diff --git a/cmd/ingress-operator/start.go b/cmd/ingress-operator/start.go
index d9053f862a..ace92620d9 100644
--- a/cmd/ingress-operator/start.go
+++ b/cmd/ingress-operator/start.go
@@ -36,7 +36,7 @@ const (
 	defaultGatewayAPIOperatorCatalog = "redhat-operators"
 	defaultGatewayAPIOperatorChannel = "stable"
 	defaultGatewayAPIOperatorVersion = "servicemeshoperator3.v3.2.0"
-	defaultIstioVersion              = "v1.27.3"
+	defaultIstioVersion              = "v1.27.5"
 )
 
 type StartOptions struct {
diff --git a/go.mod b/go.mod
index 651a8f3885..54bd964896 100644
--- a/go.mod
+++ b/go.mod
@@ -19,8 +19,8 @@ require (
 	github.com/go-logr/zapr v1.3.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gopacket v1.1.19
-	github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b
-	github.com/openshift/api v0.0.0-20251214014457-bfa868a22401
+	github.com/istio-ecosystem/sail-operator v0.0.0-20260212113734-df7c3ff58926
+	github.com/openshift/api v0.0.0-20260223154456-de86ee3bf481
 	github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c
 	github.com/openshift/library-go v0.0.0-20251021141706-f489e811f030
 	github.com/operator-framework/api v0.30.0
@@ -32,9 +32,9 @@ require (
 	github.com/summerwind/h2spec v0.0.0-20200804131034-70ac22940108
 	github.com/tcnksm/go-httpstat v0.2.1-0.20191008022543-e866bb274419
 	go.uber.org/zap v1.27.0
-	golang.org/x/time v0.12.0
+	golang.org/x/time v0.14.0
 	google.golang.org/api v0.126.0
-	google.golang.org/grpc v1.75.1
+	google.golang.org/grpc v1.78.0
 	gopkg.in/fsnotify.v1 v1.4.7
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.35.0
@@ -42,113 +42,177 @@ require (
 	k8s.io/apimachinery v0.35.0
 	k8s.io/apiserver v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	k8s.io/utils v0.0.0-20251219084037-98d557b7f1e7
 	sigs.k8s.io/controller-runtime v0.23.1
 	sigs.k8s.io/gateway-api v1.4.1
 )
 
 require (
-	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	dario.cat/mergo v1.0.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
+	github.com/chai2010/gettext-go v1.0.3 // indirect
+	github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e // indirect
+	github.com/containerd/containerd v1.7.29 // indirect
+	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-openapi/errors v0.21.0 // indirect
-	github.com/go-openapi/jsonpointer v0.21.2 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
+	github.com/go-openapi/jsonreference v0.21.4 // indirect
 	github.com/go-openapi/strfmt v0.22.1 // indirect
-	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-openapi/swag v0.25.4 // indirect
+	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
+	github.com/go-openapi/swag/conv v0.25.4 // indirect
+	github.com/go-openapi/swag/fileutils v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
+	github.com/go-openapi/swag/loading v0.25.4 // indirect
+	github.com/go-openapi/swag/mangling v0.25.4 // indirect
+	github.com/go-openapi/swag/netutils v0.25.4 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.19.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/gnostic-models v0.7.1 // indirect
 	github.com/google/s2a-go v0.1.4 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
 	github.com/googleapis/gax-go/v2 v2.10.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/gosuri/uitable v0.0.4 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/native v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mdlayher/netlink v1.6.0 // indirect
 	github.com/mdlayher/socket v0.1.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
+	github.com/rubenv/sql-migrate v1.8.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/spf13/cast v1.8.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/exp v0.0.0-20251017212417-90e834f514db // indirect
+	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 // indirect
-	google.golang.org/protobuf v1.36.8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	helm.sh/helm/v3 v3.18.6 // indirect
+	istio.io/istio v0.0.0-20260208024451-a30ad73344d7 // indirect
+	k8s.io/cli-runtime v0.35.0 // indirect
 	k8s.io/component-base v0.35.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-aggregator v0.35.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/kube-aggregator v0.34.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e // indirect
+	k8s.io/kubectl v0.35.0 // indirect
+	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
+	sigs.k8s.io/kustomize/api v0.20.1 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
@@ -157,3 +221,6 @@ require (
 // This replace stanza is necessary to import
 // github.com/istio-ecosystem/sail-operator.
 replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
+
+// Use the sail_library_2 branch from aslakknutsen's fork for Sail Library integration
+replace github.com/istio-ecosystem/sail-operator => github.com/aslakknutsen/sail-operator v0.0.0-20260223154431-ffebc5493a7f
diff --git a/go.sum b/go.sum
index 93efb94820..6f3561c42b 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,13 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
-cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 h1:F0gBpfdPLGsw+nsgk6aqqkZS1jiixa5WwFe3fk/T3Ys=
@@ -22,6 +28,8 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 h1:mrkD
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1/go.mod h1:hPv41DbqMmnxcGralanA/kVlfdH5jv3T4LxGku2E1BY=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A=
@@ -47,14 +55,25 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mo
 github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 h1:H5xDQaE3XowWfhZRUpnfC+rGZMEVoSiji+b+/HFAPU4=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
+github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
 github.com/IBM/go-sdk-core/v5 v5.8.0/go.mod h1:+YbdhrjCHC84ls4MeBp+Hj4NZCni+tDAc0XQUqRO9Jc=
 github.com/IBM/go-sdk-core/v5 v5.17.4 h1:VGb9+mRrnS2HpHZFM5hy4J6ppIWnwNrw0G+tLSgcJLc=
 github.com/IBM/go-sdk-core/v5 v5.17.4/go.mod h1:KsAAI7eStAWwQa4F96MLy+whYSh39JzNjklZRbN/8ns=
 github.com/IBM/networking-go-sdk v0.26.0 h1:K/geWMCgg5P0pbaVQ0eZLhim2G6yOZc8rjszbv2Kmzc=
 github.com/IBM/networking-go-sdk v0.26.0/go.mod h1:tVxXclpQs8nQJYPTr9ZPNC1voaPNQLy8iy/72oVfFtM=
-github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
+github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
+github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
+github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
+github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM=
+github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
 github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
@@ -63,6 +82,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/aslakknutsen/sail-operator v0.0.0-20260223154431-ffebc5493a7f h1:/wY2qCfgvOQhcr0GK+J8lkvajwseOrITgyrlHyIQWo0=
+github.com/aslakknutsen/sail-operator v0.0.0-20260223154431-ffebc5493a7f/go.mod h1:rR8cFIg6t7uYqAb03oMQSQ/vYnXR1WJN7zbnm+3VTDI=
 github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48=
 github.com/aws/aws-sdk-go v1.38.49 h1:E31vxjCe6a5I+mJLmUGaZobiWmg9KdWaud9IfceYeYQ=
 github.com/aws/aws-sdk-go v1.38.49/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
@@ -70,10 +91,18 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70=
+github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
+github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80=
+github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -81,16 +110,42 @@ github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XP
 github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
-github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e h1:gt7U1Igw0xbJdyaCM5H2CnlAlPSkzrhsebQB6WQWjLA=
+github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
+github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
+github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
+github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4=
+github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
+github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
+github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/distribution/distribution/v3 v3.0.0 h1:q4R8wemdRQDClzoNNStftB2ZAfqOiN6UX90KJc4HjyM=
+github.com/distribution/distribution/v3 v3.0.0/go.mod h1:tRNuFoZsUdyRVegq8xGNeds4KLjwLCRin/tTo6i1DhU=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
+github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
+github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
+github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
+github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -99,17 +154,25 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
-github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
-github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
-github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
+github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
+github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
+github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
 github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
+github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
+github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
 github.com/fatih/color v0.0.0-20161025120501-bf82308e8c85/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/florianl/go-nfqueue v1.3.2 h1:8DPzhKJHywpHJAE/4ktgcqveCL7qmMLsEsVD68C4x4I=
 github.com/florianl/go-nfqueue v1.3.2/go.mod h1:eSnAor2YCfMCVYrVNEhkLGN/r1L+J4uDjc0EUy0tfq4=
+github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
+github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -119,6 +182,10 @@ github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj2
 github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
 github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
+github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
+github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -128,15 +195,43 @@ github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR
 github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY=
 github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho=
-github.com/go-openapi/jsonpointer v0.21.2 h1:AqQaNADVwq/VnkCmQg6ogE+M3FOsKTytwges0JdwVuA=
-github.com/go-openapi/jsonpointer v0.21.2/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk=
-github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
-github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
+github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=
+github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8=
+github.com/go-openapi/jsonreference v0.21.4/go.mod h1:rIENPTjDbLpzQmQWCj5kKj3ZlmEh+EFVbz3RTUh30/4=
 github.com/go-openapi/strfmt v0.20.2/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk=
 github.com/go-openapi/strfmt v0.22.1 h1:5Ky8cybT4576C6Ffc+8gYji/wRXCo6Ozm8RaWjPI6jc=
 github.com/go-openapi/strfmt v0.22.1/go.mod h1:OfVoytIXJasDkkGvkb1Cceb3BPyMOwk1FgmyyEw7NYg=
-github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
-github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
+github.com/go-openapi/swag v0.25.4 h1:OyUPUFYDPDBMkqyxOTkqDYFnrhuhi9NR6QVUvIochMU=
+github.com/go-openapi/swag v0.25.4/go.mod h1:zNfJ9WZABGHCFg2RnY0S4IOkAcVTzJ6z2Bi+Q4i6qFQ=
+github.com/go-openapi/swag/cmdutils v0.25.4 h1:8rYhB5n6WawR192/BfUu2iVlxqVR9aRgGJP6WaBoW+4=
+github.com/go-openapi/swag/cmdutils v0.25.4/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0=
+github.com/go-openapi/swag/conv v0.25.4 h1:/Dd7p0LZXczgUcC/Ikm1+YqVzkEeCc9LnOWjfkpkfe4=
+github.com/go-openapi/swag/conv v0.25.4/go.mod h1:3LXfie/lwoAv0NHoEuY1hjoFAYkvlqI/Bn5EQDD3PPU=
+github.com/go-openapi/swag/fileutils v0.25.4 h1:2oI0XNW5y6UWZTC7vAxC8hmsK/tOkWXHJQH4lKjqw+Y=
+github.com/go-openapi/swag/fileutils v0.25.4/go.mod h1:cdOT/PKbwcysVQ9Tpr0q20lQKH7MGhOEb6EwmHOirUk=
+github.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ9869Vye1bNHI=
+github.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag=
+github.com/go-openapi/swag/jsonutils v0.25.4 h1:VSchfbGhD4UTf4vCdR2F4TLBdLwHyUDTd1/q4i+jGZA=
+github.com/go-openapi/swag/jsonutils v0.25.4/go.mod h1:7OYGXpvVFPn4PpaSdPHJBtF0iGnbEaTk8AvBkoWnaAY=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4 h1:IACsSvBhiNJwlDix7wq39SS2Fh7lUOCJRmx/4SN4sVo=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4/go.mod h1:Mt0Ost9l3cUzVv4OEZG+WSeoHwjWLnarzMePNDAOBiM=
+github.com/go-openapi/swag/loading v0.25.4 h1:jN4MvLj0X6yhCDduRsxDDw1aHe+ZWoLjW+9ZQWIKn2s=
+github.com/go-openapi/swag/loading v0.25.4/go.mod h1:rpUM1ZiyEP9+mNLIQUdMiD7dCETXvkkC30z53i+ftTE=
+github.com/go-openapi/swag/mangling v0.25.4 h1:2b9kBJk9JvPgxr36V23FxJLdwBrpijI26Bx5JH4Hp48=
+github.com/go-openapi/swag/mangling v0.25.4/go.mod h1:6dxwu6QyORHpIIApsdZgb6wBk/DPU15MdyYj/ikn0Hg=
+github.com/go-openapi/swag/netutils v0.25.4 h1:Gqe6K71bGRb3ZQLusdI8p/y1KLgV4M/k+/HzVSqT8H0=
+github.com/go-openapi/swag/netutils v0.25.4/go.mod h1:m2W8dtdaoX7oj9rEttLyTeEFFEBvnAx9qHd5nJEBzYg=
+github.com/go-openapi/swag/stringutils v0.25.4 h1:O6dU1Rd8bej4HPA3/CLPciNBBDwZj9HiEpdVsb8B5A8=
+github.com/go-openapi/swag/stringutils v0.25.4/go.mod h1:GTsRvhJW5xM5gkgiFe0fV3PUlFm0dr8vki6/VSRaZK0=
+github.com/go-openapi/swag/typeutils v0.25.4 h1:1/fbZOUN472NTc39zpa+YGHn3jzHWhv42wAJSN91wRw=
+github.com/go-openapi/swag/typeutils v0.25.4/go.mod h1:Ou7g//Wx8tTLS9vG0UmzfCsjZjKhpjxayRKTHXf2pTE=
+github.com/go-openapi/swag/yamlutils v0.25.4 h1:6jdaeSItEUb7ioS9lFoCZ65Cne1/RZtPBZ9A56h92Sw=
+github.com/go-openapi/swag/yamlutils v0.25.4/go.mod h1:MNzq1ulQu+yd8Kl7wPOut/YHAAU/H6hL91fF+E2RFwc=
+github.com/go-openapi/testify/enable/yaml/v2 v2.0.2 h1:0+Y41Pz1NkbTHz8NngxTuAXxEodtNSI1WG1c/m5Akw4=
+github.com/go-openapi/testify/enable/yaml/v2 v2.0.2/go.mod h1:kme83333GCtJQHXQ8UKX3IBZu6z8T5Dvy5+CW3NLUUg=
+github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
+github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
@@ -148,6 +243,8 @@ github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91
 github.com/go-playground/validator/v10 v10.19.0 h1:ol+5Fu+cSq9JD7SoSqe04GMI92cbn0+wvQ3bZ8b/AU4=
 github.com/go-playground/validator/v10 v10.19.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
@@ -176,6 +273,8 @@ github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWe
 github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ=
 github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0=
 github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
@@ -207,8 +306,8 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
-github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
+github.com/google/gnostic-models v0.7.1 h1:SisTfuFKJSKM5CPZkffwi6coztzzeYUhc3v4yxLWH8c=
+github.com/google/gnostic-models v0.7.1/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -226,8 +325,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
-github.com/google/pprof v0.0.0-20250501235452-c0086092b71a h1:rDA3FfmxwXR+BVKKdz55WwMJ1pD2hJQNW31d+l3mPk4=
-github.com/google/pprof v0.0.0-20250501235452-c0086092b71a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18=
+github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
 github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
 github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -238,40 +337,65 @@ github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9
 github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/gax-go/v2 v2.10.0 h1:ebSgKfMxynOdxw8QQuFOKMgomqeLGPqNLQox2bo42zg=
 github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
+github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
+github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
+github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
+github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
+github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
+github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
+github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b h1:jQokaEG8FFjsl7DQ6sb/pEMemZonFQ6Uu1puaCyXzF0=
-github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b/go.mod h1:Es2YI34zqMGgV0gpf+KM5SaXMNcJ+9BnFMUSE32atcM=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
+github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 h1:VzM3TYHDgqPkettiP6I6q2jOeQFL4nrJM+UcAc4f6Fs=
+github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0/go.mod h1:nqCI7aelBJU61wiBeeZWJ6oi4bJy5nrjkM6lWIMA4j0=
 github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4=
 github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
 github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs=
@@ -292,11 +416,19 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
-github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
+github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
+github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
 github.com/mattn/go-colorable v0.1.0/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -305,21 +437,37 @@ github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stg
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdlayher/netlink v1.6.0 h1:rOHX5yl7qnlpiVkFWoqccueppMtXzeziFjWAjLg6sz0=
 github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA=
 github.com/mdlayher/socket v0.1.1 h1:q3uOGirUPfAV2MUoaC7BavjQ154J7+JOkTWyiV+intI=
 github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
+github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA=
+github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
 github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
@@ -345,8 +493,12 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7mt48=
 github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
-github.com/openshift/api v0.0.0-20251214014457-bfa868a22401 h1:goMf6pBtRFSQaVElFk6K+GIAqnv7O84p7PJHH6pDz/E=
-github.com/openshift/api v0.0.0-20251214014457-bfa868a22401/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/openshift/api v0.0.0-20260223154456-de86ee3bf481 h1:vzJFg36EK0uI3ODv9cgC1dgnYxwxFv4+kgJFXQ5kojM=
+github.com/openshift/api v0.0.0-20260223154456-de86ee3bf481/go.mod h1:ZYAxo9t1AALeEotN07tNzIvqqqWSxcZIqMUKnY/xCeQ=
 github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c h1:TBE0Gl+oCo/SNEhLKZQNNH/SWHXrpGyhAw7P0lAqdHg=
 github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c/go.mod h1:IsynOWZAfdH+BgWimcFQRtI41Id9sgdhsCEjIk8ACLw=
 github.com/openshift/library-go v0.0.0-20251021141706-f489e811f030 h1:dbv8ZYDWIl22A5WBjQJTKeENM08f8HwMBuv8glDXO/0=
@@ -354,6 +506,10 @@ github.com/openshift/library-go v0.0.0-20251021141706-f489e811f030/go.mod h1:OlF
 github.com/operator-framework/api v0.30.0 h1:44hCmGnEnZk/Miol5o44dhSldNH0EToQUG7vZTl29kk=
 github.com/operator-framework/api v0.30.0/go.mod h1:FYxAPhjtlXSAty/fbn5YJnFagt6SpJZJgFNNbvDe5W0=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
+github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -363,6 +519,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
+github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0 h1:AHzMWDxNiAVscJL6+4wkvFRTpMnJqiaZFEKA/osaBXE=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
 github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
@@ -372,10 +530,19 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
 github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/otlptranslator v0.0.0-20250717125610-8549f4ab4f8f h1:QQB6SuvGZjK8kdc2YaLJpYhV8fxauOsjE6jgcL6YJ8Q=
+github.com/prometheus/otlptranslator v0.0.0-20250717125610-8549f4ab4f8f/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI=
 github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
 github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
-github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
-github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
+github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho=
+github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U=
+github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc=
+github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ=
+github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
+github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
@@ -384,20 +551,31 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rubenv/sql-migrate v1.8.0 h1:dXnYiJk9k3wetp7GfQbKJcPHjVJL6YK19tKj8t2Ns0o=
+github.com/rubenv/sql-migrate v1.8.0/go.mod h1:F2bGFBwCU+pnmbtNYDeKvSuvL6lBVtXDXUUv5t+u1qw=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
+github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/cast v1.8.0 h1:gEN9K4b8Xws4EX0+a0reLmhq8moKn7ntRlQYgjPeCDk=
+github.com/spf13/cast v1.8.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v0.0.0-20170118185516-dc208f4211e7/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
 github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
-github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -425,6 +603,8 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
 github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
+github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
+github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -434,19 +614,55 @@ go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
-go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
-go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
-go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w=
+go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk=
+go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4=
+go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7ZSD+5yn+lo3sGV69nW04rRR0jhYnBwjuX3r0HvnK0=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 h1:EtFWSnwW9hGObjkIdmlnWSydO+Qs8OwzfzXLUPg4xOc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0/go.mod h1:QjUEoiGCPkvFZ/MjK6ZZfNOS6mfVEVKYE99dFhuN2LI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA=
+go.opentelemetry.io/otel/exporters/prometheus v0.59.1 h1:HcpSkTkJbggT8bjYP+BjyqPWlD17BH9C5CYNKeDzmcA=
+go.opentelemetry.io/otel/exporters/prometheus v0.59.1/go.mod h1:0FJL+gjuUoM07xzik3KPBaN+nz/CoB15kV6WLMiXZag=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 h1:SZmDnHcgp3zwlPBS2JX2urGYe/jBKEIT6ZedHRUyCz8=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0/go.mod h1:fdWW0HtZJ7+jNpTKUR0GpMEDP69nR8YBJQxNiVCE3jk=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s=
+go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk=
+go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs=
+go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
+go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -466,11 +682,11 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
+golang.org/x/exp v0.0.0-20251017212417-90e834f514db h1:by6IehL4BH5k3e3SJmcoNbOobMey2SLpAF79iPOEBvw=
+golang.org/x/exp v0.0.0-20251017212417-90e834f514db/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -479,8 +695,8 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.0.0-20161104230106-55a3084c9119/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -502,12 +718,12 @@ golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -518,8 +734,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -539,6 +755,7 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -547,12 +764,12 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -560,10 +777,10 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -578,8 +795,8 @@ golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -598,11 +815,11 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao=
-google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 h1:FiusG7LWj+4byqhbvmB+Q93B/mOxJLN2DTozDuZm4EU=
-google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:kXqgZtrWaf6qS3jZOCnCH7WYfrvFjkC51bM8fz3RsCA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 h1:pmJpJEvT846VzausCQ5d7KreSROcDqmO388w5YbnltA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1/go.mod h1:GmFNa4BdJZ2a8G+wCe9Bg3wwThLrJun751XstdJt5Og=
+google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 h1:1hfbdAfFbkmpg41000wDVqr7jUpK/Yo+LPnIxxGzmkg=
+google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2 h1:7LRqPCEdE4TP4/9psdaB7F2nhZFfBiGJomA5sojLWdU=
+google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 h1:2I6GHUeJ/4shcDpoUlLs/2WPnhg7yJwvXtqcMJt9liA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
@@ -611,8 +828,8 @@ google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTp
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI=
-google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
+google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
+google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -624,8 +841,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -640,6 +857,8 @@ gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8
 gopkg.in/go-playground/validator.v9 v9.31.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -653,8 +872,16 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+helm.sh/helm/v3 v3.18.6 h1:S/2CqcYnNfLckkHLI0VgQbxgcDaU3N4A/46E3n9wSNY=
+helm.sh/helm/v3 v3.18.6/go.mod h1:L/dXDR2r539oPlFP1PJqKAC1CUgqHJDLkxKpDGrWnyg=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+istio.io/api v1.29.0-alpha.0.0.20260205010447-d2bc7d18a337 h1:fTa0j3yQhp5RohEaAaGB+DiXWX6EEq4CGcrcvU+9Sao=
+istio.io/api v1.29.0-alpha.0.0.20260205010447-d2bc7d18a337/go.mod h1:+brQWcBHoROuyA6fv8rbgg8Kfn0RCGuqoY0duCMuSLA=
+istio.io/client-go v1.29.0-alpha.0.0.20260205011149-b3a6b2e28b06 h1:S3ger4fZHVuV61d9HKwUksc2y1vQhtyu4zgVr0lD03M=
+istio.io/client-go v1.29.0-alpha.0.0.20260205011149-b3a6b2e28b06/go.mod h1:NHEtxuW56GL/RuXXE6NLdzrBURs++EyIp2WSsL9Fpe8=
+istio.io/istio v0.0.0-20260208024451-a30ad73344d7 h1:QjIjbK46AhUscVomrrEFiiFq1roN+/3I2hqCauHGO7M=
+istio.io/istio v0.0.0-20260208024451-a30ad73344d7/go.mod h1:cVTeU6zOpccSZOT3xFeSPn7G0ySPG/vaP9T0kqgk0Wg=
 k8s.io/api v0.35.0 h1:iBAU5LTyBI9vw3L5glmat1njFK34srdLmktWwLTprlY=
 k8s.io/api v0.35.0/go.mod h1:AQ0SNTzm4ZAczM03QH42c7l3bih1TbAXYo0DkF8ktnA=
 k8s.io/apiextensions-apiserver v0.35.0 h1:3xHk2rTOdWXXJM+RDQZJvdx0yEOgC0FgQ1PlJatA5T4=
@@ -663,18 +890,24 @@ k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8=
 k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
 k8s.io/apiserver v0.35.0 h1:CUGo5o+7hW9GcAEF3x3usT3fX4f9r8xmgQeCBDaOgX4=
 k8s.io/apiserver v0.35.0/go.mod h1:QUy1U4+PrzbJaM3XGu2tQ7U9A4udRRo5cyxkFX0GEds=
+k8s.io/cli-runtime v0.35.0 h1:PEJtYS/Zr4p20PfZSLCbY6YvaoLrfByd6THQzPworUE=
+k8s.io/cli-runtime v0.35.0/go.mod h1:VBRvHzosVAoVdP3XwUQn1Oqkvaa8facnokNkD7jOTMY=
 k8s.io/client-go v0.35.0 h1:IAW0ifFbfQQwQmga0UdoH0yvdqrbwMdq9vIFEhRpxBE=
 k8s.io/client-go v0.35.0/go.mod h1:q2E5AAyqcbeLGPdoRB+Nxe3KYTfPce1Dnu1myQdqz9o=
 k8s.io/component-base v0.35.0 h1:+yBrOhzri2S1BVqyVSvcM3PtPyx5GUxCK2tinZz1G94=
 k8s.io/component-base v0.35.0/go.mod h1:85SCX4UCa6SCFt6p3IKAPej7jSnF3L8EbfSyMZayJR0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-aggregator v0.35.0 h1:FBtbuRFA7Ohe2QKirFZcJf8rgimC8oSaNiCi4pdU5xw=
-k8s.io/kube-aggregator v0.35.0/go.mod h1:vKBRpQUfDryb7udwUwF3eCSvv3AJNgHtL4PGl6PqAg8=
-k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
-k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
-k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
-k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-aggregator v0.34.1 h1:WNLV0dVNoFKmuyvdWLd92iDSyD/TSTjqwaPj0U9XAEU=
+k8s.io/kube-aggregator v0.34.1/go.mod h1:RU8j+5ERfp0h+gIvWtxRPfsa5nK7rboDm8RST8BJfYQ=
+k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e h1:iW9ChlU0cU16w8MpVYjXk12dqQ4BPFBEgif+ap7/hqQ=
+k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/kubectl v0.35.0 h1:cL/wJKHDe8E8+rP3G7avnymcMg6bH6JEcR5w5uo06wc=
+k8s.io/kubectl v0.35.0/go.mod h1:VR5/TSkYyxZwrRwY5I5dDq6l5KXmiCb+9w8IKplk3Qo=
+k8s.io/utils v0.0.0-20251219084037-98d557b7f1e7 h1:H6xtwB5tC+KFSHoEhA1o7DnOtHDEo+n9OBSHjlajVKc=
+k8s.io/utils v0.0.0-20251219084037-98d557b7f1e7/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
+oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
+oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
 sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE=
 sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0=
 sigs.k8s.io/gateway-api v1.4.1 h1:NPxFutNkKNa8UfLd2CMlEuhIPMQgDQ6DXNKG9sHbJU8=
@@ -683,6 +916,10 @@ sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5E
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 h1:PFWFSkpArPNJxFX4ZKWAk9NSeRoZaXschn+ULa4xVek=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
+sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I=
+sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM=
+sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78=
+sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 h1:2WOzJpHUBVrrkDjU4KBT8n5LDcj824eX0I5UKcgeRUs=
diff --git a/manifests/00-cluster-role.yaml b/manifests/00-cluster-role.yaml
index e29ed4bd76..1f06f50573 100644
--- a/manifests/00-cluster-role.yaml
+++ b/manifests/00-cluster-role.yaml
@@ -37,13 +37,31 @@ rules:
   resources:
   - nodes
   verbs:
+  - get
   - list
+  - watch
+
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  - replicationcontrollers
+  verbs:
+  - "*"
 
 - apiGroups:
   - apps
   resources:
   - deployments
   - daemonsets
+  - replicasets
+  verbs:
+  - "*"
+
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
   verbs:
   - "*"
 
@@ -71,11 +89,7 @@ rules:
   - roles
   - rolebindings
   verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
+  - "*"
 
 - apiGroups:
   - operator.openshift.io
@@ -158,16 +172,6 @@ rules:
   verbs:
   - '*'
 
-- apiGroups:
-  - gateway.networking.k8s.io
-  resources:
-  - gatewayclasses
-  - gateways
-  - httproutes
-  - grpcroutes
-  verbs:
-  - '*'
-
 - apiGroups:
   - apiextensions.k8s.io
   resources:
@@ -187,6 +191,7 @@ rules:
   - sailoperator.io
   resources:
   - istios
+  - istiorevisions
   verbs:
   - '*'
 
@@ -249,5 +254,95 @@ rules:
   resources:
   - endpointslices
   verbs:
+  - get
+  - list
+  - watch
+
+# Required for Istio installation via Helm
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - "*"
+
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  - ingresses/status
+  verbs:
+  - "*"
+
+- apiGroups:
+  - authentication.istio.io
+  - config.istio.io
+  - extensions.istio.io
+  - networking.istio.io
+  - rbac.istio.io
+  - security.istio.io
+  - telemetry.istio.io
+  resources:
+  - "*"
+  verbs:
+  - "*"
+
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - "*"
+  verbs:
+  - "*"
+
+- apiGroups:
+  - gateway.networking.x-k8s.io
+  resources:
+  - "*"
+  verbs:
+  - "*"
+
+- apiGroups:
+  - networking.x-k8s.io
+  resources:
+  - gateways
+  verbs:
+  - get
   - list
   - watch
+
+- apiGroups:
+  - multicluster.x-k8s.io
+  resources:
+  - serviceexports
+  - serviceimports
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+
+- apiGroups:
+  - inference.networking.x-k8s.io
+  resources:
+  - inferencepools
+  - inferencepools/status
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
diff --git a/manifests/00-custom-resource-definition.yaml b/manifests/00-custom-resource-definition.yaml
index d37991c458..fd7ecdeba2 100644
--- a/manifests/00-custom-resource-definition.yaml
+++ b/manifests/00-custom-resource-definition.yaml
@@ -1994,27 +1994,25 @@ spec:
                       profile as invalid configurations can be catastrophic. An example custom profile
                       looks like this:
 
+                        minTLSVersion: VersionTLS11
                         ciphers:
-
                           - ECDHE-ECDSA-CHACHA20-POLY1305
-
                           - ECDHE-RSA-CHACHA20-POLY1305
-
                           - ECDHE-RSA-AES128-GCM-SHA256
-
                           - ECDHE-ECDSA-AES128-GCM-SHA256
-
-                        minTLSVersion: VersionTLS11
                     nullable: true
                     properties:
                       ciphers:
                         description: |-
                           ciphers is used to specify the cipher algorithms that are negotiated
-                          during the TLS handshake.  Operators may remove entries their operands
-                          do not support.  For example, to use DES-CBC3-SHA  (yaml):
+                          during the TLS handshake. Operators may remove entries that their operands
+                          do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):
 
                             ciphers:
-                              - DES-CBC3-SHA
+                              - ECDHE-RSA-AES128-GCM-SHA256
+
+                          TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable
+                          and are always enabled when TLS 1.3 is negotiated.
                         items:
                           type: string
                         type: array
@@ -2026,8 +2024,6 @@ spec:
                           versions 1.1, 1.2 and 1.3 (yaml):
 
                             minTLSVersion: VersionTLS11
-
-                          NOTE: currently the highest minTLSVersion allowed is VersionTLS12
                         enum:
                         - VersionTLS10
                         - VersionTLS11
@@ -2037,143 +2033,81 @@ spec:
                     type: object
                   intermediate:
                     description: |-
-                      intermediate is a TLS security profile based on:
-
-                      https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
-
-                      and looks like this (yaml):
+                      intermediate is a TLS profile for use when you do not need compatibility with
+                      legacy clients and want to remain highly secure while being compatible with
+                      most clients currently in use.
 
+                      This profile is equivalent to a Custom profile specified as:
+                        minTLSVersion: VersionTLS12
                         ciphers:
-
                           - TLS_AES_128_GCM_SHA256
-
                           - TLS_AES_256_GCM_SHA384
-
                           - TLS_CHACHA20_POLY1305_SHA256
-
                           - ECDHE-ECDSA-AES128-GCM-SHA256
-
                           - ECDHE-RSA-AES128-GCM-SHA256
-
                           - ECDHE-ECDSA-AES256-GCM-SHA384
-
                           - ECDHE-RSA-AES256-GCM-SHA384
-
                           - ECDHE-ECDSA-CHACHA20-POLY1305
-
                           - ECDHE-RSA-CHACHA20-POLY1305
-
-                          - DHE-RSA-AES128-GCM-SHA256
-
-                          - DHE-RSA-AES256-GCM-SHA384
-
-                        minTLSVersion: VersionTLS12
                     nullable: true
                     type: object
                   modern:
                     description: |-
-                      modern is a TLS security profile based on:
-
-                      https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
-
-                      and looks like this (yaml):
+                      modern is a TLS security profile for use with clients that support TLS 1.3 and
+                      do not need backward compatibility for older clients.
 
+                      This profile is equivalent to a Custom profile specified as:
+                        minTLSVersion: VersionTLS13
                         ciphers:
-
                           - TLS_AES_128_GCM_SHA256
-
                           - TLS_AES_256_GCM_SHA384
-
                           - TLS_CHACHA20_POLY1305_SHA256
-
-                        minTLSVersion: VersionTLS13
                     nullable: true
                     type: object
                   old:
                     description: |-
-                      old is a TLS security profile based on:
-
-                      https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
-
-                      and looks like this (yaml):
+                      old is a TLS profile for use when services need to be accessed by very old
+                      clients or libraries and should be used only as a last resort.
 
+                      This profile is equivalent to a Custom profile specified as:
+                        minTLSVersion: VersionTLS10
                         ciphers:
-
                           - TLS_AES_128_GCM_SHA256
-
                           - TLS_AES_256_GCM_SHA384
-
                           - TLS_CHACHA20_POLY1305_SHA256
-
                           - ECDHE-ECDSA-AES128-GCM-SHA256
-
                           - ECDHE-RSA-AES128-GCM-SHA256
-
                           - ECDHE-ECDSA-AES256-GCM-SHA384
-
                           - ECDHE-RSA-AES256-GCM-SHA384
-
                           - ECDHE-ECDSA-CHACHA20-POLY1305
-
                           - ECDHE-RSA-CHACHA20-POLY1305
-
-                          - DHE-RSA-AES128-GCM-SHA256
-
-                          - DHE-RSA-AES256-GCM-SHA384
-
-                          - DHE-RSA-CHACHA20-POLY1305
-
                           - ECDHE-ECDSA-AES128-SHA256
-
                           - ECDHE-RSA-AES128-SHA256
-
                           - ECDHE-ECDSA-AES128-SHA
-
                           - ECDHE-RSA-AES128-SHA
-
-                          - ECDHE-ECDSA-AES256-SHA384
-
-                          - ECDHE-RSA-AES256-SHA384
-
                           - ECDHE-ECDSA-AES256-SHA
-
                           - ECDHE-RSA-AES256-SHA
-
-                          - DHE-RSA-AES128-SHA256
-
-                          - DHE-RSA-AES256-SHA256
-
                           - AES128-GCM-SHA256
-
                           - AES256-GCM-SHA384
-
                           - AES128-SHA256
-
-                          - AES256-SHA256
-
                           - AES128-SHA
-
                           - AES256-SHA
-
                           - DES-CBC3-SHA
-
-                        minTLSVersion: VersionTLS10
                     nullable: true
                     type: object
                   type:
                     description: |-
-                      type is one of Old, Intermediate, Modern or Custom. Custom provides
-                      the ability to specify individual TLS security profile parameters.
-                      Old, Intermediate and Modern are TLS security profiles based on:
-
-                      https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+                      type is one of Old, Intermediate, Modern or Custom. Custom provides the
+                      ability to specify individual TLS security profile parameters.
 
-                      The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
-                      are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be
-                      reduced.
+                      The profiles are based on version 5.7 of the Mozilla Server Side TLS
+                      configuration guidelines. The cipher lists consist of the configuration's
+                      "ciphersuites" followed by the Go-specific "ciphers" from the guidelines.
+                      See: https://ssl-config.mozilla.org/guidelines/5.7.json
 
-                      Note that the Modern profile is currently not supported because it is not
-                      yet well adopted by common software libraries.
+                      The profiles are intent based, so they may change over time as new ciphers are
+                      developed and existing ciphers are found to be insecure. Depending on
+                      precisely which ciphers are available to a process, the list may be reduced.
                     enum:
                     - Old
                     - Intermediate
@@ -3307,11 +3241,14 @@ spec:
                   ciphers:
                     description: |-
                       ciphers is used to specify the cipher algorithms that are negotiated
-                      during the TLS handshake.  Operators may remove entries their operands
-                      do not support.  For example, to use DES-CBC3-SHA  (yaml):
+                      during the TLS handshake. Operators may remove entries that their operands
+                      do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):
 
                         ciphers:
-                          - DES-CBC3-SHA
+                          - ECDHE-RSA-AES128-GCM-SHA256
+
+                      TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable
+                      and are always enabled when TLS 1.3 is negotiated.
                     items:
                       type: string
                     type: array
@@ -3323,8 +3260,6 @@ spec:
                       versions 1.1, 1.2 and 1.3 (yaml):
 
                         minTLSVersion: VersionTLS11
-
-                      NOTE: currently the highest minTLSVersion allowed is VersionTLS12
                     enum:
                     - VersionTLS10
                     - VersionTLS11
diff --git a/pkg/operator/controller/gatewayclass/controller.go b/pkg/operator/controller/gatewayclass/controller.go
index f409d3c4e9..5ae9b45b17 100644
--- a/pkg/operator/controller/gatewayclass/controller.go
+++ b/pkg/operator/controller/gatewayclass/controller.go
@@ -3,19 +3,27 @@ package gatewayclass
 import (
 	"context"
 	"fmt"
+	"slices"
+	"strings"
 	"sync"
+	"time"
 
 	logf "github.com/openshift/cluster-ingress-operator/pkg/log"
 	operatorcontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 
-	sailv1 "github.com/istio-ecosystem/sail-operator/api/v1"
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
 
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 
+	sailv1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/install"
+
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
@@ -23,6 +31,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
@@ -71,6 +80,14 @@ const (
 	// can be specified.  This annotation is only intended for use by
 	// OpenShift developers.
 	istioVersionOverrideAnnotationKey = "unsupported.do-not-use.openshift.io/istio-version"
+	// sailLibraryFinalizer is a finalizer key added to GatewayClasses that
+	// at some moment were reconciled by sail-library.
+	// They signal two things:
+	// 1 - For sail-library, if there is no other gatewayclass using it, the reconciliation
+	// can be stopped
+	// 2 - For olm-install - In case it is called, it means the installation was rolled
+	// back and the finalizer must be removed
+	sailLibraryFinalizer = "openshift.io/ingress-operator-sail-finalizer"
 )
 
 var log = logf.Logger.WithName(controllerName)
@@ -81,11 +98,13 @@ var gatewayClassController controller.Controller
 // that the manager does not start it.
 func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, error) {
 	operatorCache := mgr.GetCache()
+
 	reconciler := &reconciler{
-		config:   config,
-		client:   mgr.GetClient(),
-		cache:    operatorCache,
-		recorder: mgr.GetEventRecorderFor(controllerName),
+		config:     config,
+		client:     mgr.GetClient(),
+		cache:      operatorCache,
+		kubeConfig: config.KubeConfig,
+		recorder:   mgr.GetEventRecorderFor(controllerName),
 	}
 	options := controller.Options{Reconciler: reconciler}
 	options.DefaultFromConfig(mgr.GetControllerOptions())
@@ -104,21 +123,11 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er
 		return nil, err
 	}
 
-	isServiceMeshSubscription := predicate.NewPredicateFuncs(func(o client.Object) bool {
-		return o.GetName() == operatorcontroller.ServiceMeshOperatorSubscriptionName().Name
-	})
-	if err = c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.Subscription{},
-		reconciler.enqueueRequestForSomeGatewayClass(), isServiceMeshSubscription)); err != nil {
-		return nil, err
-	}
-
 	isOurInstallPlan := predicate.NewPredicateFuncs(func(o client.Object) bool {
 		installPlan := o.(*operatorsv1alpha1.InstallPlan)
 		if len(installPlan.Spec.ClusterServiceVersionNames) > 0 {
-			for _, csv := range installPlan.Spec.ClusterServiceVersionNames {
-				if csv == config.GatewayAPIOperatorVersion {
-					return true
-				}
+			if slices.Contains(installPlan.Spec.ClusterServiceVersionNames, config.GatewayAPIOperatorVersion) {
+				return true
 			}
 		}
 		return false
@@ -130,9 +139,6 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er
 		installPlan := o.(*operatorsv1alpha1.InstallPlan)
 		return !installPlan.Spec.Approved && installPlan.Status.Phase == operatorsv1alpha1.InstallPlanPhaseRequiresApproval
 	})
-	if err := c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.InstallPlan{}, reconciler.enqueueRequestForSomeGatewayClass(), isOurInstallPlan, isInstallPlanReadyForApproval)); err != nil {
-		return nil, err
-	}
 
 	// Watch for the InferencePool CRD to determine whether to enable
 	// Gateway API Inference Extension (GIE) on the Istio control-plane.
@@ -144,8 +150,54 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er
 			return false
 		}
 	})
-	if err := c.Watch(source.Kind[client.Object](operatorCache, &apiextensionsv1.CustomResourceDefinition{}, reconciler.enqueueRequestForSomeGatewayClass(), isInferencepoolCrd)); err != nil {
-		return nil, err
+
+	if !config.GatewayAPIWithoutOLMEnabled {
+		isServiceMeshSubscription := predicate.NewPredicateFuncs(func(o client.Object) bool {
+			return o.GetName() == operatorcontroller.ServiceMeshOperatorSubscriptionName().Name
+		})
+		if err = c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.Subscription{},
+			reconciler.enqueueRequestForSomeGatewayClass(), isServiceMeshSubscription)); err != nil {
+			return nil, err
+		}
+		if err := c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.InstallPlan{}, reconciler.enqueueRequestForSomeGatewayClass(), isOurInstallPlan, isInstallPlanReadyForApproval)); err != nil {
+			return nil, err
+		}
+		if err := c.Watch(source.Kind[client.Object](operatorCache, &apiextensionsv1.CustomResourceDefinition{}, reconciler.enqueueRequestForSomeGatewayClass(), isInferencepoolCrd)); err != nil {
+			return nil, err
+		}
+	} else {
+		// On OLM we need to watch Subscriptions, InstallPlans and CRDs differently.
+		// Any change on any subscription, installplan (if ours) or CRD (if Istio or GIE) must:
+		// - Trigger a new installer enqueue (part of enqueueRequestForSubscriptionChange)
+		// - Trigger a reconciliation for ALL (and not SOME) classes we manage to add status
+		isIstioCRD := predicate.NewPredicateFuncs(func(o client.Object) bool {
+			return strings.Contains(o.GetName(), "istio.io")
+		})
+
+		if err = c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.Subscription{},
+			reconciler.enqueueRequestForSubscriptionChange())); err != nil {
+			return nil, err
+		}
+		if err := c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.InstallPlan{}, reconciler.enqueueRequestForSubscriptionChange(), isOurInstallPlan)); err != nil {
+			return nil, err
+		}
+		if err := c.Watch(source.Kind[client.Object](operatorCache, &apiextensionsv1.CustomResourceDefinition{}, reconciler.enqueueRequestForSubscriptionChange(), predicate.Or(isInferencepoolCrd, isIstioCRD))); err != nil {
+			return nil, err
+		}
+
+		// For Non-OLM install, we start the sail-operator library that
+		// does the reconciliation of CRDs and resources.
+		// The channel here receives notification from the previously started sail-operator library
+		// and triggers new reconciliations
+		if config.SailOperatorReconciler != nil && config.SailOperatorReconciler.NotifyCh != nil {
+			sailOperatorSource := &SailOperatorSource[client.Object]{
+				NotifyCh:     config.SailOperatorReconciler.NotifyCh,
+				RequestsFunc: reconciler.allManagedGatewayClasses,
+			}
+			if err := c.Watch(sailOperatorSource); err != nil {
+				return nil, err
+			}
+		}
 	}
 
 	gatewayClassController = c
@@ -155,8 +207,9 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er
 // Config holds all the configuration that must be provided when creating the
 // controller.
 type Config struct {
-	// OperatorNamespace is the namespace in which the operator should
-	// create the Istio CR.
+	// KubeConfig is the Kubernetes client configuration used by the Sail Library.
+	KubeConfig *rest.Config
+	// OperatorNamespace is the namespace in which the operator is deployed.
 	OperatorNamespace string
 	// OperandNamespace is the namespace in which Istio should be deployed.
 	OperandNamespace string
@@ -166,75 +219,182 @@ type Config struct {
 	GatewayAPIOperatorChannel string
 	// GatewayAPIOperatorVersion is the name and release of the Gateway API implementation to install.
 	GatewayAPIOperatorVersion string
-	// IstioVersion is the version of Istio to configure on the Istio CR.
+	// GatewayAPIWithoutOLMEnabled indicates whether the GatewayAPIWithoutOLM feature gate is enabled.
+	GatewayAPIWithoutOLMEnabled bool
+	// IstioVersion is the version of Istio to install.
 	IstioVersion string
+	// SailOperatorReconciler contains the instance and the notification channel for the reconciler of Istio resources
+	SailOperatorReconciler *SailOperatorReconciler
+}
+
+// SailLibraryInstaller implements the methods of sail library but in a way we can
+// also mock and test
+type SailLibraryInstaller interface {
+	Start(ctx context.Context) <-chan struct{}
+	Apply(opts install.Options)
+	Uninstall(ctx context.Context, namespace, revision string) error
+	Status() install.Status
+	Enqueue()
+}
+
+type SailOperatorReconciler struct {
+	Installer SailLibraryInstaller
+	NotifyCh  <-chan struct{}
 }
 
 // reconciler reconciles gatewayclasses.
 type reconciler struct {
 	config Config
 
-	client   client.Client
-	cache    cache.Cache
-	recorder record.EventRecorder
+	client     client.Client
+	cache      cache.Cache
+	kubeConfig *rest.Config
+	recorder   record.EventRecorder
 
 	startIstioWatch sync.Once
 }
 
+func (r *reconciler) enqueueRequestForSubscriptionChange() handler.EventHandler {
+	return handler.EnqueueRequestsFromMapFunc(
+		func(ctx context.Context, obj client.Object) []reconcile.Request {
+			// If this is OLM and we detect the change of subscriptions, we must
+			// enforce that Sail Installer also enqueues a new reconciliation
+			if r.config.SailOperatorReconciler != nil && r.config.SailOperatorReconciler.Installer != nil {
+				// We can call Enqueue as many times as we want, as sail-library should enqueue and filter
+				// and not make concurrent operations
+				r.config.SailOperatorReconciler.Installer.Enqueue()
+			}
+			return r.allManagedGatewayClasses(ctx, obj)
+		})
+}
+
 // enqueueRequestForSomeGatewayClass enqueues a reconciliation request for the
 // gatewayclass that has the earliest creation timestamp and that specifies our
 // controller name.
 func (r *reconciler) enqueueRequestForSomeGatewayClass() handler.EventHandler {
 	return handler.EnqueueRequestsFromMapFunc(
-		func(ctx context.Context, _ client.Object) []reconcile.Request {
-			requests := []reconcile.Request{}
+		func(ctx context.Context, obj client.Object) []reconcile.Request {
+			if r.config.GatewayAPIWithoutOLMEnabled {
+				return r.allManagedGatewayClasses(ctx, obj)
+			}
+			return r.requestsForSomeGatewayClass(ctx, obj)
+		},
+	)
+}
 
-			var gatewayClasses gatewayapiv1.GatewayClassList
-			if err := r.cache.List(context.Background(), &gatewayClasses); err != nil {
-				log.Error(err, "Failed to list gatewayclasses")
+func (r *reconciler) requestsForSomeGatewayClass(ctx context.Context, _ client.Object) []reconcile.Request {
+	requests := []reconcile.Request{}
+	var gatewayClasses gatewayapiv1.GatewayClassList
+	if err := r.cache.List(ctx, &gatewayClasses); err != nil {
+		log.Error(err, "Failed to list gatewayclasses")
 
-				return requests
-			}
+		return requests
+	}
 
-			var (
-				found  bool
-				oldest metav1.Time
-				name   string
-			)
-			for i := range gatewayClasses.Items {
-				if gatewayClasses.Items[i].Spec.ControllerName != operatorcontroller.OpenShiftGatewayClassControllerName {
-					continue
-				}
+	var (
+		found  bool
+		oldest metav1.Time
+		name   string
+	)
+	for i := range gatewayClasses.Items {
+		if gatewayClasses.Items[i].Spec.ControllerName != operatorcontroller.OpenShiftGatewayClassControllerName {
+			continue
+		}
 
-				ctime := gatewayClasses.Items[i].CreationTimestamp
-				if !found || ctime.Before(&oldest) {
-					found, oldest, name = true, ctime, gatewayClasses.Items[i].Name
-				}
+		// If we ever added the sail library finalizer, this means this is a rollback so
+		// we need to be sure that the OLM process removes the finalizer and the status
+		if controllerutil.ContainsFinalizer(&gatewayClasses.Items[i], sailLibraryFinalizer) {
+			request := reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Namespace: "",
+					Name:      gatewayClasses.Items[i].Name,
+				},
 			}
+			requests = append(requests, request)
+			continue
+		}
 
-			if found {
-				request := reconcile.Request{
-					NamespacedName: types.NamespacedName{
-						Namespace: "", // GatewayClass is cluster-scoped.
-						Name:      name,
-					},
-				}
-				requests = append(requests, request)
-			}
+		ctime := gatewayClasses.Items[i].CreationTimestamp
+		if !found || ctime.Before(&oldest) {
+			found, oldest, name = true, ctime, gatewayClasses.Items[i].Name
+		}
+	}
 
-			return requests
-		},
-	)
+	if found {
+		request := reconcile.Request{
+			NamespacedName: types.NamespacedName{
+				Namespace: "", // GatewayClass is cluster-scoped.
+				Name:      name,
+			},
+		}
+		requests = append(requests, request)
+	}
+
+	return requests
+}
+
+func (r *reconciler) allManagedGatewayClasses(ctx context.Context, _ client.Object) []reconcile.Request {
+	requests := []reconcile.Request{}
+	var gatewayClasses gatewayapiv1.GatewayClassList
+	if err := r.cache.List(ctx, &gatewayClasses, client.MatchingFields{
+		operatorcontroller.GatewayClassIndexFieldName: operatorcontroller.OpenShiftGatewayClassControllerName,
+	}); err != nil {
+		log.Error(err, "Failed to list gatewayclasses")
+		return requests
+	}
+
+	for _, class := range gatewayClasses.Items {
+		request := reconcile.Request{
+			NamespacedName: types.NamespacedName{
+				Namespace: "", // GatewayClass is cluster-scoped.
+				Name:      class.Name,
+			},
+		}
+		requests = append(requests, request)
+	}
+
+	return requests
 }
 
 // Reconcile expects request to refer to a GatewayClass and creates or
 // reconciles an Istio deployment.
 func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
+	if r.config.GatewayAPIWithoutOLMEnabled && r.config.SailOperatorReconciler != nil && r.config.SailOperatorReconciler.Installer != nil {
+		return r.reconcileWithSailLibrary(ctx, request)
+	}
+	return r.reconcileWithOLM(ctx, request)
+}
+
+// reconcileWithOLM reconciles a GatewayClass using OLM to install OSSM,
+// which then manages an Istio CR for the Istio installation.
+func (r *reconciler) reconcileWithOLM(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	log.Info("reconciling", "request", request)
 
-	var gatewayclass gatewayapiv1.GatewayClass
-	if err := r.cache.Get(ctx, request.NamespacedName, &gatewayclass); err != nil {
-		return reconcile.Result{}, err
+	sourceGatewayClass := &gatewayapiv1.GatewayClass{}
+	if err := r.cache.Get(ctx, request.NamespacedName, sourceGatewayClass); err != nil {
+		if !errors.IsNotFound(err) {
+			return reconcile.Result{}, fmt.Errorf("error getting gatewayclass: %w", err)
+		}
+		return reconcile.Result{}, nil
+	}
+
+	gatewayclass := sourceGatewayClass.DeepCopy()
+	// This is not SailOperator class, so remove any finalizer and any status from it
+	if controllerutil.RemoveFinalizer(gatewayclass, sailLibraryFinalizer) {
+		var errs []error
+		err := r.client.Patch(ctx, gatewayclass, client.MergeFrom(sourceGatewayClass))
+		if err != nil {
+			log.Error(err, "error patching the gatewayclass status")
+			errs = append(errs, err)
+		}
+		removeSailOperatorConditions(&gatewayclass.Status.Conditions)
+		if err := r.client.Status().Patch(ctx, gatewayclass, client.MergeFrom(sourceGatewayClass)); err != nil {
+			log.Error(err, "error patching the gatewayclass status")
+			errs = append(errs, err)
+
+		}
+
+		return reconcile.Result{}, utilerrors.NewAggregate(errs) // Removing the finalizer should kick a new reconciliation
 	}
 
 	var errs []error
@@ -260,7 +420,7 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 	if v, ok := gatewayclass.Annotations[istioVersionOverrideAnnotationKey]; ok {
 		istioVersion = v
 	}
-	if _, _, err := r.ensureIstio(ctx, &gatewayclass, istioVersion); err != nil {
+	if _, _, err := r.ensureIstioOLM(ctx, gatewayclass, istioVersion); err != nil {
 		errs = append(errs, err)
 	} else {
 		// The OSSM operator installs the istios.sailoperator.io CRD.
@@ -280,3 +440,114 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 
 	return reconcile.Result{}, utilerrors.NewAggregate(errs)
 }
+
+// reconcileWithSailLibrary reconciles a GatewayClass using the Sail Library
+// for direct Helm-based installation of Istio.
+func (r *reconciler) reconcileWithSailLibrary(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
+	log.Info("reconciling", "request", request)
+
+	sourceGatewayClass := &gatewayapiv1.GatewayClass{}
+	if err := r.cache.Get(ctx, request.NamespacedName, sourceGatewayClass); err != nil {
+		if !errors.IsNotFound(err) {
+			return reconcile.Result{}, fmt.Errorf("error getting gatewayclass: %w", err)
+		}
+		return reconcile.Result{}, nil
+	}
+
+	gatewayclass := sourceGatewayClass.DeepCopy()
+
+	if !gatewayclass.DeletionTimestamp.IsZero() {
+		// Check if this is the last remaining GatewayClass. If so:
+		// 1 - Stop the library in case this is the last GatewayClass
+		// 2 - Delete the finalizer (always, regardless of being the last)
+		// 3 - We must always return from here when deletion is in progress
+		gatewayClassList := gatewayapiv1.GatewayClassList{}
+		if err := r.cache.List(ctx, &gatewayClassList, client.MatchingFields{
+			operatorcontroller.GatewayClassIndexFieldName: operatorcontroller.OpenShiftGatewayClassControllerName,
+		}); err != nil {
+			return reconcile.Result{}, fmt.Errorf("failed to list gateway classes: %w", err)
+		}
+
+		if len(gatewayClassList.Items) < 2 {
+			if err := r.config.SailOperatorReconciler.Installer.Uninstall(ctx, operatorcontroller.DefaultOperandNamespace, operatorcontroller.IstioName("").Name); err != nil {
+				return reconcile.Result{}, fmt.Errorf("failed to uninstall the operator: %w", err)
+			}
+		}
+		// This is not SailOperator class, so remove any finalizer
+		if controllerutil.RemoveFinalizer(gatewayclass, sailLibraryFinalizer) {
+			err := r.client.Patch(ctx, gatewayclass, client.MergeFrom(sourceGatewayClass))
+			if err != nil {
+				log.Error(err, "error patching the gatewayclass status")
+			}
+			return reconcile.Result{}, err // Removing the finalizer should kick a new reconciliation
+		}
+		// Finalizer already absent; nothing else to do during deletion.
+		return reconcile.Result{}, nil
+	}
+
+	if controllerutil.AddFinalizer(gatewayclass, sailLibraryFinalizer) {
+		err := r.client.Patch(ctx, gatewayclass, client.MergeFrom(sourceGatewayClass))
+		if err != nil {
+			log.Error(err, "error patching the gatewayclass status")
+		}
+		return reconcile.Result{}, err // Return if we added the finalizer, to kick reconciliation again
+	}
+
+	// Ensure migration from 4.21 to 4.22 Sail Library.
+	if migrationComplete, err := r.ensureOSSMtoSailLibraryMigration(ctx); err != nil {
+		return reconcile.Result{}, fmt.Errorf("error validating sail library migration: %w", err)
+	} else if !migrationComplete {
+		// Migration isn't complete - give OSSM time to clean up.
+		return reconcile.Result{RequeueAfter: 5 * time.Second}, nil
+	}
+
+	var errs []error
+
+	istioVersion := r.config.IstioVersion
+	if v, ok := gatewayclass.Annotations[istioVersionOverrideAnnotationKey]; ok {
+		istioVersion = v
+	}
+
+	if err := r.ensureIstio(ctx, gatewayclass, istioVersion); err != nil {
+		log.Error(err, "error ensuring Istio")
+		errs = append(errs, err)
+	}
+
+	if err := r.client.Status().Patch(ctx, gatewayclass, client.MergeFrom(sourceGatewayClass)); err != nil {
+		log.Error(err, "error patching the gatewayclass status")
+		errs = append(errs, err)
+	}
+
+	return reconcile.Result{}, utilerrors.NewAggregate(errs)
+}
+
+// SailOperatorSource bridges a sail operator channel to a MapFunc logic.
+// the Sail operator contains a source channel where notification for changes (like drifts)
+// can be sent back to our controller, so we trigger a reconciliation of our GatewayClass and its status
+type SailOperatorSource[T client.Object] struct {
+	NotifyCh     <-chan struct{}
+	RequestsFunc func(context.Context, client.Object) []reconcile.Request
+}
+
+func (s *SailOperatorSource[T]) Start(ctx context.Context, queue workqueue.TypedRateLimitingInterface[reconcile.Request]) error {
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case _, ok := <-s.NotifyCh:
+				if !ok {
+					log.Info("sail operator notification channel closed, stopping watch")
+					return
+				}
+				var empty T
+				requests := s.RequestsFunc(ctx, empty)
+				log.Info("got notification from sail library")
+				for _, req := range requests {
+					queue.Add(req)
+				}
+			}
+		}
+	}()
+	return nil
+}
diff --git a/pkg/operator/controller/gatewayclass/controller_test.go b/pkg/operator/controller/gatewayclass/controller_test.go
index f3c193c2ee..a1f8ec37a0 100644
--- a/pkg/operator/controller/gatewayclass/controller_test.go
+++ b/pkg/operator/controller/gatewayclass/controller_test.go
@@ -3,6 +3,7 @@ package gatewayclass
 import (
 	"context"
 	"testing"
+	"time"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -10,6 +11,7 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -51,6 +53,14 @@ func Test_Reconcile(t *testing.T) {
 		}
 	}
 
+	istioCRD := func() *apiextensionsv1.CustomResourceDefinition {
+		return &apiextensionsv1.CustomResourceDefinition{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "istios.sailoperator.io",
+			},
+		}
+	}
+
 	istio := func(version string, gieEnabled bool) *sailv1.Istio {
 		ret := &sailv1.Istio{
 			ObjectMeta: metav1.ObjectMeta{
@@ -126,27 +136,31 @@ func Test_Reconcile(t *testing.T) {
 	}
 
 	tests := []struct {
-		name            string
-		request         reconcile.Request
-		existingObjects []runtime.Object
-		expectCreate    []client.Object
-		expectUpdate    []client.Object
-		expectDelete    []client.Object
-		expectError     string
+		name                  string
+		request               reconcile.Request
+		expectedResult        reconcile.Result
+		fakeHelmInstaller     SailLibraryInstaller
+		existingObjects       []client.Object
+		expectCreate          []client.Object
+		expectUpdate          []client.Object
+		expectPatched         []client.Object
+		expectDelete          []client.Object
+		expectedStatusPatched []client.Object
+		expectError           string
 	}{
 		{
 			name:            "Nonexistent gatewayclass",
 			request:         req("openshift-default"),
-			existingObjects: []runtime.Object{},
+			existingObjects: []client.Object{},
 			expectCreate:    []client.Object{},
 			expectUpdate:    []client.Object{},
 			expectDelete:    []client.Object{},
-			expectError:     `"openshift-default" not found`,
+			//expectError:     `"openshift-default" not found`, // We should not expect an error when a class is not found
 		},
 		{
 			name:    "Minimal gatewayclass",
 			request: req("openshift-default"),
-			existingObjects: []runtime.Object{
+			existingObjects: []client.Object{
 				&gatewayapiv1.GatewayClass{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "openshift-default",
@@ -166,7 +180,7 @@ func Test_Reconcile(t *testing.T) {
 		{
 			name:    "Minimal gatewayclass with experimental InferencePool CRD",
 			request: req("openshift-default"),
-			existingObjects: []runtime.Object{
+			existingObjects: []client.Object{
 				&gatewayapiv1.GatewayClass{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "openshift-default",
@@ -191,7 +205,7 @@ func Test_Reconcile(t *testing.T) {
 		{
 			name:    "Minimal gatewayclass with stable InferencePool CRD",
 			request: req("openshift-default"),
-			existingObjects: []runtime.Object{
+			existingObjects: []client.Object{
 				&gatewayapiv1.GatewayClass{
 					ObjectMeta: metav1.ObjectMeta{
 						Name: "openshift-default",
@@ -216,7 +230,7 @@ func Test_Reconcile(t *testing.T) {
 		{
 			name:    "Gatewayclass with Istio version override",
 			request: req("openshift-default"),
-			existingObjects: []runtime.Object{
+			existingObjects: []client.Object{
 				&gatewayapiv1.GatewayClass{
 					ObjectMeta: metav1.ObjectMeta{
 						Annotations: map[string]string{
@@ -239,7 +253,7 @@ func Test_Reconcile(t *testing.T) {
 		{
 			name:    "Gatewayclass with OSSM and Istio overrides",
 			request: req("openshift-default"),
-			existingObjects: []runtime.Object{
+			existingObjects: []client.Object{
 				&gatewayapiv1.GatewayClass{
 					ObjectMeta: metav1.ObjectMeta{
 						Annotations: map[string]string{
@@ -262,6 +276,164 @@ func Test_Reconcile(t *testing.T) {
 			expectUpdate: []client.Object{},
 			expectDelete: []client.Object{},
 		},
+		{
+			name:    "Gatewayclass when has sail finalizer but helm fg is disabled should remove the finalizer and status",
+			request: req("openshift-default"),
+			existingObjects: []client.Object{
+				&gatewayapiv1.GatewayClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:       "openshift-default",
+						Finalizers: []string{"openshift.io/ingress-operator-sail-finalizer"},
+					},
+					Spec: gatewayapiv1.GatewayClassSpec{
+						ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"),
+					},
+					Status: gatewayapiv1.GatewayClassStatus{
+						Conditions: []metav1.Condition{
+							{
+								Type:   ControllerInstalledConditionType,
+								Reason: "Something",
+								Status: metav1.ConditionUnknown,
+							},
+							{
+								Type:   CRDsReadyConditionType,
+								Reason: "Otherthing",
+								Status: metav1.ConditionTrue,
+							},
+						},
+					},
+				},
+			},
+			expectPatched: []client.Object{
+				&gatewayapiv1.GatewayClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "openshift-default",
+					},
+					Spec: gatewayapiv1.GatewayClassSpec{
+						ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"),
+					},
+					Status: gatewayapiv1.GatewayClassStatus{
+						Conditions: []metav1.Condition{},
+					},
+				},
+			},
+			expectedStatusPatched: []client.Object{
+				&gatewayapiv1.GatewayClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "openshift-default",
+					},
+					Spec: gatewayapiv1.GatewayClassSpec{
+						ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"),
+					},
+					Status: gatewayapiv1.GatewayClassStatus{
+						Conditions: []metav1.Condition{},
+					},
+				},
+			},
+		},
+		{
+			name:              "Gatewayclass when using helm installer should get finalizer",
+			fakeHelmInstaller: &fakeSailInstaller{},
+			request:           req("openshift-default"),
+			existingObjects: []client.Object{
+				&gatewayapiv1.GatewayClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "openshift-default",
+					},
+					Spec: gatewayapiv1.GatewayClassSpec{
+						ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"),
+					},
+				},
+			},
+			expectPatched: []client.Object{
+				&gatewayapiv1.GatewayClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:       "openshift-default",
+						Finalizers: []string{"openshift.io/ingress-operator-sail-finalizer"},
+					},
+					Spec: gatewayapiv1.GatewayClassSpec{
+						ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"),
+					},
+				},
+			},
+			expectDelete: []client.Object{},
+		},
+		{
+			name:              "Gatewayclass when using helm installer should migrate old Istio instances",
+			fakeHelmInstaller: &fakeSailInstaller{},
+			request:           req("openshift-default"),
+			existingObjects: []client.Object{
+				&gatewayapiv1.GatewayClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:       "openshift-default",
+						Finalizers: []string{"openshift.io/ingress-operator-sail-finalizer"},
+					},
+					Spec: gatewayapiv1.GatewayClassSpec{
+						ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"),
+					},
+				},
+				istioCRD(),
+				istio("v1.24.4", true),
+			},
+			expectPatched: []client.Object{},
+			expectDelete: []client.Object{
+				istio("v1.24.4", true), // Expect this resource to be deleted
+			},
+			expectedResult: reconcile.Result{
+				RequeueAfter: 5 * time.Second,
+			},
+		},
+		{
+			name:              "Gatewayclass when using helm installer and has no istio instance should install via helm",
+			fakeHelmInstaller: &fakeSailInstaller{},
+			request:           req("openshift-default"),
+			existingObjects: []client.Object{
+				&gatewayapiv1.GatewayClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:       "openshift-default",
+						Finalizers: []string{"openshift.io/ingress-operator-sail-finalizer"},
+					},
+					Spec: gatewayapiv1.GatewayClassSpec{
+						ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"),
+					},
+					Status: gatewayapiv1.GatewayClassStatus{
+						Conditions: []metav1.Condition{},
+					},
+				},
+			},
+			expectedStatusPatched: []client.Object{
+				&gatewayapiv1.GatewayClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:       "openshift-default",
+						Finalizers: []string{"openshift.io/ingress-operator-sail-finalizer"},
+					},
+					Spec: gatewayapiv1.GatewayClassSpec{
+						ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"),
+					},
+					Status: gatewayapiv1.GatewayClassStatus{
+						Conditions: []metav1.Condition{
+							{
+								Type:   "ControllerInstalled",
+								Status: metav1.ConditionTrue,
+								Reason: "Installed",
+							},
+							{
+								Type:   "CRDsReady",
+								Status: metav1.ConditionUnknown,
+								Reason: "NoneExist",
+							},
+						},
+					},
+				},
+			},
+		},
+		/* TODO:
+		- Add tests for different conditions
+		- Verify if we can force some error on Istio removal
+		- Add a full "update/downgrade/update" test
+		- Add a test for GatewayClass removal when there are still classes (should not call Uninstall)
+		- Add a test for full removal
+		*/
 	}
 
 	scheme := runtime.NewScheme()
@@ -275,14 +447,20 @@ func Test_Reconcile(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			fakeClient := fake.NewClientBuilder().
 				WithScheme(scheme).
-				WithRuntimeObjects(tc.existingObjects...).
+				WithStatusSubresource(tc.existingObjects...).
+				WithObjects(tc.existingObjects...).
+				// TODO: add index
 				Build()
 			cl := &testutil.FakeClientRecorder{
-				Client:  fakeClient,
+				Client: fakeClient,
+				StatusWriter: &testutil.FakeStatusWriter{
+					StatusWriter: fakeClient.Status(),
+				},
 				T:       t,
 				Added:   []client.Object{},
 				Updated: []client.Object{},
 				Deleted: []client.Object{},
+				Patched: []client.Object{},
 			}
 			gatewayClassController = &testutil.FakeController{
 				T:                     t,
@@ -303,17 +481,27 @@ func Test_Reconcile(t *testing.T) {
 					IstioVersion:              "v1.24.4",
 				},
 			}
+			if tc.fakeHelmInstaller != nil {
+				reconciler.config.GatewayAPIWithoutOLMEnabled = true
+				reconciler.config.SailOperatorReconciler = &SailOperatorReconciler{
+					Installer: tc.fakeHelmInstaller,
+					NotifyCh:  tc.fakeHelmInstaller.Start(context.Background()),
+				}
+			}
 			res, err := reconciler.Reconcile(context.Background(), tc.request)
 			if tc.expectError != "" {
+				require.NotNil(t, err)
 				assert.Contains(t, err.Error(), tc.expectError)
 			} else {
 				assert.NoError(t, err)
 			}
-			assert.Equal(t, reconcile.Result{}, res)
+
+			assert.Equal(t, tc.expectedResult, res)
 			cmpOpts := []cmp.Option{
 				cmpopts.EquateEmpty(),
 				cmpopts.IgnoreFields(metav1.ObjectMeta{}, "ResourceVersion", "OwnerReferences"),
 				cmpopts.IgnoreFields(metav1.TypeMeta{}, "Kind", "APIVersion"),
+				cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime", "Message"),
 				cmpopts.IgnoreFields(operatorsv1alpha1.SubscriptionSpec{}, "Config"),
 				cmpopts.IgnoreFields(apiextensionsv1.CustomResourceDefinition{}, "Spec"),
 			}
@@ -326,6 +514,12 @@ func Test_Reconcile(t *testing.T) {
 			if diff := cmp.Diff(tc.expectDelete, cl.Deleted, cmpOpts...); diff != "" {
 				t.Fatalf("found diff between expected and actual deletes: %s", diff)
 			}
+			if diff := cmp.Diff(tc.expectPatched, cl.Patched, cmpOpts...); diff != "" {
+				t.Fatalf("found diff between expected and actual patches: %s", diff)
+			}
+			if diff := cmp.Diff(tc.expectedStatusPatched, cl.StatusWriter.Patched, cmpOpts...); diff != "" {
+				t.Fatalf("found diff between expected and actual patches: %s", diff)
+			}
 		})
 	}
 }
diff --git a/pkg/operator/controller/gatewayclass/istio.go b/pkg/operator/controller/gatewayclass/istio_olm.go
similarity index 86%
rename from pkg/operator/controller/gatewayclass/istio.go
rename to pkg/operator/controller/gatewayclass/istio_olm.go
index 4e1a1c2b40..05587bf571 100644
--- a/pkg/operator/controller/gatewayclass/istio.go
+++ b/pkg/operator/controller/gatewayclass/istio_olm.go
@@ -9,7 +9,6 @@ import (
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	sailv1 "github.com/istio-ecosystem/sail-operator/api/v1"
-
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -23,10 +22,10 @@ import (
 // cluster-critical priority class in a pod's spec.priorityClassName.
 const systemClusterCriticalPriorityClassName = "system-cluster-critical"
 
-// ensureIstio attempts to ensure that an Istio CR is present and returns a
+// ensureIstioOLM attempts to ensure that an Istio CR is present and returns a
 // Boolean indicating whether it exists, the CR if it exists, and an error
 // value.
-func (r *reconciler) ensureIstio(ctx context.Context, gatewayclass *gatewayapiv1.GatewayClass, istioVersion string) (bool, *sailv1.Istio, error) {
+func (r *reconciler) ensureIstioOLM(ctx context.Context, gatewayclass *gatewayapiv1.GatewayClass, istioVersion string) (bool, *sailv1.Istio, error) {
 	name := controller.IstioName(r.config.OperandNamespace)
 	have, current, err := r.currentIstio(ctx, name)
 	if err != nil {
@@ -95,9 +94,10 @@ func (r *reconciler) crdExists(ctx context.Context, crdName string) (bool, error
 	return true, nil
 }
 
-// desiredIstio returns the desired Istio CR.
-func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference, istioVersion string, enableInferenceExtension bool) *sailv1.Istio {
-	pilotContainerEnv := map[string]string{
+// gatewayAPIPilotEnv returns the pilot environment variables for configuring
+// Istio's Gateway API controller with OpenShift-specific settings.
+func gatewayAPIPilotEnv(enableInferenceExtension bool) map[string]string {
+	env := map[string]string{
 		// Enable Gateway API.
 		"PILOT_ENABLE_GATEWAY_API": "true",
 		// Do not enable experimental Gateway API features.
@@ -146,8 +146,14 @@ func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference, ist
 		"PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false",
 	}
 	if enableInferenceExtension {
-		pilotContainerEnv["ENABLE_GATEWAY_API_INFERENCE_EXTENSION"] = "true"
+		env["ENABLE_GATEWAY_API_INFERENCE_EXTENSION"] = "true"
 	}
+	return env
+}
+
+// desiredIstio returns the desired Istio CR.
+func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference, istioVersion string, enableInferenceExtension bool) *sailv1.Istio {
+	pilotContainerEnv := gatewayAPIPilotEnv(enableInferenceExtension)
 	return &sailv1.Istio{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:       name.Namespace,
@@ -278,3 +284,29 @@ func istioChanged(current, expected *sailv1.Istio) (bool, *sailv1.Istio) {
 
 	return true, updated
 }
+
+// openshiftValues returns the OpenShift-specific value overrides for Istio.
+// These values are merged on top of the gateway-api preset defaults.
+func openshiftValues(enableInferenceExtension bool) *sailv1.Values {
+	pilotEnv := gatewayAPIPilotEnv(enableInferenceExtension)
+
+	return &sailv1.Values{
+		Global: &sailv1.GlobalConfig{
+			DefaultPodDisruptionBudget: &sailv1.DefaultPodDisruptionBudgetConfig{
+				Enabled: ptr.To(false),
+			},
+			IstioNamespace: ptr.To(controller.DefaultOperandNamespace),
+			// Use system-cluster-critical priority for OpenShift system workloads
+			PriorityClassName: ptr.To(systemClusterCriticalPriorityClassName),
+			// OpenShift-specific CA trust bundle
+			TrustBundleName: ptr.To(controller.OpenShiftGatewayCARootCertName),
+		},
+		Pilot: &sailv1.PilotConfig{
+			Env: pilotEnv,
+			// Workload partitioning for OpenShift management workloads
+			PodAnnotations: map[string]string{
+				WorkloadPartitioningManagementAnnotationKey: WorkloadPartitioningManagementPreferredScheduling,
+			},
+		},
+	}
+}
diff --git a/pkg/operator/controller/gatewayclass/istio_sail_installer.go b/pkg/operator/controller/gatewayclass/istio_sail_installer.go
new file mode 100644
index 0000000000..58f4960389
--- /dev/null
+++ b/pkg/operator/controller/gatewayclass/istio_sail_installer.go
@@ -0,0 +1,227 @@
+package gatewayclass
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/install"
+	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
+	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+const (
+	ControllerInstalledConditionType = "ControllerInstalled"
+	CRDsReadyConditionType           = "CRDsReady"
+
+	subscriptionPrefix = "operators.coreos.com/"
+)
+
+// SubscriptionExists is used as a predicate function to allow the library to
+// query CIO if a subscription exists before taking an action over a CRD
+func (r *reconciler) overwriteOLMManagedCRDFunc(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition) bool {
+	// defensive measure
+	if ctx == nil || crd == nil {
+		return false
+	}
+
+	logOverwrite := log.WithValues("crd", crd.GetName())
+
+	labels := crd.GetLabels()
+	if labels == nil {
+		// no labels, we can override
+		return true
+	}
+
+	// This is not a OLM managed CRD
+	if val, ok := labels["olm.managed"]; !ok || val != "true" {
+		return true
+	}
+
+	var subscriptionName, subscriptionNamespace, foundLabel string
+	// we just care about the label name
+	for label := range labels {
+		if after, ok := strings.CutPrefix(label, subscriptionPrefix); ok {
+			// Check if label is on the format we want
+			nameNamespace := strings.SplitN(after, ".", 2)
+			if len(nameNamespace) != 2 {
+				logOverwrite.Info("ignoring invalid OLM label", "label", label)
+				continue
+			}
+			foundLabel = label
+			subscriptionName, subscriptionNamespace = nameNamespace[0], nameNamespace[1]
+			break
+		}
+	}
+
+	if foundLabel == "" || subscriptionName == "" || subscriptionNamespace == "" {
+		logOverwrite.Info("no subscription label found")
+		return true
+	}
+
+	// Check for InstallPlan, which effectively installs CRDs. Even if invalid it
+	// may become valid at some point and overwrite CRDs
+	installPlanList := operatorsv1alpha1.InstallPlanList{}
+	if err := r.cache.List(ctx, &installPlanList, client.HasLabels([]string{foundLabel})); err != nil {
+		log.Error(err, "error trying to find install plans")
+		return false
+	}
+	if len(installPlanList.Items) > 0 {
+		logOverwrite.Info("CRD has valid installPlans, not overwriting")
+		return false
+	}
+
+	// Next check for subscriptions.
+	subscription := operatorsv1alpha1.Subscription{}
+	subscription.SetNamespace(subscriptionNamespace)
+	subscription.SetName(subscriptionName)
+	err := r.cache.Get(ctx, client.ObjectKeyFromObject(&subscription), &subscription)
+	if err != nil {
+		if !errors.IsNotFound(err) {
+			log.Error(err, "error trying to find subscription")
+			return false
+		}
+		// No subscription was found, the CRD can be overwritten
+		return true
+	}
+	// If we are here means we don't have installplans, but we do have subscriptions
+	// which means we may be on an intermediate state
+	return false
+}
+
+// ensureIstio installs or updates Istio using the Sail Library.
+// It returns an error if the installation fails.
+func (r *reconciler) ensureIstio(ctx context.Context, gatewayclass *gatewayapiv1.GatewayClass, istioVersion string) error {
+	if r.config.SailOperatorReconciler == nil || r.config.SailOperatorReconciler.Installer == nil {
+		return fmt.Errorf("internal error: sail operator is null")
+	}
+	sailInstaller := r.config.SailOperatorReconciler.Installer
+
+	enableInferenceExtension, err := r.inferencepoolCrdExists(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to check for InferencePool CRD: %w", err)
+	}
+
+	// Build options from current state
+	opts, err := r.buildInstallerOptions(enableInferenceExtension, istioVersion)
+	if err != nil {
+		return err
+	}
+
+	opts.OverwriteOLMManagedCRD = r.overwriteOLMManagedCRDFunc
+	// Enqueue the request to reconcile. This does not return
+	// any error or status. We validate the status again next, and set
+	// the right conditions on the GatewayClass for it
+	sailInstaller.Apply(opts)
+
+	status := sailInstaller.Status()
+	log.V(1).Info("CRD management result", "status", status.CRDs)
+
+	mapStatusToConditions(status, gatewayclass.Generation, &gatewayclass.Status.Conditions)
+
+	return nil
+}
+
+func (r *reconciler) buildInstallerOptions(enableInferenceExtension bool, istioVersion string) (install.Options, error) {
+	// Start with Gateway API defaults
+	values := install.GatewayAPIDefaults()
+
+	// Apply OpenShift-specific overrides
+	openshiftOverrides := openshiftValues(enableInferenceExtension)
+	values = install.MergeValues(values, openshiftOverrides)
+
+	return install.Options{
+		Namespace:      controller.DefaultOperandNamespace,
+		Revision:       controller.IstioName("").Name,
+		Values:         values,
+		Version:        istioVersion,
+		ManageCRDs:     ptr.To(true),
+		IncludeAllCRDs: ptr.To(true),
+	}, nil
+}
+
+// mapStatusToConditions translates the library Status into GatewayClass conditions.
+func mapStatusToConditions(status install.Status, generation int64, conditions *[]metav1.Condition) {
+	installed := metav1.Condition{
+		Type:               ControllerInstalledConditionType,
+		ObservedGeneration: generation,
+		LastTransitionTime: metav1.Now(),
+	}
+	if status.Installed {
+		installed.Status = metav1.ConditionTrue
+		installed.Reason = "Installed"
+		if status.Error != nil {
+			installed.Message = fmt.Sprintf("istiod %s installed (with warning: %v)", status.Version, status.Error)
+		} else {
+			installed.Message = fmt.Sprintf("istiod %s installed", status.Version)
+		}
+	} else if status.Error != nil {
+		installed.Status = metav1.ConditionFalse
+		installed.Reason = "InstallFailed"
+		installed.Message = status.Error.Error()
+	} else {
+		installed.Status = metav1.ConditionUnknown
+		installed.Reason = "Pending"
+		installed.Message = "waiting for first reconciliation"
+	}
+
+	meta.SetStatusCondition(conditions, installed)
+
+	// CRD condition: reflects CRD ownership state.
+	crd := metav1.Condition{
+		Type:               CRDsReadyConditionType,
+		ObservedGeneration: generation,
+		LastTransitionTime: metav1.Now(),
+	}
+	switch status.CRDState {
+	case install.CRDManagedByCIO:
+		crd.Status = metav1.ConditionTrue
+		crd.Reason = "ManagedByCIO"
+		crd.Message = status.CRDMessage
+	case install.CRDManagedByOLM:
+		crd.Status = metav1.ConditionTrue
+		crd.Reason = "ManagedByOLM"
+		crd.Message = status.CRDMessage
+	case install.CRDNoneExist:
+		crd.Status = metav1.ConditionUnknown
+		crd.Reason = "NoneExist"
+		crd.Message = "CRDs not yet installed"
+	case install.CRDMixedOwnership:
+		crd.Status = metav1.ConditionFalse
+		crd.Reason = "MixedOwnership"
+		crd.Message = getCRDStatusMessage(status)
+	default:
+		crd.Status = metav1.ConditionFalse
+		crd.Reason = "UnknownManagement"
+		crd.Message = getCRDStatusMessage(status)
+	}
+	meta.SetStatusCondition(conditions, crd)
+}
+
+func removeSailOperatorConditions(conditions *[]metav1.Condition) {
+	meta.RemoveStatusCondition(conditions, ControllerInstalledConditionType)
+	meta.RemoveStatusCondition(conditions, CRDsReadyConditionType)
+}
+
+func getCRDStatusMessage(status install.Status) string {
+	var message bytes.Buffer
+	if _, err := message.WriteString(status.CRDMessage); err != nil {
+		log.Error(err, "error writing CRD status", "status", status.CRDMessage)
+	}
+	for _, info := range status.CRDs {
+		crdMsg := fmt.Sprintf("\n- %s: %s", info.Name, info.State)
+		_, err := message.WriteString(crdMsg)
+		if err != nil {
+			log.Error(err, "error writing CRD message", "crd", info.Name)
+		}
+	}
+	return message.String()
+}
diff --git a/pkg/operator/controller/gatewayclass/istio_sail_installer_test.go b/pkg/operator/controller/gatewayclass/istio_sail_installer_test.go
new file mode 100644
index 0000000000..c8c6255dac
--- /dev/null
+++ b/pkg/operator/controller/gatewayclass/istio_sail_installer_test.go
@@ -0,0 +1,55 @@
+package gatewayclass
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/install"
+)
+
+// fakeSailInstaller implements the Istio methods for installation
+// We care for now just about Apply, Uninstall and Status for the reconciliation tests
+type fakeSailInstaller struct {
+	notifyCh     chan struct{}
+	internalOpts install.Options
+	status       install.Status
+}
+
+// Test if implementation adheres the interface
+var _ SailLibraryInstaller = &fakeSailInstaller{}
+
+func (i *fakeSailInstaller) Start(ctx context.Context) <-chan struct{} {
+	i.notifyCh = make(chan struct{})
+	return i.notifyCh
+}
+
+func (i *fakeSailInstaller) Apply(opts install.Options) {
+	// This is where we fake behavior
+	switch opts.Version {
+	case "ok-helm":
+		i.status.Installed = true
+		i.status.CRDState = install.CRDManagedByCIO
+	case "ok-olm":
+		i.status.Installed = true
+		i.status.CRDState = install.CRDManagedByOLM
+	case "ok-mixed":
+		i.status.Installed = true
+		i.status.CRDState = install.CRDMixedOwnership
+	case "broken":
+		i.status.Error = fmt.Errorf("broken installation")
+		i.status.CRDState = install.CRDUnknownManagement
+	default:
+		i.status.Installed = true
+		i.status.CRDState = install.CRDNoneExist
+	}
+}
+
+func (i *fakeSailInstaller) Uninstall(ctx context.Context, namespace, revision string) error {
+	return nil
+}
+
+func (i *fakeSailInstaller) Status() install.Status {
+	return i.status
+}
+
+func (i *fakeSailInstaller) Enqueue() {}
diff --git a/pkg/operator/controller/gatewayclass/migration.go b/pkg/operator/controller/gatewayclass/migration.go
new file mode 100644
index 0000000000..77dadb1216
--- /dev/null
+++ b/pkg/operator/controller/gatewayclass/migration.go
@@ -0,0 +1,104 @@
+package gatewayclass
+
+import (
+	"context"
+	"fmt"
+
+	sailv1 "github.com/istio-ecosystem/sail-operator/api/v1"
+
+	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+)
+
+// ensureOSSMtoSailLibraryMigration handles the upgrade migration from OLM-based
+// Istio installation (4.21) to Helm-based installation via Sail Library (4.22).
+//
+// Steps:
+//  1. Check if old Istio CR exists and delete it if present
+//  2. Wait for Sail Operator to clean up IstioRevision and Helm resources
+//  3. Return nil when cleanup is complete to proceed with Helm-based installation
+//
+// Returns a bool whether the migration is complete and an error.
+//
+// This migration logic can be removed in 4.23+ when 4.21 is no longer supported.
+func (r *reconciler) ensureOSSMtoSailLibraryMigration(ctx context.Context) (bool, error) {
+	// Check if migration is needed.
+	needsMigration, istio, err := r.needsOSSMtoSailLibraryMigration(ctx)
+	if err != nil {
+		return false, fmt.Errorf("failed to check migration status: %w", err)
+	}
+	if !needsMigration {
+		// No Istio CR found, check if we're waiting for IstioRevision cleanup.
+		istioRevisionExists, err := r.istioRevisionExists(ctx)
+		if err != nil {
+			return false, fmt.Errorf("failed to check for IstioRevision: %w", err)
+		}
+		if istioRevisionExists {
+			log.Info("IstioRevision still exists, requeueing to wait for cleanup", "name", controller.IstioName("").Name)
+			return false, nil
+		}
+		return true, nil
+	}
+
+	// Istio CR exists - delete it to trigger Sail Operator cleanup.
+	log.Info("Migrating from OSSM to Sail Library: deleting Istio CR", "name", controller.IstioName(""))
+
+	if err := r.client.Delete(ctx, istio); err != nil {
+		if errors.IsNotFound(err) {
+			// Already deleted between Get and Delete, that's fine.
+			log.Info("Istio CR already deleted during migration", "name", controller.IstioName(""))
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to delete Istio CR: %w", err)
+	}
+
+	// Waiting for istio revision cleanup.
+	return false, nil
+}
+
+func (r *reconciler) needsOSSMtoSailLibraryMigration(ctx context.Context) (bool, *sailv1.Istio, error) {
+	// First check if the Istio CRD exists.
+	istioCrdExists, err := r.crdExists(ctx, "istios.sailoperator.io")
+	if err != nil {
+		return false, nil, fmt.Errorf("failed to check for Istio CRD: %w", err)
+	}
+	if !istioCrdExists {
+		return false, nil, nil
+	}
+
+	// Check if the specific Istio CR "openshift-gateway" exists.
+	name := controller.IstioName(r.config.OperandNamespace)
+	exists, istio, err := r.currentIstio(ctx, name)
+	if err != nil {
+		return false, nil, fmt.Errorf("failed to check for Istio CR: %w", err)
+	}
+	if !exists {
+		return false, nil, nil
+	}
+
+	return true, istio, nil
+}
+
+// istioRevisionExists checks if an IstioRevision resource exists with the expected name.
+func (r *reconciler) istioRevisionExists(ctx context.Context) (bool, error) {
+	istioRevisionCrdExists, err := r.crdExists(ctx, "istiorevisions.sailoperator.io")
+	if err != nil {
+		return false, fmt.Errorf("failed to check for IstioRevision CRD: %w", err)
+	}
+	if !istioRevisionCrdExists {
+		return false, nil
+	}
+
+	// Check if the IstioRevision resource exists.
+	istioRevisionName := controller.IstioName("")
+	istioRevision := &sailv1.IstioRevision{}
+	err = r.client.Get(ctx, istioRevisionName, istioRevision)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to get IstioRevision: %w", err)
+	}
+	return true, nil
+}
diff --git a/pkg/operator/controller/test/util/fake.go b/pkg/operator/controller/test/util/fake.go
index f49acd5af8..026dde81d9 100644
--- a/pkg/operator/controller/test/util/fake.go
+++ b/pkg/operator/controller/test/util/fake.go
@@ -29,6 +29,7 @@ type FakeClientRecorder struct {
 	Added   []client.Object
 	Updated []client.Object
 	Deleted []client.Object
+	Patched []client.Object
 
 	StatusWriter *FakeStatusWriter
 }
@@ -69,6 +70,7 @@ func (c *FakeClientRecorder) Update(ctx context.Context, obj client.Object, opts
 }
 
 func (c *FakeClientRecorder) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error {
+	c.Patched = append(c.Patched, obj)
 	return c.Client.Patch(ctx, obj, patch, opts...)
 }
 
@@ -84,6 +86,7 @@ type FakeStatusWriter struct {
 
 	Added   []client.Object
 	Updated []client.Object
+	Patched []client.Object
 }
 
 func (w *FakeStatusWriter) Create(ctx context.Context, obj client.Object, subResource client.Object, opts ...client.SubResourceCreateOption) error {
@@ -97,6 +100,7 @@ func (w *FakeStatusWriter) Update(ctx context.Context, obj client.Object, opts .
 }
 
 func (w *FakeStatusWriter) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.SubResourcePatchOption) error {
+	w.Patched = append(w.Patched, obj)
 	return w.StatusWriter.Patch(ctx, obj, patch, opts...)
 }
 
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
index ff5457f84b..e9f19095c3 100644
--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
@@ -3,8 +3,12 @@ package operator
 import (
 	"context"
 	"fmt"
+	"os"
+	"strconv"
 	"time"
 
+	"github.com/istio-ecosystem/sail-operator/pkg/install"
+	"github.com/istio-ecosystem/sail-operator/resources"
 	configclient "github.com/openshift/client-go/config/clientset/versioned"
 	configinformers "github.com/openshift/client-go/config/informers/externalversions"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
@@ -136,6 +140,18 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 	azureWorkloadIdentityEnabled := featureGates.Enabled(features.FeatureGateAzureWorkloadIdentity)
 	gatewayAPIEnabled := featureGates.Enabled(features.FeatureGateGatewayAPI)
 	gatewayAPIControllerEnabled := featureGates.Enabled(features.FeatureGateGatewayAPIController)
+	//gatewayAPIWithoutOLMEnabled := featureGates.Enabled(features.FeatureGateGatewayAPIWithoutOLM)
+
+	gatewayAPIWithoutOLMEnabledBool, ok := os.LookupEnv("GATEWAY_HELM")
+	if !ok {
+		gatewayAPIWithoutOLMEnabledBool = "false"
+	}
+
+	gatewayAPIWithoutOLMEnabled, err := strconv.ParseBool(gatewayAPIWithoutOLMEnabledBool)
+	if err != nil {
+		return nil, err
+	}
+
 	routeExternalCertificateEnabled := featureGates.Enabled(features.FeatureGateRouteExternalCertificate)
 	ingressControllerDCMEnabled := featureGates.Enabled(features.FeatureGateIngressControllerDynamicConfigurationManager)
 
@@ -313,14 +329,36 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro
 	// Set up the gatewayclass controller.  This controller is unmanaged by
 	// the manager; the gatewayapi controller starts it after it creates the
 	// Gateway API CRDs.
-	gatewayClassController, err := gatewayclasscontroller.NewUnmanaged(mgr, gatewayclasscontroller.Config{
-		OperatorNamespace:         config.Namespace,
-		OperandNamespace:          operatorcontroller.DefaultOperandNamespace,
-		GatewayAPIOperatorCatalog: config.GatewayAPIOperatorCatalog,
-		GatewayAPIOperatorChannel: config.GatewayAPIOperatorChannel,
-		GatewayAPIOperatorVersion: config.GatewayAPIOperatorVersion,
-		IstioVersion:              config.IstioVersion,
-	})
+	//
+	gatewayclassControllerConfig := gatewayclasscontroller.Config{
+		KubeConfig:                  kubeConfig,
+		OperatorNamespace:           config.Namespace,
+		OperandNamespace:            operatorcontroller.DefaultOperandNamespace,
+		GatewayAPIOperatorCatalog:   config.GatewayAPIOperatorCatalog,
+		GatewayAPIOperatorChannel:   config.GatewayAPIOperatorChannel,
+		GatewayAPIOperatorVersion:   config.GatewayAPIOperatorVersion,
+		GatewayAPIWithoutOLMEnabled: gatewayAPIWithoutOLMEnabled,
+		IstioVersion:                config.IstioVersion,
+	}
+
+	// Gated Feature - For Non-OLM install, we start the sail-operator library that
+	// does the reconciliation of CRDs and resources.
+	// Starting this library returns a channel, that can be used by the reconciliation
+	// process to receive notifications from the library informer and kick a new GatewayClass
+	// reconciliation.
+	if gatewayAPIWithoutOLMEnabled {
+		installer, err := install.New(mgr.GetConfig(), resources.FS)
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize sail-operator installation library: %w", err)
+		}
+		notifyCh := installer.Start(ctx)
+		gatewayclassControllerConfig.SailOperatorReconciler = &gatewayclasscontroller.SailOperatorReconciler{
+			NotifyCh:  notifyCh,
+			Installer: installer,
+		}
+	}
+
+	gatewayClassController, err := gatewayclasscontroller.NewUnmanaged(mgr, gatewayclassControllerConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create gatewayclass controller: %w", err)
 	}
diff --git a/vendor/cloud.google.com/go/compute/metadata/CHANGES.md b/vendor/cloud.google.com/go/compute/metadata/CHANGES.md
index 1f848ce0b3..e384683c50 100644
--- a/vendor/cloud.google.com/go/compute/metadata/CHANGES.md
+++ b/vendor/cloud.google.com/go/compute/metadata/CHANGES.md
@@ -1,5 +1,47 @@
 # Changes
 
+## [0.9.0](https://github.com/googleapis/google-cloud-go/compare/compute/metadata/v0.8.4...compute/metadata/v0.9.0) (2025-09-24)
+
+
+### Features
+
+* **compute/metadata:** Retry on HTTP 429 ([#12932](https://github.com/googleapis/google-cloud-go/issues/12932)) ([1e91f5c](https://github.com/googleapis/google-cloud-go/commit/1e91f5c07acacd38ecdd4ff3e83e092b745e0bc2))
+
+## [0.8.4](https://github.com/googleapis/google-cloud-go/compare/compute/metadata/v0.8.3...compute/metadata/v0.8.4) (2025-09-18)
+
+
+### Bug Fixes
+
+* **compute/metadata:** Set subClient for UseDefaultClient case ([#12911](https://github.com/googleapis/google-cloud-go/issues/12911)) ([9e2646b](https://github.com/googleapis/google-cloud-go/commit/9e2646b1821231183fd775bb107c062865eeaccd))
+
+## [0.8.3](https://github.com/googleapis/google-cloud-go/compare/compute/metadata/v0.8.2...compute/metadata/v0.8.3) (2025-09-17)
+
+
+### Bug Fixes
+
+* **compute/metadata:** Disable Client timeouts for subscription client ([#12910](https://github.com/googleapis/google-cloud-go/issues/12910)) ([187a58a](https://github.com/googleapis/google-cloud-go/commit/187a58a540494e1e8562b046325b8cad8cf7af4a))
+
+## [0.8.2](https://github.com/googleapis/google-cloud-go/compare/compute/metadata/v0.8.1...compute/metadata/v0.8.2) (2025-09-17)
+
+
+### Bug Fixes
+
+* **compute/metadata:** Racy test and uninitialized subClient ([#12892](https://github.com/googleapis/google-cloud-go/issues/12892)) ([4943ca2](https://github.com/googleapis/google-cloud-go/commit/4943ca2bf83908a23806247bc4252dfb440d09cc)), refs [#12888](https://github.com/googleapis/google-cloud-go/issues/12888)
+
+## [0.8.1](https://github.com/googleapis/google-cloud-go/compare/compute/metadata/v0.8.0...compute/metadata/v0.8.1) (2025-09-16)
+
+
+### Bug Fixes
+
+* **compute/metadata:** Use separate client for subscribe methods  ([#12885](https://github.com/googleapis/google-cloud-go/issues/12885)) ([76b80f8](https://github.com/googleapis/google-cloud-go/commit/76b80f8df9bf9339d175407e8c15936fe1ac1c9c))
+
+## [0.8.0](https://github.com/googleapis/google-cloud-go/compare/compute/metadata/v0.7.0...compute/metadata/v0.8.0) (2025-08-06)
+
+
+### Features
+
+* **compute/metadata:** Add Options.UseDefaultClient ([#12657](https://github.com/googleapis/google-cloud-go/issues/12657)) ([1a88209](https://github.com/googleapis/google-cloud-go/commit/1a8820900f20e038291c4bb2c5284a449196e81f)), refs [#11078](https://github.com/googleapis/google-cloud-go/issues/11078)
+
 ## [0.7.0](https://github.com/googleapis/google-cloud-go/compare/compute/metadata/v0.6.0...compute/metadata/v0.7.0) (2025-05-13)
 
 
diff --git a/vendor/cloud.google.com/go/compute/metadata/metadata.go b/vendor/cloud.google.com/go/compute/metadata/metadata.go
index 322be8032d..6bd1891660 100644
--- a/vendor/cloud.google.com/go/compute/metadata/metadata.go
+++ b/vendor/cloud.google.com/go/compute/metadata/metadata.go
@@ -22,6 +22,7 @@ package metadata // import "cloud.google.com/go/compute/metadata"
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"log/slog"
@@ -62,21 +63,26 @@ var (
 )
 
 var defaultClient = &Client{
-	hc:     newDefaultHTTPClient(),
-	logger: slog.New(noOpHandler{}),
+	hc:        newDefaultHTTPClient(true),
+	subClient: newDefaultHTTPClient(false),
+	logger:    slog.New(noOpHandler{}),
 }
 
-func newDefaultHTTPClient() *http.Client {
-	return &http.Client{
-		Transport: &http.Transport{
-			Dial: (&net.Dialer{
-				Timeout:   2 * time.Second,
-				KeepAlive: 30 * time.Second,
-			}).Dial,
-			IdleConnTimeout: 60 * time.Second,
-		},
-		Timeout: 5 * time.Second,
+func newDefaultHTTPClient(enableTimeouts bool) *http.Client {
+	transport := &http.Transport{
+		Dial: (&net.Dialer{
+			Timeout:   2 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial,
 	}
+	c := &http.Client{
+		Transport: transport,
+	}
+	if enableTimeouts {
+		transport.IdleConnTimeout = 60 * time.Second
+		c.Timeout = 5 * time.Second
+	}
+	return c
 }
 
 // NotDefinedError is returned when requested metadata is not defined.
@@ -350,42 +356,74 @@ func strsContains(ss []string, s string) bool {
 
 // A Client provides metadata.
 type Client struct {
-	hc     *http.Client
-	logger *slog.Logger
+	hc *http.Client
+	// subClient by default is a HTTP Client that is only used for subscribe
+	// methods that should not specify a timeout. If the user specifies a client
+	// this with be the same as 'hc'.
+	subClient *http.Client
+	logger    *slog.Logger
 }
 
 // Options for configuring a [Client].
 type Options struct {
 	// Client is the HTTP client used to make requests. Optional.
+	// If UseDefaultClient is true, this field is ignored.
+	// If this field is nil, a new default http.Client will be created.
 	Client *http.Client
 	// Logger is used to log information about HTTP request and responses.
 	// If not provided, nothing will be logged. Optional.
 	Logger *slog.Logger
+	// UseDefaultClient specifies that the client should use the same default
+	// internal http.Client that is used in functions such as GetWithContext.
+	// This is useful for sharing a single TCP connection pool across requests.
+	// The difference vs GetWithContext is the ability to use this struct
+	// to provide a custom logger. If this field is true, the Client
+	// field is ignored.
+	UseDefaultClient bool
 }
 
 // NewClient returns a Client that can be used to fetch metadata.
 // Returns the client that uses the specified http.Client for HTTP requests.
-// If nil is specified, returns the default client.
+// If nil is specified, returns the default internal Client that is
+// also used in functions such as GetWithContext. This is useful for sharing
+// a single TCP connection pool across requests.
 func NewClient(c *http.Client) *Client {
-	return NewWithOptions(&Options{
-		Client: c,
-	})
+	if c == nil {
+		// Preserve original behavior for nil argument.
+		return defaultClient
+	}
+	// Return a new client with a no-op logger for backward compatibility.
+	return &Client{hc: c, subClient: c, logger: slog.New(noOpHandler{})}
 }
 
 // NewWithOptions returns a Client that is configured with the provided Options.
 func NewWithOptions(opts *Options) *Client {
+	// Preserve original behavior for nil opts.
 	if opts == nil {
 		return defaultClient
 	}
+
+	// Handle explicit request for the internal default http.Client.
+	if opts.UseDefaultClient {
+		logger := opts.Logger
+		if logger == nil {
+			logger = slog.New(noOpHandler{})
+		}
+		return &Client{hc: defaultClient.hc, subClient: defaultClient.subClient, logger: logger}
+	}
+
+	// Handle isolated client creation.
 	client := opts.Client
+	subClient := opts.Client
 	if client == nil {
-		client = newDefaultHTTPClient()
+		client = newDefaultHTTPClient(true)
+		subClient = newDefaultHTTPClient(false)
 	}
 	logger := opts.Logger
 	if logger == nil {
 		logger = slog.New(noOpHandler{})
 	}
-	return &Client{hc: client, logger: logger}
+	return &Client{hc: client, subClient: subClient, logger: logger}
 }
 
 // NOTE: metadataRequestStrategy is assigned to a variable for test stubbing purposes.
@@ -469,6 +507,10 @@ func (c *Client) OnGCEWithContext(ctx context.Context) bool {
 // getETag returns a value from the metadata service as well as the associated ETag.
 // This func is otherwise equivalent to Get.
 func (c *Client) getETag(ctx context.Context, suffix string) (value, etag string, err error) {
+	return c.getETagWithSubClient(ctx, suffix, false)
+}
+
+func (c *Client) getETagWithSubClient(ctx context.Context, suffix string, enableSubClient bool) (value, etag string, err error) {
 	// Using a fixed IP makes it very difficult to spoof the metadata service in
 	// a container, which is an important use-case for local testing of cloud
 	// deployments. To enable spoofing of the metadata service, the environment
@@ -495,9 +537,13 @@ func (c *Client) getETag(ctx context.Context, suffix string) (value, etag string
 	var reqErr error
 	var body []byte
 	retryer := newRetryer()
+	hc := c.hc
+	if enableSubClient {
+		hc = c.subClient
+	}
 	for {
 		c.logger.DebugContext(ctx, "metadata request", "request", httpRequest(req, nil))
-		res, reqErr = c.hc.Do(req)
+		res, reqErr = hc.Do(req)
 		var code int
 		if res != nil {
 			code = res.StatusCode
@@ -843,7 +889,7 @@ func (c *Client) SubscribeWithContext(ctx context.Context, suffix string, fn fun
 	const failedSubscribeSleep = time.Second * 5
 
 	// First check to see if the metadata value exists at all.
-	val, lastETag, err := c.getETag(ctx, suffix)
+	val, lastETag, err := c.getETagWithSubClient(ctx, suffix, true)
 	if err != nil {
 		return err
 	}
@@ -859,8 +905,11 @@ func (c *Client) SubscribeWithContext(ctx context.Context, suffix string, fn fun
 		suffix += "?wait_for_change=true&last_etag="
 	}
 	for {
-		val, etag, err := c.getETag(ctx, suffix+url.QueryEscape(lastETag))
+		val, etag, err := c.getETagWithSubClient(ctx, suffix+url.QueryEscape(lastETag), true)
 		if err != nil {
+			if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+				return err
+			}
 			if _, deleted := err.(NotDefinedError); !deleted {
 				time.Sleep(failedSubscribeSleep)
 				continue // Retry on other errors.
diff --git a/vendor/cloud.google.com/go/compute/metadata/retry.go b/vendor/cloud.google.com/go/compute/metadata/retry.go
index 3d4bc75ddf..d516f30f80 100644
--- a/vendor/cloud.google.com/go/compute/metadata/retry.go
+++ b/vendor/cloud.google.com/go/compute/metadata/retry.go
@@ -95,6 +95,9 @@ func shouldRetry(status int, err error) bool {
 	if 500 <= status && status <= 599 {
 		return true
 	}
+	if status == http.StatusTooManyRequests {
+		return true
+	}
 	if err == io.ErrUnexpectedEOF {
 		return true
 	}
diff --git a/vendor/dario.cat/mergo/.deepsource.toml b/vendor/dario.cat/mergo/.deepsource.toml
new file mode 100644
index 0000000000..a8bc979e02
--- /dev/null
+++ b/vendor/dario.cat/mergo/.deepsource.toml
@@ -0,0 +1,12 @@
+version = 1
+
+test_patterns = [
+  "*_test.go"
+]
+
+[[analyzers]]
+name = "go"
+enabled = true
+
+  [analyzers.meta]
+  import_path = "dario.cat/mergo"
\ No newline at end of file
diff --git a/vendor/dario.cat/mergo/.gitignore b/vendor/dario.cat/mergo/.gitignore
new file mode 100644
index 0000000000..45ad0f1ae3
--- /dev/null
+++ b/vendor/dario.cat/mergo/.gitignore
@@ -0,0 +1,36 @@
+#### joe made this: http://goel.io/joe
+
+#### go ####
+# Binaries for programs and plugins
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Golang/Intellij
+.idea
+
+# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
+.glide/
+
+#### vim ####
+# Swap
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-v][a-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
diff --git a/vendor/dario.cat/mergo/.travis.yml b/vendor/dario.cat/mergo/.travis.yml
new file mode 100644
index 0000000000..d324c43ba4
--- /dev/null
+++ b/vendor/dario.cat/mergo/.travis.yml
@@ -0,0 +1,12 @@
+language: go
+arch:
+    - amd64
+    - ppc64le
+install:
+  - go get -t
+  - go get golang.org/x/tools/cmd/cover
+  - go get github.com/mattn/goveralls
+script:
+  - go test -race -v ./...
+after_script:
+  - $HOME/gopath/bin/goveralls -service=travis-ci -repotoken $COVERALLS_TOKEN
diff --git a/vendor/dario.cat/mergo/CODE_OF_CONDUCT.md b/vendor/dario.cat/mergo/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000000..469b44907a
--- /dev/null
+++ b/vendor/dario.cat/mergo/CODE_OF_CONDUCT.md
@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at i@dario.im. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/
diff --git a/vendor/dario.cat/mergo/CONTRIBUTING.md b/vendor/dario.cat/mergo/CONTRIBUTING.md
new file mode 100644
index 0000000000..0a1ff9f94d
--- /dev/null
+++ b/vendor/dario.cat/mergo/CONTRIBUTING.md
@@ -0,0 +1,112 @@
+<!-- omit in toc -->
+# Contributing to mergo
+
+First off, thanks for taking the time to contribute! ��
+
+All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 🎉
+
+> And if you like the project, but just don't have time to contribute, that's fine. There are other easy ways to support the project and show your appreciation, which we would also be very happy about:
+> - Star the project
+> - Tweet about it
+> - Refer this project in your project's readme
+> - Mention the project at local meetups and tell your friends/colleagues
+
+<!-- omit in toc -->
+## Table of Contents
+
+- [Code of Conduct](#code-of-conduct)
+- [I Have a Question](#i-have-a-question)
+- [I Want To Contribute](#i-want-to-contribute)
+- [Reporting Bugs](#reporting-bugs)
+- [Suggesting Enhancements](#suggesting-enhancements)
+
+## Code of Conduct
+
+This project and everyone participating in it is governed by the
+[mergo Code of Conduct](https://github.com/imdario/mergoblob/master/CODE_OF_CONDUCT.md).
+By participating, you are expected to uphold this code. Please report unacceptable behavior
+to <>.
+
+
+## I Have a Question
+
+> If you want to ask a question, we assume that you have read the available [Documentation](https://pkg.go.dev/github.com/imdario/mergo).
+
+Before you ask a question, it is best to search for existing [Issues](https://github.com/imdario/mergo/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
+
+If you then still feel the need to ask a question and need clarification, we recommend the following:
+
+- Open an [Issue](https://github.com/imdario/mergo/issues/new).
+- Provide as much context as you can about what you're running into.
+- Provide project and platform versions (nodejs, npm, etc), depending on what seems relevant.
+
+We will then take care of the issue as soon as possible.
+
+## I Want To Contribute
+
+> ### Legal Notice <!-- omit in toc -->
+> When contributing to this project, you must agree that you have authored 100% of the content, that you have the necessary rights to the content and that the content you contribute may be provided under the project license.
+
+### Reporting Bugs
+
+<!-- omit in toc -->
+#### Before Submitting a Bug Report
+
+A good bug report shouldn't leave others needing to chase you up for more information. Therefore, we ask you to investigate carefully, collect information and describe the issue in detail in your report. Please complete the following steps in advance to help us fix any potential bug as fast as possible.
+
+- Make sure that you are using the latest version.
+- Determine if your bug is really a bug and not an error on your side e.g. using incompatible environment components/versions (Make sure that you have read the [documentation](). If you are looking for support, you might want to check [this section](#i-have-a-question)).
+- To see if other users have experienced (and potentially already solved) the same issue you are having, check if there is not already a bug report existing for your bug or error in the [bug tracker](https://github.com/imdario/mergoissues?q=label%3Abug).
+- Also make sure to search the internet (including Stack Overflow) to see if users outside of the GitHub community have discussed the issue.
+- Collect information about the bug:
+- Stack trace (Traceback)
+- OS, Platform and Version (Windows, Linux, macOS, x86, ARM)
+- Version of the interpreter, compiler, SDK, runtime environment, package manager, depending on what seems relevant.
+- Possibly your input and the output
+- Can you reliably reproduce the issue? And can you also reproduce it with older versions?
+
+<!-- omit in toc -->
+#### How Do I Submit a Good Bug Report?
+
+> You must never report security related issues, vulnerabilities or bugs including sensitive information to the issue tracker, or elsewhere in public. Instead sensitive bugs must be sent by email to .
+<!-- You may add a PGP key to allow the messages to be sent encrypted as well. -->
+
+We use GitHub issues to track bugs and errors. If you run into an issue with the project:
+
+- Open an [Issue](https://github.com/imdario/mergo/issues/new). (Since we can't be sure at this point whether it is a bug or not, we ask you not to talk about a bug yet and not to label the issue.)
+- Explain the behavior you would expect and the actual behavior.
+- Please provide as much context as possible and describe the *reproduction steps* that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case.
+- Provide the information you collected in the previous section.
+
+Once it's filed:
+
+- The project team will label the issue accordingly.
+- A team member will try to reproduce the issue with your provided steps. If there are no reproduction steps or no obvious way to reproduce the issue, the team will ask you for those steps and mark the issue as `needs-repro`. Bugs with the `needs-repro` tag will not be addressed until they are reproduced.
+- If the team is able to reproduce the issue, it will be marked `needs-fix`, as well as possibly other tags (such as `critical`), and the issue will be left to be implemented by someone.
+
+### Suggesting Enhancements
+
+This section guides you through submitting an enhancement suggestion for mergo, **including completely new features and minor improvements to existing functionality**. Following these guidelines will help maintainers and the community to understand your suggestion and find related suggestions.
+
+<!-- omit in toc -->
+#### Before Submitting an Enhancement
+
+- Make sure that you are using the latest version.
+- Read the [documentation]() carefully and find out if the functionality is already covered, maybe by an individual configuration.
+- Perform a [search](https://github.com/imdario/mergo/issues) to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one.
+- Find out whether your idea fits with the scope and aims of the project. It's up to you to make a strong case to convince the project's developers of the merits of this feature. Keep in mind that we want features that will be useful to the majority of our users and not just a small subset. If you're just targeting a minority of users, consider writing an add-on/plugin library.
+
+<!-- omit in toc -->
+#### How Do I Submit a Good Enhancement Suggestion?
+
+Enhancement suggestions are tracked as [GitHub issues](https://github.com/imdario/mergo/issues).
+
+- Use a **clear and descriptive title** for the issue to identify the suggestion.
+- Provide a **step-by-step description of the suggested enhancement** in as many details as possible.
+- **Describe the current behavior** and **explain which behavior you expected to see instead** and why. At this point you can also tell which alternatives do not work for you.
+- You may want to **include screenshots and animated GIFs** which help you demonstrate the steps or point out the part which the suggestion is related to. You can use [this tool](https://www.cockos.com/licecap/) to record GIFs on macOS and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux. <!-- this should only be included if the project has a GUI -->
+- **Explain why this enhancement would be useful** to most mergo users. You may also want to point out the other projects that solved it better and which could serve as inspiration.
+
+<!-- omit in toc -->
+## Attribution
+This guide is based on the **contributing-gen**. [Make your own](https://github.com/bttger/contributing-gen)!
diff --git a/vendor/dario.cat/mergo/FUNDING.json b/vendor/dario.cat/mergo/FUNDING.json
new file mode 100644
index 0000000000..0585e1fe13
--- /dev/null
+++ b/vendor/dario.cat/mergo/FUNDING.json
@@ -0,0 +1,7 @@
+{
+  "drips": {
+    "ethereum": {
+      "ownedBy": "0x6160020e7102237aC41bdb156e94401692D76930"
+    }
+  }
+}
diff --git a/vendor/dario.cat/mergo/LICENSE b/vendor/dario.cat/mergo/LICENSE
new file mode 100644
index 0000000000..686680298d
--- /dev/null
+++ b/vendor/dario.cat/mergo/LICENSE
@@ -0,0 +1,28 @@
+Copyright (c) 2013 Dario Castañé. All rights reserved.
+Copyright (c) 2012 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/dario.cat/mergo/README.md b/vendor/dario.cat/mergo/README.md
new file mode 100644
index 0000000000..0e4a59afd9
--- /dev/null
+++ b/vendor/dario.cat/mergo/README.md
@@ -0,0 +1,253 @@
+# Mergo
+
+[![GitHub release][5]][6]
+[![GoCard][7]][8]
+[![Test status][1]][2]
+[![OpenSSF Scorecard][21]][22]
+[![OpenSSF Best Practices][19]][20]
+[![Coverage status][9]][10]
+[![Sourcegraph][11]][12]
+[![FOSSA status][13]][14]
+
+[![GoDoc][3]][4]
+[![Become my sponsor][15]][16]
+[![Tidelift][17]][18]
+
+[1]: https://github.com/imdario/mergo/workflows/tests/badge.svg?branch=master
+[2]: https://github.com/imdario/mergo/actions/workflows/tests.yml
+[3]: https://godoc.org/github.com/imdario/mergo?status.svg
+[4]: https://godoc.org/github.com/imdario/mergo
+[5]: https://img.shields.io/github/release/imdario/mergo.svg
+[6]: https://github.com/imdario/mergo/releases
+[7]: https://goreportcard.com/badge/imdario/mergo
+[8]: https://goreportcard.com/report/github.com/imdario/mergo
+[9]: https://coveralls.io/repos/github/imdario/mergo/badge.svg?branch=master
+[10]: https://coveralls.io/github/imdario/mergo?branch=master
+[11]: https://sourcegraph.com/github.com/imdario/mergo/-/badge.svg
+[12]: https://sourcegraph.com/github.com/imdario/mergo?badge
+[13]: https://app.fossa.io/api/projects/git%2Bgithub.com%2Fimdario%2Fmergo.svg?type=shield
+[14]: https://app.fossa.io/projects/git%2Bgithub.com%2Fimdario%2Fmergo?ref=badge_shield
+[15]: https://img.shields.io/github/sponsors/imdario
+[16]: https://github.com/sponsors/imdario
+[17]: https://tidelift.com/badges/package/go/github.com%2Fimdario%2Fmergo
+[18]: https://tidelift.com/subscription/pkg/go-github.com-imdario-mergo
+[19]: https://bestpractices.coreinfrastructure.org/projects/7177/badge
+[20]: https://bestpractices.coreinfrastructure.org/projects/7177
+[21]: https://api.securityscorecards.dev/projects/github.com/imdario/mergo/badge
+[22]: https://api.securityscorecards.dev/projects/github.com/imdario/mergo
+
+A helper to merge structs and maps in Golang. Useful for configuration default values, avoiding messy if-statements.
+
+Mergo merges same-type structs and maps by setting default values in zero-value fields. Mergo won't merge unexported (private) fields. It will do recursively any exported one. It also won't merge structs inside maps (because they are not addressable using Go reflection).
+
+Also a lovely [comune](http://en.wikipedia.org/wiki/Mergo) (municipality) in the Province of Ancona in the Italian region of Marche.
+
+## Status
+
+Mergo is stable and frozen, ready for production. Check a short list of the projects using at large scale it [here](https://github.com/imdario/mergo#mergo-in-the-wild).
+
+No new features are accepted. They will be considered for a future v2 that improves the implementation and fixes bugs for corner cases.
+
+### Important notes
+
+#### 1.0.0
+
+In [1.0.0](//github.com/imdario/mergo/releases/tag/1.0.0) Mergo moves to a vanity URL `dario.cat/mergo`. No more v1 versions will be released.
+
+If the vanity URL is causing issues in your project due to a dependency pulling Mergo - it isn't a direct dependency in your project - it is recommended to use [replace](https://github.com/golang/go/wiki/Modules#when-should-i-use-the-replace-directive) to pin the version to the last one with the old import URL:
+
+```
+replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16
+```
+
+#### 0.3.9
+
+Please keep in mind that a problematic PR broke [0.3.9](//github.com/imdario/mergo/releases/tag/0.3.9). I reverted it in [0.3.10](//github.com/imdario/mergo/releases/tag/0.3.10), and I consider it stable but not bug-free. Also, this version adds support for go modules.
+
+Keep in mind that in [0.3.2](//github.com/imdario/mergo/releases/tag/0.3.2), Mergo changed `Merge()`and `Map()` signatures to support [transformers](#transformers). I added an optional/variadic argument so that it won't break the existing code.
+
+If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with ```go get -u dario.cat/mergo```. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0).
+
+### Donations
+
+If Mergo is useful to you, consider buying me a coffee, a beer, or making a monthly donation to allow me to keep building great free software. :heart_eyes:
+
+<a href="https://liberapay.com/dario/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a>
+<a href='https://github.com/sponsors/imdario' target='_blank'><img alt="Become my sponsor" src="https://img.shields.io/github/sponsors/imdario?style=for-the-badge" /></a>
+
+### Mergo in the wild
+
+Mergo is used by [thousands](https://deps.dev/go/dario.cat%2Fmergo/v1.0.0/dependents) [of](https://deps.dev/go/github.com%2Fimdario%2Fmergo/v0.3.16/dependents) [projects](https://deps.dev/go/github.com%2Fimdario%2Fmergo/v0.3.12), including:
+
+* [containerd/containerd](https://github.com/containerd/containerd)
+* [datadog/datadog-agent](https://github.com/datadog/datadog-agent)
+* [docker/cli/](https://github.com/docker/cli/)
+* [goreleaser/goreleaser](https://github.com/goreleaser/goreleaser)
+* [go-micro/go-micro](https://github.com/go-micro/go-micro)
+* [grafana/loki](https://github.com/grafana/loki)
+* [masterminds/sprig](github.com/Masterminds/sprig)
+* [moby/moby](https://github.com/moby/moby)
+* [slackhq/nebula](https://github.com/slackhq/nebula)
+* [volcano-sh/volcano](https://github.com/volcano-sh/volcano)
+
+## Install
+
+    go get dario.cat/mergo
+
+    // use in your .go code
+    import (
+        "dario.cat/mergo"
+    )
+
+## Usage
+
+You can only merge same-type structs with exported fields initialized as zero value of their type and same-types maps. Mergo won't merge unexported (private) fields but will do recursively any exported one. It won't merge empty structs value as [they are zero values](https://golang.org/ref/spec#The_zero_value) too. Also, maps will be merged recursively except for structs inside maps (because they are not addressable using Go reflection).
+
+```go
+if err := mergo.Merge(&dst, src); err != nil {
+    // ...
+}
+```
+
+Also, you can merge overwriting values using the transformer `WithOverride`.
+
+```go
+if err := mergo.Merge(&dst, src, mergo.WithOverride); err != nil {
+    // ...
+}
+```
+
+If you need to override pointers, so the source pointer's value is assigned to the destination's pointer, you must use `WithoutDereference`:
+
+```go
+package main
+
+import (
+	"fmt"
+
+	"dario.cat/mergo"
+)
+
+type Foo struct {
+	A *string
+	B int64
+}
+
+func main() {
+	first := "first"
+	second := "second"
+	src := Foo{
+		A: &first,
+		B: 2,
+	}
+
+	dest := Foo{
+		A: &second,
+		B: 1,
+	}
+
+	mergo.Merge(&dest, src, mergo.WithOverride, mergo.WithoutDereference)
+}
+```
+
+Additionally, you can map a `map[string]interface{}` to a struct (and otherwise, from struct to map), following the same restrictions as in `Merge()`. Keys are capitalized to find each corresponding exported field.
+
+```go
+if err := mergo.Map(&dst, srcMap); err != nil {
+    // ...
+}
+```
+
+Warning: if you map a struct to map, it won't do it recursively. Don't expect Mergo to map struct members of your struct as `map[string]interface{}`. They will be just assigned as values.
+
+Here is a nice example:
+
+```go
+package main
+
+import (
+	"fmt"
+	"dario.cat/mergo"
+)
+
+type Foo struct {
+	A string
+	B int64
+}
+
+func main() {
+	src := Foo{
+		A: "one",
+		B: 2,
+	}
+	dest := Foo{
+		A: "two",
+	}
+	mergo.Merge(&dest, src)
+	fmt.Println(dest)
+	// Will print
+	// {two 2}
+}
+```
+
+### Transformers
+
+Transformers allow to merge specific types differently than in the default behavior. In other words, now you can customize how some types are merged. For example, `time.Time` is a struct; it doesn't have zero value but IsZero can return true because it has fields with zero value. How can we merge a non-zero `time.Time`?
+
+```go
+package main
+
+import (
+	"fmt"
+	"dario.cat/mergo"
+    "reflect"
+    "time"
+)
+
+type timeTransformer struct {
+}
+
+func (t timeTransformer) Transformer(typ reflect.Type) func(dst, src reflect.Value) error {
+	if typ == reflect.TypeOf(time.Time{}) {
+		return func(dst, src reflect.Value) error {
+			if dst.CanSet() {
+				isZero := dst.MethodByName("IsZero")
+				result := isZero.Call([]reflect.Value{})
+				if result[0].Bool() {
+					dst.Set(src)
+				}
+			}
+			return nil
+		}
+	}
+	return nil
+}
+
+type Snapshot struct {
+	Time time.Time
+	// ...
+}
+
+func main() {
+	src := Snapshot{time.Now()}
+	dest := Snapshot{}
+	mergo.Merge(&dest, src, mergo.WithTransformers(timeTransformer{}))
+	fmt.Println(dest)
+	// Will print
+	// { 2018-01-12 01:15:00 +0000 UTC m=+0.000000001 }
+}
+```
+
+## Contact me
+
+If I can help you, you have an idea or you are using Mergo in your projects, don't hesitate to drop me a line (or a pull request): [@im_dario](https://twitter.com/im_dario)
+
+## About
+
+Written by [Dario Castañé](http://dario.im).
+
+## License
+
+[BSD 3-Clause](http://opensource.org/licenses/BSD-3-Clause) license, as [Go language](http://golang.org/LICENSE).
+
+[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fimdario%2Fmergo.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fimdario%2Fmergo?ref=badge_large)
diff --git a/vendor/dario.cat/mergo/SECURITY.md b/vendor/dario.cat/mergo/SECURITY.md
new file mode 100644
index 0000000000..3788fcc1c2
--- /dev/null
+++ b/vendor/dario.cat/mergo/SECURITY.md
@@ -0,0 +1,14 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
diff --git a/vendor/dario.cat/mergo/doc.go b/vendor/dario.cat/mergo/doc.go
new file mode 100644
index 0000000000..7d96ec0546
--- /dev/null
+++ b/vendor/dario.cat/mergo/doc.go
@@ -0,0 +1,148 @@
+// Copyright 2013 Dario Castañé. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+A helper to merge structs and maps in Golang. Useful for configuration default values, avoiding messy if-statements.
+
+Mergo merges same-type structs and maps by setting default values in zero-value fields. Mergo won't merge unexported (private) fields. It will do recursively any exported one. It also won't merge structs inside maps (because they are not addressable using Go reflection).
+
+# Status
+
+It is ready for production use. It is used in several projects by Docker, Google, The Linux Foundation, VMWare, Shopify, etc.
+
+# Important notes
+
+1.0.0
+
+In 1.0.0 Mergo moves to a vanity URL `dario.cat/mergo`.
+
+0.3.9
+
+Please keep in mind that a problematic PR broke 0.3.9. We reverted it in 0.3.10. We consider 0.3.10 as stable but not bug-free. . Also, this version adds suppot for go modules.
+
+Keep in mind that in 0.3.2, Mergo changed Merge() and Map() signatures to support transformers. We added an optional/variadic argument so that it won't break the existing code.
+
+If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with go get -u dario.cat/mergo. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0).
+
+# Install
+
+Do your usual installation procedure:
+
+	go get dario.cat/mergo
+
+	// use in your .go code
+	import (
+	    "dario.cat/mergo"
+	)
+
+# Usage
+
+You can only merge same-type structs with exported fields initialized as zero value of their type and same-types maps. Mergo won't merge unexported (private) fields but will do recursively any exported one. It won't merge empty structs value as they are zero values too. Also, maps will be merged recursively except for structs inside maps (because they are not addressable using Go reflection).
+
+	if err := mergo.Merge(&dst, src); err != nil {
+		// ...
+	}
+
+Also, you can merge overwriting values using the transformer WithOverride.
+
+	if err := mergo.Merge(&dst, src, mergo.WithOverride); err != nil {
+		// ...
+	}
+
+Additionally, you can map a map[string]interface{} to a struct (and otherwise, from struct to map), following the same restrictions as in Merge(). Keys are capitalized to find each corresponding exported field.
+
+	if err := mergo.Map(&dst, srcMap); err != nil {
+		// ...
+	}
+
+Warning: if you map a struct to map, it won't do it recursively. Don't expect Mergo to map struct members of your struct as map[string]interface{}. They will be just assigned as values.
+
+Here is a nice example:
+
+	package main
+
+	import (
+		"fmt"
+		"dario.cat/mergo"
+	)
+
+	type Foo struct {
+		A string
+		B int64
+	}
+
+	func main() {
+		src := Foo{
+			A: "one",
+			B: 2,
+		}
+		dest := Foo{
+			A: "two",
+		}
+		mergo.Merge(&dest, src)
+		fmt.Println(dest)
+		// Will print
+		// {two 2}
+	}
+
+# Transformers
+
+Transformers allow to merge specific types differently than in the default behavior. In other words, now you can customize how some types are merged. For example, time.Time is a struct; it doesn't have zero value but IsZero can return true because it has fields with zero value. How can we merge a non-zero time.Time?
+
+	package main
+
+	import (
+		"fmt"
+		"dario.cat/mergo"
+		"reflect"
+		"time"
+	)
+
+	type timeTransformer struct {
+	}
+
+	func (t timeTransformer) Transformer(typ reflect.Type) func(dst, src reflect.Value) error {
+		if typ == reflect.TypeOf(time.Time{}) {
+			return func(dst, src reflect.Value) error {
+				if dst.CanSet() {
+					isZero := dst.MethodByName("IsZero")
+					result := isZero.Call([]reflect.Value{})
+					if result[0].Bool() {
+						dst.Set(src)
+					}
+				}
+				return nil
+			}
+		}
+		return nil
+	}
+
+	type Snapshot struct {
+		Time time.Time
+		// ...
+	}
+
+	func main() {
+		src := Snapshot{time.Now()}
+		dest := Snapshot{}
+		mergo.Merge(&dest, src, mergo.WithTransformers(timeTransformer{}))
+		fmt.Println(dest)
+		// Will print
+		// { 2018-01-12 01:15:00 +0000 UTC m=+0.000000001 }
+	}
+
+# Contact me
+
+If I can help you, you have an idea or you are using Mergo in your projects, don't hesitate to drop me a line (or a pull request): https://twitter.com/im_dario
+
+# About
+
+Written by Dario Castañé: https://da.rio.hn
+
+# License
+
+BSD 3-Clause license, as Go language.
+*/
+package mergo
diff --git a/vendor/dario.cat/mergo/map.go b/vendor/dario.cat/mergo/map.go
new file mode 100644
index 0000000000..759b4f74fd
--- /dev/null
+++ b/vendor/dario.cat/mergo/map.go
@@ -0,0 +1,178 @@
+// Copyright 2014 Dario Castañé. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Based on src/pkg/reflect/deepequal.go from official
+// golang's stdlib.
+
+package mergo
+
+import (
+	"fmt"
+	"reflect"
+	"unicode"
+	"unicode/utf8"
+)
+
+func changeInitialCase(s string, mapper func(rune) rune) string {
+	if s == "" {
+		return s
+	}
+	r, n := utf8.DecodeRuneInString(s)
+	return string(mapper(r)) + s[n:]
+}
+
+func isExported(field reflect.StructField) bool {
+	r, _ := utf8.DecodeRuneInString(field.Name)
+	return r >= 'A' && r <= 'Z'
+}
+
+// Traverses recursively both values, assigning src's fields values to dst.
+// The map argument tracks comparisons that have already been seen, which allows
+// short circuiting on recursive types.
+func deepMap(dst, src reflect.Value, visited map[uintptr]*visit, depth int, config *Config) (err error) {
+	overwrite := config.Overwrite
+	if dst.CanAddr() {
+		addr := dst.UnsafeAddr()
+		h := 17 * addr
+		seen := visited[h]
+		typ := dst.Type()
+		for p := seen; p != nil; p = p.next {
+			if p.ptr == addr && p.typ == typ {
+				return nil
+			}
+		}
+		// Remember, remember...
+		visited[h] = &visit{typ, seen, addr}
+	}
+	zeroValue := reflect.Value{}
+	switch dst.Kind() {
+	case reflect.Map:
+		dstMap := dst.Interface().(map[string]interface{})
+		for i, n := 0, src.NumField(); i < n; i++ {
+			srcType := src.Type()
+			field := srcType.Field(i)
+			if !isExported(field) {
+				continue
+			}
+			fieldName := field.Name
+			fieldName = changeInitialCase(fieldName, unicode.ToLower)
+			if _, ok := dstMap[fieldName]; !ok || (!isEmptyValue(reflect.ValueOf(src.Field(i).Interface()), !config.ShouldNotDereference) && overwrite) || config.overwriteWithEmptyValue {
+				dstMap[fieldName] = src.Field(i).Interface()
+			}
+		}
+	case reflect.Ptr:
+		if dst.IsNil() {
+			v := reflect.New(dst.Type().Elem())
+			dst.Set(v)
+		}
+		dst = dst.Elem()
+		fallthrough
+	case reflect.Struct:
+		srcMap := src.Interface().(map[string]interface{})
+		for key := range srcMap {
+			config.overwriteWithEmptyValue = true
+			srcValue := srcMap[key]
+			fieldName := changeInitialCase(key, unicode.ToUpper)
+			dstElement := dst.FieldByName(fieldName)
+			if dstElement == zeroValue {
+				// We discard it because the field doesn't exist.
+				continue
+			}
+			srcElement := reflect.ValueOf(srcValue)
+			dstKind := dstElement.Kind()
+			srcKind := srcElement.Kind()
+			if srcKind == reflect.Ptr && dstKind != reflect.Ptr {
+				srcElement = srcElement.Elem()
+				srcKind = reflect.TypeOf(srcElement.Interface()).Kind()
+			} else if dstKind == reflect.Ptr {
+				// Can this work? I guess it can't.
+				if srcKind != reflect.Ptr && srcElement.CanAddr() {
+					srcPtr := srcElement.Addr()
+					srcElement = reflect.ValueOf(srcPtr)
+					srcKind = reflect.Ptr
+				}
+			}
+
+			if !srcElement.IsValid() {
+				continue
+			}
+			if srcKind == dstKind {
+				if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil {
+					return
+				}
+			} else if dstKind == reflect.Interface && dstElement.Kind() == reflect.Interface {
+				if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil {
+					return
+				}
+			} else if srcKind == reflect.Map {
+				if err = deepMap(dstElement, srcElement, visited, depth+1, config); err != nil {
+					return
+				}
+			} else {
+				return fmt.Errorf("type mismatch on %s field: found %v, expected %v", fieldName, srcKind, dstKind)
+			}
+		}
+	}
+	return
+}
+
+// Map sets fields' values in dst from src.
+// src can be a map with string keys or a struct. dst must be the opposite:
+// if src is a map, dst must be a valid pointer to struct. If src is a struct,
+// dst must be map[string]interface{}.
+// It won't merge unexported (private) fields and will do recursively
+// any exported field.
+// If dst is a map, keys will be src fields' names in lower camel case.
+// Missing key in src that doesn't match a field in dst will be skipped. This
+// doesn't apply if dst is a map.
+// This is separated method from Merge because it is cleaner and it keeps sane
+// semantics: merging equal types, mapping different (restricted) types.
+func Map(dst, src interface{}, opts ...func(*Config)) error {
+	return _map(dst, src, opts...)
+}
+
+// MapWithOverwrite will do the same as Map except that non-empty dst attributes will be overridden by
+// non-empty src attribute values.
+// Deprecated: Use Map(…) with WithOverride
+func MapWithOverwrite(dst, src interface{}, opts ...func(*Config)) error {
+	return _map(dst, src, append(opts, WithOverride)...)
+}
+
+func _map(dst, src interface{}, opts ...func(*Config)) error {
+	if dst != nil && reflect.ValueOf(dst).Kind() != reflect.Ptr {
+		return ErrNonPointerArgument
+	}
+	var (
+		vDst, vSrc reflect.Value
+		err        error
+	)
+	config := &Config{}
+
+	for _, opt := range opts {
+		opt(config)
+	}
+
+	if vDst, vSrc, err = resolveValues(dst, src); err != nil {
+		return err
+	}
+	// To be friction-less, we redirect equal-type arguments
+	// to deepMerge. Only because arguments can be anything.
+	if vSrc.Kind() == vDst.Kind() {
+		return deepMerge(vDst, vSrc, make(map[uintptr]*visit), 0, config)
+	}
+	switch vSrc.Kind() {
+	case reflect.Struct:
+		if vDst.Kind() != reflect.Map {
+			return ErrExpectedMapAsDestination
+		}
+	case reflect.Map:
+		if vDst.Kind() != reflect.Struct {
+			return ErrExpectedStructAsDestination
+		}
+	default:
+		return ErrNotSupported
+	}
+	return deepMap(vDst, vSrc, make(map[uintptr]*visit), 0, config)
+}
diff --git a/vendor/dario.cat/mergo/merge.go b/vendor/dario.cat/mergo/merge.go
new file mode 100644
index 0000000000..fd47c95b2b
--- /dev/null
+++ b/vendor/dario.cat/mergo/merge.go
@@ -0,0 +1,409 @@
+// Copyright 2013 Dario Castañé. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Based on src/pkg/reflect/deepequal.go from official
+// golang's stdlib.
+
+package mergo
+
+import (
+	"fmt"
+	"reflect"
+)
+
+func hasMergeableFields(dst reflect.Value) (exported bool) {
+	for i, n := 0, dst.NumField(); i < n; i++ {
+		field := dst.Type().Field(i)
+		if field.Anonymous && dst.Field(i).Kind() == reflect.Struct {
+			exported = exported || hasMergeableFields(dst.Field(i))
+		} else if isExportedComponent(&field) {
+			exported = exported || len(field.PkgPath) == 0
+		}
+	}
+	return
+}
+
+func isExportedComponent(field *reflect.StructField) bool {
+	pkgPath := field.PkgPath
+	if len(pkgPath) > 0 {
+		return false
+	}
+	c := field.Name[0]
+	if 'a' <= c && c <= 'z' || c == '_' {
+		return false
+	}
+	return true
+}
+
+type Config struct {
+	Transformers                 Transformers
+	Overwrite                    bool
+	ShouldNotDereference         bool
+	AppendSlice                  bool
+	TypeCheck                    bool
+	overwriteWithEmptyValue      bool
+	overwriteSliceWithEmptyValue bool
+	sliceDeepCopy                bool
+	debug                        bool
+}
+
+type Transformers interface {
+	Transformer(reflect.Type) func(dst, src reflect.Value) error
+}
+
+// Traverses recursively both values, assigning src's fields values to dst.
+// The map argument tracks comparisons that have already been seen, which allows
+// short circuiting on recursive types.
+func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, config *Config) (err error) {
+	overwrite := config.Overwrite
+	typeCheck := config.TypeCheck
+	overwriteWithEmptySrc := config.overwriteWithEmptyValue
+	overwriteSliceWithEmptySrc := config.overwriteSliceWithEmptyValue
+	sliceDeepCopy := config.sliceDeepCopy
+
+	if !src.IsValid() {
+		return
+	}
+	if dst.CanAddr() {
+		addr := dst.UnsafeAddr()
+		h := 17 * addr
+		seen := visited[h]
+		typ := dst.Type()
+		for p := seen; p != nil; p = p.next {
+			if p.ptr == addr && p.typ == typ {
+				return nil
+			}
+		}
+		// Remember, remember...
+		visited[h] = &visit{typ, seen, addr}
+	}
+
+	if config.Transformers != nil && !isReflectNil(dst) && dst.IsValid() {
+		if fn := config.Transformers.Transformer(dst.Type()); fn != nil {
+			err = fn(dst, src)
+			return
+		}
+	}
+
+	switch dst.Kind() {
+	case reflect.Struct:
+		if hasMergeableFields(dst) {
+			for i, n := 0, dst.NumField(); i < n; i++ {
+				if err = deepMerge(dst.Field(i), src.Field(i), visited, depth+1, config); err != nil {
+					return
+				}
+			}
+		} else {
+			if dst.CanSet() && (isReflectNil(dst) || overwrite) && (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc) {
+				dst.Set(src)
+			}
+		}
+	case reflect.Map:
+		if dst.IsNil() && !src.IsNil() {
+			if dst.CanSet() {
+				dst.Set(reflect.MakeMap(dst.Type()))
+			} else {
+				dst = src
+				return
+			}
+		}
+
+		if src.Kind() != reflect.Map {
+			if overwrite && dst.CanSet() {
+				dst.Set(src)
+			}
+			return
+		}
+
+		for _, key := range src.MapKeys() {
+			srcElement := src.MapIndex(key)
+			if !srcElement.IsValid() {
+				continue
+			}
+			dstElement := dst.MapIndex(key)
+			switch srcElement.Kind() {
+			case reflect.Chan, reflect.Func, reflect.Map, reflect.Interface, reflect.Slice:
+				if srcElement.IsNil() {
+					if overwrite {
+						dst.SetMapIndex(key, srcElement)
+					}
+					continue
+				}
+				fallthrough
+			default:
+				if !srcElement.CanInterface() {
+					continue
+				}
+				switch reflect.TypeOf(srcElement.Interface()).Kind() {
+				case reflect.Struct:
+					fallthrough
+				case reflect.Ptr:
+					fallthrough
+				case reflect.Map:
+					srcMapElm := srcElement
+					dstMapElm := dstElement
+					if srcMapElm.CanInterface() {
+						srcMapElm = reflect.ValueOf(srcMapElm.Interface())
+						if dstMapElm.IsValid() {
+							dstMapElm = reflect.ValueOf(dstMapElm.Interface())
+						}
+					}
+					if err = deepMerge(dstMapElm, srcMapElm, visited, depth+1, config); err != nil {
+						return
+					}
+				case reflect.Slice:
+					srcSlice := reflect.ValueOf(srcElement.Interface())
+
+					var dstSlice reflect.Value
+					if !dstElement.IsValid() || dstElement.IsNil() {
+						dstSlice = reflect.MakeSlice(srcSlice.Type(), 0, srcSlice.Len())
+					} else {
+						dstSlice = reflect.ValueOf(dstElement.Interface())
+					}
+
+					if (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) && !config.AppendSlice && !sliceDeepCopy {
+						if typeCheck && srcSlice.Type() != dstSlice.Type() {
+							return fmt.Errorf("cannot override two slices with different type (%s, %s)", srcSlice.Type(), dstSlice.Type())
+						}
+						dstSlice = srcSlice
+					} else if config.AppendSlice {
+						if srcSlice.Type() != dstSlice.Type() {
+							return fmt.Errorf("cannot append two slices with different type (%s, %s)", srcSlice.Type(), dstSlice.Type())
+						}
+						dstSlice = reflect.AppendSlice(dstSlice, srcSlice)
+					} else if sliceDeepCopy {
+						i := 0
+						for ; i < srcSlice.Len() && i < dstSlice.Len(); i++ {
+							srcElement := srcSlice.Index(i)
+							dstElement := dstSlice.Index(i)
+
+							if srcElement.CanInterface() {
+								srcElement = reflect.ValueOf(srcElement.Interface())
+							}
+							if dstElement.CanInterface() {
+								dstElement = reflect.ValueOf(dstElement.Interface())
+							}
+
+							if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil {
+								return
+							}
+						}
+
+					}
+					dst.SetMapIndex(key, dstSlice)
+				}
+			}
+
+			if dstElement.IsValid() && !isEmptyValue(dstElement, !config.ShouldNotDereference) {
+				if reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Slice {
+					continue
+				}
+				if reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Map && reflect.TypeOf(dstElement.Interface()).Kind() == reflect.Map {
+					continue
+				}
+			}
+
+			if srcElement.IsValid() && ((srcElement.Kind() != reflect.Ptr && overwrite) || !dstElement.IsValid() || isEmptyValue(dstElement, !config.ShouldNotDereference)) {
+				if dst.IsNil() {
+					dst.Set(reflect.MakeMap(dst.Type()))
+				}
+				dst.SetMapIndex(key, srcElement)
+			}
+		}
+
+		// Ensure that all keys in dst are deleted if they are not in src.
+		if overwriteWithEmptySrc {
+			for _, key := range dst.MapKeys() {
+				srcElement := src.MapIndex(key)
+				if !srcElement.IsValid() {
+					dst.SetMapIndex(key, reflect.Value{})
+				}
+			}
+		}
+	case reflect.Slice:
+		if !dst.CanSet() {
+			break
+		}
+		if (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) && !config.AppendSlice && !sliceDeepCopy {
+			dst.Set(src)
+		} else if config.AppendSlice {
+			if src.Type() != dst.Type() {
+				return fmt.Errorf("cannot append two slice with different type (%s, %s)", src.Type(), dst.Type())
+			}
+			dst.Set(reflect.AppendSlice(dst, src))
+		} else if sliceDeepCopy {
+			for i := 0; i < src.Len() && i < dst.Len(); i++ {
+				srcElement := src.Index(i)
+				dstElement := dst.Index(i)
+				if srcElement.CanInterface() {
+					srcElement = reflect.ValueOf(srcElement.Interface())
+				}
+				if dstElement.CanInterface() {
+					dstElement = reflect.ValueOf(dstElement.Interface())
+				}
+
+				if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil {
+					return
+				}
+			}
+		}
+	case reflect.Ptr:
+		fallthrough
+	case reflect.Interface:
+		if isReflectNil(src) {
+			if overwriteWithEmptySrc && dst.CanSet() && src.Type().AssignableTo(dst.Type()) {
+				dst.Set(src)
+			}
+			break
+		}
+
+		if src.Kind() != reflect.Interface {
+			if dst.IsNil() || (src.Kind() != reflect.Ptr && overwrite) {
+				if dst.CanSet() && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) {
+					dst.Set(src)
+				}
+			} else if src.Kind() == reflect.Ptr {
+				if !config.ShouldNotDereference {
+					if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil {
+						return
+					}
+				} else if src.Elem().Kind() != reflect.Struct {
+					if overwriteWithEmptySrc || (overwrite && !src.IsNil()) || dst.IsNil() {
+						dst.Set(src)
+					}
+				}
+			} else if dst.Elem().Type() == src.Type() {
+				if err = deepMerge(dst.Elem(), src, visited, depth+1, config); err != nil {
+					return
+				}
+			} else {
+				return ErrDifferentArgumentsTypes
+			}
+			break
+		}
+
+		if dst.IsNil() || overwrite {
+			if dst.CanSet() && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) {
+				dst.Set(src)
+			}
+			break
+		}
+
+		if dst.Elem().Kind() == src.Elem().Kind() {
+			if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil {
+				return
+			}
+			break
+		}
+	default:
+		mustSet := (isEmptyValue(dst, !config.ShouldNotDereference) || overwrite) && (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc)
+		if mustSet {
+			if dst.CanSet() {
+				dst.Set(src)
+			} else {
+				dst = src
+			}
+		}
+	}
+
+	return
+}
+
+// Merge will fill any empty for value type attributes on the dst struct using corresponding
+// src attributes if they themselves are not empty. dst and src must be valid same-type structs
+// and dst must be a pointer to struct.
+// It won't merge unexported (private) fields and will do recursively any exported field.
+func Merge(dst, src interface{}, opts ...func(*Config)) error {
+	return merge(dst, src, opts...)
+}
+
+// MergeWithOverwrite will do the same as Merge except that non-empty dst attributes will be overridden by
+// non-empty src attribute values.
+// Deprecated: use Merge(…) with WithOverride
+func MergeWithOverwrite(dst, src interface{}, opts ...func(*Config)) error {
+	return merge(dst, src, append(opts, WithOverride)...)
+}
+
+// WithTransformers adds transformers to merge, allowing to customize the merging of some types.
+func WithTransformers(transformers Transformers) func(*Config) {
+	return func(config *Config) {
+		config.Transformers = transformers
+	}
+}
+
+// WithOverride will make merge override non-empty dst attributes with non-empty src attributes values.
+func WithOverride(config *Config) {
+	config.Overwrite = true
+}
+
+// WithOverwriteWithEmptyValue will make merge override non empty dst attributes with empty src attributes values.
+func WithOverwriteWithEmptyValue(config *Config) {
+	config.Overwrite = true
+	config.overwriteWithEmptyValue = true
+}
+
+// WithOverrideEmptySlice will make merge override empty dst slice with empty src slice.
+func WithOverrideEmptySlice(config *Config) {
+	config.overwriteSliceWithEmptyValue = true
+}
+
+// WithoutDereference prevents dereferencing pointers when evaluating whether they are empty
+// (i.e. a non-nil pointer is never considered empty).
+func WithoutDereference(config *Config) {
+	config.ShouldNotDereference = true
+}
+
+// WithAppendSlice will make merge append slices instead of overwriting it.
+func WithAppendSlice(config *Config) {
+	config.AppendSlice = true
+}
+
+// WithTypeCheck will make merge check types while overwriting it (must be used with WithOverride).
+func WithTypeCheck(config *Config) {
+	config.TypeCheck = true
+}
+
+// WithSliceDeepCopy will merge slice element one by one with Overwrite flag.
+func WithSliceDeepCopy(config *Config) {
+	config.sliceDeepCopy = true
+	config.Overwrite = true
+}
+
+func merge(dst, src interface{}, opts ...func(*Config)) error {
+	if dst != nil && reflect.ValueOf(dst).Kind() != reflect.Ptr {
+		return ErrNonPointerArgument
+	}
+	var (
+		vDst, vSrc reflect.Value
+		err        error
+	)
+
+	config := &Config{}
+
+	for _, opt := range opts {
+		opt(config)
+	}
+
+	if vDst, vSrc, err = resolveValues(dst, src); err != nil {
+		return err
+	}
+	if vDst.Type() != vSrc.Type() {
+		return ErrDifferentArgumentsTypes
+	}
+	return deepMerge(vDst, vSrc, make(map[uintptr]*visit), 0, config)
+}
+
+// IsReflectNil is the reflect value provided nil
+func isReflectNil(v reflect.Value) bool {
+	k := v.Kind()
+	switch k {
+	case reflect.Interface, reflect.Slice, reflect.Chan, reflect.Func, reflect.Map, reflect.Ptr:
+		// Both interface and slice are nil if first word is 0.
+		// Both are always bigger than a word; assume flagIndir.
+		return v.IsNil()
+	default:
+		return false
+	}
+}
diff --git a/vendor/dario.cat/mergo/mergo.go b/vendor/dario.cat/mergo/mergo.go
new file mode 100644
index 0000000000..0a721e2d85
--- /dev/null
+++ b/vendor/dario.cat/mergo/mergo.go
@@ -0,0 +1,81 @@
+// Copyright 2013 Dario Castañé. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Based on src/pkg/reflect/deepequal.go from official
+// golang's stdlib.
+
+package mergo
+
+import (
+	"errors"
+	"reflect"
+)
+
+// Errors reported by Mergo when it finds invalid arguments.
+var (
+	ErrNilArguments                = errors.New("src and dst must not be nil")
+	ErrDifferentArgumentsTypes     = errors.New("src and dst must be of same type")
+	ErrNotSupported                = errors.New("only structs, maps, and slices are supported")
+	ErrExpectedMapAsDestination    = errors.New("dst was expected to be a map")
+	ErrExpectedStructAsDestination = errors.New("dst was expected to be a struct")
+	ErrNonPointerArgument          = errors.New("dst must be a pointer")
+)
+
+// During deepMerge, must keep track of checks that are
+// in progress.  The comparison algorithm assumes that all
+// checks in progress are true when it reencounters them.
+// Visited are stored in a map indexed by 17 * a1 + a2;
+type visit struct {
+	typ  reflect.Type
+	next *visit
+	ptr  uintptr
+}
+
+// From src/pkg/encoding/json/encode.go.
+func isEmptyValue(v reflect.Value, shouldDereference bool) bool {
+	switch v.Kind() {
+	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
+		return v.Len() == 0
+	case reflect.Bool:
+		return !v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return v.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() == 0
+	case reflect.Interface, reflect.Ptr:
+		if v.IsNil() {
+			return true
+		}
+		if shouldDereference {
+			return isEmptyValue(v.Elem(), shouldDereference)
+		}
+		return false
+	case reflect.Func:
+		return v.IsNil()
+	case reflect.Invalid:
+		return true
+	}
+	return false
+}
+
+func resolveValues(dst, src interface{}) (vDst, vSrc reflect.Value, err error) {
+	if dst == nil || src == nil {
+		err = ErrNilArguments
+		return
+	}
+	vDst = reflect.ValueOf(dst).Elem()
+	if vDst.Kind() != reflect.Struct && vDst.Kind() != reflect.Map && vDst.Kind() != reflect.Slice {
+		err = ErrNotSupported
+		return
+	}
+	vSrc = reflect.ValueOf(src)
+	// We check if vSrc is a pointer to dereference it.
+	if vSrc.Kind() == reflect.Ptr {
+		vSrc = vSrc.Elem()
+	}
+	return
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/LICENSE b/vendor/github.com/Azure/go-ansiterm/LICENSE
new file mode 100644
index 0000000000..e3d9a64d1d
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/Azure/go-ansiterm/README.md b/vendor/github.com/Azure/go-ansiterm/README.md
new file mode 100644
index 0000000000..261c041e7a
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/README.md
@@ -0,0 +1,12 @@
+# go-ansiterm
+
+This is a cross platform Ansi Terminal Emulation library.  It reads a stream of Ansi characters and produces the appropriate function calls.  The results of the function calls are platform dependent.
+
+For example the parser might receive "ESC, [, A" as a stream of three characters.  This is the code for Cursor Up (http://www.vt100.net/docs/vt510-rm/CUU).  The parser then calls the cursor up function (CUU()) on an event handler.  The event handler determines what platform specific work must be done to cause the cursor to move up one position.
+
+The parser (parser.go) is a partial implementation of this state machine (http://vt100.net/emu/vt500_parser.png).  There are also two event handler implementations, one for tests (test_event_handler.go) to validate that the expected events are being produced and called, the other is a Windows implementation (winterm/win_event_handler.go).
+
+See parser_test.go for examples exercising the state machine and generating appropriate function calls.
+
+-----
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
diff --git a/vendor/github.com/Azure/go-ansiterm/SECURITY.md b/vendor/github.com/Azure/go-ansiterm/SECURITY.md
new file mode 100644
index 0000000000..e138ec5d6a
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/SECURITY.md
@@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
diff --git a/vendor/github.com/Azure/go-ansiterm/constants.go b/vendor/github.com/Azure/go-ansiterm/constants.go
new file mode 100644
index 0000000000..96504a33bc
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/constants.go
@@ -0,0 +1,188 @@
+package ansiterm
+
+const LogEnv = "DEBUG_TERMINAL"
+
+// ANSI constants
+// References:
+// -- http://www.ecma-international.org/publications/standards/Ecma-048.htm
+// -- http://man7.org/linux/man-pages/man4/console_codes.4.html
+// -- http://manpages.ubuntu.com/manpages/intrepid/man4/console_codes.4.html
+// -- http://en.wikipedia.org/wiki/ANSI_escape_code
+// -- http://vt100.net/emu/dec_ansi_parser
+// -- http://vt100.net/emu/vt500_parser.svg
+// -- http://invisible-island.net/xterm/ctlseqs/ctlseqs.html
+// -- http://www.inwap.com/pdp10/ansicode.txt
+const (
+	// ECMA-48 Set Graphics Rendition
+	// Note:
+	// -- Constants leading with an underscore (e.g., _ANSI_xxx) are unsupported or reserved
+	// -- Fonts could possibly be supported via SetCurrentConsoleFontEx
+	// -- Windows does not expose the per-window cursor (i.e., caret) blink times
+	ANSI_SGR_RESET              = 0
+	ANSI_SGR_BOLD               = 1
+	ANSI_SGR_DIM                = 2
+	_ANSI_SGR_ITALIC            = 3
+	ANSI_SGR_UNDERLINE          = 4
+	_ANSI_SGR_BLINKSLOW         = 5
+	_ANSI_SGR_BLINKFAST         = 6
+	ANSI_SGR_REVERSE            = 7
+	_ANSI_SGR_INVISIBLE         = 8
+	_ANSI_SGR_LINETHROUGH       = 9
+	_ANSI_SGR_FONT_00           = 10
+	_ANSI_SGR_FONT_01           = 11
+	_ANSI_SGR_FONT_02           = 12
+	_ANSI_SGR_FONT_03           = 13
+	_ANSI_SGR_FONT_04           = 14
+	_ANSI_SGR_FONT_05           = 15
+	_ANSI_SGR_FONT_06           = 16
+	_ANSI_SGR_FONT_07           = 17
+	_ANSI_SGR_FONT_08           = 18
+	_ANSI_SGR_FONT_09           = 19
+	_ANSI_SGR_FONT_10           = 20
+	_ANSI_SGR_DOUBLEUNDERLINE   = 21
+	ANSI_SGR_BOLD_DIM_OFF       = 22
+	_ANSI_SGR_ITALIC_OFF        = 23
+	ANSI_SGR_UNDERLINE_OFF      = 24
+	_ANSI_SGR_BLINK_OFF         = 25
+	_ANSI_SGR_RESERVED_00       = 26
+	ANSI_SGR_REVERSE_OFF        = 27
+	_ANSI_SGR_INVISIBLE_OFF     = 28
+	_ANSI_SGR_LINETHROUGH_OFF   = 29
+	ANSI_SGR_FOREGROUND_BLACK   = 30
+	ANSI_SGR_FOREGROUND_RED     = 31
+	ANSI_SGR_FOREGROUND_GREEN   = 32
+	ANSI_SGR_FOREGROUND_YELLOW  = 33
+	ANSI_SGR_FOREGROUND_BLUE    = 34
+	ANSI_SGR_FOREGROUND_MAGENTA = 35
+	ANSI_SGR_FOREGROUND_CYAN    = 36
+	ANSI_SGR_FOREGROUND_WHITE   = 37
+	_ANSI_SGR_RESERVED_01       = 38
+	ANSI_SGR_FOREGROUND_DEFAULT = 39
+	ANSI_SGR_BACKGROUND_BLACK   = 40
+	ANSI_SGR_BACKGROUND_RED     = 41
+	ANSI_SGR_BACKGROUND_GREEN   = 42
+	ANSI_SGR_BACKGROUND_YELLOW  = 43
+	ANSI_SGR_BACKGROUND_BLUE    = 44
+	ANSI_SGR_BACKGROUND_MAGENTA = 45
+	ANSI_SGR_BACKGROUND_CYAN    = 46
+	ANSI_SGR_BACKGROUND_WHITE   = 47
+	_ANSI_SGR_RESERVED_02       = 48
+	ANSI_SGR_BACKGROUND_DEFAULT = 49
+	// 50 - 65: Unsupported
+
+	ANSI_MAX_CMD_LENGTH = 4096
+
+	MAX_INPUT_EVENTS = 128
+	DEFAULT_WIDTH    = 80
+	DEFAULT_HEIGHT   = 24
+
+	ANSI_BEL              = 0x07
+	ANSI_BACKSPACE        = 0x08
+	ANSI_TAB              = 0x09
+	ANSI_LINE_FEED        = 0x0A
+	ANSI_VERTICAL_TAB     = 0x0B
+	ANSI_FORM_FEED        = 0x0C
+	ANSI_CARRIAGE_RETURN  = 0x0D
+	ANSI_ESCAPE_PRIMARY   = 0x1B
+	ANSI_ESCAPE_SECONDARY = 0x5B
+	ANSI_OSC_STRING_ENTRY = 0x5D
+	ANSI_COMMAND_FIRST    = 0x40
+	ANSI_COMMAND_LAST     = 0x7E
+	DCS_ENTRY             = 0x90
+	CSI_ENTRY             = 0x9B
+	OSC_STRING            = 0x9D
+	ANSI_PARAMETER_SEP    = ";"
+	ANSI_CMD_G0           = '('
+	ANSI_CMD_G1           = ')'
+	ANSI_CMD_G2           = '*'
+	ANSI_CMD_G3           = '+'
+	ANSI_CMD_DECPNM       = '>'
+	ANSI_CMD_DECPAM       = '='
+	ANSI_CMD_OSC          = ']'
+	ANSI_CMD_STR_TERM     = '\\'
+
+	KEY_CONTROL_PARAM_2 = ";2"
+	KEY_CONTROL_PARAM_3 = ";3"
+	KEY_CONTROL_PARAM_4 = ";4"
+	KEY_CONTROL_PARAM_5 = ";5"
+	KEY_CONTROL_PARAM_6 = ";6"
+	KEY_CONTROL_PARAM_7 = ";7"
+	KEY_CONTROL_PARAM_8 = ";8"
+	KEY_ESC_CSI         = "\x1B["
+	KEY_ESC_N           = "\x1BN"
+	KEY_ESC_O           = "\x1BO"
+
+	FILL_CHARACTER = ' '
+)
+
+func getByteRange(start byte, end byte) []byte {
+	bytes := make([]byte, 0, 32)
+	for i := start; i <= end; i++ {
+		bytes = append(bytes, byte(i))
+	}
+
+	return bytes
+}
+
+var toGroundBytes = getToGroundBytes()
+var executors = getExecuteBytes()
+
+// SPACE		  20+A0 hex  Always and everywhere a blank space
+// Intermediate	  20-2F hex   !"#$%&'()*+,-./
+var intermeds = getByteRange(0x20, 0x2F)
+
+// Parameters	  30-3F hex  0123456789:;<=>?
+// CSI Parameters 30-39, 3B hex 0123456789;
+var csiParams = getByteRange(0x30, 0x3F)
+
+var csiCollectables = append(getByteRange(0x30, 0x39), getByteRange(0x3B, 0x3F)...)
+
+// Uppercase	  40-5F hex  @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
+var upperCase = getByteRange(0x40, 0x5F)
+
+// Lowercase	  60-7E hex  `abcdefghijlkmnopqrstuvwxyz{|}~
+var lowerCase = getByteRange(0x60, 0x7E)
+
+// Alphabetics	  40-7E hex  (all of upper and lower case)
+var alphabetics = append(upperCase, lowerCase...)
+
+var printables = getByteRange(0x20, 0x7F)
+
+var escapeIntermediateToGroundBytes = getByteRange(0x30, 0x7E)
+var escapeToGroundBytes = getEscapeToGroundBytes()
+
+// See http://www.vt100.net/emu/vt500_parser.png for description of the complex
+// byte ranges below
+
+func getEscapeToGroundBytes() []byte {
+	escapeToGroundBytes := getByteRange(0x30, 0x4F)
+	escapeToGroundBytes = append(escapeToGroundBytes, getByteRange(0x51, 0x57)...)
+	escapeToGroundBytes = append(escapeToGroundBytes, 0x59)
+	escapeToGroundBytes = append(escapeToGroundBytes, 0x5A)
+	escapeToGroundBytes = append(escapeToGroundBytes, 0x5C)
+	escapeToGroundBytes = append(escapeToGroundBytes, getByteRange(0x60, 0x7E)...)
+	return escapeToGroundBytes
+}
+
+func getExecuteBytes() []byte {
+	executeBytes := getByteRange(0x00, 0x17)
+	executeBytes = append(executeBytes, 0x19)
+	executeBytes = append(executeBytes, getByteRange(0x1C, 0x1F)...)
+	return executeBytes
+}
+
+func getToGroundBytes() []byte {
+	groundBytes := []byte{0x18}
+	groundBytes = append(groundBytes, 0x1A)
+	groundBytes = append(groundBytes, getByteRange(0x80, 0x8F)...)
+	groundBytes = append(groundBytes, getByteRange(0x91, 0x97)...)
+	groundBytes = append(groundBytes, 0x99)
+	groundBytes = append(groundBytes, 0x9A)
+	groundBytes = append(groundBytes, 0x9C)
+	return groundBytes
+}
+
+// Delete		     7F hex  Always and everywhere ignored
+// C1 Control	  80-9F hex  32 additional control characters
+// G1 Displayable A1-FE hex  94 additional displayable characters
+// Special		  A0+FF hex  Same as SPACE and DELETE
diff --git a/vendor/github.com/Azure/go-ansiterm/context.go b/vendor/github.com/Azure/go-ansiterm/context.go
new file mode 100644
index 0000000000..8d66e777c0
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/context.go
@@ -0,0 +1,7 @@
+package ansiterm
+
+type ansiContext struct {
+	currentChar byte
+	paramBuffer []byte
+	interBuffer []byte
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/csi_entry_state.go b/vendor/github.com/Azure/go-ansiterm/csi_entry_state.go
new file mode 100644
index 0000000000..bcbe00d0c5
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/csi_entry_state.go
@@ -0,0 +1,49 @@
+package ansiterm
+
+type csiEntryState struct {
+	baseState
+}
+
+func (csiState csiEntryState) Handle(b byte) (s state, e error) {
+	csiState.parser.logf("CsiEntry::Handle %#x", b)
+
+	nextState, err := csiState.baseState.Handle(b)
+	if nextState != nil || err != nil {
+		return nextState, err
+	}
+
+	switch {
+	case sliceContains(alphabetics, b):
+		return csiState.parser.ground, nil
+	case sliceContains(csiCollectables, b):
+		return csiState.parser.csiParam, nil
+	case sliceContains(executors, b):
+		return csiState, csiState.parser.execute()
+	}
+
+	return csiState, nil
+}
+
+func (csiState csiEntryState) Transition(s state) error {
+	csiState.parser.logf("CsiEntry::Transition %s --> %s", csiState.Name(), s.Name())
+	csiState.baseState.Transition(s)
+
+	switch s {
+	case csiState.parser.ground:
+		return csiState.parser.csiDispatch()
+	case csiState.parser.csiParam:
+		switch {
+		case sliceContains(csiParams, csiState.parser.context.currentChar):
+			csiState.parser.collectParam()
+		case sliceContains(intermeds, csiState.parser.context.currentChar):
+			csiState.parser.collectInter()
+		}
+	}
+
+	return nil
+}
+
+func (csiState csiEntryState) Enter() error {
+	csiState.parser.clear()
+	return nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/csi_param_state.go b/vendor/github.com/Azure/go-ansiterm/csi_param_state.go
new file mode 100644
index 0000000000..7ed5e01c34
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/csi_param_state.go
@@ -0,0 +1,38 @@
+package ansiterm
+
+type csiParamState struct {
+	baseState
+}
+
+func (csiState csiParamState) Handle(b byte) (s state, e error) {
+	csiState.parser.logf("CsiParam::Handle %#x", b)
+
+	nextState, err := csiState.baseState.Handle(b)
+	if nextState != nil || err != nil {
+		return nextState, err
+	}
+
+	switch {
+	case sliceContains(alphabetics, b):
+		return csiState.parser.ground, nil
+	case sliceContains(csiCollectables, b):
+		csiState.parser.collectParam()
+		return csiState, nil
+	case sliceContains(executors, b):
+		return csiState, csiState.parser.execute()
+	}
+
+	return csiState, nil
+}
+
+func (csiState csiParamState) Transition(s state) error {
+	csiState.parser.logf("CsiParam::Transition %s --> %s", csiState.Name(), s.Name())
+	csiState.baseState.Transition(s)
+
+	switch s {
+	case csiState.parser.ground:
+		return csiState.parser.csiDispatch()
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go b/vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go
new file mode 100644
index 0000000000..1c719db9e4
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go
@@ -0,0 +1,36 @@
+package ansiterm
+
+type escapeIntermediateState struct {
+	baseState
+}
+
+func (escState escapeIntermediateState) Handle(b byte) (s state, e error) {
+	escState.parser.logf("escapeIntermediateState::Handle %#x", b)
+	nextState, err := escState.baseState.Handle(b)
+	if nextState != nil || err != nil {
+		return nextState, err
+	}
+
+	switch {
+	case sliceContains(intermeds, b):
+		return escState, escState.parser.collectInter()
+	case sliceContains(executors, b):
+		return escState, escState.parser.execute()
+	case sliceContains(escapeIntermediateToGroundBytes, b):
+		return escState.parser.ground, nil
+	}
+
+	return escState, nil
+}
+
+func (escState escapeIntermediateState) Transition(s state) error {
+	escState.parser.logf("escapeIntermediateState::Transition %s --> %s", escState.Name(), s.Name())
+	escState.baseState.Transition(s)
+
+	switch s {
+	case escState.parser.ground:
+		return escState.parser.escDispatch()
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/escape_state.go b/vendor/github.com/Azure/go-ansiterm/escape_state.go
new file mode 100644
index 0000000000..6390abd231
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/escape_state.go
@@ -0,0 +1,47 @@
+package ansiterm
+
+type escapeState struct {
+	baseState
+}
+
+func (escState escapeState) Handle(b byte) (s state, e error) {
+	escState.parser.logf("escapeState::Handle %#x", b)
+	nextState, err := escState.baseState.Handle(b)
+	if nextState != nil || err != nil {
+		return nextState, err
+	}
+
+	switch {
+	case b == ANSI_ESCAPE_SECONDARY:
+		return escState.parser.csiEntry, nil
+	case b == ANSI_OSC_STRING_ENTRY:
+		return escState.parser.oscString, nil
+	case sliceContains(executors, b):
+		return escState, escState.parser.execute()
+	case sliceContains(escapeToGroundBytes, b):
+		return escState.parser.ground, nil
+	case sliceContains(intermeds, b):
+		return escState.parser.escapeIntermediate, nil
+	}
+
+	return escState, nil
+}
+
+func (escState escapeState) Transition(s state) error {
+	escState.parser.logf("Escape::Transition %s --> %s", escState.Name(), s.Name())
+	escState.baseState.Transition(s)
+
+	switch s {
+	case escState.parser.ground:
+		return escState.parser.escDispatch()
+	case escState.parser.escapeIntermediate:
+		return escState.parser.collectInter()
+	}
+
+	return nil
+}
+
+func (escState escapeState) Enter() error {
+	escState.parser.clear()
+	return nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/event_handler.go b/vendor/github.com/Azure/go-ansiterm/event_handler.go
new file mode 100644
index 0000000000..98087b38c2
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/event_handler.go
@@ -0,0 +1,90 @@
+package ansiterm
+
+type AnsiEventHandler interface {
+	// Print
+	Print(b byte) error
+
+	// Execute C0 commands
+	Execute(b byte) error
+
+	// CUrsor Up
+	CUU(int) error
+
+	// CUrsor Down
+	CUD(int) error
+
+	// CUrsor Forward
+	CUF(int) error
+
+	// CUrsor Backward
+	CUB(int) error
+
+	// Cursor to Next Line
+	CNL(int) error
+
+	// Cursor to Previous Line
+	CPL(int) error
+
+	// Cursor Horizontal position Absolute
+	CHA(int) error
+
+	// Vertical line Position Absolute
+	VPA(int) error
+
+	// CUrsor Position
+	CUP(int, int) error
+
+	// Horizontal and Vertical Position (depends on PUM)
+	HVP(int, int) error
+
+	// Text Cursor Enable Mode
+	DECTCEM(bool) error
+
+	// Origin Mode
+	DECOM(bool) error
+
+	// 132 Column Mode
+	DECCOLM(bool) error
+
+	// Erase in Display
+	ED(int) error
+
+	// Erase in Line
+	EL(int) error
+
+	// Insert Line
+	IL(int) error
+
+	// Delete Line
+	DL(int) error
+
+	// Insert Character
+	ICH(int) error
+
+	// Delete Character
+	DCH(int) error
+
+	// Set Graphics Rendition
+	SGR([]int) error
+
+	// Pan Down
+	SU(int) error
+
+	// Pan Up
+	SD(int) error
+
+	// Device Attributes
+	DA([]string) error
+
+	// Set Top and Bottom Margins
+	DECSTBM(int, int) error
+
+	// Index
+	IND() error
+
+	// Reverse Index
+	RI() error
+
+	// Flush updates from previous commands
+	Flush() error
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/ground_state.go b/vendor/github.com/Azure/go-ansiterm/ground_state.go
new file mode 100644
index 0000000000..52451e9469
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/ground_state.go
@@ -0,0 +1,24 @@
+package ansiterm
+
+type groundState struct {
+	baseState
+}
+
+func (gs groundState) Handle(b byte) (s state, e error) {
+	gs.parser.context.currentChar = b
+
+	nextState, err := gs.baseState.Handle(b)
+	if nextState != nil || err != nil {
+		return nextState, err
+	}
+
+	switch {
+	case sliceContains(printables, b):
+		return gs, gs.parser.print()
+
+	case sliceContains(executors, b):
+		return gs, gs.parser.execute()
+	}
+
+	return gs, nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/osc_string_state.go b/vendor/github.com/Azure/go-ansiterm/osc_string_state.go
new file mode 100644
index 0000000000..194d5e9c94
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/osc_string_state.go
@@ -0,0 +1,23 @@
+package ansiterm
+
+type oscStringState struct {
+	baseState
+}
+
+func (oscState oscStringState) Handle(b byte) (s state, e error) {
+	oscState.parser.logf("OscString::Handle %#x", b)
+	nextState, err := oscState.baseState.Handle(b)
+	if nextState != nil || err != nil {
+		return nextState, err
+	}
+
+	// There are several control characters and sequences which can
+	// terminate an OSC string. Most of them are handled by the baseState
+	// handler. The ANSI_BEL character is a special case which behaves as a
+	// terminator only for an OSC string.
+	if b == ANSI_BEL {
+		return oscState.parser.ground, nil
+	}
+
+	return oscState, nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/parser.go b/vendor/github.com/Azure/go-ansiterm/parser.go
new file mode 100644
index 0000000000..03cec7ada6
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/parser.go
@@ -0,0 +1,151 @@
+package ansiterm
+
+import (
+	"errors"
+	"log"
+	"os"
+)
+
+type AnsiParser struct {
+	currState          state
+	eventHandler       AnsiEventHandler
+	context            *ansiContext
+	csiEntry           state
+	csiParam           state
+	dcsEntry           state
+	escape             state
+	escapeIntermediate state
+	error              state
+	ground             state
+	oscString          state
+	stateMap           []state
+
+	logf func(string, ...interface{})
+}
+
+type Option func(*AnsiParser)
+
+func WithLogf(f func(string, ...interface{})) Option {
+	return func(ap *AnsiParser) {
+		ap.logf = f
+	}
+}
+
+func CreateParser(initialState string, evtHandler AnsiEventHandler, opts ...Option) *AnsiParser {
+	ap := &AnsiParser{
+		eventHandler: evtHandler,
+		context:      &ansiContext{},
+	}
+	for _, o := range opts {
+		o(ap)
+	}
+
+	if isDebugEnv := os.Getenv(LogEnv); isDebugEnv == "1" {
+		logFile, _ := os.Create("ansiParser.log")
+		logger := log.New(logFile, "", log.LstdFlags)
+		if ap.logf != nil {
+			l := ap.logf
+			ap.logf = func(s string, v ...interface{}) {
+				l(s, v...)
+				logger.Printf(s, v...)
+			}
+		} else {
+			ap.logf = logger.Printf
+		}
+	}
+
+	if ap.logf == nil {
+		ap.logf = func(string, ...interface{}) {}
+	}
+
+	ap.csiEntry = csiEntryState{baseState{name: "CsiEntry", parser: ap}}
+	ap.csiParam = csiParamState{baseState{name: "CsiParam", parser: ap}}
+	ap.dcsEntry = dcsEntryState{baseState{name: "DcsEntry", parser: ap}}
+	ap.escape = escapeState{baseState{name: "Escape", parser: ap}}
+	ap.escapeIntermediate = escapeIntermediateState{baseState{name: "EscapeIntermediate", parser: ap}}
+	ap.error = errorState{baseState{name: "Error", parser: ap}}
+	ap.ground = groundState{baseState{name: "Ground", parser: ap}}
+	ap.oscString = oscStringState{baseState{name: "OscString", parser: ap}}
+
+	ap.stateMap = []state{
+		ap.csiEntry,
+		ap.csiParam,
+		ap.dcsEntry,
+		ap.escape,
+		ap.escapeIntermediate,
+		ap.error,
+		ap.ground,
+		ap.oscString,
+	}
+
+	ap.currState = getState(initialState, ap.stateMap)
+
+	ap.logf("CreateParser: parser %p", ap)
+	return ap
+}
+
+func getState(name string, states []state) state {
+	for _, el := range states {
+		if el.Name() == name {
+			return el
+		}
+	}
+
+	return nil
+}
+
+func (ap *AnsiParser) Parse(bytes []byte) (int, error) {
+	for i, b := range bytes {
+		if err := ap.handle(b); err != nil {
+			return i, err
+		}
+	}
+
+	return len(bytes), ap.eventHandler.Flush()
+}
+
+func (ap *AnsiParser) handle(b byte) error {
+	ap.context.currentChar = b
+	newState, err := ap.currState.Handle(b)
+	if err != nil {
+		return err
+	}
+
+	if newState == nil {
+		ap.logf("WARNING: newState is nil")
+		return errors.New("New state of 'nil' is invalid.")
+	}
+
+	if newState != ap.currState {
+		if err := ap.changeState(newState); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (ap *AnsiParser) changeState(newState state) error {
+	ap.logf("ChangeState %s --> %s", ap.currState.Name(), newState.Name())
+
+	// Exit old state
+	if err := ap.currState.Exit(); err != nil {
+		ap.logf("Exit state '%s' failed with : '%v'", ap.currState.Name(), err)
+		return err
+	}
+
+	// Perform transition action
+	if err := ap.currState.Transition(newState); err != nil {
+		ap.logf("Transition from '%s' to '%s' failed with: '%v'", ap.currState.Name(), newState.Name, err)
+		return err
+	}
+
+	// Enter new state
+	if err := newState.Enter(); err != nil {
+		ap.logf("Enter state '%s' failed with: '%v'", newState.Name(), err)
+		return err
+	}
+
+	ap.currState = newState
+	return nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go b/vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go
new file mode 100644
index 0000000000..de0a1f9cde
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go
@@ -0,0 +1,99 @@
+package ansiterm
+
+import (
+	"strconv"
+)
+
+func parseParams(bytes []byte) ([]string, error) {
+	paramBuff := make([]byte, 0, 0)
+	params := []string{}
+
+	for _, v := range bytes {
+		if v == ';' {
+			if len(paramBuff) > 0 {
+				// Completed parameter, append it to the list
+				s := string(paramBuff)
+				params = append(params, s)
+				paramBuff = make([]byte, 0, 0)
+			}
+		} else {
+			paramBuff = append(paramBuff, v)
+		}
+	}
+
+	// Last parameter may not be terminated with ';'
+	if len(paramBuff) > 0 {
+		s := string(paramBuff)
+		params = append(params, s)
+	}
+
+	return params, nil
+}
+
+func parseCmd(context ansiContext) (string, error) {
+	return string(context.currentChar), nil
+}
+
+func getInt(params []string, dflt int) int {
+	i := getInts(params, 1, dflt)[0]
+	return i
+}
+
+func getInts(params []string, minCount int, dflt int) []int {
+	ints := []int{}
+
+	for _, v := range params {
+		i, _ := strconv.Atoi(v)
+		// Zero is mapped to the default value in VT100.
+		if i == 0 {
+			i = dflt
+		}
+		ints = append(ints, i)
+	}
+
+	if len(ints) < minCount {
+		remaining := minCount - len(ints)
+		for i := 0; i < remaining; i++ {
+			ints = append(ints, dflt)
+		}
+	}
+
+	return ints
+}
+
+func (ap *AnsiParser) modeDispatch(param string, set bool) error {
+	switch param {
+	case "?3":
+		return ap.eventHandler.DECCOLM(set)
+	case "?6":
+		return ap.eventHandler.DECOM(set)
+	case "?25":
+		return ap.eventHandler.DECTCEM(set)
+	}
+	return nil
+}
+
+func (ap *AnsiParser) hDispatch(params []string) error {
+	if len(params) == 1 {
+		return ap.modeDispatch(params[0], true)
+	}
+
+	return nil
+}
+
+func (ap *AnsiParser) lDispatch(params []string) error {
+	if len(params) == 1 {
+		return ap.modeDispatch(params[0], false)
+	}
+
+	return nil
+}
+
+func getEraseParam(params []string) int {
+	param := getInt(params, 0)
+	if param < 0 || 3 < param {
+		param = 0
+	}
+
+	return param
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/parser_actions.go b/vendor/github.com/Azure/go-ansiterm/parser_actions.go
new file mode 100644
index 0000000000..0bb5e51e9a
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/parser_actions.go
@@ -0,0 +1,119 @@
+package ansiterm
+
+func (ap *AnsiParser) collectParam() error {
+	currChar := ap.context.currentChar
+	ap.logf("collectParam %#x", currChar)
+	ap.context.paramBuffer = append(ap.context.paramBuffer, currChar)
+	return nil
+}
+
+func (ap *AnsiParser) collectInter() error {
+	currChar := ap.context.currentChar
+	ap.logf("collectInter %#x", currChar)
+	ap.context.paramBuffer = append(ap.context.interBuffer, currChar)
+	return nil
+}
+
+func (ap *AnsiParser) escDispatch() error {
+	cmd, _ := parseCmd(*ap.context)
+	intermeds := ap.context.interBuffer
+	ap.logf("escDispatch currentChar: %#x", ap.context.currentChar)
+	ap.logf("escDispatch: %v(%v)", cmd, intermeds)
+
+	switch cmd {
+	case "D": // IND
+		return ap.eventHandler.IND()
+	case "E": // NEL, equivalent to CRLF
+		err := ap.eventHandler.Execute(ANSI_CARRIAGE_RETURN)
+		if err == nil {
+			err = ap.eventHandler.Execute(ANSI_LINE_FEED)
+		}
+		return err
+	case "M": // RI
+		return ap.eventHandler.RI()
+	}
+
+	return nil
+}
+
+func (ap *AnsiParser) csiDispatch() error {
+	cmd, _ := parseCmd(*ap.context)
+	params, _ := parseParams(ap.context.paramBuffer)
+	ap.logf("Parsed params: %v with length: %d", params, len(params))
+
+	ap.logf("csiDispatch: %v(%v)", cmd, params)
+
+	switch cmd {
+	case "@":
+		return ap.eventHandler.ICH(getInt(params, 1))
+	case "A":
+		return ap.eventHandler.CUU(getInt(params, 1))
+	case "B":
+		return ap.eventHandler.CUD(getInt(params, 1))
+	case "C":
+		return ap.eventHandler.CUF(getInt(params, 1))
+	case "D":
+		return ap.eventHandler.CUB(getInt(params, 1))
+	case "E":
+		return ap.eventHandler.CNL(getInt(params, 1))
+	case "F":
+		return ap.eventHandler.CPL(getInt(params, 1))
+	case "G":
+		return ap.eventHandler.CHA(getInt(params, 1))
+	case "H":
+		ints := getInts(params, 2, 1)
+		x, y := ints[0], ints[1]
+		return ap.eventHandler.CUP(x, y)
+	case "J":
+		param := getEraseParam(params)
+		return ap.eventHandler.ED(param)
+	case "K":
+		param := getEraseParam(params)
+		return ap.eventHandler.EL(param)
+	case "L":
+		return ap.eventHandler.IL(getInt(params, 1))
+	case "M":
+		return ap.eventHandler.DL(getInt(params, 1))
+	case "P":
+		return ap.eventHandler.DCH(getInt(params, 1))
+	case "S":
+		return ap.eventHandler.SU(getInt(params, 1))
+	case "T":
+		return ap.eventHandler.SD(getInt(params, 1))
+	case "c":
+		return ap.eventHandler.DA(params)
+	case "d":
+		return ap.eventHandler.VPA(getInt(params, 1))
+	case "f":
+		ints := getInts(params, 2, 1)
+		x, y := ints[0], ints[1]
+		return ap.eventHandler.HVP(x, y)
+	case "h":
+		return ap.hDispatch(params)
+	case "l":
+		return ap.lDispatch(params)
+	case "m":
+		return ap.eventHandler.SGR(getInts(params, 1, 0))
+	case "r":
+		ints := getInts(params, 2, 1)
+		top, bottom := ints[0], ints[1]
+		return ap.eventHandler.DECSTBM(top, bottom)
+	default:
+		ap.logf("ERROR: Unsupported CSI command: '%s', with full context:  %v", cmd, ap.context)
+		return nil
+	}
+
+}
+
+func (ap *AnsiParser) print() error {
+	return ap.eventHandler.Print(ap.context.currentChar)
+}
+
+func (ap *AnsiParser) clear() error {
+	ap.context = &ansiContext{}
+	return nil
+}
+
+func (ap *AnsiParser) execute() error {
+	return ap.eventHandler.Execute(ap.context.currentChar)
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/states.go b/vendor/github.com/Azure/go-ansiterm/states.go
new file mode 100644
index 0000000000..f2ea1fcd12
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/states.go
@@ -0,0 +1,71 @@
+package ansiterm
+
+type stateID int
+
+type state interface {
+	Enter() error
+	Exit() error
+	Handle(byte) (state, error)
+	Name() string
+	Transition(state) error
+}
+
+type baseState struct {
+	name   string
+	parser *AnsiParser
+}
+
+func (base baseState) Enter() error {
+	return nil
+}
+
+func (base baseState) Exit() error {
+	return nil
+}
+
+func (base baseState) Handle(b byte) (s state, e error) {
+
+	switch {
+	case b == CSI_ENTRY:
+		return base.parser.csiEntry, nil
+	case b == DCS_ENTRY:
+		return base.parser.dcsEntry, nil
+	case b == ANSI_ESCAPE_PRIMARY:
+		return base.parser.escape, nil
+	case b == OSC_STRING:
+		return base.parser.oscString, nil
+	case sliceContains(toGroundBytes, b):
+		return base.parser.ground, nil
+	}
+
+	return nil, nil
+}
+
+func (base baseState) Name() string {
+	return base.name
+}
+
+func (base baseState) Transition(s state) error {
+	if s == base.parser.ground {
+		execBytes := []byte{0x18}
+		execBytes = append(execBytes, 0x1A)
+		execBytes = append(execBytes, getByteRange(0x80, 0x8F)...)
+		execBytes = append(execBytes, getByteRange(0x91, 0x97)...)
+		execBytes = append(execBytes, 0x99)
+		execBytes = append(execBytes, 0x9A)
+
+		if sliceContains(execBytes, base.parser.context.currentChar) {
+			return base.parser.execute()
+		}
+	}
+
+	return nil
+}
+
+type dcsEntryState struct {
+	baseState
+}
+
+type errorState struct {
+	baseState
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/utilities.go b/vendor/github.com/Azure/go-ansiterm/utilities.go
new file mode 100644
index 0000000000..392114493a
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/utilities.go
@@ -0,0 +1,21 @@
+package ansiterm
+
+import (
+	"strconv"
+)
+
+func sliceContains(bytes []byte, b byte) bool {
+	for _, v := range bytes {
+		if v == b {
+			return true
+		}
+	}
+
+	return false
+}
+
+func convertBytesToInteger(bytes []byte) int {
+	s := string(bytes)
+	i, _ := strconv.Atoi(s)
+	return i
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go b/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go
new file mode 100644
index 0000000000..5599082ae9
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go
@@ -0,0 +1,196 @@
+// +build windows
+
+package winterm
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/Azure/go-ansiterm"
+	windows "golang.org/x/sys/windows"
+)
+
+// Windows keyboard constants
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspx.
+const (
+	VK_PRIOR    = 0x21 // PAGE UP key
+	VK_NEXT     = 0x22 // PAGE DOWN key
+	VK_END      = 0x23 // END key
+	VK_HOME     = 0x24 // HOME key
+	VK_LEFT     = 0x25 // LEFT ARROW key
+	VK_UP       = 0x26 // UP ARROW key
+	VK_RIGHT    = 0x27 // RIGHT ARROW key
+	VK_DOWN     = 0x28 // DOWN ARROW key
+	VK_SELECT   = 0x29 // SELECT key
+	VK_PRINT    = 0x2A // PRINT key
+	VK_EXECUTE  = 0x2B // EXECUTE key
+	VK_SNAPSHOT = 0x2C // PRINT SCREEN key
+	VK_INSERT   = 0x2D // INS key
+	VK_DELETE   = 0x2E // DEL key
+	VK_HELP     = 0x2F // HELP key
+	VK_F1       = 0x70 // F1 key
+	VK_F2       = 0x71 // F2 key
+	VK_F3       = 0x72 // F3 key
+	VK_F4       = 0x73 // F4 key
+	VK_F5       = 0x74 // F5 key
+	VK_F6       = 0x75 // F6 key
+	VK_F7       = 0x76 // F7 key
+	VK_F8       = 0x77 // F8 key
+	VK_F9       = 0x78 // F9 key
+	VK_F10      = 0x79 // F10 key
+	VK_F11      = 0x7A // F11 key
+	VK_F12      = 0x7B // F12 key
+
+	RIGHT_ALT_PRESSED  = 0x0001
+	LEFT_ALT_PRESSED   = 0x0002
+	RIGHT_CTRL_PRESSED = 0x0004
+	LEFT_CTRL_PRESSED  = 0x0008
+	SHIFT_PRESSED      = 0x0010
+	NUMLOCK_ON         = 0x0020
+	SCROLLLOCK_ON      = 0x0040
+	CAPSLOCK_ON        = 0x0080
+	ENHANCED_KEY       = 0x0100
+)
+
+type ansiCommand struct {
+	CommandBytes []byte
+	Command      string
+	Parameters   []string
+	IsSpecial    bool
+}
+
+func newAnsiCommand(command []byte) *ansiCommand {
+
+	if isCharacterSelectionCmdChar(command[1]) {
+		// Is Character Set Selection commands
+		return &ansiCommand{
+			CommandBytes: command,
+			Command:      string(command),
+			IsSpecial:    true,
+		}
+	}
+
+	// last char is command character
+	lastCharIndex := len(command) - 1
+
+	ac := &ansiCommand{
+		CommandBytes: command,
+		Command:      string(command[lastCharIndex]),
+		IsSpecial:    false,
+	}
+
+	// more than a single escape
+	if lastCharIndex != 0 {
+		start := 1
+		// skip if double char escape sequence
+		if command[0] == ansiterm.ANSI_ESCAPE_PRIMARY && command[1] == ansiterm.ANSI_ESCAPE_SECONDARY {
+			start++
+		}
+		// convert this to GetNextParam method
+		ac.Parameters = strings.Split(string(command[start:lastCharIndex]), ansiterm.ANSI_PARAMETER_SEP)
+	}
+
+	return ac
+}
+
+func (ac *ansiCommand) paramAsSHORT(index int, defaultValue int16) int16 {
+	if index < 0 || index >= len(ac.Parameters) {
+		return defaultValue
+	}
+
+	param, err := strconv.ParseInt(ac.Parameters[index], 10, 16)
+	if err != nil {
+		return defaultValue
+	}
+
+	return int16(param)
+}
+
+func (ac *ansiCommand) String() string {
+	return fmt.Sprintf("0x%v \"%v\" (\"%v\")",
+		bytesToHex(ac.CommandBytes),
+		ac.Command,
+		strings.Join(ac.Parameters, "\",\""))
+}
+
+// isAnsiCommandChar returns true if the passed byte falls within the range of ANSI commands.
+// See http://manpages.ubuntu.com/manpages/intrepid/man4/console_codes.4.html.
+func isAnsiCommandChar(b byte) bool {
+	switch {
+	case ansiterm.ANSI_COMMAND_FIRST <= b && b <= ansiterm.ANSI_COMMAND_LAST && b != ansiterm.ANSI_ESCAPE_SECONDARY:
+		return true
+	case b == ansiterm.ANSI_CMD_G1 || b == ansiterm.ANSI_CMD_OSC || b == ansiterm.ANSI_CMD_DECPAM || b == ansiterm.ANSI_CMD_DECPNM:
+		// non-CSI escape sequence terminator
+		return true
+	case b == ansiterm.ANSI_CMD_STR_TERM || b == ansiterm.ANSI_BEL:
+		// String escape sequence terminator
+		return true
+	}
+	return false
+}
+
+func isXtermOscSequence(command []byte, current byte) bool {
+	return (len(command) >= 2 && command[0] == ansiterm.ANSI_ESCAPE_PRIMARY && command[1] == ansiterm.ANSI_CMD_OSC && current != ansiterm.ANSI_BEL)
+}
+
+func isCharacterSelectionCmdChar(b byte) bool {
+	return (b == ansiterm.ANSI_CMD_G0 || b == ansiterm.ANSI_CMD_G1 || b == ansiterm.ANSI_CMD_G2 || b == ansiterm.ANSI_CMD_G3)
+}
+
+// bytesToHex converts a slice of bytes to a human-readable string.
+func bytesToHex(b []byte) string {
+	hex := make([]string, len(b))
+	for i, ch := range b {
+		hex[i] = fmt.Sprintf("%X", ch)
+	}
+	return strings.Join(hex, "")
+}
+
+// ensureInRange adjusts the passed value, if necessary, to ensure it is within
+// the passed min / max range.
+func ensureInRange(n int16, min int16, max int16) int16 {
+	if n < min {
+		return min
+	} else if n > max {
+		return max
+	} else {
+		return n
+	}
+}
+
+func GetStdFile(nFile int) (*os.File, uintptr) {
+	var file *os.File
+
+	// syscall uses negative numbers
+	// windows package uses very big uint32
+	// Keep these switches split so we don't have to convert ints too much.
+	switch uint32(nFile) {
+	case windows.STD_INPUT_HANDLE:
+		file = os.Stdin
+	case windows.STD_OUTPUT_HANDLE:
+		file = os.Stdout
+	case windows.STD_ERROR_HANDLE:
+		file = os.Stderr
+	default:
+		switch nFile {
+		case syscall.STD_INPUT_HANDLE:
+			file = os.Stdin
+		case syscall.STD_OUTPUT_HANDLE:
+			file = os.Stdout
+		case syscall.STD_ERROR_HANDLE:
+			file = os.Stderr
+		default:
+			panic(fmt.Errorf("Invalid standard handle identifier: %v", nFile))
+		}
+	}
+
+	fd, err := syscall.GetStdHandle(nFile)
+	if err != nil {
+		panic(fmt.Errorf("Invalid standard handle identifier: %v -- %v", nFile, err))
+	}
+
+	return file, uintptr(fd)
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/api.go b/vendor/github.com/Azure/go-ansiterm/winterm/api.go
new file mode 100644
index 0000000000..6055e33b91
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/winterm/api.go
@@ -0,0 +1,327 @@
+// +build windows
+
+package winterm
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+)
+
+//===========================================================================================================
+// IMPORTANT NOTE:
+//
+//	The methods below make extensive use of the "unsafe" package to obtain the required pointers.
+//	Beginning in Go 1.3, the garbage collector may release local variables (e.g., incoming arguments, stack
+//	variables) the pointers reference *before* the API completes.
+//
+//  As a result, in those cases, the code must hint that the variables remain in active by invoking the
+//	dummy method "use" (see below). Newer versions of Go are planned to change the mechanism to no longer
+//	require unsafe pointers.
+//
+//	If you add or modify methods, ENSURE protection of local variables through the "use" builtin to inform
+//	the garbage collector the variables remain in use if:
+//
+//	-- The value is not a pointer (e.g., int32, struct)
+//	-- The value is not referenced by the method after passing the pointer to Windows
+//
+//	See http://golang.org/doc/go1.3.
+//===========================================================================================================
+
+var (
+	kernel32DLL = syscall.NewLazyDLL("kernel32.dll")
+
+	getConsoleCursorInfoProc       = kernel32DLL.NewProc("GetConsoleCursorInfo")
+	setConsoleCursorInfoProc       = kernel32DLL.NewProc("SetConsoleCursorInfo")
+	setConsoleCursorPositionProc   = kernel32DLL.NewProc("SetConsoleCursorPosition")
+	setConsoleModeProc             = kernel32DLL.NewProc("SetConsoleMode")
+	getConsoleScreenBufferInfoProc = kernel32DLL.NewProc("GetConsoleScreenBufferInfo")
+	setConsoleScreenBufferSizeProc = kernel32DLL.NewProc("SetConsoleScreenBufferSize")
+	scrollConsoleScreenBufferProc  = kernel32DLL.NewProc("ScrollConsoleScreenBufferA")
+	setConsoleTextAttributeProc    = kernel32DLL.NewProc("SetConsoleTextAttribute")
+	setConsoleWindowInfoProc       = kernel32DLL.NewProc("SetConsoleWindowInfo")
+	writeConsoleOutputProc         = kernel32DLL.NewProc("WriteConsoleOutputW")
+	readConsoleInputProc           = kernel32DLL.NewProc("ReadConsoleInputW")
+	waitForSingleObjectProc        = kernel32DLL.NewProc("WaitForSingleObject")
+)
+
+// Windows Console constants
+const (
+	// Console modes
+	// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx.
+	ENABLE_PROCESSED_INPUT        = 0x0001
+	ENABLE_LINE_INPUT             = 0x0002
+	ENABLE_ECHO_INPUT             = 0x0004
+	ENABLE_WINDOW_INPUT           = 0x0008
+	ENABLE_MOUSE_INPUT            = 0x0010
+	ENABLE_INSERT_MODE            = 0x0020
+	ENABLE_QUICK_EDIT_MODE        = 0x0040
+	ENABLE_EXTENDED_FLAGS         = 0x0080
+	ENABLE_AUTO_POSITION          = 0x0100
+	ENABLE_VIRTUAL_TERMINAL_INPUT = 0x0200
+
+	ENABLE_PROCESSED_OUTPUT            = 0x0001
+	ENABLE_WRAP_AT_EOL_OUTPUT          = 0x0002
+	ENABLE_VIRTUAL_TERMINAL_PROCESSING = 0x0004
+	DISABLE_NEWLINE_AUTO_RETURN        = 0x0008
+	ENABLE_LVB_GRID_WORLDWIDE          = 0x0010
+
+	// Character attributes
+	// Note:
+	// -- The attributes are combined to produce various colors (e.g., Blue + Green will create Cyan).
+	//    Clearing all foreground or background colors results in black; setting all creates white.
+	// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms682088(v=vs.85).aspx#_win32_character_attributes.
+	FOREGROUND_BLUE      uint16 = 0x0001
+	FOREGROUND_GREEN     uint16 = 0x0002
+	FOREGROUND_RED       uint16 = 0x0004
+	FOREGROUND_INTENSITY uint16 = 0x0008
+	FOREGROUND_MASK      uint16 = 0x000F
+
+	BACKGROUND_BLUE      uint16 = 0x0010
+	BACKGROUND_GREEN     uint16 = 0x0020
+	BACKGROUND_RED       uint16 = 0x0040
+	BACKGROUND_INTENSITY uint16 = 0x0080
+	BACKGROUND_MASK      uint16 = 0x00F0
+
+	COMMON_LVB_MASK          uint16 = 0xFF00
+	COMMON_LVB_REVERSE_VIDEO uint16 = 0x4000
+	COMMON_LVB_UNDERSCORE    uint16 = 0x8000
+
+	// Input event types
+	// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683499(v=vs.85).aspx.
+	KEY_EVENT                = 0x0001
+	MOUSE_EVENT              = 0x0002
+	WINDOW_BUFFER_SIZE_EVENT = 0x0004
+	MENU_EVENT               = 0x0008
+	FOCUS_EVENT              = 0x0010
+
+	// WaitForSingleObject return codes
+	WAIT_ABANDONED = 0x00000080
+	WAIT_FAILED    = 0xFFFFFFFF
+	WAIT_SIGNALED  = 0x0000000
+	WAIT_TIMEOUT   = 0x00000102
+
+	// WaitForSingleObject wait duration
+	WAIT_INFINITE       = 0xFFFFFFFF
+	WAIT_ONE_SECOND     = 1000
+	WAIT_HALF_SECOND    = 500
+	WAIT_QUARTER_SECOND = 250
+)
+
+// Windows API Console types
+// -- See https://msdn.microsoft.com/en-us/library/windows/desktop/ms682101(v=vs.85).aspx for Console specific types (e.g., COORD)
+// -- See https://msdn.microsoft.com/en-us/library/aa296569(v=vs.60).aspx for comments on alignment
+type (
+	CHAR_INFO struct {
+		UnicodeChar uint16
+		Attributes  uint16
+	}
+
+	CONSOLE_CURSOR_INFO struct {
+		Size    uint32
+		Visible int32
+	}
+
+	CONSOLE_SCREEN_BUFFER_INFO struct {
+		Size              COORD
+		CursorPosition    COORD
+		Attributes        uint16
+		Window            SMALL_RECT
+		MaximumWindowSize COORD
+	}
+
+	COORD struct {
+		X int16
+		Y int16
+	}
+
+	SMALL_RECT struct {
+		Left   int16
+		Top    int16
+		Right  int16
+		Bottom int16
+	}
+
+	// INPUT_RECORD is a C/C++ union of which KEY_EVENT_RECORD is one case, it is also the largest
+	// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683499(v=vs.85).aspx.
+	INPUT_RECORD struct {
+		EventType uint16
+		KeyEvent  KEY_EVENT_RECORD
+	}
+
+	KEY_EVENT_RECORD struct {
+		KeyDown         int32
+		RepeatCount     uint16
+		VirtualKeyCode  uint16
+		VirtualScanCode uint16
+		UnicodeChar     uint16
+		ControlKeyState uint32
+	}
+
+	WINDOW_BUFFER_SIZE struct {
+		Size COORD
+	}
+)
+
+// boolToBOOL converts a Go bool into a Windows int32.
+func boolToBOOL(f bool) int32 {
+	if f {
+		return int32(1)
+	} else {
+		return int32(0)
+	}
+}
+
+// GetConsoleCursorInfo retrieves information about the size and visiblity of the console cursor.
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683163(v=vs.85).aspx.
+func GetConsoleCursorInfo(handle uintptr, cursorInfo *CONSOLE_CURSOR_INFO) error {
+	r1, r2, err := getConsoleCursorInfoProc.Call(handle, uintptr(unsafe.Pointer(cursorInfo)), 0)
+	return checkError(r1, r2, err)
+}
+
+// SetConsoleCursorInfo sets the size and visiblity of the console cursor.
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686019(v=vs.85).aspx.
+func SetConsoleCursorInfo(handle uintptr, cursorInfo *CONSOLE_CURSOR_INFO) error {
+	r1, r2, err := setConsoleCursorInfoProc.Call(handle, uintptr(unsafe.Pointer(cursorInfo)), 0)
+	return checkError(r1, r2, err)
+}
+
+// SetConsoleCursorPosition location of the console cursor.
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686025(v=vs.85).aspx.
+func SetConsoleCursorPosition(handle uintptr, coord COORD) error {
+	r1, r2, err := setConsoleCursorPositionProc.Call(handle, coordToPointer(coord))
+	use(coord)
+	return checkError(r1, r2, err)
+}
+
+// GetConsoleMode gets the console mode for given file descriptor
+// See http://msdn.microsoft.com/en-us/library/windows/desktop/ms683167(v=vs.85).aspx.
+func GetConsoleMode(handle uintptr) (mode uint32, err error) {
+	err = syscall.GetConsoleMode(syscall.Handle(handle), &mode)
+	return mode, err
+}
+
+// SetConsoleMode sets the console mode for given file descriptor
+// See http://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx.
+func SetConsoleMode(handle uintptr, mode uint32) error {
+	r1, r2, err := setConsoleModeProc.Call(handle, uintptr(mode), 0)
+	use(mode)
+	return checkError(r1, r2, err)
+}
+
+// GetConsoleScreenBufferInfo retrieves information about the specified console screen buffer.
+// See http://msdn.microsoft.com/en-us/library/windows/desktop/ms683171(v=vs.85).aspx.
+func GetConsoleScreenBufferInfo(handle uintptr) (*CONSOLE_SCREEN_BUFFER_INFO, error) {
+	info := CONSOLE_SCREEN_BUFFER_INFO{}
+	err := checkError(getConsoleScreenBufferInfoProc.Call(handle, uintptr(unsafe.Pointer(&info)), 0))
+	if err != nil {
+		return nil, err
+	}
+	return &info, nil
+}
+
+func ScrollConsoleScreenBuffer(handle uintptr, scrollRect SMALL_RECT, clipRect SMALL_RECT, destOrigin COORD, char CHAR_INFO) error {
+	r1, r2, err := scrollConsoleScreenBufferProc.Call(handle, uintptr(unsafe.Pointer(&scrollRect)), uintptr(unsafe.Pointer(&clipRect)), coordToPointer(destOrigin), uintptr(unsafe.Pointer(&char)))
+	use(scrollRect)
+	use(clipRect)
+	use(destOrigin)
+	use(char)
+	return checkError(r1, r2, err)
+}
+
+// SetConsoleScreenBufferSize sets the size of the console screen buffer.
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686044(v=vs.85).aspx.
+func SetConsoleScreenBufferSize(handle uintptr, coord COORD) error {
+	r1, r2, err := setConsoleScreenBufferSizeProc.Call(handle, coordToPointer(coord))
+	use(coord)
+	return checkError(r1, r2, err)
+}
+
+// SetConsoleTextAttribute sets the attributes of characters written to the
+// console screen buffer by the WriteFile or WriteConsole function.
+// See http://msdn.microsoft.com/en-us/library/windows/desktop/ms686047(v=vs.85).aspx.
+func SetConsoleTextAttribute(handle uintptr, attribute uint16) error {
+	r1, r2, err := setConsoleTextAttributeProc.Call(handle, uintptr(attribute), 0)
+	use(attribute)
+	return checkError(r1, r2, err)
+}
+
+// SetConsoleWindowInfo sets the size and position of the console screen buffer's window.
+// Note that the size and location must be within and no larger than the backing console screen buffer.
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686125(v=vs.85).aspx.
+func SetConsoleWindowInfo(handle uintptr, isAbsolute bool, rect SMALL_RECT) error {
+	r1, r2, err := setConsoleWindowInfoProc.Call(handle, uintptr(boolToBOOL(isAbsolute)), uintptr(unsafe.Pointer(&rect)))
+	use(isAbsolute)
+	use(rect)
+	return checkError(r1, r2, err)
+}
+
+// WriteConsoleOutput writes the CHAR_INFOs from the provided buffer to the active console buffer.
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms687404(v=vs.85).aspx.
+func WriteConsoleOutput(handle uintptr, buffer []CHAR_INFO, bufferSize COORD, bufferCoord COORD, writeRegion *SMALL_RECT) error {
+	r1, r2, err := writeConsoleOutputProc.Call(handle, uintptr(unsafe.Pointer(&buffer[0])), coordToPointer(bufferSize), coordToPointer(bufferCoord), uintptr(unsafe.Pointer(writeRegion)))
+	use(buffer)
+	use(bufferSize)
+	use(bufferCoord)
+	return checkError(r1, r2, err)
+}
+
+// ReadConsoleInput reads (and removes) data from the console input buffer.
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms684961(v=vs.85).aspx.
+func ReadConsoleInput(handle uintptr, buffer []INPUT_RECORD, count *uint32) error {
+	r1, r2, err := readConsoleInputProc.Call(handle, uintptr(unsafe.Pointer(&buffer[0])), uintptr(len(buffer)), uintptr(unsafe.Pointer(count)))
+	use(buffer)
+	return checkError(r1, r2, err)
+}
+
+// WaitForSingleObject waits for the passed handle to be signaled.
+// It returns true if the handle was signaled; false otherwise.
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms687032(v=vs.85).aspx.
+func WaitForSingleObject(handle uintptr, msWait uint32) (bool, error) {
+	r1, _, err := waitForSingleObjectProc.Call(handle, uintptr(uint32(msWait)))
+	switch r1 {
+	case WAIT_ABANDONED, WAIT_TIMEOUT:
+		return false, nil
+	case WAIT_SIGNALED:
+		return true, nil
+	}
+	use(msWait)
+	return false, err
+}
+
+// String helpers
+func (info CONSOLE_SCREEN_BUFFER_INFO) String() string {
+	return fmt.Sprintf("Size(%v) Cursor(%v) Window(%v) Max(%v)", info.Size, info.CursorPosition, info.Window, info.MaximumWindowSize)
+}
+
+func (coord COORD) String() string {
+	return fmt.Sprintf("%v,%v", coord.X, coord.Y)
+}
+
+func (rect SMALL_RECT) String() string {
+	return fmt.Sprintf("(%v,%v),(%v,%v)", rect.Left, rect.Top, rect.Right, rect.Bottom)
+}
+
+// checkError evaluates the results of a Windows API call and returns the error if it failed.
+func checkError(r1, r2 uintptr, err error) error {
+	// Windows APIs return non-zero to indicate success
+	if r1 != 0 {
+		return nil
+	}
+
+	// Return the error if provided, otherwise default to EINVAL
+	if err != nil {
+		return err
+	}
+	return syscall.EINVAL
+}
+
+// coordToPointer converts a COORD into a uintptr (by fooling the type system).
+func coordToPointer(c COORD) uintptr {
+	// Note: This code assumes the two SHORTs are correctly laid out; the "cast" to uint32 is just to get a pointer to pass.
+	return uintptr(*((*uint32)(unsafe.Pointer(&c))))
+}
+
+// use is a no-op, but the compiler cannot see that it is.
+// Calling use(p) ensures that p is kept live until that point.
+func use(p interface{}) {}
diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go b/vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go
new file mode 100644
index 0000000000..cbec8f728f
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go
@@ -0,0 +1,100 @@
+// +build windows
+
+package winterm
+
+import "github.com/Azure/go-ansiterm"
+
+const (
+	FOREGROUND_COLOR_MASK = FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE
+	BACKGROUND_COLOR_MASK = BACKGROUND_RED | BACKGROUND_GREEN | BACKGROUND_BLUE
+)
+
+// collectAnsiIntoWindowsAttributes modifies the passed Windows text mode flags to reflect the
+// request represented by the passed ANSI mode.
+func collectAnsiIntoWindowsAttributes(windowsMode uint16, inverted bool, baseMode uint16, ansiMode int16) (uint16, bool) {
+	switch ansiMode {
+
+	// Mode styles
+	case ansiterm.ANSI_SGR_BOLD:
+		windowsMode = windowsMode | FOREGROUND_INTENSITY
+
+	case ansiterm.ANSI_SGR_DIM, ansiterm.ANSI_SGR_BOLD_DIM_OFF:
+		windowsMode &^= FOREGROUND_INTENSITY
+
+	case ansiterm.ANSI_SGR_UNDERLINE:
+		windowsMode = windowsMode | COMMON_LVB_UNDERSCORE
+
+	case ansiterm.ANSI_SGR_REVERSE:
+		inverted = true
+
+	case ansiterm.ANSI_SGR_REVERSE_OFF:
+		inverted = false
+
+	case ansiterm.ANSI_SGR_UNDERLINE_OFF:
+		windowsMode &^= COMMON_LVB_UNDERSCORE
+
+		// Foreground colors
+	case ansiterm.ANSI_SGR_FOREGROUND_DEFAULT:
+		windowsMode = (windowsMode &^ FOREGROUND_MASK) | (baseMode & FOREGROUND_MASK)
+
+	case ansiterm.ANSI_SGR_FOREGROUND_BLACK:
+		windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK)
+
+	case ansiterm.ANSI_SGR_FOREGROUND_RED:
+		windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_RED
+
+	case ansiterm.ANSI_SGR_FOREGROUND_GREEN:
+		windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_GREEN
+
+	case ansiterm.ANSI_SGR_FOREGROUND_YELLOW:
+		windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_RED | FOREGROUND_GREEN
+
+	case ansiterm.ANSI_SGR_FOREGROUND_BLUE:
+		windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_BLUE
+
+	case ansiterm.ANSI_SGR_FOREGROUND_MAGENTA:
+		windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_RED | FOREGROUND_BLUE
+
+	case ansiterm.ANSI_SGR_FOREGROUND_CYAN:
+		windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_GREEN | FOREGROUND_BLUE
+
+	case ansiterm.ANSI_SGR_FOREGROUND_WHITE:
+		windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE
+
+		// Background colors
+	case ansiterm.ANSI_SGR_BACKGROUND_DEFAULT:
+		// Black with no intensity
+		windowsMode = (windowsMode &^ BACKGROUND_MASK) | (baseMode & BACKGROUND_MASK)
+
+	case ansiterm.ANSI_SGR_BACKGROUND_BLACK:
+		windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK)
+
+	case ansiterm.ANSI_SGR_BACKGROUND_RED:
+		windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_RED
+
+	case ansiterm.ANSI_SGR_BACKGROUND_GREEN:
+		windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_GREEN
+
+	case ansiterm.ANSI_SGR_BACKGROUND_YELLOW:
+		windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_RED | BACKGROUND_GREEN
+
+	case ansiterm.ANSI_SGR_BACKGROUND_BLUE:
+		windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_BLUE
+
+	case ansiterm.ANSI_SGR_BACKGROUND_MAGENTA:
+		windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_RED | BACKGROUND_BLUE
+
+	case ansiterm.ANSI_SGR_BACKGROUND_CYAN:
+		windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_GREEN | BACKGROUND_BLUE
+
+	case ansiterm.ANSI_SGR_BACKGROUND_WHITE:
+		windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_RED | BACKGROUND_GREEN | BACKGROUND_BLUE
+	}
+
+	return windowsMode, inverted
+}
+
+// invertAttributes inverts the foreground and background colors of a Windows attributes value
+func invertAttributes(windowsMode uint16) uint16 {
+	return (COMMON_LVB_MASK & windowsMode) | ((FOREGROUND_MASK & windowsMode) << 4) | ((BACKGROUND_MASK & windowsMode) >> 4)
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go b/vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go
new file mode 100644
index 0000000000..3ee06ea728
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go
@@ -0,0 +1,101 @@
+// +build windows
+
+package winterm
+
+const (
+	horizontal = iota
+	vertical
+)
+
+func (h *windowsAnsiEventHandler) getCursorWindow(info *CONSOLE_SCREEN_BUFFER_INFO) SMALL_RECT {
+	if h.originMode {
+		sr := h.effectiveSr(info.Window)
+		return SMALL_RECT{
+			Top:    sr.top,
+			Bottom: sr.bottom,
+			Left:   0,
+			Right:  info.Size.X - 1,
+		}
+	} else {
+		return SMALL_RECT{
+			Top:    info.Window.Top,
+			Bottom: info.Window.Bottom,
+			Left:   0,
+			Right:  info.Size.X - 1,
+		}
+	}
+}
+
+// setCursorPosition sets the cursor to the specified position, bounded to the screen size
+func (h *windowsAnsiEventHandler) setCursorPosition(position COORD, window SMALL_RECT) error {
+	position.X = ensureInRange(position.X, window.Left, window.Right)
+	position.Y = ensureInRange(position.Y, window.Top, window.Bottom)
+	err := SetConsoleCursorPosition(h.fd, position)
+	if err != nil {
+		return err
+	}
+	h.logf("Cursor position set: (%d, %d)", position.X, position.Y)
+	return err
+}
+
+func (h *windowsAnsiEventHandler) moveCursorVertical(param int) error {
+	return h.moveCursor(vertical, param)
+}
+
+func (h *windowsAnsiEventHandler) moveCursorHorizontal(param int) error {
+	return h.moveCursor(horizontal, param)
+}
+
+func (h *windowsAnsiEventHandler) moveCursor(moveMode int, param int) error {
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	position := info.CursorPosition
+	switch moveMode {
+	case horizontal:
+		position.X += int16(param)
+	case vertical:
+		position.Y += int16(param)
+	}
+
+	if err = h.setCursorPosition(position, h.getCursorWindow(info)); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) moveCursorLine(param int) error {
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	position := info.CursorPosition
+	position.X = 0
+	position.Y += int16(param)
+
+	if err = h.setCursorPosition(position, h.getCursorWindow(info)); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) moveCursorColumn(param int) error {
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	position := info.CursorPosition
+	position.X = int16(param) - 1
+
+	if err = h.setCursorPosition(position, h.getCursorWindow(info)); err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go b/vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go
new file mode 100644
index 0000000000..244b5fa25e
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go
@@ -0,0 +1,84 @@
+// +build windows
+
+package winterm
+
+import "github.com/Azure/go-ansiterm"
+
+func (h *windowsAnsiEventHandler) clearRange(attributes uint16, fromCoord COORD, toCoord COORD) error {
+	// Ignore an invalid (negative area) request
+	if toCoord.Y < fromCoord.Y {
+		return nil
+	}
+
+	var err error
+
+	var coordStart = COORD{}
+	var coordEnd = COORD{}
+
+	xCurrent, yCurrent := fromCoord.X, fromCoord.Y
+	xEnd, yEnd := toCoord.X, toCoord.Y
+
+	// Clear any partial initial line
+	if xCurrent > 0 {
+		coordStart.X, coordStart.Y = xCurrent, yCurrent
+		coordEnd.X, coordEnd.Y = xEnd, yCurrent
+
+		err = h.clearRect(attributes, coordStart, coordEnd)
+		if err != nil {
+			return err
+		}
+
+		xCurrent = 0
+		yCurrent += 1
+	}
+
+	// Clear intervening rectangular section
+	if yCurrent < yEnd {
+		coordStart.X, coordStart.Y = xCurrent, yCurrent
+		coordEnd.X, coordEnd.Y = xEnd, yEnd-1
+
+		err = h.clearRect(attributes, coordStart, coordEnd)
+		if err != nil {
+			return err
+		}
+
+		xCurrent = 0
+		yCurrent = yEnd
+	}
+
+	// Clear remaining partial ending line
+	coordStart.X, coordStart.Y = xCurrent, yCurrent
+	coordEnd.X, coordEnd.Y = xEnd, yEnd
+
+	err = h.clearRect(attributes, coordStart, coordEnd)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) clearRect(attributes uint16, fromCoord COORD, toCoord COORD) error {
+	region := SMALL_RECT{Top: fromCoord.Y, Left: fromCoord.X, Bottom: toCoord.Y, Right: toCoord.X}
+	width := toCoord.X - fromCoord.X + 1
+	height := toCoord.Y - fromCoord.Y + 1
+	size := uint32(width) * uint32(height)
+
+	if size <= 0 {
+		return nil
+	}
+
+	buffer := make([]CHAR_INFO, size)
+
+	char := CHAR_INFO{ansiterm.FILL_CHARACTER, attributes}
+	for i := 0; i < int(size); i++ {
+		buffer[i] = char
+	}
+
+	err := WriteConsoleOutput(h.fd, buffer, COORD{X: width, Y: height}, COORD{X: 0, Y: 0}, &region)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go b/vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go
new file mode 100644
index 0000000000..2d27fa1d02
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go
@@ -0,0 +1,118 @@
+// +build windows
+
+package winterm
+
+// effectiveSr gets the current effective scroll region in buffer coordinates
+func (h *windowsAnsiEventHandler) effectiveSr(window SMALL_RECT) scrollRegion {
+	top := addInRange(window.Top, h.sr.top, window.Top, window.Bottom)
+	bottom := addInRange(window.Top, h.sr.bottom, window.Top, window.Bottom)
+	if top >= bottom {
+		top = window.Top
+		bottom = window.Bottom
+	}
+	return scrollRegion{top: top, bottom: bottom}
+}
+
+func (h *windowsAnsiEventHandler) scrollUp(param int) error {
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	sr := h.effectiveSr(info.Window)
+	return h.scroll(param, sr, info)
+}
+
+func (h *windowsAnsiEventHandler) scrollDown(param int) error {
+	return h.scrollUp(-param)
+}
+
+func (h *windowsAnsiEventHandler) deleteLines(param int) error {
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	start := info.CursorPosition.Y
+	sr := h.effectiveSr(info.Window)
+	// Lines cannot be inserted or deleted outside the scrolling region.
+	if start >= sr.top && start <= sr.bottom {
+		sr.top = start
+		return h.scroll(param, sr, info)
+	} else {
+		return nil
+	}
+}
+
+func (h *windowsAnsiEventHandler) insertLines(param int) error {
+	return h.deleteLines(-param)
+}
+
+// scroll scrolls the provided scroll region by param lines. The scroll region is in buffer coordinates.
+func (h *windowsAnsiEventHandler) scroll(param int, sr scrollRegion, info *CONSOLE_SCREEN_BUFFER_INFO) error {
+	h.logf("scroll: scrollTop: %d, scrollBottom: %d", sr.top, sr.bottom)
+	h.logf("scroll: windowTop: %d, windowBottom: %d", info.Window.Top, info.Window.Bottom)
+
+	// Copy from and clip to the scroll region (full buffer width)
+	scrollRect := SMALL_RECT{
+		Top:    sr.top,
+		Bottom: sr.bottom,
+		Left:   0,
+		Right:  info.Size.X - 1,
+	}
+
+	// Origin to which area should be copied
+	destOrigin := COORD{
+		X: 0,
+		Y: sr.top - int16(param),
+	}
+
+	char := CHAR_INFO{
+		UnicodeChar: ' ',
+		Attributes:  h.attributes,
+	}
+
+	if err := ScrollConsoleScreenBuffer(h.fd, scrollRect, scrollRect, destOrigin, char); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) deleteCharacters(param int) error {
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+	return h.scrollLine(param, info.CursorPosition, info)
+}
+
+func (h *windowsAnsiEventHandler) insertCharacters(param int) error {
+	return h.deleteCharacters(-param)
+}
+
+// scrollLine scrolls a line horizontally starting at the provided position by a number of columns.
+func (h *windowsAnsiEventHandler) scrollLine(columns int, position COORD, info *CONSOLE_SCREEN_BUFFER_INFO) error {
+	// Copy from and clip to the scroll region (full buffer width)
+	scrollRect := SMALL_RECT{
+		Top:    position.Y,
+		Bottom: position.Y,
+		Left:   position.X,
+		Right:  info.Size.X - 1,
+	}
+
+	// Origin to which area should be copied
+	destOrigin := COORD{
+		X: position.X - int16(columns),
+		Y: position.Y,
+	}
+
+	char := CHAR_INFO{
+		UnicodeChar: ' ',
+		Attributes:  h.attributes,
+	}
+
+	if err := ScrollConsoleScreenBuffer(h.fd, scrollRect, scrollRect, destOrigin, char); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/utilities.go b/vendor/github.com/Azure/go-ansiterm/winterm/utilities.go
new file mode 100644
index 0000000000..afa7635d77
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/winterm/utilities.go
@@ -0,0 +1,9 @@
+// +build windows
+
+package winterm
+
+// AddInRange increments a value by the passed quantity while ensuring the values
+// always remain within the supplied min / max range.
+func addInRange(n int16, increment int16, min int16, max int16) int16 {
+	return ensureInRange(n+increment, min, max)
+}
diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go b/vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go
new file mode 100644
index 0000000000..2d40fb75ad
--- /dev/null
+++ b/vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go
@@ -0,0 +1,743 @@
+// +build windows
+
+package winterm
+
+import (
+	"bytes"
+	"log"
+	"os"
+	"strconv"
+
+	"github.com/Azure/go-ansiterm"
+)
+
+type windowsAnsiEventHandler struct {
+	fd             uintptr
+	file           *os.File
+	infoReset      *CONSOLE_SCREEN_BUFFER_INFO
+	sr             scrollRegion
+	buffer         bytes.Buffer
+	attributes     uint16
+	inverted       bool
+	wrapNext       bool
+	drewMarginByte bool
+	originMode     bool
+	marginByte     byte
+	curInfo        *CONSOLE_SCREEN_BUFFER_INFO
+	curPos         COORD
+	logf           func(string, ...interface{})
+}
+
+type Option func(*windowsAnsiEventHandler)
+
+func WithLogf(f func(string, ...interface{})) Option {
+	return func(w *windowsAnsiEventHandler) {
+		w.logf = f
+	}
+}
+
+func CreateWinEventHandler(fd uintptr, file *os.File, opts ...Option) ansiterm.AnsiEventHandler {
+	infoReset, err := GetConsoleScreenBufferInfo(fd)
+	if err != nil {
+		return nil
+	}
+
+	h := &windowsAnsiEventHandler{
+		fd:         fd,
+		file:       file,
+		infoReset:  infoReset,
+		attributes: infoReset.Attributes,
+	}
+	for _, o := range opts {
+		o(h)
+	}
+
+	if isDebugEnv := os.Getenv(ansiterm.LogEnv); isDebugEnv == "1" {
+		logFile, _ := os.Create("winEventHandler.log")
+		logger := log.New(logFile, "", log.LstdFlags)
+		if h.logf != nil {
+			l := h.logf
+			h.logf = func(s string, v ...interface{}) {
+				l(s, v...)
+				logger.Printf(s, v...)
+			}
+		} else {
+			h.logf = logger.Printf
+		}
+	}
+
+	if h.logf == nil {
+		h.logf = func(string, ...interface{}) {}
+	}
+
+	return h
+}
+
+type scrollRegion struct {
+	top    int16
+	bottom int16
+}
+
+// simulateLF simulates a LF or CR+LF by scrolling if necessary to handle the
+// current cursor position and scroll region settings, in which case it returns
+// true. If no special handling is necessary, then it does nothing and returns
+// false.
+//
+// In the false case, the caller should ensure that a carriage return
+// and line feed are inserted or that the text is otherwise wrapped.
+func (h *windowsAnsiEventHandler) simulateLF(includeCR bool) (bool, error) {
+	if h.wrapNext {
+		if err := h.Flush(); err != nil {
+			return false, err
+		}
+		h.clearWrap()
+	}
+	pos, info, err := h.getCurrentInfo()
+	if err != nil {
+		return false, err
+	}
+	sr := h.effectiveSr(info.Window)
+	if pos.Y == sr.bottom {
+		// Scrolling is necessary. Let Windows automatically scroll if the scrolling region
+		// is the full window.
+		if sr.top == info.Window.Top && sr.bottom == info.Window.Bottom {
+			if includeCR {
+				pos.X = 0
+				h.updatePos(pos)
+			}
+			return false, nil
+		}
+
+		// A custom scroll region is active. Scroll the window manually to simulate
+		// the LF.
+		if err := h.Flush(); err != nil {
+			return false, err
+		}
+		h.logf("Simulating LF inside scroll region")
+		if err := h.scrollUp(1); err != nil {
+			return false, err
+		}
+		if includeCR {
+			pos.X = 0
+			if err := SetConsoleCursorPosition(h.fd, pos); err != nil {
+				return false, err
+			}
+		}
+		return true, nil
+
+	} else if pos.Y < info.Window.Bottom {
+		// Let Windows handle the LF.
+		pos.Y++
+		if includeCR {
+			pos.X = 0
+		}
+		h.updatePos(pos)
+		return false, nil
+	} else {
+		// The cursor is at the bottom of the screen but outside the scroll
+		// region. Skip the LF.
+		h.logf("Simulating LF outside scroll region")
+		if includeCR {
+			if err := h.Flush(); err != nil {
+				return false, err
+			}
+			pos.X = 0
+			if err := SetConsoleCursorPosition(h.fd, pos); err != nil {
+				return false, err
+			}
+		}
+		return true, nil
+	}
+}
+
+// executeLF executes a LF without a CR.
+func (h *windowsAnsiEventHandler) executeLF() error {
+	handled, err := h.simulateLF(false)
+	if err != nil {
+		return err
+	}
+	if !handled {
+		// Windows LF will reset the cursor column position. Write the LF
+		// and restore the cursor position.
+		pos, _, err := h.getCurrentInfo()
+		if err != nil {
+			return err
+		}
+		h.buffer.WriteByte(ansiterm.ANSI_LINE_FEED)
+		if pos.X != 0 {
+			if err := h.Flush(); err != nil {
+				return err
+			}
+			h.logf("Resetting cursor position for LF without CR")
+			if err := SetConsoleCursorPosition(h.fd, pos); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) Print(b byte) error {
+	if h.wrapNext {
+		h.buffer.WriteByte(h.marginByte)
+		h.clearWrap()
+		if _, err := h.simulateLF(true); err != nil {
+			return err
+		}
+	}
+	pos, info, err := h.getCurrentInfo()
+	if err != nil {
+		return err
+	}
+	if pos.X == info.Size.X-1 {
+		h.wrapNext = true
+		h.marginByte = b
+	} else {
+		pos.X++
+		h.updatePos(pos)
+		h.buffer.WriteByte(b)
+	}
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) Execute(b byte) error {
+	switch b {
+	case ansiterm.ANSI_TAB:
+		h.logf("Execute(TAB)")
+		// Move to the next tab stop, but preserve auto-wrap if already set.
+		if !h.wrapNext {
+			pos, info, err := h.getCurrentInfo()
+			if err != nil {
+				return err
+			}
+			pos.X = (pos.X + 8) - pos.X%8
+			if pos.X >= info.Size.X {
+				pos.X = info.Size.X - 1
+			}
+			if err := h.Flush(); err != nil {
+				return err
+			}
+			if err := SetConsoleCursorPosition(h.fd, pos); err != nil {
+				return err
+			}
+		}
+		return nil
+
+	case ansiterm.ANSI_BEL:
+		h.buffer.WriteByte(ansiterm.ANSI_BEL)
+		return nil
+
+	case ansiterm.ANSI_BACKSPACE:
+		if h.wrapNext {
+			if err := h.Flush(); err != nil {
+				return err
+			}
+			h.clearWrap()
+		}
+		pos, _, err := h.getCurrentInfo()
+		if err != nil {
+			return err
+		}
+		if pos.X > 0 {
+			pos.X--
+			h.updatePos(pos)
+			h.buffer.WriteByte(ansiterm.ANSI_BACKSPACE)
+		}
+		return nil
+
+	case ansiterm.ANSI_VERTICAL_TAB, ansiterm.ANSI_FORM_FEED:
+		// Treat as true LF.
+		return h.executeLF()
+
+	case ansiterm.ANSI_LINE_FEED:
+		// Simulate a CR and LF for now since there is no way in go-ansiterm
+		// to tell if the LF should include CR (and more things break when it's
+		// missing than when it's incorrectly added).
+		handled, err := h.simulateLF(true)
+		if handled || err != nil {
+			return err
+		}
+		return h.buffer.WriteByte(ansiterm.ANSI_LINE_FEED)
+
+	case ansiterm.ANSI_CARRIAGE_RETURN:
+		if h.wrapNext {
+			if err := h.Flush(); err != nil {
+				return err
+			}
+			h.clearWrap()
+		}
+		pos, _, err := h.getCurrentInfo()
+		if err != nil {
+			return err
+		}
+		if pos.X != 0 {
+			pos.X = 0
+			h.updatePos(pos)
+			h.buffer.WriteByte(ansiterm.ANSI_CARRIAGE_RETURN)
+		}
+		return nil
+
+	default:
+		return nil
+	}
+}
+
+func (h *windowsAnsiEventHandler) CUU(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("CUU: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.moveCursorVertical(-param)
+}
+
+func (h *windowsAnsiEventHandler) CUD(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("CUD: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.moveCursorVertical(param)
+}
+
+func (h *windowsAnsiEventHandler) CUF(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("CUF: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.moveCursorHorizontal(param)
+}
+
+func (h *windowsAnsiEventHandler) CUB(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("CUB: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.moveCursorHorizontal(-param)
+}
+
+func (h *windowsAnsiEventHandler) CNL(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("CNL: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.moveCursorLine(param)
+}
+
+func (h *windowsAnsiEventHandler) CPL(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("CPL: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.moveCursorLine(-param)
+}
+
+func (h *windowsAnsiEventHandler) CHA(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("CHA: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.moveCursorColumn(param)
+}
+
+func (h *windowsAnsiEventHandler) VPA(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("VPA: [[%d]]", param)
+	h.clearWrap()
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+	window := h.getCursorWindow(info)
+	position := info.CursorPosition
+	position.Y = window.Top + int16(param) - 1
+	return h.setCursorPosition(position, window)
+}
+
+func (h *windowsAnsiEventHandler) CUP(row int, col int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("CUP: [[%d %d]]", row, col)
+	h.clearWrap()
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	window := h.getCursorWindow(info)
+	position := COORD{window.Left + int16(col) - 1, window.Top + int16(row) - 1}
+	return h.setCursorPosition(position, window)
+}
+
+func (h *windowsAnsiEventHandler) HVP(row int, col int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("HVP: [[%d %d]]", row, col)
+	h.clearWrap()
+	return h.CUP(row, col)
+}
+
+func (h *windowsAnsiEventHandler) DECTCEM(visible bool) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("DECTCEM: [%v]", []string{strconv.FormatBool(visible)})
+	h.clearWrap()
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) DECOM(enable bool) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("DECOM: [%v]", []string{strconv.FormatBool(enable)})
+	h.clearWrap()
+	h.originMode = enable
+	return h.CUP(1, 1)
+}
+
+func (h *windowsAnsiEventHandler) DECCOLM(use132 bool) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("DECCOLM: [%v]", []string{strconv.FormatBool(use132)})
+	h.clearWrap()
+	if err := h.ED(2); err != nil {
+		return err
+	}
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+	targetWidth := int16(80)
+	if use132 {
+		targetWidth = 132
+	}
+	if info.Size.X < targetWidth {
+		if err := SetConsoleScreenBufferSize(h.fd, COORD{targetWidth, info.Size.Y}); err != nil {
+			h.logf("set buffer failed: %v", err)
+			return err
+		}
+	}
+	window := info.Window
+	window.Left = 0
+	window.Right = targetWidth - 1
+	if err := SetConsoleWindowInfo(h.fd, true, window); err != nil {
+		h.logf("set window failed: %v", err)
+		return err
+	}
+	if info.Size.X > targetWidth {
+		if err := SetConsoleScreenBufferSize(h.fd, COORD{targetWidth, info.Size.Y}); err != nil {
+			h.logf("set buffer failed: %v", err)
+			return err
+		}
+	}
+	return SetConsoleCursorPosition(h.fd, COORD{0, 0})
+}
+
+func (h *windowsAnsiEventHandler) ED(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("ED: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+
+	// [J  -- Erases from the cursor to the end of the screen, including the cursor position.
+	// [1J -- Erases from the beginning of the screen to the cursor, including the cursor position.
+	// [2J -- Erases the complete display. The cursor does not move.
+	// Notes:
+	// -- Clearing the entire buffer, versus just the Window, works best for Windows Consoles
+
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	var start COORD
+	var end COORD
+
+	switch param {
+	case 0:
+		start = info.CursorPosition
+		end = COORD{info.Size.X - 1, info.Size.Y - 1}
+
+	case 1:
+		start = COORD{0, 0}
+		end = info.CursorPosition
+
+	case 2:
+		start = COORD{0, 0}
+		end = COORD{info.Size.X - 1, info.Size.Y - 1}
+	}
+
+	err = h.clearRange(h.attributes, start, end)
+	if err != nil {
+		return err
+	}
+
+	// If the whole buffer was cleared, move the window to the top while preserving
+	// the window-relative cursor position.
+	if param == 2 {
+		pos := info.CursorPosition
+		window := info.Window
+		pos.Y -= window.Top
+		window.Bottom -= window.Top
+		window.Top = 0
+		if err := SetConsoleCursorPosition(h.fd, pos); err != nil {
+			return err
+		}
+		if err := SetConsoleWindowInfo(h.fd, true, window); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) EL(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("EL: [%v]", strconv.Itoa(param))
+	h.clearWrap()
+
+	// [K  -- Erases from the cursor to the end of the line, including the cursor position.
+	// [1K -- Erases from the beginning of the line to the cursor, including the cursor position.
+	// [2K -- Erases the complete line.
+
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	var start COORD
+	var end COORD
+
+	switch param {
+	case 0:
+		start = info.CursorPosition
+		end = COORD{info.Size.X, info.CursorPosition.Y}
+
+	case 1:
+		start = COORD{0, info.CursorPosition.Y}
+		end = info.CursorPosition
+
+	case 2:
+		start = COORD{0, info.CursorPosition.Y}
+		end = COORD{info.Size.X, info.CursorPosition.Y}
+	}
+
+	err = h.clearRange(h.attributes, start, end)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) IL(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("IL: [%v]", strconv.Itoa(param))
+	h.clearWrap()
+	return h.insertLines(param)
+}
+
+func (h *windowsAnsiEventHandler) DL(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("DL: [%v]", strconv.Itoa(param))
+	h.clearWrap()
+	return h.deleteLines(param)
+}
+
+func (h *windowsAnsiEventHandler) ICH(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("ICH: [%v]", strconv.Itoa(param))
+	h.clearWrap()
+	return h.insertCharacters(param)
+}
+
+func (h *windowsAnsiEventHandler) DCH(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("DCH: [%v]", strconv.Itoa(param))
+	h.clearWrap()
+	return h.deleteCharacters(param)
+}
+
+func (h *windowsAnsiEventHandler) SGR(params []int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	strings := []string{}
+	for _, v := range params {
+		strings = append(strings, strconv.Itoa(v))
+	}
+
+	h.logf("SGR: [%v]", strings)
+
+	if len(params) <= 0 {
+		h.attributes = h.infoReset.Attributes
+		h.inverted = false
+	} else {
+		for _, attr := range params {
+
+			if attr == ansiterm.ANSI_SGR_RESET {
+				h.attributes = h.infoReset.Attributes
+				h.inverted = false
+				continue
+			}
+
+			h.attributes, h.inverted = collectAnsiIntoWindowsAttributes(h.attributes, h.inverted, h.infoReset.Attributes, int16(attr))
+		}
+	}
+
+	attributes := h.attributes
+	if h.inverted {
+		attributes = invertAttributes(attributes)
+	}
+	err := SetConsoleTextAttribute(h.fd, attributes)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) SU(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("SU: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.scrollUp(param)
+}
+
+func (h *windowsAnsiEventHandler) SD(param int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("SD: [%v]", []string{strconv.Itoa(param)})
+	h.clearWrap()
+	return h.scrollDown(param)
+}
+
+func (h *windowsAnsiEventHandler) DA(params []string) error {
+	h.logf("DA: [%v]", params)
+	// DA cannot be implemented because it must send data on the VT100 input stream,
+	// which is not available to go-ansiterm.
+	return nil
+}
+
+func (h *windowsAnsiEventHandler) DECSTBM(top int, bottom int) error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("DECSTBM: [%d, %d]", top, bottom)
+
+	// Windows is 0 indexed, Linux is 1 indexed
+	h.sr.top = int16(top - 1)
+	h.sr.bottom = int16(bottom - 1)
+
+	// This command also moves the cursor to the origin.
+	h.clearWrap()
+	return h.CUP(1, 1)
+}
+
+func (h *windowsAnsiEventHandler) RI() error {
+	if err := h.Flush(); err != nil {
+		return err
+	}
+	h.logf("RI: []")
+	h.clearWrap()
+
+	info, err := GetConsoleScreenBufferInfo(h.fd)
+	if err != nil {
+		return err
+	}
+
+	sr := h.effectiveSr(info.Window)
+	if info.CursorPosition.Y == sr.top {
+		return h.scrollDown(1)
+	}
+
+	return h.moveCursorVertical(-1)
+}
+
+func (h *windowsAnsiEventHandler) IND() error {
+	h.logf("IND: []")
+	return h.executeLF()
+}
+
+func (h *windowsAnsiEventHandler) Flush() error {
+	h.curInfo = nil
+	if h.buffer.Len() > 0 {
+		h.logf("Flush: [%s]", h.buffer.Bytes())
+		if _, err := h.buffer.WriteTo(h.file); err != nil {
+			return err
+		}
+	}
+
+	if h.wrapNext && !h.drewMarginByte {
+		h.logf("Flush: drawing margin byte '%c'", h.marginByte)
+
+		info, err := GetConsoleScreenBufferInfo(h.fd)
+		if err != nil {
+			return err
+		}
+
+		charInfo := []CHAR_INFO{{UnicodeChar: uint16(h.marginByte), Attributes: info.Attributes}}
+		size := COORD{1, 1}
+		position := COORD{0, 0}
+		region := SMALL_RECT{Left: info.CursorPosition.X, Top: info.CursorPosition.Y, Right: info.CursorPosition.X, Bottom: info.CursorPosition.Y}
+		if err := WriteConsoleOutput(h.fd, charInfo, size, position, &region); err != nil {
+			return err
+		}
+		h.drewMarginByte = true
+	}
+	return nil
+}
+
+// cacheConsoleInfo ensures that the current console screen information has been queried
+// since the last call to Flush(). It must be called before accessing h.curInfo or h.curPos.
+func (h *windowsAnsiEventHandler) getCurrentInfo() (COORD, *CONSOLE_SCREEN_BUFFER_INFO, error) {
+	if h.curInfo == nil {
+		info, err := GetConsoleScreenBufferInfo(h.fd)
+		if err != nil {
+			return COORD{}, nil, err
+		}
+		h.curInfo = info
+		h.curPos = info.CursorPosition
+	}
+	return h.curPos, h.curInfo, nil
+}
+
+func (h *windowsAnsiEventHandler) updatePos(pos COORD) {
+	if h.curInfo == nil {
+		panic("failed to call getCurrentInfo before calling updatePos")
+	}
+	h.curPos = pos
+}
+
+// clearWrap clears the state where the cursor is in the margin
+// waiting for the next character before wrapping the line. This must
+// be done before most operations that act on the cursor.
+func (h *windowsAnsiEventHandler) clearWrap() {
+	h.wrapNext = false
+	h.drewMarginByte = false
+}
diff --git a/vendor/github.com/BurntSushi/toml/.gitignore b/vendor/github.com/BurntSushi/toml/.gitignore
new file mode 100644
index 0000000000..fe79e3adda
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/.gitignore
@@ -0,0 +1,2 @@
+/toml.test
+/toml-test
diff --git a/vendor/github.com/BurntSushi/toml/COPYING b/vendor/github.com/BurntSushi/toml/COPYING
new file mode 100644
index 0000000000..01b5743200
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/COPYING
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 TOML authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/BurntSushi/toml/README.md b/vendor/github.com/BurntSushi/toml/README.md
new file mode 100644
index 0000000000..235496eeb2
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/README.md
@@ -0,0 +1,120 @@
+TOML stands for Tom's Obvious, Minimal Language. This Go package provides a
+reflection interface similar to Go's standard library `json` and `xml` packages.
+
+Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).
+
+Documentation: https://pkg.go.dev/github.com/BurntSushi/toml
+
+See the [releases page](https://github.com/BurntSushi/toml/releases) for a
+changelog; this information is also in the git tag annotations (e.g. `git show
+v0.4.0`).
+
+This library requires Go 1.18 or newer; add it to your go.mod with:
+
+    % go get github.com/BurntSushi/toml@latest
+
+It also comes with a TOML validator CLI tool:
+
+    % go install github.com/BurntSushi/toml/cmd/tomlv@latest
+    % tomlv some-toml-file.toml
+
+### Examples
+For the simplest example, consider some TOML file as just a list of keys and
+values:
+
+```toml
+Age = 25
+Cats = [ "Cauchy", "Plato" ]
+Pi = 3.14
+Perfection = [ 6, 28, 496, 8128 ]
+DOB = 1987-07-05T05:45:00Z
+```
+
+Which can be decoded with:
+
+```go
+type Config struct {
+	Age        int
+	Cats       []string
+	Pi         float64
+	Perfection []int
+	DOB        time.Time
+}
+
+var conf Config
+_, err := toml.Decode(tomlData, &conf)
+```
+
+You can also use struct tags if your struct field name doesn't map to a TOML key
+value directly:
+
+```toml
+some_key_NAME = "wat"
+```
+
+```go
+type TOML struct {
+    ObscureKey string `toml:"some_key_NAME"`
+}
+```
+
+Beware that like other decoders **only exported fields** are considered when
+encoding and decoding; private fields are silently ignored.
+
+### Using the `Marshaler` and `encoding.TextUnmarshaler` interfaces
+Here's an example that automatically parses values in a `mail.Address`:
+
+```toml
+contacts = [
+    "Donald Duck <donald@duckburg.com>",
+    "Scrooge McDuck <scrooge@duckburg.com>",
+]
+```
+
+Can be decoded with:
+
+```go
+// Create address type which satisfies the encoding.TextUnmarshaler interface.
+type address struct {
+	*mail.Address
+}
+
+func (a *address) UnmarshalText(text []byte) error {
+	var err error
+	a.Address, err = mail.ParseAddress(string(text))
+	return err
+}
+
+// Decode it.
+func decode() {
+	blob := `
+		contacts = [
+			"Donald Duck <donald@duckburg.com>",
+			"Scrooge McDuck <scrooge@duckburg.com>",
+		]
+	`
+
+	var contacts struct {
+		Contacts []address
+	}
+
+	_, err := toml.Decode(blob, &contacts)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	for _, c := range contacts.Contacts {
+		fmt.Printf("%#v\n", c.Address)
+	}
+
+	// Output:
+	// &mail.Address{Name:"Donald Duck", Address:"donald@duckburg.com"}
+	// &mail.Address{Name:"Scrooge McDuck", Address:"scrooge@duckburg.com"}
+}
+```
+
+To target TOML specifically you can implement `UnmarshalTOML` TOML interface in
+a similar way.
+
+### More complex usage
+See the [`_example/`](/_example) directory for a more complex example.
diff --git a/vendor/github.com/BurntSushi/toml/decode.go b/vendor/github.com/BurntSushi/toml/decode.go
new file mode 100644
index 0000000000..3fa516caa2
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/decode.go
@@ -0,0 +1,638 @@
+package toml
+
+import (
+	"bytes"
+	"encoding"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/fs"
+	"math"
+	"os"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// Unmarshaler is the interface implemented by objects that can unmarshal a
+// TOML description of themselves.
+type Unmarshaler interface {
+	UnmarshalTOML(any) error
+}
+
+// Unmarshal decodes the contents of data in TOML format into a pointer v.
+//
+// See [Decoder] for a description of the decoding process.
+func Unmarshal(data []byte, v any) error {
+	_, err := NewDecoder(bytes.NewReader(data)).Decode(v)
+	return err
+}
+
+// Decode the TOML data in to the pointer v.
+//
+// See [Decoder] for a description of the decoding process.
+func Decode(data string, v any) (MetaData, error) {
+	return NewDecoder(strings.NewReader(data)).Decode(v)
+}
+
+// DecodeFile reads the contents of a file and decodes it with [Decode].
+func DecodeFile(path string, v any) (MetaData, error) {
+	fp, err := os.Open(path)
+	if err != nil {
+		return MetaData{}, err
+	}
+	defer fp.Close()
+	return NewDecoder(fp).Decode(v)
+}
+
+// DecodeFS reads the contents of a file from [fs.FS] and decodes it with
+// [Decode].
+func DecodeFS(fsys fs.FS, path string, v any) (MetaData, error) {
+	fp, err := fsys.Open(path)
+	if err != nil {
+		return MetaData{}, err
+	}
+	defer fp.Close()
+	return NewDecoder(fp).Decode(v)
+}
+
+// Primitive is a TOML value that hasn't been decoded into a Go value.
+//
+// This type can be used for any value, which will cause decoding to be delayed.
+// You can use [PrimitiveDecode] to "manually" decode these values.
+//
+// NOTE: The underlying representation of a `Primitive` value is subject to
+// change. Do not rely on it.
+//
+// NOTE: Primitive values are still parsed, so using them will only avoid the
+// overhead of reflection. They can be useful when you don't know the exact type
+// of TOML data until runtime.
+type Primitive struct {
+	undecoded any
+	context   Key
+}
+
+// The significand precision for float32 and float64 is 24 and 53 bits; this is
+// the range a natural number can be stored in a float without loss of data.
+const (
+	maxSafeFloat32Int = 16777215                // 2^24-1
+	maxSafeFloat64Int = int64(9007199254740991) // 2^53-1
+)
+
+// Decoder decodes TOML data.
+//
+// TOML tables correspond to Go structs or maps; they can be used
+// interchangeably, but structs offer better type safety.
+//
+// TOML table arrays correspond to either a slice of structs or a slice of maps.
+//
+// TOML datetimes correspond to [time.Time]. Local datetimes are parsed in the
+// local timezone.
+//
+// [time.Duration] types are treated as nanoseconds if the TOML value is an
+// integer, or they're parsed with time.ParseDuration() if they're strings.
+//
+// All other TOML types (float, string, int, bool and array) correspond to the
+// obvious Go types.
+//
+// An exception to the above rules is if a type implements the TextUnmarshaler
+// interface, in which case any primitive TOML value (floats, strings, integers,
+// booleans, datetimes) will be converted to a []byte and given to the value's
+// UnmarshalText method. See the Unmarshaler example for a demonstration with
+// email addresses.
+//
+// # Key mapping
+//
+// TOML keys can map to either keys in a Go map or field names in a Go struct.
+// The special `toml` struct tag can be used to map TOML keys to struct fields
+// that don't match the key name exactly (see the example). A case insensitive
+// match to struct names will be tried if an exact match can't be found.
+//
+// The mapping between TOML values and Go values is loose. That is, there may
+// exist TOML values that cannot be placed into your representation, and there
+// may be parts of your representation that do not correspond to TOML values.
+// This loose mapping can be made stricter by using the IsDefined and/or
+// Undecoded methods on the MetaData returned.
+//
+// This decoder does not handle cyclic types. Decode will not terminate if a
+// cyclic type is passed.
+type Decoder struct {
+	r io.Reader
+}
+
+// NewDecoder creates a new Decoder.
+func NewDecoder(r io.Reader) *Decoder {
+	return &Decoder{r: r}
+}
+
+var (
+	unmarshalToml = reflect.TypeOf((*Unmarshaler)(nil)).Elem()
+	unmarshalText = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
+	primitiveType = reflect.TypeOf((*Primitive)(nil)).Elem()
+)
+
+// Decode TOML data in to the pointer `v`.
+func (dec *Decoder) Decode(v any) (MetaData, error) {
+	rv := reflect.ValueOf(v)
+	if rv.Kind() != reflect.Ptr {
+		s := "%q"
+		if reflect.TypeOf(v) == nil {
+			s = "%v"
+		}
+
+		return MetaData{}, fmt.Errorf("toml: cannot decode to non-pointer "+s, reflect.TypeOf(v))
+	}
+	if rv.IsNil() {
+		return MetaData{}, fmt.Errorf("toml: cannot decode to nil value of %q", reflect.TypeOf(v))
+	}
+
+	// Check if this is a supported type: struct, map, any, or something that
+	// implements UnmarshalTOML or UnmarshalText.
+	rv = indirect(rv)
+	rt := rv.Type()
+	if rv.Kind() != reflect.Struct && rv.Kind() != reflect.Map &&
+		!(rv.Kind() == reflect.Interface && rv.NumMethod() == 0) &&
+		!rt.Implements(unmarshalToml) && !rt.Implements(unmarshalText) {
+		return MetaData{}, fmt.Errorf("toml: cannot decode to type %s", rt)
+	}
+
+	// TODO: parser should read from io.Reader? Or at the very least, make it
+	// read from []byte rather than string
+	data, err := io.ReadAll(dec.r)
+	if err != nil {
+		return MetaData{}, err
+	}
+
+	p, err := parse(string(data))
+	if err != nil {
+		return MetaData{}, err
+	}
+
+	md := MetaData{
+		mapping: p.mapping,
+		keyInfo: p.keyInfo,
+		keys:    p.ordered,
+		decoded: make(map[string]struct{}, len(p.ordered)),
+		context: nil,
+		data:    data,
+	}
+	return md, md.unify(p.mapping, rv)
+}
+
+// PrimitiveDecode is just like the other Decode* functions, except it decodes a
+// TOML value that has already been parsed. Valid primitive values can *only* be
+// obtained from values filled by the decoder functions, including this method.
+// (i.e., v may contain more [Primitive] values.)
+//
+// Meta data for primitive values is included in the meta data returned by the
+// Decode* functions with one exception: keys returned by the Undecoded method
+// will only reflect keys that were decoded. Namely, any keys hidden behind a
+// Primitive will be considered undecoded. Executing this method will update the
+// undecoded keys in the meta data. (See the example.)
+func (md *MetaData) PrimitiveDecode(primValue Primitive, v any) error {
+	md.context = primValue.context
+	defer func() { md.context = nil }()
+	return md.unify(primValue.undecoded, rvalue(v))
+}
+
+// markDecodedRecursive is a helper to mark any key under the given tmap as
+// decoded, recursing as needed
+func markDecodedRecursive(md *MetaData, tmap map[string]any) {
+	for key := range tmap {
+		md.decoded[md.context.add(key).String()] = struct{}{}
+		if tmap, ok := tmap[key].(map[string]any); ok {
+			md.context = append(md.context, key)
+			markDecodedRecursive(md, tmap)
+			md.context = md.context[0 : len(md.context)-1]
+		}
+	}
+}
+
+// unify performs a sort of type unification based on the structure of `rv`,
+// which is the client representation.
+//
+// Any type mismatch produces an error. Finding a type that we don't know
+// how to handle produces an unsupported type error.
+func (md *MetaData) unify(data any, rv reflect.Value) error {
+	// Special case. Look for a `Primitive` value.
+	// TODO: #76 would make this superfluous after implemented.
+	if rv.Type() == primitiveType {
+		// Save the undecoded data and the key context into the primitive
+		// value.
+		context := make(Key, len(md.context))
+		copy(context, md.context)
+		rv.Set(reflect.ValueOf(Primitive{
+			undecoded: data,
+			context:   context,
+		}))
+		return nil
+	}
+
+	rvi := rv.Interface()
+	if v, ok := rvi.(Unmarshaler); ok {
+		err := v.UnmarshalTOML(data)
+		if err != nil {
+			return md.parseErr(err)
+		}
+		// Assume the Unmarshaler decoded everything, so mark all keys under
+		// this table as decoded.
+		if tmap, ok := data.(map[string]any); ok {
+			markDecodedRecursive(md, tmap)
+		}
+		if aot, ok := data.([]map[string]any); ok {
+			for _, tmap := range aot {
+				markDecodedRecursive(md, tmap)
+			}
+		}
+		return nil
+	}
+	if v, ok := rvi.(encoding.TextUnmarshaler); ok {
+		return md.unifyText(data, v)
+	}
+
+	// TODO:
+	// The behavior here is incorrect whenever a Go type satisfies the
+	// encoding.TextUnmarshaler interface but also corresponds to a TOML hash or
+	// array. In particular, the unmarshaler should only be applied to primitive
+	// TOML values. But at this point, it will be applied to all kinds of values
+	// and produce an incorrect error whenever those values are hashes or arrays
+	// (including arrays of tables).
+
+	k := rv.Kind()
+
+	if k >= reflect.Int && k <= reflect.Uint64 {
+		return md.unifyInt(data, rv)
+	}
+	switch k {
+	case reflect.Struct:
+		return md.unifyStruct(data, rv)
+	case reflect.Map:
+		return md.unifyMap(data, rv)
+	case reflect.Array:
+		return md.unifyArray(data, rv)
+	case reflect.Slice:
+		return md.unifySlice(data, rv)
+	case reflect.String:
+		return md.unifyString(data, rv)
+	case reflect.Bool:
+		return md.unifyBool(data, rv)
+	case reflect.Interface:
+		if rv.NumMethod() > 0 { /// Only empty interfaces are supported.
+			return md.e("unsupported type %s", rv.Type())
+		}
+		return md.unifyAnything(data, rv)
+	case reflect.Float32, reflect.Float64:
+		return md.unifyFloat64(data, rv)
+	}
+	return md.e("unsupported type %s", rv.Kind())
+}
+
+func (md *MetaData) unifyStruct(mapping any, rv reflect.Value) error {
+	tmap, ok := mapping.(map[string]any)
+	if !ok {
+		if mapping == nil {
+			return nil
+		}
+		return md.e("type mismatch for %s: expected table but found %s", rv.Type().String(), fmtType(mapping))
+	}
+
+	for key, datum := range tmap {
+		var f *field
+		fields := cachedTypeFields(rv.Type())
+		for i := range fields {
+			ff := &fields[i]
+			if ff.name == key {
+				f = ff
+				break
+			}
+			if f == nil && strings.EqualFold(ff.name, key) {
+				f = ff
+			}
+		}
+		if f != nil {
+			subv := rv
+			for _, i := range f.index {
+				subv = indirect(subv.Field(i))
+			}
+
+			if isUnifiable(subv) {
+				md.decoded[md.context.add(key).String()] = struct{}{}
+				md.context = append(md.context, key)
+
+				err := md.unify(datum, subv)
+				if err != nil {
+					return err
+				}
+				md.context = md.context[0 : len(md.context)-1]
+			} else if f.name != "" {
+				return md.e("cannot write unexported field %s.%s", rv.Type().String(), f.name)
+			}
+		}
+	}
+	return nil
+}
+
+func (md *MetaData) unifyMap(mapping any, rv reflect.Value) error {
+	keyType := rv.Type().Key().Kind()
+	if keyType != reflect.String && keyType != reflect.Interface {
+		return fmt.Errorf("toml: cannot decode to a map with non-string key type (%s in %q)",
+			keyType, rv.Type())
+	}
+
+	tmap, ok := mapping.(map[string]any)
+	if !ok {
+		if tmap == nil {
+			return nil
+		}
+		return md.badtype("map", mapping)
+	}
+	if rv.IsNil() {
+		rv.Set(reflect.MakeMap(rv.Type()))
+	}
+	for k, v := range tmap {
+		md.decoded[md.context.add(k).String()] = struct{}{}
+		md.context = append(md.context, k)
+
+		rvval := reflect.Indirect(reflect.New(rv.Type().Elem()))
+
+		err := md.unify(v, indirect(rvval))
+		if err != nil {
+			return err
+		}
+		md.context = md.context[0 : len(md.context)-1]
+
+		rvkey := indirect(reflect.New(rv.Type().Key()))
+
+		switch keyType {
+		case reflect.Interface:
+			rvkey.Set(reflect.ValueOf(k))
+		case reflect.String:
+			rvkey.SetString(k)
+		}
+
+		rv.SetMapIndex(rvkey, rvval)
+	}
+	return nil
+}
+
+func (md *MetaData) unifyArray(data any, rv reflect.Value) error {
+	datav := reflect.ValueOf(data)
+	if datav.Kind() != reflect.Slice {
+		if !datav.IsValid() {
+			return nil
+		}
+		return md.badtype("slice", data)
+	}
+	if l := datav.Len(); l != rv.Len() {
+		return md.e("expected array length %d; got TOML array of length %d", rv.Len(), l)
+	}
+	return md.unifySliceArray(datav, rv)
+}
+
+func (md *MetaData) unifySlice(data any, rv reflect.Value) error {
+	datav := reflect.ValueOf(data)
+	if datav.Kind() != reflect.Slice {
+		if !datav.IsValid() {
+			return nil
+		}
+		return md.badtype("slice", data)
+	}
+	n := datav.Len()
+	if rv.IsNil() || rv.Cap() < n {
+		rv.Set(reflect.MakeSlice(rv.Type(), n, n))
+	}
+	rv.SetLen(n)
+	return md.unifySliceArray(datav, rv)
+}
+
+func (md *MetaData) unifySliceArray(data, rv reflect.Value) error {
+	l := data.Len()
+	for i := 0; i < l; i++ {
+		err := md.unify(data.Index(i).Interface(), indirect(rv.Index(i)))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (md *MetaData) unifyString(data any, rv reflect.Value) error {
+	_, ok := rv.Interface().(json.Number)
+	if ok {
+		if i, ok := data.(int64); ok {
+			rv.SetString(strconv.FormatInt(i, 10))
+		} else if f, ok := data.(float64); ok {
+			rv.SetString(strconv.FormatFloat(f, 'f', -1, 64))
+		} else {
+			return md.badtype("string", data)
+		}
+		return nil
+	}
+
+	if s, ok := data.(string); ok {
+		rv.SetString(s)
+		return nil
+	}
+	return md.badtype("string", data)
+}
+
+func (md *MetaData) unifyFloat64(data any, rv reflect.Value) error {
+	rvk := rv.Kind()
+
+	if num, ok := data.(float64); ok {
+		switch rvk {
+		case reflect.Float32:
+			if num < -math.MaxFloat32 || num > math.MaxFloat32 {
+				return md.parseErr(errParseRange{i: num, size: rvk.String()})
+			}
+			fallthrough
+		case reflect.Float64:
+			rv.SetFloat(num)
+		default:
+			panic("bug")
+		}
+		return nil
+	}
+
+	if num, ok := data.(int64); ok {
+		if (rvk == reflect.Float32 && (num < -maxSafeFloat32Int || num > maxSafeFloat32Int)) ||
+			(rvk == reflect.Float64 && (num < -maxSafeFloat64Int || num > maxSafeFloat64Int)) {
+			return md.parseErr(errUnsafeFloat{i: num, size: rvk.String()})
+		}
+		rv.SetFloat(float64(num))
+		return nil
+	}
+
+	return md.badtype("float", data)
+}
+
+func (md *MetaData) unifyInt(data any, rv reflect.Value) error {
+	_, ok := rv.Interface().(time.Duration)
+	if ok {
+		// Parse as string duration, and fall back to regular integer parsing
+		// (as nanosecond) if this is not a string.
+		if s, ok := data.(string); ok {
+			dur, err := time.ParseDuration(s)
+			if err != nil {
+				return md.parseErr(errParseDuration{s})
+			}
+			rv.SetInt(int64(dur))
+			return nil
+		}
+	}
+
+	num, ok := data.(int64)
+	if !ok {
+		return md.badtype("integer", data)
+	}
+
+	rvk := rv.Kind()
+	switch {
+	case rvk >= reflect.Int && rvk <= reflect.Int64:
+		if (rvk == reflect.Int8 && (num < math.MinInt8 || num > math.MaxInt8)) ||
+			(rvk == reflect.Int16 && (num < math.MinInt16 || num > math.MaxInt16)) ||
+			(rvk == reflect.Int32 && (num < math.MinInt32 || num > math.MaxInt32)) {
+			return md.parseErr(errParseRange{i: num, size: rvk.String()})
+		}
+		rv.SetInt(num)
+	case rvk >= reflect.Uint && rvk <= reflect.Uint64:
+		unum := uint64(num)
+		if rvk == reflect.Uint8 && (num < 0 || unum > math.MaxUint8) ||
+			rvk == reflect.Uint16 && (num < 0 || unum > math.MaxUint16) ||
+			rvk == reflect.Uint32 && (num < 0 || unum > math.MaxUint32) {
+			return md.parseErr(errParseRange{i: num, size: rvk.String()})
+		}
+		rv.SetUint(unum)
+	default:
+		panic("unreachable")
+	}
+	return nil
+}
+
+func (md *MetaData) unifyBool(data any, rv reflect.Value) error {
+	if b, ok := data.(bool); ok {
+		rv.SetBool(b)
+		return nil
+	}
+	return md.badtype("boolean", data)
+}
+
+func (md *MetaData) unifyAnything(data any, rv reflect.Value) error {
+	rv.Set(reflect.ValueOf(data))
+	return nil
+}
+
+func (md *MetaData) unifyText(data any, v encoding.TextUnmarshaler) error {
+	var s string
+	switch sdata := data.(type) {
+	case Marshaler:
+		text, err := sdata.MarshalTOML()
+		if err != nil {
+			return err
+		}
+		s = string(text)
+	case encoding.TextMarshaler:
+		text, err := sdata.MarshalText()
+		if err != nil {
+			return err
+		}
+		s = string(text)
+	case fmt.Stringer:
+		s = sdata.String()
+	case string:
+		s = sdata
+	case bool:
+		s = fmt.Sprintf("%v", sdata)
+	case int64:
+		s = fmt.Sprintf("%d", sdata)
+	case float64:
+		s = fmt.Sprintf("%f", sdata)
+	default:
+		return md.badtype("primitive (string-like)", data)
+	}
+	if err := v.UnmarshalText([]byte(s)); err != nil {
+		return md.parseErr(err)
+	}
+	return nil
+}
+
+func (md *MetaData) badtype(dst string, data any) error {
+	return md.e("incompatible types: TOML value has type %s; destination has type %s", fmtType(data), dst)
+}
+
+func (md *MetaData) parseErr(err error) error {
+	k := md.context.String()
+	d := string(md.data)
+	return ParseError{
+		Message:  err.Error(),
+		err:      err,
+		LastKey:  k,
+		Position: md.keyInfo[k].pos.withCol(d),
+		Line:     md.keyInfo[k].pos.Line,
+		input:    d,
+	}
+}
+
+func (md *MetaData) e(format string, args ...any) error {
+	f := "toml: "
+	if len(md.context) > 0 {
+		f = fmt.Sprintf("toml: (last key %q): ", md.context)
+		p := md.keyInfo[md.context.String()].pos
+		if p.Line > 0 {
+			f = fmt.Sprintf("toml: line %d (last key %q): ", p.Line, md.context)
+		}
+	}
+	return fmt.Errorf(f+format, args...)
+}
+
+// rvalue returns a reflect.Value of `v`. All pointers are resolved.
+func rvalue(v any) reflect.Value {
+	return indirect(reflect.ValueOf(v))
+}
+
+// indirect returns the value pointed to by a pointer.
+//
+// Pointers are followed until the value is not a pointer. New values are
+// allocated for each nil pointer.
+//
+// An exception to this rule is if the value satisfies an interface of interest
+// to us (like encoding.TextUnmarshaler).
+func indirect(v reflect.Value) reflect.Value {
+	if v.Kind() != reflect.Ptr {
+		if v.CanSet() {
+			pv := v.Addr()
+			pvi := pv.Interface()
+			if _, ok := pvi.(encoding.TextUnmarshaler); ok {
+				return pv
+			}
+			if _, ok := pvi.(Unmarshaler); ok {
+				return pv
+			}
+		}
+		return v
+	}
+	if v.IsNil() {
+		v.Set(reflect.New(v.Type().Elem()))
+	}
+	return indirect(reflect.Indirect(v))
+}
+
+func isUnifiable(rv reflect.Value) bool {
+	if rv.CanSet() {
+		return true
+	}
+	rvi := rv.Interface()
+	if _, ok := rvi.(encoding.TextUnmarshaler); ok {
+		return true
+	}
+	if _, ok := rvi.(Unmarshaler); ok {
+		return true
+	}
+	return false
+}
+
+// fmt %T with "interface {}" replaced with "any", which is far more readable.
+func fmtType(t any) string {
+	return strings.ReplaceAll(fmt.Sprintf("%T", t), "interface {}", "any")
+}
diff --git a/vendor/github.com/BurntSushi/toml/deprecated.go b/vendor/github.com/BurntSushi/toml/deprecated.go
new file mode 100644
index 0000000000..155709a80b
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/deprecated.go
@@ -0,0 +1,29 @@
+package toml
+
+import (
+	"encoding"
+	"io"
+)
+
+// TextMarshaler is an alias for encoding.TextMarshaler.
+//
+// Deprecated: use encoding.TextMarshaler
+type TextMarshaler encoding.TextMarshaler
+
+// TextUnmarshaler is an alias for encoding.TextUnmarshaler.
+//
+// Deprecated: use encoding.TextUnmarshaler
+type TextUnmarshaler encoding.TextUnmarshaler
+
+// DecodeReader is an alias for NewDecoder(r).Decode(v).
+//
+// Deprecated: use NewDecoder(reader).Decode(&value).
+func DecodeReader(r io.Reader, v any) (MetaData, error) { return NewDecoder(r).Decode(v) }
+
+// PrimitiveDecode is an alias for MetaData.PrimitiveDecode().
+//
+// Deprecated: use MetaData.PrimitiveDecode.
+func PrimitiveDecode(primValue Primitive, v any) error {
+	md := MetaData{decoded: make(map[string]struct{})}
+	return md.unify(primValue.undecoded, rvalue(v))
+}
diff --git a/vendor/github.com/BurntSushi/toml/doc.go b/vendor/github.com/BurntSushi/toml/doc.go
new file mode 100644
index 0000000000..82c90a9057
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/doc.go
@@ -0,0 +1,8 @@
+// Package toml implements decoding and encoding of TOML files.
+//
+// This package supports TOML v1.0.0, as specified at https://toml.io
+//
+// The github.com/BurntSushi/toml/cmd/tomlv package implements a TOML validator,
+// and can be used to verify if TOML document is valid. It can also be used to
+// print the type of each key.
+package toml
diff --git a/vendor/github.com/BurntSushi/toml/encode.go b/vendor/github.com/BurntSushi/toml/encode.go
new file mode 100644
index 0000000000..ac196e7df8
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/encode.go
@@ -0,0 +1,776 @@
+package toml
+
+import (
+	"bufio"
+	"bytes"
+	"encoding"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"math"
+	"reflect"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/BurntSushi/toml/internal"
+)
+
+type tomlEncodeError struct{ error }
+
+var (
+	errArrayNilElement = errors.New("toml: cannot encode array with nil element")
+	errNonString       = errors.New("toml: cannot encode a map with non-string key type")
+	errNoKey           = errors.New("toml: top-level values must be Go maps or structs")
+	errAnything        = errors.New("") // used in testing
+)
+
+var dblQuotedReplacer = strings.NewReplacer(
+	"\"", "\\\"",
+	"\\", "\\\\",
+	"\x00", `\u0000`,
+	"\x01", `\u0001`,
+	"\x02", `\u0002`,
+	"\x03", `\u0003`,
+	"\x04", `\u0004`,
+	"\x05", `\u0005`,
+	"\x06", `\u0006`,
+	"\x07", `\u0007`,
+	"\b", `\b`,
+	"\t", `\t`,
+	"\n", `\n`,
+	"\x0b", `\u000b`,
+	"\f", `\f`,
+	"\r", `\r`,
+	"\x0e", `\u000e`,
+	"\x0f", `\u000f`,
+	"\x10", `\u0010`,
+	"\x11", `\u0011`,
+	"\x12", `\u0012`,
+	"\x13", `\u0013`,
+	"\x14", `\u0014`,
+	"\x15", `\u0015`,
+	"\x16", `\u0016`,
+	"\x17", `\u0017`,
+	"\x18", `\u0018`,
+	"\x19", `\u0019`,
+	"\x1a", `\u001a`,
+	"\x1b", `\u001b`,
+	"\x1c", `\u001c`,
+	"\x1d", `\u001d`,
+	"\x1e", `\u001e`,
+	"\x1f", `\u001f`,
+	"\x7f", `\u007f`,
+)
+
+var (
+	marshalToml = reflect.TypeOf((*Marshaler)(nil)).Elem()
+	marshalText = reflect.TypeOf((*encoding.TextMarshaler)(nil)).Elem()
+	timeType    = reflect.TypeOf((*time.Time)(nil)).Elem()
+)
+
+// Marshaler is the interface implemented by types that can marshal themselves
+// into valid TOML.
+type Marshaler interface {
+	MarshalTOML() ([]byte, error)
+}
+
+// Marshal returns a TOML representation of the Go value.
+//
+// See [Encoder] for a description of the encoding process.
+func Marshal(v any) ([]byte, error) {
+	buff := new(bytes.Buffer)
+	if err := NewEncoder(buff).Encode(v); err != nil {
+		return nil, err
+	}
+	return buff.Bytes(), nil
+}
+
+// Encoder encodes a Go to a TOML document.
+//
+// The mapping between Go values and TOML values should be precisely the same as
+// for [Decode].
+//
+// time.Time is encoded as a RFC 3339 string, and time.Duration as its string
+// representation.
+//
+// The [Marshaler] and [encoding.TextMarshaler] interfaces are supported to
+// encoding the value as custom TOML.
+//
+// If you want to write arbitrary binary data then you will need to use
+// something like base64 since TOML does not have any binary types.
+//
+// When encoding TOML hashes (Go maps or structs), keys without any sub-hashes
+// are encoded first.
+//
+// Go maps will be sorted alphabetically by key for deterministic output.
+//
+// The toml struct tag can be used to provide the key name; if omitted the
+// struct field name will be used. If the "omitempty" option is present the
+// following value will be skipped:
+//
+//   - arrays, slices, maps, and string with len of 0
+//   - struct with all zero values
+//   - bool false
+//
+// If omitzero is given all int and float types with a value of 0 will be
+// skipped.
+//
+// Encoding Go values without a corresponding TOML representation will return an
+// error. Examples of this includes maps with non-string keys, slices with nil
+// elements, embedded non-struct types, and nested slices containing maps or
+// structs. (e.g. [][]map[string]string is not allowed but []map[string]string
+// is okay, as is []map[string][]string).
+//
+// NOTE: only exported keys are encoded due to the use of reflection. Unexported
+// keys are silently discarded.
+type Encoder struct {
+	Indent     string // string for a single indentation level; default is two spaces.
+	hasWritten bool   // written any output to w yet?
+	w          *bufio.Writer
+}
+
+// NewEncoder create a new Encoder.
+func NewEncoder(w io.Writer) *Encoder {
+	return &Encoder{w: bufio.NewWriter(w), Indent: "  "}
+}
+
+// Encode writes a TOML representation of the Go value to the [Encoder]'s writer.
+//
+// An error is returned if the value given cannot be encoded to a valid TOML
+// document.
+func (enc *Encoder) Encode(v any) error {
+	rv := eindirect(reflect.ValueOf(v))
+	err := enc.safeEncode(Key([]string{}), rv)
+	if err != nil {
+		return err
+	}
+	return enc.w.Flush()
+}
+
+func (enc *Encoder) safeEncode(key Key, rv reflect.Value) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			if terr, ok := r.(tomlEncodeError); ok {
+				err = terr.error
+				return
+			}
+			panic(r)
+		}
+	}()
+	enc.encode(key, rv)
+	return nil
+}
+
+func (enc *Encoder) encode(key Key, rv reflect.Value) {
+	// If we can marshal the type to text, then we use that. This prevents the
+	// encoder for handling these types as generic structs (or whatever the
+	// underlying type of a TextMarshaler is).
+	switch {
+	case isMarshaler(rv):
+		enc.writeKeyValue(key, rv, false)
+		return
+	case rv.Type() == primitiveType: // TODO: #76 would make this superfluous after implemented.
+		enc.encode(key, reflect.ValueOf(rv.Interface().(Primitive).undecoded))
+		return
+	}
+
+	k := rv.Kind()
+	switch k {
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32,
+		reflect.Int64,
+		reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32,
+		reflect.Uint64,
+		reflect.Float32, reflect.Float64, reflect.String, reflect.Bool:
+		enc.writeKeyValue(key, rv, false)
+	case reflect.Array, reflect.Slice:
+		if typeEqual(tomlArrayHash, tomlTypeOfGo(rv)) {
+			enc.eArrayOfTables(key, rv)
+		} else {
+			enc.writeKeyValue(key, rv, false)
+		}
+	case reflect.Interface:
+		if rv.IsNil() {
+			return
+		}
+		enc.encode(key, rv.Elem())
+	case reflect.Map:
+		if rv.IsNil() {
+			return
+		}
+		enc.eTable(key, rv)
+	case reflect.Ptr:
+		if rv.IsNil() {
+			return
+		}
+		enc.encode(key, rv.Elem())
+	case reflect.Struct:
+		enc.eTable(key, rv)
+	default:
+		encPanic(fmt.Errorf("unsupported type for key '%s': %s", key, k))
+	}
+}
+
+// eElement encodes any value that can be an array element.
+func (enc *Encoder) eElement(rv reflect.Value) {
+	switch v := rv.Interface().(type) {
+	case time.Time: // Using TextMarshaler adds extra quotes, which we don't want.
+		format := time.RFC3339Nano
+		switch v.Location() {
+		case internal.LocalDatetime:
+			format = "2006-01-02T15:04:05.999999999"
+		case internal.LocalDate:
+			format = "2006-01-02"
+		case internal.LocalTime:
+			format = "15:04:05.999999999"
+		}
+		switch v.Location() {
+		default:
+			enc.wf(v.Format(format))
+		case internal.LocalDatetime, internal.LocalDate, internal.LocalTime:
+			enc.wf(v.In(time.UTC).Format(format))
+		}
+		return
+	case Marshaler:
+		s, err := v.MarshalTOML()
+		if err != nil {
+			encPanic(err)
+		}
+		if s == nil {
+			encPanic(errors.New("MarshalTOML returned nil and no error"))
+		}
+		enc.w.Write(s)
+		return
+	case encoding.TextMarshaler:
+		s, err := v.MarshalText()
+		if err != nil {
+			encPanic(err)
+		}
+		if s == nil {
+			encPanic(errors.New("MarshalText returned nil and no error"))
+		}
+		enc.writeQuoted(string(s))
+		return
+	case time.Duration:
+		enc.writeQuoted(v.String())
+		return
+	case json.Number:
+		n, _ := rv.Interface().(json.Number)
+
+		if n == "" { /// Useful zero value.
+			enc.w.WriteByte('0')
+			return
+		} else if v, err := n.Int64(); err == nil {
+			enc.eElement(reflect.ValueOf(v))
+			return
+		} else if v, err := n.Float64(); err == nil {
+			enc.eElement(reflect.ValueOf(v))
+			return
+		}
+		encPanic(fmt.Errorf("unable to convert %q to int64 or float64", n))
+	}
+
+	switch rv.Kind() {
+	case reflect.Ptr:
+		enc.eElement(rv.Elem())
+		return
+	case reflect.String:
+		enc.writeQuoted(rv.String())
+	case reflect.Bool:
+		enc.wf(strconv.FormatBool(rv.Bool()))
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		enc.wf(strconv.FormatInt(rv.Int(), 10))
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		enc.wf(strconv.FormatUint(rv.Uint(), 10))
+	case reflect.Float32:
+		f := rv.Float()
+		if math.IsNaN(f) {
+			if math.Signbit(f) {
+				enc.wf("-")
+			}
+			enc.wf("nan")
+		} else if math.IsInf(f, 0) {
+			if math.Signbit(f) {
+				enc.wf("-")
+			}
+			enc.wf("inf")
+		} else {
+			enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 32)))
+		}
+	case reflect.Float64:
+		f := rv.Float()
+		if math.IsNaN(f) {
+			if math.Signbit(f) {
+				enc.wf("-")
+			}
+			enc.wf("nan")
+		} else if math.IsInf(f, 0) {
+			if math.Signbit(f) {
+				enc.wf("-")
+			}
+			enc.wf("inf")
+		} else {
+			enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 64)))
+		}
+	case reflect.Array, reflect.Slice:
+		enc.eArrayOrSliceElement(rv)
+	case reflect.Struct:
+		enc.eStruct(nil, rv, true)
+	case reflect.Map:
+		enc.eMap(nil, rv, true)
+	case reflect.Interface:
+		enc.eElement(rv.Elem())
+	default:
+		encPanic(fmt.Errorf("unexpected type: %s", fmtType(rv.Interface())))
+	}
+}
+
+// By the TOML spec, all floats must have a decimal with at least one number on
+// either side.
+func floatAddDecimal(fstr string) string {
+	if !strings.Contains(fstr, ".") {
+		return fstr + ".0"
+	}
+	return fstr
+}
+
+func (enc *Encoder) writeQuoted(s string) {
+	enc.wf("\"%s\"", dblQuotedReplacer.Replace(s))
+}
+
+func (enc *Encoder) eArrayOrSliceElement(rv reflect.Value) {
+	length := rv.Len()
+	enc.wf("[")
+	for i := 0; i < length; i++ {
+		elem := eindirect(rv.Index(i))
+		enc.eElement(elem)
+		if i != length-1 {
+			enc.wf(", ")
+		}
+	}
+	enc.wf("]")
+}
+
+func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {
+	if len(key) == 0 {
+		encPanic(errNoKey)
+	}
+	for i := 0; i < rv.Len(); i++ {
+		trv := eindirect(rv.Index(i))
+		if isNil(trv) {
+			continue
+		}
+		enc.newline()
+		enc.wf("%s[[%s]]", enc.indentStr(key), key)
+		enc.newline()
+		enc.eMapOrStruct(key, trv, false)
+	}
+}
+
+func (enc *Encoder) eTable(key Key, rv reflect.Value) {
+	if len(key) == 1 {
+		// Output an extra newline between top-level tables.
+		// (The newline isn't written if nothing else has been written though.)
+		enc.newline()
+	}
+	if len(key) > 0 {
+		enc.wf("%s[%s]", enc.indentStr(key), key)
+		enc.newline()
+	}
+	enc.eMapOrStruct(key, rv, false)
+}
+
+func (enc *Encoder) eMapOrStruct(key Key, rv reflect.Value, inline bool) {
+	switch rv.Kind() {
+	case reflect.Map:
+		enc.eMap(key, rv, inline)
+	case reflect.Struct:
+		enc.eStruct(key, rv, inline)
+	default:
+		// Should never happen?
+		panic("eTable: unhandled reflect.Value Kind: " + rv.Kind().String())
+	}
+}
+
+func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
+	rt := rv.Type()
+	if rt.Key().Kind() != reflect.String {
+		encPanic(errNonString)
+	}
+
+	// Sort keys so that we have deterministic output. And write keys directly
+	// underneath this key first, before writing sub-structs or sub-maps.
+	var mapKeysDirect, mapKeysSub []reflect.Value
+	for _, mapKey := range rv.MapKeys() {
+		if typeIsTable(tomlTypeOfGo(eindirect(rv.MapIndex(mapKey)))) {
+			mapKeysSub = append(mapKeysSub, mapKey)
+		} else {
+			mapKeysDirect = append(mapKeysDirect, mapKey)
+		}
+	}
+
+	writeMapKeys := func(mapKeys []reflect.Value, trailC bool) {
+		sort.Slice(mapKeys, func(i, j int) bool { return mapKeys[i].String() < mapKeys[j].String() })
+		for i, mapKey := range mapKeys {
+			val := eindirect(rv.MapIndex(mapKey))
+			if isNil(val) {
+				continue
+			}
+
+			if inline {
+				enc.writeKeyValue(Key{mapKey.String()}, val, true)
+				if trailC || i != len(mapKeys)-1 {
+					enc.wf(", ")
+				}
+			} else {
+				enc.encode(key.add(mapKey.String()), val)
+			}
+		}
+	}
+
+	if inline {
+		enc.wf("{")
+	}
+	writeMapKeys(mapKeysDirect, len(mapKeysSub) > 0)
+	writeMapKeys(mapKeysSub, false)
+	if inline {
+		enc.wf("}")
+	}
+}
+
+func pointerTo(t reflect.Type) reflect.Type {
+	if t.Kind() == reflect.Ptr {
+		return pointerTo(t.Elem())
+	}
+	return t
+}
+
+func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
+	// Write keys for fields directly under this key first, because if we write
+	// a field that creates a new table then all keys under it will be in that
+	// table (not the one we're writing here).
+	//
+	// Fields is a [][]int: for fieldsDirect this always has one entry (the
+	// struct index). For fieldsSub it contains two entries: the parent field
+	// index from tv, and the field indexes for the fields of the sub.
+	var (
+		rt                      = rv.Type()
+		fieldsDirect, fieldsSub [][]int
+		addFields               func(rt reflect.Type, rv reflect.Value, start []int)
+	)
+	addFields = func(rt reflect.Type, rv reflect.Value, start []int) {
+		for i := 0; i < rt.NumField(); i++ {
+			f := rt.Field(i)
+			isEmbed := f.Anonymous && pointerTo(f.Type).Kind() == reflect.Struct
+			if f.PkgPath != "" && !isEmbed { /// Skip unexported fields.
+				continue
+			}
+			opts := getOptions(f.Tag)
+			if opts.skip {
+				continue
+			}
+
+			frv := eindirect(rv.Field(i))
+
+			// Need to make a copy because ... ehm, I don't know why... I guess
+			// allocating a new array can cause it to fail(?)
+			//
+			// Done for: https://github.com/BurntSushi/toml/issues/430
+			// Previously only on 32bit for: https://github.com/BurntSushi/toml/issues/314
+			copyStart := make([]int, len(start))
+			copy(copyStart, start)
+			start = copyStart
+
+			// Treat anonymous struct fields with tag names as though they are
+			// not anonymous, like encoding/json does.
+			//
+			// Non-struct anonymous fields use the normal encoding logic.
+			if isEmbed {
+				if getOptions(f.Tag).name == "" && frv.Kind() == reflect.Struct {
+					addFields(frv.Type(), frv, append(start, f.Index...))
+					continue
+				}
+			}
+
+			if typeIsTable(tomlTypeOfGo(frv)) {
+				fieldsSub = append(fieldsSub, append(start, f.Index...))
+			} else {
+				fieldsDirect = append(fieldsDirect, append(start, f.Index...))
+			}
+		}
+	}
+	addFields(rt, rv, nil)
+
+	writeFields := func(fields [][]int, totalFields int) {
+		for _, fieldIndex := range fields {
+			fieldType := rt.FieldByIndex(fieldIndex)
+			fieldVal := rv.FieldByIndex(fieldIndex)
+
+			opts := getOptions(fieldType.Tag)
+			if opts.skip {
+				continue
+			}
+			if opts.omitempty && isEmpty(fieldVal) {
+				continue
+			}
+
+			fieldVal = eindirect(fieldVal)
+
+			if isNil(fieldVal) { /// Don't write anything for nil fields.
+				continue
+			}
+
+			keyName := fieldType.Name
+			if opts.name != "" {
+				keyName = opts.name
+			}
+
+			if opts.omitzero && isZero(fieldVal) {
+				continue
+			}
+
+			if inline {
+				enc.writeKeyValue(Key{keyName}, fieldVal, true)
+				if fieldIndex[0] != totalFields-1 {
+					enc.wf(", ")
+				}
+			} else {
+				enc.encode(key.add(keyName), fieldVal)
+			}
+		}
+	}
+
+	if inline {
+		enc.wf("{")
+	}
+
+	l := len(fieldsDirect) + len(fieldsSub)
+	writeFields(fieldsDirect, l)
+	writeFields(fieldsSub, l)
+	if inline {
+		enc.wf("}")
+	}
+}
+
+// tomlTypeOfGo returns the TOML type name of the Go value's type.
+//
+// It is used to determine whether the types of array elements are mixed (which
+// is forbidden). If the Go value is nil, then it is illegal for it to be an
+// array element, and valueIsNil is returned as true.
+//
+// The type may be `nil`, which means no concrete TOML type could be found.
+func tomlTypeOfGo(rv reflect.Value) tomlType {
+	if isNil(rv) || !rv.IsValid() {
+		return nil
+	}
+
+	if rv.Kind() == reflect.Struct {
+		if rv.Type() == timeType {
+			return tomlDatetime
+		}
+		if isMarshaler(rv) {
+			return tomlString
+		}
+		return tomlHash
+	}
+
+	if isMarshaler(rv) {
+		return tomlString
+	}
+
+	switch rv.Kind() {
+	case reflect.Bool:
+		return tomlBool
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32,
+		reflect.Int64,
+		reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32,
+		reflect.Uint64:
+		return tomlInteger
+	case reflect.Float32, reflect.Float64:
+		return tomlFloat
+	case reflect.Array, reflect.Slice:
+		if isTableArray(rv) {
+			return tomlArrayHash
+		}
+		return tomlArray
+	case reflect.Ptr, reflect.Interface:
+		return tomlTypeOfGo(rv.Elem())
+	case reflect.String:
+		return tomlString
+	case reflect.Map:
+		return tomlHash
+	default:
+		encPanic(errors.New("unsupported type: " + rv.Kind().String()))
+		panic("unreachable")
+	}
+}
+
+func isMarshaler(rv reflect.Value) bool {
+	return rv.Type().Implements(marshalText) || rv.Type().Implements(marshalToml)
+}
+
+// isTableArray reports if all entries in the array or slice are a table.
+func isTableArray(arr reflect.Value) bool {
+	if isNil(arr) || !arr.IsValid() || arr.Len() == 0 {
+		return false
+	}
+
+	ret := true
+	for i := 0; i < arr.Len(); i++ {
+		tt := tomlTypeOfGo(eindirect(arr.Index(i)))
+		// Don't allow nil.
+		if tt == nil {
+			encPanic(errArrayNilElement)
+		}
+
+		if ret && !typeEqual(tomlHash, tt) {
+			ret = false
+		}
+	}
+	return ret
+}
+
+type tagOptions struct {
+	skip      bool // "-"
+	name      string
+	omitempty bool
+	omitzero  bool
+}
+
+func getOptions(tag reflect.StructTag) tagOptions {
+	t := tag.Get("toml")
+	if t == "-" {
+		return tagOptions{skip: true}
+	}
+	var opts tagOptions
+	parts := strings.Split(t, ",")
+	opts.name = parts[0]
+	for _, s := range parts[1:] {
+		switch s {
+		case "omitempty":
+			opts.omitempty = true
+		case "omitzero":
+			opts.omitzero = true
+		}
+	}
+	return opts
+}
+
+func isZero(rv reflect.Value) bool {
+	switch rv.Kind() {
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return rv.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return rv.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return rv.Float() == 0.0
+	}
+	return false
+}
+
+func isEmpty(rv reflect.Value) bool {
+	switch rv.Kind() {
+	case reflect.Array, reflect.Slice, reflect.Map, reflect.String:
+		return rv.Len() == 0
+	case reflect.Struct:
+		if rv.Type().Comparable() {
+			return reflect.Zero(rv.Type()).Interface() == rv.Interface()
+		}
+		// Need to also check if all the fields are empty, otherwise something
+		// like this with uncomparable types will always return true:
+		//
+		//   type a struct{ field b }
+		//   type b struct{ s []string }
+		//   s := a{field: b{s: []string{"AAA"}}}
+		for i := 0; i < rv.NumField(); i++ {
+			if !isEmpty(rv.Field(i)) {
+				return false
+			}
+		}
+		return true
+	case reflect.Bool:
+		return !rv.Bool()
+	case reflect.Ptr:
+		return rv.IsNil()
+	}
+	return false
+}
+
+func (enc *Encoder) newline() {
+	if enc.hasWritten {
+		enc.wf("\n")
+	}
+}
+
+// Write a key/value pair:
+//
+//	key = <any value>
+//
+// This is also used for "k = v" in inline tables; so something like this will
+// be written in three calls:
+//
+//	┌───────────────────�
+//	│      ┌───�  ┌────�│
+//	v      v   v  v    vv
+//	key = {k = 1, k2 = 2}
+func (enc *Encoder) writeKeyValue(key Key, val reflect.Value, inline bool) {
+	/// Marshaler used on top-level document; call eElement() to just call
+	/// Marshal{TOML,Text}.
+	if len(key) == 0 {
+		enc.eElement(val)
+		return
+	}
+	enc.wf("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1))
+	enc.eElement(val)
+	if !inline {
+		enc.newline()
+	}
+}
+
+func (enc *Encoder) wf(format string, v ...any) {
+	_, err := fmt.Fprintf(enc.w, format, v...)
+	if err != nil {
+		encPanic(err)
+	}
+	enc.hasWritten = true
+}
+
+func (enc *Encoder) indentStr(key Key) string {
+	return strings.Repeat(enc.Indent, len(key)-1)
+}
+
+func encPanic(err error) {
+	panic(tomlEncodeError{err})
+}
+
+// Resolve any level of pointers to the actual value (e.g. **string → string).
+func eindirect(v reflect.Value) reflect.Value {
+	if v.Kind() != reflect.Ptr && v.Kind() != reflect.Interface {
+		if isMarshaler(v) {
+			return v
+		}
+		if v.CanAddr() { /// Special case for marshalers; see #358.
+			if pv := v.Addr(); isMarshaler(pv) {
+				return pv
+			}
+		}
+		return v
+	}
+
+	if v.IsNil() {
+		return v
+	}
+
+	return eindirect(v.Elem())
+}
+
+func isNil(rv reflect.Value) bool {
+	switch rv.Kind() {
+	case reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:
+		return rv.IsNil()
+	default:
+		return false
+	}
+}
diff --git a/vendor/github.com/BurntSushi/toml/error.go b/vendor/github.com/BurntSushi/toml/error.go
new file mode 100644
index 0000000000..b7077d3ae3
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/error.go
@@ -0,0 +1,347 @@
+package toml
+
+import (
+	"fmt"
+	"strings"
+)
+
+// ParseError is returned when there is an error parsing the TOML syntax such as
+// invalid syntax, duplicate keys, etc.
+//
+// In addition to the error message itself, you can also print detailed location
+// information with context by using [ErrorWithPosition]:
+//
+//	toml: error: Key 'fruit' was already created and cannot be used as an array.
+//
+//	At line 4, column 2-7:
+//
+//	      2 | fruit = []
+//	      3 |
+//	      4 | [[fruit]] # Not allowed
+//	            ^^^^^
+//
+// [ErrorWithUsage] can be used to print the above with some more detailed usage
+// guidance:
+//
+//	toml: error: newlines not allowed within inline tables
+//
+//	At line 1, column 18:
+//
+//	      1 | x = [{ key = 42 #
+//	                           ^
+//
+//	Error help:
+//
+//	  Inline tables must always be on a single line:
+//
+//	      table = {key = 42, second = 43}
+//
+//	  It is invalid to split them over multiple lines like so:
+//
+//	      # INVALID
+//	      table = {
+//	          key    = 42,
+//	          second = 43
+//	      }
+//
+//	  Use regular for this:
+//
+//	      [table]
+//	      key    = 42
+//	      second = 43
+type ParseError struct {
+	Message  string   // Short technical message.
+	Usage    string   // Longer message with usage guidance; may be blank.
+	Position Position // Position of the error
+	LastKey  string   // Last parsed key, may be blank.
+
+	// Line the error occurred.
+	//
+	// Deprecated: use [Position].
+	Line int
+
+	err   error
+	input string
+}
+
+// Position of an error.
+type Position struct {
+	Line  int // Line number, starting at 1.
+	Col   int // Error column, starting at 1.
+	Start int // Start of error, as byte offset starting at 0.
+	Len   int // Length of the error in bytes.
+}
+
+func (p Position) withCol(tomlFile string) Position {
+	var (
+		pos   int
+		lines = strings.Split(tomlFile, "\n")
+	)
+	for i := range lines {
+		ll := len(lines[i]) + 1 // +1 for the removed newline
+		if pos+ll >= p.Start {
+			p.Col = p.Start - pos + 1
+			if p.Col < 1 { // Should never happen, but just in case.
+				p.Col = 1
+			}
+			break
+		}
+		pos += ll
+	}
+	return p
+}
+
+func (pe ParseError) Error() string {
+	if pe.LastKey == "" {
+		return fmt.Sprintf("toml: line %d: %s", pe.Position.Line, pe.Message)
+	}
+	return fmt.Sprintf("toml: line %d (last key %q): %s",
+		pe.Position.Line, pe.LastKey, pe.Message)
+}
+
+// ErrorWithPosition returns the error with detailed location context.
+//
+// See the documentation on [ParseError].
+func (pe ParseError) ErrorWithPosition() string {
+	if pe.input == "" { // Should never happen, but just in case.
+		return pe.Error()
+	}
+
+	// TODO: don't show control characters as literals? This may not show up
+	// well everywhere.
+
+	var (
+		lines = strings.Split(pe.input, "\n")
+		b     = new(strings.Builder)
+	)
+	if pe.Position.Len == 1 {
+		fmt.Fprintf(b, "toml: error: %s\n\nAt line %d, column %d:\n\n",
+			pe.Message, pe.Position.Line, pe.Position.Col)
+	} else {
+		fmt.Fprintf(b, "toml: error: %s\n\nAt line %d, column %d-%d:\n\n",
+			pe.Message, pe.Position.Line, pe.Position.Col, pe.Position.Col+pe.Position.Len-1)
+	}
+	if pe.Position.Line > 2 {
+		fmt.Fprintf(b, "% 7d | %s\n", pe.Position.Line-2, expandTab(lines[pe.Position.Line-3]))
+	}
+	if pe.Position.Line > 1 {
+		fmt.Fprintf(b, "% 7d | %s\n", pe.Position.Line-1, expandTab(lines[pe.Position.Line-2]))
+	}
+
+	/// Expand tabs, so that the ^^^s are at the correct position, but leave
+	/// "column 10-13" intact. Adjusting this to the visual column would be
+	/// better, but we don't know the tabsize of the user in their editor, which
+	/// can be 8, 4, 2, or something else. We can't know. So leaving it as the
+	/// character index is probably the "most correct".
+	expanded := expandTab(lines[pe.Position.Line-1])
+	diff := len(expanded) - len(lines[pe.Position.Line-1])
+
+	fmt.Fprintf(b, "% 7d | %s\n", pe.Position.Line, expanded)
+	fmt.Fprintf(b, "% 10s%s%s\n", "", strings.Repeat(" ", pe.Position.Col-1+diff), strings.Repeat("^", pe.Position.Len))
+	return b.String()
+}
+
+// ErrorWithUsage returns the error with detailed location context and usage
+// guidance.
+//
+// See the documentation on [ParseError].
+func (pe ParseError) ErrorWithUsage() string {
+	m := pe.ErrorWithPosition()
+	if u, ok := pe.err.(interface{ Usage() string }); ok && u.Usage() != "" {
+		lines := strings.Split(strings.TrimSpace(u.Usage()), "\n")
+		for i := range lines {
+			if lines[i] != "" {
+				lines[i] = "    " + lines[i]
+			}
+		}
+		return m + "Error help:\n\n" + strings.Join(lines, "\n") + "\n"
+	}
+	return m
+}
+
+func expandTab(s string) string {
+	var (
+		b    strings.Builder
+		l    int
+		fill = func(n int) string {
+			b := make([]byte, n)
+			for i := range b {
+				b[i] = ' '
+			}
+			return string(b)
+		}
+	)
+	b.Grow(len(s))
+	for _, r := range s {
+		switch r {
+		case '\t':
+			tw := 8 - l%8
+			b.WriteString(fill(tw))
+			l += tw
+		default:
+			b.WriteRune(r)
+			l += 1
+		}
+	}
+	return b.String()
+}
+
+type (
+	errLexControl       struct{ r rune }
+	errLexEscape        struct{ r rune }
+	errLexUTF8          struct{ b byte }
+	errParseDate        struct{ v string }
+	errLexInlineTableNL struct{}
+	errLexStringNL      struct{}
+	errParseRange       struct {
+		i    any    // int or float
+		size string // "int64", "uint16", etc.
+	}
+	errUnsafeFloat struct {
+		i    interface{} // float32 or float64
+		size string      // "float32" or "float64"
+	}
+	errParseDuration struct{ d string }
+)
+
+func (e errLexControl) Error() string {
+	return fmt.Sprintf("TOML files cannot contain control characters: '0x%02x'", e.r)
+}
+func (e errLexControl) Usage() string { return "" }
+
+func (e errLexEscape) Error() string        { return fmt.Sprintf(`invalid escape in string '\%c'`, e.r) }
+func (e errLexEscape) Usage() string        { return usageEscape }
+func (e errLexUTF8) Error() string          { return fmt.Sprintf("invalid UTF-8 byte: 0x%02x", e.b) }
+func (e errLexUTF8) Usage() string          { return "" }
+func (e errParseDate) Error() string        { return fmt.Sprintf("invalid datetime: %q", e.v) }
+func (e errParseDate) Usage() string        { return usageDate }
+func (e errLexInlineTableNL) Error() string { return "newlines not allowed within inline tables" }
+func (e errLexInlineTableNL) Usage() string { return usageInlineNewline }
+func (e errLexStringNL) Error() string      { return "strings cannot contain newlines" }
+func (e errLexStringNL) Usage() string      { return usageStringNewline }
+func (e errParseRange) Error() string       { return fmt.Sprintf("%v is out of range for %s", e.i, e.size) }
+func (e errParseRange) Usage() string       { return usageIntOverflow }
+func (e errUnsafeFloat) Error() string {
+	return fmt.Sprintf("%v is out of the safe %s range", e.i, e.size)
+}
+func (e errUnsafeFloat) Usage() string   { return usageUnsafeFloat }
+func (e errParseDuration) Error() string { return fmt.Sprintf("invalid duration: %q", e.d) }
+func (e errParseDuration) Usage() string { return usageDuration }
+
+const usageEscape = `
+A '\' inside a "-delimited string is interpreted as an escape character.
+
+The following escape sequences are supported:
+\b, \t, \n, \f, \r, \", \\, \uXXXX, and \UXXXXXXXX
+
+To prevent a '\' from being recognized as an escape character, use either:
+
+- a ' or '''-delimited string; escape characters aren't processed in them; or
+- write two backslashes to get a single backslash: '\\'.
+
+If you're trying to add a Windows path (e.g. "C:\Users\martin") then using '/'
+instead of '\' will usually also work: "C:/Users/martin".
+`
+
+const usageInlineNewline = `
+Inline tables must always be on a single line:
+
+    table = {key = 42, second = 43}
+
+It is invalid to split them over multiple lines like so:
+
+    # INVALID
+    table = {
+        key    = 42,
+        second = 43
+    }
+
+Use regular for this:
+
+    [table]
+    key    = 42
+    second = 43
+`
+
+const usageStringNewline = `
+Strings must always be on a single line, and cannot span more than one line:
+
+    # INVALID
+    string = "Hello,
+    world!"
+
+Instead use """ or ''' to split strings over multiple lines:
+
+    string = """Hello,
+    world!"""
+`
+
+const usageIntOverflow = `
+This number is too large; this may be an error in the TOML, but it can also be a
+bug in the program that uses too small of an integer.
+
+The maximum and minimum values are:
+
+    size   │ lowest         │ highest
+    ───────┼────────────────┼──────────────
+    int8   │ -128           │ 127
+    int16  │ -32,768        │ 32,767
+    int32  │ -2,147,483,648 │ 2,147,483,647
+    int64  │ -9.2 × 10¹�    │ 9.2 × 10¹�
+    uint8  │ 0              │ 255
+    uint16 │ 0              │ 65,535
+    uint32 │ 0              │ 4,294,967,295
+    uint64 │ 0              │ 1.8 × 10¹�
+
+int refers to int32 on 32-bit systems and int64 on 64-bit systems.
+`
+
+const usageUnsafeFloat = `
+This number is outside of the "safe" range for floating point numbers; whole
+(non-fractional) numbers outside the below range can not always be represented
+accurately in a float, leading to some loss of accuracy.
+
+Explicitly mark a number as a fractional unit by adding ".0", which will incur
+some loss of accuracy; for example:
+
+	f = 2_000_000_000.0
+
+Accuracy ranges:
+
+	float32 =            16,777,215
+	float64 = 9,007,199,254,740,991
+`
+
+const usageDuration = `
+A duration must be as "number<unit>", without any spaces. Valid units are:
+
+    ns         nanoseconds (billionth of a second)
+    us, µs     microseconds (millionth of a second)
+    ms         milliseconds (thousands of a second)
+    s          seconds
+    m          minutes
+    h          hours
+
+You can combine multiple units; for example "5m10s" for 5 minutes and 10
+seconds.
+`
+
+const usageDate = `
+A TOML datetime must be in one of the following formats:
+
+    2006-01-02T15:04:05Z07:00   Date and time, with timezone.
+    2006-01-02T15:04:05         Date and time, but without timezone.
+    2006-01-02                  Date without a time or timezone.
+    15:04:05                    Just a time, without any timezone.
+
+Seconds may optionally have a fraction, up to nanosecond precision:
+
+    15:04:05.123
+    15:04:05.856018510
+`
+
+// TOML 1.1:
+// The seconds part in times is optional, and may be omitted:
+//     2006-01-02T15:04Z07:00
+//     2006-01-02T15:04
+//     15:04
diff --git a/vendor/github.com/BurntSushi/toml/internal/tz.go b/vendor/github.com/BurntSushi/toml/internal/tz.go
new file mode 100644
index 0000000000..022f15bc2b
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/internal/tz.go
@@ -0,0 +1,36 @@
+package internal
+
+import "time"
+
+// Timezones used for local datetime, date, and time TOML types.
+//
+// The exact way times and dates without a timezone should be interpreted is not
+// well-defined in the TOML specification and left to the implementation. These
+// defaults to current local timezone offset of the computer, but this can be
+// changed by changing these variables before decoding.
+//
+// TODO:
+// Ideally we'd like to offer people the ability to configure the used timezone
+// by setting Decoder.Timezone and Encoder.Timezone; however, this is a bit
+// tricky: the reason we use three different variables for this is to support
+// round-tripping – without these specific TZ names we wouldn't know which
+// format to use.
+//
+// There isn't a good way to encode this right now though, and passing this sort
+// of information also ties in to various related issues such as string format
+// encoding, encoding of comments, etc.
+//
+// So, for the time being, just put this in internal until we can write a good
+// comprehensive API for doing all of this.
+//
+// The reason they're exported is because they're referred from in e.g.
+// internal/tag.
+//
+// Note that this behaviour is valid according to the TOML spec as the exact
+// behaviour is left up to implementations.
+var (
+	localOffset   = func() int { _, o := time.Now().Zone(); return o }()
+	LocalDatetime = time.FixedZone("datetime-local", localOffset)
+	LocalDate     = time.FixedZone("date-local", localOffset)
+	LocalTime     = time.FixedZone("time-local", localOffset)
+)
diff --git a/vendor/github.com/BurntSushi/toml/lex.go b/vendor/github.com/BurntSushi/toml/lex.go
new file mode 100644
index 0000000000..1c3b477029
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/lex.go
@@ -0,0 +1,1272 @@
+package toml
+
+import (
+	"fmt"
+	"reflect"
+	"runtime"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+type itemType int
+
+const (
+	itemError itemType = iota
+	itemNIL            // used in the parser to indicate no type
+	itemEOF
+	itemText
+	itemString
+	itemStringEsc
+	itemRawString
+	itemMultilineString
+	itemRawMultilineString
+	itemBool
+	itemInteger
+	itemFloat
+	itemDatetime
+	itemArray // the start of an array
+	itemArrayEnd
+	itemTableStart
+	itemTableEnd
+	itemArrayTableStart
+	itemArrayTableEnd
+	itemKeyStart
+	itemKeyEnd
+	itemCommentStart
+	itemInlineTableStart
+	itemInlineTableEnd
+)
+
+const eof = 0
+
+type stateFn func(lx *lexer) stateFn
+
+func (p Position) String() string {
+	return fmt.Sprintf("at line %d; start %d; length %d", p.Line, p.Start, p.Len)
+}
+
+type lexer struct {
+	input    string
+	start    int
+	pos      int
+	line     int
+	state    stateFn
+	items    chan item
+	tomlNext bool
+	esc      bool
+
+	// Allow for backing up up to 4 runes. This is necessary because TOML
+	// contains 3-rune tokens (""" and ''').
+	prevWidths [4]int
+	nprev      int  // how many of prevWidths are in use
+	atEOF      bool // If we emit an eof, we can still back up, but it is not OK to call next again.
+
+	// A stack of state functions used to maintain context.
+	//
+	// The idea is to reuse parts of the state machine in various places. For
+	// example, values can appear at the top level or within arbitrarily nested
+	// arrays. The last state on the stack is used after a value has been lexed.
+	// Similarly for comments.
+	stack []stateFn
+}
+
+type item struct {
+	typ itemType
+	val string
+	err error
+	pos Position
+}
+
+func (lx *lexer) nextItem() item {
+	for {
+		select {
+		case item := <-lx.items:
+			return item
+		default:
+			lx.state = lx.state(lx)
+			//fmt.Printf("     STATE %-24s  current: %-10s	stack: %s\n", lx.state, lx.current(), lx.stack)
+		}
+	}
+}
+
+func lex(input string, tomlNext bool) *lexer {
+	lx := &lexer{
+		input:    input,
+		state:    lexTop,
+		items:    make(chan item, 10),
+		stack:    make([]stateFn, 0, 10),
+		line:     1,
+		tomlNext: tomlNext,
+	}
+	return lx
+}
+
+func (lx *lexer) push(state stateFn) {
+	lx.stack = append(lx.stack, state)
+}
+
+func (lx *lexer) pop() stateFn {
+	if len(lx.stack) == 0 {
+		return lx.errorf("BUG in lexer: no states to pop")
+	}
+	last := lx.stack[len(lx.stack)-1]
+	lx.stack = lx.stack[0 : len(lx.stack)-1]
+	return last
+}
+
+func (lx *lexer) current() string {
+	return lx.input[lx.start:lx.pos]
+}
+
+func (lx lexer) getPos() Position {
+	p := Position{
+		Line:  lx.line,
+		Start: lx.start,
+		Len:   lx.pos - lx.start,
+	}
+	if p.Len <= 0 {
+		p.Len = 1
+	}
+	return p
+}
+
+func (lx *lexer) emit(typ itemType) {
+	// Needed for multiline strings ending with an incomplete UTF-8 sequence.
+	if lx.start > lx.pos {
+		lx.error(errLexUTF8{lx.input[lx.pos]})
+		return
+	}
+	lx.items <- item{typ: typ, pos: lx.getPos(), val: lx.current()}
+	lx.start = lx.pos
+}
+
+func (lx *lexer) emitTrim(typ itemType) {
+	lx.items <- item{typ: typ, pos: lx.getPos(), val: strings.TrimSpace(lx.current())}
+	lx.start = lx.pos
+}
+
+func (lx *lexer) next() (r rune) {
+	if lx.atEOF {
+		panic("BUG in lexer: next called after EOF")
+	}
+	if lx.pos >= len(lx.input) {
+		lx.atEOF = true
+		return eof
+	}
+
+	if lx.input[lx.pos] == '\n' {
+		lx.line++
+	}
+	lx.prevWidths[3] = lx.prevWidths[2]
+	lx.prevWidths[2] = lx.prevWidths[1]
+	lx.prevWidths[1] = lx.prevWidths[0]
+	if lx.nprev < 4 {
+		lx.nprev++
+	}
+
+	r, w := utf8.DecodeRuneInString(lx.input[lx.pos:])
+	if r == utf8.RuneError && w == 1 {
+		lx.error(errLexUTF8{lx.input[lx.pos]})
+		return utf8.RuneError
+	}
+
+	// Note: don't use peek() here, as this calls next().
+	if isControl(r) || (r == '\r' && (len(lx.input)-1 == lx.pos || lx.input[lx.pos+1] != '\n')) {
+		lx.errorControlChar(r)
+		return utf8.RuneError
+	}
+
+	lx.prevWidths[0] = w
+	lx.pos += w
+	return r
+}
+
+// ignore skips over the pending input before this point.
+func (lx *lexer) ignore() {
+	lx.start = lx.pos
+}
+
+// backup steps back one rune. Can be called 4 times between calls to next.
+func (lx *lexer) backup() {
+	if lx.atEOF {
+		lx.atEOF = false
+		return
+	}
+	if lx.nprev < 1 {
+		panic("BUG in lexer: backed up too far")
+	}
+	w := lx.prevWidths[0]
+	lx.prevWidths[0] = lx.prevWidths[1]
+	lx.prevWidths[1] = lx.prevWidths[2]
+	lx.prevWidths[2] = lx.prevWidths[3]
+	lx.nprev--
+
+	lx.pos -= w
+	if lx.pos < len(lx.input) && lx.input[lx.pos] == '\n' {
+		lx.line--
+	}
+}
+
+// accept consumes the next rune if it's equal to `valid`.
+func (lx *lexer) accept(valid rune) bool {
+	if lx.next() == valid {
+		return true
+	}
+	lx.backup()
+	return false
+}
+
+// peek returns but does not consume the next rune in the input.
+func (lx *lexer) peek() rune {
+	r := lx.next()
+	lx.backup()
+	return r
+}
+
+// skip ignores all input that matches the given predicate.
+func (lx *lexer) skip(pred func(rune) bool) {
+	for {
+		r := lx.next()
+		if pred(r) {
+			continue
+		}
+		lx.backup()
+		lx.ignore()
+		return
+	}
+}
+
+// error stops all lexing by emitting an error and returning `nil`.
+//
+// Note that any value that is a character is escaped if it's a special
+// character (newlines, tabs, etc.).
+func (lx *lexer) error(err error) stateFn {
+	if lx.atEOF {
+		return lx.errorPrevLine(err)
+	}
+	lx.items <- item{typ: itemError, pos: lx.getPos(), err: err}
+	return nil
+}
+
+// errorfPrevline is like error(), but sets the position to the last column of
+// the previous line.
+//
+// This is so that unexpected EOF or NL errors don't show on a new blank line.
+func (lx *lexer) errorPrevLine(err error) stateFn {
+	pos := lx.getPos()
+	pos.Line--
+	pos.Len = 1
+	pos.Start = lx.pos - 1
+	lx.items <- item{typ: itemError, pos: pos, err: err}
+	return nil
+}
+
+// errorPos is like error(), but allows explicitly setting the position.
+func (lx *lexer) errorPos(start, length int, err error) stateFn {
+	pos := lx.getPos()
+	pos.Start = start
+	pos.Len = length
+	lx.items <- item{typ: itemError, pos: pos, err: err}
+	return nil
+}
+
+// errorf is like error, and creates a new error.
+func (lx *lexer) errorf(format string, values ...any) stateFn {
+	if lx.atEOF {
+		pos := lx.getPos()
+		if lx.pos >= 1 && lx.input[lx.pos-1] == '\n' {
+			pos.Line--
+		}
+		pos.Len = 1
+		pos.Start = lx.pos - 1
+		lx.items <- item{typ: itemError, pos: pos, err: fmt.Errorf(format, values...)}
+		return nil
+	}
+	lx.items <- item{typ: itemError, pos: lx.getPos(), err: fmt.Errorf(format, values...)}
+	return nil
+}
+
+func (lx *lexer) errorControlChar(cc rune) stateFn {
+	return lx.errorPos(lx.pos-1, 1, errLexControl{cc})
+}
+
+// lexTop consumes elements at the top level of TOML data.
+func lexTop(lx *lexer) stateFn {
+	r := lx.next()
+	if isWhitespace(r) || isNL(r) {
+		return lexSkip(lx, lexTop)
+	}
+	switch r {
+	case '#':
+		lx.push(lexTop)
+		return lexCommentStart
+	case '[':
+		return lexTableStart
+	case eof:
+		if lx.pos > lx.start {
+			return lx.errorf("unexpected EOF")
+		}
+		lx.emit(itemEOF)
+		return nil
+	}
+
+	// At this point, the only valid item can be a key, so we back up
+	// and let the key lexer do the rest.
+	lx.backup()
+	lx.push(lexTopEnd)
+	return lexKeyStart
+}
+
+// lexTopEnd is entered whenever a top-level item has been consumed. (A value
+// or a table.) It must see only whitespace, and will turn back to lexTop
+// upon a newline. If it sees EOF, it will quit the lexer successfully.
+func lexTopEnd(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case r == '#':
+		// a comment will read to a newline for us.
+		lx.push(lexTop)
+		return lexCommentStart
+	case isWhitespace(r):
+		return lexTopEnd
+	case isNL(r):
+		lx.ignore()
+		return lexTop
+	case r == eof:
+		lx.emit(itemEOF)
+		return nil
+	}
+	return lx.errorf("expected a top-level item to end with a newline, comment, or EOF, but got %q instead", r)
+}
+
+// lexTable lexes the beginning of a table. Namely, it makes sure that
+// it starts with a character other than '.' and ']'.
+// It assumes that '[' has already been consumed.
+// It also handles the case that this is an item in an array of tables.
+// e.g., '[[name]]'.
+func lexTableStart(lx *lexer) stateFn {
+	if lx.peek() == '[' {
+		lx.next()
+		lx.emit(itemArrayTableStart)
+		lx.push(lexArrayTableEnd)
+	} else {
+		lx.emit(itemTableStart)
+		lx.push(lexTableEnd)
+	}
+	return lexTableNameStart
+}
+
+func lexTableEnd(lx *lexer) stateFn {
+	lx.emit(itemTableEnd)
+	return lexTopEnd
+}
+
+func lexArrayTableEnd(lx *lexer) stateFn {
+	if r := lx.next(); r != ']' {
+		return lx.errorf("expected end of table array name delimiter ']', but got %q instead", r)
+	}
+	lx.emit(itemArrayTableEnd)
+	return lexTopEnd
+}
+
+func lexTableNameStart(lx *lexer) stateFn {
+	lx.skip(isWhitespace)
+	switch r := lx.peek(); {
+	case r == ']' || r == eof:
+		return lx.errorf("unexpected end of table name (table names cannot be empty)")
+	case r == '.':
+		return lx.errorf("unexpected table separator (table names cannot be empty)")
+	case r == '"' || r == '\'':
+		lx.ignore()
+		lx.push(lexTableNameEnd)
+		return lexQuotedName
+	default:
+		lx.push(lexTableNameEnd)
+		return lexBareName
+	}
+}
+
+// lexTableNameEnd reads the end of a piece of a table name, optionally
+// consuming whitespace.
+func lexTableNameEnd(lx *lexer) stateFn {
+	lx.skip(isWhitespace)
+	switch r := lx.next(); {
+	case isWhitespace(r):
+		return lexTableNameEnd
+	case r == '.':
+		lx.ignore()
+		return lexTableNameStart
+	case r == ']':
+		return lx.pop()
+	default:
+		return lx.errorf("expected '.' or ']' to end table name, but got %q instead", r)
+	}
+}
+
+// lexBareName lexes one part of a key or table.
+//
+// It assumes that at least one valid character for the table has already been
+// read.
+//
+// Lexes only one part, e.g. only 'a' inside 'a.b'.
+func lexBareName(lx *lexer) stateFn {
+	r := lx.next()
+	if isBareKeyChar(r, lx.tomlNext) {
+		return lexBareName
+	}
+	lx.backup()
+	lx.emit(itemText)
+	return lx.pop()
+}
+
+// lexBareName lexes one part of a key or table.
+//
+// It assumes that at least one valid character for the table has already been
+// read.
+//
+// Lexes only one part, e.g. only '"a"' inside '"a".b'.
+func lexQuotedName(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case isWhitespace(r):
+		return lexSkip(lx, lexValue)
+	case r == '"':
+		lx.ignore() // ignore the '"'
+		return lexString
+	case r == '\'':
+		lx.ignore() // ignore the "'"
+		return lexRawString
+	case r == eof:
+		return lx.errorf("unexpected EOF; expected value")
+	default:
+		return lx.errorf("expected value but found %q instead", r)
+	}
+}
+
+// lexKeyStart consumes all key parts until a '='.
+func lexKeyStart(lx *lexer) stateFn {
+	lx.skip(isWhitespace)
+	switch r := lx.peek(); {
+	case r == '=' || r == eof:
+		return lx.errorf("unexpected '=': key name appears blank")
+	case r == '.':
+		return lx.errorf("unexpected '.': keys cannot start with a '.'")
+	case r == '"' || r == '\'':
+		lx.ignore()
+		fallthrough
+	default: // Bare key
+		lx.emit(itemKeyStart)
+		return lexKeyNameStart
+	}
+}
+
+func lexKeyNameStart(lx *lexer) stateFn {
+	lx.skip(isWhitespace)
+	switch r := lx.peek(); {
+	case r == '=' || r == eof:
+		return lx.errorf("unexpected '='")
+	case r == '.':
+		return lx.errorf("unexpected '.'")
+	case r == '"' || r == '\'':
+		lx.ignore()
+		lx.push(lexKeyEnd)
+		return lexQuotedName
+	default:
+		lx.push(lexKeyEnd)
+		return lexBareName
+	}
+}
+
+// lexKeyEnd consumes the end of a key and trims whitespace (up to the key
+// separator).
+func lexKeyEnd(lx *lexer) stateFn {
+	lx.skip(isWhitespace)
+	switch r := lx.next(); {
+	case isWhitespace(r):
+		return lexSkip(lx, lexKeyEnd)
+	case r == eof:
+		return lx.errorf("unexpected EOF; expected key separator '='")
+	case r == '.':
+		lx.ignore()
+		return lexKeyNameStart
+	case r == '=':
+		lx.emit(itemKeyEnd)
+		return lexSkip(lx, lexValue)
+	default:
+		if r == '\n' {
+			return lx.errorPrevLine(fmt.Errorf("expected '.' or '=', but got %q instead", r))
+		}
+		return lx.errorf("expected '.' or '=', but got %q instead", r)
+	}
+}
+
+// lexValue starts the consumption of a value anywhere a value is expected.
+// lexValue will ignore whitespace.
+// After a value is lexed, the last state on the next is popped and returned.
+func lexValue(lx *lexer) stateFn {
+	// We allow whitespace to precede a value, but NOT newlines.
+	// In array syntax, the array states are responsible for ignoring newlines.
+	r := lx.next()
+	switch {
+	case isWhitespace(r):
+		return lexSkip(lx, lexValue)
+	case isDigit(r):
+		lx.backup() // avoid an extra state and use the same as above
+		return lexNumberOrDateStart
+	}
+	switch r {
+	case '[':
+		lx.ignore()
+		lx.emit(itemArray)
+		return lexArrayValue
+	case '{':
+		lx.ignore()
+		lx.emit(itemInlineTableStart)
+		return lexInlineTableValue
+	case '"':
+		if lx.accept('"') {
+			if lx.accept('"') {
+				lx.ignore() // Ignore """
+				return lexMultilineString
+			}
+			lx.backup()
+		}
+		lx.ignore() // ignore the '"'
+		return lexString
+	case '\'':
+		if lx.accept('\'') {
+			if lx.accept('\'') {
+				lx.ignore() // Ignore """
+				return lexMultilineRawString
+			}
+			lx.backup()
+		}
+		lx.ignore() // ignore the "'"
+		return lexRawString
+	case '.': // special error case, be kind to users
+		return lx.errorf("floats must start with a digit, not '.'")
+	case 'i', 'n':
+		if (lx.accept('n') && lx.accept('f')) || (lx.accept('a') && lx.accept('n')) {
+			lx.emit(itemFloat)
+			return lx.pop()
+		}
+	case '-', '+':
+		return lexDecimalNumberStart
+	}
+	if unicode.IsLetter(r) {
+		// Be permissive here; lexBool will give a nice error if the
+		// user wrote something like
+		//   x = foo
+		// (i.e. not 'true' or 'false' but is something else word-like.)
+		lx.backup()
+		return lexBool
+	}
+	if r == eof {
+		return lx.errorf("unexpected EOF; expected value")
+	}
+	if r == '\n' {
+		return lx.errorPrevLine(fmt.Errorf("expected value but found %q instead", r))
+	}
+	return lx.errorf("expected value but found %q instead", r)
+}
+
+// lexArrayValue consumes one value in an array. It assumes that '[' or ','
+// have already been consumed. All whitespace and newlines are ignored.
+func lexArrayValue(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case isWhitespace(r) || isNL(r):
+		return lexSkip(lx, lexArrayValue)
+	case r == '#':
+		lx.push(lexArrayValue)
+		return lexCommentStart
+	case r == ',':
+		return lx.errorf("unexpected comma")
+	case r == ']':
+		return lexArrayEnd
+	}
+
+	lx.backup()
+	lx.push(lexArrayValueEnd)
+	return lexValue
+}
+
+// lexArrayValueEnd consumes everything between the end of an array value and
+// the next value (or the end of the array): it ignores whitespace and newlines
+// and expects either a ',' or a ']'.
+func lexArrayValueEnd(lx *lexer) stateFn {
+	switch r := lx.next(); {
+	case isWhitespace(r) || isNL(r):
+		return lexSkip(lx, lexArrayValueEnd)
+	case r == '#':
+		lx.push(lexArrayValueEnd)
+		return lexCommentStart
+	case r == ',':
+		lx.ignore()
+		return lexArrayValue // move on to the next value
+	case r == ']':
+		return lexArrayEnd
+	default:
+		return lx.errorf("expected a comma (',') or array terminator (']'), but got %s", runeOrEOF(r))
+	}
+}
+
+// lexArrayEnd finishes the lexing of an array.
+// It assumes that a ']' has just been consumed.
+func lexArrayEnd(lx *lexer) stateFn {
+	lx.ignore()
+	lx.emit(itemArrayEnd)
+	return lx.pop()
+}
+
+// lexInlineTableValue consumes one key/value pair in an inline table.
+// It assumes that '{' or ',' have already been consumed. Whitespace is ignored.
+func lexInlineTableValue(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case isWhitespace(r):
+		return lexSkip(lx, lexInlineTableValue)
+	case isNL(r):
+		if lx.tomlNext {
+			return lexSkip(lx, lexInlineTableValue)
+		}
+		return lx.errorPrevLine(errLexInlineTableNL{})
+	case r == '#':
+		lx.push(lexInlineTableValue)
+		return lexCommentStart
+	case r == ',':
+		return lx.errorf("unexpected comma")
+	case r == '}':
+		return lexInlineTableEnd
+	}
+	lx.backup()
+	lx.push(lexInlineTableValueEnd)
+	return lexKeyStart
+}
+
+// lexInlineTableValueEnd consumes everything between the end of an inline table
+// key/value pair and the next pair (or the end of the table):
+// it ignores whitespace and expects either a ',' or a '}'.
+func lexInlineTableValueEnd(lx *lexer) stateFn {
+	switch r := lx.next(); {
+	case isWhitespace(r):
+		return lexSkip(lx, lexInlineTableValueEnd)
+	case isNL(r):
+		if lx.tomlNext {
+			return lexSkip(lx, lexInlineTableValueEnd)
+		}
+		return lx.errorPrevLine(errLexInlineTableNL{})
+	case r == '#':
+		lx.push(lexInlineTableValueEnd)
+		return lexCommentStart
+	case r == ',':
+		lx.ignore()
+		lx.skip(isWhitespace)
+		if lx.peek() == '}' {
+			if lx.tomlNext {
+				return lexInlineTableValueEnd
+			}
+			return lx.errorf("trailing comma not allowed in inline tables")
+		}
+		return lexInlineTableValue
+	case r == '}':
+		return lexInlineTableEnd
+	default:
+		return lx.errorf("expected a comma or an inline table terminator '}', but got %s instead", runeOrEOF(r))
+	}
+}
+
+func runeOrEOF(r rune) string {
+	if r == eof {
+		return "end of file"
+	}
+	return "'" + string(r) + "'"
+}
+
+// lexInlineTableEnd finishes the lexing of an inline table.
+// It assumes that a '}' has just been consumed.
+func lexInlineTableEnd(lx *lexer) stateFn {
+	lx.ignore()
+	lx.emit(itemInlineTableEnd)
+	return lx.pop()
+}
+
+// lexString consumes the inner contents of a string. It assumes that the
+// beginning '"' has already been consumed and ignored.
+func lexString(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	case r == eof:
+		return lx.errorf(`unexpected EOF; expected '"'`)
+	case isNL(r):
+		return lx.errorPrevLine(errLexStringNL{})
+	case r == '\\':
+		lx.push(lexString)
+		return lexStringEscape
+	case r == '"':
+		lx.backup()
+		if lx.esc {
+			lx.esc = false
+			lx.emit(itemStringEsc)
+		} else {
+			lx.emit(itemString)
+		}
+		lx.next()
+		lx.ignore()
+		return lx.pop()
+	}
+	return lexString
+}
+
+// lexMultilineString consumes the inner contents of a string. It assumes that
+// the beginning '"""' has already been consumed and ignored.
+func lexMultilineString(lx *lexer) stateFn {
+	r := lx.next()
+	switch r {
+	default:
+		return lexMultilineString
+	case eof:
+		return lx.errorf(`unexpected EOF; expected '"""'`)
+	case '\\':
+		return lexMultilineStringEscape
+	case '"':
+		/// Found " → try to read two more "".
+		if lx.accept('"') {
+			if lx.accept('"') {
+				/// Peek ahead: the string can contain " and "", including at the
+				/// end: """str"""""
+				/// 6 or more at the end, however, is an error.
+				if lx.peek() == '"' {
+					/// Check if we already lexed 5 's; if so we have 6 now, and
+					/// that's just too many man!
+					///
+					/// Second check is for the edge case:
+					///
+					///            two quotes allowed.
+					///            vv
+					///   """lol \""""""
+					///          ^^  ^^^---- closing three
+					///     escaped
+					///
+					/// But ugly, but it works
+					if strings.HasSuffix(lx.current(), `"""""`) && !strings.HasSuffix(lx.current(), `\"""""`) {
+						return lx.errorf(`unexpected '""""""'`)
+					}
+					lx.backup()
+					lx.backup()
+					return lexMultilineString
+				}
+
+				lx.backup() /// backup: don't include the """ in the item.
+				lx.backup()
+				lx.backup()
+				lx.esc = false
+				lx.emit(itemMultilineString)
+				lx.next() /// Read over ''' again and discard it.
+				lx.next()
+				lx.next()
+				lx.ignore()
+				return lx.pop()
+			}
+			lx.backup()
+		}
+		return lexMultilineString
+	}
+}
+
+// lexRawString consumes a raw string. Nothing can be escaped in such a string.
+// It assumes that the beginning "'" has already been consumed and ignored.
+func lexRawString(lx *lexer) stateFn {
+	r := lx.next()
+	switch {
+	default:
+		return lexRawString
+	case r == eof:
+		return lx.errorf(`unexpected EOF; expected "'"`)
+	case isNL(r):
+		return lx.errorPrevLine(errLexStringNL{})
+	case r == '\'':
+		lx.backup()
+		lx.emit(itemRawString)
+		lx.next()
+		lx.ignore()
+		return lx.pop()
+	}
+}
+
+// lexMultilineRawString consumes a raw string. Nothing can be escaped in such a
+// string. It assumes that the beginning triple-' has already been consumed and
+// ignored.
+func lexMultilineRawString(lx *lexer) stateFn {
+	r := lx.next()
+	switch r {
+	default:
+		return lexMultilineRawString
+	case eof:
+		return lx.errorf(`unexpected EOF; expected "'''"`)
+	case '\'':
+		/// Found ' → try to read two more ''.
+		if lx.accept('\'') {
+			if lx.accept('\'') {
+				/// Peek ahead: the string can contain ' and '', including at the
+				/// end: '''str'''''
+				/// 6 or more at the end, however, is an error.
+				if lx.peek() == '\'' {
+					/// Check if we already lexed 5 's; if so we have 6 now, and
+					/// that's just too many man!
+					if strings.HasSuffix(lx.current(), "'''''") {
+						return lx.errorf(`unexpected "''''''"`)
+					}
+					lx.backup()
+					lx.backup()
+					return lexMultilineRawString
+				}
+
+				lx.backup() /// backup: don't include the ''' in the item.
+				lx.backup()
+				lx.backup()
+				lx.emit(itemRawMultilineString)
+				lx.next() /// Read over ''' again and discard it.
+				lx.next()
+				lx.next()
+				lx.ignore()
+				return lx.pop()
+			}
+			lx.backup()
+		}
+		return lexMultilineRawString
+	}
+}
+
+// lexMultilineStringEscape consumes an escaped character. It assumes that the
+// preceding '\\' has already been consumed.
+func lexMultilineStringEscape(lx *lexer) stateFn {
+	if isNL(lx.next()) { /// \ escaping newline.
+		return lexMultilineString
+	}
+	lx.backup()
+	lx.push(lexMultilineString)
+	return lexStringEscape(lx)
+}
+
+func lexStringEscape(lx *lexer) stateFn {
+	lx.esc = true
+	r := lx.next()
+	switch r {
+	case 'e':
+		if !lx.tomlNext {
+			return lx.error(errLexEscape{r})
+		}
+		fallthrough
+	case 'b':
+		fallthrough
+	case 't':
+		fallthrough
+	case 'n':
+		fallthrough
+	case 'f':
+		fallthrough
+	case 'r':
+		fallthrough
+	case '"':
+		fallthrough
+	case ' ', '\t':
+		// Inside """ .. """ strings you can use \ to escape newlines, and any
+		// amount of whitespace can be between the \ and \n.
+		fallthrough
+	case '\\':
+		return lx.pop()
+	case 'x':
+		if !lx.tomlNext {
+			return lx.error(errLexEscape{r})
+		}
+		return lexHexEscape
+	case 'u':
+		return lexShortUnicodeEscape
+	case 'U':
+		return lexLongUnicodeEscape
+	}
+	return lx.error(errLexEscape{r})
+}
+
+func lexHexEscape(lx *lexer) stateFn {
+	var r rune
+	for i := 0; i < 2; i++ {
+		r = lx.next()
+		if !isHex(r) {
+			return lx.errorf(`expected two hexadecimal digits after '\x', but got %q instead`, lx.current())
+		}
+	}
+	return lx.pop()
+}
+
+func lexShortUnicodeEscape(lx *lexer) stateFn {
+	var r rune
+	for i := 0; i < 4; i++ {
+		r = lx.next()
+		if !isHex(r) {
+			return lx.errorf(`expected four hexadecimal digits after '\u', but got %q instead`, lx.current())
+		}
+	}
+	return lx.pop()
+}
+
+func lexLongUnicodeEscape(lx *lexer) stateFn {
+	var r rune
+	for i := 0; i < 8; i++ {
+		r = lx.next()
+		if !isHex(r) {
+			return lx.errorf(`expected eight hexadecimal digits after '\U', but got %q instead`, lx.current())
+		}
+	}
+	return lx.pop()
+}
+
+// lexNumberOrDateStart processes the first character of a value which begins
+// with a digit. It exists to catch values starting with '0', so that
+// lexBaseNumberOrDate can differentiate base prefixed integers from other
+// types.
+func lexNumberOrDateStart(lx *lexer) stateFn {
+	r := lx.next()
+	switch r {
+	case '0':
+		return lexBaseNumberOrDate
+	}
+
+	if !isDigit(r) {
+		// The only way to reach this state is if the value starts
+		// with a digit, so specifically treat anything else as an
+		// error.
+		return lx.errorf("expected a digit but got %q", r)
+	}
+
+	return lexNumberOrDate
+}
+
+// lexNumberOrDate consumes either an integer, float or datetime.
+func lexNumberOrDate(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexNumberOrDate
+	}
+	switch r {
+	case '-', ':':
+		return lexDatetime
+	case '_':
+		return lexDecimalNumber
+	case '.', 'e', 'E':
+		return lexFloat
+	}
+
+	lx.backup()
+	lx.emit(itemInteger)
+	return lx.pop()
+}
+
+// lexDatetime consumes a Datetime, to a first approximation.
+// The parser validates that it matches one of the accepted formats.
+func lexDatetime(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexDatetime
+	}
+	switch r {
+	case '-', ':', 'T', 't', ' ', '.', 'Z', 'z', '+':
+		return lexDatetime
+	}
+
+	lx.backup()
+	lx.emitTrim(itemDatetime)
+	return lx.pop()
+}
+
+// lexHexInteger consumes a hexadecimal integer after seeing the '0x' prefix.
+func lexHexInteger(lx *lexer) stateFn {
+	r := lx.next()
+	if isHex(r) {
+		return lexHexInteger
+	}
+	switch r {
+	case '_':
+		return lexHexInteger
+	}
+
+	lx.backup()
+	lx.emit(itemInteger)
+	return lx.pop()
+}
+
+// lexOctalInteger consumes an octal integer after seeing the '0o' prefix.
+func lexOctalInteger(lx *lexer) stateFn {
+	r := lx.next()
+	if isOctal(r) {
+		return lexOctalInteger
+	}
+	switch r {
+	case '_':
+		return lexOctalInteger
+	}
+
+	lx.backup()
+	lx.emit(itemInteger)
+	return lx.pop()
+}
+
+// lexBinaryInteger consumes a binary integer after seeing the '0b' prefix.
+func lexBinaryInteger(lx *lexer) stateFn {
+	r := lx.next()
+	if isBinary(r) {
+		return lexBinaryInteger
+	}
+	switch r {
+	case '_':
+		return lexBinaryInteger
+	}
+
+	lx.backup()
+	lx.emit(itemInteger)
+	return lx.pop()
+}
+
+// lexDecimalNumber consumes a decimal float or integer.
+func lexDecimalNumber(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexDecimalNumber
+	}
+	switch r {
+	case '.', 'e', 'E':
+		return lexFloat
+	case '_':
+		return lexDecimalNumber
+	}
+
+	lx.backup()
+	lx.emit(itemInteger)
+	return lx.pop()
+}
+
+// lexDecimalNumber consumes the first digit of a number beginning with a sign.
+// It assumes the sign has already been consumed. Values which start with a sign
+// are only allowed to be decimal integers or floats.
+//
+// The special "nan" and "inf" values are also recognized.
+func lexDecimalNumberStart(lx *lexer) stateFn {
+	r := lx.next()
+
+	// Special error cases to give users better error messages
+	switch r {
+	case 'i':
+		if !lx.accept('n') || !lx.accept('f') {
+			return lx.errorf("invalid float: '%s'", lx.current())
+		}
+		lx.emit(itemFloat)
+		return lx.pop()
+	case 'n':
+		if !lx.accept('a') || !lx.accept('n') {
+			return lx.errorf("invalid float: '%s'", lx.current())
+		}
+		lx.emit(itemFloat)
+		return lx.pop()
+	case '0':
+		p := lx.peek()
+		switch p {
+		case 'b', 'o', 'x':
+			return lx.errorf("cannot use sign with non-decimal numbers: '%s%c'", lx.current(), p)
+		}
+	case '.':
+		return lx.errorf("floats must start with a digit, not '.'")
+	}
+
+	if isDigit(r) {
+		return lexDecimalNumber
+	}
+
+	return lx.errorf("expected a digit but got %q", r)
+}
+
+// lexBaseNumberOrDate differentiates between the possible values which
+// start with '0'. It assumes that before reaching this state, the initial '0'
+// has been consumed.
+func lexBaseNumberOrDate(lx *lexer) stateFn {
+	r := lx.next()
+	// Note: All datetimes start with at least two digits, so we don't
+	// handle date characters (':', '-', etc.) here.
+	if isDigit(r) {
+		return lexNumberOrDate
+	}
+	switch r {
+	case '_':
+		// Can only be decimal, because there can't be an underscore
+		// between the '0' and the base designator, and dates can't
+		// contain underscores.
+		return lexDecimalNumber
+	case '.', 'e', 'E':
+		return lexFloat
+	case 'b':
+		r = lx.peek()
+		if !isBinary(r) {
+			lx.errorf("not a binary number: '%s%c'", lx.current(), r)
+		}
+		return lexBinaryInteger
+	case 'o':
+		r = lx.peek()
+		if !isOctal(r) {
+			lx.errorf("not an octal number: '%s%c'", lx.current(), r)
+		}
+		return lexOctalInteger
+	case 'x':
+		r = lx.peek()
+		if !isHex(r) {
+			lx.errorf("not a hexadecimal number: '%s%c'", lx.current(), r)
+		}
+		return lexHexInteger
+	}
+
+	lx.backup()
+	lx.emit(itemInteger)
+	return lx.pop()
+}
+
+// lexFloat consumes the elements of a float. It allows any sequence of
+// float-like characters, so floats emitted by the lexer are only a first
+// approximation and must be validated by the parser.
+func lexFloat(lx *lexer) stateFn {
+	r := lx.next()
+	if isDigit(r) {
+		return lexFloat
+	}
+	switch r {
+	case '_', '.', '-', '+', 'e', 'E':
+		return lexFloat
+	}
+
+	lx.backup()
+	lx.emit(itemFloat)
+	return lx.pop()
+}
+
+// lexBool consumes a bool string: 'true' or 'false.
+func lexBool(lx *lexer) stateFn {
+	var rs []rune
+	for {
+		r := lx.next()
+		if !unicode.IsLetter(r) {
+			lx.backup()
+			break
+		}
+		rs = append(rs, r)
+	}
+	s := string(rs)
+	switch s {
+	case "true", "false":
+		lx.emit(itemBool)
+		return lx.pop()
+	}
+	return lx.errorf("expected value but found %q instead", s)
+}
+
+// lexCommentStart begins the lexing of a comment. It will emit
+// itemCommentStart and consume no characters, passing control to lexComment.
+func lexCommentStart(lx *lexer) stateFn {
+	lx.ignore()
+	lx.emit(itemCommentStart)
+	return lexComment
+}
+
+// lexComment lexes an entire comment. It assumes that '#' has been consumed.
+// It will consume *up to* the first newline character, and pass control
+// back to the last state on the stack.
+func lexComment(lx *lexer) stateFn {
+	switch r := lx.next(); {
+	case isNL(r) || r == eof:
+		lx.backup()
+		lx.emit(itemText)
+		return lx.pop()
+	default:
+		return lexComment
+	}
+}
+
+// lexSkip ignores all slurped input and moves on to the next state.
+func lexSkip(lx *lexer, nextState stateFn) stateFn {
+	lx.ignore()
+	return nextState
+}
+
+func (s stateFn) String() string {
+	name := runtime.FuncForPC(reflect.ValueOf(s).Pointer()).Name()
+	if i := strings.LastIndexByte(name, '.'); i > -1 {
+		name = name[i+1:]
+	}
+	if s == nil {
+		name = "<nil>"
+	}
+	return name + "()"
+}
+
+func (itype itemType) String() string {
+	switch itype {
+	case itemError:
+		return "Error"
+	case itemNIL:
+		return "NIL"
+	case itemEOF:
+		return "EOF"
+	case itemText:
+		return "Text"
+	case itemString, itemStringEsc, itemRawString, itemMultilineString, itemRawMultilineString:
+		return "String"
+	case itemBool:
+		return "Bool"
+	case itemInteger:
+		return "Integer"
+	case itemFloat:
+		return "Float"
+	case itemDatetime:
+		return "DateTime"
+	case itemTableStart:
+		return "TableStart"
+	case itemTableEnd:
+		return "TableEnd"
+	case itemKeyStart:
+		return "KeyStart"
+	case itemKeyEnd:
+		return "KeyEnd"
+	case itemArray:
+		return "Array"
+	case itemArrayEnd:
+		return "ArrayEnd"
+	case itemCommentStart:
+		return "CommentStart"
+	case itemInlineTableStart:
+		return "InlineTableStart"
+	case itemInlineTableEnd:
+		return "InlineTableEnd"
+	}
+	panic(fmt.Sprintf("BUG: Unknown type '%d'.", int(itype)))
+}
+
+func (item item) String() string {
+	return fmt.Sprintf("(%s, %s)", item.typ, item.val)
+}
+
+func isWhitespace(r rune) bool { return r == '\t' || r == ' ' }
+func isNL(r rune) bool         { return r == '\n' || r == '\r' }
+func isControl(r rune) bool { // Control characters except \t, \r, \n
+	switch r {
+	case '\t', '\r', '\n':
+		return false
+	default:
+		return (r >= 0x00 && r <= 0x1f) || r == 0x7f
+	}
+}
+func isDigit(r rune) bool  { return r >= '0' && r <= '9' }
+func isBinary(r rune) bool { return r == '0' || r == '1' }
+func isOctal(r rune) bool  { return r >= '0' && r <= '7' }
+func isHex(r rune) bool    { return (r >= '0' && r <= '9') || (r|0x20 >= 'a' && r|0x20 <= 'f') }
+func isBareKeyChar(r rune, tomlNext bool) bool {
+	return (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') ||
+		(r >= '0' && r <= '9') || r == '_' || r == '-'
+}
diff --git a/vendor/github.com/BurntSushi/toml/meta.go b/vendor/github.com/BurntSushi/toml/meta.go
new file mode 100644
index 0000000000..0d337026c1
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/meta.go
@@ -0,0 +1,145 @@
+package toml
+
+import (
+	"strings"
+)
+
+// MetaData allows access to meta information about TOML data that's not
+// accessible otherwise.
+//
+// It allows checking if a key is defined in the TOML data, whether any keys
+// were undecoded, and the TOML type of a key.
+type MetaData struct {
+	context Key // Used only during decoding.
+
+	keyInfo map[string]keyInfo
+	mapping map[string]any
+	keys    []Key
+	decoded map[string]struct{}
+	data    []byte // Input file; for errors.
+}
+
+// IsDefined reports if the key exists in the TOML data.
+//
+// The key should be specified hierarchically, for example to access the TOML
+// key "a.b.c" you would use IsDefined("a", "b", "c"). Keys are case sensitive.
+//
+// Returns false for an empty key.
+func (md *MetaData) IsDefined(key ...string) bool {
+	if len(key) == 0 {
+		return false
+	}
+
+	var (
+		hash      map[string]any
+		ok        bool
+		hashOrVal any = md.mapping
+	)
+	for _, k := range key {
+		if hash, ok = hashOrVal.(map[string]any); !ok {
+			return false
+		}
+		if hashOrVal, ok = hash[k]; !ok {
+			return false
+		}
+	}
+	return true
+}
+
+// Type returns a string representation of the type of the key specified.
+//
+// Type will return the empty string if given an empty key or a key that does
+// not exist. Keys are case sensitive.
+func (md *MetaData) Type(key ...string) string {
+	if ki, ok := md.keyInfo[Key(key).String()]; ok {
+		return ki.tomlType.typeString()
+	}
+	return ""
+}
+
+// Keys returns a slice of every key in the TOML data, including key groups.
+//
+// Each key is itself a slice, where the first element is the top of the
+// hierarchy and the last is the most specific. The list will have the same
+// order as the keys appeared in the TOML data.
+//
+// All keys returned are non-empty.
+func (md *MetaData) Keys() []Key {
+	return md.keys
+}
+
+// Undecoded returns all keys that have not been decoded in the order in which
+// they appear in the original TOML document.
+//
+// This includes keys that haven't been decoded because of a [Primitive] value.
+// Once the Primitive value is decoded, the keys will be considered decoded.
+//
+// Also note that decoding into an empty interface will result in no decoding,
+// and so no keys will be considered decoded.
+//
+// In this sense, the Undecoded keys correspond to keys in the TOML document
+// that do not have a concrete type in your representation.
+func (md *MetaData) Undecoded() []Key {
+	undecoded := make([]Key, 0, len(md.keys))
+	for _, key := range md.keys {
+		if _, ok := md.decoded[key.String()]; !ok {
+			undecoded = append(undecoded, key)
+		}
+	}
+	return undecoded
+}
+
+// Key represents any TOML key, including key groups. Use [MetaData.Keys] to get
+// values of this type.
+type Key []string
+
+func (k Key) String() string {
+	// This is called quite often, so it's a bit funky to make it faster.
+	var b strings.Builder
+	b.Grow(len(k) * 25)
+outer:
+	for i, kk := range k {
+		if i > 0 {
+			b.WriteByte('.')
+		}
+		if kk == "" {
+			b.WriteString(`""`)
+		} else {
+			for _, r := range kk {
+				// "Inline" isBareKeyChar
+				if !((r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '_' || r == '-') {
+					b.WriteByte('"')
+					b.WriteString(dblQuotedReplacer.Replace(kk))
+					b.WriteByte('"')
+					continue outer
+				}
+			}
+			b.WriteString(kk)
+		}
+	}
+	return b.String()
+}
+
+func (k Key) maybeQuoted(i int) string {
+	if k[i] == "" {
+		return `""`
+	}
+	for _, r := range k[i] {
+		if (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '_' || r == '-' {
+			continue
+		}
+		return `"` + dblQuotedReplacer.Replace(k[i]) + `"`
+	}
+	return k[i]
+}
+
+// Like append(), but only increase the cap by 1.
+func (k Key) add(piece string) Key {
+	newKey := make(Key, len(k)+1)
+	copy(newKey, k)
+	newKey[len(k)] = piece
+	return newKey
+}
+
+func (k Key) parent() Key  { return k[:len(k)-1] } // all except the last piece.
+func (k Key) last() string { return k[len(k)-1] }  // last piece of this key.
diff --git a/vendor/github.com/BurntSushi/toml/parse.go b/vendor/github.com/BurntSushi/toml/parse.go
new file mode 100644
index 0000000000..e3ea8a9a2d
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/parse.go
@@ -0,0 +1,845 @@
+package toml
+
+import (
+	"fmt"
+	"math"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+	"unicode/utf8"
+
+	"github.com/BurntSushi/toml/internal"
+)
+
+type parser struct {
+	lx         *lexer
+	context    Key      // Full key for the current hash in scope.
+	currentKey string   // Base key name for everything except hashes.
+	pos        Position // Current position in the TOML file.
+	tomlNext   bool
+
+	ordered []Key // List of keys in the order that they appear in the TOML data.
+
+	keyInfo   map[string]keyInfo  // Map keyname → info about the TOML key.
+	mapping   map[string]any      // Map keyname → key value.
+	implicits map[string]struct{} // Record implicit keys (e.g. "key.group.names").
+}
+
+type keyInfo struct {
+	pos      Position
+	tomlType tomlType
+}
+
+func parse(data string) (p *parser, err error) {
+	_, tomlNext := os.LookupEnv("BURNTSUSHI_TOML_110")
+
+	defer func() {
+		if r := recover(); r != nil {
+			if pErr, ok := r.(ParseError); ok {
+				pErr.input = data
+				err = pErr
+				return
+			}
+			panic(r)
+		}
+	}()
+
+	// Read over BOM; do this here as the lexer calls utf8.DecodeRuneInString()
+	// which mangles stuff. UTF-16 BOM isn't strictly valid, but some tools add
+	// it anyway.
+	if strings.HasPrefix(data, "\xff\xfe") || strings.HasPrefix(data, "\xfe\xff") { // UTF-16
+		data = data[2:]
+	} else if strings.HasPrefix(data, "\xef\xbb\xbf") { // UTF-8
+		data = data[3:]
+	}
+
+	// Examine first few bytes for NULL bytes; this probably means it's a UTF-16
+	// file (second byte in surrogate pair being NULL). Again, do this here to
+	// avoid having to deal with UTF-8/16 stuff in the lexer.
+	ex := 6
+	if len(data) < 6 {
+		ex = len(data)
+	}
+	if i := strings.IndexRune(data[:ex], 0); i > -1 {
+		return nil, ParseError{
+			Message:  "files cannot contain NULL bytes; probably using UTF-16; TOML files must be UTF-8",
+			Position: Position{Line: 1, Col: 1, Start: i, Len: 1},
+			Line:     1,
+			input:    data,
+		}
+	}
+
+	p = &parser{
+		keyInfo:   make(map[string]keyInfo),
+		mapping:   make(map[string]any),
+		lx:        lex(data, tomlNext),
+		ordered:   make([]Key, 0),
+		implicits: make(map[string]struct{}),
+		tomlNext:  tomlNext,
+	}
+	for {
+		item := p.next()
+		if item.typ == itemEOF {
+			break
+		}
+		p.topLevel(item)
+	}
+
+	return p, nil
+}
+
+func (p *parser) panicErr(it item, err error) {
+	panic(ParseError{
+		Message:  err.Error(),
+		err:      err,
+		Position: it.pos.withCol(p.lx.input),
+		Line:     it.pos.Len,
+		LastKey:  p.current(),
+	})
+}
+
+func (p *parser) panicItemf(it item, format string, v ...any) {
+	panic(ParseError{
+		Message:  fmt.Sprintf(format, v...),
+		Position: it.pos.withCol(p.lx.input),
+		Line:     it.pos.Len,
+		LastKey:  p.current(),
+	})
+}
+
+func (p *parser) panicf(format string, v ...any) {
+	panic(ParseError{
+		Message:  fmt.Sprintf(format, v...),
+		Position: p.pos.withCol(p.lx.input),
+		Line:     p.pos.Line,
+		LastKey:  p.current(),
+	})
+}
+
+func (p *parser) next() item {
+	it := p.lx.nextItem()
+	//fmt.Printf("ITEM %-18s line %-3d │ %q\n", it.typ, it.pos.Line, it.val)
+	if it.typ == itemError {
+		if it.err != nil {
+			panic(ParseError{
+				Message:  it.err.Error(),
+				err:      it.err,
+				Position: it.pos.withCol(p.lx.input),
+				Line:     it.pos.Line,
+				LastKey:  p.current(),
+			})
+		}
+
+		p.panicItemf(it, "%s", it.val)
+	}
+	return it
+}
+
+func (p *parser) nextPos() item {
+	it := p.next()
+	p.pos = it.pos
+	return it
+}
+
+func (p *parser) bug(format string, v ...any) {
+	panic(fmt.Sprintf("BUG: "+format+"\n\n", v...))
+}
+
+func (p *parser) expect(typ itemType) item {
+	it := p.next()
+	p.assertEqual(typ, it.typ)
+	return it
+}
+
+func (p *parser) assertEqual(expected, got itemType) {
+	if expected != got {
+		p.bug("Expected '%s' but got '%s'.", expected, got)
+	}
+}
+
+func (p *parser) topLevel(item item) {
+	switch item.typ {
+	case itemCommentStart: // # ..
+		p.expect(itemText)
+	case itemTableStart: // [ .. ]
+		name := p.nextPos()
+
+		var key Key
+		for ; name.typ != itemTableEnd && name.typ != itemEOF; name = p.next() {
+			key = append(key, p.keyString(name))
+		}
+		p.assertEqual(itemTableEnd, name.typ)
+
+		p.addContext(key, false)
+		p.setType("", tomlHash, item.pos)
+		p.ordered = append(p.ordered, key)
+	case itemArrayTableStart: // [[ .. ]]
+		name := p.nextPos()
+
+		var key Key
+		for ; name.typ != itemArrayTableEnd && name.typ != itemEOF; name = p.next() {
+			key = append(key, p.keyString(name))
+		}
+		p.assertEqual(itemArrayTableEnd, name.typ)
+
+		p.addContext(key, true)
+		p.setType("", tomlArrayHash, item.pos)
+		p.ordered = append(p.ordered, key)
+	case itemKeyStart: // key = ..
+		outerContext := p.context
+		/// Read all the key parts (e.g. 'a' and 'b' in 'a.b')
+		k := p.nextPos()
+		var key Key
+		for ; k.typ != itemKeyEnd && k.typ != itemEOF; k = p.next() {
+			key = append(key, p.keyString(k))
+		}
+		p.assertEqual(itemKeyEnd, k.typ)
+
+		/// The current key is the last part.
+		p.currentKey = key.last()
+
+		/// All the other parts (if any) are the context; need to set each part
+		/// as implicit.
+		context := key.parent()
+		for i := range context {
+			p.addImplicitContext(append(p.context, context[i:i+1]...))
+		}
+		p.ordered = append(p.ordered, p.context.add(p.currentKey))
+
+		/// Set value.
+		vItem := p.next()
+		val, typ := p.value(vItem, false)
+		p.setValue(p.currentKey, val)
+		p.setType(p.currentKey, typ, vItem.pos)
+
+		/// Remove the context we added (preserving any context from [tbl] lines).
+		p.context = outerContext
+		p.currentKey = ""
+	default:
+		p.bug("Unexpected type at top level: %s", item.typ)
+	}
+}
+
+// Gets a string for a key (or part of a key in a table name).
+func (p *parser) keyString(it item) string {
+	switch it.typ {
+	case itemText:
+		return it.val
+	case itemString, itemStringEsc, itemMultilineString,
+		itemRawString, itemRawMultilineString:
+		s, _ := p.value(it, false)
+		return s.(string)
+	default:
+		p.bug("Unexpected key type: %s", it.typ)
+	}
+	panic("unreachable")
+}
+
+var datetimeRepl = strings.NewReplacer(
+	"z", "Z",
+	"t", "T",
+	" ", "T")
+
+// value translates an expected value from the lexer into a Go value wrapped
+// as an empty interface.
+func (p *parser) value(it item, parentIsArray bool) (any, tomlType) {
+	switch it.typ {
+	case itemString:
+		return it.val, p.typeOfPrimitive(it)
+	case itemStringEsc:
+		return p.replaceEscapes(it, it.val), p.typeOfPrimitive(it)
+	case itemMultilineString:
+		return p.replaceEscapes(it, p.stripEscapedNewlines(stripFirstNewline(it.val))), p.typeOfPrimitive(it)
+	case itemRawString:
+		return it.val, p.typeOfPrimitive(it)
+	case itemRawMultilineString:
+		return stripFirstNewline(it.val), p.typeOfPrimitive(it)
+	case itemInteger:
+		return p.valueInteger(it)
+	case itemFloat:
+		return p.valueFloat(it)
+	case itemBool:
+		switch it.val {
+		case "true":
+			return true, p.typeOfPrimitive(it)
+		case "false":
+			return false, p.typeOfPrimitive(it)
+		default:
+			p.bug("Expected boolean value, but got '%s'.", it.val)
+		}
+	case itemDatetime:
+		return p.valueDatetime(it)
+	case itemArray:
+		return p.valueArray(it)
+	case itemInlineTableStart:
+		return p.valueInlineTable(it, parentIsArray)
+	default:
+		p.bug("Unexpected value type: %s", it.typ)
+	}
+	panic("unreachable")
+}
+
+func (p *parser) valueInteger(it item) (any, tomlType) {
+	if !numUnderscoresOK(it.val) {
+		p.panicItemf(it, "Invalid integer %q: underscores must be surrounded by digits", it.val)
+	}
+	if numHasLeadingZero(it.val) {
+		p.panicItemf(it, "Invalid integer %q: cannot have leading zeroes", it.val)
+	}
+
+	num, err := strconv.ParseInt(it.val, 0, 64)
+	if err != nil {
+		// Distinguish integer values. Normally, it'd be a bug if the lexer
+		// provides an invalid integer, but it's possible that the number is
+		// out of range of valid values (which the lexer cannot determine).
+		// So mark the former as a bug but the latter as a legitimate user
+		// error.
+		if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange {
+			p.panicErr(it, errParseRange{i: it.val, size: "int64"})
+		} else {
+			p.bug("Expected integer value, but got '%s'.", it.val)
+		}
+	}
+	return num, p.typeOfPrimitive(it)
+}
+
+func (p *parser) valueFloat(it item) (any, tomlType) {
+	parts := strings.FieldsFunc(it.val, func(r rune) bool {
+		switch r {
+		case '.', 'e', 'E':
+			return true
+		}
+		return false
+	})
+	for _, part := range parts {
+		if !numUnderscoresOK(part) {
+			p.panicItemf(it, "Invalid float %q: underscores must be surrounded by digits", it.val)
+		}
+	}
+	if len(parts) > 0 && numHasLeadingZero(parts[0]) {
+		p.panicItemf(it, "Invalid float %q: cannot have leading zeroes", it.val)
+	}
+	if !numPeriodsOK(it.val) {
+		// As a special case, numbers like '123.' or '1.e2',
+		// which are valid as far as Go/strconv are concerned,
+		// must be rejected because TOML says that a fractional
+		// part consists of '.' followed by 1+ digits.
+		p.panicItemf(it, "Invalid float %q: '.' must be followed by one or more digits", it.val)
+	}
+	val := strings.Replace(it.val, "_", "", -1)
+	signbit := false
+	if val == "+nan" || val == "-nan" {
+		signbit = val == "-nan"
+		val = "nan"
+	}
+	num, err := strconv.ParseFloat(val, 64)
+	if err != nil {
+		if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange {
+			p.panicErr(it, errParseRange{i: it.val, size: "float64"})
+		} else {
+			p.panicItemf(it, "Invalid float value: %q", it.val)
+		}
+	}
+	if signbit {
+		num = math.Copysign(num, -1)
+	}
+	return num, p.typeOfPrimitive(it)
+}
+
+var dtTypes = []struct {
+	fmt  string
+	zone *time.Location
+	next bool
+}{
+	{time.RFC3339Nano, time.Local, false},
+	{"2006-01-02T15:04:05.999999999", internal.LocalDatetime, false},
+	{"2006-01-02", internal.LocalDate, false},
+	{"15:04:05.999999999", internal.LocalTime, false},
+
+	// tomlNext
+	{"2006-01-02T15:04Z07:00", time.Local, true},
+	{"2006-01-02T15:04", internal.LocalDatetime, true},
+	{"15:04", internal.LocalTime, true},
+}
+
+func (p *parser) valueDatetime(it item) (any, tomlType) {
+	it.val = datetimeRepl.Replace(it.val)
+	var (
+		t   time.Time
+		ok  bool
+		err error
+	)
+	for _, dt := range dtTypes {
+		if dt.next && !p.tomlNext {
+			continue
+		}
+		t, err = time.ParseInLocation(dt.fmt, it.val, dt.zone)
+		if err == nil {
+			if missingLeadingZero(it.val, dt.fmt) {
+				p.panicErr(it, errParseDate{it.val})
+			}
+			ok = true
+			break
+		}
+	}
+	if !ok {
+		p.panicErr(it, errParseDate{it.val})
+	}
+	return t, p.typeOfPrimitive(it)
+}
+
+// Go's time.Parse() will accept numbers without a leading zero; there isn't any
+// way to require it. https://github.com/golang/go/issues/29911
+//
+// Depend on the fact that the separators (- and :) should always be at the same
+// location.
+func missingLeadingZero(d, l string) bool {
+	for i, c := range []byte(l) {
+		if c == '.' || c == 'Z' {
+			return false
+		}
+		if (c < '0' || c > '9') && d[i] != c {
+			return true
+		}
+	}
+	return false
+}
+
+func (p *parser) valueArray(it item) (any, tomlType) {
+	p.setType(p.currentKey, tomlArray, it.pos)
+
+	var (
+		// Initialize to a non-nil slice to make it consistent with how S = []
+		// decodes into a non-nil slice inside something like struct { S
+		// []string }. See #338
+		array = make([]any, 0, 2)
+	)
+	for it = p.next(); it.typ != itemArrayEnd; it = p.next() {
+		if it.typ == itemCommentStart {
+			p.expect(itemText)
+			continue
+		}
+
+		val, typ := p.value(it, true)
+		array = append(array, val)
+
+		// XXX: type isn't used here, we need it to record the accurate type
+		// information.
+		//
+		// Not entirely sure how to best store this; could use "key[0]",
+		// "key[1]" notation, or maybe store it on the Array type?
+		_ = typ
+	}
+	return array, tomlArray
+}
+
+func (p *parser) valueInlineTable(it item, parentIsArray bool) (any, tomlType) {
+	var (
+		topHash      = make(map[string]any)
+		outerContext = p.context
+		outerKey     = p.currentKey
+	)
+
+	p.context = append(p.context, p.currentKey)
+	prevContext := p.context
+	p.currentKey = ""
+
+	p.addImplicit(p.context)
+	p.addContext(p.context, parentIsArray)
+
+	/// Loop over all table key/value pairs.
+	for it := p.next(); it.typ != itemInlineTableEnd; it = p.next() {
+		if it.typ == itemCommentStart {
+			p.expect(itemText)
+			continue
+		}
+
+		/// Read all key parts.
+		k := p.nextPos()
+		var key Key
+		for ; k.typ != itemKeyEnd && k.typ != itemEOF; k = p.next() {
+			key = append(key, p.keyString(k))
+		}
+		p.assertEqual(itemKeyEnd, k.typ)
+
+		/// The current key is the last part.
+		p.currentKey = key.last()
+
+		/// All the other parts (if any) are the context; need to set each part
+		/// as implicit.
+		context := key.parent()
+		for i := range context {
+			p.addImplicitContext(append(p.context, context[i:i+1]...))
+		}
+		p.ordered = append(p.ordered, p.context.add(p.currentKey))
+
+		/// Set the value.
+		val, typ := p.value(p.next(), false)
+		p.setValue(p.currentKey, val)
+		p.setType(p.currentKey, typ, it.pos)
+
+		hash := topHash
+		for _, c := range context {
+			h, ok := hash[c]
+			if !ok {
+				h = make(map[string]any)
+				hash[c] = h
+			}
+			hash, ok = h.(map[string]any)
+			if !ok {
+				p.panicf("%q is not a table", p.context)
+			}
+		}
+		hash[p.currentKey] = val
+
+		/// Restore context.
+		p.context = prevContext
+	}
+	p.context = outerContext
+	p.currentKey = outerKey
+	return topHash, tomlHash
+}
+
+// numHasLeadingZero checks if this number has leading zeroes, allowing for '0',
+// +/- signs, and base prefixes.
+func numHasLeadingZero(s string) bool {
+	if len(s) > 1 && s[0] == '0' && !(s[1] == 'b' || s[1] == 'o' || s[1] == 'x') { // Allow 0b, 0o, 0x
+		return true
+	}
+	if len(s) > 2 && (s[0] == '-' || s[0] == '+') && s[1] == '0' {
+		return true
+	}
+	return false
+}
+
+// numUnderscoresOK checks whether each underscore in s is surrounded by
+// characters that are not underscores.
+func numUnderscoresOK(s string) bool {
+	switch s {
+	case "nan", "+nan", "-nan", "inf", "-inf", "+inf":
+		return true
+	}
+	accept := false
+	for _, r := range s {
+		if r == '_' {
+			if !accept {
+				return false
+			}
+		}
+
+		// isHex is a superset of all the permissible characters surrounding an
+		// underscore.
+		accept = isHex(r)
+	}
+	return accept
+}
+
+// numPeriodsOK checks whether every period in s is followed by a digit.
+func numPeriodsOK(s string) bool {
+	period := false
+	for _, r := range s {
+		if period && !isDigit(r) {
+			return false
+		}
+		period = r == '.'
+	}
+	return !period
+}
+
+// Set the current context of the parser, where the context is either a hash or
+// an array of hashes, depending on the value of the `array` parameter.
+//
+// Establishing the context also makes sure that the key isn't a duplicate, and
+// will create implicit hashes automatically.
+func (p *parser) addContext(key Key, array bool) {
+	/// Always start at the top level and drill down for our context.
+	hashContext := p.mapping
+	keyContext := make(Key, 0, len(key)-1)
+
+	/// We only need implicit hashes for the parents.
+	for _, k := range key.parent() {
+		_, ok := hashContext[k]
+		keyContext = append(keyContext, k)
+
+		// No key? Make an implicit hash and move on.
+		if !ok {
+			p.addImplicit(keyContext)
+			hashContext[k] = make(map[string]any)
+		}
+
+		// If the hash context is actually an array of tables, then set
+		// the hash context to the last element in that array.
+		//
+		// Otherwise, it better be a table, since this MUST be a key group (by
+		// virtue of it not being the last element in a key).
+		switch t := hashContext[k].(type) {
+		case []map[string]any:
+			hashContext = t[len(t)-1]
+		case map[string]any:
+			hashContext = t
+		default:
+			p.panicf("Key '%s' was already created as a hash.", keyContext)
+		}
+	}
+
+	p.context = keyContext
+	if array {
+		// If this is the first element for this array, then allocate a new
+		// list of tables for it.
+		k := key.last()
+		if _, ok := hashContext[k]; !ok {
+			hashContext[k] = make([]map[string]any, 0, 4)
+		}
+
+		// Add a new table. But make sure the key hasn't already been used
+		// for something else.
+		if hash, ok := hashContext[k].([]map[string]any); ok {
+			hashContext[k] = append(hash, make(map[string]any))
+		} else {
+			p.panicf("Key '%s' was already created and cannot be used as an array.", key)
+		}
+	} else {
+		p.setValue(key.last(), make(map[string]any))
+	}
+	p.context = append(p.context, key.last())
+}
+
+// setValue sets the given key to the given value in the current context.
+// It will make sure that the key hasn't already been defined, account for
+// implicit key groups.
+func (p *parser) setValue(key string, value any) {
+	var (
+		tmpHash    any
+		ok         bool
+		hash       = p.mapping
+		keyContext = make(Key, 0, len(p.context)+1)
+	)
+	for _, k := range p.context {
+		keyContext = append(keyContext, k)
+		if tmpHash, ok = hash[k]; !ok {
+			p.bug("Context for key '%s' has not been established.", keyContext)
+		}
+		switch t := tmpHash.(type) {
+		case []map[string]any:
+			// The context is a table of hashes. Pick the most recent table
+			// defined as the current hash.
+			hash = t[len(t)-1]
+		case map[string]any:
+			hash = t
+		default:
+			p.panicf("Key '%s' has already been defined.", keyContext)
+		}
+	}
+	keyContext = append(keyContext, key)
+
+	if _, ok := hash[key]; ok {
+		// Normally redefining keys isn't allowed, but the key could have been
+		// defined implicitly and it's allowed to be redefined concretely. (See
+		// the `valid/implicit-and-explicit-after.toml` in toml-test)
+		//
+		// But we have to make sure to stop marking it as an implicit. (So that
+		// another redefinition provokes an error.)
+		//
+		// Note that since it has already been defined (as a hash), we don't
+		// want to overwrite it. So our business is done.
+		if p.isArray(keyContext) {
+			p.removeImplicit(keyContext)
+			hash[key] = value
+			return
+		}
+		if p.isImplicit(keyContext) {
+			p.removeImplicit(keyContext)
+			return
+		}
+		// Otherwise, we have a concrete key trying to override a previous key,
+		// which is *always* wrong.
+		p.panicf("Key '%s' has already been defined.", keyContext)
+	}
+
+	hash[key] = value
+}
+
+// setType sets the type of a particular value at a given key. It should be
+// called immediately AFTER setValue.
+//
+// Note that if `key` is empty, then the type given will be applied to the
+// current context (which is either a table or an array of tables).
+func (p *parser) setType(key string, typ tomlType, pos Position) {
+	keyContext := make(Key, 0, len(p.context)+1)
+	keyContext = append(keyContext, p.context...)
+	if len(key) > 0 { // allow type setting for hashes
+		keyContext = append(keyContext, key)
+	}
+	// Special case to make empty keys ("" = 1) work.
+	// Without it it will set "" rather than `""`.
+	// TODO: why is this needed? And why is this only needed here?
+	if len(keyContext) == 0 {
+		keyContext = Key{""}
+	}
+	p.keyInfo[keyContext.String()] = keyInfo{tomlType: typ, pos: pos}
+}
+
+// Implicit keys need to be created when tables are implied in "a.b.c.d = 1" and
+// "[a.b.c]" (the "a", "b", and "c" hashes are never created explicitly).
+func (p *parser) addImplicit(key Key)        { p.implicits[key.String()] = struct{}{} }
+func (p *parser) removeImplicit(key Key)     { delete(p.implicits, key.String()) }
+func (p *parser) isImplicit(key Key) bool    { _, ok := p.implicits[key.String()]; return ok }
+func (p *parser) isArray(key Key) bool       { return p.keyInfo[key.String()].tomlType == tomlArray }
+func (p *parser) addImplicitContext(key Key) { p.addImplicit(key); p.addContext(key, false) }
+
+// current returns the full key name of the current context.
+func (p *parser) current() string {
+	if len(p.currentKey) == 0 {
+		return p.context.String()
+	}
+	if len(p.context) == 0 {
+		return p.currentKey
+	}
+	return fmt.Sprintf("%s.%s", p.context, p.currentKey)
+}
+
+func stripFirstNewline(s string) string {
+	if len(s) > 0 && s[0] == '\n' {
+		return s[1:]
+	}
+	if len(s) > 1 && s[0] == '\r' && s[1] == '\n' {
+		return s[2:]
+	}
+	return s
+}
+
+// stripEscapedNewlines removes whitespace after line-ending backslashes in
+// multiline strings.
+//
+// A line-ending backslash is an unescaped \ followed only by whitespace until
+// the next newline. After a line-ending backslash, all whitespace is removed
+// until the next non-whitespace character.
+func (p *parser) stripEscapedNewlines(s string) string {
+	var (
+		b strings.Builder
+		i int
+	)
+	b.Grow(len(s))
+	for {
+		ix := strings.Index(s[i:], `\`)
+		if ix < 0 {
+			b.WriteString(s)
+			return b.String()
+		}
+		i += ix
+
+		if len(s) > i+1 && s[i+1] == '\\' {
+			// Escaped backslash.
+			i += 2
+			continue
+		}
+		// Scan until the next non-whitespace.
+		j := i + 1
+	whitespaceLoop:
+		for ; j < len(s); j++ {
+			switch s[j] {
+			case ' ', '\t', '\r', '\n':
+			default:
+				break whitespaceLoop
+			}
+		}
+		if j == i+1 {
+			// Not a whitespace escape.
+			i++
+			continue
+		}
+		if !strings.Contains(s[i:j], "\n") {
+			// This is not a line-ending backslash. (It's a bad escape sequence,
+			// but we can let replaceEscapes catch it.)
+			i++
+			continue
+		}
+		b.WriteString(s[:i])
+		s = s[j:]
+		i = 0
+	}
+}
+
+func (p *parser) replaceEscapes(it item, str string) string {
+	var (
+		b    strings.Builder
+		skip = 0
+	)
+	b.Grow(len(str))
+	for i, c := range str {
+		if skip > 0 {
+			skip--
+			continue
+		}
+		if c != '\\' {
+			b.WriteRune(c)
+			continue
+		}
+
+		if i >= len(str) {
+			p.bug("Escape sequence at end of string.")
+			return ""
+		}
+		switch str[i+1] {
+		default:
+			p.bug("Expected valid escape code after \\, but got %q.", str[i+1])
+		case ' ', '\t':
+			p.panicItemf(it, "invalid escape: '\\%c'", str[i+1])
+		case 'b':
+			b.WriteByte(0x08)
+			skip = 1
+		case 't':
+			b.WriteByte(0x09)
+			skip = 1
+		case 'n':
+			b.WriteByte(0x0a)
+			skip = 1
+		case 'f':
+			b.WriteByte(0x0c)
+			skip = 1
+		case 'r':
+			b.WriteByte(0x0d)
+			skip = 1
+		case 'e':
+			if p.tomlNext {
+				b.WriteByte(0x1b)
+				skip = 1
+			}
+		case '"':
+			b.WriteByte(0x22)
+			skip = 1
+		case '\\':
+			b.WriteByte(0x5c)
+			skip = 1
+		// The lexer guarantees the correct number of characters are present;
+		// don't need to check here.
+		case 'x':
+			if p.tomlNext {
+				escaped := p.asciiEscapeToUnicode(it, str[i+2:i+4])
+				b.WriteRune(escaped)
+				skip = 3
+			}
+		case 'u':
+			escaped := p.asciiEscapeToUnicode(it, str[i+2:i+6])
+			b.WriteRune(escaped)
+			skip = 5
+		case 'U':
+			escaped := p.asciiEscapeToUnicode(it, str[i+2:i+10])
+			b.WriteRune(escaped)
+			skip = 9
+		}
+	}
+	return b.String()
+}
+
+func (p *parser) asciiEscapeToUnicode(it item, s string) rune {
+	hex, err := strconv.ParseUint(strings.ToLower(s), 16, 32)
+	if err != nil {
+		p.bug("Could not parse '%s' as a hexadecimal number, but the lexer claims it's OK: %s", s, err)
+	}
+	if !utf8.ValidRune(rune(hex)) {
+		p.panicItemf(it, "Escaped character '\\u%s' is not valid UTF-8.", s)
+	}
+	return rune(hex)
+}
diff --git a/vendor/github.com/BurntSushi/toml/type_fields.go b/vendor/github.com/BurntSushi/toml/type_fields.go
new file mode 100644
index 0000000000..10c51f7eeb
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/type_fields.go
@@ -0,0 +1,238 @@
+package toml
+
+// Struct field handling is adapted from code in encoding/json:
+//
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the Go distribution.
+
+import (
+	"reflect"
+	"sort"
+	"sync"
+)
+
+// A field represents a single field found in a struct.
+type field struct {
+	name  string       // the name of the field (`toml` tag included)
+	tag   bool         // whether field has a `toml` tag
+	index []int        // represents the depth of an anonymous field
+	typ   reflect.Type // the type of the field
+}
+
+// byName sorts field by name, breaking ties with depth,
+// then breaking ties with "name came from toml tag", then
+// breaking ties with index sequence.
+type byName []field
+
+func (x byName) Len() int      { return len(x) }
+func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+func (x byName) Less(i, j int) bool {
+	if x[i].name != x[j].name {
+		return x[i].name < x[j].name
+	}
+	if len(x[i].index) != len(x[j].index) {
+		return len(x[i].index) < len(x[j].index)
+	}
+	if x[i].tag != x[j].tag {
+		return x[i].tag
+	}
+	return byIndex(x).Less(i, j)
+}
+
+// byIndex sorts field by index sequence.
+type byIndex []field
+
+func (x byIndex) Len() int      { return len(x) }
+func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+func (x byIndex) Less(i, j int) bool {
+	for k, xik := range x[i].index {
+		if k >= len(x[j].index) {
+			return false
+		}
+		if xik != x[j].index[k] {
+			return xik < x[j].index[k]
+		}
+	}
+	return len(x[i].index) < len(x[j].index)
+}
+
+// typeFields returns a list of fields that TOML should recognize for the given
+// type. The algorithm is breadth-first search over the set of structs to
+// include - the top struct and then any reachable anonymous structs.
+func typeFields(t reflect.Type) []field {
+	// Anonymous fields to explore at the current level and the next.
+	current := []field{}
+	next := []field{{typ: t}}
+
+	// Count of queued names for current level and the next.
+	var count map[reflect.Type]int
+	var nextCount map[reflect.Type]int
+
+	// Types already visited at an earlier level.
+	visited := map[reflect.Type]bool{}
+
+	// Fields found.
+	var fields []field
+
+	for len(next) > 0 {
+		current, next = next, current[:0]
+		count, nextCount = nextCount, map[reflect.Type]int{}
+
+		for _, f := range current {
+			if visited[f.typ] {
+				continue
+			}
+			visited[f.typ] = true
+
+			// Scan f.typ for fields to include.
+			for i := 0; i < f.typ.NumField(); i++ {
+				sf := f.typ.Field(i)
+				if sf.PkgPath != "" && !sf.Anonymous { // unexported
+					continue
+				}
+				opts := getOptions(sf.Tag)
+				if opts.skip {
+					continue
+				}
+				index := make([]int, len(f.index)+1)
+				copy(index, f.index)
+				index[len(f.index)] = i
+
+				ft := sf.Type
+				if ft.Name() == "" && ft.Kind() == reflect.Ptr {
+					// Follow pointer.
+					ft = ft.Elem()
+				}
+
+				// Record found field and index sequence.
+				if opts.name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
+					tagged := opts.name != ""
+					name := opts.name
+					if name == "" {
+						name = sf.Name
+					}
+					fields = append(fields, field{name, tagged, index, ft})
+					if count[f.typ] > 1 {
+						// If there were multiple instances, add a second,
+						// so that the annihilation code will see a duplicate.
+						// It only cares about the distinction between 1 or 2,
+						// so don't bother generating any more copies.
+						fields = append(fields, fields[len(fields)-1])
+					}
+					continue
+				}
+
+				// Record new anonymous struct to explore in next round.
+				nextCount[ft]++
+				if nextCount[ft] == 1 {
+					f := field{name: ft.Name(), index: index, typ: ft}
+					next = append(next, f)
+				}
+			}
+		}
+	}
+
+	sort.Sort(byName(fields))
+
+	// Delete all fields that are hidden by the Go rules for embedded fields,
+	// except that fields with TOML tags are promoted.
+
+	// The fields are sorted in primary order of name, secondary order
+	// of field index length. Loop over names; for each name, delete
+	// hidden fields by choosing the one dominant field that survives.
+	out := fields[:0]
+	for advance, i := 0, 0; i < len(fields); i += advance {
+		// One iteration per name.
+		// Find the sequence of fields with the name of this first field.
+		fi := fields[i]
+		name := fi.name
+		for advance = 1; i+advance < len(fields); advance++ {
+			fj := fields[i+advance]
+			if fj.name != name {
+				break
+			}
+		}
+		if advance == 1 { // Only one field with this name
+			out = append(out, fi)
+			continue
+		}
+		dominant, ok := dominantField(fields[i : i+advance])
+		if ok {
+			out = append(out, dominant)
+		}
+	}
+
+	fields = out
+	sort.Sort(byIndex(fields))
+
+	return fields
+}
+
+// dominantField looks through the fields, all of which are known to
+// have the same name, to find the single field that dominates the
+// others using Go's embedding rules, modified by the presence of
+// TOML tags. If there are multiple top-level fields, the boolean
+// will be false: This condition is an error in Go and we skip all
+// the fields.
+func dominantField(fields []field) (field, bool) {
+	// The fields are sorted in increasing index-length order. The winner
+	// must therefore be one with the shortest index length. Drop all
+	// longer entries, which is easy: just truncate the slice.
+	length := len(fields[0].index)
+	tagged := -1 // Index of first tagged field.
+	for i, f := range fields {
+		if len(f.index) > length {
+			fields = fields[:i]
+			break
+		}
+		if f.tag {
+			if tagged >= 0 {
+				// Multiple tagged fields at the same level: conflict.
+				// Return no field.
+				return field{}, false
+			}
+			tagged = i
+		}
+	}
+	if tagged >= 0 {
+		return fields[tagged], true
+	}
+	// All remaining fields have the same length. If there's more than one,
+	// we have a conflict (two fields named "X" at the same level) and we
+	// return no field.
+	if len(fields) > 1 {
+		return field{}, false
+	}
+	return fields[0], true
+}
+
+var fieldCache struct {
+	sync.RWMutex
+	m map[reflect.Type][]field
+}
+
+// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
+func cachedTypeFields(t reflect.Type) []field {
+	fieldCache.RLock()
+	f := fieldCache.m[t]
+	fieldCache.RUnlock()
+	if f != nil {
+		return f
+	}
+
+	// Compute fields without lock.
+	// Might duplicate effort but won't hold other computations back.
+	f = typeFields(t)
+	if f == nil {
+		f = []field{}
+	}
+
+	fieldCache.Lock()
+	if fieldCache.m == nil {
+		fieldCache.m = map[reflect.Type][]field{}
+	}
+	fieldCache.m[t] = f
+	fieldCache.Unlock()
+	return f
+}
diff --git a/vendor/github.com/BurntSushi/toml/type_toml.go b/vendor/github.com/BurntSushi/toml/type_toml.go
new file mode 100644
index 0000000000..1c090d331e
--- /dev/null
+++ b/vendor/github.com/BurntSushi/toml/type_toml.go
@@ -0,0 +1,65 @@
+package toml
+
+// tomlType represents any Go type that corresponds to a TOML type.
+// While the first draft of the TOML spec has a simplistic type system that
+// probably doesn't need this level of sophistication, we seem to be militating
+// toward adding real composite types.
+type tomlType interface {
+	typeString() string
+}
+
+// typeEqual accepts any two types and returns true if they are equal.
+func typeEqual(t1, t2 tomlType) bool {
+	if t1 == nil || t2 == nil {
+		return false
+	}
+	return t1.typeString() == t2.typeString()
+}
+
+func typeIsTable(t tomlType) bool {
+	return typeEqual(t, tomlHash) || typeEqual(t, tomlArrayHash)
+}
+
+type tomlBaseType string
+
+func (btype tomlBaseType) typeString() string { return string(btype) }
+func (btype tomlBaseType) String() string     { return btype.typeString() }
+
+var (
+	tomlInteger   tomlBaseType = "Integer"
+	tomlFloat     tomlBaseType = "Float"
+	tomlDatetime  tomlBaseType = "Datetime"
+	tomlString    tomlBaseType = "String"
+	tomlBool      tomlBaseType = "Bool"
+	tomlArray     tomlBaseType = "Array"
+	tomlHash      tomlBaseType = "Hash"
+	tomlArrayHash tomlBaseType = "ArrayHash"
+)
+
+// typeOfPrimitive returns a tomlType of any primitive value in TOML.
+// Primitive values are: Integer, Float, Datetime, String and Bool.
+//
+// Passing a lexer item other than the following will cause a BUG message
+// to occur: itemString, itemBool, itemInteger, itemFloat, itemDatetime.
+func (p *parser) typeOfPrimitive(lexItem item) tomlType {
+	switch lexItem.typ {
+	case itemInteger:
+		return tomlInteger
+	case itemFloat:
+		return tomlFloat
+	case itemDatetime:
+		return tomlDatetime
+	case itemString, itemStringEsc:
+		return tomlString
+	case itemMultilineString:
+		return tomlString
+	case itemRawString:
+		return tomlString
+	case itemRawMultilineString:
+		return tomlString
+	case itemBool:
+		return tomlBool
+	}
+	p.bug("Cannot infer primitive type of lex item '%s'.", lexItem)
+	panic("unreachable")
+}
diff --git a/vendor/github.com/MakeNowJust/heredoc/LICENSE b/vendor/github.com/MakeNowJust/heredoc/LICENSE
new file mode 100644
index 0000000000..6d0eb9d5d6
--- /dev/null
+++ b/vendor/github.com/MakeNowJust/heredoc/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014-2019 TSUYUSATO Kitsune
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/MakeNowJust/heredoc/README.md b/vendor/github.com/MakeNowJust/heredoc/README.md
new file mode 100644
index 0000000000..e9924d2974
--- /dev/null
+++ b/vendor/github.com/MakeNowJust/heredoc/README.md
@@ -0,0 +1,52 @@
+# heredoc
+
+[![Build Status](https://circleci.com/gh/MakeNowJust/heredoc.svg?style=svg)](https://circleci.com/gh/MakeNowJust/heredoc) [![GoDoc](https://godoc.org/github.com/MakeNowJusti/heredoc?status.svg)](https://godoc.org/github.com/MakeNowJust/heredoc)
+
+## About
+
+Package heredoc provides the here-document with keeping indent.
+
+## Install
+
+```console
+$ go get github.com/MakeNowJust/heredoc
+```
+
+## Import
+
+```go
+// usual
+import "github.com/MakeNowJust/heredoc"
+```
+
+## Example
+
+```go
+package main
+
+import (
+	"fmt"
+	"github.com/MakeNowJust/heredoc"
+)
+
+func main() {
+	fmt.Println(heredoc.Doc(`
+		Lorem ipsum dolor sit amet, consectetur adipisicing elit,
+		sed do eiusmod tempor incididunt ut labore et dolore magna
+		aliqua. Ut enim ad minim veniam, ...
+	`))
+	// Output:
+	// Lorem ipsum dolor sit amet, consectetur adipisicing elit,
+	// sed do eiusmod tempor incididunt ut labore et dolore magna
+	// aliqua. Ut enim ad minim veniam, ...
+	//
+}
+```
+
+## API Document
+
+ - [heredoc - GoDoc](https://godoc.org/github.com/MakeNowJust/heredoc)
+
+## License
+
+This software is released under the MIT License, see LICENSE.
diff --git a/vendor/github.com/MakeNowJust/heredoc/heredoc.go b/vendor/github.com/MakeNowJust/heredoc/heredoc.go
new file mode 100644
index 0000000000..1fc0469555
--- /dev/null
+++ b/vendor/github.com/MakeNowJust/heredoc/heredoc.go
@@ -0,0 +1,105 @@
+// Copyright (c) 2014-2019 TSUYUSATO Kitsune
+// This software is released under the MIT License.
+// http://opensource.org/licenses/mit-license.php
+
+// Package heredoc provides creation of here-documents from raw strings.
+//
+// Golang supports raw-string syntax.
+//
+//     doc := `
+//     	Foo
+//     	Bar
+//     `
+//
+// But raw-string cannot recognize indentation. Thus such content is an indented string, equivalent to
+//
+//     "\n\tFoo\n\tBar\n"
+//
+// I dont't want this!
+//
+// However this problem is solved by package heredoc.
+//
+//     doc := heredoc.Doc(`
+//     	Foo
+//     	Bar
+//     `)
+//
+// Is equivalent to
+//
+//     "Foo\nBar\n"
+package heredoc
+
+import (
+	"fmt"
+	"strings"
+	"unicode"
+)
+
+const maxInt = int(^uint(0) >> 1)
+
+// Doc returns un-indented string as here-document.
+func Doc(raw string) string {
+	skipFirstLine := false
+	if len(raw) > 0 && raw[0] == '\n' {
+		raw = raw[1:]
+	} else {
+		skipFirstLine = true
+	}
+
+	lines := strings.Split(raw, "\n")
+
+	minIndentSize := getMinIndent(lines, skipFirstLine)
+	lines = removeIndentation(lines, minIndentSize, skipFirstLine)
+
+	return strings.Join(lines, "\n")
+}
+
+// getMinIndent calculates the minimum indentation in lines, excluding empty lines.
+func getMinIndent(lines []string, skipFirstLine bool) int {
+	minIndentSize := maxInt
+
+	for i, line := range lines {
+		if i == 0 && skipFirstLine {
+			continue
+		}
+
+		indentSize := 0
+		for _, r := range []rune(line) {
+			if unicode.IsSpace(r) {
+				indentSize += 1
+			} else {
+				break
+			}
+		}
+
+		if len(line) == indentSize {
+			if i == len(lines)-1 && indentSize < minIndentSize {
+				lines[i] = ""
+			}
+		} else if indentSize < minIndentSize {
+			minIndentSize = indentSize
+		}
+	}
+	return minIndentSize
+}
+
+// removeIndentation removes n characters from the front of each line in lines.
+// Skips first line if skipFirstLine is true, skips empty lines.
+func removeIndentation(lines []string, n int, skipFirstLine bool) []string {
+	for i, line := range lines {
+		if i == 0 && skipFirstLine {
+			continue
+		}
+
+		if len(lines[i]) >= n {
+			lines[i] = line[n:]
+		}
+	}
+	return lines
+}
+
+// Docf returns unindented and formatted string as here-document.
+// Formatting is done as for fmt.Printf().
+func Docf(raw string, args ...interface{}) string {
+	return fmt.Sprintf(Doc(raw), args...)
+}
diff --git a/vendor/github.com/Masterminds/goutils/.travis.yml b/vendor/github.com/Masterminds/goutils/.travis.yml
new file mode 100644
index 0000000000..4025e01ec4
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/.travis.yml
@@ -0,0 +1,18 @@
+language: go
+
+go:
+  - 1.6
+  - 1.7
+  - 1.8
+  - tip
+
+script:
+  - go test -v
+
+notifications:
+  webhooks:
+    urls:
+      - https://webhooks.gitter.im/e/06e3328629952dabe3e0
+    on_success: change  # options: [always|never|change] default: always
+    on_failure: always  # options: [always|never|change] default: always
+    on_start: never     # options: [always|never|change] default: always
diff --git a/vendor/github.com/Masterminds/goutils/CHANGELOG.md b/vendor/github.com/Masterminds/goutils/CHANGELOG.md
new file mode 100644
index 0000000000..d700ec47f2
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/CHANGELOG.md
@@ -0,0 +1,8 @@
+# 1.0.1 (2017-05-31)
+
+## Fixed
+- #21: Fix generation of alphanumeric strings (thanks @dbarranco)
+
+# 1.0.0 (2014-04-30)
+
+- Initial release.
diff --git a/vendor/github.com/Masterminds/goutils/LICENSE.txt b/vendor/github.com/Masterminds/goutils/LICENSE.txt
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/LICENSE.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/Masterminds/goutils/README.md b/vendor/github.com/Masterminds/goutils/README.md
new file mode 100644
index 0000000000..163ffe72a8
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/README.md
@@ -0,0 +1,70 @@
+GoUtils
+===========
+[![Stability: Maintenance](https://masterminds.github.io/stability/maintenance.svg)](https://masterminds.github.io/stability/maintenance.html)
+[![GoDoc](https://godoc.org/github.com/Masterminds/goutils?status.png)](https://godoc.org/github.com/Masterminds/goutils) [![Build Status](https://travis-ci.org/Masterminds/goutils.svg?branch=master)](https://travis-ci.org/Masterminds/goutils) [![Build status](https://ci.appveyor.com/api/projects/status/sc2b1ew0m7f0aiju?svg=true)](https://ci.appveyor.com/project/mattfarina/goutils)
+
+
+GoUtils provides users with utility functions to manipulate strings in various ways. It is a Go implementation of some
+string manipulation libraries of Java Apache Commons. GoUtils includes the following Java Apache Commons classes:
+* WordUtils    
+* RandomStringUtils  
+* StringUtils (partial implementation)
+
+## Installation
+If you have Go set up on your system, from the GOPATH directory within the command line/terminal, enter this:
+
+	go get github.com/Masterminds/goutils
+
+If you do not have Go set up on your system, please follow the [Go installation directions from the documenation](http://golang.org/doc/install), and then follow the instructions above to install GoUtils.
+
+
+## Documentation
+GoUtils doc is available here: [![GoDoc](https://godoc.org/github.com/Masterminds/goutils?status.png)](https://godoc.org/github.com/Masterminds/goutils)
+
+
+## Usage
+The code snippets below show examples of how to use GoUtils. Some functions return errors while others do not. The first instance below, which does not return an error, is the `Initials` function (located within the `wordutils.go` file).
+
+    package main
+
+    import (
+        "fmt"
+    	"github.com/Masterminds/goutils"
+    )
+
+    func main() {
+
+    	// EXAMPLE 1: A goutils function which returns no errors
+        fmt.Println (goutils.Initials("John Doe Foo")) // Prints out "JDF"
+
+    }
+Some functions return errors mainly due to illegal arguements used as parameters. The code example below illustrates how to deal with function that returns an error. In this instance, the function is the `Random` function (located within the `randomstringutils.go` file).
+
+    package main
+
+    import (
+        "fmt"
+        "github.com/Masterminds/goutils"
+    )
+
+    func main() {
+
+        // EXAMPLE 2: A goutils function which returns an error
+        rand1, err1 := goutils.Random (-1, 0, 0, true, true)  
+
+        if err1 != nil {
+			fmt.Println(err1) // Prints out error message because -1 was entered as the first parameter in goutils.Random(...)
+		} else {
+			fmt.Println(rand1)
+		}
+
+    }
+
+## License
+GoUtils is licensed under the Apache License, Version 2.0. Please check the LICENSE.txt file or visit http://www.apache.org/licenses/LICENSE-2.0 for a copy of the license.
+
+## Issue Reporting
+Make suggestions or report issues using the Git issue tracker: https://github.com/Masterminds/goutils/issues
+
+## Website
+* [GoUtils webpage](http://Masterminds.github.io/goutils/)
diff --git a/vendor/github.com/Masterminds/goutils/appveyor.yml b/vendor/github.com/Masterminds/goutils/appveyor.yml
new file mode 100644
index 0000000000..657564a847
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/appveyor.yml
@@ -0,0 +1,21 @@
+version: build-{build}.{branch}
+
+clone_folder: C:\gopath\src\github.com\Masterminds\goutils
+shallow_clone: true
+
+environment:
+  GOPATH: C:\gopath
+
+platform:
+  - x64
+
+build: off
+
+install:
+  - go version
+  - go env
+
+test_script:
+  - go test -v
+
+deploy: off
diff --git a/vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go b/vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go
new file mode 100644
index 0000000000..8dbd924858
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go
@@ -0,0 +1,230 @@
+/*
+Copyright 2014 Alexander Okoli
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package goutils
+
+import (
+	"crypto/rand"
+	"fmt"
+	"math"
+	"math/big"
+	"unicode"
+)
+
+/*
+CryptoRandomNonAlphaNumeric creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of all characters (ASCII/Unicode values between 0 to 2,147,483,647 (math.MaxInt32)).
+
+Parameter:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...)
+*/
+func CryptoRandomNonAlphaNumeric(count int) (string, error) {
+	return CryptoRandomAlphaNumericCustom(count, false, false)
+}
+
+/*
+CryptoRandomAscii creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of characters whose ASCII value is between 32 and 126 (inclusive).
+
+Parameter:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...)
+*/
+func CryptoRandomAscii(count int) (string, error) {
+	return CryptoRandom(count, 32, 127, false, false)
+}
+
+/*
+CryptoRandomNumeric creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of numeric characters.
+
+Parameter:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...)
+*/
+func CryptoRandomNumeric(count int) (string, error) {
+	return CryptoRandom(count, 0, 0, false, true)
+}
+
+/*
+CryptoRandomAlphabetic creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments.
+
+Parameters:
+	count - the length of random string to create
+	letters - if true, generated string may include alphabetic characters
+	numbers - if true, generated string may include numeric characters
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...)
+*/
+func CryptoRandomAlphabetic(count int) (string, error) {
+	return CryptoRandom(count, 0, 0, true, false)
+}
+
+/*
+CryptoRandomAlphaNumeric creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of alpha-numeric characters.
+
+Parameter:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...)
+*/
+func CryptoRandomAlphaNumeric(count int) (string, error) {
+	return CryptoRandom(count, 0, 0, true, true)
+}
+
+/*
+CryptoRandomAlphaNumericCustom creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments.
+
+Parameters:
+	count - the length of random string to create
+	letters - if true, generated string may include alphabetic characters
+	numbers - if true, generated string may include numeric characters
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...)
+*/
+func CryptoRandomAlphaNumericCustom(count int, letters bool, numbers bool) (string, error) {
+	return CryptoRandom(count, 0, 0, letters, numbers)
+}
+
+/*
+CryptoRandom creates a random string based on a variety of options, using using golang's crypto/rand source of randomness.
+If the parameters start and end are both 0, start and end are set to ' ' and 'z', the ASCII printable characters, will be used,
+unless letters and numbers are both false, in which case, start and end are set to 0 and math.MaxInt32, respectively.
+If chars is not nil, characters stored in chars that are between start and end are chosen.
+
+Parameters:
+	count - the length of random string to create
+	start - the position in set of chars (ASCII/Unicode int) to start at
+	end - the position in set of chars (ASCII/Unicode int) to end before
+	letters - if true, generated string may include alphabetic characters
+	numbers - if true, generated string may include numeric characters
+	chars - the set of chars to choose randoms from. If nil, then it will use the set of all chars.
+
+Returns:
+	string - the random string
+	error - an error stemming from invalid parameters: if count < 0; or the provided chars array is empty; or end <= start; or end > len(chars)
+*/
+func CryptoRandom(count int, start int, end int, letters bool, numbers bool, chars ...rune) (string, error) {
+	if count == 0 {
+		return "", nil
+	} else if count < 0 {
+		err := fmt.Errorf("randomstringutils illegal argument: Requested random string length %v is less than 0.", count) // equiv to err := errors.New("...")
+		return "", err
+	}
+	if chars != nil && len(chars) == 0 {
+		err := fmt.Errorf("randomstringutils illegal argument: The chars array must not be empty")
+		return "", err
+	}
+
+	if start == 0 && end == 0 {
+		if chars != nil {
+			end = len(chars)
+		} else {
+			if !letters && !numbers {
+				end = math.MaxInt32
+			} else {
+				end = 'z' + 1
+				start = ' '
+			}
+		}
+	} else {
+		if end <= start {
+			err := fmt.Errorf("randomstringutils illegal argument: Parameter end (%v) must be greater than start (%v)", end, start)
+			return "", err
+		}
+
+		if chars != nil && end > len(chars) {
+			err := fmt.Errorf("randomstringutils illegal argument: Parameter end (%v) cannot be greater than len(chars) (%v)", end, len(chars))
+			return "", err
+		}
+	}
+
+	buffer := make([]rune, count)
+	gap := end - start
+
+	// high-surrogates range, (\uD800-\uDBFF) = 55296 - 56319
+	//  low-surrogates range, (\uDC00-\uDFFF) = 56320 - 57343
+
+	for count != 0 {
+		count--
+		var ch rune
+		if chars == nil {
+			ch = rune(getCryptoRandomInt(gap) + int64(start))
+		} else {
+			ch = chars[getCryptoRandomInt(gap)+int64(start)]
+		}
+
+		if letters && unicode.IsLetter(ch) || numbers && unicode.IsDigit(ch) || !letters && !numbers {
+			if ch >= 56320 && ch <= 57343 { // low surrogate range
+				if count == 0 {
+					count++
+				} else {
+					// Insert low surrogate
+					buffer[count] = ch
+					count--
+					// Insert high surrogate
+					buffer[count] = rune(55296 + getCryptoRandomInt(128))
+				}
+			} else if ch >= 55296 && ch <= 56191 { // High surrogates range (Partial)
+				if count == 0 {
+					count++
+				} else {
+					// Insert low surrogate
+					buffer[count] = rune(56320 + getCryptoRandomInt(128))
+					count--
+					// Insert high surrogate
+					buffer[count] = ch
+				}
+			} else if ch >= 56192 && ch <= 56319 {
+				// private high surrogate, skip it
+				count++
+			} else {
+				// not one of the surrogates*
+				buffer[count] = ch
+			}
+		} else {
+			count++
+		}
+	}
+	return string(buffer), nil
+}
+
+func getCryptoRandomInt(count int) int64 {
+	nBig, err := rand.Int(rand.Reader, big.NewInt(int64(count)))
+	if err != nil {
+		panic(err)
+	}
+	return nBig.Int64()
+}
diff --git a/vendor/github.com/Masterminds/goutils/randomstringutils.go b/vendor/github.com/Masterminds/goutils/randomstringutils.go
new file mode 100644
index 0000000000..272670231a
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/randomstringutils.go
@@ -0,0 +1,248 @@
+/*
+Copyright 2014 Alexander Okoli
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package goutils
+
+import (
+	"fmt"
+	"math"
+	"math/rand"
+	"time"
+	"unicode"
+)
+
+// RANDOM provides the time-based seed used to generate random numbers
+var RANDOM = rand.New(rand.NewSource(time.Now().UnixNano()))
+
+/*
+RandomNonAlphaNumeric creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of all characters (ASCII/Unicode values between 0 to 2,147,483,647 (math.MaxInt32)).
+
+Parameter:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, RandomSeed(...)
+*/
+func RandomNonAlphaNumeric(count int) (string, error) {
+	return RandomAlphaNumericCustom(count, false, false)
+}
+
+/*
+RandomAscii creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of characters whose ASCII value is between 32 and 126 (inclusive).
+
+Parameter:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, RandomSeed(...)
+*/
+func RandomAscii(count int) (string, error) {
+	return Random(count, 32, 127, false, false)
+}
+
+/*
+RandomNumeric creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of numeric characters.
+
+Parameter:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, RandomSeed(...)
+*/
+func RandomNumeric(count int) (string, error) {
+	return Random(count, 0, 0, false, true)
+}
+
+/*
+RandomAlphabetic creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of alphabetic characters.
+
+Parameters:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, RandomSeed(...)
+*/
+func RandomAlphabetic(count int) (string, error) {
+	return Random(count, 0, 0, true, false)
+}
+
+/*
+RandomAlphaNumeric creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of alpha-numeric characters.
+
+Parameter:
+	count - the length of random string to create
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, RandomSeed(...)
+*/
+func RandomAlphaNumeric(count int) (string, error) {
+	return Random(count, 0, 0, true, true)
+}
+
+/*
+RandomAlphaNumericCustom creates a random string whose length is the number of characters specified.
+Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments.
+
+Parameters:
+	count - the length of random string to create
+	letters - if true, generated string may include alphabetic characters
+	numbers - if true, generated string may include numeric characters
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, RandomSeed(...)
+*/
+func RandomAlphaNumericCustom(count int, letters bool, numbers bool) (string, error) {
+	return Random(count, 0, 0, letters, numbers)
+}
+
+/*
+Random creates a random string based on a variety of options, using default source of randomness.
+This method has exactly the same semantics as RandomSeed(int, int, int, bool, bool, []char, *rand.Rand), but
+instead of using an externally supplied source of randomness, it uses the internal *rand.Rand instance.
+
+Parameters:
+	count - the length of random string to create
+	start - the position in set of chars (ASCII/Unicode int) to start at
+	end - the position in set of chars (ASCII/Unicode int) to end before
+	letters - if true, generated string may include alphabetic characters
+	numbers - if true, generated string may include numeric characters
+	chars - the set of chars to choose randoms from. If nil, then it will use the set of all chars.
+
+Returns:
+	string - the random string
+	error - an error stemming from an invalid parameter within underlying function, RandomSeed(...)
+*/
+func Random(count int, start int, end int, letters bool, numbers bool, chars ...rune) (string, error) {
+	return RandomSeed(count, start, end, letters, numbers, chars, RANDOM)
+}
+
+/*
+RandomSeed creates a random string based on a variety of options, using supplied source of randomness.
+If the parameters start and end are both 0, start and end are set to ' ' and 'z', the ASCII printable characters, will be used,
+unless letters and numbers are both false, in which case, start and end are set to 0 and math.MaxInt32, respectively.
+If chars is not nil, characters stored in chars that are between start and end are chosen.
+This method accepts a user-supplied *rand.Rand instance to use as a source of randomness. By seeding a single *rand.Rand instance
+with a fixed seed and using it for each call, the same random sequence of strings can be generated repeatedly and predictably.
+
+Parameters:
+	count - the length of random string to create
+	start - the position in set of chars (ASCII/Unicode decimals) to start at
+	end - the position in set of chars (ASCII/Unicode decimals) to end before
+	letters - if true, generated string may include alphabetic characters
+	numbers - if true, generated string may include numeric characters
+	chars - the set of chars to choose randoms from. If nil, then it will use the set of all chars.
+	random - a source of randomness.
+
+Returns:
+	string - the random string
+	error - an error stemming from invalid parameters: if count < 0; or the provided chars array is empty; or end <= start; or end > len(chars)
+*/
+func RandomSeed(count int, start int, end int, letters bool, numbers bool, chars []rune, random *rand.Rand) (string, error) {
+
+	if count == 0 {
+		return "", nil
+	} else if count < 0 {
+		err := fmt.Errorf("randomstringutils illegal argument: Requested random string length %v is less than 0.", count) // equiv to err := errors.New("...")
+		return "", err
+	}
+	if chars != nil && len(chars) == 0 {
+		err := fmt.Errorf("randomstringutils illegal argument: The chars array must not be empty")
+		return "", err
+	}
+
+	if start == 0 && end == 0 {
+		if chars != nil {
+			end = len(chars)
+		} else {
+			if !letters && !numbers {
+				end = math.MaxInt32
+			} else {
+				end = 'z' + 1
+				start = ' '
+			}
+		}
+	} else {
+		if end <= start {
+			err := fmt.Errorf("randomstringutils illegal argument: Parameter end (%v) must be greater than start (%v)", end, start)
+			return "", err
+		}
+
+		if chars != nil && end > len(chars) {
+			err := fmt.Errorf("randomstringutils illegal argument: Parameter end (%v) cannot be greater than len(chars) (%v)", end, len(chars))
+			return "", err
+		}
+	}
+
+	buffer := make([]rune, count)
+	gap := end - start
+
+	// high-surrogates range, (\uD800-\uDBFF) = 55296 - 56319
+	//  low-surrogates range, (\uDC00-\uDFFF) = 56320 - 57343
+
+	for count != 0 {
+		count--
+		var ch rune
+		if chars == nil {
+			ch = rune(random.Intn(gap) + start)
+		} else {
+			ch = chars[random.Intn(gap)+start]
+		}
+
+		if letters && unicode.IsLetter(ch) || numbers && unicode.IsDigit(ch) || !letters && !numbers {
+			if ch >= 56320 && ch <= 57343 { // low surrogate range
+				if count == 0 {
+					count++
+				} else {
+					// Insert low surrogate
+					buffer[count] = ch
+					count--
+					// Insert high surrogate
+					buffer[count] = rune(55296 + random.Intn(128))
+				}
+			} else if ch >= 55296 && ch <= 56191 { // High surrogates range (Partial)
+				if count == 0 {
+					count++
+				} else {
+					// Insert low surrogate
+					buffer[count] = rune(56320 + random.Intn(128))
+					count--
+					// Insert high surrogate
+					buffer[count] = ch
+				}
+			} else if ch >= 56192 && ch <= 56319 {
+				// private high surrogate, skip it
+				count++
+			} else {
+				// not one of the surrogates*
+				buffer[count] = ch
+			}
+		} else {
+			count++
+		}
+	}
+	return string(buffer), nil
+}
diff --git a/vendor/github.com/Masterminds/goutils/stringutils.go b/vendor/github.com/Masterminds/goutils/stringutils.go
new file mode 100644
index 0000000000..741bb530e8
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/stringutils.go
@@ -0,0 +1,240 @@
+/*
+Copyright 2014 Alexander Okoli
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package goutils
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"unicode"
+)
+
+// Typically returned by functions where a searched item cannot be found
+const INDEX_NOT_FOUND = -1
+
+/*
+Abbreviate abbreviates a string using ellipses. This will turn  the string "Now is the time for all good men" into "Now is the time for..."
+
+Specifically, the algorithm is as follows:
+
+    - If str is less than maxWidth characters long, return it.
+    - Else abbreviate it to (str[0:maxWidth - 3] + "...").
+    - If maxWidth is less than 4, return an illegal argument error.
+    - In no case will it return a string of length greater than maxWidth.
+
+Parameters:
+    str -  the string to check
+    maxWidth - maximum length of result string, must be at least 4
+
+Returns:
+    string - abbreviated string
+    error - if the width is too small
+*/
+func Abbreviate(str string, maxWidth int) (string, error) {
+	return AbbreviateFull(str, 0, maxWidth)
+}
+
+/*
+AbbreviateFull abbreviates a string using ellipses. This will turn the string "Now is the time for all good men" into "...is the time for..."
+This function works like Abbreviate(string, int), but allows you to specify a "left edge" offset. Note that this left edge is not
+necessarily going to be the leftmost character in the result, or the first character following the ellipses, but it will appear
+somewhere in the result.
+In no case will it return a string of length greater than maxWidth.
+
+Parameters:
+    str - the string to check
+    offset - left edge of source string
+    maxWidth - maximum length of result string, must be at least 4
+
+Returns:
+    string - abbreviated string
+    error - if the width is too small
+*/
+func AbbreviateFull(str string, offset int, maxWidth int) (string, error) {
+	if str == "" {
+		return "", nil
+	}
+	if maxWidth < 4 {
+		err := fmt.Errorf("stringutils illegal argument: Minimum abbreviation width is 4")
+		return "", err
+	}
+	if len(str) <= maxWidth {
+		return str, nil
+	}
+	if offset > len(str) {
+		offset = len(str)
+	}
+	if len(str)-offset < (maxWidth - 3) { // 15 - 5 < 10 - 3 =  10 < 7
+		offset = len(str) - (maxWidth - 3)
+	}
+	abrevMarker := "..."
+	if offset <= 4 {
+		return str[0:maxWidth-3] + abrevMarker, nil // str.substring(0, maxWidth - 3) + abrevMarker;
+	}
+	if maxWidth < 7 {
+		err := fmt.Errorf("stringutils illegal argument: Minimum abbreviation width with offset is 7")
+		return "", err
+	}
+	if (offset + maxWidth - 3) < len(str) { // 5 + (10-3) < 15 = 12 < 15
+		abrevStr, _ := Abbreviate(str[offset:len(str)], (maxWidth - 3))
+		return abrevMarker + abrevStr, nil // abrevMarker + abbreviate(str.substring(offset), maxWidth - 3);
+	}
+	return abrevMarker + str[(len(str)-(maxWidth-3)):len(str)], nil // abrevMarker + str.substring(str.length() - (maxWidth - 3));
+}
+
+/*
+DeleteWhiteSpace deletes all whitespaces from a string as defined by unicode.IsSpace(rune).
+It returns the string without whitespaces.
+
+Parameter:
+    str - the string to delete whitespace from, may be nil
+
+Returns:
+    the string without whitespaces
+*/
+func DeleteWhiteSpace(str string) string {
+	if str == "" {
+		return str
+	}
+	sz := len(str)
+	var chs bytes.Buffer
+	count := 0
+	for i := 0; i < sz; i++ {
+		ch := rune(str[i])
+		if !unicode.IsSpace(ch) {
+			chs.WriteRune(ch)
+			count++
+		}
+	}
+	if count == sz {
+		return str
+	}
+	return chs.String()
+}
+
+/*
+IndexOfDifference compares two strings, and returns the index at which the strings begin to differ.
+
+Parameters:
+    str1 - the first string
+    str2 - the second string
+
+Returns:
+    the index where str1 and str2 begin to differ; -1 if they are equal
+*/
+func IndexOfDifference(str1 string, str2 string) int {
+	if str1 == str2 {
+		return INDEX_NOT_FOUND
+	}
+	if IsEmpty(str1) || IsEmpty(str2) {
+		return 0
+	}
+	var i int
+	for i = 0; i < len(str1) && i < len(str2); i++ {
+		if rune(str1[i]) != rune(str2[i]) {
+			break
+		}
+	}
+	if i < len(str2) || i < len(str1) {
+		return i
+	}
+	return INDEX_NOT_FOUND
+}
+
+/*
+IsBlank checks if a string is whitespace or empty (""). Observe the following behavior:
+
+    goutils.IsBlank("")        = true
+    goutils.IsBlank(" ")       = true
+    goutils.IsBlank("bob")     = false
+    goutils.IsBlank("  bob  ") = false
+
+Parameter:
+    str - the string to check
+
+Returns:
+    true - if the string is whitespace or empty ("")
+*/
+func IsBlank(str string) bool {
+	strLen := len(str)
+	if str == "" || strLen == 0 {
+		return true
+	}
+	for i := 0; i < strLen; i++ {
+		if unicode.IsSpace(rune(str[i])) == false {
+			return false
+		}
+	}
+	return true
+}
+
+/*
+IndexOf returns the index of the first instance of sub in str, with the search beginning from the
+index start point specified. -1 is returned if sub is not present in str.
+
+An empty string ("") will return -1 (INDEX_NOT_FOUND). A negative start position is treated as zero.
+A start position greater than the string length returns -1.
+
+Parameters:
+    str - the string to check
+    sub - the substring to find
+    start - the start position; negative treated as zero
+
+Returns:
+    the first index where the sub string was found  (always >= start)
+*/
+func IndexOf(str string, sub string, start int) int {
+
+	if start < 0 {
+		start = 0
+	}
+
+	if len(str) < start {
+		return INDEX_NOT_FOUND
+	}
+
+	if IsEmpty(str) || IsEmpty(sub) {
+		return INDEX_NOT_FOUND
+	}
+
+	partialIndex := strings.Index(str[start:len(str)], sub)
+	if partialIndex == -1 {
+		return INDEX_NOT_FOUND
+	}
+	return partialIndex + start
+}
+
+// IsEmpty checks if a string is empty (""). Returns true if empty, and false otherwise.
+func IsEmpty(str string) bool {
+	return len(str) == 0
+}
+
+// Returns either the passed in string, or if the string is empty, the value of defaultStr.
+func DefaultString(str string, defaultStr string) string {
+	if IsEmpty(str) {
+		return defaultStr
+	}
+	return str
+}
+
+// Returns either the passed in string, or if the string is whitespace, empty (""), the value of defaultStr.
+func DefaultIfBlank(str string, defaultStr string) string {
+	if IsBlank(str) {
+		return defaultStr
+	}
+	return str
+}
diff --git a/vendor/github.com/Masterminds/goutils/wordutils.go b/vendor/github.com/Masterminds/goutils/wordutils.go
new file mode 100644
index 0000000000..034cad8e21
--- /dev/null
+++ b/vendor/github.com/Masterminds/goutils/wordutils.go
@@ -0,0 +1,357 @@
+/*
+Copyright 2014 Alexander Okoli
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package goutils provides utility functions to manipulate strings in various ways.
+The code snippets below show examples of how to use goutils. Some functions return
+errors while others do not, so usage would vary as a result.
+
+Example:
+
+    package main
+
+    import (
+        "fmt"
+        "github.com/aokoli/goutils"
+    )
+
+    func main() {
+
+        // EXAMPLE 1: A goutils function which returns no errors
+        fmt.Println (goutils.Initials("John Doe Foo")) // Prints out "JDF"
+
+
+
+        // EXAMPLE 2: A goutils function which returns an error
+        rand1, err1 := goutils.Random (-1, 0, 0, true, true)
+
+        if err1 != nil {
+            fmt.Println(err1) // Prints out error message because -1 was entered as the first parameter in goutils.Random(...)
+        } else {
+            fmt.Println(rand1)
+        }
+    }
+*/
+package goutils
+
+import (
+	"bytes"
+	"strings"
+	"unicode"
+)
+
+// VERSION indicates the current version of goutils
+const VERSION = "1.0.0"
+
+/*
+Wrap wraps a single line of text, identifying words by ' '.
+New lines will be separated by '\n'. Very long words, such as URLs will not be wrapped.
+Leading spaces on a new line are stripped. Trailing spaces are not stripped.
+
+Parameters:
+    str - the string to be word wrapped
+    wrapLength - the column (a column can fit only one character) to wrap the words at, less than 1 is treated as 1
+
+Returns:
+    a line with newlines inserted
+*/
+func Wrap(str string, wrapLength int) string {
+	return WrapCustom(str, wrapLength, "", false)
+}
+
+/*
+WrapCustom wraps a single line of text, identifying words by ' '.
+Leading spaces on a new line are stripped. Trailing spaces are not stripped.
+
+Parameters:
+    str - the string to be word wrapped
+    wrapLength - the column number (a column can fit only one character) to wrap the words at, less than 1 is treated as 1
+    newLineStr - the string to insert for a new line, "" uses '\n'
+    wrapLongWords - true if long words (such as URLs) should be wrapped
+
+Returns:
+    a line with newlines inserted
+*/
+func WrapCustom(str string, wrapLength int, newLineStr string, wrapLongWords bool) string {
+
+	if str == "" {
+		return ""
+	}
+	if newLineStr == "" {
+		newLineStr = "\n" // TODO Assumes "\n" is seperator. Explore SystemUtils.LINE_SEPARATOR from Apache Commons
+	}
+	if wrapLength < 1 {
+		wrapLength = 1
+	}
+
+	inputLineLength := len(str)
+	offset := 0
+
+	var wrappedLine bytes.Buffer
+
+	for inputLineLength-offset > wrapLength {
+
+		if rune(str[offset]) == ' ' {
+			offset++
+			continue
+		}
+
+		end := wrapLength + offset + 1
+		spaceToWrapAt := strings.LastIndex(str[offset:end], " ") + offset
+
+		if spaceToWrapAt >= offset {
+			// normal word (not longer than wrapLength)
+			wrappedLine.WriteString(str[offset:spaceToWrapAt])
+			wrappedLine.WriteString(newLineStr)
+			offset = spaceToWrapAt + 1
+
+		} else {
+			// long word or URL
+			if wrapLongWords {
+				end := wrapLength + offset
+				// long words are wrapped one line at a time
+				wrappedLine.WriteString(str[offset:end])
+				wrappedLine.WriteString(newLineStr)
+				offset += wrapLength
+			} else {
+				// long words aren't wrapped, just extended beyond limit
+				end := wrapLength + offset
+				index := strings.IndexRune(str[end:len(str)], ' ')
+				if index == -1 {
+					wrappedLine.WriteString(str[offset:len(str)])
+					offset = inputLineLength
+				} else {
+					spaceToWrapAt = index + end
+					wrappedLine.WriteString(str[offset:spaceToWrapAt])
+					wrappedLine.WriteString(newLineStr)
+					offset = spaceToWrapAt + 1
+				}
+			}
+		}
+	}
+
+	wrappedLine.WriteString(str[offset:len(str)])
+
+	return wrappedLine.String()
+
+}
+
+/*
+Capitalize capitalizes all the delimiter separated words in a string. Only the first letter of each word is changed.
+To convert the rest of each word to lowercase at the same time, use CapitalizeFully(str string, delimiters ...rune).
+The delimiters represent a set of characters understood to separate words. The first string character
+and the first non-delimiter character after a delimiter will be capitalized. A "" input string returns "".
+Capitalization uses the Unicode title case, normally equivalent to upper case.
+
+Parameters:
+    str - the string to capitalize
+    delimiters - set of characters to determine capitalization, exclusion of this parameter means whitespace would be delimeter
+
+Returns:
+    capitalized string
+*/
+func Capitalize(str string, delimiters ...rune) string {
+
+	var delimLen int
+
+	if delimiters == nil {
+		delimLen = -1
+	} else {
+		delimLen = len(delimiters)
+	}
+
+	if str == "" || delimLen == 0 {
+		return str
+	}
+
+	buffer := []rune(str)
+	capitalizeNext := true
+	for i := 0; i < len(buffer); i++ {
+		ch := buffer[i]
+		if isDelimiter(ch, delimiters...) {
+			capitalizeNext = true
+		} else if capitalizeNext {
+			buffer[i] = unicode.ToTitle(ch)
+			capitalizeNext = false
+		}
+	}
+	return string(buffer)
+
+}
+
+/*
+CapitalizeFully converts all the delimiter separated words in a string into capitalized words, that is each word is made up of a
+titlecase character and then a series of lowercase characters. The delimiters represent a set of characters understood
+to separate words. The first string character and the first non-delimiter character after a delimiter will be capitalized.
+Capitalization uses the Unicode title case, normally equivalent to upper case.
+
+Parameters:
+    str - the string to capitalize fully
+    delimiters - set of characters to determine capitalization, exclusion of this parameter means whitespace would be delimeter
+
+Returns:
+    capitalized string
+*/
+func CapitalizeFully(str string, delimiters ...rune) string {
+
+	var delimLen int
+
+	if delimiters == nil {
+		delimLen = -1
+	} else {
+		delimLen = len(delimiters)
+	}
+
+	if str == "" || delimLen == 0 {
+		return str
+	}
+	str = strings.ToLower(str)
+	return Capitalize(str, delimiters...)
+}
+
+/*
+Uncapitalize uncapitalizes all the whitespace separated words in a string. Only the first letter of each word is changed.
+The delimiters represent a set of characters understood to separate words. The first string character and the first non-delimiter
+character after a delimiter will be uncapitalized. Whitespace is defined by unicode.IsSpace(char).
+
+Parameters:
+    str - the string to uncapitalize fully
+    delimiters - set of characters to determine capitalization, exclusion of this parameter means whitespace would be delimeter
+
+Returns:
+    uncapitalized string
+*/
+func Uncapitalize(str string, delimiters ...rune) string {
+
+	var delimLen int
+
+	if delimiters == nil {
+		delimLen = -1
+	} else {
+		delimLen = len(delimiters)
+	}
+
+	if str == "" || delimLen == 0 {
+		return str
+	}
+
+	buffer := []rune(str)
+	uncapitalizeNext := true // TODO Always makes capitalize/un apply to first char.
+	for i := 0; i < len(buffer); i++ {
+		ch := buffer[i]
+		if isDelimiter(ch, delimiters...) {
+			uncapitalizeNext = true
+		} else if uncapitalizeNext {
+			buffer[i] = unicode.ToLower(ch)
+			uncapitalizeNext = false
+		}
+	}
+	return string(buffer)
+}
+
+/*
+SwapCase swaps the case of a string using a word based algorithm.
+
+Conversion algorithm:
+
+    Upper case character converts to Lower case
+    Title case character converts to Lower case
+    Lower case character after Whitespace or at start converts to Title case
+    Other Lower case character converts to Upper case
+    Whitespace is defined by unicode.IsSpace(char).
+
+Parameters:
+    str - the string to swap case
+
+Returns:
+    the changed string
+*/
+func SwapCase(str string) string {
+	if str == "" {
+		return str
+	}
+	buffer := []rune(str)
+
+	whitespace := true
+
+	for i := 0; i < len(buffer); i++ {
+		ch := buffer[i]
+		if unicode.IsUpper(ch) {
+			buffer[i] = unicode.ToLower(ch)
+			whitespace = false
+		} else if unicode.IsTitle(ch) {
+			buffer[i] = unicode.ToLower(ch)
+			whitespace = false
+		} else if unicode.IsLower(ch) {
+			if whitespace {
+				buffer[i] = unicode.ToTitle(ch)
+				whitespace = false
+			} else {
+				buffer[i] = unicode.ToUpper(ch)
+			}
+		} else {
+			whitespace = unicode.IsSpace(ch)
+		}
+	}
+	return string(buffer)
+}
+
+/*
+Initials extracts the initial letters from each word in the string. The first letter of the string and all first
+letters after the defined delimiters are returned as a new string. Their case is not changed. If the delimiters
+parameter is excluded, then Whitespace is used. Whitespace is defined by unicode.IsSpacea(char). An empty delimiter array returns an empty string.
+
+Parameters:
+    str - the string to get initials from
+    delimiters - set of characters to determine words, exclusion of this parameter means whitespace would be delimeter
+Returns:
+    string of initial letters
+*/
+func Initials(str string, delimiters ...rune) string {
+	if str == "" {
+		return str
+	}
+	if delimiters != nil && len(delimiters) == 0 {
+		return ""
+	}
+	strLen := len(str)
+	var buf bytes.Buffer
+	lastWasGap := true
+	for i := 0; i < strLen; i++ {
+		ch := rune(str[i])
+
+		if isDelimiter(ch, delimiters...) {
+			lastWasGap = true
+		} else if lastWasGap {
+			buf.WriteRune(ch)
+			lastWasGap = false
+		}
+	}
+	return buf.String()
+}
+
+// private function (lower case func name)
+func isDelimiter(ch rune, delimiters ...rune) bool {
+	if delimiters == nil {
+		return unicode.IsSpace(ch)
+	}
+	for _, delimiter := range delimiters {
+		if ch == delimiter {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/github.com/Masterminds/semver/v3/.gitignore b/vendor/github.com/Masterminds/semver/v3/.gitignore
new file mode 100644
index 0000000000..6b061e6174
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/.gitignore
@@ -0,0 +1 @@
+_fuzz/
\ No newline at end of file
diff --git a/vendor/github.com/Masterminds/semver/v3/.golangci.yml b/vendor/github.com/Masterminds/semver/v3/.golangci.yml
new file mode 100644
index 0000000000..fbc6332592
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/.golangci.yml
@@ -0,0 +1,27 @@
+run:
+  deadline: 2m
+
+linters:
+  disable-all: true
+  enable:
+    - misspell
+    - govet
+    - staticcheck
+    - errcheck
+    - unparam
+    - ineffassign
+    - nakedret
+    - gocyclo
+    - dupl
+    - goimports
+    - revive
+    - gosec
+    - gosimple
+    - typecheck
+    - unused
+
+linters-settings:
+  gofmt:
+    simplify: true
+  dupl:
+    threshold: 600
diff --git a/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md b/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md
new file mode 100644
index 0000000000..fabe5e43dc
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md
@@ -0,0 +1,268 @@
+# Changelog
+
+## 3.4.0 (2025-06-27)
+
+### Added
+
+- #268: Added property to Constraints to include prereleases for Check and Validate
+
+### Changed
+
+- #263: Updated Go testing for 1.24, 1.23, and 1.22
+- #269: Updated the error message handling for message case and wrapping errors
+- #266: Restore the ability to have leading 0's when parsing with NewVersion.
+  Opt-out of this by setting CoerceNewVersion to false.
+
+### Fixed
+
+- #257: Fixed the CodeQL link (thanks @dmitris)
+- #262: Restored detailed errors when failed to parse with NewVersion. Opt-out
+  of this by setting DetailedNewVersionErrors to false for faster performance.
+- #267: Handle pre-releases for an "and" group if one constraint includes them
+
+## 3.3.1 (2024-11-19)
+
+### Fixed
+
+- #253: Fix for allowing some version that were invalid
+
+## 3.3.0 (2024-08-27)
+
+### Added
+
+- #238: Add LessThanEqual and GreaterThanEqual functions (thanks @grosser)
+- #213: nil version equality checking (thanks @KnutZuidema)
+
+### Changed
+
+- #241: Simplify StrictNewVersion parsing (thanks @grosser)
+- Testing support up through Go 1.23
+- Minimum version set to 1.21 as this is what's tested now
+- Fuzz testing now supports caching
+
+## 3.2.1 (2023-04-10)
+
+### Changed
+
+- #198: Improved testing around pre-release names
+- #200: Improved code scanning with addition of CodeQL
+- #201: Testing now includes Go 1.20. Go 1.17 has been dropped
+- #202: Migrated Fuzz testing to Go built-in Fuzzing. CI runs daily
+- #203: Docs updated for security details
+
+### Fixed
+
+- #199: Fixed issue with range transformations
+
+## 3.2.0 (2022-11-28)
+
+### Added
+
+- #190: Added text marshaling and unmarshaling
+- #167: Added JSON marshalling for constraints (thanks @SimonTheLeg)
+- #173: Implement encoding.TextMarshaler and encoding.TextUnmarshaler on Version (thanks @MarkRosemaker)
+- #179: Added New() version constructor (thanks @kazhuravlev)
+
+### Changed
+
+- #182/#183: Updated CI testing setup
+
+### Fixed
+
+- #186: Fixing issue where validation of constraint section gave false positives
+- #176: Fix constraints check with *-0 (thanks @mtt0)
+- #181: Fixed Caret operator (^) gives unexpected results when the minor version in constraint is 0 (thanks @arshchimni)
+- #161: Fixed godoc (thanks @afirth)
+
+## 3.1.1 (2020-11-23)
+
+### Fixed
+
+- #158: Fixed issue with generated regex operation order that could cause problem
+
+## 3.1.0 (2020-04-15)
+
+### Added
+
+- #131: Add support for serializing/deserializing SQL (thanks @ryancurrah)
+
+### Changed
+
+- #148: More accurate validation messages on constraints
+
+## 3.0.3 (2019-12-13)
+
+### Fixed
+
+- #141: Fixed issue with <= comparison
+
+## 3.0.2 (2019-11-14)
+
+### Fixed
+
+- #134: Fixed broken constraint checking with ^0.0 (thanks @krmichelos)
+
+## 3.0.1 (2019-09-13)
+
+### Fixed
+
+- #125: Fixes issue with module path for v3
+
+## 3.0.0 (2019-09-12)
+
+This is a major release of the semver package which includes API changes. The Go
+API is compatible with ^1. The Go API was not changed because many people are using
+`go get` without Go modules for their applications and API breaking changes cause
+errors which we have or would need to support.
+
+The changes in this release are the handling based on the data passed into the
+functions. These are described in the added and changed sections below.
+
+### Added
+
+- StrictNewVersion function. This is similar to NewVersion but will return an
+  error if the version passed in is not a strict semantic version. For example,
+  1.2.3 would pass but v1.2.3 or 1.2 would fail because they are not strictly
+  speaking semantic versions. This function is faster, performs fewer operations,
+  and uses fewer allocations than NewVersion.
+- Fuzzing has been performed on NewVersion, StrictNewVersion, and NewConstraint.
+  The Makefile contains the operations used. For more information on you can start
+  on Wikipedia at https://en.wikipedia.org/wiki/Fuzzing
+- Now using Go modules
+
+### Changed
+
+- NewVersion has proper prerelease and metadata validation with error messages
+  to signal an issue with either of them
+- ^ now operates using a similar set of rules to npm/js and Rust/Cargo. If the
+  version is >=1 the ^ ranges works the same as v1. For major versions of 0 the
+  rules have changed. The minor version is treated as the stable version unless
+  a patch is specified and then it is equivalent to =. One difference from npm/js
+  is that prereleases there are only to a specific version (e.g. 1.2.3).
+  Prereleases here look over multiple versions and follow semantic version
+  ordering rules. This pattern now follows along with the expected and requested
+  handling of this packaged by numerous users.
+
+## 1.5.0 (2019-09-11)
+
+### Added
+
+- #103: Add basic fuzzing for `NewVersion()` (thanks @jesse-c)
+
+### Changed
+
+- #82: Clarify wildcard meaning in range constraints and update tests for it (thanks @greysteil)
+- #83: Clarify caret operator range for pre-1.0.0 dependencies (thanks @greysteil)
+- #72: Adding docs comment pointing to vert for a cli
+- #71: Update the docs on pre-release comparator handling
+- #89: Test with new go versions (thanks @thedevsaddam)
+- #87: Added $ to ValidPrerelease for better validation (thanks @jeremycarroll)
+
+### Fixed
+
+- #78: Fix unchecked error in example code (thanks @ravron)
+- #70: Fix the handling of pre-releases and the 0.0.0 release edge case
+- #97: Fixed copyright file for proper display on GitHub
+- #107: Fix handling prerelease when sorting alphanum and num
+- #109: Fixed where Validate sometimes returns wrong message on error
+
+## 1.4.2 (2018-04-10)
+
+### Changed
+
+- #72: Updated the docs to point to vert for a console appliaction
+- #71: Update the docs on pre-release comparator handling
+
+### Fixed
+
+- #70: Fix the handling of pre-releases and the 0.0.0 release edge case
+
+## 1.4.1 (2018-04-02)
+
+### Fixed
+
+- Fixed #64: Fix pre-release precedence issue (thanks @uudashr)
+
+## 1.4.0 (2017-10-04)
+
+### Changed
+
+- #61: Update NewVersion to parse ints with a 64bit int size (thanks @zknill)
+
+## 1.3.1 (2017-07-10)
+
+### Fixed
+
+- Fixed #57: number comparisons in prerelease sometimes inaccurate
+
+## 1.3.0 (2017-05-02)
+
+### Added
+
+- #45: Added json (un)marshaling support (thanks @mh-cbon)
+- Stability marker. See https://masterminds.github.io/stability/
+
+### Fixed
+
+- #51: Fix handling of single digit tilde constraint (thanks @dgodd)
+
+### Changed
+
+- #55: The godoc icon moved from png to svg
+
+## 1.2.3 (2017-04-03)
+
+### Fixed
+
+- #46: Fixed 0.x.x and 0.0.x in constraints being treated as *
+
+## Release 1.2.2 (2016-12-13)
+
+### Fixed
+
+- #34: Fixed issue where hyphen range was not working with pre-release parsing.
+
+## Release 1.2.1 (2016-11-28)
+
+### Fixed
+
+- #24: Fixed edge case issue where constraint "> 0" does not handle "0.0.1-alpha"
+  properly.
+
+## Release 1.2.0 (2016-11-04)
+
+### Added
+
+- #20: Added MustParse function for versions (thanks @adamreese)
+- #15: Added increment methods on versions (thanks @mh-cbon)
+
+### Fixed
+
+- Issue #21: Per the SemVer spec (section 9) a pre-release is unstable and
+  might not satisfy the intended compatibility. The change here ignores pre-releases
+  on constraint checks (e.g., ~ or ^) when a pre-release is not part of the
+  constraint. For example, `^1.2.3` will ignore pre-releases while
+  `^1.2.3-alpha` will include them.
+
+## Release 1.1.1 (2016-06-30)
+
+### Changed
+
+- Issue #9: Speed up version comparison performance (thanks @sdboyer)
+- Issue #8: Added benchmarks (thanks @sdboyer)
+- Updated Go Report Card URL to new location
+- Updated Readme to add code snippet formatting (thanks @mh-cbon)
+- Updating tagging to v[SemVer] structure for compatibility with other tools.
+
+## Release 1.1.0 (2016-03-11)
+
+- Issue #2: Implemented validation to provide reasons a versions failed a
+  constraint.
+
+## Release 1.0.1 (2015-12-31)
+
+- Fixed #1: * constraint failing on valid versions.
+
+## Release 1.0.0 (2015-10-20)
+
+- Initial release
diff --git a/vendor/github.com/Masterminds/semver/v3/LICENSE.txt b/vendor/github.com/Masterminds/semver/v3/LICENSE.txt
new file mode 100644
index 0000000000..9ff7da9c48
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/LICENSE.txt
@@ -0,0 +1,19 @@
+Copyright (C) 2014-2019, Matt Butcher and Matt Farina
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/Masterminds/semver/v3/Makefile b/vendor/github.com/Masterminds/semver/v3/Makefile
new file mode 100644
index 0000000000..9ca87a2c79
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/Makefile
@@ -0,0 +1,31 @@
+GOPATH=$(shell go env GOPATH)
+GOLANGCI_LINT=$(GOPATH)/bin/golangci-lint
+
+.PHONY: lint
+lint: $(GOLANGCI_LINT)
+	@echo "==> Linting codebase"
+	@$(GOLANGCI_LINT) run
+
+.PHONY: test
+test:
+	@echo "==> Running tests"
+	GO111MODULE=on go test -v
+
+.PHONY: test-cover
+test-cover:
+	@echo "==> Running Tests with coverage"
+	GO111MODULE=on go test -cover .
+
+.PHONY: fuzz
+fuzz:
+	@echo "==> Running Fuzz Tests"
+	go env GOCACHE
+	go test -fuzz=FuzzNewVersion -fuzztime=15s .
+	go test -fuzz=FuzzStrictNewVersion -fuzztime=15s .
+	go test -fuzz=FuzzNewConstraint -fuzztime=15s .
+
+$(GOLANGCI_LINT):
+	# Install golangci-lint. The configuration for it is in the .golangci.yml
+	# file in the root of the repository
+	echo ${GOPATH}
+	curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.56.2
diff --git a/vendor/github.com/Masterminds/semver/v3/README.md b/vendor/github.com/Masterminds/semver/v3/README.md
new file mode 100644
index 0000000000..2f56c676a5
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/README.md
@@ -0,0 +1,274 @@
+# SemVer
+
+The `semver` package provides the ability to work with [Semantic Versions](http://semver.org) in Go. Specifically it provides the ability to:
+
+* Parse semantic versions
+* Sort semantic versions
+* Check if a semantic version fits within a set of constraints
+* Optionally work with a `v` prefix
+
+[![Stability:
+Active](https://masterminds.github.io/stability/active.svg)](https://masterminds.github.io/stability/active.html)
+[![](https://github.com/Masterminds/semver/workflows/Tests/badge.svg)](https://github.com/Masterminds/semver/actions)
+[![GoDoc](https://img.shields.io/static/v1?label=godoc&message=reference&color=blue)](https://pkg.go.dev/github.com/Masterminds/semver/v3)
+[![Go Report Card](https://goreportcard.com/badge/github.com/Masterminds/semver)](https://goreportcard.com/report/github.com/Masterminds/semver)
+
+## Package Versions
+
+Note, import `github.com/Masterminds/semver/v3` to use the latest version.
+
+There are three major versions fo the `semver` package.
+
+* 3.x.x is the stable and active version. This version is focused on constraint
+  compatibility for range handling in other tools from other languages. It has
+  a similar API to the v1 releases. The development of this version is on the master
+  branch. The documentation for this version is below.
+* 2.x was developed primarily for [dep](https://github.com/golang/dep). There are
+  no tagged releases and the development was performed by [@sdboyer](https://github.com/sdboyer).
+  There are API breaking changes from v1. This version lives on the [2.x branch](https://github.com/Masterminds/semver/tree/2.x).
+* 1.x.x is the original release. It is no longer maintained. You should use the
+  v3 release instead. You can read the documentation for the 1.x.x release
+  [here](https://github.com/Masterminds/semver/blob/release-1/README.md).
+
+## Parsing Semantic Versions
+
+There are two functions that can parse semantic versions. The `StrictNewVersion`
+function only parses valid version 2 semantic versions as outlined in the
+specification. The `NewVersion` function attempts to coerce a version into a
+semantic version and parse it. For example, if there is a leading v or a version
+listed without all 3 parts (e.g. `v1.2`) it will attempt to coerce it into a valid
+semantic version (e.g., 1.2.0). In both cases a `Version` object is returned
+that can be sorted, compared, and used in constraints.
+
+When parsing a version an error is returned if there is an issue parsing the
+version. For example,
+
+    v, err := semver.NewVersion("1.2.3-beta.1+build345")
+
+The version object has methods to get the parts of the version, compare it to
+other versions, convert the version back into a string, and get the original
+string. Getting the original string is useful if the semantic version was coerced
+into a valid form.
+
+There are package level variables that affect how `NewVersion` handles parsing.
+
+- `CoerceNewVersion` is `true` by default. When set to `true` it coerces non-compliant
+  versions into SemVer. For example, allowing a leading 0 in a major, minor, or patch
+  part. This enables the use of CalVer in versions even when not compliant with SemVer.
+  When set to `false` less coercion work is done.
+- `DetailedNewVersionErrors` provides more detailed errors. It only has an affect when
+  `CoerceNewVersion` is set to `false`. When `DetailedNewVersionErrors` is set to `true`
+  it can provide some more insight into why a version is invalid. Setting
+  `DetailedNewVersionErrors` to `false` is faster on performance but provides less
+  detailed error messages if a version fails to parse.
+
+## Sorting Semantic Versions
+
+A set of versions can be sorted using the `sort` package from the standard library.
+For example,
+
+```go
+raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",}
+vs := make([]*semver.Version, len(raw))
+for i, r := range raw {
+    v, err := semver.NewVersion(r)
+    if err != nil {
+        t.Errorf("Error parsing version: %s", err)
+    }
+
+    vs[i] = v
+}
+
+sort.Sort(semver.Collection(vs))
+```
+
+## Checking Version Constraints
+
+There are two methods for comparing versions. One uses comparison methods on
+`Version` instances and the other uses `Constraints`. There are some important
+differences to notes between these two methods of comparison.
+
+1. When two versions are compared using functions such as `Compare`, `LessThan`,
+   and others it will follow the specification and always include pre-releases
+   within the comparison. It will provide an answer that is valid with the
+   comparison section of the spec at https://semver.org/#spec-item-11
+2. When constraint checking is used for checks or validation it will follow a
+   different set of rules that are common for ranges with tools like npm/js
+   and Rust/Cargo. This includes considering pre-releases to be invalid if the
+   ranges does not include one. If you want to have it include pre-releases a
+   simple solution is to include `-0` in your range.
+3. Constraint ranges can have some complex rules including the shorthand use of
+   ~ and ^. For more details on those see the options below.
+
+There are differences between the two methods or checking versions because the
+comparison methods on `Version` follow the specification while comparison ranges
+are not part of the specification. Different packages and tools have taken it
+upon themselves to come up with range rules. This has resulted in differences.
+For example, npm/js and Cargo/Rust follow similar patterns while PHP has a
+different pattern for ^. The comparison features in this package follow the
+npm/js and Cargo/Rust lead because applications using it have followed similar
+patters with their versions.
+
+Checking a version against version constraints is one of the most featureful
+parts of the package.
+
+```go
+c, err := semver.NewConstraint(">= 1.2.3")
+if err != nil {
+    // Handle constraint not being parsable.
+}
+
+v, err := semver.NewVersion("1.3")
+if err != nil {
+    // Handle version not being parsable.
+}
+// Check if the version meets the constraints. The variable a will be true.
+a := c.Check(v)
+```
+
+### Basic Comparisons
+
+There are two elements to the comparisons. First, a comparison string is a list
+of space or comma separated AND comparisons. These are then separated by || (OR)
+comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a
+comparison that's greater than or equal to 1.2 and less than 3.0.0 or is
+greater than or equal to 4.2.3.
+
+The basic comparisons are:
+
+* `=`: equal (aliased to no operator)
+* `!=`: not equal
+* `>`: greater than
+* `<`: less than
+* `>=`: greater than or equal to
+* `<=`: less than or equal to
+
+### Working With Prerelease Versions
+
+Pre-releases, for those not familiar with them, are used for software releases
+prior to stable or generally available releases. Examples of pre-releases include
+development, alpha, beta, and release candidate releases. A pre-release may be
+a version such as `1.2.3-beta.1` while the stable release would be `1.2.3`. In the
+order of precedence, pre-releases come before their associated releases. In this
+example `1.2.3-beta.1 < 1.2.3`.
+
+According to the Semantic Version specification, pre-releases may not be
+API compliant with their release counterpart. It says,
+
+> A pre-release version indicates that the version is unstable and might not satisfy the intended compatibility requirements as denoted by its associated normal version.
+
+SemVer's comparisons using constraints without a pre-release comparator will skip
+pre-release versions. For example, `>=1.2.3` will skip pre-releases when looking
+at a list of releases while `>=1.2.3-0` will evaluate and find pre-releases.
+
+The reason for the `0` as a pre-release version in the example comparison is
+because pre-releases can only contain ASCII alphanumerics and hyphens (along with
+`.` separators), per the spec. Sorting happens in ASCII sort order, again per the
+spec. The lowest character is a `0` in ASCII sort order
+(see an [ASCII Table](http://www.asciitable.com/))
+
+Understanding ASCII sort ordering is important because A-Z comes before a-z. That
+means `>=1.2.3-BETA` will return `1.2.3-alpha`. What you might expect from case
+sensitivity doesn't apply here. This is due to ASCII sort ordering which is what
+the spec specifies.
+
+The `Constraints` instance returned from `semver.NewConstraint()` has a property
+`IncludePrerelease` that, when set to true, will return prerelease versions when calls
+to `Check()` and `Validate()` are made.
+
+### Hyphen Range Comparisons
+
+There are multiple methods to handle ranges and the first is hyphens ranges.
+These look like:
+
+* `1.2 - 1.4.5` which is equivalent to `>= 1.2 <= 1.4.5`
+* `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5`
+
+Note that `1.2-1.4.5` without whitespace is parsed completely differently; it's
+parsed as a single constraint `1.2.0` with _prerelease_ `1.4.5`.
+
+### Wildcards In Comparisons
+
+The `x`, `X`, and `*` characters can be used as a wildcard character. This works
+for all comparison operators. When used on the `=` operator it falls
+back to the patch level comparison (see tilde below). For example,
+
+* `1.2.x` is equivalent to `>= 1.2.0, < 1.3.0`
+* `>= 1.2.x` is equivalent to `>= 1.2.0`
+* `<= 2.x` is equivalent to `< 3`
+* `*` is equivalent to `>= 0.0.0`
+
+### Tilde Range Comparisons (Patch)
+
+The tilde (`~`) comparison operator is for patch level ranges when a minor
+version is specified and major level changes when the minor number is missing.
+For example,
+
+* `~1.2.3` is equivalent to `>= 1.2.3, < 1.3.0`
+* `~1` is equivalent to `>= 1, < 2`
+* `~2.3` is equivalent to `>= 2.3, < 2.4`
+* `~1.2.x` is equivalent to `>= 1.2.0, < 1.3.0`
+* `~1.x` is equivalent to `>= 1, < 2`
+
+### Caret Range Comparisons (Major)
+
+The caret (`^`) comparison operator is for major level changes once a stable
+(1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts
+as the API stability level. This is useful when comparisons of API versions as a
+major change is API breaking. For example,
+
+* `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0`
+* `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0`
+* `^2.3` is equivalent to `>= 2.3, < 3`
+* `^2.x` is equivalent to `>= 2.0.0, < 3`
+* `^0.2.3` is equivalent to `>=0.2.3 <0.3.0`
+* `^0.2` is equivalent to `>=0.2.0 <0.3.0`
+* `^0.0.3` is equivalent to `>=0.0.3 <0.0.4`
+* `^0.0` is equivalent to `>=0.0.0 <0.1.0`
+* `^0` is equivalent to `>=0.0.0 <1.0.0`
+
+## Validation
+
+In addition to testing a version against a constraint, a version can be validated
+against a constraint. When validation fails a slice of errors containing why a
+version didn't meet the constraint is returned. For example,
+
+```go
+c, err := semver.NewConstraint("<= 1.2.3, >= 1.4")
+if err != nil {
+    // Handle constraint not being parseable.
+}
+
+v, err := semver.NewVersion("1.3")
+if err != nil {
+    // Handle version not being parseable.
+}
+
+// Validate a version against a constraint.
+a, msgs := c.Validate(v)
+// a is false
+for _, m := range msgs {
+    fmt.Println(m)
+
+    // Loops over the errors which would read
+    // "1.3 is greater than 1.2.3"
+    // "1.3 is less than 1.4"
+}
+```
+
+## Contribute
+
+If you find an issue or want to contribute please file an [issue](https://github.com/Masterminds/semver/issues)
+or [create a pull request](https://github.com/Masterminds/semver/pulls).
+
+## Security
+
+Security is an important consideration for this project. The project currently
+uses the following tools to help discover security issues:
+
+* [CodeQL](https://codeql.github.com)
+* [gosec](https://github.com/securego/gosec)
+* Daily Fuzz testing
+
+If you believe you have found a security vulnerability you can privately disclose
+it through the [GitHub security page](https://github.com/Masterminds/semver/security).
diff --git a/vendor/github.com/Masterminds/semver/v3/SECURITY.md b/vendor/github.com/Masterminds/semver/v3/SECURITY.md
new file mode 100644
index 0000000000..a30a66b1f7
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+The following versions of semver are currently supported:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.x     | :white_check_mark: |
+| 2.x     | :x:                |
+| 1.x     | :x:                |
+
+Fixes are only released for the latest minor version in the form of a patch release.
+
+## Reporting a Vulnerability
+
+You can privately disclose a vulnerability through GitHubs
+[private vulnerability reporting](https://github.com/Masterminds/semver/security/advisories)
+mechanism.
diff --git a/vendor/github.com/Masterminds/semver/v3/collection.go b/vendor/github.com/Masterminds/semver/v3/collection.go
new file mode 100644
index 0000000000..a78235895f
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/collection.go
@@ -0,0 +1,24 @@
+package semver
+
+// Collection is a collection of Version instances and implements the sort
+// interface. See the sort package for more details.
+// https://golang.org/pkg/sort/
+type Collection []*Version
+
+// Len returns the length of a collection. The number of Version instances
+// on the slice.
+func (c Collection) Len() int {
+	return len(c)
+}
+
+// Less is needed for the sort interface to compare two Version objects on the
+// slice. If checks if one is less than the other.
+func (c Collection) Less(i, j int) bool {
+	return c[i].LessThan(c[j])
+}
+
+// Swap is needed for the sort interface to replace the Version objects
+// at two different positions in the slice.
+func (c Collection) Swap(i, j int) {
+	c[i], c[j] = c[j], c[i]
+}
diff --git a/vendor/github.com/Masterminds/semver/v3/constraints.go b/vendor/github.com/Masterminds/semver/v3/constraints.go
new file mode 100644
index 0000000000..8b7a10f836
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/constraints.go
@@ -0,0 +1,601 @@
+package semver
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// Constraints is one or more constraint that a semantic version can be
+// checked against.
+type Constraints struct {
+	constraints [][]*constraint
+	containsPre []bool
+
+	// IncludePrerelease specifies if pre-releases should be included in
+	// the results. Note, if a constraint range has a prerelease than
+	// prereleases will be included for that AND group even if this is
+	// set to false.
+	IncludePrerelease bool
+}
+
+// NewConstraint returns a Constraints instance that a Version instance can
+// be checked against. If there is a parse error it will be returned.
+func NewConstraint(c string) (*Constraints, error) {
+
+	// Rewrite - ranges into a comparison operation.
+	c = rewriteRange(c)
+
+	ors := strings.Split(c, "||")
+	lenors := len(ors)
+	or := make([][]*constraint, lenors)
+	hasPre := make([]bool, lenors)
+	for k, v := range ors {
+		// Validate the segment
+		if !validConstraintRegex.MatchString(v) {
+			return nil, fmt.Errorf("improper constraint: %s", v)
+		}
+
+		cs := findConstraintRegex.FindAllString(v, -1)
+		if cs == nil {
+			cs = append(cs, v)
+		}
+		result := make([]*constraint, len(cs))
+		for i, s := range cs {
+			pc, err := parseConstraint(s)
+			if err != nil {
+				return nil, err
+			}
+
+			// If one of the constraints has a prerelease record this.
+			// This information is used when checking all in an "and"
+			// group to ensure they all check for prereleases.
+			if pc.con.pre != "" {
+				hasPre[k] = true
+			}
+
+			result[i] = pc
+		}
+		or[k] = result
+	}
+
+	o := &Constraints{
+		constraints: or,
+		containsPre: hasPre,
+	}
+	return o, nil
+}
+
+// Check tests if a version satisfies the constraints.
+func (cs Constraints) Check(v *Version) bool {
+	// TODO(mattfarina): For v4 of this library consolidate the Check and Validate
+	// functions as the underlying functions make that possible now.
+	// loop over the ORs and check the inner ANDs
+	for i, o := range cs.constraints {
+		joy := true
+		for _, c := range o {
+			if check, _ := c.check(v, (cs.IncludePrerelease || cs.containsPre[i])); !check {
+				joy = false
+				break
+			}
+		}
+
+		if joy {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Validate checks if a version satisfies a constraint. If not a slice of
+// reasons for the failure are returned in addition to a bool.
+func (cs Constraints) Validate(v *Version) (bool, []error) {
+	// loop over the ORs and check the inner ANDs
+	var e []error
+
+	// Capture the prerelease message only once. When it happens the first time
+	// this var is marked
+	var prerelesase bool
+	for i, o := range cs.constraints {
+		joy := true
+		for _, c := range o {
+			// Before running the check handle the case there the version is
+			// a prerelease and the check is not searching for prereleases.
+			if !(cs.IncludePrerelease || cs.containsPre[i]) && v.pre != "" {
+				if !prerelesase {
+					em := fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+					e = append(e, em)
+					prerelesase = true
+				}
+				joy = false
+
+			} else {
+
+				if _, err := c.check(v, (cs.IncludePrerelease || cs.containsPre[i])); err != nil {
+					e = append(e, err)
+					joy = false
+				}
+			}
+		}
+
+		if joy {
+			return true, []error{}
+		}
+	}
+
+	return false, e
+}
+
+func (cs Constraints) String() string {
+	buf := make([]string, len(cs.constraints))
+	var tmp bytes.Buffer
+
+	for k, v := range cs.constraints {
+		tmp.Reset()
+		vlen := len(v)
+		for kk, c := range v {
+			tmp.WriteString(c.string())
+
+			// Space separate the AND conditions
+			if vlen > 1 && kk < vlen-1 {
+				tmp.WriteString(" ")
+			}
+		}
+		buf[k] = tmp.String()
+	}
+
+	return strings.Join(buf, " || ")
+}
+
+// UnmarshalText implements the encoding.TextUnmarshaler interface.
+func (cs *Constraints) UnmarshalText(text []byte) error {
+	temp, err := NewConstraint(string(text))
+	if err != nil {
+		return err
+	}
+
+	*cs = *temp
+
+	return nil
+}
+
+// MarshalText implements the encoding.TextMarshaler interface.
+func (cs Constraints) MarshalText() ([]byte, error) {
+	return []byte(cs.String()), nil
+}
+
+var constraintOps map[string]cfunc
+var constraintRegex *regexp.Regexp
+var constraintRangeRegex *regexp.Regexp
+
+// Used to find individual constraints within a multi-constraint string
+var findConstraintRegex *regexp.Regexp
+
+// Used to validate an segment of ANDs is valid
+var validConstraintRegex *regexp.Regexp
+
+const cvRegex string = `v?([0-9|x|X|\*]+)(\.[0-9|x|X|\*]+)?(\.[0-9|x|X|\*]+)?` +
+	`(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` +
+	`(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?`
+
+func init() {
+	constraintOps = map[string]cfunc{
+		"":   constraintTildeOrEqual,
+		"=":  constraintTildeOrEqual,
+		"!=": constraintNotEqual,
+		">":  constraintGreaterThan,
+		"<":  constraintLessThan,
+		">=": constraintGreaterThanEqual,
+		"=>": constraintGreaterThanEqual,
+		"<=": constraintLessThanEqual,
+		"=<": constraintLessThanEqual,
+		"~":  constraintTilde,
+		"~>": constraintTilde,
+		"^":  constraintCaret,
+	}
+
+	ops := `=||!=|>|<|>=|=>|<=|=<|~|~>|\^`
+
+	constraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`^\s*(%s)\s*(%s)\s*$`,
+		ops,
+		cvRegex))
+
+	constraintRangeRegex = regexp.MustCompile(fmt.Sprintf(
+		`\s*(%s)\s+-\s+(%s)\s*`,
+		cvRegex, cvRegex))
+
+	findConstraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`(%s)\s*(%s)`,
+		ops,
+		cvRegex))
+
+	// The first time a constraint shows up will look slightly different from
+	// future times it shows up due to a leading space or comma in a given
+	// string.
+	validConstraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`^(\s*(%s)\s*(%s)\s*)((?:\s+|,\s*)(%s)\s*(%s)\s*)*$`,
+		ops,
+		cvRegex,
+		ops,
+		cvRegex))
+}
+
+// An individual constraint
+type constraint struct {
+	// The version used in the constraint check. For example, if a constraint
+	// is '<= 2.0.0' the con a version instance representing 2.0.0.
+	con *Version
+
+	// The original parsed version (e.g., 4.x from != 4.x)
+	orig string
+
+	// The original operator for the constraint
+	origfunc string
+
+	// When an x is used as part of the version (e.g., 1.x)
+	minorDirty bool
+	dirty      bool
+	patchDirty bool
+}
+
+// Check if a version meets the constraint
+func (c *constraint) check(v *Version, includePre bool) (bool, error) {
+	return constraintOps[c.origfunc](v, c, includePre)
+}
+
+// String prints an individual constraint into a string
+func (c *constraint) string() string {
+	return c.origfunc + c.orig
+}
+
+type cfunc func(v *Version, c *constraint, includePre bool) (bool, error)
+
+func parseConstraint(c string) (*constraint, error) {
+	if len(c) > 0 {
+		m := constraintRegex.FindStringSubmatch(c)
+		if m == nil {
+			return nil, fmt.Errorf("improper constraint: %s", c)
+		}
+
+		cs := &constraint{
+			orig:     m[2],
+			origfunc: m[1],
+		}
+
+		ver := m[2]
+		minorDirty := false
+		patchDirty := false
+		dirty := false
+		if isX(m[3]) || m[3] == "" {
+			ver = fmt.Sprintf("0.0.0%s", m[6])
+			dirty = true
+		} else if isX(strings.TrimPrefix(m[4], ".")) || m[4] == "" {
+			minorDirty = true
+			dirty = true
+			ver = fmt.Sprintf("%s.0.0%s", m[3], m[6])
+		} else if isX(strings.TrimPrefix(m[5], ".")) || m[5] == "" {
+			dirty = true
+			patchDirty = true
+			ver = fmt.Sprintf("%s%s.0%s", m[3], m[4], m[6])
+		}
+
+		con, err := NewVersion(ver)
+		if err != nil {
+
+			// The constraintRegex should catch any regex parsing errors. So,
+			// we should never get here.
+			return nil, errors.New("constraint parser error")
+		}
+
+		cs.con = con
+		cs.minorDirty = minorDirty
+		cs.patchDirty = patchDirty
+		cs.dirty = dirty
+
+		return cs, nil
+	}
+
+	// The rest is the special case where an empty string was passed in which
+	// is equivalent to * or >=0.0.0
+	con, err := StrictNewVersion("0.0.0")
+	if err != nil {
+
+		// The constraintRegex should catch any regex parsing errors. So,
+		// we should never get here.
+		return nil, errors.New("constraint parser error")
+	}
+
+	cs := &constraint{
+		con:        con,
+		orig:       c,
+		origfunc:   "",
+		minorDirty: false,
+		patchDirty: false,
+		dirty:      true,
+	}
+	return cs, nil
+}
+
+// Constraint functions
+func constraintNotEqual(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	if c.dirty {
+		if c.con.Major() != v.Major() {
+			return true, nil
+		}
+		if c.con.Minor() != v.Minor() && !c.minorDirty {
+			return true, nil
+		} else if c.minorDirty {
+			return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+		} else if c.con.Patch() != v.Patch() && !c.patchDirty {
+			return true, nil
+		} else if c.patchDirty {
+			// Need to handle prereleases if present
+			if v.Prerelease() != "" || c.con.Prerelease() != "" {
+				eq := comparePrerelease(v.Prerelease(), c.con.Prerelease()) != 0
+				if eq {
+					return true, nil
+				}
+				return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+			}
+			return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+		}
+	}
+
+	eq := v.Equal(c.con)
+	if eq {
+		return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+func constraintGreaterThan(v *Version, c *constraint, includePre bool) (bool, error) {
+
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	var eq bool
+
+	if !c.dirty {
+		eq = v.Compare(c.con) == 1
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	}
+
+	if v.Major() > c.con.Major() {
+		return true, nil
+	} else if v.Major() < c.con.Major() {
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	} else if c.minorDirty {
+		// This is a range case such as >11. When the version is something like
+		// 11.1.0 is it not > 11. For that we would need 12 or higher
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	} else if c.patchDirty {
+		// This is for ranges such as >11.1. A version of 11.1.1 is not greater
+		// which one of 11.2.1 is greater
+		eq = v.Minor() > c.con.Minor()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	}
+
+	// If we have gotten here we are not comparing pre-preleases and can use the
+	// Compare function to accomplish that.
+	eq = v.Compare(c.con) == 1
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+}
+
+func constraintLessThan(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	eq := v.Compare(c.con) < 0
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is greater than or equal to %s", v, c.orig)
+}
+
+func constraintGreaterThanEqual(v *Version, c *constraint, includePre bool) (bool, error) {
+
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	eq := v.Compare(c.con) >= 0
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is less than %s", v, c.orig)
+}
+
+func constraintLessThanEqual(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	var eq bool
+
+	if !c.dirty {
+		eq = v.Compare(c.con) <= 0
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	}
+
+	if v.Major() > c.con.Major() {
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	} else if v.Major() == c.con.Major() && v.Minor() > c.con.Minor() && !c.minorDirty {
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+// ~*, ~>* --> >= 0.0.0 (any)
+// ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0, <3.0.0
+// ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0, <2.1.0
+// ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0, <1.3.0
+// ~1.2.3, ~>1.2.3 --> >=1.2.3, <1.3.0
+// ~1.2.0, ~>1.2.0 --> >=1.2.0, <1.3.0
+func constraintTilde(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	if v.LessThan(c.con) {
+		return false, fmt.Errorf("%s is less than %s", v, c.orig)
+	}
+
+	// ~0.0.0 is a special case where all constraints are accepted. It's
+	// equivalent to >= 0.0.0.
+	if c.con.Major() == 0 && c.con.Minor() == 0 && c.con.Patch() == 0 &&
+		!c.minorDirty && !c.patchDirty {
+		return true, nil
+	}
+
+	if v.Major() != c.con.Major() {
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+
+	if v.Minor() != c.con.Minor() && !c.minorDirty {
+		return false, fmt.Errorf("%s does not have same major and minor version as %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+// When there is a .x (dirty) status it automatically opts in to ~. Otherwise
+// it's a straight =
+func constraintTildeOrEqual(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	if c.dirty {
+		return constraintTilde(v, c, includePre)
+	}
+
+	eq := v.Equal(c.con)
+	if eq {
+		return true, nil
+	}
+
+	return false, fmt.Errorf("%s is not equal to %s", v, c.orig)
+}
+
+// ^*      -->  (any)
+// ^1.2.3  -->  >=1.2.3 <2.0.0
+// ^1.2    -->  >=1.2.0 <2.0.0
+// ^1      -->  >=1.0.0 <2.0.0
+// ^0.2.3  -->  >=0.2.3 <0.3.0
+// ^0.2    -->  >=0.2.0 <0.3.0
+// ^0.0.3  -->  >=0.0.3 <0.0.4
+// ^0.0    -->  >=0.0.0 <0.1.0
+// ^0      -->  >=0.0.0 <1.0.0
+func constraintCaret(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	// This less than handles prereleases
+	if v.LessThan(c.con) {
+		return false, fmt.Errorf("%s is less than %s", v, c.orig)
+	}
+
+	var eq bool
+
+	// ^ when the major > 0 is >=x.y.z < x+1
+	if c.con.Major() > 0 || c.minorDirty {
+
+		// ^ has to be within a major range for > 0. Everything less than was
+		// filtered out with the LessThan call above. This filters out those
+		// that greater but not within the same major range.
+		eq = v.Major() == c.con.Major()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+
+	// ^ when the major is 0 and minor > 0 is >=0.y.z < 0.y+1
+	if c.con.Major() == 0 && v.Major() > 0 {
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+	// If the con Minor is > 0 it is not dirty
+	if c.con.Minor() > 0 || c.patchDirty {
+		eq = v.Minor() == c.con.Minor()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s does not have same minor version as %s. Expected minor versions to match when constraint major version is 0", v, c.orig)
+	}
+	// ^ when the minor is 0 and minor > 0 is =0.0.z
+	if c.con.Minor() == 0 && v.Minor() > 0 {
+		return false, fmt.Errorf("%s does not have same minor version as %s", v, c.orig)
+	}
+
+	// At this point the major is 0 and the minor is 0 and not dirty. The patch
+	// is not dirty so we need to check if they are equal. If they are not equal
+	eq = c.con.Patch() == v.Patch()
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s does not equal %s. Expect version and constraint to equal when major and minor versions are 0", v, c.orig)
+}
+
+func isX(x string) bool {
+	switch x {
+	case "x", "*", "X":
+		return true
+	default:
+		return false
+	}
+}
+
+func rewriteRange(i string) string {
+	m := constraintRangeRegex.FindAllStringSubmatch(i, -1)
+	if m == nil {
+		return i
+	}
+	o := i
+	for _, v := range m {
+		t := fmt.Sprintf(">= %s, <= %s ", v[1], v[11])
+		o = strings.Replace(o, v[0], t, 1)
+	}
+
+	return o
+}
diff --git a/vendor/github.com/Masterminds/semver/v3/doc.go b/vendor/github.com/Masterminds/semver/v3/doc.go
new file mode 100644
index 0000000000..74f97caa57
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/doc.go
@@ -0,0 +1,184 @@
+/*
+Package semver provides the ability to work with Semantic Versions (http://semver.org) in Go.
+
+Specifically it provides the ability to:
+
+  - Parse semantic versions
+  - Sort semantic versions
+  - Check if a semantic version fits within a set of constraints
+  - Optionally work with a `v` prefix
+
+# Parsing Semantic Versions
+
+There are two functions that can parse semantic versions. The `StrictNewVersion`
+function only parses valid version 2 semantic versions as outlined in the
+specification. The `NewVersion` function attempts to coerce a version into a
+semantic version and parse it. For example, if there is a leading v or a version
+listed without all 3 parts (e.g. 1.2) it will attempt to coerce it into a valid
+semantic version (e.g., 1.2.0). In both cases a `Version` object is returned
+that can be sorted, compared, and used in constraints.
+
+When parsing a version an optional error can be returned if there is an issue
+parsing the version. For example,
+
+	v, err := semver.NewVersion("1.2.3-beta.1+b345")
+
+The version object has methods to get the parts of the version, compare it to
+other versions, convert the version back into a string, and get the original
+string. For more details please see the documentation
+at https://godoc.org/github.com/Masterminds/semver.
+
+# Sorting Semantic Versions
+
+A set of versions can be sorted using the `sort` package from the standard library.
+For example,
+
+	    raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",}
+	    vs := make([]*semver.Version, len(raw))
+		for i, r := range raw {
+			v, err := semver.NewVersion(r)
+			if err != nil {
+				t.Errorf("Error parsing version: %s", err)
+			}
+
+			vs[i] = v
+		}
+
+		sort.Sort(semver.Collection(vs))
+
+# Checking Version Constraints and Comparing Versions
+
+There are two methods for comparing versions. One uses comparison methods on
+`Version` instances and the other is using Constraints. There are some important
+differences to notes between these two methods of comparison.
+
+ 1. When two versions are compared using functions such as `Compare`, `LessThan`,
+    and others it will follow the specification and always include prereleases
+    within the comparison. It will provide an answer valid with the comparison
+    spec section at https://semver.org/#spec-item-11
+ 2. When constraint checking is used for checks or validation it will follow a
+    different set of rules that are common for ranges with tools like npm/js
+    and Rust/Cargo. This includes considering prereleases to be invalid if the
+    ranges does not include on. If you want to have it include pre-releases a
+    simple solution is to include `-0` in your range.
+ 3. Constraint ranges can have some complex rules including the shorthard use of
+    ~ and ^. For more details on those see the options below.
+
+There are differences between the two methods or checking versions because the
+comparison methods on `Version` follow the specification while comparison ranges
+are not part of the specification. Different packages and tools have taken it
+upon themselves to come up with range rules. This has resulted in differences.
+For example, npm/js and Cargo/Rust follow similar patterns which PHP has a
+different pattern for ^. The comparison features in this package follow the
+npm/js and Cargo/Rust lead because applications using it have followed similar
+patters with their versions.
+
+Checking a version against version constraints is one of the most featureful
+parts of the package.
+
+	c, err := semver.NewConstraint(">= 1.2.3")
+	if err != nil {
+	    // Handle constraint not being parsable.
+	}
+
+	v, err := semver.NewVersion("1.3")
+	if err != nil {
+	    // Handle version not being parsable.
+	}
+	// Check if the version meets the constraints. The a variable will be true.
+	a := c.Check(v)
+
+# Basic Comparisons
+
+There are two elements to the comparisons. First, a comparison string is a list
+of comma or space separated AND comparisons. These are then separated by || (OR)
+comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a
+comparison that's greater than or equal to 1.2 and less than 3.0.0 or is
+greater than or equal to 4.2.3. This can also be written as
+`">= 1.2, < 3.0.0 || >= 4.2.3"`
+
+The basic comparisons are:
+
+  - `=`: equal (aliased to no operator)
+  - `!=`: not equal
+  - `>`: greater than
+  - `<`: less than
+  - `>=`: greater than or equal to
+  - `<=`: less than or equal to
+
+# Hyphen Range Comparisons
+
+There are multiple methods to handle ranges and the first is hyphens ranges.
+These look like:
+
+  - `1.2 - 1.4.5` which is equivalent to `>= 1.2, <= 1.4.5`
+  - `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5`
+
+# Wildcards In Comparisons
+
+The `x`, `X`, and `*` characters can be used as a wildcard character. This works
+for all comparison operators. When used on the `=` operator it falls
+back to the tilde operation. For example,
+
+  - `1.2.x` is equivalent to `>= 1.2.0 < 1.3.0`
+  - `>= 1.2.x` is equivalent to `>= 1.2.0`
+  - `<= 2.x` is equivalent to `<= 3`
+  - `*` is equivalent to `>= 0.0.0`
+
+Tilde Range Comparisons (Patch)
+
+The tilde (`~`) comparison operator is for patch level ranges when a minor
+version is specified and major level changes when the minor number is missing.
+For example,
+
+  - `~1.2.3` is equivalent to `>= 1.2.3 < 1.3.0`
+  - `~1` is equivalent to `>= 1, < 2`
+  - `~2.3` is equivalent to `>= 2.3 < 2.4`
+  - `~1.2.x` is equivalent to `>= 1.2.0 < 1.3.0`
+  - `~1.x` is equivalent to `>= 1 < 2`
+
+Caret Range Comparisons (Major)
+
+The caret (`^`) comparison operator is for major level changes once a stable
+(1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts
+as the API stability level. This is useful when comparisons of API versions as a
+major change is API breaking. For example,
+
+  - `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0`
+  - `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0`
+  - `^2.3` is equivalent to `>= 2.3, < 3`
+  - `^2.x` is equivalent to `>= 2.0.0, < 3`
+  - `^0.2.3` is equivalent to `>=0.2.3 <0.3.0`
+  - `^0.2` is equivalent to `>=0.2.0 <0.3.0`
+  - `^0.0.3` is equivalent to `>=0.0.3 <0.0.4`
+  - `^0.0` is equivalent to `>=0.0.0 <0.1.0`
+  - `^0` is equivalent to `>=0.0.0 <1.0.0`
+
+# Validation
+
+In addition to testing a version against a constraint, a version can be validated
+against a constraint. When validation fails a slice of errors containing why a
+version didn't meet the constraint is returned. For example,
+
+	c, err := semver.NewConstraint("<= 1.2.3, >= 1.4")
+	if err != nil {
+	    // Handle constraint not being parseable.
+	}
+
+	v, _ := semver.NewVersion("1.3")
+	if err != nil {
+	    // Handle version not being parseable.
+	}
+
+	// Validate a version against a constraint.
+	a, msgs := c.Validate(v)
+	// a is false
+	for _, m := range msgs {
+	    fmt.Println(m)
+
+	    // Loops over the errors which would read
+	    // "1.3 is greater than 1.2.3"
+	    // "1.3 is less than 1.4"
+	}
+*/
+package semver
diff --git a/vendor/github.com/Masterminds/semver/v3/version.go b/vendor/github.com/Masterminds/semver/v3/version.go
new file mode 100644
index 0000000000..7a3ba73887
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/version.go
@@ -0,0 +1,788 @@
+package semver
+
+import (
+	"bytes"
+	"database/sql/driver"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+// The compiled version of the regex created at init() is cached here so it
+// only needs to be created once.
+var versionRegex *regexp.Regexp
+var looseVersionRegex *regexp.Regexp
+
+// CoerceNewVersion sets if leading 0's are allowd in the version part. Leading 0's are
+// not allowed in a valid semantic version. When set to true, NewVersion will coerce
+// leading 0's into a valid version.
+var CoerceNewVersion = true
+
+// DetailedNewVersionErrors specifies if detailed errors are returned from the NewVersion
+// function. This is used when CoerceNewVersion is set to false. If set to false
+// ErrInvalidSemVer is returned for an invalid version. This does not apply to
+// StrictNewVersion. Setting this function to false returns errors more quickly.
+var DetailedNewVersionErrors = true
+
+var (
+	// ErrInvalidSemVer is returned a version is found to be invalid when
+	// being parsed.
+	ErrInvalidSemVer = errors.New("invalid semantic version")
+
+	// ErrEmptyString is returned when an empty string is passed in for parsing.
+	ErrEmptyString = errors.New("version string empty")
+
+	// ErrInvalidCharacters is returned when invalid characters are found as
+	// part of a version
+	ErrInvalidCharacters = errors.New("invalid characters in version")
+
+	// ErrSegmentStartsZero is returned when a version segment starts with 0.
+	// This is invalid in SemVer.
+	ErrSegmentStartsZero = errors.New("version segment starts with 0")
+
+	// ErrInvalidMetadata is returned when the metadata is an invalid format
+	ErrInvalidMetadata = errors.New("invalid metadata string")
+
+	// ErrInvalidPrerelease is returned when the pre-release is an invalid format
+	ErrInvalidPrerelease = errors.New("invalid prerelease string")
+)
+
+// semVerRegex is the regular expression used to parse a semantic version.
+// This is not the official regex from the semver spec. It has been modified to allow for loose handling
+// where versions like 2.1 are detected.
+const semVerRegex string = `v?(0|[1-9]\d*)(?:\.(0|[1-9]\d*))?(?:\.(0|[1-9]\d*))?` +
+	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
+	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?`
+
+// looseSemVerRegex is a regular expression that lets invalid semver expressions through
+// with enough detail that certain errors can be checked for.
+const looseSemVerRegex string = `v?([0-9]+)(\.[0-9]+)?(\.[0-9]+)?` +
+	`(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` +
+	`(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?`
+
+// Version represents a single semantic version.
+type Version struct {
+	major, minor, patch uint64
+	pre                 string
+	metadata            string
+	original            string
+}
+
+func init() {
+	versionRegex = regexp.MustCompile("^" + semVerRegex + "$")
+	looseVersionRegex = regexp.MustCompile("^" + looseSemVerRegex + "$")
+}
+
+const (
+	num     string = "0123456789"
+	allowed string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-" + num
+)
+
+// StrictNewVersion parses a given version and returns an instance of Version or
+// an error if unable to parse the version. Only parses valid semantic versions.
+// Performs checking that can find errors within the version.
+// If you want to coerce a version such as 1 or 1.2 and parse it as the 1.x
+// releases of semver did, use the NewVersion() function.
+func StrictNewVersion(v string) (*Version, error) {
+	// Parsing here does not use RegEx in order to increase performance and reduce
+	// allocations.
+
+	if len(v) == 0 {
+		return nil, ErrEmptyString
+	}
+
+	// Split the parts into [0]major, [1]minor, and [2]patch,prerelease,build
+	parts := strings.SplitN(v, ".", 3)
+	if len(parts) != 3 {
+		return nil, ErrInvalidSemVer
+	}
+
+	sv := &Version{
+		original: v,
+	}
+
+	// Extract build metadata
+	if strings.Contains(parts[2], "+") {
+		extra := strings.SplitN(parts[2], "+", 2)
+		sv.metadata = extra[1]
+		parts[2] = extra[0]
+		if err := validateMetadata(sv.metadata); err != nil {
+			return nil, err
+		}
+	}
+
+	// Extract build prerelease
+	if strings.Contains(parts[2], "-") {
+		extra := strings.SplitN(parts[2], "-", 2)
+		sv.pre = extra[1]
+		parts[2] = extra[0]
+		if err := validatePrerelease(sv.pre); err != nil {
+			return nil, err
+		}
+	}
+
+	// Validate the number segments are valid. This includes only having positive
+	// numbers and no leading 0's.
+	for _, p := range parts {
+		if !containsOnly(p, num) {
+			return nil, ErrInvalidCharacters
+		}
+
+		if len(p) > 1 && p[0] == '0' {
+			return nil, ErrSegmentStartsZero
+		}
+	}
+
+	// Extract major, minor, and patch
+	var err error
+	sv.major, err = strconv.ParseUint(parts[0], 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	sv.minor, err = strconv.ParseUint(parts[1], 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	sv.patch, err = strconv.ParseUint(parts[2], 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	return sv, nil
+}
+
+// NewVersion parses a given version and returns an instance of Version or
+// an error if unable to parse the version. If the version is SemVer-ish it
+// attempts to convert it to SemVer. If you want  to validate it was a strict
+// semantic version at parse time see StrictNewVersion().
+func NewVersion(v string) (*Version, error) {
+	if CoerceNewVersion {
+		return coerceNewVersion(v)
+	}
+	m := versionRegex.FindStringSubmatch(v)
+	if m == nil {
+
+		// Disabling detailed errors is first so that it is in the fast path.
+		if !DetailedNewVersionErrors {
+			return nil, ErrInvalidSemVer
+		}
+
+		// Check for specific errors with the semver string and return a more detailed
+		// error.
+		m = looseVersionRegex.FindStringSubmatch(v)
+		if m == nil {
+			return nil, ErrInvalidSemVer
+		}
+		err := validateVersion(m)
+		if err != nil {
+			return nil, err
+		}
+		return nil, ErrInvalidSemVer
+	}
+
+	sv := &Version{
+		metadata: m[5],
+		pre:      m[4],
+		original: v,
+	}
+
+	var err error
+	sv.major, err = strconv.ParseUint(m[1], 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing version segment: %w", err)
+	}
+
+	if m[2] != "" {
+		sv.minor, err = strconv.ParseUint(m[2], 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing version segment: %w", err)
+		}
+	} else {
+		sv.minor = 0
+	}
+
+	if m[3] != "" {
+		sv.patch, err = strconv.ParseUint(m[3], 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing version segment: %w", err)
+		}
+	} else {
+		sv.patch = 0
+	}
+
+	// Perform some basic due diligence on the extra parts to ensure they are
+	// valid.
+
+	if sv.pre != "" {
+		if err = validatePrerelease(sv.pre); err != nil {
+			return nil, err
+		}
+	}
+
+	if sv.metadata != "" {
+		if err = validateMetadata(sv.metadata); err != nil {
+			return nil, err
+		}
+	}
+
+	return sv, nil
+}
+
+func coerceNewVersion(v string) (*Version, error) {
+	m := looseVersionRegex.FindStringSubmatch(v)
+	if m == nil {
+		return nil, ErrInvalidSemVer
+	}
+
+	sv := &Version{
+		metadata: m[8],
+		pre:      m[5],
+		original: v,
+	}
+
+	var err error
+	sv.major, err = strconv.ParseUint(m[1], 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing version segment: %w", err)
+	}
+
+	if m[2] != "" {
+		sv.minor, err = strconv.ParseUint(strings.TrimPrefix(m[2], "."), 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing version segment: %w", err)
+		}
+	} else {
+		sv.minor = 0
+	}
+
+	if m[3] != "" {
+		sv.patch, err = strconv.ParseUint(strings.TrimPrefix(m[3], "."), 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing version segment: %w", err)
+		}
+	} else {
+		sv.patch = 0
+	}
+
+	// Perform some basic due diligence on the extra parts to ensure they are
+	// valid.
+
+	if sv.pre != "" {
+		if err = validatePrerelease(sv.pre); err != nil {
+			return nil, err
+		}
+	}
+
+	if sv.metadata != "" {
+		if err = validateMetadata(sv.metadata); err != nil {
+			return nil, err
+		}
+	}
+
+	return sv, nil
+}
+
+// New creates a new instance of Version with each of the parts passed in as
+// arguments instead of parsing a version string.
+func New(major, minor, patch uint64, pre, metadata string) *Version {
+	v := Version{
+		major:    major,
+		minor:    minor,
+		patch:    patch,
+		pre:      pre,
+		metadata: metadata,
+		original: "",
+	}
+
+	v.original = v.String()
+
+	return &v
+}
+
+// MustParse parses a given version and panics on error.
+func MustParse(v string) *Version {
+	sv, err := NewVersion(v)
+	if err != nil {
+		panic(err)
+	}
+	return sv
+}
+
+// String converts a Version object to a string.
+// Note, if the original version contained a leading v this version will not.
+// See the Original() method to retrieve the original value. Semantic Versions
+// don't contain a leading v per the spec. Instead it's optional on
+// implementation.
+func (v Version) String() string {
+	var buf bytes.Buffer
+
+	fmt.Fprintf(&buf, "%d.%d.%d", v.major, v.minor, v.patch)
+	if v.pre != "" {
+		fmt.Fprintf(&buf, "-%s", v.pre)
+	}
+	if v.metadata != "" {
+		fmt.Fprintf(&buf, "+%s", v.metadata)
+	}
+
+	return buf.String()
+}
+
+// Original returns the original value passed in to be parsed.
+func (v *Version) Original() string {
+	return v.original
+}
+
+// Major returns the major version.
+func (v Version) Major() uint64 {
+	return v.major
+}
+
+// Minor returns the minor version.
+func (v Version) Minor() uint64 {
+	return v.minor
+}
+
+// Patch returns the patch version.
+func (v Version) Patch() uint64 {
+	return v.patch
+}
+
+// Prerelease returns the pre-release version.
+func (v Version) Prerelease() string {
+	return v.pre
+}
+
+// Metadata returns the metadata on the version.
+func (v Version) Metadata() string {
+	return v.metadata
+}
+
+// originalVPrefix returns the original 'v' prefix if any.
+func (v Version) originalVPrefix() string {
+	// Note, only lowercase v is supported as a prefix by the parser.
+	if v.original != "" && v.original[:1] == "v" {
+		return v.original[:1]
+	}
+	return ""
+}
+
+// IncPatch produces the next patch version.
+// If the current version does not have prerelease/metadata information,
+// it unsets metadata and prerelease values, increments patch number.
+// If the current version has any of prerelease or metadata information,
+// it unsets both values and keeps current patch value
+func (v Version) IncPatch() Version {
+	vNext := v
+	// according to http://semver.org/#spec-item-9
+	// Pre-release versions have a lower precedence than the associated normal version.
+	// according to http://semver.org/#spec-item-10
+	// Build metadata SHOULD be ignored when determining version precedence.
+	if v.pre != "" {
+		vNext.metadata = ""
+		vNext.pre = ""
+	} else {
+		vNext.metadata = ""
+		vNext.pre = ""
+		vNext.patch = v.patch + 1
+	}
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext
+}
+
+// IncMinor produces the next minor version.
+// Sets patch to 0.
+// Increments minor number.
+// Unsets metadata.
+// Unsets prerelease status.
+func (v Version) IncMinor() Version {
+	vNext := v
+	vNext.metadata = ""
+	vNext.pre = ""
+	vNext.patch = 0
+	vNext.minor = v.minor + 1
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext
+}
+
+// IncMajor produces the next major version.
+// Sets patch to 0.
+// Sets minor to 0.
+// Increments major number.
+// Unsets metadata.
+// Unsets prerelease status.
+func (v Version) IncMajor() Version {
+	vNext := v
+	vNext.metadata = ""
+	vNext.pre = ""
+	vNext.patch = 0
+	vNext.minor = 0
+	vNext.major = v.major + 1
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext
+}
+
+// SetPrerelease defines the prerelease value.
+// Value must not include the required 'hyphen' prefix.
+func (v Version) SetPrerelease(prerelease string) (Version, error) {
+	vNext := v
+	if len(prerelease) > 0 {
+		if err := validatePrerelease(prerelease); err != nil {
+			return vNext, err
+		}
+	}
+	vNext.pre = prerelease
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext, nil
+}
+
+// SetMetadata defines metadata value.
+// Value must not include the required 'plus' prefix.
+func (v Version) SetMetadata(metadata string) (Version, error) {
+	vNext := v
+	if len(metadata) > 0 {
+		if err := validateMetadata(metadata); err != nil {
+			return vNext, err
+		}
+	}
+	vNext.metadata = metadata
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext, nil
+}
+
+// LessThan tests if one version is less than another one.
+func (v *Version) LessThan(o *Version) bool {
+	return v.Compare(o) < 0
+}
+
+// LessThanEqual tests if one version is less or equal than another one.
+func (v *Version) LessThanEqual(o *Version) bool {
+	return v.Compare(o) <= 0
+}
+
+// GreaterThan tests if one version is greater than another one.
+func (v *Version) GreaterThan(o *Version) bool {
+	return v.Compare(o) > 0
+}
+
+// GreaterThanEqual tests if one version is greater or equal than another one.
+func (v *Version) GreaterThanEqual(o *Version) bool {
+	return v.Compare(o) >= 0
+}
+
+// Equal tests if two versions are equal to each other.
+// Note, versions can be equal with different metadata since metadata
+// is not considered part of the comparable version.
+func (v *Version) Equal(o *Version) bool {
+	if v == o {
+		return true
+	}
+	if v == nil || o == nil {
+		return false
+	}
+	return v.Compare(o) == 0
+}
+
+// Compare compares this version to another one. It returns -1, 0, or 1 if
+// the version smaller, equal, or larger than the other version.
+//
+// Versions are compared by X.Y.Z. Build metadata is ignored. Prerelease is
+// lower than the version without a prerelease. Compare always takes into account
+// prereleases. If you want to work with ranges using typical range syntaxes that
+// skip prereleases if the range is not looking for them use constraints.
+func (v *Version) Compare(o *Version) int {
+	// Compare the major, minor, and patch version for differences. If a
+	// difference is found return the comparison.
+	if d := compareSegment(v.Major(), o.Major()); d != 0 {
+		return d
+	}
+	if d := compareSegment(v.Minor(), o.Minor()); d != 0 {
+		return d
+	}
+	if d := compareSegment(v.Patch(), o.Patch()); d != 0 {
+		return d
+	}
+
+	// At this point the major, minor, and patch versions are the same.
+	ps := v.pre
+	po := o.Prerelease()
+
+	if ps == "" && po == "" {
+		return 0
+	}
+	if ps == "" {
+		return 1
+	}
+	if po == "" {
+		return -1
+	}
+
+	return comparePrerelease(ps, po)
+}
+
+// UnmarshalJSON implements JSON.Unmarshaler interface.
+func (v *Version) UnmarshalJSON(b []byte) error {
+	var s string
+	if err := json.Unmarshal(b, &s); err != nil {
+		return err
+	}
+	temp, err := NewVersion(s)
+	if err != nil {
+		return err
+	}
+	v.major = temp.major
+	v.minor = temp.minor
+	v.patch = temp.patch
+	v.pre = temp.pre
+	v.metadata = temp.metadata
+	v.original = temp.original
+	return nil
+}
+
+// MarshalJSON implements JSON.Marshaler interface.
+func (v Version) MarshalJSON() ([]byte, error) {
+	return json.Marshal(v.String())
+}
+
+// UnmarshalText implements the encoding.TextUnmarshaler interface.
+func (v *Version) UnmarshalText(text []byte) error {
+	temp, err := NewVersion(string(text))
+	if err != nil {
+		return err
+	}
+
+	*v = *temp
+
+	return nil
+}
+
+// MarshalText implements the encoding.TextMarshaler interface.
+func (v Version) MarshalText() ([]byte, error) {
+	return []byte(v.String()), nil
+}
+
+// Scan implements the SQL.Scanner interface.
+func (v *Version) Scan(value interface{}) error {
+	var s string
+	s, _ = value.(string)
+	temp, err := NewVersion(s)
+	if err != nil {
+		return err
+	}
+	v.major = temp.major
+	v.minor = temp.minor
+	v.patch = temp.patch
+	v.pre = temp.pre
+	v.metadata = temp.metadata
+	v.original = temp.original
+	return nil
+}
+
+// Value implements the Driver.Valuer interface.
+func (v Version) Value() (driver.Value, error) {
+	return v.String(), nil
+}
+
+func compareSegment(v, o uint64) int {
+	if v < o {
+		return -1
+	}
+	if v > o {
+		return 1
+	}
+
+	return 0
+}
+
+func comparePrerelease(v, o string) int {
+	// split the prelease versions by their part. The separator, per the spec,
+	// is a .
+	sparts := strings.Split(v, ".")
+	oparts := strings.Split(o, ".")
+
+	// Find the longer length of the parts to know how many loop iterations to
+	// go through.
+	slen := len(sparts)
+	olen := len(oparts)
+
+	l := slen
+	if olen > slen {
+		l = olen
+	}
+
+	// Iterate over each part of the prereleases to compare the differences.
+	for i := 0; i < l; i++ {
+		// Since the lentgh of the parts can be different we need to create
+		// a placeholder. This is to avoid out of bounds issues.
+		stemp := ""
+		if i < slen {
+			stemp = sparts[i]
+		}
+
+		otemp := ""
+		if i < olen {
+			otemp = oparts[i]
+		}
+
+		d := comparePrePart(stemp, otemp)
+		if d != 0 {
+			return d
+		}
+	}
+
+	// Reaching here means two versions are of equal value but have different
+	// metadata (the part following a +). They are not identical in string form
+	// but the version comparison finds them to be equal.
+	return 0
+}
+
+func comparePrePart(s, o string) int {
+	// Fastpath if they are equal
+	if s == o {
+		return 0
+	}
+
+	// When s or o are empty we can use the other in an attempt to determine
+	// the response.
+	if s == "" {
+		if o != "" {
+			return -1
+		}
+		return 1
+	}
+
+	if o == "" {
+		if s != "" {
+			return 1
+		}
+		return -1
+	}
+
+	// When comparing strings "99" is greater than "103". To handle
+	// cases like this we need to detect numbers and compare them. According
+	// to the semver spec, numbers are always positive. If there is a - at the
+	// start like -99 this is to be evaluated as an alphanum. numbers always
+	// have precedence over alphanum. Parsing as Uints because negative numbers
+	// are ignored.
+
+	oi, n1 := strconv.ParseUint(o, 10, 64)
+	si, n2 := strconv.ParseUint(s, 10, 64)
+
+	// The case where both are strings compare the strings
+	if n1 != nil && n2 != nil {
+		if s > o {
+			return 1
+		}
+		return -1
+	} else if n1 != nil {
+		// o is a string and s is a number
+		return -1
+	} else if n2 != nil {
+		// s is a string and o is a number
+		return 1
+	}
+	// Both are numbers
+	if si > oi {
+		return 1
+	}
+	return -1
+}
+
+// Like strings.ContainsAny but does an only instead of any.
+func containsOnly(s string, comp string) bool {
+	return strings.IndexFunc(s, func(r rune) bool {
+		return !strings.ContainsRune(comp, r)
+	}) == -1
+}
+
+// From the spec, "Identifiers MUST comprise only
+// ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty.
+// Numeric identifiers MUST NOT include leading zeroes.". These segments can
+// be dot separated.
+func validatePrerelease(p string) error {
+	eparts := strings.Split(p, ".")
+	for _, p := range eparts {
+		if p == "" {
+			return ErrInvalidPrerelease
+		} else if containsOnly(p, num) {
+			if len(p) > 1 && p[0] == '0' {
+				return ErrSegmentStartsZero
+			}
+		} else if !containsOnly(p, allowed) {
+			return ErrInvalidPrerelease
+		}
+	}
+
+	return nil
+}
+
+// From the spec, "Build metadata MAY be denoted by
+// appending a plus sign and a series of dot separated identifiers immediately
+// following the patch or pre-release version. Identifiers MUST comprise only
+// ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty."
+func validateMetadata(m string) error {
+	eparts := strings.Split(m, ".")
+	for _, p := range eparts {
+		if p == "" {
+			return ErrInvalidMetadata
+		} else if !containsOnly(p, allowed) {
+			return ErrInvalidMetadata
+		}
+	}
+	return nil
+}
+
+// validateVersion checks for common validation issues but may not catch all errors
+func validateVersion(m []string) error {
+	var err error
+	var v string
+	if m[1] != "" {
+		if len(m[1]) > 1 && m[1][0] == '0' {
+			return ErrSegmentStartsZero
+		}
+		_, err = strconv.ParseUint(m[1], 10, 64)
+		if err != nil {
+			return fmt.Errorf("error parsing version segment: %w", err)
+		}
+	}
+
+	if m[2] != "" {
+		v = strings.TrimPrefix(m[2], ".")
+		if len(v) > 1 && v[0] == '0' {
+			return ErrSegmentStartsZero
+		}
+		_, err = strconv.ParseUint(v, 10, 64)
+		if err != nil {
+			return fmt.Errorf("error parsing version segment: %w", err)
+		}
+	}
+
+	if m[3] != "" {
+		v = strings.TrimPrefix(m[3], ".")
+		if len(v) > 1 && v[0] == '0' {
+			return ErrSegmentStartsZero
+		}
+		_, err = strconv.ParseUint(v, 10, 64)
+		if err != nil {
+			return fmt.Errorf("error parsing version segment: %w", err)
+		}
+	}
+
+	if m[5] != "" {
+		if err = validatePrerelease(m[5]); err != nil {
+			return err
+		}
+	}
+
+	if m[8] != "" {
+		if err = validateMetadata(m[8]); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/.gitignore b/vendor/github.com/Masterminds/sprig/v3/.gitignore
new file mode 100644
index 0000000000..5e3002f88f
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/.gitignore
@@ -0,0 +1,2 @@
+vendor/
+/.glide
diff --git a/vendor/github.com/Masterminds/sprig/v3/CHANGELOG.md b/vendor/github.com/Masterminds/sprig/v3/CHANGELOG.md
new file mode 100644
index 0000000000..b5ef766a7a
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/CHANGELOG.md
@@ -0,0 +1,401 @@
+# Changelog
+
+## Release 3.3.0 (2024-08-29)
+
+### Added
+
+- #400: added sha512sum function (thanks @itzik-elayev)
+
+### Changed
+
+- #407: Removed duplicate documentation (functions were documentated in 2 places)
+- #290: Corrected copy/paster oops in math documentation (thanks @zzhu41)
+- #369: Corrected template reference in docs (thanks @chey)
+- #375: Added link to URL documenation (thanks @carlpett)
+- #406: Updated the mergo dependency which had a breaking change (which was accounted for)
+- #376: Fixed documentation error (thanks @jheyduk)
+- #404: Updated dependency tree
+- #391: Fixed misspelling (thanks @chrishalbert)
+- #405: Updated Go versions used in testing
+
+## Release 3.2.3 (2022-11-29)
+
+### Changed
+
+- Updated docs (thanks @book987 @aJetHorn @neelayu @pellizzetti @apricote @SaigyoujiYuyuko233 @AlekSi)
+- #348: Updated huandu/xstrings which fixed a snake case bug (thanks @yxxhero)
+- #353: Updated masterminds/semver which included bug fixes
+- #354: Updated golang.org/x/crypto which included bug fixes
+
+## Release 3.2.2 (2021-02-04)
+
+This is a re-release of 3.2.1 to satisfy something with the Go module system.
+
+## Release 3.2.1 (2021-02-04)
+
+### Changed
+
+- Upgraded `Masterminds/goutils` to `v1.1.1`. see the [Security Advisory](https://github.com/Masterminds/goutils/security/advisories/GHSA-xg2h-wx96-xgxr)
+
+## Release 3.2.0 (2020-12-14)
+
+### Added
+
+- #211: Added randInt function (thanks @kochurovro)
+- #223: Added fromJson and mustFromJson functions (thanks @mholt)
+- #242: Added a bcrypt function (thanks @robbiet480)
+- #253: Added randBytes function (thanks @MikaelSmith)
+- #254: Added dig function for dicts (thanks @nyarly)
+- #257: Added regexQuoteMeta for quoting regex metadata (thanks @rheaton)
+- #261: Added filepath functions osBase, osDir, osExt, osClean, osIsAbs (thanks @zugl)
+- #268: Added and and all functions for testing conditions (thanks @phuslu)
+- #181: Added float64 arithmetic addf, add1f, subf, divf, mulf, maxf, and minf
+  (thanks @andrewmostello)
+- #265: Added chunk function to split array into smaller arrays (thanks @karelbilek)
+- #270: Extend certificate functions to handle non-RSA keys + add support for
+  ed25519 keys (thanks @misberner)
+
+### Changed
+
+- Removed testing and support for Go 1.12. ed25519 support requires Go 1.13 or newer
+- Using semver 3.1.1 and mergo 0.3.11
+
+### Fixed
+
+- #249: Fix htmlDateInZone example (thanks @spawnia)
+
+NOTE: The dependency github.com/imdario/mergo reverted the breaking change in
+0.3.9 via 0.3.10 release.
+
+## Release 3.1.0 (2020-04-16)
+
+NOTE: The dependency github.com/imdario/mergo made a behavior change in 0.3.9
+that impacts sprig functionality. Do not use sprig with a version newer than 0.3.8.
+
+### Added
+
+- #225: Added support for generating htpasswd hash (thanks @rustycl0ck)
+- #224: Added duration filter (thanks @frebib)
+- #205: Added `seq` function (thanks @thadc23)
+
+### Changed
+
+- #203: Unlambda functions with correct signature (thanks @muesli)
+- #236: Updated the license formatting for GitHub display purposes
+- #238: Updated package dependency versions. Note, mergo not updated to 0.3.9
+        as it causes a breaking change for sprig. That issue is tracked at
+        https://github.com/imdario/mergo/issues/139
+
+### Fixed
+
+- #229: Fix `seq` example in docs (thanks @kalmant)
+
+## Release 3.0.2 (2019-12-13)
+
+### Fixed
+
+- #220: Updating to semver v3.0.3 to fix issue with <= ranges
+- #218: fix typo elyptical->elliptic in ecdsa key description (thanks @laverya)
+
+## Release 3.0.1 (2019-12-08)
+
+### Fixed
+
+- #212: Updated semver fixing broken constraint checking with ^0.0
+
+## Release 3.0.0 (2019-10-02)
+
+### Added
+
+- #187: Added durationRound function (thanks @yjp20)
+- #189: Added numerous template functions that return errors rather than panic (thanks @nrvnrvn)
+- #193: Added toRawJson support (thanks @Dean-Coakley)
+- #197: Added get support to dicts (thanks @Dean-Coakley)
+
+### Changed
+
+- #186: Moving dependency management to Go modules
+- #186: Updated semver to v3. This has changes in the way ^ is handled
+- #194: Updated documentation on merging and how it copies. Added example using deepCopy
+- #196: trunc now supports negative values (thanks @Dean-Coakley)
+
+## Release 2.22.0 (2019-10-02)
+
+### Added
+
+- #173: Added getHostByName function to resolve dns names to ips (thanks @fcgravalos)
+- #195: Added deepCopy function for use with dicts
+
+### Changed
+
+- Updated merge and mergeOverwrite documentation to explain copying and how to
+  use deepCopy with it
+
+## Release 2.21.0 (2019-09-18)
+
+### Added
+
+- #122: Added encryptAES/decryptAES functions (thanks @n0madic)
+- #128: Added toDecimal support (thanks @Dean-Coakley)
+- #169: Added list contcat (thanks @astorath)
+- #174: Added deepEqual function (thanks @bonifaido)
+- #170: Added url parse and join functions (thanks @astorath)
+
+### Changed
+
+- #171: Updated glide config for Google UUID to v1 and to add ranges to semver and testify
+
+### Fixed
+
+- #172: Fix semver wildcard example (thanks @piepmatz)
+- #175: Fix dateInZone doc example (thanks @s3than)
+
+## Release 2.20.0 (2019-06-18)
+
+### Added
+
+- #164: Adding function to get unix epoch for a time (@mattfarina)
+- #166: Adding tests for date_in_zone (@mattfarina)
+
+### Changed
+
+- #144: Fix function comments based on best practices from Effective Go (@CodeLingoTeam)
+- #150: Handles pointer type for time.Time in "htmlDate" (@mapreal19)
+- #161, #157, #160,  #153, #158, #156,  #155,  #159, #152 documentation updates (@badeadan)
+
+### Fixed
+
+## Release 2.19.0 (2019-03-02)
+
+IMPORTANT: This release reverts a change from 2.18.0
+
+In the previous release (2.18), we prematurely merged a partial change to the crypto functions that led to creating two sets of crypto functions (I blame @technosophos -- since that's me). This release rolls back that change, and does what was originally intended: It alters the existing crypto functions to use secure random.
+
+We debated whether this classifies as a change worthy of major revision, but given the proximity to the last release, we have decided that treating 2.18 as a faulty release is the correct course of action. We apologize for any inconvenience.
+
+### Changed
+
+- Fix substr panic 35fb796 (Alexey igrychev)
+- Remove extra period 1eb7729 (Matthew Lorimor)
+- Make random string functions use crypto by default 6ceff26 (Matthew Lorimor)
+- README edits/fixes/suggestions 08fe136 (Lauri Apple)
+
+
+## Release 2.18.0 (2019-02-12)
+
+### Added
+
+- Added mergeOverwrite function
+- cryptographic functions that use secure random (see fe1de12)
+
+### Changed
+
+- Improve documentation of regexMatch function, resolves #139 90b89ce (Jan Tagscherer)
+- Handle has for nil list 9c10885 (Daniel Cohen)
+- Document behaviour of mergeOverwrite fe0dbe9 (Lukas Rieder)
+- doc: adds missing documentation. 4b871e6 (Fernandez Ludovic)
+- Replace outdated goutils imports 01893d2 (Matthew Lorimor)
+- Surface crypto secure random strings from goutils fe1de12 (Matthew Lorimor)
+- Handle untyped nil values as paramters to string functions 2b2ec8f (Morten Torkildsen)
+
+### Fixed
+
+- Fix dict merge issue and provide mergeOverwrite .dst .src1 to overwrite from src -> dst 4c59c12 (Lukas Rieder)
+- Fix substr var names and comments d581f80 (Dean Coakley)
+- Fix substr documentation 2737203 (Dean Coakley)
+
+## Release 2.17.1 (2019-01-03)
+
+### Fixed
+
+The 2.17.0 release did not have a version pinned for xstrings, which caused compilation failures when xstrings < 1.2 was used. This adds the correct version string to glide.yaml.
+
+## Release 2.17.0 (2019-01-03)
+
+### Added
+
+- adds alder32sum function and test 6908fc2 (marshallford)
+- Added kebabcase function ca331a1 (Ilyes512)
+
+### Changed
+
+- Update goutils to 1.1.0 4e1125d (Matt Butcher)
+
+### Fixed
+
+- Fix 'has' documentation e3f2a85 (dean-coakley)
+- docs(dict): fix typo in pick example dc424f9 (Dustin Specker)
+- fixes spelling errors... not sure how that happened 4cf188a (marshallford)
+
+## Release 2.16.0 (2018-08-13)
+
+### Added
+
+- add splitn function fccb0b0 (Helgi Þorbjörnsson)
+- Add slice func df28ca7 (gongdo)
+- Generate serial number a3bdffd (Cody Coons)
+- Extract values of dict with values function df39312 (Lawrence Jones)
+
+### Changed
+
+- Modify panic message for list.slice ae38335 (gongdo)
+- Minor improvement in code quality - Removed an unreachable piece of code at defaults.go#L26:6 - Resolve formatting issues. 5834241 (Abhishek Kashyap)
+- Remove duplicated documentation 1d97af1 (Matthew Fisher)
+- Test on go 1.11 49df809 (Helgi Þormar Þorbjörnsson)
+
+### Fixed
+
+- Fix file permissions c5f40b5 (gongdo)
+- Fix example for buildCustomCert 7779e0d (Tin Lam)
+
+## Release 2.15.0 (2018-04-02)
+
+### Added
+
+- #68 and #69: Add json helpers to docs (thanks @arunvelsriram)
+- #66: Add ternary function (thanks @binoculars)
+- #67: Allow keys function to take multiple dicts (thanks @binoculars)
+- #89: Added sha1sum to crypto function (thanks @benkeil)
+- #81: Allow customizing Root CA that used by genSignedCert (thanks @chenzhiwei)
+- #92: Add travis testing for go 1.10
+- #93: Adding appveyor config for windows testing
+
+### Changed
+
+- #90: Updating to more recent dependencies
+- #73: replace satori/go.uuid with google/uuid (thanks @petterw)
+
+### Fixed
+
+- #76: Fixed documentation typos (thanks @Thiht)
+- Fixed rounding issue on the `ago` function. Note, the removes support for Go 1.8 and older
+
+## Release 2.14.1 (2017-12-01)
+
+### Fixed
+
+- #60: Fix typo in function name documentation (thanks @neil-ca-moore)
+- #61: Removing line with {{ due to blocking github pages genertion
+- #64: Update the list functions to handle int, string, and other slices for compatibility
+
+## Release 2.14.0 (2017-10-06)
+
+This new version of Sprig adds a set of functions for generating and working with SSL certificates.
+
+- `genCA` generates an SSL Certificate Authority
+- `genSelfSignedCert` generates an SSL self-signed certificate
+- `genSignedCert` generates an SSL certificate and key based on a given CA
+
+## Release 2.13.0 (2017-09-18)
+
+This release adds new functions, including:
+
+- `regexMatch`, `regexFindAll`, `regexFind`, `regexReplaceAll`, `regexReplaceAllLiteral`, and `regexSplit` to work with regular expressions
+- `floor`, `ceil`, and `round` math functions
+- `toDate` converts a string to a date
+- `nindent` is just like `indent` but also prepends a new line
+- `ago` returns the time from `time.Now`
+
+### Added
+
+- #40: Added basic regex functionality (thanks @alanquillin)
+- #41: Added ceil floor and round functions (thanks @alanquillin)
+- #48: Added toDate function (thanks @andreynering)
+- #50: Added nindent function (thanks @binoculars)
+- #46: Added ago function (thanks @slayer)
+
+### Changed
+
+- #51: Updated godocs to include new string functions (thanks @curtisallen)
+- #49: Added ability to merge multiple dicts (thanks @binoculars)
+
+## Release 2.12.0 (2017-05-17)
+
+- `snakecase`, `camelcase`, and `shuffle` are three new string functions
+- `fail` allows you to bail out of a template render when conditions are not met
+
+## Release 2.11.0 (2017-05-02)
+
+- Added `toJson` and `toPrettyJson`
+- Added `merge`
+- Refactored documentation
+
+## Release 2.10.0 (2017-03-15)
+
+- Added `semver` and `semverCompare` for Semantic Versions
+- `list` replaces `tuple`
+- Fixed issue with `join`
+- Added `first`, `last`, `initial`, `rest`, `prepend`, `append`, `toString`, `toStrings`, `sortAlpha`, `reverse`, `coalesce`, `pluck`, `pick`, `compact`, `keys`, `omit`, `uniq`, `has`, `without`
+
+## Release 2.9.0 (2017-02-23)
+
+- Added `splitList` to split a list
+- Added crypto functions of `genPrivateKey` and `derivePassword`
+
+## Release 2.8.0 (2016-12-21)
+
+- Added access to several path functions (`base`, `dir`, `clean`, `ext`, and `abs`)
+- Added functions for _mutating_ dictionaries (`set`, `unset`, `hasKey`)
+
+## Release 2.7.0 (2016-12-01)
+
+- Added `sha256sum` to generate a hash of an input
+- Added functions to convert a numeric or string to `int`, `int64`, `float64`
+
+## Release 2.6.0 (2016-10-03)
+
+- Added a `uuidv4` template function for generating UUIDs inside of a template.
+
+## Release 2.5.0 (2016-08-19)
+
+- New `trimSuffix`, `trimPrefix`, `hasSuffix`, and `hasPrefix` functions
+- New aliases have been added for a few functions that didn't follow the naming conventions (`trimAll` and `abbrevBoth`)
+- `trimall` and `abbrevboth` (notice the case) are deprecated and will be removed in 3.0.0
+
+## Release 2.4.0 (2016-08-16)
+
+- Adds two functions: `until` and `untilStep`
+
+## Release 2.3.0 (2016-06-21)
+
+- cat: Concatenate strings with whitespace separators.
+- replace: Replace parts of a string: `replace " " "-" "Me First"` renders "Me-First"
+- plural: Format plurals: `len "foo" | plural "one foo" "many foos"` renders "many foos"
+- indent: Indent blocks of text in a way that is sensitive to "\n" characters.
+
+## Release 2.2.0 (2016-04-21)
+
+- Added a `genPrivateKey` function (Thanks @bacongobbler)
+
+## Release 2.1.0 (2016-03-30)
+
+- `default` now prints the default value when it does not receive a value down the pipeline. It is much safer now to do `{{.Foo | default "bar"}}`.
+- Added accessors for "hermetic" functions. These return only functions that, when given the same input, produce the same output.
+
+## Release 2.0.0 (2016-03-29)
+
+Because we switched from `int` to `int64` as the return value for all integer math functions, the library's major version number has been incremented.
+
+- `min` complements `max` (formerly `biggest`)
+- `empty` indicates that a value is the empty value for its type
+- `tuple` creates a tuple inside of a template: `{{$t := tuple "a", "b" "c"}}`
+- `dict` creates a dictionary inside of a template `{{$d := dict "key1" "val1" "key2" "val2"}}`
+- Date formatters have been added for HTML dates (as used in `date` input fields)
+- Integer math functions can convert from a number of types, including `string` (via `strconv.ParseInt`).
+
+## Release 1.2.0 (2016-02-01)
+
+- Added quote and squote
+- Added b32enc and b32dec
+- add now takes varargs
+- biggest now takes varargs
+
+## Release 1.1.0 (2015-12-29)
+
+- Added #4: Added contains function. strings.Contains, but with the arguments
+  switched to simplify common pipelines. (thanks krancour)
+- Added Travis-CI testing support
+
+## Release 1.0.0 (2015-12-23)
+
+- Initial release
diff --git a/vendor/github.com/Masterminds/sprig/v3/LICENSE.txt b/vendor/github.com/Masterminds/sprig/v3/LICENSE.txt
new file mode 100644
index 0000000000..f311b1eaaa
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/LICENSE.txt
@@ -0,0 +1,19 @@
+Copyright (C) 2013-2020 Masterminds
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/Masterminds/sprig/v3/Makefile b/vendor/github.com/Masterminds/sprig/v3/Makefile
new file mode 100644
index 0000000000..78d409cde2
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/Makefile
@@ -0,0 +1,9 @@
+.PHONY: test
+test:
+	@echo "==> Running tests"
+	GO111MODULE=on go test -v
+
+.PHONY: test-cover
+test-cover:
+	@echo "==> Running Tests with coverage"
+	GO111MODULE=on go test -cover .
diff --git a/vendor/github.com/Masterminds/sprig/v3/README.md b/vendor/github.com/Masterminds/sprig/v3/README.md
new file mode 100644
index 0000000000..3e22c60e1a
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/README.md
@@ -0,0 +1,100 @@
+# Sprig: Template functions for Go templates
+
+[![GoDoc](https://img.shields.io/static/v1?label=godoc&message=reference&color=blue)](https://pkg.go.dev/github.com/Masterminds/sprig/v3)
+[![Go Report Card](https://goreportcard.com/badge/github.com/Masterminds/sprig)](https://goreportcard.com/report/github.com/Masterminds/sprig)
+[![Stability: Sustained](https://masterminds.github.io/stability/sustained.svg)](https://masterminds.github.io/stability/sustained.html)
+[![](https://github.com/Masterminds/sprig/workflows/Tests/badge.svg)](https://github.com/Masterminds/sprig/actions)
+
+The Go language comes with a [built-in template
+language](http://golang.org/pkg/text/template/), but not
+very many template functions. Sprig is a library that provides more than 100 commonly
+used template functions.
+
+It is inspired by the template functions found in
+[Twig](http://twig.sensiolabs.org/documentation) and in various
+JavaScript libraries, such as [underscore.js](http://underscorejs.org/).
+
+## IMPORTANT NOTES
+
+Sprig leverages [mergo](https://github.com/imdario/mergo) to handle merges. In
+its v0.3.9 release, there was a behavior change that impacts merging template
+functions in sprig. It is currently recommended to use v0.3.10 or later of that package.
+Using v0.3.9 will cause sprig tests to fail.
+
+## Package Versions
+
+There are two active major versions of the `sprig` package.
+
+* v3 is currently stable release series on the `master` branch. The Go API should
+  remain compatible with v2, the current stable version. Behavior change behind
+  some functions is the reason for the new major version.
+* v2 is the previous stable release series. It has been more than three years since
+  the initial release of v2. You can read the documentation and see the code
+  on the [release-2](https://github.com/Masterminds/sprig/tree/release-2) branch.
+  Bug fixes to this major version will continue for some time.
+
+## Usage
+
+**Template developers**: Please use Sprig's [function documentation](http://masterminds.github.io/sprig/) for
+detailed instructions and code snippets for the >100 template functions available.
+
+**Go developers**: If you'd like to include Sprig as a library in your program,
+our API documentation is available [at GoDoc.org](http://godoc.org/github.com/Masterminds/sprig).
+
+For standard usage, read on.
+
+### Load the Sprig library
+
+To load the Sprig `FuncMap`:
+
+```go
+
+import (
+  "github.com/Masterminds/sprig/v3"
+  "html/template"
+)
+
+// This example illustrates that the FuncMap *must* be set before the
+// templates themselves are loaded.
+tpl := template.Must(
+  template.New("base").Funcs(sprig.FuncMap()).ParseGlob("*.html")
+)
+
+
+```
+
+### Calling the functions inside of templates
+
+By convention, all functions are lowercase. This seems to follow the Go
+idiom for template functions (as opposed to template methods, which are
+TitleCase). For example, this:
+
+```
+{{ "hello!" | upper | repeat 5 }}
+```
+
+produces this:
+
+```
+HELLO!HELLO!HELLO!HELLO!HELLO!
+```
+
+## Principles Driving Our Function Selection
+
+We followed these principles to decide which functions to add and how to implement them:
+
+- Use template functions to build layout. The following
+  types of operations are within the domain of template functions:
+  - Formatting
+  - Layout
+  - Simple type conversions
+  - Utilities that assist in handling common formatting and layout needs (e.g. arithmetic)
+- Template functions should not return errors unless there is no way to print
+  a sensible value. For example, converting a string to an integer should not
+  produce an error if conversion fails. Instead, it should display a default
+  value.
+- Simple math is necessary for grid layouts, pagers, and so on. Complex math
+  (anything other than arithmetic) should be done outside of templates.
+- Template functions only deal with the data passed into them. They never retrieve
+  data from a source.
+- Finally, do not override core Go template functions.
diff --git a/vendor/github.com/Masterminds/sprig/v3/crypto.go b/vendor/github.com/Masterminds/sprig/v3/crypto.go
new file mode 100644
index 0000000000..75fe027e4d
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/crypto.go
@@ -0,0 +1,659 @@
+package sprig
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/base64"
+	"encoding/binary"
+	"encoding/hex"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"hash/adler32"
+	"io"
+	"math/big"
+	"net"
+	"time"
+
+	"strings"
+
+	"github.com/google/uuid"
+	bcrypt_lib "golang.org/x/crypto/bcrypt"
+	"golang.org/x/crypto/scrypt"
+)
+
+func sha512sum(input string) string {
+	hash := sha512.Sum512([]byte(input))
+	return hex.EncodeToString(hash[:])
+}
+
+func sha256sum(input string) string {
+	hash := sha256.Sum256([]byte(input))
+	return hex.EncodeToString(hash[:])
+}
+
+func sha1sum(input string) string {
+	hash := sha1.Sum([]byte(input))
+	return hex.EncodeToString(hash[:])
+}
+
+func adler32sum(input string) string {
+	hash := adler32.Checksum([]byte(input))
+	return fmt.Sprintf("%d", hash)
+}
+
+func bcrypt(input string) string {
+	hash, err := bcrypt_lib.GenerateFromPassword([]byte(input), bcrypt_lib.DefaultCost)
+	if err != nil {
+		return fmt.Sprintf("failed to encrypt string with bcrypt: %s", err)
+	}
+
+	return string(hash)
+}
+
+func htpasswd(username string, password string) string {
+	if strings.Contains(username, ":") {
+		return fmt.Sprintf("invalid username: %s", username)
+	}
+	return fmt.Sprintf("%s:%s", username, bcrypt(password))
+}
+
+func randBytes(count int) (string, error) {
+	buf := make([]byte, count)
+	if _, err := rand.Read(buf); err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(buf), nil
+}
+
+// uuidv4 provides a safe and secure UUID v4 implementation
+func uuidv4() string {
+	return uuid.New().String()
+}
+
+var masterPasswordSeed = "com.lyndir.masterpassword"
+
+var passwordTypeTemplates = map[string][][]byte{
+	"maximum": {[]byte("anoxxxxxxxxxxxxxxxxx"), []byte("axxxxxxxxxxxxxxxxxno")},
+	"long": {[]byte("CvcvnoCvcvCvcv"), []byte("CvcvCvcvnoCvcv"), []byte("CvcvCvcvCvcvno"), []byte("CvccnoCvcvCvcv"), []byte("CvccCvcvnoCvcv"),
+		[]byte("CvccCvcvCvcvno"), []byte("CvcvnoCvccCvcv"), []byte("CvcvCvccnoCvcv"), []byte("CvcvCvccCvcvno"), []byte("CvcvnoCvcvCvcc"),
+		[]byte("CvcvCvcvnoCvcc"), []byte("CvcvCvcvCvccno"), []byte("CvccnoCvccCvcv"), []byte("CvccCvccnoCvcv"), []byte("CvccCvccCvcvno"),
+		[]byte("CvcvnoCvccCvcc"), []byte("CvcvCvccnoCvcc"), []byte("CvcvCvccCvccno"), []byte("CvccnoCvcvCvcc"), []byte("CvccCvcvnoCvcc"),
+		[]byte("CvccCvcvCvccno")},
+	"medium": {[]byte("CvcnoCvc"), []byte("CvcCvcno")},
+	"short":  {[]byte("Cvcn")},
+	"basic":  {[]byte("aaanaaan"), []byte("aannaaan"), []byte("aaannaaa")},
+	"pin":    {[]byte("nnnn")},
+}
+
+var templateCharacters = map[byte]string{
+	'V': "AEIOU",
+	'C': "BCDFGHJKLMNPQRSTVWXYZ",
+	'v': "aeiou",
+	'c': "bcdfghjklmnpqrstvwxyz",
+	'A': "AEIOUBCDFGHJKLMNPQRSTVWXYZ",
+	'a': "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz",
+	'n': "0123456789",
+	'o': "@&%?,=[]_:-+*$#!'^~;()/.",
+	'x': "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()",
+}
+
+func derivePassword(counter uint32, passwordType, password, user, site string) string {
+	var templates = passwordTypeTemplates[passwordType]
+	if templates == nil {
+		return fmt.Sprintf("cannot find password template %s", passwordType)
+	}
+
+	var buffer bytes.Buffer
+	buffer.WriteString(masterPasswordSeed)
+	binary.Write(&buffer, binary.BigEndian, uint32(len(user)))
+	buffer.WriteString(user)
+
+	salt := buffer.Bytes()
+	key, err := scrypt.Key([]byte(password), salt, 32768, 8, 2, 64)
+	if err != nil {
+		return fmt.Sprintf("failed to derive password: %s", err)
+	}
+
+	buffer.Truncate(len(masterPasswordSeed))
+	binary.Write(&buffer, binary.BigEndian, uint32(len(site)))
+	buffer.WriteString(site)
+	binary.Write(&buffer, binary.BigEndian, counter)
+
+	var hmacv = hmac.New(sha256.New, key)
+	hmacv.Write(buffer.Bytes())
+	var seed = hmacv.Sum(nil)
+	var temp = templates[int(seed[0])%len(templates)]
+
+	buffer.Truncate(0)
+	for i, element := range temp {
+		passChars := templateCharacters[element]
+		passChar := passChars[int(seed[i+1])%len(passChars)]
+		buffer.WriteByte(passChar)
+	}
+
+	return buffer.String()
+}
+
+func generatePrivateKey(typ string) string {
+	var priv interface{}
+	var err error
+	switch typ {
+	case "", "rsa":
+		// good enough for government work
+		priv, err = rsa.GenerateKey(rand.Reader, 4096)
+	case "dsa":
+		key := new(dsa.PrivateKey)
+		// again, good enough for government work
+		if err = dsa.GenerateParameters(&key.Parameters, rand.Reader, dsa.L2048N256); err != nil {
+			return fmt.Sprintf("failed to generate dsa params: %s", err)
+		}
+		err = dsa.GenerateKey(key, rand.Reader)
+		priv = key
+	case "ecdsa":
+		// again, good enough for government work
+		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case "ed25519":
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
+	default:
+		return "Unknown type " + typ
+	}
+	if err != nil {
+		return fmt.Sprintf("failed to generate private key: %s", err)
+	}
+
+	return string(pem.EncodeToMemory(pemBlockForKey(priv)))
+}
+
+// DSAKeyFormat stores the format for DSA keys.
+// Used by pemBlockForKey
+type DSAKeyFormat struct {
+	Version       int
+	P, Q, G, Y, X *big.Int
+}
+
+func pemBlockForKey(priv interface{}) *pem.Block {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
+	case *dsa.PrivateKey:
+		val := DSAKeyFormat{
+			P: k.P, Q: k.Q, G: k.G,
+			Y: k.Y, X: k.X,
+		}
+		bytes, _ := asn1.Marshal(val)
+		return &pem.Block{Type: "DSA PRIVATE KEY", Bytes: bytes}
+	case *ecdsa.PrivateKey:
+		b, _ := x509.MarshalECPrivateKey(k)
+		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
+	default:
+		// attempt PKCS#8 format for all other keys
+		b, err := x509.MarshalPKCS8PrivateKey(k)
+		if err != nil {
+			return nil
+		}
+		return &pem.Block{Type: "PRIVATE KEY", Bytes: b}
+	}
+}
+
+func parsePrivateKeyPEM(pemBlock string) (crypto.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(pemBlock))
+	if block == nil {
+		return nil, errors.New("no PEM data in input")
+	}
+
+	if block.Type == "PRIVATE KEY" {
+		priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("decoding PEM as PKCS#8: %s", err)
+		}
+		return priv, nil
+	} else if !strings.HasSuffix(block.Type, " PRIVATE KEY") {
+		return nil, fmt.Errorf("no private key data in PEM block of type %s", block.Type)
+	}
+
+	switch block.Type[:len(block.Type)-12] { // strip " PRIVATE KEY"
+	case "RSA":
+		priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("parsing RSA private key from PEM: %s", err)
+		}
+		return priv, nil
+	case "EC":
+		priv, err := x509.ParseECPrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("parsing EC private key from PEM: %s", err)
+		}
+		return priv, nil
+	case "DSA":
+		var k DSAKeyFormat
+		_, err := asn1.Unmarshal(block.Bytes, &k)
+		if err != nil {
+			return nil, fmt.Errorf("parsing DSA private key from PEM: %s", err)
+		}
+		priv := &dsa.PrivateKey{
+			PublicKey: dsa.PublicKey{
+				Parameters: dsa.Parameters{
+					P: k.P, Q: k.Q, G: k.G,
+				},
+				Y: k.Y,
+			},
+			X: k.X,
+		}
+		return priv, nil
+	default:
+		return nil, fmt.Errorf("invalid private key type %s", block.Type)
+	}
+}
+
+func getPublicKey(priv crypto.PrivateKey) (crypto.PublicKey, error) {
+	switch k := priv.(type) {
+	case interface{ Public() crypto.PublicKey }:
+		return k.Public(), nil
+	case *dsa.PrivateKey:
+		return &k.PublicKey, nil
+	default:
+		return nil, fmt.Errorf("unable to get public key for type %T", priv)
+	}
+}
+
+type certificate struct {
+	Cert string
+	Key  string
+}
+
+func buildCustomCertificate(b64cert string, b64key string) (certificate, error) {
+	crt := certificate{}
+
+	cert, err := base64.StdEncoding.DecodeString(b64cert)
+	if err != nil {
+		return crt, errors.New("unable to decode base64 certificate")
+	}
+
+	key, err := base64.StdEncoding.DecodeString(b64key)
+	if err != nil {
+		return crt, errors.New("unable to decode base64 private key")
+	}
+
+	decodedCert, _ := pem.Decode(cert)
+	if decodedCert == nil {
+		return crt, errors.New("unable to decode certificate")
+	}
+	_, err = x509.ParseCertificate(decodedCert.Bytes)
+	if err != nil {
+		return crt, fmt.Errorf(
+			"error parsing certificate: decodedCert.Bytes: %s",
+			err,
+		)
+	}
+
+	_, err = parsePrivateKeyPEM(string(key))
+	if err != nil {
+		return crt, fmt.Errorf(
+			"error parsing private key: %s",
+			err,
+		)
+	}
+
+	crt.Cert = string(cert)
+	crt.Key = string(key)
+
+	return crt, nil
+}
+
+func generateCertificateAuthority(
+	cn string,
+	daysValid int,
+) (certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+
+	return generateCertificateAuthorityWithKeyInternal(cn, daysValid, priv)
+}
+
+func generateCertificateAuthorityWithPEMKey(
+	cn string,
+	daysValid int,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
+	if err != nil {
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
+	}
+	return generateCertificateAuthorityWithKeyInternal(cn, daysValid, priv)
+}
+
+func generateCertificateAuthorityWithKeyInternal(
+	cn string,
+	daysValid int,
+	priv crypto.PrivateKey,
+) (certificate, error) {
+	ca := certificate{}
+
+	template, err := getBaseCertTemplate(cn, nil, nil, daysValid)
+	if err != nil {
+		return ca, err
+	}
+	// Override KeyUsage and IsCA
+	template.KeyUsage = x509.KeyUsageKeyEncipherment |
+		x509.KeyUsageDigitalSignature |
+		x509.KeyUsageCertSign
+	template.IsCA = true
+
+	ca.Cert, ca.Key, err = getCertAndKey(template, priv, template, priv)
+
+	return ca, err
+}
+
+func generateSelfSignedCertificate(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+) (certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+	return generateSelfSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, priv)
+}
+
+func generateSelfSignedCertificateWithPEMKey(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
+	if err != nil {
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
+	}
+	return generateSelfSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, priv)
+}
+
+func generateSelfSignedCertificateWithKeyInternal(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	priv crypto.PrivateKey,
+) (certificate, error) {
+	cert := certificate{}
+
+	template, err := getBaseCertTemplate(cn, ips, alternateDNS, daysValid)
+	if err != nil {
+		return cert, err
+	}
+
+	cert.Cert, cert.Key, err = getCertAndKey(template, priv, template, priv)
+
+	return cert, err
+}
+
+func generateSignedCertificate(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	ca certificate,
+) (certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+	return generateSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, ca, priv)
+}
+
+func generateSignedCertificateWithPEMKey(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	ca certificate,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
+	if err != nil {
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
+	}
+	return generateSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, ca, priv)
+}
+
+func generateSignedCertificateWithKeyInternal(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	ca certificate,
+	priv crypto.PrivateKey,
+) (certificate, error) {
+	cert := certificate{}
+
+	decodedSignerCert, _ := pem.Decode([]byte(ca.Cert))
+	if decodedSignerCert == nil {
+		return cert, errors.New("unable to decode certificate")
+	}
+	signerCert, err := x509.ParseCertificate(decodedSignerCert.Bytes)
+	if err != nil {
+		return cert, fmt.Errorf(
+			"error parsing certificate: decodedSignerCert.Bytes: %s",
+			err,
+		)
+	}
+	signerKey, err := parsePrivateKeyPEM(ca.Key)
+	if err != nil {
+		return cert, fmt.Errorf(
+			"error parsing private key: %s",
+			err,
+		)
+	}
+
+	template, err := getBaseCertTemplate(cn, ips, alternateDNS, daysValid)
+	if err != nil {
+		return cert, err
+	}
+
+	cert.Cert, cert.Key, err = getCertAndKey(
+		template,
+		priv,
+		signerCert,
+		signerKey,
+	)
+
+	return cert, err
+}
+
+func getCertAndKey(
+	template *x509.Certificate,
+	signeeKey crypto.PrivateKey,
+	parent *x509.Certificate,
+	signingKey crypto.PrivateKey,
+) (string, string, error) {
+	signeePubKey, err := getPublicKey(signeeKey)
+	if err != nil {
+		return "", "", fmt.Errorf("error retrieving public key from signee key: %s", err)
+	}
+	derBytes, err := x509.CreateCertificate(
+		rand.Reader,
+		template,
+		parent,
+		signeePubKey,
+		signingKey,
+	)
+	if err != nil {
+		return "", "", fmt.Errorf("error creating certificate: %s", err)
+	}
+
+	certBuffer := bytes.Buffer{}
+	if err := pem.Encode(
+		&certBuffer,
+		&pem.Block{Type: "CERTIFICATE", Bytes: derBytes},
+	); err != nil {
+		return "", "", fmt.Errorf("error pem-encoding certificate: %s", err)
+	}
+
+	keyBuffer := bytes.Buffer{}
+	if err := pem.Encode(
+		&keyBuffer,
+		pemBlockForKey(signeeKey),
+	); err != nil {
+		return "", "", fmt.Errorf("error pem-encoding key: %s", err)
+	}
+
+	return certBuffer.String(), keyBuffer.String(), nil
+}
+
+func getBaseCertTemplate(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+) (*x509.Certificate, error) {
+	ipAddresses, err := getNetIPs(ips)
+	if err != nil {
+		return nil, err
+	}
+	dnsNames, err := getAlternateDNSStrs(alternateDNS)
+	if err != nil {
+		return nil, err
+	}
+	serialNumberUpperBound := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberUpperBound)
+	if err != nil {
+		return nil, err
+	}
+	return &x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: cn,
+		},
+		IPAddresses: ipAddresses,
+		DNSNames:    dnsNames,
+		NotBefore:   time.Now(),
+		NotAfter:    time.Now().Add(time.Hour * 24 * time.Duration(daysValid)),
+		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+			x509.ExtKeyUsageClientAuth,
+		},
+		BasicConstraintsValid: true,
+	}, nil
+}
+
+func getNetIPs(ips []interface{}) ([]net.IP, error) {
+	if ips == nil {
+		return []net.IP{}, nil
+	}
+	var ipStr string
+	var ok bool
+	var netIP net.IP
+	netIPs := make([]net.IP, len(ips))
+	for i, ip := range ips {
+		ipStr, ok = ip.(string)
+		if !ok {
+			return nil, fmt.Errorf("error parsing ip: %v is not a string", ip)
+		}
+		netIP = net.ParseIP(ipStr)
+		if netIP == nil {
+			return nil, fmt.Errorf("error parsing ip: %s", ipStr)
+		}
+		netIPs[i] = netIP
+	}
+	return netIPs, nil
+}
+
+func getAlternateDNSStrs(alternateDNS []interface{}) ([]string, error) {
+	if alternateDNS == nil {
+		return []string{}, nil
+	}
+	var dnsStr string
+	var ok bool
+	alternateDNSStrs := make([]string, len(alternateDNS))
+	for i, dns := range alternateDNS {
+		dnsStr, ok = dns.(string)
+		if !ok {
+			return nil, fmt.Errorf(
+				"error processing alternate dns name: %v is not a string",
+				dns,
+			)
+		}
+		alternateDNSStrs[i] = dnsStr
+	}
+	return alternateDNSStrs, nil
+}
+
+func encryptAES(password string, plaintext string) (string, error) {
+	if plaintext == "" {
+		return "", nil
+	}
+
+	key := make([]byte, 32)
+	copy(key, []byte(password))
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+
+	content := []byte(plaintext)
+	blockSize := block.BlockSize()
+	padding := blockSize - len(content)%blockSize
+	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
+	content = append(content, padtext...)
+
+	ciphertext := make([]byte, aes.BlockSize+len(content))
+
+	iv := ciphertext[:aes.BlockSize]
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return "", err
+	}
+
+	mode := cipher.NewCBCEncrypter(block, iv)
+	mode.CryptBlocks(ciphertext[aes.BlockSize:], content)
+
+	return base64.StdEncoding.EncodeToString(ciphertext), nil
+}
+
+func decryptAES(password string, crypt64 string) (string, error) {
+	if crypt64 == "" {
+		return "", nil
+	}
+
+	key := make([]byte, 32)
+	copy(key, []byte(password))
+
+	crypt, err := base64.StdEncoding.DecodeString(crypt64)
+	if err != nil {
+		return "", err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+
+	iv := crypt[:aes.BlockSize]
+	crypt = crypt[aes.BlockSize:]
+	decrypted := make([]byte, len(crypt))
+	mode := cipher.NewCBCDecrypter(block, iv)
+	mode.CryptBlocks(decrypted, crypt)
+
+	return string(decrypted[:len(decrypted)-int(decrypted[len(decrypted)-1])]), nil
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/date.go b/vendor/github.com/Masterminds/sprig/v3/date.go
new file mode 100644
index 0000000000..ed022ddaca
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/date.go
@@ -0,0 +1,152 @@
+package sprig
+
+import (
+	"strconv"
+	"time"
+)
+
+// Given a format and a date, format the date string.
+//
+// Date can be a `time.Time` or an `int, int32, int64`.
+// In the later case, it is treated as seconds since UNIX
+// epoch.
+func date(fmt string, date interface{}) string {
+	return dateInZone(fmt, date, "Local")
+}
+
+func htmlDate(date interface{}) string {
+	return dateInZone("2006-01-02", date, "Local")
+}
+
+func htmlDateInZone(date interface{}, zone string) string {
+	return dateInZone("2006-01-02", date, zone)
+}
+
+func dateInZone(fmt string, date interface{}, zone string) string {
+	var t time.Time
+	switch date := date.(type) {
+	default:
+		t = time.Now()
+	case time.Time:
+		t = date
+	case *time.Time:
+		t = *date
+	case int64:
+		t = time.Unix(date, 0)
+	case int:
+		t = time.Unix(int64(date), 0)
+	case int32:
+		t = time.Unix(int64(date), 0)
+	}
+
+	loc, err := time.LoadLocation(zone)
+	if err != nil {
+		loc, _ = time.LoadLocation("UTC")
+	}
+
+	return t.In(loc).Format(fmt)
+}
+
+func dateModify(fmt string, date time.Time) time.Time {
+	d, err := time.ParseDuration(fmt)
+	if err != nil {
+		return date
+	}
+	return date.Add(d)
+}
+
+func mustDateModify(fmt string, date time.Time) (time.Time, error) {
+	d, err := time.ParseDuration(fmt)
+	if err != nil {
+		return time.Time{}, err
+	}
+	return date.Add(d), nil
+}
+
+func dateAgo(date interface{}) string {
+	var t time.Time
+
+	switch date := date.(type) {
+	default:
+		t = time.Now()
+	case time.Time:
+		t = date
+	case int64:
+		t = time.Unix(date, 0)
+	case int:
+		t = time.Unix(int64(date), 0)
+	}
+	// Drop resolution to seconds
+	duration := time.Since(t).Round(time.Second)
+	return duration.String()
+}
+
+func duration(sec interface{}) string {
+	var n int64
+	switch value := sec.(type) {
+	default:
+		n = 0
+	case string:
+		n, _ = strconv.ParseInt(value, 10, 64)
+	case int64:
+		n = value
+	}
+	return (time.Duration(n) * time.Second).String()
+}
+
+func durationRound(duration interface{}) string {
+	var d time.Duration
+	switch duration := duration.(type) {
+	default:
+		d = 0
+	case string:
+		d, _ = time.ParseDuration(duration)
+	case int64:
+		d = time.Duration(duration)
+	case time.Time:
+		d = time.Since(duration)
+	}
+
+	u := uint64(d)
+	neg := d < 0
+	if neg {
+		u = -u
+	}
+
+	var (
+		year   = uint64(time.Hour) * 24 * 365
+		month  = uint64(time.Hour) * 24 * 30
+		day    = uint64(time.Hour) * 24
+		hour   = uint64(time.Hour)
+		minute = uint64(time.Minute)
+		second = uint64(time.Second)
+	)
+	switch {
+	case u > year:
+		return strconv.FormatUint(u/year, 10) + "y"
+	case u > month:
+		return strconv.FormatUint(u/month, 10) + "mo"
+	case u > day:
+		return strconv.FormatUint(u/day, 10) + "d"
+	case u > hour:
+		return strconv.FormatUint(u/hour, 10) + "h"
+	case u > minute:
+		return strconv.FormatUint(u/minute, 10) + "m"
+	case u > second:
+		return strconv.FormatUint(u/second, 10) + "s"
+	}
+	return "0s"
+}
+
+func toDate(fmt, str string) time.Time {
+	t, _ := time.ParseInLocation(fmt, str, time.Local)
+	return t
+}
+
+func mustToDate(fmt, str string) (time.Time, error) {
+	return time.ParseInLocation(fmt, str, time.Local)
+}
+
+func unixEpoch(date time.Time) string {
+	return strconv.FormatInt(date.Unix(), 10)
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/defaults.go b/vendor/github.com/Masterminds/sprig/v3/defaults.go
new file mode 100644
index 0000000000..b9f979666d
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/defaults.go
@@ -0,0 +1,163 @@
+package sprig
+
+import (
+	"bytes"
+	"encoding/json"
+	"math/rand"
+	"reflect"
+	"strings"
+	"time"
+)
+
+func init() {
+	rand.Seed(time.Now().UnixNano())
+}
+
+// dfault checks whether `given` is set, and returns default if not set.
+//
+// This returns `d` if `given` appears not to be set, and `given` otherwise.
+//
+// For numeric types 0 is unset.
+// For strings, maps, arrays, and slices, len() = 0 is considered unset.
+// For bool, false is unset.
+// Structs are never considered unset.
+//
+// For everything else, including pointers, a nil value is unset.
+func dfault(d interface{}, given ...interface{}) interface{} {
+
+	if empty(given) || empty(given[0]) {
+		return d
+	}
+	return given[0]
+}
+
+// empty returns true if the given value has the zero value for its type.
+func empty(given interface{}) bool {
+	g := reflect.ValueOf(given)
+	if !g.IsValid() {
+		return true
+	}
+
+	// Basically adapted from text/template.isTrue
+	switch g.Kind() {
+	default:
+		return g.IsNil()
+	case reflect.Array, reflect.Slice, reflect.Map, reflect.String:
+		return g.Len() == 0
+	case reflect.Bool:
+		return !g.Bool()
+	case reflect.Complex64, reflect.Complex128:
+		return g.Complex() == 0
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return g.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return g.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return g.Float() == 0
+	case reflect.Struct:
+		return false
+	}
+}
+
+// coalesce returns the first non-empty value.
+func coalesce(v ...interface{}) interface{} {
+	for _, val := range v {
+		if !empty(val) {
+			return val
+		}
+	}
+	return nil
+}
+
+// all returns true if empty(x) is false for all values x in the list.
+// If the list is empty, return true.
+func all(v ...interface{}) bool {
+	for _, val := range v {
+		if empty(val) {
+			return false
+		}
+	}
+	return true
+}
+
+// any returns true if empty(x) is false for any x in the list.
+// If the list is empty, return false.
+func any(v ...interface{}) bool {
+	for _, val := range v {
+		if !empty(val) {
+			return true
+		}
+	}
+	return false
+}
+
+// fromJson decodes JSON into a structured value, ignoring errors.
+func fromJson(v string) interface{} {
+	output, _ := mustFromJson(v)
+	return output
+}
+
+// mustFromJson decodes JSON into a structured value, returning errors.
+func mustFromJson(v string) (interface{}, error) {
+	var output interface{}
+	err := json.Unmarshal([]byte(v), &output)
+	return output, err
+}
+
+// toJson encodes an item into a JSON string
+func toJson(v interface{}) string {
+	output, _ := json.Marshal(v)
+	return string(output)
+}
+
+func mustToJson(v interface{}) (string, error) {
+	output, err := json.Marshal(v)
+	if err != nil {
+		return "", err
+	}
+	return string(output), nil
+}
+
+// toPrettyJson encodes an item into a pretty (indented) JSON string
+func toPrettyJson(v interface{}) string {
+	output, _ := json.MarshalIndent(v, "", "  ")
+	return string(output)
+}
+
+func mustToPrettyJson(v interface{}) (string, error) {
+	output, err := json.MarshalIndent(v, "", "  ")
+	if err != nil {
+		return "", err
+	}
+	return string(output), nil
+}
+
+// toRawJson encodes an item into a JSON string with no escaping of HTML characters.
+func toRawJson(v interface{}) string {
+	output, err := mustToRawJson(v)
+	if err != nil {
+		panic(err)
+	}
+	return string(output)
+}
+
+// mustToRawJson encodes an item into a JSON string with no escaping of HTML characters.
+func mustToRawJson(v interface{}) (string, error) {
+	buf := new(bytes.Buffer)
+	enc := json.NewEncoder(buf)
+	enc.SetEscapeHTML(false)
+	err := enc.Encode(&v)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSuffix(buf.String(), "\n"), nil
+}
+
+// ternary returns the first value if the last value is true, otherwise returns the second value.
+func ternary(vt interface{}, vf interface{}, v bool) interface{} {
+	if v {
+		return vt
+	}
+
+	return vf
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/dict.go b/vendor/github.com/Masterminds/sprig/v3/dict.go
new file mode 100644
index 0000000000..4315b3542a
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/dict.go
@@ -0,0 +1,174 @@
+package sprig
+
+import (
+	"dario.cat/mergo"
+	"github.com/mitchellh/copystructure"
+)
+
+func get(d map[string]interface{}, key string) interface{} {
+	if val, ok := d[key]; ok {
+		return val
+	}
+	return ""
+}
+
+func set(d map[string]interface{}, key string, value interface{}) map[string]interface{} {
+	d[key] = value
+	return d
+}
+
+func unset(d map[string]interface{}, key string) map[string]interface{} {
+	delete(d, key)
+	return d
+}
+
+func hasKey(d map[string]interface{}, key string) bool {
+	_, ok := d[key]
+	return ok
+}
+
+func pluck(key string, d ...map[string]interface{}) []interface{} {
+	res := []interface{}{}
+	for _, dict := range d {
+		if val, ok := dict[key]; ok {
+			res = append(res, val)
+		}
+	}
+	return res
+}
+
+func keys(dicts ...map[string]interface{}) []string {
+	k := []string{}
+	for _, dict := range dicts {
+		for key := range dict {
+			k = append(k, key)
+		}
+	}
+	return k
+}
+
+func pick(dict map[string]interface{}, keys ...string) map[string]interface{} {
+	res := map[string]interface{}{}
+	for _, k := range keys {
+		if v, ok := dict[k]; ok {
+			res[k] = v
+		}
+	}
+	return res
+}
+
+func omit(dict map[string]interface{}, keys ...string) map[string]interface{} {
+	res := map[string]interface{}{}
+
+	omit := make(map[string]bool, len(keys))
+	for _, k := range keys {
+		omit[k] = true
+	}
+
+	for k, v := range dict {
+		if _, ok := omit[k]; !ok {
+			res[k] = v
+		}
+	}
+	return res
+}
+
+func dict(v ...interface{}) map[string]interface{} {
+	dict := map[string]interface{}{}
+	lenv := len(v)
+	for i := 0; i < lenv; i += 2 {
+		key := strval(v[i])
+		if i+1 >= lenv {
+			dict[key] = ""
+			continue
+		}
+		dict[key] = v[i+1]
+	}
+	return dict
+}
+
+func merge(dst map[string]interface{}, srcs ...map[string]interface{}) interface{} {
+	for _, src := range srcs {
+		if err := mergo.Merge(&dst, src); err != nil {
+			// Swallow errors inside of a template.
+			return ""
+		}
+	}
+	return dst
+}
+
+func mustMerge(dst map[string]interface{}, srcs ...map[string]interface{}) (interface{}, error) {
+	for _, src := range srcs {
+		if err := mergo.Merge(&dst, src); err != nil {
+			return nil, err
+		}
+	}
+	return dst, nil
+}
+
+func mergeOverwrite(dst map[string]interface{}, srcs ...map[string]interface{}) interface{} {
+	for _, src := range srcs {
+		if err := mergo.MergeWithOverwrite(&dst, src); err != nil {
+			// Swallow errors inside of a template.
+			return ""
+		}
+	}
+	return dst
+}
+
+func mustMergeOverwrite(dst map[string]interface{}, srcs ...map[string]interface{}) (interface{}, error) {
+	for _, src := range srcs {
+		if err := mergo.MergeWithOverwrite(&dst, src); err != nil {
+			return nil, err
+		}
+	}
+	return dst, nil
+}
+
+func values(dict map[string]interface{}) []interface{} {
+	values := []interface{}{}
+	for _, value := range dict {
+		values = append(values, value)
+	}
+
+	return values
+}
+
+func deepCopy(i interface{}) interface{} {
+	c, err := mustDeepCopy(i)
+	if err != nil {
+		panic("deepCopy error: " + err.Error())
+	}
+
+	return c
+}
+
+func mustDeepCopy(i interface{}) (interface{}, error) {
+	return copystructure.Copy(i)
+}
+
+func dig(ps ...interface{}) (interface{}, error) {
+	if len(ps) < 3 {
+		panic("dig needs at least three arguments")
+	}
+	dict := ps[len(ps)-1].(map[string]interface{})
+	def := ps[len(ps)-2]
+	ks := make([]string, len(ps)-2)
+	for i := 0; i < len(ks); i++ {
+		ks[i] = ps[i].(string)
+	}
+
+	return digFromDict(dict, def, ks)
+}
+
+func digFromDict(dict map[string]interface{}, d interface{}, ks []string) (interface{}, error) {
+	k, ns := ks[0], ks[1:len(ks)]
+	step, has := dict[k]
+	if !has {
+		return d, nil
+	}
+	if len(ns) == 0 {
+		return step, nil
+	}
+	return digFromDict(step.(map[string]interface{}), d, ns)
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/doc.go b/vendor/github.com/Masterminds/sprig/v3/doc.go
new file mode 100644
index 0000000000..91031d6d19
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/doc.go
@@ -0,0 +1,19 @@
+/*
+Package sprig provides template functions for Go.
+
+This package contains a number of utility functions for working with data
+inside of Go `html/template` and `text/template` files.
+
+To add these functions, use the `template.Funcs()` method:
+
+	t := template.New("foo").Funcs(sprig.FuncMap())
+
+Note that you should add the function map before you parse any template files.
+
+	In several cases, Sprig reverses the order of arguments from the way they
+	appear in the standard library. This is to make it easier to pipe
+	arguments into functions.
+
+See http://masterminds.github.io/sprig/ for more detailed documentation on each of the available functions.
+*/
+package sprig
diff --git a/vendor/github.com/Masterminds/sprig/v3/functions.go b/vendor/github.com/Masterminds/sprig/v3/functions.go
new file mode 100644
index 0000000000..cda47d26f2
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/functions.go
@@ -0,0 +1,385 @@
+package sprig
+
+import (
+	"errors"
+	"html/template"
+	"math/rand"
+	"os"
+	"path"
+	"path/filepath"
+	"reflect"
+	"strconv"
+	"strings"
+	ttemplate "text/template"
+	"time"
+
+	util "github.com/Masterminds/goutils"
+	"github.com/huandu/xstrings"
+	"github.com/shopspring/decimal"
+)
+
+// FuncMap produces the function map.
+//
+// Use this to pass the functions into the template engine:
+//
+//	tpl := template.New("foo").Funcs(sprig.FuncMap()))
+func FuncMap() template.FuncMap {
+	return HtmlFuncMap()
+}
+
+// HermeticTxtFuncMap returns a 'text/template'.FuncMap with only repeatable functions.
+func HermeticTxtFuncMap() ttemplate.FuncMap {
+	r := TxtFuncMap()
+	for _, name := range nonhermeticFunctions {
+		delete(r, name)
+	}
+	return r
+}
+
+// HermeticHtmlFuncMap returns an 'html/template'.Funcmap with only repeatable functions.
+func HermeticHtmlFuncMap() template.FuncMap {
+	r := HtmlFuncMap()
+	for _, name := range nonhermeticFunctions {
+		delete(r, name)
+	}
+	return r
+}
+
+// TxtFuncMap returns a 'text/template'.FuncMap
+func TxtFuncMap() ttemplate.FuncMap {
+	return ttemplate.FuncMap(GenericFuncMap())
+}
+
+// HtmlFuncMap returns an 'html/template'.Funcmap
+func HtmlFuncMap() template.FuncMap {
+	return template.FuncMap(GenericFuncMap())
+}
+
+// GenericFuncMap returns a copy of the basic function map as a map[string]interface{}.
+func GenericFuncMap() map[string]interface{} {
+	gfm := make(map[string]interface{}, len(genericMap))
+	for k, v := range genericMap {
+		gfm[k] = v
+	}
+	return gfm
+}
+
+// These functions are not guaranteed to evaluate to the same result for given input, because they
+// refer to the environment or global state.
+var nonhermeticFunctions = []string{
+	// Date functions
+	"date",
+	"date_in_zone",
+	"date_modify",
+	"now",
+	"htmlDate",
+	"htmlDateInZone",
+	"dateInZone",
+	"dateModify",
+
+	// Strings
+	"randAlphaNum",
+	"randAlpha",
+	"randAscii",
+	"randNumeric",
+	"randBytes",
+	"uuidv4",
+
+	// OS
+	"env",
+	"expandenv",
+
+	// Network
+	"getHostByName",
+}
+
+var genericMap = map[string]interface{}{
+	"hello": func() string { return "Hello!" },
+
+	// Date functions
+	"ago":              dateAgo,
+	"date":             date,
+	"date_in_zone":     dateInZone,
+	"date_modify":      dateModify,
+	"dateInZone":       dateInZone,
+	"dateModify":       dateModify,
+	"duration":         duration,
+	"durationRound":    durationRound,
+	"htmlDate":         htmlDate,
+	"htmlDateInZone":   htmlDateInZone,
+	"must_date_modify": mustDateModify,
+	"mustDateModify":   mustDateModify,
+	"mustToDate":       mustToDate,
+	"now":              time.Now,
+	"toDate":           toDate,
+	"unixEpoch":        unixEpoch,
+
+	// Strings
+	"abbrev":     abbrev,
+	"abbrevboth": abbrevboth,
+	"trunc":      trunc,
+	"trim":       strings.TrimSpace,
+	"upper":      strings.ToUpper,
+	"lower":      strings.ToLower,
+	"title":      strings.Title,
+	"untitle":    untitle,
+	"substr":     substring,
+	// Switch order so that "foo" | repeat 5
+	"repeat": func(count int, str string) string { return strings.Repeat(str, count) },
+	// Deprecated: Use trimAll.
+	"trimall": func(a, b string) string { return strings.Trim(b, a) },
+	// Switch order so that "$foo" | trimall "$"
+	"trimAll":      func(a, b string) string { return strings.Trim(b, a) },
+	"trimSuffix":   func(a, b string) string { return strings.TrimSuffix(b, a) },
+	"trimPrefix":   func(a, b string) string { return strings.TrimPrefix(b, a) },
+	"nospace":      util.DeleteWhiteSpace,
+	"initials":     initials,
+	"randAlphaNum": randAlphaNumeric,
+	"randAlpha":    randAlpha,
+	"randAscii":    randAscii,
+	"randNumeric":  randNumeric,
+	"swapcase":     util.SwapCase,
+	"shuffle":      xstrings.Shuffle,
+	"snakecase":    xstrings.ToSnakeCase,
+	// camelcase used to call xstrings.ToCamelCase, but that function had a breaking change in version
+	// 1.5 that moved it from upper camel case to lower camel case. This is a breaking change for sprig.
+	// A new xstrings.ToPascalCase function was added that provided upper camel case.
+	"camelcase": xstrings.ToPascalCase,
+	"kebabcase": xstrings.ToKebabCase,
+	"wrap":      func(l int, s string) string { return util.Wrap(s, l) },
+	"wrapWith":  func(l int, sep, str string) string { return util.WrapCustom(str, l, sep, true) },
+	// Switch order so that "foobar" | contains "foo"
+	"contains":   func(substr string, str string) bool { return strings.Contains(str, substr) },
+	"hasPrefix":  func(substr string, str string) bool { return strings.HasPrefix(str, substr) },
+	"hasSuffix":  func(substr string, str string) bool { return strings.HasSuffix(str, substr) },
+	"quote":      quote,
+	"squote":     squote,
+	"cat":        cat,
+	"indent":     indent,
+	"nindent":    nindent,
+	"replace":    replace,
+	"plural":     plural,
+	"sha1sum":    sha1sum,
+	"sha256sum":  sha256sum,
+	"sha512sum":  sha512sum,
+	"adler32sum": adler32sum,
+	"toString":   strval,
+
+	// Wrap Atoi to stop errors.
+	"atoi":      func(a string) int { i, _ := strconv.Atoi(a); return i },
+	"int64":     toInt64,
+	"int":       toInt,
+	"float64":   toFloat64,
+	"seq":       seq,
+	"toDecimal": toDecimal,
+
+	//"gt": func(a, b int) bool {return a > b},
+	//"gte": func(a, b int) bool {return a >= b},
+	//"lt": func(a, b int) bool {return a < b},
+	//"lte": func(a, b int) bool {return a <= b},
+
+	// split "/" foo/bar returns map[int]string{0: foo, 1: bar}
+	"split":     split,
+	"splitList": func(sep, orig string) []string { return strings.Split(orig, sep) },
+	// splitn "/" foo/bar/fuu returns map[int]string{0: foo, 1: bar/fuu}
+	"splitn":    splitn,
+	"toStrings": strslice,
+
+	"until":     until,
+	"untilStep": untilStep,
+
+	// VERY basic arithmetic.
+	"add1": func(i interface{}) int64 { return toInt64(i) + 1 },
+	"add": func(i ...interface{}) int64 {
+		var a int64 = 0
+		for _, b := range i {
+			a += toInt64(b)
+		}
+		return a
+	},
+	"sub": func(a, b interface{}) int64 { return toInt64(a) - toInt64(b) },
+	"div": func(a, b interface{}) int64 { return toInt64(a) / toInt64(b) },
+	"mod": func(a, b interface{}) int64 { return toInt64(a) % toInt64(b) },
+	"mul": func(a interface{}, v ...interface{}) int64 {
+		val := toInt64(a)
+		for _, b := range v {
+			val = val * toInt64(b)
+		}
+		return val
+	},
+	"randInt": func(min, max int) int { return rand.Intn(max-min) + min },
+	"add1f": func(i interface{}) float64 {
+		return execDecimalOp(i, []interface{}{1}, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Add(d2) })
+	},
+	"addf": func(i ...interface{}) float64 {
+		a := interface{}(float64(0))
+		return execDecimalOp(a, i, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Add(d2) })
+	},
+	"subf": func(a interface{}, v ...interface{}) float64 {
+		return execDecimalOp(a, v, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Sub(d2) })
+	},
+	"divf": func(a interface{}, v ...interface{}) float64 {
+		return execDecimalOp(a, v, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Div(d2) })
+	},
+	"mulf": func(a interface{}, v ...interface{}) float64 {
+		return execDecimalOp(a, v, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Mul(d2) })
+	},
+	"biggest": max,
+	"max":     max,
+	"min":     min,
+	"maxf":    maxf,
+	"minf":    minf,
+	"ceil":    ceil,
+	"floor":   floor,
+	"round":   round,
+
+	// string slices. Note that we reverse the order b/c that's better
+	// for template processing.
+	"join":      join,
+	"sortAlpha": sortAlpha,
+
+	// Defaults
+	"default":          dfault,
+	"empty":            empty,
+	"coalesce":         coalesce,
+	"all":              all,
+	"any":              any,
+	"compact":          compact,
+	"mustCompact":      mustCompact,
+	"fromJson":         fromJson,
+	"toJson":           toJson,
+	"toPrettyJson":     toPrettyJson,
+	"toRawJson":        toRawJson,
+	"mustFromJson":     mustFromJson,
+	"mustToJson":       mustToJson,
+	"mustToPrettyJson": mustToPrettyJson,
+	"mustToRawJson":    mustToRawJson,
+	"ternary":          ternary,
+	"deepCopy":         deepCopy,
+	"mustDeepCopy":     mustDeepCopy,
+
+	// Reflection
+	"typeOf":     typeOf,
+	"typeIs":     typeIs,
+	"typeIsLike": typeIsLike,
+	"kindOf":     kindOf,
+	"kindIs":     kindIs,
+	"deepEqual":  reflect.DeepEqual,
+
+	// OS:
+	"env":       os.Getenv,
+	"expandenv": os.ExpandEnv,
+
+	// Network:
+	"getHostByName": getHostByName,
+
+	// Paths:
+	"base":  path.Base,
+	"dir":   path.Dir,
+	"clean": path.Clean,
+	"ext":   path.Ext,
+	"isAbs": path.IsAbs,
+
+	// Filepaths:
+	"osBase":  filepath.Base,
+	"osClean": filepath.Clean,
+	"osDir":   filepath.Dir,
+	"osExt":   filepath.Ext,
+	"osIsAbs": filepath.IsAbs,
+
+	// Encoding:
+	"b64enc": base64encode,
+	"b64dec": base64decode,
+	"b32enc": base32encode,
+	"b32dec": base32decode,
+
+	// Data Structures:
+	"tuple":              list, // FIXME: with the addition of append/prepend these are no longer immutable.
+	"list":               list,
+	"dict":               dict,
+	"get":                get,
+	"set":                set,
+	"unset":              unset,
+	"hasKey":             hasKey,
+	"pluck":              pluck,
+	"keys":               keys,
+	"pick":               pick,
+	"omit":               omit,
+	"merge":              merge,
+	"mergeOverwrite":     mergeOverwrite,
+	"mustMerge":          mustMerge,
+	"mustMergeOverwrite": mustMergeOverwrite,
+	"values":             values,
+
+	"append": push, "push": push,
+	"mustAppend": mustPush, "mustPush": mustPush,
+	"prepend":     prepend,
+	"mustPrepend": mustPrepend,
+	"first":       first,
+	"mustFirst":   mustFirst,
+	"rest":        rest,
+	"mustRest":    mustRest,
+	"last":        last,
+	"mustLast":    mustLast,
+	"initial":     initial,
+	"mustInitial": mustInitial,
+	"reverse":     reverse,
+	"mustReverse": mustReverse,
+	"uniq":        uniq,
+	"mustUniq":    mustUniq,
+	"without":     without,
+	"mustWithout": mustWithout,
+	"has":         has,
+	"mustHas":     mustHas,
+	"slice":       slice,
+	"mustSlice":   mustSlice,
+	"concat":      concat,
+	"dig":         dig,
+	"chunk":       chunk,
+	"mustChunk":   mustChunk,
+
+	// Crypto:
+	"bcrypt":                   bcrypt,
+	"htpasswd":                 htpasswd,
+	"genPrivateKey":            generatePrivateKey,
+	"derivePassword":           derivePassword,
+	"buildCustomCert":          buildCustomCertificate,
+	"genCA":                    generateCertificateAuthority,
+	"genCAWithKey":             generateCertificateAuthorityWithPEMKey,
+	"genSelfSignedCert":        generateSelfSignedCertificate,
+	"genSelfSignedCertWithKey": generateSelfSignedCertificateWithPEMKey,
+	"genSignedCert":            generateSignedCertificate,
+	"genSignedCertWithKey":     generateSignedCertificateWithPEMKey,
+	"encryptAES":               encryptAES,
+	"decryptAES":               decryptAES,
+	"randBytes":                randBytes,
+
+	// UUIDs:
+	"uuidv4": uuidv4,
+
+	// SemVer:
+	"semver":        semver,
+	"semverCompare": semverCompare,
+
+	// Flow Control:
+	"fail": func(msg string) (string, error) { return "", errors.New(msg) },
+
+	// Regex
+	"regexMatch":                 regexMatch,
+	"mustRegexMatch":             mustRegexMatch,
+	"regexFindAll":               regexFindAll,
+	"mustRegexFindAll":           mustRegexFindAll,
+	"regexFind":                  regexFind,
+	"mustRegexFind":              mustRegexFind,
+	"regexReplaceAll":            regexReplaceAll,
+	"mustRegexReplaceAll":        mustRegexReplaceAll,
+	"regexReplaceAllLiteral":     regexReplaceAllLiteral,
+	"mustRegexReplaceAllLiteral": mustRegexReplaceAllLiteral,
+	"regexSplit":                 regexSplit,
+	"mustRegexSplit":             mustRegexSplit,
+	"regexQuoteMeta":             regexQuoteMeta,
+
+	// URLs:
+	"urlParse": urlParse,
+	"urlJoin":  urlJoin,
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/list.go b/vendor/github.com/Masterminds/sprig/v3/list.go
new file mode 100644
index 0000000000..ca0fbb7893
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/list.go
@@ -0,0 +1,464 @@
+package sprig
+
+import (
+	"fmt"
+	"math"
+	"reflect"
+	"sort"
+)
+
+// Reflection is used in these functions so that slices and arrays of strings,
+// ints, and other types not implementing []interface{} can be worked with.
+// For example, this is useful if you need to work on the output of regexs.
+
+func list(v ...interface{}) []interface{} {
+	return v
+}
+
+func push(list interface{}, v interface{}) []interface{} {
+	l, err := mustPush(list, v)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustPush(list interface{}, v interface{}) ([]interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		nl := make([]interface{}, l)
+		for i := 0; i < l; i++ {
+			nl[i] = l2.Index(i).Interface()
+		}
+
+		return append(nl, v), nil
+
+	default:
+		return nil, fmt.Errorf("Cannot push on type %s", tp)
+	}
+}
+
+func prepend(list interface{}, v interface{}) []interface{} {
+	l, err := mustPrepend(list, v)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustPrepend(list interface{}, v interface{}) ([]interface{}, error) {
+	//return append([]interface{}{v}, list...)
+
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		nl := make([]interface{}, l)
+		for i := 0; i < l; i++ {
+			nl[i] = l2.Index(i).Interface()
+		}
+
+		return append([]interface{}{v}, nl...), nil
+
+	default:
+		return nil, fmt.Errorf("Cannot prepend on type %s", tp)
+	}
+}
+
+func chunk(size int, list interface{}) [][]interface{} {
+	l, err := mustChunk(size, list)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustChunk(size int, list interface{}) ([][]interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+
+		cs := int(math.Floor(float64(l-1)/float64(size)) + 1)
+		nl := make([][]interface{}, cs)
+
+		for i := 0; i < cs; i++ {
+			clen := size
+			if i == cs-1 {
+				clen = int(math.Floor(math.Mod(float64(l), float64(size))))
+				if clen == 0 {
+					clen = size
+				}
+			}
+
+			nl[i] = make([]interface{}, clen)
+
+			for j := 0; j < clen; j++ {
+				ix := i*size + j
+				nl[i][j] = l2.Index(ix).Interface()
+			}
+		}
+
+		return nl, nil
+
+	default:
+		return nil, fmt.Errorf("Cannot chunk type %s", tp)
+	}
+}
+
+func last(list interface{}) interface{} {
+	l, err := mustLast(list)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustLast(list interface{}) (interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		if l == 0 {
+			return nil, nil
+		}
+
+		return l2.Index(l - 1).Interface(), nil
+	default:
+		return nil, fmt.Errorf("Cannot find last on type %s", tp)
+	}
+}
+
+func first(list interface{}) interface{} {
+	l, err := mustFirst(list)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustFirst(list interface{}) (interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		if l == 0 {
+			return nil, nil
+		}
+
+		return l2.Index(0).Interface(), nil
+	default:
+		return nil, fmt.Errorf("Cannot find first on type %s", tp)
+	}
+}
+
+func rest(list interface{}) []interface{} {
+	l, err := mustRest(list)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustRest(list interface{}) ([]interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		if l == 0 {
+			return nil, nil
+		}
+
+		nl := make([]interface{}, l-1)
+		for i := 1; i < l; i++ {
+			nl[i-1] = l2.Index(i).Interface()
+		}
+
+		return nl, nil
+	default:
+		return nil, fmt.Errorf("Cannot find rest on type %s", tp)
+	}
+}
+
+func initial(list interface{}) []interface{} {
+	l, err := mustInitial(list)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustInitial(list interface{}) ([]interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		if l == 0 {
+			return nil, nil
+		}
+
+		nl := make([]interface{}, l-1)
+		for i := 0; i < l-1; i++ {
+			nl[i] = l2.Index(i).Interface()
+		}
+
+		return nl, nil
+	default:
+		return nil, fmt.Errorf("Cannot find initial on type %s", tp)
+	}
+}
+
+func sortAlpha(list interface{}) []string {
+	k := reflect.Indirect(reflect.ValueOf(list)).Kind()
+	switch k {
+	case reflect.Slice, reflect.Array:
+		a := strslice(list)
+		s := sort.StringSlice(a)
+		s.Sort()
+		return s
+	}
+	return []string{strval(list)}
+}
+
+func reverse(v interface{}) []interface{} {
+	l, err := mustReverse(v)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustReverse(v interface{}) ([]interface{}, error) {
+	tp := reflect.TypeOf(v).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(v)
+
+		l := l2.Len()
+		// We do not sort in place because the incoming array should not be altered.
+		nl := make([]interface{}, l)
+		for i := 0; i < l; i++ {
+			nl[l-i-1] = l2.Index(i).Interface()
+		}
+
+		return nl, nil
+	default:
+		return nil, fmt.Errorf("Cannot find reverse on type %s", tp)
+	}
+}
+
+func compact(list interface{}) []interface{} {
+	l, err := mustCompact(list)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustCompact(list interface{}) ([]interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		nl := []interface{}{}
+		var item interface{}
+		for i := 0; i < l; i++ {
+			item = l2.Index(i).Interface()
+			if !empty(item) {
+				nl = append(nl, item)
+			}
+		}
+
+		return nl, nil
+	default:
+		return nil, fmt.Errorf("Cannot compact on type %s", tp)
+	}
+}
+
+func uniq(list interface{}) []interface{} {
+	l, err := mustUniq(list)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustUniq(list interface{}) ([]interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		dest := []interface{}{}
+		var item interface{}
+		for i := 0; i < l; i++ {
+			item = l2.Index(i).Interface()
+			if !inList(dest, item) {
+				dest = append(dest, item)
+			}
+		}
+
+		return dest, nil
+	default:
+		return nil, fmt.Errorf("Cannot find uniq on type %s", tp)
+	}
+}
+
+func inList(haystack []interface{}, needle interface{}) bool {
+	for _, h := range haystack {
+		if reflect.DeepEqual(needle, h) {
+			return true
+		}
+	}
+	return false
+}
+
+func without(list interface{}, omit ...interface{}) []interface{} {
+	l, err := mustWithout(list, omit...)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustWithout(list interface{}, omit ...interface{}) ([]interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		res := []interface{}{}
+		var item interface{}
+		for i := 0; i < l; i++ {
+			item = l2.Index(i).Interface()
+			if !inList(omit, item) {
+				res = append(res, item)
+			}
+		}
+
+		return res, nil
+	default:
+		return nil, fmt.Errorf("Cannot find without on type %s", tp)
+	}
+}
+
+func has(needle interface{}, haystack interface{}) bool {
+	l, err := mustHas(needle, haystack)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustHas(needle interface{}, haystack interface{}) (bool, error) {
+	if haystack == nil {
+		return false, nil
+	}
+	tp := reflect.TypeOf(haystack).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(haystack)
+		var item interface{}
+		l := l2.Len()
+		for i := 0; i < l; i++ {
+			item = l2.Index(i).Interface()
+			if reflect.DeepEqual(needle, item) {
+				return true, nil
+			}
+		}
+
+		return false, nil
+	default:
+		return false, fmt.Errorf("Cannot find has on type %s", tp)
+	}
+}
+
+// $list := [1, 2, 3, 4, 5]
+// slice $list     -> list[0:5] = list[:]
+// slice $list 0 3 -> list[0:3] = list[:3]
+// slice $list 3 5 -> list[3:5]
+// slice $list 3   -> list[3:5] = list[3:]
+func slice(list interface{}, indices ...interface{}) interface{} {
+	l, err := mustSlice(list, indices...)
+	if err != nil {
+		panic(err)
+	}
+
+	return l
+}
+
+func mustSlice(list interface{}, indices ...interface{}) (interface{}, error) {
+	tp := reflect.TypeOf(list).Kind()
+	switch tp {
+	case reflect.Slice, reflect.Array:
+		l2 := reflect.ValueOf(list)
+
+		l := l2.Len()
+		if l == 0 {
+			return nil, nil
+		}
+
+		var start, end int
+		if len(indices) > 0 {
+			start = toInt(indices[0])
+		}
+		if len(indices) < 2 {
+			end = l
+		} else {
+			end = toInt(indices[1])
+		}
+
+		return l2.Slice(start, end).Interface(), nil
+	default:
+		return nil, fmt.Errorf("list should be type of slice or array but %s", tp)
+	}
+}
+
+func concat(lists ...interface{}) interface{} {
+	var res []interface{}
+	for _, list := range lists {
+		tp := reflect.TypeOf(list).Kind()
+		switch tp {
+		case reflect.Slice, reflect.Array:
+			l2 := reflect.ValueOf(list)
+			for i := 0; i < l2.Len(); i++ {
+				res = append(res, l2.Index(i).Interface())
+			}
+		default:
+			panic(fmt.Sprintf("Cannot concat type %s as list", tp))
+		}
+	}
+	return res
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/network.go b/vendor/github.com/Masterminds/sprig/v3/network.go
new file mode 100644
index 0000000000..108d78a946
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/network.go
@@ -0,0 +1,12 @@
+package sprig
+
+import (
+	"math/rand"
+	"net"
+)
+
+func getHostByName(name string) string {
+	addrs, _ := net.LookupHost(name)
+	//TODO: add error handing when release v3 comes out
+	return addrs[rand.Intn(len(addrs))]
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/numeric.go b/vendor/github.com/Masterminds/sprig/v3/numeric.go
new file mode 100644
index 0000000000..f68e4182ee
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/numeric.go
@@ -0,0 +1,186 @@
+package sprig
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+
+	"github.com/spf13/cast"
+	"github.com/shopspring/decimal"
+)
+
+// toFloat64 converts 64-bit floats
+func toFloat64(v interface{}) float64 {
+	return cast.ToFloat64(v)
+}
+
+func toInt(v interface{}) int {
+	return cast.ToInt(v)
+}
+
+// toInt64 converts integer types to 64-bit integers
+func toInt64(v interface{}) int64 {
+	return cast.ToInt64(v)
+}
+
+func max(a interface{}, i ...interface{}) int64 {
+	aa := toInt64(a)
+	for _, b := range i {
+		bb := toInt64(b)
+		if bb > aa {
+			aa = bb
+		}
+	}
+	return aa
+}
+
+func maxf(a interface{}, i ...interface{}) float64 {
+	aa := toFloat64(a)
+	for _, b := range i {
+		bb := toFloat64(b)
+		aa = math.Max(aa, bb)
+	}
+	return aa
+}
+
+func min(a interface{}, i ...interface{}) int64 {
+	aa := toInt64(a)
+	for _, b := range i {
+		bb := toInt64(b)
+		if bb < aa {
+			aa = bb
+		}
+	}
+	return aa
+}
+
+func minf(a interface{}, i ...interface{}) float64 {
+	aa := toFloat64(a)
+	for _, b := range i {
+		bb := toFloat64(b)
+		aa = math.Min(aa, bb)
+	}
+	return aa
+}
+
+func until(count int) []int {
+	step := 1
+	if count < 0 {
+		step = -1
+	}
+	return untilStep(0, count, step)
+}
+
+func untilStep(start, stop, step int) []int {
+	v := []int{}
+
+	if stop < start {
+		if step >= 0 {
+			return v
+		}
+		for i := start; i > stop; i += step {
+			v = append(v, i)
+		}
+		return v
+	}
+
+	if step <= 0 {
+		return v
+	}
+	for i := start; i < stop; i += step {
+		v = append(v, i)
+	}
+	return v
+}
+
+func floor(a interface{}) float64 {
+	aa := toFloat64(a)
+	return math.Floor(aa)
+}
+
+func ceil(a interface{}) float64 {
+	aa := toFloat64(a)
+	return math.Ceil(aa)
+}
+
+func round(a interface{}, p int, rOpt ...float64) float64 {
+	roundOn := .5
+	if len(rOpt) > 0 {
+		roundOn = rOpt[0]
+	}
+	val := toFloat64(a)
+	places := toFloat64(p)
+
+	var round float64
+	pow := math.Pow(10, places)
+	digit := pow * val
+	_, div := math.Modf(digit)
+	if div >= roundOn {
+		round = math.Ceil(digit)
+	} else {
+		round = math.Floor(digit)
+	}
+	return round / pow
+}
+
+// converts unix octal to decimal
+func toDecimal(v interface{}) int64 {
+	result, err := strconv.ParseInt(fmt.Sprint(v), 8, 64)
+	if err != nil {
+		return 0
+	}
+	return result
+}
+
+func seq(params ...int) string {
+	increment := 1
+	switch len(params) {
+	case 0:
+		return ""
+	case 1:
+		start := 1
+		end := params[0]
+		if end < start {
+			increment = -1
+		}
+		return intArrayToString(untilStep(start, end+increment, increment), " ")
+	case 3:
+		start := params[0]
+		end := params[2]
+		step := params[1]
+		if end < start {
+			increment = -1
+			if step > 0 {
+				return ""
+			}
+		}
+		return intArrayToString(untilStep(start, end+increment, step), " ")
+	case 2:
+		start := params[0]
+		end := params[1]
+		step := 1
+		if end < start {
+			step = -1
+		}
+		return intArrayToString(untilStep(start, end+step, step), " ")
+	default:
+		return ""
+	}
+}
+
+func intArrayToString(slice []int, delimeter string) string {
+	return strings.Trim(strings.Join(strings.Fields(fmt.Sprint(slice)), delimeter), "[]")
+}
+
+// performs a float and subsequent decimal.Decimal conversion on inputs,
+// and iterates through a and b executing the mathmetical operation f
+func execDecimalOp(a interface{}, b []interface{}, f func(d1, d2 decimal.Decimal) decimal.Decimal) float64 {
+	prt := decimal.NewFromFloat(toFloat64(a))
+	for _, x := range b {
+		dx := decimal.NewFromFloat(toFloat64(x))
+		prt = f(prt, dx)
+	}
+	rslt, _ := prt.Float64()
+	return rslt
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/reflect.go b/vendor/github.com/Masterminds/sprig/v3/reflect.go
new file mode 100644
index 0000000000..8a65c132f0
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/reflect.go
@@ -0,0 +1,28 @@
+package sprig
+
+import (
+	"fmt"
+	"reflect"
+)
+
+// typeIs returns true if the src is the type named in target.
+func typeIs(target string, src interface{}) bool {
+	return target == typeOf(src)
+}
+
+func typeIsLike(target string, src interface{}) bool {
+	t := typeOf(src)
+	return target == t || "*"+target == t
+}
+
+func typeOf(src interface{}) string {
+	return fmt.Sprintf("%T", src)
+}
+
+func kindIs(target string, src interface{}) bool {
+	return target == kindOf(src)
+}
+
+func kindOf(src interface{}) string {
+	return reflect.ValueOf(src).Kind().String()
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/regex.go b/vendor/github.com/Masterminds/sprig/v3/regex.go
new file mode 100644
index 0000000000..fab5510189
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/regex.go
@@ -0,0 +1,83 @@
+package sprig
+
+import (
+	"regexp"
+)
+
+func regexMatch(regex string, s string) bool {
+	match, _ := regexp.MatchString(regex, s)
+	return match
+}
+
+func mustRegexMatch(regex string, s string) (bool, error) {
+	return regexp.MatchString(regex, s)
+}
+
+func regexFindAll(regex string, s string, n int) []string {
+	r := regexp.MustCompile(regex)
+	return r.FindAllString(s, n)
+}
+
+func mustRegexFindAll(regex string, s string, n int) ([]string, error) {
+	r, err := regexp.Compile(regex)
+	if err != nil {
+		return []string{}, err
+	}
+	return r.FindAllString(s, n), nil
+}
+
+func regexFind(regex string, s string) string {
+	r := regexp.MustCompile(regex)
+	return r.FindString(s)
+}
+
+func mustRegexFind(regex string, s string) (string, error) {
+	r, err := regexp.Compile(regex)
+	if err != nil {
+		return "", err
+	}
+	return r.FindString(s), nil
+}
+
+func regexReplaceAll(regex string, s string, repl string) string {
+	r := regexp.MustCompile(regex)
+	return r.ReplaceAllString(s, repl)
+}
+
+func mustRegexReplaceAll(regex string, s string, repl string) (string, error) {
+	r, err := regexp.Compile(regex)
+	if err != nil {
+		return "", err
+	}
+	return r.ReplaceAllString(s, repl), nil
+}
+
+func regexReplaceAllLiteral(regex string, s string, repl string) string {
+	r := regexp.MustCompile(regex)
+	return r.ReplaceAllLiteralString(s, repl)
+}
+
+func mustRegexReplaceAllLiteral(regex string, s string, repl string) (string, error) {
+	r, err := regexp.Compile(regex)
+	if err != nil {
+		return "", err
+	}
+	return r.ReplaceAllLiteralString(s, repl), nil
+}
+
+func regexSplit(regex string, s string, n int) []string {
+	r := regexp.MustCompile(regex)
+	return r.Split(s, n)
+}
+
+func mustRegexSplit(regex string, s string, n int) ([]string, error) {
+	r, err := regexp.Compile(regex)
+	if err != nil {
+		return []string{}, err
+	}
+	return r.Split(s, n), nil
+}
+
+func regexQuoteMeta(s string) string {
+	return regexp.QuoteMeta(s)
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/semver.go b/vendor/github.com/Masterminds/sprig/v3/semver.go
new file mode 100644
index 0000000000..3fbe08aa63
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/semver.go
@@ -0,0 +1,23 @@
+package sprig
+
+import (
+	sv2 "github.com/Masterminds/semver/v3"
+)
+
+func semverCompare(constraint, version string) (bool, error) {
+	c, err := sv2.NewConstraint(constraint)
+	if err != nil {
+		return false, err
+	}
+
+	v, err := sv2.NewVersion(version)
+	if err != nil {
+		return false, err
+	}
+
+	return c.Check(v), nil
+}
+
+func semver(version string) (*sv2.Version, error) {
+	return sv2.NewVersion(version)
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/strings.go b/vendor/github.com/Masterminds/sprig/v3/strings.go
new file mode 100644
index 0000000000..e0ae628c84
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/strings.go
@@ -0,0 +1,236 @@
+package sprig
+
+import (
+	"encoding/base32"
+	"encoding/base64"
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+
+	util "github.com/Masterminds/goutils"
+)
+
+func base64encode(v string) string {
+	return base64.StdEncoding.EncodeToString([]byte(v))
+}
+
+func base64decode(v string) string {
+	data, err := base64.StdEncoding.DecodeString(v)
+	if err != nil {
+		return err.Error()
+	}
+	return string(data)
+}
+
+func base32encode(v string) string {
+	return base32.StdEncoding.EncodeToString([]byte(v))
+}
+
+func base32decode(v string) string {
+	data, err := base32.StdEncoding.DecodeString(v)
+	if err != nil {
+		return err.Error()
+	}
+	return string(data)
+}
+
+func abbrev(width int, s string) string {
+	if width < 4 {
+		return s
+	}
+	r, _ := util.Abbreviate(s, width)
+	return r
+}
+
+func abbrevboth(left, right int, s string) string {
+	if right < 4 || left > 0 && right < 7 {
+		return s
+	}
+	r, _ := util.AbbreviateFull(s, left, right)
+	return r
+}
+func initials(s string) string {
+	// Wrap this just to eliminate the var args, which templates don't do well.
+	return util.Initials(s)
+}
+
+func randAlphaNumeric(count int) string {
+	// It is not possible, it appears, to actually generate an error here.
+	r, _ := util.CryptoRandomAlphaNumeric(count)
+	return r
+}
+
+func randAlpha(count int) string {
+	r, _ := util.CryptoRandomAlphabetic(count)
+	return r
+}
+
+func randAscii(count int) string {
+	r, _ := util.CryptoRandomAscii(count)
+	return r
+}
+
+func randNumeric(count int) string {
+	r, _ := util.CryptoRandomNumeric(count)
+	return r
+}
+
+func untitle(str string) string {
+	return util.Uncapitalize(str)
+}
+
+func quote(str ...interface{}) string {
+	out := make([]string, 0, len(str))
+	for _, s := range str {
+		if s != nil {
+			out = append(out, fmt.Sprintf("%q", strval(s)))
+		}
+	}
+	return strings.Join(out, " ")
+}
+
+func squote(str ...interface{}) string {
+	out := make([]string, 0, len(str))
+	for _, s := range str {
+		if s != nil {
+			out = append(out, fmt.Sprintf("'%v'", s))
+		}
+	}
+	return strings.Join(out, " ")
+}
+
+func cat(v ...interface{}) string {
+	v = removeNilElements(v)
+	r := strings.TrimSpace(strings.Repeat("%v ", len(v)))
+	return fmt.Sprintf(r, v...)
+}
+
+func indent(spaces int, v string) string {
+	pad := strings.Repeat(" ", spaces)
+	return pad + strings.Replace(v, "\n", "\n"+pad, -1)
+}
+
+func nindent(spaces int, v string) string {
+	return "\n" + indent(spaces, v)
+}
+
+func replace(old, new, src string) string {
+	return strings.Replace(src, old, new, -1)
+}
+
+func plural(one, many string, count int) string {
+	if count == 1 {
+		return one
+	}
+	return many
+}
+
+func strslice(v interface{}) []string {
+	switch v := v.(type) {
+	case []string:
+		return v
+	case []interface{}:
+		b := make([]string, 0, len(v))
+		for _, s := range v {
+			if s != nil {
+				b = append(b, strval(s))
+			}
+		}
+		return b
+	default:
+		val := reflect.ValueOf(v)
+		switch val.Kind() {
+		case reflect.Array, reflect.Slice:
+			l := val.Len()
+			b := make([]string, 0, l)
+			for i := 0; i < l; i++ {
+				value := val.Index(i).Interface()
+				if value != nil {
+					b = append(b, strval(value))
+				}
+			}
+			return b
+		default:
+			if v == nil {
+				return []string{}
+			}
+
+			return []string{strval(v)}
+		}
+	}
+}
+
+func removeNilElements(v []interface{}) []interface{} {
+	newSlice := make([]interface{}, 0, len(v))
+	for _, i := range v {
+		if i != nil {
+			newSlice = append(newSlice, i)
+		}
+	}
+	return newSlice
+}
+
+func strval(v interface{}) string {
+	switch v := v.(type) {
+	case string:
+		return v
+	case []byte:
+		return string(v)
+	case error:
+		return v.Error()
+	case fmt.Stringer:
+		return v.String()
+	default:
+		return fmt.Sprintf("%v", v)
+	}
+}
+
+func trunc(c int, s string) string {
+	if c < 0 && len(s)+c > 0 {
+		return s[len(s)+c:]
+	}
+	if c >= 0 && len(s) > c {
+		return s[:c]
+	}
+	return s
+}
+
+func join(sep string, v interface{}) string {
+	return strings.Join(strslice(v), sep)
+}
+
+func split(sep, orig string) map[string]string {
+	parts := strings.Split(orig, sep)
+	res := make(map[string]string, len(parts))
+	for i, v := range parts {
+		res["_"+strconv.Itoa(i)] = v
+	}
+	return res
+}
+
+func splitn(sep string, n int, orig string) map[string]string {
+	parts := strings.SplitN(orig, sep, n)
+	res := make(map[string]string, len(parts))
+	for i, v := range parts {
+		res["_"+strconv.Itoa(i)] = v
+	}
+	return res
+}
+
+// substring creates a substring of the given string.
+//
+// If start is < 0, this calls string[:end].
+//
+// If start is >= 0 and end < 0 or end bigger than s length, this calls string[start:]
+//
+// Otherwise, this calls string[start, end].
+func substring(start, end int, s string) string {
+	if start < 0 {
+		return s[:end]
+	}
+	if end < 0 || end > len(s) {
+		return s[start:]
+	}
+	return s[start:end]
+}
diff --git a/vendor/github.com/Masterminds/sprig/v3/url.go b/vendor/github.com/Masterminds/sprig/v3/url.go
new file mode 100644
index 0000000000..b8e120e19b
--- /dev/null
+++ b/vendor/github.com/Masterminds/sprig/v3/url.go
@@ -0,0 +1,66 @@
+package sprig
+
+import (
+	"fmt"
+	"net/url"
+	"reflect"
+)
+
+func dictGetOrEmpty(dict map[string]interface{}, key string) string {
+	value, ok := dict[key]
+	if !ok {
+		return ""
+	}
+	tp := reflect.TypeOf(value).Kind()
+	if tp != reflect.String {
+		panic(fmt.Sprintf("unable to parse %s key, must be of type string, but %s found", key, tp.String()))
+	}
+	return reflect.ValueOf(value).String()
+}
+
+// parses given URL to return dict object
+func urlParse(v string) map[string]interface{} {
+	dict := map[string]interface{}{}
+	parsedURL, err := url.Parse(v)
+	if err != nil {
+		panic(fmt.Sprintf("unable to parse url: %s", err))
+	}
+	dict["scheme"] = parsedURL.Scheme
+	dict["host"] = parsedURL.Host
+	dict["hostname"] = parsedURL.Hostname()
+	dict["path"] = parsedURL.Path
+	dict["query"] = parsedURL.RawQuery
+	dict["opaque"] = parsedURL.Opaque
+	dict["fragment"] = parsedURL.Fragment
+	if parsedURL.User != nil {
+		dict["userinfo"] = parsedURL.User.String()
+	} else {
+		dict["userinfo"] = ""
+	}
+
+	return dict
+}
+
+// join given dict to URL string
+func urlJoin(d map[string]interface{}) string {
+	resURL := url.URL{
+		Scheme:   dictGetOrEmpty(d, "scheme"),
+		Host:     dictGetOrEmpty(d, "host"),
+		Path:     dictGetOrEmpty(d, "path"),
+		RawQuery: dictGetOrEmpty(d, "query"),
+		Opaque:   dictGetOrEmpty(d, "opaque"),
+		Fragment: dictGetOrEmpty(d, "fragment"),
+	}
+	userinfo := dictGetOrEmpty(d, "userinfo")
+	var user *url.Userinfo
+	if userinfo != "" {
+		tempURL, err := url.Parse(fmt.Sprintf("proto://%s@host", userinfo))
+		if err != nil {
+			panic(fmt.Sprintf("unable to parse userinfo in dict: %s", err))
+		}
+		user = tempURL.User
+	}
+
+	resURL.User = user
+	return resURL.String()
+}
diff --git a/vendor/github.com/Masterminds/squirrel/.gitignore b/vendor/github.com/Masterminds/squirrel/.gitignore
new file mode 100644
index 0000000000..4a0699f0b7
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/.gitignore
@@ -0,0 +1 @@
+squirrel.test
\ No newline at end of file
diff --git a/vendor/github.com/Masterminds/squirrel/.travis.yml b/vendor/github.com/Masterminds/squirrel/.travis.yml
new file mode 100644
index 0000000000..7bb6da4878
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/.travis.yml
@@ -0,0 +1,30 @@
+language: go
+
+go:
+  - 1.11.x
+  - 1.12.x
+  - 1.13.x
+
+services:
+  - mysql
+  - postgresql
+
+# Setting sudo access to false will let Travis CI use containers rather than
+# VMs to run the tests. For more details see:
+# - http://docs.travis-ci.com/user/workers/container-based-infrastructure/
+# - http://docs.travis-ci.com/user/workers/standard-infrastructure/
+sudo: false
+
+before_script:
+  - mysql -e 'CREATE DATABASE squirrel;'
+  - psql -c 'CREATE DATABASE squirrel;' -U postgres
+
+script:
+  - go test
+  - cd integration
+  - go test -args -driver sqlite3
+  - go test -args -driver mysql -dataSource travis@/squirrel
+  - go test -args -driver postgres -dataSource 'postgres://postgres@localhost/squirrel?sslmode=disable'
+
+notifications:
+  irc: "irc.freenode.net#masterminds"
diff --git a/vendor/github.com/Masterminds/squirrel/LICENSE b/vendor/github.com/Masterminds/squirrel/LICENSE
new file mode 100644
index 0000000000..b459007fd8
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Squirrel: The Masterminds
+Copyright (c) 2014-2015, Lann Martin. Copyright (C) 2015-2016, Google. Copyright (C) 2015, Matt Farina and Matt Butcher.
+
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/Masterminds/squirrel/README.md b/vendor/github.com/Masterminds/squirrel/README.md
new file mode 100644
index 0000000000..1d37f282f1
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/README.md
@@ -0,0 +1,142 @@
+[![Stability: Maintenance](https://masterminds.github.io/stability/maintenance.svg)](https://masterminds.github.io/stability/maintenance.html)
+### Squirrel is "complete".
+Bug fixes will still be merged (slowly). Bug reports are welcome, but I will not necessarily respond to them. If another fork (or substantially similar project) actively improves on what Squirrel does, let me know and I may link to it here.
+
+
+# Squirrel - fluent SQL generator for Go
+
+```go
+import "github.com/Masterminds/squirrel"
+```
+
+
+[![GoDoc](https://godoc.org/github.com/Masterminds/squirrel?status.png)](https://godoc.org/github.com/Masterminds/squirrel)
+[![Build Status](https://api.travis-ci.org/Masterminds/squirrel.svg?branch=master)](https://travis-ci.org/Masterminds/squirrel)
+
+**Squirrel is not an ORM.** For an application of Squirrel, check out
+[structable, a table-struct mapper](https://github.com/Masterminds/structable)
+
+
+Squirrel helps you build SQL queries from composable parts:
+
+```go
+import sq "github.com/Masterminds/squirrel"
+
+users := sq.Select("*").From("users").Join("emails USING (email_id)")
+
+active := users.Where(sq.Eq{"deleted_at": nil})
+
+sql, args, err := active.ToSql()
+
+sql == "SELECT * FROM users JOIN emails USING (email_id) WHERE deleted_at IS NULL"
+```
+
+```go
+sql, args, err := sq.
+    Insert("users").Columns("name", "age").
+    Values("moe", 13).Values("larry", sq.Expr("? + 5", 12)).
+    ToSql()
+
+sql == "INSERT INTO users (name,age) VALUES (?,?),(?,? + 5)"
+```
+
+Squirrel can also execute queries directly:
+
+```go
+stooges := users.Where(sq.Eq{"username": []string{"moe", "larry", "curly", "shemp"}})
+three_stooges := stooges.Limit(3)
+rows, err := three_stooges.RunWith(db).Query()
+
+// Behaves like:
+rows, err := db.Query("SELECT * FROM users WHERE username IN (?,?,?,?) LIMIT 3",
+                      "moe", "larry", "curly", "shemp")
+```
+
+Squirrel makes conditional query building a breeze:
+
+```go
+if len(q) > 0 {
+    users = users.Where("name LIKE ?", fmt.Sprint("%", q, "%"))
+}
+```
+
+Squirrel wants to make your life easier:
+
+```go
+// StmtCache caches Prepared Stmts for you
+dbCache := sq.NewStmtCache(db)
+
+// StatementBuilder keeps your syntax neat
+mydb := sq.StatementBuilder.RunWith(dbCache)
+select_users := mydb.Select("*").From("users")
+```
+
+Squirrel loves PostgreSQL:
+
+```go
+psql := sq.StatementBuilder.PlaceholderFormat(sq.Dollar)
+
+// You use question marks for placeholders...
+sql, _, _ := psql.Select("*").From("elephants").Where("name IN (?,?)", "Dumbo", "Verna").ToSql()
+
+/// ...squirrel replaces them using PlaceholderFormat.
+sql == "SELECT * FROM elephants WHERE name IN ($1,$2)"
+
+
+/// You can retrieve id ...
+query := sq.Insert("nodes").
+    Columns("uuid", "type", "data").
+    Values(node.Uuid, node.Type, node.Data).
+    Suffix("RETURNING \"id\"").
+    RunWith(m.db).
+    PlaceholderFormat(sq.Dollar)
+
+query.QueryRow().Scan(&node.id)
+```
+
+You can escape question marks by inserting two question marks:
+
+```sql
+SELECT * FROM nodes WHERE meta->'format' ??| array[?,?]
+```
+
+will generate with the Dollar Placeholder:
+
+```sql
+SELECT * FROM nodes WHERE meta->'format' ?| array[$1,$2]
+```
+
+## FAQ
+
+* **How can I build an IN query on composite keys / tuples, e.g. `WHERE (col1, col2) IN ((1,2),(3,4))`? ([#104](https://github.com/Masterminds/squirrel/issues/104))**
+
+    Squirrel does not explicitly support tuples, but you can get the same effect with e.g.:
+
+    ```go
+    sq.Or{
+      sq.Eq{"col1": 1, "col2": 2},
+      sq.Eq{"col1": 3, "col2": 4}}
+    ```
+
+    ```sql
+    WHERE (col1 = 1 AND col2 = 2) OR (col1 = 3 AND col2 = 4)
+    ```
+
+    (which should produce the same query plan as the tuple version)
+
+* **Why doesn't `Eq{"mynumber": []uint8{1,2,3}}` turn into an `IN` query? ([#114](https://github.com/Masterminds/squirrel/issues/114))**
+
+    Values of type `[]byte` are handled specially by `database/sql`. In Go, [`byte` is just an alias of `uint8`](https://golang.org/pkg/builtin/#byte), so there is no way to distinguish `[]uint8` from `[]byte`.
+
+* **Some features are poorly documented!**
+
+    This isn't a frequent complaints section!
+
+* **Some features are poorly documented?**
+
+    Yes. The tests should be considered a part of the documentation; take a look at those for ideas on how to express more complex queries.
+
+## License
+
+Squirrel is released under the
+[MIT License](http://www.opensource.org/licenses/MIT).
diff --git a/vendor/github.com/Masterminds/squirrel/case.go b/vendor/github.com/Masterminds/squirrel/case.go
new file mode 100644
index 0000000000..299e14b9d4
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/case.go
@@ -0,0 +1,128 @@
+package squirrel
+
+import (
+	"bytes"
+	"errors"
+
+	"github.com/lann/builder"
+)
+
+func init() {
+	builder.Register(CaseBuilder{}, caseData{})
+}
+
+// sqlizerBuffer is a helper that allows to write many Sqlizers one by one
+// without constant checks for errors that may come from Sqlizer
+type sqlizerBuffer struct {
+	bytes.Buffer
+	args []interface{}
+	err  error
+}
+
+// WriteSql converts Sqlizer to SQL strings and writes it to buffer
+func (b *sqlizerBuffer) WriteSql(item Sqlizer) {
+	if b.err != nil {
+		return
+	}
+
+	var str string
+	var args []interface{}
+	str, args, b.err = nestedToSql(item)
+
+	if b.err != nil {
+		return
+	}
+
+	b.WriteString(str)
+	b.WriteByte(' ')
+	b.args = append(b.args, args...)
+}
+
+func (b *sqlizerBuffer) ToSql() (string, []interface{}, error) {
+	return b.String(), b.args, b.err
+}
+
+// whenPart is a helper structure to describe SQLs "WHEN ... THEN ..." expression
+type whenPart struct {
+	when Sqlizer
+	then Sqlizer
+}
+
+func newWhenPart(when interface{}, then interface{}) whenPart {
+	return whenPart{newPart(when), newPart(then)}
+}
+
+// caseData holds all the data required to build a CASE SQL construct
+type caseData struct {
+	What      Sqlizer
+	WhenParts []whenPart
+	Else      Sqlizer
+}
+
+// ToSql implements Sqlizer
+func (d *caseData) ToSql() (sqlStr string, args []interface{}, err error) {
+	if len(d.WhenParts) == 0 {
+		err = errors.New("case expression must contain at lease one WHEN clause")
+
+		return
+	}
+
+	sql := sqlizerBuffer{}
+
+	sql.WriteString("CASE ")
+	if d.What != nil {
+		sql.WriteSql(d.What)
+	}
+
+	for _, p := range d.WhenParts {
+		sql.WriteString("WHEN ")
+		sql.WriteSql(p.when)
+		sql.WriteString("THEN ")
+		sql.WriteSql(p.then)
+	}
+
+	if d.Else != nil {
+		sql.WriteString("ELSE ")
+		sql.WriteSql(d.Else)
+	}
+
+	sql.WriteString("END")
+
+	return sql.ToSql()
+}
+
+// CaseBuilder builds SQL CASE construct which could be used as parts of queries.
+type CaseBuilder builder.Builder
+
+// ToSql builds the query into a SQL string and bound args.
+func (b CaseBuilder) ToSql() (string, []interface{}, error) {
+	data := builder.GetStruct(b).(caseData)
+	return data.ToSql()
+}
+
+// MustSql builds the query into a SQL string and bound args.
+// It panics if there are any errors.
+func (b CaseBuilder) MustSql() (string, []interface{}) {
+	sql, args, err := b.ToSql()
+	if err != nil {
+		panic(err)
+	}
+	return sql, args
+}
+
+// what sets optional value for CASE construct "CASE [value] ..."
+func (b CaseBuilder) what(expr interface{}) CaseBuilder {
+	return builder.Set(b, "What", newPart(expr)).(CaseBuilder)
+}
+
+// When adds "WHEN ... THEN ..." part to CASE construct
+func (b CaseBuilder) When(when interface{}, then interface{}) CaseBuilder {
+	// TODO: performance hint: replace slice of WhenPart with just slice of parts
+	// where even indices of the slice belong to "when"s and odd indices belong to "then"s
+	return builder.Append(b, "WhenParts", newWhenPart(when, then)).(CaseBuilder)
+}
+
+// What sets optional "ELSE ..." part for CASE construct
+func (b CaseBuilder) Else(expr interface{}) CaseBuilder {
+	return builder.Set(b, "Else", newPart(expr)).(CaseBuilder)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/delete.go b/vendor/github.com/Masterminds/squirrel/delete.go
new file mode 100644
index 0000000000..f3f31e63ef
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/delete.go
@@ -0,0 +1,191 @@
+package squirrel
+
+import (
+	"bytes"
+	"database/sql"
+	"fmt"
+	"strings"
+
+	"github.com/lann/builder"
+)
+
+type deleteData struct {
+	PlaceholderFormat PlaceholderFormat
+	RunWith           BaseRunner
+	Prefixes          []Sqlizer
+	From              string
+	WhereParts        []Sqlizer
+	OrderBys          []string
+	Limit             string
+	Offset            string
+	Suffixes          []Sqlizer
+}
+
+func (d *deleteData) Exec() (sql.Result, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	return ExecWith(d.RunWith, d)
+}
+
+func (d *deleteData) ToSql() (sqlStr string, args []interface{}, err error) {
+	if len(d.From) == 0 {
+		err = fmt.Errorf("delete statements must specify a From table")
+		return
+	}
+
+	sql := &bytes.Buffer{}
+
+	if len(d.Prefixes) > 0 {
+		args, err = appendToSql(d.Prefixes, sql, " ", args)
+		if err != nil {
+			return
+		}
+
+		sql.WriteString(" ")
+	}
+
+	sql.WriteString("DELETE FROM ")
+	sql.WriteString(d.From)
+
+	if len(d.WhereParts) > 0 {
+		sql.WriteString(" WHERE ")
+		args, err = appendToSql(d.WhereParts, sql, " AND ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if len(d.OrderBys) > 0 {
+		sql.WriteString(" ORDER BY ")
+		sql.WriteString(strings.Join(d.OrderBys, ", "))
+	}
+
+	if len(d.Limit) > 0 {
+		sql.WriteString(" LIMIT ")
+		sql.WriteString(d.Limit)
+	}
+
+	if len(d.Offset) > 0 {
+		sql.WriteString(" OFFSET ")
+		sql.WriteString(d.Offset)
+	}
+
+	if len(d.Suffixes) > 0 {
+		sql.WriteString(" ")
+		args, err = appendToSql(d.Suffixes, sql, " ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	sqlStr, err = d.PlaceholderFormat.ReplacePlaceholders(sql.String())
+	return
+}
+
+// Builder
+
+// DeleteBuilder builds SQL DELETE statements.
+type DeleteBuilder builder.Builder
+
+func init() {
+	builder.Register(DeleteBuilder{}, deleteData{})
+}
+
+// Format methods
+
+// PlaceholderFormat sets PlaceholderFormat (e.g. Question or Dollar) for the
+// query.
+func (b DeleteBuilder) PlaceholderFormat(f PlaceholderFormat) DeleteBuilder {
+	return builder.Set(b, "PlaceholderFormat", f).(DeleteBuilder)
+}
+
+// Runner methods
+
+// RunWith sets a Runner (like database/sql.DB) to be used with e.g. Exec.
+func (b DeleteBuilder) RunWith(runner BaseRunner) DeleteBuilder {
+	return setRunWith(b, runner).(DeleteBuilder)
+}
+
+// Exec builds and Execs the query with the Runner set by RunWith.
+func (b DeleteBuilder) Exec() (sql.Result, error) {
+	data := builder.GetStruct(b).(deleteData)
+	return data.Exec()
+}
+
+// SQL methods
+
+// ToSql builds the query into a SQL string and bound args.
+func (b DeleteBuilder) ToSql() (string, []interface{}, error) {
+	data := builder.GetStruct(b).(deleteData)
+	return data.ToSql()
+}
+
+// MustSql builds the query into a SQL string and bound args.
+// It panics if there are any errors.
+func (b DeleteBuilder) MustSql() (string, []interface{}) {
+	sql, args, err := b.ToSql()
+	if err != nil {
+		panic(err)
+	}
+	return sql, args
+}
+
+// Prefix adds an expression to the beginning of the query
+func (b DeleteBuilder) Prefix(sql string, args ...interface{}) DeleteBuilder {
+	return b.PrefixExpr(Expr(sql, args...))
+}
+
+// PrefixExpr adds an expression to the very beginning of the query
+func (b DeleteBuilder) PrefixExpr(expr Sqlizer) DeleteBuilder {
+	return builder.Append(b, "Prefixes", expr).(DeleteBuilder)
+}
+
+// From sets the table to be deleted from.
+func (b DeleteBuilder) From(from string) DeleteBuilder {
+	return builder.Set(b, "From", from).(DeleteBuilder)
+}
+
+// Where adds WHERE expressions to the query.
+//
+// See SelectBuilder.Where for more information.
+func (b DeleteBuilder) Where(pred interface{}, args ...interface{}) DeleteBuilder {
+	return builder.Append(b, "WhereParts", newWherePart(pred, args...)).(DeleteBuilder)
+}
+
+// OrderBy adds ORDER BY expressions to the query.
+func (b DeleteBuilder) OrderBy(orderBys ...string) DeleteBuilder {
+	return builder.Extend(b, "OrderBys", orderBys).(DeleteBuilder)
+}
+
+// Limit sets a LIMIT clause on the query.
+func (b DeleteBuilder) Limit(limit uint64) DeleteBuilder {
+	return builder.Set(b, "Limit", fmt.Sprintf("%d", limit)).(DeleteBuilder)
+}
+
+// Offset sets a OFFSET clause on the query.
+func (b DeleteBuilder) Offset(offset uint64) DeleteBuilder {
+	return builder.Set(b, "Offset", fmt.Sprintf("%d", offset)).(DeleteBuilder)
+}
+
+// Suffix adds an expression to the end of the query
+func (b DeleteBuilder) Suffix(sql string, args ...interface{}) DeleteBuilder {
+	return b.SuffixExpr(Expr(sql, args...))
+}
+
+// SuffixExpr adds an expression to the end of the query
+func (b DeleteBuilder) SuffixExpr(expr Sqlizer) DeleteBuilder {
+	return builder.Append(b, "Suffixes", expr).(DeleteBuilder)
+}
+
+func (b DeleteBuilder) Query() (*sql.Rows, error) {
+	data := builder.GetStruct(b).(deleteData)
+	return data.Query()
+}
+
+func (d *deleteData) Query() (*sql.Rows, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	return QueryWith(d.RunWith, d)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/delete_ctx.go b/vendor/github.com/Masterminds/squirrel/delete_ctx.go
new file mode 100644
index 0000000000..de83c55df3
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/delete_ctx.go
@@ -0,0 +1,69 @@
+// +build go1.8
+
+package squirrel
+
+import (
+	"context"
+	"database/sql"
+
+	"github.com/lann/builder"
+)
+
+func (d *deleteData) ExecContext(ctx context.Context) (sql.Result, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	ctxRunner, ok := d.RunWith.(ExecerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	return ExecContextWith(ctx, ctxRunner, d)
+}
+
+func (d *deleteData) QueryContext(ctx context.Context) (*sql.Rows, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	ctxRunner, ok := d.RunWith.(QueryerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	return QueryContextWith(ctx, ctxRunner, d)
+}
+
+func (d *deleteData) QueryRowContext(ctx context.Context) RowScanner {
+	if d.RunWith == nil {
+		return &Row{err: RunnerNotSet}
+	}
+	queryRower, ok := d.RunWith.(QueryRowerContext)
+	if !ok {
+		if _, ok := d.RunWith.(QueryerContext); !ok {
+			return &Row{err: RunnerNotQueryRunner}
+		}
+		return &Row{err: NoContextSupport}
+	}
+	return QueryRowContextWith(ctx, queryRower, d)
+}
+
+// ExecContext builds and ExecContexts the query with the Runner set by RunWith.
+func (b DeleteBuilder) ExecContext(ctx context.Context) (sql.Result, error) {
+	data := builder.GetStruct(b).(deleteData)
+	return data.ExecContext(ctx)
+}
+
+// QueryContext builds and QueryContexts the query with the Runner set by RunWith.
+func (b DeleteBuilder) QueryContext(ctx context.Context) (*sql.Rows, error) {
+	data := builder.GetStruct(b).(deleteData)
+	return data.QueryContext(ctx)
+}
+
+// QueryRowContext builds and QueryRowContexts the query with the Runner set by RunWith.
+func (b DeleteBuilder) QueryRowContext(ctx context.Context) RowScanner {
+	data := builder.GetStruct(b).(deleteData)
+	return data.QueryRowContext(ctx)
+}
+
+// ScanContext is a shortcut for QueryRowContext().Scan.
+func (b DeleteBuilder) ScanContext(ctx context.Context, dest ...interface{}) error {
+	return b.QueryRowContext(ctx).Scan(dest...)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/expr.go b/vendor/github.com/Masterminds/squirrel/expr.go
new file mode 100644
index 0000000000..eba1b4579e
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/expr.go
@@ -0,0 +1,419 @@
+package squirrel
+
+import (
+	"bytes"
+	"database/sql/driver"
+	"fmt"
+	"reflect"
+	"sort"
+	"strings"
+)
+
+const (
+	// Portable true/false literals.
+	sqlTrue  = "(1=1)"
+	sqlFalse = "(1=0)"
+)
+
+type expr struct {
+	sql  string
+	args []interface{}
+}
+
+// Expr builds an expression from a SQL fragment and arguments.
+//
+// Ex:
+//     Expr("FROM_UNIXTIME(?)", t)
+func Expr(sql string, args ...interface{}) Sqlizer {
+	return expr{sql: sql, args: args}
+}
+
+func (e expr) ToSql() (sql string, args []interface{}, err error) {
+	simple := true
+	for _, arg := range e.args {
+		if _, ok := arg.(Sqlizer); ok {
+			simple = false
+		}
+	}
+	if simple {
+		return e.sql, e.args, nil
+	}
+
+	buf := &bytes.Buffer{}
+	ap := e.args
+	sp := e.sql
+
+	var isql string
+	var iargs []interface{}
+
+	for err == nil && len(ap) > 0 && len(sp) > 0 {
+		i := strings.Index(sp, "?")
+		if i < 0 {
+			// no more placeholders
+			break
+		}
+		if len(sp) > i+1 && sp[i+1:i+2] == "?" {
+			// escaped "??"; append it and step past
+			buf.WriteString(sp[:i+2])
+			sp = sp[i+2:]
+			continue
+		}
+
+		if as, ok := ap[0].(Sqlizer); ok {
+			// sqlizer argument; expand it and append the result
+			isql, iargs, err = as.ToSql()
+			buf.WriteString(sp[:i])
+			buf.WriteString(isql)
+			args = append(args, iargs...)
+		} else {
+			// normal argument; append it and the placeholder
+			buf.WriteString(sp[:i+1])
+			args = append(args, ap[0])
+		}
+
+		// step past the argument and placeholder
+		ap = ap[1:]
+		sp = sp[i+1:]
+	}
+
+	// append the remaining sql and arguments
+	buf.WriteString(sp)
+	return buf.String(), append(args, ap...), err
+}
+
+type concatExpr []interface{}
+
+func (ce concatExpr) ToSql() (sql string, args []interface{}, err error) {
+	for _, part := range ce {
+		switch p := part.(type) {
+		case string:
+			sql += p
+		case Sqlizer:
+			pSql, pArgs, err := p.ToSql()
+			if err != nil {
+				return "", nil, err
+			}
+			sql += pSql
+			args = append(args, pArgs...)
+		default:
+			return "", nil, fmt.Errorf("%#v is not a string or Sqlizer", part)
+		}
+	}
+	return
+}
+
+// ConcatExpr builds an expression by concatenating strings and other expressions.
+//
+// Ex:
+//     name_expr := Expr("CONCAT(?, ' ', ?)", firstName, lastName)
+//     ConcatExpr("COALESCE(full_name,", name_expr, ")")
+func ConcatExpr(parts ...interface{}) concatExpr {
+	return concatExpr(parts)
+}
+
+// aliasExpr helps to alias part of SQL query generated with underlying "expr"
+type aliasExpr struct {
+	expr  Sqlizer
+	alias string
+}
+
+// Alias allows to define alias for column in SelectBuilder. Useful when column is
+// defined as complex expression like IF or CASE
+// Ex:
+//		.Column(Alias(caseStmt, "case_column"))
+func Alias(expr Sqlizer, alias string) aliasExpr {
+	return aliasExpr{expr, alias}
+}
+
+func (e aliasExpr) ToSql() (sql string, args []interface{}, err error) {
+	sql, args, err = e.expr.ToSql()
+	if err == nil {
+		sql = fmt.Sprintf("(%s) AS %s", sql, e.alias)
+	}
+	return
+}
+
+// Eq is syntactic sugar for use with Where/Having/Set methods.
+type Eq map[string]interface{}
+
+func (eq Eq) toSQL(useNotOpr bool) (sql string, args []interface{}, err error) {
+	if len(eq) == 0 {
+		// Empty Sql{} evaluates to true.
+		sql = sqlTrue
+		return
+	}
+
+	var (
+		exprs       []string
+		equalOpr    = "="
+		inOpr       = "IN"
+		nullOpr     = "IS"
+		inEmptyExpr = sqlFalse
+	)
+
+	if useNotOpr {
+		equalOpr = "<>"
+		inOpr = "NOT IN"
+		nullOpr = "IS NOT"
+		inEmptyExpr = sqlTrue
+	}
+
+	sortedKeys := getSortedKeys(eq)
+	for _, key := range sortedKeys {
+		var expr string
+		val := eq[key]
+
+		switch v := val.(type) {
+		case driver.Valuer:
+			if val, err = v.Value(); err != nil {
+				return
+			}
+		}
+
+		r := reflect.ValueOf(val)
+		if r.Kind() == reflect.Ptr {
+			if r.IsNil() {
+				val = nil
+			} else {
+				val = r.Elem().Interface()
+			}
+		}
+
+		if val == nil {
+			expr = fmt.Sprintf("%s %s NULL", key, nullOpr)
+		} else {
+			if isListType(val) {
+				valVal := reflect.ValueOf(val)
+				if valVal.Len() == 0 {
+					expr = inEmptyExpr
+					if args == nil {
+						args = []interface{}{}
+					}
+				} else {
+					for i := 0; i < valVal.Len(); i++ {
+						args = append(args, valVal.Index(i).Interface())
+					}
+					expr = fmt.Sprintf("%s %s (%s)", key, inOpr, Placeholders(valVal.Len()))
+				}
+			} else {
+				expr = fmt.Sprintf("%s %s ?", key, equalOpr)
+				args = append(args, val)
+			}
+		}
+		exprs = append(exprs, expr)
+	}
+	sql = strings.Join(exprs, " AND ")
+	return
+}
+
+func (eq Eq) ToSql() (sql string, args []interface{}, err error) {
+	return eq.toSQL(false)
+}
+
+// NotEq is syntactic sugar for use with Where/Having/Set methods.
+// Ex:
+//     .Where(NotEq{"id": 1}) == "id <> 1"
+type NotEq Eq
+
+func (neq NotEq) ToSql() (sql string, args []interface{}, err error) {
+	return Eq(neq).toSQL(true)
+}
+
+// Like is syntactic sugar for use with LIKE conditions.
+// Ex:
+//     .Where(Like{"name": "%irrel"})
+type Like map[string]interface{}
+
+func (lk Like) toSql(opr string) (sql string, args []interface{}, err error) {
+	var exprs []string
+	for key, val := range lk {
+		expr := ""
+
+		switch v := val.(type) {
+		case driver.Valuer:
+			if val, err = v.Value(); err != nil {
+				return
+			}
+		}
+
+		if val == nil {
+			err = fmt.Errorf("cannot use null with like operators")
+			return
+		} else {
+			if isListType(val) {
+				err = fmt.Errorf("cannot use array or slice with like operators")
+				return
+			} else {
+				expr = fmt.Sprintf("%s %s ?", key, opr)
+				args = append(args, val)
+			}
+		}
+		exprs = append(exprs, expr)
+	}
+	sql = strings.Join(exprs, " AND ")
+	return
+}
+
+func (lk Like) ToSql() (sql string, args []interface{}, err error) {
+	return lk.toSql("LIKE")
+}
+
+// NotLike is syntactic sugar for use with LIKE conditions.
+// Ex:
+//     .Where(NotLike{"name": "%irrel"})
+type NotLike Like
+
+func (nlk NotLike) ToSql() (sql string, args []interface{}, err error) {
+	return Like(nlk).toSql("NOT LIKE")
+}
+
+// ILike is syntactic sugar for use with ILIKE conditions.
+// Ex:
+//    .Where(ILike{"name": "sq%"})
+type ILike Like
+
+func (ilk ILike) ToSql() (sql string, args []interface{}, err error) {
+	return Like(ilk).toSql("ILIKE")
+}
+
+// NotILike is syntactic sugar for use with ILIKE conditions.
+// Ex:
+//    .Where(NotILike{"name": "sq%"})
+type NotILike Like
+
+func (nilk NotILike) ToSql() (sql string, args []interface{}, err error) {
+	return Like(nilk).toSql("NOT ILIKE")
+}
+
+// Lt is syntactic sugar for use with Where/Having/Set methods.
+// Ex:
+//     .Where(Lt{"id": 1})
+type Lt map[string]interface{}
+
+func (lt Lt) toSql(opposite, orEq bool) (sql string, args []interface{}, err error) {
+	var (
+		exprs []string
+		opr   = "<"
+	)
+
+	if opposite {
+		opr = ">"
+	}
+
+	if orEq {
+		opr = fmt.Sprintf("%s%s", opr, "=")
+	}
+
+	sortedKeys := getSortedKeys(lt)
+	for _, key := range sortedKeys {
+		var expr string
+		val := lt[key]
+
+		switch v := val.(type) {
+		case driver.Valuer:
+			if val, err = v.Value(); err != nil {
+				return
+			}
+		}
+
+		if val == nil {
+			err = fmt.Errorf("cannot use null with less than or greater than operators")
+			return
+		}
+		if isListType(val) {
+			err = fmt.Errorf("cannot use array or slice with less than or greater than operators")
+			return
+		}
+		expr = fmt.Sprintf("%s %s ?", key, opr)
+		args = append(args, val)
+
+		exprs = append(exprs, expr)
+	}
+	sql = strings.Join(exprs, " AND ")
+	return
+}
+
+func (lt Lt) ToSql() (sql string, args []interface{}, err error) {
+	return lt.toSql(false, false)
+}
+
+// LtOrEq is syntactic sugar for use with Where/Having/Set methods.
+// Ex:
+//     .Where(LtOrEq{"id": 1}) == "id <= 1"
+type LtOrEq Lt
+
+func (ltOrEq LtOrEq) ToSql() (sql string, args []interface{}, err error) {
+	return Lt(ltOrEq).toSql(false, true)
+}
+
+// Gt is syntactic sugar for use with Where/Having/Set methods.
+// Ex:
+//     .Where(Gt{"id": 1}) == "id > 1"
+type Gt Lt
+
+func (gt Gt) ToSql() (sql string, args []interface{}, err error) {
+	return Lt(gt).toSql(true, false)
+}
+
+// GtOrEq is syntactic sugar for use with Where/Having/Set methods.
+// Ex:
+//     .Where(GtOrEq{"id": 1}) == "id >= 1"
+type GtOrEq Lt
+
+func (gtOrEq GtOrEq) ToSql() (sql string, args []interface{}, err error) {
+	return Lt(gtOrEq).toSql(true, true)
+}
+
+type conj []Sqlizer
+
+func (c conj) join(sep, defaultExpr string) (sql string, args []interface{}, err error) {
+	if len(c) == 0 {
+		return defaultExpr, []interface{}{}, nil
+	}
+	var sqlParts []string
+	for _, sqlizer := range c {
+		partSQL, partArgs, err := nestedToSql(sqlizer)
+		if err != nil {
+			return "", nil, err
+		}
+		if partSQL != "" {
+			sqlParts = append(sqlParts, partSQL)
+			args = append(args, partArgs...)
+		}
+	}
+	if len(sqlParts) > 0 {
+		sql = fmt.Sprintf("(%s)", strings.Join(sqlParts, sep))
+	}
+	return
+}
+
+// And conjunction Sqlizers
+type And conj
+
+func (a And) ToSql() (string, []interface{}, error) {
+	return conj(a).join(" AND ", sqlTrue)
+}
+
+// Or conjunction Sqlizers
+type Or conj
+
+func (o Or) ToSql() (string, []interface{}, error) {
+	return conj(o).join(" OR ", sqlFalse)
+}
+
+func getSortedKeys(exp map[string]interface{}) []string {
+	sortedKeys := make([]string, 0, len(exp))
+	for k := range exp {
+		sortedKeys = append(sortedKeys, k)
+	}
+	sort.Strings(sortedKeys)
+	return sortedKeys
+}
+
+func isListType(val interface{}) bool {
+	if driver.IsValue(val) {
+		return false
+	}
+	valVal := reflect.ValueOf(val)
+	return valVal.Kind() == reflect.Array || valVal.Kind() == reflect.Slice
+}
diff --git a/vendor/github.com/Masterminds/squirrel/insert.go b/vendor/github.com/Masterminds/squirrel/insert.go
new file mode 100644
index 0000000000..c23a57935b
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/insert.go
@@ -0,0 +1,298 @@
+package squirrel
+
+import (
+	"bytes"
+	"database/sql"
+	"errors"
+	"fmt"
+	"io"
+	"sort"
+	"strings"
+
+	"github.com/lann/builder"
+)
+
+type insertData struct {
+	PlaceholderFormat PlaceholderFormat
+	RunWith           BaseRunner
+	Prefixes          []Sqlizer
+	StatementKeyword  string
+	Options           []string
+	Into              string
+	Columns           []string
+	Values            [][]interface{}
+	Suffixes          []Sqlizer
+	Select            *SelectBuilder
+}
+
+func (d *insertData) Exec() (sql.Result, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	return ExecWith(d.RunWith, d)
+}
+
+func (d *insertData) Query() (*sql.Rows, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	return QueryWith(d.RunWith, d)
+}
+
+func (d *insertData) QueryRow() RowScanner {
+	if d.RunWith == nil {
+		return &Row{err: RunnerNotSet}
+	}
+	queryRower, ok := d.RunWith.(QueryRower)
+	if !ok {
+		return &Row{err: RunnerNotQueryRunner}
+	}
+	return QueryRowWith(queryRower, d)
+}
+
+func (d *insertData) ToSql() (sqlStr string, args []interface{}, err error) {
+	if len(d.Into) == 0 {
+		err = errors.New("insert statements must specify a table")
+		return
+	}
+	if len(d.Values) == 0 && d.Select == nil {
+		err = errors.New("insert statements must have at least one set of values or select clause")
+		return
+	}
+
+	sql := &bytes.Buffer{}
+
+	if len(d.Prefixes) > 0 {
+		args, err = appendToSql(d.Prefixes, sql, " ", args)
+		if err != nil {
+			return
+		}
+
+		sql.WriteString(" ")
+	}
+
+	if d.StatementKeyword == "" {
+		sql.WriteString("INSERT ")
+	} else {
+		sql.WriteString(d.StatementKeyword)
+		sql.WriteString(" ")
+	}
+
+	if len(d.Options) > 0 {
+		sql.WriteString(strings.Join(d.Options, " "))
+		sql.WriteString(" ")
+	}
+
+	sql.WriteString("INTO ")
+	sql.WriteString(d.Into)
+	sql.WriteString(" ")
+
+	if len(d.Columns) > 0 {
+		sql.WriteString("(")
+		sql.WriteString(strings.Join(d.Columns, ","))
+		sql.WriteString(") ")
+	}
+
+	if d.Select != nil {
+		args, err = d.appendSelectToSQL(sql, args)
+	} else {
+		args, err = d.appendValuesToSQL(sql, args)
+	}
+	if err != nil {
+		return
+	}
+
+	if len(d.Suffixes) > 0 {
+		sql.WriteString(" ")
+		args, err = appendToSql(d.Suffixes, sql, " ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	sqlStr, err = d.PlaceholderFormat.ReplacePlaceholders(sql.String())
+	return
+}
+
+func (d *insertData) appendValuesToSQL(w io.Writer, args []interface{}) ([]interface{}, error) {
+	if len(d.Values) == 0 {
+		return args, errors.New("values for insert statements are not set")
+	}
+
+	io.WriteString(w, "VALUES ")
+
+	valuesStrings := make([]string, len(d.Values))
+	for r, row := range d.Values {
+		valueStrings := make([]string, len(row))
+		for v, val := range row {
+			if vs, ok := val.(Sqlizer); ok {
+				vsql, vargs, err := vs.ToSql()
+				if err != nil {
+					return nil, err
+				}
+				valueStrings[v] = vsql
+				args = append(args, vargs...)
+			} else {
+				valueStrings[v] = "?"
+				args = append(args, val)
+			}
+		}
+		valuesStrings[r] = fmt.Sprintf("(%s)", strings.Join(valueStrings, ","))
+	}
+
+	io.WriteString(w, strings.Join(valuesStrings, ","))
+
+	return args, nil
+}
+
+func (d *insertData) appendSelectToSQL(w io.Writer, args []interface{}) ([]interface{}, error) {
+	if d.Select == nil {
+		return args, errors.New("select clause for insert statements are not set")
+	}
+
+	selectClause, sArgs, err := d.Select.ToSql()
+	if err != nil {
+		return args, err
+	}
+
+	io.WriteString(w, selectClause)
+	args = append(args, sArgs...)
+
+	return args, nil
+}
+
+// Builder
+
+// InsertBuilder builds SQL INSERT statements.
+type InsertBuilder builder.Builder
+
+func init() {
+	builder.Register(InsertBuilder{}, insertData{})
+}
+
+// Format methods
+
+// PlaceholderFormat sets PlaceholderFormat (e.g. Question or Dollar) for the
+// query.
+func (b InsertBuilder) PlaceholderFormat(f PlaceholderFormat) InsertBuilder {
+	return builder.Set(b, "PlaceholderFormat", f).(InsertBuilder)
+}
+
+// Runner methods
+
+// RunWith sets a Runner (like database/sql.DB) to be used with e.g. Exec.
+func (b InsertBuilder) RunWith(runner BaseRunner) InsertBuilder {
+	return setRunWith(b, runner).(InsertBuilder)
+}
+
+// Exec builds and Execs the query with the Runner set by RunWith.
+func (b InsertBuilder) Exec() (sql.Result, error) {
+	data := builder.GetStruct(b).(insertData)
+	return data.Exec()
+}
+
+// Query builds and Querys the query with the Runner set by RunWith.
+func (b InsertBuilder) Query() (*sql.Rows, error) {
+	data := builder.GetStruct(b).(insertData)
+	return data.Query()
+}
+
+// QueryRow builds and QueryRows the query with the Runner set by RunWith.
+func (b InsertBuilder) QueryRow() RowScanner {
+	data := builder.GetStruct(b).(insertData)
+	return data.QueryRow()
+}
+
+// Scan is a shortcut for QueryRow().Scan.
+func (b InsertBuilder) Scan(dest ...interface{}) error {
+	return b.QueryRow().Scan(dest...)
+}
+
+// SQL methods
+
+// ToSql builds the query into a SQL string and bound args.
+func (b InsertBuilder) ToSql() (string, []interface{}, error) {
+	data := builder.GetStruct(b).(insertData)
+	return data.ToSql()
+}
+
+// MustSql builds the query into a SQL string and bound args.
+// It panics if there are any errors.
+func (b InsertBuilder) MustSql() (string, []interface{}) {
+	sql, args, err := b.ToSql()
+	if err != nil {
+		panic(err)
+	}
+	return sql, args
+}
+
+// Prefix adds an expression to the beginning of the query
+func (b InsertBuilder) Prefix(sql string, args ...interface{}) InsertBuilder {
+	return b.PrefixExpr(Expr(sql, args...))
+}
+
+// PrefixExpr adds an expression to the very beginning of the query
+func (b InsertBuilder) PrefixExpr(expr Sqlizer) InsertBuilder {
+	return builder.Append(b, "Prefixes", expr).(InsertBuilder)
+}
+
+// Options adds keyword options before the INTO clause of the query.
+func (b InsertBuilder) Options(options ...string) InsertBuilder {
+	return builder.Extend(b, "Options", options).(InsertBuilder)
+}
+
+// Into sets the INTO clause of the query.
+func (b InsertBuilder) Into(from string) InsertBuilder {
+	return builder.Set(b, "Into", from).(InsertBuilder)
+}
+
+// Columns adds insert columns to the query.
+func (b InsertBuilder) Columns(columns ...string) InsertBuilder {
+	return builder.Extend(b, "Columns", columns).(InsertBuilder)
+}
+
+// Values adds a single row's values to the query.
+func (b InsertBuilder) Values(values ...interface{}) InsertBuilder {
+	return builder.Append(b, "Values", values).(InsertBuilder)
+}
+
+// Suffix adds an expression to the end of the query
+func (b InsertBuilder) Suffix(sql string, args ...interface{}) InsertBuilder {
+	return b.SuffixExpr(Expr(sql, args...))
+}
+
+// SuffixExpr adds an expression to the end of the query
+func (b InsertBuilder) SuffixExpr(expr Sqlizer) InsertBuilder {
+	return builder.Append(b, "Suffixes", expr).(InsertBuilder)
+}
+
+// SetMap set columns and values for insert builder from a map of column name and value
+// note that it will reset all previous columns and values was set if any
+func (b InsertBuilder) SetMap(clauses map[string]interface{}) InsertBuilder {
+	// Keep the columns in a consistent order by sorting the column key string.
+	cols := make([]string, 0, len(clauses))
+	for col := range clauses {
+		cols = append(cols, col)
+	}
+	sort.Strings(cols)
+
+	vals := make([]interface{}, 0, len(clauses))
+	for _, col := range cols {
+		vals = append(vals, clauses[col])
+	}
+
+	b = builder.Set(b, "Columns", cols).(InsertBuilder)
+	b = builder.Set(b, "Values", [][]interface{}{vals}).(InsertBuilder)
+
+	return b
+}
+
+// Select set Select clause for insert query
+// If Values and Select are used, then Select has higher priority
+func (b InsertBuilder) Select(sb SelectBuilder) InsertBuilder {
+	return builder.Set(b, "Select", &sb).(InsertBuilder)
+}
+
+func (b InsertBuilder) statementKeyword(keyword string) InsertBuilder {
+	return builder.Set(b, "StatementKeyword", keyword).(InsertBuilder)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/insert_ctx.go b/vendor/github.com/Masterminds/squirrel/insert_ctx.go
new file mode 100644
index 0000000000..4541c2fed3
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/insert_ctx.go
@@ -0,0 +1,69 @@
+// +build go1.8
+
+package squirrel
+
+import (
+	"context"
+	"database/sql"
+
+	"github.com/lann/builder"
+)
+
+func (d *insertData) ExecContext(ctx context.Context) (sql.Result, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	ctxRunner, ok := d.RunWith.(ExecerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	return ExecContextWith(ctx, ctxRunner, d)
+}
+
+func (d *insertData) QueryContext(ctx context.Context) (*sql.Rows, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	ctxRunner, ok := d.RunWith.(QueryerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	return QueryContextWith(ctx, ctxRunner, d)
+}
+
+func (d *insertData) QueryRowContext(ctx context.Context) RowScanner {
+	if d.RunWith == nil {
+		return &Row{err: RunnerNotSet}
+	}
+	queryRower, ok := d.RunWith.(QueryRowerContext)
+	if !ok {
+		if _, ok := d.RunWith.(QueryerContext); !ok {
+			return &Row{err: RunnerNotQueryRunner}
+		}
+		return &Row{err: NoContextSupport}
+	}
+	return QueryRowContextWith(ctx, queryRower, d)
+}
+
+// ExecContext builds and ExecContexts the query with the Runner set by RunWith.
+func (b InsertBuilder) ExecContext(ctx context.Context) (sql.Result, error) {
+	data := builder.GetStruct(b).(insertData)
+	return data.ExecContext(ctx)
+}
+
+// QueryContext builds and QueryContexts the query with the Runner set by RunWith.
+func (b InsertBuilder) QueryContext(ctx context.Context) (*sql.Rows, error) {
+	data := builder.GetStruct(b).(insertData)
+	return data.QueryContext(ctx)
+}
+
+// QueryRowContext builds and QueryRowContexts the query with the Runner set by RunWith.
+func (b InsertBuilder) QueryRowContext(ctx context.Context) RowScanner {
+	data := builder.GetStruct(b).(insertData)
+	return data.QueryRowContext(ctx)
+}
+
+// ScanContext is a shortcut for QueryRowContext().Scan.
+func (b InsertBuilder) ScanContext(ctx context.Context, dest ...interface{}) error {
+	return b.QueryRowContext(ctx).Scan(dest...)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/part.go b/vendor/github.com/Masterminds/squirrel/part.go
new file mode 100644
index 0000000000..c58f68f1a4
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/part.go
@@ -0,0 +1,63 @@
+package squirrel
+
+import (
+	"fmt"
+	"io"
+)
+
+type part struct {
+	pred interface{}
+	args []interface{}
+}
+
+func newPart(pred interface{}, args ...interface{}) Sqlizer {
+	return &part{pred, args}
+}
+
+func (p part) ToSql() (sql string, args []interface{}, err error) {
+	switch pred := p.pred.(type) {
+	case nil:
+		// no-op
+	case Sqlizer:
+		sql, args, err = nestedToSql(pred)
+	case string:
+		sql = pred
+		args = p.args
+	default:
+		err = fmt.Errorf("expected string or Sqlizer, not %T", pred)
+	}
+	return
+}
+
+func nestedToSql(s Sqlizer) (string, []interface{}, error) {
+	if raw, ok := s.(rawSqlizer); ok {
+		return raw.toSqlRaw()
+	} else {
+		return s.ToSql()
+	}
+}
+
+func appendToSql(parts []Sqlizer, w io.Writer, sep string, args []interface{}) ([]interface{}, error) {
+	for i, p := range parts {
+		partSql, partArgs, err := nestedToSql(p)
+		if err != nil {
+			return nil, err
+		} else if len(partSql) == 0 {
+			continue
+		}
+
+		if i > 0 {
+			_, err := io.WriteString(w, sep)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		_, err = io.WriteString(w, partSql)
+		if err != nil {
+			return nil, err
+		}
+		args = append(args, partArgs...)
+	}
+	return args, nil
+}
diff --git a/vendor/github.com/Masterminds/squirrel/placeholder.go b/vendor/github.com/Masterminds/squirrel/placeholder.go
new file mode 100644
index 0000000000..8e97a6c62d
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/placeholder.go
@@ -0,0 +1,114 @@
+package squirrel
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+)
+
+// PlaceholderFormat is the interface that wraps the ReplacePlaceholders method.
+//
+// ReplacePlaceholders takes a SQL statement and replaces each question mark
+// placeholder with a (possibly different) SQL placeholder.
+type PlaceholderFormat interface {
+	ReplacePlaceholders(sql string) (string, error)
+}
+
+type placeholderDebugger interface {
+	debugPlaceholder() string
+}
+
+var (
+	// Question is a PlaceholderFormat instance that leaves placeholders as
+	// question marks.
+	Question = questionFormat{}
+
+	// Dollar is a PlaceholderFormat instance that replaces placeholders with
+	// dollar-prefixed positional placeholders (e.g. $1, $2, $3).
+	Dollar = dollarFormat{}
+
+	// Colon is a PlaceholderFormat instance that replaces placeholders with
+	// colon-prefixed positional placeholders (e.g. :1, :2, :3).
+	Colon = colonFormat{}
+
+	// AtP is a PlaceholderFormat instance that replaces placeholders with
+	// "@p"-prefixed positional placeholders (e.g. @p1, @p2, @p3).
+	AtP = atpFormat{}
+)
+
+type questionFormat struct{}
+
+func (questionFormat) ReplacePlaceholders(sql string) (string, error) {
+	return sql, nil
+}
+
+func (questionFormat) debugPlaceholder() string {
+	return "?"
+}
+
+type dollarFormat struct{}
+
+func (dollarFormat) ReplacePlaceholders(sql string) (string, error) {
+	return replacePositionalPlaceholders(sql, "$")
+}
+
+func (dollarFormat) debugPlaceholder() string {
+	return "$"
+}
+
+type colonFormat struct{}
+
+func (colonFormat) ReplacePlaceholders(sql string) (string, error) {
+	return replacePositionalPlaceholders(sql, ":")
+}
+
+func (colonFormat) debugPlaceholder() string {
+	return ":"
+}
+
+type atpFormat struct{}
+
+func (atpFormat) ReplacePlaceholders(sql string) (string, error) {
+	return replacePositionalPlaceholders(sql, "@p")
+}
+
+func (atpFormat) debugPlaceholder() string {
+	return "@p"
+}
+
+// Placeholders returns a string with count ? placeholders joined with commas.
+func Placeholders(count int) string {
+	if count < 1 {
+		return ""
+	}
+
+	return strings.Repeat(",?", count)[1:]
+}
+
+func replacePositionalPlaceholders(sql, prefix string) (string, error) {
+	buf := &bytes.Buffer{}
+	i := 0
+	for {
+		p := strings.Index(sql, "?")
+		if p == -1 {
+			break
+		}
+
+		if len(sql[p:]) > 1 && sql[p:p+2] == "??" { // escape ?? => ?
+			buf.WriteString(sql[:p])
+			buf.WriteString("?")
+			if len(sql[p:]) == 1 {
+				break
+			}
+			sql = sql[p+2:]
+		} else {
+			i++
+			buf.WriteString(sql[:p])
+			fmt.Fprintf(buf, "%s%d", prefix, i)
+			sql = sql[p+1:]
+		}
+	}
+
+	buf.WriteString(sql)
+	return buf.String(), nil
+}
diff --git a/vendor/github.com/Masterminds/squirrel/row.go b/vendor/github.com/Masterminds/squirrel/row.go
new file mode 100644
index 0000000000..74ffda92bd
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/row.go
@@ -0,0 +1,22 @@
+package squirrel
+
+// RowScanner is the interface that wraps the Scan method.
+//
+// Scan behaves like database/sql.Row.Scan.
+type RowScanner interface {
+	Scan(...interface{}) error
+}
+
+// Row wraps database/sql.Row to let squirrel return new errors on Scan.
+type Row struct {
+	RowScanner
+	err error
+}
+
+// Scan returns Row.err or calls RowScanner.Scan.
+func (r *Row) Scan(dest ...interface{}) error {
+	if r.err != nil {
+		return r.err
+	}
+	return r.RowScanner.Scan(dest...)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/select.go b/vendor/github.com/Masterminds/squirrel/select.go
new file mode 100644
index 0000000000..d55ce4c740
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/select.go
@@ -0,0 +1,403 @@
+package squirrel
+
+import (
+	"bytes"
+	"database/sql"
+	"fmt"
+	"strings"
+
+	"github.com/lann/builder"
+)
+
+type selectData struct {
+	PlaceholderFormat PlaceholderFormat
+	RunWith           BaseRunner
+	Prefixes          []Sqlizer
+	Options           []string
+	Columns           []Sqlizer
+	From              Sqlizer
+	Joins             []Sqlizer
+	WhereParts        []Sqlizer
+	GroupBys          []string
+	HavingParts       []Sqlizer
+	OrderByParts      []Sqlizer
+	Limit             string
+	Offset            string
+	Suffixes          []Sqlizer
+}
+
+func (d *selectData) Exec() (sql.Result, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	return ExecWith(d.RunWith, d)
+}
+
+func (d *selectData) Query() (*sql.Rows, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	return QueryWith(d.RunWith, d)
+}
+
+func (d *selectData) QueryRow() RowScanner {
+	if d.RunWith == nil {
+		return &Row{err: RunnerNotSet}
+	}
+	queryRower, ok := d.RunWith.(QueryRower)
+	if !ok {
+		return &Row{err: RunnerNotQueryRunner}
+	}
+	return QueryRowWith(queryRower, d)
+}
+
+func (d *selectData) ToSql() (sqlStr string, args []interface{}, err error) {
+	sqlStr, args, err = d.toSqlRaw()
+	if err != nil {
+		return
+	}
+
+	sqlStr, err = d.PlaceholderFormat.ReplacePlaceholders(sqlStr)
+	return
+}
+
+func (d *selectData) toSqlRaw() (sqlStr string, args []interface{}, err error) {
+	if len(d.Columns) == 0 {
+		err = fmt.Errorf("select statements must have at least one result column")
+		return
+	}
+
+	sql := &bytes.Buffer{}
+
+	if len(d.Prefixes) > 0 {
+		args, err = appendToSql(d.Prefixes, sql, " ", args)
+		if err != nil {
+			return
+		}
+
+		sql.WriteString(" ")
+	}
+
+	sql.WriteString("SELECT ")
+
+	if len(d.Options) > 0 {
+		sql.WriteString(strings.Join(d.Options, " "))
+		sql.WriteString(" ")
+	}
+
+	if len(d.Columns) > 0 {
+		args, err = appendToSql(d.Columns, sql, ", ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if d.From != nil {
+		sql.WriteString(" FROM ")
+		args, err = appendToSql([]Sqlizer{d.From}, sql, "", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if len(d.Joins) > 0 {
+		sql.WriteString(" ")
+		args, err = appendToSql(d.Joins, sql, " ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if len(d.WhereParts) > 0 {
+		sql.WriteString(" WHERE ")
+		args, err = appendToSql(d.WhereParts, sql, " AND ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if len(d.GroupBys) > 0 {
+		sql.WriteString(" GROUP BY ")
+		sql.WriteString(strings.Join(d.GroupBys, ", "))
+	}
+
+	if len(d.HavingParts) > 0 {
+		sql.WriteString(" HAVING ")
+		args, err = appendToSql(d.HavingParts, sql, " AND ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if len(d.OrderByParts) > 0 {
+		sql.WriteString(" ORDER BY ")
+		args, err = appendToSql(d.OrderByParts, sql, ", ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if len(d.Limit) > 0 {
+		sql.WriteString(" LIMIT ")
+		sql.WriteString(d.Limit)
+	}
+
+	if len(d.Offset) > 0 {
+		sql.WriteString(" OFFSET ")
+		sql.WriteString(d.Offset)
+	}
+
+	if len(d.Suffixes) > 0 {
+		sql.WriteString(" ")
+
+		args, err = appendToSql(d.Suffixes, sql, " ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	sqlStr = sql.String()
+	return
+}
+
+// Builder
+
+// SelectBuilder builds SQL SELECT statements.
+type SelectBuilder builder.Builder
+
+func init() {
+	builder.Register(SelectBuilder{}, selectData{})
+}
+
+// Format methods
+
+// PlaceholderFormat sets PlaceholderFormat (e.g. Question or Dollar) for the
+// query.
+func (b SelectBuilder) PlaceholderFormat(f PlaceholderFormat) SelectBuilder {
+	return builder.Set(b, "PlaceholderFormat", f).(SelectBuilder)
+}
+
+// Runner methods
+
+// RunWith sets a Runner (like database/sql.DB) to be used with e.g. Exec.
+// For most cases runner will be a database connection.
+//
+// Internally we use this to mock out the database connection for testing.
+func (b SelectBuilder) RunWith(runner BaseRunner) SelectBuilder {
+	return setRunWith(b, runner).(SelectBuilder)
+}
+
+// Exec builds and Execs the query with the Runner set by RunWith.
+func (b SelectBuilder) Exec() (sql.Result, error) {
+	data := builder.GetStruct(b).(selectData)
+	return data.Exec()
+}
+
+// Query builds and Querys the query with the Runner set by RunWith.
+func (b SelectBuilder) Query() (*sql.Rows, error) {
+	data := builder.GetStruct(b).(selectData)
+	return data.Query()
+}
+
+// QueryRow builds and QueryRows the query with the Runner set by RunWith.
+func (b SelectBuilder) QueryRow() RowScanner {
+	data := builder.GetStruct(b).(selectData)
+	return data.QueryRow()
+}
+
+// Scan is a shortcut for QueryRow().Scan.
+func (b SelectBuilder) Scan(dest ...interface{}) error {
+	return b.QueryRow().Scan(dest...)
+}
+
+// SQL methods
+
+// ToSql builds the query into a SQL string and bound args.
+func (b SelectBuilder) ToSql() (string, []interface{}, error) {
+	data := builder.GetStruct(b).(selectData)
+	return data.ToSql()
+}
+
+func (b SelectBuilder) toSqlRaw() (string, []interface{}, error) {
+	data := builder.GetStruct(b).(selectData)
+	return data.toSqlRaw()
+}
+
+// MustSql builds the query into a SQL string and bound args.
+// It panics if there are any errors.
+func (b SelectBuilder) MustSql() (string, []interface{}) {
+	sql, args, err := b.ToSql()
+	if err != nil {
+		panic(err)
+	}
+	return sql, args
+}
+
+// Prefix adds an expression to the beginning of the query
+func (b SelectBuilder) Prefix(sql string, args ...interface{}) SelectBuilder {
+	return b.PrefixExpr(Expr(sql, args...))
+}
+
+// PrefixExpr adds an expression to the very beginning of the query
+func (b SelectBuilder) PrefixExpr(expr Sqlizer) SelectBuilder {
+	return builder.Append(b, "Prefixes", expr).(SelectBuilder)
+}
+
+// Distinct adds a DISTINCT clause to the query.
+func (b SelectBuilder) Distinct() SelectBuilder {
+	return b.Options("DISTINCT")
+}
+
+// Options adds select option to the query
+func (b SelectBuilder) Options(options ...string) SelectBuilder {
+	return builder.Extend(b, "Options", options).(SelectBuilder)
+}
+
+// Columns adds result columns to the query.
+func (b SelectBuilder) Columns(columns ...string) SelectBuilder {
+	parts := make([]interface{}, 0, len(columns))
+	for _, str := range columns {
+		parts = append(parts, newPart(str))
+	}
+	return builder.Extend(b, "Columns", parts).(SelectBuilder)
+}
+
+// RemoveColumns remove all columns from query.
+// Must add a new column with Column or Columns methods, otherwise
+// return a error.
+func (b SelectBuilder) RemoveColumns() SelectBuilder {
+	return builder.Delete(b, "Columns").(SelectBuilder)
+}
+
+// Column adds a result column to the query.
+// Unlike Columns, Column accepts args which will be bound to placeholders in
+// the columns string, for example:
+//   Column("IF(col IN ("+squirrel.Placeholders(3)+"), 1, 0) as col", 1, 2, 3)
+func (b SelectBuilder) Column(column interface{}, args ...interface{}) SelectBuilder {
+	return builder.Append(b, "Columns", newPart(column, args...)).(SelectBuilder)
+}
+
+// From sets the FROM clause of the query.
+func (b SelectBuilder) From(from string) SelectBuilder {
+	return builder.Set(b, "From", newPart(from)).(SelectBuilder)
+}
+
+// FromSelect sets a subquery into the FROM clause of the query.
+func (b SelectBuilder) FromSelect(from SelectBuilder, alias string) SelectBuilder {
+	// Prevent misnumbered parameters in nested selects (#183).
+	from = from.PlaceholderFormat(Question)
+	return builder.Set(b, "From", Alias(from, alias)).(SelectBuilder)
+}
+
+// JoinClause adds a join clause to the query.
+func (b SelectBuilder) JoinClause(pred interface{}, args ...interface{}) SelectBuilder {
+	return builder.Append(b, "Joins", newPart(pred, args...)).(SelectBuilder)
+}
+
+// Join adds a JOIN clause to the query.
+func (b SelectBuilder) Join(join string, rest ...interface{}) SelectBuilder {
+	return b.JoinClause("JOIN "+join, rest...)
+}
+
+// LeftJoin adds a LEFT JOIN clause to the query.
+func (b SelectBuilder) LeftJoin(join string, rest ...interface{}) SelectBuilder {
+	return b.JoinClause("LEFT JOIN "+join, rest...)
+}
+
+// RightJoin adds a RIGHT JOIN clause to the query.
+func (b SelectBuilder) RightJoin(join string, rest ...interface{}) SelectBuilder {
+	return b.JoinClause("RIGHT JOIN "+join, rest...)
+}
+
+// InnerJoin adds a INNER JOIN clause to the query.
+func (b SelectBuilder) InnerJoin(join string, rest ...interface{}) SelectBuilder {
+	return b.JoinClause("INNER JOIN "+join, rest...)
+}
+
+// CrossJoin adds a CROSS JOIN clause to the query.
+func (b SelectBuilder) CrossJoin(join string, rest ...interface{}) SelectBuilder {
+	return b.JoinClause("CROSS JOIN "+join, rest...)
+}
+
+// Where adds an expression to the WHERE clause of the query.
+//
+// Expressions are ANDed together in the generated SQL.
+//
+// Where accepts several types for its pred argument:
+//
+// nil OR "" - ignored.
+//
+// string - SQL expression.
+// If the expression has SQL placeholders then a set of arguments must be passed
+// as well, one for each placeholder.
+//
+// map[string]interface{} OR Eq - map of SQL expressions to values. Each key is
+// transformed into an expression like "<key> = ?", with the corresponding value
+// bound to the placeholder. If the value is nil, the expression will be "<key>
+// IS NULL". If the value is an array or slice, the expression will be "<key> IN
+// (?,?,...)", with one placeholder for each item in the value. These expressions
+// are ANDed together.
+//
+// Where will panic if pred isn't any of the above types.
+func (b SelectBuilder) Where(pred interface{}, args ...interface{}) SelectBuilder {
+	if pred == nil || pred == "" {
+		return b
+	}
+	return builder.Append(b, "WhereParts", newWherePart(pred, args...)).(SelectBuilder)
+}
+
+// GroupBy adds GROUP BY expressions to the query.
+func (b SelectBuilder) GroupBy(groupBys ...string) SelectBuilder {
+	return builder.Extend(b, "GroupBys", groupBys).(SelectBuilder)
+}
+
+// Having adds an expression to the HAVING clause of the query.
+//
+// See Where.
+func (b SelectBuilder) Having(pred interface{}, rest ...interface{}) SelectBuilder {
+	return builder.Append(b, "HavingParts", newWherePart(pred, rest...)).(SelectBuilder)
+}
+
+// OrderByClause adds ORDER BY clause to the query.
+func (b SelectBuilder) OrderByClause(pred interface{}, args ...interface{}) SelectBuilder {
+	return builder.Append(b, "OrderByParts", newPart(pred, args...)).(SelectBuilder)
+}
+
+// OrderBy adds ORDER BY expressions to the query.
+func (b SelectBuilder) OrderBy(orderBys ...string) SelectBuilder {
+	for _, orderBy := range orderBys {
+		b = b.OrderByClause(orderBy)
+	}
+
+	return b
+}
+
+// Limit sets a LIMIT clause on the query.
+func (b SelectBuilder) Limit(limit uint64) SelectBuilder {
+	return builder.Set(b, "Limit", fmt.Sprintf("%d", limit)).(SelectBuilder)
+}
+
+// Limit ALL allows to access all records with limit
+func (b SelectBuilder) RemoveLimit() SelectBuilder {
+	return builder.Delete(b, "Limit").(SelectBuilder)
+}
+
+// Offset sets a OFFSET clause on the query.
+func (b SelectBuilder) Offset(offset uint64) SelectBuilder {
+	return builder.Set(b, "Offset", fmt.Sprintf("%d", offset)).(SelectBuilder)
+}
+
+// RemoveOffset removes OFFSET clause.
+func (b SelectBuilder) RemoveOffset() SelectBuilder {
+	return builder.Delete(b, "Offset").(SelectBuilder)
+}
+
+// Suffix adds an expression to the end of the query
+func (b SelectBuilder) Suffix(sql string, args ...interface{}) SelectBuilder {
+	return b.SuffixExpr(Expr(sql, args...))
+}
+
+// SuffixExpr adds an expression to the end of the query
+func (b SelectBuilder) SuffixExpr(expr Sqlizer) SelectBuilder {
+	return builder.Append(b, "Suffixes", expr).(SelectBuilder)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/select_ctx.go b/vendor/github.com/Masterminds/squirrel/select_ctx.go
new file mode 100644
index 0000000000..4c42c13f47
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/select_ctx.go
@@ -0,0 +1,69 @@
+// +build go1.8
+
+package squirrel
+
+import (
+	"context"
+	"database/sql"
+
+	"github.com/lann/builder"
+)
+
+func (d *selectData) ExecContext(ctx context.Context) (sql.Result, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	ctxRunner, ok := d.RunWith.(ExecerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	return ExecContextWith(ctx, ctxRunner, d)
+}
+
+func (d *selectData) QueryContext(ctx context.Context) (*sql.Rows, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	ctxRunner, ok := d.RunWith.(QueryerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	return QueryContextWith(ctx, ctxRunner, d)
+}
+
+func (d *selectData) QueryRowContext(ctx context.Context) RowScanner {
+	if d.RunWith == nil {
+		return &Row{err: RunnerNotSet}
+	}
+	queryRower, ok := d.RunWith.(QueryRowerContext)
+	if !ok {
+		if _, ok := d.RunWith.(QueryerContext); !ok {
+			return &Row{err: RunnerNotQueryRunner}
+		}
+		return &Row{err: NoContextSupport}
+	}
+	return QueryRowContextWith(ctx, queryRower, d)
+}
+
+// ExecContext builds and ExecContexts the query with the Runner set by RunWith.
+func (b SelectBuilder) ExecContext(ctx context.Context) (sql.Result, error) {
+	data := builder.GetStruct(b).(selectData)
+	return data.ExecContext(ctx)
+}
+
+// QueryContext builds and QueryContexts the query with the Runner set by RunWith.
+func (b SelectBuilder) QueryContext(ctx context.Context) (*sql.Rows, error) {
+	data := builder.GetStruct(b).(selectData)
+	return data.QueryContext(ctx)
+}
+
+// QueryRowContext builds and QueryRowContexts the query with the Runner set by RunWith.
+func (b SelectBuilder) QueryRowContext(ctx context.Context) RowScanner {
+	data := builder.GetStruct(b).(selectData)
+	return data.QueryRowContext(ctx)
+}
+
+// ScanContext is a shortcut for QueryRowContext().Scan.
+func (b SelectBuilder) ScanContext(ctx context.Context, dest ...interface{}) error {
+	return b.QueryRowContext(ctx).Scan(dest...)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/squirrel.go b/vendor/github.com/Masterminds/squirrel/squirrel.go
new file mode 100644
index 0000000000..46d456eb62
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/squirrel.go
@@ -0,0 +1,183 @@
+// Package squirrel provides a fluent SQL generator.
+//
+// See https://github.com/Masterminds/squirrel for examples.
+package squirrel
+
+import (
+	"bytes"
+	"database/sql"
+	"fmt"
+	"strings"
+
+	"github.com/lann/builder"
+)
+
+// Sqlizer is the interface that wraps the ToSql method.
+//
+// ToSql returns a SQL representation of the Sqlizer, along with a slice of args
+// as passed to e.g. database/sql.Exec. It can also return an error.
+type Sqlizer interface {
+	ToSql() (string, []interface{}, error)
+}
+
+// rawSqlizer is expected to do what Sqlizer does, but without finalizing placeholders.
+// This is useful for nested queries.
+type rawSqlizer interface {
+	toSqlRaw() (string, []interface{}, error)
+}
+
+// Execer is the interface that wraps the Exec method.
+//
+// Exec executes the given query as implemented by database/sql.Exec.
+type Execer interface {
+	Exec(query string, args ...interface{}) (sql.Result, error)
+}
+
+// Queryer is the interface that wraps the Query method.
+//
+// Query executes the given query as implemented by database/sql.Query.
+type Queryer interface {
+	Query(query string, args ...interface{}) (*sql.Rows, error)
+}
+
+// QueryRower is the interface that wraps the QueryRow method.
+//
+// QueryRow executes the given query as implemented by database/sql.QueryRow.
+type QueryRower interface {
+	QueryRow(query string, args ...interface{}) RowScanner
+}
+
+// BaseRunner groups the Execer and Queryer interfaces.
+type BaseRunner interface {
+	Execer
+	Queryer
+}
+
+// Runner groups the Execer, Queryer, and QueryRower interfaces.
+type Runner interface {
+	Execer
+	Queryer
+	QueryRower
+}
+
+// WrapStdSql wraps a type implementing the standard SQL interface with methods that
+// squirrel expects.
+func WrapStdSql(stdSql StdSql) Runner {
+	return &stdsqlRunner{stdSql}
+}
+
+// StdSql encompasses the standard methods of the *sql.DB type, and other types that
+// wrap these methods.
+type StdSql interface {
+	Query(string, ...interface{}) (*sql.Rows, error)
+	QueryRow(string, ...interface{}) *sql.Row
+	Exec(string, ...interface{}) (sql.Result, error)
+}
+
+type stdsqlRunner struct {
+	StdSql
+}
+
+func (r *stdsqlRunner) QueryRow(query string, args ...interface{}) RowScanner {
+	return r.StdSql.QueryRow(query, args...)
+}
+
+func setRunWith(b interface{}, runner BaseRunner) interface{} {
+	switch r := runner.(type) {
+	case StdSqlCtx:
+		runner = WrapStdSqlCtx(r)
+	case StdSql:
+		runner = WrapStdSql(r)
+	}
+	return builder.Set(b, "RunWith", runner)
+}
+
+// RunnerNotSet is returned by methods that need a Runner if it isn't set.
+var RunnerNotSet = fmt.Errorf("cannot run; no Runner set (RunWith)")
+
+// RunnerNotQueryRunner is returned by QueryRow if the RunWith value doesn't implement QueryRower.
+var RunnerNotQueryRunner = fmt.Errorf("cannot QueryRow; Runner is not a QueryRower")
+
+// ExecWith Execs the SQL returned by s with db.
+func ExecWith(db Execer, s Sqlizer) (res sql.Result, err error) {
+	query, args, err := s.ToSql()
+	if err != nil {
+		return
+	}
+	return db.Exec(query, args...)
+}
+
+// QueryWith Querys the SQL returned by s with db.
+func QueryWith(db Queryer, s Sqlizer) (rows *sql.Rows, err error) {
+	query, args, err := s.ToSql()
+	if err != nil {
+		return
+	}
+	return db.Query(query, args...)
+}
+
+// QueryRowWith QueryRows the SQL returned by s with db.
+func QueryRowWith(db QueryRower, s Sqlizer) RowScanner {
+	query, args, err := s.ToSql()
+	return &Row{RowScanner: db.QueryRow(query, args...), err: err}
+}
+
+// DebugSqlizer calls ToSql on s and shows the approximate SQL to be executed
+//
+// If ToSql returns an error, the result of this method will look like:
+// "[ToSql error: %s]" or "[DebugSqlizer error: %s]"
+//
+// IMPORTANT: As its name suggests, this function should only be used for
+// debugging. While the string result *might* be valid SQL, this function does
+// not try very hard to ensure it. Additionally, executing the output of this
+// function with any untrusted user input is certainly insecure.
+func DebugSqlizer(s Sqlizer) string {
+	sql, args, err := s.ToSql()
+	if err != nil {
+		return fmt.Sprintf("[ToSql error: %s]", err)
+	}
+
+	var placeholder string
+	downCast, ok := s.(placeholderDebugger)
+	if !ok {
+		placeholder = "?"
+	} else {
+		placeholder = downCast.debugPlaceholder()
+	}
+	// TODO: dedupe this with placeholder.go
+	buf := &bytes.Buffer{}
+	i := 0
+	for {
+		p := strings.Index(sql, placeholder)
+		if p == -1 {
+			break
+		}
+		if len(sql[p:]) > 1 && sql[p:p+2] == "??" { // escape ?? => ?
+			buf.WriteString(sql[:p])
+			buf.WriteString("?")
+			if len(sql[p:]) == 1 {
+				break
+			}
+			sql = sql[p+2:]
+		} else {
+			if i+1 > len(args) {
+				return fmt.Sprintf(
+					"[DebugSqlizer error: too many placeholders in %#v for %d args]",
+					sql, len(args))
+			}
+			buf.WriteString(sql[:p])
+			fmt.Fprintf(buf, "'%v'", args[i])
+			// advance our sql string "cursor" beyond the arg we placed
+			sql = sql[p+1:]
+			i++
+		}
+	}
+	if i < len(args) {
+		return fmt.Sprintf(
+			"[DebugSqlizer error: not enough placeholders in %#v for %d args]",
+			sql, len(args))
+	}
+	// "append" any remaning sql that won't need interpolating
+	buf.WriteString(sql)
+	return buf.String()
+}
diff --git a/vendor/github.com/Masterminds/squirrel/squirrel_ctx.go b/vendor/github.com/Masterminds/squirrel/squirrel_ctx.go
new file mode 100644
index 0000000000..c20148ad33
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/squirrel_ctx.go
@@ -0,0 +1,93 @@
+// +build go1.8
+
+package squirrel
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+)
+
+// NoContextSupport is returned if a db doesn't support Context.
+var NoContextSupport = errors.New("DB does not support Context")
+
+// ExecerContext is the interface that wraps the ExecContext method.
+//
+// Exec executes the given query as implemented by database/sql.ExecContext.
+type ExecerContext interface {
+	ExecContext(ctx context.Context, query string, args ...interface{}) (sql.Result, error)
+}
+
+// QueryerContext is the interface that wraps the QueryContext method.
+//
+// QueryContext executes the given query as implemented by database/sql.QueryContext.
+type QueryerContext interface {
+	QueryContext(ctx context.Context, query string, args ...interface{}) (*sql.Rows, error)
+}
+
+// QueryRowerContext is the interface that wraps the QueryRowContext method.
+//
+// QueryRowContext executes the given query as implemented by database/sql.QueryRowContext.
+type QueryRowerContext interface {
+	QueryRowContext(ctx context.Context, query string, args ...interface{}) RowScanner
+}
+
+// RunnerContext groups the Runner interface, along with the Context versions of each of
+// its methods
+type RunnerContext interface {
+	Runner
+	QueryerContext
+	QueryRowerContext
+	ExecerContext
+}
+
+// WrapStdSqlCtx wraps a type implementing the standard SQL interface plus the context
+// versions of the methods with methods that squirrel expects.
+func WrapStdSqlCtx(stdSqlCtx StdSqlCtx) RunnerContext {
+	return &stdsqlCtxRunner{stdSqlCtx}
+}
+
+// StdSqlCtx encompasses the standard methods of the *sql.DB type, along with the Context
+// versions of those methods, and other types that wrap these methods.
+type StdSqlCtx interface {
+	StdSql
+	QueryContext(context.Context, string, ...interface{}) (*sql.Rows, error)
+	QueryRowContext(context.Context, string, ...interface{}) *sql.Row
+	ExecContext(context.Context, string, ...interface{}) (sql.Result, error)
+}
+
+type stdsqlCtxRunner struct {
+	StdSqlCtx
+}
+
+func (r *stdsqlCtxRunner) QueryRow(query string, args ...interface{}) RowScanner {
+	return r.StdSqlCtx.QueryRow(query, args...)
+}
+
+func (r *stdsqlCtxRunner) QueryRowContext(ctx context.Context, query string, args ...interface{}) RowScanner {
+	return r.StdSqlCtx.QueryRowContext(ctx, query, args...)
+}
+
+// ExecContextWith ExecContexts the SQL returned by s with db.
+func ExecContextWith(ctx context.Context, db ExecerContext, s Sqlizer) (res sql.Result, err error) {
+	query, args, err := s.ToSql()
+	if err != nil {
+		return
+	}
+	return db.ExecContext(ctx, query, args...)
+}
+
+// QueryContextWith QueryContexts the SQL returned by s with db.
+func QueryContextWith(ctx context.Context, db QueryerContext, s Sqlizer) (rows *sql.Rows, err error) {
+	query, args, err := s.ToSql()
+	if err != nil {
+		return
+	}
+	return db.QueryContext(ctx, query, args...)
+}
+
+// QueryRowContextWith QueryRowContexts the SQL returned by s with db.
+func QueryRowContextWith(ctx context.Context, db QueryRowerContext, s Sqlizer) RowScanner {
+	query, args, err := s.ToSql()
+	return &Row{RowScanner: db.QueryRowContext(ctx, query, args...), err: err}
+}
diff --git a/vendor/github.com/Masterminds/squirrel/statement.go b/vendor/github.com/Masterminds/squirrel/statement.go
new file mode 100644
index 0000000000..9420c67f8e
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/statement.go
@@ -0,0 +1,104 @@
+package squirrel
+
+import "github.com/lann/builder"
+
+// StatementBuilderType is the type of StatementBuilder.
+type StatementBuilderType builder.Builder
+
+// Select returns a SelectBuilder for this StatementBuilderType.
+func (b StatementBuilderType) Select(columns ...string) SelectBuilder {
+	return SelectBuilder(b).Columns(columns...)
+}
+
+// Insert returns a InsertBuilder for this StatementBuilderType.
+func (b StatementBuilderType) Insert(into string) InsertBuilder {
+	return InsertBuilder(b).Into(into)
+}
+
+// Replace returns a InsertBuilder for this StatementBuilderType with the
+// statement keyword set to "REPLACE".
+func (b StatementBuilderType) Replace(into string) InsertBuilder {
+	return InsertBuilder(b).statementKeyword("REPLACE").Into(into)
+}
+
+// Update returns a UpdateBuilder for this StatementBuilderType.
+func (b StatementBuilderType) Update(table string) UpdateBuilder {
+	return UpdateBuilder(b).Table(table)
+}
+
+// Delete returns a DeleteBuilder for this StatementBuilderType.
+func (b StatementBuilderType) Delete(from string) DeleteBuilder {
+	return DeleteBuilder(b).From(from)
+}
+
+// PlaceholderFormat sets the PlaceholderFormat field for any child builders.
+func (b StatementBuilderType) PlaceholderFormat(f PlaceholderFormat) StatementBuilderType {
+	return builder.Set(b, "PlaceholderFormat", f).(StatementBuilderType)
+}
+
+// RunWith sets the RunWith field for any child builders.
+func (b StatementBuilderType) RunWith(runner BaseRunner) StatementBuilderType {
+	return setRunWith(b, runner).(StatementBuilderType)
+}
+
+// Where adds WHERE expressions to the query.
+//
+// See SelectBuilder.Where for more information.
+func (b StatementBuilderType) Where(pred interface{}, args ...interface{}) StatementBuilderType {
+	return builder.Append(b, "WhereParts", newWherePart(pred, args...)).(StatementBuilderType)
+}
+
+// StatementBuilder is a parent builder for other builders, e.g. SelectBuilder.
+var StatementBuilder = StatementBuilderType(builder.EmptyBuilder).PlaceholderFormat(Question)
+
+// Select returns a new SelectBuilder, optionally setting some result columns.
+//
+// See SelectBuilder.Columns.
+func Select(columns ...string) SelectBuilder {
+	return StatementBuilder.Select(columns...)
+}
+
+// Insert returns a new InsertBuilder with the given table name.
+//
+// See InsertBuilder.Into.
+func Insert(into string) InsertBuilder {
+	return StatementBuilder.Insert(into)
+}
+
+// Replace returns a new InsertBuilder with the statement keyword set to
+// "REPLACE" and with the given table name.
+//
+// See InsertBuilder.Into.
+func Replace(into string) InsertBuilder {
+	return StatementBuilder.Replace(into)
+}
+
+// Update returns a new UpdateBuilder with the given table name.
+//
+// See UpdateBuilder.Table.
+func Update(table string) UpdateBuilder {
+	return StatementBuilder.Update(table)
+}
+
+// Delete returns a new DeleteBuilder with the given table name.
+//
+// See DeleteBuilder.Table.
+func Delete(from string) DeleteBuilder {
+	return StatementBuilder.Delete(from)
+}
+
+// Case returns a new CaseBuilder
+// "what" represents case value
+func Case(what ...interface{}) CaseBuilder {
+	b := CaseBuilder(builder.EmptyBuilder)
+
+	switch len(what) {
+	case 0:
+	case 1:
+		b = b.what(what[0])
+	default:
+		b = b.what(newPart(what[0], what[1:]...))
+
+	}
+	return b
+}
diff --git a/vendor/github.com/Masterminds/squirrel/stmtcacher.go b/vendor/github.com/Masterminds/squirrel/stmtcacher.go
new file mode 100644
index 0000000000..5bf267a136
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/stmtcacher.go
@@ -0,0 +1,121 @@
+package squirrel
+
+import (
+	"database/sql"
+	"fmt"
+	"sync"
+)
+
+// Prepareer is the interface that wraps the Prepare method.
+//
+// Prepare executes the given query as implemented by database/sql.Prepare.
+type Preparer interface {
+	Prepare(query string) (*sql.Stmt, error)
+}
+
+// DBProxy groups the Execer, Queryer, QueryRower, and Preparer interfaces.
+type DBProxy interface {
+	Execer
+	Queryer
+	QueryRower
+	Preparer
+}
+
+// NOTE: NewStmtCache is defined in stmtcacher_ctx.go (Go >= 1.8) or stmtcacher_noctx.go (Go < 1.8).
+
+// StmtCache wraps and delegates down to a Preparer type
+//
+// It also automatically prepares all statements sent to the underlying Preparer calls
+// for Exec, Query and QueryRow and caches the returns *sql.Stmt using the provided
+// query as the key. So that it can be automatically re-used.
+type StmtCache struct {
+	prep  Preparer
+	cache map[string]*sql.Stmt
+	mu    sync.Mutex
+}
+
+// Prepare delegates down to the underlying Preparer and caches the result
+// using the provided query as a key
+func (sc *StmtCache) Prepare(query string) (*sql.Stmt, error) {
+	sc.mu.Lock()
+	defer sc.mu.Unlock()
+
+	stmt, ok := sc.cache[query]
+	if ok {
+		return stmt, nil
+	}
+	stmt, err := sc.prep.Prepare(query)
+	if err == nil {
+		sc.cache[query] = stmt
+	}
+	return stmt, err
+}
+
+// Exec delegates down to the underlying Preparer using a prepared statement
+func (sc *StmtCache) Exec(query string, args ...interface{}) (res sql.Result, err error) {
+	stmt, err := sc.Prepare(query)
+	if err != nil {
+		return
+	}
+	return stmt.Exec(args...)
+}
+
+// Query delegates down to the underlying Preparer using a prepared statement
+func (sc *StmtCache) Query(query string, args ...interface{}) (rows *sql.Rows, err error) {
+	stmt, err := sc.Prepare(query)
+	if err != nil {
+		return
+	}
+	return stmt.Query(args...)
+}
+
+// QueryRow delegates down to the underlying Preparer using a prepared statement
+func (sc *StmtCache) QueryRow(query string, args ...interface{}) RowScanner {
+	stmt, err := sc.Prepare(query)
+	if err != nil {
+		return &Row{err: err}
+	}
+	return stmt.QueryRow(args...)
+}
+
+// Clear removes and closes all the currently cached prepared statements
+func (sc *StmtCache) Clear() (err error) {
+	sc.mu.Lock()
+	defer sc.mu.Unlock()
+
+	for key, stmt := range sc.cache {
+		delete(sc.cache, key)
+
+		if stmt == nil {
+			continue
+		}
+
+		if cerr := stmt.Close(); cerr != nil {
+			err = cerr
+		}
+	}
+
+	if err != nil {
+		return fmt.Errorf("one or more Stmt.Close failed; last error: %v", err)
+	}
+
+	return
+}
+
+type DBProxyBeginner interface {
+	DBProxy
+	Begin() (*sql.Tx, error)
+}
+
+type stmtCacheProxy struct {
+	DBProxy
+	db *sql.DB
+}
+
+func NewStmtCacheProxy(db *sql.DB) DBProxyBeginner {
+	return &stmtCacheProxy{DBProxy: NewStmtCache(db), db: db}
+}
+
+func (sp *stmtCacheProxy) Begin() (*sql.Tx, error) {
+	return sp.db.Begin()
+}
diff --git a/vendor/github.com/Masterminds/squirrel/stmtcacher_ctx.go b/vendor/github.com/Masterminds/squirrel/stmtcacher_ctx.go
new file mode 100644
index 0000000000..53603cf4c9
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/stmtcacher_ctx.go
@@ -0,0 +1,86 @@
+// +build go1.8
+
+package squirrel
+
+import (
+	"context"
+	"database/sql"
+)
+
+// PrepareerContext is the interface that wraps the Prepare and PrepareContext methods.
+//
+// Prepare executes the given query as implemented by database/sql.Prepare.
+// PrepareContext executes the given query as implemented by database/sql.PrepareContext.
+type PreparerContext interface {
+	Preparer
+	PrepareContext(ctx context.Context, query string) (*sql.Stmt, error)
+}
+
+// DBProxyContext groups the Execer, Queryer, QueryRower and PreparerContext interfaces.
+type DBProxyContext interface {
+	Execer
+	Queryer
+	QueryRower
+	PreparerContext
+}
+
+// NewStmtCache returns a *StmtCache wrapping a PreparerContext that caches Prepared Stmts.
+//
+// Stmts are cached based on the string value of their queries.
+func NewStmtCache(prep PreparerContext) *StmtCache {
+	return &StmtCache{prep: prep, cache: make(map[string]*sql.Stmt)}
+}
+
+// NewStmtCacher is deprecated
+//
+// Use NewStmtCache instead
+func NewStmtCacher(prep PreparerContext) DBProxyContext {
+	return NewStmtCache(prep)
+}
+
+// PrepareContext delegates down to the underlying PreparerContext and caches the result
+// using the provided query as a key
+func (sc *StmtCache) PrepareContext(ctx context.Context, query string) (*sql.Stmt, error) {
+	ctxPrep, ok := sc.prep.(PreparerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	sc.mu.Lock()
+	defer sc.mu.Unlock()
+	stmt, ok := sc.cache[query]
+	if ok {
+		return stmt, nil
+	}
+	stmt, err := ctxPrep.PrepareContext(ctx, query)
+	if err == nil {
+		sc.cache[query] = stmt
+	}
+	return stmt, err
+}
+
+// ExecContext delegates down to the underlying PreparerContext using a prepared statement
+func (sc *StmtCache) ExecContext(ctx context.Context, query string, args ...interface{}) (res sql.Result, err error) {
+	stmt, err := sc.PrepareContext(ctx, query)
+	if err != nil {
+		return
+	}
+	return stmt.ExecContext(ctx, args...)
+}
+
+// QueryContext delegates down to the underlying PreparerContext using a prepared statement
+func (sc *StmtCache) QueryContext(ctx context.Context, query string, args ...interface{}) (rows *sql.Rows, err error) {
+	stmt, err := sc.PrepareContext(ctx, query)
+	if err != nil {
+		return
+	}
+	return stmt.QueryContext(ctx, args...)
+}
+
+// QueryRowContext delegates down to the underlying PreparerContext using a prepared statement
+func (sc *StmtCache) QueryRowContext(ctx context.Context, query string, args ...interface{}) RowScanner {
+	stmt, err := sc.PrepareContext(ctx, query)
+	if err != nil {
+		return &Row{err: err}
+	}
+	return stmt.QueryRowContext(ctx, args...)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/stmtcacher_noctx.go b/vendor/github.com/Masterminds/squirrel/stmtcacher_noctx.go
new file mode 100644
index 0000000000..deac96777b
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/stmtcacher_noctx.go
@@ -0,0 +1,21 @@
+// +build !go1.8
+
+package squirrel
+
+import (
+	"database/sql"
+)
+
+// NewStmtCacher returns a DBProxy wrapping prep that caches Prepared Stmts.
+//
+// Stmts are cached based on the string value of their queries.
+func NewStmtCache(prep Preparer) *StmtCache {
+	return &StmtCacher{prep: prep, cache: make(map[string]*sql.Stmt)}
+}
+
+// NewStmtCacher is deprecated
+//
+// Use NewStmtCache instead
+func NewStmtCacher(prep Preparer) DBProxy {
+	return NewStmtCache(prep)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/update.go b/vendor/github.com/Masterminds/squirrel/update.go
new file mode 100644
index 0000000000..eb2a9c4dd9
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/update.go
@@ -0,0 +1,288 @@
+package squirrel
+
+import (
+	"bytes"
+	"database/sql"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/lann/builder"
+)
+
+type updateData struct {
+	PlaceholderFormat PlaceholderFormat
+	RunWith           BaseRunner
+	Prefixes          []Sqlizer
+	Table             string
+	SetClauses        []setClause
+	From              Sqlizer
+	WhereParts        []Sqlizer
+	OrderBys          []string
+	Limit             string
+	Offset            string
+	Suffixes          []Sqlizer
+}
+
+type setClause struct {
+	column string
+	value  interface{}
+}
+
+func (d *updateData) Exec() (sql.Result, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	return ExecWith(d.RunWith, d)
+}
+
+func (d *updateData) Query() (*sql.Rows, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	return QueryWith(d.RunWith, d)
+}
+
+func (d *updateData) QueryRow() RowScanner {
+	if d.RunWith == nil {
+		return &Row{err: RunnerNotSet}
+	}
+	queryRower, ok := d.RunWith.(QueryRower)
+	if !ok {
+		return &Row{err: RunnerNotQueryRunner}
+	}
+	return QueryRowWith(queryRower, d)
+}
+
+func (d *updateData) ToSql() (sqlStr string, args []interface{}, err error) {
+	if len(d.Table) == 0 {
+		err = fmt.Errorf("update statements must specify a table")
+		return
+	}
+	if len(d.SetClauses) == 0 {
+		err = fmt.Errorf("update statements must have at least one Set clause")
+		return
+	}
+
+	sql := &bytes.Buffer{}
+
+	if len(d.Prefixes) > 0 {
+		args, err = appendToSql(d.Prefixes, sql, " ", args)
+		if err != nil {
+			return
+		}
+
+		sql.WriteString(" ")
+	}
+
+	sql.WriteString("UPDATE ")
+	sql.WriteString(d.Table)
+
+	sql.WriteString(" SET ")
+	setSqls := make([]string, len(d.SetClauses))
+	for i, setClause := range d.SetClauses {
+		var valSql string
+		if vs, ok := setClause.value.(Sqlizer); ok {
+			vsql, vargs, err := vs.ToSql()
+			if err != nil {
+				return "", nil, err
+			}
+			if _, ok := vs.(SelectBuilder); ok {
+				valSql = fmt.Sprintf("(%s)", vsql)
+			} else {
+				valSql = vsql
+			}
+			args = append(args, vargs...)
+		} else {
+			valSql = "?"
+			args = append(args, setClause.value)
+		}
+		setSqls[i] = fmt.Sprintf("%s = %s", setClause.column, valSql)
+	}
+	sql.WriteString(strings.Join(setSqls, ", "))
+
+	if d.From != nil {
+		sql.WriteString(" FROM ")
+		args, err = appendToSql([]Sqlizer{d.From}, sql, "", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if len(d.WhereParts) > 0 {
+		sql.WriteString(" WHERE ")
+		args, err = appendToSql(d.WhereParts, sql, " AND ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	if len(d.OrderBys) > 0 {
+		sql.WriteString(" ORDER BY ")
+		sql.WriteString(strings.Join(d.OrderBys, ", "))
+	}
+
+	if len(d.Limit) > 0 {
+		sql.WriteString(" LIMIT ")
+		sql.WriteString(d.Limit)
+	}
+
+	if len(d.Offset) > 0 {
+		sql.WriteString(" OFFSET ")
+		sql.WriteString(d.Offset)
+	}
+
+	if len(d.Suffixes) > 0 {
+		sql.WriteString(" ")
+		args, err = appendToSql(d.Suffixes, sql, " ", args)
+		if err != nil {
+			return
+		}
+	}
+
+	sqlStr, err = d.PlaceholderFormat.ReplacePlaceholders(sql.String())
+	return
+}
+
+// Builder
+
+// UpdateBuilder builds SQL UPDATE statements.
+type UpdateBuilder builder.Builder
+
+func init() {
+	builder.Register(UpdateBuilder{}, updateData{})
+}
+
+// Format methods
+
+// PlaceholderFormat sets PlaceholderFormat (e.g. Question or Dollar) for the
+// query.
+func (b UpdateBuilder) PlaceholderFormat(f PlaceholderFormat) UpdateBuilder {
+	return builder.Set(b, "PlaceholderFormat", f).(UpdateBuilder)
+}
+
+// Runner methods
+
+// RunWith sets a Runner (like database/sql.DB) to be used with e.g. Exec.
+func (b UpdateBuilder) RunWith(runner BaseRunner) UpdateBuilder {
+	return setRunWith(b, runner).(UpdateBuilder)
+}
+
+// Exec builds and Execs the query with the Runner set by RunWith.
+func (b UpdateBuilder) Exec() (sql.Result, error) {
+	data := builder.GetStruct(b).(updateData)
+	return data.Exec()
+}
+
+func (b UpdateBuilder) Query() (*sql.Rows, error) {
+	data := builder.GetStruct(b).(updateData)
+	return data.Query()
+}
+
+func (b UpdateBuilder) QueryRow() RowScanner {
+	data := builder.GetStruct(b).(updateData)
+	return data.QueryRow()
+}
+
+func (b UpdateBuilder) Scan(dest ...interface{}) error {
+	return b.QueryRow().Scan(dest...)
+}
+
+// SQL methods
+
+// ToSql builds the query into a SQL string and bound args.
+func (b UpdateBuilder) ToSql() (string, []interface{}, error) {
+	data := builder.GetStruct(b).(updateData)
+	return data.ToSql()
+}
+
+// MustSql builds the query into a SQL string and bound args.
+// It panics if there are any errors.
+func (b UpdateBuilder) MustSql() (string, []interface{}) {
+	sql, args, err := b.ToSql()
+	if err != nil {
+		panic(err)
+	}
+	return sql, args
+}
+
+// Prefix adds an expression to the beginning of the query
+func (b UpdateBuilder) Prefix(sql string, args ...interface{}) UpdateBuilder {
+	return b.PrefixExpr(Expr(sql, args...))
+}
+
+// PrefixExpr adds an expression to the very beginning of the query
+func (b UpdateBuilder) PrefixExpr(expr Sqlizer) UpdateBuilder {
+	return builder.Append(b, "Prefixes", expr).(UpdateBuilder)
+}
+
+// Table sets the table to be updated.
+func (b UpdateBuilder) Table(table string) UpdateBuilder {
+	return builder.Set(b, "Table", table).(UpdateBuilder)
+}
+
+// Set adds SET clauses to the query.
+func (b UpdateBuilder) Set(column string, value interface{}) UpdateBuilder {
+	return builder.Append(b, "SetClauses", setClause{column: column, value: value}).(UpdateBuilder)
+}
+
+// SetMap is a convenience method which calls .Set for each key/value pair in clauses.
+func (b UpdateBuilder) SetMap(clauses map[string]interface{}) UpdateBuilder {
+	keys := make([]string, len(clauses))
+	i := 0
+	for key := range clauses {
+		keys[i] = key
+		i++
+	}
+	sort.Strings(keys)
+	for _, key := range keys {
+		val, _ := clauses[key]
+		b = b.Set(key, val)
+	}
+	return b
+}
+
+// From adds FROM clause to the query
+// FROM is valid construct in postgresql only.
+func (b UpdateBuilder) From(from string) UpdateBuilder {
+	return builder.Set(b, "From", newPart(from)).(UpdateBuilder)
+}
+
+// FromSelect sets a subquery into the FROM clause of the query.
+func (b UpdateBuilder) FromSelect(from SelectBuilder, alias string) UpdateBuilder {
+	// Prevent misnumbered parameters in nested selects (#183).
+	from = from.PlaceholderFormat(Question)
+	return builder.Set(b, "From", Alias(from, alias)).(UpdateBuilder)
+}
+
+// Where adds WHERE expressions to the query.
+//
+// See SelectBuilder.Where for more information.
+func (b UpdateBuilder) Where(pred interface{}, args ...interface{}) UpdateBuilder {
+	return builder.Append(b, "WhereParts", newWherePart(pred, args...)).(UpdateBuilder)
+}
+
+// OrderBy adds ORDER BY expressions to the query.
+func (b UpdateBuilder) OrderBy(orderBys ...string) UpdateBuilder {
+	return builder.Extend(b, "OrderBys", orderBys).(UpdateBuilder)
+}
+
+// Limit sets a LIMIT clause on the query.
+func (b UpdateBuilder) Limit(limit uint64) UpdateBuilder {
+	return builder.Set(b, "Limit", fmt.Sprintf("%d", limit)).(UpdateBuilder)
+}
+
+// Offset sets a OFFSET clause on the query.
+func (b UpdateBuilder) Offset(offset uint64) UpdateBuilder {
+	return builder.Set(b, "Offset", fmt.Sprintf("%d", offset)).(UpdateBuilder)
+}
+
+// Suffix adds an expression to the end of the query
+func (b UpdateBuilder) Suffix(sql string, args ...interface{}) UpdateBuilder {
+	return b.SuffixExpr(Expr(sql, args...))
+}
+
+// SuffixExpr adds an expression to the end of the query
+func (b UpdateBuilder) SuffixExpr(expr Sqlizer) UpdateBuilder {
+	return builder.Append(b, "Suffixes", expr).(UpdateBuilder)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/update_ctx.go b/vendor/github.com/Masterminds/squirrel/update_ctx.go
new file mode 100644
index 0000000000..ad479f96f4
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/update_ctx.go
@@ -0,0 +1,69 @@
+// +build go1.8
+
+package squirrel
+
+import (
+	"context"
+	"database/sql"
+
+	"github.com/lann/builder"
+)
+
+func (d *updateData) ExecContext(ctx context.Context) (sql.Result, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	ctxRunner, ok := d.RunWith.(ExecerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	return ExecContextWith(ctx, ctxRunner, d)
+}
+
+func (d *updateData) QueryContext(ctx context.Context) (*sql.Rows, error) {
+	if d.RunWith == nil {
+		return nil, RunnerNotSet
+	}
+	ctxRunner, ok := d.RunWith.(QueryerContext)
+	if !ok {
+		return nil, NoContextSupport
+	}
+	return QueryContextWith(ctx, ctxRunner, d)
+}
+
+func (d *updateData) QueryRowContext(ctx context.Context) RowScanner {
+	if d.RunWith == nil {
+		return &Row{err: RunnerNotSet}
+	}
+	queryRower, ok := d.RunWith.(QueryRowerContext)
+	if !ok {
+		if _, ok := d.RunWith.(QueryerContext); !ok {
+			return &Row{err: RunnerNotQueryRunner}
+		}
+		return &Row{err: NoContextSupport}
+	}
+	return QueryRowContextWith(ctx, queryRower, d)
+}
+
+// ExecContext builds and ExecContexts the query with the Runner set by RunWith.
+func (b UpdateBuilder) ExecContext(ctx context.Context) (sql.Result, error) {
+	data := builder.GetStruct(b).(updateData)
+	return data.ExecContext(ctx)
+}
+
+// QueryContext builds and QueryContexts the query with the Runner set by RunWith.
+func (b UpdateBuilder) QueryContext(ctx context.Context) (*sql.Rows, error) {
+	data := builder.GetStruct(b).(updateData)
+	return data.QueryContext(ctx)
+}
+
+// QueryRowContext builds and QueryRowContexts the query with the Runner set by RunWith.
+func (b UpdateBuilder) QueryRowContext(ctx context.Context) RowScanner {
+	data := builder.GetStruct(b).(updateData)
+	return data.QueryRowContext(ctx)
+}
+
+// ScanContext is a shortcut for QueryRowContext().Scan.
+func (b UpdateBuilder) ScanContext(ctx context.Context, dest ...interface{}) error {
+	return b.QueryRowContext(ctx).Scan(dest...)
+}
diff --git a/vendor/github.com/Masterminds/squirrel/where.go b/vendor/github.com/Masterminds/squirrel/where.go
new file mode 100644
index 0000000000..976b63ace4
--- /dev/null
+++ b/vendor/github.com/Masterminds/squirrel/where.go
@@ -0,0 +1,30 @@
+package squirrel
+
+import (
+	"fmt"
+)
+
+type wherePart part
+
+func newWherePart(pred interface{}, args ...interface{}) Sqlizer {
+	return &wherePart{pred: pred, args: args}
+}
+
+func (p wherePart) ToSql() (sql string, args []interface{}, err error) {
+	switch pred := p.pred.(type) {
+	case nil:
+		// no-op
+	case rawSqlizer:
+		return pred.toSqlRaw()
+	case Sqlizer:
+		return pred.ToSql()
+	case map[string]interface{}:
+		return Eq(pred).ToSql()
+	case string:
+		sql = pred
+		args = p.args
+	default:
+		err = fmt.Errorf("expected string-keyed map or string, not %T", pred)
+	}
+	return
+}
diff --git a/vendor/github.com/chai2010/gettext-go/.travis.yml b/vendor/github.com/chai2010/gettext-go/.travis.yml
new file mode 100644
index 0000000000..4eac3982bc
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/.travis.yml
@@ -0,0 +1,5 @@
+language: go
+
+go:
+  - "1.14"
+  - tip
diff --git a/vendor/github.com/chai2010/gettext-go/LICENSE b/vendor/github.com/chai2010/gettext-go/LICENSE
new file mode 100644
index 0000000000..8f39408250
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/LICENSE
@@ -0,0 +1,27 @@
+Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/chai2010/gettext-go/README.md b/vendor/github.com/chai2010/gettext-go/README.md
new file mode 100644
index 0000000000..d766fab4d7
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/README.md
@@ -0,0 +1,190 @@
+- *Go语言QQ群: 102319854, 1055927514*
+- *凹语言(凹读音“Wa�)(The Wa Programming Language): https://github.com/wa-lang/wa*
+
+----
+
+# gettext-go: GNU gettext for Go ([Imported By Kubernetes](https://pkg.go.dev/github.com/chai2010/gettext-go@v0.1.0/gettext?tab=importedby))
+
+- PkgDoc: [http://godoc.org/github.com/chai2010/gettext-go](http://godoc.org/github.com/chai2010/gettext-go)
+- PkgDoc: [http://pkg.go.dev/github.com/chai2010/gettext-go](http://pkg.go.dev/github.com/chai2010/gettext-go)
+
+## Install
+
+1. `go get github.com/chai2010/gettext-go`
+2. `go run hello.go`
+
+The godoc.org or go.dev has more information.
+
+## Examples
+
+```Go
+package main
+
+import (
+	"fmt"
+
+	"github.com/chai2010/gettext-go"
+)
+
+func main() {
+	gettext := gettext.New("hello", "./examples/locale").SetLanguage("zh_CN")
+	fmt.Println(gettext.Gettext("Hello, world!"))
+
+	// Output: 你好, 世界!
+}
+```
+
+```Go
+package main
+
+import (
+	"fmt"
+
+	"github.com/chai2010/gettext-go"
+)
+
+func main() {
+	gettext.SetLanguage("zh_CN")
+	gettext.BindLocale(gettext.New("hello", "locale"))
+
+	// gettext.BindLocale("hello", "locale")              // from locale dir
+	// gettext.BindLocale("hello", "locale.zip")          // from locale zip file
+	// gettext.BindLocale("hello", "locale.zip", zipData) // from embedded zip data
+
+	// translate source text
+	fmt.Println(gettext.Gettext("Hello, world!"))
+	// Output: 你好, 世界!
+
+	// if no msgctxt in PO file (only msgid and msgstr),
+	// specify context as "" by
+	fmt.Println(gettext.PGettext("", "Hello, world!"))
+	// Output: 你好, 世界!
+
+	// translate resource
+	fmt.Println(string(gettext.Getdata("poems.txt"))))
+	// Output: ...
+}
+```
+
+Go file: [hello.go](https://github.com/chai2010/gettext-go/blob/master/examples/hello.go); PO file: [hello.po](https://github.com/chai2010/gettext-go/blob/master/examples/locale/default/LC_MESSAGES/hello.po);
+
+----
+
+## API Changes (v0.1.0 vs v1.0.0)
+
+### Renamed package path
+
+| v0.1.0 (old)                                    | v1.0.0 (new)                            |
+| ----------------------------------------------- | --------------------------------------- |
+| `github.com/chai2010/gettext-go/gettext`        | `github.com/chai2010/gettext-go`        |
+| `github.com/chai2010/gettext-go/gettext/po`     | `github.com/chai2010/gettext-go/po`     |
+| `github.com/chai2010/gettext-go/gettext/mo`     | `github.com/chai2010/gettext-go/mo`     |
+| `github.com/chai2010/gettext-go/gettext/plural` | `github.com/chai2010/gettext-go/plural` |
+
+### Renamed functions
+
+| v0.1.0 (old)                       | v1.0.0 (new)                |
+| ---------------------------------- | --------------------------- |
+| `gettext-go/gettext.*`             | `gettext-go.*`              |
+| `gettext-go/gettext.DefaultLocal`  | `gettext-go.DefaultLanguage`|
+| `gettext-go/gettext.BindTextdomain`| `gettext-go.BindLocale`     |
+| `gettext-go/gettext.Textdomain`    | `gettext-go.SetDomain`      |
+| `gettext-go/gettext.SetLocale`     | `gettext-go.SetLanguage`    |
+| `gettext-go/gettext/po.Load`       | `gettext-go/po.LoadFile`    |
+| `gettext-go/gettext/po.LoadData`   | `gettext-go/po.Load`        |
+| `gettext-go/gettext/mo.Load`       | `gettext-go/mo.LoadFile`    |
+| `gettext-go/gettext/mo.LoadData`   | `gettext-go/mo.Load`        |
+
+### Use empty string as the default context for `gettext.Gettext`
+
+```go
+package main
+
+// v0.1.0
+// if the **context** missing, use `callerName(2)` as the context:
+
+// v1.0.0
+// if the **context** missing, use empty string as the context:
+
+func main() {
+	gettext.Gettext("hello")          
+	// v0.1.0 => gettext.PGettext("main.main", "hello")
+	// v1.0.0 => gettext.PGettext("", "hello")
+
+	gettext.DGettext("domain", "hello")
+	// v0.1.0 => gettext.DPGettext("domain", "main.main", "hello")
+	// v1.0.0 => gettext.DPGettext("domain", "", "hello")
+
+	gettext.NGettext("domain", "hello", "hello2", n)
+	// v0.1.0 => gettext.PNGettext("domain", "main.main", "hello", "hello2", n)
+	// v1.0.0 => gettext.PNGettext("domain", "", "hello", "hello2", n)
+
+	gettext.DNGettext("domain", "hello", "hello2", n)
+	// v0.1.0 => gettext.DPNGettext("domain", "main.main", "hello", "hello2", n)
+	// v1.0.0 => gettext.DPNGettext("domain", "", "hello", "hello2", n)
+}
+```
+
+### `BindLocale` support `FileSystem` interface
+
+```go
+// Use FileSystem:
+//	BindLocale(New("poedit", "name", OS("path/to/dir"))) // bind "poedit" domain
+//	BindLocale(New("poedit", "name", OS("path/to.zip"))) // bind "poedit" domain
+```
+
+## New API in v1.0.0
+
+`Gettexter` interface:
+
+```go
+type Gettexter interface {
+	FileSystem() FileSystem
+
+	GetDomain() string
+	SetDomain(domain string) Gettexter
+
+	GetLanguage() string
+	SetLanguage(lang string) Gettexter
+
+	Gettext(msgid string) string
+	PGettext(msgctxt, msgid string) string
+
+	NGettext(msgid, msgidPlural string, n int) string
+	PNGettext(msgctxt, msgid, msgidPlural string, n int) string
+
+	DGettext(domain, msgid string) string
+	DPGettext(domain, msgctxt, msgid string) string
+	DNGettext(domain, msgid, msgidPlural string, n int) string
+	DPNGettext(domain, msgctxt, msgid, msgidPlural string, n int) string
+
+	Getdata(name string) []byte
+	DGetdata(domain, name string) []byte
+}
+
+func New(domain, path string, data ...interface{}) Gettexter
+```
+
+`FileSystem` interface:
+
+```go
+type FileSystem interface {
+	LocaleList() []string
+	LoadMessagesFile(domain, lang, ext string) ([]byte, error)
+	LoadResourceFile(domain, lang, name string) ([]byte, error)
+	String() string
+}
+
+func NewFS(name string, x interface{}) FileSystem
+func OS(root string) FileSystem
+func ZipFS(r *zip.Reader, name string) FileSystem
+func NilFS(name string) FileSystem
+```
+
+----
+
+## BUGS
+
+Please report bugs to <chaishushan@gmail.com>.
+
+Thanks!
diff --git a/vendor/github.com/chai2010/gettext-go/doc.go b/vendor/github.com/chai2010/gettext-go/doc.go
new file mode 100644
index 0000000000..50dfea3305
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/doc.go
@@ -0,0 +1,67 @@
+// Copyright 2013 <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+Package gettext implements a basic GNU's gettext library.
+
+Example:
+	import (
+		"github.com/chai2010/gettext-go"
+	)
+
+	func main() {
+		gettext.SetLanguage("zh_CN")
+
+		// gettext.BindLocale(gettext.New("hello", "locale"))              // from locale dir
+		// gettext.BindLocale(gettext.New("hello", "locale.zip"))          // from locale zip file
+		// gettext.BindLocale(gettext.New("hello", "locale.zip", zipData)) // from embedded zip data
+
+		gettext.BindLocale(gettext.New("hello", "locale"))
+
+		// translate source text
+		fmt.Println(gettext.Gettext("Hello, world!"))
+		// Output: 你好, 世界!
+
+		// translate resource
+		fmt.Println(string(gettext.Getdata("poems.txt")))
+		// Output: ...
+	}
+
+Translate directory struct("./examples/locale.zip"):
+
+	Root: "path" or "file.zip/zipBaseName"
+	 +-default                 # locale: $(LC_MESSAGES) or $(LANG) or "default"
+	 |  +-LC_MESSAGES            # just for `gettext.Gettext`
+	 |  |   +-hello.mo             # $(Root)/$(lang)/LC_MESSAGES/$(domain).mo
+	 |  |   +-hello.po             # $(Root)/$(lang)/LC_MESSAGES/$(domain).po
+	 |  |   \-hello.json           # $(Root)/$(lang)/LC_MESSAGES/$(domain).json
+	 |  |
+	 |  \-LC_RESOURCE            # just for `gettext.Getdata`
+	 |      +-hello                # domain map a dir in resource translate
+	 |         +-favicon.ico       # $(Root)/$(lang)/LC_RESOURCE/$(domain)/$(filename)
+	 |         \-poems.txt
+	 |
+	 \-zh_CN                   # simple chinese translate
+	    +-LC_MESSAGES
+	    |   +-hello.po             # try "$(domain).po" first
+	    |   +-hello.mo             # try "$(domain).mo" second
+	    |   \-hello.json           # try "$(domain).json" third
+	    |
+	    \-LC_RESOURCE
+	        +-hello
+	           +-favicon.ico       # $(lang)/$(domain)/favicon.ico
+	           \-poems.txt         # $(lang)/$(domain)/poems.txt
+
+See:
+	http://en.wikipedia.org/wiki/Gettext
+	http://www.gnu.org/software/gettext/manual/html_node
+	http://www.gnu.org/software/gettext/manual/html_node/Header-Entry.html
+	http://www.gnu.org/software/gettext/manual/html_node/PO-Files.html
+	http://www.gnu.org/software/gettext/manual/html_node/MO-Files.html
+	http://www.poedit.net/
+
+Please report bugs to <chaishushan{AT}gmail.com>.
+Thanks!
+*/
+package gettext
diff --git a/vendor/github.com/chai2010/gettext-go/fs.go b/vendor/github.com/chai2010/gettext-go/fs.go
new file mode 100644
index 0000000000..4e66fae7c6
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/fs.go
@@ -0,0 +1,84 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gettext
+
+import (
+	"archive/zip"
+	"bytes"
+	"fmt"
+)
+
+type FileSystem interface {
+	LocaleList() []string
+	LoadMessagesFile(domain, lang, ext string) ([]byte, error)
+	LoadResourceFile(domain, lang, name string) ([]byte, error)
+	String() string
+}
+
+func NewFS(name string, x interface{}) FileSystem {
+	if x == nil {
+		if name != "" {
+			return OS(name)
+		}
+		return NilFS(name)
+	}
+
+	switch x := x.(type) {
+	case []byte:
+		if len(x) == 0 {
+			return OS(name)
+		}
+		if r, err := zip.NewReader(bytes.NewReader(x), int64(len(x))); err == nil {
+			return ZipFS(r, name)
+		}
+		if fs, err := newJson(x, name); err == nil {
+			return fs
+		}
+	case string:
+		if len(x) == 0 {
+			return OS(name)
+		}
+		if r, err := zip.NewReader(bytes.NewReader([]byte(x)), int64(len(x))); err == nil {
+			return ZipFS(r, name)
+		}
+		if fs, err := newJson([]byte(x), name); err == nil {
+			return fs
+		}
+	case FileSystem:
+		return x
+	}
+
+	return NilFS(name)
+}
+
+func OS(root string) FileSystem {
+	return newOsFS(root)
+}
+
+func ZipFS(r *zip.Reader, name string) FileSystem {
+	return newZipFS(r, name)
+}
+
+func NilFS(name string) FileSystem {
+	return &nilFS{name}
+}
+
+type nilFS struct {
+	name string
+}
+
+func (p *nilFS) LocaleList() []string {
+	return nil
+}
+
+func (p *nilFS) LoadMessagesFile(domain, lang, ext string) ([]byte, error) {
+	return nil, fmt.Errorf("not found")
+}
+func (p *nilFS) LoadResourceFile(domain, lang, name string) ([]byte, error) {
+	return nil, fmt.Errorf("not found")
+}
+func (p *nilFS) String() string {
+	return "gettext.nilfs(" + p.name + ")"
+}
diff --git a/vendor/github.com/chai2010/gettext-go/fs_json.go b/vendor/github.com/chai2010/gettext-go/fs_json.go
new file mode 100644
index 0000000000..c7138c9954
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/fs_json.go
@@ -0,0 +1,66 @@
+// Copyright 2020 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gettext
+
+import (
+	"encoding/json"
+	"fmt"
+	"sort"
+)
+
+type jsonFS struct {
+	name string
+	x    map[string]struct {
+		LC_MESSAGES map[string][]struct {
+			MsgContext  string   `json:"msgctxt"`      // msgctxt context
+			MsgId       string   `json:"msgid"`        // msgid untranslated-string
+			MsgIdPlural string   `json:"msgid_plural"` // msgid_plural untranslated-string-plural
+			MsgStr      []string `json:"msgstr"`       // msgstr translated-string
+		}
+		LC_RESOURCE map[string]map[string]string
+	}
+}
+
+func isJsonData() bool {
+	return false
+}
+
+func newJson(jsonData []byte, name string) (*jsonFS, error) {
+	p := &jsonFS{name: name}
+	if err := json.Unmarshal(jsonData, &p.x); err != nil {
+		return nil, err
+	}
+
+	return p, nil
+}
+
+func (p *jsonFS) LocaleList() []string {
+	var ss []string
+	for lang := range p.x {
+		ss = append(ss, lang)
+	}
+	sort.Strings(ss)
+	return ss
+}
+
+func (p *jsonFS) LoadMessagesFile(domain, lang, ext string) ([]byte, error) {
+	if v, ok := p.x[lang]; ok {
+		if v, ok := v.LC_MESSAGES[domain+ext]; ok {
+			return json.Marshal(v)
+		}
+	}
+	return nil, fmt.Errorf("not found")
+}
+func (p *jsonFS) LoadResourceFile(domain, lang, name string) ([]byte, error) {
+	if v, ok := p.x[lang]; ok {
+		if v, ok := v.LC_RESOURCE[domain]; ok {
+			return []byte(v[name]), nil
+		}
+	}
+	return nil, fmt.Errorf("not found")
+}
+func (p *jsonFS) String() string {
+	return "gettext.nilfs(" + p.name + ")"
+}
diff --git a/vendor/github.com/chai2010/gettext-go/fs_os.go b/vendor/github.com/chai2010/gettext-go/fs_os.go
new file mode 100644
index 0000000000..80d4f51bac
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/fs_os.go
@@ -0,0 +1,91 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gettext
+
+import (
+	"archive/zip"
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"sort"
+	"strings"
+)
+
+type osFS struct {
+	root string
+}
+
+func newOsFS(root string) FileSystem {
+	// locale zip file
+	if fi, err := os.Stat(root); err == nil && !fi.IsDir() {
+		if strings.HasSuffix(strings.ToLower(root), ".zip") {
+			if x, err := ioutil.ReadFile(root); err == nil {
+				if r, err := zip.NewReader(bytes.NewReader(x), int64(len(x))); err == nil {
+					return ZipFS(r, root)
+				}
+			}
+		}
+		if strings.HasSuffix(strings.ToLower(root), ".json") {
+			if x, err := ioutil.ReadFile(root); err == nil {
+				if fs, err := newJson(x, root); err == nil {
+					return fs
+				}
+			}
+		}
+	}
+
+	// locale dir
+	return &osFS{root: root}
+}
+
+func (p *osFS) LocaleList() []string {
+	list, err := ioutil.ReadDir(p.root)
+	if err != nil {
+		return nil
+	}
+	ssMap := make(map[string]bool)
+	for _, dir := range list {
+		if dir.IsDir() {
+			ssMap[dir.Name()] = true
+		}
+	}
+	var locales = make([]string, 0, len(ssMap))
+	for s := range ssMap {
+		locales = append(locales, s)
+	}
+	sort.Strings(locales)
+	return locales
+}
+
+func (p *osFS) LoadMessagesFile(domain, locale, ext string) ([]byte, error) {
+	trName := p.makeMessagesFileName(domain, locale, ext)
+	rcData, err := ioutil.ReadFile(trName)
+	if err != nil {
+		return nil, err
+	}
+	return rcData, nil
+}
+
+func (p *osFS) LoadResourceFile(domain, locale, name string) ([]byte, error) {
+	rcName := p.makeResourceFileName(domain, locale, name)
+	rcData, err := ioutil.ReadFile(rcName)
+	if err != nil {
+		return nil, err
+	}
+	return rcData, nil
+}
+
+func (p *osFS) String() string {
+	return "gettext.localfs(" + p.root + ")"
+}
+
+func (p *osFS) makeMessagesFileName(domain, lang, ext string) string {
+	return fmt.Sprintf("%s/%s/LC_MESSAGES/%s%s", p.root, lang, domain, ext)
+}
+
+func (p *osFS) makeResourceFileName(domain, lang, name string) string {
+	return fmt.Sprintf("%s/%s/LC_RESOURCE/%s/%s", p.root, lang, domain, name)
+}
diff --git a/vendor/github.com/chai2010/gettext-go/fs_zip.go b/vendor/github.com/chai2010/gettext-go/fs_zip.go
new file mode 100644
index 0000000000..61eb8359da
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/fs_zip.go
@@ -0,0 +1,142 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gettext
+
+import (
+	"archive/zip"
+	"fmt"
+	"io/ioutil"
+	"sort"
+	"strings"
+)
+
+type zipFS struct {
+	root string
+	name string
+	r    *zip.Reader
+}
+
+func newZipFS(r *zip.Reader, name string) *zipFS {
+	fs := &zipFS{r: r, name: name}
+	fs.root = fs.zipRoot()
+	return fs
+}
+
+func (p *zipFS) zipName() string {
+	name := p.name
+	if x := strings.LastIndexAny(name, `\/`); x != -1 {
+		name = name[x+1:]
+	}
+	name = strings.TrimSuffix(name, ".zip")
+	return name
+}
+
+func (p *zipFS) zipRoot() string {
+	var somepath string
+	for _, f := range p.r.File {
+		if x := strings.Index(f.Name, "LC_MESSAGES"); x != -1 {
+			somepath = f.Name
+		}
+		if x := strings.Index(f.Name, "LC_RESOURCE"); x != -1 {
+			somepath = f.Name
+		}
+	}
+	if somepath == "" {
+		return p.zipName()
+	}
+
+	ss := strings.Split(somepath, "/")
+	for i, s := range ss {
+		// $(root)/$(lang)/LC_MESSAGES
+		// $(root)/$(lang)/LC_RESOURCE
+		if (s == "LC_MESSAGES" || s == "LC_RESOURCE") && i >= 2 {
+			return strings.Join(ss[:i-1], "/")
+		}
+	}
+
+	return p.zipName()
+}
+
+func (p *zipFS) LocaleList() []string {
+	var locals []string
+	for s := range p.lsZip(p.r) {
+		locals = append(locals, s)
+	}
+	sort.Strings(locals)
+	return locals
+}
+
+func (p *zipFS) LoadMessagesFile(domain, lang, ext string) ([]byte, error) {
+	trName := p.makeMessagesFileName(domain, lang, ext)
+	for _, f := range p.r.File {
+		if f.Name != trName {
+			continue
+		}
+		rc, err := f.Open()
+		if err != nil {
+			return nil, err
+		}
+		rcData, err := ioutil.ReadAll(rc)
+		rc.Close()
+		return rcData, err
+	}
+	return nil, fmt.Errorf("not found")
+}
+
+func (p *zipFS) LoadResourceFile(domain, lang, name string) ([]byte, error) {
+	rcName := p.makeResourceFileName(domain, lang, name)
+	for _, f := range p.r.File {
+		if f.Name != rcName {
+			continue
+		}
+		rc, err := f.Open()
+		if err != nil {
+			return nil, err
+		}
+		rcData, err := ioutil.ReadAll(rc)
+		rc.Close()
+		return rcData, err
+	}
+	return nil, fmt.Errorf("not found")
+}
+
+func (p *zipFS) String() string {
+	return "gettext.zipfs(" + p.name + ")"
+}
+
+func (p *zipFS) makeMessagesFileName(domain, lang, ext string) string {
+	return fmt.Sprintf("%s/%s/LC_MESSAGES/%s%s", p.root, lang, domain, ext)
+}
+
+func (p *zipFS) makeResourceFileName(domain, lang, name string) string {
+	return fmt.Sprintf("%s/%s/LC_RESOURCE/%s/%s", p.root, lang, domain, name)
+}
+
+func (p *zipFS) lsZip(r *zip.Reader) map[string]bool {
+	ssMap := make(map[string]bool)
+	for _, f := range r.File {
+		if x := strings.Index(f.Name, "LC_MESSAGES"); x != -1 {
+			s := strings.TrimRight(f.Name[:x], `\/`)
+			if x = strings.LastIndexAny(s, `\/`); x != -1 {
+				s = s[x+1:]
+			}
+			if s != "" {
+				ssMap[s] = true
+			}
+			continue
+		}
+		if x := strings.Index(f.Name, "LC_RESOURCE"); x != -1 {
+			s := strings.TrimRight(f.Name[:x], `\/`)
+			if x = strings.LastIndexAny(s, `\/`); x != -1 {
+				s = s[x+1:]
+			}
+			if s != "" {
+				ssMap[s] = true
+			}
+			continue
+		}
+	}
+	return ssMap
+}
diff --git a/vendor/github.com/chai2010/gettext-go/gettext.go b/vendor/github.com/chai2010/gettext-go/gettext.go
new file mode 100644
index 0000000000..7747188ab4
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/gettext.go
@@ -0,0 +1,219 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gettext
+
+var (
+	DefaultLanguage string = getDefaultLanguage() // use $(LC_MESSAGES) or $(LANG) or "default"
+)
+
+type Gettexter interface {
+	FileSystem() FileSystem
+
+	GetDomain() string
+	SetDomain(domain string) Gettexter
+
+	GetLanguage() string
+	SetLanguage(lang string) Gettexter
+
+	Gettext(msgid string) string
+	PGettext(msgctxt, msgid string) string
+
+	NGettext(msgid, msgidPlural string, n int) string
+	PNGettext(msgctxt, msgid, msgidPlural string, n int) string
+
+	DGettext(domain, msgid string) string
+	DPGettext(domain, msgctxt, msgid string) string
+	DNGettext(domain, msgid, msgidPlural string, n int) string
+	DPNGettext(domain, msgctxt, msgid, msgidPlural string, n int) string
+
+	Getdata(name string) []byte
+	DGetdata(domain, name string) []byte
+}
+
+// New create Interface use default language.
+func New(domain, path string, data ...interface{}) Gettexter {
+	return newLocale(domain, path, data...)
+}
+
+var defaultGettexter struct {
+	lang   string
+	domain string
+	Gettexter
+}
+
+func init() {
+	defaultGettexter.lang = getDefaultLanguage()
+	defaultGettexter.domain = "default"
+	defaultGettexter.Gettexter = newLocale("", "")
+}
+
+// BindLocale sets and queries program's domains.
+//
+// Examples:
+//	BindLocale(New("poedit", "locale")) // bind "poedit" domain
+//
+// Use zip file:
+//	BindLocale(New("poedit", "locale.zip"))          // bind "poedit" domain
+//	BindLocale(New("poedit", "locale.zip", zipData)) // bind "poedit" domain
+//
+// Use FileSystem:
+//	BindLocale(New("poedit", "name", OS("path/to/dir"))) // bind "poedit" domain
+//	BindLocale(New("poedit", "name", OS("path/to.zip"))) // bind "poedit" domain
+//
+func BindLocale(g Gettexter) {
+	if g != nil {
+		defaultGettexter.Gettexter = g
+		defaultGettexter.SetLanguage(defaultGettexter.lang)
+	} else {
+		defaultGettexter.Gettexter = newLocale("", "")
+		defaultGettexter.SetLanguage(defaultGettexter.lang)
+	}
+}
+
+// SetLanguage sets and queries the program's current lang.
+//
+// If the lang is not empty string, set the new locale.
+//
+// If the lang is empty string, don't change anything.
+//
+// Returns is the current locale.
+//
+// Examples:
+//	SetLanguage("")      // get locale: return DefaultLocale
+//	SetLanguage("zh_CN") // set locale: return zh_CN
+//	SetLanguage("")      // get locale: return zh_CN
+func SetLanguage(lang string) string {
+	defaultGettexter.SetLanguage(lang)
+	return defaultGettexter.GetLanguage()
+}
+
+// SetDomain sets and retrieves the current message domain.
+//
+// If the domain is not empty string, set the new domains.
+//
+// If the domain is empty string, don't change anything.
+//
+// Returns is the all used domains.
+//
+// Examples:
+//	SetDomain("poedit") // set domain: poedit
+//	SetDomain("")       // get domain: return poedit
+func SetDomain(domain string) string {
+	defaultGettexter.SetDomain(domain)
+	return defaultGettexter.GetDomain()
+}
+
+// Gettext attempt to translate a text string into the user's native language,
+// by looking up the translation in a message catalog.
+//
+// It use the caller's function name as the msgctxt.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.Gettext("Hello") // msgctxt is ""
+//	}
+func Gettext(msgid string) string {
+	return defaultGettexter.Gettext(msgid)
+}
+
+// Getdata attempt to translate a resource file into the user's native language,
+// by looking up the translation in a message catalog.
+//
+// Examples:
+//	func Foo() {
+//		Textdomain("hello")
+//		BindLocale("hello", "locale.zip", nilOrZipData)
+//		poems := gettext.Getdata("poems.txt")
+//	}
+func Getdata(name string) []byte {
+	return defaultGettexter.Getdata(name)
+}
+
+// NGettext attempt to translate a text string into the user's native language,
+// by looking up the appropriate plural form of the translation in a message
+// catalog.
+//
+// It use the caller's function name as the msgctxt.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.NGettext("%d people", "%d peoples", 2)
+//	}
+func NGettext(msgid, msgidPlural string, n int) string {
+	return defaultGettexter.NGettext(msgid, msgidPlural, n)
+}
+
+// PGettext attempt to translate a text string into the user's native language,
+// by looking up the translation in a message catalog.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.PGettext("gettext-go.example", "Hello") // msgctxt is "gettext-go.example"
+//	}
+func PGettext(msgctxt, msgid string) string {
+	return defaultGettexter.PGettext(msgctxt, msgid)
+}
+
+// PNGettext attempt to translate a text string into the user's native language,
+// by looking up the appropriate plural form of the translation in a message
+// catalog.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.PNGettext("gettext-go.example", "%d people", "%d peoples", 2)
+//	}
+func PNGettext(msgctxt, msgid, msgidPlural string, n int) string {
+	return defaultGettexter.PNGettext(msgctxt, msgid, msgidPlural, n)
+}
+
+// DGettext like Gettext(), but looking up the message in the specified domain.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.DGettext("poedit", "Hello")
+//	}
+func DGettext(domain, msgid string) string {
+	return defaultGettexter.DGettext(domain, msgid)
+}
+
+// DNGettext like NGettext(), but looking up the message in the specified domain.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.PNGettext("poedit", "gettext-go.example", "%d people", "%d peoples", 2)
+//	}
+func DNGettext(domain, msgid, msgidPlural string, n int) string {
+	return defaultGettexter.DNGettext(domain, msgid, msgidPlural, n)
+}
+
+// DPGettext like PGettext(), but looking up the message in the specified domain.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.DPGettext("poedit", "gettext-go.example", "Hello")
+//	}
+func DPGettext(domain, msgctxt, msgid string) string {
+	return defaultGettexter.DPGettext(domain, msgctxt, msgid)
+}
+
+// DPNGettext like PNGettext(), but looking up the message in the specified domain.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.DPNGettext("poedit", "gettext-go.example", "%d people", "%d peoples", 2)
+//	}
+func DPNGettext(domain, msgctxt, msgid, msgidPlural string, n int) string {
+	return defaultGettexter.DPNGettext(domain, msgctxt, msgid, msgidPlural, n)
+}
+
+// DGetdata like Getdata(), but looking up the resource in the specified domain.
+//
+// Examples:
+//	func Foo() {
+//		msg := gettext.DGetdata("hello", "poems.txt")
+//	}
+func DGetdata(domain, name string) []byte {
+	return defaultGettexter.DGetdata(domain, name)
+}
diff --git a/vendor/github.com/chai2010/gettext-go/locale.go b/vendor/github.com/chai2010/gettext-go/locale.go
new file mode 100644
index 0000000000..e7a2d4b37b
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/locale.go
@@ -0,0 +1,205 @@
+// Copyright 2020 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gettext
+
+import (
+	"fmt"
+	"sync"
+)
+
+type _Locale struct {
+	mutex     sync.Mutex
+	fs        FileSystem
+	lang      string
+	domain    string
+	trMap     map[string]*translator
+	trCurrent *translator
+}
+
+var _ Gettexter = (*_Locale)(nil)
+
+func newLocale(domain, path string, data ...interface{}) *_Locale {
+	if domain == "" {
+		domain = "default"
+	}
+	p := &_Locale{
+		lang:   DefaultLanguage,
+		domain: domain,
+	}
+	if len(data) > 0 {
+		p.fs = NewFS(path, data[0])
+	} else {
+		p.fs = NewFS(path, nil)
+	}
+
+	p.syncTrMap()
+	return p
+}
+
+func (p *_Locale) makeTrMapKey(domain, _Locale string) string {
+	return domain + "_$$$_" + _Locale
+}
+
+func (p *_Locale) FileSystem() FileSystem {
+	return p.fs
+}
+
+func (p *_Locale) GetLanguage() string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+
+	return p.lang
+}
+func (p *_Locale) SetLanguage(lang string) Gettexter {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+
+	if lang == "" {
+		lang = DefaultLanguage
+	}
+	if lang == p.lang {
+		return p
+	}
+
+	p.lang = lang
+	p.syncTrMap()
+	return p
+}
+
+func (p *_Locale) GetDomain() string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.domain
+}
+
+func (p *_Locale) SetDomain(domain string) Gettexter {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+
+	if domain == "" || domain == p.domain {
+		return p
+	}
+
+	p.domain = domain
+	p.syncTrMap()
+	return p
+}
+
+func (p *_Locale) syncTrMap() {
+	p.trMap = make(map[string]*translator)
+	trMapKey := p.makeTrMapKey(p.domain, p.lang)
+
+	if tr, ok := p.trMap[trMapKey]; ok {
+		p.trCurrent = tr
+		return
+	}
+
+	// try load po file
+	if data, err := p.fs.LoadMessagesFile(p.domain, p.lang, ".po"); err == nil {
+		if tr, err := newPoTranslator(fmt.Sprintf("%s_%s.po", p.domain, p.lang), data); err == nil {
+			p.trMap[trMapKey] = tr
+			p.trCurrent = tr
+			return
+		}
+	}
+
+	// try load mo file
+	if data, err := p.fs.LoadMessagesFile(p.domain, p.lang, ".mo"); err == nil {
+		if tr, err := newMoTranslator(fmt.Sprintf("%s_%s.mo", p.domain, p.lang), data); err == nil {
+			p.trMap[trMapKey] = tr
+			p.trCurrent = tr
+			return
+		}
+	}
+
+	// try load json file
+	if data, err := p.fs.LoadMessagesFile(p.domain, p.lang, ".json"); err == nil {
+		if tr, err := newJsonTranslator(p.lang, fmt.Sprintf("%s_%s.json", p.domain, p.lang), data); err == nil {
+			p.trMap[trMapKey] = tr
+			p.trCurrent = tr
+			return
+		}
+	}
+
+	// no po/mo file
+	p.trMap[trMapKey] = nilTranslator
+	p.trCurrent = nilTranslator
+	return
+}
+
+func (p *_Locale) Gettext(msgid string) string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.trCurrent.PGettext("", msgid)
+}
+
+func (p *_Locale) PGettext(msgctxt, msgid string) string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.trCurrent.PGettext(msgctxt, msgid)
+}
+
+func (p *_Locale) NGettext(msgid, msgidPlural string, n int) string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.trCurrent.PNGettext("", msgid, msgidPlural, n)
+}
+
+func (p *_Locale) PNGettext(msgctxt, msgid, msgidPlural string, n int) string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.trCurrent.PNGettext(msgctxt, msgid, msgidPlural, n)
+}
+
+func (p *_Locale) DGettext(domain, msgid string) string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.gettext(domain, "", msgid, "", 0)
+}
+
+func (p *_Locale) DNGettext(domain, msgid, msgidPlural string, n int) string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.gettext(domain, "", msgid, msgidPlural, n)
+}
+
+func (p *_Locale) DPGettext(domain, msgctxt, msgid string) string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.gettext(domain, msgctxt, msgid, "", 0)
+}
+
+func (p *_Locale) DPNGettext(domain, msgctxt, msgid, msgidPlural string, n int) string {
+	p.mutex.Lock()
+	defer p.mutex.Unlock()
+	return p.gettext(domain, msgctxt, msgid, msgidPlural, n)
+}
+
+func (p *_Locale) Getdata(name string) []byte {
+	return p.getdata(p.domain, name)
+}
+
+func (p *_Locale) DGetdata(domain, name string) []byte {
+	return p.getdata(domain, name)
+}
+
+func (p *_Locale) gettext(domain, msgctxt, msgid, msgidPlural string, n int) string {
+	if f, ok := p.trMap[p.makeTrMapKey(domain, p.lang)]; ok {
+		return f.PNGettext(msgctxt, msgid, msgidPlural, n)
+	}
+	return msgid
+}
+
+func (p *_Locale) getdata(domain, name string) []byte {
+	if data, err := p.fs.LoadResourceFile(domain, p.lang, name); err == nil {
+		return data
+	}
+	if p.lang != "default" {
+		if data, err := p.fs.LoadResourceFile(domain, "default", name); err == nil {
+			return data
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/chai2010/gettext-go/mo/doc.go b/vendor/github.com/chai2010/gettext-go/mo/doc.go
new file mode 100644
index 0000000000..5fefc18930
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/mo/doc.go
@@ -0,0 +1,74 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+Package mo provides support for reading and writing GNU MO file.
+
+Examples:
+	import (
+		"github.com/chai2010/gettext-go/mo"
+	)
+
+	func main() {
+		moFile, err := mo.LoadFile("test.mo")
+		if err != nil {
+			log.Fatal(err)
+		}
+		fmt.Printf("%v", moFile)
+	}
+
+GNU MO file struct:
+
+	        byte
+	             +------------------------------------------+
+	          0  | magic number = 0x950412de                |
+	             |                                          |
+	          4  | file format revision = 0                 |
+	             |                                          |
+	          8  | number of strings                        |  == N
+	             |                                          |
+	         12  | offset of table with original strings    |  == O
+	             |                                          |
+	         16  | offset of table with translation strings |  == T
+	             |                                          |
+	         20  | size of hashing table                    |  == S
+	             |                                          |
+	         24  | offset of hashing table                  |  == H
+	             |                                          |
+	             .                                          .
+	             .    (possibly more entries later)         .
+	             .                                          .
+	             |                                          |
+	          O  | length & offset 0th string  ----------------.
+	      O + 8  | length & offset 1st string  ------------------.
+	              ...                                    ...   | |
+	O + ((N-1)*8)| length & offset (N-1)th string           |  | |
+	             |                                          |  | |
+	          T  | length & offset 0th translation  ---------------.
+	      T + 8  | length & offset 1st translation  -----------------.
+	              ...                                    ...   | | | |
+	T + ((N-1)*8)| length & offset (N-1)th translation      |  | | | |
+	             |                                          |  | | | |
+	          H  | start hash table                         |  | | | |
+	              ...                                    ...   | | | |
+	  H + S * 4  | end hash table                           |  | | | |
+	             |                                          |  | | | |
+	             | NUL terminated 0th string  <----------------' | | |
+	             |                                          |    | | |
+	             | NUL terminated 1st string  <------------------' | |
+	             |                                          |      | |
+	              ...                                    ...       | |
+	             |                                          |      | |
+	             | NUL terminated 0th translation  <---------------' |
+	             |                                          |        |
+	             | NUL terminated 1st translation  <-----------------'
+	             |                                          |
+	              ...                                    ...
+	             |                                          |
+	             +------------------------------------------+
+
+The GNU MO file specification is at
+http://www.gnu.org/software/gettext/manual/html_node/MO-Files.html.
+*/
+package mo
diff --git a/vendor/github.com/chai2010/gettext-go/mo/encoder.go b/vendor/github.com/chai2010/gettext-go/mo/encoder.go
new file mode 100644
index 0000000000..f953fd3cb8
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/mo/encoder.go
@@ -0,0 +1,105 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package mo
+
+import (
+	"bytes"
+	"encoding/binary"
+	"sort"
+	"strings"
+)
+
+type moHeader struct {
+	MagicNumber  uint32
+	MajorVersion uint16
+	MinorVersion uint16
+	MsgIdCount   uint32
+	MsgIdOffset  uint32
+	MsgStrOffset uint32
+	HashSize     uint32
+	HashOffset   uint32
+}
+
+type moStrPos struct {
+	Size uint32 // must keep fields order
+	Addr uint32
+}
+
+func encodeFile(f *File) []byte {
+	hdr := &moHeader{
+		MagicNumber: MoMagicLittleEndian,
+	}
+	data := encodeData(hdr, f)
+	data = append(encodeHeader(hdr), data...)
+	return data
+}
+
+// encode data and init moHeader
+func encodeData(hdr *moHeader, f *File) []byte {
+	msgList := []Message{f.MimeHeader.toMessage()}
+	for _, v := range f.Messages {
+		if len(v.MsgId) == 0 {
+			continue
+		}
+		if len(v.MsgStr) == 0 && len(v.MsgStrPlural) == 0 {
+			continue
+		}
+		msgList = append(msgList, v)
+	}
+	sort.Slice(msgList, func(i, j int) bool {
+		return msgList[i].less(&msgList[j])
+	})
+
+	var buf bytes.Buffer
+	var msgIdPosList = make([]moStrPos, len(msgList))
+	var msgStrPosList = make([]moStrPos, len(msgList))
+	for i, v := range msgList {
+		// write msgid
+		msgId := encodeMsgId(v)
+		msgIdPosList[i].Addr = uint32(buf.Len() + MoHeaderSize)
+		msgIdPosList[i].Size = uint32(len(msgId))
+		buf.WriteString(msgId)
+		// write msgstr
+		msgStr := encodeMsgStr(v)
+		msgStrPosList[i].Addr = uint32(buf.Len() + MoHeaderSize)
+		msgStrPosList[i].Size = uint32(len(msgStr))
+		buf.WriteString(msgStr)
+	}
+
+	hdr.MsgIdOffset = uint32(buf.Len() + MoHeaderSize)
+	binary.Write(&buf, binary.LittleEndian, msgIdPosList)
+	hdr.MsgStrOffset = uint32(buf.Len() + MoHeaderSize)
+	binary.Write(&buf, binary.LittleEndian, msgStrPosList)
+
+	hdr.MsgIdCount = uint32(len(msgList))
+	return buf.Bytes()
+}
+
+// must called after encodeData
+func encodeHeader(hdr *moHeader) []byte {
+	var buf bytes.Buffer
+	binary.Write(&buf, binary.LittleEndian, hdr)
+	return buf.Bytes()
+}
+
+func encodeMsgId(v Message) string {
+	if v.MsgContext != "" && v.MsgIdPlural != "" {
+		return v.MsgContext + EotSeparator + v.MsgId + NulSeparator + v.MsgIdPlural
+	}
+	if v.MsgContext != "" && v.MsgIdPlural == "" {
+		return v.MsgContext + EotSeparator + v.MsgId
+	}
+	if v.MsgContext == "" && v.MsgIdPlural != "" {
+		return v.MsgId + NulSeparator + v.MsgIdPlural
+	}
+	return v.MsgId
+}
+
+func encodeMsgStr(v Message) string {
+	if v.MsgIdPlural != "" {
+		return strings.Join(v.MsgStrPlural, NulSeparator)
+	}
+	return v.MsgStr
+}
diff --git a/vendor/github.com/chai2010/gettext-go/mo/file.go b/vendor/github.com/chai2010/gettext-go/mo/file.go
new file mode 100644
index 0000000000..6f7ed161c1
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/mo/file.go
@@ -0,0 +1,197 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package mo
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"io/ioutil"
+	"strings"
+)
+
+const (
+	MoHeaderSize        = 28
+	MoMagicLittleEndian = 0x950412de
+	MoMagicBigEndian    = 0xde120495
+
+	EotSeparator = "\x04" // msgctxt and msgid separator
+	NulSeparator = "\x00" // msgid and msgstr separator
+)
+
+// File represents an MO File.
+//
+// See http://www.gnu.org/software/gettext/manual/html_node/MO-Files.html
+type File struct {
+	MagicNumber  uint32
+	MajorVersion uint16
+	MinorVersion uint16
+	MsgIdCount   uint32
+	MsgIdOffset  uint32
+	MsgStrOffset uint32
+	HashSize     uint32
+	HashOffset   uint32
+	MimeHeader   Header
+	Messages     []Message
+}
+
+// Load loads mo file format data.
+func Load(data []byte) (*File, error) {
+	return loadData(data)
+}
+
+// Load loads a named mo file.
+func LoadFile(path string) (*File, error) {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return loadData(data)
+}
+
+func loadData(data []byte) (*File, error) {
+	r := bytes.NewReader(data)
+
+	var magicNumber uint32
+	if err := binary.Read(r, binary.LittleEndian, &magicNumber); err != nil {
+		return nil, fmt.Errorf("gettext: %v", err)
+	}
+	var bo binary.ByteOrder
+	switch magicNumber {
+	case MoMagicLittleEndian:
+		bo = binary.LittleEndian
+	case MoMagicBigEndian:
+		bo = binary.BigEndian
+	default:
+		return nil, fmt.Errorf("gettext: %v", "invalid magic number")
+	}
+
+	var header struct {
+		MajorVersion uint16
+		MinorVersion uint16
+		MsgIdCount   uint32
+		MsgIdOffset  uint32
+		MsgStrOffset uint32
+		HashSize     uint32
+		HashOffset   uint32
+	}
+	if err := binary.Read(r, bo, &header); err != nil {
+		return nil, fmt.Errorf("gettext: %v", err)
+	}
+	if v := header.MajorVersion; v != 0 && v != 1 {
+		return nil, fmt.Errorf("gettext: %v", "invalid version number")
+	}
+	if v := header.MinorVersion; v != 0 && v != 1 {
+		return nil, fmt.Errorf("gettext: %v", "invalid version number")
+	}
+
+	msgIdStart := make([]uint32, header.MsgIdCount)
+	msgIdLen := make([]uint32, header.MsgIdCount)
+	if _, err := r.Seek(int64(header.MsgIdOffset), 0); err != nil {
+		return nil, fmt.Errorf("gettext: %v", err)
+	}
+	for i := 0; i < int(header.MsgIdCount); i++ {
+		if err := binary.Read(r, bo, &msgIdLen[i]); err != nil {
+			return nil, fmt.Errorf("gettext: %v", err)
+		}
+		if err := binary.Read(r, bo, &msgIdStart[i]); err != nil {
+			return nil, fmt.Errorf("gettext: %v", err)
+		}
+	}
+
+	msgStrStart := make([]int32, header.MsgIdCount)
+	msgStrLen := make([]int32, header.MsgIdCount)
+	if _, err := r.Seek(int64(header.MsgStrOffset), 0); err != nil {
+		return nil, fmt.Errorf("gettext: %v", err)
+	}
+	for i := 0; i < int(header.MsgIdCount); i++ {
+		if err := binary.Read(r, bo, &msgStrLen[i]); err != nil {
+			return nil, fmt.Errorf("gettext: %v", err)
+		}
+		if err := binary.Read(r, bo, &msgStrStart[i]); err != nil {
+			return nil, fmt.Errorf("gettext: %v", err)
+		}
+	}
+
+	file := &File{
+		MagicNumber:  magicNumber,
+		MajorVersion: header.MajorVersion,
+		MinorVersion: header.MinorVersion,
+		MsgIdCount:   header.MsgIdCount,
+		MsgIdOffset:  header.MsgIdOffset,
+		MsgStrOffset: header.MsgStrOffset,
+		HashSize:     header.HashSize,
+		HashOffset:   header.HashOffset,
+	}
+	for i := 0; i < int(header.MsgIdCount); i++ {
+		if _, err := r.Seek(int64(msgIdStart[i]), 0); err != nil {
+			return nil, fmt.Errorf("gettext: %v", err)
+		}
+		msgIdData := make([]byte, msgIdLen[i])
+		if _, err := r.Read(msgIdData); err != nil {
+			return nil, fmt.Errorf("gettext: %v", err)
+		}
+
+		if _, err := r.Seek(int64(msgStrStart[i]), 0); err != nil {
+			return nil, fmt.Errorf("gettext: %v", err)
+		}
+		msgStrData := make([]byte, msgStrLen[i])
+		if _, err := r.Read(msgStrData); err != nil {
+			return nil, fmt.Errorf("gettext: %v", err)
+		}
+
+		if len(msgIdData) == 0 {
+			var msg = Message{
+				MsgId:  string(msgIdData),
+				MsgStr: string(msgStrData),
+			}
+			file.MimeHeader.fromMessage(&msg)
+		} else {
+			var msg = Message{
+				MsgId:  string(msgIdData),
+				MsgStr: string(msgStrData),
+			}
+			// Is this a context message?
+			if idx := strings.Index(msg.MsgId, EotSeparator); idx != -1 {
+				msg.MsgContext, msg.MsgId = msg.MsgId[:idx], msg.MsgId[idx+1:]
+			}
+			// Is this a plural message?
+			if idx := strings.Index(msg.MsgId, NulSeparator); idx != -1 {
+				msg.MsgId, msg.MsgIdPlural = msg.MsgId[:idx], msg.MsgId[idx+1:]
+				msg.MsgStrPlural = strings.Split(msg.MsgStr, NulSeparator)
+				msg.MsgStr = ""
+			}
+			file.Messages = append(file.Messages, msg)
+		}
+	}
+
+	return file, nil
+}
+
+// Save saves a mo file.
+func (f *File) Save(name string) error {
+	return ioutil.WriteFile(name, f.Data(), 0666)
+}
+
+// Save returns a mo file format data.
+func (f *File) Data() []byte {
+	return encodeFile(f)
+}
+
+// String returns the po format file string.
+func (f *File) String() string {
+	var buf bytes.Buffer
+	fmt.Fprintf(&buf, "# version: %d.%d\n", f.MajorVersion, f.MinorVersion)
+	fmt.Fprintf(&buf, "%s\n", f.MimeHeader.String())
+	fmt.Fprintf(&buf, "\n")
+
+	for k, v := range f.Messages {
+		fmt.Fprintf(&buf, `msgid "%v"`+"\n", k)
+		fmt.Fprintf(&buf, `msgstr "%s"`+"\n", v.MsgStr)
+		fmt.Fprintf(&buf, "\n")
+	}
+
+	return buf.String()
+}
diff --git a/vendor/github.com/chai2010/gettext-go/mo/header.go b/vendor/github.com/chai2010/gettext-go/mo/header.go
new file mode 100644
index 0000000000..d8c7a5e3a3
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/mo/header.go
@@ -0,0 +1,109 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package mo
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+)
+
+// Header is the initial comments "SOME DESCRIPTIVE TITLE", "YEAR"
+// and "FIRST AUTHOR <EMAIL@ADDRESS>, YEAR" ought to be replaced by sensible information.
+//
+// See http://www.gnu.org/software/gettext/manual/html_node/Header-Entry.html#Header-Entry
+type Header struct {
+	ProjectIdVersion        string // Project-Id-Version: PACKAGE VERSION
+	ReportMsgidBugsTo       string // Report-Msgid-Bugs-To: FIRST AUTHOR <EMAIL@ADDRESS>
+	POTCreationDate         string // POT-Creation-Date: YEAR-MO-DA HO:MI+ZONE
+	PORevisionDate          string // PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE
+	LastTranslator          string // Last-Translator: FIRST AUTHOR <EMAIL@ADDRESS>
+	LanguageTeam            string // Language-Team: golang-china
+	Language                string // Language: zh_CN
+	MimeVersion             string // MIME-Version: 1.0
+	ContentType             string // Content-Type: text/plain; charset=UTF-8
+	ContentTransferEncoding string // Content-Transfer-Encoding: 8bit
+	PluralForms             string // Plural-Forms: nplurals=2; plural=n == 1 ? 0 : 1;
+	XGenerator              string // X-Generator: Poedit 1.5.5
+	UnknowFields            map[string]string
+}
+
+func (p *Header) fromMessage(msg *Message) {
+	if msg.MsgId != "" || msg.MsgStr == "" {
+		return
+	}
+	lines := strings.Split(msg.MsgStr, "\n")
+	for i := 0; i < len(lines); i++ {
+		idx := strings.Index(lines[i], ":")
+		if idx < 0 {
+			continue
+		}
+		key := strings.TrimSpace(lines[i][:idx])
+		val := strings.TrimSpace(lines[i][idx+1:])
+		switch strings.ToUpper(key) {
+		case strings.ToUpper("Project-Id-Version"):
+			p.ProjectIdVersion = val
+		case strings.ToUpper("Report-Msgid-Bugs-To"):
+			p.ReportMsgidBugsTo = val
+		case strings.ToUpper("POT-Creation-Date"):
+			p.POTCreationDate = val
+		case strings.ToUpper("PO-Revision-Date"):
+			p.PORevisionDate = val
+		case strings.ToUpper("Last-Translator"):
+			p.LastTranslator = val
+		case strings.ToUpper("Language-Team"):
+			p.LanguageTeam = val
+		case strings.ToUpper("Language"):
+			p.Language = val
+		case strings.ToUpper("MIME-Version"):
+			p.MimeVersion = val
+		case strings.ToUpper("Content-Type"):
+			p.ContentType = val
+		case strings.ToUpper("Content-Transfer-Encoding"):
+			p.ContentTransferEncoding = val
+		case strings.ToUpper("Plural-Forms"):
+			p.PluralForms = val
+		case strings.ToUpper("X-Generator"):
+			p.XGenerator = val
+		default:
+			if p.UnknowFields == nil {
+				p.UnknowFields = make(map[string]string)
+			}
+			p.UnknowFields[key] = val
+		}
+	}
+}
+
+func (p *Header) toMessage() Message {
+	return Message{
+		MsgStr: p.String(),
+	}
+}
+
+// String returns the po format header string.
+func (p Header) String() string {
+	var buf bytes.Buffer
+	fmt.Fprintf(&buf, `msgid ""`+"\n")
+	fmt.Fprintf(&buf, `msgstr ""`+"\n")
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Project-Id-Version", p.ProjectIdVersion)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Report-Msgid-Bugs-To", p.ReportMsgidBugsTo)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "POT-Creation-Date", p.POTCreationDate)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "PO-Revision-Date", p.PORevisionDate)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Last-Translator", p.LastTranslator)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Language-Team", p.LanguageTeam)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Language", p.Language)
+	if p.MimeVersion != "" {
+		fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "MIME-Version", p.MimeVersion)
+	}
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Content-Type", p.ContentType)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Content-Transfer-Encoding", p.ContentTransferEncoding)
+	if p.XGenerator != "" {
+		fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "X-Generator", p.XGenerator)
+	}
+	for k, v := range p.UnknowFields {
+		fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", k, v)
+	}
+	return buf.String()
+}
diff --git a/vendor/github.com/chai2010/gettext-go/mo/message.go b/vendor/github.com/chai2010/gettext-go/mo/message.go
new file mode 100644
index 0000000000..b67bde0b70
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/mo/message.go
@@ -0,0 +1,52 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package mo
+
+import (
+	"bytes"
+	"fmt"
+)
+
+// A MO file is made up of many entries,
+// each entry holding the relation between an original untranslated string
+// and its corresponding translation.
+//
+// See http://www.gnu.org/software/gettext/manual/html_node/MO-Files.html
+type Message struct {
+	MsgContext   string   // msgctxt context
+	MsgId        string   // msgid untranslated-string
+	MsgIdPlural  string   // msgid_plural untranslated-string-plural
+	MsgStr       string   // msgstr translated-string
+	MsgStrPlural []string // msgstr[0] translated-string-case-0
+}
+
+// String returns the po format entry string.
+func (p Message) String() string {
+	var buf bytes.Buffer
+	fmt.Fprintf(&buf, "msgid %s", encodePoString(p.MsgId))
+	if p.MsgIdPlural != "" {
+		fmt.Fprintf(&buf, "msgid_plural %s", encodePoString(p.MsgIdPlural))
+	}
+	if p.MsgStr != "" {
+		fmt.Fprintf(&buf, "msgstr %s", encodePoString(p.MsgStr))
+	}
+	for i := 0; i < len(p.MsgStrPlural); i++ {
+		fmt.Fprintf(&buf, "msgstr[%d] %s", i, encodePoString(p.MsgStrPlural[i]))
+	}
+	return buf.String()
+}
+
+func (m_i *Message) less(m_j *Message) bool {
+	if a, b := m_i.MsgContext, m_j.MsgContext; a != b {
+		return a < b
+	}
+	if a, b := m_i.MsgId, m_j.MsgId; a != b {
+		return a < b
+	}
+	if a, b := m_i.MsgIdPlural, m_j.MsgIdPlural; a != b {
+		return a < b
+	}
+	return false
+}
diff --git a/vendor/github.com/chai2010/gettext-go/mo/util.go b/vendor/github.com/chai2010/gettext-go/mo/util.go
new file mode 100644
index 0000000000..3804511053
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/mo/util.go
@@ -0,0 +1,110 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package mo
+
+import (
+	"bytes"
+	"strings"
+)
+
+func decodePoString(text string) string {
+	lines := strings.Split(text, "\n")
+	for i := 0; i < len(lines); i++ {
+		left := strings.Index(lines[i], `"`)
+		right := strings.LastIndex(lines[i], `"`)
+		if left < 0 || right < 0 || left == right {
+			lines[i] = ""
+			continue
+		}
+		line := lines[i][left+1 : right]
+		data := make([]byte, 0, len(line))
+		for i := 0; i < len(line); i++ {
+			if line[i] != '\\' {
+				data = append(data, line[i])
+				continue
+			}
+			if i+1 >= len(line) {
+				break
+			}
+			switch line[i+1] {
+			case 'n': // \\n -> \n
+				data = append(data, '\n')
+				i++
+			case 't': // \\t -> \n
+				data = append(data, '\t')
+				i++
+			case '\\': // \\\ -> ?
+				data = append(data, '\\')
+				i++
+			}
+		}
+		lines[i] = string(data)
+	}
+	return strings.Join(lines, "")
+}
+
+func encodePoString(text string) string {
+	var buf bytes.Buffer
+	lines := strings.Split(text, "\n")
+	for i := 0; i < len(lines); i++ {
+		if lines[i] == "" {
+			if i != len(lines)-1 {
+				buf.WriteString(`"\n"` + "\n")
+			}
+			continue
+		}
+		buf.WriteRune('"')
+		for _, r := range lines[i] {
+			switch r {
+			case '\\':
+				buf.WriteString(`\\`)
+			case '"':
+				buf.WriteString(`\"`)
+			case '\n':
+				buf.WriteString(`\n`)
+			case '\t':
+				buf.WriteString(`\t`)
+			default:
+				buf.WriteRune(r)
+			}
+		}
+		buf.WriteString(`\n"` + "\n")
+	}
+	return buf.String()
+}
+
+func encodeCommentPoString(text string) string {
+	var buf bytes.Buffer
+	lines := strings.Split(text, "\n")
+	if len(lines) > 1 {
+		buf.WriteString(`""` + "\n")
+	}
+	for i := 0; i < len(lines); i++ {
+		if len(lines) > 0 {
+			buf.WriteString("#| ")
+		}
+		buf.WriteRune('"')
+		for _, r := range lines[i] {
+			switch r {
+			case '\\':
+				buf.WriteString(`\\`)
+			case '"':
+				buf.WriteString(`\"`)
+			case '\n':
+				buf.WriteString(`\n`)
+			case '\t':
+				buf.WriteString(`\t`)
+			default:
+				buf.WriteRune(r)
+			}
+		}
+		if i < len(lines)-1 {
+			buf.WriteString(`\n"` + "\n")
+		} else {
+			buf.WriteString(`"`)
+		}
+	}
+	return buf.String()
+}
diff --git a/vendor/github.com/chai2010/gettext-go/plural/doc.go b/vendor/github.com/chai2010/gettext-go/plural/doc.go
new file mode 100644
index 0000000000..31cb8fae9f
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/plural/doc.go
@@ -0,0 +1,36 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+Package plural provides standard plural formulas.
+
+Examples:
+	import (
+		"github.com/chai2010/gettext-go/plural"
+	)
+
+	func main() {
+		enFormula := plural.Formula("en_US")
+		xxFormula := plural.Formula("zh_CN")
+
+		fmt.Printf("%s: %d\n", "en", enFormula(0))
+		fmt.Printf("%s: %d\n", "en", enFormula(1))
+		fmt.Printf("%s: %d\n", "en", enFormula(2))
+		fmt.Printf("%s: %d\n", "??", xxFormula(0))
+		fmt.Printf("%s: %d\n", "??", xxFormula(1))
+		fmt.Printf("%s: %d\n", "??", xxFormula(2))
+		fmt.Printf("%s: %d\n", "??", xxFormula(9))
+		// Output:
+		// en: 0
+		// en: 0
+		// en: 1
+		// ??: 0
+		// ??: 0
+		// ??: 1
+		// ??: 8
+	}
+
+See http://www.gnu.org/software/gettext/manual/html_node/Plural-forms.html
+*/
+package plural
diff --git a/vendor/github.com/chai2010/gettext-go/plural/formula.go b/vendor/github.com/chai2010/gettext-go/plural/formula.go
new file mode 100644
index 0000000000..c92dc19ead
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/plural/formula.go
@@ -0,0 +1,181 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package plural
+
+import (
+	"strings"
+)
+
+// Formula provides the language's standard plural formula.
+func Formula(lang string) func(n int) int {
+	if idx := index(lang); idx != -1 {
+		return formulaTable[fmtForms(FormsTable[idx].Value)]
+	}
+	if idx := index("??"); idx != -1 {
+		return formulaTable[fmtForms(FormsTable[idx].Value)]
+	}
+	return func(n int) int {
+		return n
+	}
+}
+
+func index(lang string) int {
+	for i := 0; i < len(FormsTable); i++ {
+		if strings.HasPrefix(lang, FormsTable[i].Lang) {
+			return i
+		}
+	}
+	return -1
+}
+
+func fmtForms(forms string) string {
+	forms = strings.TrimSpace(forms)
+	forms = strings.Replace(forms, " ", "", -1)
+	return forms
+}
+
+var formulaTable = map[string]func(n int) int{
+	fmtForms("nplurals=n; plural=n-1;"): func(n int) int {
+		if n > 0 {
+			return n - 1
+		}
+		return 0
+	},
+	fmtForms("nplurals=1; plural=0;"): func(n int) int {
+		return 0
+	},
+	fmtForms("nplurals=2; plural=(n != 1);"): func(n int) int {
+		if n == 1 {
+			return 0
+		}
+		return 1
+	},
+	fmtForms("nplurals=2; plural=(n > 1);"): func(n int) int {
+		if n <= 1 {
+			return 0
+		}
+		return 1
+	},
+	fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : 2);"): func(n int) int {
+		if n%10 == 1 && n%100 != 11 {
+			return 0
+		}
+		if n != 0 {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=n==1 ? 0 : n==2 ? 1 : 2;"): func(n int) int {
+		if n == 1 {
+			return 0
+		}
+		if n == 2 {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < 20)) ? 1 : 2;"): func(n int) int {
+		if n == 1 {
+			return 0
+		}
+		if n == 0 || (n%100 > 0 && n%100 < 20) {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int {
+		if n%10 == 1 && n%100 != 11 {
+			return 0
+		}
+		if n%10 >= 2 && (n%100 < 10 || n%100 >= 20) {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int {
+		if n%10 == 1 && n%100 != 11 {
+			return 0
+		}
+		if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int {
+		if n%10 == 1 && n%100 != 11 {
+			return 0
+		}
+		if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int {
+		if n%10 == 1 && n%100 != 11 {
+			return 0
+		}
+		if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int {
+		if n%10 == 1 && n%100 != 11 {
+			return 0
+		}
+		if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int {
+		if n%10 == 1 && n%100 != 11 {
+			return 0
+		}
+		if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;"): func(n int) int {
+		if n == 1 {
+			return 0
+		}
+		if n >= 2 && n <= 4 {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;"): func(n int) int {
+		if n == 1 {
+			return 0
+		}
+		if n >= 2 && n <= 4 {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int {
+		if n == 1 {
+			return 0
+		}
+		if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) {
+			return 1
+		}
+		return 2
+	},
+	fmtForms("nplurals=4; plural=(n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || n%100==4 ? 2 : 3);"): func(n int) int {
+		if n%100 == 1 {
+			return 0
+		}
+		if n%100 == 2 {
+			return 1
+		}
+		if n%100 == 3 || n%100 == 4 {
+			return 2
+		}
+		return 3
+	},
+}
diff --git a/vendor/github.com/chai2010/gettext-go/plural/table.go b/vendor/github.com/chai2010/gettext-go/plural/table.go
new file mode 100644
index 0000000000..cdc50d2110
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/plural/table.go
@@ -0,0 +1,55 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package plural
+
+// FormsTable are standard hard-coded plural rules.
+// The application developers and the translators need to understand them.
+//
+// See GNU's gettext library source code: gettext/gettext-tools/src/plural-table.c
+var FormsTable = []struct {
+	Lang     string
+	Language string
+	Value    string
+}{
+	{"??", "Unknown", "nplurals=1; plural=0;"},
+	{"ja", "Japanese", "nplurals=1; plural=0;"},
+	{"vi", "Vietnamese", "nplurals=1; plural=0;"},
+	{"ko", "Korean", "nplurals=1; plural=0;"},
+	{"en", "English", "nplurals=2; plural=(n != 1);"},
+	{"de", "German", "nplurals=2; plural=(n != 1);"},
+	{"nl", "Dutch", "nplurals=2; plural=(n != 1);"},
+	{"sv", "Swedish", "nplurals=2; plural=(n != 1);"},
+	{"da", "Danish", "nplurals=2; plural=(n != 1);"},
+	{"no", "Norwegian", "nplurals=2; plural=(n != 1);"},
+	{"nb", "Norwegian Bokmal", "nplurals=2; plural=(n != 1);"},
+	{"nn", "Norwegian Nynorsk", "nplurals=2; plural=(n != 1);"},
+	{"fo", "Faroese", "nplurals=2; plural=(n != 1);"},
+	{"es", "Spanish", "nplurals=2; plural=(n != 1);"},
+	{"pt", "Portuguese", "nplurals=2; plural=(n != 1);"},
+	{"it", "Italian", "nplurals=2; plural=(n != 1);"},
+	{"bg", "Bulgarian", "nplurals=2; plural=(n != 1);"},
+	{"el", "Greek", "nplurals=2; plural=(n != 1);"},
+	{"fi", "Finnish", "nplurals=2; plural=(n != 1);"},
+	{"et", "Estonian", "nplurals=2; plural=(n != 1);"},
+	{"he", "Hebrew", "nplurals=2; plural=(n != 1);"},
+	{"eo", "Esperanto", "nplurals=2; plural=(n != 1);"},
+	{"hu", "Hungarian", "nplurals=2; plural=(n != 1);"},
+	{"tr", "Turkish", "nplurals=2; plural=(n != 1);"},
+	{"pt_BR", "Brazilian", "nplurals=2; plural=(n > 1);"},
+	{"fr", "French", "nplurals=2; plural=(n > 1);"},
+	{"lv", "Latvian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : 2);"},
+	{"ga", "Irish", "nplurals=3; plural=n==1 ? 0 : n==2 ? 1 : 2;"},
+	{"ro", "Romanian", "nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < 20)) ? 1 : 2;"},
+	{"lt", "Lithuanian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && (n%100<10 || n%100>=20) ? 1 : 2);"},
+	{"ru", "Russian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"},
+	{"uk", "Ukrainian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"},
+	{"be", "Belarusian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"},
+	{"sr", "Serbian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"},
+	{"hr", "Croatian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"},
+	{"cs", "Czech", "nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;"},
+	{"sk", "Slovak", "nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;"},
+	{"pl", "Polish", "nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"},
+	{"sl", "Slovenian", "nplurals=4; plural=(n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || n%100==4 ? 2 : 3);"},
+}
diff --git a/vendor/github.com/chai2010/gettext-go/po/comment.go b/vendor/github.com/chai2010/gettext-go/po/comment.go
new file mode 100644
index 0000000000..d4abe7c106
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/po/comment.go
@@ -0,0 +1,270 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package po
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"strconv"
+	"strings"
+)
+
+// Comment represents every message's comments.
+type Comment struct {
+	StartLine         int      // comment start line
+	TranslatorComment string   // #  translator-comments // TrimSpace
+	ExtractedComment  string   // #. extracted-comments
+	ReferenceFile     []string // #: src/msgcmp.c:338 src/po-lex.c:699
+	ReferenceLine     []int    // #: src/msgcmp.c:338 src/po-lex.c:699
+	Flags             []string // #, fuzzy,c-format,range:0..10
+	PrevMsgContext    string   // #| msgctxt previous-context
+	PrevMsgId         string   // #| msgid previous-untranslated-string
+}
+
+func (p *Comment) less(q *Comment) bool {
+	if p.StartLine != 0 || q.StartLine != 0 {
+		return p.StartLine < q.StartLine
+	}
+	if a, b := len(p.ReferenceFile), len(q.ReferenceFile); a != b {
+		return a < b
+	}
+	for i := 0; i < len(p.ReferenceFile); i++ {
+		if a, b := p.ReferenceFile[i], q.ReferenceFile[i]; a != b {
+			return a < b
+		}
+		if a, b := p.ReferenceLine[i], q.ReferenceLine[i]; a != b {
+			return a < b
+		}
+	}
+	return false
+}
+
+func (p *Comment) readPoComment(r *lineReader) (err error) {
+	*p = Comment{}
+	if err = r.skipBlankLine(); err != nil {
+		return err
+	}
+	defer func(oldPos int) {
+		newPos := r.currentPos()
+		if newPos != oldPos && err == io.EOF {
+			err = nil
+		}
+	}(r.currentPos())
+
+	p.StartLine = r.currentPos() + 1
+	for {
+		var s string
+		if s, _, err = r.currentLine(); err != nil {
+			return
+		}
+		if len(s) == 0 || s[0] != '#' {
+			return
+		}
+
+		if err = p.readTranslatorComment(r); err != nil {
+			return
+		}
+		if err = p.readExtractedComment(r); err != nil {
+			return
+		}
+		if err = p.readReferenceComment(r); err != nil {
+			return
+		}
+		if err = p.readFlagsComment(r); err != nil {
+			return
+		}
+		if err = p.readPrevMsgContext(r); err != nil {
+			return
+		}
+		if err = p.readPrevMsgId(r); err != nil {
+			return
+		}
+	}
+}
+
+func (p *Comment) readTranslatorComment(r *lineReader) (err error) {
+	const prefix = "# " // .,:|
+	for {
+		var s string
+		if s, _, err = r.readLine(); err != nil {
+			return err
+		}
+		if len(s) < 1 || s[0] != '#' {
+			r.unreadLine()
+			return nil
+		}
+		if len(s) >= 2 {
+			switch s[1] {
+			case '.', ',', ':', '|':
+				r.unreadLine()
+				return nil
+			}
+		}
+		if p.TranslatorComment != "" {
+			p.TranslatorComment += "\n"
+		}
+		p.TranslatorComment += strings.TrimSpace(s[1:])
+	}
+}
+
+func (p *Comment) readExtractedComment(r *lineReader) (err error) {
+	const prefix = "#."
+	for {
+		var s string
+		if s, _, err = r.readLine(); err != nil {
+			return err
+		}
+		if len(s) < len(prefix) || s[:len(prefix)] != prefix {
+			r.unreadLine()
+			return nil
+		}
+		if p.ExtractedComment != "" {
+			p.ExtractedComment += "\n"
+		}
+		p.ExtractedComment += strings.TrimSpace(s[len(prefix):])
+	}
+}
+
+func (p *Comment) readReferenceComment(r *lineReader) (err error) {
+	const prefix = "#:"
+	for {
+		var s string
+		if s, _, err = r.readLine(); err != nil {
+			return err
+		}
+		if len(s) < len(prefix) || s[:len(prefix)] != prefix {
+			r.unreadLine()
+			return nil
+		}
+		ss := strings.Split(strings.TrimSpace(s[len(prefix):]), " ")
+		for i := 0; i < len(ss); i++ {
+			idx := strings.Index(ss[i], ":")
+			if idx <= 0 {
+				continue
+			}
+			name := strings.TrimSpace(ss[i][:idx])
+			line, _ := strconv.Atoi(strings.TrimSpace(ss[i][idx+1:]))
+			p.ReferenceFile = append(p.ReferenceFile, name)
+			p.ReferenceLine = append(p.ReferenceLine, line)
+		}
+	}
+}
+
+func (p *Comment) readFlagsComment(r *lineReader) (err error) {
+	const prefix = "#,"
+	for {
+		var s string
+		if s, _, err = r.readLine(); err != nil {
+			return err
+		}
+		if len(s) < len(prefix) || s[:len(prefix)] != prefix {
+			r.unreadLine()
+			return nil
+		}
+		ss := strings.Split(strings.TrimSpace(s[len(prefix):]), ",")
+		for i := 0; i < len(ss); i++ {
+			p.Flags = append(p.Flags, strings.TrimSpace(ss[i]))
+		}
+	}
+}
+
+func (p *Comment) readPrevMsgContext(r *lineReader) (err error) {
+	var s string
+	if s, _, err = r.currentLine(); err != nil {
+		return
+	}
+	if !rePrevMsgContextComments.MatchString(s) {
+		return
+	}
+	p.PrevMsgContext, err = p.readString(r)
+	return
+}
+
+func (p *Comment) readPrevMsgId(r *lineReader) (err error) {
+	var s string
+	if s, _, err = r.currentLine(); err != nil {
+		return
+	}
+	if !rePrevMsgIdComments.MatchString(s) {
+		return
+	}
+	p.PrevMsgId, err = p.readString(r)
+	return
+}
+
+func (p *Comment) readString(r *lineReader) (msg string, err error) {
+	var s string
+	if s, _, err = r.readLine(); err != nil {
+		return
+	}
+	msg += decodePoString(s)
+	for {
+		if s, _, err = r.readLine(); err != nil {
+			return
+		}
+		if !reStringLineComments.MatchString(s) {
+			r.unreadLine()
+			break
+		}
+		msg += decodePoString(s)
+	}
+	return
+}
+
+// GetFuzzy gets the fuzzy flag.
+func (p *Comment) GetFuzzy() bool {
+	for _, s := range p.Flags {
+		if s == "fuzzy" {
+			return true
+		}
+	}
+	return false
+}
+
+// SetFuzzy sets the fuzzy flag.
+func (p *Comment) SetFuzzy(fuzzy bool) {
+	//
+}
+
+// String returns the po format comment string.
+func (p Comment) String() string {
+	var buf bytes.Buffer
+	if p.TranslatorComment != "" {
+		ss := strings.Split(p.TranslatorComment, "\n")
+		for i := 0; i < len(ss); i++ {
+			fmt.Fprintf(&buf, "# %s\n", ss[i])
+		}
+	}
+	if p.ExtractedComment != "" {
+		ss := strings.Split(p.ExtractedComment, "\n")
+		for i := 0; i < len(ss); i++ {
+			fmt.Fprintf(&buf, "#. %s\n", ss[i])
+		}
+	}
+	if a, b := len(p.ReferenceFile), len(p.ReferenceLine); a != 0 && a == b {
+		fmt.Fprintf(&buf, "#:")
+		for i := 0; i < len(p.ReferenceFile); i++ {
+			fmt.Fprintf(&buf, " %s:%d", p.ReferenceFile[i], p.ReferenceLine[i])
+		}
+		fmt.Fprintf(&buf, "\n")
+	}
+	if len(p.Flags) != 0 {
+		fmt.Fprintf(&buf, "#, %s", p.Flags[0])
+		for i := 1; i < len(p.Flags); i++ {
+			fmt.Fprintf(&buf, ", %s", p.Flags[i])
+		}
+		fmt.Fprintf(&buf, "\n")
+	}
+	if p.PrevMsgContext != "" {
+		s := encodeCommentPoString(p.PrevMsgContext)
+		fmt.Fprintf(&buf, "#| msgctxt %s\n", s)
+	}
+	if p.PrevMsgId != "" {
+		s := encodeCommentPoString(p.PrevMsgId)
+		fmt.Fprintf(&buf, "#| msgid %s\n", s)
+	}
+	return buf.String()
+}
diff --git a/vendor/github.com/chai2010/gettext-go/po/doc.go b/vendor/github.com/chai2010/gettext-go/po/doc.go
new file mode 100644
index 0000000000..6cfa2a24be
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/po/doc.go
@@ -0,0 +1,24 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+Package po provides support for reading and writing GNU PO file.
+
+Examples:
+	import (
+		"github.com/chai2010/gettext-go/po"
+	)
+
+	func main() {
+		poFile, err := po.LoadFile("test.po")
+		if err != nil {
+			log.Fatal(err)
+		}
+		fmt.Printf("%v", poFile)
+	}
+
+The GNU PO file specification is at
+http://www.gnu.org/software/gettext/manual/html_node/PO-Files.html.
+*/
+package po
diff --git a/vendor/github.com/chai2010/gettext-go/po/file.go b/vendor/github.com/chai2010/gettext-go/po/file.go
new file mode 100644
index 0000000000..4a122eeb8b
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/po/file.go
@@ -0,0 +1,81 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package po
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"sort"
+)
+
+// File represents an PO File.
+//
+// See http://www.gnu.org/software/gettext/manual/html_node/PO-Files.html
+type File struct {
+	MimeHeader Header
+	Messages   []Message
+}
+
+// Load loads po file format data.
+func Load(data []byte) (*File, error) {
+	return loadData(data)
+}
+
+// LoadFile loads a named po file.
+func LoadFile(path string) (*File, error) {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return loadData(data)
+}
+
+func loadData(data []byte) (*File, error) {
+	r := newLineReader(string(data))
+	var file File
+	for {
+		var msg Message
+		if err := msg.readPoEntry(r); err != nil {
+			if err == io.EOF {
+				return &file, nil
+			}
+			return nil, err
+		}
+		if msg.MsgId == "" {
+			file.MimeHeader.parseHeader(&msg)
+			continue
+		}
+		file.Messages = append(file.Messages, msg)
+	}
+}
+
+// Save saves a po file.
+func (f *File) Save(name string) error {
+	return ioutil.WriteFile(name, []byte(f.String()), 0666)
+}
+
+// Save returns a po file format data.
+func (f *File) Data() []byte {
+	// sort the massge as ReferenceFile/ReferenceLine field
+	var messages []Message
+	messages = append(messages, f.Messages...)
+	sort.Slice(messages, func(i, j int) bool {
+		return messages[i].less(&messages[j])
+	})
+
+	var buf bytes.Buffer
+	fmt.Fprintf(&buf, "%s\n", f.MimeHeader.String())
+	for i := 0; i < len(messages); i++ {
+		fmt.Fprintf(&buf, "%s\n", messages[i].String())
+	}
+	return buf.Bytes()
+}
+
+// String returns the po format file string.
+func (f *File) String() string {
+	return string(f.Data())
+}
diff --git a/vendor/github.com/chai2010/gettext-go/po/header.go b/vendor/github.com/chai2010/gettext-go/po/header.go
new file mode 100644
index 0000000000..a9b5b6671b
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/po/header.go
@@ -0,0 +1,106 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package po
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+)
+
+// Header is the initial comments "SOME DESCRIPTIVE TITLE", "YEAR"
+// and "FIRST AUTHOR <EMAIL@ADDRESS>, YEAR" ought to be replaced by sensible information.
+//
+// See http://www.gnu.org/software/gettext/manual/html_node/Header-Entry.html#Header-Entry
+type Header struct {
+	Comment                        // Header Comments
+	ProjectIdVersion        string // Project-Id-Version: PACKAGE VERSION
+	ReportMsgidBugsTo       string // Report-Msgid-Bugs-To: FIRST AUTHOR <EMAIL@ADDRESS>
+	POTCreationDate         string // POT-Creation-Date: YEAR-MO-DA HO:MI+ZONE
+	PORevisionDate          string // PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE
+	LastTranslator          string // Last-Translator: FIRST AUTHOR <EMAIL@ADDRESS>
+	LanguageTeam            string // Language-Team: golang-china
+	Language                string // Language: zh_CN
+	MimeVersion             string // MIME-Version: 1.0
+	ContentType             string // Content-Type: text/plain; charset=UTF-8
+	ContentTransferEncoding string // Content-Transfer-Encoding: 8bit
+	PluralForms             string // Plural-Forms: nplurals=2; plural=n == 1 ? 0 : 1;
+	XGenerator              string // X-Generator: Poedit 1.5.5
+	UnknowFields            map[string]string
+}
+
+func (p *Header) parseHeader(msg *Message) {
+	if msg.MsgId != "" || msg.MsgStr == "" {
+		return
+	}
+	lines := strings.Split(msg.MsgStr, "\n")
+	for i := 0; i < len(lines); i++ {
+		idx := strings.Index(lines[i], ":")
+		if idx < 0 {
+			continue
+		}
+		key := strings.TrimSpace(lines[i][:idx])
+		val := strings.TrimSpace(lines[i][idx+1:])
+		switch strings.ToUpper(key) {
+		case strings.ToUpper("Project-Id-Version"):
+			p.ProjectIdVersion = val
+		case strings.ToUpper("Report-Msgid-Bugs-To"):
+			p.ReportMsgidBugsTo = val
+		case strings.ToUpper("POT-Creation-Date"):
+			p.POTCreationDate = val
+		case strings.ToUpper("PO-Revision-Date"):
+			p.PORevisionDate = val
+		case strings.ToUpper("Last-Translator"):
+			p.LastTranslator = val
+		case strings.ToUpper("Language-Team"):
+			p.LanguageTeam = val
+		case strings.ToUpper("Language"):
+			p.Language = val
+		case strings.ToUpper("MIME-Version"):
+			p.MimeVersion = val
+		case strings.ToUpper("Content-Type"):
+			p.ContentType = val
+		case strings.ToUpper("Content-Transfer-Encoding"):
+			p.ContentTransferEncoding = val
+		case strings.ToUpper("Plural-Forms"):
+			p.PluralForms = val
+		case strings.ToUpper("X-Generator"):
+			p.XGenerator = val
+		default:
+			if p.UnknowFields == nil {
+				p.UnknowFields = make(map[string]string)
+			}
+			p.UnknowFields[key] = val
+		}
+	}
+	p.Comment = msg.Comment
+}
+
+// String returns the po format header string.
+func (p Header) String() string {
+	var buf bytes.Buffer
+	fmt.Fprintf(&buf, "%s", p.Comment.String())
+	fmt.Fprintf(&buf, `msgid ""`+"\n")
+	fmt.Fprintf(&buf, `msgstr ""`+"\n")
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Project-Id-Version", p.ProjectIdVersion)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Report-Msgid-Bugs-To", p.ReportMsgidBugsTo)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "POT-Creation-Date", p.POTCreationDate)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "PO-Revision-Date", p.PORevisionDate)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Last-Translator", p.LastTranslator)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Language-Team", p.LanguageTeam)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Language", p.Language)
+	if p.MimeVersion != "" {
+		fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "MIME-Version", p.MimeVersion)
+	}
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Content-Type", p.ContentType)
+	fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Content-Transfer-Encoding", p.ContentTransferEncoding)
+	if p.XGenerator != "" {
+		fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "X-Generator", p.XGenerator)
+	}
+	for k, v := range p.UnknowFields {
+		fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", k, v)
+	}
+	return buf.String()
+}
diff --git a/vendor/github.com/chai2010/gettext-go/po/line_reader.go b/vendor/github.com/chai2010/gettext-go/po/line_reader.go
new file mode 100644
index 0000000000..8597273a2b
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/po/line_reader.go
@@ -0,0 +1,62 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package po
+
+import (
+	"io"
+	"strings"
+)
+
+type lineReader struct {
+	lines []string
+	pos   int
+}
+
+func newLineReader(data string) *lineReader {
+	data = strings.Replace(data, "\r", "", -1)
+	lines := strings.Split(data, "\n")
+	return &lineReader{lines: lines}
+}
+
+func (r *lineReader) skipBlankLine() error {
+	for ; r.pos < len(r.lines); r.pos++ {
+		if strings.TrimSpace(r.lines[r.pos]) != "" {
+			break
+		}
+	}
+	if r.pos >= len(r.lines) {
+		return io.EOF
+	}
+	return nil
+}
+
+func (r *lineReader) currentPos() int {
+	return r.pos
+}
+
+func (r *lineReader) currentLine() (s string, pos int, err error) {
+	if r.pos >= len(r.lines) {
+		err = io.EOF
+		return
+	}
+	s, pos = r.lines[r.pos], r.pos
+	return
+}
+
+func (r *lineReader) readLine() (s string, pos int, err error) {
+	if r.pos >= len(r.lines) {
+		err = io.EOF
+		return
+	}
+	s, pos = r.lines[r.pos], r.pos
+	r.pos++
+	return
+}
+
+func (r *lineReader) unreadLine() {
+	if r.pos >= 0 {
+		r.pos--
+	}
+}
diff --git a/vendor/github.com/chai2010/gettext-go/po/message.go b/vendor/github.com/chai2010/gettext-go/po/message.go
new file mode 100644
index 0000000000..39936dcc7b
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/po/message.go
@@ -0,0 +1,193 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package po
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"strconv"
+	"strings"
+)
+
+// A PO file is made up of many entries,
+// each entry holding the relation between an original untranslated string
+// and its corresponding translation.
+//
+// See http://www.gnu.org/software/gettext/manual/html_node/PO-Files.html
+type Message struct {
+	Comment               // Coments
+	MsgContext   string   // msgctxt context
+	MsgId        string   // msgid untranslated-string
+	MsgIdPlural  string   // msgid_plural untranslated-string-plural
+	MsgStr       string   // msgstr translated-string
+	MsgStrPlural []string // msgstr[0] translated-string-case-0
+}
+
+func (p *Message) less(q *Message) bool {
+	if p.Comment.less(&q.Comment) {
+		return true
+	}
+	if a, b := p.MsgContext, q.MsgContext; a != b {
+		return a < b
+	}
+	if a, b := p.MsgId, q.MsgId; a != b {
+		return a < b
+	}
+	if a, b := p.MsgIdPlural, q.MsgIdPlural; a != b {
+		return a < b
+	}
+	return false
+}
+
+func (p *Message) readPoEntry(r *lineReader) (err error) {
+	*p = Message{}
+	if err = r.skipBlankLine(); err != nil {
+		return
+	}
+	defer func(oldPos int) {
+		newPos := r.currentPos()
+		if newPos != oldPos && err == io.EOF {
+			err = nil
+		}
+	}(r.currentPos())
+
+	if err = p.Comment.readPoComment(r); err != nil {
+		return
+	}
+	for {
+		var s string
+		if s, _, err = r.currentLine(); err != nil {
+			return
+		}
+
+		if p.isInvalidLine(s) {
+			err = fmt.Errorf("gettext: line %d, %v", r.currentPos(), "invalid line")
+			return
+		}
+		if reComment.MatchString(s) || reBlankLine.MatchString(s) {
+			return
+		}
+
+		if err = p.readMsgContext(r); err != nil {
+			return
+		}
+		if err = p.readMsgId(r); err != nil {
+			return
+		}
+		if err = p.readMsgIdPlural(r); err != nil {
+			return
+		}
+		if err = p.readMsgStrOrPlural(r); err != nil {
+			return
+		}
+	}
+}
+
+func (p *Message) readMsgContext(r *lineReader) (err error) {
+	var s string
+	if s, _, err = r.currentLine(); err != nil {
+		return
+	}
+	if !reMsgContext.MatchString(s) {
+		return
+	}
+	p.MsgContext, err = p.readString(r)
+	return
+}
+
+func (p *Message) readMsgId(r *lineReader) (err error) {
+	var s string
+	if s, _, err = r.currentLine(); err != nil {
+		return
+	}
+	if !reMsgId.MatchString(s) {
+		return
+	}
+	p.MsgId, err = p.readString(r)
+	return
+}
+
+func (p *Message) readMsgIdPlural(r *lineReader) (err error) {
+	var s string
+	if s, _, err = r.currentLine(); err != nil {
+		return
+	}
+	if !reMsgIdPlural.MatchString(s) {
+		return
+	}
+	p.MsgIdPlural, err = p.readString(r)
+	return nil
+}
+
+func (p *Message) readMsgStrOrPlural(r *lineReader) (err error) {
+	var s string
+	if s, _, err = r.currentLine(); err != nil {
+		return
+	}
+	if !reMsgStr.MatchString(s) && !reMsgStrPlural.MatchString(s) {
+		return
+	}
+	if reMsgStrPlural.MatchString(s) {
+		left, right := strings.Index(s, `[`), strings.LastIndex(s, `]`)
+		idx, _ := strconv.Atoi(s[left+1 : right])
+		s, err = p.readString(r)
+		if n := len(p.MsgStrPlural); (idx + 1) > n {
+			p.MsgStrPlural = append(p.MsgStrPlural, make([]string, (idx+1)-n)...)
+		}
+		p.MsgStrPlural[idx] = s
+	} else {
+		p.MsgStr, err = p.readString(r)
+	}
+	return nil
+}
+
+func (p *Message) readString(r *lineReader) (msg string, err error) {
+	var s string
+	if s, _, err = r.readLine(); err != nil {
+		return
+	}
+	msg += decodePoString(s)
+	for {
+		if s, _, err = r.readLine(); err != nil {
+			return
+		}
+		if !reStringLine.MatchString(s) {
+			r.unreadLine()
+			break
+		}
+		msg += decodePoString(s)
+	}
+	return
+}
+
+// String returns the po format entry string.
+func (p Message) String() string {
+	var buf bytes.Buffer
+	fmt.Fprintf(&buf, "%s", p.Comment.String())
+	if p.MsgContext != "" {
+		fmt.Fprintf(&buf, "msgctxt %s", encodePoString(p.MsgContext))
+	}
+	fmt.Fprintf(&buf, "msgid %s", encodePoString(p.MsgId))
+	if p.MsgIdPlural != "" {
+		fmt.Fprintf(&buf, "msgid_plural %s", encodePoString(p.MsgIdPlural))
+	}
+	if len(p.MsgStrPlural) == 0 {
+		if p.MsgStr != "" {
+			fmt.Fprintf(&buf, "msgstr %s", encodePoString(p.MsgStr))
+		} else {
+			fmt.Fprintf(&buf, "msgstr %s", `""`+"\n")
+		}
+	} else {
+		for i := 0; i < len(p.MsgStrPlural); i++ {
+			if p.MsgStrPlural[i] != "" {
+				fmt.Fprintf(&buf, "msgstr[%d] %s", i, encodePoString(p.MsgStrPlural[i]))
+			} else {
+				fmt.Fprintf(&buf, "msgstr[%d] %s", i, `""`+"\n")
+			}
+		}
+	}
+	return buf.String()
+}
diff --git a/vendor/github.com/chai2010/gettext-go/po/re.go b/vendor/github.com/chai2010/gettext-go/po/re.go
new file mode 100644
index 0000000000..67c240a57b
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/po/re.go
@@ -0,0 +1,58 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package po
+
+import (
+	"regexp"
+)
+
+var (
+	reComment                = regexp.MustCompile(`^#`)              // #
+	reExtractedComments      = regexp.MustCompile(`^#\.`)            // #.
+	reReferenceComments      = regexp.MustCompile(`^#:`)             // #:
+	reFlagsComments          = regexp.MustCompile(`^#,`)             // #, fuzzy,c-format
+	rePrevMsgContextComments = regexp.MustCompile(`^#\|\s+msgctxt`)  // #| msgctxt
+	rePrevMsgIdComments      = regexp.MustCompile(`^#\|\s+msgid`)    // #| msgid
+	reStringLineComments     = regexp.MustCompile(`^#\|\s+".*"\s*$`) // #| "message"
+
+	reMsgContext   = regexp.MustCompile(`^msgctxt\s+".*"\s*$`)            // msgctxt
+	reMsgId        = regexp.MustCompile(`^msgid\s+".*"\s*$`)              // msgid
+	reMsgIdPlural  = regexp.MustCompile(`^msgid_plural\s+".*"\s*$`)       // msgid_plural
+	reMsgStr       = regexp.MustCompile(`^msgstr\s*".*"\s*$`)             // msgstr
+	reMsgStrPlural = regexp.MustCompile(`^msgstr\s*(\[\d+\])\s*".*"\s*$`) // msgstr[0]
+	reStringLine   = regexp.MustCompile(`^\s*".*"\s*$`)                   // "message"
+	reBlankLine    = regexp.MustCompile(`^\s*$`)                          //
+)
+
+func (p *Message) isInvalidLine(s string) bool {
+	if reComment.MatchString(s) {
+		return false
+	}
+	if reBlankLine.MatchString(s) {
+		return false
+	}
+
+	if reMsgContext.MatchString(s) {
+		return false
+	}
+	if reMsgId.MatchString(s) {
+		return false
+	}
+	if reMsgIdPlural.MatchString(s) {
+		return false
+	}
+	if reMsgStr.MatchString(s) {
+		return false
+	}
+	if reMsgStrPlural.MatchString(s) {
+		return false
+	}
+
+	if reStringLine.MatchString(s) {
+		return false
+	}
+
+	return true
+}
diff --git a/vendor/github.com/chai2010/gettext-go/po/util.go b/vendor/github.com/chai2010/gettext-go/po/util.go
new file mode 100644
index 0000000000..1a0928b111
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/po/util.go
@@ -0,0 +1,121 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package po
+
+import (
+	"bytes"
+	"strings"
+)
+
+func decodePoString(text string) string {
+	lines := strings.Split(text, "\n")
+	for i := 0; i < len(lines); i++ {
+		left := strings.Index(lines[i], `"`)
+		right := strings.LastIndex(lines[i], `"`)
+		if left < 0 || right < 0 || left == right {
+			lines[i] = ""
+			continue
+		}
+		line := lines[i][left+1 : right]
+		data := make([]byte, 0, len(line))
+		for i := 0; i < len(line); i++ {
+			if line[i] != '\\' {
+				data = append(data, line[i])
+				continue
+			}
+			if i+1 >= len(line) {
+				break
+			}
+			switch line[i+1] {
+			case 'r': // \\r -> \r
+				data = append(data, '\r')
+				i++
+			case 'n': // \\n -> \n
+				data = append(data, '\n')
+				i++
+			case 't': // \\t -> \n
+				data = append(data, '\t')
+				i++
+			case '\\': // \\\ -> ?
+				data = append(data, '\\')
+				i++
+			}
+		}
+		lines[i] = string(data)
+	}
+	return strings.Join(lines, "")
+}
+
+func encodePoString(text string) string {
+	var buf bytes.Buffer
+	lines := strings.Split(text, "\n")
+	for i := 0; i < len(lines); i++ {
+		if lines[i] == "" {
+			if i != len(lines)-1 {
+				buf.WriteString(`"\n"` + "\n")
+			}
+			continue
+		}
+		buf.WriteRune('"')
+		for _, r := range lines[i] {
+			switch r {
+			case '\\':
+				buf.WriteString(`\\`)
+			case '"':
+				buf.WriteString(`\"`)
+			case '\r':
+				buf.WriteString(`\r`)
+			case '\n':
+				buf.WriteString(`\n`)
+			case '\t':
+				buf.WriteString(`\t`)
+			default:
+				buf.WriteRune(r)
+			}
+		}
+		if i < len(lines)-1 {
+			buf.WriteString(`\n"` + "\n")
+		} else {
+			buf.WriteString(`"` + "\n")
+		}
+	}
+	return buf.String()
+}
+
+func encodeCommentPoString(text string) string {
+	var buf bytes.Buffer
+	lines := strings.Split(text, "\n")
+	if len(lines) > 1 {
+		buf.WriteString(`""` + "\n")
+	}
+	for i := 0; i < len(lines); i++ {
+		if len(lines) > 0 {
+			buf.WriteString("#| ")
+		}
+		buf.WriteRune('"')
+		for _, r := range lines[i] {
+			switch r {
+			case '\\':
+				buf.WriteString(`\\`)
+			case '"':
+				buf.WriteString(`\"`)
+			case '\r':
+				buf.WriteString(`\r`)
+			case '\n':
+				buf.WriteString(`\n`)
+			case '\t':
+				buf.WriteString(`\t`)
+			default:
+				buf.WriteRune(r)
+			}
+		}
+		if i < len(lines)-1 {
+			buf.WriteString(`\n"` + "\n")
+		} else {
+			buf.WriteString(`"`)
+		}
+	}
+	return buf.String()
+}
diff --git a/vendor/github.com/chai2010/gettext-go/tr.go b/vendor/github.com/chai2010/gettext-go/tr.go
new file mode 100644
index 0000000000..5b9d08f426
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/tr.go
@@ -0,0 +1,175 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gettext
+
+import (
+	"encoding/json"
+
+	"github.com/chai2010/gettext-go/mo"
+	"github.com/chai2010/gettext-go/plural"
+	"github.com/chai2010/gettext-go/po"
+)
+
+var nilTranslator = &translator{
+	MessageMap:    make(map[string]mo.Message),
+	PluralFormula: plural.Formula("??"),
+}
+
+type translator struct {
+	MessageMap    map[string]mo.Message
+	PluralFormula func(n int) int
+}
+
+func newMoTranslator(name string, data []byte) (*translator, error) {
+	var (
+		f   *mo.File
+		err error
+	)
+	if len(data) != 0 {
+		f, err = mo.Load(data)
+	} else {
+		f, err = mo.LoadFile(name)
+	}
+	if err != nil {
+		return nil, err
+	}
+	var tr = &translator{
+		MessageMap: make(map[string]mo.Message),
+	}
+	for _, v := range f.Messages {
+		tr.MessageMap[tr.makeMapKey(v.MsgContext, v.MsgId)] = v
+	}
+	if lang := f.MimeHeader.Language; lang != "" {
+		tr.PluralFormula = plural.Formula(lang)
+	} else {
+		tr.PluralFormula = plural.Formula("??")
+	}
+	return tr, nil
+}
+
+func newPoTranslator(name string, data []byte) (*translator, error) {
+	var (
+		f   *po.File
+		err error
+	)
+	if len(data) != 0 {
+		f, err = po.Load(data)
+	} else {
+		f, err = po.LoadFile(name)
+	}
+	if err != nil {
+		return nil, err
+	}
+	var tr = &translator{
+		MessageMap: make(map[string]mo.Message),
+	}
+	for _, v := range f.Messages {
+		tr.MessageMap[tr.makeMapKey(v.MsgContext, v.MsgId)] = mo.Message{
+			MsgContext:   v.MsgContext,
+			MsgId:        v.MsgId,
+			MsgIdPlural:  v.MsgIdPlural,
+			MsgStr:       v.MsgStr,
+			MsgStrPlural: v.MsgStrPlural,
+		}
+	}
+	if lang := f.MimeHeader.Language; lang != "" {
+		tr.PluralFormula = plural.Formula(lang)
+	} else {
+		tr.PluralFormula = plural.Formula("??")
+	}
+	return tr, nil
+}
+
+func newJsonTranslator(lang, name string, jsonData []byte) (*translator, error) {
+	var msgList []struct {
+		MsgContext  string   `json:"msgctxt"`      // msgctxt context
+		MsgId       string   `json:"msgid"`        // msgid untranslated-string
+		MsgIdPlural string   `json:"msgid_plural"` // msgid_plural untranslated-string-plural
+		MsgStr      []string `json:"msgstr"`       // msgstr translated-string
+	}
+	if err := json.Unmarshal(jsonData, &msgList); err != nil {
+		return nil, err
+	}
+
+	var tr = &translator{
+		MessageMap:    make(map[string]mo.Message),
+		PluralFormula: plural.Formula(lang),
+	}
+
+	for _, v := range msgList {
+		var v_MsgStr string
+		var v_MsgStrPlural = v.MsgStr
+
+		if len(v.MsgStr) != 0 {
+			v_MsgStr = v.MsgStr[0]
+		}
+
+		tr.MessageMap[tr.makeMapKey(v.MsgContext, v.MsgId)] = mo.Message{
+			MsgContext:   v.MsgContext,
+			MsgId:        v.MsgId,
+			MsgIdPlural:  v.MsgIdPlural,
+			MsgStr:       v_MsgStr,
+			MsgStrPlural: v_MsgStrPlural,
+		}
+	}
+	return tr, nil
+}
+
+func (p *translator) PGettext(msgctxt, msgid string) string {
+	return p.findMsgStr(msgctxt, msgid)
+}
+
+func (p *translator) PNGettext(msgctxt, msgid, msgidPlural string, n int) string {
+	n = p.PluralFormula(n)
+	if ss := p.findMsgStrPlural(msgctxt, msgid, msgidPlural); len(ss) != 0 {
+		if n >= len(ss) {
+			n = len(ss) - 1
+		}
+		if ss[n] != "" {
+			return ss[n]
+		}
+	}
+	if msgidPlural != "" && n > 0 {
+		return msgidPlural
+	}
+	return msgid
+}
+
+func (p *translator) findMsgStr(msgctxt, msgid string) string {
+	key := p.makeMapKey(msgctxt, msgid)
+	if v, ok := p.MessageMap[key]; ok {
+		if v.MsgStr != "" {
+			return v.MsgStr
+		}
+	}
+	return msgid
+}
+
+func (p *translator) findMsgStrPlural(msgctxt, msgid, msgidPlural string) []string {
+	key := p.makeMapKey(msgctxt, msgid)
+	if v, ok := p.MessageMap[key]; ok {
+		if len(v.MsgIdPlural) != 0 {
+			if len(v.MsgStrPlural) != 0 {
+				return v.MsgStrPlural
+			} else {
+				return nil
+			}
+		} else {
+			if len(v.MsgStr) != 0 {
+				return []string{v.MsgStr}
+			} else {
+				return nil
+			}
+		}
+	}
+	return nil
+}
+
+func (p *translator) makeMapKey(msgctxt, msgid string) string {
+	if msgctxt != "" {
+		return msgctxt + mo.EotSeparator + msgid
+	}
+	return msgid
+}
diff --git a/vendor/github.com/chai2010/gettext-go/util.go b/vendor/github.com/chai2010/gettext-go/util.go
new file mode 100644
index 0000000000..b8269a605c
--- /dev/null
+++ b/vendor/github.com/chai2010/gettext-go/util.go
@@ -0,0 +1,34 @@
+// Copyright 2013 ChaiShushan <chaishushan{AT}gmail.com>. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gettext
+
+import (
+	"os"
+	"strings"
+)
+
+func getDefaultLanguage() string {
+	if v := os.Getenv("LC_MESSAGES"); v != "" {
+		return simplifiedLanguage(v)
+	}
+	if v := os.Getenv("LANG"); v != "" {
+		return simplifiedLanguage(v)
+	}
+	return "default"
+}
+
+func simplifiedLanguage(lang string) string {
+	// en_US/en_US.UTF-8/zh_CN/zh_TW/el_GR@euro/...
+	if idx := strings.Index(lang, ":"); idx != -1 {
+		lang = lang[:idx]
+	}
+	if idx := strings.Index(lang, "@"); idx != -1 {
+		lang = lang[:idx]
+	}
+	if idx := strings.Index(lang, "."); idx != -1 {
+		lang = lang[:idx]
+	}
+	return strings.TrimSpace(lang)
+}
diff --git a/vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go b/vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go
index f929ca6374..44db331868 100644
--- a/vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go
+++ b/vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
-// 	protoc        v5.29.1
+// 	protoc-gen-go v1.36.10
+// 	protoc        v5.29.3
 // source: xds/data/orca/v3/orca_load_report.proto
 
 package v3
@@ -12,6 +12,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -22,29 +23,26 @@ const (
 )
 
 type OrcaLoadReport struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	CpuUtilization float64 `protobuf:"fixed64,1,opt,name=cpu_utilization,json=cpuUtilization,proto3" json:"cpu_utilization,omitempty"`
-	MemUtilization float64 `protobuf:"fixed64,2,opt,name=mem_utilization,json=memUtilization,proto3" json:"mem_utilization,omitempty"`
+	state          protoimpl.MessageState `protogen:"open.v1"`
+	CpuUtilization float64                `protobuf:"fixed64,1,opt,name=cpu_utilization,json=cpuUtilization,proto3" json:"cpu_utilization,omitempty"`
+	MemUtilization float64                `protobuf:"fixed64,2,opt,name=mem_utilization,json=memUtilization,proto3" json:"mem_utilization,omitempty"`
 	// Deprecated: Marked as deprecated in xds/data/orca/v3/orca_load_report.proto.
 	Rps                    uint64             `protobuf:"varint,3,opt,name=rps,proto3" json:"rps,omitempty"`
-	RequestCost            map[string]float64 `protobuf:"bytes,4,rep,name=request_cost,json=requestCost,proto3" json:"request_cost,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"fixed64,2,opt,name=value,proto3"`
-	Utilization            map[string]float64 `protobuf:"bytes,5,rep,name=utilization,proto3" json:"utilization,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"fixed64,2,opt,name=value,proto3"`
+	RequestCost            map[string]float64 `protobuf:"bytes,4,rep,name=request_cost,json=requestCost,proto3" json:"request_cost,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"fixed64,2,opt,name=value"`
+	Utilization            map[string]float64 `protobuf:"bytes,5,rep,name=utilization,proto3" json:"utilization,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"fixed64,2,opt,name=value"`
 	RpsFractional          float64            `protobuf:"fixed64,6,opt,name=rps_fractional,json=rpsFractional,proto3" json:"rps_fractional,omitempty"`
 	Eps                    float64            `protobuf:"fixed64,7,opt,name=eps,proto3" json:"eps,omitempty"`
-	NamedMetrics           map[string]float64 `protobuf:"bytes,8,rep,name=named_metrics,json=namedMetrics,proto3" json:"named_metrics,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"fixed64,2,opt,name=value,proto3"`
+	NamedMetrics           map[string]float64 `protobuf:"bytes,8,rep,name=named_metrics,json=namedMetrics,proto3" json:"named_metrics,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"fixed64,2,opt,name=value"`
 	ApplicationUtilization float64            `protobuf:"fixed64,9,opt,name=application_utilization,json=applicationUtilization,proto3" json:"application_utilization,omitempty"`
+	unknownFields          protoimpl.UnknownFields
+	sizeCache              protoimpl.SizeCache
 }
 
 func (x *OrcaLoadReport) Reset() {
 	*x = OrcaLoadReport{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_xds_data_orca_v3_orca_load_report_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_xds_data_orca_v3_orca_load_report_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *OrcaLoadReport) String() string {
@@ -55,7 +53,7 @@ func (*OrcaLoadReport) ProtoMessage() {}
 
 func (x *OrcaLoadReport) ProtoReflect() protoreflect.Message {
 	mi := &file_xds_data_orca_v3_orca_load_report_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -136,86 +134,44 @@ func (x *OrcaLoadReport) GetApplicationUtilization() float64 {
 
 var File_xds_data_orca_v3_orca_load_report_proto protoreflect.FileDescriptor
 
-var file_xds_data_orca_v3_orca_load_report_proto_rawDesc = []byte{
-	0x0a, 0x27, 0x78, 0x64, 0x73, 0x2f, 0x64, 0x61, 0x74, 0x61, 0x2f, 0x6f, 0x72, 0x63, 0x61, 0x2f,
-	0x76, 0x33, 0x2f, 0x6f, 0x72, 0x63, 0x61, 0x5f, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x72, 0x65, 0x70,
-	0x6f, 0x72, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x78, 0x64, 0x73, 0x2e, 0x64,
-	0x61, 0x74, 0x61, 0x2e, 0x6f, 0x72, 0x63, 0x61, 0x2e, 0x76, 0x33, 0x1a, 0x17, 0x76, 0x61, 0x6c,
-	0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa6, 0x06, 0x0a, 0x0e, 0x4f, 0x72, 0x63, 0x61, 0x4c, 0x6f, 0x61,
-	0x64, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x37, 0x0a, 0x0f, 0x63, 0x70, 0x75, 0x5f, 0x75,
-	0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x01,
-	0x42, 0x0e, 0xfa, 0x42, 0x0b, 0x12, 0x09, 0x29, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x52, 0x0e, 0x63, 0x70, 0x75, 0x55, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x12, 0x40, 0x0a, 0x0f, 0x6d, 0x65, 0x6d, 0x5f, 0x75, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x01, 0x42, 0x17, 0xfa, 0x42, 0x14, 0x12, 0x12,
-	0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f, 0x29, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x52, 0x0e, 0x6d, 0x65, 0x6d, 0x55, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x03, 0x72, 0x70, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x04, 0x42,
-	0x02, 0x18, 0x01, 0x52, 0x03, 0x72, 0x70, 0x73, 0x12, 0x54, 0x0a, 0x0c, 0x72, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x73, 0x74, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31,
-	0x2e, 0x78, 0x64, 0x73, 0x2e, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x6f, 0x72, 0x63, 0x61, 0x2e, 0x76,
-	0x33, 0x2e, 0x4f, 0x72, 0x63, 0x61, 0x4c, 0x6f, 0x61, 0x64, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74,
-	0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x73, 0x74, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x52, 0x0b, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x73, 0x74, 0x12, 0x71,
-	0x0a, 0x0b, 0x75, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20,
-	0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x78, 0x64, 0x73, 0x2e, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x6f,
-	0x72, 0x63, 0x61, 0x2e, 0x76, 0x33, 0x2e, 0x4f, 0x72, 0x63, 0x61, 0x4c, 0x6f, 0x61, 0x64, 0x52,
-	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x55, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x42, 0x1c, 0xfa, 0x42, 0x19, 0x9a, 0x01, 0x16, 0x2a, 0x14,
-	0x12, 0x12, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f, 0x29, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x52, 0x0b, 0x75, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x12, 0x35, 0x0a, 0x0e, 0x72, 0x70, 0x73, 0x5f, 0x66, 0x72, 0x61, 0x63, 0x74, 0x69, 0x6f,
-	0x6e, 0x61, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x01, 0x42, 0x0e, 0xfa, 0x42, 0x0b, 0x12, 0x09,
-	0x29, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x0d, 0x72, 0x70, 0x73, 0x46, 0x72,
-	0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x12, 0x20, 0x0a, 0x03, 0x65, 0x70, 0x73, 0x18,
-	0x07, 0x20, 0x01, 0x28, 0x01, 0x42, 0x0e, 0xfa, 0x42, 0x0b, 0x12, 0x09, 0x29, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x03, 0x65, 0x70, 0x73, 0x12, 0x57, 0x0a, 0x0d, 0x6e, 0x61,
-	0x6d, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x32, 0x2e, 0x78, 0x64, 0x73, 0x2e, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x6f, 0x72, 0x63,
-	0x61, 0x2e, 0x76, 0x33, 0x2e, 0x4f, 0x72, 0x63, 0x61, 0x4c, 0x6f, 0x61, 0x64, 0x52, 0x65, 0x70,
-	0x6f, 0x72, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x64, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
-	0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x6e, 0x61, 0x6d, 0x65, 0x64, 0x4d, 0x65, 0x74, 0x72,
-	0x69, 0x63, 0x73, 0x12, 0x47, 0x0a, 0x17, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x5f, 0x75, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x09,
-	0x20, 0x01, 0x28, 0x01, 0x42, 0x0e, 0xfa, 0x42, 0x0b, 0x12, 0x09, 0x29, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x52, 0x16, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x55, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x3e, 0x0a, 0x10,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x43, 0x6f, 0x73, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79,
-	0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b,
-	0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x01, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x3e, 0x0a, 0x10,
-	0x55, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x74, 0x72, 0x79,
-	0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b,
-	0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x01, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x3f, 0x0a, 0x11,
-	0x4e, 0x61, 0x6d, 0x65, 0x64, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
-	0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x01, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x5d, 0x0a,
-	0x1b, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x78, 0x64, 0x73, 0x2e,
-	0x64, 0x61, 0x74, 0x61, 0x2e, 0x6f, 0x72, 0x63, 0x61, 0x2e, 0x76, 0x33, 0x42, 0x13, 0x4f, 0x72,
-	0x63, 0x61, 0x4c, 0x6f, 0x61, 0x64, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x50, 0x01, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
-	0x63, 0x6e, 0x63, 0x66, 0x2f, 0x78, 0x64, 0x73, 0x2f, 0x67, 0x6f, 0x2f, 0x78, 0x64, 0x73, 0x2f,
-	0x64, 0x61, 0x74, 0x61, 0x2f, 0x6f, 0x72, 0x63, 0x61, 0x2f, 0x76, 0x33, 0x62, 0x06, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33,
-}
+const file_xds_data_orca_v3_orca_load_report_proto_rawDesc = "" +
+	"\n" +
+	"'xds/data/orca/v3/orca_load_report.proto\x12\x10xds.data.orca.v3\x1a\x17validate/validate.proto\"\xa6\x06\n" +
+	"\x0eOrcaLoadReport\x127\n" +
+	"\x0fcpu_utilization\x18\x01 \x01(\x01B\x0e\xfaB\v\x12\t)\x00\x00\x00\x00\x00\x00\x00\x00R\x0ecpuUtilization\x12@\n" +
+	"\x0fmem_utilization\x18\x02 \x01(\x01B\x17\xfaB\x14\x12\x12\x19\x00\x00\x00\x00\x00\x00\xf0?)\x00\x00\x00\x00\x00\x00\x00\x00R\x0ememUtilization\x12\x14\n" +
+	"\x03rps\x18\x03 \x01(\x04B\x02\x18\x01R\x03rps\x12T\n" +
+	"\frequest_cost\x18\x04 \x03(\v21.xds.data.orca.v3.OrcaLoadReport.RequestCostEntryR\vrequestCost\x12q\n" +
+	"\vutilization\x18\x05 \x03(\v21.xds.data.orca.v3.OrcaLoadReport.UtilizationEntryB\x1c\xfaB\x19\x9a\x01\x16*\x14\x12\x12\x19\x00\x00\x00\x00\x00\x00\xf0?)\x00\x00\x00\x00\x00\x00\x00\x00R\vutilization\x125\n" +
+	"\x0erps_fractional\x18\x06 \x01(\x01B\x0e\xfaB\v\x12\t)\x00\x00\x00\x00\x00\x00\x00\x00R\rrpsFractional\x12 \n" +
+	"\x03eps\x18\a \x01(\x01B\x0e\xfaB\v\x12\t)\x00\x00\x00\x00\x00\x00\x00\x00R\x03eps\x12W\n" +
+	"\rnamed_metrics\x18\b \x03(\v22.xds.data.orca.v3.OrcaLoadReport.NamedMetricsEntryR\fnamedMetrics\x12G\n" +
+	"\x17application_utilization\x18\t \x01(\x01B\x0e\xfaB\v\x12\t)\x00\x00\x00\x00\x00\x00\x00\x00R\x16applicationUtilization\x1a>\n" +
+	"\x10RequestCostEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\x01R\x05value:\x028\x01\x1a>\n" +
+	"\x10UtilizationEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\x01R\x05value:\x028\x01\x1a?\n" +
+	"\x11NamedMetricsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\x01R\x05value:\x028\x01B]\n" +
+	"\x1bcom.github.xds.data.orca.v3B\x13OrcaLoadReportProtoP\x01Z'github.com/cncf/xds/go/xds/data/orca/v3b\x06proto3"
 
 var (
 	file_xds_data_orca_v3_orca_load_report_proto_rawDescOnce sync.Once
-	file_xds_data_orca_v3_orca_load_report_proto_rawDescData = file_xds_data_orca_v3_orca_load_report_proto_rawDesc
+	file_xds_data_orca_v3_orca_load_report_proto_rawDescData []byte
 )
 
 func file_xds_data_orca_v3_orca_load_report_proto_rawDescGZIP() []byte {
 	file_xds_data_orca_v3_orca_load_report_proto_rawDescOnce.Do(func() {
-		file_xds_data_orca_v3_orca_load_report_proto_rawDescData = protoimpl.X.CompressGZIP(file_xds_data_orca_v3_orca_load_report_proto_rawDescData)
+		file_xds_data_orca_v3_orca_load_report_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_xds_data_orca_v3_orca_load_report_proto_rawDesc), len(file_xds_data_orca_v3_orca_load_report_proto_rawDesc)))
 	})
 	return file_xds_data_orca_v3_orca_load_report_proto_rawDescData
 }
 
 var file_xds_data_orca_v3_orca_load_report_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
-var file_xds_data_orca_v3_orca_load_report_proto_goTypes = []interface{}{
+var file_xds_data_orca_v3_orca_load_report_proto_goTypes = []any{
 	(*OrcaLoadReport)(nil), // 0: xds.data.orca.v3.OrcaLoadReport
 	nil,                    // 1: xds.data.orca.v3.OrcaLoadReport.RequestCostEntry
 	nil,                    // 2: xds.data.orca.v3.OrcaLoadReport.UtilizationEntry
@@ -237,25 +193,11 @@ func file_xds_data_orca_v3_orca_load_report_proto_init() {
 	if File_xds_data_orca_v3_orca_load_report_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_xds_data_orca_v3_orca_load_report_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*OrcaLoadReport); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_xds_data_orca_v3_orca_load_report_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_xds_data_orca_v3_orca_load_report_proto_rawDesc), len(file_xds_data_orca_v3_orca_load_report_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -266,7 +208,6 @@ func file_xds_data_orca_v3_orca_load_report_proto_init() {
 		MessageInfos:      file_xds_data_orca_v3_orca_load_report_proto_msgTypes,
 	}.Build()
 	File_xds_data_orca_v3_orca_load_report_proto = out.File
-	file_xds_data_orca_v3_orca_load_report_proto_rawDesc = nil
 	file_xds_data_orca_v3_orca_load_report_proto_goTypes = nil
 	file_xds_data_orca_v3_orca_load_report_proto_depIdxs = nil
 }
diff --git a/vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.validate.go b/vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.validate.go
index 8dd55330ac..b9f63bc7d2 100644
--- a/vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.validate.go
+++ b/vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.validate.go
@@ -160,7 +160,7 @@ type OrcaLoadReportMultiError []error
 
 // Error returns a concatenation of all the error messages it wraps.
 func (m OrcaLoadReportMultiError) Error() string {
-	var msgs []string
+	msgs := make([]string, 0, len(m))
 	for _, err := range m {
 		msgs = append(msgs, err.Error())
 	}
diff --git a/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go b/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go
index 32e4a37bc8..35ac9b6f3a 100644
--- a/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go
+++ b/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.33.0
-// 	protoc        v5.29.1
+// 	protoc-gen-go v1.36.10
+// 	protoc        v5.29.3
 // source: xds/service/orca/v3/orca.proto
 
 package v3
@@ -13,6 +13,7 @@ import (
 	durationpb "google.golang.org/protobuf/types/known/durationpb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -23,21 +24,18 @@ const (
 )
 
 type OrcaLoadReportRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	ReportInterval   *durationpb.Duration `protobuf:"bytes,1,opt,name=report_interval,json=reportInterval,proto3" json:"report_interval,omitempty"`
-	RequestCostNames []string             `protobuf:"bytes,2,rep,name=request_cost_names,json=requestCostNames,proto3" json:"request_cost_names,omitempty"`
+	state            protoimpl.MessageState `protogen:"open.v1"`
+	ReportInterval   *durationpb.Duration   `protobuf:"bytes,1,opt,name=report_interval,json=reportInterval,proto3" json:"report_interval,omitempty"`
+	RequestCostNames []string               `protobuf:"bytes,2,rep,name=request_cost_names,json=requestCostNames,proto3" json:"request_cost_names,omitempty"`
+	unknownFields    protoimpl.UnknownFields
+	sizeCache        protoimpl.SizeCache
 }
 
 func (x *OrcaLoadReportRequest) Reset() {
 	*x = OrcaLoadReportRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_xds_service_orca_v3_orca_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_xds_service_orca_v3_orca_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *OrcaLoadReportRequest) String() string {
@@ -48,7 +46,7 @@ func (*OrcaLoadReportRequest) ProtoMessage() {}
 
 func (x *OrcaLoadReportRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_xds_service_orca_v3_orca_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -79,54 +77,30 @@ func (x *OrcaLoadReportRequest) GetRequestCostNames() []string {
 
 var File_xds_service_orca_v3_orca_proto protoreflect.FileDescriptor
 
-var file_xds_service_orca_v3_orca_proto_rawDesc = []byte{
-	0x0a, 0x1e, 0x78, 0x64, 0x73, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6f, 0x72,
-	0x63, 0x61, 0x2f, 0x76, 0x33, 0x2f, 0x6f, 0x72, 0x63, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x13, 0x78, 0x64, 0x73, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x6f, 0x72,
-	0x63, 0x61, 0x2e, 0x76, 0x33, 0x1a, 0x27, 0x78, 0x64, 0x73, 0x2f, 0x64, 0x61, 0x74, 0x61, 0x2f,
-	0x6f, 0x72, 0x63, 0x61, 0x2f, 0x76, 0x33, 0x2f, 0x6f, 0x72, 0x63, 0x61, 0x5f, 0x6c, 0x6f, 0x61,
-	0x64, 0x5f, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f,
-	0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x89,
-	0x01, 0x0a, 0x15, 0x4f, 0x72, 0x63, 0x61, 0x4c, 0x6f, 0x61, 0x64, 0x52, 0x65, 0x70, 0x6f, 0x72,
-	0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x42, 0x0a, 0x0f, 0x72, 0x65, 0x70, 0x6f,
-	0x72, 0x74, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0e, 0x72, 0x65,
-	0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x12, 0x2c, 0x0a, 0x12,
-	0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x73, 0x74, 0x5f, 0x6e, 0x61, 0x6d,
-	0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x43, 0x6f, 0x73, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x32, 0x75, 0x0a, 0x0e, 0x4f, 0x70,
-	0x65, 0x6e, 0x52, 0x63, 0x61, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x63, 0x0a, 0x11,
-	0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x43, 0x6f, 0x72, 0x65, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x73, 0x12, 0x2a, 0x2e, 0x78, 0x64, 0x73, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e,
-	0x6f, 0x72, 0x63, 0x61, 0x2e, 0x76, 0x33, 0x2e, 0x4f, 0x72, 0x63, 0x61, 0x4c, 0x6f, 0x61, 0x64,
-	0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e,
-	0x78, 0x64, 0x73, 0x2e, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x6f, 0x72, 0x63, 0x61, 0x2e, 0x76, 0x33,
-	0x2e, 0x4f, 0x72, 0x63, 0x61, 0x4c, 0x6f, 0x61, 0x64, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x30,
-	0x01, 0x42, 0x59, 0x0a, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
-	0x78, 0x64, 0x73, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x6f, 0x72, 0x63, 0x61,
-	0x2e, 0x76, 0x33, 0x42, 0x09, 0x4f, 0x72, 0x63, 0x61, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
-	0x5a, 0x2a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x6e, 0x63,
-	0x66, 0x2f, 0x78, 0x64, 0x73, 0x2f, 0x67, 0x6f, 0x2f, 0x78, 0x64, 0x73, 0x2f, 0x73, 0x65, 0x72,
-	0x76, 0x69, 0x63, 0x65, 0x2f, 0x6f, 0x72, 0x63, 0x61, 0x2f, 0x76, 0x33, 0x62, 0x06, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33,
-}
+const file_xds_service_orca_v3_orca_proto_rawDesc = "" +
+	"\n" +
+	"\x1exds/service/orca/v3/orca.proto\x12\x13xds.service.orca.v3\x1a'xds/data/orca/v3/orca_load_report.proto\x1a\x1egoogle/protobuf/duration.proto\"\x89\x01\n" +
+	"\x15OrcaLoadReportRequest\x12B\n" +
+	"\x0freport_interval\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\x0ereportInterval\x12,\n" +
+	"\x12request_cost_names\x18\x02 \x03(\tR\x10requestCostNames2u\n" +
+	"\x0eOpenRcaService\x12c\n" +
+	"\x11StreamCoreMetrics\x12*.xds.service.orca.v3.OrcaLoadReportRequest\x1a .xds.data.orca.v3.OrcaLoadReport0\x01BY\n" +
+	"\x1ecom.github.xds.service.orca.v3B\tOrcaProtoP\x01Z*github.com/cncf/xds/go/xds/service/orca/v3b\x06proto3"
 
 var (
 	file_xds_service_orca_v3_orca_proto_rawDescOnce sync.Once
-	file_xds_service_orca_v3_orca_proto_rawDescData = file_xds_service_orca_v3_orca_proto_rawDesc
+	file_xds_service_orca_v3_orca_proto_rawDescData []byte
 )
 
 func file_xds_service_orca_v3_orca_proto_rawDescGZIP() []byte {
 	file_xds_service_orca_v3_orca_proto_rawDescOnce.Do(func() {
-		file_xds_service_orca_v3_orca_proto_rawDescData = protoimpl.X.CompressGZIP(file_xds_service_orca_v3_orca_proto_rawDescData)
+		file_xds_service_orca_v3_orca_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_xds_service_orca_v3_orca_proto_rawDesc), len(file_xds_service_orca_v3_orca_proto_rawDesc)))
 	})
 	return file_xds_service_orca_v3_orca_proto_rawDescData
 }
 
 var file_xds_service_orca_v3_orca_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
-var file_xds_service_orca_v3_orca_proto_goTypes = []interface{}{
+var file_xds_service_orca_v3_orca_proto_goTypes = []any{
 	(*OrcaLoadReportRequest)(nil), // 0: xds.service.orca.v3.OrcaLoadReportRequest
 	(*durationpb.Duration)(nil),   // 1: google.protobuf.Duration
 	(*v3.OrcaLoadReport)(nil),     // 2: xds.data.orca.v3.OrcaLoadReport
@@ -147,25 +121,11 @@ func file_xds_service_orca_v3_orca_proto_init() {
 	if File_xds_service_orca_v3_orca_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_xds_service_orca_v3_orca_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*OrcaLoadReportRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_xds_service_orca_v3_orca_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_xds_service_orca_v3_orca_proto_rawDesc), len(file_xds_service_orca_v3_orca_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -176,7 +136,6 @@ func file_xds_service_orca_v3_orca_proto_init() {
 		MessageInfos:      file_xds_service_orca_v3_orca_proto_msgTypes,
 	}.Build()
 	File_xds_service_orca_v3_orca_proto = out.File
-	file_xds_service_orca_v3_orca_proto_rawDesc = nil
 	file_xds_service_orca_v3_orca_proto_goTypes = nil
 	file_xds_service_orca_v3_orca_proto_depIdxs = nil
 }
diff --git a/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.validate.go b/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.validate.go
index 8949e8372b..198b81a3d9 100644
--- a/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.validate.go
+++ b/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.validate.go
@@ -100,7 +100,7 @@ type OrcaLoadReportRequestMultiError []error
 
 // Error returns a concatenation of all the error messages it wraps.
 func (m OrcaLoadReportRequestMultiError) Error() string {
-	var msgs []string
+	msgs := make([]string, 0, len(m))
 	for _, err := range m {
 		msgs = append(msgs, err.Error())
 	}
diff --git a/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go b/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go
index 8a92439e07..f0666e2e14 100644
--- a/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go
+++ b/vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.3.0
-// - protoc             v5.29.1
+// - protoc-gen-go-grpc v1.5.1
+// - protoc             v5.29.3
 // source: xds/service/orca/v3/orca.proto
 
 package v3
@@ -16,8 +16,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.32.0 or later.
-const _ = grpc.SupportPackageIsVersion7
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	OpenRcaService_StreamCoreMetrics_FullMethodName = "/xds.service.orca.v3.OpenRcaService/StreamCoreMetrics"
@@ -27,7 +27,7 @@ const (
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type OpenRcaServiceClient interface {
-	StreamCoreMetrics(ctx context.Context, in *OrcaLoadReportRequest, opts ...grpc.CallOption) (OpenRcaService_StreamCoreMetricsClient, error)
+	StreamCoreMetrics(ctx context.Context, in *OrcaLoadReportRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[v3.OrcaLoadReport], error)
 }
 
 type openRcaServiceClient struct {
@@ -38,12 +38,13 @@ func NewOpenRcaServiceClient(cc grpc.ClientConnInterface) OpenRcaServiceClient {
 	return &openRcaServiceClient{cc}
 }
 
-func (c *openRcaServiceClient) StreamCoreMetrics(ctx context.Context, in *OrcaLoadReportRequest, opts ...grpc.CallOption) (OpenRcaService_StreamCoreMetricsClient, error) {
-	stream, err := c.cc.NewStream(ctx, &OpenRcaService_ServiceDesc.Streams[0], OpenRcaService_StreamCoreMetrics_FullMethodName, opts...)
+func (c *openRcaServiceClient) StreamCoreMetrics(ctx context.Context, in *OrcaLoadReportRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[v3.OrcaLoadReport], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &OpenRcaService_ServiceDesc.Streams[0], OpenRcaService_StreamCoreMetrics_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
-	x := &openRcaServiceStreamCoreMetricsClient{stream}
+	x := &grpc.GenericClientStream[OrcaLoadReportRequest, v3.OrcaLoadReport]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
@@ -53,37 +54,27 @@ func (c *openRcaServiceClient) StreamCoreMetrics(ctx context.Context, in *OrcaLo
 	return x, nil
 }
 
-type OpenRcaService_StreamCoreMetricsClient interface {
-	Recv() (*v3.OrcaLoadReport, error)
-	grpc.ClientStream
-}
-
-type openRcaServiceStreamCoreMetricsClient struct {
-	grpc.ClientStream
-}
-
-func (x *openRcaServiceStreamCoreMetricsClient) Recv() (*v3.OrcaLoadReport, error) {
-	m := new(v3.OrcaLoadReport)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type OpenRcaService_StreamCoreMetricsClient = grpc.ServerStreamingClient[v3.OrcaLoadReport]
 
 // OpenRcaServiceServer is the server API for OpenRcaService service.
 // All implementations should embed UnimplementedOpenRcaServiceServer
-// for forward compatibility
+// for forward compatibility.
 type OpenRcaServiceServer interface {
-	StreamCoreMetrics(*OrcaLoadReportRequest, OpenRcaService_StreamCoreMetricsServer) error
+	StreamCoreMetrics(*OrcaLoadReportRequest, grpc.ServerStreamingServer[v3.OrcaLoadReport]) error
 }
 
-// UnimplementedOpenRcaServiceServer should be embedded to have forward compatible implementations.
-type UnimplementedOpenRcaServiceServer struct {
-}
+// UnimplementedOpenRcaServiceServer should be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedOpenRcaServiceServer struct{}
 
-func (UnimplementedOpenRcaServiceServer) StreamCoreMetrics(*OrcaLoadReportRequest, OpenRcaService_StreamCoreMetricsServer) error {
+func (UnimplementedOpenRcaServiceServer) StreamCoreMetrics(*OrcaLoadReportRequest, grpc.ServerStreamingServer[v3.OrcaLoadReport]) error {
 	return status.Errorf(codes.Unimplemented, "method StreamCoreMetrics not implemented")
 }
+func (UnimplementedOpenRcaServiceServer) testEmbeddedByValue() {}
 
 // UnsafeOpenRcaServiceServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to OpenRcaServiceServer will
@@ -93,6 +84,13 @@ type UnsafeOpenRcaServiceServer interface {
 }
 
 func RegisterOpenRcaServiceServer(s grpc.ServiceRegistrar, srv OpenRcaServiceServer) {
+	// If the following call pancis, it indicates UnimplementedOpenRcaServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&OpenRcaService_ServiceDesc, srv)
 }
 
@@ -101,21 +99,11 @@ func _OpenRcaService_StreamCoreMetrics_Handler(srv interface{}, stream grpc.Serv
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
-	return srv.(OpenRcaServiceServer).StreamCoreMetrics(m, &openRcaServiceStreamCoreMetricsServer{stream})
-}
-
-type OpenRcaService_StreamCoreMetricsServer interface {
-	Send(*v3.OrcaLoadReport) error
-	grpc.ServerStream
+	return srv.(OpenRcaServiceServer).StreamCoreMetrics(m, &grpc.GenericServerStream[OrcaLoadReportRequest, v3.OrcaLoadReport]{ServerStream: stream})
 }
 
-type openRcaServiceStreamCoreMetricsServer struct {
-	grpc.ServerStream
-}
-
-func (x *openRcaServiceStreamCoreMetricsServer) Send(m *v3.OrcaLoadReport) error {
-	return x.ServerStream.SendMsg(m)
-}
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type OpenRcaService_StreamCoreMetricsServer = grpc.ServerStreamingServer[v3.OrcaLoadReport]
 
 // OpenRcaService_ServiceDesc is the grpc.ServiceDesc for OpenRcaService service.
 // It's only intended for direct use with grpc.RegisterService,
diff --git a/vendor/github.com/containerd/containerd/LICENSE b/vendor/github.com/containerd/containerd/LICENSE
new file mode 100644
index 0000000000..584149b6ee
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright The containerd Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/containerd/containerd/NOTICE b/vendor/github.com/containerd/containerd/NOTICE
new file mode 100644
index 0000000000..8915f02773
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/NOTICE
@@ -0,0 +1,16 @@
+Docker
+Copyright 2012-2015 Docker, Inc.
+
+This product includes software developed at Docker, Inc. (https://www.docker.com).
+
+The following is courtesy of our legal counsel:
+
+
+Use and transfer of Docker may be subject to certain restrictions by the
+United States and other governments.
+It is your responsibility to ensure that your use and/or transfer does not
+violate applicable laws.
+
+For more information, please see https://www.bis.doc.gov
+
+See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/vendor/github.com/containerd/containerd/archive/compression/compression.go b/vendor/github.com/containerd/containerd/archive/compression/compression.go
new file mode 100644
index 0000000000..3c152f2815
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/archive/compression/compression.go
@@ -0,0 +1,327 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package compression
+
+import (
+	"bufio"
+	"bytes"
+	"compress/gzip"
+	"context"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"strconv"
+	"sync"
+
+	"github.com/containerd/log"
+	"github.com/klauspost/compress/zstd"
+)
+
+type (
+	// Compression is the state represents if compressed or not.
+	Compression int
+)
+
+const (
+	// Uncompressed represents the uncompressed.
+	Uncompressed Compression = iota
+	// Gzip is gzip compression algorithm.
+	Gzip
+	// Zstd is zstd compression algorithm.
+	Zstd
+	// Unknown is used when a plugin handles the algorithm.
+	Unknown
+)
+
+const disablePigzEnv = "CONTAINERD_DISABLE_PIGZ"
+
+var (
+	initPigz   sync.Once
+	unpigzPath string
+)
+
+var (
+	bufioReader32KPool = &sync.Pool{
+		New: func() interface{} { return bufio.NewReaderSize(nil, 32*1024) },
+	}
+)
+
+// DecompressReadCloser include the stream after decompress and the compress method detected.
+type DecompressReadCloser interface {
+	io.ReadCloser
+	// GetCompression returns the compress method which is used before decompressing
+	GetCompression() Compression
+}
+
+type readCloserWrapper struct {
+	io.Reader
+	compression Compression
+	closer      func() error
+}
+
+func (r *readCloserWrapper) Close() error {
+	if r.closer != nil {
+		return r.closer()
+	}
+	return nil
+}
+
+func (r *readCloserWrapper) GetCompression() Compression {
+	return r.compression
+}
+
+type writeCloserWrapper struct {
+	io.Writer
+	closer func() error
+}
+
+func (w *writeCloserWrapper) Close() error {
+	if w.closer != nil {
+		w.closer()
+	}
+	return nil
+}
+
+type bufferedReader struct {
+	buf *bufio.Reader
+}
+
+func newBufferedReader(r io.Reader) *bufferedReader {
+	buf := bufioReader32KPool.Get().(*bufio.Reader)
+	buf.Reset(r)
+	return &bufferedReader{buf}
+}
+
+func (r *bufferedReader) Read(p []byte) (n int, err error) {
+	if r.buf == nil {
+		return 0, io.EOF
+	}
+	n, err = r.buf.Read(p)
+	if err == io.EOF {
+		r.buf.Reset(nil)
+		bufioReader32KPool.Put(r.buf)
+		r.buf = nil
+	}
+	return
+}
+
+func (r *bufferedReader) Peek(n int) ([]byte, error) {
+	if r.buf == nil {
+		return nil, io.EOF
+	}
+	return r.buf.Peek(n)
+}
+
+const (
+	zstdMagicSkippableStart = 0x184D2A50
+	zstdMagicSkippableMask  = 0xFFFFFFF0
+)
+
+var (
+	gzipMagic = []byte{0x1F, 0x8B, 0x08}
+	zstdMagic = []byte{0x28, 0xb5, 0x2f, 0xfd}
+)
+
+type matcher = func([]byte) bool
+
+func magicNumberMatcher(m []byte) matcher {
+	return func(source []byte) bool {
+		return bytes.HasPrefix(source, m)
+	}
+}
+
+// zstdMatcher detects zstd compression algorithm.
+// There are two frame formats defined by Zstandard: Zstandard frames and Skippable frames.
+// See https://tools.ietf.org/id/draft-kucherawy-dispatch-zstd-00.html#rfc.section.2 for more details.
+func zstdMatcher() matcher {
+	return func(source []byte) bool {
+		if bytes.HasPrefix(source, zstdMagic) {
+			// Zstandard frame
+			return true
+		}
+		// skippable frame
+		if len(source) < 8 {
+			return false
+		}
+		// magic number from 0x184D2A50 to 0x184D2A5F.
+		if binary.LittleEndian.Uint32(source[:4])&zstdMagicSkippableMask == zstdMagicSkippableStart {
+			return true
+		}
+		return false
+	}
+}
+
+// DetectCompression detects the compression algorithm of the source.
+func DetectCompression(source []byte) Compression {
+	for compression, fn := range map[Compression]matcher{
+		Gzip: magicNumberMatcher(gzipMagic),
+		Zstd: zstdMatcher(),
+	} {
+		if fn(source) {
+			return compression
+		}
+	}
+	return Uncompressed
+}
+
+// DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive.
+func DecompressStream(archive io.Reader) (DecompressReadCloser, error) {
+	buf := newBufferedReader(archive)
+	bs, err := buf.Peek(10)
+	if err != nil && err != io.EOF {
+		// Note: we'll ignore any io.EOF error because there are some odd
+		// cases where the layer.tar file will be empty (zero bytes) and
+		// that results in an io.EOF from the Peek() call. So, in those
+		// cases we'll just treat it as a non-compressed stream and
+		// that means just create an empty layer.
+		// See Issue docker/docker#18170
+		return nil, err
+	}
+
+	switch compression := DetectCompression(bs); compression {
+	case Uncompressed:
+		return &readCloserWrapper{
+			Reader:      buf,
+			compression: compression,
+		}, nil
+	case Gzip:
+		ctx, cancel := context.WithCancel(context.Background())
+		gzReader, err := gzipDecompress(ctx, buf)
+		if err != nil {
+			cancel()
+			return nil, err
+		}
+
+		return &readCloserWrapper{
+			Reader:      gzReader,
+			compression: compression,
+			closer: func() error {
+				cancel()
+				return gzReader.Close()
+			},
+		}, nil
+	case Zstd:
+		zstdReader, err := zstd.NewReader(buf)
+		if err != nil {
+			return nil, err
+		}
+		return &readCloserWrapper{
+			Reader:      zstdReader,
+			compression: compression,
+			closer: func() error {
+				zstdReader.Close()
+				return nil
+			},
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported compression format %s", (&compression).Extension())
+	}
+}
+
+// CompressStream compresses the dest with specified compression algorithm.
+func CompressStream(dest io.Writer, compression Compression) (io.WriteCloser, error) {
+	switch compression {
+	case Uncompressed:
+		return &writeCloserWrapper{dest, nil}, nil
+	case Gzip:
+		return gzip.NewWriter(dest), nil
+	case Zstd:
+		return zstd.NewWriter(dest)
+	default:
+		return nil, fmt.Errorf("unsupported compression format %s", (&compression).Extension())
+	}
+}
+
+// Extension returns the extension of a file that uses the specified compression algorithm.
+func (compression *Compression) Extension() string {
+	switch *compression {
+	case Gzip:
+		return "gz"
+	case Zstd:
+		return "zst"
+	case Unknown:
+		return "unknown"
+	}
+	return ""
+}
+
+func gzipDecompress(ctx context.Context, buf io.Reader) (io.ReadCloser, error) {
+	initPigz.Do(func() {
+		if unpigzPath = detectPigz(); unpigzPath != "" {
+			log.L.Debug("using pigz for decompression")
+		}
+	})
+
+	if unpigzPath == "" {
+		return gzip.NewReader(buf)
+	}
+
+	return cmdStream(exec.CommandContext(ctx, unpigzPath, "-d", "-c"), buf)
+}
+
+func cmdStream(cmd *exec.Cmd, in io.Reader) (io.ReadCloser, error) {
+	reader, writer := io.Pipe()
+
+	cmd.Stdin = in
+	cmd.Stdout = writer
+
+	var errBuf bytes.Buffer
+	cmd.Stderr = &errBuf
+
+	if err := cmd.Start(); err != nil {
+		return nil, err
+	}
+
+	go func() {
+		if err := cmd.Wait(); err != nil {
+			writer.CloseWithError(fmt.Errorf("%s: %s", err, errBuf.String()))
+		} else {
+			writer.Close()
+		}
+	}()
+
+	return reader, nil
+}
+
+func detectPigz() string {
+	path, err := exec.LookPath("unpigz")
+	if err != nil {
+		log.L.WithError(err).Debug("unpigz not found, falling back to go gzip")
+		return ""
+	}
+
+	// Check if pigz disabled via CONTAINERD_DISABLE_PIGZ env variable
+	value := os.Getenv(disablePigzEnv)
+	if value == "" {
+		return path
+	}
+
+	disable, err := strconv.ParseBool(value)
+	if err != nil {
+		log.L.WithError(err).Warnf("could not parse %s: %s", disablePigzEnv, value)
+		return path
+	}
+
+	if disable {
+		return ""
+	}
+
+	return path
+}
diff --git a/vendor/github.com/containerd/containerd/archive/compression/compression_fuzzer.go b/vendor/github.com/containerd/containerd/archive/compression/compression_fuzzer.go
new file mode 100644
index 0000000000..3516494ac0
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/archive/compression/compression_fuzzer.go
@@ -0,0 +1,28 @@
+//go:build gofuzz
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package compression
+
+import (
+	"bytes"
+)
+
+func FuzzDecompressStream(data []byte) int {
+	_, _ = DecompressStream(bytes.NewReader(data))
+	return 1
+}
diff --git a/vendor/github.com/containerd/containerd/content/adaptor.go b/vendor/github.com/containerd/containerd/content/adaptor.go
new file mode 100644
index 0000000000..88bad2610e
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/content/adaptor.go
@@ -0,0 +1,52 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package content
+
+import (
+	"strings"
+
+	"github.com/containerd/containerd/filters"
+)
+
+// AdaptInfo returns `filters.Adaptor` that handles `content.Info`.
+func AdaptInfo(info Info) filters.Adaptor {
+	return filters.AdapterFunc(func(fieldpath []string) (string, bool) {
+		if len(fieldpath) == 0 {
+			return "", false
+		}
+
+		switch fieldpath[0] {
+		case "digest":
+			return info.Digest.String(), true
+		case "size":
+			// TODO: support size based filtering
+		case "labels":
+			return checkMap(fieldpath[1:], info.Labels)
+		}
+
+		return "", false
+	})
+}
+
+func checkMap(fieldpath []string, m map[string]string) (string, bool) {
+	if len(m) == 0 {
+		return "", false
+	}
+
+	value, ok := m[strings.Join(fieldpath, ".")]
+	return value, ok
+}
diff --git a/vendor/github.com/containerd/containerd/content/content.go b/vendor/github.com/containerd/containerd/content/content.go
new file mode 100644
index 0000000000..2dc7bf8b52
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/content/content.go
@@ -0,0 +1,207 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package content
+
+import (
+	"context"
+	"io"
+	"time"
+
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Store combines the methods of content-oriented interfaces into a set that
+// are commonly provided by complete implementations.
+//
+// Overall content lifecycle:
+//   - Ingester is used to initiate a write operation (aka ingestion)
+//   - IngestManager is used to manage (e.g. list, abort) active ingestions
+//   - Once an ingestion is complete (see Writer.Commit), Provider is used to
+//     query a single piece of content by its digest
+//   - Manager is used to manage (e.g. list, delete) previously committed content
+//
+// Note that until ingestion is complete, its content is not visible through
+// Provider or Manager. Once ingestion is complete, it is no longer exposed
+// through IngestManager.
+type Store interface {
+	Manager
+	Provider
+	IngestManager
+	Ingester
+}
+
+// ReaderAt extends the standard io.ReaderAt interface with reporting of Size and io.Closer
+type ReaderAt interface {
+	io.ReaderAt
+	io.Closer
+	Size() int64
+}
+
+// Provider provides a reader interface for specific content
+type Provider interface {
+	// ReaderAt only requires desc.Digest to be set.
+	// Other fields in the descriptor may be used internally for resolving
+	// the location of the actual data.
+	ReaderAt(ctx context.Context, desc ocispec.Descriptor) (ReaderAt, error)
+}
+
+// Ingester writes content
+type Ingester interface {
+	// Writer initiates a writing operation (aka ingestion). A single ingestion
+	// is uniquely identified by its ref, provided using a WithRef option.
+	// Writer can be called multiple times with the same ref to access the same
+	// ingestion.
+	// Once all the data is written, use Writer.Commit to complete the ingestion.
+	Writer(ctx context.Context, opts ...WriterOpt) (Writer, error)
+}
+
+// IngestManager provides methods for managing ingestions. An ingestion is a
+// not-yet-complete writing operation initiated using Ingester and identified
+// by a ref string.
+type IngestManager interface {
+	// Status returns the status of the provided ref.
+	Status(ctx context.Context, ref string) (Status, error)
+
+	// ListStatuses returns the status of any active ingestions whose ref match
+	// the provided regular expression. If empty, all active ingestions will be
+	// returned.
+	ListStatuses(ctx context.Context, filters ...string) ([]Status, error)
+
+	// Abort completely cancels the ingest operation targeted by ref.
+	Abort(ctx context.Context, ref string) error
+}
+
+// Info holds content specific information
+type Info struct {
+	Digest    digest.Digest
+	Size      int64
+	CreatedAt time.Time
+	UpdatedAt time.Time
+	Labels    map[string]string
+}
+
+// Status of a content operation (i.e. an ingestion)
+type Status struct {
+	Ref       string
+	Offset    int64
+	Total     int64
+	Expected  digest.Digest
+	StartedAt time.Time
+	UpdatedAt time.Time
+}
+
+// WalkFunc defines the callback for a blob walk.
+type WalkFunc func(Info) error
+
+// InfoReaderProvider provides both info and reader for the specific content.
+type InfoReaderProvider interface {
+	InfoProvider
+	Provider
+}
+
+// InfoProvider provides info for content inspection.
+type InfoProvider interface {
+	// Info will return metadata about content available in the content store.
+	//
+	// If the content is not present, ErrNotFound will be returned.
+	Info(ctx context.Context, dgst digest.Digest) (Info, error)
+}
+
+// Manager provides methods for inspecting, listing and removing content.
+type Manager interface {
+	InfoProvider
+
+	// Update updates mutable information related to content.
+	// If one or more fieldpaths are provided, only those
+	// fields will be updated.
+	// Mutable fields:
+	//  labels.*
+	Update(ctx context.Context, info Info, fieldpaths ...string) (Info, error)
+
+	// Walk will call fn for each item in the content store which
+	// match the provided filters. If no filters are given all
+	// items will be walked.
+	Walk(ctx context.Context, fn WalkFunc, filters ...string) error
+
+	// Delete removes the content from the store.
+	Delete(ctx context.Context, dgst digest.Digest) error
+}
+
+// Writer handles writing of content into a content store
+type Writer interface {
+	// Close closes the writer, if the writer has not been
+	// committed this allows resuming or aborting.
+	// Calling Close on a closed writer will not error.
+	io.WriteCloser
+
+	// Digest may return empty digest or panics until committed.
+	Digest() digest.Digest
+
+	// Commit commits the blob (but no roll-back is guaranteed on an error).
+	// size and expected can be zero-value when unknown.
+	// Commit always closes the writer, even on error.
+	// ErrAlreadyExists aborts the writer.
+	Commit(ctx context.Context, size int64, expected digest.Digest, opts ...Opt) error
+
+	// Status returns the current state of write
+	Status() (Status, error)
+
+	// Truncate updates the size of the target blob
+	Truncate(size int64) error
+}
+
+// Opt is used to alter the mutable properties of content
+type Opt func(*Info) error
+
+// WithLabels allows labels to be set on content
+func WithLabels(labels map[string]string) Opt {
+	return func(info *Info) error {
+		info.Labels = labels
+		return nil
+	}
+}
+
+// WriterOpts is internally used by WriterOpt.
+type WriterOpts struct {
+	Ref  string
+	Desc ocispec.Descriptor
+}
+
+// WriterOpt is used for passing options to Ingester.Writer.
+type WriterOpt func(*WriterOpts) error
+
+// WithDescriptor specifies an OCI descriptor.
+// Writer may optionally use the descriptor internally for resolving
+// the location of the actual data.
+// Write does not require any field of desc to be set.
+// If the data size is unknown, desc.Size should be set to 0.
+// Some implementations may also accept negative values as "unknown".
+func WithDescriptor(desc ocispec.Descriptor) WriterOpt {
+	return func(opts *WriterOpts) error {
+		opts.Desc = desc
+		return nil
+	}
+}
+
+// WithRef specifies a ref string.
+func WithRef(ref string) WriterOpt {
+	return func(opts *WriterOpts) error {
+		opts.Ref = ref
+		return nil
+	}
+}
diff --git a/vendor/github.com/containerd/containerd/content/helpers.go b/vendor/github.com/containerd/containerd/content/helpers.go
new file mode 100644
index 0000000000..93bcdde106
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/content/helpers.go
@@ -0,0 +1,340 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package content
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"sync"
+	"time"
+
+	"github.com/containerd/log"
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/pkg/randutil"
+)
+
+var ErrReset = errors.New("writer has been reset")
+
+var bufPool = sync.Pool{
+	New: func() interface{} {
+		buffer := make([]byte, 1<<20)
+		return &buffer
+	},
+}
+
+type reader interface {
+	Reader() io.Reader
+}
+
+// NewReader returns a io.Reader from a ReaderAt
+func NewReader(ra ReaderAt) io.Reader {
+	if rd, ok := ra.(reader); ok {
+		return rd.Reader()
+	}
+	return io.NewSectionReader(ra, 0, ra.Size())
+}
+
+// ReadBlob retrieves the entire contents of the blob from the provider.
+//
+// Avoid using this for large blobs, such as layers.
+func ReadBlob(ctx context.Context, provider Provider, desc ocispec.Descriptor) ([]byte, error) {
+	if int64(len(desc.Data)) == desc.Size && digest.FromBytes(desc.Data) == desc.Digest {
+		return desc.Data, nil
+	}
+
+	ra, err := provider.ReaderAt(ctx, desc)
+	if err != nil {
+		return nil, err
+	}
+	defer ra.Close()
+
+	p := make([]byte, ra.Size())
+
+	n, err := ra.ReadAt(p, 0)
+	if err == io.EOF {
+		if int64(n) != ra.Size() {
+			err = io.ErrUnexpectedEOF
+		} else {
+			err = nil
+		}
+	}
+	return p, err
+}
+
+// WriteBlob writes data with the expected digest into the content store. If
+// expected already exists, the method returns immediately and the reader will
+// not be consumed.
+//
+// This is useful when the digest and size are known beforehand.
+//
+// Copy is buffered, so no need to wrap reader in buffered io.
+func WriteBlob(ctx context.Context, cs Ingester, ref string, r io.Reader, desc ocispec.Descriptor, opts ...Opt) error {
+	cw, err := OpenWriter(ctx, cs, WithRef(ref), WithDescriptor(desc))
+	if err != nil {
+		if !errdefs.IsAlreadyExists(err) {
+			return fmt.Errorf("failed to open writer: %w", err)
+		}
+
+		return nil // already present
+	}
+	defer cw.Close()
+
+	return Copy(ctx, cw, r, desc.Size, desc.Digest, opts...)
+}
+
+// OpenWriter opens a new writer for the given reference, retrying if the writer
+// is locked until the reference is available or returns an error.
+func OpenWriter(ctx context.Context, cs Ingester, opts ...WriterOpt) (Writer, error) {
+	var (
+		cw    Writer
+		err   error
+		retry = 16
+	)
+	for {
+		cw, err = cs.Writer(ctx, opts...)
+		if err != nil {
+			if !errdefs.IsUnavailable(err) {
+				return nil, err
+			}
+
+			// TODO: Check status to determine if the writer is active,
+			// continue waiting while active, otherwise return lock
+			// error or abort. Requires asserting for an ingest manager
+
+			select {
+			case <-time.After(time.Millisecond * time.Duration(randutil.Intn(retry))):
+				if retry < 2048 {
+					retry = retry << 1
+				}
+				continue
+			case <-ctx.Done():
+				// Propagate lock error
+				return nil, err
+			}
+
+		}
+		break
+	}
+
+	return cw, err
+}
+
+// Copy copies data with the expected digest from the reader into the
+// provided content store writer. This copy commits the writer.
+//
+// This is useful when the digest and size are known beforehand. When
+// the size or digest is unknown, these values may be empty.
+//
+// Copy is buffered, so no need to wrap reader in buffered io.
+func Copy(ctx context.Context, cw Writer, or io.Reader, size int64, expected digest.Digest, opts ...Opt) error {
+	ws, err := cw.Status()
+	if err != nil {
+		return fmt.Errorf("failed to get status: %w", err)
+	}
+	r := or
+	if ws.Offset > 0 {
+		r, err = seekReader(or, ws.Offset, size)
+		if err != nil {
+			return fmt.Errorf("unable to resume write to %v: %w", ws.Ref, err)
+		}
+	}
+
+	for i := 0; ; i++ {
+		if i >= 1 {
+			log.G(ctx).WithField("digest", expected).Debugf("retrying copy due to reset")
+		}
+		copied, err := copyWithBuffer(cw, r)
+		if errors.Is(err, ErrReset) {
+			ws, err := cw.Status()
+			if err != nil {
+				return fmt.Errorf("failed to get status: %w", err)
+			}
+			r, err = seekReader(or, ws.Offset, size)
+			if err != nil {
+				return fmt.Errorf("unable to resume write to %v: %w", ws.Ref, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to copy: %w", err)
+		}
+		if size != 0 && copied < size-ws.Offset {
+			// Short writes would return its own error, this indicates a read failure
+			return fmt.Errorf("failed to read expected number of bytes: %w", io.ErrUnexpectedEOF)
+		}
+		if err := cw.Commit(ctx, size, expected, opts...); err != nil {
+			if errors.Is(err, ErrReset) {
+				ws, err := cw.Status()
+				if err != nil {
+					return fmt.Errorf("failed to get status: %w", err)
+				}
+				r, err = seekReader(or, ws.Offset, size)
+				if err != nil {
+					return fmt.Errorf("unable to resume write to %v: %w", ws.Ref, err)
+				}
+				continue
+			}
+			if !errdefs.IsAlreadyExists(err) {
+				return fmt.Errorf("failed commit on ref %q: %w", ws.Ref, err)
+			}
+		}
+		return nil
+	}
+}
+
+// CopyReaderAt copies to a writer from a given reader at for the given
+// number of bytes. This copy does not commit the writer.
+func CopyReaderAt(cw Writer, ra ReaderAt, n int64) error {
+	ws, err := cw.Status()
+	if err != nil {
+		return err
+	}
+
+	copied, err := copyWithBuffer(cw, io.NewSectionReader(ra, ws.Offset, n))
+	if err != nil {
+		return fmt.Errorf("failed to copy: %w", err)
+	}
+	if copied < n {
+		// Short writes would return its own error, this indicates a read failure
+		return fmt.Errorf("failed to read expected number of bytes: %w", io.ErrUnexpectedEOF)
+	}
+	return nil
+}
+
+// CopyReader copies to a writer from a given reader, returning
+// the number of bytes copied.
+// Note: if the writer has a non-zero offset, the total number
+// of bytes read may be greater than those copied if the reader
+// is not an io.Seeker.
+// This copy does not commit the writer.
+func CopyReader(cw Writer, r io.Reader) (int64, error) {
+	ws, err := cw.Status()
+	if err != nil {
+		return 0, fmt.Errorf("failed to get status: %w", err)
+	}
+
+	if ws.Offset > 0 {
+		r, err = seekReader(r, ws.Offset, 0)
+		if err != nil {
+			return 0, fmt.Errorf("unable to resume write to %v: %w", ws.Ref, err)
+		}
+	}
+
+	return copyWithBuffer(cw, r)
+}
+
+// seekReader attempts to seek the reader to the given offset, either by
+// resolving `io.Seeker`, by detecting `io.ReaderAt`, or discarding
+// up to the given offset.
+func seekReader(r io.Reader, offset, size int64) (io.Reader, error) {
+	// attempt to resolve r as a seeker and setup the offset.
+	seeker, ok := r.(io.Seeker)
+	if ok {
+		nn, err := seeker.Seek(offset, io.SeekStart)
+		if nn != offset {
+			if err == nil {
+				err = fmt.Errorf("unexpected seek location without seek error")
+			}
+			return nil, fmt.Errorf("failed to seek to offset %v: %w", offset, err)
+		}
+
+		if err != nil {
+			return nil, err
+		}
+
+		return r, nil
+	}
+
+	// ok, let's try io.ReaderAt!
+	readerAt, ok := r.(io.ReaderAt)
+	if ok && size > offset {
+		sr := io.NewSectionReader(readerAt, offset, size)
+		return sr, nil
+	}
+
+	// well then, let's just discard up to the offset
+	n, err := copyWithBuffer(io.Discard, io.LimitReader(r, offset))
+	if err != nil {
+		return nil, fmt.Errorf("failed to discard to offset: %w", err)
+	}
+	if n != offset {
+		return nil, errors.New("unable to discard to offset")
+	}
+
+	return r, nil
+}
+
+// copyWithBuffer is very similar to  io.CopyBuffer https://golang.org/pkg/io/#CopyBuffer
+// but instead of using Read to read from the src, we use ReadAtLeast to make sure we have
+// a full buffer before we do a write operation to dst to reduce overheads associated
+// with the write operations of small buffers.
+func copyWithBuffer(dst io.Writer, src io.Reader) (written int64, err error) {
+	// If the reader has a WriteTo method, use it to do the copy.
+	// Avoids an allocation and a copy.
+	if wt, ok := src.(io.WriterTo); ok {
+		return wt.WriteTo(dst)
+	}
+	// Similarly, if the writer has a ReadFrom method, use it to do the copy.
+	if rt, ok := dst.(io.ReaderFrom); ok {
+		return rt.ReadFrom(src)
+	}
+	bufRef := bufPool.Get().(*[]byte)
+	defer bufPool.Put(bufRef)
+	buf := *bufRef
+	for {
+		nr, er := io.ReadAtLeast(src, buf, len(buf))
+		if nr > 0 {
+			nw, ew := dst.Write(buf[0:nr])
+			if nw > 0 {
+				written += int64(nw)
+			}
+			if ew != nil {
+				err = ew
+				break
+			}
+			if nr != nw {
+				err = io.ErrShortWrite
+				break
+			}
+		}
+		if er != nil {
+			// If an EOF happens after reading fewer than the requested bytes,
+			// ReadAtLeast returns ErrUnexpectedEOF.
+			if er != io.EOF && er != io.ErrUnexpectedEOF {
+				err = er
+			}
+			break
+		}
+	}
+	return
+}
+
+// Exists returns whether an attempt to access the content would not error out
+// with an ErrNotFound error. It will return an encountered error if it was
+// different than ErrNotFound.
+func Exists(ctx context.Context, provider InfoProvider, desc ocispec.Descriptor) (bool, error) {
+	_, err := provider.Info(ctx, desc.Digest)
+	if errdefs.IsNotFound(err) {
+		return false, nil
+	}
+	return err == nil, err
+}
diff --git a/vendor/github.com/containerd/containerd/errdefs/errors.go b/vendor/github.com/containerd/containerd/errdefs/errors.go
new file mode 100644
index 0000000000..de22cadd41
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/errdefs/errors.go
@@ -0,0 +1,72 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package errdefs defines the common errors used throughout containerd
+// packages.
+//
+// Use with fmt.Errorf to add context to an error.
+//
+// To detect an error class, use the IsXXX functions to tell whether an error
+// is of a certain type.
+package errdefs
+
+import (
+	"github.com/containerd/errdefs"
+)
+
+// Definitions of common error types used throughout containerd. All containerd
+// errors returned by most packages will map into one of these errors classes.
+// Packages should return errors of these types when they want to instruct a
+// client to take a particular action.
+//
+// These errors map closely to grpc errors.
+var (
+	ErrUnknown            = errdefs.ErrUnknown
+	ErrInvalidArgument    = errdefs.ErrInvalidArgument
+	ErrNotFound           = errdefs.ErrNotFound
+	ErrAlreadyExists      = errdefs.ErrAlreadyExists
+	ErrPermissionDenied   = errdefs.ErrPermissionDenied
+	ErrResourceExhausted  = errdefs.ErrResourceExhausted
+	ErrFailedPrecondition = errdefs.ErrFailedPrecondition
+	ErrConflict           = errdefs.ErrConflict
+	ErrNotModified        = errdefs.ErrNotModified
+	ErrAborted            = errdefs.ErrAborted
+	ErrOutOfRange         = errdefs.ErrOutOfRange
+	ErrNotImplemented     = errdefs.ErrNotImplemented
+	ErrInternal           = errdefs.ErrInternal
+	ErrUnavailable        = errdefs.ErrUnavailable
+	ErrDataLoss           = errdefs.ErrDataLoss
+	ErrUnauthenticated    = errdefs.ErrUnauthenticated
+
+	IsCanceled           = errdefs.IsCanceled
+	IsUnknown            = errdefs.IsUnknown
+	IsInvalidArgument    = errdefs.IsInvalidArgument
+	IsDeadlineExceeded   = errdefs.IsDeadlineExceeded
+	IsNotFound           = errdefs.IsNotFound
+	IsAlreadyExists      = errdefs.IsAlreadyExists
+	IsPermissionDenied   = errdefs.IsPermissionDenied
+	IsResourceExhausted  = errdefs.IsResourceExhausted
+	IsFailedPrecondition = errdefs.IsFailedPrecondition
+	IsConflict           = errdefs.IsConflict
+	IsNotModified        = errdefs.IsNotModified
+	IsAborted            = errdefs.IsAborted
+	IsOutOfRange         = errdefs.IsOutOfRange
+	IsNotImplemented     = errdefs.IsNotImplemented
+	IsInternal           = errdefs.IsInternal
+	IsUnavailable        = errdefs.IsUnavailable
+	IsDataLoss           = errdefs.IsDataLoss
+	IsUnauthorized       = errdefs.IsUnauthorized
+)
diff --git a/vendor/github.com/containerd/containerd/errdefs/grpc.go b/vendor/github.com/containerd/containerd/errdefs/grpc.go
new file mode 100644
index 0000000000..11091b1db0
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/errdefs/grpc.go
@@ -0,0 +1,147 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package errdefs
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// ToGRPC will attempt to map the backend containerd error into a grpc error,
+// using the original error message as a description.
+//
+// Further information may be extracted from certain errors depending on their
+// type.
+//
+// If the error is unmapped, the original error will be returned to be handled
+// by the regular grpc error handling stack.
+func ToGRPC(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if isGRPCError(err) {
+		// error has already been mapped to grpc
+		return err
+	}
+
+	switch {
+	case IsInvalidArgument(err):
+		return status.Error(codes.InvalidArgument, err.Error())
+	case IsNotFound(err):
+		return status.Error(codes.NotFound, err.Error())
+	case IsAlreadyExists(err):
+		return status.Error(codes.AlreadyExists, err.Error())
+	case IsFailedPrecondition(err):
+		return status.Error(codes.FailedPrecondition, err.Error())
+	case IsUnavailable(err):
+		return status.Error(codes.Unavailable, err.Error())
+	case IsNotImplemented(err):
+		return status.Error(codes.Unimplemented, err.Error())
+	case IsCanceled(err):
+		return status.Error(codes.Canceled, err.Error())
+	case IsDeadlineExceeded(err):
+		return status.Error(codes.DeadlineExceeded, err.Error())
+	}
+
+	return err
+}
+
+// ToGRPCf maps the error to grpc error codes, assembling the formatting string
+// and combining it with the target error string.
+//
+// This is equivalent to errdefs.ToGRPC(fmt.Errorf("%s: %w", fmt.Sprintf(format, args...), err))
+func ToGRPCf(err error, format string, args ...interface{}) error {
+	return ToGRPC(fmt.Errorf("%s: %w", fmt.Sprintf(format, args...), err))
+}
+
+// FromGRPC returns the underlying error from a grpc service based on the grpc error code
+func FromGRPC(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	var cls error // divide these into error classes, becomes the cause
+
+	switch code(err) {
+	case codes.InvalidArgument:
+		cls = ErrInvalidArgument
+	case codes.AlreadyExists:
+		cls = ErrAlreadyExists
+	case codes.NotFound:
+		cls = ErrNotFound
+	case codes.Unavailable:
+		cls = ErrUnavailable
+	case codes.FailedPrecondition:
+		cls = ErrFailedPrecondition
+	case codes.Unimplemented:
+		cls = ErrNotImplemented
+	case codes.Canceled:
+		cls = context.Canceled
+	case codes.DeadlineExceeded:
+		cls = context.DeadlineExceeded
+	default:
+		cls = ErrUnknown
+	}
+
+	msg := rebaseMessage(cls, err)
+	if msg != "" {
+		err = fmt.Errorf("%s: %w", msg, cls)
+	} else {
+		err = cls
+	}
+
+	return err
+}
+
+// rebaseMessage removes the repeats for an error at the end of an error
+// string. This will happen when taking an error over grpc then remapping it.
+//
+// Effectively, we just remove the string of cls from the end of err if it
+// appears there.
+func rebaseMessage(cls error, err error) string {
+	desc := errDesc(err)
+	clss := cls.Error()
+	if desc == clss {
+		return ""
+	}
+
+	return strings.TrimSuffix(desc, ": "+clss)
+}
+
+func isGRPCError(err error) bool {
+	_, ok := status.FromError(err)
+	return ok
+}
+
+func code(err error) codes.Code {
+	if s, ok := status.FromError(err); ok {
+		return s.Code()
+	}
+	return codes.Unknown
+}
+
+func errDesc(err error) string {
+	if s, ok := status.FromError(err); ok {
+		return s.Message()
+	}
+	return err.Error()
+}
diff --git a/vendor/github.com/containerd/containerd/filters/adaptor.go b/vendor/github.com/containerd/containerd/filters/adaptor.go
new file mode 100644
index 0000000000..5a9c559c1e
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/filters/adaptor.go
@@ -0,0 +1,33 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package filters
+
+// Adaptor specifies the mapping of fieldpaths to a type. For the given field
+// path, the value and whether it is present should be returned. The mapping of
+// the fieldpath to a field is deferred to the adaptor implementation, but
+// should generally follow protobuf field path/mask semantics.
+type Adaptor interface {
+	Field(fieldpath []string) (value string, present bool)
+}
+
+// AdapterFunc allows implementation specific matching of fieldpaths
+type AdapterFunc func(fieldpath []string) (string, bool)
+
+// Field returns the field name and true if it exists
+func (fn AdapterFunc) Field(fieldpath []string) (string, bool) {
+	return fn(fieldpath)
+}
diff --git a/vendor/github.com/containerd/containerd/filters/filter.go b/vendor/github.com/containerd/containerd/filters/filter.go
new file mode 100644
index 0000000000..dcc569a4b7
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/filters/filter.go
@@ -0,0 +1,178 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package filters defines a syntax and parser that can be used for the
+// filtration of items across the containerd API. The core is built on the
+// concept of protobuf field paths, with quoting.  Several operators allow the
+// user to flexibly select items based on field presence, equality, inequality
+// and regular expressions. Flexible adaptors support working with any type.
+//
+// The syntax is fairly familiar, if you've used container ecosystem
+// projects.  At the core, we base it on the concept of protobuf field
+// paths, augmenting with the ability to quote portions of the field path
+// to match arbitrary labels. These "selectors" come in the following
+// syntax:
+//
+// ```
+// <fieldpath>[<operator><value>]
+// ```
+//
+// A basic example is as follows:
+//
+// ```
+// name==foo
+// ```
+//
+// This would match all objects that have a field `name` with the value
+// `foo`. If we only want to test if the field is present, we can omit the
+// operator. This is most useful for matching labels in containerd. The
+// following will match objects that have the field "labels" and have the
+// label "foo" defined:
+//
+// ```
+// labels.foo
+// ```
+//
+// We also allow for quoting of parts of the field path to allow matching
+// of arbitrary items:
+//
+// ```
+// labels."very complex label"==something
+// ```
+//
+// We also define `!=` and `~=` as operators. The `!=` will match all
+// objects that don't match the value for a field and `~=` will compile the
+// target value as a regular expression and match the field value against that.
+//
+// Selectors can be combined using a comma, such that the resulting
+// selector will require all selectors are matched for the object to match.
+// The following example will match objects that are named `foo` and have
+// the label `bar`:
+//
+// ```
+// name==foo,labels.bar
+// ```
+package filters
+
+import (
+	"regexp"
+
+	"github.com/containerd/log"
+)
+
+// Filter matches specific resources based the provided filter
+type Filter interface {
+	Match(adaptor Adaptor) bool
+}
+
+// FilterFunc is a function that handles matching with an adaptor
+type FilterFunc func(Adaptor) bool
+
+// Match matches the FilterFunc returning true if the object matches the filter
+func (fn FilterFunc) Match(adaptor Adaptor) bool {
+	return fn(adaptor)
+}
+
+// Always is a filter that always returns true for any type of object
+var Always FilterFunc = func(adaptor Adaptor) bool {
+	return true
+}
+
+// Any allows multiple filters to be matched against the object
+type Any []Filter
+
+// Match returns true if any of the provided filters are true
+func (m Any) Match(adaptor Adaptor) bool {
+	for _, m := range m {
+		if m.Match(adaptor) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// All allows multiple filters to be matched against the object
+type All []Filter
+
+// Match only returns true if all filters match the object
+func (m All) Match(adaptor Adaptor) bool {
+	for _, m := range m {
+		if !m.Match(adaptor) {
+			return false
+		}
+	}
+
+	return true
+}
+
+type operator int
+
+const (
+	operatorPresent = iota
+	operatorEqual
+	operatorNotEqual
+	operatorMatches
+)
+
+func (op operator) String() string {
+	switch op {
+	case operatorPresent:
+		return "?"
+	case operatorEqual:
+		return "=="
+	case operatorNotEqual:
+		return "!="
+	case operatorMatches:
+		return "~="
+	}
+
+	return "unknown"
+}
+
+type selector struct {
+	fieldpath []string
+	operator  operator
+	value     string
+	re        *regexp.Regexp
+}
+
+func (m selector) Match(adaptor Adaptor) bool {
+	value, present := adaptor.Field(m.fieldpath)
+
+	switch m.operator {
+	case operatorPresent:
+		return present
+	case operatorEqual:
+		return present && value == m.value
+	case operatorNotEqual:
+		return value != m.value
+	case operatorMatches:
+		if m.re == nil {
+			r, err := regexp.Compile(m.value)
+			if err != nil {
+				log.L.Errorf("error compiling regexp %q", m.value)
+				return false
+			}
+
+			m.re = r
+		}
+
+		return m.re.MatchString(value)
+	default:
+		return false
+	}
+}
diff --git a/vendor/github.com/containerd/containerd/filters/parser.go b/vendor/github.com/containerd/containerd/filters/parser.go
new file mode 100644
index 0000000000..790597aaf2
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/filters/parser.go
@@ -0,0 +1,294 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package filters
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/containerd/containerd/errdefs"
+)
+
+/*
+Parse the strings into a filter that may be used with an adaptor.
+
+The filter is made up of zero or more selectors.
+
+The format is a comma separated list of expressions, in the form of
+`<fieldpath><op><value>`, known as selectors. All selectors must match the
+target object for the filter to be true.
+
+We define the operators "==" for equality, "!=" for not equal and "~=" for a
+regular expression. If the operator and value are not present, the matcher will
+test for the presence of a value, as defined by the target object.
+
+The formal grammar is as follows:
+
+selectors := selector ("," selector)*
+selector  := fieldpath (operator value)
+fieldpath := field ('.' field)*
+field     := quoted | [A-Za-z] [A-Za-z0-9_]+
+operator  := "==" | "!=" | "~="
+value     := quoted | [^\s,]+
+quoted    := <go string syntax>
+*/
+func Parse(s string) (Filter, error) {
+	// special case empty to match all
+	if s == "" {
+		return Always, nil
+	}
+
+	p := parser{input: s}
+	return p.parse()
+}
+
+// ParseAll parses each filter in ss and returns a filter that will return true
+// if any filter matches the expression.
+//
+// If no filters are provided, the filter will match anything.
+func ParseAll(ss ...string) (Filter, error) {
+	if len(ss) == 0 {
+		return Always, nil
+	}
+
+	var fs []Filter
+	for _, s := range ss {
+		f, err := Parse(s)
+		if err != nil {
+			return nil, fmt.Errorf("%s: %w", err.Error(), errdefs.ErrInvalidArgument)
+		}
+
+		fs = append(fs, f)
+	}
+
+	return Any(fs), nil
+}
+
+type parser struct {
+	input   string
+	scanner scanner
+}
+
+func (p *parser) parse() (Filter, error) {
+	p.scanner.init(p.input)
+
+	ss, err := p.selectors()
+	if err != nil {
+		return nil, fmt.Errorf("filters: %w", err)
+	}
+
+	return ss, nil
+}
+
+func (p *parser) selectors() (Filter, error) {
+	s, err := p.selector()
+	if err != nil {
+		return nil, err
+	}
+
+	ss := All{s}
+
+loop:
+	for {
+		tok := p.scanner.peek()
+		switch tok {
+		case ',':
+			pos, tok, _ := p.scanner.scan()
+			if tok != tokenSeparator {
+				return nil, p.mkerr(pos, "expected a separator")
+			}
+
+			s, err := p.selector()
+			if err != nil {
+				return nil, err
+			}
+
+			ss = append(ss, s)
+		case tokenEOF:
+			break loop
+		default:
+			return nil, p.mkerrf(p.scanner.ppos, "unexpected input: %v", string(tok))
+		}
+	}
+
+	return ss, nil
+}
+
+func (p *parser) selector() (selector, error) {
+	fieldpath, err := p.fieldpath()
+	if err != nil {
+		return selector{}, err
+	}
+
+	switch p.scanner.peek() {
+	case ',', tokenSeparator, tokenEOF:
+		return selector{
+			fieldpath: fieldpath,
+			operator:  operatorPresent,
+		}, nil
+	}
+
+	op, err := p.operator()
+	if err != nil {
+		return selector{}, err
+	}
+
+	var allowAltQuotes bool
+	if op == operatorMatches {
+		allowAltQuotes = true
+	}
+
+	value, err := p.value(allowAltQuotes)
+	if err != nil {
+		if err == io.EOF {
+			return selector{}, io.ErrUnexpectedEOF
+		}
+		return selector{}, err
+	}
+
+	return selector{
+		fieldpath: fieldpath,
+		value:     value,
+		operator:  op,
+	}, nil
+}
+
+func (p *parser) fieldpath() ([]string, error) {
+	f, err := p.field()
+	if err != nil {
+		return nil, err
+	}
+
+	fs := []string{f}
+loop:
+	for {
+		tok := p.scanner.peek() // lookahead to consume field separator
+
+		switch tok {
+		case '.':
+			pos, tok, _ := p.scanner.scan() // consume separator
+			if tok != tokenSeparator {
+				return nil, p.mkerr(pos, "expected a field separator (`.`)")
+			}
+
+			f, err := p.field()
+			if err != nil {
+				return nil, err
+			}
+
+			fs = append(fs, f)
+		default:
+			// let the layer above handle the other bad cases.
+			break loop
+		}
+	}
+
+	return fs, nil
+}
+
+func (p *parser) field() (string, error) {
+	pos, tok, s := p.scanner.scan()
+	switch tok {
+	case tokenField:
+		return s, nil
+	case tokenQuoted:
+		return p.unquote(pos, s, false)
+	case tokenIllegal:
+		return "", p.mkerr(pos, p.scanner.err)
+	}
+
+	return "", p.mkerr(pos, "expected field or quoted")
+}
+
+func (p *parser) operator() (operator, error) {
+	pos, tok, s := p.scanner.scan()
+	switch tok {
+	case tokenOperator:
+		switch s {
+		case "==":
+			return operatorEqual, nil
+		case "!=":
+			return operatorNotEqual, nil
+		case "~=":
+			return operatorMatches, nil
+		default:
+			return 0, p.mkerrf(pos, "unsupported operator %q", s)
+		}
+	case tokenIllegal:
+		return 0, p.mkerr(pos, p.scanner.err)
+	}
+
+	return 0, p.mkerr(pos, `expected an operator ("=="|"!="|"~=")`)
+}
+
+func (p *parser) value(allowAltQuotes bool) (string, error) {
+	pos, tok, s := p.scanner.scan()
+
+	switch tok {
+	case tokenValue, tokenField:
+		return s, nil
+	case tokenQuoted:
+		return p.unquote(pos, s, allowAltQuotes)
+	case tokenIllegal:
+		return "", p.mkerr(pos, p.scanner.err)
+	}
+
+	return "", p.mkerr(pos, "expected value or quoted")
+}
+
+func (p *parser) unquote(pos int, s string, allowAlts bool) (string, error) {
+	if !allowAlts && s[0] != '\'' && s[0] != '"' {
+		return "", p.mkerr(pos, "invalid quote encountered")
+	}
+
+	uq, err := unquote(s)
+	if err != nil {
+		return "", p.mkerrf(pos, "unquoting failed: %v", err)
+	}
+
+	return uq, nil
+}
+
+type parseError struct {
+	input string
+	pos   int
+	msg   string
+}
+
+func (pe parseError) Error() string {
+	if pe.pos < len(pe.input) {
+		before := pe.input[:pe.pos]
+		location := pe.input[pe.pos : pe.pos+1] // need to handle end
+		after := pe.input[pe.pos+1:]
+
+		return fmt.Sprintf("[%s >|%s|< %s]: %v", before, location, after, pe.msg)
+	}
+
+	return fmt.Sprintf("[%s]: %v", pe.input, pe.msg)
+}
+
+func (p *parser) mkerrf(pos int, format string, args ...interface{}) error {
+	return p.mkerr(pos, fmt.Sprintf(format, args...))
+}
+
+func (p *parser) mkerr(pos int, msg string) error {
+	return fmt.Errorf("parse error: %w", parseError{
+		input: p.input,
+		pos:   pos,
+		msg:   msg,
+	})
+}
diff --git a/vendor/github.com/containerd/containerd/filters/quote.go b/vendor/github.com/containerd/containerd/filters/quote.go
new file mode 100644
index 0000000000..5c800ef846
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/filters/quote.go
@@ -0,0 +1,252 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package filters
+
+import (
+	"errors"
+	"unicode/utf8"
+)
+
+// NOTE(stevvooe): Most of this code in this file is copied from the stdlib
+// strconv package and modified to be able to handle quoting with `/` and `|`
+// as delimiters.  The copyright is held by the Go authors.
+
+var errQuoteSyntax = errors.New("quote syntax error")
+
+// UnquoteChar decodes the first character or byte in the escaped string
+// or character literal represented by the string s.
+// It returns four values:
+//
+//  1. value, the decoded Unicode code point or byte value;
+//  2. multibyte, a boolean indicating whether the decoded character requires a multibyte UTF-8 representation;
+//  3. tail, the remainder of the string after the character; and
+//  4. an error that will be nil if the character is syntactically valid.
+//
+// The second argument, quote, specifies the type of literal being parsed
+// and therefore which escaped quote character is permitted.
+// If set to a single quote, it permits the sequence \' and disallows unescaped '.
+// If set to a double quote, it permits \" and disallows unescaped ".
+// If set to zero, it does not permit either escape and allows both quote characters to appear unescaped.
+//
+// This is from Go strconv package, modified to support `|` and `/` as double
+// quotes for use with regular expressions.
+func unquoteChar(s string, quote byte) (value rune, multibyte bool, tail string, err error) {
+	// easy cases
+	switch c := s[0]; {
+	case c == quote && (quote == '\'' || quote == '"' || quote == '/' || quote == '|'):
+		err = errQuoteSyntax
+		return
+	case c >= utf8.RuneSelf:
+		r, size := utf8.DecodeRuneInString(s)
+		return r, true, s[size:], nil
+	case c != '\\':
+		return rune(s[0]), false, s[1:], nil
+	}
+
+	// hard case: c is backslash
+	if len(s) <= 1 {
+		err = errQuoteSyntax
+		return
+	}
+	c := s[1]
+	s = s[2:]
+
+	switch c {
+	case 'a':
+		value = '\a'
+	case 'b':
+		value = '\b'
+	case 'f':
+		value = '\f'
+	case 'n':
+		value = '\n'
+	case 'r':
+		value = '\r'
+	case 't':
+		value = '\t'
+	case 'v':
+		value = '\v'
+	case 'x', 'u', 'U':
+		n := 0
+		switch c {
+		case 'x':
+			n = 2
+		case 'u':
+			n = 4
+		case 'U':
+			n = 8
+		}
+		var v rune
+		if len(s) < n {
+			err = errQuoteSyntax
+			return
+		}
+		for j := 0; j < n; j++ {
+			x, ok := unhex(s[j])
+			if !ok {
+				err = errQuoteSyntax
+				return
+			}
+			v = v<<4 | x
+		}
+		s = s[n:]
+		if c == 'x' {
+			// single-byte string, possibly not UTF-8
+			value = v
+			break
+		}
+		if v > utf8.MaxRune {
+			err = errQuoteSyntax
+			return
+		}
+		value = v
+		multibyte = true
+	case '0', '1', '2', '3', '4', '5', '6', '7':
+		v := rune(c) - '0'
+		if len(s) < 2 {
+			err = errQuoteSyntax
+			return
+		}
+		for j := 0; j < 2; j++ { // one digit already; two more
+			x := rune(s[j]) - '0'
+			if x < 0 || x > 7 {
+				err = errQuoteSyntax
+				return
+			}
+			v = (v << 3) | x
+		}
+		s = s[2:]
+		if v > 255 {
+			err = errQuoteSyntax
+			return
+		}
+		value = v
+	case '\\':
+		value = '\\'
+	case '\'', '"', '|', '/':
+		if c != quote {
+			err = errQuoteSyntax
+			return
+		}
+		value = rune(c)
+	default:
+		err = errQuoteSyntax
+		return
+	}
+	tail = s
+	return
+}
+
+// unquote interprets s as a single-quoted, double-quoted,
+// or backquoted Go string literal, returning the string value
+// that s quotes.  (If s is single-quoted, it would be a Go
+// character literal; Unquote returns the corresponding
+// one-character string.)
+//
+// This is modified from the standard library to support `|` and `/` as quote
+// characters for use with regular expressions.
+func unquote(s string) (string, error) {
+	n := len(s)
+	if n < 2 {
+		return "", errQuoteSyntax
+	}
+	quote := s[0]
+	if quote != s[n-1] {
+		return "", errQuoteSyntax
+	}
+	s = s[1 : n-1]
+
+	if quote == '`' {
+		if contains(s, '`') {
+			return "", errQuoteSyntax
+		}
+		if contains(s, '\r') {
+			// -1 because we know there is at least one \r to remove.
+			buf := make([]byte, 0, len(s)-1)
+			for i := 0; i < len(s); i++ {
+				if s[i] != '\r' {
+					buf = append(buf, s[i])
+				}
+			}
+			return string(buf), nil
+		}
+		return s, nil
+	}
+	if quote != '"' && quote != '\'' && quote != '|' && quote != '/' {
+		return "", errQuoteSyntax
+	}
+	if contains(s, '\n') {
+		return "", errQuoteSyntax
+	}
+
+	// Is it trivial?  Avoid allocation.
+	if !contains(s, '\\') && !contains(s, quote) {
+		switch quote {
+		case '"', '/', '|': // pipe and slash are treated like double quote
+			return s, nil
+		case '\'':
+			r, size := utf8.DecodeRuneInString(s)
+			if size == len(s) && (r != utf8.RuneError || size != 1) {
+				return s, nil
+			}
+		}
+	}
+
+	var runeTmp [utf8.UTFMax]byte
+	buf := make([]byte, 0, 3*len(s)/2) // Try to avoid more allocations.
+	for len(s) > 0 {
+		c, multibyte, ss, err := unquoteChar(s, quote)
+		if err != nil {
+			return "", err
+		}
+		s = ss
+		if c < utf8.RuneSelf || !multibyte {
+			buf = append(buf, byte(c))
+		} else {
+			n := utf8.EncodeRune(runeTmp[:], c)
+			buf = append(buf, runeTmp[:n]...)
+		}
+		if quote == '\'' && len(s) != 0 {
+			// single-quoted must be single character
+			return "", errQuoteSyntax
+		}
+	}
+	return string(buf), nil
+}
+
+// contains reports whether the string contains the byte c.
+func contains(s string, c byte) bool {
+	for i := 0; i < len(s); i++ {
+		if s[i] == c {
+			return true
+		}
+	}
+	return false
+}
+
+func unhex(b byte) (v rune, ok bool) {
+	c := rune(b)
+	switch {
+	case '0' <= c && c <= '9':
+		return c - '0', true
+	case 'a' <= c && c <= 'f':
+		return c - 'a' + 10, true
+	case 'A' <= c && c <= 'F':
+		return c - 'A' + 10, true
+	}
+	return
+}
diff --git a/vendor/github.com/containerd/containerd/filters/scanner.go b/vendor/github.com/containerd/containerd/filters/scanner.go
new file mode 100644
index 0000000000..6a485467b8
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/filters/scanner.go
@@ -0,0 +1,297 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package filters
+
+import (
+	"unicode"
+	"unicode/utf8"
+)
+
+const (
+	tokenEOF = -(iota + 1)
+	tokenQuoted
+	tokenValue
+	tokenField
+	tokenSeparator
+	tokenOperator
+	tokenIllegal
+)
+
+type token rune
+
+func (t token) String() string {
+	switch t {
+	case tokenEOF:
+		return "EOF"
+	case tokenQuoted:
+		return "Quoted"
+	case tokenValue:
+		return "Value"
+	case tokenField:
+		return "Field"
+	case tokenSeparator:
+		return "Separator"
+	case tokenOperator:
+		return "Operator"
+	case tokenIllegal:
+		return "Illegal"
+	}
+
+	return string(t)
+}
+
+func (t token) GoString() string {
+	return "token" + t.String()
+}
+
+type scanner struct {
+	input string
+	pos   int
+	ppos  int // bounds the current rune in the string
+	value bool
+	err   string
+}
+
+func (s *scanner) init(input string) {
+	s.input = input
+	s.pos = 0
+	s.ppos = 0
+}
+
+func (s *scanner) next() rune {
+	if s.pos >= len(s.input) {
+		return tokenEOF
+	}
+	s.pos = s.ppos
+
+	r, w := utf8.DecodeRuneInString(s.input[s.ppos:])
+	s.ppos += w
+	if r == utf8.RuneError {
+		if w > 0 {
+			s.error("rune error")
+			return tokenIllegal
+		}
+		return tokenEOF
+	}
+
+	if r == 0 {
+		s.error("unexpected null")
+		return tokenIllegal
+	}
+
+	return r
+}
+
+func (s *scanner) peek() rune {
+	pos := s.pos
+	ppos := s.ppos
+	ch := s.next()
+	s.pos = pos
+	s.ppos = ppos
+	return ch
+}
+
+func (s *scanner) scan() (nextp int, tk token, text string) {
+	var (
+		ch  = s.next()
+		pos = s.pos
+	)
+
+chomp:
+	switch {
+	case ch == tokenEOF:
+	case ch == tokenIllegal:
+	case isQuoteRune(ch):
+		if !s.scanQuoted(ch) {
+			return pos, tokenIllegal, s.input[pos:s.ppos]
+		}
+		return pos, tokenQuoted, s.input[pos:s.ppos]
+	case isSeparatorRune(ch):
+		s.value = false
+		return pos, tokenSeparator, s.input[pos:s.ppos]
+	case isOperatorRune(ch):
+		s.scanOperator()
+		s.value = true
+		return pos, tokenOperator, s.input[pos:s.ppos]
+	case unicode.IsSpace(ch):
+		// chomp
+		ch = s.next()
+		pos = s.pos
+		goto chomp
+	case s.value:
+		s.scanValue()
+		s.value = false
+		return pos, tokenValue, s.input[pos:s.ppos]
+	case isFieldRune(ch):
+		s.scanField()
+		return pos, tokenField, s.input[pos:s.ppos]
+	}
+
+	return s.pos, token(ch), ""
+}
+
+func (s *scanner) scanField() {
+	for {
+		ch := s.peek()
+		if !isFieldRune(ch) {
+			break
+		}
+		s.next()
+	}
+}
+
+func (s *scanner) scanOperator() {
+	for {
+		ch := s.peek()
+		switch ch {
+		case '=', '!', '~':
+			s.next()
+		default:
+			return
+		}
+	}
+}
+
+func (s *scanner) scanValue() {
+	for {
+		ch := s.peek()
+		if !isValueRune(ch) {
+			break
+		}
+		s.next()
+	}
+}
+
+func (s *scanner) scanQuoted(quote rune) bool {
+	var illegal bool
+	ch := s.next() // read character after quote
+	for ch != quote {
+		if ch == '\n' || ch < 0 {
+			s.error("quoted literal not terminated")
+			return false
+		}
+		if ch == '\\' {
+			var legal bool
+			ch, legal = s.scanEscape(quote)
+			if !legal {
+				illegal = true
+			}
+		} else {
+			ch = s.next()
+		}
+	}
+	return !illegal
+}
+
+func (s *scanner) scanEscape(quote rune) (ch rune, legal bool) {
+	ch = s.next() // read character after '/'
+	switch ch {
+	case 'a', 'b', 'f', 'n', 'r', 't', 'v', '\\', quote:
+		// nothing to do
+		ch = s.next()
+		legal = true
+	case '0', '1', '2', '3', '4', '5', '6', '7':
+		ch, legal = s.scanDigits(ch, 8, 3)
+	case 'x':
+		ch, legal = s.scanDigits(s.next(), 16, 2)
+	case 'u':
+		ch, legal = s.scanDigits(s.next(), 16, 4)
+	case 'U':
+		ch, legal = s.scanDigits(s.next(), 16, 8)
+	default:
+		s.error("illegal escape sequence")
+	}
+	return
+}
+
+func (s *scanner) scanDigits(ch rune, base, n int) (rune, bool) {
+	for n > 0 && digitVal(ch) < base {
+		ch = s.next()
+		n--
+	}
+	if n > 0 {
+		s.error("illegal numeric escape sequence")
+		return ch, false
+	}
+	return ch, true
+}
+
+func (s *scanner) error(msg string) {
+	if s.err == "" {
+		s.err = msg
+	}
+}
+
+func digitVal(ch rune) int {
+	switch {
+	case '0' <= ch && ch <= '9':
+		return int(ch - '0')
+	case 'a' <= ch && ch <= 'f':
+		return int(ch - 'a' + 10)
+	case 'A' <= ch && ch <= 'F':
+		return int(ch - 'A' + 10)
+	}
+	return 16 // larger than any legal digit val
+}
+
+func isFieldRune(r rune) bool {
+	return (r == '_' || isAlphaRune(r) || isDigitRune(r))
+}
+
+func isAlphaRune(r rune) bool {
+	return r >= 'A' && r <= 'Z' || r >= 'a' && r <= 'z'
+}
+
+func isDigitRune(r rune) bool {
+	return r >= '0' && r <= '9'
+}
+
+func isOperatorRune(r rune) bool {
+	switch r {
+	case '=', '!', '~':
+		return true
+	}
+
+	return false
+}
+
+func isQuoteRune(r rune) bool {
+	switch r {
+	case '/', '|', '"': // maybe add single quoting?
+		return true
+	}
+
+	return false
+}
+
+func isSeparatorRune(r rune) bool {
+	switch r {
+	case ',', '.':
+		return true
+	}
+
+	return false
+}
+
+func isValueRune(r rune) bool {
+	return r != ',' && !unicode.IsSpace(r) &&
+		(unicode.IsLetter(r) ||
+			unicode.IsDigit(r) ||
+			unicode.IsNumber(r) ||
+			unicode.IsGraphic(r) ||
+			unicode.IsPunct(r))
+}
diff --git a/vendor/github.com/containerd/containerd/images/annotations.go b/vendor/github.com/containerd/containerd/images/annotations.go
new file mode 100644
index 0000000000..47d92104cd
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/images/annotations.go
@@ -0,0 +1,23 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package images
+
+const (
+	// AnnotationImageName is an annotation on a Descriptor in an index.json
+	// containing the `Name` value as used by an `Image` struct
+	AnnotationImageName = "io.containerd.image.name"
+)
diff --git a/vendor/github.com/containerd/containerd/images/diffid.go b/vendor/github.com/containerd/containerd/images/diffid.go
new file mode 100644
index 0000000000..85577eedee
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/images/diffid.go
@@ -0,0 +1,81 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package images
+
+import (
+	"context"
+	"io"
+
+	"github.com/containerd/containerd/archive/compression"
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/labels"
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
+)
+
+// GetDiffID gets the diff ID of the layer blob descriptor.
+func GetDiffID(ctx context.Context, cs content.Store, desc ocispec.Descriptor) (digest.Digest, error) {
+	switch desc.MediaType {
+	case
+		// If the layer is already uncompressed, we can just return its digest
+		MediaTypeDockerSchema2Layer,
+		ocispec.MediaTypeImageLayer,
+		MediaTypeDockerSchema2LayerForeign,
+		ocispec.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // deprecated
+		return desc.Digest, nil
+	}
+	info, err := cs.Info(ctx, desc.Digest)
+	if err != nil {
+		return "", err
+	}
+	v, ok := info.Labels[labels.LabelUncompressed]
+	if ok {
+		// Fast path: if the image is already unpacked, we can use the label value
+		return digest.Parse(v)
+	}
+	// if the image is not unpacked, we may not have the label
+	ra, err := cs.ReaderAt(ctx, desc)
+	if err != nil {
+		return "", err
+	}
+	defer ra.Close()
+	r := content.NewReader(ra)
+	uR, err := compression.DecompressStream(r)
+	if err != nil {
+		return "", err
+	}
+	defer uR.Close()
+	digester := digest.Canonical.Digester()
+	hashW := digester.Hash()
+	if _, err := io.Copy(hashW, uR); err != nil {
+		return "", err
+	}
+	if err := ra.Close(); err != nil {
+		return "", err
+	}
+	digest := digester.Digest()
+	// memorize the computed value
+	if info.Labels == nil {
+		info.Labels = make(map[string]string)
+	}
+	info.Labels[labels.LabelUncompressed] = digest.String()
+	if _, err := cs.Update(ctx, info, "labels"); err != nil {
+		logrus.WithError(err).Warnf("failed to set %s label for %s", labels.LabelUncompressed, desc.Digest)
+	}
+	return digest, nil
+}
diff --git a/vendor/github.com/containerd/containerd/images/handlers.go b/vendor/github.com/containerd/containerd/images/handlers.go
new file mode 100644
index 0000000000..a685092e2c
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/images/handlers.go
@@ -0,0 +1,323 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package images
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sort"
+
+	"github.com/containerd/platforms"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/sync/errgroup"
+	"golang.org/x/sync/semaphore"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/errdefs"
+)
+
+var (
+	// ErrSkipDesc is used to skip processing of a descriptor and
+	// its descendants.
+	ErrSkipDesc = errors.New("skip descriptor")
+
+	// ErrStopHandler is used to signify that the descriptor
+	// has been handled and should not be handled further.
+	// This applies only to a single descriptor in a handler
+	// chain and does not apply to descendant descriptors.
+	ErrStopHandler = errors.New("stop handler")
+
+	// ErrEmptyWalk is used when the WalkNotEmpty handlers return no
+	// children (e.g.: they were filtered out).
+	ErrEmptyWalk = errors.New("image might be filtered out")
+)
+
+// Handler handles image manifests
+type Handler interface {
+	Handle(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error)
+}
+
+// HandlerFunc function implementing the Handler interface
+type HandlerFunc func(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error)
+
+// Handle image manifests
+func (fn HandlerFunc) Handle(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error) {
+	return fn(ctx, desc)
+}
+
+// Handlers returns a handler that will run the handlers in sequence.
+//
+// A handler may return `ErrStopHandler` to stop calling additional handlers
+func Handlers(handlers ...Handler) HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error) {
+		var children []ocispec.Descriptor
+		for _, handler := range handlers {
+			ch, err := handler.Handle(ctx, desc)
+			if err != nil {
+				if errors.Is(err, ErrStopHandler) {
+					break
+				}
+				return nil, err
+			}
+
+			children = append(children, ch...)
+		}
+
+		return children, nil
+	}
+}
+
+// Walk the resources of an image and call the handler for each. If the handler
+// decodes the sub-resources for each image,
+//
+// This differs from dispatch in that each sibling resource is considered
+// synchronously.
+func Walk(ctx context.Context, handler Handler, descs ...ocispec.Descriptor) error {
+	for _, desc := range descs {
+
+		children, err := handler.Handle(ctx, desc)
+		if err != nil {
+			if errors.Is(err, ErrSkipDesc) {
+				continue // don't traverse the children.
+			}
+			return err
+		}
+
+		if len(children) > 0 {
+			if err := Walk(ctx, handler, children...); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// WalkNotEmpty works the same way Walk does, with the exception that it ensures that
+// some children are still found by Walking the descriptors (for example, not all of
+// them have been filtered out by one of the handlers). If there are no children,
+// then an ErrEmptyWalk error is returned.
+func WalkNotEmpty(ctx context.Context, handler Handler, descs ...ocispec.Descriptor) error {
+	isEmpty := true
+	var notEmptyHandler HandlerFunc = func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		children, err := handler.Handle(ctx, desc)
+		if err != nil {
+			return children, err
+		}
+
+		if len(children) > 0 {
+			isEmpty = false
+		}
+
+		return children, nil
+	}
+
+	err := Walk(ctx, notEmptyHandler, descs...)
+	if err != nil {
+		return err
+	}
+
+	if isEmpty {
+		return ErrEmptyWalk
+	}
+
+	return nil
+}
+
+// Dispatch runs the provided handler for content specified by the descriptors.
+// If the handler decode subresources, they will be visited, as well.
+//
+// Handlers for siblings are run in parallel on the provided descriptors. A
+// handler may return `ErrSkipDesc` to signal to the dispatcher to not traverse
+// any children.
+//
+// A concurrency limiter can be passed in to limit the number of concurrent
+// handlers running. When limiter is nil, there is no limit.
+//
+// Typically, this function will be used with `FetchHandler`, often composed
+// with other handlers.
+//
+// If any handler returns an error, the dispatch session will be canceled.
+func Dispatch(ctx context.Context, handler Handler, limiter *semaphore.Weighted, descs ...ocispec.Descriptor) error {
+	eg, ctx2 := errgroup.WithContext(ctx)
+	for _, desc := range descs {
+		desc := desc
+
+		if limiter != nil {
+			if err := limiter.Acquire(ctx, 1); err != nil {
+				return err
+			}
+		}
+
+		eg.Go(func() error {
+			desc := desc
+
+			children, err := handler.Handle(ctx2, desc)
+			if limiter != nil {
+				limiter.Release(1)
+			}
+			if err != nil {
+				if errors.Is(err, ErrSkipDesc) {
+					return nil // don't traverse the children.
+				}
+				return err
+			}
+
+			if len(children) > 0 {
+				return Dispatch(ctx2, handler, limiter, children...)
+			}
+
+			return nil
+		})
+	}
+
+	return eg.Wait()
+}
+
+// ChildrenHandler decodes well-known manifest types and returns their children.
+//
+// This is useful for supporting recursive fetch and other use cases where you
+// want to do a full walk of resources.
+//
+// One can also replace this with another implementation to allow descending of
+// arbitrary types.
+func ChildrenHandler(provider content.Provider) HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		return Children(ctx, provider, desc)
+	}
+}
+
+// SetChildrenLabels is a handler wrapper which sets labels for the content on
+// the children returned by the handler and passes through the children.
+// Must follow a handler that returns the children to be labeled.
+func SetChildrenLabels(manager content.Manager, f HandlerFunc) HandlerFunc {
+	return SetChildrenMappedLabels(manager, f, nil)
+}
+
+// SetChildrenMappedLabels is a handler wrapper which sets labels for the content on
+// the children returned by the handler and passes through the children.
+// Must follow a handler that returns the children to be labeled.
+// The label map allows the caller to control the labels per child descriptor.
+// For returned labels, the index of the child will be appended to the end
+// except for the first index when the returned label does not end with '.'.
+func SetChildrenMappedLabels(manager content.Manager, f HandlerFunc, labelMap func(ocispec.Descriptor) []string) HandlerFunc {
+	if labelMap == nil {
+		labelMap = ChildGCLabels
+	}
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		children, err := f(ctx, desc)
+		if err != nil {
+			return children, err
+		}
+
+		if len(children) > 0 {
+			var (
+				info = content.Info{
+					Digest: desc.Digest,
+					Labels: map[string]string{},
+				}
+				fields = []string{}
+				keys   = map[string]uint{}
+			)
+			for _, ch := range children {
+				labelKeys := labelMap(ch)
+				for _, key := range labelKeys {
+					idx := keys[key]
+					keys[key] = idx + 1
+					if idx > 0 || key[len(key)-1] == '.' {
+						key = fmt.Sprintf("%s%d", key, idx)
+					}
+
+					info.Labels[key] = ch.Digest.String()
+					fields = append(fields, "labels."+key)
+				}
+			}
+
+			_, err := manager.Update(ctx, info, fields...)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		return children, err
+	}
+}
+
+// FilterPlatforms is a handler wrapper which limits the descriptors returned
+// based on matching the specified platform matcher.
+func FilterPlatforms(f HandlerFunc, m platforms.Matcher) HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		children, err := f(ctx, desc)
+		if err != nil {
+			return children, err
+		}
+
+		var descs []ocispec.Descriptor
+
+		if m == nil {
+			descs = children
+		} else {
+			for _, d := range children {
+				if d.Platform == nil || m.Match(*d.Platform) {
+					descs = append(descs, d)
+				}
+			}
+		}
+
+		return descs, nil
+	}
+}
+
+// LimitManifests is a handler wrapper which filters the manifest descriptors
+// returned using the provided platform.
+// The results will be ordered according to the comparison operator and
+// use the ordering in the manifests for equal matches.
+// A limit of 0 or less is considered no limit.
+// A not found error is returned if no manifest is matched.
+func LimitManifests(f HandlerFunc, m platforms.MatchComparer, n int) HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		children, err := f(ctx, desc)
+		if err != nil {
+			return children, err
+		}
+
+		switch desc.MediaType {
+		case ocispec.MediaTypeImageIndex, MediaTypeDockerSchema2ManifestList:
+			sort.SliceStable(children, func(i, j int) bool {
+				if children[i].Platform == nil {
+					return false
+				}
+				if children[j].Platform == nil {
+					return true
+				}
+				return m.Less(*children[i].Platform, *children[j].Platform)
+			})
+
+			if n > 0 {
+				if len(children) == 0 {
+					return children, fmt.Errorf("no match for platform in manifest: %w", errdefs.ErrNotFound)
+				}
+				if len(children) > n {
+					children = children[:n]
+				}
+			}
+		default:
+			// only limit manifests from an index
+		}
+		return children, nil
+	}
+}
diff --git a/vendor/github.com/containerd/containerd/images/image.go b/vendor/github.com/containerd/containerd/images/image.go
new file mode 100644
index 0000000000..8bebae19b3
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/images/image.go
@@ -0,0 +1,444 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package images
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"sort"
+	"time"
+
+	"github.com/containerd/log"
+	"github.com/containerd/platforms"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/errdefs"
+)
+
+// Image provides the model for how containerd views container images.
+type Image struct {
+	// Name of the image.
+	//
+	// To be pulled, it must be a reference compatible with resolvers.
+	//
+	// This field is required.
+	Name string
+
+	// Labels provide runtime decoration for the image record.
+	//
+	// There is no default behavior for how these labels are propagated. They
+	// only decorate the static metadata object.
+	//
+	// This field is optional.
+	Labels map[string]string
+
+	// Target describes the root content for this image. Typically, this is
+	// a manifest, index or manifest list.
+	Target ocispec.Descriptor
+
+	CreatedAt, UpdatedAt time.Time
+}
+
+// DeleteOptions provide options on image delete
+type DeleteOptions struct {
+	Synchronous bool
+}
+
+// DeleteOpt allows configuring a delete operation
+type DeleteOpt func(context.Context, *DeleteOptions) error
+
+// SynchronousDelete is used to indicate that an image deletion and removal of
+// the image resources should occur synchronously before returning a result.
+func SynchronousDelete() DeleteOpt {
+	return func(ctx context.Context, o *DeleteOptions) error {
+		o.Synchronous = true
+		return nil
+	}
+}
+
+// Store and interact with images
+type Store interface {
+	Get(ctx context.Context, name string) (Image, error)
+	List(ctx context.Context, filters ...string) ([]Image, error)
+	Create(ctx context.Context, image Image) (Image, error)
+
+	// Update will replace the data in the store with the provided image. If
+	// one or more fieldpaths are provided, only those fields will be updated.
+	Update(ctx context.Context, image Image, fieldpaths ...string) (Image, error)
+
+	Delete(ctx context.Context, name string, opts ...DeleteOpt) error
+}
+
+// TODO(stevvooe): Many of these functions make strong platform assumptions,
+// which are untrue in a lot of cases. More refactoring must be done here to
+// make this work in all cases.
+
+// Config resolves the image configuration descriptor.
+//
+// The caller can then use the descriptor to resolve and process the
+// configuration of the image.
+func (image *Image) Config(ctx context.Context, provider content.Provider, platform platforms.MatchComparer) (ocispec.Descriptor, error) {
+	return Config(ctx, provider, image.Target, platform)
+}
+
+// RootFS returns the unpacked diffids that make up and images rootfs.
+//
+// These are used to verify that a set of layers unpacked to the expected
+// values.
+func (image *Image) RootFS(ctx context.Context, provider content.Provider, platform platforms.MatchComparer) ([]digest.Digest, error) {
+	desc, err := image.Config(ctx, provider, platform)
+	if err != nil {
+		return nil, err
+	}
+	return RootFS(ctx, provider, desc)
+}
+
+// Size returns the total size of an image's packed resources.
+func (image *Image) Size(ctx context.Context, provider content.Provider, platform platforms.MatchComparer) (int64, error) {
+	var size int64
+	return size, Walk(ctx, Handlers(HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		if desc.Size < 0 {
+			return nil, fmt.Errorf("invalid size %v in %v (%v)", desc.Size, desc.Digest, desc.MediaType)
+		}
+		size += desc.Size
+		return nil, nil
+	}), LimitManifests(FilterPlatforms(ChildrenHandler(provider), platform), platform, 1)), image.Target)
+}
+
+type platformManifest struct {
+	p *ocispec.Platform
+	m *ocispec.Manifest
+}
+
+// Manifest resolves a manifest from the image for the given platform.
+//
+// When a manifest descriptor inside of a manifest index does not have
+// a platform defined, the platform from the image config is considered.
+//
+// If the descriptor points to a non-index manifest, then the manifest is
+// unmarshalled and returned without considering the platform inside of the
+// config.
+//
+// TODO(stevvooe): This violates the current platform agnostic approach to this
+// package by returning a specific manifest type. We'll need to refactor this
+// to return a manifest descriptor or decide that we want to bring the API in
+// this direction because this abstraction is not needed.
+func Manifest(ctx context.Context, provider content.Provider, image ocispec.Descriptor, platform platforms.MatchComparer) (ocispec.Manifest, error) {
+	var (
+		limit    = 1
+		m        []platformManifest
+		wasIndex bool
+	)
+
+	if err := Walk(ctx, HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		switch desc.MediaType {
+		case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+			p, err := content.ReadBlob(ctx, provider, desc)
+			if err != nil {
+				return nil, err
+			}
+
+			if err := validateMediaType(p, desc.MediaType); err != nil {
+				return nil, fmt.Errorf("manifest: invalid desc %s: %w", desc.Digest, err)
+			}
+
+			var manifest ocispec.Manifest
+			if err := json.Unmarshal(p, &manifest); err != nil {
+				return nil, err
+			}
+
+			if desc.Digest != image.Digest && platform != nil {
+				if desc.Platform != nil && !platform.Match(*desc.Platform) {
+					return nil, nil
+				}
+
+				if desc.Platform == nil {
+					p, err := content.ReadBlob(ctx, provider, manifest.Config)
+					if err != nil {
+						return nil, err
+					}
+
+					var image ocispec.Image
+					if err := json.Unmarshal(p, &image); err != nil {
+						return nil, err
+					}
+
+					if !platform.Match(platforms.Normalize(ocispec.Platform{OS: image.OS, Architecture: image.Architecture})) {
+						return nil, nil
+					}
+
+				}
+			}
+
+			m = append(m, platformManifest{
+				p: desc.Platform,
+				m: &manifest,
+			})
+
+			return nil, nil
+		case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
+			p, err := content.ReadBlob(ctx, provider, desc)
+			if err != nil {
+				return nil, err
+			}
+
+			if err := validateMediaType(p, desc.MediaType); err != nil {
+				return nil, fmt.Errorf("manifest: invalid desc %s: %w", desc.Digest, err)
+			}
+
+			var idx ocispec.Index
+			if err := json.Unmarshal(p, &idx); err != nil {
+				return nil, err
+			}
+
+			if platform == nil {
+				return idx.Manifests, nil
+			}
+
+			var descs []ocispec.Descriptor
+			for _, d := range idx.Manifests {
+				if d.Platform == nil || platform.Match(*d.Platform) {
+					descs = append(descs, d)
+				}
+			}
+
+			sort.SliceStable(descs, func(i, j int) bool {
+				if descs[i].Platform == nil {
+					return false
+				}
+				if descs[j].Platform == nil {
+					return true
+				}
+				return platform.Less(*descs[i].Platform, *descs[j].Platform)
+			})
+
+			wasIndex = true
+
+			if len(descs) > limit {
+				return descs[:limit], nil
+			}
+			return descs, nil
+		}
+		return nil, fmt.Errorf("unexpected media type %v for %v: %w", desc.MediaType, desc.Digest, errdefs.ErrNotFound)
+	}), image); err != nil {
+		return ocispec.Manifest{}, err
+	}
+
+	if len(m) == 0 {
+		err := fmt.Errorf("manifest %v: %w", image.Digest, errdefs.ErrNotFound)
+		if wasIndex {
+			err = fmt.Errorf("no match for platform in manifest %v: %w", image.Digest, errdefs.ErrNotFound)
+		}
+		return ocispec.Manifest{}, err
+	}
+	return *m[0].m, nil
+}
+
+// Config resolves the image configuration descriptor using a content provided
+// to resolve child resources on the image.
+//
+// The caller can then use the descriptor to resolve and process the
+// configuration of the image.
+func Config(ctx context.Context, provider content.Provider, image ocispec.Descriptor, platform platforms.MatchComparer) (ocispec.Descriptor, error) {
+	manifest, err := Manifest(ctx, provider, image, platform)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	return manifest.Config, err
+}
+
+// Platforms returns one or more platforms supported by the image.
+func Platforms(ctx context.Context, provider content.Provider, image ocispec.Descriptor) ([]ocispec.Platform, error) {
+	var platformSpecs []ocispec.Platform
+	return platformSpecs, Walk(ctx, Handlers(HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		if desc.Platform != nil {
+			if desc.Platform.OS == "unknown" || desc.Platform.Architecture == "unknown" {
+				return nil, ErrSkipDesc
+			}
+			platformSpecs = append(platformSpecs, *desc.Platform)
+			return nil, ErrSkipDesc
+		}
+
+		switch desc.MediaType {
+		case MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
+			p, err := content.ReadBlob(ctx, provider, desc)
+			if err != nil {
+				return nil, err
+			}
+
+			var image ocispec.Image
+			if err := json.Unmarshal(p, &image); err != nil {
+				return nil, err
+			}
+
+			platformSpecs = append(platformSpecs,
+				platforms.Normalize(ocispec.Platform{OS: image.OS, Architecture: image.Architecture}))
+		}
+		return nil, nil
+	}), ChildrenHandler(provider)), image)
+}
+
+// Check returns nil if the all components of an image are available in the
+// provider for the specified platform.
+//
+// If available is true, the caller can assume that required represents the
+// complete set of content required for the image.
+//
+// missing will have the components that are part of required but not available
+// in the provider.
+//
+// If there is a problem resolving content, an error will be returned.
+func Check(ctx context.Context, provider content.Provider, image ocispec.Descriptor, platform platforms.MatchComparer) (available bool, required, present, missing []ocispec.Descriptor, err error) {
+	mfst, err := Manifest(ctx, provider, image, platform)
+	if err != nil {
+		if errdefs.IsNotFound(err) {
+			return false, []ocispec.Descriptor{image}, nil, []ocispec.Descriptor{image}, nil
+		}
+
+		return false, nil, nil, nil, fmt.Errorf("failed to check image %v: %w", image.Digest, err)
+	}
+
+	// TODO(stevvooe): It is possible that referenced components could have
+	// children, but this is rare. For now, we ignore this and only verify
+	// that manifest components are present.
+	required = append([]ocispec.Descriptor{mfst.Config}, mfst.Layers...)
+
+	for _, desc := range required {
+		ra, err := provider.ReaderAt(ctx, desc)
+		if err != nil {
+			if errdefs.IsNotFound(err) {
+				missing = append(missing, desc)
+				continue
+			} else {
+				return false, nil, nil, nil, fmt.Errorf("failed to check image %v: %w", desc.Digest, err)
+			}
+		}
+		ra.Close()
+		present = append(present, desc)
+
+	}
+
+	return true, required, present, missing, nil
+}
+
+// Children returns the immediate children of content described by the descriptor.
+func Children(ctx context.Context, provider content.Provider, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+	var descs []ocispec.Descriptor
+	switch desc.MediaType {
+	case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+		p, err := content.ReadBlob(ctx, provider, desc)
+		if err != nil {
+			return nil, err
+		}
+
+		if err := validateMediaType(p, desc.MediaType); err != nil {
+			return nil, fmt.Errorf("children: invalid desc %s: %w", desc.Digest, err)
+		}
+
+		// TODO(stevvooe): We just assume oci manifest, for now. There may be
+		// subtle differences from the docker version.
+		var manifest ocispec.Manifest
+		if err := json.Unmarshal(p, &manifest); err != nil {
+			return nil, err
+		}
+
+		descs = append(descs, manifest.Config)
+		descs = append(descs, manifest.Layers...)
+	case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
+		p, err := content.ReadBlob(ctx, provider, desc)
+		if err != nil {
+			return nil, err
+		}
+
+		if err := validateMediaType(p, desc.MediaType); err != nil {
+			return nil, fmt.Errorf("children: invalid desc %s: %w", desc.Digest, err)
+		}
+
+		var index ocispec.Index
+		if err := json.Unmarshal(p, &index); err != nil {
+			return nil, err
+		}
+
+		descs = append(descs, index.Manifests...)
+	default:
+		if IsLayerType(desc.MediaType) || IsKnownConfig(desc.MediaType) || IsAttestationType(desc.MediaType) {
+			// childless data types.
+			return nil, nil
+		}
+		log.G(ctx).Debugf("encountered unknown type %v; children may not be fetched", desc.MediaType)
+	}
+
+	return descs, nil
+}
+
+// unknownDocument represents a manifest, manifest list, or index that has not
+// yet been validated.
+type unknownDocument struct {
+	MediaType string          `json:"mediaType,omitempty"`
+	Config    json.RawMessage `json:"config,omitempty"`
+	Layers    json.RawMessage `json:"layers,omitempty"`
+	Manifests json.RawMessage `json:"manifests,omitempty"`
+	FSLayers  json.RawMessage `json:"fsLayers,omitempty"` // schema 1
+}
+
+// validateMediaType returns an error if the byte slice is invalid JSON or if
+// the media type identifies the blob as one format but it contains elements of
+// another format.
+func validateMediaType(b []byte, mt string) error {
+	var doc unknownDocument
+	if err := json.Unmarshal(b, &doc); err != nil {
+		return err
+	}
+	if len(doc.FSLayers) != 0 {
+		return fmt.Errorf("media-type: schema 1 not supported")
+	}
+	switch mt {
+	case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+		if len(doc.Manifests) != 0 ||
+			doc.MediaType == MediaTypeDockerSchema2ManifestList ||
+			doc.MediaType == ocispec.MediaTypeImageIndex {
+			return fmt.Errorf("media-type: expected manifest but found index (%s)", mt)
+		}
+	case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
+		if len(doc.Config) != 0 || len(doc.Layers) != 0 ||
+			doc.MediaType == MediaTypeDockerSchema2Manifest ||
+			doc.MediaType == ocispec.MediaTypeImageManifest {
+			return fmt.Errorf("media-type: expected index but found manifest (%s)", mt)
+		}
+	}
+	return nil
+}
+
+// RootFS returns the unpacked diffids that make up and images rootfs.
+//
+// These are used to verify that a set of layers unpacked to the expected
+// values.
+func RootFS(ctx context.Context, provider content.Provider, configDesc ocispec.Descriptor) ([]digest.Digest, error) {
+	p, err := content.ReadBlob(ctx, provider, configDesc)
+	if err != nil {
+		return nil, err
+	}
+
+	var config ocispec.Image
+	if err := json.Unmarshal(p, &config); err != nil {
+		return nil, err
+	}
+	return config.RootFS.DiffIDs, nil
+}
diff --git a/vendor/github.com/containerd/containerd/images/importexport.go b/vendor/github.com/containerd/containerd/images/importexport.go
new file mode 100644
index 0000000000..843adcadc7
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/images/importexport.go
@@ -0,0 +1,37 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package images
+
+import (
+	"context"
+	"io"
+
+	"github.com/containerd/containerd/content"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Importer is the interface for image importer.
+type Importer interface {
+	// Import imports an image from a tar stream.
+	Import(ctx context.Context, store content.Store, reader io.Reader) (ocispec.Descriptor, error)
+}
+
+// Exporter is the interface for image exporter.
+type Exporter interface {
+	// Export exports an image to a tar stream.
+	Export(ctx context.Context, store content.Provider, desc ocispec.Descriptor, writer io.Writer) error
+}
diff --git a/vendor/github.com/containerd/containerd/images/labels.go b/vendor/github.com/containerd/containerd/images/labels.go
new file mode 100644
index 0000000000..06dfed572d
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/images/labels.go
@@ -0,0 +1,21 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package images
+
+const (
+	ConvertedDockerSchema1LabelKey = "io.containerd.image/converted-docker-schema1"
+)
diff --git a/vendor/github.com/containerd/containerd/images/mediatypes.go b/vendor/github.com/containerd/containerd/images/mediatypes.go
new file mode 100644
index 0000000000..49d2a5b1c5
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/images/mediatypes.go
@@ -0,0 +1,228 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package images
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/containerd/containerd/errdefs"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// mediatype definitions for image components handled in containerd.
+//
+// oci components are generally referenced directly, although we may centralize
+// here for clarity.
+const (
+	MediaTypeDockerSchema2Layer            = "application/vnd.docker.image.rootfs.diff.tar"
+	MediaTypeDockerSchema2LayerForeign     = "application/vnd.docker.image.rootfs.foreign.diff.tar"
+	MediaTypeDockerSchema2LayerGzip        = "application/vnd.docker.image.rootfs.diff.tar.gzip"
+	MediaTypeDockerSchema2LayerForeignGzip = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
+	MediaTypeDockerSchema2Config           = "application/vnd.docker.container.image.v1+json"
+	MediaTypeDockerSchema2Manifest         = "application/vnd.docker.distribution.manifest.v2+json"
+	MediaTypeDockerSchema2ManifestList     = "application/vnd.docker.distribution.manifest.list.v2+json"
+
+	// Checkpoint/Restore Media Types
+
+	MediaTypeContainerd1Checkpoint               = "application/vnd.containerd.container.criu.checkpoint.criu.tar"
+	MediaTypeContainerd1CheckpointPreDump        = "application/vnd.containerd.container.criu.checkpoint.predump.tar"
+	MediaTypeContainerd1Resource                 = "application/vnd.containerd.container.resource.tar"
+	MediaTypeContainerd1RW                       = "application/vnd.containerd.container.rw.tar"
+	MediaTypeContainerd1CheckpointConfig         = "application/vnd.containerd.container.checkpoint.config.v1+proto"
+	MediaTypeContainerd1CheckpointOptions        = "application/vnd.containerd.container.checkpoint.options.v1+proto"
+	MediaTypeContainerd1CheckpointRuntimeName    = "application/vnd.containerd.container.checkpoint.runtime.name"
+	MediaTypeContainerd1CheckpointRuntimeOptions = "application/vnd.containerd.container.checkpoint.runtime.options+proto"
+
+	// MediaTypeDockerSchema1Manifest is the legacy Docker schema1 manifest
+	MediaTypeDockerSchema1Manifest = "application/vnd.docker.distribution.manifest.v1+prettyjws"
+
+	// Encrypted media types
+
+	MediaTypeImageLayerEncrypted     = ocispec.MediaTypeImageLayer + "+encrypted"
+	MediaTypeImageLayerGzipEncrypted = ocispec.MediaTypeImageLayerGzip + "+encrypted"
+
+	// In-toto attestation
+	MediaTypeInToto = "application/vnd.in-toto+json"
+)
+
+// DiffCompression returns the compression as defined by the layer diff media
+// type. For Docker media types without compression, "unknown" is returned to
+// indicate that the media type may be compressed. If the media type is not
+// recognized as a layer diff, then it returns errdefs.ErrNotImplemented
+func DiffCompression(ctx context.Context, mediaType string) (string, error) {
+	base, ext := parseMediaTypes(mediaType)
+	switch base {
+	case MediaTypeDockerSchema2Layer, MediaTypeDockerSchema2LayerForeign:
+		if len(ext) > 0 {
+			// Type is wrapped
+			return "", nil
+		}
+		// These media types may have been compressed but failed to
+		// use the correct media type. The decompression function
+		// should detect and handle this case.
+		return "unknown", nil
+	case MediaTypeDockerSchema2LayerGzip, MediaTypeDockerSchema2LayerForeignGzip:
+		if len(ext) > 0 {
+			// Type is wrapped
+			return "", nil
+		}
+		return "gzip", nil
+	case ocispec.MediaTypeImageLayer, ocispec.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // Non-distributable layers are deprecated
+		if len(ext) > 0 {
+			switch ext[len(ext)-1] {
+			case "gzip":
+				return "gzip", nil
+			case "zstd":
+				return "zstd", nil
+			}
+		}
+		return "", nil
+	default:
+		return "", fmt.Errorf("unrecognised mediatype %s: %w", mediaType, errdefs.ErrNotImplemented)
+	}
+}
+
+// parseMediaTypes splits the media type into the base type and
+// an array of sorted extensions
+func parseMediaTypes(mt string) (mediaType string, suffixes []string) {
+	if mt == "" {
+		return "", []string{}
+	}
+	mediaType, ext, ok := strings.Cut(mt, "+")
+	if !ok {
+		return mediaType, []string{}
+	}
+
+	// Splitting the extensions following the mediatype "(+)gzip+encrypted".
+	// We expect this to be a limited list, so add an arbitrary limit (50).
+	//
+	// Note that DiffCompression is only using the last element, so perhaps we
+	// should split on the last "+" only.
+	suffixes = strings.SplitN(ext, "+", 50)
+	sort.Strings(suffixes)
+	return mediaType, suffixes
+}
+
+// IsNonDistributable returns true if the media type is non-distributable.
+func IsNonDistributable(mt string) bool {
+	return strings.HasPrefix(mt, "application/vnd.oci.image.layer.nondistributable.") ||
+		strings.HasPrefix(mt, "application/vnd.docker.image.rootfs.foreign.")
+}
+
+// IsLayerType returns true if the media type is a layer
+func IsLayerType(mt string) bool {
+	if strings.HasPrefix(mt, "application/vnd.oci.image.layer.") {
+		return true
+	}
+
+	// Parse Docker media types, strip off any + suffixes first
+	switch base, _ := parseMediaTypes(mt); base {
+	case MediaTypeDockerSchema2Layer, MediaTypeDockerSchema2LayerGzip,
+		MediaTypeDockerSchema2LayerForeign, MediaTypeDockerSchema2LayerForeignGzip:
+		return true
+	}
+	return false
+}
+
+// IsDockerType returns true if the media type has "application/vnd.docker." prefix
+func IsDockerType(mt string) bool {
+	return strings.HasPrefix(mt, "application/vnd.docker.")
+}
+
+// IsManifestType returns true if the media type is an OCI-compatible manifest.
+// No support for schema1 manifest.
+func IsManifestType(mt string) bool {
+	switch mt {
+	case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+		return true
+	default:
+		return false
+	}
+}
+
+// IsIndexType returns true if the media type is an OCI-compatible index.
+func IsIndexType(mt string) bool {
+	switch mt {
+	case ocispec.MediaTypeImageIndex, MediaTypeDockerSchema2ManifestList:
+		return true
+	default:
+		return false
+	}
+}
+
+// IsConfigType returns true if the media type is an OCI-compatible image config.
+// No support for containerd checkpoint configs.
+func IsConfigType(mt string) bool {
+	switch mt {
+	case MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
+		return true
+	default:
+		return false
+	}
+}
+
+// IsKnownConfig returns true if the media type is a known config type,
+// including containerd checkpoint configs
+func IsKnownConfig(mt string) bool {
+	switch mt {
+	case MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig,
+		MediaTypeContainerd1Checkpoint, MediaTypeContainerd1CheckpointConfig:
+		return true
+	}
+	return false
+}
+
+// IsAttestationType returns true if the media type is an attestation type
+func IsAttestationType(mt string) bool {
+	switch mt {
+	case MediaTypeInToto:
+		return true
+	default:
+		return false
+	}
+}
+
+// ChildGCLabels returns the label for a given descriptor to reference it
+func ChildGCLabels(desc ocispec.Descriptor) []string {
+	mt := desc.MediaType
+	if IsKnownConfig(mt) {
+		return []string{"containerd.io/gc.ref.content.config"}
+	}
+
+	switch mt {
+	case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+		return []string{"containerd.io/gc.ref.content.m."}
+	}
+
+	if IsLayerType(mt) {
+		return []string{"containerd.io/gc.ref.content.l."}
+	}
+
+	return []string{"containerd.io/gc.ref.content."}
+}
+
+// ChildGCLabelsFilterLayers returns the labels for a given descriptor to
+// reference it, skipping layer media types
+func ChildGCLabelsFilterLayers(desc ocispec.Descriptor) []string {
+	if IsLayerType(desc.MediaType) {
+		return nil
+	}
+	return ChildGCLabels(desc)
+}
diff --git a/vendor/github.com/containerd/containerd/labels/labels.go b/vendor/github.com/containerd/containerd/labels/labels.go
new file mode 100644
index 0000000000..0f9bab5c5d
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/labels/labels.go
@@ -0,0 +1,29 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package labels
+
+// LabelUncompressed is added to compressed layer contents.
+// The value is digest of the uncompressed content.
+const LabelUncompressed = "containerd.io/uncompressed"
+
+// LabelSharedNamespace is added to a namespace to allow that namespaces
+// contents to be shared.
+const LabelSharedNamespace = "containerd.io/namespace.shareable"
+
+// LabelDistributionSource is added to content to indicate its origin.
+// e.g., "containerd.io/distribution.source.docker.io=library/redis"
+const LabelDistributionSource = "containerd.io/distribution.source"
diff --git a/vendor/github.com/containerd/containerd/labels/validate.go b/vendor/github.com/containerd/containerd/labels/validate.go
new file mode 100644
index 0000000000..f83b5dde29
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/labels/validate.go
@@ -0,0 +1,41 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package labels
+
+import (
+	"fmt"
+
+	"github.com/containerd/containerd/errdefs"
+)
+
+const (
+	maxSize = 4096
+	// maximum length of key portion of error message if len of key + len of value > maxSize
+	keyMaxLen = 64
+)
+
+// Validate a label's key and value are under 4096 bytes
+func Validate(k, v string) error {
+	total := len(k) + len(v)
+	if total > maxSize {
+		if len(k) > keyMaxLen {
+			k = k[:keyMaxLen]
+		}
+		return fmt.Errorf("label key and value length (%d bytes) greater than maximum size (%d bytes), key: %s: %w", total, maxSize, k, errdefs.ErrInvalidArgument)
+	}
+	return nil
+}
diff --git a/vendor/github.com/containerd/containerd/pkg/randutil/randutil.go b/vendor/github.com/containerd/containerd/pkg/randutil/randutil.go
new file mode 100644
index 0000000000..f4b657d7dd
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/pkg/randutil/randutil.go
@@ -0,0 +1,48 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package randutil provides utilities for [cyrpto/rand].
+package randutil
+
+import (
+	"crypto/rand"
+	"math"
+	"math/big"
+)
+
+// Int63n is similar to [math/rand.Int63n] but uses [crypto/rand.Reader] under the hood.
+func Int63n(n int64) int64 {
+	b, err := rand.Int(rand.Reader, big.NewInt(n))
+	if err != nil {
+		panic(err)
+	}
+	return b.Int64()
+}
+
+// Int63 is similar to [math/rand.Int63] but uses [crypto/rand.Reader] under the hood.
+func Int63() int64 {
+	return Int63n(math.MaxInt64)
+}
+
+// Intn is similar to [math/rand.Intn] but uses [crypto/rand.Reader] under the hood.
+func Intn(n int) int {
+	return int(Int63n(int64(n)))
+}
+
+// Int is similar to [math/rand.Int] but uses [crypto/rand.Reader] under the hood.
+func Int() int {
+	return int(Int63())
+}
diff --git a/vendor/github.com/containerd/containerd/remotes/handlers.go b/vendor/github.com/containerd/containerd/remotes/handlers.go
new file mode 100644
index 0000000000..14af02769c
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/remotes/handlers.go
@@ -0,0 +1,416 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package remotes
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+	"sync"
+
+	"github.com/containerd/log"
+	"github.com/containerd/platforms"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/sync/semaphore"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/labels"
+)
+
+type refKeyPrefix struct{}
+
+// WithMediaTypeKeyPrefix adds a custom key prefix for a media type which is used when storing
+// data in the content store from the FetchHandler.
+//
+// Used in `MakeRefKey` to determine what the key prefix should be.
+func WithMediaTypeKeyPrefix(ctx context.Context, mediaType, prefix string) context.Context {
+	var values map[string]string
+	if v := ctx.Value(refKeyPrefix{}); v != nil {
+		values = v.(map[string]string)
+	} else {
+		values = make(map[string]string)
+	}
+
+	values[mediaType] = prefix
+	return context.WithValue(ctx, refKeyPrefix{}, values)
+}
+
+// MakeRefKey returns a unique reference for the descriptor. This reference can be
+// used to lookup ongoing processes related to the descriptor. This function
+// may look to the context to namespace the reference appropriately.
+func MakeRefKey(ctx context.Context, desc ocispec.Descriptor) string {
+	key := desc.Digest.String()
+	if desc.Annotations != nil {
+		if name, ok := desc.Annotations[ocispec.AnnotationRefName]; ok {
+			key = fmt.Sprintf("%s@%s", name, desc.Digest.String())
+		}
+	}
+
+	if v := ctx.Value(refKeyPrefix{}); v != nil {
+		values := v.(map[string]string)
+		if prefix := values[desc.MediaType]; prefix != "" {
+			return prefix + "-" + key
+		}
+	}
+
+	switch mt := desc.MediaType; {
+	case mt == images.MediaTypeDockerSchema2Manifest || mt == ocispec.MediaTypeImageManifest:
+		return "manifest-" + key
+	case mt == images.MediaTypeDockerSchema2ManifestList || mt == ocispec.MediaTypeImageIndex:
+		return "index-" + key
+	case images.IsLayerType(mt):
+		return "layer-" + key
+	case images.IsKnownConfig(mt):
+		return "config-" + key
+	case images.IsAttestationType(desc.MediaType):
+		return "attestation-" + key
+	default:
+		log.G(ctx).Warnf("reference for unknown type: %s", mt)
+		return "unknown-" + key
+	}
+}
+
+// FetchHandler returns a handler that will fetch all content into the ingester
+// discovered in a call to Dispatch. Use with ChildrenHandler to do a full
+// recursive fetch.
+func FetchHandler(ingester content.Ingester, fetcher Fetcher) images.HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error) {
+		ctx = log.WithLogger(ctx, log.G(ctx).WithFields(log.Fields{
+			"digest":    desc.Digest,
+			"mediatype": desc.MediaType,
+			"size":      desc.Size,
+		}))
+
+		switch desc.MediaType {
+		case images.MediaTypeDockerSchema1Manifest:
+			return nil, fmt.Errorf("%v not supported", desc.MediaType)
+		default:
+			err := Fetch(ctx, ingester, fetcher, desc)
+			if errdefs.IsAlreadyExists(err) {
+				return nil, nil
+			}
+			return nil, err
+		}
+	}
+}
+
+// Fetch fetches the given digest into the provided ingester
+func Fetch(ctx context.Context, ingester content.Ingester, fetcher Fetcher, desc ocispec.Descriptor) error {
+	log.G(ctx).Debug("fetch")
+
+	cw, err := content.OpenWriter(ctx, ingester, content.WithRef(MakeRefKey(ctx, desc)), content.WithDescriptor(desc))
+	if err != nil {
+		return err
+	}
+	defer cw.Close()
+
+	ws, err := cw.Status()
+	if err != nil {
+		return err
+	}
+
+	if desc.Size == 0 {
+		// most likely a poorly configured registry/web front end which responded with no
+		// Content-Length header; unable (not to mention useless) to commit a 0-length entry
+		// into the content store. Error out here otherwise the error sent back is confusing
+		return fmt.Errorf("unable to fetch descriptor (%s) which reports content size of zero: %w", desc.Digest, errdefs.ErrInvalidArgument)
+	}
+	if ws.Offset == desc.Size {
+		// If writer is already complete, commit and return
+		err := cw.Commit(ctx, desc.Size, desc.Digest)
+		if err != nil && !errdefs.IsAlreadyExists(err) {
+			return fmt.Errorf("failed commit on ref %q: %w", ws.Ref, err)
+		}
+		return err
+	}
+
+	if desc.Size == int64(len(desc.Data)) {
+		return content.Copy(ctx, cw, bytes.NewReader(desc.Data), desc.Size, desc.Digest)
+	}
+
+	rc, err := fetcher.Fetch(ctx, desc)
+	if err != nil {
+		return err
+	}
+	defer rc.Close()
+
+	return content.Copy(ctx, cw, rc, desc.Size, desc.Digest)
+}
+
+// PushHandler returns a handler that will push all content from the provider
+// using a writer from the pusher.
+func PushHandler(pusher Pusher, provider content.Provider) images.HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		ctx = log.WithLogger(ctx, log.G(ctx).WithFields(log.Fields{
+			"digest":    desc.Digest,
+			"mediatype": desc.MediaType,
+			"size":      desc.Size,
+		}))
+
+		err := push(ctx, provider, pusher, desc)
+		return nil, err
+	}
+}
+
+func push(ctx context.Context, provider content.Provider, pusher Pusher, desc ocispec.Descriptor) error {
+	log.G(ctx).Debug("push")
+
+	var (
+		cw  content.Writer
+		err error
+	)
+	if cs, ok := pusher.(content.Ingester); ok {
+		cw, err = content.OpenWriter(ctx, cs, content.WithRef(MakeRefKey(ctx, desc)), content.WithDescriptor(desc))
+	} else {
+		cw, err = pusher.Push(ctx, desc)
+	}
+	if err != nil {
+		if !errdefs.IsAlreadyExists(err) {
+			return err
+		}
+
+		return nil
+	}
+	defer cw.Close()
+
+	ra, err := provider.ReaderAt(ctx, desc)
+	if err != nil {
+		return err
+	}
+	defer ra.Close()
+
+	rd := io.NewSectionReader(ra, 0, desc.Size)
+	return content.Copy(ctx, cw, rd, desc.Size, desc.Digest)
+}
+
+// PushContent pushes content specified by the descriptor from the provider.
+//
+// Base handlers can be provided which will be called before any push specific
+// handlers.
+//
+// If the passed in content.Provider is also a content.InfoProvider (such as
+// content.Manager) then this will also annotate the distribution sources using
+// labels prefixed with "containerd.io/distribution.source".
+func PushContent(ctx context.Context, pusher Pusher, desc ocispec.Descriptor, store content.Provider, limiter *semaphore.Weighted, platform platforms.MatchComparer, wrapper func(h images.Handler) images.Handler) error {
+
+	var m sync.Mutex
+	manifests := []ocispec.Descriptor{}
+	indexStack := []ocispec.Descriptor{}
+
+	filterHandler := images.HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		switch desc.MediaType {
+		case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+			m.Lock()
+			manifests = append(manifests, desc)
+			m.Unlock()
+			return nil, images.ErrStopHandler
+		case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
+			m.Lock()
+			indexStack = append(indexStack, desc)
+			m.Unlock()
+			return nil, images.ErrStopHandler
+		default:
+			return nil, nil
+		}
+	})
+
+	pushHandler := PushHandler(pusher, store)
+
+	platformFilterhandler := images.FilterPlatforms(images.ChildrenHandler(store), platform)
+
+	var handler images.Handler
+	if m, ok := store.(content.InfoProvider); ok {
+		annotateHandler := annotateDistributionSourceHandler(platformFilterhandler, m)
+		handler = images.Handlers(annotateHandler, filterHandler, pushHandler)
+	} else {
+		handler = images.Handlers(platformFilterhandler, filterHandler, pushHandler)
+	}
+
+	if wrapper != nil {
+		handler = wrapper(handler)
+	}
+
+	if err := images.Dispatch(ctx, handler, limiter, desc); err != nil {
+		return err
+	}
+
+	if err := images.Dispatch(ctx, pushHandler, limiter, manifests...); err != nil {
+		return err
+	}
+
+	// Iterate in reverse order as seen, parent always uploaded after child
+	for i := len(indexStack) - 1; i >= 0; i-- {
+		err := images.Dispatch(ctx, pushHandler, limiter, indexStack[i])
+		if err != nil {
+			// TODO(estesp): until we have a more complete method for index push, we need to report
+			// missing dependencies in an index/manifest list by sensing the "400 Bad Request"
+			// as a marker for this problem
+			if errors.Unwrap(err) != nil && strings.Contains(errors.Unwrap(err).Error(), "400 Bad Request") {
+				return fmt.Errorf("manifest list/index references to blobs and/or manifests are missing in your target registry: %w", err)
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+// SkipNonDistributableBlobs returns a handler that skips blobs that have a media type that is "non-distributeable".
+// An example of this kind of content would be a Windows base layer, which is not supposed to be redistributed.
+//
+// This is based on the media type of the content:
+//   - application/vnd.oci.image.layer.nondistributable
+//   - application/vnd.docker.image.rootfs.foreign
+func SkipNonDistributableBlobs(f images.HandlerFunc) images.HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		if images.IsNonDistributable(desc.MediaType) {
+			log.G(ctx).WithField("digest", desc.Digest).WithField("mediatype", desc.MediaType).Debug("Skipping non-distributable blob")
+			return nil, images.ErrSkipDesc
+		}
+
+		if images.IsLayerType(desc.MediaType) {
+			return nil, nil
+		}
+
+		children, err := f(ctx, desc)
+		if err != nil {
+			return nil, err
+		}
+		if len(children) == 0 {
+			return nil, nil
+		}
+
+		out := make([]ocispec.Descriptor, 0, len(children))
+		for _, child := range children {
+			if !images.IsNonDistributable(child.MediaType) {
+				out = append(out, child)
+			} else {
+				log.G(ctx).WithField("digest", child.Digest).WithField("mediatype", child.MediaType).Debug("Skipping non-distributable blob")
+			}
+		}
+		return out, nil
+	}
+}
+
+// FilterManifestByPlatformHandler allows Handler to handle non-target
+// platform's manifest and configuration data.
+func FilterManifestByPlatformHandler(f images.HandlerFunc, m platforms.Matcher) images.HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		children, err := f(ctx, desc)
+		if err != nil {
+			return nil, err
+		}
+
+		// no platform information
+		if desc.Platform == nil || m == nil {
+			return children, nil
+		}
+
+		var descs []ocispec.Descriptor
+		switch desc.MediaType {
+		case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
+			if m.Match(*desc.Platform) {
+				descs = children
+			} else {
+				for _, child := range children {
+					if child.MediaType == images.MediaTypeDockerSchema2Config ||
+						child.MediaType == ocispec.MediaTypeImageConfig {
+
+						descs = append(descs, child)
+					}
+				}
+			}
+		default:
+			descs = children
+		}
+		return descs, nil
+	}
+}
+
+// annotateDistributionSourceHandler add distribution source label into
+// annotation of config or blob descriptor.
+func annotateDistributionSourceHandler(f images.HandlerFunc, provider content.InfoProvider) images.HandlerFunc {
+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		children, err := f(ctx, desc)
+		if err != nil {
+			return nil, err
+		}
+
+		// Distribution source is only used for config or blob but may be inherited from
+		// a manifest or manifest list
+		switch desc.MediaType {
+		case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest,
+			images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
+		default:
+			return children, nil
+		}
+
+		parentSourceAnnotations := desc.Annotations
+		var parentLabels map[string]string
+		if pi, err := provider.Info(ctx, desc.Digest); err != nil {
+			if !errdefs.IsNotFound(err) {
+				return nil, err
+			}
+		} else {
+			parentLabels = pi.Labels
+		}
+
+		for i := range children {
+			child := children[i]
+
+			info, err := provider.Info(ctx, child.Digest)
+			if err != nil {
+				if !errdefs.IsNotFound(err) {
+					return nil, err
+				}
+			}
+			copyDistributionSourceLabels(info.Labels, &child)
+
+			// Annotate with parent labels for cross repo mount or fetch.
+			// Parent sources may apply to all children since most registries
+			// enforce that children exist before the manifests.
+			copyDistributionSourceLabels(parentSourceAnnotations, &child)
+			copyDistributionSourceLabels(parentLabels, &child)
+
+			children[i] = child
+		}
+		return children, nil
+	}
+}
+
+func copyDistributionSourceLabels(from map[string]string, to *ocispec.Descriptor) {
+	for k, v := range from {
+		if !strings.HasPrefix(k, labels.LabelDistributionSource+".") {
+			continue
+		}
+
+		if to.Annotations == nil {
+			to.Annotations = make(map[string]string)
+		} else {
+			// Only propagate the parent label if the child doesn't already have it.
+			if _, has := to.Annotations[k]; has {
+				continue
+			}
+		}
+		to.Annotations[k] = v
+	}
+}
diff --git a/vendor/github.com/containerd/containerd/remotes/resolver.go b/vendor/github.com/containerd/containerd/remotes/resolver.go
new file mode 100644
index 0000000000..f200c84bc7
--- /dev/null
+++ b/vendor/github.com/containerd/containerd/remotes/resolver.go
@@ -0,0 +1,94 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package remotes
+
+import (
+	"context"
+	"io"
+
+	"github.com/containerd/containerd/content"
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Resolver provides remotes based on a locator.
+type Resolver interface {
+	// Resolve attempts to resolve the reference into a name and descriptor.
+	//
+	// The argument `ref` should be a scheme-less URI representing the remote.
+	// Structurally, it has a host and path. The "host" can be used to directly
+	// reference a specific host or be matched against a specific handler.
+	//
+	// The returned name should be used to identify the referenced entity.
+	// Depending on the remote namespace, this may be immutable or mutable.
+	// While the name may differ from ref, it should itself be a valid ref.
+	//
+	// If the resolution fails, an error will be returned.
+	Resolve(ctx context.Context, ref string) (name string, desc ocispec.Descriptor, err error)
+
+	// Fetcher returns a new fetcher for the provided reference.
+	// All content fetched from the returned fetcher will be
+	// from the namespace referred to by ref.
+	Fetcher(ctx context.Context, ref string) (Fetcher, error)
+
+	// Pusher returns a new pusher for the provided reference
+	// The returned Pusher should satisfy content.Ingester and concurrent attempts
+	// to push the same blob using the Ingester API should result in ErrUnavailable.
+	Pusher(ctx context.Context, ref string) (Pusher, error)
+}
+
+// Fetcher fetches content.
+// A fetcher implementation may implement the FetcherByDigest interface too.
+type Fetcher interface {
+	// Fetch the resource identified by the descriptor.
+	Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error)
+}
+
+// FetcherByDigest fetches content by the digest.
+type FetcherByDigest interface {
+	// FetchByDigest fetches the resource identified by the digest.
+	//
+	// FetcherByDigest usually returns an incomplete descriptor.
+	// Typically, the media type is always set to "application/octet-stream",
+	// and the annotations are unset.
+	FetchByDigest(ctx context.Context, dgst digest.Digest) (io.ReadCloser, ocispec.Descriptor, error)
+}
+
+// Pusher pushes content
+type Pusher interface {
+	// Push returns a content writer for the given resource identified
+	// by the descriptor.
+	Push(ctx context.Context, d ocispec.Descriptor) (content.Writer, error)
+}
+
+// FetcherFunc allows package users to implement a Fetcher with just a
+// function.
+type FetcherFunc func(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error)
+
+// Fetch content
+func (fn FetcherFunc) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error) {
+	return fn(ctx, desc)
+}
+
+// PusherFunc allows package users to implement a Pusher with just a
+// function.
+type PusherFunc func(ctx context.Context, desc ocispec.Descriptor) (content.Writer, error)
+
+// Push content
+func (fn PusherFunc) Push(ctx context.Context, desc ocispec.Descriptor) (content.Writer, error) {
+	return fn(ctx, desc)
+}
diff --git a/vendor/github.com/containerd/errdefs/LICENSE b/vendor/github.com/containerd/errdefs/LICENSE
new file mode 100644
index 0000000000..584149b6ee
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright The containerd Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/containerd/errdefs/README.md b/vendor/github.com/containerd/errdefs/README.md
new file mode 100644
index 0000000000..bd418c63f9
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/README.md
@@ -0,0 +1,13 @@
+# errdefs
+
+A Go package for defining and checking common containerd errors.
+
+## Project details
+
+**errdefs** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.
diff --git a/vendor/github.com/containerd/errdefs/errors.go b/vendor/github.com/containerd/errdefs/errors.go
new file mode 100644
index 0000000000..f654d19649
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/errors.go
@@ -0,0 +1,443 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package errdefs defines the common errors used throughout containerd
+// packages.
+//
+// Use with fmt.Errorf to add context to an error.
+//
+// To detect an error class, use the IsXXX functions to tell whether an error
+// is of a certain type.
+package errdefs
+
+import (
+	"context"
+	"errors"
+)
+
+// Definitions of common error types used throughout containerd. All containerd
+// errors returned by most packages will map into one of these errors classes.
+// Packages should return errors of these types when they want to instruct a
+// client to take a particular action.
+//
+// These errors map closely to grpc errors.
+var (
+	ErrUnknown            = errUnknown{}
+	ErrInvalidArgument    = errInvalidArgument{}
+	ErrNotFound           = errNotFound{}
+	ErrAlreadyExists      = errAlreadyExists{}
+	ErrPermissionDenied   = errPermissionDenied{}
+	ErrResourceExhausted  = errResourceExhausted{}
+	ErrFailedPrecondition = errFailedPrecondition{}
+	ErrConflict           = errConflict{}
+	ErrNotModified        = errNotModified{}
+	ErrAborted            = errAborted{}
+	ErrOutOfRange         = errOutOfRange{}
+	ErrNotImplemented     = errNotImplemented{}
+	ErrInternal           = errInternal{}
+	ErrUnavailable        = errUnavailable{}
+	ErrDataLoss           = errDataLoss{}
+	ErrUnauthenticated    = errUnauthorized{}
+)
+
+// cancelled maps to Moby's "ErrCancelled"
+type cancelled interface {
+	Cancelled()
+}
+
+// IsCanceled returns true if the error is due to `context.Canceled`.
+func IsCanceled(err error) bool {
+	return errors.Is(err, context.Canceled) || isInterface[cancelled](err)
+}
+
+type errUnknown struct{}
+
+func (errUnknown) Error() string { return "unknown" }
+
+func (errUnknown) Unknown() {}
+
+func (e errUnknown) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// unknown maps to Moby's "ErrUnknown"
+type unknown interface {
+	Unknown()
+}
+
+// IsUnknown returns true if the error is due to an unknown error,
+// unhandled condition or unexpected response.
+func IsUnknown(err error) bool {
+	return errors.Is(err, errUnknown{}) || isInterface[unknown](err)
+}
+
+type errInvalidArgument struct{}
+
+func (errInvalidArgument) Error() string { return "invalid argument" }
+
+func (errInvalidArgument) InvalidParameter() {}
+
+func (e errInvalidArgument) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// invalidParameter maps to Moby's "ErrInvalidParameter"
+type invalidParameter interface {
+	InvalidParameter()
+}
+
+// IsInvalidArgument returns true if the error is due to an invalid argument
+func IsInvalidArgument(err error) bool {
+	return errors.Is(err, ErrInvalidArgument) || isInterface[invalidParameter](err)
+}
+
+// deadlineExceed maps to Moby's "ErrDeadline"
+type deadlineExceeded interface {
+	DeadlineExceeded()
+}
+
+// IsDeadlineExceeded returns true if the error is due to
+// `context.DeadlineExceeded`.
+func IsDeadlineExceeded(err error) bool {
+	return errors.Is(err, context.DeadlineExceeded) || isInterface[deadlineExceeded](err)
+}
+
+type errNotFound struct{}
+
+func (errNotFound) Error() string { return "not found" }
+
+func (errNotFound) NotFound() {}
+
+func (e errNotFound) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// notFound maps to Moby's "ErrNotFound"
+type notFound interface {
+	NotFound()
+}
+
+// IsNotFound returns true if the error is due to a missing object
+func IsNotFound(err error) bool {
+	return errors.Is(err, ErrNotFound) || isInterface[notFound](err)
+}
+
+type errAlreadyExists struct{}
+
+func (errAlreadyExists) Error() string { return "already exists" }
+
+func (errAlreadyExists) AlreadyExists() {}
+
+func (e errAlreadyExists) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type alreadyExists interface {
+	AlreadyExists()
+}
+
+// IsAlreadyExists returns true if the error is due to an already existing
+// metadata item
+func IsAlreadyExists(err error) bool {
+	return errors.Is(err, ErrAlreadyExists) || isInterface[alreadyExists](err)
+}
+
+type errPermissionDenied struct{}
+
+func (errPermissionDenied) Error() string { return "permission denied" }
+
+func (errPermissionDenied) Forbidden() {}
+
+func (e errPermissionDenied) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// forbidden maps to Moby's "ErrForbidden"
+type forbidden interface {
+	Forbidden()
+}
+
+// IsPermissionDenied returns true if the error is due to permission denied
+// or forbidden (403) response
+func IsPermissionDenied(err error) bool {
+	return errors.Is(err, ErrPermissionDenied) || isInterface[forbidden](err)
+}
+
+type errResourceExhausted struct{}
+
+func (errResourceExhausted) Error() string { return "resource exhausted" }
+
+func (errResourceExhausted) ResourceExhausted() {}
+
+func (e errResourceExhausted) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type resourceExhausted interface {
+	ResourceExhausted()
+}
+
+// IsResourceExhausted returns true if the error is due to
+// a lack of resources or too many attempts.
+func IsResourceExhausted(err error) bool {
+	return errors.Is(err, errResourceExhausted{}) || isInterface[resourceExhausted](err)
+}
+
+type errFailedPrecondition struct{}
+
+func (e errFailedPrecondition) Error() string { return "failed precondition" }
+
+func (errFailedPrecondition) FailedPrecondition() {}
+
+func (e errFailedPrecondition) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type failedPrecondition interface {
+	FailedPrecondition()
+}
+
+// IsFailedPrecondition returns true if an operation could not proceed due to
+// the lack of a particular condition
+func IsFailedPrecondition(err error) bool {
+	return errors.Is(err, errFailedPrecondition{}) || isInterface[failedPrecondition](err)
+}
+
+type errConflict struct{}
+
+func (errConflict) Error() string { return "conflict" }
+
+func (errConflict) Conflict() {}
+
+func (e errConflict) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// conflict maps to Moby's "ErrConflict"
+type conflict interface {
+	Conflict()
+}
+
+// IsConflict returns true if an operation could not proceed due to
+// a conflict.
+func IsConflict(err error) bool {
+	return errors.Is(err, errConflict{}) || isInterface[conflict](err)
+}
+
+type errNotModified struct{}
+
+func (errNotModified) Error() string { return "not modified" }
+
+func (errNotModified) NotModified() {}
+
+func (e errNotModified) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// notModified maps to Moby's "ErrNotModified"
+type notModified interface {
+	NotModified()
+}
+
+// IsNotModified returns true if an operation could not proceed due
+// to an object not modified from a previous state.
+func IsNotModified(err error) bool {
+	return errors.Is(err, errNotModified{}) || isInterface[notModified](err)
+}
+
+type errAborted struct{}
+
+func (errAborted) Error() string { return "aborted" }
+
+func (errAborted) Aborted() {}
+
+func (e errAborted) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type aborted interface {
+	Aborted()
+}
+
+// IsAborted returns true if an operation was aborted.
+func IsAborted(err error) bool {
+	return errors.Is(err, errAborted{}) || isInterface[aborted](err)
+}
+
+type errOutOfRange struct{}
+
+func (errOutOfRange) Error() string { return "out of range" }
+
+func (errOutOfRange) OutOfRange() {}
+
+func (e errOutOfRange) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+type outOfRange interface {
+	OutOfRange()
+}
+
+// IsOutOfRange returns true if an operation could not proceed due
+// to data being out of the expected range.
+func IsOutOfRange(err error) bool {
+	return errors.Is(err, errOutOfRange{}) || isInterface[outOfRange](err)
+}
+
+type errNotImplemented struct{}
+
+func (errNotImplemented) Error() string { return "not implemented" }
+
+func (errNotImplemented) NotImplemented() {}
+
+func (e errNotImplemented) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// notImplemented maps to Moby's "ErrNotImplemented"
+type notImplemented interface {
+	NotImplemented()
+}
+
+// IsNotImplemented returns true if the error is due to not being implemented
+func IsNotImplemented(err error) bool {
+	return errors.Is(err, errNotImplemented{}) || isInterface[notImplemented](err)
+}
+
+type errInternal struct{}
+
+func (errInternal) Error() string { return "internal" }
+
+func (errInternal) System() {}
+
+func (e errInternal) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// system maps to Moby's "ErrSystem"
+type system interface {
+	System()
+}
+
+// IsInternal returns true if the error returns to an internal or system error
+func IsInternal(err error) bool {
+	return errors.Is(err, errInternal{}) || isInterface[system](err)
+}
+
+type errUnavailable struct{}
+
+func (errUnavailable) Error() string { return "unavailable" }
+
+func (errUnavailable) Unavailable() {}
+
+func (e errUnavailable) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// unavailable maps to Moby's "ErrUnavailable"
+type unavailable interface {
+	Unavailable()
+}
+
+// IsUnavailable returns true if the error is due to a resource being unavailable
+func IsUnavailable(err error) bool {
+	return errors.Is(err, errUnavailable{}) || isInterface[unavailable](err)
+}
+
+type errDataLoss struct{}
+
+func (errDataLoss) Error() string { return "data loss" }
+
+func (errDataLoss) DataLoss() {}
+
+func (e errDataLoss) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// dataLoss maps to Moby's "ErrDataLoss"
+type dataLoss interface {
+	DataLoss()
+}
+
+// IsDataLoss returns true if data during an operation was lost or corrupted
+func IsDataLoss(err error) bool {
+	return errors.Is(err, errDataLoss{}) || isInterface[dataLoss](err)
+}
+
+type errUnauthorized struct{}
+
+func (errUnauthorized) Error() string { return "unauthorized" }
+
+func (errUnauthorized) Unauthorized() {}
+
+func (e errUnauthorized) WithMessage(msg string) error {
+	return customMessage{e, msg}
+}
+
+// unauthorized maps to Moby's "ErrUnauthorized"
+type unauthorized interface {
+	Unauthorized()
+}
+
+// IsUnauthorized returns true if the error indicates that the user was
+// unauthenticated or unauthorized.
+func IsUnauthorized(err error) bool {
+	return errors.Is(err, errUnauthorized{}) || isInterface[unauthorized](err)
+}
+
+func isInterface[T any](err error) bool {
+	for {
+		switch x := err.(type) {
+		case T:
+			return true
+		case customMessage:
+			err = x.err
+		case interface{ Unwrap() error }:
+			err = x.Unwrap()
+			if err == nil {
+				return false
+			}
+		case interface{ Unwrap() []error }:
+			for _, err := range x.Unwrap() {
+				if isInterface[T](err) {
+					return true
+				}
+			}
+			return false
+		default:
+			return false
+		}
+	}
+}
+
+// customMessage is used to provide a defined error with a custom message.
+// The message is not wrapped but can be compared by the `Is(error) bool` interface.
+type customMessage struct {
+	err error
+	msg string
+}
+
+func (c customMessage) Is(err error) bool {
+	return c.err == err
+}
+
+func (c customMessage) As(target any) bool {
+	return errors.As(c.err, target)
+}
+
+func (c customMessage) Error() string {
+	return c.msg
+}
diff --git a/vendor/github.com/containerd/errdefs/resolve.go b/vendor/github.com/containerd/errdefs/resolve.go
new file mode 100644
index 0000000000..c02d4a73f4
--- /dev/null
+++ b/vendor/github.com/containerd/errdefs/resolve.go
@@ -0,0 +1,147 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package errdefs
+
+import "context"
+
+// Resolve returns the first error found in the error chain which matches an
+// error defined in this package or context error. A raw, unwrapped error is
+// returned or ErrUnknown if no matching error is found.
+//
+// This is useful for determining a response code based on the outermost wrapped
+// error rather than the original cause. For example, a not found error deep
+// in the code may be wrapped as an invalid argument. When determining status
+// code from Is* functions, the depth or ordering of the error is not
+// considered.
+//
+// The search order is depth first, a wrapped error returned from any part of
+// the chain from `Unwrap() error` will be returned before any joined errors
+// as returned by `Unwrap() []error`.
+func Resolve(err error) error {
+	if err == nil {
+		return nil
+	}
+	err = firstError(err)
+	if err == nil {
+		err = ErrUnknown
+	}
+	return err
+}
+
+func firstError(err error) error {
+	for {
+		switch err {
+		case ErrUnknown,
+			ErrInvalidArgument,
+			ErrNotFound,
+			ErrAlreadyExists,
+			ErrPermissionDenied,
+			ErrResourceExhausted,
+			ErrFailedPrecondition,
+			ErrConflict,
+			ErrNotModified,
+			ErrAborted,
+			ErrOutOfRange,
+			ErrNotImplemented,
+			ErrInternal,
+			ErrUnavailable,
+			ErrDataLoss,
+			ErrUnauthenticated,
+			context.DeadlineExceeded,
+			context.Canceled:
+			return err
+		}
+		switch e := err.(type) {
+		case customMessage:
+			err = e.err
+		case unknown:
+			return ErrUnknown
+		case invalidParameter:
+			return ErrInvalidArgument
+		case notFound:
+			return ErrNotFound
+		case alreadyExists:
+			return ErrAlreadyExists
+		case forbidden:
+			return ErrPermissionDenied
+		case resourceExhausted:
+			return ErrResourceExhausted
+		case failedPrecondition:
+			return ErrFailedPrecondition
+		case conflict:
+			return ErrConflict
+		case notModified:
+			return ErrNotModified
+		case aborted:
+			return ErrAborted
+		case errOutOfRange:
+			return ErrOutOfRange
+		case notImplemented:
+			return ErrNotImplemented
+		case system:
+			return ErrInternal
+		case unavailable:
+			return ErrUnavailable
+		case dataLoss:
+			return ErrDataLoss
+		case unauthorized:
+			return ErrUnauthenticated
+		case deadlineExceeded:
+			return context.DeadlineExceeded
+		case cancelled:
+			return context.Canceled
+		case interface{ Unwrap() error }:
+			err = e.Unwrap()
+			if err == nil {
+				return nil
+			}
+		case interface{ Unwrap() []error }:
+			for _, ue := range e.Unwrap() {
+				if fe := firstError(ue); fe != nil {
+					return fe
+				}
+			}
+			return nil
+		case interface{ Is(error) bool }:
+			for _, target := range []error{ErrUnknown,
+				ErrInvalidArgument,
+				ErrNotFound,
+				ErrAlreadyExists,
+				ErrPermissionDenied,
+				ErrResourceExhausted,
+				ErrFailedPrecondition,
+				ErrConflict,
+				ErrNotModified,
+				ErrAborted,
+				ErrOutOfRange,
+				ErrNotImplemented,
+				ErrInternal,
+				ErrUnavailable,
+				ErrDataLoss,
+				ErrUnauthenticated,
+				context.DeadlineExceeded,
+				context.Canceled} {
+				if e.Is(target) {
+					return target
+				}
+			}
+			return nil
+		default:
+			return nil
+		}
+	}
+}
diff --git a/vendor/github.com/containerd/log/.golangci.yml b/vendor/github.com/containerd/log/.golangci.yml
new file mode 100644
index 0000000000..a695775df4
--- /dev/null
+++ b/vendor/github.com/containerd/log/.golangci.yml
@@ -0,0 +1,30 @@
+linters:
+  enable:
+    - exportloopref # Checks for pointers to enclosing loop variables
+    - gofmt
+    - goimports
+    - gosec
+    - ineffassign
+    - misspell
+    - nolintlint
+    - revive
+    - staticcheck
+    - tenv # Detects using os.Setenv instead of t.Setenv since Go 1.17
+    - unconvert
+    - unused
+    - vet
+    - dupword # Checks for duplicate words in the source code
+  disable:
+    - errcheck
+
+run:
+  timeout: 5m
+  skip-dirs:
+    - api
+    - cluster
+    - design
+    - docs
+    - docs/man
+    - releases
+    - reports
+    - test # e2e scripts
diff --git a/vendor/github.com/containerd/log/LICENSE b/vendor/github.com/containerd/log/LICENSE
new file mode 100644
index 0000000000..584149b6ee
--- /dev/null
+++ b/vendor/github.com/containerd/log/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright The containerd Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/containerd/log/README.md b/vendor/github.com/containerd/log/README.md
new file mode 100644
index 0000000000..00e0849880
--- /dev/null
+++ b/vendor/github.com/containerd/log/README.md
@@ -0,0 +1,17 @@
+# log
+
+A Go package providing a common logging interface across containerd repositories and a way for clients to use and configure logging in containerd packages.
+
+This package is not intended to be used as a standalone logging package outside of the containerd ecosystem and is intended as an interface wrapper around a logging implementation.
+In the future this package may be replaced with a common go logging interface.
+
+## Project details
+
+**log** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.
+
diff --git a/vendor/github.com/containerd/log/context.go b/vendor/github.com/containerd/log/context.go
new file mode 100644
index 0000000000..20153066f3
--- /dev/null
+++ b/vendor/github.com/containerd/log/context.go
@@ -0,0 +1,182 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package log provides types and functions related to logging, passing
+// loggers through a context, and attaching context to the logger.
+//
+// # Transitional types
+//
+// This package contains various types that are aliases for types in [logrus].
+// These aliases are intended for transitioning away from hard-coding logrus
+// as logging implementation. Consumers of this package are encouraged to use
+// the type-aliases from this package instead of directly using their logrus
+// equivalent.
+//
+// The intent is to replace these aliases with locally defined types and
+// interfaces once all consumers are no longer directly importing logrus
+// types.
+//
+// IMPORTANT: due to the transitional purpose of this package, it is not
+// guaranteed for the full logrus API to be provided in the future. As
+// outlined, these aliases are provided as a step to transition away from
+// a specific implementation which, as a result, exposes the full logrus API.
+// While no decisions have been made on the ultimate design and interface
+// provided by this package, we do not expect carrying "less common" features.
+package log
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/sirupsen/logrus"
+)
+
+// G is a shorthand for [GetLogger].
+//
+// We may want to define this locally to a package to get package tagged log
+// messages.
+var G = GetLogger
+
+// L is an alias for the standard logger.
+var L = &Entry{
+	Logger: logrus.StandardLogger(),
+	// Default is three fields plus a little extra room.
+	Data: make(Fields, 6),
+}
+
+type loggerKey struct{}
+
+// Fields type to pass to "WithFields".
+type Fields = map[string]any
+
+// Entry is a logging entry. It contains all the fields passed with
+// [Entry.WithFields]. It's finally logged when Trace, Debug, Info, Warn,
+// Error, Fatal or Panic is called on it. These objects can be reused and
+// passed around as much as you wish to avoid field duplication.
+//
+// Entry is a transitional type, and currently an alias for [logrus.Entry].
+type Entry = logrus.Entry
+
+// RFC3339NanoFixed is [time.RFC3339Nano] with nanoseconds padded using
+// zeros to ensure the formatted time is always the same number of
+// characters.
+const RFC3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00"
+
+// Level is a logging level.
+type Level = logrus.Level
+
+// Supported log levels.
+const (
+	// TraceLevel level. Designates finer-grained informational events
+	// than [DebugLevel].
+	TraceLevel Level = logrus.TraceLevel
+
+	// DebugLevel level. Usually only enabled when debugging. Very verbose
+	// logging.
+	DebugLevel Level = logrus.DebugLevel
+
+	// InfoLevel level. General operational entries about what's going on
+	// inside the application.
+	InfoLevel Level = logrus.InfoLevel
+
+	// WarnLevel level. Non-critical entries that deserve eyes.
+	WarnLevel Level = logrus.WarnLevel
+
+	// ErrorLevel level. Logs errors that should definitely be noted.
+	// Commonly used for hooks to send errors to an error tracking service.
+	ErrorLevel Level = logrus.ErrorLevel
+
+	// FatalLevel level. Logs and then calls "logger.Exit(1)". It exits
+	// even if the logging level is set to Panic.
+	FatalLevel Level = logrus.FatalLevel
+
+	// PanicLevel level. This is the highest level of severity. Logs and
+	// then calls panic with the message passed to Debug, Info, ...
+	PanicLevel Level = logrus.PanicLevel
+)
+
+// SetLevel sets log level globally. It returns an error if the given
+// level is not supported.
+//
+// level can be one of:
+//
+//   - "trace" ([TraceLevel])
+//   - "debug" ([DebugLevel])
+//   - "info" ([InfoLevel])
+//   - "warn" ([WarnLevel])
+//   - "error" ([ErrorLevel])
+//   - "fatal" ([FatalLevel])
+//   - "panic" ([PanicLevel])
+func SetLevel(level string) error {
+	lvl, err := logrus.ParseLevel(level)
+	if err != nil {
+		return err
+	}
+
+	L.Logger.SetLevel(lvl)
+	return nil
+}
+
+// GetLevel returns the current log level.
+func GetLevel() Level {
+	return L.Logger.GetLevel()
+}
+
+// OutputFormat specifies a log output format.
+type OutputFormat string
+
+// Supported log output formats.
+const (
+	// TextFormat represents the text logging format.
+	TextFormat OutputFormat = "text"
+
+	// JSONFormat represents the JSON logging format.
+	JSONFormat OutputFormat = "json"
+)
+
+// SetFormat sets the log output format ([TextFormat] or [JSONFormat]).
+func SetFormat(format OutputFormat) error {
+	switch format {
+	case TextFormat:
+		L.Logger.SetFormatter(&logrus.TextFormatter{
+			TimestampFormat: RFC3339NanoFixed,
+			FullTimestamp:   true,
+		})
+		return nil
+	case JSONFormat:
+		L.Logger.SetFormatter(&logrus.JSONFormatter{
+			TimestampFormat: RFC3339NanoFixed,
+		})
+		return nil
+	default:
+		return fmt.Errorf("unknown log format: %s", format)
+	}
+}
+
+// WithLogger returns a new context with the provided logger. Use in
+// combination with logger.WithField(s) for great effect.
+func WithLogger(ctx context.Context, logger *Entry) context.Context {
+	return context.WithValue(ctx, loggerKey{}, logger.WithContext(ctx))
+}
+
+// GetLogger retrieves the current logger from the context. If no logger is
+// available, the default logger is returned.
+func GetLogger(ctx context.Context) *Entry {
+	if logger := ctx.Value(loggerKey{}); logger != nil {
+		return logger.(*Entry)
+	}
+	return L.WithContext(ctx)
+}
diff --git a/vendor/github.com/containerd/platforms/.gitattributes b/vendor/github.com/containerd/platforms/.gitattributes
new file mode 100644
index 0000000000..a0717e4b3b
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/.gitattributes
@@ -0,0 +1 @@
+*.go text eol=lf
\ No newline at end of file
diff --git a/vendor/github.com/containerd/platforms/.golangci.yml b/vendor/github.com/containerd/platforms/.golangci.yml
new file mode 100644
index 0000000000..a695775df4
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/.golangci.yml
@@ -0,0 +1,30 @@
+linters:
+  enable:
+    - exportloopref # Checks for pointers to enclosing loop variables
+    - gofmt
+    - goimports
+    - gosec
+    - ineffassign
+    - misspell
+    - nolintlint
+    - revive
+    - staticcheck
+    - tenv # Detects using os.Setenv instead of t.Setenv since Go 1.17
+    - unconvert
+    - unused
+    - vet
+    - dupword # Checks for duplicate words in the source code
+  disable:
+    - errcheck
+
+run:
+  timeout: 5m
+  skip-dirs:
+    - api
+    - cluster
+    - design
+    - docs
+    - docs/man
+    - releases
+    - reports
+    - test # e2e scripts
diff --git a/vendor/github.com/containerd/platforms/LICENSE b/vendor/github.com/containerd/platforms/LICENSE
new file mode 100644
index 0000000000..584149b6ee
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright The containerd Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/containerd/platforms/README.md b/vendor/github.com/containerd/platforms/README.md
new file mode 100644
index 0000000000..2059de771c
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/README.md
@@ -0,0 +1,32 @@
+# platforms
+
+A Go package for formatting, normalizing and matching container platforms.
+
+This package is based on the Open Containers Image Spec definition of a [platform](https://github.com/opencontainers/image-spec/blob/main/specs-go/v1/descriptor.go#L52).
+
+## Platform Specifier
+
+While the OCI platform specifications provide a tool for components to
+specify structured information, user input typically doesn't need the full
+context and much can be inferred. To solve this problem, this package introduces
+"specifiers". A specifier has the format
+`<os>|<arch>|<os>/<arch>[/<variant>]`.  The user can provide either the
+operating system or the architecture or both.
+
+An example of a common specifier is `linux/amd64`. If the host has a default
+runtime that matches this, the user can simply provide the component that
+matters. For example, if an image provides `amd64` and `arm64` support, the
+operating system, `linux` can be inferred, so they only have to provide
+`arm64` or `amd64`. Similar behavior is implemented for operating systems,
+where the architecture may be known but a runtime may support images from
+different operating systems.
+
+## Project details
+
+**platforms** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
+As a containerd sub-project, you will find the:
+ * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),
+ * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS),
+ * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)
+
+information in our [`containerd/project`](https://github.com/containerd/project) repository.
\ No newline at end of file
diff --git a/vendor/github.com/containerd/platforms/compare.go b/vendor/github.com/containerd/platforms/compare.go
new file mode 100644
index 0000000000..3913ef6637
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/compare.go
@@ -0,0 +1,203 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"strconv"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// MatchComparer is able to match and compare platforms to
+// filter and sort platforms.
+type MatchComparer interface {
+	Matcher
+
+	Less(specs.Platform, specs.Platform) bool
+}
+
+// platformVector returns an (ordered) vector of appropriate specs.Platform
+// objects to try matching for the given platform object (see platforms.Only).
+func platformVector(platform specs.Platform) []specs.Platform {
+	vector := []specs.Platform{platform}
+
+	switch platform.Architecture {
+	case "amd64":
+		if amd64Version, err := strconv.Atoi(strings.TrimPrefix(platform.Variant, "v")); err == nil && amd64Version > 1 {
+			for amd64Version--; amd64Version >= 1; amd64Version-- {
+				vector = append(vector, specs.Platform{
+					Architecture: platform.Architecture,
+					OS:           platform.OS,
+					OSVersion:    platform.OSVersion,
+					OSFeatures:   platform.OSFeatures,
+					Variant:      "v" + strconv.Itoa(amd64Version),
+				})
+			}
+		}
+		vector = append(vector, specs.Platform{
+			Architecture: "386",
+			OS:           platform.OS,
+			OSVersion:    platform.OSVersion,
+			OSFeatures:   platform.OSFeatures,
+		})
+	case "arm":
+		if armVersion, err := strconv.Atoi(strings.TrimPrefix(platform.Variant, "v")); err == nil && armVersion > 5 {
+			for armVersion--; armVersion >= 5; armVersion-- {
+				vector = append(vector, specs.Platform{
+					Architecture: platform.Architecture,
+					OS:           platform.OS,
+					OSVersion:    platform.OSVersion,
+					OSFeatures:   platform.OSFeatures,
+					Variant:      "v" + strconv.Itoa(armVersion),
+				})
+			}
+		}
+	case "arm64":
+		variant := platform.Variant
+		if variant == "" {
+			variant = "v8"
+		}
+		vector = append(vector, platformVector(specs.Platform{
+			Architecture: "arm",
+			OS:           platform.OS,
+			OSVersion:    platform.OSVersion,
+			OSFeatures:   platform.OSFeatures,
+			Variant:      variant,
+		})...)
+	}
+
+	return vector
+}
+
+// Only returns a match comparer for a single platform
+// using default resolution logic for the platform.
+//
+// For arm/v8, will also match arm/v7, arm/v6 and arm/v5
+// For arm/v7, will also match arm/v6 and arm/v5
+// For arm/v6, will also match arm/v5
+// For amd64, will also match 386
+func Only(platform specs.Platform) MatchComparer {
+	return Ordered(platformVector(Normalize(platform))...)
+}
+
+// OnlyStrict returns a match comparer for a single platform.
+//
+// Unlike Only, OnlyStrict does not match sub platforms.
+// So, "arm/vN" will not match "arm/vM" where M < N,
+// and "amd64" will not also match "386".
+//
+// OnlyStrict matches non-canonical forms.
+// So, "arm64" matches "arm/64/v8".
+func OnlyStrict(platform specs.Platform) MatchComparer {
+	return Ordered(Normalize(platform))
+}
+
+// Ordered returns a platform MatchComparer which matches any of the platforms
+// but orders them in order they are provided.
+func Ordered(platforms ...specs.Platform) MatchComparer {
+	matchers := make([]Matcher, len(platforms))
+	for i := range platforms {
+		matchers[i] = NewMatcher(platforms[i])
+	}
+	return orderedPlatformComparer{
+		matchers: matchers,
+	}
+}
+
+// Any returns a platform MatchComparer which matches any of the platforms
+// with no preference for ordering.
+func Any(platforms ...specs.Platform) MatchComparer {
+	matchers := make([]Matcher, len(platforms))
+	for i := range platforms {
+		matchers[i] = NewMatcher(platforms[i])
+	}
+	return anyPlatformComparer{
+		matchers: matchers,
+	}
+}
+
+// All is a platform MatchComparer which matches all platforms
+// with preference for ordering.
+var All MatchComparer = allPlatformComparer{}
+
+type orderedPlatformComparer struct {
+	matchers []Matcher
+}
+
+func (c orderedPlatformComparer) Match(platform specs.Platform) bool {
+	for _, m := range c.matchers {
+		if m.Match(platform) {
+			return true
+		}
+	}
+	return false
+}
+
+func (c orderedPlatformComparer) Less(p1 specs.Platform, p2 specs.Platform) bool {
+	for _, m := range c.matchers {
+		p1m := m.Match(p1)
+		p2m := m.Match(p2)
+		if p1m && !p2m {
+			return true
+		}
+		if p1m || p2m {
+			return false
+		}
+	}
+	return false
+}
+
+type anyPlatformComparer struct {
+	matchers []Matcher
+}
+
+func (c anyPlatformComparer) Match(platform specs.Platform) bool {
+	for _, m := range c.matchers {
+		if m.Match(platform) {
+			return true
+		}
+	}
+	return false
+}
+
+func (c anyPlatformComparer) Less(p1, p2 specs.Platform) bool {
+	var p1m, p2m bool
+	for _, m := range c.matchers {
+		if !p1m && m.Match(p1) {
+			p1m = true
+		}
+		if !p2m && m.Match(p2) {
+			p2m = true
+		}
+		if p1m && p2m {
+			return false
+		}
+	}
+	// If one matches, and the other does, sort match first
+	return p1m && !p2m
+}
+
+type allPlatformComparer struct{}
+
+func (allPlatformComparer) Match(specs.Platform) bool {
+	return true
+}
+
+func (allPlatformComparer) Less(specs.Platform, specs.Platform) bool {
+	return false
+}
diff --git a/vendor/github.com/containerd/platforms/cpuinfo.go b/vendor/github.com/containerd/platforms/cpuinfo.go
new file mode 100644
index 0000000000..91f50e8c88
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/cpuinfo.go
@@ -0,0 +1,43 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+	"sync"
+
+	"github.com/containerd/log"
+)
+
+// Present the ARM instruction set architecture, eg: v7, v8
+// Don't use this value directly; call cpuVariant() instead.
+var cpuVariantValue string
+
+var cpuVariantOnce sync.Once
+
+func cpuVariant() string {
+	cpuVariantOnce.Do(func() {
+		if isArmArch(runtime.GOARCH) {
+			var err error
+			cpuVariantValue, err = getCPUVariant()
+			if err != nil {
+				log.L.Errorf("Error getCPUVariant for OS %s: %v", runtime.GOOS, err)
+			}
+		}
+	})
+	return cpuVariantValue
+}
diff --git a/vendor/github.com/containerd/platforms/cpuinfo_linux.go b/vendor/github.com/containerd/platforms/cpuinfo_linux.go
new file mode 100644
index 0000000000..98c7001f93
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/cpuinfo_linux.go
@@ -0,0 +1,160 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+// getMachineArch retrieves the machine architecture through system call
+func getMachineArch() (string, error) {
+	var uname unix.Utsname
+	err := unix.Uname(&uname)
+	if err != nil {
+		return "", err
+	}
+
+	arch := string(uname.Machine[:bytes.IndexByte(uname.Machine[:], 0)])
+
+	return arch, nil
+}
+
+// For Linux, the kernel has already detected the ABI, ISA and Features.
+// So we don't need to access the ARM registers to detect platform information
+// by ourselves. We can just parse these information from /proc/cpuinfo
+func getCPUInfo(pattern string) (info string, err error) {
+
+	cpuinfo, err := os.Open("/proc/cpuinfo")
+	if err != nil {
+		return "", err
+	}
+	defer cpuinfo.Close()
+
+	// Start to Parse the Cpuinfo line by line. For SMP SoC, we parse
+	// the first core is enough.
+	scanner := bufio.NewScanner(cpuinfo)
+	for scanner.Scan() {
+		newline := scanner.Text()
+		list := strings.Split(newline, ":")
+
+		if len(list) > 1 && strings.EqualFold(strings.TrimSpace(list[0]), pattern) {
+			return strings.TrimSpace(list[1]), nil
+		}
+	}
+
+	// Check whether the scanner encountered errors
+	err = scanner.Err()
+	if err != nil {
+		return "", err
+	}
+
+	return "", fmt.Errorf("getCPUInfo for pattern %s: %w", pattern, errNotFound)
+}
+
+// getCPUVariantFromArch get CPU variant from arch through a system call
+func getCPUVariantFromArch(arch string) (string, error) {
+
+	var variant string
+
+	arch = strings.ToLower(arch)
+
+	if arch == "aarch64" {
+		variant = "8"
+	} else if arch[0:4] == "armv" && len(arch) >= 5 {
+		// Valid arch format is in form of armvXx
+		switch arch[3:5] {
+		case "v8":
+			variant = "8"
+		case "v7":
+			variant = "7"
+		case "v6":
+			variant = "6"
+		case "v5":
+			variant = "5"
+		case "v4":
+			variant = "4"
+		case "v3":
+			variant = "3"
+		default:
+			variant = "unknown"
+		}
+	} else {
+		return "", fmt.Errorf("getCPUVariantFromArch invalid arch: %s, %w", arch, errInvalidArgument)
+	}
+	return variant, nil
+}
+
+// getCPUVariant returns cpu variant for ARM
+// We first try reading "Cpu architecture" field from /proc/cpuinfo
+// If we can't find it, then fall back using a system call
+// This is to cover running ARM in emulated environment on x86 host as this field in /proc/cpuinfo
+// was not present.
+func getCPUVariant() (string, error) {
+	variant, err := getCPUInfo("Cpu architecture")
+	if err != nil {
+		if errors.Is(err, errNotFound) {
+			// Let's try getting CPU variant from machine architecture
+			arch, err := getMachineArch()
+			if err != nil {
+				return "", fmt.Errorf("failure getting machine architecture: %v", err)
+			}
+
+			variant, err = getCPUVariantFromArch(arch)
+			if err != nil {
+				return "", fmt.Errorf("failure getting CPU variant from machine architecture: %v", err)
+			}
+		} else {
+			return "", fmt.Errorf("failure getting CPU variant: %v", err)
+		}
+	}
+
+	// handle edge case for Raspberry Pi ARMv6 devices (which due to a kernel quirk, report "CPU architecture: 7")
+	// https://www.raspberrypi.org/forums/viewtopic.php?t=12614
+	if runtime.GOARCH == "arm" && variant == "7" {
+		model, err := getCPUInfo("model name")
+		if err == nil && strings.HasPrefix(strings.ToLower(model), "armv6-compatible") {
+			variant = "6"
+		}
+	}
+
+	switch strings.ToLower(variant) {
+	case "8", "aarch64":
+		variant = "v8"
+	case "7", "7m", "?(12)", "?(13)", "?(14)", "?(15)", "?(16)", "?(17)":
+		variant = "v7"
+	case "6", "6tej":
+		variant = "v6"
+	case "5", "5t", "5te", "5tej":
+		variant = "v5"
+	case "4", "4t":
+		variant = "v4"
+	case "3":
+		variant = "v3"
+	default:
+		variant = "unknown"
+	}
+
+	return variant, nil
+}
diff --git a/vendor/github.com/containerd/platforms/cpuinfo_other.go b/vendor/github.com/containerd/platforms/cpuinfo_other.go
new file mode 100644
index 0000000000..97a1fe8a3e
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/cpuinfo_other.go
@@ -0,0 +1,55 @@
+//go:build !linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"fmt"
+	"runtime"
+)
+
+func getCPUVariant() (string, error) {
+
+	var variant string
+
+	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+		// Windows/Darwin only supports v7 for ARM32 and v8 for ARM64 and so we can use
+		// runtime.GOARCH to determine the variants
+		switch runtime.GOARCH {
+		case "arm64":
+			variant = "v8"
+		case "arm":
+			variant = "v7"
+		default:
+			variant = "unknown"
+		}
+	} else if runtime.GOOS == "freebsd" {
+		// FreeBSD supports ARMv6 and ARMv7 as well as ARMv4 and ARMv5 (though deprecated)
+		// detecting those variants is currently unimplemented
+		switch runtime.GOARCH {
+		case "arm64":
+			variant = "v8"
+		default:
+			variant = "unknown"
+		}
+	} else {
+		return "", fmt.Errorf("getCPUVariant for OS %s: %v", runtime.GOOS, errNotImplemented)
+	}
+
+	return variant, nil
+}
diff --git a/vendor/github.com/containerd/platforms/database.go b/vendor/github.com/containerd/platforms/database.go
new file mode 100644
index 0000000000..2e26fd3b4f
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/database.go
@@ -0,0 +1,109 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+	"strings"
+)
+
+// These function are generated from https://golang.org/src/go/build/syslist.go.
+//
+// We use switch statements because they are slightly faster than map lookups
+// and use a little less memory.
+
+// isKnownOS returns true if we know about the operating system.
+//
+// The OS value should be normalized before calling this function.
+func isKnownOS(os string) bool {
+	switch os {
+	case "aix", "android", "darwin", "dragonfly", "freebsd", "hurd", "illumos", "ios", "js", "linux", "nacl", "netbsd", "openbsd", "plan9", "solaris", "windows", "zos":
+		return true
+	}
+	return false
+}
+
+// isArmArch returns true if the architecture is ARM.
+//
+// The arch value should be normalized before being passed to this function.
+func isArmArch(arch string) bool {
+	switch arch {
+	case "arm", "arm64":
+		return true
+	}
+	return false
+}
+
+// isKnownArch returns true if we know about the architecture.
+//
+// The arch value should be normalized before being passed to this function.
+func isKnownArch(arch string) bool {
+	switch arch {
+	case "386", "amd64", "amd64p32", "arm", "armbe", "arm64", "arm64be", "ppc64", "ppc64le", "loong64", "mips", "mipsle", "mips64", "mips64le", "mips64p32", "mips64p32le", "ppc", "riscv", "riscv64", "s390", "s390x", "sparc", "sparc64", "wasm":
+		return true
+	}
+	return false
+}
+
+func normalizeOS(os string) string {
+	if os == "" {
+		return runtime.GOOS
+	}
+	os = strings.ToLower(os)
+
+	switch os {
+	case "macos":
+		os = "darwin"
+	}
+	return os
+}
+
+// normalizeArch normalizes the architecture.
+func normalizeArch(arch, variant string) (string, string) {
+	arch, variant = strings.ToLower(arch), strings.ToLower(variant)
+	switch arch {
+	case "i386":
+		arch = "386"
+		variant = ""
+	case "x86_64", "x86-64", "amd64":
+		arch = "amd64"
+		if variant == "v1" {
+			variant = ""
+		}
+	case "aarch64", "arm64":
+		arch = "arm64"
+		switch variant {
+		case "8", "v8":
+			variant = ""
+		}
+	case "armhf":
+		arch = "arm"
+		variant = "v7"
+	case "armel":
+		arch = "arm"
+		variant = "v6"
+	case "arm":
+		switch variant {
+		case "", "7":
+			variant = "v7"
+		case "5", "6", "8":
+			variant = "v" + variant
+		}
+	}
+
+	return arch, variant
+}
diff --git a/vendor/github.com/containerd/platforms/defaults.go b/vendor/github.com/containerd/platforms/defaults.go
new file mode 100644
index 0000000000..9d898d60e6
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults.go
@@ -0,0 +1,29 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+// DefaultString returns the default string specifier for the platform,
+// with [PR#6](https://github.com/containerd/platforms/pull/6) the result
+// may now also include the OSVersion from the provided platform specification.
+func DefaultString() string {
+	return FormatAll(DefaultSpec())
+}
+
+// DefaultStrict returns strict form of Default.
+func DefaultStrict() MatchComparer {
+	return OnlyStrict(DefaultSpec())
+}
diff --git a/vendor/github.com/containerd/platforms/defaults_darwin.go b/vendor/github.com/containerd/platforms/defaults_darwin.go
new file mode 100644
index 0000000000..72355ca85f
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults_darwin.go
@@ -0,0 +1,44 @@
+//go:build darwin
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+// Default returns the default matcher for the platform.
+func Default() MatchComparer {
+	return Ordered(DefaultSpec(), specs.Platform{
+		// darwin runtime also supports Linux binary via runu/LKL
+		OS:           "linux",
+		Architecture: runtime.GOARCH,
+	})
+}
diff --git a/vendor/github.com/containerd/platforms/defaults_freebsd.go b/vendor/github.com/containerd/platforms/defaults_freebsd.go
new file mode 100644
index 0000000000..d3fe89e076
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults_freebsd.go
@@ -0,0 +1,43 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+// Default returns the default matcher for the platform.
+func Default() MatchComparer {
+	return Ordered(DefaultSpec(), specs.Platform{
+		OS:           "linux",
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	})
+}
diff --git a/vendor/github.com/containerd/platforms/defaults_unix.go b/vendor/github.com/containerd/platforms/defaults_unix.go
new file mode 100644
index 0000000000..44acc47eb3
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults_unix.go
@@ -0,0 +1,40 @@
+//go:build !windows && !darwin && !freebsd
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"runtime"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+// Default returns the default matcher for the platform.
+func Default() MatchComparer {
+	return Only(DefaultSpec())
+}
diff --git a/vendor/github.com/containerd/platforms/defaults_windows.go b/vendor/github.com/containerd/platforms/defaults_windows.go
new file mode 100644
index 0000000000..427ed72eb6
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/defaults_windows.go
@@ -0,0 +1,118 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	"fmt"
+	"runtime"
+	"strconv"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/sys/windows"
+)
+
+// DefaultSpec returns the current platform's default platform specification.
+func DefaultSpec() specs.Platform {
+	major, minor, build := windows.RtlGetNtVersionNumbers()
+	return specs.Platform{
+		OS:           runtime.GOOS,
+		Architecture: runtime.GOARCH,
+		OSVersion:    fmt.Sprintf("%d.%d.%d", major, minor, build),
+		// The Variant field will be empty if arch != ARM.
+		Variant: cpuVariant(),
+	}
+}
+
+type windowsmatcher struct {
+	specs.Platform
+	osVersionPrefix string
+	defaultMatcher  Matcher
+}
+
+// Match matches platform with the same windows major, minor
+// and build version.
+func (m windowsmatcher) Match(p specs.Platform) bool {
+	match := m.defaultMatcher.Match(p)
+
+	if match && m.OS == "windows" {
+		// HPC containers do not have OS version filled
+		if m.OSVersion == "" || p.OSVersion == "" {
+			return true
+		}
+
+		hostOsVersion := getOSVersion(m.osVersionPrefix)
+		ctrOsVersion := getOSVersion(p.OSVersion)
+		return checkHostAndContainerCompat(hostOsVersion, ctrOsVersion)
+	}
+
+	return match
+}
+
+func getOSVersion(osVersionPrefix string) osVersion {
+	parts := strings.Split(osVersionPrefix, ".")
+	if len(parts) < 3 {
+		return osVersion{}
+	}
+
+	majorVersion, _ := strconv.Atoi(parts[0])
+	minorVersion, _ := strconv.Atoi(parts[1])
+	buildNumber, _ := strconv.Atoi(parts[2])
+
+	return osVersion{
+		MajorVersion: uint8(majorVersion),
+		MinorVersion: uint8(minorVersion),
+		Build:        uint16(buildNumber),
+	}
+}
+
+// Less sorts matched platforms in front of other platforms.
+// For matched platforms, it puts platforms with larger revision
+// number in front.
+func (m windowsmatcher) Less(p1, p2 specs.Platform) bool {
+	m1, m2 := m.Match(p1), m.Match(p2)
+	if m1 && m2 {
+		r1, r2 := revision(p1.OSVersion), revision(p2.OSVersion)
+		return r1 > r2
+	}
+	return m1 && !m2
+}
+
+func revision(v string) int {
+	parts := strings.Split(v, ".")
+	if len(parts) < 4 {
+		return 0
+	}
+	r, err := strconv.Atoi(parts[3])
+	if err != nil {
+		return 0
+	}
+	return r
+}
+
+func prefix(v string) string {
+	parts := strings.Split(v, ".")
+	if len(parts) < 4 {
+		return v
+	}
+	return strings.Join(parts[0:3], ".")
+}
+
+// Default returns the current platform's default platform specification.
+func Default() MatchComparer {
+	return Only(DefaultSpec())
+}
diff --git a/vendor/github.com/containerd/platforms/errors.go b/vendor/github.com/containerd/platforms/errors.go
new file mode 100644
index 0000000000..5ad721e779
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/errors.go
@@ -0,0 +1,30 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import "errors"
+
+// These errors mirror the errors defined in [github.com/containerd/containerd/errdefs],
+// however, they are not exported as they are not expected to be used as sentinel
+// errors by consumers of this package.
+//
+//nolint:unused // not all errors are used on all platforms.
+var (
+	errNotFound        = errors.New("not found")
+	errInvalidArgument = errors.New("invalid argument")
+	errNotImplemented  = errors.New("not implemented")
+)
diff --git a/vendor/github.com/containerd/platforms/platform_compat_windows.go b/vendor/github.com/containerd/platforms/platform_compat_windows.go
new file mode 100644
index 0000000000..89e66f0c09
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/platform_compat_windows.go
@@ -0,0 +1,78 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+// osVersion is a wrapper for Windows version information
+// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
+type osVersion struct {
+	Version      uint32
+	MajorVersion uint8
+	MinorVersion uint8
+	Build        uint16
+}
+
+// Windows Client and Server build numbers.
+//
+// See:
+// https://learn.microsoft.com/en-us/windows/release-health/release-information
+// https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info
+// https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
+const (
+	// rs5 (version 1809, codename "Redstone 5") corresponds to Windows Server
+	// 2019 (ltsc2019), and Windows 10 (October 2018 Update).
+	rs5 = 17763
+
+	// v21H2Server corresponds to Windows Server 2022 (ltsc2022).
+	v21H2Server = 20348
+
+	// v22H2Win11 corresponds to Windows 11 (2022 Update).
+	v22H2Win11 = 22621
+)
+
+// List of stable ABI compliant ltsc releases
+// Note: List must be sorted in ascending order
+var compatLTSCReleases = []uint16{
+	v21H2Server,
+}
+
+// CheckHostAndContainerCompat checks if given host and container
+// OS versions are compatible.
+// It includes support for stable ABI compliant versions as well.
+// Every release after WS 2022 will support the previous ltsc
+// container image. Stable ABI is in preview mode for windows 11 client.
+// Refer: https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-2022%2Cwindows-10#windows-server-host-os-compatibility
+func checkHostAndContainerCompat(host, ctr osVersion) bool {
+	// check major minor versions of host and guest
+	if host.MajorVersion != ctr.MajorVersion ||
+		host.MinorVersion != ctr.MinorVersion {
+		return false
+	}
+
+	// If host is < WS 2022, exact version match is required
+	if host.Build < v21H2Server {
+		return host.Build == ctr.Build
+	}
+
+	var supportedLtscRelease uint16
+	for i := len(compatLTSCReleases) - 1; i >= 0; i-- {
+		if host.Build >= compatLTSCReleases[i] {
+			supportedLtscRelease = compatLTSCReleases[i]
+			break
+		}
+	}
+	return ctr.Build >= supportedLtscRelease && ctr.Build <= host.Build
+}
diff --git a/vendor/github.com/containerd/platforms/platforms.go b/vendor/github.com/containerd/platforms/platforms.go
new file mode 100644
index 0000000000..1bbbdb91db
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/platforms.go
@@ -0,0 +1,308 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package platforms provides a toolkit for normalizing, matching and
+// specifying container platforms.
+//
+// Centered around OCI platform specifications, we define a string-based
+// specifier syntax that can be used for user input. With a specifier, users
+// only need to specify the parts of the platform that are relevant to their
+// context, providing an operating system or architecture or both.
+//
+// How do I use this package?
+//
+// The vast majority of use cases should simply use the match function with
+// user input. The first step is to parse a specifier into a matcher:
+//
+//	m, err := Parse("linux")
+//	if err != nil { ... }
+//
+// Once you have a matcher, use it to match against the platform declared by a
+// component, typically from an image or runtime. Since extracting an images
+// platform is a little more involved, we'll use an example against the
+// platform default:
+//
+//	if ok := m.Match(Default()); !ok { /* doesn't match */ }
+//
+// This can be composed in loops for resolving runtimes or used as a filter for
+// fetch and select images.
+//
+// More details of the specifier syntax and platform spec follow.
+//
+// # Declaring Platform Support
+//
+// Components that have strict platform requirements should use the OCI
+// platform specification to declare their support. Typically, this will be
+// images and runtimes that should make these declaring which platform they
+// support specifically. This looks roughly as follows:
+//
+//	  type Platform struct {
+//		   Architecture string
+//		   OS           string
+//		   Variant      string
+//	  }
+//
+// Most images and runtimes should at least set Architecture and OS, according
+// to their GOARCH and GOOS values, respectively (follow the OCI image
+// specification when in doubt). ARM should set variant under certain
+// discussions, which are outlined below.
+//
+// # Platform Specifiers
+//
+// While the OCI platform specifications provide a tool for components to
+// specify structured information, user input typically doesn't need the full
+// context and much can be inferred. To solve this problem, we introduced
+// "specifiers". A specifier has the format
+// `<os>|<arch>|<os>/<arch>[/<variant>]`.  The user can provide either the
+// operating system or the architecture or both.
+//
+// An example of a common specifier is `linux/amd64`. If the host has a default
+// of runtime that matches this, the user can simply provide the component that
+// matters. For example, if a image provides amd64 and arm64 support, the
+// operating system, `linux` can be inferred, so they only have to provide
+// `arm64` or `amd64`. Similar behavior is implemented for operating systems,
+// where the architecture may be known but a runtime may support images from
+// different operating systems.
+//
+// # Normalization
+//
+// Because not all users are familiar with the way the Go runtime represents
+// platforms, several normalizations have been provided to make this package
+// easier to user.
+//
+// The following are performed for architectures:
+//
+//	Value    Normalized
+//	aarch64  arm64
+//	armhf    arm
+//	armel    arm/v6
+//	i386     386
+//	x86_64   amd64
+//	x86-64   amd64
+//
+// We also normalize the operating system `macos` to `darwin`.
+//
+// # ARM Support
+//
+// To qualify ARM architecture, the Variant field is used to qualify the arm
+// version. The most common arm version, v7, is represented without the variant
+// unless it is explicitly provided. This is treated as equivalent to armhf. A
+// previous architecture, armel, will be normalized to arm/v6.
+//
+// Similarly, the most common arm64 version v8, and most common amd64 version v1
+// are represented without the variant.
+//
+// While these normalizations are provided, their support on arm platforms has
+// not yet been fully implemented and tested.
+package platforms
+
+import (
+	"fmt"
+	"path"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+var (
+	specifierRe    = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
+	osAndVersionRe = regexp.MustCompile(`^([A-Za-z0-9_-]+)(?:\(([A-Za-z0-9_.-]*)\))?$`)
+)
+
+const osAndVersionFormat = "%s(%s)"
+
+// Platform is a type alias for convenience, so there is no need to import image-spec package everywhere.
+type Platform = specs.Platform
+
+// Matcher matches platforms specifications, provided by an image or runtime.
+type Matcher interface {
+	Match(platform specs.Platform) bool
+}
+
+// NewMatcher returns a simple matcher based on the provided platform
+// specification. The returned matcher only looks for equality based on os,
+// architecture and variant.
+//
+// One may implement their own matcher if this doesn't provide the required
+// functionality.
+//
+// Applications should opt to use `Match` over directly parsing specifiers.
+func NewMatcher(platform specs.Platform) Matcher {
+	return newDefaultMatcher(platform)
+}
+
+type matcher struct {
+	specs.Platform
+}
+
+func (m *matcher) Match(platform specs.Platform) bool {
+	normalized := Normalize(platform)
+	return m.OS == normalized.OS &&
+		m.Architecture == normalized.Architecture &&
+		m.Variant == normalized.Variant
+}
+
+func (m *matcher) String() string {
+	return FormatAll(m.Platform)
+}
+
+// ParseAll parses a list of platform specifiers into a list of platform.
+func ParseAll(specifiers []string) ([]specs.Platform, error) {
+	platforms := make([]specs.Platform, len(specifiers))
+	for i, s := range specifiers {
+		p, err := Parse(s)
+		if err != nil {
+			return nil, fmt.Errorf("invalid platform %s: %w", s, err)
+		}
+		platforms[i] = p
+	}
+	return platforms, nil
+}
+
+// Parse parses the platform specifier syntax into a platform declaration.
+//
+// Platform specifiers are in the format `<os>[(<OSVersion>)]|<arch>|<os>[(<OSVersion>)]/<arch>[/<variant>]`.
+// The minimum required information for a platform specifier is the operating
+// system or architecture. The OSVersion can be part of the OS like `windows(10.0.17763)`
+// When an OSVersion is specified, then specs.Platform.OSVersion is populated with that value,
+// and an empty string otherwise.
+// If there is only a single string (no slashes), the
+// value will be matched against the known set of operating systems, then fall
+// back to the known set of architectures. The missing component will be
+// inferred based on the local environment.
+func Parse(specifier string) (specs.Platform, error) {
+	if strings.Contains(specifier, "*") {
+		// TODO(stevvooe): need to work out exact wildcard handling
+		return specs.Platform{}, fmt.Errorf("%q: wildcards not yet supported: %w", specifier, errInvalidArgument)
+	}
+
+	// Limit to 4 elements to prevent unbounded split
+	parts := strings.SplitN(specifier, "/", 4)
+
+	var p specs.Platform
+	for i, part := range parts {
+		if i == 0 {
+			// First element is <os>[(<OSVersion>)]
+			osVer := osAndVersionRe.FindStringSubmatch(part)
+			if osVer == nil {
+				return specs.Platform{}, fmt.Errorf("%q is an invalid OS component of %q: OSAndVersion specifier component must match %q: %w", part, specifier, osAndVersionRe.String(), errInvalidArgument)
+			}
+
+			p.OS = normalizeOS(osVer[1])
+			p.OSVersion = osVer[2]
+		} else {
+			if !specifierRe.MatchString(part) {
+				return specs.Platform{}, fmt.Errorf("%q is an invalid component of %q: platform specifier component must match %q: %w", part, specifier, specifierRe.String(), errInvalidArgument)
+			}
+		}
+	}
+
+	switch len(parts) {
+	case 1:
+		// in this case, we will test that the value might be an OS (with or
+		// without the optional OSVersion specified) and look it up.
+		// If it is not known, we'll treat it as an architecture. Since
+		// we have very little information about the platform here, we are
+		// going to be a little more strict if we don't know about the argument
+		// value.
+		if isKnownOS(p.OS) {
+			// picks a default architecture
+			p.Architecture = runtime.GOARCH
+			if p.Architecture == "arm" && cpuVariant() != "v7" {
+				p.Variant = cpuVariant()
+			}
+
+			return p, nil
+		}
+
+		p.Architecture, p.Variant = normalizeArch(parts[0], "")
+		if p.Architecture == "arm" && p.Variant == "v7" {
+			p.Variant = ""
+		}
+		if isKnownArch(p.Architecture) {
+			p.OS = runtime.GOOS
+			return p, nil
+		}
+
+		return specs.Platform{}, fmt.Errorf("%q: unknown operating system or architecture: %w", specifier, errInvalidArgument)
+	case 2:
+		// In this case, we treat as a regular OS[(OSVersion)]/arch pair. We don't care
+		// about whether or not we know of the platform.
+		p.Architecture, p.Variant = normalizeArch(parts[1], "")
+		if p.Architecture == "arm" && p.Variant == "v7" {
+			p.Variant = ""
+		}
+
+		return p, nil
+	case 3:
+		// we have a fully specified variant, this is rare
+		p.Architecture, p.Variant = normalizeArch(parts[1], parts[2])
+		if p.Architecture == "arm64" && p.Variant == "" {
+			p.Variant = "v8"
+		}
+
+		return p, nil
+	}
+
+	return specs.Platform{}, fmt.Errorf("%q: cannot parse platform specifier: %w", specifier, errInvalidArgument)
+}
+
+// MustParse is like Parses but panics if the specifier cannot be parsed.
+// Simplifies initialization of global variables.
+func MustParse(specifier string) specs.Platform {
+	p, err := Parse(specifier)
+	if err != nil {
+		panic("platform: Parse(" + strconv.Quote(specifier) + "): " + err.Error())
+	}
+	return p
+}
+
+// Format returns a string specifier from the provided platform specification.
+func Format(platform specs.Platform) string {
+	if platform.OS == "" {
+		return "unknown"
+	}
+
+	return path.Join(platform.OS, platform.Architecture, platform.Variant)
+}
+
+// FormatAll returns a string specifier that also includes the OSVersion from the
+// provided platform specification.
+func FormatAll(platform specs.Platform) string {
+	if platform.OS == "" {
+		return "unknown"
+	}
+
+	if platform.OSVersion != "" {
+		OSAndVersion := fmt.Sprintf(osAndVersionFormat, platform.OS, platform.OSVersion)
+		return path.Join(OSAndVersion, platform.Architecture, platform.Variant)
+	}
+	return path.Join(platform.OS, platform.Architecture, platform.Variant)
+}
+
+// Normalize validates and translate the platform to the canonical value.
+//
+// For example, if "Aarch64" is encountered, we change it to "arm64" or if
+// "x86_64" is encountered, it becomes "amd64".
+func Normalize(platform specs.Platform) specs.Platform {
+	platform.OS = normalizeOS(platform.OS)
+	platform.Architecture, platform.Variant = normalizeArch(platform.Architecture, platform.Variant)
+
+	return platform
+}
diff --git a/vendor/github.com/containerd/platforms/platforms_other.go b/vendor/github.com/containerd/platforms/platforms_other.go
new file mode 100644
index 0000000000..03f4dcd998
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/platforms_other.go
@@ -0,0 +1,30 @@
+//go:build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// NewMatcher returns the default Matcher for containerd
+func newDefaultMatcher(platform specs.Platform) Matcher {
+	return &matcher{
+		Platform: Normalize(platform),
+	}
+}
diff --git a/vendor/github.com/containerd/platforms/platforms_windows.go b/vendor/github.com/containerd/platforms/platforms_windows.go
new file mode 100644
index 0000000000..950e2a2ddb
--- /dev/null
+++ b/vendor/github.com/containerd/platforms/platforms_windows.go
@@ -0,0 +1,34 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package platforms
+
+import (
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// NewMatcher returns a Windows matcher that will match on osVersionPrefix if
+// the platform is Windows otherwise use the default matcher
+func newDefaultMatcher(platform specs.Platform) Matcher {
+	prefix := prefix(platform.OSVersion)
+	return windowsmatcher{
+		Platform:        platform,
+		osVersionPrefix: prefix,
+		defaultMatcher: &matcher{
+			Platform: Normalize(platform),
+		},
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
new file mode 100644
index 0000000000..ca0e3c62c7
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
@@ -0,0 +1,256 @@
+# Changelog #
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased] ##
+
+## [0.4.1] - 2025-01-28 ##
+
+### Fixed ###
+- The restrictions added for `root` paths passed to `SecureJoin` in 0.4.0 was
+  found to be too strict and caused some regressions when folks tried to
+  update, so this restriction has been relaxed to only return an error if the
+  path contains a `..` component. We still recommend users use `filepath.Clean`
+  (and even `filepath.EvalSymlinks`) on the `root` path they are using, but at
+  least you will no longer be punished for "trivial" unclean paths.
+
+## [0.4.0] - 2025-01-13 ##
+
+### Breaking ####
+- `SecureJoin(VFS)` will now return an error if the provided `root` is not a
+  `filepath.Clean`'d path.
+
+  While it is ultimately the responsibility of the caller to ensure the root is
+  a safe path to use, passing a path like `/symlink/..` as a root would result
+  in the `SecureJoin`'d path being placed in `/` even though `/symlink/..`
+  might be a different directory, and so we should more strongly discourage
+  such usage.
+
+  All major users of `securejoin.SecureJoin` already ensure that the paths they
+  provide are safe (and this is ultimately a question of user error), but
+  removing this foot-gun is probably a good idea. Of course, this is
+  necessarily a breaking API change (though we expect no real users to be
+  affected by it).
+
+  Thanks to [Erik Sjölund](https://github.com/eriksjolund), who initially
+  reported this issue as a possible security issue.
+
+- `MkdirAll` and `MkdirHandle` now take an `os.FileMode`-style mode argument
+  instead of a raw `unix.S_*`-style mode argument, which may cause compile-time
+  type errors depending on how you use `filepath-securejoin`. For most users,
+  there will be no change in behaviour aside from the type change (as the
+  bottom `0o777` bits are the same in both formats, and most users are probably
+  only using those bits).
+
+  However, if you were using `unix.S_ISVTX` to set the sticky bit with
+  `MkdirAll(Handle)` you will need to switch to `os.ModeSticky` otherwise you
+  will get a runtime error with this update. In addition, the error message you
+  will get from passing `unix.S_ISUID` and `unix.S_ISGID` will be different as
+  they are treated as invalid bits now (note that previously passing said bits
+  was also an error).
+
+## [0.3.6] - 2024-12-17 ##
+
+### Compatibility ###
+- The minimum Go version requirement for `filepath-securejoin` is now Go 1.18
+  (we use generics internally).
+
+  For reference, `filepath-securejoin@v0.3.0` somewhat-arbitrarily bumped the
+  Go version requirement to 1.21.
+
+  While we did make some use of Go 1.21 stdlib features (and in principle Go
+  versions <= 1.21 are no longer even supported by upstream anymore), some
+  downstreams have complained that the version bump has meant that they have to
+  do workarounds when backporting fixes that use the new `filepath-securejoin`
+  API onto old branches. This is not an ideal situation, but since using this
+  library is probably better for most downstreams than a hand-rolled
+  workaround, we now have compatibility shims that allow us to build on older
+  Go versions.
+- Lower minimum version requirement for `golang.org/x/sys` to `v0.18.0` (we
+  need the wrappers for `fsconfig(2)`), which should also make backporting
+  patches to older branches easier.
+
+## [0.3.5] - 2024-12-06 ##
+
+### Fixed ###
+- `MkdirAll` will now no longer return an `EEXIST` error if two racing
+  processes are creating the same directory. We will still verify that the path
+  is a directory, but this will avoid spurious errors when multiple threads or
+  programs are trying to `MkdirAll` the same path. opencontainers/runc#4543
+
+## [0.3.4] - 2024-10-09 ##
+
+### Fixed ###
+- Previously, some testing mocks we had resulted in us doing `import "testing"`
+  in non-`_test.go` code, which made some downstreams like Kubernetes unhappy.
+  This has been fixed. (#32)
+
+## [0.3.3] - 2024-09-30 ##
+
+### Fixed ###
+- The mode and owner verification logic in `MkdirAll` has been removed. This
+  was originally intended to protect against some theoretical attacks but upon
+  further consideration these protections don't actually buy us anything and
+  they were causing spurious errors with more complicated filesystem setups.
+- The "is the created directory empty" logic in `MkdirAll` has also been
+  removed. This was not causing us issues yet, but some pseudofilesystems (such
+  as `cgroup`) create non-empty directories and so this logic would've been
+  wrong for such cases.
+
+## [0.3.2] - 2024-09-13 ##
+
+### Changed ###
+- Passing the `S_ISUID` or `S_ISGID` modes to `MkdirAllInRoot` will now return
+  an explicit error saying that those bits are ignored by `mkdirat(2)`. In the
+  past a different error was returned, but since the silent ignoring behaviour
+  is codified in the man pages a more explicit error seems apt. While silently
+  ignoring these bits would be the most compatible option, it could lead to
+  users thinking their code sets these bits when it doesn't. Programs that need
+  to deal with compatibility can mask the bits themselves. (#23, #25)
+
+### Fixed ###
+- If a directory has `S_ISGID` set, then all child directories will have
+  `S_ISGID` set when created and a different gid will be used for any inode
+  created under the directory. Previously, the "expected owner and mode"
+  validation in `securejoin.MkdirAll` did not correctly handle this. We now
+  correctly handle this case. (#24, #25)
+
+## [0.3.1] - 2024-07-23 ##
+
+### Changed ###
+- By allowing `Open(at)InRoot` to opt-out of the extra work done by `MkdirAll`
+  to do the necessary "partial lookups", `Open(at)InRoot` now does less work
+  for both implementations (resulting in a many-fold decrease in the number of
+  operations for `openat2`, and a modest improvement for non-`openat2`) and is
+  far more guaranteed to match the correct `openat2(RESOLVE_IN_ROOT)`
+  behaviour.
+- We now use `readlinkat(fd, "")` where possible. For `Open(at)InRoot` this
+  effectively just means that we no longer risk getting spurious errors during
+  rename races. However, for our hardened procfs handler, this in theory should
+  prevent mount attacks from tricking us when doing magic-link readlinks (even
+  when using the unsafe host `/proc` handle). Unfortunately `Reopen` is still
+  potentially vulnerable to those kinds of somewhat-esoteric attacks.
+
+  Technically this [will only work on post-2.6.39 kernels][linux-readlinkat-emptypath]
+  but it seems incredibly unlikely anyone is using `filepath-securejoin` on a
+  pre-2011 kernel.
+
+### Fixed ###
+- Several improvements were made to the errors returned by `Open(at)InRoot` and
+  `MkdirAll` when dealing with invalid paths under the emulated (ie.
+  non-`openat2`) implementation. Previously, some paths would return the wrong
+  error (`ENOENT` when the last component was a non-directory), and other paths
+  would be returned as though they were acceptable (trailing-slash components
+  after a non-directory would be ignored by `Open(at)InRoot`).
+
+  These changes were done to match `openat2`'s behaviour and purely is a
+  consistency fix (most users are going to be using `openat2` anyway).
+
+[linux-readlinkat-emptypath]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=65cfc6722361570bfe255698d9cd4dccaf47570d
+
+## [0.3.0] - 2024-07-11 ##
+
+### Added ###
+- A new set of `*os.File`-based APIs have been added. These are adapted from
+  [libpathrs][] and we strongly suggest using them if possible (as they provide
+  far more protection against attacks than `SecureJoin`):
+
+   - `Open(at)InRoot` resolves a path inside a rootfs and returns an `*os.File`
+     handle to the path. Note that the handle returned is an `O_PATH` handle,
+     which cannot be used for reading or writing (as well as some other
+     operations -- [see open(2) for more details][open.2])
+
+   - `Reopen` takes an `O_PATH` file handle and safely re-opens it to upgrade
+     it to a regular handle. This can also be used with non-`O_PATH` handles,
+     but `O_PATH` is the most obvious application.
+
+   - `MkdirAll` is an implementation of `os.MkdirAll` that is safe to use to
+     create a directory tree within a rootfs.
+
+  As these are new APIs, they may change in the future. However, they should be
+  safe to start migrating to as we have extensive tests ensuring they behave
+  correctly and are safe against various races and other attacks.
+
+[libpathrs]: https://github.com/openSUSE/libpathrs
+[open.2]: https://www.man7.org/linux/man-pages/man2/open.2.html
+
+## [0.2.5] - 2024-05-03 ##
+
+### Changed ###
+- Some minor changes were made to how lexical components (like `..` and `.`)
+  are handled during path generation in `SecureJoin`. There is no behaviour
+  change as a result of this fix (the resulting paths are the same).
+
+### Fixed ###
+- The error returned when we hit a symlink loop now references the correct
+  path. (#10)
+
+## [0.2.4] - 2023-09-06 ##
+
+### Security ###
+- This release fixes a potential security issue in filepath-securejoin when
+  used on Windows ([GHSA-6xv5-86q9-7xr8][], which could be used to generate
+  paths outside of the provided rootfs in certain cases), as well as improving
+  the overall behaviour of filepath-securejoin when dealing with Windows paths
+  that contain volume names. Thanks to Paulo Gomes for discovering and fixing
+  these issues.
+
+### Fixed ###
+- Switch to GitHub Actions for CI so we can test on Windows as well as Linux
+  and MacOS.
+
+[GHSA-6xv5-86q9-7xr8]: https://github.com/advisories/GHSA-6xv5-86q9-7xr8
+
+## [0.2.3] - 2021-06-04 ##
+
+### Changed ###
+- Switch to Go 1.13-style `%w` error wrapping, letting us drop the dependency
+  on `github.com/pkg/errors`.
+
+## [0.2.2] - 2018-09-05 ##
+
+### Changed ###
+- Use `syscall.ELOOP` as the base error for symlink loops, rather than our own
+  (internal) error. This allows callers to more easily use `errors.Is` to check
+  for this case.
+
+## [0.2.1] - 2018-09-05 ##
+
+### Fixed ###
+- Use our own `IsNotExist` implementation, which lets us handle `ENOTDIR`
+  properly within `SecureJoin`.
+
+## [0.2.0] - 2017-07-19 ##
+
+We now have 100% test coverage!
+
+### Added ###
+- Add a `SecureJoinVFS` API that can be used for mocking (as we do in our new
+  tests) or for implementing custom handling of lookup operations (such as for
+  rootless containers, where work is necessary to access directories with weird
+  modes because we don't have `CAP_DAC_READ_SEARCH` or `CAP_DAC_OVERRIDE`).
+
+## 0.1.0 - 2017-07-19
+
+This is our first release of `github.com/cyphar/filepath-securejoin`,
+containing a full implementation with a coverage of 93.5% (the only missing
+cases are the error cases, which are hard to mocktest at the moment).
+
+[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.1...HEAD
+[0.4.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.0...v0.4.1
+[0.4.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.6...v0.4.0
+[0.3.6]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.5...v0.3.6
+[0.3.5]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.4...v0.3.5
+[0.3.4]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.3...v0.3.4
+[0.3.3]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.2...v0.3.3
+[0.3.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.1...v0.3.2
+[0.3.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.0...v0.3.1
+[0.3.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.5...v0.3.0
+[0.2.5]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.4...v0.2.5
+[0.2.4]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4
+[0.2.3]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.2...v0.2.3
+[0.2.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.1...v0.2.2
+[0.2.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.0...v0.2.1
+[0.2.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.1.0...v0.2.0
diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
new file mode 100644
index 0000000000..cb1ab88da0
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
@@ -0,0 +1,28 @@
+Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/README.md b/vendor/github.com/cyphar/filepath-securejoin/README.md
new file mode 100644
index 0000000000..eaeb53fcd0
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/README.md
@@ -0,0 +1,169 @@
+## `filepath-securejoin` ##
+
+[![Go Documentation](https://pkg.go.dev/badge/github.com/cyphar/filepath-securejoin.svg)](https://pkg.go.dev/github.com/cyphar/filepath-securejoin)
+[![Build Status](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml/badge.svg)](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml)
+
+### Old API ###
+
+This library was originally just an implementation of `SecureJoin` which was
+[intended to be included in the Go standard library][go#20126] as a safer
+`filepath.Join` that would restrict the path lookup to be inside a root
+directory.
+
+The implementation was based on code that existed in several container
+runtimes. Unfortunately, this API is **fundamentally unsafe** against attackers
+that can modify path components after `SecureJoin` returns and before the
+caller uses the path, allowing for some fairly trivial TOCTOU attacks.
+
+`SecureJoin` (and `SecureJoinVFS`) are still provided by this library to
+support legacy users, but new users are strongly suggested to avoid using
+`SecureJoin` and instead use the [new api](#new-api) or switch to
+[libpathrs][libpathrs].
+
+With the above limitations in mind, this library guarantees the following:
+
+* If no error is set, the resulting string **must** be a child path of
+  `root` and will not contain any symlink path components (they will all be
+  expanded).
+
+* When expanding symlinks, all symlink path components **must** be resolved
+  relative to the provided root. In particular, this can be considered a
+  userspace implementation of how `chroot(2)` operates on file paths. Note that
+  these symlinks will **not** be expanded lexically (`filepath.Clean` is not
+  called on the input before processing).
+
+* Non-existent path components are unaffected by `SecureJoin` (similar to
+  `filepath.EvalSymlinks`'s semantics).
+
+* The returned path will always be `filepath.Clean`ed and thus not contain any
+  `..` components.
+
+A (trivial) implementation of this function on GNU/Linux systems could be done
+with the following (note that this requires root privileges and is far more
+opaque than the implementation in this library, and also requires that
+`readlink` is inside the `root` path and is trustworthy):
+
+```go
+package securejoin
+
+import (
+	"os/exec"
+	"path/filepath"
+)
+
+func SecureJoin(root, unsafePath string) (string, error) {
+	unsafePath = string(filepath.Separator) + unsafePath
+	cmd := exec.Command("chroot", root,
+		"readlink", "--canonicalize-missing", "--no-newline", unsafePath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", err
+	}
+	expanded := string(output)
+	return filepath.Join(root, expanded), nil
+}
+```
+
+[libpathrs]: https://github.com/openSUSE/libpathrs
+[go#20126]: https://github.com/golang/go/issues/20126
+
+### New API ###
+
+While we recommend users switch to [libpathrs][libpathrs] as soon as it has a
+stable release, some methods implemented by libpathrs have been ported to this
+library to ease the transition. These APIs are only supported on Linux.
+
+These APIs are implemented such that `filepath-securejoin` will
+opportunistically use certain newer kernel APIs that make these operations far
+more secure. In particular:
+
+* All of the lookup operations will use [`openat2`][openat2.2] on new enough
+  kernels (Linux 5.6 or later) to restrict lookups through magic-links and
+  bind-mounts (for certain operations) and to make use of `RESOLVE_IN_ROOT` to
+  efficiently resolve symlinks within a rootfs.
+
+* The APIs provide hardening against a malicious `/proc` mount to either detect
+  or avoid being tricked by a `/proc` that is not legitimate. This is done
+  using [`openat2`][openat2.2] for all users, and privileged users will also be
+  further protected by using [`fsopen`][fsopen.2] and [`open_tree`][open_tree.2]
+  (Linux 5.2 or later).
+
+[openat2.2]: https://www.man7.org/linux/man-pages/man2/openat2.2.html
+[fsopen.2]: https://github.com/brauner/man-pages-md/blob/main/fsopen.md
+[open_tree.2]: https://github.com/brauner/man-pages-md/blob/main/open_tree.md
+
+#### `OpenInRoot` ####
+
+```go
+func OpenInRoot(root, unsafePath string) (*os.File, error)
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error)
+func Reopen(handle *os.File, flags int) (*os.File, error)
+```
+
+`OpenInRoot` is a much safer version of
+
+```go
+path, err := securejoin.SecureJoin(root, unsafePath)
+file, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
+```
+
+that protects against various race attacks that could lead to serious security
+issues, depending on the application. Note that the returned `*os.File` is an
+`O_PATH` file descriptor, which is quite restricted. Callers will probably need
+to use `Reopen` to get a more usable handle (this split is done to provide
+useful features like PTY spawning and to avoid users accidentally opening bad
+inodes that could cause a DoS).
+
+Callers need to be careful in how they use the returned `*os.File`. Usually it
+is only safe to operate on the handle directly, and it is very easy to create a
+security issue. [libpathrs][libpathrs] provides far more helpers to make using
+these handles safer -- there is currently no plan to port them to
+`filepath-securejoin`.
+
+`OpenatInRoot` is like `OpenInRoot` except that the root is provided using an
+`*os.File`. This allows you to ensure that multiple `OpenatInRoot` (or
+`MkdirAllHandle`) calls are operating on the same rootfs.
+
+> **NOTE**: Unlike `SecureJoin`, `OpenInRoot` will error out as soon as it hits
+> a dangling symlink or non-existent path. This is in contrast to `SecureJoin`
+> which treated non-existent components as though they were real directories,
+> and would allow for partial resolution of dangling symlinks. These behaviours
+> are at odds with how Linux treats non-existent paths and dangling symlinks,
+> and so these are no longer allowed.
+
+#### `MkdirAll` ####
+
+```go
+func MkdirAll(root, unsafePath string, mode int) error
+func MkdirAllHandle(root *os.File, unsafePath string, mode int) (*os.File, error)
+```
+
+`MkdirAll` is a much safer version of
+
+```go
+path, err := securejoin.SecureJoin(root, unsafePath)
+err = os.MkdirAll(path, mode)
+```
+
+that protects against the same kinds of races that `OpenInRoot` protects
+against.
+
+`MkdirAllHandle` is like `MkdirAll` except that the root is provided using an
+`*os.File` (the reason for this is the same as with `OpenatInRoot`) and an
+`*os.File` of the final created directory is returned (this directory is
+guaranteed to be effectively identical to the directory created by
+`MkdirAllHandle`, which is not possible to ensure by just using `OpenatInRoot`
+after `MkdirAll`).
+
+> **NOTE**: Unlike `SecureJoin`, `MkdirAll` will error out as soon as it hits
+> a dangling symlink or non-existent path. This is in contrast to `SecureJoin`
+> which treated non-existent components as though they were real directories,
+> and would allow for partial resolution of dangling symlinks. These behaviours
+> are at odds with how Linux treats non-existent paths and dangling symlinks,
+> and so these are no longer allowed. This means that `MkdirAll` will not
+> create non-existent directories referenced by a dangling symlink.
+
+### License ###
+
+The license of this project is the same as Go, which is a BSD 3-clause license
+available in the `LICENSE` file.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/VERSION b/vendor/github.com/cyphar/filepath-securejoin/VERSION
new file mode 100644
index 0000000000..267577d47e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/VERSION
@@ -0,0 +1 @@
+0.4.1
diff --git a/vendor/github.com/cyphar/filepath-securejoin/doc.go b/vendor/github.com/cyphar/filepath-securejoin/doc.go
new file mode 100644
index 0000000000..1ec7d065ef
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/doc.go
@@ -0,0 +1,39 @@
+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+// Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package securejoin implements a set of helpers to make it easier to write Go
+// code that is safe against symlink-related escape attacks. The primary idea
+// is to let you resolve a path within a rootfs directory as if the rootfs was
+// a chroot.
+//
+// securejoin has two APIs, a "legacy" API and a "modern" API.
+//
+// The legacy API is [SecureJoin] and [SecureJoinVFS]. These methods are
+// **not** safe against race conditions where an attacker changes the
+// filesystem after (or during) the [SecureJoin] operation.
+//
+// The new API is made up of [OpenInRoot] and [MkdirAll] (and derived
+// functions). These are safe against racing attackers and have several other
+// protections that are not provided by the legacy API. There are many more
+// operations that most programs expect to be able to do safely, but we do not
+// provide explicit support for them because we want to encourage users to
+// switch to [libpathrs](https://github.com/openSUSE/libpathrs) which is a
+// cross-language next-generation library that is entirely designed around
+// operating on paths safely.
+//
+// securejoin has been used by several container runtimes (Docker, runc,
+// Kubernetes, etc) for quite a few years as a de-facto standard for operating
+// on container filesystem paths "safely". However, most users still use the
+// legacy API which is unsafe against various attacks (there is a fairly long
+// history of CVEs in dependent as a result). Users should switch to the modern
+// API as soon as possible (or even better, switch to libpathrs).
+//
+// This project was initially intended to be included in the Go standard
+// library, but [it was rejected](https://go.dev/issue/20126). There is now a
+// [new Go proposal](https://go.dev/issue/67002) for a safe path resolution API
+// that shares some of the goals of filepath-securejoin. However, that design
+// is intended to work like `openat2(RESOLVE_BENEATH)` which does not fit the
+// usecase of container runtimes and most system tools.
+package securejoin
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go
new file mode 100644
index 0000000000..42452bbf9b
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go
@@ -0,0 +1,18 @@
+//go:build linux && go1.20
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"fmt"
+)
+
+// wrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
+// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
+// is only guaranteed to give you baseErr.
+func wrapBaseError(baseErr, extraErr error) error {
+	return fmt.Errorf("%w: %w", extraErr, baseErr)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go
new file mode 100644
index 0000000000..e7adca3fd1
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go
@@ -0,0 +1,38 @@
+//go:build linux && !go1.20
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"fmt"
+)
+
+type wrappedError struct {
+	inner   error
+	isError error
+}
+
+func (err wrappedError) Is(target error) bool {
+	return err.isError == target
+}
+
+func (err wrappedError) Unwrap() error {
+	return err.inner
+}
+
+func (err wrappedError) Error() string {
+	return fmt.Sprintf("%v: %v", err.isError, err.inner)
+}
+
+// wrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
+// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
+// is only guaranteed to give you baseErr.
+func wrapBaseError(baseErr, extraErr error) error {
+	return wrappedError{
+		inner:   baseErr,
+		isError: extraErr,
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go
new file mode 100644
index 0000000000..ddd6fa9a41
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go
@@ -0,0 +1,32 @@
+//go:build linux && go1.21
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"slices"
+	"sync"
+)
+
+func slices_DeleteFunc[S ~[]E, E any](slice S, delFn func(E) bool) S {
+	return slices.DeleteFunc(slice, delFn)
+}
+
+func slices_Contains[S ~[]E, E comparable](slice S, val E) bool {
+	return slices.Contains(slice, val)
+}
+
+func slices_Clone[S ~[]E, E any](slice S) S {
+	return slices.Clone(slice)
+}
+
+func sync_OnceValue[T any](f func() T) func() T {
+	return sync.OnceValue(f)
+}
+
+func sync_OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	return sync.OnceValues(f)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go
new file mode 100644
index 0000000000..f1e6fe7e71
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go
@@ -0,0 +1,124 @@
+//go:build linux && !go1.21
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"sync"
+)
+
+// These are very minimal implementations of functions that appear in Go 1.21's
+// stdlib, included so that we can build on older Go versions. Most are
+// borrowed directly from the stdlib, and a few are modified to be "obviously
+// correct" without needing to copy too many other helpers.
+
+// clearSlice is equivalent to the builtin clear from Go 1.21.
+// Copied from the Go 1.24 stdlib implementation.
+func clearSlice[S ~[]E, E any](slice S) {
+	var zero E
+	for i := range slice {
+		slice[i] = zero
+	}
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func slices_IndexFunc[S ~[]E, E any](s S, f func(E) bool) int {
+	for i := range s {
+		if f(s[i]) {
+			return i
+		}
+	}
+	return -1
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func slices_DeleteFunc[S ~[]E, E any](s S, del func(E) bool) S {
+	i := slices_IndexFunc(s, del)
+	if i == -1 {
+		return s
+	}
+	// Don't start copying elements until we find one to delete.
+	for j := i + 1; j < len(s); j++ {
+		if v := s[j]; !del(v) {
+			s[i] = v
+			i++
+		}
+	}
+	clearSlice(s[i:]) // zero/nil out the obsolete elements, for GC
+	return s[:i]
+}
+
+// Similar to the stdlib slices.Contains, except that we don't have
+// slices.Index so we need to use slices.IndexFunc for this non-Func helper.
+func slices_Contains[S ~[]E, E comparable](s S, v E) bool {
+	return slices_IndexFunc(s, func(e E) bool { return e == v }) >= 0
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func slices_Clone[S ~[]E, E any](s S) S {
+	// Preserve nil in case it matters.
+	if s == nil {
+		return nil
+	}
+	return append(S([]E{}), s...)
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func sync_OnceValue[T any](f func() T) func() T {
+	var (
+		once   sync.Once
+		valid  bool
+		p      any
+		result T
+	)
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				panic(p)
+			}
+		}()
+		result = f()
+		f = nil
+		valid = true
+	}
+	return func() T {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+		return result
+	}
+}
+
+// Copied from the Go 1.24 stdlib implementation.
+func sync_OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	var (
+		once  sync.Once
+		valid bool
+		p     any
+		r1    T1
+		r2    T2
+	)
+	g := func() {
+		defer func() {
+			p = recover()
+			if !valid {
+				panic(p)
+			}
+		}()
+		r1, r2 = f()
+		f = nil
+		valid = true
+	}
+	return func() (T1, T2) {
+		once.Do(g)
+		if !valid {
+			panic(p)
+		}
+		return r1, r2
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/join.go b/vendor/github.com/cyphar/filepath-securejoin/join.go
new file mode 100644
index 0000000000..e6634d4778
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/join.go
@@ -0,0 +1,166 @@
+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+// Copyright (C) 2017-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+)
+
+const maxSymlinkLimit = 255
+
+// IsNotExist tells you if err is an error that implies that either the path
+// accessed does not exist (or path components don't exist). This is
+// effectively a more broad version of [os.IsNotExist].
+func IsNotExist(err error) bool {
+	// Check that it's not actually an ENOTDIR, which in some cases is a more
+	// convoluted case of ENOENT (usually involving weird paths).
+	return errors.Is(err, os.ErrNotExist) || errors.Is(err, syscall.ENOTDIR) || errors.Is(err, syscall.ENOENT)
+}
+
+// errUnsafeRoot is returned if the user provides SecureJoinVFS with a path
+// that contains ".." components.
+var errUnsafeRoot = errors.New("root path provided to SecureJoin contains '..' components")
+
+// stripVolume just gets rid of the Windows volume included in a path. Based on
+// some godbolt tests, the Go compiler is smart enough to make this a no-op on
+// Linux.
+func stripVolume(path string) string {
+	return path[len(filepath.VolumeName(path)):]
+}
+
+// hasDotDot checks if the path contains ".." components in a platform-agnostic
+// way.
+func hasDotDot(path string) bool {
+	// If we are on Windows, strip any volume letters. It turns out that
+	// C:..\foo may (or may not) be a valid pathname and we need to handle that
+	// leading "..".
+	path = stripVolume(path)
+	// Look for "/../" in the path, but we need to handle leading and trailing
+	// ".."s by adding separators. Doing this with filepath.Separator is ugly
+	// so just convert to Unix-style "/" first.
+	path = filepath.ToSlash(path)
+	return strings.Contains("/"+path+"/", "/../")
+}
+
+// SecureJoinVFS joins the two given path components (similar to [filepath.Join]) except
+// that the returned path is guaranteed to be scoped inside the provided root
+// path (when evaluated). Any symbolic links in the path are evaluated with the
+// given root treated as the root of the filesystem, similar to a chroot. The
+// filesystem state is evaluated through the given [VFS] interface (if nil, the
+// standard [os].* family of functions are used).
+//
+// Note that the guarantees provided by this function only apply if the path
+// components in the returned string are not modified (in other words are not
+// replaced with symlinks on the filesystem) after this function has returned.
+// Such a symlink race is necessarily out-of-scope of SecureJoinVFS.
+//
+// NOTE: Due to the above limitation, Linux users are strongly encouraged to
+// use [OpenInRoot] instead, which does safely protect against these kinds of
+// attacks. There is no way to solve this problem with SecureJoinVFS because
+// the API is fundamentally wrong (you cannot return a "safe" path string and
+// guarantee it won't be modified afterwards).
+//
+// Volume names in unsafePath are always discarded, regardless if they are
+// provided via direct input or when evaluating symlinks. Therefore:
+//
+// "C:\Temp" + "D:\path\to\file.txt" results in "C:\Temp\path\to\file.txt"
+//
+// If the provided root is not [filepath.Clean] then an error will be returned,
+// as such root paths are bordering on somewhat unsafe and using such paths is
+// not best practice. We also strongly suggest that any root path is first
+// fully resolved using [filepath.EvalSymlinks] or otherwise constructed to
+// avoid containing symlink components. Of course, the root also *must not* be
+// attacker-controlled.
+func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
+	// The root path must not contain ".." components, otherwise when we join
+	// the subpath we will end up with a weird path. We could work around this
+	// in other ways but users shouldn't be giving us non-lexical root paths in
+	// the first place.
+	if hasDotDot(root) {
+		return "", errUnsafeRoot
+	}
+
+	// Use the os.* VFS implementation if none was specified.
+	if vfs == nil {
+		vfs = osVFS{}
+	}
+
+	unsafePath = filepath.FromSlash(unsafePath)
+	var (
+		currentPath   string
+		remainingPath = unsafePath
+		linksWalked   int
+	)
+	for remainingPath != "" {
+		// On Windows, if we managed to end up at a path referencing a volume,
+		// drop the volume to make sure we don't end up with broken paths or
+		// escaping the root volume.
+		remainingPath = stripVolume(remainingPath)
+
+		// Get the next path component.
+		var part string
+		if i := strings.IndexRune(remainingPath, filepath.Separator); i == -1 {
+			part, remainingPath = remainingPath, ""
+		} else {
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
+		}
+
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here.
+		nextPath := filepath.Join(string(filepath.Separator), currentPath, part)
+		if nextPath == string(filepath.Separator) {
+			currentPath = ""
+			continue
+		}
+		fullPath := root + string(filepath.Separator) + nextPath
+
+		// Figure out whether the path is a symlink.
+		fi, err := vfs.Lstat(fullPath)
+		if err != nil && !IsNotExist(err) {
+			return "", err
+		}
+		// Treat non-existent path components the same as non-symlinks (we
+		// can't do any better here).
+		if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 {
+			currentPath = nextPath
+			continue
+		}
+
+		// It's a symlink, so get its contents and expand it by prepending it
+		// to the yet-unparsed path.
+		linksWalked++
+		if linksWalked > maxSymlinkLimit {
+			return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP}
+		}
+
+		dest, err := vfs.Readlink(fullPath)
+		if err != nil {
+			return "", err
+		}
+		remainingPath = dest + string(filepath.Separator) + remainingPath
+		// Absolute symlinks reset any work we've already done.
+		if filepath.IsAbs(dest) {
+			currentPath = ""
+		}
+	}
+
+	// There should be no lexical components like ".." left in the path here,
+	// but for safety clean up the path before joining it to the root.
+	finalPath := filepath.Join(string(filepath.Separator), currentPath)
+	return filepath.Join(root, finalPath), nil
+}
+
+// SecureJoin is a wrapper around [SecureJoinVFS] that just uses the [os].* library
+// of functions as the [VFS]. If in doubt, use this function over [SecureJoinVFS].
+func SecureJoin(root, unsafePath string) (string, error) {
+	return SecureJoinVFS(root, unsafePath, nil)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
new file mode 100644
index 0000000000..be81e498d7
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
@@ -0,0 +1,388 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+type symlinkStackEntry struct {
+	// (dir, remainingPath) is what we would've returned if the link didn't
+	// exist. This matches what openat2(RESOLVE_IN_ROOT) would return in
+	// this case.
+	dir           *os.File
+	remainingPath string
+	// linkUnwalked is the remaining path components from the original
+	// Readlink which we have yet to walk. When this slice is empty, we
+	// drop the link from the stack.
+	linkUnwalked []string
+}
+
+func (se symlinkStackEntry) String() string {
+	return fmt.Sprintf("<%s>/%s [->%s]", se.dir.Name(), se.remainingPath, strings.Join(se.linkUnwalked, "/"))
+}
+
+func (se symlinkStackEntry) Close() {
+	_ = se.dir.Close()
+}
+
+type symlinkStack []*symlinkStackEntry
+
+func (s *symlinkStack) IsEmpty() bool {
+	return s == nil || len(*s) == 0
+}
+
+func (s *symlinkStack) Close() {
+	if s != nil {
+		for _, link := range *s {
+			link.Close()
+		}
+		// TODO: Switch to clear once we switch to Go 1.21.
+		*s = nil
+	}
+}
+
+var (
+	errEmptyStack         = errors.New("[internal] stack is empty")
+	errBrokenSymlinkStack = errors.New("[internal error] broken symlink stack")
+)
+
+func (s *symlinkStack) popPart(part string) error {
+	if s == nil || s.IsEmpty() {
+		// If there is nothing in the symlink stack, then the part was from the
+		// real path provided by the user, and this is a no-op.
+		return errEmptyStack
+	}
+	if part == "." {
+		// "." components are no-ops -- we drop them when doing SwapLink.
+		return nil
+	}
+
+	tailEntry := (*s)[len(*s)-1]
+
+	// Double-check that we are popping the component we expect.
+	if len(tailEntry.linkUnwalked) == 0 {
+		return fmt.Errorf("%w: trying to pop component %q of empty stack entry %s", errBrokenSymlinkStack, part, tailEntry)
+	}
+	headPart := tailEntry.linkUnwalked[0]
+	if headPart != part {
+		return fmt.Errorf("%w: trying to pop component %q but the last stack entry is %s (%q)", errBrokenSymlinkStack, part, tailEntry, headPart)
+	}
+
+	// Drop the component, but keep the entry around in case we are dealing
+	// with a "tail-chained" symlink.
+	tailEntry.linkUnwalked = tailEntry.linkUnwalked[1:]
+	return nil
+}
+
+func (s *symlinkStack) PopPart(part string) error {
+	if err := s.popPart(part); err != nil {
+		if errors.Is(err, errEmptyStack) {
+			// Skip empty stacks.
+			err = nil
+		}
+		return err
+	}
+
+	// Clean up any of the trailing stack entries that are empty.
+	for lastGood := len(*s) - 1; lastGood >= 0; lastGood-- {
+		entry := (*s)[lastGood]
+		if len(entry.linkUnwalked) > 0 {
+			break
+		}
+		entry.Close()
+		(*s) = (*s)[:lastGood]
+	}
+	return nil
+}
+
+func (s *symlinkStack) push(dir *os.File, remainingPath, linkTarget string) error {
+	if s == nil {
+		return nil
+	}
+	// Split the link target and clean up any "" parts.
+	linkTargetParts := slices_DeleteFunc(
+		strings.Split(linkTarget, "/"),
+		func(part string) bool { return part == "" || part == "." })
+
+	// Copy the directory so the caller doesn't close our copy.
+	dirCopy, err := dupFile(dir)
+	if err != nil {
+		return err
+	}
+
+	// Add to the stack.
+	*s = append(*s, &symlinkStackEntry{
+		dir:           dirCopy,
+		remainingPath: remainingPath,
+		linkUnwalked:  linkTargetParts,
+	})
+	return nil
+}
+
+func (s *symlinkStack) SwapLink(linkPart string, dir *os.File, remainingPath, linkTarget string) error {
+	// If we are currently inside a symlink resolution, remove the symlink
+	// component from the last symlink entry, but don't remove the entry even
+	// if it's empty. If we are a "tail-chained" symlink (a trailing symlink we
+	// hit during a symlink resolution) we need to keep the old symlink until
+	// we finish the resolution.
+	if err := s.popPart(linkPart); err != nil {
+		if !errors.Is(err, errEmptyStack) {
+			return err
+		}
+		// Push the component regardless of whether the stack was empty.
+	}
+	return s.push(dir, remainingPath, linkTarget)
+}
+
+func (s *symlinkStack) PopTopSymlink() (*os.File, string, bool) {
+	if s == nil || s.IsEmpty() {
+		return nil, "", false
+	}
+	tailEntry := (*s)[0]
+	*s = (*s)[1:]
+	return tailEntry.dir, tailEntry.remainingPath, true
+}
+
+// partialLookupInRoot tries to lookup as much of the request path as possible
+// within the provided root (a-la RESOLVE_IN_ROOT) and opens the final existing
+// component of the requested path, returning a file handle to the final
+// existing component and a string containing the remaining path components.
+func partialLookupInRoot(root *os.File, unsafePath string) (*os.File, string, error) {
+	return lookupInRoot(root, unsafePath, true)
+}
+
+func completeLookupInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	handle, remainingPath, err := lookupInRoot(root, unsafePath, false)
+	if remainingPath != "" && err == nil {
+		// should never happen
+		err = fmt.Errorf("[bug] non-empty remaining path when doing a non-partial lookup: %q", remainingPath)
+	}
+	// lookupInRoot(partial=false) will always close the handle if an error is
+	// returned, so no need to double-check here.
+	return handle, err
+}
+
+func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.File, _ string, _ error) {
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+
+	// This is very similar to SecureJoin, except that we operate on the
+	// components using file descriptors. We then return the last component we
+	// managed open, along with the remaining path components not opened.
+
+	// Try to use openat2 if possible.
+	if hasOpenat2() {
+		return lookupOpenat2(root, unsafePath, partial)
+	}
+
+	// Get the "actual" root path from /proc/self/fd. This is necessary if the
+	// root is some magic-link like /proc/$pid/root, in which case we want to
+	// make sure when we do checkProcSelfFdPath that we are using the correct
+	// root path.
+	logicalRootPath, err := procSelfFdReadlink(root)
+	if err != nil {
+		return nil, "", fmt.Errorf("get real root path: %w", err)
+	}
+
+	currentDir, err := dupFile(root)
+	if err != nil {
+		return nil, "", fmt.Errorf("clone root fd: %w", err)
+	}
+	defer func() {
+		// If a handle is not returned, close the internal handle.
+		if Handle == nil {
+			_ = currentDir.Close()
+		}
+	}()
+
+	// symlinkStack is used to emulate how openat2(RESOLVE_IN_ROOT) treats
+	// dangling symlinks. If we hit a non-existent path while resolving a
+	// symlink, we need to return the (dir, remainingPath) that we had when we
+	// hit the symlink (treating the symlink as though it were a regular file).
+	// The set of (dir, remainingPath) sets is stored within the symlinkStack
+	// and we add and remove parts when we hit symlink and non-symlink
+	// components respectively. We need a stack because of recursive symlinks
+	// (symlinks that contain symlink components in their target).
+	//
+	// Note that the stack is ONLY used for book-keeping. All of the actual
+	// path walking logic is still based on currentPath/remainingPath and
+	// currentDir (as in SecureJoin).
+	var symStack *symlinkStack
+	if partial {
+		symStack = new(symlinkStack)
+		defer symStack.Close()
+	}
+
+	var (
+		linksWalked   int
+		currentPath   string
+		remainingPath = unsafePath
+	)
+	for remainingPath != "" {
+		// Save the current remaining path so if the part is not real we can
+		// return the path including the component.
+		oldRemainingPath := remainingPath
+
+		// Get the next path component.
+		var part string
+		if i := strings.IndexByte(remainingPath, '/'); i == -1 {
+			part, remainingPath = remainingPath, ""
+		} else {
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
+		}
+		// If we hit an empty component, we need to treat it as though it is
+		// "." so that trailing "/" and "//" components on a non-directory
+		// correctly return the right error code.
+		if part == "" {
+			part = "."
+		}
+
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here.
+		nextPath := path.Join("/", currentPath, part)
+		// If we logically hit the root, just clone the root rather than
+		// opening the part and doing all of the other checks.
+		if nextPath == "/" {
+			if err := symStack.PopPart(part); err != nil {
+				return nil, "", fmt.Errorf("walking into root with part %q failed: %w", part, err)
+			}
+			// Jump to root.
+			rootClone, err := dupFile(root)
+			if err != nil {
+				return nil, "", fmt.Errorf("clone root fd: %w", err)
+			}
+			_ = currentDir.Close()
+			currentDir = rootClone
+			currentPath = nextPath
+			continue
+		}
+
+		// Try to open the next component.
+		nextDir, err := openatFile(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		switch {
+		case err == nil:
+			st, err := nextDir.Stat()
+			if err != nil {
+				_ = nextDir.Close()
+				return nil, "", fmt.Errorf("stat component %q: %w", part, err)
+			}
+
+			switch st.Mode() & os.ModeType {
+			case os.ModeSymlink:
+				// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
+				// Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
+				// fstatat() with empty relative pathnames").
+				linkDest, err := readlinkatFile(nextDir, "")
+				// We don't need the handle anymore.
+				_ = nextDir.Close()
+				if err != nil {
+					return nil, "", err
+				}
+
+				linksWalked++
+				if linksWalked > maxSymlinkLimit {
+					return nil, "", &os.PathError{Op: "securejoin.lookupInRoot", Path: logicalRootPath + "/" + unsafePath, Err: unix.ELOOP}
+				}
+
+				// Swap out the symlink's component for the link entry itself.
+				if err := symStack.SwapLink(part, currentDir, oldRemainingPath, linkDest); err != nil {
+					return nil, "", fmt.Errorf("walking into symlink %q failed: push symlink: %w", part, err)
+				}
+
+				// Update our logical remaining path.
+				remainingPath = linkDest + "/" + remainingPath
+				// Absolute symlinks reset any work we've already done.
+				if path.IsAbs(linkDest) {
+					// Jump to root.
+					rootClone, err := dupFile(root)
+					if err != nil {
+						return nil, "", fmt.Errorf("clone root fd: %w", err)
+					}
+					_ = currentDir.Close()
+					currentDir = rootClone
+					currentPath = "/"
+				}
+
+			default:
+				// If we are dealing with a directory, simply walk into it.
+				_ = currentDir.Close()
+				currentDir = nextDir
+				currentPath = nextPath
+
+				// The part was real, so drop it from the symlink stack.
+				if err := symStack.PopPart(part); err != nil {
+					return nil, "", fmt.Errorf("walking into directory %q failed: %w", part, err)
+				}
+
+				// If we are operating on a .., make sure we haven't escaped.
+				// We only have to check for ".." here because walking down
+				// into a regular component component cannot cause you to
+				// escape. This mirrors the logic in RESOLVE_IN_ROOT, except we
+				// have to check every ".." rather than only checking after a
+				// rename or mount on the system.
+				if part == ".." {
+					// Make sure the root hasn't moved.
+					if err := checkProcSelfFdPath(logicalRootPath, root); err != nil {
+						return nil, "", fmt.Errorf("root path moved during lookup: %w", err)
+					}
+					// Make sure the path is what we expect.
+					fullPath := logicalRootPath + nextPath
+					if err := checkProcSelfFdPath(fullPath, currentDir); err != nil {
+						return nil, "", fmt.Errorf("walking into %q had unexpected result: %w", part, err)
+					}
+				}
+			}
+
+		default:
+			if !partial {
+				return nil, "", err
+			}
+			// If there are any remaining components in the symlink stack, we
+			// are still within a symlink resolution and thus we hit a dangling
+			// symlink. So pretend that the first symlink in the stack we hit
+			// was an ENOENT (to match openat2).
+			if oldDir, remainingPath, ok := symStack.PopTopSymlink(); ok {
+				_ = currentDir.Close()
+				return oldDir, remainingPath, err
+			}
+			// We have hit a final component that doesn't exist, so we have our
+			// partial open result. Note that we have to use the OLD remaining
+			// path, since the lookup failed.
+			return currentDir, oldRemainingPath, err
+		}
+	}
+
+	// If the unsafePath had a trailing slash, we need to make sure we try to
+	// do a relative "." open so that we will correctly return an error when
+	// the final component is a non-directory (to match openat2). In the
+	// context of openat2, a trailing slash and a trailing "/." are completely
+	// equivalent.
+	if strings.HasSuffix(unsafePath, "/") {
+		nextDir, err := openatFile(currentDir, ".", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			if !partial {
+				_ = currentDir.Close()
+				currentDir = nil
+			}
+			return currentDir, "", err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+	}
+
+	// All of the components existed!
+	return currentDir, "", nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go b/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
new file mode 100644
index 0000000000..a17ae3b038
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
@@ -0,0 +1,236 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+var (
+	errInvalidMode    = errors.New("invalid permission mode")
+	errPossibleAttack = errors.New("possible attack detected")
+)
+
+// modePermExt is like os.ModePerm except that it also includes the set[ug]id
+// and sticky bits.
+const modePermExt = os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky
+
+//nolint:cyclop // this function needs to handle a lot of cases
+func toUnixMode(mode os.FileMode) (uint32, error) {
+	sysMode := uint32(mode.Perm())
+	if mode&os.ModeSetuid != 0 {
+		sysMode |= unix.S_ISUID
+	}
+	if mode&os.ModeSetgid != 0 {
+		sysMode |= unix.S_ISGID
+	}
+	if mode&os.ModeSticky != 0 {
+		sysMode |= unix.S_ISVTX
+	}
+	// We don't allow file type bits.
+	if mode&os.ModeType != 0 {
+		return 0, fmt.Errorf("%w %+.3o (%s): type bits not permitted", errInvalidMode, mode, mode)
+	}
+	// We don't allow other unknown modes.
+	if mode&^modePermExt != 0 || sysMode&unix.S_IFMT != 0 {
+		return 0, fmt.Errorf("%w %+.3o (%s): unknown mode bits", errInvalidMode, mode, mode)
+	}
+	return sysMode, nil
+}
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (_ *os.File, Err error) {
+	unixMode, err := toUnixMode(mode)
+	if err != nil {
+		return nil, err
+	}
+	// On Linux, mkdirat(2) (and os.Mkdir) silently ignore the suid and sgid
+	// bits. We could also silently ignore them but since we have very few
+	// users it seems more prudent to return an error so users notice that
+	// these bits will not be set.
+	if unixMode&^0o1777 != 0 {
+		return nil, fmt.Errorf("%w for mkdir %+.3o: suid and sgid are ignored by mkdir", errInvalidMode, mode)
+	}
+
+	// Try to open as much of the path as possible.
+	currentDir, remainingPath, err := partialLookupInRoot(root, unsafePath)
+	defer func() {
+		if Err != nil {
+			_ = currentDir.Close()
+		}
+	}()
+	if err != nil && !errors.Is(err, unix.ENOENT) {
+		return nil, fmt.Errorf("find existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// If there is an attacker deleting directories as we walk into them,
+	// detect this proactively. Note this is guaranteed to detect if the
+	// attacker deleted any part of the tree up to currentDir.
+	//
+	// Once we walk into a dead directory, partialLookupInRoot would not be
+	// able to walk further down the tree (directories must be empty before
+	// they are deleted), and if the attacker has removed the entire tree we
+	// can be sure that anything that was originally inside a dead directory
+	// must also be deleted and thus is a dead directory in its own right.
+	//
+	// This is mostly a quality-of-life check, because mkdir will simply fail
+	// later if the attacker deletes the tree after this check.
+	if err := isDeadInode(currentDir); err != nil {
+		return nil, fmt.Errorf("finding existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// Re-open the path to match the O_DIRECTORY reopen loop later (so that we
+	// always return a non-O_PATH handle). We also check that we actually got a
+	// directory.
+	if reopenDir, err := Reopen(currentDir, unix.O_DIRECTORY|unix.O_CLOEXEC); errors.Is(err, unix.ENOTDIR) {
+		return nil, fmt.Errorf("cannot create subdirectories in %q: %w", currentDir.Name(), unix.ENOTDIR)
+	} else if err != nil {
+		return nil, fmt.Errorf("re-opening handle to %q: %w", currentDir.Name(), err)
+	} else {
+		_ = currentDir.Close()
+		currentDir = reopenDir
+	}
+
+	remainingParts := strings.Split(remainingPath, string(filepath.Separator))
+	if slices_Contains(remainingParts, "..") {
+		// The path contained ".." components after the end of the "real"
+		// components. We could try to safely resolve ".." here but that would
+		// add a bunch of extra logic for something that it's not clear even
+		// needs to be supported. So just return an error.
+		//
+		// If we do filepath.Clean(remainingPath) then we end up with the
+		// problem that ".." can erase a trailing dangling symlink and produce
+		// a path that doesn't quite match what the user asked for.
+		return nil, fmt.Errorf("%w: yet-to-be-created path %q contains '..' components", unix.ENOENT, remainingPath)
+	}
+
+	// Create the remaining components.
+	for _, part := range remainingParts {
+		switch part {
+		case "", ".":
+			// Skip over no-op paths.
+			continue
+		}
+
+		// NOTE: mkdir(2) will not follow trailing symlinks, so we can safely
+		// create the final component without worrying about symlink-exchange
+		// attacks.
+		//
+		// If we get -EEXIST, it's possible that another program created the
+		// directory at the same time as us. In that case, just continue on as
+		// if we created it (if the created inode is not a directory, the
+		// following open call will fail).
+		if err := unix.Mkdirat(int(currentDir.Fd()), part, unixMode); err != nil && !errors.Is(err, unix.EEXIST) {
+			err = &os.PathError{Op: "mkdirat", Path: currentDir.Name() + "/" + part, Err: err}
+			// Make the error a bit nicer if the directory is dead.
+			if deadErr := isDeadInode(currentDir); deadErr != nil {
+				// TODO: Once we bump the minimum Go version to 1.20, we can use
+				// multiple %w verbs for this wrapping. For now we need to use a
+				// compatibility shim for older Go versions.
+				//err = fmt.Errorf("%w (%w)", err, deadErr)
+				err = wrapBaseError(err, deadErr)
+			}
+			return nil, err
+		}
+
+		// Get a handle to the next component. O_DIRECTORY means we don't need
+		// to use O_PATH.
+		var nextDir *os.File
+		if hasOpenat2() {
+			nextDir, err = openat2File(currentDir, part, &unix.OpenHow{
+				Flags:   unix.O_NOFOLLOW | unix.O_DIRECTORY | unix.O_CLOEXEC,
+				Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_NO_XDEV,
+			})
+		} else {
+			nextDir, err = openatFile(currentDir, part, unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+		}
+		if err != nil {
+			return nil, err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+
+		// It's possible that the directory we just opened was swapped by an
+		// attacker. Unfortunately there isn't much we can do to protect
+		// against this, and MkdirAll's behaviour is that we will reuse
+		// existing directories anyway so the need to protect against this is
+		// incredibly limited (and arguably doesn't even deserve mention here).
+		//
+		// Ideally we might want to check that the owner and mode match what we
+		// would've created -- unfortunately, it is non-trivial to verify that
+		// the owner and mode of the created directory match. While plain Unix
+		// DAC rules seem simple enough to emulate, there are a bunch of other
+		// factors that can change the mode or owner of created directories
+		// (default POSIX ACLs, mount options like uid=1,gid=2,umask=0 on
+		// filesystems like vfat, etc etc). We used to try to verify this but
+		// it just lead to a series of spurious errors.
+		//
+		// We could also check that the directory is non-empty, but
+		// unfortunately some pseduofilesystems (like cgroupfs) create
+		// non-empty directories, which would result in different spurious
+		// errors.
+	}
+	return currentDir, nil
+}
+
+// MkdirAll is a race-safe alternative to the [os.MkdirAll] function,
+// where the new directory is guaranteed to be within the root directory (if an
+// attacker can move directories from inside the root to outside the root, the
+// created directory tree might be outside of the root but the key constraint
+// is that at no point will we walk outside of the directory tree we are
+// creating).
+//
+// Effectively, MkdirAll(root, unsafePath, mode) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	err := os.MkdirAll(path, mode)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between [SecureJoin] and [os.MkdirAll], it is
+// possible for MkdirAll to resolve unsafe symlink components and create
+// directories outside of the root.
+//
+// If you plan to open the directory after you have created it or want to use
+// an open directory handle as the root, you should use [MkdirAllHandle] instead.
+// This function is a wrapper around [MkdirAllHandle].
+func MkdirAll(root, unsafePath string, mode os.FileMode) error {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return err
+	}
+	defer rootDir.Close()
+
+	f, err := MkdirAllHandle(rootDir, unsafePath, mode)
+	if err != nil {
+		return err
+	}
+	_ = f.Close()
+	return nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/open_linux.go b/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
new file mode 100644
index 0000000000..230be73f0e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
@@ -0,0 +1,103 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+
+	"golang.org/x/sys/unix"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	handle, err := completeLookupInRoot(root, unsafePath)
+	if err != nil {
+		return nil, &os.PathError{Op: "securejoin.OpenInRoot", Path: unsafePath, Err: err}
+	}
+	return handle, nil
+}
+
+// OpenInRoot safely opens the provided unsafePath within the root.
+// Effectively, OpenInRoot(root, unsafePath) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between [SecureJoin] and [os.OpenFile], it is
+// possible for the returned file to be outside of the root.
+//
+// Note that the returned handle is an O_PATH handle, meaning that only a very
+// limited set of operations will work on the handle. This is done to avoid
+// accidentally opening an untrusted file that could cause issues (such as a
+// disconnected TTY that could cause a DoS, or some other issue). In order to
+// use the returned handle, you can "upgrade" it to a proper handle using
+// [Reopen].
+func OpenInRoot(root, unsafePath string) (*os.File, error) {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer rootDir.Close()
+	return OpenatInRoot(rootDir, unsafePath)
+}
+
+// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
+// Reopen(file, flags) is effectively equivalent to
+//
+//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
+//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
+//
+// But with some extra hardenings to ensure that we are not tricked by a
+// maliciously-configured /proc mount. While this attack scenario is not
+// common, in container runtimes it is possible for higher-level runtimes to be
+// tricked into configuring an unsafe /proc that can be used to attack file
+// operations. See [CVE-2019-19921] for more details.
+//
+// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
+func Reopen(handle *os.File, flags int) (*os.File, error) {
+	procRoot, err := getProcRoot()
+	if err != nil {
+		return nil, err
+	}
+
+	// We can't operate on /proc/thread-self/fd/$n directly when doing a
+	// re-open, so we need to open /proc/thread-self/fd and then open a single
+	// final component.
+	procFdDir, closer, err := procThreadSelf(procRoot, "fd/")
+	if err != nil {
+		return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
+	}
+	defer procFdDir.Close()
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link we are about
+	// to open. If we are using unsafeHostProcRoot(), this could change after
+	// we check it (and there's nothing we can do about that) but for
+	// privateProcRoot() this should be guaranteed to be safe (at least since
+	// Linux 5.12[1], when anonymous mount namespaces were completely isolated
+	// from external mounts including mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	fdStr := strconv.Itoa(int(handle.Fd()))
+	if err := checkSymlinkOvermount(procRoot, procFdDir, fdStr); err != nil {
+		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
+	}
+
+	flags |= unix.O_CLOEXEC
+	// Rather than just wrapping openatFile, open-code it so we can copy
+	// handle.Name().
+	reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
+	if err != nil {
+		return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
+	}
+	return os.NewFile(uintptr(reopenFd), handle.Name()), nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
new file mode 100644
index 0000000000..f7a13e69ce
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
@@ -0,0 +1,127 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+var hasOpenat2 = sync_OnceValue(func() bool {
+	fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
+		Flags:   unix.O_PATH | unix.O_CLOEXEC,
+		Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
+	})
+	if err != nil {
+		return false
+	}
+	_ = unix.Close(fd)
+	return true
+})
+
+func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool {
+	// RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve
+	// ".." while a mount or rename occurs anywhere on the system. This could
+	// happen spuriously, or as the result of an attacker trying to mess with
+	// us during lookup.
+	//
+	// In addition, scoped lookups have a "safety check" at the end of
+	// complete_walk which will return -EXDEV if the final path is not in the
+	// root.
+	return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 &&
+		(errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV))
+}
+
+const scopedLookupMaxRetries = 10
+
+func openat2File(dir *os.File, path string, how *unix.OpenHow) (*os.File, error) {
+	fullPath := dir.Name() + "/" + path
+	// Make sure we always set O_CLOEXEC.
+	how.Flags |= unix.O_CLOEXEC
+	var tries int
+	for tries < scopedLookupMaxRetries {
+		fd, err := unix.Openat2(int(dir.Fd()), path, how)
+		if err != nil {
+			if scopedLookupShouldRetry(how, err) {
+				// We retry a couple of times to avoid the spurious errors, and
+				// if we are being attacked then returning -EAGAIN is the best
+				// we can do.
+				tries++
+				continue
+			}
+			return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err}
+		}
+		// If we are using RESOLVE_IN_ROOT, the name we generated may be wrong.
+		// NOTE: The procRoot code MUST NOT use RESOLVE_IN_ROOT, otherwise
+		//       you'll get infinite recursion here.
+		if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT {
+			if actualPath, err := rawProcSelfFdReadlink(fd); err == nil {
+				fullPath = actualPath
+			}
+		}
+		return os.NewFile(uintptr(fd), fullPath), nil
+	}
+	return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: errPossibleAttack}
+}
+
+func lookupOpenat2(root *os.File, unsafePath string, partial bool) (*os.File, string, error) {
+	if !partial {
+		file, err := openat2File(root, unsafePath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		return file, "", err
+	}
+	return partialLookupOpenat2(root, unsafePath)
+}
+
+// partialLookupOpenat2 is an alternative implementation of
+// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a
+// handle to the deepest existing child of the requested path within the root.
+func partialLookupOpenat2(root *os.File, unsafePath string) (*os.File, string, error) {
+	// TODO: Implement this as a git-bisect-like binary search.
+
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+	endIdx := len(unsafePath)
+	var lastError error
+	for endIdx > 0 {
+		subpath := unsafePath[:endIdx]
+
+		handle, err := openat2File(root, subpath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err == nil {
+			// Jump over the slash if we have a non-"" remainingPath.
+			if endIdx < len(unsafePath) {
+				endIdx += 1
+			}
+			// We found a subpath!
+			return handle, unsafePath[endIdx:], lastError
+		}
+		if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) {
+			// That path doesn't exist, let's try the next directory up.
+			endIdx = strings.LastIndexByte(subpath, '/')
+			lastError = err
+			continue
+		}
+		return nil, "", fmt.Errorf("open subpath: %w", err)
+	}
+	// If we couldn't open anything, the whole subpath is missing. Return a
+	// copy of the root fd so that the caller doesn't close this one by
+	// accident.
+	rootClone, err := dupFile(root)
+	if err != nil {
+		return nil, "", err
+	}
+	return rootClone, unsafePath, lastError
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go b/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
new file mode 100644
index 0000000000..949fb5f2d8
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
@@ -0,0 +1,59 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"os"
+	"path/filepath"
+
+	"golang.org/x/sys/unix"
+)
+
+func dupFile(f *os.File) (*os.File, error) {
+	fd, err := unix.FcntlInt(f.Fd(), unix.F_DUPFD_CLOEXEC, 0)
+	if err != nil {
+		return nil, os.NewSyscallError("fcntl(F_DUPFD_CLOEXEC)", err)
+	}
+	return os.NewFile(uintptr(fd), f.Name()), nil
+}
+
+func openatFile(dir *os.File, path string, flags int, mode int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.O_CLOEXEC
+	fd, err := unix.Openat(int(dir.Fd()), path, flags, uint32(mode))
+	if err != nil {
+		return nil, &os.PathError{Op: "openat", Path: dir.Name() + "/" + path, Err: err}
+	}
+	// All of the paths we use with openatFile(2) are guaranteed to be
+	// lexically safe, so we can use path.Join here.
+	fullPath := filepath.Join(dir.Name(), path)
+	return os.NewFile(uintptr(fd), fullPath), nil
+}
+
+func fstatatFile(dir *os.File, path string, flags int) (unix.Stat_t, error) {
+	var stat unix.Stat_t
+	if err := unix.Fstatat(int(dir.Fd()), path, &stat, flags); err != nil {
+		return stat, &os.PathError{Op: "fstatat", Path: dir.Name() + "/" + path, Err: err}
+	}
+	return stat, nil
+}
+
+func readlinkatFile(dir *os.File, path string) (string, error) {
+	size := 4096
+	for {
+		linkBuf := make([]byte, size)
+		n, err := unix.Readlinkat(int(dir.Fd()), path, linkBuf)
+		if err != nil {
+			return "", &os.PathError{Op: "readlinkat", Path: dir.Name() + "/" + path, Err: err}
+		}
+		if n != size {
+			return string(linkBuf[:n]), nil
+		}
+		// Possible truncation, resize the buffer.
+		size *= 2
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go b/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
new file mode 100644
index 0000000000..809a579cbd
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
@@ -0,0 +1,452 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+	"strconv"
+
+	"golang.org/x/sys/unix"
+)
+
+func fstat(f *os.File) (unix.Stat_t, error) {
+	var stat unix.Stat_t
+	if err := unix.Fstat(int(f.Fd()), &stat); err != nil {
+		return stat, &os.PathError{Op: "fstat", Path: f.Name(), Err: err}
+	}
+	return stat, nil
+}
+
+func fstatfs(f *os.File) (unix.Statfs_t, error) {
+	var statfs unix.Statfs_t
+	if err := unix.Fstatfs(int(f.Fd()), &statfs); err != nil {
+		return statfs, &os.PathError{Op: "fstatfs", Path: f.Name(), Err: err}
+	}
+	return statfs, nil
+}
+
+// The kernel guarantees that the root inode of a procfs mount has an
+// f_type of PROC_SUPER_MAGIC and st_ino of PROC_ROOT_INO.
+const (
+	procSuperMagic = 0x9fa0 // PROC_SUPER_MAGIC
+	procRootIno    = 1      // PROC_ROOT_INO
+)
+
+func verifyProcRoot(procRoot *os.File) error {
+	if statfs, err := fstatfs(procRoot); err != nil {
+		return err
+	} else if statfs.Type != procSuperMagic {
+		return fmt.Errorf("%w: incorrect procfs root filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
+	}
+	if stat, err := fstat(procRoot); err != nil {
+		return err
+	} else if stat.Ino != procRootIno {
+		return fmt.Errorf("%w: incorrect procfs root inode number %d", errUnsafeProcfs, stat.Ino)
+	}
+	return nil
+}
+
+var hasNewMountApi = sync_OnceValue(func() bool {
+	// All of the pieces of the new mount API we use (fsopen, fsconfig,
+	// fsmount, open_tree) were added together in Linux 5.1[1,2], so we can
+	// just check for one of the syscalls and the others should also be
+	// available.
+	//
+	// Just try to use open_tree(2) to open a file without OPEN_TREE_CLONE.
+	// This is equivalent to openat(2), but tells us if open_tree is
+	// available (and thus all of the other basic new mount API syscalls).
+	// open_tree(2) is most light-weight syscall to test here.
+	//
+	// [1]: merge commit 400913252d09
+	// [2]: <https://lore.kernel.org/lkml/153754740781.17872.7869536526927736855.stgit@warthog.procyon.org.uk/>
+	fd, err := unix.OpenTree(-int(unix.EBADF), "/", unix.OPEN_TREE_CLOEXEC)
+	if err != nil {
+		return false
+	}
+	_ = unix.Close(fd)
+	return true
+})
+
+func fsopen(fsName string, flags int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSOPEN_CLOEXEC
+	fd, err := unix.Fsopen(fsName, flags)
+	if err != nil {
+		return nil, os.NewSyscallError("fsopen "+fsName, err)
+	}
+	return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil
+}
+
+func fsmount(ctx *os.File, flags, mountAttrs int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSMOUNT_CLOEXEC
+	fd, err := unix.Fsmount(int(ctx.Fd()), flags, mountAttrs)
+	if err != nil {
+		return nil, os.NewSyscallError("fsmount "+ctx.Name(), err)
+	}
+	return os.NewFile(uintptr(fd), "fsmount:"+ctx.Name()), nil
+}
+
+func newPrivateProcMount() (*os.File, error) {
+	procfsCtx, err := fsopen("proc", unix.FSOPEN_CLOEXEC)
+	if err != nil {
+		return nil, err
+	}
+	defer procfsCtx.Close()
+
+	// Try to configure hidepid=ptraceable,subset=pid if possible, but ignore errors.
+	_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "hidepid", "ptraceable")
+	_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid")
+
+	// Get an actual handle.
+	if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {
+		return nil, os.NewSyscallError("fsconfig create procfs", err)
+	}
+	return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
+}
+
+func openTree(dir *os.File, path string, flags uint) (*os.File, error) {
+	dirFd := -int(unix.EBADF)
+	dirName := "."
+	if dir != nil {
+		dirFd = int(dir.Fd())
+		dirName = dir.Name()
+	}
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.OPEN_TREE_CLOEXEC
+	fd, err := unix.OpenTree(dirFd, path, flags)
+	if err != nil {
+		return nil, &os.PathError{Op: "open_tree", Path: path, Err: err}
+	}
+	return os.NewFile(uintptr(fd), dirName+"/"+path), nil
+}
+
+func clonePrivateProcMount() (_ *os.File, Err error) {
+	// Try to make a clone without using AT_RECURSIVE if we can. If this works,
+	// we can be sure there are no over-mounts and so if the root is valid then
+	// we're golden. Otherwise, we have to deal with over-mounts.
+	procfsHandle, err := openTree(nil, "/proc", unix.OPEN_TREE_CLONE)
+	if err != nil || hookForcePrivateProcRootOpenTreeAtRecursive(procfsHandle) {
+		procfsHandle, err = openTree(nil, "/proc", unix.OPEN_TREE_CLONE|unix.AT_RECURSIVE)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("creating a detached procfs clone: %w", err)
+	}
+	defer func() {
+		if Err != nil {
+			_ = procfsHandle.Close()
+		}
+	}()
+	if err := verifyProcRoot(procfsHandle); err != nil {
+		return nil, err
+	}
+	return procfsHandle, nil
+}
+
+func privateProcRoot() (*os.File, error) {
+	if !hasNewMountApi() || hookForceGetProcRootUnsafe() {
+		return nil, fmt.Errorf("new mount api: %w", unix.ENOTSUP)
+	}
+	// Try to create a new procfs mount from scratch if we can. This ensures we
+	// can get a procfs mount even if /proc is fake (for whatever reason).
+	procRoot, err := newPrivateProcMount()
+	if err != nil || hookForcePrivateProcRootOpenTree(procRoot) {
+		// Try to clone /proc then...
+		procRoot, err = clonePrivateProcMount()
+	}
+	return procRoot, err
+}
+
+func unsafeHostProcRoot() (_ *os.File, Err error) {
+	procRoot, err := os.OpenFile("/proc", unix.O_PATH|unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	if err := verifyProcRoot(procRoot); err != nil {
+		return nil, err
+	}
+	return procRoot, nil
+}
+
+func doGetProcRoot() (*os.File, error) {
+	procRoot, err := privateProcRoot()
+	if err != nil {
+		// Fall back to using a /proc handle if making a private mount failed.
+		// If we have openat2, at least we can avoid some kinds of over-mount
+		// attacks, but without openat2 there's not much we can do.
+		procRoot, err = unsafeHostProcRoot()
+	}
+	return procRoot, err
+}
+
+var getProcRoot = sync_OnceValues(func() (*os.File, error) {
+	return doGetProcRoot()
+})
+
+var hasProcThreadSelf = sync_OnceValue(func() bool {
+	return unix.Access("/proc/thread-self/", unix.F_OK) == nil
+})
+
+var errUnsafeProcfs = errors.New("unsafe procfs detected")
+
+type procThreadSelfCloser func()
+
+// procThreadSelf returns a handle to /proc/thread-self/<subpath> (or an
+// equivalent handle on older kernels where /proc/thread-self doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// (runtime.UnlockOSThread). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+//
+// This is similar to ProcThreadSelf from runc, but with extra hardening
+// applied and using *os.File.
+func procThreadSelf(procRoot *os.File, subpath string) (_ *os.File, _ procThreadSelfCloser, Err error) {
+	// We need to lock our thread until the caller is done with the handle
+	// because between getting the handle and using it we could get interrupted
+	// by the Go runtime and hit the case where the underlying thread is
+	// swapped out and the original thread is killed, resulting in
+	// pull-your-hair-out-hard-to-debug issues in the caller.
+	runtime.LockOSThread()
+	defer func() {
+		if Err != nil {
+			runtime.UnlockOSThread()
+		}
+	}()
+
+	// Figure out what prefix we want to use.
+	threadSelf := "thread-self/"
+	if !hasProcThreadSelf() || hookForceProcSelfTask() {
+		/// Pre-3.17 kernels don't have /proc/thread-self, so do it manually.
+		threadSelf = "self/task/" + strconv.Itoa(unix.Gettid()) + "/"
+		if _, err := fstatatFile(procRoot, threadSelf, unix.AT_SYMLINK_NOFOLLOW); err != nil || hookForceProcSelf() {
+			// In this case, we running in a pid namespace that doesn't match
+			// the /proc mount we have. This can happen inside runc.
+			//
+			// Unfortunately, there is no nice way to get the correct TID to
+			// use here because of the age of the kernel, so we have to just
+			// use /proc/self and hope that it works.
+			threadSelf = "self/"
+		}
+	}
+
+	// Grab the handle.
+	var (
+		handle *os.File
+		err    error
+	)
+	if hasOpenat2() {
+		// We prefer being able to use RESOLVE_NO_XDEV if we can, to be
+		// absolutely sure we are operating on a clean /proc handle that
+		// doesn't have any cheeky overmounts that could trick us (including
+		// symlink mounts on top of /proc/thread-self). RESOLVE_BENEATH isn't
+		// strictly needed, but just use it since we have it.
+		//
+		// NOTE: /proc/self is technically a magic-link (the contents of the
+		//       symlink are generated dynamically), but it doesn't use
+		//       nd_jump_link() so RESOLVE_NO_MAGICLINKS allows it.
+		//
+		// NOTE: We MUST NOT use RESOLVE_IN_ROOT here, as openat2File uses
+		//       procSelfFdReadlink to clean up the returned f.Name() if we use
+		//       RESOLVE_IN_ROOT (which would lead to an infinite recursion).
+		handle, err = openat2File(procRoot, threadSelf+subpath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_NOFOLLOW | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err != nil {
+			// TODO: Once we bump the minimum Go version to 1.20, we can use
+			// multiple %w verbs for this wrapping. For now we need to use a
+			// compatibility shim for older Go versions.
+			//err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
+			return nil, nil, wrapBaseError(err, errUnsafeProcfs)
+		}
+	} else {
+		handle, err = openatFile(procRoot, threadSelf+subpath, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			// TODO: Once we bump the minimum Go version to 1.20, we can use
+			// multiple %w verbs for this wrapping. For now we need to use a
+			// compatibility shim for older Go versions.
+			//err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
+			return nil, nil, wrapBaseError(err, errUnsafeProcfs)
+		}
+		defer func() {
+			if Err != nil {
+				_ = handle.Close()
+			}
+		}()
+		// We can't detect bind-mounts of different parts of procfs on top of
+		// /proc (a-la RESOLVE_NO_XDEV), but we can at least be sure that we
+		// aren't on the wrong filesystem here.
+		if statfs, err := fstatfs(handle); err != nil {
+			return nil, nil, err
+		} else if statfs.Type != procSuperMagic {
+			return nil, nil, fmt.Errorf("%w: incorrect /proc/self/fd filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
+		}
+	}
+	return handle, runtime.UnlockOSThread, nil
+}
+
+// STATX_MNT_ID_UNIQUE is provided in golang.org/x/sys@v0.20.0, but in order to
+// avoid bumping the requirement for a single constant we can just define it
+// ourselves.
+const STATX_MNT_ID_UNIQUE = 0x4000
+
+var hasStatxMountId = sync_OnceValue(func() bool {
+	var (
+		stx unix.Statx_t
+		// We don't care which mount ID we get. The kernel will give us the
+		// unique one if it is supported.
+		wantStxMask uint32 = STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
+	)
+	err := unix.Statx(-int(unix.EBADF), "/", 0, int(wantStxMask), &stx)
+	return err == nil && stx.Mask&wantStxMask != 0
+})
+
+func getMountId(dir *os.File, path string) (uint64, error) {
+	// If we don't have statx(STATX_MNT_ID*) support, we can't do anything.
+	if !hasStatxMountId() {
+		return 0, nil
+	}
+
+	var (
+		stx unix.Statx_t
+		// We don't care which mount ID we get. The kernel will give us the
+		// unique one if it is supported.
+		wantStxMask uint32 = STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
+	)
+
+	err := unix.Statx(int(dir.Fd()), path, unix.AT_EMPTY_PATH|unix.AT_SYMLINK_NOFOLLOW, int(wantStxMask), &stx)
+	if stx.Mask&wantStxMask == 0 {
+		// It's not a kernel limitation, for some reason we couldn't get a
+		// mount ID. Assume it's some kind of attack.
+		err = fmt.Errorf("%w: could not get mount id", errUnsafeProcfs)
+	}
+	if err != nil {
+		return 0, &os.PathError{Op: "statx(STATX_MNT_ID_...)", Path: dir.Name() + "/" + path, Err: err}
+	}
+	return stx.Mnt_id, nil
+}
+
+func checkSymlinkOvermount(procRoot *os.File, dir *os.File, path string) error {
+	// Get the mntId of our procfs handle.
+	expectedMountId, err := getMountId(procRoot, "")
+	if err != nil {
+		return err
+	}
+	// Get the mntId of the target magic-link.
+	gotMountId, err := getMountId(dir, path)
+	if err != nil {
+		return err
+	}
+	// As long as the directory mount is alive, even with wrapping mount IDs,
+	// we would expect to see a different mount ID here. (Of course, if we're
+	// using unsafeHostProcRoot() then an attaker could change this after we
+	// did this check.)
+	if expectedMountId != gotMountId {
+		return fmt.Errorf("%w: symlink %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountId, gotMountId)
+	}
+	return nil
+}
+
+func doRawProcSelfFdReadlink(procRoot *os.File, fd int) (string, error) {
+	fdPath := fmt.Sprintf("fd/%d", fd)
+	procFdLink, closer, err := procThreadSelf(procRoot, fdPath)
+	if err != nil {
+		return "", fmt.Errorf("get safe /proc/thread-self/%s handle: %w", fdPath, err)
+	}
+	defer procFdLink.Close()
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link. Since we use the handle directly
+	// provide to the closure. If the closure uses the handle directly, this
+	// should be safe in general (a mount on top of the path afterwards would
+	// not affect the handle itself) and will definitely be safe if we are
+	// using privateProcRoot() (at least since Linux 5.12[1], when anonymous
+	// mount namespaces were completely isolated from external mounts including
+	// mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	if err := checkSymlinkOvermount(procRoot, procFdLink, ""); err != nil {
+		return "", fmt.Errorf("check safety of /proc/thread-self/fd/%d magiclink: %w", fd, err)
+	}
+
+	// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See Linux commit
+	// 65cfc6722361 ("readlinkat(), fchownat() and fstatat() with empty
+	// relative pathnames").
+	return readlinkatFile(procFdLink, "")
+}
+
+func rawProcSelfFdReadlink(fd int) (string, error) {
+	procRoot, err := getProcRoot()
+	if err != nil {
+		return "", err
+	}
+	return doRawProcSelfFdReadlink(procRoot, fd)
+}
+
+func procSelfFdReadlink(f *os.File) (string, error) {
+	return rawProcSelfFdReadlink(int(f.Fd()))
+}
+
+var (
+	errPossibleBreakout = errors.New("possible breakout detected")
+	errInvalidDirectory = errors.New("wandered into deleted directory")
+	errDeletedInode     = errors.New("cannot verify path of deleted inode")
+)
+
+func isDeadInode(file *os.File) error {
+	// If the nlink of a file drops to 0, there is an attacker deleting
+	// directories during our walk, which could result in weird /proc values.
+	// It's better to error out in this case.
+	stat, err := fstat(file)
+	if err != nil {
+		return fmt.Errorf("check for dead inode: %w", err)
+	}
+	if stat.Nlink == 0 {
+		err := errDeletedInode
+		if stat.Mode&unix.S_IFMT == unix.S_IFDIR {
+			err = errInvalidDirectory
+		}
+		return fmt.Errorf("%w %q", err, file.Name())
+	}
+	return nil
+}
+
+func checkProcSelfFdPath(path string, file *os.File) error {
+	if err := isDeadInode(file); err != nil {
+		return err
+	}
+	actualPath, err := procSelfFdReadlink(file)
+	if err != nil {
+		return fmt.Errorf("get path of handle: %w", err)
+	}
+	if actualPath != path {
+		return fmt.Errorf("%w: handle path %q doesn't match expected path %q", errPossibleBreakout, actualPath, path)
+	}
+	return nil
+}
+
+// Test hooks used in the procfs tests to verify that the fallback logic works.
+// See testing_mocks_linux_test.go and procfs_linux_test.go for more details.
+var (
+	hookForcePrivateProcRootOpenTree            = hookDummyFile
+	hookForcePrivateProcRootOpenTreeAtRecursive = hookDummyFile
+	hookForceGetProcRootUnsafe                  = hookDummy
+
+	hookForceProcSelfTask = hookDummy
+	hookForceProcSelf     = hookDummy
+)
+
+func hookDummy() bool               { return false }
+func hookDummyFile(_ *os.File) bool { return false }
diff --git a/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
new file mode 100644
index 0000000000..36373f8c51
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
@@ -0,0 +1,35 @@
+// Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import "os"
+
+// In future this should be moved into a separate package, because now there
+// are several projects (umoci and go-mtree) that are using this sort of
+// interface.
+
+// VFS is the minimal interface necessary to use [SecureJoinVFS]. A nil VFS is
+// equivalent to using the standard [os].* family of functions. This is mainly
+// used for the purposes of mock testing, but also can be used to otherwise use
+// [SecureJoinVFS] with VFS-like system.
+type VFS interface {
+	// Lstat returns an [os.FileInfo] describing the named file. If the
+	// file is a symbolic link, the returned [os.FileInfo] describes the
+	// symbolic link. Lstat makes no attempt to follow the link.
+	// The semantics are identical to [os.Lstat].
+	Lstat(name string) (os.FileInfo, error)
+
+	// Readlink returns the destination of the named symbolic link.
+	// The semantics are identical to [os.Readlink].
+	Readlink(name string) (string, error)
+}
+
+// osVFS is the "nil" VFS, in that it just passes everything through to the os
+// module.
+type osVFS struct{}
+
+func (o osVFS) Lstat(name string) (os.FileInfo, error) { return os.Lstat(name) }
+
+func (o osVFS) Readlink(name string) (string, error) { return os.Readlink(name) }
diff --git a/vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD b/vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD
index ef634dd812..368eb571d1 100644
--- a/vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD
+++ b/vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD
@@ -1,10 +1,10 @@
 load("@com_google_protobuf//bazel:cc_proto_library.bzl", "cc_proto_library")
+load("@com_google_protobuf//bazel:proto_library.bzl", "proto_library")
+load("@com_google_protobuf//bazel:py_proto_library.bzl", "py_proto_library")
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
 load("@rules_cc//cc:defs.bzl", "cc_library")
 load("@rules_java//java:defs.bzl", "java_proto_library")
-load("@rules_proto//proto:defs.bzl", "proto_library")
-load("@rules_python//python:proto.bzl", "py_proto_library")
 
 package(
     default_visibility =
diff --git a/vendor/github.com/evanphx/json-patch/.gitignore b/vendor/github.com/evanphx/json-patch/.gitignore
new file mode 100644
index 0000000000..b7ed7f956d
--- /dev/null
+++ b/vendor/github.com/evanphx/json-patch/.gitignore
@@ -0,0 +1,6 @@
+# editor and IDE paraphernalia
+.idea
+.vscode
+
+# macOS paraphernalia
+.DS_Store
diff --git a/vendor/github.com/evanphx/json-patch/LICENSE b/vendor/github.com/evanphx/json-patch/LICENSE
new file mode 100644
index 0000000000..df76d7d771
--- /dev/null
+++ b/vendor/github.com/evanphx/json-patch/LICENSE
@@ -0,0 +1,25 @@
+Copyright (c) 2014, Evan Phoenix
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+* Neither the name of the Evan Phoenix nor the names of its contributors 
+  may be used to endorse or promote products derived from this software 
+  without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE 
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/evanphx/json-patch/README.md b/vendor/github.com/evanphx/json-patch/README.md
new file mode 100644
index 0000000000..86fefd5bf7
--- /dev/null
+++ b/vendor/github.com/evanphx/json-patch/README.md
@@ -0,0 +1,315 @@
+# JSON-Patch
+`jsonpatch` is a library which provides functionality for both applying
+[RFC6902 JSON patches](http://tools.ietf.org/html/rfc6902) against documents, as
+well as for calculating & applying [RFC7396 JSON merge patches](https://tools.ietf.org/html/rfc7396).
+
+[![GoDoc](https://godoc.org/github.com/evanphx/json-patch?status.svg)](http://godoc.org/github.com/evanphx/json-patch)
+[![Build Status](https://github.com/evanphx/json-patch/actions/workflows/go.yml/badge.svg)](https://github.com/evanphx/json-patch/actions/workflows/go.yml)
+[![Report Card](https://goreportcard.com/badge/github.com/evanphx/json-patch)](https://goreportcard.com/report/github.com/evanphx/json-patch)
+
+# Get It!
+
+**Latest and greatest**: 
+```bash
+go get -u github.com/evanphx/json-patch/v5
+```
+
+If you need version 4, use `go get -u gopkg.in/evanphx/json-patch.v4`
+
+(previous versions below `v3` are unavailable)
+
+# Use It!
+* [Create and apply a merge patch](#create-and-apply-a-merge-patch)
+* [Create and apply a JSON Patch](#create-and-apply-a-json-patch)
+* [Comparing JSON documents](#comparing-json-documents)
+* [Combine merge patches](#combine-merge-patches)
+
+
+# Configuration
+
+* There is a global configuration variable `jsonpatch.SupportNegativeIndices`.
+  This defaults to `true` and enables the non-standard practice of allowing
+  negative indices to mean indices starting at the end of an array. This
+  functionality can be disabled by setting `jsonpatch.SupportNegativeIndices =
+  false`.
+
+* There is a global configuration variable `jsonpatch.AccumulatedCopySizeLimit`,
+  which limits the total size increase in bytes caused by "copy" operations in a
+  patch. It defaults to 0, which means there is no limit.
+
+These global variables control the behavior of `jsonpatch.Apply`.
+
+An alternative to `jsonpatch.Apply` is `jsonpatch.ApplyWithOptions` whose behavior
+is controlled by an `options` parameter of type `*jsonpatch.ApplyOptions`.
+
+Structure `jsonpatch.ApplyOptions` includes the configuration options above 
+and adds two new options: `AllowMissingPathOnRemove` and `EnsurePathExistsOnAdd`.
+
+When `AllowMissingPathOnRemove` is set to `true`, `jsonpatch.ApplyWithOptions` will ignore
+`remove` operations whose `path` points to a non-existent location in the JSON document.
+`AllowMissingPathOnRemove` defaults to `false` which will lead to `jsonpatch.ApplyWithOptions`
+returning an error when hitting a missing `path` on `remove`.
+
+When `EnsurePathExistsOnAdd` is set to `true`, `jsonpatch.ApplyWithOptions` will make sure
+that `add` operations produce all the `path` elements that are missing from the target object.
+
+Use `jsonpatch.NewApplyOptions` to create an instance of `jsonpatch.ApplyOptions`
+whose values are populated from the global configuration variables.
+
+## Create and apply a merge patch
+Given both an original JSON document and a modified JSON document, you can create
+a [Merge Patch](https://tools.ietf.org/html/rfc7396) document. 
+
+It can describe the changes needed to convert from the original to the 
+modified JSON document.
+
+Once you have a merge patch, you can apply it to other JSON documents using the
+`jsonpatch.MergePatch(document, patch)` function.
+
+```go
+package main
+
+import (
+	"fmt"
+
+	jsonpatch "github.com/evanphx/json-patch"
+)
+
+func main() {
+	// Let's create a merge patch from these two documents...
+	original := []byte(`{"name": "John", "age": 24, "height": 3.21}`)
+	target := []byte(`{"name": "Jane", "age": 24}`)
+
+	patch, err := jsonpatch.CreateMergePatch(original, target)
+	if err != nil {
+		panic(err)
+	}
+
+	// Now lets apply the patch against a different JSON document...
+
+	alternative := []byte(`{"name": "Tina", "age": 28, "height": 3.75}`)
+	modifiedAlternative, err := jsonpatch.MergePatch(alternative, patch)
+
+	fmt.Printf("patch document:   %s\n", patch)
+	fmt.Printf("updated alternative doc: %s\n", modifiedAlternative)
+}
+```
+
+When ran, you get the following output:
+
+```bash
+$ go run main.go
+patch document:   {"height":null,"name":"Jane"}
+updated alternative doc: {"age":28,"name":"Jane"}
+```
+
+## Create and apply a JSON Patch
+You can create patch objects using `DecodePatch([]byte)`, which can then 
+be applied against JSON documents.
+
+The following is an example of creating a patch from two operations, and
+applying it against a JSON document.
+
+```go
+package main
+
+import (
+	"fmt"
+
+	jsonpatch "github.com/evanphx/json-patch"
+)
+
+func main() {
+	original := []byte(`{"name": "John", "age": 24, "height": 3.21}`)
+	patchJSON := []byte(`[
+		{"op": "replace", "path": "/name", "value": "Jane"},
+		{"op": "remove", "path": "/height"}
+	]`)
+
+	patch, err := jsonpatch.DecodePatch(patchJSON)
+	if err != nil {
+		panic(err)
+	}
+
+	modified, err := patch.Apply(original)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Printf("Original document: %s\n", original)
+	fmt.Printf("Modified document: %s\n", modified)
+}
+```
+
+When ran, you get the following output:
+
+```bash
+$ go run main.go
+Original document: {"name": "John", "age": 24, "height": 3.21}
+Modified document: {"age":24,"name":"Jane"}
+```
+
+## Comparing JSON documents
+Due to potential whitespace and ordering differences, one cannot simply compare
+JSON strings or byte-arrays directly. 
+
+As such, you can instead use `jsonpatch.Equal(document1, document2)` to 
+determine if two JSON documents are _structurally_ equal. This ignores
+whitespace differences, and key-value ordering.
+
+```go
+package main
+
+import (
+	"fmt"
+
+	jsonpatch "github.com/evanphx/json-patch"
+)
+
+func main() {
+	original := []byte(`{"name": "John", "age": 24, "height": 3.21}`)
+	similar := []byte(`
+		{
+			"age": 24,
+			"height": 3.21,
+			"name": "John"
+		}
+	`)
+	different := []byte(`{"name": "Jane", "age": 20, "height": 3.37}`)
+
+	if jsonpatch.Equal(original, similar) {
+		fmt.Println(`"original" is structurally equal to "similar"`)
+	}
+
+	if !jsonpatch.Equal(original, different) {
+		fmt.Println(`"original" is _not_ structurally equal to "different"`)
+	}
+}
+```
+
+When ran, you get the following output:
+```bash
+$ go run main.go
+"original" is structurally equal to "similar"
+"original" is _not_ structurally equal to "different"
+```
+
+## Combine merge patches
+Given two JSON merge patch documents, it is possible to combine them into a 
+single merge patch which can describe both set of changes.
+
+The resulting merge patch can be used such that applying it results in a
+document structurally similar as merging each merge patch to the document
+in succession. 
+
+```go
+package main
+
+import (
+	"fmt"
+
+	jsonpatch "github.com/evanphx/json-patch"
+)
+
+func main() {
+	original := []byte(`{"name": "John", "age": 24, "height": 3.21}`)
+
+	nameAndHeight := []byte(`{"height":null,"name":"Jane"}`)
+	ageAndEyes := []byte(`{"age":4.23,"eyes":"blue"}`)
+
+	// Let's combine these merge patch documents...
+	combinedPatch, err := jsonpatch.MergeMergePatches(nameAndHeight, ageAndEyes)
+	if err != nil {
+		panic(err)
+	}
+
+	// Apply each patch individual against the original document
+	withoutCombinedPatch, err := jsonpatch.MergePatch(original, nameAndHeight)
+	if err != nil {
+		panic(err)
+	}
+
+	withoutCombinedPatch, err = jsonpatch.MergePatch(withoutCombinedPatch, ageAndEyes)
+	if err != nil {
+		panic(err)
+	}
+
+	// Apply the combined patch against the original document
+
+	withCombinedPatch, err := jsonpatch.MergePatch(original, combinedPatch)
+	if err != nil {
+		panic(err)
+	}
+
+	// Do both result in the same thing? They should!
+	if jsonpatch.Equal(withCombinedPatch, withoutCombinedPatch) {
+		fmt.Println("Both JSON documents are structurally the same!")
+	}
+
+	fmt.Printf("combined merge patch: %s", combinedPatch)
+}
+```
+
+When ran, you get the following output:
+```bash
+$ go run main.go
+Both JSON documents are structurally the same!
+combined merge patch: {"age":4.23,"eyes":"blue","height":null,"name":"Jane"}
+```
+
+# CLI for comparing JSON documents
+You can install the commandline program `json-patch`.
+
+This program can take multiple JSON patch documents as arguments, 
+and fed a JSON document from `stdin`. It will apply the patch(es) against 
+the document and output the modified doc.
+
+**patch.1.json**
+```json
+[
+    {"op": "replace", "path": "/name", "value": "Jane"},
+    {"op": "remove", "path": "/height"}
+]
+```
+
+**patch.2.json**
+```json
+[
+    {"op": "add", "path": "/address", "value": "123 Main St"},
+    {"op": "replace", "path": "/age", "value": "21"}
+]
+```
+
+**document.json**
+```json
+{
+    "name": "John",
+    "age": 24,
+    "height": 3.21
+}
+```
+
+You can then run:
+
+```bash
+$ go install github.com/evanphx/json-patch/cmd/json-patch
+$ cat document.json | json-patch -p patch.1.json -p patch.2.json
+{"address":"123 Main St","age":"21","name":"Jane"}
+```
+
+# Help It!
+Contributions are welcomed! Leave [an issue](https://github.com/evanphx/json-patch/issues)
+or [create a PR](https://github.com/evanphx/json-patch/compare).
+
+
+Before creating a pull request, we'd ask that you make sure tests are passing
+and that you have added new tests when applicable.
+
+Contributors can run tests using:
+
+```bash
+go test -cover ./...
+```
+
+Builds for pull requests are tested automatically 
+using [GitHub Actions](https://github.com/evanphx/json-patch/actions/workflows/go.yml).
diff --git a/vendor/github.com/evanphx/json-patch/errors.go b/vendor/github.com/evanphx/json-patch/errors.go
new file mode 100644
index 0000000000..75304b4437
--- /dev/null
+++ b/vendor/github.com/evanphx/json-patch/errors.go
@@ -0,0 +1,38 @@
+package jsonpatch
+
+import "fmt"
+
+// AccumulatedCopySizeError is an error type returned when the accumulated size
+// increase caused by copy operations in a patch operation has exceeded the
+// limit.
+type AccumulatedCopySizeError struct {
+	limit       int64
+	accumulated int64
+}
+
+// NewAccumulatedCopySizeError returns an AccumulatedCopySizeError.
+func NewAccumulatedCopySizeError(l, a int64) *AccumulatedCopySizeError {
+	return &AccumulatedCopySizeError{limit: l, accumulated: a}
+}
+
+// Error implements the error interface.
+func (a *AccumulatedCopySizeError) Error() string {
+	return fmt.Sprintf("Unable to complete the copy, the accumulated size increase of copy is %d, exceeding the limit %d", a.accumulated, a.limit)
+}
+
+// ArraySizeError is an error type returned when the array size has exceeded
+// the limit.
+type ArraySizeError struct {
+	limit int
+	size  int
+}
+
+// NewArraySizeError returns an ArraySizeError.
+func NewArraySizeError(l, s int) *ArraySizeError {
+	return &ArraySizeError{limit: l, size: s}
+}
+
+// Error implements the error interface.
+func (a *ArraySizeError) Error() string {
+	return fmt.Sprintf("Unable to create array of size %d, limit is %d", a.size, a.limit)
+}
diff --git a/vendor/github.com/evanphx/json-patch/merge.go b/vendor/github.com/evanphx/json-patch/merge.go
new file mode 100644
index 0000000000..ad88d40181
--- /dev/null
+++ b/vendor/github.com/evanphx/json-patch/merge.go
@@ -0,0 +1,389 @@
+package jsonpatch
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"reflect"
+)
+
+func merge(cur, patch *lazyNode, mergeMerge bool) *lazyNode {
+	curDoc, err := cur.intoDoc()
+
+	if err != nil {
+		pruneNulls(patch)
+		return patch
+	}
+
+	patchDoc, err := patch.intoDoc()
+
+	if err != nil {
+		return patch
+	}
+
+	mergeDocs(curDoc, patchDoc, mergeMerge)
+
+	return cur
+}
+
+func mergeDocs(doc, patch *partialDoc, mergeMerge bool) {
+	for k, v := range *patch {
+		if v == nil {
+			if mergeMerge {
+				(*doc)[k] = nil
+			} else {
+				delete(*doc, k)
+			}
+		} else {
+			cur, ok := (*doc)[k]
+
+			if !ok || cur == nil {
+				if !mergeMerge {
+					pruneNulls(v)
+				}
+
+				(*doc)[k] = v
+			} else {
+				(*doc)[k] = merge(cur, v, mergeMerge)
+			}
+		}
+	}
+}
+
+func pruneNulls(n *lazyNode) {
+	sub, err := n.intoDoc()
+
+	if err == nil {
+		pruneDocNulls(sub)
+	} else {
+		ary, err := n.intoAry()
+
+		if err == nil {
+			pruneAryNulls(ary)
+		}
+	}
+}
+
+func pruneDocNulls(doc *partialDoc) *partialDoc {
+	for k, v := range *doc {
+		if v == nil {
+			delete(*doc, k)
+		} else {
+			pruneNulls(v)
+		}
+	}
+
+	return doc
+}
+
+func pruneAryNulls(ary *partialArray) *partialArray {
+	newAry := []*lazyNode{}
+
+	for _, v := range *ary {
+		if v != nil {
+			pruneNulls(v)
+		}
+		newAry = append(newAry, v)
+	}
+
+	*ary = newAry
+
+	return ary
+}
+
+var ErrBadJSONDoc = fmt.Errorf("Invalid JSON Document")
+var ErrBadJSONPatch = fmt.Errorf("Invalid JSON Patch")
+var errBadMergeTypes = fmt.Errorf("Mismatched JSON Documents")
+
+// MergeMergePatches merges two merge patches together, such that
+// applying this resulting merged merge patch to a document yields the same
+// as merging each merge patch to the document in succession.
+func MergeMergePatches(patch1Data, patch2Data []byte) ([]byte, error) {
+	return doMergePatch(patch1Data, patch2Data, true)
+}
+
+// MergePatch merges the patchData into the docData.
+func MergePatch(docData, patchData []byte) ([]byte, error) {
+	return doMergePatch(docData, patchData, false)
+}
+
+func doMergePatch(docData, patchData []byte, mergeMerge bool) ([]byte, error) {
+	doc := &partialDoc{}
+
+	docErr := json.Unmarshal(docData, doc)
+
+	patch := &partialDoc{}
+
+	patchErr := json.Unmarshal(patchData, patch)
+
+	if _, ok := docErr.(*json.SyntaxError); ok {
+		return nil, ErrBadJSONDoc
+	}
+
+	if _, ok := patchErr.(*json.SyntaxError); ok {
+		return nil, ErrBadJSONPatch
+	}
+
+	if docErr == nil && *doc == nil {
+		return nil, ErrBadJSONDoc
+	}
+
+	if patchErr == nil && *patch == nil {
+		return nil, ErrBadJSONPatch
+	}
+
+	if docErr != nil || patchErr != nil {
+		// Not an error, just not a doc, so we turn straight into the patch
+		if patchErr == nil {
+			if mergeMerge {
+				doc = patch
+			} else {
+				doc = pruneDocNulls(patch)
+			}
+		} else {
+			patchAry := &partialArray{}
+			patchErr = json.Unmarshal(patchData, patchAry)
+
+			if patchErr != nil {
+				return nil, ErrBadJSONPatch
+			}
+
+			pruneAryNulls(patchAry)
+
+			out, patchErr := json.Marshal(patchAry)
+
+			if patchErr != nil {
+				return nil, ErrBadJSONPatch
+			}
+
+			return out, nil
+		}
+	} else {
+		mergeDocs(doc, patch, mergeMerge)
+	}
+
+	return json.Marshal(doc)
+}
+
+// resemblesJSONArray indicates whether the byte-slice "appears" to be
+// a JSON array or not.
+// False-positives are possible, as this function does not check the internal
+// structure of the array. It only checks that the outer syntax is present and
+// correct.
+func resemblesJSONArray(input []byte) bool {
+	input = bytes.TrimSpace(input)
+
+	hasPrefix := bytes.HasPrefix(input, []byte("["))
+	hasSuffix := bytes.HasSuffix(input, []byte("]"))
+
+	return hasPrefix && hasSuffix
+}
+
+// CreateMergePatch will return a merge patch document capable of converting
+// the original document(s) to the modified document(s).
+// The parameters can be bytes of either two JSON Documents, or two arrays of
+// JSON documents.
+// The merge patch returned follows the specification defined at http://tools.ietf.org/html/draft-ietf-appsawg-json-merge-patch-07
+func CreateMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error) {
+	originalResemblesArray := resemblesJSONArray(originalJSON)
+	modifiedResemblesArray := resemblesJSONArray(modifiedJSON)
+
+	// Do both byte-slices seem like JSON arrays?
+	if originalResemblesArray && modifiedResemblesArray {
+		return createArrayMergePatch(originalJSON, modifiedJSON)
+	}
+
+	// Are both byte-slices are not arrays? Then they are likely JSON objects...
+	if !originalResemblesArray && !modifiedResemblesArray {
+		return createObjectMergePatch(originalJSON, modifiedJSON)
+	}
+
+	// None of the above? Then return an error because of mismatched types.
+	return nil, errBadMergeTypes
+}
+
+// createObjectMergePatch will return a merge-patch document capable of
+// converting the original document to the modified document.
+func createObjectMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error) {
+	originalDoc := map[string]interface{}{}
+	modifiedDoc := map[string]interface{}{}
+
+	err := json.Unmarshal(originalJSON, &originalDoc)
+	if err != nil {
+		return nil, ErrBadJSONDoc
+	}
+
+	err = json.Unmarshal(modifiedJSON, &modifiedDoc)
+	if err != nil {
+		return nil, ErrBadJSONDoc
+	}
+
+	dest, err := getDiff(originalDoc, modifiedDoc)
+	if err != nil {
+		return nil, err
+	}
+
+	return json.Marshal(dest)
+}
+
+// createArrayMergePatch will return an array of merge-patch documents capable
+// of converting the original document to the modified document for each
+// pair of JSON documents provided in the arrays.
+// Arrays of mismatched sizes will result in an error.
+func createArrayMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error) {
+	originalDocs := []json.RawMessage{}
+	modifiedDocs := []json.RawMessage{}
+
+	err := json.Unmarshal(originalJSON, &originalDocs)
+	if err != nil {
+		return nil, ErrBadJSONDoc
+	}
+
+	err = json.Unmarshal(modifiedJSON, &modifiedDocs)
+	if err != nil {
+		return nil, ErrBadJSONDoc
+	}
+
+	total := len(originalDocs)
+	if len(modifiedDocs) != total {
+		return nil, ErrBadJSONDoc
+	}
+
+	result := []json.RawMessage{}
+	for i := 0; i < len(originalDocs); i++ {
+		original := originalDocs[i]
+		modified := modifiedDocs[i]
+
+		patch, err := createObjectMergePatch(original, modified)
+		if err != nil {
+			return nil, err
+		}
+
+		result = append(result, json.RawMessage(patch))
+	}
+
+	return json.Marshal(result)
+}
+
+// Returns true if the array matches (must be json types).
+// As is idiomatic for go, an empty array is not the same as a nil array.
+func matchesArray(a, b []interface{}) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	if (a == nil && b != nil) || (a != nil && b == nil) {
+		return false
+	}
+	for i := range a {
+		if !matchesValue(a[i], b[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+// Returns true if the values matches (must be json types)
+// The types of the values must match, otherwise it will always return false
+// If two map[string]interface{} are given, all elements must match.
+func matchesValue(av, bv interface{}) bool {
+	if reflect.TypeOf(av) != reflect.TypeOf(bv) {
+		return false
+	}
+	switch at := av.(type) {
+	case string:
+		bt := bv.(string)
+		if bt == at {
+			return true
+		}
+	case float64:
+		bt := bv.(float64)
+		if bt == at {
+			return true
+		}
+	case bool:
+		bt := bv.(bool)
+		if bt == at {
+			return true
+		}
+	case nil:
+		// Both nil, fine.
+		return true
+	case map[string]interface{}:
+		bt := bv.(map[string]interface{})
+		if len(bt) != len(at) {
+			return false
+		}
+		for key := range bt {
+			av, aOK := at[key]
+			bv, bOK := bt[key]
+			if aOK != bOK {
+				return false
+			}
+			if !matchesValue(av, bv) {
+				return false
+			}
+		}
+		return true
+	case []interface{}:
+		bt := bv.([]interface{})
+		return matchesArray(at, bt)
+	}
+	return false
+}
+
+// getDiff returns the (recursive) difference between a and b as a map[string]interface{}.
+func getDiff(a, b map[string]interface{}) (map[string]interface{}, error) {
+	into := map[string]interface{}{}
+	for key, bv := range b {
+		av, ok := a[key]
+		// value was added
+		if !ok {
+			into[key] = bv
+			continue
+		}
+		// If types have changed, replace completely
+		if reflect.TypeOf(av) != reflect.TypeOf(bv) {
+			into[key] = bv
+			continue
+		}
+		// Types are the same, compare values
+		switch at := av.(type) {
+		case map[string]interface{}:
+			bt := bv.(map[string]interface{})
+			dst := make(map[string]interface{}, len(bt))
+			dst, err := getDiff(at, bt)
+			if err != nil {
+				return nil, err
+			}
+			if len(dst) > 0 {
+				into[key] = dst
+			}
+		case string, float64, bool:
+			if !matchesValue(av, bv) {
+				into[key] = bv
+			}
+		case []interface{}:
+			bt := bv.([]interface{})
+			if !matchesArray(at, bt) {
+				into[key] = bv
+			}
+		case nil:
+			switch bv.(type) {
+			case nil:
+				// Both nil, fine.
+			default:
+				into[key] = bv
+			}
+		default:
+			panic(fmt.Sprintf("Unknown type:%T in key %s", av, key))
+		}
+	}
+	// Now add all deleted values as nil
+	for key := range a {
+		_, found := b[key]
+		if !found {
+			into[key] = nil
+		}
+	}
+	return into, nil
+}
diff --git a/vendor/github.com/evanphx/json-patch/patch.go b/vendor/github.com/evanphx/json-patch/patch.go
new file mode 100644
index 0000000000..95136681ba
--- /dev/null
+++ b/vendor/github.com/evanphx/json-patch/patch.go
@@ -0,0 +1,850 @@
+package jsonpatch
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+const (
+	eRaw = iota
+	eDoc
+	eAry
+)
+
+var (
+	// SupportNegativeIndices decides whether to support non-standard practice of
+	// allowing negative indices to mean indices starting at the end of an array.
+	// Default to true.
+	SupportNegativeIndices bool = true
+	// AccumulatedCopySizeLimit limits the total size increase in bytes caused by
+	// "copy" operations in a patch.
+	AccumulatedCopySizeLimit int64 = 0
+)
+
+var (
+	ErrTestFailed   = errors.New("test failed")
+	ErrMissing      = errors.New("missing value")
+	ErrUnknownType  = errors.New("unknown object type")
+	ErrInvalid      = errors.New("invalid state detected")
+	ErrInvalidIndex = errors.New("invalid index referenced")
+)
+
+type lazyNode struct {
+	raw   *json.RawMessage
+	doc   partialDoc
+	ary   partialArray
+	which int
+}
+
+// Operation is a single JSON-Patch step, such as a single 'add' operation.
+type Operation map[string]*json.RawMessage
+
+// Patch is an ordered collection of Operations.
+type Patch []Operation
+
+type partialDoc map[string]*lazyNode
+type partialArray []*lazyNode
+
+type container interface {
+	get(key string) (*lazyNode, error)
+	set(key string, val *lazyNode) error
+	add(key string, val *lazyNode) error
+	remove(key string) error
+}
+
+func newLazyNode(raw *json.RawMessage) *lazyNode {
+	return &lazyNode{raw: raw, doc: nil, ary: nil, which: eRaw}
+}
+
+func (n *lazyNode) MarshalJSON() ([]byte, error) {
+	switch n.which {
+	case eRaw:
+		return json.Marshal(n.raw)
+	case eDoc:
+		return json.Marshal(n.doc)
+	case eAry:
+		return json.Marshal(n.ary)
+	default:
+		return nil, ErrUnknownType
+	}
+}
+
+func (n *lazyNode) UnmarshalJSON(data []byte) error {
+	dest := make(json.RawMessage, len(data))
+	copy(dest, data)
+	n.raw = &dest
+	n.which = eRaw
+	return nil
+}
+
+func deepCopy(src *lazyNode) (*lazyNode, int, error) {
+	if src == nil {
+		return nil, 0, nil
+	}
+	a, err := src.MarshalJSON()
+	if err != nil {
+		return nil, 0, err
+	}
+	sz := len(a)
+	ra := make(json.RawMessage, sz)
+	copy(ra, a)
+	return newLazyNode(&ra), sz, nil
+}
+
+func (n *lazyNode) intoDoc() (*partialDoc, error) {
+	if n.which == eDoc {
+		return &n.doc, nil
+	}
+
+	if n.raw == nil {
+		return nil, ErrInvalid
+	}
+
+	err := json.Unmarshal(*n.raw, &n.doc)
+
+	if err != nil {
+		return nil, err
+	}
+
+	n.which = eDoc
+	return &n.doc, nil
+}
+
+func (n *lazyNode) intoAry() (*partialArray, error) {
+	if n.which == eAry {
+		return &n.ary, nil
+	}
+
+	if n.raw == nil {
+		return nil, ErrInvalid
+	}
+
+	err := json.Unmarshal(*n.raw, &n.ary)
+
+	if err != nil {
+		return nil, err
+	}
+
+	n.which = eAry
+	return &n.ary, nil
+}
+
+func (n *lazyNode) compact() []byte {
+	buf := &bytes.Buffer{}
+
+	if n.raw == nil {
+		return nil
+	}
+
+	err := json.Compact(buf, *n.raw)
+
+	if err != nil {
+		return *n.raw
+	}
+
+	return buf.Bytes()
+}
+
+func (n *lazyNode) tryDoc() bool {
+	if n.raw == nil {
+		return false
+	}
+
+	err := json.Unmarshal(*n.raw, &n.doc)
+
+	if err != nil {
+		return false
+	}
+
+	n.which = eDoc
+	return true
+}
+
+func (n *lazyNode) tryAry() bool {
+	if n.raw == nil {
+		return false
+	}
+
+	err := json.Unmarshal(*n.raw, &n.ary)
+
+	if err != nil {
+		return false
+	}
+
+	n.which = eAry
+	return true
+}
+
+func (n *lazyNode) equal(o *lazyNode) bool {
+	if n.which == eRaw {
+		if !n.tryDoc() && !n.tryAry() {
+			if o.which != eRaw {
+				return false
+			}
+
+			return bytes.Equal(n.compact(), o.compact())
+		}
+	}
+
+	if n.which == eDoc {
+		if o.which == eRaw {
+			if !o.tryDoc() {
+				return false
+			}
+		}
+
+		if o.which != eDoc {
+			return false
+		}
+
+		if len(n.doc) != len(o.doc) {
+			return false
+		}
+
+		for k, v := range n.doc {
+			ov, ok := o.doc[k]
+
+			if !ok {
+				return false
+			}
+
+			if (v == nil) != (ov == nil) {
+				return false
+			}
+
+			if v == nil && ov == nil {
+				continue
+			}
+
+			if !v.equal(ov) {
+				return false
+			}
+		}
+
+		return true
+	}
+
+	if o.which != eAry && !o.tryAry() {
+		return false
+	}
+
+	if len(n.ary) != len(o.ary) {
+		return false
+	}
+
+	for idx, val := range n.ary {
+		if !val.equal(o.ary[idx]) {
+			return false
+		}
+	}
+
+	return true
+}
+
+// Kind reads the "op" field of the Operation.
+func (o Operation) Kind() string {
+	if obj, ok := o["op"]; ok && obj != nil {
+		var op string
+
+		err := json.Unmarshal(*obj, &op)
+
+		if err != nil {
+			return "unknown"
+		}
+
+		return op
+	}
+
+	return "unknown"
+}
+
+// Path reads the "path" field of the Operation.
+func (o Operation) Path() (string, error) {
+	if obj, ok := o["path"]; ok && obj != nil {
+		var op string
+
+		err := json.Unmarshal(*obj, &op)
+
+		if err != nil {
+			return "unknown", err
+		}
+
+		return op, nil
+	}
+
+	return "unknown", fmt.Errorf("operation missing path field: %w", ErrMissing)
+}
+
+// From reads the "from" field of the Operation.
+func (o Operation) From() (string, error) {
+	if obj, ok := o["from"]; ok && obj != nil {
+		var op string
+
+		err := json.Unmarshal(*obj, &op)
+
+		if err != nil {
+			return "unknown", err
+		}
+
+		return op, nil
+	}
+
+	return "unknown", fmt.Errorf("operation, missing from field: %w", ErrMissing)
+}
+
+func (o Operation) value() *lazyNode {
+	if obj, ok := o["value"]; ok {
+		return newLazyNode(obj)
+	}
+
+	return nil
+}
+
+// ValueInterface decodes the operation value into an interface.
+func (o Operation) ValueInterface() (interface{}, error) {
+	if obj, ok := o["value"]; ok && obj != nil {
+		var v interface{}
+
+		err := json.Unmarshal(*obj, &v)
+
+		if err != nil {
+			return nil, err
+		}
+
+		return v, nil
+	}
+
+	return nil, fmt.Errorf("operation, missing value field: %w", ErrMissing)
+}
+
+func isArray(buf []byte) bool {
+Loop:
+	for _, c := range buf {
+		switch c {
+		case ' ':
+		case '\n':
+		case '\t':
+			continue
+		case '[':
+			return true
+		default:
+			break Loop
+		}
+	}
+
+	return false
+}
+
+func findObject(pd *container, path string) (container, string) {
+	doc := *pd
+
+	split := strings.Split(path, "/")
+
+	if len(split) < 2 {
+		return nil, ""
+	}
+
+	parts := split[1 : len(split)-1]
+
+	key := split[len(split)-1]
+
+	var err error
+
+	for _, part := range parts {
+
+		next, ok := doc.get(decodePatchKey(part))
+
+		if next == nil || ok != nil || next.raw == nil {
+			return nil, ""
+		}
+
+		if isArray(*next.raw) {
+			doc, err = next.intoAry()
+
+			if err != nil {
+				return nil, ""
+			}
+		} else {
+			doc, err = next.intoDoc()
+
+			if err != nil {
+				return nil, ""
+			}
+		}
+	}
+
+	return doc, decodePatchKey(key)
+}
+
+func (d *partialDoc) set(key string, val *lazyNode) error {
+	(*d)[key] = val
+	return nil
+}
+
+func (d *partialDoc) add(key string, val *lazyNode) error {
+	(*d)[key] = val
+	return nil
+}
+
+func (d *partialDoc) get(key string) (*lazyNode, error) {
+	return (*d)[key], nil
+}
+
+func (d *partialDoc) remove(key string) error {
+	_, ok := (*d)[key]
+	if !ok {
+		return fmt.Errorf("Unable to remove nonexistent key: %s: %w", key, ErrMissing)
+	}
+
+	delete(*d, key)
+	return nil
+}
+
+// set should only be used to implement the "replace" operation, so "key" must
+// be an already existing index in "d".
+func (d *partialArray) set(key string, val *lazyNode) error {
+	idx, err := strconv.Atoi(key)
+	if err != nil {
+		return err
+	}
+
+	if idx < 0 {
+		if !SupportNegativeIndices {
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+		}
+		if idx < -len(*d) {
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+		}
+		idx += len(*d)
+	}
+
+	(*d)[idx] = val
+	return nil
+}
+
+func (d *partialArray) add(key string, val *lazyNode) error {
+	if key == "-" {
+		*d = append(*d, val)
+		return nil
+	}
+
+	idx, err := strconv.Atoi(key)
+	if err != nil {
+		return fmt.Errorf("value was not a proper array index: '%s': %w", key, err)
+	}
+
+	sz := len(*d) + 1
+
+	ary := make([]*lazyNode, sz)
+
+	cur := *d
+
+	if idx >= len(ary) {
+		return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+	}
+
+	if idx < 0 {
+		if !SupportNegativeIndices {
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+		}
+		if idx < -len(ary) {
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+		}
+		idx += len(ary)
+	}
+
+	copy(ary[0:idx], cur[0:idx])
+	ary[idx] = val
+	copy(ary[idx+1:], cur[idx:])
+
+	*d = ary
+	return nil
+}
+
+func (d *partialArray) get(key string) (*lazyNode, error) {
+	idx, err := strconv.Atoi(key)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if idx < 0 {
+		if !SupportNegativeIndices {
+			return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+		}
+		if idx < -len(*d) {
+			return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+		}
+		idx += len(*d)
+	}
+
+	if idx >= len(*d) {
+		return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+	}
+
+	return (*d)[idx], nil
+}
+
+func (d *partialArray) remove(key string) error {
+	idx, err := strconv.Atoi(key)
+	if err != nil {
+		return err
+	}
+
+	cur := *d
+
+	if idx >= len(cur) {
+		return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+	}
+
+	if idx < 0 {
+		if !SupportNegativeIndices {
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+		}
+		if idx < -len(cur) {
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
+		}
+		idx += len(cur)
+	}
+
+	ary := make([]*lazyNode, len(cur)-1)
+
+	copy(ary[0:idx], cur[0:idx])
+	copy(ary[idx:], cur[idx+1:])
+
+	*d = ary
+	return nil
+
+}
+
+func (p Patch) add(doc *container, op Operation) error {
+	path, err := op.Path()
+	if err != nil {
+		return fmt.Errorf("add operation failed to decode path: %w", ErrMissing)
+	}
+
+	con, key := findObject(doc, path)
+
+	if con == nil {
+		return fmt.Errorf("add operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing)
+	}
+
+	err = con.add(key, op.value())
+	if err != nil {
+		return fmt.Errorf("error in add for path: '%s': %w", path, err)
+	}
+
+	return nil
+}
+
+func (p Patch) remove(doc *container, op Operation) error {
+	path, err := op.Path()
+	if err != nil {
+		return fmt.Errorf("remove operation failed to decode path: %w", ErrMissing)
+	}
+
+	con, key := findObject(doc, path)
+
+	if con == nil {
+		return fmt.Errorf("remove operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing)
+	}
+
+	err = con.remove(key)
+	if err != nil {
+		return fmt.Errorf("error in remove for path: '%s': %w", path, err)
+	}
+
+	return nil
+}
+
+func (p Patch) replace(doc *container, op Operation) error {
+	path, err := op.Path()
+	if err != nil {
+		return fmt.Errorf("replace operation failed to decode path: %w", err)
+	}
+
+	if path == "" {
+		val := op.value()
+
+		if val.which == eRaw {
+			if !val.tryDoc() {
+				if !val.tryAry() {
+					return fmt.Errorf("replace operation value must be object or array: %w", err)
+				}
+			}
+		}
+
+		switch val.which {
+		case eAry:
+			*doc = &val.ary
+		case eDoc:
+			*doc = &val.doc
+		case eRaw:
+			return fmt.Errorf("replace operation hit impossible case: %w", err)
+		}
+
+		return nil
+	}
+
+	con, key := findObject(doc, path)
+
+	if con == nil {
+		return fmt.Errorf("replace operation does not apply: doc is missing path: %s: %w", path, ErrMissing)
+	}
+
+	_, ok := con.get(key)
+	if ok != nil {
+		return fmt.Errorf("replace operation does not apply: doc is missing key: %s: %w", path, ErrMissing)
+	}
+
+	err = con.set(key, op.value())
+	if err != nil {
+		return fmt.Errorf("error in remove for path: '%s': %w", path, err)
+	}
+
+	return nil
+}
+
+func (p Patch) move(doc *container, op Operation) error {
+	from, err := op.From()
+	if err != nil {
+		return fmt.Errorf("move operation failed to decode from: %w", err)
+	}
+
+	con, key := findObject(doc, from)
+
+	if con == nil {
+		return fmt.Errorf("move operation does not apply: doc is missing from path: %s: %w", from, ErrMissing)
+	}
+
+	val, err := con.get(key)
+	if err != nil {
+		return fmt.Errorf("error in move for path: '%s': %w", key, err)
+	}
+
+	err = con.remove(key)
+	if err != nil {
+		return fmt.Errorf("error in move for path: '%s': %w", key, err)
+	}
+
+	path, err := op.Path()
+	if err != nil {
+		return fmt.Errorf("move operation failed to decode path: %w", err)
+	}
+
+	con, key = findObject(doc, path)
+
+	if con == nil {
+		return fmt.Errorf("move operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing)
+	}
+
+	err = con.add(key, val)
+	if err != nil {
+		return fmt.Errorf("error in move for path: '%s': %w", path, err)
+	}
+
+	return nil
+}
+
+func (p Patch) test(doc *container, op Operation) error {
+	path, err := op.Path()
+	if err != nil {
+		return fmt.Errorf("test operation failed to decode path: %w", err)
+	}
+
+	if path == "" {
+		var self lazyNode
+
+		switch sv := (*doc).(type) {
+		case *partialDoc:
+			self.doc = *sv
+			self.which = eDoc
+		case *partialArray:
+			self.ary = *sv
+			self.which = eAry
+		}
+
+		if self.equal(op.value()) {
+			return nil
+		}
+
+		return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed)
+	}
+
+	con, key := findObject(doc, path)
+
+	if con == nil {
+		return fmt.Errorf("test operation does not apply: is missing path: %s: %w", path, ErrMissing)
+	}
+
+	val, err := con.get(key)
+	if err != nil {
+		return fmt.Errorf("error in test for path: '%s': %w", path, err)
+	}
+
+	if val == nil {
+		if op.value() == nil || op.value().raw == nil {
+			return nil
+		}
+		return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed)
+	} else if op.value() == nil {
+		return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed)
+	}
+
+	if val.equal(op.value()) {
+		return nil
+	}
+
+	return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed)
+}
+
+func (p Patch) copy(doc *container, op Operation, accumulatedCopySize *int64) error {
+	from, err := op.From()
+	if err != nil {
+		return fmt.Errorf("copy operation failed to decode from: %w", err)
+	}
+
+	con, key := findObject(doc, from)
+
+	if con == nil {
+		return fmt.Errorf("copy operation does not apply: doc is missing from path: %s: %w", from, ErrMissing)
+	}
+
+	val, err := con.get(key)
+	if err != nil {
+		return fmt.Errorf("error in copy for from: '%s': %w", from, err)
+	}
+
+	path, err := op.Path()
+	if err != nil {
+		return fmt.Errorf("copy operation failed to decode path: %w", ErrMissing)
+	}
+
+	con, key = findObject(doc, path)
+
+	if con == nil {
+		return fmt.Errorf("copy operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing)
+	}
+
+	valCopy, sz, err := deepCopy(val)
+	if err != nil {
+		return fmt.Errorf("error while performing deep copy: %w", err)
+	}
+
+	(*accumulatedCopySize) += int64(sz)
+	if AccumulatedCopySizeLimit > 0 && *accumulatedCopySize > AccumulatedCopySizeLimit {
+		return NewAccumulatedCopySizeError(AccumulatedCopySizeLimit, *accumulatedCopySize)
+	}
+
+	err = con.add(key, valCopy)
+	if err != nil {
+		return fmt.Errorf("error while adding value during copy: %w", err)
+	}
+
+	return nil
+}
+
+// Equal indicates if 2 JSON documents have the same structural equality.
+func Equal(a, b []byte) bool {
+	ra := make(json.RawMessage, len(a))
+	copy(ra, a)
+	la := newLazyNode(&ra)
+
+	rb := make(json.RawMessage, len(b))
+	copy(rb, b)
+	lb := newLazyNode(&rb)
+
+	return la.equal(lb)
+}
+
+// DecodePatch decodes the passed JSON document as an RFC 6902 patch.
+func DecodePatch(buf []byte) (Patch, error) {
+	var p Patch
+
+	err := json.Unmarshal(buf, &p)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return p, nil
+}
+
+// Apply mutates a JSON document according to the patch, and returns the new
+// document.
+func (p Patch) Apply(doc []byte) ([]byte, error) {
+	return p.ApplyIndent(doc, "")
+}
+
+// ApplyIndent mutates a JSON document according to the patch, and returns the new
+// document indented.
+func (p Patch) ApplyIndent(doc []byte, indent string) ([]byte, error) {
+	if len(doc) == 0 {
+		return doc, nil
+	}
+
+	var pd container
+	if doc[0] == '[' {
+		pd = &partialArray{}
+	} else {
+		pd = &partialDoc{}
+	}
+
+	err := json.Unmarshal(doc, pd)
+
+	if err != nil {
+		return nil, err
+	}
+
+	err = nil
+
+	var accumulatedCopySize int64
+
+	for _, op := range p {
+		switch op.Kind() {
+		case "add":
+			err = p.add(&pd, op)
+		case "remove":
+			err = p.remove(&pd, op)
+		case "replace":
+			err = p.replace(&pd, op)
+		case "move":
+			err = p.move(&pd, op)
+		case "test":
+			err = p.test(&pd, op)
+		case "copy":
+			err = p.copy(&pd, op, &accumulatedCopySize)
+		default:
+			err = fmt.Errorf("Unexpected kind: %s", op.Kind())
+		}
+
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if indent != "" {
+		return json.MarshalIndent(pd, "", indent)
+	}
+
+	return json.Marshal(pd)
+}
+
+// From http://tools.ietf.org/html/rfc6901#section-4 :
+//
+// Evaluation of each reference token begins by decoding any escaped
+// character sequence.  This is performed by first transforming any
+// occurrence of the sequence '~1' to '/', and then transforming any
+// occurrence of the sequence '~0' to '~'.
+
+var (
+	rfc6901Decoder = strings.NewReplacer("~1", "/", "~0", "~")
+)
+
+func decodePatchKey(k string) string {
+	return rfc6901Decoder.Replace(k)
+}
diff --git a/vendor/github.com/exponent-io/jsonpath/.gitignore b/vendor/github.com/exponent-io/jsonpath/.gitignore
new file mode 100644
index 0000000000..daf913b1b3
--- /dev/null
+++ b/vendor/github.com/exponent-io/jsonpath/.gitignore
@@ -0,0 +1,24 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
diff --git a/vendor/github.com/exponent-io/jsonpath/.travis.yml b/vendor/github.com/exponent-io/jsonpath/.travis.yml
new file mode 100644
index 0000000000..53bb8b3f95
--- /dev/null
+++ b/vendor/github.com/exponent-io/jsonpath/.travis.yml
@@ -0,0 +1,7 @@
+language: go
+arch:
+  - amd64
+  - ppc64le
+go:
+  - 1.15
+  - tip
diff --git a/vendor/github.com/exponent-io/jsonpath/LICENSE b/vendor/github.com/exponent-io/jsonpath/LICENSE
new file mode 100644
index 0000000000..5419772507
--- /dev/null
+++ b/vendor/github.com/exponent-io/jsonpath/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Exponent Labs LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/exponent-io/jsonpath/README.md b/vendor/github.com/exponent-io/jsonpath/README.md
new file mode 100644
index 0000000000..382fb3138c
--- /dev/null
+++ b/vendor/github.com/exponent-io/jsonpath/README.md
@@ -0,0 +1,66 @@
+[![GoDoc](https://godoc.org/github.com/exponent-io/jsonpath?status.svg)](https://godoc.org/github.com/exponent-io/jsonpath)
+[![Build Status](https://travis-ci.org/exponent-io/jsonpath.svg?branch=master)](https://travis-ci.org/exponent-io/jsonpath)
+
+# jsonpath
+
+This package extends the [json.Decoder](https://golang.org/pkg/encoding/json/#Decoder) to support navigating a stream of JSON tokens. You should be able to use this extended Decoder places where a json.Decoder would have been used.
+
+This Decoder has the following enhancements...
+ * The [Scan](https://godoc.org/github.com/exponent-io/jsonpath/#Decoder.Scan) method supports scanning a JSON stream while extracting particular values along the way using [PathActions](https://godoc.org/github.com/exponent-io/jsonpath#PathActions).
+ * The [SeekTo](https://godoc.org/github.com/exponent-io/jsonpath#Decoder.SeekTo) method supports seeking forward in a JSON token stream to a particular path.
+ * The [Path](https://godoc.org/github.com/exponent-io/jsonpath#Decoder.Path) method returns the path of the most recently parsed token.
+ * The [Token](https://godoc.org/github.com/exponent-io/jsonpath#Decoder.Token) method has been modified to distinguish between strings that are object keys and strings that are values. Object key strings are returned as the [KeyString](https://godoc.org/github.com/exponent-io/jsonpath#KeyString) type rather than a native string.
+
+## Installation
+
+    go get -u github.com/exponent-io/jsonpath
+
+## Example Usage
+
+#### SeekTo
+
+```go
+import "github.com/exponent-io/jsonpath"
+
+var j = []byte(`[
+  {"Space": "YCbCr", "Point": {"Y": 255, "Cb": 0, "Cr": -10}},
+  {"Space": "RGB",   "Point": {"R": 98, "G": 218, "B": 255}}
+]`)
+
+w := json.NewDecoder(bytes.NewReader(j))
+var v interface{}
+
+w.SeekTo(1, "Point", "G")
+w.Decode(&v) // v is 218
+```
+
+#### Scan with PathActions
+
+```go
+var j = []byte(`{"colors":[
+  {"Space": "YCbCr", "Point": {"Y": 255, "Cb": 0, "Cr": -10, "A": 58}},
+  {"Space": "RGB",   "Point": {"R": 98, "G": 218, "B": 255, "A": 231}}
+]}`)
+
+var actions PathActions
+
+// Extract the value at Point.A
+actions.Add(func(d *Decoder) error {
+  var alpha int
+  err := d.Decode(&alpha)
+  fmt.Printf("Alpha: %v\n", alpha)
+  return err
+}, "Point", "A")
+
+w := NewDecoder(bytes.NewReader(j))
+w.SeekTo("colors", 0)
+
+var ok = true
+var err error
+for ok {
+  ok, err = w.Scan(&actions)
+  if err != nil && err != io.EOF {
+    panic(err)
+  }
+}
+```
diff --git a/vendor/github.com/exponent-io/jsonpath/decoder.go b/vendor/github.com/exponent-io/jsonpath/decoder.go
new file mode 100644
index 0000000000..5e3a06548a
--- /dev/null
+++ b/vendor/github.com/exponent-io/jsonpath/decoder.go
@@ -0,0 +1,209 @@
+package jsonpath
+
+import (
+	"encoding/json"
+	"io"
+)
+
+// KeyString is returned from Decoder.Token to represent each key in a JSON object value.
+type KeyString string
+
+// Decoder extends the Go runtime's encoding/json.Decoder to support navigating in a stream of JSON tokens.
+type Decoder struct {
+	json.Decoder
+
+	path    JsonPath
+	context jsonContext
+}
+
+// NewDecoder creates a new instance of the extended JSON Decoder.
+func NewDecoder(r io.Reader) *Decoder {
+	return &Decoder{Decoder: *json.NewDecoder(r)}
+}
+
+// SeekTo causes the Decoder to move forward to a given path in the JSON structure.
+//
+// The path argument must consist of strings or integers. Each string specifies an JSON object key, and
+// each integer specifies an index into a JSON array.
+//
+// Consider the JSON structure
+//
+//  { "a": [0,"s",12e4,{"b":0,"v":35} ] }
+//
+// SeekTo("a",3,"v") will move to the value referenced by the "a" key in the current object,
+// followed by a move to the 4th value (index 3) in the array, followed by a move to the value at key "v".
+// In this example, a subsequent call to the decoder's Decode() would unmarshal the value 35.
+//
+// SeekTo returns a boolean value indicating whether a match was found.
+//
+// Decoder is intended to be used with a stream of tokens. As a result it navigates forward only.
+func (d *Decoder) SeekTo(path ...interface{}) (bool, error) {
+
+	if len(path) > 0 {
+		last := len(path) - 1
+		if i, ok := path[last].(int); ok {
+			path[last] = i - 1
+		}
+	}
+
+	for {
+		if len(path) == len(d.path) && d.path.Equal(path) {
+			return true, nil
+		}
+		_, err := d.Token()
+		if err == io.EOF {
+			return false, nil
+		} else if err != nil {
+			return false, err
+		}
+	}
+}
+
+// Decode reads the next JSON-encoded value from its input and stores it in the value pointed to by v. This is
+// equivalent to encoding/json.Decode().
+func (d *Decoder) Decode(v interface{}) error {
+	switch d.context {
+	case objValue:
+		d.context = objKey
+		break
+	case arrValue:
+		d.path.incTop()
+		break
+	}
+	return d.Decoder.Decode(v)
+}
+
+// Path returns a slice of string and/or int values representing the path from the root of the JSON object to the
+// position of the most-recently parsed token.
+func (d *Decoder) Path() JsonPath {
+	p := make(JsonPath, len(d.path))
+	copy(p, d.path)
+	return p
+}
+
+// Token is equivalent to the Token() method on json.Decoder. The primary difference is that it distinguishes
+// between strings that are keys and and strings that are values. String tokens that are object keys are returned as a
+// KeyString rather than as a native string.
+func (d *Decoder) Token() (json.Token, error) {
+	t, err := d.Decoder.Token()
+	if err != nil {
+		return t, err
+	}
+
+	if t == nil {
+		switch d.context {
+		case objValue:
+			d.context = objKey
+			break
+		case arrValue:
+			d.path.incTop()
+			break
+		}
+		return t, err
+	}
+
+	switch t := t.(type) {
+	case json.Delim:
+		switch t {
+		case json.Delim('{'):
+			if d.context == arrValue {
+				d.path.incTop()
+			}
+			d.path.push("")
+			d.context = objKey
+			break
+		case json.Delim('}'):
+			d.path.pop()
+			d.context = d.path.inferContext()
+			break
+		case json.Delim('['):
+			if d.context == arrValue {
+				d.path.incTop()
+			}
+			d.path.push(-1)
+			d.context = arrValue
+			break
+		case json.Delim(']'):
+			d.path.pop()
+			d.context = d.path.inferContext()
+			break
+		}
+	case float64, json.Number, bool:
+		switch d.context {
+		case objValue:
+			d.context = objKey
+			break
+		case arrValue:
+			d.path.incTop()
+			break
+		}
+		break
+	case string:
+		switch d.context {
+		case objKey:
+			d.path.nameTop(t)
+			d.context = objValue
+			return KeyString(t), err
+		case objValue:
+			d.context = objKey
+		case arrValue:
+			d.path.incTop()
+		}
+		break
+	}
+
+	return t, err
+}
+
+// Scan moves forward over the JSON stream consuming all the tokens at the current level (current object, current array)
+// invoking each matching PathAction along the way.
+//
+// Scan returns true if there are more contiguous values to scan (for example in an array).
+func (d *Decoder) Scan(ext *PathActions) (bool, error) {
+
+	rootPath := d.Path()
+
+	// If this is an array path, increment the root path in our local copy.
+	if rootPath.inferContext() == arrValue {
+		rootPath.incTop()
+	}
+
+	for {
+		// advance the token position
+		_, err := d.Token()
+		if err != nil {
+			return false, err
+		}
+
+	match:
+		var relPath JsonPath
+
+		// capture the new JSON path
+		path := d.Path()
+
+		if len(path) > len(rootPath) {
+			// capture the path relative to where the scan started
+			relPath = path[len(rootPath):]
+		} else {
+			// if the path is not longer than the root, then we are done with this scan
+			// return boolean flag indicating if there are more items to scan at the same level
+			return d.Decoder.More(), nil
+		}
+
+		// match the relative path against the path actions
+		if node := ext.node.match(relPath); node != nil {
+			if node.action != nil {
+				// we have a match so execute the action
+				err = node.action(d)
+				if err != nil {
+					return d.Decoder.More(), err
+				}
+				// The action may have advanced the decoder. If we are in an array, advancing it further would
+				// skip tokens. So, if we are scanning an array, jump to the top without advancing the token.
+				if d.path.inferContext() == arrValue && d.Decoder.More() {
+					goto match
+				}
+			}
+		}
+	}
+}
diff --git a/vendor/github.com/exponent-io/jsonpath/path.go b/vendor/github.com/exponent-io/jsonpath/path.go
new file mode 100644
index 0000000000..d7db2ad336
--- /dev/null
+++ b/vendor/github.com/exponent-io/jsonpath/path.go
@@ -0,0 +1,67 @@
+// Extends the Go runtime's json.Decoder enabling navigation of a stream of json tokens.
+package jsonpath
+
+import "fmt"
+
+type jsonContext int
+
+const (
+	none jsonContext = iota
+	objKey
+	objValue
+	arrValue
+)
+
+// AnyIndex can be used in a pattern to match any array index.
+const AnyIndex = -2
+
+// JsonPath is a slice of strings and/or integers. Each string specifies an JSON object key, and
+// each integer specifies an index into a JSON array.
+type JsonPath []interface{}
+
+func (p *JsonPath) push(n interface{}) { *p = append(*p, n) }
+func (p *JsonPath) pop()               { *p = (*p)[:len(*p)-1] }
+
+// increment the index at the top of the stack (must be an array index)
+func (p *JsonPath) incTop() { (*p)[len(*p)-1] = (*p)[len(*p)-1].(int) + 1 }
+
+// name the key at the top of the stack (must be an object key)
+func (p *JsonPath) nameTop(n string) { (*p)[len(*p)-1] = n }
+
+// infer the context from the item at the top of the stack
+func (p *JsonPath) inferContext() jsonContext {
+	if len(*p) == 0 {
+		return none
+	}
+	t := (*p)[len(*p)-1]
+	switch t.(type) {
+	case string:
+		return objKey
+	case int:
+		return arrValue
+	default:
+		panic(fmt.Sprintf("Invalid stack type %T", t))
+	}
+}
+
+// Equal tests for equality between two JsonPath types.
+func (p *JsonPath) Equal(o JsonPath) bool {
+	if len(*p) != len(o) {
+		return false
+	}
+	for i, v := range *p {
+		if v != o[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func (p *JsonPath) HasPrefix(o JsonPath) bool {
+	for i, v := range o {
+		if v != (*p)[i] {
+			return false
+		}
+	}
+	return true
+}
diff --git a/vendor/github.com/exponent-io/jsonpath/pathaction.go b/vendor/github.com/exponent-io/jsonpath/pathaction.go
new file mode 100644
index 0000000000..497ed686ca
--- /dev/null
+++ b/vendor/github.com/exponent-io/jsonpath/pathaction.go
@@ -0,0 +1,61 @@
+package jsonpath
+
+// pathNode is used to construct a trie of paths to be matched
+type pathNode struct {
+	matchOn    interface{} // string, or integer
+	childNodes []pathNode
+	action     DecodeAction
+}
+
+// match climbs the trie to find a node that matches the given JSON path.
+func (n *pathNode) match(path JsonPath) *pathNode {
+	var node *pathNode = n
+	for _, ps := range path {
+		found := false
+		for i, n := range node.childNodes {
+			if n.matchOn == ps {
+				node = &node.childNodes[i]
+				found = true
+				break
+			} else if _, ok := ps.(int); ok && n.matchOn == AnyIndex {
+				node = &node.childNodes[i]
+				found = true
+				break
+			}
+		}
+		if !found {
+			return nil
+		}
+	}
+	return node
+}
+
+// PathActions represents a collection of DecodeAction functions that should be called at certain path positions
+// when scanning the JSON stream. PathActions can be created once and used many times in one or more JSON streams.
+type PathActions struct {
+	node pathNode
+}
+
+// DecodeAction handlers are called by the Decoder when scanning objects. See PathActions.Add for more detail.
+type DecodeAction func(d *Decoder) error
+
+// Add specifies an action to call on the Decoder when the specified path is encountered.
+func (je *PathActions) Add(action DecodeAction, path ...interface{}) {
+
+	var node *pathNode = &je.node
+	for _, ps := range path {
+		found := false
+		for i, n := range node.childNodes {
+			if n.matchOn == ps {
+				node = &node.childNodes[i]
+				found = true
+				break
+			}
+		}
+		if !found {
+			node.childNodes = append(node.childNodes, pathNode{matchOn: ps})
+			node = &node.childNodes[len(node.childNodes)-1]
+		}
+	}
+	node.action = action
+}
diff --git a/vendor/github.com/go-errors/errors/.travis.yml b/vendor/github.com/go-errors/errors/.travis.yml
new file mode 100644
index 0000000000..1dc296026a
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/.travis.yml
@@ -0,0 +1,7 @@
+language: go
+
+go:
+  - "1.8.x"
+  - "1.11.x"
+  - "1.16.x"
+  - "1.21.x"
diff --git a/vendor/github.com/go-errors/errors/LICENSE.MIT b/vendor/github.com/go-errors/errors/LICENSE.MIT
new file mode 100644
index 0000000000..c9a5b2eeb7
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/LICENSE.MIT
@@ -0,0 +1,7 @@
+Copyright (c) 2015 Conrad Irwin <conrad@bugsnag.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/go-errors/errors/README.md b/vendor/github.com/go-errors/errors/README.md
new file mode 100644
index 0000000000..558bc883ef
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/README.md
@@ -0,0 +1,84 @@
+go-errors/errors
+================
+
+[![Build Status](https://travis-ci.org/go-errors/errors.svg?branch=master)](https://travis-ci.org/go-errors/errors)
+
+Package errors adds stacktrace support to errors in go.
+
+This is particularly useful when you want to understand the state of execution
+when an error was returned unexpectedly.
+
+It provides the type \*Error which implements the standard golang error
+interface, so you can use this library interchangeably with code that is
+expecting a normal error return.
+
+Usage
+-----
+
+Full documentation is available on
+[godoc](https://godoc.org/github.com/go-errors/errors), but here's a simple
+example:
+
+```go
+package crashy
+
+import "github.com/go-errors/errors"
+
+var Crashed = errors.Errorf("oh dear")
+
+func Crash() error {
+    return errors.New(Crashed)
+}
+```
+
+This can be called as follows:
+
+```go
+package main
+
+import (
+    "crashy"
+    "fmt"
+    "github.com/go-errors/errors"
+)
+
+func main() {
+    err := crashy.Crash()
+    if err != nil {
+        if errors.Is(err, crashy.Crashed) {
+            fmt.Println(err.(*errors.Error).ErrorStack())
+        } else {
+            panic(err)
+        }
+    }
+}
+```
+
+Meta-fu
+-------
+
+This package was original written to allow reporting to
+[Bugsnag](https://bugsnag.com/) from
+[bugsnag-go](https://github.com/bugsnag/bugsnag-go), but after I found similar
+packages by Facebook and Dropbox, it was moved to one canonical location so
+everyone can benefit.
+
+This package is licensed under the MIT license, see LICENSE.MIT for details.
+
+
+## Changelog
+* v1.1.0 updated to use go1.13's standard-library errors.Is method instead of == in errors.Is
+* v1.2.0 added `errors.As` from the standard library.
+* v1.3.0 *BREAKING* updated error methods to return `error` instead of `*Error`.
+>  Code that needs access to the underlying `*Error` can use the new errors.AsError(e)
+> ```
+>   // before
+>   errors.New(err).ErrorStack()
+>   // after
+>.  errors.AsError(errors.Wrap(err)).ErrorStack()
+> ```
+* v1.4.0 *BREAKING* v1.4.0 reverted all changes from v1.3.0 and is identical to v1.2.0
+* v1.4.1 no code change, but now without an unnecessary cover.out file.
+* v1.4.2 performance improvement to ErrorStack() to avoid unnecessary work https://github.com/go-errors/errors/pull/40
+* v1.5.0 add errors.Join() and errors.Unwrap() copying the stdlib https://github.com/go-errors/errors/pull/40
+* v1.5.1 fix build on go1.13..go1.19 (broken by adding Join and Unwrap with wrong build constraints)
diff --git a/vendor/github.com/go-errors/errors/error.go b/vendor/github.com/go-errors/errors/error.go
new file mode 100644
index 0000000000..ccbc2e4272
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/error.go
@@ -0,0 +1,209 @@
+// Package errors provides errors that have stack-traces.
+//
+// This is particularly useful when you want to understand the
+// state of execution when an error was returned unexpectedly.
+//
+// It provides the type *Error which implements the standard
+// golang error interface, so you can use this library interchangably
+// with code that is expecting a normal error return.
+//
+// For example:
+//
+//  package crashy
+//
+//  import "github.com/go-errors/errors"
+//
+//  var Crashed = errors.Errorf("oh dear")
+//
+//  func Crash() error {
+//      return errors.New(Crashed)
+//  }
+//
+// This can be called as follows:
+//
+//  package main
+//
+//  import (
+//      "crashy"
+//      "fmt"
+//      "github.com/go-errors/errors"
+//  )
+//
+//  func main() {
+//      err := crashy.Crash()
+//      if err != nil {
+//          if errors.Is(err, crashy.Crashed) {
+//              fmt.Println(err.(*errors.Error).ErrorStack())
+//          } else {
+//              panic(err)
+//          }
+//      }
+//  }
+//
+// This package was original written to allow reporting to Bugsnag,
+// but after I found similar packages by Facebook and Dropbox, it
+// was moved to one canonical location so everyone can benefit.
+package errors
+
+import (
+	"bytes"
+	"fmt"
+	"reflect"
+	"runtime"
+)
+
+// The maximum number of stackframes on any error.
+var MaxStackDepth = 50
+
+// Error is an error with an attached stacktrace. It can be used
+// wherever the builtin error interface is expected.
+type Error struct {
+	Err    error
+	stack  []uintptr
+	frames []StackFrame
+	prefix string
+}
+
+// New makes an Error from the given value. If that value is already an
+// error then it will be used directly, if not, it will be passed to
+// fmt.Errorf("%v"). The stacktrace will point to the line of code that
+// called New.
+func New(e interface{}) *Error {
+	var err error
+
+	switch e := e.(type) {
+	case error:
+		err = e
+	default:
+		err = fmt.Errorf("%v", e)
+	}
+
+	stack := make([]uintptr, MaxStackDepth)
+	length := runtime.Callers(2, stack[:])
+	return &Error{
+		Err:   err,
+		stack: stack[:length],
+	}
+}
+
+// Wrap makes an Error from the given value. If that value is already an
+// error then it will be used directly, if not, it will be passed to
+// fmt.Errorf("%v"). The skip parameter indicates how far up the stack
+// to start the stacktrace. 0 is from the current call, 1 from its caller, etc.
+func Wrap(e interface{}, skip int) *Error {
+	if e == nil {
+		return nil
+	}
+
+	var err error
+
+	switch e := e.(type) {
+	case *Error:
+		return e
+	case error:
+		err = e
+	default:
+		err = fmt.Errorf("%v", e)
+	}
+
+	stack := make([]uintptr, MaxStackDepth)
+	length := runtime.Callers(2+skip, stack[:])
+	return &Error{
+		Err:   err,
+		stack: stack[:length],
+	}
+}
+
+// WrapPrefix makes an Error from the given value. If that value is already an
+// error then it will be used directly, if not, it will be passed to
+// fmt.Errorf("%v"). The prefix parameter is used to add a prefix to the
+// error message when calling Error(). The skip parameter indicates how far
+// up the stack to start the stacktrace. 0 is from the current call,
+// 1 from its caller, etc.
+func WrapPrefix(e interface{}, prefix string, skip int) *Error {
+	if e == nil {
+		return nil
+	}
+
+	err := Wrap(e, 1+skip)
+
+	if err.prefix != "" {
+		prefix = fmt.Sprintf("%s: %s", prefix, err.prefix)
+	}
+
+	return &Error{
+		Err:    err.Err,
+		stack:  err.stack,
+		prefix: prefix,
+	}
+
+}
+
+// Errorf creates a new error with the given message. You can use it
+// as a drop-in replacement for fmt.Errorf() to provide descriptive
+// errors in return values.
+func Errorf(format string, a ...interface{}) *Error {
+	return Wrap(fmt.Errorf(format, a...), 1)
+}
+
+// Error returns the underlying error's message.
+func (err *Error) Error() string {
+
+	msg := err.Err.Error()
+	if err.prefix != "" {
+		msg = fmt.Sprintf("%s: %s", err.prefix, msg)
+	}
+
+	return msg
+}
+
+// Stack returns the callstack formatted the same way that go does
+// in runtime/debug.Stack()
+func (err *Error) Stack() []byte {
+	buf := bytes.Buffer{}
+
+	for _, frame := range err.StackFrames() {
+		buf.WriteString(frame.String())
+	}
+
+	return buf.Bytes()
+}
+
+// Callers satisfies the bugsnag ErrorWithCallerS() interface
+// so that the stack can be read out.
+func (err *Error) Callers() []uintptr {
+	return err.stack
+}
+
+// ErrorStack returns a string that contains both the
+// error message and the callstack.
+func (err *Error) ErrorStack() string {
+	return err.TypeName() + " " + err.Error() + "\n" + string(err.Stack())
+}
+
+// StackFrames returns an array of frames containing information about the
+// stack.
+func (err *Error) StackFrames() []StackFrame {
+	if err.frames == nil {
+		err.frames = make([]StackFrame, len(err.stack))
+
+		for i, pc := range err.stack {
+			err.frames[i] = NewStackFrame(pc)
+		}
+	}
+
+	return err.frames
+}
+
+// TypeName returns the type this error. e.g. *errors.stringError.
+func (err *Error) TypeName() string {
+	if _, ok := err.Err.(uncaughtPanic); ok {
+		return "panic"
+	}
+	return reflect.TypeOf(err.Err).String()
+}
+
+// Return the wrapped error (implements api for As function).
+func (err *Error) Unwrap() error {
+	return err.Err
+}
diff --git a/vendor/github.com/go-errors/errors/error_1_13.go b/vendor/github.com/go-errors/errors/error_1_13.go
new file mode 100644
index 0000000000..34ab3e00eb
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/error_1_13.go
@@ -0,0 +1,35 @@
+//go:build go1.13
+// +build go1.13
+
+package errors
+
+import (
+	baseErrors "errors"
+)
+
+// As finds the first error in err's tree that matches target, and if one is found, sets
+// target to that error value and returns true. Otherwise, it returns false.
+//
+// For more information see stdlib errors.As.
+func As(err error, target interface{}) bool {
+	return baseErrors.As(err, target)
+}
+
+// Is detects whether the error is equal to a given error. Errors
+// are considered equal by this function if they are matched by errors.Is
+// or if their contained errors are matched through errors.Is.
+func Is(e error, original error) bool {
+	if baseErrors.Is(e, original) {
+		return true
+	}
+
+	if e, ok := e.(*Error); ok {
+		return Is(e.Err, original)
+	}
+
+	if original, ok := original.(*Error); ok {
+		return Is(e, original.Err)
+	}
+
+	return false
+}
diff --git a/vendor/github.com/go-errors/errors/error_backward.go b/vendor/github.com/go-errors/errors/error_backward.go
new file mode 100644
index 0000000000..ff14c4bfa2
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/error_backward.go
@@ -0,0 +1,125 @@
+//go:build !go1.13
+// +build !go1.13
+
+package errors
+
+import (
+	"reflect"
+)
+
+type unwrapper interface {
+	Unwrap() error
+}
+
+// As assigns error or any wrapped error to the value target points
+// to. If there is no value of the target type of target As returns
+// false.
+func As(err error, target interface{}) bool {
+	targetType := reflect.TypeOf(target)
+
+	for {
+		errType := reflect.TypeOf(err)
+
+		if errType == nil {
+			return false
+		}
+
+		if reflect.PtrTo(errType) == targetType {
+			reflect.ValueOf(target).Elem().Set(reflect.ValueOf(err))
+			return true
+		}
+
+		wrapped, ok := err.(unwrapper)
+		if ok {
+			err = wrapped.Unwrap()
+		} else {
+			return false
+		}
+	}
+}
+
+// Is detects whether the error is equal to a given error. Errors
+// are considered equal by this function if they are the same object,
+// or if they both contain the same error inside an errors.Error.
+func Is(e error, original error) bool {
+	if e == original {
+		return true
+	}
+
+	if e, ok := e.(*Error); ok {
+		return Is(e.Err, original)
+	}
+
+	if original, ok := original.(*Error); ok {
+		return Is(e, original.Err)
+	}
+
+	return false
+}
+
+// Disclaimer: functions Join and Unwrap are copied from the stdlib errors
+// package v1.21.0.
+
+// Join returns an error that wraps the given errors.
+// Any nil error values are discarded.
+// Join returns nil if every value in errs is nil.
+// The error formats as the concatenation of the strings obtained
+// by calling the Error method of each element of errs, with a newline
+// between each string.
+//
+// A non-nil error returned by Join implements the Unwrap() []error method.
+func Join(errs ...error) error {
+	n := 0
+	for _, err := range errs {
+		if err != nil {
+			n++
+		}
+	}
+	if n == 0 {
+		return nil
+	}
+	e := &joinError{
+		errs: make([]error, 0, n),
+	}
+	for _, err := range errs {
+		if err != nil {
+			e.errs = append(e.errs, err)
+		}
+	}
+	return e
+}
+
+type joinError struct {
+	errs []error
+}
+
+func (e *joinError) Error() string {
+	var b []byte
+	for i, err := range e.errs {
+		if i > 0 {
+			b = append(b, '\n')
+		}
+		b = append(b, err.Error()...)
+	}
+	return string(b)
+}
+
+func (e *joinError) Unwrap() []error {
+	return e.errs
+}
+
+// Unwrap returns the result of calling the Unwrap method on err, if err's
+// type contains an Unwrap method returning error.
+// Otherwise, Unwrap returns nil.
+//
+// Unwrap only calls a method of the form "Unwrap() error".
+// In particular Unwrap does not unwrap errors returned by [Join].
+func Unwrap(err error) error {
+	u, ok := err.(interface {
+		Unwrap() error
+	})
+	if !ok {
+		return nil
+	}
+	return u.Unwrap()
+}
diff --git a/vendor/github.com/go-errors/errors/join_unwrap_1_20.go b/vendor/github.com/go-errors/errors/join_unwrap_1_20.go
new file mode 100644
index 0000000000..44df35ece9
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/join_unwrap_1_20.go
@@ -0,0 +1,32 @@
+//go:build go1.20
+// +build go1.20
+
+package errors
+
+import baseErrors "errors"
+
+// Join returns an error that wraps the given errors.
+// Any nil error values are discarded.
+// Join returns nil if every value in errs is nil.
+// The error formats as the concatenation of the strings obtained
+// by calling the Error method of each element of errs, with a newline
+// between each string.
+//
+// A non-nil error returned by Join implements the Unwrap() []error method.
+//
+// For more information see stdlib errors.Join.
+func Join(errs ...error) error {
+	return baseErrors.Join(errs...)
+}
+
+// Unwrap returns the result of calling the Unwrap method on err, if err's
+// type contains an Unwrap method returning error.
+// Otherwise, Unwrap returns nil.
+//
+// Unwrap only calls a method of the form "Unwrap() error".
+// In particular Unwrap does not unwrap errors returned by [Join].
+//
+// For more information see stdlib errors.Unwrap.
+func Unwrap(err error) error {
+	return baseErrors.Unwrap(err)
+}
diff --git a/vendor/github.com/go-errors/errors/join_unwrap_backward.go b/vendor/github.com/go-errors/errors/join_unwrap_backward.go
new file mode 100644
index 0000000000..50c766976c
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/join_unwrap_backward.go
@@ -0,0 +1,71 @@
+//go:build !go1.20
+// +build !go1.20
+
+package errors
+
+// Disclaimer: functions Join and Unwrap are copied from the stdlib errors
+// package v1.21.0.
+
+// Join returns an error that wraps the given errors.
+// Any nil error values are discarded.
+// Join returns nil if every value in errs is nil.
+// The error formats as the concatenation of the strings obtained
+// by calling the Error method of each element of errs, with a newline
+// between each string.
+//
+// A non-nil error returned by Join implements the Unwrap() []error method.
+func Join(errs ...error) error {
+	n := 0
+	for _, err := range errs {
+		if err != nil {
+			n++
+		}
+	}
+	if n == 0 {
+		return nil
+	}
+	e := &joinError{
+		errs: make([]error, 0, n),
+	}
+	for _, err := range errs {
+		if err != nil {
+			e.errs = append(e.errs, err)
+		}
+	}
+	return e
+}
+
+type joinError struct {
+	errs []error
+}
+
+func (e *joinError) Error() string {
+	var b []byte
+	for i, err := range e.errs {
+		if i > 0 {
+			b = append(b, '\n')
+		}
+		b = append(b, err.Error()...)
+	}
+	return string(b)
+}
+
+func (e *joinError) Unwrap() []error {
+	return e.errs
+}
+
+// Unwrap returns the result of calling the Unwrap method on err, if err's
+// type contains an Unwrap method returning error.
+// Otherwise, Unwrap returns nil.
+//
+// Unwrap only calls a method of the form "Unwrap() error".
+// In particular Unwrap does not unwrap errors returned by [Join].
+func Unwrap(err error) error {
+	u, ok := err.(interface {
+		Unwrap() error
+	})
+	if !ok {
+		return nil
+	}
+	return u.Unwrap()
+}
diff --git a/vendor/github.com/go-errors/errors/parse_panic.go b/vendor/github.com/go-errors/errors/parse_panic.go
new file mode 100644
index 0000000000..cc37052d78
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/parse_panic.go
@@ -0,0 +1,127 @@
+package errors
+
+import (
+	"strconv"
+	"strings"
+)
+
+type uncaughtPanic struct{ message string }
+
+func (p uncaughtPanic) Error() string {
+	return p.message
+}
+
+// ParsePanic allows you to get an error object from the output of a go program
+// that panicked. This is particularly useful with https://github.com/mitchellh/panicwrap.
+func ParsePanic(text string) (*Error, error) {
+	lines := strings.Split(text, "\n")
+
+	state := "start"
+
+	var message string
+	var stack []StackFrame
+
+	for i := 0; i < len(lines); i++ {
+		line := lines[i]
+
+		if state == "start" {
+			if strings.HasPrefix(line, "panic: ") {
+				message = strings.TrimPrefix(line, "panic: ")
+				state = "seek"
+			} else {
+				return nil, Errorf("bugsnag.panicParser: Invalid line (no prefix): %s", line)
+			}
+
+		} else if state == "seek" {
+			if strings.HasPrefix(line, "goroutine ") && strings.HasSuffix(line, "[running]:") {
+				state = "parsing"
+			}
+
+		} else if state == "parsing" {
+			if line == "" {
+				state = "done"
+				break
+			}
+			createdBy := false
+			if strings.HasPrefix(line, "created by ") {
+				line = strings.TrimPrefix(line, "created by ")
+				createdBy = true
+			}
+
+			i++
+
+			if i >= len(lines) {
+				return nil, Errorf("bugsnag.panicParser: Invalid line (unpaired): %s", line)
+			}
+
+			frame, err := parsePanicFrame(line, lines[i], createdBy)
+			if err != nil {
+				return nil, err
+			}
+
+			stack = append(stack, *frame)
+			if createdBy {
+				state = "done"
+				break
+			}
+		}
+	}
+
+	if state == "done" || state == "parsing" {
+		return &Error{Err: uncaughtPanic{message}, frames: stack}, nil
+	}
+	return nil, Errorf("could not parse panic: %v", text)
+}
+
+// The lines we're passing look like this:
+//
+//     main.(*foo).destruct(0xc208067e98)
+//             /0/go/src/github.com/bugsnag/bugsnag-go/pan/main.go:22 +0x151
+func parsePanicFrame(name string, line string, createdBy bool) (*StackFrame, error) {
+	idx := strings.LastIndex(name, "(")
+	if idx == -1 && !createdBy {
+		return nil, Errorf("bugsnag.panicParser: Invalid line (no call): %s", name)
+	}
+	if idx != -1 {
+		name = name[:idx]
+	}
+	pkg := ""
+
+	if lastslash := strings.LastIndex(name, "/"); lastslash >= 0 {
+		pkg += name[:lastslash] + "/"
+		name = name[lastslash+1:]
+	}
+	if period := strings.Index(name, "."); period >= 0 {
+		pkg += name[:period]
+		name = name[period+1:]
+	}
+
+	name = strings.Replace(name, "·", ".", -1)
+
+	if !strings.HasPrefix(line, "\t") {
+		return nil, Errorf("bugsnag.panicParser: Invalid line (no tab): %s", line)
+	}
+
+	idx = strings.LastIndex(line, ":")
+	if idx == -1 {
+		return nil, Errorf("bugsnag.panicParser: Invalid line (no line number): %s", line)
+	}
+	file := line[1:idx]
+
+	number := line[idx+1:]
+	if idx = strings.Index(number, " +"); idx > -1 {
+		number = number[:idx]
+	}
+
+	lno, err := strconv.ParseInt(number, 10, 32)
+	if err != nil {
+		return nil, Errorf("bugsnag.panicParser: Invalid line (bad line number): %s", line)
+	}
+
+	return &StackFrame{
+		File:       file,
+		LineNumber: int(lno),
+		Package:    pkg,
+		Name:       name,
+	}, nil
+}
diff --git a/vendor/github.com/go-errors/errors/stackframe.go b/vendor/github.com/go-errors/errors/stackframe.go
new file mode 100644
index 0000000000..ef4a8b3f3b
--- /dev/null
+++ b/vendor/github.com/go-errors/errors/stackframe.go
@@ -0,0 +1,122 @@
+package errors
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+)
+
+// A StackFrame contains all necessary information about to generate a line
+// in a callstack.
+type StackFrame struct {
+	// The path to the file containing this ProgramCounter
+	File string
+	// The LineNumber in that file
+	LineNumber int
+	// The Name of the function that contains this ProgramCounter
+	Name string
+	// The Package that contains this function
+	Package string
+	// The underlying ProgramCounter
+	ProgramCounter uintptr
+}
+
+// NewStackFrame popoulates a stack frame object from the program counter.
+func NewStackFrame(pc uintptr) (frame StackFrame) {
+
+	frame = StackFrame{ProgramCounter: pc}
+	if frame.Func() == nil {
+		return
+	}
+	frame.Package, frame.Name = packageAndName(frame.Func())
+
+	// pc -1 because the program counters we use are usually return addresses,
+	// and we want to show the line that corresponds to the function call
+	frame.File, frame.LineNumber = frame.Func().FileLine(pc - 1)
+	return
+
+}
+
+// Func returns the function that contained this frame.
+func (frame *StackFrame) Func() *runtime.Func {
+	if frame.ProgramCounter == 0 {
+		return nil
+	}
+	return runtime.FuncForPC(frame.ProgramCounter)
+}
+
+// String returns the stackframe formatted in the same way as go does
+// in runtime/debug.Stack()
+func (frame *StackFrame) String() string {
+	str := fmt.Sprintf("%s:%d (0x%x)\n", frame.File, frame.LineNumber, frame.ProgramCounter)
+
+	source, err := frame.sourceLine()
+	if err != nil {
+		return str
+	}
+
+	return str + fmt.Sprintf("\t%s: %s\n", frame.Name, source)
+}
+
+// SourceLine gets the line of code (from File and Line) of the original source if possible.
+func (frame *StackFrame) SourceLine() (string, error) {
+	source, err := frame.sourceLine()
+	if err != nil {
+		return source, New(err)
+	}
+	return source, err
+}
+
+func (frame *StackFrame) sourceLine() (string, error) {
+	if frame.LineNumber <= 0 {
+		return "???", nil
+	}
+
+	file, err := os.Open(frame.File)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	currentLine := 1
+	for scanner.Scan() {
+		if currentLine == frame.LineNumber {
+			return string(bytes.Trim(scanner.Bytes(), " \t")), nil
+		}
+		currentLine++
+	}
+	if err := scanner.Err(); err != nil {
+		return "", err
+	}
+
+	return "???", nil
+}
+
+func packageAndName(fn *runtime.Func) (string, string) {
+	name := fn.Name()
+	pkg := ""
+
+	// The name includes the path name to the package, which is unnecessary
+	// since the file name is already included.  Plus, it has center dots.
+	// That is, we see
+	//  runtime/debug.*T·ptrmethod
+	// and want
+	//  *T.ptrmethod
+	// Since the package path might contains dots (e.g. code.google.com/...),
+	// we first remove the path prefix if there is one.
+	if lastslash := strings.LastIndex(name, "/"); lastslash >= 0 {
+		pkg += name[:lastslash] + "/"
+		name = name[lastslash+1:]
+	}
+	if period := strings.Index(name, "."); period >= 0 {
+		pkg += name[:period]
+		name = name[period+1:]
+	}
+
+	name = strings.Replace(name, "·", ".", -1)
+	return pkg, name
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/.gitignore b/vendor/github.com/go-gorp/gorp/v3/.gitignore
new file mode 100644
index 0000000000..a96e5fec57
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/.gitignore
@@ -0,0 +1,11 @@
+_test
+*.test
+_testmain.go
+_obj
+*~
+*.6
+6.out
+gorptest.bin
+tmp
+.idea
+coverage.out
diff --git a/vendor/github.com/go-gorp/gorp/v3/.travis.yml b/vendor/github.com/go-gorp/gorp/v3/.travis.yml
new file mode 100644
index 0000000000..958d260ace
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/.travis.yml
@@ -0,0 +1,36 @@
+language: go
+go:
+- "1.15.x"
+- "1.16.x"
+- tip
+
+matrix:
+  allow_failures:
+  - go: tip
+
+services:
+- mysql
+- postgresql
+- sqlite3
+
+env:
+  global:
+  - secure: RriLxF6+2yMl67hdVv8ImXlu0h62mhcpqjaOgYNU+IEbUQ7hx96CKY6gkpYubW3BgApvF5RH6j3+HKvh2kGp0XhDOYOQCODfBSaSipZ5Aa5RKjsEYLtuVIobvJ80awR9hUeql69+WXs0/s72WThG0qTbOUY4pqHWfteeY235hWM=
+
+install:
+  - go get -t -d
+  - go get -t -d -tags integration
+
+before_script:
+- mysql -e "CREATE DATABASE gorptest;"
+- mysql -u root -e "GRANT ALL ON gorptest.* TO gorptest@localhost IDENTIFIED BY 'gorptest'"
+- psql -c "CREATE DATABASE gorptest;" -U postgres
+- psql -c "CREATE USER "gorptest" WITH SUPERUSER PASSWORD 'gorptest';" -U postgres
+- go get github.com/lib/pq
+- go get github.com/mattn/go-sqlite3
+- go get github.com/ziutek/mymysql/godrv
+- go get github.com/go-sql-driver/mysql
+- go get golang.org/x/tools/cmd/cover
+- go get github.com/mattn/goveralls
+
+script: ./test_all.sh
diff --git a/vendor/github.com/go-gorp/gorp/v3/CONTRIBUTING.md b/vendor/github.com/go-gorp/gorp/v3/CONTRIBUTING.md
new file mode 100644
index 0000000000..7bc145fd7c
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/CONTRIBUTING.md
@@ -0,0 +1,34 @@
+# Contributions are very welcome!
+
+## First: Create an Issue
+
+Even if your fix is simple, we'd like to have an issue to relate to
+the PR.  Discussion about the architecture and value can go on the
+issue, leaving PR comments exclusively for coding style.
+
+## Second: Make Your PR
+
+- Fork the `master` branch
+- Make your change
+- Make a PR against the `master` branch
+
+You don't need to wait for comments on the issue before making your
+PR.  If you do wait for comments, you'll have a better chance of
+getting your PR accepted the first time around, but it's not
+necessary.
+
+## Third: Be Patient
+
+- If your change breaks backward compatibility, this becomes
+  especially true.
+
+We all have lives and jobs, and many of us are no longer on projects
+that make use of `gorp`.  We will get back to you, but it might take a
+while.
+
+## Fourth: Consider Becoming a Maintainer
+
+We really do need help.  We will likely ask you for help after a good
+PR, but if we don't, please create an issue requesting maintainership.
+Considering how few of us are currently active, we are unlikely to
+refuse good help.
diff --git a/vendor/github.com/go-gorp/gorp/v3/LICENSE b/vendor/github.com/go-gorp/gorp/v3/LICENSE
new file mode 100644
index 0000000000..b661111d0a
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/LICENSE
@@ -0,0 +1,22 @@
+(The MIT License)
+
+Copyright (c) 2012 James Cooper <james@bitmechanic.com>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/go-gorp/gorp/v3/README.md b/vendor/github.com/go-gorp/gorp/v3/README.md
new file mode 100644
index 0000000000..983fe4343b
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/README.md
@@ -0,0 +1,809 @@
+# Go Relational Persistence
+
+[![build status](https://github.com/go-gorp/gorp/actions/workflows/go.yml/badge.svg)](https://github.com/go-gorp/gorp/actions)
+[![issues](https://img.shields.io/github/issues/go-gorp/gorp.svg)](https://github.com/go-gorp/gorp/issues)
+[![Go Reference](https://pkg.go.dev/badge/github.com/go-gorp/gorp/v3.svg)](https://pkg.go.dev/github.com/go-gorp/gorp/v3)
+
+### Update 2016-11-13: Future versions
+
+As many of the maintainers have become busy with other projects,
+progress toward the ever-elusive v2 has slowed to the point that we're
+only occasionally making progress outside of merging pull requests.
+In the interest of continuing to release, I'd like to lean toward a
+more maintainable path forward.
+
+For the moment, I am releasing a v2 tag with the current feature set
+from master, as some of those features have been actively used and
+relied on by more than one project.  Our next goal is to continue
+cleaning up the code base with non-breaking changes as much as
+possible, but if/when a breaking change is needed, we'll just release
+new versions.  This allows us to continue development at whatever pace
+we're capable of, without delaying the release of features or refusing
+PRs.
+
+## Introduction
+
+I hesitate to call gorp an ORM.  Go doesn't really have objects, at
+least not in the classic Smalltalk/Java sense.  There goes the "O".
+gorp doesn't know anything about the relationships between your
+structs (at least not yet).  So the "R" is questionable too (but I use
+it in the name because, well, it seemed more clever).
+
+The "M" is alive and well.  Given some Go structs and a database, gorp
+should remove a fair amount of boilerplate busy-work from your code.
+
+I hope that gorp saves you time, minimizes the drudgery of getting
+data in and out of your database, and helps your code focus on
+algorithms, not infrastructure.
+
+* Bind struct fields to table columns via API or tag
+* Support for embedded structs
+* Support for transactions
+* Forward engineer db schema from structs (great for unit tests)
+* Pre/post insert/update/delete hooks
+* Automatically generate insert/update/delete statements for a struct
+* Automatic binding of auto increment PKs back to struct after insert
+* Delete by primary key(s)
+* Select by primary key(s)
+* Optional trace sql logging
+* Bind arbitrary SQL queries to a struct
+* Bind slice to SELECT query results without type assertions
+* Use positional or named bind parameters in custom SELECT queries
+* Optional optimistic locking using a version column (for
+  update/deletes)
+
+## Installation
+
+Use `go get` or your favorite vendoring tool, using whichever import
+path you'd like.
+
+## Versioning
+
+We use semantic version tags.  Feel free to import through `gopkg.in`
+(e.g. `gopkg.in/gorp.v2`) to get the latest tag for a major version,
+or check out the tag using your favorite vendoring tool.
+
+Development is not very active right now, but we have plans to
+restructure `gorp` as we continue to move toward a more extensible
+system.  Whenever a breaking change is needed, the major version will
+be bumped.
+
+The `master` branch is where all development is done, and breaking
+changes may happen from time to time.  That said, if you want to live
+on the bleeding edge and are comfortable updating your code when we
+make a breaking change, you may use `github.com/go-gorp/gorp` as your
+import path.
+
+Check the version tags to see what's available.  We'll make a good
+faith effort to add badges for new versions, but we make no
+guarantees.
+
+## Supported Go versions
+
+This package is guaranteed to be compatible with the latest 2 major
+versions of Go.
+
+Any earlier versions are only supported on a best effort basis and can
+be dropped any time.  Go has a great compatibility promise. Upgrading
+your program to a newer version of Go should never really be a
+problem.
+
+## Migration guide
+
+#### Pre-v2 to v2
+Automatic mapping of the version column used in optimistic locking has
+been removed as it could cause problems if the type was not int. The
+version column must now explicitly be set with
+`tablemap.SetVersionCol()`.
+
+## Help/Support
+
+Use our [`gitter` channel](https://gitter.im/go-gorp/gorp).  We used
+to use IRC, but with most of us being pulled in many directions, we
+often need the email notifications from `gitter` to yell at us to sign
+in.
+
+## Quickstart
+
+```go
+package main
+
+import (
+    "database/sql"
+    "gopkg.in/gorp.v1"
+    _ "github.com/mattn/go-sqlite3"
+    "log"
+    "time"
+)
+
+func main() {
+    // initialize the DbMap
+    dbmap := initDb()
+    defer dbmap.Db.Close()
+
+    // delete any existing rows
+    err := dbmap.TruncateTables()
+    checkErr(err, "TruncateTables failed")
+
+    // create two posts
+    p1 := newPost("Go 1.1 released!", "Lorem ipsum lorem ipsum")
+    p2 := newPost("Go 1.2 released!", "Lorem ipsum lorem ipsum")
+
+    // insert rows - auto increment PKs will be set properly after the insert
+    err = dbmap.Insert(&p1, &p2)
+    checkErr(err, "Insert failed")
+
+    // use convenience SelectInt
+    count, err := dbmap.SelectInt("select count(*) from posts")
+    checkErr(err, "select count(*) failed")
+    log.Println("Rows after inserting:", count)
+
+    // update a row
+    p2.Title = "Go 1.2 is better than ever"
+    count, err = dbmap.Update(&p2)
+    checkErr(err, "Update failed")
+    log.Println("Rows updated:", count)
+
+    // fetch one row - note use of "post_id" instead of "Id" since column is aliased
+    //
+    // Postgres users should use $1 instead of ? placeholders
+    // See 'Known Issues' below
+    //
+    err = dbmap.SelectOne(&p2, "select * from posts where post_id=?", p2.Id)
+    checkErr(err, "SelectOne failed")
+    log.Println("p2 row:", p2)
+
+    // fetch all rows
+    var posts []Post
+    _, err = dbmap.Select(&posts, "select * from posts order by post_id")
+    checkErr(err, "Select failed")
+    log.Println("All rows:")
+    for x, p := range posts {
+        log.Printf("    %d: %v\n", x, p)
+    }
+
+    // delete row by PK
+    count, err = dbmap.Delete(&p1)
+    checkErr(err, "Delete failed")
+    log.Println("Rows deleted:", count)
+
+    // delete row manually via Exec
+    _, err = dbmap.Exec("delete from posts where post_id=?", p2.Id)
+    checkErr(err, "Exec failed")
+
+    // confirm count is zero
+    count, err = dbmap.SelectInt("select count(*) from posts")
+    checkErr(err, "select count(*) failed")
+    log.Println("Row count - should be zero:", count)
+
+    log.Println("Done!")
+}
+
+type Post struct {
+    // db tag lets you specify the column name if it differs from the struct field
+    Id      int64  `db:"post_id"`
+    Created int64
+    Title   string `db:",size:50"`               // Column size set to 50
+    Body    string `db:"article_body,size:1024"` // Set both column name and size
+}
+
+func newPost(title, body string) Post {
+    return Post{
+        Created: time.Now().UnixNano(),
+        Title:   title,
+        Body:    body,
+    }
+}
+
+func initDb() *gorp.DbMap {
+    // connect to db using standard Go database/sql API
+    // use whatever database/sql driver you wish
+    db, err := sql.Open("sqlite3", "/tmp/post_db.bin")
+    checkErr(err, "sql.Open failed")
+
+    // construct a gorp DbMap
+    dbmap := &gorp.DbMap{Db: db, Dialect: gorp.SqliteDialect{}}
+
+    // add a table, setting the table name to 'posts' and
+    // specifying that the Id property is an auto incrementing PK
+    dbmap.AddTableWithName(Post{}, "posts").SetKeys(true, "Id")
+
+    // create the table. in a production system you'd generally
+    // use a migration tool, or create the tables via scripts
+    err = dbmap.CreateTablesIfNotExists()
+    checkErr(err, "Create tables failed")
+
+    return dbmap
+}
+
+func checkErr(err error, msg string) {
+    if err != nil {
+        log.Fatalln(msg, err)
+    }
+}
+```
+
+## Examples
+
+### Mapping structs to tables
+
+First define some types:
+
+```go
+type Invoice struct {
+    Id       int64
+    Created  int64
+    Updated  int64
+    Memo     string
+    PersonId int64
+}
+
+type Person struct {
+    Id      int64
+    Created int64
+    Updated int64
+    FName   string
+    LName   string
+}
+
+// Example of using tags to alias fields to column names
+// The 'db' value is the column name
+//
+// A hyphen will cause gorp to skip this field, similar to the
+// Go json package.
+//
+// This is equivalent to using the ColMap methods:
+//
+//   table := dbmap.AddTableWithName(Product{}, "product")
+//   table.ColMap("Id").Rename("product_id")
+//   table.ColMap("Price").Rename("unit_price")
+//   table.ColMap("IgnoreMe").SetTransient(true)
+//
+// You can optionally declare the field to be a primary key and/or autoincrement
+//
+type Product struct {
+    Id         int64     `db:"product_id, primarykey, autoincrement"`
+    Price      int64     `db:"unit_price"`
+    IgnoreMe   string    `db:"-"`
+}
+```
+
+Then create a mapper, typically you'd do this one time at app startup:
+
+```go
+// connect to db using standard Go database/sql API
+// use whatever database/sql driver you wish
+db, err := sql.Open("mymysql", "tcp:localhost:3306*mydb/myuser/mypassword")
+
+// construct a gorp DbMap
+dbmap := &gorp.DbMap{Db: db, Dialect: gorp.MySQLDialect{"InnoDB", "UTF8"}}
+
+// register the structs you wish to use with gorp
+// you can also use the shorter dbmap.AddTable() if you
+// don't want to override the table name
+//
+// SetKeys(true) means we have a auto increment primary key, which
+// will get automatically bound to your struct post-insert
+//
+t1 := dbmap.AddTableWithName(Invoice{}, "invoice_test").SetKeys(true, "Id")
+t2 := dbmap.AddTableWithName(Person{}, "person_test").SetKeys(true, "Id")
+t3 := dbmap.AddTableWithName(Product{}, "product_test").SetKeys(true, "Id")
+```
+
+### Struct Embedding
+
+gorp supports embedding structs.  For example:
+
+```go
+type Names struct {
+    FirstName string
+    LastName  string
+}
+
+type WithEmbeddedStruct struct {
+    Id int64
+    Names
+}
+
+es := &WithEmbeddedStruct{-1, Names{FirstName: "Alice", LastName: "Smith"}}
+err := dbmap.Insert(es)
+```
+
+See the `TestWithEmbeddedStruct` function in `gorp_test.go` for a full example.
+
+### Create/Drop Tables ###
+
+Automatically create / drop registered tables.  This is useful for unit tests
+but is entirely optional.  You can of course use gorp with tables created manually,
+or with a separate migration tool (like [sql-migrate](https://github.com/rubenv/sql-migrate), [goose](https://bitbucket.org/liamstask/goose) or [migrate](https://github.com/mattes/migrate)).
+
+```go
+// create all registered tables
+dbmap.CreateTables()
+
+// same as above, but uses "if not exists" clause to skip tables that are
+// already defined
+dbmap.CreateTablesIfNotExists()
+
+// drop
+dbmap.DropTables()
+```
+
+### SQL Logging
+
+Optionally you can pass in a logger to trace all SQL statements.
+I recommend enabling this initially while you're getting the feel for what
+gorp is doing on your behalf.
+
+Gorp defines a `GorpLogger` interface that Go's built in `log.Logger` satisfies.
+However, you can write your own `GorpLogger` implementation, or use a package such
+as `glog` if you want more control over how statements are logged.
+
+```go
+// Will log all SQL statements + args as they are run
+// The first arg is a string prefix to prepend to all log messages
+dbmap.TraceOn("[gorp]", log.New(os.Stdout, "myapp:", log.Lmicroseconds))
+
+// Turn off tracing
+dbmap.TraceOff()
+```
+
+### Insert
+
+```go
+// Must declare as pointers so optional callback hooks
+// can operate on your data, not copies
+inv1 := &Invoice{0, 100, 200, "first order", 0}
+inv2 := &Invoice{0, 100, 200, "second order", 0}
+
+// Insert your rows
+err := dbmap.Insert(inv1, inv2)
+
+// Because we called SetKeys(true) on Invoice, the Id field
+// will be populated after the Insert() automatically
+fmt.Printf("inv1.Id=%d  inv2.Id=%d\n", inv1.Id, inv2.Id)
+```
+
+### Update
+
+Continuing the above example, use the `Update` method to modify an Invoice:
+
+```go
+// count is the # of rows updated, which should be 1 in this example
+count, err := dbmap.Update(inv1)
+```
+
+### Delete
+
+If you have primary key(s) defined for a struct, you can use the `Delete`
+method to remove rows:
+
+```go
+count, err := dbmap.Delete(inv1)
+```
+
+### Select by Key
+
+Use the `Get` method to fetch a single row by primary key.  It returns
+nil if no row is found.
+
+```go
+// fetch Invoice with Id=99
+obj, err := dbmap.Get(Invoice{}, 99)
+inv := obj.(*Invoice)
+```
+
+### Ad Hoc SQL
+
+#### SELECT
+
+`Select()` and `SelectOne()` provide a simple way to bind arbitrary queries to a slice
+or a single struct.
+
+```go
+// Select a slice - first return value is not needed when a slice pointer is passed to Select()
+var posts []Post
+_, err := dbmap.Select(&posts, "select * from post order by id")
+
+// You can also use primitive types
+var ids []string
+_, err := dbmap.Select(&ids, "select id from post")
+
+// Select a single row.
+// Returns an error if no row found, or if more than one row is found
+var post Post
+err := dbmap.SelectOne(&post, "select * from post where id=?", id)
+```
+
+Want to do joins?  Just write the SQL and the struct. gorp will bind them:
+
+```go
+// Define a type for your join
+// It *must* contain all the columns in your SELECT statement
+//
+// The names here should match the aliased column names you specify
+// in your SQL - no additional binding work required.  simple.
+//
+type InvoicePersonView struct {
+    InvoiceId   int64
+    PersonId    int64
+    Memo        string
+    FName       string
+}
+
+// Create some rows
+p1 := &Person{0, 0, 0, "bob", "smith"}
+err = dbmap.Insert(p1)
+checkErr(err, "Insert failed")
+
+// notice how we can wire up p1.Id to the invoice easily
+inv1 := &Invoice{0, 0, 0, "xmas order", p1.Id}
+err = dbmap.Insert(inv1)
+checkErr(err, "Insert failed")
+
+// Run your query
+query := "select i.Id InvoiceId, p.Id PersonId, i.Memo, p.FName " +
+	"from invoice_test i, person_test p " +
+	"where i.PersonId = p.Id"
+
+// pass a slice to Select()
+var list []InvoicePersonView
+_, err := dbmap.Select(&list, query)
+
+// this should test true
+expected := InvoicePersonView{inv1.Id, p1.Id, inv1.Memo, p1.FName}
+if reflect.DeepEqual(list[0], expected) {
+    fmt.Println("Woot! My join worked!")
+}
+```
+
+#### SELECT string or int64
+
+gorp provides a few convenience methods for selecting a single string or int64.
+
+```go
+// select single int64 from db (use $1 instead of ? for postgresql)
+i64, err := dbmap.SelectInt("select count(*) from foo where blah=?", blahVal)
+
+// select single string from db:
+s, err := dbmap.SelectStr("select name from foo where blah=?", blahVal)
+
+```
+
+#### Named bind parameters
+
+You may use a map or struct to bind parameters by name.  This is currently
+only supported in SELECT queries.
+
+```go
+_, err := dbm.Select(&dest, "select * from Foo where name = :name and age = :age", map[string]interface{}{
+  "name": "Rob",
+  "age": 31,
+})
+```
+
+#### UPDATE / DELETE
+
+You can execute raw SQL if you wish.  Particularly good for batch operations.
+
+```go
+res, err := dbmap.Exec("delete from invoice_test where PersonId=?", 10)
+```
+
+### Transactions
+
+You can batch operations into a transaction:
+
+```go
+func InsertInv(dbmap *DbMap, inv *Invoice, per *Person) error {
+    // Start a new transaction
+    trans, err := dbmap.Begin()
+    if err != nil {
+        return err
+    }
+
+    err = trans.Insert(per)
+    checkErr(err, "Insert failed")
+
+    inv.PersonId = per.Id
+    err = trans.Insert(inv)
+    checkErr(err, "Insert failed")
+
+    // if the commit is successful, a nil error is returned
+    return trans.Commit()
+}
+```
+
+### Hooks
+
+Use hooks to update data before/after saving to the db. Good for timestamps:
+
+```go
+// implement the PreInsert and PreUpdate hooks
+func (i *Invoice) PreInsert(s gorp.SqlExecutor) error {
+    i.Created = time.Now().UnixNano()
+    i.Updated = i.Created
+    return nil
+}
+
+func (i *Invoice) PreUpdate(s gorp.SqlExecutor) error {
+    i.Updated = time.Now().UnixNano()
+    return nil
+}
+
+// You can use the SqlExecutor to cascade additional SQL
+// Take care to avoid cycles. gorp won't prevent them.
+//
+// Here's an example of a cascading delete
+//
+func (p *Person) PreDelete(s gorp.SqlExecutor) error {
+    query := "delete from invoice_test where PersonId=?"
+    
+    _, err := s.Exec(query, p.Id)
+    
+    if err != nil {
+        return err
+    }
+    return nil
+}
+```
+
+Full list of hooks that you can implement:
+
+    PostGet
+    PreInsert
+    PostInsert
+    PreUpdate
+    PostUpdate
+    PreDelete
+    PostDelete
+
+    All have the same signature.  for example:
+
+    func (p *MyStruct) PostUpdate(s gorp.SqlExecutor) error
+
+### Optimistic Locking
+
+#### Note that this behaviour has changed in v2. See [Migration Guide](#migration-guide).
+
+gorp provides a simple optimistic locking feature, similar to Java's
+JPA, that will raise an error if you try to update/delete a row whose
+`version` column has a value different than the one in memory.  This
+provides a safe way to do "select then update" style operations
+without explicit read and write locks.
+
+```go
+// Version is an auto-incremented number, managed by gorp
+// If this property is present on your struct, update
+// operations will be constrained
+//
+// For example, say we defined Person as:
+
+type Person struct {
+    Id       int64
+    Created  int64
+    Updated  int64
+    FName    string
+    LName    string
+
+    // automatically used as the Version col
+    // use table.SetVersionCol("columnName") to map a different
+    // struct field as the version field
+    Version  int64
+}
+
+p1 := &Person{0, 0, 0, "Bob", "Smith", 0}
+err = dbmap.Insert(p1)  // Version is now 1
+checkErr(err, "Insert failed")
+
+obj, err := dbmap.Get(Person{}, p1.Id)
+p2 := obj.(*Person)
+p2.LName = "Edwards"
+_,err = dbmap.Update(p2)  // Version is now 2
+checkErr(err, "Update failed")
+
+p1.LName = "Howard"
+
+// Raises error because p1.Version == 1, which is out of date
+count, err := dbmap.Update(p1)
+_, ok := err.(gorp.OptimisticLockError)
+if ok {
+    // should reach this statement
+
+    // in a real app you might reload the row and retry, or
+    // you might propegate this to the user, depending on the desired
+    // semantics
+    fmt.Printf("Tried to update row with stale data: %v\n", err)
+} else {
+    // some other db error occurred - log or return up the stack
+    fmt.Printf("Unknown db err: %v\n", err)
+}
+```
+### Adding INDEX(es) on column(s) beyond the primary key ###
+
+Indexes are frequently critical for performance. Here is how to add
+them to your tables.
+
+NB: SqlServer and Oracle need testing and possible adjustment to the
+CreateIndexSuffix() and DropIndexSuffix() methods to make AddIndex()
+work for them.
+
+In the example below we put an index both on the Id field, and on the
+AcctId field.
+
+```
+type Account struct {
+	Id      int64
+	AcctId  string // e.g. this might be a long uuid for portability
+}
+
+// indexType (the 2nd param to AddIndex call) is "Btree" or "Hash" for MySQL.
+// demonstrate adding a second index on AcctId, and constrain that field to have unique values.
+dbm.AddTable(iptab.Account{}).SetKeys(true, "Id").AddIndex("AcctIdIndex", "Btree", []string{"AcctId"}).SetUnique(true)
+
+err = dbm.CreateTablesIfNotExists()
+checkErr(err, "CreateTablesIfNotExists failed")
+
+err = dbm.CreateIndex()
+checkErr(err, "CreateIndex failed")
+
+```
+Check the effect of the CreateIndex() call in mysql:
+```
+$ mysql
+
+MariaDB [test]> show create table Account;
++---------+--------------------------+
+| Account | CREATE TABLE `Account` (
+  `Id` bigint(20) NOT NULL AUTO_INCREMENT,
+  `AcctId` varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`Id`),
+  UNIQUE KEY `AcctIdIndex` (`AcctId`) USING BTREE   <<<--- yes! index added.
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 
++---------+--------------------------+
+
+```
+
+
+## Database Drivers
+
+gorp uses the Go 1 `database/sql` package.  A full list of compliant
+drivers is available here:
+
+http://code.google.com/p/go-wiki/wiki/SQLDrivers
+
+Sadly, SQL databases differ on various issues. gorp provides a Dialect
+interface that should be implemented per database vendor.  Dialects
+are provided for:
+
+* MySQL
+* PostgreSQL
+* sqlite3
+
+Each of these three databases pass the test suite.  See `gorp_test.go`
+for example DSNs for these three databases.
+
+Support is also provided for:
+
+* Oracle (contributed by @klaidliadon)
+* SQL Server (contributed by @qrawl) - use driver:
+  github.com/denisenkom/go-mssqldb
+
+Note that these databases are not covered by CI and I (@coopernurse)
+have no good way to test them locally.  So please try them and send
+patches as needed, but expect a bit more unpredicability.
+
+## Sqlite3 Extensions
+
+In order to use sqlite3 extensions you need to first register a custom driver:
+
+```go
+import (
+	"database/sql"
+
+	// use whatever database/sql driver you wish
+	sqlite "github.com/mattn/go-sqlite3"
+)
+
+func customDriver() (*sql.DB, error) {
+
+	// create custom driver with extensions defined
+	sql.Register("sqlite3-custom", &sqlite.SQLiteDriver{
+		Extensions: []string{
+			"mod_spatialite",
+		},
+	})
+
+	// now you can then connect using the 'sqlite3-custom' driver instead of 'sqlite3'
+	return sql.Open("sqlite3-custom", "/tmp/post_db.bin")
+}
+```
+
+## Known Issues
+
+### SQL placeholder portability
+
+Different databases use different strings to indicate variable
+placeholders in prepared SQL statements.  Unlike some database
+abstraction layers (such as JDBC), Go's `database/sql` does not
+standardize this.
+
+SQL generated by gorp in the `Insert`, `Update`, `Delete`, and `Get`
+methods delegates to a Dialect implementation for each database, and
+will generate portable SQL.
+
+Raw SQL strings passed to `Exec`, `Select`, `SelectOne`, `SelectInt`,
+etc will not be parsed.  Consequently you may have portability issues
+if you write a query like this:
+
+```go 
+// works on MySQL and Sqlite3, but not with Postgresql err :=
+dbmap.SelectOne(&val, "select * from foo where id = ?", 30)
+```
+
+In `Select` and `SelectOne` you can use named parameters to work
+around this.  The following is portable:
+
+```go 
+err := dbmap.SelectOne(&val, "select * from foo where id = :id",
+map[string]interface{} { "id": 30})
+```
+
+Additionally, when using Postgres as your database, you should utilize
+`$1` instead of `?` placeholders as utilizing `?` placeholders when
+querying Postgres will result in `pq: operator does not exist`
+errors. Alternatively, use `dbMap.Dialect.BindVar(varIdx)` to get the
+proper variable binding for your dialect.
+
+### time.Time and time zones
+
+gorp will pass `time.Time` fields through to the `database/sql`
+driver, but note that the behavior of this type varies across database
+drivers.
+
+MySQL users should be especially cautious.  See:
+https://github.com/ziutek/mymysql/pull/77
+
+To avoid any potential issues with timezone/DST, consider:
+
+- Using an integer field for time data and storing UNIX time.
+- Using a custom time type that implements some SQL types:
+  - [`"database/sql".Scanner`](https://golang.org/pkg/database/sql/#Scanner)
+  - [`"database/sql/driver".Valuer`](https://golang.org/pkg/database/sql/driver/#Valuer)
+
+## Running the tests
+
+The included tests may be run against MySQL, Postgresql, or sqlite3.
+You must set two environment variables so the test code knows which
+driver to use, and how to connect to your database.
+
+```sh
+# MySQL example:
+export GORP_TEST_DSN=gomysql_test/gomysql_test/abc123
+export GORP_TEST_DIALECT=mysql
+
+# run the tests
+go test
+
+# run the tests and benchmarks
+go test -bench="Bench" -benchtime 10
+```
+
+Valid `GORP_TEST_DIALECT` values are: "mysql"(for mymysql),
+"gomysql"(for go-sql-driver), "postgres", "sqlite" See the
+`test_all.sh` script for examples of all 3 databases.  This is the
+script I run locally to test the library.
+
+## Performance
+
+gorp uses reflection to construct SQL queries and bind parameters.
+See the BenchmarkNativeCrud vs BenchmarkGorpCrud in gorp_test.go for a
+simple perf test.  On my MacBook Pro gorp is about 2-3% slower than
+hand written SQL.
+
+
+## Contributors
+
+* matthias-margush - column aliasing via tags
+* Rob Figueiredo - @robfig
+* Quinn Slack - @sqs
diff --git a/vendor/github.com/go-gorp/gorp/v3/column.go b/vendor/github.com/go-gorp/gorp/v3/column.go
new file mode 100644
index 0000000000..383e9efb65
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/column.go
@@ -0,0 +1,76 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import "reflect"
+
+// ColumnMap represents a mapping between a Go struct field and a single
+// column in a table.
+// Unique and MaxSize only inform the
+// CreateTables() function and are not used by Insert/Update/Delete/Get.
+type ColumnMap struct {
+	// Column name in db table
+	ColumnName string
+
+	// If true, this column is skipped in generated SQL statements
+	Transient bool
+
+	// If true, " unique" is added to create table statements.
+	// Not used elsewhere
+	Unique bool
+
+	// Query used for getting generated id after insert
+	GeneratedIdQuery string
+
+	// Passed to Dialect.ToSqlType() to assist in informing the
+	// correct column type to map to in CreateTables()
+	MaxSize int
+
+	DefaultValue string
+
+	fieldName  string
+	gotype     reflect.Type
+	isPK       bool
+	isAutoIncr bool
+	isNotNull  bool
+}
+
+// Rename allows you to specify the column name in the table
+//
+// Example:  table.ColMap("Updated").Rename("date_updated")
+//
+func (c *ColumnMap) Rename(colname string) *ColumnMap {
+	c.ColumnName = colname
+	return c
+}
+
+// SetTransient allows you to mark the column as transient. If true
+// this column will be skipped when SQL statements are generated
+func (c *ColumnMap) SetTransient(b bool) *ColumnMap {
+	c.Transient = b
+	return c
+}
+
+// SetUnique adds "unique" to the create table statements for this
+// column, if b is true.
+func (c *ColumnMap) SetUnique(b bool) *ColumnMap {
+	c.Unique = b
+	return c
+}
+
+// SetNotNull adds "not null" to the create table statements for this
+// column, if nn is true.
+func (c *ColumnMap) SetNotNull(nn bool) *ColumnMap {
+	c.isNotNull = nn
+	return c
+}
+
+// SetMaxSize specifies the max length of values of this column. This is
+// passed to the dialect.ToSqlType() function, which can use the value
+// to alter the generated type for "create table" statements
+func (c *ColumnMap) SetMaxSize(size int) *ColumnMap {
+	c.MaxSize = size
+	return c
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/db.go b/vendor/github.com/go-gorp/gorp/v3/db.go
new file mode 100644
index 0000000000..d78062e5b1
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/db.go
@@ -0,0 +1,985 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"bytes"
+	"context"
+	"database/sql"
+	"database/sql/driver"
+	"errors"
+	"fmt"
+	"log"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// DbMap is the root gorp mapping object. Create one of these for each
+// database schema you wish to map.  Each DbMap contains a list of
+// mapped tables.
+//
+// Example:
+//
+//     dialect := gorp.MySQLDialect{"InnoDB", "UTF8"}
+//     dbmap := &gorp.DbMap{Db: db, Dialect: dialect}
+//
+type DbMap struct {
+	ctx context.Context
+
+	// Db handle to use with this map
+	Db *sql.DB
+
+	// Dialect implementation to use with this map
+	Dialect Dialect
+
+	TypeConverter TypeConverter
+
+	// ExpandSlices when enabled will convert slice arguments in mappers into flat
+	// values. It will modify the query, adding more placeholders, and the mapper,
+	// adding each item of the slice as a new unique entry in the mapper. For
+	// example, given the scenario bellow:
+	//
+	//     dbmap.Select(&output, "SELECT 1 FROM example WHERE id IN (:IDs)", map[string]interface{}{
+	//       "IDs": []int64{1, 2, 3},
+	//     })
+	//
+	// The executed query would be:
+	//
+	//     SELECT 1 FROM example WHERE id IN (:IDs0,:IDs1,:IDs2)
+	//
+	// With the mapper:
+	//
+	//     map[string]interface{}{
+	//       "IDs":  []int64{1, 2, 3},
+	//       "IDs0": int64(1),
+	//       "IDs1": int64(2),
+	//       "IDs2": int64(3),
+	//     }
+	//
+	// It is also flexible for custom slice types. The value just need to
+	// implement stringer or numberer interfaces.
+	//
+	//     type CustomValue string
+	//
+	//     const (
+	//       CustomValueHey CustomValue = "hey"
+	//       CustomValueOh  CustomValue = "oh"
+	//     )
+	//
+	//     type CustomValues []CustomValue
+	//
+	//     func (c CustomValues) ToStringSlice() []string {
+	//       values := make([]string, len(c))
+	//       for i := range c {
+	//         values[i] = string(c[i])
+	//       }
+	//       return values
+	//     }
+	//
+	//     func query() {
+	//       // ...
+	//       result, err := dbmap.Select(&output, "SELECT 1 FROM example WHERE value IN (:Values)", map[string]interface{}{
+	//         "Values": CustomValues([]CustomValue{CustomValueHey}),
+	//       })
+	//       // ...
+	//     }
+	ExpandSliceArgs bool
+
+	tables        []*TableMap
+	tablesDynamic map[string]*TableMap // tables that use same go-struct and different db table names
+	logger        GorpLogger
+	logPrefix     string
+}
+
+func (m *DbMap) dynamicTableAdd(tableName string, tbl *TableMap) {
+	if m.tablesDynamic == nil {
+		m.tablesDynamic = make(map[string]*TableMap)
+	}
+	m.tablesDynamic[tableName] = tbl
+}
+
+func (m *DbMap) dynamicTableFind(tableName string) (*TableMap, bool) {
+	if m.tablesDynamic == nil {
+		return nil, false
+	}
+	tbl, found := m.tablesDynamic[tableName]
+	return tbl, found
+}
+
+func (m *DbMap) dynamicTableMap() map[string]*TableMap {
+	if m.tablesDynamic == nil {
+		m.tablesDynamic = make(map[string]*TableMap)
+	}
+	return m.tablesDynamic
+}
+
+func (m *DbMap) WithContext(ctx context.Context) SqlExecutor {
+	copy := &DbMap{}
+	*copy = *m
+	copy.ctx = ctx
+	return copy
+}
+
+func (m *DbMap) CreateIndex() error {
+	var err error
+	dialect := reflect.TypeOf(m.Dialect)
+	for _, table := range m.tables {
+		for _, index := range table.indexes {
+			err = m.createIndexImpl(dialect, table, index)
+			if err != nil {
+				break
+			}
+		}
+	}
+
+	for _, table := range m.dynamicTableMap() {
+		for _, index := range table.indexes {
+			err = m.createIndexImpl(dialect, table, index)
+			if err != nil {
+				break
+			}
+		}
+	}
+
+	return err
+}
+
+func (m *DbMap) createIndexImpl(dialect reflect.Type,
+	table *TableMap,
+	index *IndexMap) error {
+	s := bytes.Buffer{}
+	s.WriteString("create")
+	if index.Unique {
+		s.WriteString(" unique")
+	}
+	s.WriteString(" index")
+	s.WriteString(fmt.Sprintf(" %s on %s", index.IndexName, table.TableName))
+	if dname := dialect.Name(); dname == "PostgresDialect" && index.IndexType != "" {
+		s.WriteString(fmt.Sprintf(" %s %s", m.Dialect.CreateIndexSuffix(), index.IndexType))
+	}
+	s.WriteString(" (")
+	for x, col := range index.columns {
+		if x > 0 {
+			s.WriteString(", ")
+		}
+		s.WriteString(m.Dialect.QuoteField(col))
+	}
+	s.WriteString(")")
+
+	if dname := dialect.Name(); dname == "MySQLDialect" && index.IndexType != "" {
+		s.WriteString(fmt.Sprintf(" %s %s", m.Dialect.CreateIndexSuffix(), index.IndexType))
+	}
+	s.WriteString(";")
+	_, err := m.Exec(s.String())
+	return err
+}
+
+func (t *TableMap) DropIndex(name string) error {
+
+	var err error
+	dialect := reflect.TypeOf(t.dbmap.Dialect)
+	for _, idx := range t.indexes {
+		if idx.IndexName == name {
+			s := bytes.Buffer{}
+			s.WriteString(fmt.Sprintf("DROP INDEX %s", idx.IndexName))
+
+			if dname := dialect.Name(); dname == "MySQLDialect" {
+				s.WriteString(fmt.Sprintf(" %s %s", t.dbmap.Dialect.DropIndexSuffix(), t.TableName))
+			}
+			s.WriteString(";")
+			_, e := t.dbmap.Exec(s.String())
+			if e != nil {
+				err = e
+			}
+			break
+		}
+	}
+	t.ResetSql()
+	return err
+}
+
+// AddTable registers the given interface type with gorp. The table name
+// will be given the name of the TypeOf(i).  You must call this function,
+// or AddTableWithName, for any struct type you wish to persist with
+// the given DbMap.
+//
+// This operation is idempotent. If i's type is already mapped, the
+// existing *TableMap is returned
+func (m *DbMap) AddTable(i interface{}) *TableMap {
+	return m.AddTableWithName(i, "")
+}
+
+// AddTableWithName has the same behavior as AddTable, but sets
+// table.TableName to name.
+func (m *DbMap) AddTableWithName(i interface{}, name string) *TableMap {
+	return m.AddTableWithNameAndSchema(i, "", name)
+}
+
+// AddTableWithNameAndSchema has the same behavior as AddTable, but sets
+// table.TableName to name.
+func (m *DbMap) AddTableWithNameAndSchema(i interface{}, schema string, name string) *TableMap {
+	t := reflect.TypeOf(i)
+	if name == "" {
+		name = t.Name()
+	}
+
+	// check if we have a table for this type already
+	// if so, update the name and return the existing pointer
+	for i := range m.tables {
+		table := m.tables[i]
+		if table.gotype == t {
+			table.TableName = name
+			return table
+		}
+	}
+
+	tmap := &TableMap{gotype: t, TableName: name, SchemaName: schema, dbmap: m}
+	var primaryKey []*ColumnMap
+	tmap.Columns, primaryKey = m.readStructColumns(t)
+	m.tables = append(m.tables, tmap)
+	if len(primaryKey) > 0 {
+		tmap.keys = append(tmap.keys, primaryKey...)
+	}
+
+	return tmap
+}
+
+// AddTableDynamic registers the given interface type with gorp.
+// The table name will be dynamically determined at runtime by
+// using the GetTableName method on DynamicTable interface
+func (m *DbMap) AddTableDynamic(inp DynamicTable, schema string) *TableMap {
+
+	val := reflect.ValueOf(inp)
+	elm := val.Elem()
+	t := elm.Type()
+	name := inp.TableName()
+	if name == "" {
+		panic("Missing table name in DynamicTable instance")
+	}
+
+	// Check if there is another dynamic table with the same name
+	if _, found := m.dynamicTableFind(name); found {
+		panic(fmt.Sprintf("A table with the same name %v already exists", name))
+	}
+
+	tmap := &TableMap{gotype: t, TableName: name, SchemaName: schema, dbmap: m}
+	var primaryKey []*ColumnMap
+	tmap.Columns, primaryKey = m.readStructColumns(t)
+	if len(primaryKey) > 0 {
+		tmap.keys = append(tmap.keys, primaryKey...)
+	}
+
+	m.dynamicTableAdd(name, tmap)
+
+	return tmap
+}
+
+func (m *DbMap) readStructColumns(t reflect.Type) (cols []*ColumnMap, primaryKey []*ColumnMap) {
+	primaryKey = make([]*ColumnMap, 0)
+	n := t.NumField()
+	for i := 0; i < n; i++ {
+		f := t.Field(i)
+		if f.Anonymous && f.Type.Kind() == reflect.Struct {
+			// Recursively add nested fields in embedded structs.
+			subcols, subpk := m.readStructColumns(f.Type)
+			// Don't append nested fields that have the same field
+			// name as an already-mapped field.
+			for _, subcol := range subcols {
+				shouldAppend := true
+				for _, col := range cols {
+					if !subcol.Transient && subcol.fieldName == col.fieldName {
+						shouldAppend = false
+						break
+					}
+				}
+				if shouldAppend {
+					cols = append(cols, subcol)
+				}
+			}
+			if subpk != nil {
+				primaryKey = append(primaryKey, subpk...)
+			}
+		} else {
+			// Tag = Name { ','  Option }
+			// Option = OptionKey [ ':' OptionValue ]
+			cArguments := strings.Split(f.Tag.Get("db"), ",")
+			columnName := cArguments[0]
+			var maxSize int
+			var defaultValue string
+			var isAuto bool
+			var isPK bool
+			var isNotNull bool
+			for _, argString := range cArguments[1:] {
+				argString = strings.TrimSpace(argString)
+				arg := strings.SplitN(argString, ":", 2)
+
+				// check mandatory/unexpected option values
+				switch arg[0] {
+				case "size", "default":
+					// options requiring value
+					if len(arg) == 1 {
+						panic(fmt.Sprintf("missing option value for option %v on field %v", arg[0], f.Name))
+					}
+				default:
+					// options where value is invalid (currently all other options)
+					if len(arg) == 2 {
+						panic(fmt.Sprintf("unexpected option value for option %v on field %v", arg[0], f.Name))
+					}
+				}
+
+				switch arg[0] {
+				case "size":
+					maxSize, _ = strconv.Atoi(arg[1])
+				case "default":
+					defaultValue = arg[1]
+				case "primarykey":
+					isPK = true
+				case "autoincrement":
+					isAuto = true
+				case "notnull":
+					isNotNull = true
+				default:
+					panic(fmt.Sprintf("Unrecognized tag option for field %v: %v", f.Name, arg))
+				}
+			}
+			if columnName == "" {
+				columnName = f.Name
+			}
+
+			gotype := f.Type
+			valueType := gotype
+			if valueType.Kind() == reflect.Ptr {
+				valueType = valueType.Elem()
+			}
+			value := reflect.New(valueType).Interface()
+			if m.TypeConverter != nil {
+				// Make a new pointer to a value of type gotype and
+				// pass it to the TypeConverter's FromDb method to see
+				// if a different type should be used for the column
+				// type during table creation.
+				scanner, useHolder := m.TypeConverter.FromDb(value)
+				if useHolder {
+					value = scanner.Holder
+					gotype = reflect.TypeOf(value)
+				}
+			}
+			if typer, ok := value.(SqlTyper); ok {
+				gotype = reflect.TypeOf(typer.SqlType())
+			} else if typer, ok := value.(legacySqlTyper); ok {
+				log.Printf("Deprecation Warning: update your SqlType methods to return a driver.Value")
+				gotype = reflect.TypeOf(typer.SqlType())
+			} else if valuer, ok := value.(driver.Valuer); ok {
+				// Only check for driver.Valuer if SqlTyper wasn't
+				// found.
+				v, err := valuer.Value()
+				if err == nil && v != nil {
+					gotype = reflect.TypeOf(v)
+				}
+			}
+			cm := &ColumnMap{
+				ColumnName:   columnName,
+				DefaultValue: defaultValue,
+				Transient:    columnName == "-",
+				fieldName:    f.Name,
+				gotype:       gotype,
+				isPK:         isPK,
+				isAutoIncr:   isAuto,
+				isNotNull:    isNotNull,
+				MaxSize:      maxSize,
+			}
+			if isPK {
+				primaryKey = append(primaryKey, cm)
+			}
+			// Check for nested fields of the same field name and
+			// override them.
+			shouldAppend := true
+			for index, col := range cols {
+				if !col.Transient && col.fieldName == cm.fieldName {
+					cols[index] = cm
+					shouldAppend = false
+					break
+				}
+			}
+			if shouldAppend {
+				cols = append(cols, cm)
+			}
+		}
+
+	}
+	return
+}
+
+// CreateTables iterates through TableMaps registered to this DbMap and
+// executes "create table" statements against the database for each.
+//
+// This is particularly useful in unit tests where you want to create
+// and destroy the schema automatically.
+func (m *DbMap) CreateTables() error {
+	return m.createTables(false)
+}
+
+// CreateTablesIfNotExists is similar to CreateTables, but starts
+// each statement with "create table if not exists" so that existing
+// tables do not raise errors
+func (m *DbMap) CreateTablesIfNotExists() error {
+	return m.createTables(true)
+}
+
+func (m *DbMap) createTables(ifNotExists bool) error {
+	var err error
+	for i := range m.tables {
+		table := m.tables[i]
+		sql := table.SqlForCreate(ifNotExists)
+		_, err = m.Exec(sql)
+		if err != nil {
+			return err
+		}
+	}
+
+	for _, tbl := range m.dynamicTableMap() {
+		sql := tbl.SqlForCreate(ifNotExists)
+		_, err = m.Exec(sql)
+		if err != nil {
+			return err
+		}
+	}
+
+	return err
+}
+
+// DropTable drops an individual table.
+// Returns an error when the table does not exist.
+func (m *DbMap) DropTable(table interface{}) error {
+	t := reflect.TypeOf(table)
+
+	tableName := ""
+	if dyn, ok := table.(DynamicTable); ok {
+		tableName = dyn.TableName()
+	}
+
+	return m.dropTable(t, tableName, false)
+}
+
+// DropTableIfExists drops an individual table when the table exists.
+func (m *DbMap) DropTableIfExists(table interface{}) error {
+	t := reflect.TypeOf(table)
+
+	tableName := ""
+	if dyn, ok := table.(DynamicTable); ok {
+		tableName = dyn.TableName()
+	}
+
+	return m.dropTable(t, tableName, true)
+}
+
+// DropTables iterates through TableMaps registered to this DbMap and
+// executes "drop table" statements against the database for each.
+func (m *DbMap) DropTables() error {
+	return m.dropTables(false)
+}
+
+// DropTablesIfExists is the same as DropTables, but uses the "if exists" clause to
+// avoid errors for tables that do not exist.
+func (m *DbMap) DropTablesIfExists() error {
+	return m.dropTables(true)
+}
+
+// Goes through all the registered tables, dropping them one by one.
+// If an error is encountered, then it is returned and the rest of
+// the tables are not dropped.
+func (m *DbMap) dropTables(addIfExists bool) (err error) {
+	for _, table := range m.tables {
+		err = m.dropTableImpl(table, addIfExists)
+		if err != nil {
+			return err
+		}
+	}
+
+	for _, table := range m.dynamicTableMap() {
+		err = m.dropTableImpl(table, addIfExists)
+		if err != nil {
+			return err
+		}
+	}
+
+	return err
+}
+
+// Implementation of dropping a single table.
+func (m *DbMap) dropTable(t reflect.Type, name string, addIfExists bool) error {
+	table := tableOrNil(m, t, name)
+	if table == nil {
+		return fmt.Errorf("table %s was not registered", table.TableName)
+	}
+
+	return m.dropTableImpl(table, addIfExists)
+}
+
+func (m *DbMap) dropTableImpl(table *TableMap, ifExists bool) (err error) {
+	tableDrop := "drop table"
+	if ifExists {
+		tableDrop = m.Dialect.IfTableExists(tableDrop, table.SchemaName, table.TableName)
+	}
+	_, err = m.Exec(fmt.Sprintf("%s %s;", tableDrop, m.Dialect.QuotedTableForQuery(table.SchemaName, table.TableName)))
+	return err
+}
+
+// TruncateTables iterates through TableMaps registered to this DbMap and
+// executes "truncate table" statements against the database for each, or in the case of
+// sqlite, a "delete from" with no "where" clause, which uses the truncate optimization
+// (http://www.sqlite.org/lang_delete.html)
+func (m *DbMap) TruncateTables() error {
+	var err error
+	for i := range m.tables {
+		table := m.tables[i]
+		_, e := m.Exec(fmt.Sprintf("%s %s;", m.Dialect.TruncateClause(), m.Dialect.QuotedTableForQuery(table.SchemaName, table.TableName)))
+		if e != nil {
+			err = e
+		}
+	}
+
+	for _, table := range m.dynamicTableMap() {
+		_, e := m.Exec(fmt.Sprintf("%s %s;", m.Dialect.TruncateClause(), m.Dialect.QuotedTableForQuery(table.SchemaName, table.TableName)))
+		if e != nil {
+			err = e
+		}
+	}
+
+	return err
+}
+
+// Insert runs a SQL INSERT statement for each element in list.  List
+// items must be pointers.
+//
+// Any interface whose TableMap has an auto-increment primary key will
+// have its last insert id bound to the PK field on the struct.
+//
+// The hook functions PreInsert() and/or PostInsert() will be executed
+// before/after the INSERT statement if the interface defines them.
+//
+// Panics if any interface in the list has not been registered with AddTable
+func (m *DbMap) Insert(list ...interface{}) error {
+	return insert(m, m, list...)
+}
+
+// Update runs a SQL UPDATE statement for each element in list.  List
+// items must be pointers.
+//
+// The hook functions PreUpdate() and/or PostUpdate() will be executed
+// before/after the UPDATE statement if the interface defines them.
+//
+// Returns the number of rows updated.
+//
+// Returns an error if SetKeys has not been called on the TableMap
+// Panics if any interface in the list has not been registered with AddTable
+func (m *DbMap) Update(list ...interface{}) (int64, error) {
+	return update(m, m, nil, list...)
+}
+
+// UpdateColumns runs a SQL UPDATE statement for each element in list.  List
+// items must be pointers.
+//
+// Only the columns accepted by filter are included in the UPDATE.
+//
+// The hook functions PreUpdate() and/or PostUpdate() will be executed
+// before/after the UPDATE statement if the interface defines them.
+//
+// Returns the number of rows updated.
+//
+// Returns an error if SetKeys has not been called on the TableMap
+// Panics if any interface in the list has not been registered with AddTable
+func (m *DbMap) UpdateColumns(filter ColumnFilter, list ...interface{}) (int64, error) {
+	return update(m, m, filter, list...)
+}
+
+// Delete runs a SQL DELETE statement for each element in list.  List
+// items must be pointers.
+//
+// The hook functions PreDelete() and/or PostDelete() will be executed
+// before/after the DELETE statement if the interface defines them.
+//
+// Returns the number of rows deleted.
+//
+// Returns an error if SetKeys has not been called on the TableMap
+// Panics if any interface in the list has not been registered with AddTable
+func (m *DbMap) Delete(list ...interface{}) (int64, error) {
+	return delete(m, m, list...)
+}
+
+// Get runs a SQL SELECT to fetch a single row from the table based on the
+// primary key(s)
+//
+// i should be an empty value for the struct to load.  keys should be
+// the primary key value(s) for the row to load.  If multiple keys
+// exist on the table, the order should match the column order
+// specified in SetKeys() when the table mapping was defined.
+//
+// The hook function PostGet() will be executed after the SELECT
+// statement if the interface defines them.
+//
+// Returns a pointer to a struct that matches or nil if no row is found.
+//
+// Returns an error if SetKeys has not been called on the TableMap
+// Panics if any interface in the list has not been registered with AddTable
+func (m *DbMap) Get(i interface{}, keys ...interface{}) (interface{}, error) {
+	return get(m, m, i, keys...)
+}
+
+// Select runs an arbitrary SQL query, binding the columns in the result
+// to fields on the struct specified by i.  args represent the bind
+// parameters for the SQL statement.
+//
+// Column names on the SELECT statement should be aliased to the field names
+// on the struct i. Returns an error if one or more columns in the result
+// do not match.  It is OK if fields on i are not part of the SQL
+// statement.
+//
+// The hook function PostGet() will be executed after the SELECT
+// statement if the interface defines them.
+//
+// Values are returned in one of two ways:
+// 1. If i is a struct or a pointer to a struct, returns a slice of pointers to
+// matching rows of type i.
+// 2. If i is a pointer to a slice, the results will be appended to that slice
+// and nil returned.
+//
+// i does NOT need to be registered with AddTable()
+func (m *DbMap) Select(i interface{}, query string, args ...interface{}) ([]interface{}, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return hookedselect(m, m, i, query, args...)
+}
+
+// Exec runs an arbitrary SQL statement.  args represent the bind parameters.
+// This is equivalent to running:  Exec() using database/sql
+func (m *DbMap) Exec(query string, args ...interface{}) (sql.Result, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	if m.logger != nil {
+		now := time.Now()
+		defer m.trace(now, query, args...)
+	}
+	return maybeExpandNamedQueryAndExec(m, query, args...)
+}
+
+// SelectInt is a convenience wrapper around the gorp.SelectInt function
+func (m *DbMap) SelectInt(query string, args ...interface{}) (int64, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectInt(m, query, args...)
+}
+
+// SelectNullInt is a convenience wrapper around the gorp.SelectNullInt function
+func (m *DbMap) SelectNullInt(query string, args ...interface{}) (sql.NullInt64, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectNullInt(m, query, args...)
+}
+
+// SelectFloat is a convenience wrapper around the gorp.SelectFloat function
+func (m *DbMap) SelectFloat(query string, args ...interface{}) (float64, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectFloat(m, query, args...)
+}
+
+// SelectNullFloat is a convenience wrapper around the gorp.SelectNullFloat function
+func (m *DbMap) SelectNullFloat(query string, args ...interface{}) (sql.NullFloat64, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectNullFloat(m, query, args...)
+}
+
+// SelectStr is a convenience wrapper around the gorp.SelectStr function
+func (m *DbMap) SelectStr(query string, args ...interface{}) (string, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectStr(m, query, args...)
+}
+
+// SelectNullStr is a convenience wrapper around the gorp.SelectNullStr function
+func (m *DbMap) SelectNullStr(query string, args ...interface{}) (sql.NullString, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectNullStr(m, query, args...)
+}
+
+// SelectOne is a convenience wrapper around the gorp.SelectOne function
+func (m *DbMap) SelectOne(holder interface{}, query string, args ...interface{}) error {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectOne(m, m, holder, query, args...)
+}
+
+// Begin starts a gorp Transaction
+func (m *DbMap) Begin() (*Transaction, error) {
+	if m.logger != nil {
+		now := time.Now()
+		defer m.trace(now, "begin;")
+	}
+	tx, err := begin(m)
+	if err != nil {
+		return nil, err
+	}
+	return &Transaction{
+		dbmap:  m,
+		tx:     tx,
+		closed: false,
+	}, nil
+}
+
+// TableFor returns the *TableMap corresponding to the given Go Type
+// If no table is mapped to that type an error is returned.
+// If checkPK is true and the mapped table has no registered PKs, an error is returned.
+func (m *DbMap) TableFor(t reflect.Type, checkPK bool) (*TableMap, error) {
+	table := tableOrNil(m, t, "")
+	if table == nil {
+		return nil, fmt.Errorf("no table found for type: %v", t.Name())
+	}
+
+	if checkPK && len(table.keys) < 1 {
+		e := fmt.Sprintf("gorp: no keys defined for table: %s",
+			table.TableName)
+		return nil, errors.New(e)
+	}
+
+	return table, nil
+}
+
+// DynamicTableFor returns the *TableMap for the dynamic table corresponding
+// to the input tablename
+// If no table is mapped to that tablename an error is returned.
+// If checkPK is true and the mapped table has no registered PKs, an error is returned.
+func (m *DbMap) DynamicTableFor(tableName string, checkPK bool) (*TableMap, error) {
+	table, found := m.dynamicTableFind(tableName)
+	if !found {
+		return nil, fmt.Errorf("gorp: no table found for name: %v", tableName)
+	}
+
+	if checkPK && len(table.keys) < 1 {
+		e := fmt.Sprintf("gorp: no keys defined for table: %s",
+			table.TableName)
+		return nil, errors.New(e)
+	}
+
+	return table, nil
+}
+
+// Prepare creates a prepared statement for later queries or executions.
+// Multiple queries or executions may be run concurrently from the returned statement.
+// This is equivalent to running:  Prepare() using database/sql
+func (m *DbMap) Prepare(query string) (*sql.Stmt, error) {
+	if m.logger != nil {
+		now := time.Now()
+		defer m.trace(now, query, nil)
+	}
+	return prepare(m, query)
+}
+
+func tableOrNil(m *DbMap, t reflect.Type, name string) *TableMap {
+	if name != "" {
+		// Search by table name (dynamic tables)
+		if table, found := m.dynamicTableFind(name); found {
+			return table
+		}
+		return nil
+	}
+
+	for i := range m.tables {
+		table := m.tables[i]
+		if table.gotype == t {
+			return table
+		}
+	}
+	return nil
+}
+
+func (m *DbMap) tableForPointer(ptr interface{}, checkPK bool) (*TableMap, reflect.Value, error) {
+	ptrv := reflect.ValueOf(ptr)
+	if ptrv.Kind() != reflect.Ptr {
+		e := fmt.Sprintf("gorp: passed non-pointer: %v (kind=%v)", ptr,
+			ptrv.Kind())
+		return nil, reflect.Value{}, errors.New(e)
+	}
+	elem := ptrv.Elem()
+	ifc := elem.Interface()
+	var t *TableMap
+	var err error
+	tableName := ""
+	if dyn, isDyn := ptr.(DynamicTable); isDyn {
+		tableName = dyn.TableName()
+		t, err = m.DynamicTableFor(tableName, checkPK)
+	} else {
+		etype := reflect.TypeOf(ifc)
+		t, err = m.TableFor(etype, checkPK)
+	}
+
+	if err != nil {
+		return nil, reflect.Value{}, err
+	}
+
+	return t, elem, nil
+}
+
+func (m *DbMap) QueryRow(query string, args ...interface{}) *sql.Row {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	if m.logger != nil {
+		now := time.Now()
+		defer m.trace(now, query, args...)
+	}
+	return queryRow(m, query, args...)
+}
+
+func (m *DbMap) Query(q string, args ...interface{}) (*sql.Rows, error) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&q, args...)
+	}
+
+	if m.logger != nil {
+		now := time.Now()
+		defer m.trace(now, q, args...)
+	}
+	return query(m, q, args...)
+}
+
+func (m *DbMap) trace(started time.Time, query string, args ...interface{}) {
+	if m.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	if m.logger != nil {
+		var margs = argsString(args...)
+		m.logger.Printf("%s%s [%s] (%v)", m.logPrefix, query, margs, (time.Now().Sub(started)))
+	}
+}
+
+type stringer interface {
+	ToStringSlice() []string
+}
+
+type numberer interface {
+	ToInt64Slice() []int64
+}
+
+func expandSliceArgs(query *string, args ...interface{}) {
+	for _, arg := range args {
+		mapper, ok := arg.(map[string]interface{})
+		if !ok {
+			continue
+		}
+
+		for key, value := range mapper {
+			var replacements []string
+
+			// add flexibility for any custom type to be convert to one of the
+			// acceptable formats.
+			if v, ok := value.(stringer); ok {
+				value = v.ToStringSlice()
+			}
+			if v, ok := value.(numberer); ok {
+				value = v.ToInt64Slice()
+			}
+
+			switch v := value.(type) {
+			case []string:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []uint:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []uint8:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []uint16:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []uint32:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []uint64:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []int:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []int8:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []int16:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []int32:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []int64:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []float32:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			case []float64:
+				for id, replace := range v {
+					mapper[fmt.Sprintf("%s%d", key, id)] = replace
+					replacements = append(replacements, fmt.Sprintf(":%s%d", key, id))
+				}
+			default:
+				continue
+			}
+
+			if len(replacements) == 0 {
+				continue
+			}
+
+			*query = strings.Replace(*query, fmt.Sprintf(":%s", key), strings.Join(replacements, ","), -1)
+		}
+	}
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect.go b/vendor/github.com/go-gorp/gorp/v3/dialect.go
new file mode 100644
index 0000000000..fdea2b203c
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/dialect.go
@@ -0,0 +1,105 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"reflect"
+)
+
+// The Dialect interface encapsulates behaviors that differ across
+// SQL databases.  At present the Dialect is only used by CreateTables()
+// but this could change in the future
+type Dialect interface {
+	// adds a suffix to any query, usually ";"
+	QuerySuffix() string
+
+	// ToSqlType returns the SQL column type to use when creating a
+	// table of the given Go Type.  maxsize can be used to switch based on
+	// size.  For example, in MySQL []byte could map to BLOB, MEDIUMBLOB,
+	// or LONGBLOB depending on the maxsize
+	ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string
+
+	// string to append to primary key column definitions
+	AutoIncrStr() string
+
+	// string to bind autoincrement columns to. Empty string will
+	// remove reference to those columns in the INSERT statement.
+	AutoIncrBindValue() string
+
+	AutoIncrInsertSuffix(col *ColumnMap) string
+
+	// string to append to "create table" statement for vendor specific
+	// table attributes
+	CreateTableSuffix() string
+
+	// string to append to "create index" statement
+	CreateIndexSuffix() string
+
+	// string to append to "drop index" statement
+	DropIndexSuffix() string
+
+	// string to truncate tables
+	TruncateClause() string
+
+	// bind variable string to use when forming SQL statements
+	// in many dbs it is "?", but Postgres appears to use $1
+	//
+	// i is a zero based index of the bind variable in this statement
+	//
+	BindVar(i int) string
+
+	// Handles quoting of a field name to ensure that it doesn't raise any
+	// SQL parsing exceptions by using a reserved word as a field name.
+	QuoteField(field string) string
+
+	// Handles building up of a schema.database string that is compatible with
+	// the given dialect
+	//
+	// schema - The schema that <table> lives in
+	// table - The table name
+	QuotedTableForQuery(schema string, table string) string
+
+	// Existence clause for table creation / deletion
+	IfSchemaNotExists(command, schema string) string
+	IfTableExists(command, schema, table string) string
+	IfTableNotExists(command, schema, table string) string
+}
+
+// IntegerAutoIncrInserter is implemented by dialects that can perform
+// inserts with automatically incremented integer primary keys.  If
+// the dialect can handle automatic assignment of more than just
+// integers, see TargetedAutoIncrInserter.
+type IntegerAutoIncrInserter interface {
+	InsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error)
+}
+
+// TargetedAutoIncrInserter is implemented by dialects that can
+// perform automatic assignment of any primary key type (i.e. strings
+// for uuids, integers for serials, etc).
+type TargetedAutoIncrInserter interface {
+	// InsertAutoIncrToTarget runs an insert operation and assigns the
+	// automatically generated primary key directly to the passed in
+	// target.  The target should be a pointer to the primary key
+	// field of the value being inserted.
+	InsertAutoIncrToTarget(exec SqlExecutor, insertSql string, target interface{}, params ...interface{}) error
+}
+
+// TargetQueryInserter is implemented by dialects that can perform
+// assignment of integer primary key type by executing a query
+// like "select sequence.currval from dual".
+type TargetQueryInserter interface {
+	// TargetQueryInserter runs an insert operation and assigns the
+	// automatically generated primary key retrived by the query
+	// extracted from the GeneratedIdQuery field of the id column.
+	InsertQueryToTarget(exec SqlExecutor, insertSql, idSql string, target interface{}, params ...interface{}) error
+}
+
+func standardInsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) {
+	res, err := exec.Exec(insertSql, params...)
+	if err != nil {
+		return 0, err
+	}
+	return res.LastInsertId()
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_mysql.go b/vendor/github.com/go-gorp/gorp/v3/dialect_mysql.go
new file mode 100644
index 0000000000..d068ebe85e
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/dialect_mysql.go
@@ -0,0 +1,169 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"time"
+)
+
+// Implementation of Dialect for MySQL databases.
+type MySQLDialect struct {
+
+	// Engine is the storage engine to use "InnoDB" vs "MyISAM" for example
+	Engine string
+
+	// Encoding is the character encoding to use for created tables
+	Encoding string
+}
+
+func (d MySQLDialect) QuerySuffix() string { return ";" }
+
+func (d MySQLDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string {
+	switch val.Kind() {
+	case reflect.Ptr:
+		return d.ToSqlType(val.Elem(), maxsize, isAutoIncr)
+	case reflect.Bool:
+		return "boolean"
+	case reflect.Int8:
+		return "tinyint"
+	case reflect.Uint8:
+		return "tinyint unsigned"
+	case reflect.Int16:
+		return "smallint"
+	case reflect.Uint16:
+		return "smallint unsigned"
+	case reflect.Int, reflect.Int32:
+		return "int"
+	case reflect.Uint, reflect.Uint32:
+		return "int unsigned"
+	case reflect.Int64:
+		return "bigint"
+	case reflect.Uint64:
+		return "bigint unsigned"
+	case reflect.Float64, reflect.Float32:
+		return "double"
+	case reflect.Slice:
+		if val.Elem().Kind() == reflect.Uint8 {
+			return "mediumblob"
+		}
+	}
+
+	switch val.Name() {
+	case "NullInt64":
+		return "bigint"
+	case "NullFloat64":
+		return "double"
+	case "NullBool":
+		return "tinyint"
+	case "Time":
+		return "datetime"
+	}
+
+	if maxsize < 1 {
+		maxsize = 255
+	}
+
+	/* == About varchar(N) ==
+	 * N is number of characters.
+	 * A varchar column can store up to 65535 bytes.
+	 * Remember that 1 character is 3 bytes in utf-8 charset.
+	 * Also remember that each row can store up to 65535 bytes,
+	 * and you have some overheads, so it's not possible for a
+	 * varchar column to have 65535/3 characters really.
+	 * So it would be better to use 'text' type in stead of
+	 * large varchar type.
+	 */
+	if maxsize < 256 {
+		return fmt.Sprintf("varchar(%d)", maxsize)
+	} else {
+		return "text"
+	}
+}
+
+// Returns auto_increment
+func (d MySQLDialect) AutoIncrStr() string {
+	return "auto_increment"
+}
+
+func (d MySQLDialect) AutoIncrBindValue() string {
+	return "null"
+}
+
+func (d MySQLDialect) AutoIncrInsertSuffix(col *ColumnMap) string {
+	return ""
+}
+
+// Returns engine=%s charset=%s  based on values stored on struct
+func (d MySQLDialect) CreateTableSuffix() string {
+	if d.Engine == "" || d.Encoding == "" {
+		msg := "gorp - undefined"
+
+		if d.Engine == "" {
+			msg += " MySQLDialect.Engine"
+		}
+		if d.Engine == "" && d.Encoding == "" {
+			msg += ","
+		}
+		if d.Encoding == "" {
+			msg += " MySQLDialect.Encoding"
+		}
+		msg += ". Check that your MySQLDialect was correctly initialized when declared."
+		panic(msg)
+	}
+
+	return fmt.Sprintf(" engine=%s charset=%s", d.Engine, d.Encoding)
+}
+
+func (d MySQLDialect) CreateIndexSuffix() string {
+	return "using"
+}
+
+func (d MySQLDialect) DropIndexSuffix() string {
+	return "on"
+}
+
+func (d MySQLDialect) TruncateClause() string {
+	return "truncate"
+}
+
+func (d MySQLDialect) SleepClause(s time.Duration) string {
+	return fmt.Sprintf("sleep(%f)", s.Seconds())
+}
+
+// Returns "?"
+func (d MySQLDialect) BindVar(i int) string {
+	return "?"
+}
+
+func (d MySQLDialect) InsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) {
+	return standardInsertAutoIncr(exec, insertSql, params...)
+}
+
+func (d MySQLDialect) QuoteField(f string) string {
+	return "`" + f + "`"
+}
+
+func (d MySQLDialect) QuotedTableForQuery(schema string, table string) string {
+	if strings.TrimSpace(schema) == "" {
+		return d.QuoteField(table)
+	}
+
+	return schema + "." + d.QuoteField(table)
+}
+
+func (d MySQLDialect) IfSchemaNotExists(command, schema string) string {
+	return fmt.Sprintf("%s if not exists", command)
+}
+
+func (d MySQLDialect) IfTableExists(command, schema, table string) string {
+	return fmt.Sprintf("%s if exists", command)
+}
+
+func (d MySQLDialect) IfTableNotExists(command, schema, table string) string {
+	return fmt.Sprintf("%s if not exists", command)
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_oracle.go b/vendor/github.com/go-gorp/gorp/v3/dialect_oracle.go
new file mode 100644
index 0000000000..01a99b8a19
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/dialect_oracle.go
@@ -0,0 +1,139 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+)
+
+// Implementation of Dialect for Oracle databases.
+type OracleDialect struct{}
+
+func (d OracleDialect) QuerySuffix() string { return "" }
+
+func (d OracleDialect) CreateIndexSuffix() string { return "" }
+
+func (d OracleDialect) DropIndexSuffix() string { return "" }
+
+func (d OracleDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string {
+	switch val.Kind() {
+	case reflect.Ptr:
+		return d.ToSqlType(val.Elem(), maxsize, isAutoIncr)
+	case reflect.Bool:
+		return "boolean"
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32:
+		if isAutoIncr {
+			return "serial"
+		}
+		return "integer"
+	case reflect.Int64, reflect.Uint64:
+		if isAutoIncr {
+			return "bigserial"
+		}
+		return "bigint"
+	case reflect.Float64:
+		return "double precision"
+	case reflect.Float32:
+		return "real"
+	case reflect.Slice:
+		if val.Elem().Kind() == reflect.Uint8 {
+			return "bytea"
+		}
+	}
+
+	switch val.Name() {
+	case "NullInt64":
+		return "bigint"
+	case "NullFloat64":
+		return "double precision"
+	case "NullBool":
+		return "boolean"
+	case "NullTime", "Time":
+		return "timestamp with time zone"
+	}
+
+	if maxsize > 0 {
+		return fmt.Sprintf("varchar(%d)", maxsize)
+	} else {
+		return "text"
+	}
+
+}
+
+// Returns empty string
+func (d OracleDialect) AutoIncrStr() string {
+	return ""
+}
+
+func (d OracleDialect) AutoIncrBindValue() string {
+	return "NULL"
+}
+
+func (d OracleDialect) AutoIncrInsertSuffix(col *ColumnMap) string {
+	return ""
+}
+
+// Returns suffix
+func (d OracleDialect) CreateTableSuffix() string {
+	return ""
+}
+
+func (d OracleDialect) TruncateClause() string {
+	return "truncate"
+}
+
+// Returns "$(i+1)"
+func (d OracleDialect) BindVar(i int) string {
+	return fmt.Sprintf(":%d", i+1)
+}
+
+// After executing the insert uses the ColMap IdQuery to get the generated id
+func (d OracleDialect) InsertQueryToTarget(exec SqlExecutor, insertSql, idSql string, target interface{}, params ...interface{}) error {
+	_, err := exec.Exec(insertSql, params...)
+	if err != nil {
+		return err
+	}
+	id, err := exec.SelectInt(idSql)
+	if err != nil {
+		return err
+	}
+	switch target.(type) {
+	case *int64:
+		*(target.(*int64)) = id
+	case *int32:
+		*(target.(*int32)) = int32(id)
+	case int:
+		*(target.(*int)) = int(id)
+	default:
+		return fmt.Errorf("Id field can be int, int32 or int64")
+	}
+	return nil
+}
+
+func (d OracleDialect) QuoteField(f string) string {
+	return `"` + strings.ToUpper(f) + `"`
+}
+
+func (d OracleDialect) QuotedTableForQuery(schema string, table string) string {
+	if strings.TrimSpace(schema) == "" {
+		return d.QuoteField(table)
+	}
+
+	return schema + "." + d.QuoteField(table)
+}
+
+func (d OracleDialect) IfSchemaNotExists(command, schema string) string {
+	return fmt.Sprintf("%s if not exists", command)
+}
+
+func (d OracleDialect) IfTableExists(command, schema, table string) string {
+	return fmt.Sprintf("%s if exists", command)
+}
+
+func (d OracleDialect) IfTableNotExists(command, schema, table string) string {
+	return fmt.Sprintf("%s if not exists", command)
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_postgres.go b/vendor/github.com/go-gorp/gorp/v3/dialect_postgres.go
new file mode 100644
index 0000000000..7a9c50bf8a
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/dialect_postgres.go
@@ -0,0 +1,149 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"time"
+)
+
+type PostgresDialect struct {
+	suffix          string
+	LowercaseFields bool
+}
+
+func (d PostgresDialect) QuerySuffix() string { return ";" }
+
+func (d PostgresDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string {
+	switch val.Kind() {
+	case reflect.Ptr:
+		return d.ToSqlType(val.Elem(), maxsize, isAutoIncr)
+	case reflect.Bool:
+		return "boolean"
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32:
+		if isAutoIncr {
+			return "serial"
+		}
+		return "integer"
+	case reflect.Int64, reflect.Uint64:
+		if isAutoIncr {
+			return "bigserial"
+		}
+		return "bigint"
+	case reflect.Float64:
+		return "double precision"
+	case reflect.Float32:
+		return "real"
+	case reflect.Slice:
+		if val.Elem().Kind() == reflect.Uint8 {
+			return "bytea"
+		}
+	}
+
+	switch val.Name() {
+	case "NullInt64":
+		return "bigint"
+	case "NullFloat64":
+		return "double precision"
+	case "NullBool":
+		return "boolean"
+	case "Time", "NullTime":
+		return "timestamp with time zone"
+	}
+
+	if maxsize > 0 {
+		return fmt.Sprintf("varchar(%d)", maxsize)
+	} else {
+		return "text"
+	}
+
+}
+
+// Returns empty string
+func (d PostgresDialect) AutoIncrStr() string {
+	return ""
+}
+
+func (d PostgresDialect) AutoIncrBindValue() string {
+	return "default"
+}
+
+func (d PostgresDialect) AutoIncrInsertSuffix(col *ColumnMap) string {
+	return " returning " + d.QuoteField(col.ColumnName)
+}
+
+// Returns suffix
+func (d PostgresDialect) CreateTableSuffix() string {
+	return d.suffix
+}
+
+func (d PostgresDialect) CreateIndexSuffix() string {
+	return "using"
+}
+
+func (d PostgresDialect) DropIndexSuffix() string {
+	return ""
+}
+
+func (d PostgresDialect) TruncateClause() string {
+	return "truncate"
+}
+
+func (d PostgresDialect) SleepClause(s time.Duration) string {
+	return fmt.Sprintf("pg_sleep(%f)", s.Seconds())
+}
+
+// Returns "$(i+1)"
+func (d PostgresDialect) BindVar(i int) string {
+	return fmt.Sprintf("$%d", i+1)
+}
+
+func (d PostgresDialect) InsertAutoIncrToTarget(exec SqlExecutor, insertSql string, target interface{}, params ...interface{}) error {
+	rows, err := exec.Query(insertSql, params...)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+
+	if !rows.Next() {
+		return fmt.Errorf("No serial value returned for insert: %s Encountered error: %s", insertSql, rows.Err())
+	}
+	if err := rows.Scan(target); err != nil {
+		return err
+	}
+	if rows.Next() {
+		return fmt.Errorf("more than two serial value returned for insert: %s", insertSql)
+	}
+	return rows.Err()
+}
+
+func (d PostgresDialect) QuoteField(f string) string {
+	if d.LowercaseFields {
+		return `"` + strings.ToLower(f) + `"`
+	}
+	return `"` + f + `"`
+}
+
+func (d PostgresDialect) QuotedTableForQuery(schema string, table string) string {
+	if strings.TrimSpace(schema) == "" {
+		return d.QuoteField(table)
+	}
+
+	return schema + "." + d.QuoteField(table)
+}
+
+func (d PostgresDialect) IfSchemaNotExists(command, schema string) string {
+	return fmt.Sprintf("%s if not exists", command)
+}
+
+func (d PostgresDialect) IfTableExists(command, schema, table string) string {
+	return fmt.Sprintf("%s if exists", command)
+}
+
+func (d PostgresDialect) IfTableNotExists(command, schema, table string) string {
+	return fmt.Sprintf("%s if not exists", command)
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_snowflake.go b/vendor/github.com/go-gorp/gorp/v3/dialect_snowflake.go
new file mode 100644
index 0000000000..2e2cb89523
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/dialect_snowflake.go
@@ -0,0 +1,152 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+  "fmt"
+  "reflect"
+  "strings"
+)
+
+type SnowflakeDialect struct {
+  suffix          string
+  LowercaseFields bool
+}
+
+func (d SnowflakeDialect) QuerySuffix() string { return ";" }
+
+func (d SnowflakeDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string {
+  switch val.Kind() {
+  case reflect.Ptr:
+    return d.ToSqlType(val.Elem(), maxsize, isAutoIncr)
+  case reflect.Bool:
+    return "boolean"
+  case reflect.Int,
+    reflect.Int8,
+    reflect.Int16,
+    reflect.Int32,
+    reflect.Uint,
+    reflect.Uint8,
+    reflect.Uint16,
+    reflect.Uint32:
+
+    if isAutoIncr {
+      return "serial"
+    }
+    return "integer"
+  case reflect.Int64, reflect.Uint64:
+    if isAutoIncr {
+      return "bigserial"
+    }
+    return "bigint"
+  case reflect.Float64:
+    return "double precision"
+  case reflect.Float32:
+    return "real"
+  case reflect.Slice:
+    if val.Elem().Kind() == reflect.Uint8 {
+      return "binary"
+    }
+  }
+
+  switch val.Name() {
+  case "NullInt64":
+    return "bigint"
+  case "NullFloat64":
+    return "double precision"
+  case "NullBool":
+    return "boolean"
+  case "Time", "NullTime":
+    return "timestamp with time zone"
+  }
+
+  if maxsize > 0 {
+    return fmt.Sprintf("varchar(%d)", maxsize)
+  } else {
+    return "text"
+  }
+
+}
+
+// Returns empty string
+func (d SnowflakeDialect) AutoIncrStr() string {
+  return ""
+}
+
+func (d SnowflakeDialect) AutoIncrBindValue() string {
+  return "default"
+}
+
+func (d SnowflakeDialect) AutoIncrInsertSuffix(col *ColumnMap) string {
+  return ""
+}
+
+// Returns suffix
+func (d SnowflakeDialect) CreateTableSuffix() string {
+  return d.suffix
+}
+
+func (d SnowflakeDialect) CreateIndexSuffix() string {
+  return ""
+}
+
+func (d SnowflakeDialect) DropIndexSuffix() string {
+  return ""
+}
+
+func (d SnowflakeDialect) TruncateClause() string {
+  return "truncate"
+}
+
+// Returns "$(i+1)"
+func (d SnowflakeDialect) BindVar(i int) string {
+  return "?"
+}
+
+func (d SnowflakeDialect) InsertAutoIncrToTarget(exec SqlExecutor, insertSql string, target interface{}, params ...interface{}) error {
+  rows, err := exec.Query(insertSql, params...)
+  if err != nil {
+    return err
+  }
+  defer rows.Close()
+
+  if !rows.Next() {
+    return fmt.Errorf("No serial value returned for insert: %s Encountered error: %s", insertSql, rows.Err())
+  }
+  if err := rows.Scan(target); err != nil {
+    return err
+  }
+  if rows.Next() {
+    return fmt.Errorf("more than two serial value returned for insert: %s", insertSql)
+  }
+  return rows.Err()
+}
+
+func (d SnowflakeDialect) QuoteField(f string) string {
+  if d.LowercaseFields {
+    return `"` + strings.ToLower(f) + `"`
+  }
+  return `"` + f + `"`
+}
+
+func (d SnowflakeDialect) QuotedTableForQuery(schema string, table string) string {
+  if strings.TrimSpace(schema) == "" {
+    return d.QuoteField(table)
+  }
+
+  return schema + "." + d.QuoteField(table)
+}
+
+func (d SnowflakeDialect) IfSchemaNotExists(command, schema string) string {
+  return fmt.Sprintf("%s if not exists", command)
+}
+
+func (d SnowflakeDialect) IfTableExists(command, schema, table string) string {
+  return fmt.Sprintf("%s if exists", command)
+}
+
+func (d SnowflakeDialect) IfTableNotExists(command, schema, table string) string {
+  return fmt.Sprintf("%s if not exists", command)
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_sqlite.go b/vendor/github.com/go-gorp/gorp/v3/dialect_sqlite.go
new file mode 100644
index 0000000000..2296275b95
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/dialect_sqlite.go
@@ -0,0 +1,112 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"fmt"
+	"reflect"
+)
+
+type SqliteDialect struct {
+	suffix string
+}
+
+func (d SqliteDialect) QuerySuffix() string { return ";" }
+
+func (d SqliteDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string {
+	switch val.Kind() {
+	case reflect.Ptr:
+		return d.ToSqlType(val.Elem(), maxsize, isAutoIncr)
+	case reflect.Bool:
+		return "integer"
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return "integer"
+	case reflect.Float64, reflect.Float32:
+		return "real"
+	case reflect.Slice:
+		if val.Elem().Kind() == reflect.Uint8 {
+			return "blob"
+		}
+	}
+
+	switch val.Name() {
+	case "NullInt64":
+		return "integer"
+	case "NullFloat64":
+		return "real"
+	case "NullBool":
+		return "integer"
+	case "Time":
+		return "datetime"
+	}
+
+	if maxsize < 1 {
+		maxsize = 255
+	}
+	return fmt.Sprintf("varchar(%d)", maxsize)
+}
+
+// Returns autoincrement
+func (d SqliteDialect) AutoIncrStr() string {
+	return "autoincrement"
+}
+
+func (d SqliteDialect) AutoIncrBindValue() string {
+	return "null"
+}
+
+func (d SqliteDialect) AutoIncrInsertSuffix(col *ColumnMap) string {
+	return ""
+}
+
+// Returns suffix
+func (d SqliteDialect) CreateTableSuffix() string {
+	return d.suffix
+}
+
+func (d SqliteDialect) CreateIndexSuffix() string {
+	return ""
+}
+
+func (d SqliteDialect) DropIndexSuffix() string {
+	return ""
+}
+
+// With sqlite, there technically isn't a TRUNCATE statement,
+// but a DELETE FROM uses a truncate optimization:
+// http://www.sqlite.org/lang_delete.html
+func (d SqliteDialect) TruncateClause() string {
+	return "delete from"
+}
+
+// Returns "?"
+func (d SqliteDialect) BindVar(i int) string {
+	return "?"
+}
+
+func (d SqliteDialect) InsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) {
+	return standardInsertAutoIncr(exec, insertSql, params...)
+}
+
+func (d SqliteDialect) QuoteField(f string) string {
+	return `"` + f + `"`
+}
+
+// sqlite does not have schemas like PostgreSQL does, so just escape it like normal
+func (d SqliteDialect) QuotedTableForQuery(schema string, table string) string {
+	return d.QuoteField(table)
+}
+
+func (d SqliteDialect) IfSchemaNotExists(command, schema string) string {
+	return fmt.Sprintf("%s if not exists", command)
+}
+
+func (d SqliteDialect) IfTableExists(command, schema, table string) string {
+	return fmt.Sprintf("%s if exists", command)
+}
+
+func (d SqliteDialect) IfTableNotExists(command, schema, table string) string {
+	return fmt.Sprintf("%s if not exists", command)
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_sqlserver.go b/vendor/github.com/go-gorp/gorp/v3/dialect_sqlserver.go
new file mode 100644
index 0000000000..ec06aed66f
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/dialect_sqlserver.go
@@ -0,0 +1,145 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+)
+
+// Implementation of Dialect for Microsoft SQL Server databases.
+// Use gorp.SqlServerDialect{"2005"} for legacy datatypes.
+// Tested with driver: github.com/denisenkom/go-mssqldb
+
+type SqlServerDialect struct {
+
+	// If set to "2005" legacy datatypes will be used
+	Version string
+}
+
+func (d SqlServerDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string {
+	switch val.Kind() {
+	case reflect.Ptr:
+		return d.ToSqlType(val.Elem(), maxsize, isAutoIncr)
+	case reflect.Bool:
+		return "bit"
+	case reflect.Int8:
+		return "tinyint"
+	case reflect.Uint8:
+		return "smallint"
+	case reflect.Int16:
+		return "smallint"
+	case reflect.Uint16:
+		return "int"
+	case reflect.Int, reflect.Int32:
+		return "int"
+	case reflect.Uint, reflect.Uint32:
+		return "bigint"
+	case reflect.Int64:
+		return "bigint"
+	case reflect.Uint64:
+		return "numeric(20,0)"
+	case reflect.Float32:
+		return "float(24)"
+	case reflect.Float64:
+		return "float(53)"
+	case reflect.Slice:
+		if val.Elem().Kind() == reflect.Uint8 {
+			return "varbinary"
+		}
+	}
+
+	switch val.Name() {
+	case "NullInt64":
+		return "bigint"
+	case "NullFloat64":
+		return "float(53)"
+	case "NullBool":
+		return "bit"
+	case "NullTime", "Time":
+		if d.Version == "2005" {
+			return "datetime"
+		}
+		return "datetime2"
+	}
+
+	if maxsize < 1 {
+		if d.Version == "2005" {
+			maxsize = 255
+		} else {
+			return fmt.Sprintf("nvarchar(max)")
+		}
+	}
+	return fmt.Sprintf("nvarchar(%d)", maxsize)
+}
+
+// Returns auto_increment
+func (d SqlServerDialect) AutoIncrStr() string {
+	return "identity(0,1)"
+}
+
+// Empty string removes autoincrement columns from the INSERT statements.
+func (d SqlServerDialect) AutoIncrBindValue() string {
+	return ""
+}
+
+func (d SqlServerDialect) AutoIncrInsertSuffix(col *ColumnMap) string {
+	return ""
+}
+
+func (d SqlServerDialect) CreateTableSuffix() string { return ";" }
+
+func (d SqlServerDialect) TruncateClause() string {
+	return "truncate table"
+}
+
+// Returns "?"
+func (d SqlServerDialect) BindVar(i int) string {
+	return "?"
+}
+
+func (d SqlServerDialect) InsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) {
+	return standardInsertAutoIncr(exec, insertSql, params...)
+}
+
+func (d SqlServerDialect) QuoteField(f string) string {
+	return "[" + strings.Replace(f, "]", "]]", -1) + "]"
+}
+
+func (d SqlServerDialect) QuotedTableForQuery(schema string, table string) string {
+	if strings.TrimSpace(schema) == "" {
+		return d.QuoteField(table)
+	}
+	return d.QuoteField(schema) + "." + d.QuoteField(table)
+}
+
+func (d SqlServerDialect) QuerySuffix() string { return ";" }
+
+func (d SqlServerDialect) IfSchemaNotExists(command, schema string) string {
+	s := fmt.Sprintf("if schema_id(N'%s') is null %s", schema, command)
+	return s
+}
+
+func (d SqlServerDialect) IfTableExists(command, schema, table string) string {
+	var schema_clause string
+	if strings.TrimSpace(schema) != "" {
+		schema_clause = fmt.Sprintf("%s.", d.QuoteField(schema))
+	}
+	s := fmt.Sprintf("if object_id('%s%s') is not null %s", schema_clause, d.QuoteField(table), command)
+	return s
+}
+
+func (d SqlServerDialect) IfTableNotExists(command, schema, table string) string {
+	var schema_clause string
+	if strings.TrimSpace(schema) != "" {
+		schema_clause = fmt.Sprintf("%s.", schema)
+	}
+	s := fmt.Sprintf("if object_id('%s%s') is null %s", schema_clause, table, command)
+	return s
+}
+
+func (d SqlServerDialect) CreateIndexSuffix() string { return "" }
+func (d SqlServerDialect) DropIndexSuffix() string   { return "" }
diff --git a/vendor/github.com/go-gorp/gorp/v3/doc.go b/vendor/github.com/go-gorp/gorp/v3/doc.go
new file mode 100644
index 0000000000..593f1c3c12
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+// Package gorp provides a simple way to marshal Go structs to and from
+// SQL databases.  It uses the database/sql package, and should work with any
+// compliant database/sql driver.
+//
+// Source code and project home:
+// https://github.com/go-gorp/gorp
+package gorp
diff --git a/vendor/github.com/go-gorp/gorp/v3/errors.go b/vendor/github.com/go-gorp/gorp/v3/errors.go
new file mode 100644
index 0000000000..752ad1bca4
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/errors.go
@@ -0,0 +1,31 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"fmt"
+)
+
+// A non-fatal error, when a select query returns columns that do not exist
+// as fields in the struct it is being mapped to
+// TODO: discuss wether this needs an error. encoding/json silently ignores missing fields
+type NoFieldInTypeError struct {
+	TypeName        string
+	MissingColNames []string
+}
+
+func (err *NoFieldInTypeError) Error() string {
+	return fmt.Sprintf("gorp: no fields %+v in type %s", err.MissingColNames, err.TypeName)
+}
+
+// returns true if the error is non-fatal (ie, we shouldn't immediately return)
+func NonFatalError(err error) bool {
+	switch err.(type) {
+	case *NoFieldInTypeError:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/gorp.go b/vendor/github.com/go-gorp/gorp/v3/gorp.go
new file mode 100644
index 0000000000..fc6545676d
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/gorp.go
@@ -0,0 +1,672 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"context"
+	"database/sql"
+	"database/sql/driver"
+	"fmt"
+	"reflect"
+	"regexp"
+	"strings"
+	"time"
+)
+
+// OracleString (empty string is null)
+// TODO: move to dialect/oracle?, rename to String?
+type OracleString struct {
+	sql.NullString
+}
+
+// Scan implements the Scanner interface.
+func (os *OracleString) Scan(value interface{}) error {
+	if value == nil {
+		os.String, os.Valid = "", false
+		return nil
+	}
+	os.Valid = true
+	return os.NullString.Scan(value)
+}
+
+// Value implements the driver Valuer interface.
+func (os OracleString) Value() (driver.Value, error) {
+	if !os.Valid || os.String == "" {
+		return nil, nil
+	}
+	return os.String, nil
+}
+
+// SqlTyper is a type that returns its database type.  Most of the
+// time, the type can just use "database/sql/driver".Valuer; but when
+// it returns nil for its empty value, it needs to implement SqlTyper
+// to have its column type detected properly during table creation.
+type SqlTyper interface {
+	SqlType() driver.Value
+}
+
+// legacySqlTyper prevents breaking clients who depended on the previous
+// SqlTyper interface
+type legacySqlTyper interface {
+	SqlType() driver.Valuer
+}
+
+// for fields that exists in DB table, but not exists in struct
+type dummyField struct{}
+
+// Scan implements the Scanner interface.
+func (nt *dummyField) Scan(value interface{}) error {
+	return nil
+}
+
+var zeroVal reflect.Value
+var versFieldConst = "[gorp_ver_field]"
+
+// The TypeConverter interface provides a way to map a value of one
+// type to another type when persisting to, or loading from, a database.
+//
+// Example use cases: Implement type converter to convert bool types to "y"/"n" strings,
+// or serialize a struct member as a JSON blob.
+type TypeConverter interface {
+	// ToDb converts val to another type. Called before INSERT/UPDATE operations
+	ToDb(val interface{}) (interface{}, error)
+
+	// FromDb returns a CustomScanner appropriate for this type. This will be used
+	// to hold values returned from SELECT queries.
+	//
+	// In particular the CustomScanner returned should implement a Binder
+	// function appropriate for the Go type you wish to convert the db value to
+	//
+	// If bool==false, then no custom scanner will be used for this field.
+	FromDb(target interface{}) (CustomScanner, bool)
+}
+
+// SqlExecutor exposes gorp operations that can be run from Pre/Post
+// hooks.  This hides whether the current operation that triggered the
+// hook is in a transaction.
+//
+// See the DbMap function docs for each of the functions below for more
+// information.
+type SqlExecutor interface {
+	WithContext(ctx context.Context) SqlExecutor
+	Get(i interface{}, keys ...interface{}) (interface{}, error)
+	Insert(list ...interface{}) error
+	Update(list ...interface{}) (int64, error)
+	Delete(list ...interface{}) (int64, error)
+	Exec(query string, args ...interface{}) (sql.Result, error)
+	Select(i interface{}, query string, args ...interface{}) ([]interface{}, error)
+	SelectInt(query string, args ...interface{}) (int64, error)
+	SelectNullInt(query string, args ...interface{}) (sql.NullInt64, error)
+	SelectFloat(query string, args ...interface{}) (float64, error)
+	SelectNullFloat(query string, args ...interface{}) (sql.NullFloat64, error)
+	SelectStr(query string, args ...interface{}) (string, error)
+	SelectNullStr(query string, args ...interface{}) (sql.NullString, error)
+	SelectOne(holder interface{}, query string, args ...interface{}) error
+	Query(query string, args ...interface{}) (*sql.Rows, error)
+	QueryRow(query string, args ...interface{}) *sql.Row
+}
+
+// DynamicTable allows the users of gorp to dynamically
+// use different database table names during runtime
+// while sharing the same golang struct for in-memory data
+type DynamicTable interface {
+	TableName() string
+	SetTableName(string)
+}
+
+// Compile-time check that DbMap and Transaction implement the SqlExecutor
+// interface.
+var _, _ SqlExecutor = &DbMap{}, &Transaction{}
+
+func argValue(a interface{}) interface{} {
+	v, ok := a.(driver.Valuer)
+	if !ok {
+		return a
+	}
+	vV := reflect.ValueOf(v)
+	if vV.Kind() == reflect.Ptr && vV.IsNil() {
+		return nil
+	}
+	ret, err := v.Value()
+	if err != nil {
+		return a
+	}
+	return ret
+}
+
+func argsString(args ...interface{}) string {
+	var margs string
+	for i, a := range args {
+		v := argValue(a)
+		switch v.(type) {
+		case string:
+			v = fmt.Sprintf("%q", v)
+		default:
+			v = fmt.Sprintf("%v", v)
+		}
+		margs += fmt.Sprintf("%d:%s", i+1, v)
+		if i+1 < len(args) {
+			margs += " "
+		}
+	}
+	return margs
+}
+
+// Calls the Exec function on the executor, but attempts to expand any eligible named
+// query arguments first.
+func maybeExpandNamedQueryAndExec(e SqlExecutor, query string, args ...interface{}) (sql.Result, error) {
+	dbMap := extractDbMap(e)
+
+	if len(args) == 1 {
+		query, args = maybeExpandNamedQuery(dbMap, query, args)
+	}
+
+	return exec(e, query, args...)
+}
+
+func extractDbMap(e SqlExecutor) *DbMap {
+	switch m := e.(type) {
+	case *DbMap:
+		return m
+	case *Transaction:
+		return m.dbmap
+	}
+	return nil
+}
+
+// executor exposes the sql.DB and sql.Tx functions so that it can be used
+// on internal functions that need to be agnostic to the underlying object.
+type executor interface {
+	Exec(query string, args ...interface{}) (sql.Result, error)
+	Prepare(query string) (*sql.Stmt, error)
+	QueryRow(query string, args ...interface{}) *sql.Row
+	Query(query string, args ...interface{}) (*sql.Rows, error)
+	ExecContext(ctx context.Context, query string, args ...interface{}) (sql.Result, error)
+	PrepareContext(ctx context.Context, query string) (*sql.Stmt, error)
+	QueryRowContext(ctx context.Context, query string, args ...interface{}) *sql.Row
+	QueryContext(ctx context.Context, query string, args ...interface{}) (*sql.Rows, error)
+}
+
+func extractExecutorAndContext(e SqlExecutor) (executor, context.Context) {
+	switch m := e.(type) {
+	case *DbMap:
+		return m.Db, m.ctx
+	case *Transaction:
+		return m.tx, m.ctx
+	}
+	return nil, nil
+}
+
+// maybeExpandNamedQuery checks the given arg to see if it's eligible to be used
+// as input to a named query.  If so, it rewrites the query to use
+// dialect-dependent bindvars and instantiates the corresponding slice of
+// parameters by extracting data from the map / struct.
+// If not, returns the input values unchanged.
+func maybeExpandNamedQuery(m *DbMap, query string, args []interface{}) (string, []interface{}) {
+	var (
+		arg    = args[0]
+		argval = reflect.ValueOf(arg)
+	)
+	if argval.Kind() == reflect.Ptr {
+		argval = argval.Elem()
+	}
+
+	if argval.Kind() == reflect.Map && argval.Type().Key().Kind() == reflect.String {
+		return expandNamedQuery(m, query, func(key string) reflect.Value {
+			return argval.MapIndex(reflect.ValueOf(key))
+		})
+	}
+	if argval.Kind() != reflect.Struct {
+		return query, args
+	}
+	if _, ok := arg.(time.Time); ok {
+		// time.Time is driver.Value
+		return query, args
+	}
+	if _, ok := arg.(driver.Valuer); ok {
+		// driver.Valuer will be converted to driver.Value.
+		return query, args
+	}
+
+	return expandNamedQuery(m, query, argval.FieldByName)
+}
+
+var keyRegexp = regexp.MustCompile(`:[[:word:]]+`)
+
+// expandNamedQuery accepts a query with placeholders of the form ":key", and a
+// single arg of Kind Struct or Map[string].  It returns the query with the
+// dialect's placeholders, and a slice of args ready for positional insertion
+// into the query.
+func expandNamedQuery(m *DbMap, query string, keyGetter func(key string) reflect.Value) (string, []interface{}) {
+	var (
+		n    int
+		args []interface{}
+	)
+	return keyRegexp.ReplaceAllStringFunc(query, func(key string) string {
+		val := keyGetter(key[1:])
+		if !val.IsValid() {
+			return key
+		}
+		args = append(args, val.Interface())
+		newVar := m.Dialect.BindVar(n)
+		n++
+		return newVar
+	}), args
+}
+
+func columnToFieldIndex(m *DbMap, t reflect.Type, name string, cols []string) ([][]int, error) {
+	colToFieldIndex := make([][]int, len(cols))
+
+	// check if type t is a mapped table - if so we'll
+	// check the table for column aliasing below
+	tableMapped := false
+	table := tableOrNil(m, t, name)
+	if table != nil {
+		tableMapped = true
+	}
+
+	// Loop over column names and find field in i to bind to
+	// based on column name. all returned columns must match
+	// a field in the i struct
+	missingColNames := []string{}
+	for x := range cols {
+		colName := strings.ToLower(cols[x])
+		field, found := t.FieldByNameFunc(func(fieldName string) bool {
+			field, _ := t.FieldByName(fieldName)
+			cArguments := strings.Split(field.Tag.Get("db"), ",")
+			fieldName = cArguments[0]
+
+			if fieldName == "-" {
+				return false
+			} else if fieldName == "" {
+				fieldName = field.Name
+			}
+			if tableMapped {
+				colMap := colMapOrNil(table, fieldName)
+				if colMap != nil {
+					fieldName = colMap.ColumnName
+				}
+			}
+			return colName == strings.ToLower(fieldName)
+		})
+		if found {
+			colToFieldIndex[x] = field.Index
+		}
+		if colToFieldIndex[x] == nil {
+			missingColNames = append(missingColNames, colName)
+		}
+	}
+	if len(missingColNames) > 0 {
+		return colToFieldIndex, &NoFieldInTypeError{
+			TypeName:        t.Name(),
+			MissingColNames: missingColNames,
+		}
+	}
+	return colToFieldIndex, nil
+}
+
+func fieldByName(val reflect.Value, fieldName string) *reflect.Value {
+	// try to find field by exact match
+	f := val.FieldByName(fieldName)
+
+	if f != zeroVal {
+		return &f
+	}
+
+	// try to find by case insensitive match - only the Postgres driver
+	// seems to require this - in the case where columns are aliased in the sql
+	fieldNameL := strings.ToLower(fieldName)
+	fieldCount := val.NumField()
+	t := val.Type()
+	for i := 0; i < fieldCount; i++ {
+		sf := t.Field(i)
+		if strings.ToLower(sf.Name) == fieldNameL {
+			f := val.Field(i)
+			return &f
+		}
+	}
+
+	return nil
+}
+
+// toSliceType returns the element type of the given object, if the object is a
+// "*[]*Element" or "*[]Element". If not, returns nil.
+// err is returned if the user was trying to pass a pointer-to-slice but failed.
+func toSliceType(i interface{}) (reflect.Type, error) {
+	t := reflect.TypeOf(i)
+	if t.Kind() != reflect.Ptr {
+		// If it's a slice, return a more helpful error message
+		if t.Kind() == reflect.Slice {
+			return nil, fmt.Errorf("gorp: cannot SELECT into a non-pointer slice: %v", t)
+		}
+		return nil, nil
+	}
+	if t = t.Elem(); t.Kind() != reflect.Slice {
+		return nil, nil
+	}
+	return t.Elem(), nil
+}
+
+func toType(i interface{}) (reflect.Type, error) {
+	t := reflect.TypeOf(i)
+
+	// If a Pointer to a type, follow
+	for t.Kind() == reflect.Ptr {
+		t = t.Elem()
+	}
+
+	if t.Kind() != reflect.Struct {
+		return nil, fmt.Errorf("gorp: cannot SELECT into this type: %v", reflect.TypeOf(i))
+	}
+	return t, nil
+}
+
+type foundTable struct {
+	table   *TableMap
+	dynName *string
+}
+
+func tableFor(m *DbMap, t reflect.Type, i interface{}) (*foundTable, error) {
+	if dyn, isDynamic := i.(DynamicTable); isDynamic {
+		tableName := dyn.TableName()
+		table, err := m.DynamicTableFor(tableName, true)
+		if err != nil {
+			return nil, err
+		}
+		return &foundTable{
+			table:   table,
+			dynName: &tableName,
+		}, nil
+	}
+	table, err := m.TableFor(t, true)
+	if err != nil {
+		return nil, err
+	}
+	return &foundTable{table: table}, nil
+}
+
+func get(m *DbMap, exec SqlExecutor, i interface{},
+	keys ...interface{}) (interface{}, error) {
+
+	t, err := toType(i)
+	if err != nil {
+		return nil, err
+	}
+
+	foundTable, err := tableFor(m, t, i)
+	if err != nil {
+		return nil, err
+	}
+	table := foundTable.table
+
+	plan := table.bindGet()
+
+	v := reflect.New(t)
+	if foundTable.dynName != nil {
+		retDyn := v.Interface().(DynamicTable)
+		retDyn.SetTableName(*foundTable.dynName)
+	}
+
+	dest := make([]interface{}, len(plan.argFields))
+
+	conv := m.TypeConverter
+	custScan := make([]CustomScanner, 0)
+
+	for x, fieldName := range plan.argFields {
+		f := v.Elem().FieldByName(fieldName)
+		target := f.Addr().Interface()
+		if conv != nil {
+			scanner, ok := conv.FromDb(target)
+			if ok {
+				target = scanner.Holder
+				custScan = append(custScan, scanner)
+			}
+		}
+		dest[x] = target
+	}
+
+	row := exec.QueryRow(plan.query, keys...)
+	err = row.Scan(dest...)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			err = nil
+		}
+		return nil, err
+	}
+
+	for _, c := range custScan {
+		err = c.Bind()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if v, ok := v.Interface().(HasPostGet); ok {
+		err := v.PostGet(exec)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return v.Interface(), nil
+}
+
+func delete(m *DbMap, exec SqlExecutor, list ...interface{}) (int64, error) {
+	count := int64(0)
+	for _, ptr := range list {
+		table, elem, err := m.tableForPointer(ptr, true)
+		if err != nil {
+			return -1, err
+		}
+
+		eval := elem.Addr().Interface()
+		if v, ok := eval.(HasPreDelete); ok {
+			err = v.PreDelete(exec)
+			if err != nil {
+				return -1, err
+			}
+		}
+
+		bi, err := table.bindDelete(elem)
+		if err != nil {
+			return -1, err
+		}
+
+		res, err := exec.Exec(bi.query, bi.args...)
+		if err != nil {
+			return -1, err
+		}
+		rows, err := res.RowsAffected()
+		if err != nil {
+			return -1, err
+		}
+
+		if rows == 0 && bi.existingVersion > 0 {
+			return lockError(m, exec, table.TableName,
+				bi.existingVersion, elem, bi.keys...)
+		}
+
+		count += rows
+
+		if v, ok := eval.(HasPostDelete); ok {
+			err := v.PostDelete(exec)
+			if err != nil {
+				return -1, err
+			}
+		}
+	}
+
+	return count, nil
+}
+
+func update(m *DbMap, exec SqlExecutor, colFilter ColumnFilter, list ...interface{}) (int64, error) {
+	count := int64(0)
+	for _, ptr := range list {
+		table, elem, err := m.tableForPointer(ptr, true)
+		if err != nil {
+			return -1, err
+		}
+
+		eval := elem.Addr().Interface()
+		if v, ok := eval.(HasPreUpdate); ok {
+			err = v.PreUpdate(exec)
+			if err != nil {
+				return -1, err
+			}
+		}
+
+		bi, err := table.bindUpdate(elem, colFilter)
+		if err != nil {
+			return -1, err
+		}
+
+		res, err := exec.Exec(bi.query, bi.args...)
+		if err != nil {
+			return -1, err
+		}
+
+		rows, err := res.RowsAffected()
+		if err != nil {
+			return -1, err
+		}
+
+		if rows == 0 && bi.existingVersion > 0 {
+			return lockError(m, exec, table.TableName,
+				bi.existingVersion, elem, bi.keys...)
+		}
+
+		if bi.versField != "" {
+			elem.FieldByName(bi.versField).SetInt(bi.existingVersion + 1)
+		}
+
+		count += rows
+
+		if v, ok := eval.(HasPostUpdate); ok {
+			err = v.PostUpdate(exec)
+			if err != nil {
+				return -1, err
+			}
+		}
+	}
+	return count, nil
+}
+
+func insert(m *DbMap, exec SqlExecutor, list ...interface{}) error {
+	for _, ptr := range list {
+		table, elem, err := m.tableForPointer(ptr, false)
+		if err != nil {
+			return err
+		}
+
+		eval := elem.Addr().Interface()
+		if v, ok := eval.(HasPreInsert); ok {
+			err := v.PreInsert(exec)
+			if err != nil {
+				return err
+			}
+		}
+
+		bi, err := table.bindInsert(elem)
+		if err != nil {
+			return err
+		}
+
+		if bi.autoIncrIdx > -1 {
+			f := elem.FieldByName(bi.autoIncrFieldName)
+			switch inserter := m.Dialect.(type) {
+			case IntegerAutoIncrInserter:
+				id, err := inserter.InsertAutoIncr(exec, bi.query, bi.args...)
+				if err != nil {
+					return err
+				}
+				k := f.Kind()
+				if (k == reflect.Int) || (k == reflect.Int16) || (k == reflect.Int32) || (k == reflect.Int64) {
+					f.SetInt(id)
+				} else if (k == reflect.Uint) || (k == reflect.Uint16) || (k == reflect.Uint32) || (k == reflect.Uint64) {
+					f.SetUint(uint64(id))
+				} else {
+					return fmt.Errorf("gorp: cannot set autoincrement value on non-Int field. SQL=%s  autoIncrIdx=%d autoIncrFieldName=%s", bi.query, bi.autoIncrIdx, bi.autoIncrFieldName)
+				}
+			case TargetedAutoIncrInserter:
+				err := inserter.InsertAutoIncrToTarget(exec, bi.query, f.Addr().Interface(), bi.args...)
+				if err != nil {
+					return err
+				}
+			case TargetQueryInserter:
+				var idQuery = table.ColMap(bi.autoIncrFieldName).GeneratedIdQuery
+				if idQuery == "" {
+					return fmt.Errorf("gorp: cannot set %s value if its ColumnMap.GeneratedIdQuery is empty", bi.autoIncrFieldName)
+				}
+				err := inserter.InsertQueryToTarget(exec, bi.query, idQuery, f.Addr().Interface(), bi.args...)
+				if err != nil {
+					return err
+				}
+			default:
+				return fmt.Errorf("gorp: cannot use autoincrement fields on dialects that do not implement an autoincrementing interface")
+			}
+		} else {
+			_, err := exec.Exec(bi.query, bi.args...)
+			if err != nil {
+				return err
+			}
+		}
+
+		if v, ok := eval.(HasPostInsert); ok {
+			err := v.PostInsert(exec)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func exec(e SqlExecutor, query string, args ...interface{}) (sql.Result, error) {
+	executor, ctx := extractExecutorAndContext(e)
+
+	if ctx != nil {
+		return executor.ExecContext(ctx, query, args...)
+	}
+
+	return executor.Exec(query, args...)
+}
+
+func prepare(e SqlExecutor, query string) (*sql.Stmt, error) {
+	executor, ctx := extractExecutorAndContext(e)
+
+	if ctx != nil {
+		return executor.PrepareContext(ctx, query)
+	}
+
+	return executor.Prepare(query)
+}
+
+func queryRow(e SqlExecutor, query string, args ...interface{}) *sql.Row {
+	executor, ctx := extractExecutorAndContext(e)
+
+	if ctx != nil {
+		return executor.QueryRowContext(ctx, query, args...)
+	}
+
+	return executor.QueryRow(query, args...)
+}
+
+func query(e SqlExecutor, query string, args ...interface{}) (*sql.Rows, error) {
+	executor, ctx := extractExecutorAndContext(e)
+
+	if ctx != nil {
+		return executor.QueryContext(ctx, query, args...)
+	}
+
+	return executor.Query(query, args...)
+}
+
+func begin(m *DbMap) (*sql.Tx, error) {
+	if m.ctx != nil {
+		return m.Db.BeginTx(m.ctx, nil)
+	}
+
+	return m.Db.Begin()
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/hooks.go b/vendor/github.com/go-gorp/gorp/v3/hooks.go
new file mode 100644
index 0000000000..1e80bca7ee
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/hooks.go
@@ -0,0 +1,42 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+//++ TODO v2-phase3: HasPostGet => PostGetter, HasPostDelete => PostDeleter, etc.
+
+// HasPostGet provides PostGet() which will be executed after the GET statement.
+type HasPostGet interface {
+	PostGet(SqlExecutor) error
+}
+
+// HasPostDelete provides PostDelete() which will be executed after the DELETE statement
+type HasPostDelete interface {
+	PostDelete(SqlExecutor) error
+}
+
+// HasPostUpdate provides PostUpdate() which will be executed after the UPDATE statement
+type HasPostUpdate interface {
+	PostUpdate(SqlExecutor) error
+}
+
+// HasPostInsert provides PostInsert() which will be executed after the INSERT statement
+type HasPostInsert interface {
+	PostInsert(SqlExecutor) error
+}
+
+// HasPreDelete provides PreDelete() which will be executed before the DELETE statement.
+type HasPreDelete interface {
+	PreDelete(SqlExecutor) error
+}
+
+// HasPreUpdate provides PreUpdate() which will be executed before UPDATE statement.
+type HasPreUpdate interface {
+	PreUpdate(SqlExecutor) error
+}
+
+// HasPreInsert provides PreInsert() which will be executed before INSERT statement.
+type HasPreInsert interface {
+	PreInsert(SqlExecutor) error
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/index.go b/vendor/github.com/go-gorp/gorp/v3/index.go
new file mode 100644
index 0000000000..df1cf55205
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/index.go
@@ -0,0 +1,49 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+// IndexMap represents a mapping between a Go struct field and a single
+// index in a table.
+// Unique and MaxSize only inform the
+// CreateTables() function and are not used by Insert/Update/Delete/Get.
+type IndexMap struct {
+	// Index name in db table
+	IndexName string
+
+	// If true, " unique" is added to create index statements.
+	// Not used elsewhere
+	Unique bool
+
+	// Index type supported by Dialect
+	// Postgres:  B-tree, Hash, GiST and GIN.
+	// Mysql: Btree, Hash.
+	// Sqlite: nil.
+	IndexType string
+
+	// Columns name for single and multiple indexes
+	columns []string
+}
+
+// Rename allows you to specify the index name in the table
+//
+// Example:  table.IndMap("customer_test_idx").Rename("customer_idx")
+//
+func (idx *IndexMap) Rename(indname string) *IndexMap {
+	idx.IndexName = indname
+	return idx
+}
+
+// SetUnique adds "unique" to the create index statements for this
+// index, if b is true.
+func (idx *IndexMap) SetUnique(b bool) *IndexMap {
+	idx.Unique = b
+	return idx
+}
+
+// SetIndexType specifies the index type supported by chousen SQL Dialect
+func (idx *IndexMap) SetIndexType(indtype string) *IndexMap {
+	idx.IndexType = indtype
+	return idx
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/lockerror.go b/vendor/github.com/go-gorp/gorp/v3/lockerror.go
new file mode 100644
index 0000000000..7e81891e2b
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/lockerror.go
@@ -0,0 +1,56 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"fmt"
+	"reflect"
+)
+
+// OptimisticLockError is returned by Update() or Delete() if the
+// struct being modified has a Version field and the value is not equal to
+// the current value in the database
+type OptimisticLockError struct {
+	// Table name where the lock error occurred
+	TableName string
+
+	// Primary key values of the row being updated/deleted
+	Keys []interface{}
+
+	// true if a row was found with those keys, indicating the
+	// LocalVersion is stale.  false if no value was found with those
+	// keys, suggesting the row has been deleted since loaded, or
+	// was never inserted to begin with
+	RowExists bool
+
+	// Version value on the struct passed to Update/Delete. This value is
+	// out of sync with the database.
+	LocalVersion int64
+}
+
+// Error returns a description of the cause of the lock error
+func (e OptimisticLockError) Error() string {
+	if e.RowExists {
+		return fmt.Sprintf("gorp: OptimisticLockError table=%s keys=%v out of date version=%d", e.TableName, e.Keys, e.LocalVersion)
+	}
+
+	return fmt.Sprintf("gorp: OptimisticLockError no row found for table=%s keys=%v", e.TableName, e.Keys)
+}
+
+func lockError(m *DbMap, exec SqlExecutor, tableName string,
+	existingVer int64, elem reflect.Value,
+	keys ...interface{}) (int64, error) {
+
+	existing, err := get(m, exec, elem.Interface(), keys...)
+	if err != nil {
+		return -1, err
+	}
+
+	ole := OptimisticLockError{tableName, keys, true, existingVer}
+	if existing == nil {
+		ole.RowExists = false
+	}
+	return -1, ole
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/logging.go b/vendor/github.com/go-gorp/gorp/v3/logging.go
new file mode 100644
index 0000000000..e8cba3db2c
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/logging.go
@@ -0,0 +1,42 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import "fmt"
+
+// GorpLogger is a deprecated alias of Logger.
+type GorpLogger = Logger
+
+// Logger is the type that gorp uses to log SQL statements.
+// See DbMap.TraceOn.
+type Logger interface {
+	Printf(format string, v ...interface{})
+}
+
+// TraceOn turns on SQL statement logging for this DbMap.  After this is
+// called, all SQL statements will be sent to the logger.  If prefix is
+// a non-empty string, it will be written to the front of all logged
+// strings, which can aid in filtering log lines.
+//
+// Use TraceOn if you want to spy on the SQL statements that gorp
+// generates.
+//
+// Note that the base log.Logger type satisfies Logger, but adapters can
+// easily be written for other logging packages (e.g., the golang-sanctioned
+// glog framework).
+func (m *DbMap) TraceOn(prefix string, logger Logger) {
+	m.logger = logger
+	if prefix == "" {
+		m.logPrefix = prefix
+	} else {
+		m.logPrefix = fmt.Sprintf("%s ", prefix)
+	}
+}
+
+// TraceOff turns off tracing. It is idempotent.
+func (m *DbMap) TraceOff() {
+	m.logger = nil
+	m.logPrefix = ""
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/nulltypes.go b/vendor/github.com/go-gorp/gorp/v3/nulltypes.go
new file mode 100644
index 0000000000..87b21f83fa
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/nulltypes.go
@@ -0,0 +1,65 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"database/sql/driver"
+	"log"
+	"time"
+)
+
+// A nullable Time value
+type NullTime struct {
+	Time  time.Time
+	Valid bool // Valid is true if Time is not NULL
+}
+
+// Scan implements the Scanner interface.
+func (nt *NullTime) Scan(value interface{}) error {
+	log.Printf("Time scan value is: %#v", value)
+	switch t := value.(type) {
+	case time.Time:
+		nt.Time, nt.Valid = t, true
+	case []byte:
+		v := strToTime(string(t))
+		if v != nil {
+			nt.Valid = true
+			nt.Time = *v
+		}
+	case string:
+		v := strToTime(t)
+		if v != nil {
+			nt.Valid = true
+			nt.Time = *v
+		}
+	}
+	return nil
+}
+
+func strToTime(v string) *time.Time {
+	for _, dtfmt := range []string{
+		"2006-01-02 15:04:05.999999999",
+		"2006-01-02T15:04:05.999999999",
+		"2006-01-02 15:04:05",
+		"2006-01-02T15:04:05",
+		"2006-01-02 15:04",
+		"2006-01-02T15:04",
+		"2006-01-02",
+		"2006-01-02 15:04:05-07:00",
+	} {
+		if t, err := time.Parse(dtfmt, v); err == nil {
+			return &t
+		}
+	}
+	return nil
+}
+
+// Value implements the driver Valuer interface.
+func (nt NullTime) Value() (driver.Value, error) {
+	if !nt.Valid {
+		return nil, nil
+	}
+	return nt.Time, nil
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/select.go b/vendor/github.com/go-gorp/gorp/v3/select.go
new file mode 100644
index 0000000000..2d2d596186
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/select.go
@@ -0,0 +1,359 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"database/sql"
+	"fmt"
+	"reflect"
+)
+
+// SelectInt executes the given query, which should be a SELECT statement for a single
+// integer column, and returns the value of the first row returned.  If no rows are
+// found, zero is returned.
+func SelectInt(e SqlExecutor, query string, args ...interface{}) (int64, error) {
+	var h int64
+	err := selectVal(e, &h, query, args...)
+	if err != nil && err != sql.ErrNoRows {
+		return 0, err
+	}
+	return h, nil
+}
+
+// SelectNullInt executes the given query, which should be a SELECT statement for a single
+// integer column, and returns the value of the first row returned.  If no rows are
+// found, the empty sql.NullInt64 value is returned.
+func SelectNullInt(e SqlExecutor, query string, args ...interface{}) (sql.NullInt64, error) {
+	var h sql.NullInt64
+	err := selectVal(e, &h, query, args...)
+	if err != nil && err != sql.ErrNoRows {
+		return h, err
+	}
+	return h, nil
+}
+
+// SelectFloat executes the given query, which should be a SELECT statement for a single
+// float column, and returns the value of the first row returned. If no rows are
+// found, zero is returned.
+func SelectFloat(e SqlExecutor, query string, args ...interface{}) (float64, error) {
+	var h float64
+	err := selectVal(e, &h, query, args...)
+	if err != nil && err != sql.ErrNoRows {
+		return 0, err
+	}
+	return h, nil
+}
+
+// SelectNullFloat executes the given query, which should be a SELECT statement for a single
+// float column, and returns the value of the first row returned. If no rows are
+// found, the empty sql.NullInt64 value is returned.
+func SelectNullFloat(e SqlExecutor, query string, args ...interface{}) (sql.NullFloat64, error) {
+	var h sql.NullFloat64
+	err := selectVal(e, &h, query, args...)
+	if err != nil && err != sql.ErrNoRows {
+		return h, err
+	}
+	return h, nil
+}
+
+// SelectStr executes the given query, which should be a SELECT statement for a single
+// char/varchar column, and returns the value of the first row returned.  If no rows are
+// found, an empty string is returned.
+func SelectStr(e SqlExecutor, query string, args ...interface{}) (string, error) {
+	var h string
+	err := selectVal(e, &h, query, args...)
+	if err != nil && err != sql.ErrNoRows {
+		return "", err
+	}
+	return h, nil
+}
+
+// SelectNullStr executes the given query, which should be a SELECT
+// statement for a single char/varchar column, and returns the value
+// of the first row returned.  If no rows are found, the empty
+// sql.NullString is returned.
+func SelectNullStr(e SqlExecutor, query string, args ...interface{}) (sql.NullString, error) {
+	var h sql.NullString
+	err := selectVal(e, &h, query, args...)
+	if err != nil && err != sql.ErrNoRows {
+		return h, err
+	}
+	return h, nil
+}
+
+// SelectOne executes the given query (which should be a SELECT statement)
+// and binds the result to holder, which must be a pointer.
+//
+// If no row is found, an error (sql.ErrNoRows specifically) will be returned
+//
+// If more than one row is found, an error will be returned.
+//
+func SelectOne(m *DbMap, e SqlExecutor, holder interface{}, query string, args ...interface{}) error {
+	t := reflect.TypeOf(holder)
+	if t.Kind() == reflect.Ptr {
+		t = t.Elem()
+	} else {
+		return fmt.Errorf("gorp: SelectOne holder must be a pointer, but got: %t", holder)
+	}
+
+	// Handle pointer to pointer
+	isptr := false
+	if t.Kind() == reflect.Ptr {
+		isptr = true
+		t = t.Elem()
+	}
+
+	if t.Kind() == reflect.Struct {
+		var nonFatalErr error
+
+		list, err := hookedselect(m, e, holder, query, args...)
+		if err != nil {
+			if !NonFatalError(err) { // FIXME: double negative, rename NonFatalError to FatalError
+				return err
+			}
+			nonFatalErr = err
+		}
+
+		dest := reflect.ValueOf(holder)
+		if isptr {
+			dest = dest.Elem()
+		}
+
+		if list != nil && len(list) > 0 { // FIXME: invert if/else
+			// check for multiple rows
+			if len(list) > 1 {
+				return fmt.Errorf("gorp: multiple rows returned for: %s - %v", query, args)
+			}
+
+			// Initialize if nil
+			if dest.IsNil() {
+				dest.Set(reflect.New(t))
+			}
+
+			// only one row found
+			src := reflect.ValueOf(list[0])
+			dest.Elem().Set(src.Elem())
+		} else {
+			// No rows found, return a proper error.
+			return sql.ErrNoRows
+		}
+
+		return nonFatalErr
+	}
+
+	return selectVal(e, holder, query, args...)
+}
+
+func selectVal(e SqlExecutor, holder interface{}, query string, args ...interface{}) error {
+	if len(args) == 1 {
+		switch m := e.(type) {
+		case *DbMap:
+			query, args = maybeExpandNamedQuery(m, query, args)
+		case *Transaction:
+			query, args = maybeExpandNamedQuery(m.dbmap, query, args)
+		}
+	}
+	rows, err := e.Query(query, args...)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+
+	if !rows.Next() {
+		if err := rows.Err(); err != nil {
+			return err
+		}
+		return sql.ErrNoRows
+	}
+
+	return rows.Scan(holder)
+}
+
+func hookedselect(m *DbMap, exec SqlExecutor, i interface{}, query string,
+	args ...interface{}) ([]interface{}, error) {
+
+	var nonFatalErr error
+
+	list, err := rawselect(m, exec, i, query, args...)
+	if err != nil {
+		if !NonFatalError(err) {
+			return nil, err
+		}
+		nonFatalErr = err
+	}
+
+	// Determine where the results are: written to i, or returned in list
+	if t, _ := toSliceType(i); t == nil {
+		for _, v := range list {
+			if v, ok := v.(HasPostGet); ok {
+				err := v.PostGet(exec)
+				if err != nil {
+					return nil, err
+				}
+			}
+		}
+	} else {
+		resultsValue := reflect.Indirect(reflect.ValueOf(i))
+		for i := 0; i < resultsValue.Len(); i++ {
+			if v, ok := resultsValue.Index(i).Interface().(HasPostGet); ok {
+				err := v.PostGet(exec)
+				if err != nil {
+					return nil, err
+				}
+			}
+		}
+	}
+	return list, nonFatalErr
+}
+
+func rawselect(m *DbMap, exec SqlExecutor, i interface{}, query string,
+	args ...interface{}) ([]interface{}, error) {
+	var (
+		appendToSlice   = false // Write results to i directly?
+		intoStruct      = true  // Selecting into a struct?
+		pointerElements = true  // Are the slice elements pointers (vs values)?
+	)
+
+	var nonFatalErr error
+
+	tableName := ""
+	var dynObj DynamicTable
+	isDynamic := false
+	if dynObj, isDynamic = i.(DynamicTable); isDynamic {
+		tableName = dynObj.TableName()
+	}
+
+	// get type for i, verifying it's a supported destination
+	t, err := toType(i)
+	if err != nil {
+		var err2 error
+		if t, err2 = toSliceType(i); t == nil {
+			if err2 != nil {
+				return nil, err2
+			}
+			return nil, err
+		}
+		pointerElements = t.Kind() == reflect.Ptr
+		if pointerElements {
+			t = t.Elem()
+		}
+		appendToSlice = true
+		intoStruct = t.Kind() == reflect.Struct
+	}
+
+	// If the caller supplied a single struct/map argument, assume a "named
+	// parameter" query.  Extract the named arguments from the struct/map, create
+	// the flat arg slice, and rewrite the query to use the dialect's placeholder.
+	if len(args) == 1 {
+		query, args = maybeExpandNamedQuery(m, query, args)
+	}
+
+	// Run the query
+	rows, err := exec.Query(query, args...)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	// Fetch the column names as returned from db
+	cols, err := rows.Columns()
+	if err != nil {
+		return nil, err
+	}
+
+	if !intoStruct && len(cols) > 1 {
+		return nil, fmt.Errorf("gorp: select into non-struct slice requires 1 column, got %d", len(cols))
+	}
+
+	var colToFieldIndex [][]int
+	if intoStruct {
+		colToFieldIndex, err = columnToFieldIndex(m, t, tableName, cols)
+		if err != nil {
+			if !NonFatalError(err) {
+				return nil, err
+			}
+			nonFatalErr = err
+		}
+	}
+
+	conv := m.TypeConverter
+
+	// Add results to one of these two slices.
+	var (
+		list       = make([]interface{}, 0)
+		sliceValue = reflect.Indirect(reflect.ValueOf(i))
+	)
+
+	for {
+		if !rows.Next() {
+			// if error occured return rawselect
+			if rows.Err() != nil {
+				return nil, rows.Err()
+			}
+			// time to exit from outer "for" loop
+			break
+		}
+		v := reflect.New(t)
+
+		if isDynamic {
+			v.Interface().(DynamicTable).SetTableName(tableName)
+		}
+
+		dest := make([]interface{}, len(cols))
+
+		custScan := make([]CustomScanner, 0)
+
+		for x := range cols {
+			f := v.Elem()
+			if intoStruct {
+				index := colToFieldIndex[x]
+				if index == nil {
+					// this field is not present in the struct, so create a dummy
+					// value for rows.Scan to scan into
+					var dummy dummyField
+					dest[x] = &dummy
+					continue
+				}
+				f = f.FieldByIndex(index)
+			}
+			target := f.Addr().Interface()
+			if conv != nil {
+				scanner, ok := conv.FromDb(target)
+				if ok {
+					target = scanner.Holder
+					custScan = append(custScan, scanner)
+				}
+			}
+			dest[x] = target
+		}
+
+		err = rows.Scan(dest...)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, c := range custScan {
+			err = c.Bind()
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if appendToSlice {
+			if !pointerElements {
+				v = v.Elem()
+			}
+			sliceValue.Set(reflect.Append(sliceValue, v))
+		} else {
+			list = append(list, v.Interface())
+		}
+	}
+
+	if appendToSlice && sliceValue.IsNil() {
+		sliceValue.Set(reflect.MakeSlice(sliceValue.Type(), 0, 0))
+	}
+
+	return list, nonFatalErr
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/table.go b/vendor/github.com/go-gorp/gorp/v3/table.go
new file mode 100644
index 0000000000..5931b2d9eb
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/table.go
@@ -0,0 +1,258 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"bytes"
+	"fmt"
+	"reflect"
+	"strings"
+)
+
+// TableMap represents a mapping between a Go struct and a database table
+// Use dbmap.AddTable() or dbmap.AddTableWithName() to create these
+type TableMap struct {
+	// Name of database table.
+	TableName      string
+	SchemaName     string
+	gotype         reflect.Type
+	Columns        []*ColumnMap
+	keys           []*ColumnMap
+	indexes        []*IndexMap
+	uniqueTogether [][]string
+	version        *ColumnMap
+	insertPlan     bindPlan
+	updatePlan     bindPlan
+	deletePlan     bindPlan
+	getPlan        bindPlan
+	dbmap          *DbMap
+}
+
+// ResetSql removes cached insert/update/select/delete SQL strings
+// associated with this TableMap.  Call this if you've modified
+// any column names or the table name itself.
+func (t *TableMap) ResetSql() {
+	t.insertPlan = bindPlan{}
+	t.updatePlan = bindPlan{}
+	t.deletePlan = bindPlan{}
+	t.getPlan = bindPlan{}
+}
+
+// SetKeys lets you specify the fields on a struct that map to primary
+// key columns on the table.  If isAutoIncr is set, result.LastInsertId()
+// will be used after INSERT to bind the generated id to the Go struct.
+//
+// Automatically calls ResetSql() to ensure SQL statements are regenerated.
+//
+// Panics if isAutoIncr is true, and fieldNames length != 1
+//
+func (t *TableMap) SetKeys(isAutoIncr bool, fieldNames ...string) *TableMap {
+	if isAutoIncr && len(fieldNames) != 1 {
+		panic(fmt.Sprintf(
+			"gorp: SetKeys: fieldNames length must be 1 if key is auto-increment. (Saw %v fieldNames)",
+			len(fieldNames)))
+	}
+	t.keys = make([]*ColumnMap, 0)
+	for _, name := range fieldNames {
+		colmap := t.ColMap(name)
+		colmap.isPK = true
+		colmap.isAutoIncr = isAutoIncr
+		t.keys = append(t.keys, colmap)
+	}
+	t.ResetSql()
+
+	return t
+}
+
+// SetUniqueTogether lets you specify uniqueness constraints across multiple
+// columns on the table. Each call adds an additional constraint for the
+// specified columns.
+//
+// Automatically calls ResetSql() to ensure SQL statements are regenerated.
+//
+// Panics if fieldNames length < 2.
+//
+func (t *TableMap) SetUniqueTogether(fieldNames ...string) *TableMap {
+	if len(fieldNames) < 2 {
+		panic(fmt.Sprintf(
+			"gorp: SetUniqueTogether: must provide at least two fieldNames to set uniqueness constraint."))
+	}
+
+	columns := make([]string, 0, len(fieldNames))
+	for _, name := range fieldNames {
+		columns = append(columns, name)
+	}
+
+	for _, existingColumns := range t.uniqueTogether {
+		if equal(existingColumns, columns) {
+			return t
+		}
+	}
+	t.uniqueTogether = append(t.uniqueTogether, columns)
+	t.ResetSql()
+
+	return t
+}
+
+// ColMap returns the ColumnMap pointer matching the given struct field
+// name.  It panics if the struct does not contain a field matching this
+// name.
+func (t *TableMap) ColMap(field string) *ColumnMap {
+	col := colMapOrNil(t, field)
+	if col == nil {
+		e := fmt.Sprintf("No ColumnMap in table %s type %s with field %s",
+			t.TableName, t.gotype.Name(), field)
+
+		panic(e)
+	}
+	return col
+}
+
+func colMapOrNil(t *TableMap, field string) *ColumnMap {
+	for _, col := range t.Columns {
+		if col.fieldName == field || col.ColumnName == field {
+			return col
+		}
+	}
+	return nil
+}
+
+// IdxMap returns the IndexMap pointer matching the given index name.
+func (t *TableMap) IdxMap(field string) *IndexMap {
+	for _, idx := range t.indexes {
+		if idx.IndexName == field {
+			return idx
+		}
+	}
+	return nil
+}
+
+// AddIndex registers the index with gorp for specified table with given parameters.
+// This operation is idempotent. If index is already mapped, the
+// existing *IndexMap is returned
+// Function will panic if one of the given for index columns does not exists
+//
+// Automatically calls ResetSql() to ensure SQL statements are regenerated.
+//
+func (t *TableMap) AddIndex(name string, idxtype string, columns []string) *IndexMap {
+	// check if we have a index with this name already
+	for _, idx := range t.indexes {
+		if idx.IndexName == name {
+			return idx
+		}
+	}
+	for _, icol := range columns {
+		if res := t.ColMap(icol); res == nil {
+			e := fmt.Sprintf("No ColumnName in table %s to create index on", t.TableName)
+			panic(e)
+		}
+	}
+
+	idx := &IndexMap{IndexName: name, Unique: false, IndexType: idxtype, columns: columns}
+	t.indexes = append(t.indexes, idx)
+	t.ResetSql()
+	return idx
+}
+
+// SetVersionCol sets the column to use as the Version field.  By default
+// the "Version" field is used.  Returns the column found, or panics
+// if the struct does not contain a field matching this name.
+//
+// Automatically calls ResetSql() to ensure SQL statements are regenerated.
+func (t *TableMap) SetVersionCol(field string) *ColumnMap {
+	c := t.ColMap(field)
+	t.version = c
+	t.ResetSql()
+	return c
+}
+
+// SqlForCreateTable gets a sequence of SQL commands that will create
+// the specified table and any associated schema
+func (t *TableMap) SqlForCreate(ifNotExists bool) string {
+	s := bytes.Buffer{}
+	dialect := t.dbmap.Dialect
+
+	if strings.TrimSpace(t.SchemaName) != "" {
+		schemaCreate := "create schema"
+		if ifNotExists {
+			s.WriteString(dialect.IfSchemaNotExists(schemaCreate, t.SchemaName))
+		} else {
+			s.WriteString(schemaCreate)
+		}
+		s.WriteString(fmt.Sprintf(" %s;", t.SchemaName))
+	}
+
+	tableCreate := "create table"
+	if ifNotExists {
+		s.WriteString(dialect.IfTableNotExists(tableCreate, t.SchemaName, t.TableName))
+	} else {
+		s.WriteString(tableCreate)
+	}
+	s.WriteString(fmt.Sprintf(" %s (", dialect.QuotedTableForQuery(t.SchemaName, t.TableName)))
+
+	x := 0
+	for _, col := range t.Columns {
+		if !col.Transient {
+			if x > 0 {
+				s.WriteString(", ")
+			}
+			stype := dialect.ToSqlType(col.gotype, col.MaxSize, col.isAutoIncr)
+			s.WriteString(fmt.Sprintf("%s %s", dialect.QuoteField(col.ColumnName), stype))
+
+			if col.isPK || col.isNotNull {
+				s.WriteString(" not null")
+			}
+			if col.isPK && len(t.keys) == 1 {
+				s.WriteString(" primary key")
+			}
+			if col.Unique {
+				s.WriteString(" unique")
+			}
+			if col.isAutoIncr {
+				s.WriteString(fmt.Sprintf(" %s", dialect.AutoIncrStr()))
+			}
+
+			x++
+		}
+	}
+	if len(t.keys) > 1 {
+		s.WriteString(", primary key (")
+		for x := range t.keys {
+			if x > 0 {
+				s.WriteString(", ")
+			}
+			s.WriteString(dialect.QuoteField(t.keys[x].ColumnName))
+		}
+		s.WriteString(")")
+	}
+	if len(t.uniqueTogether) > 0 {
+		for _, columns := range t.uniqueTogether {
+			s.WriteString(", unique (")
+			for i, column := range columns {
+				if i > 0 {
+					s.WriteString(", ")
+				}
+				s.WriteString(dialect.QuoteField(column))
+			}
+			s.WriteString(")")
+		}
+	}
+	s.WriteString(") ")
+	s.WriteString(dialect.CreateTableSuffix())
+	s.WriteString(dialect.QuerySuffix())
+	return s.String()
+}
+
+func equal(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/table_bindings.go b/vendor/github.com/go-gorp/gorp/v3/table_bindings.go
new file mode 100644
index 0000000000..43c0b3dd48
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/table_bindings.go
@@ -0,0 +1,305 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"bytes"
+	"fmt"
+	"reflect"
+	"sync"
+)
+
+// CustomScanner binds a database column value to a Go type
+type CustomScanner struct {
+	// After a row is scanned, Holder will contain the value from the database column.
+	// Initialize the CustomScanner with the concrete Go type you wish the database
+	// driver to scan the raw column into.
+	Holder interface{}
+	// Target typically holds a pointer to the target struct field to bind the Holder
+	// value to.
+	Target interface{}
+	// Binder is a custom function that converts the holder value to the target type
+	// and sets target accordingly.  This function should return error if a problem
+	// occurs converting the holder to the target.
+	Binder func(holder interface{}, target interface{}) error
+}
+
+// Used to filter columns when selectively updating
+type ColumnFilter func(*ColumnMap) bool
+
+func acceptAllFilter(col *ColumnMap) bool {
+	return true
+}
+
+// Bind is called automatically by gorp after Scan()
+func (me CustomScanner) Bind() error {
+	return me.Binder(me.Holder, me.Target)
+}
+
+type bindPlan struct {
+	query             string
+	argFields         []string
+	keyFields         []string
+	versField         string
+	autoIncrIdx       int
+	autoIncrFieldName string
+	once              sync.Once
+}
+
+func (plan *bindPlan) createBindInstance(elem reflect.Value, conv TypeConverter) (bindInstance, error) {
+	bi := bindInstance{query: plan.query, autoIncrIdx: plan.autoIncrIdx, autoIncrFieldName: plan.autoIncrFieldName, versField: plan.versField}
+	if plan.versField != "" {
+		bi.existingVersion = elem.FieldByName(plan.versField).Int()
+	}
+
+	var err error
+
+	for i := 0; i < len(plan.argFields); i++ {
+		k := plan.argFields[i]
+		if k == versFieldConst {
+			newVer := bi.existingVersion + 1
+			bi.args = append(bi.args, newVer)
+			if bi.existingVersion == 0 {
+				elem.FieldByName(plan.versField).SetInt(int64(newVer))
+			}
+		} else {
+			val := elem.FieldByName(k).Interface()
+			if conv != nil {
+				val, err = conv.ToDb(val)
+				if err != nil {
+					return bindInstance{}, err
+				}
+			}
+			bi.args = append(bi.args, val)
+		}
+	}
+
+	for i := 0; i < len(plan.keyFields); i++ {
+		k := plan.keyFields[i]
+		val := elem.FieldByName(k).Interface()
+		if conv != nil {
+			val, err = conv.ToDb(val)
+			if err != nil {
+				return bindInstance{}, err
+			}
+		}
+		bi.keys = append(bi.keys, val)
+	}
+
+	return bi, nil
+}
+
+type bindInstance struct {
+	query             string
+	args              []interface{}
+	keys              []interface{}
+	existingVersion   int64
+	versField         string
+	autoIncrIdx       int
+	autoIncrFieldName string
+}
+
+func (t *TableMap) bindInsert(elem reflect.Value) (bindInstance, error) {
+	plan := &t.insertPlan
+	plan.once.Do(func() {
+		plan.autoIncrIdx = -1
+
+		s := bytes.Buffer{}
+		s2 := bytes.Buffer{}
+		s.WriteString(fmt.Sprintf("insert into %s (", t.dbmap.Dialect.QuotedTableForQuery(t.SchemaName, t.TableName)))
+
+		x := 0
+		first := true
+		for y := range t.Columns {
+			col := t.Columns[y]
+			if !(col.isAutoIncr && t.dbmap.Dialect.AutoIncrBindValue() == "") {
+				if !col.Transient {
+					if !first {
+						s.WriteString(",")
+						s2.WriteString(",")
+					}
+					s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName))
+
+					if col.isAutoIncr {
+						s2.WriteString(t.dbmap.Dialect.AutoIncrBindValue())
+						plan.autoIncrIdx = y
+						plan.autoIncrFieldName = col.fieldName
+					} else {
+						if col.DefaultValue == "" {
+							s2.WriteString(t.dbmap.Dialect.BindVar(x))
+							if col == t.version {
+								plan.versField = col.fieldName
+								plan.argFields = append(plan.argFields, versFieldConst)
+							} else {
+								plan.argFields = append(plan.argFields, col.fieldName)
+							}
+							x++
+						} else {
+							s2.WriteString(col.DefaultValue)
+						}
+					}
+					first = false
+				}
+			} else {
+				plan.autoIncrIdx = y
+				plan.autoIncrFieldName = col.fieldName
+			}
+		}
+		s.WriteString(") values (")
+		s.WriteString(s2.String())
+		s.WriteString(")")
+		if plan.autoIncrIdx > -1 {
+			s.WriteString(t.dbmap.Dialect.AutoIncrInsertSuffix(t.Columns[plan.autoIncrIdx]))
+		}
+		s.WriteString(t.dbmap.Dialect.QuerySuffix())
+
+		plan.query = s.String()
+	})
+
+	return plan.createBindInstance(elem, t.dbmap.TypeConverter)
+}
+
+func (t *TableMap) bindUpdate(elem reflect.Value, colFilter ColumnFilter) (bindInstance, error) {
+	if colFilter == nil {
+		colFilter = acceptAllFilter
+	}
+
+	plan := &t.updatePlan
+	plan.once.Do(func() {
+		s := bytes.Buffer{}
+		s.WriteString(fmt.Sprintf("update %s set ", t.dbmap.Dialect.QuotedTableForQuery(t.SchemaName, t.TableName)))
+		x := 0
+
+		for y := range t.Columns {
+			col := t.Columns[y]
+			if !col.isAutoIncr && !col.Transient && colFilter(col) {
+				if x > 0 {
+					s.WriteString(", ")
+				}
+				s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName))
+				s.WriteString("=")
+				s.WriteString(t.dbmap.Dialect.BindVar(x))
+
+				if col == t.version {
+					plan.versField = col.fieldName
+					plan.argFields = append(plan.argFields, versFieldConst)
+				} else {
+					plan.argFields = append(plan.argFields, col.fieldName)
+				}
+				x++
+			}
+		}
+
+		s.WriteString(" where ")
+		for y := range t.keys {
+			col := t.keys[y]
+			if y > 0 {
+				s.WriteString(" and ")
+			}
+			s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName))
+			s.WriteString("=")
+			s.WriteString(t.dbmap.Dialect.BindVar(x))
+
+			plan.argFields = append(plan.argFields, col.fieldName)
+			plan.keyFields = append(plan.keyFields, col.fieldName)
+			x++
+		}
+		if plan.versField != "" {
+			s.WriteString(" and ")
+			s.WriteString(t.dbmap.Dialect.QuoteField(t.version.ColumnName))
+			s.WriteString("=")
+			s.WriteString(t.dbmap.Dialect.BindVar(x))
+			plan.argFields = append(plan.argFields, plan.versField)
+		}
+		s.WriteString(t.dbmap.Dialect.QuerySuffix())
+
+		plan.query = s.String()
+	})
+
+	return plan.createBindInstance(elem, t.dbmap.TypeConverter)
+}
+
+func (t *TableMap) bindDelete(elem reflect.Value) (bindInstance, error) {
+	plan := &t.deletePlan
+	plan.once.Do(func() {
+		s := bytes.Buffer{}
+		s.WriteString(fmt.Sprintf("delete from %s", t.dbmap.Dialect.QuotedTableForQuery(t.SchemaName, t.TableName)))
+
+		for y := range t.Columns {
+			col := t.Columns[y]
+			if !col.Transient {
+				if col == t.version {
+					plan.versField = col.fieldName
+				}
+			}
+		}
+
+		s.WriteString(" where ")
+		for x := range t.keys {
+			k := t.keys[x]
+			if x > 0 {
+				s.WriteString(" and ")
+			}
+			s.WriteString(t.dbmap.Dialect.QuoteField(k.ColumnName))
+			s.WriteString("=")
+			s.WriteString(t.dbmap.Dialect.BindVar(x))
+
+			plan.keyFields = append(plan.keyFields, k.fieldName)
+			plan.argFields = append(plan.argFields, k.fieldName)
+		}
+		if plan.versField != "" {
+			s.WriteString(" and ")
+			s.WriteString(t.dbmap.Dialect.QuoteField(t.version.ColumnName))
+			s.WriteString("=")
+			s.WriteString(t.dbmap.Dialect.BindVar(len(plan.argFields)))
+
+			plan.argFields = append(plan.argFields, plan.versField)
+		}
+		s.WriteString(t.dbmap.Dialect.QuerySuffix())
+
+		plan.query = s.String()
+	})
+
+	return plan.createBindInstance(elem, t.dbmap.TypeConverter)
+}
+
+func (t *TableMap) bindGet() *bindPlan {
+	plan := &t.getPlan
+	plan.once.Do(func() {
+		s := bytes.Buffer{}
+		s.WriteString("select ")
+
+		x := 0
+		for _, col := range t.Columns {
+			if !col.Transient {
+				if x > 0 {
+					s.WriteString(",")
+				}
+				s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName))
+				plan.argFields = append(plan.argFields, col.fieldName)
+				x++
+			}
+		}
+		s.WriteString(" from ")
+		s.WriteString(t.dbmap.Dialect.QuotedTableForQuery(t.SchemaName, t.TableName))
+		s.WriteString(" where ")
+		for x := range t.keys {
+			col := t.keys[x]
+			if x > 0 {
+				s.WriteString(" and ")
+			}
+			s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName))
+			s.WriteString("=")
+			s.WriteString(t.dbmap.Dialect.BindVar(x))
+
+			plan.keyFields = append(plan.keyFields, col.fieldName)
+		}
+		s.WriteString(t.dbmap.Dialect.QuerySuffix())
+
+		plan.query = s.String()
+	})
+
+	return plan
+}
diff --git a/vendor/github.com/go-gorp/gorp/v3/test_all.sh b/vendor/github.com/go-gorp/gorp/v3/test_all.sh
new file mode 100644
index 0000000000..91007d6454
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/test_all.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -ex
+
+# on macs, you may need to:
+# export GOBUILDFLAG=-ldflags -linkmode=external
+
+echo "Running unit tests"
+go test -race
+
+echo "Testing against postgres"
+export GORP_TEST_DSN="host=postgres user=gorptest password=gorptest dbname=gorptest sslmode=disable"
+export GORP_TEST_DIALECT=postgres
+go test -tags integration $GOBUILDFLAG $@ .
+
+echo "Testing against sqlite"
+export GORP_TEST_DSN=/tmp/gorptest.bin
+export GORP_TEST_DIALECT=sqlite
+go test -tags integration $GOBUILDFLAG $@ .
+rm -f /tmp/gorptest.bin
+
+echo "Testing against mysql"
+export GORP_TEST_DSN="gorptest:gorptest@tcp(mysql)/gorptest"
+export GORP_TEST_DIALECT=mysql
+go test -tags integration $GOBUILDFLAG $@ .
diff --git a/vendor/github.com/go-gorp/gorp/v3/transaction.go b/vendor/github.com/go-gorp/gorp/v3/transaction.go
new file mode 100644
index 0000000000..d505d94c91
--- /dev/null
+++ b/vendor/github.com/go-gorp/gorp/v3/transaction.go
@@ -0,0 +1,239 @@
+// Copyright 2012 James Cooper. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package gorp
+
+import (
+	"context"
+	"database/sql"
+	"time"
+)
+
+// Transaction represents a database transaction.
+// Insert/Update/Delete/Get/Exec operations will be run in the context
+// of that transaction.  Transactions should be terminated with
+// a call to Commit() or Rollback()
+type Transaction struct {
+	ctx    context.Context
+	dbmap  *DbMap
+	tx     *sql.Tx
+	closed bool
+}
+
+func (t *Transaction) WithContext(ctx context.Context) SqlExecutor {
+	copy := &Transaction{}
+	*copy = *t
+	copy.ctx = ctx
+	return copy
+}
+
+// Insert has the same behavior as DbMap.Insert(), but runs in a transaction.
+func (t *Transaction) Insert(list ...interface{}) error {
+	return insert(t.dbmap, t, list...)
+}
+
+// Update had the same behavior as DbMap.Update(), but runs in a transaction.
+func (t *Transaction) Update(list ...interface{}) (int64, error) {
+	return update(t.dbmap, t, nil, list...)
+}
+
+// UpdateColumns had the same behavior as DbMap.UpdateColumns(), but runs in a transaction.
+func (t *Transaction) UpdateColumns(filter ColumnFilter, list ...interface{}) (int64, error) {
+	return update(t.dbmap, t, filter, list...)
+}
+
+// Delete has the same behavior as DbMap.Delete(), but runs in a transaction.
+func (t *Transaction) Delete(list ...interface{}) (int64, error) {
+	return delete(t.dbmap, t, list...)
+}
+
+// Get has the same behavior as DbMap.Get(), but runs in a transaction.
+func (t *Transaction) Get(i interface{}, keys ...interface{}) (interface{}, error) {
+	return get(t.dbmap, t, i, keys...)
+}
+
+// Select has the same behavior as DbMap.Select(), but runs in a transaction.
+func (t *Transaction) Select(i interface{}, query string, args ...interface{}) ([]interface{}, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return hookedselect(t.dbmap, t, i, query, args...)
+}
+
+// Exec has the same behavior as DbMap.Exec(), but runs in a transaction.
+func (t *Transaction) Exec(query string, args ...interface{}) (sql.Result, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	if t.dbmap.logger != nil {
+		now := time.Now()
+		defer t.dbmap.trace(now, query, args...)
+	}
+	return maybeExpandNamedQueryAndExec(t, query, args...)
+}
+
+// SelectInt is a convenience wrapper around the gorp.SelectInt function.
+func (t *Transaction) SelectInt(query string, args ...interface{}) (int64, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectInt(t, query, args...)
+}
+
+// SelectNullInt is a convenience wrapper around the gorp.SelectNullInt function.
+func (t *Transaction) SelectNullInt(query string, args ...interface{}) (sql.NullInt64, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectNullInt(t, query, args...)
+}
+
+// SelectFloat is a convenience wrapper around the gorp.SelectFloat function.
+func (t *Transaction) SelectFloat(query string, args ...interface{}) (float64, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectFloat(t, query, args...)
+}
+
+// SelectNullFloat is a convenience wrapper around the gorp.SelectNullFloat function.
+func (t *Transaction) SelectNullFloat(query string, args ...interface{}) (sql.NullFloat64, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectNullFloat(t, query, args...)
+}
+
+// SelectStr is a convenience wrapper around the gorp.SelectStr function.
+func (t *Transaction) SelectStr(query string, args ...interface{}) (string, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectStr(t, query, args...)
+}
+
+// SelectNullStr is a convenience wrapper around the gorp.SelectNullStr function.
+func (t *Transaction) SelectNullStr(query string, args ...interface{}) (sql.NullString, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectNullStr(t, query, args...)
+}
+
+// SelectOne is a convenience wrapper around the gorp.SelectOne function.
+func (t *Transaction) SelectOne(holder interface{}, query string, args ...interface{}) error {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	return SelectOne(t.dbmap, t, holder, query, args...)
+}
+
+// Commit commits the underlying database transaction.
+func (t *Transaction) Commit() error {
+	if !t.closed {
+		t.closed = true
+		if t.dbmap.logger != nil {
+			now := time.Now()
+			defer t.dbmap.trace(now, "commit;")
+		}
+		return t.tx.Commit()
+	}
+
+	return sql.ErrTxDone
+}
+
+// Rollback rolls back the underlying database transaction.
+func (t *Transaction) Rollback() error {
+	if !t.closed {
+		t.closed = true
+		if t.dbmap.logger != nil {
+			now := time.Now()
+			defer t.dbmap.trace(now, "rollback;")
+		}
+		return t.tx.Rollback()
+	}
+
+	return sql.ErrTxDone
+}
+
+// Savepoint creates a savepoint with the given name. The name is interpolated
+// directly into the SQL SAVEPOINT statement, so you must sanitize it if it is
+// derived from user input.
+func (t *Transaction) Savepoint(name string) error {
+	query := "savepoint " + t.dbmap.Dialect.QuoteField(name)
+	if t.dbmap.logger != nil {
+		now := time.Now()
+		defer t.dbmap.trace(now, query, nil)
+	}
+	_, err := exec(t, query)
+	return err
+}
+
+// RollbackToSavepoint rolls back to the savepoint with the given name. The
+// name is interpolated directly into the SQL SAVEPOINT statement, so you must
+// sanitize it if it is derived from user input.
+func (t *Transaction) RollbackToSavepoint(savepoint string) error {
+	query := "rollback to savepoint " + t.dbmap.Dialect.QuoteField(savepoint)
+	if t.dbmap.logger != nil {
+		now := time.Now()
+		defer t.dbmap.trace(now, query, nil)
+	}
+	_, err := exec(t, query)
+	return err
+}
+
+// ReleaseSavepint releases the savepoint with the given name. The name is
+// interpolated directly into the SQL SAVEPOINT statement, so you must sanitize
+// it if it is derived from user input.
+func (t *Transaction) ReleaseSavepoint(savepoint string) error {
+	query := "release savepoint " + t.dbmap.Dialect.QuoteField(savepoint)
+	if t.dbmap.logger != nil {
+		now := time.Now()
+		defer t.dbmap.trace(now, query, nil)
+	}
+	_, err := exec(t, query)
+	return err
+}
+
+// Prepare has the same behavior as DbMap.Prepare(), but runs in a transaction.
+func (t *Transaction) Prepare(query string) (*sql.Stmt, error) {
+	if t.dbmap.logger != nil {
+		now := time.Now()
+		defer t.dbmap.trace(now, query, nil)
+	}
+	return prepare(t, query)
+}
+
+func (t *Transaction) QueryRow(query string, args ...interface{}) *sql.Row {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&query, args...)
+	}
+
+	if t.dbmap.logger != nil {
+		now := time.Now()
+		defer t.dbmap.trace(now, query, args...)
+	}
+	return queryRow(t, query, args...)
+}
+
+func (t *Transaction) Query(q string, args ...interface{}) (*sql.Rows, error) {
+	if t.dbmap.ExpandSliceArgs {
+		expandSliceArgs(&q, args...)
+	}
+
+	if t.dbmap.logger != nil {
+		now := time.Now()
+		defer t.dbmap.trace(now, q, args...)
+	}
+	return query(t, q, args...)
+}
diff --git a/vendor/github.com/go-openapi/jsonpointer/.cliff.toml b/vendor/github.com/go-openapi/jsonpointer/.cliff.toml
new file mode 100644
index 0000000000..702629f5dc
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonpointer/.cliff.toml
@@ -0,0 +1,181 @@
+# git-cliff ~ configuration file
+# https://git-cliff.org/docs/configuration
+
+[changelog]
+header = """
+"""
+
+footer = """
+
+-----
+
+**[{{ remote.github.repo }}]({{ self::remote_url() }}) license terms**
+
+[![License][license-badge]][license-url]
+
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: {{ self::remote_url() }}/?tab=Apache-2.0-1-ov-file#readme
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+
+body = """
+{%- if version %}
+## [{{ version | trim_start_matches(pat="v") }}]({{ self::remote_url() }}/tree/{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }}
+{%- else %}
+## [unreleased]
+{%- endif %}
+{%- if message %}
+  {%- raw %}\n{% endraw %}
+{{ message }}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+{%- if version %}
+  {%- if previous.version %}
+
+**Full Changelog**: <{{ self::remote_url() }}/compare/{{ previous.version }}...{{ version }}>
+  {%- endif %}
+{%- else %}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+
+{%- if statistics %}{% if statistics.commit_count %}
+  {%- raw %}\n{% endraw %}
+{{ statistics.commit_count }} commits in this release.
+  {%- raw %}\n{% endraw %}
+{%- endif %}{% endif %}
+-----
+
+{%- for group, commits in commits | group_by(attribute="group") %}
+  {%- raw %}\n{% endraw %}
+### {{ group | upper_first }}
+    {%- raw %}\n{% endraw %}
+    {%- for commit in commits %}
+      {%- if commit.remote.pr_title %}
+        {%- set commit_message = commit.remote.pr_title %}
+      {%- else %}
+        {%- set commit_message = commit.message %}
+      {%- endif %}
+* {{ commit_message | split(pat="\n") | first | trim }}
+      {%- if commit.remote.username %}
+{%- raw %} {% endraw %}by [@{{ commit.remote.username }}](https://github.com/{{ commit.remote.username }})
+      {%- endif %}
+      {%- if commit.remote.pr_number %}
+{%- raw %} {% endraw %}in [#{{ commit.remote.pr_number }}]({{ self::remote_url() }}/pull/{{ commit.remote.pr_number }})
+      {%- endif %}
+{%- raw %} {% endraw %}[...]({{ self::remote_url() }}/commit/{{ commit.id }})
+  {%- endfor %}
+{%- endfor %}
+
+{%- if github %}
+{%- raw %}\n{% endraw -%}
+  {%- set all_contributors = github.contributors | length %}
+  {%- if github.contributors | filter(attribute="username", value="dependabot[bot]") | length < all_contributors %}
+-----
+
+### People who contributed to this release
+  {% endif %}
+  {%- for contributor in github.contributors | filter(attribute="username") | sort(attribute="username") %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+* [@{{ contributor.username }}](https://github.com/{{ contributor.username }})
+    {%- endif %}
+  {%- endfor %}
+
+  {% if github.contributors | filter(attribute="is_first_time", value=true) | length != 0 %}
+-----
+    {%- raw %}\n{% endraw %}
+
+### New Contributors
+  {%- endif %}
+
+  {%- for contributor in github.contributors | filter(attribute="is_first_time", value=true) %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+* @{{ contributor.username }} made their first contribution
+      {%- if contributor.pr_number %}
+  in [#{{ contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }}) \
+      {%- endif %}
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
+
+{%- raw %}\n{% endraw %}
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+# Remove leading and trailing whitespaces from the changelog's body.
+trim = true
+# Render body even when there are no releases to process.
+render_always = true
+# An array of regex based postprocessors to modify the changelog.
+postprocessors = [
+    # Replace the placeholder <REPO> with a URL.
+    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
+]
+# output file path
+# output = "test.md"
+
+[git]
+# Parse commits according to the conventional commits specification.
+# See https://www.conventionalcommits.org
+conventional_commits = false
+# Exclude commits that do not match the conventional commits specification.
+filter_unconventional = false
+# Require all commits to be conventional.
+# Takes precedence over filter_unconventional.
+require_conventional = false
+# Split commits on newlines, treating each line as an individual commit.
+split_commits = false
+# An array of regex based parsers to modify commit messages prior to further processing.
+commit_preprocessors = [
+    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
+    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+    # Check spelling of the commit message using https://github.com/crate-ci/typos.
+    # If the spelling is incorrect, it will be fixed automatically.
+    #{ pattern = '.*', replace_command = 'typos --write-changes -' }
+]
+# Prevent commits that are breaking from being excluded by commit parsers.
+protect_breaking_commits = false
+# An array of regex based parsers for extracting data from the commit message.
+# Assigns commits to groups.
+# Optionally sets the commit's scope and can decide to exclude commits from further processing.
+commit_parsers = [
+    { message = "^[Cc]hore\\([Rr]elease\\): prepare for", skip = true },
+    { message = "(^[Mm]erge)|([Mm]erge conflict)", skip = true },
+    { field = "author.name", pattern = "dependabot*", group = "<!-- 0A -->Updates" },
+    { message = "([Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { body = "(.*[Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { message = "([Cc]hore\\(lint\\))|(style)|(lint)|(codeql)|(golangci)", group = "<!-- 05 -->Code quality" },
+    { message = "(^[Dd]oc)|((?i)readme)|(badge)|(typo)|(documentation)", group = "<!-- 03 -->Documentation" },
+    { message = "(^[Ff]eat)|(^[Ee]nhancement)", group = "<!-- 00 -->Implemented enhancements" },
+    { message = "(^ci)|(\\(ci\\))|(fixup\\s+ci)|(fix\\s+ci)|(license)|(example)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^test", group = "<!-- 06 -->Testing" },
+    { message = "(^fix)|(panic)", group = "<!-- 01 -->Fixed bugs" },
+    { message = "(^refact)|(rework)", group = "<!-- 02 -->Refactor" },
+    { message = "(^[Pp]erf)|(performance)", group = "<!-- 04 -->Performance" },
+    { message = "(^[Cc]hore)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^[Rr]evert", group = "<!-- 09 -->Reverted changes" },
+    { message = "(upgrade.*?go)|(go\\s+version)", group = "<!-- 0A -->Updates" },
+    { message = ".*", group = "<!-- 0B -->Other" },
+]
+# Exclude commits that are not matched by any commit parser.
+filter_commits = false
+# An array of link parsers for extracting external references, and turning them into URLs, using regex.
+link_parsers = []
+# Include only the tags that belong to the current branch.
+use_branch_tags = false
+# Order releases topologically instead of chronologically.
+topo_order = false
+# Order releases topologically instead of chronologically.
+topo_order_commits = true
+# Order of commits in each group/release within the changelog.
+# Allowed values: newest, oldest
+sort_commits = "newest"
+# Process submodules commits
+recurse_submodules = false
+
+#[remote.github]
+#owner = "go-openapi"
diff --git a/vendor/github.com/go-openapi/jsonpointer/.gitignore b/vendor/github.com/go-openapi/jsonpointer/.gitignore
index 769c244007..59cd294891 100644
--- a/vendor/github.com/go-openapi/jsonpointer/.gitignore
+++ b/vendor/github.com/go-openapi/jsonpointer/.gitignore
@@ -1 +1,4 @@
-secrets.yml
+*.out
+*.cov
+.idea
+.env
diff --git a/vendor/github.com/go-openapi/jsonpointer/.golangci.yml b/vendor/github.com/go-openapi/jsonpointer/.golangci.yml
index 500630621f..fdae591bce 100644
--- a/vendor/github.com/go-openapi/jsonpointer/.golangci.yml
+++ b/vendor/github.com/go-openapi/jsonpointer/.golangci.yml
@@ -2,43 +2,37 @@ version: "2"
 linters:
   default: all
   disable:
-    - cyclop
     - depguard
-    - errchkjson
-    - errorlint
-    - exhaustruct
-    - forcetypeassert
     - funlen
-    - gochecknoglobals
-    - gochecknoinits
-    - gocognit
-    - godot
     - godox
-    - gosmopolitan
-    - inamedparam
-    - ireturn
-    - lll
-    - musttag
-    - nestif
+    - exhaustruct
     - nlreturn
     - nonamedreturns
+    - noinlineerr
     - paralleltest
+    - recvcheck
     - testpackage
-    - thelper
     - tparallel
-    - unparam
     - varnamelen
     - whitespace
     - wrapcheck
     - wsl
+    - wsl_v5
   settings:
     dupl:
       threshold: 200
     goconst:
       min-len: 2
       min-occurrences: 3
+    cyclop:
+      max-complexity: 20
     gocyclo:
-      min-complexity: 45
+      min-complexity: 20
+    exhaustive:
+      default-signifies-exhaustive: true
+      default-case-required: true
+    lll:
+      line-length: 180
   exclusions:
     generated: lax
     presets:
@@ -54,9 +48,19 @@ formatters:
   enable:
     - gofmt
     - goimports
+    - gofumpt
   exclusions:
     generated: lax
     paths:
       - third_party$
       - builtin$
       - examples$
+issues:
+  # Maximum issues count per one linter.
+  # Set to 0 to disable.
+  # Default: 50
+  max-issues-per-linter: 0
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
+  max-same-issues: 0
diff --git a/vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md b/vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md
new file mode 100644
index 0000000000..03c098316d
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md
@@ -0,0 +1,24 @@
+# Contributors
+
+- Repository: ['go-openapi/jsonpointer']
+
+| Total Contributors | Total Contributions |
+| --- | --- |
+| 12  | 95  |
+
+| Username | All Time Contribution Count | All Commits |
+| --- | --- | --- |
+| @fredbi | 48 | https://github.com/go-openapi/jsonpointer/commits?author=fredbi |
+| @casualjim | 33 | https://github.com/go-openapi/jsonpointer/commits?author=casualjim |
+| @magodo | 3 | https://github.com/go-openapi/jsonpointer/commits?author=magodo |
+| @youyuanwu | 3 | https://github.com/go-openapi/jsonpointer/commits?author=youyuanwu |
+| @gaiaz-iusipov | 1 | https://github.com/go-openapi/jsonpointer/commits?author=gaiaz-iusipov |
+| @gbjk | 1 | https://github.com/go-openapi/jsonpointer/commits?author=gbjk |
+| @gordallott | 1 | https://github.com/go-openapi/jsonpointer/commits?author=gordallott |
+| @ianlancetaylor | 1 | https://github.com/go-openapi/jsonpointer/commits?author=ianlancetaylor |
+| @mfleader | 1 | https://github.com/go-openapi/jsonpointer/commits?author=mfleader |
+| @Neo2308 | 1 | https://github.com/go-openapi/jsonpointer/commits?author=Neo2308 |
+| @olivierlemasle | 1 | https://github.com/go-openapi/jsonpointer/commits?author=olivierlemasle |
+| @testwill | 1 | https://github.com/go-openapi/jsonpointer/commits?author=testwill |
+
+ _this file was generated by the [Contributors GitHub Action](https://github.com/github/contributors)_
diff --git a/vendor/github.com/go-openapi/jsonpointer/LICENSE b/vendor/github.com/go-openapi/jsonpointer/LICENSE
index d645695673..261eeb9e9f 100644
--- a/vendor/github.com/go-openapi/jsonpointer/LICENSE
+++ b/vendor/github.com/go-openapi/jsonpointer/LICENSE
@@ -1,4 +1,3 @@
-
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
diff --git a/vendor/github.com/go-openapi/jsonpointer/NOTICE b/vendor/github.com/go-openapi/jsonpointer/NOTICE
new file mode 100644
index 0000000000..f3b51939a9
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonpointer/NOTICE
@@ -0,0 +1,39 @@
+Copyright 2015-2025 go-swagger maintainers
+
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+This software library, github.com/go-openapi/jsonpointer, includes software developed
+by the go-swagger and go-openapi maintainers ("go-swagger maintainers").
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this software except in compliance with the License.
+
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0.
+
+This software is copied from, derived from, and inspired by other original software products.
+It ships with copies of other software which license terms are recalled below.
+
+The original software was authored on 25-02-2013 by sigu-399 (https://github.com/sigu-399, sigu.399@gmail.com).
+
+github.com/sigh-399/jsonpointer
+===========================
+
+// SPDX-FileCopyrightText: Copyright 2013 sigu-399 ( https://github.com/sigu-399 )
+// SPDX-License-Identifier: Apache-2.0
+
+Copyright 2013 sigu-399 ( https://github.com/sigu-399 )
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/vendor/github.com/go-openapi/jsonpointer/README.md b/vendor/github.com/go-openapi/jsonpointer/README.md
index 0108f1d572..b61b63fd9a 100644
--- a/vendor/github.com/go-openapi/jsonpointer/README.md
+++ b/vendor/github.com/go-openapi/jsonpointer/README.md
@@ -1,19 +1,149 @@
-# gojsonpointer [![Build Status](https://github.com/go-openapi/jsonpointer/actions/workflows/go-test.yml/badge.svg)](https://github.com/go-openapi/jsonpointer/actions?query=workflow%3A"go+test") [![codecov](https://codecov.io/gh/go-openapi/jsonpointer/branch/master/graph/badge.svg)](https://codecov.io/gh/go-openapi/jsonpointer)
+# jsonpointer
 
-[![Slack Status](https://slackin.goswagger.io/badge.svg)](https://slackin.goswagger.io)
-[![license](http://img.shields.io/badge/license-Apache%20v2-orange.svg)](https://raw.githubusercontent.com/go-openapi/jsonpointer/master/LICENSE)
-[![Go Reference](https://pkg.go.dev/badge/github.com/go-openapi/jsonpointer.svg)](https://pkg.go.dev/github.com/go-openapi/jsonpointer)
-[![Go Report Card](https://goreportcard.com/badge/github.com/go-openapi/jsonpointer)](https://goreportcard.com/report/github.com/go-openapi/jsonpointer)
+<!-- Badges: status  -->
+[![Tests][test-badge]][test-url] [![Coverage][cov-badge]][cov-url] [![CI vuln scan][vuln-scan-badge]][vuln-scan-url] [![CodeQL][codeql-badge]][codeql-url]
+<!-- Badges: release & docker images  -->
+<!-- Badges: code quality  -->
+<!-- Badges: license & compliance -->
+[![Release][release-badge]][release-url] [![Go Report Card][gocard-badge]][gocard-url] [![CodeFactor Grade][codefactor-badge]][codefactor-url] [![License][license-badge]][license-url]
+<!-- Badges: documentation & support -->
+<!-- Badges: others & stats -->
+[![GoDoc][godoc-badge]][godoc-url] [![Slack Channel][slack-logo]![slack-badge]][slack-url] [![go version][goversion-badge]][goversion-url] ![Top language][top-badge] ![Commits since latest release][commits-badge]
 
-An implementation of JSON Pointer - Go language
+---
+
+An implementation of JSON Pointer for golang, which supports go `struct`.
 
 ## Status
-Completed YES
 
-Tested YES
+API is stable.
+
+## Import this library in your project
+
+```cmd
+go get github.com/go-openapi/jsonpointer
+```
+
+## Basic usage
+
+See also some [examples](./examples_test.go)
+
+### Retrieving a value
+
+```go
+  import (
+    "github.com/go-openapi/jsonpointer"
+  )
+
+
+  var doc any
+
+  ...
+
+	pointer, err := jsonpointer.New("/foo/1")
+	if err != nil {
+		... // error: e.g. invalid JSON pointer specification
+	}
+
+	value, kind, err := pointer.Get(doc)
+	if err != nil {
+		... // error: e.g. key not found, index out of bounds, etc.
+	}
+
+  ...
+```
+
+### Setting a value
+
+```go
+  ...
+  var doc any
+  ...
+	pointer, err := jsonpointer.New("/foo/1")
+	if err != nil {
+		... // error: e.g. invalid JSON pointer specification
+  }
+
+	doc, err = p.Set(doc, "value")
+	if err != nil {
+		... // error: e.g. key not found, index out of bounds, etc.
+	}
+```
+
+## Change log
+
+See <https://github.com/go-openapi/jsonpointer/releases>
 
 ## References
-http://tools.ietf.org/html/draft-ietf-appsawg-json-pointer-07
 
-### Note
-The 4.Evaluation part of the previous reference, starting with 'If the currently referenced value is a JSON array, the reference token MUST contain either...' is not implemented.
+<https://tools.ietf.org/html/draft-ietf-appsawg-json-pointer-07>
+
+also known as [RFC6901](https://www.rfc-editor.org/rfc/rfc6901)
+
+## Licensing
+
+This library ships under the [SPDX-License-Identifier: Apache-2.0](./LICENSE).
+
+See the license [NOTICE](./NOTICE), which recalls the licensing terms of all the pieces of software
+on top of which it has been built.
+
+## Limitations
+
+The 4.Evaluation part of the previous reference, starting with 'If the currently referenced value is a JSON array,
+the reference token MUST contain either...' is not implemented.
+
+That is because our implementation of the JSON pointer only supports explicit references to array elements:
+the provision in the spec to resolve non-existent members as "the last element in the array",
+using the special trailing character "-" is not implemented.
+
+## Other documentation
+
+* [All-time contributors](./CONTRIBUTORS.md)
+* [Contributing guidelines](.github/CONTRIBUTING.md)
+* [Maintainers documentation](docs/MAINTAINERS.md)
+* [Code style](docs/STYLE.md)
+
+## Cutting a new release
+
+Maintainers can cut a new release by either:
+
+* running [this workflow](https://github.com/go-openapi/jsonpointer/actions/workflows/bump-release.yml)
+* or pushing a semver tag
+  * signed tags are preferred
+  * The tag message is prepended to release notes
+
+<!-- Badges: status  -->
+[test-badge]: https://github.com/go-openapi/jsonpointer/actions/workflows/go-test.yml/badge.svg
+[test-url]: https://github.com/go-openapi/jsonpointer/actions/workflows/go-test.yml
+[cov-badge]: https://codecov.io/gh/go-openapi/jsonpointer/branch/master/graph/badge.svg
+[cov-url]: https://codecov.io/gh/go-openapi/jsonpointer
+[vuln-scan-badge]: https://github.com/go-openapi/jsonpointer/actions/workflows/scanner.yml/badge.svg
+[vuln-scan-url]: https://github.com/go-openapi/jsonpointer/actions/workflows/scanner.yml
+[codeql-badge]: https://github.com/go-openapi/jsonpointer/actions/workflows/codeql.yml/badge.svg
+[codeql-url]: https://github.com/go-openapi/jsonpointer/actions/workflows/codeql.yml
+<!-- Badges: release & docker images  -->
+[release-badge]: https://badge.fury.io/gh/go-openapi%2Fjsonpointer.svg
+[release-url]: https://badge.fury.io/gh/go-openapi%2Fjsonpointer
+[gomod-badge]: https://badge.fury.io/go/github.com%2Fgo-openapi%2Fjsonpointer.svg
+[gomod-url]: https://badge.fury.io/go/github.com%2Fgo-openapi%2Fjsonpointer
+<!-- Badges: code quality  -->
+[gocard-badge]: https://goreportcard.com/badge/github.com/go-openapi/jsonpointer
+[gocard-url]: https://goreportcard.com/report/github.com/go-openapi/jsonpointer
+[codefactor-badge]: https://img.shields.io/codefactor/grade/github/go-openapi/jsonpointer
+[codefactor-url]: https://www.codefactor.io/repository/github/go-openapi/jsonpointer
+<!-- Badges: documentation & support -->
+[doc-badge]: https://img.shields.io/badge/doc-site-blue?link=https%3A%2F%2Fgoswagger.io%2Fgo-openapi%2F
+[doc-url]: https://goswagger.io/go-openapi
+[godoc-badge]: https://pkg.go.dev/badge/github.com/go-openapi/jsonpointer
+[godoc-url]: http://pkg.go.dev/github.com/go-openapi/jsonpointer
+[slack-logo]: https://a.slack-edge.com/e6a93c1/img/icons/favicon-32.png
+[slack-badge]: https://img.shields.io/badge/slack-blue?link=https%3A%2F%2Fgoswagger.slack.com%2Farchives%2FC04R30YM
+[slack-url]: https://goswagger.slack.com/archives/C04R30YMU
+<!-- Badges: license & compliance -->
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: https://github.com/go-openapi/jsonpointer/?tab=Apache-2.0-1-ov-file#readme
+<!-- Badges: others & stats -->
+[goversion-badge]: https://img.shields.io/github/go-mod/go-version/go-openapi/jsonpointer
+[goversion-url]: https://github.com/go-openapi/jsonpointer/blob/master/go.mod
+[top-badge]: https://img.shields.io/github/languages/top/go-openapi/jsonpointer
+[commits-badge]: https://img.shields.io/github/commits-since/go-openapi/jsonpointer/latest
diff --git a/vendor/github.com/go-openapi/jsonpointer/SECURITY.md b/vendor/github.com/go-openapi/jsonpointer/SECURITY.md
new file mode 100644
index 0000000000..2a7b6f0910
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonpointer/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+This policy outlines the commitment and practices of the go-openapi maintainers regarding security.
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.22.x  | :white_check_mark: |
+
+## Reporting a vulnerability
+
+If you become aware of a security vulnerability that affects the current repository,
+please report it privately to the maintainers.
+
+Please follow the instructions provided by github to
+[Privately report a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+TL;DR: on Github, navigate to the project's "Security" tab then click on "Report a vulnerability".
diff --git a/vendor/github.com/go-openapi/jsonpointer/errors.go b/vendor/github.com/go-openapi/jsonpointer/errors.go
index b84343d9d7..8c50dde8bc 100644
--- a/vendor/github.com/go-openapi/jsonpointer/errors.go
+++ b/vendor/github.com/go-openapi/jsonpointer/errors.go
@@ -1,5 +1,10 @@
+// SPDX-FileCopyrightText: Copyright (c) 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
 package jsonpointer
 
+import "fmt"
+
 type pointerError string
 
 func (e pointerError) Error() string {
@@ -7,12 +12,24 @@ func (e pointerError) Error() string {
 }
 
 const (
-	// ErrPointer is an error raised by the jsonpointer package
+	// ErrPointer is a sentinel error raised by all errors from this package.
 	ErrPointer pointerError = "JSON pointer error"
 
-	// ErrInvalidStart states that a JSON pointer must start with a separator ("/")
+	// ErrInvalidStart states that a JSON pointer must start with a separator ("/").
 	ErrInvalidStart pointerError = `JSON pointer must be empty or start with a "` + pointerSeparator
 
-	// ErrUnsupportedValueType indicates that a value of the wrong type is being set
+	// ErrUnsupportedValueType indicates that a value of the wrong type is being set.
 	ErrUnsupportedValueType pointerError = "only structs, pointers, maps and slices are supported for setting values"
 )
+
+func errNoKey(key string) error {
+	return fmt.Errorf("object has no key %q: %w", key, ErrPointer)
+}
+
+func errOutOfBounds(length, idx int) error {
+	return fmt.Errorf("index out of bounds array[0,%d] index '%d': %w", length-1, idx, ErrPointer)
+}
+
+func errInvalidReference(token string) error {
+	return fmt.Errorf("invalid token reference %q: %w", token, ErrPointer)
+}
diff --git a/vendor/github.com/go-openapi/jsonpointer/pointer.go b/vendor/github.com/go-openapi/jsonpointer/pointer.go
index 6136210572..7df49af3b9 100644
--- a/vendor/github.com/go-openapi/jsonpointer/pointer.go
+++ b/vendor/github.com/go-openapi/jsonpointer/pointer.go
@@ -1,28 +1,7 @@
-// Copyright 2013 sigu-399 ( https://github.com/sigu-399 )
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// author       sigu-399
-// author-github  https://github.com/sigu-399
-// author-mail    sigu.399@gmail.com
-//
-// repository-name  jsonpointer
-// repository-desc  An implementation of JSON Pointer - Go language
-//
-// description    Main and unique file.
-//
-// created        25-02-2013
+// SPDX-FileCopyrightText: Copyright (c) 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
+// Package jsonpointer provides a golang implementation for json pointers.
 package jsonpointer
 
 import (
@@ -33,7 +12,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/go-openapi/swag"
+	"github.com/go-openapi/swag/jsonname"
 )
 
 const (
@@ -41,70 +20,273 @@ const (
 	pointerSeparator = `/`
 )
 
-var jsonPointableType = reflect.TypeOf(new(JSONPointable)).Elem()
-var jsonSetableType = reflect.TypeOf(new(JSONSetable)).Elem()
-
-// JSONPointable is an interface for structs to implement when they need to customize the
-// json pointer process
+// JSONPointable is an interface for structs to implement,
+// when they need to customize the json pointer process or want to avoid the use of reflection.
 type JSONPointable interface {
-	JSONLookup(string) (any, error)
+	// JSONLookup returns a value pointed at this (unescaped) key.
+	JSONLookup(key string) (any, error)
 }
 
-// JSONSetable is an interface for structs to implement when they need to customize the
-// json pointer process
+// JSONSetable is an interface for structs to implement,
+// when they need to customize the json pointer process or want to avoid the use of reflection.
 type JSONSetable interface {
-	JSONSet(string, any) error
+	// JSONSet sets the value pointed at the (unescaped) key.
+	JSONSet(key string, value any) error
 }
 
-// New creates a new json pointer for the given string
-func New(jsonPointerString string) (Pointer, error) {
+// Pointer is a representation of a json pointer.
+//
+// Use [Pointer.Get] to retrieve a value or [Pointer.Set] to set a value.
+//
+// It works with any go type interpreted as a JSON document, which means:
+//
+//   - if a type implements [JSONPointable], its [JSONPointable.JSONLookup] method is used to resolve [Pointer.Get]
+//   - if a type implements [JSONSetable], its [JSONPointable.JSONSet] method is used to resolve [Pointer.Set]
+//   - a go map[K]V is interpreted as an object, with type K assignable to a string
+//   - a go slice []T is interpreted as an array
+//   - a go struct is interpreted as an object, with exported fields interpreted as keys
+//   - promoted fields from an embedded struct are traversed
+//   - scalars (e.g. int, float64 ...), channels, functions and go arrays cannot be traversed
+//
+// For struct s resolved by reflection, key mappings honor the conventional struct tag `json`.
+//
+// Fields that do not specify a `json` tag, or specify an empty one, or are tagged as `json:"-"` are ignored.
+//
+// # Limitations
+//
+//   - Unlike go standard marshaling, untagged fields do not default to the go field name and are ignored.
+//   - anonymous fields are not traversed if untagged
+type Pointer struct {
+	referenceTokens []string
+}
 
+// New creates a new json pointer from its string representation.
+func New(jsonPointerString string) (Pointer, error) {
 	var p Pointer
 	err := p.parse(jsonPointerString)
+
 	return p, err
+}
 
+// Get uses the pointer to retrieve a value from a JSON document.
+//
+// It returns the value with its type as a [reflect.Kind] or an error.
+func (p *Pointer) Get(document any) (any, reflect.Kind, error) {
+	return p.get(document, jsonname.DefaultJSONNameProvider)
 }
 
-// Pointer the json pointer reprsentation
-type Pointer struct {
-	referenceTokens []string
+// Set uses the pointer to set a value from a data type
+// that represent a JSON document.
+//
+// It returns the updated document.
+func (p *Pointer) Set(document any, value any) (any, error) {
+	return document, p.set(document, value, jsonname.DefaultJSONNameProvider)
 }
 
-// "Constructor", parses the given string JSON pointer
-func (p *Pointer) parse(jsonPointerString string) error {
+// DecodedTokens returns the decoded (unescaped) tokens of this JSON pointer.
+func (p *Pointer) DecodedTokens() []string {
+	result := make([]string, 0, len(p.referenceTokens))
+	for _, token := range p.referenceTokens {
+		result = append(result, Unescape(token))
+	}
 
-	var err error
+	return result
+}
 
-	if jsonPointerString != emptyPointer {
-		if !strings.HasPrefix(jsonPointerString, pointerSeparator) {
-			err = errors.Join(ErrInvalidStart, ErrPointer)
-		} else {
-			referenceTokens := strings.Split(jsonPointerString, pointerSeparator)
-			p.referenceTokens = append(p.referenceTokens, referenceTokens[1:]...)
-		}
+// IsEmpty returns true if this is an empty json pointer.
+//
+// This indicates that it points to the root document.
+func (p *Pointer) IsEmpty() bool {
+	return len(p.referenceTokens) == 0
+}
+
+// String representation of a pointer.
+func (p *Pointer) String() string {
+	if len(p.referenceTokens) == 0 {
+		return emptyPointer
 	}
 
-	return err
+	return pointerSeparator + strings.Join(p.referenceTokens, pointerSeparator)
 }
 
-// Get uses the pointer to retrieve a value from a JSON document
-func (p *Pointer) Get(document any) (any, reflect.Kind, error) {
-	return p.get(document, swag.DefaultJSONNameProvider)
+func (p *Pointer) Offset(document string) (int64, error) {
+	dec := json.NewDecoder(strings.NewReader(document))
+	var offset int64
+	for _, ttk := range p.DecodedTokens() {
+		tk, err := dec.Token()
+		if err != nil {
+			return 0, err
+		}
+		switch tk := tk.(type) {
+		case json.Delim:
+			switch tk {
+			case '{':
+				offset, err = offsetSingleObject(dec, ttk)
+				if err != nil {
+					return 0, err
+				}
+			case '[':
+				offset, err = offsetSingleArray(dec, ttk)
+				if err != nil {
+					return 0, err
+				}
+			default:
+				return 0, fmt.Errorf("invalid token %#v: %w", tk, ErrPointer)
+			}
+		default:
+			return 0, fmt.Errorf("invalid token %#v: %w", tk, ErrPointer)
+		}
+	}
+	return offset, nil
 }
 
-// Set uses the pointer to set a value from a JSON document
-func (p *Pointer) Set(document any, value any) (any, error) {
-	return document, p.set(document, value, swag.DefaultJSONNameProvider)
+// "Constructor", parses the given string JSON pointer.
+func (p *Pointer) parse(jsonPointerString string) error {
+	if jsonPointerString == emptyPointer {
+		return nil
+	}
+
+	if !strings.HasPrefix(jsonPointerString, pointerSeparator) {
+		// non empty pointer must start with "/"
+		return errors.Join(ErrInvalidStart, ErrPointer)
+	}
+
+	referenceTokens := strings.Split(jsonPointerString, pointerSeparator)
+	p.referenceTokens = append(p.referenceTokens, referenceTokens[1:]...)
+
+	return nil
 }
 
-// GetForToken gets a value for a json pointer token 1 level deep
-func GetForToken(document any, decodedToken string) (any, reflect.Kind, error) {
-	return getSingleImpl(document, decodedToken, swag.DefaultJSONNameProvider)
+func (p *Pointer) get(node any, nameProvider *jsonname.NameProvider) (any, reflect.Kind, error) {
+	if nameProvider == nil {
+		nameProvider = jsonname.DefaultJSONNameProvider
+	}
+
+	kind := reflect.Invalid
+
+	// full document when empty
+	if len(p.referenceTokens) == 0 {
+		return node, kind, nil
+	}
+
+	for _, token := range p.referenceTokens {
+		decodedToken := Unescape(token)
+
+		r, knd, err := getSingleImpl(node, decodedToken, nameProvider)
+		if err != nil {
+			return nil, knd, err
+		}
+		node = r
+	}
+
+	rValue := reflect.ValueOf(node)
+	kind = rValue.Kind()
+
+	return node, kind, nil
 }
 
-// SetForToken gets a value for a json pointer token 1 level deep
-func SetForToken(document any, decodedToken string, value any) (any, error) {
-	return document, setSingleImpl(document, value, decodedToken, swag.DefaultJSONNameProvider)
+func (p *Pointer) set(node, data any, nameProvider *jsonname.NameProvider) error {
+	knd := reflect.ValueOf(node).Kind()
+
+	if knd != reflect.Pointer && knd != reflect.Struct && knd != reflect.Map && knd != reflect.Slice && knd != reflect.Array {
+		return errors.Join(
+			fmt.Errorf("unexpected type: %T", node), //nolint:err113 // err wrapping is carried out by errors.Join, not fmt.Errorf.
+			ErrUnsupportedValueType,
+			ErrPointer,
+		)
+	}
+
+	l := len(p.referenceTokens)
+
+	// full document when empty
+	if l == 0 {
+		return nil
+	}
+
+	if nameProvider == nil {
+		nameProvider = jsonname.DefaultJSONNameProvider
+	}
+
+	var decodedToken string
+	lastIndex := l - 1
+
+	if lastIndex > 0 { // skip if we only have one token in pointer
+		for _, token := range p.referenceTokens[:lastIndex] {
+			decodedToken = Unescape(token)
+			next, err := p.resolveNodeForToken(node, decodedToken, nameProvider)
+			if err != nil {
+				return err
+			}
+
+			node = next
+		}
+	}
+
+	// last token
+	decodedToken = Unescape(p.referenceTokens[lastIndex])
+
+	return setSingleImpl(node, data, decodedToken, nameProvider)
+}
+
+func (p *Pointer) resolveNodeForToken(node any, decodedToken string, nameProvider *jsonname.NameProvider) (next any, err error) {
+	// check for nil during traversal
+	if isNil(node) {
+		return nil, fmt.Errorf("cannot traverse through nil value at %q: %w", decodedToken, ErrPointer)
+	}
+
+	pointable, ok := node.(JSONPointable)
+	if ok {
+		r, err := pointable.JSONLookup(decodedToken)
+		if err != nil {
+			return nil, err
+		}
+
+		fld := reflect.ValueOf(r)
+		if fld.CanAddr() && fld.Kind() != reflect.Interface && fld.Kind() != reflect.Map && fld.Kind() != reflect.Slice && fld.Kind() != reflect.Pointer {
+			return fld.Addr().Interface(), nil
+		}
+
+		return r, nil
+	}
+
+	rValue := reflect.Indirect(reflect.ValueOf(node))
+	kind := rValue.Kind()
+
+	switch kind {
+	case reflect.Struct:
+		nm, ok := nameProvider.GetGoNameForType(rValue.Type(), decodedToken)
+		if !ok {
+			return nil, fmt.Errorf("object has no field %q: %w", decodedToken, ErrPointer)
+		}
+
+		return typeFromValue(rValue.FieldByName(nm)), nil
+
+	case reflect.Map:
+		kv := reflect.ValueOf(decodedToken)
+		mv := rValue.MapIndex(kv)
+
+		if !mv.IsValid() {
+			return nil, errNoKey(decodedToken)
+		}
+
+		return typeFromValue(mv), nil
+
+	case reflect.Slice:
+		tokenIndex, err := strconv.Atoi(decodedToken)
+		if err != nil {
+			return nil, errors.Join(err, ErrPointer)
+		}
+
+		sLength := rValue.Len()
+		if tokenIndex < 0 || tokenIndex >= sLength {
+			return nil, errOutOfBounds(sLength, tokenIndex)
+		}
+
+		return typeFromValue(rValue.Index(tokenIndex)), nil
+
+	default:
+		return nil, errInvalidReference(decodedToken)
+	}
 }
 
 func isNil(input any) bool {
@@ -113,15 +295,33 @@ func isNil(input any) bool {
 	}
 
 	kind := reflect.TypeOf(input).Kind()
-	switch kind { //nolint:exhaustive
-	case reflect.Ptr, reflect.Map, reflect.Slice, reflect.Chan:
+	switch kind {
+	case reflect.Pointer, reflect.Map, reflect.Slice, reflect.Chan:
 		return reflect.ValueOf(input).IsNil()
 	default:
 		return false
 	}
 }
 
-func getSingleImpl(node any, decodedToken string, nameProvider *swag.NameProvider) (any, reflect.Kind, error) {
+func typeFromValue(v reflect.Value) any {
+	if v.CanAddr() && v.Kind() != reflect.Interface && v.Kind() != reflect.Map && v.Kind() != reflect.Slice && v.Kind() != reflect.Pointer {
+		return v.Addr().Interface()
+	}
+
+	return v.Interface()
+}
+
+// GetForToken gets a value for a json pointer token 1 level deep.
+func GetForToken(document any, decodedToken string) (any, reflect.Kind, error) {
+	return getSingleImpl(document, decodedToken, jsonname.DefaultJSONNameProvider)
+}
+
+// SetForToken sets a value for a json pointer token 1 level deep.
+func SetForToken(document any, decodedToken string, value any) (any, error) {
+	return document, setSingleImpl(document, value, decodedToken, jsonname.DefaultJSONNameProvider)
+}
+
+func getSingleImpl(node any, decodedToken string, nameProvider *jsonname.NameProvider) (any, reflect.Kind, error) {
 	rValue := reflect.Indirect(reflect.ValueOf(node))
 	kind := rValue.Kind()
 	if isNil(node) {
@@ -139,13 +339,15 @@ func getSingleImpl(node any, decodedToken string, nameProvider *swag.NameProvide
 		return getSingleImpl(*typed, decodedToken, nameProvider)
 	}
 
-	switch kind { //nolint:exhaustive
+	switch kind {
 	case reflect.Struct:
 		nm, ok := nameProvider.GetGoNameForType(rValue.Type(), decodedToken)
 		if !ok {
 			return nil, kind, fmt.Errorf("object has no field %q: %w", decodedToken, ErrPointer)
 		}
+
 		fld := rValue.FieldByName(nm)
+
 		return fld.Interface(), kind, nil
 
 	case reflect.Map:
@@ -155,271 +357,100 @@ func getSingleImpl(node any, decodedToken string, nameProvider *swag.NameProvide
 		if mv.IsValid() {
 			return mv.Interface(), kind, nil
 		}
-		return nil, kind, fmt.Errorf("object has no key %q: %w", decodedToken, ErrPointer)
+
+		return nil, kind, errNoKey(decodedToken)
 
 	case reflect.Slice:
 		tokenIndex, err := strconv.Atoi(decodedToken)
 		if err != nil {
-			return nil, kind, err
+			return nil, kind, errors.Join(err, ErrPointer)
 		}
 		sLength := rValue.Len()
 		if tokenIndex < 0 || tokenIndex >= sLength {
-			return nil, kind, fmt.Errorf("index out of bounds array[0,%d] index '%d': %w", sLength-1, tokenIndex, ErrPointer)
+			return nil, kind, errOutOfBounds(sLength, tokenIndex)
 		}
 
 		elem := rValue.Index(tokenIndex)
 		return elem.Interface(), kind, nil
 
 	default:
-		return nil, kind, fmt.Errorf("invalid token reference %q: %w", decodedToken, ErrPointer)
+		return nil, kind, errInvalidReference(decodedToken)
 	}
-
 }
 
-func setSingleImpl(node, data any, decodedToken string, nameProvider *swag.NameProvider) error {
-	rValue := reflect.Indirect(reflect.ValueOf(node))
-
-	// Check for nil to prevent panic when calling rValue.Type()
+func setSingleImpl(node, data any, decodedToken string, nameProvider *jsonname.NameProvider) error {
+	// check for nil to prevent panic when calling rValue.Type()
 	if isNil(node) {
 		return fmt.Errorf("cannot set field %q on nil value: %w", decodedToken, ErrPointer)
 	}
 
-	if ns, ok := node.(JSONSetable); ok { // pointer impl
+	if ns, ok := node.(JSONSetable); ok {
 		return ns.JSONSet(decodedToken, data)
 	}
 
-	if rValue.Type().Implements(jsonSetableType) {
-		return node.(JSONSetable).JSONSet(decodedToken, data)
-	}
+	rValue := reflect.Indirect(reflect.ValueOf(node))
 
-	switch rValue.Kind() { //nolint:exhaustive
+	switch rValue.Kind() {
 	case reflect.Struct:
 		nm, ok := nameProvider.GetGoNameForType(rValue.Type(), decodedToken)
 		if !ok {
 			return fmt.Errorf("object has no field %q: %w", decodedToken, ErrPointer)
 		}
+
 		fld := rValue.FieldByName(nm)
-		if fld.IsValid() {
-			fld.Set(reflect.ValueOf(data))
+		if !fld.CanSet() {
+			return fmt.Errorf("can't set struct field %s to %v: %w", nm, data, ErrPointer)
+		}
+
+		value := reflect.ValueOf(data)
+		valueType := value.Type()
+		assignedType := fld.Type()
+
+		if !valueType.AssignableTo(assignedType) {
+			return fmt.Errorf("can't set value with type %T to field %s with type %v: %w", data, nm, assignedType, ErrPointer)
 		}
+
+		fld.Set(value)
+
 		return nil
 
 	case reflect.Map:
 		kv := reflect.ValueOf(decodedToken)
 		rValue.SetMapIndex(kv, reflect.ValueOf(data))
+
 		return nil
 
 	case reflect.Slice:
 		tokenIndex, err := strconv.Atoi(decodedToken)
 		if err != nil {
-			return err
+			return errors.Join(err, ErrPointer)
 		}
+
 		sLength := rValue.Len()
 		if tokenIndex < 0 || tokenIndex >= sLength {
-			return fmt.Errorf("index out of bounds array[0,%d] index '%d': %w", sLength, tokenIndex, ErrPointer)
+			return errOutOfBounds(sLength, tokenIndex)
 		}
 
 		elem := rValue.Index(tokenIndex)
 		if !elem.CanSet() {
 			return fmt.Errorf("can't set slice index %s to %v: %w", decodedToken, data, ErrPointer)
 		}
-		elem.Set(reflect.ValueOf(data))
-		return nil
-
-	default:
-		return fmt.Errorf("invalid token reference %q: %w", decodedToken, ErrPointer)
-	}
-
-}
 
-func (p *Pointer) get(node any, nameProvider *swag.NameProvider) (any, reflect.Kind, error) {
+		value := reflect.ValueOf(data)
+		valueType := value.Type()
+		assignedType := elem.Type()
 
-	if nameProvider == nil {
-		nameProvider = swag.DefaultJSONNameProvider
-	}
-
-	kind := reflect.Invalid
-
-	// Full document when empty
-	if len(p.referenceTokens) == 0 {
-		return node, kind, nil
-	}
-
-	for _, token := range p.referenceTokens {
-		decodedToken := Unescape(token)
-
-		r, knd, err := getSingleImpl(node, decodedToken, nameProvider)
-		if err != nil {
-			return nil, knd, err
+		if !valueType.AssignableTo(assignedType) {
+			return fmt.Errorf("can't set value with type %T to slice element %d with type %v: %w", data, tokenIndex, assignedType, ErrPointer)
 		}
-		node = r
-	}
-
-	rValue := reflect.ValueOf(node)
-	kind = rValue.Kind()
 
-	return node, kind, nil
-}
+		elem.Set(value)
 
-func (p *Pointer) set(node, data any, nameProvider *swag.NameProvider) error {
-	knd := reflect.ValueOf(node).Kind()
-
-	if knd != reflect.Ptr && knd != reflect.Struct && knd != reflect.Map && knd != reflect.Slice && knd != reflect.Array {
-		return errors.Join(
-			ErrUnsupportedValueType,
-			ErrPointer,
-		)
-	}
-
-	if nameProvider == nil {
-		nameProvider = swag.DefaultJSONNameProvider
-	}
-
-	// Full document when empty
-	if len(p.referenceTokens) == 0 {
 		return nil
-	}
-
-	lastI := len(p.referenceTokens) - 1
-	for i, token := range p.referenceTokens {
-		isLastToken := i == lastI
-		decodedToken := Unescape(token)
-
-		if isLastToken {
-
-			return setSingleImpl(node, data, decodedToken, nameProvider)
-		}
-
-		// Check for nil during traversal
-		if isNil(node) {
-			return fmt.Errorf("cannot traverse through nil value at %q: %w", decodedToken, ErrPointer)
-		}
-
-		rValue := reflect.Indirect(reflect.ValueOf(node))
-		kind := rValue.Kind()
-
-		if rValue.Type().Implements(jsonPointableType) {
-			r, err := node.(JSONPointable).JSONLookup(decodedToken)
-			if err != nil {
-				return err
-			}
-			fld := reflect.ValueOf(r)
-			if fld.CanAddr() && fld.Kind() != reflect.Interface && fld.Kind() != reflect.Map && fld.Kind() != reflect.Slice && fld.Kind() != reflect.Ptr {
-				node = fld.Addr().Interface()
-				continue
-			}
-			node = r
-			continue
-		}
-
-		switch kind { //nolint:exhaustive
-		case reflect.Struct:
-			nm, ok := nameProvider.GetGoNameForType(rValue.Type(), decodedToken)
-			if !ok {
-				return fmt.Errorf("object has no field %q: %w", decodedToken, ErrPointer)
-			}
-			fld := rValue.FieldByName(nm)
-			if fld.CanAddr() && fld.Kind() != reflect.Interface && fld.Kind() != reflect.Map && fld.Kind() != reflect.Slice && fld.Kind() != reflect.Ptr {
-				node = fld.Addr().Interface()
-				continue
-			}
-			node = fld.Interface()
-
-		case reflect.Map:
-			kv := reflect.ValueOf(decodedToken)
-			mv := rValue.MapIndex(kv)
-
-			if !mv.IsValid() {
-				return fmt.Errorf("object has no key %q: %w", decodedToken, ErrPointer)
-			}
-			if mv.CanAddr() && mv.Kind() != reflect.Interface && mv.Kind() != reflect.Map && mv.Kind() != reflect.Slice && mv.Kind() != reflect.Ptr {
-				node = mv.Addr().Interface()
-				continue
-			}
-			node = mv.Interface()
-
-		case reflect.Slice:
-			tokenIndex, err := strconv.Atoi(decodedToken)
-			if err != nil {
-				return err
-			}
-			sLength := rValue.Len()
-			if tokenIndex < 0 || tokenIndex >= sLength {
-				return fmt.Errorf("index out of bounds array[0,%d] index '%d': %w", sLength, tokenIndex, ErrPointer)
-			}
-
-			elem := rValue.Index(tokenIndex)
-			if elem.CanAddr() && elem.Kind() != reflect.Interface && elem.Kind() != reflect.Map && elem.Kind() != reflect.Slice && elem.Kind() != reflect.Ptr {
-				node = elem.Addr().Interface()
-				continue
-			}
-			node = elem.Interface()
-
-		default:
-			return fmt.Errorf("invalid token reference %q: %w", decodedToken, ErrPointer)
-		}
-
-	}
-
-	return nil
-}
-
-// DecodedTokens returns the decoded tokens
-func (p *Pointer) DecodedTokens() []string {
-	result := make([]string, 0, len(p.referenceTokens))
-	for _, t := range p.referenceTokens {
-		result = append(result, Unescape(t))
-	}
-	return result
-}
-
-// IsEmpty returns true if this is an empty json pointer
-// this indicates that it points to the root document
-func (p *Pointer) IsEmpty() bool {
-	return len(p.referenceTokens) == 0
-}
-
-// Pointer to string representation function
-func (p *Pointer) String() string {
-
-	if len(p.referenceTokens) == 0 {
-		return emptyPointer
-	}
 
-	pointerString := pointerSeparator + strings.Join(p.referenceTokens, pointerSeparator)
-
-	return pointerString
-}
-
-func (p *Pointer) Offset(document string) (int64, error) {
-	dec := json.NewDecoder(strings.NewReader(document))
-	var offset int64
-	for _, ttk := range p.DecodedTokens() {
-		tk, err := dec.Token()
-		if err != nil {
-			return 0, err
-		}
-		switch tk := tk.(type) {
-		case json.Delim:
-			switch tk {
-			case '{':
-				offset, err = offsetSingleObject(dec, ttk)
-				if err != nil {
-					return 0, err
-				}
-			case '[':
-				offset, err = offsetSingleArray(dec, ttk)
-				if err != nil {
-					return 0, err
-				}
-			default:
-				return 0, fmt.Errorf("invalid token %#v: %w", tk, ErrPointer)
-			}
-		default:
-			return 0, fmt.Errorf("invalid token %#v: %w", tk, ErrPointer)
-		}
+	default:
+		return errInvalidReference(decodedToken)
 	}
-	return offset, nil
 }
 
 func offsetSingleObject(dec *json.Decoder, decodedToken string) (int64, error) {
@@ -449,13 +480,14 @@ func offsetSingleObject(dec *json.Decoder, decodedToken string) (int64, error) {
 			return 0, fmt.Errorf("invalid token %#v: %w", tk, ErrPointer)
 		}
 	}
+
 	return 0, fmt.Errorf("token reference %q not found: %w", decodedToken, ErrPointer)
 }
 
 func offsetSingleArray(dec *json.Decoder, decodedToken string) (int64, error) {
 	idx, err := strconv.Atoi(decodedToken)
 	if err != nil {
-		return 0, fmt.Errorf("token reference %q is not a number: %v: %w", decodedToken, err, ErrPointer)
+		return 0, fmt.Errorf("token reference %q is not a number: %w: %w", decodedToken, err, ErrPointer)
 	}
 	var i int
 	for i = 0; i < idx && dec.More(); i++ {
@@ -481,10 +513,12 @@ func offsetSingleArray(dec *json.Decoder, decodedToken string) (int64, error) {
 	if !dec.More() {
 		return 0, fmt.Errorf("token reference %q not found: %w", decodedToken, ErrPointer)
 	}
+
 	return dec.InputOffset(), nil
 }
 
 // drainSingle drains a single level of object or array.
+//
 // The decoder has to guarantee the beginning delim (i.e. '{' or '[') has been consumed.
 func drainSingle(dec *json.Decoder) error {
 	for dec.More() {
@@ -506,14 +540,15 @@ func drainSingle(dec *json.Decoder) error {
 		}
 	}
 
-	// Consumes the ending delim
+	// consumes the ending delim
 	if _, err := dec.Token(); err != nil {
 		return err
 	}
+
 	return nil
 }
 
-// Specific JSON pointer encoding here
+// JSON pointer encoding:
 // ~0 => ~
 // ~1 => /
 // ... and vice versa
@@ -525,16 +560,24 @@ const (
 	decRefTok1 = `/`
 )
 
-// Unescape unescapes a json pointer reference token string to the original representation
+var (
+	encRefTokReplacer = strings.NewReplacer(encRefTok1, decRefTok1, encRefTok0, decRefTok0) //nolint:gochecknoglobals // it's okay to declare a replacer as a private global
+	decRefTokReplacer = strings.NewReplacer(decRefTok1, encRefTok1, decRefTok0, encRefTok0) //nolint:gochecknoglobals // it's okay to declare a replacer as a private global
+)
+
+// Unescape unescapes a json pointer reference token string to the original representation.
 func Unescape(token string) string {
-	step1 := strings.ReplaceAll(token, encRefTok1, decRefTok1)
-	step2 := strings.ReplaceAll(step1, encRefTok0, decRefTok0)
-	return step2
+	return encRefTokReplacer.Replace(token)
 }
 
-// Escape escapes a pointer reference token string
+// Escape escapes a pointer reference token string.
+//
+// The JSONPointer specification defines "/" as a separator and "~" as an escape prefix.
+//
+// Keys containing such characters are escaped with the following rules:
+//
+//   - "~" is escaped as "~0"
+//   - "/" is escaped as "~1"
 func Escape(token string) string {
-	step1 := strings.ReplaceAll(token, decRefTok0, encRefTok0)
-	step2 := strings.ReplaceAll(step1, decRefTok1, encRefTok1)
-	return step2
+	return decRefTokReplacer.Replace(token)
 }
diff --git a/vendor/github.com/go-openapi/jsonreference/.cliff.toml b/vendor/github.com/go-openapi/jsonreference/.cliff.toml
new file mode 100644
index 0000000000..702629f5dc
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonreference/.cliff.toml
@@ -0,0 +1,181 @@
+# git-cliff ~ configuration file
+# https://git-cliff.org/docs/configuration
+
+[changelog]
+header = """
+"""
+
+footer = """
+
+-----
+
+**[{{ remote.github.repo }}]({{ self::remote_url() }}) license terms**
+
+[![License][license-badge]][license-url]
+
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: {{ self::remote_url() }}/?tab=Apache-2.0-1-ov-file#readme
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+
+body = """
+{%- if version %}
+## [{{ version | trim_start_matches(pat="v") }}]({{ self::remote_url() }}/tree/{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }}
+{%- else %}
+## [unreleased]
+{%- endif %}
+{%- if message %}
+  {%- raw %}\n{% endraw %}
+{{ message }}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+{%- if version %}
+  {%- if previous.version %}
+
+**Full Changelog**: <{{ self::remote_url() }}/compare/{{ previous.version }}...{{ version }}>
+  {%- endif %}
+{%- else %}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+
+{%- if statistics %}{% if statistics.commit_count %}
+  {%- raw %}\n{% endraw %}
+{{ statistics.commit_count }} commits in this release.
+  {%- raw %}\n{% endraw %}
+{%- endif %}{% endif %}
+-----
+
+{%- for group, commits in commits | group_by(attribute="group") %}
+  {%- raw %}\n{% endraw %}
+### {{ group | upper_first }}
+    {%- raw %}\n{% endraw %}
+    {%- for commit in commits %}
+      {%- if commit.remote.pr_title %}
+        {%- set commit_message = commit.remote.pr_title %}
+      {%- else %}
+        {%- set commit_message = commit.message %}
+      {%- endif %}
+* {{ commit_message | split(pat="\n") | first | trim }}
+      {%- if commit.remote.username %}
+{%- raw %} {% endraw %}by [@{{ commit.remote.username }}](https://github.com/{{ commit.remote.username }})
+      {%- endif %}
+      {%- if commit.remote.pr_number %}
+{%- raw %} {% endraw %}in [#{{ commit.remote.pr_number }}]({{ self::remote_url() }}/pull/{{ commit.remote.pr_number }})
+      {%- endif %}
+{%- raw %} {% endraw %}[...]({{ self::remote_url() }}/commit/{{ commit.id }})
+  {%- endfor %}
+{%- endfor %}
+
+{%- if github %}
+{%- raw %}\n{% endraw -%}
+  {%- set all_contributors = github.contributors | length %}
+  {%- if github.contributors | filter(attribute="username", value="dependabot[bot]") | length < all_contributors %}
+-----
+
+### People who contributed to this release
+  {% endif %}
+  {%- for contributor in github.contributors | filter(attribute="username") | sort(attribute="username") %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+* [@{{ contributor.username }}](https://github.com/{{ contributor.username }})
+    {%- endif %}
+  {%- endfor %}
+
+  {% if github.contributors | filter(attribute="is_first_time", value=true) | length != 0 %}
+-----
+    {%- raw %}\n{% endraw %}
+
+### New Contributors
+  {%- endif %}
+
+  {%- for contributor in github.contributors | filter(attribute="is_first_time", value=true) %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+* @{{ contributor.username }} made their first contribution
+      {%- if contributor.pr_number %}
+  in [#{{ contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }}) \
+      {%- endif %}
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
+
+{%- raw %}\n{% endraw %}
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+# Remove leading and trailing whitespaces from the changelog's body.
+trim = true
+# Render body even when there are no releases to process.
+render_always = true
+# An array of regex based postprocessors to modify the changelog.
+postprocessors = [
+    # Replace the placeholder <REPO> with a URL.
+    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
+]
+# output file path
+# output = "test.md"
+
+[git]
+# Parse commits according to the conventional commits specification.
+# See https://www.conventionalcommits.org
+conventional_commits = false
+# Exclude commits that do not match the conventional commits specification.
+filter_unconventional = false
+# Require all commits to be conventional.
+# Takes precedence over filter_unconventional.
+require_conventional = false
+# Split commits on newlines, treating each line as an individual commit.
+split_commits = false
+# An array of regex based parsers to modify commit messages prior to further processing.
+commit_preprocessors = [
+    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
+    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+    # Check spelling of the commit message using https://github.com/crate-ci/typos.
+    # If the spelling is incorrect, it will be fixed automatically.
+    #{ pattern = '.*', replace_command = 'typos --write-changes -' }
+]
+# Prevent commits that are breaking from being excluded by commit parsers.
+protect_breaking_commits = false
+# An array of regex based parsers for extracting data from the commit message.
+# Assigns commits to groups.
+# Optionally sets the commit's scope and can decide to exclude commits from further processing.
+commit_parsers = [
+    { message = "^[Cc]hore\\([Rr]elease\\): prepare for", skip = true },
+    { message = "(^[Mm]erge)|([Mm]erge conflict)", skip = true },
+    { field = "author.name", pattern = "dependabot*", group = "<!-- 0A -->Updates" },
+    { message = "([Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { body = "(.*[Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { message = "([Cc]hore\\(lint\\))|(style)|(lint)|(codeql)|(golangci)", group = "<!-- 05 -->Code quality" },
+    { message = "(^[Dd]oc)|((?i)readme)|(badge)|(typo)|(documentation)", group = "<!-- 03 -->Documentation" },
+    { message = "(^[Ff]eat)|(^[Ee]nhancement)", group = "<!-- 00 -->Implemented enhancements" },
+    { message = "(^ci)|(\\(ci\\))|(fixup\\s+ci)|(fix\\s+ci)|(license)|(example)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^test", group = "<!-- 06 -->Testing" },
+    { message = "(^fix)|(panic)", group = "<!-- 01 -->Fixed bugs" },
+    { message = "(^refact)|(rework)", group = "<!-- 02 -->Refactor" },
+    { message = "(^[Pp]erf)|(performance)", group = "<!-- 04 -->Performance" },
+    { message = "(^[Cc]hore)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^[Rr]evert", group = "<!-- 09 -->Reverted changes" },
+    { message = "(upgrade.*?go)|(go\\s+version)", group = "<!-- 0A -->Updates" },
+    { message = ".*", group = "<!-- 0B -->Other" },
+]
+# Exclude commits that are not matched by any commit parser.
+filter_commits = false
+# An array of link parsers for extracting external references, and turning them into URLs, using regex.
+link_parsers = []
+# Include only the tags that belong to the current branch.
+use_branch_tags = false
+# Order releases topologically instead of chronologically.
+topo_order = false
+# Order releases topologically instead of chronologically.
+topo_order_commits = true
+# Order of commits in each group/release within the changelog.
+# Allowed values: newest, oldest
+sort_commits = "newest"
+# Process submodules commits
+recurse_submodules = false
+
+#[remote.github]
+#owner = "go-openapi"
diff --git a/vendor/github.com/go-openapi/jsonreference/.editorconfig b/vendor/github.com/go-openapi/jsonreference/.editorconfig
new file mode 100644
index 0000000000..3152da69a5
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonreference/.editorconfig
@@ -0,0 +1,26 @@
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+
+# Set default charset
+[*.{js,py,go,scala,rb,java,html,css,less,sass,md}]
+charset = utf-8
+
+# Tab indentation (no size specified)
+[*.go]
+indent_style = tab
+
+[*.md]
+trim_trailing_whitespace = false
+
+# Matches the exact files either package.json or .travis.yml
+[{package.json,.travis.yml}]
+indent_style = space
+indent_size = 2
diff --git a/vendor/github.com/go-openapi/jsonreference/.golangci.yml b/vendor/github.com/go-openapi/jsonreference/.golangci.yml
index 22f8d21cca..fdae591bce 100644
--- a/vendor/github.com/go-openapi/jsonreference/.golangci.yml
+++ b/vendor/github.com/go-openapi/jsonreference/.golangci.yml
@@ -1,61 +1,66 @@
-linters-settings:
-  govet:
-    check-shadowing: true
-  golint:
-    min-confidence: 0
-  gocyclo:
-    min-complexity: 45
-  maligned:
-    suggest-new: true
-  dupl:
-    threshold: 200
-  goconst:
-    min-len: 2
-    min-occurrences: 3
-
+version: "2"
 linters:
-  enable-all: true
+  default: all
   disable:
-    - maligned
-    - unparam
-    - lll
-    - gochecknoinits
-    - gochecknoglobals
+    - depguard
     - funlen
     - godox
-    - gocognit
-    - whitespace
-    - wsl
-    - wrapcheck
-    - testpackage
+    - exhaustruct
     - nlreturn
-    - gomnd
-    - exhaustivestruct
-    - goerr113
-    - errorlint
-    - nestif
-    - godot
-    - gofumpt
+    - nonamedreturns
+    - noinlineerr
     - paralleltest
+    - recvcheck
+    - testpackage
     - tparallel
-    - thelper
-    - ifshort
-    - exhaustruct
     - varnamelen
-    - gci
-    - depguard
-    - errchkjson
-    - inamedparam
-    - nonamedreturns
-    - musttag
-    - ireturn
-    - forcetypeassert
-    - cyclop
-    # deprecated linters
-    - deadcode
-    - interfacer
-    - scopelint
-    - varcheck
-    - structcheck
-    - golint
-    - nosnakecase
+    - whitespace
+    - wrapcheck
+    - wsl
+    - wsl_v5
+  settings:
+    dupl:
+      threshold: 200
+    goconst:
+      min-len: 2
+      min-occurrences: 3
+    cyclop:
+      max-complexity: 20
+    gocyclo:
+      min-complexity: 20
+    exhaustive:
+      default-signifies-exhaustive: true
+      default-case-required: true
+    lll:
+      line-length: 180
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+    - gofumpt
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  # Maximum issues count per one linter.
+  # Set to 0 to disable.
+  # Default: 50
+  max-issues-per-linter: 0
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
+  max-same-issues: 0
diff --git a/vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md b/vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md
new file mode 100644
index 0000000000..9907d5d212
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md
@@ -0,0 +1,21 @@
+# Contributors
+
+- Repository: ['go-openapi/jsonreference']
+
+| Total Contributors | Total Contributions |
+| --- | --- |
+| 9  | 68  |
+
+| Username | All Time Contribution Count | All Commits |
+| --- | --- | --- |
+| @fredbi | 31 | https://github.com/go-openapi/jsonreference/commits?author=fredbi |
+| @casualjim | 25 | https://github.com/go-openapi/jsonreference/commits?author=casualjim |
+| @youyuanwu | 5 | https://github.com/go-openapi/jsonreference/commits?author=youyuanwu |
+| @olivierlemasle | 2 | https://github.com/go-openapi/jsonreference/commits?author=olivierlemasle |
+| @apelisse | 1 | https://github.com/go-openapi/jsonreference/commits?author=apelisse |
+| @gbjk | 1 | https://github.com/go-openapi/jsonreference/commits?author=gbjk |
+| @honza | 1 | https://github.com/go-openapi/jsonreference/commits?author=honza |
+| @Neo2308 | 1 | https://github.com/go-openapi/jsonreference/commits?author=Neo2308 |
+| @erraggy | 1 | https://github.com/go-openapi/jsonreference/commits?author=erraggy |
+
+ _this file was generated by the [Contributors GitHub Action](https://github.com/github/contributors)_
diff --git a/vendor/github.com/go-openapi/jsonreference/NOTICE b/vendor/github.com/go-openapi/jsonreference/NOTICE
new file mode 100644
index 0000000000..f3b51939a9
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonreference/NOTICE
@@ -0,0 +1,39 @@
+Copyright 2015-2025 go-swagger maintainers
+
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+This software library, github.com/go-openapi/jsonpointer, includes software developed
+by the go-swagger and go-openapi maintainers ("go-swagger maintainers").
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this software except in compliance with the License.
+
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0.
+
+This software is copied from, derived from, and inspired by other original software products.
+It ships with copies of other software which license terms are recalled below.
+
+The original software was authored on 25-02-2013 by sigu-399 (https://github.com/sigu-399, sigu.399@gmail.com).
+
+github.com/sigh-399/jsonpointer
+===========================
+
+// SPDX-FileCopyrightText: Copyright 2013 sigu-399 ( https://github.com/sigu-399 )
+// SPDX-License-Identifier: Apache-2.0
+
+Copyright 2013 sigu-399 ( https://github.com/sigu-399 )
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/vendor/github.com/go-openapi/jsonreference/README.md b/vendor/github.com/go-openapi/jsonreference/README.md
index c7fc2049c1..d479dbdc73 100644
--- a/vendor/github.com/go-openapi/jsonreference/README.md
+++ b/vendor/github.com/go-openapi/jsonreference/README.md
@@ -1,19 +1,99 @@
-# gojsonreference [![Build Status](https://github.com/go-openapi/jsonreference/actions/workflows/go-test.yml/badge.svg)](https://github.com/go-openapi/jsonreference/actions?query=workflow%3A"go+test") [![codecov](https://codecov.io/gh/go-openapi/jsonreference/branch/master/graph/badge.svg)](https://codecov.io/gh/go-openapi/jsonreference)
+# jsonreference
 
-[![Slack Status](https://slackin.goswagger.io/badge.svg)](https://slackin.goswagger.io)
-[![license](http://img.shields.io/badge/license-Apache%20v2-orange.svg)](https://raw.githubusercontent.com/go-openapi/jsonreference/master/LICENSE)
-[![Go Reference](https://pkg.go.dev/badge/github.com/go-openapi/jsonreference.svg)](https://pkg.go.dev/github.com/go-openapi/jsonreference)
-[![Go Report Card](https://goreportcard.com/badge/github.com/go-openapi/jsonreference)](https://goreportcard.com/report/github.com/go-openapi/jsonreference)
+<!-- Badges: status  -->
+[![Tests][test-badge]][test-url] [![Coverage][cov-badge]][cov-url] [![CI vuln scan][vuln-scan-badge]][vuln-scan-url] [![CodeQL][codeql-badge]][codeql-url]
+<!-- Badges: release & docker images  -->
+<!-- Badges: code quality  -->
+<!-- Badges: license & compliance -->
+[![Release][release-badge]][release-url] [![Go Report Card][gocard-badge]][gocard-url] [![CodeFactor Grade][codefactor-badge]][codefactor-url] [![License][license-badge]][license-url]
+<!-- Badges: documentation & support -->
+<!-- Badges: others & stats -->
+[![GoDoc][godoc-badge]][godoc-url] [![Slack Channel][slack-logo]![slack-badge]][slack-url] [![go version][goversion-badge]][goversion-url] ![Top language][top-badge] ![Commits since latest release][commits-badge]
 
-An implementation of JSON Reference - Go language
+---
+
+An implementation of JSON Reference for golang.
 
 ## Status
-Feature complete. Stable API
+
+API is stable.
+
+## Import this library in your project
+
+```cmd
+go get github.com/go-openapi/jsonreference
+```
 
 ## Dependencies
+
 * https://github.com/go-openapi/jsonpointer
 
+## Basic usage
+
+## Change log
+
+See <https://github.com/go-openapi/jsonreference/releases>
+
 ## References
 
 * http://tools.ietf.org/html/draft-ietf-appsawg-json-pointer-07
 * http://tools.ietf.org/html/draft-pbryan-zyp-json-ref-03
+
+## Licensing
+
+This library ships under the [SPDX-License-Identifier: Apache-2.0](./LICENSE).
+
+See the license [NOTICE](./NOTICE), which recalls the licensing terms of all the pieces of software
+on top of which it has been built.
+
+## Other documentation
+
+* [All-time contributors](./CONTRIBUTORS.md)
+* [Contributing guidelines](.github/CONTRIBUTING.md)
+* [Maintainers documentation](docs/MAINTAINERS.md)
+* [Code style](docs/STYLE.md)
+
+## Cutting a new release
+
+Maintainers can cut a new release by either:
+
+* running [this workflow](https://github.com/go-openapi/jsonreference/actions/workflows/bump-release.yml)
+* or pushing a semver tag
+  * signed tags are preferred
+  * The tag message is prepended to release notes
+
+<!-- Badges: status  -->
+[test-badge]: https://github.com/go-openapi/jsonreference/actions/workflows/go-test.yml/badge.svg
+[test-url]: https://github.com/go-openapi/jsonreference/actions/workflows/go-test.yml
+[cov-badge]: https://codecov.io/gh/go-openapi/jsonreference/branch/master/graph/badge.svg
+[cov-url]: https://codecov.io/gh/go-openapi/jsonreference
+[vuln-scan-badge]: https://github.com/go-openapi/jsonreference/actions/workflows/scanner.yml/badge.svg
+[vuln-scan-url]: https://github.com/go-openapi/jsonreference/actions/workflows/scanner.yml
+[codeql-badge]: https://github.com/go-openapi/jsonreference/actions/workflows/codeql.yml/badge.svg
+[codeql-url]: https://github.com/go-openapi/jsonreference/actions/workflows/codeql.yml
+<!-- Badges: release & docker images  -->
+[release-badge]: https://badge.fury.io/gh/go-openapi%2Fjsonreference.svg
+[release-url]: https://badge.fury.io/gh/go-openapi%2Fjsonreference
+[gomod-badge]: https://badge.fury.io/go/github.com%2Fgo-openapi%2Fjsonreference.svg
+[gomod-url]: https://badge.fury.io/go/github.com%2Fgo-openapi%2Fjsonreference
+<!-- Badges: code quality  -->
+[gocard-badge]: https://goreportcard.com/badge/github.com/go-openapi/jsonreference
+[gocard-url]: https://goreportcard.com/report/github.com/go-openapi/jsonreference
+[codefactor-badge]: https://img.shields.io/codefactor/grade/github/go-openapi/jsonreference
+[codefactor-url]: https://www.codefactor.io/repository/github/go-openapi/jsonreference
+<!-- Badges: documentation & support -->
+[doc-badge]: https://img.shields.io/badge/doc-site-blue?link=https%3A%2F%2Fgoswagger.io%2Fgo-openapi%2F
+[doc-url]: https://goswagger.io/go-openapi
+[godoc-badge]: https://pkg.go.dev/badge/github.com/go-openapi/jsonreference
+[godoc-url]: http://pkg.go.dev/github.com/go-openapi/jsonreference
+[slack-logo]: https://a.slack-edge.com/e6a93c1/img/icons/favicon-32.png
+[slack-badge]: https://img.shields.io/badge/slack-blue?link=https%3A%2F%2Fgoswagger.slack.com%2Farchives%2FC04R30YM
+[slack-url]: https://goswagger.slack.com/archives/C04R30YMU
+<!-- Badges: license & compliance -->
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: https://github.com/go-openapi/jsonreference/?tab=Apache-2.0-1-ov-file#readme
+<!-- Badges: others & stats -->
+[goversion-badge]: https://img.shields.io/github/go-mod/go-version/go-openapi/jsonreference
+[goversion-url]: https://github.com/go-openapi/jsonreference/blob/master/go.mod
+[top-badge]: https://img.shields.io/github/languages/top/go-openapi/jsonreference
+[commits-badge]: https://img.shields.io/github/commits-since/go-openapi/jsonreference/latest
diff --git a/vendor/github.com/go-openapi/jsonreference/SECURITY.md b/vendor/github.com/go-openapi/jsonreference/SECURITY.md
new file mode 100644
index 0000000000..2a7b6f0910
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonreference/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+This policy outlines the commitment and practices of the go-openapi maintainers regarding security.
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.22.x  | :white_check_mark: |
+
+## Reporting a vulnerability
+
+If you become aware of a security vulnerability that affects the current repository,
+please report it privately to the maintainers.
+
+Please follow the instructions provided by github to
+[Privately report a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+TL;DR: on Github, navigate to the project's "Security" tab then click on "Report a vulnerability".
diff --git a/vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go b/vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go
index f0610cf1e5..a08b47320e 100644
--- a/vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go
+++ b/vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go
@@ -1,3 +1,6 @@
+// SPDX-FileCopyrightText: Copyright (c) 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
 package internal
 
 import (
@@ -11,9 +14,11 @@ const (
 	defaultHTTPSPort = ":443"
 )
 
-// Regular expressions used by the normalizations
-var rxPort = regexp.MustCompile(`(:\d+)/?$`)
-var rxDupSlashes = regexp.MustCompile(`/{2,}`)
+// Regular expressions used by the normalizations.
+var (
+	rxPort       = regexp.MustCompile(`(:\d+)/?$`)
+	rxDupSlashes = regexp.MustCompile(`/{2,}`)
+)
 
 // NormalizeURL will normalize the specified URL
 // This was added to replace a previous call to the no longer maintained purell library:
diff --git a/vendor/github.com/go-openapi/jsonreference/reference.go b/vendor/github.com/go-openapi/jsonreference/reference.go
index cfdef03e5d..6e3ae49951 100644
--- a/vendor/github.com/go-openapi/jsonreference/reference.go
+++ b/vendor/github.com/go-openapi/jsonreference/reference.go
@@ -1,27 +1,5 @@
-// Copyright 2013 sigu-399 ( https://github.com/sigu-399 )
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// author       sigu-399
-// author-github  https://github.com/sigu-399
-// author-mail    sigu.399@gmail.com
-//
-// repository-name  jsonreference
-// repository-desc  An implementation of JSON Reference - Go language
-//
-// description    Main and unique file.
-//
-// created        26-02-2013
+// SPDX-FileCopyrightText: Copyright (c) 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
 package jsonreference
 
@@ -38,50 +16,50 @@ const (
 	fragmentRune = `#`
 )
 
-// New creates a new reference for the given string
-func New(jsonReferenceString string) (Ref, error) {
+var ErrChildURL = errors.New("child url is nil")
+
+// Ref represents a json reference object.
+type Ref struct {
+	referenceURL     *url.URL
+	referencePointer jsonpointer.Pointer
+
+	HasFullURL      bool
+	HasURLPathOnly  bool
+	HasFragmentOnly bool
+	HasFileScheme   bool
+	HasFullFilePath bool
+}
 
+// New creates a new reference for the given string.
+func New(jsonReferenceString string) (Ref, error) {
 	var r Ref
 	err := r.parse(jsonReferenceString)
 	return r, err
-
 }
 
 // MustCreateRef parses the ref string and panics when it's invalid.
-// Use the New method for a version that returns an error
+// Use the New method for a version that returns an error.
 func MustCreateRef(ref string) Ref {
 	r, err := New(ref)
 	if err != nil {
 		panic(err)
 	}
-	return r
-}
 
-// Ref represents a json reference object
-type Ref struct {
-	referenceURL     *url.URL
-	referencePointer jsonpointer.Pointer
-
-	HasFullURL      bool
-	HasURLPathOnly  bool
-	HasFragmentOnly bool
-	HasFileScheme   bool
-	HasFullFilePath bool
+	return r
 }
 
-// GetURL gets the URL for this reference
+// GetURL gets the URL for this reference.
 func (r *Ref) GetURL() *url.URL {
 	return r.referenceURL
 }
 
-// GetPointer gets the json pointer for this reference
+// GetPointer gets the json pointer for this reference.
 func (r *Ref) GetPointer() *jsonpointer.Pointer {
 	return &r.referencePointer
 }
 
-// String returns the best version of the url for this reference
+// String returns the best version of the url for this reference.
 func (r *Ref) String() string {
-
 	if r.referenceURL != nil {
 		return r.referenceURL.String()
 	}
@@ -93,7 +71,7 @@ func (r *Ref) String() string {
 	return r.referencePointer.String()
 }
 
-// IsRoot returns true if this reference is a root document
+// IsRoot returns true if this reference is a root document.
 func (r *Ref) IsRoot() bool {
 	return r.referenceURL != nil &&
 		!r.IsCanonical() &&
@@ -101,14 +79,32 @@ func (r *Ref) IsRoot() bool {
 		r.referenceURL.Fragment == ""
 }
 
-// IsCanonical returns true when this pointer starts with http(s):// or file://
+// IsCanonical returns true when this pointer starts with http(s):// or file://.
 func (r *Ref) IsCanonical() bool {
 	return (r.HasFileScheme && r.HasFullFilePath) || (!r.HasFileScheme && r.HasFullURL)
 }
 
-// "Constructor", parses the given string JSON reference
-func (r *Ref) parse(jsonReferenceString string) error {
+// Inherits creates a new reference from a parent and a child
+// If the child cannot inherit from the parent, an error is returned.
+func (r *Ref) Inherits(child Ref) (*Ref, error) {
+	childURL := child.GetURL()
+	parentURL := r.GetURL()
+	if childURL == nil {
+		return nil, ErrChildURL
+	}
+	if parentURL == nil {
+		return &child, nil
+	}
+
+	ref, err := New(parentURL.ResolveReference(childURL).String())
+	if err != nil {
+		return nil, err
+	}
+	return &ref, nil
+}
 
+// "Constructor", parses the given string JSON reference.
+func (r *Ref) parse(jsonReferenceString string) error {
 	parsed, err := url.Parse(jsonReferenceString)
 	if err != nil {
 		return err
@@ -137,22 +133,3 @@ func (r *Ref) parse(jsonReferenceString string) error {
 
 	return nil
 }
-
-// Inherits creates a new reference from a parent and a child
-// If the child cannot inherit from the parent, an error is returned
-func (r *Ref) Inherits(child Ref) (*Ref, error) {
-	childURL := child.GetURL()
-	parentURL := r.GetURL()
-	if childURL == nil {
-		return nil, errors.New("child url is nil")
-	}
-	if parentURL == nil {
-		return &child, nil
-	}
-
-	ref, err := New(parentURL.ResolveReference(childURL).String())
-	if err != nil {
-		return nil, err
-	}
-	return &ref, nil
-}
diff --git a/vendor/github.com/go-openapi/swag/.codecov.yml b/vendor/github.com/go-openapi/swag/.codecov.yml
new file mode 100644
index 0000000000..3354f44b28
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/.codecov.yml
@@ -0,0 +1,4 @@
+ignore:
+  - jsonutils/fixtures_test
+  - jsonutils/adapters/ifaces/mocks
+  - jsonutils/adapters/testintegration/benchmarks
diff --git a/vendor/github.com/go-openapi/swag/.golangci.yml b/vendor/github.com/go-openapi/swag/.golangci.yml
index d2fafb8a2b..126264a6b8 100644
--- a/vendor/github.com/go-openapi/swag/.golangci.yml
+++ b/vendor/github.com/go-openapi/swag/.golangci.yml
@@ -1,56 +1,78 @@
-linters-settings:
-  gocyclo:
-    min-complexity: 45
-  dupl:
-    threshold: 200
-  goconst:
-    min-len: 2
-    min-occurrences: 3
-
+version: "2"
 linters:
-  enable-all: true
+  default: all
   disable:
-    - recvcheck
-    - unparam
-    - lll
-    - gochecknoinits
-    - gochecknoglobals
+    - cyclop
+    - depguard
+    - errchkjson
+    - errorlint
+    - exhaustruct
+    - forcetypeassert
     - funlen
-    - godox
+    - gochecknoglobals
+    - gochecknoinits
     - gocognit
-    - whitespace
-    - wsl
-    - wrapcheck
-    - testpackage
-    - nlreturn
-    - errorlint
-    - nestif
     - godot
-    - gofumpt
+    - godox
+    - gomoddirectives
+    - gosmopolitan
+    - inamedparam
+    - intrange
+    - ireturn
+    - lll
+    - musttag
+    - modernize
+    - nestif
+    - nlreturn
+    - nonamedreturns
+    - noinlineerr
     - paralleltest
-    - tparallel
+    - recvcheck
+    - testpackage
     - thelper
-    - exhaustruct
+    - tagliatelle
+    - tparallel
+    - unparam
     - varnamelen
-    - gci
-    - depguard
-    - errchkjson
-    - inamedparam
-    - nonamedreturns
-    - musttag
-    - ireturn
-    - forcetypeassert
-    - cyclop
-    # deprecated linters
-    #- deadcode
-    #- interfacer
-    #- scopelint
-    #- varcheck
-    #- structcheck
-    #- golint
-    #- nosnakecase
-    #- maligned
-    #- goerr113
-    #- ifshort
-    #- gomnd
-    #- exhaustivestruct
+    - whitespace
+    - wrapcheck
+    - wsl
+    - wsl_v5
+  settings:
+    dupl:
+      threshold: 200
+    goconst:
+      min-len: 2
+      min-occurrences: 3
+    gocyclo:
+      min-complexity: 45
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  # Maximum issues count per one linter.
+  # Set to 0 to disable.
+  # Default: 50
+  max-issues-per-linter: 0
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
+  max-same-issues: 0
diff --git a/vendor/github.com/go-openapi/swag/.mockery.yml b/vendor/github.com/go-openapi/swag/.mockery.yml
new file mode 100644
index 0000000000..8557cb58d3
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/.mockery.yml
@@ -0,0 +1,30 @@
+all: false
+dir: '{{.InterfaceDir}}'
+filename: mocks_test.go
+force-file-write: true
+formatter: goimports
+include-auto-generated: false
+log-level: info
+structname: '{{.Mock}}{{.InterfaceName}}'
+pkgname: '{{.SrcPackageName}}'
+recursive: false
+require-template-schema-exists: true
+template: matryer
+template-schema: '{{.Template}}.schema.json'
+packages:
+  github.com/go-openapi/swag/jsonutils/adapters/ifaces:
+    config:
+      dir: jsonutils/adapters/ifaces/mocks
+      filename: mocks.go
+      pkgname: 'mocks'
+      force-file-write: true
+      all: true
+  github.com/go-openapi/swag/jsonutils/adapters/testintegration:
+    config:
+      inpackage: true
+      dir: jsonutils/adapters/testintegration
+      force-file-write: true
+      all: true
+    interfaces:
+      EJMarshaler:
+      EJUnmarshaler:
diff --git a/vendor/github.com/go-openapi/swag/README.md b/vendor/github.com/go-openapi/swag/README.md
index a729222998..371fd55fdc 100644
--- a/vendor/github.com/go-openapi/swag/README.md
+++ b/vendor/github.com/go-openapi/swag/README.md
@@ -1,23 +1,239 @@
 # Swag [![Build Status](https://github.com/go-openapi/swag/actions/workflows/go-test.yml/badge.svg)](https://github.com/go-openapi/swag/actions?query=workflow%3A"go+test") [![codecov](https://codecov.io/gh/go-openapi/swag/branch/master/graph/badge.svg)](https://codecov.io/gh/go-openapi/swag)
 
 [![Slack Status](https://slackin.goswagger.io/badge.svg)](https://slackin.goswagger.io)
-[![license](http://img.shields.io/badge/license-Apache%20v2-orange.svg)](https://raw.githubusercontent.com/go-openapi/swag/master/LICENSE)
+[![license](https://img.shields.io/badge/license-Apache%20v2-orange.svg)](https://raw.githubusercontent.com/go-openapi/swag/master/LICENSE)
 [![Go Reference](https://pkg.go.dev/badge/github.com/go-openapi/swag.svg)](https://pkg.go.dev/github.com/go-openapi/swag)
 [![Go Report Card](https://goreportcard.com/badge/github.com/go-openapi/swag)](https://goreportcard.com/report/github.com/go-openapi/swag)
 
-Contains a bunch of helper functions for go-openapi and go-swagger projects.
+Package `swag` contains a bunch of helper functions for go-openapi and go-swagger projects.
 
 You may also use it standalone for your projects.
 
-* convert between value and pointers for builtin types
-* convert from string to builtin types (wraps strconv)
-* fast json concatenation
-* search in path
-* load from file or http
-* name mangling
+> **NOTE**
+> `swag` is one of the foundational building blocks of the go-openapi initiative.
+> Most repositories in `github.com/go-openapi/...` depend on it in some way.
+> And so does our CLI tool `github.com/go-swagger/go-swagger`,
+> as well as the code generated by this tool.
 
+* [Contents](#contents)
+* [Dependencies](#dependencies)
+* [Release Notes](#release-notes)
+* [Licensing](#licensing)
+* [Note to contributors](#note-to-contributors)
+* [TODOs, suggestions and plans](#todos-suggestions-and-plans)
 
-This repo has only few dependencies outside of the standard library:
+## Contents
 
-* YAML utilities depend on `gopkg.in/yaml.v3`
-* `github.com/mailru/easyjson v0.7.7`
+`go-openapi/swag` exposes a collection of relatively independent modules.
+
+Moving forward, no additional feature will be added to the `swag` API directly at the root package level,
+which remains there for backward-compatibility purposes. All exported top-level features are now deprecated.
+
+Child modules will continue to evolve and some new ones may be added in the future.
+
+| Module        | Content | Main features |
+|---------------|---------|---------------|
+| `cmdutils`     | utilities to work with CLIs ||
+| `conv`        | type conversion utilities | convert between values and pointers for any types<br />convert from string to builtin types (wraps `strconv`)<br />require `./typeutils` (test dependency)<br /> |
+| `fileutils`   | file utilities | |
+| `jsonname`    | JSON utilities | infer JSON names from `go` properties<br /> | 
+| `jsonutils`   | JSON utilities | fast json concatenation<br />read and write JSON from and to dynamic `go` data structures<br />~require `github.com/mailru/easyjson`~<br /> |
+| `loading`     | file loading | load from file or http<br />require `./yamlutils`<br /> |
+| `mangling`    | safe name generation | name mangling for `go`<br /> |
+| `netutils`    | networking utilities | host, port from address<br /> |
+| `stringutils` | `string` utilities | search in slice (with case-insensitive)<br />split/join query parameters as arrays<br /> |
+| `typeutils`   | `go` types utilities | check the zero value for any type<br />safe check for a nil value<br /> |
+| `yamlutils`   | YAML utilities | converting YAML to JSON<br />loading YAML into a dynamic YAML document<br />maintaining the original order of keys in YAML objects<br />require `./jsonutils`<br />~require `github.com/mailru/easyjson`~<br />require `go.yaml.in/yaml/v3`<br /> |
+
+---
+
+## Dependencies
+
+The root module `github.com/go-openapi/swag` at the repo level maintains a few 
+dependencies outside of the standard library.
+
+* YAML utilities depend on `go.yaml.in/yaml/v3`
+* JSON utilities depend on their registered adapter module:
+   * by default, only the standard library is used
+   * `github.com/mailru/easyjson` is now only a dependency for module
+     `github.com/go-openapi/swag/jsonutils/adapters/easyjson/json`,
+     for users willing to import that module.
+   * integration tests and benchmarks use all the dependencies are published as their own module
+* other dependencies are test dependencies drawn from `github.com/stretchr/testify`
+
+## Release notes
+
+### v0.25.4
+
+** mangling**
+
+Bug fix
+
+* [x] mangler may panic with pluralized overlapping initialisms
+
+Tests
+
+* [x] introduced fuzz tests
+
+### v0.25.3
+
+** mangling**
+
+Bug fix
+
+* [x] mangler may panic with pluralized initialisms
+
+### v0.25.2
+
+Minor changes due to internal maintenance that don't affect the behavior of the library.
+
+* [x] removed indirect test dependencies by switching all tests to `go-openapi/testify`,
+  a fork of `stretch/testify` with zero-dependencies.
+* [x] improvements to CI to catch test reports.
+* [x] modernized licensing annotations in source code, using the more compact SPDX annotations
+  rather than the full license terms.
+* [x] simplified a bit JSON & YAML testing by using newly available assertions
+* started the journey to an OpenSSF score card badge:
+  * [x] explicited permissions in CI workflows
+  * [x] published security policy
+  * pinned dependencies to github actions
+  * introduced fuzzing in tests
+
+### v0.25.1
+
+* fixes a data race that could occur when using the standard library implementation of a JSON ordered map
+
+### v0.25.0
+
+**New with this release**:
+
+* requires `go1.24`, as iterators are being introduced
+* removes the dependency to `mailru/easyjson` by default (#68)
+  * functionality remains the same, but performance may somewhat degrade for applications
+    that relied on `easyjson`
+  * users of the JSON or YAML utilities who want to use `easyjson` as their preferred JSON serializer library
+    will be able to do so by registering this the corresponding JSON adapter at runtime. See below.
+  * ordered keys in JSON and YAML objects: this feature used to rely solely on `easyjson`.
+    With this release, an implementation relying on the standard `encoding/json` is provided.
+  * an independent [benchmark](./jsonutils/adapters/testintegration/benchmarks/README.md) to compare the different adapters
+* improves the "float is integer" check (`conv.IsFloat64AJSONInteger`) (#59)
+* removes the _direct_ dependency to `gopkg.in/yaml.v3` (indirect dependency is still incurred through `stretchr/testify`) (#127)
+* exposed `conv.IsNil()` (previously kept private): a safe nil check (accounting for the "non-nil interface with nil value" nonsensical go trick)
+
+**What coming next?**
+
+Moving forward, we want to :
+* provide an implementation of the JSON adapter based on `encoding/json/v2`, for `go1.25` builds.
+* provide similar implementations for `goccy/go-json` and `jsoniterator/go`, and perhaps some other
+  similar libraries may be interesting too.
+
+
+**How to explicitly register a dependency at runtime**?
+
+The following would maintain how JSON utilities proposed by `swag` used work, up to `v0.24.1`.
+
+  ```go
+  import (
+    "github.com/go-openapi/swag/jsonutils/adapters"
+    easyjson "github.com/go-openapi/swag/jsonutils/adapters/easyjson/json"
+  )
+
+  func init() {
+	  easyjson.Register(adapters.Registry)
+  }
+  ```
+
+Subsequent calls to `jsonutils.ReadJSON()` or `jsonutils.WriteJSON()` will switch to `easyjson`
+whenever the passed data structures implement the `easyjson.Unmarshaler` or `easyjson.Marshaler` respectively,
+or fallback to the standard library.
+
+For more details, you may also look at our
+[integration tests](jsonutils/adapters/testintegration/integration_suite_test.go#29).
+
+### v0.24.0
+
+With this release, we have largely modernized the API of `swag`:
+
+* The traditional `swag` API is still supported: code that imports `swag` will still
+  compile and work the same.
+* A deprecation notice is published to encourage consumers of this library to adopt
+  the newer API
+* **Deprecation notice** 
+  * configuration through global variables is now deprecated, in favor of options passed as parameters
+  * all helper functions are moved to more specialized packages, which are exposed as 
+    go modules. Importing such a module would reduce the footprint of dependencies.
+  * _all_ functions, variables, constants exposed by the deprecated API have now moved, so
+    that consumers of the new API no longer need to import github.com/go-openapi/swag, but
+    should import the desired sub-module(s).
+
+**New with this release**:
+
+* [x] type converters and pointer to value helpers now support generic types
+* [x] name mangling now support pluralized initialisms (issue #46)
+      Strings like "contact IDs" are now recognized as such a plural form and mangled as a linter would expect.
+* [x] performance: small improvements to reduce the overhead of convert/format wrappers (see issues #110, or PR #108)
+* [x] performance: name mangling utilities run ~ 10% faster (PR #115)
+
+---
+
+## Licensing
+
+This library ships under the [SPDX-License-Identifier: Apache-2.0](./LICENSE).
+
+## Note to contributors
+
+A mono-repo structure comes with some unavoidable extra pains...
+
+* Testing
+
+> The usual `go test ./...` command, run from the root of this repo won't work any longer to test all submodules.
+>
+> Each module constitutes an independant unit of test. So you have to run `go test` inside each module.
+> Or you may take a look at how this is achieved by CI
+> [here] https://github.com/go-openapi/swag/blob/master/.github/workflows/go-test.yml).
+>
+> There are also some alternative tricks using `go work`, for local development, if you feel comfortable with
+> go workspaces. Perhaps some day, we'll have a `go work test` to run all tests without any hack.
+
+* Releasing
+
+> Each module follows its own independant module versioning.
+>
+> So you have tags like `mangling/v0.24.0`, `fileutils/v0.24.0` etc that are used by `go mod` and `go get`
+> to refer to the tagged version of each module specifically.
+>
+> This means we may release patches etc to each module independently.
+>
+> We'd like to adopt the rule that modules in this repo would only differ by a patch version
+> (e.g. `v0.24.5` vs `v0.24.3`), and we'll level all modules whenever a minor version is introduced.
+>
+> A script in `./hack` is provided to tag all modules with the same version in one go.
+
+* Continuous integration
+
+> At this moment, all tests in all modules are systematically run over the full test matrix (3 platform x 2 go releases).
+> This generates quite a lot of jobs.
+>
+> We ought to reduce the number of jobs required to test a PR focused on only a few modules.
+
+## Todos, suggestions and plans
+
+All kinds of contributions are welcome.
+
+A few ideas:
+
+* [x] Complete the split of dependencies to isolate easyjson from the rest
+* [x] Improve CI to reduce needed tests
+* [x] Replace dependency to `gopkg.in/yaml.v3` (`yamlutil`)
+* [ ] Improve mangling utilities (improve readability, support for capitalized words,
+      better word substitution for non-letter symbols...)
+* [ ] Move back to this common shared pot a few of the technical features introduced by go-swagger independently
+      (e.g. mangle go package names, search package with go modules support, ...)
+* [ ] Apply a similar mono-repo approach to go-openapi/strfmt which suffer from similar woes: bloated API,
+      imposed dependency to some database driver.
+* [ ] Adapt `go-swagger` (incl. generated code) to the new `swag` API.
+* [ ] Factorize some tests, as there is a lot of redundant testing code in `jsonutils`
+* [ ] Benchmark & profiling: publish independently the tool built to analyze and chart benchmarks (e.g. similar to `benchvisual`)
+* [ ] more thorough testing for nil / null case
+* [ ] ci pipeline to manage releases
+* [ ] cleaner mockery generation (doesn't work out of the box for all sub-modules)
diff --git a/vendor/github.com/go-openapi/swag/SECURITY.md b/vendor/github.com/go-openapi/swag/SECURITY.md
new file mode 100644
index 0000000000..72296a8313
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+This policy outlines the commitment and practices of the go-openapi maintainers regarding security.
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.25.x  | :white_check_mark: |
+
+## Reporting a vulnerability
+
+If you become aware of a security vulnerability that affects the current repository,
+please report it privately to the maintainers.
+
+Please follow the instructions provided by github to
+[Privately report a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+TL;DR: on Github, navigate to the project's "Security" tab then click on "Report a vulnerability".
diff --git a/vendor/github.com/go-openapi/swag/cmdutils/LICENSE b/vendor/github.com/go-openapi/swag/cmdutils/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/cmdutils/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go b/vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go
new file mode 100644
index 0000000000..6c7bbb26f0
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go
@@ -0,0 +1,13 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package cmdutils
+
+// CommandLineOptionsGroup represents a group of user-defined command line options.
+//
+// This is for instance used to configure command line arguments in API servers generated by go-swagger.
+type CommandLineOptionsGroup struct {
+	ShortDescription string
+	LongDescription  string
+	Options          any
+}
diff --git a/vendor/github.com/go-openapi/swag/cmdutils/doc.go b/vendor/github.com/go-openapi/swag/cmdutils/doc.go
new file mode 100644
index 0000000000..31f2c37538
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/cmdutils/doc.go
@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package cmdutils brings helpers for CLIs produced by go-openapi
+package cmdutils
diff --git a/vendor/github.com/go-openapi/swag/cmdutils_iface.go b/vendor/github.com/go-openapi/swag/cmdutils_iface.go
new file mode 100644
index 0000000000..bd0c1fc128
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/cmdutils_iface.go
@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import "github.com/go-openapi/swag/cmdutils"
+
+// CommandLineOptionsGroup represents a group of user-defined command line options.
+//
+// Deprecated: use [cmdutils.CommandLineOptionsGroup] instead.
+type CommandLineOptionsGroup = cmdutils.CommandLineOptionsGroup
diff --git a/vendor/github.com/go-openapi/swag/conv/LICENSE b/vendor/github.com/go-openapi/swag/conv/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/conv/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/conv/convert.go b/vendor/github.com/go-openapi/swag/conv/convert.go
new file mode 100644
index 0000000000..f205c39134
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/conv/convert.go
@@ -0,0 +1,161 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package conv
+
+import (
+	"math"
+	"strconv"
+	"strings"
+)
+
+// same as ECMA Number.MAX_SAFE_INTEGER and Number.MIN_SAFE_INTEGER
+const (
+	maxJSONFloat         = float64(1<<53 - 1)  // 9007199254740991.0 	 	 2^53 - 1
+	minJSONFloat         = -float64(1<<53 - 1) //-9007199254740991.0	-2^53 - 1
+	epsilon      float64 = 1e-9
+)
+
+// IsFloat64AJSONInteger allows for integers [-2^53, 2^53-1] inclusive.
+func IsFloat64AJSONInteger(f float64) bool {
+	if math.IsNaN(f) || math.IsInf(f, 0) || f < minJSONFloat || f > maxJSONFloat {
+		return false
+	}
+	rounded := math.Round(f)
+	if f == rounded {
+		return true
+	}
+	if rounded == 0 { // f = 0.0 exited above
+		return false
+	}
+
+	diff := math.Abs(f - rounded)
+	if diff == 0 {
+		return true
+	}
+
+	// relative error Abs{f - Round(f)) / Round(f)} < ε ; Round(f)
+	return diff < epsilon*math.Abs(rounded)
+}
+
+// ConvertFloat turns a string into a float numerical value.
+func ConvertFloat[T Float](str string) (T, error) {
+	var v T
+	f, err := strconv.ParseFloat(str, bitsize(v))
+	if err != nil {
+		return 0, err
+	}
+
+	return T(f), nil
+}
+
+// ConvertInteger turns a string into a signed integer.
+func ConvertInteger[T Signed](str string) (T, error) {
+	var v T
+	f, err := strconv.ParseInt(str, 10, bitsize(v))
+	if err != nil {
+		return 0, err
+	}
+
+	return T(f), nil
+}
+
+// ConvertUinteger turns a string into an unsigned integer.
+func ConvertUinteger[T Unsigned](str string) (T, error) {
+	var v T
+	f, err := strconv.ParseUint(str, 10, bitsize(v))
+	if err != nil {
+		return 0, err
+	}
+
+	return T(f), nil
+}
+
+// ConvertBool turns a string into a boolean.
+//
+// It supports a few more "true" strings than [strconv.ParseBool]:
+//
+//   - it is not case sensitive ("trUe" or "FalsE" work)
+//   - "ok", "yes", "y", "on", "selected", "checked", "enabled" are all true
+//   - everything that is not true is false: there is never an actual error returned
+func ConvertBool(str string) (bool, error) {
+	switch strings.ToLower(str) {
+	case "true",
+		"1",
+		"yes",
+		"ok",
+		"y",
+		"on",
+		"selected",
+		"checked",
+		"t",
+		"enabled":
+		return true, nil
+	default:
+		return false, nil
+	}
+}
+
+// ConvertFloat32 turns a string into a float32.
+func ConvertFloat32(str string) (float32, error) { return ConvertFloat[float32](str) }
+
+// ConvertFloat64 turns a string into a float64
+func ConvertFloat64(str string) (float64, error) { return ConvertFloat[float64](str) }
+
+// ConvertInt8 turns a string into an int8
+func ConvertInt8(str string) (int8, error) { return ConvertInteger[int8](str) }
+
+// ConvertInt16 turns a string into an int16
+func ConvertInt16(str string) (int16, error) {
+	i, err := strconv.ParseInt(str, 10, 16)
+	if err != nil {
+		return 0, err
+	}
+	return int16(i), nil
+}
+
+// ConvertInt32 turns a string into an int32
+func ConvertInt32(str string) (int32, error) {
+	i, err := strconv.ParseInt(str, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	return int32(i), nil
+}
+
+// ConvertInt64 turns a string into an int64
+func ConvertInt64(str string) (int64, error) {
+	return strconv.ParseInt(str, 10, 64)
+}
+
+// ConvertUint8 turns a string into an uint8
+func ConvertUint8(str string) (uint8, error) {
+	i, err := strconv.ParseUint(str, 10, 8)
+	if err != nil {
+		return 0, err
+	}
+	return uint8(i), nil
+}
+
+// ConvertUint16 turns a string into an uint16
+func ConvertUint16(str string) (uint16, error) {
+	i, err := strconv.ParseUint(str, 10, 16)
+	if err != nil {
+		return 0, err
+	}
+	return uint16(i), nil
+}
+
+// ConvertUint32 turns a string into an uint32
+func ConvertUint32(str string) (uint32, error) {
+	i, err := strconv.ParseUint(str, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	return uint32(i), nil
+}
+
+// ConvertUint64 turns a string into an uint64
+func ConvertUint64(str string) (uint64, error) {
+	return strconv.ParseUint(str, 10, 64)
+}
diff --git a/vendor/github.com/go-openapi/swag/conv/convert_types.go b/vendor/github.com/go-openapi/swag/conv/convert_types.go
new file mode 100644
index 0000000000..cf4c6495eb
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/conv/convert_types.go
@@ -0,0 +1,72 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package conv
+
+// Unlicensed credits (idea, concept)
+//
+// The idea to convert values to pointers and the other way around, was inspired, eons ago, by the aws go sdk.
+//
+// Nowadays, all sensible API sdk's expose a similar functionality.
+
+// Pointer returns a pointer to the value passed in.
+func Pointer[T any](v T) *T {
+	return &v
+}
+
+// Value returns a shallow copy of the value of the pointer passed in.
+//
+// If the pointer is nil, the returned value is the zero value.
+func Value[T any](v *T) T {
+	if v != nil {
+		return *v
+	}
+
+	var zero T
+	return zero
+}
+
+// PointerSlice converts a slice of values into a slice of pointers.
+func PointerSlice[T any](src []T) []*T {
+	dst := make([]*T, len(src))
+	for i := 0; i < len(src); i++ {
+		dst[i] = &(src[i])
+	}
+	return dst
+}
+
+// ValueSlice converts a slice of pointers into a slice of values.
+//
+// nil elements are zero values.
+func ValueSlice[T any](src []*T) []T {
+	dst := make([]T, len(src))
+	for i := 0; i < len(src); i++ {
+		if src[i] != nil {
+			dst[i] = *(src[i])
+		}
+	}
+	return dst
+}
+
+// PointerMap converts a map of values into a map of pointers.
+func PointerMap[K comparable, T any](src map[K]T) map[K]*T {
+	dst := make(map[K]*T)
+	for k, val := range src {
+		v := val
+		dst[k] = &v
+	}
+	return dst
+}
+
+// ValueMap converts a map of pointers into a map of values.
+//
+// nil elements are skipped.
+func ValueMap[K comparable, T any](src map[K]*T) map[K]T {
+	dst := make(map[K]T)
+	for k, val := range src {
+		if val != nil {
+			dst[k] = *val
+		}
+	}
+	return dst
+}
diff --git a/vendor/github.com/go-openapi/swag/conv/doc.go b/vendor/github.com/go-openapi/swag/conv/doc.go
new file mode 100644
index 0000000000..1bd6ead6e2
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/conv/doc.go
@@ -0,0 +1,15 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package conv exposes utilities to convert types.
+//
+// The Convert and Format families of functions are essentially a shorthand to [strconv] functions,
+// using the decimal representation of numbers.
+//
+// Features:
+//
+//   - from string representation to value ("Convert*") and reciprocally ("Format*")
+//   - from pointer to value ([Value]) and reciprocally ([Pointer])
+//   - from slice of values to slice of pointers ([PointerSlice]) and reciprocally ([ValueSlice])
+//   - from map of values to map of pointers ([PointerMap]) and reciprocally ([ValueMap])
+package conv
diff --git a/vendor/github.com/go-openapi/swag/conv/format.go b/vendor/github.com/go-openapi/swag/conv/format.go
new file mode 100644
index 0000000000..5b87b8e146
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/conv/format.go
@@ -0,0 +1,28 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package conv
+
+import (
+	"strconv"
+)
+
+// FormatInteger turns an integer type into a string.
+func FormatInteger[T Signed](value T) string {
+	return strconv.FormatInt(int64(value), 10)
+}
+
+// FormatUinteger turns an unsigned integer type into a string.
+func FormatUinteger[T Unsigned](value T) string {
+	return strconv.FormatUint(uint64(value), 10)
+}
+
+// FormatFloat turns a floating point numerical value into a string.
+func FormatFloat[T Float](value T) string {
+	return strconv.FormatFloat(float64(value), 'f', -1, bitsize(value))
+}
+
+// FormatBool turns a boolean into a string.
+func FormatBool(value bool) string {
+	return strconv.FormatBool(value)
+}
diff --git a/vendor/github.com/go-openapi/swag/conv/sizeof.go b/vendor/github.com/go-openapi/swag/conv/sizeof.go
new file mode 100644
index 0000000000..4943465573
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/conv/sizeof.go
@@ -0,0 +1,20 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package conv
+
+import "unsafe"
+
+// bitsize returns the size in bits of a type.
+//
+// NOTE: [unsafe.SizeOf] simply returns the size in bytes of the value.
+// For primitive types T, the generic stencil is precompiled and this value
+// is resolved at compile time, resulting in an immediate call to [strconv.ParseFloat].
+//
+// We may leave up to the go compiler to simplify this function into a
+// constant value, which happens in practice at least for primitive types
+// (e.g. numerical types).
+func bitsize[T Numerical](value T) int {
+	const bitsPerByte = 8
+	return int(unsafe.Sizeof(value)) * bitsPerByte
+}
diff --git a/vendor/github.com/go-openapi/swag/conv/type_constraints.go b/vendor/github.com/go-openapi/swag/conv/type_constraints.go
new file mode 100644
index 0000000000..81135e827e
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/conv/type_constraints.go
@@ -0,0 +1,29 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package conv
+
+type (
+	// these type constraints are redefined after golang.org/x/exp/constraints,
+	// because importing that package causes an undesired go upgrade.
+
+	// Signed integer types, cf. [golang.org/x/exp/constraints.Signed]
+	Signed interface {
+		~int | ~int8 | ~int16 | ~int32 | ~int64
+	}
+
+	// Unsigned integer types, cf. [golang.org/x/exp/constraints.Unsigned]
+	Unsigned interface {
+		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 | ~uintptr
+	}
+
+	// Float numerical types, cf. [golang.org/x/exp/constraints.Float]
+	Float interface {
+		~float32 | ~float64
+	}
+
+	// Numerical types
+	Numerical interface {
+		Signed | Unsigned | Float
+	}
+)
diff --git a/vendor/github.com/go-openapi/swag/conv_iface.go b/vendor/github.com/go-openapi/swag/conv_iface.go
new file mode 100644
index 0000000000..eea7b2e56e
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/conv_iface.go
@@ -0,0 +1,486 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import (
+	"time"
+
+	"github.com/go-openapi/swag/conv"
+)
+
+// IsFloat64AJSONInteger allows for integers [-2^53, 2^53-1] inclusive.
+//
+// Deprecated: use [conv.IsFloat64AJSONInteger] instead.
+func IsFloat64AJSONInteger(f float64) bool { return conv.IsFloat64AJSONInteger(f) }
+
+// ConvertBool turns a string into a boolean.
+//
+// Deprecated: use [conv.ConvertBool] instead.
+func ConvertBool(str string) (bool, error) { return conv.ConvertBool(str) }
+
+// ConvertFloat32 turns a string into a float32.
+//
+// Deprecated: use [conv.ConvertFloat32] instead. Alternatively, you may use the generic version [conv.ConvertFloat].
+func ConvertFloat32(str string) (float32, error) { return conv.ConvertFloat[float32](str) }
+
+// ConvertFloat64 turns a string into a float64.
+//
+// Deprecated: use [conv.ConvertFloat64] instead. Alternatively, you may use the generic version [conv.ConvertFloat].
+func ConvertFloat64(str string) (float64, error) { return conv.ConvertFloat[float64](str) }
+
+// ConvertInt8 turns a string into an int8.
+//
+// Deprecated: use [conv.ConvertInt8] instead. Alternatively, you may use the generic version [conv.ConvertInteger].
+func ConvertInt8(str string) (int8, error) { return conv.ConvertInteger[int8](str) }
+
+// ConvertInt16 turns a string into an int16.
+//
+// Deprecated: use [conv.ConvertInt16] instead. Alternatively, you may use the generic version [conv.ConvertInteger].
+func ConvertInt16(str string) (int16, error) { return conv.ConvertInteger[int16](str) }
+
+// ConvertInt32 turns a string into an int32.
+//
+// Deprecated: use [conv.ConvertInt32] instead. Alternatively, you may use the generic version [conv.ConvertInteger].
+func ConvertInt32(str string) (int32, error) { return conv.ConvertInteger[int32](str) }
+
+// ConvertInt64 turns a string into an int64.
+//
+// Deprecated: use [conv.ConvertInt64] instead. Alternatively, you may use the generic version [conv.ConvertInteger].
+func ConvertInt64(str string) (int64, error) { return conv.ConvertInteger[int64](str) }
+
+// ConvertUint8 turns a string into an uint8.
+//
+// Deprecated: use [conv.ConvertUint8] instead. Alternatively, you may use the generic version [conv.ConvertUinteger].
+func ConvertUint8(str string) (uint8, error) { return conv.ConvertUinteger[uint8](str) }
+
+// ConvertUint16 turns a string into an uint16.
+//
+// Deprecated: use [conv.ConvertUint16] instead. Alternatively, you may use the generic version [conv.ConvertUinteger].
+func ConvertUint16(str string) (uint16, error) { return conv.ConvertUinteger[uint16](str) }
+
+// ConvertUint32 turns a string into an uint32.
+//
+// Deprecated: use [conv.ConvertUint32] instead. Alternatively, you may use the generic version [conv.ConvertUinteger].
+func ConvertUint32(str string) (uint32, error) { return conv.ConvertUinteger[uint32](str) }
+
+// ConvertUint64 turns a string into an uint64.
+//
+// Deprecated: use [conv.ConvertUint64] instead. Alternatively, you may use the generic version [conv.ConvertUinteger].
+func ConvertUint64(str string) (uint64, error) { return conv.ConvertUinteger[uint64](str) }
+
+// FormatBool turns a boolean into a string.
+//
+// Deprecated: use [conv.FormatBool] instead.
+func FormatBool(value bool) string { return conv.FormatBool(value) }
+
+// FormatFloat32 turns a float32 into a string.
+//
+// Deprecated: use [conv.FormatFloat] instead.
+func FormatFloat32(value float32) string { return conv.FormatFloat(value) }
+
+// FormatFloat64 turns a float64 into a string.
+//
+// Deprecated: use [conv.FormatFloat] instead.
+func FormatFloat64(value float64) string { return conv.FormatFloat(value) }
+
+// FormatInt8 turns an int8 into a string.
+//
+// Deprecated: use [conv.FormatInteger] instead.
+func FormatInt8(value int8) string { return conv.FormatInteger(value) }
+
+// FormatInt16 turns an int16 into a string.
+//
+// Deprecated: use [conv.FormatInteger] instead.
+func FormatInt16(value int16) string { return conv.FormatInteger(value) }
+
+// FormatInt32 turns an int32 into a string
+//
+// Deprecated: use [conv.FormatInteger] instead.
+func FormatInt32(value int32) string { return conv.FormatInteger(value) }
+
+// FormatInt64 turns an int64 into a string.
+//
+// Deprecated: use [conv.FormatInteger] instead.
+func FormatInt64(value int64) string { return conv.FormatInteger(value) }
+
+// FormatUint8 turns an uint8 into a string.
+//
+// Deprecated: use [conv.FormatUinteger] instead.
+func FormatUint8(value uint8) string { return conv.FormatUinteger(value) }
+
+// FormatUint16 turns an uint16 into a string.
+//
+// Deprecated: use [conv.FormatUinteger] instead.
+func FormatUint16(value uint16) string { return conv.FormatUinteger(value) }
+
+// FormatUint32 turns an uint32 into a string.
+//
+// Deprecated: use [conv.FormatUinteger] instead.
+func FormatUint32(value uint32) string { return conv.FormatUinteger(value) }
+
+// FormatUint64 turns an uint64 into a string.
+//
+// Deprecated: use [conv.FormatUinteger] instead.
+func FormatUint64(value uint64) string { return conv.FormatUinteger(value) }
+
+// String turn a pointer to of the string value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func String(v string) *string { return conv.Pointer(v) }
+
+// StringValue turn the value of the string pointer passed in or
+// "" if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func StringValue(v *string) string { return conv.Value(v) }
+
+// StringSlice converts a slice of string values into a slice of string pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func StringSlice(src []string) []*string { return conv.PointerSlice(src) }
+
+// StringValueSlice converts a slice of string pointers into a slice of string values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func StringValueSlice(src []*string) []string { return conv.ValueSlice(src) }
+
+// StringMap converts a string map of string values into a string map of string pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func StringMap(src map[string]string) map[string]*string { return conv.PointerMap(src) }
+
+// StringValueMap converts a string map of string pointers into a string map of string values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func StringValueMap(src map[string]*string) map[string]string { return conv.ValueMap(src) }
+
+// Bool turn a pointer to of the bool value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Bool(v bool) *bool { return conv.Pointer(v) }
+
+// BoolValue turn the value of the bool pointer passed in or false if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func BoolValue(v *bool) bool { return conv.Value(v) }
+
+// BoolSlice converts a slice of bool values into a slice of bool pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func BoolSlice(src []bool) []*bool { return conv.PointerSlice(src) }
+
+// BoolValueSlice converts a slice of bool pointers into a slice of bool values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func BoolValueSlice(src []*bool) []bool { return conv.ValueSlice(src) }
+
+// BoolMap converts a string map of bool values into a string map of bool pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func BoolMap(src map[string]bool) map[string]*bool { return conv.PointerMap(src) }
+
+// BoolValueMap converts a string map of bool pointers into a string map of bool values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func BoolValueMap(src map[string]*bool) map[string]bool { return conv.ValueMap(src) }
+
+// Int turn a pointer to of the int value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Int(v int) *int { return conv.Pointer(v) }
+
+// IntValue turn the value of the int pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func IntValue(v *int) int { return conv.Value(v) }
+
+// IntSlice converts a slice of int values into a slice of int pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func IntSlice(src []int) []*int { return conv.PointerSlice(src) }
+
+// IntValueSlice converts a slice of int pointers into a slice of int values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func IntValueSlice(src []*int) []int { return conv.ValueSlice(src) }
+
+// IntMap converts a string map of int values into a string map of int pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func IntMap(src map[string]int) map[string]*int { return conv.PointerMap(src) }
+
+// IntValueMap converts a string map of int pointers into a string map of int values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func IntValueMap(src map[string]*int) map[string]int { return conv.ValueMap(src) }
+
+// Int32 turn a pointer to of the int32 value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Int32(v int32) *int32 { return conv.Pointer(v) }
+
+// Int32Value turn the value of the int32 pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func Int32Value(v *int32) int32 { return conv.Value(v) }
+
+// Int32Slice converts a slice of int32 values into a slice of int32 pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func Int32Slice(src []int32) []*int32 { return conv.PointerSlice(src) }
+
+// Int32ValueSlice converts a slice of int32 pointers into a slice of int32 values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func Int32ValueSlice(src []*int32) []int32 { return conv.ValueSlice(src) }
+
+// Int32Map converts a string map of int32 values into a string map of int32 pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func Int32Map(src map[string]int32) map[string]*int32 { return conv.PointerMap(src) }
+
+// Int32ValueMap converts a string map of int32 pointers into a string map of int32 values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func Int32ValueMap(src map[string]*int32) map[string]int32 { return conv.ValueMap(src) }
+
+// Int64 turn a pointer to of the int64 value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Int64(v int64) *int64 { return conv.Pointer(v) }
+
+// Int64Value turn the value of the int64 pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func Int64Value(v *int64) int64 { return conv.Value(v) }
+
+// Int64Slice converts a slice of int64 values into a slice of int64 pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func Int64Slice(src []int64) []*int64 { return conv.PointerSlice(src) }
+
+// Int64ValueSlice converts a slice of int64 pointers into a slice of int64 values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func Int64ValueSlice(src []*int64) []int64 { return conv.ValueSlice(src) }
+
+// Int64Map converts a string map of int64 values into a string map of int64 pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func Int64Map(src map[string]int64) map[string]*int64 { return conv.PointerMap(src) }
+
+// Int64ValueMap converts a string map of int64 pointers into a string map of int64 values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func Int64ValueMap(src map[string]*int64) map[string]int64 { return conv.ValueMap(src) }
+
+// Uint16 turn a pointer to of the uint16 value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Uint16(v uint16) *uint16 { return conv.Pointer(v) }
+
+// Uint16Value turn the value of the uint16 pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func Uint16Value(v *uint16) uint16 { return conv.Value(v) }
+
+// Uint16Slice converts a slice of uint16 values into a slice of uint16 pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func Uint16Slice(src []uint16) []*uint16 { return conv.PointerSlice(src) }
+
+// Uint16ValueSlice converts a slice of uint16 pointers into a slice of uint16 values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func Uint16ValueSlice(src []*uint16) []uint16 { return conv.ValueSlice(src) }
+
+// Uint16Map converts a string map of uint16 values into a string map of uint16 pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func Uint16Map(src map[string]uint16) map[string]*uint16 { return conv.PointerMap(src) }
+
+// Uint16ValueMap converts a string map of uint16 pointers into a string map of uint16 values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func Uint16ValueMap(src map[string]*uint16) map[string]uint16 { return conv.ValueMap(src) }
+
+// Uint turn a pointer to of the uint value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Uint(v uint) *uint { return conv.Pointer(v) }
+
+// UintValue turn the value of the uint pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func UintValue(v *uint) uint { return conv.Value(v) }
+
+// UintSlice converts a slice of uint values into a slice of uint pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func UintSlice(src []uint) []*uint { return conv.PointerSlice(src) }
+
+// UintValueSlice converts a slice of uint pointers into a slice of uint values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func UintValueSlice(src []*uint) []uint { return conv.ValueSlice(src) }
+
+// UintMap converts a string map of uint values into a string map of uint pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func UintMap(src map[string]uint) map[string]*uint { return conv.PointerMap(src) }
+
+// UintValueMap converts a string map of uint pointers into a string map of uint values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func UintValueMap(src map[string]*uint) map[string]uint { return conv.ValueMap(src) }
+
+// Uint32 turn a pointer to of the uint32 value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Uint32(v uint32) *uint32 { return conv.Pointer(v) }
+
+// Uint32Value turn the value of the uint32 pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func Uint32Value(v *uint32) uint32 { return conv.Value(v) }
+
+// Uint32Slice converts a slice of uint32 values into a slice of uint32 pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func Uint32Slice(src []uint32) []*uint32 { return conv.PointerSlice(src) }
+
+// Uint32ValueSlice converts a slice of uint32 pointers into a slice of uint32 values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func Uint32ValueSlice(src []*uint32) []uint32 { return conv.ValueSlice(src) }
+
+// Uint32Map converts a string map of uint32 values into a string map of uint32 pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func Uint32Map(src map[string]uint32) map[string]*uint32 { return conv.PointerMap(src) }
+
+// Uint32ValueMap converts a string map of uint32 pointers into a string map of uint32 values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func Uint32ValueMap(src map[string]*uint32) map[string]uint32 { return conv.ValueMap(src) }
+
+// Uint64 turn a pointer to of the uint64 value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Uint64(v uint64) *uint64 { return conv.Pointer(v) }
+
+// Uint64Value turn the value of the uint64 pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func Uint64Value(v *uint64) uint64 { return conv.Value(v) }
+
+// Uint64Slice converts a slice of uint64 values into a slice of uint64 pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func Uint64Slice(src []uint64) []*uint64 { return conv.PointerSlice(src) }
+
+// Uint64ValueSlice converts a slice of uint64 pointers into a slice of uint64 values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func Uint64ValueSlice(src []*uint64) []uint64 { return conv.ValueSlice(src) }
+
+// Uint64Map converts a string map of uint64 values into a string map of uint64 pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func Uint64Map(src map[string]uint64) map[string]*uint64 { return conv.PointerMap(src) }
+
+// Uint64ValueMap converts a string map of uint64 pointers into a string map of uint64 values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func Uint64ValueMap(src map[string]*uint64) map[string]uint64 { return conv.ValueMap(src) }
+
+// Float32 turn a pointer to of the float32 value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Float32(v float32) *float32 { return conv.Pointer(v) }
+
+// Float32Value turn the value of the float32 pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func Float32Value(v *float32) float32 { return conv.Value(v) }
+
+// Float32Slice converts a slice of float32 values into a slice of float32 pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func Float32Slice(src []float32) []*float32 { return conv.PointerSlice(src) }
+
+// Float32ValueSlice converts a slice of float32 pointers into a slice of float32 values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func Float32ValueSlice(src []*float32) []float32 { return conv.ValueSlice(src) }
+
+// Float32Map converts a string map of float32 values into a string map of float32 pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func Float32Map(src map[string]float32) map[string]*float32 { return conv.PointerMap(src) }
+
+// Float32ValueMap converts a string map of float32 pointers into a string map of float32 values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func Float32ValueMap(src map[string]*float32) map[string]float32 { return conv.ValueMap(src) }
+
+// Float64 turn a pointer to of the float64 value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Float64(v float64) *float64 { return conv.Pointer(v) }
+
+// Float64Value turn the value of the float64 pointer passed in or 0 if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func Float64Value(v *float64) float64 { return conv.Value(v) }
+
+// Float64Slice converts a slice of float64 values into a slice of float64 pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func Float64Slice(src []float64) []*float64 { return conv.PointerSlice(src) }
+
+// Float64ValueSlice converts a slice of float64 pointers into a slice of float64 values.
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func Float64ValueSlice(src []*float64) []float64 { return conv.ValueSlice(src) }
+
+// Float64Map converts a string map of float64 values into a string map of float64 pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func Float64Map(src map[string]float64) map[string]*float64 { return conv.PointerMap(src) }
+
+// Float64ValueMap converts a string map of float64 pointers into a string map of float64 values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func Float64ValueMap(src map[string]*float64) map[string]float64 { return conv.ValueMap(src) }
+
+// Time turn a pointer to of the time.Time value passed in.
+//
+// Deprecated: use [conv.Pointer] instead.
+func Time(v time.Time) *time.Time { return conv.Pointer(v) }
+
+// TimeValue turn the value of the time.Time pointer passed in or time.Time{} if the pointer is nil.
+//
+// Deprecated: use [conv.Value] instead.
+func TimeValue(v *time.Time) time.Time { return conv.Value(v) }
+
+// TimeSlice converts a slice of time.Time values into a slice of time.Time pointers.
+//
+// Deprecated: use [conv.PointerSlice] instead.
+func TimeSlice(src []time.Time) []*time.Time { return conv.PointerSlice(src) }
+
+// TimeValueSlice converts a slice of time.Time pointers into a slice of time.Time values
+//
+// Deprecated: use [conv.ValueSlice] instead.
+func TimeValueSlice(src []*time.Time) []time.Time { return conv.ValueSlice(src) }
+
+// TimeMap converts a string map of time.Time values into a string map of time.Time pointers.
+//
+// Deprecated: use [conv.PointerMap] instead.
+func TimeMap(src map[string]time.Time) map[string]*time.Time { return conv.PointerMap(src) }
+
+// TimeValueMap converts a string map of time.Time pointers into a string map of time.Time values.
+//
+// Deprecated: use [conv.ValueMap] instead.
+func TimeValueMap(src map[string]*time.Time) map[string]time.Time { return conv.ValueMap(src) }
diff --git a/vendor/github.com/go-openapi/swag/convert.go b/vendor/github.com/go-openapi/swag/convert.go
deleted file mode 100644
index fc085aeb8e..0000000000
--- a/vendor/github.com/go-openapi/swag/convert.go
+++ /dev/null
@@ -1,208 +0,0 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package swag
-
-import (
-	"math"
-	"strconv"
-	"strings"
-)
-
-// same as ECMA Number.MAX_SAFE_INTEGER and Number.MIN_SAFE_INTEGER
-const (
-	maxJSONFloat         = float64(1<<53 - 1)  // 9007199254740991.0 	 	 2^53 - 1
-	minJSONFloat         = -float64(1<<53 - 1) //-9007199254740991.0	-2^53 - 1
-	epsilon      float64 = 1e-9
-)
-
-// IsFloat64AJSONInteger allow for integers [-2^53, 2^53-1] inclusive
-func IsFloat64AJSONInteger(f float64) bool {
-	if math.IsNaN(f) || math.IsInf(f, 0) || f < minJSONFloat || f > maxJSONFloat {
-		return false
-	}
-	fa := math.Abs(f)
-	g := float64(uint64(f))
-	ga := math.Abs(g)
-
-	diff := math.Abs(f - g)
-
-	// more info: https://floating-point-gui.de/errors/comparison/#look-out-for-edge-cases
-	switch {
-	case f == g: // best case
-		return true
-	case f == float64(int64(f)) || f == float64(uint64(f)): // optimistic case
-		return true
-	case f == 0 || g == 0 || diff < math.SmallestNonzeroFloat64: // very close to 0 values
-		return diff < (epsilon * math.SmallestNonzeroFloat64)
-	}
-	// check the relative error
-	return diff/math.Min(fa+ga, math.MaxFloat64) < epsilon
-}
-
-var evaluatesAsTrue map[string]struct{}
-
-func init() {
-	evaluatesAsTrue = map[string]struct{}{
-		"true":     {},
-		"1":        {},
-		"yes":      {},
-		"ok":       {},
-		"y":        {},
-		"on":       {},
-		"selected": {},
-		"checked":  {},
-		"t":        {},
-		"enabled":  {},
-	}
-}
-
-// ConvertBool turn a string into a boolean
-func ConvertBool(str string) (bool, error) {
-	_, ok := evaluatesAsTrue[strings.ToLower(str)]
-	return ok, nil
-}
-
-// ConvertFloat32 turn a string into a float32
-func ConvertFloat32(str string) (float32, error) {
-	f, err := strconv.ParseFloat(str, 32)
-	if err != nil {
-		return 0, err
-	}
-	return float32(f), nil
-}
-
-// ConvertFloat64 turn a string into a float64
-func ConvertFloat64(str string) (float64, error) {
-	return strconv.ParseFloat(str, 64)
-}
-
-// ConvertInt8 turn a string into an int8
-func ConvertInt8(str string) (int8, error) {
-	i, err := strconv.ParseInt(str, 10, 8)
-	if err != nil {
-		return 0, err
-	}
-	return int8(i), nil
-}
-
-// ConvertInt16 turn a string into an int16
-func ConvertInt16(str string) (int16, error) {
-	i, err := strconv.ParseInt(str, 10, 16)
-	if err != nil {
-		return 0, err
-	}
-	return int16(i), nil
-}
-
-// ConvertInt32 turn a string into an int32
-func ConvertInt32(str string) (int32, error) {
-	i, err := strconv.ParseInt(str, 10, 32)
-	if err != nil {
-		return 0, err
-	}
-	return int32(i), nil
-}
-
-// ConvertInt64 turn a string into an int64
-func ConvertInt64(str string) (int64, error) {
-	return strconv.ParseInt(str, 10, 64)
-}
-
-// ConvertUint8 turn a string into an uint8
-func ConvertUint8(str string) (uint8, error) {
-	i, err := strconv.ParseUint(str, 10, 8)
-	if err != nil {
-		return 0, err
-	}
-	return uint8(i), nil
-}
-
-// ConvertUint16 turn a string into an uint16
-func ConvertUint16(str string) (uint16, error) {
-	i, err := strconv.ParseUint(str, 10, 16)
-	if err != nil {
-		return 0, err
-	}
-	return uint16(i), nil
-}
-
-// ConvertUint32 turn a string into an uint32
-func ConvertUint32(str string) (uint32, error) {
-	i, err := strconv.ParseUint(str, 10, 32)
-	if err != nil {
-		return 0, err
-	}
-	return uint32(i), nil
-}
-
-// ConvertUint64 turn a string into an uint64
-func ConvertUint64(str string) (uint64, error) {
-	return strconv.ParseUint(str, 10, 64)
-}
-
-// FormatBool turns a boolean into a string
-func FormatBool(value bool) string {
-	return strconv.FormatBool(value)
-}
-
-// FormatFloat32 turns a float32 into a string
-func FormatFloat32(value float32) string {
-	return strconv.FormatFloat(float64(value), 'f', -1, 32)
-}
-
-// FormatFloat64 turns a float64 into a string
-func FormatFloat64(value float64) string {
-	return strconv.FormatFloat(value, 'f', -1, 64)
-}
-
-// FormatInt8 turns an int8 into a string
-func FormatInt8(value int8) string {
-	return strconv.FormatInt(int64(value), 10)
-}
-
-// FormatInt16 turns an int16 into a string
-func FormatInt16(value int16) string {
-	return strconv.FormatInt(int64(value), 10)
-}
-
-// FormatInt32 turns an int32 into a string
-func FormatInt32(value int32) string {
-	return strconv.Itoa(int(value))
-}
-
-// FormatInt64 turns an int64 into a string
-func FormatInt64(value int64) string {
-	return strconv.FormatInt(value, 10)
-}
-
-// FormatUint8 turns an uint8 into a string
-func FormatUint8(value uint8) string {
-	return strconv.FormatUint(uint64(value), 10)
-}
-
-// FormatUint16 turns an uint16 into a string
-func FormatUint16(value uint16) string {
-	return strconv.FormatUint(uint64(value), 10)
-}
-
-// FormatUint32 turns an uint32 into a string
-func FormatUint32(value uint32) string {
-	return strconv.FormatUint(uint64(value), 10)
-}
-
-// FormatUint64 turns an uint64 into a string
-func FormatUint64(value uint64) string {
-	return strconv.FormatUint(value, 10)
-}
diff --git a/vendor/github.com/go-openapi/swag/convert_types.go b/vendor/github.com/go-openapi/swag/convert_types.go
deleted file mode 100644
index c49cc473a8..0000000000
--- a/vendor/github.com/go-openapi/swag/convert_types.go
+++ /dev/null
@@ -1,730 +0,0 @@
-package swag
-
-import "time"
-
-// This file was taken from the aws go sdk
-
-// String returns a pointer to of the string value passed in.
-func String(v string) *string {
-	return &v
-}
-
-// StringValue returns the value of the string pointer passed in or
-// "" if the pointer is nil.
-func StringValue(v *string) string {
-	if v != nil {
-		return *v
-	}
-	return ""
-}
-
-// StringSlice converts a slice of string values into a slice of
-// string pointers
-func StringSlice(src []string) []*string {
-	dst := make([]*string, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// StringValueSlice converts a slice of string pointers into a slice of
-// string values
-func StringValueSlice(src []*string) []string {
-	dst := make([]string, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// StringMap converts a string map of string values into a string
-// map of string pointers
-func StringMap(src map[string]string) map[string]*string {
-	dst := make(map[string]*string)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// StringValueMap converts a string map of string pointers into a string
-// map of string values
-func StringValueMap(src map[string]*string) map[string]string {
-	dst := make(map[string]string)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Bool returns a pointer to of the bool value passed in.
-func Bool(v bool) *bool {
-	return &v
-}
-
-// BoolValue returns the value of the bool pointer passed in or
-// false if the pointer is nil.
-func BoolValue(v *bool) bool {
-	if v != nil {
-		return *v
-	}
-	return false
-}
-
-// BoolSlice converts a slice of bool values into a slice of
-// bool pointers
-func BoolSlice(src []bool) []*bool {
-	dst := make([]*bool, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// BoolValueSlice converts a slice of bool pointers into a slice of
-// bool values
-func BoolValueSlice(src []*bool) []bool {
-	dst := make([]bool, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// BoolMap converts a string map of bool values into a string
-// map of bool pointers
-func BoolMap(src map[string]bool) map[string]*bool {
-	dst := make(map[string]*bool)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// BoolValueMap converts a string map of bool pointers into a string
-// map of bool values
-func BoolValueMap(src map[string]*bool) map[string]bool {
-	dst := make(map[string]bool)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Int returns a pointer to of the int value passed in.
-func Int(v int) *int {
-	return &v
-}
-
-// IntValue returns the value of the int pointer passed in or
-// 0 if the pointer is nil.
-func IntValue(v *int) int {
-	if v != nil {
-		return *v
-	}
-	return 0
-}
-
-// IntSlice converts a slice of int values into a slice of
-// int pointers
-func IntSlice(src []int) []*int {
-	dst := make([]*int, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// IntValueSlice converts a slice of int pointers into a slice of
-// int values
-func IntValueSlice(src []*int) []int {
-	dst := make([]int, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// IntMap converts a string map of int values into a string
-// map of int pointers
-func IntMap(src map[string]int) map[string]*int {
-	dst := make(map[string]*int)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// IntValueMap converts a string map of int pointers into a string
-// map of int values
-func IntValueMap(src map[string]*int) map[string]int {
-	dst := make(map[string]int)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Int32 returns a pointer to of the int32 value passed in.
-func Int32(v int32) *int32 {
-	return &v
-}
-
-// Int32Value returns the value of the int32 pointer passed in or
-// 0 if the pointer is nil.
-func Int32Value(v *int32) int32 {
-	if v != nil {
-		return *v
-	}
-	return 0
-}
-
-// Int32Slice converts a slice of int32 values into a slice of
-// int32 pointers
-func Int32Slice(src []int32) []*int32 {
-	dst := make([]*int32, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// Int32ValueSlice converts a slice of int32 pointers into a slice of
-// int32 values
-func Int32ValueSlice(src []*int32) []int32 {
-	dst := make([]int32, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// Int32Map converts a string map of int32 values into a string
-// map of int32 pointers
-func Int32Map(src map[string]int32) map[string]*int32 {
-	dst := make(map[string]*int32)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// Int32ValueMap converts a string map of int32 pointers into a string
-// map of int32 values
-func Int32ValueMap(src map[string]*int32) map[string]int32 {
-	dst := make(map[string]int32)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Int64 returns a pointer to of the int64 value passed in.
-func Int64(v int64) *int64 {
-	return &v
-}
-
-// Int64Value returns the value of the int64 pointer passed in or
-// 0 if the pointer is nil.
-func Int64Value(v *int64) int64 {
-	if v != nil {
-		return *v
-	}
-	return 0
-}
-
-// Int64Slice converts a slice of int64 values into a slice of
-// int64 pointers
-func Int64Slice(src []int64) []*int64 {
-	dst := make([]*int64, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// Int64ValueSlice converts a slice of int64 pointers into a slice of
-// int64 values
-func Int64ValueSlice(src []*int64) []int64 {
-	dst := make([]int64, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// Int64Map converts a string map of int64 values into a string
-// map of int64 pointers
-func Int64Map(src map[string]int64) map[string]*int64 {
-	dst := make(map[string]*int64)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// Int64ValueMap converts a string map of int64 pointers into a string
-// map of int64 values
-func Int64ValueMap(src map[string]*int64) map[string]int64 {
-	dst := make(map[string]int64)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Uint16 returns a pointer to of the uint16 value passed in.
-func Uint16(v uint16) *uint16 {
-	return &v
-}
-
-// Uint16Value returns the value of the uint16 pointer passed in or
-// 0 if the pointer is nil.
-func Uint16Value(v *uint16) uint16 {
-	if v != nil {
-		return *v
-	}
-
-	return 0
-}
-
-// Uint16Slice converts a slice of uint16 values into a slice of
-// uint16 pointers
-func Uint16Slice(src []uint16) []*uint16 {
-	dst := make([]*uint16, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-
-	return dst
-}
-
-// Uint16ValueSlice converts a slice of uint16 pointers into a slice of
-// uint16 values
-func Uint16ValueSlice(src []*uint16) []uint16 {
-	dst := make([]uint16, len(src))
-
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-
-	return dst
-}
-
-// Uint16Map converts a string map of uint16 values into a string
-// map of uint16 pointers
-func Uint16Map(src map[string]uint16) map[string]*uint16 {
-	dst := make(map[string]*uint16)
-
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-
-	return dst
-}
-
-// Uint16ValueMap converts a string map of uint16 pointers into a string
-// map of uint16 values
-func Uint16ValueMap(src map[string]*uint16) map[string]uint16 {
-	dst := make(map[string]uint16)
-
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-
-	return dst
-}
-
-// Uint returns a pointer to of the uint value passed in.
-func Uint(v uint) *uint {
-	return &v
-}
-
-// UintValue returns the value of the uint pointer passed in or
-// 0 if the pointer is nil.
-func UintValue(v *uint) uint {
-	if v != nil {
-		return *v
-	}
-	return 0
-}
-
-// UintSlice converts a slice of uint values into a slice of
-// uint pointers
-func UintSlice(src []uint) []*uint {
-	dst := make([]*uint, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// UintValueSlice converts a slice of uint pointers into a slice of
-// uint values
-func UintValueSlice(src []*uint) []uint {
-	dst := make([]uint, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// UintMap converts a string map of uint values into a string
-// map of uint pointers
-func UintMap(src map[string]uint) map[string]*uint {
-	dst := make(map[string]*uint)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// UintValueMap converts a string map of uint pointers into a string
-// map of uint values
-func UintValueMap(src map[string]*uint) map[string]uint {
-	dst := make(map[string]uint)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Uint32 returns a pointer to of the uint32 value passed in.
-func Uint32(v uint32) *uint32 {
-	return &v
-}
-
-// Uint32Value returns the value of the uint32 pointer passed in or
-// 0 if the pointer is nil.
-func Uint32Value(v *uint32) uint32 {
-	if v != nil {
-		return *v
-	}
-	return 0
-}
-
-// Uint32Slice converts a slice of uint32 values into a slice of
-// uint32 pointers
-func Uint32Slice(src []uint32) []*uint32 {
-	dst := make([]*uint32, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// Uint32ValueSlice converts a slice of uint32 pointers into a slice of
-// uint32 values
-func Uint32ValueSlice(src []*uint32) []uint32 {
-	dst := make([]uint32, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// Uint32Map converts a string map of uint32 values into a string
-// map of uint32 pointers
-func Uint32Map(src map[string]uint32) map[string]*uint32 {
-	dst := make(map[string]*uint32)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// Uint32ValueMap converts a string map of uint32 pointers into a string
-// map of uint32 values
-func Uint32ValueMap(src map[string]*uint32) map[string]uint32 {
-	dst := make(map[string]uint32)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Uint64 returns a pointer to of the uint64 value passed in.
-func Uint64(v uint64) *uint64 {
-	return &v
-}
-
-// Uint64Value returns the value of the uint64 pointer passed in or
-// 0 if the pointer is nil.
-func Uint64Value(v *uint64) uint64 {
-	if v != nil {
-		return *v
-	}
-	return 0
-}
-
-// Uint64Slice converts a slice of uint64 values into a slice of
-// uint64 pointers
-func Uint64Slice(src []uint64) []*uint64 {
-	dst := make([]*uint64, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// Uint64ValueSlice converts a slice of uint64 pointers into a slice of
-// uint64 values
-func Uint64ValueSlice(src []*uint64) []uint64 {
-	dst := make([]uint64, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// Uint64Map converts a string map of uint64 values into a string
-// map of uint64 pointers
-func Uint64Map(src map[string]uint64) map[string]*uint64 {
-	dst := make(map[string]*uint64)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// Uint64ValueMap converts a string map of uint64 pointers into a string
-// map of uint64 values
-func Uint64ValueMap(src map[string]*uint64) map[string]uint64 {
-	dst := make(map[string]uint64)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Float32 returns a pointer to of the float32 value passed in.
-func Float32(v float32) *float32 {
-	return &v
-}
-
-// Float32Value returns the value of the float32 pointer passed in or
-// 0 if the pointer is nil.
-func Float32Value(v *float32) float32 {
-	if v != nil {
-		return *v
-	}
-
-	return 0
-}
-
-// Float32Slice converts a slice of float32 values into a slice of
-// float32 pointers
-func Float32Slice(src []float32) []*float32 {
-	dst := make([]*float32, len(src))
-
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-
-	return dst
-}
-
-// Float32ValueSlice converts a slice of float32 pointers into a slice of
-// float32 values
-func Float32ValueSlice(src []*float32) []float32 {
-	dst := make([]float32, len(src))
-
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-
-	return dst
-}
-
-// Float32Map converts a string map of float32 values into a string
-// map of float32 pointers
-func Float32Map(src map[string]float32) map[string]*float32 {
-	dst := make(map[string]*float32)
-
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-
-	return dst
-}
-
-// Float32ValueMap converts a string map of float32 pointers into a string
-// map of float32 values
-func Float32ValueMap(src map[string]*float32) map[string]float32 {
-	dst := make(map[string]float32)
-
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-
-	return dst
-}
-
-// Float64 returns a pointer to of the float64 value passed in.
-func Float64(v float64) *float64 {
-	return &v
-}
-
-// Float64Value returns the value of the float64 pointer passed in or
-// 0 if the pointer is nil.
-func Float64Value(v *float64) float64 {
-	if v != nil {
-		return *v
-	}
-	return 0
-}
-
-// Float64Slice converts a slice of float64 values into a slice of
-// float64 pointers
-func Float64Slice(src []float64) []*float64 {
-	dst := make([]*float64, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// Float64ValueSlice converts a slice of float64 pointers into a slice of
-// float64 values
-func Float64ValueSlice(src []*float64) []float64 {
-	dst := make([]float64, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// Float64Map converts a string map of float64 values into a string
-// map of float64 pointers
-func Float64Map(src map[string]float64) map[string]*float64 {
-	dst := make(map[string]*float64)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// Float64ValueMap converts a string map of float64 pointers into a string
-// map of float64 values
-func Float64ValueMap(src map[string]*float64) map[string]float64 {
-	dst := make(map[string]float64)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
-
-// Time returns a pointer to of the time.Time value passed in.
-func Time(v time.Time) *time.Time {
-	return &v
-}
-
-// TimeValue returns the value of the time.Time pointer passed in or
-// time.Time{} if the pointer is nil.
-func TimeValue(v *time.Time) time.Time {
-	if v != nil {
-		return *v
-	}
-	return time.Time{}
-}
-
-// TimeSlice converts a slice of time.Time values into a slice of
-// time.Time pointers
-func TimeSlice(src []time.Time) []*time.Time {
-	dst := make([]*time.Time, len(src))
-	for i := 0; i < len(src); i++ {
-		dst[i] = &(src[i])
-	}
-	return dst
-}
-
-// TimeValueSlice converts a slice of time.Time pointers into a slice of
-// time.Time values
-func TimeValueSlice(src []*time.Time) []time.Time {
-	dst := make([]time.Time, len(src))
-	for i := 0; i < len(src); i++ {
-		if src[i] != nil {
-			dst[i] = *(src[i])
-		}
-	}
-	return dst
-}
-
-// TimeMap converts a string map of time.Time values into a string
-// map of time.Time pointers
-func TimeMap(src map[string]time.Time) map[string]*time.Time {
-	dst := make(map[string]*time.Time)
-	for k, val := range src {
-		v := val
-		dst[k] = &v
-	}
-	return dst
-}
-
-// TimeValueMap converts a string map of time.Time pointers into a string
-// map of time.Time values
-func TimeValueMap(src map[string]*time.Time) map[string]time.Time {
-	dst := make(map[string]time.Time)
-	for k, val := range src {
-		if val != nil {
-			dst[k] = *val
-		}
-	}
-	return dst
-}
diff --git a/vendor/github.com/go-openapi/swag/doc.go b/vendor/github.com/go-openapi/swag/doc.go
index 55094cb74c..b54b57478a 100644
--- a/vendor/github.com/go-openapi/swag/doc.go
+++ b/vendor/github.com/go-openapi/swag/doc.go
@@ -1,31 +1,47 @@
-// Copyright 2015 go-swagger maintainers
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package swag contains a bunch of helper functions for go-openapi and go-swagger projects.
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
+// You may also use it standalone for your projects.
 //
-//    http://www.apache.org/licenses/LICENSE-2.0
+// NOTE: all features that used to be exposed as package-level members (constants, variables,
+// functions and types) are now deprecated and are superseded by equivalent features in
+// more specialized sub-packages.
+// Moving forward, no additional feature will be added to the [swag] API directly at the root package level,
+// which remains there for backward-compatibility purposes.
 //
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-/*
-Package swag contains a bunch of helper functions for go-openapi and go-swagger projects.
-
-You may also use it standalone for your projects.
-
-  - convert between value and pointers for builtin types
-  - convert from string to builtin types (wraps strconv)
-  - fast json concatenation
-  - search in path
-  - load from file or http
-  - name mangling
-
-This repo has only few dependencies outside of the standard library:
-
-  - YAML utilities depend on gopkg.in/yaml.v2
-*/
+// Child modules will continue to evolve or some new ones may be added in the future.
+//
+// # Modules
+//
+//   - [cmdutils]      utilities to work with CLIs
+//
+//   - [conv]          type conversion utilities
+//
+//   - [fileutils]     file utilities
+//
+//   - [jsonname]      JSON utilities
+//
+//   - [jsonutils]     JSON utilities
+//
+//   - [loading]       file loading
+//
+//   - [mangling]      safe name generation
+//
+//   - [netutils]      networking utilities
+//
+//   - [stringutils]   `string` utilities
+//
+//   - [typeutils]     `go` types utilities
+//
+//   - [yamlutils]     YAML utilities
+//
+// # Dependencies
+//
+// This repo has a few dependencies outside of the standard library:
+//
+//   - YAML utilities depend on [go.yaml.in/yaml/v3]
 package swag
+
+//go:generate mockery
diff --git a/vendor/github.com/go-openapi/swag/errors.go b/vendor/github.com/go-openapi/swag/errors.go
deleted file mode 100644
index 6c67fbf92e..0000000000
--- a/vendor/github.com/go-openapi/swag/errors.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package swag
-
-type swagError string
-
-const (
-	// ErrYAML is an error raised by YAML utilities
-	ErrYAML swagError = "yaml error"
-
-	// ErrLoader is an error raised by the file loader utility
-	ErrLoader swagError = "loader error"
-)
-
-func (e swagError) Error() string {
-	return string(e)
-}
diff --git a/vendor/github.com/go-openapi/swag/fileutils/LICENSE b/vendor/github.com/go-openapi/swag/fileutils/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/fileutils/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/fileutils/doc.go b/vendor/github.com/go-openapi/swag/fileutils/doc.go
new file mode 100644
index 0000000000..859a200d84
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/fileutils/doc.go
@@ -0,0 +1,10 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package fileutils exposes utilities to deal with files and paths.
+//
+// Currently, there is:
+//   - [File] to represent an abstraction of an uploaded file.
+//     For instance, this is used by [github.com/go-openapi/runtime.File].
+//   - path search utilities (e.g. finding packages in the GO search path)
+package fileutils
diff --git a/vendor/github.com/go-openapi/swag/fileutils/file.go b/vendor/github.com/go-openapi/swag/fileutils/file.go
new file mode 100644
index 0000000000..5ad4cfaeaf
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/fileutils/file.go
@@ -0,0 +1,22 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package fileutils
+
+import "mime/multipart"
+
+// File represents an uploaded file.
+type File struct {
+	Data   multipart.File
+	Header *multipart.FileHeader
+}
+
+// Read bytes from the file
+func (f *File) Read(p []byte) (n int, err error) {
+	return f.Data.Read(p)
+}
+
+// Close the file
+func (f *File) Close() error {
+	return f.Data.Close()
+}
diff --git a/vendor/github.com/go-openapi/swag/path.go b/vendor/github.com/go-openapi/swag/fileutils/path.go
similarity index 58%
rename from vendor/github.com/go-openapi/swag/path.go
rename to vendor/github.com/go-openapi/swag/fileutils/path.go
index 941bd0176b..dd09f690bf 100644
--- a/vendor/github.com/go-openapi/swag/path.go
+++ b/vendor/github.com/go-openapi/swag/fileutils/path.go
@@ -1,18 +1,7 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
-package swag
+package fileutils
 
 import (
 	"os"
@@ -21,10 +10,8 @@ import (
 	"strings"
 )
 
-const (
-	// GOPATHKey represents the env key for gopath
-	GOPATHKey = "GOPATH"
-)
+// GOPATHKey represents the env key for gopath
+const GOPATHKey = "GOPATH"
 
 // FindInSearchPath finds a package in a provided lists of paths
 func FindInSearchPath(searchPath, pkg string) string {
@@ -40,11 +27,17 @@ func FindInSearchPath(searchPath, pkg string) string {
 }
 
 // FindInGoSearchPath finds a package in the $GOPATH:$GOROOT
+//
+// Deprecated: this function is no longer relevant with modern go.
+// It uses [runtime.GOROOT] under the hood, which is deprecated as of go1.24.
 func FindInGoSearchPath(pkg string) string {
 	return FindInSearchPath(FullGoSearchPath(), pkg)
 }
 
 // FullGoSearchPath gets the search paths for finding packages
+//
+// Deprecated: this function is no longer relevant with modern go.
+// It uses [runtime.GOROOT] under the hood, which is deprecated as of go1.24.
 func FullGoSearchPath() string {
 	allPaths := os.Getenv(GOPATHKey)
 	if allPaths == "" {
diff --git a/vendor/github.com/go-openapi/swag/fileutils_iface.go b/vendor/github.com/go-openapi/swag/fileutils_iface.go
new file mode 100644
index 0000000000..f3e79a0e4b
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/fileutils_iface.go
@@ -0,0 +1,33 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import "github.com/go-openapi/swag/fileutils"
+
+// GOPATHKey represents the env key for gopath
+//
+// Deprecated: use [fileutils.GOPATHKey] instead.
+const GOPATHKey = fileutils.GOPATHKey
+
+// File represents an uploaded file.
+//
+// Deprecated: use [fileutils.File] instead.
+type File = fileutils.File
+
+// FindInSearchPath finds a package in a provided lists of paths.
+//
+// Deprecated: use [fileutils.FindInSearchPath] instead.
+func FindInSearchPath(searchPath, pkg string) string {
+	return fileutils.FindInSearchPath(searchPath, pkg)
+}
+
+// FindInGoSearchPath finds a package in the $GOPATH:$GOROOT
+//
+// Deprecated: use [fileutils.FindInGoSearchPath] instead.
+func FindInGoSearchPath(pkg string) string { return fileutils.FindInGoSearchPath(pkg) }
+
+// FullGoSearchPath gets the search paths for finding packages
+//
+// Deprecated: use [fileutils.FullGoSearchPath] instead.
+func FullGoSearchPath() string { return fileutils.FullGoSearchPath() }
diff --git a/vendor/github.com/go-openapi/swag/go.work b/vendor/github.com/go-openapi/swag/go.work
new file mode 100644
index 0000000000..1e537f0749
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/go.work
@@ -0,0 +1,20 @@
+use (
+	.
+	./cmdutils
+	./conv
+	./fileutils
+	./jsonname
+	./jsonutils
+	./jsonutils/adapters/easyjson
+	./jsonutils/adapters/testintegration
+	./jsonutils/adapters/testintegration/benchmarks
+	./jsonutils/fixtures_test
+	./loading
+	./mangling
+	./netutils
+	./stringutils
+	./typeutils
+	./yamlutils
+)
+
+go 1.24.0
diff --git a/vendor/github.com/go-openapi/swag/go.work.sum b/vendor/github.com/go-openapi/swag/go.work.sum
new file mode 100644
index 0000000000..c1308cafa6
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/go.work.sum
@@ -0,0 +1,7 @@
+github.com/go-openapi/testify/v2 v2.0.1/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
diff --git a/vendor/github.com/go-openapi/swag/initialism_index.go b/vendor/github.com/go-openapi/swag/initialism_index.go
deleted file mode 100644
index 20a359bb60..0000000000
--- a/vendor/github.com/go-openapi/swag/initialism_index.go
+++ /dev/null
@@ -1,202 +0,0 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package swag
-
-import (
-	"sort"
-	"strings"
-	"sync"
-)
-
-var (
-	// commonInitialisms are common acronyms that are kept as whole uppercased words.
-	commonInitialisms *indexOfInitialisms
-
-	// initialisms is a slice of sorted initialisms
-	initialisms []string
-
-	// a copy of initialisms pre-baked as []rune
-	initialismsRunes      [][]rune
-	initialismsUpperCased [][]rune
-
-	isInitialism func(string) bool
-
-	maxAllocMatches int
-)
-
-func init() {
-	// Taken from https://github.com/golang/lint/blob/3390df4df2787994aea98de825b964ac7944b817/lint.go#L732-L769
-	configuredInitialisms := map[string]bool{
-		"ACL":   true,
-		"API":   true,
-		"ASCII": true,
-		"CPU":   true,
-		"CSS":   true,
-		"DNS":   true,
-		"EOF":   true,
-		"GUID":  true,
-		"HTML":  true,
-		"HTTPS": true,
-		"HTTP":  true,
-		"ID":    true,
-		"IP":    true,
-		"IPv4":  true,
-		"IPv6":  true,
-		"JSON":  true,
-		"LHS":   true,
-		"OAI":   true,
-		"QPS":   true,
-		"RAM":   true,
-		"RHS":   true,
-		"RPC":   true,
-		"SLA":   true,
-		"SMTP":  true,
-		"SQL":   true,
-		"SSH":   true,
-		"TCP":   true,
-		"TLS":   true,
-		"TTL":   true,
-		"UDP":   true,
-		"UI":    true,
-		"UID":   true,
-		"UUID":  true,
-		"URI":   true,
-		"URL":   true,
-		"UTF8":  true,
-		"VM":    true,
-		"XML":   true,
-		"XMPP":  true,
-		"XSRF":  true,
-		"XSS":   true,
-	}
-
-	// a thread-safe index of initialisms
-	commonInitialisms = newIndexOfInitialisms().load(configuredInitialisms)
-	initialisms = commonInitialisms.sorted()
-	initialismsRunes = asRunes(initialisms)
-	initialismsUpperCased = asUpperCased(initialisms)
-	maxAllocMatches = maxAllocHeuristic(initialismsRunes)
-
-	// a test function
-	isInitialism = commonInitialisms.isInitialism
-}
-
-func asRunes(in []string) [][]rune {
-	out := make([][]rune, len(in))
-	for i, initialism := range in {
-		out[i] = []rune(initialism)
-	}
-
-	return out
-}
-
-func asUpperCased(in []string) [][]rune {
-	out := make([][]rune, len(in))
-
-	for i, initialism := range in {
-		out[i] = []rune(upper(trim(initialism)))
-	}
-
-	return out
-}
-
-func maxAllocHeuristic(in [][]rune) int {
-	heuristic := make(map[rune]int)
-	for _, initialism := range in {
-		heuristic[initialism[0]]++
-	}
-
-	var maxAlloc int
-	for _, val := range heuristic {
-		if val > maxAlloc {
-			maxAlloc = val
-		}
-	}
-
-	return maxAlloc
-}
-
-// AddInitialisms add additional initialisms
-func AddInitialisms(words ...string) {
-	for _, word := range words {
-		// commonInitialisms[upper(word)] = true
-		commonInitialisms.add(upper(word))
-	}
-	// sort again
-	initialisms = commonInitialisms.sorted()
-	initialismsRunes = asRunes(initialisms)
-	initialismsUpperCased = asUpperCased(initialisms)
-}
-
-// indexOfInitialisms is a thread-safe implementation of the sorted index of initialisms.
-// Since go1.9, this may be implemented with sync.Map.
-type indexOfInitialisms struct {
-	sortMutex *sync.Mutex
-	index     *sync.Map
-}
-
-func newIndexOfInitialisms() *indexOfInitialisms {
-	return &indexOfInitialisms{
-		sortMutex: new(sync.Mutex),
-		index:     new(sync.Map),
-	}
-}
-
-func (m *indexOfInitialisms) load(initial map[string]bool) *indexOfInitialisms {
-	m.sortMutex.Lock()
-	defer m.sortMutex.Unlock()
-	for k, v := range initial {
-		m.index.Store(k, v)
-	}
-	return m
-}
-
-func (m *indexOfInitialisms) isInitialism(key string) bool {
-	_, ok := m.index.Load(key)
-	return ok
-}
-
-func (m *indexOfInitialisms) add(key string) *indexOfInitialisms {
-	m.index.Store(key, true)
-	return m
-}
-
-func (m *indexOfInitialisms) sorted() (result []string) {
-	m.sortMutex.Lock()
-	defer m.sortMutex.Unlock()
-	m.index.Range(func(key, _ interface{}) bool {
-		k := key.(string)
-		result = append(result, k)
-		return true
-	})
-	sort.Sort(sort.Reverse(byInitialism(result)))
-	return
-}
-
-type byInitialism []string
-
-func (s byInitialism) Len() int {
-	return len(s)
-}
-func (s byInitialism) Swap(i, j int) {
-	s[i], s[j] = s[j], s[i]
-}
-func (s byInitialism) Less(i, j int) bool {
-	if len(s[i]) != len(s[j]) {
-		return len(s[i]) < len(s[j])
-	}
-
-	return strings.Compare(s[i], s[j]) > 0
-}
diff --git a/vendor/github.com/go-openapi/swag/json.go b/vendor/github.com/go-openapi/swag/json.go
deleted file mode 100644
index c7caa9908f..0000000000
--- a/vendor/github.com/go-openapi/swag/json.go
+++ /dev/null
@@ -1,313 +0,0 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package swag
-
-import (
-	"bytes"
-	"encoding/json"
-	"log"
-	"reflect"
-	"strings"
-	"sync"
-
-	"github.com/mailru/easyjson/jlexer"
-	"github.com/mailru/easyjson/jwriter"
-)
-
-// nullJSON represents a JSON object with null type
-var nullJSON = []byte("null")
-
-// DefaultJSONNameProvider the default cache for types
-var DefaultJSONNameProvider = NewNameProvider()
-
-const comma = byte(',')
-
-var closers map[byte]byte
-
-func init() {
-	closers = map[byte]byte{
-		'{': '}',
-		'[': ']',
-	}
-}
-
-type ejMarshaler interface {
-	MarshalEasyJSON(w *jwriter.Writer)
-}
-
-type ejUnmarshaler interface {
-	UnmarshalEasyJSON(w *jlexer.Lexer)
-}
-
-// WriteJSON writes json data, prefers finding an appropriate interface to short-circuit the marshaler
-// so it takes the fastest option available.
-func WriteJSON(data interface{}) ([]byte, error) {
-	if d, ok := data.(ejMarshaler); ok {
-		jw := new(jwriter.Writer)
-		d.MarshalEasyJSON(jw)
-		return jw.BuildBytes()
-	}
-	if d, ok := data.(json.Marshaler); ok {
-		return d.MarshalJSON()
-	}
-	return json.Marshal(data)
-}
-
-// ReadJSON reads json data, prefers finding an appropriate interface to short-circuit the unmarshaler
-// so it takes the fastest option available
-func ReadJSON(data []byte, value interface{}) error {
-	trimmedData := bytes.Trim(data, "\x00")
-	if d, ok := value.(ejUnmarshaler); ok {
-		jl := &jlexer.Lexer{Data: trimmedData}
-		d.UnmarshalEasyJSON(jl)
-		return jl.Error()
-	}
-	if d, ok := value.(json.Unmarshaler); ok {
-		return d.UnmarshalJSON(trimmedData)
-	}
-	return json.Unmarshal(trimmedData, value)
-}
-
-// DynamicJSONToStruct converts an untyped json structure into a struct
-func DynamicJSONToStruct(data interface{}, target interface{}) error {
-	// TODO: convert straight to a json typed map  (mergo + iterate?)
-	b, err := WriteJSON(data)
-	if err != nil {
-		return err
-	}
-	return ReadJSON(b, target)
-}
-
-// ConcatJSON concatenates multiple json objects efficiently
-func ConcatJSON(blobs ...[]byte) []byte {
-	if len(blobs) == 0 {
-		return nil
-	}
-
-	last := len(blobs) - 1
-	for blobs[last] == nil || bytes.Equal(blobs[last], nullJSON) {
-		// strips trailing null objects
-		last--
-		if last < 0 {
-			// there was nothing but "null"s or nil...
-			return nil
-		}
-	}
-	if last == 0 {
-		return blobs[0]
-	}
-
-	var opening, closing byte
-	var idx, a int
-	buf := bytes.NewBuffer(nil)
-
-	for i, b := range blobs[:last+1] {
-		if b == nil || bytes.Equal(b, nullJSON) {
-			// a null object is in the list: skip it
-			continue
-		}
-		if len(b) > 0 && opening == 0 { // is this an array or an object?
-			opening, closing = b[0], closers[b[0]]
-		}
-
-		if opening != '{' && opening != '[' {
-			continue // don't know how to concatenate non container objects
-		}
-
-		const minLengthIfNotEmpty = 3
-		if len(b) < minLengthIfNotEmpty { // yep empty but also the last one, so closing this thing
-			if i == last && a > 0 {
-				if err := buf.WriteByte(closing); err != nil {
-					log.Println(err)
-				}
-			}
-			continue
-		}
-
-		idx = 0
-		if a > 0 { // we need to join with a comma for everything beyond the first non-empty item
-			if err := buf.WriteByte(comma); err != nil {
-				log.Println(err)
-			}
-			idx = 1 // this is not the first or the last so we want to drop the leading bracket
-		}
-
-		if i != last { // not the last one, strip brackets
-			if _, err := buf.Write(b[idx : len(b)-1]); err != nil {
-				log.Println(err)
-			}
-		} else { // last one, strip only the leading bracket
-			if _, err := buf.Write(b[idx:]); err != nil {
-				log.Println(err)
-			}
-		}
-		a++
-	}
-	// somehow it ended up being empty, so provide a default value
-	if buf.Len() == 0 {
-		if err := buf.WriteByte(opening); err != nil {
-			log.Println(err)
-		}
-		if err := buf.WriteByte(closing); err != nil {
-			log.Println(err)
-		}
-	}
-	return buf.Bytes()
-}
-
-// ToDynamicJSON turns an object into a properly JSON typed structure
-func ToDynamicJSON(data interface{}) interface{} {
-	// TODO: convert straight to a json typed map (mergo + iterate?)
-	b, err := json.Marshal(data)
-	if err != nil {
-		log.Println(err)
-	}
-	var res interface{}
-	if err := json.Unmarshal(b, &res); err != nil {
-		log.Println(err)
-	}
-	return res
-}
-
-// FromDynamicJSON turns an object into a properly JSON typed structure
-func FromDynamicJSON(data, target interface{}) error {
-	b, err := json.Marshal(data)
-	if err != nil {
-		log.Println(err)
-	}
-	return json.Unmarshal(b, target)
-}
-
-// NameProvider represents an object capable of translating from go property names
-// to json property names
-// This type is thread-safe.
-type NameProvider struct {
-	lock  *sync.Mutex
-	index map[reflect.Type]nameIndex
-}
-
-type nameIndex struct {
-	jsonNames map[string]string
-	goNames   map[string]string
-}
-
-// NewNameProvider creates a new name provider
-func NewNameProvider() *NameProvider {
-	return &NameProvider{
-		lock:  &sync.Mutex{},
-		index: make(map[reflect.Type]nameIndex),
-	}
-}
-
-func buildnameIndex(tpe reflect.Type, idx, reverseIdx map[string]string) {
-	for i := 0; i < tpe.NumField(); i++ {
-		targetDes := tpe.Field(i)
-
-		if targetDes.PkgPath != "" { // unexported
-			continue
-		}
-
-		if targetDes.Anonymous { // walk embedded structures tree down first
-			buildnameIndex(targetDes.Type, idx, reverseIdx)
-			continue
-		}
-
-		if tag := targetDes.Tag.Get("json"); tag != "" {
-
-			parts := strings.Split(tag, ",")
-			if len(parts) == 0 {
-				continue
-			}
-
-			nm := parts[0]
-			if nm == "-" {
-				continue
-			}
-			if nm == "" { // empty string means we want to use the Go name
-				nm = targetDes.Name
-			}
-
-			idx[nm] = targetDes.Name
-			reverseIdx[targetDes.Name] = nm
-		}
-	}
-}
-
-func newNameIndex(tpe reflect.Type) nameIndex {
-	var idx = make(map[string]string, tpe.NumField())
-	var reverseIdx = make(map[string]string, tpe.NumField())
-
-	buildnameIndex(tpe, idx, reverseIdx)
-	return nameIndex{jsonNames: idx, goNames: reverseIdx}
-}
-
-// GetJSONNames gets all the json property names for a type
-func (n *NameProvider) GetJSONNames(subject interface{}) []string {
-	n.lock.Lock()
-	defer n.lock.Unlock()
-	tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
-	names, ok := n.index[tpe]
-	if !ok {
-		names = n.makeNameIndex(tpe)
-	}
-
-	res := make([]string, 0, len(names.jsonNames))
-	for k := range names.jsonNames {
-		res = append(res, k)
-	}
-	return res
-}
-
-// GetJSONName gets the json name for a go property name
-func (n *NameProvider) GetJSONName(subject interface{}, name string) (string, bool) {
-	tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
-	return n.GetJSONNameForType(tpe, name)
-}
-
-// GetJSONNameForType gets the json name for a go property name on a given type
-func (n *NameProvider) GetJSONNameForType(tpe reflect.Type, name string) (string, bool) {
-	n.lock.Lock()
-	defer n.lock.Unlock()
-	names, ok := n.index[tpe]
-	if !ok {
-		names = n.makeNameIndex(tpe)
-	}
-	nme, ok := names.goNames[name]
-	return nme, ok
-}
-
-func (n *NameProvider) makeNameIndex(tpe reflect.Type) nameIndex {
-	names := newNameIndex(tpe)
-	n.index[tpe] = names
-	return names
-}
-
-// GetGoName gets the go name for a json property name
-func (n *NameProvider) GetGoName(subject interface{}, name string) (string, bool) {
-	tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
-	return n.GetGoNameForType(tpe, name)
-}
-
-// GetGoNameForType gets the go name for a given type for a json property name
-func (n *NameProvider) GetGoNameForType(tpe reflect.Type, name string) (string, bool) {
-	n.lock.Lock()
-	defer n.lock.Unlock()
-	names, ok := n.index[tpe]
-	if !ok {
-		names = n.makeNameIndex(tpe)
-	}
-	nme, ok := names.jsonNames[name]
-	return nme, ok
-}
diff --git a/vendor/github.com/go-openapi/swag/jsonname/LICENSE b/vendor/github.com/go-openapi/swag/jsonname/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonname/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/jsonname/doc.go b/vendor/github.com/go-openapi/swag/jsonname/doc.go
new file mode 100644
index 0000000000..79232eaca4
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonname/doc.go
@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package jsonname is a provider of json property names from go properties.
+package jsonname
diff --git a/vendor/github.com/go-openapi/swag/jsonname/name_provider.go b/vendor/github.com/go-openapi/swag/jsonname/name_provider.go
new file mode 100644
index 0000000000..8eaf1bece8
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonname/name_provider.go
@@ -0,0 +1,138 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package jsonname
+
+import (
+	"reflect"
+	"strings"
+	"sync"
+)
+
+// DefaultJSONNameProvider is the default cache for types.
+var DefaultJSONNameProvider = NewNameProvider()
+
+// NameProvider represents an object capable of translating from go property names
+// to json property names.
+//
+// This type is thread-safe.
+//
+// See [github.com/go-openapi/jsonpointer.Pointer] for an example.
+type NameProvider struct {
+	lock  *sync.Mutex
+	index map[reflect.Type]nameIndex
+}
+
+type nameIndex struct {
+	jsonNames map[string]string
+	goNames   map[string]string
+}
+
+// NewNameProvider creates a new name provider
+func NewNameProvider() *NameProvider {
+	return &NameProvider{
+		lock:  &sync.Mutex{},
+		index: make(map[reflect.Type]nameIndex),
+	}
+}
+
+func buildnameIndex(tpe reflect.Type, idx, reverseIdx map[string]string) {
+	for i := 0; i < tpe.NumField(); i++ {
+		targetDes := tpe.Field(i)
+
+		if targetDes.PkgPath != "" { // unexported
+			continue
+		}
+
+		if targetDes.Anonymous { // walk embedded structures tree down first
+			buildnameIndex(targetDes.Type, idx, reverseIdx)
+			continue
+		}
+
+		if tag := targetDes.Tag.Get("json"); tag != "" {
+
+			parts := strings.Split(tag, ",")
+			if len(parts) == 0 {
+				continue
+			}
+
+			nm := parts[0]
+			if nm == "-" {
+				continue
+			}
+			if nm == "" { // empty string means we want to use the Go name
+				nm = targetDes.Name
+			}
+
+			idx[nm] = targetDes.Name
+			reverseIdx[targetDes.Name] = nm
+		}
+	}
+}
+
+func newNameIndex(tpe reflect.Type) nameIndex {
+	var idx = make(map[string]string, tpe.NumField())
+	var reverseIdx = make(map[string]string, tpe.NumField())
+
+	buildnameIndex(tpe, idx, reverseIdx)
+	return nameIndex{jsonNames: idx, goNames: reverseIdx}
+}
+
+// GetJSONNames gets all the json property names for a type
+func (n *NameProvider) GetJSONNames(subject any) []string {
+	n.lock.Lock()
+	defer n.lock.Unlock()
+	tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
+	names, ok := n.index[tpe]
+	if !ok {
+		names = n.makeNameIndex(tpe)
+	}
+
+	res := make([]string, 0, len(names.jsonNames))
+	for k := range names.jsonNames {
+		res = append(res, k)
+	}
+	return res
+}
+
+// GetJSONName gets the json name for a go property name
+func (n *NameProvider) GetJSONName(subject any, name string) (string, bool) {
+	tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
+	return n.GetJSONNameForType(tpe, name)
+}
+
+// GetJSONNameForType gets the json name for a go property name on a given type
+func (n *NameProvider) GetJSONNameForType(tpe reflect.Type, name string) (string, bool) {
+	n.lock.Lock()
+	defer n.lock.Unlock()
+	names, ok := n.index[tpe]
+	if !ok {
+		names = n.makeNameIndex(tpe)
+	}
+	nme, ok := names.goNames[name]
+	return nme, ok
+}
+
+// GetGoName gets the go name for a json property name
+func (n *NameProvider) GetGoName(subject any, name string) (string, bool) {
+	tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
+	return n.GetGoNameForType(tpe, name)
+}
+
+// GetGoNameForType gets the go name for a given type for a json property name
+func (n *NameProvider) GetGoNameForType(tpe reflect.Type, name string) (string, bool) {
+	n.lock.Lock()
+	defer n.lock.Unlock()
+	names, ok := n.index[tpe]
+	if !ok {
+		names = n.makeNameIndex(tpe)
+	}
+	nme, ok := names.jsonNames[name]
+	return nme, ok
+}
+
+func (n *NameProvider) makeNameIndex(tpe reflect.Type) nameIndex {
+	names := newNameIndex(tpe)
+	n.index[tpe] = names
+	return names
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonname_iface.go b/vendor/github.com/go-openapi/swag/jsonname_iface.go
new file mode 100644
index 0000000000..303a007f6f
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonname_iface.go
@@ -0,0 +1,24 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import (
+	"github.com/go-openapi/swag/jsonname"
+)
+
+// DefaultJSONNameProvider is the default cache for types
+//
+// Deprecated: use [jsonname.DefaultJSONNameProvider] instead.
+var DefaultJSONNameProvider = jsonname.DefaultJSONNameProvider
+
+// NameProvider represents an object capable of translating from go property names
+// to json property names.
+//
+// Deprecated: use [jsonname.NameProvider] instead.
+type NameProvider = jsonname.NameProvider
+
+// NewNameProvider creates a new name provider
+//
+// Deprecated: use [jsonname.NewNameProvider] instead.
+func NewNameProvider() *NameProvider { return jsonname.NewNameProvider() }
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/LICENSE b/vendor/github.com/go-openapi/swag/jsonutils/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/README.md b/vendor/github.com/go-openapi/swag/jsonutils/README.md
new file mode 100644
index 0000000000..d745cdb466
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/README.md
@@ -0,0 +1,108 @@
+ # jsonutils
+
+`jsonutils` exposes a few tools to work with JSON:
+
+- a fast, simple `Concat` to concatenate (not merge) JSON objects and arrays
+- `FromDynamicJSON` to convert a data structure into a "dynamic JSON" data structure
+- `ReadJSON` and `WriteJSON` behave like `json.Unmarshal` and `json.Marshal`,
+   with the ability to use another underlying serialization library through an `Adapter` 
+   configured at runtime
+- a `JSONMapSlice` structure that may be used to store JSON objects with the order of keys maintained
+
+## Dynamic JSON
+
+We call "dynamic JSON" the go data structure that results from unmarshaling JSON like this:
+
+```go
+  var value any
+  jsonBytes := `{"a": 1, ... }`
+  _ = json.Unmarshal(jsonBytes, &value)
+```
+
+In this configuration, the standard library mappings are as follows:
+
+| JSON      | go               |
+|-----------|------------------|
+| `number`  | `float64`        |
+| `string`  | `string`         |
+| `boolean` | `bool`           |
+| `null`    | `nil`            |
+| `object`  | `map[string]any` |
+| `array`   | `[]any`          |
+
+## Map slices
+
+When using `JSONMapSlice`, the ordering of keys is ensured by replacing
+mappings to `map[string]any` by a `JSONMapSlice` which is an (ordered)
+slice of `JSONMapItem`s.
+
+Notice that a similar feature is available for YAML (see [`yamlutils`](../yamlutils)),
+with a `YAMLMapSlice` type based on the `JSONMapSlice`.
+
+`JSONMapSlice` is similar to an ordered map, but the keys are not retrieved
+in constant time.
+
+Another difference with the the above standard mappings is that numbers don't always map
+to a `float64`: if the value is a JSON integer, it unmarshals to `int64`.
+
+See also [some examples](https://pkg.go.dev/github.com/go-openapi/swag/jsonutils#pkg-examples)
+
+## Adapters
+
+`ReadJSON`, `WriteJSON` and `FromDynamicJSON` (which is a combination of the latter two)
+are wrappers on top of `json.Unmarshal` and `json.Marshal`.
+
+By default, the adapter merely wraps the standard library.
+
+The adapter may be used to register other JSON serialization libraries,
+possibly several ones at the same time.
+
+If the value passed is identified as an "ordered map" (i.e. implements `ifaces.Ordered`
+or `ifaces.SetOrdered`, the adapter favors the "ordered" JSON behavior and tries to
+find a registered implementation that support ordered keys in objects.
+
+Our standard library implementation supports this.
+
+As of `v0.25.0`, we support through such an adapter the popular `mailru/easyjson`
+library, which kicks in when the passed values support the `easyjson.Unmarshaler` 
+or `easyjson.Marshaler` interfaces.
+
+In the future, we plan to add more similar libraries that compete on the go JSON
+serializers scene.
+
+## Registering an adapter
+
+In package `github.com/go-openapi/swag/easyjson/adapters`, several adapters are available.
+
+Each adapter is an independent go module. Hence you'll pick its dependencies only if you import it.
+
+At this moment we provide:
+* `stdlib`: JSON adapter based on the standard library
+* `easyjson`: JSON adapter based on the `github.com/mailru/easyjson`
+
+The adapters provide the basic `Marshal` and `Unmarshal` capabilities, plus an implementation
+of the `MapSlice` pattern.
+
+You may also build your own adapter based on your specific use-case. An adapter is not required to implement
+all capabilities.
+
+Every adapter comes with a `Register` function, possibly with some options, to register the adapter
+to a global registry.
+
+For example, to enable `easyjson` to be used in `ReadJSON` and `WriteJSON`, you would write something like:
+
+```go
+  import (
+	  "github.com/go-openapi/swag/jsonutils/adapters"
+	  easyjson "github.com/go-openapi/swag/jsonutils/adapters/easyjson/json"
+  )
+
+  func init() {
+	  easyjson.Register(adapters.Registry)
+  }
+```
+
+You may register several adapters. In this case, capability matching is evaluated from the last registered
+adapters (LIFO).
+
+## [Benchmarks](./adapters/testintegration/benchmarks/README.md)
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go
new file mode 100644
index 0000000000..76d3898fca
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go
@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package adapters exposes a registry of adapters to multiple
+// JSON serialization libraries.
+//
+// All interfaces are defined in package [ifaces.Adapter].
+package adapters
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go
new file mode 100644
index 0000000000..1fd43a1fad
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go
@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package ifaces exposes all interfaces to work with adapters.
+package ifaces
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go
new file mode 100644
index 0000000000..7805e5e5e3
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go
@@ -0,0 +1,84 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package ifaces
+
+import (
+	_ "encoding/json" // for documentation purpose
+	"iter"
+)
+
+// Ordered knows how to iterate over the (key,value) pairs of a JSON object.
+type Ordered interface {
+	OrderedItems() iter.Seq2[string, any]
+}
+
+// SetOrdered knows how to append or update the keys of a JSON object,
+// given an iterator over (key,value) pairs.
+//
+// If the provided iterator is nil then the receiver should be set to nil.
+type SetOrdered interface {
+	SetOrderedItems(iter.Seq2[string, any])
+}
+
+// OrderedMap represent a JSON object (i.e. like a map[string,any]),
+// and knows how to serialize and deserialize JSON with the order of keys maintained.
+type OrderedMap interface {
+	Ordered
+	SetOrdered
+
+	OrderedMarshalJSON() ([]byte, error)
+	OrderedUnmarshalJSON([]byte) error
+}
+
+// MarshalAdapter behaves likes the standard library [json.Marshal].
+type MarshalAdapter interface {
+	Poolable
+
+	Marshal(any) ([]byte, error)
+}
+
+// OrderedMarshalAdapter behaves likes the standard library [json.Marshal], preserving the order of keys in objects.
+type OrderedMarshalAdapter interface {
+	Poolable
+
+	OrderedMarshal(Ordered) ([]byte, error)
+}
+
+// UnmarshalAdapter behaves likes the standard library [json.Unmarshal].
+type UnmarshalAdapter interface {
+	Poolable
+
+	Unmarshal([]byte, any) error
+}
+
+// OrderedUnmarshalAdapter behaves likes the standard library [json.Unmarshal], preserving the order of keys in objects.
+type OrderedUnmarshalAdapter interface {
+	Poolable
+
+	OrderedUnmarshal([]byte, SetOrdered) error
+}
+
+// Adapter exposes an interface like the standard [json] library.
+type Adapter interface {
+	MarshalAdapter
+	UnmarshalAdapter
+
+	OrderedAdapter
+}
+
+// OrderedAdapter exposes interfaces to process JSON and keep the order of object keys.
+type OrderedAdapter interface {
+	OrderedMarshalAdapter
+	OrderedUnmarshalAdapter
+	NewOrderedMap(capacity int) OrderedMap
+}
+
+type Poolable interface {
+	// Self-redeem: for [Adapter] s that are allocated from a pool.
+	// The [Adapter] must not be used after calling [Redeem].
+	Redeem()
+
+	// Reset the state of the [Adapter], if any.
+	Reset()
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go
new file mode 100644
index 0000000000..2d6c69f4e6
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go
@@ -0,0 +1,91 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package ifaces
+
+import (
+	"strings"
+)
+
+// Capability indicates what a JSON adapter is capable of.
+type Capability uint8
+
+const (
+	CapabilityMarshalJSON Capability = 1 << iota
+	CapabilityUnmarshalJSON
+	CapabilityOrderedMarshalJSON
+	CapabilityOrderedUnmarshalJSON
+	CapabilityOrderedMap
+)
+
+func (c Capability) String() string {
+	switch c {
+	case CapabilityMarshalJSON:
+		return "MarshalJSON"
+	case CapabilityUnmarshalJSON:
+		return "UnmarshalJSON"
+	case CapabilityOrderedMarshalJSON:
+		return "OrderedMarshalJSON"
+	case CapabilityOrderedUnmarshalJSON:
+		return "OrderedUnmarshalJSON"
+	case CapabilityOrderedMap:
+		return "OrderedMap"
+	default:
+		return "<unknown>"
+	}
+}
+
+// Capabilities holds several unitary capability flags
+type Capabilities uint8
+
+// Has some capability flag enabled.
+func (c Capabilities) Has(capability Capability) bool {
+	return Capability(c)&capability > 0
+}
+
+func (c Capabilities) String() string {
+	var w strings.Builder
+
+	first := true
+	for _, capability := range []Capability{
+		CapabilityMarshalJSON,
+		CapabilityUnmarshalJSON,
+		CapabilityOrderedMarshalJSON,
+		CapabilityOrderedUnmarshalJSON,
+		CapabilityOrderedMap,
+	} {
+		if c.Has(capability) {
+			if !first {
+				w.WriteByte('|')
+			} else {
+				first = false
+			}
+			w.WriteString(capability.String())
+		}
+	}
+
+	return w.String()
+}
+
+const (
+	AllCapabilities Capabilities = Capabilities(uint8(CapabilityMarshalJSON) |
+		uint8(CapabilityUnmarshalJSON) |
+		uint8(CapabilityOrderedMarshalJSON) |
+		uint8(CapabilityOrderedUnmarshalJSON) |
+		uint8(CapabilityOrderedMap))
+
+	AllUnorderedCapabilities Capabilities = Capabilities(uint8(CapabilityMarshalJSON) | uint8(CapabilityUnmarshalJSON))
+)
+
+// RegistryEntry describes how any given adapter registers its capabilities to the [Registrar].
+type RegistryEntry struct {
+	Who         string
+	What        Capabilities
+	Constructor func() Adapter
+	Support     func(what Capability, value any) bool
+}
+
+// Registrar is a type that knows how to keep registration calls from adapters.
+type Registrar interface {
+	RegisterFor(RegistryEntry)
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go
new file mode 100644
index 0000000000..3062acaff2
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go
@@ -0,0 +1,229 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package adapters
+
+import (
+	"fmt"
+	"reflect"
+	"slices"
+	"sync"
+
+	"github.com/go-openapi/swag/jsonutils/adapters/ifaces"
+	stdlib "github.com/go-openapi/swag/jsonutils/adapters/stdlib/json"
+)
+
+// Registry holds the global registry for registered adapters.
+var Registry = NewRegistrar()
+
+var (
+	defaultRegistered = stdlib.Register
+
+	_ ifaces.Registrar = &Registrar{}
+)
+
+type registryError string
+
+func (e registryError) Error() string {
+	return string(e)
+}
+
+// ErrRegistry indicates an error returned by the [Registrar].
+var ErrRegistry registryError = "JSON adapters registry error"
+
+type registry []*ifaces.RegistryEntry
+
+// Registrar holds registered [ifaces.Adapters] for different serialization capabilities.
+//
+// Internally, it maintains a cache for data types that favor a given adapter.
+type Registrar struct {
+	marshalerRegistry          registry
+	unmarshalerRegistry        registry
+	orderedMarshalerRegistry   registry
+	orderedUnmarshalerRegistry registry
+	orderedMapRegistry         registry
+
+	gmx sync.RWMutex
+
+	// cache indexed by value type, so we don't have to lookup
+	marshalerCache          map[reflect.Type]*ifaces.RegistryEntry
+	unmarshalerCache        map[reflect.Type]*ifaces.RegistryEntry
+	orderedMarshalerCache   map[reflect.Type]*ifaces.RegistryEntry
+	orderedUnmarshalerCache map[reflect.Type]*ifaces.RegistryEntry
+	orderedMapCache         map[reflect.Type]*ifaces.RegistryEntry
+}
+
+func NewRegistrar() *Registrar {
+	r := &Registrar{}
+
+	r.marshalerRegistry = make(registry, 0, 1)
+	r.unmarshalerRegistry = make(registry, 0, 1)
+	r.orderedMarshalerRegistry = make(registry, 0, 1)
+	r.orderedUnmarshalerRegistry = make(registry, 0, 1)
+	r.orderedMapRegistry = make(registry, 0, 1)
+
+	r.marshalerCache = make(map[reflect.Type]*ifaces.RegistryEntry)
+	r.unmarshalerCache = make(map[reflect.Type]*ifaces.RegistryEntry)
+	r.orderedMarshalerCache = make(map[reflect.Type]*ifaces.RegistryEntry)
+	r.orderedUnmarshalerCache = make(map[reflect.Type]*ifaces.RegistryEntry)
+	r.orderedMapCache = make(map[reflect.Type]*ifaces.RegistryEntry)
+
+	defaultRegistered(r)
+
+	return r
+}
+
+// ClearCache resets the internal type cache.
+func (r *Registrar) ClearCache() {
+	r.gmx.Lock()
+	r.clearCache()
+	r.gmx.Unlock()
+}
+
+// Reset the [Registrar] to its defaults.
+func (r *Registrar) Reset() {
+	r.gmx.Lock()
+	r.clearCache()
+	r.marshalerRegistry = r.marshalerRegistry[:0]
+	r.unmarshalerRegistry = r.unmarshalerRegistry[:0]
+	r.orderedMarshalerRegistry = r.orderedMarshalerRegistry[:0]
+	r.orderedUnmarshalerRegistry = r.orderedUnmarshalerRegistry[:0]
+	r.orderedMapRegistry = r.orderedMapRegistry[:0]
+	r.gmx.Unlock()
+
+	defaultRegistered(r)
+}
+
+// RegisterFor registers an adapter for some JSON capabilities.
+func (r *Registrar) RegisterFor(entry ifaces.RegistryEntry) {
+	r.gmx.Lock()
+	if entry.What.Has(ifaces.CapabilityMarshalJSON) {
+		e := entry
+		e.What &= ifaces.Capabilities(ifaces.CapabilityMarshalJSON)
+		r.marshalerRegistry = slices.Insert(r.marshalerRegistry, 0, &e)
+	}
+	if entry.What.Has(ifaces.CapabilityUnmarshalJSON) {
+		e := entry
+		e.What &= ifaces.Capabilities(ifaces.CapabilityUnmarshalJSON)
+		r.unmarshalerRegistry = slices.Insert(r.unmarshalerRegistry, 0, &e)
+	}
+	if entry.What.Has(ifaces.CapabilityOrderedMarshalJSON) {
+		e := entry
+		e.What &= ifaces.Capabilities(ifaces.CapabilityOrderedMarshalJSON)
+		r.orderedMarshalerRegistry = slices.Insert(r.orderedMarshalerRegistry, 0, &e)
+	}
+	if entry.What.Has(ifaces.CapabilityOrderedUnmarshalJSON) {
+		e := entry
+		e.What &= ifaces.Capabilities(ifaces.CapabilityOrderedUnmarshalJSON)
+		r.orderedUnmarshalerRegistry = slices.Insert(r.orderedUnmarshalerRegistry, 0, &e)
+	}
+	if entry.What.Has(ifaces.CapabilityOrderedMap) {
+		e := entry
+		e.What &= ifaces.Capabilities(ifaces.CapabilityOrderedMap)
+		r.orderedMapRegistry = slices.Insert(r.orderedMapRegistry, 0, &e)
+	}
+	r.gmx.Unlock()
+}
+
+// AdapterFor returns an [ifaces.Adapter] that supports this capability for this type of value.
+//
+// The [ifaces.Adapter] may be redeemed to its pool using its Redeem() method, for adapters that support global
+// pooling. When this is not the case, the redeem function is just a no-operation.
+func (r *Registrar) AdapterFor(capability ifaces.Capability, value any) ifaces.Adapter {
+	entry := r.findFirstFor(capability, value)
+	if entry == nil {
+		return nil
+	}
+
+	return entry.Constructor()
+}
+
+func (r *Registrar) clearCache() {
+	clear(r.marshalerCache)
+	clear(r.unmarshalerCache)
+	clear(r.orderedMarshalerCache)
+	clear(r.orderedUnmarshalerCache)
+	clear(r.orderedMapCache)
+}
+
+func (r *Registrar) findFirstFor(capability ifaces.Capability, value any) *ifaces.RegistryEntry {
+	switch capability {
+	case ifaces.CapabilityMarshalJSON:
+		return r.findFirstInRegistryFor(r.marshalerRegistry, r.marshalerCache, capability, value)
+	case ifaces.CapabilityUnmarshalJSON:
+		return r.findFirstInRegistryFor(r.unmarshalerRegistry, r.unmarshalerCache, capability, value)
+	case ifaces.CapabilityOrderedMarshalJSON:
+		return r.findFirstInRegistryFor(r.orderedMarshalerRegistry, r.orderedMarshalerCache, capability, value)
+	case ifaces.CapabilityOrderedUnmarshalJSON:
+		return r.findFirstInRegistryFor(r.orderedUnmarshalerRegistry, r.orderedUnmarshalerCache, capability, value)
+	case ifaces.CapabilityOrderedMap:
+		return r.findFirstInRegistryFor(r.orderedMapRegistry, r.orderedMapCache, capability, value)
+	default:
+		panic(fmt.Errorf("unsupported capability %d: %w", capability, ErrRegistry))
+	}
+}
+
+func (r *Registrar) findFirstInRegistryFor(reg registry, cache map[reflect.Type]*ifaces.RegistryEntry, capability ifaces.Capability, value any) *ifaces.RegistryEntry {
+	r.gmx.RLock()
+	if len(reg) > 1 {
+		if entry, ok := cache[reflect.TypeOf(value)]; ok {
+			// cache hit
+			r.gmx.RUnlock()
+			return entry
+		}
+	}
+
+	for _, entry := range reg {
+		if !entry.Support(capability, value) {
+			continue
+		}
+
+		r.gmx.RUnlock()
+
+		// update the internal cache
+		r.gmx.Lock()
+		cache[reflect.TypeOf(value)] = entry
+		r.gmx.Unlock()
+
+		return entry
+	}
+
+	// no adapter found
+	r.gmx.RUnlock()
+
+	return nil
+}
+
+// MarshalAdapterFor returns the first adapter that knows how to Marshal this type of value.
+func MarshalAdapterFor(value any) ifaces.MarshalAdapter {
+	return Registry.AdapterFor(ifaces.CapabilityMarshalJSON, value)
+}
+
+// OrderedMarshalAdapterFor returns the first adapter that knows how to OrderedMarshal this type of value.
+func OrderedMarshalAdapterFor(value ifaces.Ordered) ifaces.OrderedMarshalAdapter {
+	return Registry.AdapterFor(ifaces.CapabilityOrderedMarshalJSON, value)
+}
+
+// UnmarshalAdapterFor returns the first adapter that knows how to Unmarshal this type of value.
+func UnmarshalAdapterFor(value any) ifaces.UnmarshalAdapter {
+	return Registry.AdapterFor(ifaces.CapabilityUnmarshalJSON, value)
+}
+
+// OrderedUnmarshalAdapterFor provides the first adapter that knows how to OrderedUnmarshal this type of value.
+func OrderedUnmarshalAdapterFor(value ifaces.SetOrdered) ifaces.OrderedUnmarshalAdapter {
+	return Registry.AdapterFor(ifaces.CapabilityOrderedUnmarshalJSON, value)
+}
+
+// NewOrderedMap provides the "ordered map" implementation provided by the registry.
+func NewOrderedMap(capacity int) ifaces.OrderedMap {
+	var v any
+	adapter := Registry.AdapterFor(ifaces.CapabilityOrderedUnmarshalJSON, v)
+	if adapter == nil {
+		return nil
+	}
+
+	defer adapter.Redeem()
+	return adapter.NewOrderedMap(capacity)
+}
+
+func noopRedeemer() {}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go
new file mode 100644
index 0000000000..0213ff5c29
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go
@@ -0,0 +1,115 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package json
+
+import (
+	stdjson "encoding/json"
+
+	"github.com/go-openapi/swag/jsonutils/adapters/ifaces"
+	"github.com/go-openapi/swag/typeutils"
+)
+
+const sensibleBufferSize = 8192
+
+type jsonError string
+
+func (e jsonError) Error() string {
+	return string(e)
+}
+
+// ErrStdlib indicates that an error comes from the stdlib JSON adapter
+var ErrStdlib jsonError = "error from the JSON adapter stdlib"
+
+var _ ifaces.Adapter = &Adapter{}
+
+type Adapter struct {
+}
+
+// NewAdapter yields an [ifaces.Adapter] using the standard library.
+func NewAdapter() *Adapter {
+	return &Adapter{}
+}
+
+func (a *Adapter) Marshal(value any) ([]byte, error) {
+	return stdjson.Marshal(value)
+}
+
+func (a *Adapter) Unmarshal(data []byte, value any) error {
+	return stdjson.Unmarshal(data, value)
+}
+
+func (a *Adapter) OrderedMarshal(value ifaces.Ordered) ([]byte, error) {
+	w := poolOfWriters.Borrow()
+	defer func() {
+		poolOfWriters.Redeem(w)
+	}()
+
+	if typeutils.IsNil(value) {
+		w.RawString("null")
+
+		return w.BuildBytes()
+	}
+
+	w.RawByte('{')
+	first := true
+	for k, v := range value.OrderedItems() {
+		if first {
+			first = false
+		} else {
+			w.RawByte(',')
+		}
+
+		w.String(k)
+		w.RawByte(':')
+
+		switch val := v.(type) {
+		case ifaces.Ordered:
+			w.Raw(a.OrderedMarshal(val))
+		default:
+			w.Raw(stdjson.Marshal(v))
+		}
+	}
+
+	w.RawByte('}')
+
+	return w.BuildBytes()
+}
+
+func (a *Adapter) OrderedUnmarshal(data []byte, value ifaces.SetOrdered) error {
+	var m MapSlice
+	if err := m.OrderedUnmarshalJSON(data); err != nil {
+		return err
+	}
+
+	if typeutils.IsNil(m) {
+		// force input value to nil
+		value.SetOrderedItems(nil)
+
+		return nil
+	}
+
+	value.SetOrderedItems(m.OrderedItems())
+
+	return nil
+}
+
+func (a *Adapter) NewOrderedMap(capacity int) ifaces.OrderedMap {
+	m := make(MapSlice, 0, capacity)
+
+	return &m
+}
+
+// Redeem the [Adapter] when it comes from a pool.
+//
+// The adapter becomes immediately unusable once redeemed.
+func (a *Adapter) Redeem() {
+	if a == nil {
+		return
+	}
+
+	RedeemAdapter(a)
+}
+
+func (a *Adapter) Reset() {
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go
new file mode 100644
index 0000000000..5ea1b44042
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go
@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package json implements an [ifaces.Adapter] using the standard library.
+package json
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go
new file mode 100644
index 0000000000..b5aa1c7972
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go
@@ -0,0 +1,320 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package json
+
+import (
+	stdjson "encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"math"
+	"strconv"
+
+	"github.com/go-openapi/swag/conv"
+)
+
+type token struct {
+	stdjson.Token
+}
+
+func (t token) String() string {
+	if t == invalidToken {
+		return "invalid token"
+	}
+	if t == eofToken {
+		return "EOF"
+	}
+
+	return fmt.Sprintf("%v", t.Token)
+}
+
+func (t token) Kind() tokenKind {
+	switch t.Token.(type) {
+	case nil:
+		return tokenNull
+	case stdjson.Delim:
+		return tokenDelim
+	case bool:
+		return tokenBool
+	case float64:
+		return tokenFloat
+	case stdjson.Number:
+		return tokenNumber
+	case string:
+		return tokenString
+	default:
+		return tokenUndef
+	}
+}
+
+func (t token) Delim() byte {
+	r, ok := t.Token.(stdjson.Delim)
+	if !ok {
+		return 0
+	}
+
+	return byte(r)
+}
+
+type tokenKind uint8
+
+const (
+	tokenUndef tokenKind = iota
+	tokenString
+	tokenNumber
+	tokenFloat
+	tokenBool
+	tokenNull
+	tokenDelim
+)
+
+var (
+	invalidToken = token{
+		Token: stdjson.Token(struct{}{}),
+	}
+
+	eofToken = token{
+		Token: stdjson.Token(&struct{}{}),
+	}
+
+	undefToken = token{
+		Token: stdjson.Token(uint8(0)),
+	}
+)
+
+// jlexer apes easyjson's jlexer, but uses the standard library decoder under the hood.
+type jlexer struct {
+	buf *bytesReader
+	dec *stdjson.Decoder
+	err error
+	// current token
+	next token
+	// started bool
+}
+
+type bytesReader struct {
+	buf    []byte
+	offset int
+}
+
+func (b *bytesReader) Reset() {
+	b.buf = nil
+	b.offset = 0
+}
+
+func (b *bytesReader) Read(p []byte) (int, error) {
+	if b.offset >= len(b.buf) {
+		return 0, io.EOF
+	}
+
+	n := len(p)
+	buf := b.buf[b.offset:]
+	m := len(buf)
+
+	if n >= m {
+		copy(p, buf)
+		b.offset += m
+
+		return m, nil
+	}
+
+	copy(p, buf[:n])
+	b.offset += n
+
+	return n, nil
+}
+
+var _ io.Reader = &bytesReader{}
+
+func newLexer(data []byte) *jlexer {
+	l := &jlexer{
+		// current: undefToken,
+		next: undefToken,
+	}
+	l.buf = &bytesReader{
+		buf: data,
+	}
+	l.dec = stdjson.NewDecoder(l.buf) // unfortunately, cannot pool this
+
+	return l
+}
+
+func (l *jlexer) Reset() {
+	l.err = nil
+	l.next = undefToken
+	// leave l.dec and l.buf alone, since they are replaced at every Borrow
+}
+
+func (l *jlexer) Error() error {
+	return l.err
+}
+
+func (l *jlexer) SetErr(err error) {
+	l.err = err
+}
+
+func (l *jlexer) Ok() bool {
+	return l.err == nil
+}
+
+// NextToken consumes a token
+func (l *jlexer) NextToken() token {
+	if !l.Ok() {
+		return invalidToken
+	}
+
+	if l.next != undefToken {
+		next := l.next
+		l.next = undefToken
+
+		return next
+	}
+
+	return l.fetchToken()
+}
+
+// PeekToken returns the next token without consuming it
+func (l *jlexer) PeekToken() token {
+	if l.next == undefToken {
+		l.next = l.fetchToken()
+	}
+
+	return l.next
+}
+
+func (l *jlexer) Skip() {
+	_ = l.NextToken()
+}
+
+func (l *jlexer) IsDelim(c byte) bool {
+	if !l.Ok() {
+		return false
+	}
+
+	next := l.PeekToken()
+	if next.Kind() != tokenDelim {
+		return false
+	}
+
+	if next.Delim() != c {
+		return false
+	}
+
+	return true
+}
+
+func (l *jlexer) IsNull() bool {
+	if !l.Ok() {
+		return false
+	}
+
+	next := l.PeekToken()
+
+	return next.Kind() == tokenNull
+}
+
+func (l *jlexer) Delim(c byte) {
+	if !l.Ok() {
+		return
+	}
+
+	tok := l.NextToken()
+	if tok.Kind() != tokenDelim {
+		l.err = fmt.Errorf("expected a delimiter token but got '%v': %w", tok, ErrStdlib)
+
+		return
+	}
+
+	if tok.Delim() != c {
+		l.err = fmt.Errorf("expected delimiter '%q' but got '%q': %w", c, tok.Delim(), ErrStdlib)
+	}
+}
+
+func (l *jlexer) Null() {
+	if !l.Ok() {
+		return
+	}
+
+	tok := l.NextToken()
+	if tok.Kind() != tokenNull {
+		l.err = fmt.Errorf("expected a null token but got '%v': %w", tok, ErrStdlib)
+	}
+}
+
+func (l *jlexer) Number() any {
+	if !l.Ok() {
+		return 0
+	}
+
+	tok := l.NextToken()
+
+	switch tok.Kind() { //nolint:exhaustive
+	case tokenNumber:
+		n := tok.Token.(stdjson.Number).String()
+		f, _ := strconv.ParseFloat(n, 64)
+		if conv.IsFloat64AJSONInteger(f) {
+			return int64(math.Trunc(f))
+		}
+
+		return f
+
+	case tokenFloat:
+		f := tok.Token.(float64)
+		if conv.IsFloat64AJSONInteger(f) {
+			return int64(math.Trunc(f))
+		}
+
+		return f
+
+	default:
+		l.err = fmt.Errorf("expected a number token but got '%v': %w", tok, ErrStdlib)
+
+		return 0
+	}
+}
+
+func (l *jlexer) Bool() bool {
+	if !l.Ok() {
+		return false
+	}
+
+	tok := l.NextToken()
+	if tok.Kind() != tokenBool {
+		l.err = fmt.Errorf("expected a bool token but got '%v': %w", tok, ErrStdlib)
+
+		return false
+	}
+
+	return tok.Token.(bool)
+}
+
+func (l *jlexer) String() string {
+	if !l.Ok() {
+		return ""
+	}
+
+	tok := l.NextToken()
+	if tok.Kind() != tokenString {
+		l.err = fmt.Errorf("expected a string token but got '%v': %w", tok, ErrStdlib)
+
+		return ""
+	}
+
+	return tok.Token.(string)
+}
+
+// Commas and colons are elided.
+func (l *jlexer) fetchToken() token {
+	jtok, err := l.dec.Token()
+	if err != nil {
+		if errors.Is(err, io.EOF) {
+			return eofToken
+		}
+
+		l.err = errors.Join(err, ErrStdlib)
+		return invalidToken
+	}
+
+	return token{Token: jtok}
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go
new file mode 100644
index 0000000000..54deef406f
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go
@@ -0,0 +1,266 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package json
+
+import (
+	stdjson "encoding/json"
+	"fmt"
+	"iter"
+
+	"github.com/go-openapi/swag/jsonutils/adapters/ifaces"
+)
+
+var _ ifaces.OrderedMap = &MapSlice{}
+
+// MapSlice represents a JSON object, with the order of keys maintained.
+type MapSlice []MapItem
+
+func (s MapSlice) OrderedItems() iter.Seq2[string, any] {
+	return func(yield func(string, any) bool) {
+		for _, item := range s {
+			if !yield(item.Key, item.Value) {
+				return
+			}
+		}
+	}
+}
+
+func (s *MapSlice) SetOrderedItems(items iter.Seq2[string, any]) {
+	if items == nil {
+		*s = nil
+
+		return
+	}
+
+	m := *s
+	if len(m) > 0 {
+		// update mode
+		idx := make(map[string]int, len(m))
+
+		for i, item := range m {
+			idx[item.Key] = i
+		}
+
+		for k, v := range items {
+			idx, ok := idx[k]
+			if ok {
+				m[idx].Value = v
+
+				continue
+			}
+			m = append(m, MapItem{Key: k, Value: v})
+		}
+
+		*s = m
+
+		return
+	}
+
+	for k, v := range items {
+		m = append(m, MapItem{Key: k, Value: v})
+	}
+
+	*s = m
+}
+
+// MarshalJSON renders a [MapSlice] as JSON bytes, preserving the order of keys.
+func (s MapSlice) MarshalJSON() ([]byte, error) {
+	return s.OrderedMarshalJSON()
+}
+
+func (s MapSlice) OrderedMarshalJSON() ([]byte, error) {
+	w := poolOfWriters.Borrow()
+	defer func() {
+		poolOfWriters.Redeem(w)
+	}()
+
+	s.marshalObject(w)
+
+	return w.BuildBytes() // this clones data, so it's okay to redeem the writer and its buffer
+}
+
+// UnmarshalJSON builds a [MapSlice] from JSON bytes, preserving the order of keys.
+//
+// Inner objects are unmarshaled as [MapSlice] slices and not map[string]any.
+func (s *MapSlice) UnmarshalJSON(data []byte) error {
+	return s.OrderedUnmarshalJSON(data)
+}
+
+func (s *MapSlice) OrderedUnmarshalJSON(data []byte) error {
+	l := poolOfLexers.Borrow(data)
+	defer func() {
+		poolOfLexers.Redeem(l)
+	}()
+
+	s.unmarshalObject(l)
+
+	return l.Error()
+}
+
+func (s MapSlice) marshalObject(w *jwriter) {
+	if s == nil {
+		w.RawString("null")
+
+		return
+	}
+
+	w.RawByte('{')
+
+	if len(s) == 0 {
+		w.RawByte('}')
+
+		return
+	}
+
+	s[0].marshalJSON(w)
+
+	for i := 1; i < len(s); i++ {
+		w.RawByte(',')
+		s[i].marshalJSON(w)
+	}
+
+	w.RawByte('}')
+}
+
+func (s *MapSlice) unmarshalObject(in *jlexer) {
+	if in.IsNull() {
+		in.Skip()
+
+		return
+	}
+
+	in.Delim('{') // consume token
+	if !in.Ok() {
+		return
+	}
+
+	result := make(MapSlice, 0)
+
+	for in.Ok() && !in.IsDelim('}') {
+		var mi MapItem
+
+		mi.unmarshalKeyValue(in)
+		result = append(result, mi)
+	}
+
+	in.Delim('}')
+
+	if !in.Ok() {
+		return
+	}
+
+	*s = result
+}
+
+// MapItem represents the value of a key in a JSON object held by [MapSlice].
+//
+// Notice that [MapItem] should not be marshaled to or unmarshaled from JSON directly,
+// use this type as part of a [MapSlice] when dealing with JSON bytes.
+type MapItem struct {
+	Key   string
+	Value any
+}
+
+func (s MapItem) marshalJSON(w *jwriter) {
+	w.String(s.Key)
+	w.RawByte(':')
+	w.Raw(stdjson.Marshal(s.Value))
+}
+
+func (s *MapItem) unmarshalKeyValue(in *jlexer) {
+	key := in.String()         // consume string
+	value := s.asInterface(in) // consume any value, including termination tokens '}' or ']'
+
+	if !in.Ok() {
+		return
+	}
+
+	s.Key = key
+	s.Value = value
+}
+
+func (s *MapItem) unmarshalArray(in *jlexer) []any {
+	if in.IsNull() {
+		in.Skip()
+
+		return nil
+	}
+
+	in.Delim('[') // consume token
+	if !in.Ok() {
+		return nil
+	}
+
+	ret := make([]any, 0)
+
+	for in.Ok() && !in.IsDelim(']') {
+		ret = append(ret, s.asInterface(in))
+	}
+
+	in.Delim(']')
+	if !in.Ok() {
+		return nil
+	}
+
+	return ret
+}
+
+// asInterface is very much like [jlexer.Lexer.Interface], but unmarshals an object
+// into a [MapSlice], not a map[string]any.
+//
+// We have to force parsing errors somehow, since [jlexer.Lexer] doesn't let us
+// set a parsing error directly.
+func (s *MapItem) asInterface(in *jlexer) any {
+	if !in.Ok() {
+		return nil
+	}
+
+	tok := in.PeekToken() // look-ahead what the next token looks like
+	kind := tok.Kind()
+
+	switch kind {
+	case tokenString:
+		return in.String() // consume string
+
+	case tokenNumber, tokenFloat:
+		return in.Number()
+
+	case tokenBool:
+		return in.Bool()
+
+	case tokenNull:
+		in.Null()
+
+		return nil
+
+	case tokenDelim:
+		switch tok.Delim() {
+		case '{': // not consumed yet
+			ret := make(MapSlice, 0)
+			ret.unmarshalObject(in) // consumes the terminating '}'
+
+			if in.Ok() {
+				return ret
+			}
+
+			// lexer is in an error state: will exhaust
+			return nil
+
+		case '[': // not consumed yet
+			return s.unmarshalArray(in) // consumes the terminating ']'
+		default:
+			in.SetErr(fmt.Errorf("unexpected delimiter: %v: %w", tok, ErrStdlib)) // force error
+			return nil
+		}
+
+	case tokenUndef:
+		fallthrough
+	default:
+		if in.Ok() {
+			in.SetErr(fmt.Errorf("unexpected token: %v: %w", tok, ErrStdlib)) // force error
+		}
+
+		return nil
+	}
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go
new file mode 100644
index 0000000000..709b97c304
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go
@@ -0,0 +1,143 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package json
+
+import (
+	"encoding/json"
+	"sync"
+
+	"github.com/go-openapi/swag/jsonutils/adapters/ifaces"
+)
+
+type adaptersPool struct {
+	sync.Pool
+}
+
+func (p *adaptersPool) Borrow() *Adapter {
+	return p.Get().(*Adapter)
+}
+
+func (p *adaptersPool) BorrowIface() ifaces.Adapter {
+	return p.Get().(*Adapter)
+}
+
+func (p *adaptersPool) Redeem(a *Adapter) {
+	p.Put(a)
+}
+
+type writersPool struct {
+	sync.Pool
+}
+
+func (p *writersPool) Borrow() *jwriter {
+	ptr := p.Get()
+
+	jw := ptr.(*jwriter)
+	jw.Reset()
+
+	return jw
+}
+
+func (p *writersPool) Redeem(w *jwriter) {
+	p.Put(w)
+}
+
+type lexersPool struct {
+	sync.Pool
+}
+
+func (p *lexersPool) Borrow(data []byte) *jlexer {
+	ptr := p.Get()
+
+	l := ptr.(*jlexer)
+	l.buf = poolOfReaders.Borrow(data)
+	l.dec = json.NewDecoder(l.buf) // cannot pool, not exposed by the encoding/json API
+	l.Reset()
+
+	return l
+}
+
+func (p *lexersPool) Redeem(l *jlexer) {
+	l.dec = nil
+	discard := l.buf
+	l.buf = nil
+	poolOfReaders.Redeem(discard)
+	p.Put(l)
+}
+
+type readersPool struct {
+	sync.Pool
+}
+
+func (p *readersPool) Borrow(data []byte) *bytesReader {
+	ptr := p.Get()
+
+	b := ptr.(*bytesReader)
+	b.Reset()
+	b.buf = data
+
+	return b
+}
+
+func (p *readersPool) Redeem(b *bytesReader) {
+	p.Put(b)
+}
+
+var (
+	poolOfAdapters = &adaptersPool{
+		Pool: sync.Pool{
+			New: func() any {
+				return NewAdapter()
+			},
+		},
+	}
+
+	poolOfWriters = &writersPool{
+		Pool: sync.Pool{
+			New: func() any {
+				return newJWriter()
+			},
+		},
+	}
+
+	poolOfLexers = &lexersPool{
+		Pool: sync.Pool{
+			New: func() any {
+				return newLexer(nil)
+			},
+		},
+	}
+
+	poolOfReaders = &readersPool{
+		Pool: sync.Pool{
+			New: func() any {
+				return &bytesReader{}
+			},
+		},
+	}
+)
+
+// BorrowAdapter borrows an [Adapter] from the pool, recycling already allocated instances.
+func BorrowAdapter() *Adapter {
+	return poolOfAdapters.Borrow()
+}
+
+// BorrowAdapterIface borrows a stdlib [Adapter] and converts it directly
+// to [ifaces.Adapter]. This is useful to avoid further allocations when
+// translating the concrete type into an interface.
+func BorrowAdapterIface() ifaces.Adapter {
+	return poolOfAdapters.BorrowIface()
+}
+
+// RedeemAdapter redeems an [Adapter] to the pool, so it may be recycled.
+func RedeemAdapter(a *Adapter) {
+	poolOfAdapters.Redeem(a)
+}
+
+func RedeemAdapterIface(a ifaces.Adapter) {
+	concrete, ok := a.(*Adapter)
+	if ok {
+		poolOfAdapters.Redeem(concrete)
+	}
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go
new file mode 100644
index 0000000000..fc8818694e
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go
@@ -0,0 +1,26 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package json
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/go-openapi/swag/jsonutils/adapters/ifaces"
+)
+
+func Register(dispatcher ifaces.Registrar) {
+	t := reflect.TypeOf(Adapter{})
+	dispatcher.RegisterFor(
+		ifaces.RegistryEntry{
+			Who:         fmt.Sprintf("%s.%s", t.PkgPath(), t.Name()),
+			What:        ifaces.AllCapabilities,
+			Constructor: BorrowAdapterIface,
+			Support:     support,
+		})
+}
+
+func support(_ ifaces.Capability, _ any) bool {
+	return true
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go
new file mode 100644
index 0000000000..dc2325c1a3
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go
@@ -0,0 +1,75 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package json
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+)
+
+type jwriter struct {
+	buf *bytes.Buffer
+	err error
+}
+
+func newJWriter() *jwriter {
+	buf := make([]byte, 0, sensibleBufferSize)
+
+	return &jwriter{buf: bytes.NewBuffer(buf)}
+}
+
+func (w *jwriter) Reset() {
+	w.buf.Reset()
+	w.err = nil
+}
+
+func (w *jwriter) RawString(s string) {
+	if w.err != nil {
+		return
+	}
+	w.buf.WriteString(s)
+}
+
+func (w *jwriter) Raw(b []byte, err error) {
+	if w.err != nil {
+		return
+	}
+	if err != nil {
+		w.err = err
+		return
+	}
+
+	_, _ = w.buf.Write(b)
+}
+
+func (w *jwriter) RawByte(c byte) {
+	if w.err != nil {
+		return
+	}
+	w.buf.WriteByte(c)
+}
+
+var quoteReplacer = strings.NewReplacer(`"`, `\"`, `\`, `\\`)
+
+func (w *jwriter) String(s string) {
+	if w.err != nil {
+		return
+	}
+	// escape quotes and \
+	s = quoteReplacer.Replace(s)
+
+	_ = w.buf.WriteByte('"')
+	json.HTMLEscape(w.buf, []byte(s))
+	_ = w.buf.WriteByte('"')
+}
+
+// BuildBytes returns a clone of the internal buffer.
+func (w *jwriter) BuildBytes() ([]byte, error) {
+	if w.err != nil {
+		return nil, w.err
+	}
+
+	return bytes.Clone(w.buf.Bytes()), nil
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/concat.go b/vendor/github.com/go-openapi/swag/jsonutils/concat.go
new file mode 100644
index 0000000000..2068503af0
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/concat.go
@@ -0,0 +1,92 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package jsonutils
+
+import (
+	"bytes"
+)
+
+// nullJSON represents a JSON object with null type
+var nullJSON = []byte("null")
+
+const comma = byte(',')
+
+var closers map[byte]byte
+
+func init() {
+	closers = map[byte]byte{
+		'{': '}',
+		'[': ']',
+	}
+}
+
+// ConcatJSON concatenates multiple json objects or arrays efficiently.
+//
+// Note that [ConcatJSON] performs a very simple (and fast) concatenation
+// operation: it does not attempt to merge objects.
+func ConcatJSON(blobs ...[]byte) []byte {
+	if len(blobs) == 0 {
+		return nil
+	}
+
+	last := len(blobs) - 1
+	for blobs[last] == nil || bytes.Equal(blobs[last], nullJSON) {
+		// strips trailing null objects
+		last--
+		if last < 0 {
+			// there was nothing but "null"s or nil...
+			return nil
+		}
+	}
+	if last == 0 {
+		return blobs[0]
+	}
+
+	var opening, closing byte
+	var idx, a int
+	buf := bytes.NewBuffer(nil)
+
+	for i, b := range blobs[:last+1] {
+		if b == nil || bytes.Equal(b, nullJSON) {
+			// a null object is in the list: skip it
+			continue
+		}
+		if len(b) > 0 && opening == 0 { // is this an array or an object?
+			opening, closing = b[0], closers[b[0]]
+		}
+
+		if opening != '{' && opening != '[' {
+			continue // don't know how to concatenate non container objects
+		}
+
+		const minLengthIfNotEmpty = 3
+		if len(b) < minLengthIfNotEmpty { // yep empty but also the last one, so closing this thing
+			if i == last && a > 0 {
+				_ = buf.WriteByte(closing) // never returns err != nil
+			}
+			continue
+		}
+
+		idx = 0
+		if a > 0 { // we need to join with a comma for everything beyond the first non-empty item
+			_ = buf.WriteByte(comma) // never returns err != nil
+			idx = 1                  // this is not the first or the last so we want to drop the leading bracket
+		}
+
+		if i != last { // not the last one, strip brackets
+			_, _ = buf.Write(b[idx : len(b)-1]) // never returns err != nil
+		} else { // last one, strip only the leading bracket
+			_, _ = buf.Write(b[idx:])
+		}
+		a++
+	}
+
+	// somehow it ended up being empty, so provide a default value
+	if buf.Len() == 0 && (opening == '{' || opening == '[') {
+		_ = buf.WriteByte(opening) // never returns err != nil
+		_ = buf.WriteByte(closing)
+	}
+
+	return buf.Bytes()
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/doc.go b/vendor/github.com/go-openapi/swag/jsonutils/doc.go
new file mode 100644
index 0000000000..3926cc58d1
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/doc.go
@@ -0,0 +1,7 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package jsonutils provides helpers to work with JSON.
+//
+// These utilities work with dynamic go structures to and from JSON.
+package jsonutils
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/json.go b/vendor/github.com/go-openapi/swag/jsonutils/json.go
new file mode 100644
index 0000000000..40753ce03f
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/json.go
@@ -0,0 +1,116 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package jsonutils
+
+import (
+	"bytes"
+	"encoding/json"
+
+	"github.com/go-openapi/swag/jsonutils/adapters"
+	"github.com/go-openapi/swag/jsonutils/adapters/ifaces"
+)
+
+// WriteJSON marshals a data structure as JSON.
+//
+// The difference with [json.Marshal] is that it may check among several alternatives
+// to do so.
+//
+// See [adapters.Registrar] for more details about how to configure
+// multiple serialization alternatives.
+//
+// NOTE: to allow types that are [easyjson.Marshaler] s to use that route to process JSON,
+// you now need to register the adapter for easyjson at runtime.
+func WriteJSON(value any) ([]byte, error) {
+	if orderedMap, isOrdered := value.(ifaces.Ordered); isOrdered {
+		orderedMarshaler := adapters.OrderedMarshalAdapterFor(orderedMap)
+
+		if orderedMarshaler != nil {
+			defer orderedMarshaler.Redeem()
+
+			return orderedMarshaler.OrderedMarshal(orderedMap)
+		}
+
+		// no support found in registered adapters, fallback to the default (unordered) case
+	}
+
+	marshaler := adapters.MarshalAdapterFor(value)
+	if marshaler != nil {
+		defer marshaler.Redeem()
+
+		return marshaler.Marshal(value)
+	}
+
+	// no support found in registered adapters, fallback to the default standard library.
+	//
+	// This only happens when tinkering with the global registry of adapters, since the default handles all the above cases.
+	return json.Marshal(value) // Codecov ignore // this is a safeguard not easily simulated in tests
+}
+
+// ReadJSON unmarshals JSON data into a data structure.
+//
+// The difference with [json.Unmarshal] is that it may check among several alternatives
+// to do so.
+//
+// See [adapters.Registrar] for more details about how to configure
+// multiple serialization alternatives.
+//
+// NOTE: value must be a pointer.
+//
+// If the provided value implements [ifaces.SetOrdered], it is a considered an "ordered map" and [ReadJSON]
+// will favor an adapter that supports the [ifaces.OrderedUnmarshal] feature, or fallback to
+// an unordered behavior if none is found.
+//
+// NOTE: to allow types that are [easyjson.Unmarshaler] s to use that route to process JSON,
+// you now need to register the adapter for easyjson at runtime.
+func ReadJSON(data []byte, value any) error {
+	trimmedData := bytes.Trim(data, "\x00")
+
+	if orderedMap, isOrdered := value.(ifaces.SetOrdered); isOrdered {
+		// if the value is an ordered map, favors support for OrderedUnmarshal.
+
+		orderedUnmarshaler := adapters.OrderedUnmarshalAdapterFor(orderedMap)
+
+		if orderedUnmarshaler != nil {
+			defer orderedUnmarshaler.Redeem()
+
+			return orderedUnmarshaler.OrderedUnmarshal(trimmedData, orderedMap)
+		}
+
+		// no support found in registered adapters, fallback to the default (unordered) case
+	}
+
+	unmarshaler := adapters.UnmarshalAdapterFor(value)
+	if unmarshaler != nil {
+		defer unmarshaler.Redeem()
+
+		return unmarshaler.Unmarshal(trimmedData, value)
+	}
+
+	// no support found in registered adapters, fallback to the default standard library.
+	//
+	// This only happens when tinkering with the global registry of adapters, since the default handles all the above cases.
+	return json.Unmarshal(trimmedData, value) // Codecov ignore // this is a safeguard not easily simulated in tests
+}
+
+// FromDynamicJSON turns a go value into a properly JSON typed structure.
+//
+// "Dynamic JSON" refers to what you get when unmarshaling JSON into an untyped any,
+// i.e. objects are represented by map[string]any, arrays by []any, and
+// all numbers are represented as float64.
+//
+// NOTE: target must be a pointer.
+//
+// # Maintaining the order of keys in objects
+//
+// If source and target implement [ifaces.Ordered] and [ifaces.SetOrdered] respectively,
+// they are considered "ordered maps" and the order of keys is maintained in the
+// "jsonification" process. In that case, map[string]any values are replaced by (ordered) [JSONMapSlice] ones.
+func FromDynamicJSON(source, target any) error {
+	b, err := WriteJSON(source)
+	if err != nil {
+		return err
+	}
+
+	return ReadJSON(b, target)
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go b/vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go
new file mode 100644
index 0000000000..38dd3e2444
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go
@@ -0,0 +1,114 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package jsonutils
+
+import (
+	"iter"
+
+	"github.com/go-openapi/swag/jsonutils/adapters"
+	"github.com/go-openapi/swag/typeutils"
+)
+
+// JSONMapSlice represents a JSON object, with the order of keys maintained.
+//
+// It behaves like an ordered map, but keys can't be accessed in constant time.
+type JSONMapSlice []JSONMapItem
+
+// OrderedItems iterates over all (key,value) pairs with the order of keys maintained.
+//
+// This implements the [ifaces.Ordered] interface, so that [ifaces.Adapter] s know how to marshal
+// keys in the desired order.
+func (s JSONMapSlice) OrderedItems() iter.Seq2[string, any] {
+	return func(yield func(string, any) bool) {
+		for _, item := range s {
+			if !yield(item.Key, item.Value) {
+				return
+			}
+		}
+	}
+}
+
+// SetOrderedItems sets keys in the [JSONMapSlice] objects, as presented by
+// the provided iterator.
+//
+// As a special case, if items is nil, this sets to receiver to a nil slice.
+//
+// This implements the [ifaces.SetOrdered] interface, so that [ifaces.Adapter] s know how to unmarshal
+// keys in the desired order.
+func (s *JSONMapSlice) SetOrderedItems(items iter.Seq2[string, any]) {
+	if items == nil {
+		// force receiver to be a nil slice
+		*s = nil
+
+		return
+	}
+
+	m := *s
+	if len(m) > 0 {
+		// update mode: short-circuited when unmarshaling fresh data structures
+		idx := make(map[string]int, len(m))
+
+		for i, item := range m {
+			idx[item.Key] = i
+		}
+
+		for k, v := range items {
+			idx, ok := idx[k]
+			if ok {
+				m[idx].Value = v
+
+				continue
+			}
+
+			m = append(m, JSONMapItem{Key: k, Value: v})
+		}
+
+		*s = m
+
+		return
+	}
+
+	for k, v := range items {
+		m = append(m, JSONMapItem{Key: k, Value: v})
+	}
+
+	*s = m
+}
+
+// MarshalJSON renders a [JSONMapSlice] as JSON bytes, preserving the order of keys.
+//
+// It will pick the JSON library currently configured by the [adapters.Registry] (defaults to the standard library).
+func (s JSONMapSlice) MarshalJSON() ([]byte, error) {
+	orderedMarshaler := adapters.OrderedMarshalAdapterFor(s)
+	defer orderedMarshaler.Redeem()
+
+	return orderedMarshaler.OrderedMarshal(s)
+}
+
+// UnmarshalJSON builds a [JSONMapSlice] from JSON bytes, preserving the order of keys.
+//
+// Inner objects are unmarshaled as ordered [JSONMapSlice] slices and not map[string]any.
+//
+// It will pick the JSON library currently configured by the [adapters.Registry] (defaults to the standard library).
+func (s *JSONMapSlice) UnmarshalJSON(data []byte) error {
+	if typeutils.IsNil(*s) {
+		// allow to unmarshal with a simple var declaration (nil slice)
+		*s = JSONMapSlice{}
+	}
+
+	orderedUnmarshaler := adapters.OrderedUnmarshalAdapterFor(s)
+	defer orderedUnmarshaler.Redeem()
+
+	return orderedUnmarshaler.OrderedUnmarshal(data, s)
+}
+
+// JSONMapItem represents the value of a key in a JSON object held by [JSONMapSlice].
+//
+// Notice that JSONMapItem should not be marshaled to or unmarshaled from JSON directly.
+//
+// Use this type as part of a [JSONMapSlice] when dealing with JSON bytes.
+type JSONMapItem struct {
+	Key   string
+	Value any
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonutils_iface.go b/vendor/github.com/go-openapi/swag/jsonutils_iface.go
new file mode 100644
index 0000000000..7bd4105fa5
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonutils_iface.go
@@ -0,0 +1,65 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import (
+	"log"
+
+	"github.com/go-openapi/swag/jsonutils"
+)
+
+// JSONMapSlice represents a JSON object, with the order of keys maintained
+//
+// Deprecated: use [jsonutils.JSONMapSlice] instead, or [yamlutils.YAMLMapSlice] if you marshal YAML.
+type JSONMapSlice = jsonutils.JSONMapSlice
+
+// JSONMapItem represents a JSON object, with the order of keys maintained
+//
+// Deprecated: use [jsonutils.JSONMapItem] instead.
+type JSONMapItem = jsonutils.JSONMapItem
+
+// WriteJSON writes json data.
+//
+// Deprecated: use [jsonutils.WriteJSON] instead.
+func WriteJSON(data any) ([]byte, error) { return jsonutils.WriteJSON(data) }
+
+// ReadJSON reads json data.
+//
+// Deprecated: use [jsonutils.ReadJSON] instead.
+func ReadJSON(data []byte, value any) error { return jsonutils.ReadJSON(data, value) }
+
+// DynamicJSONToStruct converts an untyped JSON structure into a target data type.
+//
+// Deprecated: use [jsonutils.FromDynamicJSON] instead.
+func DynamicJSONToStruct(data any, target any) error {
+	return jsonutils.FromDynamicJSON(data, target)
+}
+
+// ConcatJSON concatenates multiple JSON objects efficiently.
+//
+// Deprecated: use [jsonutils.ConcatJSON] instead.
+func ConcatJSON(blobs ...[]byte) []byte { return jsonutils.ConcatJSON(blobs...) }
+
+// ToDynamicJSON turns a go value into a properly JSON untyped structure.
+//
+// It is the same as [FromDynamicJSON], but doesn't check for errors.
+//
+// Deprecated: this function is a misnomer and is unsafe. Use [jsonutils.FromDynamicJSON] instead.
+func ToDynamicJSON(value any) any {
+	var res any
+	if err := FromDynamicJSON(value, &res); err != nil {
+		log.Println(err)
+	}
+
+	return res
+}
+
+// FromDynamicJSON turns a go value into a properly JSON typed structure.
+//
+// "Dynamic JSON" refers to what you get when unmarshaling JSON into an untyped any,
+// i.e. objects are represented by map[string]any, arrays by []any, and all
+// scalar values are any.
+//
+// Deprecated: use [jsonutils.FromDynamicJSON] instead.
+func FromDynamicJSON(data, target any) error { return jsonutils.FromDynamicJSON(data, target) }
diff --git a/vendor/github.com/go-openapi/swag/loading/LICENSE b/vendor/github.com/go-openapi/swag/loading/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/loading/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/loading/doc.go b/vendor/github.com/go-openapi/swag/loading/doc.go
new file mode 100644
index 0000000000..8cf7bcb8b9
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/loading/doc.go
@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package loading provides tools to load a file from http or from a local file system.
+package loading
diff --git a/vendor/github.com/go-openapi/swag/loading/errors.go b/vendor/github.com/go-openapi/swag/loading/errors.go
new file mode 100644
index 0000000000..b3964289c7
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/loading/errors.go
@@ -0,0 +1,15 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package loading
+
+type loadingError string
+
+const (
+	// ErrLoader is an error raised by the file loader utility
+	ErrLoader loadingError = "loader error"
+)
+
+func (e loadingError) Error() string {
+	return string(e)
+}
diff --git a/vendor/github.com/go-openapi/swag/loading/json.go b/vendor/github.com/go-openapi/swag/loading/json.go
new file mode 100644
index 0000000000..59db12f5cf
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/loading/json.go
@@ -0,0 +1,25 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package loading
+
+import (
+	"encoding/json"
+	"errors"
+	"path/filepath"
+)
+
+// JSONMatcher matches json for a file loader.
+func JSONMatcher(path string) bool {
+	ext := filepath.Ext(path)
+	return ext == ".json" || ext == ".jsn" || ext == ".jso"
+}
+
+// JSONDoc loads a json document from either a file or a remote url.
+func JSONDoc(path string, opts ...Option) (json.RawMessage, error) {
+	data, err := LoadFromFileOrHTTP(path, opts...)
+	if err != nil {
+		return nil, errors.Join(err, ErrLoader)
+	}
+	return json.RawMessage(data), nil
+}
diff --git a/vendor/github.com/go-openapi/swag/loading.go b/vendor/github.com/go-openapi/swag/loading/loading.go
similarity index 61%
rename from vendor/github.com/go-openapi/swag/loading.go
rename to vendor/github.com/go-openapi/swag/loading/loading.go
index 658a24b789..269fb74d16 100644
--- a/vendor/github.com/go-openapi/swag/loading.go
+++ b/vendor/github.com/go-openapi/swag/loading/loading.go
@@ -1,54 +1,26 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
 
-package swag
+package loading
 
 import (
+	"context"
+	"embed"
 	"fmt"
 	"io"
 	"log"
 	"net/http"
 	"net/url"
-	"os"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
-	"time"
 )
 
-// LoadHTTPTimeout the default timeout for load requests
-var LoadHTTPTimeout = 30 * time.Second
-
-// LoadHTTPBasicAuthUsername the username to use when load requests require basic auth
-var LoadHTTPBasicAuthUsername = ""
-
-// LoadHTTPBasicAuthPassword the password to use when load requests require basic auth
-var LoadHTTPBasicAuthPassword = ""
-
-// LoadHTTPCustomHeaders an optional collection of custom HTTP headers for load requests
-var LoadHTTPCustomHeaders = map[string]string{}
-
 // LoadFromFileOrHTTP loads the bytes from a file or a remote http server based on the path passed in
-func LoadFromFileOrHTTP(pth string) ([]byte, error) {
-	return LoadStrategy(pth, os.ReadFile, loadHTTPBytes(LoadHTTPTimeout))(pth)
-}
-
-// LoadFromFileOrHTTPWithTimeout loads the bytes from a file or a remote http server based on the path passed in
-// timeout arg allows for per request overriding of the request timeout
-func LoadFromFileOrHTTPWithTimeout(pth string, timeout time.Duration) ([]byte, error) {
-	return LoadStrategy(pth, os.ReadFile, loadHTTPBytes(timeout))(pth)
+func LoadFromFileOrHTTP(pth string, opts ...Option) ([]byte, error) {
+	o := optionsWithDefaults(opts)
+	return LoadStrategy(pth, o.ReadFileFunc(), loadHTTPBytes(opts...), opts...)(pth)
 }
 
 // LoadStrategy returns a loader function for a given path or URI.
@@ -81,10 +53,12 @@ func LoadFromFileOrHTTPWithTimeout(pth string, timeout time.Duration) ([]byte, e
 // - `file://host/folder/file` becomes an UNC path like `\\host\folder\file` (no port specification is supported)
 // - `file:///c:/folder/file` becomes `C:\folder\file`
 // - `file://c:/folder/file` is tolerated (without leading `/`) and becomes `c:\folder\file`
-func LoadStrategy(pth string, local, remote func(string) ([]byte, error)) func(string) ([]byte, error) {
+func LoadStrategy(pth string, local, remote func(string) ([]byte, error), opts ...Option) func(string) ([]byte, error) {
 	if strings.HasPrefix(pth, "http") {
 		return remote
 	}
+	o := optionsWithDefaults(opts)
+	_, isEmbedFS := o.fs.(embed.FS)
 
 	return func(p string) ([]byte, error) {
 		upth, err := url.PathUnescape(p)
@@ -92,19 +66,19 @@ func LoadStrategy(pth string, local, remote func(string) ([]byte, error)) func(s
 			return nil, err
 		}
 
-		if !strings.HasPrefix(p, `file://`) {
+		cpth, hasPrefix := strings.CutPrefix(upth, "file://")
+		if !hasPrefix || isEmbedFS || runtime.GOOS != "windows" {
+			// crude processing: trim the file:// prefix. This leaves full URIs with a host with a (mostly) unexpected result
 			// regular file path provided: just normalize slashes
-			return local(filepath.FromSlash(upth))
-		}
-
-		if runtime.GOOS != "windows" {
-			// crude processing: this leaves full URIs with a host with a (mostly) unexpected result
-			upth = strings.TrimPrefix(upth, `file://`)
+			if isEmbedFS {
+				// on windows, we need to slash the path if FS is an embed FS.
+				return local(strings.TrimLeft(filepath.ToSlash(cpth), "./")) // remove invalid leading characters for embed FS
+			}
 
-			return local(filepath.FromSlash(upth))
+			return local(filepath.FromSlash(cpth))
 		}
 
-		// windows-only pre-processing of file://... URIs
+		// windows-only pre-processing of file://... URIs, excluding embed.FS
 
 		// support for canonical file URIs on windows.
 		u, err := url.Parse(filepath.ToSlash(upth))
@@ -139,19 +113,29 @@ func LoadStrategy(pth string, local, remote func(string) ([]byte, error)) func(s
 	}
 }
 
-func loadHTTPBytes(timeout time.Duration) func(path string) ([]byte, error) {
+func loadHTTPBytes(opts ...Option) func(path string) ([]byte, error) {
+	o := optionsWithDefaults(opts)
+
 	return func(path string) ([]byte, error) {
-		client := &http.Client{Timeout: timeout}
-		req, err := http.NewRequest(http.MethodGet, path, nil) //nolint:noctx
+		client := o.client
+		timeoutCtx := context.Background()
+		var cancel func()
+
+		if o.httpTimeout > 0 {
+			timeoutCtx, cancel = context.WithTimeout(timeoutCtx, o.httpTimeout)
+			defer cancel()
+		}
+
+		req, err := http.NewRequestWithContext(timeoutCtx, http.MethodGet, path, nil)
 		if err != nil {
 			return nil, err
 		}
 
-		if LoadHTTPBasicAuthUsername != "" && LoadHTTPBasicAuthPassword != "" {
-			req.SetBasicAuth(LoadHTTPBasicAuthUsername, LoadHTTPBasicAuthPassword)
+		if o.basicAuthUsername != "" && o.basicAuthPassword != "" {
+			req.SetBasicAuth(o.basicAuthUsername, o.basicAuthPassword)
 		}
 
-		for key, val := range LoadHTTPCustomHeaders {
+		for key, val := range o.customHeaders {
 			req.Header.Set(key, val)
 		}
 
diff --git a/vendor/github.com/go-openapi/swag/loading/options.go b/vendor/github.com/go-openapi/swag/loading/options.go
new file mode 100644
index 0000000000..6674ac69e6
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/loading/options.go
@@ -0,0 +1,125 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package loading
+
+import (
+	"io/fs"
+	"net/http"
+	"os"
+	"time"
+)
+
+type (
+	// Option provides options for loading a file over HTTP or from a file.
+	Option func(*options)
+
+	httpOptions struct {
+		httpTimeout       time.Duration
+		basicAuthUsername string
+		basicAuthPassword string
+		customHeaders     map[string]string
+		client            *http.Client
+	}
+
+	fileOptions struct {
+		fs fs.ReadFileFS
+	}
+
+	options struct {
+		httpOptions
+		fileOptions
+	}
+)
+
+func (fo fileOptions) ReadFileFunc() func(string) ([]byte, error) {
+	if fo.fs == nil {
+		return os.ReadFile
+	}
+
+	return fo.fs.ReadFile
+}
+
+// WithTimeout sets a timeout for the remote file loader.
+//
+// The default timeout is 30s.
+func WithTimeout(timeout time.Duration) Option {
+	return func(o *options) {
+		o.httpTimeout = timeout
+	}
+}
+
+// WithBasicAuth sets a basic authentication scheme for the remote file loader.
+func WithBasicAuth(username, password string) Option {
+	return func(o *options) {
+		o.basicAuthUsername = username
+		o.basicAuthPassword = password
+	}
+}
+
+// WithCustomHeaders sets custom headers for the remote file loader.
+func WithCustomHeaders(headers map[string]string) Option {
+	return func(o *options) {
+		if o.customHeaders == nil {
+			o.customHeaders = make(map[string]string, len(headers))
+		}
+
+		for header, value := range headers {
+			o.customHeaders[header] = value
+		}
+	}
+}
+
+// WithHTTPClient overrides the default HTTP client used to fetch a remote file.
+//
+// By default, [http.DefaultClient] is used.
+func WithHTTPClient(client *http.Client) Option {
+	return func(o *options) {
+		o.client = client
+	}
+}
+
+// WithFS sets a file system for the local file loader.
+//
+// If the provided file system is a [fs.ReadFileFS], the ReadFile function is used.
+// Otherwise, ReadFile is wrapped using [fs.ReadFile].
+//
+// By default, the file system is the one provided by the os package.
+//
+// For example, this may be set to consume from an embedded file system, or a rooted FS.
+func WithFS(filesystem fs.FS) Option {
+	return func(o *options) {
+		if rfs, ok := filesystem.(fs.ReadFileFS); ok {
+			o.fs = rfs
+
+			return
+		}
+		o.fs = readFileFS{FS: filesystem}
+	}
+}
+
+type readFileFS struct {
+	fs.FS
+}
+
+func (r readFileFS) ReadFile(name string) ([]byte, error) {
+	return fs.ReadFile(r.FS, name)
+}
+
+func optionsWithDefaults(opts []Option) options {
+	const defaultTimeout = 30 * time.Second
+
+	o := options{
+		// package level defaults
+		httpOptions: httpOptions{
+			httpTimeout: defaultTimeout,
+			client:      http.DefaultClient,
+		},
+	}
+
+	for _, apply := range opts {
+		apply(&o)
+	}
+
+	return o
+}
diff --git a/vendor/github.com/go-openapi/swag/loading/yaml.go b/vendor/github.com/go-openapi/swag/loading/yaml.go
new file mode 100644
index 0000000000..3ebb53668c
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/loading/yaml.go
@@ -0,0 +1,37 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package loading
+
+import (
+	"encoding/json"
+	"path/filepath"
+
+	"github.com/go-openapi/swag/yamlutils"
+)
+
+// YAMLMatcher matches yaml for a file loader.
+func YAMLMatcher(path string) bool {
+	ext := filepath.Ext(path)
+	return ext == ".yaml" || ext == ".yml"
+}
+
+// YAMLDoc loads a yaml document from either http or a file and converts it to json.
+func YAMLDoc(path string, opts ...Option) (json.RawMessage, error) {
+	yamlDoc, err := YAMLData(path, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return yamlutils.YAMLToJSON(yamlDoc)
+}
+
+// YAMLData loads a yaml document from either http or a file.
+func YAMLData(path string, opts ...Option) (any, error) {
+	data, err := LoadFromFileOrHTTP(path, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return yamlutils.BytesToYAMLDoc(data)
+}
diff --git a/vendor/github.com/go-openapi/swag/loading_iface.go b/vendor/github.com/go-openapi/swag/loading_iface.go
new file mode 100644
index 0000000000..27ec3fb8c3
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/loading_iface.go
@@ -0,0 +1,91 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/go-openapi/swag/loading"
+)
+
+var (
+	// Package-level defaults for the file loading utilities (deprecated).
+
+	// LoadHTTPTimeout the default timeout for load requests.
+	//
+	// Deprecated: use [loading.WithTimeout] instead.
+	LoadHTTPTimeout = 30 * time.Second
+
+	// LoadHTTPBasicAuthUsername the username to use when load requests require basic auth.
+	//
+	// Deprecated: use [loading.WithBasicAuth] instead.
+	LoadHTTPBasicAuthUsername = ""
+
+	// LoadHTTPBasicAuthPassword the password to use when load requests require basic auth.
+	//
+	// Deprecated: use [loading.WithBasicAuth] instead.
+	LoadHTTPBasicAuthPassword = ""
+
+	// LoadHTTPCustomHeaders an optional collection of custom HTTP headers for load requests.
+	//
+	// Deprecated: use [loading.WithCustomHeaders] instead.
+	LoadHTTPCustomHeaders = map[string]string{}
+)
+
+// LoadFromFileOrHTTP loads the bytes from a file or a remote http server based on the provided path.
+//
+// Deprecated: use [loading.LoadFromFileOrHTTP] instead.
+func LoadFromFileOrHTTP(pth string, opts ...loading.Option) ([]byte, error) {
+	return loading.LoadFromFileOrHTTP(pth, loadingOptionsWithDefaults(opts)...)
+}
+
+// LoadFromFileOrHTTPWithTimeout loads the bytes from a file or a remote http server based on the path passed in
+// timeout arg allows for per request overriding of the request timeout.
+//
+// Deprecated: use [loading.LoadFileOrHTTP] with the [loading.WithTimeout] option instead.
+func LoadFromFileOrHTTPWithTimeout(pth string, timeout time.Duration, opts ...loading.Option) ([]byte, error) {
+	opts = append(opts, loading.WithTimeout(timeout))
+
+	return LoadFromFileOrHTTP(pth, opts...)
+}
+
+// LoadStrategy returns a loader function for a given path or URL.
+//
+// Deprecated: use [loading.LoadStrategy] instead.
+func LoadStrategy(pth string, local, remote func(string) ([]byte, error), opts ...loading.Option) func(string) ([]byte, error) {
+	return loading.LoadStrategy(pth, local, remote, loadingOptionsWithDefaults(opts)...)
+}
+
+// YAMLMatcher matches yaml for a file loader.
+//
+// Deprecated: use [loading.YAMLMatcher] instead.
+func YAMLMatcher(path string) bool { return loading.YAMLMatcher(path) }
+
+// YAMLDoc loads a yaml document from either http or a file and converts it to json.
+//
+// Deprecated: use [loading.YAMLDoc] instead.
+func YAMLDoc(path string) (json.RawMessage, error) {
+	return loading.YAMLDoc(path)
+}
+
+// YAMLData loads a yaml document from either http or a file.
+//
+// Deprecated: use [loading.YAMLData] instead.
+func YAMLData(path string) (any, error) {
+	return loading.YAMLData(path)
+}
+
+// loadingOptionsWithDefaults bridges deprecated default settings that use package-level variables,
+// with the recommended use of loading.Option.
+func loadingOptionsWithDefaults(opts []loading.Option) []loading.Option {
+	o := []loading.Option{
+		loading.WithTimeout(LoadHTTPTimeout),
+		loading.WithBasicAuth(LoadHTTPBasicAuthUsername, LoadHTTPBasicAuthPassword),
+		loading.WithCustomHeaders(LoadHTTPCustomHeaders),
+	}
+	o = append(o, opts...)
+
+	return o
+}
diff --git a/vendor/github.com/go-openapi/swag/BENCHMARK.md b/vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md
similarity index 53%
rename from vendor/github.com/go-openapi/swag/BENCHMARK.md
rename to vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md
index e7f28ed6b7..6674c63b72 100644
--- a/vendor/github.com/go-openapi/swag/BENCHMARK.md
+++ b/vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md
@@ -1,12 +1,10 @@
-# Benchmarks
-
-## Name mangling utilities
+# Benchmarking name mangling utilities
 
 ```bash
 go test -bench XXX -run XXX -benchtime 30s
 ```
 
-### Benchmarks at b3e7a5386f996177e4808f11acb2aa93a0f660df
+## Benchmarks at b3e7a5386f996177e4808f11acb2aa93a0f660df
 
 ```
 goos: linux
@@ -21,7 +19,7 @@ BenchmarkToXXXName/ToHumanNameLower-4 	  895334	     40354 ns/op	   10472 B/op
 BenchmarkToXXXName/ToHumanNameTitle-4 	  882441	     40678 ns/op	   10566 B/op	     749 allocs/op
 ```
 
-### Benchmarks after PR #79
+## Benchmarks after PR #79
 
 ~ x10 performance improvement and ~ /100 memory allocations.
 
@@ -50,3 +48,43 @@ BenchmarkToXXXName/ToCommandName-16    	32256634	      1137 ns/op	     147 B/op
 BenchmarkToXXXName/ToHumanNameLower-16 	18599661	      1946 ns/op	      92 B/op	       6 allocs/op
 BenchmarkToXXXName/ToHumanNameTitle-16 	17581353	      2054 ns/op	     105 B/op	       6 allocs/op
 ```
+
+## Benchmarks at d7d2d1b895f5b6747afaff312dd2a402e69e818b
+
+go1.24
+
+```
+goos: linux
+goarch: amd64
+pkg: github.com/go-openapi/swag
+cpu: AMD Ryzen 7 5800X 8-Core Processor             
+BenchmarkToXXXName/ToGoName-16         	19757858	      1881 ns/op	      42 B/op	       5 allocs/op
+BenchmarkToXXXName/ToVarName-16        	17494111	      2094 ns/op	      74 B/op	       7 allocs/op
+BenchmarkToXXXName/ToFileName-16       	28161226	      1492 ns/op	     158 B/op	       7 allocs/op
+BenchmarkToXXXName/ToCommandName-16    	23787333	      1489 ns/op	     158 B/op	       7 allocs/op
+BenchmarkToXXXName/ToHumanNameLower-16 	17537257	      2030 ns/op	     103 B/op	       6 allocs/op
+BenchmarkToXXXName/ToHumanNameTitle-16 	16977453	      2156 ns/op	     105 B/op	       6 allocs/op
+```
+
+## Benchmarks after PR #106
+
+Moving the scope of everything down to a struct allowed to reduce a bit garbage and pooling.
+
+On top of that, ToGoName (and thus ToVarName) have been subject to a minor optimization, removing a few allocations.
+
+Overall timings improve by ~ -10%.
+
+go1.24
+
+```
+goos: linux
+goarch: amd64
+pkg: github.com/go-openapi/swag/mangling
+cpu: AMD Ryzen 7 5800X 8-Core Processor             
+BenchmarkToXXXName/ToGoName-16         	22496130	      1618 ns/op	      31 B/op	       3 allocs/op
+BenchmarkToXXXName/ToVarName-16        	22538068	      1618 ns/op	      33 B/op	       3 allocs/op
+BenchmarkToXXXName/ToFileName-16       	27722977	      1236 ns/op	     105 B/op	       6 allocs/op
+BenchmarkToXXXName/ToCommandName-16    	27967395	      1258 ns/op	     105 B/op	       6 allocs/op
+BenchmarkToXXXName/ToHumanNameLower-16 	18587901	      1917 ns/op	     103 B/op	       6 allocs/op
+BenchmarkToXXXName/ToHumanNameTitle-16 	17193208	      2019 ns/op	     108 B/op	       7 allocs/op
+```
diff --git a/vendor/github.com/go-openapi/swag/mangling/LICENSE b/vendor/github.com/go-openapi/swag/mangling/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/mangling/doc.go b/vendor/github.com/go-openapi/swag/mangling/doc.go
new file mode 100644
index 0000000000..ce0d890485
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/doc.go
@@ -0,0 +1,25 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package mangling provides name mangling capabilities.
+//
+// Name mangling is an important stage when generating code:
+// it helps construct safe program identifiers that abide by the language rules
+// and play along with linters.
+//
+// Examples:
+//
+// Suppose we get an object name taken from an API spec: "json_object",
+//
+// We may generate a legit go type name using [NameMangler.ToGoName]: "JsonObject".
+//
+// We may then locate this type in a source file named using [NameMangler.ToFileName]: "json_object.go".
+//
+// The methods exposed by the NameMangler are used to generate code in many different contexts, such as:
+//
+//   - generating exported or unexported go identifiers from a JSON schema or an API spec
+//   - generating file names
+//   - generating human-readable comments for types and variables
+//   - generating JSON-like API identifiers from go code
+//   - ...
+package mangling
diff --git a/vendor/github.com/go-openapi/swag/mangling/initialism_index.go b/vendor/github.com/go-openapi/swag/mangling/initialism_index.go
new file mode 100644
index 0000000000..e5b70c1493
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/initialism_index.go
@@ -0,0 +1,270 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package mangling
+
+import (
+	"sort"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+// DefaultInitialisms returns all the initialisms configured by default for this package.
+//
+// # Motivation
+//
+// Common initialisms are acronyms for which the ordinary camel-casing rules are altered and
+// for which we retain the original case.
+//
+// This is largely specific to the go naming conventions enforced by golint (now revive).
+//
+// # Example
+//
+// In go, "id" is a good-looking identifier, but "Id" is not and "ID" is preferred
+// (notice that this stems only from conventions: the go compiler accepts all of these).
+//
+// Similarly, we may use "http", but not "Http". In this case, "HTTP" is preferred.
+//
+// # Reference and customization
+//
+// The default list of these casing-style exceptions is taken from the [github.com/mgechev/revive] linter for go:
+// https://github.com/mgechev/revive/blob/master/lint/name.go#L93
+//
+// There are a few additions to the original list, such as IPv4, IPv6 and OAI ("OpenAPI").
+//
+// For these additions, "IPv4" would be preferred to "Ipv4" or "IPV4", and "OAI" to "Oai"
+//
+// You may redefine this list entirely using the mangler option [WithInitialisms], or simply add extra definitions
+// using [WithAdditionalInitialisms].
+//
+// # Mixed-case and plurals
+//
+// Notice that initialisms are not necessarily fully upper-cased: a mixed-case initialism indicates the preferred casing.
+//
+// Obviously, lower-case only initialisms do not make a lot of sense: if lower-case only initialisms are added,
+// they will be considered fully capitalized.
+//
+// Plural forms use mixed case like "IDs". And so do values like "IPv4" or "IPv6".
+//
+// The [NameMangler] automatically detects simple plurals for words such as "IDs" or "APIs",
+// so you don't need to configure these variants.
+//
+// At this moment, it doesn't support pluralization of terms that ends with an 's' (or 'S'), since there is
+// no clear consensus on whether a word like DNS should be pluralized as DNSes or remain invariant.
+// The [NameMangler] consider those invariant. Therefore DNSs or DNSes are not recognized as plurals for DNS.
+//
+// Besids, we don't want to support pluralization of terms which would otherwise conflict with another one,
+// like "HTTPs" vs "HTTPS". All these should be considered invariant. Hence: "Https" matches "HTTPS" and
+// "HTTPSS" is "HTTPS" followed by "S".
+func DefaultInitialisms() []string {
+	return []string{
+		"ACL",
+		"API",
+		"ASCII",
+		"CPU",
+		"CSS",
+		"DNS",
+		"EOF",
+		"GUID",
+		"HTML",
+		"HTTPS",
+		"HTTP",
+		"ID",
+		"IP",
+		"IPv4", // prefer the mixed case outcome IPv4 over the capitalized IPV4
+		"IPv6", // prefer the mixed case outcome IPv6 over the capitalized IPV6
+		"JSON",
+		"LHS",
+		"OAI",
+		"QPS",
+		"RAM",
+		"RHS",
+		"RPC",
+		"SLA",
+		"SMTP",
+		"SQL",
+		"SSH",
+		"TCP",
+		"TLS",
+		"TTL",
+		"UDP",
+		"UI",
+		"UID",
+		"UUID",
+		"URI",
+		"URL",
+		"UTF8",
+		"VM",
+		"XML",
+		"XMPP",
+		"XSRF",
+		"XSS",
+	}
+}
+
+type indexOfInitialisms struct {
+	initialismsCache
+
+	index map[string]struct{}
+}
+
+func newIndexOfInitialisms() *indexOfInitialisms {
+	return &indexOfInitialisms{
+		index: make(map[string]struct{}),
+	}
+}
+
+func (m *indexOfInitialisms) add(words ...string) *indexOfInitialisms {
+	for _, word := range words {
+		// sanitization of injected words: trimmed from blanks, and must start with a letter
+		trimmed := strings.TrimSpace(word)
+
+		firstRune, _ := utf8.DecodeRuneInString(trimmed)
+		if !unicode.IsLetter(firstRune) {
+			continue
+		}
+
+		// Initialisms are case-sensitive. This means that we support mixed-case words.
+		// However, if specified as a lower-case string, the initialism should be fully capitalized.
+		if trimmed == strings.ToLower(trimmed) {
+			m.index[strings.ToUpper(trimmed)] = struct{}{}
+
+			continue
+		}
+
+		m.index[trimmed] = struct{}{}
+	}
+	return m
+}
+
+func (m *indexOfInitialisms) sorted() []string {
+	result := make([]string, 0, len(m.index))
+	for k := range m.index {
+		result = append(result, k)
+	}
+	sort.Sort(sort.Reverse(byInitialism(result)))
+	return result
+}
+
+func (m *indexOfInitialisms) buildCache() {
+	m.build(m.sorted(), m.pluralForm)
+}
+
+// initialismsCache caches all needed pre-computed and converted initialism entries,
+// in the desired resolution order.
+type initialismsCache struct {
+	initialisms           []string
+	initialismsRunes      [][]rune
+	initialismsUpperCased [][]rune // initialisms cached in their trimmed, upper-cased version
+	initialismsPluralForm []pluralForm
+}
+
+func (c *initialismsCache) build(in []string, pluralfunc func(string) pluralForm) {
+	c.initialisms = in
+	c.initialismsRunes = asRunes(c.initialisms)
+	c.initialismsUpperCased = asUpperCased(c.initialisms)
+	c.initialismsPluralForm = asPluralForms(c.initialisms, pluralfunc)
+}
+
+// pluralForm denotes the kind of pluralization to be used for initialisms.
+//
+// At this moment, initialisms are either invariant or follow a simple plural form with an
+// extra (lower case) "s".
+type pluralForm uint8
+
+const (
+	notPlural pluralForm = iota
+	invariantPlural
+	simplePlural
+)
+
+func (f pluralForm) String() string {
+	switch f {
+	case notPlural:
+		return "notPlural"
+	case invariantPlural:
+		return "invariantPlural"
+	case simplePlural:
+		return "simplePlural"
+	default:
+		return "<unknown>"
+	}
+}
+
+// pluralForm indicates how we want to pluralize a given initialism.
+//
+// Besides configured invariant forms (like HTTP and HTTPS),
+// an initialism is normally pluralized by adding a single 's', like in IDs.
+//
+// Initialisms ending with an 'S' or an 's' are configured as invariant (we don't
+// support plural forms like CSSes or DNSes, however the mechanism could be extended to
+// do just that).
+func (m *indexOfInitialisms) pluralForm(key string) pluralForm {
+	if _, ok := m.index[key]; !ok {
+		return notPlural
+	}
+
+	if strings.HasSuffix(strings.ToUpper(key), "S") {
+		return invariantPlural
+	}
+
+	if _, ok := m.index[key+"s"]; ok {
+		return invariantPlural
+	}
+
+	if _, ok := m.index[key+"S"]; ok {
+		return invariantPlural
+	}
+
+	return simplePlural
+}
+
+type byInitialism []string
+
+func (s byInitialism) Len() int {
+	return len(s)
+}
+func (s byInitialism) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+// Less specifies the order in which initialisms are prioritized:
+// 1. match longest first
+// 2. when equal length, match in reverse lexicographical order, lower case match comes first
+func (s byInitialism) Less(i, j int) bool {
+	if len(s[i]) != len(s[j]) {
+		return len(s[i]) < len(s[j])
+	}
+
+	return s[i] < s[j]
+}
+
+func asRunes(in []string) [][]rune {
+	out := make([][]rune, len(in))
+	for i, initialism := range in {
+		out[i] = []rune(initialism)
+	}
+
+	return out
+}
+
+func asUpperCased(in []string) [][]rune {
+	out := make([][]rune, len(in))
+
+	for i, initialism := range in {
+		out[i] = []rune(upper(trim(initialism)))
+	}
+
+	return out
+}
+
+// asPluralForms bakes an index of pluralization support.
+func asPluralForms(in []string, pluralFunc func(string) pluralForm) []pluralForm {
+	out := make([]pluralForm, len(in))
+	for i, initialism := range in {
+		out[i] = pluralFunc(initialism)
+	}
+
+	return out
+}
diff --git a/vendor/github.com/go-openapi/swag/mangling/name_lexem.go b/vendor/github.com/go-openapi/swag/mangling/name_lexem.go
new file mode 100644
index 0000000000..bc837e3b9f
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/name_lexem.go
@@ -0,0 +1,186 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package mangling
+
+import (
+	"bytes"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+type (
+	lexemKind uint8
+
+	nameLexem struct {
+		original          string
+		matchedInitialism string
+		kind              lexemKind
+	}
+)
+
+const (
+	lexemKindCasualName lexemKind = iota
+	lexemKindInitialismName
+)
+
+func newInitialismNameLexem(original, matchedInitialism string) nameLexem {
+	return nameLexem{
+		kind:              lexemKindInitialismName,
+		original:          original,
+		matchedInitialism: matchedInitialism,
+	}
+}
+
+func newCasualNameLexem(original string) nameLexem {
+	return nameLexem{
+		kind:     lexemKindCasualName,
+		original: trim(original), // TODO: save on calls to trim
+	}
+}
+
+// WriteTitleized writes the titleized lexeme to a bytes.Buffer.
+//
+// If the first letter cannot be capitalized, it doesn't write anything and return false,
+// so the caller may attempt some workaround strategy.
+func (l nameLexem) WriteTitleized(w *bytes.Buffer, alwaysUpper bool) bool {
+	if l.kind == lexemKindInitialismName {
+		w.WriteString(l.matchedInitialism)
+
+		return true
+	}
+
+	if len(l.original) == 0 {
+		return true
+	}
+
+	if len(l.original) == 1 {
+		// identifier is too short: casing will depend on the context
+		firstByte := l.original[0]
+		switch {
+		case 'A' <= firstByte && firstByte <= 'Z':
+			// safe
+			w.WriteByte(firstByte)
+
+			return true
+		case alwaysUpper && 'a' <= firstByte && firstByte <= 'z':
+			w.WriteByte(firstByte - 'a' + 'A')
+
+			return true
+		default:
+
+			// not a letter: skip and let the caller decide
+			return false
+		}
+	}
+
+	if firstByte := l.original[0]; firstByte < utf8.RuneSelf {
+		// ASCII
+		switch {
+		case 'A' <= firstByte && firstByte <= 'Z':
+			// already an upper case letter
+			w.WriteString(l.original)
+
+			return true
+		case 'a' <= firstByte && firstByte <= 'z':
+			w.WriteByte(firstByte - 'a' + 'A')
+			w.WriteString(l.original[1:])
+
+			return true
+		default:
+			// not a good candidate: doesn't start with a letter
+			return false
+		}
+	}
+
+	// unicode
+	firstRune, idx := utf8.DecodeRuneInString(l.original)
+	if !unicode.IsLetter(firstRune) || !unicode.IsUpper(unicode.ToUpper(firstRune)) {
+		// not a good candidate: doesn't start with a letter
+		// or a rune for which case doesn't make sense (e.g. East-Asian runes etc)
+		return false
+	}
+
+	rest := l.original[idx:]
+	w.WriteRune(unicode.ToUpper(firstRune))
+	w.WriteString(strings.ToLower(rest))
+
+	return true
+}
+
+// WriteLower is like write titleized but it writes a lower-case version of the lexeme.
+//
+// Similarly, there is no writing if the casing of the first rune doesn't make sense.
+func (l nameLexem) WriteLower(w *bytes.Buffer, alwaysLower bool) bool {
+	if l.kind == lexemKindInitialismName {
+		w.WriteString(lower(l.matchedInitialism))
+
+		return true
+	}
+
+	if len(l.original) == 0 {
+		return true
+	}
+
+	if len(l.original) == 1 {
+		// identifier is too short: casing will depend on the context
+		firstByte := l.original[0]
+		switch {
+		case 'a' <= firstByte && firstByte <= 'z':
+			// safe
+			w.WriteByte(firstByte)
+
+			return true
+		case alwaysLower && 'A' <= firstByte && firstByte <= 'Z':
+			w.WriteByte(firstByte - 'A' + 'a')
+
+			return true
+		default:
+
+			// not a letter: skip and let the caller decide
+			return false
+		}
+	}
+
+	if firstByte := l.original[0]; firstByte < utf8.RuneSelf {
+		// ASCII
+		switch {
+		case 'a' <= firstByte && firstByte <= 'z':
+			// already a lower case letter
+			w.WriteString(l.original)
+
+			return true
+		case 'A' <= firstByte && firstByte <= 'Z':
+			w.WriteByte(firstByte - 'A' + 'a')
+			w.WriteString(l.original[1:])
+
+			return true
+		default:
+			// not a good candidate: doesn't start with a letter
+			return false
+		}
+	}
+
+	// unicode
+	firstRune, idx := utf8.DecodeRuneInString(l.original)
+	if !unicode.IsLetter(firstRune) || !unicode.IsLower(unicode.ToLower(firstRune)) {
+		// not a good candidate: doesn't start with a letter
+		// or a rune for which case doesn't make sense (e.g. East-Asian runes etc)
+		return false
+	}
+
+	rest := l.original[idx:]
+	w.WriteRune(unicode.ToLower(firstRune))
+	w.WriteString(rest)
+
+	return true
+}
+
+func (l nameLexem) GetOriginal() string {
+	return l.original
+}
+
+func (l nameLexem) IsInitialism() bool {
+	return l.kind == lexemKindInitialismName
+}
diff --git a/vendor/github.com/go-openapi/swag/mangling/name_mangler.go b/vendor/github.com/go-openapi/swag/mangling/name_mangler.go
new file mode 100644
index 0000000000..da685681d0
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/name_mangler.go
@@ -0,0 +1,370 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package mangling
+
+import (
+	"strings"
+	"unicode"
+)
+
+// NameMangler knows how to transform sentences or words into
+// identifiers that are a better fit in contexts such as:
+//
+//   - unexported or exported go variable identifiers
+//   - file names
+//   - camel cased identifiers
+//   - ...
+//
+// The [NameMangler] is safe for concurrent use, save for its [NameMangler.AddInitialisms] method,
+// which is not.
+//
+// # Known limitations
+//
+// At this moment, the [NameMangler] doesn't play well with "all caps" text:
+//
+// unless every single upper-cased word is declared as an initialism, capitalized words would generally
+// not be transformed with the expected result, e.g.
+//
+//	ToFileName("THIS_IS_ALL_CAPS")
+//
+// yields the weird outcome
+//
+//	"t_h_i_s_i_s_a_l_l_c_a_p_s"
+type NameMangler struct {
+	options
+
+	index *indexOfInitialisms
+
+	splitter              splitter
+	splitterWithPostSplit splitter
+
+	_ struct{}
+}
+
+// NewNameMangler builds a name mangler ready to convert strings.
+//
+// The default name mangler is configured with default common initialisms and all default options.
+func NewNameMangler(opts ...Option) NameMangler {
+	m := NameMangler{
+		options: optionsWithDefaults(opts),
+		index:   newIndexOfInitialisms(),
+	}
+	m.addInitialisms(m.commonInitialisms...)
+
+	// a splitter that returns matches lexemes as ready-to-assemble strings:
+	// details of the lexemes are redeemed.
+	m.splitter = newSplitter(
+		withInitialismsCache(&m.index.initialismsCache),
+		withReplaceFunc(m.replaceFunc),
+	)
+
+	// a splitter that returns matches lexemes ready for post-processing
+	m.splitterWithPostSplit = newSplitter(
+		withInitialismsCache(&m.index.initialismsCache),
+		withReplaceFunc(m.replaceFunc),
+		withPostSplitInitialismCheck,
+	)
+
+	return m
+}
+
+// AddInitialisms declares extra initialisms to the mangler.
+//
+// It declares extra words as "initialisms" (i.e. words that won't be camel cased or titled cased),
+// on top of the existing list of common initialisms (such as ID, HTTP...).
+//
+// Added words must start with a (unicode) letter. If some don't, they are ignored.
+// Added words are either fully capitalized or mixed-cased. Lower-case only words are considered capitalized.
+//
+// It is typically used just after initializing the [NameMangler].
+//
+// When all initialisms are known at the time the mangler is initialized, it is preferable to
+// use [NewNameMangler] with the option [WithAdditionalInitialisms].
+//
+// Adding initialisms mutates the mangler and should not be carried out concurrently with other calls to the mangler.
+func (m *NameMangler) AddInitialisms(words ...string) {
+	m.addInitialisms(words...)
+}
+
+// Initialisms renders the list of initialisms supported by this mangler.
+func (m *NameMangler) Initialisms() []string {
+	return m.index.initialisms
+}
+
+// Camelize a single word.
+//
+// Example:
+//
+//   - "HELLO" and "hello" become "Hello".
+func (m NameMangler) Camelize(word string) string {
+	ru := []rune(word)
+
+	switch len(ru) {
+	case 0:
+		return ""
+	case 1:
+		return string(unicode.ToUpper(ru[0]))
+	default:
+		camelized := poolOfBuffers.BorrowBuffer(len(word))
+		camelized.Grow(len(word))
+		defer func() {
+			poolOfBuffers.RedeemBuffer(camelized)
+		}()
+
+		camelized.WriteRune(unicode.ToUpper(ru[0]))
+		for _, ru := range ru[1:] {
+			camelized.WriteRune(unicode.ToLower(ru))
+		}
+
+		return camelized.String()
+	}
+}
+
+// ToFileName generates a suitable snake-case file name from a sentence.
+//
+// It lower-cases everything with underscore (_) as a word separator.
+//
+// Examples:
+//
+//   - "Hello, Swagger" becomes "hello_swagger"
+//   - "HelloSwagger" becomes "hello_swagger"
+func (m NameMangler) ToFileName(name string) string {
+	inptr := m.split(name)
+	in := *inptr
+	out := make([]string, 0, len(in))
+
+	for _, w := range in {
+		out = append(out, lower(w))
+	}
+	poolOfStrings.RedeemStrings(inptr)
+
+	return strings.Join(out, "_")
+}
+
+// ToCommandName generates a suitable CLI command name from a sentence.
+//
+// It lower-cases everything with dash (-) as a word separator.
+//
+// Examples:
+//
+//   - "Hello, Swagger" becomes "hello-swagger"
+//   - "HelloSwagger" becomes "hello-swagger"
+func (m NameMangler) ToCommandName(name string) string {
+	inptr := m.split(name)
+	in := *inptr
+	out := make([]string, 0, len(in))
+
+	for _, w := range in {
+		out = append(out, lower(w))
+	}
+	poolOfStrings.RedeemStrings(inptr)
+
+	return strings.Join(out, "-")
+}
+
+// ToHumanNameLower represents a code name as a human-readable series of words.
+//
+// It lower-cases everything with blank space as a word separator.
+//
+// NOTE: parts recognized as initialisms just keep their original casing.
+//
+// Examples:
+//
+//   - "Hello, Swagger" becomes "hello swagger"
+//   - "HelloSwagger" or "Hello-Swagger" become "hello swagger"
+func (m NameMangler) ToHumanNameLower(name string) string {
+	s := m.splitterWithPostSplit
+	in := s.split(name)
+	out := make([]string, 0, len(*in))
+
+	for _, w := range *in {
+		if !w.IsInitialism() {
+			out = append(out, lower(w.GetOriginal()))
+		} else {
+			out = append(out, trim(w.GetOriginal()))
+		}
+	}
+
+	poolOfLexems.RedeemLexems(in)
+
+	return strings.Join(out, " ")
+}
+
+// ToHumanNameTitle represents a code name as a human-readable series of titleized words.
+//
+// It titleizes every word with blank space as a word separator.
+//
+// Examples:
+//
+//   - "hello, Swagger" becomes "Hello Swagger"
+//   - "helloSwagger" becomes "Hello Swagger"
+func (m NameMangler) ToHumanNameTitle(name string) string {
+	s := m.splitterWithPostSplit
+	in := s.split(name)
+
+	out := make([]string, 0, len(*in))
+	for _, w := range *in {
+		original := trim(w.GetOriginal())
+		if !w.IsInitialism() {
+			out = append(out, m.Camelize(original))
+		} else {
+			out = append(out, original)
+		}
+	}
+	poolOfLexems.RedeemLexems(in)
+
+	return strings.Join(out, " ")
+}
+
+// ToJSONName generates a camelized single-word version of a sentence.
+//
+// The output assembles every camelized word, but for the first word, which
+// is lower-cased.
+//
+// Example:
+//
+//   - "Hello_swagger" becomes "helloSwagger"
+func (m NameMangler) ToJSONName(name string) string {
+	inptr := m.split(name)
+	in := *inptr
+	out := make([]string, 0, len(in))
+
+	for i, w := range in {
+		if i == 0 {
+			out = append(out, lower(w))
+			continue
+		}
+		out = append(out, m.Camelize(trim(w)))
+	}
+
+	poolOfStrings.RedeemStrings(inptr)
+
+	return strings.Join(out, "")
+}
+
+// ToVarName generates a legit unexported go variable name from a sentence.
+//
+// The generated name plays well with linters (see also [NameMangler.ToGoName]).
+//
+// Examples:
+//
+//   - "Hello_swagger" becomes "helloSwagger"
+//   - "Http_server" becomes "httpServer"
+//
+// This name applies the same rules as [NameMangler.ToGoName] (legit exported variable), save the
+// capitalization of the initial rune.
+//
+// Special case: when the initial part is a recognized as an initialism (like in the example above),
+// the full part is lower-cased.
+func (m NameMangler) ToVarName(name string) string {
+	return m.goIdentifier(name, false)
+}
+
+// ToGoName generates a legit exported go variable name from a sentence.
+//
+// The generated name plays well with most linters.
+//
+// ToGoName abides by the go "exported" symbol rule starting with an upper-case letter.
+//
+// Examples:
+//
+//   - "hello_swagger" becomes "HelloSwagger"
+//   - "Http_server" becomes "HTTPServer"
+//
+// # Edge cases
+//
+// Whenever the first rune is not eligible to upper case, a special prefix is prepended to the resulting name.
+// By default this is simply "X" and you may customize this behavior using the [WithGoNamePrefixFunc] option.
+//
+// This happens when the first rune is not a letter, e.g. a digit, or a symbol that has no word transliteration
+// (see also [WithReplaceFunc] about symbol transliterations),
+// as well as for most East Asian or Devanagari runes, for which there is no such concept as upper-case.
+//
+// # Linting
+//
+// [revive], the successor of golint is the reference linter.
+//
+// This means that [NameMangler.ToGoName] supports the initialisms that revive checks (see also [DefaultInitialisms]).
+//
+// At this moment, there is no attempt to transliterate unicode into ascii, meaning that some linters
+// (e.g. asciicheck, gosmopolitan) may croak on go identifiers generated from unicode input.
+//
+// [revive]: https://github.com/mgechev/revive
+func (m NameMangler) ToGoName(name string) string {
+	return m.goIdentifier(name, true)
+}
+
+func (m NameMangler) goIdentifier(name string, exported bool) string {
+	s := m.splitterWithPostSplit
+	lexems := s.split(name)
+	defer func() {
+		poolOfLexems.RedeemLexems(lexems)
+	}()
+	lexemes := *lexems
+
+	if len(lexemes) == 0 {
+		return ""
+	}
+
+	result := poolOfBuffers.BorrowBuffer(len(name))
+	defer func() {
+		poolOfBuffers.RedeemBuffer(result)
+	}()
+
+	firstPart := lexemes[0]
+	if !exported {
+		if ok := firstPart.WriteLower(result, true); !ok {
+			// NOTE: an initialism as the first part is lower-cased: no longer generates stuff like hTTPxyz.
+			//
+			// same prefixing rule applied to unexported variable as to an exported one, so that we have consistent
+			// names, whether the generated identifier is exported or not.
+			result.WriteString(strings.ToLower(m.prefixFunc()(name)))
+			result.WriteString(lexemes[0].GetOriginal())
+		}
+	} else {
+		if ok := firstPart.WriteTitleized(result, true); !ok {
+			// "repairs" a lexeme that doesn't start with a letter to become
+			// the start a legit go name. The current strategy is very crude and simply adds a fixed prefix,
+			// e.g. "X".
+			// For instance "1_sesame_street" would be split into lexemes ["1", "sesame", "street"] and
+			// the first one ("1") would result in something like "X1" (with the default prefix function).
+			//
+			// NOTE: no longer forcing the first part to be fully upper-cased
+			result.WriteString(m.prefixFunc()(name))
+			result.WriteString(lexemes[0].GetOriginal())
+		}
+	}
+
+	for _, lexem := range lexemes[1:] {
+		// NOTE: no longer forcing initialism parts to be fully upper-cased:
+		// * pluralized initialism preserve their trailing "s"
+		// * mixed-cased initialisms, such as IPv4, are preserved
+		if ok := lexem.WriteTitleized(result, false); !ok {
+			// it's not titleized: perhaps it's too short, perhaps the first rune is not a letter.
+			// write anyway
+			result.WriteString(lexem.GetOriginal())
+		}
+	}
+
+	return result.String()
+}
+
+func (m *NameMangler) addInitialisms(words ...string) {
+	m.index.add(words...)
+	m.index.buildCache()
+}
+
+// split calls the inner splitter.
+func (m NameMangler) split(str string) *[]string {
+	s := m.splitter
+	lexems := s.split(str)
+	result := poolOfStrings.BorrowStrings()
+
+	for _, lexem := range *lexems {
+		*result = append(*result, lexem.GetOriginal())
+	}
+	poolOfLexems.RedeemLexems(lexems)
+
+	return result
+}
diff --git a/vendor/github.com/go-openapi/swag/mangling/options.go b/vendor/github.com/go-openapi/swag/mangling/options.go
new file mode 100644
index 0000000000..3c92b2f18b
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/options.go
@@ -0,0 +1,150 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package mangling
+
+type (
+	// PrefixFunc defines a safeguard rule (that may depend on the input string), to prefix
+	// a generated go name (in [NameMangler.ToGoName] and [NameMangler.ToVarName]).
+	//
+	// See [NameMangler.ToGoName] for more about which edge cases the prefix function covers.
+	PrefixFunc func(string) string
+
+	// ReplaceFunc is a transliteration function to replace special runes by a word.
+	ReplaceFunc func(r rune) (string, bool)
+
+	// Option to configure a [NameMangler].
+	Option func(*options)
+
+	options struct {
+		commonInitialisms []string
+
+		goNamePrefixFunc    PrefixFunc
+		goNamePrefixFuncPtr *PrefixFunc
+		replaceFunc         func(r rune) (string, bool)
+	}
+)
+
+func (o *options) prefixFunc() PrefixFunc {
+	if o.goNamePrefixFuncPtr != nil && *o.goNamePrefixFuncPtr != nil {
+		return *o.goNamePrefixFuncPtr
+	}
+
+	return o.goNamePrefixFunc
+}
+
+// WithGoNamePrefixFunc overrides the default prefix rule to safeguard generated go names.
+//
+// Example:
+//
+// This helps convert "123" into "{prefix}123" (a very crude strategy indeed, but it works).
+//
+// See [github.com/go-swagger/go-swagger/generator.DefaultFuncMap] for an example.
+//
+// The prefix function is assumed to return a string that starts with an upper case letter.
+//
+// The default is to prefix with "X".
+//
+// See [NameMangler.ToGoName] for more about which edge cases the prefix function covers.
+func WithGoNamePrefixFunc(fn PrefixFunc) Option {
+	return func(o *options) {
+		o.goNamePrefixFunc = fn
+	}
+}
+
+// WithGoNamePrefixFuncPtr is like [WithGoNamePrefixFunc] but it specifies a pointer to a function.
+//
+// [WithGoNamePrefixFunc] should be preferred in most situations. This option should only serve the
+// purpose of handling special situations where the prefix function is not an internal variable
+// (e.g. an exported package global).
+//
+// [WithGoNamePrefixFuncPtr] supersedes [WithGoNamePrefixFunc] if it also specified.
+//
+// If the provided pointer is nil or points to a nil value, this option has no effect.
+//
+// The caller should ensure that no undesirable concurrent changes are applied to the function pointed to.
+func WithGoNamePrefixFuncPtr(ptr *PrefixFunc) Option {
+	return func(o *options) {
+		o.goNamePrefixFuncPtr = ptr
+	}
+}
+
+// WithInitialisms declares the initialisms this mangler supports.
+//
+// This supersedes any pre-loaded defaults (see [DefaultInitialisms] for more about what initialisms are).
+//
+// It declares words to be recognized as "initialisms" (i.e. words that won't be camel cased or titled cased).
+//
+// Words must start with a (unicode) letter. If some don't, they are ignored.
+// Words are either fully capitalized or mixed-cased. Lower-case only words are considered capitalized.
+func WithInitialisms(words ...string) Option {
+	return func(o *options) {
+		o.commonInitialisms = words
+	}
+}
+
+// WithAdditionalInitialisms adds new initialisms to the currently supported list (see [DefaultInitialisms]).
+//
+// The same sanitization rules apply as those described for [WithInitialisms].
+func WithAdditionalInitialisms(words ...string) Option {
+	return func(o *options) {
+		o.commonInitialisms = append(o.commonInitialisms, words...)
+	}
+}
+
+// WithReplaceFunc specifies a custom transliteration function instead of the default.
+//
+// The default translates the following characters into words as follows:
+//
+//   - '@' -> 'At'
+//   - '&' -> 'And'
+//   - '|' -> 'Pipe'
+//   - '$' -> 'Dollar'
+//   - '!' -> 'Bang'
+//
+// Notice that the outcome of a transliteration should always be titleized.
+func WithReplaceFunc(fn ReplaceFunc) Option {
+	return func(o *options) {
+		o.replaceFunc = fn
+	}
+}
+
+func defaultPrefixFunc(_ string) string {
+	return "X"
+}
+
+// defaultReplaceTable finds a word representation for special characters.
+func defaultReplaceTable(r rune) (string, bool) {
+	switch r {
+	case '@':
+		return "At ", true
+	case '&':
+		return "And ", true
+	case '|':
+		return "Pipe ", true
+	case '$':
+		return "Dollar ", true
+	case '!':
+		return "Bang ", true
+	case '-':
+		return "", true
+	case '_':
+		return "", true
+	default:
+		return "", false
+	}
+}
+
+func optionsWithDefaults(opts []Option) options {
+	o := options{
+		commonInitialisms: DefaultInitialisms(),
+		goNamePrefixFunc:  defaultPrefixFunc,
+		replaceFunc:       defaultReplaceTable,
+	}
+
+	for _, apply := range opts {
+		apply(&o)
+	}
+
+	return o
+}
diff --git a/vendor/github.com/go-openapi/swag/mangling/pools.go b/vendor/github.com/go-openapi/swag/mangling/pools.go
new file mode 100644
index 0000000000..f810435144
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/pools.go
@@ -0,0 +1,123 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package mangling
+
+import (
+	"bytes"
+	"sync"
+)
+
+const maxAllocMatches = 8
+
+type (
+	// memory pools of temporary objects.
+	//
+	// These are used to recycle temporarily allocated objects
+	// and relieve the GC from undue pressure.
+
+	matchesPool struct {
+		*sync.Pool
+	}
+
+	buffersPool struct {
+		*sync.Pool
+	}
+
+	lexemsPool struct {
+		*sync.Pool
+	}
+
+	stringsPool struct {
+		*sync.Pool
+	}
+)
+
+var (
+	// poolOfMatches holds temporary slices for recycling during the initialism match process
+	poolOfMatches = matchesPool{
+		Pool: &sync.Pool{
+			New: func() any {
+				s := make(initialismMatches, 0, maxAllocMatches)
+
+				return &s
+			},
+		},
+	}
+
+	poolOfBuffers = buffersPool{
+		Pool: &sync.Pool{
+			New: func() any {
+				return new(bytes.Buffer)
+			},
+		},
+	}
+
+	poolOfLexems = lexemsPool{
+		Pool: &sync.Pool{
+			New: func() any {
+				s := make([]nameLexem, 0, maxAllocMatches)
+
+				return &s
+			},
+		},
+	}
+
+	poolOfStrings = stringsPool{
+		Pool: &sync.Pool{
+			New: func() any {
+				s := make([]string, 0, maxAllocMatches)
+
+				return &s
+			},
+		},
+	}
+)
+
+func (p matchesPool) BorrowMatches() *initialismMatches {
+	s := p.Get().(*initialismMatches)
+	*s = (*s)[:0] // reset slice, keep allocated capacity
+
+	return s
+}
+
+func (p buffersPool) BorrowBuffer(size int) *bytes.Buffer {
+	s := p.Get().(*bytes.Buffer)
+	s.Reset()
+
+	if s.Cap() < size {
+		s.Grow(size)
+	}
+
+	return s
+}
+
+func (p lexemsPool) BorrowLexems() *[]nameLexem {
+	s := p.Get().(*[]nameLexem)
+	*s = (*s)[:0] // reset slice, keep allocated capacity
+
+	return s
+}
+
+func (p stringsPool) BorrowStrings() *[]string {
+	s := p.Get().(*[]string)
+	*s = (*s)[:0] // reset slice, keep allocated capacity
+
+	return s
+}
+
+func (p matchesPool) RedeemMatches(s *initialismMatches) {
+	p.Put(s)
+}
+
+func (p buffersPool) RedeemBuffer(s *bytes.Buffer) {
+	p.Put(s)
+}
+
+func (p lexemsPool) RedeemLexems(s *[]nameLexem) {
+	p.Put(s)
+}
+
+func (p stringsPool) RedeemStrings(s *[]string) {
+	p.Put(s)
+}
diff --git a/vendor/github.com/go-openapi/swag/mangling/split.go b/vendor/github.com/go-openapi/swag/mangling/split.go
new file mode 100644
index 0000000000..ed12ea2567
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/split.go
@@ -0,0 +1,341 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package mangling
+
+import (
+	"fmt"
+	"unicode"
+)
+
+type splitterOption func(*splitter)
+
+// withPostSplitInitialismCheck allows to catch initialisms after main split process
+func withPostSplitInitialismCheck(s *splitter) {
+	s.postSplitInitialismCheck = true
+}
+
+func withReplaceFunc(fn ReplaceFunc) func(*splitter) {
+	return func(s *splitter) {
+		s.replaceFunc = fn
+	}
+}
+
+func withInitialismsCache(c *initialismsCache) splitterOption {
+	return func(s *splitter) {
+		s.initialismsCache = c
+	}
+}
+
+type (
+	initialismMatch struct {
+		body       []rune
+		start, end int
+		complete   bool
+		hasPlural  pluralForm
+	}
+	initialismMatches []initialismMatch
+)
+
+// String representation of a match, e.g. for debugging.
+func (m initialismMatch) String() string {
+	return fmt.Sprintf("{body: %s (%d), start: %d, end; %d, complete: %t, hasPlural: %v}",
+		string(m.body), len(m.body), m.start, m.end, m.complete, m.hasPlural,
+	)
+}
+
+func (m initialismMatch) isZero() bool {
+	return m.start == 0 && m.end == 0
+}
+
+type splitter struct {
+	*initialismsCache
+
+	postSplitInitialismCheck bool
+	replaceFunc              ReplaceFunc
+}
+
+func newSplitter(options ...splitterOption) splitter {
+	var s splitter
+
+	for _, option := range options {
+		option(&s)
+	}
+
+	if s.replaceFunc == nil {
+		s.replaceFunc = defaultReplaceTable
+	}
+
+	return s
+}
+
+func (s splitter) split(name string) *[]nameLexem {
+	nameRunes := []rune(name)
+	matches := s.gatherInitialismMatches(nameRunes)
+	if matches == nil {
+		return poolOfLexems.BorrowLexems()
+	}
+
+	return s.mapMatchesToNameLexems(nameRunes, matches)
+}
+
+func (s splitter) gatherInitialismMatches(nameRunes []rune) *initialismMatches {
+	matches := poolOfMatches.BorrowMatches()
+	const minLenInitialism = 1
+	if len(nameRunes) < minLenInitialism+1 {
+		// can't match initialism with 0 or 1 rune
+		return matches
+	}
+
+	// first iteration
+	s.findMatches(matches, nameRunes, nameRunes[0], 0)
+
+	for i, currentRune := range nameRunes[1:] {
+		currentRunePosition := i + 1
+		// recycle allocations as we loop over runes
+		// with such recycling, only 2 slices should be allocated per call
+		// instead of o(n).
+		//
+		// BorrowMatches always yields slices with zero length (with some capacity)
+		newMatches := poolOfMatches.BorrowMatches()
+
+		// check current initialism matches
+		for _, match := range *matches {
+			if keepCompleteMatch := match.complete; keepCompleteMatch {
+				// the match is already complete: keep it then move on to the next match
+				*newMatches = append(*newMatches, match)
+				continue
+			}
+
+			if currentRunePosition-match.start == len(match.body) {
+				// unmatched: skip
+				continue
+			}
+
+			// 1. by construction of the matches, we can't have currentRunePosition - match.start < 0
+			// because matches have been computed with their start <= currentRunePosition in the previous
+			// iterations.
+			// 2. by construction of the matches, we can't have currentRunePosition - match.start >= len(match.body)
+
+			currentMatchRune := match.body[currentRunePosition-match.start]
+			if currentMatchRune != currentRune {
+				// failed match, discard it then move on to the next match
+				continue
+			}
+
+			// try to complete the current match
+			if currentRunePosition-match.start == len(match.body)-1 {
+				// we are close: the next step is to check the symbol ahead
+				// if it is a lowercase letter, then it is not the end of match
+				// but the beginning of the next word.
+				//
+				// NOTE(fredbi): this heuristic sometimes leads to counterintuitive splits and
+				// perhaps (not sure yet) we should check against case _alternance_.
+				//
+				// Example:
+				//
+				// In the current version, in the sentence "IDS initialism", "ID" is recognized as an initialism,
+				// leading to a split like "id_s_initialism" (or IDSInitialism),
+				// whereas in the sentence "IDx initialism", it is not and produces something like
+				// "i_d_x_initialism" (or IDxInitialism). The generated file name is not great.
+				//
+				// Both go identifiers are tolerated by linters.
+				//
+				// Notice that the slightly different input "IDs initialism" is correctly detected
+				// as a pluralized initialism and produces something like "ids_initialism" (or IDsInitialism).
+
+				if currentRunePosition < len(nameRunes)-1 { // when before the last rune
+					nextRune := nameRunes[currentRunePosition+1]
+
+					// recognize a plural form for this initialism (only simple english pluralization is supported).
+					if nextRune == 's' && match.hasPlural == simplePlural {
+						// detected a pluralized initialism
+						match.body = append(match.body, nextRune)
+						lookAhead := currentRunePosition + 1
+						if lookAhead < len(nameRunes)-1 {
+							nextRune = nameRunes[lookAhead+1]
+							if newWord := unicode.IsLower(nextRune); newWord {
+								// it is the start of a new word.
+								// Match is only partial and the initialism is not recognized:
+								// move on to the next match, but do not advance the rune position
+								continue
+							}
+						}
+
+						// this is a pluralized match: keep it
+						currentRunePosition++
+						match.complete = true
+						match.hasPlural = simplePlural
+						match.end = currentRunePosition
+						*newMatches = append(*newMatches, match)
+
+						// match is complete: keep it then move on to the next match
+						continue
+					}
+
+					// other cases
+					// example: invariant plural such as "TLS"
+					if newWord := unicode.IsLower(nextRune); newWord {
+						// it is the start of a new word
+						// Match is only partial and the initialism is not recognized : move on
+						continue
+					}
+				}
+
+				match.complete = true
+				match.end = currentRunePosition
+			}
+
+			// append the ongoing matching attempt: it is not necessarily complete, but was successful so far.
+			// Let's see if it still matches on the next rune.
+			*newMatches = append(*newMatches, match)
+		}
+
+		s.findMatches(newMatches, nameRunes, currentRune, currentRunePosition)
+
+		poolOfMatches.RedeemMatches(matches)
+		matches = newMatches
+	}
+
+	// it is up to the caller to redeem this last slice
+	return matches
+}
+
+func (s splitter) findMatches(newMatches *initialismMatches, nameRunes []rune, currentRune rune, currentRunePosition int) {
+	// check for new initialism matches, based on the first character
+	for i, r := range s.initialismsRunes {
+		if r[0] != currentRune {
+			continue
+		}
+
+		if currentRunePosition+len(r) > len(nameRunes) {
+			continue // not eligible: would spilll over the initial string
+		}
+
+		// possible matches: all initialisms starting with the current rune and that can fit the given string (nameRunes)
+		*newMatches = append(*newMatches, initialismMatch{
+			start:     currentRunePosition,
+			body:      r,
+			complete:  false,
+			hasPlural: s.initialismsPluralForm[i],
+		})
+	}
+}
+
+func (s splitter) mapMatchesToNameLexems(nameRunes []rune, matches *initialismMatches) *[]nameLexem {
+	nameLexems := poolOfLexems.BorrowLexems()
+
+	var lastAcceptedMatch initialismMatch
+	for _, match := range *matches {
+		if !match.complete {
+			continue
+		}
+
+		if firstMatch := lastAcceptedMatch.isZero(); firstMatch {
+			s.appendBrokenDownCasualString(nameLexems, nameRunes[:match.start])
+			*nameLexems = append(*nameLexems, s.breakInitialism(string(match.body)))
+
+			lastAcceptedMatch = match
+
+			continue
+		}
+
+		if overlappedMatch := match.start <= lastAcceptedMatch.end; overlappedMatch {
+			continue
+		}
+
+		middle := nameRunes[lastAcceptedMatch.end+1 : match.start]
+		s.appendBrokenDownCasualString(nameLexems, middle)
+		*nameLexems = append(*nameLexems, s.breakInitialism(string(match.body)))
+
+		lastAcceptedMatch = match
+	}
+
+	// we have not found any accepted matches
+	if lastAcceptedMatch.isZero() {
+		*nameLexems = (*nameLexems)[:0]
+		s.appendBrokenDownCasualString(nameLexems, nameRunes)
+	} else if lastAcceptedMatch.end+1 != len(nameRunes) {
+		rest := nameRunes[lastAcceptedMatch.end+1:]
+		s.appendBrokenDownCasualString(nameLexems, rest)
+	}
+
+	poolOfMatches.RedeemMatches(matches)
+
+	return nameLexems
+}
+
+func (s splitter) breakInitialism(original string) nameLexem {
+	return newInitialismNameLexem(original, original)
+}
+
+func (s splitter) appendBrokenDownCasualString(segments *[]nameLexem, str []rune) {
+	currentSegment := poolOfBuffers.BorrowBuffer(len(str)) // unlike strings.Builder, bytes.Buffer initial storage can reused
+	defer func() {
+		poolOfBuffers.RedeemBuffer(currentSegment)
+	}()
+
+	addCasualNameLexem := func(original string) {
+		*segments = append(*segments, newCasualNameLexem(original))
+	}
+
+	addInitialismNameLexem := func(original, match string) {
+		*segments = append(*segments, newInitialismNameLexem(original, match))
+	}
+
+	var addNameLexem func(string)
+	if s.postSplitInitialismCheck {
+		addNameLexem = func(original string) {
+			for i := range s.initialisms {
+				if isEqualFoldIgnoreSpace(s.initialismsUpperCased[i], original) {
+					addInitialismNameLexem(original, s.initialisms[i])
+
+					return
+				}
+			}
+
+			addCasualNameLexem(original)
+		}
+	} else {
+		addNameLexem = addCasualNameLexem
+	}
+
+	// NOTE: (performance). The few remaining non-amortized allocations
+	// lay in the code below: using String() forces
+	for _, rn := range str {
+		if replace, found := s.replaceFunc(rn); found {
+			if currentSegment.Len() > 0 {
+				addNameLexem(currentSegment.String())
+				currentSegment.Reset()
+			}
+
+			if replace != "" {
+				addNameLexem(replace)
+			}
+
+			continue
+		}
+
+		if !unicode.In(rn, unicode.L, unicode.M, unicode.N, unicode.Pc) {
+			if currentSegment.Len() > 0 {
+				addNameLexem(currentSegment.String())
+				currentSegment.Reset()
+			}
+
+			continue
+		}
+
+		if unicode.IsUpper(rn) {
+			if currentSegment.Len() > 0 {
+				addNameLexem(currentSegment.String())
+			}
+			currentSegment.Reset()
+		}
+
+		currentSegment.WriteRune(rn)
+	}
+
+	if currentSegment.Len() > 0 {
+		addNameLexem(currentSegment.String())
+	}
+}
diff --git a/vendor/github.com/go-openapi/swag/string_bytes.go b/vendor/github.com/go-openapi/swag/mangling/string_bytes.go
similarity index 60%
rename from vendor/github.com/go-openapi/swag/string_bytes.go
rename to vendor/github.com/go-openapi/swag/mangling/string_bytes.go
index 90745d5ca9..28daaf72b1 100644
--- a/vendor/github.com/go-openapi/swag/string_bytes.go
+++ b/vendor/github.com/go-openapi/swag/mangling/string_bytes.go
@@ -1,4 +1,7 @@
-package swag
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package mangling
 
 import "unsafe"
 
diff --git a/vendor/github.com/go-openapi/swag/mangling/util.go b/vendor/github.com/go-openapi/swag/mangling/util.go
new file mode 100644
index 0000000000..0636417e36
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling/util.go
@@ -0,0 +1,118 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package mangling
+
+import (
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+// Removes leading whitespaces
+func trim(str string) string { return strings.TrimSpace(str) }
+
+// upper is strings.ToUpper() combined with trim
+func upper(str string) string {
+	return strings.ToUpper(trim(str))
+}
+
+// lower is strings.ToLower() combined with trim
+func lower(str string) string {
+	return strings.ToLower(trim(str))
+}
+
+// isEqualFoldIgnoreSpace is the same as strings.EqualFold, but
+// it ignores leading and trailing blank spaces in the compared
+// string.
+//
+// base is assumed to be composed of upper-cased runes, and be already
+// trimmed.
+//
+// This code is heavily inspired from strings.EqualFold.
+func isEqualFoldIgnoreSpace(base []rune, str string) bool {
+	var i, baseIndex int
+	// equivalent to b := []byte(str), but without data copy
+	b := hackStringBytes(str)
+
+	for i < len(b) {
+		if c := b[i]; c < utf8.RuneSelf {
+			// fast path for ASCII
+			if c != ' ' && c != '\t' {
+				break
+			}
+			i++
+
+			continue
+		}
+
+		// unicode case
+		r, size := utf8.DecodeRune(b[i:])
+		if !unicode.IsSpace(r) {
+			break
+		}
+		i += size
+	}
+
+	if i >= len(b) {
+		return len(base) == 0
+	}
+
+	for _, baseRune := range base {
+		if i >= len(b) {
+			break
+		}
+
+		if c := b[i]; c < utf8.RuneSelf {
+			// single byte rune case (ASCII)
+			if baseRune >= utf8.RuneSelf {
+				return false
+			}
+
+			baseChar := byte(baseRune)
+			if c != baseChar && ((c < 'a') || (c > 'z') || (c-'a'+'A' != baseChar)) {
+				return false
+			}
+
+			baseIndex++
+			i++
+
+			continue
+		}
+
+		// unicode case
+		r, size := utf8.DecodeRune(b[i:])
+		if unicode.ToUpper(r) != baseRune {
+			return false
+		}
+		baseIndex++
+		i += size
+	}
+
+	if baseIndex != len(base) {
+		return false
+	}
+
+	// all passed: now we should only have blanks
+	for i < len(b) {
+		if c := b[i]; c < utf8.RuneSelf {
+			// fast path for ASCII
+			if c != ' ' && c != '\t' {
+				return false
+			}
+			i++
+
+			continue
+		}
+
+		// unicode case
+		r, size := utf8.DecodeRune(b[i:])
+		if !unicode.IsSpace(r) {
+			return false
+		}
+
+		i += size
+	}
+
+	return true
+}
diff --git a/vendor/github.com/go-openapi/swag/mangling_iface.go b/vendor/github.com/go-openapi/swag/mangling_iface.go
new file mode 100644
index 0000000000..98b9a99929
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/mangling_iface.go
@@ -0,0 +1,69 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import "github.com/go-openapi/swag/mangling"
+
+// GoNamePrefixFunc sets an optional rule to prefix go names
+// which do not start with a letter.
+//
+// GoNamePrefixFunc should not be written to while concurrently using the other mangling functions of this package.
+//
+// Deprecated: use [mangling.WithGoNamePrefixFunc] instead.
+var GoNamePrefixFunc mangling.PrefixFunc
+
+// swagNameMangler is a global instance of the name mangler specifically alloted
+// to support deprecated functions.
+var swagNameMangler = mangling.NewNameMangler(
+	mangling.WithGoNamePrefixFuncPtr(&GoNamePrefixFunc),
+)
+
+// AddInitialisms adds additional initialisms to the default list (see [mangling.DefaultInitialisms]).
+//
+// AddInitialisms is not safe to be called concurrently.
+//
+// Deprecated: use [mangling.WithAdditionalInitialisms] instead.
+func AddInitialisms(words ...string) {
+	swagNameMangler.AddInitialisms(words...)
+}
+
+// Camelize a single word.
+//
+// Deprecated: use [mangling.NameMangler.Camelize] instead.
+func Camelize(word string) string { return swagNameMangler.Camelize(word) }
+
+// ToFileName lowercases and underscores a go type name.
+//
+// Deprecated: use [mangling.NameMangler.ToFileName] instead.
+func ToFileName(name string) string { return swagNameMangler.ToFileName(name) }
+
+// ToCommandName lowercases and underscores a go type name.
+//
+// Deprecated: use [mangling.NameMangler.ToCommandName] instead.
+func ToCommandName(name string) string { return swagNameMangler.ToCommandName(name) }
+
+// ToHumanNameLower represents a code name as a human series of words.
+//
+// Deprecated: use [mangling.NameMangler.ToHumanNameLower] instead.
+func ToHumanNameLower(name string) string { return swagNameMangler.ToHumanNameLower(name) }
+
+// ToHumanNameTitle represents a code name as a human series of words with the first letters titleized.
+//
+// Deprecated: use [mangling.NameMangler.ToHumanNameTitle] instead.
+func ToHumanNameTitle(name string) string { return swagNameMangler.ToHumanNameTitle(name) }
+
+// ToJSONName camel-cases a name which can be underscored or pascal-cased.
+//
+// Deprecated: use [mangling.NameMangler.ToJSONName] instead.
+func ToJSONName(name string) string { return swagNameMangler.ToJSONName(name) }
+
+// ToVarName camel-cases a name which can be underscored or pascal-cased.
+//
+// Deprecated: use [mangling.NameMangler.ToVarName] instead.
+func ToVarName(name string) string { return swagNameMangler.ToVarName(name) }
+
+// ToGoName translates a swagger name which can be underscored or camel cased to a name that golint likes.
+//
+// Deprecated: use [mangling.NameMangler.ToGoName] instead.
+func ToGoName(name string) string { return swagNameMangler.ToGoName(name) }
diff --git a/vendor/github.com/go-openapi/swag/name_lexem.go b/vendor/github.com/go-openapi/swag/name_lexem.go
deleted file mode 100644
index 8bb64ac32f..0000000000
--- a/vendor/github.com/go-openapi/swag/name_lexem.go
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package swag
-
-import (
-	"unicode"
-	"unicode/utf8"
-)
-
-type (
-	lexemKind uint8
-
-	nameLexem struct {
-		original          string
-		matchedInitialism string
-		kind              lexemKind
-	}
-)
-
-const (
-	lexemKindCasualName lexemKind = iota
-	lexemKindInitialismName
-)
-
-func newInitialismNameLexem(original, matchedInitialism string) nameLexem {
-	return nameLexem{
-		kind:              lexemKindInitialismName,
-		original:          original,
-		matchedInitialism: matchedInitialism,
-	}
-}
-
-func newCasualNameLexem(original string) nameLexem {
-	return nameLexem{
-		kind:     lexemKindCasualName,
-		original: original,
-	}
-}
-
-func (l nameLexem) GetUnsafeGoName() string {
-	if l.kind == lexemKindInitialismName {
-		return l.matchedInitialism
-	}
-
-	var (
-		first rune
-		rest  string
-	)
-
-	for i, orig := range l.original {
-		if i == 0 {
-			first = orig
-			continue
-		}
-
-		if i > 0 {
-			rest = l.original[i:]
-			break
-		}
-	}
-
-	if len(l.original) > 1 {
-		b := poolOfBuffers.BorrowBuffer(utf8.UTFMax + len(rest))
-		defer func() {
-			poolOfBuffers.RedeemBuffer(b)
-		}()
-		b.WriteRune(unicode.ToUpper(first))
-		b.WriteString(lower(rest))
-		return b.String()
-	}
-
-	return l.original
-}
-
-func (l nameLexem) GetOriginal() string {
-	return l.original
-}
-
-func (l nameLexem) IsInitialism() bool {
-	return l.kind == lexemKindInitialismName
-}
diff --git a/vendor/github.com/go-openapi/swag/netutils/LICENSE b/vendor/github.com/go-openapi/swag/netutils/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/netutils/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/netutils/doc.go b/vendor/github.com/go-openapi/swag/netutils/doc.go
new file mode 100644
index 0000000000..74282f8e51
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/netutils/doc.go
@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package netutils provides helpers for network-related tasks.
+package netutils
diff --git a/vendor/github.com/go-openapi/swag/netutils/net.go b/vendor/github.com/go-openapi/swag/netutils/net.go
new file mode 100644
index 0000000000..82a1544af7
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/netutils/net.go
@@ -0,0 +1,31 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package netutils
+
+import (
+	"net"
+	"strconv"
+)
+
+// SplitHostPort splits a network address into a host and a port.
+//
+// The difference with the standard net.SplitHostPort is that the port is converted to an int.
+//
+// The port is -1 when there is no port to be found.
+func SplitHostPort(addr string) (host string, port int, err error) {
+	h, p, err := net.SplitHostPort(addr)
+	if err != nil {
+		return "", -1, err
+	}
+	if p == "" {
+		return "", -1, &net.AddrError{Err: "missing port in address", Addr: addr}
+	}
+
+	pi, err := strconv.Atoi(p)
+	if err != nil {
+		return "", -1, err
+	}
+
+	return h, pi, nil
+}
diff --git a/vendor/github.com/go-openapi/swag/netutils_iface.go b/vendor/github.com/go-openapi/swag/netutils_iface.go
new file mode 100644
index 0000000000..d658de25b3
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/netutils_iface.go
@@ -0,0 +1,13 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import "github.com/go-openapi/swag/netutils"
+
+// SplitHostPort splits a network address into a host and a port.
+//
+// Deprecated: use [netutils.SplitHostPort] instead.
+func SplitHostPort(addr string) (host string, port int, err error) {
+	return netutils.SplitHostPort(addr)
+}
diff --git a/vendor/github.com/go-openapi/swag/split.go b/vendor/github.com/go-openapi/swag/split.go
deleted file mode 100644
index 274727a866..0000000000
--- a/vendor/github.com/go-openapi/swag/split.go
+++ /dev/null
@@ -1,508 +0,0 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package swag
-
-import (
-	"bytes"
-	"sync"
-	"unicode"
-	"unicode/utf8"
-)
-
-type (
-	splitter struct {
-		initialisms              []string
-		initialismsRunes         [][]rune
-		initialismsUpperCased    [][]rune // initialisms cached in their trimmed, upper-cased version
-		postSplitInitialismCheck bool
-	}
-
-	splitterOption func(*splitter)
-
-	initialismMatch struct {
-		body       []rune
-		start, end int
-		complete   bool
-	}
-	initialismMatches []initialismMatch
-)
-
-type (
-	// memory pools of temporary objects.
-	//
-	// These are used to recycle temporarily allocated objects
-	// and relieve the GC from undue pressure.
-
-	matchesPool struct {
-		*sync.Pool
-	}
-
-	buffersPool struct {
-		*sync.Pool
-	}
-
-	lexemsPool struct {
-		*sync.Pool
-	}
-
-	splittersPool struct {
-		*sync.Pool
-	}
-)
-
-var (
-	// poolOfMatches holds temporary slices for recycling during the initialism match process
-	poolOfMatches = matchesPool{
-		Pool: &sync.Pool{
-			New: func() any {
-				s := make(initialismMatches, 0, maxAllocMatches)
-
-				return &s
-			},
-		},
-	}
-
-	poolOfBuffers = buffersPool{
-		Pool: &sync.Pool{
-			New: func() any {
-				return new(bytes.Buffer)
-			},
-		},
-	}
-
-	poolOfLexems = lexemsPool{
-		Pool: &sync.Pool{
-			New: func() any {
-				s := make([]nameLexem, 0, maxAllocMatches)
-
-				return &s
-			},
-		},
-	}
-
-	poolOfSplitters = splittersPool{
-		Pool: &sync.Pool{
-			New: func() any {
-				s := newSplitter()
-
-				return &s
-			},
-		},
-	}
-)
-
-// nameReplaceTable finds a word representation for special characters.
-func nameReplaceTable(r rune) (string, bool) {
-	switch r {
-	case '@':
-		return "At ", true
-	case '&':
-		return "And ", true
-	case '|':
-		return "Pipe ", true
-	case '$':
-		return "Dollar ", true
-	case '!':
-		return "Bang ", true
-	case '-':
-		return "", true
-	case '_':
-		return "", true
-	default:
-		return "", false
-	}
-}
-
-// split calls the splitter.
-//
-// Use newSplitter for more control and options
-func split(str string) []string {
-	s := poolOfSplitters.BorrowSplitter()
-	lexems := s.split(str)
-	result := make([]string, 0, len(*lexems))
-
-	for _, lexem := range *lexems {
-		result = append(result, lexem.GetOriginal())
-	}
-	poolOfLexems.RedeemLexems(lexems)
-	poolOfSplitters.RedeemSplitter(s)
-
-	return result
-
-}
-
-func newSplitter(options ...splitterOption) splitter {
-	s := splitter{
-		postSplitInitialismCheck: false,
-		initialisms:              initialisms,
-		initialismsRunes:         initialismsRunes,
-		initialismsUpperCased:    initialismsUpperCased,
-	}
-
-	for _, option := range options {
-		option(&s)
-	}
-
-	return s
-}
-
-// withPostSplitInitialismCheck allows to catch initialisms after main split process
-func withPostSplitInitialismCheck(s *splitter) {
-	s.postSplitInitialismCheck = true
-}
-
-func (p matchesPool) BorrowMatches() *initialismMatches {
-	s := p.Get().(*initialismMatches)
-	*s = (*s)[:0] // reset slice, keep allocated capacity
-
-	return s
-}
-
-func (p buffersPool) BorrowBuffer(size int) *bytes.Buffer {
-	s := p.Get().(*bytes.Buffer)
-	s.Reset()
-
-	if s.Cap() < size {
-		s.Grow(size)
-	}
-
-	return s
-}
-
-func (p lexemsPool) BorrowLexems() *[]nameLexem {
-	s := p.Get().(*[]nameLexem)
-	*s = (*s)[:0] // reset slice, keep allocated capacity
-
-	return s
-}
-
-func (p splittersPool) BorrowSplitter(options ...splitterOption) *splitter {
-	s := p.Get().(*splitter)
-	s.postSplitInitialismCheck = false // reset options
-	for _, apply := range options {
-		apply(s)
-	}
-
-	return s
-}
-
-func (p matchesPool) RedeemMatches(s *initialismMatches) {
-	p.Put(s)
-}
-
-func (p buffersPool) RedeemBuffer(s *bytes.Buffer) {
-	p.Put(s)
-}
-
-func (p lexemsPool) RedeemLexems(s *[]nameLexem) {
-	p.Put(s)
-}
-
-func (p splittersPool) RedeemSplitter(s *splitter) {
-	p.Put(s)
-}
-
-func (m initialismMatch) isZero() bool {
-	return m.start == 0 && m.end == 0
-}
-
-func (s splitter) split(name string) *[]nameLexem {
-	nameRunes := []rune(name)
-	matches := s.gatherInitialismMatches(nameRunes)
-	if matches == nil {
-		return poolOfLexems.BorrowLexems()
-	}
-
-	return s.mapMatchesToNameLexems(nameRunes, matches)
-}
-
-func (s splitter) gatherInitialismMatches(nameRunes []rune) *initialismMatches {
-	var matches *initialismMatches
-
-	for currentRunePosition, currentRune := range nameRunes {
-		// recycle these allocations as we loop over runes
-		// with such recycling, only 2 slices should be allocated per call
-		// instead of o(n).
-		newMatches := poolOfMatches.BorrowMatches()
-
-		// check current initialism matches
-		if matches != nil { // skip first iteration
-			for _, match := range *matches {
-				if keepCompleteMatch := match.complete; keepCompleteMatch {
-					*newMatches = append(*newMatches, match)
-					continue
-				}
-
-				// drop failed match
-				currentMatchRune := match.body[currentRunePosition-match.start]
-				if currentMatchRune != currentRune {
-					continue
-				}
-
-				// try to complete ongoing match
-				if currentRunePosition-match.start == len(match.body)-1 {
-					// we are close; the next step is to check the symbol ahead
-					// if it is a small letter, then it is not the end of match
-					// but beginning of the next word
-
-					if currentRunePosition < len(nameRunes)-1 {
-						nextRune := nameRunes[currentRunePosition+1]
-						if newWord := unicode.IsLower(nextRune); newWord {
-							// oh ok, it was the start of a new word
-							continue
-						}
-					}
-
-					match.complete = true
-					match.end = currentRunePosition
-				}
-
-				*newMatches = append(*newMatches, match)
-			}
-		}
-
-		// check for new initialism matches
-		for i := range s.initialisms {
-			initialismRunes := s.initialismsRunes[i]
-			if initialismRunes[0] == currentRune {
-				*newMatches = append(*newMatches, initialismMatch{
-					start:    currentRunePosition,
-					body:     initialismRunes,
-					complete: false,
-				})
-			}
-		}
-
-		if matches != nil {
-			poolOfMatches.RedeemMatches(matches)
-		}
-		matches = newMatches
-	}
-
-	// up to the caller to redeem this last slice
-	return matches
-}
-
-func (s splitter) mapMatchesToNameLexems(nameRunes []rune, matches *initialismMatches) *[]nameLexem {
-	nameLexems := poolOfLexems.BorrowLexems()
-
-	var lastAcceptedMatch initialismMatch
-	for _, match := range *matches {
-		if !match.complete {
-			continue
-		}
-
-		if firstMatch := lastAcceptedMatch.isZero(); firstMatch {
-			s.appendBrokenDownCasualString(nameLexems, nameRunes[:match.start])
-			*nameLexems = append(*nameLexems, s.breakInitialism(string(match.body)))
-
-			lastAcceptedMatch = match
-
-			continue
-		}
-
-		if overlappedMatch := match.start <= lastAcceptedMatch.end; overlappedMatch {
-			continue
-		}
-
-		middle := nameRunes[lastAcceptedMatch.end+1 : match.start]
-		s.appendBrokenDownCasualString(nameLexems, middle)
-		*nameLexems = append(*nameLexems, s.breakInitialism(string(match.body)))
-
-		lastAcceptedMatch = match
-	}
-
-	// we have not found any accepted matches
-	if lastAcceptedMatch.isZero() {
-		*nameLexems = (*nameLexems)[:0]
-		s.appendBrokenDownCasualString(nameLexems, nameRunes)
-	} else if lastAcceptedMatch.end+1 != len(nameRunes) {
-		rest := nameRunes[lastAcceptedMatch.end+1:]
-		s.appendBrokenDownCasualString(nameLexems, rest)
-	}
-
-	poolOfMatches.RedeemMatches(matches)
-
-	return nameLexems
-}
-
-func (s splitter) breakInitialism(original string) nameLexem {
-	return newInitialismNameLexem(original, original)
-}
-
-func (s splitter) appendBrokenDownCasualString(segments *[]nameLexem, str []rune) {
-	currentSegment := poolOfBuffers.BorrowBuffer(len(str)) // unlike strings.Builder, bytes.Buffer initial storage can reused
-	defer func() {
-		poolOfBuffers.RedeemBuffer(currentSegment)
-	}()
-
-	addCasualNameLexem := func(original string) {
-		*segments = append(*segments, newCasualNameLexem(original))
-	}
-
-	addInitialismNameLexem := func(original, match string) {
-		*segments = append(*segments, newInitialismNameLexem(original, match))
-	}
-
-	var addNameLexem func(string)
-	if s.postSplitInitialismCheck {
-		addNameLexem = func(original string) {
-			for i := range s.initialisms {
-				if isEqualFoldIgnoreSpace(s.initialismsUpperCased[i], original) {
-					addInitialismNameLexem(original, s.initialisms[i])
-
-					return
-				}
-			}
-
-			addCasualNameLexem(original)
-		}
-	} else {
-		addNameLexem = addCasualNameLexem
-	}
-
-	for _, rn := range str {
-		if replace, found := nameReplaceTable(rn); found {
-			if currentSegment.Len() > 0 {
-				addNameLexem(currentSegment.String())
-				currentSegment.Reset()
-			}
-
-			if replace != "" {
-				addNameLexem(replace)
-			}
-
-			continue
-		}
-
-		if !unicode.In(rn, unicode.L, unicode.M, unicode.N, unicode.Pc) {
-			if currentSegment.Len() > 0 {
-				addNameLexem(currentSegment.String())
-				currentSegment.Reset()
-			}
-
-			continue
-		}
-
-		if unicode.IsUpper(rn) {
-			if currentSegment.Len() > 0 {
-				addNameLexem(currentSegment.String())
-			}
-			currentSegment.Reset()
-		}
-
-		currentSegment.WriteRune(rn)
-	}
-
-	if currentSegment.Len() > 0 {
-		addNameLexem(currentSegment.String())
-	}
-}
-
-// isEqualFoldIgnoreSpace is the same as strings.EqualFold, but
-// it ignores leading and trailing blank spaces in the compared
-// string.
-//
-// base is assumed to be composed of upper-cased runes, and be already
-// trimmed.
-//
-// This code is heavily inspired from strings.EqualFold.
-func isEqualFoldIgnoreSpace(base []rune, str string) bool {
-	var i, baseIndex int
-	// equivalent to b := []byte(str), but without data copy
-	b := hackStringBytes(str)
-
-	for i < len(b) {
-		if c := b[i]; c < utf8.RuneSelf {
-			// fast path for ASCII
-			if c != ' ' && c != '\t' {
-				break
-			}
-			i++
-
-			continue
-		}
-
-		// unicode case
-		r, size := utf8.DecodeRune(b[i:])
-		if !unicode.IsSpace(r) {
-			break
-		}
-		i += size
-	}
-
-	if i >= len(b) {
-		return len(base) == 0
-	}
-
-	for _, baseRune := range base {
-		if i >= len(b) {
-			break
-		}
-
-		if c := b[i]; c < utf8.RuneSelf {
-			// single byte rune case (ASCII)
-			if baseRune >= utf8.RuneSelf {
-				return false
-			}
-
-			baseChar := byte(baseRune)
-			if c != baseChar &&
-				!('a' <= c && c <= 'z' && c-'a'+'A' == baseChar) {
-				return false
-			}
-
-			baseIndex++
-			i++
-
-			continue
-		}
-
-		// unicode case
-		r, size := utf8.DecodeRune(b[i:])
-		if unicode.ToUpper(r) != baseRune {
-			return false
-		}
-		baseIndex++
-		i += size
-	}
-
-	if baseIndex != len(base) {
-		return false
-	}
-
-	// all passed: now we should only have blanks
-	for i < len(b) {
-		if c := b[i]; c < utf8.RuneSelf {
-			// fast path for ASCII
-			if c != ' ' && c != '\t' {
-				return false
-			}
-			i++
-
-			continue
-		}
-
-		// unicode case
-		r, size := utf8.DecodeRune(b[i:])
-		if !unicode.IsSpace(r) {
-			return false
-		}
-
-		i += size
-	}
-
-	return true
-}
diff --git a/vendor/github.com/go-openapi/swag/stringutils/LICENSE b/vendor/github.com/go-openapi/swag/stringutils/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/stringutils/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/stringutils/collection_formats.go b/vendor/github.com/go-openapi/swag/stringutils/collection_formats.go
new file mode 100644
index 0000000000..28056ad25c
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/stringutils/collection_formats.go
@@ -0,0 +1,74 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package stringutils
+
+import "strings"
+
+const (
+	// collectionFormatComma = "csv"
+	collectionFormatSpace = "ssv"
+	collectionFormatTab   = "tsv"
+	collectionFormatPipe  = "pipes"
+	collectionFormatMulti = "multi"
+
+	collectionFormatDefaultSep = ","
+)
+
+// JoinByFormat joins a string array by a known format (e.g. swagger's collectionFormat attribute):
+//
+//	ssv: space separated value
+//	tsv: tab separated value
+//	pipes: pipe (|) separated value
+//	csv: comma separated value (default)
+func JoinByFormat(data []string, format string) []string {
+	if len(data) == 0 {
+		return data
+	}
+	var sep string
+	switch format {
+	case collectionFormatSpace:
+		sep = " "
+	case collectionFormatTab:
+		sep = "\t"
+	case collectionFormatPipe:
+		sep = "|"
+	case collectionFormatMulti:
+		return data
+	default:
+		sep = collectionFormatDefaultSep
+	}
+	return []string{strings.Join(data, sep)}
+}
+
+// SplitByFormat splits a string by a known format:
+//
+//	ssv: space separated value
+//	tsv: tab separated value
+//	pipes: pipe (|) separated value
+//	csv: comma separated value (default)
+func SplitByFormat(data, format string) []string {
+	if data == "" {
+		return nil
+	}
+	var sep string
+	switch format {
+	case collectionFormatSpace:
+		sep = " "
+	case collectionFormatTab:
+		sep = "\t"
+	case collectionFormatPipe:
+		sep = "|"
+	case collectionFormatMulti:
+		return nil
+	default:
+		sep = collectionFormatDefaultSep
+	}
+	var result []string
+	for _, s := range strings.Split(data, sep) {
+		if ts := strings.TrimSpace(s); ts != "" {
+			result = append(result, ts)
+		}
+	}
+	return result
+}
diff --git a/vendor/github.com/go-openapi/swag/stringutils/doc.go b/vendor/github.com/go-openapi/swag/stringutils/doc.go
new file mode 100644
index 0000000000..c6d17a1160
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/stringutils/doc.go
@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package stringutils exposes helpers to search and process strings.
+package stringutils
diff --git a/vendor/github.com/go-openapi/swag/stringutils/strings.go b/vendor/github.com/go-openapi/swag/stringutils/strings.go
new file mode 100644
index 0000000000..cd792b7d08
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/stringutils/strings.go
@@ -0,0 +1,23 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package stringutils
+
+import (
+	"slices"
+	"strings"
+)
+
+// ContainsStrings searches a slice of strings for a case-sensitive match
+//
+// Now equivalent to the standard library [slice.Contains].
+func ContainsStrings(coll []string, item string) bool {
+	return slices.Contains(coll, item)
+}
+
+// ContainsStringsCI searches a slice of strings for a case-insensitive match
+func ContainsStringsCI(coll []string, item string) bool {
+	return slices.ContainsFunc(coll, func(e string) bool {
+		return strings.EqualFold(e, item)
+	})
+}
diff --git a/vendor/github.com/go-openapi/swag/stringutils_iface.go b/vendor/github.com/go-openapi/swag/stringutils_iface.go
new file mode 100644
index 0000000000..dbfa484843
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/stringutils_iface.go
@@ -0,0 +1,34 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import "github.com/go-openapi/swag/stringutils"
+
+// ContainsStrings searches a slice of strings for a case-sensitive match.
+//
+// Deprecated: use [slices.Contains] or [stringutils.ContainsStrings] instead.
+func ContainsStrings(coll []string, item string) bool {
+	return stringutils.ContainsStrings(coll, item)
+}
+
+// ContainsStringsCI searches a slice of strings for a case-insensitive match.
+//
+// Deprecated: use [stringutils.ContainsStringsCI] instead.
+func ContainsStringsCI(coll []string, item string) bool {
+	return stringutils.ContainsStringsCI(coll, item)
+}
+
+// JoinByFormat joins a string array by a known format (e.g. swagger's collectionFormat attribute).
+//
+// Deprecated: use [stringutils.JoinByFormat] instead.
+func JoinByFormat(data []string, format string) []string {
+	return stringutils.JoinByFormat(data, format)
+}
+
+// SplitByFormat splits a string by a known format.
+//
+// Deprecated: use [stringutils.SplitByFormat] instead.
+func SplitByFormat(data, format string) []string {
+	return stringutils.SplitByFormat(data, format)
+}
diff --git a/vendor/github.com/go-openapi/swag/typeutils/LICENSE b/vendor/github.com/go-openapi/swag/typeutils/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/typeutils/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/typeutils/doc.go b/vendor/github.com/go-openapi/swag/typeutils/doc.go
new file mode 100644
index 0000000000..66bed20dff
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/typeutils/doc.go
@@ -0,0 +1,5 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package typeutils exposes utilities to inspect generic types.
+package typeutils
diff --git a/vendor/github.com/go-openapi/swag/typeutils/types.go b/vendor/github.com/go-openapi/swag/typeutils/types.go
new file mode 100644
index 0000000000..55487a673c
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/typeutils/types.go
@@ -0,0 +1,80 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package typeutils
+
+import "reflect"
+
+type zeroable interface {
+	IsZero() bool
+}
+
+// IsZero returns true when the value passed into the function is a zero value.
+// This allows for safer checking of interface values.
+func IsZero(data any) bool {
+	v := reflect.ValueOf(data)
+	// check for nil data
+	switch v.Kind() { //nolint:exhaustive
+	case
+		reflect.Interface,
+		reflect.Func,
+		reflect.Chan,
+		reflect.Pointer,
+		reflect.UnsafePointer,
+		reflect.Map,
+		reflect.Slice:
+		if v.IsNil() {
+			return true
+		}
+	}
+
+	// check for things that have an IsZero method instead
+	if vv, ok := data.(zeroable); ok {
+		return vv.IsZero()
+	}
+
+	// continue with slightly more complex reflection
+	switch v.Kind() { //nolint:exhaustive
+	case reflect.String:
+		return v.Len() == 0
+	case reflect.Bool:
+		return !v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return v.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() == 0
+	case reflect.Struct, reflect.Array:
+		return reflect.DeepEqual(data, reflect.Zero(v.Type()).Interface())
+	case reflect.Invalid:
+		return true
+	default:
+		return false
+	}
+}
+
+// IsNil checks if input is nil.
+//
+// For types chan, func, interface, map, pointer, or slice it returns true if its argument is nil.
+//
+// See [reflect.Value.IsNil].
+func IsNil(input any) bool {
+	if input == nil {
+		return true
+	}
+
+	kind := reflect.TypeOf(input).Kind()
+	switch kind { //nolint:exhaustive
+	case reflect.Pointer,
+		reflect.UnsafePointer,
+		reflect.Map,
+		reflect.Slice,
+		reflect.Chan,
+		reflect.Interface,
+		reflect.Func:
+		return reflect.ValueOf(input).IsNil()
+	default:
+		return false
+	}
+}
diff --git a/vendor/github.com/go-openapi/swag/typeutils_iface.go b/vendor/github.com/go-openapi/swag/typeutils_iface.go
new file mode 100644
index 0000000000..b63813ea40
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/typeutils_iface.go
@@ -0,0 +1,12 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import "github.com/go-openapi/swag/typeutils"
+
+// IsZero returns true when the value passed into the function is a zero value.
+// This allows for safer checking of interface values.
+//
+// Deprecated: use [typeutils.IsZero] instead.
+func IsZero(data any) bool { return typeutils.IsZero(data) }
diff --git a/vendor/github.com/go-openapi/swag/util.go b/vendor/github.com/go-openapi/swag/util.go
deleted file mode 100644
index 5051401c49..0000000000
--- a/vendor/github.com/go-openapi/swag/util.go
+++ /dev/null
@@ -1,364 +0,0 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package swag
-
-import (
-	"reflect"
-	"strings"
-	"unicode"
-	"unicode/utf8"
-)
-
-// GoNamePrefixFunc sets an optional rule to prefix go names
-// which do not start with a letter.
-//
-// The prefix function is assumed to return a string that starts with an upper case letter.
-//
-// e.g. to help convert "123" into "{prefix}123"
-//
-// The default is to prefix with "X"
-var GoNamePrefixFunc func(string) string
-
-func prefixFunc(name, in string) string {
-	if GoNamePrefixFunc == nil {
-		return "X" + in
-	}
-
-	return GoNamePrefixFunc(name) + in
-}
-
-const (
-	// collectionFormatComma = "csv"
-	collectionFormatSpace = "ssv"
-	collectionFormatTab   = "tsv"
-	collectionFormatPipe  = "pipes"
-	collectionFormatMulti = "multi"
-)
-
-// JoinByFormat joins a string array by a known format (e.g. swagger's collectionFormat attribute):
-//
-//	ssv: space separated value
-//	tsv: tab separated value
-//	pipes: pipe (|) separated value
-//	csv: comma separated value (default)
-func JoinByFormat(data []string, format string) []string {
-	if len(data) == 0 {
-		return data
-	}
-	var sep string
-	switch format {
-	case collectionFormatSpace:
-		sep = " "
-	case collectionFormatTab:
-		sep = "\t"
-	case collectionFormatPipe:
-		sep = "|"
-	case collectionFormatMulti:
-		return data
-	default:
-		sep = ","
-	}
-	return []string{strings.Join(data, sep)}
-}
-
-// SplitByFormat splits a string by a known format:
-//
-//	ssv: space separated value
-//	tsv: tab separated value
-//	pipes: pipe (|) separated value
-//	csv: comma separated value (default)
-func SplitByFormat(data, format string) []string {
-	if data == "" {
-		return nil
-	}
-	var sep string
-	switch format {
-	case collectionFormatSpace:
-		sep = " "
-	case collectionFormatTab:
-		sep = "\t"
-	case collectionFormatPipe:
-		sep = "|"
-	case collectionFormatMulti:
-		return nil
-	default:
-		sep = ","
-	}
-	var result []string
-	for _, s := range strings.Split(data, sep) {
-		if ts := strings.TrimSpace(s); ts != "" {
-			result = append(result, ts)
-		}
-	}
-	return result
-}
-
-// Removes leading whitespaces
-func trim(str string) string {
-	return strings.TrimSpace(str)
-}
-
-// Shortcut to strings.ToUpper()
-func upper(str string) string {
-	return strings.ToUpper(trim(str))
-}
-
-// Shortcut to strings.ToLower()
-func lower(str string) string {
-	return strings.ToLower(trim(str))
-}
-
-// Camelize an uppercased word
-func Camelize(word string) string {
-	camelized := poolOfBuffers.BorrowBuffer(len(word))
-	defer func() {
-		poolOfBuffers.RedeemBuffer(camelized)
-	}()
-
-	for pos, ru := range []rune(word) {
-		if pos > 0 {
-			camelized.WriteRune(unicode.ToLower(ru))
-		} else {
-			camelized.WriteRune(unicode.ToUpper(ru))
-		}
-	}
-	return camelized.String()
-}
-
-// ToFileName lowercases and underscores a go type name
-func ToFileName(name string) string {
-	in := split(name)
-	out := make([]string, 0, len(in))
-
-	for _, w := range in {
-		out = append(out, lower(w))
-	}
-
-	return strings.Join(out, "_")
-}
-
-// ToCommandName lowercases and underscores a go type name
-func ToCommandName(name string) string {
-	in := split(name)
-	out := make([]string, 0, len(in))
-
-	for _, w := range in {
-		out = append(out, lower(w))
-	}
-	return strings.Join(out, "-")
-}
-
-// ToHumanNameLower represents a code name as a human series of words
-func ToHumanNameLower(name string) string {
-	s := poolOfSplitters.BorrowSplitter(withPostSplitInitialismCheck)
-	in := s.split(name)
-	poolOfSplitters.RedeemSplitter(s)
-	out := make([]string, 0, len(*in))
-
-	for _, w := range *in {
-		if !w.IsInitialism() {
-			out = append(out, lower(w.GetOriginal()))
-		} else {
-			out = append(out, trim(w.GetOriginal()))
-		}
-	}
-	poolOfLexems.RedeemLexems(in)
-
-	return strings.Join(out, " ")
-}
-
-// ToHumanNameTitle represents a code name as a human series of words with the first letters titleized
-func ToHumanNameTitle(name string) string {
-	s := poolOfSplitters.BorrowSplitter(withPostSplitInitialismCheck)
-	in := s.split(name)
-	poolOfSplitters.RedeemSplitter(s)
-
-	out := make([]string, 0, len(*in))
-	for _, w := range *in {
-		original := trim(w.GetOriginal())
-		if !w.IsInitialism() {
-			out = append(out, Camelize(original))
-		} else {
-			out = append(out, original)
-		}
-	}
-	poolOfLexems.RedeemLexems(in)
-
-	return strings.Join(out, " ")
-}
-
-// ToJSONName camelcases a name which can be underscored or pascal cased
-func ToJSONName(name string) string {
-	in := split(name)
-	out := make([]string, 0, len(in))
-
-	for i, w := range in {
-		if i == 0 {
-			out = append(out, lower(w))
-			continue
-		}
-		out = append(out, Camelize(trim(w)))
-	}
-	return strings.Join(out, "")
-}
-
-// ToVarName camelcases a name which can be underscored or pascal cased
-func ToVarName(name string) string {
-	res := ToGoName(name)
-	if isInitialism(res) {
-		return lower(res)
-	}
-	if len(res) <= 1 {
-		return lower(res)
-	}
-	return lower(res[:1]) + res[1:]
-}
-
-// ToGoName translates a swagger name which can be underscored or camel cased to a name that golint likes
-func ToGoName(name string) string {
-	s := poolOfSplitters.BorrowSplitter(withPostSplitInitialismCheck)
-	lexems := s.split(name)
-	poolOfSplitters.RedeemSplitter(s)
-	defer func() {
-		poolOfLexems.RedeemLexems(lexems)
-	}()
-	lexemes := *lexems
-
-	if len(lexemes) == 0 {
-		return ""
-	}
-
-	result := poolOfBuffers.BorrowBuffer(len(name))
-	defer func() {
-		poolOfBuffers.RedeemBuffer(result)
-	}()
-
-	// check if not starting with a letter, upper case
-	firstPart := lexemes[0].GetUnsafeGoName()
-	if lexemes[0].IsInitialism() {
-		firstPart = upper(firstPart)
-	}
-
-	if c := firstPart[0]; c < utf8.RuneSelf {
-		// ASCII
-		switch {
-		case 'A' <= c && c <= 'Z':
-			result.WriteString(firstPart)
-		case 'a' <= c && c <= 'z':
-			result.WriteByte(c - 'a' + 'A')
-			result.WriteString(firstPart[1:])
-		default:
-			result.WriteString(prefixFunc(name, firstPart))
-			// NOTE: no longer check if prefixFunc returns a string that starts with uppercase:
-			// assume this is always the case
-		}
-	} else {
-		// unicode
-		firstRune, _ := utf8.DecodeRuneInString(firstPart)
-		switch {
-		case !unicode.IsLetter(firstRune):
-			result.WriteString(prefixFunc(name, firstPart))
-		case !unicode.IsUpper(firstRune):
-			result.WriteString(prefixFunc(name, firstPart))
-			/*
-				result.WriteRune(unicode.ToUpper(firstRune))
-				result.WriteString(firstPart[offset:])
-			*/
-		default:
-			result.WriteString(firstPart)
-		}
-	}
-
-	for _, lexem := range lexemes[1:] {
-		goName := lexem.GetUnsafeGoName()
-
-		// to support old behavior
-		if lexem.IsInitialism() {
-			goName = upper(goName)
-		}
-		result.WriteString(goName)
-	}
-
-	return result.String()
-}
-
-// ContainsStrings searches a slice of strings for a case-sensitive match
-func ContainsStrings(coll []string, item string) bool {
-	for _, a := range coll {
-		if a == item {
-			return true
-		}
-	}
-	return false
-}
-
-// ContainsStringsCI searches a slice of strings for a case-insensitive match
-func ContainsStringsCI(coll []string, item string) bool {
-	for _, a := range coll {
-		if strings.EqualFold(a, item) {
-			return true
-		}
-	}
-	return false
-}
-
-type zeroable interface {
-	IsZero() bool
-}
-
-// IsZero returns true when the value passed into the function is a zero value.
-// This allows for safer checking of interface values.
-func IsZero(data interface{}) bool {
-	v := reflect.ValueOf(data)
-	// check for nil data
-	switch v.Kind() { //nolint:exhaustive
-	case reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:
-		if v.IsNil() {
-			return true
-		}
-	}
-
-	// check for things that have an IsZero method instead
-	if vv, ok := data.(zeroable); ok {
-		return vv.IsZero()
-	}
-
-	// continue with slightly more complex reflection
-	switch v.Kind() { //nolint:exhaustive
-	case reflect.String:
-		return v.Len() == 0
-	case reflect.Bool:
-		return !v.Bool()
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return v.Int() == 0
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return v.Uint() == 0
-	case reflect.Float32, reflect.Float64:
-		return v.Float() == 0
-	case reflect.Struct, reflect.Array:
-		return reflect.DeepEqual(data, reflect.Zero(v.Type()).Interface())
-	case reflect.Invalid:
-		return true
-	default:
-		return false
-	}
-}
-
-// CommandLineOptionsGroup represents a group of user-defined command line options
-type CommandLineOptionsGroup struct {
-	ShortDescription string
-	LongDescription  string
-	Options          interface{}
-}
diff --git a/vendor/github.com/go-openapi/swag/yaml.go b/vendor/github.com/go-openapi/swag/yaml.go
deleted file mode 100644
index 575346539a..0000000000
--- a/vendor/github.com/go-openapi/swag/yaml.go
+++ /dev/null
@@ -1,481 +0,0 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package swag
-
-import (
-	"encoding/json"
-	"fmt"
-	"path/filepath"
-	"reflect"
-	"sort"
-	"strconv"
-
-	"github.com/mailru/easyjson/jlexer"
-	"github.com/mailru/easyjson/jwriter"
-	yaml "gopkg.in/yaml.v3"
-)
-
-// YAMLMatcher matches yaml
-func YAMLMatcher(path string) bool {
-	ext := filepath.Ext(path)
-	return ext == ".yaml" || ext == ".yml"
-}
-
-// YAMLToJSON converts YAML unmarshaled data into json compatible data
-func YAMLToJSON(data interface{}) (json.RawMessage, error) {
-	jm, err := transformData(data)
-	if err != nil {
-		return nil, err
-	}
-	b, err := WriteJSON(jm)
-	return json.RawMessage(b), err
-}
-
-// BytesToYAMLDoc converts a byte slice into a YAML document
-func BytesToYAMLDoc(data []byte) (interface{}, error) {
-	var document yaml.Node // preserve order that is present in the document
-	if err := yaml.Unmarshal(data, &document); err != nil {
-		return nil, err
-	}
-	if document.Kind != yaml.DocumentNode || len(document.Content) != 1 || document.Content[0].Kind != yaml.MappingNode {
-		return nil, fmt.Errorf("only YAML documents that are objects are supported: %w", ErrYAML)
-	}
-	return &document, nil
-}
-
-func yamlNode(root *yaml.Node) (interface{}, error) {
-	switch root.Kind {
-	case yaml.DocumentNode:
-		return yamlDocument(root)
-	case yaml.SequenceNode:
-		return yamlSequence(root)
-	case yaml.MappingNode:
-		return yamlMapping(root)
-	case yaml.ScalarNode:
-		return yamlScalar(root)
-	case yaml.AliasNode:
-		return yamlNode(root.Alias)
-	default:
-		return nil, fmt.Errorf("unsupported YAML node type: %v: %w", root.Kind, ErrYAML)
-	}
-}
-
-func yamlDocument(node *yaml.Node) (interface{}, error) {
-	if len(node.Content) != 1 {
-		return nil, fmt.Errorf("unexpected YAML Document node content length: %d: %w", len(node.Content), ErrYAML)
-	}
-	return yamlNode(node.Content[0])
-}
-
-func yamlMapping(node *yaml.Node) (interface{}, error) {
-	const sensibleAllocDivider = 2
-	m := make(JSONMapSlice, len(node.Content)/sensibleAllocDivider)
-
-	var j int
-	for i := 0; i < len(node.Content); i += 2 {
-		var nmi JSONMapItem
-		k, err := yamlStringScalarC(node.Content[i])
-		if err != nil {
-			return nil, fmt.Errorf("unable to decode YAML map key: %w: %w", err, ErrYAML)
-		}
-		nmi.Key = k
-		v, err := yamlNode(node.Content[i+1])
-		if err != nil {
-			return nil, fmt.Errorf("unable to process YAML map value for key %q: %w: %w", k, err, ErrYAML)
-		}
-		nmi.Value = v
-		m[j] = nmi
-		j++
-	}
-	return m, nil
-}
-
-func yamlSequence(node *yaml.Node) (interface{}, error) {
-	s := make([]interface{}, 0)
-
-	for i := 0; i < len(node.Content); i++ {
-
-		v, err := yamlNode(node.Content[i])
-		if err != nil {
-			return nil, fmt.Errorf("unable to decode YAML sequence value: %w: %w", err, ErrYAML)
-		}
-		s = append(s, v)
-	}
-	return s, nil
-}
-
-const ( // See https://yaml.org/type/
-	yamlStringScalar = "tag:yaml.org,2002:str"
-	yamlIntScalar    = "tag:yaml.org,2002:int"
-	yamlBoolScalar   = "tag:yaml.org,2002:bool"
-	yamlFloatScalar  = "tag:yaml.org,2002:float"
-	yamlTimestamp    = "tag:yaml.org,2002:timestamp"
-	yamlNull         = "tag:yaml.org,2002:null"
-)
-
-func yamlScalar(node *yaml.Node) (interface{}, error) {
-	switch node.LongTag() {
-	case yamlStringScalar:
-		return node.Value, nil
-	case yamlBoolScalar:
-		b, err := strconv.ParseBool(node.Value)
-		if err != nil {
-			return nil, fmt.Errorf("unable to process scalar node. Got %q. Expecting bool content: %w: %w", node.Value, err, ErrYAML)
-		}
-		return b, nil
-	case yamlIntScalar:
-		i, err := strconv.ParseInt(node.Value, 10, 64)
-		if err != nil {
-			return nil, fmt.Errorf("unable to process scalar node. Got %q. Expecting integer content: %w: %w", node.Value, err, ErrYAML)
-		}
-		return i, nil
-	case yamlFloatScalar:
-		f, err := strconv.ParseFloat(node.Value, 64)
-		if err != nil {
-			return nil, fmt.Errorf("unable to process scalar node. Got %q. Expecting float content: %w: %w", node.Value, err, ErrYAML)
-		}
-		return f, nil
-	case yamlTimestamp:
-		return node.Value, nil
-	case yamlNull:
-		return nil, nil //nolint:nilnil
-	default:
-		return nil, fmt.Errorf("YAML tag %q is not supported: %w", node.LongTag(), ErrYAML)
-	}
-}
-
-func yamlStringScalarC(node *yaml.Node) (string, error) {
-	if node.Kind != yaml.ScalarNode {
-		return "", fmt.Errorf("expecting a string scalar but got %q: %w", node.Kind, ErrYAML)
-	}
-	switch node.LongTag() {
-	case yamlStringScalar, yamlIntScalar, yamlFloatScalar:
-		return node.Value, nil
-	default:
-		return "", fmt.Errorf("YAML tag %q is not supported as map key: %w", node.LongTag(), ErrYAML)
-	}
-}
-
-// JSONMapSlice represent a JSON object, with the order of keys maintained
-type JSONMapSlice []JSONMapItem
-
-// MarshalJSON renders a JSONMapSlice as JSON
-func (s JSONMapSlice) MarshalJSON() ([]byte, error) {
-	w := &jwriter.Writer{Flags: jwriter.NilMapAsEmpty | jwriter.NilSliceAsEmpty}
-	s.MarshalEasyJSON(w)
-	return w.BuildBytes()
-}
-
-// MarshalEasyJSON renders a JSONMapSlice as JSON, using easyJSON
-func (s JSONMapSlice) MarshalEasyJSON(w *jwriter.Writer) {
-	w.RawByte('{')
-
-	ln := len(s)
-	last := ln - 1
-	for i := 0; i < ln; i++ {
-		s[i].MarshalEasyJSON(w)
-		if i != last { // last item
-			w.RawByte(',')
-		}
-	}
-
-	w.RawByte('}')
-}
-
-// UnmarshalJSON makes a JSONMapSlice from JSON
-func (s *JSONMapSlice) UnmarshalJSON(data []byte) error {
-	l := jlexer.Lexer{Data: data}
-	s.UnmarshalEasyJSON(&l)
-	return l.Error()
-}
-
-// UnmarshalEasyJSON makes a JSONMapSlice from JSON, using easyJSON
-func (s *JSONMapSlice) UnmarshalEasyJSON(in *jlexer.Lexer) {
-	if in.IsNull() {
-		in.Skip()
-		return
-	}
-
-	var result JSONMapSlice
-	in.Delim('{')
-	for !in.IsDelim('}') {
-		var mi JSONMapItem
-		mi.UnmarshalEasyJSON(in)
-		result = append(result, mi)
-	}
-	*s = result
-}
-
-func (s JSONMapSlice) MarshalYAML() (interface{}, error) {
-	var n yaml.Node
-	n.Kind = yaml.DocumentNode
-	var nodes []*yaml.Node
-	for _, item := range s {
-		nn, err := json2yaml(item.Value)
-		if err != nil {
-			return nil, err
-		}
-		ns := []*yaml.Node{
-			{
-				Kind:  yaml.ScalarNode,
-				Tag:   yamlStringScalar,
-				Value: item.Key,
-			},
-			nn,
-		}
-		nodes = append(nodes, ns...)
-	}
-
-	n.Content = []*yaml.Node{
-		{
-			Kind:    yaml.MappingNode,
-			Content: nodes,
-		},
-	}
-
-	return yaml.Marshal(&n)
-}
-
-func isNil(input interface{}) bool {
-	if input == nil {
-		return true
-	}
-	kind := reflect.TypeOf(input).Kind()
-	switch kind { //nolint:exhaustive
-	case reflect.Ptr, reflect.Map, reflect.Slice, reflect.Chan:
-		return reflect.ValueOf(input).IsNil()
-	default:
-		return false
-	}
-}
-
-func json2yaml(item interface{}) (*yaml.Node, error) {
-	if isNil(item) {
-		return &yaml.Node{
-			Kind:  yaml.ScalarNode,
-			Value: "null",
-		}, nil
-	}
-
-	switch val := item.(type) {
-	case JSONMapSlice:
-		var n yaml.Node
-		n.Kind = yaml.MappingNode
-		for i := range val {
-			childNode, err := json2yaml(&val[i].Value)
-			if err != nil {
-				return nil, err
-			}
-			n.Content = append(n.Content, &yaml.Node{
-				Kind:  yaml.ScalarNode,
-				Tag:   yamlStringScalar,
-				Value: val[i].Key,
-			}, childNode)
-		}
-		return &n, nil
-	case map[string]interface{}:
-		var n yaml.Node
-		n.Kind = yaml.MappingNode
-		keys := make([]string, 0, len(val))
-		for k := range val {
-			keys = append(keys, k)
-		}
-		sort.Strings(keys)
-
-		for _, k := range keys {
-			v := val[k]
-			childNode, err := json2yaml(v)
-			if err != nil {
-				return nil, err
-			}
-			n.Content = append(n.Content, &yaml.Node{
-				Kind:  yaml.ScalarNode,
-				Tag:   yamlStringScalar,
-				Value: k,
-			}, childNode)
-		}
-		return &n, nil
-	case []interface{}:
-		var n yaml.Node
-		n.Kind = yaml.SequenceNode
-		for i := range val {
-			childNode, err := json2yaml(val[i])
-			if err != nil {
-				return nil, err
-			}
-			n.Content = append(n.Content, childNode)
-		}
-		return &n, nil
-	case string:
-		return &yaml.Node{
-			Kind:  yaml.ScalarNode,
-			Tag:   yamlStringScalar,
-			Value: val,
-		}, nil
-	case float64:
-		return &yaml.Node{
-			Kind:  yaml.ScalarNode,
-			Tag:   yamlFloatScalar,
-			Value: strconv.FormatFloat(val, 'f', -1, 64),
-		}, nil
-	case int64:
-		return &yaml.Node{
-			Kind:  yaml.ScalarNode,
-			Tag:   yamlIntScalar,
-			Value: strconv.FormatInt(val, 10),
-		}, nil
-	case uint64:
-		return &yaml.Node{
-			Kind:  yaml.ScalarNode,
-			Tag:   yamlIntScalar,
-			Value: strconv.FormatUint(val, 10),
-		}, nil
-	case bool:
-		return &yaml.Node{
-			Kind:  yaml.ScalarNode,
-			Tag:   yamlBoolScalar,
-			Value: strconv.FormatBool(val),
-		}, nil
-	default:
-		return nil, fmt.Errorf("unhandled type: %T: %w", val, ErrYAML)
-	}
-}
-
-// JSONMapItem represents the value of a key in a JSON object held by JSONMapSlice
-type JSONMapItem struct {
-	Key   string
-	Value interface{}
-}
-
-// MarshalJSON renders a JSONMapItem as JSON
-func (s JSONMapItem) MarshalJSON() ([]byte, error) {
-	w := &jwriter.Writer{Flags: jwriter.NilMapAsEmpty | jwriter.NilSliceAsEmpty}
-	s.MarshalEasyJSON(w)
-	return w.BuildBytes()
-}
-
-// MarshalEasyJSON renders a JSONMapItem as JSON, using easyJSON
-func (s JSONMapItem) MarshalEasyJSON(w *jwriter.Writer) {
-	w.String(s.Key)
-	w.RawByte(':')
-	w.Raw(WriteJSON(s.Value))
-}
-
-// UnmarshalJSON makes a JSONMapItem from JSON
-func (s *JSONMapItem) UnmarshalJSON(data []byte) error {
-	l := jlexer.Lexer{Data: data}
-	s.UnmarshalEasyJSON(&l)
-	return l.Error()
-}
-
-// UnmarshalEasyJSON makes a JSONMapItem from JSON, using easyJSON
-func (s *JSONMapItem) UnmarshalEasyJSON(in *jlexer.Lexer) {
-	key := in.UnsafeString()
-	in.WantColon()
-	value := in.Interface()
-	in.WantComma()
-	s.Key = key
-	s.Value = value
-}
-
-func transformData(input interface{}) (out interface{}, err error) {
-	format := func(t interface{}) (string, error) {
-		switch k := t.(type) {
-		case string:
-			return k, nil
-		case uint:
-			return strconv.FormatUint(uint64(k), 10), nil
-		case uint8:
-			return strconv.FormatUint(uint64(k), 10), nil
-		case uint16:
-			return strconv.FormatUint(uint64(k), 10), nil
-		case uint32:
-			return strconv.FormatUint(uint64(k), 10), nil
-		case uint64:
-			return strconv.FormatUint(k, 10), nil
-		case int:
-			return strconv.Itoa(k), nil
-		case int8:
-			return strconv.FormatInt(int64(k), 10), nil
-		case int16:
-			return strconv.FormatInt(int64(k), 10), nil
-		case int32:
-			return strconv.FormatInt(int64(k), 10), nil
-		case int64:
-			return strconv.FormatInt(k, 10), nil
-		default:
-			return "", fmt.Errorf("unexpected map key type, got: %T: %w", k, ErrYAML)
-		}
-	}
-
-	switch in := input.(type) {
-	case yaml.Node:
-		return yamlNode(&in)
-	case *yaml.Node:
-		return yamlNode(in)
-	case map[interface{}]interface{}:
-		o := make(JSONMapSlice, 0, len(in))
-		for ke, va := range in {
-			var nmi JSONMapItem
-			if nmi.Key, err = format(ke); err != nil {
-				return nil, err
-			}
-
-			v, ert := transformData(va)
-			if ert != nil {
-				return nil, ert
-			}
-			nmi.Value = v
-			o = append(o, nmi)
-		}
-		return o, nil
-	case []interface{}:
-		len1 := len(in)
-		o := make([]interface{}, len1)
-		for i := 0; i < len1; i++ {
-			o[i], err = transformData(in[i])
-			if err != nil {
-				return nil, err
-			}
-		}
-		return o, nil
-	}
-	return input, nil
-}
-
-// YAMLDoc loads a yaml document from either http or a file and converts it to json
-func YAMLDoc(path string) (json.RawMessage, error) {
-	yamlDoc, err := YAMLData(path)
-	if err != nil {
-		return nil, err
-	}
-
-	data, err := YAMLToJSON(yamlDoc)
-	if err != nil {
-		return nil, err
-	}
-
-	return data, nil
-}
-
-// YAMLData loads a yaml document from either http or a file
-func YAMLData(path string) (interface{}, error) {
-	data, err := LoadFromFileOrHTTP(path)
-	if err != nil {
-		return nil, err
-	}
-
-	return BytesToYAMLDoc(data)
-}
diff --git a/vendor/github.com/go-openapi/swag/yamlutils/LICENSE b/vendor/github.com/go-openapi/swag/yamlutils/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/yamlutils/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-openapi/swag/yamlutils/doc.go b/vendor/github.com/go-openapi/swag/yamlutils/doc.go
new file mode 100644
index 0000000000..7bb92a82f1
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/yamlutils/doc.go
@@ -0,0 +1,13 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package yamlutils provides utilities to work with YAML documents.
+//
+//   - [BytesToYAMLDoc] to construct a [yaml.Node] document
+//   - [YAMLToJSON] to convert a [yaml.Node] document to JSON bytes
+//   - [YAMLMapSlice] to serialize and deserialize YAML with the order of keys maintained
+package yamlutils
+
+import (
+	_ "go.yaml.in/yaml/v3" // for documentation purpose only
+)
diff --git a/vendor/github.com/go-openapi/swag/yamlutils/errors.go b/vendor/github.com/go-openapi/swag/yamlutils/errors.go
new file mode 100644
index 0000000000..e87bc5e8be
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/yamlutils/errors.go
@@ -0,0 +1,15 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package yamlutils
+
+type yamlError string
+
+const (
+	// ErrYAML is an error raised by YAML utilities
+	ErrYAML yamlError = "yaml error"
+)
+
+func (e yamlError) Error() string {
+	return string(e)
+}
diff --git a/vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go b/vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go
new file mode 100644
index 0000000000..3daf68dbba
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go
@@ -0,0 +1,316 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package yamlutils
+
+import (
+	"fmt"
+	"iter"
+	"slices"
+	"sort"
+	"strconv"
+
+	"github.com/go-openapi/swag/conv"
+	"github.com/go-openapi/swag/jsonutils"
+	"github.com/go-openapi/swag/jsonutils/adapters/ifaces"
+	"github.com/go-openapi/swag/typeutils"
+	yaml "go.yaml.in/yaml/v3"
+)
+
+var (
+	_ yaml.Marshaler   = YAMLMapSlice{}
+	_ yaml.Unmarshaler = &YAMLMapSlice{}
+)
+
+// YAMLMapSlice represents a YAML object, with the order of keys maintained.
+//
+// It is similar to [jsonutils.JSONMapSlice] and also knows how to marshal and unmarshal YAML.
+//
+// It behaves like an ordered map, but keys can't be accessed in constant time.
+type YAMLMapSlice []YAMLMapItem
+
+// YAMLMapItem represents the value of a key in a YAML object held by [YAMLMapSlice].
+//
+// It is entirely equivalent to [jsonutils.JSONMapItem], with the same limitation that
+// you should not Marshal or Unmarshal directly this type, outside of a [YAMLMapSlice].
+type YAMLMapItem = jsonutils.JSONMapItem
+
+func (s YAMLMapSlice) OrderedItems() iter.Seq2[string, any] {
+	return func(yield func(string, any) bool) {
+		for _, item := range s {
+			if !yield(item.Key, item.Value) {
+				return
+			}
+		}
+	}
+}
+
+// SetOrderedItems implements [ifaces.SetOrdered]: it merges keys passed by the iterator argument
+// into the [YAMLMapSlice].
+func (s *YAMLMapSlice) SetOrderedItems(items iter.Seq2[string, any]) {
+	if items == nil {
+		// force receiver to be a nil slice
+		*s = nil
+
+		return
+	}
+
+	m := *s
+	if len(m) > 0 {
+		// update mode: short-circuited when unmarshaling fresh data structures
+		idx := make(map[string]int, len(m))
+
+		for i, item := range m {
+			idx[item.Key] = i
+		}
+
+		for k, v := range items {
+			idx, ok := idx[k]
+			if ok {
+				m[idx].Value = v
+
+				continue
+			}
+
+			m = append(m, YAMLMapItem{Key: k, Value: v})
+		}
+
+		*s = m
+
+		return
+	}
+
+	for k, v := range items {
+		m = append(m, YAMLMapItem{Key: k, Value: v})
+	}
+
+	*s = m
+}
+
+// MarshalJSON renders this YAML object as JSON bytes.
+//
+// The difference with standard JSON marshaling is that the order of keys is maintained.
+func (s YAMLMapSlice) MarshalJSON() ([]byte, error) {
+	return jsonutils.JSONMapSlice(s).MarshalJSON()
+}
+
+// UnmarshalJSON builds this YAML object from JSON bytes.
+//
+// The difference with standard JSON marshaling is that the order of keys is maintained.
+func (s *YAMLMapSlice) UnmarshalJSON(data []byte) error {
+	js := jsonutils.JSONMapSlice(*s)
+
+	if err := js.UnmarshalJSON(data); err != nil {
+		return err
+	}
+
+	*s = YAMLMapSlice(js)
+
+	return nil
+}
+
+// MarshalYAML produces a YAML document as bytes
+//
+// The difference with standard YAML marshaling is that the order of keys is maintained.
+//
+// It implements [yaml.Marshaler].
+func (s YAMLMapSlice) MarshalYAML() (any, error) {
+	if typeutils.IsNil(s) {
+		return []byte("null\n"), nil
+	}
+	var n yaml.Node
+	n.Kind = yaml.DocumentNode
+	var nodes []*yaml.Node
+
+	for _, item := range s {
+		nn, err := json2yaml(item.Value)
+		if err != nil {
+			return nil, err
+		}
+
+		ns := []*yaml.Node{
+			{
+				Kind:  yaml.ScalarNode,
+				Tag:   yamlStringScalar,
+				Value: item.Key,
+			},
+			nn,
+		}
+		nodes = append(nodes, ns...)
+	}
+
+	n.Content = []*yaml.Node{
+		{
+			Kind:    yaml.MappingNode,
+			Content: nodes,
+		},
+	}
+
+	return yaml.Marshal(&n)
+}
+
+// UnmarshalYAML builds a YAMLMapSlice object from a YAML document [yaml.Node].
+//
+// It implements [yaml.Unmarshaler].
+func (s *YAMLMapSlice) UnmarshalYAML(node *yaml.Node) error {
+	if typeutils.IsNil(*s) {
+		// allow to unmarshal with a simple var declaration (nil slice)
+		*s = YAMLMapSlice{}
+	}
+	if node == nil {
+		*s = nil
+		return nil
+	}
+
+	const sensibleAllocDivider = 2
+	m := slices.Grow(*s, len(node.Content)/sensibleAllocDivider)
+	m = m[:0]
+
+	for i := 0; i < len(node.Content); i += 2 {
+		var nmi YAMLMapItem
+		k, err := yamlStringScalarC(node.Content[i])
+		if err != nil {
+			return fmt.Errorf("unable to decode YAML map key: %w: %w", err, ErrYAML)
+		}
+		nmi.Key = k
+		v, err := yamlNode(node.Content[i+1])
+		if err != nil {
+			return fmt.Errorf("unable to process YAML map value for key %q: %w: %w", k, err, ErrYAML)
+		}
+		nmi.Value = v
+		m = append(m, nmi)
+	}
+
+	*s = m
+
+	return nil
+}
+
+func json2yaml(item any) (*yaml.Node, error) {
+	if typeutils.IsNil(item) {
+		return &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Value: "null",
+		}, nil
+	}
+
+	switch val := item.(type) {
+	case ifaces.Ordered:
+		return orderedYAML(val)
+
+	case map[string]any:
+		var n yaml.Node
+		n.Kind = yaml.MappingNode
+		keys := make([]string, 0, len(val))
+		for k := range val {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			v := val[k]
+			childNode, err := json2yaml(v)
+			if err != nil {
+				return nil, err
+			}
+			n.Content = append(n.Content, &yaml.Node{
+				Kind:  yaml.ScalarNode,
+				Tag:   yamlStringScalar,
+				Value: k,
+			}, childNode)
+		}
+		return &n, nil
+
+	case []any:
+		var n yaml.Node
+		n.Kind = yaml.SequenceNode
+		for i := range val {
+			childNode, err := json2yaml(val[i])
+			if err != nil {
+				return nil, err
+			}
+			n.Content = append(n.Content, childNode)
+		}
+		return &n, nil
+	case string:
+		return &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Tag:   yamlStringScalar,
+			Value: val,
+		}, nil
+	case float32:
+		return floatNode(val)
+	case float64:
+		return floatNode(val)
+	case int:
+		return integerNode(val)
+	case int8:
+		return integerNode(val)
+	case int16:
+		return integerNode(val)
+	case int32:
+		return integerNode(val)
+	case int64:
+		return integerNode(val)
+	case uint:
+		return uintegerNode(val)
+	case uint8:
+		return uintegerNode(val)
+	case uint16:
+		return uintegerNode(val)
+	case uint32:
+		return uintegerNode(val)
+	case uint64:
+		return uintegerNode(val)
+	case bool:
+		return &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Tag:   yamlBoolScalar,
+			Value: strconv.FormatBool(val),
+		}, nil
+	default:
+		return nil, fmt.Errorf("unhandled type: %T: %w", val, ErrYAML)
+	}
+}
+
+func floatNode[T conv.Float](val T) (*yaml.Node, error) {
+	return &yaml.Node{
+		Kind:  yaml.ScalarNode,
+		Tag:   yamlFloatScalar,
+		Value: conv.FormatFloat(val),
+	}, nil
+}
+
+func integerNode[T conv.Signed](val T) (*yaml.Node, error) {
+	return &yaml.Node{
+		Kind:  yaml.ScalarNode,
+		Tag:   yamlIntScalar,
+		Value: conv.FormatInteger(val),
+	}, nil
+}
+
+func uintegerNode[T conv.Unsigned](val T) (*yaml.Node, error) {
+	return &yaml.Node{
+		Kind:  yaml.ScalarNode,
+		Tag:   yamlIntScalar,
+		Value: conv.FormatUinteger(val),
+	}, nil
+}
+
+func orderedYAML[T ifaces.Ordered](val T) (*yaml.Node, error) {
+	var n yaml.Node
+	n.Kind = yaml.MappingNode
+	for key, value := range val.OrderedItems() {
+		childNode, err := json2yaml(value)
+		if err != nil {
+			return nil, err
+		}
+
+		n.Content = append(n.Content, &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Tag:   yamlStringScalar,
+			Value: key,
+		}, childNode)
+	}
+	return &n, nil
+}
diff --git a/vendor/github.com/go-openapi/swag/yamlutils/yaml.go b/vendor/github.com/go-openapi/swag/yamlutils/yaml.go
new file mode 100644
index 0000000000..e3aff3c2fd
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/yamlutils/yaml.go
@@ -0,0 +1,211 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package yamlutils
+
+import (
+	json "encoding/json"
+	"fmt"
+	"strconv"
+
+	"github.com/go-openapi/swag/jsonutils"
+	yaml "go.yaml.in/yaml/v3"
+)
+
+// YAMLToJSON converts a YAML document into JSON bytes.
+//
+// Note: a YAML document is the output from a [yaml.Marshaler], e.g a pointer to a [yaml.Node].
+//
+// [YAMLToJSON] is typically called after [BytesToYAMLDoc].
+func YAMLToJSON(value any) (json.RawMessage, error) {
+	jm, err := transformData(value)
+	if err != nil {
+		return nil, err
+	}
+
+	b, err := jsonutils.WriteJSON(jm)
+
+	return json.RawMessage(b), err
+}
+
+// BytesToYAMLDoc converts a byte slice into a YAML document.
+//
+// This function only supports root documents that are objects.
+//
+// A YAML document is a pointer to a [yaml.Node].
+func BytesToYAMLDoc(data []byte) (any, error) {
+	var document yaml.Node // preserve order that is present in the document
+	if err := yaml.Unmarshal(data, &document); err != nil {
+		return nil, err
+	}
+	if document.Kind != yaml.DocumentNode || len(document.Content) != 1 || document.Content[0].Kind != yaml.MappingNode {
+		return nil, fmt.Errorf("only YAML documents that are objects are supported: %w", ErrYAML)
+	}
+	return &document, nil
+}
+
+func yamlNode(root *yaml.Node) (any, error) {
+	switch root.Kind {
+	case yaml.DocumentNode:
+		return yamlDocument(root)
+	case yaml.SequenceNode:
+		return yamlSequence(root)
+	case yaml.MappingNode:
+		return yamlMapping(root)
+	case yaml.ScalarNode:
+		return yamlScalar(root)
+	case yaml.AliasNode:
+		return yamlNode(root.Alias)
+	default:
+		return nil, fmt.Errorf("unsupported YAML node type: %v: %w", root.Kind, ErrYAML)
+	}
+}
+
+func yamlDocument(node *yaml.Node) (any, error) {
+	if len(node.Content) != 1 {
+		return nil, fmt.Errorf("unexpected YAML Document node content length: %d: %w", len(node.Content), ErrYAML)
+	}
+	return yamlNode(node.Content[0])
+}
+
+func yamlMapping(node *yaml.Node) (any, error) {
+	const sensibleAllocDivider = 2 // nodes concatenate (key,value) sequences
+	m := make(YAMLMapSlice, len(node.Content)/sensibleAllocDivider)
+
+	if err := m.UnmarshalYAML(node); err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+func yamlSequence(node *yaml.Node) (any, error) {
+	s := make([]any, 0)
+
+	for i := range len(node.Content) {
+		v, err := yamlNode(node.Content[i])
+		if err != nil {
+			return nil, fmt.Errorf("unable to decode YAML sequence value: %w: %w", err, ErrYAML)
+		}
+		s = append(s, v)
+	}
+	return s, nil
+}
+
+const ( // See https://yaml.org/type/
+	yamlStringScalar = "tag:yaml.org,2002:str"
+	yamlIntScalar    = "tag:yaml.org,2002:int"
+	yamlBoolScalar   = "tag:yaml.org,2002:bool"
+	yamlFloatScalar  = "tag:yaml.org,2002:float"
+	yamlTimestamp    = "tag:yaml.org,2002:timestamp"
+	yamlNull         = "tag:yaml.org,2002:null"
+)
+
+func yamlScalar(node *yaml.Node) (any, error) {
+	switch node.LongTag() {
+	case yamlStringScalar:
+		return node.Value, nil
+	case yamlBoolScalar:
+		b, err := strconv.ParseBool(node.Value)
+		if err != nil {
+			return nil, fmt.Errorf("unable to process scalar node. Got %q. Expecting bool content: %w: %w", node.Value, err, ErrYAML)
+		}
+		return b, nil
+	case yamlIntScalar:
+		i, err := strconv.ParseInt(node.Value, 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("unable to process scalar node. Got %q. Expecting integer content: %w: %w", node.Value, err, ErrYAML)
+		}
+		return i, nil
+	case yamlFloatScalar:
+		f, err := strconv.ParseFloat(node.Value, 64)
+		if err != nil {
+			return nil, fmt.Errorf("unable to process scalar node. Got %q. Expecting float content: %w: %w", node.Value, err, ErrYAML)
+		}
+		return f, nil
+	case yamlTimestamp:
+		// YAML timestamp is marshaled as string, not time
+		return node.Value, nil
+	case yamlNull:
+		return nil, nil //nolint:nilnil
+	default:
+		return nil, fmt.Errorf("YAML tag %q is not supported: %w", node.LongTag(), ErrYAML)
+	}
+}
+
+func yamlStringScalarC(node *yaml.Node) (string, error) {
+	if node.Kind != yaml.ScalarNode {
+		return "", fmt.Errorf("expecting a string scalar but got %q: %w", node.Kind, ErrYAML)
+	}
+	switch node.LongTag() {
+	case yamlStringScalar, yamlIntScalar, yamlFloatScalar:
+		return node.Value, nil
+	default:
+		return "", fmt.Errorf("YAML tag %q is not supported as map key: %w", node.LongTag(), ErrYAML)
+	}
+}
+
+func format(t any) (string, error) {
+	switch k := t.(type) {
+	case string:
+		return k, nil
+	case uint:
+		return strconv.FormatUint(uint64(k), 10), nil
+	case uint8:
+		return strconv.FormatUint(uint64(k), 10), nil
+	case uint16:
+		return strconv.FormatUint(uint64(k), 10), nil
+	case uint32:
+		return strconv.FormatUint(uint64(k), 10), nil
+	case uint64:
+		return strconv.FormatUint(k, 10), nil
+	case int:
+		return strconv.Itoa(k), nil
+	case int8:
+		return strconv.FormatInt(int64(k), 10), nil
+	case int16:
+		return strconv.FormatInt(int64(k), 10), nil
+	case int32:
+		return strconv.FormatInt(int64(k), 10), nil
+	case int64:
+		return strconv.FormatInt(k, 10), nil
+	default:
+		return "", fmt.Errorf("unexpected map key type, got: %T: %w", k, ErrYAML)
+	}
+}
+
+func transformData(input any) (out any, err error) {
+	switch in := input.(type) {
+	case yaml.Node:
+		return yamlNode(&in)
+	case *yaml.Node:
+		return yamlNode(in)
+	case map[any]any:
+		o := make(YAMLMapSlice, 0, len(in))
+		for ke, va := range in {
+			var nmi YAMLMapItem
+			if nmi.Key, err = format(ke); err != nil {
+				return nil, err
+			}
+
+			v, ert := transformData(va)
+			if ert != nil {
+				return nil, ert
+			}
+			nmi.Value = v
+			o = append(o, nmi)
+		}
+		return o, nil
+	case []any:
+		len1 := len(in)
+		o := make([]any, len1)
+		for i := range len1 {
+			o[i], err = transformData(in[i])
+			if err != nil {
+				return nil, err
+			}
+		}
+		return o, nil
+	}
+	return input, nil
+}
diff --git a/vendor/github.com/go-openapi/swag/yamlutils_iface.go b/vendor/github.com/go-openapi/swag/yamlutils_iface.go
new file mode 100644
index 0000000000..57767efc56
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/yamlutils_iface.go
@@ -0,0 +1,20 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package swag
+
+import (
+	"encoding/json"
+
+	"github.com/go-openapi/swag/yamlutils"
+)
+
+// YAMLToJSON converts YAML unmarshaled data into json compatible data
+//
+// Deprecated: use [yamlutils.YAMLToJSON] instead.
+func YAMLToJSON(data any) (json.RawMessage, error) { return yamlutils.YAMLToJSON(data) }
+
+// BytesToYAMLDoc converts a byte slice into a YAML document
+//
+// Deprecated: use [yamlutils.BytesToYAMLDoc] instead.
+func BytesToYAMLDoc(data []byte) (any, error) { return yamlutils.BytesToYAMLDoc(data) }
diff --git a/vendor/github.com/gobwas/glob/.gitignore b/vendor/github.com/gobwas/glob/.gitignore
new file mode 100644
index 0000000000..b4ae623be5
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/.gitignore
@@ -0,0 +1,8 @@
+glob.iml
+.idea
+*.cpu
+*.mem
+*.test
+*.dot
+*.png
+*.svg
diff --git a/vendor/github.com/gobwas/glob/.travis.yml b/vendor/github.com/gobwas/glob/.travis.yml
new file mode 100644
index 0000000000..e8a276826c
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/.travis.yml
@@ -0,0 +1,9 @@
+sudo: false
+
+language: go
+
+go:
+  - 1.5.3
+
+script:
+  - go test -v ./...
diff --git a/vendor/github.com/gobwas/glob/LICENSE b/vendor/github.com/gobwas/glob/LICENSE
new file mode 100644
index 0000000000..9d4735cad9
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Sergey Kamardin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/vendor/github.com/gobwas/glob/bench.sh b/vendor/github.com/gobwas/glob/bench.sh
new file mode 100644
index 0000000000..804cf22e64
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/bench.sh
@@ -0,0 +1,26 @@
+#! /bin/bash
+
+bench() {
+    filename="/tmp/$1-$2.bench"
+    if test -e "${filename}";
+    then
+        echo "Already exists ${filename}"
+    else
+        backup=`git rev-parse --abbrev-ref HEAD`
+        git checkout $1
+        echo -n "Creating ${filename}... "
+        go test ./... -run=NONE -bench=$2 > "${filename}" -benchmem
+        echo "OK"
+        git checkout ${backup}
+        sleep 5
+    fi
+}
+
+
+to=$1
+current=`git rev-parse --abbrev-ref HEAD`
+
+bench ${to} $2
+bench ${current} $2
+
+benchcmp $3 "/tmp/${to}-$2.bench" "/tmp/${current}-$2.bench"
diff --git a/vendor/github.com/gobwas/glob/compiler/compiler.go b/vendor/github.com/gobwas/glob/compiler/compiler.go
new file mode 100644
index 0000000000..02e7de80a0
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/compiler/compiler.go
@@ -0,0 +1,525 @@
+package compiler
+
+// TODO use constructor with all matchers, and to their structs private
+// TODO glue multiple Text nodes (like after QuoteMeta)
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/gobwas/glob/match"
+	"github.com/gobwas/glob/syntax/ast"
+	"github.com/gobwas/glob/util/runes"
+)
+
+func optimizeMatcher(matcher match.Matcher) match.Matcher {
+	switch m := matcher.(type) {
+
+	case match.Any:
+		if len(m.Separators) == 0 {
+			return match.NewSuper()
+		}
+
+	case match.AnyOf:
+		if len(m.Matchers) == 1 {
+			return m.Matchers[0]
+		}
+
+		return m
+
+	case match.List:
+		if m.Not == false && len(m.List) == 1 {
+			return match.NewText(string(m.List))
+		}
+
+		return m
+
+	case match.BTree:
+		m.Left = optimizeMatcher(m.Left)
+		m.Right = optimizeMatcher(m.Right)
+
+		r, ok := m.Value.(match.Text)
+		if !ok {
+			return m
+		}
+
+		var (
+			leftNil  = m.Left == nil
+			rightNil = m.Right == nil
+		)
+		if leftNil && rightNil {
+			return match.NewText(r.Str)
+		}
+
+		_, leftSuper := m.Left.(match.Super)
+		lp, leftPrefix := m.Left.(match.Prefix)
+		la, leftAny := m.Left.(match.Any)
+
+		_, rightSuper := m.Right.(match.Super)
+		rs, rightSuffix := m.Right.(match.Suffix)
+		ra, rightAny := m.Right.(match.Any)
+
+		switch {
+		case leftSuper && rightSuper:
+			return match.NewContains(r.Str, false)
+
+		case leftSuper && rightNil:
+			return match.NewSuffix(r.Str)
+
+		case rightSuper && leftNil:
+			return match.NewPrefix(r.Str)
+
+		case leftNil && rightSuffix:
+			return match.NewPrefixSuffix(r.Str, rs.Suffix)
+
+		case rightNil && leftPrefix:
+			return match.NewPrefixSuffix(lp.Prefix, r.Str)
+
+		case rightNil && leftAny:
+			return match.NewSuffixAny(r.Str, la.Separators)
+
+		case leftNil && rightAny:
+			return match.NewPrefixAny(r.Str, ra.Separators)
+		}
+
+		return m
+	}
+
+	return matcher
+}
+
+func compileMatchers(matchers []match.Matcher) (match.Matcher, error) {
+	if len(matchers) == 0 {
+		return nil, fmt.Errorf("compile error: need at least one matcher")
+	}
+	if len(matchers) == 1 {
+		return matchers[0], nil
+	}
+	if m := glueMatchers(matchers); m != nil {
+		return m, nil
+	}
+
+	idx := -1
+	maxLen := -1
+	var val match.Matcher
+	for i, matcher := range matchers {
+		if l := matcher.Len(); l != -1 && l >= maxLen {
+			maxLen = l
+			idx = i
+			val = matcher
+		}
+	}
+
+	if val == nil { // not found matcher with static length
+		r, err := compileMatchers(matchers[1:])
+		if err != nil {
+			return nil, err
+		}
+		return match.NewBTree(matchers[0], nil, r), nil
+	}
+
+	left := matchers[:idx]
+	var right []match.Matcher
+	if len(matchers) > idx+1 {
+		right = matchers[idx+1:]
+	}
+
+	var l, r match.Matcher
+	var err error
+	if len(left) > 0 {
+		l, err = compileMatchers(left)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if len(right) > 0 {
+		r, err = compileMatchers(right)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return match.NewBTree(val, l, r), nil
+}
+
+func glueMatchers(matchers []match.Matcher) match.Matcher {
+	if m := glueMatchersAsEvery(matchers); m != nil {
+		return m
+	}
+	if m := glueMatchersAsRow(matchers); m != nil {
+		return m
+	}
+	return nil
+}
+
+func glueMatchersAsRow(matchers []match.Matcher) match.Matcher {
+	if len(matchers) <= 1 {
+		return nil
+	}
+
+	var (
+		c []match.Matcher
+		l int
+	)
+	for _, matcher := range matchers {
+		if ml := matcher.Len(); ml == -1 {
+			return nil
+		} else {
+			c = append(c, matcher)
+			l += ml
+		}
+	}
+	return match.NewRow(l, c...)
+}
+
+func glueMatchersAsEvery(matchers []match.Matcher) match.Matcher {
+	if len(matchers) <= 1 {
+		return nil
+	}
+
+	var (
+		hasAny    bool
+		hasSuper  bool
+		hasSingle bool
+		min       int
+		separator []rune
+	)
+
+	for i, matcher := range matchers {
+		var sep []rune
+
+		switch m := matcher.(type) {
+		case match.Super:
+			sep = []rune{}
+			hasSuper = true
+
+		case match.Any:
+			sep = m.Separators
+			hasAny = true
+
+		case match.Single:
+			sep = m.Separators
+			hasSingle = true
+			min++
+
+		case match.List:
+			if !m.Not {
+				return nil
+			}
+			sep = m.List
+			hasSingle = true
+			min++
+
+		default:
+			return nil
+		}
+
+		// initialize
+		if i == 0 {
+			separator = sep
+		}
+
+		if runes.Equal(sep, separator) {
+			continue
+		}
+
+		return nil
+	}
+
+	if hasSuper && !hasAny && !hasSingle {
+		return match.NewSuper()
+	}
+
+	if hasAny && !hasSuper && !hasSingle {
+		return match.NewAny(separator)
+	}
+
+	if (hasAny || hasSuper) && min > 0 && len(separator) == 0 {
+		return match.NewMin(min)
+	}
+
+	every := match.NewEveryOf()
+
+	if min > 0 {
+		every.Add(match.NewMin(min))
+
+		if !hasAny && !hasSuper {
+			every.Add(match.NewMax(min))
+		}
+	}
+
+	if len(separator) > 0 {
+		every.Add(match.NewContains(string(separator), true))
+	}
+
+	return every
+}
+
+func minimizeMatchers(matchers []match.Matcher) []match.Matcher {
+	var done match.Matcher
+	var left, right, count int
+
+	for l := 0; l < len(matchers); l++ {
+		for r := len(matchers); r > l; r-- {
+			if glued := glueMatchers(matchers[l:r]); glued != nil {
+				var swap bool
+
+				if done == nil {
+					swap = true
+				} else {
+					cl, gl := done.Len(), glued.Len()
+					swap = cl > -1 && gl > -1 && gl > cl
+					swap = swap || count < r-l
+				}
+
+				if swap {
+					done = glued
+					left = l
+					right = r
+					count = r - l
+				}
+			}
+		}
+	}
+
+	if done == nil {
+		return matchers
+	}
+
+	next := append(append([]match.Matcher{}, matchers[:left]...), done)
+	if right < len(matchers) {
+		next = append(next, matchers[right:]...)
+	}
+
+	if len(next) == len(matchers) {
+		return next
+	}
+
+	return minimizeMatchers(next)
+}
+
+// minimizeAnyOf tries to apply some heuristics to minimize number of nodes in given tree
+func minimizeTree(tree *ast.Node) *ast.Node {
+	switch tree.Kind {
+	case ast.KindAnyOf:
+		return minimizeTreeAnyOf(tree)
+	default:
+		return nil
+	}
+}
+
+// minimizeAnyOf tries to find common children of given node of AnyOf pattern
+// it searches for common children from left and from right
+// if any common children are found – then it returns new optimized ast tree
+// else it returns nil
+func minimizeTreeAnyOf(tree *ast.Node) *ast.Node {
+	if !areOfSameKind(tree.Children, ast.KindPattern) {
+		return nil
+	}
+
+	commonLeft, commonRight := commonChildren(tree.Children)
+	commonLeftCount, commonRightCount := len(commonLeft), len(commonRight)
+	if commonLeftCount == 0 && commonRightCount == 0 { // there are no common parts
+		return nil
+	}
+
+	var result []*ast.Node
+	if commonLeftCount > 0 {
+		result = append(result, ast.NewNode(ast.KindPattern, nil, commonLeft...))
+	}
+
+	var anyOf []*ast.Node
+	for _, child := range tree.Children {
+		reuse := child.Children[commonLeftCount : len(child.Children)-commonRightCount]
+		var node *ast.Node
+		if len(reuse) == 0 {
+			// this pattern is completely reduced by commonLeft and commonRight patterns
+			// so it become nothing
+			node = ast.NewNode(ast.KindNothing, nil)
+		} else {
+			node = ast.NewNode(ast.KindPattern, nil, reuse...)
+		}
+		anyOf = appendIfUnique(anyOf, node)
+	}
+	switch {
+	case len(anyOf) == 1 && anyOf[0].Kind != ast.KindNothing:
+		result = append(result, anyOf[0])
+	case len(anyOf) > 1:
+		result = append(result, ast.NewNode(ast.KindAnyOf, nil, anyOf...))
+	}
+
+	if commonRightCount > 0 {
+		result = append(result, ast.NewNode(ast.KindPattern, nil, commonRight...))
+	}
+
+	return ast.NewNode(ast.KindPattern, nil, result...)
+}
+
+func commonChildren(nodes []*ast.Node) (commonLeft, commonRight []*ast.Node) {
+	if len(nodes) <= 1 {
+		return
+	}
+
+	// find node that has least number of children
+	idx := leastChildren(nodes)
+	if idx == -1 {
+		return
+	}
+	tree := nodes[idx]
+	treeLength := len(tree.Children)
+
+	// allocate max able size for rightCommon slice
+	// to get ability insert elements in reverse order (from end to start)
+	// without sorting
+	commonRight = make([]*ast.Node, treeLength)
+	lastRight := treeLength // will use this to get results as commonRight[lastRight:]
+
+	var (
+		breakLeft   bool
+		breakRight  bool
+		commonTotal int
+	)
+	for i, j := 0, treeLength-1; commonTotal < treeLength && j >= 0 && !(breakLeft && breakRight); i, j = i+1, j-1 {
+		treeLeft := tree.Children[i]
+		treeRight := tree.Children[j]
+
+		for k := 0; k < len(nodes) && !(breakLeft && breakRight); k++ {
+			// skip least children node
+			if k == idx {
+				continue
+			}
+
+			restLeft := nodes[k].Children[i]
+			restRight := nodes[k].Children[j+len(nodes[k].Children)-treeLength]
+
+			breakLeft = breakLeft || !treeLeft.Equal(restLeft)
+
+			// disable searching for right common parts, if left part is already overlapping
+			breakRight = breakRight || (!breakLeft && j <= i)
+			breakRight = breakRight || !treeRight.Equal(restRight)
+		}
+
+		if !breakLeft {
+			commonTotal++
+			commonLeft = append(commonLeft, treeLeft)
+		}
+		if !breakRight {
+			commonTotal++
+			lastRight = j
+			commonRight[j] = treeRight
+		}
+	}
+
+	commonRight = commonRight[lastRight:]
+
+	return
+}
+
+func appendIfUnique(target []*ast.Node, val *ast.Node) []*ast.Node {
+	for _, n := range target {
+		if reflect.DeepEqual(n, val) {
+			return target
+		}
+	}
+	return append(target, val)
+}
+
+func areOfSameKind(nodes []*ast.Node, kind ast.Kind) bool {
+	for _, n := range nodes {
+		if n.Kind != kind {
+			return false
+		}
+	}
+	return true
+}
+
+func leastChildren(nodes []*ast.Node) int {
+	min := -1
+	idx := -1
+	for i, n := range nodes {
+		if idx == -1 || (len(n.Children) < min) {
+			min = len(n.Children)
+			idx = i
+		}
+	}
+	return idx
+}
+
+func compileTreeChildren(tree *ast.Node, sep []rune) ([]match.Matcher, error) {
+	var matchers []match.Matcher
+	for _, desc := range tree.Children {
+		m, err := compile(desc, sep)
+		if err != nil {
+			return nil, err
+		}
+		matchers = append(matchers, optimizeMatcher(m))
+	}
+	return matchers, nil
+}
+
+func compile(tree *ast.Node, sep []rune) (m match.Matcher, err error) {
+	switch tree.Kind {
+	case ast.KindAnyOf:
+		// todo this could be faster on pattern_alternatives_combine_lite (see glob_test.go)
+		if n := minimizeTree(tree); n != nil {
+			return compile(n, sep)
+		}
+		matchers, err := compileTreeChildren(tree, sep)
+		if err != nil {
+			return nil, err
+		}
+		return match.NewAnyOf(matchers...), nil
+
+	case ast.KindPattern:
+		if len(tree.Children) == 0 {
+			return match.NewNothing(), nil
+		}
+		matchers, err := compileTreeChildren(tree, sep)
+		if err != nil {
+			return nil, err
+		}
+		m, err = compileMatchers(minimizeMatchers(matchers))
+		if err != nil {
+			return nil, err
+		}
+
+	case ast.KindAny:
+		m = match.NewAny(sep)
+
+	case ast.KindSuper:
+		m = match.NewSuper()
+
+	case ast.KindSingle:
+		m = match.NewSingle(sep)
+
+	case ast.KindNothing:
+		m = match.NewNothing()
+
+	case ast.KindList:
+		l := tree.Value.(ast.List)
+		m = match.NewList([]rune(l.Chars), l.Not)
+
+	case ast.KindRange:
+		r := tree.Value.(ast.Range)
+		m = match.NewRange(r.Lo, r.Hi, r.Not)
+
+	case ast.KindText:
+		t := tree.Value.(ast.Text)
+		m = match.NewText(t.Text)
+
+	default:
+		return nil, fmt.Errorf("could not compile tree: unknown node type")
+	}
+
+	return optimizeMatcher(m), nil
+}
+
+func Compile(tree *ast.Node, sep []rune) (match.Matcher, error) {
+	m, err := compile(tree, sep)
+	if err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
diff --git a/vendor/github.com/gobwas/glob/glob.go b/vendor/github.com/gobwas/glob/glob.go
new file mode 100644
index 0000000000..2afde343af
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/glob.go
@@ -0,0 +1,80 @@
+package glob
+
+import (
+	"github.com/gobwas/glob/compiler"
+	"github.com/gobwas/glob/syntax"
+)
+
+// Glob represents compiled glob pattern.
+type Glob interface {
+	Match(string) bool
+}
+
+// Compile creates Glob for given pattern and strings (if any present after pattern) as separators.
+// The pattern syntax is:
+//
+//    pattern:
+//        { term }
+//
+//    term:
+//        `*`         matches any sequence of non-separator characters
+//        `**`        matches any sequence of characters
+//        `?`         matches any single non-separator character
+//        `[` [ `!` ] { character-range } `]`
+//                    character class (must be non-empty)
+//        `{` pattern-list `}`
+//                    pattern alternatives
+//        c           matches character c (c != `*`, `**`, `?`, `\`, `[`, `{`, `}`)
+//        `\` c       matches character c
+//
+//    character-range:
+//        c           matches character c (c != `\\`, `-`, `]`)
+//        `\` c       matches character c
+//        lo `-` hi   matches character c for lo <= c <= hi
+//
+//    pattern-list:
+//        pattern { `,` pattern }
+//                    comma-separated (without spaces) patterns
+//
+func Compile(pattern string, separators ...rune) (Glob, error) {
+	ast, err := syntax.Parse(pattern)
+	if err != nil {
+		return nil, err
+	}
+
+	matcher, err := compiler.Compile(ast, separators)
+	if err != nil {
+		return nil, err
+	}
+
+	return matcher, nil
+}
+
+// MustCompile is the same as Compile, except that if Compile returns error, this will panic
+func MustCompile(pattern string, separators ...rune) Glob {
+	g, err := Compile(pattern, separators...)
+	if err != nil {
+		panic(err)
+	}
+
+	return g
+}
+
+// QuoteMeta returns a string that quotes all glob pattern meta characters
+// inside the argument text; For example, QuoteMeta(`{foo*}`) returns `\[foo\*\]`.
+func QuoteMeta(s string) string {
+	b := make([]byte, 2*len(s))
+
+	// a byte loop is correct because all meta characters are ASCII
+	j := 0
+	for i := 0; i < len(s); i++ {
+		if syntax.Special(s[i]) {
+			b[j] = '\\'
+			j++
+		}
+		b[j] = s[i]
+		j++
+	}
+
+	return string(b[0:j])
+}
diff --git a/vendor/github.com/gobwas/glob/match/any.go b/vendor/github.com/gobwas/glob/match/any.go
new file mode 100644
index 0000000000..514a9a5c45
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/any.go
@@ -0,0 +1,45 @@
+package match
+
+import (
+	"fmt"
+	"github.com/gobwas/glob/util/strings"
+)
+
+type Any struct {
+	Separators []rune
+}
+
+func NewAny(s []rune) Any {
+	return Any{s}
+}
+
+func (self Any) Match(s string) bool {
+	return strings.IndexAnyRunes(s, self.Separators) == -1
+}
+
+func (self Any) Index(s string) (int, []int) {
+	found := strings.IndexAnyRunes(s, self.Separators)
+	switch found {
+	case -1:
+	case 0:
+		return 0, segments0
+	default:
+		s = s[:found]
+	}
+
+	segments := acquireSegments(len(s))
+	for i := range s {
+		segments = append(segments, i)
+	}
+	segments = append(segments, len(s))
+
+	return 0, segments
+}
+
+func (self Any) Len() int {
+	return lenNo
+}
+
+func (self Any) String() string {
+	return fmt.Sprintf("<any:![%s]>", string(self.Separators))
+}
diff --git a/vendor/github.com/gobwas/glob/match/any_of.go b/vendor/github.com/gobwas/glob/match/any_of.go
new file mode 100644
index 0000000000..8e65356cdc
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/any_of.go
@@ -0,0 +1,82 @@
+package match
+
+import "fmt"
+
+type AnyOf struct {
+	Matchers Matchers
+}
+
+func NewAnyOf(m ...Matcher) AnyOf {
+	return AnyOf{Matchers(m)}
+}
+
+func (self *AnyOf) Add(m Matcher) error {
+	self.Matchers = append(self.Matchers, m)
+	return nil
+}
+
+func (self AnyOf) Match(s string) bool {
+	for _, m := range self.Matchers {
+		if m.Match(s) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (self AnyOf) Index(s string) (int, []int) {
+	index := -1
+
+	segments := acquireSegments(len(s))
+	for _, m := range self.Matchers {
+		idx, seg := m.Index(s)
+		if idx == -1 {
+			continue
+		}
+
+		if index == -1 || idx < index {
+			index = idx
+			segments = append(segments[:0], seg...)
+			continue
+		}
+
+		if idx > index {
+			continue
+		}
+
+		// here idx == index
+		segments = appendMerge(segments, seg)
+	}
+
+	if index == -1 {
+		releaseSegments(segments)
+		return -1, nil
+	}
+
+	return index, segments
+}
+
+func (self AnyOf) Len() (l int) {
+	l = -1
+	for _, m := range self.Matchers {
+		ml := m.Len()
+		switch {
+		case l == -1:
+			l = ml
+			continue
+
+		case ml == -1:
+			return -1
+
+		case l != ml:
+			return -1
+		}
+	}
+
+	return
+}
+
+func (self AnyOf) String() string {
+	return fmt.Sprintf("<any_of:[%s]>", self.Matchers)
+}
diff --git a/vendor/github.com/gobwas/glob/match/btree.go b/vendor/github.com/gobwas/glob/match/btree.go
new file mode 100644
index 0000000000..a8130e93ea
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/btree.go
@@ -0,0 +1,146 @@
+package match
+
+import (
+	"fmt"
+	"unicode/utf8"
+)
+
+type BTree struct {
+	Value            Matcher
+	Left             Matcher
+	Right            Matcher
+	ValueLengthRunes int
+	LeftLengthRunes  int
+	RightLengthRunes int
+	LengthRunes      int
+}
+
+func NewBTree(Value, Left, Right Matcher) (tree BTree) {
+	tree.Value = Value
+	tree.Left = Left
+	tree.Right = Right
+
+	lenOk := true
+	if tree.ValueLengthRunes = Value.Len(); tree.ValueLengthRunes == -1 {
+		lenOk = false
+	}
+
+	if Left != nil {
+		if tree.LeftLengthRunes = Left.Len(); tree.LeftLengthRunes == -1 {
+			lenOk = false
+		}
+	}
+
+	if Right != nil {
+		if tree.RightLengthRunes = Right.Len(); tree.RightLengthRunes == -1 {
+			lenOk = false
+		}
+	}
+
+	if lenOk {
+		tree.LengthRunes = tree.LeftLengthRunes + tree.ValueLengthRunes + tree.RightLengthRunes
+	} else {
+		tree.LengthRunes = -1
+	}
+
+	return tree
+}
+
+func (self BTree) Len() int {
+	return self.LengthRunes
+}
+
+// todo?
+func (self BTree) Index(s string) (int, []int) {
+	return -1, nil
+}
+
+func (self BTree) Match(s string) bool {
+	inputLen := len(s)
+
+	// self.Length, self.RLen and self.LLen are values meaning the length of runes for each part
+	// here we manipulating byte length for better optimizations
+	// but these checks still works, cause minLen of 1-rune string is 1 byte.
+	if self.LengthRunes != -1 && self.LengthRunes > inputLen {
+		return false
+	}
+
+	// try to cut unnecessary parts
+	// by knowledge of length of right and left part
+	var offset, limit int
+	if self.LeftLengthRunes >= 0 {
+		offset = self.LeftLengthRunes
+	}
+	if self.RightLengthRunes >= 0 {
+		limit = inputLen - self.RightLengthRunes
+	} else {
+		limit = inputLen
+	}
+
+	for offset < limit {
+		// search for matching part in substring
+		index, segments := self.Value.Index(s[offset:limit])
+		if index == -1 {
+			releaseSegments(segments)
+			return false
+		}
+
+		l := s[:offset+index]
+		var left bool
+		if self.Left != nil {
+			left = self.Left.Match(l)
+		} else {
+			left = l == ""
+		}
+
+		if left {
+			for i := len(segments) - 1; i >= 0; i-- {
+				length := segments[i]
+
+				var right bool
+				var r string
+				// if there is no string for the right branch
+				if inputLen <= offset+index+length {
+					r = ""
+				} else {
+					r = s[offset+index+length:]
+				}
+
+				if self.Right != nil {
+					right = self.Right.Match(r)
+				} else {
+					right = r == ""
+				}
+
+				if right {
+					releaseSegments(segments)
+					return true
+				}
+			}
+		}
+
+		_, step := utf8.DecodeRuneInString(s[offset+index:])
+		offset += index + step
+
+		releaseSegments(segments)
+	}
+
+	return false
+}
+
+func (self BTree) String() string {
+	const n string = "<nil>"
+	var l, r string
+	if self.Left == nil {
+		l = n
+	} else {
+		l = self.Left.String()
+	}
+	if self.Right == nil {
+		r = n
+	} else {
+		r = self.Right.String()
+	}
+
+	return fmt.Sprintf("<btree:[%s<-%s->%s]>", l, self.Value, r)
+}
diff --git a/vendor/github.com/gobwas/glob/match/contains.go b/vendor/github.com/gobwas/glob/match/contains.go
new file mode 100644
index 0000000000..0998e95b0e
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/contains.go
@@ -0,0 +1,58 @@
+package match
+
+import (
+	"fmt"
+	"strings"
+)
+
+type Contains struct {
+	Needle string
+	Not    bool
+}
+
+func NewContains(needle string, not bool) Contains {
+	return Contains{needle, not}
+}
+
+func (self Contains) Match(s string) bool {
+	return strings.Contains(s, self.Needle) != self.Not
+}
+
+func (self Contains) Index(s string) (int, []int) {
+	var offset int
+
+	idx := strings.Index(s, self.Needle)
+
+	if !self.Not {
+		if idx == -1 {
+			return -1, nil
+		}
+
+		offset = idx + len(self.Needle)
+		if len(s) <= offset {
+			return 0, []int{offset}
+		}
+		s = s[offset:]
+	} else if idx != -1 {
+		s = s[:idx]
+	}
+
+	segments := acquireSegments(len(s) + 1)
+	for i := range s {
+		segments = append(segments, offset+i)
+	}
+
+	return 0, append(segments, offset+len(s))
+}
+
+func (self Contains) Len() int {
+	return lenNo
+}
+
+func (self Contains) String() string {
+	var not string
+	if self.Not {
+		not = "!"
+	}
+	return fmt.Sprintf("<contains:%s[%s]>", not, self.Needle)
+}
diff --git a/vendor/github.com/gobwas/glob/match/every_of.go b/vendor/github.com/gobwas/glob/match/every_of.go
new file mode 100644
index 0000000000..7c968ee368
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/every_of.go
@@ -0,0 +1,99 @@
+package match
+
+import (
+	"fmt"
+)
+
+type EveryOf struct {
+	Matchers Matchers
+}
+
+func NewEveryOf(m ...Matcher) EveryOf {
+	return EveryOf{Matchers(m)}
+}
+
+func (self *EveryOf) Add(m Matcher) error {
+	self.Matchers = append(self.Matchers, m)
+	return nil
+}
+
+func (self EveryOf) Len() (l int) {
+	for _, m := range self.Matchers {
+		if ml := m.Len(); l > 0 {
+			l += ml
+		} else {
+			return -1
+		}
+	}
+
+	return
+}
+
+func (self EveryOf) Index(s string) (int, []int) {
+	var index int
+	var offset int
+
+	// make `in` with cap as len(s),
+	// cause it is the maximum size of output segments values
+	next := acquireSegments(len(s))
+	current := acquireSegments(len(s))
+
+	sub := s
+	for i, m := range self.Matchers {
+		idx, seg := m.Index(sub)
+		if idx == -1 {
+			releaseSegments(next)
+			releaseSegments(current)
+			return -1, nil
+		}
+
+		if i == 0 {
+			// we use copy here instead of `current = seg`
+			// cause seg is a slice from reusable buffer `in`
+			// and it could be overwritten in next iteration
+			current = append(current, seg...)
+		} else {
+			// clear the next
+			next = next[:0]
+
+			delta := index - (idx + offset)
+			for _, ex := range current {
+				for _, n := range seg {
+					if ex+delta == n {
+						next = append(next, n)
+					}
+				}
+			}
+
+			if len(next) == 0 {
+				releaseSegments(next)
+				releaseSegments(current)
+				return -1, nil
+			}
+
+			current = append(current[:0], next...)
+		}
+
+		index = idx + offset
+		sub = s[index:]
+		offset += idx
+	}
+
+	releaseSegments(next)
+
+	return index, current
+}
+
+func (self EveryOf) Match(s string) bool {
+	for _, m := range self.Matchers {
+		if !m.Match(s) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (self EveryOf) String() string {
+	return fmt.Sprintf("<every_of:[%s]>", self.Matchers)
+}
diff --git a/vendor/github.com/gobwas/glob/match/list.go b/vendor/github.com/gobwas/glob/match/list.go
new file mode 100644
index 0000000000..7fd763ecd8
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/list.go
@@ -0,0 +1,49 @@
+package match
+
+import (
+	"fmt"
+	"github.com/gobwas/glob/util/runes"
+	"unicode/utf8"
+)
+
+type List struct {
+	List []rune
+	Not  bool
+}
+
+func NewList(list []rune, not bool) List {
+	return List{list, not}
+}
+
+func (self List) Match(s string) bool {
+	r, w := utf8.DecodeRuneInString(s)
+	if len(s) > w {
+		return false
+	}
+
+	inList := runes.IndexRune(self.List, r) != -1
+	return inList == !self.Not
+}
+
+func (self List) Len() int {
+	return lenOne
+}
+
+func (self List) Index(s string) (int, []int) {
+	for i, r := range s {
+		if self.Not == (runes.IndexRune(self.List, r) == -1) {
+			return i, segmentsByRuneLength[utf8.RuneLen(r)]
+		}
+	}
+
+	return -1, nil
+}
+
+func (self List) String() string {
+	var not string
+	if self.Not {
+		not = "!"
+	}
+
+	return fmt.Sprintf("<list:%s[%s]>", not, string(self.List))
+}
diff --git a/vendor/github.com/gobwas/glob/match/match.go b/vendor/github.com/gobwas/glob/match/match.go
new file mode 100644
index 0000000000..f80e007fb8
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/match.go
@@ -0,0 +1,81 @@
+package match
+
+// todo common table of rune's length
+
+import (
+	"fmt"
+	"strings"
+)
+
+const lenOne = 1
+const lenZero = 0
+const lenNo = -1
+
+type Matcher interface {
+	Match(string) bool
+	Index(string) (int, []int)
+	Len() int
+	String() string
+}
+
+type Matchers []Matcher
+
+func (m Matchers) String() string {
+	var s []string
+	for _, matcher := range m {
+		s = append(s, fmt.Sprint(matcher))
+	}
+
+	return fmt.Sprintf("%s", strings.Join(s, ","))
+}
+
+// appendMerge merges and sorts given already SORTED and UNIQUE segments.
+func appendMerge(target, sub []int) []int {
+	lt, ls := len(target), len(sub)
+	out := make([]int, 0, lt+ls)
+
+	for x, y := 0, 0; x < lt || y < ls; {
+		if x >= lt {
+			out = append(out, sub[y:]...)
+			break
+		}
+
+		if y >= ls {
+			out = append(out, target[x:]...)
+			break
+		}
+
+		xValue := target[x]
+		yValue := sub[y]
+
+		switch {
+
+		case xValue == yValue:
+			out = append(out, xValue)
+			x++
+			y++
+
+		case xValue < yValue:
+			out = append(out, xValue)
+			x++
+
+		case yValue < xValue:
+			out = append(out, yValue)
+			y++
+
+		}
+	}
+
+	target = append(target[:0], out...)
+
+	return target
+}
+
+func reverseSegments(input []int) {
+	l := len(input)
+	m := l / 2
+
+	for i := 0; i < m; i++ {
+		input[i], input[l-i-1] = input[l-i-1], input[i]
+	}
+}
diff --git a/vendor/github.com/gobwas/glob/match/max.go b/vendor/github.com/gobwas/glob/match/max.go
new file mode 100644
index 0000000000..d72f69efff
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/max.go
@@ -0,0 +1,49 @@
+package match
+
+import (
+	"fmt"
+	"unicode/utf8"
+)
+
+type Max struct {
+	Limit int
+}
+
+func NewMax(l int) Max {
+	return Max{l}
+}
+
+func (self Max) Match(s string) bool {
+	var l int
+	for range s {
+		l += 1
+		if l > self.Limit {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (self Max) Index(s string) (int, []int) {
+	segments := acquireSegments(self.Limit + 1)
+	segments = append(segments, 0)
+	var count int
+	for i, r := range s {
+		count++
+		if count > self.Limit {
+			break
+		}
+		segments = append(segments, i+utf8.RuneLen(r))
+	}
+
+	return 0, segments
+}
+
+func (self Max) Len() int {
+	return lenNo
+}
+
+func (self Max) String() string {
+	return fmt.Sprintf("<max:%d>", self.Limit)
+}
diff --git a/vendor/github.com/gobwas/glob/match/min.go b/vendor/github.com/gobwas/glob/match/min.go
new file mode 100644
index 0000000000..db57ac8eb4
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/min.go
@@ -0,0 +1,57 @@
+package match
+
+import (
+	"fmt"
+	"unicode/utf8"
+)
+
+type Min struct {
+	Limit int
+}
+
+func NewMin(l int) Min {
+	return Min{l}
+}
+
+func (self Min) Match(s string) bool {
+	var l int
+	for range s {
+		l += 1
+		if l >= self.Limit {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (self Min) Index(s string) (int, []int) {
+	var count int
+
+	c := len(s) - self.Limit + 1
+	if c <= 0 {
+		return -1, nil
+	}
+
+	segments := acquireSegments(c)
+	for i, r := range s {
+		count++
+		if count >= self.Limit {
+			segments = append(segments, i+utf8.RuneLen(r))
+		}
+	}
+
+	if len(segments) == 0 {
+		return -1, nil
+	}
+
+	return 0, segments
+}
+
+func (self Min) Len() int {
+	return lenNo
+}
+
+func (self Min) String() string {
+	return fmt.Sprintf("<min:%d>", self.Limit)
+}
diff --git a/vendor/github.com/gobwas/glob/match/nothing.go b/vendor/github.com/gobwas/glob/match/nothing.go
new file mode 100644
index 0000000000..0d4ecd36b8
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/nothing.go
@@ -0,0 +1,27 @@
+package match
+
+import (
+	"fmt"
+)
+
+type Nothing struct{}
+
+func NewNothing() Nothing {
+	return Nothing{}
+}
+
+func (self Nothing) Match(s string) bool {
+	return len(s) == 0
+}
+
+func (self Nothing) Index(s string) (int, []int) {
+	return 0, segments0
+}
+
+func (self Nothing) Len() int {
+	return lenZero
+}
+
+func (self Nothing) String() string {
+	return fmt.Sprintf("<nothing>")
+}
diff --git a/vendor/github.com/gobwas/glob/match/prefix.go b/vendor/github.com/gobwas/glob/match/prefix.go
new file mode 100644
index 0000000000..a7347250e8
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/prefix.go
@@ -0,0 +1,50 @@
+package match
+
+import (
+	"fmt"
+	"strings"
+	"unicode/utf8"
+)
+
+type Prefix struct {
+	Prefix string
+}
+
+func NewPrefix(p string) Prefix {
+	return Prefix{p}
+}
+
+func (self Prefix) Index(s string) (int, []int) {
+	idx := strings.Index(s, self.Prefix)
+	if idx == -1 {
+		return -1, nil
+	}
+
+	length := len(self.Prefix)
+	var sub string
+	if len(s) > idx+length {
+		sub = s[idx+length:]
+	} else {
+		sub = ""
+	}
+
+	segments := acquireSegments(len(sub) + 1)
+	segments = append(segments, length)
+	for i, r := range sub {
+		segments = append(segments, length+i+utf8.RuneLen(r))
+	}
+
+	return idx, segments
+}
+
+func (self Prefix) Len() int {
+	return lenNo
+}
+
+func (self Prefix) Match(s string) bool {
+	return strings.HasPrefix(s, self.Prefix)
+}
+
+func (self Prefix) String() string {
+	return fmt.Sprintf("<prefix:%s>", self.Prefix)
+}
diff --git a/vendor/github.com/gobwas/glob/match/prefix_any.go b/vendor/github.com/gobwas/glob/match/prefix_any.go
new file mode 100644
index 0000000000..8ee58fe1b3
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/prefix_any.go
@@ -0,0 +1,55 @@
+package match
+
+import (
+	"fmt"
+	"strings"
+	"unicode/utf8"
+
+	sutil "github.com/gobwas/glob/util/strings"
+)
+
+type PrefixAny struct {
+	Prefix     string
+	Separators []rune
+}
+
+func NewPrefixAny(s string, sep []rune) PrefixAny {
+	return PrefixAny{s, sep}
+}
+
+func (self PrefixAny) Index(s string) (int, []int) {
+	idx := strings.Index(s, self.Prefix)
+	if idx == -1 {
+		return -1, nil
+	}
+
+	n := len(self.Prefix)
+	sub := s[idx+n:]
+	i := sutil.IndexAnyRunes(sub, self.Separators)
+	if i > -1 {
+		sub = sub[:i]
+	}
+
+	seg := acquireSegments(len(sub) + 1)
+	seg = append(seg, n)
+	for i, r := range sub {
+		seg = append(seg, n+i+utf8.RuneLen(r))
+	}
+
+	return idx, seg
+}
+
+func (self PrefixAny) Len() int {
+	return lenNo
+}
+
+func (self PrefixAny) Match(s string) bool {
+	if !strings.HasPrefix(s, self.Prefix) {
+		return false
+	}
+	return sutil.IndexAnyRunes(s[len(self.Prefix):], self.Separators) == -1
+}
+
+func (self PrefixAny) String() string {
+	return fmt.Sprintf("<prefix_any:%s![%s]>", self.Prefix, string(self.Separators))
+}
diff --git a/vendor/github.com/gobwas/glob/match/prefix_suffix.go b/vendor/github.com/gobwas/glob/match/prefix_suffix.go
new file mode 100644
index 0000000000..8208085a19
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/prefix_suffix.go
@@ -0,0 +1,62 @@
+package match
+
+import (
+	"fmt"
+	"strings"
+)
+
+type PrefixSuffix struct {
+	Prefix, Suffix string
+}
+
+func NewPrefixSuffix(p, s string) PrefixSuffix {
+	return PrefixSuffix{p, s}
+}
+
+func (self PrefixSuffix) Index(s string) (int, []int) {
+	prefixIdx := strings.Index(s, self.Prefix)
+	if prefixIdx == -1 {
+		return -1, nil
+	}
+
+	suffixLen := len(self.Suffix)
+	if suffixLen <= 0 {
+		return prefixIdx, []int{len(s) - prefixIdx}
+	}
+
+	if (len(s) - prefixIdx) <= 0 {
+		return -1, nil
+	}
+
+	segments := acquireSegments(len(s) - prefixIdx)
+	for sub := s[prefixIdx:]; ; {
+		suffixIdx := strings.LastIndex(sub, self.Suffix)
+		if suffixIdx == -1 {
+			break
+		}
+
+		segments = append(segments, suffixIdx+suffixLen)
+		sub = sub[:suffixIdx]
+	}
+
+	if len(segments) == 0 {
+		releaseSegments(segments)
+		return -1, nil
+	}
+
+	reverseSegments(segments)
+
+	return prefixIdx, segments
+}
+
+func (self PrefixSuffix) Len() int {
+	return lenNo
+}
+
+func (self PrefixSuffix) Match(s string) bool {
+	return strings.HasPrefix(s, self.Prefix) && strings.HasSuffix(s, self.Suffix)
+}
+
+func (self PrefixSuffix) String() string {
+	return fmt.Sprintf("<prefix_suffix:[%s,%s]>", self.Prefix, self.Suffix)
+}
diff --git a/vendor/github.com/gobwas/glob/match/range.go b/vendor/github.com/gobwas/glob/match/range.go
new file mode 100644
index 0000000000..ce30245a40
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/range.go
@@ -0,0 +1,48 @@
+package match
+
+import (
+	"fmt"
+	"unicode/utf8"
+)
+
+type Range struct {
+	Lo, Hi rune
+	Not    bool
+}
+
+func NewRange(lo, hi rune, not bool) Range {
+	return Range{lo, hi, not}
+}
+
+func (self Range) Len() int {
+	return lenOne
+}
+
+func (self Range) Match(s string) bool {
+	r, w := utf8.DecodeRuneInString(s)
+	if len(s) > w {
+		return false
+	}
+
+	inRange := r >= self.Lo && r <= self.Hi
+
+	return inRange == !self.Not
+}
+
+func (self Range) Index(s string) (int, []int) {
+	for i, r := range s {
+		if self.Not != (r >= self.Lo && r <= self.Hi) {
+			return i, segmentsByRuneLength[utf8.RuneLen(r)]
+		}
+	}
+
+	return -1, nil
+}
+
+func (self Range) String() string {
+	var not string
+	if self.Not {
+		not = "!"
+	}
+	return fmt.Sprintf("<range:%s[%s,%s]>", not, string(self.Lo), string(self.Hi))
+}
diff --git a/vendor/github.com/gobwas/glob/match/row.go b/vendor/github.com/gobwas/glob/match/row.go
new file mode 100644
index 0000000000..4379042e42
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/row.go
@@ -0,0 +1,77 @@
+package match
+
+import (
+	"fmt"
+)
+
+type Row struct {
+	Matchers    Matchers
+	RunesLength int
+	Segments    []int
+}
+
+func NewRow(len int, m ...Matcher) Row {
+	return Row{
+		Matchers:    Matchers(m),
+		RunesLength: len,
+		Segments:    []int{len},
+	}
+}
+
+func (self Row) matchAll(s string) bool {
+	var idx int
+	for _, m := range self.Matchers {
+		length := m.Len()
+
+		var next, i int
+		for next = range s[idx:] {
+			i++
+			if i == length {
+				break
+			}
+		}
+
+		if i < length || !m.Match(s[idx:idx+next+1]) {
+			return false
+		}
+
+		idx += next + 1
+	}
+
+	return true
+}
+
+func (self Row) lenOk(s string) bool {
+	var i int
+	for range s {
+		i++
+		if i > self.RunesLength {
+			return false
+		}
+	}
+	return self.RunesLength == i
+}
+
+func (self Row) Match(s string) bool {
+	return self.lenOk(s) && self.matchAll(s)
+}
+
+func (self Row) Len() (l int) {
+	return self.RunesLength
+}
+
+func (self Row) Index(s string) (int, []int) {
+	for i := range s {
+		if len(s[i:]) < self.RunesLength {
+			break
+		}
+		if self.matchAll(s[i:]) {
+			return i, self.Segments
+		}
+	}
+	return -1, nil
+}
+
+func (self Row) String() string {
+	return fmt.Sprintf("<row_%d:[%s]>", self.RunesLength, self.Matchers)
+}
diff --git a/vendor/github.com/gobwas/glob/match/segments.go b/vendor/github.com/gobwas/glob/match/segments.go
new file mode 100644
index 0000000000..9ea6f30943
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/segments.go
@@ -0,0 +1,91 @@
+package match
+
+import (
+	"sync"
+)
+
+type SomePool interface {
+	Get() []int
+	Put([]int)
+}
+
+var segmentsPools [1024]sync.Pool
+
+func toPowerOfTwo(v int) int {
+	v--
+	v |= v >> 1
+	v |= v >> 2
+	v |= v >> 4
+	v |= v >> 8
+	v |= v >> 16
+	v++
+
+	return v
+}
+
+const (
+	cacheFrom             = 16
+	cacheToAndHigher      = 1024
+	cacheFromIndex        = 15
+	cacheToAndHigherIndex = 1023
+)
+
+var (
+	segments0 = []int{0}
+	segments1 = []int{1}
+	segments2 = []int{2}
+	segments3 = []int{3}
+	segments4 = []int{4}
+)
+
+var segmentsByRuneLength [5][]int = [5][]int{
+	0: segments0,
+	1: segments1,
+	2: segments2,
+	3: segments3,
+	4: segments4,
+}
+
+func init() {
+	for i := cacheToAndHigher; i >= cacheFrom; i >>= 1 {
+		func(i int) {
+			segmentsPools[i-1] = sync.Pool{New: func() interface{} {
+				return make([]int, 0, i)
+			}}
+		}(i)
+	}
+}
+
+func getTableIndex(c int) int {
+	p := toPowerOfTwo(c)
+	switch {
+	case p >= cacheToAndHigher:
+		return cacheToAndHigherIndex
+	case p <= cacheFrom:
+		return cacheFromIndex
+	default:
+		return p - 1
+	}
+}
+
+func acquireSegments(c int) []int {
+	// make []int with less capacity than cacheFrom
+	// is faster than acquiring it from pool
+	if c < cacheFrom {
+		return make([]int, 0, c)
+	}
+
+	return segmentsPools[getTableIndex(c)].Get().([]int)[:0]
+}
+
+func releaseSegments(s []int) {
+	c := cap(s)
+
+	// make []int with less capacity than cacheFrom
+	// is faster than acquiring it from pool
+	if c < cacheFrom {
+		return
+	}
+
+	segmentsPools[getTableIndex(c)].Put(s)
+}
diff --git a/vendor/github.com/gobwas/glob/match/single.go b/vendor/github.com/gobwas/glob/match/single.go
new file mode 100644
index 0000000000..ee6e3954c1
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/single.go
@@ -0,0 +1,43 @@
+package match
+
+import (
+	"fmt"
+	"github.com/gobwas/glob/util/runes"
+	"unicode/utf8"
+)
+
+// single represents ?
+type Single struct {
+	Separators []rune
+}
+
+func NewSingle(s []rune) Single {
+	return Single{s}
+}
+
+func (self Single) Match(s string) bool {
+	r, w := utf8.DecodeRuneInString(s)
+	if len(s) > w {
+		return false
+	}
+
+	return runes.IndexRune(self.Separators, r) == -1
+}
+
+func (self Single) Len() int {
+	return lenOne
+}
+
+func (self Single) Index(s string) (int, []int) {
+	for i, r := range s {
+		if runes.IndexRune(self.Separators, r) == -1 {
+			return i, segmentsByRuneLength[utf8.RuneLen(r)]
+		}
+	}
+
+	return -1, nil
+}
+
+func (self Single) String() string {
+	return fmt.Sprintf("<single:![%s]>", string(self.Separators))
+}
diff --git a/vendor/github.com/gobwas/glob/match/suffix.go b/vendor/github.com/gobwas/glob/match/suffix.go
new file mode 100644
index 0000000000..85bea8c68e
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/suffix.go
@@ -0,0 +1,35 @@
+package match
+
+import (
+	"fmt"
+	"strings"
+)
+
+type Suffix struct {
+	Suffix string
+}
+
+func NewSuffix(s string) Suffix {
+	return Suffix{s}
+}
+
+func (self Suffix) Len() int {
+	return lenNo
+}
+
+func (self Suffix) Match(s string) bool {
+	return strings.HasSuffix(s, self.Suffix)
+}
+
+func (self Suffix) Index(s string) (int, []int) {
+	idx := strings.Index(s, self.Suffix)
+	if idx == -1 {
+		return -1, nil
+	}
+
+	return 0, []int{idx + len(self.Suffix)}
+}
+
+func (self Suffix) String() string {
+	return fmt.Sprintf("<suffix:%s>", self.Suffix)
+}
diff --git a/vendor/github.com/gobwas/glob/match/suffix_any.go b/vendor/github.com/gobwas/glob/match/suffix_any.go
new file mode 100644
index 0000000000..c5106f8196
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/suffix_any.go
@@ -0,0 +1,43 @@
+package match
+
+import (
+	"fmt"
+	"strings"
+
+	sutil "github.com/gobwas/glob/util/strings"
+)
+
+type SuffixAny struct {
+	Suffix     string
+	Separators []rune
+}
+
+func NewSuffixAny(s string, sep []rune) SuffixAny {
+	return SuffixAny{s, sep}
+}
+
+func (self SuffixAny) Index(s string) (int, []int) {
+	idx := strings.Index(s, self.Suffix)
+	if idx == -1 {
+		return -1, nil
+	}
+
+	i := sutil.LastIndexAnyRunes(s[:idx], self.Separators) + 1
+
+	return i, []int{idx + len(self.Suffix) - i}
+}
+
+func (self SuffixAny) Len() int {
+	return lenNo
+}
+
+func (self SuffixAny) Match(s string) bool {
+	if !strings.HasSuffix(s, self.Suffix) {
+		return false
+	}
+	return sutil.IndexAnyRunes(s[:len(s)-len(self.Suffix)], self.Separators) == -1
+}
+
+func (self SuffixAny) String() string {
+	return fmt.Sprintf("<suffix_any:![%s]%s>", string(self.Separators), self.Suffix)
+}
diff --git a/vendor/github.com/gobwas/glob/match/super.go b/vendor/github.com/gobwas/glob/match/super.go
new file mode 100644
index 0000000000..3875950bb8
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/super.go
@@ -0,0 +1,33 @@
+package match
+
+import (
+	"fmt"
+)
+
+type Super struct{}
+
+func NewSuper() Super {
+	return Super{}
+}
+
+func (self Super) Match(s string) bool {
+	return true
+}
+
+func (self Super) Len() int {
+	return lenNo
+}
+
+func (self Super) Index(s string) (int, []int) {
+	segments := acquireSegments(len(s) + 1)
+	for i := range s {
+		segments = append(segments, i)
+	}
+	segments = append(segments, len(s))
+
+	return 0, segments
+}
+
+func (self Super) String() string {
+	return fmt.Sprintf("<super>")
+}
diff --git a/vendor/github.com/gobwas/glob/match/text.go b/vendor/github.com/gobwas/glob/match/text.go
new file mode 100644
index 0000000000..0a17616d3c
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/match/text.go
@@ -0,0 +1,45 @@
+package match
+
+import (
+	"fmt"
+	"strings"
+	"unicode/utf8"
+)
+
+// raw represents raw string to match
+type Text struct {
+	Str         string
+	RunesLength int
+	BytesLength int
+	Segments    []int
+}
+
+func NewText(s string) Text {
+	return Text{
+		Str:         s,
+		RunesLength: utf8.RuneCountInString(s),
+		BytesLength: len(s),
+		Segments:    []int{len(s)},
+	}
+}
+
+func (self Text) Match(s string) bool {
+	return self.Str == s
+}
+
+func (self Text) Len() int {
+	return self.RunesLength
+}
+
+func (self Text) Index(s string) (int, []int) {
+	index := strings.Index(s, self.Str)
+	if index == -1 {
+		return -1, nil
+	}
+
+	return index, self.Segments
+}
+
+func (self Text) String() string {
+	return fmt.Sprintf("<text:`%v`>", self.Str)
+}
diff --git a/vendor/github.com/gobwas/glob/readme.md b/vendor/github.com/gobwas/glob/readme.md
new file mode 100644
index 0000000000..f58144e733
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/readme.md
@@ -0,0 +1,148 @@
+# glob.[go](https://golang.org)
+
+[![GoDoc][godoc-image]][godoc-url] [![Build Status][travis-image]][travis-url]
+
+> Go Globbing Library.
+
+## Install
+
+```shell
+    go get github.com/gobwas/glob
+```
+
+## Example
+
+```go
+
+package main
+
+import "github.com/gobwas/glob"
+
+func main() {
+    var g glob.Glob
+    
+    // create simple glob
+    g = glob.MustCompile("*.github.com")
+    g.Match("api.github.com") // true
+    
+    // quote meta characters and then create simple glob 
+    g = glob.MustCompile(glob.QuoteMeta("*.github.com"))
+    g.Match("*.github.com") // true
+    
+    // create new glob with set of delimiters as ["."]
+    g = glob.MustCompile("api.*.com", '.')
+    g.Match("api.github.com") // true
+    g.Match("api.gi.hub.com") // false
+    
+    // create new glob with set of delimiters as ["."]
+    // but now with super wildcard
+    g = glob.MustCompile("api.**.com", '.')
+    g.Match("api.github.com") // true
+    g.Match("api.gi.hub.com") // true
+        
+    // create glob with single symbol wildcard
+    g = glob.MustCompile("?at")
+    g.Match("cat") // true
+    g.Match("fat") // true
+    g.Match("at") // false
+    
+    // create glob with single symbol wildcard and delimiters ['f']
+    g = glob.MustCompile("?at", 'f')
+    g.Match("cat") // true
+    g.Match("fat") // false
+    g.Match("at") // false 
+    
+    // create glob with character-list matchers 
+    g = glob.MustCompile("[abc]at")
+    g.Match("cat") // true
+    g.Match("bat") // true
+    g.Match("fat") // false
+    g.Match("at") // false
+    
+    // create glob with character-list matchers 
+    g = glob.MustCompile("[!abc]at")
+    g.Match("cat") // false
+    g.Match("bat") // false
+    g.Match("fat") // true
+    g.Match("at") // false 
+    
+    // create glob with character-range matchers 
+    g = glob.MustCompile("[a-c]at")
+    g.Match("cat") // true
+    g.Match("bat") // true
+    g.Match("fat") // false
+    g.Match("at") // false
+    
+    // create glob with character-range matchers 
+    g = glob.MustCompile("[!a-c]at")
+    g.Match("cat") // false
+    g.Match("bat") // false
+    g.Match("fat") // true
+    g.Match("at") // false 
+    
+    // create glob with pattern-alternatives list 
+    g = glob.MustCompile("{cat,bat,[fr]at}")
+    g.Match("cat") // true
+    g.Match("bat") // true
+    g.Match("fat") // true
+    g.Match("rat") // true
+    g.Match("at") // false 
+    g.Match("zat") // false 
+}
+
+```
+
+## Performance
+
+This library is created for compile-once patterns. This means, that compilation could take time, but 
+strings matching is done faster, than in case when always parsing template.
+
+If you will not use compiled `glob.Glob` object, and do `g := glob.MustCompile(pattern); g.Match(...)` every time, then your code will be much more slower.
+
+Run `go test -bench=.` from source root to see the benchmarks:
+
+Pattern | Fixture | Match | Speed (ns/op)
+--------|---------|-------|--------------
+`[a-z][!a-x]*cat*[h][!b]*eyes*` | `my cat has very bright eyes` | `true` | 432
+`[a-z][!a-x]*cat*[h][!b]*eyes*` | `my dog has very bright eyes` | `false` | 199
+`https://*.google.*` | `https://account.google.com` | `true` | 96
+`https://*.google.*` | `https://google.com` | `false` | 66
+`{https://*.google.*,*yandex.*,*yahoo.*,*mail.ru}` | `http://yahoo.com` | `true` | 163
+`{https://*.google.*,*yandex.*,*yahoo.*,*mail.ru}` | `http://google.com` | `false` | 197
+`{https://*gobwas.com,http://exclude.gobwas.com}` | `https://safe.gobwas.com` | `true` | 22
+`{https://*gobwas.com,http://exclude.gobwas.com}` | `http://safe.gobwas.com` | `false` | 24
+`abc*` | `abcdef` | `true` | 8.15
+`abc*` | `af` | `false` | 5.68
+`*def` | `abcdef` | `true` | 8.84
+`*def` | `af` | `false` | 5.74
+`ab*ef` | `abcdef` | `true` | 15.2
+`ab*ef` | `af` | `false` | 10.4
+
+The same things with `regexp` package:
+
+Pattern | Fixture | Match | Speed (ns/op)
+--------|---------|-------|--------------
+`^[a-z][^a-x].*cat.*[h][^b].*eyes.*$` | `my cat has very bright eyes` | `true` | 2553
+`^[a-z][^a-x].*cat.*[h][^b].*eyes.*$` | `my dog has very bright eyes` | `false` | 1383
+`^https:\/\/.*\.google\..*$` | `https://account.google.com` | `true` | 1205
+`^https:\/\/.*\.google\..*$` | `https://google.com` | `false` | 767
+`^(https:\/\/.*\.google\..*|.*yandex\..*|.*yahoo\..*|.*mail\.ru)$` | `http://yahoo.com` | `true` | 1435
+`^(https:\/\/.*\.google\..*|.*yandex\..*|.*yahoo\..*|.*mail\.ru)$` | `http://google.com` | `false` | 1674
+`^(https:\/\/.*gobwas\.com|http://exclude.gobwas.com)$` | `https://safe.gobwas.com` | `true` | 1039
+`^(https:\/\/.*gobwas\.com|http://exclude.gobwas.com)$` | `http://safe.gobwas.com` | `false` | 272
+`^abc.*$` | `abcdef` | `true` | 237
+`^abc.*$` | `af` | `false` | 100
+`^.*def$` | `abcdef` | `true` | 464
+`^.*def$` | `af` | `false` | 265
+`^ab.*ef$` | `abcdef` | `true` | 375
+`^ab.*ef$` | `af` | `false` | 145
+
+[godoc-image]: https://godoc.org/github.com/gobwas/glob?status.svg
+[godoc-url]: https://godoc.org/github.com/gobwas/glob
+[travis-image]: https://travis-ci.org/gobwas/glob.svg?branch=master
+[travis-url]: https://travis-ci.org/gobwas/glob
+
+## Syntax
+
+Syntax is inspired by [standard wildcards](http://tldp.org/LDP/GNU-Linux-Tools-Summary/html/x11655.htm),
+except that `**` is aka super-asterisk, that do not sensitive for separators.
\ No newline at end of file
diff --git a/vendor/github.com/gobwas/glob/syntax/ast/ast.go b/vendor/github.com/gobwas/glob/syntax/ast/ast.go
new file mode 100644
index 0000000000..3220a694a9
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/syntax/ast/ast.go
@@ -0,0 +1,122 @@
+package ast
+
+import (
+	"bytes"
+	"fmt"
+)
+
+type Node struct {
+	Parent   *Node
+	Children []*Node
+	Value    interface{}
+	Kind     Kind
+}
+
+func NewNode(k Kind, v interface{}, ch ...*Node) *Node {
+	n := &Node{
+		Kind:  k,
+		Value: v,
+	}
+	for _, c := range ch {
+		Insert(n, c)
+	}
+	return n
+}
+
+func (a *Node) Equal(b *Node) bool {
+	if a.Kind != b.Kind {
+		return false
+	}
+	if a.Value != b.Value {
+		return false
+	}
+	if len(a.Children) != len(b.Children) {
+		return false
+	}
+	for i, c := range a.Children {
+		if !c.Equal(b.Children[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+func (a *Node) String() string {
+	var buf bytes.Buffer
+	buf.WriteString(a.Kind.String())
+	if a.Value != nil {
+		buf.WriteString(" =")
+		buf.WriteString(fmt.Sprintf("%v", a.Value))
+	}
+	if len(a.Children) > 0 {
+		buf.WriteString(" [")
+		for i, c := range a.Children {
+			if i > 0 {
+				buf.WriteString(", ")
+			}
+			buf.WriteString(c.String())
+		}
+		buf.WriteString("]")
+	}
+	return buf.String()
+}
+
+func Insert(parent *Node, children ...*Node) {
+	parent.Children = append(parent.Children, children...)
+	for _, ch := range children {
+		ch.Parent = parent
+	}
+}
+
+type List struct {
+	Not   bool
+	Chars string
+}
+
+type Range struct {
+	Not    bool
+	Lo, Hi rune
+}
+
+type Text struct {
+	Text string
+}
+
+type Kind int
+
+const (
+	KindNothing Kind = iota
+	KindPattern
+	KindList
+	KindRange
+	KindText
+	KindAny
+	KindSuper
+	KindSingle
+	KindAnyOf
+)
+
+func (k Kind) String() string {
+	switch k {
+	case KindNothing:
+		return "Nothing"
+	case KindPattern:
+		return "Pattern"
+	case KindList:
+		return "List"
+	case KindRange:
+		return "Range"
+	case KindText:
+		return "Text"
+	case KindAny:
+		return "Any"
+	case KindSuper:
+		return "Super"
+	case KindSingle:
+		return "Single"
+	case KindAnyOf:
+		return "AnyOf"
+	default:
+		return ""
+	}
+}
diff --git a/vendor/github.com/gobwas/glob/syntax/ast/parser.go b/vendor/github.com/gobwas/glob/syntax/ast/parser.go
new file mode 100644
index 0000000000..429b409430
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/syntax/ast/parser.go
@@ -0,0 +1,157 @@
+package ast
+
+import (
+	"errors"
+	"fmt"
+	"github.com/gobwas/glob/syntax/lexer"
+	"unicode/utf8"
+)
+
+type Lexer interface {
+	Next() lexer.Token
+}
+
+type parseFn func(*Node, Lexer) (parseFn, *Node, error)
+
+func Parse(lexer Lexer) (*Node, error) {
+	var parser parseFn
+
+	root := NewNode(KindPattern, nil)
+
+	var (
+		tree *Node
+		err  error
+	)
+	for parser, tree = parserMain, root; parser != nil; {
+		parser, tree, err = parser(tree, lexer)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return root, nil
+}
+
+func parserMain(tree *Node, lex Lexer) (parseFn, *Node, error) {
+	for {
+		token := lex.Next()
+		switch token.Type {
+		case lexer.EOF:
+			return nil, tree, nil
+
+		case lexer.Error:
+			return nil, tree, errors.New(token.Raw)
+
+		case lexer.Text:
+			Insert(tree, NewNode(KindText, Text{token.Raw}))
+			return parserMain, tree, nil
+
+		case lexer.Any:
+			Insert(tree, NewNode(KindAny, nil))
+			return parserMain, tree, nil
+
+		case lexer.Super:
+			Insert(tree, NewNode(KindSuper, nil))
+			return parserMain, tree, nil
+
+		case lexer.Single:
+			Insert(tree, NewNode(KindSingle, nil))
+			return parserMain, tree, nil
+
+		case lexer.RangeOpen:
+			return parserRange, tree, nil
+
+		case lexer.TermsOpen:
+			a := NewNode(KindAnyOf, nil)
+			Insert(tree, a)
+
+			p := NewNode(KindPattern, nil)
+			Insert(a, p)
+
+			return parserMain, p, nil
+
+		case lexer.Separator:
+			p := NewNode(KindPattern, nil)
+			Insert(tree.Parent, p)
+
+			return parserMain, p, nil
+
+		case lexer.TermsClose:
+			return parserMain, tree.Parent.Parent, nil
+
+		default:
+			return nil, tree, fmt.Errorf("unexpected token: %s", token)
+		}
+	}
+	return nil, tree, fmt.Errorf("unknown error")
+}
+
+func parserRange(tree *Node, lex Lexer) (parseFn, *Node, error) {
+	var (
+		not   bool
+		lo    rune
+		hi    rune
+		chars string
+	)
+	for {
+		token := lex.Next()
+		switch token.Type {
+		case lexer.EOF:
+			return nil, tree, errors.New("unexpected end")
+
+		case lexer.Error:
+			return nil, tree, errors.New(token.Raw)
+
+		case lexer.Not:
+			not = true
+
+		case lexer.RangeLo:
+			r, w := utf8.DecodeRuneInString(token.Raw)
+			if len(token.Raw) > w {
+				return nil, tree, fmt.Errorf("unexpected length of lo character")
+			}
+			lo = r
+
+		case lexer.RangeBetween:
+			//
+
+		case lexer.RangeHi:
+			r, w := utf8.DecodeRuneInString(token.Raw)
+			if len(token.Raw) > w {
+				return nil, tree, fmt.Errorf("unexpected length of lo character")
+			}
+
+			hi = r
+
+			if hi < lo {
+				return nil, tree, fmt.Errorf("hi character '%s' should be greater than lo '%s'", string(hi), string(lo))
+			}
+
+		case lexer.Text:
+			chars = token.Raw
+
+		case lexer.RangeClose:
+			isRange := lo != 0 && hi != 0
+			isChars := chars != ""
+
+			if isChars == isRange {
+				return nil, tree, fmt.Errorf("could not parse range")
+			}
+
+			if isRange {
+				Insert(tree, NewNode(KindRange, Range{
+					Lo:  lo,
+					Hi:  hi,
+					Not: not,
+				}))
+			} else {
+				Insert(tree, NewNode(KindList, List{
+					Chars: chars,
+					Not:   not,
+				}))
+			}
+
+			return parserMain, tree, nil
+		}
+	}
+}
diff --git a/vendor/github.com/gobwas/glob/syntax/lexer/lexer.go b/vendor/github.com/gobwas/glob/syntax/lexer/lexer.go
new file mode 100644
index 0000000000..a1c8d1962a
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/syntax/lexer/lexer.go
@@ -0,0 +1,273 @@
+package lexer
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/gobwas/glob/util/runes"
+	"unicode/utf8"
+)
+
+const (
+	char_any           = '*'
+	char_comma         = ','
+	char_single        = '?'
+	char_escape        = '\\'
+	char_range_open    = '['
+	char_range_close   = ']'
+	char_terms_open    = '{'
+	char_terms_close   = '}'
+	char_range_not     = '!'
+	char_range_between = '-'
+)
+
+var specials = []byte{
+	char_any,
+	char_single,
+	char_escape,
+	char_range_open,
+	char_range_close,
+	char_terms_open,
+	char_terms_close,
+}
+
+func Special(c byte) bool {
+	return bytes.IndexByte(specials, c) != -1
+}
+
+type tokens []Token
+
+func (i *tokens) shift() (ret Token) {
+	ret = (*i)[0]
+	copy(*i, (*i)[1:])
+	*i = (*i)[:len(*i)-1]
+	return
+}
+
+func (i *tokens) push(v Token) {
+	*i = append(*i, v)
+}
+
+func (i *tokens) empty() bool {
+	return len(*i) == 0
+}
+
+var eof rune = 0
+
+type lexer struct {
+	data string
+	pos  int
+	err  error
+
+	tokens     tokens
+	termsLevel int
+
+	lastRune     rune
+	lastRuneSize int
+	hasRune      bool
+}
+
+func NewLexer(source string) *lexer {
+	l := &lexer{
+		data:   source,
+		tokens: tokens(make([]Token, 0, 4)),
+	}
+	return l
+}
+
+func (l *lexer) Next() Token {
+	if l.err != nil {
+		return Token{Error, l.err.Error()}
+	}
+	if !l.tokens.empty() {
+		return l.tokens.shift()
+	}
+
+	l.fetchItem()
+	return l.Next()
+}
+
+func (l *lexer) peek() (r rune, w int) {
+	if l.pos == len(l.data) {
+		return eof, 0
+	}
+
+	r, w = utf8.DecodeRuneInString(l.data[l.pos:])
+	if r == utf8.RuneError {
+		l.errorf("could not read rune")
+		r = eof
+		w = 0
+	}
+
+	return
+}
+
+func (l *lexer) read() rune {
+	if l.hasRune {
+		l.hasRune = false
+		l.seek(l.lastRuneSize)
+		return l.lastRune
+	}
+
+	r, s := l.peek()
+	l.seek(s)
+
+	l.lastRune = r
+	l.lastRuneSize = s
+
+	return r
+}
+
+func (l *lexer) seek(w int) {
+	l.pos += w
+}
+
+func (l *lexer) unread() {
+	if l.hasRune {
+		l.errorf("could not unread rune")
+		return
+	}
+	l.seek(-l.lastRuneSize)
+	l.hasRune = true
+}
+
+func (l *lexer) errorf(f string, v ...interface{}) {
+	l.err = fmt.Errorf(f, v...)
+}
+
+func (l *lexer) inTerms() bool {
+	return l.termsLevel > 0
+}
+
+func (l *lexer) termsEnter() {
+	l.termsLevel++
+}
+
+func (l *lexer) termsLeave() {
+	l.termsLevel--
+}
+
+var inTextBreakers = []rune{char_single, char_any, char_range_open, char_terms_open}
+var inTermsBreakers = append(inTextBreakers, char_terms_close, char_comma)
+
+func (l *lexer) fetchItem() {
+	r := l.read()
+	switch {
+	case r == eof:
+		l.tokens.push(Token{EOF, ""})
+
+	case r == char_terms_open:
+		l.termsEnter()
+		l.tokens.push(Token{TermsOpen, string(r)})
+
+	case r == char_comma && l.inTerms():
+		l.tokens.push(Token{Separator, string(r)})
+
+	case r == char_terms_close && l.inTerms():
+		l.tokens.push(Token{TermsClose, string(r)})
+		l.termsLeave()
+
+	case r == char_range_open:
+		l.tokens.push(Token{RangeOpen, string(r)})
+		l.fetchRange()
+
+	case r == char_single:
+		l.tokens.push(Token{Single, string(r)})
+
+	case r == char_any:
+		if l.read() == char_any {
+			l.tokens.push(Token{Super, string(r) + string(r)})
+		} else {
+			l.unread()
+			l.tokens.push(Token{Any, string(r)})
+		}
+
+	default:
+		l.unread()
+
+		var breakers []rune
+		if l.inTerms() {
+			breakers = inTermsBreakers
+		} else {
+			breakers = inTextBreakers
+		}
+		l.fetchText(breakers)
+	}
+}
+
+func (l *lexer) fetchRange() {
+	var wantHi bool
+	var wantClose bool
+	var seenNot bool
+	for {
+		r := l.read()
+		if r == eof {
+			l.errorf("unexpected end of input")
+			return
+		}
+
+		if wantClose {
+			if r != char_range_close {
+				l.errorf("expected close range character")
+			} else {
+				l.tokens.push(Token{RangeClose, string(r)})
+			}
+			return
+		}
+
+		if wantHi {
+			l.tokens.push(Token{RangeHi, string(r)})
+			wantClose = true
+			continue
+		}
+
+		if !seenNot && r == char_range_not {
+			l.tokens.push(Token{Not, string(r)})
+			seenNot = true
+			continue
+		}
+
+		if n, w := l.peek(); n == char_range_between {
+			l.seek(w)
+			l.tokens.push(Token{RangeLo, string(r)})
+			l.tokens.push(Token{RangeBetween, string(n)})
+			wantHi = true
+			continue
+		}
+
+		l.unread() // unread first peek and fetch as text
+		l.fetchText([]rune{char_range_close})
+		wantClose = true
+	}
+}
+
+func (l *lexer) fetchText(breakers []rune) {
+	var data []rune
+	var escaped bool
+
+reading:
+	for {
+		r := l.read()
+		if r == eof {
+			break
+		}
+
+		if !escaped {
+			if r == char_escape {
+				escaped = true
+				continue
+			}
+
+			if runes.IndexRune(breakers, r) != -1 {
+				l.unread()
+				break reading
+			}
+		}
+
+		escaped = false
+		data = append(data, r)
+	}
+
+	if len(data) > 0 {
+		l.tokens.push(Token{Text, string(data)})
+	}
+}
diff --git a/vendor/github.com/gobwas/glob/syntax/lexer/token.go b/vendor/github.com/gobwas/glob/syntax/lexer/token.go
new file mode 100644
index 0000000000..2797c4e83a
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/syntax/lexer/token.go
@@ -0,0 +1,88 @@
+package lexer
+
+import "fmt"
+
+type TokenType int
+
+const (
+	EOF TokenType = iota
+	Error
+	Text
+	Char
+	Any
+	Super
+	Single
+	Not
+	Separator
+	RangeOpen
+	RangeClose
+	RangeLo
+	RangeHi
+	RangeBetween
+	TermsOpen
+	TermsClose
+)
+
+func (tt TokenType) String() string {
+	switch tt {
+	case EOF:
+		return "eof"
+
+	case Error:
+		return "error"
+
+	case Text:
+		return "text"
+
+	case Char:
+		return "char"
+
+	case Any:
+		return "any"
+
+	case Super:
+		return "super"
+
+	case Single:
+		return "single"
+
+	case Not:
+		return "not"
+
+	case Separator:
+		return "separator"
+
+	case RangeOpen:
+		return "range_open"
+
+	case RangeClose:
+		return "range_close"
+
+	case RangeLo:
+		return "range_lo"
+
+	case RangeHi:
+		return "range_hi"
+
+	case RangeBetween:
+		return "range_between"
+
+	case TermsOpen:
+		return "terms_open"
+
+	case TermsClose:
+		return "terms_close"
+
+	default:
+		return "undef"
+	}
+}
+
+type Token struct {
+	Type TokenType
+	Raw  string
+}
+
+func (t Token) String() string {
+	return fmt.Sprintf("%v<%q>", t.Type, t.Raw)
+}
diff --git a/vendor/github.com/gobwas/glob/syntax/syntax.go b/vendor/github.com/gobwas/glob/syntax/syntax.go
new file mode 100644
index 0000000000..1d168b1482
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/syntax/syntax.go
@@ -0,0 +1,14 @@
+package syntax
+
+import (
+	"github.com/gobwas/glob/syntax/ast"
+	"github.com/gobwas/glob/syntax/lexer"
+)
+
+func Parse(s string) (*ast.Node, error) {
+	return ast.Parse(lexer.NewLexer(s))
+}
+
+func Special(b byte) bool {
+	return lexer.Special(b)
+}
diff --git a/vendor/github.com/gobwas/glob/util/runes/runes.go b/vendor/github.com/gobwas/glob/util/runes/runes.go
new file mode 100644
index 0000000000..a723556410
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/util/runes/runes.go
@@ -0,0 +1,154 @@
+package runes
+
+func Index(s, needle []rune) int {
+	ls, ln := len(s), len(needle)
+
+	switch {
+	case ln == 0:
+		return 0
+	case ln == 1:
+		return IndexRune(s, needle[0])
+	case ln == ls:
+		if Equal(s, needle) {
+			return 0
+		}
+		return -1
+	case ln > ls:
+		return -1
+	}
+
+head:
+	for i := 0; i < ls && ls-i >= ln; i++ {
+		for y := 0; y < ln; y++ {
+			if s[i+y] != needle[y] {
+				continue head
+			}
+		}
+
+		return i
+	}
+
+	return -1
+}
+
+func LastIndex(s, needle []rune) int {
+	ls, ln := len(s), len(needle)
+
+	switch {
+	case ln == 0:
+		if ls == 0 {
+			return 0
+		}
+		return ls
+	case ln == 1:
+		return IndexLastRune(s, needle[0])
+	case ln == ls:
+		if Equal(s, needle) {
+			return 0
+		}
+		return -1
+	case ln > ls:
+		return -1
+	}
+
+head:
+	for i := ls - 1; i >= 0 && i >= ln; i-- {
+		for y := ln - 1; y >= 0; y-- {
+			if s[i-(ln-y-1)] != needle[y] {
+				continue head
+			}
+		}
+
+		return i - ln + 1
+	}
+
+	return -1
+}
+
+// IndexAny returns the index of the first instance of any Unicode code point
+// from chars in s, or -1 if no Unicode code point from chars is present in s.
+func IndexAny(s, chars []rune) int {
+	if len(chars) > 0 {
+		for i, c := range s {
+			for _, m := range chars {
+				if c == m {
+					return i
+				}
+			}
+		}
+	}
+	return -1
+}
+
+func Contains(s, needle []rune) bool {
+	return Index(s, needle) >= 0
+}
+
+func Max(s []rune) (max rune) {
+	for _, r := range s {
+		if r > max {
+			max = r
+		}
+	}
+
+	return
+}
+
+func Min(s []rune) rune {
+	min := rune(-1)
+	for _, r := range s {
+		if min == -1 {
+			min = r
+			continue
+		}
+
+		if r < min {
+			min = r
+		}
+	}
+
+	return min
+}
+
+func IndexRune(s []rune, r rune) int {
+	for i, c := range s {
+		if c == r {
+			return i
+		}
+	}
+	return -1
+}
+
+func IndexLastRune(s []rune, r rune) int {
+	for i := len(s) - 1; i >= 0; i-- {
+		if s[i] == r {
+			return i
+		}
+	}
+
+	return -1
+}
+
+func Equal(a, b []rune) bool {
+	if len(a) == len(b) {
+		for i := 0; i < len(a); i++ {
+			if a[i] != b[i] {
+				return false
+			}
+		}
+
+		return true
+	}
+
+	return false
+}
+
+// HasPrefix tests whether the string s begins with prefix.
+func HasPrefix(s, prefix []rune) bool {
+	return len(s) >= len(prefix) && Equal(s[0:len(prefix)], prefix)
+}
+
+// HasSuffix tests whether the string s ends with suffix.
+func HasSuffix(s, suffix []rune) bool {
+	return len(s) >= len(suffix) && Equal(s[len(s)-len(suffix):], suffix)
+}
diff --git a/vendor/github.com/gobwas/glob/util/strings/strings.go b/vendor/github.com/gobwas/glob/util/strings/strings.go
new file mode 100644
index 0000000000..e8ee1920b1
--- /dev/null
+++ b/vendor/github.com/gobwas/glob/util/strings/strings.go
@@ -0,0 +1,39 @@
+package strings
+
+import (
+	"strings"
+	"unicode/utf8"
+)
+
+func IndexAnyRunes(s string, rs []rune) int {
+	for _, r := range rs {
+		if i := strings.IndexRune(s, r); i != -1 {
+			return i
+		}
+	}
+
+	return -1
+}
+
+func LastIndexAnyRunes(s string, rs []rune) int {
+	for _, r := range rs {
+		i := -1
+		if 0 <= r && r < utf8.RuneSelf {
+			i = strings.LastIndexByte(s, byte(r))
+		} else {
+			sub := s
+			for len(sub) > 0 {
+				j := strings.IndexRune(s, r)
+				if j == -1 {
+					break
+				}
+				i = j
+				sub = sub[i+1:]
+			}
+		}
+		if i != -1 {
+			return i
+		}
+	}
+	return -1
+}
diff --git a/vendor/github.com/google/gnostic-models/extensions/extension.proto b/vendor/github.com/google/gnostic-models/extensions/extension.proto
index 875137c1a8..a600429890 100644
--- a/vendor/github.com/google/gnostic-models/extensions/extension.proto
+++ b/vendor/github.com/google/gnostic-models/extensions/extension.proto
@@ -42,7 +42,7 @@ option java_package = "org.gnostic.v1";
 option objc_class_prefix = "GNX";
 
 // The Go package name.
-option go_package = "./extensions;gnostic_extension_v1";
+option go_package = "github.com/google/gnostic-models/extensions;gnostic_extension_v1";
 
 // The version number of Gnostic.
 message Version {
diff --git a/vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.proto b/vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.proto
index 1c59b2f4ae..49adafcc8e 100644
--- a/vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.proto
+++ b/vendor/github.com/google/gnostic-models/openapiv2/OpenAPIv2.proto
@@ -42,7 +42,7 @@ option java_package = "org.openapi_v2";
 option objc_class_prefix = "OAS";
 
 // The Go package name.
-option go_package = "./openapiv2;openapi_v2";
+option go_package = "github.com/google/gnostic-models/openapiv2;openapi_v2";
 
 message AdditionalPropertiesItem {
   oneof oneof {
diff --git a/vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.proto b/vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.proto
index 1be335b89b..af4b6254bc 100644
--- a/vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.proto
+++ b/vendor/github.com/google/gnostic-models/openapiv3/OpenAPIv3.proto
@@ -42,7 +42,7 @@ option java_package = "org.openapi_v3";
 option objc_class_prefix = "OAS";
 
 // The Go package name.
-option go_package = "./openapiv3;openapi_v3";
+option go_package = "github.com/google/gnostic-models/openapiv3;openapi_v3";
 
 message AdditionalPropertiesItem {
   oneof oneof {
diff --git a/vendor/github.com/google/gnostic-models/openapiv3/annotations.proto b/vendor/github.com/google/gnostic-models/openapiv3/annotations.proto
index 09ee0aac51..895b4567cd 100644
--- a/vendor/github.com/google/gnostic-models/openapiv3/annotations.proto
+++ b/vendor/github.com/google/gnostic-models/openapiv3/annotations.proto
@@ -20,7 +20,7 @@ import "google/protobuf/descriptor.proto";
 import "openapiv3/OpenAPIv3.proto";
 
 // The Go package name.
-option go_package = "./openapiv3;openapi_v3";
+option go_package = "github.com/google/gnostic-models/openapiv3;openapi_v3";
 // This option lets the proto compiler generate Java code inside the package
 // name (see below) instead of inside an outer class. It creates a simpler
 // developer experience by reducing one-level of name nesting and be
diff --git a/vendor/github.com/gosuri/uitable/.travis.yml b/vendor/github.com/gosuri/uitable/.travis.yml
new file mode 100644
index 0000000000..26fc3b438b
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/.travis.yml
@@ -0,0 +1,6 @@
+language: go
+sudo: false
+install:
+  - go get ./...
+go:
+  - tip
diff --git a/vendor/github.com/gosuri/uitable/LICENSE b/vendor/github.com/gosuri/uitable/LICENSE
new file mode 100644
index 0000000000..e436d90439
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/LICENSE
@@ -0,0 +1,10 @@
+MIT License
+===========
+
+Copyright (c) 2015, Greg Osuri
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/gosuri/uitable/Makefile b/vendor/github.com/gosuri/uitable/Makefile
new file mode 100644
index 0000000000..60246a8a93
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/Makefile
@@ -0,0 +1,4 @@
+test:
+	@go test ./...
+
+.PHONY: test
diff --git a/vendor/github.com/gosuri/uitable/README.md b/vendor/github.com/gosuri/uitable/README.md
new file mode 100644
index 0000000000..683b538d13
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/README.md
@@ -0,0 +1,67 @@
+# uitable [![GoDoc](https://godoc.org/github.com/gosuri/uitable?status.svg)](https://godoc.org/github.com/gosuri/uitable) [![Build Status](https://travis-ci.org/gosuri/uitable.svg?branch=master)](https://travis-ci.org/gosuri/uitable)
+
+uitable is a go library for representing data as tables for terminal applications. It provides primitives for sizing and wrapping columns to improve readability.
+
+## Example Usage
+
+Full source code for the example is available at [example/main.go](example/main.go)
+
+```go
+table := uitable.New()
+table.MaxColWidth = 50
+
+table.AddRow("NAME", "BIRTHDAY", "BIO")
+for _, hacker := range hackers {
+  table.AddRow(hacker.Name, hacker.Birthday, hacker.Bio)
+}
+fmt.Println(table)
+```
+
+Will render the data as:
+
+```sh
+NAME          BIRTHDAY          BIO
+Ada Lovelace  December 10, 1815 Ada was a British mathematician and writer, chi...
+Alan Turing   June 23, 1912     Alan was a British pioneering computer scientis...
+```
+
+For wrapping in two columns:
+
+```go
+table = uitable.New()
+table.MaxColWidth = 80
+table.Wrap = true // wrap columns
+
+for _, hacker := range hackers {
+  table.AddRow("Name:", hacker.Name)
+  table.AddRow("Birthday:", hacker.Birthday)
+  table.AddRow("Bio:", hacker.Bio)
+  table.AddRow("") // blank
+}
+fmt.Println(table)
+```
+
+Will render the data as:
+
+```
+Name:     Ada Lovelace
+Birthday: December 10, 1815
+Bio:      Ada was a British mathematician and writer, chiefly known for her work on
+          Charles Babbage's early mechanical general-purpose computer, the Analytical
+          Engine
+
+Name:     Alan Turing
+Birthday: June 23, 1912
+Bio:      Alan was a British pioneering computer scientist, mathematician, logician,
+          cryptanalyst and theoretical biologist
+```
+
+## Installation
+
+```
+$ go get -v github.com/gosuri/uitable
+```
+
+
+[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/gosuri/uitable/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
+
diff --git a/vendor/github.com/gosuri/uitable/table.go b/vendor/github.com/gosuri/uitable/table.go
new file mode 100644
index 0000000000..b764e51502
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/table.go
@@ -0,0 +1,205 @@
+// Package uitable provides a decorator for formating data as a table
+package uitable
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/fatih/color"
+	"github.com/gosuri/uitable/util/strutil"
+	"github.com/gosuri/uitable/util/wordwrap"
+)
+
+// Separator is the default column seperator
+var Separator = "\t"
+
+// Table represents a decorator that renders the data in formatted in a table
+type Table struct {
+	// Rows is the collection of rows in the table
+	Rows []*Row
+
+	// MaxColWidth is the maximum allowed width for cells in the table
+	MaxColWidth uint
+
+	// Wrap when set to true wraps the contents of the columns when the length exceeds the MaxColWidth
+	Wrap bool
+
+	// Separator is the seperator for columns in the table. Default is "\t"
+	Separator string
+
+	mtx        *sync.RWMutex
+	rightAlign map[int]bool
+}
+
+// New returns a new Table with default values
+func New() *Table {
+	return &Table{
+		Separator:  Separator,
+		mtx:        new(sync.RWMutex),
+		rightAlign: map[int]bool{},
+	}
+}
+
+// AddRow adds a new row to the table
+func (t *Table) AddRow(data ...interface{}) *Table {
+	t.mtx.Lock()
+	defer t.mtx.Unlock()
+	r := NewRow(data...)
+	t.Rows = append(t.Rows, r)
+	return t
+}
+
+// Bytes returns the []byte value of table
+func (t *Table) Bytes() []byte {
+	return []byte(t.String())
+}
+
+func (t *Table) RightAlign(col int) {
+	t.mtx.Lock()
+	t.rightAlign[col] = true
+	t.mtx.Unlock()
+}
+
+// String returns the string value of table
+func (t *Table) String() string {
+	t.mtx.RLock()
+	defer t.mtx.RUnlock()
+
+	if len(t.Rows) == 0 {
+		return ""
+	}
+
+	// determine the width for each column (cell in a row)
+	var colwidths []uint
+	for _, row := range t.Rows {
+		for i, cell := range row.Cells {
+			// resize colwidth array
+			if i+1 > len(colwidths) {
+				colwidths = append(colwidths, 0)
+			}
+			cellwidth := cell.LineWidth()
+			if t.MaxColWidth != 0 && cellwidth > t.MaxColWidth {
+				cellwidth = t.MaxColWidth
+			}
+
+			if cellwidth > colwidths[i] {
+				colwidths[i] = cellwidth
+			}
+		}
+	}
+
+	var lines []string
+	for _, row := range t.Rows {
+		row.Separator = t.Separator
+		for i, cell := range row.Cells {
+			cell.Width = colwidths[i]
+			cell.Wrap = t.Wrap
+			cell.RightAlign = t.rightAlign[i]
+		}
+		lines = append(lines, row.String())
+	}
+	return strutil.Join(lines, "\n")
+}
+
+// Row represents a row in a table
+type Row struct {
+	// Cells is the group of cell for the row
+	Cells []*Cell
+
+	// Separator for tabular columns
+	Separator string
+}
+
+// NewRow returns a new Row and adds the data to the row
+func NewRow(data ...interface{}) *Row {
+	r := &Row{Cells: make([]*Cell, len(data))}
+	for i, d := range data {
+		r.Cells[i] = &Cell{Data: d}
+	}
+	return r
+}
+
+// String returns the string representation of the row
+func (r *Row) String() string {
+	// get the max number of lines for each cell
+	var lc int // line count
+	for _, cell := range r.Cells {
+		if clc := len(strings.Split(cell.String(), "\n")); clc > lc {
+			lc = clc
+		}
+	}
+
+	// allocate a two-dimentional array of cells for each line and add size them
+	cells := make([][]*Cell, lc)
+	for x := 0; x < lc; x++ {
+		cells[x] = make([]*Cell, len(r.Cells))
+		for y := 0; y < len(r.Cells); y++ {
+			cells[x][y] = &Cell{Width: r.Cells[y].Width}
+		}
+	}
+
+	// insert each line in a cell as new cell in the cells array
+	for y, cell := range r.Cells {
+		lines := strings.Split(cell.String(), "\n")
+		for x, line := range lines {
+			cells[x][y].Data = line
+		}
+	}
+
+	// format each line
+	lines := make([]string, lc)
+	for x := range lines {
+		line := make([]string, len(cells[x]))
+		for y := range cells[x] {
+			line[y] = cells[x][y].String()
+		}
+		lines[x] = strutil.Join(line, r.Separator)
+	}
+	return strings.Join(lines, "\n")
+}
+
+// Cell represents a column in a row
+type Cell struct {
+	// Width is the width of the cell
+	Width uint
+
+	// Wrap when true wraps the contents of the cell when the lenght exceeds the width
+	Wrap bool
+
+	// RightAlign when true aligns contents to the right
+	RightAlign bool
+
+	// Data is the cell data
+	Data interface{}
+}
+
+// LineWidth returns the max width of all the lines in a cell
+func (c *Cell) LineWidth() uint {
+	width := 0
+	for _, s := range strings.Split(c.String(), "\n") {
+		w := strutil.StringWidth(s)
+		if w > width {
+			width = w
+		}
+	}
+	return uint(width)
+}
+
+// String returns the string formated representation of the cell
+func (c *Cell) String() string {
+	if c.Data == nil {
+		return strutil.PadLeft(" ", int(c.Width), ' ')
+	}
+	col := color.New(color.FgBlack)
+	col.DisableColor()
+	s := fmt.Sprintf("%v", col.Sprint(c.Data))
+	if c.Width > 0 {
+		if c.Wrap && uint(len(s)) > c.Width {
+			return wordwrap.WrapString(s, c.Width)
+		} else {
+			return strutil.Resize(s, c.Width, c.RightAlign)
+		}
+	}
+	return s
+}
diff --git a/vendor/github.com/gosuri/uitable/util/strutil/strutil.go b/vendor/github.com/gosuri/uitable/util/strutil/strutil.go
new file mode 100644
index 0000000000..53f30a8fd3
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/util/strutil/strutil.go
@@ -0,0 +1,101 @@
+// Package strutil provides various utilities for manipulating strings
+package strutil
+
+import (
+	"bytes"
+	"regexp"
+
+	"github.com/mattn/go-runewidth"
+)
+
+const ansi = "[\u001B\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\u0007)|(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))"
+
+var re = regexp.MustCompile(ansi)
+
+// PadRight returns a new string of a specified length in which the end of the current string is padded with spaces or with a specified Unicode character.
+func PadRight(str string, length int, pad byte) string {
+	slen := StringWidth(str)
+	if slen >= length {
+		return str
+	}
+	buf := bytes.NewBufferString(str)
+	for i := 0; i < length-slen; i++ {
+		buf.WriteByte(pad)
+	}
+	return buf.String()
+}
+
+// PadLeft returns a new string of a specified length in which the beginning of the current string is padded with spaces or with a specified Unicode character.
+func PadLeft(str string, length int, pad byte) string {
+	slen := StringWidth(str)
+	if slen >= length {
+		return str
+	}
+	var buf bytes.Buffer
+	for i := 0; i < length-slen; i++ {
+		buf.WriteByte(pad)
+	}
+	buf.WriteString(str)
+	return buf.String()
+}
+
+// Resize resizes the string with the given length. It ellipses with '...' when the string's length exceeds
+// the desired length or pads spaces to the right of the string when length is smaller than desired
+func Resize(s string, length uint, rightAlign bool) string {
+	slen := StringWidth(s)
+	n := int(length)
+	if slen == n {
+		return s
+	}
+	// Pads only when length of the string smaller than len needed
+	if rightAlign {
+		s = PadLeft(s, n, ' ')
+	} else {
+		s = PadRight(s, n, ' ')
+	}
+	if slen > n {
+		rs := []rune(s)
+		var buf bytes.Buffer
+		w := 0
+		for _, r := range rs {
+			buf.WriteRune(r)
+			rw := RuneWidth(r)
+			if w+rw >= n-3 {
+				break
+			}
+			w += rw
+		}
+		buf.WriteString("...")
+		s = buf.String()
+	}
+	return s
+}
+
+// Join joins the list of the string with the delim provided.
+// Returns an empty string for empty list
+func Join(list []string, delim string) string {
+	if len(list) == 0 {
+		return ""
+	}
+	var buf bytes.Buffer
+	for i := 0; i < len(list)-1; i++ {
+		buf.WriteString(list[i] + delim)
+	}
+	buf.WriteString(list[len(list)-1])
+	return buf.String()
+}
+
+// Strip strips the string of all colors
+func Strip(s string) string {
+	return re.ReplaceAllString(s, "")
+}
+
+// StringWidth returns the actual width of the string without colors
+func StringWidth(s string) int {
+	return runewidth.StringWidth(Strip(s))
+}
+
+// RuneWidth returns the actual width of the rune
+func RuneWidth(s rune) int {
+	return runewidth.RuneWidth(s)
+}
diff --git a/vendor/github.com/gosuri/uitable/util/wordwrap/LICENSE.md b/vendor/github.com/gosuri/uitable/util/wordwrap/LICENSE.md
new file mode 100644
index 0000000000..2298515904
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/util/wordwrap/LICENSE.md
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Mitchell Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/gosuri/uitable/util/wordwrap/README.md b/vendor/github.com/gosuri/uitable/util/wordwrap/README.md
new file mode 100644
index 0000000000..60ae311700
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/util/wordwrap/README.md
@@ -0,0 +1,39 @@
+# go-wordwrap
+
+`go-wordwrap` (Golang package: `wordwrap`) is a package for Go that
+automatically wraps words into multiple lines. The primary use case for this
+is in formatting CLI output, but of course word wrapping is a generally useful
+thing to do.
+
+## Installation and Usage
+
+Install using `go get github.com/mitchellh/go-wordwrap`.
+
+Full documentation is available at
+http://godoc.org/github.com/mitchellh/go-wordwrap
+
+Below is an example of its usage ignoring errors:
+
+```go
+wrapped := wordwrap.WrapString("foo bar baz", 3)
+fmt.Println(wrapped)
+```
+
+Would output:
+
+```
+foo
+bar
+baz
+```
+
+## Word Wrap Algorithm
+
+This library doesn't use any clever algorithm for word wrapping. The wrapping
+is actually very naive: whenever there is whitespace or an explicit linebreak.
+The goal of this library is for word wrapping CLI output, so the input is
+typically pretty well controlled human language. Because of this, the naive
+approach typically works just fine.
+
+In the future, we'd like to make the algorithm more advanced. We would do
+so without breaking the API.
diff --git a/vendor/github.com/gosuri/uitable/util/wordwrap/wordwrap.go b/vendor/github.com/gosuri/uitable/util/wordwrap/wordwrap.go
new file mode 100644
index 0000000000..b2c63b8795
--- /dev/null
+++ b/vendor/github.com/gosuri/uitable/util/wordwrap/wordwrap.go
@@ -0,0 +1,85 @@
+// Package wordwrap provides methods for wrapping the contents of a string
+package wordwrap
+
+import (
+	"bytes"
+	"unicode"
+
+	"github.com/gosuri/uitable/util/strutil"
+)
+
+// WrapString wraps the given string within lim width in characters.
+//
+// Wrapping is currently naive and only happens at white-space. A future
+// version of the library will implement smarter wrapping. This means that
+// pathological cases can dramatically reach past the limit, such as a very
+// long word.
+func WrapString(s string, lim uint) string {
+	// Initialize a buffer with a slightly larger size to account for breaks
+	init := make([]byte, 0, len(s))
+	buf := bytes.NewBuffer(init)
+
+	var current uint
+	var wordBuf, spaceBuf bytes.Buffer
+	var wordWidth, spaceWidth int
+
+	for _, char := range s {
+		if char == '\n' {
+			if wordBuf.Len() == 0 {
+				if current+uint(spaceWidth) > lim {
+					current = 0
+				} else {
+					current += uint(spaceWidth)
+					spaceBuf.WriteTo(buf)
+					spaceWidth += strutil.StringWidth(buf.String())
+				}
+				spaceBuf.Reset()
+				spaceWidth = 0
+			} else {
+				current += uint(spaceWidth + wordWidth)
+				spaceBuf.WriteTo(buf)
+				spaceBuf.Reset()
+				wordBuf.WriteTo(buf)
+				wordBuf.Reset()
+				spaceWidth = 0
+				wordWidth = 0
+			}
+			buf.WriteRune(char)
+			current = 0
+		} else if unicode.IsSpace(char) {
+			if spaceBuf.Len() == 0 || wordBuf.Len() > 0 {
+				current += uint(spaceWidth + wordWidth)
+				spaceBuf.WriteTo(buf)
+				spaceBuf.Reset()
+				wordBuf.WriteTo(buf)
+				wordBuf.Reset()
+				spaceWidth = 0
+				wordWidth = 0
+			}
+
+			spaceBuf.WriteRune(char)
+			spaceWidth += strutil.RuneWidth(char)
+		} else {
+			wordBuf.WriteRune(char)
+			wordWidth += strutil.RuneWidth(char)
+
+			if current+uint(spaceWidth+wordWidth) > lim && uint(wordWidth) < lim {
+				buf.WriteRune('\n')
+				current = 0
+				spaceBuf.Reset()
+				spaceWidth = 0
+			}
+		}
+	}
+
+	if wordBuf.Len() == 0 {
+		if current+uint(spaceWidth) <= lim {
+			spaceBuf.WriteTo(buf)
+		}
+	} else {
+		spaceBuf.WriteTo(buf)
+		wordBuf.WriteTo(buf)
+	}
+
+	return buf.String()
+}
diff --git a/vendor/github.com/gregjones/httpcache/.travis.yml b/vendor/github.com/gregjones/httpcache/.travis.yml
new file mode 100644
index 0000000000..597bc9996f
--- /dev/null
+++ b/vendor/github.com/gregjones/httpcache/.travis.yml
@@ -0,0 +1,18 @@
+sudo: false
+language: go
+matrix:
+  allow_failures:
+    - go: master
+  fast_finish: true
+  include:
+    - go: 1.10.x
+    - go: 1.11.x
+      env: GOFMT=1
+    - go: master
+install:
+  - # Do nothing. This is needed to prevent default install action "go get -t -v ./..." from happening here (we want it to happen inside script step).
+script:
+  - go get -t -v ./...
+  - if test -n "${GOFMT}"; then gofmt -w -s . && git diff --exit-code; fi
+  - go tool vet .
+  - go test -v -race ./...
diff --git a/vendor/github.com/gregjones/httpcache/LICENSE.txt b/vendor/github.com/gregjones/httpcache/LICENSE.txt
new file mode 100644
index 0000000000..81316beb0c
--- /dev/null
+++ b/vendor/github.com/gregjones/httpcache/LICENSE.txt
@@ -0,0 +1,7 @@
+Copyright © 2012 Greg Jones (greg.jones@gmail.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software�), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS�, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/vendor/github.com/gregjones/httpcache/README.md b/vendor/github.com/gregjones/httpcache/README.md
new file mode 100644
index 0000000000..51e7d23d09
--- /dev/null
+++ b/vendor/github.com/gregjones/httpcache/README.md
@@ -0,0 +1,29 @@
+httpcache
+=========
+
+[![Build Status](https://travis-ci.org/gregjones/httpcache.svg?branch=master)](https://travis-ci.org/gregjones/httpcache) [![GoDoc](https://godoc.org/github.com/gregjones/httpcache?status.svg)](https://godoc.org/github.com/gregjones/httpcache)
+
+Package httpcache provides a http.RoundTripper implementation that works as a mostly [RFC 7234](https://tools.ietf.org/html/rfc7234) compliant cache for http responses.
+
+It is only suitable for use as a 'private' cache (i.e. for a web-browser or an API-client and not for a shared proxy).
+
+This project isn't actively maintained; it works for what I, and seemingly others, want to do with it, and I consider it "done". That said, if you find any issues, please open a Pull Request and I will try to review it. Any changes now that change the public API won't be considered.
+
+Cache Backends
+--------------
+
+- The built-in 'memory' cache stores responses in an in-memory map.
+- [`github.com/gregjones/httpcache/diskcache`](https://github.com/gregjones/httpcache/tree/master/diskcache) provides a filesystem-backed cache using the [diskv](https://github.com/peterbourgon/diskv) library.
+- [`github.com/gregjones/httpcache/memcache`](https://github.com/gregjones/httpcache/tree/master/memcache) provides memcache implementations, for both App Engine and 'normal' memcache servers.
+- [`sourcegraph.com/sourcegraph/s3cache`](https://sourcegraph.com/github.com/sourcegraph/s3cache) uses Amazon S3 for storage.
+- [`github.com/gregjones/httpcache/leveldbcache`](https://github.com/gregjones/httpcache/tree/master/leveldbcache) provides a filesystem-backed cache using [leveldb](https://github.com/syndtr/goleveldb/leveldb).
+- [`github.com/die-net/lrucache`](https://github.com/die-net/lrucache) provides an in-memory cache that will evict least-recently used entries.
+- [`github.com/die-net/lrucache/twotier`](https://github.com/die-net/lrucache/tree/master/twotier) allows caches to be combined, for example to use lrucache above with a persistent disk-cache.
+- [`github.com/birkelund/boltdbcache`](https://github.com/birkelund/boltdbcache) provides a BoltDB implementation (based on the [bbolt](https://github.com/coreos/bbolt) fork).
+
+If you implement any other backend and wish it to be linked here, please send a PR editing this file.
+
+License
+-------
+
+-	[MIT License](LICENSE.txt)
diff --git a/vendor/github.com/gregjones/httpcache/httpcache.go b/vendor/github.com/gregjones/httpcache/httpcache.go
new file mode 100644
index 0000000000..b41a63d1ff
--- /dev/null
+++ b/vendor/github.com/gregjones/httpcache/httpcache.go
@@ -0,0 +1,551 @@
+// Package httpcache provides a http.RoundTripper implementation that works as a
+// mostly RFC-compliant cache for http responses.
+//
+// It is only suitable for use as a 'private' cache (i.e. for a web-browser or an API-client
+// and not for a shared proxy).
+//
+package httpcache
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httputil"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	stale = iota
+	fresh
+	transparent
+	// XFromCache is the header added to responses that are returned from the cache
+	XFromCache = "X-From-Cache"
+)
+
+// A Cache interface is used by the Transport to store and retrieve responses.
+type Cache interface {
+	// Get returns the []byte representation of a cached response and a bool
+	// set to true if the value isn't empty
+	Get(key string) (responseBytes []byte, ok bool)
+	// Set stores the []byte representation of a response against a key
+	Set(key string, responseBytes []byte)
+	// Delete removes the value associated with the key
+	Delete(key string)
+}
+
+// cacheKey returns the cache key for req.
+func cacheKey(req *http.Request) string {
+	if req.Method == http.MethodGet {
+		return req.URL.String()
+	} else {
+		return req.Method + " " + req.URL.String()
+	}
+}
+
+// CachedResponse returns the cached http.Response for req if present, and nil
+// otherwise.
+func CachedResponse(c Cache, req *http.Request) (resp *http.Response, err error) {
+	cachedVal, ok := c.Get(cacheKey(req))
+	if !ok {
+		return
+	}
+
+	b := bytes.NewBuffer(cachedVal)
+	return http.ReadResponse(bufio.NewReader(b), req)
+}
+
+// MemoryCache is an implemtation of Cache that stores responses in an in-memory map.
+type MemoryCache struct {
+	mu    sync.RWMutex
+	items map[string][]byte
+}
+
+// Get returns the []byte representation of the response and true if present, false if not
+func (c *MemoryCache) Get(key string) (resp []byte, ok bool) {
+	c.mu.RLock()
+	resp, ok = c.items[key]
+	c.mu.RUnlock()
+	return resp, ok
+}
+
+// Set saves response resp to the cache with key
+func (c *MemoryCache) Set(key string, resp []byte) {
+	c.mu.Lock()
+	c.items[key] = resp
+	c.mu.Unlock()
+}
+
+// Delete removes key from the cache
+func (c *MemoryCache) Delete(key string) {
+	c.mu.Lock()
+	delete(c.items, key)
+	c.mu.Unlock()
+}
+
+// NewMemoryCache returns a new Cache that will store items in an in-memory map
+func NewMemoryCache() *MemoryCache {
+	c := &MemoryCache{items: map[string][]byte{}}
+	return c
+}
+
+// Transport is an implementation of http.RoundTripper that will return values from a cache
+// where possible (avoiding a network request) and will additionally add validators (etag/if-modified-since)
+// to repeated requests allowing servers to return 304 / Not Modified
+type Transport struct {
+	// The RoundTripper interface actually used to make requests
+	// If nil, http.DefaultTransport is used
+	Transport http.RoundTripper
+	Cache     Cache
+	// If true, responses returned from the cache will be given an extra header, X-From-Cache
+	MarkCachedResponses bool
+}
+
+// NewTransport returns a new Transport with the
+// provided Cache implementation and MarkCachedResponses set to true
+func NewTransport(c Cache) *Transport {
+	return &Transport{Cache: c, MarkCachedResponses: true}
+}
+
+// Client returns an *http.Client that caches responses.
+func (t *Transport) Client() *http.Client {
+	return &http.Client{Transport: t}
+}
+
+// varyMatches will return false unless all of the cached values for the headers listed in Vary
+// match the new request
+func varyMatches(cachedResp *http.Response, req *http.Request) bool {
+	for _, header := range headerAllCommaSepValues(cachedResp.Header, "vary") {
+		header = http.CanonicalHeaderKey(header)
+		if header != "" && req.Header.Get(header) != cachedResp.Header.Get("X-Varied-"+header) {
+			return false
+		}
+	}
+	return true
+}
+
+// RoundTrip takes a Request and returns a Response
+//
+// If there is a fresh Response already in cache, then it will be returned without connecting to
+// the server.
+//
+// If there is a stale Response, then any validators it contains will be set on the new request
+// to give the server a chance to respond with NotModified. If this happens, then the cached Response
+// will be returned.
+func (t *Transport) RoundTrip(req *http.Request) (resp *http.Response, err error) {
+	cacheKey := cacheKey(req)
+	cacheable := (req.Method == "GET" || req.Method == "HEAD") && req.Header.Get("range") == ""
+	var cachedResp *http.Response
+	if cacheable {
+		cachedResp, err = CachedResponse(t.Cache, req)
+	} else {
+		// Need to invalidate an existing value
+		t.Cache.Delete(cacheKey)
+	}
+
+	transport := t.Transport
+	if transport == nil {
+		transport = http.DefaultTransport
+	}
+
+	if cacheable && cachedResp != nil && err == nil {
+		if t.MarkCachedResponses {
+			cachedResp.Header.Set(XFromCache, "1")
+		}
+
+		if varyMatches(cachedResp, req) {
+			// Can only use cached value if the new request doesn't Vary significantly
+			freshness := getFreshness(cachedResp.Header, req.Header)
+			if freshness == fresh {
+				return cachedResp, nil
+			}
+
+			if freshness == stale {
+				var req2 *http.Request
+				// Add validators if caller hasn't already done so
+				etag := cachedResp.Header.Get("etag")
+				if etag != "" && req.Header.Get("etag") == "" {
+					req2 = cloneRequest(req)
+					req2.Header.Set("if-none-match", etag)
+				}
+				lastModified := cachedResp.Header.Get("last-modified")
+				if lastModified != "" && req.Header.Get("last-modified") == "" {
+					if req2 == nil {
+						req2 = cloneRequest(req)
+					}
+					req2.Header.Set("if-modified-since", lastModified)
+				}
+				if req2 != nil {
+					req = req2
+				}
+			}
+		}
+
+		resp, err = transport.RoundTrip(req)
+		if err == nil && req.Method == "GET" && resp.StatusCode == http.StatusNotModified {
+			// Replace the 304 response with the one from cache, but update with some new headers
+			endToEndHeaders := getEndToEndHeaders(resp.Header)
+			for _, header := range endToEndHeaders {
+				cachedResp.Header[header] = resp.Header[header]
+			}
+			resp = cachedResp
+		} else if (err != nil || (cachedResp != nil && resp.StatusCode >= 500)) &&
+			req.Method == "GET" && canStaleOnError(cachedResp.Header, req.Header) {
+			// In case of transport failure and stale-if-error activated, returns cached content
+			// when available
+			return cachedResp, nil
+		} else {
+			if err != nil || resp.StatusCode != http.StatusOK {
+				t.Cache.Delete(cacheKey)
+			}
+			if err != nil {
+				return nil, err
+			}
+		}
+	} else {
+		reqCacheControl := parseCacheControl(req.Header)
+		if _, ok := reqCacheControl["only-if-cached"]; ok {
+			resp = newGatewayTimeoutResponse(req)
+		} else {
+			resp, err = transport.RoundTrip(req)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	if cacheable && canStore(parseCacheControl(req.Header), parseCacheControl(resp.Header)) {
+		for _, varyKey := range headerAllCommaSepValues(resp.Header, "vary") {
+			varyKey = http.CanonicalHeaderKey(varyKey)
+			fakeHeader := "X-Varied-" + varyKey
+			reqValue := req.Header.Get(varyKey)
+			if reqValue != "" {
+				resp.Header.Set(fakeHeader, reqValue)
+			}
+		}
+		switch req.Method {
+		case "GET":
+			// Delay caching until EOF is reached.
+			resp.Body = &cachingReadCloser{
+				R: resp.Body,
+				OnEOF: func(r io.Reader) {
+					resp := *resp
+					resp.Body = ioutil.NopCloser(r)
+					respBytes, err := httputil.DumpResponse(&resp, true)
+					if err == nil {
+						t.Cache.Set(cacheKey, respBytes)
+					}
+				},
+			}
+		default:
+			respBytes, err := httputil.DumpResponse(resp, true)
+			if err == nil {
+				t.Cache.Set(cacheKey, respBytes)
+			}
+		}
+	} else {
+		t.Cache.Delete(cacheKey)
+	}
+	return resp, nil
+}
+
+// ErrNoDateHeader indicates that the HTTP headers contained no Date header.
+var ErrNoDateHeader = errors.New("no Date header")
+
+// Date parses and returns the value of the Date header.
+func Date(respHeaders http.Header) (date time.Time, err error) {
+	dateHeader := respHeaders.Get("date")
+	if dateHeader == "" {
+		err = ErrNoDateHeader
+		return
+	}
+
+	return time.Parse(time.RFC1123, dateHeader)
+}
+
+type realClock struct{}
+
+func (c *realClock) since(d time.Time) time.Duration {
+	return time.Since(d)
+}
+
+type timer interface {
+	since(d time.Time) time.Duration
+}
+
+var clock timer = &realClock{}
+
+// getFreshness will return one of fresh/stale/transparent based on the cache-control
+// values of the request and the response
+//
+// fresh indicates the response can be returned
+// stale indicates that the response needs validating before it is returned
+// transparent indicates the response should not be used to fulfil the request
+//
+// Because this is only a private cache, 'public' and 'private' in cache-control aren't
+// signficant. Similarly, smax-age isn't used.
+func getFreshness(respHeaders, reqHeaders http.Header) (freshness int) {
+	respCacheControl := parseCacheControl(respHeaders)
+	reqCacheControl := parseCacheControl(reqHeaders)
+	if _, ok := reqCacheControl["no-cache"]; ok {
+		return transparent
+	}
+	if _, ok := respCacheControl["no-cache"]; ok {
+		return stale
+	}
+	if _, ok := reqCacheControl["only-if-cached"]; ok {
+		return fresh
+	}
+
+	date, err := Date(respHeaders)
+	if err != nil {
+		return stale
+	}
+	currentAge := clock.since(date)
+
+	var lifetime time.Duration
+	var zeroDuration time.Duration
+
+	// If a response includes both an Expires header and a max-age directive,
+	// the max-age directive overrides the Expires header, even if the Expires header is more restrictive.
+	if maxAge, ok := respCacheControl["max-age"]; ok {
+		lifetime, err = time.ParseDuration(maxAge + "s")
+		if err != nil {
+			lifetime = zeroDuration
+		}
+	} else {
+		expiresHeader := respHeaders.Get("Expires")
+		if expiresHeader != "" {
+			expires, err := time.Parse(time.RFC1123, expiresHeader)
+			if err != nil {
+				lifetime = zeroDuration
+			} else {
+				lifetime = expires.Sub(date)
+			}
+		}
+	}
+
+	if maxAge, ok := reqCacheControl["max-age"]; ok {
+		// the client is willing to accept a response whose age is no greater than the specified time in seconds
+		lifetime, err = time.ParseDuration(maxAge + "s")
+		if err != nil {
+			lifetime = zeroDuration
+		}
+	}
+	if minfresh, ok := reqCacheControl["min-fresh"]; ok {
+		//  the client wants a response that will still be fresh for at least the specified number of seconds.
+		minfreshDuration, err := time.ParseDuration(minfresh + "s")
+		if err == nil {
+			currentAge = time.Duration(currentAge + minfreshDuration)
+		}
+	}
+
+	if maxstale, ok := reqCacheControl["max-stale"]; ok {
+		// Indicates that the client is willing to accept a response that has exceeded its expiration time.
+		// If max-stale is assigned a value, then the client is willing to accept a response that has exceeded
+		// its expiration time by no more than the specified number of seconds.
+		// If no value is assigned to max-stale, then the client is willing to accept a stale response of any age.
+		//
+		// Responses served only because of a max-stale value are supposed to have a Warning header added to them,
+		// but that seems like a  hassle, and is it actually useful? If so, then there needs to be a different
+		// return-value available here.
+		if maxstale == "" {
+			return fresh
+		}
+		maxstaleDuration, err := time.ParseDuration(maxstale + "s")
+		if err == nil {
+			currentAge = time.Duration(currentAge - maxstaleDuration)
+		}
+	}
+
+	if lifetime > currentAge {
+		return fresh
+	}
+
+	return stale
+}
+
+// Returns true if either the request or the response includes the stale-if-error
+// cache control extension: https://tools.ietf.org/html/rfc5861
+func canStaleOnError(respHeaders, reqHeaders http.Header) bool {
+	respCacheControl := parseCacheControl(respHeaders)
+	reqCacheControl := parseCacheControl(reqHeaders)
+
+	var err error
+	lifetime := time.Duration(-1)
+
+	if staleMaxAge, ok := respCacheControl["stale-if-error"]; ok {
+		if staleMaxAge != "" {
+			lifetime, err = time.ParseDuration(staleMaxAge + "s")
+			if err != nil {
+				return false
+			}
+		} else {
+			return true
+		}
+	}
+	if staleMaxAge, ok := reqCacheControl["stale-if-error"]; ok {
+		if staleMaxAge != "" {
+			lifetime, err = time.ParseDuration(staleMaxAge + "s")
+			if err != nil {
+				return false
+			}
+		} else {
+			return true
+		}
+	}
+
+	if lifetime >= 0 {
+		date, err := Date(respHeaders)
+		if err != nil {
+			return false
+		}
+		currentAge := clock.since(date)
+		if lifetime > currentAge {
+			return true
+		}
+	}
+
+	return false
+}
+
+func getEndToEndHeaders(respHeaders http.Header) []string {
+	// These headers are always hop-by-hop
+	hopByHopHeaders := map[string]struct{}{
+		"Connection":          {},
+		"Keep-Alive":          {},
+		"Proxy-Authenticate":  {},
+		"Proxy-Authorization": {},
+		"Te":                  {},
+		"Trailers":            {},
+		"Transfer-Encoding":   {},
+		"Upgrade":             {},
+	}
+
+	for _, extra := range strings.Split(respHeaders.Get("connection"), ",") {
+		// any header listed in connection, if present, is also considered hop-by-hop
+		if strings.Trim(extra, " ") != "" {
+			hopByHopHeaders[http.CanonicalHeaderKey(extra)] = struct{}{}
+		}
+	}
+	endToEndHeaders := []string{}
+	for respHeader := range respHeaders {
+		if _, ok := hopByHopHeaders[respHeader]; !ok {
+			endToEndHeaders = append(endToEndHeaders, respHeader)
+		}
+	}
+	return endToEndHeaders
+}
+
+func canStore(reqCacheControl, respCacheControl cacheControl) (canStore bool) {
+	if _, ok := respCacheControl["no-store"]; ok {
+		return false
+	}
+	if _, ok := reqCacheControl["no-store"]; ok {
+		return false
+	}
+	return true
+}
+
+func newGatewayTimeoutResponse(req *http.Request) *http.Response {
+	var braw bytes.Buffer
+	braw.WriteString("HTTP/1.1 504 Gateway Timeout\r\n\r\n")
+	resp, err := http.ReadResponse(bufio.NewReader(&braw), req)
+	if err != nil {
+		panic(err)
+	}
+	return resp
+}
+
+// cloneRequest returns a clone of the provided *http.Request.
+// The clone is a shallow copy of the struct and its Header map.
+// (This function copyright goauth2 authors: https://code.google.com/p/goauth2)
+func cloneRequest(r *http.Request) *http.Request {
+	// shallow copy of the struct
+	r2 := new(http.Request)
+	*r2 = *r
+	// deep copy of the Header
+	r2.Header = make(http.Header)
+	for k, s := range r.Header {
+		r2.Header[k] = s
+	}
+	return r2
+}
+
+type cacheControl map[string]string
+
+func parseCacheControl(headers http.Header) cacheControl {
+	cc := cacheControl{}
+	ccHeader := headers.Get("Cache-Control")
+	for _, part := range strings.Split(ccHeader, ",") {
+		part = strings.Trim(part, " ")
+		if part == "" {
+			continue
+		}
+		if strings.ContainsRune(part, '=') {
+			keyval := strings.Split(part, "=")
+			cc[strings.Trim(keyval[0], " ")] = strings.Trim(keyval[1], ",")
+		} else {
+			cc[part] = ""
+		}
+	}
+	return cc
+}
+
+// headerAllCommaSepValues returns all comma-separated values (each
+// with whitespace trimmed) for header name in headers. According to
+// Section 4.2 of the HTTP/1.1 spec
+// (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2),
+// values from multiple occurrences of a header should be concatenated, if
+// the header's value is a comma-separated list.
+func headerAllCommaSepValues(headers http.Header, name string) []string {
+	var vals []string
+	for _, val := range headers[http.CanonicalHeaderKey(name)] {
+		fields := strings.Split(val, ",")
+		for i, f := range fields {
+			fields[i] = strings.TrimSpace(f)
+		}
+		vals = append(vals, fields...)
+	}
+	return vals
+}
+
+// cachingReadCloser is a wrapper around ReadCloser R that calls OnEOF
+// handler with a full copy of the content read from R when EOF is
+// reached.
+type cachingReadCloser struct {
+	// Underlying ReadCloser.
+	R io.ReadCloser
+	// OnEOF is called with a copy of the content of R when EOF is reached.
+	OnEOF func(io.Reader)
+
+	buf bytes.Buffer // buf stores a copy of the content of R.
+}
+
+// Read reads the next len(p) bytes from R or until R is drained. The
+// return value n is the number of bytes read. If R has no data to
+// return, err is io.EOF and OnEOF is called with a full copy of what
+// has been read so far.
+func (r *cachingReadCloser) Read(p []byte) (n int, err error) {
+	n, err = r.R.Read(p)
+	r.buf.Write(p[:n])
+	if err == io.EOF {
+		r.OnEOF(bytes.NewReader(r.buf.Bytes()))
+	}
+	return n, err
+}
+
+func (r *cachingReadCloser) Close() error {
+	return r.R.Close()
+}
+
+// NewMemoryCacheTransport returns a new Transport using the in-memory cache implementation
+func NewMemoryCacheTransport() *Transport {
+	c := NewMemoryCache()
+	t := NewTransport(c)
+	return t
+}
diff --git a/vendor/github.com/hashicorp/errwrap/LICENSE b/vendor/github.com/hashicorp/errwrap/LICENSE
new file mode 100644
index 0000000000..c33dcc7c92
--- /dev/null
+++ b/vendor/github.com/hashicorp/errwrap/LICENSE
@@ -0,0 +1,354 @@
+Mozilla Public License, version 2.0
+
+1. Definitions
+
+1.1. “Contributor�
+
+     means each individual or legal entity that creates, contributes to the
+     creation of, or owns Covered Software.
+
+1.2. “Contributor Version�
+
+     means the combination of the Contributions of others (if any) used by a
+     Contributor and that particular Contributor’s Contribution.
+
+1.3. “Contribution�
+
+     means Covered Software of a particular Contributor.
+
+1.4. “Covered Software�
+
+     means Source Code Form to which the initial Contributor has attached the
+     notice in Exhibit A, the Executable Form of such Source Code Form, and
+     Modifications of such Source Code Form, in each case including portions
+     thereof.
+
+1.5. “Incompatible With Secondary Licenses�
+     means
+
+     a. that the initial Contributor has attached the notice described in
+        Exhibit B to the Covered Software; or
+
+     b. that the Covered Software was made available under the terms of version
+        1.1 or earlier of the License, but not also under the terms of a
+        Secondary License.
+
+1.6. “Executable Form�
+
+     means any form of the work other than Source Code Form.
+
+1.7. “Larger Work�
+
+     means a work that combines Covered Software with other material, in a separate
+     file or files, that is not Covered Software.
+
+1.8. “License�
+
+     means this document.
+
+1.9. “Licensable�
+
+     means having the right to grant, to the maximum extent possible, whether at the
+     time of the initial grant or subsequently, any and all of the rights conveyed by
+     this License.
+
+1.10. “Modifications�
+
+     means any of the following:
+
+     a. any file in Source Code Form that results from an addition to, deletion
+        from, or modification of the contents of Covered Software; or
+
+     b. any new file in Source Code Form that contains any Covered Software.
+
+1.11. “Patent Claims� of a Contributor
+
+      means any patent claim(s), including without limitation, method, process,
+      and apparatus claims, in any patent Licensable by such Contributor that
+      would be infringed, but for the grant of the License, by the making,
+      using, selling, offering for sale, having made, import, or transfer of
+      either its Contributions or its Contributor Version.
+
+1.12. “Secondary License�
+
+      means either the GNU General Public License, Version 2.0, the GNU Lesser
+      General Public License, Version 2.1, the GNU Affero General Public
+      License, Version 3.0, or any later versions of those licenses.
+
+1.13. “Source Code Form�
+
+      means the form of the work preferred for making modifications.
+
+1.14. “You� (or “Your�)
+
+      means an individual or a legal entity exercising rights under this
+      License. For legal entities, “You� includes any entity that controls, is
+      controlled by, or is under common control with You. For purposes of this
+      definition, “control� means (a) the power, direct or indirect, to cause
+      the direction or management of such entity, whether by contract or
+      otherwise, or (b) ownership of more than fifty percent (50%) of the
+      outstanding shares or beneficial ownership of such entity.
+
+
+2. License Grants and Conditions
+
+2.1. Grants
+
+     Each Contributor hereby grants You a world-wide, royalty-free,
+     non-exclusive license:
+
+     a. under intellectual property rights (other than patent or trademark)
+        Licensable by such Contributor to use, reproduce, make available,
+        modify, display, perform, distribute, and otherwise exploit its
+        Contributions, either on an unmodified basis, with Modifications, or as
+        part of a Larger Work; and
+
+     b. under Patent Claims of such Contributor to make, use, sell, offer for
+        sale, have made, import, and otherwise transfer either its Contributions
+        or its Contributor Version.
+
+2.2. Effective Date
+
+     The licenses granted in Section 2.1 with respect to any Contribution become
+     effective for each Contribution on the date the Contributor first distributes
+     such Contribution.
+
+2.3. Limitations on Grant Scope
+
+     The licenses granted in this Section 2 are the only rights granted under this
+     License. No additional rights or licenses will be implied from the distribution
+     or licensing of Covered Software under this License. Notwithstanding Section
+     2.1(b) above, no patent license is granted by a Contributor:
+
+     a. for any code that a Contributor has removed from Covered Software; or
+
+     b. for infringements caused by: (i) Your and any other third party’s
+        modifications of Covered Software, or (ii) the combination of its
+        Contributions with other software (except as part of its Contributor
+        Version); or
+
+     c. under Patent Claims infringed by Covered Software in the absence of its
+        Contributions.
+
+     This License does not grant any rights in the trademarks, service marks, or
+     logos of any Contributor (except as may be necessary to comply with the
+     notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+     No Contributor makes additional grants as a result of Your choice to
+     distribute the Covered Software under a subsequent version of this License
+     (see Section 10.2) or under the terms of a Secondary License (if permitted
+     under the terms of Section 3.3).
+
+2.5. Representation
+
+     Each Contributor represents that the Contributor believes its Contributions
+     are its original creation(s) or it has sufficient rights to grant the
+     rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+     This License is not intended to limit any rights You have under applicable
+     copyright doctrines of fair use, fair dealing, or other equivalents.
+
+2.7. Conditions
+
+     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+     Section 2.1.
+
+
+3. Responsibilities
+
+3.1. Distribution of Source Form
+
+     All distribution of Covered Software in Source Code Form, including any
+     Modifications that You create or to which You contribute, must be under the
+     terms of this License. You must inform recipients that the Source Code Form
+     of the Covered Software is governed by the terms of this License, and how
+     they can obtain a copy of this License. You may not attempt to alter or
+     restrict the recipients’ rights in the Source Code Form.
+
+3.2. Distribution of Executable Form
+
+     If You distribute Covered Software in Executable Form then:
+
+     a. such Covered Software must also be made available in Source Code Form,
+        as described in Section 3.1, and You must inform recipients of the
+        Executable Form how they can obtain a copy of such Source Code Form by
+        reasonable means in a timely manner, at a charge no more than the cost
+        of distribution to the recipient; and
+
+     b. You may distribute such Executable Form under the terms of this License,
+        or sublicense it under different terms, provided that the license for
+        the Executable Form does not attempt to limit or alter the recipients’
+        rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+     You may create and distribute a Larger Work under terms of Your choice,
+     provided that You also comply with the requirements of this License for the
+     Covered Software. If the Larger Work is a combination of Covered Software
+     with a work governed by one or more Secondary Licenses, and the Covered
+     Software is not Incompatible With Secondary Licenses, this License permits
+     You to additionally distribute such Covered Software under the terms of
+     such Secondary License(s), so that the recipient of the Larger Work may, at
+     their option, further distribute the Covered Software under the terms of
+     either this License or such Secondary License(s).
+
+3.4. Notices
+
+     You may not remove or alter the substance of any license notices (including
+     copyright notices, patent notices, disclaimers of warranty, or limitations
+     of liability) contained within the Source Code Form of the Covered
+     Software, except that You may alter any license notices to the extent
+     required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+     You may choose to offer, and to charge a fee for, warranty, support,
+     indemnity or liability obligations to one or more recipients of Covered
+     Software. However, You may do so only on Your own behalf, and not on behalf
+     of any Contributor. You must make it absolutely clear that any such
+     warranty, support, indemnity, or liability obligation is offered by You
+     alone, and You hereby agree to indemnify every Contributor for any
+     liability incurred by such Contributor as a result of warranty, support,
+     indemnity or liability terms You offer. You may include additional
+     disclaimers of warranty and limitations of liability specific to any
+     jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+
+   If it is impossible for You to comply with any of the terms of this License
+   with respect to some or all of the Covered Software due to statute, judicial
+   order, or regulation then You must: (a) comply with the terms of this License
+   to the maximum extent possible; and (b) describe the limitations and the code
+   they affect. Such description must be placed in a text file included with all
+   distributions of the Covered Software under this License. Except to the
+   extent prohibited by statute or regulation, such description must be
+   sufficiently detailed for a recipient of ordinary skill to be able to
+   understand it.
+
+5. Termination
+
+5.1. The rights granted under this License will terminate automatically if You
+     fail to comply with any of its terms. However, if You become compliant,
+     then the rights granted under this License from a particular Contributor
+     are reinstated (a) provisionally, unless and until such Contributor
+     explicitly and finally terminates Your grants, and (b) on an ongoing basis,
+     if such Contributor fails to notify You of the non-compliance by some
+     reasonable means prior to 60 days after You have come back into compliance.
+     Moreover, Your grants from a particular Contributor are reinstated on an
+     ongoing basis if such Contributor notifies You of the non-compliance by
+     some reasonable means, this is the first time You have received notice of
+     non-compliance with this License from such Contributor, and You become
+     compliant prior to 30 days after Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+     infringement claim (excluding declaratory judgment actions, counter-claims,
+     and cross-claims) alleging that a Contributor Version directly or
+     indirectly infringes any patent, then the rights granted to You by any and
+     all Contributors for the Covered Software under Section 2.1 of this License
+     shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
+     license agreements (excluding distributors and resellers) which have been
+     validly granted by You or Your distributors under this License prior to
+     termination shall survive termination.
+
+6. Disclaimer of Warranty
+
+   Covered Software is provided under this License on an “as is� basis, without
+   warranty of any kind, either expressed, implied, or statutory, including,
+   without limitation, warranties that the Covered Software is free of defects,
+   merchantable, fit for a particular purpose or non-infringing. The entire
+   risk as to the quality and performance of the Covered Software is with You.
+   Should any Covered Software prove defective in any respect, You (not any
+   Contributor) assume the cost of any necessary servicing, repair, or
+   correction. This disclaimer of warranty constitutes an essential part of this
+   License. No use of  any Covered Software is authorized under this License
+   except under this disclaimer.
+
+7. Limitation of Liability
+
+   Under no circumstances and under no legal theory, whether tort (including
+   negligence), contract, or otherwise, shall any Contributor, or anyone who
+   distributes Covered Software as permitted above, be liable to You for any
+   direct, indirect, special, incidental, or consequential damages of any
+   character including, without limitation, damages for lost profits, loss of
+   goodwill, work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses, even if such party shall have been
+   informed of the possibility of such damages. This limitation of liability
+   shall not apply to liability for death or personal injury resulting from such
+   party’s negligence to the extent applicable law prohibits such limitation.
+   Some jurisdictions do not allow the exclusion or limitation of incidental or
+   consequential damages, so this exclusion and limitation may not apply to You.
+
+8. Litigation
+
+   Any litigation relating to this License may be brought only in the courts of
+   a jurisdiction where the defendant maintains its principal place of business
+   and such litigation shall be governed by laws of that jurisdiction, without
+   reference to its conflict-of-law provisions. Nothing in this Section shall
+   prevent a party’s ability to bring cross-claims or counter-claims.
+
+9. Miscellaneous
+
+   This License represents the complete agreement concerning the subject matter
+   hereof. If any provision of this License is held to be unenforceable, such
+   provision shall be reformed only to the extent necessary to make it
+   enforceable. Any law or regulation which provides that the language of a
+   contract shall be construed against the drafter shall not be used to construe
+   this License against a Contributor.
+
+
+10. Versions of the License
+
+10.1. New Versions
+
+      Mozilla Foundation is the license steward. Except as provided in Section
+      10.3, no one other than the license steward has the right to modify or
+      publish new versions of this License. Each version will be given a
+      distinguishing version number.
+
+10.2. Effect of New Versions
+
+      You may distribute the Covered Software under the terms of the version of
+      the License under which You originally received the Covered Software, or
+      under the terms of any subsequent version published by the license
+      steward.
+
+10.3. Modified Versions
+
+      If you create software not governed by this License, and you want to
+      create a new license for such software, you may create and use a modified
+      version of this License if you rename the license and remove any
+      references to the name of the license steward (except to note that such
+      modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
+      If You choose to distribute Source Code Form that is Incompatible With
+      Secondary Licenses under the terms of this version of the License, the
+      notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+
+      This Source Code Form is subject to the
+      terms of the Mozilla Public License, v.
+      2.0. If a copy of the MPL was not
+      distributed with this file, You can
+      obtain one at
+      http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file, then
+You may include the notice in a location (such as a LICENSE file in a relevant
+directory) where a recipient would be likely to look for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - “Incompatible With Secondary Licenses� Notice
+
+      This Source Code Form is “Incompatible
+      With Secondary Licenses�, as defined by
+      the Mozilla Public License, v. 2.0.
+
diff --git a/vendor/github.com/hashicorp/errwrap/README.md b/vendor/github.com/hashicorp/errwrap/README.md
new file mode 100644
index 0000000000..444df08f8e
--- /dev/null
+++ b/vendor/github.com/hashicorp/errwrap/README.md
@@ -0,0 +1,89 @@
+# errwrap
+
+`errwrap` is a package for Go that formalizes the pattern of wrapping errors
+and checking if an error contains another error.
+
+There is a common pattern in Go of taking a returned `error` value and
+then wrapping it (such as with `fmt.Errorf`) before returning it. The problem
+with this pattern is that you completely lose the original `error` structure.
+
+Arguably the _correct_ approach is that you should make a custom structure
+implementing the `error` interface, and have the original error as a field
+on that structure, such [as this example](http://golang.org/pkg/os/#PathError).
+This is a good approach, but you have to know the entire chain of possible
+rewrapping that happens, when you might just care about one.
+
+`errwrap` formalizes this pattern (it doesn't matter what approach you use
+above) by giving a single interface for wrapping errors, checking if a specific
+error is wrapped, and extracting that error.
+
+## Installation and Docs
+
+Install using `go get github.com/hashicorp/errwrap`.
+
+Full documentation is available at
+http://godoc.org/github.com/hashicorp/errwrap
+
+## Usage
+
+#### Basic Usage
+
+Below is a very basic example of its usage:
+
+```go
+// A function that always returns an error, but wraps it, like a real
+// function might.
+func tryOpen() error {
+	_, err := os.Open("/i/dont/exist")
+	if err != nil {
+		return errwrap.Wrapf("Doesn't exist: {{err}}", err)
+	}
+
+	return nil
+}
+
+func main() {
+	err := tryOpen()
+
+	// We can use the Contains helpers to check if an error contains
+	// another error. It is safe to do this with a nil error, or with
+	// an error that doesn't even use the errwrap package.
+	if errwrap.Contains(err, "does not exist") {
+		// Do something
+	}
+	if errwrap.ContainsType(err, new(os.PathError)) {
+		// Do something
+	}
+
+	// Or we can use the associated `Get` functions to just extract
+	// a specific error. This would return nil if that specific error doesn't
+	// exist.
+	perr := errwrap.GetType(err, new(os.PathError))
+}
+```
+
+#### Custom Types
+
+If you're already making custom types that properly wrap errors, then
+you can get all the functionality of `errwraps.Contains` and such by
+implementing the `Wrapper` interface with just one function. Example:
+
+```go
+type AppError {
+  Code ErrorCode
+  Err  error
+}
+
+func (e *AppError) WrappedErrors() []error {
+  return []error{e.Err}
+}
+```
+
+Now this works:
+
+```go
+err := &AppError{Err: fmt.Errorf("an error")}
+if errwrap.ContainsType(err, fmt.Errorf("")) {
+	// This will work!
+}
+```
diff --git a/vendor/github.com/hashicorp/errwrap/errwrap.go b/vendor/github.com/hashicorp/errwrap/errwrap.go
new file mode 100644
index 0000000000..44e368e569
--- /dev/null
+++ b/vendor/github.com/hashicorp/errwrap/errwrap.go
@@ -0,0 +1,178 @@
+// Package errwrap implements methods to formalize error wrapping in Go.
+//
+// All of the top-level functions that take an `error` are built to be able
+// to take any error, not just wrapped errors. This allows you to use errwrap
+// without having to type-check and type-cast everywhere.
+package errwrap
+
+import (
+	"errors"
+	"reflect"
+	"strings"
+)
+
+// WalkFunc is the callback called for Walk.
+type WalkFunc func(error)
+
+// Wrapper is an interface that can be implemented by custom types to
+// have all the Contains, Get, etc. functions in errwrap work.
+//
+// When Walk reaches a Wrapper, it will call the callback for every
+// wrapped error in addition to the wrapper itself. Since all the top-level
+// functions in errwrap use Walk, this means that all those functions work
+// with your custom type.
+type Wrapper interface {
+	WrappedErrors() []error
+}
+
+// Wrap defines that outer wraps inner, returning an error type that
+// can be cleanly used with the other methods in this package, such as
+// Contains, GetAll, etc.
+//
+// This function won't modify the error message at all (the outer message
+// will be used).
+func Wrap(outer, inner error) error {
+	return &wrappedError{
+		Outer: outer,
+		Inner: inner,
+	}
+}
+
+// Wrapf wraps an error with a formatting message. This is similar to using
+// `fmt.Errorf` to wrap an error. If you're using `fmt.Errorf` to wrap
+// errors, you should replace it with this.
+//
+// format is the format of the error message. The string '{{err}}' will
+// be replaced with the original error message.
+//
+// Deprecated: Use fmt.Errorf()
+func Wrapf(format string, err error) error {
+	outerMsg := "<nil>"
+	if err != nil {
+		outerMsg = err.Error()
+	}
+
+	outer := errors.New(strings.Replace(
+		format, "{{err}}", outerMsg, -1))
+
+	return Wrap(outer, err)
+}
+
+// Contains checks if the given error contains an error with the
+// message msg. If err is not a wrapped error, this will always return
+// false unless the error itself happens to match this msg.
+func Contains(err error, msg string) bool {
+	return len(GetAll(err, msg)) > 0
+}
+
+// ContainsType checks if the given error contains an error with
+// the same concrete type as v. If err is not a wrapped error, this will
+// check the err itself.
+func ContainsType(err error, v interface{}) bool {
+	return len(GetAllType(err, v)) > 0
+}
+
+// Get is the same as GetAll but returns the deepest matching error.
+func Get(err error, msg string) error {
+	es := GetAll(err, msg)
+	if len(es) > 0 {
+		return es[len(es)-1]
+	}
+
+	return nil
+}
+
+// GetType is the same as GetAllType but returns the deepest matching error.
+func GetType(err error, v interface{}) error {
+	es := GetAllType(err, v)
+	if len(es) > 0 {
+		return es[len(es)-1]
+	}
+
+	return nil
+}
+
+// GetAll gets all the errors that might be wrapped in err with the
+// given message. The order of the errors is such that the outermost
+// matching error (the most recent wrap) is index zero, and so on.
+func GetAll(err error, msg string) []error {
+	var result []error
+
+	Walk(err, func(err error) {
+		if err.Error() == msg {
+			result = append(result, err)
+		}
+	})
+
+	return result
+}
+
+// GetAllType gets all the errors that are the same type as v.
+//
+// The order of the return value is the same as described in GetAll.
+func GetAllType(err error, v interface{}) []error {
+	var result []error
+
+	var search string
+	if v != nil {
+		search = reflect.TypeOf(v).String()
+	}
+	Walk(err, func(err error) {
+		var needle string
+		if err != nil {
+			needle = reflect.TypeOf(err).String()
+		}
+
+		if needle == search {
+			result = append(result, err)
+		}
+	})
+
+	return result
+}
+
+// Walk walks all the wrapped errors in err and calls the callback. If
+// err isn't a wrapped error, this will be called once for err. If err
+// is a wrapped error, the callback will be called for both the wrapper
+// that implements error as well as the wrapped error itself.
+func Walk(err error, cb WalkFunc) {
+	if err == nil {
+		return
+	}
+
+	switch e := err.(type) {
+	case *wrappedError:
+		cb(e.Outer)
+		Walk(e.Inner, cb)
+	case Wrapper:
+		cb(err)
+
+		for _, err := range e.WrappedErrors() {
+			Walk(err, cb)
+		}
+	case interface{ Unwrap() error }:
+		cb(err)
+		Walk(e.Unwrap(), cb)
+	default:
+		cb(err)
+	}
+}
+
+// wrappedError is an implementation of error that has both the
+// outer and inner errors.
+type wrappedError struct {
+	Outer error
+	Inner error
+}
+
+func (w *wrappedError) Error() string {
+	return w.Outer.Error()
+}
+
+func (w *wrappedError) WrappedErrors() []error {
+	return []error{w.Outer, w.Inner}
+}
+
+func (w *wrappedError) Unwrap() error {
+	return w.Inner
+}
diff --git a/vendor/github.com/hashicorp/go-multierror/LICENSE b/vendor/github.com/hashicorp/go-multierror/LICENSE
new file mode 100644
index 0000000000..82b4de97c7
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/LICENSE
@@ -0,0 +1,353 @@
+Mozilla Public License, version 2.0
+
+1. Definitions
+
+1.1. “Contributor�
+
+     means each individual or legal entity that creates, contributes to the
+     creation of, or owns Covered Software.
+
+1.2. “Contributor Version�
+
+     means the combination of the Contributions of others (if any) used by a
+     Contributor and that particular Contributor’s Contribution.
+
+1.3. “Contribution�
+
+     means Covered Software of a particular Contributor.
+
+1.4. “Covered Software�
+
+     means Source Code Form to which the initial Contributor has attached the
+     notice in Exhibit A, the Executable Form of such Source Code Form, and
+     Modifications of such Source Code Form, in each case including portions
+     thereof.
+
+1.5. “Incompatible With Secondary Licenses�
+     means
+
+     a. that the initial Contributor has attached the notice described in
+        Exhibit B to the Covered Software; or
+
+     b. that the Covered Software was made available under the terms of version
+        1.1 or earlier of the License, but not also under the terms of a
+        Secondary License.
+
+1.6. “Executable Form�
+
+     means any form of the work other than Source Code Form.
+
+1.7. “Larger Work�
+
+     means a work that combines Covered Software with other material, in a separate
+     file or files, that is not Covered Software.
+
+1.8. “License�
+
+     means this document.
+
+1.9. “Licensable�
+
+     means having the right to grant, to the maximum extent possible, whether at the
+     time of the initial grant or subsequently, any and all of the rights conveyed by
+     this License.
+
+1.10. “Modifications�
+
+     means any of the following:
+
+     a. any file in Source Code Form that results from an addition to, deletion
+        from, or modification of the contents of Covered Software; or
+
+     b. any new file in Source Code Form that contains any Covered Software.
+
+1.11. “Patent Claims� of a Contributor
+
+      means any patent claim(s), including without limitation, method, process,
+      and apparatus claims, in any patent Licensable by such Contributor that
+      would be infringed, but for the grant of the License, by the making,
+      using, selling, offering for sale, having made, import, or transfer of
+      either its Contributions or its Contributor Version.
+
+1.12. “Secondary License�
+
+      means either the GNU General Public License, Version 2.0, the GNU Lesser
+      General Public License, Version 2.1, the GNU Affero General Public
+      License, Version 3.0, or any later versions of those licenses.
+
+1.13. “Source Code Form�
+
+      means the form of the work preferred for making modifications.
+
+1.14. “You� (or “Your�)
+
+      means an individual or a legal entity exercising rights under this
+      License. For legal entities, “You� includes any entity that controls, is
+      controlled by, or is under common control with You. For purposes of this
+      definition, “control� means (a) the power, direct or indirect, to cause
+      the direction or management of such entity, whether by contract or
+      otherwise, or (b) ownership of more than fifty percent (50%) of the
+      outstanding shares or beneficial ownership of such entity.
+
+
+2. License Grants and Conditions
+
+2.1. Grants
+
+     Each Contributor hereby grants You a world-wide, royalty-free,
+     non-exclusive license:
+
+     a. under intellectual property rights (other than patent or trademark)
+        Licensable by such Contributor to use, reproduce, make available,
+        modify, display, perform, distribute, and otherwise exploit its
+        Contributions, either on an unmodified basis, with Modifications, or as
+        part of a Larger Work; and
+
+     b. under Patent Claims of such Contributor to make, use, sell, offer for
+        sale, have made, import, and otherwise transfer either its Contributions
+        or its Contributor Version.
+
+2.2. Effective Date
+
+     The licenses granted in Section 2.1 with respect to any Contribution become
+     effective for each Contribution on the date the Contributor first distributes
+     such Contribution.
+
+2.3. Limitations on Grant Scope
+
+     The licenses granted in this Section 2 are the only rights granted under this
+     License. No additional rights or licenses will be implied from the distribution
+     or licensing of Covered Software under this License. Notwithstanding Section
+     2.1(b) above, no patent license is granted by a Contributor:
+
+     a. for any code that a Contributor has removed from Covered Software; or
+
+     b. for infringements caused by: (i) Your and any other third party’s
+        modifications of Covered Software, or (ii) the combination of its
+        Contributions with other software (except as part of its Contributor
+        Version); or
+
+     c. under Patent Claims infringed by Covered Software in the absence of its
+        Contributions.
+
+     This License does not grant any rights in the trademarks, service marks, or
+     logos of any Contributor (except as may be necessary to comply with the
+     notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+     No Contributor makes additional grants as a result of Your choice to
+     distribute the Covered Software under a subsequent version of this License
+     (see Section 10.2) or under the terms of a Secondary License (if permitted
+     under the terms of Section 3.3).
+
+2.5. Representation
+
+     Each Contributor represents that the Contributor believes its Contributions
+     are its original creation(s) or it has sufficient rights to grant the
+     rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+     This License is not intended to limit any rights You have under applicable
+     copyright doctrines of fair use, fair dealing, or other equivalents.
+
+2.7. Conditions
+
+     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+     Section 2.1.
+
+
+3. Responsibilities
+
+3.1. Distribution of Source Form
+
+     All distribution of Covered Software in Source Code Form, including any
+     Modifications that You create or to which You contribute, must be under the
+     terms of this License. You must inform recipients that the Source Code Form
+     of the Covered Software is governed by the terms of this License, and how
+     they can obtain a copy of this License. You may not attempt to alter or
+     restrict the recipients’ rights in the Source Code Form.
+
+3.2. Distribution of Executable Form
+
+     If You distribute Covered Software in Executable Form then:
+
+     a. such Covered Software must also be made available in Source Code Form,
+        as described in Section 3.1, and You must inform recipients of the
+        Executable Form how they can obtain a copy of such Source Code Form by
+        reasonable means in a timely manner, at a charge no more than the cost
+        of distribution to the recipient; and
+
+     b. You may distribute such Executable Form under the terms of this License,
+        or sublicense it under different terms, provided that the license for
+        the Executable Form does not attempt to limit or alter the recipients’
+        rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+     You may create and distribute a Larger Work under terms of Your choice,
+     provided that You also comply with the requirements of this License for the
+     Covered Software. If the Larger Work is a combination of Covered Software
+     with a work governed by one or more Secondary Licenses, and the Covered
+     Software is not Incompatible With Secondary Licenses, this License permits
+     You to additionally distribute such Covered Software under the terms of
+     such Secondary License(s), so that the recipient of the Larger Work may, at
+     their option, further distribute the Covered Software under the terms of
+     either this License or such Secondary License(s).
+
+3.4. Notices
+
+     You may not remove or alter the substance of any license notices (including
+     copyright notices, patent notices, disclaimers of warranty, or limitations
+     of liability) contained within the Source Code Form of the Covered
+     Software, except that You may alter any license notices to the extent
+     required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+     You may choose to offer, and to charge a fee for, warranty, support,
+     indemnity or liability obligations to one or more recipients of Covered
+     Software. However, You may do so only on Your own behalf, and not on behalf
+     of any Contributor. You must make it absolutely clear that any such
+     warranty, support, indemnity, or liability obligation is offered by You
+     alone, and You hereby agree to indemnify every Contributor for any
+     liability incurred by such Contributor as a result of warranty, support,
+     indemnity or liability terms You offer. You may include additional
+     disclaimers of warranty and limitations of liability specific to any
+     jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+
+   If it is impossible for You to comply with any of the terms of this License
+   with respect to some or all of the Covered Software due to statute, judicial
+   order, or regulation then You must: (a) comply with the terms of this License
+   to the maximum extent possible; and (b) describe the limitations and the code
+   they affect. Such description must be placed in a text file included with all
+   distributions of the Covered Software under this License. Except to the
+   extent prohibited by statute or regulation, such description must be
+   sufficiently detailed for a recipient of ordinary skill to be able to
+   understand it.
+
+5. Termination
+
+5.1. The rights granted under this License will terminate automatically if You
+     fail to comply with any of its terms. However, if You become compliant,
+     then the rights granted under this License from a particular Contributor
+     are reinstated (a) provisionally, unless and until such Contributor
+     explicitly and finally terminates Your grants, and (b) on an ongoing basis,
+     if such Contributor fails to notify You of the non-compliance by some
+     reasonable means prior to 60 days after You have come back into compliance.
+     Moreover, Your grants from a particular Contributor are reinstated on an
+     ongoing basis if such Contributor notifies You of the non-compliance by
+     some reasonable means, this is the first time You have received notice of
+     non-compliance with this License from such Contributor, and You become
+     compliant prior to 30 days after Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+     infringement claim (excluding declaratory judgment actions, counter-claims,
+     and cross-claims) alleging that a Contributor Version directly or
+     indirectly infringes any patent, then the rights granted to You by any and
+     all Contributors for the Covered Software under Section 2.1 of this License
+     shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
+     license agreements (excluding distributors and resellers) which have been
+     validly granted by You or Your distributors under this License prior to
+     termination shall survive termination.
+
+6. Disclaimer of Warranty
+
+   Covered Software is provided under this License on an “as is� basis, without
+   warranty of any kind, either expressed, implied, or statutory, including,
+   without limitation, warranties that the Covered Software is free of defects,
+   merchantable, fit for a particular purpose or non-infringing. The entire
+   risk as to the quality and performance of the Covered Software is with You.
+   Should any Covered Software prove defective in any respect, You (not any
+   Contributor) assume the cost of any necessary servicing, repair, or
+   correction. This disclaimer of warranty constitutes an essential part of this
+   License. No use of  any Covered Software is authorized under this License
+   except under this disclaimer.
+
+7. Limitation of Liability
+
+   Under no circumstances and under no legal theory, whether tort (including
+   negligence), contract, or otherwise, shall any Contributor, or anyone who
+   distributes Covered Software as permitted above, be liable to You for any
+   direct, indirect, special, incidental, or consequential damages of any
+   character including, without limitation, damages for lost profits, loss of
+   goodwill, work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses, even if such party shall have been
+   informed of the possibility of such damages. This limitation of liability
+   shall not apply to liability for death or personal injury resulting from such
+   party’s negligence to the extent applicable law prohibits such limitation.
+   Some jurisdictions do not allow the exclusion or limitation of incidental or
+   consequential damages, so this exclusion and limitation may not apply to You.
+
+8. Litigation
+
+   Any litigation relating to this License may be brought only in the courts of
+   a jurisdiction where the defendant maintains its principal place of business
+   and such litigation shall be governed by laws of that jurisdiction, without
+   reference to its conflict-of-law provisions. Nothing in this Section shall
+   prevent a party’s ability to bring cross-claims or counter-claims.
+
+9. Miscellaneous
+
+   This License represents the complete agreement concerning the subject matter
+   hereof. If any provision of this License is held to be unenforceable, such
+   provision shall be reformed only to the extent necessary to make it
+   enforceable. Any law or regulation which provides that the language of a
+   contract shall be construed against the drafter shall not be used to construe
+   this License against a Contributor.
+
+
+10. Versions of the License
+
+10.1. New Versions
+
+      Mozilla Foundation is the license steward. Except as provided in Section
+      10.3, no one other than the license steward has the right to modify or
+      publish new versions of this License. Each version will be given a
+      distinguishing version number.
+
+10.2. Effect of New Versions
+
+      You may distribute the Covered Software under the terms of the version of
+      the License under which You originally received the Covered Software, or
+      under the terms of any subsequent version published by the license
+      steward.
+
+10.3. Modified Versions
+
+      If you create software not governed by this License, and you want to
+      create a new license for such software, you may create and use a modified
+      version of this License if you rename the license and remove any
+      references to the name of the license steward (except to note that such
+      modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
+      If You choose to distribute Source Code Form that is Incompatible With
+      Secondary Licenses under the terms of this version of the License, the
+      notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+
+      This Source Code Form is subject to the
+      terms of the Mozilla Public License, v.
+      2.0. If a copy of the MPL was not
+      distributed with this file, You can
+      obtain one at
+      http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file, then
+You may include the notice in a location (such as a LICENSE file in a relevant
+directory) where a recipient would be likely to look for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - “Incompatible With Secondary Licenses� Notice
+
+      This Source Code Form is “Incompatible
+      With Secondary Licenses�, as defined by
+      the Mozilla Public License, v. 2.0.
diff --git a/vendor/github.com/hashicorp/go-multierror/Makefile b/vendor/github.com/hashicorp/go-multierror/Makefile
new file mode 100644
index 0000000000..b97cd6ed02
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/Makefile
@@ -0,0 +1,31 @@
+TEST?=./...
+
+default: test
+
+# test runs the test suite and vets the code.
+test: generate
+	@echo "==> Running tests..."
+	@go list $(TEST) \
+		| grep -v "/vendor/" \
+		| xargs -n1 go test -timeout=60s -parallel=10 ${TESTARGS}
+
+# testrace runs the race checker
+testrace: generate
+	@echo "==> Running tests (race)..."
+	@go list $(TEST) \
+		| grep -v "/vendor/" \
+		| xargs -n1 go test -timeout=60s -race ${TESTARGS}
+
+# updatedeps installs all the dependencies needed to run and build.
+updatedeps:
+	@sh -c "'${CURDIR}/scripts/deps.sh' '${NAME}'"
+
+# generate runs `go generate` to build the dynamically generated source files.
+generate:
+	@echo "==> Generating..."
+	@find . -type f -name '.DS_Store' -delete
+	@go list ./... \
+		| grep -v "/vendor/" \
+		| xargs -n1 go generate
+
+.PHONY: default test testrace updatedeps generate
diff --git a/vendor/github.com/hashicorp/go-multierror/README.md b/vendor/github.com/hashicorp/go-multierror/README.md
new file mode 100644
index 0000000000..71dd308ed8
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/README.md
@@ -0,0 +1,150 @@
+# go-multierror
+
+[![CircleCI](https://img.shields.io/circleci/build/github/hashicorp/go-multierror/master)](https://circleci.com/gh/hashicorp/go-multierror)
+[![Go Reference](https://pkg.go.dev/badge/github.com/hashicorp/go-multierror.svg)](https://pkg.go.dev/github.com/hashicorp/go-multierror)
+![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/hashicorp/go-multierror)
+
+[circleci]: https://app.circleci.com/pipelines/github/hashicorp/go-multierror
+[godocs]: https://pkg.go.dev/github.com/hashicorp/go-multierror
+
+`go-multierror` is a package for Go that provides a mechanism for
+representing a list of `error` values as a single `error`.
+
+This allows a function in Go to return an `error` that might actually
+be a list of errors. If the caller knows this, they can unwrap the
+list and access the errors. If the caller doesn't know, the error
+formats to a nice human-readable format.
+
+`go-multierror` is fully compatible with the Go standard library
+[errors](https://golang.org/pkg/errors/) package, including the
+functions `As`, `Is`, and `Unwrap`. This provides a standardized approach
+for introspecting on error values.
+
+## Installation and Docs
+
+Install using `go get github.com/hashicorp/go-multierror`.
+
+Full documentation is available at
+https://pkg.go.dev/github.com/hashicorp/go-multierror
+
+### Requires go version 1.13 or newer
+
+`go-multierror` requires go version 1.13 or newer. Go 1.13 introduced
+[error wrapping](https://golang.org/doc/go1.13#error_wrapping), which
+this library takes advantage of.
+
+If you need to use an earlier version of go, you can use the
+[v1.0.0](https://github.com/hashicorp/go-multierror/tree/v1.0.0)
+tag, which doesn't rely on features in go 1.13.
+
+If you see compile errors that look like the below, it's likely that
+you're on an older version of go:
+
+```
+/go/src/github.com/hashicorp/go-multierror/multierror.go:112:9: undefined: errors.As
+/go/src/github.com/hashicorp/go-multierror/multierror.go:117:9: undefined: errors.Is
+```
+
+## Usage
+
+go-multierror is easy to use and purposely built to be unobtrusive in
+existing Go applications/libraries that may not be aware of it.
+
+**Building a list of errors**
+
+The `Append` function is used to create a list of errors. This function
+behaves a lot like the Go built-in `append` function: it doesn't matter
+if the first argument is nil, a `multierror.Error`, or any other `error`,
+the function behaves as you would expect.
+
+```go
+var result error
+
+if err := step1(); err != nil {
+	result = multierror.Append(result, err)
+}
+if err := step2(); err != nil {
+	result = multierror.Append(result, err)
+}
+
+return result
+```
+
+**Customizing the formatting of the errors**
+
+By specifying a custom `ErrorFormat`, you can customize the format
+of the `Error() string` function:
+
+```go
+var result *multierror.Error
+
+// ... accumulate errors here, maybe using Append
+
+if result != nil {
+	result.ErrorFormat = func([]error) string {
+		return "errors!"
+	}
+}
+```
+
+**Accessing the list of errors**
+
+`multierror.Error` implements `error` so if the caller doesn't know about
+multierror, it will work just fine. But if you're aware a multierror might
+be returned, you can use type switches to access the list of errors:
+
+```go
+if err := something(); err != nil {
+	if merr, ok := err.(*multierror.Error); ok {
+		// Use merr.Errors
+	}
+}
+```
+
+You can also use the standard [`errors.Unwrap`](https://golang.org/pkg/errors/#Unwrap)
+function. This will continue to unwrap into subsequent errors until none exist.
+
+**Extracting an error**
+
+The standard library [`errors.As`](https://golang.org/pkg/errors/#As)
+function can be used directly with a multierror to extract a specific error:
+
+```go
+// Assume err is a multierror value
+err := somefunc()
+
+// We want to know if "err" has a "RichErrorType" in it and extract it.
+var errRich RichErrorType
+if errors.As(err, &errRich) {
+	// It has it, and now errRich is populated.
+}
+```
+
+**Checking for an exact error value**
+
+Some errors are returned as exact errors such as the [`ErrNotExist`](https://golang.org/pkg/os/#pkg-variables)
+error in the `os` package. You can check if this error is present by using
+the standard [`errors.Is`](https://golang.org/pkg/errors/#Is) function.
+
+```go
+// Assume err is a multierror value
+err := somefunc()
+if errors.Is(err, os.ErrNotExist) {
+	// err contains os.ErrNotExist
+}
+```
+
+**Returning a multierror only if there are errors**
+
+If you build a `multierror.Error`, you can use the `ErrorOrNil` function
+to return an `error` implementation only if there are errors to return:
+
+```go
+var result *multierror.Error
+
+// ... accumulate errors here
+
+// Return the `error` only if errors were added to the multierror, otherwise
+// return nil since there are no errors.
+return result.ErrorOrNil()
+```
diff --git a/vendor/github.com/hashicorp/go-multierror/append.go b/vendor/github.com/hashicorp/go-multierror/append.go
new file mode 100644
index 0000000000..3e2589bfde
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/append.go
@@ -0,0 +1,43 @@
+package multierror
+
+// Append is a helper function that will append more errors
+// onto an Error in order to create a larger multi-error.
+//
+// If err is not a multierror.Error, then it will be turned into
+// one. If any of the errs are multierr.Error, they will be flattened
+// one level into err.
+// Any nil errors within errs will be ignored. If err is nil, a new
+// *Error will be returned.
+func Append(err error, errs ...error) *Error {
+	switch err := err.(type) {
+	case *Error:
+		// Typed nils can reach here, so initialize if we are nil
+		if err == nil {
+			err = new(Error)
+		}
+
+		// Go through each error and flatten
+		for _, e := range errs {
+			switch e := e.(type) {
+			case *Error:
+				if e != nil {
+					err.Errors = append(err.Errors, e.Errors...)
+				}
+			default:
+				if e != nil {
+					err.Errors = append(err.Errors, e)
+				}
+			}
+		}
+
+		return err
+	default:
+		newErrs := make([]error, 0, len(errs)+1)
+		if err != nil {
+			newErrs = append(newErrs, err)
+		}
+		newErrs = append(newErrs, errs...)
+
+		return Append(&Error{}, newErrs...)
+	}
+}
diff --git a/vendor/github.com/hashicorp/go-multierror/flatten.go b/vendor/github.com/hashicorp/go-multierror/flatten.go
new file mode 100644
index 0000000000..aab8e9abec
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/flatten.go
@@ -0,0 +1,26 @@
+package multierror
+
+// Flatten flattens the given error, merging any *Errors together into
+// a single *Error.
+func Flatten(err error) error {
+	// If it isn't an *Error, just return the error as-is
+	if _, ok := err.(*Error); !ok {
+		return err
+	}
+
+	// Otherwise, make the result and flatten away!
+	flatErr := new(Error)
+	flatten(err, flatErr)
+	return flatErr
+}
+
+func flatten(err error, flatErr *Error) {
+	switch err := err.(type) {
+	case *Error:
+		for _, e := range err.Errors {
+			flatten(e, flatErr)
+		}
+	default:
+		flatErr.Errors = append(flatErr.Errors, err)
+	}
+}
diff --git a/vendor/github.com/hashicorp/go-multierror/format.go b/vendor/github.com/hashicorp/go-multierror/format.go
new file mode 100644
index 0000000000..47f13c49a6
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/format.go
@@ -0,0 +1,27 @@
+package multierror
+
+import (
+	"fmt"
+	"strings"
+)
+
+// ErrorFormatFunc is a function callback that is called by Error to
+// turn the list of errors into a string.
+type ErrorFormatFunc func([]error) string
+
+// ListFormatFunc is a basic formatter that outputs the number of errors
+// that occurred along with a bullet point list of the errors.
+func ListFormatFunc(es []error) string {
+	if len(es) == 1 {
+		return fmt.Sprintf("1 error occurred:\n\t* %s\n\n", es[0])
+	}
+
+	points := make([]string, len(es))
+	for i, err := range es {
+		points[i] = fmt.Sprintf("* %s", err)
+	}
+
+	return fmt.Sprintf(
+		"%d errors occurred:\n\t%s\n\n",
+		len(es), strings.Join(points, "\n\t"))
+}
diff --git a/vendor/github.com/hashicorp/go-multierror/group.go b/vendor/github.com/hashicorp/go-multierror/group.go
new file mode 100644
index 0000000000..9c29efb7f8
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/group.go
@@ -0,0 +1,38 @@
+package multierror
+
+import "sync"
+
+// Group is a collection of goroutines which return errors that need to be
+// coalesced.
+type Group struct {
+	mutex sync.Mutex
+	err   *Error
+	wg    sync.WaitGroup
+}
+
+// Go calls the given function in a new goroutine.
+//
+// If the function returns an error it is added to the group multierror which
+// is returned by Wait.
+func (g *Group) Go(f func() error) {
+	g.wg.Add(1)
+
+	go func() {
+		defer g.wg.Done()
+
+		if err := f(); err != nil {
+			g.mutex.Lock()
+			g.err = Append(g.err, err)
+			g.mutex.Unlock()
+		}
+	}()
+}
+
+// Wait blocks until all function calls from the Go method have returned, then
+// returns the multierror.
+func (g *Group) Wait() *Error {
+	g.wg.Wait()
+	g.mutex.Lock()
+	defer g.mutex.Unlock()
+	return g.err
+}
diff --git a/vendor/github.com/hashicorp/go-multierror/multierror.go b/vendor/github.com/hashicorp/go-multierror/multierror.go
new file mode 100644
index 0000000000..f545743264
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/multierror.go
@@ -0,0 +1,121 @@
+package multierror
+
+import (
+	"errors"
+	"fmt"
+)
+
+// Error is an error type to track multiple errors. This is used to
+// accumulate errors in cases and return them as a single "error".
+type Error struct {
+	Errors      []error
+	ErrorFormat ErrorFormatFunc
+}
+
+func (e *Error) Error() string {
+	fn := e.ErrorFormat
+	if fn == nil {
+		fn = ListFormatFunc
+	}
+
+	return fn(e.Errors)
+}
+
+// ErrorOrNil returns an error interface if this Error represents
+// a list of errors, or returns nil if the list of errors is empty. This
+// function is useful at the end of accumulation to make sure that the value
+// returned represents the existence of errors.
+func (e *Error) ErrorOrNil() error {
+	if e == nil {
+		return nil
+	}
+	if len(e.Errors) == 0 {
+		return nil
+	}
+
+	return e
+}
+
+func (e *Error) GoString() string {
+	return fmt.Sprintf("*%#v", *e)
+}
+
+// WrappedErrors returns the list of errors that this Error is wrapping. It is
+// an implementation of the errwrap.Wrapper interface so that multierror.Error
+// can be used with that library.
+//
+// This method is not safe to be called concurrently. Unlike accessing the
+// Errors field directly, this function also checks if the multierror is nil to
+// prevent a null-pointer panic. It satisfies the errwrap.Wrapper interface.
+func (e *Error) WrappedErrors() []error {
+	if e == nil {
+		return nil
+	}
+	return e.Errors
+}
+
+// Unwrap returns an error from Error (or nil if there are no errors).
+// This error returned will further support Unwrap to get the next error,
+// etc. The order will match the order of Errors in the multierror.Error
+// at the time of calling.
+//
+// The resulting error supports errors.As/Is/Unwrap so you can continue
+// to use the stdlib errors package to introspect further.
+//
+// This will perform a shallow copy of the errors slice. Any errors appended
+// to this error after calling Unwrap will not be available until a new
+// Unwrap is called on the multierror.Error.
+func (e *Error) Unwrap() error {
+	// If we have no errors then we do nothing
+	if e == nil || len(e.Errors) == 0 {
+		return nil
+	}
+
+	// If we have exactly one error, we can just return that directly.
+	if len(e.Errors) == 1 {
+		return e.Errors[0]
+	}
+
+	// Shallow copy the slice
+	errs := make([]error, len(e.Errors))
+	copy(errs, e.Errors)
+	return chain(errs)
+}
+
+// chain implements the interfaces necessary for errors.Is/As/Unwrap to
+// work in a deterministic way with multierror. A chain tracks a list of
+// errors while accounting for the current represented error. This lets
+// Is/As be meaningful.
+//
+// Unwrap returns the next error. In the cleanest form, Unwrap would return
+// the wrapped error here but we can't do that if we want to properly
+// get access to all the errors. Instead, users are recommended to use
+// Is/As to get the correct error type out.
+//
+// Precondition: []error is non-empty (len > 0)
+type chain []error
+
+// Error implements the error interface
+func (e chain) Error() string {
+	return e[0].Error()
+}
+
+// Unwrap implements errors.Unwrap by returning the next error in the
+// chain or nil if there are no more errors.
+func (e chain) Unwrap() error {
+	if len(e) == 1 {
+		return nil
+	}
+
+	return e[1:]
+}
+
+// As implements errors.As by attempting to map to the current value.
+func (e chain) As(target interface{}) bool {
+	return errors.As(e[0], target)
+}
+
+// Is implements errors.Is by comparing the current value directly.
+func (e chain) Is(target error) bool {
+	return errors.Is(e[0], target)
+}
diff --git a/vendor/github.com/hashicorp/go-multierror/prefix.go b/vendor/github.com/hashicorp/go-multierror/prefix.go
new file mode 100644
index 0000000000..5c477abe44
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/prefix.go
@@ -0,0 +1,37 @@
+package multierror
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/errwrap"
+)
+
+// Prefix is a helper function that will prefix some text
+// to the given error. If the error is a multierror.Error, then
+// it will be prefixed to each wrapped error.
+//
+// This is useful to use when appending multiple multierrors
+// together in order to give better scoping.
+func Prefix(err error, prefix string) error {
+	if err == nil {
+		return nil
+	}
+
+	format := fmt.Sprintf("%s {{err}}", prefix)
+	switch err := err.(type) {
+	case *Error:
+		// Typed nils can reach here, so initialize if we are nil
+		if err == nil {
+			err = new(Error)
+		}
+
+		// Wrap each of the errors
+		for i, e := range err.Errors {
+			err.Errors[i] = errwrap.Wrapf(format, e)
+		}
+
+		return err
+	default:
+		return errwrap.Wrapf(format, err)
+	}
+}
diff --git a/vendor/github.com/hashicorp/go-multierror/sort.go b/vendor/github.com/hashicorp/go-multierror/sort.go
new file mode 100644
index 0000000000..fecb14e81c
--- /dev/null
+++ b/vendor/github.com/hashicorp/go-multierror/sort.go
@@ -0,0 +1,16 @@
+package multierror
+
+// Len implements sort.Interface function for length
+func (err Error) Len() int {
+	return len(err.Errors)
+}
+
+// Swap implements sort.Interface function for swapping elements
+func (err Error) Swap(i, j int) {
+	err.Errors[i], err.Errors[j] = err.Errors[j], err.Errors[i]
+}
+
+// Less implements sort.Interface function for determining order
+func (err Error) Less(i, j int) bool {
+	return err.Errors[i].Error() < err.Errors[j].Error()
+}
diff --git a/vendor/github.com/huandu/xstrings/.gitignore b/vendor/github.com/huandu/xstrings/.gitignore
new file mode 100644
index 0000000000..daf913b1b3
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/.gitignore
@@ -0,0 +1,24 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
diff --git a/vendor/github.com/huandu/xstrings/CONTRIBUTING.md b/vendor/github.com/huandu/xstrings/CONTRIBUTING.md
new file mode 100644
index 0000000000..d7b4b8d584
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/CONTRIBUTING.md
@@ -0,0 +1,23 @@
+# Contributing #
+
+Thanks for your contribution in advance. No matter what you will contribute to this project, pull request or bug report or feature discussion, it's always highly appreciated.
+
+## New API or feature ##
+
+I want to speak more about how to add new functions to this package.
+
+Package `xstring` is a collection of useful string functions which should be implemented in Go. It's a bit subject to say which function should be included and which should not. I set up following rules in order to make it clear and as objective as possible.
+
+* Rule 1: Only string algorithm, which takes string as input, can be included.
+* Rule 2: If a function has been implemented in package `string`, it must not be included.
+* Rule 3: If a function is not language neutral, it must not be included.
+* Rule 4: If a function is a part of standard library in other languages, it can be included.
+* Rule 5: If a function is quite useful in some famous framework or library, it can be included.
+
+New function must be discussed in project issues before submitting any code. If a pull request with new functions is sent without any ref issue, it will be rejected.
+
+## Pull request ##
+
+Pull request is always welcome. Just make sure you have run `go fmt` and all test cases passed before submit.
+
+If the pull request is to add a new API or feature, don't forget to update README.md and add new API in function list.
diff --git a/vendor/github.com/huandu/xstrings/LICENSE b/vendor/github.com/huandu/xstrings/LICENSE
new file mode 100644
index 0000000000..2701772593
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Huan Du
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
diff --git a/vendor/github.com/huandu/xstrings/README.md b/vendor/github.com/huandu/xstrings/README.md
new file mode 100644
index 0000000000..e809c79abc
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/README.md
@@ -0,0 +1,118 @@
+# xstrings
+
+[![Build Status](https://github.com/huandu/xstrings/workflows/Go/badge.svg)](https://github.com/huandu/xstrings/actions)
+[![Go Doc](https://godoc.org/github.com/huandu/xstrings?status.svg)](https://pkg.go.dev/github.com/huandu/xstrings)
+[![Go Report](https://goreportcard.com/badge/github.com/huandu/xstrings)](https://goreportcard.com/report/github.com/huandu/xstrings)
+[![Coverage Status](https://coveralls.io/repos/github/huandu/xstrings/badge.svg?branch=master)](https://coveralls.io/github/huandu/xstrings?branch=master)
+
+Go package [xstrings](https://godoc.org/github.com/huandu/xstrings) is a collection of string functions, which are widely used in other languages but absent in Go package [strings](http://golang.org/pkg/strings).
+
+All functions are well tested and carefully tuned for performance.
+
+## Propose a new function
+
+Please review [contributing guideline](CONTRIBUTING.md) and [create new issue](https://github.com/huandu/xstrings/issues) to state why it should be included.
+
+## Install
+
+Use `go get` to install this library.
+
+    go get github.com/huandu/xstrings
+
+## API document
+
+See [GoDoc](https://godoc.org/github.com/huandu/xstrings) for full document.
+
+## Function list
+
+Go functions have a unique naming style. One, who has experience in other language but new in Go, may have difficulties to find out right string function to use.
+
+Here is a list of functions in [strings](http://golang.org/pkg/strings) and [xstrings](https://godoc.org/github.com/huandu/xstrings) with enough extra information about how to map these functions to their friends in other languages. Hope this list could be helpful for fresh gophers.
+
+### Package `xstrings` functions
+
+_Keep this table sorted by Function in ascending order._
+
+| Function                                                                          | Friends                                                                         | #                                                   |
+| --------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------------------- |
+| [Center](https://godoc.org/github.com/huandu/xstrings#Center)                     | `str.center` in Python; `String#center` in Ruby                                 | [#30](https://github.com/huandu/xstrings/issues/30) |
+| [Count](https://godoc.org/github.com/huandu/xstrings#Count)                       | `String#count` in Ruby                                                          | [#16](https://github.com/huandu/xstrings/issues/16) |
+| [Delete](https://godoc.org/github.com/huandu/xstrings#Delete)                     | `String#delete` in Ruby                                                         | [#17](https://github.com/huandu/xstrings/issues/17) |
+| [ExpandTabs](https://godoc.org/github.com/huandu/xstrings#ExpandTabs)             | `str.expandtabs` in Python                                                      | [#27](https://github.com/huandu/xstrings/issues/27) |
+| [FirstRuneToLower](https://godoc.org/github.com/huandu/xstrings#FirstRuneToLower) | `lcfirst` in PHP or Perl                                                         | [#15](https://github.com/huandu/xstrings/issues/15) |
+| [FirstRuneToUpper](https://godoc.org/github.com/huandu/xstrings#FirstRuneToUpper) | `String#capitalize` in Ruby; `ucfirst` in PHP or Perl                            | [#15](https://github.com/huandu/xstrings/issues/15) |
+| [Insert](https://godoc.org/github.com/huandu/xstrings#Insert)                     | `String#insert` in Ruby                                                         | [#18](https://github.com/huandu/xstrings/issues/18) |
+| [LastPartition](https://godoc.org/github.com/huandu/xstrings#LastPartition)       | `str.rpartition` in Python; `String#rpartition` in Ruby                         | [#19](https://github.com/huandu/xstrings/issues/19) |
+| [LeftJustify](https://godoc.org/github.com/huandu/xstrings#LeftJustify)           | `str.ljust` in Python; `String#ljust` in Ruby                                   | [#28](https://github.com/huandu/xstrings/issues/28) |
+| [Len](https://godoc.org/github.com/huandu/xstrings#Len)                           | `mb_strlen` in PHP                                                              | [#23](https://github.com/huandu/xstrings/issues/23) |
+| [Partition](https://godoc.org/github.com/huandu/xstrings#Partition)               | `str.partition` in Python; `String#partition` in Ruby                           | [#10](https://github.com/huandu/xstrings/issues/10) |
+| [Reverse](https://godoc.org/github.com/huandu/xstrings#Reverse)                   | `String#reverse` in Ruby; `strrev` in PHP; `reverse` in Perl                    | [#7](https://github.com/huandu/xstrings/issues/7)   |
+| [RightJustify](https://godoc.org/github.com/huandu/xstrings#RightJustify)         | `str.rjust` in Python; `String#rjust` in Ruby                                   | [#29](https://github.com/huandu/xstrings/issues/29) |
+| [RuneWidth](https://godoc.org/github.com/huandu/xstrings#RuneWidth)               | -                                                                               | [#27](https://github.com/huandu/xstrings/issues/27) |
+| [Scrub](https://godoc.org/github.com/huandu/xstrings#Scrub)                       | `String#scrub` in Ruby                                                          | [#20](https://github.com/huandu/xstrings/issues/20) |
+| [Shuffle](https://godoc.org/github.com/huandu/xstrings#Shuffle)                     | `str_shuffle` in PHP                                                             | [#13](https://github.com/huandu/xstrings/issues/13) |
+| [ShuffleSource](https://godoc.org/github.com/huandu/xstrings#ShuffleSource)         | `str_shuffle` in PHP                                                             | [#13](https://github.com/huandu/xstrings/issues/13) |
+| [Slice](https://godoc.org/github.com/huandu/xstrings#Slice)                       | `mb_substr` in PHP                                                              | [#9](https://github.com/huandu/xstrings/issues/9)   |
+| [Squeeze](https://godoc.org/github.com/huandu/xstrings#Squeeze)                   | `String#squeeze` in Ruby                                                        | [#11](https://github.com/huandu/xstrings/issues/11) |
+| [Successor](https://godoc.org/github.com/huandu/xstrings#Successor)               | `String#succ` or `String#next` in Ruby                                          | [#22](https://github.com/huandu/xstrings/issues/22) |
+| [SwapCase](https://godoc.org/github.com/huandu/xstrings#SwapCase)                 | `str.swapcase` in Python; `String#swapcase` in Ruby                             | [#12](https://github.com/huandu/xstrings/issues/12) |
+| [ToCamelCase](https://godoc.org/github.com/huandu/xstrings#ToCamelCase)           | `String#camelize` in RoR                                                        | [#1](https://github.com/huandu/xstrings/issues/1)   |
+| [ToKebab](https://godoc.org/github.com/huandu/xstrings#ToKebabCase)               | -                                                                               | [#41](https://github.com/huandu/xstrings/issues/41) |
+| [ToPascalCase](https://godoc.org/github.com/huandu/xstrings#ToPascalCase)         | -                                                                               | [#1](https://github.com/huandu/xstrings/issues/1)   |
+| [ToSnakeCase](https://godoc.org/github.com/huandu/xstrings#ToSnakeCase)           | `String#underscore` in RoR                                                      | [#1](https://github.com/huandu/xstrings/issues/1)   |
+| [Translate](https://godoc.org/github.com/huandu/xstrings#Translate)               | `str.translate` in Python; `String#tr` in Ruby; `strtr` in PHP; `tr///` in Perl | [#21](https://github.com/huandu/xstrings/issues/21) |
+| [Width](https://godoc.org/github.com/huandu/xstrings#Width)                       | `mb_strwidth` in PHP                                                            | [#26](https://github.com/huandu/xstrings/issues/26) |
+| [WordCount](https://godoc.org/github.com/huandu/xstrings#WordCount)               | `str_word_count` in PHP                                                         | [#14](https://github.com/huandu/xstrings/issues/14) |
+| [WordSplit](https://godoc.org/github.com/huandu/xstrings#WordSplit)               | -                                                                               | [#14](https://github.com/huandu/xstrings/issues/14) |
+
+### Package `strings` functions
+
+_Keep this table sorted by Function in ascending order._
+
+| Function                                                        | Friends                                                                             |
+| --------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| [Contains](http://golang.org/pkg/strings/#Contains)             | `String#include?` in Ruby                                                           |
+| [ContainsAny](http://golang.org/pkg/strings/#ContainsAny)       | -                                                                                   |
+| [ContainsRune](http://golang.org/pkg/strings/#ContainsRune)     | -                                                                                   |
+| [Count](http://golang.org/pkg/strings/#Count)                   | `str.count` in Python; `substr_count` in PHP                                        |
+| [EqualFold](http://golang.org/pkg/strings/#EqualFold)           | `stricmp` in PHP; `String#casecmp` in Ruby                                          |
+| [Fields](http://golang.org/pkg/strings/#Fields)                 | `str.split` in Python; `split` in Perl; `String#split` in Ruby                      |
+| [FieldsFunc](http://golang.org/pkg/strings/#FieldsFunc)         | -                                                                                   |
+| [HasPrefix](http://golang.org/pkg/strings/#HasPrefix)           | `str.startswith` in Python; `String#start_with?` in Ruby                            |
+| [HasSuffix](http://golang.org/pkg/strings/#HasSuffix)           | `str.endswith` in Python; `String#end_with?` in Ruby                                |
+| [Index](http://golang.org/pkg/strings/#Index)                   | `str.index` in Python; `String#index` in Ruby; `strpos` in PHP; `index` in Perl     |
+| [IndexAny](http://golang.org/pkg/strings/#IndexAny)             | -                                                                                   |
+| [IndexByte](http://golang.org/pkg/strings/#IndexByte)           | -                                                                                   |
+| [IndexFunc](http://golang.org/pkg/strings/#IndexFunc)           | -                                                                                   |
+| [IndexRune](http://golang.org/pkg/strings/#IndexRune)           | -                                                                                   |
+| [Join](http://golang.org/pkg/strings/#Join)                     | `str.join` in Python; `Array#join` in Ruby; `implode` in PHP; `join` in Perl        |
+| [LastIndex](http://golang.org/pkg/strings/#LastIndex)           | `str.rindex` in Python; `String#rindex`; `strrpos` in PHP; `rindex` in Perl         |
+| [LastIndexAny](http://golang.org/pkg/strings/#LastIndexAny)     | -                                                                                   |
+| [LastIndexFunc](http://golang.org/pkg/strings/#LastIndexFunc)   | -                                                                                   |
+| [Map](http://golang.org/pkg/strings/#Map)                       | `String#each_codepoint` in Ruby                                                     |
+| [Repeat](http://golang.org/pkg/strings/#Repeat)                 | operator `*` in Python and Ruby; `str_repeat` in PHP                                |
+| [Replace](http://golang.org/pkg/strings/#Replace)               | `str.replace` in Python; `String#sub` in Ruby; `str_replace` in PHP                 |
+| [Split](http://golang.org/pkg/strings/#Split)                   | `str.split` in Python; `String#split` in Ruby; `explode` in PHP; `split` in Perl    |
+| [SplitAfter](http://golang.org/pkg/strings/#SplitAfter)         | -                                                                                   |
+| [SplitAfterN](http://golang.org/pkg/strings/#SplitAfterN)       | -                                                                                   |
+| [SplitN](http://golang.org/pkg/strings/#SplitN)                 | `str.split` in Python; `String#split` in Ruby; `explode` in PHP; `split` in Perl    |
+| [Title](http://golang.org/pkg/strings/#Title)                   | `str.title` in Python                                                               |
+| [ToLower](http://golang.org/pkg/strings/#ToLower)               | `str.lower` in Python; `String#downcase` in Ruby; `strtolower` in PHP; `lc` in Perl |
+| [ToLowerSpecial](http://golang.org/pkg/strings/#ToLowerSpecial) | -                                                                                   |
+| [ToTitle](http://golang.org/pkg/strings/#ToTitle)               | -                                                                                   |
+| [ToTitleSpecial](http://golang.org/pkg/strings/#ToTitleSpecial) | -                                                                                   |
+| [ToUpper](http://golang.org/pkg/strings/#ToUpper)               | `str.upper` in Python; `String#upcase` in Ruby; `strtoupper` in PHP; `uc` in Perl   |
+| [ToUpperSpecial](http://golang.org/pkg/strings/#ToUpperSpecial) | -                                                                                   |
+| [Trim](http://golang.org/pkg/strings/#Trim)                     | `str.strip` in Python; `String#strip` in Ruby; `trim` in PHP                        |
+| [TrimFunc](http://golang.org/pkg/strings/#TrimFunc)             | -                                                                                   |
+| [TrimLeft](http://golang.org/pkg/strings/#TrimLeft)             | `str.lstrip` in Python; `String#lstrip` in Ruby; `ltrim` in PHP                     |
+| [TrimLeftFunc](http://golang.org/pkg/strings/#TrimLeftFunc)     | -                                                                                   |
+| [TrimPrefix](http://golang.org/pkg/strings/#TrimPrefix)         | -                                                                                   |
+| [TrimRight](http://golang.org/pkg/strings/#TrimRight)           | `str.rstrip` in Python; `String#rstrip` in Ruby; `rtrim` in PHP                     |
+| [TrimRightFunc](http://golang.org/pkg/strings/#TrimRightFunc)   | -                                                                                   |
+| [TrimSpace](http://golang.org/pkg/strings/#TrimSpace)           | `str.strip` in Python; `String#strip` in Ruby; `trim` in PHP                        |
+| [TrimSuffix](http://golang.org/pkg/strings/#TrimSuffix)         | `String#chomp` in Ruby; `chomp` in Perl                                             |
+
+## License
+
+This library is licensed under MIT license. See LICENSE for details.
diff --git a/vendor/github.com/huandu/xstrings/common.go b/vendor/github.com/huandu/xstrings/common.go
new file mode 100644
index 0000000000..f427cc84e2
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/common.go
@@ -0,0 +1,21 @@
+// Copyright 2015 Huan Du. All rights reserved.
+// Licensed under the MIT license that can be found in the LICENSE file.
+
+package xstrings
+
+const bufferMaxInitGrowSize = 2048
+
+// Lazy initialize a buffer.
+func allocBuffer(orig, cur string) *stringBuilder {
+	output := &stringBuilder{}
+	maxSize := len(orig) * 4
+
+	// Avoid to reserve too much memory at once.
+	if maxSize > bufferMaxInitGrowSize {
+		maxSize = bufferMaxInitGrowSize
+	}
+
+	output.Grow(maxSize)
+	output.WriteString(orig[:len(orig)-len(cur)])
+	return output
+}
diff --git a/vendor/github.com/huandu/xstrings/convert.go b/vendor/github.com/huandu/xstrings/convert.go
new file mode 100644
index 0000000000..5d8cfee470
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/convert.go
@@ -0,0 +1,633 @@
+// Copyright 2015 Huan Du. All rights reserved.
+// Licensed under the MIT license that can be found in the LICENSE file.
+
+package xstrings
+
+import (
+	"math/rand"
+	"unicode"
+	"unicode/utf8"
+)
+
+// ToCamelCase is to convert words separated by space, underscore and hyphen to camel case.
+//
+// Some samples.
+//
+//	"some_words"      => "someWords"
+//	"http_server"     => "httpServer"
+//	"no_https"        => "noHttps"
+//	"_complex__case_" => "_complex_Case_"
+//	"some words"      => "someWords"
+//	"GOLANG_IS_GREAT" => "golangIsGreat"
+func ToCamelCase(str string) string {
+	return toCamelCase(str, false)
+}
+
+// ToPascalCase is to convert words separated by space, underscore and hyphen to pascal case.
+//
+// Some samples.
+//
+//	"some_words"      => "SomeWords"
+//	"http_server"     => "HttpServer"
+//	"no_https"        => "NoHttps"
+//	"_complex__case_" => "_Complex_Case_"
+//	"some words"      => "SomeWords"
+//	"GOLANG_IS_GREAT" => "GolangIsGreat"
+func ToPascalCase(str string) string {
+	return toCamelCase(str, true)
+}
+
+func toCamelCase(str string, isBig bool) string {
+	if len(str) == 0 {
+		return ""
+	}
+
+	buf := &stringBuilder{}
+	var isFirstRuneUpper bool
+	var r0, r1 rune
+	var size int
+
+	// leading connector will appear in output.
+	for len(str) > 0 {
+		r0, size = utf8.DecodeRuneInString(str)
+		str = str[size:]
+
+		if !isConnector(r0) {
+			isFirstRuneUpper = unicode.IsUpper(r0)
+
+			if isBig {
+				r0 = unicode.ToUpper(r0)
+			} else {
+				r0 = unicode.ToLower(r0)
+			}
+
+			break
+		}
+
+		buf.WriteRune(r0)
+	}
+
+	if len(str) == 0 {
+		// A special case for a string contains only 1 rune.
+		if size != 0 {
+			buf.WriteRune(r0)
+		}
+
+		return buf.String()
+	}
+
+	for len(str) > 0 {
+		r1 = r0
+		r0, size = utf8.DecodeRuneInString(str)
+		str = str[size:]
+
+		if isConnector(r0) && isConnector(r1) {
+			buf.WriteRune(r1)
+			continue
+		}
+
+		if isConnector(r1) {
+			isFirstRuneUpper = unicode.IsUpper(r0)
+			r0 = unicode.ToUpper(r0)
+		} else {
+			if isFirstRuneUpper {
+				if unicode.IsUpper(r0) {
+					r0 = unicode.ToLower(r0)
+				} else {
+					isFirstRuneUpper = false
+				}
+			}
+
+			buf.WriteRune(r1)
+		}
+	}
+
+	if isFirstRuneUpper && !isBig {
+		r0 = unicode.ToLower(r0)
+	}
+
+	buf.WriteRune(r0)
+	return buf.String()
+}
+
+// ToSnakeCase can convert all upper case characters in a string to
+// snake case format.
+//
+// Some samples.
+//
+//	"FirstName"    => "first_name"
+//	"HTTPServer"   => "http_server"
+//	"NoHTTPS"      => "no_https"
+//	"GO_PATH"      => "go_path"
+//	"GO PATH"      => "go_path"  // space is converted to underscore.
+//	"GO-PATH"      => "go_path"  // hyphen is converted to underscore.
+//	"http2xx"      => "http_2xx" // insert an underscore before a number and after an alphabet.
+//	"HTTP20xOK"    => "http_20x_ok"
+//	"Duration2m3s" => "duration_2m3s"
+//	"Bld4Floor3rd" => "bld4_floor_3rd"
+func ToSnakeCase(str string) string {
+	return camelCaseToLowerCase(str, '_')
+}
+
+// ToKebabCase can convert all upper case characters in a string to
+// kebab case format.
+//
+// Some samples.
+//
+//	"FirstName"    => "first-name"
+//	"HTTPServer"   => "http-server"
+//	"NoHTTPS"      => "no-https"
+//	"GO_PATH"      => "go-path"
+//	"GO PATH"      => "go-path"  // space is converted to '-'.
+//	"GO-PATH"      => "go-path"  // hyphen is converted to '-'.
+//	"http2xx"      => "http-2xx" // insert an underscore before a number and after an alphabet.
+//	"HTTP20xOK"    => "http-20x-ok"
+//	"Duration2m3s" => "duration-2m3s"
+//	"Bld4Floor3rd" => "bld4-floor-3rd"
+func ToKebabCase(str string) string {
+	return camelCaseToLowerCase(str, '-')
+}
+
+func camelCaseToLowerCase(str string, connector rune) string {
+	if len(str) == 0 {
+		return ""
+	}
+
+	buf := &stringBuilder{}
+	wt, word, remaining := nextWord(str)
+
+	for len(remaining) > 0 {
+		if wt != connectorWord {
+			toLower(buf, wt, word, connector)
+		}
+
+		prev := wt
+		last := word
+		wt, word, remaining = nextWord(remaining)
+
+		switch prev {
+		case numberWord:
+			for wt == alphabetWord || wt == numberWord {
+				toLower(buf, wt, word, connector)
+				wt, word, remaining = nextWord(remaining)
+			}
+
+			if wt != invalidWord && wt != punctWord && wt != connectorWord {
+				buf.WriteRune(connector)
+			}
+
+		case connectorWord:
+			toLower(buf, prev, last, connector)
+
+		case punctWord:
+			// nothing.
+
+		default:
+			if wt != numberWord {
+				if wt != connectorWord && wt != punctWord {
+					buf.WriteRune(connector)
+				}
+
+				break
+			}
+
+			if len(remaining) == 0 {
+				break
+			}
+
+			last := word
+			wt, word, remaining = nextWord(remaining)
+
+			// consider number as a part of previous word.
+			// e.g. "Bld4Floor" => "bld4_floor"
+			if wt != alphabetWord {
+				toLower(buf, numberWord, last, connector)
+
+				if wt != connectorWord && wt != punctWord {
+					buf.WriteRune(connector)
+				}
+
+				break
+			}
+
+			// if there are some lower case letters following a number,
+			// add connector before the number.
+			// e.g. "HTTP2xx" => "http_2xx"
+			buf.WriteRune(connector)
+			toLower(buf, numberWord, last, connector)
+
+			for wt == alphabetWord || wt == numberWord {
+				toLower(buf, wt, word, connector)
+				wt, word, remaining = nextWord(remaining)
+			}
+
+			if wt != invalidWord && wt != connectorWord && wt != punctWord {
+				buf.WriteRune(connector)
+			}
+		}
+	}
+
+	toLower(buf, wt, word, connector)
+	return buf.String()
+}
+
+func isConnector(r rune) bool {
+	return r == '-' || r == '_' || unicode.IsSpace(r)
+}
+
+type wordType int
+
+const (
+	invalidWord wordType = iota
+	numberWord
+	upperCaseWord
+	alphabetWord
+	connectorWord
+	punctWord
+	otherWord
+)
+
+func nextWord(str string) (wt wordType, word, remaining string) {
+	if len(str) == 0 {
+		return
+	}
+
+	var offset int
+	remaining = str
+	r, size := nextValidRune(remaining, utf8.RuneError)
+	offset += size
+
+	if r == utf8.RuneError {
+		wt = invalidWord
+		word = str[:offset]
+		remaining = str[offset:]
+		return
+	}
+
+	switch {
+	case isConnector(r):
+		wt = connectorWord
+		remaining = remaining[size:]
+
+		for len(remaining) > 0 {
+			r, size = nextValidRune(remaining, r)
+
+			if !isConnector(r) {
+				break
+			}
+
+			offset += size
+			remaining = remaining[size:]
+		}
+
+	case unicode.IsPunct(r):
+		wt = punctWord
+		remaining = remaining[size:]
+
+		for len(remaining) > 0 {
+			r, size = nextValidRune(remaining, r)
+
+			if !unicode.IsPunct(r) {
+				break
+			}
+
+			offset += size
+			remaining = remaining[size:]
+		}
+
+	case unicode.IsUpper(r):
+		wt = upperCaseWord
+		remaining = remaining[size:]
+
+		if len(remaining) == 0 {
+			break
+		}
+
+		r, size = nextValidRune(remaining, r)
+
+		switch {
+		case unicode.IsUpper(r):
+			prevSize := size
+			offset += size
+			remaining = remaining[size:]
+
+			for len(remaining) > 0 {
+				r, size = nextValidRune(remaining, r)
+
+				if !unicode.IsUpper(r) {
+					break
+				}
+
+				prevSize = size
+				offset += size
+				remaining = remaining[size:]
+			}
+
+			// it's a bit complex when dealing with a case like "HTTPStatus".
+			// it's expected to be splitted into "HTTP" and "Status".
+			// Therefore "S" should be in remaining instead of word.
+			if len(remaining) > 0 && isAlphabet(r) {
+				offset -= prevSize
+				remaining = str[offset:]
+			}
+
+		case isAlphabet(r):
+			offset += size
+			remaining = remaining[size:]
+
+			for len(remaining) > 0 {
+				r, size = nextValidRune(remaining, r)
+
+				if !isAlphabet(r) || unicode.IsUpper(r) {
+					break
+				}
+
+				offset += size
+				remaining = remaining[size:]
+			}
+		}
+
+	case isAlphabet(r):
+		wt = alphabetWord
+		remaining = remaining[size:]
+
+		for len(remaining) > 0 {
+			r, size = nextValidRune(remaining, r)
+
+			if !isAlphabet(r) || unicode.IsUpper(r) {
+				break
+			}
+
+			offset += size
+			remaining = remaining[size:]
+		}
+
+	case unicode.IsNumber(r):
+		wt = numberWord
+		remaining = remaining[size:]
+
+		for len(remaining) > 0 {
+			r, size = nextValidRune(remaining, r)
+
+			if !unicode.IsNumber(r) {
+				break
+			}
+
+			offset += size
+			remaining = remaining[size:]
+		}
+
+	default:
+		wt = otherWord
+		remaining = remaining[size:]
+
+		for len(remaining) > 0 {
+			r, size = nextValidRune(remaining, r)
+
+			if size == 0 || isConnector(r) || isAlphabet(r) || unicode.IsNumber(r) || unicode.IsPunct(r) {
+				break
+			}
+
+			offset += size
+			remaining = remaining[size:]
+		}
+	}
+
+	word = str[:offset]
+	return
+}
+
+func nextValidRune(str string, prev rune) (r rune, size int) {
+	var sz int
+
+	for len(str) > 0 {
+		r, sz = utf8.DecodeRuneInString(str)
+		size += sz
+
+		if r != utf8.RuneError {
+			return
+		}
+
+		str = str[sz:]
+	}
+
+	r = prev
+	return
+}
+
+func toLower(buf *stringBuilder, wt wordType, str string, connector rune) {
+	buf.Grow(buf.Len() + len(str))
+
+	if wt != upperCaseWord && wt != connectorWord {
+		buf.WriteString(str)
+		return
+	}
+
+	for len(str) > 0 {
+		r, size := utf8.DecodeRuneInString(str)
+		str = str[size:]
+
+		if isConnector(r) {
+			buf.WriteRune(connector)
+		} else if unicode.IsUpper(r) {
+			buf.WriteRune(unicode.ToLower(r))
+		} else {
+			buf.WriteRune(r)
+		}
+	}
+}
+
+// SwapCase will swap characters case from upper to lower or lower to upper.
+func SwapCase(str string) string {
+	var r rune
+	var size int
+
+	buf := &stringBuilder{}
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+
+		switch {
+		case unicode.IsUpper(r):
+			buf.WriteRune(unicode.ToLower(r))
+
+		case unicode.IsLower(r):
+			buf.WriteRune(unicode.ToUpper(r))
+
+		default:
+			buf.WriteRune(r)
+		}
+
+		str = str[size:]
+	}
+
+	return buf.String()
+}
+
+// FirstRuneToUpper converts first rune to upper case if necessary.
+func FirstRuneToUpper(str string) string {
+	if str == "" {
+		return str
+	}
+
+	r, size := utf8.DecodeRuneInString(str)
+
+	if !unicode.IsLower(r) {
+		return str
+	}
+
+	buf := &stringBuilder{}
+	buf.WriteRune(unicode.ToUpper(r))
+	buf.WriteString(str[size:])
+	return buf.String()
+}
+
+// FirstRuneToLower converts first rune to lower case if necessary.
+func FirstRuneToLower(str string) string {
+	if str == "" {
+		return str
+	}
+
+	r, size := utf8.DecodeRuneInString(str)
+
+	if !unicode.IsUpper(r) {
+		return str
+	}
+
+	buf := &stringBuilder{}
+	buf.WriteRune(unicode.ToLower(r))
+	buf.WriteString(str[size:])
+	return buf.String()
+}
+
+// Shuffle randomizes runes in a string and returns the result.
+// It uses default random source in `math/rand`.
+func Shuffle(str string) string {
+	if str == "" {
+		return str
+	}
+
+	runes := []rune(str)
+	index := 0
+
+	for i := len(runes) - 1; i > 0; i-- {
+		index = rand.Intn(i + 1)
+
+		if i != index {
+			runes[i], runes[index] = runes[index], runes[i]
+		}
+	}
+
+	return string(runes)
+}
+
+// ShuffleSource randomizes runes in a string with given random source.
+func ShuffleSource(str string, src rand.Source) string {
+	if str == "" {
+		return str
+	}
+
+	runes := []rune(str)
+	index := 0
+	r := rand.New(src)
+
+	for i := len(runes) - 1; i > 0; i-- {
+		index = r.Intn(i + 1)
+
+		if i != index {
+			runes[i], runes[index] = runes[index], runes[i]
+		}
+	}
+
+	return string(runes)
+}
+
+// Successor returns the successor to string.
+//
+// If there is one alphanumeric rune is found in string, increase the rune by 1.
+// If increment generates a "carry", the rune to the left of it is incremented.
+// This process repeats until there is no carry, adding an additional rune if necessary.
+//
+// If there is no alphanumeric rune, the rightmost rune will be increased by 1
+// regardless whether the result is a valid rune or not.
+//
+// Only following characters are alphanumeric.
+//   - a - z
+//   - A - Z
+//   - 0 - 9
+//
+// Samples (borrowed from ruby's String#succ document):
+//
+//	"abcd"      => "abce"
+//	"THX1138"   => "THX1139"
+//	"<<koala>>" => "<<koalb>>"
+//	"1999zzz"   => "2000aaa"
+//	"ZZZ9999"   => "AAAA0000"
+//	"***"       => "**+"
+func Successor(str string) string {
+	if str == "" {
+		return str
+	}
+
+	var r rune
+	var i int
+	carry := ' '
+	runes := []rune(str)
+	l := len(runes)
+	lastAlphanumeric := l
+
+	for i = l - 1; i >= 0; i-- {
+		r = runes[i]
+
+		if ('a' <= r && r <= 'y') ||
+			('A' <= r && r <= 'Y') ||
+			('0' <= r && r <= '8') {
+			runes[i]++
+			carry = ' '
+			lastAlphanumeric = i
+			break
+		}
+
+		switch r {
+		case 'z':
+			runes[i] = 'a'
+			carry = 'a'
+			lastAlphanumeric = i
+
+		case 'Z':
+			runes[i] = 'A'
+			carry = 'A'
+			lastAlphanumeric = i
+
+		case '9':
+			runes[i] = '0'
+			carry = '0'
+			lastAlphanumeric = i
+		}
+	}
+
+	// Needs to add one character for carry.
+	if i < 0 && carry != ' ' {
+		buf := &stringBuilder{}
+		buf.Grow(l + 4) // Reserve enough space for write.
+
+		if lastAlphanumeric != 0 {
+			buf.WriteString(str[:lastAlphanumeric])
+		}
+
+		buf.WriteRune(carry)
+
+		for _, r = range runes[lastAlphanumeric:] {
+			buf.WriteRune(r)
+		}
+
+		return buf.String()
+	}
+
+	// No alphanumeric character. Simply increase last rune's value.
+	if lastAlphanumeric == l {
+		runes[l-1]++
+	}
+
+	return string(runes)
+}
diff --git a/vendor/github.com/huandu/xstrings/count.go b/vendor/github.com/huandu/xstrings/count.go
new file mode 100644
index 0000000000..f96e38703a
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/count.go
@@ -0,0 +1,120 @@
+// Copyright 2015 Huan Du. All rights reserved.
+// Licensed under the MIT license that can be found in the LICENSE file.
+
+package xstrings
+
+import (
+	"unicode"
+	"unicode/utf8"
+)
+
+// Len returns str's utf8 rune length.
+func Len(str string) int {
+	return utf8.RuneCountInString(str)
+}
+
+// WordCount returns number of words in a string.
+//
+// Word is defined as a locale dependent string containing alphabetic characters,
+// which may also contain but not start with `'` and `-` characters.
+func WordCount(str string) int {
+	var r rune
+	var size, n int
+
+	inWord := false
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+
+		switch {
+		case isAlphabet(r):
+			if !inWord {
+				inWord = true
+				n++
+			}
+
+		case inWord && (r == '\'' || r == '-'):
+			// Still in word.
+
+		default:
+			inWord = false
+		}
+
+		str = str[size:]
+	}
+
+	return n
+}
+
+const minCJKCharacter = '\u3400'
+
+// Checks r is a letter but not CJK character.
+func isAlphabet(r rune) bool {
+	if !unicode.IsLetter(r) {
+		return false
+	}
+
+	switch {
+	// Quick check for non-CJK character.
+	case r < minCJKCharacter:
+		return true
+
+	// Common CJK characters.
+	case r >= '\u4E00' && r <= '\u9FCC':
+		return false
+
+	// Rare CJK characters.
+	case r >= '\u3400' && r <= '\u4D85':
+		return false
+
+	// Rare and historic CJK characters.
+	case r >= '\U00020000' && r <= '\U0002B81D':
+		return false
+	}
+
+	return true
+}
+
+// Width returns string width in monotype font.
+// Multi-byte characters are usually twice the width of single byte characters.
+//
+// Algorithm comes from `mb_strwidth` in PHP.
+// http://php.net/manual/en/function.mb-strwidth.php
+func Width(str string) int {
+	var r rune
+	var size, n int
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+		n += RuneWidth(r)
+		str = str[size:]
+	}
+
+	return n
+}
+
+// RuneWidth returns character width in monotype font.
+// Multi-byte characters are usually twice the width of single byte characters.
+//
+// Algorithm comes from `mb_strwidth` in PHP.
+// http://php.net/manual/en/function.mb-strwidth.php
+func RuneWidth(r rune) int {
+	switch {
+	case r == utf8.RuneError || r < '\x20':
+		return 0
+
+	case '\x20' <= r && r < '\u2000':
+		return 1
+
+	case '\u2000' <= r && r < '\uFF61':
+		return 2
+
+	case '\uFF61' <= r && r < '\uFFA0':
+		return 1
+
+	case '\uFFA0' <= r:
+		return 2
+	}
+
+	return 0
+}
diff --git a/vendor/github.com/huandu/xstrings/doc.go b/vendor/github.com/huandu/xstrings/doc.go
new file mode 100644
index 0000000000..1a6ef069f6
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2015 Huan Du. All rights reserved.
+// Licensed under the MIT license that can be found in the LICENSE file.
+
+// Package xstrings is to provide string algorithms which are useful but not included in `strings` package.
+// See project home page for details. https://github.com/huandu/xstrings
+//
+// Package xstrings assumes all strings are encoded in utf8.
+package xstrings
diff --git a/vendor/github.com/huandu/xstrings/format.go b/vendor/github.com/huandu/xstrings/format.go
new file mode 100644
index 0000000000..b32219bbd5
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/format.go
@@ -0,0 +1,173 @@
+// Copyright 2015 Huan Du. All rights reserved.
+// Licensed under the MIT license that can be found in the LICENSE file.
+
+package xstrings
+
+import (
+	"unicode/utf8"
+)
+
+// ExpandTabs can expand tabs ('\t') rune in str to one or more spaces dpending on
+// current column and tabSize.
+// The column number is reset to zero after each newline ('\n') occurring in the str.
+//
+// ExpandTabs uses RuneWidth to decide rune's width.
+// For example, CJK characters will be treated as two characters.
+//
+// If tabSize <= 0, ExpandTabs panics with error.
+//
+// Samples:
+//
+//	ExpandTabs("a\tbc\tdef\tghij\tk", 4) => "a   bc  def ghij    k"
+//	ExpandTabs("abcdefg\thij\nk\tl", 4)  => "abcdefg hij\nk   l"
+//	ExpandTabs("z中\t文\tw", 4)           => "z中 文  w"
+func ExpandTabs(str string, tabSize int) string {
+	if tabSize <= 0 {
+		panic("tab size must be positive")
+	}
+
+	var r rune
+	var i, size, column, expand int
+	var output *stringBuilder
+
+	orig := str
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+
+		if r == '\t' {
+			expand = tabSize - column%tabSize
+
+			if output == nil {
+				output = allocBuffer(orig, str)
+			}
+
+			for i = 0; i < expand; i++ {
+				output.WriteRune(' ')
+			}
+
+			column += expand
+		} else {
+			if r == '\n' {
+				column = 0
+			} else {
+				column += RuneWidth(r)
+			}
+
+			if output != nil {
+				output.WriteRune(r)
+			}
+		}
+
+		str = str[size:]
+	}
+
+	if output == nil {
+		return orig
+	}
+
+	return output.String()
+}
+
+// LeftJustify returns a string with pad string at right side if str's rune length is smaller than length.
+// If str's rune length is larger than length, str itself will be returned.
+//
+// If pad is an empty string, str will be returned.
+//
+// Samples:
+//
+//	LeftJustify("hello", 4, " ")    => "hello"
+//	LeftJustify("hello", 10, " ")   => "hello     "
+//	LeftJustify("hello", 10, "123") => "hello12312"
+func LeftJustify(str string, length int, pad string) string {
+	l := Len(str)
+
+	if l >= length || pad == "" {
+		return str
+	}
+
+	remains := length - l
+	padLen := Len(pad)
+
+	output := &stringBuilder{}
+	output.Grow(len(str) + (remains/padLen+1)*len(pad))
+	output.WriteString(str)
+	writePadString(output, pad, padLen, remains)
+	return output.String()
+}
+
+// RightJustify returns a string with pad string at left side if str's rune length is smaller than length.
+// If str's rune length is larger than length, str itself will be returned.
+//
+// If pad is an empty string, str will be returned.
+//
+// Samples:
+//
+//	RightJustify("hello", 4, " ")    => "hello"
+//	RightJustify("hello", 10, " ")   => "     hello"
+//	RightJustify("hello", 10, "123") => "12312hello"
+func RightJustify(str string, length int, pad string) string {
+	l := Len(str)
+
+	if l >= length || pad == "" {
+		return str
+	}
+
+	remains := length - l
+	padLen := Len(pad)
+
+	output := &stringBuilder{}
+	output.Grow(len(str) + (remains/padLen+1)*len(pad))
+	writePadString(output, pad, padLen, remains)
+	output.WriteString(str)
+	return output.String()
+}
+
+// Center returns a string with pad string at both side if str's rune length is smaller than length.
+// If str's rune length is larger than length, str itself will be returned.
+//
+// If pad is an empty string, str will be returned.
+//
+// Samples:
+//
+//	Center("hello", 4, " ")    => "hello"
+//	Center("hello", 10, " ")   => "  hello   "
+//	Center("hello", 10, "123") => "12hello123"
+func Center(str string, length int, pad string) string {
+	l := Len(str)
+
+	if l >= length || pad == "" {
+		return str
+	}
+
+	remains := length - l
+	padLen := Len(pad)
+
+	output := &stringBuilder{}
+	output.Grow(len(str) + (remains/padLen+1)*len(pad))
+	writePadString(output, pad, padLen, remains/2)
+	output.WriteString(str)
+	writePadString(output, pad, padLen, (remains+1)/2)
+	return output.String()
+}
+
+func writePadString(output *stringBuilder, pad string, padLen, remains int) {
+	var r rune
+	var size int
+
+	repeats := remains / padLen
+
+	for i := 0; i < repeats; i++ {
+		output.WriteString(pad)
+	}
+
+	remains = remains % padLen
+
+	if remains != 0 {
+		for i := 0; i < remains; i++ {
+			r, size = utf8.DecodeRuneInString(pad)
+			output.WriteRune(r)
+			pad = pad[size:]
+		}
+	}
+}
diff --git a/vendor/github.com/huandu/xstrings/manipulate.go b/vendor/github.com/huandu/xstrings/manipulate.go
new file mode 100644
index 0000000000..ab42fe0fec
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/manipulate.go
@@ -0,0 +1,220 @@
+// Copyright 2015 Huan Du. All rights reserved.
+// Licensed under the MIT license that can be found in the LICENSE file.
+
+package xstrings
+
+import (
+	"strings"
+	"unicode/utf8"
+)
+
+// Reverse a utf8 encoded string.
+func Reverse(str string) string {
+	var size int
+
+	tail := len(str)
+	buf := make([]byte, tail)
+	s := buf
+
+	for len(str) > 0 {
+		_, size = utf8.DecodeRuneInString(str)
+		tail -= size
+		s = append(s[:tail], []byte(str[:size])...)
+		str = str[size:]
+	}
+
+	return string(buf)
+}
+
+// Slice a string by rune.
+//
+// Start must satisfy 0 <= start <= rune length.
+//
+// End can be positive, zero or negative.
+// If end >= 0, start and end must satisfy start <= end <= rune length.
+// If end < 0, it means slice to the end of string.
+//
+// Otherwise, Slice will panic as out of range.
+func Slice(str string, start, end int) string {
+	var size, startPos, endPos int
+
+	origin := str
+
+	if start < 0 || end > len(str) || (end >= 0 && start > end) {
+		panic("out of range")
+	}
+
+	if end >= 0 {
+		end -= start
+	}
+
+	for start > 0 && len(str) > 0 {
+		_, size = utf8.DecodeRuneInString(str)
+		start--
+		startPos += size
+		str = str[size:]
+	}
+
+	if end < 0 {
+		return origin[startPos:]
+	}
+
+	endPos = startPos
+
+	for end > 0 && len(str) > 0 {
+		_, size = utf8.DecodeRuneInString(str)
+		end--
+		endPos += size
+		str = str[size:]
+	}
+
+	if len(str) == 0 && (start > 0 || end > 0) {
+		panic("out of range")
+	}
+
+	return origin[startPos:endPos]
+}
+
+// Partition splits a string by sep into three parts.
+// The return value is a slice of strings with head, match and tail.
+//
+// If str contains sep, for example "hello" and "l", Partition returns
+//
+//	"he", "l", "lo"
+//
+// If str doesn't contain sep, for example "hello" and "x", Partition returns
+//
+//	"hello", "", ""
+func Partition(str, sep string) (head, match, tail string) {
+	index := strings.Index(str, sep)
+
+	if index == -1 {
+		head = str
+		return
+	}
+
+	head = str[:index]
+	match = str[index : index+len(sep)]
+	tail = str[index+len(sep):]
+	return
+}
+
+// LastPartition splits a string by last instance of sep into three parts.
+// The return value is a slice of strings with head, match and tail.
+//
+// If str contains sep, for example "hello" and "l", LastPartition returns
+//
+//	"hel", "l", "o"
+//
+// If str doesn't contain sep, for example "hello" and "x", LastPartition returns
+//
+//	"", "", "hello"
+func LastPartition(str, sep string) (head, match, tail string) {
+	index := strings.LastIndex(str, sep)
+
+	if index == -1 {
+		tail = str
+		return
+	}
+
+	head = str[:index]
+	match = str[index : index+len(sep)]
+	tail = str[index+len(sep):]
+	return
+}
+
+// Insert src into dst at given rune index.
+// Index is counted by runes instead of bytes.
+//
+// If index is out of range of dst, panic with out of range.
+func Insert(dst, src string, index int) string {
+	return Slice(dst, 0, index) + src + Slice(dst, index, -1)
+}
+
+// Scrub scrubs invalid utf8 bytes with repl string.
+// Adjacent invalid bytes are replaced only once.
+func Scrub(str, repl string) string {
+	var buf *stringBuilder
+	var r rune
+	var size, pos int
+	var hasError bool
+
+	origin := str
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+
+		if r == utf8.RuneError {
+			if !hasError {
+				if buf == nil {
+					buf = &stringBuilder{}
+				}
+
+				buf.WriteString(origin[:pos])
+				hasError = true
+			}
+		} else if hasError {
+			hasError = false
+			buf.WriteString(repl)
+
+			origin = origin[pos:]
+			pos = 0
+		}
+
+		pos += size
+		str = str[size:]
+	}
+
+	if buf != nil {
+		buf.WriteString(origin)
+		return buf.String()
+	}
+
+	// No invalid byte.
+	return origin
+}
+
+// WordSplit splits a string into words. Returns a slice of words.
+// If there is no word in a string, return nil.
+//
+// Word is defined as a locale dependent string containing alphabetic characters,
+// which may also contain but not start with `'` and `-` characters.
+func WordSplit(str string) []string {
+	var word string
+	var words []string
+	var r rune
+	var size, pos int
+
+	inWord := false
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+
+		switch {
+		case isAlphabet(r):
+			if !inWord {
+				inWord = true
+				word = str
+				pos = 0
+			}
+
+		case inWord && (r == '\'' || r == '-'):
+			// Still in word.
+
+		default:
+			if inWord {
+				inWord = false
+				words = append(words, word[:pos])
+			}
+		}
+
+		pos += size
+		str = str[size:]
+	}
+
+	if inWord {
+		words = append(words, word[:pos])
+	}
+
+	return words
+}
diff --git a/vendor/github.com/huandu/xstrings/stringbuilder.go b/vendor/github.com/huandu/xstrings/stringbuilder.go
new file mode 100644
index 0000000000..06812fea07
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/stringbuilder.go
@@ -0,0 +1,8 @@
+//go:build go1.10
+// +build go1.10
+
+package xstrings
+
+import "strings"
+
+type stringBuilder = strings.Builder
diff --git a/vendor/github.com/huandu/xstrings/stringbuilder_go110.go b/vendor/github.com/huandu/xstrings/stringbuilder_go110.go
new file mode 100644
index 0000000000..ccaa5aedd3
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/stringbuilder_go110.go
@@ -0,0 +1,10 @@
+//go:build !go1.10
+// +build !go1.10
+
+package xstrings
+
+import "bytes"
+
+type stringBuilder struct {
+	bytes.Buffer
+}
diff --git a/vendor/github.com/huandu/xstrings/translate.go b/vendor/github.com/huandu/xstrings/translate.go
new file mode 100644
index 0000000000..1fac6a00be
--- /dev/null
+++ b/vendor/github.com/huandu/xstrings/translate.go
@@ -0,0 +1,552 @@
+// Copyright 2015 Huan Du. All rights reserved.
+// Licensed under the MIT license that can be found in the LICENSE file.
+
+package xstrings
+
+import (
+	"unicode"
+	"unicode/utf8"
+)
+
+type runeRangeMap struct {
+	FromLo rune // Lower bound of range map.
+	FromHi rune // An inclusive higher bound of range map.
+	ToLo   rune
+	ToHi   rune
+}
+
+type runeDict struct {
+	Dict [unicode.MaxASCII + 1]rune
+}
+
+type runeMap map[rune]rune
+
+// Translator can translate string with pre-compiled from and to patterns.
+// If a from/to pattern pair needs to be used more than once, it's recommended
+// to create a Translator and reuse it.
+type Translator struct {
+	quickDict  *runeDict       // A quick dictionary to look up rune by index. Only available for latin runes.
+	runeMap    runeMap         // Rune map for translation.
+	ranges     []*runeRangeMap // Ranges of runes.
+	mappedRune rune            // If mappedRune >= 0, all matched runes are translated to the mappedRune.
+	reverted   bool            // If to pattern is empty, all matched characters will be deleted.
+	hasPattern bool
+}
+
+// NewTranslator creates new Translator through a from/to pattern pair.
+func NewTranslator(from, to string) *Translator {
+	tr := &Translator{}
+
+	if from == "" {
+		return tr
+	}
+
+	reverted := from[0] == '^'
+	deletion := len(to) == 0
+
+	if reverted {
+		from = from[1:]
+	}
+
+	var fromStart, fromEnd, fromRangeStep rune
+	var toStart, toEnd, toRangeStep rune
+	var fromRangeSize, toRangeSize rune
+	var singleRunes []rune
+
+	// Update the to rune range.
+	updateRange := func() {
+		// No more rune to read in the to rune pattern.
+		if toEnd == utf8.RuneError {
+			return
+		}
+
+		if toRangeStep == 0 {
+			to, toStart, toEnd, toRangeStep = nextRuneRange(to, toEnd)
+			return
+		}
+
+		// Current range is not empty. Consume 1 rune from start.
+		if toStart != toEnd {
+			toStart += toRangeStep
+			return
+		}
+
+		// No more rune. Repeat the last rune.
+		if to == "" {
+			toEnd = utf8.RuneError
+			return
+		}
+
+		// Both start and end are used. Read two more runes from the to pattern.
+		to, toStart, toEnd, toRangeStep = nextRuneRange(to, utf8.RuneError)
+	}
+
+	if deletion {
+		toStart = utf8.RuneError
+		toEnd = utf8.RuneError
+	} else {
+		// If from pattern is reverted, only the last rune in the to pattern will be used.
+		if reverted {
+			var size int
+
+			for len(to) > 0 {
+				toStart, size = utf8.DecodeRuneInString(to)
+				to = to[size:]
+			}
+
+			toEnd = utf8.RuneError
+		} else {
+			to, toStart, toEnd, toRangeStep = nextRuneRange(to, utf8.RuneError)
+		}
+	}
+
+	fromEnd = utf8.RuneError
+
+	for len(from) > 0 {
+		from, fromStart, fromEnd, fromRangeStep = nextRuneRange(from, fromEnd)
+
+		// fromStart is a single character. Just map it with a rune in the to pattern.
+		if fromRangeStep == 0 {
+			singleRunes = tr.addRune(fromStart, toStart, singleRunes)
+			updateRange()
+			continue
+		}
+
+		for toEnd != utf8.RuneError && fromStart != fromEnd {
+			// If mapped rune is a single character instead of a range, simply shift first
+			// rune in the range.
+			if toRangeStep == 0 {
+				singleRunes = tr.addRune(fromStart, toStart, singleRunes)
+				updateRange()
+				fromStart += fromRangeStep
+				continue
+			}
+
+			fromRangeSize = (fromEnd - fromStart) * fromRangeStep
+			toRangeSize = (toEnd - toStart) * toRangeStep
+
+			// Not enough runes in the to pattern. Need to read more.
+			if fromRangeSize > toRangeSize {
+				fromStart, toStart = tr.addRuneRange(fromStart, fromStart+toRangeSize*fromRangeStep, toStart, toEnd, singleRunes)
+				fromStart += fromRangeStep
+				updateRange()
+
+				// Edge case: If fromRangeSize == toRangeSize + 1, the last fromStart value needs be considered
+				// as a single rune.
+				if fromStart == fromEnd {
+					singleRunes = tr.addRune(fromStart, toStart, singleRunes)
+					updateRange()
+				}
+
+				continue
+			}
+
+			fromStart, toStart = tr.addRuneRange(fromStart, fromEnd, toStart, toStart+fromRangeSize*toRangeStep, singleRunes)
+			updateRange()
+			break
+		}
+
+		if fromStart == fromEnd {
+			fromEnd = utf8.RuneError
+			continue
+		}
+
+		_, toStart = tr.addRuneRange(fromStart, fromEnd, toStart, toStart, singleRunes)
+		fromEnd = utf8.RuneError
+	}
+
+	if fromEnd != utf8.RuneError {
+		tr.addRune(fromEnd, toStart, singleRunes)
+	}
+
+	tr.reverted = reverted
+	tr.mappedRune = -1
+	tr.hasPattern = true
+
+	// Translate RuneError only if in deletion or reverted mode.
+	if deletion || reverted {
+		tr.mappedRune = toStart
+	}
+
+	return tr
+}
+
+func (tr *Translator) addRune(from, to rune, singleRunes []rune) []rune {
+	if from <= unicode.MaxASCII {
+		if tr.quickDict == nil {
+			tr.quickDict = &runeDict{}
+		}
+
+		tr.quickDict.Dict[from] = to
+	} else {
+		if tr.runeMap == nil {
+			tr.runeMap = make(runeMap)
+		}
+
+		tr.runeMap[from] = to
+	}
+
+	singleRunes = append(singleRunes, from)
+	return singleRunes
+}
+
+func (tr *Translator) addRuneRange(fromLo, fromHi, toLo, toHi rune, singleRunes []rune) (rune, rune) {
+	var r rune
+	var rrm *runeRangeMap
+
+	if fromLo < fromHi {
+		rrm = &runeRangeMap{
+			FromLo: fromLo,
+			FromHi: fromHi,
+			ToLo:   toLo,
+			ToHi:   toHi,
+		}
+	} else {
+		rrm = &runeRangeMap{
+			FromLo: fromHi,
+			FromHi: fromLo,
+			ToLo:   toHi,
+			ToHi:   toLo,
+		}
+	}
+
+	// If there is any single rune conflicts with this rune range, clear single rune record.
+	for _, r = range singleRunes {
+		if rrm.FromLo <= r && r <= rrm.FromHi {
+			if r <= unicode.MaxASCII {
+				tr.quickDict.Dict[r] = 0
+			} else {
+				delete(tr.runeMap, r)
+			}
+		}
+	}
+
+	tr.ranges = append(tr.ranges, rrm)
+	return fromHi, toHi
+}
+
+func nextRuneRange(str string, last rune) (remaining string, start, end rune, rangeStep rune) {
+	var r rune
+	var size int
+
+	remaining = str
+	escaping := false
+	isRange := false
+
+	for len(remaining) > 0 {
+		r, size = utf8.DecodeRuneInString(remaining)
+		remaining = remaining[size:]
+
+		// Parse special characters.
+		if !escaping {
+			if r == '\\' {
+				escaping = true
+				continue
+			}
+
+			if r == '-' {
+				// Ignore slash at beginning of string.
+				if last == utf8.RuneError {
+					continue
+				}
+
+				start = last
+				isRange = true
+				continue
+			}
+		}
+
+		escaping = false
+
+		if last != utf8.RuneError {
+			// This is a range which start and end are the same.
+			// Considier it as a normal character.
+			if isRange && last == r {
+				isRange = false
+				continue
+			}
+
+			start = last
+			end = r
+
+			if isRange {
+				if start < end {
+					rangeStep = 1
+				} else {
+					rangeStep = -1
+				}
+			}
+
+			return
+		}
+
+		last = r
+	}
+
+	start = last
+	end = utf8.RuneError
+	return
+}
+
+// Translate str with a from/to pattern pair.
+//
+// See comment in Translate function for usage and samples.
+func (tr *Translator) Translate(str string) string {
+	if !tr.hasPattern || str == "" {
+		return str
+	}
+
+	var r rune
+	var size int
+	var needTr bool
+
+	orig := str
+
+	var output *stringBuilder
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+		r, needTr = tr.TranslateRune(r)
+
+		if needTr && output == nil {
+			output = allocBuffer(orig, str)
+		}
+
+		if r != utf8.RuneError && output != nil {
+			output.WriteRune(r)
+		}
+
+		str = str[size:]
+	}
+
+	// No character is translated.
+	if output == nil {
+		return orig
+	}
+
+	return output.String()
+}
+
+// TranslateRune return translated rune and true if r matches the from pattern.
+// If r doesn't match the pattern, original r is returned and translated is false.
+func (tr *Translator) TranslateRune(r rune) (result rune, translated bool) {
+	switch {
+	case tr.quickDict != nil:
+		if r <= unicode.MaxASCII {
+			result = tr.quickDict.Dict[r]
+
+			if result != 0 {
+				translated = true
+
+				if tr.mappedRune >= 0 {
+					result = tr.mappedRune
+				}
+
+				break
+			}
+		}
+
+		fallthrough
+
+	case tr.runeMap != nil:
+		var ok bool
+
+		if result, ok = tr.runeMap[r]; ok {
+			translated = true
+
+			if tr.mappedRune >= 0 {
+				result = tr.mappedRune
+			}
+
+			break
+		}
+
+		fallthrough
+
+	default:
+		var rrm *runeRangeMap
+		ranges := tr.ranges
+
+		for i := len(ranges) - 1; i >= 0; i-- {
+			rrm = ranges[i]
+
+			if rrm.FromLo <= r && r <= rrm.FromHi {
+				translated = true
+
+				if tr.mappedRune >= 0 {
+					result = tr.mappedRune
+					break
+				}
+
+				if rrm.ToLo < rrm.ToHi {
+					result = rrm.ToLo + r - rrm.FromLo
+				} else if rrm.ToLo > rrm.ToHi {
+					// ToHi can be smaller than ToLo if range is from higher to lower.
+					result = rrm.ToLo - r + rrm.FromLo
+				} else {
+					result = rrm.ToLo
+				}
+
+				break
+			}
+		}
+	}
+
+	if tr.reverted {
+		if !translated {
+			result = tr.mappedRune
+		}
+
+		translated = !translated
+	}
+
+	if !translated {
+		result = r
+	}
+
+	return
+}
+
+// HasPattern returns true if Translator has one pattern at least.
+func (tr *Translator) HasPattern() bool {
+	return tr.hasPattern
+}
+
+// Translate str with the characters defined in from replaced by characters defined in to.
+//
+// From and to are patterns representing a set of characters. Pattern is defined as following.
+//
+// Special characters:
+//
+//  1. '-' means a range of runes, e.g.
+//     "a-z" means all characters from 'a' to 'z' inclusive;
+//     "z-a" means all characters from 'z' to 'a' inclusive.
+//  2. '^' as first character means a set of all runes excepted listed, e.g.
+//     "^a-z" means all characters except 'a' to 'z' inclusive.
+//  3. '\' escapes special characters.
+//
+// Normal character represents itself, e.g. "abc" is a set including 'a', 'b' and 'c'.
+//
+// Translate will try to find a 1:1 mapping from from to to.
+// If to is smaller than from, last rune in to will be used to map "out of range" characters in from.
+//
+// Note that '^' only works in the from pattern. It will be considered as a normal character in the to pattern.
+//
+// If the to pattern is an empty string, Translate works exactly the same as Delete.
+//
+// Samples:
+//
+//	Translate("hello", "aeiou", "12345")    => "h2ll4"
+//	Translate("hello", "a-z", "A-Z")        => "HELLO"
+//	Translate("hello", "z-a", "a-z")        => "svool"
+//	Translate("hello", "aeiou", "*")        => "h*ll*"
+//	Translate("hello", "^l", "*")           => "**ll*"
+//	Translate("hello ^ world", `\^lo`, "*") => "he*** * w*r*d"
+func Translate(str, from, to string) string {
+	tr := NewTranslator(from, to)
+	return tr.Translate(str)
+}
+
+// Delete runes in str matching the pattern.
+// Pattern is defined in Translate function.
+//
+// Samples:
+//
+//	Delete("hello", "aeiou") => "hll"
+//	Delete("hello", "a-k")   => "llo"
+//	Delete("hello", "^a-k")  => "he"
+func Delete(str, pattern string) string {
+	tr := NewTranslator(pattern, "")
+	return tr.Translate(str)
+}
+
+// Count how many runes in str match the pattern.
+// Pattern is defined in Translate function.
+//
+// Samples:
+//
+//	Count("hello", "aeiou") => 3
+//	Count("hello", "a-k")   => 3
+//	Count("hello", "^a-k")  => 2
+func Count(str, pattern string) int {
+	if pattern == "" || str == "" {
+		return 0
+	}
+
+	var r rune
+	var size int
+	var matched bool
+
+	tr := NewTranslator(pattern, "")
+	cnt := 0
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+		str = str[size:]
+
+		if _, matched = tr.TranslateRune(r); matched {
+			cnt++
+		}
+	}
+
+	return cnt
+}
+
+// Squeeze deletes adjacent repeated runes in str.
+// If pattern is not empty, only runes matching the pattern will be squeezed.
+//
+// Samples:
+//
+//	Squeeze("hello", "")             => "helo"
+//	Squeeze("hello", "m-z")          => "hello"
+//	Squeeze("hello   world", " ")    => "hello world"
+func Squeeze(str, pattern string) string {
+	var last, r rune
+	var size int
+	var skipSqueeze, matched bool
+	var tr *Translator
+	var output *stringBuilder
+
+	orig := str
+	last = -1
+
+	if len(pattern) > 0 {
+		tr = NewTranslator(pattern, "")
+	}
+
+	for len(str) > 0 {
+		r, size = utf8.DecodeRuneInString(str)
+
+		// Need to squeeze the str.
+		if last == r && !skipSqueeze {
+			if tr != nil {
+				if _, matched = tr.TranslateRune(r); !matched {
+					skipSqueeze = true
+				}
+			}
+
+			if output == nil {
+				output = allocBuffer(orig, str)
+			}
+
+			if skipSqueeze {
+				output.WriteRune(r)
+			}
+		} else {
+			if output != nil {
+				output.WriteRune(r)
+			}
+
+			last = r
+			skipSqueeze = false
+		}
+
+		str = str[size:]
+	}
+
+	if output == nil {
+		return orig
+	}
+
+	return output.String()
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go
index 9dca59d898..ac39731796 100644
--- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go
+++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go
@@ -37,10 +37,10 @@ const (
 type IstioSpec struct {
 	// +sail:version
 	// Defines the version of Istio to install.
-	// Must be one of: v1.25-latest, v1.25.2, v1.25.1, v1.24-latest, v1.24.5, v1.24.4, v1.24.3, v1.24.2, v1.24.1, v1.24.0, v1.23-latest, v1.23.6, v1.23.5, v1.23.4, v1.23.3, v1.23.2, v1.22-latest, v1.22.8, v1.22.7, v1.22.6, v1.22.5, v1.21.6, master, v1.27-alpha.f23c2f66.
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.25-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-alpha.f23c2f66"}
-	// +kubebuilder:validation:Enum=v1.25-latest;v1.25.2;v1.25.1;v1.24-latest;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23-latest;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22-latest;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;master;v1.27-alpha.f23c2f66
-	// +kubebuilder:default=v1.25.2
+	// Must be one of: v1.28-latest, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a30ad733.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.0", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a30ad733"}
+	// +kubebuilder:validation:Enum=v1.28-latest;v1.28.3;v1.28.2;v1.28.1;v1.28.0;v1.27-latest;v1.27.5;v1.27.4;v1.27.3;v1.27.2;v1.27.1;v1.27.0;v1.26-latest;v1.26.8;v1.26.7;v1.26.6;v1.26.5;v1.26.4;v1.26.3;v1.26.2;v1.26.1;v1.26.0;v1.25-latest;v1.25.5;v1.25.4;v1.25.3;v1.25.2;v1.25.1;v1.24-latest;v1.24.6;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23-latest;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22-latest;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;master;v1.30-alpha.a30ad733
+	// +kubebuilder:default=v1.28.3
 	Version string `json:"version"`
 
 	// Defines the update strategy to use when the version in the Istio CR is updated.
@@ -51,10 +51,9 @@ type IstioSpec struct {
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable.
-	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;remote;stable
+	// Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:openshift", "urn:alm:descriptor:com.tectonic.ui:select:openshift-ambient", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote", "urn:alm:descriptor:com.tectonic.ui:select:stable"}
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift;openshift-ambient;preview;remote;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio components should be installed. Note that this field is immutable.
@@ -262,7 +261,7 @@ const (
 // +kubebuilder:resource:scope=Cluster,categories=istio-io
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Namespace",type="string",JSONPath=".spec.namespace",description="The namespace for the control plane components."
-// +kubebuilder:printcolumn:name="Profile",type="string",JSONPath=".spec.values.profile",description="The selected profile (collection of value presets)."
+// +kubebuilder:printcolumn:name="Profile",type="string",JSONPath=".spec.profile",description="The selected profile (collection of value presets)."
 // +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object."
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready."
 // +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads."
@@ -283,7 +282,7 @@ type Istio struct {
 	// +optional
 	metav1.ObjectMeta `json:"metadata"`
 
-	// +kubebuilder:default={version: "v1.25.2", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
+	// +kubebuilder:default={version: "v1.28.3", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
 	// +optional
 	Spec IstioSpec `json:"spec"`
 
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go
index 3f743c5974..5abb6eda95 100644
--- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go
+++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go
@@ -28,19 +28,18 @@ const (
 type IstioCNISpec struct {
 	// +sail:version
 	// Defines the version of Istio to install.
-	// Must be one of: v1.25-latest, v1.25.2, v1.25.1, v1.24-latest, v1.24.5, v1.24.4, v1.24.3, v1.24.2, v1.24.1, v1.24.0, v1.23-latest, v1.23.6, v1.23.5, v1.23.4, v1.23.3, v1.23.2, v1.22-latest, v1.22.8, v1.22.7, v1.22.6, v1.22.5, v1.21.6, master, v1.27-alpha.f23c2f66.
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.25-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-alpha.f23c2f66"}
-	// +kubebuilder:validation:Enum=v1.25-latest;v1.25.2;v1.25.1;v1.24-latest;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23-latest;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22-latest;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;master;v1.27-alpha.f23c2f66
-	// +kubebuilder:default=v1.25.2
+	// Must be one of: v1.28-latest, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a30ad733.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.0", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a30ad733"}
+	// +kubebuilder:validation:Enum=v1.28-latest;v1.28.3;v1.28.2;v1.28.1;v1.28.0;v1.27-latest;v1.27.5;v1.27.4;v1.27.3;v1.27.2;v1.27.1;v1.27.0;v1.26-latest;v1.26.8;v1.26.7;v1.26.6;v1.26.5;v1.26.4;v1.26.3;v1.26.2;v1.26.1;v1.26.0;v1.25-latest;v1.25.5;v1.25.4;v1.25.3;v1.25.2;v1.25.1;v1.24-latest;v1.24.6;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23-latest;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22-latest;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;master;v1.30-alpha.a30ad733
+	// +kubebuilder:default=v1.28.3
 	Version string `json:"version"`
 
 	// +sail:profile
 	// The built-in installation configuration profile to use.
 	// The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
-	// Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable.
-	// +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
-	// +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;remote;stable
+	// Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:openshift", "urn:alm:descriptor:com.tectonic.ui:select:openshift-ambient", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote", "urn:alm:descriptor:com.tectonic.ui:select:stable"}
+	// +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift;openshift-ambient;preview;remote;stable
 	Profile string `json:"profile,omitempty"`
 
 	// Namespace to which the Istio CNI component should be installed. Note that this field is immutable.
@@ -169,7 +168,7 @@ const (
 // +kubebuilder:resource:scope=Cluster,categories=istio-io
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Namespace",type="string",JSONPath=".spec.namespace",description="The namespace of the istio-cni-node DaemonSet."
-// +kubebuilder:printcolumn:name="Profile",type="string",JSONPath=".spec.values.profile",description="The selected profile (collection of value presets)."
+// +kubebuilder:printcolumn:name="Profile",type="string",JSONPath=".spec.profile",description="The selected profile (collection of value presets)."
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Whether the Istio CNI installation is ready to handle requests."
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of this object."
 // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the Istio CNI installation."
@@ -182,7 +181,7 @@ type IstioCNI struct {
 	// +optional
 	metav1.ObjectMeta `json:"metadata"`
 
-	// +kubebuilder:default={version: "v1.25.2", namespace: "istio-cni"}
+	// +kubebuilder:default={version: "v1.28.3", namespace: "istio-cni"}
 	// +optional
 	Spec IstioCNISpec `json:"spec"`
 
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go
index 6bd39cea8b..03185e649a 100644
--- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go
+++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go
@@ -30,9 +30,9 @@ const (
 type IstioRevisionSpec struct {
 	// +sail:version
 	// Defines the version of Istio to install.
-	// Must be one of: v1.25.2, v1.25.1, v1.24.5, v1.24.4, v1.24.3, v1.24.2, v1.24.1, v1.24.0, v1.23.6, v1.23.5, v1.23.4, v1.23.3, v1.23.2, v1.22.8, v1.22.7, v1.22.6, v1.22.5, v1.21.6, v1.27-alpha.f23c2f66.
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-alpha.f23c2f66"}
-	// +kubebuilder:validation:Enum=v1.25.2;v1.25.1;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;v1.27-alpha.f23c2f66
+	// Must be one of: v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, v1.30-alpha.a30ad733.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a30ad733"}
+	// +kubebuilder:validation:Enum=v1.28.3;v1.28.2;v1.28.1;v1.28.0;v1.27.5;v1.27.4;v1.27.3;v1.27.2;v1.27.1;v1.27.0;v1.26.8;v1.26.7;v1.26.6;v1.26.5;v1.26.4;v1.26.3;v1.26.2;v1.26.1;v1.26.0;v1.25.5;v1.25.4;v1.25.3;v1.25.2;v1.25.1;v1.24.6;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;v1.30-alpha.a30ad733
 	Version string `json:"version"`
 
 	// Namespace to which the Istio components should be installed.
@@ -148,6 +148,9 @@ const (
 	// IstioRevisionReasonIstiodNotReady indicates that the control plane is fully reconciled, but istiod is not ready.
 	IstioRevisionReasonIstiodNotReady IstioRevisionConditionReason = "IstiodNotReady"
 
+	// IstioRevisionTagNameAlreadyExists indicates that a IstioRevisionTag with the same name as the IstioRevision already exists.
+	IstioRevisionReasonNameAlreadyExists IstioRevisionConditionReason = "NameAlreadyExists"
+
 	// IstioRevisionReasonRemoteIstiodNotReady indicates that the remote istiod is not ready.
 	IstioRevisionReasonRemoteIstiodNotReady IstioRevisionConditionReason = "RemoteIstiodNotReady"
 
@@ -182,6 +185,12 @@ const (
 	// IstioRevisionReasonIstioCNINotHealthy indicates that the IstioCNI resource is not healthy.
 	IstioRevisionReasonIstioCNINotHealthy IstioRevisionConditionReason = "IstioCNINotHealthy"
 
+	// IstioRevisionReasonZTunnelNotFound indicates that the ZTunnel resource is not found.
+	IstioRevisionReasonZTunnelNotFound IstioRevisionConditionReason = "ZTunnelNotFound"
+
+	// IstioRevisionReasonZTunnelNotHealthy indicates that the ZTunnel resource is not healthy.
+	IstioRevisionReasonZTunnelNotHealthy IstioRevisionConditionReason = "ZTunnelNotHealthy"
+
 	// IstioRevisionDependencyCheckFailed indicates that the status of the dependencies could not be ascertained.
 	IstioRevisionDependencyCheckFailed IstioRevisionConditionReason = "DependencyCheckFailed"
 )
@@ -206,7 +215,7 @@ const (
 // Users shouldn't create IstioRevision objects directly. Instead, they should
 // create an Istio object and allow the operator to create the underlying
 // IstioRevision object(s).
-// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default' ? (!has(self.spec.values.revision) || size(self.spec.values.revision) == 0) : self.spec.values.revision == self.metadata.name",message="spec.values.revision must match metadata.name"
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default' ? (!has(self.spec.values.revision) || size(self.spec.values.revision) == 0) : self.spec.values.revision == self.metadata.name",message="spec.values.revision must match metadata.name or be empty when the name is 'default'"
 type IstioRevision struct {
 	metav1.TypeMeta `json:",inline"`
 	// +optional
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevisiontags_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevisiontags_types.go
index 1558fdd3fc..4ae3330475 100644
--- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevisiontags_types.go
+++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevisiontags_types.go
@@ -145,7 +145,7 @@ const (
 	// successfully reconciled the resources defined through the CR.
 	IstioRevisionTagConditionReconciled IstioRevisionTagConditionType = "Reconciled"
 
-	// IstioRevisionTagNameAlreadyExists indicates that the a revision with the same name as the IstioRevisionTag already exists.
+	// IstioRevisionTagNameAlreadyExists indicates that an IstioRevision with the same name as the IstioRevisionTag already exists.
 	IstioRevisionTagReasonNameAlreadyExists IstioRevisionTagConditionReason = "NameAlreadyExists"
 
 	// IstioRevisionTagReasonReferenceNotFound indicates that the resource referenced by the tag's TargetRef was not found
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go
index aa2875a561..f1edb47441 100644
--- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go
+++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go
@@ -24,6 +24,16 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
+// +kubebuilder:validation:Enum=undefined;all;cluster;namespace
+type ResourceScope string
+
+const (
+	ResourceScopeUndefined ResourceScope = "undefined"
+	ResourceScopeAll       ResourceScope = "all"
+	ResourceScopeCluster   ResourceScope = "cluster"
+	ResourceScopeNamespace ResourceScope = "namespace"
+)
+
 // Mode for the ingress controller.
 // +kubebuilder:validation:Enum=UNSPECIFIED;DEFAULT;STRICT;OFF
 type IngressControllerMode string
@@ -106,10 +116,22 @@ type CNIConfig struct {
 	ExcludeNamespaces []string `json:"excludeNamespaces,omitempty"`
 	// K8s affinity to set on the istio-cni Pods. Can be used to exclude istio-cni from being scheduled on specified nodes.
 	Affinity *k8sv1.Affinity `json:"affinity,omitempty"`
+	// Environment variables passed to the CNI container.
+	//
+	// Examples:
+	// env:
+	//
+	//	ENV_VAR_1: value1
+	//	ENV_VAR_2: value2
+	Env map[string]string `json:"env,omitempty"`
+	// Additional labels to apply to the istio-cni DaemonSet.
+	DaemonSetLabels map[string]string `json:"daemonSetLabels,omitempty"`
 	// Additional annotations to apply to the istio-cni Pods.
 	//
 	// Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 	PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
+	// Additional labels to apply to the istio-cni Pods.
+	PodLabels map[string]string `json:"podLabels,omitempty"`
 	// PodSecurityPolicy cluster role. No longer used anywhere.
 	PspClusterRole *string `json:"psp_cluster_role,omitempty"`
 
@@ -120,7 +142,7 @@ type CNIConfig struct {
 	// Configure the plugin as a chained CNI plugin. When true, the configuration is added to the CNI chain; when false,
 	// the configuration is added as a standalone file in the CNI configuration directory.
 	Chained *bool `json:"chained,omitempty"`
-	// The resource quotas configration for the CNI DaemonSet.
+	// The resource quotas configuration for the CNI DaemonSet.
 	ResourceQuotas *ResourceQuotas `json:"resource_quotas,omitempty"`
 	// The k8s resource requests and limits for the istio-cni Pods.
 	Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
@@ -145,6 +167,9 @@ type CNIConfig struct {
 	// of pods at the start of the update.
 	// +kubebuilder:validation:XIntOrString
 	RollingMaxUnavailable *intstr.IntOrString `json:"rollingMaxUnavailable,omitempty"`
+	// Specifies if an Istio owned CNI config should be created.
+	IstioOwnedCNIConfig         *bool   `json:"istioOwnedCNIConfig,omitempty"`
+	IstioOwnedCNIConfigFileName *string `json:"istioOwnedCNIConfigFileName,omitempty"`
 }
 
 type CNIUsageConfig struct {
@@ -423,10 +448,23 @@ type GlobalConfig struct {
 	// Specifies how waypoints are configured within Istio.
 	Waypoint *WaypointConfig `json:"waypoint,omitempty"`
 	// Select a custom name for istiod's CA Root Cert ConfigMap.
-	TrustBundleName *string `json:"trustBundleName,omitempty"` // The next available key is 74
+	TrustBundleName *string `json:"trustBundleName,omitempty"`
+	// Specifies whether native nftables rules should be used instead of iptables rules for traffic redirection.
+	NativeNftables *bool `json:"nativeNftables,omitempty"`
+	// Settings related to Kubernetes NetworkPolicy.
+	NetworkPolicy *NetworkPolicyConfig `json:"networkPolicy,omitempty"`
+	// Specifies resource scope for discovery selectors.
+	// This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+	ResourceScope ResourceScope `json:"resourceScope,omitempty"`
+	// Specifies how proxies are configured within Istio.
+	Agentgateway *Agentgateway `json:"agentgateway,omitempty"` // The next available key is 78
 
 }
 
+type Agentgateway struct {
+	Image *string `json:"image,omitempty"`
+}
+
 // Configuration for Security Token Service (STS) server.
 //
 // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
@@ -617,7 +655,9 @@ type PilotConfig struct {
 	// Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane").
 	IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"`
 	// Configuration for the istio-discovery chart
-	EnvVarFrom []k8sv1.EnvFromSource `json:"envVarFrom,omitempty"`
+	EnvVarFrom []k8sv1.EnvVar `json:"envVarFrom,omitempty"`
+	// Select a custom name for istiod's plugged-in CA CRL ConfigMap.
+	CrlConfigMapName *string `json:"crlConfigMapName,omitempty"`
 }
 
 type PilotTaintControllerConfig struct {
@@ -728,6 +768,10 @@ type ProxyConfig struct {
 	ReadinessPeriodSeconds *uint32 `json:"readinessPeriodSeconds,omitempty"`
 	// Sets the number of successive failed probes before indicating readiness failure.
 	ReadinessFailureThreshold *uint32 `json:"readinessFailureThreshold,omitempty"`
+	// Configures the seccomp profile for the istio-validation and istio-proxy containers.
+	//
+	// See: https://kubernetes.io/docs/tutorials/security/seccomp/
+	SeccompProfile *k8sv1.SeccompProfile `json:"seccompProfile,omitempty"`
 	// Configures the startup probe for the istio-proxy container.
 	StartupProbe *StartupProbe `json:"startupProbe,omitempty"`
 	// Default port used for the Pilot agent's health checks.
@@ -912,6 +956,9 @@ type IstiodRemoteConfig struct {
 	InjectionCABundle *string `json:"injectionCABundle,omitempty"`
 	// Indicates if this cluster/install should consume a "remote" istiod instance,
 	Enabled *bool `json:"enabled,omitempty"`
+	// If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+	// local istiod inject sidecars
+	EnabledLocalInjectorIstiod *bool `json:"enabledLocalInjectorIstiod,omitempty"`
 }
 
 type Values struct {
@@ -955,6 +1002,8 @@ type Values struct {
 	// +kubebuilder:validation:Schemaless
 	Experimental json.RawMessage `json:"experimental,omitempty"`
 	// Configuration for Gateway Classes
+	// +kubebuilder:pruning:PreserveUnknownFields
+	// +kubebuilder:validation:Schemaless
 	GatewayClasses json.RawMessage `json:"gatewayClasses,omitempty"`
 }
 
@@ -988,15 +1037,21 @@ type WaypointConfig struct {
 	Toleration []*k8sv1.Toleration `json:"toleration,omitempty"`
 }
 
+// Configuration for NetworkPolicy
+type NetworkPolicyConfig struct {
+	// Controls whether default NetworkPolicy resources will be created.
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\n" +
-	"\x1bpkg/apis/values_types.proto\x12\x17istio.operator.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\"k8s.io/api/core/v1/generated.proto\x1a4k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"h\n" +
+	"\x1bpkg/apis/values_types.proto\x12\x17istio.operator.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\"h\n" +
 	"\n" +
 	"ArchConfig\x12\x14\n" +
 	"\x05amd64\x18\x01 \x01(\rR\x05amd64\x12\x18\n" +
 	"\appc64le\x18\x02 \x01(\rR\appc64le\x12\x14\n" +
 	"\x05s390x\x18\x03 \x01(\rR\x05s390x\x12\x14\n" +
-	"\x05arm64\x18\x04 \x01(\rR\x05arm64\"\xeb\t\n" +
+	"\x05arm64\x18\x04 \x01(\rR\x05arm64\"\x90\f\n" +
 	"\tCNIConfig\x124\n" +
 	"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x12\x10\n" +
 	"\x03hub\x18\x02 \x01(\tR\x03hub\x12(\n" +
@@ -1012,10 +1067,13 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"cniConfDir\x12(\n" +
 	"\x0fcniConfFileName\x18\b \x01(\tR\x0fcniConfFileName\x12 \n" +
 	"\vcniNetnsDir\x18\x1f \x01(\tR\vcniNetnsDir\x12,\n" +
-	"\x11excludeNamespaces\x18\t \x03(\tR\x11excludeNamespaces\x128\n" +
-	"\baffinity\x18\x14 \x01(\v2\x1c.k8s.io.api.core.v1.AffinityR\baffinity\x12C\n" +
+	"\x11excludeNamespaces\x18\t \x03(\tR\x11excludeNamespaces\x123\n" +
+	"\baffinity\x18\x14 \x01(\v2\x17.google.protobuf.StructR\baffinity\x12)\n" +
+	"\x03env\x18  \x01(\v2\x17.google.protobuf.StructR\x03env\x12A\n" +
+	"\x0fdaemonSetLabels\x18! \x01(\v2\x17.google.protobuf.StructR\x0fdaemonSetLabels\x12C\n" +
 	"\x0epodAnnotations\x18\n" +
-	" \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12(\n" +
+	" \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x125\n" +
+	"\tpodLabels\x18\" \x01(\v2\x17.google.protobuf.StructR\tpodLabels\x12(\n" +
 	"\x10psp_cluster_role\x18\v \x01(\tR\x0epspClusterRole\x12\x1e\n" +
 	"\blogLevel\x18\f \x01(\tB\x02\x18\x01R\blogLevel\x12F\n" +
 	"\alogging\x18\x19 \x01(\v2,.istio.operator.v1alpha1.GlobalLoggingConfigR\alogging\x12@\n" +
@@ -1025,11 +1083,13 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\tresources\x18\x11 \x01(\v2\".istio.operator.v1alpha1.ResourcesR\tresources\x12>\n" +
 	"\n" +
 	"privileged\x18\x12 \x01(\v2\x1a.google.protobuf.BoolValueB\x02\x18\x01R\n" +
-	"privileged\x12J\n" +
-	"\x0eseccompProfile\x18\x13 \x01(\v2\".k8s.io.api.core.v1.SeccompProfileR\x0eseccompProfile\x12C\n" +
+	"privileged\x12?\n" +
+	"\x0eseccompProfile\x18\x13 \x01(\v2\x17.google.protobuf.StructR\x0eseccompProfile\x12C\n" +
 	"\aambient\x18\x15 \x01(\v2).istio.operator.v1alpha1.CNIAmbientConfigR\aambient\x12\x1a\n" +
 	"\bprovider\x18\x16 \x01(\tR\bprovider\x12Z\n" +
-	"\x15rollingMaxUnavailable\x18\x17 \x01(\v2$.istio.operator.v1alpha1.IntOrStringR\x15rollingMaxUnavailable\"\x9c\x01\n" +
+	"\x15rollingMaxUnavailable\x18\x17 \x01(\v2$.istio.operator.v1alpha1.IntOrStringR\x15rollingMaxUnavailable\x12L\n" +
+	"\x13istioOwnedCNIConfig\x18# \x01(\v2\x1a.google.protobuf.BoolValueR\x13istioOwnedCNIConfig\x12@\n" +
+	"\x1bistioOwnedCNIConfigFileName\x18$ \x01(\tR\x1bistioOwnedCNIConfigFileName\"\x9c\x01\n" +
 	"\x0eCNIUsageConfig\x124\n" +
 	"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x128\n" +
 	"\achained\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueB\x02\x18\x01R\achained\x12\x1a\n" +
@@ -1078,7 +1138,7 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	" DefaultPodDisruptionBudgetConfig\x124\n" +
 	"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\"f\n" +
 	"\x16DefaultResourcesConfig\x12L\n" +
-	"\brequests\x18\x01 \x01(\v20.istio.operator.v1alpha1.ResourcesRequestsConfigR\brequests\"\xbb\x0f\n" +
+	"\brequests\x18\x01 \x01(\v20.istio.operator.v1alpha1.ResourcesRequestsConfigR\brequests\"\xfb\x0e\n" +
 	"\x13EgressGatewayConfig\x12F\n" +
 	"\x10autoscaleEnabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\x10autoscaleEnabled\x12\"\n" +
 	"\fautoscaleMax\x18\x02 \x01(\rR\fautoscaleMax\x12\"\n" +
@@ -1092,15 +1152,15 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\x04name\x18\x19 \x01(\tR\x04name\x12?\n" +
 	"\fnodeSelector\x18\n" +
 	" \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\fnodeSelector\x12C\n" +
-	"\x0epodAnnotations\x18\v \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12{\n" +
-	"\x1cpodAntiAffinityLabelSelector\x18\f \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorB\x02\x18\x01R\x1cpodAntiAffinityLabelSelector\x12\x83\x01\n" +
-	" podAntiAffinityTermLabelSelector\x18\r \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorB\x02\x18\x01R podAntiAffinityTermLabelSelector\x12:\n" +
+	"\x0epodAnnotations\x18\v \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12_\n" +
+	"\x1cpodAntiAffinityLabelSelector\x18\f \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x1cpodAntiAffinityLabelSelector\x12g\n" +
+	" podAntiAffinityTermLabelSelector\x18\r \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R podAntiAffinityTermLabelSelector\x12:\n" +
 	"\x05ports\x18\x0e \x03(\v2$.istio.operator.v1alpha1.PortsConfigR\x05ports\x12D\n" +
 	"\tresources\x18\x0f \x01(\v2\".istio.operator.v1alpha1.ResourcesB\x02\x18\x01R\tresources\x12K\n" +
 	"\rsecretVolumes\x18\x10 \x03(\v2%.istio.operator.v1alpha1.SecretVolumeR\rsecretVolumes\x12G\n" +
 	"\x12serviceAnnotations\x18\x11 \x01(\v2\x17.google.protobuf.StructR\x12serviceAnnotations\x12\x12\n" +
-	"\x04type\x18\x12 \x01(\tR\x04type\x12D\n" +
-	"\vtolerations\x18\x14 \x03(\v2\x1e.k8s.io.api.core.v1.TolerationB\x02\x18\x01R\vtolerations\x12R\n" +
+	"\x04type\x18\x12 \x01(\tR\x04type\x12=\n" +
+	"\vtolerations\x18\x14 \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\vtolerations\x12R\n" +
 	"\x0frollingMaxSurge\x18\x15 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x0frollingMaxSurge\x12^\n" +
 	"\x15rollingMaxUnavailable\x18\x16 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x15rollingMaxUnavailable\x12=\n" +
 	"\rconfigVolumes\x18\x17 \x03(\v2\x17.google.protobuf.StructR\rconfigVolumes\x12K\n" +
@@ -1121,15 +1181,15 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\x14istio_ingressgateway\x18\x04 \x01(\v2-.istio.operator.v1alpha1.IngressGatewayConfigR\x14istio-ingressgateway\x12@\n" +
 	"\x0fsecurityContext\x18\n" +
 	" \x01(\v2\x16.google.protobuf.ValueR\x0fsecurityContext\x12>\n" +
-	"\x0eseccompProfile\x18\f \x01(\v2\x16.google.protobuf.ValueR\x0eseccompProfile\"\xc7\x12\n" +
+	"\x0eseccompProfile\x18\f \x01(\v2\x16.google.protobuf.ValueR\x0eseccompProfile\"\xf1\x14\n" +
 	"\fGlobalConfig\x12;\n" +
 	"\x04arch\x18\x01 \x01(\v2#.istio.operator.v1alpha1.ArchConfigB\x02\x18\x01R\x04arch\x12 \n" +
 	"\vcertSigners\x18D \x03(\tR\vcertSigners\x12F\n" +
 	"\x10configValidation\x18\x03 \x01(\v2\x1a.google.protobuf.BoolValueR\x10configValidation\x12M\n" +
 	"\x13defaultNodeSelector\x18\x06 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x13defaultNodeSelector\x12y\n" +
 	"\x1adefaultPodDisruptionBudget\x18\a \x01(\v29.istio.operator.v1alpha1.DefaultPodDisruptionBudgetConfigR\x1adefaultPodDisruptionBudget\x12_\n" +
-	"\x10defaultResources\x18\t \x01(\v2/.istio.operator.v1alpha1.DefaultResourcesConfigB\x02\x18\x01R\x10defaultResources\x12R\n" +
-	"\x12defaultTolerations\x187 \x03(\v2\x1e.k8s.io.api.core.v1.TolerationB\x02\x18\x01R\x12defaultTolerations\x12\x10\n" +
+	"\x10defaultResources\x18\t \x01(\v2/.istio.operator.v1alpha1.DefaultResourcesConfigB\x02\x18\x01R\x10defaultResources\x12K\n" +
+	"\x12defaultTolerations\x187 \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x12defaultTolerations\x12\x10\n" +
 	"\x03hub\x18\f \x01(\tR\x03hub\x12(\n" +
 	"\x0fimagePullPolicy\x18\r \x01(\tR\x0fimagePullPolicy\x12*\n" +
 	"\x10imagePullSecrets\x18% \x03(\tR\x10imagePullSecrets\x12&\n" +
@@ -1169,13 +1229,19 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"ipFamilies\x12&\n" +
 	"\x0eipFamilyPolicy\x18G \x01(\tR\x0eipFamilyPolicy\x12C\n" +
 	"\bwaypoint\x18H \x01(\v2'.istio.operator.v1alpha1.WaypointConfigR\bwaypoint\x12(\n" +
-	"\x0ftrustBundleName\x18I \x01(\tR\x0ftrustBundleName\"-\n" +
+	"\x0ftrustBundleName\x18I \x01(\tR\x0ftrustBundleName\x12B\n" +
+	"\x0enativeNftables\x18J \x01(\v2\x1a.google.protobuf.BoolValueR\x0enativeNftables\x12R\n" +
+	"\rnetworkPolicy\x18K \x01(\v2,.istio.operator.v1alpha1.NetworkPolicyConfigR\rnetworkPolicy\x12L\n" +
+	"\rresourceScope\x18L \x01(\x0e2&.istio.operator.v1alpha1.ResourceScopeR\rresourceScope\x12I\n" +
+	"\fagentgateway\x18M \x01(\v2%.istio.operator.v1alpha1.AgentgatewayR\fagentgateway\"$\n" +
+	"\fAgentgateway\x12\x14\n" +
+	"\x05image\x18\x01 \x01(\tR\x05image\"-\n" +
 	"\tSTSConfig\x12 \n" +
 	"\vservicePort\x18\x01 \x01(\rR\vservicePort\"R\n" +
 	"\fIstiodConfig\x12B\n" +
 	"\x0eenableAnalysis\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\x0eenableAnalysis\"+\n" +
 	"\x13GlobalLoggingConfig\x12\x14\n" +
-	"\x05level\x18\x01 \x01(\tR\x05level\"\xb1\x11\n" +
+	"\x05level\x18\x01 \x01(\tR\x05level\"\xf1\x10\n" +
 	"\x14IngressGatewayConfig\x12F\n" +
 	"\x10autoscaleEnabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\x10autoscaleEnabled\x12\"\n" +
 	"\fautoscaleMax\x18\x02 \x01(\rR\fautoscaleMax\x12\"\n" +
@@ -1191,9 +1257,9 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\x18loadBalancerSourceRanges\x18\x11 \x03(\tR\x18loadBalancerSourceRanges\x12\x12\n" +
 	"\x04name\x18, \x01(\tR\x04name\x12?\n" +
 	"\fnodeSelector\x18\x13 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\fnodeSelector\x12C\n" +
-	"\x0epodAnnotations\x18\x14 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12{\n" +
-	"\x1cpodAntiAffinityLabelSelector\x18\x15 \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorB\x02\x18\x01R\x1cpodAntiAffinityLabelSelector\x12\x83\x01\n" +
-	" podAntiAffinityTermLabelSelector\x18\x16 \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorB\x02\x18\x01R podAntiAffinityTermLabelSelector\x12:\n" +
+	"\x0epodAnnotations\x18\x14 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12_\n" +
+	"\x1cpodAntiAffinityLabelSelector\x18\x15 \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x1cpodAntiAffinityLabelSelector\x12g\n" +
+	" podAntiAffinityTermLabelSelector\x18\x16 \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R podAntiAffinityTermLabelSelector\x12:\n" +
 	"\x05ports\x18\x17 \x03(\v2$.istio.operator.v1alpha1.PortsConfigR\x05ports\x12&\n" +
 	"\freplicaCount\x18\x18 \x01(\rB\x02\x18\x01R\freplicaCount\x129\n" +
 	"\tresources\x18\x19 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\tresources\x12K\n" +
@@ -1202,8 +1268,8 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\x04type\x18\x1d \x01(\tR\x04type\x12R\n" +
 	"\x0frollingMaxSurge\x18\x1f \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x0frollingMaxSurge\x12^\n" +
 	"\x15rollingMaxUnavailable\x18  \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x15rollingMaxUnavailable\x124\n" +
-	"\x15externalTrafficPolicy\x18\" \x01(\tR\x15externalTrafficPolicy\x12D\n" +
-	"\vtolerations\x18# \x03(\v2\x1e.k8s.io.api.core.v1.TolerationB\x02\x18\x01R\vtolerations\x12;\n" +
+	"\x15externalTrafficPolicy\x18\" \x01(\tR\x15externalTrafficPolicy\x12=\n" +
+	"\vtolerations\x18# \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\vtolerations\x12;\n" +
 	"\fingressPorts\x18$ \x03(\v2\x17.google.protobuf.StructR\fingressPorts\x12K\n" +
 	"\x14additionalContainers\x18% \x03(\v2\x17.google.protobuf.StructR\x14additionalContainers\x12=\n" +
 	"\rconfigVolumes\x18& \x03(\v2\x17.google.protobuf.StructR\rconfigVolumes\x128\n" +
@@ -1226,7 +1292,7 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\x04mode\x18\x02 \x01(\x0e29.istio.operator.v1alpha1.OutboundTrafficPolicyConfig.ModeR\x04mode\"(\n" +
 	"\x04Mode\x12\r\n" +
 	"\tALLOW_ANY\x10\x00\x12\x11\n" +
-	"\rREGISTRY_ONLY\x10\x01\"\x98\x13\n" +
+	"\rREGISTRY_ONLY\x10\x01\"\x8d\x13\n" +
 	"\vPilotConfig\x124\n" +
 	"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x12F\n" +
 	"\x10autoscaleEnabled\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\x10autoscaleEnabled\x12\"\n" +
@@ -1243,23 +1309,23 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\x10deploymentLabels\x18\x0e \x01(\v2\x17.google.protobuf.StructR\x10deploymentLabels\x125\n" +
 	"\tpodLabels\x18$ \x01(\v2\x17.google.protobuf.StructR\tpodLabels\x128\n" +
 	"\tconfigMap\x18\x12 \x01(\v2\x1a.google.protobuf.BoolValueR\tconfigMap\x12)\n" +
-	"\x03env\x18\x15 \x01(\v2\x17.google.protobuf.StructR\x03env\x128\n" +
-	"\baffinity\x18\x16 \x01(\v2\x1c.k8s.io.api.core.v1.AffinityR\baffinity\x12R\n" +
+	"\x03env\x18\x15 \x01(\v2\x17.google.protobuf.StructR\x03env\x123\n" +
+	"\baffinity\x18\x16 \x01(\v2\x17.google.protobuf.StructR\baffinity\x12R\n" +
 	"\x0frollingMaxSurge\x18\x18 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x0frollingMaxSurge\x12^\n" +
-	"\x15rollingMaxUnavailable\x18\x19 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x15rollingMaxUnavailable\x12D\n" +
-	"\vtolerations\x18\x1a \x03(\v2\x1e.k8s.io.api.core.v1.TolerationB\x02\x18\x01R\vtolerations\x12C\n" +
+	"\x15rollingMaxUnavailable\x18\x19 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x15rollingMaxUnavailable\x12=\n" +
+	"\vtolerations\x18\x1a \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\vtolerations\x12C\n" +
 	"\x0epodAnnotations\x18\x1e \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12G\n" +
 	"\x12serviceAnnotations\x18% \x01(\v2\x17.google.protobuf.StructR\x12serviceAnnotations\x12U\n" +
 	"\x19serviceAccountAnnotations\x188 \x01(\v2\x17.google.protobuf.StructR\x19serviceAccountAnnotations\x128\n" +
 	"\x17jwksResolverExtraRootCA\x18  \x01(\tR\x17jwksResolverExtraRootCA\x12\x10\n" +
 	"\x03hub\x18\" \x01(\tR\x03hub\x12(\n" +
 	"\x03tag\x18# \x01(\v2\x16.google.protobuf.ValueR\x03tag\x12\x18\n" +
-	"\avariant\x18' \x01(\tR\avariant\x12J\n" +
-	"\x0eseccompProfile\x18& \x01(\v2\".k8s.io.api.core.v1.SeccompProfileR\x0eseccompProfile\x12j\n" +
-	"\x19topologySpreadConstraints\x18) \x03(\v2,.k8s.io.api.core.v1.TopologySpreadConstraintR\x19topologySpreadConstraints\x12G\n" +
-	"\x12extraContainerArgs\x18* \x03(\v2\x17.google.protobuf.StructR\x12extraContainerArgs\x12C\n" +
-	"\fvolumeMounts\x181 \x03(\v2\x1f.k8s.io.api.core.v1.VolumeMountR\fvolumeMounts\x124\n" +
-	"\avolumes\x183 \x03(\v2\x1a.k8s.io.api.core.v1.VolumeR\avolumes\x12\x1e\n" +
+	"\avariant\x18' \x01(\tR\avariant\x12?\n" +
+	"\x0eseccompProfile\x18& \x01(\v2\x17.google.protobuf.StructR\x0eseccompProfile\x12U\n" +
+	"\x19topologySpreadConstraints\x18) \x03(\v2\x17.google.protobuf.StructR\x19topologySpreadConstraints\x12G\n" +
+	"\x12extraContainerArgs\x18* \x03(\v2\x17.google.protobuf.StructR\x12extraContainerArgs\x12;\n" +
+	"\fvolumeMounts\x181 \x03(\v2\x17.google.protobuf.StructR\fvolumeMounts\x121\n" +
+	"\avolumes\x183 \x03(\v2\x17.google.protobuf.StructR\avolumes\x12\x1e\n" +
 	"\n" +
 	"ipFamilies\x184 \x03(\tR\n" +
 	"ipFamilies\x12&\n" +
@@ -1271,7 +1337,8 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\fistiodRemote\x18= \x01(\v2+.istio.operator.v1alpha1.IstiodRemoteConfigR\fistiodRemote\x127\n" +
 	"\n" +
 	"envVarFrom\x18> \x03(\v2\x17.google.protobuf.StructR\n" +
-	"envVarFrom\"T\n" +
+	"envVarFrom\x12*\n" +
+	"\x10crlConfigMapName\x18? \x01(\tR\x10crlConfigMapName\"T\n" +
 	"\x1aPilotTaintControllerConfig\x12\x18\n" +
 	"\aenabled\x18\x01 \x01(\bR\aenabled\x12\x1c\n" +
 	"\tnamespace\x18\x02 \x01(\tR\tnamespace\"\xc6\x01\n" +
@@ -1301,7 +1368,8 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\n" +
 	"targetPort\x18\x04 \x01(\x05R\n" +
 	"targetPort\x12\x1a\n" +
-	"\bprotocol\x18\x05 \x01(\tR\bprotocol\"\xca\t\n" +
+	"\bprotocol\x18\x05 \x01(\tR\bprotocol\"\x85\n" +
+	"\n" +
 	"\vProxyConfig\x12\x1e\n" +
 	"\n" +
 	"autoInject\x18\x04 \x01(\tR\n" +
@@ -1320,15 +1388,16 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"privileged\x12B\n" +
 	"\x1creadinessInitialDelaySeconds\x18\x14 \x01(\rR\x1creadinessInitialDelaySeconds\x126\n" +
 	"\x16readinessPeriodSeconds\x18\x15 \x01(\rR\x16readinessPeriodSeconds\x12<\n" +
-	"\x19readinessFailureThreshold\x18\x16 \x01(\rR\x19readinessFailureThreshold\x12I\n" +
+	"\x19readinessFailureThreshold\x18\x16 \x01(\rR\x19readinessFailureThreshold\x12?\n" +
+	"\x0eseccompProfile\x18+ \x01(\v2\x17.google.protobuf.StructR\x0eseccompProfile\x12I\n" +
 	"\fstartupProbe\x18) \x01(\v2%.istio.operator.v1alpha1.StartupProbeR\fstartupProbe\x12\x1e\n" +
 	"\n" +
 	"statusPort\x18\x17 \x01(\rR\n" +
 	"statusPort\x12D\n" +
 	"\tresources\x18\x18 \x01(\v2\".istio.operator.v1alpha1.ResourcesB\x02\x18\x01R\tresources\x127\n" +
 	"\x06tracer\x18\x19 \x01(\x0e2\x1f.istio.operator.v1alpha1.tracerR\x06tracer\x122\n" +
-	"\x14excludeOutboundPorts\x18\x1c \x01(\tR\x14excludeOutboundPorts\x12;\n" +
-	"\tlifecycle\x18$ \x01(\v2\x1d.k8s.io.api.core.v1.LifecycleR\tlifecycle\x12h\n" +
+	"\x14excludeOutboundPorts\x18\x1c \x01(\tR\x14excludeOutboundPorts\x125\n" +
+	"\tlifecycle\x18$ \x01(\v2\x17.google.protobuf.StructR\tlifecycle\x12h\n" +
 	"\x1fholdApplicationUntilProxyStarts\x18% \x01(\v2\x1a.google.protobuf.BoolValueB\x02\x18\x01R\x1fholdApplicationUntilProxyStarts\x120\n" +
 	"\x13includeInboundPorts\x18& \x01(\tR\x13includeInboundPorts\x122\n" +
 	"\x14includeOutboundPorts\x18' \x01(\tR\x14includeOutboundPorts\"p\n" +
@@ -1348,12 +1417,12 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\x04name\x18\x02 \x01(\tR\x04name\x12\x1e\n" +
 	"\n" +
 	"secretName\x18\x03 \x01(\tR\n" +
-	"secretName\"\x91\x05\n" +
+	"secretName\"\xd9\x04\n" +
 	"\x15SidecarInjectorConfig\x12X\n" +
 	"\x19enableNamespacesByDefault\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\x19enableNamespacesByDefault\x12.\n" +
-	"\x12reinvocationPolicy\x18\x03 \x01(\tR\x12reinvocationPolicy\x12e\n" +
-	"\x13neverInjectSelector\x18\v \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x13neverInjectSelector\x12g\n" +
-	"\x14alwaysInjectSelector\x18\f \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x14alwaysInjectSelector\x12L\n" +
+	"\x12reinvocationPolicy\x18\x03 \x01(\tR\x12reinvocationPolicy\x12I\n" +
+	"\x13neverInjectSelector\x18\v \x03(\v2\x17.google.protobuf.StructR\x13neverInjectSelector\x12K\n" +
+	"\x14alwaysInjectSelector\x18\f \x03(\v2\x17.google.protobuf.StructR\x14alwaysInjectSelector\x12L\n" +
 	"\x13rewriteAppHTTPProbe\x18\x10 \x01(\v2\x1a.google.protobuf.BoolValueR\x13rewriteAppHTTPProbe\x12I\n" +
 	"\x13injectedAnnotations\x18\x13 \x01(\v2\x17.google.protobuf.StructR\x13injectedAnnotations\x12\"\n" +
 	"\finjectionURL\x18\x16 \x01(\tR\finjectionURL\x125\n" +
@@ -1383,12 +1452,13 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\rvalidationURL\x18\x02 \x01(\tR\rvalidationURL\x12P\n" +
 	"\x15enableIstioConfigCRDs\x18\x03 \x01(\v2\x1a.google.protobuf.BoolValueR\x15enableIstioConfigCRDs\x12D\n" +
 	"\x0fvalidateGateway\x18\x04 \x01(\v2\x1a.google.protobuf.BoolValueR\x0fvalidateGateway\x12.\n" +
-	"\x12validationCABundle\x18\x05 \x01(\tR\x12validationCABundle\"\xc2\x01\n" +
+	"\x12validationCABundle\x18\x05 \x01(\tR\x12validationCABundle\"\x9e\x02\n" +
 	"\x12IstiodRemoteConfig\x12\"\n" +
 	"\finjectionURL\x18\x01 \x01(\tR\finjectionURL\x12$\n" +
 	"\rinjectionPath\x18\x02 \x01(\tR\rinjectionPath\x12,\n" +
 	"\x11injectionCABundle\x18\x03 \x01(\tR\x11injectionCABundle\x124\n" +
-	"\aenabled\x18\x05 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\"\xd7\b\n" +
+	"\aenabled\x18\x05 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x12Z\n" +
+	"\x1aenabledLocalInjectorIstiod\x18\x06 \x01(\v2\x1a.google.protobuf.BoolValueR\x1aenabledLocalInjectorIstiod\"\xd7\b\n" +
 	"\x06Values\x124\n" +
 	"\x03cni\x18\x02 \x01(\v2\".istio.operator.v1alpha1.CNIConfigR\x03cni\x12C\n" +
 	"\bgateways\x18\x05 \x01(\v2'.istio.operator.v1alpha1.GatewaysConfigR\bgateways\x12=\n" +
@@ -1417,15 +1487,22 @@ const filePkgApisValuesTypesProtoRawDesc = "" +
 	"\vIntOrString\x12\x12\n" +
 	"\x04type\x18\x01 \x01(\x03R\x04type\x123\n" +
 	"\x06intVal\x18\x02 \x01(\v2\x1b.google.protobuf.Int32ValueR\x06intVal\x124\n" +
-	"\x06strVal\x18\x03 \x01(\v2\x1c.google.protobuf.StringValueR\x06strVal\"\xfe\x02\n" +
+	"\x06strVal\x18\x03 \x01(\v2\x1c.google.protobuf.StringValueR\x06strVal\"\xd4\x02\n" +
 	"\x0eWaypointConfig\x12@\n" +
-	"\tresources\x18\x01 \x01(\v2\".istio.operator.v1alpha1.ResourcesR\tresources\x128\n" +
-	"\baffinity\x18\x02 \x01(\v2\x1c.k8s.io.api.core.v1.AffinityR\baffinity\x12j\n" +
-	"\x19topologySpreadConstraints\x18\x03 \x03(\v2,.k8s.io.api.core.v1.TopologySpreadConstraintR\x19topologySpreadConstraints\x12D\n" +
-	"\fnodeSelector\x18\x04 \x01(\v2 .k8s.io.api.core.v1.NodeSelectorR\fnodeSelector\x12>\n" +
+	"\tresources\x18\x01 \x01(\v2\".istio.operator.v1alpha1.ResourcesR\tresources\x123\n" +
+	"\baffinity\x18\x02 \x01(\v2\x17.google.protobuf.StructR\baffinity\x12U\n" +
+	"\x19topologySpreadConstraints\x18\x03 \x03(\v2\x17.google.protobuf.StructR\x19topologySpreadConstraints\x12;\n" +
+	"\fnodeSelector\x18\x04 \x01(\v2\x17.google.protobuf.StructR\fnodeSelector\x127\n" +
 	"\n" +
-	"toleration\x18\x05 \x03(\v2\x1e.k8s.io.api.core.v1.TolerationR\n" +
-	"toleration*J\n" +
+	"toleration\x18\x05 \x03(\v2\x17.google.protobuf.StructR\n" +
+	"toleration\"K\n" +
+	"\x13NetworkPolicyConfig\x124\n" +
+	"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled*C\n" +
+	"\rResourceScope\x12\r\n" +
+	"\tundefined\x10\x00\x12\a\n" +
+	"\x03all\x10\x01\x12\v\n" +
+	"\acluster\x10\x02\x12\r\n" +
+	"\tnamespace\x10\x03*J\n" +
 	"\x15ingressControllerMode\x12\x0f\n" +
 	"\vUNSPECIFIED\x10\x00\x12\v\n" +
 	"\aDEFAULT\x10\x01\x12\n" +
@@ -1474,6 +1551,9 @@ type CNIGlobalConfig struct { // Default k8s resources settings for all Istio co
 	// An empty value means it is a vanilla Kubernetes distribution, therefore no special
 	// treatment will be considered.
 	Platform *string `json:"platform,omitempty"`
+
+	// Specifies whether native nftables rules should be used instead of iptables rules for traffic redirection.
+	NativeNftables *bool `json:"nativeNftables,omitempty"`
 }
 
 // Resource describes the source of configuration
@@ -1569,6 +1649,30 @@ const (
 	MeshConfigInboundTrafficPolicyModeLocalhost MeshConfigInboundTrafficPolicyMode = "LOCALHOST"
 )
 
+// The scope of the matching service. Used to determine if the service is available locally
+// (cluster local) or globally (mesh-wide).
+// +kubebuilder:validation:Enum=LOCAL;GLOBAL
+type MeshConfigServiceScopeConfigsScope string
+
+const (
+	MeshConfigServiceScopeConfigsScopeLocal  MeshConfigServiceScopeConfigsScope = "LOCAL"
+	MeshConfigServiceScopeConfigsScopeGlobal MeshConfigServiceScopeConfigsScope = "GLOBAL"
+)
+
+// Available trace context options for handling different trace header formats.
+// +kubebuilder:validation:Enum=USE_B3;USE_B3_WITH_W3C_PROPAGATION
+type MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption string
+
+const (
+	// Use B3 headers only (default behavior).
+	MeshConfigExtensionProviderZipkinTracingProviderTraceContextOptionUseB3 MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption = "USE_B3"
+	// Enable B3 and W3C dual header support:
+	// - For downstream: Extract from B3 headers first, fallback to W3C traceparent if B3 is unavailable.
+	// - For upstream: Inject both B3 and W3C traceparent headers.
+	// When this option is NOT set, only B3 headers are used for both extraction and injection.
+	MeshConfigExtensionProviderZipkinTracingProviderTraceContextOptionUseB3WithW3cPropagation MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption = "USE_B3_WITH_W3C_PROPAGATION"
+)
+
 // TraceContext selects the context propagation headers used for
 // distributed tracing.
 // +kubebuilder:validation:Enum=UNSPECIFIED;W3C_TRACE_CONTEXT;GRPC_BIN;CLOUD_TRACE_CONTEXT;B3
@@ -1642,6 +1746,14 @@ type MeshConfig struct {
 	// Connection timeout used by Envoy. (MUST be >=1ms)
 	// Default timeout is 10s.
 	ConnectTimeout *metav1.Duration `json:"connectTimeout,omitempty"`
+	// Idle timeout configured on Envoy proxies for their connection pools to ztunnel via HBONE.
+	// This controls how long Envoy will keep idle connections to ztunnel before closing them.
+	// Note: This setting is applied only on the Envoy proxy side; ztunnel does not use it.
+	// Default timeout is 1 hour (3600s).
+	// For environments with aggressive IP address reuse, it is recommended to set
+	// this to a value less than the CNI IP cooldown period to prevent stale connection reuse.
+	// For example, if your CNI has a 30s cooldown period, setting this to 15s is recommended.
+	HboneIdleTimeout *metav1.Duration `json:"hboneIdleTimeout,omitempty"`
 	// +hidefromdoc
 	// Automatic protocol detection uses a set of heuristics to
 	// determine whether the connection is using TLS or not (on the
@@ -1857,6 +1969,8 @@ type MeshConfig struct {
 	// +hidefromdoc
 	// Settings to be applied to select services.
 	ServiceSettings []*MeshConfigServiceSettings `json:"serviceSettings,omitempty"`
+	// Scope to be applied to select services.
+	ServiceScopeConfigs []*MeshConfigServiceScopeConfigs `json:"serviceScopeConfigs,omitempty"`
 	// If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
 	// and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod
 	// and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
@@ -1963,7 +2077,6 @@ type MeshConfig struct {
 	// Note: Mesh mTLS does not respect ECDH curves.
 	MeshMTLS *MeshConfigTLSConfig `json:"meshMTLS,omitempty"`
 	// Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
-	// Currently, this supports configuration of ecdhCurves and cipherSuites only.
 	// For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.
 	TlsDefaults *MeshConfigTLSConfig `json:"tlsDefaults,omitempty"`
 }
@@ -2068,6 +2181,14 @@ type MeshConfigCertificateData struct {
 //   - "bar.baz.svc.cluster.local"
 //
 // ```
+//
+// When in ambient mode, if ServiceSettings are defined they will be considered in addition to the
+// ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a
+// global service scope selector, the service will be considered cluster local. If a service is
+// considered global by ServiceSettings and does not match a global service scope selector
+// the serive will be considered local. Local scope takes precedence over global scope. Since
+// ServiceScopeConfigs is local by default, all services are considered local unless it is considered
+// global by ServiceSettings AND ServiceScopeConfigs.
 type MeshConfigServiceSettings struct {
 	// The settings to apply to the selected services.
 	Settings *MeshConfigServiceSettingsSettings `json:"settings,omitempty"`
@@ -2078,6 +2199,43 @@ type MeshConfigServiceSettings struct {
 	Hosts []string `json:"hosts,omitempty"`
 }
 
+// Configuration for ambient mode multicluster service scope. This setting allows mesh administrators
+// to define the criteria by which the cluster's control plane determines which services in other
+// clusters in the mesh are treated as global (accessible across multiple clusters) versus local
+// (restricted to a single cluster). The configuration can be applied to services based on namespace
+// and/or other matching criteria. This is particularly  useful in multicluster service mesh deployments
+// to control service visibility and access across clusters. This API is not intended to enforce
+// security policies. Resources like DestinationRules should be used to enforce authorization policies.
+// If a service matches a global service scope selector, the service's endpoints will be globally
+// exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster
+// services.
+//
+// For example, the following configures the scope of all services with the "istio.io/global" label
+// in matching namespaces to be available globally:
+//
+// ```yaml
+// serviceScopeConfigs:
+//   - namespacesSelector:
+//     matchExpressions:
+//   - key: istio.io/global
+//     operator: In
+//     values: [true]
+//     servicesSelector:
+//     matchExpressions:
+//   - key: istio.io/global
+//     operator: Exists
+//     scope: GLOBAL
+//
+// ```
+type MeshConfigServiceScopeConfigs struct {
+	// Match expression for namespaces.
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+	// Match expression for serivces.
+	ServicesSelector *metav1.LabelSelector `json:"servicesSelector,omitempty"`
+	// Specifics the available scope for matching services.
+	Scope MeshConfigServiceScopeConfigsScope `json:"scope,omitempty"`
+}
+
 type MeshConfigCA struct {
 	// REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
 	// Can be IP address or a fully qualified DNS name with port
@@ -2100,7 +2258,7 @@ type MeshConfigCA struct {
 	IstiodSide *bool `json:"istiodSide,omitempty"`
 }
 
-// +kubebuilder:validation:XValidation:message="At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc zipkin lightstep datadog stackdriver opencensus skywalking opentelemetry prometheus envoyFileAccessLog envoyHttpAls envoyTcpAls envoyOtelAls] should be set",rule="(has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) <= 1"
+// +kubebuilder:validation:XValidation:message="At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc zipkin lightstep datadog stackdriver opencensus skywalking opentelemetry prometheus envoyFileAccessLog envoyHttpAls envoyTcpAls envoyOtelAls sds] should be set",rule="(has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) + (has(self.sds)?1:0) <= 1"
 type MeshConfigExtensionProvider struct {
 	// REQUIRED. A unique name identifying the extension provider.
 	// +kubebuilder:validation:Required
@@ -2156,6 +2314,12 @@ type MeshConfigExtensionProvider struct {
 
 	// Configures an Envoy Open Telemetry Access Logging Service provider.
 	EnvoyOtelAls *MeshConfigExtensionProviderEnvoyOpenTelemetryLogProvider `json:"envoyOtelAls,omitempty"`
+
+	// Configures an Extension Provider for SDS. This can be used to
+	// configure an external SDS service to supply secrets for certain Gateways for example.
+	// This is useful for scenarios where the secrets are stored in an external secret store like Vault.
+	// The secret should be configured with sds://provider-name format.
+	Sds *MeshConfigExtensionProviderSDSProvider `json:"sds,omitempty"`
 }
 
 // Holds the name references to the providers that will be used by default
@@ -2391,6 +2555,16 @@ type MeshConfigExtensionProviderZipkinTracingProvider struct {
 	// Optional. Specifies the endpoint of Zipkin API.
 	// The default value is "/api/v2/spans".
 	Path *string `json:"path,omitempty"`
+	// Optional. Determines which trace context format to use for trace header extraction and propagation.
+	// This controls both downstream request header extraction and upstream request header injection.
+	// The default value is USE_B3 to maintain backward compatibility.
+	TraceContextOption MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption `json:"traceContextOption,omitempty"`
+	// Optional. The timeout for the HTTP request to the Zipkin collector.
+	// If not specified, the default timeout from Envoy's configuration will be used (which is 5 seconds currently).
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+	// Optional. Additional HTTP headers to include in the request to the Zipkin collector.
+	// These headers will be added to the HTTP request when sending spans to the collector.
+	Headers []*MeshConfigExtensionProviderHttpHeader `json:"headers,omitempty"`
 }
 
 // Defines configuration for a Lightstep tracer.
@@ -2767,6 +2941,24 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct {
 	DynatraceSampler *MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler `json:"dynatraceSampler,omitempty"`
 }
 
+// Defines configuration for an Gateway SDS provider.
+type MeshConfigExtensionProviderSDSProvider struct {
+	// REQUIRED. Specifies the name of the provider. This should be used to configure the Gateway SDS.
+	// +kubebuilder:validation:Required
+	Name *string `json:"name"`
+	// REQUIRED. Specifies the service that implements the  SDS service.
+	// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+	// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+	// service defined by the Kubernetes service or ServiceEntry.
+	//
+	// Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com".
+	// +kubebuilder:validation:Required
+	Service *string `json:"service"`
+	// REQUIRED. Specifies the port of the service.
+	// +kubebuilder:validation:Required
+	Port *uint32 `json:"port"`
+}
+
 // Defines configuration for an HTTP service that can be used by an Extension Provider.
 // that does communication via HTTP.
 type MeshConfigExtensionProviderHttpService struct {
@@ -2943,13 +3135,14 @@ type MeshConfigExtensionProviderResourceDetectorsDynatraceResourceDetector struc
 
 const fileMeshV1alpha1ConfigProtoRawDesc = "" +
 	"\n" +
-	"\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a)networking/v1alpha3/virtual_service.proto\"\xebh\n" +
+	"\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a)networking/v1alpha3/virtual_service.proto\"\x83q\n" +
 	"\n" +
 	"MeshConfig\x12*\n" +
 	"\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x129\n" +
 	"\x19proxy_inbound_listen_port\x18A \x01(\x05R\x16proxyInboundListenPort\x12&\n" +
 	"\x0fproxy_http_port\x18\x05 \x01(\x05R\rproxyHttpPort\x12B\n" +
-	"\x0fconnect_timeout\x18\x06 \x01(\v2\x19.google.protobuf.DurationR\x0econnectTimeout\x12W\n" +
+	"\x0fconnect_timeout\x18\x06 \x01(\v2\x19.google.protobuf.DurationR\x0econnectTimeout\x12G\n" +
+	"\x12hbone_idle_timeout\x18F \x01(\v2\x19.google.protobuf.DurationR\x10hboneIdleTimeout\x12W\n" +
 	"\x1aprotocol_detection_timeout\x18* \x01(\v2\x19.google.protobuf.DurationR\x18protocolDetectionTimeout\x12o\n" +
 	"\rtcp_keepalive\x18\x1c \x01(\v2J.istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepaliveR\ftcpKeepalive\x12#\n" +
 	"\ringress_class\x18\a \x01(\tR\fingressClass\x12'\n" +
@@ -2980,7 +3173,8 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" +
 	"\x19inbound_cluster_stat_name\x18, \x01(\tR\x16inboundClusterStatName\x12;\n" +
 	"\x1aoutbound_cluster_stat_name\x18- \x01(\tR\x17outboundClusterStatName\x12H\n" +
 	"\fcertificates\x18/ \x03(\v2 .istio.mesh.v1alpha1.CertificateB\x02\x18\x01R\fcertificates\x12Z\n" +
-	"\x10service_settings\x182 \x03(\v2/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12R\n" +
+	"\x10service_settings\x182 \x03(\v2/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12g\n" +
+	"\x15service_scope_configs\x18C \x03(\v23.istio.mesh.v1alpha1.MeshConfig.ServiceScopeConfigsR\x13serviceScopeConfigs\x12R\n" +
 	"\x17enable_prometheus_merge\x183 \x01(\v2\x1a.google.protobuf.BoolValueR\x15enablePrometheusMerge\x12_\n" +
 	"\x1cverify_certificate_at_client\x186 \x01(\v2\x1a.google.protobuf.BoolValueB\x02\x18\x01R\x19verifyCertificateAtClient\x122\n" +
 	"\x02ca\x187 \x01(\v2\".istio.mesh.v1alpha1.MeshConfig.CAR\x02ca\x12b\n" +
@@ -3011,13 +3205,21 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" +
 	"\bsettings\x18\x01 \x01(\v28.istio.mesh.v1alpha1.MeshConfig.ServiceSettings.SettingsR\bsettings\x12\x14\n" +
 	"\x05hosts\x18\x02 \x03(\tR\x05hosts\x1a/\n" +
 	"\bSettings\x12#\n" +
-	"\rcluster_local\x18\x01 \x01(\bR\fclusterLocal\x1a\xd4\x01\n" +
+	"\rcluster_local\x18\x01 \x01(\bR\fclusterLocal\x1a\xaa\x02\n" +
+	"\x13ServiceScopeConfigs\x12Q\n" +
+	"\x12namespace_selector\x18\x01 \x01(\v2\".istio.mesh.v1alpha1.LabelSelectorR\x11namespaceSelector\x12O\n" +
+	"\x11services_selector\x18\x02 \x01(\v2\".istio.mesh.v1alpha1.LabelSelectorR\x10servicesSelector\x12O\n" +
+	"\x05scope\x18\x03 \x01(\x0e29.istio.mesh.v1alpha1.MeshConfig.ServiceScopeConfigs.ScopeR\x05scope\"\x1e\n" +
+	"\x05Scope\x12\t\n" +
+	"\x05LOCAL\x10\x00\x12\n" +
+	"\n" +
+	"\x06GLOBAL\x10\x01\x1a\xd4\x01\n" +
 	"\x02CA\x12\x18\n" +
 	"\aaddress\x18\x01 \x01(\tR\aaddress\x12O\n" +
 	"\ftls_settings\x18\x02 \x01(\v2,.istio.networking.v1alpha3.ClientTLSSettingsR\vtlsSettings\x12B\n" +
 	"\x0frequest_timeout\x18\x03 \x01(\v2\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n" +
 	"\vistiod_side\x18\x04 \x01(\bR\n" +
-	"istiodSide\x1a\xcc=\n" +
+	"istiodSide\x1a\xcfA\n" +
 	"\x11ExtensionProvider\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x8b\x01\n" +
 	"\x14envoy_ext_authz_http\x18\x02 \x01(\v2X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11envoyExtAuthzHttp\x12\x8b\x01\n" +
@@ -3040,7 +3242,8 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" +
 	"\x15envoy_file_access_log\x18\v \x01(\v2L.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProviderH\x00R\x12envoyFileAccessLog\x12t\n" +
 	"\x0eenvoy_http_als\x18\f \x01(\v2L.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProviderH\x00R\fenvoyHttpAls\x12q\n" +
 	"\renvoy_tcp_als\x18\r \x01(\v2K.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProviderH\x00R\venvoyTcpAls\x12w\n" +
-	"\x0eenvoy_otel_als\x18\x0e \x01(\v2O.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProviderH\x00R\fenvoyOtelAls\x1a\xab\x01\n" +
+	"\x0eenvoy_otel_als\x18\x0e \x01(\v2O.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProviderH\x00R\fenvoyOtelAls\x12Q\n" +
+	"\x03sds\x18\x10 \x01(\v2=.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SDSProviderH\x00R\x03sds\x1a\xab\x01\n" +
 	"%EnvoyExternalAuthorizationRequestBody\x12*\n" +
 	"\x11max_request_bytes\x18\x01 \x01(\rR\x0fmaxRequestBytes\x122\n" +
 	"\x15allow_partial_message\x18\x02 \x01(\bR\x13allowPartialMessage\x12\"\n" +
@@ -3072,13 +3275,20 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" +
 	"\tfail_open\x18\x03 \x01(\bR\bfailOpen\x12*\n" +
 	"\x11clear_route_cache\x18\a \x01(\bR\x0fclearRouteCache\x12&\n" +
 	"\x0fstatus_on_error\x18\x04 \x01(\tR\rstatusOnError\x12\x99\x01\n" +
-	"\x1dinclude_request_body_in_check\x18\x06 \x01(\v2W.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBodyR\x19includeRequestBodyInCheck\x1a\xb2\x01\n" +
+	"\x1dinclude_request_body_in_check\x18\x06 \x01(\v2W.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBodyR\x19includeRequestBodyInCheck\x1a\x91\x04\n" +
 	"\x15ZipkinTracingProvider\x12\x18\n" +
 	"\aservice\x18\x01 \x01(\tR\aservice\x12\x12\n" +
 	"\x04port\x18\x02 \x01(\rR\x04port\x12$\n" +
 	"\x0emax_tag_length\x18\x03 \x01(\rR\fmaxTagLength\x121\n" +
 	"\x15enable_64bit_trace_id\x18\x04 \x01(\bR\x12enable64bitTraceId\x12\x12\n" +
-	"\x04path\x18\x05 \x01(\tR\x04path\x1a\x91\x01\n" +
+	"\x04path\x18\x05 \x01(\tR\x04path\x12\x8c\x01\n" +
+	"\x14trace_context_option\x18\x06 \x01(\x0e2Z.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider.TraceContextOptionR\x12traceContextOption\x123\n" +
+	"\atimeout\x18\a \x01(\v2\x19.google.protobuf.DurationR\atimeout\x12V\n" +
+	"\aheaders\x18\b \x03(\v2<.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.HttpHeaderR\aheaders\"A\n" +
+	"\x12TraceContextOption\x12\n" +
+	"\n" +
+	"\x06USE_B3\x10\x00\x12\x1f\n" +
+	"\x1bUSE_B3_WITH_W3C_PROPAGATION\x10\x01\x1a\x91\x01\n" +
 	"\x18LightstepTracingProvider\x12\x18\n" +
 	"\aservice\x18\x01 \x01(\tR\aservice\x12\x12\n" +
 	"\x04port\x18\x02 \x01(\rR\x04port\x12!\n" +
@@ -3167,7 +3377,11 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" +
 	"\x04port\x18\x02 \x01(\rR\x04port\x12Q\n" +
 	"\x04http\x18\x03 \x01(\v2=.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.HttpServiceR\x04httpB\n" +
 	"\n" +
-	"\bsampling\x1a\xae\x01\n" +
+	"\bsampling\x1aO\n" +
+	"\vSDSProvider\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x18\n" +
+	"\aservice\x18\x02 \x01(\tR\aservice\x12\x12\n" +
+	"\x04port\x18\x03 \x01(\rR\x04port\x1a\xae\x01\n" +
 	"\vHttpService\x12\x12\n" +
 	"\x04path\x18\x01 \x01(\tR\x04path\x123\n" +
 	"\atimeout\x18\x02 \x01(\v2\x19.google.protobuf.DurationR\atimeout\x12V\n" +
@@ -3226,7 +3440,7 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" +
 	"\x0fH2UpgradePolicy\x12\x12\n" +
 	"\x0eDO_NOT_UPGRADE\x10\x00\x12\v\n" +
 	"\aUPGRADE\x10\x01J\x04\b1\x102J\x04\b\x01\x10\x02J\x04\b\x02\x10\x03J\x04\b\x03\x10\x04J\x04\b0\x101J\x04\b\x19\x10\x1aJ\x04\b\x1e\x10\x1fJ\x04\b\n" +
-	"\x10\vJ\x04\b\v\x10\fJ\x04\b\x0f\x10\x10J\x04\b\x10\x10\x11J\x04\b\x12\x10\x13J\x04\b\x13\x10\x14J\x04\b\x14\x10\x15J\x04\b\x15\x10\x16J\x04\b\x17\x10\x18J\x04\b\x1d\x10\x1eJ\x04\b5\x106J\x04\b%\x10&J\x04\b&\x10'J\x04\b'\x10(R\rthrift_configR\x12mixer_check_serverR\x13mixer_report_serverR\x15disable_policy_checksR\x1adisable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\vauth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1fenable_client_side_policy_checkR\fsds_uds_pathR\x11sds_refresh_delayR\x16enable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14disable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_time\"\x81\x02\n" +
+	"\x10\vJ\x04\b\v\x10\fJ\x04\b\x0f\x10\x10J\x04\b\x10\x10\x11J\x04\b\x12\x10\x13J\x04\b\x13\x10\x14J\x04\b\x14\x10\x15J\x04\b\x15\x10\x16J\x04\b\x17\x10\x18J\x04\b\x1d\x10\x1eJ\x04\b5\x106J\x04\b%\x10&J\x04\b&\x10'J\x04\b'\x10(J\x04\bD\x10EJ\x04\bE\x10FR\rthrift_configR\x12mixer_check_serverR\x13mixer_report_serverR\x15disable_policy_checksR\x1adisable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\vauth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1fenable_client_side_policy_checkR\fsds_uds_pathR\x11sds_refresh_delayR\x16enable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14disable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_timeR\x13file_flush_intervalR\x13file_flush_min_size\"\x81\x02\n" +
 	"\rLabelSelector\x12U\n" +
 	"\vmatchLabels\x18\x01 \x03(\v23.istio.mesh.v1alpha1.LabelSelector.MatchLabelsEntryR\vmatchLabels\x12Y\n" +
 	"\x10matchExpressions\x18\x02 \x03(\v2-.istio.mesh.v1alpha1.LabelSelectorRequirementR\x10matchExpressions\x1a>\n" +
@@ -3818,7 +4032,7 @@ type MeshConfigProxyConfig struct {
 	// ```yaml
 	// proxyHeaders:
 	//
-	//	perserveHttp1HeaderCase: true
+	//	preserveHttp1HeaderCase: true
 	//
 	// ```
 	//
@@ -3841,6 +4055,19 @@ type MeshConfigProxyConfig struct {
 	//
 	// ```
 	ProxyHeaders *ProxyConfigProxyHeaders `json:"proxyHeaders,omitempty"`
+	// File flush interval for envoy flushes buffers to disk in milliseconds.
+	// The duration needs to be set to a value greater than or equal to 1 millisecond.
+	// Default is 1000ms.
+	// Optional.
+	FileFlushInterval *metav1.Duration `json:"fileFlushInterval,omitempty"`
+	// File flush buffer size for envoy flushes buffers to disk in kilobytes.
+	// Defaults to 64.
+	// Optional.
+	FileFlushMinSizeKb *uint32 `json:"fileFlushMinSizeKb,omitempty"`
+	// Offer HTTP compression for stats
+	// Defaults to true.
+	// Optional.
+	StatsCompression *bool `json:"statsCompression,omitempty"`
 }
 
 type RemoteService struct {
@@ -4051,6 +4278,15 @@ type ProxyConfigProxyHeaders struct {
 	// requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
 	// standards.
 	PreserveHttp1HeaderCase *bool `json:"preserveHttp1HeaderCase,omitempty"`
+	// Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended
+	// with the original host when it is rewritten.
+	// This header is disabled by default.
+	XForwardedHost *ProxyConfigProxyHeadersXForwardedHost `json:"xForwardedHost,omitempty"`
+	// Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value
+	// client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any
+	// trusted proxy in front of Envoy.
+	// This header is disabled by default.
+	XForwardedPort *ProxyConfigProxyHeadersXForwardedPort `json:"xForwardedPort,omitempty"`
 }
 
 type ProxyConfigProxyHeadersServer struct {
@@ -4067,6 +4303,14 @@ type ProxyConfigProxyHeadersAttemptCount struct {
 	Disabled *bool `json:"disabled,omitempty"`
 }
 
+type ProxyConfigProxyHeadersXForwardedHost struct {
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
+type ProxyConfigProxyHeadersXForwardedPort struct {
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 type ProxyConfigProxyHeadersEnvoyDebugHeaders struct {
 	Disabled *bool `json:"disabled,omitempty"`
 }
@@ -4169,7 +4413,7 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" +
 	"poll_delay\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\tpollDelay\x126\n" +
 	"\bfallback\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\bfallbackB\n" +
 	"\n" +
-	"\bprovider\"\xc3#\n" +
+	"\bprovider\"\xeb'\n" +
 	"\vProxyConfig\x12\x1f\n" +
 	"\vconfig_path\x18\x01 \x01(\tR\n" +
 	"configPath\x12\x1f\n" +
@@ -4210,7 +4454,10 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" +
 	"\x13ca_certificates_pem\x18\" \x03(\tR\x11caCertificatesPem\x12:\n" +
 	"\x05image\x18# \x01(\v2$.istio.networking.v1beta1.ProxyImageR\x05image\x12Y\n" +
 	"\x14private_key_provider\x18& \x01(\v2'.istio.mesh.v1alpha1.PrivateKeyProviderR\x12privateKeyProvider\x12R\n" +
-	"\rproxy_headers\x18' \x01(\v2-.istio.mesh.v1alpha1.ProxyConfig.ProxyHeadersR\fproxyHeaders\x1a@\n" +
+	"\rproxy_headers\x18' \x01(\v2-.istio.mesh.v1alpha1.ProxyConfig.ProxyHeadersR\fproxyHeaders\x12I\n" +
+	"\x13file_flush_interval\x18( \x01(\v2\x19.google.protobuf.DurationR\x11fileFlushInterval\x122\n" +
+	"\x16file_flush_min_size_kb\x18) \x01(\rR\x12fileFlushMinSizeKb\x12G\n" +
+	"\x11stats_compression\x18* \x01(\v2\x1a.google.protobuf.BoolValueR\x10statsCompression\x1a@\n" +
 	"\x12ProxyMetadataEntry\x12\x10\n" +
 	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
 	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1a@\n" +
@@ -4220,7 +4467,7 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" +
 	"\x11ProxyStatsMatcher\x12-\n" +
 	"\x12inclusion_prefixes\x18\x01 \x03(\tR\x11inclusionPrefixes\x12-\n" +
 	"\x12inclusion_suffixes\x18\x02 \x03(\tR\x11inclusionSuffixes\x12+\n" +
-	"\x11inclusion_regexps\x18\x03 \x03(\tR\x10inclusionRegexps\x1a\xc5\f\n" +
+	"\x11inclusion_regexps\x18\x03 \x03(\tR\x10inclusionRegexps\x1a\xa5\x0f\n" +
 	"\fProxyHeaders\x12a\n" +
 	"\x15forwarded_client_cert\x18\x01 \x01(\x0e2-.istio.mesh.v1alpha1.ForwardClientCertDetailsR\x13forwardedClientCert\x12\x8f\x01\n" +
 	"\x1fset_current_client_cert_details\x18\a \x01(\v2I.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetailsR\x1bsetCurrentClientCertDetails\x12V\n" +
@@ -4230,14 +4477,20 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" +
 	"\rattempt_count\x18\x04 \x01(\v2:.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCountR\fattemptCount\x12o\n" +
 	"\x13envoy_debug_headers\x18\x05 \x01(\v2?.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeadersR\x11envoyDebugHeaders\x12\x81\x01\n" +
 	"\x19metadata_exchange_headers\x18\x06 \x01(\v2E.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeadersR\x17metadataExchangeHeaders\x12W\n" +
-	"\x1apreserve_http1_header_case\x18( \x01(\v2\x1a.google.protobuf.BoolValueR\x17preserveHttp1HeaderCase\x1aV\n" +
+	"\x1apreserve_http1_header_case\x18( \x01(\v2\x1a.google.protobuf.BoolValueR\x17preserveHttp1HeaderCase\x12f\n" +
+	"\x10x_forwarded_host\x18) \x01(\v2<.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHostR\x0exForwardedHost\x12f\n" +
+	"\x10x_forwarded_port\x18* \x01(\v2<.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPortR\x0exForwardedPort\x1aV\n" +
 	"\x06Server\x126\n" +
 	"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x12\x14\n" +
 	"\x05value\x18\x02 \x01(\tR\x05value\x1aC\n" +
 	"\tRequestId\x126\n" +
 	"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aF\n" +
 	"\fAttemptCount\x126\n" +
-	"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aK\n" +
+	"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aF\n" +
+	"\x0eXForwardedHost\x124\n" +
+	"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x1aF\n" +
+	"\x0eXForwardedPort\x124\n" +
+	"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x1aK\n" +
 	"\x11EnvoyDebugHeaders\x126\n" +
 	"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aq\n" +
 	"\x17MetadataExchangeHeaders\x12V\n" +
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go
index 637f8db30e..b6f2a5f059 100644
--- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go
+++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go
@@ -15,6 +15,7 @@
 package v1
 
 import (
+	appsv1 "k8s.io/api/apps/v1"
 	k8sv1 "k8s.io/api/core/v1"
 )
 
@@ -49,6 +50,10 @@ type ZTunnelConfig struct {
 	// Image name to pull from. Image will be `Hub/Image:Tag-Variant`.
 	// If Image contains a "/", it will replace the entire `image` in the pod.
 	Image *string `json:"image,omitempty"`
+	// defines the network this cluster belong to. This name corresponds to the networks in the map of mesh networks.
+	Network *string `json:"network,omitempty"`
+	// K8s affinity to set on the ztunnel Pods. Can be used to exclude ztunnel from being scheduled on specified nodes.
+	Affinity *k8sv1.Affinity `json:"affinity,omitempty"`
 	// resourceName, if set, will override the naming of resources. If not set, will default to the release name.
 	// It is recommended to not set this; this is primarily for backwards compatibility.
 	ResourceName *string `json:"resourceName,omitempty"`
@@ -60,12 +65,20 @@ type ZTunnelConfig struct {
 	VolumeMounts []k8sv1.VolumeMount `json:"volumeMounts,omitempty"`
 	// Additional volumes to add to the ztunnel Pod.
 	Volumes []k8sv1.Volume `json:"volumes,omitempty"`
+	// Tolerations for the ztunnel pod
+	Tolerations []k8sv1.Toleration `json:"tolerations,omitempty"`
 	// Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
 	PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
 	// Additional labels to apply on the pod level.
 	PodLabels map[string]string `json:"podLabels,omitempty"`
 	// The k8s resource requests and limits for the ztunnel Pods.
 	Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
+	// The resource quotas configuration for ztunnel
+	ResourceQuotas *ResourceQuotas `json:"resourceQuotas,omitempty"`
+	// K8s node selector settings.
+	//
+	// See https://kubernetes.io/docs/user-guide/node-selection/
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 	// List of secret names to add to the service account as image pull secrets
 	// to use for pulling any images in pods that reference this ServiceAccount.
 	// Must be set for any cluster configured with private docker registry.
@@ -82,9 +95,6 @@ type ZTunnelConfig struct {
 	// The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
 	// with Istiod configuration.
 	MultiCluster *MultiClusterConfig `json:"multiCluster,omitempty"`
-	// meshConfig defines runtime configuration of components.
-	// For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other components.
-	MeshConfig *MeshConfig `json:"meshConfig,omitempty"`
 	// This value defines:
 	// 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
 	// 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
@@ -105,6 +115,10 @@ type ZTunnelConfig struct {
 	LogLevel *string `json:"logLevel,omitempty"`
 	// Specifies whether istio components should output logs in json format by adding --log_as_json argument to each container.
 	LogAsJSON *bool `json:"logAsJson,omitempty"`
+	// Set seLinux options for the ztunnel pod
+	SeLinuxOptions *k8sv1.SELinuxOptions `json:"seLinuxOptions,omitempty"`
+	// Defines the update strategy to use when the version in the Ztunnel CR is updated.
+	UpdateStrategy *appsv1.DaemonSetUpdateStrategy `json:"updateStrategy,omitempty"`
 }
 
 // ZTunnelGlobalConfig is a subset of the Global Configuration used in the Istio ztunnel chart.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go
new file mode 100644
index 0000000000..802a6dbd95
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go
@@ -0,0 +1,194 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	ZTunnelKind = "ZTunnel"
+)
+
+// ZTunnelSpec defines the desired state of ZTunnel
+type ZTunnelSpec struct {
+	// +sail:version
+	// Defines the version of Istio to install.
+	// Must be one of: v1.28-latest, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a30ad733.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.0", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a30ad733"}
+	// +kubebuilder:validation:Enum=v1.28-latest;v1.28.3;v1.28.2;v1.28.1;v1.28.0;v1.27-latest;v1.27.5;v1.27.4;v1.27.3;v1.27.2;v1.27.1;v1.27.0;v1.26-latest;v1.26.8;v1.26.7;v1.26.6;v1.26.5;v1.26.4;v1.26.3;v1.26.2;v1.26.1;v1.26.0;v1.25-latest;v1.25.5;v1.25.4;v1.25.3;v1.25.2;v1.25.1;v1.24-latest;v1.24.6;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;master;v1.30-alpha.a30ad733
+	// +kubebuilder:default=v1.28.3
+	Version string `json:"version"`
+
+	// Namespace to which the Istio ztunnel component should be installed.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"}
+	// +kubebuilder:default=ztunnel
+	Namespace string `json:"namespace"`
+
+	// Defines the values to be passed to the Helm charts when installing Istio ztunnel.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Helm Values"
+	Values *ZTunnelValues `json:"values,omitempty"`
+}
+
+// ZTunnelStatus defines the observed state of ZTunnel
+type ZTunnelStatus struct {
+	// ObservedGeneration is the most recent generation observed for this
+	// ZTunnel object. It corresponds to the object's generation, which is
+	// updated on mutation by the API Server. The information in the status
+	// pertains to this particular generation of the object.
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Represents the latest available observations of the object's current state.
+	Conditions []ZTunnelCondition `json:"conditions,omitempty"`
+
+	// Reports the current state of the object.
+	State ZTunnelConditionReason `json:"state,omitempty"`
+}
+
+// GetCondition returns the condition of the specified type
+func (s *ZTunnelStatus) GetCondition(conditionType ZTunnelConditionType) ZTunnelCondition {
+	if s != nil {
+		for i := range s.Conditions {
+			if s.Conditions[i].Type == conditionType {
+				return s.Conditions[i]
+			}
+		}
+	}
+	return ZTunnelCondition{Type: conditionType, Status: metav1.ConditionUnknown}
+}
+
+// SetCondition sets a specific condition in the list of conditions
+func (s *ZTunnelStatus) SetCondition(condition ZTunnelCondition) {
+	var now time.Time
+	if testTime == nil {
+		now = time.Now()
+	} else {
+		now = *testTime
+	}
+
+	// The lastTransitionTime only gets serialized out to the second.  This can
+	// break update skipping, as the time in the resource returned from the client
+	// may not match the time in our cached status during a reconcile.  We truncate
+	// here to save any problems down the line.
+	lastTransitionTime := metav1.NewTime(now.Truncate(time.Second))
+
+	for i, prevCondition := range s.Conditions {
+		if prevCondition.Type == condition.Type {
+			if prevCondition.Status != condition.Status {
+				condition.LastTransitionTime = lastTransitionTime
+			} else {
+				condition.LastTransitionTime = prevCondition.LastTransitionTime
+			}
+			s.Conditions[i] = condition
+			return
+		}
+	}
+
+	// If the condition does not exist, initialize the lastTransitionTime
+	condition.LastTransitionTime = lastTransitionTime
+	s.Conditions = append(s.Conditions, condition)
+}
+
+// ZTunnelCondition represents a specific observation of the ZTunnel object's state.
+type ZTunnelCondition struct {
+	// The type of this condition.
+	Type ZTunnelConditionType `json:"type,omitempty"`
+
+	// The status of this condition. Can be True, False or Unknown.
+	Status metav1.ConditionStatus `json:"status,omitempty"`
+
+	// Unique, single-word, CamelCase reason for the condition's last transition.
+	Reason ZTunnelConditionReason `json:"reason,omitempty"`
+
+	// Human-readable message indicating details about the last transition.
+	Message string `json:"message,omitempty"`
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitzero"`
+}
+
+// ZTunnelConditionType represents the type of the condition.  Condition stages are:
+// Installed, Reconciled, Ready
+type ZTunnelConditionType string
+
+// ZTunnelConditionReason represents a short message indicating how the condition came
+// to be in its present state.
+type ZTunnelConditionReason string
+
+const (
+	// ZTunnelConditionReconciled signifies whether the controller has
+	// successfully reconciled the resources defined through the CR.
+	ZTunnelConditionReconciled ZTunnelConditionType = "Reconciled"
+
+	// ZTunnelReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried.
+	ZTunnelReasonReconcileError ZTunnelConditionReason = "ReconcileError"
+)
+
+const (
+	// ZTunnelConditionReady signifies whether the ztunnel DaemonSet is ready.
+	ZTunnelConditionReady ZTunnelConditionType = "Ready"
+
+	// ZTunnelDaemonSetNotReady indicates that the ztunnel DaemonSet is not ready.
+	ZTunnelDaemonSetNotReady ZTunnelConditionReason = "DaemonSetNotReady"
+
+	// ZTunnelReasonReadinessCheckFailed indicates that the DaemonSet readiness status could not be ascertained.
+	ZTunnelReasonReadinessCheckFailed ZTunnelConditionReason = "ReadinessCheckFailed"
+)
+
+const (
+	// ZTunnelReasonHealthy indicates that the control plane is fully reconciled and that all components are ready.
+	ZTunnelReasonHealthy ZTunnelConditionReason = "Healthy"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,categories=istio-io
+// +kubebuilder:subresource:status
+// +kubebuilder:storageversion
+// +kubebuilder:printcolumn:name="Namespace",type="string",JSONPath=".spec.namespace",description="The namespace for the ztunnel component."
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Whether the Istio ztunnel installation is ready to handle requests."
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of this object."
+// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the Istio ztunnel installation."
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object"
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default'",message="metadata.name must be 'default'"
+
+// ZTunnel represents a deployment of the Istio ztunnel component.
+type ZTunnel struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata"`
+
+	// +kubebuilder:default={version: "v1.28.3", namespace: "ztunnel"}
+	// +optional
+	Spec ZTunnelSpec `json:"spec"`
+
+	// +optional
+	Status ZTunnelStatus `json:"status"`
+}
+
+// +kubebuilder:object:root=true
+
+// ZTunnelList contains a list of ZTunnel
+type ZTunnelList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []ZTunnel `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ZTunnel{}, &ZTunnelList{})
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go
index baac7292dc..685cb83cc6 100644
--- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go
@@ -20,6 +20,7 @@ package v1
 
 import (
 	"encoding/json"
+	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -27,6 +28,26 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Agentgateway) DeepCopyInto(out *Agentgateway) {
+	*out = *in
+	if in.Image != nil {
+		in, out := &in.Image, &out.Image
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Agentgateway.
+func (in *Agentgateway) DeepCopy() *Agentgateway {
+	if in == nil {
+		return nil
+	}
+	out := new(Agentgateway)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ArchConfig) DeepCopyInto(out *ArchConfig) {
 	*out = *in
@@ -190,6 +211,20 @@ func (in *CNIConfig) DeepCopyInto(out *CNIConfig) {
 		*out = new(corev1.Affinity)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Env != nil {
+		in, out := &in.Env, &out.Env
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.DaemonSetLabels != nil {
+		in, out := &in.DaemonSetLabels, &out.DaemonSetLabels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	if in.PodAnnotations != nil {
 		in, out := &in.PodAnnotations, &out.PodAnnotations
 		*out = make(map[string]string, len(*in))
@@ -197,6 +232,13 @@ func (in *CNIConfig) DeepCopyInto(out *CNIConfig) {
 			(*out)[key] = val
 		}
 	}
+	if in.PodLabels != nil {
+		in, out := &in.PodLabels, &out.PodLabels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	if in.PspClusterRole != nil {
 		in, out := &in.PspClusterRole, &out.PspClusterRole
 		*out = new(string)
@@ -252,6 +294,16 @@ func (in *CNIConfig) DeepCopyInto(out *CNIConfig) {
 		*out = new(intstr.IntOrString)
 		**out = **in
 	}
+	if in.IstioOwnedCNIConfig != nil {
+		in, out := &in.IstioOwnedCNIConfig, &out.IstioOwnedCNIConfig
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IstioOwnedCNIConfigFileName != nil {
+		in, out := &in.IstioOwnedCNIConfigFileName, &out.IstioOwnedCNIConfigFileName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfig.
@@ -312,6 +364,11 @@ func (in *CNIGlobalConfig) DeepCopyInto(out *CNIGlobalConfig) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.NativeNftables != nil {
+		in, out := &in.NativeNftables, &out.NativeNftables
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CNIGlobalConfig.
@@ -848,6 +905,21 @@ func (in *GlobalConfig) DeepCopyInto(out *GlobalConfig) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.NativeNftables != nil {
+		in, out := &in.NativeNftables, &out.NativeNftables
+		*out = new(bool)
+		**out = **in
+	}
+	if in.NetworkPolicy != nil {
+		in, out := &in.NetworkPolicy, &out.NetworkPolicy
+		*out = new(NetworkPolicyConfig)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Agentgateway != nil {
+		in, out := &in.Agentgateway, &out.Agentgateway
+		*out = new(Agentgateway)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalConfig.
@@ -1473,6 +1545,11 @@ func (in *IstiodRemoteConfig) DeepCopyInto(out *IstiodRemoteConfig) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.EnabledLocalInjectorIstiod != nil {
+		in, out := &in.EnabledLocalInjectorIstiod, &out.EnabledLocalInjectorIstiod
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstiodRemoteConfig.
@@ -1607,6 +1684,11 @@ func (in *MeshConfig) DeepCopyInto(out *MeshConfig) {
 		*out = new(metav1.Duration)
 		**out = **in
 	}
+	if in.HboneIdleTimeout != nil {
+		in, out := &in.HboneIdleTimeout, &out.HboneIdleTimeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
 	if in.ProtocolDetectionTimeout != nil {
 		in, out := &in.ProtocolDetectionTimeout, &out.ProtocolDetectionTimeout
 		*out = new(metav1.Duration)
@@ -1771,6 +1853,17 @@ func (in *MeshConfig) DeepCopyInto(out *MeshConfig) {
 			}
 		}
 	}
+	if in.ServiceScopeConfigs != nil {
+		in, out := &in.ServiceScopeConfigs, &out.ServiceScopeConfigs
+		*out = make([]*MeshConfigServiceScopeConfigs, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(MeshConfigServiceScopeConfigs)
+				(*in).DeepCopyInto(*out)
+			}
+		}
+	}
 	if in.EnablePrometheusMerge != nil {
 		in, out := &in.EnablePrometheusMerge, &out.EnablePrometheusMerge
 		*out = new(bool)
@@ -2023,6 +2116,11 @@ func (in *MeshConfigExtensionProvider) DeepCopyInto(out *MeshConfigExtensionProv
 		*out = new(MeshConfigExtensionProviderEnvoyOpenTelemetryLogProvider)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = new(MeshConfigExtensionProviderSDSProvider)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProvider.
@@ -2788,6 +2886,36 @@ func (in *MeshConfigExtensionProviderResourceDetectorsEnvironmentResourceDetecto
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MeshConfigExtensionProviderSDSProvider) DeepCopyInto(out *MeshConfigExtensionProviderSDSProvider) {
+	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Service != nil {
+		in, out := &in.Service, &out.Service
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(uint32)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProviderSDSProvider.
+func (in *MeshConfigExtensionProviderSDSProvider) DeepCopy() *MeshConfigExtensionProviderSDSProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(MeshConfigExtensionProviderSDSProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MeshConfigExtensionProviderSkyWalkingTracingProvider) DeepCopyInto(out *MeshConfigExtensionProviderSkyWalkingTracingProvider) {
 	*out = *in
@@ -2913,6 +3041,22 @@ func (in *MeshConfigExtensionProviderZipkinTracingProvider) DeepCopyInto(out *Me
 		*out = new(string)
 		**out = **in
 	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make([]*MeshConfigExtensionProviderHttpHeader, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(MeshConfigExtensionProviderHttpHeader)
+				(*in).DeepCopyInto(*out)
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProviderZipkinTracingProvider.
@@ -3127,6 +3271,21 @@ func (in *MeshConfigProxyConfig) DeepCopyInto(out *MeshConfigProxyConfig) {
 		*out = new(ProxyConfigProxyHeaders)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.FileFlushInterval != nil {
+		in, out := &in.FileFlushInterval, &out.FileFlushInterval
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.FileFlushMinSizeKb != nil {
+		in, out := &in.FileFlushMinSizeKb, &out.FileFlushMinSizeKb
+		*out = new(uint32)
+		**out = **in
+	}
+	if in.StatsCompression != nil {
+		in, out := &in.StatsCompression, &out.StatsCompression
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigProxyConfig.
@@ -3154,6 +3313,31 @@ func (in *MeshConfigProxyPathNormalization) DeepCopy() *MeshConfigProxyPathNorma
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MeshConfigServiceScopeConfigs) DeepCopyInto(out *MeshConfigServiceScopeConfigs) {
+	*out = *in
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServicesSelector != nil {
+		in, out := &in.ServicesSelector, &out.ServicesSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigServiceScopeConfigs.
+func (in *MeshConfigServiceScopeConfigs) DeepCopy() *MeshConfigServiceScopeConfigs {
+	if in == nil {
+		return nil
+	}
+	out := new(MeshConfigServiceScopeConfigs)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MeshConfigServiceSettings) DeepCopyInto(out *MeshConfigServiceSettings) {
 	*out = *in
@@ -3387,6 +3571,26 @@ func (in *NetworkNetworkEndpoints) DeepCopy() *NetworkNetworkEndpoints {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyConfig) DeepCopyInto(out *NetworkPolicyConfig) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyConfig.
+func (in *NetworkPolicyConfig) DeepCopy() *NetworkPolicyConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutboundTrafficPolicyConfig) DeepCopyInto(out *OutboundTrafficPolicyConfig) {
 	*out = *in
@@ -3624,11 +3828,16 @@ func (in *PilotConfig) DeepCopyInto(out *PilotConfig) {
 	}
 	if in.EnvVarFrom != nil {
 		in, out := &in.EnvVarFrom, &out.EnvVarFrom
-		*out = make([]corev1.EnvFromSource, len(*in))
+		*out = make([]corev1.EnvVar, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.CrlConfigMapName != nil {
+		in, out := &in.CrlConfigMapName, &out.CrlConfigMapName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PilotConfig.
@@ -3929,6 +4138,11 @@ func (in *ProxyConfig) DeepCopyInto(out *ProxyConfig) {
 		*out = new(uint32)
 		**out = **in
 	}
+	if in.SeccompProfile != nil {
+		in, out := &in.SeccompProfile, &out.SeccompProfile
+		*out = new(corev1.SeccompProfile)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.StartupProbe != nil {
 		in, out := &in.StartupProbe, &out.StartupProbe
 		*out = new(StartupProbe)
@@ -4019,6 +4233,16 @@ func (in *ProxyConfigProxyHeaders) DeepCopyInto(out *ProxyConfigProxyHeaders) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.XForwardedHost != nil {
+		in, out := &in.XForwardedHost, &out.XForwardedHost
+		*out = new(ProxyConfigProxyHeadersXForwardedHost)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.XForwardedPort != nil {
+		in, out := &in.XForwardedPort, &out.XForwardedPort
+		*out = new(ProxyConfigProxyHeadersXForwardedPort)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeaders.
@@ -4171,6 +4395,46 @@ func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopy() *ProxyC
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxyConfigProxyHeadersXForwardedHost) DeepCopyInto(out *ProxyConfigProxyHeadersXForwardedHost) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeadersXForwardedHost.
+func (in *ProxyConfigProxyHeadersXForwardedHost) DeepCopy() *ProxyConfigProxyHeadersXForwardedHost {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxyConfigProxyHeadersXForwardedHost)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxyConfigProxyHeadersXForwardedPort) DeepCopyInto(out *ProxyConfigProxyHeadersXForwardedPort) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeadersXForwardedPort.
+func (in *ProxyConfigProxyHeadersXForwardedPort) DeepCopy() *ProxyConfigProxyHeadersXForwardedPort {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxyConfigProxyHeadersXForwardedPort)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyConfigProxyStatsMatcher) DeepCopyInto(out *ProxyConfigProxyStatsMatcher) {
 	*out = *in
@@ -5289,6 +5553,49 @@ func (in *WorkloadSelector) DeepCopy() *WorkloadSelector {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ZTunnel) DeepCopyInto(out *ZTunnel) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnel.
+func (in *ZTunnel) DeepCopy() *ZTunnel {
+	if in == nil {
+		return nil
+	}
+	out := new(ZTunnel)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ZTunnel) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ZTunnelCondition) DeepCopyInto(out *ZTunnelCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelCondition.
+func (in *ZTunnelCondition) DeepCopy() *ZTunnelCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ZTunnelCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) {
 	*out = *in
@@ -5312,6 +5619,16 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Network != nil {
+		in, out := &in.Network, &out.Network
+		*out = new(string)
+		**out = **in
+	}
+	if in.Affinity != nil {
+		in, out := &in.Affinity, &out.Affinity
+		*out = new(corev1.Affinity)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.ResourceName != nil {
 		in, out := &in.ResourceName, &out.ResourceName
 		*out = new(string)
@@ -5345,6 +5662,13 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]corev1.Toleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.PodAnnotations != nil {
 		in, out := &in.PodAnnotations, &out.PodAnnotations
 		*out = make(map[string]string, len(*in))
@@ -5364,6 +5688,18 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) {
 		*out = new(corev1.ResourceRequirements)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.ResourceQuotas != nil {
+		in, out := &in.ResourceQuotas, &out.ResourceQuotas
+		*out = new(ResourceQuotas)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	if in.ImagePullSecrets != nil {
 		in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
 		*out = make([]string, len(*in))
@@ -5386,11 +5722,6 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) {
 		*out = new(MultiClusterConfig)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.MeshConfig != nil {
-		in, out := &in.MeshConfig, &out.MeshConfig
-		*out = new(MeshConfig)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.TerminationGracePeriodSeconds != nil {
 		in, out := &in.TerminationGracePeriodSeconds, &out.TerminationGracePeriodSeconds
 		*out = new(int64)
@@ -5426,6 +5757,16 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.SeLinuxOptions != nil {
+		in, out := &in.SeLinuxOptions, &out.SeLinuxOptions
+		*out = new(corev1.SELinuxOptions)
+		**out = **in
+	}
+	if in.UpdateStrategy != nil {
+		in, out := &in.UpdateStrategy, &out.UpdateStrategy
+		*out = new(appsv1.DaemonSetUpdateStrategy)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelConfig.
@@ -5498,6 +5839,80 @@ func (in *ZTunnelGlobalConfig) DeepCopy() *ZTunnelGlobalConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ZTunnelList) DeepCopyInto(out *ZTunnelList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ZTunnel, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelList.
+func (in *ZTunnelList) DeepCopy() *ZTunnelList {
+	if in == nil {
+		return nil
+	}
+	out := new(ZTunnelList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ZTunnelList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ZTunnelSpec) DeepCopyInto(out *ZTunnelSpec) {
+	*out = *in
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = new(ZTunnelValues)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelSpec.
+func (in *ZTunnelSpec) DeepCopy() *ZTunnelSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ZTunnelSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ZTunnelStatus) DeepCopyInto(out *ZTunnelStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ZTunnelCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelStatus.
+func (in *ZTunnelStatus) DeepCopy() *ZTunnelStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ZTunnelStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ZTunnelValues) DeepCopyInto(out *ZTunnelValues) {
 	*out = *in
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/crds.go b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/crds.go
new file mode 100644
index 0000000000..4c8e382daa
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/crds.go
@@ -0,0 +1,27 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package crds provides embedded CRD YAML files for Istio and Sail resources.
+package crds
+
+import "embed"
+
+// FS contains all CRD YAML files from the chart/crds directory.
+// This allows programmatic access to CRDs for installation.
+//
+// CRD files follow the naming convention: {group}_{plural}.yaml
+// Example: extensions.istio.io_wasmplugins.yaml
+//
+//go:embed *.yaml
+var FS embed.FS
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/extensions.istio.io_wasmplugins.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/extensions.istio.io_wasmplugins.yaml
new file mode 100644
index 0000000000..61922e95af
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/extensions.istio.io_wasmplugins.yaml
@@ -0,0 +1,361 @@
+# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: wasmplugins.extensions.istio.io
+spec:
+  group: extensions.istio.io
+  names:
+    categories:
+    - istio-io
+    - extensions-istio-io
+    kind: WasmPlugin
+    listKind: WasmPluginList
+    plural: wasmplugins
+    singular: wasmplugin
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Extend the functionality provided by the Istio proxy through
+              WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
+            properties:
+              failStrategy:
+                description: |-
+                  Specifies the failure behavior for the plugin due to fatal errors.
+
+                  Valid Options: FAIL_CLOSE, FAIL_OPEN, FAIL_RELOAD
+                enum:
+                - FAIL_CLOSE
+                - FAIL_OPEN
+                - FAIL_RELOAD
+                type: string
+              imagePullPolicy:
+                description: |-
+                  The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`.
+
+                  Valid Options: IfNotPresent, Always
+                enum:
+                - UNSPECIFIED_POLICY
+                - IfNotPresent
+                - Always
+                type: string
+              imagePullSecret:
+                description: Credentials to use for OCI image pulling.
+                maxLength: 253
+                minLength: 1
+                type: string
+              match:
+                description: Specifies the criteria to determine which traffic is
+                  passed to WasmPlugin.
+                items:
+                  properties:
+                    mode:
+                      description: |-
+                        Criteria for selecting traffic by their direction.
+
+                        Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER
+                      enum:
+                      - UNDEFINED
+                      - CLIENT
+                      - SERVER
+                      - CLIENT_AND_SERVER
+                      type: string
+                    ports:
+                      description: Criteria for selecting traffic by their destination
+                        port.
+                      items:
+                        properties:
+                          number:
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                        required:
+                        - number
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - number
+                      x-kubernetes-list-type: map
+                  type: object
+                type: array
+              phase:
+                description: |-
+                  Determines where in the filter chain this `WasmPlugin` is to be injected.
+
+                  Valid Options: AUTHN, AUTHZ, STATS
+                enum:
+                - UNSPECIFIED_PHASE
+                - AUTHN
+                - AUTHZ
+                - STATS
+                type: string
+              pluginConfig:
+                description: The configuration that will be passed on to the plugin.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+              pluginName:
+                description: The plugin name to be used in the Envoy configuration
+                  (used to be called `rootID`).
+                maxLength: 256
+                minLength: 1
+                type: string
+              priority:
+                description: Determines ordering of `WasmPlugins` in the same `phase`.
+                format: int32
+                nullable: true
+                type: integer
+              selector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this plugin configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              sha256:
+                description: SHA256 checksum that will be used to verify Wasm module
+                  or OCI container.
+                pattern: (^$|^[a-f0-9]{64}$)
+                type: string
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+              type:
+                description: |-
+                  Specifies the type of Wasm Extension to be used.
+
+                  Valid Options: HTTP, NETWORK
+                enum:
+                - UNSPECIFIED_PLUGIN_TYPE
+                - HTTP
+                - NETWORK
+                type: string
+              url:
+                description: URL of a Wasm module or OCI container.
+                minLength: 1
+                type: string
+                x-kubernetes-validations:
+                - message: url must have schema one of [http, https, file, oci]
+                  rule: |-
+                    isURL(self) ? (url(self).getScheme() in ["", "http", "https", "oci", "file"]) : (isURL("http://" + self) &&
+                    url("http://" + self).getScheme() in ["", "http", "https", "oci", "file"])
+              verificationKey:
+                type: string
+              vmConfig:
+                description: Configuration for a Wasm VM.
+                properties:
+                  env:
+                    description: Specifies environment variables to be injected to
+                      this VM.
+                    items:
+                      properties:
+                        name:
+                          description: Name of the environment variable.
+                          maxLength: 256
+                          minLength: 1
+                          type: string
+                        value:
+                          description: Value for the environment variable.
+                          maxLength: 2048
+                          type: string
+                        valueFrom:
+                          description: |-
+                            Source for the environment variable's value.
+
+                            Valid Options: INLINE, HOST
+                          enum:
+                          - INLINE
+                          - HOST
+                          type: string
+                      required:
+                      - name
+                      type: object
+                      x-kubernetes-validations:
+                      - message: value may only be set when valueFrom is INLINE
+                        rule: '(has(self.valueFrom) ? self.valueFrom : "") != "HOST"
+                          || !has(self.value)'
+                    maxItems: 256
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
+                type: object
+            required:
+            - url
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml
new file mode 100644
index 0000000000..db1f194794
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml
@@ -0,0 +1,6028 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: destinationrules.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: DestinationRule
+    listKind: DestinationRuleList
+    plural: destinationrules
+    shortNames:
+    - dr
+    singular: destinationrule
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    attributes:
+                                      description: Additional attributes for the cookie.
+                                      items:
+                                        properties:
+                                          name:
+                                            description: The name of the cookie attribute.
+                                            type: string
+                                          value:
+                                            description: The optional value of the
+                                              cookie attribute.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: |-
+                                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            maximum: 4294967295
+                                            minimum: 0
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          attributes:
+                                            description: Additional attributes for
+                                              the cookie.
+                                            items:
+                                              properties:
+                                                name:
+                                                  description: The name of the cookie
+                                                    attribute.
+                                                  type: string
+                                                value:
+                                                  description: The optional value
+                                                    of the cookie attribute.
+                                                  type: string
+                                              required:
+                                              - name
+                                              type: object
+                                            type: array
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        minimum: 0
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                maximum: 4294967295
+                                                minimum: 0
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: Enable locality load balancing.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    description: |2-
+
+
+                                      Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmup:
+                                    description: Represents the warmup configuration
+                                      of Service.
+                                    properties:
+                                      aggression:
+                                        description: This parameter controls the speed
+                                          of traffic increase over the warmup duration.
+                                        format: double
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                      duration:
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      minimumPercent:
+                                        format: double
+                                        maximum: 100
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                    required:
+                                    - duration
+                                    type: object
+                                  warmupDurationSecs:
+                                    description: 'Deprecated: use `warmup` instead.'
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least `minHealthPercent` hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  caCrl:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      the certificate revocation list (CRL) to use
+                                      in verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured using TLS.
+
+                                      Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          maxItems: 4096
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: |-
+                                The PROXY protocol version to use.
+
+                                Valid Options: V1, V2
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        retryBudget:
+                          description: Specifies a limit on concurrent retries in
+                            relation to the number of active requests.
+                          properties:
+                            minRetryConcurrency:
+                              description: Specifies the minimum retry concurrency
+                                allowed for the retry budget.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                            percent:
+                              description: Specifies the limit on concurrent retries
+                                as a percentage of the sum of active requests and
+                                active pending requests.
+                              format: double
+                              maximum: 100
+                              minimum: 0
+                              nullable: true
+                              type: number
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: |-
+                              Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                              Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                maximum: 4294967295
+                                minimum: 0
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              attributes:
+                                description: Additional attributes for the cookie.
+                                items:
+                                  properties:
+                                    name:
+                                      description: The name of the cookie attribute.
+                                      type: string
+                                    value:
+                                      description: The optional value of the cookie
+                                        attribute.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            minimum: 0
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: Enable locality load balancing.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        description: |2-
+
+
+                          Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmup:
+                        description: Represents the warmup configuration of Service.
+                        properties:
+                          aggression:
+                            description: This parameter controls the speed of traffic
+                              increase over the warmup duration.
+                            format: double
+                            minimum: 0
+                            nullable: true
+                            type: number
+                          duration:
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          minimumPercent:
+                            format: double
+                            maximum: 100
+                            minimum: 0
+                            nullable: true
+                            type: number
+                        required:
+                        - duration
+                        type: object
+                      warmupDurationSecs:
+                        description: 'Deprecated: use `warmup` instead.'
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least `minHealthPercent`
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    attributes:
+                                      description: Additional attributes for the cookie.
+                                      items:
+                                        properties:
+                                          name:
+                                            description: The name of the cookie attribute.
+                                            type: string
+                                          value:
+                                            description: The optional value of the
+                                              cookie attribute.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    maxItems: 4096
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: |-
+                          The PROXY protocol version to use.
+
+                          Valid Options: V1, V2
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  retryBudget:
+                    description: Specifies a limit on concurrent retries in relation
+                      to the number of active requests.
+                    properties:
+                      minRetryConcurrency:
+                        description: Specifies the minimum retry concurrency allowed
+                          for the retry budget.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                      percent:
+                        description: Specifies the limit on concurrent retries as
+                          a percentage of the sum of active requests and active pending
+                          requests.
+                        format: double
+                        maximum: 100
+                        minimum: 0
+                        nullable: true
+                        type: number
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      caCrl:
+                        description: 'OPTIONAL: The path to the file containing the
+                          certificate revocation list (CRL) to use in verifying a
+                          presented server certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: |-
+                          Indicates whether connections to this port should be secured using TLS.
+
+                          Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    attributes:
+                                      description: Additional attributes for the cookie.
+                                      items:
+                                        properties:
+                                          name:
+                                            description: The name of the cookie attribute.
+                                            type: string
+                                          value:
+                                            description: The optional value of the
+                                              cookie attribute.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: |-
+                                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            maximum: 4294967295
+                                            minimum: 0
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          attributes:
+                                            description: Additional attributes for
+                                              the cookie.
+                                            items:
+                                              properties:
+                                                name:
+                                                  description: The name of the cookie
+                                                    attribute.
+                                                  type: string
+                                                value:
+                                                  description: The optional value
+                                                    of the cookie attribute.
+                                                  type: string
+                                              required:
+                                              - name
+                                              type: object
+                                            type: array
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        minimum: 0
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                maximum: 4294967295
+                                                minimum: 0
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: Enable locality load balancing.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    description: |2-
+
+
+                                      Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmup:
+                                    description: Represents the warmup configuration
+                                      of Service.
+                                    properties:
+                                      aggression:
+                                        description: This parameter controls the speed
+                                          of traffic increase over the warmup duration.
+                                        format: double
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                      duration:
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      minimumPercent:
+                                        format: double
+                                        maximum: 100
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                    required:
+                                    - duration
+                                    type: object
+                                  warmupDurationSecs:
+                                    description: 'Deprecated: use `warmup` instead.'
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least `minHealthPercent` hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  caCrl:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      the certificate revocation list (CRL) to use
+                                      in verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured using TLS.
+
+                                      Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          maxItems: 4096
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: |-
+                                The PROXY protocol version to use.
+
+                                Valid Options: V1, V2
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        retryBudget:
+                          description: Specifies a limit on concurrent retries in
+                            relation to the number of active requests.
+                          properties:
+                            minRetryConcurrency:
+                              description: Specifies the minimum retry concurrency
+                                allowed for the retry budget.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                            percent:
+                              description: Specifies the limit on concurrent retries
+                                as a percentage of the sum of active requests and
+                                active pending requests.
+                              format: double
+                              maximum: 100
+                              minimum: 0
+                              nullable: true
+                              type: number
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: |-
+                              Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                              Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                maximum: 4294967295
+                                minimum: 0
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              attributes:
+                                description: Additional attributes for the cookie.
+                                items:
+                                  properties:
+                                    name:
+                                      description: The name of the cookie attribute.
+                                      type: string
+                                    value:
+                                      description: The optional value of the cookie
+                                        attribute.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            minimum: 0
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: Enable locality load balancing.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        description: |2-
+
+
+                          Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmup:
+                        description: Represents the warmup configuration of Service.
+                        properties:
+                          aggression:
+                            description: This parameter controls the speed of traffic
+                              increase over the warmup duration.
+                            format: double
+                            minimum: 0
+                            nullable: true
+                            type: number
+                          duration:
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          minimumPercent:
+                            format: double
+                            maximum: 100
+                            minimum: 0
+                            nullable: true
+                            type: number
+                        required:
+                        - duration
+                        type: object
+                      warmupDurationSecs:
+                        description: 'Deprecated: use `warmup` instead.'
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least `minHealthPercent`
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    attributes:
+                                      description: Additional attributes for the cookie.
+                                      items:
+                                        properties:
+                                          name:
+                                            description: The name of the cookie attribute.
+                                            type: string
+                                          value:
+                                            description: The optional value of the
+                                              cookie attribute.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    maxItems: 4096
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: |-
+                          The PROXY protocol version to use.
+
+                          Valid Options: V1, V2
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  retryBudget:
+                    description: Specifies a limit on concurrent retries in relation
+                      to the number of active requests.
+                    properties:
+                      minRetryConcurrency:
+                        description: Specifies the minimum retry concurrency allowed
+                          for the retry budget.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                      percent:
+                        description: Specifies the limit on concurrent retries as
+                          a percentage of the sum of active requests and active pending
+                          requests.
+                        format: double
+                        maximum: 100
+                        minimum: 0
+                        nullable: true
+                        type: number
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      caCrl:
+                        description: 'OPTIONAL: The path to the file containing the
+                          certificate revocation list (CRL) to use in verifying a
+                          presented server certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: |-
+                          Indicates whether connections to this port should be secured using TLS.
+
+                          Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: CreationTimestamp is a timestamp representing the server time when
+        this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    attributes:
+                                      description: Additional attributes for the cookie.
+                                      items:
+                                        properties:
+                                          name:
+                                            description: The name of the cookie attribute.
+                                            type: string
+                                          value:
+                                            description: The optional value of the
+                                              cookie attribute.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: |-
+                                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            maximum: 4294967295
+                                            minimum: 0
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          attributes:
+                                            description: Additional attributes for
+                                              the cookie.
+                                            items:
+                                              properties:
+                                                name:
+                                                  description: The name of the cookie
+                                                    attribute.
+                                                  type: string
+                                                value:
+                                                  description: The optional value
+                                                    of the cookie attribute.
+                                                  type: string
+                                              required:
+                                              - name
+                                              type: object
+                                            type: array
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        minimum: 0
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                maximum: 4294967295
+                                                minimum: 0
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: Enable locality load balancing.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    description: |2-
+
+
+                                      Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmup:
+                                    description: Represents the warmup configuration
+                                      of Service.
+                                    properties:
+                                      aggression:
+                                        description: This parameter controls the speed
+                                          of traffic increase over the warmup duration.
+                                        format: double
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                      duration:
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      minimumPercent:
+                                        format: double
+                                        maximum: 100
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                    required:
+                                    - duration
+                                    type: object
+                                  warmupDurationSecs:
+                                    description: 'Deprecated: use `warmup` instead.'
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least `minHealthPercent` hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  caCrl:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      the certificate revocation list (CRL) to use
+                                      in verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured using TLS.
+
+                                      Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          maxItems: 4096
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: |-
+                                The PROXY protocol version to use.
+
+                                Valid Options: V1, V2
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        retryBudget:
+                          description: Specifies a limit on concurrent retries in
+                            relation to the number of active requests.
+                          properties:
+                            minRetryConcurrency:
+                              description: Specifies the minimum retry concurrency
+                                allowed for the retry budget.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                            percent:
+                              description: Specifies the limit on concurrent retries
+                                as a percentage of the sum of active requests and
+                                active pending requests.
+                              format: double
+                              maximum: 100
+                              minimum: 0
+                              nullable: true
+                              type: number
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: |-
+                              Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                              Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                maximum: 4294967295
+                                minimum: 0
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              attributes:
+                                description: Additional attributes for the cookie.
+                                items:
+                                  properties:
+                                    name:
+                                      description: The name of the cookie attribute.
+                                      type: string
+                                    value:
+                                      description: The optional value of the cookie
+                                        attribute.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            minimum: 0
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: Enable locality load balancing.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        description: |2-
+
+
+                          Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmup:
+                        description: Represents the warmup configuration of Service.
+                        properties:
+                          aggression:
+                            description: This parameter controls the speed of traffic
+                              increase over the warmup duration.
+                            format: double
+                            minimum: 0
+                            nullable: true
+                            type: number
+                          duration:
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          minimumPercent:
+                            format: double
+                            maximum: 100
+                            minimum: 0
+                            nullable: true
+                            type: number
+                        required:
+                        - duration
+                        type: object
+                      warmupDurationSecs:
+                        description: 'Deprecated: use `warmup` instead.'
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least `minHealthPercent`
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    attributes:
+                                      description: Additional attributes for the cookie.
+                                      items:
+                                        properties:
+                                          name:
+                                            description: The name of the cookie attribute.
+                                            type: string
+                                          value:
+                                            description: The optional value of the
+                                              cookie attribute.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    maxItems: 4096
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: |-
+                          The PROXY protocol version to use.
+
+                          Valid Options: V1, V2
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  retryBudget:
+                    description: Specifies a limit on concurrent retries in relation
+                      to the number of active requests.
+                    properties:
+                      minRetryConcurrency:
+                        description: Specifies the minimum retry concurrency allowed
+                          for the retry budget.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                      percent:
+                        description: Specifies the limit on concurrent retries as
+                          a percentage of the sum of active requests and active pending
+                          requests.
+                        format: double
+                        maximum: 100
+                        minimum: 0
+                        nullable: true
+                        type: number
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      caCrl:
+                        description: 'OPTIONAL: The path to the file containing the
+                          certificate revocation list (CRL) to use in verifying a
+                          presented server certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: |-
+                          Indicates whether connections to this port should be secured using TLS.
+
+                          Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml
new file mode 100644
index 0000000000..6f0e329bbf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml
@@ -0,0 +1,450 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: envoyfilters.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: EnvoyFilter
+    listKind: EnvoyFilterList
+    plural: envoyfilters
+    singular: envoyfilter
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Customizing Envoy configuration generated by Istio. See
+              more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
+            properties:
+              configPatches:
+                description: One or more patches with match conditions.
+                items:
+                  properties:
+                    applyTo:
+                      description: |-
+                        Specifies where in the Envoy configuration, the patch should be applied.
+
+                        Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER
+                      enum:
+                      - INVALID
+                      - LISTENER
+                      - FILTER_CHAIN
+                      - NETWORK_FILTER
+                      - HTTP_FILTER
+                      - ROUTE_CONFIGURATION
+                      - VIRTUAL_HOST
+                      - HTTP_ROUTE
+                      - CLUSTER
+                      - EXTENSION_CONFIG
+                      - BOOTSTRAP
+                      - LISTENER_FILTER
+                      type: string
+                    match:
+                      description: Match on listener/route configuration/cluster.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - listener
+                          - required:
+                            - routeConfiguration
+                          - required:
+                            - cluster
+                          - required:
+                            - waypoint
+                      - required:
+                        - listener
+                      - required:
+                        - routeConfiguration
+                      - required:
+                        - cluster
+                      - required:
+                        - waypoint
+                      properties:
+                        cluster:
+                          description: Match on envoy cluster attributes.
+                          properties:
+                            name:
+                              description: The exact name of the cluster to match.
+                              type: string
+                            portNumber:
+                              description: The service port for which this cluster
+                                was generated.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                            service:
+                              description: The fully qualified service name for this
+                                cluster.
+                              type: string
+                            subset:
+                              description: The subset associated with the service.
+                              type: string
+                          type: object
+                        context:
+                          description: |-
+                            The specific config generation context to match on.
+
+                            Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY, WAYPOINT
+                          enum:
+                          - ANY
+                          - SIDECAR_INBOUND
+                          - SIDECAR_OUTBOUND
+                          - GATEWAY
+                          - WAYPOINT
+                          type: string
+                        listener:
+                          description: Match on envoy listener attributes.
+                          properties:
+                            filterChain:
+                              description: Match a specific filter chain in a listener.
+                              properties:
+                                applicationProtocols:
+                                  description: Applies only to sidecars.
+                                  type: string
+                                destinationPort:
+                                  description: The destination_port value used by
+                                    a filter chain's match condition.
+                                  maximum: 4294967295
+                                  minimum: 0
+                                  type: integer
+                                filter:
+                                  description: The name of a specific filter to apply
+                                    the patch to.
+                                  properties:
+                                    name:
+                                      description: The filter name to match on.
+                                      type: string
+                                    subFilter:
+                                      description: The next level filter within this
+                                        filter to match upon.
+                                      properties:
+                                        name:
+                                          description: The filter name to match on.
+                                          type: string
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name assigned to the filter chain.
+                                  type: string
+                                sni:
+                                  description: The SNI value used by a filter chain's
+                                    match condition.
+                                  type: string
+                                transportProtocol:
+                                  description: Applies only to `SIDECAR_INBOUND` context.
+                                  type: string
+                              type: object
+                            listenerFilter:
+                              description: Match a specific listener filter.
+                              type: string
+                            name:
+                              description: Match a specific listener by its name.
+                              type: string
+                            portName:
+                              type: string
+                            portNumber:
+                              description: The service port/gateway port to which
+                                traffic is being sent/received.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        proxy:
+                          description: Match on properties associated with a proxy.
+                          properties:
+                            metadata:
+                              additionalProperties:
+                                type: string
+                              description: Match on the node metadata supplied by
+                                a proxy when connecting to istiod.
+                              type: object
+                            proxyVersion:
+                              description: A regular expression in golang regex format
+                                (RE2) that can be used to select proxies using a specific
+                                version of istio proxy.
+                              type: string
+                          type: object
+                        routeConfiguration:
+                          description: Match on envoy HTTP route configuration attributes.
+                          properties:
+                            gateway:
+                              description: The Istio gateway config's namespace/name
+                                for which this route configuration was generated.
+                              type: string
+                            name:
+                              description: Route configuration name to match on.
+                              type: string
+                            portName:
+                              description: Applicable only for GATEWAY context.
+                              type: string
+                            portNumber:
+                              description: The service port number or gateway server
+                                port number for which this route configuration was
+                                generated.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                            vhost:
+                              description: Match a specific virtual host in a route
+                                configuration and apply the patch to the virtual host.
+                              properties:
+                                domainName:
+                                  description: Match a domain name in a virtual host.
+                                  type: string
+                                name:
+                                  description: The VirtualHosts objects generated
+                                    by Istio are named as host:port, where the host
+                                    typically corresponds to the VirtualService's
+                                    host field or the hostname of a service in the
+                                    registry.
+                                  type: string
+                                route:
+                                  description: Match a specific route within the virtual
+                                    host.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Match a route with specific action type.
+
+                                        Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE
+                                      enum:
+                                      - ANY
+                                      - ROUTE
+                                      - REDIRECT
+                                      - DIRECT_RESPONSE
+                                      type: string
+                                    name:
+                                      description: The Route objects generated by
+                                        default are named as default.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        waypoint:
+                          properties:
+                            filter:
+                              description: The name of a specific filter to apply
+                                the patch to.
+                              properties:
+                                name:
+                                  description: The filter name to match on.
+                                  type: string
+                                subFilter:
+                                  description: The next level filter within this filter
+                                    to match on.
+                                  properties:
+                                    name:
+                                      description: The filter name to match on.
+                                      type: string
+                                  type: object
+                              type: object
+                            portNumber:
+                              description: The service port to match on.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                              x-kubernetes-validations:
+                              - message: port must be between 1-65535
+                                rule: 0 < self && self <= 6553
+                            route:
+                              description: Match a specific route.
+                              properties:
+                                name:
+                                  description: The Route objects generated by default
+                                    are named as default.
+                                  type: string
+                              type: object
+                          type: object
+                      type: object
+                      x-kubernetes-validations:
+                      - message: only support waypointMatch when context is WAYPOINT
+                        rule: 'has(self.context) ? ((self.context == "WAYPOINT") ?
+                          has(self.waypoint) : !has(self.waypoint)) : !has(self.waypoint)'
+                    patch:
+                      description: The patch to apply along with the operation.
+                      properties:
+                        filterClass:
+                          description: |-
+                            Determines the filter insertion order.
+
+                            Valid Options: AUTHN, AUTHZ, STATS
+                          enum:
+                          - UNSPECIFIED
+                          - AUTHN
+                          - AUTHZ
+                          - STATS
+                          type: string
+                        operation:
+                          description: |-
+                            Determines how the patch should be applied.
+
+                            Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE
+                          enum:
+                          - INVALID
+                          - MERGE
+                          - ADD
+                          - REMOVE
+                          - INSERT_BEFORE
+                          - INSERT_AFTER
+                          - INSERT_FIRST
+                          - REPLACE
+                          type: string
+                        value:
+                          description: The JSON config of the object being patched.
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                  type: object
+                type: array
+              priority:
+                description: Priority defines the order in which patch sets are applied
+                  within a context.
+                format: int32
+                type: integer
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this patch configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or workloadSelector can be set
+              rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.targetRefs)
+                ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_gateways.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_gateways.yaml
new file mode 100644
index 0000000000..5e064d2a9d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_gateways.yaml
@@ -0,0 +1,850 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: gateways.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: Gateway
+    listKind: GatewayList
+    plural: gateways
+    shortNames:
+    - gw
+    singular: gateway
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertCredentialName:
+                          description: For mutual TLS, the name of the secret or the
+                            configmap that holds CA certificates.
+                          type: string
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        credentialNames:
+                          description: Same as CredentialName but for multiple certificates.
+                          items:
+                            type: string
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        tlsCertificates:
+                          description: Only one of `server_certificate`, `private_key`
+                            or `credential_name` or `credential_names` or `tls_certificates`
+                            should be specified.
+                          items:
+                            properties:
+                              caCertificates:
+                                type: string
+                              privateKey:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                              serverCertificate:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                            type: object
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                      x-kubernetes-validations:
+                      - message: only one of credentialNames or tlsCertificates can
+                          be set
+                        rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or credentialNames can
+                          be set
+                        rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or tlsCertificates can
+                          be set
+                        rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates)
+                          ? 1 : 0) <= 1'
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertCredentialName:
+                          description: For mutual TLS, the name of the secret or the
+                            configmap that holds CA certificates.
+                          type: string
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        credentialNames:
+                          description: Same as CredentialName but for multiple certificates.
+                          items:
+                            type: string
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        tlsCertificates:
+                          description: Only one of `server_certificate`, `private_key`
+                            or `credential_name` or `credential_names` or `tls_certificates`
+                            should be specified.
+                          items:
+                            properties:
+                              caCertificates:
+                                type: string
+                              privateKey:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                              serverCertificate:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                            type: object
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                      x-kubernetes-validations:
+                      - message: only one of credentialNames or tlsCertificates can
+                          be set
+                        rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or credentialNames can
+                          be set
+                        rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or tlsCertificates can
+                          be set
+                        rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates)
+                          ? 1 : 0) <= 1'
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertCredentialName:
+                          description: For mutual TLS, the name of the secret or the
+                            configmap that holds CA certificates.
+                          type: string
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        credentialNames:
+                          description: Same as CredentialName but for multiple certificates.
+                          items:
+                            type: string
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        tlsCertificates:
+                          description: Only one of `server_certificate`, `private_key`
+                            or `credential_name` or `credential_names` or `tls_certificates`
+                            should be specified.
+                          items:
+                            properties:
+                              caCertificates:
+                                type: string
+                              privateKey:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                              serverCertificate:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                            type: object
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                      x-kubernetes-validations:
+                      - message: only one of credentialNames or tlsCertificates can
+                          be set
+                        rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or credentialNames can
+                          be set
+                        rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or tlsCertificates can
+                          be set
+                        rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates)
+                          ? 1 : 0) <= 1'
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_proxyconfigs.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_proxyconfigs.yaml
new file mode 100644
index 0000000000..ff7c7d9ccd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_proxyconfigs.yaml
@@ -0,0 +1,151 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: proxyconfigs.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: ProxyConfig
+    listKind: ProxyConfigList
+    plural: proxyconfigs
+    singular: proxyconfig
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Provides configuration for individual workloads. See more
+              details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
+            properties:
+              concurrency:
+                description: The number of worker threads to run.
+                format: int32
+                minimum: 0
+                nullable: true
+                type: integer
+              environmentVariables:
+                additionalProperties:
+                  maxLength: 2048
+                  type: string
+                description: Additional environment variables for the proxy.
+                type: object
+              image:
+                description: Specifies the details of the proxy image.
+                properties:
+                  imageType:
+                    description: The image type of the image.
+                    type: string
+                type: object
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_serviceentries.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_serviceentries.yaml
new file mode 100644
index 0000000000..fa28464a9b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_serviceentries.yaml
@@ -0,0 +1,922 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: serviceentries.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: ServiceEntry
+    listKind: ServiceEntryList
+    plural: serviceentries
+    shortNames:
+    - se
+    singular: serviceentry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  maxLength: 64
+                  type: string
+                maxItems: 256
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      maxLength: 256
+                      type: string
+                      x-kubernetes-validations:
+                      - message: UDS must be an absolute path or abstract socket
+                        rule: 'self.startsWith("unix://") ? (self.substring(7, 8)
+                          == "/" || self.substring(7, 8) == "@") : true'
+                      - message: UDS may not be a dir
+                        rule: 'self.startsWith("unix://") ? !self.endsWith("/") :
+                          true'
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      maxProperties: 256
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      maxLength: 2048
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      maxLength: 2048
+                      type: string
+                    ports:
+                      additionalProperties:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      description: Set of ports associated with the endpoint.
+                      maxProperties: 128
+                      type: object
+                      x-kubernetes-validations:
+                      - message: port name must be valid
+                        rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      maxLength: 253
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                  type: object
+                  x-kubernetes-validations:
+                  - message: Address is required
+                    rule: has(self.address) || has(self.network)
+                  - message: UDS may not include ports
+                    rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                      ? !has(self.ports) : true'
+                maxItems: 4096
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                  x-kubernetes-validations:
+                  - message: hostname cannot be wildcard
+                    rule: self != "*"
+                maxItems: 256
+                minItems: 1
+                type: array
+              location:
+                description: |-
+                  Specify whether the service should be considered external to the mesh or part of the mesh.
+
+                  Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      maxLength: 256
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    protocol:
+                      description: The protocol exposed on the port.
+                      maxLength: 256
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                  required:
+                  - number
+                  - name
+                  type: object
+                maxItems: 256
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: port number cannot be duplicated
+                  rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
+              resolution:
+                description: |-
+                  Service resolution mode for the hosts.
+
+                  Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                - DYNAMIC_DNS
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+            x-kubernetes-validations:
+            - message: only one of WorkloadSelector or Endpoints can be set
+              rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ?
+                1 : 0) <= 1'
+            - message: CIDR addresses are allowed only for NONE/STATIC resolution
+                types
+              rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/"))
+                && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC",
+                "NONE"]))'
+            - message: NONE mode cannot set endpoints
+              rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE")
+                ? !has(self.endpoints) : true'
+            - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+              rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
+                ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  maxLength: 64
+                  type: string
+                maxItems: 256
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      maxLength: 256
+                      type: string
+                      x-kubernetes-validations:
+                      - message: UDS must be an absolute path or abstract socket
+                        rule: 'self.startsWith("unix://") ? (self.substring(7, 8)
+                          == "/" || self.substring(7, 8) == "@") : true'
+                      - message: UDS may not be a dir
+                        rule: 'self.startsWith("unix://") ? !self.endsWith("/") :
+                          true'
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      maxProperties: 256
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      maxLength: 2048
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      maxLength: 2048
+                      type: string
+                    ports:
+                      additionalProperties:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      description: Set of ports associated with the endpoint.
+                      maxProperties: 128
+                      type: object
+                      x-kubernetes-validations:
+                      - message: port name must be valid
+                        rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      maxLength: 253
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                  type: object
+                  x-kubernetes-validations:
+                  - message: Address is required
+                    rule: has(self.address) || has(self.network)
+                  - message: UDS may not include ports
+                    rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                      ? !has(self.ports) : true'
+                maxItems: 4096
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                  x-kubernetes-validations:
+                  - message: hostname cannot be wildcard
+                    rule: self != "*"
+                maxItems: 256
+                minItems: 1
+                type: array
+              location:
+                description: |-
+                  Specify whether the service should be considered external to the mesh or part of the mesh.
+
+                  Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      maxLength: 256
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    protocol:
+                      description: The protocol exposed on the port.
+                      maxLength: 256
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                  required:
+                  - number
+                  - name
+                  type: object
+                maxItems: 256
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: port number cannot be duplicated
+                  rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
+              resolution:
+                description: |-
+                  Service resolution mode for the hosts.
+
+                  Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                - DYNAMIC_DNS
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+            x-kubernetes-validations:
+            - message: only one of WorkloadSelector or Endpoints can be set
+              rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ?
+                1 : 0) <= 1'
+            - message: CIDR addresses are allowed only for NONE/STATIC resolution
+                types
+              rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/"))
+                && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC",
+                "NONE"]))'
+            - message: NONE mode cannot set endpoints
+              rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE")
+                ? !has(self.endpoints) : true'
+            - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+              rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
+                ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  maxLength: 64
+                  type: string
+                maxItems: 256
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      maxLength: 256
+                      type: string
+                      x-kubernetes-validations:
+                      - message: UDS must be an absolute path or abstract socket
+                        rule: 'self.startsWith("unix://") ? (self.substring(7, 8)
+                          == "/" || self.substring(7, 8) == "@") : true'
+                      - message: UDS may not be a dir
+                        rule: 'self.startsWith("unix://") ? !self.endsWith("/") :
+                          true'
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      maxProperties: 256
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      maxLength: 2048
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      maxLength: 2048
+                      type: string
+                    ports:
+                      additionalProperties:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      description: Set of ports associated with the endpoint.
+                      maxProperties: 128
+                      type: object
+                      x-kubernetes-validations:
+                      - message: port name must be valid
+                        rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      maxLength: 253
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                  type: object
+                  x-kubernetes-validations:
+                  - message: Address is required
+                    rule: has(self.address) || has(self.network)
+                  - message: UDS may not include ports
+                    rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                      ? !has(self.ports) : true'
+                maxItems: 4096
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                  x-kubernetes-validations:
+                  - message: hostname cannot be wildcard
+                    rule: self != "*"
+                maxItems: 256
+                minItems: 1
+                type: array
+              location:
+                description: |-
+                  Specify whether the service should be considered external to the mesh or part of the mesh.
+
+                  Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      maxLength: 256
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    protocol:
+                      description: The protocol exposed on the port.
+                      maxLength: 256
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                  required:
+                  - number
+                  - name
+                  type: object
+                maxItems: 256
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: port number cannot be duplicated
+                  rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
+              resolution:
+                description: |-
+                  Service resolution mode for the hosts.
+
+                  Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                - DYNAMIC_DNS
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+            x-kubernetes-validations:
+            - message: only one of WorkloadSelector or Endpoints can be set
+              rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ?
+                1 : 0) <= 1'
+            - message: CIDR addresses are allowed only for NONE/STATIC resolution
+                types
+              rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/"))
+                && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC",
+                "NONE"]))'
+            - message: NONE mode cannot set endpoints
+              rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE")
+                ? !has(self.endpoints) : true'
+            - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+              rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
+                ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_sidecars.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_sidecars.yaml
new file mode 100644
index 0000000000..e531c557c4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_sidecars.yaml
@@ -0,0 +1,1757 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: sidecars.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: Sidecar
+    listKind: SidecarList
+    plural: sidecars
+    singular: sidecar
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: |-
+                        When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: |-
+                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: |-
+                        The captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: |-
+                                Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  maximum: 4294967295
+                                  minimum: 0
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertCredentialName:
+                          description: For mutual TLS, the name of the secret or the
+                            configmap that holds CA certificates.
+                          type: string
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        credentialNames:
+                          description: Same as CredentialName but for multiple certificates.
+                          items:
+                            type: string
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        tlsCertificates:
+                          description: Only one of `server_certificate`, `private_key`
+                            or `credential_name` or `credential_names` or `tls_certificates`
+                            should be specified.
+                          items:
+                            properties:
+                              caCertificates:
+                                type: string
+                              privateKey:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                              serverCertificate:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                            type: object
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                      x-kubernetes-validations:
+                      - message: only one of credentialNames or tlsCertificates can
+                          be set
+                        rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or credentialNames can
+                          be set
+                        rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or tlsCertificates can
+                          be set
+                        rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates)
+                          ? 1 : 0) <= 1'
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Set the default behavior of the sidecar for handling
+                  outbound traffic from the application.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    description: |2-
+
+
+                      Valid Options: REGISTRY_ONLY, ALLOW_ANY
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: |-
+                        When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: |-
+                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: |-
+                        The captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: |-
+                                Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  maximum: 4294967295
+                                  minimum: 0
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertCredentialName:
+                          description: For mutual TLS, the name of the secret or the
+                            configmap that holds CA certificates.
+                          type: string
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        credentialNames:
+                          description: Same as CredentialName but for multiple certificates.
+                          items:
+                            type: string
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        tlsCertificates:
+                          description: Only one of `server_certificate`, `private_key`
+                            or `credential_name` or `credential_names` or `tls_certificates`
+                            should be specified.
+                          items:
+                            properties:
+                              caCertificates:
+                                type: string
+                              privateKey:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                              serverCertificate:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                            type: object
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                      x-kubernetes-validations:
+                      - message: only one of credentialNames or tlsCertificates can
+                          be set
+                        rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or credentialNames can
+                          be set
+                        rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or tlsCertificates can
+                          be set
+                        rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates)
+                          ? 1 : 0) <= 1'
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Set the default behavior of the sidecar for handling
+                  outbound traffic from the application.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    description: |2-
+
+
+                      Valid Options: REGISTRY_ONLY, ALLOW_ANY
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: |-
+                        When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: |-
+                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: |-
+                        The captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: |-
+                                Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  maximum: 4294967295
+                                  minimum: 0
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertCredentialName:
+                          description: For mutual TLS, the name of the secret or the
+                            configmap that holds CA certificates.
+                          type: string
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        credentialNames:
+                          description: Same as CredentialName but for multiple certificates.
+                          items:
+                            type: string
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        tlsCertificates:
+                          description: Only one of `server_certificate`, `private_key`
+                            or `credential_name` or `credential_names` or `tls_certificates`
+                            should be specified.
+                          items:
+                            properties:
+                              caCertificates:
+                                type: string
+                              privateKey:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                              serverCertificate:
+                                description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                                type: string
+                            type: object
+                          maxItems: 2
+                          minItems: 1
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                      x-kubernetes-validations:
+                      - message: only one of credentialNames or tlsCertificates can
+                          be set
+                        rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or credentialNames can
+                          be set
+                        rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames)
+                          ? 1 : 0) <= 1'
+                      - message: only one of credentialName or tlsCertificates can
+                          be set
+                        rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates)
+                          ? 1 : 0) <= 1'
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Set the default behavior of the sidecar for handling
+                  outbound traffic from the application.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    description: |2-
+
+
+                      Valid Options: REGISTRY_ONLY, ALLOW_ANY
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml
new file mode 100644
index 0000000000..8d26d69d2d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml
@@ -0,0 +1,3181 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: virtualservices.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: VirtualService
+    listKind: VirtualServiceList
+    plural: virtualservices
+    shortNames:
+    - vs
+    singular: virtualservice
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        unmatchedPreflights:
+                          description: |-
+                            Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+                            Valid Options: FORWARD, IGNORE
+                          enum:
+                          - UNSPECIFIED
+                          - FORWARD
+                          - IGNORE
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: byte
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: |-
+                            On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
+
+                            Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        backoff:
+                          description: Specifies the minimum duration between retry
+                            attempts.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        retryIgnorePreviousHosts:
+                          description: Flag to specify whether the retries should
+                            ignore previously tried hosts during retry.
+                          nullable: true
+                          type: boolean
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        unmatchedPreflights:
+                          description: |-
+                            Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+                            Valid Options: FORWARD, IGNORE
+                          enum:
+                          - UNSPECIFIED
+                          - FORWARD
+                          - IGNORE
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: byte
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: |-
+                            On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
+
+                            Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        backoff:
+                          description: Specifies the minimum duration between retry
+                            attempts.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        retryIgnorePreviousHosts:
+                          description: Flag to specify whether the retries should
+                            ignore previously tried hosts during retry.
+                          nullable: true
+                          type: boolean
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        unmatchedPreflights:
+                          description: |-
+                            Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+                            Valid Options: FORWARD, IGNORE
+                          enum:
+                          - UNSPECIFIED
+                          - FORWARD
+                          - IGNORE
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: byte
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: |-
+                            On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
+
+                            Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        backoff:
+                          description: Specifies the minimum duration between retry
+                            attempts.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        retryIgnorePreviousHosts:
+                          description: Flag to specify whether the retries should
+                            ignore previously tried hosts during retry.
+                          nullable: true
+                          type: boolean
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadentries.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadentries.yaml
new file mode 100644
index 0000000000..4e254f3683
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadentries.yaml
@@ -0,0 +1,505 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: workloadentries.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: WorkloadEntry
+    listKind: WorkloadEntryList
+    plural: workloadentries
+    shortNames:
+    - we
+    singular: workloadentry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                maxLength: 256
+                type: string
+                x-kubernetes-validations:
+                - message: UDS must be an absolute path or abstract socket
+                  rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/"
+                    || self.substring(7, 8) == "@") : true'
+                - message: UDS may not be a dir
+                  rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                maxProperties: 256
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                maxLength: 2048
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                maxLength: 2048
+                type: string
+              ports:
+                additionalProperties:
+                  maximum: 4294967295
+                  minimum: 0
+                  type: integer
+                  x-kubernetes-validations:
+                  - message: port must be between 1-65535
+                    rule: 0 < self && self <= 65535
+                description: Set of ports associated with the endpoint.
+                maxProperties: 128
+                type: object
+                x-kubernetes-validations:
+                - message: port name must be valid
+                  rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                maxLength: 253
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+            type: object
+            x-kubernetes-validations:
+            - message: Address is required
+              rule: has(self.address) || has(self.network)
+            - message: UDS may not include ports
+              rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                ? !has(self.ports) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                maxLength: 256
+                type: string
+                x-kubernetes-validations:
+                - message: UDS must be an absolute path or abstract socket
+                  rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/"
+                    || self.substring(7, 8) == "@") : true'
+                - message: UDS may not be a dir
+                  rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                maxProperties: 256
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                maxLength: 2048
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                maxLength: 2048
+                type: string
+              ports:
+                additionalProperties:
+                  maximum: 4294967295
+                  minimum: 0
+                  type: integer
+                  x-kubernetes-validations:
+                  - message: port must be between 1-65535
+                    rule: 0 < self && self <= 65535
+                description: Set of ports associated with the endpoint.
+                maxProperties: 128
+                type: object
+                x-kubernetes-validations:
+                - message: port name must be valid
+                  rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                maxLength: 253
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+            type: object
+            x-kubernetes-validations:
+            - message: Address is required
+              rule: has(self.address) || has(self.network)
+            - message: UDS may not include ports
+              rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                ? !has(self.ports) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                maxLength: 256
+                type: string
+                x-kubernetes-validations:
+                - message: UDS must be an absolute path or abstract socket
+                  rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/"
+                    || self.substring(7, 8) == "@") : true'
+                - message: UDS may not be a dir
+                  rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                maxProperties: 256
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                maxLength: 2048
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                maxLength: 2048
+                type: string
+              ports:
+                additionalProperties:
+                  maximum: 4294967295
+                  minimum: 0
+                  type: integer
+                  x-kubernetes-validations:
+                  - message: port must be between 1-65535
+                    rule: 0 < self && self <= 65535
+                description: Set of ports associated with the endpoint.
+                maxProperties: 128
+                type: object
+                x-kubernetes-validations:
+                - message: port name must be valid
+                  rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                maxLength: 253
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+            type: object
+            x-kubernetes-validations:
+            - message: Address is required
+              rule: has(self.address) || has(self.network)
+            - message: UDS may not include ports
+              rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                ? !has(self.ports) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadgroups.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadgroups.yaml
new file mode 100644
index 0000000000..c1e02618f9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadgroups.yaml
@@ -0,0 +1,949 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: workloadgroups.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: WorkloadGroup
+    listKind: WorkloadGroupList
+    plural: workloadgroups
+    shortNames:
+    - wg
+    singular: workloadgroup
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Describes a collection of workload instances. See more details
+              at: https://istio.io/docs/reference/config/networking/workload-group.html'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                    - required:
+                      - grpc
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                - required:
+                  - grpc
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          minLength: 1
+                          type: string
+                        type: array
+                    required:
+                    - command
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  grpc:
+                    description: GRPC call is made and response/error is used to determine
+                      health.
+                    properties:
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      service:
+                        type: string
+                    type: object
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              pattern: ^[-_A-Za-z0-9]+$
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      scheme:
+                        type: string
+                        x-kubernetes-validations:
+                        - message: scheme must be one of [HTTP, HTTPS]
+                          rule: self in ["", "HTTP", "HTTPS"]
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    maxLength: 256
+                    type: string
+                    x-kubernetes-validations:
+                    - message: UDS must be an absolute path or abstract socket
+                      rule: 'self.startsWith("unix://") ? (self.substring(7, 8) ==
+                        "/" || self.substring(7, 8) == "@") : true'
+                    - message: UDS may not be a dir
+                      rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    maxProperties: 256
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    maxLength: 2048
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    maxLength: 2048
+                    type: string
+                  ports:
+                    additionalProperties:
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    description: Set of ports associated with the endpoint.
+                    maxProperties: 128
+                    type: object
+                    x-kubernetes-validations:
+                    - message: port name must be valid
+                      rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    maxLength: 253
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    maximum: 4294967295
+                    minimum: 0
+                    type: integer
+                type: object
+                x-kubernetes-validations:
+                - message: UDS may not include ports
+                  rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                    ? !has(self.ports) : true'
+            required:
+            - template
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Describes a collection of workload instances. See more details
+              at: https://istio.io/docs/reference/config/networking/workload-group.html'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                    - required:
+                      - grpc
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                - required:
+                  - grpc
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          minLength: 1
+                          type: string
+                        type: array
+                    required:
+                    - command
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  grpc:
+                    description: GRPC call is made and response/error is used to determine
+                      health.
+                    properties:
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      service:
+                        type: string
+                    type: object
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              pattern: ^[-_A-Za-z0-9]+$
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      scheme:
+                        type: string
+                        x-kubernetes-validations:
+                        - message: scheme must be one of [HTTP, HTTPS]
+                          rule: self in ["", "HTTP", "HTTPS"]
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    maxLength: 256
+                    type: string
+                    x-kubernetes-validations:
+                    - message: UDS must be an absolute path or abstract socket
+                      rule: 'self.startsWith("unix://") ? (self.substring(7, 8) ==
+                        "/" || self.substring(7, 8) == "@") : true'
+                    - message: UDS may not be a dir
+                      rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    maxProperties: 256
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    maxLength: 2048
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    maxLength: 2048
+                    type: string
+                  ports:
+                    additionalProperties:
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    description: Set of ports associated with the endpoint.
+                    maxProperties: 128
+                    type: object
+                    x-kubernetes-validations:
+                    - message: port name must be valid
+                      rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    maxLength: 253
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    maximum: 4294967295
+                    minimum: 0
+                    type: integer
+                type: object
+                x-kubernetes-validations:
+                - message: UDS may not include ports
+                  rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                    ? !has(self.ports) : true'
+            required:
+            - template
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Describes a collection of workload instances. See more details
+              at: https://istio.io/docs/reference/config/networking/workload-group.html'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                    - required:
+                      - grpc
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                - required:
+                  - grpc
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          minLength: 1
+                          type: string
+                        type: array
+                    required:
+                    - command
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  grpc:
+                    description: GRPC call is made and response/error is used to determine
+                      health.
+                    properties:
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      service:
+                        type: string
+                    type: object
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              pattern: ^[-_A-Za-z0-9]+$
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      scheme:
+                        type: string
+                        x-kubernetes-validations:
+                        - message: scheme must be one of [HTTP, HTTPS]
+                          rule: self in ["", "HTTP", "HTTPS"]
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    maxLength: 256
+                    type: string
+                    x-kubernetes-validations:
+                    - message: UDS must be an absolute path or abstract socket
+                      rule: 'self.startsWith("unix://") ? (self.substring(7, 8) ==
+                        "/" || self.substring(7, 8) == "@") : true'
+                    - message: UDS may not be a dir
+                      rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    maxProperties: 256
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    maxLength: 2048
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    maxLength: 2048
+                    type: string
+                  ports:
+                    additionalProperties:
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    description: Set of ports associated with the endpoint.
+                    maxProperties: 128
+                    type: object
+                    x-kubernetes-validations:
+                    - message: port name must be valid
+                      rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    maxLength: 253
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    maximum: 4294967295
+                    minimum: 0
+                    type: integer
+                type: object
+                x-kubernetes-validations:
+                - message: UDS may not include ports
+                  rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                    ? !has(self.ports) : true'
+            required:
+            - template
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml
new file mode 100644
index 0000000000..61871b3bbf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml
@@ -0,0 +1,1577 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.20.0
+  name: istiocnis.sailoperator.io
+spec:
+  group: sailoperator.io
+  names:
+    categories:
+    - istio-io
+    kind: IstioCNI
+    listKind: IstioCNIList
+    plural: istiocnis
+    singular: istiocni
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: The namespace of the istio-cni-node DaemonSet.
+      jsonPath: .spec.namespace
+      name: Namespace
+      type: string
+    - description: The selected profile (collection of value presets).
+      jsonPath: .spec.profile
+      name: Profile
+      type: string
+    - description: Whether the Istio CNI installation is ready to handle requests.
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - description: The current state of this object.
+      jsonPath: .status.state
+      name: Status
+      type: string
+    - description: The version of the Istio CNI installation.
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: The age of the object
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: IstioCNI represents a deployment of the Istio CNI component.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            default:
+              namespace: istio-cni
+              version: v1.28.3
+            description: IstioCNISpec defines the desired state of IstioCNI
+            properties:
+              namespace:
+                default: istio-cni
+                description: Namespace to which the Istio CNI component should be
+                  installed. Note that this field is immutable.
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
+              profile:
+                description: |-
+                  The built-in installation configuration profile to use.
+                  The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
+                  Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable.
+                enum:
+                - ambient
+                - default
+                - demo
+                - empty
+                - external
+                - openshift
+                - openshift-ambient
+                - preview
+                - remote
+                - stable
+                type: string
+              values:
+                description: Defines the values to be passed to the Helm charts when
+                  installing Istio CNI.
+                properties:
+                  cni:
+                    description: Configuration for the Istio CNI plugin.
+                    properties:
+                      affinity:
+                        description: K8s affinity to set on the istio-cni Pods. Can
+                          be used to exclude istio-cni from being scheduled on specified
+                          nodes.
+                        properties:
+                          nodeAffinity:
+                            description: Describes node affinity scheduling rules
+                              for the pod.
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node matches the corresponding matchExpressions; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: |-
+                                    An empty preferred scheduling term matches all objects with implicit weight 0
+                                    (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+                                  properties:
+                                    preference:
+                                      description: A node selector term, associated
+                                        with the corresponding weight.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    weight:
+                                      description: Weight associated with matching
+                                        the corresponding nodeSelectorTerm, in the
+                                        range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - preference
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to an update), the system
+                                  may or may not try to eventually evict the pod from its node.
+                                properties:
+                                  nodeSelectorTerms:
+                                    description: Required. A list of node selector
+                                      terms. The terms are ORed.
+                                    items:
+                                      description: |-
+                                        A null or empty node selector term matches no objects. The requirements of
+                                        them are ANDed.
+                                        The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - nodeSelectorTerms
+                                type: object
+                                x-kubernetes-map-type: atomic
+                            type: object
+                          podAffinity:
+                            description: Describes pod affinity scheduling rules (e.g.
+                              co-locate this pod in the same node, zone, etc. as some
+                              other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          podAntiAffinity:
+                            description: Describes pod anti-affinity scheduling rules
+                              (e.g. avoid putting this pod in the same node, zone,
+                              etc. as some other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the anti-affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling anti-affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and subtracting
+                                  "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the anti-affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the anti-affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                        type: object
+                      ambient:
+                        description: Configuration for Istio Ambient.
+                        properties:
+                          configDir:
+                            description: The directory path containing the configuration
+                              files for Ambient. Defaults to /etc/ambient-config.
+                            type: string
+                          dnsCapture:
+                            description: If enabled, and ambient is enabled, DNS redirection
+                              will be enabled.
+                            type: boolean
+                          enabled:
+                            description: Controls whether ambient redirection is enabled
+                            type: boolean
+                          ipv6:
+                            description: 'UNSTABLE: If enabled, and ambient is enabled,
+                              enables ipv6 support'
+                            type: boolean
+                          reconcileIptablesOnStartup:
+                            description: If enabled, and ambient is enabled, iptables
+                              reconciliation will be enabled.
+                            type: boolean
+                        type: object
+                      chained:
+                        description: |-
+                          Configure the plugin as a chained CNI plugin. When true, the configuration is added to the CNI chain; when false,
+                          the configuration is added as a standalone file in the CNI configuration directory.
+                        type: boolean
+                      cniBinDir:
+                        description: The directory path within the cluster node's
+                          filesystem where the CNI binaries are to be installed. Typically
+                          /var/lib/cni/bin.
+                        type: string
+                      cniConfDir:
+                        description: The directory path within the cluster node's
+                          filesystem where the CNI configuration files are to be installed.
+                          Typically /etc/cni/net.d.
+                        type: string
+                      cniConfFileName:
+                        description: The name of the CNI plugin configuration file.
+                          Defaults to istio-cni.conf.
+                        type: string
+                      cniNetnsDir:
+                        description: |-
+                          The directory path within the cluster node's filesystem where network namespaces are located.
+                          Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.
+                        type: string
+                      daemonSetLabels:
+                        additionalProperties:
+                          type: string
+                        description: Additional labels to apply to the istio-cni DaemonSet.
+                        type: object
+                      env:
+                        additionalProperties:
+                          type: string
+                        description: "Environment variables passed to the CNI container.\n\nExamples:\nenv:\n\n\tENV_VAR_1:
+                          value1\n\tENV_VAR_2: value2"
+                        type: object
+                      excludeNamespaces:
+                        description: List of namespaces that should be ignored by
+                          the CNI plugin.
+                        items:
+                          type: string
+                        type: array
+                      hub:
+                        description: Hub to pull the container image from. Image will
+                          be `Hub/Image:Tag-Variant`.
+                        type: string
+                      image:
+                        description: |-
+                          Image name to pull from. Image will be `Hub/Image:Tag-Variant`.
+                          If Image contains a "/", it will replace the entire `image` in the pod.
+                        type: string
+                      istioOwnedCNIConfig:
+                        description: Specifies if an Istio owned CNI config should
+                          be created.
+                        type: boolean
+                      istioOwnedCNIConfigFileName:
+                        type: string
+                      logging:
+                        description: Same as `global.logging.level`, but will override
+                          it if set
+                        properties:
+                          level:
+                            description: |-
+                              Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+                              The control plane has different scopes depending on component, but can configure default log level across all components
+                              If empty, default scope and level will be used as configured in code
+                            type: string
+                        type: object
+                      podAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          Additional annotations to apply to the istio-cni Pods.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: object
+                      podLabels:
+                        additionalProperties:
+                          type: string
+                        description: Additional labels to apply to the istio-cni Pods.
+                        type: object
+                      privileged:
+                        description: |-
+                          No longer used for CNI. See: https://github.com/istio/istio/issues/49004
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: boolean
+                      provider:
+                        description: |-
+                          Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an additional
+                          NetworkAttachmentDefinition resource is deployed to the cluster to allow the istio-cni plugin to be
+                          invoked in a cluster using the Multus CNI plugin.
+                        type: string
+                      psp_cluster_role:
+                        description: PodSecurityPolicy cluster role. No longer used
+                          anywhere.
+                        type: string
+                      pullPolicy:
+                        description: |-
+                          Specifies the image pull policy. one of Always, Never, IfNotPresent.
+                          Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
+
+                          More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+                        enum:
+                        - Always
+                        - Never
+                        - IfNotPresent
+                        type: string
+                      repair:
+                        description: Configuration for the CNI Repair controller.
+                        properties:
+                          brokenPodLabelKey:
+                            description: The label key to apply to a broken pod when
+                              the controller is in labelPods mode.
+                            type: string
+                          brokenPodLabelValue:
+                            description: The label value to apply to a broken pod
+                              when the controller is in labelPods mode.
+                            type: string
+                          createEvents:
+                            description: |-
+                              No longer used.
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            type: string
+                          deletePods:
+                            description: |-
+                              The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used.
+                              The mode defines the action the controller will take when a pod is detected as broken.
+                              If deletePods is true, the controller will delete the broken pod. The pod will then be rescheduled, hopefully onto a node that is fully ready.
+                              Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+                            type: boolean
+                          enabled:
+                            description: Controls whether repair behavior is enabled.
+                            type: boolean
+                          hub:
+                            description: Hub to pull the container image from. Image
+                              will be `Hub/Image:Tag-Variant`.
+                            type: string
+                          image:
+                            description: |-
+                              Image name to pull from. Image will be `Hub/Image:Tag-Variant`.
+                              If Image contains a "/", it will replace the entire `image` in the pod.
+                            type: string
+                          initContainerName:
+                            description: The name of the init container to use for
+                              the repairPods mode.
+                            type: string
+                          labelPods:
+                            description: |-
+                              The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used.
+                              The mode defines the action the controller will take when a pod is detected as broken.
+                              If labelPods is true, the controller will label all broken pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+                              This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+                              Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+                            type: boolean
+                          repairPods:
+                            description: |-
+                              The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used.
+                              The mode defines the action the controller will take when a pod is detected as broken.
+                              If repairPods is true, the controller will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+                              Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+                              This requires no RBAC privilege, but will require the CNI agent to run as a privileged pod.
+                            type: boolean
+                          tag:
+                            description: The container image tag to pull. Image will
+                              be `Hub/Image:Tag-Variant`.
+                            type: string
+                        type: object
+                      resource_quotas:
+                        description: The resource quotas configuration for the CNI
+                          DaemonSet.
+                        properties:
+                          enabled:
+                            description: Controls whether to create resource quotas
+                              or not for the CNI DaemonSet.
+                            type: boolean
+                          pods:
+                            description: The hard limit on the number of pods in the
+                              namespace where the CNI DaemonSet is deployed.
+                            format: int64
+                            type: integer
+                        type: object
+                      resources:
+                        description: The k8s resource requests and limits for the
+                          istio-cni Pods.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      rollingMaxUnavailable:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          The number of pods that can be unavailable during a rolling update of the CNI DaemonSet (see
+                          `updateStrategy.rollingUpdate.maxUnavailable` here:
+                          https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+                          May be specified as a number of pods or as a percent of the total number
+                          of pods at the start of the update.
+                        x-kubernetes-int-or-string: true
+                      seccompProfile:
+                        description: |-
+                          The Container seccompProfile
+
+                          See: https://kubernetes.io/docs/tutorials/security/seccomp/
+                        properties:
+                          localhostProfile:
+                            description: |-
+                              localhostProfile indicates a profile defined in a file on the node should be used.
+                              The profile must be preconfigured on the node to work.
+                              Must be a descending path, relative to the kubelet's configured seccomp profile location.
+                              Must be set if type is "Localhost". Must NOT be set for any other type.
+                            type: string
+                          type:
+                            description: |-
+                              type indicates which kind of seccomp profile will be applied.
+                              Valid options are:
+
+                              Localhost - a profile defined in a file on the node should be used.
+                              RuntimeDefault - the container runtime default profile should be used.
+                              Unconfined - no profile should be applied.
+                            type: string
+                        required:
+                        - type
+                        type: object
+                      tag:
+                        description: The container image tag to pull. Image will be
+                          `Hub/Image:Tag-Variant`.
+                        type: string
+                      variant:
+                        description: The container image variant to pull. Options
+                          are "debug" or "distroless". Unset will use the default
+                          for the given version.
+                        type: string
+                    type: object
+                  global:
+                    description: Part of the global configuration applicable to the
+                      Istio CNI component.
+                    properties:
+                      defaultResources:
+                        description: |-
+                          See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      hub:
+                        description: Specifies the docker hub for Istio images.
+                        type: string
+                      imagePullPolicy:
+                        description: |-
+                          Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent.
+                          Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
+
+                          More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+                        enum:
+                        - Always
+                        - Never
+                        - IfNotPresent
+                        type: string
+                      imagePullSecrets:
+                        description: |-
+                          ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace
+                          to use for pulling any images in pods that reference this ServiceAccount.
+                          Must be set for any cluster configured with private docker registry.
+                        items:
+                          type: string
+                        type: array
+                      logAsJson:
+                        description: Specifies whether istio components should output
+                          logs in json format by adding --log_as_json argument to
+                          each container.
+                        type: boolean
+                      logging:
+                        description: Specifies the global logging level settings for
+                          the Istio control plane components.
+                        properties:
+                          level:
+                            description: |-
+                              Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+                              The control plane has different scopes depending on component, but can configure default log level across all components
+                              If empty, default scope and level will be used as configured in code
+                            type: string
+                        type: object
+                      nativeNftables:
+                        description: Specifies whether native nftables rules should
+                          be used instead of iptables rules for traffic redirection.
+                        type: boolean
+                      platform:
+                        description: |-
+                          Platform in which Istio is deployed. Possible values are: "openshift" and "gcp"
+                          An empty value means it is a vanilla Kubernetes distribution, therefore no special
+                          treatment will be considered.
+                        type: string
+                      tag:
+                        description: Specifies the tag for the Istio docker images.
+                        type: string
+                      variant:
+                        description: The variant of the Istio container images to
+                          use. Options are "debug" or "distroless". Unset will use
+                          the default for the given version.
+                        type: string
+                    type: object
+                type: object
+              version:
+                default: v1.28.3
+                description: |-
+                  Defines the version of Istio to install.
+                  Must be one of: v1.28-latest, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a30ad733.
+                enum:
+                - v1.28-latest
+                - v1.28.3
+                - v1.28.2
+                - v1.28.1
+                - v1.28.0
+                - v1.27-latest
+                - v1.27.5
+                - v1.27.4
+                - v1.27.3
+                - v1.27.2
+                - v1.27.1
+                - v1.27.0
+                - v1.26-latest
+                - v1.26.8
+                - v1.26.7
+                - v1.26.6
+                - v1.26.5
+                - v1.26.4
+                - v1.26.3
+                - v1.26.2
+                - v1.26.1
+                - v1.26.0
+                - v1.25-latest
+                - v1.25.5
+                - v1.25.4
+                - v1.25.3
+                - v1.25.2
+                - v1.25.1
+                - v1.24-latest
+                - v1.24.6
+                - v1.24.5
+                - v1.24.4
+                - v1.24.3
+                - v1.24.2
+                - v1.24.1
+                - v1.24.0
+                - v1.23-latest
+                - v1.23.6
+                - v1.23.5
+                - v1.23.4
+                - v1.23.3
+                - v1.23.2
+                - v1.22-latest
+                - v1.22.8
+                - v1.22.7
+                - v1.22.6
+                - v1.22.5
+                - v1.21.6
+                - master
+                - v1.30-alpha.a30ad733
+                type: string
+            required:
+            - namespace
+            - version
+            type: object
+          status:
+            description: IstioCNIStatus defines the observed state of IstioCNI
+            properties:
+              conditions:
+                description: Represents the latest available observations of the object's
+                  current state.
+                items:
+                  description: IstioCNICondition represents a specific observation
+                    of the IstioCNI object's state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        the last transition.
+                      type: string
+                    reason:
+                      description: Unique, single-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: The status of this condition. Can be True, False
+                        or Unknown.
+                      type: string
+                    type:
+                      description: The type of this condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the most recent generation observed for this
+                  IstioCNI object. It corresponds to the object's generation, which is
+                  updated on mutation by the API Server. The information in the status
+                  pertains to this particular generation of the object.
+                format: int64
+                type: integer
+              state:
+                description: Reports the current state of the object.
+                type: string
+            type: object
+        type: object
+        x-kubernetes-validations:
+        - message: metadata.name must be 'default'
+          rule: self.metadata.name == 'default'
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml
new file mode 100644
index 0000000000..44ba32d2a7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml
@@ -0,0 +1,10230 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.20.0
+  name: istiorevisions.sailoperator.io
+spec:
+  group: sailoperator.io
+  names:
+    categories:
+    - istio-io
+    kind: IstioRevision
+    listKind: IstioRevisionList
+    plural: istiorevisions
+    shortNames:
+    - istiorev
+    singular: istiorevision
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: The namespace for the control plane components.
+      jsonPath: .spec.namespace
+      name: Namespace
+      type: string
+    - description: The selected profile (collection of value presets).
+      jsonPath: .spec.values.profile
+      name: Profile
+      type: string
+    - description: Whether the control plane installation is ready to handle requests.
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - description: The current state of this object.
+      jsonPath: .status.state
+      name: Status
+      type: string
+    - description: Whether the revision is being used by workloads.
+      jsonPath: .status.conditions[?(@.type=="InUse")].status
+      name: In use
+      type: string
+    - description: The version of the control plane installation.
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: The age of the object
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          IstioRevision represents a single revision of an Istio Service Mesh deployment.
+          Users shouldn't create IstioRevision objects directly. Instead, they should
+          create an Istio object and allow the operator to create the underlying
+          IstioRevision object(s).
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IstioRevisionSpec defines the desired state of IstioRevision
+            properties:
+              namespace:
+                description: Namespace to which the Istio components should be installed.
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
+              values:
+                description: Defines the values to be passed to the Helm charts when
+                  installing Istio.
+                properties:
+                  base:
+                    description: Configuration for the base component.
+                    properties:
+                      excludedCRDs:
+                        description: CRDs to exclude. Requires `enableCRDTemplates`
+                        items:
+                          type: string
+                        type: array
+                      validationCABundle:
+                        description: validation webhook CA bundle
+                        type: string
+                      validationURL:
+                        description: URL to use for validating webhook.
+                        type: string
+                    type: object
+                  compatibilityVersion:
+                    description: |-
+                      Specifies the compatibility version to use. When this is set, the control plane will
+                      be configured with the same defaults as the specified version.
+                    type: string
+                  defaultRevision:
+                    description: |-
+                      The name of the default revision in the cluster.
+                      Deprecated: This field is ignored. The default revision is expected to be configurable elsewhere.
+                    type: string
+                  experimental:
+                    description: Specifies experimental helm fields that could be
+                      removed or changed in the future
+                    x-kubernetes-preserve-unknown-fields: true
+                  gatewayClasses:
+                    description: Configuration for Gateway Classes
+                    x-kubernetes-preserve-unknown-fields: true
+                  global:
+                    description: Global configuration for Istio components.
+                    properties:
+                      agentgateway:
+                        description: Specifies how proxies are configured within Istio.
+                        properties:
+                          image:
+                            type: string
+                        type: object
+                      arch:
+                        description: "Specifies pod scheduling arch(amd64, ppc64le,
+                          s390x, arm64) and weight as follows:\n\n\t0 - Never scheduled\n\t1
+                          - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated:
+                          replaced by the affinity k8s settings which allows architecture
+                          nodeAffinity configuration of this behavior.\n\nDeprecated:
+                          Marked as deprecated in pkg/apis/values_types.proto."
+                        properties:
+                          amd64:
+                            description: Sets pod scheduling weight for amd64 arch
+                            format: int32
+                            type: integer
+                          arm64:
+                            description: Sets pod scheduling weight for arm64 arch.
+                            format: int32
+                            type: integer
+                          ppc64le:
+                            description: Sets pod scheduling weight for ppc64le arch.
+                            format: int32
+                            type: integer
+                          s390x:
+                            description: Sets pod scheduling weight for s390x arch.
+                            format: int32
+                            type: integer
+                        type: object
+                      caAddress:
+                        description: The address of the CA for CSR.
+                        type: string
+                      caName:
+                        description: |-
+                          The name of the CA for workloads.
+                          For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+                          will be used as the certificates for workloads.
+                          The default value is "" and when caName="", the CA will be configured by other
+                          mechanisms (e.g., environmental variable CA_PROVIDER).
+                        type: string
+                      certSigners:
+                        description: List of certSigners to allow "approve" action
+                          in the ClusterRole
+                        items:
+                          type: string
+                        type: array
+                      configCluster:
+                        description: Controls whether a remote cluster is the config
+                          cluster for an external istiod
+                        type: boolean
+                      configValidation:
+                        description: Controls whether the server-side validation is
+                          enabled.
+                        type: boolean
+                      defaultNodeSelector:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          Default k8s node selector for all the Istio control plane components
+
+                          See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: object
+                      defaultPodDisruptionBudget:
+                        description: Specifies the default pod disruption budget configuration.
+                        properties:
+                          enabled:
+                            description: Controls whether a PodDisruptionBudget with
+                              a default minAvailable value of 1 is created for each
+                              deployment.
+                            type: boolean
+                        type: object
+                      defaultResources:
+                        description: |-
+                          Default k8s resources settings for all Istio control plane components.
+
+                          See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      defaultTolerations:
+                        description: |-
+                          Default node tolerations to be applied to all deployments so that all pods can be
+                          scheduled to nodes with matching taints. Each component can overwrite
+                          these default values by adding its tolerations block in the relevant section below
+                          and setting the desired values.
+                          Configure this field in case that all pods of Istio control plane are expected to
+                          be scheduled to particular nodes with specified taints.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        items:
+                          description: |-
+                            The pod this Toleration is attached to tolerates any taint that matches
+                            the triple <key,value,effect> using the matching operator <operator>.
+                          properties:
+                            effect:
+                              description: |-
+                                Effect indicates the taint effect to match. Empty means match all taint effects.
+                                When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: |-
+                                Key is the taint key that the toleration applies to. Empty means match all taint keys.
+                                If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                              type: string
+                            operator:
+                              description: |-
+                                Operator represents a key's relationship to the value.
+                                Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+                                Exists is equivalent to wildcard for value, so that a pod can
+                                tolerate all taints of a particular category.
+                                Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+                              type: string
+                            tolerationSeconds:
+                              description: |-
+                                TolerationSeconds represents the period of time the toleration (which must be
+                                of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+                                it is not set, which means tolerate the taint forever (do not evict). Zero and
+                                negative values will be treated as 0 (evict immediately) by the system.
+                              format: int64
+                              type: integer
+                            value:
+                              description: |-
+                                Value is the taint value the toleration matches to.
+                                If the operator is Exists, the value should be empty, otherwise just a regular string.
+                              type: string
+                          type: object
+                        type: array
+                      externalIstiod:
+                        description: Controls whether one external istiod is enabled.
+                        type: boolean
+                      hub:
+                        description: Specifies the docker hub for Istio images.
+                        type: string
+                      imagePullPolicy:
+                        description: |-
+                          Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent.
+                          Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
+
+                          More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+                        enum:
+                        - Always
+                        - Never
+                        - IfNotPresent
+                        type: string
+                      imagePullSecrets:
+                        description: |-
+                          ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace
+                          to use for pulling any images in pods that reference this ServiceAccount.
+                          Must be set for any cluster configured with private docker registry.
+                        items:
+                          type: string
+                        type: array
+                      ipFamilies:
+                        description: |-
+                          Defines which IP family to use for single stack or the order of IP families for dual-stack.
+                          Valid list items are "IPv4", "IPv6".
+                          More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+                        items:
+                          type: string
+                        type: array
+                      ipFamilyPolicy:
+                        description: |-
+                          Controls whether Services are configured to use IPv4, IPv6, or both. Valid options
+                          are PreferDualStack, RequireDualStack, and SingleStack.
+                          More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+                        type: string
+                      istioNamespace:
+                        description: Specifies the default namespace for the Istio
+                          control plane components.
+                        type: string
+                      istiod:
+                        description: Specifies the configution of istiod
+                        properties:
+                          enableAnalysis:
+                            description: If enabled, istiod will perform config analysis
+                            type: boolean
+                        type: object
+                      jwtPolicy:
+                        description: |-
+                          Configure the policy for validating JWT.
+                          This is deprecated and has no effect.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: string
+                      logAsJson:
+                        description: Specifies whether istio components should output
+                          logs in json format by adding --log_as_json argument to
+                          each container.
+                        type: boolean
+                      logging:
+                        description: Specifies the global logging level settings for
+                          the Istio control plane components.
+                        properties:
+                          level:
+                            description: |-
+                              Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+                              The control plane has different scopes depending on component, but can configure default log level across all components
+                              If empty, default scope and level will be used as configured in code
+                            type: string
+                        type: object
+                      meshID:
+                        description: |-
+                          The Mesh Identifier. It should be unique within the scope where
+                          meshes will interact with each other, but it is not required to be
+                          globally/universally unique. For example, if any of the following are true,
+                          then two meshes must have different Mesh IDs:
+                          - Meshes will have their telemetry aggregated in one place
+                          - Meshes will be federated together
+                          - Policy will be written referencing one mesh from the other
+
+                          If an administrator expects that any of these conditions may become true in
+                          the future, they should ensure their meshes have different Mesh IDs
+                          assigned.
+
+                          Within a multicluster mesh, each cluster must be (manually or auto)
+                          configured to have the same Mesh ID value. If an existing cluster 'joins' a
+                          multicluster mesh, it will need to be migrated to the new mesh ID. Details
+                          of migration TBD, and it may be a disruptive operation to change the Mesh
+                          ID post-install.
+
+                          If the mesh admin does not specify a value, Istio will use the value of the
+                          mesh's Trust Domain. The best practice is to select a proper Trust Domain
+                          value.
+                        type: string
+                      meshNetworks:
+                        additionalProperties:
+                          description: |-
+                            Network provides information about the endpoints in a routable L3
+                            network. A single routable L3 network can have one or more service
+                            registries. Note that the network has no relation to the locality of the
+                            endpoint. The endpoint locality will be obtained from the service
+                            registry.
+                          properties:
+                            endpoints:
+                              description: |-
+                                The list of endpoints in the network (obtained through the
+                                constituent service registries or from CIDR ranges). All endpoints in
+                                the network are directly accessible to one another.
+                              items:
+                                description: "NetworkEndpoints describes how the network
+                                  associated with an endpoint\nshould be inferred.
+                                  An endpoint will be assigned to a network based
+                                  on\nthe following rules:\n\n1. Implicitly: If the
+                                  registry explicitly provides information about\nthe
+                                  network to which the endpoint belongs to. In some
+                                  cases, its\npossible to indicate the network associated
+                                  with the endpoint by\nadding the `ISTIO_META_NETWORK`
+                                  environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta.
+                                  By matching the registry name with one of the \"fromRegistry\"\n\tin
+                                  the mesh config. A \"fromRegistry\" can only be
+                                  assigned to a\n\tsingle network.\n\n\tb. By matching
+                                  the IP against one of the CIDR ranges in a mesh\n\tconfig
+                                  network. The CIDR ranges must not overlap and be
+                                  assigned to\n\ta single network.\n\n(2) will override
+                                  (1) if both are present."
+                                properties:
+                                  fromCidr:
+                                    description: |-
+                                      A CIDR range for the set of endpoints in this network. The CIDR
+                                      ranges for endpoints from different networks must not overlap.
+                                    type: string
+                                  fromRegistry:
+                                    description: |-
+                                      Add all endpoints from the specified registry into this network.
+                                      The names of the registries should correspond to the kubeconfig file name
+                                      inside the secret that was used to configure the registry (Kubernetes
+                                      multicluster) or supplied by MCP server.
+                                    type: string
+                                type: object
+                                x-kubernetes-validations:
+                                - message: At most one of [fromCidr fromRegistry]
+                                    should be set
+                                  rule: (has(self.fromCidr)?1:0) + (has(self.fromRegistry)?1:0)
+                                    <= 1
+                              type: array
+                            gateways:
+                              description: Set of gateways associated with the network.
+                              items:
+                                description: |-
+                                  The gateway associated with this network. Traffic from remote networks
+                                  will arrive at the specified gateway:port. All incoming traffic must
+                                  use mTLS.
+                                properties:
+                                  address:
+                                    description: IP address or externally resolvable
+                                      DNS address associated with the gateway.
+                                    type: string
+                                  locality:
+                                    description: The locality associated with an explicitly
+                                      specified gateway (i.e. ip)
+                                    type: string
+                                  port:
+                                    format: int32
+                                    type: integer
+                                  registryServiceName:
+                                    description: |-
+                                      A fully qualified domain name of the gateway service.  istiod will
+                                      lookup the service from the service registries in the network and
+                                      obtain the endpoint IPs of the gateway from the service
+                                      registry. Note that while the service name is a fully qualified
+                                      domain name, it need not be resolvable outside the orchestration
+                                      platform for the registry. e.g., this could be
+                                      istio-ingressgateway.istio-system.svc.cluster.local.
+                                    type: string
+                                type: object
+                                x-kubernetes-validations:
+                                - message: At most one of [registryServiceName address]
+                                    should be set
+                                  rule: (has(self.registryServiceName)?1:0) + (has(self.address)?1:0)
+                                    <= 1
+                              type: array
+                          type: object
+                        description: "Configure the mesh networks to be used by the
+                          Split Horizon EDS.\n\nThe following example defines two
+                          networks with different endpoints association methods.\nFor
+                          `network1` all endpoints that their IP belongs to the provided
+                          CIDR range will be\nmapped to network1. The gateway for
+                          this network example is specified by its public IP\naddress
+                          and port.\nThe second network, `network2`, in this example
+                          is defined differently with all endpoints\nretrieved through
+                          the specified Multi-Cluster registry being mapped to network2.
+                          The\ngateway is also defined differently with the name of
+                          the gateway service on the remote\ncluster. The public IP
+                          for the gateway will be determined from that remote service
+                          (only\nLoadBalancer gateway service type is currently supported,
+                          for a NodePort type gateway service,\nit still need to be
+                          configured manually).\n\nmeshNetworks:\n\n\tnetwork1:\n\t
+                          \ endpoints:\n\t  - fromCidr: \"192.168.0.1/24\"\n\t  gateways:\n\t
+                          \ - address: 1.1.1.1\n\t    port: 80\n\tnetwork2:\n\t  endpoints:\n\t
+                          \ - fromRegistry: reg1\n\t  gateways:\n\t  - registryServiceName:
+                          istio-ingressgateway.istio-system.svc.cluster.local\n\t
+                          \   port: 443"
+                        type: object
+                      mountMtlsCerts:
+                        description: Controls whether the in-cluster MTLS key and
+                          certs are loaded from the secret volume mounts.
+                        type: boolean
+                      multiCluster:
+                        description: Specifies the Configuration for Istio mesh across
+                          multiple clusters through Istio gateways.
+                        properties:
+                          clusterName:
+                            description: |-
+                              The name of the cluster this installation will run in. This is required for sidecar injection
+                              to properly label proxies
+                            type: string
+                          enabled:
+                            description: |-
+                              Enables the connection between two kubernetes clusters via their respective ingressgateway services.
+                              Use if the pods in each cluster cannot directly talk to one another.
+                            type: boolean
+                          globalDomainSuffix:
+                            description: The suffix for global service names.
+                            type: string
+                          includeEnvoyFilter:
+                            description: Enable envoy filter to translate `globalDomainSuffix`
+                              to cluster local suffix for cross cluster communication.
+                            type: boolean
+                        type: object
+                      nativeNftables:
+                        description: Specifies whether native nftables rules should
+                          be used instead of iptables rules for traffic redirection.
+                        type: boolean
+                      network:
+                        description: |-
+                          Network defines the network this cluster belong to. This name
+                          corresponds to the networks in the map of mesh networks.
+                        type: string
+                      networkPolicy:
+                        description: Settings related to Kubernetes NetworkPolicy.
+                        properties:
+                          enabled:
+                            description: Controls whether default NetworkPolicy resources
+                              will be created.
+                            type: boolean
+                        type: object
+                      omitSidecarInjectorConfigMap:
+                        description: |-
+                          Controls whether the creation of the sidecar injector ConfigMap should be skipped.
+                          Defaults to false. When set to true, the sidecar injector ConfigMap will not be created.
+                        type: boolean
+                      operatorManageWebhooks:
+                        description: |-
+                          Controls whether the WebhookConfiguration resource(s) should be created. The current behavior
+                          of Istiod is to manage its own webhook configurations.
+                          When this option is set to true, Istio Operator, instead of webhooks, manages the
+                          webhook configurations. When this option is set as false, webhooks manage their
+                          own webhook configurations.
+                        type: boolean
+                      pilotCertProvider:
+                        description: |-
+                          Configure the Pilot certificate provider.
+                          Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none".
+                        type: string
+                      platform:
+                        description: |-
+                          Platform in which Istio is deployed. Possible values are: "openshift" and "gcp"
+                          An empty value means it is a vanilla Kubernetes distribution, therefore no special
+                          treatment will be considered.
+                        type: string
+                      podDNSSearchNamespaces:
+                        description: |-
+                          Custom DNS config for the pod to resolve names of services in other
+                          clusters. Use this to add additional search domains, and other settings.
+                          see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+                          This does not apply to gateway pods as they typically need a different
+                          set of DNS settings than the normal application pods (e.g. in multicluster scenarios).
+                        items:
+                          type: string
+                        type: array
+                      priorityClassName:
+                        description: |-
+                          Specifies the k8s priorityClassName for the istio control plane components.
+
+                          See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: string
+                      proxy:
+                        description: Specifies how proxies are configured within Istio.
+                        properties:
+                          autoInject:
+                            description: Controls the 'policy' in the sidecar injector.
+                            type: string
+                          clusterDomain:
+                            description: |-
+                              Domain for the cluster, default: "cluster.local".
+
+                              K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/
+                            type: string
+                          componentLogLevel:
+                            description: |-
+                              Per Component log level for proxy, applies to gateways and sidecars.
+
+                              If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
+                            type: string
+                          enableCoreDump:
+                            description: |-
+                              Enables core dumps for newly injected sidecars.
+
+                              If set, newly injected sidecars will have core dumps enabled.
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            type: boolean
+                          excludeIPRanges:
+                            description: Lists the excluded IP ranges of Istio egress
+                              traffic that the sidecar captures.
+                            type: string
+                          excludeInboundPorts:
+                            description: Specifies the Istio ingress ports not to
+                              capture.
+                            type: string
+                          excludeOutboundPorts:
+                            description: A comma separated list of outbound ports
+                              to be excluded from redirection to Envoy.
+                            type: string
+                          holdApplicationUntilProxyStarts:
+                            description: |-
+                              Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
+
+                              Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior.
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            type: boolean
+                          image:
+                            description: |-
+                              Image name or path for the proxy, default: "proxyv2".
+
+                              If registry or tag are not specified, global.hub and global.tag are used.
+
+                              Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0
+                            type: string
+                          includeIPRanges:
+                            description: |-
+                              Lists the IP ranges of Istio egress traffic that the sidecar captures.
+
+                              Example: "172.30.0.0/16,172.20.0.0/16"
+                              This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar."
+                            type: string
+                          includeInboundPorts:
+                            description: |-
+                              A comma separated list of inbound ports for which traffic is to be redirected to Envoy.
+                              The wildcard character '*' can be used to configure redirection for all ports.
+                            type: string
+                          includeOutboundPorts:
+                            description: A comma separated list of outbound ports
+                              for which traffic is to be redirected to Envoy, regardless
+                              of the destination IP.
+                            type: string
+                          lifecycle:
+                            description: |-
+                              The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container.
+                              More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+                            properties:
+                              postStart:
+                                description: |-
+                                  PostStart is called immediately after a container is created. If the handler fails,
+                                  the container is terminated and restarted according to its restart policy.
+                                  Other management of the container blocks until the hook completes.
+                                  More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+                                properties:
+                                  exec:
+                                    description: Exec specifies a command to execute
+                                      in the container.
+                                    properties:
+                                      command:
+                                        description: |-
+                                          Command is the command line to execute inside the container, the working directory for the
+                                          command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+                                          not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+                                          a shell, you need to explicitly call out to that shell.
+                                          Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    type: object
+                                  httpGet:
+                                    description: HTTPGet specifies an HTTP GET request
+                                      to perform.
+                                    properties:
+                                      host:
+                                        description: |-
+                                          Host name to connect to, defaults to the pod IP. You probably want to set
+                                          "Host" in httpHeaders instead.
+                                        type: string
+                                      httpHeaders:
+                                        description: Custom headers to set in the
+                                          request. HTTP allows repeated headers.
+                                        items:
+                                          description: HTTPHeader describes a custom
+                                            header to be used in HTTP probes
+                                          properties:
+                                            name:
+                                              description: |-
+                                                The header field name.
+                                                This will be canonicalized upon output, so case-variant names will be understood as the same header.
+                                              type: string
+                                            value:
+                                              description: The header field value
+                                              type: string
+                                          required:
+                                          - name
+                                          - value
+                                          type: object
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      path:
+                                        description: Path to access on the HTTP server.
+                                        type: string
+                                      port:
+                                        anyOf:
+                                        - type: integer
+                                        - type: string
+                                        description: |-
+                                          Name or number of the port to access on the container.
+                                          Number must be in the range 1 to 65535.
+                                          Name must be an IANA_SVC_NAME.
+                                        x-kubernetes-int-or-string: true
+                                      scheme:
+                                        description: |-
+                                          Scheme to use for connecting to the host.
+                                          Defaults to HTTP.
+                                        type: string
+                                    required:
+                                    - port
+                                    type: object
+                                  sleep:
+                                    description: Sleep represents a duration that
+                                      the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds
+                                          to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                    - seconds
+                                    type: object
+                                  tcpSocket:
+                                    description: |-
+                                      Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
+                                    properties:
+                                      host:
+                                        description: 'Optional: Host name to connect
+                                          to, defaults to the pod IP.'
+                                        type: string
+                                      port:
+                                        anyOf:
+                                        - type: integer
+                                        - type: string
+                                        description: |-
+                                          Number or name of the port to access on the container.
+                                          Number must be in the range 1 to 65535.
+                                          Name must be an IANA_SVC_NAME.
+                                        x-kubernetes-int-or-string: true
+                                    required:
+                                    - port
+                                    type: object
+                                type: object
+                              preStop:
+                                description: |-
+                                  PreStop is called immediately before a container is terminated due to an
+                                  API request or management event such as liveness/startup probe failure,
+                                  preemption, resource contention, etc. The handler is not called if the
+                                  container crashes or exits. The Pod's termination grace period countdown begins before the
+                                  PreStop hook is executed. Regardless of the outcome of the handler, the
+                                  container will eventually terminate within the Pod's termination grace
+                                  period (unless delayed by finalizers). Other management of the container blocks until the hook completes
+                                  or until the termination grace period is reached.
+                                  More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+                                properties:
+                                  exec:
+                                    description: Exec specifies a command to execute
+                                      in the container.
+                                    properties:
+                                      command:
+                                        description: |-
+                                          Command is the command line to execute inside the container, the working directory for the
+                                          command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+                                          not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+                                          a shell, you need to explicitly call out to that shell.
+                                          Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    type: object
+                                  httpGet:
+                                    description: HTTPGet specifies an HTTP GET request
+                                      to perform.
+                                    properties:
+                                      host:
+                                        description: |-
+                                          Host name to connect to, defaults to the pod IP. You probably want to set
+                                          "Host" in httpHeaders instead.
+                                        type: string
+                                      httpHeaders:
+                                        description: Custom headers to set in the
+                                          request. HTTP allows repeated headers.
+                                        items:
+                                          description: HTTPHeader describes a custom
+                                            header to be used in HTTP probes
+                                          properties:
+                                            name:
+                                              description: |-
+                                                The header field name.
+                                                This will be canonicalized upon output, so case-variant names will be understood as the same header.
+                                              type: string
+                                            value:
+                                              description: The header field value
+                                              type: string
+                                          required:
+                                          - name
+                                          - value
+                                          type: object
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      path:
+                                        description: Path to access on the HTTP server.
+                                        type: string
+                                      port:
+                                        anyOf:
+                                        - type: integer
+                                        - type: string
+                                        description: |-
+                                          Name or number of the port to access on the container.
+                                          Number must be in the range 1 to 65535.
+                                          Name must be an IANA_SVC_NAME.
+                                        x-kubernetes-int-or-string: true
+                                      scheme:
+                                        description: |-
+                                          Scheme to use for connecting to the host.
+                                          Defaults to HTTP.
+                                        type: string
+                                    required:
+                                    - port
+                                    type: object
+                                  sleep:
+                                    description: Sleep represents a duration that
+                                      the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds
+                                          to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                    - seconds
+                                    type: object
+                                  tcpSocket:
+                                    description: |-
+                                      Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
+                                    properties:
+                                      host:
+                                        description: 'Optional: Host name to connect
+                                          to, defaults to the pod IP.'
+                                        type: string
+                                      port:
+                                        anyOf:
+                                        - type: integer
+                                        - type: string
+                                        description: |-
+                                          Number or name of the port to access on the container.
+                                          Number must be in the range 1 to 65535.
+                                          Name must be an IANA_SVC_NAME.
+                                        x-kubernetes-int-or-string: true
+                                    required:
+                                    - port
+                                    type: object
+                                type: object
+                              stopSignal:
+                                description: |-
+                                  StopSignal defines which signal will be sent to a container when it is being stopped.
+                                  If not specified, the default is defined by the container runtime in use.
+                                  StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                type: string
+                            type: object
+                          logLevel:
+                            description: 'Log level for proxy, applies to gateways
+                              and sidecars. If left empty, "warning" is used. Expected
+                              values are: trace\|debug\|info\|warning\|error\|critical\|off'
+                            type: string
+                          outlierLogPath:
+                            description: |-
+                              Path to the file to which the proxy will write outlier detection logs.
+
+                              Example: "/dev/stdout"
+                              This would write the logs to standard output.
+                            type: string
+                          privileged:
+                            description: |-
+                              Enables privileged securityContext for the istio-proxy container.
+
+                              See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+                            type: boolean
+                          readinessFailureThreshold:
+                            description: Sets the number of successive failed probes
+                              before indicating readiness failure.
+                            format: int32
+                            type: integer
+                          readinessInitialDelaySeconds:
+                            description: Sets the initial delay for readiness probes
+                              in seconds.
+                            format: int32
+                            type: integer
+                          readinessPeriodSeconds:
+                            description: Sets the interval between readiness probes
+                              in seconds.
+                            format: int32
+                            type: integer
+                          resources:
+                            description: |-
+                              K8s resources settings.
+
+                              See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            properties:
+                              claims:
+                                description: |-
+                                  Claims lists the names of resources, defined in spec.resourceClaims,
+                                  that are used by this container.
+
+                                  This field depends on the
+                                  DynamicResourceAllocation feature gate.
+
+                                  This field is immutable. It can only be set for containers.
+                                items:
+                                  description: ResourceClaim references one entry
+                                    in PodSpec.ResourceClaims.
+                                  properties:
+                                    name:
+                                      description: |-
+                                        Name must match the name of one entry in pod.spec.resourceClaims of
+                                        the Pod where this field is used. It makes that resource available
+                                        inside a container.
+                                      type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                                x-kubernetes-list-map-keys:
+                                - name
+                                x-kubernetes-list-type: map
+                              limits:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Limits describes the maximum amount of compute resources allowed.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                              requests:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Requests describes the minimum amount of compute resources required.
+                                  If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                  otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                            type: object
+                          seccompProfile:
+                            description: |-
+                              Configures the seccomp profile for the istio-validation and istio-proxy containers.
+
+                              See: https://kubernetes.io/docs/tutorials/security/seccomp/
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile defined in a file on the node should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must be a descending path, relative to the kubelet's configured seccomp profile location.
+                                  Must be set if type is "Localhost". Must NOT be set for any other type.
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of seccomp profile will be applied.
+                                  Valid options are:
+
+                                  Localhost - a profile defined in a file on the node should be used.
+                                  RuntimeDefault - the container runtime default profile should be used.
+                                  Unconfined - no profile should be applied.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          startupProbe:
+                            description: Configures the startup probe for the istio-proxy
+                              container.
+                            properties:
+                              enabled:
+                                description: |-
+                                  Enables or disables a startup probe.
+                                  For optimal startup times, changing this should be tied to the readiness probe values.
+
+                                  If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+                                  This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+                                  and doesn't spam the readiness endpoint too much
+
+                                  If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+                                  This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+                                type: boolean
+                              failureThreshold:
+                                description: Minimum consecutive failures for the
+                                  probe to be considered failed after having succeeded.
+                                format: int32
+                                type: integer
+                            type: object
+                          statusPort:
+                            description: Default port used for the Pilot agent's health
+                              checks.
+                            format: int32
+                            type: integer
+                          tracer:
+                            description: |-
+                              Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+                              If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+                            enum:
+                            - zipkin
+                            - lightstep
+                            - datadog
+                            - stackdriver
+                            - openCensusAgent
+                            - none
+                            type: string
+                        type: object
+                      proxy_init:
+                        description: Specifies the Configuration for proxy_init container
+                          which sets the pods' networking to intercept the inbound/outbound
+                          traffic.
+                        properties:
+                          image:
+                            description: Specifies the image for the proxy_init container.
+                            type: string
+                          resources:
+                            description: |-
+                              K8s resources settings.
+
+                              See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            properties:
+                              claims:
+                                description: |-
+                                  Claims lists the names of resources, defined in spec.resourceClaims,
+                                  that are used by this container.
+
+                                  This field depends on the
+                                  DynamicResourceAllocation feature gate.
+
+                                  This field is immutable. It can only be set for containers.
+                                items:
+                                  description: ResourceClaim references one entry
+                                    in PodSpec.ResourceClaims.
+                                  properties:
+                                    name:
+                                      description: |-
+                                        Name must match the name of one entry in pod.spec.resourceClaims of
+                                        the Pod where this field is used. It makes that resource available
+                                        inside a container.
+                                      type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                                x-kubernetes-list-map-keys:
+                                - name
+                                x-kubernetes-list-type: map
+                              limits:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Limits describes the maximum amount of compute resources allowed.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                              requests:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Requests describes the minimum amount of compute resources required.
+                                  If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                  otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                            type: object
+                        type: object
+                      remotePilotAddress:
+                        description: Specifies the Istio control plane’s pilot Pod
+                          IP address or remote cluster DNS resolvable hostname.
+                        type: string
+                      resourceScope:
+                        description: |-
+                          Specifies resource scope for discovery selectors.
+                          This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+                        enum:
+                        - undefined
+                        - all
+                        - cluster
+                        - namespace
+                        type: string
+                      revision:
+                        description: Configures the revision this control plane is
+                          a part of
+                        type: string
+                      sds:
+                        description: Specifies the Configuration for the SecretDiscoveryService
+                          instead of using K8S secrets to mount the certificates.
+                        properties:
+                          token:
+                            description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.'
+                            properties:
+                              aud:
+                                type: string
+                            type: object
+                        type: object
+                      sts:
+                        description: Specifies the configuration for Security Token
+                          Service.
+                        properties:
+                          servicePort:
+                            format: int32
+                            type: integer
+                        type: object
+                      tag:
+                        description: Specifies the tag for the Istio docker images.
+                        type: string
+                      tracer:
+                        description: Specifies the Configuration for each of the supported
+                          tracers.
+                        properties:
+                          datadog:
+                            description: Configuration for the datadog tracing service.
+                            properties:
+                              address:
+                                description: Address in host:port format for reporting
+                                  trace data to the Datadog agent.
+                                type: string
+                            type: object
+                          lightstep:
+                            description: Configuration for the lightstep tracing service.
+                            properties:
+                              accessToken:
+                                description: Sets the lightstep access token.
+                                type: string
+                              address:
+                                description: Sets the lightstep satellite pool address
+                                  in host:port format for reporting trace data.
+                                type: string
+                            type: object
+                          stackdriver:
+                            description: Configuration for the stackdriver tracing
+                              service.
+                            properties:
+                              debug:
+                                description: enables trace output to stdout.
+                                type: boolean
+                              maxNumberOfAnnotations:
+                                description: The global default max number of annotation
+                                  events per span.
+                                format: int32
+                                type: integer
+                              maxNumberOfAttributes:
+                                description: The global default max number of attributes
+                                  per span.
+                                format: int32
+                                type: integer
+                              maxNumberOfMessageEvents:
+                                description: The global default max number of message
+                                  events per span.
+                                format: int32
+                                type: integer
+                            type: object
+                          zipkin:
+                            description: Configuration for the zipkin tracing service.
+                            properties:
+                              address:
+                                description: |-
+                                  Address of zipkin instance in host:port format for reporting trace data.
+
+                                  Example: <zipkin-collector-service>.<zipkin-collector-namespace>:941
+                                type: string
+                            type: object
+                        type: object
+                      trustBundleName:
+                        description: Select a custom name for istiod's CA Root Cert
+                          ConfigMap.
+                        type: string
+                      variant:
+                        description: The variant of the Istio container images to
+                          use. Options are "debug" or "distroless". Unset will use
+                          the default for the given version.
+                        type: string
+                      waypoint:
+                        description: Specifies how waypoints are configured within
+                          Istio.
+                        properties:
+                          affinity:
+                            description: |-
+                              K8s affinity settings for waypoint pods.
+
+                              See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+                            properties:
+                              nodeAffinity:
+                                description: Describes node affinity scheduling rules
+                                  for the pod.
+                                properties:
+                                  preferredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      The scheduler will prefer to schedule pods to nodes that satisfy
+                                      the affinity expressions specified by this field, but it may choose
+                                      a node that violates one or more of the expressions. The node that is
+                                      most preferred is the one with the greatest sum of weights, i.e.
+                                      for each node that meets all of the scheduling requirements (resource
+                                      request, requiredDuringScheduling affinity expressions, etc.),
+                                      compute a sum by iterating through the elements of this field and adding
+                                      "weight" to the sum if the node matches the corresponding matchExpressions; the
+                                      node(s) with the highest sum are the most preferred.
+                                    items:
+                                      description: |-
+                                        An empty preferred scheduling term matches all objects with implicit weight 0
+                                        (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+                                      properties:
+                                        preference:
+                                          description: A node selector term, associated
+                                            with the corresponding weight.
+                                          properties:
+                                            matchExpressions:
+                                              description: A list of node selector
+                                                requirements by node's labels.
+                                              items:
+                                                description: |-
+                                                  A node selector requirement is a selector that contains values, a key, and an operator
+                                                  that relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: The label key that
+                                                      the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      Represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      An array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. If the operator is Gt or Lt, the values
+                                                      array must have a single element, which will be interpreted as an integer.
+                                                      This array is replaced during a strategic merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchFields:
+                                              description: A list of node selector
+                                                requirements by node's fields.
+                                              items:
+                                                description: |-
+                                                  A node selector requirement is a selector that contains values, a key, and an operator
+                                                  that relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: The label key that
+                                                      the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      Represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      An array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. If the operator is Gt or Lt, the values
+                                                      array must have a single element, which will be interpreted as an integer.
+                                                      This array is replaced during a strategic merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        weight:
+                                          description: Weight associated with matching
+                                            the corresponding nodeSelectorTerm, in
+                                            the range 1-100.
+                                          format: int32
+                                          type: integer
+                                      required:
+                                      - preference
+                                      - weight
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  requiredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      If the affinity requirements specified by this field are not met at
+                                      scheduling time, the pod will not be scheduled onto the node.
+                                      If the affinity requirements specified by this field cease to be met
+                                      at some point during pod execution (e.g. due to an update), the system
+                                      may or may not try to eventually evict the pod from its node.
+                                    properties:
+                                      nodeSelectorTerms:
+                                        description: Required. A list of node selector
+                                          terms. The terms are ORed.
+                                        items:
+                                          description: |-
+                                            A null or empty node selector term matches no objects. The requirements of
+                                            them are ANDed.
+                                            The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                          properties:
+                                            matchExpressions:
+                                              description: A list of node selector
+                                                requirements by node's labels.
+                                              items:
+                                                description: |-
+                                                  A node selector requirement is a selector that contains values, a key, and an operator
+                                                  that relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: The label key that
+                                                      the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      Represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      An array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. If the operator is Gt or Lt, the values
+                                                      array must have a single element, which will be interpreted as an integer.
+                                                      This array is replaced during a strategic merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchFields:
+                                              description: A list of node selector
+                                                requirements by node's fields.
+                                              items:
+                                                description: |-
+                                                  A node selector requirement is a selector that contains values, a key, and an operator
+                                                  that relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: The label key that
+                                                      the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      Represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      An array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. If the operator is Gt or Lt, the values
+                                                      array must have a single element, which will be interpreted as an integer.
+                                                      This array is replaced during a strategic merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    required:
+                                    - nodeSelectorTerms
+                                    type: object
+                                    x-kubernetes-map-type: atomic
+                                type: object
+                              podAffinity:
+                                description: Describes pod affinity scheduling rules
+                                  (e.g. co-locate this pod in the same node, zone,
+                                  etc. as some other pod(s)).
+                                properties:
+                                  preferredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      The scheduler will prefer to schedule pods to nodes that satisfy
+                                      the affinity expressions specified by this field, but it may choose
+                                      a node that violates one or more of the expressions. The node that is
+                                      most preferred is the one with the greatest sum of weights, i.e.
+                                      for each node that meets all of the scheduling requirements (resource
+                                      request, requiredDuringScheduling affinity expressions, etc.),
+                                      compute a sum by iterating through the elements of this field and adding
+                                      "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                      node(s) with the highest sum are the most preferred.
+                                    items:
+                                      description: The weights of all of the matched
+                                        WeightedPodAffinityTerm fields are added per-node
+                                        to find the most preferred node(s)
+                                      properties:
+                                        podAffinityTerm:
+                                          description: Required. A pod affinity term,
+                                            associated with the corresponding weight.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                A label query over a set of resources, in this case pods.
+                                                If it's null, this PodAffinityTerm matches with no Pods.
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is
+                                                    a list of label selector requirements.
+                                                    The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label
+                                                          key that the selector applies
+                                                          to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                    - key
+                                                    - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            matchLabelKeys:
+                                              description: |-
+                                                MatchLabelKeys is a set of pod label keys to select which pods will
+                                                be taken into consideration. The keys are used to lookup values from the
+                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                                to select the group of existing pods which pods will be taken into consideration
+                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                                pod labels will be ignored. The default value is empty.
+                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            mismatchLabelKeys:
+                                              description: |-
+                                                MismatchLabelKeys is a set of pod label keys to select which pods will
+                                                be taken into consideration. The keys are used to lookup values from the
+                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                                to select the group of existing pods which pods will be taken into consideration
+                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                                pod labels will be ignored. The default value is empty.
+                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            namespaceSelector:
+                                              description: |-
+                                                A label query over the set of namespaces that the term applies to.
+                                                The term is applied to the union of the namespaces selected by this field
+                                                and the ones listed in the namespaces field.
+                                                null selector and null or empty namespaces list means "this pod's namespace".
+                                                An empty selector ({}) matches all namespaces.
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is
+                                                    a list of label selector requirements.
+                                                    The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label
+                                                          key that the selector applies
+                                                          to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                    - key
+                                                    - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            namespaces:
+                                              description: |-
+                                                namespaces specifies a static list of namespace names that the term applies to.
+                                                The term is applied to the union of the namespaces listed in this field
+                                                and the ones selected by namespaceSelector.
+                                                null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            topologyKey:
+                                              description: |-
+                                                This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                                the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                                whose value of the label with key topologyKey matches that of any node on which any of the
+                                                selected pods is running.
+                                                Empty topologyKey is not allowed.
+                                              type: string
+                                          required:
+                                          - topologyKey
+                                          type: object
+                                        weight:
+                                          description: |-
+                                            weight associated with matching the corresponding podAffinityTerm,
+                                            in the range 1-100.
+                                          format: int32
+                                          type: integer
+                                      required:
+                                      - podAffinityTerm
+                                      - weight
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  requiredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      If the affinity requirements specified by this field are not met at
+                                      scheduling time, the pod will not be scheduled onto the node.
+                                      If the affinity requirements specified by this field cease to be met
+                                      at some point during pod execution (e.g. due to a pod label update), the
+                                      system may or may not try to eventually evict the pod from its node.
+                                      When there are multiple elements, the lists of nodes corresponding to each
+                                      podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                    items:
+                                      description: |-
+                                        Defines a set of pods (namely those matching the labelSelector
+                                        relative to the given namespace(s)) that this pod should be
+                                        co-located (affinity) or not co-located (anti-affinity) with,
+                                        where co-located is defined as running on a node whose value of
+                                        the label with key <topologyKey> matches that of any node on which
+                                        a pod of the set of pods is running
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                type: object
+                              podAntiAffinity:
+                                description: Describes pod anti-affinity scheduling
+                                  rules (e.g. avoid putting this pod in the same node,
+                                  zone, etc. as some other pod(s)).
+                                properties:
+                                  preferredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      The scheduler will prefer to schedule pods to nodes that satisfy
+                                      the anti-affinity expressions specified by this field, but it may choose
+                                      a node that violates one or more of the expressions. The node that is
+                                      most preferred is the one with the greatest sum of weights, i.e.
+                                      for each node that meets all of the scheduling requirements (resource
+                                      request, requiredDuringScheduling anti-affinity expressions, etc.),
+                                      compute a sum by iterating through the elements of this field and subtracting
+                                      "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                      node(s) with the highest sum are the most preferred.
+                                    items:
+                                      description: The weights of all of the matched
+                                        WeightedPodAffinityTerm fields are added per-node
+                                        to find the most preferred node(s)
+                                      properties:
+                                        podAffinityTerm:
+                                          description: Required. A pod affinity term,
+                                            associated with the corresponding weight.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                A label query over a set of resources, in this case pods.
+                                                If it's null, this PodAffinityTerm matches with no Pods.
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is
+                                                    a list of label selector requirements.
+                                                    The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label
+                                                          key that the selector applies
+                                                          to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                    - key
+                                                    - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            matchLabelKeys:
+                                              description: |-
+                                                MatchLabelKeys is a set of pod label keys to select which pods will
+                                                be taken into consideration. The keys are used to lookup values from the
+                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                                to select the group of existing pods which pods will be taken into consideration
+                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                                pod labels will be ignored. The default value is empty.
+                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            mismatchLabelKeys:
+                                              description: |-
+                                                MismatchLabelKeys is a set of pod label keys to select which pods will
+                                                be taken into consideration. The keys are used to lookup values from the
+                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                                to select the group of existing pods which pods will be taken into consideration
+                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                                pod labels will be ignored. The default value is empty.
+                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            namespaceSelector:
+                                              description: |-
+                                                A label query over the set of namespaces that the term applies to.
+                                                The term is applied to the union of the namespaces selected by this field
+                                                and the ones listed in the namespaces field.
+                                                null selector and null or empty namespaces list means "this pod's namespace".
+                                                An empty selector ({}) matches all namespaces.
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is
+                                                    a list of label selector requirements.
+                                                    The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label
+                                                          key that the selector applies
+                                                          to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                    - key
+                                                    - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            namespaces:
+                                              description: |-
+                                                namespaces specifies a static list of namespace names that the term applies to.
+                                                The term is applied to the union of the namespaces listed in this field
+                                                and the ones selected by namespaceSelector.
+                                                null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            topologyKey:
+                                              description: |-
+                                                This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                                the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                                whose value of the label with key topologyKey matches that of any node on which any of the
+                                                selected pods is running.
+                                                Empty topologyKey is not allowed.
+                                              type: string
+                                          required:
+                                          - topologyKey
+                                          type: object
+                                        weight:
+                                          description: |-
+                                            weight associated with matching the corresponding podAffinityTerm,
+                                            in the range 1-100.
+                                          format: int32
+                                          type: integer
+                                      required:
+                                      - podAffinityTerm
+                                      - weight
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  requiredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      If the anti-affinity requirements specified by this field are not met at
+                                      scheduling time, the pod will not be scheduled onto the node.
+                                      If the anti-affinity requirements specified by this field cease to be met
+                                      at some point during pod execution (e.g. due to a pod label update), the
+                                      system may or may not try to eventually evict the pod from its node.
+                                      When there are multiple elements, the lists of nodes corresponding to each
+                                      podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                    items:
+                                      description: |-
+                                        Defines a set of pods (namely those matching the labelSelector
+                                        relative to the given namespace(s)) that this pod should be
+                                        co-located (affinity) or not co-located (anti-affinity) with,
+                                        where co-located is defined as running on a node whose value of
+                                        the label with key <topologyKey> matches that of any node on which
+                                        a pod of the set of pods is running
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                type: object
+                            type: object
+                          nodeSelector:
+                            description: |-
+                              K8s node labels settings.
+
+                              See https://kubernetes.io/docs/user-guide/node-selection/
+                            properties:
+                              nodeSelectorTerms:
+                                description: Required. A list of node selector terms.
+                                  The terms are ORed.
+                                items:
+                                  description: |-
+                                    A null or empty node selector term matches no objects. The requirements of
+                                    them are ANDed.
+                                    The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                  properties:
+                                    matchExpressions:
+                                      description: A list of node selector requirements
+                                        by node's labels.
+                                      items:
+                                        description: |-
+                                          A node selector requirement is a selector that contains values, a key, and an operator
+                                          that relates the key and values.
+                                        properties:
+                                          key:
+                                            description: The label key that the selector
+                                              applies to.
+                                            type: string
+                                          operator:
+                                            description: |-
+                                              Represents a key's relationship to a set of values.
+                                              Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                            type: string
+                                          values:
+                                            description: |-
+                                              An array of string values. If the operator is In or NotIn,
+                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                              the values array must be empty. If the operator is Gt or Lt, the values
+                                              array must have a single element, which will be interpreted as an integer.
+                                              This array is replaced during a strategic merge patch.
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        required:
+                                        - key
+                                        - operator
+                                        type: object
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    matchFields:
+                                      description: A list of node selector requirements
+                                        by node's fields.
+                                      items:
+                                        description: |-
+                                          A node selector requirement is a selector that contains values, a key, and an operator
+                                          that relates the key and values.
+                                        properties:
+                                          key:
+                                            description: The label key that the selector
+                                              applies to.
+                                            type: string
+                                          operator:
+                                            description: |-
+                                              Represents a key's relationship to a set of values.
+                                              Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                            type: string
+                                          values:
+                                            description: |-
+                                              An array of string values. If the operator is In or NotIn,
+                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                              the values array must be empty. If the operator is Gt or Lt, the values
+                                              array must have a single element, which will be interpreted as an integer.
+                                              This array is replaced during a strategic merge patch.
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        required:
+                                        - key
+                                        - operator
+                                        type: object
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - nodeSelectorTerms
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          resources:
+                            description: |-
+                              K8s resource settings.
+
+                              See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+                            properties:
+                              claims:
+                                description: |-
+                                  Claims lists the names of resources, defined in spec.resourceClaims,
+                                  that are used by this container.
+
+                                  This field depends on the
+                                  DynamicResourceAllocation feature gate.
+
+                                  This field is immutable. It can only be set for containers.
+                                items:
+                                  description: ResourceClaim references one entry
+                                    in PodSpec.ResourceClaims.
+                                  properties:
+                                    name:
+                                      description: |-
+                                        Name must match the name of one entry in pod.spec.resourceClaims of
+                                        the Pod where this field is used. It makes that resource available
+                                        inside a container.
+                                      type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                                x-kubernetes-list-map-keys:
+                                - name
+                                x-kubernetes-list-type: map
+                              limits:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Limits describes the maximum amount of compute resources allowed.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                              requests:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Requests describes the minimum amount of compute resources required.
+                                  If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                  otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                            type: object
+                          toleration:
+                            description: |-
+                              K8s tolerations settings.
+
+                              See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+                            items:
+                              description: |-
+                                The pod this Toleration is attached to tolerates any taint that matches
+                                the triple <key,value,effect> using the matching operator <operator>.
+                              properties:
+                                effect:
+                                  description: |-
+                                    Effect indicates the taint effect to match. Empty means match all taint effects.
+                                    When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: |-
+                                    Key is the taint key that the toleration applies to. Empty means match all taint keys.
+                                    If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                                  type: string
+                                operator:
+                                  description: |-
+                                    Operator represents a key's relationship to the value.
+                                    Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+                                    Exists is equivalent to wildcard for value, so that a pod can
+                                    tolerate all taints of a particular category.
+                                    Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+                                  type: string
+                                tolerationSeconds:
+                                  description: |-
+                                    TolerationSeconds represents the period of time the toleration (which must be
+                                    of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+                                    it is not set, which means tolerate the taint forever (do not evict). Zero and
+                                    negative values will be treated as 0 (evict immediately) by the system.
+                                  format: int64
+                                  type: integer
+                                value:
+                                  description: |-
+                                    Value is the taint value the toleration matches to.
+                                    If the operator is Exists, the value should be empty, otherwise just a regular string.
+                                  type: string
+                              type: object
+                            type: array
+                          topologySpreadConstraints:
+                            description: |-
+                              K8s topology spread constraints settings.
+
+                              See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+                            items:
+                              description: TopologySpreadConstraint specifies how
+                                to spread matching pods among the given topology.
+                              properties:
+                                labelSelector:
+                                  description: |-
+                                    LabelSelector is used to find matching pods.
+                                    Pods that match this label selector are counted to determine the number of pods
+                                    in their corresponding topology domain.
+                                  properties:
+                                    matchExpressions:
+                                      description: matchExpressions is a list of label
+                                        selector requirements. The requirements are
+                                        ANDed.
+                                      items:
+                                        description: |-
+                                          A label selector requirement is a selector that contains values, a key, and an operator that
+                                          relates the key and values.
+                                        properties:
+                                          key:
+                                            description: key is the label key that
+                                              the selector applies to.
+                                            type: string
+                                          operator:
+                                            description: |-
+                                              operator represents a key's relationship to a set of values.
+                                              Valid operators are In, NotIn, Exists and DoesNotExist.
+                                            type: string
+                                          values:
+                                            description: |-
+                                              values is an array of string values. If the operator is In or NotIn,
+                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                              the values array must be empty. This array is replaced during a strategic
+                                              merge patch.
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        required:
+                                        - key
+                                        - operator
+                                        type: object
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    matchLabels:
+                                      additionalProperties:
+                                        type: string
+                                      description: |-
+                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                      type: object
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                matchLabelKeys:
+                                  description: |-
+                                    MatchLabelKeys is a set of pod label keys to select the pods over which
+                                    spreading will be calculated. The keys are used to lookup values from the
+                                    incoming pod labels, those key-value labels are ANDed with labelSelector
+                                    to select the group of existing pods over which spreading will be calculated
+                                    for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+                                    MatchLabelKeys cannot be set when LabelSelector isn't set.
+                                    Keys that don't exist in the incoming pod labels will
+                                    be ignored. A null or empty list means only match against labelSelector.
+
+                                    This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                maxSkew:
+                                  description: |-
+                                    MaxSkew describes the degree to which pods may be unevenly distributed.
+                                    When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+                                    between the number of matching pods in the target topology and the global minimum.
+                                    The global minimum is the minimum number of matching pods in an eligible domain
+                                    or zero if the number of eligible domains is less than MinDomains.
+                                    For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+                                    labelSelector spread as 2/2/1:
+                                    In this case, the global minimum is 1.
+                                    | zone1 | zone2 | zone3 |
+                                    |  P P  |  P P  |   P   |
+                                    - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+                                    scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+                                    violate MaxSkew(1).
+                                    - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+                                    When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+                                    to topologies that satisfy it.
+                                    It's a required field. Default value is 1 and 0 is not allowed.
+                                  format: int32
+                                  type: integer
+                                minDomains:
+                                  description: |-
+                                    MinDomains indicates a minimum number of eligible domains.
+                                    When the number of eligible domains with matching topology keys is less than minDomains,
+                                    Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+                                    And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+                                    this value has no effect on scheduling.
+                                    As a result, when the number of eligible domains is less than minDomains,
+                                    scheduler won't schedule more than maxSkew Pods to those domains.
+                                    If value is nil, the constraint behaves as if MinDomains is equal to 1.
+                                    Valid values are integers greater than 0.
+                                    When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+                                    For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+                                    labelSelector spread as 2/2/2:
+                                    | zone1 | zone2 | zone3 |
+                                    |  P P  |  P P  |  P P  |
+                                    The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+                                    In this situation, new pod with the same labelSelector cannot be scheduled,
+                                    because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+                                    it will violate MaxSkew.
+                                  format: int32
+                                  type: integer
+                                nodeAffinityPolicy:
+                                  description: |-
+                                    NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+                                    when calculating pod topology spread skew. Options are:
+                                    - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+                                    - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+                                    If this value is nil, the behavior is equivalent to the Honor policy.
+                                  type: string
+                                nodeTaintsPolicy:
+                                  description: |-
+                                    NodeTaintsPolicy indicates how we will treat node taints when calculating
+                                    pod topology spread skew. Options are:
+                                    - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+                                    has a toleration, are included.
+                                    - Ignore: node taints are ignored. All nodes are included.
+
+                                    If this value is nil, the behavior is equivalent to the Ignore policy.
+                                  type: string
+                                topologyKey:
+                                  description: |-
+                                    TopologyKey is the key of node labels. Nodes that have a label with this key
+                                    and identical values are considered to be in the same topology.
+                                    We consider each <key, value> as a "bucket", and try to put balanced number
+                                    of pods into each bucket.
+                                    We define a domain as a particular instance of a topology.
+                                    Also, we define an eligible domain as a domain whose nodes meet the requirements of
+                                    nodeAffinityPolicy and nodeTaintsPolicy.
+                                    e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+                                    And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+                                    It's a required field.
+                                  type: string
+                                whenUnsatisfiable:
+                                  description: |-
+                                    WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+                                    the spread constraint.
+                                    - DoNotSchedule (default) tells the scheduler not to schedule it.
+                                    - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+                                      but giving higher precedence to topologies that would help reduce the
+                                      skew.
+                                    A constraint is considered "Unsatisfiable" for an incoming pod
+                                    if and only if every possible node assignment for that pod would violate
+                                    "MaxSkew" on some topology.
+                                    For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+                                    labelSelector spread as 3/1/1:
+                                    | zone1 | zone2 | zone3 |
+                                    | P P P |   P   |   P   |
+                                    If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+                                    to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+                                    MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+                                    won't make it *more* imbalanced.
+                                    It's a required field.
+                                  type: string
+                              required:
+                              - maxSkew
+                              - topologyKey
+                              - whenUnsatisfiable
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  istiodRemote:
+                    description: |-
+                      Configuration for istiod-remote.
+                      DEPRECATED - istiod-remote chart is removed and replaced with
+                      `istio-discovery --set values.istiodRemote.enabled=true`
+
+                      Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                    properties:
+                      enabled:
+                        description: Indicates if this cluster/install should consume
+                          a "remote" istiod instance,
+                        type: boolean
+                      enabledLocalInjectorIstiod:
+                        description: |-
+                          If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+                          local istiod inject sidecars
+                        type: boolean
+                      injectionCABundle:
+                        description: injector ca bundle
+                        type: string
+                      injectionPath:
+                        description: Path to use for the sidecar injector webhook
+                          service.
+                        type: string
+                      injectionURL:
+                        description: URL to use for sidecar injector webhook.
+                        type: string
+                    type: object
+                  meshConfig:
+                    description: |-
+                      Defines runtime configuration of components, including Istiod and istio-agent behavior.
+                      See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options.
+                    properties:
+                      accessLogEncoding:
+                        description: |-
+                          Encoding for the proxy access log (`TEXT` or `JSON`).
+                          Default value is `TEXT`.
+                        enum:
+                        - TEXT
+                        - JSON
+                        type: string
+                      accessLogFile:
+                        description: |-
+                          File address for the proxy access log (e.g. /dev/stdout).
+                          Empty value disables access logging.
+                        type: string
+                      accessLogFormat:
+                        description: |-
+                          Format for the proxy access log
+                          Empty value results in proxy's default access log format
+                        type: string
+                      ca:
+                        description: |-
+                          If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA
+                          using the Istio CA gRPC API.
+                        properties:
+                          address:
+                            description: |-
+                              REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
+                              Can be IP address or a fully qualified DNS name with port
+                              Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000
+                            type: string
+                          istiodSide:
+                            description: |-
+                              Use istiodSide to specify CA Server integrate to Istiod side or Agent side
+                              Default: true
+                            type: boolean
+                          requestTimeout:
+                            description: |-
+                              timeout for forward CSR requests from Istiod to External CA
+                              Default: 10s
+                            type: string
+                          tlsSettings:
+                            description: |-
+                              Use the tlsSettings to specify the tls mode to use.
+                              Regarding tlsSettings:
+                              - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
+                              DISABLE MODE can also be used for testing
+                              - TLS MUTUAL MODE be on by default. If the CA certificates
+                              (cert bundle to verify the CA server's certificate) is omitted, Istiod will
+                              use the system root certs to verify the CA server's certificate.
+                            properties:
+                              caCertificates:
+                                description: |-
+                                  OPTIONAL: The path to the file containing certificate authority
+                                  certificates to use in verifying a presented server certificate. If
+                                  omitted, the proxy will verify the server's certificate using
+                                  the OS CA certificates.
+                                  Should be empty if mode is `ISTIO_MUTUAL`.
+                                type: string
+                              caCrl:
+                                description: |-
+                                  OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                  to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                  that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                  If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                  If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                  `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                type: string
+                              clientCertificate:
+                                description: |-
+                                  REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                  client-side TLS certificate to use.
+                                  Should be empty if mode is `ISTIO_MUTUAL`.
+                                type: string
+                              credentialName:
+                                description: |-
+                                  The name of the secret that holds the TLS certs for the
+                                  client including the CA certificates. This secret must exist in
+                                  the namespace of the proxy using the certificates.
+                                  An Opaque secret should contain the following keys and values:
+                                  `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                  `crl: <certificateRevocationList>`
+                                  Here CACertificate is used to verify the server certificate.
+                                  For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                  same secret or a separate secret named `<secret>-cacert`.
+                                  A TLS secret for client certificates with an additional
+                                  `ca.crt` key for CA certificates and `ca.crl` key for
+                                  certificate revocation list(CRL) is also supported.
+                                  Only one of client certificates and CA certificate
+                                  or credentialName can be specified.
+
+                                  **NOTE:** This field is applicable at sidecars only if
+                                  `DestinationRule` has a `workloadSelector` specified.
+                                  Otherwise the field will be applicable only at gateways, and
+                                  sidecars will continue to use the certificate paths.
+                                type: string
+                              insecureSkipVerify:
+                                description: |-
+                                  `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                  CA signature and SAN for the server certificate corresponding to the host.
+                                  The default value of this field is false.
+                                type: boolean
+                              mode:
+                                description: |-
+                                  Indicates whether connections to this port should be secured
+                                  using TLS. The value of this field determines how TLS is enforced.
+                                enum:
+                                - DISABLE
+                                - SIMPLE
+                                - MUTUAL
+                                - ISTIO_MUTUAL
+                                type: string
+                              privateKey:
+                                description: |-
+                                  REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                  client's private key.
+                                  Should be empty if mode is `ISTIO_MUTUAL`.
+                                type: string
+                              sni:
+                                description: |-
+                                  SNI string to present to the server during TLS handshake.
+                                  If unspecified, SNI will be automatically set based on downstream HTTP
+                                  host/authority header for SIMPLE and MUTUAL TLS modes.
+                                type: string
+                              subjectAltNames:
+                                description: |-
+                                  A list of alternate names to verify the subject identity in the
+                                  certificate. If specified, the proxy will verify that the server
+                                  certificate's subject alt name matches one of the specified values.
+                                  If specified, this list overrides the value of `subjectAltNames`
+                                  from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                  presented certificate for new upstream connections will be done based on the
+                                  downstream HTTP host/authority header.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        required:
+                        - address
+                        type: object
+                      caCertificates:
+                        description: |-
+                          The extra root certificates for workload-to-workload communication.
+                          The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret)
+                          are automatically added by Istiod.
+                          The CA certificate that signs the workload certificates is automatically added by Istio Agent.
+                        items:
+                          properties:
+                            certSigners:
+                              description: |-
+                                when Istiod is acting as RA(registration authority)
+                                If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.
+                              items:
+                                type: string
+                              type: array
+                            pem:
+                              description: The PEM data of the certificate.
+                              type: string
+                            spiffeBundleUrl:
+                              description: |-
+                                The SPIFFE bundle endpoint URL that complies to:
+                                https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle
+                                The endpoint should support authentication based on Web PKI:
+                                https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki
+                                The certificate is retrieved from the endpoint.
+                              type: string
+                            trustDomains:
+                              description: |-
+                                Optional. Specify the list of trust domains to which this trustAnchor data belongs.
+                                If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
+                                and its aliases.
+                                Note that we can have multiple trustAnchor data for a same trustDomain.
+                                In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
+                                If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers.
+                                If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers.
+                                If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains.
+                                If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                          x-kubernetes-validations:
+                          - message: At most one of [pem spiffeBundleUrl] should be
+                              set
+                            rule: (has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0)
+                              <= 1
+                        type: array
+                      certificates:
+                        description: |-
+                          Configure the provision of certificates.
+
+                          Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates.
+
+                          Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                        items:
+                          description: "Certificate configures the provision of a
+                            certificate and its key.\nExample 1: key and cert stored
+                            in a secret\n```\n{ secretName: galley-cert\n\n\t  secretNamespace:
+                            istio-system\n\t  dnsNames:\n\t    - galley.istio-system.svc\n\t
+                            \   - galley.mydomain.com\n\t}\n\n```\nExample 2: key
+                            and cert stored in a directory\n```\n{ dnsNames:\n  -
+                            pilot.istio-system\n  - pilot.istio-system.svc\n  - pilot.mydomain.com\n
+                            \   }\n\n```"
+                          properties:
+                            dnsNames:
+                              description: |-
+                                The DNS names for the certificate. A certificate may contain
+                                multiple DNS names.
+                              items:
+                                type: string
+                              type: array
+                            secretName:
+                              description: |-
+                                Name of the secret the certificate and its key will be stored into.
+                                If it is empty, it will not be stored into a secret.
+                                Instead, the certificate and its key will be stored into a hard-coded directory.
+                              type: string
+                          type: object
+                        type: array
+                      configSources:
+                        description: |-
+                          ConfigSource describes a source of configuration data for networking
+                          rules, and other Istio configuration artifacts. Multiple data sources
+                          can be configured for a single control plane.
+                        items:
+                          description: |-
+                            ConfigSource describes information about a configuration store inside a
+                            mesh. A single control plane instance can interact with one or more data
+                            sources.
+                          properties:
+                            address:
+                              description: |-
+                                Address of the server implementing the Istio Mesh Configuration
+                                protocol (MCP). Can be IP address or a fully qualified DNS name.
+                                Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
+                                fs:/// to specify a file-based backend with absolute path to the directory.
+                              type: string
+                            subscribedResources:
+                              description: Describes the source of configuration,
+                                if nothing is specified default is MCP
+                              items:
+                                description: Resource describes the source of configuration
+                                enum:
+                                - SERVICE_REGISTRY
+                                type: string
+                              type: array
+                            tlsSettings:
+                              description: |-
+                                Use the tlsSettings to specify the tls mode to use. If the MCP server
+                                uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+                                mode as `ISTIO_MUTUAL`.
+                              properties:
+                                caCertificates:
+                                  description: |-
+                                    OPTIONAL: The path to the file containing certificate authority
+                                    certificates to use in verifying a presented server certificate. If
+                                    omitted, the proxy will verify the server's certificate using
+                                    the OS CA certificates.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                caCrl:
+                                  description: |-
+                                    OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                    to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                    that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                    If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                    If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                    `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                  type: string
+                                clientCertificate:
+                                  description: |-
+                                    REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                    client-side TLS certificate to use.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                credentialName:
+                                  description: |-
+                                    The name of the secret that holds the TLS certs for the
+                                    client including the CA certificates. This secret must exist in
+                                    the namespace of the proxy using the certificates.
+                                    An Opaque secret should contain the following keys and values:
+                                    `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                    `crl: <certificateRevocationList>`
+                                    Here CACertificate is used to verify the server certificate.
+                                    For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                    same secret or a separate secret named `<secret>-cacert`.
+                                    A TLS secret for client certificates with an additional
+                                    `ca.crt` key for CA certificates and `ca.crl` key for
+                                    certificate revocation list(CRL) is also supported.
+                                    Only one of client certificates and CA certificate
+                                    or credentialName can be specified.
+
+                                    **NOTE:** This field is applicable at sidecars only if
+                                    `DestinationRule` has a `workloadSelector` specified.
+                                    Otherwise the field will be applicable only at gateways, and
+                                    sidecars will continue to use the certificate paths.
+                                  type: string
+                                insecureSkipVerify:
+                                  description: |-
+                                    `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                    CA signature and SAN for the server certificate corresponding to the host.
+                                    The default value of this field is false.
+                                  type: boolean
+                                mode:
+                                  description: |-
+                                    Indicates whether connections to this port should be secured
+                                    using TLS. The value of this field determines how TLS is enforced.
+                                  enum:
+                                  - DISABLE
+                                  - SIMPLE
+                                  - MUTUAL
+                                  - ISTIO_MUTUAL
+                                  type: string
+                                privateKey:
+                                  description: |-
+                                    REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                    client's private key.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                sni:
+                                  description: |-
+                                    SNI string to present to the server during TLS handshake.
+                                    If unspecified, SNI will be automatically set based on downstream HTTP
+                                    host/authority header for SIMPLE and MUTUAL TLS modes.
+                                  type: string
+                                subjectAltNames:
+                                  description: |-
+                                    A list of alternate names to verify the subject identity in the
+                                    certificate. If specified, the proxy will verify that the server
+                                    certificate's subject alt name matches one of the specified values.
+                                    If specified, this list overrides the value of `subjectAltNames`
+                                    from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                    presented certificate for new upstream connections will be done based on the
+                                    downstream HTTP host/authority header.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                          type: object
+                        type: array
+                      connectTimeout:
+                        description: |-
+                          Connection timeout used by Envoy. (MUST be >=1ms)
+                          Default timeout is 10s.
+                        type: string
+                      defaultConfig:
+                        description: |-
+                          Default proxy config used by gateway and sidecars.
+                          In case of Kubernetes, the proxy config is applied once during the injection process,
+                          and remain constant for the duration of the pod. The rest of the mesh config can be changed
+                          at runtime and config gets distributed dynamically.
+                          On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation.
+                        properties:
+                          availabilityZone:
+                            description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.'
+                            type: string
+                          binaryPath:
+                            description: Path to the proxy binary
+                            type: string
+                          caCertificatesPem:
+                            description: |-
+                              The PEM data of the extra root certificates for workload-to-workload communication.
+                              This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
+                              The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret)
+                              are added automatically by Istiod.
+                            items:
+                              type: string
+                            type: array
+                          concurrency:
+                            description: |-
+                              The number of worker threads to run.
+                              If unset, which is recommended, this will be automatically determined based on CPU requests/limits.
+                              If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance
+                              issues if CPU limits are also set.
+                            format: int32
+                            type: integer
+                          configPath:
+                            description: |-
+                              Path to the generated configuration file directory.
+                              Proxy agent generates the actual configuration and stores it in this directory.
+                            type: string
+                          controlPlaneAuthPolicy:
+                            description: |-
+                              AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
+                              Default is set to `MUTUAL_TLS`.
+                            enum:
+                            - NONE
+                            - MUTUAL_TLS
+                            - INHERIT
+                            type: string
+                          customConfigFile:
+                            description: |-
+                              File path of custom proxy configuration, currently used by proxies
+                              in front of istiod.
+                            type: string
+                          discoveryAddress:
+                            description: |-
+                              Address of the discovery service exposing xDS with mTLS connection.
+                              The inject configuration may override this value.
+                            type: string
+                          discoveryRefreshDelay:
+                            description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.'
+                            type: string
+                          drainDuration:
+                            description: |-
+                              restart. MUST be >=1s (e.g., _1s/1m/1h_)
+                              Default drain duration is `45s`.
+                            type: string
+                          envoyAccessLogService:
+                            description: |-
+                              Address of the service to which access logs from Envoys should be
+                              sent. (e.g. `accesslog-service:15000`). See [Access Log
+                              Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto)
+                              for details about Envoy's gRPC Access Log Service API.
+                            properties:
+                              address:
+                                description: |-
+                                  Address of a remove service used for various purposes (access log
+                                  receiver, metrics receiver, etc.). Can be IP address or a fully
+                                  qualified DNS name.
+                                type: string
+                              tcpKeepalive:
+                                description: If set then set `SO_KEEPALIVE` on the
+                                  socket to enable TCP Keepalives.
+                                properties:
+                                  interval:
+                                    description: |-
+                                      The time duration between keep-alive probes.
+                                      Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 75s.)
+                                    type: string
+                                  probes:
+                                    description: |-
+                                      Maximum number of keepalive probes to send without response before
+                                      deciding the connection is dead. Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 9.)
+                                    format: int32
+                                    type: integer
+                                  time:
+                                    description: |-
+                                      The time duration a connection needs to be idle before keep-alive
+                                      probes start being sent. Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 7200s (ie 2 hours.)
+                                    type: string
+                                type: object
+                              tlsSettings:
+                                description: |-
+                                  Use the `tlsSettings` to specify the tls mode to use. If the remote service
+                                  uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+                                  mode as `ISTIO_MUTUAL`.
+                                properties:
+                                  caCertificates:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing certificate authority
+                                      certificates to use in verifying a presented server certificate. If
+                                      omitted, the proxy will verify the server's certificate using
+                                      the OS CA certificates.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  caCrl:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                      to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                      that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                      If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                      If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                      `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                    type: string
+                                  clientCertificate:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client-side TLS certificate to use.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: |-
+                                      The name of the secret that holds the TLS certs for the
+                                      client including the CA certificates. This secret must exist in
+                                      the namespace of the proxy using the certificates.
+                                      An Opaque secret should contain the following keys and values:
+                                      `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                      `crl: <certificateRevocationList>`
+                                      Here CACertificate is used to verify the server certificate.
+                                      For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                      same secret or a separate secret named `<secret>-cacert`.
+                                      A TLS secret for client certificates with an additional
+                                      `ca.crt` key for CA certificates and `ca.crl` key for
+                                      certificate revocation list(CRL) is also supported.
+                                      Only one of client certificates and CA certificate
+                                      or credentialName can be specified.
+
+                                      **NOTE:** This field is applicable at sidecars only if
+                                      `DestinationRule` has a `workloadSelector` specified.
+                                      Otherwise the field will be applicable only at gateways, and
+                                      sidecars will continue to use the certificate paths.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: |-
+                                      `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                      CA signature and SAN for the server certificate corresponding to the host.
+                                      The default value of this field is false.
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured
+                                      using TLS. The value of this field determines how TLS is enforced.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client's private key.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: |-
+                                      SNI string to present to the server during TLS handshake.
+                                      If unspecified, SNI will be automatically set based on downstream HTTP
+                                      host/authority header for SIMPLE and MUTUAL TLS modes.
+                                    type: string
+                                  subjectAltNames:
+                                    description: |-
+                                      A list of alternate names to verify the subject identity in the
+                                      certificate. If specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of the specified values.
+                                      If specified, this list overrides the value of `subjectAltNames`
+                                      from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                      presented certificate for new upstream connections will be done based on the
+                                      downstream HTTP host/authority header.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          envoyMetricsService:
+                            description: |-
+                              Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`).
+                              See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto)
+                              for details about Envoy's Metrics Service API.
+                            properties:
+                              address:
+                                description: |-
+                                  Address of a remove service used for various purposes (access log
+                                  receiver, metrics receiver, etc.). Can be IP address or a fully
+                                  qualified DNS name.
+                                type: string
+                              tcpKeepalive:
+                                description: If set then set `SO_KEEPALIVE` on the
+                                  socket to enable TCP Keepalives.
+                                properties:
+                                  interval:
+                                    description: |-
+                                      The time duration between keep-alive probes.
+                                      Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 75s.)
+                                    type: string
+                                  probes:
+                                    description: |-
+                                      Maximum number of keepalive probes to send without response before
+                                      deciding the connection is dead. Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 9.)
+                                    format: int32
+                                    type: integer
+                                  time:
+                                    description: |-
+                                      The time duration a connection needs to be idle before keep-alive
+                                      probes start being sent. Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 7200s (ie 2 hours.)
+                                    type: string
+                                type: object
+                              tlsSettings:
+                                description: |-
+                                  Use the `tlsSettings` to specify the tls mode to use. If the remote service
+                                  uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+                                  mode as `ISTIO_MUTUAL`.
+                                properties:
+                                  caCertificates:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing certificate authority
+                                      certificates to use in verifying a presented server certificate. If
+                                      omitted, the proxy will verify the server's certificate using
+                                      the OS CA certificates.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  caCrl:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                      to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                      that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                      If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                      If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                      `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                    type: string
+                                  clientCertificate:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client-side TLS certificate to use.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: |-
+                                      The name of the secret that holds the TLS certs for the
+                                      client including the CA certificates. This secret must exist in
+                                      the namespace of the proxy using the certificates.
+                                      An Opaque secret should contain the following keys and values:
+                                      `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                      `crl: <certificateRevocationList>`
+                                      Here CACertificate is used to verify the server certificate.
+                                      For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                      same secret or a separate secret named `<secret>-cacert`.
+                                      A TLS secret for client certificates with an additional
+                                      `ca.crt` key for CA certificates and `ca.crl` key for
+                                      certificate revocation list(CRL) is also supported.
+                                      Only one of client certificates and CA certificate
+                                      or credentialName can be specified.
+
+                                      **NOTE:** This field is applicable at sidecars only if
+                                      `DestinationRule` has a `workloadSelector` specified.
+                                      Otherwise the field will be applicable only at gateways, and
+                                      sidecars will continue to use the certificate paths.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: |-
+                                      `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                      CA signature and SAN for the server certificate corresponding to the host.
+                                      The default value of this field is false.
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured
+                                      using TLS. The value of this field determines how TLS is enforced.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client's private key.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: |-
+                                      SNI string to present to the server during TLS handshake.
+                                      If unspecified, SNI will be automatically set based on downstream HTTP
+                                      host/authority header for SIMPLE and MUTUAL TLS modes.
+                                    type: string
+                                  subjectAltNames:
+                                    description: |-
+                                      A list of alternate names to verify the subject identity in the
+                                      certificate. If specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of the specified values.
+                                      If specified, this list overrides the value of `subjectAltNames`
+                                      from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                      presented certificate for new upstream connections will be done based on the
+                                      downstream HTTP host/authority header.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          envoyMetricsServiceAddress:
+                            description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.'
+                            type: string
+                          extraStatTags:
+                            description: |-
+                              An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
+                              added by configuring the telemetry extension. Each additional tag needs to be present in this list.
+                              Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
+                              and exposed as Prometheus metrics.
+                              Deprecated: `istio.stats` is a native filter now, this field is no longer needed.
+                            items:
+                              type: string
+                            type: array
+                          fileFlushInterval:
+                            description: |-
+                              File flush interval for envoy flushes buffers to disk in milliseconds.
+                              The duration needs to be set to a value greater than or equal to 1 millisecond.
+                              Default is 1000ms.
+                              Optional.
+                            type: string
+                          fileFlushMinSizeKb:
+                            description: |-
+                              File flush buffer size for envoy flushes buffers to disk in kilobytes.
+                              Defaults to 64.
+                              Optional.
+                            format: int32
+                            type: integer
+                          gatewayTopology:
+                            description: |-
+                              Topology encapsulates the configuration which describes where the proxy is
+                              located i.e. behind a (or N) trusted proxy (proxies) or directly exposed
+                              to the internet. This configuration only effects gateways and is applied
+                              to all the gateways in the cluster unless overridden via annotations of the
+                              gateway workloads.
+                            properties:
+                              forwardClientCertDetails:
+                                description: |-
+                                  Configures how the gateway proxy handles x-forwarded-client-cert (XFCC)
+                                  header in the incoming request.
+                                enum:
+                                - UNDEFINED
+                                - SANITIZE
+                                - FORWARD_ONLY
+                                - APPEND_FORWARD
+                                - SANITIZE_SET
+                                - ALWAYS_FORWARD_ONLY
+                                type: string
+                              numTrustedProxies:
+                                description: |-
+                                  Number of trusted proxies deployed in front of the Istio gateway proxy.
+                                  When this option is set to value N greater than zero, the trusted client
+                                  address is assumed to be the Nth address from the right end of the
+                                  X-Forwarded-For (XFF) header from the incoming request. If the
+                                  X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the
+                                  gateway proxy falls back to using the immediate downstream connection's
+                                  source address as the trusted client address.
+                                  Note that the gateway proxy will append the downstream connection's source
+                                  address to the X-Forwarded-For (XFF) address and set the
+                                  X-Envoy-External-Address header to the trusted client address before
+                                  forwarding it to the upstream services in the cluster.
+                                  The default value of numTrustedProxies is 0.
+                                  See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
+                                  header handling for more details.
+                                format: int32
+                                type: integer
+                              proxyProtocol:
+                                description: |-
+                                  Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for
+                                  downstream connections on a gateway.
+                                type: object
+                            type: object
+                          holdApplicationUntilProxyStarts:
+                            description: |-
+                              Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
+                              This feature adds hooks to delay application startup until the pod proxy
+                              is ready to accept traffic, mitigating some startup race conditions.
+                              Default value is 'false'.
+                            type: boolean
+                          image:
+                            description: Specifies the details of the proxy image.
+                            properties:
+                              imageType:
+                                description: |-
+                                  The image type of the image.
+                                  Istio publishes default, debug, and distroless images.
+                                  Other values are allowed if those image types (example: centos) are published to the specified hub.
+                                  supported values: default, debug, distroless.
+                                type: string
+                            type: object
+                          interceptionMode:
+                            description: The mode used to redirect inbound traffic
+                              to Envoy.
+                            enum:
+                            - REDIRECT
+                            - TPROXY
+                            - NONE
+                            type: string
+                          meshId:
+                            description: |-
+                              The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh)
+                              All control planes running in the same service mesh should specify the same mesh ID.
+                              Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.
+                            type: string
+                          privateKeyProvider:
+                            description: Specifies the details of the Private Key
+                              Provider configuration for gateway and sidecar proxies.
+                            properties:
+                              cryptomb:
+                                description: Use CryptoMb private key provider
+                                properties:
+                                  fallback:
+                                    description: |-
+                                      If the private key provider isn’t available (eg. the required hardware capability doesn’t existed)
+                                      Envoy will fallback to the BoringSSL default implementation when the fallback is true.
+                                      The default value is false.
+                                    type: boolean
+                                  pollDelay:
+                                    description: |-
+                                      How long to wait until the per-thread processing queue should be processed. If the processing queue
+                                      gets full (eight sign or decrypt requests are received) it is processed immediately.
+                                      However, if the queue is not filled before the delay has expired, the requests already in the queue
+                                      are processed, even if the queue is not full.
+                                      In effect, this value controls the balance between latency and throughput.
+                                      The duration needs to be set to a value greater than or equal to 1 millisecond.
+                                    type: string
+                                type: object
+                              qat:
+                                description: Use QAT private key provider
+                                properties:
+                                  fallback:
+                                    description: |-
+                                      If the private key provider isn’t available (eg. the required hardware capability doesn’t existed)
+                                      Envoy will fallback to the BoringSSL default implementation when the fallback is true.
+                                      The default value is false.
+                                    type: boolean
+                                  pollDelay:
+                                    description: |-
+                                      How long to wait before polling the hardware accelerator after a request has been submitted there.
+                                      Having a small value leads to quicker answers from the hardware but causes more polling loop spins,
+                                      leading to potentially larger CPU usage.
+                                      The duration needs to be set to a value greater than or equal to 1 millisecond.
+                                    type: string
+                                type: object
+                            type: object
+                            x-kubernetes-validations:
+                            - message: At most one of [cryptomb qat] should be set
+                              rule: (has(self.cryptomb)?1:0) + (has(self.qat)?1:0)
+                                <= 1
+                          proxyAdminPort:
+                            description: |-
+                              Port on which Envoy should listen for administrative commands.
+                              Default port is `15000`.
+                            format: int32
+                            type: integer
+                          proxyBootstrapTemplatePath:
+                            description: Path to the proxy bootstrap template file
+                            type: string
+                          proxyHeaders:
+                            description: "Define the set of headers to add/modify
+                              for HTTP request/responses.\n\nTo enable an optional
+                              header, simply set the field. If no specific configuration
+                              is required, an empty object (`{}`) will enable it.\nNote:
+                              currently all headers are enabled by default.\n\nBelow
+                              shows an example of customizing the `server` header
+                              and disabling the `X-Envoy-Attempt-Count` header:\n\n```yaml\nproxyHeaders:\n\n\tserver:\n\t
+                              \ value: \"my-custom-server\"\n\t# Explicitly enable
+                              Request IDs.\n\t# As this is the default, this has no
+                              effect.\n\trequestId: {}\n\tattemptCount:\n\t  disabled:
+                              true\n\n```\n\n# Below shows an example of preserving
+                              the header case for HTTP 1.x requests\n\n```yaml\nproxyHeaders:\n\n\tpreserveHttp1HeaderCase:
+                              true\n\n```\n\nSome headers are enabled by default,
+                              and require explicitly disabling. See below for an example
+                              of disabling all default-enabled headers:\n\n```yaml\nproxyHeaders:\n\n\tforwardedClientCert:
+                              SANITIZE\n\tserver:\n\t  disabled: true\n\trequestId:\n\t
+                              \ disabled: true\n\tattemptCount:\n\t  disabled: true\n\tenvoyDebugHeaders:\n\t
+                              \ disabled: true\n\tmetadataExchangeHeaders:\n\t  mode:
+                              IN_MESH\n\n```"
+                            properties:
+                              attemptCount:
+                                description: |-
+                                  Controls the `X-Envoy-Attempt-Count` header.
+                                  If enabled, this header will be added on outbound request headers (including gateways) that have retries configured.
+                                  If disabled, this header will not be set. If it is already present, it will be preserved.
+                                  This header is enabled by default if not configured.
+                                properties:
+                                  disabled:
+                                    type: boolean
+                                type: object
+                              envoyDebugHeaders:
+                                description: |-
+                                  Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time`. If enabled,
+                                  these headers will be included.
+                                  If disabled, these headers will not be set. If they are already present, they will be preserved.
+                                  See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details.
+                                  These headers are enabled by default if not configured.
+                                properties:
+                                  disabled:
+                                    type: boolean
+                                type: object
+                              forwardedClientCert:
+                                description: |-
+                                  Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting.
+                                  To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is).
+                                  By default, `APPEND_FORWARD` will be used.
+                                enum:
+                                - UNDEFINED
+                                - SANITIZE
+                                - FORWARD_ONLY
+                                - APPEND_FORWARD
+                                - SANITIZE_SET
+                                - ALWAYS_FORWARD_ONLY
+                                type: string
+                              metadataExchangeHeaders:
+                                description: |-
+                                  Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`.
+                                  By default, the behavior is unspecified.
+                                  If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.
+                                properties:
+                                  mode:
+                                    enum:
+                                    - UNDEFINED
+                                    - IN_MESH
+                                    type: string
+                                type: object
+                              preserveHttp1HeaderCase:
+                                description: |-
+                                  When true, the original case of HTTP/1.x headers will be preserved
+                                  as they pass through the proxy, rather than normalizing them to lowercase.
+                                  This field is particularly useful for applications that require case-sensitive
+                                  headers for interoperability with downstream systems or APIs that expect specific
+                                  casing.
+                                  The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers
+                                  to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2
+                                  requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
+                                  standards.
+                                type: boolean
+                              requestId:
+                                description: |-
+                                  Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set.
+                                  This applies to all types of traffic (inbound, outbound, and gateways).
+                                  If disabled, no request ID will be generate for the request. If it is already present, it will be preserved.
+                                  Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended.
+                                  This header is enabled by default if not configured.
+                                properties:
+                                  disabled:
+                                    type: boolean
+                                type: object
+                              server:
+                                description: |-
+                                  Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways).
+                                  If disabled, the `Server` header is not modified. If it is already present, it will be preserved.
+                                properties:
+                                  disabled:
+                                    type: boolean
+                                  value:
+                                    description: If set, and the server header is
+                                      enabled, this value will be set as the server
+                                      header. By default, `istio-envoy` will be used.
+                                    type: string
+                                type: object
+                              setCurrentClientCertDetails:
+                                description: |-
+                                  This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET
+                                  and the client connection is mTLS. It specifies the fields in
+                                  the client certificate to be forwarded. Note that `Hash` is always set, and
+                                  `By` is always set when the client certificate presents the URI type Subject Alternative Name value.
+                                properties:
+                                  cert:
+                                    description: |-
+                                      Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
+                                      XFCC header comma separated from other values with the value Cert="PEM".
+                                      Defaults to false.
+                                    type: boolean
+                                  chain:
+                                    description: |-
+                                      Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
+                                      format. This will appear in the XFCC header comma separated from other values with the value
+                                      Chain="PEM".
+                                      Defaults to false.
+                                    type: boolean
+                                  dns:
+                                    description: |-
+                                      Whether to forward the DNS type Subject Alternative Names of the client cert.
+                                      Defaults to true.
+                                    type: boolean
+                                  subject:
+                                    description: Whether to forward the subject of
+                                      the client cert. Defaults to true.
+                                    type: boolean
+                                  uri:
+                                    description: |-
+                                      Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
+                                      true.
+                                    type: boolean
+                                type: object
+                              xForwardedHost:
+                                description: |-
+                                  Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended
+                                  with the original host when it is rewritten.
+                                  This header is disabled by default.
+                                properties:
+                                  enabled:
+                                    type: boolean
+                                type: object
+                              xForwardedPort:
+                                description: |-
+                                  Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value
+                                  client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any
+                                  trusted proxy in front of Envoy.
+                                  This header is disabled by default.
+                                properties:
+                                  enabled:
+                                    type: boolean
+                                type: object
+                            type: object
+                          proxyMetadata:
+                            additionalProperties:
+                              type: string
+                            description: |-
+                              Additional environment variables for the proxy.
+                              Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.
+                            type: object
+                          proxyStatsMatcher:
+                            description: "Proxy stats matcher defines configuration
+                              for reporting custom Envoy stats.\nTo reduce memory
+                              and CPU overhead from Envoy stats system, Istio proxies
+                              by\ndefault create and expose only a subset of Envoy
+                              stats. This option is to\ncontrol creation of additional
+                              Envoy stats with prefix, suffix, and regex\nexpressions
+                              match on the name of the stats. This replaces the stats\ninclusion
+                              annotations\n(`sidecar.istio.io/statsInclusionPrefixes`,\n`sidecar.istio.io/statsInclusionRegexps`,
+                              and\n`sidecar.istio.io/statsInclusionSuffixes`). For
+                              example, to enable stats\nfor circuit breakers, request
+                              retries, upstream connections, and request timeouts,\nyou
+                              can specify stats matcher as follows:\n```yaml\nproxyStatsMatcher:\n\n\tinclusionRegexps:\n\t
+                              \ - .*outlier_detection.*\n\t  - .*upstream_rq_retry.*\n\t
+                              \ - .*upstream_cx_.*\n\tinclusionSuffixes:\n\t  - upstream_rq_timeout\n\n```\nNote
+                              including more Envoy stats might increase number of
+                              time series\ncollected by prometheus significantly.
+                              Care needs to be taken on Prometheus\nresource provision
+                              and configuration to reduce cardinality."
+                            properties:
+                              inclusionPrefixes:
+                                description: Proxy stats name prefix matcher for inclusion.
+                                items:
+                                  type: string
+                                type: array
+                              inclusionRegexps:
+                                description: Proxy stats name regexps matcher for
+                                  inclusion.
+                                items:
+                                  type: string
+                                type: array
+                              inclusionSuffixes:
+                                description: Proxy stats name suffix matcher for inclusion.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          readinessProbe:
+                            description: |-
+                              VM Health Checking readiness probe. This health check config exactly mirrors the
+                              kubernetes readiness probe configuration both in schema and logic.
+                              Only one health check method of 3 can be set at a time.
+                            properties:
+                              exec:
+                                description: Exec specifies a command to execute in
+                                  the container.
+                                properties:
+                                  command:
+                                    description: |-
+                                      Command is the command line to execute inside the container, the working directory for the
+                                      command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+                                      not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+                                      a shell, you need to explicitly call out to that shell.
+                                      Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                type: object
+                              failureThreshold:
+                                description: |-
+                                  Minimum consecutive failures for the probe to be considered failed after having succeeded.
+                                  Defaults to 3. Minimum value is 1.
+                                format: int32
+                                type: integer
+                              grpc:
+                                description: GRPC specifies a GRPC HealthCheckRequest.
+                                properties:
+                                  port:
+                                    description: Port number of the gRPC service.
+                                      Number must be in the range 1 to 65535.
+                                    format: int32
+                                    type: integer
+                                  service:
+                                    default: ""
+                                    description: |-
+                                      Service is the name of the service to place in the gRPC HealthCheckRequest
+                                      (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
+
+                                      If this is not specified, the default behavior is defined by gRPC.
+                                    type: string
+                                required:
+                                - port
+                                type: object
+                              httpGet:
+                                description: HTTPGet specifies an HTTP GET request
+                                  to perform.
+                                properties:
+                                  host:
+                                    description: |-
+                                      Host name to connect to, defaults to the pod IP. You probably want to set
+                                      "Host" in httpHeaders instead.
+                                    type: string
+                                  httpHeaders:
+                                    description: Custom headers to set in the request.
+                                      HTTP allows repeated headers.
+                                    items:
+                                      description: HTTPHeader describes a custom header
+                                        to be used in HTTP probes
+                                      properties:
+                                        name:
+                                          description: |-
+                                            The header field name.
+                                            This will be canonicalized upon output, so case-variant names will be understood as the same header.
+                                          type: string
+                                        value:
+                                          description: The header field value
+                                          type: string
+                                      required:
+                                      - name
+                                      - value
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  path:
+                                    description: Path to access on the HTTP server.
+                                    type: string
+                                  port:
+                                    anyOf:
+                                    - type: integer
+                                    - type: string
+                                    description: |-
+                                      Name or number of the port to access on the container.
+                                      Number must be in the range 1 to 65535.
+                                      Name must be an IANA_SVC_NAME.
+                                    x-kubernetes-int-or-string: true
+                                  scheme:
+                                    description: |-
+                                      Scheme to use for connecting to the host.
+                                      Defaults to HTTP.
+                                    type: string
+                                required:
+                                - port
+                                type: object
+                              initialDelaySeconds:
+                                description: |-
+                                  Number of seconds after the container has started before liveness probes are initiated.
+                                  More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+                                format: int32
+                                type: integer
+                              periodSeconds:
+                                description: |-
+                                  How often (in seconds) to perform the probe.
+                                  Default to 10 seconds. Minimum value is 1.
+                                format: int32
+                                type: integer
+                              successThreshold:
+                                description: |-
+                                  Minimum consecutive successes for the probe to be considered successful after having failed.
+                                  Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
+                                format: int32
+                                type: integer
+                              tcpSocket:
+                                description: TCPSocket specifies a connection to a
+                                  TCP port.
+                                properties:
+                                  host:
+                                    description: 'Optional: Host name to connect to,
+                                      defaults to the pod IP.'
+                                    type: string
+                                  port:
+                                    anyOf:
+                                    - type: integer
+                                    - type: string
+                                    description: |-
+                                      Number or name of the port to access on the container.
+                                      Number must be in the range 1 to 65535.
+                                      Name must be an IANA_SVC_NAME.
+                                    x-kubernetes-int-or-string: true
+                                required:
+                                - port
+                                type: object
+                              terminationGracePeriodSeconds:
+                                description: |-
+                                  Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+                                  The grace period is the duration in seconds after the processes running in the pod are sent
+                                  a termination signal and the time when the processes are forcibly halted with a kill signal.
+                                  Set this value longer than the expected cleanup time for your process.
+                                  If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+                                  value overrides the value provided by the pod spec.
+                                  Value must be non-negative integer. The value zero indicates stop immediately via
+                                  the kill signal (no opportunity to shut down).
+                                  This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+                                  Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
+                                format: int64
+                                type: integer
+                              timeoutSeconds:
+                                description: |-
+                                  Number of seconds after which the probe times out.
+                                  Defaults to 1 second. Minimum value is 1.
+                                  More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+                                format: int32
+                                type: integer
+                            type: object
+                          runtimeValues:
+                            additionalProperties:
+                              type: string
+                            description: |-
+                              Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping.
+                              This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.
+                            type: object
+                          sds:
+                            description: |-
+                              Secret Discovery Service(SDS) configuration to be used by the proxy.
+
+                              Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.
+                            properties:
+                              enabled:
+                                description: True if SDS is enabled.
+                                type: boolean
+                              k8sSaJwtPath:
+                                description: Path of k8s service account JWT path.
+                                type: string
+                            type: object
+                          serviceCluster:
+                            description: |-
+                              Service cluster defines the name for the `service_cluster` that is
+                              shared by all Envoy instances. This setting corresponds to
+                              `--service-cluster` flag in Envoy.  In a typical Envoy deployment, the
+                              `service-cluster` flag is used to identify the caller, for
+                              source-based routing scenarios.
+
+                              Since Istio does not assign a local `service/service` version to each
+                              Envoy instance, the name is same for all of them.  However, the
+                              source/caller's identity (e.g., IP address) is encoded in the
+                              `--service-node` flag when launching Envoy.  When the RDS service
+                              receives API calls from Envoy, it uses the value of the `service-node`
+                              flag to compute routes that are relative to the service instances
+                              located at that IP address.
+                            type: string
+                          statNameLength:
+                            description: |-
+                              Maximum length of name field in Envoy's metrics. The length of the name field
+                              is determined by the length of a name field in a service and the set of labels that
+                              comprise a particular version of the service. The default value is set to 189 characters.
+                              Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric.
+                              Increase the value of this field if you find that the metrics from Envoys are truncated.
+                            format: int32
+                            type: integer
+                          statsCompression:
+                            description: |-
+                              Offer HTTP compression for stats
+                              Defaults to true.
+                              Optional.
+                            type: boolean
+                          statsdUdpAddress:
+                            description: IP Address and Port of a statsd UDP listener
+                              (e.g. `10.75.241.127:9125`).
+                            type: string
+                          statusPort:
+                            description: |-
+                              Port on which the agent should listen for administrative commands such as readiness probe.
+                              Default is set to port `15020`.
+                            format: int32
+                            type: integer
+                          terminationDrainDuration:
+                            description: |-
+                              The amount of time allowed for connections to complete on proxy shutdown.
+                              On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
+                              discouraging any new connections and allowing existing connections to complete. It then
+                              sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes.
+                              If not set, a default of `5s` will be applied.
+                            type: string
+                          tracing:
+                            description: Tracing configuration to be used by the proxy.
+                            properties:
+                              customTags:
+                                additionalProperties:
+                                  description: |-
+                                    Configure custom tags that will be added to any active span.
+                                    Tags can be generated via literals, environment variables or an incoming request header.
+                                  properties:
+                                    environment:
+                                      description: |-
+                                        The custom tag's value should be populated from an environmental
+                                        variable
+                                      properties:
+                                        defaultValue:
+                                          description: |-
+                                            When the environment variable is not found,
+                                            the tag's value will be populated with this default value if specified,
+                                            otherwise the tag will not be populated.
+                                          type: string
+                                        name:
+                                          description: Name of the environment variable
+                                            used to populate the tag's value
+                                          type: string
+                                      type: object
+                                    header:
+                                      description: |-
+                                        The custom tag's value is populated by an http header from
+                                        an incoming request.
+                                      properties:
+                                        defaultValue:
+                                          description: |-
+                                            Default value to be used for the tag when the named HTTP header does not exist.
+                                            The tag will be skipped if no default value is provided.
+                                          type: string
+                                        name:
+                                          description: HTTP header name used to obtain
+                                            the value from to populate the tag value.
+                                          type: string
+                                      type: object
+                                    literal:
+                                      description: The custom tag's value is the specified
+                                        literal.
+                                      properties:
+                                        value:
+                                          description: Static literal value used to
+                                            populate the tag value.
+                                          type: string
+                                      type: object
+                                  type: object
+                                  x-kubernetes-validations:
+                                  - message: At most one of [literal environment header]
+                                      should be set
+                                    rule: (has(self.literal)?1:0) + (has(self.environment)?1:0)
+                                      + (has(self.header)?1:0) <= 1
+                                description: "and gateways).\nThe key represents the
+                                  name of the tag.\nEx:\n```yaml\ncustom_tags:\n\n\tnew_tag_name:\n\t
+                                  \ header:\n\t    name: custom-http-header-name\n\t
+                                  \   default_value: defaulted-value-from-custom-header\n\n```"
+                                type: object
+                              datadog:
+                                description: Use a Datadog tracer.
+                                properties:
+                                  address:
+                                    description: Address of the Datadog Agent.
+                                    type: string
+                                type: object
+                              enableIstioTags:
+                                description: |-
+                                  Determines whether or not trace spans generated by Envoy will include Istio specific tags.
+                                  By default Istio specific tags are included in the trace spans.
+                                type: boolean
+                              lightstep:
+                                description: |-
+                                  Use a Lightstep tracer.
+                                  NOTE: For Istio 1.15+, this configuration option will result
+                                  in using OpenTelemetry-based Lightstep integration.
+                                properties:
+                                  accessToken:
+                                    description: The Lightstep access token.
+                                    type: string
+                                  address:
+                                    description: Address of the Lightstep Satellite
+                                      pool.
+                                    type: string
+                                type: object
+                              maxPathTagLength:
+                                description: |-
+                                  Configures the maximum length of the request path to extract and include in the
+                                  HttpUrl tag. Used to truncate length request paths to meet the needs of tracing
+                                  backend. If not set, then a length of 256 will be used.
+                                format: int32
+                                type: integer
+                              openCensusAgent:
+                                description: Use an OpenCensus tracer exporting to
+                                  an OpenCensus agent.
+                                properties:
+                                  address:
+                                    description: |-
+                                      gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
+                                      unix:path). See [gRPC naming
+                                      docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for
+                                      details.
+                                    type: string
+                                  context:
+                                    description: |-
+                                      Specifies the set of context propagation headers used for distributed
+                                      tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified,
+                                      the proxy will attempt to read each header for each request and will
+                                      write all headers.
+                                    items:
+                                      description: |-
+                                        TraceContext selects the context propagation headers used for
+                                        distributed tracing.
+                                      enum:
+                                      - UNSPECIFIED
+                                      - W3C_TRACE_CONTEXT
+                                      - GRPC_BIN
+                                      - CLOUD_TRACE_CONTEXT
+                                      - B3
+                                      type: string
+                                    type: array
+                                type: object
+                              sampling:
+                                description: |-
+                                  The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
+                                  if not requested by the client or not forced. Default is 1.0.
+                                type: number
+                              stackdriver:
+                                description: Use a Stackdriver tracer.
+                                properties:
+                                  debug:
+                                    description: debug enables trace output to stdout.
+                                    type: boolean
+                                  maxNumberOfAnnotations:
+                                    description: |-
+                                      The global default max number of annotation events per span.
+                                      default is 200.
+                                    format: int64
+                                    type: integer
+                                  maxNumberOfAttributes:
+                                    description: |-
+                                      The global default max number of attributes per span.
+                                      default is 200.
+                                    format: int64
+                                    type: integer
+                                  maxNumberOfMessageEvents:
+                                    description: |-
+                                      The global default max number of message events per span.
+                                      default is 200.
+                                    format: int64
+                                    type: integer
+                                type: object
+                              tlsSettings:
+                                description: |-
+                                  Use the tlsSettings to specify the tls mode to use. If the remote tracing service
+                                  uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+                                  mode as `ISTIO_MUTUAL`.
+                                properties:
+                                  caCertificates:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing certificate authority
+                                      certificates to use in verifying a presented server certificate. If
+                                      omitted, the proxy will verify the server's certificate using
+                                      the OS CA certificates.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  caCrl:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                      to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                      that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                      If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                      If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                      `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                    type: string
+                                  clientCertificate:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client-side TLS certificate to use.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: |-
+                                      The name of the secret that holds the TLS certs for the
+                                      client including the CA certificates. This secret must exist in
+                                      the namespace of the proxy using the certificates.
+                                      An Opaque secret should contain the following keys and values:
+                                      `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                      `crl: <certificateRevocationList>`
+                                      Here CACertificate is used to verify the server certificate.
+                                      For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                      same secret or a separate secret named `<secret>-cacert`.
+                                      A TLS secret for client certificates with an additional
+                                      `ca.crt` key for CA certificates and `ca.crl` key for
+                                      certificate revocation list(CRL) is also supported.
+                                      Only one of client certificates and CA certificate
+                                      or credentialName can be specified.
+
+                                      **NOTE:** This field is applicable at sidecars only if
+                                      `DestinationRule` has a `workloadSelector` specified.
+                                      Otherwise the field will be applicable only at gateways, and
+                                      sidecars will continue to use the certificate paths.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: |-
+                                      `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                      CA signature and SAN for the server certificate corresponding to the host.
+                                      The default value of this field is false.
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured
+                                      using TLS. The value of this field determines how TLS is enforced.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client's private key.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: |-
+                                      SNI string to present to the server during TLS handshake.
+                                      If unspecified, SNI will be automatically set based on downstream HTTP
+                                      host/authority header for SIMPLE and MUTUAL TLS modes.
+                                    type: string
+                                  subjectAltNames:
+                                    description: |-
+                                      A list of alternate names to verify the subject identity in the
+                                      certificate. If specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of the specified values.
+                                      If specified, this list overrides the value of `subjectAltNames`
+                                      from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                      presented certificate for new upstream connections will be done based on the
+                                      downstream HTTP host/authority header.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                              zipkin:
+                                description: Use a Zipkin tracer.
+                                properties:
+                                  address:
+                                    description: Address of the Zipkin service (e.g.
+                                      _zipkin:9411_).
+                                    type: string
+                                type: object
+                            type: object
+                            x-kubernetes-validations:
+                            - message: At most one of [zipkin lightstep datadog stackdriver
+                                openCensusAgent] should be set
+                              rule: (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0)
+                                + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0)
+                                + (has(self.openCensusAgent)?1:0) <= 1
+                          tracingServiceName:
+                            description: |-
+                              Used by Envoy proxies to assign the values for the service names in trace
+                              spans.
+                            enum:
+                            - APP_LABEL_AND_NAMESPACE
+                            - CANONICAL_NAME_ONLY
+                            - CANONICAL_NAME_AND_NAMESPACE
+                            type: string
+                          zipkinAddress:
+                            description: |-
+                              Address of the Zipkin service (e.g. _zipkin:9411_).
+                              DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.
+
+                              Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.
+                            type: string
+                        type: object
+                        x-kubernetes-validations:
+                        - message: At most one of [serviceCluster tracingServiceName]
+                            should be set
+                          rule: (has(self.serviceCluster)?1:0) + (has(self.tracingServiceName)?1:0)
+                            <= 1
+                      defaultDestinationRuleExportTo:
+                        description: |-
+                          The default value for the `DestinationRule.exportTo` field. Has the same
+                          syntax as `defaultServiceExportTo`.
+
+                          If not set the system will use "*" as the default value which implies that
+                          destination rules are exported to all namespaces
+                        items:
+                          type: string
+                        type: array
+                      defaultHttpRetryPolicy:
+                        description: "Configure the default HTTP retry policy.\nThe
+                          default number of retry attempts is set at 2 for these errors:\n\n\t\"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes\".\n\nSetting
+                          the number of attempts to 0 disables retry policy globally.\nThis
+                          setting can be overridden on a per-host basis using the
+                          Virtual Service\nAPI.\nAll settings in the retry policy
+                          except `perTryTimeout` can currently be\nconfigured globally
+                          via this field."
+                        properties:
+                          attempts:
+                            description: |-
+                              Number of retries to be allowed for a given request. The interval
+                              between retries will be determined automatically (25ms+). When request
+                              `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute)
+                              or `per_try_timeout` is configured, the actual number of retries attempted also depends on
+                              the specified request `timeout` and `per_try_timeout` values. MUST be >= 0. If `0`, retries will be disabled.
+                              The maximum possible number of requests made will be 1 + `attempts`.
+                            format: int32
+                            type: integer
+                          backoff:
+                            description: |-
+                              Specifies the minimum duration between retry attempts.
+                              If unset, default minimum duration of 25ms is used as base interval for exponetial backoff.
+                              This has an impact on the total number of retries that will be attempted based on the `attempts` field
+                              and route timeout. For example, with attempts is set to 3, backoff to 2s and timeout to 3s, the request will
+                              be retried only once.
+                            type: string
+                          perTryTimeout:
+                            description: |-
+                              Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms.
+                              Default is same value as request
+                              `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute),
+                              which means no timeout.
+                            type: string
+                          retryIgnorePreviousHosts:
+                            description: |-
+                              Flag to specify whether the retries should ignore previously tried hosts during retry.
+                              Defaults to true.
+                            type: boolean
+                          retryOn:
+                            description: |-
+                              Specifies the conditions under which retry takes place.
+                              One or more policies can be specified using a ‘,’ delimited list.
+                              See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on)
+                              and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details.
+
+                              In addition to the policies specified above, a list of HTTP status codes can be passed, such as `retryOn: "503,reset"`.
+                              Note these status codes refer to the actual responses received from the destination.
+                              For example, if a connection is reset, Istio will translate this to 503 for it's response.
+                              However, the destination did not return a 503 error, so this would not match `"503"` (it would, however, match `"reset"`).
+
+                              If not specified, this defaults to `connect-failure,refused-stream,unavailable,cancelled`.
+                            type: string
+                          retryRemoteLocalities:
+                            description: |-
+                              Flag to specify whether the retries should retry to other localities.
+                              See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details.
+                            type: boolean
+                        type: object
+                      defaultProviders:
+                        description: Specifies extension providers to use by default
+                          in Istio configuration resources.
+                        properties:
+                          accessLogging:
+                            description: Name of the default provider(s) for access
+                              logging.
+                            items:
+                              type: string
+                            type: array
+                          metrics:
+                            description: Name of the default provider(s) for metrics.
+                            items:
+                              type: string
+                            type: array
+                          tracing:
+                            description: Name of the default provider(s) for tracing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      defaultServiceExportTo:
+                        description: |-
+                          The default value for the ServiceEntry.exportTo field and services
+                          imported through container registry integrations, e.g. this applies to
+                          Kubernetes Service resources. The value is a list of namespace names and
+                          reserved namespace aliases. The allowed namespace aliases are:
+                          ```
+                          * - All Namespaces
+                          . - Current Namespace
+                          ~ - No Namespace
+                          ```
+                          If not set the system will use "*" as the default value which implies that
+                          services are exported to all namespaces.
+
+                          `All namespaces` is a reasonable default for implementations that don't
+                          need to restrict access or visibility of services across namespace
+                          boundaries. If that requirement is present it is generally good practice to
+                          make the default `Current namespace` so that services are only visible
+                          within their own namespaces by default. Operators can then expand the
+                          visibility of services to other namespaces as needed. Use of `No Namespace`
+                          is expected to be rare but can have utility for deployments where
+                          dependency management needs to be precise even within the scope of a single
+                          namespace.
+
+                          For further discussion see the reference documentation for `ServiceEntry`,
+                          `Sidecar`, and `Gateway`.
+                        items:
+                          type: string
+                        type: array
+                      defaultVirtualServiceExportTo:
+                        description: |-
+                          The default value for the VirtualService.exportTo field. Has the same
+                          syntax as `defaultServiceExportTo`.
+
+                          If not set the system will use "*" as the default value which implies that
+                          virtual services are exported to all namespaces
+                        items:
+                          type: string
+                        type: array
+                      disableEnvoyListenerLog:
+                        description: |-
+                          This flag disables Envoy Listener logs.
+                          See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log)
+                          Istio Enables Envoy's listener access logs on "NoRoute" response flag.
+                          Default value is `false`.
+                        type: boolean
+                      discoverySelectors:
+                        description: |-
+                          A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
+                          computing configuration updates for sidecars. This can be used to reduce Istio's computational load
+                          by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
+                          If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
+                          Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
+                          The following example selects any namespace that matches either below:
+                          1. The namespace has both of these labels: `env: prod` and `region: us-east1`
+                          2. The namespace has label `app` equal to `cassandra` or `spark`.
+                          ```yaml
+                          discoverySelectors:
+                            - matchLabels:
+                              env: prod
+                              region: us-east1
+                            - matchExpressions:
+                            - key: app
+                              operator: In
+                              values:
+                            - cassandra
+                            - spark
+
+                          ```
+                          Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
+                          for additional detail on selector semantics.
+                        items:
+                          description: |-
+                            A label selector is a label query over a set of resources. The result of matchLabels and
+                            matchExpressions are ANDed. An empty label selector matches all objects. A null
+                            label selector matches no objects.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
+                      dnsRefreshRate:
+                        description: |-
+                          Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS`
+                          Default refresh rate is `60s`.
+                        type: string
+                      enableAutoMtls:
+                        description: |-
+                          This flag is used to enable mutual `TLS` automatically for service to service communication
+                          within the mesh, default true.
+                          If set to true, and a given service does not have a corresponding `DestinationRule` configured,
+                          or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side
+                          TLS configuration appropriately. More specifically,
+                          If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate
+                          for mutual `TLS` to connect to upstream.
+                          If upstream service is in plain text mode, use plain text.
+                          If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
+                          mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic.
+                          If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead.
+                        type: boolean
+                      enableEnvoyAccessLogService:
+                        description: |-
+                          This flag enables Envoy's gRPC Access Log Service.
+                          See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto)
+                          for details about Envoy's gRPC Access Log Service API.
+                          Default value is `false`.
+                        type: boolean
+                      enablePrometheusMerge:
+                        description: |-
+                          If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
+                          and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod
+                          and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
+                          This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and
+                          `prometheus.io/path` annotations.
+                          If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
+                          In this case, it is recommended to disable aggregation on that deployment with the
+                          `prometheus.istio.io/merge-metrics: "false"` annotation.
+                          If not specified, this will be enabled by default.
+                        type: boolean
+                      enableTracing:
+                        description: |-
+                          Flag to control generation of trace spans and request IDs.
+                          Requires a trace span collector defined in the proxy configuration.
+                        type: boolean
+                      extensionProviders:
+                        description: |-
+                          Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy
+                          can be used with an extension provider to delegate the authorization decision to a custom authorization system.
+                        items:
+                          properties:
+                            datadog:
+                              description: Configures a Datadog tracing provider.
+                              properties:
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service for the Datadog agent.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyExtAuthzGrpc:
+                              description: Configures an external authorizer that
+                                implements the Envoy ext_authz filter authorization
+                                check service using the gRPC API.
+                              properties:
+                                clearRouteCache:
+                                  description: |-
+                                    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions.
+                                    If true, recalculate routes with the new ExtAuthZ added/removed headers.
+                                    Default is false
+                                  type: boolean
+                                failOpen:
+                                  description: |-
+                                    If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
+                                    or if the authorization service has returned a HTTP 5xx error.
+                                    Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.
+                                  type: boolean
+                                includeRequestBodyInCheck:
+                                  description: If set, the client request body will
+                                    be included in the authorization request sent
+                                    to the authorization service.
+                                  properties:
+                                    allowPartialMessage:
+                                      description: |-
+                                        When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached.
+                                        The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
+                                        A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
+                                        indicating if the body data is partial.
+                                      type: boolean
+                                    maxRequestBytes:
+                                      description: |-
+                                        Sets the maximum size of a message body that the ext-authz filter will hold in memory.
+                                        If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large).
+                                        Otherwise the request will be sent to the provider with a partial message.
+                                        Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the
+                                        failOpen is set to true.
+                                      format: int32
+                                      type: integer
+                                    packAsBytes:
+                                      description: |-
+                                        If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
+                                        in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
+                                        Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
+                                        This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.
+                                      type: boolean
+                                  type: object
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
+                                  type: string
+                                statusOnError:
+                                  description: |-
+                                    Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
+                                    The default status is "403" (HTTP Forbidden).
+                                  type: string
+                                timeout:
+                                  description: |-
+                                    The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
+                                    When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
+                                    In this situation, the response sent back to the client will depend on the configured `failOpen` field.
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyExtAuthzHttp:
+                              description: Configures an external authorizer that
+                                implements the Envoy ext_authz filter authorization
+                                check service using the HTTP API.
+                              properties:
+                                clearRouteCache:
+                                  description: |-
+                                    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions.
+                                    If true, recalculate routes with the new ExtAuthZ added/removed headers.
+                                    Default is false
+                                  type: boolean
+                                failOpen:
+                                  description: |-
+                                    If true, the user request will be allowed even if the communication with the authorization service has failed,
+                                    or if the authorization service has returned a HTTP 5xx error.
+                                    Default is false and the request will be rejected with "Forbidden" response.
+                                  type: boolean
+                                headersToDownstreamOnAllow:
+                                  description: |-
+                                    List of headers from the authorization service that should be forwarded to downstream when the authorization
+                                    check result is allowed (HTTP code 200).
+                                    If not specified, the original response will not be modified and forwarded to downstream as-is.
+                                    Note, any existing headers will be overridden.
+
+                                    Exact, prefix and suffix matches are supported (similar to the
+                                    [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+                                    except the presence match):
+                                    - Exact match: "abc" will match on value "abc".
+                                    - Prefix match: "abc*" will match on value "abc" and "abcd".
+                                    - Suffix match: "*abc" will match on value "abc" and "xabc".
+                                  items:
+                                    type: string
+                                  type: array
+                                headersToDownstreamOnDeny:
+                                  description: |-
+                                    List of headers from the authorization service that should be forwarded to downstream when the authorization
+                                    check result is not allowed (HTTP code other than 200).
+                                    If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to
+                                    the downstream.
+                                    When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are
+                                    automatically added.
+                                    Note, the body from the authorization service is always included in the response to downstream.
+
+                                    Exact, prefix and suffix matches are supported (similar to the
+                                    [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+                                    except the presence match):
+                                    - Exact match: "abc" will match on value "abc".
+                                    - Prefix match: "abc*" will match on value "abc" and "abcd".
+                                    - Suffix match: "*abc" will match on value "abc" and "xabc".
+                                  items:
+                                    type: string
+                                  type: array
+                                headersToUpstreamOnAllow:
+                                  description: |-
+                                    List of headers from the authorization service that should be added or overridden in the original request and
+                                    forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
+                                    If not specified, the original request will not be modified and forwarded to backend as-is.
+                                    Note, any existing headers will be overridden.
+
+                                    Exact, prefix and suffix matches are supported (similar to the
+                                    [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+                                    except the presence match):
+                                    - Exact match: "abc" will match on value "abc".
+                                    - Prefix match: "abc*" will match on value "abc" and "abcd".
+                                    - Suffix match: "*abc" will match on value "abc" and "xabc".
+                                  items:
+                                    type: string
+                                  type: array
+                                includeAdditionalHeadersInCheck:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
+                                    Key is the header name and value is the header value.
+                                    Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.
+                                  type: object
+                                includeHeadersInCheck:
+                                  description: |-
+                                    DEPRECATED. Use includeRequestHeadersInCheck instead.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  items:
+                                    type: string
+                                  type: array
+                                includeRequestBodyInCheck:
+                                  description: If set, the client request body will
+                                    be included in the authorization request sent
+                                    to the authorization service.
+                                  properties:
+                                    allowPartialMessage:
+                                      description: |-
+                                        When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached.
+                                        The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
+                                        A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
+                                        indicating if the body data is partial.
+                                      type: boolean
+                                    maxRequestBytes:
+                                      description: |-
+                                        Sets the maximum size of a message body that the ext-authz filter will hold in memory.
+                                        If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large).
+                                        Otherwise the request will be sent to the provider with a partial message.
+                                        Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the
+                                        failOpen is set to true.
+                                      format: int32
+                                      type: integer
+                                    packAsBytes:
+                                      description: |-
+                                        If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
+                                        in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
+                                        Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
+                                        This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.
+                                      type: boolean
+                                  type: object
+                                includeRequestHeadersInCheck:
+                                  description: |-
+                                    List of client request headers that should be included in the authorization request sent to the authorization service.
+                                    Note that in addition to the headers specified here following headers are included by default:
+                                    1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
+                                    2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization
+                                    request can include the buffered client request body (controlled by includeRequestBodyInCheck setting),
+                                    consequently the value of Content-Length of the authorization request reflects the size of its payload size.
+
+                                    Exact, prefix and suffix matches are supported (similar to the
+                                    [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+                                    except the presence match):
+                                    - Exact match: "abc" will match on value "abc".
+                                    - Prefix match: "abc*" will match on value "abc" and "abcd".
+                                    - Suffix match: "*abc" will match on value "abc" and "xabc".
+                                  items:
+                                    type: string
+                                  type: array
+                                pathPrefix:
+                                  description: |-
+                                    Sets a prefix to the value of authorization request header *Path*.
+                                    For example, setting this to "/check" for an original user request at path "/admin" will cause the
+                                    authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
+                                  type: string
+                                statusOnError:
+                                  description: |-
+                                    Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
+                                    The default status is "403" (HTTP Forbidden).
+                                  type: string
+                                timeout:
+                                  description: |-
+                                    The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
+                                    When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
+                                    In this situation, the response sent back to the client will depend on the configured `failOpen` field.
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyFileAccessLog:
+                              description: Configures an Envoy File Access Log provider.
+                              properties:
+                                logFormat:
+                                  description: Optional. Allows overriding of the
+                                    default access log format.
+                                  properties:
+                                    labels:
+                                      additionalProperties:
+                                        type: string
+                                      description: "JSON structured format for the
+                                        envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan
+                                        be used as values for fields within the Struct.
+                                        Values are rendered\nas strings, numbers,
+                                        or boolean values, as appropriate\n(see: [format
+                                        dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)).
+                                        Nested JSON is\nsupported for some command
+                                        operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).\nUse
+                                        `labels: {}` for default envoy JSON log format.\n\nExample:\n```\nlabels:\n\n\tstatus:
+                                        \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```"
+                                      type: object
+                                    text:
+                                      description: |-
+                                        Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
+                                        used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
+                                        provides more information.
+
+                                        NOTE: Istio will insert a newline ('\n') on all formats (if missing).
+
+                                        Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
+                                      type: string
+                                  type: object
+                                  x-kubernetes-validations:
+                                  - message: At most one of [text labels] should be
+                                      set
+                                    rule: (has(self.text)?1:0) + (has(self.labels)?1:0)
+                                      <= 1
+                                omitEmptyValues:
+                                  description: |-
+                                    Optional. If set to true, when command operators are evaluated to null,
+                                    For text format, the output of the empty operator is changed from "-" to an empty string.
+                                    For json format, the keys with null values are omitted in the output structure.
+                                  type: boolean
+                                path:
+                                  description: |-
+                                    Path to a local file to write the access log entries.
+                                    This may be used to write to streams, via `/dev/stderr` and `/dev/stdout`
+                                    If unspecified, defaults to `/dev/stdout`.
+                                  type: string
+                              type: object
+                            envoyHttpAls:
+                              description: Configures an Envoy Access Logging Service
+                                provider for HTTP traffic.
+                              properties:
+                                additionalRequestHeadersToLog:
+                                  description: Optional. Additional request headers
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                additionalResponseHeadersToLog:
+                                  description: Optional. Additional response headers
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                additionalResponseTrailersToLog:
+                                  description: Optional. Additional response trailers
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                filterStateObjectsToLog:
+                                  description: Optional. Additional filter state objects
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                logName:
+                                  description: |-
+                                    Optional. The friendly name of the access log.
+                                    Defaults:
+                                    -  "http_envoy_accesslog"
+                                    -  "listener_envoy_accesslog"
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyOtelAls:
+                              description: Configures an Envoy Open Telemetry Access
+                                Logging Service provider.
+                              properties:
+                                logFormat:
+                                  description: |-
+                                    Optional. Format for the proxy access log
+                                    Empty value results in proxy's default access log format, following Envoy access logging formatting.
+                                  properties:
+                                    labels:
+                                      additionalProperties:
+                                        type: string
+                                      description: "Optional. Additional attributes
+                                        that describe the specific event occurrence.\nStructured
+                                        format for the envoy access logs. Envoy [command
+                                        operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan
+                                        be used as values for fields within the Struct.
+                                        Values are rendered\nas strings, numbers,
+                                        or boolean values, as appropriate\n(see: [format
+                                        dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)).
+                                        Nested JSON is\nsupported for some command
+                                        operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias
+                                        to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus:
+                                        \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```"
+                                      type: object
+                                    text:
+                                      description: |-
+                                        Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
+                                        used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
+                                        provides more information.
+                                        Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
+                                        Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
+                                      type: string
+                                  type: object
+                                logName:
+                                  description: |-
+                                    Optional. The friendly name of the access log.
+                                    Defaults:
+                                    - "otel_envoy_accesslog"
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyTcpAls:
+                              description: Configures an Envoy Access Logging Service
+                                provider for TCP traffic.
+                              properties:
+                                filterStateObjectsToLog:
+                                  description: Optional. Additional filter state objects
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                logName:
+                                  description: |-
+                                    Optional. The friendly name of the access log.
+                                    Defaults:
+                                    - "tcp_envoy_accesslog"
+                                    - "listener_envoy_accesslog"
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            lightstep:
+                              description: |-
+                                Configures a Lightstep tracing provider.
+                                Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027
+
+                                Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                              properties:
+                                accessToken:
+                                  description: The Lightstep access token.
+                                  type: string
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service for the Lightstep collector.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            name:
+                              description: REQUIRED. A unique name identifying the
+                                extension provider.
+                              type: string
+                            opencensus:
+                              description: |-
+                                Configures an OpenCensusAgent tracing provider.
+                                Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/
+
+                                Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                              properties:
+                                context:
+                                  description: |-
+                                    Specifies the set of context propagation headers used for distributed
+                                    tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified,
+                                    the proxy will attempt to read each header for each request and will
+                                    write all headers.
+                                  items:
+                                    description: |-
+                                      TraceContext selects the context propagation headers used for
+                                      distributed tracing.
+                                    enum:
+                                    - UNSPECIFIED
+                                    - W3C_TRACE_CONTEXT
+                                    - GRPC_BIN
+                                    - CLOUD_TRACE_CONTEXT
+                                    - B3
+                                    type: string
+                                  type: array
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service for the OpenCensusAgent.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            opentelemetry:
+                              description: Configures an OpenTelemetry tracing provider.
+                              properties:
+                                dynatraceSampler:
+                                  description: |-
+                                    The Dynatrace adaptive traffic management (ATM) sampler.
+
+                                    Example configuration:
+
+                                    ```yaml
+                                      - name: otel-tracing
+                                        opentelemetry:
+                                        port: 443
+                                        service: "{your-environment-id}.live.dynatrace.com"
+                                        http:
+                                        path: "/api/v2/otlp/v1/traces"
+                                        timeout: 10s
+                                        headers:
+                                      - name: "Authorization"
+                                        value: "Api-Token dt0c01."
+                                        resourceDetectors:
+                                        dynatrace: {}
+                                        dynatraceSampler:
+                                        tenant: "{your-environment-id}"
+                                        clusterId: 1234
+                                  properties:
+                                    clusterId:
+                                      description: |-
+                                        REQUIRED. The identifier of the cluster in the Dynatrace platform.
+                                        The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.
+
+                                        The value can be obtained from the Istio deployment page in Dynatrace.
+                                      format: int32
+                                      type: integer
+                                    httpService:
+                                      description: |-
+                                        Optional. Dynatrace HTTP API to obtain sampling configuration.
+
+                                        When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter
+                                        (`service`, `port` and `http`), including the access token.
+                                      properties:
+                                        http:
+                                          description: REQUIRED. Specifies sampling
+                                            configuration URI.
+                                          properties:
+                                            headers:
+                                              description: |-
+                                                Optional. Allows specifying custom HTTP headers that will be added
+                                                to each HTTP request sent.
+                                              items:
+                                                properties:
+                                                  envName:
+                                                    description: |-
+                                                      The HTTP header value from the environment variable.
+
+                                                      Warning:
+                                                      - The environment variable must be set in the istiod pod spec.
+                                                      - This is not a end-to-end secure.
+                                                    type: string
+                                                  name:
+                                                    description: REQUIRED. The HTTP
+                                                      header name.
+                                                    type: string
+                                                  value:
+                                                    description: The HTTP header value.
+                                                    type: string
+                                                required:
+                                                - name
+                                                type: object
+                                                x-kubernetes-validations:
+                                                - message: At most one of [value envName]
+                                                    should be set
+                                                  rule: (has(self.value)?1:0) + (has(self.envName)?1:0)
+                                                    <= 1
+                                              type: array
+                                            path:
+                                              description: REQUIRED. Specifies the
+                                                path on the service.
+                                              type: string
+                                            timeout:
+                                              description: |-
+                                                Optional. Specifies the timeout for the HTTP request.
+                                                If not specified, the default is 3s.
+                                              type: string
+                                          required:
+                                          - path
+                                          type: object
+                                        port:
+                                          description: REQUIRED. Specifies the port
+                                            of the service.
+                                          format: int32
+                                          type: integer
+                                        service:
+                                          description: |-
+                                            REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration.
+                                            The format is `<Hostname>`, where `<Hostname>` is the fully qualified Dynatrace environment
+                                            host name defined in the ServiceEntry.
+
+                                            Example: "{your-environment-id}.live.dynatrace.com".
+                                          type: string
+                                      required:
+                                      - http
+                                      - port
+                                      - service
+                                      type: object
+                                    rootSpansPerMinute:
+                                      description: |-
+                                        Optional. Number of sampled spans per minute to be used
+                                        when the adaptive value cannot be obtained from the Dynatrace API.
+
+                                        A default value of `1000` is used when:
+
+                                        - `rootSpansPerMinute` is unset
+                                        - `rootSpansPerMinute` is set to 0
+                                      format: int32
+                                      type: integer
+                                    tenant:
+                                      description: |-
+                                        REQUIRED. The Dynatrace customer's tenant identifier.
+
+                                        The value can be obtained from the Istio deployment page in Dynatrace.
+                                      type: string
+                                  required:
+                                  - clusterId
+                                  - tenant
+                                  type: object
+                                grpc:
+                                  description: "Optional. Specifies the configuration
+                                    for exporting OTLP traces via GRPC.\nWhen empty,
+                                    traces will check whether HTTP is set.\nIf not,
+                                    traces will use default GRPC configurations.\n\nThe
+                                    following example shows how to configure the OpenTelemetry
+                                    ExtensionProvider to export via GRPC:\n\n1. Add/change
+                                    the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n
+                                    \ - name: opentelemetry\n    opentelemetry:\n
+                                    \   port: 8090\n    service: tracing.example.com\n
+                                    \   grpc:\n    timeout: 10s\n    initialMetadata:\n
+                                    \ - name: \"Authentication\"\n    value: \"token-xxxxx\"\n\n```\n\n2.
+                                    Deploy a `ServiceEntry` for the observability
+                                    back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind:
+                                    ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t-
+                                    tracing.example.com\n\tports:\n\t- number: 8090\n\t
+                                    \ name: grpc-port\n\t  protocol: GRPC\n\tresolution:
+                                    DNS\n\tlocation: MESH_EXTERNAL\n\n```"
+                                  properties:
+                                    initialMetadata:
+                                      description: |-
+                                        Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for
+                                        scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to
+                                        be injected.
+                                      items:
+                                        properties:
+                                          envName:
+                                            description: |-
+                                              The HTTP header value from the environment variable.
+
+                                              Warning:
+                                              - The environment variable must be set in the istiod pod spec.
+                                              - This is not a end-to-end secure.
+                                            type: string
+                                          name:
+                                            description: REQUIRED. The HTTP header
+                                              name.
+                                            type: string
+                                          value:
+                                            description: The HTTP header value.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                        x-kubernetes-validations:
+                                        - message: At most one of [value envName]
+                                            should be set
+                                          rule: (has(self.value)?1:0) + (has(self.envName)?1:0)
+                                            <= 1
+                                      type: array
+                                    timeout:
+                                      description: Optional. Specifies the timeout
+                                        for the GRPC request.
+                                      type: string
+                                  type: object
+                                http:
+                                  description: "Optional. Specifies the configuration
+                                    for exporting OTLP traces via HTTP.\nWhen empty,
+                                    traces will be exported via gRPC.\n\nThe following
+                                    example shows how to configure the OpenTelemetry
+                                    ExtensionProvider to export via HTTP:\n\n1. Add/change
+                                    the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n
+                                    \ - name: otel-tracing\n    opentelemetry:\n    port:
+                                    443\n    service: my.olly-backend.com\n    http:\n
+                                    \   path: \"/api/otlp/traces\"\n    timeout: 10s\n
+                                    \   headers:\n  - name: \"my-custom-header\"\n
+                                    \   value: \"some value\"\n\n```\n\n2. Deploy
+                                    a `ServiceEntry` for the observability back-end\n```yaml\napiVersion:
+                                    networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n\n\tname:
+                                    my-olly-backend\n\nspec:\n\n\thosts:\n\t- my.olly-backend.com\n\tports:\n\t-
+                                    number: 443\n\t  name: https-port\n\t  protocol:
+                                    HTTPS\n\tresolution: DNS\n\tlocation: MESH_EXTERNAL\n\n---\napiVersion:
+                                    networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n\n\tname:
+                                    my-olly-backend\n\nspec:\n\n\thost: my.olly-backend.com\n\ttrafficPolicy:\n\t
+                                    \ portLevelSettings:\n\t  - port:\n\t      number:
+                                    443\n\t    tls:\n\t      mode: SIMPLE\n\n```"
+                                  properties:
+                                    headers:
+                                      description: |-
+                                        Optional. Allows specifying custom HTTP headers that will be added
+                                        to each HTTP request sent.
+                                      items:
+                                        properties:
+                                          envName:
+                                            description: |-
+                                              The HTTP header value from the environment variable.
+
+                                              Warning:
+                                              - The environment variable must be set in the istiod pod spec.
+                                              - This is not a end-to-end secure.
+                                            type: string
+                                          name:
+                                            description: REQUIRED. The HTTP header
+                                              name.
+                                            type: string
+                                          value:
+                                            description: The HTTP header value.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                        x-kubernetes-validations:
+                                        - message: At most one of [value envName]
+                                            should be set
+                                          rule: (has(self.value)?1:0) + (has(self.envName)?1:0)
+                                            <= 1
+                                      type: array
+                                    path:
+                                      description: REQUIRED. Specifies the path on
+                                        the service.
+                                      type: string
+                                    timeout:
+                                      description: |-
+                                        Optional. Specifies the timeout for the HTTP request.
+                                        If not specified, the default is 3s.
+                                      type: string
+                                  required:
+                                  - path
+                                  type: object
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                resourceDetectors:
+                                  description: |-
+                                    Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/)
+                                    to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged
+                                    according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge).
+
+                                    The following example shows how to configure the Environment Resource Detector, that will
+                                    read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`:
+
+                                    ```yaml
+                                      - name: otel-tracing
+                                        opentelemetry:
+                                        port: 443
+                                        service: my.olly-backend.com
+                                        resourceDetectors:
+                                        environment: {}
+
+                                    ```
+                                  properties:
+                                    dynatrace:
+                                      description: |-
+                                        Dynatrace Resource Detector.
+                                        The resource detector reads from the Dynatrace enrichment files
+                                        and adds host/process related attributes to the OpenTelemetry resource.
+
+                                        See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files)
+                                      type: object
+                                    environment:
+                                      description: |-
+                                        OpenTelemetry Environment Resource Detector.
+                                        The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`
+                                        and adds them to the OpenTelemetry resource.
+
+                                        See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable)
+                                      type: object
+                                  type: object
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                              x-kubernetes-validations:
+                              - message: At most one of [dynatraceSampler] should
+                                  be set
+                                rule: (has(self.dynatraceSampler)?1:0) <= 1
+                            prometheus:
+                              description: Configures a Prometheus metrics provider.
+                              type: object
+                            sds:
+                              description: |-
+                                Configures an Extension Provider for SDS. This can be used to
+                                configure an external SDS service to supply secrets for certain Gateways for example.
+                                This is useful for scenarios where the secrets are stored in an external secret store like Vault.
+                                The secret should be configured with sds://provider-name format.
+                              properties:
+                                name:
+                                  description: REQUIRED. Specifies the name of the
+                                    provider. This should be used to configure the
+                                    Gateway SDS.
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the  SDS service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com".
+                                  type: string
+                              required:
+                              - name
+                              - port
+                              - service
+                              type: object
+                            skywalking:
+                              description: Configures a Apache SkyWalking provider.
+                              properties:
+                                accessToken:
+                                  description: Optional. The SkyWalking OAP access
+                                    token.
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service for the SkyWalking receiver.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            stackdriver:
+                              description: Configures a Stackdriver provider.
+                              properties:
+                                debug:
+                                  description: |-
+                                    debug enables trace output to stdout.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  type: boolean
+                                logging:
+                                  description: Optional. Controls Stackdriver logging
+                                    behavior.
+                                  properties:
+                                    labels:
+                                      additionalProperties:
+                                        type: string
+                                      description: "Collection of tag names and tag
+                                        expressions to include in the log\nentry.
+                                        Conflicts are resolved by the tag name by
+                                        overriding previously\nsupplied values.\n\nExample:\n\n\tlabels:\n\t
+                                        \ path: request.url_path\n\t  foo: request.headers['x-foo']"
+                                      type: object
+                                  type: object
+                                maxNumberOfAnnotations:
+                                  description: |-
+                                    The global default max number of annotation events per span.
+                                    default is 200.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  format: int64
+                                  type: integer
+                                maxNumberOfAttributes:
+                                  description: |-
+                                    The global default max number of attributes per span.
+                                    default is 200.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  format: int64
+                                  type: integer
+                                maxNumberOfMessageEvents:
+                                  description: |-
+                                    The global default max number of message events per span.
+                                    default is 200.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  format: int64
+                                  type: integer
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                              type: object
+                            zipkin:
+                              description: Configures a tracing provider that uses
+                                the Zipkin API.
+                              properties:
+                                enable64bitTraceId:
+                                  description: |-
+                                    Optional. A 128 bit trace id will be used in Istio.
+                                    If true, will result in a 64 bit trace id being used.
+                                  type: boolean
+                                headers:
+                                  description: |-
+                                    Optional. Additional HTTP headers to include in the request to the Zipkin collector.
+                                    These headers will be added to the HTTP request when sending spans to the collector.
+                                  items:
+                                    properties:
+                                      envName:
+                                        description: |-
+                                          The HTTP header value from the environment variable.
+
+                                          Warning:
+                                          - The environment variable must be set in the istiod pod spec.
+                                          - This is not a end-to-end secure.
+                                        type: string
+                                      name:
+                                        description: REQUIRED. The HTTP header name.
+                                        type: string
+                                      value:
+                                        description: The HTTP header value.
+                                        type: string
+                                    required:
+                                    - name
+                                    type: object
+                                    x-kubernetes-validations:
+                                    - message: At most one of [value envName] should
+                                        be set
+                                      rule: (has(self.value)?1:0) + (has(self.envName)?1:0)
+                                        <= 1
+                                  type: array
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                path:
+                                  description: |-
+                                    Optional. Specifies the endpoint of Zipkin API.
+                                    The default value is "/api/v2/spans".
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that the Zipkin API.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".
+                                  type: string
+                                timeout:
+                                  description: |-
+                                    Optional. The timeout for the HTTP request to the Zipkin collector.
+                                    If not specified, the default timeout from Envoy's configuration will be used (which is 5 seconds currently).
+                                  type: string
+                                traceContextOption:
+                                  description: |-
+                                    Optional. Determines which trace context format to use for trace header extraction and propagation.
+                                    This controls both downstream request header extraction and upstream request header injection.
+                                    The default value is USE_B3 to maintain backward compatibility.
+                                  enum:
+                                  - USE_B3
+                                  - USE_B3_WITH_W3C_PROPAGATION
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                          required:
+                          - name
+                          type: object
+                          x-kubernetes-validations:
+                          - message: At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc
+                              zipkin lightstep datadog stackdriver opencensus skywalking
+                              opentelemetry prometheus envoyFileAccessLog envoyHttpAls
+                              envoyTcpAls envoyOtelAls sds] should be set
+                            rule: (has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0)
+                              + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0)
+                              + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0)
+                              + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0)
+                              + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0)
+                              + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0)
+                              + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0)
+                              + (has(self.sds)?1:0) <= 1
+                        maxItems: 1000
+                        type: array
+                      h2UpgradePolicy:
+                        description: |-
+                          Specify if http1.1 connections should be upgraded to http2 by default.
+                          if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`.
+                          If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`.
+                          It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override.
+                        enum:
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      hboneIdleTimeout:
+                        description: |-
+                          Idle timeout configured on Envoy proxies for their connection pools to ztunnel via HBONE.
+                          This controls how long Envoy will keep idle connections to ztunnel before closing them.
+                          Note: This setting is applied only on the Envoy proxy side; ztunnel does not use it.
+                          Default timeout is 1 hour (3600s).
+                          For environments with aggressive IP address reuse, it is recommended to set
+                          this to a value less than the CNI IP cooldown period to prevent stale connection reuse.
+                          For example, if your CNI has a 30s cooldown period, setting this to 15s is recommended.
+                        type: string
+                      inboundClusterStatName:
+                        description: |-
+                          Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
+                          network filters like TCP and Redis.
+                          By default, Istio emits statistics with the pattern `inbound|<port>|<port-name>|<service-FQDN>`.
+                          For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern.
+
+                          A Pattern can be composed of various pre-defined variables. The following variables are supported.
+
+                          - `%SERVICE%` - Will be substituted with short hostname of the service.
+                          - `%SERVICE_NAME%` - Will be substituted with name of the service.
+                          - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service.
+                          - `%SERVICE_PORT%` - Will be substituted with port of the service.
+                          - `%TARGET_PORT%`  - Will be substituted with the target port of the service.
+                          - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service.
+
+                          Following are some examples of supported patterns for reviews:
+
+                          - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name.
+                          - `%SERVICE%` will use reviews.prod as the stats name.
+                        type: string
+                      inboundTrafficPolicy:
+                        description: |-
+                          Set the default behavior of the sidecar for handling inbound
+                          traffic to the application.  If your application listens on
+                          localhost, you will need to set this to `LOCALHOST`.
+                        properties:
+                          mode:
+                            enum:
+                            - PASSTHROUGH
+                            - LOCALHOST
+                            type: string
+                        type: object
+                      ingressClass:
+                        description: |-
+                          Class of ingress resources to be processed by Istio ingress
+                          controller. This corresponds to the value of
+                          `kubernetes.io/ingress.class` annotation.
+                        type: string
+                      ingressControllerMode:
+                        description: |-
+                          Defines whether to use Istio ingress controller for annotated or all ingress resources.
+                          Default mode is `STRICT`.
+                        enum:
+                        - UNSPECIFIED
+                        - "OFF"
+                        - DEFAULT
+                        - STRICT
+                        type: string
+                      ingressSelector:
+                        description: |-
+                          Defines which gateway deployment to use as the Ingress controller. This field corresponds to
+                          the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`.
+                          By default, `ingressgateway` is used, which will select the default IngressGateway as it has the
+                          `istio: ingressgateway` labels.
+                          It is recommended that this is the same value as ingressService.
+                        type: string
+                      ingressService:
+                        description: |-
+                          Name of the Kubernetes service used for the istio ingress controller.
+                          If no ingress controller is specified, the default value `istio-ingressgateway` is used.
+                        type: string
+                      localityLbSetting:
+                        description: |-
+                          Locality based load balancing distribution or failover settings.
+                          If unspecified, locality based load balancing will be enabled by default.
+                          However, this requires outlierDetection to actually take effect for a particular
+                          service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/
+                        properties:
+                          distribute:
+                            description: |-
+                              Optional: only one of distribute, failover or failoverPriority can be set.
+                              Explicitly specify loadbalancing weight across different zones and geographical locations.
+                              Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight)
+                              If empty, the locality weight is set according to the endpoints number within it.
+                            items:
+                              description: |-
+                                Describes how traffic originating in the 'from' zone or sub-zone is
+                                distributed over a set of 'to' zones. Syntax for specifying a zone is
+                                {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
+                                segment of the specification. Examples:
+
+                                `*` - matches all localities
+
+                                `us-west/*` - all zones and sub-zones within the us-west region
+
+                                `us-west/zone-1/*` - all sub-zones within us-west/zone-1
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g. 'region/zone/sub_zone'.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    format: int32
+                                    type: integer
+                                  description: |-
+                                    Map of upstream localities to traffic distribution weights. The sum of
+                                    all weights should be 100. Any locality not present will
+                                    receive no traffic.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: |-
+                              Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety.
+                              e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.
+                            type: boolean
+                          failover:
+                            description: |-
+                              Optional: only one of distribute, failover or failoverPriority can be set.
+                              Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
+                              Should be used together with OutlierDetection to detect unhealthy endpoints.
+                              Note: if no OutlierDetection specified, this will not take effect.
+                            items:
+                              description: |-
+                                Specify the traffic failover policy across regions. Since zone and sub-zone
+                                failover is supported by default this only needs to be specified for
+                                regions when the operator needs to constrain traffic failover so that
+                                the default behavior of failing over to any endpoint globally does not
+                                apply. This is useful when failing over traffic across regions would not
+                                improve service health or may need to be restricted for other reasons
+                                like regulatory controls.
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: |-
+                                    Destination region the traffic will fail over to when endpoints in
+                                    the 'from' region becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: |-
+                              failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
+                              This is to support traffic failover across different groups of endpoints.
+                              Two kinds of labels can be specified:
+
+                                - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints.
+                                  Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified:
+
+                                  1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
+                                  2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
+                                  3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
+                                  4. All the other endpoints have priority P(N) i.e. lowest priority.
+
+                                - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints.
+                                  Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified:
+
+                                  1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
+                                  2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
+                                  3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
+                                  4. All the other endpoints have priority P(N) i.e. lowest priority.
+
+                              Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.
+
+                              It can be any label specified on both client and server workloads.
+                              The following labels which have special semantic meaning are also supported:
+
+                                - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks.
+                                - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`.
+                                - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`.
+                                - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`.
+                                - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`.
+                                - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`.
+
+                              The below topology config indicates the following priority levels:
+
+                              ```yaml
+                              failoverPriority:
+                              - "topology.istio.io/network"
+                              - "topology.kubernetes.io/region"
+                              - "topology.kubernetes.io/zone"
+                              - "topology.istio.io/subzone"
+                              ```
+
+                              1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
+                              2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
+                              3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
+                              4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
+                              5. all the other endpoints have the same lowest priority.
+
+                              Suppose a service associated endpoints reside in multi clusters, the below example represents:
+                              1. endpoints in `clusterA` and has `version=v1` label have P(0) priority.
+                              2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority.
+                              2. all the other endpoints have P(2) priority.
+
+                              ```yaml
+                              failoverPriority:
+                              - "version=v1"
+                              - "topology.istio.io/cluster=clusterA"
+                              ```
+
+                              Optional: only one of distribute, failover or failoverPriority can be set.
+                              And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      meshMTLS:
+                        description: "The below configuration parameters can be used
+                          to specify TLSConfig for mesh traffic.\nFor example, a user
+                          could enable min TLS version for ISTIO_MUTUAL traffic and
+                          specify a curve for non ISTIO_MUTUAL traffic like below:\n```yaml\nmeshConfig:\n\n\tmeshMTLS:\n\t
+                          \ minProtocolVersion: TLSV1_3\n\ttlsDefaults:\n\t  Note:
+                          applicable only for non ISTIO_MUTUAL scenarios\n\t  ecdhCurves:\n\t
+                          \   - P-256\n\t    - P-512\n\n```\nConfiguration of mTLS
+                          for traffic between workloads with ISTIO_MUTUAL TLS traffic.\n\nNote:
+                          Mesh mTLS does not respect ECDH curves."
+                        properties:
+                          cipherSuites:
+                            description: |-
+                              Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
+                              If not specified, the following cipher suites will be used:
+                              ```
+                              ECDHE-ECDSA-AES256-GCM-SHA384
+                              ECDHE-RSA-AES256-GCM-SHA384
+                              ECDHE-ECDSA-AES128-GCM-SHA256
+                              ECDHE-RSA-AES128-GCM-SHA256
+                              AES256-GCM-SHA384
+                              AES128-GCM-SHA256
+                              ```
+                            items:
+                              type: string
+                            type: array
+                          ecdhCurves:
+                            description: |-
+                              Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
+                              If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
+                              [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto).
+                            items:
+                              type: string
+                            type: array
+                          minProtocolVersion:
+                            description: |-
+                              Optional: the minimum TLS protocol version. The default minimum
+                              TLS version will be TLS 1.2. As servers may not be Envoy and be
+                              set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
+                              minimum TLS version for clients may also be TLS 1.2.
+                              In the current Istio implementation, the maximum TLS protocol version
+                              is TLS 1.3.
+                            enum:
+                            - TLS_AUTO
+                            - TLSV1_2
+                            - TLSV1_3
+                            type: string
+                        type: object
+                      outboundClusterStatName:
+                        description: |-
+                          Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
+                          network filters like TCP and Redis.
+                          By default, Istio emits statistics with the pattern `outbound|<port>|<subsetname>|<service-FQDN>`.
+                          For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern.
+
+                          A Pattern can be composed of various pre-defined variables. The following variables are supported.
+
+                          - `%SERVICE%` - Will be substituted with short hostname of the service.
+                          - `%SERVICE_NAME%` - Will be substituted with name of the service.
+                          - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service.
+                          - `%SERVICE_PORT%` - Will be substituted with port of the service.
+                          - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service.
+                          - `%SUBSET_NAME%` - Will be substituted with subset.
+
+                          Following are some examples of supported patterns for reviews:
+
+                          - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name.
+                          - `%SERVICE%` will use reviews.prod as the stats name.
+                        type: string
+                      outboundTrafficPolicy:
+                        description: |-
+                          Set the default behavior of the sidecar for handling outbound
+                          traffic from the application.
+
+                          Can be overridden at a Sidecar level by setting the `OutboundTrafficPolicy` in the
+                          [Sidecar API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy).
+
+                          Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed.
+                        properties:
+                          mode:
+                            enum:
+                            - REGISTRY_ONLY
+                            - ALLOW_ANY
+                            type: string
+                        type: object
+                      pathNormalization:
+                        description: |-
+                          ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
+                          normalized by the sidecars and gateways.
+                          The normalized paths will be used in all aspects through the requests' lifetime on the
+                          sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
+                          authorization policy match and enforcement in inbound direction (server proxy), and the URL
+                          path proxied to the upstream service.
+                          If not set, the NormalizationType.DEFAULT configuration will be used.
+                        properties:
+                          normalization:
+                            enum:
+                            - DEFAULT
+                            - NONE
+                            - BASE
+                            - MERGE_SLASHES
+                            - DECODE_AND_MERGE_SLASHES
+                            type: string
+                        type: object
+                      protocolDetectionTimeout:
+                        description: |-
+                          Automatic protocol detection uses a set of heuristics to
+                          determine whether the connection is using TLS or not (on the
+                          server side), as well as the application protocol being used
+                          (e.g., http vs tcp). These heuristics rely on the client sending
+                          the first bits of data. For server first protocols like MySQL,
+                          MongoDB, etc. Envoy will timeout on the protocol detection after
+                          the specified period, defaulting to non mTLS plain TCP
+                          traffic. Set this field to tweak the period that Envoy will wait
+                          for the client to send the first bits of data. (MUST be >=1ms or
+                          0s to disable). Default detection timeout is 0s (no timeout).
+
+                          Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit
+                          occasionally, and when they occur the result is typically broken traffic that may not
+                          recover on its own. Exceptionally high values might solve this, but injecting 60s delays
+                          onto new connections is generally not tenable anyways.
+                        type: string
+                      proxyHttpPort:
+                        description: Port on which Envoy should listen for HTTP PROXY
+                          requests if set.
+                        format: int32
+                        type: integer
+                      proxyInboundListenPort:
+                        description: |-
+                          Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to.
+                          Default port is 15006.
+                        format: int32
+                        type: integer
+                      proxyListenPort:
+                        description: |-
+                          Port on which Envoy should listen for all outbound traffic to other services.
+                          Default port is 15001.
+                        format: int32
+                        type: integer
+                      rootNamespace:
+                        description: |-
+                          The namespace to treat as the administrative root namespace for
+                          Istio configuration. When processing a leaf namespace Istio will search for
+                          declarations in that namespace first and if none are found it will
+                          search in the root namespace. Any matching declaration found in the root
+                          namespace is processed as if it were declared in the leaf namespace.
+
+                          The precise semantics of this processing are documented on each resource
+                          type.
+                        type: string
+                      serviceScopeConfigs:
+                        description: Scope to be applied to select services.
+                        items:
+                          description: |-
+                            Configuration for ambient mode multicluster service scope. This setting allows mesh administrators
+                            to define the criteria by which the cluster's control plane determines which services in other
+                            clusters in the mesh are treated as global (accessible across multiple clusters) versus local
+                            (restricted to a single cluster). The configuration can be applied to services based on namespace
+                            and/or other matching criteria. This is particularly  useful in multicluster service mesh deployments
+                            to control service visibility and access across clusters. This API is not intended to enforce
+                            security policies. Resources like DestinationRules should be used to enforce authorization policies.
+                            If a service matches a global service scope selector, the service's endpoints will be globally
+                            exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster
+                            services.
+
+                            For example, the following configures the scope of all services with the "istio.io/global" label
+                            in matching namespaces to be available globally:
+
+                            ```yaml
+                            serviceScopeConfigs:
+                              - namespacesSelector:
+                                matchExpressions:
+                              - key: istio.io/global
+                                operator: In
+                                values: [true]
+                                servicesSelector:
+                                matchExpressions:
+                              - key: istio.io/global
+                                operator: Exists
+                                scope: GLOBAL
+
+                            ```
+                          properties:
+                            namespaceSelector:
+                              description: Match expression for namespaces.
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label
+                                    selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: |-
+                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                      relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the
+                                          selector applies to.
+                                        type: string
+                                      operator:
+                                        description: |-
+                                          operator represents a key's relationship to a set of values.
+                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: |-
+                                          values is an array of string values. If the operator is In or NotIn,
+                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                          the values array must be empty. This array is replaced during a strategic
+                                          merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                  type: object
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            scope:
+                              description: Specifics the available scope for matching
+                                services.
+                              enum:
+                              - LOCAL
+                              - GLOBAL
+                              type: string
+                            servicesSelector:
+                              description: Match expression for serivces.
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label
+                                    selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: |-
+                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                      relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the
+                                          selector applies to.
+                                        type: string
+                                      operator:
+                                        description: |-
+                                          operator represents a key's relationship to a set of values.
+                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: |-
+                                          values is an array of string values. If the operator is In or NotIn,
+                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                          the values array must be empty. This array is replaced during a strategic
+                                          merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                  type: object
+                              type: object
+                              x-kubernetes-map-type: atomic
+                          type: object
+                        type: array
+                      serviceSettings:
+                        description: Settings to be applied to select services.
+                        items:
+                          description: |-
+                            Settings to be applied to select services.
+
+                            For example, the following configures all services in namespace "foo" as well as the
+                            "bar" service in namespace "baz" to be considered cluster-local:
+
+                            ```yaml
+                            serviceSettings:
+                              - settings:
+                                clusterLocal: true
+                                hosts:
+                              - "*.foo.svc.cluster.local"
+                              - "bar.baz.svc.cluster.local"
+
+                            ```
+
+                            When in ambient mode, if ServiceSettings are defined they will be considered in addition to the
+                            ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a
+                            global service scope selector, the service will be considered cluster local. If a service is
+                            considered global by ServiceSettings and does not match a global service scope selector
+                            the serive will be considered local. Local scope takes precedence over global scope. Since
+                            ServiceScopeConfigs is local by default, all services are considered local unless it is considered
+                            global by ServiceSettings AND ServiceScopeConfigs.
+                          properties:
+                            hosts:
+                              description: |-
+                                The services to which the Settings should be applied. Services are selected using the hostname
+                                matching rules used by DestinationRule.
+
+                                For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local
+                              items:
+                                type: string
+                              type: array
+                            settings:
+                              description: The settings to apply to the selected services.
+                              properties:
+                                clusterLocal:
+                                  description: |-
+                                    If true, specifies that the client and service endpoints must reside in the same cluster.
+                                    By default, in multi-cluster deployments, the Istio control plane assumes all service
+                                    endpoints to be reachable from any client in any of the clusters which are part of the
+                                    mesh. This configuration option limits the set of service endpoints visible to a client
+                                    to be cluster scoped.
+
+                                    There are some common scenarios when this can be useful:
+
+                                      - A service (or group of services) is inherently local to the cluster and has local storage
+                                        for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
+                                      - A mesh administrator wants to slowly migrate services to Istio. They might start by first
+                                        having services cluster-local and then slowly transition them to mesh-wide. They could do
+                                        this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
+                                        (e.g. *.myns.svc.cluster.local).
+
+                                    By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
+                                    services in the kube-system namespace to be cluster-local, unless explicitly overridden here.
+                                  type: boolean
+                              type: object
+                          type: object
+                        type: array
+                      tcpKeepalive:
+                        description: If set then set `SO_KEEPALIVE` on the socket
+                          to enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: |-
+                              The time duration between keep-alive probes.
+                              Default is to use the OS level configuration
+                              (unless overridden, Linux defaults to 75s.)
+                            type: string
+                          probes:
+                            description: |-
+                              Maximum number of keepalive probes to send without response before
+                              deciding the connection is dead. Default is to use the OS level configuration
+                              (unless overridden, Linux defaults to 9.)
+                            format: int32
+                            type: integer
+                          time:
+                            description: |-
+                              The time duration a connection needs to be idle before keep-alive
+                              probes start being sent. Default is to use the OS level configuration
+                              (unless overridden, Linux defaults to 7200s (ie 2 hours.)
+                            type: string
+                        type: object
+                      tlsDefaults:
+                        description: |-
+                          Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
+                          For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.
+                        properties:
+                          cipherSuites:
+                            description: |-
+                              Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
+                              If not specified, the following cipher suites will be used:
+                              ```
+                              ECDHE-ECDSA-AES256-GCM-SHA384
+                              ECDHE-RSA-AES256-GCM-SHA384
+                              ECDHE-ECDSA-AES128-GCM-SHA256
+                              ECDHE-RSA-AES128-GCM-SHA256
+                              AES256-GCM-SHA384
+                              AES128-GCM-SHA256
+                              ```
+                            items:
+                              type: string
+                            type: array
+                          ecdhCurves:
+                            description: |-
+                              Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
+                              If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
+                              [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto).
+                            items:
+                              type: string
+                            type: array
+                          minProtocolVersion:
+                            description: |-
+                              Optional: the minimum TLS protocol version. The default minimum
+                              TLS version will be TLS 1.2. As servers may not be Envoy and be
+                              set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
+                              minimum TLS version for clients may also be TLS 1.2.
+                              In the current Istio implementation, the maximum TLS protocol version
+                              is TLS 1.3.
+                            enum:
+                            - TLS_AUTO
+                            - TLSV1_2
+                            - TLSV1_3
+                            type: string
+                        type: object
+                      trustDomain:
+                        description: |-
+                          The trust domain corresponds to the trust root of a system.
+                          Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain)
+                        type: string
+                      trustDomainAliases:
+                        description: |-
+                          The trust domain aliases represent the aliases of `trustDomain`.
+                          For example, if we have
+                          ```yaml
+                          trustDomain: td1
+                          trustDomainAliases: ["td2", "td3"]
+                          ```
+                          Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`,
+                          or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh.
+                        items:
+                          type: string
+                        type: array
+                      verifyCertificateAtClient:
+                        description: |-
+                          `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation
+                          at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination
+                          modes are used. This setting can be overridden at the host level via DestinationRule API.
+                          By default, `VerifyCertificateAtClient` is `true`.
+
+                          `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset,
+                          and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and
+                          `VerifyCertificateAtClient` is false, proxy will not verify the CA.
+
+                          `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset,
+                          and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs.
+                          If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs.
+
+                          For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level
+                          wildcard if the specified host in DestinationRule doesn't contain a wildcard.
+                          For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will
+                          match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate.
+                          For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example,
+                          if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches
+                          `.x.y.com` suffix.
+
+                          Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                        type: boolean
+                    type: object
+                  pilot:
+                    description: Configuration for the Pilot component.
+                    properties:
+                      affinity:
+                        description: K8s affinity to set on the Pilot Pods.
+                        properties:
+                          nodeAffinity:
+                            description: Describes node affinity scheduling rules
+                              for the pod.
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node matches the corresponding matchExpressions; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: |-
+                                    An empty preferred scheduling term matches all objects with implicit weight 0
+                                    (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+                                  properties:
+                                    preference:
+                                      description: A node selector term, associated
+                                        with the corresponding weight.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    weight:
+                                      description: Weight associated with matching
+                                        the corresponding nodeSelectorTerm, in the
+                                        range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - preference
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to an update), the system
+                                  may or may not try to eventually evict the pod from its node.
+                                properties:
+                                  nodeSelectorTerms:
+                                    description: Required. A list of node selector
+                                      terms. The terms are ORed.
+                                    items:
+                                      description: |-
+                                        A null or empty node selector term matches no objects. The requirements of
+                                        them are ANDed.
+                                        The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - nodeSelectorTerms
+                                type: object
+                                x-kubernetes-map-type: atomic
+                            type: object
+                          podAffinity:
+                            description: Describes pod affinity scheduling rules (e.g.
+                              co-locate this pod in the same node, zone, etc. as some
+                              other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          podAntiAffinity:
+                            description: Describes pod anti-affinity scheduling rules
+                              (e.g. avoid putting this pod in the same node, zone,
+                              etc. as some other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the anti-affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling anti-affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and subtracting
+                                  "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the anti-affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the anti-affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                        type: object
+                      autoscaleBehavior:
+                        description: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
+                        properties:
+                          scaleDown:
+                            description: |-
+                              scaleDown is scaling policy for scaling Down.
+                              If not set, the default value is to allow to scale down to minReplicas pods, with a
+                              300 second stabilization window (i.e., the highest recommendation for
+                              the last 300sec is used).
+                            properties:
+                              policies:
+                                description: |-
+                                  policies is a list of potential scaling polices which can be used during scaling.
+                                  If not set, use the default values:
+                                  - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+                                  - For scale down: allow all pods to be removed in a 15s window.
+                                items:
+                                  description: HPAScalingPolicy is a single policy
+                                    which must hold true for a specified past interval.
+                                  properties:
+                                    periodSeconds:
+                                      description: |-
+                                        periodSeconds specifies the window of time for which the policy should hold true.
+                                        PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+                                      format: int32
+                                      type: integer
+                                    type:
+                                      description: type is used to specify the scaling
+                                        policy.
+                                      type: string
+                                    value:
+                                      description: |-
+                                        value contains the amount of change which is permitted by the policy.
+                                        It must be greater than zero
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - periodSeconds
+                                  - type
+                                  - value
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              selectPolicy:
+                                description: |-
+                                  selectPolicy is used to specify which policy should be used.
+                                  If not set, the default value Max is used.
+                                type: string
+                              stabilizationWindowSeconds:
+                                description: |-
+                                  stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+                                  considered while scaling up or scaling down.
+                                  StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+                                  If not set, use the default values:
+                                  - For scale up: 0 (i.e. no stabilization is done).
+                                  - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+                                format: int32
+                                type: integer
+                              tolerance:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  tolerance is the tolerance on the ratio between the current and desired
+                                  metric value under which no updates are made to the desired number of
+                                  replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+                                  set, the default cluster-wide tolerance is applied (by default 10%).
+
+                                  For example, if autoscaling is configured with a memory consumption target of 100Mi,
+                                  and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+                                  triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+
+                                  This is an beta field and requires the HPAConfigurableTolerance feature
+                                  gate to be enabled.
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                            type: object
+                          scaleUp:
+                            description: |-
+                              scaleUp is scaling policy for scaling Up.
+                              If not set, the default value is the higher of:
+                                * increase no more than 4 pods per 60 seconds
+                                * double the number of pods per 60 seconds
+                              No stabilization is used.
+                            properties:
+                              policies:
+                                description: |-
+                                  policies is a list of potential scaling polices which can be used during scaling.
+                                  If not set, use the default values:
+                                  - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+                                  - For scale down: allow all pods to be removed in a 15s window.
+                                items:
+                                  description: HPAScalingPolicy is a single policy
+                                    which must hold true for a specified past interval.
+                                  properties:
+                                    periodSeconds:
+                                      description: |-
+                                        periodSeconds specifies the window of time for which the policy should hold true.
+                                        PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+                                      format: int32
+                                      type: integer
+                                    type:
+                                      description: type is used to specify the scaling
+                                        policy.
+                                      type: string
+                                    value:
+                                      description: |-
+                                        value contains the amount of change which is permitted by the policy.
+                                        It must be greater than zero
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - periodSeconds
+                                  - type
+                                  - value
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              selectPolicy:
+                                description: |-
+                                  selectPolicy is used to specify which policy should be used.
+                                  If not set, the default value Max is used.
+                                type: string
+                              stabilizationWindowSeconds:
+                                description: |-
+                                  stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+                                  considered while scaling up or scaling down.
+                                  StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+                                  If not set, use the default values:
+                                  - For scale up: 0 (i.e. no stabilization is done).
+                                  - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+                                format: int32
+                                type: integer
+                              tolerance:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  tolerance is the tolerance on the ratio between the current and desired
+                                  metric value under which no updates are made to the desired number of
+                                  replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+                                  set, the default cluster-wide tolerance is applied (by default 10%).
+
+                                  For example, if autoscaling is configured with a memory consumption target of 100Mi,
+                                  and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+                                  triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+
+                                  This is an beta field and requires the HPAConfigurableTolerance feature
+                                  gate to be enabled.
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                            type: object
+                        type: object
+                      autoscaleEnabled:
+                        description: Controls whether a HorizontalPodAutoscaler is
+                          installed for Pilot.
+                        type: boolean
+                      autoscaleMax:
+                        description: Maximum number of replicas in the HorizontalPodAutoscaler
+                          for Pilot.
+                        format: int32
+                        type: integer
+                      autoscaleMin:
+                        description: Minimum number of replicas in the HorizontalPodAutoscaler
+                          for Pilot.
+                        format: int32
+                        type: integer
+                      cni:
+                        description: Configures whether to use an existing CNI installation
+                          for workloads
+                        properties:
+                          enabled:
+                            description: Controls whether CNI should be used.
+                            type: boolean
+                          provider:
+                            description: |-
+                              Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation
+                              `k8s.v1.cni.cncf.io/networks` is set on injected pods to point to a NetworkAttachmentDefinition
+                            type: string
+                        type: object
+                      configMap:
+                        description: |-
+                          Configuration settings passed to Pilot as a ConfigMap.
+
+                          This controls whether the mesh config map, generated from values.yaml is generated.
+                          If false, pilot wil use default values or user-supplied values, in that order of preference.
+                        type: boolean
+                      cpu:
+                        description: |-
+                          Target CPU utilization used in HorizontalPodAutoscaler.
+
+                          See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          targetAverageUtilization:
+                            description: |-
+                              K8s utilization setting for HorizontalPodAutoscaler target.
+
+                              See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+                            format: int32
+                            type: integer
+                        type: object
+                      crlConfigMapName:
+                        description: Select a custom name for istiod's plugged-in
+                          CA CRL ConfigMap.
+                        type: string
+                      deploymentLabels:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          Labels that are added to Pilot deployment.
+
+                          See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+                        type: object
+                      enabled:
+                        description: Controls whether Pilot is enabled.
+                        type: boolean
+                      env:
+                        additionalProperties:
+                          type: string
+                        description: "Environment variables passed to the Pilot container.\n\nExamples:\nenv:\n\n\tENV_VAR_1:
+                          value1\n\tENV_VAR_2: value2"
+                        type: object
+                      envVarFrom:
+                        description: Configuration for the istio-discovery chart
+                        items:
+                          description: EnvVar represents an environment variable present
+                            in a Container.
+                          properties:
+                            name:
+                              description: |-
+                                Name of the environment variable.
+                                May consist of any printable ASCII characters except '='.
+                              type: string
+                            value:
+                              description: |-
+                                Variable references $(VAR_NAME) are expanded
+                                using the previously defined environment variables in the container and
+                                any service environment variables. If a variable cannot be resolved,
+                                the reference in the input string will be unchanged. Double $$ are reduced
+                                to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+                                "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+                                Escaped references will never be expanded, regardless of whether the variable
+                                exists or not.
+                                Defaults to "".
+                              type: string
+                            valueFrom:
+                              description: Source for the environment variable's value.
+                                Cannot be used if value is not empty.
+                              properties:
+                                configMapKeyRef:
+                                  description: Selects a key of a ConfigMap.
+                                  properties:
+                                    key:
+                                      description: The key to select.
+                                      type: string
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                    optional:
+                                      description: Specify whether the ConfigMap or
+                                        its key must be defined
+                                      type: boolean
+                                  required:
+                                  - key
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                fieldRef:
+                                  description: |-
+                                    Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
+                                    spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+                                  properties:
+                                    apiVersion:
+                                      description: Version of the schema the FieldPath
+                                        is written in terms of, defaults to "v1".
+                                      type: string
+                                    fieldPath:
+                                      description: Path of the field to select in
+                                        the specified API version.
+                                      type: string
+                                  required:
+                                  - fieldPath
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                fileKeyRef:
+                                  description: |-
+                                    FileKeyRef selects a key of the env file.
+                                    Requires the EnvFiles feature gate to be enabled.
+                                  properties:
+                                    key:
+                                      description: |-
+                                        The key within the env file. An invalid key will prevent the pod from starting.
+                                        The keys defined within a source may consist of any printable ASCII characters except '='.
+                                        During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                      type: string
+                                    optional:
+                                      default: false
+                                      description: |-
+                                        Specify whether the file or its key must be defined. If the file or key
+                                        does not exist, then the env var is not published.
+                                        If optional is set to true and the specified key does not exist,
+                                        the environment variable will not be set in the Pod's containers.
+
+                                        If optional is set to false and the specified key does not exist,
+                                        an error will be returned during Pod creation.
+                                      type: boolean
+                                    path:
+                                      description: |-
+                                        The path within the volume from which to select the file.
+                                        Must be relative and may not contain the '..' path or start with '..'.
+                                      type: string
+                                    volumeName:
+                                      description: The name of the volume mount containing
+                                        the env file.
+                                      type: string
+                                  required:
+                                  - key
+                                  - path
+                                  - volumeName
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                resourceFieldRef:
+                                  description: |-
+                                    Selects a resource of the container: only resources limits and requests
+                                    (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+                                  properties:
+                                    containerName:
+                                      description: 'Container name: required for volumes,
+                                        optional for env vars'
+                                      type: string
+                                    divisor:
+                                      anyOf:
+                                      - type: integer
+                                      - type: string
+                                      description: Specifies the output format of
+                                        the exposed resources, defaults to "1"
+                                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                      x-kubernetes-int-or-string: true
+                                    resource:
+                                      description: 'Required: resource to select'
+                                      type: string
+                                  required:
+                                  - resource
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                secretKeyRef:
+                                  description: Selects a key of a secret in the pod's
+                                    namespace
+                                  properties:
+                                    key:
+                                      description: The key of the secret to select
+                                        from.  Must be a valid secret key.
+                                      type: string
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                    optional:
+                                      description: Specify whether the Secret or its
+                                        key must be defined
+                                      type: boolean
+                                  required:
+                                  - key
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                              type: object
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      extraContainerArgs:
+                        description: Additional container arguments for the Pilot
+                          container.
+                        items:
+                          type: string
+                        type: array
+                      hub:
+                        description: Hub to pull the container image from. Image will
+                          be `Hub/Image:Tag-Variant`.
+                        type: string
+                      image:
+                        description: |-
+                          Image name used for Pilot.
+
+                          This can be set either to image name if hub is also set, or can be set to the full hub:name string.
+
+                          Examples: custom-pilot, docker.io/someuser:custom-pilot
+                        type: string
+                      ipFamilies:
+                        description: |-
+                          Defines which IP family to use for single stack or the order of IP families for dual-stack.
+                          Valid list items are "IPv4", "IPv6".
+                          More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+                        items:
+                          type: string
+                        type: array
+                      ipFamilyPolicy:
+                        description: |-
+                          Controls whether Services are configured to use IPv4, IPv6, or both. Valid options
+                          are PreferDualStack, RequireDualStack, and SingleStack.
+                          More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+                        type: string
+                      istiodRemote:
+                        description: Configuration for the istio-discovery chart when
+                          istiod is running in a remote cluster (e.g. "remote control
+                          plane").
+                        properties:
+                          enabled:
+                            description: Indicates if this cluster/install should
+                              consume a "remote" istiod instance,
+                            type: boolean
+                          enabledLocalInjectorIstiod:
+                            description: |-
+                              If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+                              local istiod inject sidecars
+                            type: boolean
+                          injectionCABundle:
+                            description: injector ca bundle
+                            type: string
+                          injectionPath:
+                            description: Path to use for the sidecar injector webhook
+                              service.
+                            type: string
+                          injectionURL:
+                            description: URL to use for sidecar injector webhook.
+                            type: string
+                        type: object
+                      jwksResolverExtraRootCA:
+                        description: |-
+                          Specifies an extra root certificate in PEM format. This certificate will be trusted
+                          by pilot when resolving JWKS URIs.
+                        type: string
+                      keepaliveMaxServerConnectionAge:
+                        description: |-
+                          Maximum duration that a sidecar can be connected to a pilot.
+
+                          This setting balances out load across pilot instances, but adds some resource overhead.
+
+                          Examples: 300s, 30m, 1h
+                        type: string
+                      memory:
+                        description: |-
+                          Target memory utilization used in HorizontalPodAutoscaler.
+
+                          See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          targetAverageUtilization:
+                            description: |-
+                              K8s utilization setting for HorizontalPodAutoscaler target.
+
+                              See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+                            format: int32
+                            type: integer
+                        type: object
+                      nodeSelector:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          K8s node selector.
+
+                          See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: object
+                      podAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          K8s annotations for pods.
+
+                          See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: object
+                      podLabels:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          Labels that are added to Pilot pods.
+
+                          See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+                        type: object
+                      replicaCount:
+                        description: |-
+                          Number of replicas in the Pilot Deployment.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        format: int32
+                        type: integer
+                      resources:
+                        description: |-
+                          K8s resources settings.
+
+                          See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      rollingMaxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          K8s rolling update strategy
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        x-kubernetes-int-or-string: true
+                      rollingMaxUnavailable:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          The number of pods that can be unavailable during a rolling update (see
+                          `strategy.rollingUpdate.maxUnavailable` here:
+                          https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec).
+                          May be specified as a number of pods or as a percent of the total number
+                          of pods at the start of the update.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        x-kubernetes-int-or-string: true
+                      seccompProfile:
+                        description: |-
+                          The seccompProfile for the Pilot container.
+
+                          See: https://kubernetes.io/docs/tutorials/security/seccomp/
+                        properties:
+                          localhostProfile:
+                            description: |-
+                              localhostProfile indicates a profile defined in a file on the node should be used.
+                              The profile must be preconfigured on the node to work.
+                              Must be a descending path, relative to the kubelet's configured seccomp profile location.
+                              Must be set if type is "Localhost". Must NOT be set for any other type.
+                            type: string
+                          type:
+                            description: |-
+                              type indicates which kind of seccomp profile will be applied.
+                              Valid options are:
+
+                              Localhost - a profile defined in a file on the node should be used.
+                              RuntimeDefault - the container runtime default profile should be used.
+                              Unconfined - no profile should be applied.
+                            type: string
+                        required:
+                        - type
+                        type: object
+                      serviceAccountAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: K8s annotations for the service account
+                        type: object
+                      serviceAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          K8s annotations for the Service.
+
+                          See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+                        type: object
+                      tag:
+                        description: The container image tag to pull. Image will be
+                          `Hub/Image:Tag-Variant`.
+                        type: string
+                      taint:
+                        properties:
+                          enabled:
+                            description: |-
+                              Enable the untaint controller for new nodes. This aims to solve a race for CNI installation on
+                              new nodes. For this to work, the newly added nodes need to have the istio CNI taint as they are
+                              added to the cluster. This is usually done by configuring the cluster infra provider.
+                            type: boolean
+                          namespace:
+                            description: The namespace of the CNI daemonset, incase
+                              it's not the same as istiod.
+                            type: string
+                        type: object
+                      tolerations:
+                        description: |-
+                          The node tolerations to be applied to the Pilot deployment so that it can be
+                          scheduled to particular nodes with matching taints.
+                          More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        items:
+                          description: |-
+                            The pod this Toleration is attached to tolerates any taint that matches
+                            the triple <key,value,effect> using the matching operator <operator>.
+                          properties:
+                            effect:
+                              description: |-
+                                Effect indicates the taint effect to match. Empty means match all taint effects.
+                                When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: |-
+                                Key is the taint key that the toleration applies to. Empty means match all taint keys.
+                                If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                              type: string
+                            operator:
+                              description: |-
+                                Operator represents a key's relationship to the value.
+                                Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+                                Exists is equivalent to wildcard for value, so that a pod can
+                                tolerate all taints of a particular category.
+                                Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+                              type: string
+                            tolerationSeconds:
+                              description: |-
+                                TolerationSeconds represents the period of time the toleration (which must be
+                                of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+                                it is not set, which means tolerate the taint forever (do not evict). Zero and
+                                negative values will be treated as 0 (evict immediately) by the system.
+                              format: int64
+                              type: integer
+                            value:
+                              description: |-
+                                Value is the taint value the toleration matches to.
+                                If the operator is Exists, the value should be empty, otherwise just a regular string.
+                              type: string
+                          type: object
+                        type: array
+                      topologySpreadConstraints:
+                        description: The k8s topologySpreadConstraints for the Pilot
+                          pods.
+                        items:
+                          description: TopologySpreadConstraint specifies how to spread
+                            matching pods among the given topology.
+                          properties:
+                            labelSelector:
+                              description: |-
+                                LabelSelector is used to find matching pods.
+                                Pods that match this label selector are counted to determine the number of pods
+                                in their corresponding topology domain.
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label
+                                    selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: |-
+                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                      relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the
+                                          selector applies to.
+                                        type: string
+                                      operator:
+                                        description: |-
+                                          operator represents a key's relationship to a set of values.
+                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: |-
+                                          values is an array of string values. If the operator is In or NotIn,
+                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                          the values array must be empty. This array is replaced during a strategic
+                                          merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                  type: object
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            matchLabelKeys:
+                              description: |-
+                                MatchLabelKeys is a set of pod label keys to select the pods over which
+                                spreading will be calculated. The keys are used to lookup values from the
+                                incoming pod labels, those key-value labels are ANDed with labelSelector
+                                to select the group of existing pods over which spreading will be calculated
+                                for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+                                MatchLabelKeys cannot be set when LabelSelector isn't set.
+                                Keys that don't exist in the incoming pod labels will
+                                be ignored. A null or empty list means only match against labelSelector.
+
+                                This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            maxSkew:
+                              description: |-
+                                MaxSkew describes the degree to which pods may be unevenly distributed.
+                                When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+                                between the number of matching pods in the target topology and the global minimum.
+                                The global minimum is the minimum number of matching pods in an eligible domain
+                                or zero if the number of eligible domains is less than MinDomains.
+                                For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+                                labelSelector spread as 2/2/1:
+                                In this case, the global minimum is 1.
+                                | zone1 | zone2 | zone3 |
+                                |  P P  |  P P  |   P   |
+                                - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+                                scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+                                violate MaxSkew(1).
+                                - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+                                When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+                                to topologies that satisfy it.
+                                It's a required field. Default value is 1 and 0 is not allowed.
+                              format: int32
+                              type: integer
+                            minDomains:
+                              description: |-
+                                MinDomains indicates a minimum number of eligible domains.
+                                When the number of eligible domains with matching topology keys is less than minDomains,
+                                Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+                                And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+                                this value has no effect on scheduling.
+                                As a result, when the number of eligible domains is less than minDomains,
+                                scheduler won't schedule more than maxSkew Pods to those domains.
+                                If value is nil, the constraint behaves as if MinDomains is equal to 1.
+                                Valid values are integers greater than 0.
+                                When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+                                For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+                                labelSelector spread as 2/2/2:
+                                | zone1 | zone2 | zone3 |
+                                |  P P  |  P P  |  P P  |
+                                The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+                                In this situation, new pod with the same labelSelector cannot be scheduled,
+                                because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+                                it will violate MaxSkew.
+                              format: int32
+                              type: integer
+                            nodeAffinityPolicy:
+                              description: |-
+                                NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+                                when calculating pod topology spread skew. Options are:
+                                - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+                                - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+                                If this value is nil, the behavior is equivalent to the Honor policy.
+                              type: string
+                            nodeTaintsPolicy:
+                              description: |-
+                                NodeTaintsPolicy indicates how we will treat node taints when calculating
+                                pod topology spread skew. Options are:
+                                - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+                                has a toleration, are included.
+                                - Ignore: node taints are ignored. All nodes are included.
+
+                                If this value is nil, the behavior is equivalent to the Ignore policy.
+                              type: string
+                            topologyKey:
+                              description: |-
+                                TopologyKey is the key of node labels. Nodes that have a label with this key
+                                and identical values are considered to be in the same topology.
+                                We consider each <key, value> as a "bucket", and try to put balanced number
+                                of pods into each bucket.
+                                We define a domain as a particular instance of a topology.
+                                Also, we define an eligible domain as a domain whose nodes meet the requirements of
+                                nodeAffinityPolicy and nodeTaintsPolicy.
+                                e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+                                And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+                                It's a required field.
+                              type: string
+                            whenUnsatisfiable:
+                              description: |-
+                                WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+                                the spread constraint.
+                                - DoNotSchedule (default) tells the scheduler not to schedule it.
+                                - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+                                  but giving higher precedence to topologies that would help reduce the
+                                  skew.
+                                A constraint is considered "Unsatisfiable" for an incoming pod
+                                if and only if every possible node assignment for that pod would violate
+                                "MaxSkew" on some topology.
+                                For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+                                labelSelector spread as 3/1/1:
+                                | zone1 | zone2 | zone3 |
+                                | P P P |   P   |   P   |
+                                If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+                                to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+                                MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+                                won't make it *more* imbalanced.
+                                It's a required field.
+                              type: string
+                          required:
+                          - maxSkew
+                          - topologyKey
+                          - whenUnsatisfiable
+                          type: object
+                        type: array
+                      traceSampling:
+                        description: |-
+                          Trace sampling fraction.
+
+                          Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead.
+
+                          Allowed values: 0.0 to 1.0
+                        type: number
+                      trustedZtunnelNamespace:
+                        description: |-
+                          If set, `istiod` will allow connections from trusted node proxy ztunnels
+                          in the provided namespace.
+                        type: string
+                      variant:
+                        description: The container image variant to pull. Options
+                          are "debug" or "distroless". Unset will use the default
+                          for the given version.
+                        type: string
+                      volumeMounts:
+                        description: Additional volumeMounts to add to the Pilot container.
+                        items:
+                          description: VolumeMount describes a mounting of a Volume
+                            within a container.
+                          properties:
+                            mountPath:
+                              description: |-
+                                Path within the container at which the volume should be mounted.  Must
+                                not contain ':'.
+                              type: string
+                            mountPropagation:
+                              description: |-
+                                mountPropagation determines how mounts are propagated from the host
+                                to container and the other way around.
+                                When not set, MountPropagationNone is used.
+                                This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
+                              type: string
+                            name:
+                              description: This must match the Name of a Volume.
+                              type: string
+                            readOnly:
+                              description: |-
+                                Mounted read-only if true, read-write otherwise (false or unspecified).
+                                Defaults to false.
+                              type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
+                            subPath:
+                              description: |-
+                                Path within the volume from which the container's volume should be mounted.
+                                Defaults to "" (volume's root).
+                              type: string
+                            subPathExpr:
+                              description: |-
+                                Expanded path within the volume from which the container's volume should be mounted.
+                                Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+                                Defaults to "" (volume's root).
+                                SubPathExpr and SubPath are mutually exclusive.
+                              type: string
+                          required:
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                      volumes:
+                        description: Additional volumes to add to the Pilot Pod.
+                        items:
+                          description: Volume represents a named volume in a pod that
+                            may be accessed by any container in the pod.
+                          properties:
+                            awsElasticBlockStore:
+                              description: |-
+                                awsElasticBlockStore represents an AWS Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: string
+                                partition:
+                                  description: |-
+                                    partition is the partition in the volume that you want to mount.
+                                    If omitted, the default is to mount by volume name.
+                                    Examples: For volume /dev/sda1, you specify the partition as "1".
+                                    Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+                                  format: int32
+                                  type: integer
+                                readOnly:
+                                  description: |-
+                                    readOnly value true will force the readOnly setting in VolumeMounts.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: boolean
+                                volumeID:
+                                  description: |-
+                                    volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            azureDisk:
+                              description: |-
+                                azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                are redirected to the disk.csi.azure.com CSI driver.
+                              properties:
+                                cachingMode:
+                                  description: 'cachingMode is the Host Caching mode:
+                                    None, Read Only, Read Write.'
+                                  type: string
+                                diskName:
+                                  description: diskName is the Name of the data disk
+                                    in the blob storage
+                                  type: string
+                                diskURI:
+                                  description: diskURI is the URI of data disk in
+                                    the blob storage
+                                  type: string
+                                fsType:
+                                  default: ext4
+                                  description: |-
+                                    fsType is Filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                kind:
+                                  description: 'kind expected values are Shared: multiple
+                                    blob disks per storage account  Dedicated: single
+                                    blob disk per storage account  Managed: azure
+                                    managed data disk (only in managed availability
+                                    set). defaults to shared'
+                                  type: string
+                                readOnly:
+                                  default: false
+                                  description: |-
+                                    readOnly Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                              required:
+                              - diskName
+                              - diskURI
+                              type: object
+                            azureFile:
+                              description: |-
+                                azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                are redirected to the file.csi.azure.com CSI driver.
+                              properties:
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretName:
+                                  description: secretName is the  name of secret that
+                                    contains Azure Storage Account Name and Key
+                                  type: string
+                                shareName:
+                                  description: shareName is the azure share Name
+                                  type: string
+                              required:
+                              - secretName
+                              - shareName
+                              type: object
+                            cephfs:
+                              description: |-
+                                cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
+                              properties:
+                                monitors:
+                                  description: |-
+                                    monitors is Required: Monitors is a collection of Ceph monitors
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                path:
+                                  description: 'path is Optional: Used as the mounted
+                                    root, rather than the full Ceph tree, default
+                                    is /'
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: boolean
+                                secretFile:
+                                  description: |-
+                                    secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: string
+                                secretRef:
+                                  description: |-
+                                    secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                user:
+                                  description: |-
+                                    user is optional: User is the rados user name, default is admin
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: string
+                              required:
+                              - monitors
+                              type: object
+                            cinder:
+                              description: |-
+                                cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                are redirected to the cinder.csi.openstack.org CSI driver.
+                                More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is optional: points to a secret object containing parameters used to connect
+                                    to OpenStack.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                volumeID:
+                                  description: |-
+                                    volumeID used to identify the volume in cinder.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            configMap:
+                              description: configMap represents a configMap that should
+                                populate this volume
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode is optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: |-
+                                    items if unspecified, each key-value pair in the Data field of the referenced
+                                    ConfigMap will be projected into the volume as a file whose name is the
+                                    key and content is the value. If specified, the listed keys will be
+                                    projected into the specified paths, and unlisted keys will not be
+                                    present. If a key is specified which is not present in the ConfigMap,
+                                    the volume setup will error unless it is marked optional. Paths must be
+                                    relative and may not contain the '..' path or start with '..'.
+                                  items:
+                                    description: Maps a string key to a path within
+                                      a volume.
+                                    properties:
+                                      key:
+                                        description: key is the key to project.
+                                        type: string
+                                      mode:
+                                        description: |-
+                                          mode is Optional: mode bits used to set permissions on this file.
+                                          Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: |-
+                                          path is the relative path of the file to map the key to.
+                                          May not be an absolute path.
+                                          May not contain the path element '..'.
+                                          May not start with the string '..'.
+                                        type: string
+                                    required:
+                                    - key
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                name:
+                                  default: ""
+                                  description: |-
+                                    Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                  type: string
+                                optional:
+                                  description: optional specify whether the ConfigMap
+                                    or its keys must be defined
+                                  type: boolean
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            csi:
+                              description: csi (Container Storage Interface) represents
+                                ephemeral storage that is handled by certain external
+                                CSI drivers.
+                              properties:
+                                driver:
+                                  description: |-
+                                    driver is the name of the CSI driver that handles this volume.
+                                    Consult with your admin for the correct name as registered in the cluster.
+                                  type: string
+                                fsType:
+                                  description: |-
+                                    fsType to mount. Ex. "ext4", "xfs", "ntfs".
+                                    If not provided, the empty value is passed to the associated CSI driver
+                                    which will determine the default filesystem to apply.
+                                  type: string
+                                nodePublishSecretRef:
+                                  description: |-
+                                    nodePublishSecretRef is a reference to the secret object containing
+                                    sensitive information to pass to the CSI driver to complete the CSI
+                                    NodePublishVolume and NodeUnpublishVolume calls.
+                                    This field is optional, and  may be empty if no secret is required. If the
+                                    secret object contains more than one secret, all secret references are passed.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                readOnly:
+                                  description: |-
+                                    readOnly specifies a read-only configuration for the volume.
+                                    Defaults to false (read/write).
+                                  type: boolean
+                                volumeAttributes:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    volumeAttributes stores driver-specific properties that are passed to the CSI
+                                    driver. Consult your driver's documentation for supported values.
+                                  type: object
+                              required:
+                              - driver
+                              type: object
+                            downwardAPI:
+                              description: downwardAPI represents downward API about
+                                the pod that should populate this volume
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    Optional: mode bits to use on created files by default. Must be a
+                                    Optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: Items is a list of downward API volume
+                                    file
+                                  items:
+                                    description: DownwardAPIVolumeFile represents
+                                      information to create the file containing the
+                                      pod field
+                                    properties:
+                                      fieldRef:
+                                        description: 'Required: Selects a field of
+                                          the pod: only annotations, labels, name,
+                                          namespace and uid are supported.'
+                                        properties:
+                                          apiVersion:
+                                            description: Version of the schema the
+                                              FieldPath is written in terms of, defaults
+                                              to "v1".
+                                            type: string
+                                          fieldPath:
+                                            description: Path of the field to select
+                                              in the specified API version.
+                                            type: string
+                                        required:
+                                        - fieldPath
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      mode:
+                                        description: |-
+                                          Optional: mode bits used to set permissions on this file, must be an octal value
+                                          between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: 'Required: Path is  the relative
+                                          path name of the file to be created. Must
+                                          not be absolute or contain the ''..'' path.
+                                          Must be utf-8 encoded. The first item of
+                                          the relative path must not start with ''..'''
+                                        type: string
+                                      resourceFieldRef:
+                                        description: |-
+                                          Selects a resource of the container: only resources limits and requests
+                                          (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+                                        properties:
+                                          containerName:
+                                            description: 'Container name: required
+                                              for volumes, optional for env vars'
+                                            type: string
+                                          divisor:
+                                            anyOf:
+                                            - type: integer
+                                            - type: string
+                                            description: Specifies the output format
+                                              of the exposed resources, defaults to
+                                              "1"
+                                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                            x-kubernetes-int-or-string: true
+                                          resource:
+                                            description: 'Required: resource to select'
+                                            type: string
+                                        required:
+                                        - resource
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                    required:
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            emptyDir:
+                              description: |-
+                                emptyDir represents a temporary directory that shares a pod's lifetime.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                              properties:
+                                medium:
+                                  description: |-
+                                    medium represents what type of storage medium should back this directory.
+                                    The default is "" which means to use the node's default medium.
+                                    Must be an empty string (default) or Memory.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                                  type: string
+                                sizeLimit:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  description: |-
+                                    sizeLimit is the total amount of local storage required for this EmptyDir volume.
+                                    The size limit is also applicable for memory medium.
+                                    The maximum usage on memory medium EmptyDir would be the minimum value between
+                                    the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+                                    The default is nil which means that the limit is undefined.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                              type: object
+                            ephemeral:
+                              description: |-
+                                ephemeral represents a volume that is handled by a cluster storage driver.
+                                The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+                                and deleted when the pod is removed.
+
+                                Use this if:
+                                a) the volume is only needed while the pod runs,
+                                b) features of normal volumes like restoring from snapshot or capacity
+                                   tracking are needed,
+                                c) the storage driver is specified through a storage class, and
+                                d) the storage driver supports dynamic volume provisioning through
+                                   a PersistentVolumeClaim (see EphemeralVolumeSource for more
+                                   information on the connection between this volume type
+                                   and PersistentVolumeClaim).
+
+                                Use PersistentVolumeClaim or one of the vendor-specific
+                                APIs for volumes that persist for longer than the lifecycle
+                                of an individual pod.
+
+                                Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+                                be used that way - see the documentation of the driver for
+                                more information.
+
+                                A pod can use both types of ephemeral volumes and
+                                persistent volumes at the same time.
+                              properties:
+                                volumeClaimTemplate:
+                                  description: |-
+                                    Will be used to create a stand-alone PVC to provision the volume.
+                                    The pod in which this EphemeralVolumeSource is embedded will be the
+                                    owner of the PVC, i.e. the PVC will be deleted together with the
+                                    pod.  The name of the PVC will be `<pod name>-<volume name>` where
+                                    `<volume name>` is the name from the `PodSpec.Volumes` array
+                                    entry. Pod validation will reject the pod if the concatenated name
+                                    is not valid for a PVC (for example, too long).
+
+                                    An existing PVC with that name that is not owned by the pod
+                                    will *not* be used for the pod to avoid using an unrelated
+                                    volume by mistake. Starting the pod is then blocked until
+                                    the unrelated PVC is removed. If such a pre-created PVC is
+                                    meant to be used by the pod, the PVC has to updated with an
+                                    owner reference to the pod once the pod exists. Normally
+                                    this should not be necessary, but it may be useful when
+                                    manually reconstructing a broken cluster.
+
+                                    This field is read-only and no changes will be made by Kubernetes
+                                    to the PVC after it has been created.
+
+                                    Required, must not be nil.
+                                  properties:
+                                    metadata:
+                                      description: |-
+                                        May contain labels and annotations that will be copied into the PVC
+                                        when creating it. No other fields are allowed and will be rejected during
+                                        validation.
+                                      type: object
+                                    spec:
+                                      description: |-
+                                        The specification for the PersistentVolumeClaim. The entire content is
+                                        copied unchanged into the PVC that gets created from this
+                                        template. The same fields as in a PersistentVolumeClaim
+                                        are also valid here.
+                                      properties:
+                                        accessModes:
+                                          description: |-
+                                            accessModes contains the desired access modes the volume should have.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        dataSource:
+                                          description: |-
+                                            dataSource field can be used to specify either:
+                                            * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+                                            * An existing PVC (PersistentVolumeClaim)
+                                            If the provisioner or an external controller can support the specified data source,
+                                            it will create a new volume based on the contents of the specified data source.
+                                            When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+                                            and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+                                            If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+                                          properties:
+                                            apiGroup:
+                                              description: |-
+                                                APIGroup is the group for the resource being referenced.
+                                                If APIGroup is not specified, the specified Kind must be in the core API group.
+                                                For any other third-party types, APIGroup is required.
+                                              type: string
+                                            kind:
+                                              description: Kind is the type of resource
+                                                being referenced
+                                              type: string
+                                            name:
+                                              description: Name is the name of resource
+                                                being referenced
+                                              type: string
+                                          required:
+                                          - kind
+                                          - name
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        dataSourceRef:
+                                          description: |-
+                                            dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+                                            volume is desired. This may be any object from a non-empty API group (non
+                                            core object) or a PersistentVolumeClaim object.
+                                            When this field is specified, volume binding will only succeed if the type of
+                                            the specified object matches some installed volume populator or dynamic
+                                            provisioner.
+                                            This field will replace the functionality of the dataSource field and as such
+                                            if both fields are non-empty, they must have the same value. For backwards
+                                            compatibility, when namespace isn't specified in dataSourceRef,
+                                            both fields (dataSource and dataSourceRef) will be set to the same
+                                            value automatically if one of them is empty and the other is non-empty.
+                                            When namespace is specified in dataSourceRef,
+                                            dataSource isn't set to the same value and must be empty.
+                                            There are three important differences between dataSource and dataSourceRef:
+                                            * While dataSource only allows two specific types of objects, dataSourceRef
+                                              allows any non-core object, as well as PersistentVolumeClaim objects.
+                                            * While dataSource ignores disallowed values (dropping them), dataSourceRef
+                                              preserves all values, and generates an error if a disallowed value is
+                                              specified.
+                                            * While dataSource only allows local objects, dataSourceRef allows objects
+                                              in any namespaces.
+                                            (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+                                            (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+                                          properties:
+                                            apiGroup:
+                                              description: |-
+                                                APIGroup is the group for the resource being referenced.
+                                                If APIGroup is not specified, the specified Kind must be in the core API group.
+                                                For any other third-party types, APIGroup is required.
+                                              type: string
+                                            kind:
+                                              description: Kind is the type of resource
+                                                being referenced
+                                              type: string
+                                            name:
+                                              description: Name is the name of resource
+                                                being referenced
+                                              type: string
+                                            namespace:
+                                              description: |-
+                                                Namespace is the namespace of resource being referenced
+                                                Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+                                                (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+                                              type: string
+                                          required:
+                                          - kind
+                                          - name
+                                          type: object
+                                        resources:
+                                          description: |-
+                                            resources represents the minimum resources the volume should have.
+                                            Users are allowed to specify resource requirements
+                                            that are lower than previous value but must still be higher than capacity recorded in the
+                                            status field of the claim.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+                                          properties:
+                                            limits:
+                                              additionalProperties:
+                                                anyOf:
+                                                - type: integer
+                                                - type: string
+                                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                x-kubernetes-int-or-string: true
+                                              description: |-
+                                                Limits describes the maximum amount of compute resources allowed.
+                                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                              type: object
+                                            requests:
+                                              additionalProperties:
+                                                anyOf:
+                                                - type: integer
+                                                - type: string
+                                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                x-kubernetes-int-or-string: true
+                                              description: |-
+                                                Requests describes the minimum amount of compute resources required.
+                                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                              type: object
+                                          type: object
+                                        selector:
+                                          description: selector is a label query over
+                                            volumes to consider for binding.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        storageClassName:
+                                          description: |-
+                                            storageClassName is the name of the StorageClass required by the claim.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+                                          type: string
+                                        volumeAttributesClassName:
+                                          description: |-
+                                            volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                            If specified, the CSI driver will create or update the volume with the attributes defined
+                                            in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                            it can be changed after the claim is created. An empty string or nil value indicates that no
+                                            VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                            this field can be reset to its previous value (including nil) to cancel the modification.
+                                            If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                            set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                            exists.
+                                            More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                          type: string
+                                        volumeMode:
+                                          description: |-
+                                            volumeMode defines what type of volume is required by the claim.
+                                            Value of Filesystem is implied when not included in claim spec.
+                                          type: string
+                                        volumeName:
+                                          description: volumeName is the binding reference
+                                            to the PersistentVolume backing this claim.
+                                          type: string
+                                      type: object
+                                  required:
+                                  - spec
+                                  type: object
+                              type: object
+                            fc:
+                              description: fc represents a Fibre Channel resource
+                                that is attached to a kubelet's host machine and then
+                                exposed to the pod.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                lun:
+                                  description: 'lun is Optional: FC target lun number'
+                                  format: int32
+                                  type: integer
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                targetWWNs:
+                                  description: 'targetWWNs is Optional: FC target
+                                    worldwide names (WWNs)'
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                wwids:
+                                  description: |-
+                                    wwids Optional: FC volume world wide identifiers (wwids)
+                                    Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            flexVolume:
+                              description: |-
+                                flexVolume represents a generic volume resource that is
+                                provisioned/attached using an exec based plugin.
+                                Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
+                              properties:
+                                driver:
+                                  description: driver is the name of the driver to
+                                    use for this volume.
+                                  type: string
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+                                  type: string
+                                options:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'options is Optional: this field holds
+                                    extra command options if any.'
+                                  type: object
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is Optional: secretRef is reference to the secret object containing
+                                    sensitive information to pass to the plugin scripts. This may be
+                                    empty if no secret object is specified. If the secret object
+                                    contains more than one secret, all secrets are passed to the plugin
+                                    scripts.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                              required:
+                              - driver
+                              type: object
+                            flocker:
+                              description: |-
+                                flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
+                              properties:
+                                datasetName:
+                                  description: |-
+                                    datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+                                    should be considered as deprecated
+                                  type: string
+                                datasetUUID:
+                                  description: datasetUUID is the UUID of the dataset.
+                                    This is unique identifier of a Flocker dataset
+                                  type: string
+                              type: object
+                            gcePersistentDisk:
+                              description: |-
+                                gcePersistentDisk represents a GCE Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: string
+                                partition:
+                                  description: |-
+                                    partition is the partition in the volume that you want to mount.
+                                    If omitted, the default is to mount by volume name.
+                                    Examples: For volume /dev/sda1, you specify the partition as "1".
+                                    Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  format: int32
+                                  type: integer
+                                pdName:
+                                  description: |-
+                                    pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: boolean
+                              required:
+                              - pdName
+                              type: object
+                            gitRepo:
+                              description: |-
+                                gitRepo represents a git repository at a particular revision.
+                                Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+                                into the Pod's container.
+                              properties:
+                                directory:
+                                  description: |-
+                                    directory is the target directory name.
+                                    Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
+                                    git repository.  Otherwise, if specified, the volume will contain the git repository in
+                                    the subdirectory with the given name.
+                                  type: string
+                                repository:
+                                  description: repository is the URL
+                                  type: string
+                                revision:
+                                  description: revision is the commit hash for the
+                                    specified revision.
+                                  type: string
+                              required:
+                              - repository
+                              type: object
+                            glusterfs:
+                              description: |-
+                                glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
+                              properties:
+                                endpoints:
+                                  description: endpoints is the endpoint name that
+                                    details Glusterfs topology.
+                                  type: string
+                                path:
+                                  description: |-
+                                    path is the Glusterfs volume path.
+                                    More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+                                    Defaults to false.
+                                    More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                  type: boolean
+                              required:
+                              - endpoints
+                              - path
+                              type: object
+                            hostPath:
+                              description: |-
+                                hostPath represents a pre-existing file or directory on the host
+                                machine that is directly exposed to the container. This is generally
+                                used for system agents or other privileged things that are allowed
+                                to see the host machine. Most containers will NOT need this.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                              properties:
+                                path:
+                                  description: |-
+                                    path of the directory on the host.
+                                    If the path is a symlink, it will follow the link to the real path.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                                  type: string
+                                type:
+                                  description: |-
+                                    type for HostPath Volume
+                                    Defaults to ""
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                                  type: string
+                              required:
+                              - path
+                              type: object
+                            image:
+                              description: |-
+                                image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
+                                The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                              properties:
+                                pullPolicy:
+                                  description: |-
+                                    Policy for pulling OCI objects. Possible values are:
+                                    Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                    Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                    IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                    Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                  type: string
+                                reference:
+                                  description: |-
+                                    Required: Image or artifact reference to be used.
+                                    Behaves in the same way as pod.spec.containers[*].image.
+                                    Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                    More info: https://kubernetes.io/docs/concepts/containers/images
+                                    This field is optional to allow higher level config management to default or override
+                                    container images in workload controllers like Deployments and StatefulSets.
+                                  type: string
+                              type: object
+                            iscsi:
+                              description: |-
+                                iscsi represents an ISCSI Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
+                              properties:
+                                chapAuthDiscovery:
+                                  description: chapAuthDiscovery defines whether support
+                                    iSCSI Discovery CHAP authentication
+                                  type: boolean
+                                chapAuthSession:
+                                  description: chapAuthSession defines whether support
+                                    iSCSI Session CHAP authentication
+                                  type: boolean
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+                                  type: string
+                                initiatorName:
+                                  description: |-
+                                    initiatorName is the custom iSCSI Initiator Name.
+                                    If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+                                    <target portal>:<volume name> will be created for the connection.
+                                  type: string
+                                iqn:
+                                  description: iqn is the target iSCSI Qualified Name.
+                                  type: string
+                                iscsiInterface:
+                                  default: default
+                                  description: |-
+                                    iscsiInterface is the interface Name that uses an iSCSI transport.
+                                    Defaults to 'default' (tcp).
+                                  type: string
+                                lun:
+                                  description: lun represents iSCSI Target Lun number.
+                                  format: int32
+                                  type: integer
+                                portals:
+                                  description: |-
+                                    portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+                                    is other than default (typically TCP ports 860 and 3260).
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                  type: boolean
+                                secretRef:
+                                  description: secretRef is the CHAP Secret for iSCSI
+                                    target and initiator authentication
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                targetPortal:
+                                  description: |-
+                                    targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+                                    is other than default (typically TCP ports 860 and 3260).
+                                  type: string
+                              required:
+                              - iqn
+                              - lun
+                              - targetPortal
+                              type: object
+                            name:
+                              description: |-
+                                name of the volume.
+                                Must be a DNS_LABEL and unique within the pod.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                            nfs:
+                              description: |-
+                                nfs represents an NFS mount on the host that shares a pod's lifetime
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                              properties:
+                                path:
+                                  description: |-
+                                    path that is exported by the NFS server.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the NFS export to be mounted with read-only permissions.
+                                    Defaults to false.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: boolean
+                                server:
+                                  description: |-
+                                    server is the hostname or IP address of the NFS server.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: string
+                              required:
+                              - path
+                              - server
+                              type: object
+                            persistentVolumeClaim:
+                              description: |-
+                                persistentVolumeClaimVolumeSource represents a reference to a
+                                PersistentVolumeClaim in the same namespace.
+                                More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+                              properties:
+                                claimName:
+                                  description: |-
+                                    claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+                                    More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly Will force the ReadOnly setting in VolumeMounts.
+                                    Default false.
+                                  type: boolean
+                              required:
+                              - claimName
+                              type: object
+                            photonPersistentDisk:
+                              description: |-
+                                photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                pdID:
+                                  description: pdID is the ID that identifies Photon
+                                    Controller persistent disk
+                                  type: string
+                              required:
+                              - pdID
+                              type: object
+                            portworxVolume:
+                              description: |-
+                                portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                is on.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fSType represents the filesystem type to mount
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                volumeID:
+                                  description: volumeID uniquely identifies a Portworx
+                                    volume
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            projected:
+                              description: projected items for all in one resources
+                                secrets, configmaps, and downward API
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode are the mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                sources:
+                                  description: |-
+                                    sources is the list of volume projections. Each entry in this list
+                                    handles one source.
+                                  items:
+                                    description: |-
+                                      Projection that may be projected along with other supported volume types.
+                                      Exactly one of these fields must be set.
+                                    properties:
+                                      clusterTrustBundle:
+                                        description: |-
+                                          ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                          of ClusterTrustBundle objects in an auto-updating file.
+
+                                          Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                          ClusterTrustBundle objects can either be selected by name, or by the
+                                          combination of signer name and a label selector.
+
+                                          Kubelet performs aggressive normalization of the PEM contents written
+                                          into the pod filesystem.  Esoteric PEM features such as inter-block
+                                          comments and block headers are stripped.  Certificates are deduplicated.
+                                          The ordering of certificates within the file is arbitrary, and Kubelet
+                                          may change the order over time.
+                                        properties:
+                                          labelSelector:
+                                            description: |-
+                                              Select all ClusterTrustBundles that match this label selector.  Only has
+                                              effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                              interpreted as "match nothing".  If set but empty, interpreted as "match
+                                              everything".
+                                            properties:
+                                              matchExpressions:
+                                                description: matchExpressions is a
+                                                  list of label selector requirements.
+                                                  The requirements are ANDed.
+                                                items:
+                                                  description: |-
+                                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                                    relates the key and values.
+                                                  properties:
+                                                    key:
+                                                      description: key is the label
+                                                        key that the selector applies
+                                                        to.
+                                                      type: string
+                                                    operator:
+                                                      description: |-
+                                                        operator represents a key's relationship to a set of values.
+                                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                      type: string
+                                                    values:
+                                                      description: |-
+                                                        values is an array of string values. If the operator is In or NotIn,
+                                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                        the values array must be empty. This array is replaced during a strategic
+                                                        merge patch.
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                      x-kubernetes-list-type: atomic
+                                                  required:
+                                                  - key
+                                                  - operator
+                                                  type: object
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                              matchLabels:
+                                                additionalProperties:
+                                                  type: string
+                                                description: |-
+                                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                type: object
+                                            type: object
+                                            x-kubernetes-map-type: atomic
+                                          name:
+                                            description: |-
+                                              Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                              with signerName and labelSelector.
+                                            type: string
+                                          optional:
+                                            description: |-
+                                              If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                              aren't available.  If using name, then the named ClusterTrustBundle is
+                                              allowed not to exist.  If using signerName, then the combination of
+                                              signerName and labelSelector is allowed to match zero
+                                              ClusterTrustBundles.
+                                            type: boolean
+                                          path:
+                                            description: Relative path from the volume
+                                              root to write the bundle.
+                                            type: string
+                                          signerName:
+                                            description: |-
+                                              Select all ClusterTrustBundles that match this signer name.
+                                              Mutually-exclusive with name.  The contents of all selected
+                                              ClusterTrustBundles will be unified and deduplicated.
+                                            type: string
+                                        required:
+                                        - path
+                                        type: object
+                                      configMap:
+                                        description: configMap information about the
+                                          configMap data to project
+                                        properties:
+                                          items:
+                                            description: |-
+                                              items if unspecified, each key-value pair in the Data field of the referenced
+                                              ConfigMap will be projected into the volume as a file whose name is the
+                                              key and content is the value. If specified, the listed keys will be
+                                              projected into the specified paths, and unlisted keys will not be
+                                              present. If a key is specified which is not present in the ConfigMap,
+                                              the volume setup will error unless it is marked optional. Paths must be
+                                              relative and may not contain the '..' path or start with '..'.
+                                            items:
+                                              description: Maps a string key to a
+                                                path within a volume.
+                                              properties:
+                                                key:
+                                                  description: key is the key to project.
+                                                  type: string
+                                                mode:
+                                                  description: |-
+                                                    mode is Optional: mode bits used to set permissions on this file.
+                                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: |-
+                                                    path is the relative path of the file to map the key to.
+                                                    May not be an absolute path.
+                                                    May not contain the path element '..'.
+                                                    May not start with the string '..'.
+                                                  type: string
+                                              required:
+                                              - key
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          name:
+                                            default: ""
+                                            description: |-
+                                              Name of the referent.
+                                              This field is effectively required, but due to backwards compatibility is
+                                              allowed to be empty. Instances of this type with an empty value here are
+                                              almost certainly wrong.
+                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                            type: string
+                                          optional:
+                                            description: optional specify whether
+                                              the ConfigMap or its keys must be defined
+                                            type: boolean
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      downwardAPI:
+                                        description: downwardAPI information about
+                                          the downwardAPI data to project
+                                        properties:
+                                          items:
+                                            description: Items is a list of DownwardAPIVolume
+                                              file
+                                            items:
+                                              description: DownwardAPIVolumeFile represents
+                                                information to create the file containing
+                                                the pod field
+                                              properties:
+                                                fieldRef:
+                                                  description: 'Required: Selects
+                                                    a field of the pod: only annotations,
+                                                    labels, name, namespace and uid
+                                                    are supported.'
+                                                  properties:
+                                                    apiVersion:
+                                                      description: Version of the
+                                                        schema the FieldPath is written
+                                                        in terms of, defaults to "v1".
+                                                      type: string
+                                                    fieldPath:
+                                                      description: Path of the field
+                                                        to select in the specified
+                                                        API version.
+                                                      type: string
+                                                  required:
+                                                  - fieldPath
+                                                  type: object
+                                                  x-kubernetes-map-type: atomic
+                                                mode:
+                                                  description: |-
+                                                    Optional: mode bits used to set permissions on this file, must be an octal value
+                                                    between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: 'Required: Path is  the
+                                                    relative path name of the file
+                                                    to be created. Must not be absolute
+                                                    or contain the ''..'' path. Must
+                                                    be utf-8 encoded. The first item
+                                                    of the relative path must not
+                                                    start with ''..'''
+                                                  type: string
+                                                resourceFieldRef:
+                                                  description: |-
+                                                    Selects a resource of the container: only resources limits and requests
+                                                    (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+                                                  properties:
+                                                    containerName:
+                                                      description: 'Container name:
+                                                        required for volumes, optional
+                                                        for env vars'
+                                                      type: string
+                                                    divisor:
+                                                      anyOf:
+                                                      - type: integer
+                                                      - type: string
+                                                      description: Specifies the output
+                                                        format of the exposed resources,
+                                                        defaults to "1"
+                                                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                      x-kubernetes-int-or-string: true
+                                                    resource:
+                                                      description: 'Required: resource
+                                                        to select'
+                                                      type: string
+                                                  required:
+                                                  - resource
+                                                  type: object
+                                                  x-kubernetes-map-type: atomic
+                                              required:
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        type: object
+                                      podCertificate:
+                                        description: |-
+                                          Projects an auto-rotating credential bundle (private key and certificate
+                                          chain) that the pod can use either as a TLS client or server.
+
+                                          Kubelet generates a private key and uses it to send a
+                                          PodCertificateRequest to the named signer.  Once the signer approves the
+                                          request and issues a certificate chain, Kubelet writes the key and
+                                          certificate chain to the pod filesystem.  The pod does not start until
+                                          certificates have been issued for each podCertificate projected volume
+                                          source in its spec.
+
+                                          Kubelet will begin trying to rotate the certificate at the time indicated
+                                          by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                          timestamp.
+
+                                          Kubelet can write a single file, indicated by the credentialBundlePath
+                                          field, or separate files, indicated by the keyPath and
+                                          certificateChainPath fields.
+
+                                          The credential bundle is a single file in PEM format.  The first PEM
+                                          entry is the private key (in PKCS#8 format), and the remaining PEM
+                                          entries are the certificate chain issued by the signer (typically,
+                                          signers will return their certificate chain in leaf-to-root order).
+
+                                          Prefer using the credential bundle format, since your application code
+                                          can read it atomically.  If you use keyPath and certificateChainPath,
+                                          your application must make two separate file reads. If these coincide
+                                          with a certificate rotation, it is possible that the private key and leaf
+                                          certificate you read may not correspond to each other.  Your application
+                                          will need to check for this condition, and re-read until they are
+                                          consistent.
+
+                                          The named signer controls chooses the format of the certificate it
+                                          issues; consult the signer implementation's documentation to learn how to
+                                          use the certificates it issues.
+                                        properties:
+                                          certificateChainPath:
+                                            description: |-
+                                              Write the certificate chain at this path in the projected volume.
+
+                                              Most applications should use credentialBundlePath.  When using keyPath
+                                              and certificateChainPath, your application needs to check that the key
+                                              and leaf certificate are consistent, because it is possible to read the
+                                              files mid-rotation.
+                                            type: string
+                                          credentialBundlePath:
+                                            description: |-
+                                              Write the credential bundle at this path in the projected volume.
+
+                                              The credential bundle is a single file that contains multiple PEM blocks.
+                                              The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                              key.
+
+                                              The remaining blocks are CERTIFICATE blocks, containing the issued
+                                              certificate chain from the signer (leaf and any intermediates).
+
+                                              Using credentialBundlePath lets your Pod's application code make a single
+                                              atomic read that retrieves a consistent key and certificate chain.  If you
+                                              project them to separate files, your application code will need to
+                                              additionally check that the leaf certificate was issued to the key.
+                                            type: string
+                                          keyPath:
+                                            description: |-
+                                              Write the key at this path in the projected volume.
+
+                                              Most applications should use credentialBundlePath.  When using keyPath
+                                              and certificateChainPath, your application needs to check that the key
+                                              and leaf certificate are consistent, because it is possible to read the
+                                              files mid-rotation.
+                                            type: string
+                                          keyType:
+                                            description: |-
+                                              The type of keypair Kubelet will generate for the pod.
+
+                                              Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                              "ECDSAP521", and "ED25519".
+                                            type: string
+                                          maxExpirationSeconds:
+                                            description: |-
+                                              maxExpirationSeconds is the maximum lifetime permitted for the
+                                              certificate.
+
+                                              Kubelet copies this value verbatim into the PodCertificateRequests it
+                                              generates for this projection.
+
+                                              If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                              will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                              value is 7862400 (91 days).
+
+                                              The signer implementation is then free to issue a certificate with any
+                                              lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                              seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                              `kubernetes.io` signers will never issue certificates with a lifetime
+                                              longer than 24 hours.
+                                            format: int32
+                                            type: integer
+                                          signerName:
+                                            description: Kubelet's generated CSRs
+                                              will be addressed to this signer.
+                                            type: string
+                                          userAnnotations:
+                                            additionalProperties:
+                                              type: string
+                                            description: |-
+                                              userAnnotations allow pod authors to pass additional information to
+                                              the signer implementation.  Kubernetes does not restrict or validate this
+                                              metadata in any way.
+
+                                              These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+                                              the PodCertificateRequest objects that Kubelet creates.
+
+                                              Entries are subject to the same validation as object metadata annotations,
+                                              with the addition that all keys must be domain-prefixed. No restrictions
+                                              are placed on values, except an overall size limitation on the entire field.
+
+                                              Signers should document the keys and values they support. Signers should
+                                              deny requests that contain keys they do not recognize.
+                                            type: object
+                                        required:
+                                        - keyType
+                                        - signerName
+                                        type: object
+                                      secret:
+                                        description: secret information about the
+                                          secret data to project
+                                        properties:
+                                          items:
+                                            description: |-
+                                              items if unspecified, each key-value pair in the Data field of the referenced
+                                              Secret will be projected into the volume as a file whose name is the
+                                              key and content is the value. If specified, the listed keys will be
+                                              projected into the specified paths, and unlisted keys will not be
+                                              present. If a key is specified which is not present in the Secret,
+                                              the volume setup will error unless it is marked optional. Paths must be
+                                              relative and may not contain the '..' path or start with '..'.
+                                            items:
+                                              description: Maps a string key to a
+                                                path within a volume.
+                                              properties:
+                                                key:
+                                                  description: key is the key to project.
+                                                  type: string
+                                                mode:
+                                                  description: |-
+                                                    mode is Optional: mode bits used to set permissions on this file.
+                                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: |-
+                                                    path is the relative path of the file to map the key to.
+                                                    May not be an absolute path.
+                                                    May not contain the path element '..'.
+                                                    May not start with the string '..'.
+                                                  type: string
+                                              required:
+                                              - key
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          name:
+                                            default: ""
+                                            description: |-
+                                              Name of the referent.
+                                              This field is effectively required, but due to backwards compatibility is
+                                              allowed to be empty. Instances of this type with an empty value here are
+                                              almost certainly wrong.
+                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                            type: string
+                                          optional:
+                                            description: optional field specify whether
+                                              the Secret or its key must be defined
+                                            type: boolean
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      serviceAccountToken:
+                                        description: serviceAccountToken is information
+                                          about the serviceAccountToken data to project
+                                        properties:
+                                          audience:
+                                            description: |-
+                                              audience is the intended audience of the token. A recipient of a token
+                                              must identify itself with an identifier specified in the audience of the
+                                              token, and otherwise should reject the token. The audience defaults to the
+                                              identifier of the apiserver.
+                                            type: string
+                                          expirationSeconds:
+                                            description: |-
+                                              expirationSeconds is the requested duration of validity of the service
+                                              account token. As the token approaches expiration, the kubelet volume
+                                              plugin will proactively rotate the service account token. The kubelet will
+                                              start trying to rotate the token if the token is older than 80 percent of
+                                              its time to live or if the token is older than 24 hours.Defaults to 1 hour
+                                              and must be at least 10 minutes.
+                                            format: int64
+                                            type: integer
+                                          path:
+                                            description: |-
+                                              path is the path relative to the mount point of the file to project the
+                                              token into.
+                                            type: string
+                                        required:
+                                        - path
+                                        type: object
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            quobyte:
+                              description: |-
+                                quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
+                              properties:
+                                group:
+                                  description: |-
+                                    group to map volume access to
+                                    Default is no group
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+                                    Defaults to false.
+                                  type: boolean
+                                registry:
+                                  description: |-
+                                    registry represents a single or multiple Quobyte Registry services
+                                    specified as a string as host:port pair (multiple entries are separated with commas)
+                                    which acts as the central registry for volumes
+                                  type: string
+                                tenant:
+                                  description: |-
+                                    tenant owning the given Quobyte volume in the Backend
+                                    Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+                                  type: string
+                                user:
+                                  description: |-
+                                    user to map volume access to
+                                    Defaults to serivceaccount user
+                                  type: string
+                                volume:
+                                  description: volume is a string that references
+                                    an already created Quobyte volume by name.
+                                  type: string
+                              required:
+                              - registry
+                              - volume
+                              type: object
+                            rbd:
+                              description: |-
+                                rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+                                  type: string
+                                image:
+                                  description: |-
+                                    image is the rados image name.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                keyring:
+                                  default: /etc/ceph/keyring
+                                  description: |-
+                                    keyring is the path to key ring for RBDUser.
+                                    Default is /etc/ceph/keyring.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                monitors:
+                                  description: |-
+                                    monitors is a collection of Ceph monitors.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                pool:
+                                  default: rbd
+                                  description: |-
+                                    pool is the rados pool name.
+                                    Default is rbd.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is name of the authentication secret for RBDUser. If provided
+                                    overrides keyring.
+                                    Default is nil.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                user:
+                                  default: admin
+                                  description: |-
+                                    user is the rados user name.
+                                    Default is admin.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                              required:
+                              - image
+                              - monitors
+                              type: object
+                            scaleIO:
+                              description: |-
+                                scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
+                              properties:
+                                fsType:
+                                  default: xfs
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs".
+                                    Default is "xfs".
+                                  type: string
+                                gateway:
+                                  description: gateway is the host address of the
+                                    ScaleIO API Gateway.
+                                  type: string
+                                protectionDomain:
+                                  description: protectionDomain is the name of the
+                                    ScaleIO Protection Domain for the configured storage.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef references to the secret for ScaleIO user and other
+                                    sensitive information. If this is not provided, Login operation will fail.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                sslEnabled:
+                                  description: sslEnabled Flag enable/disable SSL
+                                    communication with Gateway, default false
+                                  type: boolean
+                                storageMode:
+                                  default: ThinProvisioned
+                                  description: |-
+                                    storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+                                    Default is ThinProvisioned.
+                                  type: string
+                                storagePool:
+                                  description: storagePool is the ScaleIO Storage
+                                    Pool associated with the protection domain.
+                                  type: string
+                                system:
+                                  description: system is the name of the storage system
+                                    as configured in ScaleIO.
+                                  type: string
+                                volumeName:
+                                  description: |-
+                                    volumeName is the name of a volume already created in the ScaleIO system
+                                    that is associated with this volume source.
+                                  type: string
+                              required:
+                              - gateway
+                              - secretRef
+                              - system
+                              type: object
+                            secret:
+                              description: |-
+                                secret represents a secret that should populate this volume.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode is Optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values
+                                    for mode bits. Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: |-
+                                    items If unspecified, each key-value pair in the Data field of the referenced
+                                    Secret will be projected into the volume as a file whose name is the
+                                    key and content is the value. If specified, the listed keys will be
+                                    projected into the specified paths, and unlisted keys will not be
+                                    present. If a key is specified which is not present in the Secret,
+                                    the volume setup will error unless it is marked optional. Paths must be
+                                    relative and may not contain the '..' path or start with '..'.
+                                  items:
+                                    description: Maps a string key to a path within
+                                      a volume.
+                                    properties:
+                                      key:
+                                        description: key is the key to project.
+                                        type: string
+                                      mode:
+                                        description: |-
+                                          mode is Optional: mode bits used to set permissions on this file.
+                                          Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: |-
+                                          path is the relative path of the file to map the key to.
+                                          May not be an absolute path.
+                                          May not contain the path element '..'.
+                                          May not start with the string '..'.
+                                        type: string
+                                    required:
+                                    - key
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                optional:
+                                  description: optional field specify whether the
+                                    Secret or its keys must be defined
+                                  type: boolean
+                                secretName:
+                                  description: |-
+                                    secretName is the name of the secret in the pod's namespace to use.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+                                  type: string
+                              type: object
+                            storageos:
+                              description: |-
+                                storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef specifies the secret to use for obtaining the StorageOS API
+                                    credentials.  If not specified, default values will be attempted.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                volumeName:
+                                  description: |-
+                                    volumeName is the human-readable name of the StorageOS volume.  Volume
+                                    names are only unique within a namespace.
+                                  type: string
+                                volumeNamespace:
+                                  description: |-
+                                    volumeNamespace specifies the scope of the volume within StorageOS.  If no
+                                    namespace is specified then the Pod's namespace will be used.  This allows the
+                                    Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+                                    Set VolumeName to any name to override the default behaviour.
+                                    Set to "default" if you are not using namespaces within StorageOS.
+                                    Namespaces that do not pre-exist within StorageOS will be created.
+                                  type: string
+                              type: object
+                            vsphereVolume:
+                              description: |-
+                                vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                are redirected to the csi.vsphere.vmware.com CSI driver.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                storagePolicyID:
+                                  description: storagePolicyID is the storage Policy
+                                    Based Management (SPBM) profile ID associated
+                                    with the StoragePolicyName.
+                                  type: string
+                                storagePolicyName:
+                                  description: storagePolicyName is the storage Policy
+                                    Based Management (SPBM) profile name.
+                                  type: string
+                                volumePath:
+                                  description: volumePath is the path that identifies
+                                    vSphere volume vmdk
+                                  type: string
+                              required:
+                              - volumePath
+                              type: object
+                          required:
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                  profile:
+                    description: Specifies which installation configuration profile
+                      to apply.
+                    type: string
+                  revision:
+                    description: Identifies the revision this installation is associated
+                      with.
+                    type: string
+                  sidecarInjectorWebhook:
+                    description: Configuration for the sidecar injector webhook.
+                    properties:
+                      alwaysInjectSelector:
+                        description: See NeverInjectSelector.
+                        items:
+                          description: |-
+                            A label selector is a label query over a set of resources. The result of matchLabels and
+                            matchExpressions are ANDed. An empty label selector matches all objects. A null
+                            label selector matches no objects.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
+                      defaultTemplates:
+                        description: 'defaultTemplates: ["sidecar", "hello"]'
+                        items:
+                          type: string
+                        type: array
+                      enableNamespacesByDefault:
+                        description: Enables sidecar auto-injection in namespaces
+                          by default.
+                        type: boolean
+                      injectedAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          injectedAnnotations are additional annotations that will be added to the pod spec after injection
+                          This is primarily to support PSP annotations.
+                        type: object
+                      injectionURL:
+                        description: Configure the injection url for sidecar injector
+                          webhook
+                        type: string
+                      neverInjectSelector:
+                        description: |-
+                          Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods.
+
+                          Annotations in the pods have higher precedence than the label selectors.
+                          Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy.
+                          See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+                        items:
+                          description: |-
+                            A label selector is a label query over a set of resources. The result of matchLabels and
+                            matchExpressions are ANDed. An empty label selector matches all objects. A null
+                            label selector matches no objects.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
+                      reinvocationPolicy:
+                        description: 'Setting this to `IfNeeded` will result in the
+                          sidecar injector being run again if additional mutations
+                          occur. Default: Never'
+                        type: string
+                      rewriteAppHTTPProbe:
+                        description: If true, webhook or istioctl injector will rewrite
+                          PodSpec for liveness health check to redirect request to
+                          sidecar. This makes liveness check work even when mTLS is
+                          enabled.
+                        type: boolean
+                      templates:
+                        additionalProperties:
+                          type: string
+                        description: "Templates defines a set of custom injection
+                          templates that can be used. For example, defining:\n\ntemplates:\n\n\thello:
+                          |\n\t  metadata:\n\t    labels:\n\t      hello: world\n\nThen
+                          starting a pod with the `inject.istio.io/templates: hello`
+                          annotation, will result in the pod\nbeing injected with
+                          the hello=world labels.\nThis is intended for advanced configuration
+                          only; most users should use the built in template"
+                        type: object
+                    type: object
+                  telemetry:
+                    description: Controls whether telemetry is exported for Pilot.
+                    properties:
+                      enabled:
+                        description: Controls whether telemetry is exported for Pilot.
+                        type: boolean
+                      v2:
+                        description: Configuration for Telemetry v2.
+                        properties:
+                          enabled:
+                            description: Controls whether pilot will configure telemetry
+                              v2.
+                            type: boolean
+                          prometheus:
+                            description: Telemetry v2 settings for prometheus.
+                            properties:
+                              enabled:
+                                description: Controls whether stats envoyfilter would
+                                  be enabled or not.
+                                type: boolean
+                            type: object
+                          stackdriver:
+                            description: Telemetry v2 settings for stackdriver.
+                            properties:
+                              enabled:
+                                type: boolean
+                            type: object
+                        type: object
+                    type: object
+                type: object
+              version:
+                description: |-
+                  Defines the version of Istio to install.
+                  Must be one of: v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, v1.30-alpha.a30ad733.
+                enum:
+                - v1.28.3
+                - v1.28.2
+                - v1.28.1
+                - v1.28.0
+                - v1.27.5
+                - v1.27.4
+                - v1.27.3
+                - v1.27.2
+                - v1.27.1
+                - v1.27.0
+                - v1.26.8
+                - v1.26.7
+                - v1.26.6
+                - v1.26.5
+                - v1.26.4
+                - v1.26.3
+                - v1.26.2
+                - v1.26.1
+                - v1.26.0
+                - v1.25.5
+                - v1.25.4
+                - v1.25.3
+                - v1.25.2
+                - v1.25.1
+                - v1.24.6
+                - v1.24.5
+                - v1.24.4
+                - v1.24.3
+                - v1.24.2
+                - v1.24.1
+                - v1.24.0
+                - v1.23.6
+                - v1.23.5
+                - v1.23.4
+                - v1.23.3
+                - v1.23.2
+                - v1.22.8
+                - v1.22.7
+                - v1.22.6
+                - v1.22.5
+                - v1.21.6
+                - v1.30-alpha.a30ad733
+                type: string
+            required:
+            - namespace
+            - version
+            type: object
+            x-kubernetes-validations:
+            - message: spec.values.global.istioNamespace must match spec.namespace
+              rule: self.values.global.istioNamespace == self.__namespace__
+          status:
+            description: IstioRevisionStatus defines the observed state of IstioRevision
+            properties:
+              conditions:
+                description: Represents the latest available observations of the object's
+                  current state.
+                items:
+                  description: IstioRevisionCondition represents a specific observation
+                    of the IstioRevision object's state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        the last transition.
+                      type: string
+                    reason:
+                      description: Unique, single-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: The status of this condition. Can be True, False
+                        or Unknown.
+                      type: string
+                    type:
+                      description: The type of this condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the most recent generation observed for this
+                  IstioRevision object. It corresponds to the object's generation, which is
+                  updated on mutation by the API Server. The information in the status
+                  pertains to this particular generation of the object.
+                format: int64
+                type: integer
+              state:
+                description: Reports the current state of the object.
+                type: string
+            type: object
+        type: object
+        x-kubernetes-validations:
+        - message: spec.values.revision must match metadata.name or be empty when
+            the name is 'default'
+          rule: 'self.metadata.name == ''default'' ? (!has(self.spec.values.revision)
+            || size(self.spec.values.revision) == 0) : self.spec.values.revision ==
+            self.metadata.name'
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml
new file mode 100644
index 0000000000..02b3c65657
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml
@@ -0,0 +1,147 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.20.0
+  name: istiorevisiontags.sailoperator.io
+spec:
+  group: sailoperator.io
+  names:
+    categories:
+    - istio-io
+    kind: IstioRevisionTag
+    listKind: IstioRevisionTagList
+    plural: istiorevisiontags
+    shortNames:
+    - istiorevtag
+    singular: istiorevisiontag
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: The current state of this object.
+      jsonPath: .status.state
+      name: Status
+      type: string
+    - description: Whether the tag is being used by workloads.
+      jsonPath: .status.conditions[?(@.type=="InUse")].status
+      name: In use
+      type: string
+    - description: The IstioRevision this object is referencing.
+      jsonPath: .status.istioRevision
+      name: Revision
+      type: string
+    - description: The age of the object
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: IstioRevisionTag references an Istio or IstioRevision object
+          and serves as an alias for sidecar injection. It can be used to manage stable
+          revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels
+          for more information on the concept.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IstioRevisionTagSpec defines the desired state of IstioRevisionTag
+            properties:
+              targetRef:
+                description: IstioRevisionTagTargetReference can reference either
+                  Istio or IstioRevision objects in the cluster. In the case of referencing
+                  an Istio object, the Sail Operator will automatically update the
+                  reference to the Istio object's Active Revision.
+                properties:
+                  kind:
+                    description: Kind is the kind of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  name:
+                    description: Name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+            required:
+            - targetRef
+            type: object
+          status:
+            description: IstioRevisionStatus defines the observed state of IstioRevision
+            properties:
+              conditions:
+                description: Represents the latest available observations of the object's
+                  current state.
+                items:
+                  description: IstioRevisionCondition represents a specific observation
+                    of the IstioRevision object's state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        the last transition.
+                      type: string
+                    reason:
+                      description: Unique, single-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: The status of this condition. Can be True, False
+                        or Unknown.
+                      type: string
+                    type:
+                      description: The type of this condition.
+                      type: string
+                  type: object
+                type: array
+              istioRevision:
+                description: IstioRevision stores the name of the referenced IstioRevision
+                type: string
+              istiodNamespace:
+                description: IstiodNamespace stores the namespace of the corresponding
+                  Istiod instance
+                type: string
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the most recent generation observed for this
+                  IstioRevisionTag object. It corresponds to the object's generation, which is
+                  updated on mutation by the API Server. The information in the status
+                  pertains to this particular generation of the object.
+                format: int64
+                type: integer
+              state:
+                description: Reports the current state of the object.
+                type: string
+            required:
+            - istioRevision
+            - istiodNamespace
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml
new file mode 100644
index 0000000000..c5660a7c74
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml
@@ -0,0 +1,10331 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.20.0
+  name: istios.sailoperator.io
+spec:
+  group: sailoperator.io
+  names:
+    categories:
+    - istio-io
+    kind: Istio
+    listKind: IstioList
+    plural: istios
+    singular: istio
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: The namespace for the control plane components.
+      jsonPath: .spec.namespace
+      name: Namespace
+      type: string
+    - description: The selected profile (collection of value presets).
+      jsonPath: .spec.profile
+      name: Profile
+      type: string
+    - description: Total number of IstioRevision objects currently associated with
+        this object.
+      jsonPath: .status.revisions.total
+      name: Revisions
+      type: string
+    - description: Number of revisions that are ready.
+      jsonPath: .status.revisions.ready
+      name: Ready
+      type: string
+    - description: Number of revisions that are currently being used by workloads.
+      jsonPath: .status.revisions.inUse
+      name: In use
+      type: string
+    - description: The name of the currently active revision.
+      jsonPath: .status.activeRevisionName
+      name: Active Revision
+      type: string
+    - description: The current state of the active revision.
+      jsonPath: .status.state
+      name: Status
+      type: string
+    - description: The version of the control plane installation.
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: The age of the object
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          Istio represents an Istio Service Mesh deployment consisting of one or more
+          control plane instances (represented by one or more IstioRevision objects).
+          To deploy an Istio Service Mesh, a user creates an Istio object with the
+          desired Istio version and configuration. The operator then creates
+          an IstioRevision object, which in turn creates the underlying Deployment
+          objects for istiod and other control plane components, similar to how a
+          Deployment object in Kubernetes creates ReplicaSets that create the Pods.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            default:
+              namespace: istio-system
+              updateStrategy:
+                type: InPlace
+              version: v1.28.3
+            description: IstioSpec defines the desired state of Istio
+            properties:
+              namespace:
+                default: istio-system
+                description: Namespace to which the Istio components should be installed.
+                  Note that this field is immutable.
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
+              profile:
+                description: |-
+                  The built-in installation configuration profile to use.
+                  The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
+                  Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable.
+                enum:
+                - ambient
+                - default
+                - demo
+                - empty
+                - external
+                - openshift
+                - openshift-ambient
+                - preview
+                - remote
+                - stable
+                type: string
+              updateStrategy:
+                default:
+                  type: InPlace
+                description: Defines the update strategy to use when the version in
+                  the Istio CR is updated.
+                properties:
+                  inactiveRevisionDeletionGracePeriodSeconds:
+                    description: |-
+                      Defines how many seconds the operator should wait before removing a non-active revision after all
+                      the workloads have stopped using it. You may want to set this value on the order of minutes.
+                      The minimum is 0 and the default value is 30.
+                    format: int64
+                    minimum: 0
+                    type: integer
+                  type:
+                    default: InPlace
+                    description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\".
+                      When the \"InPlace\" strategy\nis used, the existing Istio control
+                      plane is updated in-place. The workloads therefore\ndon't need
+                      to be moved from one control plane instance to another. When
+                      the \"RevisionBased\"\nstrategy is used, a new Istio control
+                      plane instance is created for every change to the\nIstio.spec.version
+                      field. The old control plane remains in place until all workloads
+                      have\nbeen moved to the new control plane instance.\n\nThe \"InPlace\"
+                      strategy is the default.\tTODO: change default to \"RevisionBased\""
+                    enum:
+                    - InPlace
+                    - RevisionBased
+                    type: string
+                  updateWorkloads:
+                    description: |-
+                      Defines whether the workloads should be moved from one control plane instance to another
+                      automatically. If updateWorkloads is true, the operator moves the workloads from the old
+                      control plane instance to the new one after the new control plane is ready.
+                      If updateWorkloads is false, the user must move the workloads manually by updating the
+                      istio.io/rev labels on the namespace and/or the pods.
+                      Defaults to false.
+                    type: boolean
+                type: object
+              values:
+                description: Defines the values to be passed to the Helm charts when
+                  installing Istio.
+                properties:
+                  base:
+                    description: Configuration for the base component.
+                    properties:
+                      excludedCRDs:
+                        description: CRDs to exclude. Requires `enableCRDTemplates`
+                        items:
+                          type: string
+                        type: array
+                      validationCABundle:
+                        description: validation webhook CA bundle
+                        type: string
+                      validationURL:
+                        description: URL to use for validating webhook.
+                        type: string
+                    type: object
+                  compatibilityVersion:
+                    description: |-
+                      Specifies the compatibility version to use. When this is set, the control plane will
+                      be configured with the same defaults as the specified version.
+                    type: string
+                  defaultRevision:
+                    description: |-
+                      The name of the default revision in the cluster.
+                      Deprecated: This field is ignored. The default revision is expected to be configurable elsewhere.
+                    type: string
+                  experimental:
+                    description: Specifies experimental helm fields that could be
+                      removed or changed in the future
+                    x-kubernetes-preserve-unknown-fields: true
+                  gatewayClasses:
+                    description: Configuration for Gateway Classes
+                    x-kubernetes-preserve-unknown-fields: true
+                  global:
+                    description: Global configuration for Istio components.
+                    properties:
+                      agentgateway:
+                        description: Specifies how proxies are configured within Istio.
+                        properties:
+                          image:
+                            type: string
+                        type: object
+                      arch:
+                        description: "Specifies pod scheduling arch(amd64, ppc64le,
+                          s390x, arm64) and weight as follows:\n\n\t0 - Never scheduled\n\t1
+                          - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated:
+                          replaced by the affinity k8s settings which allows architecture
+                          nodeAffinity configuration of this behavior.\n\nDeprecated:
+                          Marked as deprecated in pkg/apis/values_types.proto."
+                        properties:
+                          amd64:
+                            description: Sets pod scheduling weight for amd64 arch
+                            format: int32
+                            type: integer
+                          arm64:
+                            description: Sets pod scheduling weight for arm64 arch.
+                            format: int32
+                            type: integer
+                          ppc64le:
+                            description: Sets pod scheduling weight for ppc64le arch.
+                            format: int32
+                            type: integer
+                          s390x:
+                            description: Sets pod scheduling weight for s390x arch.
+                            format: int32
+                            type: integer
+                        type: object
+                      caAddress:
+                        description: The address of the CA for CSR.
+                        type: string
+                      caName:
+                        description: |-
+                          The name of the CA for workloads.
+                          For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+                          will be used as the certificates for workloads.
+                          The default value is "" and when caName="", the CA will be configured by other
+                          mechanisms (e.g., environmental variable CA_PROVIDER).
+                        type: string
+                      certSigners:
+                        description: List of certSigners to allow "approve" action
+                          in the ClusterRole
+                        items:
+                          type: string
+                        type: array
+                      configCluster:
+                        description: Controls whether a remote cluster is the config
+                          cluster for an external istiod
+                        type: boolean
+                      configValidation:
+                        description: Controls whether the server-side validation is
+                          enabled.
+                        type: boolean
+                      defaultNodeSelector:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          Default k8s node selector for all the Istio control plane components
+
+                          See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: object
+                      defaultPodDisruptionBudget:
+                        description: Specifies the default pod disruption budget configuration.
+                        properties:
+                          enabled:
+                            description: Controls whether a PodDisruptionBudget with
+                              a default minAvailable value of 1 is created for each
+                              deployment.
+                            type: boolean
+                        type: object
+                      defaultResources:
+                        description: |-
+                          Default k8s resources settings for all Istio control plane components.
+
+                          See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      defaultTolerations:
+                        description: |-
+                          Default node tolerations to be applied to all deployments so that all pods can be
+                          scheduled to nodes with matching taints. Each component can overwrite
+                          these default values by adding its tolerations block in the relevant section below
+                          and setting the desired values.
+                          Configure this field in case that all pods of Istio control plane are expected to
+                          be scheduled to particular nodes with specified taints.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        items:
+                          description: |-
+                            The pod this Toleration is attached to tolerates any taint that matches
+                            the triple <key,value,effect> using the matching operator <operator>.
+                          properties:
+                            effect:
+                              description: |-
+                                Effect indicates the taint effect to match. Empty means match all taint effects.
+                                When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: |-
+                                Key is the taint key that the toleration applies to. Empty means match all taint keys.
+                                If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                              type: string
+                            operator:
+                              description: |-
+                                Operator represents a key's relationship to the value.
+                                Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+                                Exists is equivalent to wildcard for value, so that a pod can
+                                tolerate all taints of a particular category.
+                                Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+                              type: string
+                            tolerationSeconds:
+                              description: |-
+                                TolerationSeconds represents the period of time the toleration (which must be
+                                of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+                                it is not set, which means tolerate the taint forever (do not evict). Zero and
+                                negative values will be treated as 0 (evict immediately) by the system.
+                              format: int64
+                              type: integer
+                            value:
+                              description: |-
+                                Value is the taint value the toleration matches to.
+                                If the operator is Exists, the value should be empty, otherwise just a regular string.
+                              type: string
+                          type: object
+                        type: array
+                      externalIstiod:
+                        description: Controls whether one external istiod is enabled.
+                        type: boolean
+                      hub:
+                        description: Specifies the docker hub for Istio images.
+                        type: string
+                      imagePullPolicy:
+                        description: |-
+                          Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent.
+                          Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
+
+                          More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+                        enum:
+                        - Always
+                        - Never
+                        - IfNotPresent
+                        type: string
+                      imagePullSecrets:
+                        description: |-
+                          ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace
+                          to use for pulling any images in pods that reference this ServiceAccount.
+                          Must be set for any cluster configured with private docker registry.
+                        items:
+                          type: string
+                        type: array
+                      ipFamilies:
+                        description: |-
+                          Defines which IP family to use for single stack or the order of IP families for dual-stack.
+                          Valid list items are "IPv4", "IPv6".
+                          More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+                        items:
+                          type: string
+                        type: array
+                      ipFamilyPolicy:
+                        description: |-
+                          Controls whether Services are configured to use IPv4, IPv6, or both. Valid options
+                          are PreferDualStack, RequireDualStack, and SingleStack.
+                          More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+                        type: string
+                      istioNamespace:
+                        description: Specifies the default namespace for the Istio
+                          control plane components.
+                        type: string
+                      istiod:
+                        description: Specifies the configution of istiod
+                        properties:
+                          enableAnalysis:
+                            description: If enabled, istiod will perform config analysis
+                            type: boolean
+                        type: object
+                      jwtPolicy:
+                        description: |-
+                          Configure the policy for validating JWT.
+                          This is deprecated and has no effect.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: string
+                      logAsJson:
+                        description: Specifies whether istio components should output
+                          logs in json format by adding --log_as_json argument to
+                          each container.
+                        type: boolean
+                      logging:
+                        description: Specifies the global logging level settings for
+                          the Istio control plane components.
+                        properties:
+                          level:
+                            description: |-
+                              Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+                              The control plane has different scopes depending on component, but can configure default log level across all components
+                              If empty, default scope and level will be used as configured in code
+                            type: string
+                        type: object
+                      meshID:
+                        description: |-
+                          The Mesh Identifier. It should be unique within the scope where
+                          meshes will interact with each other, but it is not required to be
+                          globally/universally unique. For example, if any of the following are true,
+                          then two meshes must have different Mesh IDs:
+                          - Meshes will have their telemetry aggregated in one place
+                          - Meshes will be federated together
+                          - Policy will be written referencing one mesh from the other
+
+                          If an administrator expects that any of these conditions may become true in
+                          the future, they should ensure their meshes have different Mesh IDs
+                          assigned.
+
+                          Within a multicluster mesh, each cluster must be (manually or auto)
+                          configured to have the same Mesh ID value. If an existing cluster 'joins' a
+                          multicluster mesh, it will need to be migrated to the new mesh ID. Details
+                          of migration TBD, and it may be a disruptive operation to change the Mesh
+                          ID post-install.
+
+                          If the mesh admin does not specify a value, Istio will use the value of the
+                          mesh's Trust Domain. The best practice is to select a proper Trust Domain
+                          value.
+                        type: string
+                      meshNetworks:
+                        additionalProperties:
+                          description: |-
+                            Network provides information about the endpoints in a routable L3
+                            network. A single routable L3 network can have one or more service
+                            registries. Note that the network has no relation to the locality of the
+                            endpoint. The endpoint locality will be obtained from the service
+                            registry.
+                          properties:
+                            endpoints:
+                              description: |-
+                                The list of endpoints in the network (obtained through the
+                                constituent service registries or from CIDR ranges). All endpoints in
+                                the network are directly accessible to one another.
+                              items:
+                                description: "NetworkEndpoints describes how the network
+                                  associated with an endpoint\nshould be inferred.
+                                  An endpoint will be assigned to a network based
+                                  on\nthe following rules:\n\n1. Implicitly: If the
+                                  registry explicitly provides information about\nthe
+                                  network to which the endpoint belongs to. In some
+                                  cases, its\npossible to indicate the network associated
+                                  with the endpoint by\nadding the `ISTIO_META_NETWORK`
+                                  environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta.
+                                  By matching the registry name with one of the \"fromRegistry\"\n\tin
+                                  the mesh config. A \"fromRegistry\" can only be
+                                  assigned to a\n\tsingle network.\n\n\tb. By matching
+                                  the IP against one of the CIDR ranges in a mesh\n\tconfig
+                                  network. The CIDR ranges must not overlap and be
+                                  assigned to\n\ta single network.\n\n(2) will override
+                                  (1) if both are present."
+                                properties:
+                                  fromCidr:
+                                    description: |-
+                                      A CIDR range for the set of endpoints in this network. The CIDR
+                                      ranges for endpoints from different networks must not overlap.
+                                    type: string
+                                  fromRegistry:
+                                    description: |-
+                                      Add all endpoints from the specified registry into this network.
+                                      The names of the registries should correspond to the kubeconfig file name
+                                      inside the secret that was used to configure the registry (Kubernetes
+                                      multicluster) or supplied by MCP server.
+                                    type: string
+                                type: object
+                                x-kubernetes-validations:
+                                - message: At most one of [fromCidr fromRegistry]
+                                    should be set
+                                  rule: (has(self.fromCidr)?1:0) + (has(self.fromRegistry)?1:0)
+                                    <= 1
+                              type: array
+                            gateways:
+                              description: Set of gateways associated with the network.
+                              items:
+                                description: |-
+                                  The gateway associated with this network. Traffic from remote networks
+                                  will arrive at the specified gateway:port. All incoming traffic must
+                                  use mTLS.
+                                properties:
+                                  address:
+                                    description: IP address or externally resolvable
+                                      DNS address associated with the gateway.
+                                    type: string
+                                  locality:
+                                    description: The locality associated with an explicitly
+                                      specified gateway (i.e. ip)
+                                    type: string
+                                  port:
+                                    format: int32
+                                    type: integer
+                                  registryServiceName:
+                                    description: |-
+                                      A fully qualified domain name of the gateway service.  istiod will
+                                      lookup the service from the service registries in the network and
+                                      obtain the endpoint IPs of the gateway from the service
+                                      registry. Note that while the service name is a fully qualified
+                                      domain name, it need not be resolvable outside the orchestration
+                                      platform for the registry. e.g., this could be
+                                      istio-ingressgateway.istio-system.svc.cluster.local.
+                                    type: string
+                                type: object
+                                x-kubernetes-validations:
+                                - message: At most one of [registryServiceName address]
+                                    should be set
+                                  rule: (has(self.registryServiceName)?1:0) + (has(self.address)?1:0)
+                                    <= 1
+                              type: array
+                          type: object
+                        description: "Configure the mesh networks to be used by the
+                          Split Horizon EDS.\n\nThe following example defines two
+                          networks with different endpoints association methods.\nFor
+                          `network1` all endpoints that their IP belongs to the provided
+                          CIDR range will be\nmapped to network1. The gateway for
+                          this network example is specified by its public IP\naddress
+                          and port.\nThe second network, `network2`, in this example
+                          is defined differently with all endpoints\nretrieved through
+                          the specified Multi-Cluster registry being mapped to network2.
+                          The\ngateway is also defined differently with the name of
+                          the gateway service on the remote\ncluster. The public IP
+                          for the gateway will be determined from that remote service
+                          (only\nLoadBalancer gateway service type is currently supported,
+                          for a NodePort type gateway service,\nit still need to be
+                          configured manually).\n\nmeshNetworks:\n\n\tnetwork1:\n\t
+                          \ endpoints:\n\t  - fromCidr: \"192.168.0.1/24\"\n\t  gateways:\n\t
+                          \ - address: 1.1.1.1\n\t    port: 80\n\tnetwork2:\n\t  endpoints:\n\t
+                          \ - fromRegistry: reg1\n\t  gateways:\n\t  - registryServiceName:
+                          istio-ingressgateway.istio-system.svc.cluster.local\n\t
+                          \   port: 443"
+                        type: object
+                      mountMtlsCerts:
+                        description: Controls whether the in-cluster MTLS key and
+                          certs are loaded from the secret volume mounts.
+                        type: boolean
+                      multiCluster:
+                        description: Specifies the Configuration for Istio mesh across
+                          multiple clusters through Istio gateways.
+                        properties:
+                          clusterName:
+                            description: |-
+                              The name of the cluster this installation will run in. This is required for sidecar injection
+                              to properly label proxies
+                            type: string
+                          enabled:
+                            description: |-
+                              Enables the connection between two kubernetes clusters via their respective ingressgateway services.
+                              Use if the pods in each cluster cannot directly talk to one another.
+                            type: boolean
+                          globalDomainSuffix:
+                            description: The suffix for global service names.
+                            type: string
+                          includeEnvoyFilter:
+                            description: Enable envoy filter to translate `globalDomainSuffix`
+                              to cluster local suffix for cross cluster communication.
+                            type: boolean
+                        type: object
+                      nativeNftables:
+                        description: Specifies whether native nftables rules should
+                          be used instead of iptables rules for traffic redirection.
+                        type: boolean
+                      network:
+                        description: |-
+                          Network defines the network this cluster belong to. This name
+                          corresponds to the networks in the map of mesh networks.
+                        type: string
+                      networkPolicy:
+                        description: Settings related to Kubernetes NetworkPolicy.
+                        properties:
+                          enabled:
+                            description: Controls whether default NetworkPolicy resources
+                              will be created.
+                            type: boolean
+                        type: object
+                      omitSidecarInjectorConfigMap:
+                        description: |-
+                          Controls whether the creation of the sidecar injector ConfigMap should be skipped.
+                          Defaults to false. When set to true, the sidecar injector ConfigMap will not be created.
+                        type: boolean
+                      operatorManageWebhooks:
+                        description: |-
+                          Controls whether the WebhookConfiguration resource(s) should be created. The current behavior
+                          of Istiod is to manage its own webhook configurations.
+                          When this option is set to true, Istio Operator, instead of webhooks, manages the
+                          webhook configurations. When this option is set as false, webhooks manage their
+                          own webhook configurations.
+                        type: boolean
+                      pilotCertProvider:
+                        description: |-
+                          Configure the Pilot certificate provider.
+                          Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none".
+                        type: string
+                      platform:
+                        description: |-
+                          Platform in which Istio is deployed. Possible values are: "openshift" and "gcp"
+                          An empty value means it is a vanilla Kubernetes distribution, therefore no special
+                          treatment will be considered.
+                        type: string
+                      podDNSSearchNamespaces:
+                        description: |-
+                          Custom DNS config for the pod to resolve names of services in other
+                          clusters. Use this to add additional search domains, and other settings.
+                          see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+                          This does not apply to gateway pods as they typically need a different
+                          set of DNS settings than the normal application pods (e.g. in multicluster scenarios).
+                        items:
+                          type: string
+                        type: array
+                      priorityClassName:
+                        description: |-
+                          Specifies the k8s priorityClassName for the istio control plane components.
+
+                          See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: string
+                      proxy:
+                        description: Specifies how proxies are configured within Istio.
+                        properties:
+                          autoInject:
+                            description: Controls the 'policy' in the sidecar injector.
+                            type: string
+                          clusterDomain:
+                            description: |-
+                              Domain for the cluster, default: "cluster.local".
+
+                              K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/
+                            type: string
+                          componentLogLevel:
+                            description: |-
+                              Per Component log level for proxy, applies to gateways and sidecars.
+
+                              If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
+                            type: string
+                          enableCoreDump:
+                            description: |-
+                              Enables core dumps for newly injected sidecars.
+
+                              If set, newly injected sidecars will have core dumps enabled.
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            type: boolean
+                          excludeIPRanges:
+                            description: Lists the excluded IP ranges of Istio egress
+                              traffic that the sidecar captures.
+                            type: string
+                          excludeInboundPorts:
+                            description: Specifies the Istio ingress ports not to
+                              capture.
+                            type: string
+                          excludeOutboundPorts:
+                            description: A comma separated list of outbound ports
+                              to be excluded from redirection to Envoy.
+                            type: string
+                          holdApplicationUntilProxyStarts:
+                            description: |-
+                              Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
+
+                              Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior.
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            type: boolean
+                          image:
+                            description: |-
+                              Image name or path for the proxy, default: "proxyv2".
+
+                              If registry or tag are not specified, global.hub and global.tag are used.
+
+                              Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0
+                            type: string
+                          includeIPRanges:
+                            description: |-
+                              Lists the IP ranges of Istio egress traffic that the sidecar captures.
+
+                              Example: "172.30.0.0/16,172.20.0.0/16"
+                              This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar."
+                            type: string
+                          includeInboundPorts:
+                            description: |-
+                              A comma separated list of inbound ports for which traffic is to be redirected to Envoy.
+                              The wildcard character '*' can be used to configure redirection for all ports.
+                            type: string
+                          includeOutboundPorts:
+                            description: A comma separated list of outbound ports
+                              for which traffic is to be redirected to Envoy, regardless
+                              of the destination IP.
+                            type: string
+                          lifecycle:
+                            description: |-
+                              The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container.
+                              More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+                            properties:
+                              postStart:
+                                description: |-
+                                  PostStart is called immediately after a container is created. If the handler fails,
+                                  the container is terminated and restarted according to its restart policy.
+                                  Other management of the container blocks until the hook completes.
+                                  More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+                                properties:
+                                  exec:
+                                    description: Exec specifies a command to execute
+                                      in the container.
+                                    properties:
+                                      command:
+                                        description: |-
+                                          Command is the command line to execute inside the container, the working directory for the
+                                          command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+                                          not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+                                          a shell, you need to explicitly call out to that shell.
+                                          Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    type: object
+                                  httpGet:
+                                    description: HTTPGet specifies an HTTP GET request
+                                      to perform.
+                                    properties:
+                                      host:
+                                        description: |-
+                                          Host name to connect to, defaults to the pod IP. You probably want to set
+                                          "Host" in httpHeaders instead.
+                                        type: string
+                                      httpHeaders:
+                                        description: Custom headers to set in the
+                                          request. HTTP allows repeated headers.
+                                        items:
+                                          description: HTTPHeader describes a custom
+                                            header to be used in HTTP probes
+                                          properties:
+                                            name:
+                                              description: |-
+                                                The header field name.
+                                                This will be canonicalized upon output, so case-variant names will be understood as the same header.
+                                              type: string
+                                            value:
+                                              description: The header field value
+                                              type: string
+                                          required:
+                                          - name
+                                          - value
+                                          type: object
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      path:
+                                        description: Path to access on the HTTP server.
+                                        type: string
+                                      port:
+                                        anyOf:
+                                        - type: integer
+                                        - type: string
+                                        description: |-
+                                          Name or number of the port to access on the container.
+                                          Number must be in the range 1 to 65535.
+                                          Name must be an IANA_SVC_NAME.
+                                        x-kubernetes-int-or-string: true
+                                      scheme:
+                                        description: |-
+                                          Scheme to use for connecting to the host.
+                                          Defaults to HTTP.
+                                        type: string
+                                    required:
+                                    - port
+                                    type: object
+                                  sleep:
+                                    description: Sleep represents a duration that
+                                      the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds
+                                          to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                    - seconds
+                                    type: object
+                                  tcpSocket:
+                                    description: |-
+                                      Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
+                                    properties:
+                                      host:
+                                        description: 'Optional: Host name to connect
+                                          to, defaults to the pod IP.'
+                                        type: string
+                                      port:
+                                        anyOf:
+                                        - type: integer
+                                        - type: string
+                                        description: |-
+                                          Number or name of the port to access on the container.
+                                          Number must be in the range 1 to 65535.
+                                          Name must be an IANA_SVC_NAME.
+                                        x-kubernetes-int-or-string: true
+                                    required:
+                                    - port
+                                    type: object
+                                type: object
+                              preStop:
+                                description: |-
+                                  PreStop is called immediately before a container is terminated due to an
+                                  API request or management event such as liveness/startup probe failure,
+                                  preemption, resource contention, etc. The handler is not called if the
+                                  container crashes or exits. The Pod's termination grace period countdown begins before the
+                                  PreStop hook is executed. Regardless of the outcome of the handler, the
+                                  container will eventually terminate within the Pod's termination grace
+                                  period (unless delayed by finalizers). Other management of the container blocks until the hook completes
+                                  or until the termination grace period is reached.
+                                  More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+                                properties:
+                                  exec:
+                                    description: Exec specifies a command to execute
+                                      in the container.
+                                    properties:
+                                      command:
+                                        description: |-
+                                          Command is the command line to execute inside the container, the working directory for the
+                                          command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+                                          not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+                                          a shell, you need to explicitly call out to that shell.
+                                          Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    type: object
+                                  httpGet:
+                                    description: HTTPGet specifies an HTTP GET request
+                                      to perform.
+                                    properties:
+                                      host:
+                                        description: |-
+                                          Host name to connect to, defaults to the pod IP. You probably want to set
+                                          "Host" in httpHeaders instead.
+                                        type: string
+                                      httpHeaders:
+                                        description: Custom headers to set in the
+                                          request. HTTP allows repeated headers.
+                                        items:
+                                          description: HTTPHeader describes a custom
+                                            header to be used in HTTP probes
+                                          properties:
+                                            name:
+                                              description: |-
+                                                The header field name.
+                                                This will be canonicalized upon output, so case-variant names will be understood as the same header.
+                                              type: string
+                                            value:
+                                              description: The header field value
+                                              type: string
+                                          required:
+                                          - name
+                                          - value
+                                          type: object
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                      path:
+                                        description: Path to access on the HTTP server.
+                                        type: string
+                                      port:
+                                        anyOf:
+                                        - type: integer
+                                        - type: string
+                                        description: |-
+                                          Name or number of the port to access on the container.
+                                          Number must be in the range 1 to 65535.
+                                          Name must be an IANA_SVC_NAME.
+                                        x-kubernetes-int-or-string: true
+                                      scheme:
+                                        description: |-
+                                          Scheme to use for connecting to the host.
+                                          Defaults to HTTP.
+                                        type: string
+                                    required:
+                                    - port
+                                    type: object
+                                  sleep:
+                                    description: Sleep represents a duration that
+                                      the container should sleep.
+                                    properties:
+                                      seconds:
+                                        description: Seconds is the number of seconds
+                                          to sleep.
+                                        format: int64
+                                        type: integer
+                                    required:
+                                    - seconds
+                                    type: object
+                                  tcpSocket:
+                                    description: |-
+                                      Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+                                      for backward compatibility. There is no validation of this field and
+                                      lifecycle hooks will fail at runtime when it is specified.
+                                    properties:
+                                      host:
+                                        description: 'Optional: Host name to connect
+                                          to, defaults to the pod IP.'
+                                        type: string
+                                      port:
+                                        anyOf:
+                                        - type: integer
+                                        - type: string
+                                        description: |-
+                                          Number or name of the port to access on the container.
+                                          Number must be in the range 1 to 65535.
+                                          Name must be an IANA_SVC_NAME.
+                                        x-kubernetes-int-or-string: true
+                                    required:
+                                    - port
+                                    type: object
+                                type: object
+                              stopSignal:
+                                description: |-
+                                  StopSignal defines which signal will be sent to a container when it is being stopped.
+                                  If not specified, the default is defined by the container runtime in use.
+                                  StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                type: string
+                            type: object
+                          logLevel:
+                            description: 'Log level for proxy, applies to gateways
+                              and sidecars. If left empty, "warning" is used. Expected
+                              values are: trace\|debug\|info\|warning\|error\|critical\|off'
+                            type: string
+                          outlierLogPath:
+                            description: |-
+                              Path to the file to which the proxy will write outlier detection logs.
+
+                              Example: "/dev/stdout"
+                              This would write the logs to standard output.
+                            type: string
+                          privileged:
+                            description: |-
+                              Enables privileged securityContext for the istio-proxy container.
+
+                              See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+                            type: boolean
+                          readinessFailureThreshold:
+                            description: Sets the number of successive failed probes
+                              before indicating readiness failure.
+                            format: int32
+                            type: integer
+                          readinessInitialDelaySeconds:
+                            description: Sets the initial delay for readiness probes
+                              in seconds.
+                            format: int32
+                            type: integer
+                          readinessPeriodSeconds:
+                            description: Sets the interval between readiness probes
+                              in seconds.
+                            format: int32
+                            type: integer
+                          resources:
+                            description: |-
+                              K8s resources settings.
+
+                              See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            properties:
+                              claims:
+                                description: |-
+                                  Claims lists the names of resources, defined in spec.resourceClaims,
+                                  that are used by this container.
+
+                                  This field depends on the
+                                  DynamicResourceAllocation feature gate.
+
+                                  This field is immutable. It can only be set for containers.
+                                items:
+                                  description: ResourceClaim references one entry
+                                    in PodSpec.ResourceClaims.
+                                  properties:
+                                    name:
+                                      description: |-
+                                        Name must match the name of one entry in pod.spec.resourceClaims of
+                                        the Pod where this field is used. It makes that resource available
+                                        inside a container.
+                                      type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                                x-kubernetes-list-map-keys:
+                                - name
+                                x-kubernetes-list-type: map
+                              limits:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Limits describes the maximum amount of compute resources allowed.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                              requests:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Requests describes the minimum amount of compute resources required.
+                                  If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                  otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                            type: object
+                          seccompProfile:
+                            description: |-
+                              Configures the seccomp profile for the istio-validation and istio-proxy containers.
+
+                              See: https://kubernetes.io/docs/tutorials/security/seccomp/
+                            properties:
+                              localhostProfile:
+                                description: |-
+                                  localhostProfile indicates a profile defined in a file on the node should be used.
+                                  The profile must be preconfigured on the node to work.
+                                  Must be a descending path, relative to the kubelet's configured seccomp profile location.
+                                  Must be set if type is "Localhost". Must NOT be set for any other type.
+                                type: string
+                              type:
+                                description: |-
+                                  type indicates which kind of seccomp profile will be applied.
+                                  Valid options are:
+
+                                  Localhost - a profile defined in a file on the node should be used.
+                                  RuntimeDefault - the container runtime default profile should be used.
+                                  Unconfined - no profile should be applied.
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          startupProbe:
+                            description: Configures the startup probe for the istio-proxy
+                              container.
+                            properties:
+                              enabled:
+                                description: |-
+                                  Enables or disables a startup probe.
+                                  For optimal startup times, changing this should be tied to the readiness probe values.
+
+                                  If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+                                  This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+                                  and doesn't spam the readiness endpoint too much
+
+                                  If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+                                  This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+                                type: boolean
+                              failureThreshold:
+                                description: Minimum consecutive failures for the
+                                  probe to be considered failed after having succeeded.
+                                format: int32
+                                type: integer
+                            type: object
+                          statusPort:
+                            description: Default port used for the Pilot agent's health
+                              checks.
+                            format: int32
+                            type: integer
+                          tracer:
+                            description: |-
+                              Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+                              If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+                            enum:
+                            - zipkin
+                            - lightstep
+                            - datadog
+                            - stackdriver
+                            - openCensusAgent
+                            - none
+                            type: string
+                        type: object
+                      proxy_init:
+                        description: Specifies the Configuration for proxy_init container
+                          which sets the pods' networking to intercept the inbound/outbound
+                          traffic.
+                        properties:
+                          image:
+                            description: Specifies the image for the proxy_init container.
+                            type: string
+                          resources:
+                            description: |-
+                              K8s resources settings.
+
+                              See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                              Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                            properties:
+                              claims:
+                                description: |-
+                                  Claims lists the names of resources, defined in spec.resourceClaims,
+                                  that are used by this container.
+
+                                  This field depends on the
+                                  DynamicResourceAllocation feature gate.
+
+                                  This field is immutable. It can only be set for containers.
+                                items:
+                                  description: ResourceClaim references one entry
+                                    in PodSpec.ResourceClaims.
+                                  properties:
+                                    name:
+                                      description: |-
+                                        Name must match the name of one entry in pod.spec.resourceClaims of
+                                        the Pod where this field is used. It makes that resource available
+                                        inside a container.
+                                      type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                                x-kubernetes-list-map-keys:
+                                - name
+                                x-kubernetes-list-type: map
+                              limits:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Limits describes the maximum amount of compute resources allowed.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                              requests:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Requests describes the minimum amount of compute resources required.
+                                  If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                  otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                            type: object
+                        type: object
+                      remotePilotAddress:
+                        description: Specifies the Istio control plane’s pilot Pod
+                          IP address or remote cluster DNS resolvable hostname.
+                        type: string
+                      resourceScope:
+                        description: |-
+                          Specifies resource scope for discovery selectors.
+                          This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+                        enum:
+                        - undefined
+                        - all
+                        - cluster
+                        - namespace
+                        type: string
+                      revision:
+                        description: Configures the revision this control plane is
+                          a part of
+                        type: string
+                      sds:
+                        description: Specifies the Configuration for the SecretDiscoveryService
+                          instead of using K8S secrets to mount the certificates.
+                        properties:
+                          token:
+                            description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.'
+                            properties:
+                              aud:
+                                type: string
+                            type: object
+                        type: object
+                      sts:
+                        description: Specifies the configuration for Security Token
+                          Service.
+                        properties:
+                          servicePort:
+                            format: int32
+                            type: integer
+                        type: object
+                      tag:
+                        description: Specifies the tag for the Istio docker images.
+                        type: string
+                      tracer:
+                        description: Specifies the Configuration for each of the supported
+                          tracers.
+                        properties:
+                          datadog:
+                            description: Configuration for the datadog tracing service.
+                            properties:
+                              address:
+                                description: Address in host:port format for reporting
+                                  trace data to the Datadog agent.
+                                type: string
+                            type: object
+                          lightstep:
+                            description: Configuration for the lightstep tracing service.
+                            properties:
+                              accessToken:
+                                description: Sets the lightstep access token.
+                                type: string
+                              address:
+                                description: Sets the lightstep satellite pool address
+                                  in host:port format for reporting trace data.
+                                type: string
+                            type: object
+                          stackdriver:
+                            description: Configuration for the stackdriver tracing
+                              service.
+                            properties:
+                              debug:
+                                description: enables trace output to stdout.
+                                type: boolean
+                              maxNumberOfAnnotations:
+                                description: The global default max number of annotation
+                                  events per span.
+                                format: int32
+                                type: integer
+                              maxNumberOfAttributes:
+                                description: The global default max number of attributes
+                                  per span.
+                                format: int32
+                                type: integer
+                              maxNumberOfMessageEvents:
+                                description: The global default max number of message
+                                  events per span.
+                                format: int32
+                                type: integer
+                            type: object
+                          zipkin:
+                            description: Configuration for the zipkin tracing service.
+                            properties:
+                              address:
+                                description: |-
+                                  Address of zipkin instance in host:port format for reporting trace data.
+
+                                  Example: <zipkin-collector-service>.<zipkin-collector-namespace>:941
+                                type: string
+                            type: object
+                        type: object
+                      trustBundleName:
+                        description: Select a custom name for istiod's CA Root Cert
+                          ConfigMap.
+                        type: string
+                      variant:
+                        description: The variant of the Istio container images to
+                          use. Options are "debug" or "distroless". Unset will use
+                          the default for the given version.
+                        type: string
+                      waypoint:
+                        description: Specifies how waypoints are configured within
+                          Istio.
+                        properties:
+                          affinity:
+                            description: |-
+                              K8s affinity settings for waypoint pods.
+
+                              See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+                            properties:
+                              nodeAffinity:
+                                description: Describes node affinity scheduling rules
+                                  for the pod.
+                                properties:
+                                  preferredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      The scheduler will prefer to schedule pods to nodes that satisfy
+                                      the affinity expressions specified by this field, but it may choose
+                                      a node that violates one or more of the expressions. The node that is
+                                      most preferred is the one with the greatest sum of weights, i.e.
+                                      for each node that meets all of the scheduling requirements (resource
+                                      request, requiredDuringScheduling affinity expressions, etc.),
+                                      compute a sum by iterating through the elements of this field and adding
+                                      "weight" to the sum if the node matches the corresponding matchExpressions; the
+                                      node(s) with the highest sum are the most preferred.
+                                    items:
+                                      description: |-
+                                        An empty preferred scheduling term matches all objects with implicit weight 0
+                                        (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+                                      properties:
+                                        preference:
+                                          description: A node selector term, associated
+                                            with the corresponding weight.
+                                          properties:
+                                            matchExpressions:
+                                              description: A list of node selector
+                                                requirements by node's labels.
+                                              items:
+                                                description: |-
+                                                  A node selector requirement is a selector that contains values, a key, and an operator
+                                                  that relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: The label key that
+                                                      the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      Represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      An array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. If the operator is Gt or Lt, the values
+                                                      array must have a single element, which will be interpreted as an integer.
+                                                      This array is replaced during a strategic merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchFields:
+                                              description: A list of node selector
+                                                requirements by node's fields.
+                                              items:
+                                                description: |-
+                                                  A node selector requirement is a selector that contains values, a key, and an operator
+                                                  that relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: The label key that
+                                                      the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      Represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      An array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. If the operator is Gt or Lt, the values
+                                                      array must have a single element, which will be interpreted as an integer.
+                                                      This array is replaced during a strategic merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        weight:
+                                          description: Weight associated with matching
+                                            the corresponding nodeSelectorTerm, in
+                                            the range 1-100.
+                                          format: int32
+                                          type: integer
+                                      required:
+                                      - preference
+                                      - weight
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  requiredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      If the affinity requirements specified by this field are not met at
+                                      scheduling time, the pod will not be scheduled onto the node.
+                                      If the affinity requirements specified by this field cease to be met
+                                      at some point during pod execution (e.g. due to an update), the system
+                                      may or may not try to eventually evict the pod from its node.
+                                    properties:
+                                      nodeSelectorTerms:
+                                        description: Required. A list of node selector
+                                          terms. The terms are ORed.
+                                        items:
+                                          description: |-
+                                            A null or empty node selector term matches no objects. The requirements of
+                                            them are ANDed.
+                                            The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                          properties:
+                                            matchExpressions:
+                                              description: A list of node selector
+                                                requirements by node's labels.
+                                              items:
+                                                description: |-
+                                                  A node selector requirement is a selector that contains values, a key, and an operator
+                                                  that relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: The label key that
+                                                      the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      Represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      An array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. If the operator is Gt or Lt, the values
+                                                      array must have a single element, which will be interpreted as an integer.
+                                                      This array is replaced during a strategic merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchFields:
+                                              description: A list of node selector
+                                                requirements by node's fields.
+                                              items:
+                                                description: |-
+                                                  A node selector requirement is a selector that contains values, a key, and an operator
+                                                  that relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: The label key that
+                                                      the selector applies to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      Represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      An array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. If the operator is Gt or Lt, the values
+                                                      array must have a single element, which will be interpreted as an integer.
+                                                      This array is replaced during a strategic merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    required:
+                                    - nodeSelectorTerms
+                                    type: object
+                                    x-kubernetes-map-type: atomic
+                                type: object
+                              podAffinity:
+                                description: Describes pod affinity scheduling rules
+                                  (e.g. co-locate this pod in the same node, zone,
+                                  etc. as some other pod(s)).
+                                properties:
+                                  preferredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      The scheduler will prefer to schedule pods to nodes that satisfy
+                                      the affinity expressions specified by this field, but it may choose
+                                      a node that violates one or more of the expressions. The node that is
+                                      most preferred is the one with the greatest sum of weights, i.e.
+                                      for each node that meets all of the scheduling requirements (resource
+                                      request, requiredDuringScheduling affinity expressions, etc.),
+                                      compute a sum by iterating through the elements of this field and adding
+                                      "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                      node(s) with the highest sum are the most preferred.
+                                    items:
+                                      description: The weights of all of the matched
+                                        WeightedPodAffinityTerm fields are added per-node
+                                        to find the most preferred node(s)
+                                      properties:
+                                        podAffinityTerm:
+                                          description: Required. A pod affinity term,
+                                            associated with the corresponding weight.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                A label query over a set of resources, in this case pods.
+                                                If it's null, this PodAffinityTerm matches with no Pods.
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is
+                                                    a list of label selector requirements.
+                                                    The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label
+                                                          key that the selector applies
+                                                          to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                    - key
+                                                    - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            matchLabelKeys:
+                                              description: |-
+                                                MatchLabelKeys is a set of pod label keys to select which pods will
+                                                be taken into consideration. The keys are used to lookup values from the
+                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                                to select the group of existing pods which pods will be taken into consideration
+                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                                pod labels will be ignored. The default value is empty.
+                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            mismatchLabelKeys:
+                                              description: |-
+                                                MismatchLabelKeys is a set of pod label keys to select which pods will
+                                                be taken into consideration. The keys are used to lookup values from the
+                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                                to select the group of existing pods which pods will be taken into consideration
+                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                                pod labels will be ignored. The default value is empty.
+                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            namespaceSelector:
+                                              description: |-
+                                                A label query over the set of namespaces that the term applies to.
+                                                The term is applied to the union of the namespaces selected by this field
+                                                and the ones listed in the namespaces field.
+                                                null selector and null or empty namespaces list means "this pod's namespace".
+                                                An empty selector ({}) matches all namespaces.
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is
+                                                    a list of label selector requirements.
+                                                    The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label
+                                                          key that the selector applies
+                                                          to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                    - key
+                                                    - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            namespaces:
+                                              description: |-
+                                                namespaces specifies a static list of namespace names that the term applies to.
+                                                The term is applied to the union of the namespaces listed in this field
+                                                and the ones selected by namespaceSelector.
+                                                null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            topologyKey:
+                                              description: |-
+                                                This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                                the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                                whose value of the label with key topologyKey matches that of any node on which any of the
+                                                selected pods is running.
+                                                Empty topologyKey is not allowed.
+                                              type: string
+                                          required:
+                                          - topologyKey
+                                          type: object
+                                        weight:
+                                          description: |-
+                                            weight associated with matching the corresponding podAffinityTerm,
+                                            in the range 1-100.
+                                          format: int32
+                                          type: integer
+                                      required:
+                                      - podAffinityTerm
+                                      - weight
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  requiredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      If the affinity requirements specified by this field are not met at
+                                      scheduling time, the pod will not be scheduled onto the node.
+                                      If the affinity requirements specified by this field cease to be met
+                                      at some point during pod execution (e.g. due to a pod label update), the
+                                      system may or may not try to eventually evict the pod from its node.
+                                      When there are multiple elements, the lists of nodes corresponding to each
+                                      podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                    items:
+                                      description: |-
+                                        Defines a set of pods (namely those matching the labelSelector
+                                        relative to the given namespace(s)) that this pod should be
+                                        co-located (affinity) or not co-located (anti-affinity) with,
+                                        where co-located is defined as running on a node whose value of
+                                        the label with key <topologyKey> matches that of any node on which
+                                        a pod of the set of pods is running
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                type: object
+                              podAntiAffinity:
+                                description: Describes pod anti-affinity scheduling
+                                  rules (e.g. avoid putting this pod in the same node,
+                                  zone, etc. as some other pod(s)).
+                                properties:
+                                  preferredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      The scheduler will prefer to schedule pods to nodes that satisfy
+                                      the anti-affinity expressions specified by this field, but it may choose
+                                      a node that violates one or more of the expressions. The node that is
+                                      most preferred is the one with the greatest sum of weights, i.e.
+                                      for each node that meets all of the scheduling requirements (resource
+                                      request, requiredDuringScheduling anti-affinity expressions, etc.),
+                                      compute a sum by iterating through the elements of this field and subtracting
+                                      "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                      node(s) with the highest sum are the most preferred.
+                                    items:
+                                      description: The weights of all of the matched
+                                        WeightedPodAffinityTerm fields are added per-node
+                                        to find the most preferred node(s)
+                                      properties:
+                                        podAffinityTerm:
+                                          description: Required. A pod affinity term,
+                                            associated with the corresponding weight.
+                                          properties:
+                                            labelSelector:
+                                              description: |-
+                                                A label query over a set of resources, in this case pods.
+                                                If it's null, this PodAffinityTerm matches with no Pods.
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is
+                                                    a list of label selector requirements.
+                                                    The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label
+                                                          key that the selector applies
+                                                          to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                    - key
+                                                    - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            matchLabelKeys:
+                                              description: |-
+                                                MatchLabelKeys is a set of pod label keys to select which pods will
+                                                be taken into consideration. The keys are used to lookup values from the
+                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                                to select the group of existing pods which pods will be taken into consideration
+                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                                pod labels will be ignored. The default value is empty.
+                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            mismatchLabelKeys:
+                                              description: |-
+                                                MismatchLabelKeys is a set of pod label keys to select which pods will
+                                                be taken into consideration. The keys are used to lookup values from the
+                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                                to select the group of existing pods which pods will be taken into consideration
+                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                                pod labels will be ignored. The default value is empty.
+                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            namespaceSelector:
+                                              description: |-
+                                                A label query over the set of namespaces that the term applies to.
+                                                The term is applied to the union of the namespaces selected by this field
+                                                and the ones listed in the namespaces field.
+                                                null selector and null or empty namespaces list means "this pod's namespace".
+                                                An empty selector ({}) matches all namespaces.
+                                              properties:
+                                                matchExpressions:
+                                                  description: matchExpressions is
+                                                    a list of label selector requirements.
+                                                    The requirements are ANDed.
+                                                  items:
+                                                    description: |-
+                                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                                      relates the key and values.
+                                                    properties:
+                                                      key:
+                                                        description: key is the label
+                                                          key that the selector applies
+                                                          to.
+                                                        type: string
+                                                      operator:
+                                                        description: |-
+                                                          operator represents a key's relationship to a set of values.
+                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                        type: string
+                                                      values:
+                                                        description: |-
+                                                          values is an array of string values. If the operator is In or NotIn,
+                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                          the values array must be empty. This array is replaced during a strategic
+                                                          merge patch.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                        x-kubernetes-list-type: atomic
+                                                    required:
+                                                    - key
+                                                    - operator
+                                                    type: object
+                                                  type: array
+                                                  x-kubernetes-list-type: atomic
+                                                matchLabels:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: |-
+                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                  type: object
+                                              type: object
+                                              x-kubernetes-map-type: atomic
+                                            namespaces:
+                                              description: |-
+                                                namespaces specifies a static list of namespace names that the term applies to.
+                                                The term is applied to the union of the namespaces listed in this field
+                                                and the ones selected by namespaceSelector.
+                                                null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                              items:
+                                                type: string
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            topologyKey:
+                                              description: |-
+                                                This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                                the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                                whose value of the label with key topologyKey matches that of any node on which any of the
+                                                selected pods is running.
+                                                Empty topologyKey is not allowed.
+                                              type: string
+                                          required:
+                                          - topologyKey
+                                          type: object
+                                        weight:
+                                          description: |-
+                                            weight associated with matching the corresponding podAffinityTerm,
+                                            in the range 1-100.
+                                          format: int32
+                                          type: integer
+                                      required:
+                                      - podAffinityTerm
+                                      - weight
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  requiredDuringSchedulingIgnoredDuringExecution:
+                                    description: |-
+                                      If the anti-affinity requirements specified by this field are not met at
+                                      scheduling time, the pod will not be scheduled onto the node.
+                                      If the anti-affinity requirements specified by this field cease to be met
+                                      at some point during pod execution (e.g. due to a pod label update), the
+                                      system may or may not try to eventually evict the pod from its node.
+                                      When there are multiple elements, the lists of nodes corresponding to each
+                                      podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                    items:
+                                      description: |-
+                                        Defines a set of pods (namely those matching the labelSelector
+                                        relative to the given namespace(s)) that this pod should be
+                                        co-located (affinity) or not co-located (anti-affinity) with,
+                                        where co-located is defined as running on a node whose value of
+                                        the label with key <topologyKey> matches that of any node on which
+                                        a pod of the set of pods is running
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                type: object
+                            type: object
+                          nodeSelector:
+                            description: |-
+                              K8s node labels settings.
+
+                              See https://kubernetes.io/docs/user-guide/node-selection/
+                            properties:
+                              nodeSelectorTerms:
+                                description: Required. A list of node selector terms.
+                                  The terms are ORed.
+                                items:
+                                  description: |-
+                                    A null or empty node selector term matches no objects. The requirements of
+                                    them are ANDed.
+                                    The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                  properties:
+                                    matchExpressions:
+                                      description: A list of node selector requirements
+                                        by node's labels.
+                                      items:
+                                        description: |-
+                                          A node selector requirement is a selector that contains values, a key, and an operator
+                                          that relates the key and values.
+                                        properties:
+                                          key:
+                                            description: The label key that the selector
+                                              applies to.
+                                            type: string
+                                          operator:
+                                            description: |-
+                                              Represents a key's relationship to a set of values.
+                                              Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                            type: string
+                                          values:
+                                            description: |-
+                                              An array of string values. If the operator is In or NotIn,
+                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                              the values array must be empty. If the operator is Gt or Lt, the values
+                                              array must have a single element, which will be interpreted as an integer.
+                                              This array is replaced during a strategic merge patch.
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        required:
+                                        - key
+                                        - operator
+                                        type: object
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    matchFields:
+                                      description: A list of node selector requirements
+                                        by node's fields.
+                                      items:
+                                        description: |-
+                                          A node selector requirement is a selector that contains values, a key, and an operator
+                                          that relates the key and values.
+                                        properties:
+                                          key:
+                                            description: The label key that the selector
+                                              applies to.
+                                            type: string
+                                          operator:
+                                            description: |-
+                                              Represents a key's relationship to a set of values.
+                                              Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                            type: string
+                                          values:
+                                            description: |-
+                                              An array of string values. If the operator is In or NotIn,
+                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                              the values array must be empty. If the operator is Gt or Lt, the values
+                                              array must have a single element, which will be interpreted as an integer.
+                                              This array is replaced during a strategic merge patch.
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        required:
+                                        - key
+                                        - operator
+                                        type: object
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - nodeSelectorTerms
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          resources:
+                            description: |-
+                              K8s resource settings.
+
+                              See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+                            properties:
+                              claims:
+                                description: |-
+                                  Claims lists the names of resources, defined in spec.resourceClaims,
+                                  that are used by this container.
+
+                                  This field depends on the
+                                  DynamicResourceAllocation feature gate.
+
+                                  This field is immutable. It can only be set for containers.
+                                items:
+                                  description: ResourceClaim references one entry
+                                    in PodSpec.ResourceClaims.
+                                  properties:
+                                    name:
+                                      description: |-
+                                        Name must match the name of one entry in pod.spec.resourceClaims of
+                                        the Pod where this field is used. It makes that resource available
+                                        inside a container.
+                                      type: string
+                                    request:
+                                      description: |-
+                                        Request is the name chosen for a request in the referenced claim.
+                                        If empty, everything from the claim is made available, otherwise
+                                        only the result of this request.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                type: array
+                                x-kubernetes-list-map-keys:
+                                - name
+                                x-kubernetes-list-type: map
+                              limits:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Limits describes the maximum amount of compute resources allowed.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                              requests:
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                                description: |-
+                                  Requests describes the minimum amount of compute resources required.
+                                  If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                  otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                  More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                type: object
+                            type: object
+                          toleration:
+                            description: |-
+                              K8s tolerations settings.
+
+                              See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+                            items:
+                              description: |-
+                                The pod this Toleration is attached to tolerates any taint that matches
+                                the triple <key,value,effect> using the matching operator <operator>.
+                              properties:
+                                effect:
+                                  description: |-
+                                    Effect indicates the taint effect to match. Empty means match all taint effects.
+                                    When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: |-
+                                    Key is the taint key that the toleration applies to. Empty means match all taint keys.
+                                    If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                                  type: string
+                                operator:
+                                  description: |-
+                                    Operator represents a key's relationship to the value.
+                                    Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+                                    Exists is equivalent to wildcard for value, so that a pod can
+                                    tolerate all taints of a particular category.
+                                    Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+                                  type: string
+                                tolerationSeconds:
+                                  description: |-
+                                    TolerationSeconds represents the period of time the toleration (which must be
+                                    of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+                                    it is not set, which means tolerate the taint forever (do not evict). Zero and
+                                    negative values will be treated as 0 (evict immediately) by the system.
+                                  format: int64
+                                  type: integer
+                                value:
+                                  description: |-
+                                    Value is the taint value the toleration matches to.
+                                    If the operator is Exists, the value should be empty, otherwise just a regular string.
+                                  type: string
+                              type: object
+                            type: array
+                          topologySpreadConstraints:
+                            description: |-
+                              K8s topology spread constraints settings.
+
+                              See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+                            items:
+                              description: TopologySpreadConstraint specifies how
+                                to spread matching pods among the given topology.
+                              properties:
+                                labelSelector:
+                                  description: |-
+                                    LabelSelector is used to find matching pods.
+                                    Pods that match this label selector are counted to determine the number of pods
+                                    in their corresponding topology domain.
+                                  properties:
+                                    matchExpressions:
+                                      description: matchExpressions is a list of label
+                                        selector requirements. The requirements are
+                                        ANDed.
+                                      items:
+                                        description: |-
+                                          A label selector requirement is a selector that contains values, a key, and an operator that
+                                          relates the key and values.
+                                        properties:
+                                          key:
+                                            description: key is the label key that
+                                              the selector applies to.
+                                            type: string
+                                          operator:
+                                            description: |-
+                                              operator represents a key's relationship to a set of values.
+                                              Valid operators are In, NotIn, Exists and DoesNotExist.
+                                            type: string
+                                          values:
+                                            description: |-
+                                              values is an array of string values. If the operator is In or NotIn,
+                                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                              the values array must be empty. This array is replaced during a strategic
+                                              merge patch.
+                                            items:
+                                              type: string
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        required:
+                                        - key
+                                        - operator
+                                        type: object
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    matchLabels:
+                                      additionalProperties:
+                                        type: string
+                                      description: |-
+                                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                        map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                        operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                      type: object
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                matchLabelKeys:
+                                  description: |-
+                                    MatchLabelKeys is a set of pod label keys to select the pods over which
+                                    spreading will be calculated. The keys are used to lookup values from the
+                                    incoming pod labels, those key-value labels are ANDed with labelSelector
+                                    to select the group of existing pods over which spreading will be calculated
+                                    for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+                                    MatchLabelKeys cannot be set when LabelSelector isn't set.
+                                    Keys that don't exist in the incoming pod labels will
+                                    be ignored. A null or empty list means only match against labelSelector.
+
+                                    This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                maxSkew:
+                                  description: |-
+                                    MaxSkew describes the degree to which pods may be unevenly distributed.
+                                    When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+                                    between the number of matching pods in the target topology and the global minimum.
+                                    The global minimum is the minimum number of matching pods in an eligible domain
+                                    or zero if the number of eligible domains is less than MinDomains.
+                                    For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+                                    labelSelector spread as 2/2/1:
+                                    In this case, the global minimum is 1.
+                                    | zone1 | zone2 | zone3 |
+                                    |  P P  |  P P  |   P   |
+                                    - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+                                    scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+                                    violate MaxSkew(1).
+                                    - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+                                    When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+                                    to topologies that satisfy it.
+                                    It's a required field. Default value is 1 and 0 is not allowed.
+                                  format: int32
+                                  type: integer
+                                minDomains:
+                                  description: |-
+                                    MinDomains indicates a minimum number of eligible domains.
+                                    When the number of eligible domains with matching topology keys is less than minDomains,
+                                    Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+                                    And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+                                    this value has no effect on scheduling.
+                                    As a result, when the number of eligible domains is less than minDomains,
+                                    scheduler won't schedule more than maxSkew Pods to those domains.
+                                    If value is nil, the constraint behaves as if MinDomains is equal to 1.
+                                    Valid values are integers greater than 0.
+                                    When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+                                    For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+                                    labelSelector spread as 2/2/2:
+                                    | zone1 | zone2 | zone3 |
+                                    |  P P  |  P P  |  P P  |
+                                    The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+                                    In this situation, new pod with the same labelSelector cannot be scheduled,
+                                    because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+                                    it will violate MaxSkew.
+                                  format: int32
+                                  type: integer
+                                nodeAffinityPolicy:
+                                  description: |-
+                                    NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+                                    when calculating pod topology spread skew. Options are:
+                                    - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+                                    - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+                                    If this value is nil, the behavior is equivalent to the Honor policy.
+                                  type: string
+                                nodeTaintsPolicy:
+                                  description: |-
+                                    NodeTaintsPolicy indicates how we will treat node taints when calculating
+                                    pod topology spread skew. Options are:
+                                    - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+                                    has a toleration, are included.
+                                    - Ignore: node taints are ignored. All nodes are included.
+
+                                    If this value is nil, the behavior is equivalent to the Ignore policy.
+                                  type: string
+                                topologyKey:
+                                  description: |-
+                                    TopologyKey is the key of node labels. Nodes that have a label with this key
+                                    and identical values are considered to be in the same topology.
+                                    We consider each <key, value> as a "bucket", and try to put balanced number
+                                    of pods into each bucket.
+                                    We define a domain as a particular instance of a topology.
+                                    Also, we define an eligible domain as a domain whose nodes meet the requirements of
+                                    nodeAffinityPolicy and nodeTaintsPolicy.
+                                    e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+                                    And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+                                    It's a required field.
+                                  type: string
+                                whenUnsatisfiable:
+                                  description: |-
+                                    WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+                                    the spread constraint.
+                                    - DoNotSchedule (default) tells the scheduler not to schedule it.
+                                    - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+                                      but giving higher precedence to topologies that would help reduce the
+                                      skew.
+                                    A constraint is considered "Unsatisfiable" for an incoming pod
+                                    if and only if every possible node assignment for that pod would violate
+                                    "MaxSkew" on some topology.
+                                    For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+                                    labelSelector spread as 3/1/1:
+                                    | zone1 | zone2 | zone3 |
+                                    | P P P |   P   |   P   |
+                                    If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+                                    to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+                                    MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+                                    won't make it *more* imbalanced.
+                                    It's a required field.
+                                  type: string
+                              required:
+                              - maxSkew
+                              - topologyKey
+                              - whenUnsatisfiable
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  istiodRemote:
+                    description: |-
+                      Configuration for istiod-remote.
+                      DEPRECATED - istiod-remote chart is removed and replaced with
+                      `istio-discovery --set values.istiodRemote.enabled=true`
+
+                      Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                    properties:
+                      enabled:
+                        description: Indicates if this cluster/install should consume
+                          a "remote" istiod instance,
+                        type: boolean
+                      enabledLocalInjectorIstiod:
+                        description: |-
+                          If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+                          local istiod inject sidecars
+                        type: boolean
+                      injectionCABundle:
+                        description: injector ca bundle
+                        type: string
+                      injectionPath:
+                        description: Path to use for the sidecar injector webhook
+                          service.
+                        type: string
+                      injectionURL:
+                        description: URL to use for sidecar injector webhook.
+                        type: string
+                    type: object
+                  meshConfig:
+                    description: |-
+                      Defines runtime configuration of components, including Istiod and istio-agent behavior.
+                      See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options.
+                    properties:
+                      accessLogEncoding:
+                        description: |-
+                          Encoding for the proxy access log (`TEXT` or `JSON`).
+                          Default value is `TEXT`.
+                        enum:
+                        - TEXT
+                        - JSON
+                        type: string
+                      accessLogFile:
+                        description: |-
+                          File address for the proxy access log (e.g. /dev/stdout).
+                          Empty value disables access logging.
+                        type: string
+                      accessLogFormat:
+                        description: |-
+                          Format for the proxy access log
+                          Empty value results in proxy's default access log format
+                        type: string
+                      ca:
+                        description: |-
+                          If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA
+                          using the Istio CA gRPC API.
+                        properties:
+                          address:
+                            description: |-
+                              REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
+                              Can be IP address or a fully qualified DNS name with port
+                              Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000
+                            type: string
+                          istiodSide:
+                            description: |-
+                              Use istiodSide to specify CA Server integrate to Istiod side or Agent side
+                              Default: true
+                            type: boolean
+                          requestTimeout:
+                            description: |-
+                              timeout for forward CSR requests from Istiod to External CA
+                              Default: 10s
+                            type: string
+                          tlsSettings:
+                            description: |-
+                              Use the tlsSettings to specify the tls mode to use.
+                              Regarding tlsSettings:
+                              - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
+                              DISABLE MODE can also be used for testing
+                              - TLS MUTUAL MODE be on by default. If the CA certificates
+                              (cert bundle to verify the CA server's certificate) is omitted, Istiod will
+                              use the system root certs to verify the CA server's certificate.
+                            properties:
+                              caCertificates:
+                                description: |-
+                                  OPTIONAL: The path to the file containing certificate authority
+                                  certificates to use in verifying a presented server certificate. If
+                                  omitted, the proxy will verify the server's certificate using
+                                  the OS CA certificates.
+                                  Should be empty if mode is `ISTIO_MUTUAL`.
+                                type: string
+                              caCrl:
+                                description: |-
+                                  OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                  to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                  that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                  If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                  If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                  `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                type: string
+                              clientCertificate:
+                                description: |-
+                                  REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                  client-side TLS certificate to use.
+                                  Should be empty if mode is `ISTIO_MUTUAL`.
+                                type: string
+                              credentialName:
+                                description: |-
+                                  The name of the secret that holds the TLS certs for the
+                                  client including the CA certificates. This secret must exist in
+                                  the namespace of the proxy using the certificates.
+                                  An Opaque secret should contain the following keys and values:
+                                  `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                  `crl: <certificateRevocationList>`
+                                  Here CACertificate is used to verify the server certificate.
+                                  For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                  same secret or a separate secret named `<secret>-cacert`.
+                                  A TLS secret for client certificates with an additional
+                                  `ca.crt` key for CA certificates and `ca.crl` key for
+                                  certificate revocation list(CRL) is also supported.
+                                  Only one of client certificates and CA certificate
+                                  or credentialName can be specified.
+
+                                  **NOTE:** This field is applicable at sidecars only if
+                                  `DestinationRule` has a `workloadSelector` specified.
+                                  Otherwise the field will be applicable only at gateways, and
+                                  sidecars will continue to use the certificate paths.
+                                type: string
+                              insecureSkipVerify:
+                                description: |-
+                                  `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                  CA signature and SAN for the server certificate corresponding to the host.
+                                  The default value of this field is false.
+                                type: boolean
+                              mode:
+                                description: |-
+                                  Indicates whether connections to this port should be secured
+                                  using TLS. The value of this field determines how TLS is enforced.
+                                enum:
+                                - DISABLE
+                                - SIMPLE
+                                - MUTUAL
+                                - ISTIO_MUTUAL
+                                type: string
+                              privateKey:
+                                description: |-
+                                  REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                  client's private key.
+                                  Should be empty if mode is `ISTIO_MUTUAL`.
+                                type: string
+                              sni:
+                                description: |-
+                                  SNI string to present to the server during TLS handshake.
+                                  If unspecified, SNI will be automatically set based on downstream HTTP
+                                  host/authority header for SIMPLE and MUTUAL TLS modes.
+                                type: string
+                              subjectAltNames:
+                                description: |-
+                                  A list of alternate names to verify the subject identity in the
+                                  certificate. If specified, the proxy will verify that the server
+                                  certificate's subject alt name matches one of the specified values.
+                                  If specified, this list overrides the value of `subjectAltNames`
+                                  from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                  presented certificate for new upstream connections will be done based on the
+                                  downstream HTTP host/authority header.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        required:
+                        - address
+                        type: object
+                      caCertificates:
+                        description: |-
+                          The extra root certificates for workload-to-workload communication.
+                          The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret)
+                          are automatically added by Istiod.
+                          The CA certificate that signs the workload certificates is automatically added by Istio Agent.
+                        items:
+                          properties:
+                            certSigners:
+                              description: |-
+                                when Istiod is acting as RA(registration authority)
+                                If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.
+                              items:
+                                type: string
+                              type: array
+                            pem:
+                              description: The PEM data of the certificate.
+                              type: string
+                            spiffeBundleUrl:
+                              description: |-
+                                The SPIFFE bundle endpoint URL that complies to:
+                                https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle
+                                The endpoint should support authentication based on Web PKI:
+                                https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki
+                                The certificate is retrieved from the endpoint.
+                              type: string
+                            trustDomains:
+                              description: |-
+                                Optional. Specify the list of trust domains to which this trustAnchor data belongs.
+                                If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
+                                and its aliases.
+                                Note that we can have multiple trustAnchor data for a same trustDomain.
+                                In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
+                                If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers.
+                                If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers.
+                                If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains.
+                                If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                          x-kubernetes-validations:
+                          - message: At most one of [pem spiffeBundleUrl] should be
+                              set
+                            rule: (has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0)
+                              <= 1
+                        type: array
+                      certificates:
+                        description: |-
+                          Configure the provision of certificates.
+
+                          Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates.
+
+                          Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                        items:
+                          description: "Certificate configures the provision of a
+                            certificate and its key.\nExample 1: key and cert stored
+                            in a secret\n```\n{ secretName: galley-cert\n\n\t  secretNamespace:
+                            istio-system\n\t  dnsNames:\n\t    - galley.istio-system.svc\n\t
+                            \   - galley.mydomain.com\n\t}\n\n```\nExample 2: key
+                            and cert stored in a directory\n```\n{ dnsNames:\n  -
+                            pilot.istio-system\n  - pilot.istio-system.svc\n  - pilot.mydomain.com\n
+                            \   }\n\n```"
+                          properties:
+                            dnsNames:
+                              description: |-
+                                The DNS names for the certificate. A certificate may contain
+                                multiple DNS names.
+                              items:
+                                type: string
+                              type: array
+                            secretName:
+                              description: |-
+                                Name of the secret the certificate and its key will be stored into.
+                                If it is empty, it will not be stored into a secret.
+                                Instead, the certificate and its key will be stored into a hard-coded directory.
+                              type: string
+                          type: object
+                        type: array
+                      configSources:
+                        description: |-
+                          ConfigSource describes a source of configuration data for networking
+                          rules, and other Istio configuration artifacts. Multiple data sources
+                          can be configured for a single control plane.
+                        items:
+                          description: |-
+                            ConfigSource describes information about a configuration store inside a
+                            mesh. A single control plane instance can interact with one or more data
+                            sources.
+                          properties:
+                            address:
+                              description: |-
+                                Address of the server implementing the Istio Mesh Configuration
+                                protocol (MCP). Can be IP address or a fully qualified DNS name.
+                                Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
+                                fs:/// to specify a file-based backend with absolute path to the directory.
+                              type: string
+                            subscribedResources:
+                              description: Describes the source of configuration,
+                                if nothing is specified default is MCP
+                              items:
+                                description: Resource describes the source of configuration
+                                enum:
+                                - SERVICE_REGISTRY
+                                type: string
+                              type: array
+                            tlsSettings:
+                              description: |-
+                                Use the tlsSettings to specify the tls mode to use. If the MCP server
+                                uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+                                mode as `ISTIO_MUTUAL`.
+                              properties:
+                                caCertificates:
+                                  description: |-
+                                    OPTIONAL: The path to the file containing certificate authority
+                                    certificates to use in verifying a presented server certificate. If
+                                    omitted, the proxy will verify the server's certificate using
+                                    the OS CA certificates.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                caCrl:
+                                  description: |-
+                                    OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                    to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                    that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                    If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                    If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                    `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                  type: string
+                                clientCertificate:
+                                  description: |-
+                                    REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                    client-side TLS certificate to use.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                credentialName:
+                                  description: |-
+                                    The name of the secret that holds the TLS certs for the
+                                    client including the CA certificates. This secret must exist in
+                                    the namespace of the proxy using the certificates.
+                                    An Opaque secret should contain the following keys and values:
+                                    `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                    `crl: <certificateRevocationList>`
+                                    Here CACertificate is used to verify the server certificate.
+                                    For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                    same secret or a separate secret named `<secret>-cacert`.
+                                    A TLS secret for client certificates with an additional
+                                    `ca.crt` key for CA certificates and `ca.crl` key for
+                                    certificate revocation list(CRL) is also supported.
+                                    Only one of client certificates and CA certificate
+                                    or credentialName can be specified.
+
+                                    **NOTE:** This field is applicable at sidecars only if
+                                    `DestinationRule` has a `workloadSelector` specified.
+                                    Otherwise the field will be applicable only at gateways, and
+                                    sidecars will continue to use the certificate paths.
+                                  type: string
+                                insecureSkipVerify:
+                                  description: |-
+                                    `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                    CA signature and SAN for the server certificate corresponding to the host.
+                                    The default value of this field is false.
+                                  type: boolean
+                                mode:
+                                  description: |-
+                                    Indicates whether connections to this port should be secured
+                                    using TLS. The value of this field determines how TLS is enforced.
+                                  enum:
+                                  - DISABLE
+                                  - SIMPLE
+                                  - MUTUAL
+                                  - ISTIO_MUTUAL
+                                  type: string
+                                privateKey:
+                                  description: |-
+                                    REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                    client's private key.
+                                    Should be empty if mode is `ISTIO_MUTUAL`.
+                                  type: string
+                                sni:
+                                  description: |-
+                                    SNI string to present to the server during TLS handshake.
+                                    If unspecified, SNI will be automatically set based on downstream HTTP
+                                    host/authority header for SIMPLE and MUTUAL TLS modes.
+                                  type: string
+                                subjectAltNames:
+                                  description: |-
+                                    A list of alternate names to verify the subject identity in the
+                                    certificate. If specified, the proxy will verify that the server
+                                    certificate's subject alt name matches one of the specified values.
+                                    If specified, this list overrides the value of `subjectAltNames`
+                                    from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                    presented certificate for new upstream connections will be done based on the
+                                    downstream HTTP host/authority header.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                          type: object
+                        type: array
+                      connectTimeout:
+                        description: |-
+                          Connection timeout used by Envoy. (MUST be >=1ms)
+                          Default timeout is 10s.
+                        type: string
+                      defaultConfig:
+                        description: |-
+                          Default proxy config used by gateway and sidecars.
+                          In case of Kubernetes, the proxy config is applied once during the injection process,
+                          and remain constant for the duration of the pod. The rest of the mesh config can be changed
+                          at runtime and config gets distributed dynamically.
+                          On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation.
+                        properties:
+                          availabilityZone:
+                            description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.'
+                            type: string
+                          binaryPath:
+                            description: Path to the proxy binary
+                            type: string
+                          caCertificatesPem:
+                            description: |-
+                              The PEM data of the extra root certificates for workload-to-workload communication.
+                              This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
+                              The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret)
+                              are added automatically by Istiod.
+                            items:
+                              type: string
+                            type: array
+                          concurrency:
+                            description: |-
+                              The number of worker threads to run.
+                              If unset, which is recommended, this will be automatically determined based on CPU requests/limits.
+                              If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance
+                              issues if CPU limits are also set.
+                            format: int32
+                            type: integer
+                          configPath:
+                            description: |-
+                              Path to the generated configuration file directory.
+                              Proxy agent generates the actual configuration and stores it in this directory.
+                            type: string
+                          controlPlaneAuthPolicy:
+                            description: |-
+                              AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
+                              Default is set to `MUTUAL_TLS`.
+                            enum:
+                            - NONE
+                            - MUTUAL_TLS
+                            - INHERIT
+                            type: string
+                          customConfigFile:
+                            description: |-
+                              File path of custom proxy configuration, currently used by proxies
+                              in front of istiod.
+                            type: string
+                          discoveryAddress:
+                            description: |-
+                              Address of the discovery service exposing xDS with mTLS connection.
+                              The inject configuration may override this value.
+                            type: string
+                          discoveryRefreshDelay:
+                            description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.'
+                            type: string
+                          drainDuration:
+                            description: |-
+                              restart. MUST be >=1s (e.g., _1s/1m/1h_)
+                              Default drain duration is `45s`.
+                            type: string
+                          envoyAccessLogService:
+                            description: |-
+                              Address of the service to which access logs from Envoys should be
+                              sent. (e.g. `accesslog-service:15000`). See [Access Log
+                              Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto)
+                              for details about Envoy's gRPC Access Log Service API.
+                            properties:
+                              address:
+                                description: |-
+                                  Address of a remove service used for various purposes (access log
+                                  receiver, metrics receiver, etc.). Can be IP address or a fully
+                                  qualified DNS name.
+                                type: string
+                              tcpKeepalive:
+                                description: If set then set `SO_KEEPALIVE` on the
+                                  socket to enable TCP Keepalives.
+                                properties:
+                                  interval:
+                                    description: |-
+                                      The time duration between keep-alive probes.
+                                      Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 75s.)
+                                    type: string
+                                  probes:
+                                    description: |-
+                                      Maximum number of keepalive probes to send without response before
+                                      deciding the connection is dead. Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 9.)
+                                    format: int32
+                                    type: integer
+                                  time:
+                                    description: |-
+                                      The time duration a connection needs to be idle before keep-alive
+                                      probes start being sent. Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 7200s (ie 2 hours.)
+                                    type: string
+                                type: object
+                              tlsSettings:
+                                description: |-
+                                  Use the `tlsSettings` to specify the tls mode to use. If the remote service
+                                  uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+                                  mode as `ISTIO_MUTUAL`.
+                                properties:
+                                  caCertificates:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing certificate authority
+                                      certificates to use in verifying a presented server certificate. If
+                                      omitted, the proxy will verify the server's certificate using
+                                      the OS CA certificates.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  caCrl:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                      to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                      that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                      If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                      If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                      `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                    type: string
+                                  clientCertificate:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client-side TLS certificate to use.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: |-
+                                      The name of the secret that holds the TLS certs for the
+                                      client including the CA certificates. This secret must exist in
+                                      the namespace of the proxy using the certificates.
+                                      An Opaque secret should contain the following keys and values:
+                                      `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                      `crl: <certificateRevocationList>`
+                                      Here CACertificate is used to verify the server certificate.
+                                      For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                      same secret or a separate secret named `<secret>-cacert`.
+                                      A TLS secret for client certificates with an additional
+                                      `ca.crt` key for CA certificates and `ca.crl` key for
+                                      certificate revocation list(CRL) is also supported.
+                                      Only one of client certificates and CA certificate
+                                      or credentialName can be specified.
+
+                                      **NOTE:** This field is applicable at sidecars only if
+                                      `DestinationRule` has a `workloadSelector` specified.
+                                      Otherwise the field will be applicable only at gateways, and
+                                      sidecars will continue to use the certificate paths.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: |-
+                                      `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                      CA signature and SAN for the server certificate corresponding to the host.
+                                      The default value of this field is false.
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured
+                                      using TLS. The value of this field determines how TLS is enforced.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client's private key.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: |-
+                                      SNI string to present to the server during TLS handshake.
+                                      If unspecified, SNI will be automatically set based on downstream HTTP
+                                      host/authority header for SIMPLE and MUTUAL TLS modes.
+                                    type: string
+                                  subjectAltNames:
+                                    description: |-
+                                      A list of alternate names to verify the subject identity in the
+                                      certificate. If specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of the specified values.
+                                      If specified, this list overrides the value of `subjectAltNames`
+                                      from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                      presented certificate for new upstream connections will be done based on the
+                                      downstream HTTP host/authority header.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          envoyMetricsService:
+                            description: |-
+                              Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`).
+                              See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto)
+                              for details about Envoy's Metrics Service API.
+                            properties:
+                              address:
+                                description: |-
+                                  Address of a remove service used for various purposes (access log
+                                  receiver, metrics receiver, etc.). Can be IP address or a fully
+                                  qualified DNS name.
+                                type: string
+                              tcpKeepalive:
+                                description: If set then set `SO_KEEPALIVE` on the
+                                  socket to enable TCP Keepalives.
+                                properties:
+                                  interval:
+                                    description: |-
+                                      The time duration between keep-alive probes.
+                                      Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 75s.)
+                                    type: string
+                                  probes:
+                                    description: |-
+                                      Maximum number of keepalive probes to send without response before
+                                      deciding the connection is dead. Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 9.)
+                                    format: int32
+                                    type: integer
+                                  time:
+                                    description: |-
+                                      The time duration a connection needs to be idle before keep-alive
+                                      probes start being sent. Default is to use the OS level configuration
+                                      (unless overridden, Linux defaults to 7200s (ie 2 hours.)
+                                    type: string
+                                type: object
+                              tlsSettings:
+                                description: |-
+                                  Use the `tlsSettings` to specify the tls mode to use. If the remote service
+                                  uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+                                  mode as `ISTIO_MUTUAL`.
+                                properties:
+                                  caCertificates:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing certificate authority
+                                      certificates to use in verifying a presented server certificate. If
+                                      omitted, the proxy will verify the server's certificate using
+                                      the OS CA certificates.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  caCrl:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                      to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                      that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                      If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                      If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                      `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                    type: string
+                                  clientCertificate:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client-side TLS certificate to use.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: |-
+                                      The name of the secret that holds the TLS certs for the
+                                      client including the CA certificates. This secret must exist in
+                                      the namespace of the proxy using the certificates.
+                                      An Opaque secret should contain the following keys and values:
+                                      `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                      `crl: <certificateRevocationList>`
+                                      Here CACertificate is used to verify the server certificate.
+                                      For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                      same secret or a separate secret named `<secret>-cacert`.
+                                      A TLS secret for client certificates with an additional
+                                      `ca.crt` key for CA certificates and `ca.crl` key for
+                                      certificate revocation list(CRL) is also supported.
+                                      Only one of client certificates and CA certificate
+                                      or credentialName can be specified.
+
+                                      **NOTE:** This field is applicable at sidecars only if
+                                      `DestinationRule` has a `workloadSelector` specified.
+                                      Otherwise the field will be applicable only at gateways, and
+                                      sidecars will continue to use the certificate paths.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: |-
+                                      `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                      CA signature and SAN for the server certificate corresponding to the host.
+                                      The default value of this field is false.
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured
+                                      using TLS. The value of this field determines how TLS is enforced.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client's private key.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: |-
+                                      SNI string to present to the server during TLS handshake.
+                                      If unspecified, SNI will be automatically set based on downstream HTTP
+                                      host/authority header for SIMPLE and MUTUAL TLS modes.
+                                    type: string
+                                  subjectAltNames:
+                                    description: |-
+                                      A list of alternate names to verify the subject identity in the
+                                      certificate. If specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of the specified values.
+                                      If specified, this list overrides the value of `subjectAltNames`
+                                      from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                      presented certificate for new upstream connections will be done based on the
+                                      downstream HTTP host/authority header.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          envoyMetricsServiceAddress:
+                            description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.'
+                            type: string
+                          extraStatTags:
+                            description: |-
+                              An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
+                              added by configuring the telemetry extension. Each additional tag needs to be present in this list.
+                              Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
+                              and exposed as Prometheus metrics.
+                              Deprecated: `istio.stats` is a native filter now, this field is no longer needed.
+                            items:
+                              type: string
+                            type: array
+                          fileFlushInterval:
+                            description: |-
+                              File flush interval for envoy flushes buffers to disk in milliseconds.
+                              The duration needs to be set to a value greater than or equal to 1 millisecond.
+                              Default is 1000ms.
+                              Optional.
+                            type: string
+                          fileFlushMinSizeKb:
+                            description: |-
+                              File flush buffer size for envoy flushes buffers to disk in kilobytes.
+                              Defaults to 64.
+                              Optional.
+                            format: int32
+                            type: integer
+                          gatewayTopology:
+                            description: |-
+                              Topology encapsulates the configuration which describes where the proxy is
+                              located i.e. behind a (or N) trusted proxy (proxies) or directly exposed
+                              to the internet. This configuration only effects gateways and is applied
+                              to all the gateways in the cluster unless overridden via annotations of the
+                              gateway workloads.
+                            properties:
+                              forwardClientCertDetails:
+                                description: |-
+                                  Configures how the gateway proxy handles x-forwarded-client-cert (XFCC)
+                                  header in the incoming request.
+                                enum:
+                                - UNDEFINED
+                                - SANITIZE
+                                - FORWARD_ONLY
+                                - APPEND_FORWARD
+                                - SANITIZE_SET
+                                - ALWAYS_FORWARD_ONLY
+                                type: string
+                              numTrustedProxies:
+                                description: |-
+                                  Number of trusted proxies deployed in front of the Istio gateway proxy.
+                                  When this option is set to value N greater than zero, the trusted client
+                                  address is assumed to be the Nth address from the right end of the
+                                  X-Forwarded-For (XFF) header from the incoming request. If the
+                                  X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the
+                                  gateway proxy falls back to using the immediate downstream connection's
+                                  source address as the trusted client address.
+                                  Note that the gateway proxy will append the downstream connection's source
+                                  address to the X-Forwarded-For (XFF) address and set the
+                                  X-Envoy-External-Address header to the trusted client address before
+                                  forwarding it to the upstream services in the cluster.
+                                  The default value of numTrustedProxies is 0.
+                                  See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
+                                  header handling for more details.
+                                format: int32
+                                type: integer
+                              proxyProtocol:
+                                description: |-
+                                  Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for
+                                  downstream connections on a gateway.
+                                type: object
+                            type: object
+                          holdApplicationUntilProxyStarts:
+                            description: |-
+                              Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
+                              This feature adds hooks to delay application startup until the pod proxy
+                              is ready to accept traffic, mitigating some startup race conditions.
+                              Default value is 'false'.
+                            type: boolean
+                          image:
+                            description: Specifies the details of the proxy image.
+                            properties:
+                              imageType:
+                                description: |-
+                                  The image type of the image.
+                                  Istio publishes default, debug, and distroless images.
+                                  Other values are allowed if those image types (example: centos) are published to the specified hub.
+                                  supported values: default, debug, distroless.
+                                type: string
+                            type: object
+                          interceptionMode:
+                            description: The mode used to redirect inbound traffic
+                              to Envoy.
+                            enum:
+                            - REDIRECT
+                            - TPROXY
+                            - NONE
+                            type: string
+                          meshId:
+                            description: |-
+                              The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh)
+                              All control planes running in the same service mesh should specify the same mesh ID.
+                              Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.
+                            type: string
+                          privateKeyProvider:
+                            description: Specifies the details of the Private Key
+                              Provider configuration for gateway and sidecar proxies.
+                            properties:
+                              cryptomb:
+                                description: Use CryptoMb private key provider
+                                properties:
+                                  fallback:
+                                    description: |-
+                                      If the private key provider isn’t available (eg. the required hardware capability doesn’t existed)
+                                      Envoy will fallback to the BoringSSL default implementation when the fallback is true.
+                                      The default value is false.
+                                    type: boolean
+                                  pollDelay:
+                                    description: |-
+                                      How long to wait until the per-thread processing queue should be processed. If the processing queue
+                                      gets full (eight sign or decrypt requests are received) it is processed immediately.
+                                      However, if the queue is not filled before the delay has expired, the requests already in the queue
+                                      are processed, even if the queue is not full.
+                                      In effect, this value controls the balance between latency and throughput.
+                                      The duration needs to be set to a value greater than or equal to 1 millisecond.
+                                    type: string
+                                type: object
+                              qat:
+                                description: Use QAT private key provider
+                                properties:
+                                  fallback:
+                                    description: |-
+                                      If the private key provider isn’t available (eg. the required hardware capability doesn’t existed)
+                                      Envoy will fallback to the BoringSSL default implementation when the fallback is true.
+                                      The default value is false.
+                                    type: boolean
+                                  pollDelay:
+                                    description: |-
+                                      How long to wait before polling the hardware accelerator after a request has been submitted there.
+                                      Having a small value leads to quicker answers from the hardware but causes more polling loop spins,
+                                      leading to potentially larger CPU usage.
+                                      The duration needs to be set to a value greater than or equal to 1 millisecond.
+                                    type: string
+                                type: object
+                            type: object
+                            x-kubernetes-validations:
+                            - message: At most one of [cryptomb qat] should be set
+                              rule: (has(self.cryptomb)?1:0) + (has(self.qat)?1:0)
+                                <= 1
+                          proxyAdminPort:
+                            description: |-
+                              Port on which Envoy should listen for administrative commands.
+                              Default port is `15000`.
+                            format: int32
+                            type: integer
+                          proxyBootstrapTemplatePath:
+                            description: Path to the proxy bootstrap template file
+                            type: string
+                          proxyHeaders:
+                            description: "Define the set of headers to add/modify
+                              for HTTP request/responses.\n\nTo enable an optional
+                              header, simply set the field. If no specific configuration
+                              is required, an empty object (`{}`) will enable it.\nNote:
+                              currently all headers are enabled by default.\n\nBelow
+                              shows an example of customizing the `server` header
+                              and disabling the `X-Envoy-Attempt-Count` header:\n\n```yaml\nproxyHeaders:\n\n\tserver:\n\t
+                              \ value: \"my-custom-server\"\n\t# Explicitly enable
+                              Request IDs.\n\t# As this is the default, this has no
+                              effect.\n\trequestId: {}\n\tattemptCount:\n\t  disabled:
+                              true\n\n```\n\n# Below shows an example of preserving
+                              the header case for HTTP 1.x requests\n\n```yaml\nproxyHeaders:\n\n\tpreserveHttp1HeaderCase:
+                              true\n\n```\n\nSome headers are enabled by default,
+                              and require explicitly disabling. See below for an example
+                              of disabling all default-enabled headers:\n\n```yaml\nproxyHeaders:\n\n\tforwardedClientCert:
+                              SANITIZE\n\tserver:\n\t  disabled: true\n\trequestId:\n\t
+                              \ disabled: true\n\tattemptCount:\n\t  disabled: true\n\tenvoyDebugHeaders:\n\t
+                              \ disabled: true\n\tmetadataExchangeHeaders:\n\t  mode:
+                              IN_MESH\n\n```"
+                            properties:
+                              attemptCount:
+                                description: |-
+                                  Controls the `X-Envoy-Attempt-Count` header.
+                                  If enabled, this header will be added on outbound request headers (including gateways) that have retries configured.
+                                  If disabled, this header will not be set. If it is already present, it will be preserved.
+                                  This header is enabled by default if not configured.
+                                properties:
+                                  disabled:
+                                    type: boolean
+                                type: object
+                              envoyDebugHeaders:
+                                description: |-
+                                  Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time`. If enabled,
+                                  these headers will be included.
+                                  If disabled, these headers will not be set. If they are already present, they will be preserved.
+                                  See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details.
+                                  These headers are enabled by default if not configured.
+                                properties:
+                                  disabled:
+                                    type: boolean
+                                type: object
+                              forwardedClientCert:
+                                description: |-
+                                  Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting.
+                                  To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is).
+                                  By default, `APPEND_FORWARD` will be used.
+                                enum:
+                                - UNDEFINED
+                                - SANITIZE
+                                - FORWARD_ONLY
+                                - APPEND_FORWARD
+                                - SANITIZE_SET
+                                - ALWAYS_FORWARD_ONLY
+                                type: string
+                              metadataExchangeHeaders:
+                                description: |-
+                                  Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`.
+                                  By default, the behavior is unspecified.
+                                  If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.
+                                properties:
+                                  mode:
+                                    enum:
+                                    - UNDEFINED
+                                    - IN_MESH
+                                    type: string
+                                type: object
+                              preserveHttp1HeaderCase:
+                                description: |-
+                                  When true, the original case of HTTP/1.x headers will be preserved
+                                  as they pass through the proxy, rather than normalizing them to lowercase.
+                                  This field is particularly useful for applications that require case-sensitive
+                                  headers for interoperability with downstream systems or APIs that expect specific
+                                  casing.
+                                  The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers
+                                  to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2
+                                  requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
+                                  standards.
+                                type: boolean
+                              requestId:
+                                description: |-
+                                  Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set.
+                                  This applies to all types of traffic (inbound, outbound, and gateways).
+                                  If disabled, no request ID will be generate for the request. If it is already present, it will be preserved.
+                                  Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended.
+                                  This header is enabled by default if not configured.
+                                properties:
+                                  disabled:
+                                    type: boolean
+                                type: object
+                              server:
+                                description: |-
+                                  Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways).
+                                  If disabled, the `Server` header is not modified. If it is already present, it will be preserved.
+                                properties:
+                                  disabled:
+                                    type: boolean
+                                  value:
+                                    description: If set, and the server header is
+                                      enabled, this value will be set as the server
+                                      header. By default, `istio-envoy` will be used.
+                                    type: string
+                                type: object
+                              setCurrentClientCertDetails:
+                                description: |-
+                                  This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET
+                                  and the client connection is mTLS. It specifies the fields in
+                                  the client certificate to be forwarded. Note that `Hash` is always set, and
+                                  `By` is always set when the client certificate presents the URI type Subject Alternative Name value.
+                                properties:
+                                  cert:
+                                    description: |-
+                                      Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
+                                      XFCC header comma separated from other values with the value Cert="PEM".
+                                      Defaults to false.
+                                    type: boolean
+                                  chain:
+                                    description: |-
+                                      Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
+                                      format. This will appear in the XFCC header comma separated from other values with the value
+                                      Chain="PEM".
+                                      Defaults to false.
+                                    type: boolean
+                                  dns:
+                                    description: |-
+                                      Whether to forward the DNS type Subject Alternative Names of the client cert.
+                                      Defaults to true.
+                                    type: boolean
+                                  subject:
+                                    description: Whether to forward the subject of
+                                      the client cert. Defaults to true.
+                                    type: boolean
+                                  uri:
+                                    description: |-
+                                      Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
+                                      true.
+                                    type: boolean
+                                type: object
+                              xForwardedHost:
+                                description: |-
+                                  Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended
+                                  with the original host when it is rewritten.
+                                  This header is disabled by default.
+                                properties:
+                                  enabled:
+                                    type: boolean
+                                type: object
+                              xForwardedPort:
+                                description: |-
+                                  Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value
+                                  client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any
+                                  trusted proxy in front of Envoy.
+                                  This header is disabled by default.
+                                properties:
+                                  enabled:
+                                    type: boolean
+                                type: object
+                            type: object
+                          proxyMetadata:
+                            additionalProperties:
+                              type: string
+                            description: |-
+                              Additional environment variables for the proxy.
+                              Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.
+                            type: object
+                          proxyStatsMatcher:
+                            description: "Proxy stats matcher defines configuration
+                              for reporting custom Envoy stats.\nTo reduce memory
+                              and CPU overhead from Envoy stats system, Istio proxies
+                              by\ndefault create and expose only a subset of Envoy
+                              stats. This option is to\ncontrol creation of additional
+                              Envoy stats with prefix, suffix, and regex\nexpressions
+                              match on the name of the stats. This replaces the stats\ninclusion
+                              annotations\n(`sidecar.istio.io/statsInclusionPrefixes`,\n`sidecar.istio.io/statsInclusionRegexps`,
+                              and\n`sidecar.istio.io/statsInclusionSuffixes`). For
+                              example, to enable stats\nfor circuit breakers, request
+                              retries, upstream connections, and request timeouts,\nyou
+                              can specify stats matcher as follows:\n```yaml\nproxyStatsMatcher:\n\n\tinclusionRegexps:\n\t
+                              \ - .*outlier_detection.*\n\t  - .*upstream_rq_retry.*\n\t
+                              \ - .*upstream_cx_.*\n\tinclusionSuffixes:\n\t  - upstream_rq_timeout\n\n```\nNote
+                              including more Envoy stats might increase number of
+                              time series\ncollected by prometheus significantly.
+                              Care needs to be taken on Prometheus\nresource provision
+                              and configuration to reduce cardinality."
+                            properties:
+                              inclusionPrefixes:
+                                description: Proxy stats name prefix matcher for inclusion.
+                                items:
+                                  type: string
+                                type: array
+                              inclusionRegexps:
+                                description: Proxy stats name regexps matcher for
+                                  inclusion.
+                                items:
+                                  type: string
+                                type: array
+                              inclusionSuffixes:
+                                description: Proxy stats name suffix matcher for inclusion.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          readinessProbe:
+                            description: |-
+                              VM Health Checking readiness probe. This health check config exactly mirrors the
+                              kubernetes readiness probe configuration both in schema and logic.
+                              Only one health check method of 3 can be set at a time.
+                            properties:
+                              exec:
+                                description: Exec specifies a command to execute in
+                                  the container.
+                                properties:
+                                  command:
+                                    description: |-
+                                      Command is the command line to execute inside the container, the working directory for the
+                                      command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+                                      not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+                                      a shell, you need to explicitly call out to that shell.
+                                      Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                type: object
+                              failureThreshold:
+                                description: |-
+                                  Minimum consecutive failures for the probe to be considered failed after having succeeded.
+                                  Defaults to 3. Minimum value is 1.
+                                format: int32
+                                type: integer
+                              grpc:
+                                description: GRPC specifies a GRPC HealthCheckRequest.
+                                properties:
+                                  port:
+                                    description: Port number of the gRPC service.
+                                      Number must be in the range 1 to 65535.
+                                    format: int32
+                                    type: integer
+                                  service:
+                                    default: ""
+                                    description: |-
+                                      Service is the name of the service to place in the gRPC HealthCheckRequest
+                                      (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
+
+                                      If this is not specified, the default behavior is defined by gRPC.
+                                    type: string
+                                required:
+                                - port
+                                type: object
+                              httpGet:
+                                description: HTTPGet specifies an HTTP GET request
+                                  to perform.
+                                properties:
+                                  host:
+                                    description: |-
+                                      Host name to connect to, defaults to the pod IP. You probably want to set
+                                      "Host" in httpHeaders instead.
+                                    type: string
+                                  httpHeaders:
+                                    description: Custom headers to set in the request.
+                                      HTTP allows repeated headers.
+                                    items:
+                                      description: HTTPHeader describes a custom header
+                                        to be used in HTTP probes
+                                      properties:
+                                        name:
+                                          description: |-
+                                            The header field name.
+                                            This will be canonicalized upon output, so case-variant names will be understood as the same header.
+                                          type: string
+                                        value:
+                                          description: The header field value
+                                          type: string
+                                      required:
+                                      - name
+                                      - value
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  path:
+                                    description: Path to access on the HTTP server.
+                                    type: string
+                                  port:
+                                    anyOf:
+                                    - type: integer
+                                    - type: string
+                                    description: |-
+                                      Name or number of the port to access on the container.
+                                      Number must be in the range 1 to 65535.
+                                      Name must be an IANA_SVC_NAME.
+                                    x-kubernetes-int-or-string: true
+                                  scheme:
+                                    description: |-
+                                      Scheme to use for connecting to the host.
+                                      Defaults to HTTP.
+                                    type: string
+                                required:
+                                - port
+                                type: object
+                              initialDelaySeconds:
+                                description: |-
+                                  Number of seconds after the container has started before liveness probes are initiated.
+                                  More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+                                format: int32
+                                type: integer
+                              periodSeconds:
+                                description: |-
+                                  How often (in seconds) to perform the probe.
+                                  Default to 10 seconds. Minimum value is 1.
+                                format: int32
+                                type: integer
+                              successThreshold:
+                                description: |-
+                                  Minimum consecutive successes for the probe to be considered successful after having failed.
+                                  Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
+                                format: int32
+                                type: integer
+                              tcpSocket:
+                                description: TCPSocket specifies a connection to a
+                                  TCP port.
+                                properties:
+                                  host:
+                                    description: 'Optional: Host name to connect to,
+                                      defaults to the pod IP.'
+                                    type: string
+                                  port:
+                                    anyOf:
+                                    - type: integer
+                                    - type: string
+                                    description: |-
+                                      Number or name of the port to access on the container.
+                                      Number must be in the range 1 to 65535.
+                                      Name must be an IANA_SVC_NAME.
+                                    x-kubernetes-int-or-string: true
+                                required:
+                                - port
+                                type: object
+                              terminationGracePeriodSeconds:
+                                description: |-
+                                  Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+                                  The grace period is the duration in seconds after the processes running in the pod are sent
+                                  a termination signal and the time when the processes are forcibly halted with a kill signal.
+                                  Set this value longer than the expected cleanup time for your process.
+                                  If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+                                  value overrides the value provided by the pod spec.
+                                  Value must be non-negative integer. The value zero indicates stop immediately via
+                                  the kill signal (no opportunity to shut down).
+                                  This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+                                  Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
+                                format: int64
+                                type: integer
+                              timeoutSeconds:
+                                description: |-
+                                  Number of seconds after which the probe times out.
+                                  Defaults to 1 second. Minimum value is 1.
+                                  More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+                                format: int32
+                                type: integer
+                            type: object
+                          runtimeValues:
+                            additionalProperties:
+                              type: string
+                            description: |-
+                              Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping.
+                              This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.
+                            type: object
+                          sds:
+                            description: |-
+                              Secret Discovery Service(SDS) configuration to be used by the proxy.
+
+                              Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.
+                            properties:
+                              enabled:
+                                description: True if SDS is enabled.
+                                type: boolean
+                              k8sSaJwtPath:
+                                description: Path of k8s service account JWT path.
+                                type: string
+                            type: object
+                          serviceCluster:
+                            description: |-
+                              Service cluster defines the name for the `service_cluster` that is
+                              shared by all Envoy instances. This setting corresponds to
+                              `--service-cluster` flag in Envoy.  In a typical Envoy deployment, the
+                              `service-cluster` flag is used to identify the caller, for
+                              source-based routing scenarios.
+
+                              Since Istio does not assign a local `service/service` version to each
+                              Envoy instance, the name is same for all of them.  However, the
+                              source/caller's identity (e.g., IP address) is encoded in the
+                              `--service-node` flag when launching Envoy.  When the RDS service
+                              receives API calls from Envoy, it uses the value of the `service-node`
+                              flag to compute routes that are relative to the service instances
+                              located at that IP address.
+                            type: string
+                          statNameLength:
+                            description: |-
+                              Maximum length of name field in Envoy's metrics. The length of the name field
+                              is determined by the length of a name field in a service and the set of labels that
+                              comprise a particular version of the service. The default value is set to 189 characters.
+                              Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric.
+                              Increase the value of this field if you find that the metrics from Envoys are truncated.
+                            format: int32
+                            type: integer
+                          statsCompression:
+                            description: |-
+                              Offer HTTP compression for stats
+                              Defaults to true.
+                              Optional.
+                            type: boolean
+                          statsdUdpAddress:
+                            description: IP Address and Port of a statsd UDP listener
+                              (e.g. `10.75.241.127:9125`).
+                            type: string
+                          statusPort:
+                            description: |-
+                              Port on which the agent should listen for administrative commands such as readiness probe.
+                              Default is set to port `15020`.
+                            format: int32
+                            type: integer
+                          terminationDrainDuration:
+                            description: |-
+                              The amount of time allowed for connections to complete on proxy shutdown.
+                              On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
+                              discouraging any new connections and allowing existing connections to complete. It then
+                              sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes.
+                              If not set, a default of `5s` will be applied.
+                            type: string
+                          tracing:
+                            description: Tracing configuration to be used by the proxy.
+                            properties:
+                              customTags:
+                                additionalProperties:
+                                  description: |-
+                                    Configure custom tags that will be added to any active span.
+                                    Tags can be generated via literals, environment variables or an incoming request header.
+                                  properties:
+                                    environment:
+                                      description: |-
+                                        The custom tag's value should be populated from an environmental
+                                        variable
+                                      properties:
+                                        defaultValue:
+                                          description: |-
+                                            When the environment variable is not found,
+                                            the tag's value will be populated with this default value if specified,
+                                            otherwise the tag will not be populated.
+                                          type: string
+                                        name:
+                                          description: Name of the environment variable
+                                            used to populate the tag's value
+                                          type: string
+                                      type: object
+                                    header:
+                                      description: |-
+                                        The custom tag's value is populated by an http header from
+                                        an incoming request.
+                                      properties:
+                                        defaultValue:
+                                          description: |-
+                                            Default value to be used for the tag when the named HTTP header does not exist.
+                                            The tag will be skipped if no default value is provided.
+                                          type: string
+                                        name:
+                                          description: HTTP header name used to obtain
+                                            the value from to populate the tag value.
+                                          type: string
+                                      type: object
+                                    literal:
+                                      description: The custom tag's value is the specified
+                                        literal.
+                                      properties:
+                                        value:
+                                          description: Static literal value used to
+                                            populate the tag value.
+                                          type: string
+                                      type: object
+                                  type: object
+                                  x-kubernetes-validations:
+                                  - message: At most one of [literal environment header]
+                                      should be set
+                                    rule: (has(self.literal)?1:0) + (has(self.environment)?1:0)
+                                      + (has(self.header)?1:0) <= 1
+                                description: "and gateways).\nThe key represents the
+                                  name of the tag.\nEx:\n```yaml\ncustom_tags:\n\n\tnew_tag_name:\n\t
+                                  \ header:\n\t    name: custom-http-header-name\n\t
+                                  \   default_value: defaulted-value-from-custom-header\n\n```"
+                                type: object
+                              datadog:
+                                description: Use a Datadog tracer.
+                                properties:
+                                  address:
+                                    description: Address of the Datadog Agent.
+                                    type: string
+                                type: object
+                              enableIstioTags:
+                                description: |-
+                                  Determines whether or not trace spans generated by Envoy will include Istio specific tags.
+                                  By default Istio specific tags are included in the trace spans.
+                                type: boolean
+                              lightstep:
+                                description: |-
+                                  Use a Lightstep tracer.
+                                  NOTE: For Istio 1.15+, this configuration option will result
+                                  in using OpenTelemetry-based Lightstep integration.
+                                properties:
+                                  accessToken:
+                                    description: The Lightstep access token.
+                                    type: string
+                                  address:
+                                    description: Address of the Lightstep Satellite
+                                      pool.
+                                    type: string
+                                type: object
+                              maxPathTagLength:
+                                description: |-
+                                  Configures the maximum length of the request path to extract and include in the
+                                  HttpUrl tag. Used to truncate length request paths to meet the needs of tracing
+                                  backend. If not set, then a length of 256 will be used.
+                                format: int32
+                                type: integer
+                              openCensusAgent:
+                                description: Use an OpenCensus tracer exporting to
+                                  an OpenCensus agent.
+                                properties:
+                                  address:
+                                    description: |-
+                                      gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
+                                      unix:path). See [gRPC naming
+                                      docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for
+                                      details.
+                                    type: string
+                                  context:
+                                    description: |-
+                                      Specifies the set of context propagation headers used for distributed
+                                      tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified,
+                                      the proxy will attempt to read each header for each request and will
+                                      write all headers.
+                                    items:
+                                      description: |-
+                                        TraceContext selects the context propagation headers used for
+                                        distributed tracing.
+                                      enum:
+                                      - UNSPECIFIED
+                                      - W3C_TRACE_CONTEXT
+                                      - GRPC_BIN
+                                      - CLOUD_TRACE_CONTEXT
+                                      - B3
+                                      type: string
+                                    type: array
+                                type: object
+                              sampling:
+                                description: |-
+                                  The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
+                                  if not requested by the client or not forced. Default is 1.0.
+                                type: number
+                              stackdriver:
+                                description: Use a Stackdriver tracer.
+                                properties:
+                                  debug:
+                                    description: debug enables trace output to stdout.
+                                    type: boolean
+                                  maxNumberOfAnnotations:
+                                    description: |-
+                                      The global default max number of annotation events per span.
+                                      default is 200.
+                                    format: int64
+                                    type: integer
+                                  maxNumberOfAttributes:
+                                    description: |-
+                                      The global default max number of attributes per span.
+                                      default is 200.
+                                    format: int64
+                                    type: integer
+                                  maxNumberOfMessageEvents:
+                                    description: |-
+                                      The global default max number of message events per span.
+                                      default is 200.
+                                    format: int64
+                                    type: integer
+                                type: object
+                              tlsSettings:
+                                description: |-
+                                  Use the tlsSettings to specify the tls mode to use. If the remote tracing service
+                                  uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+                                  mode as `ISTIO_MUTUAL`.
+                                properties:
+                                  caCertificates:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing certificate authority
+                                      certificates to use in verifying a presented server certificate. If
+                                      omitted, the proxy will verify the server's certificate using
+                                      the OS CA certificates.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  caCrl:
+                                    description: |-
+                                      OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+                                      to use in verifying a presented server certificate. `CRL` is a list of certificates
+                                      that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+                                      If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+                                      If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set,
+                                      `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential.
+                                    type: string
+                                  clientCertificate:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client-side TLS certificate to use.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: |-
+                                      The name of the secret that holds the TLS certs for the
+                                      client including the CA certificates. This secret must exist in
+                                      the namespace of the proxy using the certificates.
+                                      An Opaque secret should contain the following keys and values:
+                                      `key: <privateKey>`, `cert: <clientCert>`, `cacert: <CACertificate>`,
+                                      `crl: <certificateRevocationList>`
+                                      Here CACertificate is used to verify the server certificate.
+                                      For mutual TLS, `cacert: <CACertificate>` can be provided in the
+                                      same secret or a separate secret named `<secret>-cacert`.
+                                      A TLS secret for client certificates with an additional
+                                      `ca.crt` key for CA certificates and `ca.crl` key for
+                                      certificate revocation list(CRL) is also supported.
+                                      Only one of client certificates and CA certificate
+                                      or credentialName can be specified.
+
+                                      **NOTE:** This field is applicable at sidecars only if
+                                      `DestinationRule` has a `workloadSelector` specified.
+                                      Otherwise the field will be applicable only at gateways, and
+                                      sidecars will continue to use the certificate paths.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: |-
+                                      `insecureSkipVerify` specifies whether the proxy should skip verifying the
+                                      CA signature and SAN for the server certificate corresponding to the host.
+                                      The default value of this field is false.
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured
+                                      using TLS. The value of this field determines how TLS is enforced.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: |-
+                                      REQUIRED if mode is `MUTUAL`. The path to the file holding the
+                                      client's private key.
+                                      Should be empty if mode is `ISTIO_MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: |-
+                                      SNI string to present to the server during TLS handshake.
+                                      If unspecified, SNI will be automatically set based on downstream HTTP
+                                      host/authority header for SIMPLE and MUTUAL TLS modes.
+                                    type: string
+                                  subjectAltNames:
+                                    description: |-
+                                      A list of alternate names to verify the subject identity in the
+                                      certificate. If specified, the proxy will verify that the server
+                                      certificate's subject alt name matches one of the specified values.
+                                      If specified, this list overrides the value of `subjectAltNames`
+                                      from the `ServiceEntry`. If unspecified, automatic validation of upstream
+                                      presented certificate for new upstream connections will be done based on the
+                                      downstream HTTP host/authority header.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                              zipkin:
+                                description: Use a Zipkin tracer.
+                                properties:
+                                  address:
+                                    description: Address of the Zipkin service (e.g.
+                                      _zipkin:9411_).
+                                    type: string
+                                type: object
+                            type: object
+                            x-kubernetes-validations:
+                            - message: At most one of [zipkin lightstep datadog stackdriver
+                                openCensusAgent] should be set
+                              rule: (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0)
+                                + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0)
+                                + (has(self.openCensusAgent)?1:0) <= 1
+                          tracingServiceName:
+                            description: |-
+                              Used by Envoy proxies to assign the values for the service names in trace
+                              spans.
+                            enum:
+                            - APP_LABEL_AND_NAMESPACE
+                            - CANONICAL_NAME_ONLY
+                            - CANONICAL_NAME_AND_NAMESPACE
+                            type: string
+                          zipkinAddress:
+                            description: |-
+                              Address of the Zipkin service (e.g. _zipkin:9411_).
+                              DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.
+
+                              Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.
+                            type: string
+                        type: object
+                        x-kubernetes-validations:
+                        - message: At most one of [serviceCluster tracingServiceName]
+                            should be set
+                          rule: (has(self.serviceCluster)?1:0) + (has(self.tracingServiceName)?1:0)
+                            <= 1
+                      defaultDestinationRuleExportTo:
+                        description: |-
+                          The default value for the `DestinationRule.exportTo` field. Has the same
+                          syntax as `defaultServiceExportTo`.
+
+                          If not set the system will use "*" as the default value which implies that
+                          destination rules are exported to all namespaces
+                        items:
+                          type: string
+                        type: array
+                      defaultHttpRetryPolicy:
+                        description: "Configure the default HTTP retry policy.\nThe
+                          default number of retry attempts is set at 2 for these errors:\n\n\t\"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes\".\n\nSetting
+                          the number of attempts to 0 disables retry policy globally.\nThis
+                          setting can be overridden on a per-host basis using the
+                          Virtual Service\nAPI.\nAll settings in the retry policy
+                          except `perTryTimeout` can currently be\nconfigured globally
+                          via this field."
+                        properties:
+                          attempts:
+                            description: |-
+                              Number of retries to be allowed for a given request. The interval
+                              between retries will be determined automatically (25ms+). When request
+                              `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute)
+                              or `per_try_timeout` is configured, the actual number of retries attempted also depends on
+                              the specified request `timeout` and `per_try_timeout` values. MUST be >= 0. If `0`, retries will be disabled.
+                              The maximum possible number of requests made will be 1 + `attempts`.
+                            format: int32
+                            type: integer
+                          backoff:
+                            description: |-
+                              Specifies the minimum duration between retry attempts.
+                              If unset, default minimum duration of 25ms is used as base interval for exponetial backoff.
+                              This has an impact on the total number of retries that will be attempted based on the `attempts` field
+                              and route timeout. For example, with attempts is set to 3, backoff to 2s and timeout to 3s, the request will
+                              be retried only once.
+                            type: string
+                          perTryTimeout:
+                            description: |-
+                              Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms.
+                              Default is same value as request
+                              `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute),
+                              which means no timeout.
+                            type: string
+                          retryIgnorePreviousHosts:
+                            description: |-
+                              Flag to specify whether the retries should ignore previously tried hosts during retry.
+                              Defaults to true.
+                            type: boolean
+                          retryOn:
+                            description: |-
+                              Specifies the conditions under which retry takes place.
+                              One or more policies can be specified using a ‘,’ delimited list.
+                              See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on)
+                              and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details.
+
+                              In addition to the policies specified above, a list of HTTP status codes can be passed, such as `retryOn: "503,reset"`.
+                              Note these status codes refer to the actual responses received from the destination.
+                              For example, if a connection is reset, Istio will translate this to 503 for it's response.
+                              However, the destination did not return a 503 error, so this would not match `"503"` (it would, however, match `"reset"`).
+
+                              If not specified, this defaults to `connect-failure,refused-stream,unavailable,cancelled`.
+                            type: string
+                          retryRemoteLocalities:
+                            description: |-
+                              Flag to specify whether the retries should retry to other localities.
+                              See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details.
+                            type: boolean
+                        type: object
+                      defaultProviders:
+                        description: Specifies extension providers to use by default
+                          in Istio configuration resources.
+                        properties:
+                          accessLogging:
+                            description: Name of the default provider(s) for access
+                              logging.
+                            items:
+                              type: string
+                            type: array
+                          metrics:
+                            description: Name of the default provider(s) for metrics.
+                            items:
+                              type: string
+                            type: array
+                          tracing:
+                            description: Name of the default provider(s) for tracing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      defaultServiceExportTo:
+                        description: |-
+                          The default value for the ServiceEntry.exportTo field and services
+                          imported through container registry integrations, e.g. this applies to
+                          Kubernetes Service resources. The value is a list of namespace names and
+                          reserved namespace aliases. The allowed namespace aliases are:
+                          ```
+                          * - All Namespaces
+                          . - Current Namespace
+                          ~ - No Namespace
+                          ```
+                          If not set the system will use "*" as the default value which implies that
+                          services are exported to all namespaces.
+
+                          `All namespaces` is a reasonable default for implementations that don't
+                          need to restrict access or visibility of services across namespace
+                          boundaries. If that requirement is present it is generally good practice to
+                          make the default `Current namespace` so that services are only visible
+                          within their own namespaces by default. Operators can then expand the
+                          visibility of services to other namespaces as needed. Use of `No Namespace`
+                          is expected to be rare but can have utility for deployments where
+                          dependency management needs to be precise even within the scope of a single
+                          namespace.
+
+                          For further discussion see the reference documentation for `ServiceEntry`,
+                          `Sidecar`, and `Gateway`.
+                        items:
+                          type: string
+                        type: array
+                      defaultVirtualServiceExportTo:
+                        description: |-
+                          The default value for the VirtualService.exportTo field. Has the same
+                          syntax as `defaultServiceExportTo`.
+
+                          If not set the system will use "*" as the default value which implies that
+                          virtual services are exported to all namespaces
+                        items:
+                          type: string
+                        type: array
+                      disableEnvoyListenerLog:
+                        description: |-
+                          This flag disables Envoy Listener logs.
+                          See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log)
+                          Istio Enables Envoy's listener access logs on "NoRoute" response flag.
+                          Default value is `false`.
+                        type: boolean
+                      discoverySelectors:
+                        description: |-
+                          A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
+                          computing configuration updates for sidecars. This can be used to reduce Istio's computational load
+                          by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
+                          If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
+                          Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
+                          The following example selects any namespace that matches either below:
+                          1. The namespace has both of these labels: `env: prod` and `region: us-east1`
+                          2. The namespace has label `app` equal to `cassandra` or `spark`.
+                          ```yaml
+                          discoverySelectors:
+                            - matchLabels:
+                              env: prod
+                              region: us-east1
+                            - matchExpressions:
+                            - key: app
+                              operator: In
+                              values:
+                            - cassandra
+                            - spark
+
+                          ```
+                          Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
+                          for additional detail on selector semantics.
+                        items:
+                          description: |-
+                            A label selector is a label query over a set of resources. The result of matchLabels and
+                            matchExpressions are ANDed. An empty label selector matches all objects. A null
+                            label selector matches no objects.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
+                      dnsRefreshRate:
+                        description: |-
+                          Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS`
+                          Default refresh rate is `60s`.
+                        type: string
+                      enableAutoMtls:
+                        description: |-
+                          This flag is used to enable mutual `TLS` automatically for service to service communication
+                          within the mesh, default true.
+                          If set to true, and a given service does not have a corresponding `DestinationRule` configured,
+                          or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side
+                          TLS configuration appropriately. More specifically,
+                          If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate
+                          for mutual `TLS` to connect to upstream.
+                          If upstream service is in plain text mode, use plain text.
+                          If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
+                          mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic.
+                          If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead.
+                        type: boolean
+                      enableEnvoyAccessLogService:
+                        description: |-
+                          This flag enables Envoy's gRPC Access Log Service.
+                          See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto)
+                          for details about Envoy's gRPC Access Log Service API.
+                          Default value is `false`.
+                        type: boolean
+                      enablePrometheusMerge:
+                        description: |-
+                          If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
+                          and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod
+                          and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
+                          This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and
+                          `prometheus.io/path` annotations.
+                          If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
+                          In this case, it is recommended to disable aggregation on that deployment with the
+                          `prometheus.istio.io/merge-metrics: "false"` annotation.
+                          If not specified, this will be enabled by default.
+                        type: boolean
+                      enableTracing:
+                        description: |-
+                          Flag to control generation of trace spans and request IDs.
+                          Requires a trace span collector defined in the proxy configuration.
+                        type: boolean
+                      extensionProviders:
+                        description: |-
+                          Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy
+                          can be used with an extension provider to delegate the authorization decision to a custom authorization system.
+                        items:
+                          properties:
+                            datadog:
+                              description: Configures a Datadog tracing provider.
+                              properties:
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service for the Datadog agent.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyExtAuthzGrpc:
+                              description: Configures an external authorizer that
+                                implements the Envoy ext_authz filter authorization
+                                check service using the gRPC API.
+                              properties:
+                                clearRouteCache:
+                                  description: |-
+                                    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions.
+                                    If true, recalculate routes with the new ExtAuthZ added/removed headers.
+                                    Default is false
+                                  type: boolean
+                                failOpen:
+                                  description: |-
+                                    If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
+                                    or if the authorization service has returned a HTTP 5xx error.
+                                    Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.
+                                  type: boolean
+                                includeRequestBodyInCheck:
+                                  description: If set, the client request body will
+                                    be included in the authorization request sent
+                                    to the authorization service.
+                                  properties:
+                                    allowPartialMessage:
+                                      description: |-
+                                        When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached.
+                                        The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
+                                        A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
+                                        indicating if the body data is partial.
+                                      type: boolean
+                                    maxRequestBytes:
+                                      description: |-
+                                        Sets the maximum size of a message body that the ext-authz filter will hold in memory.
+                                        If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large).
+                                        Otherwise the request will be sent to the provider with a partial message.
+                                        Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the
+                                        failOpen is set to true.
+                                      format: int32
+                                      type: integer
+                                    packAsBytes:
+                                      description: |-
+                                        If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
+                                        in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
+                                        Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
+                                        This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.
+                                      type: boolean
+                                  type: object
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
+                                  type: string
+                                statusOnError:
+                                  description: |-
+                                    Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
+                                    The default status is "403" (HTTP Forbidden).
+                                  type: string
+                                timeout:
+                                  description: |-
+                                    The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
+                                    When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
+                                    In this situation, the response sent back to the client will depend on the configured `failOpen` field.
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyExtAuthzHttp:
+                              description: Configures an external authorizer that
+                                implements the Envoy ext_authz filter authorization
+                                check service using the HTTP API.
+                              properties:
+                                clearRouteCache:
+                                  description: |-
+                                    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions.
+                                    If true, recalculate routes with the new ExtAuthZ added/removed headers.
+                                    Default is false
+                                  type: boolean
+                                failOpen:
+                                  description: |-
+                                    If true, the user request will be allowed even if the communication with the authorization service has failed,
+                                    or if the authorization service has returned a HTTP 5xx error.
+                                    Default is false and the request will be rejected with "Forbidden" response.
+                                  type: boolean
+                                headersToDownstreamOnAllow:
+                                  description: |-
+                                    List of headers from the authorization service that should be forwarded to downstream when the authorization
+                                    check result is allowed (HTTP code 200).
+                                    If not specified, the original response will not be modified and forwarded to downstream as-is.
+                                    Note, any existing headers will be overridden.
+
+                                    Exact, prefix and suffix matches are supported (similar to the
+                                    [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+                                    except the presence match):
+                                    - Exact match: "abc" will match on value "abc".
+                                    - Prefix match: "abc*" will match on value "abc" and "abcd".
+                                    - Suffix match: "*abc" will match on value "abc" and "xabc".
+                                  items:
+                                    type: string
+                                  type: array
+                                headersToDownstreamOnDeny:
+                                  description: |-
+                                    List of headers from the authorization service that should be forwarded to downstream when the authorization
+                                    check result is not allowed (HTTP code other than 200).
+                                    If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to
+                                    the downstream.
+                                    When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are
+                                    automatically added.
+                                    Note, the body from the authorization service is always included in the response to downstream.
+
+                                    Exact, prefix and suffix matches are supported (similar to the
+                                    [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+                                    except the presence match):
+                                    - Exact match: "abc" will match on value "abc".
+                                    - Prefix match: "abc*" will match on value "abc" and "abcd".
+                                    - Suffix match: "*abc" will match on value "abc" and "xabc".
+                                  items:
+                                    type: string
+                                  type: array
+                                headersToUpstreamOnAllow:
+                                  description: |-
+                                    List of headers from the authorization service that should be added or overridden in the original request and
+                                    forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
+                                    If not specified, the original request will not be modified and forwarded to backend as-is.
+                                    Note, any existing headers will be overridden.
+
+                                    Exact, prefix and suffix matches are supported (similar to the
+                                    [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+                                    except the presence match):
+                                    - Exact match: "abc" will match on value "abc".
+                                    - Prefix match: "abc*" will match on value "abc" and "abcd".
+                                    - Suffix match: "*abc" will match on value "abc" and "xabc".
+                                  items:
+                                    type: string
+                                  type: array
+                                includeAdditionalHeadersInCheck:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
+                                    Key is the header name and value is the header value.
+                                    Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.
+                                  type: object
+                                includeHeadersInCheck:
+                                  description: |-
+                                    DEPRECATED. Use includeRequestHeadersInCheck instead.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  items:
+                                    type: string
+                                  type: array
+                                includeRequestBodyInCheck:
+                                  description: If set, the client request body will
+                                    be included in the authorization request sent
+                                    to the authorization service.
+                                  properties:
+                                    allowPartialMessage:
+                                      description: |-
+                                        When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached.
+                                        The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
+                                        A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
+                                        indicating if the body data is partial.
+                                      type: boolean
+                                    maxRequestBytes:
+                                      description: |-
+                                        Sets the maximum size of a message body that the ext-authz filter will hold in memory.
+                                        If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large).
+                                        Otherwise the request will be sent to the provider with a partial message.
+                                        Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the
+                                        failOpen is set to true.
+                                      format: int32
+                                      type: integer
+                                    packAsBytes:
+                                      description: |-
+                                        If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
+                                        in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
+                                        Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
+                                        This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.
+                                      type: boolean
+                                  type: object
+                                includeRequestHeadersInCheck:
+                                  description: |-
+                                    List of client request headers that should be included in the authorization request sent to the authorization service.
+                                    Note that in addition to the headers specified here following headers are included by default:
+                                    1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
+                                    2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization
+                                    request can include the buffered client request body (controlled by includeRequestBodyInCheck setting),
+                                    consequently the value of Content-Length of the authorization request reflects the size of its payload size.
+
+                                    Exact, prefix and suffix matches are supported (similar to the
+                                    [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+                                    except the presence match):
+                                    - Exact match: "abc" will match on value "abc".
+                                    - Prefix match: "abc*" will match on value "abc" and "abcd".
+                                    - Suffix match: "*abc" will match on value "abc" and "xabc".
+                                  items:
+                                    type: string
+                                  type: array
+                                pathPrefix:
+                                  description: |-
+                                    Sets a prefix to the value of authorization request header *Path*.
+                                    For example, setting this to "/check" for an original user request at path "/admin" will cause the
+                                    authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
+                                  type: string
+                                statusOnError:
+                                  description: |-
+                                    Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
+                                    The default status is "403" (HTTP Forbidden).
+                                  type: string
+                                timeout:
+                                  description: |-
+                                    The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
+                                    When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
+                                    In this situation, the response sent back to the client will depend on the configured `failOpen` field.
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyFileAccessLog:
+                              description: Configures an Envoy File Access Log provider.
+                              properties:
+                                logFormat:
+                                  description: Optional. Allows overriding of the
+                                    default access log format.
+                                  properties:
+                                    labels:
+                                      additionalProperties:
+                                        type: string
+                                      description: "JSON structured format for the
+                                        envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan
+                                        be used as values for fields within the Struct.
+                                        Values are rendered\nas strings, numbers,
+                                        or boolean values, as appropriate\n(see: [format
+                                        dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)).
+                                        Nested JSON is\nsupported for some command
+                                        operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).\nUse
+                                        `labels: {}` for default envoy JSON log format.\n\nExample:\n```\nlabels:\n\n\tstatus:
+                                        \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```"
+                                      type: object
+                                    text:
+                                      description: |-
+                                        Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
+                                        used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
+                                        provides more information.
+
+                                        NOTE: Istio will insert a newline ('\n') on all formats (if missing).
+
+                                        Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
+                                      type: string
+                                  type: object
+                                  x-kubernetes-validations:
+                                  - message: At most one of [text labels] should be
+                                      set
+                                    rule: (has(self.text)?1:0) + (has(self.labels)?1:0)
+                                      <= 1
+                                omitEmptyValues:
+                                  description: |-
+                                    Optional. If set to true, when command operators are evaluated to null,
+                                    For text format, the output of the empty operator is changed from "-" to an empty string.
+                                    For json format, the keys with null values are omitted in the output structure.
+                                  type: boolean
+                                path:
+                                  description: |-
+                                    Path to a local file to write the access log entries.
+                                    This may be used to write to streams, via `/dev/stderr` and `/dev/stdout`
+                                    If unspecified, defaults to `/dev/stdout`.
+                                  type: string
+                              type: object
+                            envoyHttpAls:
+                              description: Configures an Envoy Access Logging Service
+                                provider for HTTP traffic.
+                              properties:
+                                additionalRequestHeadersToLog:
+                                  description: Optional. Additional request headers
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                additionalResponseHeadersToLog:
+                                  description: Optional. Additional response headers
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                additionalResponseTrailersToLog:
+                                  description: Optional. Additional response trailers
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                filterStateObjectsToLog:
+                                  description: Optional. Additional filter state objects
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                logName:
+                                  description: |-
+                                    Optional. The friendly name of the access log.
+                                    Defaults:
+                                    -  "http_envoy_accesslog"
+                                    -  "listener_envoy_accesslog"
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyOtelAls:
+                              description: Configures an Envoy Open Telemetry Access
+                                Logging Service provider.
+                              properties:
+                                logFormat:
+                                  description: |-
+                                    Optional. Format for the proxy access log
+                                    Empty value results in proxy's default access log format, following Envoy access logging formatting.
+                                  properties:
+                                    labels:
+                                      additionalProperties:
+                                        type: string
+                                      description: "Optional. Additional attributes
+                                        that describe the specific event occurrence.\nStructured
+                                        format for the envoy access logs. Envoy [command
+                                        operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan
+                                        be used as values for fields within the Struct.
+                                        Values are rendered\nas strings, numbers,
+                                        or boolean values, as appropriate\n(see: [format
+                                        dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)).
+                                        Nested JSON is\nsupported for some command
+                                        operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias
+                                        to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus:
+                                        \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```"
+                                      type: object
+                                    text:
+                                      description: |-
+                                        Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
+                                        used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
+                                        provides more information.
+                                        Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
+                                        Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
+                                      type: string
+                                  type: object
+                                logName:
+                                  description: |-
+                                    Optional. The friendly name of the access log.
+                                    Defaults:
+                                    - "otel_envoy_accesslog"
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            envoyTcpAls:
+                              description: Configures an Envoy Access Logging Service
+                                provider for TCP traffic.
+                              properties:
+                                filterStateObjectsToLog:
+                                  description: Optional. Additional filter state objects
+                                    to log.
+                                  items:
+                                    type: string
+                                  type: array
+                                logName:
+                                  description: |-
+                                    Optional. The friendly name of the access log.
+                                    Defaults:
+                                    - "tcp_envoy_accesslog"
+                                    - "listener_envoy_accesslog"
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            lightstep:
+                              description: |-
+                                Configures a Lightstep tracing provider.
+                                Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027
+
+                                Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                              properties:
+                                accessToken:
+                                  description: The Lightstep access token.
+                                  type: string
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service for the Lightstep collector.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            name:
+                              description: REQUIRED. A unique name identifying the
+                                extension provider.
+                              type: string
+                            opencensus:
+                              description: |-
+                                Configures an OpenCensusAgent tracing provider.
+                                Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/
+
+                                Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                              properties:
+                                context:
+                                  description: |-
+                                    Specifies the set of context propagation headers used for distributed
+                                    tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified,
+                                    the proxy will attempt to read each header for each request and will
+                                    write all headers.
+                                  items:
+                                    description: |-
+                                      TraceContext selects the context propagation headers used for
+                                      distributed tracing.
+                                    enum:
+                                    - UNSPECIFIED
+                                    - W3C_TRACE_CONTEXT
+                                    - GRPC_BIN
+                                    - CLOUD_TRACE_CONTEXT
+                                    - B3
+                                    type: string
+                                  type: array
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service for the OpenCensusAgent.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            opentelemetry:
+                              description: Configures an OpenTelemetry tracing provider.
+                              properties:
+                                dynatraceSampler:
+                                  description: |-
+                                    The Dynatrace adaptive traffic management (ATM) sampler.
+
+                                    Example configuration:
+
+                                    ```yaml
+                                      - name: otel-tracing
+                                        opentelemetry:
+                                        port: 443
+                                        service: "{your-environment-id}.live.dynatrace.com"
+                                        http:
+                                        path: "/api/v2/otlp/v1/traces"
+                                        timeout: 10s
+                                        headers:
+                                      - name: "Authorization"
+                                        value: "Api-Token dt0c01."
+                                        resourceDetectors:
+                                        dynatrace: {}
+                                        dynatraceSampler:
+                                        tenant: "{your-environment-id}"
+                                        clusterId: 1234
+                                  properties:
+                                    clusterId:
+                                      description: |-
+                                        REQUIRED. The identifier of the cluster in the Dynatrace platform.
+                                        The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.
+
+                                        The value can be obtained from the Istio deployment page in Dynatrace.
+                                      format: int32
+                                      type: integer
+                                    httpService:
+                                      description: |-
+                                        Optional. Dynatrace HTTP API to obtain sampling configuration.
+
+                                        When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter
+                                        (`service`, `port` and `http`), including the access token.
+                                      properties:
+                                        http:
+                                          description: REQUIRED. Specifies sampling
+                                            configuration URI.
+                                          properties:
+                                            headers:
+                                              description: |-
+                                                Optional. Allows specifying custom HTTP headers that will be added
+                                                to each HTTP request sent.
+                                              items:
+                                                properties:
+                                                  envName:
+                                                    description: |-
+                                                      The HTTP header value from the environment variable.
+
+                                                      Warning:
+                                                      - The environment variable must be set in the istiod pod spec.
+                                                      - This is not a end-to-end secure.
+                                                    type: string
+                                                  name:
+                                                    description: REQUIRED. The HTTP
+                                                      header name.
+                                                    type: string
+                                                  value:
+                                                    description: The HTTP header value.
+                                                    type: string
+                                                required:
+                                                - name
+                                                type: object
+                                                x-kubernetes-validations:
+                                                - message: At most one of [value envName]
+                                                    should be set
+                                                  rule: (has(self.value)?1:0) + (has(self.envName)?1:0)
+                                                    <= 1
+                                              type: array
+                                            path:
+                                              description: REQUIRED. Specifies the
+                                                path on the service.
+                                              type: string
+                                            timeout:
+                                              description: |-
+                                                Optional. Specifies the timeout for the HTTP request.
+                                                If not specified, the default is 3s.
+                                              type: string
+                                          required:
+                                          - path
+                                          type: object
+                                        port:
+                                          description: REQUIRED. Specifies the port
+                                            of the service.
+                                          format: int32
+                                          type: integer
+                                        service:
+                                          description: |-
+                                            REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration.
+                                            The format is `<Hostname>`, where `<Hostname>` is the fully qualified Dynatrace environment
+                                            host name defined in the ServiceEntry.
+
+                                            Example: "{your-environment-id}.live.dynatrace.com".
+                                          type: string
+                                      required:
+                                      - http
+                                      - port
+                                      - service
+                                      type: object
+                                    rootSpansPerMinute:
+                                      description: |-
+                                        Optional. Number of sampled spans per minute to be used
+                                        when the adaptive value cannot be obtained from the Dynatrace API.
+
+                                        A default value of `1000` is used when:
+
+                                        - `rootSpansPerMinute` is unset
+                                        - `rootSpansPerMinute` is set to 0
+                                      format: int32
+                                      type: integer
+                                    tenant:
+                                      description: |-
+                                        REQUIRED. The Dynatrace customer's tenant identifier.
+
+                                        The value can be obtained from the Istio deployment page in Dynatrace.
+                                      type: string
+                                  required:
+                                  - clusterId
+                                  - tenant
+                                  type: object
+                                grpc:
+                                  description: "Optional. Specifies the configuration
+                                    for exporting OTLP traces via GRPC.\nWhen empty,
+                                    traces will check whether HTTP is set.\nIf not,
+                                    traces will use default GRPC configurations.\n\nThe
+                                    following example shows how to configure the OpenTelemetry
+                                    ExtensionProvider to export via GRPC:\n\n1. Add/change
+                                    the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n
+                                    \ - name: opentelemetry\n    opentelemetry:\n
+                                    \   port: 8090\n    service: tracing.example.com\n
+                                    \   grpc:\n    timeout: 10s\n    initialMetadata:\n
+                                    \ - name: \"Authentication\"\n    value: \"token-xxxxx\"\n\n```\n\n2.
+                                    Deploy a `ServiceEntry` for the observability
+                                    back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind:
+                                    ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t-
+                                    tracing.example.com\n\tports:\n\t- number: 8090\n\t
+                                    \ name: grpc-port\n\t  protocol: GRPC\n\tresolution:
+                                    DNS\n\tlocation: MESH_EXTERNAL\n\n```"
+                                  properties:
+                                    initialMetadata:
+                                      description: |-
+                                        Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for
+                                        scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to
+                                        be injected.
+                                      items:
+                                        properties:
+                                          envName:
+                                            description: |-
+                                              The HTTP header value from the environment variable.
+
+                                              Warning:
+                                              - The environment variable must be set in the istiod pod spec.
+                                              - This is not a end-to-end secure.
+                                            type: string
+                                          name:
+                                            description: REQUIRED. The HTTP header
+                                              name.
+                                            type: string
+                                          value:
+                                            description: The HTTP header value.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                        x-kubernetes-validations:
+                                        - message: At most one of [value envName]
+                                            should be set
+                                          rule: (has(self.value)?1:0) + (has(self.envName)?1:0)
+                                            <= 1
+                                      type: array
+                                    timeout:
+                                      description: Optional. Specifies the timeout
+                                        for the GRPC request.
+                                      type: string
+                                  type: object
+                                http:
+                                  description: "Optional. Specifies the configuration
+                                    for exporting OTLP traces via HTTP.\nWhen empty,
+                                    traces will be exported via gRPC.\n\nThe following
+                                    example shows how to configure the OpenTelemetry
+                                    ExtensionProvider to export via HTTP:\n\n1. Add/change
+                                    the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n
+                                    \ - name: otel-tracing\n    opentelemetry:\n    port:
+                                    443\n    service: my.olly-backend.com\n    http:\n
+                                    \   path: \"/api/otlp/traces\"\n    timeout: 10s\n
+                                    \   headers:\n  - name: \"my-custom-header\"\n
+                                    \   value: \"some value\"\n\n```\n\n2. Deploy
+                                    a `ServiceEntry` for the observability back-end\n```yaml\napiVersion:
+                                    networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n\n\tname:
+                                    my-olly-backend\n\nspec:\n\n\thosts:\n\t- my.olly-backend.com\n\tports:\n\t-
+                                    number: 443\n\t  name: https-port\n\t  protocol:
+                                    HTTPS\n\tresolution: DNS\n\tlocation: MESH_EXTERNAL\n\n---\napiVersion:
+                                    networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n\n\tname:
+                                    my-olly-backend\n\nspec:\n\n\thost: my.olly-backend.com\n\ttrafficPolicy:\n\t
+                                    \ portLevelSettings:\n\t  - port:\n\t      number:
+                                    443\n\t    tls:\n\t      mode: SIMPLE\n\n```"
+                                  properties:
+                                    headers:
+                                      description: |-
+                                        Optional. Allows specifying custom HTTP headers that will be added
+                                        to each HTTP request sent.
+                                      items:
+                                        properties:
+                                          envName:
+                                            description: |-
+                                              The HTTP header value from the environment variable.
+
+                                              Warning:
+                                              - The environment variable must be set in the istiod pod spec.
+                                              - This is not a end-to-end secure.
+                                            type: string
+                                          name:
+                                            description: REQUIRED. The HTTP header
+                                              name.
+                                            type: string
+                                          value:
+                                            description: The HTTP header value.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                        x-kubernetes-validations:
+                                        - message: At most one of [value envName]
+                                            should be set
+                                          rule: (has(self.value)?1:0) + (has(self.envName)?1:0)
+                                            <= 1
+                                      type: array
+                                    path:
+                                      description: REQUIRED. Specifies the path on
+                                        the service.
+                                      type: string
+                                    timeout:
+                                      description: |-
+                                        Optional. Specifies the timeout for the HTTP request.
+                                        If not specified, the default is 3s.
+                                      type: string
+                                  required:
+                                  - path
+                                  type: object
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                resourceDetectors:
+                                  description: |-
+                                    Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/)
+                                    to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged
+                                    according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge).
+
+                                    The following example shows how to configure the Environment Resource Detector, that will
+                                    read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`:
+
+                                    ```yaml
+                                      - name: otel-tracing
+                                        opentelemetry:
+                                        port: 443
+                                        service: my.olly-backend.com
+                                        resourceDetectors:
+                                        environment: {}
+
+                                    ```
+                                  properties:
+                                    dynatrace:
+                                      description: |-
+                                        Dynatrace Resource Detector.
+                                        The resource detector reads from the Dynatrace enrichment files
+                                        and adds host/process related attributes to the OpenTelemetry resource.
+
+                                        See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files)
+                                      type: object
+                                    environment:
+                                      description: |-
+                                        OpenTelemetry Environment Resource Detector.
+                                        The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`
+                                        and adds them to the OpenTelemetry resource.
+
+                                        See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable)
+                                      type: object
+                                  type: object
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                              x-kubernetes-validations:
+                              - message: At most one of [dynatraceSampler] should
+                                  be set
+                                rule: (has(self.dynatraceSampler)?1:0) <= 1
+                            prometheus:
+                              description: Configures a Prometheus metrics provider.
+                              type: object
+                            sds:
+                              description: |-
+                                Configures an Extension Provider for SDS. This can be used to
+                                configure an external SDS service to supply secrets for certain Gateways for example.
+                                This is useful for scenarios where the secrets are stored in an external secret store like Vault.
+                                The secret should be configured with sds://provider-name format.
+                              properties:
+                                name:
+                                  description: REQUIRED. Specifies the name of the
+                                    provider. This should be used to configure the
+                                    Gateway SDS.
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that implements the  SDS service.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com".
+                                  type: string
+                              required:
+                              - name
+                              - port
+                              - service
+                              type: object
+                            skywalking:
+                              description: Configures a Apache SkyWalking provider.
+                              properties:
+                                accessToken:
+                                  description: Optional. The SkyWalking OAP access
+                                    token.
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service for the SkyWalking receiver.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                            stackdriver:
+                              description: Configures a Stackdriver provider.
+                              properties:
+                                debug:
+                                  description: |-
+                                    debug enables trace output to stdout.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  type: boolean
+                                logging:
+                                  description: Optional. Controls Stackdriver logging
+                                    behavior.
+                                  properties:
+                                    labels:
+                                      additionalProperties:
+                                        type: string
+                                      description: "Collection of tag names and tag
+                                        expressions to include in the log\nentry.
+                                        Conflicts are resolved by the tag name by
+                                        overriding previously\nsupplied values.\n\nExample:\n\n\tlabels:\n\t
+                                        \ path: request.url_path\n\t  foo: request.headers['x-foo']"
+                                      type: object
+                                  type: object
+                                maxNumberOfAnnotations:
+                                  description: |-
+                                    The global default max number of annotation events per span.
+                                    default is 200.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  format: int64
+                                  type: integer
+                                maxNumberOfAttributes:
+                                  description: |-
+                                    The global default max number of attributes per span.
+                                    default is 200.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  format: int64
+                                  type: integer
+                                maxNumberOfMessageEvents:
+                                  description: |-
+                                    The global default max number of message events per span.
+                                    default is 200.
+
+                                    Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                                  format: int64
+                                  type: integer
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                              type: object
+                            zipkin:
+                              description: Configures a tracing provider that uses
+                                the Zipkin API.
+                              properties:
+                                enable64bitTraceId:
+                                  description: |-
+                                    Optional. A 128 bit trace id will be used in Istio.
+                                    If true, will result in a 64 bit trace id being used.
+                                  type: boolean
+                                headers:
+                                  description: |-
+                                    Optional. Additional HTTP headers to include in the request to the Zipkin collector.
+                                    These headers will be added to the HTTP request when sending spans to the collector.
+                                  items:
+                                    properties:
+                                      envName:
+                                        description: |-
+                                          The HTTP header value from the environment variable.
+
+                                          Warning:
+                                          - The environment variable must be set in the istiod pod spec.
+                                          - This is not a end-to-end secure.
+                                        type: string
+                                      name:
+                                        description: REQUIRED. The HTTP header name.
+                                        type: string
+                                      value:
+                                        description: The HTTP header value.
+                                        type: string
+                                    required:
+                                    - name
+                                    type: object
+                                    x-kubernetes-validations:
+                                    - message: At most one of [value envName] should
+                                        be set
+                                      rule: (has(self.value)?1:0) + (has(self.envName)?1:0)
+                                        <= 1
+                                  type: array
+                                maxTagLength:
+                                  description: |-
+                                    Optional. Controls the overall path length allowed in a reported span.
+                                    NOTE: currently only controls max length of the path tag.
+                                  format: int32
+                                  type: integer
+                                path:
+                                  description: |-
+                                    Optional. Specifies the endpoint of Zipkin API.
+                                    The default value is "/api/v2/spans".
+                                  type: string
+                                port:
+                                  description: REQUIRED. Specifies the port of the
+                                    service.
+                                  format: int32
+                                  type: integer
+                                service:
+                                  description: |-
+                                    REQUIRED. Specifies the service that the Zipkin API.
+                                    The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+                                    to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+                                    service defined by the Kubernetes service or ServiceEntry.
+
+                                    Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".
+                                  type: string
+                                timeout:
+                                  description: |-
+                                    Optional. The timeout for the HTTP request to the Zipkin collector.
+                                    If not specified, the default timeout from Envoy's configuration will be used (which is 5 seconds currently).
+                                  type: string
+                                traceContextOption:
+                                  description: |-
+                                    Optional. Determines which trace context format to use for trace header extraction and propagation.
+                                    This controls both downstream request header extraction and upstream request header injection.
+                                    The default value is USE_B3 to maintain backward compatibility.
+                                  enum:
+                                  - USE_B3
+                                  - USE_B3_WITH_W3C_PROPAGATION
+                                  type: string
+                              required:
+                              - port
+                              - service
+                              type: object
+                          required:
+                          - name
+                          type: object
+                          x-kubernetes-validations:
+                          - message: At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc
+                              zipkin lightstep datadog stackdriver opencensus skywalking
+                              opentelemetry prometheus envoyFileAccessLog envoyHttpAls
+                              envoyTcpAls envoyOtelAls sds] should be set
+                            rule: (has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0)
+                              + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0)
+                              + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0)
+                              + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0)
+                              + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0)
+                              + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0)
+                              + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0)
+                              + (has(self.sds)?1:0) <= 1
+                        maxItems: 1000
+                        type: array
+                      h2UpgradePolicy:
+                        description: |-
+                          Specify if http1.1 connections should be upgraded to http2 by default.
+                          if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`.
+                          If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`.
+                          It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override.
+                        enum:
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      hboneIdleTimeout:
+                        description: |-
+                          Idle timeout configured on Envoy proxies for their connection pools to ztunnel via HBONE.
+                          This controls how long Envoy will keep idle connections to ztunnel before closing them.
+                          Note: This setting is applied only on the Envoy proxy side; ztunnel does not use it.
+                          Default timeout is 1 hour (3600s).
+                          For environments with aggressive IP address reuse, it is recommended to set
+                          this to a value less than the CNI IP cooldown period to prevent stale connection reuse.
+                          For example, if your CNI has a 30s cooldown period, setting this to 15s is recommended.
+                        type: string
+                      inboundClusterStatName:
+                        description: |-
+                          Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
+                          network filters like TCP and Redis.
+                          By default, Istio emits statistics with the pattern `inbound|<port>|<port-name>|<service-FQDN>`.
+                          For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern.
+
+                          A Pattern can be composed of various pre-defined variables. The following variables are supported.
+
+                          - `%SERVICE%` - Will be substituted with short hostname of the service.
+                          - `%SERVICE_NAME%` - Will be substituted with name of the service.
+                          - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service.
+                          - `%SERVICE_PORT%` - Will be substituted with port of the service.
+                          - `%TARGET_PORT%`  - Will be substituted with the target port of the service.
+                          - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service.
+
+                          Following are some examples of supported patterns for reviews:
+
+                          - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name.
+                          - `%SERVICE%` will use reviews.prod as the stats name.
+                        type: string
+                      inboundTrafficPolicy:
+                        description: |-
+                          Set the default behavior of the sidecar for handling inbound
+                          traffic to the application.  If your application listens on
+                          localhost, you will need to set this to `LOCALHOST`.
+                        properties:
+                          mode:
+                            enum:
+                            - PASSTHROUGH
+                            - LOCALHOST
+                            type: string
+                        type: object
+                      ingressClass:
+                        description: |-
+                          Class of ingress resources to be processed by Istio ingress
+                          controller. This corresponds to the value of
+                          `kubernetes.io/ingress.class` annotation.
+                        type: string
+                      ingressControllerMode:
+                        description: |-
+                          Defines whether to use Istio ingress controller for annotated or all ingress resources.
+                          Default mode is `STRICT`.
+                        enum:
+                        - UNSPECIFIED
+                        - "OFF"
+                        - DEFAULT
+                        - STRICT
+                        type: string
+                      ingressSelector:
+                        description: |-
+                          Defines which gateway deployment to use as the Ingress controller. This field corresponds to
+                          the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`.
+                          By default, `ingressgateway` is used, which will select the default IngressGateway as it has the
+                          `istio: ingressgateway` labels.
+                          It is recommended that this is the same value as ingressService.
+                        type: string
+                      ingressService:
+                        description: |-
+                          Name of the Kubernetes service used for the istio ingress controller.
+                          If no ingress controller is specified, the default value `istio-ingressgateway` is used.
+                        type: string
+                      localityLbSetting:
+                        description: |-
+                          Locality based load balancing distribution or failover settings.
+                          If unspecified, locality based load balancing will be enabled by default.
+                          However, this requires outlierDetection to actually take effect for a particular
+                          service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/
+                        properties:
+                          distribute:
+                            description: |-
+                              Optional: only one of distribute, failover or failoverPriority can be set.
+                              Explicitly specify loadbalancing weight across different zones and geographical locations.
+                              Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight)
+                              If empty, the locality weight is set according to the endpoints number within it.
+                            items:
+                              description: |-
+                                Describes how traffic originating in the 'from' zone or sub-zone is
+                                distributed over a set of 'to' zones. Syntax for specifying a zone is
+                                {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
+                                segment of the specification. Examples:
+
+                                `*` - matches all localities
+
+                                `us-west/*` - all zones and sub-zones within the us-west region
+
+                                `us-west/zone-1/*` - all sub-zones within us-west/zone-1
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g. 'region/zone/sub_zone'.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    format: int32
+                                    type: integer
+                                  description: |-
+                                    Map of upstream localities to traffic distribution weights. The sum of
+                                    all weights should be 100. Any locality not present will
+                                    receive no traffic.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: |-
+                              Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety.
+                              e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.
+                            type: boolean
+                          failover:
+                            description: |-
+                              Optional: only one of distribute, failover or failoverPriority can be set.
+                              Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
+                              Should be used together with OutlierDetection to detect unhealthy endpoints.
+                              Note: if no OutlierDetection specified, this will not take effect.
+                            items:
+                              description: |-
+                                Specify the traffic failover policy across regions. Since zone and sub-zone
+                                failover is supported by default this only needs to be specified for
+                                regions when the operator needs to constrain traffic failover so that
+                                the default behavior of failing over to any endpoint globally does not
+                                apply. This is useful when failing over traffic across regions would not
+                                improve service health or may need to be restricted for other reasons
+                                like regulatory controls.
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: |-
+                                    Destination region the traffic will fail over to when endpoints in
+                                    the 'from' region becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: |-
+                              failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
+                              This is to support traffic failover across different groups of endpoints.
+                              Two kinds of labels can be specified:
+
+                                - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints.
+                                  Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified:
+
+                                  1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
+                                  2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
+                                  3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
+                                  4. All the other endpoints have priority P(N) i.e. lowest priority.
+
+                                - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints.
+                                  Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified:
+
+                                  1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
+                                  2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
+                                  3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
+                                  4. All the other endpoints have priority P(N) i.e. lowest priority.
+
+                              Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.
+
+                              It can be any label specified on both client and server workloads.
+                              The following labels which have special semantic meaning are also supported:
+
+                                - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks.
+                                - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`.
+                                - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`.
+                                - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`.
+                                - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`.
+                                - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`.
+
+                              The below topology config indicates the following priority levels:
+
+                              ```yaml
+                              failoverPriority:
+                              - "topology.istio.io/network"
+                              - "topology.kubernetes.io/region"
+                              - "topology.kubernetes.io/zone"
+                              - "topology.istio.io/subzone"
+                              ```
+
+                              1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
+                              2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
+                              3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
+                              4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
+                              5. all the other endpoints have the same lowest priority.
+
+                              Suppose a service associated endpoints reside in multi clusters, the below example represents:
+                              1. endpoints in `clusterA` and has `version=v1` label have P(0) priority.
+                              2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority.
+                              2. all the other endpoints have P(2) priority.
+
+                              ```yaml
+                              failoverPriority:
+                              - "version=v1"
+                              - "topology.istio.io/cluster=clusterA"
+                              ```
+
+                              Optional: only one of distribute, failover or failoverPriority can be set.
+                              And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      meshMTLS:
+                        description: "The below configuration parameters can be used
+                          to specify TLSConfig for mesh traffic.\nFor example, a user
+                          could enable min TLS version for ISTIO_MUTUAL traffic and
+                          specify a curve for non ISTIO_MUTUAL traffic like below:\n```yaml\nmeshConfig:\n\n\tmeshMTLS:\n\t
+                          \ minProtocolVersion: TLSV1_3\n\ttlsDefaults:\n\t  Note:
+                          applicable only for non ISTIO_MUTUAL scenarios\n\t  ecdhCurves:\n\t
+                          \   - P-256\n\t    - P-512\n\n```\nConfiguration of mTLS
+                          for traffic between workloads with ISTIO_MUTUAL TLS traffic.\n\nNote:
+                          Mesh mTLS does not respect ECDH curves."
+                        properties:
+                          cipherSuites:
+                            description: |-
+                              Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
+                              If not specified, the following cipher suites will be used:
+                              ```
+                              ECDHE-ECDSA-AES256-GCM-SHA384
+                              ECDHE-RSA-AES256-GCM-SHA384
+                              ECDHE-ECDSA-AES128-GCM-SHA256
+                              ECDHE-RSA-AES128-GCM-SHA256
+                              AES256-GCM-SHA384
+                              AES128-GCM-SHA256
+                              ```
+                            items:
+                              type: string
+                            type: array
+                          ecdhCurves:
+                            description: |-
+                              Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
+                              If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
+                              [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto).
+                            items:
+                              type: string
+                            type: array
+                          minProtocolVersion:
+                            description: |-
+                              Optional: the minimum TLS protocol version. The default minimum
+                              TLS version will be TLS 1.2. As servers may not be Envoy and be
+                              set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
+                              minimum TLS version for clients may also be TLS 1.2.
+                              In the current Istio implementation, the maximum TLS protocol version
+                              is TLS 1.3.
+                            enum:
+                            - TLS_AUTO
+                            - TLSV1_2
+                            - TLSV1_3
+                            type: string
+                        type: object
+                      outboundClusterStatName:
+                        description: |-
+                          Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
+                          network filters like TCP and Redis.
+                          By default, Istio emits statistics with the pattern `outbound|<port>|<subsetname>|<service-FQDN>`.
+                          For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern.
+
+                          A Pattern can be composed of various pre-defined variables. The following variables are supported.
+
+                          - `%SERVICE%` - Will be substituted with short hostname of the service.
+                          - `%SERVICE_NAME%` - Will be substituted with name of the service.
+                          - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service.
+                          - `%SERVICE_PORT%` - Will be substituted with port of the service.
+                          - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service.
+                          - `%SUBSET_NAME%` - Will be substituted with subset.
+
+                          Following are some examples of supported patterns for reviews:
+
+                          - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name.
+                          - `%SERVICE%` will use reviews.prod as the stats name.
+                        type: string
+                      outboundTrafficPolicy:
+                        description: |-
+                          Set the default behavior of the sidecar for handling outbound
+                          traffic from the application.
+
+                          Can be overridden at a Sidecar level by setting the `OutboundTrafficPolicy` in the
+                          [Sidecar API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy).
+
+                          Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed.
+                        properties:
+                          mode:
+                            enum:
+                            - REGISTRY_ONLY
+                            - ALLOW_ANY
+                            type: string
+                        type: object
+                      pathNormalization:
+                        description: |-
+                          ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
+                          normalized by the sidecars and gateways.
+                          The normalized paths will be used in all aspects through the requests' lifetime on the
+                          sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
+                          authorization policy match and enforcement in inbound direction (server proxy), and the URL
+                          path proxied to the upstream service.
+                          If not set, the NormalizationType.DEFAULT configuration will be used.
+                        properties:
+                          normalization:
+                            enum:
+                            - DEFAULT
+                            - NONE
+                            - BASE
+                            - MERGE_SLASHES
+                            - DECODE_AND_MERGE_SLASHES
+                            type: string
+                        type: object
+                      protocolDetectionTimeout:
+                        description: |-
+                          Automatic protocol detection uses a set of heuristics to
+                          determine whether the connection is using TLS or not (on the
+                          server side), as well as the application protocol being used
+                          (e.g., http vs tcp). These heuristics rely on the client sending
+                          the first bits of data. For server first protocols like MySQL,
+                          MongoDB, etc. Envoy will timeout on the protocol detection after
+                          the specified period, defaulting to non mTLS plain TCP
+                          traffic. Set this field to tweak the period that Envoy will wait
+                          for the client to send the first bits of data. (MUST be >=1ms or
+                          0s to disable). Default detection timeout is 0s (no timeout).
+
+                          Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit
+                          occasionally, and when they occur the result is typically broken traffic that may not
+                          recover on its own. Exceptionally high values might solve this, but injecting 60s delays
+                          onto new connections is generally not tenable anyways.
+                        type: string
+                      proxyHttpPort:
+                        description: Port on which Envoy should listen for HTTP PROXY
+                          requests if set.
+                        format: int32
+                        type: integer
+                      proxyInboundListenPort:
+                        description: |-
+                          Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to.
+                          Default port is 15006.
+                        format: int32
+                        type: integer
+                      proxyListenPort:
+                        description: |-
+                          Port on which Envoy should listen for all outbound traffic to other services.
+                          Default port is 15001.
+                        format: int32
+                        type: integer
+                      rootNamespace:
+                        description: |-
+                          The namespace to treat as the administrative root namespace for
+                          Istio configuration. When processing a leaf namespace Istio will search for
+                          declarations in that namespace first and if none are found it will
+                          search in the root namespace. Any matching declaration found in the root
+                          namespace is processed as if it were declared in the leaf namespace.
+
+                          The precise semantics of this processing are documented on each resource
+                          type.
+                        type: string
+                      serviceScopeConfigs:
+                        description: Scope to be applied to select services.
+                        items:
+                          description: |-
+                            Configuration for ambient mode multicluster service scope. This setting allows mesh administrators
+                            to define the criteria by which the cluster's control plane determines which services in other
+                            clusters in the mesh are treated as global (accessible across multiple clusters) versus local
+                            (restricted to a single cluster). The configuration can be applied to services based on namespace
+                            and/or other matching criteria. This is particularly  useful in multicluster service mesh deployments
+                            to control service visibility and access across clusters. This API is not intended to enforce
+                            security policies. Resources like DestinationRules should be used to enforce authorization policies.
+                            If a service matches a global service scope selector, the service's endpoints will be globally
+                            exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster
+                            services.
+
+                            For example, the following configures the scope of all services with the "istio.io/global" label
+                            in matching namespaces to be available globally:
+
+                            ```yaml
+                            serviceScopeConfigs:
+                              - namespacesSelector:
+                                matchExpressions:
+                              - key: istio.io/global
+                                operator: In
+                                values: [true]
+                                servicesSelector:
+                                matchExpressions:
+                              - key: istio.io/global
+                                operator: Exists
+                                scope: GLOBAL
+
+                            ```
+                          properties:
+                            namespaceSelector:
+                              description: Match expression for namespaces.
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label
+                                    selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: |-
+                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                      relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the
+                                          selector applies to.
+                                        type: string
+                                      operator:
+                                        description: |-
+                                          operator represents a key's relationship to a set of values.
+                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: |-
+                                          values is an array of string values. If the operator is In or NotIn,
+                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                          the values array must be empty. This array is replaced during a strategic
+                                          merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                  type: object
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            scope:
+                              description: Specifics the available scope for matching
+                                services.
+                              enum:
+                              - LOCAL
+                              - GLOBAL
+                              type: string
+                            servicesSelector:
+                              description: Match expression for serivces.
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label
+                                    selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: |-
+                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                      relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the
+                                          selector applies to.
+                                        type: string
+                                      operator:
+                                        description: |-
+                                          operator represents a key's relationship to a set of values.
+                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: |-
+                                          values is an array of string values. If the operator is In or NotIn,
+                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                          the values array must be empty. This array is replaced during a strategic
+                                          merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                  type: object
+                              type: object
+                              x-kubernetes-map-type: atomic
+                          type: object
+                        type: array
+                      serviceSettings:
+                        description: Settings to be applied to select services.
+                        items:
+                          description: |-
+                            Settings to be applied to select services.
+
+                            For example, the following configures all services in namespace "foo" as well as the
+                            "bar" service in namespace "baz" to be considered cluster-local:
+
+                            ```yaml
+                            serviceSettings:
+                              - settings:
+                                clusterLocal: true
+                                hosts:
+                              - "*.foo.svc.cluster.local"
+                              - "bar.baz.svc.cluster.local"
+
+                            ```
+
+                            When in ambient mode, if ServiceSettings are defined they will be considered in addition to the
+                            ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a
+                            global service scope selector, the service will be considered cluster local. If a service is
+                            considered global by ServiceSettings and does not match a global service scope selector
+                            the serive will be considered local. Local scope takes precedence over global scope. Since
+                            ServiceScopeConfigs is local by default, all services are considered local unless it is considered
+                            global by ServiceSettings AND ServiceScopeConfigs.
+                          properties:
+                            hosts:
+                              description: |-
+                                The services to which the Settings should be applied. Services are selected using the hostname
+                                matching rules used by DestinationRule.
+
+                                For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local
+                              items:
+                                type: string
+                              type: array
+                            settings:
+                              description: The settings to apply to the selected services.
+                              properties:
+                                clusterLocal:
+                                  description: |-
+                                    If true, specifies that the client and service endpoints must reside in the same cluster.
+                                    By default, in multi-cluster deployments, the Istio control plane assumes all service
+                                    endpoints to be reachable from any client in any of the clusters which are part of the
+                                    mesh. This configuration option limits the set of service endpoints visible to a client
+                                    to be cluster scoped.
+
+                                    There are some common scenarios when this can be useful:
+
+                                      - A service (or group of services) is inherently local to the cluster and has local storage
+                                        for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
+                                      - A mesh administrator wants to slowly migrate services to Istio. They might start by first
+                                        having services cluster-local and then slowly transition them to mesh-wide. They could do
+                                        this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
+                                        (e.g. *.myns.svc.cluster.local).
+
+                                    By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
+                                    services in the kube-system namespace to be cluster-local, unless explicitly overridden here.
+                                  type: boolean
+                              type: object
+                          type: object
+                        type: array
+                      tcpKeepalive:
+                        description: If set then set `SO_KEEPALIVE` on the socket
+                          to enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: |-
+                              The time duration between keep-alive probes.
+                              Default is to use the OS level configuration
+                              (unless overridden, Linux defaults to 75s.)
+                            type: string
+                          probes:
+                            description: |-
+                              Maximum number of keepalive probes to send without response before
+                              deciding the connection is dead. Default is to use the OS level configuration
+                              (unless overridden, Linux defaults to 9.)
+                            format: int32
+                            type: integer
+                          time:
+                            description: |-
+                              The time duration a connection needs to be idle before keep-alive
+                              probes start being sent. Default is to use the OS level configuration
+                              (unless overridden, Linux defaults to 7200s (ie 2 hours.)
+                            type: string
+                        type: object
+                      tlsDefaults:
+                        description: |-
+                          Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
+                          For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.
+                        properties:
+                          cipherSuites:
+                            description: |-
+                              Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
+                              If not specified, the following cipher suites will be used:
+                              ```
+                              ECDHE-ECDSA-AES256-GCM-SHA384
+                              ECDHE-RSA-AES256-GCM-SHA384
+                              ECDHE-ECDSA-AES128-GCM-SHA256
+                              ECDHE-RSA-AES128-GCM-SHA256
+                              AES256-GCM-SHA384
+                              AES128-GCM-SHA256
+                              ```
+                            items:
+                              type: string
+                            type: array
+                          ecdhCurves:
+                            description: |-
+                              Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
+                              If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
+                              [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto).
+                            items:
+                              type: string
+                            type: array
+                          minProtocolVersion:
+                            description: |-
+                              Optional: the minimum TLS protocol version. The default minimum
+                              TLS version will be TLS 1.2. As servers may not be Envoy and be
+                              set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
+                              minimum TLS version for clients may also be TLS 1.2.
+                              In the current Istio implementation, the maximum TLS protocol version
+                              is TLS 1.3.
+                            enum:
+                            - TLS_AUTO
+                            - TLSV1_2
+                            - TLSV1_3
+                            type: string
+                        type: object
+                      trustDomain:
+                        description: |-
+                          The trust domain corresponds to the trust root of a system.
+                          Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain)
+                        type: string
+                      trustDomainAliases:
+                        description: |-
+                          The trust domain aliases represent the aliases of `trustDomain`.
+                          For example, if we have
+                          ```yaml
+                          trustDomain: td1
+                          trustDomainAliases: ["td2", "td3"]
+                          ```
+                          Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`,
+                          or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh.
+                        items:
+                          type: string
+                        type: array
+                      verifyCertificateAtClient:
+                        description: |-
+                          `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation
+                          at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination
+                          modes are used. This setting can be overridden at the host level via DestinationRule API.
+                          By default, `VerifyCertificateAtClient` is `true`.
+
+                          `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset,
+                          and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and
+                          `VerifyCertificateAtClient` is false, proxy will not verify the CA.
+
+                          `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset,
+                          and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs.
+                          If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs.
+
+                          For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level
+                          wildcard if the specified host in DestinationRule doesn't contain a wildcard.
+                          For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will
+                          match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate.
+                          For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example,
+                          if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches
+                          `.x.y.com` suffix.
+
+                          Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
+                        type: boolean
+                    type: object
+                  pilot:
+                    description: Configuration for the Pilot component.
+                    properties:
+                      affinity:
+                        description: K8s affinity to set on the Pilot Pods.
+                        properties:
+                          nodeAffinity:
+                            description: Describes node affinity scheduling rules
+                              for the pod.
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node matches the corresponding matchExpressions; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: |-
+                                    An empty preferred scheduling term matches all objects with implicit weight 0
+                                    (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+                                  properties:
+                                    preference:
+                                      description: A node selector term, associated
+                                        with the corresponding weight.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    weight:
+                                      description: Weight associated with matching
+                                        the corresponding nodeSelectorTerm, in the
+                                        range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - preference
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to an update), the system
+                                  may or may not try to eventually evict the pod from its node.
+                                properties:
+                                  nodeSelectorTerms:
+                                    description: Required. A list of node selector
+                                      terms. The terms are ORed.
+                                    items:
+                                      description: |-
+                                        A null or empty node selector term matches no objects. The requirements of
+                                        them are ANDed.
+                                        The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - nodeSelectorTerms
+                                type: object
+                                x-kubernetes-map-type: atomic
+                            type: object
+                          podAffinity:
+                            description: Describes pod affinity scheduling rules (e.g.
+                              co-locate this pod in the same node, zone, etc. as some
+                              other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          podAntiAffinity:
+                            description: Describes pod anti-affinity scheduling rules
+                              (e.g. avoid putting this pod in the same node, zone,
+                              etc. as some other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the anti-affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling anti-affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and subtracting
+                                  "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the anti-affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the anti-affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                        type: object
+                      autoscaleBehavior:
+                        description: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
+                        properties:
+                          scaleDown:
+                            description: |-
+                              scaleDown is scaling policy for scaling Down.
+                              If not set, the default value is to allow to scale down to minReplicas pods, with a
+                              300 second stabilization window (i.e., the highest recommendation for
+                              the last 300sec is used).
+                            properties:
+                              policies:
+                                description: |-
+                                  policies is a list of potential scaling polices which can be used during scaling.
+                                  If not set, use the default values:
+                                  - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+                                  - For scale down: allow all pods to be removed in a 15s window.
+                                items:
+                                  description: HPAScalingPolicy is a single policy
+                                    which must hold true for a specified past interval.
+                                  properties:
+                                    periodSeconds:
+                                      description: |-
+                                        periodSeconds specifies the window of time for which the policy should hold true.
+                                        PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+                                      format: int32
+                                      type: integer
+                                    type:
+                                      description: type is used to specify the scaling
+                                        policy.
+                                      type: string
+                                    value:
+                                      description: |-
+                                        value contains the amount of change which is permitted by the policy.
+                                        It must be greater than zero
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - periodSeconds
+                                  - type
+                                  - value
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              selectPolicy:
+                                description: |-
+                                  selectPolicy is used to specify which policy should be used.
+                                  If not set, the default value Max is used.
+                                type: string
+                              stabilizationWindowSeconds:
+                                description: |-
+                                  stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+                                  considered while scaling up or scaling down.
+                                  StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+                                  If not set, use the default values:
+                                  - For scale up: 0 (i.e. no stabilization is done).
+                                  - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+                                format: int32
+                                type: integer
+                              tolerance:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  tolerance is the tolerance on the ratio between the current and desired
+                                  metric value under which no updates are made to the desired number of
+                                  replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+                                  set, the default cluster-wide tolerance is applied (by default 10%).
+
+                                  For example, if autoscaling is configured with a memory consumption target of 100Mi,
+                                  and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+                                  triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+
+                                  This is an beta field and requires the HPAConfigurableTolerance feature
+                                  gate to be enabled.
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                            type: object
+                          scaleUp:
+                            description: |-
+                              scaleUp is scaling policy for scaling Up.
+                              If not set, the default value is the higher of:
+                                * increase no more than 4 pods per 60 seconds
+                                * double the number of pods per 60 seconds
+                              No stabilization is used.
+                            properties:
+                              policies:
+                                description: |-
+                                  policies is a list of potential scaling polices which can be used during scaling.
+                                  If not set, use the default values:
+                                  - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+                                  - For scale down: allow all pods to be removed in a 15s window.
+                                items:
+                                  description: HPAScalingPolicy is a single policy
+                                    which must hold true for a specified past interval.
+                                  properties:
+                                    periodSeconds:
+                                      description: |-
+                                        periodSeconds specifies the window of time for which the policy should hold true.
+                                        PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+                                      format: int32
+                                      type: integer
+                                    type:
+                                      description: type is used to specify the scaling
+                                        policy.
+                                      type: string
+                                    value:
+                                      description: |-
+                                        value contains the amount of change which is permitted by the policy.
+                                        It must be greater than zero
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - periodSeconds
+                                  - type
+                                  - value
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              selectPolicy:
+                                description: |-
+                                  selectPolicy is used to specify which policy should be used.
+                                  If not set, the default value Max is used.
+                                type: string
+                              stabilizationWindowSeconds:
+                                description: |-
+                                  stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+                                  considered while scaling up or scaling down.
+                                  StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+                                  If not set, use the default values:
+                                  - For scale up: 0 (i.e. no stabilization is done).
+                                  - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+                                format: int32
+                                type: integer
+                              tolerance:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  tolerance is the tolerance on the ratio between the current and desired
+                                  metric value under which no updates are made to the desired number of
+                                  replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+                                  set, the default cluster-wide tolerance is applied (by default 10%).
+
+                                  For example, if autoscaling is configured with a memory consumption target of 100Mi,
+                                  and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+                                  triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+
+                                  This is an beta field and requires the HPAConfigurableTolerance feature
+                                  gate to be enabled.
+                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                x-kubernetes-int-or-string: true
+                            type: object
+                        type: object
+                      autoscaleEnabled:
+                        description: Controls whether a HorizontalPodAutoscaler is
+                          installed for Pilot.
+                        type: boolean
+                      autoscaleMax:
+                        description: Maximum number of replicas in the HorizontalPodAutoscaler
+                          for Pilot.
+                        format: int32
+                        type: integer
+                      autoscaleMin:
+                        description: Minimum number of replicas in the HorizontalPodAutoscaler
+                          for Pilot.
+                        format: int32
+                        type: integer
+                      cni:
+                        description: Configures whether to use an existing CNI installation
+                          for workloads
+                        properties:
+                          enabled:
+                            description: Controls whether CNI should be used.
+                            type: boolean
+                          provider:
+                            description: |-
+                              Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation
+                              `k8s.v1.cni.cncf.io/networks` is set on injected pods to point to a NetworkAttachmentDefinition
+                            type: string
+                        type: object
+                      configMap:
+                        description: |-
+                          Configuration settings passed to Pilot as a ConfigMap.
+
+                          This controls whether the mesh config map, generated from values.yaml is generated.
+                          If false, pilot wil use default values or user-supplied values, in that order of preference.
+                        type: boolean
+                      cpu:
+                        description: |-
+                          Target CPU utilization used in HorizontalPodAutoscaler.
+
+                          See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          targetAverageUtilization:
+                            description: |-
+                              K8s utilization setting for HorizontalPodAutoscaler target.
+
+                              See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+                            format: int32
+                            type: integer
+                        type: object
+                      crlConfigMapName:
+                        description: Select a custom name for istiod's plugged-in
+                          CA CRL ConfigMap.
+                        type: string
+                      deploymentLabels:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          Labels that are added to Pilot deployment.
+
+                          See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+                        type: object
+                      enabled:
+                        description: Controls whether Pilot is enabled.
+                        type: boolean
+                      env:
+                        additionalProperties:
+                          type: string
+                        description: "Environment variables passed to the Pilot container.\n\nExamples:\nenv:\n\n\tENV_VAR_1:
+                          value1\n\tENV_VAR_2: value2"
+                        type: object
+                      envVarFrom:
+                        description: Configuration for the istio-discovery chart
+                        items:
+                          description: EnvVar represents an environment variable present
+                            in a Container.
+                          properties:
+                            name:
+                              description: |-
+                                Name of the environment variable.
+                                May consist of any printable ASCII characters except '='.
+                              type: string
+                            value:
+                              description: |-
+                                Variable references $(VAR_NAME) are expanded
+                                using the previously defined environment variables in the container and
+                                any service environment variables. If a variable cannot be resolved,
+                                the reference in the input string will be unchanged. Double $$ are reduced
+                                to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+                                "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+                                Escaped references will never be expanded, regardless of whether the variable
+                                exists or not.
+                                Defaults to "".
+                              type: string
+                            valueFrom:
+                              description: Source for the environment variable's value.
+                                Cannot be used if value is not empty.
+                              properties:
+                                configMapKeyRef:
+                                  description: Selects a key of a ConfigMap.
+                                  properties:
+                                    key:
+                                      description: The key to select.
+                                      type: string
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                    optional:
+                                      description: Specify whether the ConfigMap or
+                                        its key must be defined
+                                      type: boolean
+                                  required:
+                                  - key
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                fieldRef:
+                                  description: |-
+                                    Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
+                                    spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+                                  properties:
+                                    apiVersion:
+                                      description: Version of the schema the FieldPath
+                                        is written in terms of, defaults to "v1".
+                                      type: string
+                                    fieldPath:
+                                      description: Path of the field to select in
+                                        the specified API version.
+                                      type: string
+                                  required:
+                                  - fieldPath
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                fileKeyRef:
+                                  description: |-
+                                    FileKeyRef selects a key of the env file.
+                                    Requires the EnvFiles feature gate to be enabled.
+                                  properties:
+                                    key:
+                                      description: |-
+                                        The key within the env file. An invalid key will prevent the pod from starting.
+                                        The keys defined within a source may consist of any printable ASCII characters except '='.
+                                        During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+                                      type: string
+                                    optional:
+                                      default: false
+                                      description: |-
+                                        Specify whether the file or its key must be defined. If the file or key
+                                        does not exist, then the env var is not published.
+                                        If optional is set to true and the specified key does not exist,
+                                        the environment variable will not be set in the Pod's containers.
+
+                                        If optional is set to false and the specified key does not exist,
+                                        an error will be returned during Pod creation.
+                                      type: boolean
+                                    path:
+                                      description: |-
+                                        The path within the volume from which to select the file.
+                                        Must be relative and may not contain the '..' path or start with '..'.
+                                      type: string
+                                    volumeName:
+                                      description: The name of the volume mount containing
+                                        the env file.
+                                      type: string
+                                  required:
+                                  - key
+                                  - path
+                                  - volumeName
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                resourceFieldRef:
+                                  description: |-
+                                    Selects a resource of the container: only resources limits and requests
+                                    (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+                                  properties:
+                                    containerName:
+                                      description: 'Container name: required for volumes,
+                                        optional for env vars'
+                                      type: string
+                                    divisor:
+                                      anyOf:
+                                      - type: integer
+                                      - type: string
+                                      description: Specifies the output format of
+                                        the exposed resources, defaults to "1"
+                                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                      x-kubernetes-int-or-string: true
+                                    resource:
+                                      description: 'Required: resource to select'
+                                      type: string
+                                  required:
+                                  - resource
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                secretKeyRef:
+                                  description: Selects a key of a secret in the pod's
+                                    namespace
+                                  properties:
+                                    key:
+                                      description: The key of the secret to select
+                                        from.  Must be a valid secret key.
+                                      type: string
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                    optional:
+                                      description: Specify whether the Secret or its
+                                        key must be defined
+                                      type: boolean
+                                  required:
+                                  - key
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                              type: object
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      extraContainerArgs:
+                        description: Additional container arguments for the Pilot
+                          container.
+                        items:
+                          type: string
+                        type: array
+                      hub:
+                        description: Hub to pull the container image from. Image will
+                          be `Hub/Image:Tag-Variant`.
+                        type: string
+                      image:
+                        description: |-
+                          Image name used for Pilot.
+
+                          This can be set either to image name if hub is also set, or can be set to the full hub:name string.
+
+                          Examples: custom-pilot, docker.io/someuser:custom-pilot
+                        type: string
+                      ipFamilies:
+                        description: |-
+                          Defines which IP family to use for single stack or the order of IP families for dual-stack.
+                          Valid list items are "IPv4", "IPv6".
+                          More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+                        items:
+                          type: string
+                        type: array
+                      ipFamilyPolicy:
+                        description: |-
+                          Controls whether Services are configured to use IPv4, IPv6, or both. Valid options
+                          are PreferDualStack, RequireDualStack, and SingleStack.
+                          More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+                        type: string
+                      istiodRemote:
+                        description: Configuration for the istio-discovery chart when
+                          istiod is running in a remote cluster (e.g. "remote control
+                          plane").
+                        properties:
+                          enabled:
+                            description: Indicates if this cluster/install should
+                              consume a "remote" istiod instance,
+                            type: boolean
+                          enabledLocalInjectorIstiod:
+                            description: |-
+                              If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+                              local istiod inject sidecars
+                            type: boolean
+                          injectionCABundle:
+                            description: injector ca bundle
+                            type: string
+                          injectionPath:
+                            description: Path to use for the sidecar injector webhook
+                              service.
+                            type: string
+                          injectionURL:
+                            description: URL to use for sidecar injector webhook.
+                            type: string
+                        type: object
+                      jwksResolverExtraRootCA:
+                        description: |-
+                          Specifies an extra root certificate in PEM format. This certificate will be trusted
+                          by pilot when resolving JWKS URIs.
+                        type: string
+                      keepaliveMaxServerConnectionAge:
+                        description: |-
+                          Maximum duration that a sidecar can be connected to a pilot.
+
+                          This setting balances out load across pilot instances, but adds some resource overhead.
+
+                          Examples: 300s, 30m, 1h
+                        type: string
+                      memory:
+                        description: |-
+                          Target memory utilization used in HorizontalPodAutoscaler.
+
+                          See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          targetAverageUtilization:
+                            description: |-
+                              K8s utilization setting for HorizontalPodAutoscaler target.
+
+                              See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+                            format: int32
+                            type: integer
+                        type: object
+                      nodeSelector:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          K8s node selector.
+
+                          See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: object
+                      podAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          K8s annotations for pods.
+
+                          See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        type: object
+                      podLabels:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          Labels that are added to Pilot pods.
+
+                          See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+                        type: object
+                      replicaCount:
+                        description: |-
+                          Number of replicas in the Pilot Deployment.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        format: int32
+                        type: integer
+                      resources:
+                        description: |-
+                          K8s resources settings.
+
+                          See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      rollingMaxSurge:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          K8s rolling update strategy
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        x-kubernetes-int-or-string: true
+                      rollingMaxUnavailable:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          The number of pods that can be unavailable during a rolling update (see
+                          `strategy.rollingUpdate.maxUnavailable` here:
+                          https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec).
+                          May be specified as a number of pods or as a percent of the total number
+                          of pods at the start of the update.
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        x-kubernetes-int-or-string: true
+                      seccompProfile:
+                        description: |-
+                          The seccompProfile for the Pilot container.
+
+                          See: https://kubernetes.io/docs/tutorials/security/seccomp/
+                        properties:
+                          localhostProfile:
+                            description: |-
+                              localhostProfile indicates a profile defined in a file on the node should be used.
+                              The profile must be preconfigured on the node to work.
+                              Must be a descending path, relative to the kubelet's configured seccomp profile location.
+                              Must be set if type is "Localhost". Must NOT be set for any other type.
+                            type: string
+                          type:
+                            description: |-
+                              type indicates which kind of seccomp profile will be applied.
+                              Valid options are:
+
+                              Localhost - a profile defined in a file on the node should be used.
+                              RuntimeDefault - the container runtime default profile should be used.
+                              Unconfined - no profile should be applied.
+                            type: string
+                        required:
+                        - type
+                        type: object
+                      serviceAccountAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: K8s annotations for the service account
+                        type: object
+                      serviceAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          K8s annotations for the Service.
+
+                          See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+                        type: object
+                      tag:
+                        description: The container image tag to pull. Image will be
+                          `Hub/Image:Tag-Variant`.
+                        type: string
+                      taint:
+                        properties:
+                          enabled:
+                            description: |-
+                              Enable the untaint controller for new nodes. This aims to solve a race for CNI installation on
+                              new nodes. For this to work, the newly added nodes need to have the istio CNI taint as they are
+                              added to the cluster. This is usually done by configuring the cluster infra provider.
+                            type: boolean
+                          namespace:
+                            description: The namespace of the CNI daemonset, incase
+                              it's not the same as istiod.
+                            type: string
+                        type: object
+                      tolerations:
+                        description: |-
+                          The node tolerations to be applied to the Pilot deployment so that it can be
+                          scheduled to particular nodes with matching taints.
+                          More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        items:
+                          description: |-
+                            The pod this Toleration is attached to tolerates any taint that matches
+                            the triple <key,value,effect> using the matching operator <operator>.
+                          properties:
+                            effect:
+                              description: |-
+                                Effect indicates the taint effect to match. Empty means match all taint effects.
+                                When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: |-
+                                Key is the taint key that the toleration applies to. Empty means match all taint keys.
+                                If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                              type: string
+                            operator:
+                              description: |-
+                                Operator represents a key's relationship to the value.
+                                Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+                                Exists is equivalent to wildcard for value, so that a pod can
+                                tolerate all taints of a particular category.
+                                Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+                              type: string
+                            tolerationSeconds:
+                              description: |-
+                                TolerationSeconds represents the period of time the toleration (which must be
+                                of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+                                it is not set, which means tolerate the taint forever (do not evict). Zero and
+                                negative values will be treated as 0 (evict immediately) by the system.
+                              format: int64
+                              type: integer
+                            value:
+                              description: |-
+                                Value is the taint value the toleration matches to.
+                                If the operator is Exists, the value should be empty, otherwise just a regular string.
+                              type: string
+                          type: object
+                        type: array
+                      topologySpreadConstraints:
+                        description: The k8s topologySpreadConstraints for the Pilot
+                          pods.
+                        items:
+                          description: TopologySpreadConstraint specifies how to spread
+                            matching pods among the given topology.
+                          properties:
+                            labelSelector:
+                              description: |-
+                                LabelSelector is used to find matching pods.
+                                Pods that match this label selector are counted to determine the number of pods
+                                in their corresponding topology domain.
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label
+                                    selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: |-
+                                      A label selector requirement is a selector that contains values, a key, and an operator that
+                                      relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the
+                                          selector applies to.
+                                        type: string
+                                      operator:
+                                        description: |-
+                                          operator represents a key's relationship to a set of values.
+                                          Valid operators are In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: |-
+                                          values is an array of string values. If the operator is In or NotIn,
+                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                          the values array must be empty. This array is replaced during a strategic
+                                          merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                        x-kubernetes-list-type: atomic
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                  type: object
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            matchLabelKeys:
+                              description: |-
+                                MatchLabelKeys is a set of pod label keys to select the pods over which
+                                spreading will be calculated. The keys are used to lookup values from the
+                                incoming pod labels, those key-value labels are ANDed with labelSelector
+                                to select the group of existing pods over which spreading will be calculated
+                                for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+                                MatchLabelKeys cannot be set when LabelSelector isn't set.
+                                Keys that don't exist in the incoming pod labels will
+                                be ignored. A null or empty list means only match against labelSelector.
+
+                                This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            maxSkew:
+                              description: |-
+                                MaxSkew describes the degree to which pods may be unevenly distributed.
+                                When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+                                between the number of matching pods in the target topology and the global minimum.
+                                The global minimum is the minimum number of matching pods in an eligible domain
+                                or zero if the number of eligible domains is less than MinDomains.
+                                For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+                                labelSelector spread as 2/2/1:
+                                In this case, the global minimum is 1.
+                                | zone1 | zone2 | zone3 |
+                                |  P P  |  P P  |   P   |
+                                - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+                                scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+                                violate MaxSkew(1).
+                                - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+                                When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+                                to topologies that satisfy it.
+                                It's a required field. Default value is 1 and 0 is not allowed.
+                              format: int32
+                              type: integer
+                            minDomains:
+                              description: |-
+                                MinDomains indicates a minimum number of eligible domains.
+                                When the number of eligible domains with matching topology keys is less than minDomains,
+                                Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+                                And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+                                this value has no effect on scheduling.
+                                As a result, when the number of eligible domains is less than minDomains,
+                                scheduler won't schedule more than maxSkew Pods to those domains.
+                                If value is nil, the constraint behaves as if MinDomains is equal to 1.
+                                Valid values are integers greater than 0.
+                                When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+                                For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+                                labelSelector spread as 2/2/2:
+                                | zone1 | zone2 | zone3 |
+                                |  P P  |  P P  |  P P  |
+                                The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+                                In this situation, new pod with the same labelSelector cannot be scheduled,
+                                because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+                                it will violate MaxSkew.
+                              format: int32
+                              type: integer
+                            nodeAffinityPolicy:
+                              description: |-
+                                NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+                                when calculating pod topology spread skew. Options are:
+                                - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+                                - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+                                If this value is nil, the behavior is equivalent to the Honor policy.
+                              type: string
+                            nodeTaintsPolicy:
+                              description: |-
+                                NodeTaintsPolicy indicates how we will treat node taints when calculating
+                                pod topology spread skew. Options are:
+                                - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+                                has a toleration, are included.
+                                - Ignore: node taints are ignored. All nodes are included.
+
+                                If this value is nil, the behavior is equivalent to the Ignore policy.
+                              type: string
+                            topologyKey:
+                              description: |-
+                                TopologyKey is the key of node labels. Nodes that have a label with this key
+                                and identical values are considered to be in the same topology.
+                                We consider each <key, value> as a "bucket", and try to put balanced number
+                                of pods into each bucket.
+                                We define a domain as a particular instance of a topology.
+                                Also, we define an eligible domain as a domain whose nodes meet the requirements of
+                                nodeAffinityPolicy and nodeTaintsPolicy.
+                                e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+                                And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+                                It's a required field.
+                              type: string
+                            whenUnsatisfiable:
+                              description: |-
+                                WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+                                the spread constraint.
+                                - DoNotSchedule (default) tells the scheduler not to schedule it.
+                                - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+                                  but giving higher precedence to topologies that would help reduce the
+                                  skew.
+                                A constraint is considered "Unsatisfiable" for an incoming pod
+                                if and only if every possible node assignment for that pod would violate
+                                "MaxSkew" on some topology.
+                                For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+                                labelSelector spread as 3/1/1:
+                                | zone1 | zone2 | zone3 |
+                                | P P P |   P   |   P   |
+                                If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+                                to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+                                MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+                                won't make it *more* imbalanced.
+                                It's a required field.
+                              type: string
+                          required:
+                          - maxSkew
+                          - topologyKey
+                          - whenUnsatisfiable
+                          type: object
+                        type: array
+                      traceSampling:
+                        description: |-
+                          Trace sampling fraction.
+
+                          Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead.
+
+                          Allowed values: 0.0 to 1.0
+                        type: number
+                      trustedZtunnelNamespace:
+                        description: |-
+                          If set, `istiod` will allow connections from trusted node proxy ztunnels
+                          in the provided namespace.
+                        type: string
+                      variant:
+                        description: The container image variant to pull. Options
+                          are "debug" or "distroless". Unset will use the default
+                          for the given version.
+                        type: string
+                      volumeMounts:
+                        description: Additional volumeMounts to add to the Pilot container.
+                        items:
+                          description: VolumeMount describes a mounting of a Volume
+                            within a container.
+                          properties:
+                            mountPath:
+                              description: |-
+                                Path within the container at which the volume should be mounted.  Must
+                                not contain ':'.
+                              type: string
+                            mountPropagation:
+                              description: |-
+                                mountPropagation determines how mounts are propagated from the host
+                                to container and the other way around.
+                                When not set, MountPropagationNone is used.
+                                This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
+                              type: string
+                            name:
+                              description: This must match the Name of a Volume.
+                              type: string
+                            readOnly:
+                              description: |-
+                                Mounted read-only if true, read-write otherwise (false or unspecified).
+                                Defaults to false.
+                              type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
+                            subPath:
+                              description: |-
+                                Path within the volume from which the container's volume should be mounted.
+                                Defaults to "" (volume's root).
+                              type: string
+                            subPathExpr:
+                              description: |-
+                                Expanded path within the volume from which the container's volume should be mounted.
+                                Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+                                Defaults to "" (volume's root).
+                                SubPathExpr and SubPath are mutually exclusive.
+                              type: string
+                          required:
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                      volumes:
+                        description: Additional volumes to add to the Pilot Pod.
+                        items:
+                          description: Volume represents a named volume in a pod that
+                            may be accessed by any container in the pod.
+                          properties:
+                            awsElasticBlockStore:
+                              description: |-
+                                awsElasticBlockStore represents an AWS Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: string
+                                partition:
+                                  description: |-
+                                    partition is the partition in the volume that you want to mount.
+                                    If omitted, the default is to mount by volume name.
+                                    Examples: For volume /dev/sda1, you specify the partition as "1".
+                                    Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+                                  format: int32
+                                  type: integer
+                                readOnly:
+                                  description: |-
+                                    readOnly value true will force the readOnly setting in VolumeMounts.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: boolean
+                                volumeID:
+                                  description: |-
+                                    volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            azureDisk:
+                              description: |-
+                                azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                are redirected to the disk.csi.azure.com CSI driver.
+                              properties:
+                                cachingMode:
+                                  description: 'cachingMode is the Host Caching mode:
+                                    None, Read Only, Read Write.'
+                                  type: string
+                                diskName:
+                                  description: diskName is the Name of the data disk
+                                    in the blob storage
+                                  type: string
+                                diskURI:
+                                  description: diskURI is the URI of data disk in
+                                    the blob storage
+                                  type: string
+                                fsType:
+                                  default: ext4
+                                  description: |-
+                                    fsType is Filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                kind:
+                                  description: 'kind expected values are Shared: multiple
+                                    blob disks per storage account  Dedicated: single
+                                    blob disk per storage account  Managed: azure
+                                    managed data disk (only in managed availability
+                                    set). defaults to shared'
+                                  type: string
+                                readOnly:
+                                  default: false
+                                  description: |-
+                                    readOnly Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                              required:
+                              - diskName
+                              - diskURI
+                              type: object
+                            azureFile:
+                              description: |-
+                                azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                are redirected to the file.csi.azure.com CSI driver.
+                              properties:
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretName:
+                                  description: secretName is the  name of secret that
+                                    contains Azure Storage Account Name and Key
+                                  type: string
+                                shareName:
+                                  description: shareName is the azure share Name
+                                  type: string
+                              required:
+                              - secretName
+                              - shareName
+                              type: object
+                            cephfs:
+                              description: |-
+                                cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
+                              properties:
+                                monitors:
+                                  description: |-
+                                    monitors is Required: Monitors is a collection of Ceph monitors
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                path:
+                                  description: 'path is Optional: Used as the mounted
+                                    root, rather than the full Ceph tree, default
+                                    is /'
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: boolean
+                                secretFile:
+                                  description: |-
+                                    secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: string
+                                secretRef:
+                                  description: |-
+                                    secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                user:
+                                  description: |-
+                                    user is optional: User is the rados user name, default is admin
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: string
+                              required:
+                              - monitors
+                              type: object
+                            cinder:
+                              description: |-
+                                cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                are redirected to the cinder.csi.openstack.org CSI driver.
+                                More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is optional: points to a secret object containing parameters used to connect
+                                    to OpenStack.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                volumeID:
+                                  description: |-
+                                    volumeID used to identify the volume in cinder.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            configMap:
+                              description: configMap represents a configMap that should
+                                populate this volume
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode is optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: |-
+                                    items if unspecified, each key-value pair in the Data field of the referenced
+                                    ConfigMap will be projected into the volume as a file whose name is the
+                                    key and content is the value. If specified, the listed keys will be
+                                    projected into the specified paths, and unlisted keys will not be
+                                    present. If a key is specified which is not present in the ConfigMap,
+                                    the volume setup will error unless it is marked optional. Paths must be
+                                    relative and may not contain the '..' path or start with '..'.
+                                  items:
+                                    description: Maps a string key to a path within
+                                      a volume.
+                                    properties:
+                                      key:
+                                        description: key is the key to project.
+                                        type: string
+                                      mode:
+                                        description: |-
+                                          mode is Optional: mode bits used to set permissions on this file.
+                                          Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: |-
+                                          path is the relative path of the file to map the key to.
+                                          May not be an absolute path.
+                                          May not contain the path element '..'.
+                                          May not start with the string '..'.
+                                        type: string
+                                    required:
+                                    - key
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                name:
+                                  default: ""
+                                  description: |-
+                                    Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                  type: string
+                                optional:
+                                  description: optional specify whether the ConfigMap
+                                    or its keys must be defined
+                                  type: boolean
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            csi:
+                              description: csi (Container Storage Interface) represents
+                                ephemeral storage that is handled by certain external
+                                CSI drivers.
+                              properties:
+                                driver:
+                                  description: |-
+                                    driver is the name of the CSI driver that handles this volume.
+                                    Consult with your admin for the correct name as registered in the cluster.
+                                  type: string
+                                fsType:
+                                  description: |-
+                                    fsType to mount. Ex. "ext4", "xfs", "ntfs".
+                                    If not provided, the empty value is passed to the associated CSI driver
+                                    which will determine the default filesystem to apply.
+                                  type: string
+                                nodePublishSecretRef:
+                                  description: |-
+                                    nodePublishSecretRef is a reference to the secret object containing
+                                    sensitive information to pass to the CSI driver to complete the CSI
+                                    NodePublishVolume and NodeUnpublishVolume calls.
+                                    This field is optional, and  may be empty if no secret is required. If the
+                                    secret object contains more than one secret, all secret references are passed.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                readOnly:
+                                  description: |-
+                                    readOnly specifies a read-only configuration for the volume.
+                                    Defaults to false (read/write).
+                                  type: boolean
+                                volumeAttributes:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    volumeAttributes stores driver-specific properties that are passed to the CSI
+                                    driver. Consult your driver's documentation for supported values.
+                                  type: object
+                              required:
+                              - driver
+                              type: object
+                            downwardAPI:
+                              description: downwardAPI represents downward API about
+                                the pod that should populate this volume
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    Optional: mode bits to use on created files by default. Must be a
+                                    Optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: Items is a list of downward API volume
+                                    file
+                                  items:
+                                    description: DownwardAPIVolumeFile represents
+                                      information to create the file containing the
+                                      pod field
+                                    properties:
+                                      fieldRef:
+                                        description: 'Required: Selects a field of
+                                          the pod: only annotations, labels, name,
+                                          namespace and uid are supported.'
+                                        properties:
+                                          apiVersion:
+                                            description: Version of the schema the
+                                              FieldPath is written in terms of, defaults
+                                              to "v1".
+                                            type: string
+                                          fieldPath:
+                                            description: Path of the field to select
+                                              in the specified API version.
+                                            type: string
+                                        required:
+                                        - fieldPath
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      mode:
+                                        description: |-
+                                          Optional: mode bits used to set permissions on this file, must be an octal value
+                                          between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: 'Required: Path is  the relative
+                                          path name of the file to be created. Must
+                                          not be absolute or contain the ''..'' path.
+                                          Must be utf-8 encoded. The first item of
+                                          the relative path must not start with ''..'''
+                                        type: string
+                                      resourceFieldRef:
+                                        description: |-
+                                          Selects a resource of the container: only resources limits and requests
+                                          (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+                                        properties:
+                                          containerName:
+                                            description: 'Container name: required
+                                              for volumes, optional for env vars'
+                                            type: string
+                                          divisor:
+                                            anyOf:
+                                            - type: integer
+                                            - type: string
+                                            description: Specifies the output format
+                                              of the exposed resources, defaults to
+                                              "1"
+                                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                            x-kubernetes-int-or-string: true
+                                          resource:
+                                            description: 'Required: resource to select'
+                                            type: string
+                                        required:
+                                        - resource
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                    required:
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            emptyDir:
+                              description: |-
+                                emptyDir represents a temporary directory that shares a pod's lifetime.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                              properties:
+                                medium:
+                                  description: |-
+                                    medium represents what type of storage medium should back this directory.
+                                    The default is "" which means to use the node's default medium.
+                                    Must be an empty string (default) or Memory.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                                  type: string
+                                sizeLimit:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  description: |-
+                                    sizeLimit is the total amount of local storage required for this EmptyDir volume.
+                                    The size limit is also applicable for memory medium.
+                                    The maximum usage on memory medium EmptyDir would be the minimum value between
+                                    the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+                                    The default is nil which means that the limit is undefined.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                              type: object
+                            ephemeral:
+                              description: |-
+                                ephemeral represents a volume that is handled by a cluster storage driver.
+                                The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+                                and deleted when the pod is removed.
+
+                                Use this if:
+                                a) the volume is only needed while the pod runs,
+                                b) features of normal volumes like restoring from snapshot or capacity
+                                   tracking are needed,
+                                c) the storage driver is specified through a storage class, and
+                                d) the storage driver supports dynamic volume provisioning through
+                                   a PersistentVolumeClaim (see EphemeralVolumeSource for more
+                                   information on the connection between this volume type
+                                   and PersistentVolumeClaim).
+
+                                Use PersistentVolumeClaim or one of the vendor-specific
+                                APIs for volumes that persist for longer than the lifecycle
+                                of an individual pod.
+
+                                Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+                                be used that way - see the documentation of the driver for
+                                more information.
+
+                                A pod can use both types of ephemeral volumes and
+                                persistent volumes at the same time.
+                              properties:
+                                volumeClaimTemplate:
+                                  description: |-
+                                    Will be used to create a stand-alone PVC to provision the volume.
+                                    The pod in which this EphemeralVolumeSource is embedded will be the
+                                    owner of the PVC, i.e. the PVC will be deleted together with the
+                                    pod.  The name of the PVC will be `<pod name>-<volume name>` where
+                                    `<volume name>` is the name from the `PodSpec.Volumes` array
+                                    entry. Pod validation will reject the pod if the concatenated name
+                                    is not valid for a PVC (for example, too long).
+
+                                    An existing PVC with that name that is not owned by the pod
+                                    will *not* be used for the pod to avoid using an unrelated
+                                    volume by mistake. Starting the pod is then blocked until
+                                    the unrelated PVC is removed. If such a pre-created PVC is
+                                    meant to be used by the pod, the PVC has to updated with an
+                                    owner reference to the pod once the pod exists. Normally
+                                    this should not be necessary, but it may be useful when
+                                    manually reconstructing a broken cluster.
+
+                                    This field is read-only and no changes will be made by Kubernetes
+                                    to the PVC after it has been created.
+
+                                    Required, must not be nil.
+                                  properties:
+                                    metadata:
+                                      description: |-
+                                        May contain labels and annotations that will be copied into the PVC
+                                        when creating it. No other fields are allowed and will be rejected during
+                                        validation.
+                                      type: object
+                                    spec:
+                                      description: |-
+                                        The specification for the PersistentVolumeClaim. The entire content is
+                                        copied unchanged into the PVC that gets created from this
+                                        template. The same fields as in a PersistentVolumeClaim
+                                        are also valid here.
+                                      properties:
+                                        accessModes:
+                                          description: |-
+                                            accessModes contains the desired access modes the volume should have.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        dataSource:
+                                          description: |-
+                                            dataSource field can be used to specify either:
+                                            * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+                                            * An existing PVC (PersistentVolumeClaim)
+                                            If the provisioner or an external controller can support the specified data source,
+                                            it will create a new volume based on the contents of the specified data source.
+                                            When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+                                            and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+                                            If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+                                          properties:
+                                            apiGroup:
+                                              description: |-
+                                                APIGroup is the group for the resource being referenced.
+                                                If APIGroup is not specified, the specified Kind must be in the core API group.
+                                                For any other third-party types, APIGroup is required.
+                                              type: string
+                                            kind:
+                                              description: Kind is the type of resource
+                                                being referenced
+                                              type: string
+                                            name:
+                                              description: Name is the name of resource
+                                                being referenced
+                                              type: string
+                                          required:
+                                          - kind
+                                          - name
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        dataSourceRef:
+                                          description: |-
+                                            dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+                                            volume is desired. This may be any object from a non-empty API group (non
+                                            core object) or a PersistentVolumeClaim object.
+                                            When this field is specified, volume binding will only succeed if the type of
+                                            the specified object matches some installed volume populator or dynamic
+                                            provisioner.
+                                            This field will replace the functionality of the dataSource field and as such
+                                            if both fields are non-empty, they must have the same value. For backwards
+                                            compatibility, when namespace isn't specified in dataSourceRef,
+                                            both fields (dataSource and dataSourceRef) will be set to the same
+                                            value automatically if one of them is empty and the other is non-empty.
+                                            When namespace is specified in dataSourceRef,
+                                            dataSource isn't set to the same value and must be empty.
+                                            There are three important differences between dataSource and dataSourceRef:
+                                            * While dataSource only allows two specific types of objects, dataSourceRef
+                                              allows any non-core object, as well as PersistentVolumeClaim objects.
+                                            * While dataSource ignores disallowed values (dropping them), dataSourceRef
+                                              preserves all values, and generates an error if a disallowed value is
+                                              specified.
+                                            * While dataSource only allows local objects, dataSourceRef allows objects
+                                              in any namespaces.
+                                            (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+                                            (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+                                          properties:
+                                            apiGroup:
+                                              description: |-
+                                                APIGroup is the group for the resource being referenced.
+                                                If APIGroup is not specified, the specified Kind must be in the core API group.
+                                                For any other third-party types, APIGroup is required.
+                                              type: string
+                                            kind:
+                                              description: Kind is the type of resource
+                                                being referenced
+                                              type: string
+                                            name:
+                                              description: Name is the name of resource
+                                                being referenced
+                                              type: string
+                                            namespace:
+                                              description: |-
+                                                Namespace is the namespace of resource being referenced
+                                                Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+                                                (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+                                              type: string
+                                          required:
+                                          - kind
+                                          - name
+                                          type: object
+                                        resources:
+                                          description: |-
+                                            resources represents the minimum resources the volume should have.
+                                            Users are allowed to specify resource requirements
+                                            that are lower than previous value but must still be higher than capacity recorded in the
+                                            status field of the claim.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+                                          properties:
+                                            limits:
+                                              additionalProperties:
+                                                anyOf:
+                                                - type: integer
+                                                - type: string
+                                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                x-kubernetes-int-or-string: true
+                                              description: |-
+                                                Limits describes the maximum amount of compute resources allowed.
+                                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                              type: object
+                                            requests:
+                                              additionalProperties:
+                                                anyOf:
+                                                - type: integer
+                                                - type: string
+                                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                x-kubernetes-int-or-string: true
+                                              description: |-
+                                                Requests describes the minimum amount of compute resources required.
+                                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                              type: object
+                                          type: object
+                                        selector:
+                                          description: selector is a label query over
+                                            volumes to consider for binding.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        storageClassName:
+                                          description: |-
+                                            storageClassName is the name of the StorageClass required by the claim.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+                                          type: string
+                                        volumeAttributesClassName:
+                                          description: |-
+                                            volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                            If specified, the CSI driver will create or update the volume with the attributes defined
+                                            in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                            it can be changed after the claim is created. An empty string or nil value indicates that no
+                                            VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                            this field can be reset to its previous value (including nil) to cancel the modification.
+                                            If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                            set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                            exists.
+                                            More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                          type: string
+                                        volumeMode:
+                                          description: |-
+                                            volumeMode defines what type of volume is required by the claim.
+                                            Value of Filesystem is implied when not included in claim spec.
+                                          type: string
+                                        volumeName:
+                                          description: volumeName is the binding reference
+                                            to the PersistentVolume backing this claim.
+                                          type: string
+                                      type: object
+                                  required:
+                                  - spec
+                                  type: object
+                              type: object
+                            fc:
+                              description: fc represents a Fibre Channel resource
+                                that is attached to a kubelet's host machine and then
+                                exposed to the pod.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                lun:
+                                  description: 'lun is Optional: FC target lun number'
+                                  format: int32
+                                  type: integer
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                targetWWNs:
+                                  description: 'targetWWNs is Optional: FC target
+                                    worldwide names (WWNs)'
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                wwids:
+                                  description: |-
+                                    wwids Optional: FC volume world wide identifiers (wwids)
+                                    Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            flexVolume:
+                              description: |-
+                                flexVolume represents a generic volume resource that is
+                                provisioned/attached using an exec based plugin.
+                                Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
+                              properties:
+                                driver:
+                                  description: driver is the name of the driver to
+                                    use for this volume.
+                                  type: string
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+                                  type: string
+                                options:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'options is Optional: this field holds
+                                    extra command options if any.'
+                                  type: object
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is Optional: secretRef is reference to the secret object containing
+                                    sensitive information to pass to the plugin scripts. This may be
+                                    empty if no secret object is specified. If the secret object
+                                    contains more than one secret, all secrets are passed to the plugin
+                                    scripts.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                              required:
+                              - driver
+                              type: object
+                            flocker:
+                              description: |-
+                                flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
+                              properties:
+                                datasetName:
+                                  description: |-
+                                    datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+                                    should be considered as deprecated
+                                  type: string
+                                datasetUUID:
+                                  description: datasetUUID is the UUID of the dataset.
+                                    This is unique identifier of a Flocker dataset
+                                  type: string
+                              type: object
+                            gcePersistentDisk:
+                              description: |-
+                                gcePersistentDisk represents a GCE Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: string
+                                partition:
+                                  description: |-
+                                    partition is the partition in the volume that you want to mount.
+                                    If omitted, the default is to mount by volume name.
+                                    Examples: For volume /dev/sda1, you specify the partition as "1".
+                                    Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  format: int32
+                                  type: integer
+                                pdName:
+                                  description: |-
+                                    pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: boolean
+                              required:
+                              - pdName
+                              type: object
+                            gitRepo:
+                              description: |-
+                                gitRepo represents a git repository at a particular revision.
+                                Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+                                into the Pod's container.
+                              properties:
+                                directory:
+                                  description: |-
+                                    directory is the target directory name.
+                                    Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
+                                    git repository.  Otherwise, if specified, the volume will contain the git repository in
+                                    the subdirectory with the given name.
+                                  type: string
+                                repository:
+                                  description: repository is the URL
+                                  type: string
+                                revision:
+                                  description: revision is the commit hash for the
+                                    specified revision.
+                                  type: string
+                              required:
+                              - repository
+                              type: object
+                            glusterfs:
+                              description: |-
+                                glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
+                              properties:
+                                endpoints:
+                                  description: endpoints is the endpoint name that
+                                    details Glusterfs topology.
+                                  type: string
+                                path:
+                                  description: |-
+                                    path is the Glusterfs volume path.
+                                    More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+                                    Defaults to false.
+                                    More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                  type: boolean
+                              required:
+                              - endpoints
+                              - path
+                              type: object
+                            hostPath:
+                              description: |-
+                                hostPath represents a pre-existing file or directory on the host
+                                machine that is directly exposed to the container. This is generally
+                                used for system agents or other privileged things that are allowed
+                                to see the host machine. Most containers will NOT need this.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                              properties:
+                                path:
+                                  description: |-
+                                    path of the directory on the host.
+                                    If the path is a symlink, it will follow the link to the real path.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                                  type: string
+                                type:
+                                  description: |-
+                                    type for HostPath Volume
+                                    Defaults to ""
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                                  type: string
+                              required:
+                              - path
+                              type: object
+                            image:
+                              description: |-
+                                image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
+                                The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                              properties:
+                                pullPolicy:
+                                  description: |-
+                                    Policy for pulling OCI objects. Possible values are:
+                                    Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                    Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                    IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                    Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                  type: string
+                                reference:
+                                  description: |-
+                                    Required: Image or artifact reference to be used.
+                                    Behaves in the same way as pod.spec.containers[*].image.
+                                    Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                    More info: https://kubernetes.io/docs/concepts/containers/images
+                                    This field is optional to allow higher level config management to default or override
+                                    container images in workload controllers like Deployments and StatefulSets.
+                                  type: string
+                              type: object
+                            iscsi:
+                              description: |-
+                                iscsi represents an ISCSI Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
+                              properties:
+                                chapAuthDiscovery:
+                                  description: chapAuthDiscovery defines whether support
+                                    iSCSI Discovery CHAP authentication
+                                  type: boolean
+                                chapAuthSession:
+                                  description: chapAuthSession defines whether support
+                                    iSCSI Session CHAP authentication
+                                  type: boolean
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+                                  type: string
+                                initiatorName:
+                                  description: |-
+                                    initiatorName is the custom iSCSI Initiator Name.
+                                    If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+                                    <target portal>:<volume name> will be created for the connection.
+                                  type: string
+                                iqn:
+                                  description: iqn is the target iSCSI Qualified Name.
+                                  type: string
+                                iscsiInterface:
+                                  default: default
+                                  description: |-
+                                    iscsiInterface is the interface Name that uses an iSCSI transport.
+                                    Defaults to 'default' (tcp).
+                                  type: string
+                                lun:
+                                  description: lun represents iSCSI Target Lun number.
+                                  format: int32
+                                  type: integer
+                                portals:
+                                  description: |-
+                                    portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+                                    is other than default (typically TCP ports 860 and 3260).
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                  type: boolean
+                                secretRef:
+                                  description: secretRef is the CHAP Secret for iSCSI
+                                    target and initiator authentication
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                targetPortal:
+                                  description: |-
+                                    targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+                                    is other than default (typically TCP ports 860 and 3260).
+                                  type: string
+                              required:
+                              - iqn
+                              - lun
+                              - targetPortal
+                              type: object
+                            name:
+                              description: |-
+                                name of the volume.
+                                Must be a DNS_LABEL and unique within the pod.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                            nfs:
+                              description: |-
+                                nfs represents an NFS mount on the host that shares a pod's lifetime
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                              properties:
+                                path:
+                                  description: |-
+                                    path that is exported by the NFS server.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the NFS export to be mounted with read-only permissions.
+                                    Defaults to false.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: boolean
+                                server:
+                                  description: |-
+                                    server is the hostname or IP address of the NFS server.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: string
+                              required:
+                              - path
+                              - server
+                              type: object
+                            persistentVolumeClaim:
+                              description: |-
+                                persistentVolumeClaimVolumeSource represents a reference to a
+                                PersistentVolumeClaim in the same namespace.
+                                More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+                              properties:
+                                claimName:
+                                  description: |-
+                                    claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+                                    More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly Will force the ReadOnly setting in VolumeMounts.
+                                    Default false.
+                                  type: boolean
+                              required:
+                              - claimName
+                              type: object
+                            photonPersistentDisk:
+                              description: |-
+                                photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                pdID:
+                                  description: pdID is the ID that identifies Photon
+                                    Controller persistent disk
+                                  type: string
+                              required:
+                              - pdID
+                              type: object
+                            portworxVolume:
+                              description: |-
+                                portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                is on.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fSType represents the filesystem type to mount
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                volumeID:
+                                  description: volumeID uniquely identifies a Portworx
+                                    volume
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            projected:
+                              description: projected items for all in one resources
+                                secrets, configmaps, and downward API
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode are the mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                sources:
+                                  description: |-
+                                    sources is the list of volume projections. Each entry in this list
+                                    handles one source.
+                                  items:
+                                    description: |-
+                                      Projection that may be projected along with other supported volume types.
+                                      Exactly one of these fields must be set.
+                                    properties:
+                                      clusterTrustBundle:
+                                        description: |-
+                                          ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                          of ClusterTrustBundle objects in an auto-updating file.
+
+                                          Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                          ClusterTrustBundle objects can either be selected by name, or by the
+                                          combination of signer name and a label selector.
+
+                                          Kubelet performs aggressive normalization of the PEM contents written
+                                          into the pod filesystem.  Esoteric PEM features such as inter-block
+                                          comments and block headers are stripped.  Certificates are deduplicated.
+                                          The ordering of certificates within the file is arbitrary, and Kubelet
+                                          may change the order over time.
+                                        properties:
+                                          labelSelector:
+                                            description: |-
+                                              Select all ClusterTrustBundles that match this label selector.  Only has
+                                              effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                              interpreted as "match nothing".  If set but empty, interpreted as "match
+                                              everything".
+                                            properties:
+                                              matchExpressions:
+                                                description: matchExpressions is a
+                                                  list of label selector requirements.
+                                                  The requirements are ANDed.
+                                                items:
+                                                  description: |-
+                                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                                    relates the key and values.
+                                                  properties:
+                                                    key:
+                                                      description: key is the label
+                                                        key that the selector applies
+                                                        to.
+                                                      type: string
+                                                    operator:
+                                                      description: |-
+                                                        operator represents a key's relationship to a set of values.
+                                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                      type: string
+                                                    values:
+                                                      description: |-
+                                                        values is an array of string values. If the operator is In or NotIn,
+                                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                        the values array must be empty. This array is replaced during a strategic
+                                                        merge patch.
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                      x-kubernetes-list-type: atomic
+                                                  required:
+                                                  - key
+                                                  - operator
+                                                  type: object
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                              matchLabels:
+                                                additionalProperties:
+                                                  type: string
+                                                description: |-
+                                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                type: object
+                                            type: object
+                                            x-kubernetes-map-type: atomic
+                                          name:
+                                            description: |-
+                                              Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                              with signerName and labelSelector.
+                                            type: string
+                                          optional:
+                                            description: |-
+                                              If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                              aren't available.  If using name, then the named ClusterTrustBundle is
+                                              allowed not to exist.  If using signerName, then the combination of
+                                              signerName and labelSelector is allowed to match zero
+                                              ClusterTrustBundles.
+                                            type: boolean
+                                          path:
+                                            description: Relative path from the volume
+                                              root to write the bundle.
+                                            type: string
+                                          signerName:
+                                            description: |-
+                                              Select all ClusterTrustBundles that match this signer name.
+                                              Mutually-exclusive with name.  The contents of all selected
+                                              ClusterTrustBundles will be unified and deduplicated.
+                                            type: string
+                                        required:
+                                        - path
+                                        type: object
+                                      configMap:
+                                        description: configMap information about the
+                                          configMap data to project
+                                        properties:
+                                          items:
+                                            description: |-
+                                              items if unspecified, each key-value pair in the Data field of the referenced
+                                              ConfigMap will be projected into the volume as a file whose name is the
+                                              key and content is the value. If specified, the listed keys will be
+                                              projected into the specified paths, and unlisted keys will not be
+                                              present. If a key is specified which is not present in the ConfigMap,
+                                              the volume setup will error unless it is marked optional. Paths must be
+                                              relative and may not contain the '..' path or start with '..'.
+                                            items:
+                                              description: Maps a string key to a
+                                                path within a volume.
+                                              properties:
+                                                key:
+                                                  description: key is the key to project.
+                                                  type: string
+                                                mode:
+                                                  description: |-
+                                                    mode is Optional: mode bits used to set permissions on this file.
+                                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: |-
+                                                    path is the relative path of the file to map the key to.
+                                                    May not be an absolute path.
+                                                    May not contain the path element '..'.
+                                                    May not start with the string '..'.
+                                                  type: string
+                                              required:
+                                              - key
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          name:
+                                            default: ""
+                                            description: |-
+                                              Name of the referent.
+                                              This field is effectively required, but due to backwards compatibility is
+                                              allowed to be empty. Instances of this type with an empty value here are
+                                              almost certainly wrong.
+                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                            type: string
+                                          optional:
+                                            description: optional specify whether
+                                              the ConfigMap or its keys must be defined
+                                            type: boolean
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      downwardAPI:
+                                        description: downwardAPI information about
+                                          the downwardAPI data to project
+                                        properties:
+                                          items:
+                                            description: Items is a list of DownwardAPIVolume
+                                              file
+                                            items:
+                                              description: DownwardAPIVolumeFile represents
+                                                information to create the file containing
+                                                the pod field
+                                              properties:
+                                                fieldRef:
+                                                  description: 'Required: Selects
+                                                    a field of the pod: only annotations,
+                                                    labels, name, namespace and uid
+                                                    are supported.'
+                                                  properties:
+                                                    apiVersion:
+                                                      description: Version of the
+                                                        schema the FieldPath is written
+                                                        in terms of, defaults to "v1".
+                                                      type: string
+                                                    fieldPath:
+                                                      description: Path of the field
+                                                        to select in the specified
+                                                        API version.
+                                                      type: string
+                                                  required:
+                                                  - fieldPath
+                                                  type: object
+                                                  x-kubernetes-map-type: atomic
+                                                mode:
+                                                  description: |-
+                                                    Optional: mode bits used to set permissions on this file, must be an octal value
+                                                    between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: 'Required: Path is  the
+                                                    relative path name of the file
+                                                    to be created. Must not be absolute
+                                                    or contain the ''..'' path. Must
+                                                    be utf-8 encoded. The first item
+                                                    of the relative path must not
+                                                    start with ''..'''
+                                                  type: string
+                                                resourceFieldRef:
+                                                  description: |-
+                                                    Selects a resource of the container: only resources limits and requests
+                                                    (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+                                                  properties:
+                                                    containerName:
+                                                      description: 'Container name:
+                                                        required for volumes, optional
+                                                        for env vars'
+                                                      type: string
+                                                    divisor:
+                                                      anyOf:
+                                                      - type: integer
+                                                      - type: string
+                                                      description: Specifies the output
+                                                        format of the exposed resources,
+                                                        defaults to "1"
+                                                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                      x-kubernetes-int-or-string: true
+                                                    resource:
+                                                      description: 'Required: resource
+                                                        to select'
+                                                      type: string
+                                                  required:
+                                                  - resource
+                                                  type: object
+                                                  x-kubernetes-map-type: atomic
+                                              required:
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        type: object
+                                      podCertificate:
+                                        description: |-
+                                          Projects an auto-rotating credential bundle (private key and certificate
+                                          chain) that the pod can use either as a TLS client or server.
+
+                                          Kubelet generates a private key and uses it to send a
+                                          PodCertificateRequest to the named signer.  Once the signer approves the
+                                          request and issues a certificate chain, Kubelet writes the key and
+                                          certificate chain to the pod filesystem.  The pod does not start until
+                                          certificates have been issued for each podCertificate projected volume
+                                          source in its spec.
+
+                                          Kubelet will begin trying to rotate the certificate at the time indicated
+                                          by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                          timestamp.
+
+                                          Kubelet can write a single file, indicated by the credentialBundlePath
+                                          field, or separate files, indicated by the keyPath and
+                                          certificateChainPath fields.
+
+                                          The credential bundle is a single file in PEM format.  The first PEM
+                                          entry is the private key (in PKCS#8 format), and the remaining PEM
+                                          entries are the certificate chain issued by the signer (typically,
+                                          signers will return their certificate chain in leaf-to-root order).
+
+                                          Prefer using the credential bundle format, since your application code
+                                          can read it atomically.  If you use keyPath and certificateChainPath,
+                                          your application must make two separate file reads. If these coincide
+                                          with a certificate rotation, it is possible that the private key and leaf
+                                          certificate you read may not correspond to each other.  Your application
+                                          will need to check for this condition, and re-read until they are
+                                          consistent.
+
+                                          The named signer controls chooses the format of the certificate it
+                                          issues; consult the signer implementation's documentation to learn how to
+                                          use the certificates it issues.
+                                        properties:
+                                          certificateChainPath:
+                                            description: |-
+                                              Write the certificate chain at this path in the projected volume.
+
+                                              Most applications should use credentialBundlePath.  When using keyPath
+                                              and certificateChainPath, your application needs to check that the key
+                                              and leaf certificate are consistent, because it is possible to read the
+                                              files mid-rotation.
+                                            type: string
+                                          credentialBundlePath:
+                                            description: |-
+                                              Write the credential bundle at this path in the projected volume.
+
+                                              The credential bundle is a single file that contains multiple PEM blocks.
+                                              The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                              key.
+
+                                              The remaining blocks are CERTIFICATE blocks, containing the issued
+                                              certificate chain from the signer (leaf and any intermediates).
+
+                                              Using credentialBundlePath lets your Pod's application code make a single
+                                              atomic read that retrieves a consistent key and certificate chain.  If you
+                                              project them to separate files, your application code will need to
+                                              additionally check that the leaf certificate was issued to the key.
+                                            type: string
+                                          keyPath:
+                                            description: |-
+                                              Write the key at this path in the projected volume.
+
+                                              Most applications should use credentialBundlePath.  When using keyPath
+                                              and certificateChainPath, your application needs to check that the key
+                                              and leaf certificate are consistent, because it is possible to read the
+                                              files mid-rotation.
+                                            type: string
+                                          keyType:
+                                            description: |-
+                                              The type of keypair Kubelet will generate for the pod.
+
+                                              Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                              "ECDSAP521", and "ED25519".
+                                            type: string
+                                          maxExpirationSeconds:
+                                            description: |-
+                                              maxExpirationSeconds is the maximum lifetime permitted for the
+                                              certificate.
+
+                                              Kubelet copies this value verbatim into the PodCertificateRequests it
+                                              generates for this projection.
+
+                                              If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                              will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                              value is 7862400 (91 days).
+
+                                              The signer implementation is then free to issue a certificate with any
+                                              lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                              seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                              `kubernetes.io` signers will never issue certificates with a lifetime
+                                              longer than 24 hours.
+                                            format: int32
+                                            type: integer
+                                          signerName:
+                                            description: Kubelet's generated CSRs
+                                              will be addressed to this signer.
+                                            type: string
+                                          userAnnotations:
+                                            additionalProperties:
+                                              type: string
+                                            description: |-
+                                              userAnnotations allow pod authors to pass additional information to
+                                              the signer implementation.  Kubernetes does not restrict or validate this
+                                              metadata in any way.
+
+                                              These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+                                              the PodCertificateRequest objects that Kubelet creates.
+
+                                              Entries are subject to the same validation as object metadata annotations,
+                                              with the addition that all keys must be domain-prefixed. No restrictions
+                                              are placed on values, except an overall size limitation on the entire field.
+
+                                              Signers should document the keys and values they support. Signers should
+                                              deny requests that contain keys they do not recognize.
+                                            type: object
+                                        required:
+                                        - keyType
+                                        - signerName
+                                        type: object
+                                      secret:
+                                        description: secret information about the
+                                          secret data to project
+                                        properties:
+                                          items:
+                                            description: |-
+                                              items if unspecified, each key-value pair in the Data field of the referenced
+                                              Secret will be projected into the volume as a file whose name is the
+                                              key and content is the value. If specified, the listed keys will be
+                                              projected into the specified paths, and unlisted keys will not be
+                                              present. If a key is specified which is not present in the Secret,
+                                              the volume setup will error unless it is marked optional. Paths must be
+                                              relative and may not contain the '..' path or start with '..'.
+                                            items:
+                                              description: Maps a string key to a
+                                                path within a volume.
+                                              properties:
+                                                key:
+                                                  description: key is the key to project.
+                                                  type: string
+                                                mode:
+                                                  description: |-
+                                                    mode is Optional: mode bits used to set permissions on this file.
+                                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: |-
+                                                    path is the relative path of the file to map the key to.
+                                                    May not be an absolute path.
+                                                    May not contain the path element '..'.
+                                                    May not start with the string '..'.
+                                                  type: string
+                                              required:
+                                              - key
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          name:
+                                            default: ""
+                                            description: |-
+                                              Name of the referent.
+                                              This field is effectively required, but due to backwards compatibility is
+                                              allowed to be empty. Instances of this type with an empty value here are
+                                              almost certainly wrong.
+                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                            type: string
+                                          optional:
+                                            description: optional field specify whether
+                                              the Secret or its key must be defined
+                                            type: boolean
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      serviceAccountToken:
+                                        description: serviceAccountToken is information
+                                          about the serviceAccountToken data to project
+                                        properties:
+                                          audience:
+                                            description: |-
+                                              audience is the intended audience of the token. A recipient of a token
+                                              must identify itself with an identifier specified in the audience of the
+                                              token, and otherwise should reject the token. The audience defaults to the
+                                              identifier of the apiserver.
+                                            type: string
+                                          expirationSeconds:
+                                            description: |-
+                                              expirationSeconds is the requested duration of validity of the service
+                                              account token. As the token approaches expiration, the kubelet volume
+                                              plugin will proactively rotate the service account token. The kubelet will
+                                              start trying to rotate the token if the token is older than 80 percent of
+                                              its time to live or if the token is older than 24 hours.Defaults to 1 hour
+                                              and must be at least 10 minutes.
+                                            format: int64
+                                            type: integer
+                                          path:
+                                            description: |-
+                                              path is the path relative to the mount point of the file to project the
+                                              token into.
+                                            type: string
+                                        required:
+                                        - path
+                                        type: object
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            quobyte:
+                              description: |-
+                                quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
+                              properties:
+                                group:
+                                  description: |-
+                                    group to map volume access to
+                                    Default is no group
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+                                    Defaults to false.
+                                  type: boolean
+                                registry:
+                                  description: |-
+                                    registry represents a single or multiple Quobyte Registry services
+                                    specified as a string as host:port pair (multiple entries are separated with commas)
+                                    which acts as the central registry for volumes
+                                  type: string
+                                tenant:
+                                  description: |-
+                                    tenant owning the given Quobyte volume in the Backend
+                                    Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+                                  type: string
+                                user:
+                                  description: |-
+                                    user to map volume access to
+                                    Defaults to serivceaccount user
+                                  type: string
+                                volume:
+                                  description: volume is a string that references
+                                    an already created Quobyte volume by name.
+                                  type: string
+                              required:
+                              - registry
+                              - volume
+                              type: object
+                            rbd:
+                              description: |-
+                                rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+                                  type: string
+                                image:
+                                  description: |-
+                                    image is the rados image name.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                keyring:
+                                  default: /etc/ceph/keyring
+                                  description: |-
+                                    keyring is the path to key ring for RBDUser.
+                                    Default is /etc/ceph/keyring.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                monitors:
+                                  description: |-
+                                    monitors is a collection of Ceph monitors.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                pool:
+                                  default: rbd
+                                  description: |-
+                                    pool is the rados pool name.
+                                    Default is rbd.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is name of the authentication secret for RBDUser. If provided
+                                    overrides keyring.
+                                    Default is nil.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                user:
+                                  default: admin
+                                  description: |-
+                                    user is the rados user name.
+                                    Default is admin.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                              required:
+                              - image
+                              - monitors
+                              type: object
+                            scaleIO:
+                              description: |-
+                                scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
+                              properties:
+                                fsType:
+                                  default: xfs
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs".
+                                    Default is "xfs".
+                                  type: string
+                                gateway:
+                                  description: gateway is the host address of the
+                                    ScaleIO API Gateway.
+                                  type: string
+                                protectionDomain:
+                                  description: protectionDomain is the name of the
+                                    ScaleIO Protection Domain for the configured storage.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef references to the secret for ScaleIO user and other
+                                    sensitive information. If this is not provided, Login operation will fail.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                sslEnabled:
+                                  description: sslEnabled Flag enable/disable SSL
+                                    communication with Gateway, default false
+                                  type: boolean
+                                storageMode:
+                                  default: ThinProvisioned
+                                  description: |-
+                                    storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+                                    Default is ThinProvisioned.
+                                  type: string
+                                storagePool:
+                                  description: storagePool is the ScaleIO Storage
+                                    Pool associated with the protection domain.
+                                  type: string
+                                system:
+                                  description: system is the name of the storage system
+                                    as configured in ScaleIO.
+                                  type: string
+                                volumeName:
+                                  description: |-
+                                    volumeName is the name of a volume already created in the ScaleIO system
+                                    that is associated with this volume source.
+                                  type: string
+                              required:
+                              - gateway
+                              - secretRef
+                              - system
+                              type: object
+                            secret:
+                              description: |-
+                                secret represents a secret that should populate this volume.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode is Optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values
+                                    for mode bits. Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: |-
+                                    items If unspecified, each key-value pair in the Data field of the referenced
+                                    Secret will be projected into the volume as a file whose name is the
+                                    key and content is the value. If specified, the listed keys will be
+                                    projected into the specified paths, and unlisted keys will not be
+                                    present. If a key is specified which is not present in the Secret,
+                                    the volume setup will error unless it is marked optional. Paths must be
+                                    relative and may not contain the '..' path or start with '..'.
+                                  items:
+                                    description: Maps a string key to a path within
+                                      a volume.
+                                    properties:
+                                      key:
+                                        description: key is the key to project.
+                                        type: string
+                                      mode:
+                                        description: |-
+                                          mode is Optional: mode bits used to set permissions on this file.
+                                          Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: |-
+                                          path is the relative path of the file to map the key to.
+                                          May not be an absolute path.
+                                          May not contain the path element '..'.
+                                          May not start with the string '..'.
+                                        type: string
+                                    required:
+                                    - key
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                optional:
+                                  description: optional field specify whether the
+                                    Secret or its keys must be defined
+                                  type: boolean
+                                secretName:
+                                  description: |-
+                                    secretName is the name of the secret in the pod's namespace to use.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+                                  type: string
+                              type: object
+                            storageos:
+                              description: |-
+                                storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef specifies the secret to use for obtaining the StorageOS API
+                                    credentials.  If not specified, default values will be attempted.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                volumeName:
+                                  description: |-
+                                    volumeName is the human-readable name of the StorageOS volume.  Volume
+                                    names are only unique within a namespace.
+                                  type: string
+                                volumeNamespace:
+                                  description: |-
+                                    volumeNamespace specifies the scope of the volume within StorageOS.  If no
+                                    namespace is specified then the Pod's namespace will be used.  This allows the
+                                    Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+                                    Set VolumeName to any name to override the default behaviour.
+                                    Set to "default" if you are not using namespaces within StorageOS.
+                                    Namespaces that do not pre-exist within StorageOS will be created.
+                                  type: string
+                              type: object
+                            vsphereVolume:
+                              description: |-
+                                vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                are redirected to the csi.vsphere.vmware.com CSI driver.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                storagePolicyID:
+                                  description: storagePolicyID is the storage Policy
+                                    Based Management (SPBM) profile ID associated
+                                    with the StoragePolicyName.
+                                  type: string
+                                storagePolicyName:
+                                  description: storagePolicyName is the storage Policy
+                                    Based Management (SPBM) profile name.
+                                  type: string
+                                volumePath:
+                                  description: volumePath is the path that identifies
+                                    vSphere volume vmdk
+                                  type: string
+                              required:
+                              - volumePath
+                              type: object
+                          required:
+                          - name
+                          type: object
+                        type: array
+                    type: object
+                  profile:
+                    description: Specifies which installation configuration profile
+                      to apply.
+                    type: string
+                  revision:
+                    description: Identifies the revision this installation is associated
+                      with.
+                    type: string
+                  sidecarInjectorWebhook:
+                    description: Configuration for the sidecar injector webhook.
+                    properties:
+                      alwaysInjectSelector:
+                        description: See NeverInjectSelector.
+                        items:
+                          description: |-
+                            A label selector is a label query over a set of resources. The result of matchLabels and
+                            matchExpressions are ANDed. An empty label selector matches all objects. A null
+                            label selector matches no objects.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
+                      defaultTemplates:
+                        description: 'defaultTemplates: ["sidecar", "hello"]'
+                        items:
+                          type: string
+                        type: array
+                      enableNamespacesByDefault:
+                        description: Enables sidecar auto-injection in namespaces
+                          by default.
+                        type: boolean
+                      injectedAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          injectedAnnotations are additional annotations that will be added to the pod spec after injection
+                          This is primarily to support PSP annotations.
+                        type: object
+                      injectionURL:
+                        description: Configure the injection url for sidecar injector
+                          webhook
+                        type: string
+                      neverInjectSelector:
+                        description: |-
+                          Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods.
+
+                          Annotations in the pods have higher precedence than the label selectors.
+                          Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy.
+                          See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+                        items:
+                          description: |-
+                            A label selector is a label query over a set of resources. The result of matchLabels and
+                            matchExpressions are ANDed. An empty label selector matches all objects. A null
+                            label selector matches no objects.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        type: array
+                      reinvocationPolicy:
+                        description: 'Setting this to `IfNeeded` will result in the
+                          sidecar injector being run again if additional mutations
+                          occur. Default: Never'
+                        type: string
+                      rewriteAppHTTPProbe:
+                        description: If true, webhook or istioctl injector will rewrite
+                          PodSpec for liveness health check to redirect request to
+                          sidecar. This makes liveness check work even when mTLS is
+                          enabled.
+                        type: boolean
+                      templates:
+                        additionalProperties:
+                          type: string
+                        description: "Templates defines a set of custom injection
+                          templates that can be used. For example, defining:\n\ntemplates:\n\n\thello:
+                          |\n\t  metadata:\n\t    labels:\n\t      hello: world\n\nThen
+                          starting a pod with the `inject.istio.io/templates: hello`
+                          annotation, will result in the pod\nbeing injected with
+                          the hello=world labels.\nThis is intended for advanced configuration
+                          only; most users should use the built in template"
+                        type: object
+                    type: object
+                  telemetry:
+                    description: Controls whether telemetry is exported for Pilot.
+                    properties:
+                      enabled:
+                        description: Controls whether telemetry is exported for Pilot.
+                        type: boolean
+                      v2:
+                        description: Configuration for Telemetry v2.
+                        properties:
+                          enabled:
+                            description: Controls whether pilot will configure telemetry
+                              v2.
+                            type: boolean
+                          prometheus:
+                            description: Telemetry v2 settings for prometheus.
+                            properties:
+                              enabled:
+                                description: Controls whether stats envoyfilter would
+                                  be enabled or not.
+                                type: boolean
+                            type: object
+                          stackdriver:
+                            description: Telemetry v2 settings for stackdriver.
+                            properties:
+                              enabled:
+                                type: boolean
+                            type: object
+                        type: object
+                    type: object
+                type: object
+              version:
+                default: v1.28.3
+                description: |-
+                  Defines the version of Istio to install.
+                  Must be one of: v1.28-latest, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a30ad733.
+                enum:
+                - v1.28-latest
+                - v1.28.3
+                - v1.28.2
+                - v1.28.1
+                - v1.28.0
+                - v1.27-latest
+                - v1.27.5
+                - v1.27.4
+                - v1.27.3
+                - v1.27.2
+                - v1.27.1
+                - v1.27.0
+                - v1.26-latest
+                - v1.26.8
+                - v1.26.7
+                - v1.26.6
+                - v1.26.5
+                - v1.26.4
+                - v1.26.3
+                - v1.26.2
+                - v1.26.1
+                - v1.26.0
+                - v1.25-latest
+                - v1.25.5
+                - v1.25.4
+                - v1.25.3
+                - v1.25.2
+                - v1.25.1
+                - v1.24-latest
+                - v1.24.6
+                - v1.24.5
+                - v1.24.4
+                - v1.24.3
+                - v1.24.2
+                - v1.24.1
+                - v1.24.0
+                - v1.23-latest
+                - v1.23.6
+                - v1.23.5
+                - v1.23.4
+                - v1.23.3
+                - v1.23.2
+                - v1.22-latest
+                - v1.22.8
+                - v1.22.7
+                - v1.22.6
+                - v1.22.5
+                - v1.21.6
+                - master
+                - v1.30-alpha.a30ad733
+                type: string
+            required:
+            - namespace
+            - version
+            type: object
+            x-kubernetes-validations:
+            - message: spec.values.global.istioNamespace must match spec.namespace
+              rule: '!has(self.values) || !has(self.values.global) || !has(self.values.global.istioNamespace)
+                || self.values.global.istioNamespace == self.__namespace__'
+          status:
+            description: IstioStatus defines the observed state of Istio
+            properties:
+              activeRevisionName:
+                description: The name of the active revision.
+                type: string
+              conditions:
+                description: Represents the latest available observations of the object's
+                  current state.
+                items:
+                  description: IstioCondition represents a specific observation of
+                    the IstioCondition object's state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        the last transition.
+                      type: string
+                    reason:
+                      description: Unique, single-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: The status of this condition. Can be True, False
+                        or Unknown.
+                      type: string
+                    type:
+                      description: The type of this condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the most recent generation observed for this
+                  Istio object. It corresponds to the object's generation, which is
+                  updated on mutation by the API Server. The information in the status
+                  pertains to this particular generation of the object.
+                format: int64
+                type: integer
+              revisions:
+                description: Reports information about the underlying IstioRevisions.
+                properties:
+                  inUse:
+                    description: Number of IstioRevisions that are currently in use.
+                    format: int32
+                    type: integer
+                  ready:
+                    description: Number of IstioRevisions that are Ready.
+                    format: int32
+                    type: integer
+                  total:
+                    description: Total number of IstioRevisions currently associated
+                      with this Istio.
+                    format: int32
+                    type: integer
+                required:
+                - inUse
+                - ready
+                - total
+                type: object
+              state:
+                description: Reports the current state of the object.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml
new file mode 100644
index 0000000000..8d5e2095fb
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml
@@ -0,0 +1,7096 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.20.0
+  name: ztunnels.sailoperator.io
+spec:
+  group: sailoperator.io
+  names:
+    categories:
+    - istio-io
+    kind: ZTunnel
+    listKind: ZTunnelList
+    plural: ztunnels
+    singular: ztunnel
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: The namespace for the ztunnel component.
+      jsonPath: .spec.namespace
+      name: Namespace
+      type: string
+    - description: Whether the Istio ztunnel installation is ready to handle requests.
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - description: The current state of this object.
+      jsonPath: .status.state
+      name: Status
+      type: string
+    - description: The version of the Istio ztunnel installation.
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: The age of the object
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: ZTunnel represents a deployment of the Istio ztunnel component.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            default:
+              namespace: ztunnel
+              version: v1.28.3
+            description: ZTunnelSpec defines the desired state of ZTunnel
+            properties:
+              namespace:
+                default: ztunnel
+                description: Namespace to which the Istio ztunnel component should
+                  be installed.
+                type: string
+              values:
+                description: Defines the values to be passed to the Helm charts when
+                  installing Istio ztunnel.
+                properties:
+                  global:
+                    description: Part of the global configuration applicable to the
+                      Istio ztunnel component.
+                    properties:
+                      defaultResources:
+                        description: |-
+                          See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      hub:
+                        description: Specifies the docker hub for Istio images.
+                        type: string
+                      imagePullPolicy:
+                        description: |-
+                          Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent.
+                          Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
+
+                          More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+                        enum:
+                        - Always
+                        - Never
+                        - IfNotPresent
+                        type: string
+                      imagePullSecrets:
+                        description: |-
+                          ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace
+                          to use for pulling any images in pods that reference this ServiceAccount.
+                          Must be set for any cluster configured with private docker registry.
+                        items:
+                          type: string
+                        type: array
+                      logAsJson:
+                        description: Specifies whether istio components should output
+                          logs in json format by adding --log_as_json argument to
+                          each container.
+                        type: boolean
+                      logging:
+                        description: Specifies the global logging level settings for
+                          the Istio control plane components.
+                        properties:
+                          level:
+                            description: |-
+                              Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+                              The control plane has different scopes depending on component, but can configure default log level across all components
+                              If empty, default scope and level will be used as configured in code
+                            type: string
+                        type: object
+                      platform:
+                        description: |-
+                          Platform in which Istio is deployed. Possible values are: "openshift" and "gcp"
+                          An empty value means it is a vanilla Kubernetes distribution, therefore no special
+                          treatment will be considered.
+                        type: string
+                      tag:
+                        description: Specifies the tag for the Istio docker images.
+                        type: string
+                      variant:
+                        description: The variant of the Istio container images to
+                          use. Options are "debug" or "distroless". Unset will use
+                          the default for the given version.
+                        type: string
+                    type: object
+                  ztunnel:
+                    description: Configuration for the Istio ztunnel plugin.
+                    properties:
+                      Annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations to apply to all top level resources
+                        type: object
+                      Labels:
+                        additionalProperties:
+                          type: string
+                        description: Labels to apply to all top level resources
+                        type: object
+                      affinity:
+                        description: K8s affinity to set on the ztunnel Pods. Can
+                          be used to exclude ztunnel from being scheduled on specified
+                          nodes.
+                        properties:
+                          nodeAffinity:
+                            description: Describes node affinity scheduling rules
+                              for the pod.
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node matches the corresponding matchExpressions; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: |-
+                                    An empty preferred scheduling term matches all objects with implicit weight 0
+                                    (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+                                  properties:
+                                    preference:
+                                      description: A node selector term, associated
+                                        with the corresponding weight.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    weight:
+                                      description: Weight associated with matching
+                                        the corresponding nodeSelectorTerm, in the
+                                        range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - preference
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to an update), the system
+                                  may or may not try to eventually evict the pod from its node.
+                                properties:
+                                  nodeSelectorTerms:
+                                    description: Required. A list of node selector
+                                      terms. The terms are ORed.
+                                    items:
+                                      description: |-
+                                        A null or empty node selector term matches no objects. The requirements of
+                                        them are ANDed.
+                                        The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - nodeSelectorTerms
+                                type: object
+                                x-kubernetes-map-type: atomic
+                            type: object
+                          podAffinity:
+                            description: Describes pod affinity scheduling rules (e.g.
+                              co-locate this pod in the same node, zone, etc. as some
+                              other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          podAntiAffinity:
+                            description: Describes pod anti-affinity scheduling rules
+                              (e.g. avoid putting this pod in the same node, zone,
+                              etc. as some other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the anti-affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling anti-affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and subtracting
+                                  "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the anti-affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the anti-affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                        type: object
+                      caAddress:
+                        description: The address of the CA for CSR.
+                        type: string
+                      env:
+                        additionalProperties:
+                          type: string
+                        description: 'A `key: value` mapping of environment variables
+                          to add to the pod'
+                        type: object
+                      hub:
+                        description: Hub to pull the container image from. Image will
+                          be `Hub/Image:Tag-Variant`.
+                        type: string
+                      image:
+                        description: |-
+                          Image name to pull from. Image will be `Hub/Image:Tag-Variant`.
+                          If Image contains a "/", it will replace the entire `image` in the pod.
+                        type: string
+                      imagePullPolicy:
+                        description: |-
+                          Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent.
+                          Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
+
+                          More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+                        enum:
+                        - Always
+                        - Never
+                        - IfNotPresent
+                        type: string
+                      imagePullSecrets:
+                        description: |-
+                          List of secret names to add to the service account as image pull secrets
+                          to use for pulling any images in pods that reference this ServiceAccount.
+                          Must be set for any cluster configured with private docker registry.
+                        items:
+                          type: string
+                        type: array
+                      istioNamespace:
+                        description: Specifies the default namespace for the Istio
+                          control plane components.
+                        type: string
+                      logAsJson:
+                        description: Specifies whether istio components should output
+                          logs in json format by adding --log_as_json argument to
+                          each container.
+                        type: boolean
+                      logLevel:
+                        default: info
+                        description: 'Configuration log level of ztunnel binary, default
+                          is info. Valid values are: trace, debug, info, warn, error.'
+                        enum:
+                        - trace
+                        - debug
+                        - info
+                        - warn
+                        - error
+                        type: string
+                      multiCluster:
+                        description: |-
+                          Settings for multicluster.
+                          The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+                          with Istiod configuration.
+                        properties:
+                          clusterName:
+                            description: |-
+                              The name of the cluster this installation will run in. This is required for sidecar injection
+                              to properly label proxies
+                            type: string
+                          enabled:
+                            description: |-
+                              Enables the connection between two kubernetes clusters via their respective ingressgateway services.
+                              Use if the pods in each cluster cannot directly talk to one another.
+                            type: boolean
+                          globalDomainSuffix:
+                            description: The suffix for global service names.
+                            type: string
+                          includeEnvoyFilter:
+                            description: Enable envoy filter to translate `globalDomainSuffix`
+                              to cluster local suffix for cross cluster communication.
+                            type: boolean
+                        type: object
+                      network:
+                        description: defines the network this cluster belong to. This
+                          name corresponds to the networks in the map of mesh networks.
+                        type: string
+                      nodeSelector:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          K8s node selector settings.
+
+                          See https://kubernetes.io/docs/user-guide/node-selection/
+                        type: object
+                      podAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations added to each pod. The default annotations
+                          are required for scraping prometheus (in most environments).
+                        type: object
+                      podLabels:
+                        additionalProperties:
+                          type: string
+                        description: Additional labels to apply on the pod level.
+                        type: object
+                      resourceName:
+                        description: |-
+                          resourceName, if set, will override the naming of resources. If not set, will default to the release name.
+                          It is recommended to not set this; this is primarily for backwards compatibility.
+                        type: string
+                      resourceQuotas:
+                        description: The resource quotas configuration for ztunnel
+                        properties:
+                          enabled:
+                            description: Controls whether to create resource quotas
+                              or not for the CNI DaemonSet.
+                            type: boolean
+                          pods:
+                            description: The hard limit on the number of pods in the
+                              namespace where the CNI DaemonSet is deployed.
+                            format: int64
+                            type: integer
+                        type: object
+                      resources:
+                        description: The k8s resource requests and limits for the
+                          ztunnel Pods.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      revision:
+                        description: Configures the revision this control plane is
+                          a part of
+                        type: string
+                      seLinuxOptions:
+                        description: Set seLinux options for the ztunnel pod
+                        properties:
+                          level:
+                            description: Level is SELinux level label that applies
+                              to the container.
+                            type: string
+                          role:
+                            description: Role is a SELinux role label that applies
+                              to the container.
+                            type: string
+                          type:
+                            description: Type is a SELinux type label that applies
+                              to the container.
+                            type: string
+                          user:
+                            description: User is a SELinux user label that applies
+                              to the container.
+                            type: string
+                        type: object
+                      tag:
+                        description: The container image tag to pull. Image will be
+                          `Hub/Image:Tag-Variant`.
+                        type: string
+                      terminationGracePeriodSeconds:
+                        default: 30
+                        description: |-
+                          This value defines:
+                          1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+                          2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+                        format: int64
+                        minimum: 0
+                        type: integer
+                      tolerations:
+                        description: Tolerations for the ztunnel pod
+                        items:
+                          description: |-
+                            The pod this Toleration is attached to tolerates any taint that matches
+                            the triple <key,value,effect> using the matching operator <operator>.
+                          properties:
+                            effect:
+                              description: |-
+                                Effect indicates the taint effect to match. Empty means match all taint effects.
+                                When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: |-
+                                Key is the taint key that the toleration applies to. Empty means match all taint keys.
+                                If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                              type: string
+                            operator:
+                              description: |-
+                                Operator represents a key's relationship to the value.
+                                Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+                                Exists is equivalent to wildcard for value, so that a pod can
+                                tolerate all taints of a particular category.
+                                Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+                              type: string
+                            tolerationSeconds:
+                              description: |-
+                                TolerationSeconds represents the period of time the toleration (which must be
+                                of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+                                it is not set, which means tolerate the taint forever (do not evict). Zero and
+                                negative values will be treated as 0 (evict immediately) by the system.
+                              format: int64
+                              type: integer
+                            value:
+                              description: |-
+                                Value is the taint value the toleration matches to.
+                                If the operator is Exists, the value should be empty, otherwise just a regular string.
+                              type: string
+                          type: object
+                        type: array
+                      updateStrategy:
+                        description: Defines the update strategy to use when the version
+                          in the Ztunnel CR is updated.
+                        properties:
+                          rollingUpdate:
+                            description: Rolling update config params. Present only
+                              if type = "RollingUpdate".
+                            properties:
+                              maxSurge:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  The maximum number of nodes with an existing available DaemonSet pod that
+                                  can have an updated DaemonSet pod during during an update.
+                                  Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+                                  This can not be 0 if MaxUnavailable is 0.
+                                  Absolute number is calculated from percentage by rounding up to a minimum of 1.
+                                  Default value is 0.
+                                  Example: when this is set to 30%, at most 30% of the total number of nodes
+                                  that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+                                  can have their a new pod created before the old pod is marked as deleted.
+                                  The update starts by launching new pods on 30% of nodes. Once an updated
+                                  pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+                                  on that node is marked deleted. If the old pod becomes unavailable for any
+                                  reason (Ready transitions to false, is evicted, or is drained) an updated
+                                  pod is immediately created on that node without considering surge limits.
+                                  Allowing surge implies the possibility that the resources consumed by the
+                                  daemonset on any given node can double if the readiness check fails, and
+                                  so resource intensive daemonsets should take into account that they may
+                                  cause evictions during disruption.
+                                x-kubernetes-int-or-string: true
+                              maxUnavailable:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  The maximum number of DaemonSet pods that can be unavailable during the
+                                  update. Value can be an absolute number (ex: 5) or a percentage of total
+                                  number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+                                  number is calculated from percentage by rounding up.
+                                  This cannot be 0 if MaxSurge is 0
+                                  Default value is 1.
+                                  Example: when this is set to 30%, at most 30% of the total number of nodes
+                                  that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+                                  can have their pods stopped for an update at any given time. The update
+                                  starts by stopping at most 30% of those DaemonSet pods and then brings
+                                  up new DaemonSet pods in their place. Once the new pods are available,
+                                  it then proceeds onto other DaemonSet pods, thus ensuring that at least
+                                  70% of original number of DaemonSet pods are available at all times during
+                                  the update.
+                                x-kubernetes-int-or-string: true
+                            type: object
+                          type:
+                            description: Type of daemon set update. Can be "RollingUpdate"
+                              or "OnDelete". Default is RollingUpdate.
+                            type: string
+                        type: object
+                      variant:
+                        description: The container image variant to pull. Options
+                          are "debug" or "distroless". Unset will use the default
+                          for the given version.
+                        type: string
+                      volumeMounts:
+                        description: Additional volumeMounts to the ztunnel container
+                        items:
+                          description: VolumeMount describes a mounting of a Volume
+                            within a container.
+                          properties:
+                            mountPath:
+                              description: |-
+                                Path within the container at which the volume should be mounted.  Must
+                                not contain ':'.
+                              type: string
+                            mountPropagation:
+                              description: |-
+                                mountPropagation determines how mounts are propagated from the host
+                                to container and the other way around.
+                                When not set, MountPropagationNone is used.
+                                This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
+                              type: string
+                            name:
+                              description: This must match the Name of a Volume.
+                              type: string
+                            readOnly:
+                              description: |-
+                                Mounted read-only if true, read-write otherwise (false or unspecified).
+                                Defaults to false.
+                              type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
+                            subPath:
+                              description: |-
+                                Path within the volume from which the container's volume should be mounted.
+                                Defaults to "" (volume's root).
+                              type: string
+                            subPathExpr:
+                              description: |-
+                                Expanded path within the volume from which the container's volume should be mounted.
+                                Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+                                Defaults to "" (volume's root).
+                                SubPathExpr and SubPath are mutually exclusive.
+                              type: string
+                          required:
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                      volumes:
+                        description: Additional volumes to add to the ztunnel Pod.
+                        items:
+                          description: Volume represents a named volume in a pod that
+                            may be accessed by any container in the pod.
+                          properties:
+                            awsElasticBlockStore:
+                              description: |-
+                                awsElasticBlockStore represents an AWS Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: string
+                                partition:
+                                  description: |-
+                                    partition is the partition in the volume that you want to mount.
+                                    If omitted, the default is to mount by volume name.
+                                    Examples: For volume /dev/sda1, you specify the partition as "1".
+                                    Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+                                  format: int32
+                                  type: integer
+                                readOnly:
+                                  description: |-
+                                    readOnly value true will force the readOnly setting in VolumeMounts.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: boolean
+                                volumeID:
+                                  description: |-
+                                    volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            azureDisk:
+                              description: |-
+                                azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                are redirected to the disk.csi.azure.com CSI driver.
+                              properties:
+                                cachingMode:
+                                  description: 'cachingMode is the Host Caching mode:
+                                    None, Read Only, Read Write.'
+                                  type: string
+                                diskName:
+                                  description: diskName is the Name of the data disk
+                                    in the blob storage
+                                  type: string
+                                diskURI:
+                                  description: diskURI is the URI of data disk in
+                                    the blob storage
+                                  type: string
+                                fsType:
+                                  default: ext4
+                                  description: |-
+                                    fsType is Filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                kind:
+                                  description: 'kind expected values are Shared: multiple
+                                    blob disks per storage account  Dedicated: single
+                                    blob disk per storage account  Managed: azure
+                                    managed data disk (only in managed availability
+                                    set). defaults to shared'
+                                  type: string
+                                readOnly:
+                                  default: false
+                                  description: |-
+                                    readOnly Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                              required:
+                              - diskName
+                              - diskURI
+                              type: object
+                            azureFile:
+                              description: |-
+                                azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                are redirected to the file.csi.azure.com CSI driver.
+                              properties:
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretName:
+                                  description: secretName is the  name of secret that
+                                    contains Azure Storage Account Name and Key
+                                  type: string
+                                shareName:
+                                  description: shareName is the azure share Name
+                                  type: string
+                              required:
+                              - secretName
+                              - shareName
+                              type: object
+                            cephfs:
+                              description: |-
+                                cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
+                              properties:
+                                monitors:
+                                  description: |-
+                                    monitors is Required: Monitors is a collection of Ceph monitors
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                path:
+                                  description: 'path is Optional: Used as the mounted
+                                    root, rather than the full Ceph tree, default
+                                    is /'
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: boolean
+                                secretFile:
+                                  description: |-
+                                    secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: string
+                                secretRef:
+                                  description: |-
+                                    secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                user:
+                                  description: |-
+                                    user is optional: User is the rados user name, default is admin
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: string
+                              required:
+                              - monitors
+                              type: object
+                            cinder:
+                              description: |-
+                                cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                are redirected to the cinder.csi.openstack.org CSI driver.
+                                More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is optional: points to a secret object containing parameters used to connect
+                                    to OpenStack.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                volumeID:
+                                  description: |-
+                                    volumeID used to identify the volume in cinder.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            configMap:
+                              description: configMap represents a configMap that should
+                                populate this volume
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode is optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: |-
+                                    items if unspecified, each key-value pair in the Data field of the referenced
+                                    ConfigMap will be projected into the volume as a file whose name is the
+                                    key and content is the value. If specified, the listed keys will be
+                                    projected into the specified paths, and unlisted keys will not be
+                                    present. If a key is specified which is not present in the ConfigMap,
+                                    the volume setup will error unless it is marked optional. Paths must be
+                                    relative and may not contain the '..' path or start with '..'.
+                                  items:
+                                    description: Maps a string key to a path within
+                                      a volume.
+                                    properties:
+                                      key:
+                                        description: key is the key to project.
+                                        type: string
+                                      mode:
+                                        description: |-
+                                          mode is Optional: mode bits used to set permissions on this file.
+                                          Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: |-
+                                          path is the relative path of the file to map the key to.
+                                          May not be an absolute path.
+                                          May not contain the path element '..'.
+                                          May not start with the string '..'.
+                                        type: string
+                                    required:
+                                    - key
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                name:
+                                  default: ""
+                                  description: |-
+                                    Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                  type: string
+                                optional:
+                                  description: optional specify whether the ConfigMap
+                                    or its keys must be defined
+                                  type: boolean
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            csi:
+                              description: csi (Container Storage Interface) represents
+                                ephemeral storage that is handled by certain external
+                                CSI drivers.
+                              properties:
+                                driver:
+                                  description: |-
+                                    driver is the name of the CSI driver that handles this volume.
+                                    Consult with your admin for the correct name as registered in the cluster.
+                                  type: string
+                                fsType:
+                                  description: |-
+                                    fsType to mount. Ex. "ext4", "xfs", "ntfs".
+                                    If not provided, the empty value is passed to the associated CSI driver
+                                    which will determine the default filesystem to apply.
+                                  type: string
+                                nodePublishSecretRef:
+                                  description: |-
+                                    nodePublishSecretRef is a reference to the secret object containing
+                                    sensitive information to pass to the CSI driver to complete the CSI
+                                    NodePublishVolume and NodeUnpublishVolume calls.
+                                    This field is optional, and  may be empty if no secret is required. If the
+                                    secret object contains more than one secret, all secret references are passed.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                readOnly:
+                                  description: |-
+                                    readOnly specifies a read-only configuration for the volume.
+                                    Defaults to false (read/write).
+                                  type: boolean
+                                volumeAttributes:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    volumeAttributes stores driver-specific properties that are passed to the CSI
+                                    driver. Consult your driver's documentation for supported values.
+                                  type: object
+                              required:
+                              - driver
+                              type: object
+                            downwardAPI:
+                              description: downwardAPI represents downward API about
+                                the pod that should populate this volume
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    Optional: mode bits to use on created files by default. Must be a
+                                    Optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: Items is a list of downward API volume
+                                    file
+                                  items:
+                                    description: DownwardAPIVolumeFile represents
+                                      information to create the file containing the
+                                      pod field
+                                    properties:
+                                      fieldRef:
+                                        description: 'Required: Selects a field of
+                                          the pod: only annotations, labels, name,
+                                          namespace and uid are supported.'
+                                        properties:
+                                          apiVersion:
+                                            description: Version of the schema the
+                                              FieldPath is written in terms of, defaults
+                                              to "v1".
+                                            type: string
+                                          fieldPath:
+                                            description: Path of the field to select
+                                              in the specified API version.
+                                            type: string
+                                        required:
+                                        - fieldPath
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      mode:
+                                        description: |-
+                                          Optional: mode bits used to set permissions on this file, must be an octal value
+                                          between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: 'Required: Path is  the relative
+                                          path name of the file to be created. Must
+                                          not be absolute or contain the ''..'' path.
+                                          Must be utf-8 encoded. The first item of
+                                          the relative path must not start with ''..'''
+                                        type: string
+                                      resourceFieldRef:
+                                        description: |-
+                                          Selects a resource of the container: only resources limits and requests
+                                          (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+                                        properties:
+                                          containerName:
+                                            description: 'Container name: required
+                                              for volumes, optional for env vars'
+                                            type: string
+                                          divisor:
+                                            anyOf:
+                                            - type: integer
+                                            - type: string
+                                            description: Specifies the output format
+                                              of the exposed resources, defaults to
+                                              "1"
+                                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                            x-kubernetes-int-or-string: true
+                                          resource:
+                                            description: 'Required: resource to select'
+                                            type: string
+                                        required:
+                                        - resource
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                    required:
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            emptyDir:
+                              description: |-
+                                emptyDir represents a temporary directory that shares a pod's lifetime.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                              properties:
+                                medium:
+                                  description: |-
+                                    medium represents what type of storage medium should back this directory.
+                                    The default is "" which means to use the node's default medium.
+                                    Must be an empty string (default) or Memory.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                                  type: string
+                                sizeLimit:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  description: |-
+                                    sizeLimit is the total amount of local storage required for this EmptyDir volume.
+                                    The size limit is also applicable for memory medium.
+                                    The maximum usage on memory medium EmptyDir would be the minimum value between
+                                    the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+                                    The default is nil which means that the limit is undefined.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                              type: object
+                            ephemeral:
+                              description: |-
+                                ephemeral represents a volume that is handled by a cluster storage driver.
+                                The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+                                and deleted when the pod is removed.
+
+                                Use this if:
+                                a) the volume is only needed while the pod runs,
+                                b) features of normal volumes like restoring from snapshot or capacity
+                                   tracking are needed,
+                                c) the storage driver is specified through a storage class, and
+                                d) the storage driver supports dynamic volume provisioning through
+                                   a PersistentVolumeClaim (see EphemeralVolumeSource for more
+                                   information on the connection between this volume type
+                                   and PersistentVolumeClaim).
+
+                                Use PersistentVolumeClaim or one of the vendor-specific
+                                APIs for volumes that persist for longer than the lifecycle
+                                of an individual pod.
+
+                                Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+                                be used that way - see the documentation of the driver for
+                                more information.
+
+                                A pod can use both types of ephemeral volumes and
+                                persistent volumes at the same time.
+                              properties:
+                                volumeClaimTemplate:
+                                  description: |-
+                                    Will be used to create a stand-alone PVC to provision the volume.
+                                    The pod in which this EphemeralVolumeSource is embedded will be the
+                                    owner of the PVC, i.e. the PVC will be deleted together with the
+                                    pod.  The name of the PVC will be `<pod name>-<volume name>` where
+                                    `<volume name>` is the name from the `PodSpec.Volumes` array
+                                    entry. Pod validation will reject the pod if the concatenated name
+                                    is not valid for a PVC (for example, too long).
+
+                                    An existing PVC with that name that is not owned by the pod
+                                    will *not* be used for the pod to avoid using an unrelated
+                                    volume by mistake. Starting the pod is then blocked until
+                                    the unrelated PVC is removed. If such a pre-created PVC is
+                                    meant to be used by the pod, the PVC has to updated with an
+                                    owner reference to the pod once the pod exists. Normally
+                                    this should not be necessary, but it may be useful when
+                                    manually reconstructing a broken cluster.
+
+                                    This field is read-only and no changes will be made by Kubernetes
+                                    to the PVC after it has been created.
+
+                                    Required, must not be nil.
+                                  properties:
+                                    metadata:
+                                      description: |-
+                                        May contain labels and annotations that will be copied into the PVC
+                                        when creating it. No other fields are allowed and will be rejected during
+                                        validation.
+                                      type: object
+                                    spec:
+                                      description: |-
+                                        The specification for the PersistentVolumeClaim. The entire content is
+                                        copied unchanged into the PVC that gets created from this
+                                        template. The same fields as in a PersistentVolumeClaim
+                                        are also valid here.
+                                      properties:
+                                        accessModes:
+                                          description: |-
+                                            accessModes contains the desired access modes the volume should have.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        dataSource:
+                                          description: |-
+                                            dataSource field can be used to specify either:
+                                            * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+                                            * An existing PVC (PersistentVolumeClaim)
+                                            If the provisioner or an external controller can support the specified data source,
+                                            it will create a new volume based on the contents of the specified data source.
+                                            When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+                                            and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+                                            If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+                                          properties:
+                                            apiGroup:
+                                              description: |-
+                                                APIGroup is the group for the resource being referenced.
+                                                If APIGroup is not specified, the specified Kind must be in the core API group.
+                                                For any other third-party types, APIGroup is required.
+                                              type: string
+                                            kind:
+                                              description: Kind is the type of resource
+                                                being referenced
+                                              type: string
+                                            name:
+                                              description: Name is the name of resource
+                                                being referenced
+                                              type: string
+                                          required:
+                                          - kind
+                                          - name
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        dataSourceRef:
+                                          description: |-
+                                            dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+                                            volume is desired. This may be any object from a non-empty API group (non
+                                            core object) or a PersistentVolumeClaim object.
+                                            When this field is specified, volume binding will only succeed if the type of
+                                            the specified object matches some installed volume populator or dynamic
+                                            provisioner.
+                                            This field will replace the functionality of the dataSource field and as such
+                                            if both fields are non-empty, they must have the same value. For backwards
+                                            compatibility, when namespace isn't specified in dataSourceRef,
+                                            both fields (dataSource and dataSourceRef) will be set to the same
+                                            value automatically if one of them is empty and the other is non-empty.
+                                            When namespace is specified in dataSourceRef,
+                                            dataSource isn't set to the same value and must be empty.
+                                            There are three important differences between dataSource and dataSourceRef:
+                                            * While dataSource only allows two specific types of objects, dataSourceRef
+                                              allows any non-core object, as well as PersistentVolumeClaim objects.
+                                            * While dataSource ignores disallowed values (dropping them), dataSourceRef
+                                              preserves all values, and generates an error if a disallowed value is
+                                              specified.
+                                            * While dataSource only allows local objects, dataSourceRef allows objects
+                                              in any namespaces.
+                                            (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+                                            (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+                                          properties:
+                                            apiGroup:
+                                              description: |-
+                                                APIGroup is the group for the resource being referenced.
+                                                If APIGroup is not specified, the specified Kind must be in the core API group.
+                                                For any other third-party types, APIGroup is required.
+                                              type: string
+                                            kind:
+                                              description: Kind is the type of resource
+                                                being referenced
+                                              type: string
+                                            name:
+                                              description: Name is the name of resource
+                                                being referenced
+                                              type: string
+                                            namespace:
+                                              description: |-
+                                                Namespace is the namespace of resource being referenced
+                                                Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+                                                (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+                                              type: string
+                                          required:
+                                          - kind
+                                          - name
+                                          type: object
+                                        resources:
+                                          description: |-
+                                            resources represents the minimum resources the volume should have.
+                                            Users are allowed to specify resource requirements
+                                            that are lower than previous value but must still be higher than capacity recorded in the
+                                            status field of the claim.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+                                          properties:
+                                            limits:
+                                              additionalProperties:
+                                                anyOf:
+                                                - type: integer
+                                                - type: string
+                                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                x-kubernetes-int-or-string: true
+                                              description: |-
+                                                Limits describes the maximum amount of compute resources allowed.
+                                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                              type: object
+                                            requests:
+                                              additionalProperties:
+                                                anyOf:
+                                                - type: integer
+                                                - type: string
+                                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                x-kubernetes-int-or-string: true
+                                              description: |-
+                                                Requests describes the minimum amount of compute resources required.
+                                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                              type: object
+                                          type: object
+                                        selector:
+                                          description: selector is a label query over
+                                            volumes to consider for binding.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        storageClassName:
+                                          description: |-
+                                            storageClassName is the name of the StorageClass required by the claim.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+                                          type: string
+                                        volumeAttributesClassName:
+                                          description: |-
+                                            volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                            If specified, the CSI driver will create or update the volume with the attributes defined
+                                            in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                            it can be changed after the claim is created. An empty string or nil value indicates that no
+                                            VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                            this field can be reset to its previous value (including nil) to cancel the modification.
+                                            If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                            set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                            exists.
+                                            More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                          type: string
+                                        volumeMode:
+                                          description: |-
+                                            volumeMode defines what type of volume is required by the claim.
+                                            Value of Filesystem is implied when not included in claim spec.
+                                          type: string
+                                        volumeName:
+                                          description: volumeName is the binding reference
+                                            to the PersistentVolume backing this claim.
+                                          type: string
+                                      type: object
+                                  required:
+                                  - spec
+                                  type: object
+                              type: object
+                            fc:
+                              description: fc represents a Fibre Channel resource
+                                that is attached to a kubelet's host machine and then
+                                exposed to the pod.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                lun:
+                                  description: 'lun is Optional: FC target lun number'
+                                  format: int32
+                                  type: integer
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                targetWWNs:
+                                  description: 'targetWWNs is Optional: FC target
+                                    worldwide names (WWNs)'
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                wwids:
+                                  description: |-
+                                    wwids Optional: FC volume world wide identifiers (wwids)
+                                    Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            flexVolume:
+                              description: |-
+                                flexVolume represents a generic volume resource that is
+                                provisioned/attached using an exec based plugin.
+                                Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
+                              properties:
+                                driver:
+                                  description: driver is the name of the driver to
+                                    use for this volume.
+                                  type: string
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+                                  type: string
+                                options:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'options is Optional: this field holds
+                                    extra command options if any.'
+                                  type: object
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is Optional: secretRef is reference to the secret object containing
+                                    sensitive information to pass to the plugin scripts. This may be
+                                    empty if no secret object is specified. If the secret object
+                                    contains more than one secret, all secrets are passed to the plugin
+                                    scripts.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                              required:
+                              - driver
+                              type: object
+                            flocker:
+                              description: |-
+                                flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
+                              properties:
+                                datasetName:
+                                  description: |-
+                                    datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+                                    should be considered as deprecated
+                                  type: string
+                                datasetUUID:
+                                  description: datasetUUID is the UUID of the dataset.
+                                    This is unique identifier of a Flocker dataset
+                                  type: string
+                              type: object
+                            gcePersistentDisk:
+                              description: |-
+                                gcePersistentDisk represents a GCE Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: string
+                                partition:
+                                  description: |-
+                                    partition is the partition in the volume that you want to mount.
+                                    If omitted, the default is to mount by volume name.
+                                    Examples: For volume /dev/sda1, you specify the partition as "1".
+                                    Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  format: int32
+                                  type: integer
+                                pdName:
+                                  description: |-
+                                    pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: boolean
+                              required:
+                              - pdName
+                              type: object
+                            gitRepo:
+                              description: |-
+                                gitRepo represents a git repository at a particular revision.
+                                Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+                                into the Pod's container.
+                              properties:
+                                directory:
+                                  description: |-
+                                    directory is the target directory name.
+                                    Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
+                                    git repository.  Otherwise, if specified, the volume will contain the git repository in
+                                    the subdirectory with the given name.
+                                  type: string
+                                repository:
+                                  description: repository is the URL
+                                  type: string
+                                revision:
+                                  description: revision is the commit hash for the
+                                    specified revision.
+                                  type: string
+                              required:
+                              - repository
+                              type: object
+                            glusterfs:
+                              description: |-
+                                glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
+                              properties:
+                                endpoints:
+                                  description: endpoints is the endpoint name that
+                                    details Glusterfs topology.
+                                  type: string
+                                path:
+                                  description: |-
+                                    path is the Glusterfs volume path.
+                                    More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+                                    Defaults to false.
+                                    More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                  type: boolean
+                              required:
+                              - endpoints
+                              - path
+                              type: object
+                            hostPath:
+                              description: |-
+                                hostPath represents a pre-existing file or directory on the host
+                                machine that is directly exposed to the container. This is generally
+                                used for system agents or other privileged things that are allowed
+                                to see the host machine. Most containers will NOT need this.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                              properties:
+                                path:
+                                  description: |-
+                                    path of the directory on the host.
+                                    If the path is a symlink, it will follow the link to the real path.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                                  type: string
+                                type:
+                                  description: |-
+                                    type for HostPath Volume
+                                    Defaults to ""
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                                  type: string
+                              required:
+                              - path
+                              type: object
+                            image:
+                              description: |-
+                                image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
+                                The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                              properties:
+                                pullPolicy:
+                                  description: |-
+                                    Policy for pulling OCI objects. Possible values are:
+                                    Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                    Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                    IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                    Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                  type: string
+                                reference:
+                                  description: |-
+                                    Required: Image or artifact reference to be used.
+                                    Behaves in the same way as pod.spec.containers[*].image.
+                                    Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                    More info: https://kubernetes.io/docs/concepts/containers/images
+                                    This field is optional to allow higher level config management to default or override
+                                    container images in workload controllers like Deployments and StatefulSets.
+                                  type: string
+                              type: object
+                            iscsi:
+                              description: |-
+                                iscsi represents an ISCSI Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
+                              properties:
+                                chapAuthDiscovery:
+                                  description: chapAuthDiscovery defines whether support
+                                    iSCSI Discovery CHAP authentication
+                                  type: boolean
+                                chapAuthSession:
+                                  description: chapAuthSession defines whether support
+                                    iSCSI Session CHAP authentication
+                                  type: boolean
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+                                  type: string
+                                initiatorName:
+                                  description: |-
+                                    initiatorName is the custom iSCSI Initiator Name.
+                                    If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+                                    <target portal>:<volume name> will be created for the connection.
+                                  type: string
+                                iqn:
+                                  description: iqn is the target iSCSI Qualified Name.
+                                  type: string
+                                iscsiInterface:
+                                  default: default
+                                  description: |-
+                                    iscsiInterface is the interface Name that uses an iSCSI transport.
+                                    Defaults to 'default' (tcp).
+                                  type: string
+                                lun:
+                                  description: lun represents iSCSI Target Lun number.
+                                  format: int32
+                                  type: integer
+                                portals:
+                                  description: |-
+                                    portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+                                    is other than default (typically TCP ports 860 and 3260).
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                  type: boolean
+                                secretRef:
+                                  description: secretRef is the CHAP Secret for iSCSI
+                                    target and initiator authentication
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                targetPortal:
+                                  description: |-
+                                    targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+                                    is other than default (typically TCP ports 860 and 3260).
+                                  type: string
+                              required:
+                              - iqn
+                              - lun
+                              - targetPortal
+                              type: object
+                            name:
+                              description: |-
+                                name of the volume.
+                                Must be a DNS_LABEL and unique within the pod.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                            nfs:
+                              description: |-
+                                nfs represents an NFS mount on the host that shares a pod's lifetime
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                              properties:
+                                path:
+                                  description: |-
+                                    path that is exported by the NFS server.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the NFS export to be mounted with read-only permissions.
+                                    Defaults to false.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: boolean
+                                server:
+                                  description: |-
+                                    server is the hostname or IP address of the NFS server.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: string
+                              required:
+                              - path
+                              - server
+                              type: object
+                            persistentVolumeClaim:
+                              description: |-
+                                persistentVolumeClaimVolumeSource represents a reference to a
+                                PersistentVolumeClaim in the same namespace.
+                                More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+                              properties:
+                                claimName:
+                                  description: |-
+                                    claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+                                    More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly Will force the ReadOnly setting in VolumeMounts.
+                                    Default false.
+                                  type: boolean
+                              required:
+                              - claimName
+                              type: object
+                            photonPersistentDisk:
+                              description: |-
+                                photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                pdID:
+                                  description: pdID is the ID that identifies Photon
+                                    Controller persistent disk
+                                  type: string
+                              required:
+                              - pdID
+                              type: object
+                            portworxVolume:
+                              description: |-
+                                portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                is on.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fSType represents the filesystem type to mount
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                volumeID:
+                                  description: volumeID uniquely identifies a Portworx
+                                    volume
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            projected:
+                              description: projected items for all in one resources
+                                secrets, configmaps, and downward API
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode are the mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                sources:
+                                  description: |-
+                                    sources is the list of volume projections. Each entry in this list
+                                    handles one source.
+                                  items:
+                                    description: |-
+                                      Projection that may be projected along with other supported volume types.
+                                      Exactly one of these fields must be set.
+                                    properties:
+                                      clusterTrustBundle:
+                                        description: |-
+                                          ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                          of ClusterTrustBundle objects in an auto-updating file.
+
+                                          Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                          ClusterTrustBundle objects can either be selected by name, or by the
+                                          combination of signer name and a label selector.
+
+                                          Kubelet performs aggressive normalization of the PEM contents written
+                                          into the pod filesystem.  Esoteric PEM features such as inter-block
+                                          comments and block headers are stripped.  Certificates are deduplicated.
+                                          The ordering of certificates within the file is arbitrary, and Kubelet
+                                          may change the order over time.
+                                        properties:
+                                          labelSelector:
+                                            description: |-
+                                              Select all ClusterTrustBundles that match this label selector.  Only has
+                                              effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                              interpreted as "match nothing".  If set but empty, interpreted as "match
+                                              everything".
+                                            properties:
+                                              matchExpressions:
+                                                description: matchExpressions is a
+                                                  list of label selector requirements.
+                                                  The requirements are ANDed.
+                                                items:
+                                                  description: |-
+                                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                                    relates the key and values.
+                                                  properties:
+                                                    key:
+                                                      description: key is the label
+                                                        key that the selector applies
+                                                        to.
+                                                      type: string
+                                                    operator:
+                                                      description: |-
+                                                        operator represents a key's relationship to a set of values.
+                                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                      type: string
+                                                    values:
+                                                      description: |-
+                                                        values is an array of string values. If the operator is In or NotIn,
+                                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                        the values array must be empty. This array is replaced during a strategic
+                                                        merge patch.
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                      x-kubernetes-list-type: atomic
+                                                  required:
+                                                  - key
+                                                  - operator
+                                                  type: object
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                              matchLabels:
+                                                additionalProperties:
+                                                  type: string
+                                                description: |-
+                                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                type: object
+                                            type: object
+                                            x-kubernetes-map-type: atomic
+                                          name:
+                                            description: |-
+                                              Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                              with signerName and labelSelector.
+                                            type: string
+                                          optional:
+                                            description: |-
+                                              If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                              aren't available.  If using name, then the named ClusterTrustBundle is
+                                              allowed not to exist.  If using signerName, then the combination of
+                                              signerName and labelSelector is allowed to match zero
+                                              ClusterTrustBundles.
+                                            type: boolean
+                                          path:
+                                            description: Relative path from the volume
+                                              root to write the bundle.
+                                            type: string
+                                          signerName:
+                                            description: |-
+                                              Select all ClusterTrustBundles that match this signer name.
+                                              Mutually-exclusive with name.  The contents of all selected
+                                              ClusterTrustBundles will be unified and deduplicated.
+                                            type: string
+                                        required:
+                                        - path
+                                        type: object
+                                      configMap:
+                                        description: configMap information about the
+                                          configMap data to project
+                                        properties:
+                                          items:
+                                            description: |-
+                                              items if unspecified, each key-value pair in the Data field of the referenced
+                                              ConfigMap will be projected into the volume as a file whose name is the
+                                              key and content is the value. If specified, the listed keys will be
+                                              projected into the specified paths, and unlisted keys will not be
+                                              present. If a key is specified which is not present in the ConfigMap,
+                                              the volume setup will error unless it is marked optional. Paths must be
+                                              relative and may not contain the '..' path or start with '..'.
+                                            items:
+                                              description: Maps a string key to a
+                                                path within a volume.
+                                              properties:
+                                                key:
+                                                  description: key is the key to project.
+                                                  type: string
+                                                mode:
+                                                  description: |-
+                                                    mode is Optional: mode bits used to set permissions on this file.
+                                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: |-
+                                                    path is the relative path of the file to map the key to.
+                                                    May not be an absolute path.
+                                                    May not contain the path element '..'.
+                                                    May not start with the string '..'.
+                                                  type: string
+                                              required:
+                                              - key
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          name:
+                                            default: ""
+                                            description: |-
+                                              Name of the referent.
+                                              This field is effectively required, but due to backwards compatibility is
+                                              allowed to be empty. Instances of this type with an empty value here are
+                                              almost certainly wrong.
+                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                            type: string
+                                          optional:
+                                            description: optional specify whether
+                                              the ConfigMap or its keys must be defined
+                                            type: boolean
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      downwardAPI:
+                                        description: downwardAPI information about
+                                          the downwardAPI data to project
+                                        properties:
+                                          items:
+                                            description: Items is a list of DownwardAPIVolume
+                                              file
+                                            items:
+                                              description: DownwardAPIVolumeFile represents
+                                                information to create the file containing
+                                                the pod field
+                                              properties:
+                                                fieldRef:
+                                                  description: 'Required: Selects
+                                                    a field of the pod: only annotations,
+                                                    labels, name, namespace and uid
+                                                    are supported.'
+                                                  properties:
+                                                    apiVersion:
+                                                      description: Version of the
+                                                        schema the FieldPath is written
+                                                        in terms of, defaults to "v1".
+                                                      type: string
+                                                    fieldPath:
+                                                      description: Path of the field
+                                                        to select in the specified
+                                                        API version.
+                                                      type: string
+                                                  required:
+                                                  - fieldPath
+                                                  type: object
+                                                  x-kubernetes-map-type: atomic
+                                                mode:
+                                                  description: |-
+                                                    Optional: mode bits used to set permissions on this file, must be an octal value
+                                                    between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: 'Required: Path is  the
+                                                    relative path name of the file
+                                                    to be created. Must not be absolute
+                                                    or contain the ''..'' path. Must
+                                                    be utf-8 encoded. The first item
+                                                    of the relative path must not
+                                                    start with ''..'''
+                                                  type: string
+                                                resourceFieldRef:
+                                                  description: |-
+                                                    Selects a resource of the container: only resources limits and requests
+                                                    (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+                                                  properties:
+                                                    containerName:
+                                                      description: 'Container name:
+                                                        required for volumes, optional
+                                                        for env vars'
+                                                      type: string
+                                                    divisor:
+                                                      anyOf:
+                                                      - type: integer
+                                                      - type: string
+                                                      description: Specifies the output
+                                                        format of the exposed resources,
+                                                        defaults to "1"
+                                                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                      x-kubernetes-int-or-string: true
+                                                    resource:
+                                                      description: 'Required: resource
+                                                        to select'
+                                                      type: string
+                                                  required:
+                                                  - resource
+                                                  type: object
+                                                  x-kubernetes-map-type: atomic
+                                              required:
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        type: object
+                                      podCertificate:
+                                        description: |-
+                                          Projects an auto-rotating credential bundle (private key and certificate
+                                          chain) that the pod can use either as a TLS client or server.
+
+                                          Kubelet generates a private key and uses it to send a
+                                          PodCertificateRequest to the named signer.  Once the signer approves the
+                                          request and issues a certificate chain, Kubelet writes the key and
+                                          certificate chain to the pod filesystem.  The pod does not start until
+                                          certificates have been issued for each podCertificate projected volume
+                                          source in its spec.
+
+                                          Kubelet will begin trying to rotate the certificate at the time indicated
+                                          by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                          timestamp.
+
+                                          Kubelet can write a single file, indicated by the credentialBundlePath
+                                          field, or separate files, indicated by the keyPath and
+                                          certificateChainPath fields.
+
+                                          The credential bundle is a single file in PEM format.  The first PEM
+                                          entry is the private key (in PKCS#8 format), and the remaining PEM
+                                          entries are the certificate chain issued by the signer (typically,
+                                          signers will return their certificate chain in leaf-to-root order).
+
+                                          Prefer using the credential bundle format, since your application code
+                                          can read it atomically.  If you use keyPath and certificateChainPath,
+                                          your application must make two separate file reads. If these coincide
+                                          with a certificate rotation, it is possible that the private key and leaf
+                                          certificate you read may not correspond to each other.  Your application
+                                          will need to check for this condition, and re-read until they are
+                                          consistent.
+
+                                          The named signer controls chooses the format of the certificate it
+                                          issues; consult the signer implementation's documentation to learn how to
+                                          use the certificates it issues.
+                                        properties:
+                                          certificateChainPath:
+                                            description: |-
+                                              Write the certificate chain at this path in the projected volume.
+
+                                              Most applications should use credentialBundlePath.  When using keyPath
+                                              and certificateChainPath, your application needs to check that the key
+                                              and leaf certificate are consistent, because it is possible to read the
+                                              files mid-rotation.
+                                            type: string
+                                          credentialBundlePath:
+                                            description: |-
+                                              Write the credential bundle at this path in the projected volume.
+
+                                              The credential bundle is a single file that contains multiple PEM blocks.
+                                              The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                              key.
+
+                                              The remaining blocks are CERTIFICATE blocks, containing the issued
+                                              certificate chain from the signer (leaf and any intermediates).
+
+                                              Using credentialBundlePath lets your Pod's application code make a single
+                                              atomic read that retrieves a consistent key and certificate chain.  If you
+                                              project them to separate files, your application code will need to
+                                              additionally check that the leaf certificate was issued to the key.
+                                            type: string
+                                          keyPath:
+                                            description: |-
+                                              Write the key at this path in the projected volume.
+
+                                              Most applications should use credentialBundlePath.  When using keyPath
+                                              and certificateChainPath, your application needs to check that the key
+                                              and leaf certificate are consistent, because it is possible to read the
+                                              files mid-rotation.
+                                            type: string
+                                          keyType:
+                                            description: |-
+                                              The type of keypair Kubelet will generate for the pod.
+
+                                              Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                              "ECDSAP521", and "ED25519".
+                                            type: string
+                                          maxExpirationSeconds:
+                                            description: |-
+                                              maxExpirationSeconds is the maximum lifetime permitted for the
+                                              certificate.
+
+                                              Kubelet copies this value verbatim into the PodCertificateRequests it
+                                              generates for this projection.
+
+                                              If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                              will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                              value is 7862400 (91 days).
+
+                                              The signer implementation is then free to issue a certificate with any
+                                              lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                              seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                              `kubernetes.io` signers will never issue certificates with a lifetime
+                                              longer than 24 hours.
+                                            format: int32
+                                            type: integer
+                                          signerName:
+                                            description: Kubelet's generated CSRs
+                                              will be addressed to this signer.
+                                            type: string
+                                          userAnnotations:
+                                            additionalProperties:
+                                              type: string
+                                            description: |-
+                                              userAnnotations allow pod authors to pass additional information to
+                                              the signer implementation.  Kubernetes does not restrict or validate this
+                                              metadata in any way.
+
+                                              These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+                                              the PodCertificateRequest objects that Kubelet creates.
+
+                                              Entries are subject to the same validation as object metadata annotations,
+                                              with the addition that all keys must be domain-prefixed. No restrictions
+                                              are placed on values, except an overall size limitation on the entire field.
+
+                                              Signers should document the keys and values they support. Signers should
+                                              deny requests that contain keys they do not recognize.
+                                            type: object
+                                        required:
+                                        - keyType
+                                        - signerName
+                                        type: object
+                                      secret:
+                                        description: secret information about the
+                                          secret data to project
+                                        properties:
+                                          items:
+                                            description: |-
+                                              items if unspecified, each key-value pair in the Data field of the referenced
+                                              Secret will be projected into the volume as a file whose name is the
+                                              key and content is the value. If specified, the listed keys will be
+                                              projected into the specified paths, and unlisted keys will not be
+                                              present. If a key is specified which is not present in the Secret,
+                                              the volume setup will error unless it is marked optional. Paths must be
+                                              relative and may not contain the '..' path or start with '..'.
+                                            items:
+                                              description: Maps a string key to a
+                                                path within a volume.
+                                              properties:
+                                                key:
+                                                  description: key is the key to project.
+                                                  type: string
+                                                mode:
+                                                  description: |-
+                                                    mode is Optional: mode bits used to set permissions on this file.
+                                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: |-
+                                                    path is the relative path of the file to map the key to.
+                                                    May not be an absolute path.
+                                                    May not contain the path element '..'.
+                                                    May not start with the string '..'.
+                                                  type: string
+                                              required:
+                                              - key
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          name:
+                                            default: ""
+                                            description: |-
+                                              Name of the referent.
+                                              This field is effectively required, but due to backwards compatibility is
+                                              allowed to be empty. Instances of this type with an empty value here are
+                                              almost certainly wrong.
+                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                            type: string
+                                          optional:
+                                            description: optional field specify whether
+                                              the Secret or its key must be defined
+                                            type: boolean
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      serviceAccountToken:
+                                        description: serviceAccountToken is information
+                                          about the serviceAccountToken data to project
+                                        properties:
+                                          audience:
+                                            description: |-
+                                              audience is the intended audience of the token. A recipient of a token
+                                              must identify itself with an identifier specified in the audience of the
+                                              token, and otherwise should reject the token. The audience defaults to the
+                                              identifier of the apiserver.
+                                            type: string
+                                          expirationSeconds:
+                                            description: |-
+                                              expirationSeconds is the requested duration of validity of the service
+                                              account token. As the token approaches expiration, the kubelet volume
+                                              plugin will proactively rotate the service account token. The kubelet will
+                                              start trying to rotate the token if the token is older than 80 percent of
+                                              its time to live or if the token is older than 24 hours.Defaults to 1 hour
+                                              and must be at least 10 minutes.
+                                            format: int64
+                                            type: integer
+                                          path:
+                                            description: |-
+                                              path is the path relative to the mount point of the file to project the
+                                              token into.
+                                            type: string
+                                        required:
+                                        - path
+                                        type: object
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            quobyte:
+                              description: |-
+                                quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
+                              properties:
+                                group:
+                                  description: |-
+                                    group to map volume access to
+                                    Default is no group
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+                                    Defaults to false.
+                                  type: boolean
+                                registry:
+                                  description: |-
+                                    registry represents a single or multiple Quobyte Registry services
+                                    specified as a string as host:port pair (multiple entries are separated with commas)
+                                    which acts as the central registry for volumes
+                                  type: string
+                                tenant:
+                                  description: |-
+                                    tenant owning the given Quobyte volume in the Backend
+                                    Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+                                  type: string
+                                user:
+                                  description: |-
+                                    user to map volume access to
+                                    Defaults to serivceaccount user
+                                  type: string
+                                volume:
+                                  description: volume is a string that references
+                                    an already created Quobyte volume by name.
+                                  type: string
+                              required:
+                              - registry
+                              - volume
+                              type: object
+                            rbd:
+                              description: |-
+                                rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+                                  type: string
+                                image:
+                                  description: |-
+                                    image is the rados image name.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                keyring:
+                                  default: /etc/ceph/keyring
+                                  description: |-
+                                    keyring is the path to key ring for RBDUser.
+                                    Default is /etc/ceph/keyring.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                monitors:
+                                  description: |-
+                                    monitors is a collection of Ceph monitors.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                pool:
+                                  default: rbd
+                                  description: |-
+                                    pool is the rados pool name.
+                                    Default is rbd.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is name of the authentication secret for RBDUser. If provided
+                                    overrides keyring.
+                                    Default is nil.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                user:
+                                  default: admin
+                                  description: |-
+                                    user is the rados user name.
+                                    Default is admin.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                              required:
+                              - image
+                              - monitors
+                              type: object
+                            scaleIO:
+                              description: |-
+                                scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
+                              properties:
+                                fsType:
+                                  default: xfs
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs".
+                                    Default is "xfs".
+                                  type: string
+                                gateway:
+                                  description: gateway is the host address of the
+                                    ScaleIO API Gateway.
+                                  type: string
+                                protectionDomain:
+                                  description: protectionDomain is the name of the
+                                    ScaleIO Protection Domain for the configured storage.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef references to the secret for ScaleIO user and other
+                                    sensitive information. If this is not provided, Login operation will fail.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                sslEnabled:
+                                  description: sslEnabled Flag enable/disable SSL
+                                    communication with Gateway, default false
+                                  type: boolean
+                                storageMode:
+                                  default: ThinProvisioned
+                                  description: |-
+                                    storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+                                    Default is ThinProvisioned.
+                                  type: string
+                                storagePool:
+                                  description: storagePool is the ScaleIO Storage
+                                    Pool associated with the protection domain.
+                                  type: string
+                                system:
+                                  description: system is the name of the storage system
+                                    as configured in ScaleIO.
+                                  type: string
+                                volumeName:
+                                  description: |-
+                                    volumeName is the name of a volume already created in the ScaleIO system
+                                    that is associated with this volume source.
+                                  type: string
+                              required:
+                              - gateway
+                              - secretRef
+                              - system
+                              type: object
+                            secret:
+                              description: |-
+                                secret represents a secret that should populate this volume.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode is Optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values
+                                    for mode bits. Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: |-
+                                    items If unspecified, each key-value pair in the Data field of the referenced
+                                    Secret will be projected into the volume as a file whose name is the
+                                    key and content is the value. If specified, the listed keys will be
+                                    projected into the specified paths, and unlisted keys will not be
+                                    present. If a key is specified which is not present in the Secret,
+                                    the volume setup will error unless it is marked optional. Paths must be
+                                    relative and may not contain the '..' path or start with '..'.
+                                  items:
+                                    description: Maps a string key to a path within
+                                      a volume.
+                                    properties:
+                                      key:
+                                        description: key is the key to project.
+                                        type: string
+                                      mode:
+                                        description: |-
+                                          mode is Optional: mode bits used to set permissions on this file.
+                                          Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: |-
+                                          path is the relative path of the file to map the key to.
+                                          May not be an absolute path.
+                                          May not contain the path element '..'.
+                                          May not start with the string '..'.
+                                        type: string
+                                    required:
+                                    - key
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                optional:
+                                  description: optional field specify whether the
+                                    Secret or its keys must be defined
+                                  type: boolean
+                                secretName:
+                                  description: |-
+                                    secretName is the name of the secret in the pod's namespace to use.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+                                  type: string
+                              type: object
+                            storageos:
+                              description: |-
+                                storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef specifies the secret to use for obtaining the StorageOS API
+                                    credentials.  If not specified, default values will be attempted.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                volumeName:
+                                  description: |-
+                                    volumeName is the human-readable name of the StorageOS volume.  Volume
+                                    names are only unique within a namespace.
+                                  type: string
+                                volumeNamespace:
+                                  description: |-
+                                    volumeNamespace specifies the scope of the volume within StorageOS.  If no
+                                    namespace is specified then the Pod's namespace will be used.  This allows the
+                                    Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+                                    Set VolumeName to any name to override the default behaviour.
+                                    Set to "default" if you are not using namespaces within StorageOS.
+                                    Namespaces that do not pre-exist within StorageOS will be created.
+                                  type: string
+                              type: object
+                            vsphereVolume:
+                              description: |-
+                                vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                are redirected to the csi.vsphere.vmware.com CSI driver.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                storagePolicyID:
+                                  description: storagePolicyID is the storage Policy
+                                    Based Management (SPBM) profile ID associated
+                                    with the StoragePolicyName.
+                                  type: string
+                                storagePolicyName:
+                                  description: storagePolicyName is the storage Policy
+                                    Based Management (SPBM) profile name.
+                                  type: string
+                                volumePath:
+                                  description: volumePath is the path that identifies
+                                    vSphere volume vmdk
+                                  type: string
+                              required:
+                              - volumePath
+                              type: object
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      xdsAddress:
+                        description: The customized XDS address to retrieve configuration.
+                        type: string
+                    type: object
+                type: object
+              version:
+                default: v1.28.3
+                description: |-
+                  Defines the version of Istio to install.
+                  Must be one of: v1.28-latest, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a30ad733.
+                enum:
+                - v1.28-latest
+                - v1.28.3
+                - v1.28.2
+                - v1.28.1
+                - v1.28.0
+                - v1.27-latest
+                - v1.27.5
+                - v1.27.4
+                - v1.27.3
+                - v1.27.2
+                - v1.27.1
+                - v1.27.0
+                - v1.26-latest
+                - v1.26.8
+                - v1.26.7
+                - v1.26.6
+                - v1.26.5
+                - v1.26.4
+                - v1.26.3
+                - v1.26.2
+                - v1.26.1
+                - v1.26.0
+                - v1.25-latest
+                - v1.25.5
+                - v1.25.4
+                - v1.25.3
+                - v1.25.2
+                - v1.25.1
+                - v1.24-latest
+                - v1.24.6
+                - v1.24.5
+                - v1.24.4
+                - v1.24.3
+                - v1.24.2
+                - v1.24.1
+                - v1.24.0
+                - master
+                - v1.30-alpha.a30ad733
+                type: string
+            required:
+            - namespace
+            - version
+            type: object
+          status:
+            description: ZTunnelStatus defines the observed state of ZTunnel
+            properties:
+              conditions:
+                description: Represents the latest available observations of the object's
+                  current state.
+                items:
+                  description: ZTunnelCondition represents a specific observation
+                    of the ZTunnel object's state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        the last transition.
+                      type: string
+                    reason:
+                      description: Unique, single-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: The status of this condition. Can be True, False
+                        or Unknown.
+                      type: string
+                    type:
+                      description: The type of this condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the most recent generation observed for this
+                  ZTunnel object. It corresponds to the object's generation, which is
+                  updated on mutation by the API Server. The information in the status
+                  pertains to this particular generation of the object.
+                format: int64
+                type: integer
+              state:
+                description: Reports the current state of the object.
+                type: string
+            type: object
+        type: object
+        x-kubernetes-validations:
+        - message: metadata.name must be 'default'
+          rule: self.metadata.name == 'default'
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The namespace for the ztunnel component.
+      jsonPath: .spec.namespace
+      name: Namespace
+      type: string
+    - description: The selected profile (collection of value presets).
+      jsonPath: .spec.values.profile
+      name: Profile
+      type: string
+    - description: Whether the Istio ztunnel installation is ready to handle requests.
+      jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - description: The current state of this object.
+      jsonPath: .status.state
+      name: Status
+      type: string
+    - description: The version of the Istio ztunnel installation.
+      jsonPath: .spec.version
+      name: Version
+      type: string
+    - description: The age of the object
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    deprecated: true
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ZTunnel represents a deployment of the Istio ztunnel component.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            default:
+              namespace: ztunnel
+              profile: ambient
+              version: v1.28.3
+            description: ZTunnelSpec defines the desired state of ZTunnel
+            properties:
+              namespace:
+                default: ztunnel
+                description: Namespace to which the Istio ztunnel component should
+                  be installed.
+                type: string
+              profile:
+                default: ambient
+                description: |-
+                  The built-in installation configuration profile to use.
+                  The 'default' profile is 'ambient' and it is always applied.
+                  Must be one of: ambient, default, demo, empty, external, preview, remote, stable.
+                enum:
+                - ambient
+                - default
+                - demo
+                - empty
+                - external
+                - openshift-ambient
+                - openshift
+                - preview
+                - remote
+                - stable
+                type: string
+              values:
+                description: Defines the values to be passed to the Helm charts when
+                  installing Istio ztunnel.
+                properties:
+                  global:
+                    description: Part of the global configuration applicable to the
+                      Istio ztunnel component.
+                    properties:
+                      defaultResources:
+                        description: |-
+                          See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
+
+                          Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      hub:
+                        description: Specifies the docker hub for Istio images.
+                        type: string
+                      imagePullPolicy:
+                        description: |-
+                          Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent.
+                          Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
+
+                          More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+                        enum:
+                        - Always
+                        - Never
+                        - IfNotPresent
+                        type: string
+                      imagePullSecrets:
+                        description: |-
+                          ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace
+                          to use for pulling any images in pods that reference this ServiceAccount.
+                          Must be set for any cluster configured with private docker registry.
+                        items:
+                          type: string
+                        type: array
+                      logAsJson:
+                        description: Specifies whether istio components should output
+                          logs in json format by adding --log_as_json argument to
+                          each container.
+                        type: boolean
+                      logging:
+                        description: Specifies the global logging level settings for
+                          the Istio control plane components.
+                        properties:
+                          level:
+                            description: |-
+                              Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+                              The control plane has different scopes depending on component, but can configure default log level across all components
+                              If empty, default scope and level will be used as configured in code
+                            type: string
+                        type: object
+                      platform:
+                        description: |-
+                          Platform in which Istio is deployed. Possible values are: "openshift" and "gcp"
+                          An empty value means it is a vanilla Kubernetes distribution, therefore no special
+                          treatment will be considered.
+                        type: string
+                      tag:
+                        description: Specifies the tag for the Istio docker images.
+                        type: string
+                      variant:
+                        description: The variant of the Istio container images to
+                          use. Options are "debug" or "distroless". Unset will use
+                          the default for the given version.
+                        type: string
+                    type: object
+                  ztunnel:
+                    description: Configuration for the Istio ztunnel plugin.
+                    properties:
+                      Annotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations to apply to all top level resources
+                        type: object
+                      Labels:
+                        additionalProperties:
+                          type: string
+                        description: Labels to apply to all top level resources
+                        type: object
+                      affinity:
+                        description: K8s affinity to set on the ztunnel Pods. Can
+                          be used to exclude ztunnel from being scheduled on specified
+                          nodes.
+                        properties:
+                          nodeAffinity:
+                            description: Describes node affinity scheduling rules
+                              for the pod.
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node matches the corresponding matchExpressions; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: |-
+                                    An empty preferred scheduling term matches all objects with implicit weight 0
+                                    (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+                                  properties:
+                                    preference:
+                                      description: A node selector term, associated
+                                        with the corresponding weight.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    weight:
+                                      description: Weight associated with matching
+                                        the corresponding nodeSelectorTerm, in the
+                                        range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - preference
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to an update), the system
+                                  may or may not try to eventually evict the pod from its node.
+                                properties:
+                                  nodeSelectorTerms:
+                                    description: Required. A list of node selector
+                                      terms. The terms are ORed.
+                                    items:
+                                      description: |-
+                                        A null or empty node selector term matches no objects. The requirements of
+                                        them are ANDed.
+                                        The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+                                      properties:
+                                        matchExpressions:
+                                          description: A list of node selector requirements
+                                            by node's labels.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchFields:
+                                          description: A list of node selector requirements
+                                            by node's fields.
+                                          items:
+                                            description: |-
+                                              A node selector requirement is a selector that contains values, a key, and an operator
+                                              that relates the key and values.
+                                            properties:
+                                              key:
+                                                description: The label key that the
+                                                  selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  Represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  An array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. If the operator is Gt or Lt, the values
+                                                  array must have a single element, which will be interpreted as an integer.
+                                                  This array is replaced during a strategic merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - nodeSelectorTerms
+                                type: object
+                                x-kubernetes-map-type: atomic
+                            type: object
+                          podAffinity:
+                            description: Describes pod affinity scheduling rules (e.g.
+                              co-locate this pod in the same node, zone, etc. as some
+                              other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and adding
+                                  "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          podAntiAffinity:
+                            description: Describes pod anti-affinity scheduling rules
+                              (e.g. avoid putting this pod in the same node, zone,
+                              etc. as some other pod(s)).
+                            properties:
+                              preferredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  The scheduler will prefer to schedule pods to nodes that satisfy
+                                  the anti-affinity expressions specified by this field, but it may choose
+                                  a node that violates one or more of the expressions. The node that is
+                                  most preferred is the one with the greatest sum of weights, i.e.
+                                  for each node that meets all of the scheduling requirements (resource
+                                  request, requiredDuringScheduling anti-affinity expressions, etc.),
+                                  compute a sum by iterating through the elements of this field and subtracting
+                                  "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                  node(s) with the highest sum are the most preferred.
+                                items:
+                                  description: The weights of all of the matched WeightedPodAffinityTerm
+                                    fields are added per-node to find the most preferred
+                                    node(s)
+                                  properties:
+                                    podAffinityTerm:
+                                      description: Required. A pod affinity term,
+                                        associated with the corresponding weight.
+                                      properties:
+                                        labelSelector:
+                                          description: |-
+                                            A label query over a set of resources, in this case pods.
+                                            If it's null, this PodAffinityTerm matches with no Pods.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        matchLabelKeys:
+                                          description: |-
+                                            MatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        mismatchLabelKeys:
+                                          description: |-
+                                            MismatchLabelKeys is a set of pod label keys to select which pods will
+                                            be taken into consideration. The keys are used to lookup values from the
+                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                            to select the group of existing pods which pods will be taken into consideration
+                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                            pod labels will be ignored. The default value is empty.
+                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        namespaceSelector:
+                                          description: |-
+                                            A label query over the set of namespaces that the term applies to.
+                                            The term is applied to the union of the namespaces selected by this field
+                                            and the ones listed in the namespaces field.
+                                            null selector and null or empty namespaces list means "this pod's namespace".
+                                            An empty selector ({}) matches all namespaces.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        namespaces:
+                                          description: |-
+                                            namespaces specifies a static list of namespace names that the term applies to.
+                                            The term is applied to the union of the namespaces listed in this field
+                                            and the ones selected by namespaceSelector.
+                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        topologyKey:
+                                          description: |-
+                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                            whose value of the label with key topologyKey matches that of any node on which any of the
+                                            selected pods is running.
+                                            Empty topologyKey is not allowed.
+                                          type: string
+                                      required:
+                                      - topologyKey
+                                      type: object
+                                    weight:
+                                      description: |-
+                                        weight associated with matching the corresponding podAffinityTerm,
+                                        in the range 1-100.
+                                      format: int32
+                                      type: integer
+                                  required:
+                                  - podAffinityTerm
+                                  - weight
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              requiredDuringSchedulingIgnoredDuringExecution:
+                                description: |-
+                                  If the anti-affinity requirements specified by this field are not met at
+                                  scheduling time, the pod will not be scheduled onto the node.
+                                  If the anti-affinity requirements specified by this field cease to be met
+                                  at some point during pod execution (e.g. due to a pod label update), the
+                                  system may or may not try to eventually evict the pod from its node.
+                                  When there are multiple elements, the lists of nodes corresponding to each
+                                  podAffinityTerm are intersected, i.e. all terms must be satisfied.
+                                items:
+                                  description: |-
+                                    Defines a set of pods (namely those matching the labelSelector
+                                    relative to the given namespace(s)) that this pod should be
+                                    co-located (affinity) or not co-located (anti-affinity) with,
+                                    where co-located is defined as running on a node whose value of
+                                    the label with key <topologyKey> matches that of any node on which
+                                    a pod of the set of pods is running
+                                  properties:
+                                    labelSelector:
+                                      description: |-
+                                        A label query over a set of resources, in this case pods.
+                                        If it's null, this PodAffinityTerm matches with no Pods.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    matchLabelKeys:
+                                      description: |-
+                                        MatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+                                        Also, matchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    mismatchLabelKeys:
+                                      description: |-
+                                        MismatchLabelKeys is a set of pod label keys to select which pods will
+                                        be taken into consideration. The keys are used to lookup values from the
+                                        incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+                                        to select the group of existing pods which pods will be taken into consideration
+                                        for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+                                        pod labels will be ignored. The default value is empty.
+                                        The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+                                        Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    namespaceSelector:
+                                      description: |-
+                                        A label query over the set of namespaces that the term applies to.
+                                        The term is applied to the union of the namespaces selected by this field
+                                        and the ones listed in the namespaces field.
+                                        null selector and null or empty namespaces list means "this pod's namespace".
+                                        An empty selector ({}) matches all namespaces.
+                                      properties:
+                                        matchExpressions:
+                                          description: matchExpressions is a list
+                                            of label selector requirements. The requirements
+                                            are ANDed.
+                                          items:
+                                            description: |-
+                                              A label selector requirement is a selector that contains values, a key, and an operator that
+                                              relates the key and values.
+                                            properties:
+                                              key:
+                                                description: key is the label key
+                                                  that the selector applies to.
+                                                type: string
+                                              operator:
+                                                description: |-
+                                                  operator represents a key's relationship to a set of values.
+                                                  Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                type: string
+                                              values:
+                                                description: |-
+                                                  values is an array of string values. If the operator is In or NotIn,
+                                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                  the values array must be empty. This array is replaced during a strategic
+                                                  merge patch.
+                                                items:
+                                                  type: string
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                            required:
+                                            - key
+                                            - operator
+                                            type: object
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        matchLabels:
+                                          additionalProperties:
+                                            type: string
+                                          description: |-
+                                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                          type: object
+                                      type: object
+                                      x-kubernetes-map-type: atomic
+                                    namespaces:
+                                      description: |-
+                                        namespaces specifies a static list of namespace names that the term applies to.
+                                        The term is applied to the union of the namespaces listed in this field
+                                        and the ones selected by namespaceSelector.
+                                        null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+                                      items:
+                                        type: string
+                                      type: array
+                                      x-kubernetes-list-type: atomic
+                                    topologyKey:
+                                      description: |-
+                                        This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+                                        the labelSelector in the specified namespaces, where co-located is defined as running on a node
+                                        whose value of the label with key topologyKey matches that of any node on which any of the
+                                        selected pods is running.
+                                        Empty topologyKey is not allowed.
+                                      type: string
+                                  required:
+                                  - topologyKey
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                        type: object
+                      caAddress:
+                        description: The address of the CA for CSR.
+                        type: string
+                      env:
+                        additionalProperties:
+                          type: string
+                        description: 'A `key: value` mapping of environment variables
+                          to add to the pod'
+                        type: object
+                      hub:
+                        description: Hub to pull the container image from. Image will
+                          be `Hub/Image:Tag-Variant`.
+                        type: string
+                      image:
+                        description: |-
+                          Image name to pull from. Image will be `Hub/Image:Tag-Variant`.
+                          If Image contains a "/", it will replace the entire `image` in the pod.
+                        type: string
+                      imagePullPolicy:
+                        description: |-
+                          Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent.
+                          Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
+
+                          More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+                        enum:
+                        - Always
+                        - Never
+                        - IfNotPresent
+                        type: string
+                      imagePullSecrets:
+                        description: |-
+                          List of secret names to add to the service account as image pull secrets
+                          to use for pulling any images in pods that reference this ServiceAccount.
+                          Must be set for any cluster configured with private docker registry.
+                        items:
+                          type: string
+                        type: array
+                      istioNamespace:
+                        description: Specifies the default namespace for the Istio
+                          control plane components.
+                        type: string
+                      logAsJson:
+                        description: Specifies whether istio components should output
+                          logs in json format by adding --log_as_json argument to
+                          each container.
+                        type: boolean
+                      logLevel:
+                        default: info
+                        description: 'Configuration log level of ztunnel binary, default
+                          is info. Valid values are: trace, debug, info, warn, error.'
+                        enum:
+                        - trace
+                        - debug
+                        - info
+                        - warn
+                        - error
+                        type: string
+                      multiCluster:
+                        description: |-
+                          Settings for multicluster.
+                          The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+                          with Istiod configuration.
+                        properties:
+                          clusterName:
+                            description: |-
+                              The name of the cluster this installation will run in. This is required for sidecar injection
+                              to properly label proxies
+                            type: string
+                          enabled:
+                            description: |-
+                              Enables the connection between two kubernetes clusters via their respective ingressgateway services.
+                              Use if the pods in each cluster cannot directly talk to one another.
+                            type: boolean
+                          globalDomainSuffix:
+                            description: The suffix for global service names.
+                            type: string
+                          includeEnvoyFilter:
+                            description: Enable envoy filter to translate `globalDomainSuffix`
+                              to cluster local suffix for cross cluster communication.
+                            type: boolean
+                        type: object
+                      network:
+                        description: defines the network this cluster belong to. This
+                          name corresponds to the networks in the map of mesh networks.
+                        type: string
+                      nodeSelector:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          K8s node selector settings.
+
+                          See https://kubernetes.io/docs/user-guide/node-selection/
+                        type: object
+                      podAnnotations:
+                        additionalProperties:
+                          type: string
+                        description: Annotations added to each pod. The default annotations
+                          are required for scraping prometheus (in most environments).
+                        type: object
+                      podLabels:
+                        additionalProperties:
+                          type: string
+                        description: Additional labels to apply on the pod level.
+                        type: object
+                      resourceName:
+                        description: |-
+                          resourceName, if set, will override the naming of resources. If not set, will default to the release name.
+                          It is recommended to not set this; this is primarily for backwards compatibility.
+                        type: string
+                      resourceQuotas:
+                        description: The resource quotas configuration for ztunnel
+                        properties:
+                          enabled:
+                            description: Controls whether to create resource quotas
+                              or not for the CNI DaemonSet.
+                            type: boolean
+                          pods:
+                            description: The hard limit on the number of pods in the
+                              namespace where the CNI DaemonSet is deployed.
+                            format: int64
+                            type: integer
+                        type: object
+                      resources:
+                        description: The k8s resource requests and limits for the
+                          ztunnel Pods.
+                        properties:
+                          claims:
+                            description: |-
+                              Claims lists the names of resources, defined in spec.resourceClaims,
+                              that are used by this container.
+
+                              This field depends on the
+                              DynamicResourceAllocation feature gate.
+
+                              This field is immutable. It can only be set for containers.
+                            items:
+                              description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                              properties:
+                                name:
+                                  description: |-
+                                    Name must match the name of one entry in pod.spec.resourceClaims of
+                                    the Pod where this field is used. It makes that resource available
+                                    inside a container.
+                                  type: string
+                                request:
+                                  description: |-
+                                    Request is the name chosen for a request in the referenced claim.
+                                    If empty, everything from the claim is made available, otherwise
+                                    only the result of this request.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
+                            x-kubernetes-list-map-keys:
+                            - name
+                            x-kubernetes-list-type: map
+                          limits:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Limits describes the maximum amount of compute resources allowed.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                          requests:
+                            additionalProperties:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                              x-kubernetes-int-or-string: true
+                            description: |-
+                              Requests describes the minimum amount of compute resources required.
+                              If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                              otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                            type: object
+                        type: object
+                      revision:
+                        description: Configures the revision this control plane is
+                          a part of
+                        type: string
+                      seLinuxOptions:
+                        description: Set seLinux options for the ztunnel pod
+                        properties:
+                          level:
+                            description: Level is SELinux level label that applies
+                              to the container.
+                            type: string
+                          role:
+                            description: Role is a SELinux role label that applies
+                              to the container.
+                            type: string
+                          type:
+                            description: Type is a SELinux type label that applies
+                              to the container.
+                            type: string
+                          user:
+                            description: User is a SELinux user label that applies
+                              to the container.
+                            type: string
+                        type: object
+                      tag:
+                        description: The container image tag to pull. Image will be
+                          `Hub/Image:Tag-Variant`.
+                        type: string
+                      terminationGracePeriodSeconds:
+                        default: 30
+                        description: |-
+                          This value defines:
+                          1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+                          2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+                        format: int64
+                        minimum: 0
+                        type: integer
+                      tolerations:
+                        description: Tolerations for the ztunnel pod
+                        items:
+                          description: |-
+                            The pod this Toleration is attached to tolerates any taint that matches
+                            the triple <key,value,effect> using the matching operator <operator>.
+                          properties:
+                            effect:
+                              description: |-
+                                Effect indicates the taint effect to match. Empty means match all taint effects.
+                                When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                              type: string
+                            key:
+                              description: |-
+                                Key is the taint key that the toleration applies to. Empty means match all taint keys.
+                                If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                              type: string
+                            operator:
+                              description: |-
+                                Operator represents a key's relationship to the value.
+                                Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+                                Exists is equivalent to wildcard for value, so that a pod can
+                                tolerate all taints of a particular category.
+                                Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+                              type: string
+                            tolerationSeconds:
+                              description: |-
+                                TolerationSeconds represents the period of time the toleration (which must be
+                                of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+                                it is not set, which means tolerate the taint forever (do not evict). Zero and
+                                negative values will be treated as 0 (evict immediately) by the system.
+                              format: int64
+                              type: integer
+                            value:
+                              description: |-
+                                Value is the taint value the toleration matches to.
+                                If the operator is Exists, the value should be empty, otherwise just a regular string.
+                              type: string
+                          type: object
+                        type: array
+                      updateStrategy:
+                        description: Defines the update strategy to use when the version
+                          in the Ztunnel CR is updated.
+                        properties:
+                          rollingUpdate:
+                            description: Rolling update config params. Present only
+                              if type = "RollingUpdate".
+                            properties:
+                              maxSurge:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  The maximum number of nodes with an existing available DaemonSet pod that
+                                  can have an updated DaemonSet pod during during an update.
+                                  Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+                                  This can not be 0 if MaxUnavailable is 0.
+                                  Absolute number is calculated from percentage by rounding up to a minimum of 1.
+                                  Default value is 0.
+                                  Example: when this is set to 30%, at most 30% of the total number of nodes
+                                  that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+                                  can have their a new pod created before the old pod is marked as deleted.
+                                  The update starts by launching new pods on 30% of nodes. Once an updated
+                                  pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+                                  on that node is marked deleted. If the old pod becomes unavailable for any
+                                  reason (Ready transitions to false, is evicted, or is drained) an updated
+                                  pod is immediately created on that node without considering surge limits.
+                                  Allowing surge implies the possibility that the resources consumed by the
+                                  daemonset on any given node can double if the readiness check fails, and
+                                  so resource intensive daemonsets should take into account that they may
+                                  cause evictions during disruption.
+                                x-kubernetes-int-or-string: true
+                              maxUnavailable:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  The maximum number of DaemonSet pods that can be unavailable during the
+                                  update. Value can be an absolute number (ex: 5) or a percentage of total
+                                  number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+                                  number is calculated from percentage by rounding up.
+                                  This cannot be 0 if MaxSurge is 0
+                                  Default value is 1.
+                                  Example: when this is set to 30%, at most 30% of the total number of nodes
+                                  that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+                                  can have their pods stopped for an update at any given time. The update
+                                  starts by stopping at most 30% of those DaemonSet pods and then brings
+                                  up new DaemonSet pods in their place. Once the new pods are available,
+                                  it then proceeds onto other DaemonSet pods, thus ensuring that at least
+                                  70% of original number of DaemonSet pods are available at all times during
+                                  the update.
+                                x-kubernetes-int-or-string: true
+                            type: object
+                          type:
+                            description: Type of daemon set update. Can be "RollingUpdate"
+                              or "OnDelete". Default is RollingUpdate.
+                            type: string
+                        type: object
+                      variant:
+                        description: The container image variant to pull. Options
+                          are "debug" or "distroless". Unset will use the default
+                          for the given version.
+                        type: string
+                      volumeMounts:
+                        description: Additional volumeMounts to the ztunnel container
+                        items:
+                          description: VolumeMount describes a mounting of a Volume
+                            within a container.
+                          properties:
+                            mountPath:
+                              description: |-
+                                Path within the container at which the volume should be mounted.  Must
+                                not contain ':'.
+                              type: string
+                            mountPropagation:
+                              description: |-
+                                mountPropagation determines how mounts are propagated from the host
+                                to container and the other way around.
+                                When not set, MountPropagationNone is used.
+                                This field is beta in 1.10.
+                                When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                                (which defaults to None).
+                              type: string
+                            name:
+                              description: This must match the Name of a Volume.
+                              type: string
+                            readOnly:
+                              description: |-
+                                Mounted read-only if true, read-write otherwise (false or unspecified).
+                                Defaults to false.
+                              type: boolean
+                            recursiveReadOnly:
+                              description: |-
+                                RecursiveReadOnly specifies whether read-only mounts should be handled
+                                recursively.
+
+                                If ReadOnly is false, this field has no meaning and must be unspecified.
+
+                                If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                                recursively read-only.  If this field is set to IfPossible, the mount is made
+                                recursively read-only, if it is supported by the container runtime.  If this
+                                field is set to Enabled, the mount is made recursively read-only if it is
+                                supported by the container runtime, otherwise the pod will not be started and
+                                an error will be generated to indicate the reason.
+
+                                If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                                None (or be unspecified, which defaults to None).
+
+                                If this field is not specified, it is treated as an equivalent of Disabled.
+                              type: string
+                            subPath:
+                              description: |-
+                                Path within the volume from which the container's volume should be mounted.
+                                Defaults to "" (volume's root).
+                              type: string
+                            subPathExpr:
+                              description: |-
+                                Expanded path within the volume from which the container's volume should be mounted.
+                                Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+                                Defaults to "" (volume's root).
+                                SubPathExpr and SubPath are mutually exclusive.
+                              type: string
+                          required:
+                          - mountPath
+                          - name
+                          type: object
+                        type: array
+                      volumes:
+                        description: Additional volumes to add to the ztunnel Pod.
+                        items:
+                          description: Volume represents a named volume in a pod that
+                            may be accessed by any container in the pod.
+                          properties:
+                            awsElasticBlockStore:
+                              description: |-
+                                awsElasticBlockStore represents an AWS Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+                                awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: string
+                                partition:
+                                  description: |-
+                                    partition is the partition in the volume that you want to mount.
+                                    If omitted, the default is to mount by volume name.
+                                    Examples: For volume /dev/sda1, you specify the partition as "1".
+                                    Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+                                  format: int32
+                                  type: integer
+                                readOnly:
+                                  description: |-
+                                    readOnly value true will force the readOnly setting in VolumeMounts.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: boolean
+                                volumeID:
+                                  description: |-
+                                    volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            azureDisk:
+                              description: |-
+                                azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+                                Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+                                are redirected to the disk.csi.azure.com CSI driver.
+                              properties:
+                                cachingMode:
+                                  description: 'cachingMode is the Host Caching mode:
+                                    None, Read Only, Read Write.'
+                                  type: string
+                                diskName:
+                                  description: diskName is the Name of the data disk
+                                    in the blob storage
+                                  type: string
+                                diskURI:
+                                  description: diskURI is the URI of data disk in
+                                    the blob storage
+                                  type: string
+                                fsType:
+                                  default: ext4
+                                  description: |-
+                                    fsType is Filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                kind:
+                                  description: 'kind expected values are Shared: multiple
+                                    blob disks per storage account  Dedicated: single
+                                    blob disk per storage account  Managed: azure
+                                    managed data disk (only in managed availability
+                                    set). defaults to shared'
+                                  type: string
+                                readOnly:
+                                  default: false
+                                  description: |-
+                                    readOnly Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                              required:
+                              - diskName
+                              - diskURI
+                              type: object
+                            azureFile:
+                              description: |-
+                                azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+                                Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+                                are redirected to the file.csi.azure.com CSI driver.
+                              properties:
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretName:
+                                  description: secretName is the  name of secret that
+                                    contains Azure Storage Account Name and Key
+                                  type: string
+                                shareName:
+                                  description: shareName is the azure share Name
+                                  type: string
+                              required:
+                              - secretName
+                              - shareName
+                              type: object
+                            cephfs:
+                              description: |-
+                                cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+                                Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
+                              properties:
+                                monitors:
+                                  description: |-
+                                    monitors is Required: Monitors is a collection of Ceph monitors
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                path:
+                                  description: 'path is Optional: Used as the mounted
+                                    root, rather than the full Ceph tree, default
+                                    is /'
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: boolean
+                                secretFile:
+                                  description: |-
+                                    secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: string
+                                secretRef:
+                                  description: |-
+                                    secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                user:
+                                  description: |-
+                                    user is optional: User is the rados user name, default is admin
+                                    More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+                                  type: string
+                              required:
+                              - monitors
+                              type: object
+                            cinder:
+                              description: |-
+                                cinder represents a cinder volume attached and mounted on kubelets host machine.
+                                Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+                                are redirected to the cinder.csi.openstack.org CSI driver.
+                                More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is optional: points to a secret object containing parameters used to connect
+                                    to OpenStack.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                volumeID:
+                                  description: |-
+                                    volumeID used to identify the volume in cinder.
+                                    More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            configMap:
+                              description: configMap represents a configMap that should
+                                populate this volume
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode is optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: |-
+                                    items if unspecified, each key-value pair in the Data field of the referenced
+                                    ConfigMap will be projected into the volume as a file whose name is the
+                                    key and content is the value. If specified, the listed keys will be
+                                    projected into the specified paths, and unlisted keys will not be
+                                    present. If a key is specified which is not present in the ConfigMap,
+                                    the volume setup will error unless it is marked optional. Paths must be
+                                    relative and may not contain the '..' path or start with '..'.
+                                  items:
+                                    description: Maps a string key to a path within
+                                      a volume.
+                                    properties:
+                                      key:
+                                        description: key is the key to project.
+                                        type: string
+                                      mode:
+                                        description: |-
+                                          mode is Optional: mode bits used to set permissions on this file.
+                                          Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: |-
+                                          path is the relative path of the file to map the key to.
+                                          May not be an absolute path.
+                                          May not contain the path element '..'.
+                                          May not start with the string '..'.
+                                        type: string
+                                    required:
+                                    - key
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                name:
+                                  default: ""
+                                  description: |-
+                                    Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                  type: string
+                                optional:
+                                  description: optional specify whether the ConfigMap
+                                    or its keys must be defined
+                                  type: boolean
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            csi:
+                              description: csi (Container Storage Interface) represents
+                                ephemeral storage that is handled by certain external
+                                CSI drivers.
+                              properties:
+                                driver:
+                                  description: |-
+                                    driver is the name of the CSI driver that handles this volume.
+                                    Consult with your admin for the correct name as registered in the cluster.
+                                  type: string
+                                fsType:
+                                  description: |-
+                                    fsType to mount. Ex. "ext4", "xfs", "ntfs".
+                                    If not provided, the empty value is passed to the associated CSI driver
+                                    which will determine the default filesystem to apply.
+                                  type: string
+                                nodePublishSecretRef:
+                                  description: |-
+                                    nodePublishSecretRef is a reference to the secret object containing
+                                    sensitive information to pass to the CSI driver to complete the CSI
+                                    NodePublishVolume and NodeUnpublishVolume calls.
+                                    This field is optional, and  may be empty if no secret is required. If the
+                                    secret object contains more than one secret, all secret references are passed.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                readOnly:
+                                  description: |-
+                                    readOnly specifies a read-only configuration for the volume.
+                                    Defaults to false (read/write).
+                                  type: boolean
+                                volumeAttributes:
+                                  additionalProperties:
+                                    type: string
+                                  description: |-
+                                    volumeAttributes stores driver-specific properties that are passed to the CSI
+                                    driver. Consult your driver's documentation for supported values.
+                                  type: object
+                              required:
+                              - driver
+                              type: object
+                            downwardAPI:
+                              description: downwardAPI represents downward API about
+                                the pod that should populate this volume
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    Optional: mode bits to use on created files by default. Must be a
+                                    Optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: Items is a list of downward API volume
+                                    file
+                                  items:
+                                    description: DownwardAPIVolumeFile represents
+                                      information to create the file containing the
+                                      pod field
+                                    properties:
+                                      fieldRef:
+                                        description: 'Required: Selects a field of
+                                          the pod: only annotations, labels, name,
+                                          namespace and uid are supported.'
+                                        properties:
+                                          apiVersion:
+                                            description: Version of the schema the
+                                              FieldPath is written in terms of, defaults
+                                              to "v1".
+                                            type: string
+                                          fieldPath:
+                                            description: Path of the field to select
+                                              in the specified API version.
+                                            type: string
+                                        required:
+                                        - fieldPath
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      mode:
+                                        description: |-
+                                          Optional: mode bits used to set permissions on this file, must be an octal value
+                                          between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: 'Required: Path is  the relative
+                                          path name of the file to be created. Must
+                                          not be absolute or contain the ''..'' path.
+                                          Must be utf-8 encoded. The first item of
+                                          the relative path must not start with ''..'''
+                                        type: string
+                                      resourceFieldRef:
+                                        description: |-
+                                          Selects a resource of the container: only resources limits and requests
+                                          (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+                                        properties:
+                                          containerName:
+                                            description: 'Container name: required
+                                              for volumes, optional for env vars'
+                                            type: string
+                                          divisor:
+                                            anyOf:
+                                            - type: integer
+                                            - type: string
+                                            description: Specifies the output format
+                                              of the exposed resources, defaults to
+                                              "1"
+                                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                            x-kubernetes-int-or-string: true
+                                          resource:
+                                            description: 'Required: resource to select'
+                                            type: string
+                                        required:
+                                        - resource
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                    required:
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            emptyDir:
+                              description: |-
+                                emptyDir represents a temporary directory that shares a pod's lifetime.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                              properties:
+                                medium:
+                                  description: |-
+                                    medium represents what type of storage medium should back this directory.
+                                    The default is "" which means to use the node's default medium.
+                                    Must be an empty string (default) or Memory.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                                  type: string
+                                sizeLimit:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  description: |-
+                                    sizeLimit is the total amount of local storage required for this EmptyDir volume.
+                                    The size limit is also applicable for memory medium.
+                                    The maximum usage on memory medium EmptyDir would be the minimum value between
+                                    the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+                                    The default is nil which means that the limit is undefined.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                              type: object
+                            ephemeral:
+                              description: |-
+                                ephemeral represents a volume that is handled by a cluster storage driver.
+                                The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+                                and deleted when the pod is removed.
+
+                                Use this if:
+                                a) the volume is only needed while the pod runs,
+                                b) features of normal volumes like restoring from snapshot or capacity
+                                   tracking are needed,
+                                c) the storage driver is specified through a storage class, and
+                                d) the storage driver supports dynamic volume provisioning through
+                                   a PersistentVolumeClaim (see EphemeralVolumeSource for more
+                                   information on the connection between this volume type
+                                   and PersistentVolumeClaim).
+
+                                Use PersistentVolumeClaim or one of the vendor-specific
+                                APIs for volumes that persist for longer than the lifecycle
+                                of an individual pod.
+
+                                Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+                                be used that way - see the documentation of the driver for
+                                more information.
+
+                                A pod can use both types of ephemeral volumes and
+                                persistent volumes at the same time.
+                              properties:
+                                volumeClaimTemplate:
+                                  description: |-
+                                    Will be used to create a stand-alone PVC to provision the volume.
+                                    The pod in which this EphemeralVolumeSource is embedded will be the
+                                    owner of the PVC, i.e. the PVC will be deleted together with the
+                                    pod.  The name of the PVC will be `<pod name>-<volume name>` where
+                                    `<volume name>` is the name from the `PodSpec.Volumes` array
+                                    entry. Pod validation will reject the pod if the concatenated name
+                                    is not valid for a PVC (for example, too long).
+
+                                    An existing PVC with that name that is not owned by the pod
+                                    will *not* be used for the pod to avoid using an unrelated
+                                    volume by mistake. Starting the pod is then blocked until
+                                    the unrelated PVC is removed. If such a pre-created PVC is
+                                    meant to be used by the pod, the PVC has to updated with an
+                                    owner reference to the pod once the pod exists. Normally
+                                    this should not be necessary, but it may be useful when
+                                    manually reconstructing a broken cluster.
+
+                                    This field is read-only and no changes will be made by Kubernetes
+                                    to the PVC after it has been created.
+
+                                    Required, must not be nil.
+                                  properties:
+                                    metadata:
+                                      description: |-
+                                        May contain labels and annotations that will be copied into the PVC
+                                        when creating it. No other fields are allowed and will be rejected during
+                                        validation.
+                                      type: object
+                                    spec:
+                                      description: |-
+                                        The specification for the PersistentVolumeClaim. The entire content is
+                                        copied unchanged into the PVC that gets created from this
+                                        template. The same fields as in a PersistentVolumeClaim
+                                        are also valid here.
+                                      properties:
+                                        accessModes:
+                                          description: |-
+                                            accessModes contains the desired access modes the volume should have.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                        dataSource:
+                                          description: |-
+                                            dataSource field can be used to specify either:
+                                            * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+                                            * An existing PVC (PersistentVolumeClaim)
+                                            If the provisioner or an external controller can support the specified data source,
+                                            it will create a new volume based on the contents of the specified data source.
+                                            When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+                                            and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+                                            If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+                                          properties:
+                                            apiGroup:
+                                              description: |-
+                                                APIGroup is the group for the resource being referenced.
+                                                If APIGroup is not specified, the specified Kind must be in the core API group.
+                                                For any other third-party types, APIGroup is required.
+                                              type: string
+                                            kind:
+                                              description: Kind is the type of resource
+                                                being referenced
+                                              type: string
+                                            name:
+                                              description: Name is the name of resource
+                                                being referenced
+                                              type: string
+                                          required:
+                                          - kind
+                                          - name
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        dataSourceRef:
+                                          description: |-
+                                            dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+                                            volume is desired. This may be any object from a non-empty API group (non
+                                            core object) or a PersistentVolumeClaim object.
+                                            When this field is specified, volume binding will only succeed if the type of
+                                            the specified object matches some installed volume populator or dynamic
+                                            provisioner.
+                                            This field will replace the functionality of the dataSource field and as such
+                                            if both fields are non-empty, they must have the same value. For backwards
+                                            compatibility, when namespace isn't specified in dataSourceRef,
+                                            both fields (dataSource and dataSourceRef) will be set to the same
+                                            value automatically if one of them is empty and the other is non-empty.
+                                            When namespace is specified in dataSourceRef,
+                                            dataSource isn't set to the same value and must be empty.
+                                            There are three important differences between dataSource and dataSourceRef:
+                                            * While dataSource only allows two specific types of objects, dataSourceRef
+                                              allows any non-core object, as well as PersistentVolumeClaim objects.
+                                            * While dataSource ignores disallowed values (dropping them), dataSourceRef
+                                              preserves all values, and generates an error if a disallowed value is
+                                              specified.
+                                            * While dataSource only allows local objects, dataSourceRef allows objects
+                                              in any namespaces.
+                                            (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+                                            (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+                                          properties:
+                                            apiGroup:
+                                              description: |-
+                                                APIGroup is the group for the resource being referenced.
+                                                If APIGroup is not specified, the specified Kind must be in the core API group.
+                                                For any other third-party types, APIGroup is required.
+                                              type: string
+                                            kind:
+                                              description: Kind is the type of resource
+                                                being referenced
+                                              type: string
+                                            name:
+                                              description: Name is the name of resource
+                                                being referenced
+                                              type: string
+                                            namespace:
+                                              description: |-
+                                                Namespace is the namespace of resource being referenced
+                                                Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+                                                (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+                                              type: string
+                                          required:
+                                          - kind
+                                          - name
+                                          type: object
+                                        resources:
+                                          description: |-
+                                            resources represents the minimum resources the volume should have.
+                                            Users are allowed to specify resource requirements
+                                            that are lower than previous value but must still be higher than capacity recorded in the
+                                            status field of the claim.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+                                          properties:
+                                            limits:
+                                              additionalProperties:
+                                                anyOf:
+                                                - type: integer
+                                                - type: string
+                                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                x-kubernetes-int-or-string: true
+                                              description: |-
+                                                Limits describes the maximum amount of compute resources allowed.
+                                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                              type: object
+                                            requests:
+                                              additionalProperties:
+                                                anyOf:
+                                                - type: integer
+                                                - type: string
+                                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                x-kubernetes-int-or-string: true
+                                              description: |-
+                                                Requests describes the minimum amount of compute resources required.
+                                                If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                                                otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                                                More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                                              type: object
+                                          type: object
+                                        selector:
+                                          description: selector is a label query over
+                                            volumes to consider for binding.
+                                          properties:
+                                            matchExpressions:
+                                              description: matchExpressions is a list
+                                                of label selector requirements. The
+                                                requirements are ANDed.
+                                              items:
+                                                description: |-
+                                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                                  relates the key and values.
+                                                properties:
+                                                  key:
+                                                    description: key is the label
+                                                      key that the selector applies
+                                                      to.
+                                                    type: string
+                                                  operator:
+                                                    description: |-
+                                                      operator represents a key's relationship to a set of values.
+                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                    type: string
+                                                  values:
+                                                    description: |-
+                                                      values is an array of string values. If the operator is In or NotIn,
+                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                      the values array must be empty. This array is replaced during a strategic
+                                                      merge patch.
+                                                    items:
+                                                      type: string
+                                                    type: array
+                                                    x-kubernetes-list-type: atomic
+                                                required:
+                                                - key
+                                                - operator
+                                                type: object
+                                              type: array
+                                              x-kubernetes-list-type: atomic
+                                            matchLabels:
+                                              additionalProperties:
+                                                type: string
+                                              description: |-
+                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                              type: object
+                                          type: object
+                                          x-kubernetes-map-type: atomic
+                                        storageClassName:
+                                          description: |-
+                                            storageClassName is the name of the StorageClass required by the claim.
+                                            More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+                                          type: string
+                                        volumeAttributesClassName:
+                                          description: |-
+                                            volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+                                            If specified, the CSI driver will create or update the volume with the attributes defined
+                                            in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+                                            it can be changed after the claim is created. An empty string or nil value indicates that no
+                                            VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+                                            this field can be reset to its previous value (including nil) to cancel the modification.
+                                            If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+                                            set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+                                            exists.
+                                            More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+                                          type: string
+                                        volumeMode:
+                                          description: |-
+                                            volumeMode defines what type of volume is required by the claim.
+                                            Value of Filesystem is implied when not included in claim spec.
+                                          type: string
+                                        volumeName:
+                                          description: volumeName is the binding reference
+                                            to the PersistentVolume backing this claim.
+                                          type: string
+                                      type: object
+                                  required:
+                                  - spec
+                                  type: object
+                              type: object
+                            fc:
+                              description: fc represents a Fibre Channel resource
+                                that is attached to a kubelet's host machine and then
+                                exposed to the pod.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                lun:
+                                  description: 'lun is Optional: FC target lun number'
+                                  format: int32
+                                  type: integer
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                targetWWNs:
+                                  description: 'targetWWNs is Optional: FC target
+                                    worldwide names (WWNs)'
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                wwids:
+                                  description: |-
+                                    wwids Optional: FC volume world wide identifiers (wwids)
+                                    Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            flexVolume:
+                              description: |-
+                                flexVolume represents a generic volume resource that is
+                                provisioned/attached using an exec based plugin.
+                                Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
+                              properties:
+                                driver:
+                                  description: driver is the name of the driver to
+                                    use for this volume.
+                                  type: string
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+                                  type: string
+                                options:
+                                  additionalProperties:
+                                    type: string
+                                  description: 'options is Optional: this field holds
+                                    extra command options if any.'
+                                  type: object
+                                readOnly:
+                                  description: |-
+                                    readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is Optional: secretRef is reference to the secret object containing
+                                    sensitive information to pass to the plugin scripts. This may be
+                                    empty if no secret object is specified. If the secret object
+                                    contains more than one secret, all secrets are passed to the plugin
+                                    scripts.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                              required:
+                              - driver
+                              type: object
+                            flocker:
+                              description: |-
+                                flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+                                Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
+                              properties:
+                                datasetName:
+                                  description: |-
+                                    datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+                                    should be considered as deprecated
+                                  type: string
+                                datasetUUID:
+                                  description: datasetUUID is the UUID of the dataset.
+                                    This is unique identifier of a Flocker dataset
+                                  type: string
+                              type: object
+                            gcePersistentDisk:
+                              description: |-
+                                gcePersistentDisk represents a GCE Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+                                gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: string
+                                partition:
+                                  description: |-
+                                    partition is the partition in the volume that you want to mount.
+                                    If omitted, the default is to mount by volume name.
+                                    Examples: For volume /dev/sda1, you specify the partition as "1".
+                                    Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  format: int32
+                                  type: integer
+                                pdName:
+                                  description: |-
+                                    pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+                                  type: boolean
+                              required:
+                              - pdName
+                              type: object
+                            gitRepo:
+                              description: |-
+                                gitRepo represents a git repository at a particular revision.
+                                Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
+                                EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+                                into the Pod's container.
+                              properties:
+                                directory:
+                                  description: |-
+                                    directory is the target directory name.
+                                    Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
+                                    git repository.  Otherwise, if specified, the volume will contain the git repository in
+                                    the subdirectory with the given name.
+                                  type: string
+                                repository:
+                                  description: repository is the URL
+                                  type: string
+                                revision:
+                                  description: revision is the commit hash for the
+                                    specified revision.
+                                  type: string
+                              required:
+                              - repository
+                              type: object
+                            glusterfs:
+                              description: |-
+                                glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+                                Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
+                              properties:
+                                endpoints:
+                                  description: endpoints is the endpoint name that
+                                    details Glusterfs topology.
+                                  type: string
+                                path:
+                                  description: |-
+                                    path is the Glusterfs volume path.
+                                    More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+                                    Defaults to false.
+                                    More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+                                  type: boolean
+                              required:
+                              - endpoints
+                              - path
+                              type: object
+                            hostPath:
+                              description: |-
+                                hostPath represents a pre-existing file or directory on the host
+                                machine that is directly exposed to the container. This is generally
+                                used for system agents or other privileged things that are allowed
+                                to see the host machine. Most containers will NOT need this.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                              properties:
+                                path:
+                                  description: |-
+                                    path of the directory on the host.
+                                    If the path is a symlink, it will follow the link to the real path.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                                  type: string
+                                type:
+                                  description: |-
+                                    type for HostPath Volume
+                                    Defaults to ""
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+                                  type: string
+                              required:
+                              - path
+                              type: object
+                            image:
+                              description: |-
+                                image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+                                The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+                                - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+                                The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+                                A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+                                The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+                                The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+                                The volume will be mounted read-only (ro) and non-executable files (noexec).
+                                Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
+                                The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+                              properties:
+                                pullPolicy:
+                                  description: |-
+                                    Policy for pulling OCI objects. Possible values are:
+                                    Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                    Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                    IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                    Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                                  type: string
+                                reference:
+                                  description: |-
+                                    Required: Image or artifact reference to be used.
+                                    Behaves in the same way as pod.spec.containers[*].image.
+                                    Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                    More info: https://kubernetes.io/docs/concepts/containers/images
+                                    This field is optional to allow higher level config management to default or override
+                                    container images in workload controllers like Deployments and StatefulSets.
+                                  type: string
+                              type: object
+                            iscsi:
+                              description: |-
+                                iscsi represents an ISCSI Disk resource that is attached to a
+                                kubelet's host machine and then exposed to the pod.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
+                              properties:
+                                chapAuthDiscovery:
+                                  description: chapAuthDiscovery defines whether support
+                                    iSCSI Discovery CHAP authentication
+                                  type: boolean
+                                chapAuthSession:
+                                  description: chapAuthSession defines whether support
+                                    iSCSI Session CHAP authentication
+                                  type: boolean
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+                                  type: string
+                                initiatorName:
+                                  description: |-
+                                    initiatorName is the custom iSCSI Initiator Name.
+                                    If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+                                    <target portal>:<volume name> will be created for the connection.
+                                  type: string
+                                iqn:
+                                  description: iqn is the target iSCSI Qualified Name.
+                                  type: string
+                                iscsiInterface:
+                                  default: default
+                                  description: |-
+                                    iscsiInterface is the interface Name that uses an iSCSI transport.
+                                    Defaults to 'default' (tcp).
+                                  type: string
+                                lun:
+                                  description: lun represents iSCSI Target Lun number.
+                                  format: int32
+                                  type: integer
+                                portals:
+                                  description: |-
+                                    portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+                                    is other than default (typically TCP ports 860 and 3260).
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                  type: boolean
+                                secretRef:
+                                  description: secretRef is the CHAP Secret for iSCSI
+                                    target and initiator authentication
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                targetPortal:
+                                  description: |-
+                                    targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+                                    is other than default (typically TCP ports 860 and 3260).
+                                  type: string
+                              required:
+                              - iqn
+                              - lun
+                              - targetPortal
+                              type: object
+                            name:
+                              description: |-
+                                name of the volume.
+                                Must be a DNS_LABEL and unique within the pod.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                            nfs:
+                              description: |-
+                                nfs represents an NFS mount on the host that shares a pod's lifetime
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                              properties:
+                                path:
+                                  description: |-
+                                    path that is exported by the NFS server.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the NFS export to be mounted with read-only permissions.
+                                    Defaults to false.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: boolean
+                                server:
+                                  description: |-
+                                    server is the hostname or IP address of the NFS server.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+                                  type: string
+                              required:
+                              - path
+                              - server
+                              type: object
+                            persistentVolumeClaim:
+                              description: |-
+                                persistentVolumeClaimVolumeSource represents a reference to a
+                                PersistentVolumeClaim in the same namespace.
+                                More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+                              properties:
+                                claimName:
+                                  description: |-
+                                    claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+                                    More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly Will force the ReadOnly setting in VolumeMounts.
+                                    Default false.
+                                  type: boolean
+                              required:
+                              - claimName
+                              type: object
+                            photonPersistentDisk:
+                              description: |-
+                                photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+                                Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                pdID:
+                                  description: pdID is the ID that identifies Photon
+                                    Controller persistent disk
+                                  type: string
+                              required:
+                              - pdID
+                              type: object
+                            portworxVolume:
+                              description: |-
+                                portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+                                Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+                                are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+                                is on.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fSType represents the filesystem type to mount
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                volumeID:
+                                  description: volumeID uniquely identifies a Portworx
+                                    volume
+                                  type: string
+                              required:
+                              - volumeID
+                              type: object
+                            projected:
+                              description: projected items for all in one resources
+                                secrets, configmaps, and downward API
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode are the mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                sources:
+                                  description: |-
+                                    sources is the list of volume projections. Each entry in this list
+                                    handles one source.
+                                  items:
+                                    description: |-
+                                      Projection that may be projected along with other supported volume types.
+                                      Exactly one of these fields must be set.
+                                    properties:
+                                      clusterTrustBundle:
+                                        description: |-
+                                          ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+                                          of ClusterTrustBundle objects in an auto-updating file.
+
+                                          Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+                                          ClusterTrustBundle objects can either be selected by name, or by the
+                                          combination of signer name and a label selector.
+
+                                          Kubelet performs aggressive normalization of the PEM contents written
+                                          into the pod filesystem.  Esoteric PEM features such as inter-block
+                                          comments and block headers are stripped.  Certificates are deduplicated.
+                                          The ordering of certificates within the file is arbitrary, and Kubelet
+                                          may change the order over time.
+                                        properties:
+                                          labelSelector:
+                                            description: |-
+                                              Select all ClusterTrustBundles that match this label selector.  Only has
+                                              effect if signerName is set.  Mutually-exclusive with name.  If unset,
+                                              interpreted as "match nothing".  If set but empty, interpreted as "match
+                                              everything".
+                                            properties:
+                                              matchExpressions:
+                                                description: matchExpressions is a
+                                                  list of label selector requirements.
+                                                  The requirements are ANDed.
+                                                items:
+                                                  description: |-
+                                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                                    relates the key and values.
+                                                  properties:
+                                                    key:
+                                                      description: key is the label
+                                                        key that the selector applies
+                                                        to.
+                                                      type: string
+                                                    operator:
+                                                      description: |-
+                                                        operator represents a key's relationship to a set of values.
+                                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                                      type: string
+                                                    values:
+                                                      description: |-
+                                                        values is an array of string values. If the operator is In or NotIn,
+                                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                                        the values array must be empty. This array is replaced during a strategic
+                                                        merge patch.
+                                                      items:
+                                                        type: string
+                                                      type: array
+                                                      x-kubernetes-list-type: atomic
+                                                  required:
+                                                  - key
+                                                  - operator
+                                                  type: object
+                                                type: array
+                                                x-kubernetes-list-type: atomic
+                                              matchLabels:
+                                                additionalProperties:
+                                                  type: string
+                                                description: |-
+                                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                                type: object
+                                            type: object
+                                            x-kubernetes-map-type: atomic
+                                          name:
+                                            description: |-
+                                              Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+                                              with signerName and labelSelector.
+                                            type: string
+                                          optional:
+                                            description: |-
+                                              If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+                                              aren't available.  If using name, then the named ClusterTrustBundle is
+                                              allowed not to exist.  If using signerName, then the combination of
+                                              signerName and labelSelector is allowed to match zero
+                                              ClusterTrustBundles.
+                                            type: boolean
+                                          path:
+                                            description: Relative path from the volume
+                                              root to write the bundle.
+                                            type: string
+                                          signerName:
+                                            description: |-
+                                              Select all ClusterTrustBundles that match this signer name.
+                                              Mutually-exclusive with name.  The contents of all selected
+                                              ClusterTrustBundles will be unified and deduplicated.
+                                            type: string
+                                        required:
+                                        - path
+                                        type: object
+                                      configMap:
+                                        description: configMap information about the
+                                          configMap data to project
+                                        properties:
+                                          items:
+                                            description: |-
+                                              items if unspecified, each key-value pair in the Data field of the referenced
+                                              ConfigMap will be projected into the volume as a file whose name is the
+                                              key and content is the value. If specified, the listed keys will be
+                                              projected into the specified paths, and unlisted keys will not be
+                                              present. If a key is specified which is not present in the ConfigMap,
+                                              the volume setup will error unless it is marked optional. Paths must be
+                                              relative and may not contain the '..' path or start with '..'.
+                                            items:
+                                              description: Maps a string key to a
+                                                path within a volume.
+                                              properties:
+                                                key:
+                                                  description: key is the key to project.
+                                                  type: string
+                                                mode:
+                                                  description: |-
+                                                    mode is Optional: mode bits used to set permissions on this file.
+                                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: |-
+                                                    path is the relative path of the file to map the key to.
+                                                    May not be an absolute path.
+                                                    May not contain the path element '..'.
+                                                    May not start with the string '..'.
+                                                  type: string
+                                              required:
+                                              - key
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          name:
+                                            default: ""
+                                            description: |-
+                                              Name of the referent.
+                                              This field is effectively required, but due to backwards compatibility is
+                                              allowed to be empty. Instances of this type with an empty value here are
+                                              almost certainly wrong.
+                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                            type: string
+                                          optional:
+                                            description: optional specify whether
+                                              the ConfigMap or its keys must be defined
+                                            type: boolean
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      downwardAPI:
+                                        description: downwardAPI information about
+                                          the downwardAPI data to project
+                                        properties:
+                                          items:
+                                            description: Items is a list of DownwardAPIVolume
+                                              file
+                                            items:
+                                              description: DownwardAPIVolumeFile represents
+                                                information to create the file containing
+                                                the pod field
+                                              properties:
+                                                fieldRef:
+                                                  description: 'Required: Selects
+                                                    a field of the pod: only annotations,
+                                                    labels, name, namespace and uid
+                                                    are supported.'
+                                                  properties:
+                                                    apiVersion:
+                                                      description: Version of the
+                                                        schema the FieldPath is written
+                                                        in terms of, defaults to "v1".
+                                                      type: string
+                                                    fieldPath:
+                                                      description: Path of the field
+                                                        to select in the specified
+                                                        API version.
+                                                      type: string
+                                                  required:
+                                                  - fieldPath
+                                                  type: object
+                                                  x-kubernetes-map-type: atomic
+                                                mode:
+                                                  description: |-
+                                                    Optional: mode bits used to set permissions on this file, must be an octal value
+                                                    between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: 'Required: Path is  the
+                                                    relative path name of the file
+                                                    to be created. Must not be absolute
+                                                    or contain the ''..'' path. Must
+                                                    be utf-8 encoded. The first item
+                                                    of the relative path must not
+                                                    start with ''..'''
+                                                  type: string
+                                                resourceFieldRef:
+                                                  description: |-
+                                                    Selects a resource of the container: only resources limits and requests
+                                                    (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+                                                  properties:
+                                                    containerName:
+                                                      description: 'Container name:
+                                                        required for volumes, optional
+                                                        for env vars'
+                                                      type: string
+                                                    divisor:
+                                                      anyOf:
+                                                      - type: integer
+                                                      - type: string
+                                                      description: Specifies the output
+                                                        format of the exposed resources,
+                                                        defaults to "1"
+                                                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                      x-kubernetes-int-or-string: true
+                                                    resource:
+                                                      description: 'Required: resource
+                                                        to select'
+                                                      type: string
+                                                  required:
+                                                  - resource
+                                                  type: object
+                                                  x-kubernetes-map-type: atomic
+                                              required:
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                        type: object
+                                      podCertificate:
+                                        description: |-
+                                          Projects an auto-rotating credential bundle (private key and certificate
+                                          chain) that the pod can use either as a TLS client or server.
+
+                                          Kubelet generates a private key and uses it to send a
+                                          PodCertificateRequest to the named signer.  Once the signer approves the
+                                          request and issues a certificate chain, Kubelet writes the key and
+                                          certificate chain to the pod filesystem.  The pod does not start until
+                                          certificates have been issued for each podCertificate projected volume
+                                          source in its spec.
+
+                                          Kubelet will begin trying to rotate the certificate at the time indicated
+                                          by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+                                          timestamp.
+
+                                          Kubelet can write a single file, indicated by the credentialBundlePath
+                                          field, or separate files, indicated by the keyPath and
+                                          certificateChainPath fields.
+
+                                          The credential bundle is a single file in PEM format.  The first PEM
+                                          entry is the private key (in PKCS#8 format), and the remaining PEM
+                                          entries are the certificate chain issued by the signer (typically,
+                                          signers will return their certificate chain in leaf-to-root order).
+
+                                          Prefer using the credential bundle format, since your application code
+                                          can read it atomically.  If you use keyPath and certificateChainPath,
+                                          your application must make two separate file reads. If these coincide
+                                          with a certificate rotation, it is possible that the private key and leaf
+                                          certificate you read may not correspond to each other.  Your application
+                                          will need to check for this condition, and re-read until they are
+                                          consistent.
+
+                                          The named signer controls chooses the format of the certificate it
+                                          issues; consult the signer implementation's documentation to learn how to
+                                          use the certificates it issues.
+                                        properties:
+                                          certificateChainPath:
+                                            description: |-
+                                              Write the certificate chain at this path in the projected volume.
+
+                                              Most applications should use credentialBundlePath.  When using keyPath
+                                              and certificateChainPath, your application needs to check that the key
+                                              and leaf certificate are consistent, because it is possible to read the
+                                              files mid-rotation.
+                                            type: string
+                                          credentialBundlePath:
+                                            description: |-
+                                              Write the credential bundle at this path in the projected volume.
+
+                                              The credential bundle is a single file that contains multiple PEM blocks.
+                                              The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+                                              key.
+
+                                              The remaining blocks are CERTIFICATE blocks, containing the issued
+                                              certificate chain from the signer (leaf and any intermediates).
+
+                                              Using credentialBundlePath lets your Pod's application code make a single
+                                              atomic read that retrieves a consistent key and certificate chain.  If you
+                                              project them to separate files, your application code will need to
+                                              additionally check that the leaf certificate was issued to the key.
+                                            type: string
+                                          keyPath:
+                                            description: |-
+                                              Write the key at this path in the projected volume.
+
+                                              Most applications should use credentialBundlePath.  When using keyPath
+                                              and certificateChainPath, your application needs to check that the key
+                                              and leaf certificate are consistent, because it is possible to read the
+                                              files mid-rotation.
+                                            type: string
+                                          keyType:
+                                            description: |-
+                                              The type of keypair Kubelet will generate for the pod.
+
+                                              Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+                                              "ECDSAP521", and "ED25519".
+                                            type: string
+                                          maxExpirationSeconds:
+                                            description: |-
+                                              maxExpirationSeconds is the maximum lifetime permitted for the
+                                              certificate.
+
+                                              Kubelet copies this value verbatim into the PodCertificateRequests it
+                                              generates for this projection.
+
+                                              If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+                                              will reject values shorter than 3600 (1 hour).  The maximum allowable
+                                              value is 7862400 (91 days).
+
+                                              The signer implementation is then free to issue a certificate with any
+                                              lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+                                              seconds (1 hour).  This constraint is enforced by kube-apiserver.
+                                              `kubernetes.io` signers will never issue certificates with a lifetime
+                                              longer than 24 hours.
+                                            format: int32
+                                            type: integer
+                                          signerName:
+                                            description: Kubelet's generated CSRs
+                                              will be addressed to this signer.
+                                            type: string
+                                          userAnnotations:
+                                            additionalProperties:
+                                              type: string
+                                            description: |-
+                                              userAnnotations allow pod authors to pass additional information to
+                                              the signer implementation.  Kubernetes does not restrict or validate this
+                                              metadata in any way.
+
+                                              These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+                                              the PodCertificateRequest objects that Kubelet creates.
+
+                                              Entries are subject to the same validation as object metadata annotations,
+                                              with the addition that all keys must be domain-prefixed. No restrictions
+                                              are placed on values, except an overall size limitation on the entire field.
+
+                                              Signers should document the keys and values they support. Signers should
+                                              deny requests that contain keys they do not recognize.
+                                            type: object
+                                        required:
+                                        - keyType
+                                        - signerName
+                                        type: object
+                                      secret:
+                                        description: secret information about the
+                                          secret data to project
+                                        properties:
+                                          items:
+                                            description: |-
+                                              items if unspecified, each key-value pair in the Data field of the referenced
+                                              Secret will be projected into the volume as a file whose name is the
+                                              key and content is the value. If specified, the listed keys will be
+                                              projected into the specified paths, and unlisted keys will not be
+                                              present. If a key is specified which is not present in the Secret,
+                                              the volume setup will error unless it is marked optional. Paths must be
+                                              relative and may not contain the '..' path or start with '..'.
+                                            items:
+                                              description: Maps a string key to a
+                                                path within a volume.
+                                              properties:
+                                                key:
+                                                  description: key is the key to project.
+                                                  type: string
+                                                mode:
+                                                  description: |-
+                                                    mode is Optional: mode bits used to set permissions on this file.
+                                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                                    YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                                    If not specified, the volume defaultMode will be used.
+                                                    This might be in conflict with other options that affect the file
+                                                    mode, like fsGroup, and the result can be other mode bits set.
+                                                  format: int32
+                                                  type: integer
+                                                path:
+                                                  description: |-
+                                                    path is the relative path of the file to map the key to.
+                                                    May not be an absolute path.
+                                                    May not contain the path element '..'.
+                                                    May not start with the string '..'.
+                                                  type: string
+                                              required:
+                                              - key
+                                              - path
+                                              type: object
+                                            type: array
+                                            x-kubernetes-list-type: atomic
+                                          name:
+                                            default: ""
+                                            description: |-
+                                              Name of the referent.
+                                              This field is effectively required, but due to backwards compatibility is
+                                              allowed to be empty. Instances of this type with an empty value here are
+                                              almost certainly wrong.
+                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                            type: string
+                                          optional:
+                                            description: optional field specify whether
+                                              the Secret or its key must be defined
+                                            type: boolean
+                                        type: object
+                                        x-kubernetes-map-type: atomic
+                                      serviceAccountToken:
+                                        description: serviceAccountToken is information
+                                          about the serviceAccountToken data to project
+                                        properties:
+                                          audience:
+                                            description: |-
+                                              audience is the intended audience of the token. A recipient of a token
+                                              must identify itself with an identifier specified in the audience of the
+                                              token, and otherwise should reject the token. The audience defaults to the
+                                              identifier of the apiserver.
+                                            type: string
+                                          expirationSeconds:
+                                            description: |-
+                                              expirationSeconds is the requested duration of validity of the service
+                                              account token. As the token approaches expiration, the kubelet volume
+                                              plugin will proactively rotate the service account token. The kubelet will
+                                              start trying to rotate the token if the token is older than 80 percent of
+                                              its time to live or if the token is older than 24 hours.Defaults to 1 hour
+                                              and must be at least 10 minutes.
+                                            format: int64
+                                            type: integer
+                                          path:
+                                            description: |-
+                                              path is the path relative to the mount point of the file to project the
+                                              token into.
+                                            type: string
+                                        required:
+                                        - path
+                                        type: object
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                              type: object
+                            quobyte:
+                              description: |-
+                                quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+                                Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
+                              properties:
+                                group:
+                                  description: |-
+                                    group to map volume access to
+                                    Default is no group
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+                                    Defaults to false.
+                                  type: boolean
+                                registry:
+                                  description: |-
+                                    registry represents a single or multiple Quobyte Registry services
+                                    specified as a string as host:port pair (multiple entries are separated with commas)
+                                    which acts as the central registry for volumes
+                                  type: string
+                                tenant:
+                                  description: |-
+                                    tenant owning the given Quobyte volume in the Backend
+                                    Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+                                  type: string
+                                user:
+                                  description: |-
+                                    user to map volume access to
+                                    Defaults to serivceaccount user
+                                  type: string
+                                volume:
+                                  description: volume is a string that references
+                                    an already created Quobyte volume by name.
+                                  type: string
+                              required:
+                              - registry
+                              - volume
+                              type: object
+                            rbd:
+                              description: |-
+                                rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+                                Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type of the volume that you want to mount.
+                                    Tip: Ensure that the filesystem type is supported by the host operating system.
+                                    Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+                                  type: string
+                                image:
+                                  description: |-
+                                    image is the rados image name.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                keyring:
+                                  default: /etc/ceph/keyring
+                                  description: |-
+                                    keyring is the path to key ring for RBDUser.
+                                    Default is /etc/ceph/keyring.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                monitors:
+                                  description: |-
+                                    monitors is a collection of Ceph monitors.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  items:
+                                    type: string
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                pool:
+                                  default: rbd
+                                  description: |-
+                                    pool is the rados pool name.
+                                    Default is rbd.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly here will force the ReadOnly setting in VolumeMounts.
+                                    Defaults to false.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef is name of the authentication secret for RBDUser. If provided
+                                    overrides keyring.
+                                    Default is nil.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                user:
+                                  default: admin
+                                  description: |-
+                                    user is the rados user name.
+                                    Default is admin.
+                                    More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+                                  type: string
+                              required:
+                              - image
+                              - monitors
+                              type: object
+                            scaleIO:
+                              description: |-
+                                scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+                                Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
+                              properties:
+                                fsType:
+                                  default: xfs
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs".
+                                    Default is "xfs".
+                                  type: string
+                                gateway:
+                                  description: gateway is the host address of the
+                                    ScaleIO API Gateway.
+                                  type: string
+                                protectionDomain:
+                                  description: protectionDomain is the name of the
+                                    ScaleIO Protection Domain for the configured storage.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly Defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef references to the secret for ScaleIO user and other
+                                    sensitive information. If this is not provided, Login operation will fail.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                sslEnabled:
+                                  description: sslEnabled Flag enable/disable SSL
+                                    communication with Gateway, default false
+                                  type: boolean
+                                storageMode:
+                                  default: ThinProvisioned
+                                  description: |-
+                                    storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+                                    Default is ThinProvisioned.
+                                  type: string
+                                storagePool:
+                                  description: storagePool is the ScaleIO Storage
+                                    Pool associated with the protection domain.
+                                  type: string
+                                system:
+                                  description: system is the name of the storage system
+                                    as configured in ScaleIO.
+                                  type: string
+                                volumeName:
+                                  description: |-
+                                    volumeName is the name of a volume already created in the ScaleIO system
+                                    that is associated with this volume source.
+                                  type: string
+                              required:
+                              - gateway
+                              - secretRef
+                              - system
+                              type: object
+                            secret:
+                              description: |-
+                                secret represents a secret that should populate this volume.
+                                More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+                              properties:
+                                defaultMode:
+                                  description: |-
+                                    defaultMode is Optional: mode bits used to set permissions on created files by default.
+                                    Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                    YAML accepts both octal and decimal values, JSON requires decimal values
+                                    for mode bits. Defaults to 0644.
+                                    Directories within the path are not affected by this setting.
+                                    This might be in conflict with other options that affect the file
+                                    mode, like fsGroup, and the result can be other mode bits set.
+                                  format: int32
+                                  type: integer
+                                items:
+                                  description: |-
+                                    items If unspecified, each key-value pair in the Data field of the referenced
+                                    Secret will be projected into the volume as a file whose name is the
+                                    key and content is the value. If specified, the listed keys will be
+                                    projected into the specified paths, and unlisted keys will not be
+                                    present. If a key is specified which is not present in the Secret,
+                                    the volume setup will error unless it is marked optional. Paths must be
+                                    relative and may not contain the '..' path or start with '..'.
+                                  items:
+                                    description: Maps a string key to a path within
+                                      a volume.
+                                    properties:
+                                      key:
+                                        description: key is the key to project.
+                                        type: string
+                                      mode:
+                                        description: |-
+                                          mode is Optional: mode bits used to set permissions on this file.
+                                          Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+                                          YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+                                          If not specified, the volume defaultMode will be used.
+                                          This might be in conflict with other options that affect the file
+                                          mode, like fsGroup, and the result can be other mode bits set.
+                                        format: int32
+                                        type: integer
+                                      path:
+                                        description: |-
+                                          path is the relative path of the file to map the key to.
+                                          May not be an absolute path.
+                                          May not contain the path element '..'.
+                                          May not start with the string '..'.
+                                        type: string
+                                    required:
+                                    - key
+                                    - path
+                                    type: object
+                                  type: array
+                                  x-kubernetes-list-type: atomic
+                                optional:
+                                  description: optional field specify whether the
+                                    Secret or its keys must be defined
+                                  type: boolean
+                                secretName:
+                                  description: |-
+                                    secretName is the name of the secret in the pod's namespace to use.
+                                    More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+                                  type: string
+                              type: object
+                            storageos:
+                              description: |-
+                                storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+                                Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is the filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                readOnly:
+                                  description: |-
+                                    readOnly defaults to false (read/write). ReadOnly here will force
+                                    the ReadOnly setting in VolumeMounts.
+                                  type: boolean
+                                secretRef:
+                                  description: |-
+                                    secretRef specifies the secret to use for obtaining the StorageOS API
+                                    credentials.  If not specified, default values will be attempted.
+                                  properties:
+                                    name:
+                                      default: ""
+                                      description: |-
+                                        Name of the referent.
+                                        This field is effectively required, but due to backwards compatibility is
+                                        allowed to be empty. Instances of this type with an empty value here are
+                                        almost certainly wrong.
+                                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                      type: string
+                                  type: object
+                                  x-kubernetes-map-type: atomic
+                                volumeName:
+                                  description: |-
+                                    volumeName is the human-readable name of the StorageOS volume.  Volume
+                                    names are only unique within a namespace.
+                                  type: string
+                                volumeNamespace:
+                                  description: |-
+                                    volumeNamespace specifies the scope of the volume within StorageOS.  If no
+                                    namespace is specified then the Pod's namespace will be used.  This allows the
+                                    Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+                                    Set VolumeName to any name to override the default behaviour.
+                                    Set to "default" if you are not using namespaces within StorageOS.
+                                    Namespaces that do not pre-exist within StorageOS will be created.
+                                  type: string
+                              type: object
+                            vsphereVolume:
+                              description: |-
+                                vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+                                Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+                                are redirected to the csi.vsphere.vmware.com CSI driver.
+                              properties:
+                                fsType:
+                                  description: |-
+                                    fsType is filesystem type to mount.
+                                    Must be a filesystem type supported by the host operating system.
+                                    Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+                                  type: string
+                                storagePolicyID:
+                                  description: storagePolicyID is the storage Policy
+                                    Based Management (SPBM) profile ID associated
+                                    with the StoragePolicyName.
+                                  type: string
+                                storagePolicyName:
+                                  description: storagePolicyName is the storage Policy
+                                    Based Management (SPBM) profile name.
+                                  type: string
+                                volumePath:
+                                  description: volumePath is the path that identifies
+                                    vSphere volume vmdk
+                                  type: string
+                              required:
+                              - volumePath
+                              type: object
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      xdsAddress:
+                        description: The customized XDS address to retrieve configuration.
+                        type: string
+                    type: object
+                type: object
+              version:
+                default: v1.28.3
+                description: |-
+                  Defines the version of Istio to install.
+                  Must be one of: v1.28-latest, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a30ad733.
+                enum:
+                - v1.28-latest
+                - v1.28.3
+                - v1.28.2
+                - v1.28.1
+                - v1.28.0
+                - v1.27-latest
+                - v1.27.5
+                - v1.27.4
+                - v1.27.3
+                - v1.27.2
+                - v1.27.1
+                - v1.27.0
+                - v1.26-latest
+                - v1.26.8
+                - v1.26.7
+                - v1.26.6
+                - v1.26.5
+                - v1.26.4
+                - v1.26.3
+                - v1.26.2
+                - v1.26.1
+                - v1.26.0
+                - v1.25-latest
+                - v1.25.5
+                - v1.25.4
+                - v1.25.3
+                - v1.25.2
+                - v1.25.1
+                - v1.24-latest
+                - v1.24.6
+                - v1.24.5
+                - v1.24.4
+                - v1.24.3
+                - v1.24.2
+                - v1.24.1
+                - v1.24.0
+                - master
+                - v1.30-alpha.a30ad733
+                type: string
+            required:
+            - namespace
+            - version
+            type: object
+          status:
+            description: ZTunnelStatus defines the observed state of ZTunnel
+            properties:
+              conditions:
+                description: Represents the latest available observations of the object's
+                  current state.
+                items:
+                  description: ZTunnelCondition represents a specific observation
+                    of the ZTunnel object's state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        the last transition.
+                      type: string
+                    reason:
+                      description: Unique, single-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: The status of this condition. Can be True, False
+                        or Unknown.
+                      type: string
+                    type:
+                      description: The type of this condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the most recent generation observed for this
+                  ZTunnel object. It corresponds to the object's generation, which is
+                  updated on mutation by the API Server. The information in the status
+                  pertains to this particular generation of the object.
+                format: int64
+                type: integer
+              state:
+                description: Reports the current state of the object.
+                type: string
+            type: object
+        type: object
+        x-kubernetes-validations:
+        - message: metadata.name must be 'default'
+          rule: self.metadata.name == 'default'
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_authorizationpolicies.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_authorizationpolicies.yaml
new file mode 100644
index 0000000000..8fc3def5ee
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_authorizationpolicies.yaml
@@ -0,0 +1,766 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: authorizationpolicies.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: AuthorizationPolicy
+    listKind: AuthorizationPolicyList
+    plural: authorizationpolicies
+    shortNames:
+    - ap
+    singular: authorizationpolicy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The operation to take.
+      jsonPath: .spec.action
+      name: Action
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration for access control on workloads. See more
+              details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - provider
+            - required:
+              - provider
+            properties:
+              action:
+                description: |-
+                  Optional.
+
+                  Valid Options: ALLOW, DENY, AUDIT, CUSTOM
+                enum:
+                - ALLOW
+                - DENY
+                - AUDIT
+                - CUSTOM
+                type: string
+              provider:
+                description: Specifies detailed configuration of the CUSTOM action.
+                properties:
+                  name:
+                    description: Specifies the name of the extension provider.
+                    type: string
+                type: object
+              rules:
+                description: Optional.
+                items:
+                  properties:
+                    from:
+                      description: Optional.
+                      items:
+                        properties:
+                          source:
+                            description: Source specifies the source of a request.
+                            properties:
+                              ipBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              namespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notNamespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRemoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRequestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
+                              principals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              remoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              requestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
+                            type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
+                        type: object
+                      maxItems: 512
+                      type: array
+                    to:
+                      description: Optional.
+                      items:
+                        properties:
+                          operation:
+                            description: Operation specifies the operation of a request.
+                            properties:
+                              hosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              methods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notHosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notMethods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPaths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPorts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              paths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              ports:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    when:
+                      description: Optional.
+                      items:
+                        properties:
+                          key:
+                            description: The name of an Istio attribute.
+                            type: string
+                          notValues:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                          values:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        type: object
+                      type: array
+                  type: object
+                maxItems: 512
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The operation to take.
+      jsonPath: .spec.action
+      name: Action
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration for access control on workloads. See more
+              details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - provider
+            - required:
+              - provider
+            properties:
+              action:
+                description: |-
+                  Optional.
+
+                  Valid Options: ALLOW, DENY, AUDIT, CUSTOM
+                enum:
+                - ALLOW
+                - DENY
+                - AUDIT
+                - CUSTOM
+                type: string
+              provider:
+                description: Specifies detailed configuration of the CUSTOM action.
+                properties:
+                  name:
+                    description: Specifies the name of the extension provider.
+                    type: string
+                type: object
+              rules:
+                description: Optional.
+                items:
+                  properties:
+                    from:
+                      description: Optional.
+                      items:
+                        properties:
+                          source:
+                            description: Source specifies the source of a request.
+                            properties:
+                              ipBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              namespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notNamespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRemoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRequestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
+                              principals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              remoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              requestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
+                            type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
+                        type: object
+                      maxItems: 512
+                      type: array
+                    to:
+                      description: Optional.
+                      items:
+                        properties:
+                          operation:
+                            description: Operation specifies the operation of a request.
+                            properties:
+                              hosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              methods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notHosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notMethods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPaths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPorts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              paths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              ports:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    when:
+                      description: Optional.
+                      items:
+                        properties:
+                          key:
+                            description: The name of an Istio attribute.
+                            type: string
+                          notValues:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                          values:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        type: object
+                      type: array
+                  type: object
+                maxItems: 512
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_peerauthentications.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_peerauthentications.yaml
new file mode 100644
index 0000000000..37b3073a07
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_peerauthentications.yaml
@@ -0,0 +1,352 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: peerauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: PeerAuthentication
+    listKind: PeerAuthenticationList
+    plural: peerauthentications
+    shortNames:
+    - pa
+    singular: peerauthentication
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Defines the mTLS mode used for peer authentication.
+      jsonPath: .spec.mtls.mode
+      name: Mode
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Peer authentication configuration for workloads. See more
+              details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
+            properties:
+              mtls:
+                description: Mutual TLS settings for workload.
+                properties:
+                  mode:
+                    description: |-
+                      Defines the mTLS mode used for peer authentication.
+
+                      Valid Options: DISABLE, PERMISSIVE, STRICT
+                    enum:
+                    - UNSET
+                    - DISABLE
+                    - PERMISSIVE
+                    - STRICT
+                    type: string
+                type: object
+              portLevelMtls:
+                additionalProperties:
+                  properties:
+                    mode:
+                      description: |-
+                        Defines the mTLS mode used for peer authentication.
+
+                        Valid Options: DISABLE, PERMISSIVE, STRICT
+                      enum:
+                      - UNSET
+                      - DISABLE
+                      - PERMISSIVE
+                      - STRICT
+                      type: string
+                  type: object
+                description: Port specific mutual TLS settings.
+                minProperties: 1
+                type: object
+                x-kubernetes-validations:
+                - message: port must be between 1-65535
+                  rule: self.all(key, 0 < int(key) && int(key) <= 65535)
+              selector:
+                description: The selector determines the workloads to apply the PeerAuthentication
+                  on.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            type: object
+            x-kubernetes-validations:
+            - message: portLevelMtls requires selector
+              rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels))
+                ? self.selector.matchLabels : {}).size() > 0) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Defines the mTLS mode used for peer authentication.
+      jsonPath: .spec.mtls.mode
+      name: Mode
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Peer authentication configuration for workloads. See more
+              details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
+            properties:
+              mtls:
+                description: Mutual TLS settings for workload.
+                properties:
+                  mode:
+                    description: |-
+                      Defines the mTLS mode used for peer authentication.
+
+                      Valid Options: DISABLE, PERMISSIVE, STRICT
+                    enum:
+                    - UNSET
+                    - DISABLE
+                    - PERMISSIVE
+                    - STRICT
+                    type: string
+                type: object
+              portLevelMtls:
+                additionalProperties:
+                  properties:
+                    mode:
+                      description: |-
+                        Defines the mTLS mode used for peer authentication.
+
+                        Valid Options: DISABLE, PERMISSIVE, STRICT
+                      enum:
+                      - UNSET
+                      - DISABLE
+                      - PERMISSIVE
+                      - STRICT
+                      type: string
+                  type: object
+                description: Port specific mutual TLS settings.
+                minProperties: 1
+                type: object
+                x-kubernetes-validations:
+                - message: port must be between 1-65535
+                  rule: self.all(key, 0 < int(key) && int(key) <= 65535)
+              selector:
+                description: The selector determines the workloads to apply the PeerAuthentication
+                  on.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            type: object
+            x-kubernetes-validations:
+            - message: portLevelMtls requires selector
+              rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels))
+                ? self.selector.matchLabels : {}).size() > 0) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_requestauthentications.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_requestauthentications.yaml
new file mode 100644
index 0000000000..2c2be1c036
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_requestauthentications.yaml
@@ -0,0 +1,604 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: requestauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: RequestAuthentication
+    listKind: RequestAuthenticationList
+    plural: requestauthentications
+    shortNames:
+    - ra
+    singular: requestauthentication
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Request authentication configuration for workloads. See
+              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
+            properties:
+              jwtRules:
+                description: Define the list of JWTs that can be validated at the
+                  selected workloads' proxy.
+                items:
+                  properties:
+                    audiences:
+                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+                        that are allowed to access.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    forwardOriginalToken:
+                      description: If set to true, the original token will be kept
+                        for the upstream request.
+                      type: boolean
+                    fromCookies:
+                      description: List of cookie names from which JWT is expected.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    fromHeaders:
+                      description: List of header locations from which JWT is expected.
+                      items:
+                        properties:
+                          name:
+                            description: The HTTP header name.
+                            minLength: 1
+                            type: string
+                          prefix:
+                            description: The prefix that should be stripped before
+                              decoding the token.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    fromParams:
+                      description: List of query parameters from which JWT is expected.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    issuer:
+                      description: Identifies the issuer that issued the JWT.
+                      minLength: 1
+                      type: string
+                    jwks:
+                      description: JSON Web Key Set of public keys to validate signature
+                        of the JWT.
+                      type: string
+                    jwks_uri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      maxLength: 2048
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                      - message: url must have scheme http:// or https://
+                        rule: url(self).getScheme() in ["http", "https"]
+                    jwksUri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      maxLength: 2048
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                      - message: url must have scheme http:// or https://
+                        rule: url(self).getScheme() in ["http", "https"]
+                    outputClaimToHeaders:
+                      description: This field specifies a list of operations to copy
+                        the claim to HTTP headers on a successfully verified token.
+                      items:
+                        properties:
+                          claim:
+                            description: The name of the claim to be copied from.
+                            minLength: 1
+                            type: string
+                          header:
+                            description: The name of the header to be created.
+                            minLength: 1
+                            pattern: ^[-_A-Za-z0-9]+$
+                            type: string
+                        required:
+                        - header
+                        - claim
+                        type: object
+                      type: array
+                    outputPayloadToHeader:
+                      description: This field specifies the header name to output
+                        a successfully verified JWT payload to the backend.
+                      type: string
+                    spaceDelimitedClaims:
+                      description: List of JWT claim names that should be treated
+                        as space-delimited strings.
+                      items:
+                        minLength: 1
+                        type: string
+                      maxItems: 64
+                      type: array
+                    timeout:
+                      description: The maximum amount of time that the resolver, determined
+                        by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
+                        will spend waiting for the JWKS to be fetched.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                  x-kubernetes-validations:
+                  - message: only one of jwks or jwksUri can be set
+                    rule: '(has(self.jwksUri) ? 1 : 0) + (has(self.jwks_uri) ? 1 :
+                      0) + (has(self.jwks) ? 1 : 0) <= 1'
+                maxItems: 4096
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Request authentication configuration for workloads. See
+              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
+            properties:
+              jwtRules:
+                description: Define the list of JWTs that can be validated at the
+                  selected workloads' proxy.
+                items:
+                  properties:
+                    audiences:
+                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+                        that are allowed to access.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    forwardOriginalToken:
+                      description: If set to true, the original token will be kept
+                        for the upstream request.
+                      type: boolean
+                    fromCookies:
+                      description: List of cookie names from which JWT is expected.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    fromHeaders:
+                      description: List of header locations from which JWT is expected.
+                      items:
+                        properties:
+                          name:
+                            description: The HTTP header name.
+                            minLength: 1
+                            type: string
+                          prefix:
+                            description: The prefix that should be stripped before
+                              decoding the token.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    fromParams:
+                      description: List of query parameters from which JWT is expected.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    issuer:
+                      description: Identifies the issuer that issued the JWT.
+                      minLength: 1
+                      type: string
+                    jwks:
+                      description: JSON Web Key Set of public keys to validate signature
+                        of the JWT.
+                      type: string
+                    jwks_uri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      maxLength: 2048
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                      - message: url must have scheme http:// or https://
+                        rule: url(self).getScheme() in ["http", "https"]
+                    jwksUri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      maxLength: 2048
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                      - message: url must have scheme http:// or https://
+                        rule: url(self).getScheme() in ["http", "https"]
+                    outputClaimToHeaders:
+                      description: This field specifies a list of operations to copy
+                        the claim to HTTP headers on a successfully verified token.
+                      items:
+                        properties:
+                          claim:
+                            description: The name of the claim to be copied from.
+                            minLength: 1
+                            type: string
+                          header:
+                            description: The name of the header to be created.
+                            minLength: 1
+                            pattern: ^[-_A-Za-z0-9]+$
+                            type: string
+                        required:
+                        - header
+                        - claim
+                        type: object
+                      type: array
+                    outputPayloadToHeader:
+                      description: This field specifies the header name to output
+                        a successfully verified JWT payload to the backend.
+                      type: string
+                    spaceDelimitedClaims:
+                      description: List of JWT claim names that should be treated
+                        as space-delimited strings.
+                      items:
+                        minLength: 1
+                        type: string
+                      maxItems: 64
+                      type: array
+                    timeout:
+                      description: The maximum amount of time that the resolver, determined
+                        by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
+                        will spend waiting for the JWKS to be fetched.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                  x-kubernetes-validations:
+                  - message: only one of jwks or jwksUri can be set
+                    rule: '(has(self.jwksUri) ? 1 : 0) + (has(self.jwks_uri) ? 1 :
+                      0) + (has(self.jwks) ? 1 : 0) <= 1'
+                maxItems: 4096
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml
new file mode 100644
index 0000000000..23747292e2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml
@@ -0,0 +1,954 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: telemetry
+    release: istio
+  name: telemetries.telemetry.istio.io
+spec:
+  group: telemetry.istio.io
+  names:
+    categories:
+    - istio-io
+    - telemetry-istio-io
+    kind: Telemetry
+    listKind: TelemetryList
+    plural: telemetries
+    shortNames:
+    - telemetry
+    singular: telemetry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Telemetry configuration for workloads. See more details
+              at: https://istio.io/docs/reference/config/telemetry.html'
+            properties:
+              accessLogging:
+                description: Optional.
+                items:
+                  properties:
+                    disabled:
+                      description: Controls logging.
+                      nullable: true
+                      type: boolean
+                    filter:
+                      description: Optional.
+                      properties:
+                        expression:
+                          description: CEL expression for selecting when requests/connections
+                            should be logged.
+                          type: string
+                      type: object
+                    match:
+                      description: Allows tailoring of logging behavior to specific
+                        conditions.
+                      properties:
+                        mode:
+                          description: |-
+                            This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload.
+
+                            Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              metrics:
+                description: Optional.
+                items:
+                  properties:
+                    overrides:
+                      description: Optional.
+                      items:
+                        properties:
+                          disabled:
+                            description: Optional.
+                            nullable: true
+                            type: boolean
+                          match:
+                            description: Match allows providing the scope of the override.
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - metric
+                                - required:
+                                  - customMetric
+                            - required:
+                              - metric
+                            - required:
+                              - customMetric
+                            properties:
+                              customMetric:
+                                description: Allows free-form specification of a metric.
+                                minLength: 1
+                                type: string
+                              metric:
+                                description: |-
+                                  One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/).
+
+                                  Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES
+                                enum:
+                                - ALL_METRICS
+                                - REQUEST_COUNT
+                                - REQUEST_DURATION
+                                - REQUEST_SIZE
+                                - RESPONSE_SIZE
+                                - TCP_OPENED_CONNECTIONS
+                                - TCP_CLOSED_CONNECTIONS
+                                - TCP_SENT_BYTES
+                                - TCP_RECEIVED_BYTES
+                                - GRPC_REQUEST_MESSAGES
+                                - GRPC_RESPONSE_MESSAGES
+                                type: string
+                              mode:
+                                description: |-
+                                  Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.
+
+                                  Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                                enum:
+                                - CLIENT_AND_SERVER
+                                - CLIENT
+                                - SERVER
+                                type: string
+                            type: object
+                          tagOverrides:
+                            additionalProperties:
+                              properties:
+                                operation:
+                                  description: |-
+                                    Operation controls whether or not to update/add a tag, or to remove it.
+
+                                    Valid Options: UPSERT, REMOVE
+                                  enum:
+                                  - UPSERT
+                                  - REMOVE
+                                  type: string
+                                value:
+                                  description: Value is only considered if the operation
+                                    is `UPSERT`.
+                                  type: string
+                              type: object
+                              x-kubernetes-validations:
+                              - message: value must be set when operation is UPSERT
+                                rule: '((has(self.operation) ? self.operation : "")
+                                  == "UPSERT") ? (self.value != "") : true'
+                              - message: value must not be set when operation is REMOVE
+                                rule: '((has(self.operation) ? self.operation : "")
+                                  == "REMOVE") ? !has(self.value) : true'
+                            description: Optional.
+                            type: object
+                        type: object
+                      type: array
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    reportingInterval:
+                      description: Optional.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+              tracing:
+                description: Optional.
+                items:
+                  properties:
+                    customTags:
+                      additionalProperties:
+                        oneOf:
+                        - not:
+                            anyOf:
+                            - required:
+                              - literal
+                            - required:
+                              - environment
+                            - required:
+                              - header
+                            - required:
+                              - formatter
+                        - required:
+                          - literal
+                        - required:
+                          - environment
+                        - required:
+                          - header
+                        - required:
+                          - formatter
+                        properties:
+                          environment:
+                            description: Environment adds the value of an environment
+                              variable to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the environment variable from
+                                  which to extract the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          formatter:
+                            description: Formatter adds the value of access logging
+                              substitution formatter.
+                            properties:
+                              value:
+                                description: The formatter tag value to use, same
+                                  formatter as HTTP access logging (e.g.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                          header:
+                            description: RequestHeader adds the value of an header
+                              from the request to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the header from which to extract
+                                  the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          literal:
+                            description: Literal adds the same, hard-coded value to
+                              each span.
+                            properties:
+                              value:
+                                description: The tag value to use.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                        type: object
+                      description: Optional.
+                      type: object
+                    disableSpanReporting:
+                      description: Controls span reporting.
+                      nullable: true
+                      type: boolean
+                    enableIstioTags:
+                      description: Determines whether or not trace spans generated
+                        by Envoy will include Istio specific tags.
+                      nullable: true
+                      type: boolean
+                    match:
+                      description: Allows tailoring of behavior to specific conditions.
+                      properties:
+                        mode:
+                          description: |-
+                            This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload.
+
+                            Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    randomSamplingPercentage:
+                      description: Controls the rate at which traffic will be selected
+                        for tracing if no prior sampling decision has been made.
+                      format: double
+                      maximum: 100
+                      minimum: 0
+                      nullable: true
+                      type: number
+                    useRequestIdForTraceSampling:
+                      nullable: true
+                      type: boolean
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Telemetry configuration for workloads. See more details
+              at: https://istio.io/docs/reference/config/telemetry.html'
+            properties:
+              accessLogging:
+                description: Optional.
+                items:
+                  properties:
+                    disabled:
+                      description: Controls logging.
+                      nullable: true
+                      type: boolean
+                    filter:
+                      description: Optional.
+                      properties:
+                        expression:
+                          description: CEL expression for selecting when requests/connections
+                            should be logged.
+                          type: string
+                      type: object
+                    match:
+                      description: Allows tailoring of logging behavior to specific
+                        conditions.
+                      properties:
+                        mode:
+                          description: |-
+                            This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload.
+
+                            Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              metrics:
+                description: Optional.
+                items:
+                  properties:
+                    overrides:
+                      description: Optional.
+                      items:
+                        properties:
+                          disabled:
+                            description: Optional.
+                            nullable: true
+                            type: boolean
+                          match:
+                            description: Match allows providing the scope of the override.
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - metric
+                                - required:
+                                  - customMetric
+                            - required:
+                              - metric
+                            - required:
+                              - customMetric
+                            properties:
+                              customMetric:
+                                description: Allows free-form specification of a metric.
+                                minLength: 1
+                                type: string
+                              metric:
+                                description: |-
+                                  One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/).
+
+                                  Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES
+                                enum:
+                                - ALL_METRICS
+                                - REQUEST_COUNT
+                                - REQUEST_DURATION
+                                - REQUEST_SIZE
+                                - RESPONSE_SIZE
+                                - TCP_OPENED_CONNECTIONS
+                                - TCP_CLOSED_CONNECTIONS
+                                - TCP_SENT_BYTES
+                                - TCP_RECEIVED_BYTES
+                                - GRPC_REQUEST_MESSAGES
+                                - GRPC_RESPONSE_MESSAGES
+                                type: string
+                              mode:
+                                description: |-
+                                  Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.
+
+                                  Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                                enum:
+                                - CLIENT_AND_SERVER
+                                - CLIENT
+                                - SERVER
+                                type: string
+                            type: object
+                          tagOverrides:
+                            additionalProperties:
+                              properties:
+                                operation:
+                                  description: |-
+                                    Operation controls whether or not to update/add a tag, or to remove it.
+
+                                    Valid Options: UPSERT, REMOVE
+                                  enum:
+                                  - UPSERT
+                                  - REMOVE
+                                  type: string
+                                value:
+                                  description: Value is only considered if the operation
+                                    is `UPSERT`.
+                                  type: string
+                              type: object
+                              x-kubernetes-validations:
+                              - message: value must be set when operation is UPSERT
+                                rule: '((has(self.operation) ? self.operation : "")
+                                  == "UPSERT") ? (self.value != "") : true'
+                              - message: value must not be set when operation is REMOVE
+                                rule: '((has(self.operation) ? self.operation : "")
+                                  == "REMOVE") ? !has(self.value) : true'
+                            description: Optional.
+                            type: object
+                        type: object
+                      type: array
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    reportingInterval:
+                      description: Optional.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+              tracing:
+                description: Optional.
+                items:
+                  properties:
+                    customTags:
+                      additionalProperties:
+                        oneOf:
+                        - not:
+                            anyOf:
+                            - required:
+                              - literal
+                            - required:
+                              - environment
+                            - required:
+                              - header
+                            - required:
+                              - formatter
+                        - required:
+                          - literal
+                        - required:
+                          - environment
+                        - required:
+                          - header
+                        - required:
+                          - formatter
+                        properties:
+                          environment:
+                            description: Environment adds the value of an environment
+                              variable to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the environment variable from
+                                  which to extract the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          formatter:
+                            description: Formatter adds the value of access logging
+                              substitution formatter.
+                            properties:
+                              value:
+                                description: The formatter tag value to use, same
+                                  formatter as HTTP access logging (e.g.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                          header:
+                            description: RequestHeader adds the value of an header
+                              from the request to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the header from which to extract
+                                  the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          literal:
+                            description: Literal adds the same, hard-coded value to
+                              each span.
+                            properties:
+                              value:
+                                description: The tag value to use.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                        type: object
+                      description: Optional.
+                      type: object
+                    disableSpanReporting:
+                      description: Controls span reporting.
+                      nullable: true
+                      type: boolean
+                    enableIstioTags:
+                      description: Determines whether or not trace spans generated
+                        by Envoy will include Istio specific tags.
+                      nullable: true
+                      type: boolean
+                    match:
+                      description: Allows tailoring of behavior to specific conditions.
+                      properties:
+                        mode:
+                          description: |-
+                            This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload.
+
+                            Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    randomSamplingPercentage:
+                      description: Controls the rate at which traffic will be selected
+                        for tracing if no prior sampling decision has been made.
+                      format: double
+                      maximum: 100
+                      minimum: 0
+                      nullable: true
+                      type: number
+                    useRequestIdForTraceSampling:
+                      nullable: true
+                      type: boolean
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/config.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/config.go
new file mode 100644
index 0000000000..9c402b63c5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/config.go
@@ -0,0 +1,66 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"io/fs"
+	"strings"
+
+	"github.com/magiconair/properties"
+)
+
+var Config = OperatorConfig{}
+
+type OperatorConfig struct {
+	ImageDigests map[string]IstioImageConfig `properties:"images"`
+}
+
+type IstioImageConfig struct {
+	IstiodImage  string `properties:"istiod"`
+	ProxyImage   string `properties:"proxy"`
+	CNIImage     string `properties:"cni"`
+	ZTunnelImage string `properties:"ztunnel"`
+}
+
+type ReconcilerConfig struct {
+	ResourceFS              fs.FS
+	Platform                Platform
+	DefaultProfile          string
+	OperatorNamespace       string
+	MaxConcurrentReconciles int
+}
+
+func Read(configFile string) error {
+	p, err := properties.LoadFile(configFile, properties.UTF8)
+	if err != nil {
+		return err
+	}
+	// remove quotes
+	for _, key := range p.Keys() {
+		val, _ := p.Get(key)
+		_, _, _ = p.Set(key, strings.Trim(val, `"`))
+	}
+	err = p.Decode(&Config)
+	if err != nil {
+		return err
+	}
+	// replace "_" in versions with "." (e.g. v1_20_0 => v1.20.0)
+	newImageDigests := make(map[string]IstioImageConfig, len(Config.ImageDigests))
+	for k, v := range Config.ImageDigests {
+		newImageDigests[strings.Replace(k, "_", ".", -1)] = v
+	}
+	Config.ImageDigests = newImageDigests
+	return nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/platform.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/platform.go
new file mode 100644
index 0000000000..71bb233870
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/platform.go
@@ -0,0 +1,58 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+)
+
+type Platform string
+
+const (
+	PlatformUndefined  Platform = ""
+	PlatformOpenShift  Platform = "openshift"
+	PlatformKubernetes Platform = "kubernetes"
+)
+
+const (
+	openshiftKind            = "OpenShiftAPIServer"
+	openshiftResourceGroup   = "operator.openshift.io"
+	openshiftResourceVersion = "v1"
+)
+
+func DetectPlatform(cfg *rest.Config) (Platform, error) {
+	dc, err := discovery.NewDiscoveryClientForConfig(cfg)
+	if err != nil {
+		return "", fmt.Errorf("failed to create discoveryClient: %w", err)
+	}
+
+	resources, err := dc.ServerResourcesForGroupVersion(openshiftResourceGroup + "/" + openshiftResourceVersion)
+	if errors.IsNotFound(err) {
+		return PlatformKubernetes, nil
+	} else if err != nil {
+		return "", err
+	}
+
+	for _, apiResource := range resources.APIResources {
+		if apiResource.Kind == openshiftKind {
+			return PlatformOpenShift, nil
+		}
+	}
+	return PlatformKubernetes, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/constants/constants.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/constants/constants.go
new file mode 100644
index 0000000000..821880d4f7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/constants/constants.go
@@ -0,0 +1,100 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package constants
+
+const (
+	// MetadataNamespace is the namespace for service mesh metadata (labels, annotations)
+	MetadataNamespace = "sailoperator.io"
+
+	// CreatedByKey is used in annotations to mark ServiceMeshMemberRolls created by the ServiceMeshMember controller
+	CreatedByKey = MetadataNamespace + "/created-by"
+
+	// OwnerKey represents the mesh (namespace) to which the resource relates
+	OwnerKey = MetadataNamespace + "/owner"
+
+	// OwnerNameKey represents the name of the SMCP to which the resource relates
+	OwnerNameKey = MetadataNamespace + "/owner-name"
+
+	// MemberOfKey represents the mesh (namespace) to which the resource relates
+	MemberOfKey = MetadataNamespace + "/member-of"
+
+	// IgnoreNamespaceKey indicates that sidecar injection should be disabled for the namespace
+	IgnoreNamespaceKey = MetadataNamespace + "/ignore-namespace"
+
+	// GenerationKey represents the generation to which the resource was last reconciled
+	GenerationKey = MetadataNamespace + "/generation"
+
+	// MeshGenerationKey represents the generation of the service mesh to which the resource was last reconciled.
+	// This uniquely identifies an installation, incorporating the operator version and the smcp resource generation.
+	MeshGenerationKey = MetadataNamespace + "/mesh-generation"
+
+	// InternalKey is used to identify the resource as being internal to the mesh itself (i.e. should not be applied to members)
+	InternalKey = MetadataNamespace + "/internal"
+
+	// FinalizerName is the finalizer name the controllers add to any resources that need to be finalized during deletion
+	FinalizerName = MetadataNamespace + "/sail-operator"
+
+	// KubernetesAppNamespace is the common namespace for application information
+	KubernetesAppNamespace    = "app.kubernetes.io"
+	KubernetesAppNameKey      = KubernetesAppNamespace + "/name"
+	KubernetesAppInstanceKey  = KubernetesAppNamespace + "/instance"
+	KubernetesAppVersionKey   = KubernetesAppNamespace + "/version"
+	KubernetesAppComponentKey = KubernetesAppNamespace + "/component"
+	KubernetesAppPartOfKey    = KubernetesAppNamespace + "/part-of"
+	KubernetesAppManagedByKey = KubernetesAppNamespace + "/managed-by"
+
+	// KubernetesAppPartOfValue is the KubernetesAppPartOfKey label value the operator sets on all objects it creates
+	KubernetesAppPartOfValue = "istio"
+
+	// ManagedByLabelKey is the key for the kubernetes resource label indicating the resource is managed by the Sail operator
+	ManagedByLabelKey = "managed-by"
+
+	// ManagedByLabelValue is the ManagedByKey label value the operator sets on all objects it creates
+	ManagedByLabelValue = "sail-operator"
+
+	// WebhookReadinessProbeStatusAnnotationKey is an annotation on the istio-sidecar-injection MutatingWebhookConfiguration that
+	// reports whether the remote control plane is ready or not
+	WebhookReadinessProbeStatusAnnotationKey = MetadataNamespace + "/readinessProbe.status"
+
+	// WebhookReadinessProbeStatusReasonAnnotationKey is an annotation on the istio-sidecar-injection MutatingWebhookConfiguration that
+	// reports why the remote control plane is not ready
+	WebhookReadinessProbeStatusReasonAnnotationKey = MetadataNamespace + "/readinessProbe.reason"
+
+	// WebhookReadinessProbePeriodSecondsAnnotationKey is an annotation on the istio-sidecar-injection MutatingWebhookConfiguration that
+	// specifies the period for the readiness probe
+	WebhookReadinessProbePeriodSecondsAnnotationKey = MetadataNamespace + "/readinessProbe.periodSeconds"
+
+	// WebhookReadinessProbeTimeoutSecondsAnnotationKey is an annotation on the istio-sidecar-injection MutatingWebhookConfiguration that
+	// specifies the timeout for the readiness probe
+	WebhookReadinessProbeTimeoutSecondsAnnotationKey = MetadataNamespace + "/readinessProbe.timeoutSeconds"
+
+	// IstioInjectionLabel is the label that is used to configure injection for the 'default' IstioRevision
+	IstioInjectionLabel = "istio-injection"
+
+	// IstioInjectionEnabledValue is the value for IstioInjectionLabel
+	IstioInjectionEnabledValue = "enabled"
+
+	// IstioRevLabel is the label that is used to configure injection for non-default IstioRevisions
+	IstioRevLabel = "istio.io/rev"
+
+	// IstioSidecarInjectLabel is the label that is used to configure injection for specific workloads
+	IstioSidecarInjectLabel = "sidecar.istio.io/inject"
+
+	// IstiodChartName is the name of the chart that installs istiod
+	IstiodChartName = "istiod"
+
+	// BaseChartName is the name of the base chart
+	BaseChartName = "base"
+)
diff --git a/vendor/github.com/go-openapi/swag/net.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/env/env.go
similarity index 51%
rename from vendor/github.com/go-openapi/swag/net.go
rename to vendor/github.com/istio-ecosystem/sail-operator/pkg/env/env.go
index 821235f84d..2acf59c1af 100644
--- a/vendor/github.com/go-openapi/swag/net.go
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/env/env.go
@@ -1,10 +1,10 @@
-// Copyright 2015 go-swagger maintainers
+// Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//    http://www.apache.org/licenses/LICENSE-2.0
+//     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -12,27 +12,26 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package swag
+package env
 
 import (
-	"net"
+	"os"
 	"strconv"
 )
 
-// SplitHostPort splits a network address into a host and a port.
-// The port is -1 when there is no port to be found
-func SplitHostPort(addr string) (host string, port int, err error) {
-	h, p, err := net.SplitHostPort(addr)
-	if err != nil {
-		return "", -1, err
-	}
-	if p == "" {
-		return "", -1, &net.AddrError{Err: "missing port in address", Addr: addr}
+func Get(key, defaultValue string) string {
+	value := os.Getenv(key)
+	if value == "" {
+		return defaultValue
 	}
+	return value
+}
 
-	pi, err := strconv.Atoi(p)
+func GetBool(key string, defaultValue bool) bool {
+	value := Get(key, strconv.FormatBool(defaultValue))
+	boolValue, err := strconv.ParseBool(value)
 	if err != nil {
-		return "", -1, err
+		return defaultValue
 	}
-	return h, pi, nil
+	return boolValue
 }
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/chartmanager.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/chartmanager.go
new file mode 100644
index 0000000000..99d1a149db
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/chartmanager.go
@@ -0,0 +1,235 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package helm
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/fs"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/constants"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/storage/driver"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/rest"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+type ChartManager struct {
+	restClientGetter genericclioptions.RESTClientGetter
+	driver           string
+	managedByValue   string
+}
+
+// ChartManagerOption is a functional option for configuring a ChartManager.
+type ChartManagerOption func(*ChartManager)
+
+// WithManagedByValue overrides the value of the "managed-by" label that is
+// applied to every resource created by Helm install/upgrade. The default
+// value is constants.ManagedByLabelValue ("sail-operator").
+func WithManagedByValue(v string) ChartManagerOption {
+	return func(cm *ChartManager) {
+		cm.managedByValue = v
+	}
+}
+
+// NewChartManager creates a new Helm chart manager using cfg as the configuration
+// that Helm will use to connect to the cluster when installing or uninstalling
+// charts, and using the specified driver to store information about releases
+// (one of: memory, secret, configmap, sql, or "" (same as "secret")).
+func NewChartManager(cfg *rest.Config, driver string, opts ...ChartManagerOption) *ChartManager {
+	cm := &ChartManager{
+		restClientGetter: NewRESTClientGetter(cfg),
+		driver:           driver,
+		managedByValue:   constants.ManagedByLabelValue,
+	}
+	for _, o := range opts {
+		o(cm)
+	}
+	return cm
+}
+
+// newActionConfig Create a new Helm action config from in-cluster service account
+func (h *ChartManager) newActionConfig(ctx context.Context, namespace string) (*action.Configuration, error) {
+	logAdapter := func(format string, v ...any) {
+		log := logf.FromContext(ctx)
+		logv2 := log.V(2)
+		if logv2.Enabled() {
+			logv2.Info(fmt.Sprintf(format, v...))
+		}
+	}
+
+	actionConfig := new(action.Configuration)
+	err := actionConfig.Init(h.restClientGetter, namespace, h.driver, logAdapter)
+	return actionConfig, err
+}
+
+// UpgradeOrInstallChart upgrades a chart in cluster or installs it new if it does not already exist.
+// It loads the chart from an fs.FS (e.g., embed.FS or os.DirFS).
+func (h *ChartManager) UpgradeOrInstallChart(
+	ctx context.Context, resourceFS fs.FS, chartPath string, values Values,
+	namespace, releaseName string, ownerReference *metav1.OwnerReference,
+) (*release.Release, error) {
+	loadedChart, err := LoadChart(resourceFS, chartPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load chart from fs: %w", err)
+	}
+
+	return h.upgradeOrInstallChart(ctx, loadedChart, values, namespace, releaseName, ownerReference)
+}
+
+// upgradeOrInstallChart is the internal implementation that works with an already-loaded chart
+func (h *ChartManager) upgradeOrInstallChart(
+	ctx context.Context, chart *chart.Chart, values Values,
+	namespace, releaseName string, ownerReference *metav1.OwnerReference,
+) (*release.Release, error) {
+	log := logf.FromContext(ctx)
+
+	cfg, err := h.newActionConfig(ctx, namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	rel, err := getRelease(cfg, releaseName)
+	if err != nil {
+		return rel, err
+	}
+
+	releaseExists := rel != nil
+
+	// A helm release can be stuck in pending state when:
+	// - operator exit/crashes during helm install/upgrade/uninstall
+	// - lost connection to apiserver
+	// - helm release timeouts (context timeouts, cancellation)
+	// - etc
+	// let's try to brutally unlock it and then remediate later by either rollback or uninstall
+	if releaseExists && rel.Info.Status.IsPending() {
+		log.V(2).Info("Unlocking helm release", "status", rel.Info.Status, "release", releaseName)
+		rel.SetStatus(release.StatusFailed, fmt.Sprintf("Release unlocked from %q state", rel.Info.Status))
+
+		if err := cfg.Releases.Update(rel); err != nil {
+			return nil, fmt.Errorf("failed to unlock helm release %s: %w", releaseName, err)
+		}
+	}
+
+	switch {
+	case !releaseExists:
+		break
+	case rel.Info.Status == release.StatusDeployed:
+		break
+	case rel.Info.Status == release.StatusFailed && rel.Version > 1:
+		log.V(2).Info("Performing helm rollback", "release", releaseName)
+		if err := action.NewRollback(cfg).Run(releaseName); err != nil {
+			return nil, fmt.Errorf("failed to roll back helm release %s: %w", releaseName, err)
+		}
+	case rel.Info.Status == release.StatusUninstalling,
+		rel.Info.Status == release.StatusFailed && rel.Version <= 1:
+		log.V(2).Info("Performing helm uninstall", "release", releaseName, "status", rel.Info.Status)
+		if _, err := action.NewUninstall(cfg).Run(releaseName); err != nil {
+			return nil, fmt.Errorf("failed to uninstall failed helm release %s: %w", releaseName, err)
+		}
+		releaseExists = false
+	default:
+		return nil, fmt.Errorf("unexpected helm release status %s", rel.Info.Status)
+	}
+
+	if releaseExists {
+		log.V(2).Info("Performing helm upgrade", "chartName", chart.Name())
+
+		updateAction := action.NewUpgrade(cfg)
+		updateAction.PostRenderer = NewHelmPostRenderer(ownerReference, "", true, h.managedByValue)
+		updateAction.MaxHistory = 1
+		updateAction.SkipCRDs = true
+		updateAction.DisableOpenAPIValidation = true
+
+		rel, err = updateAction.RunWithContext(ctx, releaseName, chart, values)
+		if err != nil {
+			return nil, fmt.Errorf("failed to update helm chart %s: %w", chart.Name(), err)
+		}
+	} else {
+		log.V(2).Info("Performing helm install", "chartName", chart.Name())
+
+		installAction := action.NewInstall(cfg)
+		installAction.PostRenderer = NewHelmPostRenderer(ownerReference, "", false, h.managedByValue)
+		installAction.Namespace = namespace
+		installAction.ReleaseName = releaseName
+		installAction.SkipCRDs = true
+		installAction.DisableOpenAPIValidation = true
+
+		rel, err = installAction.RunWithContext(ctx, chart, values)
+		if err != nil {
+			return nil, fmt.Errorf("failed to install helm chart %s: %w", chart.Name(), err)
+		}
+	}
+	return rel, nil
+}
+
+// UninstallChart removes a chart from the cluster
+func (h *ChartManager) UninstallChart(ctx context.Context, releaseName, namespace string) (*release.UninstallReleaseResponse, error) {
+	cfg, err := h.newActionConfig(ctx, namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	if rel, err := getRelease(cfg, releaseName); err != nil {
+		return nil, err
+	} else if rel == nil {
+		// release does not exist; no need for uninstall
+		return &release.UninstallReleaseResponse{Info: "release not found"}, nil
+	}
+
+	return action.NewUninstall(cfg).Run(releaseName)
+}
+
+func getRelease(cfg *action.Configuration, releaseName string) (*release.Release, error) {
+	getAction := action.NewGet(cfg)
+	rel, err := getAction.Run(releaseName)
+	if err != nil && !errors.Is(err, driver.ErrReleaseNotFound) {
+		return nil, fmt.Errorf("failed to get helm release %s: %w", releaseName, err)
+	}
+	return rel, nil
+}
+
+func (h *ChartManager) GetRelease(ctx context.Context, namespace, releaseName string) (*release.Release, error) {
+	cfg, err := h.newActionConfig(ctx, namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	return getRelease(cfg, releaseName)
+}
+
+func (h *ChartManager) UpdateRelease(ctx context.Context, namespace string, rel *release.Release) error {
+	cfg, err := h.newActionConfig(ctx, namespace)
+	if err != nil {
+		return err
+	}
+	return cfg.Releases.Update(rel)
+}
+
+func (h *ChartManager) ListReleases(ctx context.Context) ([]*release.Release, error) {
+	cfg, err := h.newActionConfig(ctx, "")
+	if err != nil {
+		return nil, err
+	}
+
+	listAction := action.NewList(cfg)
+	listAction.AllNamespaces = true
+	return listAction.Run()
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/fsloader.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/fsloader.go
new file mode 100644
index 0000000000..b382e2cef4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/fsloader.go
@@ -0,0 +1,113 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package helm
+
+import (
+	"fmt"
+	"io/fs"
+	"strings"
+
+	"helm.sh/helm/v3/pkg/chart"
+	chartLoader "helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/engine"
+)
+
+// LoadChart loads a Helm chart from an fs.FS at the specified path.
+// This allows loading charts from embed.FS, os.DirFS, or any other fs.FS implementation.
+//
+// The chartPath should be the path to the chart directory within the filesystem,
+// e.g., "v1.28.2/charts/istiod".
+func LoadChart(resourceFS fs.FS, chartPath string) (*chart.Chart, error) {
+	var files []*chartLoader.BufferedFile
+
+	err := fs.WalkDir(resourceFS, chartPath, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Skip directories
+		if d.IsDir() {
+			return nil
+		}
+
+		data, err := fs.ReadFile(resourceFS, path)
+		if err != nil {
+			return fmt.Errorf("failed to read file %s: %w", path, err)
+		}
+
+		// Make path relative to chart root
+		// e.g., "v1.28.2/charts/istiod/Chart.yaml" -> "Chart.yaml"
+		relPath := strings.TrimPrefix(path, chartPath)
+		relPath = strings.TrimPrefix(relPath, "/")
+
+		files = append(files, &chartLoader.BufferedFile{
+			Name: relPath,
+			Data: data,
+		})
+		return nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to walk chart directory %s: %w", chartPath, err)
+	}
+
+	if len(files) == 0 {
+		return nil, fmt.Errorf("no files found in chart directory %s", chartPath)
+	}
+
+	loadedChart, err := chartLoader.LoadFiles(files)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load chart from files: %w", err)
+	}
+
+	return loadedChart, nil
+}
+
+// RenderChart renders a Helm chart's templates with the provided values.
+// This does not require cluster access - it's a pure template rendering operation.
+// Returns a map of template name to rendered content.
+func RenderChart(resourceFS fs.FS, chartPath string, values Values, namespace, releaseName string) (map[string]string, error) {
+	loadedChart, err := LoadChart(resourceFS, chartPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load chart: %w", err)
+	}
+
+	return RenderLoadedChart(loadedChart, values, namespace, releaseName)
+}
+
+// RenderLoadedChart renders an already-loaded chart's templates with the provided values.
+// Returns a map of template name to rendered content.
+func RenderLoadedChart(loadedChart *chart.Chart, values Values, namespace, releaseName string) (map[string]string, error) {
+	// Create release options for rendering
+	options := chartutil.ReleaseOptions{
+		Name:      releaseName,
+		Namespace: namespace,
+		IsInstall: true,
+	}
+
+	// Merge values with chart defaults
+	chartValues, err := chartutil.ToRenderValues(loadedChart, values, options, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create render values: %w", err)
+	}
+
+	// Render templates
+	rendered, err := engine.Render(loadedChart, chartValues)
+	if err != nil {
+		return nil, fmt.Errorf("failed to render chart templates: %w", err)
+	}
+
+	return rendered, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/postrenderer.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/postrenderer.go
new file mode 100644
index 0000000000..c74fe920ec
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/postrenderer.go
@@ -0,0 +1,182 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package helm
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/constants"
+	"gopkg.in/yaml.v3"
+	"helm.sh/helm/v3/pkg/postrender"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+const (
+	AnnotationPrimaryResource     = "operator-sdk/primary-resource"
+	AnnotationPrimaryResourceType = "operator-sdk/primary-resource-type"
+)
+
+// NewHelmPostRenderer creates a Helm PostRenderer that adds the following to each rendered manifest:
+// - adds the "managed-by" label with the given managedByValue
+// - adds the specified OwnerReference
+// It also removes the failurePolicy field from ValidatingWebhookConfigurations on updates, so
+// the in-cluster setting stays as-is, to prevent clashing with the istiod validation controller.
+func NewHelmPostRenderer(ownerReference *metav1.OwnerReference, ownerNamespace string, isUpdate bool, managedByValue string) postrender.PostRenderer {
+	return HelmPostRenderer{
+		ownerReference: ownerReference,
+		ownerNamespace: ownerNamespace,
+		isUpdate:       isUpdate,
+		managedByValue: managedByValue,
+	}
+}
+
+type HelmPostRenderer struct {
+	ownerReference *metav1.OwnerReference
+	ownerNamespace string
+	isUpdate       bool
+	managedByValue string
+}
+
+var _ postrender.PostRenderer = HelmPostRenderer{}
+
+func (pr HelmPostRenderer) Run(renderedManifests *bytes.Buffer) (modifiedManifests *bytes.Buffer, err error) {
+	modifiedManifests = &bytes.Buffer{}
+	encoder := yaml.NewEncoder(modifiedManifests)
+	encoder.SetIndent(2)
+	decoder := yaml.NewDecoder(renderedManifests)
+	for {
+		manifest := map[string]any{}
+
+		if err := decoder.Decode(&manifest); err != nil {
+			if err == io.EOF {
+				break
+			}
+			return nil, err
+		}
+
+		if manifest == nil {
+			continue
+		}
+
+		manifest, err = pr.addOwnerReference(manifest)
+		if err != nil {
+			return nil, err
+		}
+
+		manifest, err = pr.addManagedByLabel(manifest)
+		if err != nil {
+			return nil, err
+		}
+
+		// Strip ValidatingWebhookConfiguration webhooks[].failurePolicy field if we're upgrading,
+		// to avoid overwriting the value set in-cluster by the istiod validation controller. On
+		// initial install we still want to set the field per the Helm template.
+		if pr.isUpdate {
+			manifest, err = pr.removeValidatingWebhookFailurePolicy(manifest)
+			if err != nil {
+				return nil, fmt.Errorf("error removing ValidatingWebhookConfiguration failurePolicy: %v", err)
+			}
+		}
+
+		if err := encoder.Encode(manifest); err != nil {
+			return nil, err
+		}
+	}
+	return modifiedManifests, nil
+}
+
+func (pr HelmPostRenderer) removeValidatingWebhookFailurePolicy(manifest map[string]any) (map[string]any, error) {
+	apiVersion, _, _ := unstructured.NestedString(manifest, "apiVersion")
+	if apiVersion != admissionregistrationv1.SchemeGroupVersion.String() {
+		return manifest, nil
+	}
+	kind, _, _ := unstructured.NestedString(manifest, "kind")
+	if kind != "ValidatingWebhookConfiguration" {
+		return manifest, nil
+	}
+
+	webhooksAny, found, err := unstructured.NestedFieldNoCopy(manifest, "webhooks")
+	if err != nil {
+		return nil, err
+	}
+	if !found {
+		return manifest, nil
+	}
+
+	webhooks, ok := webhooksAny.([]interface{})
+	if !ok {
+		return nil, fmt.Errorf("expected webhooks to be []interface{}, got %T", webhooksAny)
+	}
+
+	for _, webhookAny := range webhooks {
+		webhook, ok := webhookAny.(map[string]any)
+		if !ok {
+			return nil, fmt.Errorf("expected webhook to be map[string]interface{}, got %T", webhookAny)
+		}
+
+		delete(webhook, "failurePolicy")
+	}
+
+	return manifest, nil
+}
+
+func (pr HelmPostRenderer) addOwnerReference(manifest map[string]any) (map[string]any, error) {
+	if pr.ownerReference == nil {
+		return manifest, nil
+	}
+
+	objNamespace, objHasNamespace, err := unstructured.NestedFieldNoCopy(manifest, "metadata", "namespace")
+	if err != nil {
+		return nil, err
+	}
+	if pr.ownerNamespace == "" || objHasNamespace && objNamespace == pr.ownerNamespace {
+		ownerReferences, _, err := unstructured.NestedSlice(manifest, "metadata", "ownerReferences")
+		if err != nil {
+			return nil, err
+		}
+
+		ref, err := runtime.DefaultUnstructuredConverter.ToUnstructured(pr.ownerReference)
+		if err != nil {
+			return nil, err
+		}
+		ownerReferences = append(ownerReferences, ref)
+
+		if err := unstructured.SetNestedSlice(manifest, ownerReferences, "metadata", "ownerReferences"); err != nil {
+			return nil, err
+		}
+	} else {
+		ownerAPIGroup, _, _ := strings.Cut(pr.ownerReference.APIVersion, "/")
+		ownerType := pr.ownerReference.Kind + "." + ownerAPIGroup
+		ownerKey := pr.ownerNamespace + "/" + pr.ownerReference.Name
+		if err := unstructured.SetNestedField(manifest, ownerType, "metadata", "annotations", AnnotationPrimaryResourceType); err != nil {
+			return nil, err
+		}
+		if err := unstructured.SetNestedField(manifest, ownerKey, "metadata", "annotations", AnnotationPrimaryResource); err != nil {
+			return nil, err
+		}
+	}
+	return manifest, nil
+}
+
+func (pr HelmPostRenderer) addManagedByLabel(manifest map[string]any) (map[string]any, error) {
+	err := unstructured.SetNestedField(manifest, pr.managedByValue, "metadata", "labels", constants.ManagedByLabelKey)
+	return manifest, err
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/restclientgetter.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/restclientgetter.go
new file mode 100644
index 0000000000..0b9e906c6c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/restclientgetter.go
@@ -0,0 +1,78 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package helm
+
+import (
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/discovery/cached/memory"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// restClientGetter is required by helm to instantiate ActionConfig
+type restClientGetter struct {
+	config          *rest.Config
+	discoveryClient discovery.CachedDiscoveryInterface
+	restMapper      meta.RESTMapper
+}
+
+func NewRESTClientGetter(config *rest.Config) genericclioptions.RESTClientGetter {
+	return &restClientGetter{
+		config: config,
+	}
+}
+
+func (c *restClientGetter) ToRESTConfig() (*rest.Config, error) {
+	return c.config, nil
+}
+
+func (c *restClientGetter) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	if c.discoveryClient == nil {
+		oldBurst := c.config.Burst
+		// use the default (high) burst for discovery
+		c.config.Burst = 0
+		// write back the old burst value after it has been copied for discovery client creation
+		defer func() { c.config.Burst = oldBurst }()
+
+		discoveryClient, _ := discovery.NewDiscoveryClientForConfig(c.config)
+		c.discoveryClient = memory.NewMemCacheClient(discoveryClient)
+	}
+	return c.discoveryClient, nil
+}
+
+func (c *restClientGetter) ToRESTMapper() (meta.RESTMapper, error) {
+	if c.restMapper == nil {
+		// we know err is always nil
+		discoveryClient, _ := c.ToDiscoveryClient()
+
+		mapper := restmapper.NewDeferredDiscoveryRESTMapper(discoveryClient)
+		c.restMapper = restmapper.NewShortcutExpander(mapper, discoveryClient, nil)
+	}
+	return c.restMapper, nil
+}
+
+func (c *restClientGetter) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+	// use the standard defaults for this client command
+	// DEPRECATED: remove and replace with something more accurate
+	loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig
+
+	overrides := &clientcmd.ConfigOverrides{ClusterDefaults: clientcmd.ClusterDefaults}
+
+	return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, overrides)
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/values.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/values.go
new file mode 100644
index 0000000000..6467a33ab8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/values.go
@@ -0,0 +1,92 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package helm
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+type Values map[string]any
+
+// GetBool returns the bool value of a nested field.
+// Returns false if value is not found and an error if not a bool.
+func (h *Values) GetBool(key string) (bool, bool, error) {
+	return unstructured.NestedBool(*h, toKeys(key)...)
+}
+
+// GetString returns the string value of a nested field.
+// Returns false if value is not found and an error if not a string.
+func (h *Values) GetString(key string) (string, bool, error) {
+	return unstructured.NestedString(*h, toKeys(key)...)
+}
+
+// Set sets the value of a nested field to a deep copy of the value provided.
+// Returns an error if value cannot be set because one of the nesting levels is not a map[string]any.
+func (h *Values) Set(key string, val any) error {
+	return unstructured.SetNestedField(*h, val, toKeys(key)...)
+}
+
+// Set sets the value of a nested string slice to the value provided.
+// Returns an error if value cannot be set because one of the nesting levels is not a map[string]any.
+func (h *Values) SetStringSlice(key string, val []string) error {
+	return unstructured.SetNestedStringSlice(*h, val, toKeys(key)...)
+}
+
+// SetIfAbsent sets the value of a nested field to a deep copy of the value
+// provided if the field does not exist.
+func (h *Values) SetIfAbsent(key string, val any) error {
+	if _, found, err := unstructured.NestedFieldNoCopy(*h, toKeys(key)...); err != nil {
+		return fmt.Errorf("failed to get value %s: %w", key, err)
+	} else if !found {
+		if err := h.Set(key, val); err != nil {
+			return fmt.Errorf("failed to set value %s: %w", key, err)
+		}
+	}
+	return nil
+}
+
+func toKeys(key string) []string {
+	return strings.Split(key, ".")
+}
+
+func FromValues(values any) Values {
+	var obj Values
+	data, err := json.Marshal(values)
+	if err != nil {
+		panic(err)
+	}
+	if err = json.Unmarshal(data, &obj); err != nil {
+		panic(err)
+	}
+	return obj
+}
+
+func ToValues[V any](helmValues Values, values V) (V, error) {
+	data, err := json.Marshal(helmValues)
+	if err != nil {
+		return values, fmt.Errorf("failed to marshal Values struct: %w", err)
+	}
+
+	decoder := json.NewDecoder(strings.NewReader(string(data)))
+	err = decoder.Decode(&values)
+	if err != nil {
+		return values, fmt.Errorf("failed to unmarshal into Values struct: %w:\n%v", err, string(data))
+	}
+	return values, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/USAGE.md b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/USAGE.md
new file mode 100644
index 0000000000..eea39b0c75
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/USAGE.md
@@ -0,0 +1,341 @@
+# Install Library - CIO Usage Example
+
+This document shows how the Cluster Ingress Operator (CIO) would wire the install library into its main and GatewayClass controller.
+
+## Architecture
+
+```
+┌──────────────────────────────────────────────────────────────�
+│  main.go                                                     │
+│                                                              │
+│  1. Create install.Library                                   │
+│  2. Start it (returns notifyCh)                              │
+│  3. Pass Library + notifyCh to GatewayClassReconciler        │
+│  4. Register notifyCh as source.Channel on the controller    │
+│  5. Start manager                                            │
+└──────────────────────────────────────────────────────────────┘
+         │ Apply(opts)                   ▲ notifyCh signal
+         ▼                               │
+┌──────────────────────────────────────────────────────────────�
+│  install.Library (internal goroutines)                       │
+│                                                              │
+│  - Classifies + installs/updates CRDs                        │
+│  - Installs istiod via Helm                                  │
+│  - Watches Helm resources for drift                          │
+│  - Watches CRDs for ownership changes                        │
+│  - Sends signal on notifyCh after each reconciliation        │
+└──────────────────────────────────────────────────────────────┘
+         │ Status()                      ▲ drift / CRD event
+         ▼                               │
+┌──────────────────────────────────────────────────────────────�
+│  GatewayClassReconciler.Reconcile()                          │
+│                                                              │
+│  1. Get GatewayClass                                         │
+│  2. Build values, call lib.Apply(opts)                       │
+│  3. Read lib.Status()                                        │
+│  4. Map status → GatewayClass conditions                     │
+│  5. Update GatewayClass status                               │
+└──────────────────────────────────────────────────────────────┘
+```
+
+## main.go
+
+```go
+package main
+
+import (
+	"os"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/install"
+	"github.com/istio-ecosystem/sail-operator/resources"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+func main() {
+	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{})
+	if err != nil {
+		os.Exit(1)
+	}
+
+	// 1. Create the install library.
+	//    resources.FS contains the embedded Helm charts, profiles, and CRDs.
+	lib, err := install.New(mgr.GetConfig(), resources.FS)
+	if err != nil {
+		os.Exit(1)
+	}
+
+	// 2. Start the library. This returns a notification channel that fires
+	//    every time the library finishes a reconciliation (install, drift
+	//    repair, CRD ownership change).
+	//    The library sits idle until the first Apply() call.
+	ctx := ctrl.SetupSignalHandler()
+	notifyCh := lib.Start(ctx)
+
+	// 3. Create the GatewayClass controller with the library injected.
+	reconciler := &GatewayClassReconciler{
+		Client: mgr.GetClient(),
+		Lib:    lib,
+	}
+
+	// 4. Register the controller. The source.Channel watch triggers a
+	//    reconcile whenever the library signals that something changed
+	//    (drift repaired, CRD ownership changed, install completed).
+	err = ctrl.NewControllerManagedBy(mgr).
+		For(&gwapiv1.GatewayClass{}).
+		WatchesRawSource(
+			source.Channel(notifyCh, &handler.EnqueueRequestForObject{}),
+		).
+		Complete(reconciler)
+	if err != nil {
+		os.Exit(1)
+	}
+
+	// 5. Start the manager. This blocks until ctx is cancelled.
+	if err := mgr.Start(ctx); err != nil {
+		os.Exit(1)
+	}
+}
+```
+
+> **Note on `source.Channel`**: The channel emits a `struct{}`, not a specific object key. You may need a custom `handler.EventHandler` that enqueues a fixed key (e.g. the GatewayClass name) instead of `EnqueueRequestForObject`. See the handler section below.
+
+## GatewayClass Controller
+
+```go
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/install"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+const (
+	controllerName   = "openshift.io/ingress-controller"
+	gatewayClassName = "openshift-default"
+)
+
+// GatewayClassReconciler reconciles GatewayClass objects and drives
+// the install library to manage istiod.
+type GatewayClassReconciler struct {
+	client.Client
+	Lib *install.Library
+}
+
+func (r *GatewayClassReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := ctrl.LoggerFrom(ctx)
+
+	// 1. Get the GatewayClass.
+	gc := &gwapiv1.GatewayClass{}
+	if err := r.Get(ctx, req.NamespacedName, gc); err != nil {
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	// Only handle our GatewayClass.
+	if string(gc.Spec.ControllerName) != controllerName {
+		return ctrl.Result{}, nil
+	}
+
+	// 2. Build values and call Apply.
+	//    Apply is idempotent — if nothing changed, it's a no-op.
+	values := install.GatewayAPIDefaults()
+	values.Pilot.Env["PILOT_GATEWAY_API_CONTROLLER_NAME"] = controllerName
+	values.Pilot.Env["PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME"] = gatewayClassName
+
+	r.Lib.Apply(install.Options{
+		Namespace: "openshift-ingress",
+		Values:    values,
+	})
+
+	// 3. Read the latest status from the library.
+	status := r.Lib.Status()
+
+	// 4. Map library status to GatewayClass conditions.
+	conditions := mapStatusToConditions(status, gc.Generation)
+
+	// 5. Update GatewayClass status.
+	gc.Status.Conditions = conditions
+	if err := r.Status().Update(ctx, gc); err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to update GatewayClass status: %w", err)
+	}
+
+	log.Info("reconciled",
+		"installed", status.Installed,
+		"version", status.Version,
+		"crdState", status.CRDState,
+	)
+	return ctrl.Result{}, nil
+}
+
+// mapStatusToConditions translates the library Status into GatewayClass conditions.
+func mapStatusToConditions(status install.Status, generation int64) []metav1.Condition {
+	var conditions []metav1.Condition
+
+	// Accepted condition: true if istiod is installed.
+	accepted := metav1.Condition{
+		Type:               string(gwapiv1.GatewayClassConditionStatusAccepted),
+		ObservedGeneration: generation,
+		LastTransitionTime: metav1.Now(),
+	}
+	if status.Installed {
+		accepted.Status = metav1.ConditionTrue
+		accepted.Reason = "Installed"
+		accepted.Message = fmt.Sprintf("istiod %s installed", status.Version)
+	} else if status.Error != nil {
+		accepted.Status = metav1.ConditionFalse
+		accepted.Reason = "InstallFailed"
+		accepted.Message = status.Error.Error()
+	} else {
+		accepted.Status = metav1.ConditionUnknown
+		accepted.Reason = "Pending"
+		accepted.Message = "waiting for first reconciliation"
+	}
+	conditions = append(conditions, accepted)
+
+	// CRD condition: reflects CRD ownership state.
+	crd := metav1.Condition{
+		Type:               "CRDsReady",
+		ObservedGeneration: generation,
+		LastTransitionTime: metav1.Now(),
+	}
+	switch status.CRDState {
+	case install.CRDManagedByCIO:
+		crd.Status = metav1.ConditionTrue
+		crd.Reason = "ManagedByCIO"
+		crd.Message = status.CRDMessage
+	case install.CRDManagedByOLM:
+		crd.Status = metav1.ConditionTrue
+		crd.Reason = "ManagedByOLM"
+		crd.Message = status.CRDMessage
+	case install.CRDNoneExist:
+		crd.Status = metav1.ConditionUnknown
+		crd.Reason = "NoneExist"
+		crd.Message = "CRDs not yet installed"
+	case install.CRDMixedOwnership:
+		crd.Status = metav1.ConditionFalse
+		crd.Reason = "MixedOwnership"
+		crd.Message = status.CRDMessage
+	case install.CRDUnknownManagement:
+		crd.Status = metav1.ConditionFalse
+		crd.Reason = "UnknownManagement"
+		crd.Message = status.CRDMessage
+	}
+	conditions = append(conditions, crd)
+
+	return conditions
+}
+```
+
+## Custom Event Handler for source.Channel
+
+Since `source.Channel` receives `struct{}` (not a Kubernetes event), you need a handler that maps it to the right reconcile request:
+
+```go
+package main
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/workqueue"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+// enqueueGatewayClass returns an event handler that always enqueues
+// a reconcile request for the fixed GatewayClass name.
+type enqueueGatewayClass struct {
+	Name string
+}
+
+func (e *enqueueGatewayClass) Generic(_ context.Context, _ event.GenericEvent, q workqueue.RateLimitingInterface) {
+	q.Add(reconcile.Request{
+		NamespacedName: types.NamespacedName{Name: e.Name},
+	})
+}
+
+// Create, Update, Delete are unused — source.Channel only emits Generic events.
+func (e *enqueueGatewayClass) Create(context.Context, event.CreateEvent, workqueue.RateLimitingInterface)   {}
+func (e *enqueueGatewayClass) Update(context.Context, event.UpdateEvent, workqueue.RateLimitingInterface)   {}
+func (e *enqueueGatewayClass) Delete(context.Context, event.DeleteEvent, workqueue.RateLimitingInterface)   {}
+```
+
+Then in main:
+
+```go
+	err = ctrl.NewControllerManagedBy(mgr).
+		For(&gwapiv1.GatewayClass{}).
+		WatchesRawSource(
+			source.Channel(notifyCh, &enqueueGatewayClass{Name: gatewayClassName}),
+		).
+		Complete(reconciler)
+```
+
+## Sequence: What Happens When
+
+### Initial startup (no CRDs, no istiod)
+
+1. Manager starts, controller watches GatewayClass
+2. GatewayClass is created by admin or platform
+3. Controller reconciles: calls `lib.Apply(opts)`
+4. Library wakes up, classifies CRDs (none exist) → installs CRDs with CIO labels
+5. Library installs istiod via Helm
+6. Library sends signal on `notifyCh`
+7. Controller reconciles again: reads `lib.Status()` → sets Accepted=True, CRDsReady=True
+
+### OSSM installed later (CRD ownership conflict)
+
+1. Admin installs OSSM via OLM
+2. OLM updates CRDs, adds `olm.managed=true` label
+3. Library's CRD informer detects label change → re-reconciles
+4. Library classifies CRDs → `MixedOwnership` (some CIO, some OLM)
+5. Library skips CRD install/update, sets `Status.Error`
+6. Library sends signal on `notifyCh`
+7. Controller reconciles: reads status → sets CRDsReady=False, reason=MixedOwnership
+
+### Drift detected (someone deletes a ConfigMap)
+
+1. Someone deletes `istio` ConfigMap in the target namespace
+2. Library's Helm resource informer detects the delete event
+3. Library re-reconciles: Helm reinstalls the ConfigMap
+4. Library sends signal on `notifyCh`
+5. Controller reconciles: reads status → still Accepted=True (everything healthy)
+
+### No-op Apply (same values)
+
+1. Controller reconciles for some other reason (e.g. GatewayClass spec unchanged)
+2. Calls `lib.Apply(opts)` with identical options
+3. Library detects no change via `optionsEqual()` → does nothing
+4. No `notifyCh` signal, no unnecessary Helm work
+
+### External state change (e.g. OLM Subscription deleted)
+
+1. OLM Subscription managing Istio CRDs is deleted
+2. Controller detects the Subscription change (via its own watch)
+3. Calls `lib.Enqueue()` to force CRD re-classification
+4. Library re-reconciles with the previously applied options, re-classifying CRD ownership
+5. Library sends signal on `notifyCh`
+6. Controller reconciles: reads status → CRD state may have changed (e.g. takeover now possible)
+
+Use `Enqueue()` instead of `Apply()` when the Options haven't changed but external cluster state
+(CRD ownership, Subscription lifecycle, etc.) has. `Apply()` with identical options is a no-op,
+so it won't trigger re-evaluation. `Enqueue()` bypasses that check.
+
+## RBAC
+
+The library needs cluster-wide permissions. Aggregate them into your ClusterRole:
+
+```go
+rules := append(myOperatorRules, install.LibraryRBACRules()...)
+```
+
+Or in YAML, merge the rules from `install.LibraryRBACRules()` into your operator's ClusterRole manifest.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds.go
new file mode 100644
index 0000000000..052e83b3b6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds.go
@@ -0,0 +1,415 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"context"
+	"fmt"
+	"io/fs"
+	"strings"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/chart/crds"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
+)
+
+// OverwriteOLMManagedCRDFunc is called when a CRD is detected with OLM ownership
+// labels. The CRD object is provided so the callback can inspect OLM
+// annotations/labels to determine whether the owning subscription still exists.
+// Return true to overwrite the CRD (take ownership), false to leave it alone.
+type OverwriteOLMManagedCRDFunc func(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition) bool
+
+// CRD ownership labels and annotations.
+const (
+	// labelManagedByCIO indicates the CRD is managed by the Cluster Ingress Operator.
+	labelManagedByCIO = "ingress.operator.openshift.io/owned"
+
+	// labelOLMManaged indicates the CRD is managed by OLM (OSSM subscription).
+	labelOLMManaged = "olm.managed"
+
+	// annotationHelmKeep prevents Helm from deleting the CRD during uninstall.
+	annotationHelmKeep = "helm.sh/resource-policy"
+)
+
+// CRDManagementState represents the aggregate ownership state of Istio CRDs on the cluster.
+type CRDManagementState string
+
+const (
+	// CRDManagedByCIO means all target CRDs are owned by the Cluster Ingress Operator.
+	// CRDs will be installed or updated.
+	CRDManagedByCIO CRDManagementState = "ManagedByCIO"
+
+	// CRDManagedByOLM means all target CRDs are owned by an OSSM subscription via OLM.
+	// CRDs are left alone; Helm install still proceeds.
+	CRDManagedByOLM CRDManagementState = "ManagedByOLM"
+
+	// CRDUnknownManagement means one or more CRDs exist but are not owned by CIO or OLM.
+	// CRDs are left alone; Helm install still proceeds; Status.Error is set.
+	CRDUnknownManagement CRDManagementState = "UnknownManagement"
+
+	// CRDMixedOwnership means CRDs have inconsistent ownership (some CIO, some OLM, some unknown, or some missing).
+	// CRDs are left alone; Helm install still proceeds; Status.Error is set.
+	CRDMixedOwnership CRDManagementState = "MixedOwnership"
+
+	// CRDNoneExist means no target CRDs exist on the cluster yet.
+	// CRDs will be installed with CIO ownership labels.
+	CRDNoneExist CRDManagementState = "NoneExist"
+)
+
+// CRDInfo describes the state of a single CRD on the cluster.
+type CRDInfo struct {
+	// Name is the CRD name, e.g. "wasmplugins.extensions.istio.io"
+	Name string
+
+	// State is the ownership state of this specific CRD.
+	// Only meaningful when Found is true.
+	State CRDManagementState
+
+	// Found indicates whether this CRD exists on the cluster.
+	Found bool
+}
+
+// crdResult bundles the outcome of CRD reconciliation.
+type crdResult struct {
+	// State is the aggregate ownership state of the target Istio CRDs.
+	State CRDManagementState
+
+	// CRDs contains per-CRD detail (name, ownership, found on cluster).
+	CRDs []CRDInfo
+
+	// Message is a human-readable description of the CRD state.
+	Message string
+
+	// Error is non-nil if CRD management encountered a problem.
+	Error error
+}
+
+// crdManager encapsulates all CRD classification, installation, and update logic.
+// It provides a single entry point (Reconcile) and keeps a client dependency
+// that can be swapped out in tests.
+type crdManager struct {
+	cl client.Client
+}
+
+// newCRDManager creates a crdManager with the given Kubernetes client.
+func newCRDManager(cl client.Client) *crdManager {
+	return &crdManager{cl: cl}
+}
+
+// classifyCRD checks a single CRD on the cluster and returns its ownership state.
+// If overwriteOLM is non-nil and the CRD has OLM labels, it is called to decide
+// whether to reclassify the CRD as CIO-managed (allowing adoption).
+func (m *crdManager) classifyCRD(ctx context.Context, crdName string, overwriteOLM OverwriteOLMManagedCRDFunc) CRDInfo {
+	existing := &apiextensionsv1.CustomResourceDefinition{}
+	err := m.cl.Get(ctx, client.ObjectKey{Name: crdName}, existing)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return CRDInfo{Name: crdName, Found: false}
+		}
+		// Treat API errors as unknown management (we can't determine ownership)
+		return CRDInfo{Name: crdName, Found: true, State: CRDUnknownManagement}
+	}
+
+	labels := existing.GetLabels()
+
+	// Check CIO ownership
+	if _, ok := labels[labelManagedByCIO]; ok {
+		return CRDInfo{Name: crdName, Found: true, State: CRDManagedByCIO}
+	}
+
+	// Check OLM ownership
+	if val, ok := labels[labelOLMManaged]; ok && val == "true" {
+		if overwriteOLM != nil && overwriteOLM(ctx, existing) {
+			return CRDInfo{Name: crdName, Found: true, State: CRDManagedByCIO}
+		}
+		return CRDInfo{Name: crdName, Found: true, State: CRDManagedByOLM}
+	}
+
+	// No recognized ownership labels
+	return CRDInfo{Name: crdName, Found: true, State: CRDUnknownManagement}
+}
+
+// classifyCRDs checks all target CRDs on the cluster and returns the aggregate state.
+func (m *crdManager) classifyCRDs(ctx context.Context, targets []string, overwriteOLM OverwriteOLMManagedCRDFunc) (CRDManagementState, []CRDInfo) {
+	if len(targets) == 0 {
+		return CRDNoneExist, nil
+	}
+
+	infos := make([]CRDInfo, len(targets))
+	for i, target := range targets {
+		infos[i] = m.classifyCRD(ctx, target, overwriteOLM)
+	}
+
+	return aggregateCRDState(infos), infos
+}
+
+// aggregateCRDState derives the batch state from individual CRD states.
+//
+// Rules:
+//   - All not found → CRDNoneExist
+//   - All found are CIO or unknown (no OLM), with at least one CIO → CRDManagedByCIO
+//     (unknown = label drift, missing = deleted; both get fixed by updateCRDs)
+//   - All found OLM, all present → CRDManagedByOLM
+//   - Pure unknown (no CIO, no OLM) → CRDUnknownManagement
+//   - Any mix involving OLM → CRDMixedOwnership
+func aggregateCRDState(infos []CRDInfo) CRDManagementState {
+	if len(infos) == 0 {
+		return CRDNoneExist
+	}
+
+	var foundCount, cioCount, olmCount, unknownCount int
+	for _, info := range infos {
+		if !info.Found {
+			continue
+		}
+		foundCount++
+		switch info.State {
+		case CRDManagedByCIO:
+			cioCount++
+		case CRDManagedByOLM:
+			olmCount++
+		default:
+			unknownCount++
+		}
+	}
+
+	total := len(infos)
+
+	// None exist on cluster
+	if foundCount == 0 {
+		return CRDNoneExist
+	}
+
+	// All found are CIO-owned (possibly with some missing or some that lost labels).
+	// No OLM involvement means we can safely reclaim unknowns and reinstall missing.
+	if cioCount > 0 && olmCount == 0 {
+		return CRDManagedByCIO
+	}
+
+	// All found and all OLM — only if none are missing
+	if foundCount == total && olmCount == total {
+		return CRDManagedByOLM
+	}
+
+	// Pure unknown — no CIO, no OLM labels on any found CRD
+	if unknownCount > 0 && cioCount == 0 && olmCount == 0 {
+		return CRDUnknownManagement
+	}
+
+	// Anything else is mixed: CIO+OLM, OLM with missing, etc.
+	return CRDMixedOwnership
+}
+
+// Reconcile classifies target CRDs and installs/updates them if we own them (or none exist).
+// This is the single entry point for CRD management.
+func (m *crdManager) Reconcile(ctx context.Context, values *v1.Values, includeAllCRDs bool, overwriteOLM OverwriteOLMManagedCRDFunc) crdResult {
+	targets, err := targetCRDsFromValues(values, includeAllCRDs)
+	if err != nil {
+		return crdResult{State: CRDNoneExist, Error: fmt.Errorf("failed to determine target CRDs: %w", err)}
+	}
+	if len(targets) == 0 {
+		return crdResult{State: CRDNoneExist, Message: "no target CRDs configured"}
+	}
+
+	state, infos := m.classifyCRDs(ctx, targets, overwriteOLM)
+
+	switch state {
+	case CRDNoneExist:
+		// Install all with CIO labels
+		if err := m.installCRDs(ctx, targets); err != nil {
+			return crdResult{State: state, CRDs: infos, Error: fmt.Errorf("failed to install CRDs: %w", err)}
+		}
+		// Update infos to reflect new state
+		for idx := range infos {
+			infos[idx].Found = true
+			infos[idx].State = CRDManagedByCIO
+		}
+		return crdResult{State: CRDManagedByCIO, CRDs: infos, Message: "CRDs installed by CIO"}
+
+	case CRDManagedByCIO:
+		// Update existing, reinstall missing, re-label unknowns
+		missing := missingCRDNames(infos)
+		unlabeled := unlabeledCRDNames(infos)
+		if err := m.updateCRDs(ctx, targets); err != nil {
+			return crdResult{State: state, CRDs: infos, Error: fmt.Errorf("failed to update CRDs: %w", err)}
+		}
+		// Update infos for any previously-missing or unlabeled CRDs
+		for idx := range infos {
+			if !infos[idx].Found || infos[idx].State == CRDUnknownManagement {
+				infos[idx].Found = true
+				infos[idx].State = CRDManagedByCIO
+			}
+		}
+		msg := "CRDs updated by CIO"
+		if len(missing) > 0 {
+			msg = fmt.Sprintf("CRDs updated by CIO; reinstalled: %s", strings.Join(missing, ", "))
+		}
+		if len(unlabeled) > 0 {
+			msg += fmt.Sprintf("; reclaimed: %s", strings.Join(unlabeled, ", "))
+		}
+		return crdResult{State: CRDManagedByCIO, CRDs: infos, Message: msg}
+
+	case CRDManagedByOLM:
+		return crdResult{State: CRDManagedByOLM, CRDs: infos, Message: "CRDs managed by OSSM subscription via OLM"}
+
+	case CRDUnknownManagement:
+		missing := missingCRDNames(infos)
+		msg := "CRDs exist with unknown management"
+		if len(missing) > 0 {
+			msg += fmt.Sprintf("; missing from other owner: %s", strings.Join(missing, ", "))
+		}
+		return crdResult{State: CRDUnknownManagement, CRDs: infos, Message: msg,
+			Error: fmt.Errorf("Istio CRDs are managed by an unknown party")}
+
+	case CRDMixedOwnership:
+		missing := missingCRDNames(infos)
+		msg := "CRDs have mixed ownership"
+		if len(missing) > 0 {
+			msg += fmt.Sprintf("; missing: %s", strings.Join(missing, ", "))
+		}
+		return crdResult{State: CRDMixedOwnership, CRDs: infos, Message: msg,
+			Error: fmt.Errorf("Istio CRDs have mixed ownership (CIO/OLM/other)")}
+
+	default:
+		return crdResult{State: state, CRDs: infos}
+	}
+}
+
+// WatchTargets computes the set of CRD names that should be watched for changes.
+// Returns nil if the target set cannot be determined.
+func (m *crdManager) WatchTargets(values *v1.Values, includeAllCRDs bool) map[string]struct{} {
+	var targets []string
+	var err error
+
+	if includeAllCRDs {
+		targets, err = allIstioCRDs()
+	} else if values != nil && values.Pilot != nil && values.Pilot.Env != nil {
+		targets, err = targetCRDsFromValues(values, false)
+	}
+
+	if err != nil || len(targets) == 0 {
+		return nil
+	}
+
+	names := make(map[string]struct{}, len(targets))
+	for _, name := range targets {
+		names[name] = struct{}{}
+	}
+	return names
+}
+
+// missingCRDNames returns the names of CRDs that were not found on the cluster.
+func missingCRDNames(infos []CRDInfo) []string {
+	var missing []string
+	for _, info := range infos {
+		if !info.Found {
+			missing = append(missing, info.Name)
+		}
+	}
+	return missing
+}
+
+// unlabeledCRDNames returns names of CRDs that exist but have unknown management (no CIO/OLM labels).
+func unlabeledCRDNames(infos []CRDInfo) []string {
+	var names []string
+	for _, info := range infos {
+		if info.Found && info.State == CRDUnknownManagement {
+			names = append(names, info.Name)
+		}
+	}
+	return names
+}
+
+// installCRDs installs all target CRDs with CIO ownership labels and Helm keep annotation.
+func (m *crdManager) installCRDs(ctx context.Context, targets []string) error {
+	for _, resource := range targets {
+		crd, err := loadCRD(resource)
+		if err != nil {
+			return err
+		}
+		applyCIOLabels(crd)
+		if err := m.cl.Create(ctx, crd); err != nil {
+			return fmt.Errorf("failed to create CRD %s: %w", crd.Name, err)
+		}
+	}
+	return nil
+}
+
+// updateCRDs updates existing CIO-owned CRDs and creates any missing ones.
+func (m *crdManager) updateCRDs(ctx context.Context, targets []string) error {
+	for _, resource := range targets {
+		crd, err := loadCRD(resource)
+		if err != nil {
+			return err
+		}
+		applyCIOLabels(crd)
+
+		existing := &apiextensionsv1.CustomResourceDefinition{}
+		if err := m.cl.Get(ctx, client.ObjectKey{Name: crd.Name}, existing); err != nil {
+			if apierrors.IsNotFound(err) {
+				// CRD was deleted — reinstall it
+				if err := m.cl.Create(ctx, crd); err != nil {
+					return fmt.Errorf("failed to create CRD %s: %w", crd.Name, err)
+				}
+				continue
+			}
+			return fmt.Errorf("failed to get existing CRD %s: %w", crd.Name, err)
+		}
+		crd.ResourceVersion = existing.ResourceVersion
+		if err := m.cl.Update(ctx, crd); err != nil {
+			return fmt.Errorf("failed to update CRD %s: %w", crd.Name, err)
+		}
+	}
+	return nil
+}
+
+// loadCRD reads and unmarshals a CRD from the embedded filesystem.
+func loadCRD(resource string) (*apiextensionsv1.CustomResourceDefinition, error) {
+	filename := resourceToCRDFilename(resource)
+	if filename == "" {
+		return nil, fmt.Errorf("invalid resource name: %s", resource)
+	}
+
+	data, err := fs.ReadFile(crds.FS, filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read CRD file %s: %w", filename, err)
+	}
+
+	crd := &apiextensionsv1.CustomResourceDefinition{}
+	if err := yaml.Unmarshal(data, crd); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal CRD %s: %w", filename, err)
+	}
+	return crd, nil
+}
+
+// applyCIOLabels sets the CIO ownership label and Helm keep annotation on a CRD.
+func applyCIOLabels(crd *apiextensionsv1.CustomResourceDefinition) {
+	labels := crd.GetLabels()
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	labels[labelManagedByCIO] = "true"
+	crd.SetLabels(labels)
+
+	annotations := crd.GetAnnotations()
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+	annotations[annotationHelmKeep] = "keep"
+	crd.SetAnnotations(annotations)
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds_filter.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds_filter.go
new file mode 100644
index 0000000000..f02c9b3240
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds_filter.go
@@ -0,0 +1,180 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"fmt"
+	"io/fs"
+	"path/filepath"
+	"strings"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/chart/crds"
+)
+
+// Environment variable names for Istio resource filtering.
+// X_ prefix prevents Istio from processing until the feature is ready.
+// When activating, remove the X_ prefix.
+// See: https://github.com/istio/istio/commit/7e58d08397ee7b7119bf49abc9bd7b4f550f7839
+const (
+	envPilotIgnoreResources  = "X_PILOT_IGNORE_RESOURCES"
+	envPilotIncludeResources = "X_PILOT_INCLUDE_RESOURCES"
+)
+
+// Resource filtering values for Gateway API mode.
+// Ignore all istio.io resources except the 3 needed for gateway customization.
+const (
+	gatewayAPIIgnoreResources  = "*.istio.io"
+	gatewayAPIIncludeResources = "wasmplugins.extensions.istio.io,envoyfilters.networking.istio.io,destinationrules.networking.istio.io"
+)
+
+// resourceToCRDFilename converts a resource name to its CRD filename.
+// The naming convention is: "{plural}.{group}" -> "{group}_{plural}.yaml"
+// Example: "wasmplugins.extensions.istio.io" -> "extensions.istio.io_wasmplugins.yaml"
+func resourceToCRDFilename(resource string) string {
+	parts := strings.SplitN(resource, ".", 2)
+	if len(parts) != 2 {
+		return ""
+	}
+	plural := parts[0] // e.g., "wasmplugins"
+	group := parts[1]  // e.g., "extensions.istio.io"
+	return fmt.Sprintf("%s_%s.yaml", group, plural)
+}
+
+// crdFilenameToResource converts a CRD filename back to a resource name.
+// The naming convention is: "{group}_{plural}.yaml" -> "{plural}.{group}"
+// Example: "extensions.istio.io_wasmplugins.yaml" -> "wasmplugins.extensions.istio.io"
+func crdFilenameToResource(filename string) string {
+	// Strip .yaml suffix
+	name := strings.TrimSuffix(filename, ".yaml")
+	// Split on underscore: group_plural
+	parts := strings.SplitN(name, "_", 2)
+	if len(parts) != 2 {
+		return ""
+	}
+	group := parts[0]  // e.g., "extensions.istio.io"
+	plural := parts[1] // e.g., "wasmplugins"
+	return fmt.Sprintf("%s.%s", plural, group)
+}
+
+// matchesPattern checks if a resource matches a filter pattern.
+// Patterns support glob-style wildcards:
+//   - "*.istio.io" matches "virtualservices.networking.istio.io"
+//   - "virtualservices.networking.istio.io" matches exactly
+//
+// The resource format is "{plural}.{group}" (e.g., "wasmplugins.extensions.istio.io")
+func matchesPattern(resource, pattern string) bool {
+	// Handle glob patterns using filepath.Match
+	// Pattern "*.istio.io" should match "virtualservices.networking.istio.io"
+	matched, err := filepath.Match(pattern, resource)
+	if err != nil {
+		return false
+	}
+	return matched
+}
+
+// matchesAnyPattern checks if a resource matches any pattern in a comma-separated list.
+func matchesAnyPattern(resource, patterns string) bool {
+	if patterns == "" {
+		return false
+	}
+	for _, pattern := range strings.Split(patterns, ",") {
+		pattern = strings.TrimSpace(pattern)
+		if matchesPattern(resource, pattern) {
+			return true
+		}
+	}
+	return false
+}
+
+// shouldManageResource determines if a resource should be managed based on
+// IGNORE and INCLUDE filters. The logic follows Istio's resource filtering:
+//   - If resource matches INCLUDE, manage it (INCLUDE overrides IGNORE)
+//   - If resource matches IGNORE (and not INCLUDE), skip it
+//   - If resource matches neither, manage it (default allow)
+func shouldManageResource(resource, ignorePatterns, includePatterns string) bool {
+	// INCLUDE takes precedence - if explicitly included, always manage
+	if matchesAnyPattern(resource, includePatterns) {
+		return true
+	}
+	// If ignored (and not included), skip
+	if matchesAnyPattern(resource, ignorePatterns) {
+		return false
+	}
+	// Default: manage if not matched by any filter
+	return true
+}
+
+// allIstioCRDs returns all *.istio.io CRD resource names from the embedded CRD filesystem.
+// Sail operator CRDs (sailoperator.io) are excluded since those belong to the Sail operator.
+func allIstioCRDs() ([]string, error) {
+	entries, err := fs.ReadDir(crds.FS, ".")
+	if err != nil {
+		return nil, fmt.Errorf("failed to read CRD directory: %w", err)
+	}
+
+	var resources []string
+	for _, entry := range entries {
+		if entry.IsDir() || !strings.HasSuffix(entry.Name(), ".yaml") {
+			continue
+		}
+		// Skip Sail operator CRDs
+		if strings.HasPrefix(entry.Name(), "sailoperator.io_") {
+			continue
+		}
+		resource := crdFilenameToResource(entry.Name())
+		if resource != "" {
+			resources = append(resources, resource)
+		}
+	}
+	return resources, nil
+}
+
+// targetCRDsFromValues determines the target CRD set based on values and options.
+// If includeAllCRDs is true, returns all *.istio.io CRDs.
+// Otherwise, returns CRDs derived from PILOT_INCLUDE_RESOURCES in values.
+func targetCRDsFromValues(values *v1.Values, includeAllCRDs bool) ([]string, error) {
+	if includeAllCRDs {
+		return allIstioCRDs()
+	}
+
+	if values == nil || values.Pilot == nil || values.Pilot.Env == nil {
+		return nil, nil
+	}
+
+	ignorePatterns := values.Pilot.Env[envPilotIgnoreResources]
+	includePatterns := values.Pilot.Env[envPilotIncludeResources]
+
+	// If no filters defined, nothing to do
+	if ignorePatterns == "" && includePatterns == "" {
+		return nil, nil
+	}
+
+	var targets []string
+	if includePatterns != "" {
+		for _, resource := range strings.Split(includePatterns, ",") {
+			resource = strings.TrimSpace(resource)
+			if !shouldManageResource(resource, ignorePatterns, includePatterns) {
+				continue
+			}
+			// Skip resources that don't map to a valid CRD filename (e.g. wildcards)
+			if resourceToCRDFilename(resource) == "" {
+				continue
+			}
+			targets = append(targets, resource)
+		}
+	}
+	return targets, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/images.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/images.go
new file mode 100644
index 0000000000..dc009087ae
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/images.go
@@ -0,0 +1,80 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"fmt"
+	"io/fs"
+	"strings"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+)
+
+const (
+	// downstream registry and image names for OpenShift
+	defaultRegistry     = "registry.redhat.io/openshift-service-mesh"
+	defaultIstiodImage  = "istio-pilot-rhel9"
+	defaultProxyImage   = "istio-proxyv2-rhel9"
+	defaultCNIImage     = "istio-cni-rhel9"
+	defaultZTunnelImage = "istio-ztunnel-rhel9"
+)
+
+// ImageNames defines the image name for each component (without registry or tag).
+type ImageNames struct {
+	Istiod  string
+	Proxy   string
+	CNI     string
+	ZTunnel string
+}
+
+// SetImageDefaults populates config.Config.ImageDigests by scanning resourceFS
+// for version directories and constructing image refs from the given registry
+// and image names.
+//
+// This is a no-op if config.Config.ImageDigests is already populated (e.g. by
+// config.Read() in the operator path).
+//
+// Example:
+//
+//	install.SetImageDefaults(resourceFS, "registry.redhat.io/openshift-service-mesh", install.ImageNames{
+//	    Istiod:  "istio-pilot-rhel9",
+//	    Proxy:   "istio-proxyv2-rhel9",
+//	    CNI:     "istio-cni-rhel9",
+//	    ZTunnel: "istio-ztunnel-rhel9",
+//	})
+func SetImageDefaults(resourceFS fs.FS, registry string, images ImageNames) error {
+	if config.Config.ImageDigests != nil {
+		return nil
+	}
+	entries, err := fs.ReadDir(resourceFS, ".")
+	if err != nil {
+		return fmt.Errorf("failed to read resource directory: %w", err)
+	}
+	config.Config.ImageDigests = make(map[string]config.IstioImageConfig)
+	for _, e := range entries {
+		if !e.IsDir() {
+			continue
+		}
+		v := e.Name()
+		tag := strings.TrimPrefix(v, "v")
+		config.Config.ImageDigests[v] = config.IstioImageConfig{
+			IstiodImage:  registry + "/" + images.Istiod + ":" + tag,
+			ProxyImage:   registry + "/" + images.Proxy + ":" + tag,
+			CNIImage:     registry + "/" + images.CNI + ":" + tag,
+			ZTunnelImage: registry + "/" + images.ZTunnel + ":" + tag,
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/informers.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/informers.go
new file mode 100644
index 0000000000..b516a34dcc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/informers.go
@@ -0,0 +1,241 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"time"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic/dynamicinformer"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/utils/ptr"
+	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+const (
+	// defaultResyncPeriod is the default resync period for informers.
+	defaultResyncPeriod = 30 * time.Minute
+)
+
+// setupInformers creates dynamic informers for Helm resources and CRDs
+// based on the current desired options.
+func (l *Library) setupInformers(stopCh <-chan struct{}) {
+	log := ctrllog.Log.WithName("install")
+
+	l.mu.RLock()
+	opts := *l.desiredOpts
+	l.mu.RUnlock()
+
+	// Helm resource watches (drift detection)
+	specs, err := l.inst.getWatchSpecs(opts)
+	if err != nil {
+		log.Error(err, "Failed to compute watch specs; Helm drift detection disabled")
+		specs = nil
+	}
+
+	// CRD watches (ownership changes, creation, deletion)
+	if ptr.Deref(opts.ManageCRDs, true) {
+		crdSpec := l.buildCRDWatchSpec(opts)
+		if crdSpec != nil {
+			specs = append(specs, *crdSpec)
+		}
+	}
+
+	if len(specs) == 0 {
+		log.Info("No watch specs; informers not started")
+		return
+	}
+
+	log.Info("Setting up informers", "count", len(specs))
+
+	namespacedFactory := dynamicinformer.NewFilteredDynamicSharedInformerFactory(
+		l.dynamicCl,
+		defaultResyncPeriod,
+		opts.Namespace,
+		nil,
+	)
+	clusterScopedFactory := dynamicinformer.NewDynamicSharedInformerFactory(
+		l.dynamicCl,
+		defaultResyncPeriod,
+	)
+
+	// Capture revision and managedByValue once for all event handlers — no lock needed per event.
+	revision := opts.Revision
+	managedByValue := l.managedByValue
+	enqueue := l.enqueue
+
+	for _, spec := range specs {
+		var informer cache.SharedIndexInformer
+		gvr := gvkToGVR(spec.GVK)
+
+		if spec.ClusterScoped {
+			informer = clusterScopedFactory.ForResource(gvr).Informer()
+		} else {
+			informer = namespacedFactory.ForResource(gvr).Informer()
+		}
+
+		var handler cache.ResourceEventHandler
+		if spec.watchType == watchTypeCRD {
+			handler = makeCRDEventHandler(spec.TargetNames, enqueue)
+		} else {
+			handler = makeOwnedEventHandler(spec.GVK, spec.watchType, revision, managedByValue, enqueue)
+		}
+
+		if _, err := informer.AddEventHandler(handler); err != nil {
+			log.Error(err, "Failed to add event handler", "gvk", spec.GVK)
+			continue
+		}
+		log.V(1).Info("Watching", "gvk", spec.GVK, "type", spec.watchType, "clusterScoped", spec.ClusterScoped)
+	}
+
+	namespacedFactory.Start(stopCh)
+	clusterScopedFactory.Start(stopCh)
+	namespacedFactory.WaitForCacheSync(stopCh)
+	clusterScopedFactory.WaitForCacheSync(stopCh)
+	log.Info("Informers synced and watching for drift")
+}
+
+// buildCRDWatchSpec computes a watchSpec for Istio CRDs based on the current options.
+// Returns nil if the target CRD set cannot be determined.
+func (l *Library) buildCRDWatchSpec(opts Options) *watchSpec {
+	targetNames := l.inst.crdManager.WatchTargets(opts.Values, ptr.Deref(opts.IncludeAllCRDs, false))
+	if len(targetNames) == 0 {
+		return nil
+	}
+
+	return &watchSpec{
+		GVK:           crdGVK,
+		watchType:     watchTypeCRD,
+		ClusterScoped: true,
+		TargetNames:   targetNames,
+	}
+}
+
+// makeOwnedEventHandler handles events for Helm-managed and namespace resources.
+// It takes explicit dependencies instead of closing over Library, enabling unit testing
+// without concurrency machinery.
+func makeOwnedEventHandler(gvk schema.GroupVersionKind, wt watchType, revision, managedByValue string, enqueue func()) cache.ResourceEventHandler {
+	log := ctrllog.Log.WithName("install").WithValues("gvk", gvk, "watchType", wt)
+	return cache.ResourceEventHandlerFuncs{
+		// Add events fire during initial cache sync — ignore them.
+		AddFunc: func(obj interface{}) {},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			oldU, ok := oldObj.(*unstructured.Unstructured)
+			if !ok {
+				return
+			}
+			newU, ok := newObj.(*unstructured.Unstructured)
+			if !ok {
+				return
+			}
+
+			if !shouldReconcileOnUpdate(gvk, oldU, newU) {
+				log.V(2).Info("Skipping update (predicate)", "name", newU.GetName())
+				return
+			}
+
+			if wt == watchTypeOwned && !isOwnedResource(newU, revision, managedByValue) {
+				log.V(1).Info("Skipping update (not owned)", "name", newU.GetName(), "labels", newU.GetLabels())
+				return
+			}
+
+			log.Info("Drift detected (update)", "name", newU.GetName())
+			enqueue()
+		},
+		DeleteFunc: func(obj interface{}) {
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tombstone.Obj
+			}
+
+			u, ok := obj.(*unstructured.Unstructured)
+			if !ok {
+				return
+			}
+
+			if !shouldReconcileOnDelete(u) {
+				return
+			}
+
+			if wt == watchTypeOwned && !isOwnedResource(u, revision, managedByValue) {
+				log.V(1).Info("Skipping delete (not owned)", "name", u.GetName())
+				return
+			}
+
+			log.Info("Drift detected (delete)", "name", u.GetName())
+			enqueue()
+		},
+	}
+}
+
+// makeCRDEventHandler handles events for CRD resources. Unlike owned resources,
+// CRD events trigger on create (new CRD appeared), delete (CRD removed), and
+// label/annotation changes (ownership transfer). Events are filtered by name
+// to only watch target Istio CRDs.
+func makeCRDEventHandler(targets map[string]struct{}, enqueue func()) cache.ResourceEventHandler {
+	log := ctrllog.Log.WithName("install").WithValues("watchType", watchTypeCRD)
+	return cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			u, ok := obj.(*unstructured.Unstructured)
+			if !ok {
+				return
+			}
+			if !isTargetCRD(u, targets) {
+				return
+			}
+			log.Info("Drift detected (CRD added)", "name", u.GetName())
+			enqueue()
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			oldU, ok := oldObj.(*unstructured.Unstructured)
+			if !ok {
+				return
+			}
+			newU, ok := newObj.(*unstructured.Unstructured)
+			if !ok {
+				return
+			}
+			if !isTargetCRD(newU, targets) {
+				return
+			}
+			if !shouldReconcileCRDOnUpdate(oldU, newU) {
+				return
+			}
+			log.Info("Drift detected (CRD updated)", "name", newU.GetName())
+			enqueue()
+		},
+		DeleteFunc: func(obj interface{}) {
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tombstone.Obj
+			}
+			u, ok := obj.(*unstructured.Unstructured)
+			if !ok {
+				return
+			}
+			if !isTargetCRD(u, targets) {
+				return
+			}
+			log.Info("Drift detected (CRD deleted)", "name", u.GetName())
+			enqueue()
+		},
+	}
+}
+
+// gvkToGVR converts a GroupVersionKind to a GroupVersionResource.
+func gvkToGVR(gvk schema.GroupVersionKind) schema.GroupVersionResource {
+	plural, _ := meta.UnsafeGuessKindToResource(gvk)
+	return plural
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/installer.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/installer.go
new file mode 100644
index 0000000000..00c2a497c5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/installer.go
@@ -0,0 +1,350 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"sort"
+	"strings"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+	"github.com/istio-ecosystem/sail-operator/pkg/constants"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	sharedreconcile "github.com/istio-ecosystem/sail-operator/pkg/reconcile"
+	"github.com/istio-ecosystem/sail-operator/pkg/revision"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// watchType indicates how events for a resource type should be handled.
+type watchType int
+
+const (
+	// watchTypeOwned indicates resources owned by the installation.
+	// Use owner reference filtering to only watch resources created by the installer.
+	watchTypeOwned watchType = iota
+
+	// watchTypeNamespace indicates namespace resources should be watched.
+	// Used to detect when the target namespace is created/deleted.
+	watchTypeNamespace
+
+	// watchTypeCRD indicates CRD resources that should be watched for ownership changes.
+	// Events are filtered by TargetNames and trigger on label/annotation changes,
+	// creation, or deletion — allowing the Library to re-classify CRD ownership.
+	watchTypeCRD
+)
+
+// String returns the string representation of the watchType.
+func (w watchType) String() string {
+	switch w {
+	case watchTypeOwned:
+		return "Owned"
+	case watchTypeNamespace:
+		return "Namespace"
+	case watchTypeCRD:
+		return "CRD"
+	default:
+		return fmt.Sprintf("Unknown(%d)", w)
+	}
+}
+
+// watchSpec describes a resource type that should be watched for drift detection.
+type watchSpec struct {
+	// GVK is the GroupVersionKind of the resource to watch.
+	GVK schema.GroupVersionKind
+
+	// watchType indicates how events should be handled.
+	watchType watchType
+
+	// ClusterScoped indicates if this is a cluster-scoped resource (vs namespaced).
+	// Cluster-scoped resources require a different informer factory setup.
+	ClusterScoped bool
+
+	// TargetNames is an optional set of resource names to filter on.
+	// Only used with watchTypeCRD to limit events to specific CRDs.
+	// When nil or empty, all resources of this GVK are watched.
+	TargetNames map[string]struct{}
+}
+
+// installer owns the worker dependencies and all install/watch logic.
+// It is separated from Library so that reconcile, uninstall, and watch-spec
+// computation can be tested and reasoned about without concurrency machinery.
+type installer struct {
+	resourceFS   fs.FS
+	chartManager *helm.ChartManager
+	cl           client.Client
+	crdManager   *crdManager
+}
+
+// resolveValues resolves the version and computes Helm values from Options.
+// This eliminates the duplication between reconcile and getWatchSpecs.
+func (inst *installer) resolveValues(opts Options) (string, *v1.Values, error) {
+	opts.applyDefaults()
+
+	// Default version from FS if not specified
+	if opts.Version == "" {
+		v, err := DefaultVersion(inst.resourceFS)
+		if err != nil {
+			return "", nil, fmt.Errorf("failed to determine default version: %w", err)
+		}
+		opts.Version = v
+	}
+
+	// Validate version
+	if err := ValidateVersion(inst.resourceFS, opts.Version); err != nil {
+		return "", nil, fmt.Errorf("invalid version %q: %w", opts.Version, err)
+	}
+
+	// Compute values
+	values, err := revision.ComputeValues(
+		opts.Values,
+		opts.Namespace,
+		opts.Version,
+		config.PlatformOpenShift,
+		defaultProfile,
+		"",
+		inst.resourceFS,
+		opts.Revision,
+	)
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to compute values: %w", err)
+	}
+
+	return opts.Version, values, nil
+}
+
+// reconcile does the actual work: CRDs + Helm. Takes opts as an argument
+// so the caller reads opts under lock and passes them in — no lock access here.
+func (inst *installer) reconcile(ctx context.Context, opts Options) Status {
+	// Deep-copy Values so nothing in this function can mutate the
+	// stored desiredOpts through shared pointers.
+	if opts.Values != nil {
+		opts.Values = opts.Values.DeepCopy()
+	}
+
+	status := Status{}
+
+	resolvedVersion, values, err := inst.resolveValues(opts)
+	if err != nil {
+		status.Error = err
+		return status
+	}
+	status.Version = resolvedVersion
+
+	// Manage CRDs
+	if ptr.Deref(opts.ManageCRDs, true) {
+		result := inst.crdManager.Reconcile(ctx, values, ptr.Deref(opts.IncludeAllCRDs, false), opts.OverwriteOLMManagedCRD)
+		status.CRDState = result.State
+		status.CRDs = result.CRDs
+		status.CRDMessage = result.Message
+		if result.Error != nil {
+			status.Error = result.Error
+		}
+	}
+
+	// Helm install
+	reconcilerCfg := sharedreconcile.Config{
+		ResourceFS:        inst.resourceFS,
+		Platform:          config.PlatformOpenShift,
+		DefaultProfile:    defaultProfile,
+		OperatorNamespace: opts.Namespace,
+		ChartManager:      inst.chartManager,
+	}
+
+	istiodReconciler := sharedreconcile.NewIstiodReconciler(reconcilerCfg, inst.cl)
+
+	if err := istiodReconciler.Validate(ctx, resolvedVersion, opts.Namespace, values); err != nil {
+		status.Error = errors.Join(status.Error, fmt.Errorf("validation failed: %w", err))
+		return status
+	}
+
+	if err := istiodReconciler.Install(ctx, resolvedVersion, opts.Namespace, values, opts.Revision, nil); err != nil {
+		status.Error = errors.Join(status.Error, fmt.Errorf("installation failed: %w", err))
+		return status
+	}
+
+	status.Installed = true
+	return status
+}
+
+// uninstall removes the istiod Helm release.
+func (inst *installer) uninstall(ctx context.Context, namespace, revision string) error {
+	reconcilerCfg := sharedreconcile.Config{
+		ResourceFS:        inst.resourceFS,
+		Platform:          config.PlatformOpenShift,
+		DefaultProfile:    defaultProfile,
+		OperatorNamespace: namespace,
+		ChartManager:      inst.chartManager,
+	}
+
+	istiodReconciler := sharedreconcile.NewIstiodReconciler(reconcilerCfg, inst.cl)
+	if err := istiodReconciler.Uninstall(ctx, namespace, revision); err != nil {
+		return fmt.Errorf("uninstallation failed: %w", err)
+	}
+	return nil
+}
+
+// getWatchSpecs renders the istiod Helm charts and extracts the GVKs
+// of all resources that would be created. Used internally by the Library
+// to set up informers for drift detection.
+//
+// The returned specs include:
+//   - All resource types from the base and istiod charts (watchTypeOwned)
+//   - Namespace (watchTypeNamespace) for namespace existence checks
+func (inst *installer) getWatchSpecs(opts Options) ([]watchSpec, error) {
+	resolvedVersion, values, err := inst.resolveValues(opts)
+	if err != nil {
+		return nil, err
+	}
+	helmValues := helm.FromValues(values)
+
+	// Collect GVKs from both charts
+	gvkSet := make(map[schema.GroupVersionKind]struct{})
+
+	// Render base chart (for default revision)
+	if opts.Revision == defaultRevision {
+		baseChartPath := sharedreconcile.GetChartPath(resolvedVersion, constants.BaseChartName)
+		rendered, err := helm.RenderChart(inst.resourceFS, baseChartPath, helmValues, opts.Namespace, "base")
+		if err != nil {
+			return nil, fmt.Errorf("failed to render base chart: %w", err)
+		}
+		if err := extractGVKsFromRendered(rendered, gvkSet); err != nil {
+			return nil, fmt.Errorf("failed to extract GVKs from base chart: %w", err)
+		}
+	}
+
+	// Render istiod chart
+	istiodChartPath := sharedreconcile.GetChartPath(resolvedVersion, constants.IstiodChartName)
+	rendered, err := helm.RenderChart(inst.resourceFS, istiodChartPath, helmValues, opts.Namespace, "istiod")
+	if err != nil {
+		return nil, fmt.Errorf("failed to render istiod chart: %w", err)
+	}
+	if err := extractGVKsFromRendered(rendered, gvkSet); err != nil {
+		return nil, fmt.Errorf("failed to extract GVKs from istiod chart: %w", err)
+	}
+
+	// Convert to specs
+	specs := make([]watchSpec, 0, len(gvkSet)+1)
+	for gvk := range gvkSet {
+		specs = append(specs, watchSpec{
+			GVK:           gvk,
+			watchType:     watchTypeOwned,
+			ClusterScoped: isClusterScoped(gvk),
+		})
+	}
+
+	// Add Namespace watch
+	specs = append(specs, watchSpec{
+		GVK:           corev1.SchemeGroupVersion.WithKind("Namespace"),
+		watchType:     watchTypeNamespace,
+		ClusterScoped: true, // Namespaces are cluster-scoped
+	})
+
+	// Sort for deterministic output
+	sort.Slice(specs, func(i, j int) bool {
+		if specs[i].GVK.Group != specs[j].GVK.Group {
+			return specs[i].GVK.Group < specs[j].GVK.Group
+		}
+		if specs[i].GVK.Version != specs[j].GVK.Version {
+			return specs[i].GVK.Version < specs[j].GVK.Version
+		}
+		return specs[i].GVK.Kind < specs[j].GVK.Kind
+	})
+
+	return specs, nil
+}
+
+// extractGVKsFromRendered parses rendered Helm output and extracts GVKs.
+func extractGVKsFromRendered(rendered map[string]string, gvkSet map[schema.GroupVersionKind]struct{}) error {
+	for name, content := range rendered {
+		// Skip empty files and notes
+		if content == "" || strings.HasSuffix(name, "NOTES.txt") {
+			continue
+		}
+
+		// Parse multi-document YAML
+		decoder := yaml.NewYAMLOrJSONDecoder(
+			bufio.NewReader(strings.NewReader(content)),
+			4096,
+		)
+
+		for {
+			var obj map[string]interface{}
+			if err := decoder.Decode(&obj); err != nil {
+				if err == io.EOF {
+					break
+				}
+				return fmt.Errorf("failed to decode YAML from %s: %w", name, err)
+			}
+
+			// Skip empty documents
+			if obj == nil {
+				continue
+			}
+
+			// Extract apiVersion and kind
+			apiVersion, ok := obj["apiVersion"].(string)
+			if !ok {
+				continue
+			}
+			kind, ok := obj["kind"].(string)
+			if !ok {
+				continue
+			}
+
+			gvk := apiVersionKindToGVK(apiVersion, kind)
+			gvkSet[gvk] = struct{}{}
+		}
+	}
+	return nil
+}
+
+// apiVersionKindToGVK converts apiVersion and kind strings to a GroupVersionKind.
+func apiVersionKindToGVK(apiVersion, kind string) schema.GroupVersionKind {
+	gv, err := schema.ParseGroupVersion(apiVersion)
+	if err != nil {
+		// Fallback for malformed apiVersion
+		return schema.GroupVersionKind{
+			Group:   "",
+			Version: apiVersion,
+			Kind:    kind,
+		}
+	}
+	return gv.WithKind(kind)
+}
+
+// clusterScopedKinds is the set of known cluster-scoped kinds used in Istio charts.
+var clusterScopedKinds = map[string]bool{
+	"Namespace":                      true,
+	"ClusterRole":                    true,
+	"ClusterRoleBinding":             true,
+	"CustomResourceDefinition":       true,
+	"MutatingWebhookConfiguration":   true,
+	"ValidatingWebhookConfiguration": true,
+}
+
+// isClusterScoped returns true if the given GVK is a cluster-scoped resource.
+func isClusterScoped(gvk schema.GroupVersionKind) bool {
+	return clusterScopedKinds[gvk.Kind]
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/library.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/library.go
new file mode 100644
index 0000000000..425fda2653
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/library.go
@@ -0,0 +1,277 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package install provides a library for managing istiod installations.
+// It is designed for embedding in other operators (like OpenShift Ingress)
+// that need to install and maintain Istio without running a separate operator.
+//
+// The Library runs as an independent actor: the consumer sends desired state
+// via Apply(), and reads the result via Status(). A notification channel
+// returned by Start() signals when the Library has reconciled.
+//
+// Usage:
+//
+//	lib, _ := install.New(kubeConfig, resourceFS)
+//	notifyCh := lib.Start(ctx)
+//
+//	// In controller reconcile:
+//	lib.Apply(install.Options{Values: values, Namespace: "openshift-ingress"})
+//	status := lib.Status()
+//	// update GatewayClass conditions from status
+//
+//	// In a goroutine or source.Channel watch:
+//	for range notifyCh {
+//	    status := lib.Status()
+//	    // ...
+//	}
+package install
+
+import (
+	"fmt"
+	"io/fs"
+	"os"
+	"sync"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	defaultNamespace      = "istio-system"
+	defaultProfile        = "openshift"
+	defaultHelmDriver     = "secret"
+	defaultRevision       = v1.DefaultRevision
+	defaultManagedByValue = "sail-library"
+)
+
+// Status represents the result of a reconciliation, covering both
+// CRD management and Helm installation.
+type Status struct {
+	// CRDState is the aggregate ownership state of the target Istio CRDs.
+	CRDState CRDManagementState
+
+	// CRDMessage is a human-readable description of the CRD state.
+	CRDMessage string
+
+	// CRDs contains per-CRD detail (name, ownership, found on cluster).
+	CRDs []CRDInfo
+
+	// Installed is true if the Helm install/upgrade completed successfully.
+	Installed bool
+
+	// Version is the resolved Istio version (set even if Installed is false).
+	Version string
+
+	// Error is non-nil if something went wrong during CRD management or Helm installation.
+	// CRD ownership problems (UnknownManagement, MixedOwnership) set this but do not
+	// prevent Helm installation from being attempted.
+	Error error
+}
+
+// String returns a human-readable summary of the status.
+func (s Status) String() string {
+	state := "not installed"
+	if s.Installed {
+		state = "installed"
+	}
+
+	ver := s.Version
+	if ver == "" {
+		ver = "unknown"
+	}
+
+	msg := fmt.Sprintf("%s version=%s crds=%s", state, ver, s.CRDState)
+	if s.CRDMessage != "" {
+		msg += fmt.Sprintf(" (%s)", s.CRDMessage)
+	}
+	if len(s.CRDs) > 0 {
+		msg += " ["
+		for i, crd := range s.CRDs {
+			if i > 0 {
+				msg += ", "
+			}
+			if crd.Found {
+				msg += fmt.Sprintf("%s:%s", crd.Name, crd.State)
+			} else {
+				msg += fmt.Sprintf("%s:missing", crd.Name)
+			}
+		}
+		msg += "]"
+	}
+	if s.Error != nil {
+		msg += fmt.Sprintf(" error=%v", s.Error)
+	}
+	return msg
+}
+
+// Options for installing istiod.
+type Options struct {
+	// Namespace is the target namespace for installation.
+	// Defaults to "istio-system" if not specified.
+	Namespace string
+
+	// Version is the Istio version to install.
+	// Defaults to the latest supported version if not specified.
+	Version string
+
+	// Revision is the Istio revision name.
+	// Defaults to "default" if not specified.
+	Revision string
+
+	// Values are Helm value overrides.
+	// Use GatewayAPIDefaults() to get pre-configured values for Gateway API mode,
+	// then modify as needed before passing here.
+	Values *v1.Values
+
+	// ManageCRDs controls whether the Library manages Istio CRDs.
+	// When true (default), CRDs are classified by ownership and installed/updated
+	// if we own them or none exist.
+	// Set to false to skip CRD management entirely.
+	ManageCRDs *bool
+
+	// IncludeAllCRDs controls which CRDs are managed.
+	// When true, all *.istio.io CRDs from the embedded FS are managed.
+	// When false (default), only CRDs matching PILOT_INCLUDE_RESOURCES are managed.
+	IncludeAllCRDs *bool
+
+	// OverwriteOLMManagedCRD is called when a CRD is detected with OLM ownership labels.
+	// If provided and returns true, the CRD is overwritten with CIO labels and adopted.
+	// If nil or returns false, OLM-labeled CRDs are left alone.
+	OverwriteOLMManagedCRD OverwriteOLMManagedCRDFunc
+}
+
+// applyDefaults fills in default values for Options.
+// Version is not defaulted here — it requires access to the resource FS,
+// so it is resolved during reconciliation via DefaultVersion().
+func (o *Options) applyDefaults() {
+	o.Version = NormalizeVersion(o.Version)
+	if o.Namespace == "" {
+		o.Namespace = defaultNamespace
+	}
+	if o.Revision == "" {
+		o.Revision = defaultRevision
+	}
+	if o.ManageCRDs == nil {
+		o.ManageCRDs = ptr.To(true)
+	}
+	if o.IncludeAllCRDs == nil {
+		o.IncludeAllCRDs = ptr.To(false)
+	}
+}
+
+// Library manages the lifecycle of an istiod installation. It runs as an
+// independent actor: the consumer sends desired state via Apply() and reads
+// the result via Status(). Start() returns a notification channel that
+// signals when the Library has reconciled (drift repair, CRD change, or
+// a new Apply).
+type Library struct {
+	// Core install/uninstall logic (no concurrency concerns)
+	inst *installer
+
+	// managedByValue is the value of the "managed-by" label set on all
+	// Helm-managed resources. Used both by the post-renderer (write) and
+	// by informer predicates (read) for ownership filtering.
+	managedByValue string
+
+	// Infrastructure needed only by Library (informers, dynamic client)
+	kubeConfig *rest.Config
+	dynamicCl  dynamic.Interface
+
+	// Lifecycle serialization (Apply and Uninstall hold this)
+	lifecycleMu sync.Mutex
+
+	// Desired state (set by Apply, read by worker)
+	mu          sync.RWMutex
+	desiredOpts *Options // nil until first Apply(); nil again after Uninstall()
+
+	// Informer lifecycle (per install cycle)
+	informerStop   chan struct{} // closed to stop current informer cycle
+	processingDone chan struct{} // closed when processWorkQueue exits
+
+	// Latest status (written by worker, read by Status())
+	statusMu sync.RWMutex
+	status   Status
+
+	// Signal channel: Apply() sends on it to wake waitForDesiredState().
+	// Buffered 1, non-blocking write — if the signal is already pending,
+	// the new one is dropped.
+	applySignal chan struct{}
+
+	// Internal workqueue
+	workqueue workqueue.TypedRateLimitingInterface[string]
+}
+
+// New creates a new Library.
+//
+// Parameters:
+//   - kubeConfig: Kubernetes client configuration (required)
+//   - resourceFS: Filesystem containing Helm charts and profiles (required).
+//     Use resources.FS for embedded resources or FromDirectory() for a filesystem path.
+func New(kubeConfig *rest.Config, resourceFS fs.FS) (*Library, error) {
+	if kubeConfig == nil {
+		return nil, fmt.Errorf("kubeConfig is required")
+	}
+	if resourceFS == nil {
+		return nil, fmt.Errorf("resourceFS is required")
+	}
+
+	cl, err := client.New(kubeConfig, client.Options{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create client: %w", err)
+	}
+
+	dynamicCl, err := dynamic.NewForConfig(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create dynamic client: %w", err)
+	}
+
+	// Populate default image refs from the provided FS (no-op if already set by config.Read)
+	if err := SetImageDefaults(resourceFS, defaultRegistry, ImageNames{
+		Istiod:  defaultIstiodImage,
+		Proxy:   defaultProxyImage,
+		CNI:     defaultCNIImage,
+		ZTunnel: defaultZTunnelImage,
+	}); err != nil {
+		return nil, fmt.Errorf("failed to set image defaults: %w", err)
+	}
+
+	return &Library{
+		inst: &installer{
+			resourceFS:   resourceFS,
+			chartManager: helm.NewChartManager(kubeConfig, defaultHelmDriver, helm.WithManagedByValue(defaultManagedByValue)),
+			cl:           cl,
+			crdManager:   newCRDManager(cl),
+		},
+		managedByValue: defaultManagedByValue,
+		kubeConfig:     kubeConfig,
+		dynamicCl:      dynamicCl,
+		applySignal:    make(chan struct{}, 1),
+	}, nil
+}
+
+// FromDirectory creates an fs.FS from a filesystem directory path.
+// This is a convenience function for consumers who want to load resources
+// from the filesystem instead of using embedded resources.
+//
+// Example:
+//
+//	lib, _ := install.New(kubeConfig, install.FromDirectory("/var/lib/sail-operator/resources"))
+func FromDirectory(path string) fs.FS {
+	return os.DirFS(path)
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/lifecycle.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/lifecycle.go
new file mode 100644
index 0000000000..77d4dc66b4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/lifecycle.go
@@ -0,0 +1,310 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"context"
+	"reflect"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/utils/ptr"
+	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+const (
+	// reconcileKey is the single key used in the workqueue.
+	// Since we always reconcile the entire installation, we use a single key
+	// to coalesce multiple events into one reconciliation.
+	reconcileKey = "reconcile"
+)
+
+// Start begins the Library's internal reconciliation loop. It returns a
+// notification channel that receives a signal every time the Library
+// finishes a reconciliation (whether triggered by Apply, drift detection,
+// or CRD changes).
+//
+// The channel is owned by the Library and closed when ctx is cancelled.
+// Buffer of 1 with non-blocking write: if the consumer hasn't drained
+// the previous notification, the new one is dropped (latest-wins).
+//
+// Start is non-blocking — it launches goroutines internally and returns
+// immediately. The Library sits idle until the first Apply() call.
+func (l *Library) Start(ctx context.Context) <-chan struct{} {
+	notifyCh := make(chan struct{}, 1)
+	l.workqueue = workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[string]())
+
+	// Start worker goroutine
+	go l.run(ctx, notifyCh)
+
+	return notifyCh
+}
+
+// Apply sets the desired installation state. If the options differ from
+// the previously applied options, a reconciliation is enqueued. If they
+// are the same, this is a no-op.
+//
+// Apply blocks if Uninstall is in progress (they share a lifecycle lock).
+// The result of the reconciliation will be available via Status() after
+// the notification channel signals.
+func (l *Library) Apply(opts Options) {
+	l.lifecycleMu.Lock()
+	defer l.lifecycleMu.Unlock()
+
+	opts.applyDefaults()
+
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	if l.desiredOpts != nil && optionsEqual(*l.desiredOpts, opts) {
+		return // no change
+	}
+
+	copied := opts
+	if copied.Values != nil {
+		copied.Values = copied.Values.DeepCopy()
+	}
+	l.desiredOpts = &copied
+	l.enqueue()
+
+	// Wake waitForDesiredState if it's blocking
+	select {
+	case l.applySignal <- struct{}{}:
+	default:
+	}
+}
+
+// Enqueue forces a reconciliation without changing the desired options.
+// Use this when cluster state that affects reconciliation has changed
+// externally but the Options passed to Apply remain the same. For example,
+// if an OLM Subscription managing Istio CRDs is deleted, the CRD ownership
+// labels haven't changed yet, but the consumer knows a takeover is now
+// possible. Calling Enqueue triggers the Library to re-classify CRDs and
+// re-run the Helm install using the previously applied options.
+//
+// Enqueue is a no-op if Apply has not been called yet (no desired state).
+// It is safe to call from any goroutine.
+func (l *Library) Enqueue() {
+	l.enqueue()
+}
+
+// Status returns the latest reconciliation result. This is safe to call
+// from any goroutine. Returns a zero-value Status if no reconciliation
+// has completed yet.
+func (l *Library) Status() Status {
+	l.statusMu.RLock()
+	defer l.statusMu.RUnlock()
+	return l.status
+}
+
+// Uninstall stops drift detection and removes the istiod installation.
+// It first stops informers and waits for the processing loop to exit,
+// then performs the Helm uninstall. This prevents the drift-repair loop
+// from fighting the uninstall.
+//
+// Uninstall is a synchronous, blocking operation. It holds the lifecycle
+// lock, so Apply() will block until Uninstall completes.
+//
+// The caller provides the namespace and revision to uninstall. Empty strings
+// default to "istio-system" and "default" respectively. This allows Uninstall
+// to work even after a crash, when no prior Apply() state exists in memory.
+//
+// If an active reconcile loop is running, it is stopped before the Helm
+// uninstall proceeds. After Uninstall, calling Apply() will start a new
+// install cycle.
+func (l *Library) Uninstall(ctx context.Context, namespace, revision string) error {
+	l.lifecycleMu.Lock()
+	defer l.lifecycleMu.Unlock()
+
+	log := ctrllog.Log.WithName("install")
+
+	if namespace == "" {
+		namespace = defaultNamespace
+	}
+	if revision == "" {
+		revision = defaultRevision
+	}
+
+	// Clear desired state and capture loop handles so we can stop
+	// the processing loop if one is active.
+	l.mu.Lock()
+	l.desiredOpts = nil
+	informerStop := l.informerStop
+	processingDone := l.processingDone
+	l.mu.Unlock()
+
+	log.Info("Uninstalling", "namespace", namespace, "revision", revision)
+
+	// Stop informers so they don't fire events during teardown
+	if informerStop != nil {
+		close(informerStop)
+	}
+
+	// Enqueue a sentinel so processWorkQueue unblocks from Get()
+	// and checks the nil desiredOpts condition
+	l.enqueue()
+
+	// Wait for the processing loop to exit
+	if processingDone != nil {
+		<-processingDone
+	}
+
+	// Now safe to Helm uninstall — nothing is watching or reconciling
+	if err := l.inst.uninstall(ctx, namespace, revision); err != nil {
+		return err
+	}
+
+	log.Info("Uninstall complete", "namespace", namespace, "revision", revision)
+	return nil
+}
+
+// run is the main loop. It alternates between idle (waiting for Apply) and
+// active (informers running, processing workqueue). Uninstall() nils
+// desiredOpts, which causes processWorkQueue to exit and the loop to
+// return to idle. The loop exits only when ctx is cancelled.
+func (l *Library) run(ctx context.Context, notifyCh chan<- struct{}) {
+	log := ctrllog.Log.WithName("install")
+	defer close(notifyCh)
+	defer l.workqueue.ShutDown()
+
+	for {
+		// Idle: block until Apply() sets desiredOpts (or ctx cancelled)
+		if !l.waitForDesiredState(ctx) {
+			return // ctx cancelled
+		}
+
+		// Active: set up informers for this install cycle
+		l.mu.Lock()
+		l.informerStop = make(chan struct{})
+		l.processingDone = make(chan struct{})
+		l.mu.Unlock()
+
+		l.setupInformers(l.informerStop)
+
+		log.Info("Processing workqueue")
+		l.processWorkQueue(ctx, notifyCh)
+		log.Info("Workqueue processing stopped, returning to idle")
+
+		// Loop back to idle, waiting for next Apply()
+	}
+}
+
+// processWorkQueue processes work items until desiredOpts goes nil (Uninstall)
+// or the workqueue shuts down (ctx cancelled). It closes l.processingDone on exit
+// so Uninstall() can wait for processing to stop before doing Helm cleanup.
+func (l *Library) processWorkQueue(ctx context.Context, notifyCh chan<- struct{}) {
+	log := ctrllog.Log.WithName("install")
+	defer func() {
+		l.mu.RLock()
+		done := l.processingDone
+		l.mu.RUnlock()
+		if done != nil {
+			close(done)
+		}
+	}()
+
+	for {
+		key, shutdown := l.workqueue.Get()
+		if shutdown {
+			return
+		}
+
+		// Read desiredOpts once under a single lock to avoid a race
+		// where Uninstall() nils it between a nil-check and dereference.
+		l.mu.RLock()
+		optsPtr := l.desiredOpts
+		l.mu.RUnlock()
+
+		if optsPtr == nil {
+			l.workqueue.Done(key)
+			return // back to idle
+		}
+		opts := *optsPtr
+
+		log.Info("Reconciling")
+		status := l.inst.reconcile(ctx, opts)
+		l.setStatus(status)
+		log.Info("Reconcile complete", "installed", status.Installed, "error", status.Error)
+
+		// Non-blocking notify
+		select {
+		case notifyCh <- struct{}{}:
+		default:
+		}
+
+		// Don't retry on error — the library is event-driven.
+		// State changes trigger informer events, and Apply() enqueues explicitly.
+		// Retrying permanent errors (CRD classification, bad config) just spins.
+		l.workqueue.Forget(key)
+		l.workqueue.Done(key)
+	}
+}
+
+// waitForDesiredState blocks until Apply() has been called or ctx is cancelled.
+func (l *Library) waitForDesiredState(ctx context.Context) bool {
+	// Fast path: check if opts are already set (e.g. Uninstall->Apply cycle)
+	l.mu.RLock()
+	hasOpts := l.desiredOpts != nil
+	l.mu.RUnlock()
+	if hasOpts {
+		return true
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			return false
+		case <-l.applySignal:
+			l.mu.RLock()
+			hasOpts := l.desiredOpts != nil
+			l.mu.RUnlock()
+			if hasOpts {
+				return true
+			}
+		}
+	}
+}
+
+// setStatus atomically updates the stored status.
+func (l *Library) setStatus(s Status) {
+	l.statusMu.Lock()
+	defer l.statusMu.Unlock()
+	l.status = s
+}
+
+// enqueue adds a reconciliation request to the workqueue.
+func (l *Library) enqueue() {
+	if l.workqueue != nil {
+		l.workqueue.Add(reconcileKey)
+	}
+}
+
+// optionsEqual compares two Options for equality.
+// Used by Apply() to skip no-op updates.
+func optionsEqual(a, b Options) bool {
+	if a.Namespace != b.Namespace ||
+		a.Version != b.Version ||
+		a.Revision != b.Revision ||
+		ptr.Deref(a.ManageCRDs, true) != ptr.Deref(b.ManageCRDs, true) ||
+		ptr.Deref(a.IncludeAllCRDs, false) != ptr.Deref(b.IncludeAllCRDs, false) {
+		return false
+	}
+
+	// Compare Values via map conversion for deep equality
+	aMap := helm.FromValues(a.Values)
+	bMap := helm.FromValues(b.Values)
+	return reflect.DeepEqual(aMap, bMap)
+}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/predicates.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/predicates.go
new file mode 100644
index 0000000000..30a1506e85
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/predicates.go
@@ -0,0 +1,254 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"reflect"
+	"regexp"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/constants"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// istiodValidatorRe matches istiod-managed ValidatingWebhookConfiguration names.
+// Precompiled to avoid recompilation on every update event.
+var istiodValidatorRe = regexp.MustCompile(`^(istiod-.*-validator|istio-validator.*)$`)
+
+// Predicate filtering logic adapted from controllers/istiorevision for use with dynamic informers.
+// These functions determine whether a resource change should trigger reconciliation.
+
+const (
+	// ignoreAnnotation is the annotation that, when set to "true", causes updates to be ignored.
+	ignoreAnnotation = "sailoperator.io/ignore"
+)
+
+// GVKs that need special predicate handling
+var (
+	serviceGVK                        = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Service"}
+	serviceAccountGVK                 = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "ServiceAccount"}
+	namespaceGVK                      = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"}
+	networkPolicyGVK                  = schema.GroupVersionKind{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicy"}
+	pdbGVK                            = schema.GroupVersionKind{Group: "policy", Version: "v1", Kind: "PodDisruptionBudget"}
+	hpaGVK                            = schema.GroupVersionKind{Group: "autoscaling", Version: "v2", Kind: "HorizontalPodAutoscaler"}
+	validatingWebhookConfigurationGVK = schema.GroupVersionKind{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingWebhookConfiguration"}
+	crdGVK                            = schema.GroupVersionKind{Group: "apiextensions.k8s.io", Version: "v1", Kind: "CustomResourceDefinition"}
+)
+
+// shouldReconcileOnCreate determines if a create event should trigger reconciliation.
+func shouldReconcileOnCreate(obj *unstructured.Unstructured) bool {
+	// Always reconcile on create
+	return true
+}
+
+// shouldReconcileOnDelete determines if a delete event should trigger reconciliation.
+func shouldReconcileOnDelete(obj *unstructured.Unstructured) bool {
+	// Always reconcile on delete to restore the resource
+	return true
+}
+
+// shouldReconcileOnUpdate determines if an update event should trigger reconciliation.
+// Implements the same logic as the operator's predicates.
+func shouldReconcileOnUpdate(gvk schema.GroupVersionKind, oldObj, newObj *unstructured.Unstructured) bool {
+	// Check ignore annotation first - applies to all resources
+	if hasIgnoreAnnotation(newObj) {
+		return false
+	}
+
+	// ServiceAccounts: ignore all updates to prevent removing pull secrets added by other controllers
+	if gvk == serviceAccountGVK {
+		return false
+	}
+
+	// ValidatingWebhookConfiguration: special handling for istiod-managed webhooks
+	if gvk == validatingWebhookConfigurationGVK {
+		return shouldReconcileValidatingWebhook(oldObj, newObj)
+	}
+
+	// Resources that need status-change filtering
+	if shouldFilterStatusChanges(gvk) {
+		return !isStatusOnlyChange(gvk, oldObj, newObj)
+	}
+
+	// Default: reconcile on any change
+	return true
+}
+
+// shouldFilterStatusChanges returns true for GVKs that should ignore status-only changes.
+func shouldFilterStatusChanges(gvk schema.GroupVersionKind) bool {
+	switch gvk {
+	case serviceGVK, networkPolicyGVK, pdbGVK, hpaGVK, namespaceGVK:
+		return true
+	default:
+		return false
+	}
+}
+
+// isStatusOnlyChange returns true if only the status changed (no spec/labels/annotations/etc).
+// This prevents unnecessary reconciliation when only status fields are updated.
+func isStatusOnlyChange(gvk schema.GroupVersionKind, oldObj, newObj *unstructured.Unstructured) bool {
+	// Check if spec was updated
+	if specWasUpdated(gvk, oldObj, newObj) {
+		return false
+	}
+
+	// Check if labels changed
+	if !reflect.DeepEqual(oldObj.GetLabels(), newObj.GetLabels()) {
+		return false
+	}
+
+	// Check if annotations changed
+	if !reflect.DeepEqual(oldObj.GetAnnotations(), newObj.GetAnnotations()) {
+		return false
+	}
+
+	// Check if owner references changed
+	if !reflect.DeepEqual(oldObj.GetOwnerReferences(), newObj.GetOwnerReferences()) {
+		return false
+	}
+
+	// Check if finalizers changed
+	if !reflect.DeepEqual(oldObj.GetFinalizers(), newObj.GetFinalizers()) {
+		return false
+	}
+
+	// Only status changed
+	return true
+}
+
+// specWasUpdated checks if the spec of a resource was updated.
+func specWasUpdated(gvk schema.GroupVersionKind, oldObj, newObj *unstructured.Unstructured) bool {
+	// For HPAs, k8s doesn't set metadata.generation, so we check the spec directly
+	if gvk == hpaGVK {
+		oldSpec, _, _ := unstructured.NestedMap(oldObj.Object, "spec")
+		newSpec, _, _ := unstructured.NestedMap(newObj.Object, "spec")
+		return !reflect.DeepEqual(oldSpec, newSpec)
+	}
+
+	// For other resources, comparing metadata.generation suffices
+	return oldObj.GetGeneration() != newObj.GetGeneration()
+}
+
+// hasIgnoreAnnotation checks if the resource has the sailoperator.io/ignore annotation set to "true".
+func hasIgnoreAnnotation(obj *unstructured.Unstructured) bool {
+	annotations := obj.GetAnnotations()
+	if annotations == nil {
+		return false
+	}
+	return annotations[ignoreAnnotation] == "true"
+}
+
+// shouldReconcileValidatingWebhook handles special filtering for ValidatingWebhookConfiguration.
+// Istiod updates the caBundle and failurePolicy fields in its validator webhook configs,
+// and we must ignore these changes to prevent an endless update loop.
+func shouldReconcileValidatingWebhook(oldObj, newObj *unstructured.Unstructured) bool {
+	name := newObj.GetName()
+
+	// Check if this is an istiod-managed validator webhook
+	if !istiodValidatorRe.MatchString(name) {
+		// Not an istiod validator, reconcile normally
+		return true
+	}
+
+	// For istiod validators, compare objects after clearing fields that istiod updates
+	oldCopy := clearWebhookIgnoredFields(oldObj.DeepCopy())
+	newCopy := clearWebhookIgnoredFields(newObj.DeepCopy())
+
+	return !reflect.DeepEqual(oldCopy.Object, newCopy.Object)
+}
+
+// clearWebhookIgnoredFields clears fields that should be ignored when comparing webhook configs.
+func clearWebhookIgnoredFields(obj *unstructured.Unstructured) *unstructured.Unstructured {
+	// Clear metadata fields that change frequently
+	obj.SetResourceVersion("")
+	obj.SetGeneration(0)
+	obj.SetManagedFields(nil)
+
+	// Clear failurePolicy in each webhook
+	webhooks, found, _ := unstructured.NestedSlice(obj.Object, "webhooks")
+	if found {
+		for i := range webhooks {
+			if webhook, ok := webhooks[i].(map[string]interface{}); ok {
+				delete(webhook, "failurePolicy")
+				webhooks[i] = webhook
+			}
+		}
+		_ = unstructured.SetNestedSlice(obj.Object, webhooks, "webhooks")
+	}
+
+	return obj
+}
+
+// isOwnedResource checks if the resource is owned by our installation
+// by examining Istio labels against the expected revision and the
+// managed-by label set by the post-renderer.
+func isOwnedResource(obj *unstructured.Unstructured, revision, managedByValue string) bool {
+	labels := obj.GetLabels()
+	if labels == nil {
+		return false
+	}
+
+	if rev, ok := labels["istio.io/rev"]; ok {
+		expectedRev := revision
+		if expectedRev == defaultRevision {
+			expectedRev = "default"
+		}
+		return rev == expectedRev
+	}
+
+	if _, ok := labels["operator.istio.io/component"]; ok {
+		return true
+	}
+
+	// Check the managed-by label set by HelmPostRenderer.
+	if managedBy, ok := labels[constants.ManagedByLabelKey]; ok {
+		return managedBy == managedByValue
+	}
+
+	// Fallback: Helm sets app.kubernetes.io/managed-by to "Helm" on chart resources.
+	if managedBy, ok := labels["app.kubernetes.io/managed-by"]; ok {
+		return managedBy == "Helm"
+	}
+
+	return false
+}
+
+// isTargetCRD checks if an unstructured CRD object's name is in the target set.
+func isTargetCRD(obj *unstructured.Unstructured, targets map[string]struct{}) bool {
+	if len(targets) == 0 {
+		return false
+	}
+	_, ok := targets[obj.GetName()]
+	return ok
+}
+
+// shouldReconcileCRDOnUpdate determines if a CRD update should trigger reconciliation.
+// We care about ownership label changes (CIO/OLM labels being added/removed) and
+// annotation changes (helm.sh/resource-policy). Spec/status changes on the CRD itself
+// are not relevant for ownership classification.
+func shouldReconcileCRDOnUpdate(oldObj, newObj *unstructured.Unstructured) bool {
+	if !reflect.DeepEqual(oldObj.GetLabels(), newObj.GetLabels()) {
+		return true
+	}
+	if !reflect.DeepEqual(oldObj.GetAnnotations(), newObj.GetAnnotations()) {
+		return true
+	}
+	// Spec changes on CRDs mean the CRD schema was updated — re-reconcile
+	// to ensure our version is still current.
+	if oldObj.GetGeneration() != newObj.GetGeneration() {
+		return true
+	}
+	return false
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/rbac.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/rbac.go
new file mode 100644
index 0000000000..34a8325b05
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/rbac.go
@@ -0,0 +1,113 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+// LibraryRBACRules returns the RBAC PolicyRules required when using the
+// install library. Consumers should aggregate these into their own ClusterRole.
+//
+// These rules are derived from chart/templates/rbac/role.yaml with
+// sailoperator.io CRs filtered out (those are for the operator, not the library).
+//
+// Example usage:
+//
+//	rules := append(myOperatorRules, install.LibraryRBACRules()...)
+//
+// TODO: Consider generating this from role.yaml or adding a verification test
+// to ensure these rules stay in sync with the Helm template.
+func LibraryRBACRules() []rbacv1.PolicyRule {
+	return []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{""},
+			Resources: []string{
+				"configmaps",
+				"endpoints",
+				"events",
+				"namespaces",
+				"nodes",
+				"persistentvolumeclaims",
+				"pods",
+				"replicationcontrollers",
+				"resourcequotas",
+				"secrets",
+				"serviceaccounts",
+				"services",
+			},
+			Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"admissionregistration.k8s.io"},
+			Resources: []string{
+				"mutatingwebhookconfigurations",
+				"validatingadmissionpolicies",
+				"validatingadmissionpolicybindings",
+				"validatingwebhookconfigurations",
+			},
+			Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"apiextensions.k8s.io"},
+			Resources: []string{"customresourcedefinitions"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
+		{
+			APIGroups: []string{"apps"},
+			Resources: []string{"daemonsets", "deployments"},
+			Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"autoscaling"},
+			Resources: []string{"horizontalpodautoscalers"},
+			Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"discovery.k8s.io"},
+			Resources: []string{"endpointslices"},
+			Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"k8s.cni.cncf.io"},
+			Resources: []string{"network-attachment-definitions"},
+			Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"networking.istio.io"},
+			Resources: []string{"envoyfilters"},
+			Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"networking.k8s.io"},
+			Resources: []string{"networkpolicies"},
+			Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"policy"},
+			Resources: []string{"poddisruptionbudgets"},
+			Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+		},
+		{
+			APIGroups: []string{"rbac.authorization.k8s.io"},
+			Resources: []string{"clusterrolebindings", "clusterroles", "rolebindings", "roles"},
+			Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch", "bind", "escalate"},
+		},
+		{
+			APIGroups:     []string{"security.openshift.io"},
+			Resources:     []string{"securitycontextconstraints"},
+			ResourceNames: []string{"privileged"},
+			Verbs:         []string{"use"},
+		},
+	}
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/values.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/values.go
new file mode 100644
index 0000000000..303a6c4301
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/values.go
@@ -0,0 +1,161 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"fmt"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"k8s.io/utils/ptr"
+)
+
+// GatewayAPIDefaults returns pre-configured values for Gateway API mode on OpenShift.
+// These values configure istiod to work as a Gateway API controller.
+//
+// Usage:
+//
+//	values := install.GatewayAPIDefaults()
+//	values.Pilot.Env["PILOT_GATEWAY_API_CONTROLLER_NAME"] = "my-controller"
+//	values.Pilot.Env["PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME"] = "my-class"
+//	installer.Install(ctx, Options{Values: values})
+//
+// Consumer must set:
+//   - pilot.env.PILOT_GATEWAY_API_CONTROLLER_NAME
+//   - pilot.env.PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+//
+// Consumer may optionally set:
+//   - global.trustBundleName (if using custom CA)
+func GatewayAPIDefaults() *v1.Values {
+	return &v1.Values{
+		Global: &v1.GlobalConfig{
+			// Disable PodDisruptionBudget - managed externally
+			DefaultPodDisruptionBudget: &v1.DefaultPodDisruptionBudgetConfig{
+				Enabled: ptr.To(false),
+			},
+			// Use cluster-critical priority for control plane
+			PriorityClassName: ptr.To("system-cluster-critical"),
+		},
+		Pilot: &v1.PilotConfig{
+			// Disable CNI - not needed for Gateway API only mode
+			Cni: &v1.CNIUsageConfig{
+				Enabled: ptr.To(false),
+			},
+			Enabled: ptr.To(true),
+			Env: map[string]string{
+				// Enable Gateway API support
+				"PILOT_ENABLE_GATEWAY_API": "true",
+				// Disable experimental/alpha Gateway API features
+				"PILOT_ENABLE_ALPHA_GATEWAY_API": "false",
+				// Enable status updates on Gateway API resources
+				"PILOT_ENABLE_GATEWAY_API_STATUS": "true",
+				// Enable automated deployment (creates Envoy proxy + service for gateways)
+				"PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true",
+				// Disable gatewayclass controller (admin manages gatewayclass)
+				"PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false",
+				// Disable multi-network gateway discovery
+				"PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false",
+				// Disable manual deployment (only automated deployment allowed)
+				"ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false",
+				// Only create CA bundle configmap in namespaces with gateways
+				"PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true",
+				// Don't copy labels/annotations from gateways to generated resources
+				"PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false",
+				// Resource filtering for Gateway API mode (X_ prefix until Istio feature is ready)
+				// When active, istiod will only reconcile Gateway API + the 3 included Istio resources
+				envPilotIgnoreResources:  gatewayAPIIgnoreResources,
+				envPilotIncludeResources: gatewayAPIIncludeResources,
+			},
+		},
+		SidecarInjectorWebhook: &v1.SidecarInjectorConfig{
+			// Disable sidecar injection by default (Gateway API mode only)
+			EnableNamespacesByDefault: ptr.To(false),
+		},
+		MeshConfig: &v1.MeshConfig{
+			// Enable access logging
+			AccessLogFile: ptr.To("/dev/stdout"),
+			// Disable legacy ingress controller
+			IngressControllerMode: v1.MeshConfigIngressControllerModeOff,
+			// Configure proxy defaults
+			DefaultConfig: &v1.MeshConfigProxyConfig{
+				ProxyHeaders: &v1.ProxyConfigProxyHeaders{
+					// Don't set Server header
+					Server: &v1.ProxyConfigProxyHeadersServer{
+						Disabled: ptr.To(true),
+					},
+					// Don't set X-Envoy-* debug headers
+					EnvoyDebugHeaders: &v1.ProxyConfigProxyHeadersEnvoyDebugHeaders{
+						Disabled: ptr.To(true),
+					},
+					// Only exchange metadata headers for in-mesh traffic
+					MetadataExchangeHeaders: &v1.ProxyConfigProxyHeadersMetadataExchangeHeaders{
+						Mode: v1.ProxyConfigProxyHeadersMetadataExchangeModeInMesh,
+					},
+				},
+			},
+		},
+	}
+}
+
+// mergeOverwrite recursively merges overlay into base, with overlay taking precedence.
+// NOTE: This is a copy of istiovalues.mergeOverwrite. Consider exporting the original
+// to avoid duplication once the library API stabilizes.
+func mergeOverwrite(base map[string]any, overrides map[string]any) map[string]any {
+	if base == nil {
+		base = make(map[string]any, 1)
+	}
+	for key, value := range overrides {
+		if _, exists := base[key]; !exists {
+			base[key] = value
+			continue
+		}
+		childOverrides, overrideValueIsMap := value.(map[string]any)
+		childBase, baseValueIsMap := base[key].(map[string]any)
+		if baseValueIsMap && overrideValueIsMap {
+			base[key] = mergeOverwrite(childBase, childOverrides)
+		} else {
+			base[key] = value
+		}
+	}
+	return base
+}
+
+// MergeValues merges two Values structs, with overlay taking precedence.
+// This is useful for combining GatewayAPIDefaults() with custom overrides.
+//
+// Maps are merged recursively (overlay keys override base keys).
+// Lists are replaced entirely (overlay list replaces base list).
+//
+// Example:
+//
+//	base := install.GatewayAPIDefaults()
+//	overrides := &v1.Values{Global: &v1.GlobalConfig{Hub: ptr.To("my-registry")}}
+//	merged := install.MergeValues(base, overrides)
+func MergeValues(base, overlay *v1.Values) *v1.Values {
+	if base == nil {
+		return overlay
+	}
+	if overlay == nil {
+		return base
+	}
+	baseMap := helm.FromValues(base)
+	overlayMap := helm.FromValues(overlay)
+	merged := mergeOverwrite(baseMap, overlayMap)
+	result, err := helm.ToValues(merged, &v1.Values{})
+	if err != nil {
+		panic(fmt.Sprintf("failed to convert merged values: %v", err))
+	}
+	return result
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/version.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/version.go
new file mode 100644
index 0000000000..22d11a61c5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/version.go
@@ -0,0 +1,80 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"fmt"
+	"io/fs"
+	"strings"
+
+	"github.com/Masterminds/semver/v3"
+)
+
+// DefaultVersion scans resourceFS for version directories and returns the
+// highest stable (non-prerelease) semver version found.
+// Returns an error if no stable version is found.
+func DefaultVersion(resourceFS fs.FS) (string, error) {
+	entries, err := fs.ReadDir(resourceFS, ".")
+	if err != nil {
+		return "", fmt.Errorf("failed to read resource directory: %w", err)
+	}
+
+	var best *semver.Version
+	var bestName string
+	for _, e := range entries {
+		if !e.IsDir() {
+			continue
+		}
+		name := e.Name()
+		v, err := semver.NewVersion(strings.TrimPrefix(name, "v"))
+		if err != nil {
+			continue // skip non-semver directories
+		}
+		if v.Prerelease() != "" {
+			continue // skip alpha, beta, rc, etc.
+		}
+		if best == nil || v.GreaterThan(best) {
+			best = v
+			bestName = name
+		}
+	}
+	if best == nil {
+		return "", fmt.Errorf("no stable version found in resource filesystem")
+	}
+	return bestName, nil
+}
+
+// NormalizeVersion ensures the version string has a "v" prefix.
+// Returns the input unchanged if it is empty or already starts with "v".
+func NormalizeVersion(version string) string {
+	if version != "" && !strings.HasPrefix(version, "v") {
+		return "v" + version
+	}
+	return version
+}
+
+// ValidateVersion checks that a version directory exists in the resource filesystem.
+// Unlike istioversion.Resolve, this does not support aliases — only concrete
+// version directory names (e.g. "v1.28.3").
+func ValidateVersion(resourceFS fs.FS, version string) error {
+	info, err := fs.Stat(resourceFS, version)
+	if err != nil {
+		return fmt.Errorf("version %q not found in resource filesystem", version)
+	}
+	if !info.IsDir() {
+		return fmt.Errorf("version %q is not a directory", version)
+	}
+	return nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/digests.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/digests.go
new file mode 100644
index 0000000000..fffd86318a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/digests.go
@@ -0,0 +1,70 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istiovalues
+
+import (
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+)
+
+// ApplyDigests applies image digests from configuration, if not already set by user
+func ApplyDigests(version string, values *v1.Values, config config.OperatorConfig) *v1.Values {
+	imageDigests, digestsDefined := config.ImageDigests[version]
+	// if we don't have default image digests defined for this version, it's a no-op
+	if !digestsDefined {
+		return values
+	}
+
+	// if a global hub or tag value is configured by the user, don't set image digests for any components
+	if values != nil && values.Global != nil && (values.Global.Hub != nil || values.Global.Tag != nil) {
+		return values
+	}
+
+	if values == nil {
+		values = &v1.Values{}
+	}
+
+	// set image digests for components unless they've been configured by the user
+	if values.Pilot == nil {
+		values.Pilot = &v1.PilotConfig{}
+	}
+	if values.Pilot.Image == nil && values.Pilot.Hub == nil && values.Pilot.Tag == nil {
+		values.Pilot.Image = &imageDigests.IstiodImage
+	}
+
+	if values.Global == nil {
+		values.Global = &v1.GlobalConfig{}
+	}
+
+	if values.Global.Proxy == nil {
+		values.Global.Proxy = &v1.ProxyConfig{}
+	}
+	if values.Global.Proxy.Image == nil {
+		values.Global.Proxy.Image = &imageDigests.ProxyImage
+	}
+
+	if values.Global.ProxyInit == nil {
+		values.Global.ProxyInit = &v1.ProxyInitConfig{}
+	}
+	if values.Global.ProxyInit.Image == nil {
+		values.Global.ProxyInit.Image = &imageDigests.ProxyImage
+	}
+
+	// TODO: add this once the API supports ambient
+	// if !hasUserDefinedImage("ztunnel", values) {
+	// 	values.ZTunnel.Image = imageDigests.ZTunnelImage
+	// }
+	return values
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go
new file mode 100644
index 0000000000..f8a10f5e47
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go
@@ -0,0 +1,55 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istiovalues
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+)
+
+var (
+	FipsEnabled        bool
+	FipsEnableFilePath = "/proc/sys/crypto/fips_enabled"
+)
+
+// detectFipsMode checks if FIPS mode is enabled in the system.
+func init() {
+	detectFipsMode(FipsEnableFilePath)
+}
+
+func detectFipsMode(filepath string) {
+	contents, err := os.ReadFile(filepath)
+	if err != nil {
+		FipsEnabled = false
+	} else {
+		fipsEnabled := strings.TrimSuffix(string(contents), "\n")
+		if fipsEnabled == "1" {
+			FipsEnabled = true
+		}
+	}
+}
+
+// ApplyFipsValues sets value pilot.env.COMPLIANCE_POLICY if FIPS mode is enabled in the system.
+func ApplyFipsValues(values helm.Values) (helm.Values, error) {
+	if FipsEnabled {
+		if err := values.SetIfAbsent("pilot.env.COMPLIANCE_POLICY", "fips-140-2"); err != nil {
+			return nil, fmt.Errorf("failed to set pilot.env.COMPLIANCE_POLICY: %w", err)
+		}
+	}
+	return values, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/overrides.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/overrides.go
new file mode 100644
index 0000000000..1485d50858
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/overrides.go
@@ -0,0 +1,41 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istiovalues
+
+import (
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+
+	"istio.io/istio/pkg/ptr"
+)
+
+func ApplyOverrides(revisionName string, namespace string, values *v1.Values) {
+	// Set revision name to "" if revision name is "default". This is a temporary fix until we fix the injection
+	// mutatingwebhook manifest; the webhook performs injection on namespaces labeled with "istio-injection: enabled"
+	// only when revision is "", but not also for "default", which it should, since elsewhere in the same manifest,
+	// the "" revision is mapped to "default".
+	if revisionName == v1.DefaultRevision {
+		revisionName = ""
+	}
+	values.Revision = &revisionName
+
+	if values.Global == nil {
+		values.Global = &v1.GlobalConfig{}
+	}
+	values.Global.IstioNamespace = &namespace
+
+	// Force defaultRevision to be empty to prevent creation of the default validator webhook.
+	// This field is deprecated and should be ignored by the operator.
+	values.DefaultRevision = ptr.Of("")
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/profiles.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/profiles.go
new file mode 100644
index 0000000000..92dc11481b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/profiles.go
@@ -0,0 +1,153 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istiovalues
+
+import (
+	"fmt"
+	"io/fs"
+	"path"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"github.com/istio-ecosystem/sail-operator/pkg/reconciler"
+	"gopkg.in/yaml.v3"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	"istio.io/istio/pkg/util/sets"
+)
+
+// ApplyProfilesAndPlatform loads profiles from an fs.FS and applies them with platform settings.
+// Works with embed.FS, os.DirFS, or any other fs.FS implementation.
+func ApplyProfilesAndPlatform(
+	resourceFS fs.FS, version string, platform config.Platform, defaultProfile, userProfile string, userValues helm.Values,
+) (helm.Values, error) {
+	profile := resolve(defaultProfile, userProfile)
+	profilesPath := path.Join(version, "profiles")
+	defaultValues, err := getValuesFromProfiles(resourceFS, profilesPath, profile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get values from profile %q: %w", profile, err)
+	}
+	values := helm.Values(mergeOverwrite(defaultValues, userValues))
+
+	if platform != config.PlatformKubernetes && platform != config.PlatformUndefined {
+		if err = values.SetIfAbsent("global.platform", string(platform)); err != nil {
+			return nil, fmt.Errorf("failed to set global.platform: %w", err)
+		}
+	}
+	return values, nil
+}
+
+func ApplyUserValues(mergedValues, userValues helm.Values,
+) (helm.Values, error) {
+	values := helm.Values(mergeOverwrite(mergedValues, userValues))
+	return values, nil
+}
+
+func resolve(defaultProfile, userProfile string) []string {
+	switch {
+	case userProfile != "" && userProfile != "default":
+		return []string{"default", userProfile}
+	case defaultProfile != "" && defaultProfile != "default":
+		return []string{"default", defaultProfile}
+	default:
+		return []string{"default"}
+	}
+}
+
+func getValuesFromProfiles(resourceFS fs.FS, profilesDir string, profiles []string) (helm.Values, error) {
+	// start with an empty values map
+	values := helm.Values{}
+
+	// apply profiles in order, overwriting values from previous profiles
+	alreadyApplied := sets.New[string]()
+	for _, profile := range profiles {
+		if profile == "" {
+			return nil, reconciler.NewValidationError("profile name cannot be empty")
+		}
+		if alreadyApplied.Contains(profile) {
+			continue
+		}
+		alreadyApplied.Insert(profile)
+
+		file := path.Join(profilesDir, profile+".yaml")
+		// prevent path traversal attacks
+		if path.Dir(file) != profilesDir {
+			return nil, reconciler.NewValidationError(fmt.Sprintf("invalid profile name %s", profile))
+		}
+
+		profileValues, err := getProfileValues(resourceFS, file)
+		if err != nil {
+			return nil, err
+		}
+		values = mergeOverwrite(values, profileValues)
+	}
+
+	return values, nil
+}
+
+func getProfileValues(resourceFS fs.FS, file string) (helm.Values, error) {
+	fileContents, err := fs.ReadFile(resourceFS, file)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read profile file %v: %w", file, err)
+	}
+
+	return parseProfileYAML(fileContents, file)
+}
+
+// parseProfileYAML parses the profile YAML content and extracts spec.values
+func parseProfileYAML(fileContents []byte, filename string) (helm.Values, error) {
+	var profile map[string]any
+	err := yaml.Unmarshal(fileContents, &profile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal profile YAML %s: %w", filename, err)
+	}
+
+	val, found, err := unstructured.NestedFieldNoCopy(profile, "spec", "values")
+	if !found || err != nil {
+		return nil, err
+	}
+	m, ok := val.(map[string]any)
+	if !ok {
+		return nil, fmt.Errorf("spec.values is not a map[string]any")
+	}
+	return m, nil
+}
+
+func mergeOverwrite(base map[string]any, overrides map[string]any) map[string]any {
+	if base == nil {
+		base = make(map[string]any, 1)
+	}
+
+	for key, value := range overrides {
+		// if the key doesn't already exist, add it
+		if _, exists := base[key]; !exists {
+			base[key] = value
+			continue
+		}
+
+		// At this point, key exists in both base and overrides.
+		// If both are maps, recurse so that we override only specific values in the map.
+		// If only override value is a map, overwrite base value completely.
+		// If both are values, overwrite base.
+		childOverrides, overrideValueIsMap := value.(map[string]any)
+		childBase, baseValueIsMap := base[key].(map[string]any)
+		if baseValueIsMap && overrideValueIsMap {
+			base[key] = mergeOverwrite(childBase, childOverrides)
+		} else {
+			base[key] = value
+		}
+	}
+	return base
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go
new file mode 100644
index 0000000000..531efb98ba
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go
@@ -0,0 +1,119 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istiovalues
+
+import (
+	_ "embed"
+	"fmt"
+	"strings"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"gopkg.in/yaml.v3"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+var (
+	//go:embed vendor_defaults.yaml
+	vendorDefaultsYAML []byte
+	vendorDefaults     map[string]map[string]any
+)
+
+func init() {
+	vendorDefaults = MustParseVendorDefaultsYAML(vendorDefaultsYAML)
+}
+
+func MustParseVendorDefaultsYAML(defaultsYAML []byte) map[string]map[string]any {
+	var parsedDefaults map[string]map[string]any
+	err := yaml.Unmarshal(defaultsYAML, &parsedDefaults)
+	if err != nil {
+		panic("failed to read vendor_defaults.yaml: " + err.Error())
+	}
+	return parsedDefaults
+}
+
+// OverrideVendorDefaults allows tests to override the vendor defaults
+func OverrideVendorDefaults(defaults map[string]map[string]any) {
+	// Set the vendorDefaults to the provided defaults for testing purposes.
+	// This allows tests to override the defaults without modifying the original file.
+	vendorDefaults = defaults
+}
+
+// ApplyIstioVendorDefaults applies vendor-specific default values to the provided
+// Istio configuration (*v1.Values) for a given Istio version.
+func ApplyIstioVendorDefaults(version string, values *v1.Values) (*v1.Values, error) {
+	// Convert the specific *v1.Values struct to a generic map[string]any
+	userHelmValues := helm.FromValues(values)
+
+	mergedHelmValues, err := applyVendorDefaultsForResourceType(version, v1.IstioKind, userHelmValues)
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply vendor defaults for istio: %w", err)
+	}
+
+	finalValues, err := helm.ToValues(mergedHelmValues, &v1.Values{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to convert merged values back to *v1.Values: %w", err)
+	}
+
+	return finalValues, nil
+}
+
+// ApplyIstioCNIVendorDefaults applies vendor-specific default values to the provided
+// Istio CNI configuration (*v1.CNIValues) for a given Istio version.
+func ApplyIstioCNIVendorDefaults(version string, values *v1.CNIValues) (*v1.CNIValues, error) {
+	// Convert the specific *v1.CNIValues struct to a generic map[string]any
+	userHelmValues := helm.FromValues(values)
+
+	mergedHelmValues, err := applyVendorDefaultsForResourceType(version, v1.IstioCNIKind, userHelmValues)
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply vendor defaults for istiocni: %w", err)
+	}
+
+	finalValues, err := helm.ToValues(mergedHelmValues, &v1.CNIValues{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to convert merged values back to *v1.CNIValues: %w", err)
+	}
+
+	return finalValues, nil
+}
+
+// applyVendorDefaultsForResourceType retrieves defaults for
+// a given version and resourceType, current valid resources are: "istio" and "istiocni"
+// It returns the merged map and an error if the defaults are not found or malformed.
+// The userValuesMap is the 'base', and resource-specific defaults are 'overrides'.
+func applyVendorDefaultsForResourceType(version, resourceType string, userValuesMap map[string]any) (map[string]any, error) {
+	if len(vendorDefaults) == 0 {
+		return userValuesMap, nil // No vendor defaults defined
+	}
+
+	versionSpecificDefaults, versionExists := vendorDefaults[version]
+	if !versionExists {
+		return userValuesMap, nil // No vendor defaults defined for this version
+	}
+
+	resourceSpecificDefaults, resourceExists := versionSpecificDefaults[strings.ToLower(resourceType)]
+	if !resourceExists {
+		return userValuesMap, nil // No vendor defaults defined for this resource type in this version
+	}
+
+	// Check if the resource-specific defaults are a map[string]any
+	resourceSpecificDefaultsMap, ok := resourceSpecificDefaults.(map[string]any)
+	if !ok {
+		return nil, fmt.Errorf("vendor defaults for resource '%s' (version '%s') are not a map[string]any", resourceType, version)
+	}
+
+	valsMap := runtime.DeepCopyJSON(resourceSpecificDefaultsMap)
+	return mergeOverwrite(valsMap, userValuesMap), nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml
new file mode 100644
index 0000000000..49f50e6bc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml
@@ -0,0 +1,17 @@
+# This file can be overwritten in vendor distributions of sail-operator to set
+# vendor-specific defaults. You can configure version-specific defaults for
+# every field in `spec.values` for both Istio and IstioCNI resource, 
+# see the following example:
+# 
+# v1.26.0:
+#   istio:
+#     pilot:
+#       env:
+#         test: "true"
+#   istiocni:
+#     cni:
+#       cniConfDir: custom/cni/conf/dir
+#
+# These defaults are type-checked at compile time.
+# Note: After modifying this file, run `make test` to ensure that the
+# generated defaults values from this files are valid.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/version.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/version.go
new file mode 100644
index 0000000000..1eefc0bbdf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/version.go
@@ -0,0 +1,178 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istioversion
+
+import (
+	"embed"
+	"fmt"
+	"maps"
+	"slices"
+	"sort"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/istio-ecosystem/sail-operator/pkg/env"
+	"gopkg.in/yaml.v3"
+
+	"istio.io/istio/pkg/log"
+)
+
+var (
+	//go:embed *.yaml
+	versionsFiles embed.FS
+
+	// versionsFilename is set via ldflags when building the binary and via an environment variable when running tests
+	versionsFilename = ""
+)
+
+// Versions represents the top-level structure of versions.yaml
+type Versions struct {
+	Versions []VersionInfo `json:"versions"`
+}
+
+// AliasInfo contains information about version aliases
+type AliasInfo struct {
+	Name string `json:"name"`
+	Ref  string `json:"ref"`
+}
+
+// VersionInfo contains information about a specific Istio version
+type VersionInfo struct {
+	Name    string          `json:"name"`
+	Ref     string          `json:"ref"`
+	Version *semver.Version `json:"version"`
+	Repo    string          `json:"repo"`
+	Branch  string          `json:"branch,omitempty"`
+	Commit  string          `json:"commit"`
+	Charts  []string        `json:"charts,omitempty"`
+	EOL     bool            `json:"eol"`
+}
+
+var (
+	// List contains all supported versions. Does not include aliases
+	List []VersionInfo
+	// Map contains version info mapped by version name. Includes mappings for aliases
+	Map map[string]VersionInfo
+	// Default is the default version
+	Default string
+	// Base is the previous supported version
+	Base string
+	// New is the latest version
+	New string
+	// aliasList is the alias for the version
+	aliasList []AliasInfo
+	// EOL is a list of version names that have gone out of support
+	EOL []string
+)
+
+func Resolve(version string) (string, error) {
+	info, ok := Map[version]
+	if !ok {
+		return "", fmt.Errorf("version %q not found", version)
+	}
+	return info.Name, nil
+}
+
+func init() {
+	// we can't use ldflags when running tests, use an env variable instead
+	// tmp workaround for https://github.com/golang/go/issues/64246
+	if versionsFilename == "" {
+		versionsFilename = env.Get("VERSIONS_YAML_FILE", "versions.yaml")
+	}
+	log.Info("loading supported istio versions from " + versionsFilename)
+	// Read the embedded versions.yaml file
+	data, err := versionsFiles.ReadFile(versionsFilename)
+	if err != nil {
+		panic(fmt.Errorf("failed to read versions from '%s': %w", versionsFilename, err))
+	}
+
+	List, Default, Base, New, Map, aliasList, EOL = mustParseVersionsYaml(data)
+}
+
+func mustParseVersionsYaml(yamlBytes []byte) (
+	list []VersionInfo,
+	defaultVersion string,
+	baseVersion string,
+	newVersion string,
+	versionMap map[string]VersionInfo,
+	aliasList []AliasInfo,
+	eolVersions []string,
+) {
+	versions := Versions{}
+	err := yaml.Unmarshal(yamlBytes, &versions)
+	if err != nil {
+		panic(fmt.Errorf("failed to parse versions data: %w", err))
+	}
+
+	versionMap = make(map[string]VersionInfo)
+
+	for _, v := range versions.Versions {
+		if v.EOL {
+			eolVersions = append(eolVersions, v.Name)
+			continue
+		}
+		if v.Ref == "" {
+			list = append(list, v)
+			versionMap[v.Name] = v
+		} else {
+			if v.Version != nil || v.Repo != "" || v.Commit != "" || v.Branch != "" || len(v.Charts) > 0 {
+				panic(fmt.Errorf("version %q has aliasFor set but the other fields cannot be specified", v.Name))
+			}
+			aliasList = append(aliasList, AliasInfo{
+				Name: v.Name,
+				Ref:  v.Ref,
+			})
+		}
+	}
+
+	// Process aliases after all versions are in the lookup map
+	for _, a := range aliasList {
+		v, ok := versionMap[a.Ref]
+		if !ok {
+			panic(fmt.Errorf("version %q not found", a.Ref))
+		}
+		versionMap[a.Name] = v
+	}
+
+	if len(list) > 0 {
+		newVersion = list[0].Name
+		defaultVersion = newVersion
+		if len(list) > 1 {
+			baseVersion = list[1].Name
+		}
+	}
+
+	return list, defaultVersion, baseVersion, newVersion, versionMap, aliasList, eolVersions
+}
+
+// GetLatestPatchVersions returns the latest patch versions for all the Major.Minor versions
+func GetLatestPatchVersions() []VersionInfo {
+	latestPatchVersions := make(map[string]VersionInfo)
+	for _, version := range List {
+		majorMinorVersion := fmt.Sprintf("%d.%d", version.Version.Major(), version.Version.Minor())
+		latestPatchVersion, ok := latestPatchVersions[majorMinorVersion]
+		if !ok || version.Version.GreaterThan(latestPatchVersion.Version) {
+			latestPatchVersions[majorMinorVersion] = version
+		}
+	}
+
+	latestSlice := slices.Collect(maps.Values(latestPatchVersions))
+
+	// Sort the slice in descending order based on the version.
+	sort.Slice(latestSlice, func(i, j int) bool {
+		return latestSlice[i].Version.GreaterThan(latestSlice[j].Version)
+	})
+
+	return latestSlice
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml
new file mode 100644
index 0000000000..c8a2d4dabe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml
@@ -0,0 +1,211 @@
+# This file defines all the Istio versions supported by this operator.
+
+# The list of versions to support. Each item specifies the name of the version,
+# the Git repository and commit hash for retrieving the profiles, and
+# a list of URLs for retrieving the charts.
+# The first item in the list is the default version.
+#
+# IMPORTANT: in addition to the versions specified here, the versions of the
+# istio.io/istio and istio.io/api dependencies defined in go.mod must also be
+# updated to match the most recent version specified here. The versions in
+# go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision),
+# as well as all the Istio CRDs (e.g. VirtualService).
+#
+# Versions marked as `eol: true` will not be installable, so no chart URLs are
+# required. They will stay valid input values for the spec.version field though,
+# to avoid breaking API guarantees.
+versions:
+  - name: v1.28-latest
+    ref: v1.28.3
+  - name: v1.28.3
+    version: 1.28.3
+    repo: https://github.com/istio/istio
+    commit: 1.28.3
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.28.3.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.28.3.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.28.3.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.28.3.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.3.tgz
+  - name: v1.28.2
+    version: 1.28.2
+    repo: https://github.com/istio/istio
+    commit: 1.28.2
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.28.2.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.28.2.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.28.2.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.28.2.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.2.tgz
+  - name: v1.28.1
+    version: 1.28.1
+    repo: https://github.com/istio/istio
+    commit: 1.28.1
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.28.1.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.28.1.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.28.1.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.28.1.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.1.tgz
+  - name: v1.28.0
+    version: 1.28.0
+    repo: https://github.com/istio/istio
+    commit: 1.28.0
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.28.0.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.28.0.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.28.0.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.28.0.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.0.tgz
+  - name: v1.27-latest
+    ref: v1.27.5
+  - name: v1.27.5
+    version: 1.27.5
+    repo: https://github.com/istio/istio
+    commit: 1.27.5
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.27.5.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.27.5.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.27.5.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.27.5.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.5.tgz
+  - name: v1.27.4
+    version: 1.27.4
+    repo: https://github.com/istio/istio
+    commit: 1.27.4
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.27.4.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.27.4.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.27.4.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.27.4.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.4.tgz
+  - name: v1.27.3
+    version: 1.27.3
+    repo: https://github.com/istio/istio
+    commit: 1.27.3
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.27.3.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.27.3.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.27.3.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.27.3.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.3.tgz
+  - name: v1.27.2
+    version: 1.27.2
+    repo: https://github.com/istio/istio
+    commit: 1.27.2
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.27.2.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.27.2.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.27.2.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.27.2.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.2.tgz
+  - name: v1.27.1
+    version: 1.27.1
+    repo: https://github.com/istio/istio
+    commit: 1.27.1
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.27.1.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.27.1.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.27.1.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.27.1.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.1.tgz
+  - name: v1.27.0
+    version: 1.27.0
+    repo: https://github.com/istio/istio
+    commit: 1.27.0
+    charts:
+      - https://istio-release.storage.googleapis.com/charts/base-1.27.0.tgz
+      - https://istio-release.storage.googleapis.com/charts/istiod-1.27.0.tgz
+      - https://istio-release.storage.googleapis.com/charts/gateway-1.27.0.tgz
+      - https://istio-release.storage.googleapis.com/charts/cni-1.27.0.tgz
+      - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.0.tgz
+  - name: v1.26-latest
+    ref: v1.26.8
+    eol: true
+  - name: v1.26.8
+    eol: true
+  - name: v1.26.7
+    eol: true
+  - name: v1.26.6
+    eol: true
+  - name: v1.26.5
+    eol: true
+  - name: v1.26.4
+    eol: true
+  - name: v1.26.3
+    eol: true
+  - name: v1.26.2
+    eol: true
+  - name: v1.26.1
+    eol: true
+  - name: v1.26.0
+    eol: true
+  - name: v1.25-latest
+    ref: v1.25.5
+    eol: true
+  - name: v1.25.5
+    eol: true
+  - name: v1.25.4
+    eol: true
+  - name: v1.25.3
+    eol: true
+  - name: v1.25.2
+    eol: true
+  - name: v1.25.1
+    eol: true
+  - name: v1.24-latest
+    ref: v1.24.6
+    eol: true
+  - name: v1.24.6
+    eol: true
+  - name: v1.24.5
+    eol: true
+  - name: v1.24.4
+    eol: true
+  - name: v1.24.3
+    eol: true
+  - name: v1.24.2
+    eol: true
+  - name: v1.24.1
+    eol: true
+  - name: v1.24.0
+    eol: true
+  - name: v1.23-latest
+    ref: v1.23.6
+    eol: true
+  - name: v1.23.6
+    eol: true
+  - name: v1.23.5
+    eol: true
+  - name: v1.23.4
+    eol: true
+  - name: v1.23.3
+    eol: true
+  - name: v1.23.2
+    eol: true
+  - name: v1.22-latest
+    ref: v1.22.8
+    eol: true
+  - name: v1.22.8
+    eol: true
+  - name: v1.22.7
+    eol: true
+  - name: v1.22.6
+    eol: true
+  - name: v1.22.5
+    eol: true
+  - name: v1.21.6
+    eol: true
+  - name: master
+    ref: v1.30-alpha.a30ad733
+  - name: v1.30-alpha.a30ad733
+    version: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+    repo: https://github.com/istio/istio
+    branch: master
+    commit: a30ad73344d771ce45cba8a1d17b6bb2c209119d
+    charts:
+      - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d/helm/base-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d/helm/cni-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d/helm/gateway-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d/helm/istiod-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz
+      - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d/helm/ztunnel-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/finalizers.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/finalizers.go
new file mode 100644
index 0000000000..79db46cf2d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/finalizers.go
@@ -0,0 +1,79 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kube
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"time"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+
+	"istio.io/istio/pkg/util/sets"
+)
+
+const conflictRequeueDelay = 2 * time.Second
+
+func HasFinalizer(obj client.Object, finalizer string) bool {
+	return slices.Contains(obj.GetFinalizers(), finalizer)
+}
+
+func RemoveFinalizer(ctx context.Context, cl client.Client, obj client.Object, finalizer string) (ctrl.Result, error) {
+	log := logf.FromContext(ctx).WithValues("finalizer", finalizer)
+
+	finalizers := sets.New(obj.GetFinalizers()...)
+	finalizers.Delete(finalizer)
+	obj.SetFinalizers(finalizers.UnsortedList())
+
+	err := cl.Update(ctx, obj)
+	if errors.IsNotFound(err) {
+		log.Info("Resource no longer exists; no need to remove finalizer")
+		return ctrl.Result{}, nil
+	} else if errors.IsConflict(err) {
+		log.Info("Conflict while removing finalizer; will retry")
+		return ctrl.Result{RequeueAfter: conflictRequeueDelay}, nil
+	} else if err != nil {
+		return ctrl.Result{}, fmt.Errorf("could not remove finalizer from %s/%s: %w", obj.GetNamespace(), obj.GetName(), err)
+	}
+
+	log.Info("Removed finalizer")
+	return ctrl.Result{}, nil
+}
+
+func AddFinalizer(ctx context.Context, cl client.Client, obj client.Object, finalizer string) (ctrl.Result, error) {
+	log := logf.FromContext(ctx).WithValues("finalizer", finalizer)
+
+	finalizers := sets.New(obj.GetFinalizers()...)
+	finalizers.Insert(finalizer)
+	obj.SetFinalizers(finalizers.UnsortedList())
+
+	err := cl.Update(ctx, obj)
+	if errors.IsNotFound(err) {
+		log.Info("Resource no longer exists; no need to add finalizer")
+		return ctrl.Result{}, nil
+	} else if errors.IsConflict(err) {
+		log.Info("Conflict while adding finalizer; will retry")
+		return ctrl.Result{RequeueAfter: conflictRequeueDelay}, nil
+	} else if err != nil {
+		return ctrl.Result{}, fmt.Errorf("could not add finalizer to %s/%s: %w", obj.GetNamespace(), obj.GetName(), err)
+	}
+
+	log.Info("Added finalizer")
+	return ctrl.Result{}, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/key.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/key.go
new file mode 100644
index 0000000000..98e3f19469
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/key.go
@@ -0,0 +1,27 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kube
+
+import "sigs.k8s.io/controller-runtime/pkg/client"
+
+// Key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped
+func Key(name string, namespace ...string) client.ObjectKey {
+	if len(namespace) > 1 {
+		panic("you can only provide one namespace")
+	} else if len(namespace) == 1 {
+		return client.ObjectKey{Name: name, Namespace: namespace[0]}
+	}
+	return client.ObjectKey{Name: name}
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/status_patch.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/status_patch.go
new file mode 100644
index 0000000000..e6af587b7a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/status_patch.go
@@ -0,0 +1,52 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kube
+
+import (
+	"encoding/json"
+
+	"gomodules.xyz/jsonpatch/v2"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type StatusPatch struct {
+	status any
+}
+
+func NewStatusPatch(status any) *StatusPatch {
+	return &StatusPatch{
+		status: status,
+	}
+}
+
+func (p *StatusPatch) Type() types.PatchType {
+	return types.JSONPatchType
+}
+
+func (p *StatusPatch) Data(obj client.Object) ([]byte, error) {
+	data := []jsonpatch.Operation{
+		{
+			Operation: "replace",
+			Path:      "/status",
+			Value:     p.status,
+		},
+	}
+	statusJSON, err := json.Marshal(data)
+	if err != nil {
+		return nil, err
+	}
+	return statusJSON, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/cni.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/cni.go
new file mode 100644
index 0000000000..e86f519220
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/cni.go
@@ -0,0 +1,158 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reconcile
+
+import (
+	"context"
+	"fmt"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"github.com/istio-ecosystem/sail-operator/pkg/istiovalues"
+	"github.com/istio-ecosystem/sail-operator/pkg/istioversion"
+	"github.com/istio-ecosystem/sail-operator/pkg/reconciler"
+	"github.com/istio-ecosystem/sail-operator/pkg/validation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	cniReleaseName = "istio-cni"
+	cniChartName   = "cni"
+)
+
+// CNIReconciler handles reconciliation of the istio-cni component.
+type CNIReconciler struct {
+	cfg    Config
+	client client.Client
+}
+
+// NewCNIReconciler creates a new CNIReconciler.
+func NewCNIReconciler(cfg Config, client client.Client) *CNIReconciler {
+	return &CNIReconciler{
+		cfg:    cfg,
+		client: client,
+	}
+}
+
+// Validate performs general validation of the CNI specification.
+// This includes basic field validation and Kubernetes API checks (namespace exists).
+func (r *CNIReconciler) Validate(ctx context.Context, version, namespace string) error {
+	if version == "" {
+		return reconciler.NewValidationError("version not set")
+	}
+	if namespace == "" {
+		return reconciler.NewValidationError("namespace not set")
+	}
+
+	// Validate target namespace exists
+	if err := validation.ValidateTargetNamespace(ctx, r.client, namespace); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ComputeValues computes the final Helm values by applying digests, vendor defaults, and profiles.
+func (r *CNIReconciler) ComputeValues(version string, userValues *v1.CNIValues, profile string) (helm.Values, error) {
+	resolvedVersion, err := istioversion.Resolve(version)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve CNI version: %w", err)
+	}
+
+	// Apply image digests from configuration, if not already set by user
+	userValues = ApplyCNIImageDigests(resolvedVersion, userValues, config.Config)
+
+	// Apply vendor-specific default values
+	userValues, err = istiovalues.ApplyIstioCNIVendorDefaults(resolvedVersion, userValues)
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply vendor defaults: %w", err)
+	}
+
+	// Apply userValues on top of defaultValues from profiles
+	mergedHelmValues, err := istiovalues.ApplyProfilesAndPlatform(
+		r.cfg.ResourceFS, resolvedVersion, r.cfg.Platform, r.cfg.DefaultProfile, profile, helm.FromValues(userValues))
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply profile: %w", err)
+	}
+
+	return mergedHelmValues, nil
+}
+
+// Install installs or upgrades the istio-cni Helm chart.
+func (r *CNIReconciler) Install(ctx context.Context, version, namespace string, values *v1.CNIValues, profile string, ownerRef *metav1.OwnerReference) error {
+	mergedHelmValues, err := r.ComputeValues(version, values, profile)
+	if err != nil {
+		return err
+	}
+
+	resolvedVersion, err := istioversion.Resolve(version)
+	if err != nil {
+		return fmt.Errorf("failed to resolve CNI version: %w", err)
+	}
+
+	chartPath := GetChartPath(resolvedVersion, cniChartName)
+	_, err = r.cfg.ChartManager.UpgradeOrInstallChart(
+		ctx,
+		r.cfg.ResourceFS,
+		chartPath,
+		mergedHelmValues,
+		namespace,
+		cniReleaseName,
+		ownerRef,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to install/update Helm chart %q: %w", cniChartName, err)
+	}
+	return nil
+}
+
+// Uninstall removes the istio-cni Helm chart.
+func (r *CNIReconciler) Uninstall(ctx context.Context, namespace string) error {
+	_, err := r.cfg.ChartManager.UninstallChart(ctx, cniReleaseName, namespace)
+	if err != nil {
+		return fmt.Errorf("failed to uninstall Helm chart %q: %w", cniChartName, err)
+	}
+	return nil
+}
+
+// ApplyCNIImageDigests applies image digests to CNI values if not already set by user.
+// This function is exported for use by the controller and library.
+func ApplyCNIImageDigests(version string, values *v1.CNIValues, cfg config.OperatorConfig) *v1.CNIValues {
+	imageDigests, digestsDefined := cfg.ImageDigests[version]
+	// if we don't have default image digests defined for this version, it's a no-op
+	if !digestsDefined {
+		return values
+	}
+
+	// if a global hub or tag value is configured by the user, don't set image digests
+	if values != nil && values.Global != nil && (values.Global.Hub != nil || values.Global.Tag != nil) {
+		return values
+	}
+
+	if values == nil {
+		values = &v1.CNIValues{}
+	}
+
+	// set image digest unless any part of the image has been configured by the user
+	if values.Cni == nil {
+		values.Cni = &v1.CNIConfig{}
+	}
+	if values.Cni.Image == nil && values.Cni.Hub == nil && values.Cni.Tag == nil {
+		values.Cni.Image = &imageDigests.CNIImage
+	}
+	return values
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/common.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/common.go
new file mode 100644
index 0000000000..047cc835a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/common.go
@@ -0,0 +1,51 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package reconcile provides shared reconciliation logic for Istio components.
+// It is used by both the operator controllers and the install library to ensure
+// consistent behavior across different deployment modes.
+package reconcile
+
+import (
+	"io/fs"
+	"path"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+)
+
+// Config holds configuration needed for component reconciliation.
+// It contains all the dependencies required by reconcilers to validate,
+// compute values, and install Helm charts.
+type Config struct {
+	// ResourceFS is the filesystem containing Istio charts and profiles
+	ResourceFS fs.FS
+
+	// Platform is the target Kubernetes platform (e.g., OpenShift, vanilla Kubernetes)
+	Platform config.Platform
+
+	// DefaultProfile is the base profile applied before user-selected profiles
+	DefaultProfile string
+
+	// OperatorNamespace is the namespace where the operator is running
+	OperatorNamespace string
+
+	// ChartManager handles Helm chart installation and upgrades
+	ChartManager *helm.ChartManager
+}
+
+// GetChartPath returns the path to a chart for a given version.
+func GetChartPath(version, chartName string) string {
+	return path.Join(version, "charts", chartName)
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/istiod.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/istiod.go
new file mode 100644
index 0000000000..752b91f6ab
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/istiod.go
@@ -0,0 +1,138 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reconcile
+
+import (
+	"context"
+	"fmt"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/constants"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"github.com/istio-ecosystem/sail-operator/pkg/reconciler"
+	"github.com/istio-ecosystem/sail-operator/pkg/validation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// IstiodReconciler handles reconciliation of the istiod component.
+type IstiodReconciler struct {
+	cfg    Config
+	client client.Client
+}
+
+// NewIstiodReconciler creates a new IstiodReconciler.
+func NewIstiodReconciler(cfg Config, client client.Client) *IstiodReconciler {
+	return &IstiodReconciler{
+		cfg:    cfg,
+		client: client,
+	}
+}
+
+// Validate performs general validation of the istiod specification.
+// This includes basic field validation and Kubernetes API checks (namespace exists).
+// CRD-specific validations (revision name consistency, IstioRevisionTag conflicts)
+// should be performed by the controller before calling this method.
+func (r *IstiodReconciler) Validate(ctx context.Context, version, namespace string, values *v1.Values) error {
+	if version == "" {
+		return reconciler.NewValidationError("version not set")
+	}
+	if namespace == "" {
+		return reconciler.NewValidationError("namespace not set")
+	}
+	if values == nil {
+		return reconciler.NewValidationError("values not set")
+	}
+
+	// Validate target namespace exists
+	if err := validation.ValidateTargetNamespace(ctx, r.client, namespace); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Install installs or upgrades the istiod Helm charts.
+func (r *IstiodReconciler) Install(
+	ctx context.Context,
+	version, namespace string,
+	values *v1.Values,
+	revisionName string,
+	ownerRef *metav1.OwnerReference,
+) error {
+	helmValues := helm.FromValues(values)
+
+	// Install istiod chart
+	istiodChartPath := GetChartPath(version, constants.IstiodChartName)
+	istiodReleaseName := getReleaseName(revisionName, constants.IstiodChartName)
+
+	_, err := r.cfg.ChartManager.UpgradeOrInstallChart(
+		ctx,
+		r.cfg.ResourceFS,
+		istiodChartPath,
+		helmValues,
+		namespace,
+		istiodReleaseName,
+		ownerRef,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to install/update Helm chart %q: %w", constants.IstiodChartName, err)
+	}
+
+	// Install base chart for default revision
+	if revisionName == v1.DefaultRevision {
+		baseChartPath := GetChartPath(version, constants.BaseChartName)
+		baseReleaseName := getReleaseName(revisionName, constants.BaseChartName)
+
+		_, err := r.cfg.ChartManager.UpgradeOrInstallChart(
+			ctx,
+			r.cfg.ResourceFS,
+			baseChartPath,
+			helmValues,
+			r.cfg.OperatorNamespace,
+			baseReleaseName,
+			ownerRef,
+		)
+		if err != nil {
+			return fmt.Errorf("failed to install/update Helm chart %q: %w", constants.BaseChartName, err)
+		}
+	}
+
+	return nil
+}
+
+// Uninstall removes the istiod Helm charts.
+func (r *IstiodReconciler) Uninstall(ctx context.Context, namespace, revisionName string) error {
+	// Uninstall istiod chart
+	istiodReleaseName := getReleaseName(revisionName, constants.IstiodChartName)
+	if _, err := r.cfg.ChartManager.UninstallChart(ctx, istiodReleaseName, namespace); err != nil {
+		return fmt.Errorf("failed to uninstall Helm chart %q: %w", constants.IstiodChartName, err)
+	}
+
+	// Uninstall base chart for default revision
+	if revisionName == v1.DefaultRevision {
+		baseReleaseName := getReleaseName(revisionName, constants.BaseChartName)
+		if _, err := r.cfg.ChartManager.UninstallChart(ctx, baseReleaseName, r.cfg.OperatorNamespace); err != nil {
+			return fmt.Errorf("failed to uninstall Helm chart %q: %w", constants.BaseChartName, err)
+		}
+	}
+
+	return nil
+}
+
+// getReleaseName returns the Helm release name for a given revision and chart.
+func getReleaseName(revisionName, chartName string) string {
+	return fmt.Sprintf("%s-%s", revisionName, chartName)
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go
new file mode 100644
index 0000000000..11712279e4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go
@@ -0,0 +1,166 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reconcile
+
+import (
+	"context"
+	"fmt"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"github.com/istio-ecosystem/sail-operator/pkg/istiovalues"
+	"github.com/istio-ecosystem/sail-operator/pkg/istioversion"
+	"github.com/istio-ecosystem/sail-operator/pkg/reconciler"
+	"github.com/istio-ecosystem/sail-operator/pkg/validation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	ztunnelReleaseName = "ztunnel"
+	ztunnelChartName   = "ztunnel"
+	ztunnelProfile     = "ambient"
+)
+
+// ZTunnelReconciler handles reconciliation of the ztunnel component.
+type ZTunnelReconciler struct {
+	cfg    Config
+	client client.Client
+}
+
+// NewZTunnelReconciler creates a new ZTunnelReconciler.
+func NewZTunnelReconciler(cfg Config, client client.Client) *ZTunnelReconciler {
+	return &ZTunnelReconciler{
+		cfg:    cfg,
+		client: client,
+	}
+}
+
+// Validate performs general validation of the ZTunnel specification.
+// This includes basic field validation and Kubernetes API checks (namespace exists).
+func (r *ZTunnelReconciler) Validate(ctx context.Context, version, namespace string) error {
+	if version == "" {
+		return reconciler.NewValidationError("version not set")
+	}
+	if namespace == "" {
+		return reconciler.NewValidationError("namespace not set")
+	}
+
+	// Validate target namespace exists
+	if err := validation.ValidateTargetNamespace(ctx, r.client, namespace); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ComputeValues computes the final Helm values by applying digests, profiles, and user overrides.
+func (r *ZTunnelReconciler) ComputeValues(version string, userValues *v1.ZTunnelValues) (helm.Values, error) {
+	resolvedVersion, err := istioversion.Resolve(version)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve ZTunnel version: %w", err)
+	}
+
+	if userValues == nil {
+		userValues = &v1.ZTunnelValues{}
+	}
+
+	// Apply image digests from configuration, if not already set by user
+	userValues = ApplyZTunnelImageDigests(resolvedVersion, userValues, config.Config)
+
+	// Apply userValues on top of defaultValues from profiles
+	mergedHelmValues, err := istiovalues.ApplyProfilesAndPlatform(
+		r.cfg.ResourceFS, resolvedVersion, r.cfg.Platform, r.cfg.DefaultProfile, ztunnelProfile, helm.FromValues(userValues))
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply profile: %w", err)
+	}
+
+	// Apply any user Overrides configured as part of values.ztunnel
+	// This step was not required for the IstioCNI resource because the Helm templates[*] automatically override values.cni
+	// [*]https://github.com/istio/istio/blob/0200fd0d4c3963a72f36987c2e8c2887df172abf/manifests/charts/istio-cni/templates/zzy_descope_legacy.yaml#L3
+	// However, ztunnel charts do not have such a file, hence we are manually applying the mergeOperation here.
+	finalHelmValues, err := istiovalues.ApplyUserValues(helm.FromValues(mergedHelmValues), helm.FromValues(userValues.ZTunnel))
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply user overrides: %w", err)
+	}
+
+	return finalHelmValues, nil
+}
+
+// Install installs or upgrades the ztunnel Helm chart.
+func (r *ZTunnelReconciler) Install(ctx context.Context, version, namespace string, values *v1.ZTunnelValues, ownerRef *metav1.OwnerReference) error {
+	finalHelmValues, err := r.ComputeValues(version, values)
+	if err != nil {
+		return err
+	}
+
+	resolvedVersion, err := istioversion.Resolve(version)
+	if err != nil {
+		return fmt.Errorf("failed to resolve ZTunnel version: %w", err)
+	}
+
+	chartPath := GetChartPath(resolvedVersion, ztunnelChartName)
+	_, err = r.cfg.ChartManager.UpgradeOrInstallChart(
+		ctx,
+		r.cfg.ResourceFS,
+		chartPath,
+		finalHelmValues,
+		namespace,
+		ztunnelReleaseName,
+		ownerRef,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to install/update Helm chart %q: %w", ztunnelChartName, err)
+	}
+	return nil
+}
+
+// Uninstall removes the ztunnel Helm chart.
+func (r *ZTunnelReconciler) Uninstall(ctx context.Context, namespace string) error {
+	_, err := r.cfg.ChartManager.UninstallChart(ctx, ztunnelReleaseName, namespace)
+	if err != nil {
+		return fmt.Errorf("failed to uninstall Helm chart %q: %w", ztunnelChartName, err)
+	}
+	return nil
+}
+
+// ApplyZTunnelImageDigests applies image digests to ZTunnel values if not already set by user.
+// This function is exported for use by the controller and library.
+func ApplyZTunnelImageDigests(version string, values *v1.ZTunnelValues, cfg config.OperatorConfig) *v1.ZTunnelValues {
+	imageDigests, digestsDefined := cfg.ImageDigests[version]
+	// if we don't have default image digests defined for this version, it's a no-op
+	if !digestsDefined {
+		return values
+	}
+
+	// if a global hub or tag value is configured by the user, don't set image digests
+	if values != nil && values.Global != nil && (values.Global.Hub != nil || values.Global.Tag != nil) {
+		return values
+	}
+
+	if values == nil {
+		values = &v1.ZTunnelValues{}
+	}
+
+	// set image digest unless any part of the image has been configured by the user
+	if values.ZTunnel == nil {
+		values.ZTunnel = &v1.ZTunnelConfig{}
+	}
+	if values.ZTunnel.Image == nil && values.ZTunnel.Hub == nil && values.ZTunnel.Tag == nil {
+		values.ZTunnel.Image = &imageDigests.ZTunnelImage
+	}
+	return values
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/errors.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/errors.go
new file mode 100644
index 0000000000..d295d5b191
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/errors.go
@@ -0,0 +1,79 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reconciler
+
+import "errors"
+
+type ValidationError struct {
+	message string
+}
+
+func (v ValidationError) Error() string {
+	return "validation error: " + v.message
+}
+
+func NewValidationError(message string) error {
+	return &ValidationError{message: message}
+}
+
+func IsValidationError(err error) bool {
+	e := &ValidationError{}
+	return errors.As(err, &e)
+}
+
+// TransientError is an error returned by a Reconciler that will usually resolve itself when retrying, e.g. some resource not yet reconciled
+type TransientError struct {
+	message string
+}
+
+func (v TransientError) Error() string {
+	return "transient error: " + v.message
+}
+
+func NewTransientError(message string) error {
+	return &TransientError{message: message}
+}
+
+func IsTransientError(err error) bool {
+	e := &TransientError{}
+	return errors.As(err, &e)
+}
+
+type NameAlreadyExistsError struct {
+	Message       string
+	originalError error
+}
+
+func (err NameAlreadyExistsError) Error() string {
+	return err.Message
+}
+
+func (err NameAlreadyExistsError) Unwrap() error {
+	return err.originalError
+}
+
+func NewNameAlreadyExistsError(message string, originalError error) NameAlreadyExistsError {
+	return NameAlreadyExistsError{
+		Message:       message,
+		originalError: originalError,
+	}
+}
+
+func IsNameAlreadyExistsError(err error) bool {
+	if _, ok := err.(NameAlreadyExistsError); ok {
+		return true
+	}
+	return false
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/reconciler.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/reconciler.go
new file mode 100644
index 0000000000..b0b43002e4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/reconciler.go
@@ -0,0 +1,118 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reconciler
+
+import (
+	"context"
+	"reflect"
+	"strings"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/kube"
+	"k8s.io/apimachinery/pkg/api/errors"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// ReconcileFunc is a function that reconciles an object.
+type ReconcileFunc[T client.Object] func(ctx context.Context, obj T) (ctrl.Result, error)
+
+// FinalizeFunc is a function that finalizes an object. It does not remove the finalizer.
+type FinalizeFunc[T client.Object] func(ctx context.Context, obj T) error
+
+// StandardReconciler encapsulates common reconciler behavior, allowing you to
+// implement a reconciler simply by providing a ReconcileFunc and an optional
+// FinalizeFunc. These functions are invoked at the appropriate time and are
+// passed the object being reconciled.
+type StandardReconciler[T client.Object] struct {
+	client    client.Client
+	reconcile ReconcileFunc[T]
+	finalizer string
+	finalize  FinalizeFunc[T]
+}
+
+// NewStandardReconciler creates a new StandardReconciler for objects of the specified type.
+func NewStandardReconciler[T client.Object](cl client.Client, reconcileFunc ReconcileFunc[T]) *StandardReconciler[T] {
+	return NewStandardReconcilerWithFinalizer[T](cl, reconcileFunc, nil, "")
+}
+
+// NewStandardReconcilerWithFinalizer is similar to NewStandardReconciler, but also accepts a finalizer and a
+// FinalizerFunc.
+func NewStandardReconcilerWithFinalizer[T client.Object](
+	cl client.Client, reconcileFunc ReconcileFunc[T], finalizeFunc FinalizeFunc[T], finalizer string,
+) *StandardReconciler[T] {
+	return &StandardReconciler[T]{
+		client:    cl,
+		reconcile: reconcileFunc,
+		finalizer: finalizer,
+		finalize:  finalizeFunc,
+	}
+}
+
+// Reconcile reconciles the object. It first fetches the object from the client, then invokes the
+// configured ReconcileFunc. If a finalizer is configured in the reconciler, and the object is new,
+// this function adds the finalizer to the object. When the object is being deleted, this function
+// invokes the configured FinalizerFunc and removes the finalizer afterward.
+func (r *StandardReconciler[T]) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := logf.FromContext(ctx)
+
+	obj := reflect.New(reflect.TypeOf(*new(T)).Elem()).Interface().(T)
+	if err := r.client.Get(ctx, req.NamespacedName, obj); err != nil {
+		if errors.IsNotFound(err) {
+			log.V(2).Info("Resource not found. Skipping reconciliation")
+			return ctrl.Result{}, nil
+		}
+		return ctrl.Result{}, err
+	}
+
+	if !obj.GetDeletionTimestamp().IsZero() {
+		if r.finalizationEnabled() && kube.HasFinalizer(obj, r.finalizer) {
+			if err := r.finalize(ctx, obj); err != nil {
+				return ctrl.Result{}, err
+			}
+			return kube.RemoveFinalizer(ctx, r.client, obj, r.finalizer)
+		}
+		return ctrl.Result{}, nil
+	}
+
+	if r.finalizationEnabled() && !kube.HasFinalizer(obj, r.finalizer) {
+		return kube.AddFinalizer(ctx, r.client, obj, r.finalizer)
+	}
+
+	result, err := r.reconcile(ctx, obj)
+	switch {
+	case errors.IsForbidden(err) && strings.Contains(err.Error(), "RESTMapping"):
+		log.Info("APIServer seems to be not ready - RESTMapper of gc admission plugin is not up to date. Retrying...", "error", err)
+		return ctrl.Result{Requeue: true}, nil
+	case errors.IsConflict(err):
+		log.Info("Conflict detected. Retrying...")
+		return ctrl.Result{Requeue: true}, nil
+	case errors.IsNotFound(err):
+		log.Info("Resource not found. Retrying...", "error", err)
+		return ctrl.Result{Requeue: true}, nil
+	case IsTransientError(err):
+		log.Info("Reconciliation failed. Retrying...", "error", err)
+		return ctrl.Result{Requeue: true}, nil
+	case IsValidationError(err):
+		log.Info("Validation failed", "error", err)
+		return ctrl.Result{}, nil
+	default:
+		return result, err
+	}
+}
+
+func (r *StandardReconciler[T]) finalizationEnabled() bool {
+	return r.finalizer != ""
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/dependency.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/dependency.go
new file mode 100644
index 0000000000..554faeabc7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/dependency.go
@@ -0,0 +1,71 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revision
+
+import (
+	"io/fs"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+)
+
+type computeValuesFunc func(*v1.Values, string, string, config.Platform, string, string, fs.FS, string) (*v1.Values, error)
+
+var defaultComputeValues computeValuesFunc = ComputeValues
+
+// DependsOnIstioCNI returns true if CNI is enabled in the revision
+func DependsOnIstioCNI(rev *v1.IstioRevision, cfg config.ReconcilerConfig) bool {
+	values, err := defaultComputeValues(rev.Spec.Values, rev.Spec.Namespace, rev.Spec.Version,
+		cfg.Platform, cfg.DefaultProfile, "", cfg.ResourceFS, rev.Name)
+	if err != nil || values == nil {
+		return false
+	}
+	global := values.Global
+	pilot := values.Pilot
+
+	isOCPPlatform := global != nil && global.Platform != nil && *global.Platform == "openshift"
+	isCNIEnabled := pilot != nil && pilot.Cni != nil && pilot.Cni.Enabled != nil && *pilot.Cni.Enabled
+	isCNIExplicitlyDisabled := pilot != nil && pilot.Cni != nil && pilot.Cni.Enabled != nil && !*pilot.Cni.Enabled
+
+	// For OpenShift: CNI is enabled by default unless explicitly disabled
+	// For non-OpenShift: CNI must be explicitly enabled
+	if isOCPPlatform {
+		return !isCNIExplicitlyDisabled
+	}
+	return isCNIEnabled
+}
+
+// DependsOnZTunnel returns true if the revision is configured for ambient mode and requires ZTunnel
+func DependsOnZTunnel(rev *v1.IstioRevision, cfg config.ReconcilerConfig) bool {
+	values, err := defaultComputeValues(rev.Spec.Values, rev.Spec.Namespace, rev.Spec.Version,
+		cfg.Platform, cfg.DefaultProfile, "", cfg.ResourceFS, rev.Name)
+	if err != nil || values == nil {
+		return false
+	}
+
+	// Check if ambient mode is enabled via pilot.env.PILOT_ENABLE_AMBIENT
+	if values.Pilot != nil && values.Pilot.Env != nil {
+		if ambientEnabled, exists := values.Pilot.Env["PILOT_ENABLE_AMBIENT"]; exists && ambientEnabled == "true" {
+			return true
+		}
+	}
+
+	// Also check if ambient profile is being used
+	if values.Profile != nil && *values.Profile == "ambient" {
+		return true
+	}
+
+	return false
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/list.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/list.go
new file mode 100644
index 0000000000..50e5a693ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/list.go
@@ -0,0 +1,52 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revision
+
+import (
+	"context"
+	"fmt"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// ListOwned returns all IstioRevisions owned by the given owner.
+func ListOwned(ctx context.Context, cl client.Client, ownerUID types.UID) ([]v1.IstioRevision, error) {
+	revList := v1.IstioRevisionList{}
+	if err := cl.List(ctx, &revList); err != nil {
+		return nil, fmt.Errorf("list failed: %w", err)
+	}
+
+	var revisions []v1.IstioRevision
+	for _, rev := range revList.Items {
+		if isOwnedRevision(rev, ownerUID) {
+			revisions = append(revisions, rev)
+		}
+	}
+	return revisions, nil
+}
+
+func isOwnedRevision(rev v1.IstioRevision, ownerUID types.UID) bool {
+	if ownerUID == "" {
+		panic("resource has no UID; did you forget to set it in your test?")
+	}
+	for _, owner := range rev.OwnerReferences {
+		if owner.UID == ownerUID {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/prune.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/prune.go
new file mode 100644
index 0000000000..355e570d18
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/prune.go
@@ -0,0 +1,86 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revision
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// PruneInactive deletes IstioRevisions owned by the specified owner that are
+// not in use and whose grace period has expired.
+func PruneInactive(ctx context.Context, cl client.Client, ownerUID types.UID, activeRevisionName string, gracePeriod time.Duration) (ctrl.Result, error) {
+	log := logf.FromContext(ctx)
+	revisions, err := ListOwned(ctx, cl, ownerUID)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to get revisions: %w", err)
+	}
+
+	// the following code does two things:
+	// - prunes revisions whose grace period has expired
+	// - finds the time when the next revision is to be pruned
+	var nextPruneTimestamp *time.Time
+	for _, rev := range revisions {
+		if rev.Name == activeRevisionName {
+			log.V(2).Info("IstioRevision is the active revision", "IstioRevision", rev.Name)
+			continue
+		}
+		inUseCondition := rev.Status.GetCondition(v1.IstioRevisionConditionInUse)
+
+		// Only prune revisions that are confirmed to be not in use (i.e., ConditionFalse).
+		// Skip revisions that are in use (ConditionTrue) or whose usage status is unknown (ConditionUnknown).
+		if inUseCondition.Status == metav1.ConditionTrue {
+			log.V(2).Info("IstioRevision is in use", "IstioRevision", rev.Name)
+			continue
+		}
+		if inUseCondition.Status != metav1.ConditionFalse {
+			log.V(2).Info("IstioRevision usage status is unknown, skipping pruning", "IstioRevision", rev.Name)
+			continue
+		}
+
+		pruneTimestamp := inUseCondition.LastTransitionTime.Time.Add(gracePeriod)
+		expired := pruneTimestamp.Before(time.Now())
+		if expired {
+			log.Info("Deleting expired IstioRevision", "IstioRevision", rev.Name)
+			err = cl.Delete(ctx, &rev)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("delete failed: %w", err)
+			}
+		} else {
+			log.V(2).Info("IstioRevision is not in use, but hasn't yet expired", "IstioRevision", rev.Name, "InUseLastTransitionTime", inUseCondition.LastTransitionTime)
+			if nextPruneTimestamp == nil || nextPruneTimestamp.After(pruneTimestamp) {
+				nextPruneTimestamp = &pruneTimestamp
+			}
+		}
+	}
+	if nextPruneTimestamp == nil {
+		log.V(2).Info("No IstioRevisions to prune")
+		return ctrl.Result{}, nil
+	}
+
+	requeueAfter := time.Until(*nextPruneTimestamp)
+	log.Info("Requeueing resource for cleanup of expired IstioRevision", "RequeueAfter", requeueAfter)
+	// requeue so that we prune the next revision at the right time (if we didn't, we would prune it when
+	// something else triggers another reconciliation)
+	return ctrl.Result{RequeueAfter: requeueAfter}, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/reconcile.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/reconcile.go
new file mode 100644
index 0000000000..ceb78dee82
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/reconcile.go
@@ -0,0 +1,81 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revision
+
+import (
+	"context"
+	"fmt"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+func CreateOrUpdate(
+	ctx context.Context, cl client.Client, revName string, version string, namespace string,
+	values *v1.Values, ownerRef metav1.OwnerReference,
+) error {
+	log := logf.FromContext(ctx)
+	log = log.WithValues("IstioRevision", revName)
+
+	rev, found, err := getRevision(ctx, cl, revName)
+	if err != nil {
+		return fmt.Errorf("failed to get active IstioRevision: %w", err)
+	}
+
+	if found {
+		// update
+		rev.Spec.Version = version
+		rev.Spec.Values = values
+		log.Info("Updating IstioRevision")
+		if err = cl.Update(ctx, &rev); err != nil {
+			return fmt.Errorf("failed to update IstioRevision %q: %w", rev.Name, err)
+		}
+	} else {
+		// create new
+		rev = v1.IstioRevision{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:            revName,
+				OwnerReferences: []metav1.OwnerReference{ownerRef},
+			},
+			Spec: v1.IstioRevisionSpec{
+				Version:   version,
+				Namespace: namespace,
+				Values:    values,
+			},
+		}
+		log.Info("Creating IstioRevision")
+		if err = cl.Create(ctx, &rev); err != nil {
+			return fmt.Errorf("failed to create IstioRevision %q: %w", rev.Name, err)
+		}
+	}
+	return nil
+}
+
+func getRevision(ctx context.Context, cl client.Client, name string) (rev v1.IstioRevision, found bool, err error) {
+	key := types.NamespacedName{Name: name}
+	rev = v1.IstioRevision{}
+	err = cl.Get(ctx, key, &rev)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return rev, false, nil
+		}
+		return rev, false, fmt.Errorf("get failed: %w", err)
+	}
+	return rev, true, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/references.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/references.go
new file mode 100644
index 0000000000..c84879d7c1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/references.go
@@ -0,0 +1,48 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revision
+
+import (
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/constants"
+)
+
+func GetReferencedRevisionFromNamespace(labels map[string]string) string {
+	// istio-injection label takes precedence over istio.io/rev
+	if labels[constants.IstioInjectionLabel] == constants.IstioInjectionEnabledValue {
+		return v1.DefaultRevision
+	}
+	return labels[constants.IstioRevLabel]
+	// TODO: if .Values.sidecarInjectorWebhook.enableNamespacesByDefault is true, then all namespaces except system namespaces should use the "default" revision
+}
+
+func GetReferencedRevisionFromPod(podLabels map[string]string) string {
+	// we only look at pod labels to identify injection intent
+	if podLabels[constants.IstioSidecarInjectLabel] != "false" {
+		if rev := podLabels[constants.IstioRevLabel]; rev != "" {
+			return rev
+		}
+		if podLabels[constants.IstioSidecarInjectLabel] == "true" {
+			return v1.DefaultRevision
+		}
+	}
+
+	return ""
+}
+
+func GetInjectedRevisionFromPod(podAnnotations map[string]string) string {
+	// if pod was already injected, the revision that did the injection is specified in the istio.io/rev annotation
+	return podAnnotations[constants.IstioRevLabel]
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/remote.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/remote.go
new file mode 100644
index 0000000000..b632af2879
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/remote.go
@@ -0,0 +1,25 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revision
+
+import v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+
+// IsUsingRemoteControlPlane returns true if the IstioRevision is configured to
+// connect to a remote rather than deploy a local control plane.
+func IsUsingRemoteControlPlane(rev *v1.IstioRevision) bool {
+	// TODO: we should use values.istiodRemote.enabled instead of the profile, but we can't get the final set of values because of new profiles implementation
+	values := rev.Spec.Values
+	return values != nil && values.Profile != nil && *values.Profile == "remote"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/values.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/values.go
new file mode 100644
index 0000000000..805d13cee4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/values.go
@@ -0,0 +1,68 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package revision
+
+import (
+	"fmt"
+	"io/fs"
+
+	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
+	"github.com/istio-ecosystem/sail-operator/pkg/config"
+	"github.com/istio-ecosystem/sail-operator/pkg/helm"
+	"github.com/istio-ecosystem/sail-operator/pkg/istiovalues"
+)
+
+// ComputeValues computes the Istio Helm values for an IstioRevision as follows:
+// - applies image digests from the operator configuration
+// - applies vendor-specific default values
+// - applies the user-provided values on top of the default values from the default and user-selected profiles
+// - applies overrides that are not configurable by the user
+//
+// The resourceFS parameter accepts any fs.FS implementation (embed.FS, os.DirFS, etc.).
+func ComputeValues(
+	userValues *v1.Values, namespace string, version string,
+	platform config.Platform, defaultProfile, userProfile string, resourceFS fs.FS,
+	activeRevisionName string,
+) (*v1.Values, error) {
+	// apply image digests from configuration, if not already set by user
+	userValues = istiovalues.ApplyDigests(version, userValues, config.Config)
+
+	// apply vendor-specific default values
+	userValues, err := istiovalues.ApplyIstioVendorDefaults(version, userValues)
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply vendor defaults: %w", err)
+	}
+
+	// apply userValues on top of defaultValues from profiles
+	mergedHelmValues, err := istiovalues.ApplyProfilesAndPlatform(resourceFS, version, platform, defaultProfile, userProfile, helm.FromValues(userValues))
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply profile: %w", err)
+	}
+
+	// apply FipsValues on top of mergedHelmValues from profile
+	mergedHelmValues, err = istiovalues.ApplyFipsValues(mergedHelmValues)
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply FIPS values: %w", err)
+	}
+
+	values, err := helm.ToValues(mergedHelmValues, &v1.Values{})
+	if err != nil {
+		return nil, fmt.Errorf("conversion to Helm values failed: %w", err)
+	}
+
+	// override values that are not configurable by the user
+	istiovalues.ApplyOverrides(activeRevisionName, namespace, values)
+	return values, nil
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/validation/validation.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/validation/validation.go
new file mode 100644
index 0000000000..6a365227fd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/validation/validation.go
@@ -0,0 +1,53 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package validation
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/istio-ecosystem/sail-operator/pkg/reconciler"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// ValidateTargetNamespace checks if the target namespace exists and is not being deleted.
+func ValidateTargetNamespace(ctx context.Context, cl client.Client, namespace string) error {
+	ns := &corev1.Namespace{}
+	if err := cl.Get(ctx, types.NamespacedName{Name: namespace}, ns); err != nil {
+		if apierrors.IsNotFound(err) {
+			return reconciler.NewValidationError(fmt.Sprintf("namespace %q doesn't exist", namespace))
+		}
+		return fmt.Errorf("get failed: %w", err)
+	}
+	if ns.DeletionTimestamp != nil {
+		return reconciler.NewValidationError(fmt.Sprintf("namespace %q is being deleted", namespace))
+	}
+	return nil
+}
+
+// ResourceTakesPrecedence returns `true` if `object1` takes precedence over `object2`. This is used in
+// cases where IstioRevision and IstioRevisionTag objects have the same name, to decide which will get
+// reconciled.
+// The decision is based on creation date, but if those are equal, a lexicographic comparison of the
+// objects' UIDs is used as tie-breaker.
+func ResourceTakesPrecedence(object1 *metav1.ObjectMeta, object2 *metav1.ObjectMeta) bool {
+	return object1.CreationTimestamp.Before(&object2.CreationTimestamp) ||
+		(object1.CreationTimestamp.Equal(&object2.CreationTimestamp) && strings.Compare(string(object1.UID), string(object2.UID)) < 0)
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/resources.go b/vendor/github.com/istio-ecosystem/sail-operator/resources/resources.go
new file mode 100644
index 0000000000..081c6ea65d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/resources.go
@@ -0,0 +1,69 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package resources provides embedded Istio Helm charts and profiles.
+//
+// This package embeds all version directories (v1.28.2, etc.) containing
+// Helm charts and profiles. Importing this package will increase the binary
+// size significantly (~10MB) as it includes all chart files.
+//
+// This package is intended for consumers who want to embed the charts
+// directly in their binary.
+//
+// Usage:
+//
+//	import "github.com/istio-ecosystem/sail-operator/resources"
+//
+//	cfg := config.ReconcilerConfig{
+//	    ResourceFS: resources.FS,
+//	}
+//
+// The embedded paths are relative to this directory, e.g.:
+//   - v1.28.2/charts/istiod/Chart.yaml
+//   - v1.28.2/profiles/default.yaml
+package resources
+
+import (
+	"embed"
+	"io/fs"
+)
+
+// FS contains the embedded resources directory with all Helm charts and profiles.
+// Paths are relative to this directory (e.g., "v1.28.2/charts/istiod").
+//
+//go:embed all:v*
+var FS embed.FS
+
+// SubFS creates a sub-filesystem rooted at the specified directory.
+// This is useful for stripping prefixes from embedded filesystems.
+//
+// Example:
+//
+//	// If you have your own embed with a prefix:
+//	//go:embed my-resources
+//	var rawFS embed.FS
+//	fs := resources.SubFS(rawFS, "my-resources")
+func SubFS(fsys fs.FS, dir string) (fs.FS, error) {
+	return fs.Sub(fsys, dir)
+}
+
+// MustSubFS is like SubFS but panics on error.
+// Use this when the directory is known to exist.
+func MustSubFS(fsys fs.FS, dir string) fs.FS {
+	sub, err := fs.Sub(fsys, dir)
+	if err != nil {
+		panic("failed to create sub-filesystem for " + dir + ": " + err.Error())
+	}
+	return sub
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/base-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/base-1.27.0.tgz.etag
new file mode 100644
index 0000000000..0b7df0bf05
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/base-1.27.0.tgz.etag
@@ -0,0 +1 @@
+b26ddf910c7cd2943690d3c34e92aa12
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/Chart.yaml
new file mode 100644
index 0000000000..283476f0c9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.27.0
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.27.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..2616b09c9a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..8cb76fd773
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,56 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..ba829a6bfe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,20 @@
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/values.yaml
new file mode 100644
index 0000000000..d18296f00a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/values.yaml
@@ -0,0 +1,37 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..757c4fa7d1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.0
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.27.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/README.md
new file mode 100644
index 0000000000..a8b78d5bde
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..1779e0bb1d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,81 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..42fedab1fc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..6f6ef329a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,41 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..896de3d038
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,248 @@
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..86a2eb7c0b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,11 @@
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..9a6d61ff91
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..3193d7b74a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/values.yaml
new file mode 100644
index 0000000000..7dfffb0605
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/values.yaml
@@ -0,0 +1,178 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: "" 
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.27.0
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..3df0e88dc8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.0
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.27.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/README.md
new file mode 100644
index 0000000000..5c064d165b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..b0155cdf05
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..3e28418f7b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/service.yaml
@@ -0,0 +1,69 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..62ef87451c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.schema.json
@@ -0,0 +1,341 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "properties": {
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [
+            "null",
+            "integer"
+          ]
+        },
+        "readinessProbe": {
+          "type": [
+            "null",
+            "object"
+          ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": [
+                    "string",
+                    "null"
+                  ]
+                },
+                "memory": {
+                  "type": [
+                    "string",
+                    "null"
+                  ]
+                }
+              }
+            },
+            "requests": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": [
+                    "string",
+                    "null"
+                  ]
+                },
+                "memory": {
+                  "type": [
+                    "string",
+                    "null"
+                  ]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        },
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.yaml
new file mode 100644
index 0000000000..c0147ce210
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..1b89d346e7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.0
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.27.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/README.md
new file mode 100644
index 0000000000..ddbfbc8fec
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..9705cfe5df
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,542 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..616fb42c71
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,401 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..3e6a2f5dc1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,396 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 2
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9b952ba857
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,43 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..d9c86f43fa
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,213 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..1b8fa4d079
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,40 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..9d931c4065
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,18 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..75e6e0bcc6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a8446a6fc9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,111 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..1b769c6ec7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,312 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..6b23d716a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,20 @@
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..171aff8861
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,81 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..ca017194e6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,164 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..d21cd919d3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,36 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..dbaa805035
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,62 @@
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..aea9f01f7a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-endpoints.yaml
new file mode 100644
index 0000000000..f13b8ce9a9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-endpoints.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..0a48b9918b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,41 @@
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..bbcfbe4356
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/role.yaml
@@ -0,0 +1,35 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..0c66b38a7d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..25bda4dfd2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/service.yaml
@@ -0,0 +1,57 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..8b4a0c0faf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..8562a52d59
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,63 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..b49bf7fafd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,68 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..ae8fced298
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/values.yaml
new file mode 100644
index 0000000000..ecd1ba2dc8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.0
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..aab11814a8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.27.0
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..ecd1ba2dc8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.0
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..86cb446c97
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.0
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.27.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/README.md
new file mode 100644
index 0000000000..ffe0b94fe8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..6b8ae5b6ad
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,210 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.global.network }}
+        - name: NETWORK
+          value: {{ .Values.global.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..0a8138c9a3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+---
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..a1c0e5496d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..7550a4d594
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/values.yaml
@@ -0,0 +1,129 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.27.0
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # We keep the global namespace around for backwards-compatibility
+  global:
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/cni-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/cni-1.27.0.tgz.etag
new file mode 100644
index 0000000000..124ddc9782
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/cni-1.27.0.tgz.etag
@@ -0,0 +1 @@
+fc3f3e6cd38df93ff10105c0729e9d65
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/commit
new file mode 100644
index 0000000000..5db08bf2dc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/commit
@@ -0,0 +1 @@
+1.27.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/gateway-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/gateway-1.27.0.tgz.etag
new file mode 100644
index 0000000000..989623b984
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/gateway-1.27.0.tgz.etag
@@ -0,0 +1 @@
+8540c46a559c45954a2a794d5f664925
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/istiod-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/istiod-1.27.0.tgz.etag
new file mode 100644
index 0000000000..27962f6160
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/istiod-1.27.0.tgz.etag
@@ -0,0 +1 @@
+3b9c0a33854bb060d8d4f87c81690909
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/ztunnel-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/ztunnel-1.27.0.tgz.etag
new file mode 100644
index 0000000000..b46e72dc4f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/ztunnel-1.27.0.tgz.etag
@@ -0,0 +1 @@
+64fede9b999cb988adeb8e92624d3de3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/base-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/base-1.27.1.tgz.etag
new file mode 100644
index 0000000000..8c62e0d68a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/base-1.27.1.tgz.etag
@@ -0,0 +1 @@
+7f2f5fd5304de6f4c31f33b703061549
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/Chart.yaml
new file mode 100644
index 0000000000..90ccae188f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.27.1
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.27.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..2616b09c9a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..8cb76fd773
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,56 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..ba829a6bfe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,20 @@
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/values.yaml
new file mode 100644
index 0000000000..d18296f00a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/values.yaml
@@ -0,0 +1,37 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..6374f2dc27
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.1
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.27.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/README.md
new file mode 100644
index 0000000000..a8b78d5bde
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..1779e0bb1d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,81 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..42fedab1fc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..6f6ef329a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,41 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..896de3d038
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,248 @@
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..86a2eb7c0b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,11 @@
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..9a6d61ff91
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..3193d7b74a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/values.yaml
new file mode 100644
index 0000000000..ca36bdae50
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/values.yaml
@@ -0,0 +1,178 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: "" 
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.27.1
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..f7522efaa4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.1
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.27.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/README.md
new file mode 100644
index 0000000000..5c064d165b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..b0155cdf05
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..3e28418f7b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/service.yaml
@@ -0,0 +1,69 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..bcbb30ccc8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.schema.json
@@ -0,0 +1,353 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.yaml
new file mode 100644
index 0000000000..c0147ce210
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..6c2be4955f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.1
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.27.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/README.md
new file mode 100644
index 0000000000..ddbfbc8fec
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..9705cfe5df
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,542 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..616fb42c71
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,401 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..3e6a2f5dc1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,396 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 2
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9b952ba857
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,43 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..d9c86f43fa
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,213 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..1b8fa4d079
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,40 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..9d931c4065
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,18 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..75e6e0bcc6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a8446a6fc9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,111 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..1b769c6ec7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,312 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..6b23d716a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,20 @@
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..171aff8861
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,81 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..ca017194e6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,164 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..d21cd919d3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,36 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..dbaa805035
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,62 @@
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..aea9f01f7a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-endpoints.yaml
new file mode 100644
index 0000000000..f13b8ce9a9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-endpoints.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..0a48b9918b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,41 @@
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..bbcfbe4356
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/role.yaml
@@ -0,0 +1,35 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..0c66b38a7d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..25bda4dfd2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/service.yaml
@@ -0,0 +1,57 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..8b4a0c0faf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..8562a52d59
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,63 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..b49bf7fafd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,68 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..ae8fced298
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/values.yaml
new file mode 100644
index 0000000000..b1a7151523
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.1
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..aead968334
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.27.1
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..b1a7151523
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.1
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..0f71ab7057
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.1
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.27.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/README.md
new file mode 100644
index 0000000000..ffe0b94fe8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..6b8ae5b6ad
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,210 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.global.network }}
+        - name: NETWORK
+          value: {{ .Values.global.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..0a8138c9a3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+---
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..a1c0e5496d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..fae7cad337
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/values.yaml
@@ -0,0 +1,129 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.27.1
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # We keep the global namespace around for backwards-compatibility
+  global:
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/cni-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/cni-1.27.1.tgz.etag
new file mode 100644
index 0000000000..3400ad12f8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/cni-1.27.1.tgz.etag
@@ -0,0 +1 @@
+b2bc44fca2bd70c198e3e1cb207fbf5f
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/commit
new file mode 100644
index 0000000000..08002f86cc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/commit
@@ -0,0 +1 @@
+1.27.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/gateway-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/gateway-1.27.1.tgz.etag
new file mode 100644
index 0000000000..ddcecb834f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/gateway-1.27.1.tgz.etag
@@ -0,0 +1 @@
+dbbc0d3a0ee648e909e0c6a6b87f601c
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/istiod-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/istiod-1.27.1.tgz.etag
new file mode 100644
index 0000000000..49dbc1857f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/istiod-1.27.1.tgz.etag
@@ -0,0 +1 @@
+4e50a475452cc800fadcdd81a2e08dd6
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/ztunnel-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/ztunnel-1.27.1.tgz.etag
new file mode 100644
index 0000000000..b022960ca7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/ztunnel-1.27.1.tgz.etag
@@ -0,0 +1 @@
+84ba6127a9bbaa9a5b24d161d3740e08
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/base-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/base-1.27.2.tgz.etag
new file mode 100644
index 0000000000..8ca19cc00d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/base-1.27.2.tgz.etag
@@ -0,0 +1 @@
+3f9ec4213cb967f1c458fa5621511032
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/Chart.yaml
new file mode 100644
index 0000000000..fa036d7332
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.27.2
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.27.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..2616b09c9a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..8cb76fd773
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,56 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..ba829a6bfe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,20 @@
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/values.yaml
new file mode 100644
index 0000000000..d18296f00a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/values.yaml
@@ -0,0 +1,37 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..fd22b74314
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.2
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.27.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/README.md
new file mode 100644
index 0000000000..a8b78d5bde
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..1779e0bb1d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,81 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..42fedab1fc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..6f6ef329a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,41 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..896de3d038
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,248 @@
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..86a2eb7c0b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,11 @@
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..9a6d61ff91
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..3193d7b74a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/values.yaml
new file mode 100644
index 0000000000..d563739cf6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/values.yaml
@@ -0,0 +1,178 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: "" 
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.27.2
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..e485d21c6b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.2
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.27.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/README.md
new file mode 100644
index 0000000000..5c064d165b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..b0155cdf05
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..3e28418f7b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/service.yaml
@@ -0,0 +1,69 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..bcbb30ccc8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.schema.json
@@ -0,0 +1,353 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.yaml
new file mode 100644
index 0000000000..c0147ce210
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..af93a35361
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.2
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.27.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/README.md
new file mode 100644
index 0000000000..ddbfbc8fec
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..df04baf847
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,541 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..616fb42c71
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,401 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..3e6a2f5dc1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,396 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 2
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9b952ba857
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,43 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..d9c86f43fa
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,213 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..1b8fa4d079
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,40 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..9d931c4065
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,18 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..75e6e0bcc6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a8446a6fc9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,111 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..1b769c6ec7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,312 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..6b23d716a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,20 @@
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..171aff8861
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,81 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..ca017194e6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,164 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..d21cd919d3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,36 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..dbaa805035
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,62 @@
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..aea9f01f7a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-endpoints.yaml
new file mode 100644
index 0000000000..f13b8ce9a9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-endpoints.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..0a48b9918b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,41 @@
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..bbcfbe4356
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/role.yaml
@@ -0,0 +1,35 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..0c66b38a7d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..25bda4dfd2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/service.yaml
@@ -0,0 +1,57 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..8b4a0c0faf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..8562a52d59
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,63 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..b49bf7fafd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,68 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..ae8fced298
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/values.yaml
new file mode 100644
index 0000000000..89d86fdb80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.2
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..cf8f6ce14f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.27.2
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..89d86fdb80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.2
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..0ef197b82f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.2
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.27.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/README.md
new file mode 100644
index 0000000000..ffe0b94fe8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..7de85a2d18
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,210 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..0a8138c9a3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+---
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..a1c0e5496d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..2b44dda274
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/values.yaml
@@ -0,0 +1,128 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.27.2
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/cni-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/cni-1.27.2.tgz.etag
new file mode 100644
index 0000000000..02228775e6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/cni-1.27.2.tgz.etag
@@ -0,0 +1 @@
+472746bd7177d6917f231a5477bb42c0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/commit
new file mode 100644
index 0000000000..457f038546
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/commit
@@ -0,0 +1 @@
+1.27.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/gateway-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/gateway-1.27.2.tgz.etag
new file mode 100644
index 0000000000..400c21e39e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/gateway-1.27.2.tgz.etag
@@ -0,0 +1 @@
+f41b30a1ecd3f8eb5e98a3836bc278c0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/istiod-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/istiod-1.27.2.tgz.etag
new file mode 100644
index 0000000000..ce1391c25f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/istiod-1.27.2.tgz.etag
@@ -0,0 +1 @@
+78abcde440e50316bdc1423cfc191c7b
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/ztunnel-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/ztunnel-1.27.2.tgz.etag
new file mode 100644
index 0000000000..b6a19afbe9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/ztunnel-1.27.2.tgz.etag
@@ -0,0 +1 @@
+8c791fe726f190936c1d071b0d4f82f7
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag
new file mode 100644
index 0000000000..1677b79984
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag
@@ -0,0 +1 @@
+cce45283947bb5ef9df93c274ccf452e
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/Chart.yaml
new file mode 100644
index 0000000000..c5daa7c074
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.27.3
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.27.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..2616b09c9a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..8cb76fd773
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,56 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..ba829a6bfe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,20 @@
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/values.yaml
new file mode 100644
index 0000000000..d18296f00a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/values.yaml
@@ -0,0 +1,37 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..73fcf4c7b4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.3
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.27.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/README.md
new file mode 100644
index 0000000000..a8b78d5bde
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..1779e0bb1d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,81 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..42fedab1fc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..6f6ef329a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,41 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..896de3d038
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,248 @@
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..86a2eb7c0b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,11 @@
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..9a6d61ff91
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..3193d7b74a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml
new file mode 100644
index 0000000000..05415625c0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml
@@ -0,0 +1,178 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: "" 
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.27.3
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..b806d50178
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.3
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.27.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/README.md
new file mode 100644
index 0000000000..5c064d165b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..b0155cdf05
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..3e28418f7b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/service.yaml
@@ -0,0 +1,69 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..bcbb30ccc8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.schema.json
@@ -0,0 +1,353 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml
new file mode 100644
index 0000000000..c0147ce210
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..937648f120
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.3
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.27.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/README.md
new file mode 100644
index 0000000000..ddbfbc8fec
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..df04baf847
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,541 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..616fb42c71
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,401 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..3e6a2f5dc1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,396 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 2
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9b952ba857
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,43 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..d9c86f43fa
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,213 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..1b8fa4d079
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,40 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..9d931c4065
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,18 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..75e6e0bcc6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a8446a6fc9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,111 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..1b769c6ec7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,312 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..6b23d716a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,20 @@
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..171aff8861
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,81 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..ca017194e6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,164 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..d21cd919d3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,36 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..dbaa805035
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,62 @@
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..aea9f01f7a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-endpoints.yaml
new file mode 100644
index 0000000000..f13b8ce9a9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-endpoints.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..0a48b9918b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,41 @@
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..bbcfbe4356
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/role.yaml
@@ -0,0 +1,35 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..0c66b38a7d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..25bda4dfd2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/service.yaml
@@ -0,0 +1,57 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..8b4a0c0faf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..8562a52d59
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,63 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..b49bf7fafd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,68 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..ae8fced298
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml
new file mode 100644
index 0000000000..4f0d23eaf5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.3
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..23bf542f1c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.27.3
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..4f0d23eaf5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.3
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..24ef047b40
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.3
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.27.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/README.md
new file mode 100644
index 0000000000..ffe0b94fe8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..7de85a2d18
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,210 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..0a8138c9a3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+---
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..a1c0e5496d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..ad00f2b476
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml
@@ -0,0 +1,128 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.27.3
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag
new file mode 100644
index 0000000000..7a5f5e1199
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag
@@ -0,0 +1 @@
+225fe2f64f96f2d06ae32ab8aee589e9
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/commit
new file mode 100644
index 0000000000..3bae5204be
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/commit
@@ -0,0 +1 @@
+1.27.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag
new file mode 100644
index 0000000000..c7fcfbf51c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag
@@ -0,0 +1 @@
+283b9a884ddfc8d6181e4ba9b7b864d3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag
new file mode 100644
index 0000000000..b8e60f837d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag
@@ -0,0 +1 @@
+bb59c9d779b441c3b807c7b0e0469672
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag
new file mode 100644
index 0000000000..e4501f0133
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag
@@ -0,0 +1 @@
+1796665ace8eb824959a10e3dab18060
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/base-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/base-1.27.4.tgz.etag
new file mode 100644
index 0000000000..8e4b97d887
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/base-1.27.4.tgz.etag
@@ -0,0 +1 @@
+85804e76b8331e8abc25bf6663dab8a4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/Chart.yaml
new file mode 100644
index 0000000000..2d63a6c8a9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.27.4
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.27.4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..2616b09c9a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..8cb76fd773
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,56 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..ba829a6bfe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,20 @@
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/values.yaml
new file mode 100644
index 0000000000..d18296f00a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/values.yaml
@@ -0,0 +1,37 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..b2d482aa38
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.4
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.27.4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/README.md
new file mode 100644
index 0000000000..a8b78d5bde
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..1779e0bb1d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,81 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..42fedab1fc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..6f6ef329a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,41 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..896de3d038
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,248 @@
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..86a2eb7c0b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,11 @@
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..9a6d61ff91
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..3193d7b74a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/values.yaml
new file mode 100644
index 0000000000..8a6b25bc51
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/values.yaml
@@ -0,0 +1,178 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: "" 
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.27.4
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..2dfdbf31d1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.4
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.27.4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/README.md
new file mode 100644
index 0000000000..5c064d165b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..b0155cdf05
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..3e28418f7b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/service.yaml
@@ -0,0 +1,69 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..bcbb30ccc8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.schema.json
@@ -0,0 +1,353 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.yaml
new file mode 100644
index 0000000000..c0147ce210
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..f10e8233fc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.4
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.27.4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/README.md
new file mode 100644
index 0000000000..ddbfbc8fec
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..df04baf847
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,541 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..616fb42c71
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,401 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..3e6a2f5dc1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,396 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 2
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9b952ba857
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,43 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..d9c86f43fa
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,213 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..1b8fa4d079
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,40 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..9d931c4065
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,18 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..75e6e0bcc6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a8446a6fc9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,111 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..1b769c6ec7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,312 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..6b23d716a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,20 @@
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..171aff8861
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,81 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..ca017194e6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,164 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..d21cd919d3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,36 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..dbaa805035
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,62 @@
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..aea9f01f7a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-endpoints.yaml
new file mode 100644
index 0000000000..f13b8ce9a9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-endpoints.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..0a48b9918b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,41 @@
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..bbcfbe4356
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/role.yaml
@@ -0,0 +1,35 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..0c66b38a7d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..25bda4dfd2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/service.yaml
@@ -0,0 +1,57 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..8b4a0c0faf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..8562a52d59
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,63 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..b49bf7fafd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,68 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..ae8fced298
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/values.yaml
new file mode 100644
index 0000000000..cda9829ce1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.4
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..4ba00e976c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.27.4
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..cda9829ce1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.4
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..a2c5bb6855
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.4
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.27.4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/README.md
new file mode 100644
index 0000000000..ffe0b94fe8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..7de85a2d18
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,210 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..0a8138c9a3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+---
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..a1c0e5496d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..50d7b3c63c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/values.yaml
@@ -0,0 +1,128 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.27.4
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/cni-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/cni-1.27.4.tgz.etag
new file mode 100644
index 0000000000..57772900cc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/cni-1.27.4.tgz.etag
@@ -0,0 +1 @@
+51fae7c4c2f2a9b595620028740a209c
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/commit
new file mode 100644
index 0000000000..d6201580ed
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/commit
@@ -0,0 +1 @@
+1.27.4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/gateway-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/gateway-1.27.4.tgz.etag
new file mode 100644
index 0000000000..104eaa5c38
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/gateway-1.27.4.tgz.etag
@@ -0,0 +1 @@
+a2843b9c7a9a91c00e461f4056d9b1d9
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/istiod-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/istiod-1.27.4.tgz.etag
new file mode 100644
index 0000000000..44a3f58f0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/istiod-1.27.4.tgz.etag
@@ -0,0 +1 @@
+d7be874f1187a5e030b3e3e333e774c7
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/ztunnel-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/ztunnel-1.27.4.tgz.etag
new file mode 100644
index 0000000000..f3718f5193
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/ztunnel-1.27.4.tgz.etag
@@ -0,0 +1 @@
+3b6cd190b838a132d4d14a0047581453
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag
new file mode 100644
index 0000000000..b4d325688a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag
@@ -0,0 +1 @@
+cb5b876deebf2702f8413bd19b8fa439
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/Chart.yaml
new file mode 100644
index 0000000000..bf04c86b30
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.27.5
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.27.5
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..2616b09c9a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..8cb76fd773
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,56 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..ba829a6bfe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,20 @@
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/values.yaml
new file mode 100644
index 0000000000..d18296f00a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/values.yaml
@@ -0,0 +1,37 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..6f877a1eb3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.5
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.27.5
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/README.md
new file mode 100644
index 0000000000..a8b78d5bde
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..1779e0bb1d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,81 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..42fedab1fc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..6f6ef329a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,41 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..896de3d038
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,248 @@
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..86a2eb7c0b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,11 @@
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..9a6d61ff91
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..3193d7b74a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml
new file mode 100644
index 0000000000..903450f82b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml
@@ -0,0 +1,178 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: "" 
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.27.5
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..7f68c00147
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.5
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.27.5
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/README.md
new file mode 100644
index 0000000000..5c064d165b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..b0155cdf05
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..3e28418f7b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/service.yaml
@@ -0,0 +1,69 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..bcbb30ccc8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.schema.json
@@ -0,0 +1,353 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml
new file mode 100644
index 0000000000..c0147ce210
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..aff443622d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.27.5
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.27.5
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/README.md
new file mode 100644
index 0000000000..ddbfbc8fec
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..df04baf847
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,541 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..616fb42c71
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,401 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..3e6a2f5dc1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,396 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 2
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9b952ba857
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,43 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..d9c86f43fa
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,213 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.x-k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..1b8fa4d079
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,40 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..9d931c4065
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,18 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..75e6e0bcc6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a8446a6fc9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,111 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..1b769c6ec7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,312 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..6b23d716a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,20 @@
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..171aff8861
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,81 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..ca017194e6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,164 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..d21cd919d3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,36 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..dbaa805035
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,62 @@
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..aea9f01f7a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-endpoints.yaml
new file mode 100644
index 0000000000..f13b8ce9a9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-endpoints.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..0a48b9918b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,41 @@
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..bbcfbe4356
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/role.yaml
@@ -0,0 +1,35 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..0c66b38a7d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..25bda4dfd2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/service.yaml
@@ -0,0 +1,57 @@
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..8b4a0c0faf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..8562a52d59
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,63 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..b49bf7fafd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,68 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..ae8fced298
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml
new file mode 100644
index 0000000000..827da9284c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.5
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..536fce8f03
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.27.5
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/revision-tags.yaml
new file mode 100644
index 0000000000..06764a826e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/revision-tags.yaml
@@ -0,0 +1,149 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..827da9284c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml
@@ -0,0 +1,569 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.27.5
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..e4b8972785
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.27.5
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.27.5
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/README.md
new file mode 100644
index 0000000000..ffe0b94fe8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 0000000000..4f3dbef7ea
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,15 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..b2f45948c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..af10697326
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..7de85a2d18
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,210 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..0a8138c9a3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+---
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..a1c0e5496d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..ff4b7c7466
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml
@@ -0,0 +1,128 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.27.5
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag
new file mode 100644
index 0000000000..85755b0c38
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag
@@ -0,0 +1 @@
+5b26a7e0cc5f3f7d5cbd2cf5265fdb82
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/commit
new file mode 100644
index 0000000000..bd9c63786b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/commit
@@ -0,0 +1 @@
+1.27.5
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag
new file mode 100644
index 0000000000..abab054607
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag
@@ -0,0 +1 @@
+ecb9534d3e8c29e86377d1f56df070c0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag
new file mode 100644
index 0000000000..e8270b5266
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag
@@ -0,0 +1 @@
+52aa229cba3bb3d940cda9e7a6697acd
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag
new file mode 100644
index 0000000000..e881d16d82
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag
@@ -0,0 +1 @@
+ef36ec00906f364ae84a4ffb82e14495
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/base-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/base-1.28.0.tgz.etag
new file mode 100644
index 0000000000..95a40faebb
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/base-1.28.0.tgz.etag
@@ -0,0 +1 @@
+7bc3f40a477bc457daf1899a1adc295b
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/Chart.yaml
new file mode 100644
index 0000000000..3a585967f2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.28.0
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.28.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..30049df989
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,55 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..dcd16e964f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,58 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..bb7a74ff48
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/values.yaml
new file mode 100644
index 0000000000..8353c57d6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/values.yaml
@@ -0,0 +1,45 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..ec567edeb6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.28.0
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.28.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/README.md
new file mode 100644
index 0000000000..f7e5cbd379
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..51af4ce7ff
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,84 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..60e3c28be8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,66 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..98bc60ac07
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..6d1dda2902
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,252 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+    {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+        {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..37ef7c3e6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,13 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..2e0be5ab40
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..17c8e64a9d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/values.yaml
new file mode 100644
index 0000000000..b48ac06e71
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: ""
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Additional labels to apply on the daemonset level
+  daemonSetLabels: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.28.0
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..0819c9b8bc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.28.0
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.28.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/README.md
new file mode 100644
index 0000000000..6344859a22
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..ea2fab97b3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "gateway.name" . }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Gateway"
+    istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "gateway.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Status/health check port
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15021
+  # Metrics endpoints for monitoring/prometheus
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15020
+    - protocol: TCP
+      port: 15090
+  # Main gateway traffic ports
+{{- if .Values.service.ports }}
+{{- range .Values.service.ports }}
+  - from: []
+    ports:
+    - protocol: {{ .protocol | default "TCP" }}
+      port: {{ .targetPort | default .port }}
+{{- end }}
+{{- end }}
+  egress:
+  # Allow all egress (gateways need to reach external services, istiod, and other cluster services)
+  - {}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..91869a0ead
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.podDisruptionBudget }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaling.enabled  (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..f555e6c632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/service.yaml
@@ -0,0 +1,75 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+{{- with .Values.service.internalTrafficPolicy }}
+  internalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+{{- if not (eq .Values.service.clusterIP "") }}
+  clusterIP: {{ .Values.service.clusterIP }}
+{{- end }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..739a67b775
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.schema.json
@@ -0,0 +1,353 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.yaml
new file mode 100644
index 0000000000..9975f92851
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.yaml
@@ -0,0 +1,202 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    # Set to a specific ClusterIP, or "" for automatic assignment
+    clusterIP: ""
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # The PodDisruptionBudget can be only enabled if autoscaling is enabled
+  # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
+
+  # When enabled, a default NetworkPolicy for gateways will be created
+  global:
+    networkPolicy:
+      enabled: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..f6afa92b6f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.28.0
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.28.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/README.md
new file mode 100644
index 0000000000..44f7b1d8ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..ba656bd7f8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,549 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..8a34ea8a8c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,407 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..4599945e9d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,401 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9ab43b5bf0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,45 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..3280c96b54
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,216 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..0ca21b9576
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,43 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..45943d3839
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..dcd1e3530c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a24ff9ee24
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,113 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..15107e745c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,314 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..9f7cdb01da
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..a5a6cf9ae8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,83 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..26a6c8f00d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,167 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..e844d5e5de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Webhook from kube-apiserver
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15017
+  # xDS from potentially anywhere
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15010
+    - protocol: TCP
+      port: 15011
+    - protocol: TCP
+      port: 15012
+    - protocol: TCP
+      port: 8080
+    - protocol: TCP
+      port: 15014
+  # Allow all egress (needed because features like JWKS require connections to user-defined endpoints)
+  egress:
+  - {}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..0ac37d1cdf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,41 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaleEnabled  (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..e0b0ff42a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,65 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..624f00dce6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-endpointslices.yaml
new file mode 100644
index 0000000000..e2f4ff03b6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-endpointslices.yaml
@@ -0,0 +1,42 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+    # only primary `istiod` to xds and local `istiod` injection installs.
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+    {{- else }}
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+    {{- end }}
+    {{- if .Release.Service }}
+    endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    {{- end }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+addressType: IPv4
+endpoints:
+- addresses:
+  - {{ .Values.global.remotePilotAddress }}
+ports:
+- port: 15012
+  name: tcp-istiod
+  protocol: TCP
+- port: 15017
+  name: tcp-webhook
+  protocol: TCP
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..ab14497bac
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..8abe608b66
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/role.yaml
@@ -0,0 +1,37 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..731964f04d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..c3aade8a49
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/service.yaml
@@ -0,0 +1,59 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ee40eedf81
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,26 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..838d9fbaf7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,65 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..6903b29b50
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,70 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..73202418ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/values.yaml
new file mode 100644
index 0000000000..1a28f38538
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/values.yaml
@@ -0,0 +1,583 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.28.0
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..b7b663e5b1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.28.0
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..1a28f38538
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/values.yaml
@@ -0,0 +1,583 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.28.0
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..00f9bcda39
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.28.0
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.28.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/README.md
new file mode 100644
index 0000000000..72ea6892e5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..b10e99cfa4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,212 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..18291716bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,51 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }}
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..d33c9fe137
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..e1146f3920
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..21364a58c7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/values.yaml
@@ -0,0 +1,136 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.28.0
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+  
+  # resourceScope controls what resources will be processed by helm.
+  # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+  # It can be one of:
+  # - all: all resources are processed
+  # - cluster: only cluster-scoped resources are processed
+  # - namespace: only namespace-scoped resources are processed
+  resourceScope: all
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/cni-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/cni-1.28.0.tgz.etag
new file mode 100644
index 0000000000..9235e27af3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/cni-1.28.0.tgz.etag
@@ -0,0 +1 @@
+1741dd04379cd554e8e6c432bc239a92
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/commit
new file mode 100644
index 0000000000..cfc730712d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/commit
@@ -0,0 +1 @@
+1.28.0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/gateway-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/gateway-1.28.0.tgz.etag
new file mode 100644
index 0000000000..573482ff7b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/gateway-1.28.0.tgz.etag
@@ -0,0 +1 @@
+2cf540e92003b760d6a99370aee68129
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/istiod-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/istiod-1.28.0.tgz.etag
new file mode 100644
index 0000000000..540dc3e240
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/istiod-1.28.0.tgz.etag
@@ -0,0 +1 @@
+b0f9abb423e3def023c9371eaef3a172
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/ztunnel-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/ztunnel-1.28.0.tgz.etag
new file mode 100644
index 0000000000..c8d4ec7888
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/ztunnel-1.28.0.tgz.etag
@@ -0,0 +1 @@
+77b68b902c4286f9d8f8814c14aab329
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/base-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/base-1.28.1.tgz.etag
new file mode 100644
index 0000000000..10e19fb89f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/base-1.28.1.tgz.etag
@@ -0,0 +1 @@
+18d6ebae74dd3e397808b235f5c67eaa
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/Chart.yaml
new file mode 100644
index 0000000000..2fd598dea5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.28.1
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.28.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..30049df989
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,55 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..dcd16e964f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,58 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..bb7a74ff48
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/values.yaml
new file mode 100644
index 0000000000..8353c57d6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/values.yaml
@@ -0,0 +1,45 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..71b8511b75
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.28.1
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.28.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/README.md
new file mode 100644
index 0000000000..f7e5cbd379
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..51af4ce7ff
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,84 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..60e3c28be8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,66 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..98bc60ac07
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..6d1dda2902
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,252 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+    {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+        {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..37ef7c3e6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,13 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..2e0be5ab40
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..17c8e64a9d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/values.yaml
new file mode 100644
index 0000000000..c38a2654d6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: ""
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Additional labels to apply on the daemonset level
+  daemonSetLabels: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.28.1
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..7032b53511
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.28.1
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.28.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/README.md
new file mode 100644
index 0000000000..6344859a22
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..ea2fab97b3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "gateway.name" . }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Gateway"
+    istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "gateway.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Status/health check port
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15021
+  # Metrics endpoints for monitoring/prometheus
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15020
+    - protocol: TCP
+      port: 15090
+  # Main gateway traffic ports
+{{- if .Values.service.ports }}
+{{- range .Values.service.ports }}
+  - from: []
+    ports:
+    - protocol: {{ .protocol | default "TCP" }}
+      port: {{ .targetPort | default .port }}
+{{- end }}
+{{- end }}
+  egress:
+  # Allow all egress (gateways need to reach external services, istiod, and other cluster services)
+  - {}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..91869a0ead
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.podDisruptionBudget }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaling.enabled  (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..f555e6c632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/service.yaml
@@ -0,0 +1,75 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+{{- with .Values.service.internalTrafficPolicy }}
+  internalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+{{- if not (eq .Values.service.clusterIP "") }}
+  clusterIP: {{ .Values.service.clusterIP }}
+{{- end }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..739a67b775
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.schema.json
@@ -0,0 +1,353 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.yaml
new file mode 100644
index 0000000000..9975f92851
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.yaml
@@ -0,0 +1,202 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    # Set to a specific ClusterIP, or "" for automatic assignment
+    clusterIP: ""
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # The PodDisruptionBudget can be only enabled if autoscaling is enabled
+  # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
+
+  # When enabled, a default NetworkPolicy for gateways will be created
+  global:
+    networkPolicy:
+      enabled: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..86d16f2284
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.28.1
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.28.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/README.md
new file mode 100644
index 0000000000..44f7b1d8ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..ba656bd7f8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,549 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..8a34ea8a8c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,407 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..7feed59a36
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,405 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- if eq .ControllerLabel "istio.io-eastwest-controller" }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: "{{ $network }}"
+        {{- end }}
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9ab43b5bf0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,45 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..3280c96b54
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,216 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..0ca21b9576
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,43 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..45943d3839
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..dcd1e3530c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a24ff9ee24
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,113 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..15107e745c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,314 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..9f7cdb01da
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..a5a6cf9ae8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,83 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..26a6c8f00d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,167 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..e844d5e5de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Webhook from kube-apiserver
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15017
+  # xDS from potentially anywhere
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15010
+    - protocol: TCP
+      port: 15011
+    - protocol: TCP
+      port: 15012
+    - protocol: TCP
+      port: 8080
+    - protocol: TCP
+      port: 15014
+  # Allow all egress (needed because features like JWKS require connections to user-defined endpoints)
+  egress:
+  - {}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..0ac37d1cdf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,41 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaleEnabled  (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..e0b0ff42a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,65 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..624f00dce6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-endpointslices.yaml
new file mode 100644
index 0000000000..e2f4ff03b6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-endpointslices.yaml
@@ -0,0 +1,42 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+    # only primary `istiod` to xds and local `istiod` injection installs.
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+    {{- else }}
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+    {{- end }}
+    {{- if .Release.Service }}
+    endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    {{- end }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+addressType: IPv4
+endpoints:
+- addresses:
+  - {{ .Values.global.remotePilotAddress }}
+ports:
+- port: 15012
+  name: tcp-istiod
+  protocol: TCP
+- port: 15017
+  name: tcp-webhook
+  protocol: TCP
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..ab14497bac
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..8abe608b66
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/role.yaml
@@ -0,0 +1,37 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..731964f04d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..c3aade8a49
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/service.yaml
@@ -0,0 +1,59 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ee40eedf81
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,26 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..838d9fbaf7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,65 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..6903b29b50
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,70 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..73202418ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/values.yaml
new file mode 100644
index 0000000000..e7c198a710
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/values.yaml
@@ -0,0 +1,583 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.28.1
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..33252c1b3d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.28.1
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..e7c198a710
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/values.yaml
@@ -0,0 +1,583 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.28.1
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..45347caab9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.28.1
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.28.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/README.md
new file mode 100644
index 0000000000..72ea6892e5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..b10e99cfa4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,212 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..18291716bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,51 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }}
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..d33c9fe137
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..e1146f3920
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..d49aba1e1d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/values.yaml
@@ -0,0 +1,136 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.28.1
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+  
+  # resourceScope controls what resources will be processed by helm.
+  # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+  # It can be one of:
+  # - all: all resources are processed
+  # - cluster: only cluster-scoped resources are processed
+  # - namespace: only namespace-scoped resources are processed
+  resourceScope: all
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/cni-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/cni-1.28.1.tgz.etag
new file mode 100644
index 0000000000..5c3eac5f35
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/cni-1.28.1.tgz.etag
@@ -0,0 +1 @@
+cd216a48dd11d6d2a8b8a5b626c4135c
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/commit
new file mode 100644
index 0000000000..450a687b2d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/commit
@@ -0,0 +1 @@
+1.28.1
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/gateway-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/gateway-1.28.1.tgz.etag
new file mode 100644
index 0000000000..f0958f6ffd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/gateway-1.28.1.tgz.etag
@@ -0,0 +1 @@
+aa1fffd54212764d07ed8b53120466d4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/istiod-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/istiod-1.28.1.tgz.etag
new file mode 100644
index 0000000000..a2ec0dd7b6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/istiod-1.28.1.tgz.etag
@@ -0,0 +1 @@
+46d3d78d4021ca730051fe389d19ccc8
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/ztunnel-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/ztunnel-1.28.1.tgz.etag
new file mode 100644
index 0000000000..05736d7616
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/ztunnel-1.28.1.tgz.etag
@@ -0,0 +1 @@
+7e182d4fa644f5d1441bf46643460739
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/base-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/base-1.28.2.tgz.etag
new file mode 100644
index 0000000000..cd7bf68d9b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/base-1.28.2.tgz.etag
@@ -0,0 +1 @@
+a451d9ebf87f9cd7f1a9ccb9d99208f0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/Chart.yaml
new file mode 100644
index 0000000000..caf6d26a1d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.28.2
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.28.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..30049df989
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,55 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..dcd16e964f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,58 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..bb7a74ff48
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/values.yaml
new file mode 100644
index 0000000000..8353c57d6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/values.yaml
@@ -0,0 +1,45 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..192d1773be
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.28.2
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.28.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/README.md
new file mode 100644
index 0000000000..f7e5cbd379
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..51af4ce7ff
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,84 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..60e3c28be8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,66 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..98bc60ac07
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..6d1dda2902
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,252 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+    {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+        {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..37ef7c3e6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,13 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..2e0be5ab40
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..17c8e64a9d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/values.yaml
new file mode 100644
index 0000000000..c2273d89f5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: ""
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Additional labels to apply on the daemonset level
+  daemonSetLabels: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.28.2
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..c4d6c29618
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.28.2
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.28.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/README.md
new file mode 100644
index 0000000000..6344859a22
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..ea2fab97b3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "gateway.name" . }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Gateway"
+    istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "gateway.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Status/health check port
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15021
+  # Metrics endpoints for monitoring/prometheus
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15020
+    - protocol: TCP
+      port: 15090
+  # Main gateway traffic ports
+{{- if .Values.service.ports }}
+{{- range .Values.service.ports }}
+  - from: []
+    ports:
+    - protocol: {{ .protocol | default "TCP" }}
+      port: {{ .targetPort | default .port }}
+{{- end }}
+{{- end }}
+  egress:
+  # Allow all egress (gateways need to reach external services, istiod, and other cluster services)
+  - {}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..91869a0ead
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.podDisruptionBudget }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaling.enabled  (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..f555e6c632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/service.yaml
@@ -0,0 +1,75 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+{{- with .Values.service.internalTrafficPolicy }}
+  internalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+{{- if not (eq .Values.service.clusterIP "") }}
+  clusterIP: {{ .Values.service.clusterIP }}
+{{- end }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..739a67b775
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.schema.json
@@ -0,0 +1,353 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.yaml
new file mode 100644
index 0000000000..9975f92851
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.yaml
@@ -0,0 +1,202 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    # Set to a specific ClusterIP, or "" for automatic assignment
+    clusterIP: ""
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # The PodDisruptionBudget can be only enabled if autoscaling is enabled
+  # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
+
+  # When enabled, a default NetworkPolicy for gateways will be created
+  global:
+    networkPolicy:
+      enabled: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..34b7ec7aa6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.28.2
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.28.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/README.md
new file mode 100644
index 0000000000..44f7b1d8ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..ba656bd7f8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,549 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..8a34ea8a8c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,407 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..7feed59a36
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,405 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- if eq .ControllerLabel "istio.io-eastwest-controller" }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: "{{ $network }}"
+        {{- end }}
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9ab43b5bf0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,45 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..3280c96b54
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,216 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..0ca21b9576
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,43 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..45943d3839
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..dcd1e3530c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a24ff9ee24
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,113 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..15107e745c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,314 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..9f7cdb01da
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..a5a6cf9ae8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,83 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..26a6c8f00d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,167 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..e844d5e5de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Webhook from kube-apiserver
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15017
+  # xDS from potentially anywhere
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15010
+    - protocol: TCP
+      port: 15011
+    - protocol: TCP
+      port: 15012
+    - protocol: TCP
+      port: 8080
+    - protocol: TCP
+      port: 15014
+  # Allow all egress (needed because features like JWKS require connections to user-defined endpoints)
+  egress:
+  - {}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..0ac37d1cdf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,41 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaleEnabled  (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..e0b0ff42a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,65 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..624f00dce6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-endpointslices.yaml
new file mode 100644
index 0000000000..e2f4ff03b6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-endpointslices.yaml
@@ -0,0 +1,42 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+    # only primary `istiod` to xds and local `istiod` injection installs.
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+    {{- else }}
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+    {{- end }}
+    {{- if .Release.Service }}
+    endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    {{- end }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+addressType: IPv4
+endpoints:
+- addresses:
+  - {{ .Values.global.remotePilotAddress }}
+ports:
+- port: 15012
+  name: tcp-istiod
+  protocol: TCP
+- port: 15017
+  name: tcp-webhook
+  protocol: TCP
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..ab14497bac
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..8abe608b66
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/role.yaml
@@ -0,0 +1,37 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..731964f04d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..c3aade8a49
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/service.yaml
@@ -0,0 +1,59 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ee40eedf81
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,26 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..838d9fbaf7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,65 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..6903b29b50
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,70 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..73202418ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/values.yaml
new file mode 100644
index 0000000000..b6c13bf43e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/values.yaml
@@ -0,0 +1,583 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.28.2
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..3e1c166f51
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.28.2
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..b6c13bf43e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/values.yaml
@@ -0,0 +1,583 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.28.2
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..8678090017
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.28.2
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.28.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/README.md
new file mode 100644
index 0000000000..72ea6892e5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..b10e99cfa4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,212 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..18291716bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,51 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }}
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..d33c9fe137
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..e1146f3920
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..a3ae5e7edf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/values.yaml
@@ -0,0 +1,136 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.28.2
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+  
+  # resourceScope controls what resources will be processed by helm.
+  # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+  # It can be one of:
+  # - all: all resources are processed
+  # - cluster: only cluster-scoped resources are processed
+  # - namespace: only namespace-scoped resources are processed
+  resourceScope: all
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/cni-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/cni-1.28.2.tgz.etag
new file mode 100644
index 0000000000..74ab39357b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/cni-1.28.2.tgz.etag
@@ -0,0 +1 @@
+d6a48ca4cd966b435a0517b2006312c8
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/commit
new file mode 100644
index 0000000000..bf4df28efc
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/commit
@@ -0,0 +1 @@
+1.28.2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/gateway-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/gateway-1.28.2.tgz.etag
new file mode 100644
index 0000000000..6034648ad8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/gateway-1.28.2.tgz.etag
@@ -0,0 +1 @@
+463bbd84d9bf1ba34b6550b054f543d8
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/istiod-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/istiod-1.28.2.tgz.etag
new file mode 100644
index 0000000000..9fc37e115f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/istiod-1.28.2.tgz.etag
@@ -0,0 +1 @@
+02466bd34e6fdcdacbfb4e925e72ba51
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/ztunnel-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/ztunnel-1.28.2.tgz.etag
new file mode 100644
index 0000000000..8f088c28c3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/ztunnel-1.28.2.tgz.etag
@@ -0,0 +1 @@
+9091d2b23f4401c30063ade1fd73a7d2
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/base-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/base-1.28.3.tgz.etag
new file mode 100644
index 0000000000..d425be4008
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/base-1.28.3.tgz.etag
@@ -0,0 +1 @@
+e96f57338a9da3e1c3e1b08a768607c4
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/Chart.yaml
new file mode 100644
index 0000000000..a3d44a4238
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.28.3
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.28.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..30049df989
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,55 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..dcd16e964f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,58 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..bb7a74ff48
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/values.yaml
new file mode 100644
index 0000000000..8353c57d6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/values.yaml
@@ -0,0 +1,45 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..61996e2b20
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.28.3
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.28.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/README.md
new file mode 100644
index 0000000000..f7e5cbd379
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..51af4ce7ff
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,84 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..60e3c28be8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,66 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..98bc60ac07
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..6d1dda2902
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,252 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+    {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+        {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: '1'
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: '1'
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..37ef7c3e6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,13 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..2e0be5ab40
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..17c8e64a9d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/values.yaml
new file mode 100644
index 0000000000..a7b72fe037
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/values.yaml
@@ -0,0 +1,192 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: ""
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Additional labels to apply on the daemonset level
+  daemonSetLabels: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This will eventually be enabled by default
+    reconcileIptablesOnStartup: false
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+
+    # Default tag for Istio images.
+    tag: 1.28.3
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..d41b4ee178
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.28.3
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.28.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/README.md
new file mode 100644
index 0000000000..6344859a22
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..ea2fab97b3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "gateway.name" . }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Gateway"
+    istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "gateway.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Status/health check port
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15021
+  # Metrics endpoints for monitoring/prometheus
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15020
+    - protocol: TCP
+      port: 15090
+  # Main gateway traffic ports
+{{- if .Values.service.ports }}
+{{- range .Values.service.ports }}
+  - from: []
+    ports:
+    - protocol: {{ .protocol | default "TCP" }}
+      port: {{ .targetPort | default .port }}
+{{- end }}
+{{- end }}
+  egress:
+  # Allow all egress (gateways need to reach external services, istiod, and other cluster services)
+  - {}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..91869a0ead
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.podDisruptionBudget }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaling.enabled  (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..d172364d0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/service.yaml
@@ -0,0 +1,78 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+{{- with .Values.service.internalTrafficPolicy }}
+  internalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+{{- if not (eq .Values.service.clusterIP "") }}
+  clusterIP: {{ .Values.service.clusterIP }}
+{{- end }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+    {{- with .Values.service.selectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..9263245a24
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.schema.json
@@ -0,0 +1,359 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "selectorLabels": {
+              "type": "object",
+              "additionalProperties": {
+                "type": "string"
+              }
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.yaml
new file mode 100644
index 0000000000..d463634ec4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.yaml
@@ -0,0 +1,204 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    # Set to a specific ClusterIP, or "" for automatic assignment
+    clusterIP: ""
+    # Additional labels to add to the service selector
+    selectorLabels: {}
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # The PodDisruptionBudget can be only enabled if autoscaling is enabled
+  # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
+
+  # When enabled, a default NetworkPolicy for gateways will be created
+  global:
+    networkPolicy:
+      enabled: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..c1e3222117
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.28.3
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.28.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/README.md
new file mode 100644
index 0000000000..44f7b1d8ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..bc15ee3c31
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,274 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..6e3102e4c8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..ba656bd7f8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,549 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: istio-ca-crl
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..8a34ea8a8c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,407 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..7feed59a36
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,405 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- if eq .ControllerLabel "istio.io-eastwest-controller" }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: "{{ $network }}"
+        {{- end }}
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1beta1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9ab43b5bf0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,45 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..3280c96b54
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,216 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..0ca21b9576
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,43 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..45943d3839
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..dcd1e3530c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a24ff9ee24
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,113 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..15107e745c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,314 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+                divisor: "1"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..9f7cdb01da
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..a5a6cf9ae8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,83 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..26a6c8f00d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,167 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..e844d5e5de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Webhook from kube-apiserver
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15017
+  # xDS from potentially anywhere
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15010
+    - protocol: TCP
+      port: 15011
+    - protocol: TCP
+      port: 15012
+    - protocol: TCP
+      port: 8080
+    - protocol: TCP
+      port: 15014
+  # Allow all egress (needed because features like JWKS require connections to user-defined endpoints)
+  egress:
+  - {}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..0ac37d1cdf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,41 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaleEnabled  (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..e0b0ff42a4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,65 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..624f00dce6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-endpointslices.yaml
new file mode 100644
index 0000000000..e2f4ff03b6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-endpointslices.yaml
@@ -0,0 +1,42 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+    # only primary `istiod` to xds and local `istiod` injection installs.
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+    {{- else }}
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+    {{- end }}
+    {{- if .Release.Service }}
+    endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    {{- end }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+addressType: IPv4
+endpoints:
+- addresses:
+  - {{ .Values.global.remotePilotAddress }}
+ports:
+- port: 15012
+  name: tcp-istiod
+  protocol: TCP
+- port: 15017
+  name: tcp-webhook
+  protocol: TCP
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..ab14497bac
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..8abe608b66
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/role.yaml
@@ -0,0 +1,37 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..731964f04d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..c3aade8a49
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/service.yaml
@@ -0,0 +1,59 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ee40eedf81
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,26 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..838d9fbaf7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,65 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..6903b29b50
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,70 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..73202418ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/values.yaml
new file mode 100644
index 0000000000..875383ea24
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/values.yaml
@@ -0,0 +1,583 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.28.3
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..a7e92aab5c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.28.3
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..875383ea24
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/values.yaml
@@ -0,0 +1,583 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-release
+    # Default tag for Istio images.
+    tag: 1.28.3
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+  
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..d09d91961e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.28.3
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.28.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/README.md
new file mode 100644
index 0000000000..72ea6892e5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..d04117bfc0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,14 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..8fe80112bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,11 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..209157cccf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,9 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..b10e99cfa4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,212 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..18291716bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,51 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }}
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..d33c9fe137
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..e1146f3920
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..873922159a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/values.yaml
@@ -0,0 +1,136 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-release
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.28.3
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+  
+  # resourceScope controls what resources will be processed by helm.
+  # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+  # It can be one of:
+  # - all: all resources are processed
+  # - cluster: only cluster-scoped resources are processed
+  # - namespace: only namespace-scoped resources are processed
+  resourceScope: all
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/cni-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/cni-1.28.3.tgz.etag
new file mode 100644
index 0000000000..45b88f41b7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/cni-1.28.3.tgz.etag
@@ -0,0 +1 @@
+2fdce22e41dcf85b354a52ac22b38545
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/commit
new file mode 100644
index 0000000000..ac786b6454
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/commit
@@ -0,0 +1 @@
+1.28.3
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/gateway-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/gateway-1.28.3.tgz.etag
new file mode 100644
index 0000000000..6d14181372
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/gateway-1.28.3.tgz.etag
@@ -0,0 +1 @@
+87531546798e63fea2011e05bf043b92
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/istiod-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/istiod-1.28.3.tgz.etag
new file mode 100644
index 0000000000..a2304b67bb
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/istiod-1.28.3.tgz.etag
@@ -0,0 +1 @@
+80b4ccabd73127664f7e5eb5ee7ae6c9
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/ztunnel-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/ztunnel-1.28.3.tgz.etag
new file mode 100644
index 0000000000..c12377522e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/ztunnel-1.28.3.tgz.etag
@@ -0,0 +1 @@
+f1b915596d91081396743c9ab367bdf0
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/base-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/base-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
new file mode 100644
index 0000000000..be95f27973
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/base-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
@@ -0,0 +1 @@
+6a20fbde6cc3450b90a670098b456adb
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/Chart.yaml
new file mode 100644
index 0000000000..a7b4621365
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/README.md
new file mode 100644
index 0000000000..ae8f6d5b0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..842aaf17de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,22 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+     # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25
+    reconcileIptablesOnStartup: false
+
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..f30e143133
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,18 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..b842b0914c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.28.yaml
new file mode 100644
index 0000000000..3d378691a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-compatibility-version-1.28.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/NOTES.txt
new file mode 100644
index 0000000000..f12616f578
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..30049df989
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml
@@ -0,0 +1,55 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-default-policy.istio.io"
+  labels:
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-default-policy-binding.istio.io"
+spec:
+  policyName: "stable-channel-default-policy.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..dcd16e964f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml
@@ -0,0 +1,58 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 0000000000..bb7a74ff48
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This singleton service account aggregates reader permissions for the revisions in a given cluster
+# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be,
+# as otherwise compromising the token for this SA would give you access to *every* installed revision.
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/values.yaml
new file mode 100644
index 0000000000..8353c57d6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/base/values.yaml
@@ -0,0 +1,45 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+  base:
+    # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true.
+    # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`.
+    # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set.
+    excludedCRDs: []
+    # Helm (as of V3) does not support upgrading CRDs, because it is not universally
+    # safe for them to support this.
+    # Istio as a project enforces certain backwards-compat guarantees that allow us
+    # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs
+    # as standard K8S resources in Helm, and disable Helm's CRD management. See also:
+    # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
+    enableCRDTemplates: true
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+    # Validation webhook caBundle value. Useful when running pilot with a well known cert
+    validationCABundle: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/Chart.yaml
new file mode 100644
index 0000000000..e40fc0d225
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/README.md
new file mode 100644
index 0000000000..f7e5cbd379
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..842aaf17de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,22 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+     # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25
+    reconcileIptablesOnStartup: false
+
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..f30e143133
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,18 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..b842b0914c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.28.yaml
new file mode 100644
index 0000000000..3d378691a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-compatibility-version-1.28.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/NOTES.txt
new file mode 100644
index 0000000000..fb35525b99
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/_helpers.tpl
new file mode 100644
index 0000000000..73cc17b2f6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/_helpers.tpl
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/clusterrole.yaml
new file mode 100644
index 0000000000..51af4ce7ff
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/clusterrole.yaml
@@ -0,0 +1,84 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: ["security.openshift.io"] 
+  resources: ["securitycontextconstraints"] 
+  resourceNames: ["privileged"] 
+  verbs: ["use"]
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-repair-role
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets"]
+  resourceNames: ["{{ template "name" . }}-node"]
+  verbs: ["get"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..60e3c28be8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,66 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-repair-rolebinding
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-repair-role
+{{- end }}
+---
+{{- if .Values.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "name" . }}-ambient
+  labels:
+    k8s-app: {{ template "name" . }}-repair
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "name" . }}
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "name" . }}-ambient
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/configmap-cni.yaml
new file mode 100644
index 0000000000..9b5dd47925
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/configmap-cni.yaml
@@ -0,0 +1,44 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "name" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }}
+  AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }}
+  AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }}
+  AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote  }}
+  AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }}
+  AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }}
+  ENABLE_AMBIENT_DETECTION_RETRY: {{ .Values.ambient.enableAmbientDetectionRetry | quote }}
+  {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values
+  CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires..
+  {{- end }}
+  ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }}
+  {{- if .Values.istioOwnedCNIConfig }}
+  ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }}
+  {{- end }}
+  CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }}
+  EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}"
+  REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}
+  REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }}
+  REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }}
+  REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }}
+  REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
+  REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
+  REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+  NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }}
+  {{- with .Values.env }}
+  {{- range $key, $val := . }}
+  {{ $key }}: "{{ $val }}"
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/daemonset.yaml
new file mode 100644
index 0000000000..0be2784012
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/daemonset.yaml
@@ -0,0 +1,252 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+#
+# $detectedBinDir exists to support a GKE-specific platform override,
+# and is deprecated in favor of using the explicit `gke` platform profile.
+{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+    "/home/kubernetes/bin"
+    "/opt/cni/bin"
+}}
+{{- if .Values.cniBinDir }}
+{{ $detectedBinDir = .Values.cniBinDir }}
+{{- end }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  # Note that this is templated but evaluates to a fixed name
+  # which the CNI plugin may fall back onto in some failsafe scenarios.
+  # if this name is changed, CNI plugin logic that checks for this name
+  # format should also be updated.
+  name: {{ template "name" . }}-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+    {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        k8s-app: {{ template "name" . }}-node
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: {{ template "name" . }}
+        {{- include "istio.labels" . | nindent 8 }}
+        {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Add AppArmor annotation
+        # This is required to avoid conflicts with AppArmor profiles which block certain
+        # privileged pod capabilities.
+        # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the
+        # securityContext which is otherwise preferred.
+        container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
+        # Custom annotations
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+{{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: system-node-critical
+      serviceAccountName: {{ template "name" . }}
+      # Time to allow for graceful CNI cleanup during pod termination.
+      # Configurable via values.yaml to prevent race conditions during rolling updates.
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+          - containerPort: 15014
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            privileged: false
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+            # Both ambient and sidecar repair mode require elevated node privileges to function.
+            # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+            # add capabilities based on feature.
+            capabilities:
+              drop:
+              - ALL
+              add:
+              # CAP_NET_ADMIN is required to allow ipset and route table access
+              - NET_ADMIN
+              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+              - NET_RAW
+              # CAP_SYS_PTRACE is required for repair and ambient mode to describe
+              # the pod's network namespace.
+              - SYS_PTRACE
+              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+              # network namespaces in `/proc` to obtain descriptors for entering pod network
+              # namespaces. There does not appear to be a more granular capability for this.
+              - SYS_ADMIN
+              # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose
+              # the typical ability to read/write to folders owned by others.
+              # This can cause problems if the hostPath mounts we use, which we require write access into,
+              # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder.
+              - DAC_OVERRIDE
+{{- if .Values.seLinuxOptions }}
+{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }}
+            seLinuxOptions:
+{{ toYaml . | trim | indent 14 }}
+{{- end }}
+{{- end }}
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if or .Values.logging.level .Values.global.logging.level }}
+            - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          envFrom:
+            - configMapRef:
+                name: {{ template "name" . }}-config
+          env:
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }}
+            - name: ALLOW_SWITCH_TO_HOST_NS
+              value: "true"
+            {{- end }}
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: "1"
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: "1"
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            {{- if .Values.env }}
+            {{- range $key, $val := .Values.env }}
+            - name: {{ $key }}
+              value: "{{ $val }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ $detectedBinDir }}
+        {{- if or .Values.repair.repairPods .Values.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ .Values.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cniNetnsDir }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..37ef7c3e6d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,13 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if eq .Values.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ template "name" . }}
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..a30df776db
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/networkpolicy.yaml
@@ -0,0 +1,36 @@
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: {{ template "name" . }}-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: {{ template "name" . }}-node
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Metrics endpoint for monitoring/prometheus
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15014
+  # Readiness probe endpoint
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 8000
+  egress:
+  # Allow DNS resolution and access to Kubernetes API server.
+  # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now.
+  - {}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 0000000000..2e0be5ab40
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ template "name" . }}-resource-quota
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..17c8e64a9d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ template "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "name" . }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    operator.istio.io/component: "Cni"
+    app.kubernetes.io/name: {{ template "name" . }}
+    {{- include "istio.labels" . | nindent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..a9584ac29f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/values.yaml
new file mode 100644
index 0000000000..c0a7197d3c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/cni/values.yaml
@@ -0,0 +1,204 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  hub: ""
+  tag: ""
+  variant: ""
+  image: install-cni
+  pullPolicy: ""
+
+  # Same as `global.logging.level`, but will override it if set
+  logging:
+    level: ""
+
+  # Configuration file to insert istio-cni plugin configuration
+  # by default this will be the first file found in the cni-conf-dir
+  # Example
+  # cniConfFileName: 10-calico.conflist
+
+  # CNI-and-platform specific path defaults.
+  # These may need to be set to platform-specific values, consult
+  # overrides for your platform in `manifests/helm-profiles/platform-*.yaml`
+  cniBinDir: /opt/cni/bin
+  cniConfDir: /etc/cni/net.d
+  cniConfFileName: ""
+  cniNetnsDir: "/var/run/netns"
+
+  # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist
+  istioOwnedCNIConfigFileName: ""
+  istioOwnedCNIConfig: false
+
+  excludeNamespaces:
+    - kube-system
+
+  # Allows user to set custom affinity for the DaemonSet
+  affinity: {}
+
+  # Additional labels to apply on the daemonset level
+  daemonSetLabels: {}
+
+  # Custom annotations on pod level, if you need them
+  podAnnotations: {}
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+  # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+  chained: true
+
+  # Custom configuration happens based on the CNI provider.
+  # Possible values: "default", "multus"
+  provider: "default"
+
+  # Configure ambient settings
+  ambient:
+    # If enabled, ambient redirection will be enabled
+    enabled: false
+    # If ambient is enabled, this selector will be used to identify the ambient-enabled pods
+    enablementSelectors: 
+    - podSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    - podSelector:
+        matchExpressions:
+        - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] }
+      namespaceSelector:
+        matchLabels: {istio.io/dataplane-mode: ambient}
+    # Set ambient config dir path: defaults to /etc/ambient-config
+    configDir: ""
+    # If enabled, and ambient is enabled, DNS redirection will be enabled
+    dnsCapture: true
+    # If enabled, and ambient is enabled, enables ipv6 support
+    ipv6: true
+    # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup.
+    # This is enabled by default
+    reconcileIptablesOnStartup: true
+    # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on
+    shareHostNetworkNamespace: false
+    # If enabled, the CNI agent will retry checking if a pod is ambient enabled when there are errors
+    enableAmbientDetectionRetry: false
+
+
+  repair:
+    enabled: true
+    hub: ""
+    tag: ""
+
+    # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+    # This defines the action the controller will take when a pod is detected as broken.
+
+    # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+    # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+    # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+    labelPods: false
+    # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+    # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+    deletePods: false
+    # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+    # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+    # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+    repairPods: true
+
+    initContainerName: "istio-validation"
+
+    brokenPodLabelKey: "cni.istio.io/uninitialized"
+    brokenPodLabelValue: "true"
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms.
+  seLinuxOptions: {}
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  tolerations:
+    # Make sure istio-cni-node gets scheduled on all nodes.
+    - effect: NoSchedule
+      operator: Exists
+    # Mark the pod as a critical add-on for rescheduling.
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  # A higher value gives more time for CNI cleanup during rolling updates,
+  # preventing "failed to find plugin istio-cni" errors.
+  # Default K8s value is 30 seconds.
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-testing
+
+    # Default tag for Istio images.
+    tag: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: info
+
+    logAsJson: false
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/Chart.yaml
new file mode 100644
index 0000000000..0d47c629a6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/README.md
new file mode 100644
index 0000000000..6344859a22
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..842aaf17de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,22 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+     # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25
+    reconcileIptablesOnStartup: false
+
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..f30e143133
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,18 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..b842b0914c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.28.yaml
new file mode 100644
index 0000000000..3d378691a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-compatibility-version-1.28.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/NOTES.txt
new file mode 100644
index 0000000000..fd0142911a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 0000000000..e5a0a9b3c2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/deployment.yaml
new file mode 100644
index 0000000000..1d8f93a472
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: {{ include "gateway.name" . }}
+        {{- include "istio.labels" .  | nindent 8}}
+        {{- range $key, $val := .Values.labels }}
+        {{- if and (ne $key "app") (ne $key "istio") }}
+        {{ $key | quote }}: {{ $val | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.networkGateway }}
+        topology.istio.io/network: "{{.}}"
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq (.Values.platform | default "") "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/hpa.yaml
new file mode 100644
index 0000000000..64ecb6a4cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..ea2fab97b3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "gateway.name" . }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Gateway"
+    istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "gateway.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Status/health check port
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15021
+  # Metrics endpoints for monitoring/prometheus
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15020
+    - protocol: TCP
+      port: 15090
+  # Main gateway traffic ports
+{{- if .Values.service.ports }}
+{{- range .Values.service.ports }}
+  - from: []
+    ports:
+    - protocol: {{ .protocol | default "TCP" }}
+      port: {{ .targetPort | default .port }}
+{{- end }}
+{{- end }}
+  egress:
+  # Allow all egress (gateways need to reach external services, istiod, and other cluster services)
+  - {}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..91869a0ead
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.podDisruptionBudget }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaling.enabled  (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/role.yaml
new file mode 100644
index 0000000000..3d16079632
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/service.yaml
new file mode 100644
index 0000000000..d172364d0e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/service.yaml
@@ -0,0 +1,78 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+  {{- if hasKey .Values.service "loadBalancerClass" }}
+  loadBalancerClass: {{ .Values.service.loadBalancerClass }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+{{- with .Values.service.internalTrafficPolicy }}
+  internalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+{{- if not (eq .Values.service.clusterIP "") }}
+  clusterIP: {{ .Values.service.clusterIP }}
+{{- end }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+    {{- with .Values.service.selectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..c88afeadd3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gateway.name" . }}
+    {{- include "istio.labels" . | nindent 4}}
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/values.schema.json
new file mode 100644
index 0000000000..553de55439
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/values.schema.json
@@ -0,0 +1,363 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "$defs": {
+    "values": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "_internal_defaults_do_not_set": {
+          "type": "object"
+        },
+        "global": {
+          "type": "object"
+        },
+        "enabled": {
+          "description": "Field used as a condition when this chart is included as a dependency. It's allowed in the schema, but the chart itself does not read it. For more information see: https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags.",
+          "type": "boolean"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "envVarFrom": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": { "type": "string" },
+              "valueFrom": { "type": "object" }
+            }
+          }
+        },
+        "strategy": {
+          "type": "object"
+        },
+        "minReadySeconds": {
+          "type": [ "null", "integer" ]
+        },
+        "readinessProbe": {
+          "type": [ "null", "object" ]
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            },
+            "requests": {
+              "type": ["object", "null"],
+              "properties": {
+                "cpu": {
+                  "type": ["string", "null"]
+                },
+                "memory": {
+                  "type": ["string", "null"]
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "defaultRevision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "profile": {
+          "type": "string"
+        },
+        "platform": {
+          "type": "string"
+        },
+        "pilot": {
+          "type": "object"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "selectorLabels": {
+              "type": "object",
+              "additionalProperties": {
+                "type": "string"
+              }
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "initContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "additionalContainers": {
+          "type": "array",
+          "items": { "type": "object" }
+        },
+        "priorityClassName": {
+          "type": "string"
+        },
+        "lifecycle": {
+          "type": "object",
+          "properties": {
+            "postStart": {
+              "type": "object"
+            },
+            "preStop": {
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/values.yaml
new file mode 100644
index 0000000000..d463634ec4
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/gateway/values.yaml
@@ -0,0 +1,204 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    # Set to a specific ClusterIP, or "" for automatic assignment
+    clusterIP: ""
+    # Additional labels to add to the service selector
+    selectorLabels: {}
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Use envVarFrom to define full environment variable entries with complex sources,
+  # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`.
+  #
+  # Example:
+  # envVarFrom:
+  #   - name: EXAMPLE_SECRET
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: example-name
+  #         key: example-key
+  envVarFrom: []
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # The PodDisruptionBudget can be only enabled if autoscaling is enabled
+  # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Inject initContainers into the Gateway Pods.
+  initContainers: []
+
+  # Inject additional containers into the Gateway Pods.
+  additionalContainers: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
+
+  # Configure the lifecycle hooks for the gateway. See
+  # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/.
+  lifecycle: {}
+
+  # When enabled, a default NetworkPolicy for gateways will be created
+  global:
+    networkPolicy:
+      enabled: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/Chart.yaml
new file mode 100644
index 0000000000..15f25b72b0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/README.md
new file mode 100644
index 0000000000..44f7b1d8ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/agentgateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/agentgateway.yaml
new file mode 100644
index 0000000000..ca55352712
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/agentgateway.yaml
@@ -0,0 +1,306 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" "istio.io-agentgateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" "istio.io-agentgateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start # allows binding to 80 and 443 without root
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: agentgateway
+      {{- if contains "/" (annotation .ObjectMeta `gateway.istio.io/agentgatewayImage` .Values.global.agentgateway.image) }}
+        image: "{{ annotation .ObjectMeta `gateway.istio.io/agentgatewayImage` .Values.global.agentgateway.image }}"
+      {{- else }}
+        image: "{{ .AgentgatewayImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "10101" }}
+          runAsGroup: {{ .ProxyGID | default "10101" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        args:
+        - --config
+        - '{}'
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+              divisor: "1"
+        - name: GATEWAY
+          value: {{.Name|quote}}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        - name: XDS_ADDRESS
+          value: {{ .ProxyConfig.DiscoveryAddress | quote }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /var/run/secrets/xds
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/xds-tokens
+          name: istio-token
+        - mountPath: /tmp
+          name: tmp
+      volumes:
+      - emptyDir: {}
+        name: tmp
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: xds-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 0000000000..3b7c71cfaf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,277 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations:
+    istio.io/rev: {{ .Revision | default "default" | quote }}
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+    {{- end }}
+    {{- end }}
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+          divisor: "1"
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+          divisor: "1"
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+          divisor: "1"
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 0000000000..3b9240e36c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,318 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }}
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }}
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }}
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }}
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 0000000000..9ba0c7a46a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/injection-template.yaml
new file mode 100644
index 0000000000..82ef167172
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,552 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }}
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }}
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }}
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }}
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
+{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }}
+{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.pilot.cni.enabled }}
+    {{- if eq .Values.pilot.cni.provider "multus" }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  {{- $noInitContainer := and
+      (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+      (not $nativeSidecar) }}
+  {{ if $noInitContainer }}
+  initContainers: []
+  {{ else -}}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.pilot.cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+    {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.pilot.cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+    - "--force-apply"
+    {{ end -}}
+    {{ if .Values.global.nativeNftables -}}
+    - "--native-nftables"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.pilot.cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.pilot.cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+      runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
+      runAsNonRoot: true
+    {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+  {{ end -}}
+  {{ end -}}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.outlierLogPath }}
+    - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+  {{- end}}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq .InboundTrafficPolicyMode "localhost" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+          divisor: "1"
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+          divisor: "1"
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+          divisor: "1"
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ . }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or $tproxy $capNetBindService -}}
+        add:
+        {{ if $tproxy -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if $capNetBindService -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: true
+      {{ if or $tproxy $capNetBindService -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      runAsGroup: 1337
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    {{- if .Values.global.proxy.seccompProfile }}
+      seccompProfile:
+    {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }}
+    {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/run/secrets/istio/crl
+      name: istio-ca-crl
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+  {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+          path: root-cert.pem
+  {{- else }}
+    configMap:
+      name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+  {{- end }}
+  {{- end }}
+  - name: istio-ca-crl
+    configMap:
+      name: {{ .Values.pilot.crlConfigMapName | default "istio-ca-crl" }}
+      optional: true
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/kube-gateway.yaml
new file mode 100644
index 0000000000..8d909beb83
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/kube-gateway.yaml
@@ -0,0 +1,410 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" "istio.io-gateway-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" "istio.io-gateway-controller"
+          ) | nindent 8 }}
+    spec:
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- if .Values.gateways.seccompProfile }}
+        seccompProfile:
+      {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+      {{- end }}
+        env:
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+              divisor: "1"
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+              divisor: "1"
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+              divisor: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+      {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..842aaf17de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,22 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+     # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25
+    reconcileIptablesOnStartup: false
+
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..f30e143133
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,18 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..b842b0914c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.28.yaml
new file mode 100644
index 0000000000..3d378691a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-compatibility-version-1.28.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/waypoint.yaml
new file mode 100644
index 0000000000..644d8780c3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,408 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  {{- if ge .KubeVersion 128 }}
+  # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+  {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+        "gateway.istio.io/managed" .ControllerLabel
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "istio.io/dataplane-mode" "none"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+            "gateway.istio.io/managed" .ControllerLabel
+          ) | nindent 8}}
+    spec:
+      {{- if .Values.global.waypoint.affinity }}
+      affinity:
+      {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.waypoint.tolerations }}
+      tolerations:
+      {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15020
+          name: metrics
+          protocol: TCP
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        {{- if .Values.global.proxy.outlierLogPath }}
+        - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+        {{- end}}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+              divisor: "1"
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+              divisor: "1"
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+              divisor: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- if eq .ControllerLabel "istio.io-eastwest-controller" }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: "{{ $network }}"
+        {{- end }}
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- if .Values.global.waypoint.resources }}
+        resources:
+        {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+        {{- if not (eq .Values.global.platform "openshift") }}
+          runAsGroup: 1337
+          runAsUser: 1337
+        {{- end }}
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
+{{- if .Values.gateways.seccompProfile }}
+          seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/workload-spiffe-uds
+          name: workload-socket
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: istiod-ca-cert
+      {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+      {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap
+      (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+      (omit .InfrastructureAnnotations
+        "kubectl.kubernetes.io/last-applied-configuration"
+        "gateway.istio.io/name-override"
+        "gateway.istio.io/service-account"
+        "gateway.istio.io/controller-version"
+      ) | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ipFamilyPolicy: PreferDualStack
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name:  {{.DeploymentName | quote}}
+  maxReplicas: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+          .InfrastructureLabels
+          (strdict
+          "gateway.networking.k8s.io/gateway-name" .Name
+          "gateway.networking.k8s.io/gateway-class-name" .GatewayClass
+          ) | nindent 4 }}
+  ownerReferences:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: Gateway
+      name: {{.Name}}
+      uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      gateway.networking.k8s.io/gateway-name: {{.Name|quote}}
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/NOTES.txt
new file mode 100644
index 0000000000..0d07ea7f4c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,82 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+  * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+  * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+    "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
+{{- if eq $.Values.global.pilotCertProvider "kubernetes" }}
+{{- fail "pilotCertProvider=kubernetes is not supported" }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 0000000000..042c92538d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 0000000000..9ab43b5bf0
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,45 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  maxReplicas: {{ .Values.autoscaleMax }}
+  minReplicas: {{ .Values.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+  {{- if .Values.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 0000000000..3280c96b54
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,216 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update", "patch"]
+    resources:
+    - authorizationpolicies/status
+    - destinationrules/status
+    - envoyfilters/status
+    - gateways/status
+    - peerauthentications/status
+    - proxyconfigs/status
+    - requestauthentications/status
+    - serviceentries/status
+    - sidecars/status
+    - telemetries/status
+    - virtualservices/status
+    - wasmplugins/status
+    - workloadentries/status
+    - workloadgroups/status
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status",  "serviceentries/status" ]
+  - apiGroups: ["security.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "authorizationpolicies/status" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch"]
+{{- end }}
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["clustertrustbundles"]
+    verbs: ["update", "create", "delete", "list", "watch", "get"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources: ["signers"]
+    resourceNames: ["istio.io/istiod-ca"]
+    verbs: ["attest"]
+{{- end }}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["gateway.networking.x-k8s.io"]
+    resources:
+    - xbackendtrafficpolicies/status
+    - xlistenersets/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources:
+    - backendtlspolicies/status
+    - gatewayclasses/status
+    - gateways/status
+    - grpcroutes/status
+    - httproutes/status
+    - referencegrants/status
+    - tcproutes/status
+    - tlsroutes/status
+    - udproutes/status
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["inference.networking.k8s.io"]
+    resources: ["inferencepools/status"]
+    verbs: ["update", "patch"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: ["autoscaling"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "horizontalpodautoscalers" ]
+  - apiGroups: ["policy"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "poddisruptionbudgets" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..0ca21b9576
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,43 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 0000000000..45943d3839
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,20 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap-values.yaml
new file mode 100644
index 0000000000..dcd1e3530c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap-values.yaml
@@ -0,0 +1,21 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect.
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+  original-values: |-
+{{ .Values._original | toPrettyJson | indent 4 }}
+{{- $_ := unset $.Values "_original" }}
+  merged-values: |-
+{{ .Values | toPrettyJson | indent 4 }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap.yaml
new file mode 100644
index 0000000000..a24ff9ee24
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,113 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      {{- if not (eq .Values.global.proxy.tracer "none") }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }}
+      #  only primary `istiod` to xds and local `istiod` injection installs.
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/deployment.yaml
new file mode 100644
index 0000000000..da975afd5c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,317 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 4 }}
+  {{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+        istio.io/dataplane-mode: none
+        app.kubernetes.io/name: "istiod"
+        {{- include "istio.labels" . | nindent 8 }}
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      tolerations:
+        - key: cni.istio.io/not-ready
+          operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.image }}
+          image: "{{ .Values.image }}"
+{{- else }}
+          image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+          - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+          {{- with .Values.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+            name: http-debug
+          - containerPort: 15010
+            protocol: TCP
+            name: grpc-xds
+          - containerPort: 15012
+            protocol: TCP
+            name: tls-xds
+          - containerPort: 15017
+            protocol: TCP
+            name: https-webhooks
+          - containerPort: 15014
+            protocol: TCP
+            name: http-monitoring
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          # If you explicitly told us where ztunnel lives, use that.
+          # Otherwise, assume it lives in our namespace
+          # Also, check for an explicit ENV override (legacy approach) and prefer that
+          # if present
+          {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+          {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }}
+          {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+          - name: CA_TRUSTED_NODE_ACCOUNTS
+            value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}"
+          {{- end }}
+          {{- if .Values.env }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.envVarFrom }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- if .Values.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.traceSampling }}"
+{{- end }}
+{{- if .Values.taint.enabled }}
+          - name: PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS
+            value: "true"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+          - name: EXTERNAL_ISTIOD
+            value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+{{- if .Values.global.trustBundleName }}
+          - name: PILOT_CA_CERT_CONFIGMAP
+            value: "{{ .Values.global.trustBundleName }}"
+{{- end }}
+{{- if .Values.crlConfigMapName }}
+          - name: PILOT_CRL_CONFIGMAP
+            value: "{{ .Values.crlConfigMapName }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+                divisor: "1"
+          - name: PLATFORM
+            value: "{{ coalesce .Values.global.platform .Values.platform }}"
+          resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+  {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+              optional: true
+  {{- else }}
+        configMap:
+          name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }}
+          defaultMode: 420
+          optional: true
+  {{- end }}
+  {{- if .Values.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/gateway-class-configmap.yaml
new file mode 100644
index 0000000000..9f7cdb01da
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/gateway-class-configmap.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{ range $key, $value := .Values.gatewayClasses }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-{{ $.Values.revision | default "default"  }}-gatewayclass-{{$key}}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    gateway.istio.io/defaults-for-class: {{$key|quote}}
+    {{- include "istio.labels" $ | nindent 4 }}
+data:
+{{ range $kind, $overlay := $value }}
+  {{$kind}}: |
+{{$overlay|toYaml|trim|indent 4}}
+{{ end }}
+---
+{{ end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 0000000000..73288ab974
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,87 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" "env" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "agentgateway") }}
+      agentgateway: |
+{{ .Files.Get "files/agentgateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000000..26a6c8f00d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,167 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+    {{- if .caBundle }}
+    caBundle: "{{ .caBundle }}"
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..e844d5e5de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/networkpolicy.yaml
@@ -0,0 +1,47 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Webhook from kube-apiserver
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15017
+  # xDS from potentially anywhere
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15010
+    - protocol: TCP
+      port: 15011
+    - protocol: TCP
+      port: 15012
+    - protocol: TCP
+      port: 8080
+    - protocol: TCP
+      port: 15014
+  # Allow all egress (needed because features like JWKS require connections to user-defined endpoints)
+  egress:
+  - {}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..0ac37d1cdf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,41 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+# a workaround for https://github.com/kubernetes/kubernetes/issues/93476
+{{- if or (and .Values.autoscaleEnabled  (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- else if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.pdb.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000000..af795f1f5a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,65 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+      - "telemetry.istio.io"
+      - "extensions.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000000..624f00dce6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+# Created if cluster resources are not omitted
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istio-reader"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/remote-istiod-endpointslices.yaml
new file mode 100644
index 0000000000..e2f4ff03b6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/remote-istiod-endpointslices.yaml
@@ -0,0 +1,42 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # This file is only used for remote `istiod` installs.
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+    # only primary `istiod` to xds and local `istiod` injection installs.
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+    {{- else }}
+    kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+    {{- end }}
+    {{- if .Release.Service }}
+    endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    {{- end }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+addressType: IPv4
+endpoints:
+- addresses:
+  - {{ .Values.global.remotePilotAddress }}
+ports:
+- port: 15012
+  name: tcp-istiod
+  protocol: TCP
+- port: 15017
+  name: tcp-webhook
+  protocol: TCP
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 0000000000..ab14497bac
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,43 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# This file is only used for remote
+{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }}
+  # only primary `istiod` to xds and local `istiod` injection installs.
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{ include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/role.yaml
new file mode 100644
index 0000000000..8abe608b66
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/role.yaml
@@ -0,0 +1,37 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 0000000000..731964f04d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/service.yaml
new file mode 100644
index 0000000000..c3aade8a49
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/service.yaml
@@ -0,0 +1,59 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Not created if istiod is running remotely
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.trafficDistribution }}
+  trafficDistribution: {{ .Values.trafficDistribution }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ee40eedf81
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,26 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+  {{- if .Values.serviceAccountAnnotations }}
+  annotations:
+{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..838d9fbaf7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,65 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  labels:
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+      apiVersions: ["*"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["*"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000000..6903b29b50
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,70 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/zzy_descope_legacy.yaml
new file mode 100644
index 0000000000..73202418ca
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/zzy_descope_legacy.yaml
@@ -0,0 +1,3 @@
+{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix.
+Due to the file naming, this always happens after zzz_profile.yaml */}}
+{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/values.yaml
new file mode 100644
index 0000000000..f578cd9049
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/istiod/values.yaml
@@ -0,0 +1,584 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    # When enabled, this automatically sets PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS environment variable to true in the istiod deployment.
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-testing
+    # Default tag for Istio images.
+    tag: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/Chart.yaml
new file mode 100644
index 0000000000..f212e3bbc7
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+description: Helm chart for istio revision tags
+name: revisiontags
+sources:
+- https://github.com/istio-ecosystem/sail-operator
+version: 0.1.0
+
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..842aaf17de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,22 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+     # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25
+    reconcileIptablesOnStartup: false
+
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..f30e143133
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,18 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..b842b0914c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.28.yaml
new file mode 100644
index 0000000000..3d378691a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-compatibility-version-1.28.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/revision-tags-mwc.yaml
new file mode 100644
index 0000000000..556bb2f1e9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/revision-tags-mwc.yaml
@@ -0,0 +1,154 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- $whv := dict
+"revision" .Values.revision
+  "injectionPath" .Values.istiodRemote.injectionPath
+  "injectionURL" .Values.istiodRemote.injectionURL
+  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+  "caBundle" .Values.istiodRemote.injectionCABundle
+  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1"]
+{{- end }}
+
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }}
+{{- if not .Values.global.operatorManageWebhooks }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+  annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/revision-tags-svc.yaml
new file mode 100644
index 0000000000..5c4826d23e
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/revision-tags-svc.yaml
@@ -0,0 +1,57 @@
+{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }}
+# Adapted from istio-discovery/templates/service.yaml
+{{- range $tagName := .Values.revisionTags }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod-revision-tag-{{ $tagName }}
+  namespace: {{ $.Release.Namespace }}
+  {{- if $.Values.serviceAnnotations }}
+  annotations:
+{{ toYaml $.Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    istio.io/tag: {{ $tagName }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ $.Release.Name }}
+    app.kubernetes.io/name: "istiod"
+    {{- include "istio.labels" $ | nindent 4 }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne $.Values.revision "" }}
+    istio.io/rev: {{ $.Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if $.Values.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }}
+  {{- end }}
+  {{- if $.Values.ipFamilies }}
+  ipFamilies:
+  {{- range $.Values.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..3d84956485
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/values.yaml
new file mode 100644
index 0000000000..f578cd9049
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/revisiontags/values.yaml
@@ -0,0 +1,584 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  envVarFrom: []
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    # When enabled, this automatically sets PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS environment variable to true in the istiod deployment.
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  # Annotations to apply to the istiod deployment.
+  deploymentAnnotations: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+  # Set this if you install ztunnel with a name different from the default.
+  trustedZtunnelName: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+
+    # If `true`, indicates that this cluster/install should consume a "local istiod" installation,
+    # local istiod inject sidecars
+    enabledLocalInjectorIstiod: false
+
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: gcr.io/istio-testing
+    # Default tag for Istio images.
+    tag: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # In order to use native nftable rules instead of iptable rules, set this flag to true.
+    nativeNftables: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+    omitSidecarInjectorConfigMap: false
+
+    # resourceScope controls what resources will be processed by helm.
+    # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+    # It can be one of:
+    # - all: all resources are processed
+    # - cluster: only cluster-scoped resources are processed
+    # - namespace: only namespace-scoped resources are processed
+    resourceScope: all
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      seccompProfile: {}
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+
+  # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass.
+  # For example:
+  # gatewayClasses:
+  #   istio:
+  #     service:
+  #       spec:
+  #         type: ClusterIP
+  # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field.
+  gatewayClasses: {}
+
+  pdb:
+    # -- Minimum available pods set in PodDisruptionBudget.
+    # Define either 'minAvailable' or 'maxUnavailable', never both.
+    minAvailable: 1
+    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
+    # maxUnavailable: 1
+    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
+    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
+    unhealthyPodEvictionPolicy: ""
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/Chart.yaml
new file mode 100644
index 0000000000..0b786478e6
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/README.md
new file mode 100644
index 0000000000..72ea6892e5
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view supported configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 0000000000..495fbcd434
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+  serviceScopeConfigs:
+    - servicesSelector:
+        matchExpressions:
+          - key: istio.io/global
+            operator: In
+            values: ["true"]
+      scope: GLOBAL
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
new file mode 100644
index 0000000000..842aaf17de
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.25.yaml
@@ -0,0 +1,22 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+     # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25
+    reconcileIptablesOnStartup: false
+
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
new file mode 100644
index 0000000000..f30e143133
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.26.yaml
@@ -0,0 +1,18 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.27 behavioral changes
+    ENABLE_NATIVE_SIDECARS: "false"
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
new file mode 100644
index 0000000000..b842b0914c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.27.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.28 behavioral changes
+    DISABLE_SHADOW_HOST_SUFFIX: "false"
+    PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false"
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.28.yaml
new file mode 100644
index 0000000000..3d378691a2
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-compatibility-version-1.28.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.29 behavioral changes
+    DISABLE_TRACK_REMAINING_CB_METRICS: "false"
+
+cni:
+  ambient:
+    # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28
+    reconcileIptablesOnStartup: false
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 0000000000..d6dc36dd0f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-gke.yaml
new file mode 100644
index 0000000000..dfe8a7d741
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-gke.yaml
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 0000000000..cd86d9ec58
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 0000000000..07820106d9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 0000000000..57d7f5e3cd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 0000000000..fa9992e204
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 0000000000..8ddc5e1654
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 0000000000..181d7bda2c
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 0000000000..d17b9a801a
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 0000000000..358282e69b
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 0000000000..244f59db06
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 0000000000..46a7a0b79d
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 0000000000..cb5451a799
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,236 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        istio.io/dataplane-mode: none
+        app: ztunnel
+        app.kubernetes.io/name: ztunnel
+        {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+        istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+      serviceAccountName: {{ include "ztunnel.release-name" . }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | trim | indent 8 }}
+{{- end }}
+{{- if .Values.dnsPolicy }}
+      dnsPolicy: {{ .Values.dnsPolicy }}
+{{- end }}
+{{- if .Values.dnsConfig }}
+      dnsConfig:
+{{ toYaml .Values.dnsConfig | trim | indent 8 }}
+{{- end }}
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+          # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+          # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+          allowPrivilegeEscalation: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+        {{- if .Values.xdsAddress }}
+          value: {{ .Values.xdsAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        {{- if .Values.logAsJson }}
+        - name: LOG_FORMAT
+          value: json
+        {{- end}}
+        {{- if .Values.network }}
+        - name: NETWORK
+          value: {{ .Values.network | quote }}
+        {{- end }}
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: RUST_BACKTRACE
+          value: "1"
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: TERMINATION_GRACE_PERIOD_SECONDS
+          value: "{{ .Values.terminationGracePeriodSeconds }}"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: ZTUNNEL_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+              divisor: "1"
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        {{- if .Values.peerCaCrl.enabled }}
+        - name: CRL_PATH
+          value: "/var/run/secrets/istio/crl/ca-crl.pem"
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        - mountPath: /tmp
+          name: tmp
+        {{- if .Values.peerCaCrl.enabled }}
+        - mountPath: /var/run/secrets/istio/crl
+          name: crl-volume
+          readOnly: true
+        {{- end }}
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }}
+        projected:
+          sources:
+          - clusterTrustBundle:
+              name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }}
+              path: root-cert.pem
+        {{- else }}
+        configMap:
+          name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }}
+        {{- end }}
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+      - name: tmp
+        emptyDir: {}
+      {{- if .Values.peerCaCrl.enabled }}
+      # Optional CRL volume - mounts istio-ca-crl ConfigMap if it exists
+      - name: crl-volume
+        configMap:
+          name: istio-ca-crl
+          optional: true
+      {{- end }}
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..b397c64c82
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/networkpolicy.yaml
@@ -0,0 +1,62 @@
+{{- if (.Values.global.networkPolicy).enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: ztunnel
+    app.kubernetes.io/name: ztunnel
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    operator.istio.io/component: "Ztunnel"
+    release: {{ .Release.Name }}
+    {{- include "istio.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: ztunnel
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Readiness probe
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15021
+  # Monitoring/prometheus
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15020  # Metrics
+  # Admin interface
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15000  # Admin interface
+  # HBONE traffic
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15008
+  # Outbound traffic endpoint
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15001
+  # Traffic endpoint for inbound plaintext
+  - from: []
+    ports:
+    - protocol: TCP
+      port: 15006
+  # DNS Captures
+  - from: [ ]
+    ports:
+      - protocol: TCP
+        port: 15053
+      - protocol: UDP
+        port: 15053
+  egress:
+  # Allow all egress
+  - {}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 0000000000..18291716bf
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,51 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }}
+{{- if (eq (.Values.platform | default "") "openshift") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  labels:
+    app: ztunnel
+    release: {{ include "ztunnel.release-name" . }}
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "ztunnel.release-name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/resourcequota.yaml
new file mode 100644
index 0000000000..d33c9fe137
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/resourcequota.yaml
@@ -0,0 +1,22 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+{{- if .Values.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+spec:
+  hard:
+    pods: {{ .Values.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
+{{- end }}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..e1146f3920
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: {{ include "ztunnel.release-name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ztunnel
+    {{- include "istio.labels" . | nindent 4}}
+    {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+  annotations:
+{{- if .Values.revision }}
+    {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+    {{- toYaml $annos | nindent 4}}
+{{- else }}
+    {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 0000000000..606c556697
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,75 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- if $.Values.defaults}}
+{{ fail (cat
+  "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+  ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
+{{- $profile := dict }}
+{{- with (coalesce ($.Values).profile ($.Values.global).profile) }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" .) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- with (coalesce ($.Values).platform ($.Values.global).platform) }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" .) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+#  Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)  }}
+{{- end }}
+{{- $x := set $.Values "_original" (deepCopy $.Values) }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
+
+{{/*
+Labels that should be applied to ALL resources.
+*/}}
+{{- define "istio.labels" -}}
+{{- if .Release.Service -}}
+app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+{{- end }}
+{{- if .Release.Name }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+{{- end }}
+app.kubernetes.io/part-of: "istio"
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if and .Chart.Name .Chart.Version }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end -}}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/values.yaml
new file mode 100644
index 0000000000..d0276a72ce
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/charts/ztunnel/values.yaml
@@ -0,0 +1,154 @@
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: gcr.io/istio-testing
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Same as `global.network`, but will override it if set.
+  # Network defines the network this cluster belong to. This name
+  # corresponds to the networks in the map of mesh networks.
+  network: ""
+
+  global:
+    # When enabled, default NetworkPolicy resources will be created
+    networkPolicy:
+      enabled: false
+
+  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
+  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
+  resourceName: ""
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+  
+  # Tolerations for the ztunnel pod
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 200m
+      # Ztunnel memory scales with the size of the cluster and traffic load
+      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+      memory: 512Mi
+
+  resourceQuotas:
+    enabled: false
+    pods: 5000
+
+  # Certificate Revocation List (CRL) support for plugged-in CAs.
+  # When enabled, ztunnel will check certificates against the CRL
+  peerCaCrl:
+    enabled: false
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # The customized XDS address to retrieve configuration.
+  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+  xdsAddress: ""
+
+  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # To output all logs in json format
+  logAsJson: false
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
+  
+  # resourceScope controls what resources will be processed by helm.
+  # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
+  # It can be one of:
+  # - all: all resources are processed
+  # - cluster: only cluster-scoped resources are processed
+  # - namespace: only namespace-scoped resources are processed
+  resourceScope: all
+
+  # K8s DaemonSet update strategy.
+  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+
+  # DNS policy for the ztunnel pod
+  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+  dnsPolicy: ""
+
+  # DNS config for the ztunnel pod
+  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
+  dnsConfig: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/cni-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/cni-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
new file mode 100644
index 0000000000..ef735eef6f
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/cni-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
@@ -0,0 +1 @@
+fa80969295cb1a10437a7e95e84c2502
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/commit
new file mode 100644
index 0000000000..3dc22795dd
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/commit
@@ -0,0 +1 @@
+a30ad73344d771ce45cba8a1d17b6bb2c209119d
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/gateway-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/gateway-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
new file mode 100644
index 0000000000..91f9f8b2f3
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/gateway-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
@@ -0,0 +1 @@
+f0bef15cfa2aeb23cbc1b388c39fa225
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/istiod-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/istiod-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
new file mode 100644
index 0000000000..1ea84ce7e8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/istiod-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
@@ -0,0 +1 @@
+ce979b022d392a5a04ddf431ebe85ceb
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/ambient.yaml
new file mode 100644
index 0000000000..71ea784a80
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/default.yaml
new file mode 100644
index 0000000000..8f1ef19676
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/default.yaml
@@ -0,0 +1,12 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  # Most default values come from the helm chart's values.yaml
+  # Below are the things that differ
+  values:
+    defaultRevision: ""
+    global:
+      istioNamespace: istio-system
+      configValidation: true
+    ztunnel:
+      resourceName: ztunnel
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/demo.yaml
new file mode 100644
index 0000000000..53c4b41633
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: demo
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/empty.yaml
new file mode 100644
index 0000000000..4477cb1fe1
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec: {}
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/openshift-ambient.yaml
new file mode 100644
index 0000000000..76edf00cd8
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: ambient
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/openshift.yaml
new file mode 100644
index 0000000000..41492660fe
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    global:
+      platform: openshift
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/preview.yaml
new file mode 100644
index 0000000000..59d545c840
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: preview
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/remote.yaml
new file mode 100644
index 0000000000..54c65c8ba9
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: remote
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/stable.yaml
new file mode 100644
index 0000000000..285feba244
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1
+kind: Istio
+spec:
+  values:
+    profile: stable
diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/ztunnel-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/ztunnel-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
new file mode 100644
index 0000000000..2306532e98
--- /dev/null
+++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a30ad733/ztunnel-1.30-alpha.a30ad73344d771ce45cba8a1d17b6bb2c209119d.tgz.etag
@@ -0,0 +1 @@
+8b4680d0cd74b577b9d57cf815811b25
diff --git a/vendor/github.com/jmoiron/sqlx/.gitignore b/vendor/github.com/jmoiron/sqlx/.gitignore
new file mode 100644
index 0000000000..b2be23c87f
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/.gitignore
@@ -0,0 +1,25 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+.idea
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+tags
+environ
diff --git a/vendor/github.com/jmoiron/sqlx/LICENSE b/vendor/github.com/jmoiron/sqlx/LICENSE
new file mode 100644
index 0000000000..0d31edfa73
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/LICENSE
@@ -0,0 +1,23 @@
+ Copyright (c) 2013, Jason Moiron
+
+ Permission is hereby granted, free of charge, to any person
+ obtaining a copy of this software and associated documentation
+ files (the "Software"), to deal in the Software without
+ restriction, including without limitation the rights to use,
+ copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following
+ conditions:
+
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ OTHER DEALINGS IN THE SOFTWARE.
+
diff --git a/vendor/github.com/jmoiron/sqlx/Makefile b/vendor/github.com/jmoiron/sqlx/Makefile
new file mode 100644
index 0000000000..448b9ddd9c
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/Makefile
@@ -0,0 +1,30 @@
+.ONESHELL:
+SHELL = /bin/sh
+.SHELLFLAGS = -ec
+
+BASE_PACKAGE := github.com/jmoiron/sqlx
+
+tooling:
+	go install honnef.co/go/tools/cmd/staticcheck@v0.4.7
+	go install golang.org/x/vuln/cmd/govulncheck@v1.0.4
+	go install golang.org/x/tools/cmd/goimports@v0.20.0
+
+has-changes:
+	git diff --exit-code --quiet HEAD --
+
+lint:
+	go vet ./...
+	staticcheck -checks=all ./...
+
+fmt:
+	go list -f '{{.Dir}}' ./... | xargs -I {} goimports -local $(BASE_PACKAGE) -w {}
+
+vuln-check:
+	govulncheck ./...
+
+test-race:
+	go test -v -race -count=1 ./...
+
+update-dependencies:
+	go get -u -t -v ./...
+	go mod tidy
diff --git a/vendor/github.com/jmoiron/sqlx/README.md b/vendor/github.com/jmoiron/sqlx/README.md
new file mode 100644
index 0000000000..5bfd231a11
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/README.md
@@ -0,0 +1,213 @@
+# sqlx
+
+[![CircleCI](https://dl.circleci.com/status-badge/img/gh/jmoiron/sqlx/tree/master.svg?style=shield)](https://dl.circleci.com/status-badge/redirect/gh/jmoiron/sqlx/tree/master) [![Coverage Status](https://coveralls.io/repos/github/jmoiron/sqlx/badge.svg?branch=master)](https://coveralls.io/github/jmoiron/sqlx?branch=master) [![Godoc](http://img.shields.io/badge/godoc-reference-blue.svg?style=flat)](https://godoc.org/github.com/jmoiron/sqlx) [![license](http://img.shields.io/badge/license-MIT-red.svg?style=flat)](https://raw.githubusercontent.com/jmoiron/sqlx/master/LICENSE)
+
+sqlx is a library which provides a set of extensions on go's standard
+`database/sql` library.  The sqlx versions of `sql.DB`, `sql.TX`, `sql.Stmt`,
+et al. all leave the underlying interfaces untouched, so that their interfaces
+are a superset on the standard ones.  This makes it relatively painless to
+integrate existing codebases using database/sql with sqlx.
+
+Major additional concepts are:
+
+* Marshal rows into structs (with embedded struct support), maps, and slices
+* Named parameter support including prepared statements
+* `Get` and `Select` to go quickly from query to struct/slice
+
+In addition to the [godoc API documentation](http://godoc.org/github.com/jmoiron/sqlx),
+there is also some [user documentation](http://jmoiron.github.io/sqlx/) that
+explains how to use `database/sql` along with sqlx.
+
+## Recent Changes
+
+1.3.0:
+
+* `sqlx.DB.Connx(context.Context) *sqlx.Conn`
+* `sqlx.BindDriver(driverName, bindType)`
+* support for `[]map[string]interface{}` to do "batch" insertions
+* allocation & perf improvements for `sqlx.In`
+
+DB.Connx returns an `sqlx.Conn`, which is an `sql.Conn`-alike consistent with
+sqlx's wrapping of other types.
+
+`BindDriver` allows users to control the bindvars that sqlx will use for drivers,
+and add new drivers at runtime.  This results in a very slight performance hit
+when resolving the driver into a bind type (~40ns per call), but it allows users
+to specify what bindtype their driver uses even when sqlx has not been updated
+to know about it by default.
+
+### Backwards Compatibility
+
+Compatibility with the most recent two versions of Go is a requirement for any
+new changes.  Compatibility beyond that is not guaranteed.
+
+Versioning is done with Go modules.  Breaking changes (eg. removing deprecated API)
+will get major version number bumps.
+
+## install
+
+    go get github.com/jmoiron/sqlx
+
+## issues
+
+Row headers can be ambiguous (`SELECT 1 AS a, 2 AS a`), and the result of
+`Columns()` does not fully qualify column names in queries like:
+
+```sql
+SELECT a.id, a.name, b.id, b.name FROM foos AS a JOIN foos AS b ON a.parent = b.id;
+```
+
+making a struct or map destination ambiguous.  Use `AS` in your queries
+to give columns distinct names, `rows.Scan` to scan them manually, or 
+`SliceScan` to get a slice of results.
+
+## usage
+
+Below is an example which shows some common use cases for sqlx.  Check 
+[sqlx_test.go](https://github.com/jmoiron/sqlx/blob/master/sqlx_test.go) for more
+usage.
+
+
+```go
+package main
+
+import (
+    "database/sql"
+    "fmt"
+    "log"
+    
+    _ "github.com/lib/pq"
+    "github.com/jmoiron/sqlx"
+)
+
+var schema = `
+CREATE TABLE person (
+    first_name text,
+    last_name text,
+    email text
+);
+
+CREATE TABLE place (
+    country text,
+    city text NULL,
+    telcode integer
+)`
+
+type Person struct {
+    FirstName string `db:"first_name"`
+    LastName  string `db:"last_name"`
+    Email     string
+}
+
+type Place struct {
+    Country string
+    City    sql.NullString
+    TelCode int
+}
+
+func main() {
+    // this Pings the database trying to connect
+    // use sqlx.Open() for sql.Open() semantics
+    db, err := sqlx.Connect("postgres", "user=foo dbname=bar sslmode=disable")
+    if err != nil {
+        log.Fatalln(err)
+    }
+
+    // exec the schema or fail; multi-statement Exec behavior varies between
+    // database drivers;  pq will exec them all, sqlite3 won't, ymmv
+    db.MustExec(schema)
+    
+    tx := db.MustBegin()
+    tx.MustExec("INSERT INTO person (first_name, last_name, email) VALUES ($1, $2, $3)", "Jason", "Moiron", "jmoiron@jmoiron.net")
+    tx.MustExec("INSERT INTO person (first_name, last_name, email) VALUES ($1, $2, $3)", "John", "Doe", "johndoeDNE@gmail.net")
+    tx.MustExec("INSERT INTO place (country, city, telcode) VALUES ($1, $2, $3)", "United States", "New York", "1")
+    tx.MustExec("INSERT INTO place (country, telcode) VALUES ($1, $2)", "Hong Kong", "852")
+    tx.MustExec("INSERT INTO place (country, telcode) VALUES ($1, $2)", "Singapore", "65")
+    // Named queries can use structs, so if you have an existing struct (i.e. person := &Person{}) that you have populated, you can pass it in as &person
+    tx.NamedExec("INSERT INTO person (first_name, last_name, email) VALUES (:first_name, :last_name, :email)", &Person{"Jane", "Citizen", "jane.citzen@example.com"})
+    tx.Commit()
+
+    // Query the database, storing results in a []Person (wrapped in []interface{})
+    people := []Person{}
+    db.Select(&people, "SELECT * FROM person ORDER BY first_name ASC")
+    jason, john := people[0], people[1]
+
+    fmt.Printf("%#v\n%#v", jason, john)
+    // Person{FirstName:"Jason", LastName:"Moiron", Email:"jmoiron@jmoiron.net"}
+    // Person{FirstName:"John", LastName:"Doe", Email:"johndoeDNE@gmail.net"}
+
+    // You can also get a single result, a la QueryRow
+    jason = Person{}
+    err = db.Get(&jason, "SELECT * FROM person WHERE first_name=$1", "Jason")
+    fmt.Printf("%#v\n", jason)
+    // Person{FirstName:"Jason", LastName:"Moiron", Email:"jmoiron@jmoiron.net"}
+
+    // if you have null fields and use SELECT *, you must use sql.Null* in your struct
+    places := []Place{}
+    err = db.Select(&places, "SELECT * FROM place ORDER BY telcode ASC")
+    if err != nil {
+        fmt.Println(err)
+        return
+    }
+    usa, singsing, honkers := places[0], places[1], places[2]
+    
+    fmt.Printf("%#v\n%#v\n%#v\n", usa, singsing, honkers)
+    // Place{Country:"United States", City:sql.NullString{String:"New York", Valid:true}, TelCode:1}
+    // Place{Country:"Singapore", City:sql.NullString{String:"", Valid:false}, TelCode:65}
+    // Place{Country:"Hong Kong", City:sql.NullString{String:"", Valid:false}, TelCode:852}
+
+    // Loop through rows using only one struct
+    place := Place{}
+    rows, err := db.Queryx("SELECT * FROM place")
+    for rows.Next() {
+        err := rows.StructScan(&place)
+        if err != nil {
+            log.Fatalln(err)
+        } 
+        fmt.Printf("%#v\n", place)
+    }
+    // Place{Country:"United States", City:sql.NullString{String:"New York", Valid:true}, TelCode:1}
+    // Place{Country:"Hong Kong", City:sql.NullString{String:"", Valid:false}, TelCode:852}
+    // Place{Country:"Singapore", City:sql.NullString{String:"", Valid:false}, TelCode:65}
+
+    // Named queries, using `:name` as the bindvar.  Automatic bindvar support
+    // which takes into account the dbtype based on the driverName on sqlx.Open/Connect
+    _, err = db.NamedExec(`INSERT INTO person (first_name,last_name,email) VALUES (:first,:last,:email)`, 
+        map[string]interface{}{
+            "first": "Bin",
+            "last": "Smuth",
+            "email": "bensmith@allblacks.nz",
+    })
+
+    // Selects Mr. Smith from the database
+    rows, err = db.NamedQuery(`SELECT * FROM person WHERE first_name=:fn`, map[string]interface{}{"fn": "Bin"})
+
+    // Named queries can also use structs.  Their bind names follow the same rules
+    // as the name -> db mapping, so struct fields are lowercased and the `db` tag
+    // is taken into consideration.
+    rows, err = db.NamedQuery(`SELECT * FROM person WHERE first_name=:first_name`, jason)
+    
+    
+    // batch insert
+    
+    // batch insert with structs
+    personStructs := []Person{
+        {FirstName: "Ardie", LastName: "Savea", Email: "asavea@ab.co.nz"},
+        {FirstName: "Sonny Bill", LastName: "Williams", Email: "sbw@ab.co.nz"},
+        {FirstName: "Ngani", LastName: "Laumape", Email: "nlaumape@ab.co.nz"},
+    }
+
+    _, err = db.NamedExec(`INSERT INTO person (first_name, last_name, email)
+        VALUES (:first_name, :last_name, :email)`, personStructs)
+
+    // batch insert with maps
+    personMaps := []map[string]interface{}{
+        {"first_name": "Ardie", "last_name": "Savea", "email": "asavea@ab.co.nz"},
+        {"first_name": "Sonny Bill", "last_name": "Williams", "email": "sbw@ab.co.nz"},
+        {"first_name": "Ngani", "last_name": "Laumape", "email": "nlaumape@ab.co.nz"},
+    }
+
+    _, err = db.NamedExec(`INSERT INTO person (first_name, last_name, email)
+        VALUES (:first_name, :last_name, :email)`, personMaps)
+}
+```
diff --git a/vendor/github.com/jmoiron/sqlx/bind.go b/vendor/github.com/jmoiron/sqlx/bind.go
new file mode 100644
index 0000000000..ec0da4e72e
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/bind.go
@@ -0,0 +1,265 @@
+package sqlx
+
+import (
+	"bytes"
+	"database/sql/driver"
+	"errors"
+	"reflect"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/jmoiron/sqlx/reflectx"
+)
+
+// Bindvar types supported by Rebind, BindMap and BindStruct.
+const (
+	UNKNOWN = iota
+	QUESTION
+	DOLLAR
+	NAMED
+	AT
+)
+
+var defaultBinds = map[int][]string{
+	DOLLAR:   []string{"postgres", "pgx", "pq-timeouts", "cloudsqlpostgres", "ql", "nrpostgres", "cockroach"},
+	QUESTION: []string{"mysql", "sqlite3", "nrmysql", "nrsqlite3"},
+	NAMED:    []string{"oci8", "ora", "goracle", "godror"},
+	AT:       []string{"sqlserver"},
+}
+
+var binds sync.Map
+
+func init() {
+	for bind, drivers := range defaultBinds {
+		for _, driver := range drivers {
+			BindDriver(driver, bind)
+		}
+	}
+
+}
+
+// BindType returns the bindtype for a given database given a drivername.
+func BindType(driverName string) int {
+	itype, ok := binds.Load(driverName)
+	if !ok {
+		return UNKNOWN
+	}
+	return itype.(int)
+}
+
+// BindDriver sets the BindType for driverName to bindType.
+func BindDriver(driverName string, bindType int) {
+	binds.Store(driverName, bindType)
+}
+
+// FIXME: this should be able to be tolerant of escaped ?'s in queries without
+// losing much speed, and should be to avoid confusion.
+
+// Rebind a query from the default bindtype (QUESTION) to the target bindtype.
+func Rebind(bindType int, query string) string {
+	switch bindType {
+	case QUESTION, UNKNOWN:
+		return query
+	}
+
+	// Add space enough for 10 params before we have to allocate
+	rqb := make([]byte, 0, len(query)+10)
+
+	var i, j int
+
+	for i = strings.Index(query, "?"); i != -1; i = strings.Index(query, "?") {
+		rqb = append(rqb, query[:i]...)
+
+		switch bindType {
+		case DOLLAR:
+			rqb = append(rqb, '$')
+		case NAMED:
+			rqb = append(rqb, ':', 'a', 'r', 'g')
+		case AT:
+			rqb = append(rqb, '@', 'p')
+		}
+
+		j++
+		rqb = strconv.AppendInt(rqb, int64(j), 10)
+
+		query = query[i+1:]
+	}
+
+	return string(append(rqb, query...))
+}
+
+// Experimental implementation of Rebind which uses a bytes.Buffer.  The code is
+// much simpler and should be more resistant to odd unicode, but it is twice as
+// slow.  Kept here for benchmarking purposes and to possibly replace Rebind if
+// problems arise with its somewhat naive handling of unicode.
+func rebindBuff(bindType int, query string) string {
+	if bindType != DOLLAR {
+		return query
+	}
+
+	b := make([]byte, 0, len(query))
+	rqb := bytes.NewBuffer(b)
+	j := 1
+	for _, r := range query {
+		if r == '?' {
+			rqb.WriteRune('$')
+			rqb.WriteString(strconv.Itoa(j))
+			j++
+		} else {
+			rqb.WriteRune(r)
+		}
+	}
+
+	return rqb.String()
+}
+
+func asSliceForIn(i interface{}) (v reflect.Value, ok bool) {
+	if i == nil {
+		return reflect.Value{}, false
+	}
+
+	v = reflect.ValueOf(i)
+	t := reflectx.Deref(v.Type())
+
+	// Only expand slices
+	if t.Kind() != reflect.Slice {
+		return reflect.Value{}, false
+	}
+
+	// []byte is a driver.Value type so it should not be expanded
+	if t == reflect.TypeOf([]byte{}) {
+		return reflect.Value{}, false
+
+	}
+
+	return v, true
+}
+
+// In expands slice values in args, returning the modified query string
+// and a new arg list that can be executed by a database. The `query` should
+// use the `?` bindVar.  The return value uses the `?` bindVar.
+func In(query string, args ...interface{}) (string, []interface{}, error) {
+	// argMeta stores reflect.Value and length for slices and
+	// the value itself for non-slice arguments
+	type argMeta struct {
+		v      reflect.Value
+		i      interface{}
+		length int
+	}
+
+	var flatArgsCount int
+	var anySlices bool
+
+	var stackMeta [32]argMeta
+
+	var meta []argMeta
+	if len(args) <= len(stackMeta) {
+		meta = stackMeta[:len(args)]
+	} else {
+		meta = make([]argMeta, len(args))
+	}
+
+	for i, arg := range args {
+		if a, ok := arg.(driver.Valuer); ok {
+			var err error
+			arg, err = a.Value()
+			if err != nil {
+				return "", nil, err
+			}
+		}
+
+		if v, ok := asSliceForIn(arg); ok {
+			meta[i].length = v.Len()
+			meta[i].v = v
+
+			anySlices = true
+			flatArgsCount += meta[i].length
+
+			if meta[i].length == 0 {
+				return "", nil, errors.New("empty slice passed to 'in' query")
+			}
+		} else {
+			meta[i].i = arg
+			flatArgsCount++
+		}
+	}
+
+	// don't do any parsing if there aren't any slices;  note that this means
+	// some errors that we might have caught below will not be returned.
+	if !anySlices {
+		return query, args, nil
+	}
+
+	newArgs := make([]interface{}, 0, flatArgsCount)
+
+	var buf strings.Builder
+	buf.Grow(len(query) + len(", ?")*flatArgsCount)
+
+	var arg, offset int
+
+	for i := strings.IndexByte(query[offset:], '?'); i != -1; i = strings.IndexByte(query[offset:], '?') {
+		if arg >= len(meta) {
+			// if an argument wasn't passed, lets return an error;  this is
+			// not actually how database/sql Exec/Query works, but since we are
+			// creating an argument list programmatically, we want to be able
+			// to catch these programmer errors earlier.
+			return "", nil, errors.New("number of bindVars exceeds arguments")
+		}
+
+		argMeta := meta[arg]
+		arg++
+
+		// not a slice, continue.
+		// our questionmark will either be written before the next expansion
+		// of a slice or after the loop when writing the rest of the query
+		if argMeta.length == 0 {
+			offset = offset + i + 1
+			newArgs = append(newArgs, argMeta.i)
+			continue
+		}
+
+		// write everything up to and including our ? character
+		buf.WriteString(query[:offset+i+1])
+
+		for si := 1; si < argMeta.length; si++ {
+			buf.WriteString(", ?")
+		}
+
+		newArgs = appendReflectSlice(newArgs, argMeta.v, argMeta.length)
+
+		// slice the query and reset the offset. this avoids some bookkeeping for
+		// the write after the loop
+		query = query[offset+i+1:]
+		offset = 0
+	}
+
+	buf.WriteString(query)
+
+	if arg < len(meta) {
+		return "", nil, errors.New("number of bindVars less than number arguments")
+	}
+
+	return buf.String(), newArgs, nil
+}
+
+func appendReflectSlice(args []interface{}, v reflect.Value, vlen int) []interface{} {
+	switch val := v.Interface().(type) {
+	case []interface{}:
+		args = append(args, val...)
+	case []int:
+		for i := range val {
+			args = append(args, val[i])
+		}
+	case []string:
+		for i := range val {
+			args = append(args, val[i])
+		}
+	default:
+		for si := 0; si < vlen; si++ {
+			args = append(args, v.Index(si).Interface())
+		}
+	}
+
+	return args
+}
diff --git a/vendor/github.com/jmoiron/sqlx/doc.go b/vendor/github.com/jmoiron/sqlx/doc.go
new file mode 100644
index 0000000000..b80104175d
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/doc.go
@@ -0,0 +1,11 @@
+// Package sqlx provides general purpose extensions to database/sql.
+//
+// It is intended to seamlessly wrap database/sql and provide convenience
+// methods which are useful in the development of database driven applications.
+// None of the underlying database/sql methods are changed.  Instead all extended
+// behavior is implemented through new methods defined on wrapper types.
+//
+// Additions include scanning into structs, named query support, rebinding
+// queries for different drivers, convenient shorthands for common error handling
+// and more.
+package sqlx
diff --git a/vendor/github.com/jmoiron/sqlx/named.go b/vendor/github.com/jmoiron/sqlx/named.go
new file mode 100644
index 0000000000..6ac4477713
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/named.go
@@ -0,0 +1,458 @@
+package sqlx
+
+// Named Query Support
+//
+//  * BindMap - bind query bindvars to map/struct args
+//	* NamedExec, NamedQuery - named query w/ struct or map
+//  * NamedStmt - a pre-compiled named query which is a prepared statement
+//
+// Internal Interfaces:
+//
+//  * compileNamedQuery - rebind a named query, returning a query and list of names
+//  * bindArgs, bindMapArgs, bindAnyArgs - given a list of names, return an arglist
+//
+import (
+	"bytes"
+	"database/sql"
+	"errors"
+	"fmt"
+	"reflect"
+	"regexp"
+	"strconv"
+	"unicode"
+
+	"github.com/jmoiron/sqlx/reflectx"
+)
+
+// NamedStmt is a prepared statement that executes named queries.  Prepare it
+// how you would execute a NamedQuery, but pass in a struct or map when executing.
+type NamedStmt struct {
+	Params      []string
+	QueryString string
+	Stmt        *Stmt
+}
+
+// Close closes the named statement.
+func (n *NamedStmt) Close() error {
+	return n.Stmt.Close()
+}
+
+// Exec executes a named statement using the struct passed.
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) Exec(arg interface{}) (sql.Result, error) {
+	args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper)
+	if err != nil {
+		return *new(sql.Result), err
+	}
+	return n.Stmt.Exec(args...)
+}
+
+// Query executes a named statement using the struct argument, returning rows.
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) Query(arg interface{}) (*sql.Rows, error) {
+	args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper)
+	if err != nil {
+		return nil, err
+	}
+	return n.Stmt.Query(args...)
+}
+
+// QueryRow executes a named statement against the database.  Because sqlx cannot
+// create a *sql.Row with an error condition pre-set for binding errors, sqlx
+// returns a *sqlx.Row instead.
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) QueryRow(arg interface{}) *Row {
+	args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper)
+	if err != nil {
+		return &Row{err: err}
+	}
+	return n.Stmt.QueryRowx(args...)
+}
+
+// MustExec execs a NamedStmt, panicing on error
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) MustExec(arg interface{}) sql.Result {
+	res, err := n.Exec(arg)
+	if err != nil {
+		panic(err)
+	}
+	return res
+}
+
+// Queryx using this NamedStmt
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) Queryx(arg interface{}) (*Rows, error) {
+	r, err := n.Query(arg)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, Mapper: n.Stmt.Mapper, unsafe: isUnsafe(n)}, err
+}
+
+// QueryRowx this NamedStmt.  Because of limitations with QueryRow, this is
+// an alias for QueryRow.
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) QueryRowx(arg interface{}) *Row {
+	return n.QueryRow(arg)
+}
+
+// Select using this NamedStmt
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) Select(dest interface{}, arg interface{}) error {
+	rows, err := n.Queryx(arg)
+	if err != nil {
+		return err
+	}
+	// if something happens here, we want to make sure the rows are Closed
+	defer rows.Close()
+	return scanAll(rows, dest, false)
+}
+
+// Get using this NamedStmt
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) Get(dest interface{}, arg interface{}) error {
+	r := n.QueryRowx(arg)
+	return r.scanAny(dest, false)
+}
+
+// Unsafe creates an unsafe version of the NamedStmt
+func (n *NamedStmt) Unsafe() *NamedStmt {
+	r := &NamedStmt{Params: n.Params, Stmt: n.Stmt, QueryString: n.QueryString}
+	r.Stmt.unsafe = true
+	return r
+}
+
+// A union interface of preparer and binder, required to be able to prepare
+// named statements (as the bindtype must be determined).
+type namedPreparer interface {
+	Preparer
+	binder
+}
+
+func prepareNamed(p namedPreparer, query string) (*NamedStmt, error) {
+	bindType := BindType(p.DriverName())
+	q, args, err := compileNamedQuery([]byte(query), bindType)
+	if err != nil {
+		return nil, err
+	}
+	stmt, err := Preparex(p, q)
+	if err != nil {
+		return nil, err
+	}
+	return &NamedStmt{
+		QueryString: q,
+		Params:      args,
+		Stmt:        stmt,
+	}, nil
+}
+
+// convertMapStringInterface attempts to convert v to map[string]interface{}.
+// Unlike v.(map[string]interface{}), this function works on named types that
+// are convertible to map[string]interface{} as well.
+func convertMapStringInterface(v interface{}) (map[string]interface{}, bool) {
+	var m map[string]interface{}
+	mtype := reflect.TypeOf(m)
+	t := reflect.TypeOf(v)
+	if !t.ConvertibleTo(mtype) {
+		return nil, false
+	}
+	return reflect.ValueOf(v).Convert(mtype).Interface().(map[string]interface{}), true
+
+}
+
+func bindAnyArgs(names []string, arg interface{}, m *reflectx.Mapper) ([]interface{}, error) {
+	if maparg, ok := convertMapStringInterface(arg); ok {
+		return bindMapArgs(names, maparg)
+	}
+	return bindArgs(names, arg, m)
+}
+
+// private interface to generate a list of interfaces from a given struct
+// type, given a list of names to pull out of the struct.  Used by public
+// BindStruct interface.
+func bindArgs(names []string, arg interface{}, m *reflectx.Mapper) ([]interface{}, error) {
+	arglist := make([]interface{}, 0, len(names))
+
+	// grab the indirected value of arg
+	var v reflect.Value
+	for v = reflect.ValueOf(arg); v.Kind() == reflect.Ptr; {
+		v = v.Elem()
+	}
+
+	err := m.TraversalsByNameFunc(v.Type(), names, func(i int, t []int) error {
+		if len(t) == 0 {
+			return fmt.Errorf("could not find name %s in %#v", names[i], arg)
+		}
+
+		val := reflectx.FieldByIndexesReadOnly(v, t)
+		arglist = append(arglist, val.Interface())
+
+		return nil
+	})
+
+	return arglist, err
+}
+
+// like bindArgs, but for maps.
+func bindMapArgs(names []string, arg map[string]interface{}) ([]interface{}, error) {
+	arglist := make([]interface{}, 0, len(names))
+
+	for _, name := range names {
+		val, ok := arg[name]
+		if !ok {
+			return arglist, fmt.Errorf("could not find name %s in %#v", name, arg)
+		}
+		arglist = append(arglist, val)
+	}
+	return arglist, nil
+}
+
+// bindStruct binds a named parameter query with fields from a struct argument.
+// The rules for binding field names to parameter names follow the same
+// conventions as for StructScan, including obeying the `db` struct tags.
+func bindStruct(bindType int, query string, arg interface{}, m *reflectx.Mapper) (string, []interface{}, error) {
+	bound, names, err := compileNamedQuery([]byte(query), bindType)
+	if err != nil {
+		return "", []interface{}{}, err
+	}
+
+	arglist, err := bindAnyArgs(names, arg, m)
+	if err != nil {
+		return "", []interface{}{}, err
+	}
+
+	return bound, arglist, nil
+}
+
+var valuesReg = regexp.MustCompile(`\)\s*(?i)VALUES\s*\(`)
+
+func findMatchingClosingBracketIndex(s string) int {
+	count := 0
+	for i, ch := range s {
+		if ch == '(' {
+			count++
+		}
+		if ch == ')' {
+			count--
+			if count == 0 {
+				return i
+			}
+		}
+	}
+	return 0
+}
+
+func fixBound(bound string, loop int) string {
+	loc := valuesReg.FindStringIndex(bound)
+	// defensive guard when "VALUES (...)" not found
+	if len(loc) < 2 {
+		return bound
+	}
+
+	openingBracketIndex := loc[1] - 1
+	index := findMatchingClosingBracketIndex(bound[openingBracketIndex:])
+	// defensive guard. must have closing bracket
+	if index == 0 {
+		return bound
+	}
+	closingBracketIndex := openingBracketIndex + index + 1
+
+	var buffer bytes.Buffer
+
+	buffer.WriteString(bound[0:closingBracketIndex])
+	for i := 0; i < loop-1; i++ {
+		buffer.WriteString(",")
+		buffer.WriteString(bound[openingBracketIndex:closingBracketIndex])
+	}
+	buffer.WriteString(bound[closingBracketIndex:])
+	return buffer.String()
+}
+
+// bindArray binds a named parameter query with fields from an array or slice of
+// structs argument.
+func bindArray(bindType int, query string, arg interface{}, m *reflectx.Mapper) (string, []interface{}, error) {
+	// do the initial binding with QUESTION;  if bindType is not question,
+	// we can rebind it at the end.
+	bound, names, err := compileNamedQuery([]byte(query), QUESTION)
+	if err != nil {
+		return "", []interface{}{}, err
+	}
+	arrayValue := reflect.ValueOf(arg)
+	arrayLen := arrayValue.Len()
+	if arrayLen == 0 {
+		return "", []interface{}{}, fmt.Errorf("length of array is 0: %#v", arg)
+	}
+	var arglist = make([]interface{}, 0, len(names)*arrayLen)
+	for i := 0; i < arrayLen; i++ {
+		elemArglist, err := bindAnyArgs(names, arrayValue.Index(i).Interface(), m)
+		if err != nil {
+			return "", []interface{}{}, err
+		}
+		arglist = append(arglist, elemArglist...)
+	}
+	if arrayLen > 1 {
+		bound = fixBound(bound, arrayLen)
+	}
+	// adjust binding type if we weren't on question
+	if bindType != QUESTION {
+		bound = Rebind(bindType, bound)
+	}
+	return bound, arglist, nil
+}
+
+// bindMap binds a named parameter query with a map of arguments.
+func bindMap(bindType int, query string, args map[string]interface{}) (string, []interface{}, error) {
+	bound, names, err := compileNamedQuery([]byte(query), bindType)
+	if err != nil {
+		return "", []interface{}{}, err
+	}
+
+	arglist, err := bindMapArgs(names, args)
+	return bound, arglist, err
+}
+
+// -- Compilation of Named Queries
+
+// Allow digits and letters in bind params;  additionally runes are
+// checked against underscores, meaning that bind params can have be
+// alphanumeric with underscores.  Mind the difference between unicode
+// digits and numbers, where '5' is a digit but '五' is not.
+var allowedBindRunes = []*unicode.RangeTable{unicode.Letter, unicode.Digit}
+
+// FIXME: this function isn't safe for unicode named params, as a failing test
+// can testify.  This is not a regression but a failure of the original code
+// as well.  It should be modified to range over runes in a string rather than
+// bytes, even though this is less convenient and slower.  Hopefully the
+// addition of the prepared NamedStmt (which will only do this once) will make
+// up for the slightly slower ad-hoc NamedExec/NamedQuery.
+
+// compile a NamedQuery into an unbound query (using the '?' bindvar) and
+// a list of names.
+func compileNamedQuery(qs []byte, bindType int) (query string, names []string, err error) {
+	names = make([]string, 0, 10)
+	rebound := make([]byte, 0, len(qs))
+
+	inName := false
+	last := len(qs) - 1
+	currentVar := 1
+	name := make([]byte, 0, 10)
+
+	for i, b := range qs {
+		// a ':' while we're in a name is an error
+		if b == ':' {
+			// if this is the second ':' in a '::' escape sequence, append a ':'
+			if inName && i > 0 && qs[i-1] == ':' {
+				rebound = append(rebound, ':')
+				inName = false
+				continue
+			} else if inName {
+				err = errors.New("unexpected `:` while reading named param at " + strconv.Itoa(i))
+				return query, names, err
+			}
+			inName = true
+			name = []byte{}
+		} else if inName && i > 0 && b == '=' && len(name) == 0 {
+			rebound = append(rebound, ':', '=')
+			inName = false
+			continue
+			// if we're in a name, and this is an allowed character, continue
+		} else if inName && (unicode.IsOneOf(allowedBindRunes, rune(b)) || b == '_' || b == '.') && i != last {
+			// append the byte to the name if we are in a name and not on the last byte
+			name = append(name, b)
+			// if we're in a name and it's not an allowed character, the name is done
+		} else if inName {
+			inName = false
+			// if this is the final byte of the string and it is part of the name, then
+			// make sure to add it to the name
+			if i == last && unicode.IsOneOf(allowedBindRunes, rune(b)) {
+				name = append(name, b)
+			}
+			// add the string representation to the names list
+			names = append(names, string(name))
+			// add a proper bindvar for the bindType
+			switch bindType {
+			// oracle only supports named type bind vars even for positional
+			case NAMED:
+				rebound = append(rebound, ':')
+				rebound = append(rebound, name...)
+			case QUESTION, UNKNOWN:
+				rebound = append(rebound, '?')
+			case DOLLAR:
+				rebound = append(rebound, '$')
+				for _, b := range strconv.Itoa(currentVar) {
+					rebound = append(rebound, byte(b))
+				}
+				currentVar++
+			case AT:
+				rebound = append(rebound, '@', 'p')
+				for _, b := range strconv.Itoa(currentVar) {
+					rebound = append(rebound, byte(b))
+				}
+				currentVar++
+			}
+			// add this byte to string unless it was not part of the name
+			if i != last {
+				rebound = append(rebound, b)
+			} else if !unicode.IsOneOf(allowedBindRunes, rune(b)) {
+				rebound = append(rebound, b)
+			}
+		} else {
+			// this is a normal byte and should just go onto the rebound query
+			rebound = append(rebound, b)
+		}
+	}
+
+	return string(rebound), names, err
+}
+
+// BindNamed binds a struct or a map to a query with named parameters.
+// DEPRECATED: use sqlx.Named` instead of this, it may be removed in future.
+func BindNamed(bindType int, query string, arg interface{}) (string, []interface{}, error) {
+	return bindNamedMapper(bindType, query, arg, mapper())
+}
+
+// Named takes a query using named parameters and an argument and
+// returns a new query with a list of args that can be executed by
+// a database.  The return value uses the `?` bindvar.
+func Named(query string, arg interface{}) (string, []interface{}, error) {
+	return bindNamedMapper(QUESTION, query, arg, mapper())
+}
+
+func bindNamedMapper(bindType int, query string, arg interface{}, m *reflectx.Mapper) (string, []interface{}, error) {
+	t := reflect.TypeOf(arg)
+	k := t.Kind()
+	switch {
+	case k == reflect.Map && t.Key().Kind() == reflect.String:
+		m, ok := convertMapStringInterface(arg)
+		if !ok {
+			return "", nil, fmt.Errorf("sqlx.bindNamedMapper: unsupported map type: %T", arg)
+		}
+		return bindMap(bindType, query, m)
+	case k == reflect.Array || k == reflect.Slice:
+		return bindArray(bindType, query, arg, m)
+	default:
+		return bindStruct(bindType, query, arg, m)
+	}
+}
+
+// NamedQuery binds a named query and then runs Query on the result using the
+// provided Ext (sqlx.Tx, sqlx.Db).  It works with both structs and with
+// map[string]interface{} types.
+func NamedQuery(e Ext, query string, arg interface{}) (*Rows, error) {
+	q, args, err := bindNamedMapper(BindType(e.DriverName()), query, arg, mapperFor(e))
+	if err != nil {
+		return nil, err
+	}
+	return e.Queryx(q, args...)
+}
+
+// NamedExec uses BindStruct to get a query executable by the driver and
+// then runs Exec on the result.  Returns an error from the binding
+// or the query execution itself.
+func NamedExec(e Ext, query string, arg interface{}) (sql.Result, error) {
+	q, args, err := bindNamedMapper(BindType(e.DriverName()), query, arg, mapperFor(e))
+	if err != nil {
+		return nil, err
+	}
+	return e.Exec(q, args...)
+}
diff --git a/vendor/github.com/jmoiron/sqlx/named_context.go b/vendor/github.com/jmoiron/sqlx/named_context.go
new file mode 100644
index 0000000000..9ad23f4ed1
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/named_context.go
@@ -0,0 +1,133 @@
+//go:build go1.8
+// +build go1.8
+
+package sqlx
+
+import (
+	"context"
+	"database/sql"
+)
+
+// A union interface of contextPreparer and binder, required to be able to
+// prepare named statements with context (as the bindtype must be determined).
+type namedPreparerContext interface {
+	PreparerContext
+	binder
+}
+
+func prepareNamedContext(ctx context.Context, p namedPreparerContext, query string) (*NamedStmt, error) {
+	bindType := BindType(p.DriverName())
+	q, args, err := compileNamedQuery([]byte(query), bindType)
+	if err != nil {
+		return nil, err
+	}
+	stmt, err := PreparexContext(ctx, p, q)
+	if err != nil {
+		return nil, err
+	}
+	return &NamedStmt{
+		QueryString: q,
+		Params:      args,
+		Stmt:        stmt,
+	}, nil
+}
+
+// ExecContext executes a named statement using the struct passed.
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) ExecContext(ctx context.Context, arg interface{}) (sql.Result, error) {
+	args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper)
+	if err != nil {
+		return *new(sql.Result), err
+	}
+	return n.Stmt.ExecContext(ctx, args...)
+}
+
+// QueryContext executes a named statement using the struct argument, returning rows.
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) QueryContext(ctx context.Context, arg interface{}) (*sql.Rows, error) {
+	args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper)
+	if err != nil {
+		return nil, err
+	}
+	return n.Stmt.QueryContext(ctx, args...)
+}
+
+// QueryRowContext executes a named statement against the database.  Because sqlx cannot
+// create a *sql.Row with an error condition pre-set for binding errors, sqlx
+// returns a *sqlx.Row instead.
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) QueryRowContext(ctx context.Context, arg interface{}) *Row {
+	args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper)
+	if err != nil {
+		return &Row{err: err}
+	}
+	return n.Stmt.QueryRowxContext(ctx, args...)
+}
+
+// MustExecContext execs a NamedStmt, panicing on error
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) MustExecContext(ctx context.Context, arg interface{}) sql.Result {
+	res, err := n.ExecContext(ctx, arg)
+	if err != nil {
+		panic(err)
+	}
+	return res
+}
+
+// QueryxContext using this NamedStmt
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) QueryxContext(ctx context.Context, arg interface{}) (*Rows, error) {
+	r, err := n.QueryContext(ctx, arg)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, Mapper: n.Stmt.Mapper, unsafe: isUnsafe(n)}, err
+}
+
+// QueryRowxContext this NamedStmt.  Because of limitations with QueryRow, this is
+// an alias for QueryRow.
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) QueryRowxContext(ctx context.Context, arg interface{}) *Row {
+	return n.QueryRowContext(ctx, arg)
+}
+
+// SelectContext using this NamedStmt
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) SelectContext(ctx context.Context, dest interface{}, arg interface{}) error {
+	rows, err := n.QueryxContext(ctx, arg)
+	if err != nil {
+		return err
+	}
+	// if something happens here, we want to make sure the rows are Closed
+	defer rows.Close()
+	return scanAll(rows, dest, false)
+}
+
+// GetContext using this NamedStmt
+// Any named placeholder parameters are replaced with fields from arg.
+func (n *NamedStmt) GetContext(ctx context.Context, dest interface{}, arg interface{}) error {
+	r := n.QueryRowxContext(ctx, arg)
+	return r.scanAny(dest, false)
+}
+
+// NamedQueryContext binds a named query and then runs Query on the result using the
+// provided Ext (sqlx.Tx, sqlx.Db).  It works with both structs and with
+// map[string]interface{} types.
+func NamedQueryContext(ctx context.Context, e ExtContext, query string, arg interface{}) (*Rows, error) {
+	q, args, err := bindNamedMapper(BindType(e.DriverName()), query, arg, mapperFor(e))
+	if err != nil {
+		return nil, err
+	}
+	return e.QueryxContext(ctx, q, args...)
+}
+
+// NamedExecContext uses BindStruct to get a query executable by the driver and
+// then runs Exec on the result.  Returns an error from the binding
+// or the query execution itself.
+func NamedExecContext(ctx context.Context, e ExtContext, query string, arg interface{}) (sql.Result, error) {
+	q, args, err := bindNamedMapper(BindType(e.DriverName()), query, arg, mapperFor(e))
+	if err != nil {
+		return nil, err
+	}
+	return e.ExecContext(ctx, q, args...)
+}
diff --git a/vendor/github.com/jmoiron/sqlx/reflectx/README.md b/vendor/github.com/jmoiron/sqlx/reflectx/README.md
new file mode 100644
index 0000000000..f01d3d1f08
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/reflectx/README.md
@@ -0,0 +1,17 @@
+# reflectx
+
+The sqlx package has special reflect needs.  In particular, it needs to:
+
+* be able to map a name to a field
+* understand embedded structs
+* understand mapping names to fields by a particular tag
+* user specified name -> field mapping functions
+
+These behaviors mimic the behaviors by the standard library marshallers and also the
+behavior of standard Go accessors.
+
+The first two are amply taken care of by `Reflect.Value.FieldByName`, and the third is
+addressed by `Reflect.Value.FieldByNameFunc`, but these don't quite understand struct
+tags in the ways that are vital to most marshallers, and they are slow.
+
+This reflectx package extends reflect to achieve these goals.
diff --git a/vendor/github.com/jmoiron/sqlx/reflectx/reflect.go b/vendor/github.com/jmoiron/sqlx/reflectx/reflect.go
new file mode 100644
index 0000000000..8ec6a13828
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/reflectx/reflect.go
@@ -0,0 +1,443 @@
+// Package reflectx implements extensions to the standard reflect lib suitable
+// for implementing marshalling and unmarshalling packages.  The main Mapper type
+// allows for Go-compatible named attribute access, including accessing embedded
+// struct attributes and the ability to use  functions and struct tags to
+// customize field names.
+package reflectx
+
+import (
+	"reflect"
+	"runtime"
+	"strings"
+	"sync"
+)
+
+// A FieldInfo is metadata for a struct field.
+type FieldInfo struct {
+	Index    []int
+	Path     string
+	Field    reflect.StructField
+	Zero     reflect.Value
+	Name     string
+	Options  map[string]string
+	Embedded bool
+	Children []*FieldInfo
+	Parent   *FieldInfo
+}
+
+// A StructMap is an index of field metadata for a struct.
+type StructMap struct {
+	Tree  *FieldInfo
+	Index []*FieldInfo
+	Paths map[string]*FieldInfo
+	Names map[string]*FieldInfo
+}
+
+// GetByPath returns a *FieldInfo for a given string path.
+func (f StructMap) GetByPath(path string) *FieldInfo {
+	return f.Paths[path]
+}
+
+// GetByTraversal returns a *FieldInfo for a given integer path.  It is
+// analogous to reflect.FieldByIndex, but using the cached traversal
+// rather than re-executing the reflect machinery each time.
+func (f StructMap) GetByTraversal(index []int) *FieldInfo {
+	if len(index) == 0 {
+		return nil
+	}
+
+	tree := f.Tree
+	for _, i := range index {
+		if i >= len(tree.Children) || tree.Children[i] == nil {
+			return nil
+		}
+		tree = tree.Children[i]
+	}
+	return tree
+}
+
+// Mapper is a general purpose mapper of names to struct fields.  A Mapper
+// behaves like most marshallers in the standard library, obeying a field tag
+// for name mapping but also providing a basic transform function.
+type Mapper struct {
+	cache      map[reflect.Type]*StructMap
+	tagName    string
+	tagMapFunc func(string) string
+	mapFunc    func(string) string
+	mutex      sync.Mutex
+}
+
+// NewMapper returns a new mapper using the tagName as its struct field tag.
+// If tagName is the empty string, it is ignored.
+func NewMapper(tagName string) *Mapper {
+	return &Mapper{
+		cache:   make(map[reflect.Type]*StructMap),
+		tagName: tagName,
+	}
+}
+
+// NewMapperTagFunc returns a new mapper which contains a mapper for field names
+// AND a mapper for tag values.  This is useful for tags like json which can
+// have values like "name,omitempty".
+func NewMapperTagFunc(tagName string, mapFunc, tagMapFunc func(string) string) *Mapper {
+	return &Mapper{
+		cache:      make(map[reflect.Type]*StructMap),
+		tagName:    tagName,
+		mapFunc:    mapFunc,
+		tagMapFunc: tagMapFunc,
+	}
+}
+
+// NewMapperFunc returns a new mapper which optionally obeys a field tag and
+// a struct field name mapper func given by f.  Tags will take precedence, but
+// for any other field, the mapped name will be f(field.Name)
+func NewMapperFunc(tagName string, f func(string) string) *Mapper {
+	return &Mapper{
+		cache:   make(map[reflect.Type]*StructMap),
+		tagName: tagName,
+		mapFunc: f,
+	}
+}
+
+// TypeMap returns a mapping of field strings to int slices representing
+// the traversal down the struct to reach the field.
+func (m *Mapper) TypeMap(t reflect.Type) *StructMap {
+	m.mutex.Lock()
+	mapping, ok := m.cache[t]
+	if !ok {
+		mapping = getMapping(t, m.tagName, m.mapFunc, m.tagMapFunc)
+		m.cache[t] = mapping
+	}
+	m.mutex.Unlock()
+	return mapping
+}
+
+// FieldMap returns the mapper's mapping of field names to reflect values.  Panics
+// if v's Kind is not Struct, or v is not Indirectable to a struct kind.
+func (m *Mapper) FieldMap(v reflect.Value) map[string]reflect.Value {
+	v = reflect.Indirect(v)
+	mustBe(v, reflect.Struct)
+
+	r := map[string]reflect.Value{}
+	tm := m.TypeMap(v.Type())
+	for tagName, fi := range tm.Names {
+		r[tagName] = FieldByIndexes(v, fi.Index)
+	}
+	return r
+}
+
+// FieldByName returns a field by its mapped name as a reflect.Value.
+// Panics if v's Kind is not Struct or v is not Indirectable to a struct Kind.
+// Returns zero Value if the name is not found.
+func (m *Mapper) FieldByName(v reflect.Value, name string) reflect.Value {
+	v = reflect.Indirect(v)
+	mustBe(v, reflect.Struct)
+
+	tm := m.TypeMap(v.Type())
+	fi, ok := tm.Names[name]
+	if !ok {
+		return v
+	}
+	return FieldByIndexes(v, fi.Index)
+}
+
+// FieldsByName returns a slice of values corresponding to the slice of names
+// for the value.  Panics if v's Kind is not Struct or v is not Indirectable
+// to a struct Kind.  Returns zero Value for each name not found.
+func (m *Mapper) FieldsByName(v reflect.Value, names []string) []reflect.Value {
+	v = reflect.Indirect(v)
+	mustBe(v, reflect.Struct)
+
+	tm := m.TypeMap(v.Type())
+	vals := make([]reflect.Value, 0, len(names))
+	for _, name := range names {
+		fi, ok := tm.Names[name]
+		if !ok {
+			vals = append(vals, *new(reflect.Value))
+		} else {
+			vals = append(vals, FieldByIndexes(v, fi.Index))
+		}
+	}
+	return vals
+}
+
+// TraversalsByName returns a slice of int slices which represent the struct
+// traversals for each mapped name.  Panics if t is not a struct or Indirectable
+// to a struct.  Returns empty int slice for each name not found.
+func (m *Mapper) TraversalsByName(t reflect.Type, names []string) [][]int {
+	r := make([][]int, 0, len(names))
+	m.TraversalsByNameFunc(t, names, func(_ int, i []int) error {
+		if i == nil {
+			r = append(r, []int{})
+		} else {
+			r = append(r, i)
+		}
+
+		return nil
+	})
+	return r
+}
+
+// TraversalsByNameFunc traverses the mapped names and calls fn with the index of
+// each name and the struct traversal represented by that name. Panics if t is not
+// a struct or Indirectable to a struct. Returns the first error returned by fn or nil.
+func (m *Mapper) TraversalsByNameFunc(t reflect.Type, names []string, fn func(int, []int) error) error {
+	t = Deref(t)
+	mustBe(t, reflect.Struct)
+	tm := m.TypeMap(t)
+	for i, name := range names {
+		fi, ok := tm.Names[name]
+		if !ok {
+			if err := fn(i, nil); err != nil {
+				return err
+			}
+		} else {
+			if err := fn(i, fi.Index); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// FieldByIndexes returns a value for the field given by the struct traversal
+// for the given value.
+func FieldByIndexes(v reflect.Value, indexes []int) reflect.Value {
+	for _, i := range indexes {
+		v = reflect.Indirect(v).Field(i)
+		// if this is a pointer and it's nil, allocate a new value and set it
+		if v.Kind() == reflect.Ptr && v.IsNil() {
+			alloc := reflect.New(Deref(v.Type()))
+			v.Set(alloc)
+		}
+		if v.Kind() == reflect.Map && v.IsNil() {
+			v.Set(reflect.MakeMap(v.Type()))
+		}
+	}
+	return v
+}
+
+// FieldByIndexesReadOnly returns a value for a particular struct traversal,
+// but is not concerned with allocating nil pointers because the value is
+// going to be used for reading and not setting.
+func FieldByIndexesReadOnly(v reflect.Value, indexes []int) reflect.Value {
+	for _, i := range indexes {
+		v = reflect.Indirect(v).Field(i)
+	}
+	return v
+}
+
+// Deref is Indirect for reflect.Types
+func Deref(t reflect.Type) reflect.Type {
+	if t.Kind() == reflect.Ptr {
+		t = t.Elem()
+	}
+	return t
+}
+
+// -- helpers & utilities --
+
+type kinder interface {
+	Kind() reflect.Kind
+}
+
+// mustBe checks a value against a kind, panicing with a reflect.ValueError
+// if the kind isn't that which is required.
+func mustBe(v kinder, expected reflect.Kind) {
+	if k := v.Kind(); k != expected {
+		panic(&reflect.ValueError{Method: methodName(), Kind: k})
+	}
+}
+
+// methodName returns the caller of the function calling methodName
+func methodName() string {
+	pc, _, _, _ := runtime.Caller(2)
+	f := runtime.FuncForPC(pc)
+	if f == nil {
+		return "unknown method"
+	}
+	return f.Name()
+}
+
+type typeQueue struct {
+	t  reflect.Type
+	fi *FieldInfo
+	pp string // Parent path
+}
+
+// A copying append that creates a new slice each time.
+func apnd(is []int, i int) []int {
+	x := make([]int, len(is)+1)
+	copy(x, is)
+	x[len(x)-1] = i
+	return x
+}
+
+type mapf func(string) string
+
+// parseName parses the tag and the target name for the given field using
+// the tagName (eg 'json' for `json:"foo"` tags), mapFunc for mapping the
+// field's name to a target name, and tagMapFunc for mapping the tag to
+// a target name.
+func parseName(field reflect.StructField, tagName string, mapFunc, tagMapFunc mapf) (tag, fieldName string) {
+	// first, set the fieldName to the field's name
+	fieldName = field.Name
+	// if a mapFunc is set, use that to override the fieldName
+	if mapFunc != nil {
+		fieldName = mapFunc(fieldName)
+	}
+
+	// if there's no tag to look for, return the field name
+	if tagName == "" {
+		return "", fieldName
+	}
+
+	// if this tag is not set using the normal convention in the tag,
+	// then return the fieldname..  this check is done because according
+	// to the reflect documentation:
+	//    If the tag does not have the conventional format,
+	//    the value returned by Get is unspecified.
+	// which doesn't sound great.
+	if !strings.Contains(string(field.Tag), tagName+":") {
+		return "", fieldName
+	}
+
+	// at this point we're fairly sure that we have a tag, so lets pull it out
+	tag = field.Tag.Get(tagName)
+
+	// if we have a mapper function, call it on the whole tag
+	// XXX: this is a change from the old version, which pulled out the name
+	// before the tagMapFunc could be run, but I think this is the right way
+	if tagMapFunc != nil {
+		tag = tagMapFunc(tag)
+	}
+
+	// finally, split the options from the name
+	parts := strings.Split(tag, ",")
+	fieldName = parts[0]
+
+	return tag, fieldName
+}
+
+// parseOptions parses options out of a tag string, skipping the name
+func parseOptions(tag string) map[string]string {
+	parts := strings.Split(tag, ",")
+	options := make(map[string]string, len(parts))
+	if len(parts) > 1 {
+		for _, opt := range parts[1:] {
+			// short circuit potentially expensive split op
+			if strings.Contains(opt, "=") {
+				kv := strings.Split(opt, "=")
+				options[kv[0]] = kv[1]
+				continue
+			}
+			options[opt] = ""
+		}
+	}
+	return options
+}
+
+// getMapping returns a mapping for the t type, using the tagName, mapFunc and
+// tagMapFunc to determine the canonical names of fields.
+func getMapping(t reflect.Type, tagName string, mapFunc, tagMapFunc mapf) *StructMap {
+	m := []*FieldInfo{}
+
+	root := &FieldInfo{}
+	queue := []typeQueue{}
+	queue = append(queue, typeQueue{Deref(t), root, ""})
+
+QueueLoop:
+	for len(queue) != 0 {
+		// pop the first item off of the queue
+		tq := queue[0]
+		queue = queue[1:]
+
+		// ignore recursive field
+		for p := tq.fi.Parent; p != nil; p = p.Parent {
+			if tq.fi.Field.Type == p.Field.Type {
+				continue QueueLoop
+			}
+		}
+
+		nChildren := 0
+		if tq.t.Kind() == reflect.Struct {
+			nChildren = tq.t.NumField()
+		}
+		tq.fi.Children = make([]*FieldInfo, nChildren)
+
+		// iterate through all of its fields
+		for fieldPos := 0; fieldPos < nChildren; fieldPos++ {
+
+			f := tq.t.Field(fieldPos)
+
+			// parse the tag and the target name using the mapping options for this field
+			tag, name := parseName(f, tagName, mapFunc, tagMapFunc)
+
+			// if the name is "-", disabled via a tag, skip it
+			if name == "-" {
+				continue
+			}
+
+			fi := FieldInfo{
+				Field:   f,
+				Name:    name,
+				Zero:    reflect.New(f.Type).Elem(),
+				Options: parseOptions(tag),
+			}
+
+			// if the path is empty this path is just the name
+			if tq.pp == "" {
+				fi.Path = fi.Name
+			} else {
+				fi.Path = tq.pp + "." + fi.Name
+			}
+
+			// skip unexported fields
+			if len(f.PkgPath) != 0 && !f.Anonymous {
+				continue
+			}
+
+			// bfs search of anonymous embedded structs
+			if f.Anonymous {
+				pp := tq.pp
+				if tag != "" {
+					pp = fi.Path
+				}
+
+				fi.Embedded = true
+				fi.Index = apnd(tq.fi.Index, fieldPos)
+				nChildren := 0
+				ft := Deref(f.Type)
+				if ft.Kind() == reflect.Struct {
+					nChildren = ft.NumField()
+				}
+				fi.Children = make([]*FieldInfo, nChildren)
+				queue = append(queue, typeQueue{Deref(f.Type), &fi, pp})
+			} else if fi.Zero.Kind() == reflect.Struct || (fi.Zero.Kind() == reflect.Ptr && fi.Zero.Type().Elem().Kind() == reflect.Struct) {
+				fi.Index = apnd(tq.fi.Index, fieldPos)
+				fi.Children = make([]*FieldInfo, Deref(f.Type).NumField())
+				queue = append(queue, typeQueue{Deref(f.Type), &fi, fi.Path})
+			}
+
+			fi.Index = apnd(tq.fi.Index, fieldPos)
+			fi.Parent = tq.fi
+			tq.fi.Children[fieldPos] = &fi
+			m = append(m, &fi)
+		}
+	}
+
+	flds := &StructMap{Index: m, Tree: root, Paths: map[string]*FieldInfo{}, Names: map[string]*FieldInfo{}}
+	for _, fi := range flds.Index {
+		// check if nothing has already been pushed with the same path
+		// sometimes you can choose to override a type using embedded struct
+		fld, ok := flds.Paths[fi.Path]
+		if !ok || fld.Embedded {
+			flds.Paths[fi.Path] = fi
+			if fi.Name != "" && !fi.Embedded {
+				flds.Names[fi.Path] = fi
+			}
+		}
+	}
+
+	return flds
+}
diff --git a/vendor/github.com/jmoiron/sqlx/sqlx.go b/vendor/github.com/jmoiron/sqlx/sqlx.go
new file mode 100644
index 0000000000..8259a4feb6
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/sqlx.go
@@ -0,0 +1,1054 @@
+package sqlx
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"sync"
+
+	"github.com/jmoiron/sqlx/reflectx"
+)
+
+// Although the NameMapper is convenient, in practice it should not
+// be relied on except for application code.  If you are writing a library
+// that uses sqlx, you should be aware that the name mappings you expect
+// can be overridden by your user's application.
+
+// NameMapper is used to map column names to struct field names.  By default,
+// it uses strings.ToLower to lowercase struct field names.  It can be set
+// to whatever you want, but it is encouraged to be set before sqlx is used
+// as name-to-field mappings are cached after first use on a type.
+var NameMapper = strings.ToLower
+var origMapper = reflect.ValueOf(NameMapper)
+
+// Rather than creating on init, this is created when necessary so that
+// importers have time to customize the NameMapper.
+var mpr *reflectx.Mapper
+
+// mprMu protects mpr.
+var mprMu sync.Mutex
+
+// mapper returns a valid mapper using the configured NameMapper func.
+func mapper() *reflectx.Mapper {
+	mprMu.Lock()
+	defer mprMu.Unlock()
+
+	if mpr == nil {
+		mpr = reflectx.NewMapperFunc("db", NameMapper)
+	} else if origMapper != reflect.ValueOf(NameMapper) {
+		// if NameMapper has changed, create a new mapper
+		mpr = reflectx.NewMapperFunc("db", NameMapper)
+		origMapper = reflect.ValueOf(NameMapper)
+	}
+	return mpr
+}
+
+// isScannable takes the reflect.Type and the actual dest value and returns
+// whether or not it's Scannable.  Something is scannable if:
+//   - it is not a struct
+//   - it implements sql.Scanner
+//   - it has no exported fields
+func isScannable(t reflect.Type) bool {
+	if reflect.PtrTo(t).Implements(_scannerInterface) {
+		return true
+	}
+	if t.Kind() != reflect.Struct {
+		return true
+	}
+
+	// it's not important that we use the right mapper for this particular object,
+	// we're only concerned on how many exported fields this struct has
+	return len(mapper().TypeMap(t).Index) == 0
+}
+
+// ColScanner is an interface used by MapScan and SliceScan
+type ColScanner interface {
+	Columns() ([]string, error)
+	Scan(dest ...interface{}) error
+	Err() error
+}
+
+// Queryer is an interface used by Get and Select
+type Queryer interface {
+	Query(query string, args ...interface{}) (*sql.Rows, error)
+	Queryx(query string, args ...interface{}) (*Rows, error)
+	QueryRowx(query string, args ...interface{}) *Row
+}
+
+// Execer is an interface used by MustExec and LoadFile
+type Execer interface {
+	Exec(query string, args ...interface{}) (sql.Result, error)
+}
+
+// Binder is an interface for something which can bind queries (Tx, DB)
+type binder interface {
+	DriverName() string
+	Rebind(string) string
+	BindNamed(string, interface{}) (string, []interface{}, error)
+}
+
+// Ext is a union interface which can bind, query, and exec, used by
+// NamedQuery and NamedExec.
+type Ext interface {
+	binder
+	Queryer
+	Execer
+}
+
+// Preparer is an interface used by Preparex.
+type Preparer interface {
+	Prepare(query string) (*sql.Stmt, error)
+}
+
+// determine if any of our extensions are unsafe
+func isUnsafe(i interface{}) bool {
+	switch v := i.(type) {
+	case Row:
+		return v.unsafe
+	case *Row:
+		return v.unsafe
+	case Rows:
+		return v.unsafe
+	case *Rows:
+		return v.unsafe
+	case NamedStmt:
+		return v.Stmt.unsafe
+	case *NamedStmt:
+		return v.Stmt.unsafe
+	case Stmt:
+		return v.unsafe
+	case *Stmt:
+		return v.unsafe
+	case qStmt:
+		return v.unsafe
+	case *qStmt:
+		return v.unsafe
+	case DB:
+		return v.unsafe
+	case *DB:
+		return v.unsafe
+	case Tx:
+		return v.unsafe
+	case *Tx:
+		return v.unsafe
+	case sql.Rows, *sql.Rows:
+		return false
+	default:
+		return false
+	}
+}
+
+func mapperFor(i interface{}) *reflectx.Mapper {
+	switch i := i.(type) {
+	case DB:
+		return i.Mapper
+	case *DB:
+		return i.Mapper
+	case Tx:
+		return i.Mapper
+	case *Tx:
+		return i.Mapper
+	default:
+		return mapper()
+	}
+}
+
+var _scannerInterface = reflect.TypeOf((*sql.Scanner)(nil)).Elem()
+
+//lint:ignore U1000 ignoring this for now
+var _valuerInterface = reflect.TypeOf((*driver.Valuer)(nil)).Elem()
+
+// Row is a reimplementation of sql.Row in order to gain access to the underlying
+// sql.Rows.Columns() data, necessary for StructScan.
+type Row struct {
+	err    error
+	unsafe bool
+	rows   *sql.Rows
+	Mapper *reflectx.Mapper
+}
+
+// Scan is a fixed implementation of sql.Row.Scan, which does not discard the
+// underlying error from the internal rows object if it exists.
+func (r *Row) Scan(dest ...interface{}) error {
+	if r.err != nil {
+		return r.err
+	}
+
+	// TODO(bradfitz): for now we need to defensively clone all
+	// []byte that the driver returned (not permitting
+	// *RawBytes in Rows.Scan), since we're about to close
+	// the Rows in our defer, when we return from this function.
+	// the contract with the driver.Next(...) interface is that it
+	// can return slices into read-only temporary memory that's
+	// only valid until the next Scan/Close.  But the TODO is that
+	// for a lot of drivers, this copy will be unnecessary.  We
+	// should provide an optional interface for drivers to
+	// implement to say, "don't worry, the []bytes that I return
+	// from Next will not be modified again." (for instance, if
+	// they were obtained from the network anyway) But for now we
+	// don't care.
+	defer r.rows.Close()
+	for _, dp := range dest {
+		if _, ok := dp.(*sql.RawBytes); ok {
+			return errors.New("sql: RawBytes isn't allowed on Row.Scan")
+		}
+	}
+
+	if !r.rows.Next() {
+		if err := r.rows.Err(); err != nil {
+			return err
+		}
+		return sql.ErrNoRows
+	}
+	err := r.rows.Scan(dest...)
+	if err != nil {
+		return err
+	}
+	// Make sure the query can be processed to completion with no errors.
+	if err := r.rows.Close(); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Columns returns the underlying sql.Rows.Columns(), or the deferred error usually
+// returned by Row.Scan()
+func (r *Row) Columns() ([]string, error) {
+	if r.err != nil {
+		return []string{}, r.err
+	}
+	return r.rows.Columns()
+}
+
+// ColumnTypes returns the underlying sql.Rows.ColumnTypes(), or the deferred error
+func (r *Row) ColumnTypes() ([]*sql.ColumnType, error) {
+	if r.err != nil {
+		return []*sql.ColumnType{}, r.err
+	}
+	return r.rows.ColumnTypes()
+}
+
+// Err returns the error encountered while scanning.
+func (r *Row) Err() error {
+	return r.err
+}
+
+// DB is a wrapper around sql.DB which keeps track of the driverName upon Open,
+// used mostly to automatically bind named queries using the right bindvars.
+type DB struct {
+	*sql.DB
+	driverName string
+	unsafe     bool
+	Mapper     *reflectx.Mapper
+}
+
+// NewDb returns a new sqlx DB wrapper for a pre-existing *sql.DB.  The
+// driverName of the original database is required for named query support.
+//
+//lint:ignore ST1003 changing this would break the package interface.
+func NewDb(db *sql.DB, driverName string) *DB {
+	return &DB{DB: db, driverName: driverName, Mapper: mapper()}
+}
+
+// DriverName returns the driverName passed to the Open function for this DB.
+func (db *DB) DriverName() string {
+	return db.driverName
+}
+
+// Open is the same as sql.Open, but returns an *sqlx.DB instead.
+func Open(driverName, dataSourceName string) (*DB, error) {
+	db, err := sql.Open(driverName, dataSourceName)
+	if err != nil {
+		return nil, err
+	}
+	return &DB{DB: db, driverName: driverName, Mapper: mapper()}, err
+}
+
+// MustOpen is the same as sql.Open, but returns an *sqlx.DB instead and panics on error.
+func MustOpen(driverName, dataSourceName string) *DB {
+	db, err := Open(driverName, dataSourceName)
+	if err != nil {
+		panic(err)
+	}
+	return db
+}
+
+// MapperFunc sets a new mapper for this db using the default sqlx struct tag
+// and the provided mapper function.
+func (db *DB) MapperFunc(mf func(string) string) {
+	db.Mapper = reflectx.NewMapperFunc("db", mf)
+}
+
+// Rebind transforms a query from QUESTION to the DB driver's bindvar type.
+func (db *DB) Rebind(query string) string {
+	return Rebind(BindType(db.driverName), query)
+}
+
+// Unsafe returns a version of DB which will silently succeed to scan when
+// columns in the SQL result have no fields in the destination struct.
+// sqlx.Stmt and sqlx.Tx which are created from this DB will inherit its
+// safety behavior.
+func (db *DB) Unsafe() *DB {
+	return &DB{DB: db.DB, driverName: db.driverName, unsafe: true, Mapper: db.Mapper}
+}
+
+// BindNamed binds a query using the DB driver's bindvar type.
+func (db *DB) BindNamed(query string, arg interface{}) (string, []interface{}, error) {
+	return bindNamedMapper(BindType(db.driverName), query, arg, db.Mapper)
+}
+
+// NamedQuery using this DB.
+// Any named placeholder parameters are replaced with fields from arg.
+func (db *DB) NamedQuery(query string, arg interface{}) (*Rows, error) {
+	return NamedQuery(db, query, arg)
+}
+
+// NamedExec using this DB.
+// Any named placeholder parameters are replaced with fields from arg.
+func (db *DB) NamedExec(query string, arg interface{}) (sql.Result, error) {
+	return NamedExec(db, query, arg)
+}
+
+// Select using this DB.
+// Any placeholder parameters are replaced with supplied args.
+func (db *DB) Select(dest interface{}, query string, args ...interface{}) error {
+	return Select(db, dest, query, args...)
+}
+
+// Get using this DB.
+// Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func (db *DB) Get(dest interface{}, query string, args ...interface{}) error {
+	return Get(db, dest, query, args...)
+}
+
+// MustBegin starts a transaction, and panics on error.  Returns an *sqlx.Tx instead
+// of an *sql.Tx.
+func (db *DB) MustBegin() *Tx {
+	tx, err := db.Beginx()
+	if err != nil {
+		panic(err)
+	}
+	return tx
+}
+
+// Beginx begins a transaction and returns an *sqlx.Tx instead of an *sql.Tx.
+func (db *DB) Beginx() (*Tx, error) {
+	tx, err := db.DB.Begin()
+	if err != nil {
+		return nil, err
+	}
+	return &Tx{Tx: tx, driverName: db.driverName, unsafe: db.unsafe, Mapper: db.Mapper}, err
+}
+
+// Queryx queries the database and returns an *sqlx.Rows.
+// Any placeholder parameters are replaced with supplied args.
+func (db *DB) Queryx(query string, args ...interface{}) (*Rows, error) {
+	r, err := db.DB.Query(query, args...)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, unsafe: db.unsafe, Mapper: db.Mapper}, err
+}
+
+// QueryRowx queries the database and returns an *sqlx.Row.
+// Any placeholder parameters are replaced with supplied args.
+func (db *DB) QueryRowx(query string, args ...interface{}) *Row {
+	rows, err := db.DB.Query(query, args...)
+	return &Row{rows: rows, err: err, unsafe: db.unsafe, Mapper: db.Mapper}
+}
+
+// MustExec (panic) runs MustExec using this database.
+// Any placeholder parameters are replaced with supplied args.
+func (db *DB) MustExec(query string, args ...interface{}) sql.Result {
+	return MustExec(db, query, args...)
+}
+
+// Preparex returns an sqlx.Stmt instead of a sql.Stmt
+func (db *DB) Preparex(query string) (*Stmt, error) {
+	return Preparex(db, query)
+}
+
+// PrepareNamed returns an sqlx.NamedStmt
+func (db *DB) PrepareNamed(query string) (*NamedStmt, error) {
+	return prepareNamed(db, query)
+}
+
+// Conn is a wrapper around sql.Conn with extra functionality
+type Conn struct {
+	*sql.Conn
+	driverName string
+	unsafe     bool
+	Mapper     *reflectx.Mapper
+}
+
+// Tx is an sqlx wrapper around sql.Tx with extra functionality
+type Tx struct {
+	*sql.Tx
+	driverName string
+	unsafe     bool
+	Mapper     *reflectx.Mapper
+}
+
+// DriverName returns the driverName used by the DB which began this transaction.
+func (tx *Tx) DriverName() string {
+	return tx.driverName
+}
+
+// Rebind a query within a transaction's bindvar type.
+func (tx *Tx) Rebind(query string) string {
+	return Rebind(BindType(tx.driverName), query)
+}
+
+// Unsafe returns a version of Tx which will silently succeed to scan when
+// columns in the SQL result have no fields in the destination struct.
+func (tx *Tx) Unsafe() *Tx {
+	return &Tx{Tx: tx.Tx, driverName: tx.driverName, unsafe: true, Mapper: tx.Mapper}
+}
+
+// BindNamed binds a query within a transaction's bindvar type.
+func (tx *Tx) BindNamed(query string, arg interface{}) (string, []interface{}, error) {
+	return bindNamedMapper(BindType(tx.driverName), query, arg, tx.Mapper)
+}
+
+// NamedQuery within a transaction.
+// Any named placeholder parameters are replaced with fields from arg.
+func (tx *Tx) NamedQuery(query string, arg interface{}) (*Rows, error) {
+	return NamedQuery(tx, query, arg)
+}
+
+// NamedExec a named query within a transaction.
+// Any named placeholder parameters are replaced with fields from arg.
+func (tx *Tx) NamedExec(query string, arg interface{}) (sql.Result, error) {
+	return NamedExec(tx, query, arg)
+}
+
+// Select within a transaction.
+// Any placeholder parameters are replaced with supplied args.
+func (tx *Tx) Select(dest interface{}, query string, args ...interface{}) error {
+	return Select(tx, dest, query, args...)
+}
+
+// Queryx within a transaction.
+// Any placeholder parameters are replaced with supplied args.
+func (tx *Tx) Queryx(query string, args ...interface{}) (*Rows, error) {
+	r, err := tx.Tx.Query(query, args...)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, unsafe: tx.unsafe, Mapper: tx.Mapper}, err
+}
+
+// QueryRowx within a transaction.
+// Any placeholder parameters are replaced with supplied args.
+func (tx *Tx) QueryRowx(query string, args ...interface{}) *Row {
+	rows, err := tx.Tx.Query(query, args...)
+	return &Row{rows: rows, err: err, unsafe: tx.unsafe, Mapper: tx.Mapper}
+}
+
+// Get within a transaction.
+// Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func (tx *Tx) Get(dest interface{}, query string, args ...interface{}) error {
+	return Get(tx, dest, query, args...)
+}
+
+// MustExec runs MustExec within a transaction.
+// Any placeholder parameters are replaced with supplied args.
+func (tx *Tx) MustExec(query string, args ...interface{}) sql.Result {
+	return MustExec(tx, query, args...)
+}
+
+// Preparex  a statement within a transaction.
+func (tx *Tx) Preparex(query string) (*Stmt, error) {
+	return Preparex(tx, query)
+}
+
+// Stmtx returns a version of the prepared statement which runs within a transaction.  Provided
+// stmt can be either *sql.Stmt or *sqlx.Stmt.
+func (tx *Tx) Stmtx(stmt interface{}) *Stmt {
+	var s *sql.Stmt
+	switch v := stmt.(type) {
+	case Stmt:
+		s = v.Stmt
+	case *Stmt:
+		s = v.Stmt
+	case *sql.Stmt:
+		s = v
+	default:
+		panic(fmt.Sprintf("non-statement type %v passed to Stmtx", reflect.ValueOf(stmt).Type()))
+	}
+	return &Stmt{Stmt: tx.Stmt(s), Mapper: tx.Mapper}
+}
+
+// NamedStmt returns a version of the prepared statement which runs within a transaction.
+func (tx *Tx) NamedStmt(stmt *NamedStmt) *NamedStmt {
+	return &NamedStmt{
+		QueryString: stmt.QueryString,
+		Params:      stmt.Params,
+		Stmt:        tx.Stmtx(stmt.Stmt),
+	}
+}
+
+// PrepareNamed returns an sqlx.NamedStmt
+func (tx *Tx) PrepareNamed(query string) (*NamedStmt, error) {
+	return prepareNamed(tx, query)
+}
+
+// Stmt is an sqlx wrapper around sql.Stmt with extra functionality
+type Stmt struct {
+	*sql.Stmt
+	unsafe bool
+	Mapper *reflectx.Mapper
+}
+
+// Unsafe returns a version of Stmt which will silently succeed to scan when
+// columns in the SQL result have no fields in the destination struct.
+func (s *Stmt) Unsafe() *Stmt {
+	return &Stmt{Stmt: s.Stmt, unsafe: true, Mapper: s.Mapper}
+}
+
+// Select using the prepared statement.
+// Any placeholder parameters are replaced with supplied args.
+func (s *Stmt) Select(dest interface{}, args ...interface{}) error {
+	return Select(&qStmt{s}, dest, "", args...)
+}
+
+// Get using the prepared statement.
+// Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func (s *Stmt) Get(dest interface{}, args ...interface{}) error {
+	return Get(&qStmt{s}, dest, "", args...)
+}
+
+// MustExec (panic) using this statement.  Note that the query portion of the error
+// output will be blank, as Stmt does not expose its query.
+// Any placeholder parameters are replaced with supplied args.
+func (s *Stmt) MustExec(args ...interface{}) sql.Result {
+	return MustExec(&qStmt{s}, "", args...)
+}
+
+// QueryRowx using this statement.
+// Any placeholder parameters are replaced with supplied args.
+func (s *Stmt) QueryRowx(args ...interface{}) *Row {
+	qs := &qStmt{s}
+	return qs.QueryRowx("", args...)
+}
+
+// Queryx using this statement.
+// Any placeholder parameters are replaced with supplied args.
+func (s *Stmt) Queryx(args ...interface{}) (*Rows, error) {
+	qs := &qStmt{s}
+	return qs.Queryx("", args...)
+}
+
+// qStmt is an unexposed wrapper which lets you use a Stmt as a Queryer & Execer by
+// implementing those interfaces and ignoring the `query` argument.
+type qStmt struct{ *Stmt }
+
+func (q *qStmt) Query(query string, args ...interface{}) (*sql.Rows, error) {
+	return q.Stmt.Query(args...)
+}
+
+func (q *qStmt) Queryx(query string, args ...interface{}) (*Rows, error) {
+	r, err := q.Stmt.Query(args...)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, unsafe: q.Stmt.unsafe, Mapper: q.Stmt.Mapper}, err
+}
+
+func (q *qStmt) QueryRowx(query string, args ...interface{}) *Row {
+	rows, err := q.Stmt.Query(args...)
+	return &Row{rows: rows, err: err, unsafe: q.Stmt.unsafe, Mapper: q.Stmt.Mapper}
+}
+
+func (q *qStmt) Exec(query string, args ...interface{}) (sql.Result, error) {
+	return q.Stmt.Exec(args...)
+}
+
+// Rows is a wrapper around sql.Rows which caches costly reflect operations
+// during a looped StructScan
+type Rows struct {
+	*sql.Rows
+	unsafe bool
+	Mapper *reflectx.Mapper
+	// these fields cache memory use for a rows during iteration w/ structScan
+	started bool
+	fields  [][]int
+	values  []interface{}
+}
+
+// SliceScan using this Rows.
+func (r *Rows) SliceScan() ([]interface{}, error) {
+	return SliceScan(r)
+}
+
+// MapScan using this Rows.
+func (r *Rows) MapScan(dest map[string]interface{}) error {
+	return MapScan(r, dest)
+}
+
+// StructScan is like sql.Rows.Scan, but scans a single Row into a single Struct.
+// Use this and iterate over Rows manually when the memory load of Select() might be
+// prohibitive.  *Rows.StructScan caches the reflect work of matching up column
+// positions to fields to avoid that overhead per scan, which means it is not safe
+// to run StructScan on the same Rows instance with different struct types.
+func (r *Rows) StructScan(dest interface{}) error {
+	v := reflect.ValueOf(dest)
+
+	if v.Kind() != reflect.Ptr {
+		return errors.New("must pass a pointer, not a value, to StructScan destination")
+	}
+
+	v = v.Elem()
+
+	if !r.started {
+		columns, err := r.Columns()
+		if err != nil {
+			return err
+		}
+		m := r.Mapper
+
+		r.fields = m.TraversalsByName(v.Type(), columns)
+		// if we are not unsafe and are missing fields, return an error
+		if f, err := missingFields(r.fields); err != nil && !r.unsafe {
+			return fmt.Errorf("missing destination name %s in %T", columns[f], dest)
+		}
+		r.values = make([]interface{}, len(columns))
+		r.started = true
+	}
+
+	err := fieldsByTraversal(v, r.fields, r.values, true)
+	if err != nil {
+		return err
+	}
+	// scan into the struct field pointers and append to our results
+	err = r.Scan(r.values...)
+	if err != nil {
+		return err
+	}
+	return r.Err()
+}
+
+// Connect to a database and verify with a ping.
+func Connect(driverName, dataSourceName string) (*DB, error) {
+	db, err := Open(driverName, dataSourceName)
+	if err != nil {
+		return nil, err
+	}
+	err = db.Ping()
+	if err != nil {
+		db.Close()
+		return nil, err
+	}
+	return db, nil
+}
+
+// MustConnect connects to a database and panics on error.
+func MustConnect(driverName, dataSourceName string) *DB {
+	db, err := Connect(driverName, dataSourceName)
+	if err != nil {
+		panic(err)
+	}
+	return db
+}
+
+// Preparex prepares a statement.
+func Preparex(p Preparer, query string) (*Stmt, error) {
+	s, err := p.Prepare(query)
+	if err != nil {
+		return nil, err
+	}
+	return &Stmt{Stmt: s, unsafe: isUnsafe(p), Mapper: mapperFor(p)}, err
+}
+
+// Select executes a query using the provided Queryer, and StructScans each row
+// into dest, which must be a slice.  If the slice elements are scannable, then
+// the result set must have only one column.  Otherwise, StructScan is used.
+// The *sql.Rows are closed automatically.
+// Any placeholder parameters are replaced with supplied args.
+func Select(q Queryer, dest interface{}, query string, args ...interface{}) error {
+	rows, err := q.Queryx(query, args...)
+	if err != nil {
+		return err
+	}
+	// if something happens here, we want to make sure the rows are Closed
+	defer rows.Close()
+	return scanAll(rows, dest, false)
+}
+
+// Get does a QueryRow using the provided Queryer, and scans the resulting row
+// to dest.  If dest is scannable, the result must only have one column.  Otherwise,
+// StructScan is used.  Get will return sql.ErrNoRows like row.Scan would.
+// Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func Get(q Queryer, dest interface{}, query string, args ...interface{}) error {
+	r := q.QueryRowx(query, args...)
+	return r.scanAny(dest, false)
+}
+
+// LoadFile exec's every statement in a file (as a single call to Exec).
+// LoadFile may return a nil *sql.Result if errors are encountered locating or
+// reading the file at path.  LoadFile reads the entire file into memory, so it
+// is not suitable for loading large data dumps, but can be useful for initializing
+// schemas or loading indexes.
+//
+// FIXME: this does not really work with multi-statement files for mattn/go-sqlite3
+// or the go-mysql-driver/mysql drivers;  pq seems to be an exception here.  Detecting
+// this by requiring something with DriverName() and then attempting to split the
+// queries will be difficult to get right, and its current driver-specific behavior
+// is deemed at least not complex in its incorrectness.
+func LoadFile(e Execer, path string) (*sql.Result, error) {
+	realpath, err := filepath.Abs(path)
+	if err != nil {
+		return nil, err
+	}
+	contents, err := ioutil.ReadFile(realpath)
+	if err != nil {
+		return nil, err
+	}
+	res, err := e.Exec(string(contents))
+	return &res, err
+}
+
+// MustExec execs the query using e and panics if there was an error.
+// Any placeholder parameters are replaced with supplied args.
+func MustExec(e Execer, query string, args ...interface{}) sql.Result {
+	res, err := e.Exec(query, args...)
+	if err != nil {
+		panic(err)
+	}
+	return res
+}
+
+// SliceScan using this Rows.
+func (r *Row) SliceScan() ([]interface{}, error) {
+	return SliceScan(r)
+}
+
+// MapScan using this Rows.
+func (r *Row) MapScan(dest map[string]interface{}) error {
+	return MapScan(r, dest)
+}
+
+func (r *Row) scanAny(dest interface{}, structOnly bool) error {
+	if r.err != nil {
+		return r.err
+	}
+	if r.rows == nil {
+		r.err = sql.ErrNoRows
+		return r.err
+	}
+	defer r.rows.Close()
+
+	v := reflect.ValueOf(dest)
+	if v.Kind() != reflect.Ptr {
+		return errors.New("must pass a pointer, not a value, to StructScan destination")
+	}
+	if v.IsNil() {
+		return errors.New("nil pointer passed to StructScan destination")
+	}
+
+	base := reflectx.Deref(v.Type())
+	scannable := isScannable(base)
+
+	if structOnly && scannable {
+		return structOnlyError(base)
+	}
+
+	columns, err := r.Columns()
+	if err != nil {
+		return err
+	}
+
+	if scannable && len(columns) > 1 {
+		return fmt.Errorf("scannable dest type %s with >1 columns (%d) in result", base.Kind(), len(columns))
+	}
+
+	if scannable {
+		return r.Scan(dest)
+	}
+
+	m := r.Mapper
+
+	fields := m.TraversalsByName(v.Type(), columns)
+	// if we are not unsafe and are missing fields, return an error
+	if f, err := missingFields(fields); err != nil && !r.unsafe {
+		return fmt.Errorf("missing destination name %s in %T", columns[f], dest)
+	}
+	values := make([]interface{}, len(columns))
+
+	err = fieldsByTraversal(v, fields, values, true)
+	if err != nil {
+		return err
+	}
+	// scan into the struct field pointers and append to our results
+	return r.Scan(values...)
+}
+
+// StructScan a single Row into dest.
+func (r *Row) StructScan(dest interface{}) error {
+	return r.scanAny(dest, true)
+}
+
+// SliceScan a row, returning a []interface{} with values similar to MapScan.
+// This function is primarily intended for use where the number of columns
+// is not known.  Because you can pass an []interface{} directly to Scan,
+// it's recommended that you do that as it will not have to allocate new
+// slices per row.
+func SliceScan(r ColScanner) ([]interface{}, error) {
+	// ignore r.started, since we needn't use reflect for anything.
+	columns, err := r.Columns()
+	if err != nil {
+		return []interface{}{}, err
+	}
+
+	values := make([]interface{}, len(columns))
+	for i := range values {
+		values[i] = new(interface{})
+	}
+
+	err = r.Scan(values...)
+
+	if err != nil {
+		return values, err
+	}
+
+	for i := range columns {
+		values[i] = *(values[i].(*interface{}))
+	}
+
+	return values, r.Err()
+}
+
+// MapScan scans a single Row into the dest map[string]interface{}.
+// Use this to get results for SQL that might not be under your control
+// (for instance, if you're building an interface for an SQL server that
+// executes SQL from input).  Please do not use this as a primary interface!
+// This will modify the map sent to it in place, so reuse the same map with
+// care.  Columns which occur more than once in the result will overwrite
+// each other!
+func MapScan(r ColScanner, dest map[string]interface{}) error {
+	// ignore r.started, since we needn't use reflect for anything.
+	columns, err := r.Columns()
+	if err != nil {
+		return err
+	}
+
+	values := make([]interface{}, len(columns))
+	for i := range values {
+		values[i] = new(interface{})
+	}
+
+	err = r.Scan(values...)
+	if err != nil {
+		return err
+	}
+
+	for i, column := range columns {
+		dest[column] = *(values[i].(*interface{}))
+	}
+
+	return r.Err()
+}
+
+type rowsi interface {
+	Close() error
+	Columns() ([]string, error)
+	Err() error
+	Next() bool
+	Scan(...interface{}) error
+}
+
+// structOnlyError returns an error appropriate for type when a non-scannable
+// struct is expected but something else is given
+func structOnlyError(t reflect.Type) error {
+	isStruct := t.Kind() == reflect.Struct
+	isScanner := reflect.PtrTo(t).Implements(_scannerInterface)
+	if !isStruct {
+		return fmt.Errorf("expected %s but got %s", reflect.Struct, t.Kind())
+	}
+	if isScanner {
+		return fmt.Errorf("structscan expects a struct dest but the provided struct type %s implements scanner", t.Name())
+	}
+	return fmt.Errorf("expected a struct, but struct %s has no exported fields", t.Name())
+}
+
+// scanAll scans all rows into a destination, which must be a slice of any
+// type.  It resets the slice length to zero before appending each element to
+// the slice.  If the destination slice type is a Struct, then StructScan will
+// be used on each row.  If the destination is some other kind of base type,
+// then each row must only have one column which can scan into that type.  This
+// allows you to do something like:
+//
+//	rows, _ := db.Query("select id from people;")
+//	var ids []int
+//	scanAll(rows, &ids, false)
+//
+// and ids will be a list of the id results.  I realize that this is a desirable
+// interface to expose to users, but for now it will only be exposed via changes
+// to `Get` and `Select`.  The reason that this has been implemented like this is
+// this is the only way to not duplicate reflect work in the new API while
+// maintaining backwards compatibility.
+func scanAll(rows rowsi, dest interface{}, structOnly bool) error {
+	var v, vp reflect.Value
+
+	value := reflect.ValueOf(dest)
+
+	// json.Unmarshal returns errors for these
+	if value.Kind() != reflect.Ptr {
+		return errors.New("must pass a pointer, not a value, to StructScan destination")
+	}
+	if value.IsNil() {
+		return errors.New("nil pointer passed to StructScan destination")
+	}
+	direct := reflect.Indirect(value)
+
+	slice, err := baseType(value.Type(), reflect.Slice)
+	if err != nil {
+		return err
+	}
+	direct.SetLen(0)
+
+	isPtr := slice.Elem().Kind() == reflect.Ptr
+	base := reflectx.Deref(slice.Elem())
+	scannable := isScannable(base)
+
+	if structOnly && scannable {
+		return structOnlyError(base)
+	}
+
+	columns, err := rows.Columns()
+	if err != nil {
+		return err
+	}
+
+	// if it's a base type make sure it only has 1 column;  if not return an error
+	if scannable && len(columns) > 1 {
+		return fmt.Errorf("non-struct dest type %s with >1 columns (%d)", base.Kind(), len(columns))
+	}
+
+	if !scannable {
+		var values []interface{}
+		var m *reflectx.Mapper
+
+		switch rows := rows.(type) {
+		case *Rows:
+			m = rows.Mapper
+		default:
+			m = mapper()
+		}
+
+		fields := m.TraversalsByName(base, columns)
+		// if we are not unsafe and are missing fields, return an error
+		if f, err := missingFields(fields); err != nil && !isUnsafe(rows) {
+			return fmt.Errorf("missing destination name %s in %T", columns[f], dest)
+		}
+		values = make([]interface{}, len(columns))
+
+		for rows.Next() {
+			// create a new struct type (which returns PtrTo) and indirect it
+			vp = reflect.New(base)
+			v = reflect.Indirect(vp)
+
+			err = fieldsByTraversal(v, fields, values, true)
+			if err != nil {
+				return err
+			}
+
+			// scan into the struct field pointers and append to our results
+			err = rows.Scan(values...)
+			if err != nil {
+				return err
+			}
+
+			if isPtr {
+				direct.Set(reflect.Append(direct, vp))
+			} else {
+				direct.Set(reflect.Append(direct, v))
+			}
+		}
+	} else {
+		for rows.Next() {
+			vp = reflect.New(base)
+			err = rows.Scan(vp.Interface())
+			if err != nil {
+				return err
+			}
+			// append
+			if isPtr {
+				direct.Set(reflect.Append(direct, vp))
+			} else {
+				direct.Set(reflect.Append(direct, reflect.Indirect(vp)))
+			}
+		}
+	}
+
+	return rows.Err()
+}
+
+// FIXME: StructScan was the very first bit of API in sqlx, and now unfortunately
+// it doesn't really feel like it's named properly.  There is an incongruency
+// between this and the way that StructScan (which might better be ScanStruct
+// anyway) works on a rows object.
+
+// StructScan all rows from an sql.Rows or an sqlx.Rows into the dest slice.
+// StructScan will scan in the entire rows result, so if you do not want to
+// allocate structs for the entire result, use Queryx and see sqlx.Rows.StructScan.
+// If rows is sqlx.Rows, it will use its mapper, otherwise it will use the default.
+func StructScan(rows rowsi, dest interface{}) error {
+	return scanAll(rows, dest, true)
+
+}
+
+// reflect helpers
+
+func baseType(t reflect.Type, expected reflect.Kind) (reflect.Type, error) {
+	t = reflectx.Deref(t)
+	if t.Kind() != expected {
+		return nil, fmt.Errorf("expected %s but got %s", expected, t.Kind())
+	}
+	return t, nil
+}
+
+// fieldsByName fills a values interface with fields from the passed value based
+// on the traversals in int.  If ptrs is true, return addresses instead of values.
+// We write this instead of using FieldsByName to save allocations and map lookups
+// when iterating over many rows.  Empty traversals will get an interface pointer.
+// Because of the necessity of requesting ptrs or values, it's considered a bit too
+// specialized for inclusion in reflectx itself.
+func fieldsByTraversal(v reflect.Value, traversals [][]int, values []interface{}, ptrs bool) error {
+	v = reflect.Indirect(v)
+	if v.Kind() != reflect.Struct {
+		return errors.New("argument not a struct")
+	}
+
+	for i, traversal := range traversals {
+		if len(traversal) == 0 {
+			values[i] = new(interface{})
+			continue
+		}
+		f := reflectx.FieldByIndexes(v, traversal)
+		if ptrs {
+			values[i] = f.Addr().Interface()
+		} else {
+			values[i] = f.Interface()
+		}
+	}
+	return nil
+}
+
+func missingFields(transversals [][]int) (field int, err error) {
+	for i, t := range transversals {
+		if len(t) == 0 {
+			return i, errors.New("missing field")
+		}
+	}
+	return 0, nil
+}
diff --git a/vendor/github.com/jmoiron/sqlx/sqlx_context.go b/vendor/github.com/jmoiron/sqlx/sqlx_context.go
new file mode 100644
index 0000000000..32621d56d7
--- /dev/null
+++ b/vendor/github.com/jmoiron/sqlx/sqlx_context.go
@@ -0,0 +1,415 @@
+//go:build go1.8
+// +build go1.8
+
+package sqlx
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"reflect"
+)
+
+// ConnectContext to a database and verify with a ping.
+func ConnectContext(ctx context.Context, driverName, dataSourceName string) (*DB, error) {
+	db, err := Open(driverName, dataSourceName)
+	if err != nil {
+		return db, err
+	}
+	err = db.PingContext(ctx)
+	return db, err
+}
+
+// QueryerContext is an interface used by GetContext and SelectContext
+type QueryerContext interface {
+	QueryContext(ctx context.Context, query string, args ...interface{}) (*sql.Rows, error)
+	QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error)
+	QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row
+}
+
+// PreparerContext is an interface used by PreparexContext.
+type PreparerContext interface {
+	PrepareContext(ctx context.Context, query string) (*sql.Stmt, error)
+}
+
+// ExecerContext is an interface used by MustExecContext and LoadFileContext
+type ExecerContext interface {
+	ExecContext(ctx context.Context, query string, args ...interface{}) (sql.Result, error)
+}
+
+// ExtContext is a union interface which can bind, query, and exec, with Context
+// used by NamedQueryContext and NamedExecContext.
+type ExtContext interface {
+	binder
+	QueryerContext
+	ExecerContext
+}
+
+// SelectContext executes a query using the provided Queryer, and StructScans
+// each row into dest, which must be a slice.  If the slice elements are
+// scannable, then the result set must have only one column.  Otherwise,
+// StructScan is used. The *sql.Rows are closed automatically.
+// Any placeholder parameters are replaced with supplied args.
+func SelectContext(ctx context.Context, q QueryerContext, dest interface{}, query string, args ...interface{}) error {
+	rows, err := q.QueryxContext(ctx, query, args...)
+	if err != nil {
+		return err
+	}
+	// if something happens here, we want to make sure the rows are Closed
+	defer rows.Close()
+	return scanAll(rows, dest, false)
+}
+
+// PreparexContext prepares a statement.
+//
+// The provided context is used for the preparation of the statement, not for
+// the execution of the statement.
+func PreparexContext(ctx context.Context, p PreparerContext, query string) (*Stmt, error) {
+	s, err := p.PrepareContext(ctx, query)
+	if err != nil {
+		return nil, err
+	}
+	return &Stmt{Stmt: s, unsafe: isUnsafe(p), Mapper: mapperFor(p)}, err
+}
+
+// GetContext does a QueryRow using the provided Queryer, and scans the
+// resulting row to dest.  If dest is scannable, the result must only have one
+// column. Otherwise, StructScan is used.  Get will return sql.ErrNoRows like
+// row.Scan would. Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func GetContext(ctx context.Context, q QueryerContext, dest interface{}, query string, args ...interface{}) error {
+	r := q.QueryRowxContext(ctx, query, args...)
+	return r.scanAny(dest, false)
+}
+
+// LoadFileContext exec's every statement in a file (as a single call to Exec).
+// LoadFileContext may return a nil *sql.Result if errors are encountered
+// locating or reading the file at path.  LoadFile reads the entire file into
+// memory, so it is not suitable for loading large data dumps, but can be useful
+// for initializing schemas or loading indexes.
+//
+// FIXME: this does not really work with multi-statement files for mattn/go-sqlite3
+// or the go-mysql-driver/mysql drivers;  pq seems to be an exception here.  Detecting
+// this by requiring something with DriverName() and then attempting to split the
+// queries will be difficult to get right, and its current driver-specific behavior
+// is deemed at least not complex in its incorrectness.
+func LoadFileContext(ctx context.Context, e ExecerContext, path string) (*sql.Result, error) {
+	realpath, err := filepath.Abs(path)
+	if err != nil {
+		return nil, err
+	}
+	contents, err := ioutil.ReadFile(realpath)
+	if err != nil {
+		return nil, err
+	}
+	res, err := e.ExecContext(ctx, string(contents))
+	return &res, err
+}
+
+// MustExecContext execs the query using e and panics if there was an error.
+// Any placeholder parameters are replaced with supplied args.
+func MustExecContext(ctx context.Context, e ExecerContext, query string, args ...interface{}) sql.Result {
+	res, err := e.ExecContext(ctx, query, args...)
+	if err != nil {
+		panic(err)
+	}
+	return res
+}
+
+// PrepareNamedContext returns an sqlx.NamedStmt
+func (db *DB) PrepareNamedContext(ctx context.Context, query string) (*NamedStmt, error) {
+	return prepareNamedContext(ctx, db, query)
+}
+
+// NamedQueryContext using this DB.
+// Any named placeholder parameters are replaced with fields from arg.
+func (db *DB) NamedQueryContext(ctx context.Context, query string, arg interface{}) (*Rows, error) {
+	return NamedQueryContext(ctx, db, query, arg)
+}
+
+// NamedExecContext using this DB.
+// Any named placeholder parameters are replaced with fields from arg.
+func (db *DB) NamedExecContext(ctx context.Context, query string, arg interface{}) (sql.Result, error) {
+	return NamedExecContext(ctx, db, query, arg)
+}
+
+// SelectContext using this DB.
+// Any placeholder parameters are replaced with supplied args.
+func (db *DB) SelectContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error {
+	return SelectContext(ctx, db, dest, query, args...)
+}
+
+// GetContext using this DB.
+// Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func (db *DB) GetContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error {
+	return GetContext(ctx, db, dest, query, args...)
+}
+
+// PreparexContext returns an sqlx.Stmt instead of a sql.Stmt.
+//
+// The provided context is used for the preparation of the statement, not for
+// the execution of the statement.
+func (db *DB) PreparexContext(ctx context.Context, query string) (*Stmt, error) {
+	return PreparexContext(ctx, db, query)
+}
+
+// QueryxContext queries the database and returns an *sqlx.Rows.
+// Any placeholder parameters are replaced with supplied args.
+func (db *DB) QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) {
+	r, err := db.DB.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, unsafe: db.unsafe, Mapper: db.Mapper}, err
+}
+
+// QueryRowxContext queries the database and returns an *sqlx.Row.
+// Any placeholder parameters are replaced with supplied args.
+func (db *DB) QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row {
+	rows, err := db.DB.QueryContext(ctx, query, args...)
+	return &Row{rows: rows, err: err, unsafe: db.unsafe, Mapper: db.Mapper}
+}
+
+// MustBeginTx starts a transaction, and panics on error.  Returns an *sqlx.Tx instead
+// of an *sql.Tx.
+//
+// The provided context is used until the transaction is committed or rolled
+// back. If the context is canceled, the sql package will roll back the
+// transaction. Tx.Commit will return an error if the context provided to
+// MustBeginContext is canceled.
+func (db *DB) MustBeginTx(ctx context.Context, opts *sql.TxOptions) *Tx {
+	tx, err := db.BeginTxx(ctx, opts)
+	if err != nil {
+		panic(err)
+	}
+	return tx
+}
+
+// MustExecContext (panic) runs MustExec using this database.
+// Any placeholder parameters are replaced with supplied args.
+func (db *DB) MustExecContext(ctx context.Context, query string, args ...interface{}) sql.Result {
+	return MustExecContext(ctx, db, query, args...)
+}
+
+// BeginTxx begins a transaction and returns an *sqlx.Tx instead of an
+// *sql.Tx.
+//
+// The provided context is used until the transaction is committed or rolled
+// back. If the context is canceled, the sql package will roll back the
+// transaction. Tx.Commit will return an error if the context provided to
+// BeginxContext is canceled.
+func (db *DB) BeginTxx(ctx context.Context, opts *sql.TxOptions) (*Tx, error) {
+	tx, err := db.DB.BeginTx(ctx, opts)
+	if err != nil {
+		return nil, err
+	}
+	return &Tx{Tx: tx, driverName: db.driverName, unsafe: db.unsafe, Mapper: db.Mapper}, err
+}
+
+// Connx returns an *sqlx.Conn instead of an *sql.Conn.
+func (db *DB) Connx(ctx context.Context) (*Conn, error) {
+	conn, err := db.DB.Conn(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Conn{Conn: conn, driverName: db.driverName, unsafe: db.unsafe, Mapper: db.Mapper}, nil
+}
+
+// BeginTxx begins a transaction and returns an *sqlx.Tx instead of an
+// *sql.Tx.
+//
+// The provided context is used until the transaction is committed or rolled
+// back. If the context is canceled, the sql package will roll back the
+// transaction. Tx.Commit will return an error if the context provided to
+// BeginxContext is canceled.
+func (c *Conn) BeginTxx(ctx context.Context, opts *sql.TxOptions) (*Tx, error) {
+	tx, err := c.Conn.BeginTx(ctx, opts)
+	if err != nil {
+		return nil, err
+	}
+	return &Tx{Tx: tx, driverName: c.driverName, unsafe: c.unsafe, Mapper: c.Mapper}, err
+}
+
+// SelectContext using this Conn.
+// Any placeholder parameters are replaced with supplied args.
+func (c *Conn) SelectContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error {
+	return SelectContext(ctx, c, dest, query, args...)
+}
+
+// GetContext using this Conn.
+// Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func (c *Conn) GetContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error {
+	return GetContext(ctx, c, dest, query, args...)
+}
+
+// PreparexContext returns an sqlx.Stmt instead of a sql.Stmt.
+//
+// The provided context is used for the preparation of the statement, not for
+// the execution of the statement.
+func (c *Conn) PreparexContext(ctx context.Context, query string) (*Stmt, error) {
+	return PreparexContext(ctx, c, query)
+}
+
+// QueryxContext queries the database and returns an *sqlx.Rows.
+// Any placeholder parameters are replaced with supplied args.
+func (c *Conn) QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) {
+	r, err := c.Conn.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, unsafe: c.unsafe, Mapper: c.Mapper}, err
+}
+
+// QueryRowxContext queries the database and returns an *sqlx.Row.
+// Any placeholder parameters are replaced with supplied args.
+func (c *Conn) QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row {
+	rows, err := c.Conn.QueryContext(ctx, query, args...)
+	return &Row{rows: rows, err: err, unsafe: c.unsafe, Mapper: c.Mapper}
+}
+
+// Rebind a query within a Conn's bindvar type.
+func (c *Conn) Rebind(query string) string {
+	return Rebind(BindType(c.driverName), query)
+}
+
+// StmtxContext returns a version of the prepared statement which runs within a
+// transaction. Provided stmt can be either *sql.Stmt or *sqlx.Stmt.
+func (tx *Tx) StmtxContext(ctx context.Context, stmt interface{}) *Stmt {
+	var s *sql.Stmt
+	switch v := stmt.(type) {
+	case Stmt:
+		s = v.Stmt
+	case *Stmt:
+		s = v.Stmt
+	case *sql.Stmt:
+		s = v
+	default:
+		panic(fmt.Sprintf("non-statement type %v passed to Stmtx", reflect.ValueOf(stmt).Type()))
+	}
+	return &Stmt{Stmt: tx.StmtContext(ctx, s), Mapper: tx.Mapper}
+}
+
+// NamedStmtContext returns a version of the prepared statement which runs
+// within a transaction.
+func (tx *Tx) NamedStmtContext(ctx context.Context, stmt *NamedStmt) *NamedStmt {
+	return &NamedStmt{
+		QueryString: stmt.QueryString,
+		Params:      stmt.Params,
+		Stmt:        tx.StmtxContext(ctx, stmt.Stmt),
+	}
+}
+
+// PreparexContext returns an sqlx.Stmt instead of a sql.Stmt.
+//
+// The provided context is used for the preparation of the statement, not for
+// the execution of the statement.
+func (tx *Tx) PreparexContext(ctx context.Context, query string) (*Stmt, error) {
+	return PreparexContext(ctx, tx, query)
+}
+
+// PrepareNamedContext returns an sqlx.NamedStmt
+func (tx *Tx) PrepareNamedContext(ctx context.Context, query string) (*NamedStmt, error) {
+	return prepareNamedContext(ctx, tx, query)
+}
+
+// MustExecContext runs MustExecContext within a transaction.
+// Any placeholder parameters are replaced with supplied args.
+func (tx *Tx) MustExecContext(ctx context.Context, query string, args ...interface{}) sql.Result {
+	return MustExecContext(ctx, tx, query, args...)
+}
+
+// QueryxContext within a transaction and context.
+// Any placeholder parameters are replaced with supplied args.
+func (tx *Tx) QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) {
+	r, err := tx.Tx.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, unsafe: tx.unsafe, Mapper: tx.Mapper}, err
+}
+
+// SelectContext within a transaction and context.
+// Any placeholder parameters are replaced with supplied args.
+func (tx *Tx) SelectContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error {
+	return SelectContext(ctx, tx, dest, query, args...)
+}
+
+// GetContext within a transaction and context.
+// Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func (tx *Tx) GetContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error {
+	return GetContext(ctx, tx, dest, query, args...)
+}
+
+// QueryRowxContext within a transaction and context.
+// Any placeholder parameters are replaced with supplied args.
+func (tx *Tx) QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row {
+	rows, err := tx.Tx.QueryContext(ctx, query, args...)
+	return &Row{rows: rows, err: err, unsafe: tx.unsafe, Mapper: tx.Mapper}
+}
+
+// NamedExecContext using this Tx.
+// Any named placeholder parameters are replaced with fields from arg.
+func (tx *Tx) NamedExecContext(ctx context.Context, query string, arg interface{}) (sql.Result, error) {
+	return NamedExecContext(ctx, tx, query, arg)
+}
+
+// SelectContext using the prepared statement.
+// Any placeholder parameters are replaced with supplied args.
+func (s *Stmt) SelectContext(ctx context.Context, dest interface{}, args ...interface{}) error {
+	return SelectContext(ctx, &qStmt{s}, dest, "", args...)
+}
+
+// GetContext using the prepared statement.
+// Any placeholder parameters are replaced with supplied args.
+// An error is returned if the result set is empty.
+func (s *Stmt) GetContext(ctx context.Context, dest interface{}, args ...interface{}) error {
+	return GetContext(ctx, &qStmt{s}, dest, "", args...)
+}
+
+// MustExecContext (panic) using this statement.  Note that the query portion of
+// the error output will be blank, as Stmt does not expose its query.
+// Any placeholder parameters are replaced with supplied args.
+func (s *Stmt) MustExecContext(ctx context.Context, args ...interface{}) sql.Result {
+	return MustExecContext(ctx, &qStmt{s}, "", args...)
+}
+
+// QueryRowxContext using this statement.
+// Any placeholder parameters are replaced with supplied args.
+func (s *Stmt) QueryRowxContext(ctx context.Context, args ...interface{}) *Row {
+	qs := &qStmt{s}
+	return qs.QueryRowxContext(ctx, "", args...)
+}
+
+// QueryxContext using this statement.
+// Any placeholder parameters are replaced with supplied args.
+func (s *Stmt) QueryxContext(ctx context.Context, args ...interface{}) (*Rows, error) {
+	qs := &qStmt{s}
+	return qs.QueryxContext(ctx, "", args...)
+}
+
+func (q *qStmt) QueryContext(ctx context.Context, query string, args ...interface{}) (*sql.Rows, error) {
+	return q.Stmt.QueryContext(ctx, args...)
+}
+
+func (q *qStmt) QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) {
+	r, err := q.Stmt.QueryContext(ctx, args...)
+	if err != nil {
+		return nil, err
+	}
+	return &Rows{Rows: r, unsafe: q.Stmt.unsafe, Mapper: q.Stmt.Mapper}, err
+}
+
+func (q *qStmt) QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row {
+	rows, err := q.Stmt.QueryContext(ctx, args...)
+	return &Row{rows: rows, err: err, unsafe: q.Stmt.unsafe, Mapper: q.Stmt.Mapper}
+}
+
+func (q *qStmt) ExecContext(ctx context.Context, query string, args ...interface{}) (sql.Result, error) {
+	return q.Stmt.ExecContext(ctx, args...)
+}
diff --git a/vendor/github.com/josharian/intern/README.md b/vendor/github.com/josharian/intern/README.md
deleted file mode 100644
index ffc44b219b..0000000000
--- a/vendor/github.com/josharian/intern/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-Docs: https://godoc.org/github.com/josharian/intern
-
-See also [Go issue 5160](https://golang.org/issue/5160).
-
-License: MIT
diff --git a/vendor/github.com/josharian/intern/intern.go b/vendor/github.com/josharian/intern/intern.go
deleted file mode 100644
index 7acb1fe90a..0000000000
--- a/vendor/github.com/josharian/intern/intern.go
+++ /dev/null
@@ -1,44 +0,0 @@
-// Package intern interns strings.
-// Interning is best effort only.
-// Interned strings may be removed automatically
-// at any time without notification.
-// All functions may be called concurrently
-// with themselves and each other.
-package intern
-
-import "sync"
-
-var (
-	pool sync.Pool = sync.Pool{
-		New: func() interface{} {
-			return make(map[string]string)
-		},
-	}
-)
-
-// String returns s, interned.
-func String(s string) string {
-	m := pool.Get().(map[string]string)
-	c, ok := m[s]
-	if ok {
-		pool.Put(m)
-		return c
-	}
-	m[s] = s
-	pool.Put(m)
-	return s
-}
-
-// Bytes returns b converted to a string, interned.
-func Bytes(b []byte) string {
-	m := pool.Get().(map[string]string)
-	c, ok := m[string(b)]
-	if ok {
-		pool.Put(m)
-		return c
-	}
-	s := string(b)
-	m[s] = s
-	pool.Put(m)
-	return s
-}
diff --git a/vendor/github.com/klauspost/compress/.gitattributes b/vendor/github.com/klauspost/compress/.gitattributes
new file mode 100644
index 0000000000..402433593c
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/.gitattributes
@@ -0,0 +1,2 @@
+* -text
+*.bin -text -diff
diff --git a/vendor/github.com/klauspost/compress/.gitignore b/vendor/github.com/klauspost/compress/.gitignore
new file mode 100644
index 0000000000..d31b378152
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/.gitignore
@@ -0,0 +1,32 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+/s2/cmd/_s2sx/sfx-exe
+
+# Linux perf files
+perf.data
+perf.data.old
+
+# gdb history
+.gdb_history
diff --git a/vendor/github.com/klauspost/compress/.goreleaser.yml b/vendor/github.com/klauspost/compress/.goreleaser.yml
new file mode 100644
index 0000000000..4528059ca6
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/.goreleaser.yml
@@ -0,0 +1,123 @@
+version: 2
+
+before:
+  hooks:
+    - ./gen.sh
+
+builds:
+  -
+    id: "s2c"
+    binary: s2c
+    main: ./s2/cmd/s2c/main.go
+    flags:
+      - -trimpath
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - aix
+      - linux
+      - freebsd
+      - netbsd
+      - windows
+      - darwin
+    goarch:
+      - 386
+      - amd64
+      - arm
+      - arm64
+      - ppc64
+      - ppc64le
+      - mips64
+      - mips64le
+    goarm:
+      - 7
+  -
+    id: "s2d"
+    binary: s2d
+    main: ./s2/cmd/s2d/main.go
+    flags:
+      - -trimpath
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - aix
+      - linux
+      - freebsd
+      - netbsd
+      - windows
+      - darwin
+    goarch:
+      - 386
+      - amd64
+      - arm
+      - arm64
+      - ppc64
+      - ppc64le
+      - mips64
+      - mips64le
+    goarm:
+      - 7
+  -
+    id: "s2sx"
+    binary: s2sx
+    main: ./s2/cmd/_s2sx/main.go
+    flags:
+      - -modfile=s2sx.mod
+      - -trimpath
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - aix
+      - linux
+      - freebsd
+      - netbsd
+      - windows
+      - darwin
+    goarch:
+      - 386
+      - amd64
+      - arm
+      - arm64
+      - ppc64
+      - ppc64le
+      - mips64
+      - mips64le
+    goarm:
+      - 7
+
+archives:
+  -
+    id: s2-binaries
+    name_template: "s2-{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - unpack/*
+      - s2/LICENSE
+      - s2/README.md
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  version_template: "{{ .Tag }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+    - '^doc:'
+    - '^docs:'
+    - '^test:'
+    - '^tests:'
+    - '^Update\sREADME.md'
+
+nfpms:
+  -
+    file_name_template: "s2_package__{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
+    vendor: Klaus Post
+    homepage: https://github.com/klauspost/compress
+    maintainer: Klaus Post <klauspost@gmail.com>
+    description: S2 Compression Tool
+    license: BSD 3-Clause
+    formats:
+      - deb
+      - rpm
diff --git a/vendor/github.com/klauspost/compress/LICENSE b/vendor/github.com/klauspost/compress/LICENSE
new file mode 100644
index 0000000000..87d5574777
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/LICENSE
@@ -0,0 +1,304 @@
+Copyright (c) 2012 The Go Authors. All rights reserved.
+Copyright (c) 2019 Klaus Post. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+------------------
+
+Files: gzhttp/*
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2016-2017 The New York Times Company
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+------------------
+
+Files: s2/cmd/internal/readahead/*
+
+The MIT License (MIT)
+
+Copyright (c) 2015 Klaus Post
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---------------------
+Files: snappy/*
+Files: internal/snapref/*
+
+Copyright (c) 2011 The Snappy-Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-----------------
+
+Files: s2/cmd/internal/filepathx/*
+
+Copyright 2016 The filepathx Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/klauspost/compress/README.md b/vendor/github.com/klauspost/compress/README.md
new file mode 100644
index 0000000000..244ee19c4b
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/README.md
@@ -0,0 +1,671 @@
+# compress
+
+This package provides various compression algorithms.
+
+* [zstandard](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression and decompression in pure Go.
+* [S2](https://github.com/klauspost/compress/tree/master/s2#s2-compression) is a high performance replacement for Snappy.
+* Optimized [deflate](https://godoc.org/github.com/klauspost/compress/flate) packages which can be used as a dropin replacement for [gzip](https://godoc.org/github.com/klauspost/compress/gzip), [zip](https://godoc.org/github.com/klauspost/compress/zip) and [zlib](https://godoc.org/github.com/klauspost/compress/zlib).
+* [snappy](https://github.com/klauspost/compress/tree/master/snappy) is a drop-in replacement for `github.com/golang/snappy` offering better compression and concurrent streams.
+* [huff0](https://github.com/klauspost/compress/tree/master/huff0) and [FSE](https://github.com/klauspost/compress/tree/master/fse) implementations for raw entropy encoding.
+* [gzhttp](https://github.com/klauspost/compress/tree/master/gzhttp) Provides client and server wrappers for handling gzipped requests efficiently.
+* [pgzip](https://github.com/klauspost/pgzip) is a separate package that provides a very fast parallel gzip implementation.
+
+[![Go Reference](https://pkg.go.dev/badge/klauspost/compress.svg)](https://pkg.go.dev/github.com/klauspost/compress?tab=subdirectories)
+[![Go](https://github.com/klauspost/compress/actions/workflows/go.yml/badge.svg)](https://github.com/klauspost/compress/actions/workflows/go.yml)
+[![Sourcegraph Badge](https://sourcegraph.com/github.com/klauspost/compress/-/badge.svg)](https://sourcegraph.com/github.com/klauspost/compress?badge)
+
+# package usage
+
+Use `go get github.com/klauspost/compress@latest` to add it to your project.
+
+This package will support the current Go version and 2 versions back.
+
+* Use the `nounsafe` tag to disable all use of the "unsafe" package.
+* Use the `noasm` tag to disable all assembly across packages.
+
+Use the links above for more information on each.
+
+# changelog
+
+* Feb 19th, 2025 - [1.18.0](https://github.com/klauspost/compress/releases/tag/v1.18.0)
+  * Add unsafe little endian loaders https://github.com/klauspost/compress/pull/1036
+  * fix: check `r.err != nil` but return a nil value error `err` by @alingse in https://github.com/klauspost/compress/pull/1028
+  * flate: Simplify L4-6 loading https://github.com/klauspost/compress/pull/1043
+  * flate: Simplify matchlen (remove asm) https://github.com/klauspost/compress/pull/1045
+  * s2: Improve small block compression speed w/o asm https://github.com/klauspost/compress/pull/1048
+  * flate: Fix matchlen L5+L6 https://github.com/klauspost/compress/pull/1049
+  * flate: Cleanup & reduce casts https://github.com/klauspost/compress/pull/1050
+
+* Oct 11th, 2024 - [1.17.11](https://github.com/klauspost/compress/releases/tag/v1.17.11)
+  * zstd: Fix extra CRC written with multiple Close calls https://github.com/klauspost/compress/pull/1017
+  * s2: Don't use stack for index tables https://github.com/klauspost/compress/pull/1014
+  * gzhttp: No content-type on no body response code by @juliens in https://github.com/klauspost/compress/pull/1011
+  * gzhttp: Do not set the content-type when response has no body by @kevinpollet in https://github.com/klauspost/compress/pull/1013
+
+* Sep 23rd, 2024 - [1.17.10](https://github.com/klauspost/compress/releases/tag/v1.17.10)
+	* gzhttp: Add TransportAlwaysDecompress option. https://github.com/klauspost/compress/pull/978
+	* gzhttp: Add supported decompress request body by @mirecl in https://github.com/klauspost/compress/pull/1002
+	* s2: Add EncodeBuffer buffer recycling callback https://github.com/klauspost/compress/pull/982
+	* zstd: Improve memory usage on small streaming encodes https://github.com/klauspost/compress/pull/1007
+	* flate: read data written with partial flush by @vajexal in https://github.com/klauspost/compress/pull/996
+
+* Jun 12th, 2024 - [1.17.9](https://github.com/klauspost/compress/releases/tag/v1.17.9)
+	* s2: Reduce ReadFrom temporary allocations https://github.com/klauspost/compress/pull/949
+	* flate, zstd: Shave some bytes off amd64 matchLen by @greatroar in https://github.com/klauspost/compress/pull/963
+	* Upgrade zip/zlib to 1.22.4 upstream https://github.com/klauspost/compress/pull/970 https://github.com/klauspost/compress/pull/971
+	* zstd: BuildDict fails with RLE table https://github.com/klauspost/compress/pull/951
+
+* Apr 9th, 2024 - [1.17.8](https://github.com/klauspost/compress/releases/tag/v1.17.8)
+	* zstd: Reject blocks where reserved values are not 0 https://github.com/klauspost/compress/pull/885
+	* zstd: Add RLE detection+encoding https://github.com/klauspost/compress/pull/938
+
+* Feb 21st, 2024 - [1.17.7](https://github.com/klauspost/compress/releases/tag/v1.17.7)
+	* s2: Add AsyncFlush method: Complete the block without flushing by @Jille in https://github.com/klauspost/compress/pull/927
+	* s2: Fix literal+repeat exceeds dst crash https://github.com/klauspost/compress/pull/930
+  
+* Feb 5th, 2024 - [1.17.6](https://github.com/klauspost/compress/releases/tag/v1.17.6)
+	* zstd: Fix incorrect repeat coding in best mode https://github.com/klauspost/compress/pull/923
+	* s2: Fix DecodeConcurrent deadlock on errors https://github.com/klauspost/compress/pull/925
+  
+* Jan 26th, 2024 - [v1.17.5](https://github.com/klauspost/compress/releases/tag/v1.17.5)
+	* flate: Fix reset with dictionary on custom window encodes https://github.com/klauspost/compress/pull/912
+	* zstd: Add Frame header encoding and stripping https://github.com/klauspost/compress/pull/908
+	* zstd: Limit better/best default window to 8MB https://github.com/klauspost/compress/pull/913
+	* zstd: Speed improvements by @greatroar in https://github.com/klauspost/compress/pull/896 https://github.com/klauspost/compress/pull/910
+	* s2: Fix callbacks for skippable blocks and disallow 0xfe (Padding) by @Jille in https://github.com/klauspost/compress/pull/916 https://github.com/klauspost/compress/pull/917
+https://github.com/klauspost/compress/pull/919 https://github.com/klauspost/compress/pull/918
+
+* Dec 1st, 2023 - [v1.17.4](https://github.com/klauspost/compress/releases/tag/v1.17.4)
+	* huff0: Speed up symbol counting by @greatroar in https://github.com/klauspost/compress/pull/887
+	* huff0: Remove byteReader by @greatroar in https://github.com/klauspost/compress/pull/886
+	* gzhttp: Allow overriding decompression on transport https://github.com/klauspost/compress/pull/892
+	* gzhttp: Clamp compression level https://github.com/klauspost/compress/pull/890
+	* gzip: Error out if reserved bits are set https://github.com/klauspost/compress/pull/891
+
+* Nov 15th, 2023 - [v1.17.3](https://github.com/klauspost/compress/releases/tag/v1.17.3)
+	* fse: Fix max header size https://github.com/klauspost/compress/pull/881
+	* zstd: Improve better/best compression https://github.com/klauspost/compress/pull/877
+	* gzhttp: Fix missing content type on Close https://github.com/klauspost/compress/pull/883
+
+* Oct 22nd, 2023 - [v1.17.2](https://github.com/klauspost/compress/releases/tag/v1.17.2)
+	* zstd: Fix rare *CORRUPTION* output in "best" mode. See https://github.com/klauspost/compress/pull/876
+
+* Oct 14th, 2023 - [v1.17.1](https://github.com/klauspost/compress/releases/tag/v1.17.1)
+	* s2: Fix S2 "best" dictionary wrong encoding https://github.com/klauspost/compress/pull/871
+	* flate: Reduce allocations in decompressor and minor code improvements by @fakefloordiv in https://github.com/klauspost/compress/pull/869
+	* s2: Fix EstimateBlockSize on 6&7 length input https://github.com/klauspost/compress/pull/867
+
+* Sept 19th, 2023 - [v1.17.0](https://github.com/klauspost/compress/releases/tag/v1.17.0)
+	* Add experimental dictionary builder  https://github.com/klauspost/compress/pull/853
+	* Add xerial snappy read/writer https://github.com/klauspost/compress/pull/838
+	* flate: Add limited window compression https://github.com/klauspost/compress/pull/843
+	* s2: Do 2 overlapping match checks https://github.com/klauspost/compress/pull/839
+	* flate: Add amd64 assembly matchlen https://github.com/klauspost/compress/pull/837
+	* gzip: Copy bufio.Reader on Reset by @thatguystone in https://github.com/klauspost/compress/pull/860
+
+<details>
+	<summary>See changes to v1.16.x</summary>
+
+   
+* July 1st, 2023 - [v1.16.7](https://github.com/klauspost/compress/releases/tag/v1.16.7)
+	* zstd: Fix default level first dictionary encode https://github.com/klauspost/compress/pull/829
+	* s2: add GetBufferCapacity() method by @GiedriusS in https://github.com/klauspost/compress/pull/832
+
+* June 13, 2023 - [v1.16.6](https://github.com/klauspost/compress/releases/tag/v1.16.6)
+	* zstd: correctly ignore WithEncoderPadding(1) by @ianlancetaylor in https://github.com/klauspost/compress/pull/806
+	* zstd: Add amd64 match length assembly https://github.com/klauspost/compress/pull/824
+	* gzhttp: Handle informational headers by @rtribotte in https://github.com/klauspost/compress/pull/815
+	* s2: Improve Better compression slightly https://github.com/klauspost/compress/pull/663
+
+* Apr 16, 2023 - [v1.16.5](https://github.com/klauspost/compress/releases/tag/v1.16.5)
+	* zstd: readByte needs to use io.ReadFull by @jnoxon in https://github.com/klauspost/compress/pull/802
+	* gzip: Fix WriterTo after initial read https://github.com/klauspost/compress/pull/804
+
+* Apr 5, 2023 - [v1.16.4](https://github.com/klauspost/compress/releases/tag/v1.16.4)
+	* zstd: Improve zstd best efficiency by @greatroar and @klauspost in https://github.com/klauspost/compress/pull/784
+	* zstd: Respect WithAllLitEntropyCompression https://github.com/klauspost/compress/pull/792
+	* zstd: Fix amd64 not always detecting corrupt data https://github.com/klauspost/compress/pull/785
+	* zstd: Various minor improvements by @greatroar in https://github.com/klauspost/compress/pull/788 https://github.com/klauspost/compress/pull/794 https://github.com/klauspost/compress/pull/795
+	* s2: Fix huge block overflow https://github.com/klauspost/compress/pull/779
+	* s2: Allow CustomEncoder fallback https://github.com/klauspost/compress/pull/780
+	* gzhttp: Support ResponseWriter Unwrap() in gzhttp handler by @jgimenez in https://github.com/klauspost/compress/pull/799
+
+* Mar 13, 2023 - [v1.16.1](https://github.com/klauspost/compress/releases/tag/v1.16.1)
+	* zstd: Speed up + improve best encoder by @greatroar in https://github.com/klauspost/compress/pull/776
+	* gzhttp: Add optional [BREACH mitigation](https://github.com/klauspost/compress/tree/master/gzhttp#breach-mitigation). https://github.com/klauspost/compress/pull/762 https://github.com/klauspost/compress/pull/768 https://github.com/klauspost/compress/pull/769 https://github.com/klauspost/compress/pull/770 https://github.com/klauspost/compress/pull/767
+	* s2: Add Intel LZ4s converter https://github.com/klauspost/compress/pull/766
+	* zstd: Minor bug fixes https://github.com/klauspost/compress/pull/771 https://github.com/klauspost/compress/pull/772 https://github.com/klauspost/compress/pull/773
+	* huff0: Speed up compress1xDo by @greatroar in https://github.com/klauspost/compress/pull/774
+
+* Feb 26, 2023 - [v1.16.0](https://github.com/klauspost/compress/releases/tag/v1.16.0)
+	* s2: Add [Dictionary](https://github.com/klauspost/compress/tree/master/s2#dictionaries) support.  https://github.com/klauspost/compress/pull/685
+	* s2: Add Compression Size Estimate.  https://github.com/klauspost/compress/pull/752
+	* s2: Add support for custom stream encoder. https://github.com/klauspost/compress/pull/755
+	* s2: Add LZ4 block converter. https://github.com/klauspost/compress/pull/748
+	* s2: Support io.ReaderAt in ReadSeeker. https://github.com/klauspost/compress/pull/747
+	* s2c/s2sx: Use concurrent decoding. https://github.com/klauspost/compress/pull/746
+</details>
+
+<details>
+	<summary>See changes to v1.15.x</summary>
+	
+* Jan 21st, 2023 (v1.15.15)
+	* deflate: Improve level 7-9 https://github.com/klauspost/compress/pull/739
+	* zstd: Add delta encoding support by @greatroar in https://github.com/klauspost/compress/pull/728
+	* zstd: Various speed improvements by @greatroar https://github.com/klauspost/compress/pull/741 https://github.com/klauspost/compress/pull/734 https://github.com/klauspost/compress/pull/736 https://github.com/klauspost/compress/pull/744 https://github.com/klauspost/compress/pull/743 https://github.com/klauspost/compress/pull/745
+	* gzhttp: Add SuffixETag() and DropETag() options to prevent ETag collisions on compressed responses by @willbicks in https://github.com/klauspost/compress/pull/740
+
+* Jan 3rd, 2023 (v1.15.14)
+
+	* flate: Improve speed in big stateless blocks https://github.com/klauspost/compress/pull/718
+	* zstd: Minor speed tweaks by @greatroar in https://github.com/klauspost/compress/pull/716 https://github.com/klauspost/compress/pull/720
+	* export NoGzipResponseWriter for custom ResponseWriter wrappers by @harshavardhana in https://github.com/klauspost/compress/pull/722
+	* s2: Add example for indexing and existing stream https://github.com/klauspost/compress/pull/723
+
+* Dec 11, 2022 (v1.15.13)
+	* zstd: Add [MaxEncodedSize](https://pkg.go.dev/github.com/klauspost/compress@v1.15.13/zstd#Encoder.MaxEncodedSize) to encoder  https://github.com/klauspost/compress/pull/691
+	* zstd: Various tweaks and improvements https://github.com/klauspost/compress/pull/693 https://github.com/klauspost/compress/pull/695 https://github.com/klauspost/compress/pull/696 https://github.com/klauspost/compress/pull/701 https://github.com/klauspost/compress/pull/702 https://github.com/klauspost/compress/pull/703 https://github.com/klauspost/compress/pull/704 https://github.com/klauspost/compress/pull/705 https://github.com/klauspost/compress/pull/706 https://github.com/klauspost/compress/pull/707 https://github.com/klauspost/compress/pull/708
+
+* Oct 26, 2022 (v1.15.12)
+
+	* zstd: Tweak decoder allocs. https://github.com/klauspost/compress/pull/680
+	* gzhttp: Always delete `HeaderNoCompression` https://github.com/klauspost/compress/pull/683
+
+* Sept 26, 2022 (v1.15.11)
+
+	* flate: Improve level 1-3 compression  https://github.com/klauspost/compress/pull/678
+	* zstd: Improve "best" compression by @nightwolfz in https://github.com/klauspost/compress/pull/677
+	* zstd: Fix+reduce decompression allocations https://github.com/klauspost/compress/pull/668
+	* zstd: Fix non-effective noescape tag https://github.com/klauspost/compress/pull/667
+
+* Sept 16, 2022 (v1.15.10)
+
+	* zstd: Add [WithDecodeAllCapLimit](https://pkg.go.dev/github.com/klauspost/compress@v1.15.10/zstd#WithDecodeAllCapLimit) https://github.com/klauspost/compress/pull/649
+	* Add Go 1.19 - deprecate Go 1.16  https://github.com/klauspost/compress/pull/651
+	* flate: Improve level 5+6 compression https://github.com/klauspost/compress/pull/656
+	* zstd: Improve "better" compression  https://github.com/klauspost/compress/pull/657
+	* s2: Improve "best" compression https://github.com/klauspost/compress/pull/658
+	* s2: Improve "better" compression. https://github.com/klauspost/compress/pull/635
+	* s2: Slightly faster non-assembly decompression https://github.com/klauspost/compress/pull/646
+	* Use arrays for constant size copies https://github.com/klauspost/compress/pull/659
+
+* July 21, 2022 (v1.15.9)
+
+	* zstd: Fix decoder crash on amd64 (no BMI) on invalid input https://github.com/klauspost/compress/pull/645
+	* zstd: Disable decoder extended memory copies (amd64) due to possible crashes https://github.com/klauspost/compress/pull/644
+	* zstd: Allow single segments up to "max decoded size" https://github.com/klauspost/compress/pull/643
+
+* July 13, 2022 (v1.15.8)
+
+	* gzip: fix stack exhaustion bug in Reader.Read https://github.com/klauspost/compress/pull/641
+	* s2: Add Index header trim/restore https://github.com/klauspost/compress/pull/638
+	* zstd: Optimize seqdeq amd64 asm by @greatroar in https://github.com/klauspost/compress/pull/636
+	* zstd: Improve decoder memcopy https://github.com/klauspost/compress/pull/637
+	* huff0: Pass a single bitReader pointer to asm by @greatroar in https://github.com/klauspost/compress/pull/634
+	* zstd: Branchless getBits for amd64 w/o BMI2 by @greatroar in https://github.com/klauspost/compress/pull/640
+	* gzhttp: Remove header before writing https://github.com/klauspost/compress/pull/639
+
+* June 29, 2022 (v1.15.7)
+
+	* s2: Fix absolute forward seeks  https://github.com/klauspost/compress/pull/633
+	* zip: Merge upstream  https://github.com/klauspost/compress/pull/631
+	* zip: Re-add zip64 fix https://github.com/klauspost/compress/pull/624
+	* zstd: translate fseDecoder.buildDtable into asm by @WojciechMula in https://github.com/klauspost/compress/pull/598
+	* flate: Faster histograms  https://github.com/klauspost/compress/pull/620
+	* deflate: Use compound hcode  https://github.com/klauspost/compress/pull/622
+
+* June 3, 2022 (v1.15.6)
+	* s2: Improve coding for long, close matches https://github.com/klauspost/compress/pull/613
+	* s2c: Add Snappy/S2 stream recompression https://github.com/klauspost/compress/pull/611
+	* zstd: Always use configured block size https://github.com/klauspost/compress/pull/605
+	* zstd: Fix incorrect hash table placement for dict encoding in default https://github.com/klauspost/compress/pull/606
+	* zstd: Apply default config to ZipDecompressor without options https://github.com/klauspost/compress/pull/608
+	* gzhttp: Exclude more common archive formats https://github.com/klauspost/compress/pull/612
+	* s2: Add ReaderIgnoreCRC https://github.com/klauspost/compress/pull/609
+	* s2: Remove sanity load on index creation https://github.com/klauspost/compress/pull/607
+	* snappy: Use dedicated function for scoring https://github.com/klauspost/compress/pull/614
+	* s2c+s2d: Use official snappy framed extension https://github.com/klauspost/compress/pull/610
+
+* May 25, 2022 (v1.15.5)
+	* s2: Add concurrent stream decompression https://github.com/klauspost/compress/pull/602
+	* s2: Fix final emit oob read crash on amd64 https://github.com/klauspost/compress/pull/601
+	* huff0: asm implementation of Decompress1X by @WojciechMula https://github.com/klauspost/compress/pull/596
+	* zstd: Use 1 less goroutine for stream decoding https://github.com/klauspost/compress/pull/588
+	* zstd: Copy literal in 16 byte blocks when possible https://github.com/klauspost/compress/pull/592
+	* zstd: Speed up when WithDecoderLowmem(false) https://github.com/klauspost/compress/pull/599
+	* zstd: faster next state update in BMI2 version of decode by @WojciechMula in https://github.com/klauspost/compress/pull/593
+	* huff0: Do not check max size when reading table. https://github.com/klauspost/compress/pull/586
+	* flate: Inplace hashing for level 7-9 https://github.com/klauspost/compress/pull/590
+
+
+* May 11, 2022 (v1.15.4)
+	* huff0: decompress directly into output by @WojciechMula in [#577](https://github.com/klauspost/compress/pull/577)
+	* inflate: Keep dict on stack [#581](https://github.com/klauspost/compress/pull/581)
+	* zstd: Faster decoding memcopy in asm [#583](https://github.com/klauspost/compress/pull/583)
+	* zstd: Fix ignored crc [#580](https://github.com/klauspost/compress/pull/580)
+
+* May 5, 2022 (v1.15.3)
+	* zstd: Allow to ignore checksum checking by @WojciechMula [#572](https://github.com/klauspost/compress/pull/572)
+	* s2: Fix incorrect seek for io.SeekEnd in [#575](https://github.com/klauspost/compress/pull/575)
+
+* Apr 26, 2022 (v1.15.2)
+	* zstd: Add x86-64 assembly for decompression on streams and blocks. Contributed by [@WojciechMula](https://github.com/WojciechMula). Typically 2x faster.  [#528](https://github.com/klauspost/compress/pull/528) [#531](https://github.com/klauspost/compress/pull/531) [#545](https://github.com/klauspost/compress/pull/545) [#537](https://github.com/klauspost/compress/pull/537)
+	* zstd: Add options to ZipDecompressor and fixes [#539](https://github.com/klauspost/compress/pull/539)
+	* s2: Use sorted search for index [#555](https://github.com/klauspost/compress/pull/555)
+	* Minimum version is Go 1.16, added CI test on 1.18.
+
+* Mar 11, 2022 (v1.15.1)
+	* huff0: Add x86 assembly of Decode4X by @WojciechMula in [#512](https://github.com/klauspost/compress/pull/512)
+	* zstd: Reuse zip decoders in [#514](https://github.com/klauspost/compress/pull/514)
+	* zstd: Detect extra block data and report as corrupted in [#520](https://github.com/klauspost/compress/pull/520)
+	* zstd: Handle zero sized frame content size stricter in [#521](https://github.com/klauspost/compress/pull/521)
+	* zstd: Add stricter block size checks in [#523](https://github.com/klauspost/compress/pull/523)
+
+* Mar 3, 2022 (v1.15.0)
+	* zstd: Refactor decoder [#498](https://github.com/klauspost/compress/pull/498)
+	* zstd: Add stream encoding without goroutines [#505](https://github.com/klauspost/compress/pull/505)
+	* huff0: Prevent single blocks exceeding 16 bits by @klauspost in[#507](https://github.com/klauspost/compress/pull/507)
+	* flate: Inline literal emission [#509](https://github.com/klauspost/compress/pull/509)
+	* gzhttp: Add zstd to transport [#400](https://github.com/klauspost/compress/pull/400)
+	* gzhttp: Make content-type optional [#510](https://github.com/klauspost/compress/pull/510)
+
+Both compression and decompression now supports "synchronous" stream operations. This means that whenever "concurrency" is set to 1, they will operate without spawning goroutines.
+
+Stream decompression is now faster on asynchronous, since the goroutine allocation much more effectively splits the workload. On typical streams this will typically use 2 cores fully for decompression. When a stream has finished decoding no goroutines will be left over, so decoders can now safely be pooled and still be garbage collected.
+
+While the release has been extensively tested, it is recommended to testing when upgrading.
+
+</details>
+
+<details>
+	<summary>See changes to v1.14.x</summary>
+	
+* Feb 22, 2022 (v1.14.4)
+	* flate: Fix rare huffman only (-2) corruption. [#503](https://github.com/klauspost/compress/pull/503)
+	* zip: Update deprecated CreateHeaderRaw to correctly call CreateRaw by @saracen in [#502](https://github.com/klauspost/compress/pull/502)
+	* zip: don't read data descriptor early by @saracen in [#501](https://github.com/klauspost/compress/pull/501)  #501
+	* huff0: Use static decompression buffer up to 30% faster [#499](https://github.com/klauspost/compress/pull/499) [#500](https://github.com/klauspost/compress/pull/500)
+
+* Feb 17, 2022 (v1.14.3)
+	* flate: Improve fastest levels compression speed ~10% more throughput. [#482](https://github.com/klauspost/compress/pull/482) [#489](https://github.com/klauspost/compress/pull/489) [#490](https://github.com/klauspost/compress/pull/490) [#491](https://github.com/klauspost/compress/pull/491) [#494](https://github.com/klauspost/compress/pull/494)  [#478](https://github.com/klauspost/compress/pull/478)
+	* flate: Faster decompression speed, ~5-10%. [#483](https://github.com/klauspost/compress/pull/483)
+	* s2: Faster compression with Go v1.18 and amd64 microarch level 3+. [#484](https://github.com/klauspost/compress/pull/484) [#486](https://github.com/klauspost/compress/pull/486)
+
+* Jan 25, 2022 (v1.14.2)
+	* zstd: improve header decoder by @dsnet  [#476](https://github.com/klauspost/compress/pull/476)
+	* zstd: Add bigger default blocks  [#469](https://github.com/klauspost/compress/pull/469)
+	* zstd: Remove unused decompression buffer [#470](https://github.com/klauspost/compress/pull/470)
+	* zstd: Fix logically dead code by @ningmingxiao [#472](https://github.com/klauspost/compress/pull/472)
+	* flate: Improve level 7-9 [#471](https://github.com/klauspost/compress/pull/471) [#473](https://github.com/klauspost/compress/pull/473)
+	* zstd: Add noasm tag for xxhash [#475](https://github.com/klauspost/compress/pull/475)
+
+* Jan 11, 2022 (v1.14.1)
+	* s2: Add stream index in [#462](https://github.com/klauspost/compress/pull/462)
+	* flate: Speed and efficiency improvements in [#439](https://github.com/klauspost/compress/pull/439) [#461](https://github.com/klauspost/compress/pull/461) [#455](https://github.com/klauspost/compress/pull/455) [#452](https://github.com/klauspost/compress/pull/452) [#458](https://github.com/klauspost/compress/pull/458)
+	* zstd: Performance improvement in [#420]( https://github.com/klauspost/compress/pull/420) [#456](https://github.com/klauspost/compress/pull/456) [#437](https://github.com/klauspost/compress/pull/437) [#467](https://github.com/klauspost/compress/pull/467) [#468](https://github.com/klauspost/compress/pull/468)
+	* zstd: add arm64 xxhash assembly in [#464](https://github.com/klauspost/compress/pull/464)
+	* Add garbled for binaries for s2 in [#445](https://github.com/klauspost/compress/pull/445)
+</details>
+
+<details>
+	<summary>See changes to v1.13.x</summary>
+	
+* Aug 30, 2021 (v1.13.5)
+	* gz/zlib/flate: Alias stdlib errors [#425](https://github.com/klauspost/compress/pull/425)
+	* s2: Add block support to commandline tools [#413](https://github.com/klauspost/compress/pull/413)
+	* zstd: pooledZipWriter should return Writers to the same pool [#426](https://github.com/klauspost/compress/pull/426)
+	* Removed golang/snappy as external dependency for tests [#421](https://github.com/klauspost/compress/pull/421)
+
+* Aug 12, 2021 (v1.13.4)
+	* Add [snappy replacement package](https://github.com/klauspost/compress/tree/master/snappy).
+	* zstd: Fix incorrect encoding in "best" mode [#415](https://github.com/klauspost/compress/pull/415)
+
+* Aug 3, 2021 (v1.13.3) 
+	* zstd: Improve Best compression [#404](https://github.com/klauspost/compress/pull/404)
+	* zstd: Fix WriteTo error forwarding [#411](https://github.com/klauspost/compress/pull/411)
+	* gzhttp: Return http.HandlerFunc instead of http.Handler. Unlikely breaking change. [#406](https://github.com/klauspost/compress/pull/406)
+	* s2sx: Fix max size error [#399](https://github.com/klauspost/compress/pull/399)
+	* zstd: Add optional stream content size on reset [#401](https://github.com/klauspost/compress/pull/401)
+	* zstd: use SpeedBestCompression for level >= 10 [#410](https://github.com/klauspost/compress/pull/410)
+
+* Jun 14, 2021 (v1.13.1)
+	* s2: Add full Snappy output support  [#396](https://github.com/klauspost/compress/pull/396)
+	* zstd: Add configurable [Decoder window](https://pkg.go.dev/github.com/klauspost/compress/zstd#WithDecoderMaxWindow) size [#394](https://github.com/klauspost/compress/pull/394)
+	* gzhttp: Add header to skip compression  [#389](https://github.com/klauspost/compress/pull/389)
+	* s2: Improve speed with bigger output margin  [#395](https://github.com/klauspost/compress/pull/395)
+
+* Jun 3, 2021 (v1.13.0)
+	* Added [gzhttp](https://github.com/klauspost/compress/tree/master/gzhttp#gzip-handler) which allows wrapping HTTP servers and clients with GZIP compressors.
+	* zstd: Detect short invalid signatures [#382](https://github.com/klauspost/compress/pull/382)
+	* zstd: Spawn decoder goroutine only if needed. [#380](https://github.com/klauspost/compress/pull/380)
+</details>
+
+
+<details>
+	<summary>See changes to v1.12.x</summary>
+	
+* May 25, 2021 (v1.12.3)
+	* deflate: Better/faster Huffman encoding [#374](https://github.com/klauspost/compress/pull/374)
+	* deflate: Allocate less for history. [#375](https://github.com/klauspost/compress/pull/375)
+	* zstd: Forward read errors [#373](https://github.com/klauspost/compress/pull/373) 
+
+* Apr 27, 2021 (v1.12.2)
+	* zstd: Improve better/best compression [#360](https://github.com/klauspost/compress/pull/360) [#364](https://github.com/klauspost/compress/pull/364) [#365](https://github.com/klauspost/compress/pull/365)
+	* zstd: Add helpers to compress/decompress zstd inside zip files [#363](https://github.com/klauspost/compress/pull/363)
+	* deflate: Improve level 5+6 compression [#367](https://github.com/klauspost/compress/pull/367)
+	* s2: Improve better/best compression [#358](https://github.com/klauspost/compress/pull/358) [#359](https://github.com/klauspost/compress/pull/358)
+	* s2: Load after checking src limit on amd64. [#362](https://github.com/klauspost/compress/pull/362)
+	* s2sx: Limit max executable size [#368](https://github.com/klauspost/compress/pull/368) 
+
+* Apr 14, 2021 (v1.12.1)
+	* snappy package removed. Upstream added as dependency.
+	* s2: Better compression in "best" mode [#353](https://github.com/klauspost/compress/pull/353)
+	* s2sx: Add stdin input and detect pre-compressed from signature [#352](https://github.com/klauspost/compress/pull/352)
+	* s2c/s2d: Add http as possible input [#348](https://github.com/klauspost/compress/pull/348)
+	* s2c/s2d/s2sx: Always truncate when writing files [#352](https://github.com/klauspost/compress/pull/352)
+	* zstd: Reduce memory usage further when using [WithLowerEncoderMem](https://pkg.go.dev/github.com/klauspost/compress/zstd#WithLowerEncoderMem) [#346](https://github.com/klauspost/compress/pull/346)
+	* s2: Fix potential problem with amd64 assembly and profilers [#349](https://github.com/klauspost/compress/pull/349)
+</details>
+
+<details>
+	<summary>See changes to v1.11.x</summary>
+	
+* Mar 26, 2021 (v1.11.13)
+	* zstd: Big speedup on small dictionary encodes [#344](https://github.com/klauspost/compress/pull/344) [#345](https://github.com/klauspost/compress/pull/345)
+	* zstd: Add [WithLowerEncoderMem](https://pkg.go.dev/github.com/klauspost/compress/zstd#WithLowerEncoderMem) encoder option [#336](https://github.com/klauspost/compress/pull/336)
+	* deflate: Improve entropy compression [#338](https://github.com/klauspost/compress/pull/338)
+	* s2: Clean up and minor performance improvement in best [#341](https://github.com/klauspost/compress/pull/341)
+
+* Mar 5, 2021 (v1.11.12)
+	* s2: Add `s2sx` binary that creates [self extracting archives](https://github.com/klauspost/compress/tree/master/s2#s2sx-self-extracting-archives).
+	* s2: Speed up decompression on non-assembly platforms [#328](https://github.com/klauspost/compress/pull/328)
+
+* Mar 1, 2021 (v1.11.9)
+	* s2: Add ARM64 decompression assembly. Around 2x output speed. [#324](https://github.com/klauspost/compress/pull/324)
+	* s2: Improve "better" speed and efficiency. [#325](https://github.com/klauspost/compress/pull/325)
+	* s2: Fix binaries.
+
+* Feb 25, 2021 (v1.11.8)
+	* s2: Fixed occasional out-of-bounds write on amd64. Upgrade recommended.
+	* s2: Add AMD64 assembly for better mode. 25-50% faster. [#315](https://github.com/klauspost/compress/pull/315)
+	* s2: Less upfront decoder allocation. [#322](https://github.com/klauspost/compress/pull/322)
+	* zstd: Faster "compression" of incompressible data. [#314](https://github.com/klauspost/compress/pull/314)
+	* zip: Fix zip64 headers. [#313](https://github.com/klauspost/compress/pull/313)
+  
+* Jan 14, 2021 (v1.11.7)
+	* Use Bytes() interface to get bytes across packages. [#309](https://github.com/klauspost/compress/pull/309)
+	* s2: Add 'best' compression option.  [#310](https://github.com/klauspost/compress/pull/310)
+	* s2: Add ReaderMaxBlockSize, changes `s2.NewReader` signature to include varargs. [#311](https://github.com/klauspost/compress/pull/311)
+	* s2: Fix crash on small better buffers. [#308](https://github.com/klauspost/compress/pull/308)
+	* s2: Clean up decoder. [#312](https://github.com/klauspost/compress/pull/312)
+
+* Jan 7, 2021 (v1.11.6)
+	* zstd: Make decoder allocations smaller [#306](https://github.com/klauspost/compress/pull/306)
+	* zstd: Free Decoder resources when Reset is called with a nil io.Reader  [#305](https://github.com/klauspost/compress/pull/305)
+
+* Dec 20, 2020 (v1.11.4)
+	* zstd: Add Best compression mode [#304](https://github.com/klauspost/compress/pull/304)
+	* Add header decoder [#299](https://github.com/klauspost/compress/pull/299)
+	* s2: Add uncompressed stream option [#297](https://github.com/klauspost/compress/pull/297)
+	* Simplify/speed up small blocks with known max size. [#300](https://github.com/klauspost/compress/pull/300)
+	* zstd: Always reset literal dict encoder [#303](https://github.com/klauspost/compress/pull/303)
+
+* Nov 15, 2020 (v1.11.3)
+	* inflate: 10-15% faster decompression  [#293](https://github.com/klauspost/compress/pull/293)
+	* zstd: Tweak DecodeAll default allocation [#295](https://github.com/klauspost/compress/pull/295)
+
+* Oct 11, 2020 (v1.11.2)
+	* s2: Fix out of bounds read in "better" block compression [#291](https://github.com/klauspost/compress/pull/291)
+
+* Oct 1, 2020 (v1.11.1)
+	* zstd: Set allLitEntropy true in default configuration [#286](https://github.com/klauspost/compress/pull/286)
+
+* Sept 8, 2020 (v1.11.0)
+	* zstd: Add experimental compression [dictionaries](https://github.com/klauspost/compress/tree/master/zstd#dictionaries) [#281](https://github.com/klauspost/compress/pull/281)
+	* zstd: Fix mixed Write and ReadFrom calls [#282](https://github.com/klauspost/compress/pull/282)
+	* inflate/gz: Limit variable shifts, ~5% faster decompression [#274](https://github.com/klauspost/compress/pull/274)
+</details>
+
+<details>
+	<summary>See changes to v1.10.x</summary>
+ 
+* July 8, 2020 (v1.10.11) 
+	* zstd: Fix extra block when compressing with ReadFrom. [#278](https://github.com/klauspost/compress/pull/278)
+	* huff0: Also populate compression table when reading decoding table. [#275](https://github.com/klauspost/compress/pull/275)
+	
+* June 23, 2020 (v1.10.10) 
+	* zstd: Skip entropy compression in fastest mode when no matches. [#270](https://github.com/klauspost/compress/pull/270)
+	
+* June 16, 2020 (v1.10.9): 
+	* zstd: API change for specifying dictionaries. See [#268](https://github.com/klauspost/compress/pull/268)
+	* zip: update CreateHeaderRaw to handle zip64 fields. [#266](https://github.com/klauspost/compress/pull/266)
+	* Fuzzit tests removed. The service has been purchased and is no longer available.
+	
+* June 5, 2020 (v1.10.8): 
+	* 1.15x faster zstd block decompression. [#265](https://github.com/klauspost/compress/pull/265)
+	
+* June 1, 2020 (v1.10.7): 
+	* Added zstd decompression [dictionary support](https://github.com/klauspost/compress/tree/master/zstd#dictionaries)
+	* Increase zstd decompression speed up to 1.19x.  [#259](https://github.com/klauspost/compress/pull/259)
+	* Remove internal reset call in zstd compression and reduce allocations. [#263](https://github.com/klauspost/compress/pull/263)
+	
+* May 21, 2020: (v1.10.6) 
+	* zstd: Reduce allocations while decoding. [#258](https://github.com/klauspost/compress/pull/258), [#252](https://github.com/klauspost/compress/pull/252)
+	* zstd: Stricter decompression checks.
+	
+* April 12, 2020: (v1.10.5)
+	* s2-commands: Flush output when receiving SIGINT. [#239](https://github.com/klauspost/compress/pull/239)
+	
+* Apr 8, 2020: (v1.10.4) 
+	* zstd: Minor/special case optimizations. [#251](https://github.com/klauspost/compress/pull/251),  [#250](https://github.com/klauspost/compress/pull/250),  [#249](https://github.com/klauspost/compress/pull/249),  [#247](https://github.com/klauspost/compress/pull/247)
+* Mar 11, 2020: (v1.10.3) 
+	* s2: Use S2 encoder in pure Go mode for Snappy output as well. [#245](https://github.com/klauspost/compress/pull/245)
+	* s2: Fix pure Go block encoder. [#244](https://github.com/klauspost/compress/pull/244)
+	* zstd: Added "better compression" mode. [#240](https://github.com/klauspost/compress/pull/240)
+	* zstd: Improve speed of fastest compression mode by 5-10% [#241](https://github.com/klauspost/compress/pull/241)
+	* zstd: Skip creating encoders when not needed. [#238](https://github.com/klauspost/compress/pull/238)
+	
+* Feb 27, 2020: (v1.10.2) 
+	* Close to 50% speedup in inflate (gzip/zip decompression). [#236](https://github.com/klauspost/compress/pull/236) [#234](https://github.com/klauspost/compress/pull/234) [#232](https://github.com/klauspost/compress/pull/232)
+	* Reduce deflate level 1-6 memory usage up to 59%. [#227](https://github.com/klauspost/compress/pull/227)
+	
+* Feb 18, 2020: (v1.10.1)
+	* Fix zstd crash when resetting multiple times without sending data. [#226](https://github.com/klauspost/compress/pull/226)
+	* deflate: Fix dictionary use on level 1-6. [#224](https://github.com/klauspost/compress/pull/224)
+	* Remove deflate writer reference when closing. [#224](https://github.com/klauspost/compress/pull/224)
+	
+* Feb 4, 2020: (v1.10.0) 
+	* Add optional dictionary to [stateless deflate](https://pkg.go.dev/github.com/klauspost/compress/flate?tab=doc#StatelessDeflate). Breaking change, send `nil` for previous behaviour. [#216](https://github.com/klauspost/compress/pull/216)
+	* Fix buffer overflow on repeated small block deflate.  [#218](https://github.com/klauspost/compress/pull/218)
+	* Allow copying content from an existing ZIP file without decompressing+compressing. [#214](https://github.com/klauspost/compress/pull/214)
+	* Added [S2](https://github.com/klauspost/compress/tree/master/s2#s2-compression) AMD64 assembler and various optimizations. Stream speed >10GB/s.  [#186](https://github.com/klauspost/compress/pull/186)
+
+</details>
+
+<details>
+	<summary>See changes prior to v1.10.0</summary>
+
+* Jan 20,2020 (v1.9.8) Optimize gzip/deflate with better size estimates and faster table generation. [#207](https://github.com/klauspost/compress/pull/207) by [luyu6056](https://github.com/luyu6056),  [#206](https://github.com/klauspost/compress/pull/206).
+* Jan 11, 2020: S2 Encode/Decode will use provided buffer if capacity is big enough. [#204](https://github.com/klauspost/compress/pull/204) 
+* Jan 5, 2020: (v1.9.7) Fix another zstd regression in v1.9.5 - v1.9.6 removed.
+* Jan 4, 2020: (v1.9.6) Regression in v1.9.5 fixed causing corrupt zstd encodes in rare cases.
+* Jan 4, 2020: Faster IO in [s2c + s2d commandline tools](https://github.com/klauspost/compress/tree/master/s2#commandline-tools) compression/decompression. [#192](https://github.com/klauspost/compress/pull/192)
+* Dec 29, 2019: Removed v1.9.5 since fuzz tests showed a compatibility problem with the reference zstandard decoder.
+* Dec 29, 2019: (v1.9.5) zstd: 10-20% faster block compression. [#199](https://github.com/klauspost/compress/pull/199)
+* Dec 29, 2019: [zip](https://godoc.org/github.com/klauspost/compress/zip) package updated with latest Go features
+* Dec 29, 2019: zstd: Single segment flag condintions tweaked. [#197](https://github.com/klauspost/compress/pull/197)
+* Dec 18, 2019: s2: Faster compression when ReadFrom is used. [#198](https://github.com/klauspost/compress/pull/198)
+* Dec 10, 2019: s2: Fix repeat length output when just above at 16MB limit.
+* Dec 10, 2019: zstd: Add function to get decoder as io.ReadCloser. [#191](https://github.com/klauspost/compress/pull/191)
+* Dec 3, 2019: (v1.9.4) S2: limit max repeat length. [#188](https://github.com/klauspost/compress/pull/188)
+* Dec 3, 2019: Add [WithNoEntropyCompression](https://godoc.org/github.com/klauspost/compress/zstd#WithNoEntropyCompression) to zstd [#187](https://github.com/klauspost/compress/pull/187)
+* Dec 3, 2019: Reduce memory use for tests. Check for leaked goroutines.
+* Nov 28, 2019 (v1.9.3) Less allocations in stateless deflate.
+* Nov 28, 2019: 5-20% Faster huff0 decode. Impacts zstd as well. [#184](https://github.com/klauspost/compress/pull/184)
+* Nov 12, 2019 (v1.9.2) Added [Stateless Compression](#stateless-compression) for gzip/deflate.
+* Nov 12, 2019: Fixed zstd decompression of large single blocks. [#180](https://github.com/klauspost/compress/pull/180)
+* Nov 11, 2019: Set default  [s2c](https://github.com/klauspost/compress/tree/master/s2#commandline-tools) block size to 4MB.
+* Nov 11, 2019: Reduce inflate memory use by 1KB.
+* Nov 10, 2019: Less allocations in deflate bit writer.
+* Nov 10, 2019: Fix inconsistent error returned by zstd decoder.
+* Oct 28, 2019 (v1.9.1) ztsd: Fix crash when compressing blocks. [#174](https://github.com/klauspost/compress/pull/174)
+* Oct 24, 2019 (v1.9.0) zstd: Fix rare data corruption [#173](https://github.com/klauspost/compress/pull/173)
+* Oct 24, 2019 zstd: Fix huff0 out of buffer write [#171](https://github.com/klauspost/compress/pull/171) and always return errors [#172](https://github.com/klauspost/compress/pull/172) 
+* Oct 10, 2019: Big deflate rewrite, 30-40% faster with better compression [#105](https://github.com/klauspost/compress/pull/105)
+
+</details>
+
+<details>
+	<summary>See changes prior to v1.9.0</summary>
+
+* Oct 10, 2019: (v1.8.6) zstd: Allow partial reads to get flushed data. [#169](https://github.com/klauspost/compress/pull/169)
+* Oct 3, 2019: Fix inconsistent results on broken zstd streams.
+* Sep 25, 2019: Added `-rm` (remove source files) and `-q` (no output except errors) to `s2c` and `s2d` [commands](https://github.com/klauspost/compress/tree/master/s2#commandline-tools)
+* Sep 16, 2019: (v1.8.4) Add `s2c` and `s2d` [commandline tools](https://github.com/klauspost/compress/tree/master/s2#commandline-tools).
+* Sep 10, 2019: (v1.8.3) Fix s2 decoder [Skip](https://godoc.org/github.com/klauspost/compress/s2#Reader.Skip).
+* Sep 7, 2019: zstd: Added [WithWindowSize](https://godoc.org/github.com/klauspost/compress/zstd#WithWindowSize), contributed by [ianwilkes](https://github.com/ianwilkes).
+* Sep 5, 2019: (v1.8.2) Add [WithZeroFrames](https://godoc.org/github.com/klauspost/compress/zstd#WithZeroFrames) which adds full zero payload block encoding option.
+* Sep 5, 2019: Lazy initialization of zstandard predefined en/decoder tables.
+* Aug 26, 2019: (v1.8.1) S2: 1-2% compression increase in "better" compression mode.
+* Aug 26, 2019: zstd: Check maximum size of Huffman 1X compressed literals while decoding.
+* Aug 24, 2019: (v1.8.0) Added [S2 compression](https://github.com/klauspost/compress/tree/master/s2#s2-compression), a high performance replacement for Snappy. 
+* Aug 21, 2019: (v1.7.6) Fixed minor issues found by fuzzer. One could lead to zstd not decompressing.
+* Aug 18, 2019: Add [fuzzit](https://fuzzit.dev/) continuous fuzzing.
+* Aug 14, 2019: zstd: Skip incompressible data 2x faster.  [#147](https://github.com/klauspost/compress/pull/147)
+* Aug 4, 2019 (v1.7.5): Better literal compression. [#146](https://github.com/klauspost/compress/pull/146)
+* Aug 4, 2019: Faster zstd compression. [#143](https://github.com/klauspost/compress/pull/143) [#144](https://github.com/klauspost/compress/pull/144)
+* Aug 4, 2019: Faster zstd decompression. [#145](https://github.com/klauspost/compress/pull/145) [#143](https://github.com/klauspost/compress/pull/143) [#142](https://github.com/klauspost/compress/pull/142)
+* July 15, 2019 (v1.7.4): Fix double EOF block in rare cases on zstd encoder.
+* July 15, 2019 (v1.7.3): Minor speedup/compression increase in default zstd encoder.
+* July 14, 2019: zstd decoder: Fix decompression error on multiple uses with mixed content.
+* July 7, 2019 (v1.7.2): Snappy update, zstd decoder potential race fix.
+* June 17, 2019: zstd decompression bugfix.
+* June 17, 2019: fix 32 bit builds.
+* June 17, 2019: Easier use in modules (less dependencies).
+* June 9, 2019: New stronger "default" [zstd](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression mode. Matches zstd default compression ratio.
+* June 5, 2019: 20-40% throughput in [zstandard](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression and better compression.
+* June 5, 2019: deflate/gzip compression: Reduce memory usage of lower compression levels.
+* June 2, 2019: Added [zstandard](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression!
+* May 25, 2019: deflate/gzip: 10% faster bit writer, mostly visible in lower levels.
+* Apr 22, 2019: [zstd](https://github.com/klauspost/compress/tree/master/zstd#zstd) decompression added.
+* Aug 1, 2018: Added [huff0 README](https://github.com/klauspost/compress/tree/master/huff0#huff0-entropy-compression).
+* Jul 8, 2018: Added [Performance Update 2018](#performance-update-2018) below.
+* Jun 23, 2018: Merged [Go 1.11 inflate optimizations](https://go-review.googlesource.com/c/go/+/102235). Go 1.9 is now required. Backwards compatible version tagged with [v1.3.0](https://github.com/klauspost/compress/releases/tag/v1.3.0).
+* Apr 2, 2018: Added [huff0](https://godoc.org/github.com/klauspost/compress/huff0) en/decoder. Experimental for now, API may change.
+* Mar 4, 2018: Added [FSE Entropy](https://godoc.org/github.com/klauspost/compress/fse) en/decoder. Experimental for now, API may change.
+* Nov 3, 2017: Add compression [Estimate](https://godoc.org/github.com/klauspost/compress#Estimate) function.
+* May 28, 2017: Reduce allocations when resetting decoder.
+* Apr 02, 2017: Change back to official crc32, since changes were merged in Go 1.7.
+* Jan 14, 2017: Reduce stack pressure due to array copies. See [Issue #18625](https://github.com/golang/go/issues/18625).
+* Oct 25, 2016: Level 2-4 have been rewritten and now offers significantly better performance than before.
+* Oct 20, 2016: Port zlib changes from Go 1.7 to fix zlib writer issue. Please update.
+* Oct 16, 2016: Go 1.7 changes merged. Apples to apples this package is a few percent faster, but has a significantly better balance between speed and compression per level. 
+* Mar 24, 2016: Always attempt Huffman encoding on level 4-7. This improves base 64 encoded data compression.
+* Mar 24, 2016: Small speedup for level 1-3.
+* Feb 19, 2016: Faster bit writer, level -2 is 15% faster, level 1 is 4% faster.
+* Feb 19, 2016: Handle small payloads faster in level 1-3.
+* Feb 19, 2016: Added faster level 2 + 3 compression modes.
+* Feb 19, 2016: [Rebalanced compression levels](https://blog.klauspost.com/rebalancing-deflate-compression-levels/), so there is a more even progression in terms of compression. New default level is 5.
+* Feb 14, 2016: Snappy: Merge upstream changes. 
+* Feb 14, 2016: Snappy: Fix aggressive skipping.
+* Feb 14, 2016: Snappy: Update benchmark.
+* Feb 13, 2016: Deflate: Fixed assembler problem that could lead to sub-optimal compression.
+* Feb 12, 2016: Snappy: Added AMD64 SSE 4.2 optimizations to matching, which makes easy to compress material run faster. Typical speedup is around 25%.
+* Feb 9, 2016: Added Snappy package fork. This version is 5-7% faster, much more on hard to compress content.
+* Jan 30, 2016: Optimize level 1 to 3 by not considering static dictionary or storing uncompressed. ~4-5% speedup.
+* Jan 16, 2016: Optimization on deflate level 1,2,3 compression.
+* Jan 8 2016: Merge [CL 18317](https://go-review.googlesource.com/#/c/18317): fix reading, writing of zip64 archives.
+* Dec 8 2015: Make level 1 and -2 deterministic even if write size differs.
+* Dec 8 2015: Split encoding functions, so hashing and matching can potentially be inlined. 1-3% faster on AMD64. 5% faster on other platforms.
+* Dec 8 2015: Fixed rare [one byte out-of bounds read](https://github.com/klauspost/compress/issues/20). Please update!
+* Nov 23 2015: Optimization on token writer. ~2-4% faster. Contributed by [@dsnet](https://github.com/dsnet).
+* Nov 20 2015: Small optimization to bit writer on 64 bit systems.
+* Nov 17 2015: Fixed out-of-bound errors if the underlying Writer returned an error. See [#15](https://github.com/klauspost/compress/issues/15).
+* Nov 12 2015: Added [io.WriterTo](https://golang.org/pkg/io/#WriterTo) support to gzip/inflate.
+* Nov 11 2015: Merged [CL 16669](https://go-review.googlesource.com/#/c/16669/4): archive/zip: enable overriding (de)compressors per file
+* Oct 15 2015: Added skipping on uncompressible data. Random data speed up >5x.
+
+</details>
+
+# deflate usage
+
+The packages are drop-in replacements for standard libraries. Simply replace the import path to use them:
+
+Typical speed is about 2x of the standard library packages.
+
+| old import       | new import                            | Documentation                                                           |
+|------------------|---------------------------------------|-------------------------------------------------------------------------|
+| `compress/gzip`  | `github.com/klauspost/compress/gzip`  | [gzip](https://pkg.go.dev/github.com/klauspost/compress/gzip?tab=doc)   |
+| `compress/zlib`  | `github.com/klauspost/compress/zlib`  | [zlib](https://pkg.go.dev/github.com/klauspost/compress/zlib?tab=doc)   |
+| `archive/zip`    | `github.com/klauspost/compress/zip`   | [zip](https://pkg.go.dev/github.com/klauspost/compress/zip?tab=doc)     |
+| `compress/flate` | `github.com/klauspost/compress/flate` | [flate](https://pkg.go.dev/github.com/klauspost/compress/flate?tab=doc) |
+
+* Optimized [deflate](https://godoc.org/github.com/klauspost/compress/flate) packages which can be used as a dropin replacement for [gzip](https://godoc.org/github.com/klauspost/compress/gzip), [zip](https://godoc.org/github.com/klauspost/compress/zip) and [zlib](https://godoc.org/github.com/klauspost/compress/zlib).
+
+You may also be interested in [pgzip](https://github.com/klauspost/pgzip), which is a drop in replacement for gzip, which support multithreaded compression on big files and the optimized [crc32](https://github.com/klauspost/crc32) package used by these packages.
+
+The packages contains the same as the standard library, so you can use the godoc for that: [gzip](http://golang.org/pkg/compress/gzip/), [zip](http://golang.org/pkg/archive/zip/),  [zlib](http://golang.org/pkg/compress/zlib/), [flate](http://golang.org/pkg/compress/flate/).
+
+Currently there is only minor speedup on decompression (mostly CRC32 calculation).
+
+Memory usage is typically 1MB for a Writer. stdlib is in the same range. 
+If you expect to have a lot of concurrently allocated Writers consider using 
+the stateless compress described below.
+
+For compression performance, see: [this spreadsheet](https://docs.google.com/spreadsheets/d/1nuNE2nPfuINCZJRMt6wFWhKpToF95I47XjSsc-1rbPQ/edit?usp=sharing).
+
+To disable all assembly add `-tags=noasm`. This works across all packages.
+
+# Stateless compression
+
+This package offers stateless compression as a special option for gzip/deflate. 
+It will do compression but without maintaining any state between Write calls.
+
+This means there will be no memory kept between Write calls, but compression and speed will be suboptimal.
+
+This is only relevant in cases where you expect to run many thousands of compressors concurrently, 
+but with very little activity. This is *not* intended for regular web servers serving individual requests.  
+
+Because of this, the size of actual Write calls will affect output size.
+
+In gzip, specify level `-3` / `gzip.StatelessCompression` to enable.
+
+For direct deflate use, NewStatelessWriter and StatelessDeflate are available. See [documentation](https://godoc.org/github.com/klauspost/compress/flate#NewStatelessWriter)
+
+A `bufio.Writer` can of course be used to control write sizes. For example, to use a 4KB buffer:
+
+```go
+	// replace 'ioutil.Discard' with your output.
+	gzw, err := gzip.NewWriterLevel(ioutil.Discard, gzip.StatelessCompression)
+	if err != nil {
+		return err
+	}
+	defer gzw.Close()
+
+	w := bufio.NewWriterSize(gzw, 4096)
+	defer w.Flush()
+	
+	// Write to 'w' 
+```
+
+This will only use up to 4KB in memory when the writer is idle. 
+
+Compression is almost always worse than the fastest compression level 
+and each write will allocate (a little) memory. 
+
+
+# Other packages
+
+Here are other packages of good quality and pure Go (no cgo wrappers or autoconverted code):
+
+* [github.com/pierrec/lz4](https://github.com/pierrec/lz4) - strong multithreaded LZ4 compression.
+* [github.com/cosnicolaou/pbzip2](https://github.com/cosnicolaou/pbzip2) - multithreaded bzip2 decompression.
+* [github.com/dsnet/compress](https://github.com/dsnet/compress) - brotli decompression, bzip2 writer.
+* [github.com/ronanh/intcomp](https://github.com/ronanh/intcomp) - Integer compression.
+* [github.com/spenczar/fpc](https://github.com/spenczar/fpc) - Float compression.
+* [github.com/minio/zipindex](https://github.com/minio/zipindex) - External ZIP directory index.
+* [github.com/ybirader/pzip](https://github.com/ybirader/pzip) - Fast concurrent zip archiver and extractor.
+
+# license
+
+This code is licensed under the same conditions as the original Go code. See LICENSE file.
diff --git a/vendor/github.com/klauspost/compress/SECURITY.md b/vendor/github.com/klauspost/compress/SECURITY.md
new file mode 100644
index 0000000000..ca6685e2b7
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/SECURITY.md
@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the latest release.
+
+## Vulnerability Definition
+
+A security vulnerability is a bug that with certain input triggers a crash or an infinite loop. Most calls will have varying execution time and only in rare cases will slow operation be considered a security vulnerability.
+
+Corrupted output generally is not considered a security vulnerability, unless independent operations are able to affect each other. Note that not all functionality is re-entrant and safe to use concurrently.
+
+Out-of-memory crashes only applies if the en/decoder uses an abnormal amount of memory, with appropriate options applied, to limit maximum window size, concurrency, etc. However, if you are in doubt you are welcome to file a security issue.
+
+It is assumed that all callers are trusted, meaning internal data exposed through reflection or inspection of returned data structures is not considered a vulnerability.
+
+Vulnerabilities resulting from compiler/assembler errors should be reported upstream. Depending on the severity this package may or may not implement a workaround.
+
+## Reporting a Vulnerability
+
+If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
+
+Please disclose it at [security advisory](https://github.com/klauspost/compress/security/advisories/new). If possible please provide a minimal reproducer. If the issue only applies to a single platform, it would be helpful to provide access to that.
+
+This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be disclosed in a best effort base.
diff --git a/vendor/github.com/klauspost/compress/compressible.go b/vendor/github.com/klauspost/compress/compressible.go
new file mode 100644
index 0000000000..ea5a692d51
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/compressible.go
@@ -0,0 +1,85 @@
+package compress
+
+import "math"
+
+// Estimate returns a normalized compressibility estimate of block b.
+// Values close to zero are likely uncompressible.
+// Values above 0.1 are likely to be compressible.
+// Values above 0.5 are very compressible.
+// Very small lengths will return 0.
+func Estimate(b []byte) float64 {
+	if len(b) < 16 {
+		return 0
+	}
+
+	// Correctly predicted order 1
+	hits := 0
+	lastMatch := false
+	var o1 [256]byte
+	var hist [256]int
+	c1 := byte(0)
+	for _, c := range b {
+		if c == o1[c1] {
+			// We only count a hit if there was two correct predictions in a row.
+			if lastMatch {
+				hits++
+			}
+			lastMatch = true
+		} else {
+			lastMatch = false
+		}
+		o1[c1] = c
+		c1 = c
+		hist[c]++
+	}
+
+	// Use x^0.6 to give better spread
+	prediction := math.Pow(float64(hits)/float64(len(b)), 0.6)
+
+	// Calculate histogram distribution
+	variance := float64(0)
+	avg := float64(len(b)) / 256
+
+	for _, v := range hist {
+		Δ := float64(v) - avg
+		variance += Δ * Δ
+	}
+
+	stddev := math.Sqrt(float64(variance)) / float64(len(b))
+	exp := math.Sqrt(1 / float64(len(b)))
+
+	// Subtract expected stddev
+	stddev -= exp
+	if stddev < 0 {
+		stddev = 0
+	}
+	stddev *= 1 + exp
+
+	// Use x^0.4 to give better spread
+	entropy := math.Pow(stddev, 0.4)
+
+	// 50/50 weight between prediction and histogram distribution
+	return math.Pow((prediction+entropy)/2, 0.9)
+}
+
+// ShannonEntropyBits returns the number of bits minimum required to represent
+// an entropy encoding of the input bytes.
+// https://en.wiktionary.org/wiki/Shannon_entropy
+func ShannonEntropyBits(b []byte) int {
+	if len(b) == 0 {
+		return 0
+	}
+	var hist [256]int
+	for _, c := range b {
+		hist[c]++
+	}
+	shannon := float64(0)
+	invTotal := 1.0 / float64(len(b))
+	for _, v := range hist[:] {
+		if v > 0 {
+			n := float64(v)
+			shannon += math.Ceil(-math.Log2(n*invTotal) * n)
+		}
+	}
+	return int(math.Ceil(shannon))
+}
diff --git a/vendor/github.com/klauspost/compress/fse/README.md b/vendor/github.com/klauspost/compress/fse/README.md
new file mode 100644
index 0000000000..ea7324da67
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/fse/README.md
@@ -0,0 +1,79 @@
+# Finite State Entropy
+
+This package provides Finite State Entropy encoding and decoding.
+            
+Finite State Entropy (also referenced as [tANS](https://en.wikipedia.org/wiki/Asymmetric_numeral_systems#tANS)) 
+encoding provides a fast near-optimal symbol encoding/decoding
+for byte blocks as implemented in [zstandard](https://github.com/facebook/zstd).
+
+This can be used for compressing input with a lot of similar input values to the smallest number of bytes.
+This does not perform any multi-byte [dictionary coding](https://en.wikipedia.org/wiki/Dictionary_coder) as LZ coders,
+but it can be used as a secondary step to compressors (like Snappy) that does not do entropy encoding. 
+
+* [Godoc documentation](https://godoc.org/github.com/klauspost/compress/fse)
+
+## News
+
+ * Feb 2018: First implementation released. Consider this beta software for now.
+
+# Usage
+
+This package provides a low level interface that allows to compress single independent blocks. 
+
+Each block is separate, and there is no built in integrity checks. 
+This means that the caller should keep track of block sizes and also do checksums if needed.  
+
+Compressing a block is done via the [`Compress`](https://godoc.org/github.com/klauspost/compress/fse#Compress) function.
+You must provide input and will receive the output and maybe an error.
+
+These error values can be returned:
+
+| Error               | Description                                                                 |
+|---------------------|-----------------------------------------------------------------------------|
+| `<nil>`             | Everything ok, output is returned                                           |
+| `ErrIncompressible` | Returned when input is judged to be too hard to compress                    |
+| `ErrUseRLE`         | Returned from the compressor when the input is a single byte value repeated |
+| `(error)`           | An internal error occurred.                                                 |
+
+As can be seen above there are errors that will be returned even under normal operation so it is important to handle these.
+
+To reduce allocations you can provide a [`Scratch`](https://godoc.org/github.com/klauspost/compress/fse#Scratch) object 
+that can be re-used for successive calls. Both compression and decompression accepts a `Scratch` object, and the same 
+object can be used for both.   
+
+Be aware, that when re-using a `Scratch` object that the *output* buffer is also re-used, so if you are still using this
+you must set the `Out` field in the scratch to nil. The same buffer is used for compression and decompression output.
+
+Decompressing is done by calling the [`Decompress`](https://godoc.org/github.com/klauspost/compress/fse#Decompress) function.
+You must provide the output from the compression stage, at exactly the size you got back. If you receive an error back
+your input was likely corrupted. 
+
+It is important to note that a successful decoding does *not* mean your output matches your original input. 
+There are no integrity checks, so relying on errors from the decompressor does not assure your data is valid.
+
+For more detailed usage, see examples in the [godoc documentation](https://godoc.org/github.com/klauspost/compress/fse#pkg-examples).
+
+# Performance
+
+A lot of factors are affecting speed. Block sizes and compressibility of the material are primary factors.  
+All compression functions are currently only running on the calling goroutine so only one core will be used per block.  
+
+The compressor is significantly faster if symbols are kept as small as possible. The highest byte value of the input
+is used to reduce some of the processing, so if all your input is above byte value 64 for instance, it may be 
+beneficial to transpose all your input values down by 64.   
+
+With moderate block sizes around 64k speed are typically 200MB/s per core for compression and 
+around 300MB/s decompression speed. 
+
+The same hardware typically does Huffman (deflate) encoding at 125MB/s and decompression at 100MB/s. 
+
+# Plans
+
+At one point, more internals will be exposed to facilitate more "expert" usage of the components. 
+
+A streaming interface is also likely to be implemented. Likely compatible with [FSE stream format](https://github.com/Cyan4973/FiniteStateEntropy/blob/dev/programs/fileio.c#L261).  
+
+# Contributing
+
+Contributions are always welcome. Be aware that adding public functions will require good justification and breaking 
+changes will likely not be accepted. If in doubt open an issue before writing the PR.  
\ No newline at end of file
diff --git a/vendor/github.com/klauspost/compress/fse/bitreader.go b/vendor/github.com/klauspost/compress/fse/bitreader.go
new file mode 100644
index 0000000000..f65eb3909c
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/fse/bitreader.go
@@ -0,0 +1,122 @@
+// Copyright 2018 Klaus Post. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Based on work Copyright (c) 2013, Yann Collet, released under BSD License.
+
+package fse
+
+import (
+	"encoding/binary"
+	"errors"
+	"io"
+)
+
+// bitReader reads a bitstream in reverse.
+// The last set bit indicates the start of the stream and is used
+// for aligning the input.
+type bitReader struct {
+	in       []byte
+	off      uint // next byte to read is at in[off - 1]
+	value    uint64
+	bitsRead uint8
+}
+
+// init initializes and resets the bit reader.
+func (b *bitReader) init(in []byte) error {
+	if len(in) < 1 {
+		return errors.New("corrupt stream: too short")
+	}
+	b.in = in
+	b.off = uint(len(in))
+	// The highest bit of the last byte indicates where to start
+	v := in[len(in)-1]
+	if v == 0 {
+		return errors.New("corrupt stream, did not find end of stream")
+	}
+	b.bitsRead = 64
+	b.value = 0
+	if len(in) >= 8 {
+		b.fillFastStart()
+	} else {
+		b.fill()
+		b.fill()
+	}
+	b.bitsRead += 8 - uint8(highBits(uint32(v)))
+	return nil
+}
+
+// getBits will return n bits. n can be 0.
+func (b *bitReader) getBits(n uint8) uint16 {
+	if n == 0 || b.bitsRead >= 64 {
+		return 0
+	}
+	return b.getBitsFast(n)
+}
+
+// getBitsFast requires that at least one bit is requested every time.
+// There are no checks if the buffer is filled.
+func (b *bitReader) getBitsFast(n uint8) uint16 {
+	const regMask = 64 - 1
+	v := uint16((b.value << (b.bitsRead & regMask)) >> ((regMask + 1 - n) & regMask))
+	b.bitsRead += n
+	return v
+}
+
+// fillFast() will make sure at least 32 bits are available.
+// There must be at least 4 bytes available.
+func (b *bitReader) fillFast() {
+	if b.bitsRead < 32 {
+		return
+	}
+	// 2 bounds checks.
+	v := b.in[b.off-4:]
+	v = v[:4]
+	low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24)
+	b.value = (b.value << 32) | uint64(low)
+	b.bitsRead -= 32
+	b.off -= 4
+}
+
+// fill() will make sure at least 32 bits are available.
+func (b *bitReader) fill() {
+	if b.bitsRead < 32 {
+		return
+	}
+	if b.off > 4 {
+		v := b.in[b.off-4:]
+		v = v[:4]
+		low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24)
+		b.value = (b.value << 32) | uint64(low)
+		b.bitsRead -= 32
+		b.off -= 4
+		return
+	}
+	for b.off > 0 {
+		b.value = (b.value << 8) | uint64(b.in[b.off-1])
+		b.bitsRead -= 8
+		b.off--
+	}
+}
+
+// fillFastStart() assumes the bitreader is empty and there is at least 8 bytes to read.
+func (b *bitReader) fillFastStart() {
+	// Do single re-slice to avoid bounds checks.
+	b.value = binary.LittleEndian.Uint64(b.in[b.off-8:])
+	b.bitsRead = 0
+	b.off -= 8
+}
+
+// finished returns true if all bits have been read from the bit stream.
+func (b *bitReader) finished() bool {
+	return b.bitsRead >= 64 && b.off == 0
+}
+
+// close the bitstream and returns an error if out-of-buffer reads occurred.
+func (b *bitReader) close() error {
+	// Release reference.
+	b.in = nil
+	if b.bitsRead > 64 {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
diff --git a/vendor/github.com/klauspost/compress/fse/bitwriter.go b/vendor/github.com/klauspost/compress/fse/bitwriter.go
new file mode 100644
index 0000000000..e82fa3bb7b
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/fse/bitwriter.go
@@ -0,0 +1,167 @@
+// Copyright 2018 Klaus Post. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Based on work Copyright (c) 2013, Yann Collet, released under BSD License.
+
+package fse
+
+import "fmt"
+
+// bitWriter will write bits.
+// First bit will be LSB of the first byte of output.
+type bitWriter struct {
+	bitContainer uint64
+	nBits        uint8
+	out          []byte
+}
+
+// bitMask16 is bitmasks. Has extra to avoid bounds check.
+var bitMask16 = [32]uint16{
+	0, 1, 3, 7, 0xF, 0x1F,
+	0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF,
+	0xFFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF, 0xFFFF,
+	0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF,
+	0xFFFF, 0xFFFF} /* up to 16 bits */
+
+// addBits16NC will add up to 16 bits.
+// It will not check if there is space for them,
+// so the caller must ensure that it has flushed recently.
+func (b *bitWriter) addBits16NC(value uint16, bits uint8) {
+	b.bitContainer |= uint64(value&bitMask16[bits&31]) << (b.nBits & 63)
+	b.nBits += bits
+}
+
+// addBits16Clean will add up to 16 bits. value may not contain more set bits than indicated.
+// It will not check if there is space for them, so the caller must ensure that it has flushed recently.
+func (b *bitWriter) addBits16Clean(value uint16, bits uint8) {
+	b.bitContainer |= uint64(value) << (b.nBits & 63)
+	b.nBits += bits
+}
+
+// addBits16ZeroNC will add up to 16 bits.
+// It will not check if there is space for them,
+// so the caller must ensure that it has flushed recently.
+// This is fastest if bits can be zero.
+func (b *bitWriter) addBits16ZeroNC(value uint16, bits uint8) {
+	if bits == 0 {
+		return
+	}
+	value <<= (16 - bits) & 15
+	value >>= (16 - bits) & 15
+	b.bitContainer |= uint64(value) << (b.nBits & 63)
+	b.nBits += bits
+}
+
+// flush will flush all pending full bytes.
+// There will be at least 56 bits available for writing when this has been called.
+// Using flush32 is faster, but leaves less space for writing.
+func (b *bitWriter) flush() {
+	v := b.nBits >> 3
+	switch v {
+	case 0:
+	case 1:
+		b.out = append(b.out,
+			byte(b.bitContainer),
+		)
+	case 2:
+		b.out = append(b.out,
+			byte(b.bitContainer),
+			byte(b.bitContainer>>8),
+		)
+	case 3:
+		b.out = append(b.out,
+			byte(b.bitContainer),
+			byte(b.bitContainer>>8),
+			byte(b.bitContainer>>16),
+		)
+	case 4:
+		b.out = append(b.out,
+			byte(b.bitContainer),
+			byte(b.bitContainer>>8),
+			byte(b.bitContainer>>16),
+			byte(b.bitContainer>>24),
+		)
+	case 5:
+		b.out = append(b.out,
+			byte(b.bitContainer),
+			byte(b.bitContainer>>8),
+			byte(b.bitContainer>>16),
+			byte(b.bitContainer>>24),
+			byte(b.bitContainer>>32),
+		)
+	case 6:
+		b.out = append(b.out,
+			byte(b.bitContainer),
+			byte(b.bitContainer>>8),
+			byte(b.bitContainer>>16),
+			byte(b.bitContainer>>24),
+			byte(b.bitContainer>>32),
+			byte(b.bitContainer>>40),
+		)
+	case 7:
+		b.out = append(b.out,
+			byte(b.bitContainer),
+			byte(b.bitContainer>>8),
+			byte(b.bitContainer>>16),
+			byte(b.bitContainer>>24),
+			byte(b.bitContainer>>32),
+			byte(b.bitContainer>>40),
+			byte(b.bitContainer>>48),
+		)
+	case 8:
+		b.out = append(b.out,
+			byte(b.bitContainer),
+			byte(b.bitContainer>>8),
+			byte(b.bitContainer>>16),
+			byte(b.bitContainer>>24),
+			byte(b.bitContainer>>32),
+			byte(b.bitContainer>>40),
+			byte(b.bitContainer>>48),
+			byte(b.bitContainer>>56),
+		)
+	default:
+		panic(fmt.Errorf("bits (%d) > 64", b.nBits))
+	}
+	b.bitContainer >>= v << 3
+	b.nBits &= 7
+}
+
+// flush32 will flush out, so there are at least 32 bits available for writing.
+func (b *bitWriter) flush32() {
+	if b.nBits < 32 {
+		return
+	}
+	b.out = append(b.out,
+		byte(b.bitContainer),
+		byte(b.bitContainer>>8),
+		byte(b.bitContainer>>16),
+		byte(b.bitContainer>>24))
+	b.nBits -= 32
+	b.bitContainer >>= 32
+}
+
+// flushAlign will flush remaining full bytes and align to next byte boundary.
+func (b *bitWriter) flushAlign() {
+	nbBytes := (b.nBits + 7) >> 3
+	for i := uint8(0); i < nbBytes; i++ {
+		b.out = append(b.out, byte(b.bitContainer>>(i*8)))
+	}
+	b.nBits = 0
+	b.bitContainer = 0
+}
+
+// close will write the alignment bit and write the final byte(s)
+// to the output.
+func (b *bitWriter) close() {
+	// End mark
+	b.addBits16Clean(1, 1)
+	// flush until next byte.
+	b.flushAlign()
+}
+
+// reset and continue writing by appending to out.
+func (b *bitWriter) reset(out []byte) {
+	b.bitContainer = 0
+	b.nBits = 0
+	b.out = out
+}
diff --git a/vendor/github.com/klauspost/compress/fse/bytereader.go b/vendor/github.com/klauspost/compress/fse/bytereader.go
new file mode 100644
index 0000000000..abade2d605
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/fse/bytereader.go
@@ -0,0 +1,47 @@
+// Copyright 2018 Klaus Post. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Based on work Copyright (c) 2013, Yann Collet, released under BSD License.
+
+package fse
+
+// byteReader provides a byte reader that reads
+// little endian values from a byte stream.
+// The input stream is manually advanced.
+// The reader performs no bounds checks.
+type byteReader struct {
+	b   []byte
+	off int
+}
+
+// init will initialize the reader and set the input.
+func (b *byteReader) init(in []byte) {
+	b.b = in
+	b.off = 0
+}
+
+// advance the stream b n bytes.
+func (b *byteReader) advance(n uint) {
+	b.off += int(n)
+}
+
+// Uint32 returns a little endian uint32 starting at current offset.
+func (b byteReader) Uint32() uint32 {
+	b2 := b.b[b.off:]
+	b2 = b2[:4]
+	v3 := uint32(b2[3])
+	v2 := uint32(b2[2])
+	v1 := uint32(b2[1])
+	v0 := uint32(b2[0])
+	return v0 | (v1 << 8) | (v2 << 16) | (v3 << 24)
+}
+
+// unread returns the unread portion of the input.
+func (b byteReader) unread() []byte {
+	return b.b[b.off:]
+}
+
+// remain will return the number of bytes remaining.
+func (b byteReader) remain() int {
+	return len(b.b) - b.off
+}
diff --git a/vendor/github.com/klauspost/compress/fse/compress.go b/vendor/github.com/klauspost/compress/fse/compress.go
new file mode 100644
index 0000000000..074018d8f9
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/fse/compress.go
@@ -0,0 +1,683 @@
+// Copyright 2018 Klaus Post. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Based on work Copyright (c) 2013, Yann Collet, released under BSD License.
+
+package fse
+
+import (
+	"errors"
+	"fmt"
+)
+
+// Compress the input bytes. Input must be < 2GB.
+// Provide a Scratch buffer to avoid memory allocations.
+// Note that the output is also kept in the scratch buffer.
+// If input is too hard to compress, ErrIncompressible is returned.
+// If input is a single byte value repeated ErrUseRLE is returned.
+func Compress(in []byte, s *Scratch) ([]byte, error) {
+	if len(in) <= 1 {
+		return nil, ErrIncompressible
+	}
+	if len(in) > (2<<30)-1 {
+		return nil, errors.New("input too big, must be < 2GB")
+	}
+	s, err := s.prepare(in)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create histogram, if none was provided.
+	maxCount := s.maxCount
+	if maxCount == 0 {
+		maxCount = s.countSimple(in)
+	}
+	// Reset for next run.
+	s.clearCount = true
+	s.maxCount = 0
+	if maxCount == len(in) {
+		// One symbol, use RLE
+		return nil, ErrUseRLE
+	}
+	if maxCount == 1 || maxCount < (len(in)>>7) {
+		// Each symbol present maximum once or too well distributed.
+		return nil, ErrIncompressible
+	}
+	s.optimalTableLog()
+	err = s.normalizeCount()
+	if err != nil {
+		return nil, err
+	}
+	err = s.writeCount()
+	if err != nil {
+		return nil, err
+	}
+
+	if false {
+		err = s.validateNorm()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	err = s.buildCTable()
+	if err != nil {
+		return nil, err
+	}
+	err = s.compress(in)
+	if err != nil {
+		return nil, err
+	}
+	s.Out = s.bw.out
+	// Check if we compressed.
+	if len(s.Out) >= len(in) {
+		return nil, ErrIncompressible
+	}
+	return s.Out, nil
+}
+
+// cState contains the compression state of a stream.
+type cState struct {
+	bw         *bitWriter
+	stateTable []uint16
+	state      uint16
+}
+
+// init will initialize the compression state to the first symbol of the stream.
+func (c *cState) init(bw *bitWriter, ct *cTable, tableLog uint8, first symbolTransform) {
+	c.bw = bw
+	c.stateTable = ct.stateTable
+
+	nbBitsOut := (first.deltaNbBits + (1 << 15)) >> 16
+	im := int32((nbBitsOut << 16) - first.deltaNbBits)
+	lu := (im >> nbBitsOut) + first.deltaFindState
+	c.state = c.stateTable[lu]
+}
+
+// encode the output symbol provided and write it to the bitstream.
+func (c *cState) encode(symbolTT symbolTransform) {
+	nbBitsOut := (uint32(c.state) + symbolTT.deltaNbBits) >> 16
+	dstState := int32(c.state>>(nbBitsOut&15)) + symbolTT.deltaFindState
+	c.bw.addBits16NC(c.state, uint8(nbBitsOut))
+	c.state = c.stateTable[dstState]
+}
+
+// encode the output symbol provided and write it to the bitstream.
+func (c *cState) encodeZero(symbolTT symbolTransform) {
+	nbBitsOut := (uint32(c.state) + symbolTT.deltaNbBits) >> 16
+	dstState := int32(c.state>>(nbBitsOut&15)) + symbolTT.deltaFindState
+	c.bw.addBits16ZeroNC(c.state, uint8(nbBitsOut))
+	c.state = c.stateTable[dstState]
+}
+
+// flush will write the tablelog to the output and flush the remaining full bytes.
+func (c *cState) flush(tableLog uint8) {
+	c.bw.flush32()
+	c.bw.addBits16NC(c.state, tableLog)
+	c.bw.flush()
+}
+
+// compress is the main compression loop that will encode the input from the last byte to the first.
+func (s *Scratch) compress(src []byte) error {
+	if len(src) <= 2 {
+		return errors.New("compress: src too small")
+	}
+	tt := s.ct.symbolTT[:256]
+	s.bw.reset(s.Out)
+
+	// Our two states each encodes every second byte.
+	// Last byte encoded (first byte decoded) will always be encoded by c1.
+	var c1, c2 cState
+
+	// Encode so remaining size is divisible by 4.
+	ip := len(src)
+	if ip&1 == 1 {
+		c1.init(&s.bw, &s.ct, s.actualTableLog, tt[src[ip-1]])
+		c2.init(&s.bw, &s.ct, s.actualTableLog, tt[src[ip-2]])
+		c1.encodeZero(tt[src[ip-3]])
+		ip -= 3
+	} else {
+		c2.init(&s.bw, &s.ct, s.actualTableLog, tt[src[ip-1]])
+		c1.init(&s.bw, &s.ct, s.actualTableLog, tt[src[ip-2]])
+		ip -= 2
+	}
+	if ip&2 != 0 {
+		c2.encodeZero(tt[src[ip-1]])
+		c1.encodeZero(tt[src[ip-2]])
+		ip -= 2
+	}
+	src = src[:ip]
+
+	// Main compression loop.
+	switch {
+	case !s.zeroBits && s.actualTableLog <= 8:
+		// We can encode 4 symbols without requiring a flush.
+		// We do not need to check if any output is 0 bits.
+		for ; len(src) >= 4; src = src[:len(src)-4] {
+			s.bw.flush32()
+			v3, v2, v1, v0 := src[len(src)-4], src[len(src)-3], src[len(src)-2], src[len(src)-1]
+			c2.encode(tt[v0])
+			c1.encode(tt[v1])
+			c2.encode(tt[v2])
+			c1.encode(tt[v3])
+		}
+	case !s.zeroBits:
+		// We do not need to check if any output is 0 bits.
+		for ; len(src) >= 4; src = src[:len(src)-4] {
+			s.bw.flush32()
+			v3, v2, v1, v0 := src[len(src)-4], src[len(src)-3], src[len(src)-2], src[len(src)-1]
+			c2.encode(tt[v0])
+			c1.encode(tt[v1])
+			s.bw.flush32()
+			c2.encode(tt[v2])
+			c1.encode(tt[v3])
+		}
+	case s.actualTableLog <= 8:
+		// We can encode 4 symbols without requiring a flush
+		for ; len(src) >= 4; src = src[:len(src)-4] {
+			s.bw.flush32()
+			v3, v2, v1, v0 := src[len(src)-4], src[len(src)-3], src[len(src)-2], src[len(src)-1]
+			c2.encodeZero(tt[v0])
+			c1.encodeZero(tt[v1])
+			c2.encodeZero(tt[v2])
+			c1.encodeZero(tt[v3])
+		}
+	default:
+		for ; len(src) >= 4; src = src[:len(src)-4] {
+			s.bw.flush32()
+			v3, v2, v1, v0 := src[len(src)-4], src[len(src)-3], src[len(src)-2], src[len(src)-1]
+			c2.encodeZero(tt[v0])
+			c1.encodeZero(tt[v1])
+			s.bw.flush32()
+			c2.encodeZero(tt[v2])
+			c1.encodeZero(tt[v3])
+		}
+	}
+
+	// Flush final state.
+	// Used to initialize state when decoding.
+	c2.flush(s.actualTableLog)
+	c1.flush(s.actualTableLog)
+
+	s.bw.close()
+	return nil
+}
+
+// writeCount will write the normalized histogram count to header.
+// This is read back by readNCount.
+func (s *Scratch) writeCount() error {
+	var (
+		tableLog  = s.actualTableLog
+		tableSize = 1 << tableLog
+		previous0 bool
+		charnum   uint16
+
+		maxHeaderSize = ((int(s.symbolLen)*int(tableLog) + 4 + 2) >> 3) + 3
+
+		// Write Table Size
+		bitStream = uint32(tableLog - minTablelog)
+		bitCount  = uint(4)
+		remaining = int16(tableSize + 1) /* +1 for extra accuracy */
+		threshold = int16(tableSize)
+		nbBits    = uint(tableLog + 1)
+	)
+	if cap(s.Out) < maxHeaderSize {
+		s.Out = make([]byte, 0, s.br.remain()+maxHeaderSize)
+	}
+	outP := uint(0)
+	out := s.Out[:maxHeaderSize]
+
+	// stops at 1
+	for remaining > 1 {
+		if previous0 {
+			start := charnum
+			for s.norm[charnum] == 0 {
+				charnum++
+			}
+			for charnum >= start+24 {
+				start += 24
+				bitStream += uint32(0xFFFF) << bitCount
+				out[outP] = byte(bitStream)
+				out[outP+1] = byte(bitStream >> 8)
+				outP += 2
+				bitStream >>= 16
+			}
+			for charnum >= start+3 {
+				start += 3
+				bitStream += 3 << bitCount
+				bitCount += 2
+			}
+			bitStream += uint32(charnum-start) << bitCount
+			bitCount += 2
+			if bitCount > 16 {
+				out[outP] = byte(bitStream)
+				out[outP+1] = byte(bitStream >> 8)
+				outP += 2
+				bitStream >>= 16
+				bitCount -= 16
+			}
+		}
+
+		count := s.norm[charnum]
+		charnum++
+		max := (2*threshold - 1) - remaining
+		if count < 0 {
+			remaining += count
+		} else {
+			remaining -= count
+		}
+		count++ // +1 for extra accuracy
+		if count >= threshold {
+			count += max // [0..max[ [max..threshold[ (...) [threshold+max 2*threshold[
+		}
+		bitStream += uint32(count) << bitCount
+		bitCount += nbBits
+		if count < max {
+			bitCount--
+		}
+
+		previous0 = count == 1
+		if remaining < 1 {
+			return errors.New("internal error: remaining<1")
+		}
+		for remaining < threshold {
+			nbBits--
+			threshold >>= 1
+		}
+
+		if bitCount > 16 {
+			out[outP] = byte(bitStream)
+			out[outP+1] = byte(bitStream >> 8)
+			outP += 2
+			bitStream >>= 16
+			bitCount -= 16
+		}
+	}
+
+	out[outP] = byte(bitStream)
+	out[outP+1] = byte(bitStream >> 8)
+	outP += (bitCount + 7) / 8
+
+	if charnum > s.symbolLen {
+		return errors.New("internal error: charnum > s.symbolLen")
+	}
+	s.Out = out[:outP]
+	return nil
+}
+
+// symbolTransform contains the state transform for a symbol.
+type symbolTransform struct {
+	deltaFindState int32
+	deltaNbBits    uint32
+}
+
+// String prints values as a human readable string.
+func (s symbolTransform) String() string {
+	return fmt.Sprintf("dnbits: %08x, fs:%d", s.deltaNbBits, s.deltaFindState)
+}
+
+// cTable contains tables used for compression.
+type cTable struct {
+	tableSymbol []byte
+	stateTable  []uint16
+	symbolTT    []symbolTransform
+}
+
+// allocCtable will allocate tables needed for compression.
+// If existing tables a re big enough, they are simply re-used.
+func (s *Scratch) allocCtable() {
+	tableSize := 1 << s.actualTableLog
+	// get tableSymbol that is big enough.
+	if cap(s.ct.tableSymbol) < tableSize {
+		s.ct.tableSymbol = make([]byte, tableSize)
+	}
+	s.ct.tableSymbol = s.ct.tableSymbol[:tableSize]
+
+	ctSize := tableSize
+	if cap(s.ct.stateTable) < ctSize {
+		s.ct.stateTable = make([]uint16, ctSize)
+	}
+	s.ct.stateTable = s.ct.stateTable[:ctSize]
+
+	if cap(s.ct.symbolTT) < 256 {
+		s.ct.symbolTT = make([]symbolTransform, 256)
+	}
+	s.ct.symbolTT = s.ct.symbolTT[:256]
+}
+
+// buildCTable will populate the compression table so it is ready to be used.
+func (s *Scratch) buildCTable() error {
+	tableSize := uint32(1 << s.actualTableLog)
+	highThreshold := tableSize - 1
+	var cumul [maxSymbolValue + 2]int16
+
+	s.allocCtable()
+	tableSymbol := s.ct.tableSymbol[:tableSize]
+	// symbol start positions
+	{
+		cumul[0] = 0
+		for ui, v := range s.norm[:s.symbolLen-1] {
+			u := byte(ui) // one less than reference
+			if v == -1 {
+				// Low proba symbol
+				cumul[u+1] = cumul[u] + 1
+				tableSymbol[highThreshold] = u
+				highThreshold--
+			} else {
+				cumul[u+1] = cumul[u] + v
+			}
+		}
+		// Encode last symbol separately to avoid overflowing u
+		u := int(s.symbolLen - 1)
+		v := s.norm[s.symbolLen-1]
+		if v == -1 {
+			// Low proba symbol
+			cumul[u+1] = cumul[u] + 1
+			tableSymbol[highThreshold] = byte(u)
+			highThreshold--
+		} else {
+			cumul[u+1] = cumul[u] + v
+		}
+		if uint32(cumul[s.symbolLen]) != tableSize {
+			return fmt.Errorf("internal error: expected cumul[s.symbolLen] (%d) == tableSize (%d)", cumul[s.symbolLen], tableSize)
+		}
+		cumul[s.symbolLen] = int16(tableSize) + 1
+	}
+	// Spread symbols
+	s.zeroBits = false
+	{
+		step := tableStep(tableSize)
+		tableMask := tableSize - 1
+		var position uint32
+		// if any symbol > largeLimit, we may have 0 bits output.
+		largeLimit := int16(1 << (s.actualTableLog - 1))
+		for ui, v := range s.norm[:s.symbolLen] {
+			symbol := byte(ui)
+			if v > largeLimit {
+				s.zeroBits = true
+			}
+			for nbOccurrences := int16(0); nbOccurrences < v; nbOccurrences++ {
+				tableSymbol[position] = symbol
+				position = (position + step) & tableMask
+				for position > highThreshold {
+					position = (position + step) & tableMask
+				} /* Low proba area */
+			}
+		}
+
+		// Check if we have gone through all positions
+		if position != 0 {
+			return errors.New("position!=0")
+		}
+	}
+
+	// Build table
+	table := s.ct.stateTable
+	{
+		tsi := int(tableSize)
+		for u, v := range tableSymbol {
+			// TableU16 : sorted by symbol order; gives next state value
+			table[cumul[v]] = uint16(tsi + u)
+			cumul[v]++
+		}
+	}
+
+	// Build Symbol Transformation Table
+	{
+		total := int16(0)
+		symbolTT := s.ct.symbolTT[:s.symbolLen]
+		tableLog := s.actualTableLog
+		tl := (uint32(tableLog) << 16) - (1 << tableLog)
+		for i, v := range s.norm[:s.symbolLen] {
+			switch v {
+			case 0:
+			case -1, 1:
+				symbolTT[i].deltaNbBits = tl
+				symbolTT[i].deltaFindState = int32(total - 1)
+				total++
+			default:
+				maxBitsOut := uint32(tableLog) - highBits(uint32(v-1))
+				minStatePlus := uint32(v) << maxBitsOut
+				symbolTT[i].deltaNbBits = (maxBitsOut << 16) - minStatePlus
+				symbolTT[i].deltaFindState = int32(total - v)
+				total += v
+			}
+		}
+		if total != int16(tableSize) {
+			return fmt.Errorf("total mismatch %d (got) != %d (want)", total, tableSize)
+		}
+	}
+	return nil
+}
+
+// countSimple will create a simple histogram in s.count.
+// Returns the biggest count.
+// Does not update s.clearCount.
+func (s *Scratch) countSimple(in []byte) (max int) {
+	for _, v := range in {
+		s.count[v]++
+	}
+	m, symlen := uint32(0), s.symbolLen
+	for i, v := range s.count[:] {
+		if v == 0 {
+			continue
+		}
+		if v > m {
+			m = v
+		}
+		symlen = uint16(i) + 1
+	}
+	s.symbolLen = symlen
+	return int(m)
+}
+
+// minTableLog provides the minimum logSize to safely represent a distribution.
+func (s *Scratch) minTableLog() uint8 {
+	minBitsSrc := highBits(uint32(s.br.remain()-1)) + 1
+	minBitsSymbols := highBits(uint32(s.symbolLen-1)) + 2
+	if minBitsSrc < minBitsSymbols {
+		return uint8(minBitsSrc)
+	}
+	return uint8(minBitsSymbols)
+}
+
+// optimalTableLog calculates and sets the optimal tableLog in s.actualTableLog
+func (s *Scratch) optimalTableLog() {
+	tableLog := s.TableLog
+	minBits := s.minTableLog()
+	maxBitsSrc := uint8(highBits(uint32(s.br.remain()-1))) - 2
+	if maxBitsSrc < tableLog {
+		// Accuracy can be reduced
+		tableLog = maxBitsSrc
+	}
+	if minBits > tableLog {
+		tableLog = minBits
+	}
+	// Need a minimum to safely represent all symbol values
+	if tableLog < minTablelog {
+		tableLog = minTablelog
+	}
+	if tableLog > maxTableLog {
+		tableLog = maxTableLog
+	}
+	s.actualTableLog = tableLog
+}
+
+var rtbTable = [...]uint32{0, 473195, 504333, 520860, 550000, 700000, 750000, 830000}
+
+// normalizeCount will normalize the count of the symbols so
+// the total is equal to the table size.
+func (s *Scratch) normalizeCount() error {
+	var (
+		tableLog          = s.actualTableLog
+		scale             = 62 - uint64(tableLog)
+		step              = (1 << 62) / uint64(s.br.remain())
+		vStep             = uint64(1) << (scale - 20)
+		stillToDistribute = int16(1 << tableLog)
+		largest           int
+		largestP          int16
+		lowThreshold      = (uint32)(s.br.remain() >> tableLog)
+	)
+
+	for i, cnt := range s.count[:s.symbolLen] {
+		// already handled
+		// if (count[s] == s.length) return 0;   /* rle special case */
+
+		if cnt == 0 {
+			s.norm[i] = 0
+			continue
+		}
+		if cnt <= lowThreshold {
+			s.norm[i] = -1
+			stillToDistribute--
+		} else {
+			proba := (int16)((uint64(cnt) * step) >> scale)
+			if proba < 8 {
+				restToBeat := vStep * uint64(rtbTable[proba])
+				v := uint64(cnt)*step - (uint64(proba) << scale)
+				if v > restToBeat {
+					proba++
+				}
+			}
+			if proba > largestP {
+				largestP = proba
+				largest = i
+			}
+			s.norm[i] = proba
+			stillToDistribute -= proba
+		}
+	}
+
+	if -stillToDistribute >= (s.norm[largest] >> 1) {
+		// corner case, need another normalization method
+		return s.normalizeCount2()
+	}
+	s.norm[largest] += stillToDistribute
+	return nil
+}
+
+// Secondary normalization method.
+// To be used when primary method fails.
+func (s *Scratch) normalizeCount2() error {
+	const notYetAssigned = -2
+	var (
+		distributed  uint32
+		total        = uint32(s.br.remain())
+		tableLog     = s.actualTableLog
+		lowThreshold = total >> tableLog
+		lowOne       = (total * 3) >> (tableLog + 1)
+	)
+	for i, cnt := range s.count[:s.symbolLen] {
+		if cnt == 0 {
+			s.norm[i] = 0
+			continue
+		}
+		if cnt <= lowThreshold {
+			s.norm[i] = -1
+			distributed++
+			total -= cnt
+			continue
+		}
+		if cnt <= lowOne {
+			s.norm[i] = 1
+			distributed++
+			total -= cnt
+			continue
+		}
+		s.norm[i] = notYetAssigned
+	}
+	toDistribute := (1 << tableLog) - distributed
+
+	if (total / toDistribute) > lowOne {
+		// risk of rounding to zero
+		lowOne = (total * 3) / (toDistribute * 2)
+		for i, cnt := range s.count[:s.symbolLen] {
+			if (s.norm[i] == notYetAssigned) && (cnt <= lowOne) {
+				s.norm[i] = 1
+				distributed++
+				total -= cnt
+				continue
+			}
+		}
+		toDistribute = (1 << tableLog) - distributed
+	}
+	if distributed == uint32(s.symbolLen)+1 {
+		// all values are pretty poor;
+		//   probably incompressible data (should have already been detected);
+		//   find max, then give all remaining points to max
+		var maxV int
+		var maxC uint32
+		for i, cnt := range s.count[:s.symbolLen] {
+			if cnt > maxC {
+				maxV = i
+				maxC = cnt
+			}
+		}
+		s.norm[maxV] += int16(toDistribute)
+		return nil
+	}
+
+	if total == 0 {
+		// all of the symbols were low enough for the lowOne or lowThreshold
+		for i := uint32(0); toDistribute > 0; i = (i + 1) % (uint32(s.symbolLen)) {
+			if s.norm[i] > 0 {
+				toDistribute--
+				s.norm[i]++
+			}
+		}
+		return nil
+	}
+
+	var (
+		vStepLog = 62 - uint64(tableLog)
+		mid      = uint64((1 << (vStepLog - 1)) - 1)
+		rStep    = (((1 << vStepLog) * uint64(toDistribute)) + mid) / uint64(total) // scale on remaining
+		tmpTotal = mid
+	)
+	for i, cnt := range s.count[:s.symbolLen] {
+		if s.norm[i] == notYetAssigned {
+			var (
+				end    = tmpTotal + uint64(cnt)*rStep
+				sStart = uint32(tmpTotal >> vStepLog)
+				sEnd   = uint32(end >> vStepLog)
+				weight = sEnd - sStart
+			)
+			if weight < 1 {
+				return errors.New("weight < 1")
+			}
+			s.norm[i] = int16(weight)
+			tmpTotal = end
+		}
+	}
+	return nil
+}
+
+// validateNorm validates the normalized histogram table.
+func (s *Scratch) validateNorm() (err error) {
+	var total int
+	for _, v := range s.norm[:s.symbolLen] {
+		if v >= 0 {
+			total += int(v)
+		} else {
+			total -= int(v)
+		}
+	}
+	defer func() {
+		if err == nil {
+			return
+		}
+		fmt.Printf("selected TableLog: %d, Symbol length: %d\n", s.actualTableLog, s.symbolLen)
+		for i, v := range s.norm[:s.symbolLen] {
+			fmt.Printf("%3d: %5d -> %4d \n", i, s.count[i], v)
+		}
+	}()
+	if total != (1 << s.actualTableLog) {
+		return fmt.Errorf("warning: Total == %d != %d", total, 1<<s.actualTableLog)
+	}
+	for i, v := range s.count[s.symbolLen:] {
+		if v != 0 {
+			return fmt.Errorf("warning: Found symbol out of range, %d after cut", i)
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/klauspost/compress/fse/decompress.go b/vendor/github.com/klauspost/compress/fse/decompress.go
new file mode 100644
index 0000000000..0c7dd4ffef
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/fse/decompress.go
@@ -0,0 +1,376 @@
+package fse
+
+import (
+	"errors"
+	"fmt"
+)
+
+const (
+	tablelogAbsoluteMax = 15
+)
+
+// Decompress a block of data.
+// You can provide a scratch buffer to avoid allocations.
+// If nil is provided a temporary one will be allocated.
+// It is possible, but by no way guaranteed that corrupt data will
+// return an error.
+// It is up to the caller to verify integrity of the returned data.
+// Use a predefined Scratch to set maximum acceptable output size.
+func Decompress(b []byte, s *Scratch) ([]byte, error) {
+	s, err := s.prepare(b)
+	if err != nil {
+		return nil, err
+	}
+	s.Out = s.Out[:0]
+	err = s.readNCount()
+	if err != nil {
+		return nil, err
+	}
+	err = s.buildDtable()
+	if err != nil {
+		return nil, err
+	}
+	err = s.decompress()
+	if err != nil {
+		return nil, err
+	}
+
+	return s.Out, nil
+}
+
+// readNCount will read the symbol distribution so decoding tables can be constructed.
+func (s *Scratch) readNCount() error {
+	var (
+		charnum   uint16
+		previous0 bool
+		b         = &s.br
+	)
+	iend := b.remain()
+	if iend < 4 {
+		return errors.New("input too small")
+	}
+	bitStream := b.Uint32()
+	nbBits := uint((bitStream & 0xF) + minTablelog) // extract tableLog
+	if nbBits > tablelogAbsoluteMax {
+		return errors.New("tableLog too large")
+	}
+	bitStream >>= 4
+	bitCount := uint(4)
+
+	s.actualTableLog = uint8(nbBits)
+	remaining := int32((1 << nbBits) + 1)
+	threshold := int32(1 << nbBits)
+	gotTotal := int32(0)
+	nbBits++
+
+	for remaining > 1 {
+		if previous0 {
+			n0 := charnum
+			for (bitStream & 0xFFFF) == 0xFFFF {
+				n0 += 24
+				if b.off < iend-5 {
+					b.advance(2)
+					bitStream = b.Uint32() >> bitCount
+				} else {
+					bitStream >>= 16
+					bitCount += 16
+				}
+			}
+			for (bitStream & 3) == 3 {
+				n0 += 3
+				bitStream >>= 2
+				bitCount += 2
+			}
+			n0 += uint16(bitStream & 3)
+			bitCount += 2
+			if n0 > maxSymbolValue {
+				return errors.New("maxSymbolValue too small")
+			}
+			for charnum < n0 {
+				s.norm[charnum&0xff] = 0
+				charnum++
+			}
+
+			if b.off <= iend-7 || b.off+int(bitCount>>3) <= iend-4 {
+				b.advance(bitCount >> 3)
+				bitCount &= 7
+				bitStream = b.Uint32() >> bitCount
+			} else {
+				bitStream >>= 2
+			}
+		}
+
+		max := (2*(threshold) - 1) - (remaining)
+		var count int32
+
+		if (int32(bitStream) & (threshold - 1)) < max {
+			count = int32(bitStream) & (threshold - 1)
+			bitCount += nbBits - 1
+		} else {
+			count = int32(bitStream) & (2*threshold - 1)
+			if count >= threshold {
+				count -= max
+			}
+			bitCount += nbBits
+		}
+
+		count-- // extra accuracy
+		if count < 0 {
+			// -1 means +1
+			remaining += count
+			gotTotal -= count
+		} else {
+			remaining -= count
+			gotTotal += count
+		}
+		s.norm[charnum&0xff] = int16(count)
+		charnum++
+		previous0 = count == 0
+		for remaining < threshold {
+			nbBits--
+			threshold >>= 1
+		}
+		if b.off <= iend-7 || b.off+int(bitCount>>3) <= iend-4 {
+			b.advance(bitCount >> 3)
+			bitCount &= 7
+		} else {
+			bitCount -= (uint)(8 * (len(b.b) - 4 - b.off))
+			b.off = len(b.b) - 4
+		}
+		bitStream = b.Uint32() >> (bitCount & 31)
+	}
+	s.symbolLen = charnum
+
+	if s.symbolLen <= 1 {
+		return fmt.Errorf("symbolLen (%d) too small", s.symbolLen)
+	}
+	if s.symbolLen > maxSymbolValue+1 {
+		return fmt.Errorf("symbolLen (%d) too big", s.symbolLen)
+	}
+	if remaining != 1 {
+		return fmt.Errorf("corruption detected (remaining %d != 1)", remaining)
+	}
+	if bitCount > 32 {
+		return fmt.Errorf("corruption detected (bitCount %d > 32)", bitCount)
+	}
+	if gotTotal != 1<<s.actualTableLog {
+		return fmt.Errorf("corruption detected (total %d != %d)", gotTotal, 1<<s.actualTableLog)
+	}
+	b.advance((bitCount + 7) >> 3)
+	return nil
+}
+
+// decSymbol contains information about a state entry,
+// Including the state offset base, the output symbol and
+// the number of bits to read for the low part of the destination state.
+type decSymbol struct {
+	newState uint16
+	symbol   uint8
+	nbBits   uint8
+}
+
+// allocDtable will allocate decoding tables if they are not big enough.
+func (s *Scratch) allocDtable() {
+	tableSize := 1 << s.actualTableLog
+	if cap(s.decTable) < tableSize {
+		s.decTable = make([]decSymbol, tableSize)
+	}
+	s.decTable = s.decTable[:tableSize]
+
+	if cap(s.ct.tableSymbol) < 256 {
+		s.ct.tableSymbol = make([]byte, 256)
+	}
+	s.ct.tableSymbol = s.ct.tableSymbol[:256]
+
+	if cap(s.ct.stateTable) < 256 {
+		s.ct.stateTable = make([]uint16, 256)
+	}
+	s.ct.stateTable = s.ct.stateTable[:256]
+}
+
+// buildDtable will build the decoding table.
+func (s *Scratch) buildDtable() error {
+	tableSize := uint32(1 << s.actualTableLog)
+	highThreshold := tableSize - 1
+	s.allocDtable()
+	symbolNext := s.ct.stateTable[:256]
+
+	// Init, lay down lowprob symbols
+	s.zeroBits = false
+	{
+		largeLimit := int16(1 << (s.actualTableLog - 1))
+		for i, v := range s.norm[:s.symbolLen] {
+			if v == -1 {
+				s.decTable[highThreshold].symbol = uint8(i)
+				highThreshold--
+				symbolNext[i] = 1
+			} else {
+				if v >= largeLimit {
+					s.zeroBits = true
+				}
+				symbolNext[i] = uint16(v)
+			}
+		}
+	}
+	// Spread symbols
+	{
+		tableMask := tableSize - 1
+		step := tableStep(tableSize)
+		position := uint32(0)
+		for ss, v := range s.norm[:s.symbolLen] {
+			for i := 0; i < int(v); i++ {
+				s.decTable[position].symbol = uint8(ss)
+				position = (position + step) & tableMask
+				for position > highThreshold {
+					// lowprob area
+					position = (position + step) & tableMask
+				}
+			}
+		}
+		if position != 0 {
+			// position must reach all cells once, otherwise normalizedCounter is incorrect
+			return errors.New("corrupted input (position != 0)")
+		}
+	}
+
+	// Build Decoding table
+	{
+		tableSize := uint16(1 << s.actualTableLog)
+		for u, v := range s.decTable {
+			symbol := v.symbol
+			nextState := symbolNext[symbol]
+			symbolNext[symbol] = nextState + 1
+			nBits := s.actualTableLog - byte(highBits(uint32(nextState)))
+			s.decTable[u].nbBits = nBits
+			newState := (nextState << nBits) - tableSize
+			if newState >= tableSize {
+				return fmt.Errorf("newState (%d) outside table size (%d)", newState, tableSize)
+			}
+			if newState == uint16(u) && nBits == 0 {
+				// Seems weird that this is possible with nbits > 0.
+				return fmt.Errorf("newState (%d) == oldState (%d) and no bits", newState, u)
+			}
+			s.decTable[u].newState = newState
+		}
+	}
+	return nil
+}
+
+// decompress will decompress the bitstream.
+// If the buffer is over-read an error is returned.
+func (s *Scratch) decompress() error {
+	br := &s.bits
+	if err := br.init(s.br.unread()); err != nil {
+		return err
+	}
+
+	var s1, s2 decoder
+	// Initialize and decode first state and symbol.
+	s1.init(br, s.decTable, s.actualTableLog)
+	s2.init(br, s.decTable, s.actualTableLog)
+
+	// Use temp table to avoid bound checks/append penalty.
+	var tmp = s.ct.tableSymbol[:256]
+	var off uint8
+
+	// Main part
+	if !s.zeroBits {
+		for br.off >= 8 {
+			br.fillFast()
+			tmp[off+0] = s1.nextFast()
+			tmp[off+1] = s2.nextFast()
+			br.fillFast()
+			tmp[off+2] = s1.nextFast()
+			tmp[off+3] = s2.nextFast()
+			off += 4
+			// When off is 0, we have overflowed and should write.
+			if off == 0 {
+				s.Out = append(s.Out, tmp...)
+				if len(s.Out) >= s.DecompressLimit {
+					return fmt.Errorf("output size (%d) > DecompressLimit (%d)", len(s.Out), s.DecompressLimit)
+				}
+			}
+		}
+	} else {
+		for br.off >= 8 {
+			br.fillFast()
+			tmp[off+0] = s1.next()
+			tmp[off+1] = s2.next()
+			br.fillFast()
+			tmp[off+2] = s1.next()
+			tmp[off+3] = s2.next()
+			off += 4
+			if off == 0 {
+				s.Out = append(s.Out, tmp...)
+				// When off is 0, we have overflowed and should write.
+				if len(s.Out) >= s.DecompressLimit {
+					return fmt.Errorf("output size (%d) > DecompressLimit (%d)", len(s.Out), s.DecompressLimit)
+				}
+			}
+		}
+	}
+	s.Out = append(s.Out, tmp[:off]...)
+
+	// Final bits, a bit more expensive check
+	for {
+		if s1.finished() {
+			s.Out = append(s.Out, s1.final(), s2.final())
+			break
+		}
+		br.fill()
+		s.Out = append(s.Out, s1.next())
+		if s2.finished() {
+			s.Out = append(s.Out, s2.final(), s1.final())
+			break
+		}
+		s.Out = append(s.Out, s2.next())
+		if len(s.Out) >= s.DecompressLimit {
+			return fmt.Errorf("output size (%d) > DecompressLimit (%d)", len(s.Out), s.DecompressLimit)
+		}
+	}
+	return br.close()
+}
+
+// decoder keeps track of the current state and updates it from the bitstream.
+type decoder struct {
+	state uint16
+	br    *bitReader
+	dt    []decSymbol
+}
+
+// init will initialize the decoder and read the first state from the stream.
+func (d *decoder) init(in *bitReader, dt []decSymbol, tableLog uint8) {
+	d.dt = dt
+	d.br = in
+	d.state = in.getBits(tableLog)
+}
+
+// next returns the next symbol and sets the next state.
+// At least tablelog bits must be available in the bit reader.
+func (d *decoder) next() uint8 {
+	n := &d.dt[d.state]
+	lowBits := d.br.getBits(n.nbBits)
+	d.state = n.newState + lowBits
+	return n.symbol
+}
+
+// finished returns true if all bits have been read from the bitstream
+// and the next state would require reading bits from the input.
+func (d *decoder) finished() bool {
+	return d.br.finished() && d.dt[d.state].nbBits > 0
+}
+
+// final returns the current state symbol without decoding the next.
+func (d *decoder) final() uint8 {
+	return d.dt[d.state].symbol
+}
+
+// nextFast returns the next symbol and sets the next state.
+// This can only be used if no symbols are 0 bits.
+// At least tablelog bits must be available in the bit reader.
+func (d *decoder) nextFast() uint8 {
+	n := d.dt[d.state]
+	lowBits := d.br.getBitsFast(n.nbBits)
+	d.state = n.newState + lowBits
+	return n.symbol
+}
diff --git a/vendor/github.com/klauspost/compress/fse/fse.go b/vendor/github.com/klauspost/compress/fse/fse.go
new file mode 100644
index 0000000000..535cbadfde
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/fse/fse.go
@@ -0,0 +1,144 @@
+// Copyright 2018 Klaus Post. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Based on work Copyright (c) 2013, Yann Collet, released under BSD License.
+
+// Package fse provides Finite State Entropy encoding and decoding.
+//
+// Finite State Entropy encoding provides a fast near-optimal symbol encoding/decoding
+// for byte blocks as implemented in zstd.
+//
+// See https://github.com/klauspost/compress/tree/master/fse for more information.
+package fse
+
+import (
+	"errors"
+	"fmt"
+	"math/bits"
+)
+
+const (
+	/*!MEMORY_USAGE :
+	 *  Memory usage formula : N->2^N Bytes (examples : 10 -> 1KB; 12 -> 4KB ; 16 -> 64KB; 20 -> 1MB; etc.)
+	 *  Increasing memory usage improves compression ratio
+	 *  Reduced memory usage can improve speed, due to cache effect
+	 *  Recommended max value is 14, for 16KB, which nicely fits into Intel x86 L1 cache */
+	maxMemoryUsage     = 14
+	defaultMemoryUsage = 13
+
+	maxTableLog     = maxMemoryUsage - 2
+	maxTablesize    = 1 << maxTableLog
+	defaultTablelog = defaultMemoryUsage - 2
+	minTablelog     = 5
+	maxSymbolValue  = 255
+)
+
+var (
+	// ErrIncompressible is returned when input is judged to be too hard to compress.
+	ErrIncompressible = errors.New("input is not compressible")
+
+	// ErrUseRLE is returned from the compressor when the input is a single byte value repeated.
+	ErrUseRLE = errors.New("input is single value repeated")
+)
+
+// Scratch provides temporary storage for compression and decompression.
+type Scratch struct {
+	// Private
+	count    [maxSymbolValue + 1]uint32
+	norm     [maxSymbolValue + 1]int16
+	br       byteReader
+	bits     bitReader
+	bw       bitWriter
+	ct       cTable      // Compression tables.
+	decTable []decSymbol // Decompression table.
+	maxCount int         // count of the most probable symbol
+
+	// Per block parameters.
+	// These can be used to override compression parameters of the block.
+	// Do not touch, unless you know what you are doing.
+
+	// Out is output buffer.
+	// If the scratch is re-used before the caller is done processing the output,
+	// set this field to nil.
+	// Otherwise the output buffer will be re-used for next Compression/Decompression step
+	// and allocation will be avoided.
+	Out []byte
+
+	// DecompressLimit limits the maximum decoded size acceptable.
+	// If > 0 decompression will stop when approximately this many bytes
+	// has been decoded.
+	// If 0, maximum size will be 2GB.
+	DecompressLimit int
+
+	symbolLen      uint16 // Length of active part of the symbol table.
+	actualTableLog uint8  // Selected tablelog.
+	zeroBits       bool   // no bits has prob > 50%.
+	clearCount     bool   // clear count
+
+	// MaxSymbolValue will override the maximum symbol value of the next block.
+	MaxSymbolValue uint8
+
+	// TableLog will attempt to override the tablelog for the next block.
+	TableLog uint8
+}
+
+// Histogram allows to populate the histogram and skip that step in the compression,
+// It otherwise allows to inspect the histogram when compression is done.
+// To indicate that you have populated the histogram call HistogramFinished
+// with the value of the highest populated symbol, as well as the number of entries
+// in the most populated entry. These are accepted at face value.
+// The returned slice will always be length 256.
+func (s *Scratch) Histogram() []uint32 {
+	return s.count[:]
+}
+
+// HistogramFinished can be called to indicate that the histogram has been populated.
+// maxSymbol is the index of the highest set symbol of the next data segment.
+// maxCount is the number of entries in the most populated entry.
+// These are accepted at face value.
+func (s *Scratch) HistogramFinished(maxSymbol uint8, maxCount int) {
+	s.maxCount = maxCount
+	s.symbolLen = uint16(maxSymbol) + 1
+	s.clearCount = maxCount != 0
+}
+
+// prepare will prepare and allocate scratch tables used for both compression and decompression.
+func (s *Scratch) prepare(in []byte) (*Scratch, error) {
+	if s == nil {
+		s = &Scratch{}
+	}
+	if s.MaxSymbolValue == 0 {
+		s.MaxSymbolValue = 255
+	}
+	if s.TableLog == 0 {
+		s.TableLog = defaultTablelog
+	}
+	if s.TableLog > maxTableLog {
+		return nil, fmt.Errorf("tableLog (%d) > maxTableLog (%d)", s.TableLog, maxTableLog)
+	}
+	if cap(s.Out) == 0 {
+		s.Out = make([]byte, 0, len(in))
+	}
+	if s.clearCount && s.maxCount == 0 {
+		for i := range s.count {
+			s.count[i] = 0
+		}
+		s.clearCount = false
+	}
+	s.br.init(in)
+	if s.DecompressLimit == 0 {
+		// Max size 2GB.
+		s.DecompressLimit = (2 << 30) - 1
+	}
+
+	return s, nil
+}
+
+// tableStep returns the next table index.
+func tableStep(tableSize uint32) uint32 {
+	return (tableSize >> 1) + (tableSize >> 3) + 3
+}
+
+func highBits(val uint32) (n uint32) {
+	return uint32(bits.Len32(val) - 1)
+}
diff --git a/vendor/github.com/klauspost/compress/gen.sh b/vendor/github.com/klauspost/compress/gen.sh
new file mode 100644
index 0000000000..aff942205f
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/gen.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cd s2/cmd/_s2sx/ || exit 1
+go generate .
diff --git a/vendor/github.com/klauspost/compress/huff0/.gitignore b/vendor/github.com/klauspost/compress/huff0/.gitignore
new file mode 100644
index 0000000000..b3d262958f
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/.gitignore
@@ -0,0 +1 @@
+/huff0-fuzz.zip
diff --git a/vendor/github.com/klauspost/compress/huff0/README.md b/vendor/github.com/klauspost/compress/huff0/README.md
new file mode 100644
index 0000000000..8b6e5c6638
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/README.md
@@ -0,0 +1,89 @@
+# Huff0 entropy compression
+
+This package provides Huff0 encoding and decoding as used in zstd.
+            
+[Huff0](https://github.com/Cyan4973/FiniteStateEntropy#new-generation-entropy-coders), 
+a Huffman codec designed for modern CPU, featuring OoO (Out of Order) operations on multiple ALU 
+(Arithmetic Logic Unit), achieving extremely fast compression and decompression speeds.
+
+This can be used for compressing input with a lot of similar input values to the smallest number of bytes.
+This does not perform any multi-byte [dictionary coding](https://en.wikipedia.org/wiki/Dictionary_coder) as LZ coders,
+but it can be used as a secondary step to compressors (like Snappy) that does not do entropy encoding. 
+
+* [Godoc documentation](https://godoc.org/github.com/klauspost/compress/huff0)
+
+## News
+
+This is used as part of the [zstandard](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression and decompression package.
+
+This ensures that most functionality is well tested.
+
+# Usage
+
+This package provides a low level interface that allows to compress single independent blocks. 
+
+Each block is separate, and there is no built in integrity checks. 
+This means that the caller should keep track of block sizes and also do checksums if needed.  
+
+Compressing a block is done via the [`Compress1X`](https://godoc.org/github.com/klauspost/compress/huff0#Compress1X) and 
+[`Compress4X`](https://godoc.org/github.com/klauspost/compress/huff0#Compress4X) functions.
+You must provide input and will receive the output and maybe an error.
+
+These error values can be returned:
+
+| Error               | Description                                                                 |
+|---------------------|-----------------------------------------------------------------------------|
+| `<nil>`             | Everything ok, output is returned                                           |
+| `ErrIncompressible` | Returned when input is judged to be too hard to compress                    |
+| `ErrUseRLE`         | Returned from the compressor when the input is a single byte value repeated |
+| `ErrTooBig`         | Returned if the input block exceeds the maximum allowed size (128 Kib)      |
+| `(error)`           | An internal error occurred.                                                 |
+
+
+As can be seen above some of there are errors that will be returned even under normal operation so it is important to handle these.
+
+To reduce allocations you can provide a [`Scratch`](https://godoc.org/github.com/klauspost/compress/huff0#Scratch) object 
+that can be re-used for successive calls. Both compression and decompression accepts a `Scratch` object, and the same 
+object can be used for both.   
+
+Be aware, that when re-using a `Scratch` object that the *output* buffer is also re-used, so if you are still using this
+you must set the `Out` field in the scratch to nil. The same buffer is used for compression and decompression output.
+
+The `Scratch` object will retain state that allows to re-use previous tables for encoding and decoding.  
+
+## Tables and re-use
+
+Huff0 allows for reusing tables from the previous block to save space if that is expected to give better/faster results. 
+
+The Scratch object allows you to set a [`ReusePolicy`](https://godoc.org/github.com/klauspost/compress/huff0#ReusePolicy) 
+that controls this behaviour. See the documentation for details. This can be altered between each block.
+
+Do however note that this information is *not* stored in the output block and it is up to the users of the package to
+record whether [`ReadTable`](https://godoc.org/github.com/klauspost/compress/huff0#ReadTable) should be called,
+based on the boolean reported back from the CompressXX call. 
+
+If you want to store the table separate from the data, you can access them as `OutData` and `OutTable` on the 
+[`Scratch`](https://godoc.org/github.com/klauspost/compress/huff0#Scratch) object.
+
+## Decompressing
+
+The first part of decoding is to initialize the decoding table through [`ReadTable`](https://godoc.org/github.com/klauspost/compress/huff0#ReadTable).
+This will initialize the decoding tables. 
+You can supply the complete block to `ReadTable` and it will return the data part of the block 
+which can be given to the decompressor. 
+
+Decompressing is done by calling the [`Decompress1X`](https://godoc.org/github.com/klauspost/compress/huff0#Scratch.Decompress1X) 
+or [`Decompress4X`](https://godoc.org/github.com/klauspost/compress/huff0#Scratch.Decompress4X) function.
+
+For concurrently decompressing content with a fixed table a stateless [`Decoder`](https://godoc.org/github.com/klauspost/compress/huff0#Decoder) can be requested which will remain correct as long as the scratch is unchanged. The capacity of the provided slice indicates the expected output size.
+
+You must provide the output from the compression stage, at exactly the size you got back. If you receive an error back
+your input was likely corrupted. 
+
+It is important to note that a successful decoding does *not* mean your output matches your original input. 
+There are no integrity checks, so relying on errors from the decompressor does not assure your data is valid.
+
+# Contributing
+
+Contributions are always welcome. Be aware that adding public functions will require good justification and breaking 
+changes will likely not be accepted. If in doubt open an issue before writing the PR.
diff --git a/vendor/github.com/klauspost/compress/huff0/bitreader.go b/vendor/github.com/klauspost/compress/huff0/bitreader.go
new file mode 100644
index 0000000000..bfc7a523de
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/bitreader.go
@@ -0,0 +1,224 @@
+// Copyright 2018 Klaus Post. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Based on work Copyright (c) 2013, Yann Collet, released under BSD License.
+
+package huff0
+
+import (
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/klauspost/compress/internal/le"
+)
+
+// bitReader reads a bitstream in reverse.
+// The last set bit indicates the start of the stream and is used
+// for aligning the input.
+type bitReaderBytes struct {
+	in       []byte
+	off      uint // next byte to read is at in[off - 1]
+	value    uint64
+	bitsRead uint8
+}
+
+// init initializes and resets the bit reader.
+func (b *bitReaderBytes) init(in []byte) error {
+	if len(in) < 1 {
+		return errors.New("corrupt stream: too short")
+	}
+	b.in = in
+	b.off = uint(len(in))
+	// The highest bit of the last byte indicates where to start
+	v := in[len(in)-1]
+	if v == 0 {
+		return errors.New("corrupt stream, did not find end of stream")
+	}
+	b.bitsRead = 64
+	b.value = 0
+	if len(in) >= 8 {
+		b.fillFastStart()
+	} else {
+		b.fill()
+		b.fill()
+	}
+	b.advance(8 - uint8(highBit32(uint32(v))))
+	return nil
+}
+
+// peekByteFast requires that at least one byte is requested every time.
+// There are no checks if the buffer is filled.
+func (b *bitReaderBytes) peekByteFast() uint8 {
+	got := uint8(b.value >> 56)
+	return got
+}
+
+func (b *bitReaderBytes) advance(n uint8) {
+	b.bitsRead += n
+	b.value <<= n & 63
+}
+
+// fillFast() will make sure at least 32 bits are available.
+// There must be at least 4 bytes available.
+func (b *bitReaderBytes) fillFast() {
+	if b.bitsRead < 32 {
+		return
+	}
+
+	// 2 bounds checks.
+	low := le.Load32(b.in, b.off-4)
+	b.value |= uint64(low) << (b.bitsRead - 32)
+	b.bitsRead -= 32
+	b.off -= 4
+}
+
+// fillFastStart() assumes the bitReaderBytes is empty and there is at least 8 bytes to read.
+func (b *bitReaderBytes) fillFastStart() {
+	// Do single re-slice to avoid bounds checks.
+	b.value = le.Load64(b.in, b.off-8)
+	b.bitsRead = 0
+	b.off -= 8
+}
+
+// fill() will make sure at least 32 bits are available.
+func (b *bitReaderBytes) fill() {
+	if b.bitsRead < 32 {
+		return
+	}
+	if b.off >= 4 {
+		low := le.Load32(b.in, b.off-4)
+		b.value |= uint64(low) << (b.bitsRead - 32)
+		b.bitsRead -= 32
+		b.off -= 4
+		return
+	}
+	for b.off > 0 {
+		b.value |= uint64(b.in[b.off-1]) << (b.bitsRead - 8)
+		b.bitsRead -= 8
+		b.off--
+	}
+}
+
+// finished returns true if all bits have been read from the bit stream.
+func (b *bitReaderBytes) finished() bool {
+	return b.off == 0 && b.bitsRead >= 64
+}
+
+func (b *bitReaderBytes) remaining() uint {
+	return b.off*8 + uint(64-b.bitsRead)
+}
+
+// close the bitstream and returns an error if out-of-buffer reads occurred.
+func (b *bitReaderBytes) close() error {
+	// Release reference.
+	b.in = nil
+	if b.remaining() > 0 {
+		return fmt.Errorf("corrupt input: %d bits remain on stream", b.remaining())
+	}
+	if b.bitsRead > 64 {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+
+// bitReaderShifted reads a bitstream in reverse.
+// The last set bit indicates the start of the stream and is used
+// for aligning the input.
+type bitReaderShifted struct {
+	in       []byte
+	off      uint // next byte to read is at in[off - 1]
+	value    uint64
+	bitsRead uint8
+}
+
+// init initializes and resets the bit reader.
+func (b *bitReaderShifted) init(in []byte) error {
+	if len(in) < 1 {
+		return errors.New("corrupt stream: too short")
+	}
+	b.in = in
+	b.off = uint(len(in))
+	// The highest bit of the last byte indicates where to start
+	v := in[len(in)-1]
+	if v == 0 {
+		return errors.New("corrupt stream, did not find end of stream")
+	}
+	b.bitsRead = 64
+	b.value = 0
+	if len(in) >= 8 {
+		b.fillFastStart()
+	} else {
+		b.fill()
+		b.fill()
+	}
+	b.advance(8 - uint8(highBit32(uint32(v))))
+	return nil
+}
+
+// peekBitsFast requires that at least one bit is requested every time.
+// There are no checks if the buffer is filled.
+func (b *bitReaderShifted) peekBitsFast(n uint8) uint16 {
+	return uint16(b.value >> ((64 - n) & 63))
+}
+
+func (b *bitReaderShifted) advance(n uint8) {
+	b.bitsRead += n
+	b.value <<= n & 63
+}
+
+// fillFast() will make sure at least 32 bits are available.
+// There must be at least 4 bytes available.
+func (b *bitReaderShifted) fillFast() {
+	if b.bitsRead < 32 {
+		return
+	}
+
+	low := le.Load32(b.in, b.off-4)
+	b.value |= uint64(low) << ((b.bitsRead - 32) & 63)
+	b.bitsRead -= 32
+	b.off -= 4
+}
+
+// fillFastStart() assumes the bitReaderShifted is empty and there is at least 8 bytes to read.
+func (b *bitReaderShifted) fillFastStart() {
+	b.value = le.Load64(b.in, b.off-8)
+	b.bitsRead = 0
+	b.off -= 8
+}
+
+// fill() will make sure at least 32 bits are available.
+func (b *bitReaderShifted) fill() {
+	if b.bitsRead < 32 {
+		return
+	}
+	if b.off > 4 {
+		low := le.Load32(b.in, b.off-4)
+		b.value |= uint64(low) << ((b.bitsRead - 32) & 63)
+		b.bitsRead -= 32
+		b.off -= 4
+		return
+	}
+	for b.off > 0 {
+		b.value |= uint64(b.in[b.off-1]) << ((b.bitsRead - 8) & 63)
+		b.bitsRead -= 8
+		b.off--
+	}
+}
+
+func (b *bitReaderShifted) remaining() uint {
+	return b.off*8 + uint(64-b.bitsRead)
+}
+
+// close the bitstream and returns an error if out-of-buffer reads occurred.
+func (b *bitReaderShifted) close() error {
+	// Release reference.
+	b.in = nil
+	if b.remaining() > 0 {
+		return fmt.Errorf("corrupt input: %d bits remain on stream", b.remaining())
+	}
+	if b.bitsRead > 64 {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
diff --git a/vendor/github.com/klauspost/compress/huff0/bitwriter.go b/vendor/github.com/klauspost/compress/huff0/bitwriter.go
new file mode 100644
index 0000000000..0ebc9aaac7
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/bitwriter.go
@@ -0,0 +1,102 @@
+// Copyright 2018 Klaus Post. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Based on work Copyright (c) 2013, Yann Collet, released under BSD License.
+
+package huff0
+
+// bitWriter will write bits.
+// First bit will be LSB of the first byte of output.
+type bitWriter struct {
+	bitContainer uint64
+	nBits        uint8
+	out          []byte
+}
+
+// addBits16Clean will add up to 16 bits. value may not contain more set bits than indicated.
+// It will not check if there is space for them, so the caller must ensure that it has flushed recently.
+func (b *bitWriter) addBits16Clean(value uint16, bits uint8) {
+	b.bitContainer |= uint64(value) << (b.nBits & 63)
+	b.nBits += bits
+}
+
+// encSymbol will add up to 16 bits. value may not contain more set bits than indicated.
+// It will not check if there is space for them, so the caller must ensure that it has flushed recently.
+func (b *bitWriter) encSymbol(ct cTable, symbol byte) {
+	enc := ct[symbol]
+	b.bitContainer |= uint64(enc.val) << (b.nBits & 63)
+	if false {
+		if enc.nBits == 0 {
+			panic("nbits 0")
+		}
+	}
+	b.nBits += enc.nBits
+}
+
+// encTwoSymbols will add up to 32 bits. value may not contain more set bits than indicated.
+// It will not check if there is space for them, so the caller must ensure that it has flushed recently.
+func (b *bitWriter) encTwoSymbols(ct cTable, av, bv byte) {
+	encA := ct[av]
+	encB := ct[bv]
+	sh := b.nBits & 63
+	combined := uint64(encA.val) | (uint64(encB.val) << (encA.nBits & 63))
+	b.bitContainer |= combined << sh
+	if false {
+		if encA.nBits == 0 {
+			panic("nbitsA 0")
+		}
+		if encB.nBits == 0 {
+			panic("nbitsB 0")
+		}
+	}
+	b.nBits += encA.nBits + encB.nBits
+}
+
+// encFourSymbols adds up to 32 bits from four symbols.
+// It will not check if there is space for them,
+// so the caller must ensure that b has been flushed recently.
+func (b *bitWriter) encFourSymbols(encA, encB, encC, encD cTableEntry) {
+	bitsA := encA.nBits
+	bitsB := bitsA + encB.nBits
+	bitsC := bitsB + encC.nBits
+	bitsD := bitsC + encD.nBits
+	combined := uint64(encA.val) |
+		(uint64(encB.val) << (bitsA & 63)) |
+		(uint64(encC.val) << (bitsB & 63)) |
+		(uint64(encD.val) << (bitsC & 63))
+	b.bitContainer |= combined << (b.nBits & 63)
+	b.nBits += bitsD
+}
+
+// flush32 will flush out, so there are at least 32 bits available for writing.
+func (b *bitWriter) flush32() {
+	if b.nBits < 32 {
+		return
+	}
+	b.out = append(b.out,
+		byte(b.bitContainer),
+		byte(b.bitContainer>>8),
+		byte(b.bitContainer>>16),
+		byte(b.bitContainer>>24))
+	b.nBits -= 32
+	b.bitContainer >>= 32
+}
+
+// flushAlign will flush remaining full bytes and align to next byte boundary.
+func (b *bitWriter) flushAlign() {
+	nbBytes := (b.nBits + 7) >> 3
+	for i := uint8(0); i < nbBytes; i++ {
+		b.out = append(b.out, byte(b.bitContainer>>(i*8)))
+	}
+	b.nBits = 0
+	b.bitContainer = 0
+}
+
+// close will write the alignment bit and write the final byte(s)
+// to the output.
+func (b *bitWriter) close() {
+	// End mark
+	b.addBits16Clean(1, 1)
+	// flush until next byte.
+	b.flushAlign()
+}
diff --git a/vendor/github.com/klauspost/compress/huff0/compress.go b/vendor/github.com/klauspost/compress/huff0/compress.go
new file mode 100644
index 0000000000..84aa3d12f0
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/compress.go
@@ -0,0 +1,742 @@
+package huff0
+
+import (
+	"fmt"
+	"math"
+	"runtime"
+	"sync"
+)
+
+// Compress1X will compress the input.
+// The output can be decoded using Decompress1X.
+// Supply a Scratch object. The scratch object contains state about re-use,
+// So when sharing across independent encodes, be sure to set the re-use policy.
+func Compress1X(in []byte, s *Scratch) (out []byte, reUsed bool, err error) {
+	s, err = s.prepare(in)
+	if err != nil {
+		return nil, false, err
+	}
+	return compress(in, s, s.compress1X)
+}
+
+// Compress4X will compress the input. The input is split into 4 independent blocks
+// and compressed similar to Compress1X.
+// The output can be decoded using Decompress4X.
+// Supply a Scratch object. The scratch object contains state about re-use,
+// So when sharing across independent encodes, be sure to set the re-use policy.
+func Compress4X(in []byte, s *Scratch) (out []byte, reUsed bool, err error) {
+	s, err = s.prepare(in)
+	if err != nil {
+		return nil, false, err
+	}
+	if false {
+		// TODO: compress4Xp only slightly faster.
+		const parallelThreshold = 8 << 10
+		if len(in) < parallelThreshold || runtime.GOMAXPROCS(0) == 1 {
+			return compress(in, s, s.compress4X)
+		}
+		return compress(in, s, s.compress4Xp)
+	}
+	return compress(in, s, s.compress4X)
+}
+
+func compress(in []byte, s *Scratch, compressor func(src []byte) ([]byte, error)) (out []byte, reUsed bool, err error) {
+	// Nuke previous table if we cannot reuse anyway.
+	if s.Reuse == ReusePolicyNone {
+		s.prevTable = s.prevTable[:0]
+	}
+
+	// Create histogram, if none was provided.
+	maxCount := s.maxCount
+	var canReuse = false
+	if maxCount == 0 {
+		maxCount, canReuse = s.countSimple(in)
+	} else {
+		canReuse = s.canUseTable(s.prevTable)
+	}
+
+	// We want the output size to be less than this:
+	wantSize := len(in)
+	if s.WantLogLess > 0 {
+		wantSize -= wantSize >> s.WantLogLess
+	}
+
+	// Reset for next run.
+	s.clearCount = true
+	s.maxCount = 0
+	if maxCount >= len(in) {
+		if maxCount > len(in) {
+			return nil, false, fmt.Errorf("maxCount (%d) > length (%d)", maxCount, len(in))
+		}
+		if len(in) == 1 {
+			return nil, false, ErrIncompressible
+		}
+		// One symbol, use RLE
+		return nil, false, ErrUseRLE
+	}
+	if maxCount == 1 || maxCount < (len(in)>>7) {
+		// Each symbol present maximum once or too well distributed.
+		return nil, false, ErrIncompressible
+	}
+	if s.Reuse == ReusePolicyMust && !canReuse {
+		// We must reuse, but we can't.
+		return nil, false, ErrIncompressible
+	}
+	if (s.Reuse == ReusePolicyPrefer || s.Reuse == ReusePolicyMust) && canReuse {
+		keepTable := s.cTable
+		keepTL := s.actualTableLog
+		s.cTable = s.prevTable
+		s.actualTableLog = s.prevTableLog
+		s.Out, err = compressor(in)
+		s.cTable = keepTable
+		s.actualTableLog = keepTL
+		if err == nil && len(s.Out) < wantSize {
+			s.OutData = s.Out
+			return s.Out, true, nil
+		}
+		if s.Reuse == ReusePolicyMust {
+			return nil, false, ErrIncompressible
+		}
+		// Do not attempt to re-use later.
+		s.prevTable = s.prevTable[:0]
+	}
+
+	// Calculate new table.
+	err = s.buildCTable()
+	if err != nil {
+		return nil, false, err
+	}
+
+	if false && !s.canUseTable(s.cTable) {
+		panic("invalid table generated")
+	}
+
+	if s.Reuse == ReusePolicyAllow && canReuse {
+		hSize := len(s.Out)
+		oldSize := s.prevTable.estimateSize(s.count[:s.symbolLen])
+		newSize := s.cTable.estimateSize(s.count[:s.symbolLen])
+		if oldSize <= hSize+newSize || hSize+12 >= wantSize {
+			// Retain cTable even if we re-use.
+			keepTable := s.cTable
+			keepTL := s.actualTableLog
+
+			s.cTable = s.prevTable
+			s.actualTableLog = s.prevTableLog
+			s.Out, err = compressor(in)
+
+			// Restore ctable.
+			s.cTable = keepTable
+			s.actualTableLog = keepTL
+			if err != nil {
+				return nil, false, err
+			}
+			if len(s.Out) >= wantSize {
+				return nil, false, ErrIncompressible
+			}
+			s.OutData = s.Out
+			return s.Out, true, nil
+		}
+	}
+
+	// Use new table
+	err = s.cTable.write(s)
+	if err != nil {
+		s.OutTable = nil
+		return nil, false, err
+	}
+	s.OutTable = s.Out
+
+	// Compress using new table
+	s.Out, err = compressor(in)
+	if err != nil {
+		s.OutTable = nil
+		return nil, false, err
+	}
+	if len(s.Out) >= wantSize {
+		s.OutTable = nil
+		return nil, false, ErrIncompressible
+	}
+	// Move current table into previous.
+	s.prevTable, s.prevTableLog, s.cTable = s.cTable, s.actualTableLog, s.prevTable[:0]
+	s.OutData = s.Out[len(s.OutTable):]
+	return s.Out, false, nil
+}
+
+// EstimateSizes will estimate the data sizes
+func EstimateSizes(in []byte, s *Scratch) (tableSz, dataSz, reuseSz int, err error) {
+	s, err = s.prepare(in)
+	if err != nil {
+		return 0, 0, 0, err
+	}
+
+	// Create histogram, if none was provided.
+	tableSz, dataSz, reuseSz = -1, -1, -1
+	maxCount := s.maxCount
+	var canReuse = false
+	if maxCount == 0 {
+		maxCount, canReuse = s.countSimple(in)
+	} else {
+		canReuse = s.canUseTable(s.prevTable)
+	}
+
+	// We want the output size to be less than this:
+	wantSize := len(in)
+	if s.WantLogLess > 0 {
+		wantSize -= wantSize >> s.WantLogLess
+	}
+
+	// Reset for next run.
+	s.clearCount = true
+	s.maxCount = 0
+	if maxCount >= len(in) {
+		if maxCount > len(in) {
+			return 0, 0, 0, fmt.Errorf("maxCount (%d) > length (%d)", maxCount, len(in))
+		}
+		if len(in) == 1 {
+			return 0, 0, 0, ErrIncompressible
+		}
+		// One symbol, use RLE
+		return 0, 0, 0, ErrUseRLE
+	}
+	if maxCount == 1 || maxCount < (len(in)>>7) {
+		// Each symbol present maximum once or too well distributed.
+		return 0, 0, 0, ErrIncompressible
+	}
+
+	// Calculate new table.
+	err = s.buildCTable()
+	if err != nil {
+		return 0, 0, 0, err
+	}
+
+	if false && !s.canUseTable(s.cTable) {
+		panic("invalid table generated")
+	}
+
+	tableSz, err = s.cTable.estTableSize(s)
+	if err != nil {
+		return 0, 0, 0, err
+	}
+	if canReuse {
+		reuseSz = s.prevTable.estimateSize(s.count[:s.symbolLen])
+	}
+	dataSz = s.cTable.estimateSize(s.count[:s.symbolLen])
+
+	// Restore
+	return tableSz, dataSz, reuseSz, nil
+}
+
+func (s *Scratch) compress1X(src []byte) ([]byte, error) {
+	return s.compress1xDo(s.Out, src), nil
+}
+
+func (s *Scratch) compress1xDo(dst, src []byte) []byte {
+	var bw = bitWriter{out: dst}
+
+	// N is length divisible by 4.
+	n := len(src)
+	n -= n & 3
+	cTable := s.cTable[:256]
+
+	// Encode last bytes.
+	for i := len(src) & 3; i > 0; i-- {
+		bw.encSymbol(cTable, src[n+i-1])
+	}
+	n -= 4
+	if s.actualTableLog <= 8 {
+		for ; n >= 0; n -= 4 {
+			tmp := src[n : n+4]
+			// tmp should be len 4
+			bw.flush32()
+			bw.encFourSymbols(cTable[tmp[3]], cTable[tmp[2]], cTable[tmp[1]], cTable[tmp[0]])
+		}
+	} else {
+		for ; n >= 0; n -= 4 {
+			tmp := src[n : n+4]
+			// tmp should be len 4
+			bw.flush32()
+			bw.encTwoSymbols(cTable, tmp[3], tmp[2])
+			bw.flush32()
+			bw.encTwoSymbols(cTable, tmp[1], tmp[0])
+		}
+	}
+	bw.close()
+	return bw.out
+}
+
+var sixZeros [6]byte
+
+func (s *Scratch) compress4X(src []byte) ([]byte, error) {
+	if len(src) < 12 {
+		return nil, ErrIncompressible
+	}
+	segmentSize := (len(src) + 3) / 4
+
+	// Add placeholder for output length
+	offsetIdx := len(s.Out)
+	s.Out = append(s.Out, sixZeros[:]...)
+
+	for i := 0; i < 4; i++ {
+		toDo := src
+		if len(toDo) > segmentSize {
+			toDo = toDo[:segmentSize]
+		}
+		src = src[len(toDo):]
+
+		idx := len(s.Out)
+		s.Out = s.compress1xDo(s.Out, toDo)
+		if len(s.Out)-idx > math.MaxUint16 {
+			// We cannot store the size in the jump table
+			return nil, ErrIncompressible
+		}
+		// Write compressed length as little endian before block.
+		if i < 3 {
+			// Last length is not written.
+			length := len(s.Out) - idx
+			s.Out[i*2+offsetIdx] = byte(length)
+			s.Out[i*2+offsetIdx+1] = byte(length >> 8)
+		}
+	}
+
+	return s.Out, nil
+}
+
+// compress4Xp will compress 4 streams using separate goroutines.
+func (s *Scratch) compress4Xp(src []byte) ([]byte, error) {
+	if len(src) < 12 {
+		return nil, ErrIncompressible
+	}
+	// Add placeholder for output length
+	s.Out = s.Out[:6]
+
+	segmentSize := (len(src) + 3) / 4
+	var wg sync.WaitGroup
+	wg.Add(4)
+	for i := 0; i < 4; i++ {
+		toDo := src
+		if len(toDo) > segmentSize {
+			toDo = toDo[:segmentSize]
+		}
+		src = src[len(toDo):]
+
+		// Separate goroutine for each block.
+		go func(i int) {
+			s.tmpOut[i] = s.compress1xDo(s.tmpOut[i][:0], toDo)
+			wg.Done()
+		}(i)
+	}
+	wg.Wait()
+	for i := 0; i < 4; i++ {
+		o := s.tmpOut[i]
+		if len(o) > math.MaxUint16 {
+			// We cannot store the size in the jump table
+			return nil, ErrIncompressible
+		}
+		// Write compressed length as little endian before block.
+		if i < 3 {
+			// Last length is not written.
+			s.Out[i*2] = byte(len(o))
+			s.Out[i*2+1] = byte(len(o) >> 8)
+		}
+
+		// Write output.
+		s.Out = append(s.Out, o...)
+	}
+	return s.Out, nil
+}
+
+// countSimple will create a simple histogram in s.count.
+// Returns the biggest count.
+// Does not update s.clearCount.
+func (s *Scratch) countSimple(in []byte) (max int, reuse bool) {
+	reuse = true
+	_ = s.count // Assert that s != nil to speed up the following loop.
+	for _, v := range in {
+		s.count[v]++
+	}
+	m := uint32(0)
+	if len(s.prevTable) > 0 {
+		for i, v := range s.count[:] {
+			if v == 0 {
+				continue
+			}
+			if v > m {
+				m = v
+			}
+			s.symbolLen = uint16(i) + 1
+			if i >= len(s.prevTable) {
+				reuse = false
+			} else if s.prevTable[i].nBits == 0 {
+				reuse = false
+			}
+		}
+		return int(m), reuse
+	}
+	for i, v := range s.count[:] {
+		if v == 0 {
+			continue
+		}
+		if v > m {
+			m = v
+		}
+		s.symbolLen = uint16(i) + 1
+	}
+	return int(m), false
+}
+
+func (s *Scratch) canUseTable(c cTable) bool {
+	if len(c) < int(s.symbolLen) {
+		return false
+	}
+	for i, v := range s.count[:s.symbolLen] {
+		if v != 0 && c[i].nBits == 0 {
+			return false
+		}
+	}
+	return true
+}
+
+//lint:ignore U1000 used for debugging
+func (s *Scratch) validateTable(c cTable) bool {
+	if len(c) < int(s.symbolLen) {
+		return false
+	}
+	for i, v := range s.count[:s.symbolLen] {
+		if v != 0 {
+			if c[i].nBits == 0 {
+				return false
+			}
+			if c[i].nBits > s.actualTableLog {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+// minTableLog provides the minimum logSize to safely represent a distribution.
+func (s *Scratch) minTableLog() uint8 {
+	minBitsSrc := highBit32(uint32(s.srcLen)) + 1
+	minBitsSymbols := highBit32(uint32(s.symbolLen-1)) + 2
+	if minBitsSrc < minBitsSymbols {
+		return uint8(minBitsSrc)
+	}
+	return uint8(minBitsSymbols)
+}
+
+// optimalTableLog calculates and sets the optimal tableLog in s.actualTableLog
+func (s *Scratch) optimalTableLog() {
+	tableLog := s.TableLog
+	minBits := s.minTableLog()
+	maxBitsSrc := uint8(highBit32(uint32(s.srcLen-1))) - 1
+	if maxBitsSrc < tableLog {
+		// Accuracy can be reduced
+		tableLog = maxBitsSrc
+	}
+	if minBits > tableLog {
+		tableLog = minBits
+	}
+	// Need a minimum to safely represent all symbol values
+	if tableLog < minTablelog {
+		tableLog = minTablelog
+	}
+	if tableLog > tableLogMax {
+		tableLog = tableLogMax
+	}
+	s.actualTableLog = tableLog
+}
+
+type cTableEntry struct {
+	val   uint16
+	nBits uint8
+	// We have 8 bits extra
+}
+
+const huffNodesMask = huffNodesLen - 1
+
+func (s *Scratch) buildCTable() error {
+	s.optimalTableLog()
+	s.huffSort()
+	if cap(s.cTable) < maxSymbolValue+1 {
+		s.cTable = make([]cTableEntry, s.symbolLen, maxSymbolValue+1)
+	} else {
+		s.cTable = s.cTable[:s.symbolLen]
+		for i := range s.cTable {
+			s.cTable[i] = cTableEntry{}
+		}
+	}
+
+	var startNode = int16(s.symbolLen)
+	nonNullRank := s.symbolLen - 1
+
+	nodeNb := startNode
+	huffNode := s.nodes[1 : huffNodesLen+1]
+
+	// This overlays the slice above, but allows "-1" index lookups.
+	// Different from reference implementation.
+	huffNode0 := s.nodes[0 : huffNodesLen+1]
+
+	for huffNode[nonNullRank].count() == 0 {
+		nonNullRank--
+	}
+
+	lowS := int16(nonNullRank)
+	nodeRoot := nodeNb + lowS - 1
+	lowN := nodeNb
+	huffNode[nodeNb].setCount(huffNode[lowS].count() + huffNode[lowS-1].count())
+	huffNode[lowS].setParent(nodeNb)
+	huffNode[lowS-1].setParent(nodeNb)
+	nodeNb++
+	lowS -= 2
+	for n := nodeNb; n <= nodeRoot; n++ {
+		huffNode[n].setCount(1 << 30)
+	}
+	// fake entry, strong barrier
+	huffNode0[0].setCount(1 << 31)
+
+	// create parents
+	for nodeNb <= nodeRoot {
+		var n1, n2 int16
+		if huffNode0[lowS+1].count() < huffNode0[lowN+1].count() {
+			n1 = lowS
+			lowS--
+		} else {
+			n1 = lowN
+			lowN++
+		}
+		if huffNode0[lowS+1].count() < huffNode0[lowN+1].count() {
+			n2 = lowS
+			lowS--
+		} else {
+			n2 = lowN
+			lowN++
+		}
+
+		huffNode[nodeNb].setCount(huffNode0[n1+1].count() + huffNode0[n2+1].count())
+		huffNode0[n1+1].setParent(nodeNb)
+		huffNode0[n2+1].setParent(nodeNb)
+		nodeNb++
+	}
+
+	// distribute weights (unlimited tree height)
+	huffNode[nodeRoot].setNbBits(0)
+	for n := nodeRoot - 1; n >= startNode; n-- {
+		huffNode[n].setNbBits(huffNode[huffNode[n].parent()].nbBits() + 1)
+	}
+	for n := uint16(0); n <= nonNullRank; n++ {
+		huffNode[n].setNbBits(huffNode[huffNode[n].parent()].nbBits() + 1)
+	}
+	s.actualTableLog = s.setMaxHeight(int(nonNullRank))
+	maxNbBits := s.actualTableLog
+
+	// fill result into tree (val, nbBits)
+	if maxNbBits > tableLogMax {
+		return fmt.Errorf("internal error: maxNbBits (%d) > tableLogMax (%d)", maxNbBits, tableLogMax)
+	}
+	var nbPerRank [tableLogMax + 1]uint16
+	var valPerRank [16]uint16
+	for _, v := range huffNode[:nonNullRank+1] {
+		nbPerRank[v.nbBits()]++
+	}
+	// determine stating value per rank
+	{
+		min := uint16(0)
+		for n := maxNbBits; n > 0; n-- {
+			// get starting value within each rank
+			valPerRank[n] = min
+			min += nbPerRank[n]
+			min >>= 1
+		}
+	}
+
+	// push nbBits per symbol, symbol order
+	for _, v := range huffNode[:nonNullRank+1] {
+		s.cTable[v.symbol()].nBits = v.nbBits()
+	}
+
+	// assign value within rank, symbol order
+	t := s.cTable[:s.symbolLen]
+	for n, val := range t {
+		nbits := val.nBits & 15
+		v := valPerRank[nbits]
+		t[n].val = v
+		valPerRank[nbits] = v + 1
+	}
+
+	return nil
+}
+
+// huffSort will sort symbols, decreasing order.
+func (s *Scratch) huffSort() {
+	type rankPos struct {
+		base    uint32
+		current uint32
+	}
+
+	// Clear nodes
+	nodes := s.nodes[:huffNodesLen+1]
+	s.nodes = nodes
+	nodes = nodes[1 : huffNodesLen+1]
+
+	// Sort into buckets based on length of symbol count.
+	var rank [32]rankPos
+	for _, v := range s.count[:s.symbolLen] {
+		r := highBit32(v+1) & 31
+		rank[r].base++
+	}
+	// maxBitLength is log2(BlockSizeMax) + 1
+	const maxBitLength = 18 + 1
+	for n := maxBitLength; n > 0; n-- {
+		rank[n-1].base += rank[n].base
+	}
+	for n := range rank[:maxBitLength] {
+		rank[n].current = rank[n].base
+	}
+	for n, c := range s.count[:s.symbolLen] {
+		r := (highBit32(c+1) + 1) & 31
+		pos := rank[r].current
+		rank[r].current++
+		prev := nodes[(pos-1)&huffNodesMask]
+		for pos > rank[r].base && c > prev.count() {
+			nodes[pos&huffNodesMask] = prev
+			pos--
+			prev = nodes[(pos-1)&huffNodesMask]
+		}
+		nodes[pos&huffNodesMask] = makeNodeElt(c, byte(n))
+	}
+}
+
+func (s *Scratch) setMaxHeight(lastNonNull int) uint8 {
+	maxNbBits := s.actualTableLog
+	huffNode := s.nodes[1 : huffNodesLen+1]
+	//huffNode = huffNode[: huffNodesLen]
+
+	largestBits := huffNode[lastNonNull].nbBits()
+
+	// early exit : no elt > maxNbBits
+	if largestBits <= maxNbBits {
+		return largestBits
+	}
+	totalCost := int(0)
+	baseCost := int(1) << (largestBits - maxNbBits)
+	n := uint32(lastNonNull)
+
+	for huffNode[n].nbBits() > maxNbBits {
+		totalCost += baseCost - (1 << (largestBits - huffNode[n].nbBits()))
+		huffNode[n].setNbBits(maxNbBits)
+		n--
+	}
+	// n stops at huffNode[n].nbBits <= maxNbBits
+
+	for huffNode[n].nbBits() == maxNbBits {
+		n--
+	}
+	// n end at index of smallest symbol using < maxNbBits
+
+	// renorm totalCost
+	totalCost >>= largestBits - maxNbBits /* note : totalCost is necessarily a multiple of baseCost */
+
+	// repay normalized cost
+	{
+		const noSymbol = 0xF0F0F0F0
+		var rankLast [tableLogMax + 2]uint32
+
+		for i := range rankLast[:] {
+			rankLast[i] = noSymbol
+		}
+
+		// Get pos of last (smallest) symbol per rank
+		{
+			currentNbBits := maxNbBits
+			for pos := int(n); pos >= 0; pos-- {
+				if huffNode[pos].nbBits() >= currentNbBits {
+					continue
+				}
+				currentNbBits = huffNode[pos].nbBits() // < maxNbBits
+				rankLast[maxNbBits-currentNbBits] = uint32(pos)
+			}
+		}
+
+		for totalCost > 0 {
+			nBitsToDecrease := uint8(highBit32(uint32(totalCost))) + 1
+
+			for ; nBitsToDecrease > 1; nBitsToDecrease-- {
+				highPos := rankLast[nBitsToDecrease]
+				lowPos := rankLast[nBitsToDecrease-1]
+				if highPos == noSymbol {
+					continue
+				}
+				if lowPos == noSymbol {
+					break
+				}
+				highTotal := huffNode[highPos].count()
+				lowTotal := 2 * huffNode[lowPos].count()
+				if highTotal <= lowTotal {
+					break
+				}
+			}
+			// only triggered when no more rank 1 symbol left => find closest one (note : there is necessarily at least one !)
+			// HUF_MAX_TABLELOG test just to please gcc 5+; but it should not be necessary
+			// FIXME: try to remove
+			for (nBitsToDecrease <= tableLogMax) && (rankLast[nBitsToDecrease] == noSymbol) {
+				nBitsToDecrease++
+			}
+			totalCost -= 1 << (nBitsToDecrease - 1)
+			if rankLast[nBitsToDecrease-1] == noSymbol {
+				// this rank is no longer empty
+				rankLast[nBitsToDecrease-1] = rankLast[nBitsToDecrease]
+			}
+			huffNode[rankLast[nBitsToDecrease]].setNbBits(1 +
+				huffNode[rankLast[nBitsToDecrease]].nbBits())
+			if rankLast[nBitsToDecrease] == 0 {
+				/* special case, reached largest symbol */
+				rankLast[nBitsToDecrease] = noSymbol
+			} else {
+				rankLast[nBitsToDecrease]--
+				if huffNode[rankLast[nBitsToDecrease]].nbBits() != maxNbBits-nBitsToDecrease {
+					rankLast[nBitsToDecrease] = noSymbol /* this rank is now empty */
+				}
+			}
+		}
+
+		for totalCost < 0 { /* Sometimes, cost correction overshoot */
+			if rankLast[1] == noSymbol { /* special case : no rank 1 symbol (using maxNbBits-1); let's create one from largest rank 0 (using maxNbBits) */
+				for huffNode[n].nbBits() == maxNbBits {
+					n--
+				}
+				huffNode[n+1].setNbBits(huffNode[n+1].nbBits() - 1)
+				rankLast[1] = n + 1
+				totalCost++
+				continue
+			}
+			huffNode[rankLast[1]+1].setNbBits(huffNode[rankLast[1]+1].nbBits() - 1)
+			rankLast[1]++
+			totalCost++
+		}
+	}
+	return maxNbBits
+}
+
+// A nodeElt is the fields
+//
+//	count  uint32
+//	parent uint16
+//	symbol byte
+//	nbBits uint8
+//
+// in some order, all squashed into an integer so that the compiler
+// always loads and stores entire nodeElts instead of separate fields.
+type nodeElt uint64
+
+func makeNodeElt(count uint32, symbol byte) nodeElt {
+	return nodeElt(count) | nodeElt(symbol)<<48
+}
+
+func (e *nodeElt) count() uint32  { return uint32(*e) }
+func (e *nodeElt) parent() uint16 { return uint16(*e >> 32) }
+func (e *nodeElt) symbol() byte   { return byte(*e >> 48) }
+func (e *nodeElt) nbBits() uint8  { return uint8(*e >> 56) }
+
+func (e *nodeElt) setCount(c uint32) { *e = (*e)&0xffffffff00000000 | nodeElt(c) }
+func (e *nodeElt) setParent(p int16) { *e = (*e)&0xffff0000ffffffff | nodeElt(uint16(p))<<32 }
+func (e *nodeElt) setNbBits(n uint8) { *e = (*e)&0x00ffffffffffffff | nodeElt(n)<<56 }
diff --git a/vendor/github.com/klauspost/compress/huff0/decompress.go b/vendor/github.com/klauspost/compress/huff0/decompress.go
new file mode 100644
index 0000000000..0f56b02d74
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/decompress.go
@@ -0,0 +1,1167 @@
+package huff0
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"sync"
+
+	"github.com/klauspost/compress/fse"
+)
+
+type dTable struct {
+	single []dEntrySingle
+}
+
+// single-symbols decoding
+type dEntrySingle struct {
+	entry uint16
+}
+
+// Uses special code for all tables that are < 8 bits.
+const use8BitTables = true
+
+// ReadTable will read a table from the input.
+// The size of the input may be larger than the table definition.
+// Any content remaining after the table definition will be returned.
+// If no Scratch is provided a new one is allocated.
+// The returned Scratch can be used for encoding or decoding input using this table.
+func ReadTable(in []byte, s *Scratch) (s2 *Scratch, remain []byte, err error) {
+	s, err = s.prepare(nil)
+	if err != nil {
+		return s, nil, err
+	}
+	if len(in) <= 1 {
+		return s, nil, errors.New("input too small for table")
+	}
+	iSize := in[0]
+	in = in[1:]
+	if iSize >= 128 {
+		// Uncompressed
+		oSize := iSize - 127
+		iSize = (oSize + 1) / 2
+		if int(iSize) > len(in) {
+			return s, nil, errors.New("input too small for table")
+		}
+		for n := uint8(0); n < oSize; n += 2 {
+			v := in[n/2]
+			s.huffWeight[n] = v >> 4
+			s.huffWeight[n+1] = v & 15
+		}
+		s.symbolLen = uint16(oSize)
+		in = in[iSize:]
+	} else {
+		if len(in) < int(iSize) {
+			return s, nil, fmt.Errorf("input too small for table, want %d bytes, have %d", iSize, len(in))
+		}
+		// FSE compressed weights
+		s.fse.DecompressLimit = 255
+		hw := s.huffWeight[:]
+		s.fse.Out = hw
+		b, err := fse.Decompress(in[:iSize], s.fse)
+		s.fse.Out = nil
+		if err != nil {
+			return s, nil, fmt.Errorf("fse decompress returned: %w", err)
+		}
+		if len(b) > 255 {
+			return s, nil, errors.New("corrupt input: output table too large")
+		}
+		s.symbolLen = uint16(len(b))
+		in = in[iSize:]
+	}
+
+	// collect weight stats
+	var rankStats [16]uint32
+	weightTotal := uint32(0)
+	for _, v := range s.huffWeight[:s.symbolLen] {
+		if v > tableLogMax {
+			return s, nil, errors.New("corrupt input: weight too large")
+		}
+		v2 := v & 15
+		rankStats[v2]++
+		// (1 << (v2-1)) is slower since the compiler cannot prove that v2 isn't 0.
+		weightTotal += (1 << v2) >> 1
+	}
+	if weightTotal == 0 {
+		return s, nil, errors.New("corrupt input: weights zero")
+	}
+
+	// get last non-null symbol weight (implied, total must be 2^n)
+	{
+		tableLog := highBit32(weightTotal) + 1
+		if tableLog > tableLogMax {
+			return s, nil, errors.New("corrupt input: tableLog too big")
+		}
+		s.actualTableLog = uint8(tableLog)
+		// determine last weight
+		{
+			total := uint32(1) << tableLog
+			rest := total - weightTotal
+			verif := uint32(1) << highBit32(rest)
+			lastWeight := highBit32(rest) + 1
+			if verif != rest {
+				// last value must be a clean power of 2
+				return s, nil, errors.New("corrupt input: last value not power of two")
+			}
+			s.huffWeight[s.symbolLen] = uint8(lastWeight)
+			s.symbolLen++
+			rankStats[lastWeight]++
+		}
+	}
+
+	if (rankStats[1] < 2) || (rankStats[1]&1 != 0) {
+		// by construction : at least 2 elts of rank 1, must be even
+		return s, nil, errors.New("corrupt input: min elt size, even check failed ")
+	}
+
+	// TODO: Choose between single/double symbol decoding
+
+	// Calculate starting value for each rank
+	{
+		var nextRankStart uint32
+		for n := uint8(1); n < s.actualTableLog+1; n++ {
+			current := nextRankStart
+			nextRankStart += rankStats[n] << (n - 1)
+			rankStats[n] = current
+		}
+	}
+
+	// fill DTable (always full size)
+	tSize := 1 << tableLogMax
+	if len(s.dt.single) != tSize {
+		s.dt.single = make([]dEntrySingle, tSize)
+	}
+	cTable := s.prevTable
+	if cap(cTable) < maxSymbolValue+1 {
+		cTable = make([]cTableEntry, 0, maxSymbolValue+1)
+	}
+	cTable = cTable[:maxSymbolValue+1]
+	s.prevTable = cTable[:s.symbolLen]
+	s.prevTableLog = s.actualTableLog
+
+	for n, w := range s.huffWeight[:s.symbolLen] {
+		if w == 0 {
+			cTable[n] = cTableEntry{
+				val:   0,
+				nBits: 0,
+			}
+			continue
+		}
+		length := (uint32(1) << w) >> 1
+		d := dEntrySingle{
+			entry: uint16(s.actualTableLog+1-w) | (uint16(n) << 8),
+		}
+
+		rank := &rankStats[w]
+		cTable[n] = cTableEntry{
+			val:   uint16(*rank >> (w - 1)),
+			nBits: uint8(d.entry),
+		}
+
+		single := s.dt.single[*rank : *rank+length]
+		for i := range single {
+			single[i] = d
+		}
+		*rank += length
+	}
+
+	return s, in, nil
+}
+
+// Decompress1X will decompress a 1X encoded stream.
+// The length of the supplied input must match the end of a block exactly.
+// Before this is called, the table must be initialized with ReadTable unless
+// the encoder re-used the table.
+// deprecated: Use the stateless Decoder() to get a concurrent version.
+func (s *Scratch) Decompress1X(in []byte) (out []byte, err error) {
+	if cap(s.Out) < s.MaxDecodedSize {
+		s.Out = make([]byte, s.MaxDecodedSize)
+	}
+	s.Out = s.Out[:0:s.MaxDecodedSize]
+	s.Out, err = s.Decoder().Decompress1X(s.Out, in)
+	return s.Out, err
+}
+
+// Decompress4X will decompress a 4X encoded stream.
+// Before this is called, the table must be initialized with ReadTable unless
+// the encoder re-used the table.
+// The length of the supplied input must match the end of a block exactly.
+// The destination size of the uncompressed data must be known and provided.
+// deprecated: Use the stateless Decoder() to get a concurrent version.
+func (s *Scratch) Decompress4X(in []byte, dstSize int) (out []byte, err error) {
+	if dstSize > s.MaxDecodedSize {
+		return nil, ErrMaxDecodedSizeExceeded
+	}
+	if cap(s.Out) < dstSize {
+		s.Out = make([]byte, s.MaxDecodedSize)
+	}
+	s.Out = s.Out[:0:dstSize]
+	s.Out, err = s.Decoder().Decompress4X(s.Out, in)
+	return s.Out, err
+}
+
+// Decoder will return a stateless decoder that can be used by multiple
+// decompressors concurrently.
+// Before this is called, the table must be initialized with ReadTable.
+// The Decoder is still linked to the scratch buffer so that cannot be reused.
+// However, it is safe to discard the scratch.
+func (s *Scratch) Decoder() *Decoder {
+	return &Decoder{
+		dt:             s.dt,
+		actualTableLog: s.actualTableLog,
+		bufs:           &s.decPool,
+	}
+}
+
+// Decoder provides stateless decoding.
+type Decoder struct {
+	dt             dTable
+	actualTableLog uint8
+	bufs           *sync.Pool
+}
+
+func (d *Decoder) buffer() *[4][256]byte {
+	buf, ok := d.bufs.Get().(*[4][256]byte)
+	if ok {
+		return buf
+	}
+	return &[4][256]byte{}
+}
+
+// decompress1X8Bit will decompress a 1X encoded stream with tablelog <= 8.
+// The cap of the output buffer will be the maximum decompressed size.
+// The length of the supplied input must match the end of a block exactly.
+func (d *Decoder) decompress1X8Bit(dst, src []byte) ([]byte, error) {
+	if d.actualTableLog == 8 {
+		return d.decompress1X8BitExactly(dst, src)
+	}
+	var br bitReaderBytes
+	err := br.init(src)
+	if err != nil {
+		return dst, err
+	}
+	maxDecodedSize := cap(dst)
+	dst = dst[:0]
+
+	// Avoid bounds check by always having full sized table.
+	dt := d.dt.single[:256]
+
+	// Use temp table to avoid bound checks/append penalty.
+	bufs := d.buffer()
+	buf := &bufs[0]
+	var off uint8
+
+	switch d.actualTableLog {
+	case 8:
+		const shift = 0
+		for br.off >= 4 {
+			br.fillFast()
+			v := dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+0] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+1] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+2] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+3] = uint8(v.entry >> 8)
+
+			off += 4
+			if off == 0 {
+				if len(dst)+256 > maxDecodedSize {
+					br.close()
+					d.bufs.Put(bufs)
+					return nil, ErrMaxDecodedSizeExceeded
+				}
+				dst = append(dst, buf[:]...)
+			}
+		}
+	case 7:
+		const shift = 8 - 7
+		for br.off >= 4 {
+			br.fillFast()
+			v := dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+0] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+1] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+2] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+3] = uint8(v.entry >> 8)
+
+			off += 4
+			if off == 0 {
+				if len(dst)+256 > maxDecodedSize {
+					br.close()
+					d.bufs.Put(bufs)
+					return nil, ErrMaxDecodedSizeExceeded
+				}
+				dst = append(dst, buf[:]...)
+			}
+		}
+	case 6:
+		const shift = 8 - 6
+		for br.off >= 4 {
+			br.fillFast()
+			v := dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+0] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+1] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+2] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+3] = uint8(v.entry >> 8)
+
+			off += 4
+			if off == 0 {
+				if len(dst)+256 > maxDecodedSize {
+					d.bufs.Put(bufs)
+					br.close()
+					return nil, ErrMaxDecodedSizeExceeded
+				}
+				dst = append(dst, buf[:]...)
+			}
+		}
+	case 5:
+		const shift = 8 - 5
+		for br.off >= 4 {
+			br.fillFast()
+			v := dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+0] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+1] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+2] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+3] = uint8(v.entry >> 8)
+
+			off += 4
+			if off == 0 {
+				if len(dst)+256 > maxDecodedSize {
+					d.bufs.Put(bufs)
+					br.close()
+					return nil, ErrMaxDecodedSizeExceeded
+				}
+				dst = append(dst, buf[:]...)
+			}
+		}
+	case 4:
+		const shift = 8 - 4
+		for br.off >= 4 {
+			br.fillFast()
+			v := dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+0] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+1] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+2] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+3] = uint8(v.entry >> 8)
+
+			off += 4
+			if off == 0 {
+				if len(dst)+256 > maxDecodedSize {
+					d.bufs.Put(bufs)
+					br.close()
+					return nil, ErrMaxDecodedSizeExceeded
+				}
+				dst = append(dst, buf[:]...)
+			}
+		}
+	case 3:
+		const shift = 8 - 3
+		for br.off >= 4 {
+			br.fillFast()
+			v := dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+0] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+1] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+2] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+3] = uint8(v.entry >> 8)
+
+			off += 4
+			if off == 0 {
+				if len(dst)+256 > maxDecodedSize {
+					d.bufs.Put(bufs)
+					br.close()
+					return nil, ErrMaxDecodedSizeExceeded
+				}
+				dst = append(dst, buf[:]...)
+			}
+		}
+	case 2:
+		const shift = 8 - 2
+		for br.off >= 4 {
+			br.fillFast()
+			v := dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+0] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+1] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+2] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+3] = uint8(v.entry >> 8)
+
+			off += 4
+			if off == 0 {
+				if len(dst)+256 > maxDecodedSize {
+					d.bufs.Put(bufs)
+					br.close()
+					return nil, ErrMaxDecodedSizeExceeded
+				}
+				dst = append(dst, buf[:]...)
+			}
+		}
+	case 1:
+		const shift = 8 - 1
+		for br.off >= 4 {
+			br.fillFast()
+			v := dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+0] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+1] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+2] = uint8(v.entry >> 8)
+
+			v = dt[uint8(br.value>>(56+shift))]
+			br.advance(uint8(v.entry))
+			buf[off+3] = uint8(v.entry >> 8)
+
+			off += 4
+			if off == 0 {
+				if len(dst)+256 > maxDecodedSize {
+					d.bufs.Put(bufs)
+					br.close()
+					return nil, ErrMaxDecodedSizeExceeded
+				}
+				dst = append(dst, buf[:]...)
+			}
+		}
+	default:
+		d.bufs.Put(bufs)
+		return nil, fmt.Errorf("invalid tablelog: %d", d.actualTableLog)
+	}
+
+	if len(dst)+int(off) > maxDecodedSize {
+		d.bufs.Put(bufs)
+		br.close()
+		return nil, ErrMaxDecodedSizeExceeded
+	}
+	dst = append(dst, buf[:off]...)
+
+	// br < 4, so uint8 is fine
+	bitsLeft := int8(uint8(br.off)*8 + (64 - br.bitsRead))
+	shift := (8 - d.actualTableLog) & 7
+
+	for bitsLeft > 0 {
+		if br.bitsRead >= 64-8 {
+			for br.off > 0 {
+				br.value |= uint64(br.in[br.off-1]) << (br.bitsRead - 8)
+				br.bitsRead -= 8
+				br.off--
+			}
+		}
+		if len(dst) >= maxDecodedSize {
+			br.close()
+			d.bufs.Put(bufs)
+			return nil, ErrMaxDecodedSizeExceeded
+		}
+		v := dt[br.peekByteFast()>>shift]
+		nBits := uint8(v.entry)
+		br.advance(nBits)
+		bitsLeft -= int8(nBits)
+		dst = append(dst, uint8(v.entry>>8))
+	}
+	d.bufs.Put(bufs)
+	return dst, br.close()
+}
+
+// decompress1X8Bit will decompress a 1X encoded stream with tablelog <= 8.
+// The cap of the output buffer will be the maximum decompressed size.
+// The length of the supplied input must match the end of a block exactly.
+func (d *Decoder) decompress1X8BitExactly(dst, src []byte) ([]byte, error) {
+	var br bitReaderBytes
+	err := br.init(src)
+	if err != nil {
+		return dst, err
+	}
+	maxDecodedSize := cap(dst)
+	dst = dst[:0]
+
+	// Avoid bounds check by always having full sized table.
+	dt := d.dt.single[:256]
+
+	// Use temp table to avoid bound checks/append penalty.
+	bufs := d.buffer()
+	buf := &bufs[0]
+	var off uint8
+
+	const shift = 56
+
+	//fmt.Printf("mask: %b, tl:%d\n", mask, d.actualTableLog)
+	for br.off >= 4 {
+		br.fillFast()
+		v := dt[uint8(br.value>>shift)]
+		br.advance(uint8(v.entry))
+		buf[off+0] = uint8(v.entry >> 8)
+
+		v = dt[uint8(br.value>>shift)]
+		br.advance(uint8(v.entry))
+		buf[off+1] = uint8(v.entry >> 8)
+
+		v = dt[uint8(br.value>>shift)]
+		br.advance(uint8(v.entry))
+		buf[off+2] = uint8(v.entry >> 8)
+
+		v = dt[uint8(br.value>>shift)]
+		br.advance(uint8(v.entry))
+		buf[off+3] = uint8(v.entry >> 8)
+
+		off += 4
+		if off == 0 {
+			if len(dst)+256 > maxDecodedSize {
+				d.bufs.Put(bufs)
+				br.close()
+				return nil, ErrMaxDecodedSizeExceeded
+			}
+			dst = append(dst, buf[:]...)
+		}
+	}
+
+	if len(dst)+int(off) > maxDecodedSize {
+		d.bufs.Put(bufs)
+		br.close()
+		return nil, ErrMaxDecodedSizeExceeded
+	}
+	dst = append(dst, buf[:off]...)
+
+	// br < 4, so uint8 is fine
+	bitsLeft := int8(uint8(br.off)*8 + (64 - br.bitsRead))
+	for bitsLeft > 0 {
+		if br.bitsRead >= 64-8 {
+			for br.off > 0 {
+				br.value |= uint64(br.in[br.off-1]) << (br.bitsRead - 8)
+				br.bitsRead -= 8
+				br.off--
+			}
+		}
+		if len(dst) >= maxDecodedSize {
+			d.bufs.Put(bufs)
+			br.close()
+			return nil, ErrMaxDecodedSizeExceeded
+		}
+		v := dt[br.peekByteFast()]
+		nBits := uint8(v.entry)
+		br.advance(nBits)
+		bitsLeft -= int8(nBits)
+		dst = append(dst, uint8(v.entry>>8))
+	}
+	d.bufs.Put(bufs)
+	return dst, br.close()
+}
+
+// Decompress4X will decompress a 4X encoded stream.
+// The length of the supplied input must match the end of a block exactly.
+// The *capacity* of the dst slice must match the destination size of
+// the uncompressed data exactly.
+func (d *Decoder) decompress4X8bit(dst, src []byte) ([]byte, error) {
+	if d.actualTableLog == 8 {
+		return d.decompress4X8bitExactly(dst, src)
+	}
+
+	var br [4]bitReaderBytes
+	start := 6
+	for i := 0; i < 3; i++ {
+		length := int(src[i*2]) | (int(src[i*2+1]) << 8)
+		if start+length >= len(src) {
+			return nil, errors.New("truncated input (or invalid offset)")
+		}
+		err := br[i].init(src[start : start+length])
+		if err != nil {
+			return nil, err
+		}
+		start += length
+	}
+	err := br[3].init(src[start:])
+	if err != nil {
+		return nil, err
+	}
+
+	// destination, offset to match first output
+	dstSize := cap(dst)
+	dst = dst[:dstSize]
+	out := dst
+	dstEvery := (dstSize + 3) / 4
+
+	shift := (56 + (8 - d.actualTableLog)) & 63
+
+	const tlSize = 1 << 8
+	single := d.dt.single[:tlSize]
+
+	// Use temp table to avoid bound checks/append penalty.
+	buf := d.buffer()
+	var off uint8
+	var decoded int
+
+	// Decode 4 values from each decoder/loop.
+	const bufoff = 256
+	for {
+		if br[0].off < 4 || br[1].off < 4 || br[2].off < 4 || br[3].off < 4 {
+			break
+		}
+
+		{
+			// Interleave 2 decodes.
+			const stream = 0
+			const stream2 = 1
+			br1 := &br[stream]
+			br2 := &br[stream2]
+			br1.fillFast()
+			br2.fillFast()
+
+			v := single[uint8(br1.value>>shift)].entry
+			v2 := single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off] = uint8(v >> 8)
+			buf[stream2][off] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+1] = uint8(v >> 8)
+			buf[stream2][off+1] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+2] = uint8(v >> 8)
+			buf[stream2][off+2] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+3] = uint8(v >> 8)
+			buf[stream2][off+3] = uint8(v2 >> 8)
+		}
+
+		{
+			const stream = 2
+			const stream2 = 3
+			br1 := &br[stream]
+			br2 := &br[stream2]
+			br1.fillFast()
+			br2.fillFast()
+
+			v := single[uint8(br1.value>>shift)].entry
+			v2 := single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off] = uint8(v >> 8)
+			buf[stream2][off] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+1] = uint8(v >> 8)
+			buf[stream2][off+1] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+2] = uint8(v >> 8)
+			buf[stream2][off+2] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+3] = uint8(v >> 8)
+			buf[stream2][off+3] = uint8(v2 >> 8)
+		}
+
+		off += 4
+
+		if off == 0 {
+			if bufoff > dstEvery {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 1")
+			}
+			// There must at least be 3 buffers left.
+			if len(out)-bufoff < dstEvery*3 {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 2")
+			}
+			//copy(out, buf[0][:])
+			//copy(out[dstEvery:], buf[1][:])
+			//copy(out[dstEvery*2:], buf[2][:])
+			*(*[bufoff]byte)(out) = buf[0]
+			*(*[bufoff]byte)(out[dstEvery:]) = buf[1]
+			*(*[bufoff]byte)(out[dstEvery*2:]) = buf[2]
+			*(*[bufoff]byte)(out[dstEvery*3:]) = buf[3]
+			out = out[bufoff:]
+			decoded += bufoff * 4
+		}
+	}
+	if off > 0 {
+		ioff := int(off)
+		if len(out) < dstEvery*3+ioff {
+			d.bufs.Put(buf)
+			return nil, errors.New("corruption detected: stream overrun 3")
+		}
+		copy(out, buf[0][:off])
+		copy(out[dstEvery:], buf[1][:off])
+		copy(out[dstEvery*2:], buf[2][:off])
+		copy(out[dstEvery*3:], buf[3][:off])
+		decoded += int(off) * 4
+		out = out[off:]
+	}
+
+	// Decode remaining.
+	// Decode remaining.
+	remainBytes := dstEvery - (decoded / 4)
+	for i := range br {
+		offset := dstEvery * i
+		endsAt := offset + remainBytes
+		if endsAt > len(out) {
+			endsAt = len(out)
+		}
+		br := &br[i]
+		bitsLeft := br.remaining()
+		for bitsLeft > 0 {
+			if br.finished() {
+				d.bufs.Put(buf)
+				return nil, io.ErrUnexpectedEOF
+			}
+			if br.bitsRead >= 56 {
+				if br.off >= 4 {
+					v := br.in[br.off-4:]
+					v = v[:4]
+					low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24)
+					br.value |= uint64(low) << (br.bitsRead - 32)
+					br.bitsRead -= 32
+					br.off -= 4
+				} else {
+					for br.off > 0 {
+						br.value |= uint64(br.in[br.off-1]) << (br.bitsRead - 8)
+						br.bitsRead -= 8
+						br.off--
+					}
+				}
+			}
+			// end inline...
+			if offset >= endsAt {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 4")
+			}
+
+			// Read value and increment offset.
+			v := single[uint8(br.value>>shift)].entry
+			nBits := uint8(v)
+			br.advance(nBits)
+			bitsLeft -= uint(nBits)
+			out[offset] = uint8(v >> 8)
+			offset++
+		}
+		if offset != endsAt {
+			d.bufs.Put(buf)
+			return nil, fmt.Errorf("corruption detected: short output block %d, end %d != %d", i, offset, endsAt)
+		}
+		decoded += offset - dstEvery*i
+		err = br.close()
+		if err != nil {
+			d.bufs.Put(buf)
+			return nil, err
+		}
+	}
+	d.bufs.Put(buf)
+	if dstSize != decoded {
+		return nil, errors.New("corruption detected: short output block")
+	}
+	return dst, nil
+}
+
+// Decompress4X will decompress a 4X encoded stream.
+// The length of the supplied input must match the end of a block exactly.
+// The *capacity* of the dst slice must match the destination size of
+// the uncompressed data exactly.
+func (d *Decoder) decompress4X8bitExactly(dst, src []byte) ([]byte, error) {
+	var br [4]bitReaderBytes
+	start := 6
+	for i := 0; i < 3; i++ {
+		length := int(src[i*2]) | (int(src[i*2+1]) << 8)
+		if start+length >= len(src) {
+			return nil, errors.New("truncated input (or invalid offset)")
+		}
+		err := br[i].init(src[start : start+length])
+		if err != nil {
+			return nil, err
+		}
+		start += length
+	}
+	err := br[3].init(src[start:])
+	if err != nil {
+		return nil, err
+	}
+
+	// destination, offset to match first output
+	dstSize := cap(dst)
+	dst = dst[:dstSize]
+	out := dst
+	dstEvery := (dstSize + 3) / 4
+
+	const shift = 56
+	const tlSize = 1 << 8
+	single := d.dt.single[:tlSize]
+
+	// Use temp table to avoid bound checks/append penalty.
+	buf := d.buffer()
+	var off uint8
+	var decoded int
+
+	// Decode 4 values from each decoder/loop.
+	const bufoff = 256
+	for {
+		if br[0].off < 4 || br[1].off < 4 || br[2].off < 4 || br[3].off < 4 {
+			break
+		}
+
+		{
+			// Interleave 2 decodes.
+			const stream = 0
+			const stream2 = 1
+			br1 := &br[stream]
+			br2 := &br[stream2]
+			br1.fillFast()
+			br2.fillFast()
+
+			v := single[uint8(br1.value>>shift)].entry
+			v2 := single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off] = uint8(v >> 8)
+			buf[stream2][off] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+1] = uint8(v >> 8)
+			buf[stream2][off+1] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+2] = uint8(v >> 8)
+			buf[stream2][off+2] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+3] = uint8(v >> 8)
+			buf[stream2][off+3] = uint8(v2 >> 8)
+		}
+
+		{
+			const stream = 2
+			const stream2 = 3
+			br1 := &br[stream]
+			br2 := &br[stream2]
+			br1.fillFast()
+			br2.fillFast()
+
+			v := single[uint8(br1.value>>shift)].entry
+			v2 := single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off] = uint8(v >> 8)
+			buf[stream2][off] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+1] = uint8(v >> 8)
+			buf[stream2][off+1] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+2] = uint8(v >> 8)
+			buf[stream2][off+2] = uint8(v2 >> 8)
+
+			v = single[uint8(br1.value>>shift)].entry
+			v2 = single[uint8(br2.value>>shift)].entry
+			br1.bitsRead += uint8(v)
+			br1.value <<= v & 63
+			br2.bitsRead += uint8(v2)
+			br2.value <<= v2 & 63
+			buf[stream][off+3] = uint8(v >> 8)
+			buf[stream2][off+3] = uint8(v2 >> 8)
+		}
+
+		off += 4
+
+		if off == 0 {
+			if bufoff > dstEvery {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 1")
+			}
+			// There must at least be 3 buffers left.
+			if len(out)-bufoff < dstEvery*3 {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 2")
+			}
+
+			//copy(out, buf[0][:])
+			//copy(out[dstEvery:], buf[1][:])
+			//copy(out[dstEvery*2:], buf[2][:])
+			// copy(out[dstEvery*3:], buf[3][:])
+			*(*[bufoff]byte)(out) = buf[0]
+			*(*[bufoff]byte)(out[dstEvery:]) = buf[1]
+			*(*[bufoff]byte)(out[dstEvery*2:]) = buf[2]
+			*(*[bufoff]byte)(out[dstEvery*3:]) = buf[3]
+			out = out[bufoff:]
+			decoded += bufoff * 4
+		}
+	}
+	if off > 0 {
+		ioff := int(off)
+		if len(out) < dstEvery*3+ioff {
+			return nil, errors.New("corruption detected: stream overrun 3")
+		}
+		copy(out, buf[0][:off])
+		copy(out[dstEvery:], buf[1][:off])
+		copy(out[dstEvery*2:], buf[2][:off])
+		copy(out[dstEvery*3:], buf[3][:off])
+		decoded += int(off) * 4
+		out = out[off:]
+	}
+
+	// Decode remaining.
+	remainBytes := dstEvery - (decoded / 4)
+	for i := range br {
+		offset := dstEvery * i
+		endsAt := offset + remainBytes
+		if endsAt > len(out) {
+			endsAt = len(out)
+		}
+		br := &br[i]
+		bitsLeft := br.remaining()
+		for bitsLeft > 0 {
+			if br.finished() {
+				d.bufs.Put(buf)
+				return nil, io.ErrUnexpectedEOF
+			}
+			if br.bitsRead >= 56 {
+				if br.off >= 4 {
+					v := br.in[br.off-4:]
+					v = v[:4]
+					low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24)
+					br.value |= uint64(low) << (br.bitsRead - 32)
+					br.bitsRead -= 32
+					br.off -= 4
+				} else {
+					for br.off > 0 {
+						br.value |= uint64(br.in[br.off-1]) << (br.bitsRead - 8)
+						br.bitsRead -= 8
+						br.off--
+					}
+				}
+			}
+			// end inline...
+			if offset >= endsAt {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 4")
+			}
+
+			// Read value and increment offset.
+			v := single[br.peekByteFast()].entry
+			nBits := uint8(v)
+			br.advance(nBits)
+			bitsLeft -= uint(nBits)
+			out[offset] = uint8(v >> 8)
+			offset++
+		}
+		if offset != endsAt {
+			d.bufs.Put(buf)
+			return nil, fmt.Errorf("corruption detected: short output block %d, end %d != %d", i, offset, endsAt)
+		}
+
+		decoded += offset - dstEvery*i
+		err = br.close()
+		if err != nil {
+			d.bufs.Put(buf)
+			return nil, err
+		}
+	}
+	d.bufs.Put(buf)
+	if dstSize != decoded {
+		return nil, errors.New("corruption detected: short output block")
+	}
+	return dst, nil
+}
+
+// matches will compare a decoding table to a coding table.
+// Errors are written to the writer.
+// Nothing will be written if table is ok.
+func (s *Scratch) matches(ct cTable, w io.Writer) {
+	if s == nil || len(s.dt.single) == 0 {
+		return
+	}
+	dt := s.dt.single[:1<<s.actualTableLog]
+	tablelog := s.actualTableLog
+	ok := 0
+	broken := 0
+	for sym, enc := range ct {
+		errs := 0
+		broken++
+		if enc.nBits == 0 {
+			for _, dec := range dt {
+				if uint8(dec.entry>>8) == byte(sym) {
+					fmt.Fprintf(w, "symbol %x has decoder, but no encoder\n", sym)
+					errs++
+					break
+				}
+			}
+			if errs == 0 {
+				broken--
+			}
+			continue
+		}
+		// Unused bits in input
+		ub := tablelog - enc.nBits
+		top := enc.val << ub
+		// decoder looks at top bits.
+		dec := dt[top]
+		if uint8(dec.entry) != enc.nBits {
+			fmt.Fprintf(w, "symbol 0x%x bit size mismatch (enc: %d, dec:%d).\n", sym, enc.nBits, uint8(dec.entry))
+			errs++
+		}
+		if uint8(dec.entry>>8) != uint8(sym) {
+			fmt.Fprintf(w, "symbol 0x%x decoder output mismatch (enc: %d, dec:%d).\n", sym, sym, uint8(dec.entry>>8))
+			errs++
+		}
+		if errs > 0 {
+			fmt.Fprintf(w, "%d errors in base, stopping\n", errs)
+			continue
+		}
+		// Ensure that all combinations are covered.
+		for i := uint16(0); i < (1 << ub); i++ {
+			vval := top | i
+			dec := dt[vval]
+			if uint8(dec.entry) != enc.nBits {
+				fmt.Fprintf(w, "symbol 0x%x bit size mismatch (enc: %d, dec:%d).\n", vval, enc.nBits, uint8(dec.entry))
+				errs++
+			}
+			if uint8(dec.entry>>8) != uint8(sym) {
+				fmt.Fprintf(w, "symbol 0x%x decoder output mismatch (enc: %d, dec:%d).\n", vval, sym, uint8(dec.entry>>8))
+				errs++
+			}
+			if errs > 20 {
+				fmt.Fprintf(w, "%d errors, stopping\n", errs)
+				break
+			}
+		}
+		if errs == 0 {
+			ok++
+			broken--
+		}
+	}
+	if broken > 0 {
+		fmt.Fprintf(w, "%d broken, %d ok\n", broken, ok)
+	}
+}
diff --git a/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go
new file mode 100644
index 0000000000..ba7e8e6b02
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go
@@ -0,0 +1,226 @@
+//go:build amd64 && !appengine && !noasm && gc
+// +build amd64,!appengine,!noasm,gc
+
+// This file contains the specialisation of Decoder.Decompress4X
+// and Decoder.Decompress1X that use an asm implementation of thir main loops.
+package huff0
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/klauspost/compress/internal/cpuinfo"
+)
+
+// decompress4x_main_loop_x86 is an x86 assembler implementation
+// of Decompress4X when tablelog > 8.
+//
+//go:noescape
+func decompress4x_main_loop_amd64(ctx *decompress4xContext)
+
+// decompress4x_8b_loop_x86 is an x86 assembler implementation
+// of Decompress4X when tablelog <= 8 which decodes 4 entries
+// per loop.
+//
+//go:noescape
+func decompress4x_8b_main_loop_amd64(ctx *decompress4xContext)
+
+// fallback8BitSize is the size where using Go version is faster.
+const fallback8BitSize = 800
+
+type decompress4xContext struct {
+	pbr      *[4]bitReaderShifted
+	peekBits uint8
+	out      *byte
+	dstEvery int
+	tbl      *dEntrySingle
+	decoded  int
+	limit    *byte
+}
+
+// Decompress4X will decompress a 4X encoded stream.
+// The length of the supplied input must match the end of a block exactly.
+// The *capacity* of the dst slice must match the destination size of
+// the uncompressed data exactly.
+func (d *Decoder) Decompress4X(dst, src []byte) ([]byte, error) {
+	if len(d.dt.single) == 0 {
+		return nil, errors.New("no table loaded")
+	}
+	if len(src) < 6+(4*1) {
+		return nil, errors.New("input too small")
+	}
+
+	use8BitTables := d.actualTableLog <= 8
+	if cap(dst) < fallback8BitSize && use8BitTables {
+		return d.decompress4X8bit(dst, src)
+	}
+
+	var br [4]bitReaderShifted
+	// Decode "jump table"
+	start := 6
+	for i := 0; i < 3; i++ {
+		length := int(src[i*2]) | (int(src[i*2+1]) << 8)
+		if start+length >= len(src) {
+			return nil, errors.New("truncated input (or invalid offset)")
+		}
+		err := br[i].init(src[start : start+length])
+		if err != nil {
+			return nil, err
+		}
+		start += length
+	}
+	err := br[3].init(src[start:])
+	if err != nil {
+		return nil, err
+	}
+
+	// destination, offset to match first output
+	dstSize := cap(dst)
+	dst = dst[:dstSize]
+	out := dst
+	dstEvery := (dstSize + 3) / 4
+
+	const tlSize = 1 << tableLogMax
+	const tlMask = tlSize - 1
+	single := d.dt.single[:tlSize]
+
+	var decoded int
+
+	if len(out) > 4*4 && !(br[0].off < 4 || br[1].off < 4 || br[2].off < 4 || br[3].off < 4) {
+		ctx := decompress4xContext{
+			pbr:      &br,
+			peekBits: uint8((64 - d.actualTableLog) & 63), // see: bitReaderShifted.peekBitsFast()
+			out:      &out[0],
+			dstEvery: dstEvery,
+			tbl:      &single[0],
+			limit:    &out[dstEvery-4], // Always stop decoding when first buffer gets here to avoid writing OOB on last.
+		}
+		if use8BitTables {
+			decompress4x_8b_main_loop_amd64(&ctx)
+		} else {
+			decompress4x_main_loop_amd64(&ctx)
+		}
+
+		decoded = ctx.decoded
+		out = out[decoded/4:]
+	}
+
+	// Decode remaining.
+	remainBytes := dstEvery - (decoded / 4)
+	for i := range br {
+		offset := dstEvery * i
+		endsAt := offset + remainBytes
+		if endsAt > len(out) {
+			endsAt = len(out)
+		}
+		br := &br[i]
+		bitsLeft := br.remaining()
+		for bitsLeft > 0 {
+			br.fill()
+			if offset >= endsAt {
+				return nil, errors.New("corruption detected: stream overrun 4")
+			}
+
+			// Read value and increment offset.
+			val := br.peekBitsFast(d.actualTableLog)
+			v := single[val&tlMask].entry
+			nBits := uint8(v)
+			br.advance(nBits)
+			bitsLeft -= uint(nBits)
+			out[offset] = uint8(v >> 8)
+			offset++
+		}
+		if offset != endsAt {
+			return nil, fmt.Errorf("corruption detected: short output block %d, end %d != %d", i, offset, endsAt)
+		}
+		decoded += offset - dstEvery*i
+		err = br.close()
+		if err != nil {
+			return nil, err
+		}
+	}
+	if dstSize != decoded {
+		return nil, errors.New("corruption detected: short output block")
+	}
+	return dst, nil
+}
+
+// decompress4x_main_loop_x86 is an x86 assembler implementation
+// of Decompress1X when tablelog > 8.
+//
+//go:noescape
+func decompress1x_main_loop_amd64(ctx *decompress1xContext)
+
+// decompress4x_main_loop_x86 is an x86 with BMI2 assembler implementation
+// of Decompress1X when tablelog > 8.
+//
+//go:noescape
+func decompress1x_main_loop_bmi2(ctx *decompress1xContext)
+
+type decompress1xContext struct {
+	pbr      *bitReaderShifted
+	peekBits uint8
+	out      *byte
+	outCap   int
+	tbl      *dEntrySingle
+	decoded  int
+}
+
+// Error reported by asm implementations
+const error_max_decoded_size_exeeded = -1
+
+// Decompress1X will decompress a 1X encoded stream.
+// The cap of the output buffer will be the maximum decompressed size.
+// The length of the supplied input must match the end of a block exactly.
+func (d *Decoder) Decompress1X(dst, src []byte) ([]byte, error) {
+	if len(d.dt.single) == 0 {
+		return nil, errors.New("no table loaded")
+	}
+	var br bitReaderShifted
+	err := br.init(src)
+	if err != nil {
+		return dst, err
+	}
+	maxDecodedSize := cap(dst)
+	dst = dst[:maxDecodedSize]
+
+	const tlSize = 1 << tableLogMax
+	const tlMask = tlSize - 1
+
+	if maxDecodedSize >= 4 {
+		ctx := decompress1xContext{
+			pbr:      &br,
+			out:      &dst[0],
+			outCap:   maxDecodedSize,
+			peekBits: uint8((64 - d.actualTableLog) & 63), // see: bitReaderShifted.peekBitsFast()
+			tbl:      &d.dt.single[0],
+		}
+
+		if cpuinfo.HasBMI2() {
+			decompress1x_main_loop_bmi2(&ctx)
+		} else {
+			decompress1x_main_loop_amd64(&ctx)
+		}
+		if ctx.decoded == error_max_decoded_size_exeeded {
+			return nil, ErrMaxDecodedSizeExceeded
+		}
+
+		dst = dst[:ctx.decoded]
+	}
+
+	// br < 8, so uint8 is fine
+	bitsLeft := uint8(br.off)*8 + 64 - br.bitsRead
+	for bitsLeft > 0 {
+		br.fill()
+		if len(dst) >= maxDecodedSize {
+			br.close()
+			return nil, ErrMaxDecodedSizeExceeded
+		}
+		v := d.dt.single[br.peekBitsFast(d.actualTableLog)&tlMask]
+		nBits := uint8(v.entry)
+		br.advance(nBits)
+		bitsLeft -= nBits
+		dst = append(dst, uint8(v.entry>>8))
+	}
+	return dst, br.close()
+}
diff --git a/vendor/github.com/klauspost/compress/huff0/decompress_amd64.s b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.s
new file mode 100644
index 0000000000..c4c7ab2d1f
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.s
@@ -0,0 +1,830 @@
+// Code generated by command: go run gen.go -out ../decompress_amd64.s -pkg=huff0. DO NOT EDIT.
+
+//go:build amd64 && !appengine && !noasm && gc
+
+// func decompress4x_main_loop_amd64(ctx *decompress4xContext)
+TEXT ·decompress4x_main_loop_amd64(SB), $0-8
+	// Preload values
+	MOVQ    ctx+0(FP), AX
+	MOVBQZX 8(AX), DI
+	MOVQ    16(AX), BX
+	MOVQ    48(AX), SI
+	MOVQ    24(AX), R8
+	MOVQ    32(AX), R9
+	MOVQ    (AX), R10
+
+	// Main loop
+main_loop:
+	XORL  DX, DX
+	CMPQ  BX, SI
+	SETGE DL
+
+	// br0.fillFast32()
+	MOVQ    32(R10), R11
+	MOVBQZX 40(R10), R12
+	CMPQ    R12, $0x20
+	JBE     skip_fill0
+	MOVQ    24(R10), AX
+	SUBQ    $0x20, R12
+	SUBQ    $0x04, AX
+	MOVQ    (R10), R13
+
+	// b.value |= uint64(low) << (b.bitsRead & 63)
+	MOVL (AX)(R13*1), R13
+	MOVQ R12, CX
+	SHLQ CL, R13
+	MOVQ AX, 24(R10)
+	ORQ  R13, R11
+
+	// exhausted += (br0.off < 4)
+	CMPQ AX, $0x04
+	ADCB $+0, DL
+
+skip_fill0:
+	// val0 := br0.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v0 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br0.advance(uint8(v0.entry)
+	MOVB CH, AL
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val1 := br0.peekTopBits(peekBits)
+	MOVQ DI, CX
+	MOVQ R11, R13
+	SHRQ CL, R13
+
+	// v1 := table[val1&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br0.advance(uint8(v1.entry))
+	MOVB CH, AH
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// these two writes get coalesced
+	// out[id * dstEvery + 0] = uint8(v0.entry >> 8)
+	// out[id * dstEvery + 1] = uint8(v1.entry >> 8)
+	MOVW AX, (BX)
+
+	// update the bitreader structure
+	MOVQ R11, 32(R10)
+	MOVB R12, 40(R10)
+
+	// br1.fillFast32()
+	MOVQ    80(R10), R11
+	MOVBQZX 88(R10), R12
+	CMPQ    R12, $0x20
+	JBE     skip_fill1
+	MOVQ    72(R10), AX
+	SUBQ    $0x20, R12
+	SUBQ    $0x04, AX
+	MOVQ    48(R10), R13
+
+	// b.value |= uint64(low) << (b.bitsRead & 63)
+	MOVL (AX)(R13*1), R13
+	MOVQ R12, CX
+	SHLQ CL, R13
+	MOVQ AX, 72(R10)
+	ORQ  R13, R11
+
+	// exhausted += (br1.off < 4)
+	CMPQ AX, $0x04
+	ADCB $+0, DL
+
+skip_fill1:
+	// val0 := br1.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v0 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br1.advance(uint8(v0.entry)
+	MOVB CH, AL
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val1 := br1.peekTopBits(peekBits)
+	MOVQ DI, CX
+	MOVQ R11, R13
+	SHRQ CL, R13
+
+	// v1 := table[val1&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br1.advance(uint8(v1.entry))
+	MOVB CH, AH
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// these two writes get coalesced
+	// out[id * dstEvery + 0] = uint8(v0.entry >> 8)
+	// out[id * dstEvery + 1] = uint8(v1.entry >> 8)
+	MOVW AX, (BX)(R8*1)
+
+	// update the bitreader structure
+	MOVQ R11, 80(R10)
+	MOVB R12, 88(R10)
+
+	// br2.fillFast32()
+	MOVQ    128(R10), R11
+	MOVBQZX 136(R10), R12
+	CMPQ    R12, $0x20
+	JBE     skip_fill2
+	MOVQ    120(R10), AX
+	SUBQ    $0x20, R12
+	SUBQ    $0x04, AX
+	MOVQ    96(R10), R13
+
+	// b.value |= uint64(low) << (b.bitsRead & 63)
+	MOVL (AX)(R13*1), R13
+	MOVQ R12, CX
+	SHLQ CL, R13
+	MOVQ AX, 120(R10)
+	ORQ  R13, R11
+
+	// exhausted += (br2.off < 4)
+	CMPQ AX, $0x04
+	ADCB $+0, DL
+
+skip_fill2:
+	// val0 := br2.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v0 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br2.advance(uint8(v0.entry)
+	MOVB CH, AL
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val1 := br2.peekTopBits(peekBits)
+	MOVQ DI, CX
+	MOVQ R11, R13
+	SHRQ CL, R13
+
+	// v1 := table[val1&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br2.advance(uint8(v1.entry))
+	MOVB CH, AH
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// these two writes get coalesced
+	// out[id * dstEvery + 0] = uint8(v0.entry >> 8)
+	// out[id * dstEvery + 1] = uint8(v1.entry >> 8)
+	MOVW AX, (BX)(R8*2)
+
+	// update the bitreader structure
+	MOVQ R11, 128(R10)
+	MOVB R12, 136(R10)
+
+	// br3.fillFast32()
+	MOVQ    176(R10), R11
+	MOVBQZX 184(R10), R12
+	CMPQ    R12, $0x20
+	JBE     skip_fill3
+	MOVQ    168(R10), AX
+	SUBQ    $0x20, R12
+	SUBQ    $0x04, AX
+	MOVQ    144(R10), R13
+
+	// b.value |= uint64(low) << (b.bitsRead & 63)
+	MOVL (AX)(R13*1), R13
+	MOVQ R12, CX
+	SHLQ CL, R13
+	MOVQ AX, 168(R10)
+	ORQ  R13, R11
+
+	// exhausted += (br3.off < 4)
+	CMPQ AX, $0x04
+	ADCB $+0, DL
+
+skip_fill3:
+	// val0 := br3.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v0 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br3.advance(uint8(v0.entry)
+	MOVB CH, AL
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val1 := br3.peekTopBits(peekBits)
+	MOVQ DI, CX
+	MOVQ R11, R13
+	SHRQ CL, R13
+
+	// v1 := table[val1&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br3.advance(uint8(v1.entry))
+	MOVB CH, AH
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// these two writes get coalesced
+	// out[id * dstEvery + 0] = uint8(v0.entry >> 8)
+	// out[id * dstEvery + 1] = uint8(v1.entry >> 8)
+	LEAQ (R8)(R8*2), CX
+	MOVW AX, (BX)(CX*1)
+
+	// update the bitreader structure
+	MOVQ  R11, 176(R10)
+	MOVB  R12, 184(R10)
+	ADDQ  $0x02, BX
+	TESTB DL, DL
+	JZ    main_loop
+	MOVQ  ctx+0(FP), AX
+	SUBQ  16(AX), BX
+	SHLQ  $0x02, BX
+	MOVQ  BX, 40(AX)
+	RET
+
+// func decompress4x_8b_main_loop_amd64(ctx *decompress4xContext)
+TEXT ·decompress4x_8b_main_loop_amd64(SB), $0-8
+	// Preload values
+	MOVQ    ctx+0(FP), CX
+	MOVBQZX 8(CX), DI
+	MOVQ    16(CX), BX
+	MOVQ    48(CX), SI
+	MOVQ    24(CX), R8
+	MOVQ    32(CX), R9
+	MOVQ    (CX), R10
+
+	// Main loop
+main_loop:
+	XORL  DX, DX
+	CMPQ  BX, SI
+	SETGE DL
+
+	// br0.fillFast32()
+	MOVQ    32(R10), R11
+	MOVBQZX 40(R10), R12
+	CMPQ    R12, $0x20
+	JBE     skip_fill0
+	MOVQ    24(R10), R13
+	SUBQ    $0x20, R12
+	SUBQ    $0x04, R13
+	MOVQ    (R10), R14
+
+	// b.value |= uint64(low) << (b.bitsRead & 63)
+	MOVL (R13)(R14*1), R14
+	MOVQ R12, CX
+	SHLQ CL, R14
+	MOVQ R13, 24(R10)
+	ORQ  R14, R11
+
+	// exhausted += (br0.off < 4)
+	CMPQ R13, $0x04
+	ADCB $+0, DL
+
+skip_fill0:
+	// val0 := br0.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v0 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br0.advance(uint8(v0.entry)
+	MOVB CH, AL
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val1 := br0.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v1 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br0.advance(uint8(v1.entry)
+	MOVB   CH, AH
+	SHLQ   CL, R11
+	ADDB   CL, R12
+	BSWAPL AX
+
+	// val2 := br0.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v2 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br0.advance(uint8(v2.entry)
+	MOVB CH, AH
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val3 := br0.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v3 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br0.advance(uint8(v3.entry)
+	MOVB   CH, AL
+	SHLQ   CL, R11
+	ADDB   CL, R12
+	BSWAPL AX
+
+	// these four writes get coalesced
+	// out[id * dstEvery + 0] = uint8(v0.entry >> 8)
+	// out[id * dstEvery + 1] = uint8(v1.entry >> 8)
+	// out[id * dstEvery + 3] = uint8(v2.entry >> 8)
+	// out[id * dstEvery + 4] = uint8(v3.entry >> 8)
+	MOVL AX, (BX)
+
+	// update the bitreader structure
+	MOVQ R11, 32(R10)
+	MOVB R12, 40(R10)
+
+	// br1.fillFast32()
+	MOVQ    80(R10), R11
+	MOVBQZX 88(R10), R12
+	CMPQ    R12, $0x20
+	JBE     skip_fill1
+	MOVQ    72(R10), R13
+	SUBQ    $0x20, R12
+	SUBQ    $0x04, R13
+	MOVQ    48(R10), R14
+
+	// b.value |= uint64(low) << (b.bitsRead & 63)
+	MOVL (R13)(R14*1), R14
+	MOVQ R12, CX
+	SHLQ CL, R14
+	MOVQ R13, 72(R10)
+	ORQ  R14, R11
+
+	// exhausted += (br1.off < 4)
+	CMPQ R13, $0x04
+	ADCB $+0, DL
+
+skip_fill1:
+	// val0 := br1.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v0 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br1.advance(uint8(v0.entry)
+	MOVB CH, AL
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val1 := br1.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v1 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br1.advance(uint8(v1.entry)
+	MOVB   CH, AH
+	SHLQ   CL, R11
+	ADDB   CL, R12
+	BSWAPL AX
+
+	// val2 := br1.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v2 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br1.advance(uint8(v2.entry)
+	MOVB CH, AH
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val3 := br1.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v3 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br1.advance(uint8(v3.entry)
+	MOVB   CH, AL
+	SHLQ   CL, R11
+	ADDB   CL, R12
+	BSWAPL AX
+
+	// these four writes get coalesced
+	// out[id * dstEvery + 0] = uint8(v0.entry >> 8)
+	// out[id * dstEvery + 1] = uint8(v1.entry >> 8)
+	// out[id * dstEvery + 3] = uint8(v2.entry >> 8)
+	// out[id * dstEvery + 4] = uint8(v3.entry >> 8)
+	MOVL AX, (BX)(R8*1)
+
+	// update the bitreader structure
+	MOVQ R11, 80(R10)
+	MOVB R12, 88(R10)
+
+	// br2.fillFast32()
+	MOVQ    128(R10), R11
+	MOVBQZX 136(R10), R12
+	CMPQ    R12, $0x20
+	JBE     skip_fill2
+	MOVQ    120(R10), R13
+	SUBQ    $0x20, R12
+	SUBQ    $0x04, R13
+	MOVQ    96(R10), R14
+
+	// b.value |= uint64(low) << (b.bitsRead & 63)
+	MOVL (R13)(R14*1), R14
+	MOVQ R12, CX
+	SHLQ CL, R14
+	MOVQ R13, 120(R10)
+	ORQ  R14, R11
+
+	// exhausted += (br2.off < 4)
+	CMPQ R13, $0x04
+	ADCB $+0, DL
+
+skip_fill2:
+	// val0 := br2.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v0 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br2.advance(uint8(v0.entry)
+	MOVB CH, AL
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val1 := br2.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v1 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br2.advance(uint8(v1.entry)
+	MOVB   CH, AH
+	SHLQ   CL, R11
+	ADDB   CL, R12
+	BSWAPL AX
+
+	// val2 := br2.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v2 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br2.advance(uint8(v2.entry)
+	MOVB CH, AH
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val3 := br2.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v3 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br2.advance(uint8(v3.entry)
+	MOVB   CH, AL
+	SHLQ   CL, R11
+	ADDB   CL, R12
+	BSWAPL AX
+
+	// these four writes get coalesced
+	// out[id * dstEvery + 0] = uint8(v0.entry >> 8)
+	// out[id * dstEvery + 1] = uint8(v1.entry >> 8)
+	// out[id * dstEvery + 3] = uint8(v2.entry >> 8)
+	// out[id * dstEvery + 4] = uint8(v3.entry >> 8)
+	MOVL AX, (BX)(R8*2)
+
+	// update the bitreader structure
+	MOVQ R11, 128(R10)
+	MOVB R12, 136(R10)
+
+	// br3.fillFast32()
+	MOVQ    176(R10), R11
+	MOVBQZX 184(R10), R12
+	CMPQ    R12, $0x20
+	JBE     skip_fill3
+	MOVQ    168(R10), R13
+	SUBQ    $0x20, R12
+	SUBQ    $0x04, R13
+	MOVQ    144(R10), R14
+
+	// b.value |= uint64(low) << (b.bitsRead & 63)
+	MOVL (R13)(R14*1), R14
+	MOVQ R12, CX
+	SHLQ CL, R14
+	MOVQ R13, 168(R10)
+	ORQ  R14, R11
+
+	// exhausted += (br3.off < 4)
+	CMPQ R13, $0x04
+	ADCB $+0, DL
+
+skip_fill3:
+	// val0 := br3.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v0 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br3.advance(uint8(v0.entry)
+	MOVB CH, AL
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val1 := br3.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v1 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br3.advance(uint8(v1.entry)
+	MOVB   CH, AH
+	SHLQ   CL, R11
+	ADDB   CL, R12
+	BSWAPL AX
+
+	// val2 := br3.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v2 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br3.advance(uint8(v2.entry)
+	MOVB CH, AH
+	SHLQ CL, R11
+	ADDB CL, R12
+
+	// val3 := br3.peekTopBits(peekBits)
+	MOVQ R11, R13
+	MOVQ DI, CX
+	SHRQ CL, R13
+
+	// v3 := table[val0&mask]
+	MOVW (R9)(R13*2), CX
+
+	// br3.advance(uint8(v3.entry)
+	MOVB   CH, AL
+	SHLQ   CL, R11
+	ADDB   CL, R12
+	BSWAPL AX
+
+	// these four writes get coalesced
+	// out[id * dstEvery + 0] = uint8(v0.entry >> 8)
+	// out[id * dstEvery + 1] = uint8(v1.entry >> 8)
+	// out[id * dstEvery + 3] = uint8(v2.entry >> 8)
+	// out[id * dstEvery + 4] = uint8(v3.entry >> 8)
+	LEAQ (R8)(R8*2), CX
+	MOVL AX, (BX)(CX*1)
+
+	// update the bitreader structure
+	MOVQ  R11, 176(R10)
+	MOVB  R12, 184(R10)
+	ADDQ  $0x04, BX
+	TESTB DL, DL
+	JZ    main_loop
+	MOVQ  ctx+0(FP), AX
+	SUBQ  16(AX), BX
+	SHLQ  $0x02, BX
+	MOVQ  BX, 40(AX)
+	RET
+
+// func decompress1x_main_loop_amd64(ctx *decompress1xContext)
+TEXT ·decompress1x_main_loop_amd64(SB), $0-8
+	MOVQ    ctx+0(FP), CX
+	MOVQ    16(CX), DX
+	MOVQ    24(CX), BX
+	CMPQ    BX, $0x04
+	JB      error_max_decoded_size_exceeded
+	LEAQ    (DX)(BX*1), BX
+	MOVQ    (CX), SI
+	MOVQ    (SI), R8
+	MOVQ    24(SI), R9
+	MOVQ    32(SI), R10
+	MOVBQZX 40(SI), R11
+	MOVQ    32(CX), SI
+	MOVBQZX 8(CX), DI
+	JMP     loop_condition
+
+main_loop:
+	// Check if we have room for 4 bytes in the output buffer
+	LEAQ 4(DX), CX
+	CMPQ CX, BX
+	JGE  error_max_decoded_size_exceeded
+
+	// Decode 4 values
+	CMPQ R11, $0x20
+	JL   bitReader_fillFast_1_end
+	SUBQ $0x20, R11
+	SUBQ $0x04, R9
+	MOVL (R8)(R9*1), R12
+	MOVQ R11, CX
+	SHLQ CL, R12
+	ORQ  R12, R10
+
+bitReader_fillFast_1_end:
+	MOVQ    DI, CX
+	MOVQ    R10, R12
+	SHRQ    CL, R12
+	MOVW    (SI)(R12*2), CX
+	MOVB    CH, AL
+	MOVBQZX CL, CX
+	ADDQ    CX, R11
+	SHLQ    CL, R10
+	MOVQ    DI, CX
+	MOVQ    R10, R12
+	SHRQ    CL, R12
+	MOVW    (SI)(R12*2), CX
+	MOVB    CH, AH
+	MOVBQZX CL, CX
+	ADDQ    CX, R11
+	SHLQ    CL, R10
+	BSWAPL  AX
+	CMPQ    R11, $0x20
+	JL      bitReader_fillFast_2_end
+	SUBQ    $0x20, R11
+	SUBQ    $0x04, R9
+	MOVL    (R8)(R9*1), R12
+	MOVQ    R11, CX
+	SHLQ    CL, R12
+	ORQ     R12, R10
+
+bitReader_fillFast_2_end:
+	MOVQ    DI, CX
+	MOVQ    R10, R12
+	SHRQ    CL, R12
+	MOVW    (SI)(R12*2), CX
+	MOVB    CH, AH
+	MOVBQZX CL, CX
+	ADDQ    CX, R11
+	SHLQ    CL, R10
+	MOVQ    DI, CX
+	MOVQ    R10, R12
+	SHRQ    CL, R12
+	MOVW    (SI)(R12*2), CX
+	MOVB    CH, AL
+	MOVBQZX CL, CX
+	ADDQ    CX, R11
+	SHLQ    CL, R10
+	BSWAPL  AX
+
+	// Store the decoded values
+	MOVL AX, (DX)
+	ADDQ $0x04, DX
+
+loop_condition:
+	CMPQ R9, $0x08
+	JGE  main_loop
+
+	// Update ctx structure
+	MOVQ ctx+0(FP), AX
+	SUBQ 16(AX), DX
+	MOVQ DX, 40(AX)
+	MOVQ (AX), AX
+	MOVQ R9, 24(AX)
+	MOVQ R10, 32(AX)
+	MOVB R11, 40(AX)
+	RET
+
+	// Report error
+error_max_decoded_size_exceeded:
+	MOVQ ctx+0(FP), AX
+	MOVQ $-1, CX
+	MOVQ CX, 40(AX)
+	RET
+
+// func decompress1x_main_loop_bmi2(ctx *decompress1xContext)
+// Requires: BMI2
+TEXT ·decompress1x_main_loop_bmi2(SB), $0-8
+	MOVQ    ctx+0(FP), CX
+	MOVQ    16(CX), DX
+	MOVQ    24(CX), BX
+	CMPQ    BX, $0x04
+	JB      error_max_decoded_size_exceeded
+	LEAQ    (DX)(BX*1), BX
+	MOVQ    (CX), SI
+	MOVQ    (SI), R8
+	MOVQ    24(SI), R9
+	MOVQ    32(SI), R10
+	MOVBQZX 40(SI), R11
+	MOVQ    32(CX), SI
+	MOVBQZX 8(CX), DI
+	JMP     loop_condition
+
+main_loop:
+	// Check if we have room for 4 bytes in the output buffer
+	LEAQ 4(DX), CX
+	CMPQ CX, BX
+	JGE  error_max_decoded_size_exceeded
+
+	// Decode 4 values
+	CMPQ  R11, $0x20
+	JL    bitReader_fillFast_1_end
+	SUBQ  $0x20, R11
+	SUBQ  $0x04, R9
+	MOVL  (R8)(R9*1), CX
+	SHLXQ R11, CX, CX
+	ORQ   CX, R10
+
+bitReader_fillFast_1_end:
+	SHRXQ   DI, R10, CX
+	MOVW    (SI)(CX*2), CX
+	MOVB    CH, AL
+	MOVBQZX CL, CX
+	ADDQ    CX, R11
+	SHLXQ   CX, R10, R10
+	SHRXQ   DI, R10, CX
+	MOVW    (SI)(CX*2), CX
+	MOVB    CH, AH
+	MOVBQZX CL, CX
+	ADDQ    CX, R11
+	SHLXQ   CX, R10, R10
+	BSWAPL  AX
+	CMPQ    R11, $0x20
+	JL      bitReader_fillFast_2_end
+	SUBQ    $0x20, R11
+	SUBQ    $0x04, R9
+	MOVL    (R8)(R9*1), CX
+	SHLXQ   R11, CX, CX
+	ORQ     CX, R10
+
+bitReader_fillFast_2_end:
+	SHRXQ   DI, R10, CX
+	MOVW    (SI)(CX*2), CX
+	MOVB    CH, AH
+	MOVBQZX CL, CX
+	ADDQ    CX, R11
+	SHLXQ   CX, R10, R10
+	SHRXQ   DI, R10, CX
+	MOVW    (SI)(CX*2), CX
+	MOVB    CH, AL
+	MOVBQZX CL, CX
+	ADDQ    CX, R11
+	SHLXQ   CX, R10, R10
+	BSWAPL  AX
+
+	// Store the decoded values
+	MOVL AX, (DX)
+	ADDQ $0x04, DX
+
+loop_condition:
+	CMPQ R9, $0x08
+	JGE  main_loop
+
+	// Update ctx structure
+	MOVQ ctx+0(FP), AX
+	SUBQ 16(AX), DX
+	MOVQ DX, 40(AX)
+	MOVQ (AX), AX
+	MOVQ R9, 24(AX)
+	MOVQ R10, 32(AX)
+	MOVB R11, 40(AX)
+	RET
+
+	// Report error
+error_max_decoded_size_exceeded:
+	MOVQ ctx+0(FP), AX
+	MOVQ $-1, CX
+	MOVQ CX, 40(AX)
+	RET
diff --git a/vendor/github.com/klauspost/compress/huff0/decompress_generic.go b/vendor/github.com/klauspost/compress/huff0/decompress_generic.go
new file mode 100644
index 0000000000..908c17de63
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/decompress_generic.go
@@ -0,0 +1,299 @@
+//go:build !amd64 || appengine || !gc || noasm
+// +build !amd64 appengine !gc noasm
+
+// This file contains a generic implementation of Decoder.Decompress4X.
+package huff0
+
+import (
+	"errors"
+	"fmt"
+)
+
+// Decompress4X will decompress a 4X encoded stream.
+// The length of the supplied input must match the end of a block exactly.
+// The *capacity* of the dst slice must match the destination size of
+// the uncompressed data exactly.
+func (d *Decoder) Decompress4X(dst, src []byte) ([]byte, error) {
+	if len(d.dt.single) == 0 {
+		return nil, errors.New("no table loaded")
+	}
+	if len(src) < 6+(4*1) {
+		return nil, errors.New("input too small")
+	}
+	if use8BitTables && d.actualTableLog <= 8 {
+		return d.decompress4X8bit(dst, src)
+	}
+
+	var br [4]bitReaderShifted
+	// Decode "jump table"
+	start := 6
+	for i := 0; i < 3; i++ {
+		length := int(src[i*2]) | (int(src[i*2+1]) << 8)
+		if start+length >= len(src) {
+			return nil, errors.New("truncated input (or invalid offset)")
+		}
+		err := br[i].init(src[start : start+length])
+		if err != nil {
+			return nil, err
+		}
+		start += length
+	}
+	err := br[3].init(src[start:])
+	if err != nil {
+		return nil, err
+	}
+
+	// destination, offset to match first output
+	dstSize := cap(dst)
+	dst = dst[:dstSize]
+	out := dst
+	dstEvery := (dstSize + 3) / 4
+
+	const tlSize = 1 << tableLogMax
+	const tlMask = tlSize - 1
+	single := d.dt.single[:tlSize]
+
+	// Use temp table to avoid bound checks/append penalty.
+	buf := d.buffer()
+	var off uint8
+	var decoded int
+
+	// Decode 2 values from each decoder/loop.
+	const bufoff = 256
+	for {
+		if br[0].off < 4 || br[1].off < 4 || br[2].off < 4 || br[3].off < 4 {
+			break
+		}
+
+		{
+			const stream = 0
+			const stream2 = 1
+			br[stream].fillFast()
+			br[stream2].fillFast()
+
+			val := br[stream].peekBitsFast(d.actualTableLog)
+			val2 := br[stream2].peekBitsFast(d.actualTableLog)
+			v := single[val&tlMask]
+			v2 := single[val2&tlMask]
+			br[stream].advance(uint8(v.entry))
+			br[stream2].advance(uint8(v2.entry))
+			buf[stream][off] = uint8(v.entry >> 8)
+			buf[stream2][off] = uint8(v2.entry >> 8)
+
+			val = br[stream].peekBitsFast(d.actualTableLog)
+			val2 = br[stream2].peekBitsFast(d.actualTableLog)
+			v = single[val&tlMask]
+			v2 = single[val2&tlMask]
+			br[stream].advance(uint8(v.entry))
+			br[stream2].advance(uint8(v2.entry))
+			buf[stream][off+1] = uint8(v.entry >> 8)
+			buf[stream2][off+1] = uint8(v2.entry >> 8)
+		}
+
+		{
+			const stream = 2
+			const stream2 = 3
+			br[stream].fillFast()
+			br[stream2].fillFast()
+
+			val := br[stream].peekBitsFast(d.actualTableLog)
+			val2 := br[stream2].peekBitsFast(d.actualTableLog)
+			v := single[val&tlMask]
+			v2 := single[val2&tlMask]
+			br[stream].advance(uint8(v.entry))
+			br[stream2].advance(uint8(v2.entry))
+			buf[stream][off] = uint8(v.entry >> 8)
+			buf[stream2][off] = uint8(v2.entry >> 8)
+
+			val = br[stream].peekBitsFast(d.actualTableLog)
+			val2 = br[stream2].peekBitsFast(d.actualTableLog)
+			v = single[val&tlMask]
+			v2 = single[val2&tlMask]
+			br[stream].advance(uint8(v.entry))
+			br[stream2].advance(uint8(v2.entry))
+			buf[stream][off+1] = uint8(v.entry >> 8)
+			buf[stream2][off+1] = uint8(v2.entry >> 8)
+		}
+
+		off += 2
+
+		if off == 0 {
+			if bufoff > dstEvery {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 1")
+			}
+			// There must at least be 3 buffers left.
+			if len(out)-bufoff < dstEvery*3 {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 2")
+			}
+			//copy(out, buf[0][:])
+			//copy(out[dstEvery:], buf[1][:])
+			//copy(out[dstEvery*2:], buf[2][:])
+			//copy(out[dstEvery*3:], buf[3][:])
+			*(*[bufoff]byte)(out) = buf[0]
+			*(*[bufoff]byte)(out[dstEvery:]) = buf[1]
+			*(*[bufoff]byte)(out[dstEvery*2:]) = buf[2]
+			*(*[bufoff]byte)(out[dstEvery*3:]) = buf[3]
+			out = out[bufoff:]
+			decoded += bufoff * 4
+		}
+	}
+	if off > 0 {
+		ioff := int(off)
+		if len(out) < dstEvery*3+ioff {
+			d.bufs.Put(buf)
+			return nil, errors.New("corruption detected: stream overrun 3")
+		}
+		copy(out, buf[0][:off])
+		copy(out[dstEvery:], buf[1][:off])
+		copy(out[dstEvery*2:], buf[2][:off])
+		copy(out[dstEvery*3:], buf[3][:off])
+		decoded += int(off) * 4
+		out = out[off:]
+	}
+
+	// Decode remaining.
+	remainBytes := dstEvery - (decoded / 4)
+	for i := range br {
+		offset := dstEvery * i
+		endsAt := offset + remainBytes
+		if endsAt > len(out) {
+			endsAt = len(out)
+		}
+		br := &br[i]
+		bitsLeft := br.remaining()
+		for bitsLeft > 0 {
+			br.fill()
+			if offset >= endsAt {
+				d.bufs.Put(buf)
+				return nil, errors.New("corruption detected: stream overrun 4")
+			}
+
+			// Read value and increment offset.
+			val := br.peekBitsFast(d.actualTableLog)
+			v := single[val&tlMask].entry
+			nBits := uint8(v)
+			br.advance(nBits)
+			bitsLeft -= uint(nBits)
+			out[offset] = uint8(v >> 8)
+			offset++
+		}
+		if offset != endsAt {
+			d.bufs.Put(buf)
+			return nil, fmt.Errorf("corruption detected: short output block %d, end %d != %d", i, offset, endsAt)
+		}
+		decoded += offset - dstEvery*i
+		err = br.close()
+		if err != nil {
+			return nil, err
+		}
+	}
+	d.bufs.Put(buf)
+	if dstSize != decoded {
+		return nil, errors.New("corruption detected: short output block")
+	}
+	return dst, nil
+}
+
+// Decompress1X will decompress a 1X encoded stream.
+// The cap of the output buffer will be the maximum decompressed size.
+// The length of the supplied input must match the end of a block exactly.
+func (d *Decoder) Decompress1X(dst, src []byte) ([]byte, error) {
+	if len(d.dt.single) == 0 {
+		return nil, errors.New("no table loaded")
+	}
+	if use8BitTables && d.actualTableLog <= 8 {
+		return d.decompress1X8Bit(dst, src)
+	}
+	var br bitReaderShifted
+	err := br.init(src)
+	if err != nil {
+		return dst, err
+	}
+	maxDecodedSize := cap(dst)
+	dst = dst[:0]
+
+	// Avoid bounds check by always having full sized table.
+	const tlSize = 1 << tableLogMax
+	const tlMask = tlSize - 1
+	dt := d.dt.single[:tlSize]
+
+	// Use temp table to avoid bound checks/append penalty.
+	bufs := d.buffer()
+	buf := &bufs[0]
+	var off uint8
+
+	for br.off >= 8 {
+		br.fillFast()
+		v := dt[br.peekBitsFast(d.actualTableLog)&tlMask]
+		br.advance(uint8(v.entry))
+		buf[off+0] = uint8(v.entry >> 8)
+
+		v = dt[br.peekBitsFast(d.actualTableLog)&tlMask]
+		br.advance(uint8(v.entry))
+		buf[off+1] = uint8(v.entry >> 8)
+
+		// Refill
+		br.fillFast()
+
+		v = dt[br.peekBitsFast(d.actualTableLog)&tlMask]
+		br.advance(uint8(v.entry))
+		buf[off+2] = uint8(v.entry >> 8)
+
+		v = dt[br.peekBitsFast(d.actualTableLog)&tlMask]
+		br.advance(uint8(v.entry))
+		buf[off+3] = uint8(v.entry >> 8)
+
+		off += 4
+		if off == 0 {
+			if len(dst)+256 > maxDecodedSize {
+				br.close()
+				d.bufs.Put(bufs)
+				return nil, ErrMaxDecodedSizeExceeded
+			}
+			dst = append(dst, buf[:]...)
+		}
+	}
+
+	if len(dst)+int(off) > maxDecodedSize {
+		d.bufs.Put(bufs)
+		br.close()
+		return nil, ErrMaxDecodedSizeExceeded
+	}
+	dst = append(dst, buf[:off]...)
+
+	// br < 8, so uint8 is fine
+	bitsLeft := uint8(br.off)*8 + 64 - br.bitsRead
+	for bitsLeft > 0 {
+		br.fill()
+		if false && br.bitsRead >= 32 {
+			if br.off >= 4 {
+				v := br.in[br.off-4:]
+				v = v[:4]
+				low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24)
+				br.value = (br.value << 32) | uint64(low)
+				br.bitsRead -= 32
+				br.off -= 4
+			} else {
+				for br.off > 0 {
+					br.value = (br.value << 8) | uint64(br.in[br.off-1])
+					br.bitsRead -= 8
+					br.off--
+				}
+			}
+		}
+		if len(dst) >= maxDecodedSize {
+			d.bufs.Put(bufs)
+			br.close()
+			return nil, ErrMaxDecodedSizeExceeded
+		}
+		v := d.dt.single[br.peekBitsFast(d.actualTableLog)&tlMask]
+		nBits := uint8(v.entry)
+		br.advance(nBits)
+		bitsLeft -= nBits
+		dst = append(dst, uint8(v.entry>>8))
+	}
+	d.bufs.Put(bufs)
+	return dst, br.close()
+}
diff --git a/vendor/github.com/klauspost/compress/huff0/huff0.go b/vendor/github.com/klauspost/compress/huff0/huff0.go
new file mode 100644
index 0000000000..77ecd68e0a
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/huff0/huff0.go
@@ -0,0 +1,337 @@
+// Package huff0 provides fast huffman encoding as used in zstd.
+//
+// See README.md at https://github.com/klauspost/compress/tree/master/huff0 for details.
+package huff0
+
+import (
+	"errors"
+	"fmt"
+	"math"
+	"math/bits"
+	"sync"
+
+	"github.com/klauspost/compress/fse"
+)
+
+const (
+	maxSymbolValue = 255
+
+	// zstandard limits tablelog to 11, see:
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#huffman-tree-description
+	tableLogMax     = 11
+	tableLogDefault = 11
+	minTablelog     = 5
+	huffNodesLen    = 512
+
+	// BlockSizeMax is maximum input size for a single block uncompressed.
+	BlockSizeMax = 1<<18 - 1
+)
+
+var (
+	// ErrIncompressible is returned when input is judged to be too hard to compress.
+	ErrIncompressible = errors.New("input is not compressible")
+
+	// ErrUseRLE is returned from the compressor when the input is a single byte value repeated.
+	ErrUseRLE = errors.New("input is single value repeated")
+
+	// ErrTooBig is return if input is too large for a single block.
+	ErrTooBig = errors.New("input too big")
+
+	// ErrMaxDecodedSizeExceeded is return if input is too large for a single block.
+	ErrMaxDecodedSizeExceeded = errors.New("maximum output size exceeded")
+)
+
+type ReusePolicy uint8
+
+const (
+	// ReusePolicyAllow will allow reuse if it produces smaller output.
+	ReusePolicyAllow ReusePolicy = iota
+
+	// ReusePolicyPrefer will re-use aggressively if possible.
+	// This will not check if a new table will produce smaller output,
+	// except if the current table is impossible to use or
+	// compressed output is bigger than input.
+	ReusePolicyPrefer
+
+	// ReusePolicyNone will disable re-use of tables.
+	// This is slightly faster than ReusePolicyAllow but may produce larger output.
+	ReusePolicyNone
+
+	// ReusePolicyMust must allow reuse and produce smaller output.
+	ReusePolicyMust
+)
+
+type Scratch struct {
+	count [maxSymbolValue + 1]uint32
+
+	// Per block parameters.
+	// These can be used to override compression parameters of the block.
+	// Do not touch, unless you know what you are doing.
+
+	// Out is output buffer.
+	// If the scratch is re-used before the caller is done processing the output,
+	// set this field to nil.
+	// Otherwise the output buffer will be re-used for next Compression/Decompression step
+	// and allocation will be avoided.
+	Out []byte
+
+	// OutTable will contain the table data only, if a new table has been generated.
+	// Slice of the returned data.
+	OutTable []byte
+
+	// OutData will contain the compressed data.
+	// Slice of the returned data.
+	OutData []byte
+
+	// MaxDecodedSize will set the maximum allowed output size.
+	// This value will automatically be set to BlockSizeMax if not set.
+	// Decoders will return ErrMaxDecodedSizeExceeded is this limit is exceeded.
+	MaxDecodedSize int
+
+	srcLen int
+
+	// MaxSymbolValue will override the maximum symbol value of the next block.
+	MaxSymbolValue uint8
+
+	// TableLog will attempt to override the tablelog for the next block.
+	// Must be <= 11 and >= 5.
+	TableLog uint8
+
+	// Reuse will specify the reuse policy
+	Reuse ReusePolicy
+
+	// WantLogLess allows to specify a log 2 reduction that should at least be achieved,
+	// otherwise the block will be returned as incompressible.
+	// The reduction should then at least be (input size >> WantLogLess)
+	// If WantLogLess == 0 any improvement will do.
+	WantLogLess uint8
+
+	symbolLen      uint16 // Length of active part of the symbol table.
+	maxCount       int    // count of the most probable symbol
+	clearCount     bool   // clear count
+	actualTableLog uint8  // Selected tablelog.
+	prevTableLog   uint8  // Tablelog for previous table
+	prevTable      cTable // Table used for previous compression.
+	cTable         cTable // compression table
+	dt             dTable // decompression table
+	nodes          []nodeElt
+	tmpOut         [4][]byte
+	fse            *fse.Scratch
+	decPool        sync.Pool // *[4][256]byte buffers.
+	huffWeight     [maxSymbolValue + 1]byte
+}
+
+// TransferCTable will transfer the previously used compression table.
+func (s *Scratch) TransferCTable(src *Scratch) {
+	if cap(s.prevTable) < len(src.prevTable) {
+		s.prevTable = make(cTable, 0, maxSymbolValue+1)
+	}
+	s.prevTable = s.prevTable[:len(src.prevTable)]
+	copy(s.prevTable, src.prevTable)
+	s.prevTableLog = src.prevTableLog
+}
+
+func (s *Scratch) prepare(in []byte) (*Scratch, error) {
+	if len(in) > BlockSizeMax {
+		return nil, ErrTooBig
+	}
+	if s == nil {
+		s = &Scratch{}
+	}
+	if s.MaxSymbolValue == 0 {
+		s.MaxSymbolValue = maxSymbolValue
+	}
+	if s.TableLog == 0 {
+		s.TableLog = tableLogDefault
+	}
+	if s.TableLog > tableLogMax || s.TableLog < minTablelog {
+		return nil, fmt.Errorf(" invalid tableLog %d (%d -> %d)", s.TableLog, minTablelog, tableLogMax)
+	}
+	if s.MaxDecodedSize <= 0 || s.MaxDecodedSize > BlockSizeMax {
+		s.MaxDecodedSize = BlockSizeMax
+	}
+	if s.clearCount && s.maxCount == 0 {
+		for i := range s.count {
+			s.count[i] = 0
+		}
+		s.clearCount = false
+	}
+	if cap(s.Out) == 0 {
+		s.Out = make([]byte, 0, len(in))
+	}
+	s.Out = s.Out[:0]
+
+	s.OutTable = nil
+	s.OutData = nil
+	if cap(s.nodes) < huffNodesLen+1 {
+		s.nodes = make([]nodeElt, 0, huffNodesLen+1)
+	}
+	s.nodes = s.nodes[:0]
+	if s.fse == nil {
+		s.fse = &fse.Scratch{}
+	}
+	s.srcLen = len(in)
+
+	return s, nil
+}
+
+type cTable []cTableEntry
+
+func (c cTable) write(s *Scratch) error {
+	var (
+		// precomputed conversion table
+		bitsToWeight [tableLogMax + 1]byte
+		huffLog      = s.actualTableLog
+		// last weight is not saved.
+		maxSymbolValue = uint8(s.symbolLen - 1)
+		huffWeight     = s.huffWeight[:256]
+	)
+	const (
+		maxFSETableLog = 6
+	)
+	// convert to weight
+	bitsToWeight[0] = 0
+	for n := uint8(1); n < huffLog+1; n++ {
+		bitsToWeight[n] = huffLog + 1 - n
+	}
+
+	// Acquire histogram for FSE.
+	hist := s.fse.Histogram()
+	hist = hist[:256]
+	for i := range hist[:16] {
+		hist[i] = 0
+	}
+	for n := uint8(0); n < maxSymbolValue; n++ {
+		v := bitsToWeight[c[n].nBits] & 15
+		huffWeight[n] = v
+		hist[v]++
+	}
+
+	// FSE compress if feasible.
+	if maxSymbolValue >= 2 {
+		huffMaxCnt := uint32(0)
+		huffMax := uint8(0)
+		for i, v := range hist[:16] {
+			if v == 0 {
+				continue
+			}
+			huffMax = byte(i)
+			if v > huffMaxCnt {
+				huffMaxCnt = v
+			}
+		}
+		s.fse.HistogramFinished(huffMax, int(huffMaxCnt))
+		s.fse.TableLog = maxFSETableLog
+		b, err := fse.Compress(huffWeight[:maxSymbolValue], s.fse)
+		if err == nil && len(b) < int(s.symbolLen>>1) {
+			s.Out = append(s.Out, uint8(len(b)))
+			s.Out = append(s.Out, b...)
+			return nil
+		}
+		// Unable to compress (RLE/uncompressible)
+	}
+	// write raw values as 4-bits (max : 15)
+	if maxSymbolValue > (256 - 128) {
+		// should not happen : likely means source cannot be compressed
+		return ErrIncompressible
+	}
+	op := s.Out
+	// special case, pack weights 4 bits/weight.
+	op = append(op, 128|(maxSymbolValue-1))
+	// be sure it doesn't cause msan issue in final combination
+	huffWeight[maxSymbolValue] = 0
+	for n := uint16(0); n < uint16(maxSymbolValue); n += 2 {
+		op = append(op, (huffWeight[n]<<4)|huffWeight[n+1])
+	}
+	s.Out = op
+	return nil
+}
+
+func (c cTable) estTableSize(s *Scratch) (sz int, err error) {
+	var (
+		// precomputed conversion table
+		bitsToWeight [tableLogMax + 1]byte
+		huffLog      = s.actualTableLog
+		// last weight is not saved.
+		maxSymbolValue = uint8(s.symbolLen - 1)
+		huffWeight     = s.huffWeight[:256]
+	)
+	const (
+		maxFSETableLog = 6
+	)
+	// convert to weight
+	bitsToWeight[0] = 0
+	for n := uint8(1); n < huffLog+1; n++ {
+		bitsToWeight[n] = huffLog + 1 - n
+	}
+
+	// Acquire histogram for FSE.
+	hist := s.fse.Histogram()
+	hist = hist[:256]
+	for i := range hist[:16] {
+		hist[i] = 0
+	}
+	for n := uint8(0); n < maxSymbolValue; n++ {
+		v := bitsToWeight[c[n].nBits] & 15
+		huffWeight[n] = v
+		hist[v]++
+	}
+
+	// FSE compress if feasible.
+	if maxSymbolValue >= 2 {
+		huffMaxCnt := uint32(0)
+		huffMax := uint8(0)
+		for i, v := range hist[:16] {
+			if v == 0 {
+				continue
+			}
+			huffMax = byte(i)
+			if v > huffMaxCnt {
+				huffMaxCnt = v
+			}
+		}
+		s.fse.HistogramFinished(huffMax, int(huffMaxCnt))
+		s.fse.TableLog = maxFSETableLog
+		b, err := fse.Compress(huffWeight[:maxSymbolValue], s.fse)
+		if err == nil && len(b) < int(s.symbolLen>>1) {
+			sz += 1 + len(b)
+			return sz, nil
+		}
+		// Unable to compress (RLE/uncompressible)
+	}
+	// write raw values as 4-bits (max : 15)
+	if maxSymbolValue > (256 - 128) {
+		// should not happen : likely means source cannot be compressed
+		return 0, ErrIncompressible
+	}
+	// special case, pack weights 4 bits/weight.
+	sz += 1 + int(maxSymbolValue/2)
+	return sz, nil
+}
+
+// estimateSize returns the estimated size in bytes of the input represented in the
+// histogram supplied.
+func (c cTable) estimateSize(hist []uint32) int {
+	nbBits := uint32(7)
+	for i, v := range c[:len(hist)] {
+		nbBits += uint32(v.nBits) * hist[i]
+	}
+	return int(nbBits >> 3)
+}
+
+// minSize returns the minimum possible size considering the shannon limit.
+func (s *Scratch) minSize(total int) int {
+	nbBits := float64(7)
+	fTotal := float64(total)
+	for _, v := range s.count[:s.symbolLen] {
+		n := float64(v)
+		if n > 0 {
+			nbBits += math.Log2(fTotal/n) * n
+		}
+	}
+	return int(nbBits) >> 3
+}
+
+func highBit32(val uint32) (n uint32) {
+	return uint32(bits.Len32(val) - 1)
+}
diff --git a/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo.go b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo.go
new file mode 100644
index 0000000000..3954c51219
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo.go
@@ -0,0 +1,34 @@
+// Package cpuinfo gives runtime info about the current CPU.
+//
+// This is a very limited module meant for use internally
+// in this project. For more versatile solution check
+// https://github.com/klauspost/cpuid.
+package cpuinfo
+
+// HasBMI1 checks whether an x86 CPU supports the BMI1 extension.
+func HasBMI1() bool {
+	return hasBMI1
+}
+
+// HasBMI2 checks whether an x86 CPU supports the BMI2 extension.
+func HasBMI2() bool {
+	return hasBMI2
+}
+
+// DisableBMI2 will disable BMI2, for testing purposes.
+// Call returned function to restore previous state.
+func DisableBMI2() func() {
+	old := hasBMI2
+	hasBMI2 = false
+	return func() {
+		hasBMI2 = old
+	}
+}
+
+// HasBMI checks whether an x86 CPU supports both BMI1 and BMI2 extensions.
+func HasBMI() bool {
+	return HasBMI1() && HasBMI2()
+}
+
+var hasBMI1 bool
+var hasBMI2 bool
diff --git a/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go
new file mode 100644
index 0000000000..e802579c4f
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go
@@ -0,0 +1,11 @@
+//go:build amd64 && !appengine && !noasm && gc
+// +build amd64,!appengine,!noasm,gc
+
+package cpuinfo
+
+// go:noescape
+func x86extensions() (bmi1, bmi2 bool)
+
+func init() {
+	hasBMI1, hasBMI2 = x86extensions()
+}
diff --git a/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.s b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.s
new file mode 100644
index 0000000000..4465fbe9e9
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.s
@@ -0,0 +1,36 @@
+// +build !appengine
+// +build gc
+// +build !noasm
+
+#include "textflag.h"
+#include "funcdata.h"
+#include "go_asm.h"
+
+TEXT ·x86extensions(SB), NOSPLIT, $0
+	// 1. determine max EAX value
+	XORQ AX, AX
+	CPUID
+
+	CMPQ AX, $7
+	JB   unsupported
+
+	// 2. EAX = 7, ECX = 0 --- see Table 3-8 "Information Returned by CPUID Instruction"
+	MOVQ $7, AX
+	MOVQ $0, CX
+	CPUID
+
+	BTQ   $3, BX // bit 3 = BMI1
+	SETCS AL
+
+	BTQ   $8, BX // bit 8 = BMI2
+	SETCS AH
+
+	MOVB AL, bmi1+0(FP)
+	MOVB AH, bmi2+1(FP)
+	RET
+
+unsupported:
+	XORQ AX, AX
+	MOVB AL, bmi1+0(FP)
+	MOVB AL, bmi2+1(FP)
+	RET
diff --git a/vendor/github.com/klauspost/compress/internal/le/le.go b/vendor/github.com/klauspost/compress/internal/le/le.go
new file mode 100644
index 0000000000..e54909e16f
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/le/le.go
@@ -0,0 +1,5 @@
+package le
+
+type Indexer interface {
+	int | int8 | int16 | int32 | int64 | uint | uint8 | uint16 | uint32 | uint64
+}
diff --git a/vendor/github.com/klauspost/compress/internal/le/unsafe_disabled.go b/vendor/github.com/klauspost/compress/internal/le/unsafe_disabled.go
new file mode 100644
index 0000000000..0cfb5c0e27
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/le/unsafe_disabled.go
@@ -0,0 +1,42 @@
+//go:build !(amd64 || arm64 || ppc64le || riscv64) || nounsafe || purego || appengine
+
+package le
+
+import (
+	"encoding/binary"
+)
+
+// Load8 will load from b at index i.
+func Load8[I Indexer](b []byte, i I) byte {
+	return b[i]
+}
+
+// Load16 will load from b at index i.
+func Load16[I Indexer](b []byte, i I) uint16 {
+	return binary.LittleEndian.Uint16(b[i:])
+}
+
+// Load32 will load from b at index i.
+func Load32[I Indexer](b []byte, i I) uint32 {
+	return binary.LittleEndian.Uint32(b[i:])
+}
+
+// Load64 will load from b at index i.
+func Load64[I Indexer](b []byte, i I) uint64 {
+	return binary.LittleEndian.Uint64(b[i:])
+}
+
+// Store16 will store v at b.
+func Store16(b []byte, v uint16) {
+	binary.LittleEndian.PutUint16(b, v)
+}
+
+// Store32 will store v at b.
+func Store32(b []byte, v uint32) {
+	binary.LittleEndian.PutUint32(b, v)
+}
+
+// Store64 will store v at b.
+func Store64(b []byte, v uint64) {
+	binary.LittleEndian.PutUint64(b, v)
+}
diff --git a/vendor/github.com/klauspost/compress/internal/le/unsafe_enabled.go b/vendor/github.com/klauspost/compress/internal/le/unsafe_enabled.go
new file mode 100644
index 0000000000..ada45cd909
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/le/unsafe_enabled.go
@@ -0,0 +1,55 @@
+// We enable 64 bit LE platforms:
+
+//go:build (amd64 || arm64 || ppc64le || riscv64) && !nounsafe && !purego && !appengine
+
+package le
+
+import (
+	"unsafe"
+)
+
+// Load8 will load from b at index i.
+func Load8[I Indexer](b []byte, i I) byte {
+	//return binary.LittleEndian.Uint16(b[i:])
+	//return *(*uint16)(unsafe.Pointer(&b[i]))
+	return *(*byte)(unsafe.Add(unsafe.Pointer(unsafe.SliceData(b)), i))
+}
+
+// Load16 will load from b at index i.
+func Load16[I Indexer](b []byte, i I) uint16 {
+	//return binary.LittleEndian.Uint16(b[i:])
+	//return *(*uint16)(unsafe.Pointer(&b[i]))
+	return *(*uint16)(unsafe.Add(unsafe.Pointer(unsafe.SliceData(b)), i))
+}
+
+// Load32 will load from b at index i.
+func Load32[I Indexer](b []byte, i I) uint32 {
+	//return binary.LittleEndian.Uint32(b[i:])
+	//return *(*uint32)(unsafe.Pointer(&b[i]))
+	return *(*uint32)(unsafe.Add(unsafe.Pointer(unsafe.SliceData(b)), i))
+}
+
+// Load64 will load from b at index i.
+func Load64[I Indexer](b []byte, i I) uint64 {
+	//return binary.LittleEndian.Uint64(b[i:])
+	//return *(*uint64)(unsafe.Pointer(&b[i]))
+	return *(*uint64)(unsafe.Add(unsafe.Pointer(unsafe.SliceData(b)), i))
+}
+
+// Store16 will store v at b.
+func Store16(b []byte, v uint16) {
+	//binary.LittleEndian.PutUint16(b, v)
+	*(*uint16)(unsafe.Pointer(unsafe.SliceData(b))) = v
+}
+
+// Store32 will store v at b.
+func Store32(b []byte, v uint32) {
+	//binary.LittleEndian.PutUint32(b, v)
+	*(*uint32)(unsafe.Pointer(unsafe.SliceData(b))) = v
+}
+
+// Store64 will store v at b.
+func Store64(b []byte, v uint64) {
+	//binary.LittleEndian.PutUint64(b, v)
+	*(*uint64)(unsafe.Pointer(unsafe.SliceData(b))) = v
+}
diff --git a/vendor/github.com/klauspost/compress/internal/snapref/LICENSE b/vendor/github.com/klauspost/compress/internal/snapref/LICENSE
new file mode 100644
index 0000000000..6050c10f4c
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/snapref/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2011 The Snappy-Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/klauspost/compress/internal/snapref/decode.go b/vendor/github.com/klauspost/compress/internal/snapref/decode.go
new file mode 100644
index 0000000000..40796a49d6
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/snapref/decode.go
@@ -0,0 +1,264 @@
+// Copyright 2011 The Snappy-Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package snapref
+
+import (
+	"encoding/binary"
+	"errors"
+	"io"
+)
+
+var (
+	// ErrCorrupt reports that the input is invalid.
+	ErrCorrupt = errors.New("snappy: corrupt input")
+	// ErrTooLarge reports that the uncompressed length is too large.
+	ErrTooLarge = errors.New("snappy: decoded block is too large")
+	// ErrUnsupported reports that the input isn't supported.
+	ErrUnsupported = errors.New("snappy: unsupported input")
+
+	errUnsupportedLiteralLength = errors.New("snappy: unsupported literal length")
+)
+
+// DecodedLen returns the length of the decoded block.
+func DecodedLen(src []byte) (int, error) {
+	v, _, err := decodedLen(src)
+	return v, err
+}
+
+// decodedLen returns the length of the decoded block and the number of bytes
+// that the length header occupied.
+func decodedLen(src []byte) (blockLen, headerLen int, err error) {
+	v, n := binary.Uvarint(src)
+	if n <= 0 || v > 0xffffffff {
+		return 0, 0, ErrCorrupt
+	}
+
+	const wordSize = 32 << (^uint(0) >> 32 & 1)
+	if wordSize == 32 && v > 0x7fffffff {
+		return 0, 0, ErrTooLarge
+	}
+	return int(v), n, nil
+}
+
+const (
+	decodeErrCodeCorrupt                  = 1
+	decodeErrCodeUnsupportedLiteralLength = 2
+)
+
+// Decode returns the decoded form of src. The returned slice may be a sub-
+// slice of dst if dst was large enough to hold the entire decoded block.
+// Otherwise, a newly allocated slice will be returned.
+//
+// The dst and src must not overlap. It is valid to pass a nil dst.
+//
+// Decode handles the Snappy block format, not the Snappy stream format.
+func Decode(dst, src []byte) ([]byte, error) {
+	dLen, s, err := decodedLen(src)
+	if err != nil {
+		return nil, err
+	}
+	if dLen <= len(dst) {
+		dst = dst[:dLen]
+	} else {
+		dst = make([]byte, dLen)
+	}
+	switch decode(dst, src[s:]) {
+	case 0:
+		return dst, nil
+	case decodeErrCodeUnsupportedLiteralLength:
+		return nil, errUnsupportedLiteralLength
+	}
+	return nil, ErrCorrupt
+}
+
+// NewReader returns a new Reader that decompresses from r, using the framing
+// format described at
+// https://github.com/google/snappy/blob/master/framing_format.txt
+func NewReader(r io.Reader) *Reader {
+	return &Reader{
+		r:       r,
+		decoded: make([]byte, maxBlockSize),
+		buf:     make([]byte, maxEncodedLenOfMaxBlockSize+checksumSize),
+	}
+}
+
+// Reader is an io.Reader that can read Snappy-compressed bytes.
+//
+// Reader handles the Snappy stream format, not the Snappy block format.
+type Reader struct {
+	r       io.Reader
+	err     error
+	decoded []byte
+	buf     []byte
+	// decoded[i:j] contains decoded bytes that have not yet been passed on.
+	i, j       int
+	readHeader bool
+}
+
+// Reset discards any buffered data, resets all state, and switches the Snappy
+// reader to read from r. This permits reusing a Reader rather than allocating
+// a new one.
+func (r *Reader) Reset(reader io.Reader) {
+	r.r = reader
+	r.err = nil
+	r.i = 0
+	r.j = 0
+	r.readHeader = false
+}
+
+func (r *Reader) readFull(p []byte, allowEOF bool) (ok bool) {
+	if _, r.err = io.ReadFull(r.r, p); r.err != nil {
+		if r.err == io.ErrUnexpectedEOF || (r.err == io.EOF && !allowEOF) {
+			r.err = ErrCorrupt
+		}
+		return false
+	}
+	return true
+}
+
+func (r *Reader) fill() error {
+	for r.i >= r.j {
+		if !r.readFull(r.buf[:4], true) {
+			return r.err
+		}
+		chunkType := r.buf[0]
+		if !r.readHeader {
+			if chunkType != chunkTypeStreamIdentifier {
+				r.err = ErrCorrupt
+				return r.err
+			}
+			r.readHeader = true
+		}
+		chunkLen := int(r.buf[1]) | int(r.buf[2])<<8 | int(r.buf[3])<<16
+		if chunkLen > len(r.buf) {
+			r.err = ErrUnsupported
+			return r.err
+		}
+
+		// The chunk types are specified at
+		// https://github.com/google/snappy/blob/master/framing_format.txt
+		switch chunkType {
+		case chunkTypeCompressedData:
+			// Section 4.2. Compressed data (chunk type 0x00).
+			if chunkLen < checksumSize {
+				r.err = ErrCorrupt
+				return r.err
+			}
+			buf := r.buf[:chunkLen]
+			if !r.readFull(buf, false) {
+				return r.err
+			}
+			checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24
+			buf = buf[checksumSize:]
+
+			n, err := DecodedLen(buf)
+			if err != nil {
+				r.err = err
+				return r.err
+			}
+			if n > len(r.decoded) {
+				r.err = ErrCorrupt
+				return r.err
+			}
+			if _, err := Decode(r.decoded, buf); err != nil {
+				r.err = err
+				return r.err
+			}
+			if crc(r.decoded[:n]) != checksum {
+				r.err = ErrCorrupt
+				return r.err
+			}
+			r.i, r.j = 0, n
+			continue
+
+		case chunkTypeUncompressedData:
+			// Section 4.3. Uncompressed data (chunk type 0x01).
+			if chunkLen < checksumSize {
+				r.err = ErrCorrupt
+				return r.err
+			}
+			buf := r.buf[:checksumSize]
+			if !r.readFull(buf, false) {
+				return r.err
+			}
+			checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24
+			// Read directly into r.decoded instead of via r.buf.
+			n := chunkLen - checksumSize
+			if n > len(r.decoded) {
+				r.err = ErrCorrupt
+				return r.err
+			}
+			if !r.readFull(r.decoded[:n], false) {
+				return r.err
+			}
+			if crc(r.decoded[:n]) != checksum {
+				r.err = ErrCorrupt
+				return r.err
+			}
+			r.i, r.j = 0, n
+			continue
+
+		case chunkTypeStreamIdentifier:
+			// Section 4.1. Stream identifier (chunk type 0xff).
+			if chunkLen != len(magicBody) {
+				r.err = ErrCorrupt
+				return r.err
+			}
+			if !r.readFull(r.buf[:len(magicBody)], false) {
+				return r.err
+			}
+			for i := 0; i < len(magicBody); i++ {
+				if r.buf[i] != magicBody[i] {
+					r.err = ErrCorrupt
+					return r.err
+				}
+			}
+			continue
+		}
+
+		if chunkType <= 0x7f {
+			// Section 4.5. Reserved unskippable chunks (chunk types 0x02-0x7f).
+			r.err = ErrUnsupported
+			return r.err
+		}
+		// Section 4.4 Padding (chunk type 0xfe).
+		// Section 4.6. Reserved skippable chunks (chunk types 0x80-0xfd).
+		if !r.readFull(r.buf[:chunkLen], false) {
+			return r.err
+		}
+	}
+
+	return nil
+}
+
+// Read satisfies the io.Reader interface.
+func (r *Reader) Read(p []byte) (int, error) {
+	if r.err != nil {
+		return 0, r.err
+	}
+
+	if err := r.fill(); err != nil {
+		return 0, err
+	}
+
+	n := copy(p, r.decoded[r.i:r.j])
+	r.i += n
+	return n, nil
+}
+
+// ReadByte satisfies the io.ByteReader interface.
+func (r *Reader) ReadByte() (byte, error) {
+	if r.err != nil {
+		return 0, r.err
+	}
+
+	if err := r.fill(); err != nil {
+		return 0, err
+	}
+
+	c := r.decoded[r.i]
+	r.i++
+	return c, nil
+}
diff --git a/vendor/github.com/klauspost/compress/internal/snapref/decode_other.go b/vendor/github.com/klauspost/compress/internal/snapref/decode_other.go
new file mode 100644
index 0000000000..77395a6b8b
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/snapref/decode_other.go
@@ -0,0 +1,113 @@
+// Copyright 2016 The Snappy-Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package snapref
+
+// decode writes the decoding of src to dst. It assumes that the varint-encoded
+// length of the decompressed bytes has already been read, and that len(dst)
+// equals that length.
+//
+// It returns 0 on success or a decodeErrCodeXxx error code on failure.
+func decode(dst, src []byte) int {
+	var d, s, offset, length int
+	for s < len(src) {
+		switch src[s] & 0x03 {
+		case tagLiteral:
+			x := uint32(src[s] >> 2)
+			switch {
+			case x < 60:
+				s++
+			case x == 60:
+				s += 2
+				if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+					return decodeErrCodeCorrupt
+				}
+				x = uint32(src[s-1])
+			case x == 61:
+				s += 3
+				if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+					return decodeErrCodeCorrupt
+				}
+				x = uint32(src[s-2]) | uint32(src[s-1])<<8
+			case x == 62:
+				s += 4
+				if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+					return decodeErrCodeCorrupt
+				}
+				x = uint32(src[s-3]) | uint32(src[s-2])<<8 | uint32(src[s-1])<<16
+			case x == 63:
+				s += 5
+				if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+					return decodeErrCodeCorrupt
+				}
+				x = uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24
+			}
+			length = int(x) + 1
+			if length <= 0 {
+				return decodeErrCodeUnsupportedLiteralLength
+			}
+			if length > len(dst)-d || length > len(src)-s {
+				return decodeErrCodeCorrupt
+			}
+			copy(dst[d:], src[s:s+length])
+			d += length
+			s += length
+			continue
+
+		case tagCopy1:
+			s += 2
+			if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+				return decodeErrCodeCorrupt
+			}
+			length = 4 + int(src[s-2])>>2&0x7
+			offset = int(uint32(src[s-2])&0xe0<<3 | uint32(src[s-1]))
+
+		case tagCopy2:
+			s += 3
+			if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+				return decodeErrCodeCorrupt
+			}
+			length = 1 + int(src[s-3])>>2
+			offset = int(uint32(src[s-2]) | uint32(src[s-1])<<8)
+
+		case tagCopy4:
+			s += 5
+			if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+				return decodeErrCodeCorrupt
+			}
+			length = 1 + int(src[s-5])>>2
+			offset = int(uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24)
+		}
+
+		if offset <= 0 || d < offset || length > len(dst)-d {
+			return decodeErrCodeCorrupt
+		}
+		// Copy from an earlier sub-slice of dst to a later sub-slice.
+		// If no overlap, use the built-in copy:
+		if offset >= length {
+			copy(dst[d:d+length], dst[d-offset:])
+			d += length
+			continue
+		}
+
+		// Unlike the built-in copy function, this byte-by-byte copy always runs
+		// forwards, even if the slices overlap. Conceptually, this is:
+		//
+		// d += forwardCopy(dst[d:d+length], dst[d-offset:])
+		//
+		// We align the slices into a and b and show the compiler they are the same size.
+		// This allows the loop to run without bounds checks.
+		a := dst[d : d+length]
+		b := dst[d-offset:]
+		b = b[:len(a)]
+		for i := range a {
+			a[i] = b[i]
+		}
+		d += length
+	}
+	if d != len(dst) {
+		return decodeErrCodeCorrupt
+	}
+	return 0
+}
diff --git a/vendor/github.com/klauspost/compress/internal/snapref/encode.go b/vendor/github.com/klauspost/compress/internal/snapref/encode.go
new file mode 100644
index 0000000000..13c6040a5d
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/snapref/encode.go
@@ -0,0 +1,289 @@
+// Copyright 2011 The Snappy-Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package snapref
+
+import (
+	"encoding/binary"
+	"errors"
+	"io"
+)
+
+// Encode returns the encoded form of src. The returned slice may be a sub-
+// slice of dst if dst was large enough to hold the entire encoded block.
+// Otherwise, a newly allocated slice will be returned.
+//
+// The dst and src must not overlap. It is valid to pass a nil dst.
+//
+// Encode handles the Snappy block format, not the Snappy stream format.
+func Encode(dst, src []byte) []byte {
+	if n := MaxEncodedLen(len(src)); n < 0 {
+		panic(ErrTooLarge)
+	} else if len(dst) < n {
+		dst = make([]byte, n)
+	}
+
+	// The block starts with the varint-encoded length of the decompressed bytes.
+	d := binary.PutUvarint(dst, uint64(len(src)))
+
+	for len(src) > 0 {
+		p := src
+		src = nil
+		if len(p) > maxBlockSize {
+			p, src = p[:maxBlockSize], p[maxBlockSize:]
+		}
+		if len(p) < minNonLiteralBlockSize {
+			d += emitLiteral(dst[d:], p)
+		} else {
+			d += encodeBlock(dst[d:], p)
+		}
+	}
+	return dst[:d]
+}
+
+// inputMargin is the minimum number of extra input bytes to keep, inside
+// encodeBlock's inner loop. On some architectures, this margin lets us
+// implement a fast path for emitLiteral, where the copy of short (<= 16 byte)
+// literals can be implemented as a single load to and store from a 16-byte
+// register. That literal's actual length can be as short as 1 byte, so this
+// can copy up to 15 bytes too much, but that's OK as subsequent iterations of
+// the encoding loop will fix up the copy overrun, and this inputMargin ensures
+// that we don't overrun the dst and src buffers.
+const inputMargin = 16 - 1
+
+// minNonLiteralBlockSize is the minimum size of the input to encodeBlock that
+// could be encoded with a copy tag. This is the minimum with respect to the
+// algorithm used by encodeBlock, not a minimum enforced by the file format.
+//
+// The encoded output must start with at least a 1 byte literal, as there are
+// no previous bytes to copy. A minimal (1 byte) copy after that, generated
+// from an emitCopy call in encodeBlock's main loop, would require at least
+// another inputMargin bytes, for the reason above: we want any emitLiteral
+// calls inside encodeBlock's main loop to use the fast path if possible, which
+// requires being able to overrun by inputMargin bytes. Thus,
+// minNonLiteralBlockSize equals 1 + 1 + inputMargin.
+//
+// The C++ code doesn't use this exact threshold, but it could, as discussed at
+// https://groups.google.com/d/topic/snappy-compression/oGbhsdIJSJ8/discussion
+// The difference between Go (2+inputMargin) and C++ (inputMargin) is purely an
+// optimization. It should not affect the encoded form. This is tested by
+// TestSameEncodingAsCppShortCopies.
+const minNonLiteralBlockSize = 1 + 1 + inputMargin
+
+// MaxEncodedLen returns the maximum length of a snappy block, given its
+// uncompressed length.
+//
+// It will return a negative value if srcLen is too large to encode.
+func MaxEncodedLen(srcLen int) int {
+	n := uint64(srcLen)
+	if n > 0xffffffff {
+		return -1
+	}
+	// Compressed data can be defined as:
+	//    compressed := item* literal*
+	//    item       := literal* copy
+	//
+	// The trailing literal sequence has a space blowup of at most 62/60
+	// since a literal of length 60 needs one tag byte + one extra byte
+	// for length information.
+	//
+	// Item blowup is trickier to measure. Suppose the "copy" op copies
+	// 4 bytes of data. Because of a special check in the encoding code,
+	// we produce a 4-byte copy only if the offset is < 65536. Therefore
+	// the copy op takes 3 bytes to encode, and this type of item leads
+	// to at most the 62/60 blowup for representing literals.
+	//
+	// Suppose the "copy" op copies 5 bytes of data. If the offset is big
+	// enough, it will take 5 bytes to encode the copy op. Therefore the
+	// worst case here is a one-byte literal followed by a five-byte copy.
+	// That is, 6 bytes of input turn into 7 bytes of "compressed" data.
+	//
+	// This last factor dominates the blowup, so the final estimate is:
+	n = 32 + n + n/6
+	if n > 0xffffffff {
+		return -1
+	}
+	return int(n)
+}
+
+var errClosed = errors.New("snappy: Writer is closed")
+
+// NewWriter returns a new Writer that compresses to w.
+//
+// The Writer returned does not buffer writes. There is no need to Flush or
+// Close such a Writer.
+//
+// Deprecated: the Writer returned is not suitable for many small writes, only
+// for few large writes. Use NewBufferedWriter instead, which is efficient
+// regardless of the frequency and shape of the writes, and remember to Close
+// that Writer when done.
+func NewWriter(w io.Writer) *Writer {
+	return &Writer{
+		w:    w,
+		obuf: make([]byte, obufLen),
+	}
+}
+
+// NewBufferedWriter returns a new Writer that compresses to w, using the
+// framing format described at
+// https://github.com/google/snappy/blob/master/framing_format.txt
+//
+// The Writer returned buffers writes. Users must call Close to guarantee all
+// data has been forwarded to the underlying io.Writer. They may also call
+// Flush zero or more times before calling Close.
+func NewBufferedWriter(w io.Writer) *Writer {
+	return &Writer{
+		w:    w,
+		ibuf: make([]byte, 0, maxBlockSize),
+		obuf: make([]byte, obufLen),
+	}
+}
+
+// Writer is an io.Writer that can write Snappy-compressed bytes.
+//
+// Writer handles the Snappy stream format, not the Snappy block format.
+type Writer struct {
+	w   io.Writer
+	err error
+
+	// ibuf is a buffer for the incoming (uncompressed) bytes.
+	//
+	// Its use is optional. For backwards compatibility, Writers created by the
+	// NewWriter function have ibuf == nil, do not buffer incoming bytes, and
+	// therefore do not need to be Flush'ed or Close'd.
+	ibuf []byte
+
+	// obuf is a buffer for the outgoing (compressed) bytes.
+	obuf []byte
+
+	// wroteStreamHeader is whether we have written the stream header.
+	wroteStreamHeader bool
+}
+
+// Reset discards the writer's state and switches the Snappy writer to write to
+// w. This permits reusing a Writer rather than allocating a new one.
+func (w *Writer) Reset(writer io.Writer) {
+	w.w = writer
+	w.err = nil
+	if w.ibuf != nil {
+		w.ibuf = w.ibuf[:0]
+	}
+	w.wroteStreamHeader = false
+}
+
+// Write satisfies the io.Writer interface.
+func (w *Writer) Write(p []byte) (nRet int, errRet error) {
+	if w.ibuf == nil {
+		// Do not buffer incoming bytes. This does not perform or compress well
+		// if the caller of Writer.Write writes many small slices. This
+		// behavior is therefore deprecated, but still supported for backwards
+		// compatibility with code that doesn't explicitly Flush or Close.
+		return w.write(p)
+	}
+
+	// The remainder of this method is based on bufio.Writer.Write from the
+	// standard library.
+
+	for len(p) > (cap(w.ibuf)-len(w.ibuf)) && w.err == nil {
+		var n int
+		if len(w.ibuf) == 0 {
+			// Large write, empty buffer.
+			// Write directly from p to avoid copy.
+			n, _ = w.write(p)
+		} else {
+			n = copy(w.ibuf[len(w.ibuf):cap(w.ibuf)], p)
+			w.ibuf = w.ibuf[:len(w.ibuf)+n]
+			w.Flush()
+		}
+		nRet += n
+		p = p[n:]
+	}
+	if w.err != nil {
+		return nRet, w.err
+	}
+	n := copy(w.ibuf[len(w.ibuf):cap(w.ibuf)], p)
+	w.ibuf = w.ibuf[:len(w.ibuf)+n]
+	nRet += n
+	return nRet, nil
+}
+
+func (w *Writer) write(p []byte) (nRet int, errRet error) {
+	if w.err != nil {
+		return 0, w.err
+	}
+	for len(p) > 0 {
+		obufStart := len(magicChunk)
+		if !w.wroteStreamHeader {
+			w.wroteStreamHeader = true
+			copy(w.obuf, magicChunk)
+			obufStart = 0
+		}
+
+		var uncompressed []byte
+		if len(p) > maxBlockSize {
+			uncompressed, p = p[:maxBlockSize], p[maxBlockSize:]
+		} else {
+			uncompressed, p = p, nil
+		}
+		checksum := crc(uncompressed)
+
+		// Compress the buffer, discarding the result if the improvement
+		// isn't at least 12.5%.
+		compressed := Encode(w.obuf[obufHeaderLen:], uncompressed)
+		chunkType := uint8(chunkTypeCompressedData)
+		chunkLen := 4 + len(compressed)
+		obufEnd := obufHeaderLen + len(compressed)
+		if len(compressed) >= len(uncompressed)-len(uncompressed)/8 {
+			chunkType = chunkTypeUncompressedData
+			chunkLen = 4 + len(uncompressed)
+			obufEnd = obufHeaderLen
+		}
+
+		// Fill in the per-chunk header that comes before the body.
+		w.obuf[len(magicChunk)+0] = chunkType
+		w.obuf[len(magicChunk)+1] = uint8(chunkLen >> 0)
+		w.obuf[len(magicChunk)+2] = uint8(chunkLen >> 8)
+		w.obuf[len(magicChunk)+3] = uint8(chunkLen >> 16)
+		w.obuf[len(magicChunk)+4] = uint8(checksum >> 0)
+		w.obuf[len(magicChunk)+5] = uint8(checksum >> 8)
+		w.obuf[len(magicChunk)+6] = uint8(checksum >> 16)
+		w.obuf[len(magicChunk)+7] = uint8(checksum >> 24)
+
+		if _, err := w.w.Write(w.obuf[obufStart:obufEnd]); err != nil {
+			w.err = err
+			return nRet, err
+		}
+		if chunkType == chunkTypeUncompressedData {
+			if _, err := w.w.Write(uncompressed); err != nil {
+				w.err = err
+				return nRet, err
+			}
+		}
+		nRet += len(uncompressed)
+	}
+	return nRet, nil
+}
+
+// Flush flushes the Writer to its underlying io.Writer.
+func (w *Writer) Flush() error {
+	if w.err != nil {
+		return w.err
+	}
+	if len(w.ibuf) == 0 {
+		return nil
+	}
+	w.write(w.ibuf)
+	w.ibuf = w.ibuf[:0]
+	return w.err
+}
+
+// Close calls Flush and then closes the Writer.
+func (w *Writer) Close() error {
+	w.Flush()
+	ret := w.err
+	if w.err == nil {
+		w.err = errClosed
+	}
+	return ret
+}
diff --git a/vendor/github.com/klauspost/compress/internal/snapref/encode_other.go b/vendor/github.com/klauspost/compress/internal/snapref/encode_other.go
new file mode 100644
index 0000000000..2754bac6f1
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/snapref/encode_other.go
@@ -0,0 +1,250 @@
+// Copyright 2016 The Snappy-Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package snapref
+
+func load32(b []byte, i int) uint32 {
+	b = b[i : i+4 : len(b)] // Help the compiler eliminate bounds checks on the next line.
+	return uint32(b[0]) | uint32(b[1])<<8 | uint32(b[2])<<16 | uint32(b[3])<<24
+}
+
+func load64(b []byte, i int) uint64 {
+	b = b[i : i+8 : len(b)] // Help the compiler eliminate bounds checks on the next line.
+	return uint64(b[0]) | uint64(b[1])<<8 | uint64(b[2])<<16 | uint64(b[3])<<24 |
+		uint64(b[4])<<32 | uint64(b[5])<<40 | uint64(b[6])<<48 | uint64(b[7])<<56
+}
+
+// emitLiteral writes a literal chunk and returns the number of bytes written.
+//
+// It assumes that:
+//
+//	dst is long enough to hold the encoded bytes
+//	1 <= len(lit) && len(lit) <= 65536
+func emitLiteral(dst, lit []byte) int {
+	i, n := 0, uint(len(lit)-1)
+	switch {
+	case n < 60:
+		dst[0] = uint8(n)<<2 | tagLiteral
+		i = 1
+	case n < 1<<8:
+		dst[0] = 60<<2 | tagLiteral
+		dst[1] = uint8(n)
+		i = 2
+	default:
+		dst[0] = 61<<2 | tagLiteral
+		dst[1] = uint8(n)
+		dst[2] = uint8(n >> 8)
+		i = 3
+	}
+	return i + copy(dst[i:], lit)
+}
+
+// emitCopy writes a copy chunk and returns the number of bytes written.
+//
+// It assumes that:
+//
+//	dst is long enough to hold the encoded bytes
+//	1 <= offset && offset <= 65535
+//	4 <= length && length <= 65535
+func emitCopy(dst []byte, offset, length int) int {
+	i := 0
+	// The maximum length for a single tagCopy1 or tagCopy2 op is 64 bytes. The
+	// threshold for this loop is a little higher (at 68 = 64 + 4), and the
+	// length emitted down below is a little lower (at 60 = 64 - 4), because
+	// it's shorter to encode a length 67 copy as a length 60 tagCopy2 followed
+	// by a length 7 tagCopy1 (which encodes as 3+2 bytes) than to encode it as
+	// a length 64 tagCopy2 followed by a length 3 tagCopy2 (which encodes as
+	// 3+3 bytes). The magic 4 in the 64±4 is because the minimum length for a
+	// tagCopy1 op is 4 bytes, which is why a length 3 copy has to be an
+	// encodes-as-3-bytes tagCopy2 instead of an encodes-as-2-bytes tagCopy1.
+	for length >= 68 {
+		// Emit a length 64 copy, encoded as 3 bytes.
+		dst[i+0] = 63<<2 | tagCopy2
+		dst[i+1] = uint8(offset)
+		dst[i+2] = uint8(offset >> 8)
+		i += 3
+		length -= 64
+	}
+	if length > 64 {
+		// Emit a length 60 copy, encoded as 3 bytes.
+		dst[i+0] = 59<<2 | tagCopy2
+		dst[i+1] = uint8(offset)
+		dst[i+2] = uint8(offset >> 8)
+		i += 3
+		length -= 60
+	}
+	if length >= 12 || offset >= 2048 {
+		// Emit the remaining copy, encoded as 3 bytes.
+		dst[i+0] = uint8(length-1)<<2 | tagCopy2
+		dst[i+1] = uint8(offset)
+		dst[i+2] = uint8(offset >> 8)
+		return i + 3
+	}
+	// Emit the remaining copy, encoded as 2 bytes.
+	dst[i+0] = uint8(offset>>8)<<5 | uint8(length-4)<<2 | tagCopy1
+	dst[i+1] = uint8(offset)
+	return i + 2
+}
+
+func hash(u, shift uint32) uint32 {
+	return (u * 0x1e35a7bd) >> shift
+}
+
+// EncodeBlockInto exposes encodeBlock but checks dst size.
+func EncodeBlockInto(dst, src []byte) (d int) {
+	if MaxEncodedLen(len(src)) > len(dst) {
+		return 0
+	}
+
+	// encodeBlock breaks on too big blocks, so split.
+	for len(src) > 0 {
+		p := src
+		src = nil
+		if len(p) > maxBlockSize {
+			p, src = p[:maxBlockSize], p[maxBlockSize:]
+		}
+		if len(p) < minNonLiteralBlockSize {
+			d += emitLiteral(dst[d:], p)
+		} else {
+			d += encodeBlock(dst[d:], p)
+		}
+	}
+	return d
+}
+
+// encodeBlock encodes a non-empty src to a guaranteed-large-enough dst. It
+// assumes that the varint-encoded length of the decompressed bytes has already
+// been written.
+//
+// It also assumes that:
+//
+//	len(dst) >= MaxEncodedLen(len(src)) &&
+//	minNonLiteralBlockSize <= len(src) && len(src) <= maxBlockSize
+func encodeBlock(dst, src []byte) (d int) {
+	// Initialize the hash table. Its size ranges from 1<<8 to 1<<14 inclusive.
+	// The table element type is uint16, as s < sLimit and sLimit < len(src)
+	// and len(src) <= maxBlockSize and maxBlockSize == 65536.
+	const (
+		maxTableSize = 1 << 14
+		// tableMask is redundant, but helps the compiler eliminate bounds
+		// checks.
+		tableMask = maxTableSize - 1
+	)
+	shift := uint32(32 - 8)
+	for tableSize := 1 << 8; tableSize < maxTableSize && tableSize < len(src); tableSize *= 2 {
+		shift--
+	}
+	// In Go, all array elements are zero-initialized, so there is no advantage
+	// to a smaller tableSize per se. However, it matches the C++ algorithm,
+	// and in the asm versions of this code, we can get away with zeroing only
+	// the first tableSize elements.
+	var table [maxTableSize]uint16
+
+	// sLimit is when to stop looking for offset/length copies. The inputMargin
+	// lets us use a fast path for emitLiteral in the main loop, while we are
+	// looking for copies.
+	sLimit := len(src) - inputMargin
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := 0
+
+	// The encoded form must start with a literal, as there are no previous
+	// bytes to copy, so we start looking for hash matches at s == 1.
+	s := 1
+	nextHash := hash(load32(src, s), shift)
+
+	for {
+		// Copied from the C++ snappy implementation:
+		//
+		// Heuristic match skipping: If 32 bytes are scanned with no matches
+		// found, start looking only at every other byte. If 32 more bytes are
+		// scanned (or skipped), look at every third byte, etc.. When a match
+		// is found, immediately go back to looking at every byte. This is a
+		// small loss (~5% performance, ~0.1% density) for compressible data
+		// due to more bookkeeping, but for non-compressible data (such as
+		// JPEG) it's a huge win since the compressor quickly "realizes" the
+		// data is incompressible and doesn't bother looking for matches
+		// everywhere.
+		//
+		// The "skip" variable keeps track of how many bytes there are since
+		// the last match; dividing it by 32 (ie. right-shifting by five) gives
+		// the number of bytes to move ahead for each iteration.
+		skip := 32
+
+		nextS := s
+		candidate := 0
+		for {
+			s = nextS
+			bytesBetweenHashLookups := skip >> 5
+			nextS = s + bytesBetweenHashLookups
+			skip += bytesBetweenHashLookups
+			if nextS > sLimit {
+				goto emitRemainder
+			}
+			candidate = int(table[nextHash&tableMask])
+			table[nextHash&tableMask] = uint16(s)
+			nextHash = hash(load32(src, nextS), shift)
+			if load32(src, s) == load32(src, candidate) {
+				break
+			}
+		}
+
+		// A 4-byte match has been found. We'll later see if more than 4 bytes
+		// match. But, prior to the match, src[nextEmit:s] are unmatched. Emit
+		// them as literal bytes.
+		d += emitLiteral(dst[d:], src[nextEmit:s])
+
+		// Call emitCopy, and then see if another emitCopy could be our next
+		// move. Repeat until we find no match for the input immediately after
+		// what was consumed by the last emitCopy call.
+		//
+		// If we exit this loop normally then we need to call emitLiteral next,
+		// though we don't yet know how big the literal will be. We handle that
+		// by proceeding to the next iteration of the main loop. We also can
+		// exit this loop via goto if we get close to exhausting the input.
+		for {
+			// Invariant: we have a 4-byte match at s, and no need to emit any
+			// literal bytes prior to s.
+			base := s
+
+			// Extend the 4-byte match as long as possible.
+			//
+			// This is an inlined version of:
+			//	s = extendMatch(src, candidate+4, s+4)
+			s += 4
+			for i := candidate + 4; s < len(src) && src[i] == src[s]; i, s = i+1, s+1 {
+			}
+
+			d += emitCopy(dst[d:], base-candidate, s-base)
+			nextEmit = s
+			if s >= sLimit {
+				goto emitRemainder
+			}
+
+			// We could immediately start working at s now, but to improve
+			// compression we first update the hash table at s-1 and at s. If
+			// another emitCopy is not our next move, also calculate nextHash
+			// at s+1. At least on GOARCH=amd64, these three hash calculations
+			// are faster as one load64 call (with some shifts) instead of
+			// three load32 calls.
+			x := load64(src, s-1)
+			prevHash := hash(uint32(x>>0), shift)
+			table[prevHash&tableMask] = uint16(s - 1)
+			currHash := hash(uint32(x>>8), shift)
+			candidate = int(table[currHash&tableMask])
+			table[currHash&tableMask] = uint16(s)
+			if uint32(x>>8) != load32(src, candidate) {
+				nextHash = hash(uint32(x>>16), shift)
+				s++
+				break
+			}
+		}
+	}
+
+emitRemainder:
+	if nextEmit < len(src) {
+		d += emitLiteral(dst[d:], src[nextEmit:])
+	}
+	return d
+}
diff --git a/vendor/github.com/klauspost/compress/internal/snapref/snappy.go b/vendor/github.com/klauspost/compress/internal/snapref/snappy.go
new file mode 100644
index 0000000000..34d01f4aa6
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/internal/snapref/snappy.go
@@ -0,0 +1,98 @@
+// Copyright 2011 The Snappy-Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package snapref implements the Snappy compression format. It aims for very
+// high speeds and reasonable compression.
+//
+// There are actually two Snappy formats: block and stream. They are related,
+// but different: trying to decompress block-compressed data as a Snappy stream
+// will fail, and vice versa. The block format is the Decode and Encode
+// functions and the stream format is the Reader and Writer types.
+//
+// The block format, the more common case, is used when the complete size (the
+// number of bytes) of the original data is known upfront, at the time
+// compression starts. The stream format, also known as the framing format, is
+// for when that isn't always true.
+//
+// The canonical, C++ implementation is at https://github.com/google/snappy and
+// it only implements the block format.
+package snapref
+
+import (
+	"hash/crc32"
+)
+
+/*
+Each encoded block begins with the varint-encoded length of the decoded data,
+followed by a sequence of chunks. Chunks begin and end on byte boundaries. The
+first byte of each chunk is broken into its 2 least and 6 most significant bits
+called l and m: l ranges in [0, 4) and m ranges in [0, 64). l is the chunk tag.
+Zero means a literal tag. All other values mean a copy tag.
+
+For literal tags:
+  - If m < 60, the next 1 + m bytes are literal bytes.
+  - Otherwise, let n be the little-endian unsigned integer denoted by the next
+    m - 59 bytes. The next 1 + n bytes after that are literal bytes.
+
+For copy tags, length bytes are copied from offset bytes ago, in the style of
+Lempel-Ziv compression algorithms. In particular:
+  - For l == 1, the offset ranges in [0, 1<<11) and the length in [4, 12).
+    The length is 4 + the low 3 bits of m. The high 3 bits of m form bits 8-10
+    of the offset. The next byte is bits 0-7 of the offset.
+  - For l == 2, the offset ranges in [0, 1<<16) and the length in [1, 65).
+    The length is 1 + m. The offset is the little-endian unsigned integer
+    denoted by the next 2 bytes.
+  - For l == 3, this tag is a legacy format that is no longer issued by most
+    encoders. Nonetheless, the offset ranges in [0, 1<<32) and the length in
+    [1, 65). The length is 1 + m. The offset is the little-endian unsigned
+    integer denoted by the next 4 bytes.
+*/
+const (
+	tagLiteral = 0x00
+	tagCopy1   = 0x01
+	tagCopy2   = 0x02
+	tagCopy4   = 0x03
+)
+
+const (
+	checksumSize    = 4
+	chunkHeaderSize = 4
+	magicChunk      = "\xff\x06\x00\x00" + magicBody
+	magicBody       = "sNaPpY"
+
+	// maxBlockSize is the maximum size of the input to encodeBlock. It is not
+	// part of the wire format per se, but some parts of the encoder assume
+	// that an offset fits into a uint16.
+	//
+	// Also, for the framing format (Writer type instead of Encode function),
+	// https://github.com/google/snappy/blob/master/framing_format.txt says
+	// that "the uncompressed data in a chunk must be no longer than 65536
+	// bytes".
+	maxBlockSize = 65536
+
+	// maxEncodedLenOfMaxBlockSize equals MaxEncodedLen(maxBlockSize), but is
+	// hard coded to be a const instead of a variable, so that obufLen can also
+	// be a const. Their equivalence is confirmed by
+	// TestMaxEncodedLenOfMaxBlockSize.
+	maxEncodedLenOfMaxBlockSize = 76490
+
+	obufHeaderLen = len(magicChunk) + checksumSize + chunkHeaderSize
+	obufLen       = obufHeaderLen + maxEncodedLenOfMaxBlockSize
+)
+
+const (
+	chunkTypeCompressedData   = 0x00
+	chunkTypeUncompressedData = 0x01
+	chunkTypePadding          = 0xfe
+	chunkTypeStreamIdentifier = 0xff
+)
+
+var crcTable = crc32.MakeTable(crc32.Castagnoli)
+
+// crc implements the checksum specified in section 3 of
+// https://github.com/google/snappy/blob/master/framing_format.txt
+func crc(b []byte) uint32 {
+	c := crc32.Update(0, crcTable, b)
+	return uint32(c>>15|c<<17) + 0xa282ead8
+}
diff --git a/vendor/github.com/klauspost/compress/s2sx.mod b/vendor/github.com/klauspost/compress/s2sx.mod
new file mode 100644
index 0000000000..81bda5e294
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/s2sx.mod
@@ -0,0 +1,3 @@
+module github.com/klauspost/compress
+
+go 1.22
diff --git a/vendor/github.com/klauspost/compress/s2sx.sum b/vendor/github.com/klauspost/compress/s2sx.sum
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/vendor/github.com/klauspost/compress/zstd/README.md b/vendor/github.com/klauspost/compress/zstd/README.md
new file mode 100644
index 0000000000..c11d7fa28e
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/README.md
@@ -0,0 +1,441 @@
+# zstd 
+
+[Zstandard](https://facebook.github.io/zstd/) is a real-time compression algorithm, providing high compression ratios. 
+It offers a very wide range of compression / speed trade-off, while being backed by a very fast decoder.
+A high performance compression algorithm is implemented. For now focused on speed. 
+
+This package provides [compression](#Compressor) to and [decompression](#Decompressor) of Zstandard content. 
+
+This package is pure Go. Use `noasm` and `nounsafe` to disable relevant features.
+
+The `zstd` package is provided as open source software using a Go standard license.
+
+Currently the package is heavily optimized for 64 bit processors and will be significantly slower on 32 bit processors.
+
+For seekable zstd streams, see [this excellent package](https://github.com/SaveTheRbtz/zstd-seekable-format-go).
+
+## Installation
+
+Install using `go get -u github.com/klauspost/compress`. The package is located in `github.com/klauspost/compress/zstd`.
+
+[![Go Reference](https://pkg.go.dev/badge/github.com/klauspost/compress/zstd.svg)](https://pkg.go.dev/github.com/klauspost/compress/zstd)
+
+## Compressor
+
+### Status: 
+
+STABLE - there may always be subtle bugs, a wide variety of content has been tested and the library is actively 
+used by several projects. This library is being [fuzz-tested](https://github.com/klauspost/compress-fuzz) for all updates.
+
+There may still be specific combinations of data types/size/settings that could lead to edge cases, 
+so as always, testing is recommended.  
+
+For now, a high speed (fastest) and medium-fast (default) compressor has been implemented. 
+
+* The "Fastest" compression ratio is roughly equivalent to zstd level 1. 
+* The "Default" compression ratio is roughly equivalent to zstd level 3 (default).
+* The "Better" compression ratio is roughly equivalent to zstd level 7.
+* The "Best" compression ratio is roughly equivalent to zstd level 11.
+
+In terms of speed, it is typically 2x as fast as the stdlib deflate/gzip in its fastest mode. 
+The compression ratio compared to stdlib is around level 3, but usually 3x as fast.
+
+ 
+### Usage
+
+An Encoder can be used for either compressing a stream via the
+`io.WriteCloser` interface supported by the Encoder or as multiple independent
+tasks via the `EncodeAll` function.
+Smaller encodes are encouraged to use the EncodeAll function.
+Use `NewWriter` to create a new instance that can be used for both.
+
+To create a writer with default options, do like this:
+
+```Go
+// Compress input to output.
+func Compress(in io.Reader, out io.Writer) error {
+    enc, err := zstd.NewWriter(out)
+    if err != nil {
+        return err
+    }
+    _, err = io.Copy(enc, in)
+    if err != nil {
+        enc.Close()
+        return err
+    }
+    return enc.Close()
+}
+```
+
+Now you can encode by writing data to `enc`. The output will be finished writing when `Close()` is called.
+Even if your encode fails, you should still call `Close()` to release any resources that may be held up.  
+
+The above is fine for big encodes. However, whenever possible try to *reuse* the writer.
+
+To reuse the encoder, you can use the `Reset(io.Writer)` function to change to another output. 
+This will allow the encoder to reuse all resources and avoid wasteful allocations. 
+
+Currently stream encoding has 'light' concurrency, meaning up to 2 goroutines can be working on part 
+of a stream. This is independent of the `WithEncoderConcurrency(n)`, but that is likely to change 
+in the future. So if you want to limit concurrency for future updates, specify the concurrency
+you would like.
+
+If you would like stream encoding to be done without spawning async goroutines, use `WithEncoderConcurrency(1)`
+which will compress input as each block is completed, blocking on writes until each has completed.
+
+You can specify your desired compression level using `WithEncoderLevel()` option. Currently only pre-defined 
+compression settings can be specified.
+
+#### Future Compatibility Guarantees
+
+This will be an evolving project. When using this package it is important to note that both the compression efficiency and speed may change.
+
+The goal will be to keep the default efficiency at the default zstd (level 3). 
+However the encoding should never be assumed to remain the same, 
+and you should not use hashes of compressed output for similarity checks.
+
+The Encoder can be assumed to produce the same output from the exact same code version.
+However, the may be modes in the future that break this, 
+although they will not be enabled without an explicit option.   
+
+This encoder is not designed to (and will probably never) output the exact same bitstream as the reference encoder.
+
+Also note, that the cgo decompressor currently does not [report all errors on invalid input](https://github.com/DataDog/zstd/issues/59),
+[omits error checks](https://github.com/DataDog/zstd/issues/61), [ignores checksums](https://github.com/DataDog/zstd/issues/43) 
+and seems to ignore concatenated streams, even though [it is part of the spec](https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#frames).
+
+#### Blocks
+
+For compressing small blocks, the returned encoder has a function called `EncodeAll(src, dst []byte) []byte`.
+
+`EncodeAll` will encode all input in src and append it to dst.
+This function can be called concurrently. 
+Each call will only run on a same goroutine as the caller.
+
+Encoded blocks can be concatenated and the result will be the combined input stream.
+Data compressed with EncodeAll can be decoded with the Decoder, using either a stream or `DecodeAll`.
+
+Especially when encoding blocks you should take special care to reuse the encoder. 
+This will effectively make it run without allocations after a warmup period. 
+To make it run completely without allocations, supply a destination buffer with space for all content.   
+
+```Go
+import "github.com/klauspost/compress/zstd"
+
+// Create a writer that caches compressors.
+// For this operation type we supply a nil Reader.
+var encoder, _ = zstd.NewWriter(nil)
+
+// Compress a buffer. 
+// If you have a destination buffer, the allocation in the call can also be eliminated.
+func Compress(src []byte) []byte {
+    return encoder.EncodeAll(src, make([]byte, 0, len(src)))
+} 
+```
+
+You can control the maximum number of concurrent encodes using the `WithEncoderConcurrency(n)` 
+option when creating the writer.
+
+Using the Encoder for both a stream and individual blocks concurrently is safe. 
+
+### Performance
+
+I have collected some speed examples to compare speed and compression against other compressors.
+
+* `file` is the input file.
+* `out` is the compressor used. `zskp` is this package. `zstd` is the Datadog cgo library. `gzstd/gzkp` is gzip standard and this library.
+* `level` is the compression level used. For `zskp` level 1 is "fastest", level 2 is "default"; 3 is "better", 4 is "best".
+* `insize`/`outsize` is the input/output size.
+* `millis` is the number of milliseconds used for compression.
+* `mb/s` is megabytes (2^20 bytes) per second.
+
+```
+Silesia Corpus:
+http://sun.aei.polsl.pl/~sdeor/corpus/silesia.zip
+
+This package:
+file    out     level   insize      outsize     millis  mb/s
+silesia.tar zskp    1   211947520   73821326    634     318.47
+silesia.tar zskp    2   211947520   67655404    1508    133.96
+silesia.tar zskp    3   211947520   64746933    3000    67.37
+silesia.tar zskp    4   211947520   60073508    16926   11.94
+
+cgo zstd:
+silesia.tar zstd    1   211947520   73605392    543     371.56
+silesia.tar zstd    3   211947520   66793289    864     233.68
+silesia.tar zstd    6   211947520   62916450    1913    105.66
+silesia.tar zstd    9   211947520   60212393    5063    39.92
+
+gzip, stdlib/this package:
+silesia.tar gzstd   1   211947520   80007735    1498    134.87
+silesia.tar gzkp    1   211947520   80088272    1009    200.31
+
+GOB stream of binary data. Highly compressible.
+https://files.klauspost.com/compress/gob-stream.7z
+
+file        out     level   insize  outsize     millis  mb/s
+gob-stream  zskp    1   1911399616  233948096   3230    564.34
+gob-stream  zskp    2   1911399616  203997694   4997    364.73
+gob-stream  zskp    3   1911399616  173526523   13435   135.68
+gob-stream  zskp    4   1911399616  162195235   47559   38.33
+
+gob-stream  zstd    1   1911399616  249810424   2637    691.26
+gob-stream  zstd    3   1911399616  208192146   3490    522.31
+gob-stream  zstd    6   1911399616  193632038   6687    272.56
+gob-stream  zstd    9   1911399616  177620386   16175   112.70
+
+gob-stream  gzstd   1   1911399616  357382013   9046    201.49
+gob-stream  gzkp    1   1911399616  359136669   4885    373.08
+
+The test data for the Large Text Compression Benchmark is the first
+10^9 bytes of the English Wikipedia dump on Mar. 3, 2006.
+http://mattmahoney.net/dc/textdata.html
+
+file    out level   insize      outsize     millis  mb/s
+enwik9  zskp    1   1000000000  343833605   3687    258.64
+enwik9  zskp    2   1000000000  317001237   7672    124.29
+enwik9  zskp    3   1000000000  291915823   15923   59.89
+enwik9  zskp    4   1000000000  261710291   77697   12.27
+
+enwik9  zstd    1   1000000000  358072021   3110    306.65
+enwik9  zstd    3   1000000000  313734672   4784    199.35
+enwik9  zstd    6   1000000000  295138875   10290   92.68
+enwik9  zstd    9   1000000000  278348700   28549   33.40
+
+enwik9  gzstd   1   1000000000  382578136   8608    110.78
+enwik9  gzkp    1   1000000000  382781160   5628    169.45
+
+Highly compressible JSON file.
+https://files.klauspost.com/compress/github-june-2days-2019.json.zst
+
+file                        out level   insize      outsize     millis  mb/s
+github-june-2days-2019.json zskp    1   6273951764  697439532   9789    611.17
+github-june-2days-2019.json zskp    2   6273951764  610876538   18553   322.49
+github-june-2days-2019.json zskp    3   6273951764  517662858   44186   135.41
+github-june-2days-2019.json zskp    4   6273951764  464617114   165373  36.18
+
+github-june-2days-2019.json zstd    1   6273951764  766284037   8450    708.00
+github-june-2days-2019.json zstd    3   6273951764  661889476   10927   547.57
+github-june-2days-2019.json zstd    6   6273951764  642756859   22996   260.18
+github-june-2days-2019.json zstd    9   6273951764  601974523   52413   114.16
+
+github-june-2days-2019.json gzstd   1   6273951764  1164397768  26793   223.32
+github-june-2days-2019.json gzkp    1   6273951764  1120631856  17693   338.16
+
+VM Image, Linux mint with a few installed applications:
+https://files.klauspost.com/compress/rawstudio-mint14.7z
+
+file                    out level   insize      outsize     millis  mb/s
+rawstudio-mint14.tar    zskp    1   8558382592  3718400221  18206   448.29
+rawstudio-mint14.tar    zskp    2   8558382592  3326118337  37074   220.15
+rawstudio-mint14.tar    zskp    3   8558382592  3163842361  87306   93.49
+rawstudio-mint14.tar    zskp    4   8558382592  2970480650  783862  10.41
+
+rawstudio-mint14.tar    zstd    1   8558382592  3609250104  17136   476.27
+rawstudio-mint14.tar    zstd    3   8558382592  3341679997  29262   278.92
+rawstudio-mint14.tar    zstd    6   8558382592  3235846406  77904   104.77
+rawstudio-mint14.tar    zstd    9   8558382592  3160778861  140946  57.91
+
+rawstudio-mint14.tar    gzstd   1   8558382592  3926234992  51345   158.96
+rawstudio-mint14.tar    gzkp    1   8558382592  3960117298  36722   222.26
+
+CSV data:
+https://files.klauspost.com/compress/nyc-taxi-data-10M.csv.zst
+
+file                    out level   insize      outsize     millis  mb/s
+nyc-taxi-data-10M.csv   zskp    1   3325605752  641319332   9462    335.17
+nyc-taxi-data-10M.csv   zskp    2   3325605752  588976126   17570   180.50
+nyc-taxi-data-10M.csv   zskp    3   3325605752  529329260   32432   97.79
+nyc-taxi-data-10M.csv   zskp    4   3325605752  474949772   138025  22.98
+
+nyc-taxi-data-10M.csv   zstd    1   3325605752  687399637   8233    385.18
+nyc-taxi-data-10M.csv   zstd    3   3325605752  598514411   10065   315.07
+nyc-taxi-data-10M.csv   zstd    6   3325605752  570522953   20038   158.27
+nyc-taxi-data-10M.csv   zstd    9   3325605752  517554797   64565   49.12
+
+nyc-taxi-data-10M.csv   gzstd   1   3325605752  928654908   21270   149.11
+nyc-taxi-data-10M.csv   gzkp    1   3325605752  922273214   13929   227.68
+```
+
+## Decompressor
+
+Status: STABLE - there may still be subtle bugs, but a wide variety of content has been tested.
+
+This library is being continuously [fuzz-tested](https://github.com/klauspost/compress-fuzz),
+kindly supplied by [fuzzit.dev](https://fuzzit.dev/). 
+The main purpose of the fuzz testing is to ensure that it is not possible to crash the decoder, 
+or run it past its limits with ANY input provided.  
+ 
+### Usage
+
+The package has been designed for two main usages, big streams of data and smaller in-memory buffers. 
+There are two main usages of the package for these. Both of them are accessed by creating a `Decoder`.
+
+For streaming use a simple setup could look like this:
+
+```Go
+import "github.com/klauspost/compress/zstd"
+
+func Decompress(in io.Reader, out io.Writer) error {
+    d, err := zstd.NewReader(in)
+    if err != nil {
+        return err
+    }
+    defer d.Close()
+    
+    // Copy content...
+    _, err = io.Copy(out, d)
+    return err
+}
+```
+
+It is important to use the "Close" function when you no longer need the Reader to stop running goroutines, 
+when running with default settings.
+Goroutines will exit once an error has been returned, including `io.EOF` at the end of a stream.
+
+Streams are decoded concurrently in 4 asynchronous stages to give the best possible throughput.
+However, if you prefer synchronous decompression, use `WithDecoderConcurrency(1)` which will decompress data 
+as it is being requested only.
+
+For decoding buffers, it could look something like this:
+
+```Go
+import "github.com/klauspost/compress/zstd"
+
+// Create a reader that caches decompressors.
+// For this operation type we supply a nil Reader.
+var decoder, _ = zstd.NewReader(nil, zstd.WithDecoderConcurrency(0))
+
+// Decompress a buffer. We don't supply a destination buffer,
+// so it will be allocated by the decoder.
+func Decompress(src []byte) ([]byte, error) {
+    return decoder.DecodeAll(src, nil)
+} 
+```
+
+Both of these cases should provide the functionality needed. 
+The decoder can be used for *concurrent* decompression of multiple buffers.
+By default 4 decompressors will be created. 
+
+It will only allow a certain number of concurrent operations to run. 
+To tweak that yourself use the `WithDecoderConcurrency(n)` option when creating the decoder.
+It is possible to use `WithDecoderConcurrency(0)` to create GOMAXPROCS decoders.
+
+### Dictionaries
+
+Data compressed with [dictionaries](https://github.com/facebook/zstd#the-case-for-small-data-compression) can be decompressed.
+
+Dictionaries are added individually to Decoders.
+Dictionaries are generated by the `zstd --train` command and contains an initial state for the decoder.
+To add a dictionary use the `WithDecoderDicts(dicts ...[]byte)` option with the dictionary data.
+Several dictionaries can be added at once.
+
+The dictionary will be used automatically for the data that specifies them.
+A re-used Decoder will still contain the dictionaries registered.
+
+When registering multiple dictionaries with the same ID, the last one will be used.
+
+It is possible to use dictionaries when compressing data.
+
+To enable a dictionary use `WithEncoderDict(dict []byte)`. Here only one dictionary will be used 
+and it will likely be used even if it doesn't improve compression. 
+
+The used dictionary must be used to decompress the content.
+
+For any real gains, the dictionary should be built with similar data. 
+If an unsuitable dictionary is used the output may be slightly larger than using no dictionary.
+Use the [zstd commandline tool](https://github.com/facebook/zstd/releases) to build a dictionary from sample data.
+For information see [zstd dictionary information](https://github.com/facebook/zstd#the-case-for-small-data-compression). 
+
+For now there is a fixed startup performance penalty for compressing content with dictionaries. 
+This will likely be improved over time. Just be aware to test performance when implementing.  
+
+### Allocation-less operation
+
+The decoder has been designed to operate without allocations after a warmup. 
+
+This means that you should *store* the decoder for best performance. 
+To re-use a stream decoder, use the `Reset(r io.Reader) error` to switch to another stream.
+A decoder can safely be re-used even if the previous stream failed.
+
+To release the resources, you must call the `Close()` function on a decoder.
+After this it can *no longer be reused*, but all running goroutines will be stopped.
+So you *must* use this if you will no longer need the Reader.
+
+For decompressing smaller buffers a single decoder can be used.
+When decoding buffers, you can supply a destination slice with length 0 and your expected capacity.
+In this case no unneeded allocations should be made. 
+
+### Concurrency
+
+The buffer decoder does everything on the same goroutine and does nothing concurrently.
+It can however decode several buffers concurrently. Use `WithDecoderConcurrency(n)` to limit that.
+
+The stream decoder will create goroutines that:
+
+1) Reads input and splits the input into blocks.
+2) Decompression of literals.
+3) Decompression of sequences.
+4) Reconstruction of output stream.
+
+So effectively this also means the decoder will "read ahead" and prepare data to always be available for output.
+
+The concurrency level will, for streams, determine how many blocks ahead the compression will start.
+
+Since "blocks" are quite dependent on the output of the previous block stream decoding will only have limited concurrency.
+
+In practice this means that concurrency is often limited to utilizing about 3 cores effectively.
+  
+### Benchmarks
+
+The first two are streaming decodes and the last are smaller inputs. 
+
+Running on AMD Ryzen 9 3950X 16-Core Processor. AMD64 assembly used.
+
+```
+BenchmarkDecoderSilesia-32    	                   5	 206878840 ns/op	1024.50 MB/s	   49808 B/op	      43 allocs/op
+BenchmarkDecoderEnwik9-32                          1	1271809000 ns/op	 786.28 MB/s	   72048 B/op	      52 allocs/op
+
+Concurrent blocks, performance:
+
+BenchmarkDecoder_DecodeAllParallel/kppkn.gtb.zst-32         	   67356	     17857 ns/op	10321.96 MB/s	        22.48 pct	     102 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/geo.protodata.zst-32     	  266656	      4421 ns/op	26823.21 MB/s	        11.89 pct	      19 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/plrabn12.txt.zst-32      	   20992	     56842 ns/op	8477.17 MB/s	        39.90 pct	     754 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/lcet10.txt.zst-32        	   27456	     43932 ns/op	9714.01 MB/s	        33.27 pct	     524 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/asyoulik.txt.zst-32      	   78432	     15047 ns/op	8319.15 MB/s	        40.34 pct	      66 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/alice29.txt.zst-32       	   65800	     18436 ns/op	8249.63 MB/s	        37.75 pct	      88 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/html_x_4.zst-32          	  102993	     11523 ns/op	35546.09 MB/s	         3.637 pct	     143 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/paper-100k.pdf.zst-32    	 1000000	      1070 ns/op	95720.98 MB/s	        80.53 pct	       3 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/fireworks.jpeg.zst-32    	  749802	      1752 ns/op	70272.35 MB/s	       100.0 pct	       5 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/urls.10K.zst-32          	   22640	     52934 ns/op	13263.37 MB/s	        26.25 pct	    1014 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/html.zst-32              	  226412	      5232 ns/op	19572.27 MB/s	        14.49 pct	      20 B/op	       0 allocs/op
+BenchmarkDecoder_DecodeAllParallel/comp-data.bin.zst-32     	  923041	      1276 ns/op	3194.71 MB/s	        31.26 pct	       0 B/op	       0 allocs/op
+```
+
+This reflects the performance around May 2022, but this may be out of date.
+
+## Zstd inside ZIP files
+
+It is possible to use zstandard to compress individual files inside zip archives.
+While this isn't widely supported it can be useful for internal files.
+
+To support the compression and decompression of these files you must register a compressor and decompressor.
+
+It is highly recommended registering the (de)compressors on individual zip Reader/Writer and NOT
+use the global registration functions. The main reason for this is that 2 registrations from 
+different packages will result in a panic.
+
+It is a good idea to only have a single compressor and decompressor, since they can be used for multiple zip
+files concurrently, and using a single instance will allow reusing some resources.
+
+See [this example](https://pkg.go.dev/github.com/klauspost/compress/zstd#example-ZipCompressor) for 
+how to compress and decompress files inside zip archives.
+
+# Contributions
+
+Contributions are always welcome. 
+For new features/fixes, remember to add tests and for performance enhancements include benchmarks.
+
+For general feedback and experience reports, feel free to open an issue or write me on [Twitter](https://twitter.com/sh0dan).
+
+This package includes the excellent [`github.com/cespare/xxhash`](https://github.com/cespare/xxhash) package Copyright (c) 2016 Caleb Spare.
diff --git a/vendor/github.com/klauspost/compress/zstd/bitreader.go b/vendor/github.com/klauspost/compress/zstd/bitreader.go
new file mode 100644
index 0000000000..d41e3e1709
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/bitreader.go
@@ -0,0 +1,135 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"math/bits"
+
+	"github.com/klauspost/compress/internal/le"
+)
+
+// bitReader reads a bitstream in reverse.
+// The last set bit indicates the start of the stream and is used
+// for aligning the input.
+type bitReader struct {
+	in       []byte
+	value    uint64 // Maybe use [16]byte, but shifting is awkward.
+	cursor   int    // offset where next read should end
+	bitsRead uint8
+}
+
+// init initializes and resets the bit reader.
+func (b *bitReader) init(in []byte) error {
+	if len(in) < 1 {
+		return errors.New("corrupt stream: too short")
+	}
+	b.in = in
+	// The highest bit of the last byte indicates where to start
+	v := in[len(in)-1]
+	if v == 0 {
+		return errors.New("corrupt stream, did not find end of stream")
+	}
+	b.cursor = len(in)
+	b.bitsRead = 64
+	b.value = 0
+	if len(in) >= 8 {
+		b.fillFastStart()
+	} else {
+		b.fill()
+		b.fill()
+	}
+	b.bitsRead += 8 - uint8(highBits(uint32(v)))
+	return nil
+}
+
+// getBits will return n bits. n can be 0.
+func (b *bitReader) getBits(n uint8) int {
+	if n == 0 /*|| b.bitsRead >= 64 */ {
+		return 0
+	}
+	return int(b.get32BitsFast(n))
+}
+
+// get32BitsFast requires that at least one bit is requested every time.
+// There are no checks if the buffer is filled.
+func (b *bitReader) get32BitsFast(n uint8) uint32 {
+	const regMask = 64 - 1
+	v := uint32((b.value << (b.bitsRead & regMask)) >> ((regMask + 1 - n) & regMask))
+	b.bitsRead += n
+	return v
+}
+
+// fillFast() will make sure at least 32 bits are available.
+// There must be at least 4 bytes available.
+func (b *bitReader) fillFast() {
+	if b.bitsRead < 32 {
+		return
+	}
+	b.cursor -= 4
+	b.value = (b.value << 32) | uint64(le.Load32(b.in, b.cursor))
+	b.bitsRead -= 32
+}
+
+// fillFastStart() assumes the bitreader is empty and there is at least 8 bytes to read.
+func (b *bitReader) fillFastStart() {
+	b.cursor -= 8
+	b.value = le.Load64(b.in, b.cursor)
+	b.bitsRead = 0
+}
+
+// fill() will make sure at least 32 bits are available.
+func (b *bitReader) fill() {
+	if b.bitsRead < 32 {
+		return
+	}
+	if b.cursor >= 4 {
+		b.cursor -= 4
+		b.value = (b.value << 32) | uint64(le.Load32(b.in, b.cursor))
+		b.bitsRead -= 32
+		return
+	}
+
+	b.bitsRead -= uint8(8 * b.cursor)
+	for b.cursor > 0 {
+		b.cursor -= 1
+		b.value = (b.value << 8) | uint64(b.in[b.cursor])
+	}
+}
+
+// finished returns true if all bits have been read from the bit stream.
+func (b *bitReader) finished() bool {
+	return b.cursor == 0 && b.bitsRead >= 64
+}
+
+// overread returns true if more bits have been requested than is on the stream.
+func (b *bitReader) overread() bool {
+	return b.bitsRead > 64
+}
+
+// remain returns the number of bits remaining.
+func (b *bitReader) remain() uint {
+	return 8*uint(b.cursor) + 64 - uint(b.bitsRead)
+}
+
+// close the bitstream and returns an error if out-of-buffer reads occurred.
+func (b *bitReader) close() error {
+	// Release reference.
+	b.in = nil
+	b.cursor = 0
+	if !b.finished() {
+		return fmt.Errorf("%d extra bits on block, should be 0", b.remain())
+	}
+	if b.bitsRead > 64 {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+
+func highBits(val uint32) (n uint32) {
+	return uint32(bits.Len32(val) - 1)
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/bitwriter.go b/vendor/github.com/klauspost/compress/zstd/bitwriter.go
new file mode 100644
index 0000000000..1952f175b0
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/bitwriter.go
@@ -0,0 +1,112 @@
+// Copyright 2018 Klaus Post. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// Based on work Copyright (c) 2013, Yann Collet, released under BSD License.
+
+package zstd
+
+// bitWriter will write bits.
+// First bit will be LSB of the first byte of output.
+type bitWriter struct {
+	bitContainer uint64
+	nBits        uint8
+	out          []byte
+}
+
+// bitMask16 is bitmasks. Has extra to avoid bounds check.
+var bitMask16 = [32]uint16{
+	0, 1, 3, 7, 0xF, 0x1F,
+	0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF,
+	0xFFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF, 0xFFFF,
+	0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF,
+	0xFFFF, 0xFFFF} /* up to 16 bits */
+
+var bitMask32 = [32]uint32{
+	0, 1, 3, 7, 0xF, 0x1F, 0x3F, 0x7F, 0xFF,
+	0x1FF, 0x3FF, 0x7FF, 0xFFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF,
+	0x1ffff, 0x3ffff, 0x7FFFF, 0xfFFFF, 0x1fFFFF, 0x3fFFFF, 0x7fFFFF, 0xffFFFF,
+	0x1ffFFFF, 0x3ffFFFF, 0x7ffFFFF, 0xfffFFFF, 0x1fffFFFF, 0x3fffFFFF, 0x7fffFFFF,
+} // up to 32 bits
+
+// addBits16NC will add up to 16 bits.
+// It will not check if there is space for them,
+// so the caller must ensure that it has flushed recently.
+func (b *bitWriter) addBits16NC(value uint16, bits uint8) {
+	b.bitContainer |= uint64(value&bitMask16[bits&31]) << (b.nBits & 63)
+	b.nBits += bits
+}
+
+// addBits32NC will add up to 31 bits.
+// It will not check if there is space for them,
+// so the caller must ensure that it has flushed recently.
+func (b *bitWriter) addBits32NC(value uint32, bits uint8) {
+	b.bitContainer |= uint64(value&bitMask32[bits&31]) << (b.nBits & 63)
+	b.nBits += bits
+}
+
+// addBits64NC will add up to 64 bits.
+// There must be space for 32 bits.
+func (b *bitWriter) addBits64NC(value uint64, bits uint8) {
+	if bits <= 31 {
+		b.addBits32Clean(uint32(value), bits)
+		return
+	}
+	b.addBits32Clean(uint32(value), 32)
+	b.flush32()
+	b.addBits32Clean(uint32(value>>32), bits-32)
+}
+
+// addBits32Clean will add up to 32 bits.
+// It will not check if there is space for them.
+// The input must not contain more bits than specified.
+func (b *bitWriter) addBits32Clean(value uint32, bits uint8) {
+	b.bitContainer |= uint64(value) << (b.nBits & 63)
+	b.nBits += bits
+}
+
+// addBits16Clean will add up to 16 bits. value may not contain more set bits than indicated.
+// It will not check if there is space for them, so the caller must ensure that it has flushed recently.
+func (b *bitWriter) addBits16Clean(value uint16, bits uint8) {
+	b.bitContainer |= uint64(value) << (b.nBits & 63)
+	b.nBits += bits
+}
+
+// flush32 will flush out, so there are at least 32 bits available for writing.
+func (b *bitWriter) flush32() {
+	if b.nBits < 32 {
+		return
+	}
+	b.out = append(b.out,
+		byte(b.bitContainer),
+		byte(b.bitContainer>>8),
+		byte(b.bitContainer>>16),
+		byte(b.bitContainer>>24))
+	b.nBits -= 32
+	b.bitContainer >>= 32
+}
+
+// flushAlign will flush remaining full bytes and align to next byte boundary.
+func (b *bitWriter) flushAlign() {
+	nbBytes := (b.nBits + 7) >> 3
+	for i := uint8(0); i < nbBytes; i++ {
+		b.out = append(b.out, byte(b.bitContainer>>(i*8)))
+	}
+	b.nBits = 0
+	b.bitContainer = 0
+}
+
+// close will write the alignment bit and write the final byte(s)
+// to the output.
+func (b *bitWriter) close() {
+	// End mark
+	b.addBits16Clean(1, 1)
+	// flush until next byte.
+	b.flushAlign()
+}
+
+// reset and continue writing by appending to out.
+func (b *bitWriter) reset(out []byte) {
+	b.bitContainer = 0
+	b.nBits = 0
+	b.out = out
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/blockdec.go b/vendor/github.com/klauspost/compress/zstd/blockdec.go
new file mode 100644
index 0000000000..0dd742fd2a
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/blockdec.go
@@ -0,0 +1,712 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"errors"
+	"fmt"
+	"hash/crc32"
+	"io"
+	"sync"
+
+	"github.com/klauspost/compress/huff0"
+	"github.com/klauspost/compress/zstd/internal/xxhash"
+)
+
+type blockType uint8
+
+//go:generate stringer -type=blockType,literalsBlockType,seqCompMode,tableIndex
+
+const (
+	blockTypeRaw blockType = iota
+	blockTypeRLE
+	blockTypeCompressed
+	blockTypeReserved
+)
+
+type literalsBlockType uint8
+
+const (
+	literalsBlockRaw literalsBlockType = iota
+	literalsBlockRLE
+	literalsBlockCompressed
+	literalsBlockTreeless
+)
+
+const (
+	// maxCompressedBlockSize is the biggest allowed compressed block size (128KB)
+	maxCompressedBlockSize = 128 << 10
+
+	compressedBlockOverAlloc    = 16
+	maxCompressedBlockSizeAlloc = 128<<10 + compressedBlockOverAlloc
+
+	// Maximum possible block size (all Raw+Uncompressed).
+	maxBlockSize = (1 << 21) - 1
+
+	maxMatchLen  = 131074
+	maxSequences = 0x7f00 + 0xffff
+
+	// We support slightly less than the reference decoder to be able to
+	// use ints on 32 bit archs.
+	maxOffsetBits = 30
+)
+
+var (
+	huffDecoderPool = sync.Pool{New: func() interface{} {
+		return &huff0.Scratch{}
+	}}
+
+	fseDecoderPool = sync.Pool{New: func() interface{} {
+		return &fseDecoder{}
+	}}
+)
+
+type blockDec struct {
+	// Raw source data of the block.
+	data        []byte
+	dataStorage []byte
+
+	// Destination of the decoded data.
+	dst []byte
+
+	// Buffer for literals data.
+	literalBuf []byte
+
+	// Window size of the block.
+	WindowSize uint64
+
+	err error
+
+	// Check against this crc, if hasCRC is true.
+	checkCRC uint32
+	hasCRC   bool
+
+	// Frame to use for singlethreaded decoding.
+	// Should not be used by the decoder itself since parent may be another frame.
+	localFrame *frameDec
+
+	sequence []seqVals
+
+	async struct {
+		newHist  *history
+		literals []byte
+		seqData  []byte
+		seqSize  int // Size of uncompressed sequences
+		fcs      uint64
+	}
+
+	// Block is RLE, this is the size.
+	RLESize uint32
+
+	Type blockType
+
+	// Is this the last block of a frame?
+	Last bool
+
+	// Use less memory
+	lowMem bool
+}
+
+func (b *blockDec) String() string {
+	if b == nil {
+		return "<nil>"
+	}
+	return fmt.Sprintf("Steam Size: %d, Type: %v, Last: %t, Window: %d", len(b.data), b.Type, b.Last, b.WindowSize)
+}
+
+func newBlockDec(lowMem bool) *blockDec {
+	b := blockDec{
+		lowMem: lowMem,
+	}
+	return &b
+}
+
+// reset will reset the block.
+// Input must be a start of a block and will be at the end of the block when returned.
+func (b *blockDec) reset(br byteBuffer, windowSize uint64) error {
+	b.WindowSize = windowSize
+	tmp, err := br.readSmall(3)
+	if err != nil {
+		println("Reading block header:", err)
+		return err
+	}
+	bh := uint32(tmp[0]) | (uint32(tmp[1]) << 8) | (uint32(tmp[2]) << 16)
+	b.Last = bh&1 != 0
+	b.Type = blockType((bh >> 1) & 3)
+	// find size.
+	cSize := int(bh >> 3)
+	maxSize := maxCompressedBlockSizeAlloc
+	switch b.Type {
+	case blockTypeReserved:
+		return ErrReservedBlockType
+	case blockTypeRLE:
+		if cSize > maxCompressedBlockSize || cSize > int(b.WindowSize) {
+			if debugDecoder {
+				printf("rle block too big: csize:%d block: %+v\n", uint64(cSize), b)
+			}
+			return ErrWindowSizeExceeded
+		}
+		b.RLESize = uint32(cSize)
+		if b.lowMem {
+			maxSize = cSize
+		}
+		cSize = 1
+	case blockTypeCompressed:
+		if debugDecoder {
+			println("Data size on stream:", cSize)
+		}
+		b.RLESize = 0
+		maxSize = maxCompressedBlockSizeAlloc
+		if windowSize < maxCompressedBlockSize && b.lowMem {
+			maxSize = int(windowSize) + compressedBlockOverAlloc
+		}
+		if cSize > maxCompressedBlockSize || uint64(cSize) > b.WindowSize {
+			if debugDecoder {
+				printf("compressed block too big: csize:%d block: %+v\n", uint64(cSize), b)
+			}
+			return ErrCompressedSizeTooBig
+		}
+		// Empty compressed blocks must at least be 2 bytes
+		// for Literals_Block_Type and one for Sequences_Section_Header.
+		if cSize < 2 {
+			return ErrBlockTooSmall
+		}
+	case blockTypeRaw:
+		if cSize > maxCompressedBlockSize || cSize > int(b.WindowSize) {
+			if debugDecoder {
+				printf("rle block too big: csize:%d block: %+v\n", uint64(cSize), b)
+			}
+			return ErrWindowSizeExceeded
+		}
+
+		b.RLESize = 0
+		// We do not need a destination for raw blocks.
+		maxSize = -1
+	default:
+		panic("Invalid block type")
+	}
+
+	// Read block data.
+	if _, ok := br.(*byteBuf); !ok && cap(b.dataStorage) < cSize {
+		// byteBuf doesn't need a destination buffer.
+		if b.lowMem || cSize > maxCompressedBlockSize {
+			b.dataStorage = make([]byte, 0, cSize+compressedBlockOverAlloc)
+		} else {
+			b.dataStorage = make([]byte, 0, maxCompressedBlockSizeAlloc)
+		}
+	}
+	b.data, err = br.readBig(cSize, b.dataStorage)
+	if err != nil {
+		if debugDecoder {
+			println("Reading block:", err, "(", cSize, ")", len(b.data))
+			printf("%T", br)
+		}
+		return err
+	}
+	if cap(b.dst) <= maxSize {
+		b.dst = make([]byte, 0, maxSize+1)
+	}
+	return nil
+}
+
+// sendEOF will make the decoder send EOF on this frame.
+func (b *blockDec) sendErr(err error) {
+	b.Last = true
+	b.Type = blockTypeReserved
+	b.err = err
+}
+
+// Close will release resources.
+// Closed blockDec cannot be reset.
+func (b *blockDec) Close() {
+}
+
+// decodeBuf
+func (b *blockDec) decodeBuf(hist *history) error {
+	switch b.Type {
+	case blockTypeRLE:
+		if cap(b.dst) < int(b.RLESize) {
+			if b.lowMem {
+				b.dst = make([]byte, b.RLESize)
+			} else {
+				b.dst = make([]byte, maxCompressedBlockSize)
+			}
+		}
+		b.dst = b.dst[:b.RLESize]
+		v := b.data[0]
+		for i := range b.dst {
+			b.dst[i] = v
+		}
+		hist.appendKeep(b.dst)
+		return nil
+	case blockTypeRaw:
+		hist.appendKeep(b.data)
+		return nil
+	case blockTypeCompressed:
+		saved := b.dst
+		// Append directly to history
+		if hist.ignoreBuffer == 0 {
+			b.dst = hist.b
+			hist.b = nil
+		} else {
+			b.dst = b.dst[:0]
+		}
+		err := b.decodeCompressed(hist)
+		if debugDecoder {
+			println("Decompressed to total", len(b.dst), "bytes, hash:", xxhash.Sum64(b.dst), "error:", err)
+		}
+		if hist.ignoreBuffer == 0 {
+			hist.b = b.dst
+			b.dst = saved
+		} else {
+			hist.appendKeep(b.dst)
+		}
+		return err
+	case blockTypeReserved:
+		// Used for returning errors.
+		return b.err
+	default:
+		panic("Invalid block type")
+	}
+}
+
+func (b *blockDec) decodeLiterals(in []byte, hist *history) (remain []byte, err error) {
+	// There must be at least one byte for Literals_Block_Type and one for Sequences_Section_Header
+	if len(in) < 2 {
+		return in, ErrBlockTooSmall
+	}
+
+	litType := literalsBlockType(in[0] & 3)
+	var litRegenSize int
+	var litCompSize int
+	sizeFormat := (in[0] >> 2) & 3
+	var fourStreams bool
+	var literals []byte
+	switch litType {
+	case literalsBlockRaw, literalsBlockRLE:
+		switch sizeFormat {
+		case 0, 2:
+			// Regenerated_Size uses 5 bits (0-31). Literals_Section_Header uses 1 byte.
+			litRegenSize = int(in[0] >> 3)
+			in = in[1:]
+		case 1:
+			// Regenerated_Size uses 12 bits (0-4095). Literals_Section_Header uses 2 bytes.
+			litRegenSize = int(in[0]>>4) + (int(in[1]) << 4)
+			in = in[2:]
+		case 3:
+			//  Regenerated_Size uses 20 bits (0-1048575). Literals_Section_Header uses 3 bytes.
+			if len(in) < 3 {
+				println("too small: litType:", litType, " sizeFormat", sizeFormat, len(in))
+				return in, ErrBlockTooSmall
+			}
+			litRegenSize = int(in[0]>>4) + (int(in[1]) << 4) + (int(in[2]) << 12)
+			in = in[3:]
+		}
+	case literalsBlockCompressed, literalsBlockTreeless:
+		switch sizeFormat {
+		case 0, 1:
+			// Both Regenerated_Size and Compressed_Size use 10 bits (0-1023).
+			if len(in) < 3 {
+				println("too small: litType:", litType, " sizeFormat", sizeFormat, len(in))
+				return in, ErrBlockTooSmall
+			}
+			n := uint64(in[0]>>4) + (uint64(in[1]) << 4) + (uint64(in[2]) << 12)
+			litRegenSize = int(n & 1023)
+			litCompSize = int(n >> 10)
+			fourStreams = sizeFormat == 1
+			in = in[3:]
+		case 2:
+			fourStreams = true
+			if len(in) < 4 {
+				println("too small: litType:", litType, " sizeFormat", sizeFormat, len(in))
+				return in, ErrBlockTooSmall
+			}
+			n := uint64(in[0]>>4) + (uint64(in[1]) << 4) + (uint64(in[2]) << 12) + (uint64(in[3]) << 20)
+			litRegenSize = int(n & 16383)
+			litCompSize = int(n >> 14)
+			in = in[4:]
+		case 3:
+			fourStreams = true
+			if len(in) < 5 {
+				println("too small: litType:", litType, " sizeFormat", sizeFormat, len(in))
+				return in, ErrBlockTooSmall
+			}
+			n := uint64(in[0]>>4) + (uint64(in[1]) << 4) + (uint64(in[2]) << 12) + (uint64(in[3]) << 20) + (uint64(in[4]) << 28)
+			litRegenSize = int(n & 262143)
+			litCompSize = int(n >> 18)
+			in = in[5:]
+		}
+	}
+	if debugDecoder {
+		println("literals type:", litType, "litRegenSize:", litRegenSize, "litCompSize:", litCompSize, "sizeFormat:", sizeFormat, "4X:", fourStreams)
+	}
+	if litRegenSize > int(b.WindowSize) || litRegenSize > maxCompressedBlockSize {
+		return in, ErrWindowSizeExceeded
+	}
+
+	switch litType {
+	case literalsBlockRaw:
+		if len(in) < litRegenSize {
+			println("too small: litType:", litType, " sizeFormat", sizeFormat, "remain:", len(in), "want:", litRegenSize)
+			return in, ErrBlockTooSmall
+		}
+		literals = in[:litRegenSize]
+		in = in[litRegenSize:]
+		//printf("Found %d uncompressed literals\n", litRegenSize)
+	case literalsBlockRLE:
+		if len(in) < 1 {
+			println("too small: litType:", litType, " sizeFormat", sizeFormat, "remain:", len(in), "want:", 1)
+			return in, ErrBlockTooSmall
+		}
+		if cap(b.literalBuf) < litRegenSize {
+			if b.lowMem {
+				b.literalBuf = make([]byte, litRegenSize, litRegenSize+compressedBlockOverAlloc)
+			} else {
+				b.literalBuf = make([]byte, litRegenSize, maxCompressedBlockSize+compressedBlockOverAlloc)
+			}
+		}
+		literals = b.literalBuf[:litRegenSize]
+		v := in[0]
+		for i := range literals {
+			literals[i] = v
+		}
+		in = in[1:]
+		if debugDecoder {
+			printf("Found %d RLE compressed literals\n", litRegenSize)
+		}
+	case literalsBlockTreeless:
+		if len(in) < litCompSize {
+			println("too small: litType:", litType, " sizeFormat", sizeFormat, "remain:", len(in), "want:", litCompSize)
+			return in, ErrBlockTooSmall
+		}
+		// Store compressed literals, so we defer decoding until we get history.
+		literals = in[:litCompSize]
+		in = in[litCompSize:]
+		if debugDecoder {
+			printf("Found %d compressed literals\n", litCompSize)
+		}
+		huff := hist.huffTree
+		if huff == nil {
+			return in, errors.New("literal block was treeless, but no history was defined")
+		}
+		// Ensure we have space to store it.
+		if cap(b.literalBuf) < litRegenSize {
+			if b.lowMem {
+				b.literalBuf = make([]byte, 0, litRegenSize+compressedBlockOverAlloc)
+			} else {
+				b.literalBuf = make([]byte, 0, maxCompressedBlockSize+compressedBlockOverAlloc)
+			}
+		}
+		var err error
+		// Use our out buffer.
+		huff.MaxDecodedSize = litRegenSize
+		if fourStreams {
+			literals, err = huff.Decoder().Decompress4X(b.literalBuf[:0:litRegenSize], literals)
+		} else {
+			literals, err = huff.Decoder().Decompress1X(b.literalBuf[:0:litRegenSize], literals)
+		}
+		// Make sure we don't leak our literals buffer
+		if err != nil {
+			println("decompressing literals:", err)
+			return in, err
+		}
+		if len(literals) != litRegenSize {
+			return in, fmt.Errorf("literal output size mismatch want %d, got %d", litRegenSize, len(literals))
+		}
+
+	case literalsBlockCompressed:
+		if len(in) < litCompSize {
+			println("too small: litType:", litType, " sizeFormat", sizeFormat, "remain:", len(in), "want:", litCompSize)
+			return in, ErrBlockTooSmall
+		}
+		literals = in[:litCompSize]
+		in = in[litCompSize:]
+		// Ensure we have space to store it.
+		if cap(b.literalBuf) < litRegenSize {
+			if b.lowMem {
+				b.literalBuf = make([]byte, 0, litRegenSize+compressedBlockOverAlloc)
+			} else {
+				b.literalBuf = make([]byte, 0, maxCompressedBlockSize+compressedBlockOverAlloc)
+			}
+		}
+		huff := hist.huffTree
+		if huff == nil || (hist.dict != nil && huff == hist.dict.litEnc) {
+			huff = huffDecoderPool.Get().(*huff0.Scratch)
+			if huff == nil {
+				huff = &huff0.Scratch{}
+			}
+		}
+		var err error
+		if debugDecoder {
+			println("huff table input:", len(literals), "CRC:", crc32.ChecksumIEEE(literals))
+		}
+		huff, literals, err = huff0.ReadTable(literals, huff)
+		if err != nil {
+			println("reading huffman table:", err)
+			return in, err
+		}
+		hist.huffTree = huff
+		huff.MaxDecodedSize = litRegenSize
+		// Use our out buffer.
+		if fourStreams {
+			literals, err = huff.Decoder().Decompress4X(b.literalBuf[:0:litRegenSize], literals)
+		} else {
+			literals, err = huff.Decoder().Decompress1X(b.literalBuf[:0:litRegenSize], literals)
+		}
+		if err != nil {
+			println("decoding compressed literals:", err)
+			return in, err
+		}
+		// Make sure we don't leak our literals buffer
+		if len(literals) != litRegenSize {
+			return in, fmt.Errorf("literal output size mismatch want %d, got %d", litRegenSize, len(literals))
+		}
+		// Re-cap to get extra size.
+		literals = b.literalBuf[:len(literals)]
+		if debugDecoder {
+			printf("Decompressed %d literals into %d bytes\n", litCompSize, litRegenSize)
+		}
+	}
+	hist.decoders.literals = literals
+	return in, nil
+}
+
+// decodeCompressed will start decompressing a block.
+func (b *blockDec) decodeCompressed(hist *history) error {
+	in := b.data
+	in, err := b.decodeLiterals(in, hist)
+	if err != nil {
+		return err
+	}
+	err = b.prepareSequences(in, hist)
+	if err != nil {
+		return err
+	}
+	if hist.decoders.nSeqs == 0 {
+		b.dst = append(b.dst, hist.decoders.literals...)
+		return nil
+	}
+	before := len(hist.decoders.out)
+	err = hist.decoders.decodeSync(hist.b[hist.ignoreBuffer:])
+	if err != nil {
+		return err
+	}
+	if hist.decoders.maxSyncLen > 0 {
+		hist.decoders.maxSyncLen += uint64(before)
+		hist.decoders.maxSyncLen -= uint64(len(hist.decoders.out))
+	}
+	b.dst = hist.decoders.out
+	hist.recentOffsets = hist.decoders.prevOffset
+	return nil
+}
+
+func (b *blockDec) prepareSequences(in []byte, hist *history) (err error) {
+	if debugDecoder {
+		printf("prepareSequences: %d byte(s) input\n", len(in))
+	}
+	// Decode Sequences
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#sequences-section
+	if len(in) < 1 {
+		return ErrBlockTooSmall
+	}
+	var nSeqs int
+	seqHeader := in[0]
+	switch {
+	case seqHeader < 128:
+		nSeqs = int(seqHeader)
+		in = in[1:]
+	case seqHeader < 255:
+		if len(in) < 2 {
+			return ErrBlockTooSmall
+		}
+		nSeqs = int(seqHeader-128)<<8 | int(in[1])
+		in = in[2:]
+	case seqHeader == 255:
+		if len(in) < 3 {
+			return ErrBlockTooSmall
+		}
+		nSeqs = 0x7f00 + int(in[1]) + (int(in[2]) << 8)
+		in = in[3:]
+	}
+	if nSeqs == 0 && len(in) != 0 {
+		// When no sequences, there should not be any more data...
+		if debugDecoder {
+			printf("prepareSequences: 0 sequences, but %d byte(s) left on stream\n", len(in))
+		}
+		return ErrUnexpectedBlockSize
+	}
+
+	var seqs = &hist.decoders
+	seqs.nSeqs = nSeqs
+	if nSeqs > 0 {
+		if len(in) < 1 {
+			return ErrBlockTooSmall
+		}
+		br := byteReader{b: in, off: 0}
+		compMode := br.Uint8()
+		br.advance(1)
+		if debugDecoder {
+			printf("Compression modes: 0b%b", compMode)
+		}
+		if compMode&3 != 0 {
+			return errors.New("corrupt block: reserved bits not zero")
+		}
+		for i := uint(0); i < 3; i++ {
+			mode := seqCompMode((compMode >> (6 - i*2)) & 3)
+			if debugDecoder {
+				println("Table", tableIndex(i), "is", mode)
+			}
+			var seq *sequenceDec
+			switch tableIndex(i) {
+			case tableLiteralLengths:
+				seq = &seqs.litLengths
+			case tableOffsets:
+				seq = &seqs.offsets
+			case tableMatchLengths:
+				seq = &seqs.matchLengths
+			default:
+				panic("unknown table")
+			}
+			switch mode {
+			case compModePredefined:
+				if seq.fse != nil && !seq.fse.preDefined {
+					fseDecoderPool.Put(seq.fse)
+				}
+				seq.fse = &fsePredef[i]
+			case compModeRLE:
+				if br.remain() < 1 {
+					return ErrBlockTooSmall
+				}
+				v := br.Uint8()
+				br.advance(1)
+				if seq.fse == nil || seq.fse.preDefined {
+					seq.fse = fseDecoderPool.Get().(*fseDecoder)
+				}
+				symb, err := decSymbolValue(v, symbolTableX[i])
+				if err != nil {
+					printf("RLE Transform table (%v) error: %v", tableIndex(i), err)
+					return err
+				}
+				seq.fse.setRLE(symb)
+				if debugDecoder {
+					printf("RLE set to 0x%x, code: %v", symb, v)
+				}
+			case compModeFSE:
+				if debugDecoder {
+					println("Reading table for", tableIndex(i))
+				}
+				if seq.fse == nil || seq.fse.preDefined {
+					seq.fse = fseDecoderPool.Get().(*fseDecoder)
+				}
+				err := seq.fse.readNCount(&br, uint16(maxTableSymbol[i]))
+				if err != nil {
+					println("Read table error:", err)
+					return err
+				}
+				err = seq.fse.transform(symbolTableX[i])
+				if err != nil {
+					println("Transform table error:", err)
+					return err
+				}
+				if debugDecoder {
+					println("Read table ok", "symbolLen:", seq.fse.symbolLen)
+				}
+			case compModeRepeat:
+				seq.repeat = true
+			}
+			if br.overread() {
+				return io.ErrUnexpectedEOF
+			}
+		}
+		in = br.unread()
+	}
+	if debugDecoder {
+		println("Literals:", len(seqs.literals), "hash:", xxhash.Sum64(seqs.literals), "and", seqs.nSeqs, "sequences.")
+	}
+
+	if nSeqs == 0 {
+		if len(b.sequence) > 0 {
+			b.sequence = b.sequence[:0]
+		}
+		return nil
+	}
+	br := seqs.br
+	if br == nil {
+		br = &bitReader{}
+	}
+	if err := br.init(in); err != nil {
+		return err
+	}
+
+	if err := seqs.initialize(br, hist, b.dst); err != nil {
+		println("initializing sequences:", err)
+		return err
+	}
+
+	return nil
+}
+
+func (b *blockDec) decodeSequences(hist *history) error {
+	if cap(b.sequence) < hist.decoders.nSeqs {
+		if b.lowMem {
+			b.sequence = make([]seqVals, 0, hist.decoders.nSeqs)
+		} else {
+			b.sequence = make([]seqVals, 0, 0x7F00+0xffff)
+		}
+	}
+	b.sequence = b.sequence[:hist.decoders.nSeqs]
+	if hist.decoders.nSeqs == 0 {
+		hist.decoders.seqSize = len(hist.decoders.literals)
+		return nil
+	}
+	hist.decoders.windowSize = hist.windowSize
+	hist.decoders.prevOffset = hist.recentOffsets
+
+	err := hist.decoders.decode(b.sequence)
+	hist.recentOffsets = hist.decoders.prevOffset
+	return err
+}
+
+func (b *blockDec) executeSequences(hist *history) error {
+	hbytes := hist.b
+	if len(hbytes) > hist.windowSize {
+		hbytes = hbytes[len(hbytes)-hist.windowSize:]
+		// We do not need history anymore.
+		if hist.dict != nil {
+			hist.dict.content = nil
+		}
+	}
+	hist.decoders.windowSize = hist.windowSize
+	hist.decoders.out = b.dst[:0]
+	err := hist.decoders.execute(b.sequence, hbytes)
+	if err != nil {
+		return err
+	}
+	return b.updateHistory(hist)
+}
+
+func (b *blockDec) updateHistory(hist *history) error {
+	if len(b.data) > maxCompressedBlockSize {
+		return fmt.Errorf("compressed block size too large (%d)", len(b.data))
+	}
+	// Set output and release references.
+	b.dst = hist.decoders.out
+	hist.recentOffsets = hist.decoders.prevOffset
+
+	if b.Last {
+		// if last block we don't care about history.
+		println("Last block, no history returned")
+		hist.b = hist.b[:0]
+		return nil
+	} else {
+		hist.append(b.dst)
+		if debugDecoder {
+			println("Finished block with ", len(b.sequence), "sequences. Added", len(b.dst), "to history, now length", len(hist.b))
+		}
+	}
+	hist.decoders.out, hist.decoders.literals = nil, nil
+
+	return nil
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/blockenc.go b/vendor/github.com/klauspost/compress/zstd/blockenc.go
new file mode 100644
index 0000000000..fd35ea1480
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/blockenc.go
@@ -0,0 +1,892 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"errors"
+	"fmt"
+	"math"
+	"math/bits"
+	"slices"
+
+	"github.com/klauspost/compress/huff0"
+)
+
+type blockEnc struct {
+	size       int
+	literals   []byte
+	sequences  []seq
+	coders     seqCoders
+	litEnc     *huff0.Scratch
+	dictLitEnc *huff0.Scratch
+	wr         bitWriter
+
+	extraLits         int
+	output            []byte
+	recentOffsets     [3]uint32
+	prevRecentOffsets [3]uint32
+
+	last   bool
+	lowMem bool
+}
+
+// init should be used once the block has been created.
+// If called more than once, the effect is the same as calling reset.
+func (b *blockEnc) init() {
+	if b.lowMem {
+		// 1K literals
+		if cap(b.literals) < 1<<10 {
+			b.literals = make([]byte, 0, 1<<10)
+		}
+		const defSeqs = 20
+		if cap(b.sequences) < defSeqs {
+			b.sequences = make([]seq, 0, defSeqs)
+		}
+		// 1K
+		if cap(b.output) < 1<<10 {
+			b.output = make([]byte, 0, 1<<10)
+		}
+	} else {
+		if cap(b.literals) < maxCompressedBlockSize {
+			b.literals = make([]byte, 0, maxCompressedBlockSize)
+		}
+		const defSeqs = 2000
+		if cap(b.sequences) < defSeqs {
+			b.sequences = make([]seq, 0, defSeqs)
+		}
+		if cap(b.output) < maxCompressedBlockSize {
+			b.output = make([]byte, 0, maxCompressedBlockSize)
+		}
+	}
+
+	if b.coders.mlEnc == nil {
+		b.coders.mlEnc = &fseEncoder{}
+		b.coders.mlPrev = &fseEncoder{}
+		b.coders.ofEnc = &fseEncoder{}
+		b.coders.ofPrev = &fseEncoder{}
+		b.coders.llEnc = &fseEncoder{}
+		b.coders.llPrev = &fseEncoder{}
+	}
+	b.litEnc = &huff0.Scratch{WantLogLess: 4}
+	b.reset(nil)
+}
+
+// initNewEncode can be used to reset offsets and encoders to the initial state.
+func (b *blockEnc) initNewEncode() {
+	b.recentOffsets = [3]uint32{1, 4, 8}
+	b.litEnc.Reuse = huff0.ReusePolicyNone
+	b.coders.setPrev(nil, nil, nil)
+}
+
+// reset will reset the block for a new encode, but in the same stream,
+// meaning that state will be carried over, but the block content is reset.
+// If a previous block is provided, the recent offsets are carried over.
+func (b *blockEnc) reset(prev *blockEnc) {
+	b.extraLits = 0
+	b.literals = b.literals[:0]
+	b.size = 0
+	b.sequences = b.sequences[:0]
+	b.output = b.output[:0]
+	b.last = false
+	if prev != nil {
+		b.recentOffsets = prev.prevRecentOffsets
+	}
+	b.dictLitEnc = nil
+}
+
+// reset will reset the block for a new encode, but in the same stream,
+// meaning that state will be carried over, but the block content is reset.
+// If a previous block is provided, the recent offsets are carried over.
+func (b *blockEnc) swapEncoders(prev *blockEnc) {
+	b.coders.swap(&prev.coders)
+	b.litEnc, prev.litEnc = prev.litEnc, b.litEnc
+}
+
+// blockHeader contains the information for a block header.
+type blockHeader uint32
+
+// setLast sets the 'last' indicator on a block.
+func (h *blockHeader) setLast(b bool) {
+	if b {
+		*h = *h | 1
+	} else {
+		const mask = (1 << 24) - 2
+		*h = *h & mask
+	}
+}
+
+// setSize will store the compressed size of a block.
+func (h *blockHeader) setSize(v uint32) {
+	const mask = 7
+	*h = (*h)&mask | blockHeader(v<<3)
+}
+
+// setType sets the block type.
+func (h *blockHeader) setType(t blockType) {
+	const mask = 1 | (((1 << 24) - 1) ^ 7)
+	*h = (*h & mask) | blockHeader(t<<1)
+}
+
+// appendTo will append the block header to a slice.
+func (h blockHeader) appendTo(b []byte) []byte {
+	return append(b, uint8(h), uint8(h>>8), uint8(h>>16))
+}
+
+// String returns a string representation of the block.
+func (h blockHeader) String() string {
+	return fmt.Sprintf("Type: %d, Size: %d, Last:%t", (h>>1)&3, h>>3, h&1 == 1)
+}
+
+// literalsHeader contains literals header information.
+type literalsHeader uint64
+
+// setType can be used to set the type of literal block.
+func (h *literalsHeader) setType(t literalsBlockType) {
+	const mask = math.MaxUint64 - 3
+	*h = (*h & mask) | literalsHeader(t)
+}
+
+// setSize can be used to set a single size, for uncompressed and RLE content.
+func (h *literalsHeader) setSize(regenLen int) {
+	inBits := bits.Len32(uint32(regenLen))
+	// Only retain 2 bits
+	const mask = 3
+	lh := uint64(*h & mask)
+	switch {
+	case inBits < 5:
+		lh |= (uint64(regenLen) << 3) | (1 << 60)
+		if debugEncoder {
+			got := int(lh>>3) & 0xff
+			if got != regenLen {
+				panic(fmt.Sprint("litRegenSize = ", regenLen, "(want) != ", got, "(got)"))
+			}
+		}
+	case inBits < 12:
+		lh |= (1 << 2) | (uint64(regenLen) << 4) | (2 << 60)
+	case inBits < 20:
+		lh |= (3 << 2) | (uint64(regenLen) << 4) | (3 << 60)
+	default:
+		panic(fmt.Errorf("internal error: block too big (%d)", regenLen))
+	}
+	*h = literalsHeader(lh)
+}
+
+// setSizes will set the size of a compressed literals section and the input length.
+func (h *literalsHeader) setSizes(compLen, inLen int, single bool) {
+	compBits, inBits := bits.Len32(uint32(compLen)), bits.Len32(uint32(inLen))
+	// Only retain 2 bits
+	const mask = 3
+	lh := uint64(*h & mask)
+	switch {
+	case compBits <= 10 && inBits <= 10:
+		if !single {
+			lh |= 1 << 2
+		}
+		lh |= (uint64(inLen) << 4) | (uint64(compLen) << (10 + 4)) | (3 << 60)
+		if debugEncoder {
+			const mmask = (1 << 24) - 1
+			n := (lh >> 4) & mmask
+			if int(n&1023) != inLen {
+				panic(fmt.Sprint("regensize:", int(n&1023), "!=", inLen, inBits))
+			}
+			if int(n>>10) != compLen {
+				panic(fmt.Sprint("compsize:", int(n>>10), "!=", compLen, compBits))
+			}
+		}
+	case compBits <= 14 && inBits <= 14:
+		lh |= (2 << 2) | (uint64(inLen) << 4) | (uint64(compLen) << (14 + 4)) | (4 << 60)
+		if single {
+			panic("single stream used with more than 10 bits length.")
+		}
+	case compBits <= 18 && inBits <= 18:
+		lh |= (3 << 2) | (uint64(inLen) << 4) | (uint64(compLen) << (18 + 4)) | (5 << 60)
+		if single {
+			panic("single stream used with more than 10 bits length.")
+		}
+	default:
+		panic("internal error: block too big")
+	}
+	*h = literalsHeader(lh)
+}
+
+// appendTo will append the literals header to a byte slice.
+func (h literalsHeader) appendTo(b []byte) []byte {
+	size := uint8(h >> 60)
+	switch size {
+	case 1:
+		b = append(b, uint8(h))
+	case 2:
+		b = append(b, uint8(h), uint8(h>>8))
+	case 3:
+		b = append(b, uint8(h), uint8(h>>8), uint8(h>>16))
+	case 4:
+		b = append(b, uint8(h), uint8(h>>8), uint8(h>>16), uint8(h>>24))
+	case 5:
+		b = append(b, uint8(h), uint8(h>>8), uint8(h>>16), uint8(h>>24), uint8(h>>32))
+	default:
+		panic(fmt.Errorf("internal error: literalsHeader has invalid size (%d)", size))
+	}
+	return b
+}
+
+// size returns the output size with currently set values.
+func (h literalsHeader) size() int {
+	return int(h >> 60)
+}
+
+func (h literalsHeader) String() string {
+	return fmt.Sprintf("Type: %d, SizeFormat: %d, Size: 0x%d, Bytes:%d", literalsBlockType(h&3), (h>>2)&3, h&((1<<60)-1)>>4, h>>60)
+}
+
+// pushOffsets will push the recent offsets to the backup store.
+func (b *blockEnc) pushOffsets() {
+	b.prevRecentOffsets = b.recentOffsets
+}
+
+// pushOffsets will push the recent offsets to the backup store.
+func (b *blockEnc) popOffsets() {
+	b.recentOffsets = b.prevRecentOffsets
+}
+
+// matchOffset will adjust recent offsets and return the adjusted one,
+// if it matches a previous offset.
+func (b *blockEnc) matchOffset(offset, lits uint32) uint32 {
+	// Check if offset is one of the recent offsets.
+	// Adjusts the output offset accordingly.
+	// Gives a tiny bit of compression, typically around 1%.
+	if true {
+		if lits > 0 {
+			switch offset {
+			case b.recentOffsets[0]:
+				offset = 1
+			case b.recentOffsets[1]:
+				b.recentOffsets[1] = b.recentOffsets[0]
+				b.recentOffsets[0] = offset
+				offset = 2
+			case b.recentOffsets[2]:
+				b.recentOffsets[2] = b.recentOffsets[1]
+				b.recentOffsets[1] = b.recentOffsets[0]
+				b.recentOffsets[0] = offset
+				offset = 3
+			default:
+				b.recentOffsets[2] = b.recentOffsets[1]
+				b.recentOffsets[1] = b.recentOffsets[0]
+				b.recentOffsets[0] = offset
+				offset += 3
+			}
+		} else {
+			switch offset {
+			case b.recentOffsets[1]:
+				b.recentOffsets[1] = b.recentOffsets[0]
+				b.recentOffsets[0] = offset
+				offset = 1
+			case b.recentOffsets[2]:
+				b.recentOffsets[2] = b.recentOffsets[1]
+				b.recentOffsets[1] = b.recentOffsets[0]
+				b.recentOffsets[0] = offset
+				offset = 2
+			case b.recentOffsets[0] - 1:
+				b.recentOffsets[2] = b.recentOffsets[1]
+				b.recentOffsets[1] = b.recentOffsets[0]
+				b.recentOffsets[0] = offset
+				offset = 3
+			default:
+				b.recentOffsets[2] = b.recentOffsets[1]
+				b.recentOffsets[1] = b.recentOffsets[0]
+				b.recentOffsets[0] = offset
+				offset += 3
+			}
+		}
+	} else {
+		offset += 3
+	}
+	return offset
+}
+
+// encodeRaw can be used to set the output to a raw representation of supplied bytes.
+func (b *blockEnc) encodeRaw(a []byte) {
+	var bh blockHeader
+	bh.setLast(b.last)
+	bh.setSize(uint32(len(a)))
+	bh.setType(blockTypeRaw)
+	b.output = bh.appendTo(b.output[:0])
+	b.output = append(b.output, a...)
+	if debugEncoder {
+		println("Adding RAW block, length", len(a), "last:", b.last)
+	}
+}
+
+// encodeRaw can be used to set the output to a raw representation of supplied bytes.
+func (b *blockEnc) encodeRawTo(dst, src []byte) []byte {
+	var bh blockHeader
+	bh.setLast(b.last)
+	bh.setSize(uint32(len(src)))
+	bh.setType(blockTypeRaw)
+	dst = bh.appendTo(dst)
+	dst = append(dst, src...)
+	if debugEncoder {
+		println("Adding RAW block, length", len(src), "last:", b.last)
+	}
+	return dst
+}
+
+// encodeLits can be used if the block is only litLen.
+func (b *blockEnc) encodeLits(lits []byte, raw bool) error {
+	var bh blockHeader
+	bh.setLast(b.last)
+	bh.setSize(uint32(len(lits)))
+
+	// Don't compress extremely small blocks
+	if len(lits) < 8 || (len(lits) < 32 && b.dictLitEnc == nil) || raw {
+		if debugEncoder {
+			println("Adding RAW block, length", len(lits), "last:", b.last)
+		}
+		bh.setType(blockTypeRaw)
+		b.output = bh.appendTo(b.output)
+		b.output = append(b.output, lits...)
+		return nil
+	}
+
+	var (
+		out            []byte
+		reUsed, single bool
+		err            error
+	)
+	if b.dictLitEnc != nil {
+		b.litEnc.TransferCTable(b.dictLitEnc)
+		b.litEnc.Reuse = huff0.ReusePolicyAllow
+		b.dictLitEnc = nil
+	}
+	if len(lits) >= 1024 {
+		// Use 4 Streams.
+		out, reUsed, err = huff0.Compress4X(lits, b.litEnc)
+	} else if len(lits) > 16 {
+		// Use 1 stream
+		single = true
+		out, reUsed, err = huff0.Compress1X(lits, b.litEnc)
+	} else {
+		err = huff0.ErrIncompressible
+	}
+	if err == nil && len(out)+5 > len(lits) {
+		// If we are close, we may still be worse or equal to raw.
+		var lh literalsHeader
+		lh.setSizes(len(out), len(lits), single)
+		if len(out)+lh.size() >= len(lits) {
+			err = huff0.ErrIncompressible
+		}
+	}
+	switch err {
+	case huff0.ErrIncompressible:
+		if debugEncoder {
+			println("Adding RAW block, length", len(lits), "last:", b.last)
+		}
+		bh.setType(blockTypeRaw)
+		b.output = bh.appendTo(b.output)
+		b.output = append(b.output, lits...)
+		return nil
+	case huff0.ErrUseRLE:
+		if debugEncoder {
+			println("Adding RLE block, length", len(lits))
+		}
+		bh.setType(blockTypeRLE)
+		b.output = bh.appendTo(b.output)
+		b.output = append(b.output, lits[0])
+		return nil
+	case nil:
+	default:
+		return err
+	}
+	// Compressed...
+	// Now, allow reuse
+	b.litEnc.Reuse = huff0.ReusePolicyAllow
+	bh.setType(blockTypeCompressed)
+	var lh literalsHeader
+	if reUsed {
+		if debugEncoder {
+			println("Reused tree, compressed to", len(out))
+		}
+		lh.setType(literalsBlockTreeless)
+	} else {
+		if debugEncoder {
+			println("New tree, compressed to", len(out), "tree size:", len(b.litEnc.OutTable))
+		}
+		lh.setType(literalsBlockCompressed)
+	}
+	// Set sizes
+	lh.setSizes(len(out), len(lits), single)
+	bh.setSize(uint32(len(out) + lh.size() + 1))
+
+	// Write block headers.
+	b.output = bh.appendTo(b.output)
+	b.output = lh.appendTo(b.output)
+	// Add compressed data.
+	b.output = append(b.output, out...)
+	// No sequences.
+	b.output = append(b.output, 0)
+	return nil
+}
+
+// encodeRLE will encode an RLE block.
+func (b *blockEnc) encodeRLE(val byte, length uint32) {
+	var bh blockHeader
+	bh.setLast(b.last)
+	bh.setSize(length)
+	bh.setType(blockTypeRLE)
+	b.output = bh.appendTo(b.output)
+	b.output = append(b.output, val)
+}
+
+// fuzzFseEncoder can be used to fuzz the FSE encoder.
+func fuzzFseEncoder(data []byte) int {
+	if len(data) > maxSequences || len(data) < 2 {
+		return 0
+	}
+	enc := fseEncoder{}
+	hist := enc.Histogram()
+	maxSym := uint8(0)
+	for i, v := range data {
+		v = v & 63
+		data[i] = v
+		hist[v]++
+		if v > maxSym {
+			maxSym = v
+		}
+	}
+	if maxSym == 0 {
+		// All 0
+		return 0
+	}
+	cnt := int(slices.Max(hist[:maxSym]))
+	if cnt == len(data) {
+		// RLE
+		return 0
+	}
+	enc.HistogramFinished(maxSym, cnt)
+	err := enc.normalizeCount(len(data))
+	if err != nil {
+		return 0
+	}
+	_, err = enc.writeCount(nil)
+	if err != nil {
+		panic(err)
+	}
+	return 1
+}
+
+// encode will encode the block and append the output in b.output.
+// Previous offset codes must be pushed if more blocks are expected.
+func (b *blockEnc) encode(org []byte, raw, rawAllLits bool) error {
+	if len(b.sequences) == 0 {
+		return b.encodeLits(b.literals, rawAllLits)
+	}
+	if len(b.sequences) == 1 && len(org) > 0 && len(b.literals) <= 1 {
+		// Check common RLE cases.
+		seq := b.sequences[0]
+		if seq.litLen == uint32(len(b.literals)) && seq.offset-3 == 1 {
+			// Offset == 1 and 0 or 1 literals.
+			b.encodeRLE(org[0], b.sequences[0].matchLen+zstdMinMatch+seq.litLen)
+			return nil
+		}
+	}
+
+	// We want some difference to at least account for the headers.
+	saved := b.size - len(b.literals) - (b.size >> 6)
+	if saved < 16 {
+		if org == nil {
+			return errIncompressible
+		}
+		b.popOffsets()
+		return b.encodeLits(org, rawAllLits)
+	}
+
+	var bh blockHeader
+	var lh literalsHeader
+	bh.setLast(b.last)
+	bh.setType(blockTypeCompressed)
+	// Store offset of the block header. Needed when we know the size.
+	bhOffset := len(b.output)
+	b.output = bh.appendTo(b.output)
+
+	var (
+		out            []byte
+		reUsed, single bool
+		err            error
+	)
+	if b.dictLitEnc != nil {
+		b.litEnc.TransferCTable(b.dictLitEnc)
+		b.litEnc.Reuse = huff0.ReusePolicyAllow
+		b.dictLitEnc = nil
+	}
+	if len(b.literals) >= 1024 && !raw {
+		// Use 4 Streams.
+		out, reUsed, err = huff0.Compress4X(b.literals, b.litEnc)
+	} else if len(b.literals) > 16 && !raw {
+		// Use 1 stream
+		single = true
+		out, reUsed, err = huff0.Compress1X(b.literals, b.litEnc)
+	} else {
+		err = huff0.ErrIncompressible
+	}
+
+	if err == nil && len(out)+5 > len(b.literals) {
+		// If we are close, we may still be worse or equal to raw.
+		var lh literalsHeader
+		lh.setSize(len(b.literals))
+		szRaw := lh.size()
+		lh.setSizes(len(out), len(b.literals), single)
+		szComp := lh.size()
+		if len(out)+szComp >= len(b.literals)+szRaw {
+			err = huff0.ErrIncompressible
+		}
+	}
+	switch err {
+	case huff0.ErrIncompressible:
+		lh.setType(literalsBlockRaw)
+		lh.setSize(len(b.literals))
+		b.output = lh.appendTo(b.output)
+		b.output = append(b.output, b.literals...)
+		if debugEncoder {
+			println("Adding literals RAW, length", len(b.literals))
+		}
+	case huff0.ErrUseRLE:
+		lh.setType(literalsBlockRLE)
+		lh.setSize(len(b.literals))
+		b.output = lh.appendTo(b.output)
+		b.output = append(b.output, b.literals[0])
+		if debugEncoder {
+			println("Adding literals RLE")
+		}
+	case nil:
+		// Compressed litLen...
+		if reUsed {
+			if debugEncoder {
+				println("reused tree")
+			}
+			lh.setType(literalsBlockTreeless)
+		} else {
+			if debugEncoder {
+				println("new tree, size:", len(b.litEnc.OutTable))
+			}
+			lh.setType(literalsBlockCompressed)
+			if debugEncoder {
+				_, _, err := huff0.ReadTable(out, nil)
+				if err != nil {
+					panic(err)
+				}
+			}
+		}
+		lh.setSizes(len(out), len(b.literals), single)
+		if debugEncoder {
+			printf("Compressed %d literals to %d bytes", len(b.literals), len(out))
+			println("Adding literal header:", lh)
+		}
+		b.output = lh.appendTo(b.output)
+		b.output = append(b.output, out...)
+		b.litEnc.Reuse = huff0.ReusePolicyAllow
+		if debugEncoder {
+			println("Adding literals compressed")
+		}
+	default:
+		if debugEncoder {
+			println("Adding literals ERROR:", err)
+		}
+		return err
+	}
+	// Sequence compression
+
+	// Write the number of sequences
+	switch {
+	case len(b.sequences) < 128:
+		b.output = append(b.output, uint8(len(b.sequences)))
+	case len(b.sequences) < 0x7f00: // TODO: this could be wrong
+		n := len(b.sequences)
+		b.output = append(b.output, 128+uint8(n>>8), uint8(n))
+	default:
+		n := len(b.sequences) - 0x7f00
+		b.output = append(b.output, 255, uint8(n), uint8(n>>8))
+	}
+	if debugEncoder {
+		println("Encoding", len(b.sequences), "sequences")
+	}
+	b.genCodes()
+	llEnc := b.coders.llEnc
+	ofEnc := b.coders.ofEnc
+	mlEnc := b.coders.mlEnc
+	err = llEnc.normalizeCount(len(b.sequences))
+	if err != nil {
+		return err
+	}
+	err = ofEnc.normalizeCount(len(b.sequences))
+	if err != nil {
+		return err
+	}
+	err = mlEnc.normalizeCount(len(b.sequences))
+	if err != nil {
+		return err
+	}
+
+	// Choose the best compression mode for each type.
+	// Will evaluate the new vs predefined and previous.
+	chooseComp := func(cur, prev, preDef *fseEncoder) (*fseEncoder, seqCompMode) {
+		// See if predefined/previous is better
+		hist := cur.count[:cur.symbolLen]
+		nSize := cur.approxSize(hist) + cur.maxHeaderSize()
+		predefSize := preDef.approxSize(hist)
+		prevSize := prev.approxSize(hist)
+
+		// Add a small penalty for new encoders.
+		// Don't bother with extremely small (<2 byte gains).
+		nSize = nSize + (nSize+2*8*16)>>4
+		switch {
+		case predefSize <= prevSize && predefSize <= nSize || forcePreDef:
+			if debugEncoder {
+				println("Using predefined", predefSize>>3, "<=", nSize>>3)
+			}
+			return preDef, compModePredefined
+		case prevSize <= nSize:
+			if debugEncoder {
+				println("Using previous", prevSize>>3, "<=", nSize>>3)
+			}
+			return prev, compModeRepeat
+		default:
+			if debugEncoder {
+				println("Using new, predef", predefSize>>3, ". previous:", prevSize>>3, ">", nSize>>3, "header max:", cur.maxHeaderSize()>>3, "bytes")
+				println("tl:", cur.actualTableLog, "symbolLen:", cur.symbolLen, "norm:", cur.norm[:cur.symbolLen], "hist", cur.count[:cur.symbolLen])
+			}
+			return cur, compModeFSE
+		}
+	}
+
+	// Write compression mode
+	var mode uint8
+	if llEnc.useRLE {
+		mode |= uint8(compModeRLE) << 6
+		llEnc.setRLE(b.sequences[0].llCode)
+		if debugEncoder {
+			println("llEnc.useRLE")
+		}
+	} else {
+		var m seqCompMode
+		llEnc, m = chooseComp(llEnc, b.coders.llPrev, &fsePredefEnc[tableLiteralLengths])
+		mode |= uint8(m) << 6
+	}
+	if ofEnc.useRLE {
+		mode |= uint8(compModeRLE) << 4
+		ofEnc.setRLE(b.sequences[0].ofCode)
+		if debugEncoder {
+			println("ofEnc.useRLE")
+		}
+	} else {
+		var m seqCompMode
+		ofEnc, m = chooseComp(ofEnc, b.coders.ofPrev, &fsePredefEnc[tableOffsets])
+		mode |= uint8(m) << 4
+	}
+
+	if mlEnc.useRLE {
+		mode |= uint8(compModeRLE) << 2
+		mlEnc.setRLE(b.sequences[0].mlCode)
+		if debugEncoder {
+			println("mlEnc.useRLE, code: ", b.sequences[0].mlCode, "value", b.sequences[0].matchLen)
+		}
+	} else {
+		var m seqCompMode
+		mlEnc, m = chooseComp(mlEnc, b.coders.mlPrev, &fsePredefEnc[tableMatchLengths])
+		mode |= uint8(m) << 2
+	}
+	b.output = append(b.output, mode)
+	if debugEncoder {
+		printf("Compression modes: 0b%b", mode)
+	}
+	b.output, err = llEnc.writeCount(b.output)
+	if err != nil {
+		return err
+	}
+	start := len(b.output)
+	b.output, err = ofEnc.writeCount(b.output)
+	if err != nil {
+		return err
+	}
+	if false {
+		println("block:", b.output[start:], "tablelog", ofEnc.actualTableLog, "maxcount:", ofEnc.maxCount)
+		fmt.Printf("selected TableLog: %d, Symbol length: %d\n", ofEnc.actualTableLog, ofEnc.symbolLen)
+		for i, v := range ofEnc.norm[:ofEnc.symbolLen] {
+			fmt.Printf("%3d: %5d -> %4d \n", i, ofEnc.count[i], v)
+		}
+	}
+	b.output, err = mlEnc.writeCount(b.output)
+	if err != nil {
+		return err
+	}
+
+	// Maybe in block?
+	wr := &b.wr
+	wr.reset(b.output)
+
+	var ll, of, ml cState
+
+	// Current sequence
+	seq := len(b.sequences) - 1
+	s := b.sequences[seq]
+	llEnc.setBits(llBitsTable[:])
+	mlEnc.setBits(mlBitsTable[:])
+	ofEnc.setBits(nil)
+
+	llTT, ofTT, mlTT := llEnc.ct.symbolTT[:256], ofEnc.ct.symbolTT[:256], mlEnc.ct.symbolTT[:256]
+
+	// We have 3 bounds checks here (and in the loop).
+	// Since we are iterating backwards it is kinda hard to avoid.
+	llB, ofB, mlB := llTT[s.llCode], ofTT[s.ofCode], mlTT[s.mlCode]
+	ll.init(wr, &llEnc.ct, llB)
+	of.init(wr, &ofEnc.ct, ofB)
+	wr.flush32()
+	ml.init(wr, &mlEnc.ct, mlB)
+
+	// Each of these lookups also generates a bounds check.
+	wr.addBits32NC(s.litLen, llB.outBits)
+	wr.addBits32NC(s.matchLen, mlB.outBits)
+	wr.flush32()
+	wr.addBits32NC(s.offset, ofB.outBits)
+	if debugSequences {
+		println("Encoded seq", seq, s, "codes:", s.llCode, s.mlCode, s.ofCode, "states:", ll.state, ml.state, of.state, "bits:", llB, mlB, ofB)
+	}
+	seq--
+	// Store sequences in reverse...
+	for seq >= 0 {
+		s = b.sequences[seq]
+
+		ofB := ofTT[s.ofCode]
+		wr.flush32() // tablelog max is below 8 for each, so it will fill max 24 bits.
+		//of.encode(ofB)
+		nbBitsOut := (uint32(of.state) + ofB.deltaNbBits) >> 16
+		dstState := int32(of.state>>(nbBitsOut&15)) + int32(ofB.deltaFindState)
+		wr.addBits16NC(of.state, uint8(nbBitsOut))
+		of.state = of.stateTable[dstState]
+
+		// Accumulate extra bits.
+		outBits := ofB.outBits & 31
+		extraBits := uint64(s.offset & bitMask32[outBits])
+		extraBitsN := outBits
+
+		mlB := mlTT[s.mlCode]
+		//ml.encode(mlB)
+		nbBitsOut = (uint32(ml.state) + mlB.deltaNbBits) >> 16
+		dstState = int32(ml.state>>(nbBitsOut&15)) + int32(mlB.deltaFindState)
+		wr.addBits16NC(ml.state, uint8(nbBitsOut))
+		ml.state = ml.stateTable[dstState]
+
+		outBits = mlB.outBits & 31
+		extraBits = extraBits<<outBits | uint64(s.matchLen&bitMask32[outBits])
+		extraBitsN += outBits
+
+		llB := llTT[s.llCode]
+		//ll.encode(llB)
+		nbBitsOut = (uint32(ll.state) + llB.deltaNbBits) >> 16
+		dstState = int32(ll.state>>(nbBitsOut&15)) + int32(llB.deltaFindState)
+		wr.addBits16NC(ll.state, uint8(nbBitsOut))
+		ll.state = ll.stateTable[dstState]
+
+		outBits = llB.outBits & 31
+		extraBits = extraBits<<outBits | uint64(s.litLen&bitMask32[outBits])
+		extraBitsN += outBits
+
+		wr.flush32()
+		wr.addBits64NC(extraBits, extraBitsN)
+
+		if debugSequences {
+			println("Encoded seq", seq, s)
+		}
+
+		seq--
+	}
+	ml.flush(mlEnc.actualTableLog)
+	of.flush(ofEnc.actualTableLog)
+	ll.flush(llEnc.actualTableLog)
+	wr.close()
+	b.output = wr.out
+
+	// Maybe even add a bigger margin.
+	if len(b.output)-3-bhOffset >= b.size {
+		// Discard and encode as raw block.
+		b.output = b.encodeRawTo(b.output[:bhOffset], org)
+		b.popOffsets()
+		b.litEnc.Reuse = huff0.ReusePolicyNone
+		return nil
+	}
+
+	// Size is output minus block header.
+	bh.setSize(uint32(len(b.output)-bhOffset) - 3)
+	if debugEncoder {
+		println("Rewriting block header", bh)
+	}
+	_ = bh.appendTo(b.output[bhOffset:bhOffset])
+	b.coders.setPrev(llEnc, mlEnc, ofEnc)
+	return nil
+}
+
+var errIncompressible = errors.New("incompressible")
+
+func (b *blockEnc) genCodes() {
+	if len(b.sequences) == 0 {
+		// nothing to do
+		return
+	}
+	if len(b.sequences) > math.MaxUint16 {
+		panic("can only encode up to 64K sequences")
+	}
+	// No bounds checks after here:
+	llH := b.coders.llEnc.Histogram()
+	ofH := b.coders.ofEnc.Histogram()
+	mlH := b.coders.mlEnc.Histogram()
+	for i := range llH {
+		llH[i] = 0
+	}
+	for i := range ofH {
+		ofH[i] = 0
+	}
+	for i := range mlH {
+		mlH[i] = 0
+	}
+
+	var llMax, ofMax, mlMax uint8
+	for i := range b.sequences {
+		seq := &b.sequences[i]
+		v := llCode(seq.litLen)
+		seq.llCode = v
+		llH[v]++
+		if v > llMax {
+			llMax = v
+		}
+
+		v = ofCode(seq.offset)
+		seq.ofCode = v
+		ofH[v]++
+		if v > ofMax {
+			ofMax = v
+		}
+
+		v = mlCode(seq.matchLen)
+		seq.mlCode = v
+		mlH[v]++
+		if v > mlMax {
+			mlMax = v
+			if debugAsserts && mlMax > maxMatchLengthSymbol {
+				panic(fmt.Errorf("mlMax > maxMatchLengthSymbol (%d), matchlen: %d", mlMax, seq.matchLen))
+			}
+		}
+	}
+	if debugAsserts && mlMax > maxMatchLengthSymbol {
+		panic(fmt.Errorf("mlMax > maxMatchLengthSymbol (%d)", mlMax))
+	}
+	if debugAsserts && ofMax > maxOffsetBits {
+		panic(fmt.Errorf("ofMax > maxOffsetBits (%d)", ofMax))
+	}
+	if debugAsserts && llMax > maxLiteralLengthSymbol {
+		panic(fmt.Errorf("llMax > maxLiteralLengthSymbol (%d)", llMax))
+	}
+
+	b.coders.mlEnc.HistogramFinished(mlMax, int(slices.Max(mlH[:mlMax+1])))
+	b.coders.ofEnc.HistogramFinished(ofMax, int(slices.Max(ofH[:ofMax+1])))
+	b.coders.llEnc.HistogramFinished(llMax, int(slices.Max(llH[:llMax+1])))
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/blocktype_string.go b/vendor/github.com/klauspost/compress/zstd/blocktype_string.go
new file mode 100644
index 0000000000..01a01e486e
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/blocktype_string.go
@@ -0,0 +1,85 @@
+// Code generated by "stringer -type=blockType,literalsBlockType,seqCompMode,tableIndex"; DO NOT EDIT.
+
+package zstd
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[blockTypeRaw-0]
+	_ = x[blockTypeRLE-1]
+	_ = x[blockTypeCompressed-2]
+	_ = x[blockTypeReserved-3]
+}
+
+const _blockType_name = "blockTypeRawblockTypeRLEblockTypeCompressedblockTypeReserved"
+
+var _blockType_index = [...]uint8{0, 12, 24, 43, 60}
+
+func (i blockType) String() string {
+	if i >= blockType(len(_blockType_index)-1) {
+		return "blockType(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _blockType_name[_blockType_index[i]:_blockType_index[i+1]]
+}
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[literalsBlockRaw-0]
+	_ = x[literalsBlockRLE-1]
+	_ = x[literalsBlockCompressed-2]
+	_ = x[literalsBlockTreeless-3]
+}
+
+const _literalsBlockType_name = "literalsBlockRawliteralsBlockRLEliteralsBlockCompressedliteralsBlockTreeless"
+
+var _literalsBlockType_index = [...]uint8{0, 16, 32, 55, 76}
+
+func (i literalsBlockType) String() string {
+	if i >= literalsBlockType(len(_literalsBlockType_index)-1) {
+		return "literalsBlockType(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _literalsBlockType_name[_literalsBlockType_index[i]:_literalsBlockType_index[i+1]]
+}
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[compModePredefined-0]
+	_ = x[compModeRLE-1]
+	_ = x[compModeFSE-2]
+	_ = x[compModeRepeat-3]
+}
+
+const _seqCompMode_name = "compModePredefinedcompModeRLEcompModeFSEcompModeRepeat"
+
+var _seqCompMode_index = [...]uint8{0, 18, 29, 40, 54}
+
+func (i seqCompMode) String() string {
+	if i >= seqCompMode(len(_seqCompMode_index)-1) {
+		return "seqCompMode(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _seqCompMode_name[_seqCompMode_index[i]:_seqCompMode_index[i+1]]
+}
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[tableLiteralLengths-0]
+	_ = x[tableOffsets-1]
+	_ = x[tableMatchLengths-2]
+}
+
+const _tableIndex_name = "tableLiteralLengthstableOffsetstableMatchLengths"
+
+var _tableIndex_index = [...]uint8{0, 19, 31, 48}
+
+func (i tableIndex) String() string {
+	if i >= tableIndex(len(_tableIndex_index)-1) {
+		return "tableIndex(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _tableIndex_name[_tableIndex_index[i]:_tableIndex_index[i+1]]
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/bytebuf.go b/vendor/github.com/klauspost/compress/zstd/bytebuf.go
new file mode 100644
index 0000000000..55a388553d
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/bytebuf.go
@@ -0,0 +1,131 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"fmt"
+	"io"
+)
+
+type byteBuffer interface {
+	// Read up to 8 bytes.
+	// Returns io.ErrUnexpectedEOF if this cannot be satisfied.
+	readSmall(n int) ([]byte, error)
+
+	// Read >8 bytes.
+	// MAY use the destination slice.
+	readBig(n int, dst []byte) ([]byte, error)
+
+	// Read a single byte.
+	readByte() (byte, error)
+
+	// Skip n bytes.
+	skipN(n int64) error
+}
+
+// in-memory buffer
+type byteBuf []byte
+
+func (b *byteBuf) readSmall(n int) ([]byte, error) {
+	if debugAsserts && n > 8 {
+		panic(fmt.Errorf("small read > 8 (%d). use readBig", n))
+	}
+	bb := *b
+	if len(bb) < n {
+		return nil, io.ErrUnexpectedEOF
+	}
+	r := bb[:n]
+	*b = bb[n:]
+	return r, nil
+}
+
+func (b *byteBuf) readBig(n int, dst []byte) ([]byte, error) {
+	bb := *b
+	if len(bb) < n {
+		return nil, io.ErrUnexpectedEOF
+	}
+	r := bb[:n]
+	*b = bb[n:]
+	return r, nil
+}
+
+func (b *byteBuf) readByte() (byte, error) {
+	bb := *b
+	if len(bb) < 1 {
+		return 0, io.ErrUnexpectedEOF
+	}
+	r := bb[0]
+	*b = bb[1:]
+	return r, nil
+}
+
+func (b *byteBuf) skipN(n int64) error {
+	bb := *b
+	if n < 0 {
+		return fmt.Errorf("negative skip (%d) requested", n)
+	}
+	if int64(len(bb)) < n {
+		return io.ErrUnexpectedEOF
+	}
+	*b = bb[n:]
+	return nil
+}
+
+// wrapper around a reader.
+type readerWrapper struct {
+	r   io.Reader
+	tmp [8]byte
+}
+
+func (r *readerWrapper) readSmall(n int) ([]byte, error) {
+	if debugAsserts && n > 8 {
+		panic(fmt.Errorf("small read > 8 (%d). use readBig", n))
+	}
+	n2, err := io.ReadFull(r.r, r.tmp[:n])
+	// We only really care about the actual bytes read.
+	if err != nil {
+		if err == io.EOF {
+			return nil, io.ErrUnexpectedEOF
+		}
+		if debugDecoder {
+			println("readSmall: got", n2, "want", n, "err", err)
+		}
+		return nil, err
+	}
+	return r.tmp[:n], nil
+}
+
+func (r *readerWrapper) readBig(n int, dst []byte) ([]byte, error) {
+	if cap(dst) < n {
+		dst = make([]byte, n)
+	}
+	n2, err := io.ReadFull(r.r, dst[:n])
+	if err == io.EOF && n > 0 {
+		err = io.ErrUnexpectedEOF
+	}
+	return dst[:n2], err
+}
+
+func (r *readerWrapper) readByte() (byte, error) {
+	n2, err := io.ReadFull(r.r, r.tmp[:1])
+	if err != nil {
+		if err == io.EOF {
+			err = io.ErrUnexpectedEOF
+		}
+		return 0, err
+	}
+	if n2 != 1 {
+		return 0, io.ErrUnexpectedEOF
+	}
+	return r.tmp[0], nil
+}
+
+func (r *readerWrapper) skipN(n int64) error {
+	n2, err := io.CopyN(io.Discard, r.r, n)
+	if n2 != n {
+		err = io.ErrUnexpectedEOF
+	}
+	return err
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/bytereader.go b/vendor/github.com/klauspost/compress/zstd/bytereader.go
new file mode 100644
index 0000000000..0e59a242d8
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/bytereader.go
@@ -0,0 +1,82 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+// byteReader provides a byte reader that reads
+// little endian values from a byte stream.
+// The input stream is manually advanced.
+// The reader performs no bounds checks.
+type byteReader struct {
+	b   []byte
+	off int
+}
+
+// advance the stream b n bytes.
+func (b *byteReader) advance(n uint) {
+	b.off += int(n)
+}
+
+// overread returns whether we have advanced too far.
+func (b *byteReader) overread() bool {
+	return b.off > len(b.b)
+}
+
+// Int32 returns a little endian int32 starting at current offset.
+func (b byteReader) Int32() int32 {
+	b2 := b.b[b.off:]
+	b2 = b2[:4]
+	v3 := int32(b2[3])
+	v2 := int32(b2[2])
+	v1 := int32(b2[1])
+	v0 := int32(b2[0])
+	return v0 | (v1 << 8) | (v2 << 16) | (v3 << 24)
+}
+
+// Uint8 returns the next byte
+func (b *byteReader) Uint8() uint8 {
+	v := b.b[b.off]
+	return v
+}
+
+// Uint32 returns a little endian uint32 starting at current offset.
+func (b byteReader) Uint32() uint32 {
+	if r := b.remain(); r < 4 {
+		// Very rare
+		v := uint32(0)
+		for i := 1; i <= r; i++ {
+			v = (v << 8) | uint32(b.b[len(b.b)-i])
+		}
+		return v
+	}
+	b2 := b.b[b.off:]
+	b2 = b2[:4]
+	v3 := uint32(b2[3])
+	v2 := uint32(b2[2])
+	v1 := uint32(b2[1])
+	v0 := uint32(b2[0])
+	return v0 | (v1 << 8) | (v2 << 16) | (v3 << 24)
+}
+
+// Uint32NC returns a little endian uint32 starting at current offset.
+// The caller must be sure if there are at least 4 bytes left.
+func (b byteReader) Uint32NC() uint32 {
+	b2 := b.b[b.off:]
+	b2 = b2[:4]
+	v3 := uint32(b2[3])
+	v2 := uint32(b2[2])
+	v1 := uint32(b2[1])
+	v0 := uint32(b2[0])
+	return v0 | (v1 << 8) | (v2 << 16) | (v3 << 24)
+}
+
+// unread returns the unread portion of the input.
+func (b byteReader) unread() []byte {
+	return b.b[b.off:]
+}
+
+// remain will return the number of bytes remaining.
+func (b byteReader) remain() int {
+	return len(b.b) - b.off
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/decodeheader.go b/vendor/github.com/klauspost/compress/zstd/decodeheader.go
new file mode 100644
index 0000000000..6a5a2988b6
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/decodeheader.go
@@ -0,0 +1,261 @@
+// Copyright 2020+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+
+package zstd
+
+import (
+	"encoding/binary"
+	"errors"
+	"io"
+)
+
+// HeaderMaxSize is the maximum size of a Frame and Block Header.
+// If less is sent to Header.Decode it *may* still contain enough information.
+const HeaderMaxSize = 14 + 3
+
+// Header contains information about the first frame and block within that.
+type Header struct {
+	// SingleSegment specifies whether the data is to be decompressed into a
+	// single contiguous memory segment.
+	// It implies that WindowSize is invalid and that FrameContentSize is valid.
+	SingleSegment bool
+
+	// WindowSize is the window of data to keep while decoding.
+	// Will only be set if SingleSegment is false.
+	WindowSize uint64
+
+	// Dictionary ID.
+	// If 0, no dictionary.
+	DictionaryID uint32
+
+	// HasFCS specifies whether FrameContentSize has a valid value.
+	HasFCS bool
+
+	// FrameContentSize is the expected uncompressed size of the entire frame.
+	FrameContentSize uint64
+
+	// Skippable will be true if the frame is meant to be skipped.
+	// This implies that FirstBlock.OK is false.
+	Skippable bool
+
+	// SkippableID is the user-specific ID for the skippable frame.
+	// Valid values are between 0 to 15, inclusive.
+	SkippableID int
+
+	// SkippableSize is the length of the user data to skip following
+	// the header.
+	SkippableSize uint32
+
+	// HeaderSize is the raw size of the frame header.
+	//
+	// For normal frames, it includes the size of the magic number and
+	// the size of the header (per section 3.1.1.1).
+	// It does not include the size for any data blocks (section 3.1.1.2) nor
+	// the size for the trailing content checksum.
+	//
+	// For skippable frames, this counts the size of the magic number
+	// along with the size of the size field of the payload.
+	// It does not include the size of the skippable payload itself.
+	// The total frame size is the HeaderSize plus the SkippableSize.
+	HeaderSize int
+
+	// First block information.
+	FirstBlock struct {
+		// OK will be set if first block could be decoded.
+		OK bool
+
+		// Is this the last block of a frame?
+		Last bool
+
+		// Is the data compressed?
+		// If true CompressedSize will be populated.
+		// Unfortunately DecompressedSize cannot be determined
+		// without decoding the blocks.
+		Compressed bool
+
+		// DecompressedSize is the expected decompressed size of the block.
+		// Will be 0 if it cannot be determined.
+		DecompressedSize int
+
+		// CompressedSize of the data in the block.
+		// Does not include the block header.
+		// Will be equal to DecompressedSize if not Compressed.
+		CompressedSize int
+	}
+
+	// If set there is a checksum present for the block content.
+	// The checksum field at the end is always 4 bytes long.
+	HasCheckSum bool
+}
+
+// Decode the header from the beginning of the stream.
+// This will decode the frame header and the first block header if enough bytes are provided.
+// It is recommended to provide at least HeaderMaxSize bytes.
+// If the frame header cannot be read an error will be returned.
+// If there isn't enough input, io.ErrUnexpectedEOF is returned.
+// The FirstBlock.OK will indicate if enough information was available to decode the first block header.
+func (h *Header) Decode(in []byte) error {
+	_, err := h.DecodeAndStrip(in)
+	return err
+}
+
+// DecodeAndStrip will decode the header from the beginning of the stream
+// and on success return the remaining bytes.
+// This will decode the frame header and the first block header if enough bytes are provided.
+// It is recommended to provide at least HeaderMaxSize bytes.
+// If the frame header cannot be read an error will be returned.
+// If there isn't enough input, io.ErrUnexpectedEOF is returned.
+// The FirstBlock.OK will indicate if enough information was available to decode the first block header.
+func (h *Header) DecodeAndStrip(in []byte) (remain []byte, err error) {
+	*h = Header{}
+	if len(in) < 4 {
+		return nil, io.ErrUnexpectedEOF
+	}
+	h.HeaderSize += 4
+	b, in := in[:4], in[4:]
+	if string(b) != frameMagic {
+		if string(b[1:4]) != skippableFrameMagic || b[0]&0xf0 != 0x50 {
+			return nil, ErrMagicMismatch
+		}
+		if len(in) < 4 {
+			return nil, io.ErrUnexpectedEOF
+		}
+		h.HeaderSize += 4
+		h.Skippable = true
+		h.SkippableID = int(b[0] & 0xf)
+		h.SkippableSize = binary.LittleEndian.Uint32(in)
+		return in[4:], nil
+	}
+
+	// Read Window_Descriptor
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#window_descriptor
+	if len(in) < 1 {
+		return nil, io.ErrUnexpectedEOF
+	}
+	fhd, in := in[0], in[1:]
+	h.HeaderSize++
+	h.SingleSegment = fhd&(1<<5) != 0
+	h.HasCheckSum = fhd&(1<<2) != 0
+	if fhd&(1<<3) != 0 {
+		return nil, errors.New("reserved bit set on frame header")
+	}
+
+	if !h.SingleSegment {
+		if len(in) < 1 {
+			return nil, io.ErrUnexpectedEOF
+		}
+		var wd byte
+		wd, in = in[0], in[1:]
+		h.HeaderSize++
+		windowLog := 10 + (wd >> 3)
+		windowBase := uint64(1) << windowLog
+		windowAdd := (windowBase / 8) * uint64(wd&0x7)
+		h.WindowSize = windowBase + windowAdd
+	}
+
+	// Read Dictionary_ID
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#dictionary_id
+	if size := fhd & 3; size != 0 {
+		if size == 3 {
+			size = 4
+		}
+		if len(in) < int(size) {
+			return nil, io.ErrUnexpectedEOF
+		}
+		b, in = in[:size], in[size:]
+		h.HeaderSize += int(size)
+		switch len(b) {
+		case 1:
+			h.DictionaryID = uint32(b[0])
+		case 2:
+			h.DictionaryID = uint32(b[0]) | (uint32(b[1]) << 8)
+		case 4:
+			h.DictionaryID = uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24)
+		}
+	}
+
+	// Read Frame_Content_Size
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#frame_content_size
+	var fcsSize int
+	v := fhd >> 6
+	switch v {
+	case 0:
+		if h.SingleSegment {
+			fcsSize = 1
+		}
+	default:
+		fcsSize = 1 << v
+	}
+
+	if fcsSize > 0 {
+		h.HasFCS = true
+		if len(in) < fcsSize {
+			return nil, io.ErrUnexpectedEOF
+		}
+		b, in = in[:fcsSize], in[fcsSize:]
+		h.HeaderSize += int(fcsSize)
+		switch len(b) {
+		case 1:
+			h.FrameContentSize = uint64(b[0])
+		case 2:
+			// When FCS_Field_Size is 2, the offset of 256 is added.
+			h.FrameContentSize = uint64(b[0]) | (uint64(b[1]) << 8) + 256
+		case 4:
+			h.FrameContentSize = uint64(b[0]) | (uint64(b[1]) << 8) | (uint64(b[2]) << 16) | (uint64(b[3]) << 24)
+		case 8:
+			d1 := uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24)
+			d2 := uint32(b[4]) | (uint32(b[5]) << 8) | (uint32(b[6]) << 16) | (uint32(b[7]) << 24)
+			h.FrameContentSize = uint64(d1) | (uint64(d2) << 32)
+		}
+	}
+
+	// Frame Header done, we will not fail from now on.
+	if len(in) < 3 {
+		return in, nil
+	}
+	tmp := in[:3]
+	bh := uint32(tmp[0]) | (uint32(tmp[1]) << 8) | (uint32(tmp[2]) << 16)
+	h.FirstBlock.Last = bh&1 != 0
+	blockType := blockType((bh >> 1) & 3)
+	// find size.
+	cSize := int(bh >> 3)
+	switch blockType {
+	case blockTypeReserved:
+		return in, nil
+	case blockTypeRLE:
+		h.FirstBlock.Compressed = true
+		h.FirstBlock.DecompressedSize = cSize
+		h.FirstBlock.CompressedSize = 1
+	case blockTypeCompressed:
+		h.FirstBlock.Compressed = true
+		h.FirstBlock.CompressedSize = cSize
+	case blockTypeRaw:
+		h.FirstBlock.DecompressedSize = cSize
+		h.FirstBlock.CompressedSize = cSize
+	default:
+		panic("Invalid block type")
+	}
+
+	h.FirstBlock.OK = true
+	return in, nil
+}
+
+// AppendTo will append the encoded header to the dst slice.
+// There is no error checking performed on the header values.
+func (h *Header) AppendTo(dst []byte) ([]byte, error) {
+	if h.Skippable {
+		magic := [4]byte{0x50, 0x2a, 0x4d, 0x18}
+		magic[0] |= byte(h.SkippableID & 0xf)
+		dst = append(dst, magic[:]...)
+		f := h.SkippableSize
+		return append(dst, uint8(f), uint8(f>>8), uint8(f>>16), uint8(f>>24)), nil
+	}
+	f := frameHeader{
+		ContentSize:   h.FrameContentSize,
+		WindowSize:    uint32(h.WindowSize),
+		SingleSegment: h.SingleSegment,
+		Checksum:      h.HasCheckSum,
+		DictID:        h.DictionaryID,
+	}
+	return f.appendTo(dst), nil
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/decoder.go b/vendor/github.com/klauspost/compress/zstd/decoder.go
new file mode 100644
index 0000000000..ea2a19376c
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/decoder.go
@@ -0,0 +1,949 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"context"
+	"encoding/binary"
+	"io"
+	"sync"
+
+	"github.com/klauspost/compress/zstd/internal/xxhash"
+)
+
+// Decoder provides decoding of zstandard streams.
+// The decoder has been designed to operate without allocations after a warmup.
+// This means that you should store the decoder for best performance.
+// To re-use a stream decoder, use the Reset(r io.Reader) error to switch to another stream.
+// A decoder can safely be re-used even if the previous stream failed.
+// To release the resources, you must call the Close() function on a decoder.
+type Decoder struct {
+	o decoderOptions
+
+	// Unreferenced decoders, ready for use.
+	decoders chan *blockDec
+
+	// Current read position used for Reader functionality.
+	current decoderState
+
+	// sync stream decoding
+	syncStream struct {
+		decodedFrame uint64
+		br           readerWrapper
+		enabled      bool
+		inFrame      bool
+		dstBuf       []byte
+	}
+
+	frame *frameDec
+
+	// Custom dictionaries.
+	dicts map[uint32]*dict
+
+	// streamWg is the waitgroup for all streams
+	streamWg sync.WaitGroup
+}
+
+// decoderState is used for maintaining state when the decoder
+// is used for streaming.
+type decoderState struct {
+	// current block being written to stream.
+	decodeOutput
+
+	// output in order to be written to stream.
+	output chan decodeOutput
+
+	// cancel remaining output.
+	cancel context.CancelFunc
+
+	// crc of current frame
+	crc *xxhash.Digest
+
+	flushed bool
+}
+
+var (
+	// Check the interfaces we want to support.
+	_ = io.WriterTo(&Decoder{})
+	_ = io.Reader(&Decoder{})
+)
+
+// NewReader creates a new decoder.
+// A nil Reader can be provided in which case Reset can be used to start a decode.
+//
+// A Decoder can be used in two modes:
+//
+// 1) As a stream, or
+// 2) For stateless decoding using DecodeAll.
+//
+// Only a single stream can be decoded concurrently, but the same decoder
+// can run multiple concurrent stateless decodes. It is even possible to
+// use stateless decodes while a stream is being decoded.
+//
+// The Reset function can be used to initiate a new stream, which will considerably
+// reduce the allocations normally caused by NewReader.
+func NewReader(r io.Reader, opts ...DOption) (*Decoder, error) {
+	initPredefined()
+	var d Decoder
+	d.o.setDefault()
+	for _, o := range opts {
+		err := o(&d.o)
+		if err != nil {
+			return nil, err
+		}
+	}
+	d.current.crc = xxhash.New()
+	d.current.flushed = true
+
+	if r == nil {
+		d.current.err = ErrDecoderNilInput
+	}
+
+	// Transfer option dicts.
+	d.dicts = make(map[uint32]*dict, len(d.o.dicts))
+	for _, dc := range d.o.dicts {
+		d.dicts[dc.id] = dc
+	}
+	d.o.dicts = nil
+
+	// Create decoders
+	d.decoders = make(chan *blockDec, d.o.concurrent)
+	for i := 0; i < d.o.concurrent; i++ {
+		dec := newBlockDec(d.o.lowMem)
+		dec.localFrame = newFrameDec(d.o)
+		d.decoders <- dec
+	}
+
+	if r == nil {
+		return &d, nil
+	}
+	return &d, d.Reset(r)
+}
+
+// Read bytes from the decompressed stream into p.
+// Returns the number of bytes read and any error that occurred.
+// When the stream is done, io.EOF will be returned.
+func (d *Decoder) Read(p []byte) (int, error) {
+	var n int
+	for {
+		if len(d.current.b) > 0 {
+			filled := copy(p, d.current.b)
+			p = p[filled:]
+			d.current.b = d.current.b[filled:]
+			n += filled
+		}
+		if len(p) == 0 {
+			break
+		}
+		if len(d.current.b) == 0 {
+			// We have an error and no more data
+			if d.current.err != nil {
+				break
+			}
+			if !d.nextBlock(n == 0) {
+				return n, d.current.err
+			}
+		}
+	}
+	if len(d.current.b) > 0 {
+		if debugDecoder {
+			println("returning", n, "still bytes left:", len(d.current.b))
+		}
+		// Only return error at end of block
+		return n, nil
+	}
+	if d.current.err != nil {
+		d.drainOutput()
+	}
+	if debugDecoder {
+		println("returning", n, d.current.err, len(d.decoders))
+	}
+	return n, d.current.err
+}
+
+// Reset will reset the decoder the supplied stream after the current has finished processing.
+// Note that this functionality cannot be used after Close has been called.
+// Reset can be called with a nil reader to release references to the previous reader.
+// After being called with a nil reader, no other operations than Reset or DecodeAll or Close
+// should be used.
+func (d *Decoder) Reset(r io.Reader) error {
+	if d.current.err == ErrDecoderClosed {
+		return d.current.err
+	}
+
+	d.drainOutput()
+
+	d.syncStream.br.r = nil
+	if r == nil {
+		d.current.err = ErrDecoderNilInput
+		if len(d.current.b) > 0 {
+			d.current.b = d.current.b[:0]
+		}
+		d.current.flushed = true
+		return nil
+	}
+
+	// If bytes buffer and < 5MB, do sync decoding anyway.
+	if bb, ok := r.(byter); ok && bb.Len() < d.o.decodeBufsBelow && !d.o.limitToCap {
+		bb2 := bb
+		if debugDecoder {
+			println("*bytes.Buffer detected, doing sync decode, len:", bb.Len())
+		}
+		b := bb2.Bytes()
+		var dst []byte
+		if cap(d.syncStream.dstBuf) > 0 {
+			dst = d.syncStream.dstBuf[:0]
+		}
+
+		dst, err := d.DecodeAll(b, dst)
+		if err == nil {
+			err = io.EOF
+		}
+		// Save output buffer
+		d.syncStream.dstBuf = dst
+		d.current.b = dst
+		d.current.err = err
+		d.current.flushed = true
+		if debugDecoder {
+			println("sync decode to", len(dst), "bytes, err:", err)
+		}
+		return nil
+	}
+	// Remove current block.
+	d.stashDecoder()
+	d.current.decodeOutput = decodeOutput{}
+	d.current.err = nil
+	d.current.flushed = false
+	d.current.d = nil
+	d.syncStream.dstBuf = nil
+
+	// Ensure no-one else is still running...
+	d.streamWg.Wait()
+	if d.frame == nil {
+		d.frame = newFrameDec(d.o)
+	}
+
+	if d.o.concurrent == 1 {
+		return d.startSyncDecoder(r)
+	}
+
+	d.current.output = make(chan decodeOutput, d.o.concurrent)
+	ctx, cancel := context.WithCancel(context.Background())
+	d.current.cancel = cancel
+	d.streamWg.Add(1)
+	go d.startStreamDecoder(ctx, r, d.current.output)
+
+	return nil
+}
+
+// drainOutput will drain the output until errEndOfStream is sent.
+func (d *Decoder) drainOutput() {
+	if d.current.cancel != nil {
+		if debugDecoder {
+			println("cancelling current")
+		}
+		d.current.cancel()
+		d.current.cancel = nil
+	}
+	if d.current.d != nil {
+		if debugDecoder {
+			printf("re-adding current decoder %p, decoders: %d", d.current.d, len(d.decoders))
+		}
+		d.decoders <- d.current.d
+		d.current.d = nil
+		d.current.b = nil
+	}
+	if d.current.output == nil || d.current.flushed {
+		println("current already flushed")
+		return
+	}
+	for v := range d.current.output {
+		if v.d != nil {
+			if debugDecoder {
+				printf("re-adding decoder %p", v.d)
+			}
+			d.decoders <- v.d
+		}
+	}
+	d.current.output = nil
+	d.current.flushed = true
+}
+
+// WriteTo writes data to w until there's no more data to write or when an error occurs.
+// The return value n is the number of bytes written.
+// Any error encountered during the write is also returned.
+func (d *Decoder) WriteTo(w io.Writer) (int64, error) {
+	var n int64
+	for {
+		if len(d.current.b) > 0 {
+			n2, err2 := w.Write(d.current.b)
+			n += int64(n2)
+			if err2 != nil && (d.current.err == nil || d.current.err == io.EOF) {
+				d.current.err = err2
+			} else if n2 != len(d.current.b) {
+				d.current.err = io.ErrShortWrite
+			}
+		}
+		if d.current.err != nil {
+			break
+		}
+		d.nextBlock(true)
+	}
+	err := d.current.err
+	if err != nil {
+		d.drainOutput()
+	}
+	if err == io.EOF {
+		err = nil
+	}
+	return n, err
+}
+
+// DecodeAll allows stateless decoding of a blob of bytes.
+// Output will be appended to dst, so if the destination size is known
+// you can pre-allocate the destination slice to avoid allocations.
+// DecodeAll can be used concurrently.
+// The Decoder concurrency limits will be respected.
+func (d *Decoder) DecodeAll(input, dst []byte) ([]byte, error) {
+	if d.decoders == nil {
+		return dst, ErrDecoderClosed
+	}
+
+	// Grab a block decoder and frame decoder.
+	block := <-d.decoders
+	frame := block.localFrame
+	initialSize := len(dst)
+	defer func() {
+		if debugDecoder {
+			printf("re-adding decoder: %p", block)
+		}
+		frame.rawInput = nil
+		frame.bBuf = nil
+		if frame.history.decoders.br != nil {
+			frame.history.decoders.br.in = nil
+			frame.history.decoders.br.cursor = 0
+		}
+		d.decoders <- block
+	}()
+	frame.bBuf = input
+
+	for {
+		frame.history.reset()
+		err := frame.reset(&frame.bBuf)
+		if err != nil {
+			if err == io.EOF {
+				if debugDecoder {
+					println("frame reset return EOF")
+				}
+				return dst, nil
+			}
+			return dst, err
+		}
+		if err = d.setDict(frame); err != nil {
+			return nil, err
+		}
+		if frame.WindowSize > d.o.maxWindowSize {
+			if debugDecoder {
+				println("window size exceeded:", frame.WindowSize, ">", d.o.maxWindowSize)
+			}
+			return dst, ErrWindowSizeExceeded
+		}
+		if frame.FrameContentSize != fcsUnknown {
+			if frame.FrameContentSize > d.o.maxDecodedSize-uint64(len(dst)-initialSize) {
+				if debugDecoder {
+					println("decoder size exceeded; fcs:", frame.FrameContentSize, "> mcs:", d.o.maxDecodedSize-uint64(len(dst)-initialSize), "len:", len(dst))
+				}
+				return dst, ErrDecoderSizeExceeded
+			}
+			if d.o.limitToCap && frame.FrameContentSize > uint64(cap(dst)-len(dst)) {
+				if debugDecoder {
+					println("decoder size exceeded; fcs:", frame.FrameContentSize, "> (cap-len)", cap(dst)-len(dst))
+				}
+				return dst, ErrDecoderSizeExceeded
+			}
+			if cap(dst)-len(dst) < int(frame.FrameContentSize) {
+				dst2 := make([]byte, len(dst), len(dst)+int(frame.FrameContentSize)+compressedBlockOverAlloc)
+				copy(dst2, dst)
+				dst = dst2
+			}
+		}
+
+		if cap(dst) == 0 && !d.o.limitToCap {
+			// Allocate len(input) * 2 by default if nothing is provided
+			// and we didn't get frame content size.
+			size := len(input) * 2
+			// Cap to 1 MB.
+			if size > 1<<20 {
+				size = 1 << 20
+			}
+			if uint64(size) > d.o.maxDecodedSize {
+				size = int(d.o.maxDecodedSize)
+			}
+			dst = make([]byte, 0, size)
+		}
+
+		dst, err = frame.runDecoder(dst, block)
+		if err != nil {
+			return dst, err
+		}
+		if uint64(len(dst)-initialSize) > d.o.maxDecodedSize {
+			return dst, ErrDecoderSizeExceeded
+		}
+		if len(frame.bBuf) == 0 {
+			if debugDecoder {
+				println("frame dbuf empty")
+			}
+			break
+		}
+	}
+	return dst, nil
+}
+
+// nextBlock returns the next block.
+// If an error occurs d.err will be set.
+// Optionally the function can block for new output.
+// If non-blocking mode is used the returned boolean will be false
+// if no data was available without blocking.
+func (d *Decoder) nextBlock(blocking bool) (ok bool) {
+	if d.current.err != nil {
+		// Keep error state.
+		return false
+	}
+	d.current.b = d.current.b[:0]
+
+	// SYNC:
+	if d.syncStream.enabled {
+		if !blocking {
+			return false
+		}
+		ok = d.nextBlockSync()
+		if !ok {
+			d.stashDecoder()
+		}
+		return ok
+	}
+
+	//ASYNC:
+	d.stashDecoder()
+	if blocking {
+		d.current.decodeOutput, ok = <-d.current.output
+	} else {
+		select {
+		case d.current.decodeOutput, ok = <-d.current.output:
+		default:
+			return false
+		}
+	}
+	if !ok {
+		// This should not happen, so signal error state...
+		d.current.err = io.ErrUnexpectedEOF
+		return false
+	}
+	next := d.current.decodeOutput
+	if next.d != nil && next.d.async.newHist != nil {
+		d.current.crc.Reset()
+	}
+	if debugDecoder {
+		var tmp [4]byte
+		binary.LittleEndian.PutUint32(tmp[:], uint32(xxhash.Sum64(next.b)))
+		println("got", len(d.current.b), "bytes, error:", d.current.err, "data crc:", tmp)
+	}
+
+	if d.o.ignoreChecksum {
+		return true
+	}
+
+	if len(next.b) > 0 {
+		d.current.crc.Write(next.b)
+	}
+	if next.err == nil && next.d != nil && next.d.hasCRC {
+		got := uint32(d.current.crc.Sum64())
+		if got != next.d.checkCRC {
+			if debugDecoder {
+				printf("CRC Check Failed: %08x (got) != %08x (on stream)\n", got, next.d.checkCRC)
+			}
+			d.current.err = ErrCRCMismatch
+		} else {
+			if debugDecoder {
+				printf("CRC ok %08x\n", got)
+			}
+		}
+	}
+
+	return true
+}
+
+func (d *Decoder) nextBlockSync() (ok bool) {
+	if d.current.d == nil {
+		d.current.d = <-d.decoders
+	}
+	for len(d.current.b) == 0 {
+		if !d.syncStream.inFrame {
+			d.frame.history.reset()
+			d.current.err = d.frame.reset(&d.syncStream.br)
+			if d.current.err == nil {
+				d.current.err = d.setDict(d.frame)
+			}
+			if d.current.err != nil {
+				return false
+			}
+			if d.frame.WindowSize > d.o.maxDecodedSize || d.frame.WindowSize > d.o.maxWindowSize {
+				d.current.err = ErrDecoderSizeExceeded
+				return false
+			}
+
+			d.syncStream.decodedFrame = 0
+			d.syncStream.inFrame = true
+		}
+		d.current.err = d.frame.next(d.current.d)
+		if d.current.err != nil {
+			return false
+		}
+		d.frame.history.ensureBlock()
+		if debugDecoder {
+			println("History trimmed:", len(d.frame.history.b), "decoded already:", d.syncStream.decodedFrame)
+		}
+		histBefore := len(d.frame.history.b)
+		d.current.err = d.current.d.decodeBuf(&d.frame.history)
+
+		if d.current.err != nil {
+			println("error after:", d.current.err)
+			return false
+		}
+		d.current.b = d.frame.history.b[histBefore:]
+		if debugDecoder {
+			println("history after:", len(d.frame.history.b))
+		}
+
+		// Check frame size (before CRC)
+		d.syncStream.decodedFrame += uint64(len(d.current.b))
+		if d.syncStream.decodedFrame > d.frame.FrameContentSize {
+			if debugDecoder {
+				printf("DecodedFrame (%d) > FrameContentSize (%d)\n", d.syncStream.decodedFrame, d.frame.FrameContentSize)
+			}
+			d.current.err = ErrFrameSizeExceeded
+			return false
+		}
+
+		// Check FCS
+		if d.current.d.Last && d.frame.FrameContentSize != fcsUnknown && d.syncStream.decodedFrame != d.frame.FrameContentSize {
+			if debugDecoder {
+				printf("DecodedFrame (%d) != FrameContentSize (%d)\n", d.syncStream.decodedFrame, d.frame.FrameContentSize)
+			}
+			d.current.err = ErrFrameSizeMismatch
+			return false
+		}
+
+		// Update/Check CRC
+		if d.frame.HasCheckSum {
+			if !d.o.ignoreChecksum {
+				d.frame.crc.Write(d.current.b)
+			}
+			if d.current.d.Last {
+				if !d.o.ignoreChecksum {
+					d.current.err = d.frame.checkCRC()
+				} else {
+					d.current.err = d.frame.consumeCRC()
+				}
+				if d.current.err != nil {
+					println("CRC error:", d.current.err)
+					return false
+				}
+			}
+		}
+		d.syncStream.inFrame = !d.current.d.Last
+	}
+	return true
+}
+
+func (d *Decoder) stashDecoder() {
+	if d.current.d != nil {
+		if debugDecoder {
+			printf("re-adding current decoder %p", d.current.d)
+		}
+		d.decoders <- d.current.d
+		d.current.d = nil
+	}
+}
+
+// Close will release all resources.
+// It is NOT possible to reuse the decoder after this.
+func (d *Decoder) Close() {
+	if d.current.err == ErrDecoderClosed {
+		return
+	}
+	d.drainOutput()
+	if d.current.cancel != nil {
+		d.current.cancel()
+		d.streamWg.Wait()
+		d.current.cancel = nil
+	}
+	if d.decoders != nil {
+		close(d.decoders)
+		for dec := range d.decoders {
+			dec.Close()
+		}
+		d.decoders = nil
+	}
+	if d.current.d != nil {
+		d.current.d.Close()
+		d.current.d = nil
+	}
+	d.current.err = ErrDecoderClosed
+}
+
+// IOReadCloser returns the decoder as an io.ReadCloser for convenience.
+// Any changes to the decoder will be reflected, so the returned ReadCloser
+// can be reused along with the decoder.
+// io.WriterTo is also supported by the returned ReadCloser.
+func (d *Decoder) IOReadCloser() io.ReadCloser {
+	return closeWrapper{d: d}
+}
+
+// closeWrapper wraps a function call as a closer.
+type closeWrapper struct {
+	d *Decoder
+}
+
+// WriteTo forwards WriteTo calls to the decoder.
+func (c closeWrapper) WriteTo(w io.Writer) (n int64, err error) {
+	return c.d.WriteTo(w)
+}
+
+// Read forwards read calls to the decoder.
+func (c closeWrapper) Read(p []byte) (n int, err error) {
+	return c.d.Read(p)
+}
+
+// Close closes the decoder.
+func (c closeWrapper) Close() error {
+	c.d.Close()
+	return nil
+}
+
+type decodeOutput struct {
+	d   *blockDec
+	b   []byte
+	err error
+}
+
+func (d *Decoder) startSyncDecoder(r io.Reader) error {
+	d.frame.history.reset()
+	d.syncStream.br = readerWrapper{r: r}
+	d.syncStream.inFrame = false
+	d.syncStream.enabled = true
+	d.syncStream.decodedFrame = 0
+	return nil
+}
+
+// Create Decoder:
+// ASYNC:
+// Spawn 3 go routines.
+// 0: Read frames and decode block literals.
+// 1: Decode sequences.
+// 2: Execute sequences, send to output.
+func (d *Decoder) startStreamDecoder(ctx context.Context, r io.Reader, output chan decodeOutput) {
+	defer d.streamWg.Done()
+	br := readerWrapper{r: r}
+
+	var seqDecode = make(chan *blockDec, d.o.concurrent)
+	var seqExecute = make(chan *blockDec, d.o.concurrent)
+
+	// Async 1: Decode sequences...
+	go func() {
+		var hist history
+		var hasErr bool
+
+		for block := range seqDecode {
+			if hasErr {
+				if block != nil {
+					seqExecute <- block
+				}
+				continue
+			}
+			if block.async.newHist != nil {
+				if debugDecoder {
+					println("Async 1: new history, recent:", block.async.newHist.recentOffsets)
+				}
+				hist.reset()
+				hist.decoders = block.async.newHist.decoders
+				hist.recentOffsets = block.async.newHist.recentOffsets
+				hist.windowSize = block.async.newHist.windowSize
+				if block.async.newHist.dict != nil {
+					hist.setDict(block.async.newHist.dict)
+				}
+			}
+			if block.err != nil || block.Type != blockTypeCompressed {
+				hasErr = block.err != nil
+				seqExecute <- block
+				continue
+			}
+
+			hist.decoders.literals = block.async.literals
+			block.err = block.prepareSequences(block.async.seqData, &hist)
+			if debugDecoder && block.err != nil {
+				println("prepareSequences returned:", block.err)
+			}
+			hasErr = block.err != nil
+			if block.err == nil {
+				block.err = block.decodeSequences(&hist)
+				if debugDecoder && block.err != nil {
+					println("decodeSequences returned:", block.err)
+				}
+				hasErr = block.err != nil
+				//				block.async.sequence = hist.decoders.seq[:hist.decoders.nSeqs]
+				block.async.seqSize = hist.decoders.seqSize
+			}
+			seqExecute <- block
+		}
+		close(seqExecute)
+		hist.reset()
+	}()
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	// Async 3: Execute sequences...
+	frameHistCache := d.frame.history.b
+	go func() {
+		var hist history
+		var decodedFrame uint64
+		var fcs uint64
+		var hasErr bool
+		for block := range seqExecute {
+			out := decodeOutput{err: block.err, d: block}
+			if block.err != nil || hasErr {
+				hasErr = true
+				output <- out
+				continue
+			}
+			if block.async.newHist != nil {
+				if debugDecoder {
+					println("Async 2: new history")
+				}
+				hist.reset()
+				hist.windowSize = block.async.newHist.windowSize
+				hist.allocFrameBuffer = block.async.newHist.allocFrameBuffer
+				if block.async.newHist.dict != nil {
+					hist.setDict(block.async.newHist.dict)
+				}
+
+				if cap(hist.b) < hist.allocFrameBuffer {
+					if cap(frameHistCache) >= hist.allocFrameBuffer {
+						hist.b = frameHistCache
+					} else {
+						hist.b = make([]byte, 0, hist.allocFrameBuffer)
+						println("Alloc history sized", hist.allocFrameBuffer)
+					}
+				}
+				hist.b = hist.b[:0]
+				fcs = block.async.fcs
+				decodedFrame = 0
+			}
+			do := decodeOutput{err: block.err, d: block}
+			switch block.Type {
+			case blockTypeRLE:
+				if debugDecoder {
+					println("add rle block length:", block.RLESize)
+				}
+
+				if cap(block.dst) < int(block.RLESize) {
+					if block.lowMem {
+						block.dst = make([]byte, block.RLESize)
+					} else {
+						block.dst = make([]byte, maxCompressedBlockSize)
+					}
+				}
+				block.dst = block.dst[:block.RLESize]
+				v := block.data[0]
+				for i := range block.dst {
+					block.dst[i] = v
+				}
+				hist.append(block.dst)
+				do.b = block.dst
+			case blockTypeRaw:
+				if debugDecoder {
+					println("add raw block length:", len(block.data))
+				}
+				hist.append(block.data)
+				do.b = block.data
+			case blockTypeCompressed:
+				if debugDecoder {
+					println("execute with history length:", len(hist.b), "window:", hist.windowSize)
+				}
+				hist.decoders.seqSize = block.async.seqSize
+				hist.decoders.literals = block.async.literals
+				do.err = block.executeSequences(&hist)
+				hasErr = do.err != nil
+				if debugDecoder && hasErr {
+					println("executeSequences returned:", do.err)
+				}
+				do.b = block.dst
+			}
+			if !hasErr {
+				decodedFrame += uint64(len(do.b))
+				if decodedFrame > fcs {
+					println("fcs exceeded", block.Last, fcs, decodedFrame)
+					do.err = ErrFrameSizeExceeded
+					hasErr = true
+				} else if block.Last && fcs != fcsUnknown && decodedFrame != fcs {
+					do.err = ErrFrameSizeMismatch
+					hasErr = true
+				} else {
+					if debugDecoder {
+						println("fcs ok", block.Last, fcs, decodedFrame)
+					}
+				}
+			}
+			output <- do
+		}
+		close(output)
+		frameHistCache = hist.b
+		wg.Done()
+		if debugDecoder {
+			println("decoder goroutines finished")
+		}
+		hist.reset()
+	}()
+
+	var hist history
+decodeStream:
+	for {
+		var hasErr bool
+		hist.reset()
+		decodeBlock := func(block *blockDec) {
+			if hasErr {
+				if block != nil {
+					seqDecode <- block
+				}
+				return
+			}
+			if block.err != nil || block.Type != blockTypeCompressed {
+				hasErr = block.err != nil
+				seqDecode <- block
+				return
+			}
+
+			remain, err := block.decodeLiterals(block.data, &hist)
+			block.err = err
+			hasErr = block.err != nil
+			if err == nil {
+				block.async.literals = hist.decoders.literals
+				block.async.seqData = remain
+			} else if debugDecoder {
+				println("decodeLiterals error:", err)
+			}
+			seqDecode <- block
+		}
+		frame := d.frame
+		if debugDecoder {
+			println("New frame...")
+		}
+		var historySent bool
+		frame.history.reset()
+		err := frame.reset(&br)
+		if debugDecoder && err != nil {
+			println("Frame decoder returned", err)
+		}
+		if err == nil {
+			err = d.setDict(frame)
+		}
+		if err == nil && d.frame.WindowSize > d.o.maxWindowSize {
+			if debugDecoder {
+				println("decoder size exceeded, fws:", d.frame.WindowSize, "> mws:", d.o.maxWindowSize)
+			}
+
+			err = ErrDecoderSizeExceeded
+		}
+		if err != nil {
+			select {
+			case <-ctx.Done():
+			case dec := <-d.decoders:
+				dec.sendErr(err)
+				decodeBlock(dec)
+			}
+			break decodeStream
+		}
+
+		// Go through all blocks of the frame.
+		for {
+			var dec *blockDec
+			select {
+			case <-ctx.Done():
+				break decodeStream
+			case dec = <-d.decoders:
+				// Once we have a decoder, we MUST return it.
+			}
+			err := frame.next(dec)
+			if !historySent {
+				h := frame.history
+				if debugDecoder {
+					println("Alloc History:", h.allocFrameBuffer)
+				}
+				hist.reset()
+				if h.dict != nil {
+					hist.setDict(h.dict)
+				}
+				dec.async.newHist = &h
+				dec.async.fcs = frame.FrameContentSize
+				historySent = true
+			} else {
+				dec.async.newHist = nil
+			}
+			if debugDecoder && err != nil {
+				println("next block returned error:", err)
+			}
+			dec.err = err
+			dec.hasCRC = false
+			if dec.Last && frame.HasCheckSum && err == nil {
+				crc, err := frame.rawInput.readSmall(4)
+				if len(crc) < 4 {
+					if err == nil {
+						err = io.ErrUnexpectedEOF
+
+					}
+					println("CRC missing?", err)
+					dec.err = err
+				} else {
+					dec.checkCRC = binary.LittleEndian.Uint32(crc)
+					dec.hasCRC = true
+					if debugDecoder {
+						printf("found crc to check: %08x\n", dec.checkCRC)
+					}
+				}
+			}
+			err = dec.err
+			last := dec.Last
+			decodeBlock(dec)
+			if err != nil {
+				break decodeStream
+			}
+			if last {
+				break
+			}
+		}
+	}
+	close(seqDecode)
+	wg.Wait()
+	hist.reset()
+	d.frame.history.b = frameHistCache
+}
+
+func (d *Decoder) setDict(frame *frameDec) (err error) {
+	dict, ok := d.dicts[frame.DictionaryID]
+	if ok {
+		if debugDecoder {
+			println("setting dict", frame.DictionaryID)
+		}
+		frame.history.setDict(dict)
+	} else if frame.DictionaryID != 0 {
+		// A zero or missing dictionary id is ambiguous:
+		// either dictionary zero, or no dictionary. In particular,
+		// zstd --patch-from uses this id for the source file,
+		// so only return an error if the dictionary id is not zero.
+		err = ErrUnknownDictionary
+	}
+	return err
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/decoder_options.go b/vendor/github.com/klauspost/compress/zstd/decoder_options.go
new file mode 100644
index 0000000000..774c5f00fe
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/decoder_options.go
@@ -0,0 +1,169 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"errors"
+	"fmt"
+	"math/bits"
+	"runtime"
+)
+
+// DOption is an option for creating a decoder.
+type DOption func(*decoderOptions) error
+
+// options retains accumulated state of multiple options.
+type decoderOptions struct {
+	lowMem          bool
+	concurrent      int
+	maxDecodedSize  uint64
+	maxWindowSize   uint64
+	dicts           []*dict
+	ignoreChecksum  bool
+	limitToCap      bool
+	decodeBufsBelow int
+}
+
+func (o *decoderOptions) setDefault() {
+	*o = decoderOptions{
+		// use less ram: true for now, but may change.
+		lowMem:          true,
+		concurrent:      runtime.GOMAXPROCS(0),
+		maxWindowSize:   MaxWindowSize,
+		decodeBufsBelow: 128 << 10,
+	}
+	if o.concurrent > 4 {
+		o.concurrent = 4
+	}
+	o.maxDecodedSize = 64 << 30
+}
+
+// WithDecoderLowmem will set whether to use a lower amount of memory,
+// but possibly have to allocate more while running.
+func WithDecoderLowmem(b bool) DOption {
+	return func(o *decoderOptions) error { o.lowMem = b; return nil }
+}
+
+// WithDecoderConcurrency sets the number of created decoders.
+// When decoding block with DecodeAll, this will limit the number
+// of possible concurrently running decodes.
+// When decoding streams, this will limit the number of
+// inflight blocks.
+// When decoding streams and setting maximum to 1,
+// no async decoding will be done.
+// When a value of 0 is provided GOMAXPROCS will be used.
+// By default this will be set to 4 or GOMAXPROCS, whatever is lower.
+func WithDecoderConcurrency(n int) DOption {
+	return func(o *decoderOptions) error {
+		if n < 0 {
+			return errors.New("concurrency must be at least 1")
+		}
+		if n == 0 {
+			o.concurrent = runtime.GOMAXPROCS(0)
+		} else {
+			o.concurrent = n
+		}
+		return nil
+	}
+}
+
+// WithDecoderMaxMemory allows to set a maximum decoded size for in-memory
+// non-streaming operations or maximum window size for streaming operations.
+// This can be used to control memory usage of potentially hostile content.
+// Maximum is 1 << 63 bytes. Default is 64GiB.
+func WithDecoderMaxMemory(n uint64) DOption {
+	return func(o *decoderOptions) error {
+		if n == 0 {
+			return errors.New("WithDecoderMaxMemory must be at least 1")
+		}
+		if n > 1<<63 {
+			return errors.New("WithDecoderMaxmemory must be less than 1 << 63")
+		}
+		o.maxDecodedSize = n
+		return nil
+	}
+}
+
+// WithDecoderDicts allows to register one or more dictionaries for the decoder.
+//
+// Each slice in dict must be in the [dictionary format] produced by
+// "zstd --train" from the Zstandard reference implementation.
+//
+// If several dictionaries with the same ID are provided, the last one will be used.
+//
+// [dictionary format]: https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#dictionary-format
+func WithDecoderDicts(dicts ...[]byte) DOption {
+	return func(o *decoderOptions) error {
+		for _, b := range dicts {
+			d, err := loadDict(b)
+			if err != nil {
+				return err
+			}
+			o.dicts = append(o.dicts, d)
+		}
+		return nil
+	}
+}
+
+// WithDecoderDictRaw registers a dictionary that may be used by the decoder.
+// The slice content can be arbitrary data.
+func WithDecoderDictRaw(id uint32, content []byte) DOption {
+	return func(o *decoderOptions) error {
+		if bits.UintSize > 32 && uint(len(content)) > dictMaxLength {
+			return fmt.Errorf("dictionary of size %d > 2GiB too large", len(content))
+		}
+		o.dicts = append(o.dicts, &dict{id: id, content: content, offsets: [3]int{1, 4, 8}})
+		return nil
+	}
+}
+
+// WithDecoderMaxWindow allows to set a maximum window size for decodes.
+// This allows rejecting packets that will cause big memory usage.
+// The Decoder will likely allocate more memory based on the WithDecoderLowmem setting.
+// If WithDecoderMaxMemory is set to a lower value, that will be used.
+// Default is 512MB, Maximum is ~3.75 TB as per zstandard spec.
+func WithDecoderMaxWindow(size uint64) DOption {
+	return func(o *decoderOptions) error {
+		if size < MinWindowSize {
+			return errors.New("WithMaxWindowSize must be at least 1KB, 1024 bytes")
+		}
+		if size > (1<<41)+7*(1<<38) {
+			return errors.New("WithMaxWindowSize must be less than (1<<41) + 7*(1<<38) ~ 3.75TB")
+		}
+		o.maxWindowSize = size
+		return nil
+	}
+}
+
+// WithDecodeAllCapLimit will limit DecodeAll to decoding cap(dst)-len(dst) bytes,
+// or any size set in WithDecoderMaxMemory.
+// This can be used to limit decoding to a specific maximum output size.
+// Disabled by default.
+func WithDecodeAllCapLimit(b bool) DOption {
+	return func(o *decoderOptions) error {
+		o.limitToCap = b
+		return nil
+	}
+}
+
+// WithDecodeBuffersBelow will fully decode readers that have a
+// `Bytes() []byte` and `Len() int` interface similar to bytes.Buffer.
+// This typically uses less allocations but will have the full decompressed object in memory.
+// Note that DecodeAllCapLimit will disable this, as well as giving a size of 0 or less.
+// Default is 128KiB.
+func WithDecodeBuffersBelow(size int) DOption {
+	return func(o *decoderOptions) error {
+		o.decodeBufsBelow = size
+		return nil
+	}
+}
+
+// IgnoreChecksum allows to forcibly ignore checksum checking.
+func IgnoreChecksum(b bool) DOption {
+	return func(o *decoderOptions) error {
+		o.ignoreChecksum = b
+		return nil
+	}
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/dict.go b/vendor/github.com/klauspost/compress/zstd/dict.go
new file mode 100644
index 0000000000..b7b83164bc
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/dict.go
@@ -0,0 +1,565 @@
+package zstd
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"math"
+	"sort"
+
+	"github.com/klauspost/compress/huff0"
+)
+
+type dict struct {
+	id uint32
+
+	litEnc              *huff0.Scratch
+	llDec, ofDec, mlDec sequenceDec
+	offsets             [3]int
+	content             []byte
+}
+
+const dictMagic = "\x37\xa4\x30\xec"
+
+// Maximum dictionary size for the reference implementation (1.5.3) is 2 GiB.
+const dictMaxLength = 1 << 31
+
+// ID returns the dictionary id or 0 if d is nil.
+func (d *dict) ID() uint32 {
+	if d == nil {
+		return 0
+	}
+	return d.id
+}
+
+// ContentSize returns the dictionary content size or 0 if d is nil.
+func (d *dict) ContentSize() int {
+	if d == nil {
+		return 0
+	}
+	return len(d.content)
+}
+
+// Content returns the dictionary content.
+func (d *dict) Content() []byte {
+	if d == nil {
+		return nil
+	}
+	return d.content
+}
+
+// Offsets returns the initial offsets.
+func (d *dict) Offsets() [3]int {
+	if d == nil {
+		return [3]int{}
+	}
+	return d.offsets
+}
+
+// LitEncoder returns the literal encoder.
+func (d *dict) LitEncoder() *huff0.Scratch {
+	if d == nil {
+		return nil
+	}
+	return d.litEnc
+}
+
+// Load a dictionary as described in
+// https://github.com/facebook/zstd/blob/master/doc/zstd_compression_format.md#dictionary-format
+func loadDict(b []byte) (*dict, error) {
+	// Check static field size.
+	if len(b) <= 8+(3*4) {
+		return nil, io.ErrUnexpectedEOF
+	}
+	d := dict{
+		llDec: sequenceDec{fse: &fseDecoder{}},
+		ofDec: sequenceDec{fse: &fseDecoder{}},
+		mlDec: sequenceDec{fse: &fseDecoder{}},
+	}
+	if string(b[:4]) != dictMagic {
+		return nil, ErrMagicMismatch
+	}
+	d.id = binary.LittleEndian.Uint32(b[4:8])
+	if d.id == 0 {
+		return nil, errors.New("dictionaries cannot have ID 0")
+	}
+
+	// Read literal table
+	var err error
+	d.litEnc, b, err = huff0.ReadTable(b[8:], nil)
+	if err != nil {
+		return nil, fmt.Errorf("loading literal table: %w", err)
+	}
+	d.litEnc.Reuse = huff0.ReusePolicyMust
+
+	br := byteReader{
+		b:   b,
+		off: 0,
+	}
+	readDec := func(i tableIndex, dec *fseDecoder) error {
+		if err := dec.readNCount(&br, uint16(maxTableSymbol[i])); err != nil {
+			return err
+		}
+		if br.overread() {
+			return io.ErrUnexpectedEOF
+		}
+		err = dec.transform(symbolTableX[i])
+		if err != nil {
+			println("Transform table error:", err)
+			return err
+		}
+		if debugDecoder || debugEncoder {
+			println("Read table ok", "symbolLen:", dec.symbolLen)
+		}
+		// Set decoders as predefined so they aren't reused.
+		dec.preDefined = true
+		return nil
+	}
+
+	if err := readDec(tableOffsets, d.ofDec.fse); err != nil {
+		return nil, err
+	}
+	if err := readDec(tableMatchLengths, d.mlDec.fse); err != nil {
+		return nil, err
+	}
+	if err := readDec(tableLiteralLengths, d.llDec.fse); err != nil {
+		return nil, err
+	}
+	if br.remain() < 12 {
+		return nil, io.ErrUnexpectedEOF
+	}
+
+	d.offsets[0] = int(br.Uint32())
+	br.advance(4)
+	d.offsets[1] = int(br.Uint32())
+	br.advance(4)
+	d.offsets[2] = int(br.Uint32())
+	br.advance(4)
+	if d.offsets[0] <= 0 || d.offsets[1] <= 0 || d.offsets[2] <= 0 {
+		return nil, errors.New("invalid offset in dictionary")
+	}
+	d.content = make([]byte, br.remain())
+	copy(d.content, br.unread())
+	if d.offsets[0] > len(d.content) || d.offsets[1] > len(d.content) || d.offsets[2] > len(d.content) {
+		return nil, fmt.Errorf("initial offset bigger than dictionary content size %d, offsets: %v", len(d.content), d.offsets)
+	}
+
+	return &d, nil
+}
+
+// InspectDictionary loads a zstd dictionary and provides functions to inspect the content.
+func InspectDictionary(b []byte) (interface {
+	ID() uint32
+	ContentSize() int
+	Content() []byte
+	Offsets() [3]int
+	LitEncoder() *huff0.Scratch
+}, error) {
+	initPredefined()
+	d, err := loadDict(b)
+	return d, err
+}
+
+type BuildDictOptions struct {
+	// Dictionary ID.
+	ID uint32
+
+	// Content to use to create dictionary tables.
+	Contents [][]byte
+
+	// History to use for all blocks.
+	History []byte
+
+	// Offsets to use.
+	Offsets [3]int
+
+	// CompatV155 will make the dictionary compatible with Zstd v1.5.5 and earlier.
+	// See https://github.com/facebook/zstd/issues/3724
+	CompatV155 bool
+
+	// Use the specified encoder level.
+	// The dictionary will be built using the specified encoder level,
+	// which will reflect speed and make the dictionary tailored for that level.
+	// If not set SpeedBestCompression will be used.
+	Level EncoderLevel
+
+	// DebugOut will write stats and other details here if set.
+	DebugOut io.Writer
+}
+
+func BuildDict(o BuildDictOptions) ([]byte, error) {
+	initPredefined()
+	hist := o.History
+	contents := o.Contents
+	debug := o.DebugOut != nil
+	println := func(args ...interface{}) {
+		if o.DebugOut != nil {
+			fmt.Fprintln(o.DebugOut, args...)
+		}
+	}
+	printf := func(s string, args ...interface{}) {
+		if o.DebugOut != nil {
+			fmt.Fprintf(o.DebugOut, s, args...)
+		}
+	}
+	print := func(args ...interface{}) {
+		if o.DebugOut != nil {
+			fmt.Fprint(o.DebugOut, args...)
+		}
+	}
+
+	if int64(len(hist)) > dictMaxLength {
+		return nil, fmt.Errorf("dictionary of size %d > %d", len(hist), int64(dictMaxLength))
+	}
+	if len(hist) < 8 {
+		return nil, fmt.Errorf("dictionary of size %d < %d", len(hist), 8)
+	}
+	if len(contents) == 0 {
+		return nil, errors.New("no content provided")
+	}
+	d := dict{
+		id:      o.ID,
+		litEnc:  nil,
+		llDec:   sequenceDec{},
+		ofDec:   sequenceDec{},
+		mlDec:   sequenceDec{},
+		offsets: o.Offsets,
+		content: hist,
+	}
+	block := blockEnc{lowMem: false}
+	block.init()
+	enc := encoder(&bestFastEncoder{fastBase: fastBase{maxMatchOff: int32(maxMatchLen), bufferReset: math.MaxInt32 - int32(maxMatchLen*2), lowMem: false}})
+	if o.Level != 0 {
+		eOpts := encoderOptions{
+			level:      o.Level,
+			blockSize:  maxMatchLen,
+			windowSize: maxMatchLen,
+			dict:       &d,
+			lowMem:     false,
+		}
+		enc = eOpts.encoder()
+	} else {
+		o.Level = SpeedBestCompression
+	}
+	var (
+		remain [256]int
+		ll     [256]int
+		ml     [256]int
+		of     [256]int
+	)
+	addValues := func(dst *[256]int, src []byte) {
+		for _, v := range src {
+			dst[v]++
+		}
+	}
+	addHist := func(dst *[256]int, src *[256]uint32) {
+		for i, v := range src {
+			dst[i] += int(v)
+		}
+	}
+	seqs := 0
+	nUsed := 0
+	litTotal := 0
+	newOffsets := make(map[uint32]int, 1000)
+	for _, b := range contents {
+		block.reset(nil)
+		if len(b) < 8 {
+			continue
+		}
+		nUsed++
+		enc.Reset(&d, true)
+		enc.Encode(&block, b)
+		addValues(&remain, block.literals)
+		litTotal += len(block.literals)
+		if len(block.sequences) == 0 {
+			continue
+		}
+		seqs += len(block.sequences)
+		block.genCodes()
+		addHist(&ll, block.coders.llEnc.Histogram())
+		addHist(&ml, block.coders.mlEnc.Histogram())
+		addHist(&of, block.coders.ofEnc.Histogram())
+		for i, seq := range block.sequences {
+			if i > 3 {
+				break
+			}
+			offset := seq.offset
+			if offset == 0 {
+				continue
+			}
+			if int(offset) >= len(o.History) {
+				continue
+			}
+			if offset > 3 {
+				newOffsets[offset-3]++
+			} else {
+				newOffsets[uint32(o.Offsets[offset-1])]++
+			}
+		}
+	}
+	// Find most used offsets.
+	var sortedOffsets []uint32
+	for k := range newOffsets {
+		sortedOffsets = append(sortedOffsets, k)
+	}
+	sort.Slice(sortedOffsets, func(i, j int) bool {
+		a, b := sortedOffsets[i], sortedOffsets[j]
+		if a == b {
+			// Prefer the longer offset
+			return sortedOffsets[i] > sortedOffsets[j]
+		}
+		return newOffsets[sortedOffsets[i]] > newOffsets[sortedOffsets[j]]
+	})
+	if len(sortedOffsets) > 3 {
+		if debug {
+			print("Offsets:")
+			for i, v := range sortedOffsets {
+				if i > 20 {
+					break
+				}
+				printf("[%d: %d],", v, newOffsets[v])
+			}
+			println("")
+		}
+
+		sortedOffsets = sortedOffsets[:3]
+	}
+	for i, v := range sortedOffsets {
+		o.Offsets[i] = int(v)
+	}
+	if debug {
+		println("New repeat offsets", o.Offsets)
+	}
+
+	if nUsed == 0 || seqs == 0 {
+		return nil, fmt.Errorf("%d blocks, %d sequences found", nUsed, seqs)
+	}
+	if debug {
+		println("Sequences:", seqs, "Blocks:", nUsed, "Literals:", litTotal)
+	}
+	if seqs/nUsed < 512 {
+		// Use 512 as minimum.
+		nUsed = seqs / 512
+		if nUsed == 0 {
+			nUsed = 1
+		}
+	}
+	copyHist := func(dst *fseEncoder, src *[256]int) ([]byte, error) {
+		hist := dst.Histogram()
+		var maxSym uint8
+		var maxCount int
+		var fakeLength int
+		for i, v := range src {
+			if v > 0 {
+				v = v / nUsed
+				if v == 0 {
+					v = 1
+				}
+			}
+			if v > maxCount {
+				maxCount = v
+			}
+			if v != 0 {
+				maxSym = uint8(i)
+			}
+			fakeLength += v
+			hist[i] = uint32(v)
+		}
+
+		// Ensure we aren't trying to represent RLE.
+		if maxCount == fakeLength {
+			for i := range hist {
+				if uint8(i) == maxSym {
+					fakeLength++
+					maxSym++
+					hist[i+1] = 1
+					if maxSym > 1 {
+						break
+					}
+				}
+				if hist[0] == 0 {
+					fakeLength++
+					hist[i] = 1
+					if maxSym > 1 {
+						break
+					}
+				}
+			}
+		}
+
+		dst.HistogramFinished(maxSym, maxCount)
+		dst.reUsed = false
+		dst.useRLE = false
+		err := dst.normalizeCount(fakeLength)
+		if err != nil {
+			return nil, err
+		}
+		if debug {
+			println("RAW:", dst.count[:maxSym+1], "NORM:", dst.norm[:maxSym+1], "LEN:", fakeLength)
+		}
+		return dst.writeCount(nil)
+	}
+	if debug {
+		print("Literal lengths: ")
+	}
+	llTable, err := copyHist(block.coders.llEnc, &ll)
+	if err != nil {
+		return nil, err
+	}
+	if debug {
+		print("Match lengths: ")
+	}
+	mlTable, err := copyHist(block.coders.mlEnc, &ml)
+	if err != nil {
+		return nil, err
+	}
+	if debug {
+		print("Offsets: ")
+	}
+	ofTable, err := copyHist(block.coders.ofEnc, &of)
+	if err != nil {
+		return nil, err
+	}
+
+	// Literal table
+	avgSize := litTotal
+	if avgSize > huff0.BlockSizeMax/2 {
+		avgSize = huff0.BlockSizeMax / 2
+	}
+	huffBuff := make([]byte, 0, avgSize)
+	// Target size
+	div := litTotal / avgSize
+	if div < 1 {
+		div = 1
+	}
+	if debug {
+		println("Huffman weights:")
+	}
+	for i, n := range remain[:] {
+		if n > 0 {
+			n = n / div
+			// Allow all entries to be represented.
+			if n == 0 {
+				n = 1
+			}
+			huffBuff = append(huffBuff, bytes.Repeat([]byte{byte(i)}, n)...)
+			if debug {
+				printf("[%d: %d], ", i, n)
+			}
+		}
+	}
+	if o.CompatV155 && remain[255]/div == 0 {
+		huffBuff = append(huffBuff, 255)
+	}
+	scratch := &huff0.Scratch{TableLog: 11}
+	for tries := 0; tries < 255; tries++ {
+		scratch = &huff0.Scratch{TableLog: 11}
+		_, _, err = huff0.Compress1X(huffBuff, scratch)
+		if err == nil {
+			break
+		}
+		if debug {
+			printf("Try %d: Huffman error: %v\n", tries+1, err)
+		}
+		huffBuff = huffBuff[:0]
+		if tries == 250 {
+			if debug {
+				println("Huffman: Bailing out with predefined table")
+			}
+
+			// Bail out.... Just generate something
+			huffBuff = append(huffBuff, bytes.Repeat([]byte{255}, 10000)...)
+			for i := 0; i < 128; i++ {
+				huffBuff = append(huffBuff, byte(i))
+			}
+			continue
+		}
+		if errors.Is(err, huff0.ErrIncompressible) {
+			// Try truncating least common.
+			for i, n := range remain[:] {
+				if n > 0 {
+					n = n / (div * (i + 1))
+					if n > 0 {
+						huffBuff = append(huffBuff, bytes.Repeat([]byte{byte(i)}, n)...)
+					}
+				}
+			}
+			if o.CompatV155 && len(huffBuff) > 0 && huffBuff[len(huffBuff)-1] != 255 {
+				huffBuff = append(huffBuff, 255)
+			}
+			if len(huffBuff) == 0 {
+				huffBuff = append(huffBuff, 0, 255)
+			}
+		}
+		if errors.Is(err, huff0.ErrUseRLE) {
+			for i, n := range remain[:] {
+				n = n / (div * (i + 1))
+				// Allow all entries to be represented.
+				if n == 0 {
+					n = 1
+				}
+				huffBuff = append(huffBuff, bytes.Repeat([]byte{byte(i)}, n)...)
+			}
+		}
+	}
+
+	var out bytes.Buffer
+	out.Write([]byte(dictMagic))
+	out.Write(binary.LittleEndian.AppendUint32(nil, o.ID))
+	out.Write(scratch.OutTable)
+	if debug {
+		println("huff table:", len(scratch.OutTable), "bytes")
+		println("of table:", len(ofTable), "bytes")
+		println("ml table:", len(mlTable), "bytes")
+		println("ll table:", len(llTable), "bytes")
+	}
+	out.Write(ofTable)
+	out.Write(mlTable)
+	out.Write(llTable)
+	out.Write(binary.LittleEndian.AppendUint32(nil, uint32(o.Offsets[0])))
+	out.Write(binary.LittleEndian.AppendUint32(nil, uint32(o.Offsets[1])))
+	out.Write(binary.LittleEndian.AppendUint32(nil, uint32(o.Offsets[2])))
+	out.Write(hist)
+	if debug {
+		_, err := loadDict(out.Bytes())
+		if err != nil {
+			panic(err)
+		}
+		i, err := InspectDictionary(out.Bytes())
+		if err != nil {
+			panic(err)
+		}
+		println("ID:", i.ID())
+		println("Content size:", i.ContentSize())
+		println("Encoder:", i.LitEncoder() != nil)
+		println("Offsets:", i.Offsets())
+		var totalSize int
+		for _, b := range contents {
+			totalSize += len(b)
+		}
+
+		encWith := func(opts ...EOption) int {
+			enc, err := NewWriter(nil, opts...)
+			if err != nil {
+				panic(err)
+			}
+			defer enc.Close()
+			var dst []byte
+			var totalSize int
+			for _, b := range contents {
+				dst = enc.EncodeAll(b, dst[:0])
+				totalSize += len(dst)
+			}
+			return totalSize
+		}
+		plain := encWith(WithEncoderLevel(o.Level))
+		withDict := encWith(WithEncoderLevel(o.Level), WithEncoderDict(out.Bytes()))
+		println("Input size:", totalSize)
+		println("Plain Compressed:", plain)
+		println("Dict Compressed:", withDict)
+		println("Saved:", plain-withDict, (plain-withDict)/len(contents), "bytes per input (rounded down)")
+	}
+	return out.Bytes(), nil
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_base.go b/vendor/github.com/klauspost/compress/zstd/enc_base.go
new file mode 100644
index 0000000000..7d250c67f5
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/enc_base.go
@@ -0,0 +1,173 @@
+package zstd
+
+import (
+	"fmt"
+	"math/bits"
+
+	"github.com/klauspost/compress/zstd/internal/xxhash"
+)
+
+const (
+	dictShardBits = 6
+)
+
+type fastBase struct {
+	// cur is the offset at the start of hist
+	cur int32
+	// maximum offset. Should be at least 2x block size.
+	maxMatchOff int32
+	bufferReset int32
+	hist        []byte
+	crc         *xxhash.Digest
+	tmp         [8]byte
+	blk         *blockEnc
+	lastDictID  uint32
+	lowMem      bool
+}
+
+// CRC returns the underlying CRC writer.
+func (e *fastBase) CRC() *xxhash.Digest {
+	return e.crc
+}
+
+// AppendCRC will append the CRC to the destination slice and return it.
+func (e *fastBase) AppendCRC(dst []byte) []byte {
+	crc := e.crc.Sum(e.tmp[:0])
+	dst = append(dst, crc[7], crc[6], crc[5], crc[4])
+	return dst
+}
+
+// WindowSize returns the window size of the encoder,
+// or a window size small enough to contain the input size, if > 0.
+func (e *fastBase) WindowSize(size int64) int32 {
+	if size > 0 && size < int64(e.maxMatchOff) {
+		b := int32(1) << uint(bits.Len(uint(size)))
+		// Keep minimum window.
+		if b < 1024 {
+			b = 1024
+		}
+		return b
+	}
+	return e.maxMatchOff
+}
+
+// Block returns the current block.
+func (e *fastBase) Block() *blockEnc {
+	return e.blk
+}
+
+func (e *fastBase) addBlock(src []byte) int32 {
+	if debugAsserts && e.cur > e.bufferReset {
+		panic(fmt.Sprintf("ecur (%d) > buffer reset (%d)", e.cur, e.bufferReset))
+	}
+	// check if we have space already
+	if len(e.hist)+len(src) > cap(e.hist) {
+		if cap(e.hist) == 0 {
+			e.ensureHist(len(src))
+		} else {
+			if cap(e.hist) < int(e.maxMatchOff+maxCompressedBlockSize) {
+				panic(fmt.Errorf("unexpected buffer cap %d, want at least %d with window %d", cap(e.hist), e.maxMatchOff+maxCompressedBlockSize, e.maxMatchOff))
+			}
+			// Move down
+			offset := int32(len(e.hist)) - e.maxMatchOff
+			copy(e.hist[0:e.maxMatchOff], e.hist[offset:])
+			e.cur += offset
+			e.hist = e.hist[:e.maxMatchOff]
+		}
+	}
+	s := int32(len(e.hist))
+	e.hist = append(e.hist, src...)
+	return s
+}
+
+// ensureHist will ensure that history can keep at least this many bytes.
+func (e *fastBase) ensureHist(n int) {
+	if cap(e.hist) >= n {
+		return
+	}
+	l := e.maxMatchOff
+	if (e.lowMem && e.maxMatchOff > maxCompressedBlockSize) || e.maxMatchOff <= maxCompressedBlockSize {
+		l += maxCompressedBlockSize
+	} else {
+		l += e.maxMatchOff
+	}
+	// Make it at least 1MB.
+	if l < 1<<20 && !e.lowMem {
+		l = 1 << 20
+	}
+	// Make it at least the requested size.
+	if l < int32(n) {
+		l = int32(n)
+	}
+	e.hist = make([]byte, 0, l)
+}
+
+// useBlock will replace the block with the provided one,
+// but transfer recent offsets from the previous.
+func (e *fastBase) UseBlock(enc *blockEnc) {
+	enc.reset(e.blk)
+	e.blk = enc
+}
+
+func (e *fastBase) matchlen(s, t int32, src []byte) int32 {
+	if debugAsserts {
+		if s < 0 {
+			err := fmt.Sprintf("s (%d) < 0", s)
+			panic(err)
+		}
+		if t < 0 {
+			err := fmt.Sprintf("t (%d) < 0", t)
+			panic(err)
+		}
+		if s-t > e.maxMatchOff {
+			err := fmt.Sprintf("s (%d) - t (%d) > maxMatchOff (%d)", s, t, e.maxMatchOff)
+			panic(err)
+		}
+		if len(src)-int(s) > maxCompressedBlockSize {
+			panic(fmt.Sprintf("len(src)-s (%d) > maxCompressedBlockSize (%d)", len(src)-int(s), maxCompressedBlockSize))
+		}
+	}
+	return int32(matchLen(src[s:], src[t:]))
+}
+
+// Reset the encoding table.
+func (e *fastBase) resetBase(d *dict, singleBlock bool) {
+	if e.blk == nil {
+		e.blk = &blockEnc{lowMem: e.lowMem}
+		e.blk.init()
+	} else {
+		e.blk.reset(nil)
+	}
+	e.blk.initNewEncode()
+	if e.crc == nil {
+		e.crc = xxhash.New()
+	} else {
+		e.crc.Reset()
+	}
+	e.blk.dictLitEnc = nil
+	if d != nil {
+		low := e.lowMem
+		if singleBlock {
+			e.lowMem = true
+		}
+		e.ensureHist(d.ContentSize() + maxCompressedBlockSize)
+		e.lowMem = low
+	}
+
+	// We offset current position so everything will be out of reach.
+	// If above reset line, history will be purged.
+	if e.cur < e.bufferReset {
+		e.cur += e.maxMatchOff + int32(len(e.hist))
+	}
+	e.hist = e.hist[:0]
+	if d != nil {
+		// Set offsets (currently not used)
+		for i, off := range d.offsets {
+			e.blk.recentOffsets[i] = uint32(off)
+			e.blk.prevRecentOffsets[i] = e.blk.recentOffsets[i]
+		}
+		// Transfer litenc.
+		e.blk.dictLitEnc = d.litEnc
+		e.hist = append(e.hist, d.content...)
+	}
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_best.go b/vendor/github.com/klauspost/compress/zstd/enc_best.go
new file mode 100644
index 0000000000..4613724e9d
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/enc_best.go
@@ -0,0 +1,560 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"bytes"
+	"fmt"
+
+	"github.com/klauspost/compress"
+)
+
+const (
+	bestLongTableBits = 22                     // Bits used in the long match table
+	bestLongTableSize = 1 << bestLongTableBits // Size of the table
+	bestLongLen       = 8                      // Bytes used for table hash
+
+	// Note: Increasing the short table bits or making the hash shorter
+	// can actually lead to compression degradation since it will 'steal' more from the
+	// long match table and match offsets are quite big.
+	// This greatly depends on the type of input.
+	bestShortTableBits = 18                      // Bits used in the short match table
+	bestShortTableSize = 1 << bestShortTableBits // Size of the table
+	bestShortLen       = 4                       // Bytes used for table hash
+
+)
+
+type match struct {
+	offset int32
+	s      int32
+	length int32
+	rep    int32
+	est    int32
+}
+
+const highScore = maxMatchLen * 8
+
+// estBits will estimate output bits from predefined tables.
+func (m *match) estBits(bitsPerByte int32) {
+	mlc := mlCode(uint32(m.length - zstdMinMatch))
+	var ofc uint8
+	if m.rep < 0 {
+		ofc = ofCode(uint32(m.s-m.offset) + 3)
+	} else {
+		ofc = ofCode(uint32(m.rep) & 3)
+	}
+	// Cost, excluding
+	ofTT, mlTT := fsePredefEnc[tableOffsets].ct.symbolTT[ofc], fsePredefEnc[tableMatchLengths].ct.symbolTT[mlc]
+
+	// Add cost of match encoding...
+	m.est = int32(ofTT.outBits + mlTT.outBits)
+	m.est += int32(ofTT.deltaNbBits>>16 + mlTT.deltaNbBits>>16)
+	// Subtract savings compared to literal encoding...
+	m.est -= (m.length * bitsPerByte) >> 10
+	if m.est > 0 {
+		// Unlikely gain..
+		m.length = 0
+		m.est = highScore
+	}
+}
+
+// bestFastEncoder uses 2 tables, one for short matches (5 bytes) and one for long matches.
+// The long match table contains the previous entry with the same hash,
+// effectively making it a "chain" of length 2.
+// When we find a long match we choose between the two values and select the longest.
+// When we find a short match, after checking the long, we check if we can find a long at n+1
+// and that it is longer (lazy matching).
+type bestFastEncoder struct {
+	fastBase
+	table         [bestShortTableSize]prevEntry
+	longTable     [bestLongTableSize]prevEntry
+	dictTable     []prevEntry
+	dictLongTable []prevEntry
+}
+
+// Encode improves compression...
+func (e *bestFastEncoder) Encode(blk *blockEnc, src []byte) {
+	const (
+		// Input margin is the number of bytes we read (8)
+		// and the maximum we will read ahead (2)
+		inputMargin            = 8 + 4
+		minNonLiteralBlockSize = 16
+	)
+
+	// Protect against e.cur wraparound.
+	for e.cur >= e.bufferReset-int32(len(e.hist)) {
+		if len(e.hist) == 0 {
+			e.table = [bestShortTableSize]prevEntry{}
+			e.longTable = [bestLongTableSize]prevEntry{}
+			e.cur = e.maxMatchOff
+			break
+		}
+		// Shift down everything in the table that isn't already too far away.
+		minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff
+		for i := range e.table[:] {
+			v := e.table[i].offset
+			v2 := e.table[i].prev
+			if v < minOff {
+				v = 0
+				v2 = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+				if v2 < minOff {
+					v2 = 0
+				} else {
+					v2 = v2 - e.cur + e.maxMatchOff
+				}
+			}
+			e.table[i] = prevEntry{
+				offset: v,
+				prev:   v2,
+			}
+		}
+		for i := range e.longTable[:] {
+			v := e.longTable[i].offset
+			v2 := e.longTable[i].prev
+			if v < minOff {
+				v = 0
+				v2 = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+				if v2 < minOff {
+					v2 = 0
+				} else {
+					v2 = v2 - e.cur + e.maxMatchOff
+				}
+			}
+			e.longTable[i] = prevEntry{
+				offset: v,
+				prev:   v2,
+			}
+		}
+		e.cur = e.maxMatchOff
+		break
+	}
+
+	// Add block to history
+	s := e.addBlock(src)
+	blk.size = len(src)
+
+	// Check RLE first
+	if len(src) > zstdMinMatch {
+		ml := matchLen(src[1:], src)
+		if ml == len(src)-1 {
+			blk.literals = append(blk.literals, src[0])
+			blk.sequences = append(blk.sequences, seq{litLen: 1, matchLen: uint32(len(src)-1) - zstdMinMatch, offset: 1 + 3})
+			return
+		}
+	}
+
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	// Use this to estimate literal cost.
+	// Scaled by 10 bits.
+	bitsPerByte := int32((compress.ShannonEntropyBits(src) * 1024) / len(src))
+	// Huffman can never go < 1 bit/byte
+	if bitsPerByte < 1024 {
+		bitsPerByte = 1024
+	}
+
+	// Override src
+	src = e.hist
+	sLimit := int32(len(src)) - inputMargin
+	const kSearchStrength = 10
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+	offset3 := int32(blk.recentOffsets[2])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		// We allow the encoder to optionally turn off repeat offsets across blocks
+		canRepeat := len(blk.sequences) > 2
+
+		if debugAsserts && canRepeat && offset1 == 0 {
+			panic("offset0 was 0")
+		}
+
+		const goodEnough = 250
+
+		cv := load6432(src, s)
+
+		nextHashL := hashLen(cv, bestLongTableBits, bestLongLen)
+		nextHashS := hashLen(cv, bestShortTableBits, bestShortLen)
+		candidateL := e.longTable[nextHashL]
+		candidateS := e.table[nextHashS]
+
+		// Set m to a match at offset if it looks like that will improve compression.
+		improve := func(m *match, offset int32, s int32, first uint32, rep int32) {
+			delta := s - offset
+			if delta >= e.maxMatchOff || delta <= 0 || load3232(src, offset) != first {
+				return
+			}
+			// Try to quick reject if we already have a long match.
+			if m.length > 16 {
+				left := len(src) - int(m.s+m.length)
+				// If we are too close to the end, keep as is.
+				if left <= 0 {
+					return
+				}
+				checkLen := m.length - (s - m.s) - 8
+				if left > 2 && checkLen > 4 {
+					// Check 4 bytes, 4 bytes from the end of the current match.
+					a := load3232(src, offset+checkLen)
+					b := load3232(src, s+checkLen)
+					if a != b {
+						return
+					}
+				}
+			}
+			l := 4 + e.matchlen(s+4, offset+4, src)
+			if m.rep <= 0 {
+				// Extend candidate match backwards as far as possible.
+				// Do not extend repeats as we can assume they are optimal
+				// and offsets change if s == nextEmit.
+				tMin := s - e.maxMatchOff
+				if tMin < 0 {
+					tMin = 0
+				}
+				for offset > tMin && s > nextEmit && src[offset-1] == src[s-1] && l < maxMatchLength {
+					s--
+					offset--
+					l++
+				}
+			}
+			if debugAsserts {
+				if offset >= s {
+					panic(fmt.Sprintf("offset: %d - s:%d - rep: %d - cur :%d - max: %d", offset, s, rep, e.cur, e.maxMatchOff))
+				}
+				if !bytes.Equal(src[s:s+l], src[offset:offset+l]) {
+					panic(fmt.Sprintf("second match mismatch: %v != %v, first: %08x", src[s:s+4], src[offset:offset+4], first))
+				}
+			}
+			cand := match{offset: offset, s: s, length: l, rep: rep}
+			cand.estBits(bitsPerByte)
+			if m.est >= highScore || cand.est-m.est+(cand.s-m.s)*bitsPerByte>>10 < 0 {
+				*m = cand
+			}
+		}
+
+		best := match{s: s, est: highScore}
+		improve(&best, candidateL.offset-e.cur, s, uint32(cv), -1)
+		improve(&best, candidateL.prev-e.cur, s, uint32(cv), -1)
+		improve(&best, candidateS.offset-e.cur, s, uint32(cv), -1)
+		improve(&best, candidateS.prev-e.cur, s, uint32(cv), -1)
+
+		if canRepeat && best.length < goodEnough {
+			if s == nextEmit {
+				// Check repeats straight after a match.
+				improve(&best, s-offset2, s, uint32(cv), 1|4)
+				improve(&best, s-offset3, s, uint32(cv), 2|4)
+				if offset1 > 1 {
+					improve(&best, s-(offset1-1), s, uint32(cv), 3|4)
+				}
+			}
+
+			// If either no match or a non-repeat match, check at + 1
+			if best.rep <= 0 {
+				cv32 := uint32(cv >> 8)
+				spp := s + 1
+				improve(&best, spp-offset1, spp, cv32, 1)
+				improve(&best, spp-offset2, spp, cv32, 2)
+				improve(&best, spp-offset3, spp, cv32, 3)
+				if best.rep < 0 {
+					cv32 = uint32(cv >> 24)
+					spp += 2
+					improve(&best, spp-offset1, spp, cv32, 1)
+					improve(&best, spp-offset2, spp, cv32, 2)
+					improve(&best, spp-offset3, spp, cv32, 3)
+				}
+			}
+		}
+		// Load next and check...
+		e.longTable[nextHashL] = prevEntry{offset: s + e.cur, prev: candidateL.offset}
+		e.table[nextHashS] = prevEntry{offset: s + e.cur, prev: candidateS.offset}
+		index0 := s + 1
+
+		// Look far ahead, unless we have a really long match already...
+		if best.length < goodEnough {
+			// No match found, move forward on input, no need to check forward...
+			if best.length < 4 {
+				s += 1 + (s-nextEmit)>>(kSearchStrength-1)
+				if s >= sLimit {
+					break encodeLoop
+				}
+				continue
+			}
+
+			candidateS = e.table[hashLen(cv>>8, bestShortTableBits, bestShortLen)]
+			cv = load6432(src, s+1)
+			cv2 := load6432(src, s+2)
+			candidateL = e.longTable[hashLen(cv, bestLongTableBits, bestLongLen)]
+			candidateL2 := e.longTable[hashLen(cv2, bestLongTableBits, bestLongLen)]
+
+			// Short at s+1
+			improve(&best, candidateS.offset-e.cur, s+1, uint32(cv), -1)
+			// Long at s+1, s+2
+			improve(&best, candidateL.offset-e.cur, s+1, uint32(cv), -1)
+			improve(&best, candidateL.prev-e.cur, s+1, uint32(cv), -1)
+			improve(&best, candidateL2.offset-e.cur, s+2, uint32(cv2), -1)
+			improve(&best, candidateL2.prev-e.cur, s+2, uint32(cv2), -1)
+			if false {
+				// Short at s+3.
+				// Too often worse...
+				improve(&best, e.table[hashLen(cv2>>8, bestShortTableBits, bestShortLen)].offset-e.cur, s+3, uint32(cv2>>8), -1)
+			}
+
+			// Start check at a fixed offset to allow for a few mismatches.
+			// For this compression level 2 yields the best results.
+			// We cannot do this if we have already indexed this position.
+			const skipBeginning = 2
+			if best.s > s-skipBeginning {
+				// See if we can find a better match by checking where the current best ends.
+				// Use that offset to see if we can find a better full match.
+				if sAt := best.s + best.length; sAt < sLimit {
+					nextHashL := hashLen(load6432(src, sAt), bestLongTableBits, bestLongLen)
+					candidateEnd := e.longTable[nextHashL]
+
+					if off := candidateEnd.offset - e.cur - best.length + skipBeginning; off >= 0 {
+						improve(&best, off, best.s+skipBeginning, load3232(src, best.s+skipBeginning), -1)
+						if off := candidateEnd.prev - e.cur - best.length + skipBeginning; off >= 0 {
+							improve(&best, off, best.s+skipBeginning, load3232(src, best.s+skipBeginning), -1)
+						}
+					}
+				}
+			}
+		}
+
+		if debugAsserts {
+			if best.offset >= best.s {
+				panic(fmt.Sprintf("best.offset > s: %d >= %d", best.offset, best.s))
+			}
+			if best.s < nextEmit {
+				panic(fmt.Sprintf("s %d < nextEmit %d", best.s, nextEmit))
+			}
+			if best.offset < s-e.maxMatchOff {
+				panic(fmt.Sprintf("best.offset < s-e.maxMatchOff: %d < %d", best.offset, s-e.maxMatchOff))
+			}
+			if !bytes.Equal(src[best.s:best.s+best.length], src[best.offset:best.offset+best.length]) {
+				panic(fmt.Sprintf("match mismatch: %v != %v", src[best.s:best.s+best.length], src[best.offset:best.offset+best.length]))
+			}
+		}
+
+		// We have a match, we can store the forward value
+		s = best.s
+		if best.rep > 0 {
+			var seq seq
+			seq.matchLen = uint32(best.length - zstdMinMatch)
+			addLiterals(&seq, best.s)
+
+			// Repeat. If bit 4 is set, this is a non-lit repeat.
+			seq.offset = uint32(best.rep & 3)
+			if debugSequences {
+				println("repeat sequence", seq, "next s:", best.s, "off:", best.s-best.offset)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Index old s + 1 -> s - 1
+			s = best.s + best.length
+			nextEmit = s
+
+			// Index skipped...
+			end := s
+			if s > sLimit+4 {
+				end = sLimit + 4
+			}
+			off := index0 + e.cur
+			for index0 < end {
+				cv0 := load6432(src, index0)
+				h0 := hashLen(cv0, bestLongTableBits, bestLongLen)
+				h1 := hashLen(cv0, bestShortTableBits, bestShortLen)
+				e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset}
+				e.table[h1] = prevEntry{offset: off, prev: e.table[h1].offset}
+				off++
+				index0++
+			}
+
+			switch best.rep {
+			case 2, 4 | 1:
+				offset1, offset2 = offset2, offset1
+			case 3, 4 | 2:
+				offset1, offset2, offset3 = offset3, offset1, offset2
+			case 4 | 3:
+				offset1, offset2, offset3 = offset1-1, offset1, offset2
+			}
+			if s >= sLimit {
+				if debugEncoder {
+					println("repeat ended", s, best.length)
+				}
+				break encodeLoop
+			}
+			continue
+		}
+
+		// A 4-byte match has been found. Update recent offsets.
+		// We'll later see if more than 4 bytes.
+		t := best.offset
+		offset1, offset2, offset3 = s-t, offset1, offset2
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		if debugAsserts && int(offset1) > len(src) {
+			panic("invalid offset")
+		}
+
+		// Write our sequence
+		var seq seq
+		l := best.length
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+
+		// Index old s + 1 -> s - 1 or sLimit
+		end := s
+		if s > sLimit-4 {
+			end = sLimit - 4
+		}
+
+		off := index0 + e.cur
+		for index0 < end {
+			cv0 := load6432(src, index0)
+			h0 := hashLen(cv0, bestLongTableBits, bestLongLen)
+			h1 := hashLen(cv0, bestShortTableBits, bestShortLen)
+			e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset}
+			e.table[h1] = prevEntry{offset: off, prev: e.table[h1].offset}
+			index0++
+			off++
+		}
+		if s >= sLimit {
+			break encodeLoop
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	blk.recentOffsets[0] = uint32(offset1)
+	blk.recentOffsets[1] = uint32(offset2)
+	blk.recentOffsets[2] = uint32(offset3)
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+}
+
+// EncodeNoHist will encode a block with no history and no following blocks.
+// Most notable difference is that src will not be copied for history and
+// we do not need to check for max match length.
+func (e *bestFastEncoder) EncodeNoHist(blk *blockEnc, src []byte) {
+	e.ensureHist(len(src))
+	e.Encode(blk, src)
+}
+
+// Reset will reset and set a dictionary if not nil
+func (e *bestFastEncoder) Reset(d *dict, singleBlock bool) {
+	e.resetBase(d, singleBlock)
+	if d == nil {
+		return
+	}
+	// Init or copy dict table
+	if len(e.dictTable) != len(e.table) || d.id != e.lastDictID {
+		if len(e.dictTable) != len(e.table) {
+			e.dictTable = make([]prevEntry, len(e.table))
+		}
+		end := int32(len(d.content)) - 8 + e.maxMatchOff
+		for i := e.maxMatchOff; i < end; i += 4 {
+			const hashLog = bestShortTableBits
+
+			cv := load6432(d.content, i-e.maxMatchOff)
+			nextHash := hashLen(cv, hashLog, bestShortLen)      // 0 -> 4
+			nextHash1 := hashLen(cv>>8, hashLog, bestShortLen)  // 1 -> 5
+			nextHash2 := hashLen(cv>>16, hashLog, bestShortLen) // 2 -> 6
+			nextHash3 := hashLen(cv>>24, hashLog, bestShortLen) // 3 -> 7
+			e.dictTable[nextHash] = prevEntry{
+				prev:   e.dictTable[nextHash].offset,
+				offset: i,
+			}
+			e.dictTable[nextHash1] = prevEntry{
+				prev:   e.dictTable[nextHash1].offset,
+				offset: i + 1,
+			}
+			e.dictTable[nextHash2] = prevEntry{
+				prev:   e.dictTable[nextHash2].offset,
+				offset: i + 2,
+			}
+			e.dictTable[nextHash3] = prevEntry{
+				prev:   e.dictTable[nextHash3].offset,
+				offset: i + 3,
+			}
+		}
+		e.lastDictID = d.id
+	}
+
+	// Init or copy dict table
+	if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID {
+		if len(e.dictLongTable) != len(e.longTable) {
+			e.dictLongTable = make([]prevEntry, len(e.longTable))
+		}
+		if len(d.content) >= 8 {
+			cv := load6432(d.content, 0)
+			h := hashLen(cv, bestLongTableBits, bestLongLen)
+			e.dictLongTable[h] = prevEntry{
+				offset: e.maxMatchOff,
+				prev:   e.dictLongTable[h].offset,
+			}
+
+			end := int32(len(d.content)) - 8 + e.maxMatchOff
+			off := 8 // First to read
+			for i := e.maxMatchOff + 1; i < end; i++ {
+				cv = cv>>8 | (uint64(d.content[off]) << 56)
+				h := hashLen(cv, bestLongTableBits, bestLongLen)
+				e.dictLongTable[h] = prevEntry{
+					offset: i,
+					prev:   e.dictLongTable[h].offset,
+				}
+				off++
+			}
+		}
+		e.lastDictID = d.id
+	}
+	// Reset table to initial state
+	copy(e.longTable[:], e.dictLongTable)
+
+	e.cur = e.maxMatchOff
+	// Reset table to initial state
+	copy(e.table[:], e.dictTable)
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_better.go b/vendor/github.com/klauspost/compress/zstd/enc_better.go
new file mode 100644
index 0000000000..84a79fde76
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/enc_better.go
@@ -0,0 +1,1252 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import "fmt"
+
+const (
+	betterLongTableBits = 19                       // Bits used in the long match table
+	betterLongTableSize = 1 << betterLongTableBits // Size of the table
+	betterLongLen       = 8                        // Bytes used for table hash
+
+	// Note: Increasing the short table bits or making the hash shorter
+	// can actually lead to compression degradation since it will 'steal' more from the
+	// long match table and match offsets are quite big.
+	// This greatly depends on the type of input.
+	betterShortTableBits = 13                        // Bits used in the short match table
+	betterShortTableSize = 1 << betterShortTableBits // Size of the table
+	betterShortLen       = 5                         // Bytes used for table hash
+
+	betterLongTableShardCnt  = 1 << (betterLongTableBits - dictShardBits)    // Number of shards in the table
+	betterLongTableShardSize = betterLongTableSize / betterLongTableShardCnt // Size of an individual shard
+
+	betterShortTableShardCnt  = 1 << (betterShortTableBits - dictShardBits)     // Number of shards in the table
+	betterShortTableShardSize = betterShortTableSize / betterShortTableShardCnt // Size of an individual shard
+)
+
+type prevEntry struct {
+	offset int32
+	prev   int32
+}
+
+// betterFastEncoder uses 2 tables, one for short matches (5 bytes) and one for long matches.
+// The long match table contains the previous entry with the same hash,
+// effectively making it a "chain" of length 2.
+// When we find a long match we choose between the two values and select the longest.
+// When we find a short match, after checking the long, we check if we can find a long at n+1
+// and that it is longer (lazy matching).
+type betterFastEncoder struct {
+	fastBase
+	table     [betterShortTableSize]tableEntry
+	longTable [betterLongTableSize]prevEntry
+}
+
+type betterFastEncoderDict struct {
+	betterFastEncoder
+	dictTable            []tableEntry
+	dictLongTable        []prevEntry
+	shortTableShardDirty [betterShortTableShardCnt]bool
+	longTableShardDirty  [betterLongTableShardCnt]bool
+	allDirty             bool
+}
+
+// Encode improves compression...
+func (e *betterFastEncoder) Encode(blk *blockEnc, src []byte) {
+	const (
+		// Input margin is the number of bytes we read (8)
+		// and the maximum we will read ahead (2)
+		inputMargin            = 8 + 2
+		minNonLiteralBlockSize = 16
+	)
+
+	// Protect against e.cur wraparound.
+	for e.cur >= e.bufferReset-int32(len(e.hist)) {
+		if len(e.hist) == 0 {
+			e.table = [betterShortTableSize]tableEntry{}
+			e.longTable = [betterLongTableSize]prevEntry{}
+			e.cur = e.maxMatchOff
+			break
+		}
+		// Shift down everything in the table that isn't already too far away.
+		minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff
+		for i := range e.table[:] {
+			v := e.table[i].offset
+			if v < minOff {
+				v = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+			}
+			e.table[i].offset = v
+		}
+		for i := range e.longTable[:] {
+			v := e.longTable[i].offset
+			v2 := e.longTable[i].prev
+			if v < minOff {
+				v = 0
+				v2 = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+				if v2 < minOff {
+					v2 = 0
+				} else {
+					v2 = v2 - e.cur + e.maxMatchOff
+				}
+			}
+			e.longTable[i] = prevEntry{
+				offset: v,
+				prev:   v2,
+			}
+		}
+		e.cur = e.maxMatchOff
+		break
+	}
+	// Add block to history
+	s := e.addBlock(src)
+	blk.size = len(src)
+
+	// Check RLE first
+	if len(src) > zstdMinMatch {
+		ml := matchLen(src[1:], src)
+		if ml == len(src)-1 {
+			blk.literals = append(blk.literals, src[0])
+			blk.sequences = append(blk.sequences, seq{litLen: 1, matchLen: uint32(len(src)-1) - zstdMinMatch, offset: 1 + 3})
+			return
+		}
+	}
+
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	// Override src
+	src = e.hist
+	sLimit := int32(len(src)) - inputMargin
+	// stepSize is the number of bytes to skip on every main loop iteration.
+	// It should be >= 1.
+	const stepSize = 1
+
+	const kSearchStrength = 9
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+	cv := load6432(src, s)
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		var t int32
+		// We allow the encoder to optionally turn off repeat offsets across blocks
+		canRepeat := len(blk.sequences) > 2
+		var matched, index0 int32
+
+		for {
+			if debugAsserts && canRepeat && offset1 == 0 {
+				panic("offset0 was 0")
+			}
+
+			nextHashL := hashLen(cv, betterLongTableBits, betterLongLen)
+			nextHashS := hashLen(cv, betterShortTableBits, betterShortLen)
+			candidateL := e.longTable[nextHashL]
+			candidateS := e.table[nextHashS]
+
+			const repOff = 1
+			repIndex := s - offset1 + repOff
+			off := s + e.cur
+			e.longTable[nextHashL] = prevEntry{offset: off, prev: candidateL.offset}
+			e.table[nextHashS] = tableEntry{offset: off, val: uint32(cv)}
+			index0 = s + 1
+
+			if canRepeat {
+				if repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>(repOff*8)) {
+					// Consider history as well.
+					var seq seq
+					length := 4 + e.matchlen(s+4+repOff, repIndex+4, src)
+
+					seq.matchLen = uint32(length - zstdMinMatch)
+
+					// We might be able to match backwards.
+					// Extend as long as we can.
+					start := s + repOff
+					// We end the search early, so we don't risk 0 literals
+					// and have to do special offset treatment.
+					startLimit := nextEmit + 1
+
+					tMin := s - e.maxMatchOff
+					if tMin < 0 {
+						tMin = 0
+					}
+					for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 {
+						repIndex--
+						start--
+						seq.matchLen++
+					}
+					addLiterals(&seq, start)
+
+					// rep 0
+					seq.offset = 1
+					if debugSequences {
+						println("repeat sequence", seq, "next s:", s)
+					}
+					blk.sequences = append(blk.sequences, seq)
+
+					// Index match start+1 (long) -> s - 1
+					index0 := s + repOff
+					s += length + repOff
+
+					nextEmit = s
+					if s >= sLimit {
+						if debugEncoder {
+							println("repeat ended", s, length)
+
+						}
+						break encodeLoop
+					}
+					// Index skipped...
+					for index0 < s-1 {
+						cv0 := load6432(src, index0)
+						cv1 := cv0 >> 8
+						h0 := hashLen(cv0, betterLongTableBits, betterLongLen)
+						off := index0 + e.cur
+						e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset}
+						e.table[hashLen(cv1, betterShortTableBits, betterShortLen)] = tableEntry{offset: off + 1, val: uint32(cv1)}
+						index0 += 2
+					}
+					cv = load6432(src, s)
+					continue
+				}
+				const repOff2 = 1
+
+				// We deviate from the reference encoder and also check offset 2.
+				// Still slower and not much better, so disabled.
+				// repIndex = s - offset2 + repOff2
+				if false && repIndex >= 0 && load6432(src, repIndex) == load6432(src, s+repOff) {
+					// Consider history as well.
+					var seq seq
+					length := 8 + e.matchlen(s+8+repOff2, repIndex+8, src)
+
+					seq.matchLen = uint32(length - zstdMinMatch)
+
+					// We might be able to match backwards.
+					// Extend as long as we can.
+					start := s + repOff2
+					// We end the search early, so we don't risk 0 literals
+					// and have to do special offset treatment.
+					startLimit := nextEmit + 1
+
+					tMin := s - e.maxMatchOff
+					if tMin < 0 {
+						tMin = 0
+					}
+					for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 {
+						repIndex--
+						start--
+						seq.matchLen++
+					}
+					addLiterals(&seq, start)
+
+					// rep 2
+					seq.offset = 2
+					if debugSequences {
+						println("repeat sequence 2", seq, "next s:", s)
+					}
+					blk.sequences = append(blk.sequences, seq)
+
+					s += length + repOff2
+					nextEmit = s
+					if s >= sLimit {
+						if debugEncoder {
+							println("repeat ended", s, length)
+
+						}
+						break encodeLoop
+					}
+
+					// Index skipped...
+					for index0 < s-1 {
+						cv0 := load6432(src, index0)
+						cv1 := cv0 >> 8
+						h0 := hashLen(cv0, betterLongTableBits, betterLongLen)
+						off := index0 + e.cur
+						e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset}
+						e.table[hashLen(cv1, betterShortTableBits, betterShortLen)] = tableEntry{offset: off + 1, val: uint32(cv1)}
+						index0 += 2
+					}
+					cv = load6432(src, s)
+					// Swap offsets
+					offset1, offset2 = offset2, offset1
+					continue
+				}
+			}
+			// Find the offsets of our two matches.
+			coffsetL := candidateL.offset - e.cur
+			coffsetLP := candidateL.prev - e.cur
+
+			// Check if we have a long match.
+			if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) {
+				// Found a long match, at least 8 bytes.
+				matched = e.matchlen(s+8, coffsetL+8, src) + 8
+				t = coffsetL
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugMatches {
+					println("long match")
+				}
+
+				if s-coffsetLP < e.maxMatchOff && cv == load6432(src, coffsetLP) {
+					// Found a long match, at least 8 bytes.
+					prevMatch := e.matchlen(s+8, coffsetLP+8, src) + 8
+					if prevMatch > matched {
+						matched = prevMatch
+						t = coffsetLP
+					}
+					if debugAsserts && s <= t {
+						panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+					}
+					if debugAsserts && s-t > e.maxMatchOff {
+						panic("s - t >e.maxMatchOff")
+					}
+					if debugMatches {
+						println("long match")
+					}
+				}
+				break
+			}
+
+			// Check if we have a long match on prev.
+			if s-coffsetLP < e.maxMatchOff && cv == load6432(src, coffsetLP) {
+				// Found a long match, at least 8 bytes.
+				matched = e.matchlen(s+8, coffsetLP+8, src) + 8
+				t = coffsetLP
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugMatches {
+					println("long match")
+				}
+				break
+			}
+
+			coffsetS := candidateS.offset - e.cur
+
+			// Check if we have a short match.
+			if s-coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val {
+				// found a regular match
+				matched = e.matchlen(s+4, coffsetS+4, src) + 4
+
+				// See if we can find a long match at s+1
+				const checkAt = 1
+				cv := load6432(src, s+checkAt)
+				nextHashL = hashLen(cv, betterLongTableBits, betterLongLen)
+				candidateL = e.longTable[nextHashL]
+				coffsetL = candidateL.offset - e.cur
+
+				// We can store it, since we have at least a 4 byte match.
+				e.longTable[nextHashL] = prevEntry{offset: s + checkAt + e.cur, prev: candidateL.offset}
+				if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) {
+					// Found a long match, at least 8 bytes.
+					matchedNext := e.matchlen(s+8+checkAt, coffsetL+8, src) + 8
+					if matchedNext > matched {
+						t = coffsetL
+						s += checkAt
+						matched = matchedNext
+						if debugMatches {
+							println("long match (after short)")
+						}
+						break
+					}
+				}
+
+				// Check prev long...
+				coffsetL = candidateL.prev - e.cur
+				if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) {
+					// Found a long match, at least 8 bytes.
+					matchedNext := e.matchlen(s+8+checkAt, coffsetL+8, src) + 8
+					if matchedNext > matched {
+						t = coffsetL
+						s += checkAt
+						matched = matchedNext
+						if debugMatches {
+							println("prev long match (after short)")
+						}
+						break
+					}
+				}
+				t = coffsetS
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic("t<0")
+				}
+				if debugMatches {
+					println("short match")
+				}
+				break
+			}
+
+			// No match found, move forward in input.
+			s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1))
+			if s >= sLimit {
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+
+		// Try to find a better match by searching for a long match at the end of the current best match
+		if s+matched < sLimit {
+			// Allow some bytes at the beginning to mismatch.
+			// Sweet spot is around 3 bytes, but depends on input.
+			// The skipped bytes are tested in Extend backwards,
+			// and still picked up as part of the match if they do.
+			const skipBeginning = 3
+
+			nextHashL := hashLen(load6432(src, s+matched), betterLongTableBits, betterLongLen)
+			s2 := s + skipBeginning
+			cv := load3232(src, s2)
+			candidateL := e.longTable[nextHashL]
+			coffsetL := candidateL.offset - e.cur - matched + skipBeginning
+			if coffsetL >= 0 && coffsetL < s2 && s2-coffsetL < e.maxMatchOff && cv == load3232(src, coffsetL) {
+				// Found a long match, at least 4 bytes.
+				matchedNext := e.matchlen(s2+4, coffsetL+4, src) + 4
+				if matchedNext > matched {
+					t = coffsetL
+					s = s2
+					matched = matchedNext
+					if debugMatches {
+						println("long match at end-of-match")
+					}
+				}
+			}
+
+			// Check prev long...
+			if true {
+				coffsetL = candidateL.prev - e.cur - matched + skipBeginning
+				if coffsetL >= 0 && coffsetL < s2 && s2-coffsetL < e.maxMatchOff && cv == load3232(src, coffsetL) {
+					// Found a long match, at least 4 bytes.
+					matchedNext := e.matchlen(s2+4, coffsetL+4, src) + 4
+					if matchedNext > matched {
+						t = coffsetL
+						s = s2
+						matched = matchedNext
+						if debugMatches {
+							println("prev long match at end-of-match")
+						}
+					}
+				}
+			}
+		}
+		// A match has been found. Update recent offsets.
+		offset2 = offset1
+		offset1 = s - t
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		if debugAsserts && canRepeat && int(offset1) > len(src) {
+			panic("invalid offset")
+		}
+
+		// Extend the n-byte match as long as possible.
+		l := matched
+
+		// Extend backwards
+		tMin := s - e.maxMatchOff
+		if tMin < 0 {
+			tMin = 0
+		}
+		for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength {
+			s--
+			t--
+			l++
+		}
+
+		// Write our sequence
+		var seq seq
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+		if s >= sLimit {
+			break encodeLoop
+		}
+
+		// Index match start+1 (long) -> s - 1
+		off := index0 + e.cur
+		for index0 < s-1 {
+			cv0 := load6432(src, index0)
+			cv1 := cv0 >> 8
+			h0 := hashLen(cv0, betterLongTableBits, betterLongLen)
+			e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset}
+			e.table[hashLen(cv1, betterShortTableBits, betterShortLen)] = tableEntry{offset: off + 1, val: uint32(cv1)}
+			index0 += 2
+			off += 2
+		}
+
+		cv = load6432(src, s)
+		if !canRepeat {
+			continue
+		}
+
+		// Check offset 2
+		for {
+			o2 := s - offset2
+			if load3232(src, o2) != uint32(cv) {
+				// Do regular search
+				break
+			}
+
+			// Store this, since we have it.
+			nextHashL := hashLen(cv, betterLongTableBits, betterLongLen)
+			nextHashS := hashLen(cv, betterShortTableBits, betterShortLen)
+
+			// We have at least 4 byte match.
+			// No need to check backwards. We come straight from a match
+			l := 4 + e.matchlen(s+4, o2+4, src)
+
+			e.longTable[nextHashL] = prevEntry{offset: s + e.cur, prev: e.longTable[nextHashL].offset}
+			e.table[nextHashS] = tableEntry{offset: s + e.cur, val: uint32(cv)}
+			seq.matchLen = uint32(l) - zstdMinMatch
+			seq.litLen = 0
+
+			// Since litlen is always 0, this is offset 1.
+			seq.offset = 1
+			s += l
+			nextEmit = s
+			if debugSequences {
+				println("sequence", seq, "next s:", s)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Swap offset 1 and 2.
+			offset1, offset2 = offset2, offset1
+			if s >= sLimit {
+				// Finished
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	blk.recentOffsets[0] = uint32(offset1)
+	blk.recentOffsets[1] = uint32(offset2)
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+}
+
+// EncodeNoHist will encode a block with no history and no following blocks.
+// Most notable difference is that src will not be copied for history and
+// we do not need to check for max match length.
+func (e *betterFastEncoder) EncodeNoHist(blk *blockEnc, src []byte) {
+	e.ensureHist(len(src))
+	e.Encode(blk, src)
+}
+
+// Encode improves compression...
+func (e *betterFastEncoderDict) Encode(blk *blockEnc, src []byte) {
+	const (
+		// Input margin is the number of bytes we read (8)
+		// and the maximum we will read ahead (2)
+		inputMargin            = 8 + 2
+		minNonLiteralBlockSize = 16
+	)
+
+	// Protect against e.cur wraparound.
+	for e.cur >= e.bufferReset-int32(len(e.hist)) {
+		if len(e.hist) == 0 {
+			for i := range e.table[:] {
+				e.table[i] = tableEntry{}
+			}
+			for i := range e.longTable[:] {
+				e.longTable[i] = prevEntry{}
+			}
+			e.cur = e.maxMatchOff
+			e.allDirty = true
+			break
+		}
+		// Shift down everything in the table that isn't already too far away.
+		minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff
+		for i := range e.table[:] {
+			v := e.table[i].offset
+			if v < minOff {
+				v = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+			}
+			e.table[i].offset = v
+		}
+		for i := range e.longTable[:] {
+			v := e.longTable[i].offset
+			v2 := e.longTable[i].prev
+			if v < minOff {
+				v = 0
+				v2 = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+				if v2 < minOff {
+					v2 = 0
+				} else {
+					v2 = v2 - e.cur + e.maxMatchOff
+				}
+			}
+			e.longTable[i] = prevEntry{
+				offset: v,
+				prev:   v2,
+			}
+		}
+		e.allDirty = true
+		e.cur = e.maxMatchOff
+		break
+	}
+
+	s := e.addBlock(src)
+	blk.size = len(src)
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	// Override src
+	src = e.hist
+	sLimit := int32(len(src)) - inputMargin
+	// stepSize is the number of bytes to skip on every main loop iteration.
+	// It should be >= 1.
+	const stepSize = 1
+
+	const kSearchStrength = 9
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+	cv := load6432(src, s)
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		var t int32
+		// We allow the encoder to optionally turn off repeat offsets across blocks
+		canRepeat := len(blk.sequences) > 2
+		var matched, index0 int32
+
+		for {
+			if debugAsserts && canRepeat && offset1 == 0 {
+				panic("offset0 was 0")
+			}
+
+			nextHashL := hashLen(cv, betterLongTableBits, betterLongLen)
+			nextHashS := hashLen(cv, betterShortTableBits, betterShortLen)
+			candidateL := e.longTable[nextHashL]
+			candidateS := e.table[nextHashS]
+
+			const repOff = 1
+			repIndex := s - offset1 + repOff
+			off := s + e.cur
+			e.longTable[nextHashL] = prevEntry{offset: off, prev: candidateL.offset}
+			e.markLongShardDirty(nextHashL)
+			e.table[nextHashS] = tableEntry{offset: off, val: uint32(cv)}
+			e.markShortShardDirty(nextHashS)
+			index0 = s + 1
+
+			if canRepeat {
+				if repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>(repOff*8)) {
+					// Consider history as well.
+					var seq seq
+					length := 4 + e.matchlen(s+4+repOff, repIndex+4, src)
+
+					seq.matchLen = uint32(length - zstdMinMatch)
+
+					// We might be able to match backwards.
+					// Extend as long as we can.
+					start := s + repOff
+					// We end the search early, so we don't risk 0 literals
+					// and have to do special offset treatment.
+					startLimit := nextEmit + 1
+
+					tMin := s - e.maxMatchOff
+					if tMin < 0 {
+						tMin = 0
+					}
+					for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 {
+						repIndex--
+						start--
+						seq.matchLen++
+					}
+					addLiterals(&seq, start)
+
+					// rep 0
+					seq.offset = 1
+					if debugSequences {
+						println("repeat sequence", seq, "next s:", s)
+					}
+					blk.sequences = append(blk.sequences, seq)
+
+					// Index match start+1 (long) -> s - 1
+					s += length + repOff
+
+					nextEmit = s
+					if s >= sLimit {
+						if debugEncoder {
+							println("repeat ended", s, length)
+
+						}
+						break encodeLoop
+					}
+					// Index skipped...
+					for index0 < s-1 {
+						cv0 := load6432(src, index0)
+						cv1 := cv0 >> 8
+						h0 := hashLen(cv0, betterLongTableBits, betterLongLen)
+						off := index0 + e.cur
+						e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset}
+						e.markLongShardDirty(h0)
+						h1 := hashLen(cv1, betterShortTableBits, betterShortLen)
+						e.table[h1] = tableEntry{offset: off + 1, val: uint32(cv1)}
+						e.markShortShardDirty(h1)
+						index0 += 2
+					}
+					cv = load6432(src, s)
+					continue
+				}
+				const repOff2 = 1
+
+				// We deviate from the reference encoder and also check offset 2.
+				// Still slower and not much better, so disabled.
+				// repIndex = s - offset2 + repOff2
+				if false && repIndex >= 0 && load6432(src, repIndex) == load6432(src, s+repOff) {
+					// Consider history as well.
+					var seq seq
+					length := 8 + e.matchlen(s+8+repOff2, repIndex+8, src)
+
+					seq.matchLen = uint32(length - zstdMinMatch)
+
+					// We might be able to match backwards.
+					// Extend as long as we can.
+					start := s + repOff2
+					// We end the search early, so we don't risk 0 literals
+					// and have to do special offset treatment.
+					startLimit := nextEmit + 1
+
+					tMin := s - e.maxMatchOff
+					if tMin < 0 {
+						tMin = 0
+					}
+					for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 {
+						repIndex--
+						start--
+						seq.matchLen++
+					}
+					addLiterals(&seq, start)
+
+					// rep 2
+					seq.offset = 2
+					if debugSequences {
+						println("repeat sequence 2", seq, "next s:", s)
+					}
+					blk.sequences = append(blk.sequences, seq)
+
+					s += length + repOff2
+					nextEmit = s
+					if s >= sLimit {
+						if debugEncoder {
+							println("repeat ended", s, length)
+
+						}
+						break encodeLoop
+					}
+
+					// Index skipped...
+					for index0 < s-1 {
+						cv0 := load6432(src, index0)
+						cv1 := cv0 >> 8
+						h0 := hashLen(cv0, betterLongTableBits, betterLongLen)
+						off := index0 + e.cur
+						e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset}
+						e.markLongShardDirty(h0)
+						h1 := hashLen(cv1, betterShortTableBits, betterShortLen)
+						e.table[h1] = tableEntry{offset: off + 1, val: uint32(cv1)}
+						e.markShortShardDirty(h1)
+						index0 += 2
+					}
+					cv = load6432(src, s)
+					// Swap offsets
+					offset1, offset2 = offset2, offset1
+					continue
+				}
+			}
+			// Find the offsets of our two matches.
+			coffsetL := candidateL.offset - e.cur
+			coffsetLP := candidateL.prev - e.cur
+
+			// Check if we have a long match.
+			if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) {
+				// Found a long match, at least 8 bytes.
+				matched = e.matchlen(s+8, coffsetL+8, src) + 8
+				t = coffsetL
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugMatches {
+					println("long match")
+				}
+
+				if s-coffsetLP < e.maxMatchOff && cv == load6432(src, coffsetLP) {
+					// Found a long match, at least 8 bytes.
+					prevMatch := e.matchlen(s+8, coffsetLP+8, src) + 8
+					if prevMatch > matched {
+						matched = prevMatch
+						t = coffsetLP
+					}
+					if debugAsserts && s <= t {
+						panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+					}
+					if debugAsserts && s-t > e.maxMatchOff {
+						panic("s - t >e.maxMatchOff")
+					}
+					if debugMatches {
+						println("long match")
+					}
+				}
+				break
+			}
+
+			// Check if we have a long match on prev.
+			if s-coffsetLP < e.maxMatchOff && cv == load6432(src, coffsetLP) {
+				// Found a long match, at least 8 bytes.
+				matched = e.matchlen(s+8, coffsetLP+8, src) + 8
+				t = coffsetLP
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugMatches {
+					println("long match")
+				}
+				break
+			}
+
+			coffsetS := candidateS.offset - e.cur
+
+			// Check if we have a short match.
+			if s-coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val {
+				// found a regular match
+				matched = e.matchlen(s+4, coffsetS+4, src) + 4
+
+				// See if we can find a long match at s+1
+				const checkAt = 1
+				cv := load6432(src, s+checkAt)
+				nextHashL = hashLen(cv, betterLongTableBits, betterLongLen)
+				candidateL = e.longTable[nextHashL]
+				coffsetL = candidateL.offset - e.cur
+
+				// We can store it, since we have at least a 4 byte match.
+				e.longTable[nextHashL] = prevEntry{offset: s + checkAt + e.cur, prev: candidateL.offset}
+				e.markLongShardDirty(nextHashL)
+				if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) {
+					// Found a long match, at least 8 bytes.
+					matchedNext := e.matchlen(s+8+checkAt, coffsetL+8, src) + 8
+					if matchedNext > matched {
+						t = coffsetL
+						s += checkAt
+						matched = matchedNext
+						if debugMatches {
+							println("long match (after short)")
+						}
+						break
+					}
+				}
+
+				// Check prev long...
+				coffsetL = candidateL.prev - e.cur
+				if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) {
+					// Found a long match, at least 8 bytes.
+					matchedNext := e.matchlen(s+8+checkAt, coffsetL+8, src) + 8
+					if matchedNext > matched {
+						t = coffsetL
+						s += checkAt
+						matched = matchedNext
+						if debugMatches {
+							println("prev long match (after short)")
+						}
+						break
+					}
+				}
+				t = coffsetS
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic("t<0")
+				}
+				if debugMatches {
+					println("short match")
+				}
+				break
+			}
+
+			// No match found, move forward in input.
+			s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1))
+			if s >= sLimit {
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+		// Try to find a better match by searching for a long match at the end of the current best match
+		if s+matched < sLimit {
+			nextHashL := hashLen(load6432(src, s+matched), betterLongTableBits, betterLongLen)
+			cv := load3232(src, s)
+			candidateL := e.longTable[nextHashL]
+			coffsetL := candidateL.offset - e.cur - matched
+			if coffsetL >= 0 && coffsetL < s && s-coffsetL < e.maxMatchOff && cv == load3232(src, coffsetL) {
+				// Found a long match, at least 4 bytes.
+				matchedNext := e.matchlen(s+4, coffsetL+4, src) + 4
+				if matchedNext > matched {
+					t = coffsetL
+					matched = matchedNext
+					if debugMatches {
+						println("long match at end-of-match")
+					}
+				}
+			}
+
+			// Check prev long...
+			if true {
+				coffsetL = candidateL.prev - e.cur - matched
+				if coffsetL >= 0 && coffsetL < s && s-coffsetL < e.maxMatchOff && cv == load3232(src, coffsetL) {
+					// Found a long match, at least 4 bytes.
+					matchedNext := e.matchlen(s+4, coffsetL+4, src) + 4
+					if matchedNext > matched {
+						t = coffsetL
+						matched = matchedNext
+						if debugMatches {
+							println("prev long match at end-of-match")
+						}
+					}
+				}
+			}
+		}
+		// A match has been found. Update recent offsets.
+		offset2 = offset1
+		offset1 = s - t
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		if debugAsserts && canRepeat && int(offset1) > len(src) {
+			panic("invalid offset")
+		}
+
+		// Extend the n-byte match as long as possible.
+		l := matched
+
+		// Extend backwards
+		tMin := s - e.maxMatchOff
+		if tMin < 0 {
+			tMin = 0
+		}
+		for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength {
+			s--
+			t--
+			l++
+		}
+
+		// Write our sequence
+		var seq seq
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+		if s >= sLimit {
+			break encodeLoop
+		}
+
+		// Index match start+1 (long) -> s - 1
+		off := index0 + e.cur
+		for index0 < s-1 {
+			cv0 := load6432(src, index0)
+			cv1 := cv0 >> 8
+			h0 := hashLen(cv0, betterLongTableBits, betterLongLen)
+			e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset}
+			e.markLongShardDirty(h0)
+			h1 := hashLen(cv1, betterShortTableBits, betterShortLen)
+			e.table[h1] = tableEntry{offset: off + 1, val: uint32(cv1)}
+			e.markShortShardDirty(h1)
+			index0 += 2
+			off += 2
+		}
+
+		cv = load6432(src, s)
+		if !canRepeat {
+			continue
+		}
+
+		// Check offset 2
+		for {
+			o2 := s - offset2
+			if load3232(src, o2) != uint32(cv) {
+				// Do regular search
+				break
+			}
+
+			// Store this, since we have it.
+			nextHashL := hashLen(cv, betterLongTableBits, betterLongLen)
+			nextHashS := hashLen(cv, betterShortTableBits, betterShortLen)
+
+			// We have at least 4 byte match.
+			// No need to check backwards. We come straight from a match
+			l := 4 + e.matchlen(s+4, o2+4, src)
+
+			e.longTable[nextHashL] = prevEntry{offset: s + e.cur, prev: e.longTable[nextHashL].offset}
+			e.markLongShardDirty(nextHashL)
+			e.table[nextHashS] = tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.markShortShardDirty(nextHashS)
+			seq.matchLen = uint32(l) - zstdMinMatch
+			seq.litLen = 0
+
+			// Since litlen is always 0, this is offset 1.
+			seq.offset = 1
+			s += l
+			nextEmit = s
+			if debugSequences {
+				println("sequence", seq, "next s:", s)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Swap offset 1 and 2.
+			offset1, offset2 = offset2, offset1
+			if s >= sLimit {
+				// Finished
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	blk.recentOffsets[0] = uint32(offset1)
+	blk.recentOffsets[1] = uint32(offset2)
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+}
+
+// ResetDict will reset and set a dictionary if not nil
+func (e *betterFastEncoder) Reset(d *dict, singleBlock bool) {
+	e.resetBase(d, singleBlock)
+	if d != nil {
+		panic("betterFastEncoder: Reset with dict")
+	}
+}
+
+// ResetDict will reset and set a dictionary if not nil
+func (e *betterFastEncoderDict) Reset(d *dict, singleBlock bool) {
+	e.resetBase(d, singleBlock)
+	if d == nil {
+		return
+	}
+	// Init or copy dict table
+	if len(e.dictTable) != len(e.table) || d.id != e.lastDictID {
+		if len(e.dictTable) != len(e.table) {
+			e.dictTable = make([]tableEntry, len(e.table))
+		}
+		end := int32(len(d.content)) - 8 + e.maxMatchOff
+		for i := e.maxMatchOff; i < end; i += 4 {
+			const hashLog = betterShortTableBits
+
+			cv := load6432(d.content, i-e.maxMatchOff)
+			nextHash := hashLen(cv, hashLog, betterShortLen)      // 0 -> 4
+			nextHash1 := hashLen(cv>>8, hashLog, betterShortLen)  // 1 -> 5
+			nextHash2 := hashLen(cv>>16, hashLog, betterShortLen) // 2 -> 6
+			nextHash3 := hashLen(cv>>24, hashLog, betterShortLen) // 3 -> 7
+			e.dictTable[nextHash] = tableEntry{
+				val:    uint32(cv),
+				offset: i,
+			}
+			e.dictTable[nextHash1] = tableEntry{
+				val:    uint32(cv >> 8),
+				offset: i + 1,
+			}
+			e.dictTable[nextHash2] = tableEntry{
+				val:    uint32(cv >> 16),
+				offset: i + 2,
+			}
+			e.dictTable[nextHash3] = tableEntry{
+				val:    uint32(cv >> 24),
+				offset: i + 3,
+			}
+		}
+		e.lastDictID = d.id
+		e.allDirty = true
+	}
+
+	// Init or copy dict table
+	if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID {
+		if len(e.dictLongTable) != len(e.longTable) {
+			e.dictLongTable = make([]prevEntry, len(e.longTable))
+		}
+		if len(d.content) >= 8 {
+			cv := load6432(d.content, 0)
+			h := hashLen(cv, betterLongTableBits, betterLongLen)
+			e.dictLongTable[h] = prevEntry{
+				offset: e.maxMatchOff,
+				prev:   e.dictLongTable[h].offset,
+			}
+
+			end := int32(len(d.content)) - 8 + e.maxMatchOff
+			off := 8 // First to read
+			for i := e.maxMatchOff + 1; i < end; i++ {
+				cv = cv>>8 | (uint64(d.content[off]) << 56)
+				h := hashLen(cv, betterLongTableBits, betterLongLen)
+				e.dictLongTable[h] = prevEntry{
+					offset: i,
+					prev:   e.dictLongTable[h].offset,
+				}
+				off++
+			}
+		}
+		e.lastDictID = d.id
+		e.allDirty = true
+	}
+
+	// Reset table to initial state
+	{
+		dirtyShardCnt := 0
+		if !e.allDirty {
+			for i := range e.shortTableShardDirty {
+				if e.shortTableShardDirty[i] {
+					dirtyShardCnt++
+				}
+			}
+		}
+		const shardCnt = betterShortTableShardCnt
+		const shardSize = betterShortTableShardSize
+		if e.allDirty || dirtyShardCnt > shardCnt*4/6 {
+			copy(e.table[:], e.dictTable)
+			for i := range e.shortTableShardDirty {
+				e.shortTableShardDirty[i] = false
+			}
+		} else {
+			for i := range e.shortTableShardDirty {
+				if !e.shortTableShardDirty[i] {
+					continue
+				}
+
+				copy(e.table[i*shardSize:(i+1)*shardSize], e.dictTable[i*shardSize:(i+1)*shardSize])
+				e.shortTableShardDirty[i] = false
+			}
+		}
+	}
+	{
+		dirtyShardCnt := 0
+		if !e.allDirty {
+			for i := range e.shortTableShardDirty {
+				if e.shortTableShardDirty[i] {
+					dirtyShardCnt++
+				}
+			}
+		}
+		const shardCnt = betterLongTableShardCnt
+		const shardSize = betterLongTableShardSize
+		if e.allDirty || dirtyShardCnt > shardCnt*4/6 {
+			copy(e.longTable[:], e.dictLongTable)
+			for i := range e.longTableShardDirty {
+				e.longTableShardDirty[i] = false
+			}
+		} else {
+			for i := range e.longTableShardDirty {
+				if !e.longTableShardDirty[i] {
+					continue
+				}
+
+				copy(e.longTable[i*shardSize:(i+1)*shardSize], e.dictLongTable[i*shardSize:(i+1)*shardSize])
+				e.longTableShardDirty[i] = false
+			}
+		}
+	}
+	e.cur = e.maxMatchOff
+	e.allDirty = false
+}
+
+func (e *betterFastEncoderDict) markLongShardDirty(entryNum uint32) {
+	e.longTableShardDirty[entryNum/betterLongTableShardSize] = true
+}
+
+func (e *betterFastEncoderDict) markShortShardDirty(entryNum uint32) {
+	e.shortTableShardDirty[entryNum/betterShortTableShardSize] = true
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_dfast.go b/vendor/github.com/klauspost/compress/zstd/enc_dfast.go
new file mode 100644
index 0000000000..d36be7bd8c
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/enc_dfast.go
@@ -0,0 +1,1123 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import "fmt"
+
+const (
+	dFastLongTableBits = 17                      // Bits used in the long match table
+	dFastLongTableSize = 1 << dFastLongTableBits // Size of the table
+	dFastLongTableMask = dFastLongTableSize - 1  // Mask for table indices. Redundant, but can eliminate bounds checks.
+	dFastLongLen       = 8                       // Bytes used for table hash
+
+	dLongTableShardCnt  = 1 << (dFastLongTableBits - dictShardBits) // Number of shards in the table
+	dLongTableShardSize = dFastLongTableSize / tableShardCnt        // Size of an individual shard
+
+	dFastShortTableBits = tableBits                // Bits used in the short match table
+	dFastShortTableSize = 1 << dFastShortTableBits // Size of the table
+	dFastShortTableMask = dFastShortTableSize - 1  // Mask for table indices. Redundant, but can eliminate bounds checks.
+	dFastShortLen       = 5                        // Bytes used for table hash
+
+)
+
+type doubleFastEncoder struct {
+	fastEncoder
+	longTable [dFastLongTableSize]tableEntry
+}
+
+type doubleFastEncoderDict struct {
+	fastEncoderDict
+	longTable           [dFastLongTableSize]tableEntry
+	dictLongTable       []tableEntry
+	longTableShardDirty [dLongTableShardCnt]bool
+}
+
+// Encode mimmics functionality in zstd_dfast.c
+func (e *doubleFastEncoder) Encode(blk *blockEnc, src []byte) {
+	const (
+		// Input margin is the number of bytes we read (8)
+		// and the maximum we will read ahead (2)
+		inputMargin            = 8 + 2
+		minNonLiteralBlockSize = 16
+	)
+
+	// Protect against e.cur wraparound.
+	for e.cur >= e.bufferReset-int32(len(e.hist)) {
+		if len(e.hist) == 0 {
+			e.table = [dFastShortTableSize]tableEntry{}
+			e.longTable = [dFastLongTableSize]tableEntry{}
+			e.cur = e.maxMatchOff
+			break
+		}
+		// Shift down everything in the table that isn't already too far away.
+		minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff
+		for i := range e.table[:] {
+			v := e.table[i].offset
+			if v < minOff {
+				v = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+			}
+			e.table[i].offset = v
+		}
+		for i := range e.longTable[:] {
+			v := e.longTable[i].offset
+			if v < minOff {
+				v = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+			}
+			e.longTable[i].offset = v
+		}
+		e.cur = e.maxMatchOff
+		break
+	}
+
+	s := e.addBlock(src)
+	blk.size = len(src)
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	// Override src
+	src = e.hist
+	sLimit := int32(len(src)) - inputMargin
+	// stepSize is the number of bytes to skip on every main loop iteration.
+	// It should be >= 1.
+	const stepSize = 1
+
+	const kSearchStrength = 8
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+	cv := load6432(src, s)
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		var t int32
+		// We allow the encoder to optionally turn off repeat offsets across blocks
+		canRepeat := len(blk.sequences) > 2
+
+		for {
+			if debugAsserts && canRepeat && offset1 == 0 {
+				panic("offset0 was 0")
+			}
+
+			nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen)
+			nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen)
+			candidateL := e.longTable[nextHashL]
+			candidateS := e.table[nextHashS]
+
+			const repOff = 1
+			repIndex := s - offset1 + repOff
+			entry := tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.longTable[nextHashL] = entry
+			e.table[nextHashS] = entry
+
+			if canRepeat {
+				if repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>(repOff*8)) {
+					// Consider history as well.
+					var seq seq
+					length := 4 + e.matchlen(s+4+repOff, repIndex+4, src)
+
+					seq.matchLen = uint32(length - zstdMinMatch)
+
+					// We might be able to match backwards.
+					// Extend as long as we can.
+					start := s + repOff
+					// We end the search early, so we don't risk 0 literals
+					// and have to do special offset treatment.
+					startLimit := nextEmit + 1
+
+					tMin := s - e.maxMatchOff
+					if tMin < 0 {
+						tMin = 0
+					}
+					for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 {
+						repIndex--
+						start--
+						seq.matchLen++
+					}
+					addLiterals(&seq, start)
+
+					// rep 0
+					seq.offset = 1
+					if debugSequences {
+						println("repeat sequence", seq, "next s:", s)
+					}
+					blk.sequences = append(blk.sequences, seq)
+					s += length + repOff
+					nextEmit = s
+					if s >= sLimit {
+						if debugEncoder {
+							println("repeat ended", s, length)
+
+						}
+						break encodeLoop
+					}
+					cv = load6432(src, s)
+					continue
+				}
+			}
+			// Find the offsets of our two matches.
+			coffsetL := s - (candidateL.offset - e.cur)
+			coffsetS := s - (candidateS.offset - e.cur)
+
+			// Check if we have a long match.
+			if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val {
+				// Found a long match, likely at least 8 bytes.
+				// Reference encoder checks all 8 bytes, we only check 4,
+				// but the likelihood of both the first 4 bytes and the hash matching should be enough.
+				t = candidateL.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugMatches {
+					println("long match")
+				}
+				break
+			}
+
+			// Check if we have a short match.
+			if coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val {
+				// found a regular match
+				// See if we can find a long match at s+1
+				const checkAt = 1
+				cv := load6432(src, s+checkAt)
+				nextHashL = hashLen(cv, dFastLongTableBits, dFastLongLen)
+				candidateL = e.longTable[nextHashL]
+				coffsetL = s - (candidateL.offset - e.cur) + checkAt
+
+				// We can store it, since we have at least a 4 byte match.
+				e.longTable[nextHashL] = tableEntry{offset: s + checkAt + e.cur, val: uint32(cv)}
+				if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val {
+					// Found a long match, likely at least 8 bytes.
+					// Reference encoder checks all 8 bytes, we only check 4,
+					// but the likelihood of both the first 4 bytes and the hash matching should be enough.
+					t = candidateL.offset - e.cur
+					s += checkAt
+					if debugMatches {
+						println("long match (after short)")
+					}
+					break
+				}
+
+				t = candidateS.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic("t<0")
+				}
+				if debugMatches {
+					println("short match")
+				}
+				break
+			}
+
+			// No match found, move forward in input.
+			s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1))
+			if s >= sLimit {
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+
+		// A 4-byte match has been found. Update recent offsets.
+		// We'll later see if more than 4 bytes.
+		offset2 = offset1
+		offset1 = s - t
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		if debugAsserts && canRepeat && int(offset1) > len(src) {
+			panic("invalid offset")
+		}
+
+		// Extend the 4-byte match as long as possible.
+		l := e.matchlen(s+4, t+4, src) + 4
+
+		// Extend backwards
+		tMin := s - e.maxMatchOff
+		if tMin < 0 {
+			tMin = 0
+		}
+		for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength {
+			s--
+			t--
+			l++
+		}
+
+		// Write our sequence
+		var seq seq
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+		if s >= sLimit {
+			break encodeLoop
+		}
+
+		// Index match start+1 (long) and start+2 (short)
+		index0 := s - l + 1
+		// Index match end-2 (long) and end-1 (short)
+		index1 := s - 2
+
+		cv0 := load6432(src, index0)
+		cv1 := load6432(src, index1)
+		te0 := tableEntry{offset: index0 + e.cur, val: uint32(cv0)}
+		te1 := tableEntry{offset: index1 + e.cur, val: uint32(cv1)}
+		e.longTable[hashLen(cv0, dFastLongTableBits, dFastLongLen)] = te0
+		e.longTable[hashLen(cv1, dFastLongTableBits, dFastLongLen)] = te1
+		cv0 >>= 8
+		cv1 >>= 8
+		te0.offset++
+		te1.offset++
+		te0.val = uint32(cv0)
+		te1.val = uint32(cv1)
+		e.table[hashLen(cv0, dFastShortTableBits, dFastShortLen)] = te0
+		e.table[hashLen(cv1, dFastShortTableBits, dFastShortLen)] = te1
+
+		cv = load6432(src, s)
+
+		if !canRepeat {
+			continue
+		}
+
+		// Check offset 2
+		for {
+			o2 := s - offset2
+			if load3232(src, o2) != uint32(cv) {
+				// Do regular search
+				break
+			}
+
+			// Store this, since we have it.
+			nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen)
+			nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen)
+
+			// We have at least 4 byte match.
+			// No need to check backwards. We come straight from a match
+			l := 4 + e.matchlen(s+4, o2+4, src)
+
+			entry := tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.longTable[nextHashL] = entry
+			e.table[nextHashS] = entry
+			seq.matchLen = uint32(l) - zstdMinMatch
+			seq.litLen = 0
+
+			// Since litlen is always 0, this is offset 1.
+			seq.offset = 1
+			s += l
+			nextEmit = s
+			if debugSequences {
+				println("sequence", seq, "next s:", s)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Swap offset 1 and 2.
+			offset1, offset2 = offset2, offset1
+			if s >= sLimit {
+				// Finished
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	blk.recentOffsets[0] = uint32(offset1)
+	blk.recentOffsets[1] = uint32(offset2)
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+}
+
+// EncodeNoHist will encode a block with no history and no following blocks.
+// Most notable difference is that src will not be copied for history and
+// we do not need to check for max match length.
+func (e *doubleFastEncoder) EncodeNoHist(blk *blockEnc, src []byte) {
+	const (
+		// Input margin is the number of bytes we read (8)
+		// and the maximum we will read ahead (2)
+		inputMargin            = 8 + 2
+		minNonLiteralBlockSize = 16
+	)
+
+	// Protect against e.cur wraparound.
+	if e.cur >= e.bufferReset {
+		for i := range e.table[:] {
+			e.table[i] = tableEntry{}
+		}
+		for i := range e.longTable[:] {
+			e.longTable[i] = tableEntry{}
+		}
+		e.cur = e.maxMatchOff
+	}
+
+	s := int32(0)
+	blk.size = len(src)
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	// Override src
+	sLimit := int32(len(src)) - inputMargin
+	// stepSize is the number of bytes to skip on every main loop iteration.
+	// It should be >= 1.
+	const stepSize = 1
+
+	const kSearchStrength = 8
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+	cv := load6432(src, s)
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		var t int32
+		for {
+
+			nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen)
+			nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen)
+			candidateL := e.longTable[nextHashL]
+			candidateS := e.table[nextHashS]
+
+			const repOff = 1
+			repIndex := s - offset1 + repOff
+			entry := tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.longTable[nextHashL] = entry
+			e.table[nextHashS] = entry
+
+			if len(blk.sequences) > 2 {
+				if load3232(src, repIndex) == uint32(cv>>(repOff*8)) {
+					// Consider history as well.
+					var seq seq
+					//length := 4 + e.matchlen(s+4+repOff, repIndex+4, src)
+					length := 4 + int32(matchLen(src[s+4+repOff:], src[repIndex+4:]))
+
+					seq.matchLen = uint32(length - zstdMinMatch)
+
+					// We might be able to match backwards.
+					// Extend as long as we can.
+					start := s + repOff
+					// We end the search early, so we don't risk 0 literals
+					// and have to do special offset treatment.
+					startLimit := nextEmit + 1
+
+					tMin := s - e.maxMatchOff
+					if tMin < 0 {
+						tMin = 0
+					}
+					for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] {
+						repIndex--
+						start--
+						seq.matchLen++
+					}
+					addLiterals(&seq, start)
+
+					// rep 0
+					seq.offset = 1
+					if debugSequences {
+						println("repeat sequence", seq, "next s:", s)
+					}
+					blk.sequences = append(blk.sequences, seq)
+					s += length + repOff
+					nextEmit = s
+					if s >= sLimit {
+						if debugEncoder {
+							println("repeat ended", s, length)
+
+						}
+						break encodeLoop
+					}
+					cv = load6432(src, s)
+					continue
+				}
+			}
+			// Find the offsets of our two matches.
+			coffsetL := s - (candidateL.offset - e.cur)
+			coffsetS := s - (candidateS.offset - e.cur)
+
+			// Check if we have a long match.
+			if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val {
+				// Found a long match, likely at least 8 bytes.
+				// Reference encoder checks all 8 bytes, we only check 4,
+				// but the likelihood of both the first 4 bytes and the hash matching should be enough.
+				t = candidateL.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d). cur: %d", s, t, e.cur))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugMatches {
+					println("long match")
+				}
+				break
+			}
+
+			// Check if we have a short match.
+			if coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val {
+				// found a regular match
+				// See if we can find a long match at s+1
+				const checkAt = 1
+				cv := load6432(src, s+checkAt)
+				nextHashL = hashLen(cv, dFastLongTableBits, dFastLongLen)
+				candidateL = e.longTable[nextHashL]
+				coffsetL = s - (candidateL.offset - e.cur) + checkAt
+
+				// We can store it, since we have at least a 4 byte match.
+				e.longTable[nextHashL] = tableEntry{offset: s + checkAt + e.cur, val: uint32(cv)}
+				if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val {
+					// Found a long match, likely at least 8 bytes.
+					// Reference encoder checks all 8 bytes, we only check 4,
+					// but the likelihood of both the first 4 bytes and the hash matching should be enough.
+					t = candidateL.offset - e.cur
+					s += checkAt
+					if debugMatches {
+						println("long match (after short)")
+					}
+					break
+				}
+
+				t = candidateS.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic("t<0")
+				}
+				if debugMatches {
+					println("short match")
+				}
+				break
+			}
+
+			// No match found, move forward in input.
+			s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1))
+			if s >= sLimit {
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+
+		// A 4-byte match has been found. Update recent offsets.
+		// We'll later see if more than 4 bytes.
+		offset2 = offset1
+		offset1 = s - t
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		// Extend the 4-byte match as long as possible.
+		//l := e.matchlen(s+4, t+4, src) + 4
+		l := int32(matchLen(src[s+4:], src[t+4:])) + 4
+
+		// Extend backwards
+		tMin := s - e.maxMatchOff
+		if tMin < 0 {
+			tMin = 0
+		}
+		for t > tMin && s > nextEmit && src[t-1] == src[s-1] {
+			s--
+			t--
+			l++
+		}
+
+		// Write our sequence
+		var seq seq
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+		if s >= sLimit {
+			break encodeLoop
+		}
+
+		// Index match start+1 (long) and start+2 (short)
+		index0 := s - l + 1
+		// Index match end-2 (long) and end-1 (short)
+		index1 := s - 2
+
+		cv0 := load6432(src, index0)
+		cv1 := load6432(src, index1)
+		te0 := tableEntry{offset: index0 + e.cur, val: uint32(cv0)}
+		te1 := tableEntry{offset: index1 + e.cur, val: uint32(cv1)}
+		e.longTable[hashLen(cv0, dFastLongTableBits, dFastLongLen)] = te0
+		e.longTable[hashLen(cv1, dFastLongTableBits, dFastLongLen)] = te1
+		cv0 >>= 8
+		cv1 >>= 8
+		te0.offset++
+		te1.offset++
+		te0.val = uint32(cv0)
+		te1.val = uint32(cv1)
+		e.table[hashLen(cv0, dFastShortTableBits, dFastShortLen)] = te0
+		e.table[hashLen(cv1, dFastShortTableBits, dFastShortLen)] = te1
+
+		cv = load6432(src, s)
+
+		if len(blk.sequences) <= 2 {
+			continue
+		}
+
+		// Check offset 2
+		for {
+			o2 := s - offset2
+			if load3232(src, o2) != uint32(cv) {
+				// Do regular search
+				break
+			}
+
+			// Store this, since we have it.
+			nextHashS := hashLen(cv1>>8, dFastShortTableBits, dFastShortLen)
+			nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen)
+
+			// We have at least 4 byte match.
+			// No need to check backwards. We come straight from a match
+			//l := 4 + e.matchlen(s+4, o2+4, src)
+			l := 4 + int32(matchLen(src[s+4:], src[o2+4:]))
+
+			entry := tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.longTable[nextHashL] = entry
+			e.table[nextHashS] = entry
+			seq.matchLen = uint32(l) - zstdMinMatch
+			seq.litLen = 0
+
+			// Since litlen is always 0, this is offset 1.
+			seq.offset = 1
+			s += l
+			nextEmit = s
+			if debugSequences {
+				println("sequence", seq, "next s:", s)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Swap offset 1 and 2.
+			offset1, offset2 = offset2, offset1
+			if s >= sLimit {
+				// Finished
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+
+	// We do not store history, so we must offset e.cur to avoid false matches for next user.
+	if e.cur < e.bufferReset {
+		e.cur += int32(len(src))
+	}
+}
+
+// Encode will encode the content, with a dictionary if initialized for it.
+func (e *doubleFastEncoderDict) Encode(blk *blockEnc, src []byte) {
+	const (
+		// Input margin is the number of bytes we read (8)
+		// and the maximum we will read ahead (2)
+		inputMargin            = 8 + 2
+		minNonLiteralBlockSize = 16
+	)
+
+	// Protect against e.cur wraparound.
+	for e.cur >= e.bufferReset-int32(len(e.hist)) {
+		if len(e.hist) == 0 {
+			for i := range e.table[:] {
+				e.table[i] = tableEntry{}
+			}
+			for i := range e.longTable[:] {
+				e.longTable[i] = tableEntry{}
+			}
+			e.markAllShardsDirty()
+			e.cur = e.maxMatchOff
+			break
+		}
+		// Shift down everything in the table that isn't already too far away.
+		minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff
+		for i := range e.table[:] {
+			v := e.table[i].offset
+			if v < minOff {
+				v = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+			}
+			e.table[i].offset = v
+		}
+		for i := range e.longTable[:] {
+			v := e.longTable[i].offset
+			if v < minOff {
+				v = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+			}
+			e.longTable[i].offset = v
+		}
+		e.markAllShardsDirty()
+		e.cur = e.maxMatchOff
+		break
+	}
+
+	s := e.addBlock(src)
+	blk.size = len(src)
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	// Override src
+	src = e.hist
+	sLimit := int32(len(src)) - inputMargin
+	// stepSize is the number of bytes to skip on every main loop iteration.
+	// It should be >= 1.
+	const stepSize = 1
+
+	const kSearchStrength = 8
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+	cv := load6432(src, s)
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		var t int32
+		// We allow the encoder to optionally turn off repeat offsets across blocks
+		canRepeat := len(blk.sequences) > 2
+
+		for {
+			if debugAsserts && canRepeat && offset1 == 0 {
+				panic("offset0 was 0")
+			}
+
+			nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen)
+			nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen)
+			candidateL := e.longTable[nextHashL]
+			candidateS := e.table[nextHashS]
+
+			const repOff = 1
+			repIndex := s - offset1 + repOff
+			entry := tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.longTable[nextHashL] = entry
+			e.markLongShardDirty(nextHashL)
+			e.table[nextHashS] = entry
+			e.markShardDirty(nextHashS)
+
+			if canRepeat {
+				if repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>(repOff*8)) {
+					// Consider history as well.
+					var seq seq
+					length := 4 + e.matchlen(s+4+repOff, repIndex+4, src)
+
+					seq.matchLen = uint32(length - zstdMinMatch)
+
+					// We might be able to match backwards.
+					// Extend as long as we can.
+					start := s + repOff
+					// We end the search early, so we don't risk 0 literals
+					// and have to do special offset treatment.
+					startLimit := nextEmit + 1
+
+					tMin := s - e.maxMatchOff
+					if tMin < 0 {
+						tMin = 0
+					}
+					for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 {
+						repIndex--
+						start--
+						seq.matchLen++
+					}
+					addLiterals(&seq, start)
+
+					// rep 0
+					seq.offset = 1
+					if debugSequences {
+						println("repeat sequence", seq, "next s:", s)
+					}
+					blk.sequences = append(blk.sequences, seq)
+					s += length + repOff
+					nextEmit = s
+					if s >= sLimit {
+						if debugEncoder {
+							println("repeat ended", s, length)
+
+						}
+						break encodeLoop
+					}
+					cv = load6432(src, s)
+					continue
+				}
+			}
+			// Find the offsets of our two matches.
+			coffsetL := s - (candidateL.offset - e.cur)
+			coffsetS := s - (candidateS.offset - e.cur)
+
+			// Check if we have a long match.
+			if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val {
+				// Found a long match, likely at least 8 bytes.
+				// Reference encoder checks all 8 bytes, we only check 4,
+				// but the likelihood of both the first 4 bytes and the hash matching should be enough.
+				t = candidateL.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugMatches {
+					println("long match")
+				}
+				break
+			}
+
+			// Check if we have a short match.
+			if coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val {
+				// found a regular match
+				// See if we can find a long match at s+1
+				const checkAt = 1
+				cv := load6432(src, s+checkAt)
+				nextHashL = hashLen(cv, dFastLongTableBits, dFastLongLen)
+				candidateL = e.longTable[nextHashL]
+				coffsetL = s - (candidateL.offset - e.cur) + checkAt
+
+				// We can store it, since we have at least a 4 byte match.
+				e.longTable[nextHashL] = tableEntry{offset: s + checkAt + e.cur, val: uint32(cv)}
+				e.markLongShardDirty(nextHashL)
+				if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val {
+					// Found a long match, likely at least 8 bytes.
+					// Reference encoder checks all 8 bytes, we only check 4,
+					// but the likelihood of both the first 4 bytes and the hash matching should be enough.
+					t = candidateL.offset - e.cur
+					s += checkAt
+					if debugMatches {
+						println("long match (after short)")
+					}
+					break
+				}
+
+				t = candidateS.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic("t<0")
+				}
+				if debugMatches {
+					println("short match")
+				}
+				break
+			}
+
+			// No match found, move forward in input.
+			s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1))
+			if s >= sLimit {
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+
+		// A 4-byte match has been found. Update recent offsets.
+		// We'll later see if more than 4 bytes.
+		offset2 = offset1
+		offset1 = s - t
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		if debugAsserts && canRepeat && int(offset1) > len(src) {
+			panic("invalid offset")
+		}
+
+		// Extend the 4-byte match as long as possible.
+		l := e.matchlen(s+4, t+4, src) + 4
+
+		// Extend backwards
+		tMin := s - e.maxMatchOff
+		if tMin < 0 {
+			tMin = 0
+		}
+		for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength {
+			s--
+			t--
+			l++
+		}
+
+		// Write our sequence
+		var seq seq
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+		if s >= sLimit {
+			break encodeLoop
+		}
+
+		// Index match start+1 (long) and start+2 (short)
+		index0 := s - l + 1
+		// Index match end-2 (long) and end-1 (short)
+		index1 := s - 2
+
+		cv0 := load6432(src, index0)
+		cv1 := load6432(src, index1)
+		te0 := tableEntry{offset: index0 + e.cur, val: uint32(cv0)}
+		te1 := tableEntry{offset: index1 + e.cur, val: uint32(cv1)}
+		longHash1 := hashLen(cv0, dFastLongTableBits, dFastLongLen)
+		longHash2 := hashLen(cv1, dFastLongTableBits, dFastLongLen)
+		e.longTable[longHash1] = te0
+		e.longTable[longHash2] = te1
+		e.markLongShardDirty(longHash1)
+		e.markLongShardDirty(longHash2)
+		cv0 >>= 8
+		cv1 >>= 8
+		te0.offset++
+		te1.offset++
+		te0.val = uint32(cv0)
+		te1.val = uint32(cv1)
+		hashVal1 := hashLen(cv0, dFastShortTableBits, dFastShortLen)
+		hashVal2 := hashLen(cv1, dFastShortTableBits, dFastShortLen)
+		e.table[hashVal1] = te0
+		e.markShardDirty(hashVal1)
+		e.table[hashVal2] = te1
+		e.markShardDirty(hashVal2)
+
+		cv = load6432(src, s)
+
+		if !canRepeat {
+			continue
+		}
+
+		// Check offset 2
+		for {
+			o2 := s - offset2
+			if load3232(src, o2) != uint32(cv) {
+				// Do regular search
+				break
+			}
+
+			// Store this, since we have it.
+			nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen)
+			nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen)
+
+			// We have at least 4 byte match.
+			// No need to check backwards. We come straight from a match
+			l := 4 + e.matchlen(s+4, o2+4, src)
+
+			entry := tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.longTable[nextHashL] = entry
+			e.markLongShardDirty(nextHashL)
+			e.table[nextHashS] = entry
+			e.markShardDirty(nextHashS)
+			seq.matchLen = uint32(l) - zstdMinMatch
+			seq.litLen = 0
+
+			// Since litlen is always 0, this is offset 1.
+			seq.offset = 1
+			s += l
+			nextEmit = s
+			if debugSequences {
+				println("sequence", seq, "next s:", s)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Swap offset 1 and 2.
+			offset1, offset2 = offset2, offset1
+			if s >= sLimit {
+				// Finished
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	blk.recentOffsets[0] = uint32(offset1)
+	blk.recentOffsets[1] = uint32(offset2)
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+	// If we encoded more than 64K mark all dirty.
+	if len(src) > 64<<10 {
+		e.markAllShardsDirty()
+	}
+}
+
+// ResetDict will reset and set a dictionary if not nil
+func (e *doubleFastEncoder) Reset(d *dict, singleBlock bool) {
+	e.fastEncoder.Reset(d, singleBlock)
+	if d != nil {
+		panic("doubleFastEncoder: Reset with dict not supported")
+	}
+}
+
+// ResetDict will reset and set a dictionary if not nil
+func (e *doubleFastEncoderDict) Reset(d *dict, singleBlock bool) {
+	allDirty := e.allDirty
+	e.fastEncoderDict.Reset(d, singleBlock)
+	if d == nil {
+		return
+	}
+
+	// Init or copy dict table
+	if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID {
+		if len(e.dictLongTable) != len(e.longTable) {
+			e.dictLongTable = make([]tableEntry, len(e.longTable))
+		}
+		if len(d.content) >= 8 {
+			cv := load6432(d.content, 0)
+			e.dictLongTable[hashLen(cv, dFastLongTableBits, dFastLongLen)] = tableEntry{
+				val:    uint32(cv),
+				offset: e.maxMatchOff,
+			}
+			end := int32(len(d.content)) - 8 + e.maxMatchOff
+			for i := e.maxMatchOff + 1; i < end; i++ {
+				cv = cv>>8 | (uint64(d.content[i-e.maxMatchOff+7]) << 56)
+				e.dictLongTable[hashLen(cv, dFastLongTableBits, dFastLongLen)] = tableEntry{
+					val:    uint32(cv),
+					offset: i,
+				}
+			}
+		}
+		e.lastDictID = d.id
+		allDirty = true
+	}
+	// Reset table to initial state
+	e.cur = e.maxMatchOff
+
+	dirtyShardCnt := 0
+	if !allDirty {
+		for i := range e.longTableShardDirty {
+			if e.longTableShardDirty[i] {
+				dirtyShardCnt++
+			}
+		}
+	}
+
+	if allDirty || dirtyShardCnt > dLongTableShardCnt/2 {
+		//copy(e.longTable[:], e.dictLongTable)
+		e.longTable = *(*[dFastLongTableSize]tableEntry)(e.dictLongTable)
+		for i := range e.longTableShardDirty {
+			e.longTableShardDirty[i] = false
+		}
+		return
+	}
+	for i := range e.longTableShardDirty {
+		if !e.longTableShardDirty[i] {
+			continue
+		}
+
+		// copy(e.longTable[i*dLongTableShardSize:(i+1)*dLongTableShardSize], e.dictLongTable[i*dLongTableShardSize:(i+1)*dLongTableShardSize])
+		*(*[dLongTableShardSize]tableEntry)(e.longTable[i*dLongTableShardSize:]) = *(*[dLongTableShardSize]tableEntry)(e.dictLongTable[i*dLongTableShardSize:])
+
+		e.longTableShardDirty[i] = false
+	}
+}
+
+func (e *doubleFastEncoderDict) markLongShardDirty(entryNum uint32) {
+	e.longTableShardDirty[entryNum/dLongTableShardSize] = true
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/enc_fast.go b/vendor/github.com/klauspost/compress/zstd/enc_fast.go
new file mode 100644
index 0000000000..f45a3da7da
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/enc_fast.go
@@ -0,0 +1,891 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"fmt"
+)
+
+const (
+	tableBits        = 15                               // Bits used in the table
+	tableSize        = 1 << tableBits                   // Size of the table
+	tableShardCnt    = 1 << (tableBits - dictShardBits) // Number of shards in the table
+	tableShardSize   = tableSize / tableShardCnt        // Size of an individual shard
+	tableFastHashLen = 6
+	tableMask        = tableSize - 1 // Mask for table indices. Redundant, but can eliminate bounds checks.
+	maxMatchLength   = 131074
+)
+
+type tableEntry struct {
+	val    uint32
+	offset int32
+}
+
+type fastEncoder struct {
+	fastBase
+	table [tableSize]tableEntry
+}
+
+type fastEncoderDict struct {
+	fastEncoder
+	dictTable       []tableEntry
+	tableShardDirty [tableShardCnt]bool
+	allDirty        bool
+}
+
+// Encode mimmics functionality in zstd_fast.c
+func (e *fastEncoder) Encode(blk *blockEnc, src []byte) {
+	const (
+		inputMargin            = 8
+		minNonLiteralBlockSize = 1 + 1 + inputMargin
+	)
+
+	// Protect against e.cur wraparound.
+	for e.cur >= e.bufferReset-int32(len(e.hist)) {
+		if len(e.hist) == 0 {
+			for i := range e.table[:] {
+				e.table[i] = tableEntry{}
+			}
+			e.cur = e.maxMatchOff
+			break
+		}
+		// Shift down everything in the table that isn't already too far away.
+		minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff
+		for i := range e.table[:] {
+			v := e.table[i].offset
+			if v < minOff {
+				v = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+			}
+			e.table[i].offset = v
+		}
+		e.cur = e.maxMatchOff
+		break
+	}
+
+	s := e.addBlock(src)
+	blk.size = len(src)
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	// Override src
+	src = e.hist
+	sLimit := int32(len(src)) - inputMargin
+	// stepSize is the number of bytes to skip on every main loop iteration.
+	// It should be >= 2.
+	const stepSize = 2
+
+	// TEMPLATE
+	const hashLog = tableBits
+	// seems global, but would be nice to tweak.
+	const kSearchStrength = 6
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+	cv := load6432(src, s)
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		// t will contain the match offset when we find one.
+		// When existing the search loop, we have already checked 4 bytes.
+		var t int32
+
+		// We will not use repeat offsets across blocks.
+		// By not using them for the first 3 matches
+		canRepeat := len(blk.sequences) > 2
+
+		for {
+			if debugAsserts && canRepeat && offset1 == 0 {
+				panic("offset0 was 0")
+			}
+
+			nextHash := hashLen(cv, hashLog, tableFastHashLen)
+			nextHash2 := hashLen(cv>>8, hashLog, tableFastHashLen)
+			candidate := e.table[nextHash]
+			candidate2 := e.table[nextHash2]
+			repIndex := s - offset1 + 2
+
+			e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.table[nextHash2] = tableEntry{offset: s + e.cur + 1, val: uint32(cv >> 8)}
+
+			if canRepeat && repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>16) {
+				// Consider history as well.
+				var seq seq
+				length := 4 + e.matchlen(s+6, repIndex+4, src)
+				seq.matchLen = uint32(length - zstdMinMatch)
+
+				// We might be able to match backwards.
+				// Extend as long as we can.
+				start := s + 2
+				// We end the search early, so we don't risk 0 literals
+				// and have to do special offset treatment.
+				startLimit := nextEmit + 1
+
+				sMin := s - e.maxMatchOff
+				if sMin < 0 {
+					sMin = 0
+				}
+				for repIndex > sMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch {
+					repIndex--
+					start--
+					seq.matchLen++
+				}
+				addLiterals(&seq, start)
+
+				// rep 0
+				seq.offset = 1
+				if debugSequences {
+					println("repeat sequence", seq, "next s:", s)
+				}
+				blk.sequences = append(blk.sequences, seq)
+				s += length + 2
+				nextEmit = s
+				if s >= sLimit {
+					if debugEncoder {
+						println("repeat ended", s, length)
+
+					}
+					break encodeLoop
+				}
+				cv = load6432(src, s)
+				continue
+			}
+			coffset0 := s - (candidate.offset - e.cur)
+			coffset1 := s - (candidate2.offset - e.cur) + 1
+			if coffset0 < e.maxMatchOff && uint32(cv) == candidate.val {
+				// found a regular match
+				t = candidate.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				break
+			}
+
+			if coffset1 < e.maxMatchOff && uint32(cv>>8) == candidate2.val {
+				// found a regular match
+				t = candidate2.offset - e.cur
+				s++
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic("t<0")
+				}
+				break
+			}
+			s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1))
+			if s >= sLimit {
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+		// A 4-byte match has been found. We'll later see if more than 4 bytes.
+		offset2 = offset1
+		offset1 = s - t
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		if debugAsserts && canRepeat && int(offset1) > len(src) {
+			panic("invalid offset")
+		}
+
+		// Extend the 4-byte match as long as possible.
+		l := e.matchlen(s+4, t+4, src) + 4
+
+		// Extend backwards
+		tMin := s - e.maxMatchOff
+		if tMin < 0 {
+			tMin = 0
+		}
+		for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength {
+			s--
+			t--
+			l++
+		}
+
+		// Write our sequence.
+		var seq seq
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		// Don't use repeat offsets
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+		if s >= sLimit {
+			break encodeLoop
+		}
+		cv = load6432(src, s)
+
+		// Check offset 2
+		if o2 := s - offset2; canRepeat && load3232(src, o2) == uint32(cv) {
+			// We have at least 4 byte match.
+			// No need to check backwards. We come straight from a match
+			l := 4 + e.matchlen(s+4, o2+4, src)
+
+			// Store this, since we have it.
+			nextHash := hashLen(cv, hashLog, tableFastHashLen)
+			e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)}
+			seq.matchLen = uint32(l) - zstdMinMatch
+			seq.litLen = 0
+			// Since litlen is always 0, this is offset 1.
+			seq.offset = 1
+			s += l
+			nextEmit = s
+			if debugSequences {
+				println("sequence", seq, "next s:", s)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Swap offset 1 and 2.
+			offset1, offset2 = offset2, offset1
+			if s >= sLimit {
+				break encodeLoop
+			}
+			// Prepare next loop.
+			cv = load6432(src, s)
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	blk.recentOffsets[0] = uint32(offset1)
+	blk.recentOffsets[1] = uint32(offset2)
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+}
+
+// EncodeNoHist will encode a block with no history and no following blocks.
+// Most notable difference is that src will not be copied for history and
+// we do not need to check for max match length.
+func (e *fastEncoder) EncodeNoHist(blk *blockEnc, src []byte) {
+	const (
+		inputMargin            = 8
+		minNonLiteralBlockSize = 1 + 1 + inputMargin
+	)
+	if debugEncoder {
+		if len(src) > maxCompressedBlockSize {
+			panic("src too big")
+		}
+	}
+
+	// Protect against e.cur wraparound.
+	if e.cur >= e.bufferReset {
+		for i := range e.table[:] {
+			e.table[i] = tableEntry{}
+		}
+		e.cur = e.maxMatchOff
+	}
+
+	s := int32(0)
+	blk.size = len(src)
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	sLimit := int32(len(src)) - inputMargin
+	// stepSize is the number of bytes to skip on every main loop iteration.
+	// It should be >= 2.
+	const stepSize = 2
+
+	// TEMPLATE
+	const hashLog = tableBits
+	// seems global, but would be nice to tweak.
+	const kSearchStrength = 6
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+	cv := load6432(src, s)
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		// t will contain the match offset when we find one.
+		// When existing the search loop, we have already checked 4 bytes.
+		var t int32
+
+		// We will not use repeat offsets across blocks.
+		// By not using them for the first 3 matches
+
+		for {
+			nextHash := hashLen(cv, hashLog, tableFastHashLen)
+			nextHash2 := hashLen(cv>>8, hashLog, tableFastHashLen)
+			candidate := e.table[nextHash]
+			candidate2 := e.table[nextHash2]
+			repIndex := s - offset1 + 2
+
+			e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.table[nextHash2] = tableEntry{offset: s + e.cur + 1, val: uint32(cv >> 8)}
+
+			if len(blk.sequences) > 2 && load3232(src, repIndex) == uint32(cv>>16) {
+				// Consider history as well.
+				var seq seq
+				length := 4 + e.matchlen(s+6, repIndex+4, src)
+
+				seq.matchLen = uint32(length - zstdMinMatch)
+
+				// We might be able to match backwards.
+				// Extend as long as we can.
+				start := s + 2
+				// We end the search early, so we don't risk 0 literals
+				// and have to do special offset treatment.
+				startLimit := nextEmit + 1
+
+				sMin := s - e.maxMatchOff
+				if sMin < 0 {
+					sMin = 0
+				}
+				for repIndex > sMin && start > startLimit && src[repIndex-1] == src[start-1] {
+					repIndex--
+					start--
+					seq.matchLen++
+				}
+				addLiterals(&seq, start)
+
+				// rep 0
+				seq.offset = 1
+				if debugSequences {
+					println("repeat sequence", seq, "next s:", s)
+				}
+				blk.sequences = append(blk.sequences, seq)
+				s += length + 2
+				nextEmit = s
+				if s >= sLimit {
+					if debugEncoder {
+						println("repeat ended", s, length)
+
+					}
+					break encodeLoop
+				}
+				cv = load6432(src, s)
+				continue
+			}
+			coffset0 := s - (candidate.offset - e.cur)
+			coffset1 := s - (candidate2.offset - e.cur) + 1
+			if coffset0 < e.maxMatchOff && uint32(cv) == candidate.val {
+				// found a regular match
+				t = candidate.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic(fmt.Sprintf("t (%d) < 0, candidate.offset: %d, e.cur: %d, coffset0: %d, e.maxMatchOff: %d", t, candidate.offset, e.cur, coffset0, e.maxMatchOff))
+				}
+				break
+			}
+
+			if coffset1 < e.maxMatchOff && uint32(cv>>8) == candidate2.val {
+				// found a regular match
+				t = candidate2.offset - e.cur
+				s++
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic("t<0")
+				}
+				break
+			}
+			s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1))
+			if s >= sLimit {
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+		// A 4-byte match has been found. We'll later see if more than 4 bytes.
+		offset2 = offset1
+		offset1 = s - t
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		if debugAsserts && t < 0 {
+			panic(fmt.Sprintf("t (%d) < 0 ", t))
+		}
+		// Extend the 4-byte match as long as possible.
+		l := e.matchlen(s+4, t+4, src) + 4
+
+		// Extend backwards
+		tMin := s - e.maxMatchOff
+		if tMin < 0 {
+			tMin = 0
+		}
+		for t > tMin && s > nextEmit && src[t-1] == src[s-1] {
+			s--
+			t--
+			l++
+		}
+
+		// Write our sequence.
+		var seq seq
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		// Don't use repeat offsets
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+		if s >= sLimit {
+			break encodeLoop
+		}
+		cv = load6432(src, s)
+
+		// Check offset 2
+		if o2 := s - offset2; len(blk.sequences) > 2 && load3232(src, o2) == uint32(cv) {
+			// We have at least 4 byte match.
+			// No need to check backwards. We come straight from a match
+			l := 4 + e.matchlen(s+4, o2+4, src)
+
+			// Store this, since we have it.
+			nextHash := hashLen(cv, hashLog, tableFastHashLen)
+			e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)}
+			seq.matchLen = uint32(l) - zstdMinMatch
+			seq.litLen = 0
+			// Since litlen is always 0, this is offset 1.
+			seq.offset = 1
+			s += l
+			nextEmit = s
+			if debugSequences {
+				println("sequence", seq, "next s:", s)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Swap offset 1 and 2.
+			offset1, offset2 = offset2, offset1
+			if s >= sLimit {
+				break encodeLoop
+			}
+			// Prepare next loop.
+			cv = load6432(src, s)
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+	// We do not store history, so we must offset e.cur to avoid false matches for next user.
+	if e.cur < e.bufferReset {
+		e.cur += int32(len(src))
+	}
+}
+
+// Encode will encode the content, with a dictionary if initialized for it.
+func (e *fastEncoderDict) Encode(blk *blockEnc, src []byte) {
+	const (
+		inputMargin            = 8
+		minNonLiteralBlockSize = 1 + 1 + inputMargin
+	)
+	if e.allDirty || len(src) > 32<<10 {
+		e.fastEncoder.Encode(blk, src)
+		e.allDirty = true
+		return
+	}
+	// Protect against e.cur wraparound.
+	for e.cur >= e.bufferReset-int32(len(e.hist)) {
+		if len(e.hist) == 0 {
+			e.table = [tableSize]tableEntry{}
+			e.cur = e.maxMatchOff
+			break
+		}
+		// Shift down everything in the table that isn't already too far away.
+		minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff
+		for i := range e.table[:] {
+			v := e.table[i].offset
+			if v < minOff {
+				v = 0
+			} else {
+				v = v - e.cur + e.maxMatchOff
+			}
+			e.table[i].offset = v
+		}
+		e.cur = e.maxMatchOff
+		break
+	}
+
+	s := e.addBlock(src)
+	blk.size = len(src)
+	if len(src) < minNonLiteralBlockSize {
+		blk.extraLits = len(src)
+		blk.literals = blk.literals[:len(src)]
+		copy(blk.literals, src)
+		return
+	}
+
+	// Override src
+	src = e.hist
+	sLimit := int32(len(src)) - inputMargin
+	// stepSize is the number of bytes to skip on every main loop iteration.
+	// It should be >= 2.
+	const stepSize = 2
+
+	// TEMPLATE
+	const hashLog = tableBits
+	// seems global, but would be nice to tweak.
+	const kSearchStrength = 7
+
+	// nextEmit is where in src the next emitLiteral should start from.
+	nextEmit := s
+	cv := load6432(src, s)
+
+	// Relative offsets
+	offset1 := int32(blk.recentOffsets[0])
+	offset2 := int32(blk.recentOffsets[1])
+
+	addLiterals := func(s *seq, until int32) {
+		if until == nextEmit {
+			return
+		}
+		blk.literals = append(blk.literals, src[nextEmit:until]...)
+		s.litLen = uint32(until - nextEmit)
+	}
+	if debugEncoder {
+		println("recent offsets:", blk.recentOffsets)
+	}
+
+encodeLoop:
+	for {
+		// t will contain the match offset when we find one.
+		// When existing the search loop, we have already checked 4 bytes.
+		var t int32
+
+		// We will not use repeat offsets across blocks.
+		// By not using them for the first 3 matches
+		canRepeat := len(blk.sequences) > 2
+
+		for {
+			if debugAsserts && canRepeat && offset1 == 0 {
+				panic("offset0 was 0")
+			}
+
+			nextHash := hashLen(cv, hashLog, tableFastHashLen)
+			nextHash2 := hashLen(cv>>8, hashLog, tableFastHashLen)
+			candidate := e.table[nextHash]
+			candidate2 := e.table[nextHash2]
+			repIndex := s - offset1 + 2
+
+			e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.markShardDirty(nextHash)
+			e.table[nextHash2] = tableEntry{offset: s + e.cur + 1, val: uint32(cv >> 8)}
+			e.markShardDirty(nextHash2)
+
+			if canRepeat && repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>16) {
+				// Consider history as well.
+				var seq seq
+				length := 4 + e.matchlen(s+6, repIndex+4, src)
+
+				seq.matchLen = uint32(length - zstdMinMatch)
+
+				// We might be able to match backwards.
+				// Extend as long as we can.
+				start := s + 2
+				// We end the search early, so we don't risk 0 literals
+				// and have to do special offset treatment.
+				startLimit := nextEmit + 1
+
+				sMin := s - e.maxMatchOff
+				if sMin < 0 {
+					sMin = 0
+				}
+				for repIndex > sMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch {
+					repIndex--
+					start--
+					seq.matchLen++
+				}
+				addLiterals(&seq, start)
+
+				// rep 0
+				seq.offset = 1
+				if debugSequences {
+					println("repeat sequence", seq, "next s:", s)
+				}
+				blk.sequences = append(blk.sequences, seq)
+				s += length + 2
+				nextEmit = s
+				if s >= sLimit {
+					if debugEncoder {
+						println("repeat ended", s, length)
+
+					}
+					break encodeLoop
+				}
+				cv = load6432(src, s)
+				continue
+			}
+			coffset0 := s - (candidate.offset - e.cur)
+			coffset1 := s - (candidate2.offset - e.cur) + 1
+			if coffset0 < e.maxMatchOff && uint32(cv) == candidate.val {
+				// found a regular match
+				t = candidate.offset - e.cur
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				break
+			}
+
+			if coffset1 < e.maxMatchOff && uint32(cv>>8) == candidate2.val {
+				// found a regular match
+				t = candidate2.offset - e.cur
+				s++
+				if debugAsserts && s <= t {
+					panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+				}
+				if debugAsserts && s-t > e.maxMatchOff {
+					panic("s - t >e.maxMatchOff")
+				}
+				if debugAsserts && t < 0 {
+					panic("t<0")
+				}
+				break
+			}
+			s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1))
+			if s >= sLimit {
+				break encodeLoop
+			}
+			cv = load6432(src, s)
+		}
+		// A 4-byte match has been found. We'll later see if more than 4 bytes.
+		offset2 = offset1
+		offset1 = s - t
+
+		if debugAsserts && s <= t {
+			panic(fmt.Sprintf("s (%d) <= t (%d)", s, t))
+		}
+
+		if debugAsserts && canRepeat && int(offset1) > len(src) {
+			panic("invalid offset")
+		}
+
+		// Extend the 4-byte match as long as possible.
+		l := e.matchlen(s+4, t+4, src) + 4
+
+		// Extend backwards
+		tMin := s - e.maxMatchOff
+		if tMin < 0 {
+			tMin = 0
+		}
+		for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength {
+			s--
+			t--
+			l++
+		}
+
+		// Write our sequence.
+		var seq seq
+		seq.litLen = uint32(s - nextEmit)
+		seq.matchLen = uint32(l - zstdMinMatch)
+		if seq.litLen > 0 {
+			blk.literals = append(blk.literals, src[nextEmit:s]...)
+		}
+		// Don't use repeat offsets
+		seq.offset = uint32(s-t) + 3
+		s += l
+		if debugSequences {
+			println("sequence", seq, "next s:", s)
+		}
+		blk.sequences = append(blk.sequences, seq)
+		nextEmit = s
+		if s >= sLimit {
+			break encodeLoop
+		}
+		cv = load6432(src, s)
+
+		// Check offset 2
+		if o2 := s - offset2; canRepeat && load3232(src, o2) == uint32(cv) {
+			// We have at least 4 byte match.
+			// No need to check backwards. We come straight from a match
+			l := 4 + e.matchlen(s+4, o2+4, src)
+
+			// Store this, since we have it.
+			nextHash := hashLen(cv, hashLog, tableFastHashLen)
+			e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)}
+			e.markShardDirty(nextHash)
+			seq.matchLen = uint32(l) - zstdMinMatch
+			seq.litLen = 0
+			// Since litlen is always 0, this is offset 1.
+			seq.offset = 1
+			s += l
+			nextEmit = s
+			if debugSequences {
+				println("sequence", seq, "next s:", s)
+			}
+			blk.sequences = append(blk.sequences, seq)
+
+			// Swap offset 1 and 2.
+			offset1, offset2 = offset2, offset1
+			if s >= sLimit {
+				break encodeLoop
+			}
+			// Prepare next loop.
+			cv = load6432(src, s)
+		}
+	}
+
+	if int(nextEmit) < len(src) {
+		blk.literals = append(blk.literals, src[nextEmit:]...)
+		blk.extraLits = len(src) - int(nextEmit)
+	}
+	blk.recentOffsets[0] = uint32(offset1)
+	blk.recentOffsets[1] = uint32(offset2)
+	if debugEncoder {
+		println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits)
+	}
+}
+
+// ResetDict will reset and set a dictionary if not nil
+func (e *fastEncoder) Reset(d *dict, singleBlock bool) {
+	e.resetBase(d, singleBlock)
+	if d != nil {
+		panic("fastEncoder: Reset with dict")
+	}
+}
+
+// ResetDict will reset and set a dictionary if not nil
+func (e *fastEncoderDict) Reset(d *dict, singleBlock bool) {
+	e.resetBase(d, singleBlock)
+	if d == nil {
+		return
+	}
+
+	// Init or copy dict table
+	if len(e.dictTable) != len(e.table) || d.id != e.lastDictID {
+		if len(e.dictTable) != len(e.table) {
+			e.dictTable = make([]tableEntry, len(e.table))
+		}
+		if true {
+			end := e.maxMatchOff + int32(len(d.content)) - 8
+			for i := e.maxMatchOff; i < end; i += 2 {
+				const hashLog = tableBits
+
+				cv := load6432(d.content, i-e.maxMatchOff)
+				nextHash := hashLen(cv, hashLog, tableFastHashLen)     // 0 -> 6
+				nextHash1 := hashLen(cv>>8, hashLog, tableFastHashLen) // 1 -> 7
+				e.dictTable[nextHash] = tableEntry{
+					val:    uint32(cv),
+					offset: i,
+				}
+				e.dictTable[nextHash1] = tableEntry{
+					val:    uint32(cv >> 8),
+					offset: i + 1,
+				}
+			}
+		}
+		e.lastDictID = d.id
+		e.allDirty = true
+	}
+
+	e.cur = e.maxMatchOff
+	dirtyShardCnt := 0
+	if !e.allDirty {
+		for i := range e.tableShardDirty {
+			if e.tableShardDirty[i] {
+				dirtyShardCnt++
+			}
+		}
+	}
+
+	const shardCnt = tableShardCnt
+	const shardSize = tableShardSize
+	if e.allDirty || dirtyShardCnt > shardCnt*4/6 {
+		//copy(e.table[:], e.dictTable)
+		e.table = *(*[tableSize]tableEntry)(e.dictTable)
+		for i := range e.tableShardDirty {
+			e.tableShardDirty[i] = false
+		}
+		e.allDirty = false
+		return
+	}
+	for i := range e.tableShardDirty {
+		if !e.tableShardDirty[i] {
+			continue
+		}
+
+		//copy(e.table[i*shardSize:(i+1)*shardSize], e.dictTable[i*shardSize:(i+1)*shardSize])
+		*(*[shardSize]tableEntry)(e.table[i*shardSize:]) = *(*[shardSize]tableEntry)(e.dictTable[i*shardSize:])
+		e.tableShardDirty[i] = false
+	}
+	e.allDirty = false
+}
+
+func (e *fastEncoderDict) markAllShardsDirty() {
+	e.allDirty = true
+}
+
+func (e *fastEncoderDict) markShardDirty(entryNum uint32) {
+	e.tableShardDirty[entryNum/tableShardSize] = true
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/encoder.go b/vendor/github.com/klauspost/compress/zstd/encoder.go
new file mode 100644
index 0000000000..8f8223cd3a
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/encoder.go
@@ -0,0 +1,642 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"io"
+	"math"
+	rdebug "runtime/debug"
+	"sync"
+
+	"github.com/klauspost/compress/zstd/internal/xxhash"
+)
+
+// Encoder provides encoding to Zstandard.
+// An Encoder can be used for either compressing a stream via the
+// io.WriteCloser interface supported by the Encoder or as multiple independent
+// tasks via the EncodeAll function.
+// Smaller encodes are encouraged to use the EncodeAll function.
+// Use NewWriter to create a new instance.
+type Encoder struct {
+	o        encoderOptions
+	encoders chan encoder
+	state    encoderState
+	init     sync.Once
+}
+
+type encoder interface {
+	Encode(blk *blockEnc, src []byte)
+	EncodeNoHist(blk *blockEnc, src []byte)
+	Block() *blockEnc
+	CRC() *xxhash.Digest
+	AppendCRC([]byte) []byte
+	WindowSize(size int64) int32
+	UseBlock(*blockEnc)
+	Reset(d *dict, singleBlock bool)
+}
+
+type encoderState struct {
+	w                io.Writer
+	filling          []byte
+	current          []byte
+	previous         []byte
+	encoder          encoder
+	writing          *blockEnc
+	err              error
+	writeErr         error
+	nWritten         int64
+	nInput           int64
+	frameContentSize int64
+	headerWritten    bool
+	eofWritten       bool
+	fullFrameWritten bool
+
+	// This waitgroup indicates an encode is running.
+	wg sync.WaitGroup
+	// This waitgroup indicates we have a block encoding/writing.
+	wWg sync.WaitGroup
+}
+
+// NewWriter will create a new Zstandard encoder.
+// If the encoder will be used for encoding blocks a nil writer can be used.
+func NewWriter(w io.Writer, opts ...EOption) (*Encoder, error) {
+	initPredefined()
+	var e Encoder
+	e.o.setDefault()
+	for _, o := range opts {
+		err := o(&e.o)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if w != nil {
+		e.Reset(w)
+	}
+	return &e, nil
+}
+
+func (e *Encoder) initialize() {
+	if e.o.concurrent == 0 {
+		e.o.setDefault()
+	}
+	e.encoders = make(chan encoder, e.o.concurrent)
+	for i := 0; i < e.o.concurrent; i++ {
+		enc := e.o.encoder()
+		e.encoders <- enc
+	}
+}
+
+// Reset will re-initialize the writer and new writes will encode to the supplied writer
+// as a new, independent stream.
+func (e *Encoder) Reset(w io.Writer) {
+	s := &e.state
+	s.wg.Wait()
+	s.wWg.Wait()
+	if cap(s.filling) == 0 {
+		s.filling = make([]byte, 0, e.o.blockSize)
+	}
+	if e.o.concurrent > 1 {
+		if cap(s.current) == 0 {
+			s.current = make([]byte, 0, e.o.blockSize)
+		}
+		if cap(s.previous) == 0 {
+			s.previous = make([]byte, 0, e.o.blockSize)
+		}
+		s.current = s.current[:0]
+		s.previous = s.previous[:0]
+		if s.writing == nil {
+			s.writing = &blockEnc{lowMem: e.o.lowMem}
+			s.writing.init()
+		}
+		s.writing.initNewEncode()
+	}
+	if s.encoder == nil {
+		s.encoder = e.o.encoder()
+	}
+	s.filling = s.filling[:0]
+	s.encoder.Reset(e.o.dict, false)
+	s.headerWritten = false
+	s.eofWritten = false
+	s.fullFrameWritten = false
+	s.w = w
+	s.err = nil
+	s.nWritten = 0
+	s.nInput = 0
+	s.writeErr = nil
+	s.frameContentSize = 0
+}
+
+// ResetContentSize will reset and set a content size for the next stream.
+// If the bytes written does not match the size given an error will be returned
+// when calling Close().
+// This is removed when Reset is called.
+// Sizes <= 0 results in no content size set.
+func (e *Encoder) ResetContentSize(w io.Writer, size int64) {
+	e.Reset(w)
+	if size >= 0 {
+		e.state.frameContentSize = size
+	}
+}
+
+// Write data to the encoder.
+// Input data will be buffered and as the buffer fills up
+// content will be compressed and written to the output.
+// When done writing, use Close to flush the remaining output
+// and write CRC if requested.
+func (e *Encoder) Write(p []byte) (n int, err error) {
+	s := &e.state
+	if s.eofWritten {
+		return 0, ErrEncoderClosed
+	}
+	for len(p) > 0 {
+		if len(p)+len(s.filling) < e.o.blockSize {
+			if e.o.crc {
+				_, _ = s.encoder.CRC().Write(p)
+			}
+			s.filling = append(s.filling, p...)
+			return n + len(p), nil
+		}
+		add := p
+		if len(p)+len(s.filling) > e.o.blockSize {
+			add = add[:e.o.blockSize-len(s.filling)]
+		}
+		if e.o.crc {
+			_, _ = s.encoder.CRC().Write(add)
+		}
+		s.filling = append(s.filling, add...)
+		p = p[len(add):]
+		n += len(add)
+		if len(s.filling) < e.o.blockSize {
+			return n, nil
+		}
+		err := e.nextBlock(false)
+		if err != nil {
+			return n, err
+		}
+		if debugAsserts && len(s.filling) > 0 {
+			panic(len(s.filling))
+		}
+	}
+	return n, nil
+}
+
+// nextBlock will synchronize and start compressing input in e.state.filling.
+// If an error has occurred during encoding it will be returned.
+func (e *Encoder) nextBlock(final bool) error {
+	s := &e.state
+	// Wait for current block.
+	s.wg.Wait()
+	if s.err != nil {
+		return s.err
+	}
+	if len(s.filling) > e.o.blockSize {
+		return fmt.Errorf("block > maxStoreBlockSize")
+	}
+	if !s.headerWritten {
+		// If we have a single block encode, do a sync compression.
+		if final && len(s.filling) == 0 && !e.o.fullZero {
+			s.headerWritten = true
+			s.fullFrameWritten = true
+			s.eofWritten = true
+			return nil
+		}
+		if final && len(s.filling) > 0 {
+			s.current = e.encodeAll(s.encoder, s.filling, s.current[:0])
+			var n2 int
+			n2, s.err = s.w.Write(s.current)
+			if s.err != nil {
+				return s.err
+			}
+			s.nWritten += int64(n2)
+			s.nInput += int64(len(s.filling))
+			s.current = s.current[:0]
+			s.filling = s.filling[:0]
+			s.headerWritten = true
+			s.fullFrameWritten = true
+			s.eofWritten = true
+			return nil
+		}
+
+		var tmp [maxHeaderSize]byte
+		fh := frameHeader{
+			ContentSize:   uint64(s.frameContentSize),
+			WindowSize:    uint32(s.encoder.WindowSize(s.frameContentSize)),
+			SingleSegment: false,
+			Checksum:      e.o.crc,
+			DictID:        e.o.dict.ID(),
+		}
+
+		dst := fh.appendTo(tmp[:0])
+		s.headerWritten = true
+		s.wWg.Wait()
+		var n2 int
+		n2, s.err = s.w.Write(dst)
+		if s.err != nil {
+			return s.err
+		}
+		s.nWritten += int64(n2)
+	}
+	if s.eofWritten {
+		// Ensure we only write it once.
+		final = false
+	}
+
+	if len(s.filling) == 0 {
+		// Final block, but no data.
+		if final {
+			enc := s.encoder
+			blk := enc.Block()
+			blk.reset(nil)
+			blk.last = true
+			blk.encodeRaw(nil)
+			s.wWg.Wait()
+			_, s.err = s.w.Write(blk.output)
+			s.nWritten += int64(len(blk.output))
+			s.eofWritten = true
+		}
+		return s.err
+	}
+
+	// SYNC:
+	if e.o.concurrent == 1 {
+		src := s.filling
+		s.nInput += int64(len(s.filling))
+		if debugEncoder {
+			println("Adding sync block,", len(src), "bytes, final:", final)
+		}
+		enc := s.encoder
+		blk := enc.Block()
+		blk.reset(nil)
+		enc.Encode(blk, src)
+		blk.last = final
+		if final {
+			s.eofWritten = true
+		}
+
+		s.err = blk.encode(src, e.o.noEntropy, !e.o.allLitEntropy)
+		if s.err != nil {
+			return s.err
+		}
+		_, s.err = s.w.Write(blk.output)
+		s.nWritten += int64(len(blk.output))
+		s.filling = s.filling[:0]
+		return s.err
+	}
+
+	// Move blocks forward.
+	s.filling, s.current, s.previous = s.previous[:0], s.filling, s.current
+	s.nInput += int64(len(s.current))
+	s.wg.Add(1)
+	if final {
+		s.eofWritten = true
+	}
+	go func(src []byte) {
+		if debugEncoder {
+			println("Adding block,", len(src), "bytes, final:", final)
+		}
+		defer func() {
+			if r := recover(); r != nil {
+				s.err = fmt.Errorf("panic while encoding: %v", r)
+				rdebug.PrintStack()
+			}
+			s.wg.Done()
+		}()
+		enc := s.encoder
+		blk := enc.Block()
+		enc.Encode(blk, src)
+		blk.last = final
+		// Wait for pending writes.
+		s.wWg.Wait()
+		if s.writeErr != nil {
+			s.err = s.writeErr
+			return
+		}
+		// Transfer encoders from previous write block.
+		blk.swapEncoders(s.writing)
+		// Transfer recent offsets to next.
+		enc.UseBlock(s.writing)
+		s.writing = blk
+		s.wWg.Add(1)
+		go func() {
+			defer func() {
+				if r := recover(); r != nil {
+					s.writeErr = fmt.Errorf("panic while encoding/writing: %v", r)
+					rdebug.PrintStack()
+				}
+				s.wWg.Done()
+			}()
+			s.writeErr = blk.encode(src, e.o.noEntropy, !e.o.allLitEntropy)
+			if s.writeErr != nil {
+				return
+			}
+			_, s.writeErr = s.w.Write(blk.output)
+			s.nWritten += int64(len(blk.output))
+		}()
+	}(s.current)
+	return nil
+}
+
+// ReadFrom reads data from r until EOF or error.
+// The return value n is the number of bytes read.
+// Any error except io.EOF encountered during the read is also returned.
+//
+// The Copy function uses ReaderFrom if available.
+func (e *Encoder) ReadFrom(r io.Reader) (n int64, err error) {
+	if debugEncoder {
+		println("Using ReadFrom")
+	}
+
+	// Flush any current writes.
+	if len(e.state.filling) > 0 {
+		if err := e.nextBlock(false); err != nil {
+			return 0, err
+		}
+	}
+	e.state.filling = e.state.filling[:e.o.blockSize]
+	src := e.state.filling
+	for {
+		n2, err := r.Read(src)
+		if e.o.crc {
+			_, _ = e.state.encoder.CRC().Write(src[:n2])
+		}
+		// src is now the unfilled part...
+		src = src[n2:]
+		n += int64(n2)
+		switch err {
+		case io.EOF:
+			e.state.filling = e.state.filling[:len(e.state.filling)-len(src)]
+			if debugEncoder {
+				println("ReadFrom: got EOF final block:", len(e.state.filling))
+			}
+			return n, nil
+		case nil:
+		default:
+			if debugEncoder {
+				println("ReadFrom: got error:", err)
+			}
+			e.state.err = err
+			return n, err
+		}
+		if len(src) > 0 {
+			if debugEncoder {
+				println("ReadFrom: got space left in source:", len(src))
+			}
+			continue
+		}
+		err = e.nextBlock(false)
+		if err != nil {
+			return n, err
+		}
+		e.state.filling = e.state.filling[:e.o.blockSize]
+		src = e.state.filling
+	}
+}
+
+// Flush will send the currently written data to output
+// and block until everything has been written.
+// This should only be used on rare occasions where pushing the currently queued data is critical.
+func (e *Encoder) Flush() error {
+	s := &e.state
+	if len(s.filling) > 0 {
+		err := e.nextBlock(false)
+		if err != nil {
+			// Ignore Flush after Close.
+			if errors.Is(s.err, ErrEncoderClosed) {
+				return nil
+			}
+			return err
+		}
+	}
+	s.wg.Wait()
+	s.wWg.Wait()
+	if s.err != nil {
+		// Ignore Flush after Close.
+		if errors.Is(s.err, ErrEncoderClosed) {
+			return nil
+		}
+		return s.err
+	}
+	return s.writeErr
+}
+
+// Close will flush the final output and close the stream.
+// The function will block until everything has been written.
+// The Encoder can still be re-used after calling this.
+func (e *Encoder) Close() error {
+	s := &e.state
+	if s.encoder == nil {
+		return nil
+	}
+	err := e.nextBlock(true)
+	if err != nil {
+		if errors.Is(s.err, ErrEncoderClosed) {
+			return nil
+		}
+		return err
+	}
+	if s.frameContentSize > 0 {
+		if s.nInput != s.frameContentSize {
+			return fmt.Errorf("frame content size %d given, but %d bytes was written", s.frameContentSize, s.nInput)
+		}
+	}
+	if e.state.fullFrameWritten {
+		return s.err
+	}
+	s.wg.Wait()
+	s.wWg.Wait()
+
+	if s.err != nil {
+		return s.err
+	}
+	if s.writeErr != nil {
+		return s.writeErr
+	}
+
+	// Write CRC
+	if e.o.crc && s.err == nil {
+		// heap alloc.
+		var tmp [4]byte
+		_, s.err = s.w.Write(s.encoder.AppendCRC(tmp[:0]))
+		s.nWritten += 4
+	}
+
+	// Add padding with content from crypto/rand.Reader
+	if s.err == nil && e.o.pad > 0 {
+		add := calcSkippableFrame(s.nWritten, int64(e.o.pad))
+		frame, err := skippableFrame(s.filling[:0], add, rand.Reader)
+		if err != nil {
+			return err
+		}
+		_, s.err = s.w.Write(frame)
+	}
+	if s.err == nil {
+		s.err = ErrEncoderClosed
+		return nil
+	}
+
+	return s.err
+}
+
+// EncodeAll will encode all input in src and append it to dst.
+// This function can be called concurrently, but each call will only run on a single goroutine.
+// If empty input is given, nothing is returned, unless WithZeroFrames is specified.
+// Encoded blocks can be concatenated and the result will be the combined input stream.
+// Data compressed with EncodeAll can be decoded with the Decoder,
+// using either a stream or DecodeAll.
+func (e *Encoder) EncodeAll(src, dst []byte) []byte {
+	e.init.Do(e.initialize)
+	enc := <-e.encoders
+	defer func() {
+		e.encoders <- enc
+	}()
+	return e.encodeAll(enc, src, dst)
+}
+
+func (e *Encoder) encodeAll(enc encoder, src, dst []byte) []byte {
+	if len(src) == 0 {
+		if e.o.fullZero {
+			// Add frame header.
+			fh := frameHeader{
+				ContentSize:   0,
+				WindowSize:    MinWindowSize,
+				SingleSegment: true,
+				// Adding a checksum would be a waste of space.
+				Checksum: false,
+				DictID:   0,
+			}
+			dst = fh.appendTo(dst)
+
+			// Write raw block as last one only.
+			var blk blockHeader
+			blk.setSize(0)
+			blk.setType(blockTypeRaw)
+			blk.setLast(true)
+			dst = blk.appendTo(dst)
+		}
+		return dst
+	}
+
+	// Use single segments when above minimum window and below window size.
+	single := len(src) <= e.o.windowSize && len(src) > MinWindowSize
+	if e.o.single != nil {
+		single = *e.o.single
+	}
+	fh := frameHeader{
+		ContentSize:   uint64(len(src)),
+		WindowSize:    uint32(enc.WindowSize(int64(len(src)))),
+		SingleSegment: single,
+		Checksum:      e.o.crc,
+		DictID:        e.o.dict.ID(),
+	}
+
+	// If less than 1MB, allocate a buffer up front.
+	if len(dst) == 0 && cap(dst) == 0 && len(src) < 1<<20 && !e.o.lowMem {
+		dst = make([]byte, 0, len(src))
+	}
+	dst = fh.appendTo(dst)
+
+	// If we can do everything in one block, prefer that.
+	if len(src) <= e.o.blockSize {
+		enc.Reset(e.o.dict, true)
+		// Slightly faster with no history and everything in one block.
+		if e.o.crc {
+			_, _ = enc.CRC().Write(src)
+		}
+		blk := enc.Block()
+		blk.last = true
+		if e.o.dict == nil {
+			enc.EncodeNoHist(blk, src)
+		} else {
+			enc.Encode(blk, src)
+		}
+
+		// If we got the exact same number of literals as input,
+		// assume the literals cannot be compressed.
+		oldout := blk.output
+		// Output directly to dst
+		blk.output = dst
+
+		err := blk.encode(src, e.o.noEntropy, !e.o.allLitEntropy)
+		if err != nil {
+			panic(err)
+		}
+		dst = blk.output
+		blk.output = oldout
+	} else {
+		enc.Reset(e.o.dict, false)
+		blk := enc.Block()
+		for len(src) > 0 {
+			todo := src
+			if len(todo) > e.o.blockSize {
+				todo = todo[:e.o.blockSize]
+			}
+			src = src[len(todo):]
+			if e.o.crc {
+				_, _ = enc.CRC().Write(todo)
+			}
+			blk.pushOffsets()
+			enc.Encode(blk, todo)
+			if len(src) == 0 {
+				blk.last = true
+			}
+			err := blk.encode(todo, e.o.noEntropy, !e.o.allLitEntropy)
+			if err != nil {
+				panic(err)
+			}
+			dst = append(dst, blk.output...)
+			blk.reset(nil)
+		}
+	}
+	if e.o.crc {
+		dst = enc.AppendCRC(dst)
+	}
+	// Add padding with content from crypto/rand.Reader
+	if e.o.pad > 0 {
+		add := calcSkippableFrame(int64(len(dst)), int64(e.o.pad))
+		var err error
+		dst, err = skippableFrame(dst, add, rand.Reader)
+		if err != nil {
+			panic(err)
+		}
+	}
+	return dst
+}
+
+// MaxEncodedSize returns the expected maximum
+// size of an encoded block or stream.
+func (e *Encoder) MaxEncodedSize(size int) int {
+	frameHeader := 4 + 2 // magic + frame header & window descriptor
+	if e.o.dict != nil {
+		frameHeader += 4
+	}
+	// Frame content size:
+	if size < 256 {
+		frameHeader++
+	} else if size < 65536+256 {
+		frameHeader += 2
+	} else if size < math.MaxInt32 {
+		frameHeader += 4
+	} else {
+		frameHeader += 8
+	}
+	// Final crc
+	if e.o.crc {
+		frameHeader += 4
+	}
+
+	// Max overhead is 3 bytes/block.
+	// There cannot be 0 blocks.
+	blocks := (size + e.o.blockSize) / e.o.blockSize
+
+	// Combine, add padding.
+	maxSz := frameHeader + 3*blocks + size
+	if e.o.pad > 1 {
+		maxSz += calcSkippableFrame(int64(maxSz), int64(e.o.pad))
+	}
+	return maxSz
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/encoder_options.go b/vendor/github.com/klauspost/compress/zstd/encoder_options.go
new file mode 100644
index 0000000000..20671dcb91
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/encoder_options.go
@@ -0,0 +1,339 @@
+package zstd
+
+import (
+	"errors"
+	"fmt"
+	"math"
+	"math/bits"
+	"runtime"
+	"strings"
+)
+
+// EOption is an option for creating a encoder.
+type EOption func(*encoderOptions) error
+
+// options retains accumulated state of multiple options.
+type encoderOptions struct {
+	concurrent      int
+	level           EncoderLevel
+	single          *bool
+	pad             int
+	blockSize       int
+	windowSize      int
+	crc             bool
+	fullZero        bool
+	noEntropy       bool
+	allLitEntropy   bool
+	customWindow    bool
+	customALEntropy bool
+	customBlockSize bool
+	lowMem          bool
+	dict            *dict
+}
+
+func (o *encoderOptions) setDefault() {
+	*o = encoderOptions{
+		concurrent:    runtime.GOMAXPROCS(0),
+		crc:           true,
+		single:        nil,
+		blockSize:     maxCompressedBlockSize,
+		windowSize:    8 << 20,
+		level:         SpeedDefault,
+		allLitEntropy: false,
+		lowMem:        false,
+	}
+}
+
+// encoder returns an encoder with the selected options.
+func (o encoderOptions) encoder() encoder {
+	switch o.level {
+	case SpeedFastest:
+		if o.dict != nil {
+			return &fastEncoderDict{fastEncoder: fastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}}
+		}
+		return &fastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}
+
+	case SpeedDefault:
+		if o.dict != nil {
+			return &doubleFastEncoderDict{fastEncoderDict: fastEncoderDict{fastEncoder: fastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}}}
+		}
+		return &doubleFastEncoder{fastEncoder: fastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}}
+	case SpeedBetterCompression:
+		if o.dict != nil {
+			return &betterFastEncoderDict{betterFastEncoder: betterFastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}}
+		}
+		return &betterFastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}
+	case SpeedBestCompression:
+		return &bestFastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}
+	}
+	panic("unknown compression level")
+}
+
+// WithEncoderCRC will add CRC value to output.
+// Output will be 4 bytes larger.
+func WithEncoderCRC(b bool) EOption {
+	return func(o *encoderOptions) error { o.crc = b; return nil }
+}
+
+// WithEncoderConcurrency will set the concurrency,
+// meaning the maximum number of encoders to run concurrently.
+// The value supplied must be at least 1.
+// For streams, setting a value of 1 will disable async compression.
+// By default this will be set to GOMAXPROCS.
+func WithEncoderConcurrency(n int) EOption {
+	return func(o *encoderOptions) error {
+		if n <= 0 {
+			return fmt.Errorf("concurrency must be at least 1")
+		}
+		o.concurrent = n
+		return nil
+	}
+}
+
+// WithWindowSize will set the maximum allowed back-reference distance.
+// The value must be a power of two between MinWindowSize and MaxWindowSize.
+// A larger value will enable better compression but allocate more memory and,
+// for above-default values, take considerably longer.
+// The default value is determined by the compression level and max 8MB.
+func WithWindowSize(n int) EOption {
+	return func(o *encoderOptions) error {
+		switch {
+		case n < MinWindowSize:
+			return fmt.Errorf("window size must be at least %d", MinWindowSize)
+		case n > MaxWindowSize:
+			return fmt.Errorf("window size must be at most %d", MaxWindowSize)
+		case (n & (n - 1)) != 0:
+			return errors.New("window size must be a power of 2")
+		}
+
+		o.windowSize = n
+		o.customWindow = true
+		if o.blockSize > o.windowSize {
+			o.blockSize = o.windowSize
+			o.customBlockSize = true
+		}
+		return nil
+	}
+}
+
+// WithEncoderPadding will add padding to all output so the size will be a multiple of n.
+// This can be used to obfuscate the exact output size or make blocks of a certain size.
+// The contents will be a skippable frame, so it will be invisible by the decoder.
+// n must be > 0 and <= 1GB, 1<<30 bytes.
+// The padded area will be filled with data from crypto/rand.Reader.
+// If `EncodeAll` is used with data already in the destination, the total size will be multiple of this.
+func WithEncoderPadding(n int) EOption {
+	return func(o *encoderOptions) error {
+		if n <= 0 {
+			return fmt.Errorf("padding must be at least 1")
+		}
+		// No need to waste our time.
+		if n == 1 {
+			n = 0
+		}
+		if n > 1<<30 {
+			return fmt.Errorf("padding must less than 1GB (1<<30 bytes) ")
+		}
+		o.pad = n
+		return nil
+	}
+}
+
+// EncoderLevel predefines encoder compression levels.
+// Only use the constants made available, since the actual mapping
+// of these values are very likely to change and your compression could change
+// unpredictably when upgrading the library.
+type EncoderLevel int
+
+const (
+	speedNotSet EncoderLevel = iota
+
+	// SpeedFastest will choose the fastest reasonable compression.
+	// This is roughly equivalent to the fastest Zstandard mode.
+	SpeedFastest
+
+	// SpeedDefault is the default "pretty fast" compression option.
+	// This is roughly equivalent to the default Zstandard mode (level 3).
+	SpeedDefault
+
+	// SpeedBetterCompression will yield better compression than the default.
+	// Currently it is about zstd level 7-8 with ~ 2x-3x the default CPU usage.
+	// By using this, notice that CPU usage may go up in the future.
+	SpeedBetterCompression
+
+	// SpeedBestCompression will choose the best available compression option.
+	// This will offer the best compression no matter the CPU cost.
+	SpeedBestCompression
+
+	// speedLast should be kept as the last actual compression option.
+	// The is not for external usage, but is used to keep track of the valid options.
+	speedLast
+)
+
+// EncoderLevelFromString will convert a string representation of an encoding level back
+// to a compression level. The compare is not case sensitive.
+// If the string wasn't recognized, (false, SpeedDefault) will be returned.
+func EncoderLevelFromString(s string) (bool, EncoderLevel) {
+	for l := speedNotSet + 1; l < speedLast; l++ {
+		if strings.EqualFold(s, l.String()) {
+			return true, l
+		}
+	}
+	return false, SpeedDefault
+}
+
+// EncoderLevelFromZstd will return an encoder level that closest matches the compression
+// ratio of a specific zstd compression level.
+// Many input values will provide the same compression level.
+func EncoderLevelFromZstd(level int) EncoderLevel {
+	switch {
+	case level < 3:
+		return SpeedFastest
+	case level >= 3 && level < 6:
+		return SpeedDefault
+	case level >= 6 && level < 10:
+		return SpeedBetterCompression
+	default:
+		return SpeedBestCompression
+	}
+}
+
+// String provides a string representation of the compression level.
+func (e EncoderLevel) String() string {
+	switch e {
+	case SpeedFastest:
+		return "fastest"
+	case SpeedDefault:
+		return "default"
+	case SpeedBetterCompression:
+		return "better"
+	case SpeedBestCompression:
+		return "best"
+	default:
+		return "invalid"
+	}
+}
+
+// WithEncoderLevel specifies a predefined compression level.
+func WithEncoderLevel(l EncoderLevel) EOption {
+	return func(o *encoderOptions) error {
+		switch {
+		case l <= speedNotSet || l >= speedLast:
+			return fmt.Errorf("unknown encoder level")
+		}
+		o.level = l
+		if !o.customWindow {
+			switch o.level {
+			case SpeedFastest:
+				o.windowSize = 4 << 20
+				if !o.customBlockSize {
+					o.blockSize = 1 << 16
+				}
+			case SpeedDefault:
+				o.windowSize = 8 << 20
+			case SpeedBetterCompression:
+				o.windowSize = 8 << 20
+			case SpeedBestCompression:
+				o.windowSize = 8 << 20
+			}
+		}
+		if !o.customALEntropy {
+			o.allLitEntropy = l > SpeedDefault
+		}
+
+		return nil
+	}
+}
+
+// WithZeroFrames will encode 0 length input as full frames.
+// This can be needed for compatibility with zstandard usage,
+// but is not needed for this package.
+func WithZeroFrames(b bool) EOption {
+	return func(o *encoderOptions) error {
+		o.fullZero = b
+		return nil
+	}
+}
+
+// WithAllLitEntropyCompression will apply entropy compression if no matches are found.
+// Disabling this will skip incompressible data faster, but in cases with no matches but
+// skewed character distribution compression is lost.
+// Default value depends on the compression level selected.
+func WithAllLitEntropyCompression(b bool) EOption {
+	return func(o *encoderOptions) error {
+		o.customALEntropy = true
+		o.allLitEntropy = b
+		return nil
+	}
+}
+
+// WithNoEntropyCompression will always skip entropy compression of literals.
+// This can be useful if content has matches, but unlikely to benefit from entropy
+// compression. Usually the slight speed improvement is not worth enabling this.
+func WithNoEntropyCompression(b bool) EOption {
+	return func(o *encoderOptions) error {
+		o.noEntropy = b
+		return nil
+	}
+}
+
+// WithSingleSegment will set the "single segment" flag when EncodeAll is used.
+// If this flag is set, data must be regenerated within a single continuous memory segment.
+// In this case, Window_Descriptor byte is skipped, but Frame_Content_Size is necessarily present.
+// As a consequence, the decoder must allocate a memory segment of size equal or larger than size of your content.
+// In order to preserve the decoder from unreasonable memory requirements,
+// a decoder is allowed to reject a compressed frame which requests a memory size beyond decoder's authorized range.
+// For broader compatibility, decoders are recommended to support memory sizes of at least 8 MB.
+// This is only a recommendation, each decoder is free to support higher or lower limits, depending on local limitations.
+// If this is not specified, block encodes will automatically choose this based on the input size and the window size.
+// This setting has no effect on streamed encodes.
+func WithSingleSegment(b bool) EOption {
+	return func(o *encoderOptions) error {
+		o.single = &b
+		return nil
+	}
+}
+
+// WithLowerEncoderMem will trade in some memory cases trade less memory usage for
+// slower encoding speed.
+// This will not change the window size which is the primary function for reducing
+// memory usage. See WithWindowSize.
+func WithLowerEncoderMem(b bool) EOption {
+	return func(o *encoderOptions) error {
+		o.lowMem = b
+		return nil
+	}
+}
+
+// WithEncoderDict allows to register a dictionary that will be used for the encode.
+//
+// The slice dict must be in the [dictionary format] produced by
+// "zstd --train" from the Zstandard reference implementation.
+//
+// The encoder *may* choose to use no dictionary instead for certain payloads.
+//
+// [dictionary format]: https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#dictionary-format
+func WithEncoderDict(dict []byte) EOption {
+	return func(o *encoderOptions) error {
+		d, err := loadDict(dict)
+		if err != nil {
+			return err
+		}
+		o.dict = d
+		return nil
+	}
+}
+
+// WithEncoderDictRaw registers a dictionary that may be used by the encoder.
+//
+// The slice content may contain arbitrary data. It will be used as an initial
+// history.
+func WithEncoderDictRaw(id uint32, content []byte) EOption {
+	return func(o *encoderOptions) error {
+		if bits.UintSize > 32 && uint(len(content)) > dictMaxLength {
+			return fmt.Errorf("dictionary of size %d > 2GiB too large", len(content))
+		}
+		o.dict = &dict{id: id, content: content, offsets: [3]int{1, 4, 8}}
+		return nil
+	}
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/framedec.go b/vendor/github.com/klauspost/compress/zstd/framedec.go
new file mode 100644
index 0000000000..e47af66e7c
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/framedec.go
@@ -0,0 +1,415 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"io"
+
+	"github.com/klauspost/compress/zstd/internal/xxhash"
+)
+
+type frameDec struct {
+	o   decoderOptions
+	crc *xxhash.Digest
+
+	WindowSize uint64
+
+	// Frame history passed between blocks
+	history history
+
+	rawInput byteBuffer
+
+	// Byte buffer that can be reused for small input blocks.
+	bBuf byteBuf
+
+	FrameContentSize uint64
+
+	DictionaryID  uint32
+	HasCheckSum   bool
+	SingleSegment bool
+}
+
+const (
+	// MinWindowSize is the minimum Window Size, which is 1 KB.
+	MinWindowSize = 1 << 10
+
+	// MaxWindowSize is the maximum encoder window size
+	// and the default decoder maximum window size.
+	MaxWindowSize = 1 << 29
+)
+
+const (
+	frameMagic          = "\x28\xb5\x2f\xfd"
+	skippableFrameMagic = "\x2a\x4d\x18"
+)
+
+func newFrameDec(o decoderOptions) *frameDec {
+	if o.maxWindowSize > o.maxDecodedSize {
+		o.maxWindowSize = o.maxDecodedSize
+	}
+	d := frameDec{
+		o: o,
+	}
+	return &d
+}
+
+// reset will read the frame header and prepare for block decoding.
+// If nothing can be read from the input, io.EOF will be returned.
+// Any other error indicated that the stream contained data, but
+// there was a problem.
+func (d *frameDec) reset(br byteBuffer) error {
+	d.HasCheckSum = false
+	d.WindowSize = 0
+	var signature [4]byte
+	for {
+		var err error
+		// Check if we can read more...
+		b, err := br.readSmall(1)
+		switch err {
+		case io.EOF, io.ErrUnexpectedEOF:
+			return io.EOF
+		case nil:
+			signature[0] = b[0]
+		default:
+			return err
+		}
+		// Read the rest, don't allow io.ErrUnexpectedEOF
+		b, err = br.readSmall(3)
+		switch err {
+		case io.EOF:
+			return io.EOF
+		case nil:
+			copy(signature[1:], b)
+		default:
+			return err
+		}
+
+		if string(signature[1:4]) != skippableFrameMagic || signature[0]&0xf0 != 0x50 {
+			if debugDecoder {
+				println("Not skippable", hex.EncodeToString(signature[:]), hex.EncodeToString([]byte(skippableFrameMagic)))
+			}
+			// Break if not skippable frame.
+			break
+		}
+		// Read size to skip
+		b, err = br.readSmall(4)
+		if err != nil {
+			if debugDecoder {
+				println("Reading Frame Size", err)
+			}
+			return err
+		}
+		n := uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24)
+		println("Skipping frame with", n, "bytes.")
+		err = br.skipN(int64(n))
+		if err != nil {
+			if debugDecoder {
+				println("Reading discarded frame", err)
+			}
+			return err
+		}
+	}
+	if string(signature[:]) != frameMagic {
+		if debugDecoder {
+			println("Got magic numbers: ", signature, "want:", []byte(frameMagic))
+		}
+		return ErrMagicMismatch
+	}
+
+	// Read Frame_Header_Descriptor
+	fhd, err := br.readByte()
+	if err != nil {
+		if debugDecoder {
+			println("Reading Frame_Header_Descriptor", err)
+		}
+		return err
+	}
+	d.SingleSegment = fhd&(1<<5) != 0
+
+	if fhd&(1<<3) != 0 {
+		return errors.New("reserved bit set on frame header")
+	}
+
+	// Read Window_Descriptor
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#window_descriptor
+	d.WindowSize = 0
+	if !d.SingleSegment {
+		wd, err := br.readByte()
+		if err != nil {
+			if debugDecoder {
+				println("Reading Window_Descriptor", err)
+			}
+			return err
+		}
+		if debugDecoder {
+			printf("raw: %x, mantissa: %d, exponent: %d\n", wd, wd&7, wd>>3)
+		}
+		windowLog := 10 + (wd >> 3)
+		windowBase := uint64(1) << windowLog
+		windowAdd := (windowBase / 8) * uint64(wd&0x7)
+		d.WindowSize = windowBase + windowAdd
+	}
+
+	// Read Dictionary_ID
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#dictionary_id
+	d.DictionaryID = 0
+	if size := fhd & 3; size != 0 {
+		if size == 3 {
+			size = 4
+		}
+
+		b, err := br.readSmall(int(size))
+		if err != nil {
+			println("Reading Dictionary_ID", err)
+			return err
+		}
+		var id uint32
+		switch len(b) {
+		case 1:
+			id = uint32(b[0])
+		case 2:
+			id = uint32(b[0]) | (uint32(b[1]) << 8)
+		case 4:
+			id = uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24)
+		}
+		if debugDecoder {
+			println("Dict size", size, "ID:", id)
+		}
+		d.DictionaryID = id
+	}
+
+	// Read Frame_Content_Size
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#frame_content_size
+	var fcsSize int
+	v := fhd >> 6
+	switch v {
+	case 0:
+		if d.SingleSegment {
+			fcsSize = 1
+		}
+	default:
+		fcsSize = 1 << v
+	}
+	d.FrameContentSize = fcsUnknown
+	if fcsSize > 0 {
+		b, err := br.readSmall(fcsSize)
+		if err != nil {
+			println("Reading Frame content", err)
+			return err
+		}
+		switch len(b) {
+		case 1:
+			d.FrameContentSize = uint64(b[0])
+		case 2:
+			// When FCS_Field_Size is 2, the offset of 256 is added.
+			d.FrameContentSize = uint64(b[0]) | (uint64(b[1]) << 8) + 256
+		case 4:
+			d.FrameContentSize = uint64(b[0]) | (uint64(b[1]) << 8) | (uint64(b[2]) << 16) | (uint64(b[3]) << 24)
+		case 8:
+			d1 := uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24)
+			d2 := uint32(b[4]) | (uint32(b[5]) << 8) | (uint32(b[6]) << 16) | (uint32(b[7]) << 24)
+			d.FrameContentSize = uint64(d1) | (uint64(d2) << 32)
+		}
+		if debugDecoder {
+			println("Read FCS:", d.FrameContentSize)
+		}
+	}
+
+	// Move this to shared.
+	d.HasCheckSum = fhd&(1<<2) != 0
+	if d.HasCheckSum {
+		if d.crc == nil {
+			d.crc = xxhash.New()
+		}
+		d.crc.Reset()
+	}
+
+	if d.WindowSize > d.o.maxWindowSize {
+		if debugDecoder {
+			printf("window size %d > max %d\n", d.WindowSize, d.o.maxWindowSize)
+		}
+		return ErrWindowSizeExceeded
+	}
+
+	if d.WindowSize == 0 && d.SingleSegment {
+		// We may not need window in this case.
+		d.WindowSize = d.FrameContentSize
+		if d.WindowSize < MinWindowSize {
+			d.WindowSize = MinWindowSize
+		}
+		if d.WindowSize > d.o.maxDecodedSize {
+			if debugDecoder {
+				printf("window size %d > max %d\n", d.WindowSize, d.o.maxWindowSize)
+			}
+			return ErrDecoderSizeExceeded
+		}
+	}
+
+	// The minimum Window_Size is 1 KB.
+	if d.WindowSize < MinWindowSize {
+		if debugDecoder {
+			println("got window size: ", d.WindowSize)
+		}
+		return ErrWindowSizeTooSmall
+	}
+	d.history.windowSize = int(d.WindowSize)
+	if !d.o.lowMem || d.history.windowSize < maxBlockSize {
+		// Alloc 2x window size if not low-mem, or window size below 2MB.
+		d.history.allocFrameBuffer = d.history.windowSize * 2
+	} else {
+		if d.o.lowMem {
+			// Alloc with 1MB extra.
+			d.history.allocFrameBuffer = d.history.windowSize + maxBlockSize/2
+		} else {
+			// Alloc with 2MB extra.
+			d.history.allocFrameBuffer = d.history.windowSize + maxBlockSize
+		}
+	}
+
+	if debugDecoder {
+		println("Frame: Dict:", d.DictionaryID, "FrameContentSize:", d.FrameContentSize, "singleseg:", d.SingleSegment, "window:", d.WindowSize, "crc:", d.HasCheckSum)
+	}
+
+	// history contains input - maybe we do something
+	d.rawInput = br
+	return nil
+}
+
+// next will start decoding the next block from stream.
+func (d *frameDec) next(block *blockDec) error {
+	if debugDecoder {
+		println("decoding new block")
+	}
+	err := block.reset(d.rawInput, d.WindowSize)
+	if err != nil {
+		println("block error:", err)
+		// Signal the frame decoder we have a problem.
+		block.sendErr(err)
+		return err
+	}
+	return nil
+}
+
+// checkCRC will check the checksum, assuming the frame has one.
+// Will return ErrCRCMismatch if crc check failed, otherwise nil.
+func (d *frameDec) checkCRC() error {
+	// We can overwrite upper tmp now
+	buf, err := d.rawInput.readSmall(4)
+	if err != nil {
+		println("CRC missing?", err)
+		return err
+	}
+
+	want := binary.LittleEndian.Uint32(buf[:4])
+	got := uint32(d.crc.Sum64())
+
+	if got != want {
+		if debugDecoder {
+			printf("CRC check failed: got %08x, want %08x\n", got, want)
+		}
+		return ErrCRCMismatch
+	}
+	if debugDecoder {
+		printf("CRC ok %08x\n", got)
+	}
+	return nil
+}
+
+// consumeCRC skips over the checksum, assuming the frame has one.
+func (d *frameDec) consumeCRC() error {
+	_, err := d.rawInput.readSmall(4)
+	if err != nil {
+		println("CRC missing?", err)
+	}
+	return err
+}
+
+// runDecoder will run the decoder for the remainder of the frame.
+func (d *frameDec) runDecoder(dst []byte, dec *blockDec) ([]byte, error) {
+	saved := d.history.b
+
+	// We use the history for output to avoid copying it.
+	d.history.b = dst
+	d.history.ignoreBuffer = len(dst)
+	// Store input length, so we only check new data.
+	crcStart := len(dst)
+	d.history.decoders.maxSyncLen = 0
+	if d.o.limitToCap {
+		d.history.decoders.maxSyncLen = uint64(cap(dst) - len(dst))
+	}
+	if d.FrameContentSize != fcsUnknown {
+		if !d.o.limitToCap || d.FrameContentSize+uint64(len(dst)) < d.history.decoders.maxSyncLen {
+			d.history.decoders.maxSyncLen = d.FrameContentSize + uint64(len(dst))
+		}
+		if d.history.decoders.maxSyncLen > d.o.maxDecodedSize {
+			if debugDecoder {
+				println("maxSyncLen:", d.history.decoders.maxSyncLen, "> maxDecodedSize:", d.o.maxDecodedSize)
+			}
+			return dst, ErrDecoderSizeExceeded
+		}
+		if debugDecoder {
+			println("maxSyncLen:", d.history.decoders.maxSyncLen)
+		}
+		if !d.o.limitToCap && uint64(cap(dst)) < d.history.decoders.maxSyncLen {
+			// Alloc for output
+			dst2 := make([]byte, len(dst), d.history.decoders.maxSyncLen+compressedBlockOverAlloc)
+			copy(dst2, dst)
+			dst = dst2
+		}
+	}
+	var err error
+	for {
+		err = dec.reset(d.rawInput, d.WindowSize)
+		if err != nil {
+			break
+		}
+		if debugDecoder {
+			println("next block:", dec)
+		}
+		err = dec.decodeBuf(&d.history)
+		if err != nil {
+			break
+		}
+		if uint64(len(d.history.b)-crcStart) > d.o.maxDecodedSize {
+			println("runDecoder: maxDecodedSize exceeded", uint64(len(d.history.b)-crcStart), ">", d.o.maxDecodedSize)
+			err = ErrDecoderSizeExceeded
+			break
+		}
+		if d.o.limitToCap && len(d.history.b) > cap(dst) {
+			println("runDecoder: cap exceeded", uint64(len(d.history.b)), ">", cap(dst))
+			err = ErrDecoderSizeExceeded
+			break
+		}
+		if uint64(len(d.history.b)-crcStart) > d.FrameContentSize {
+			println("runDecoder: FrameContentSize exceeded", uint64(len(d.history.b)-crcStart), ">", d.FrameContentSize)
+			err = ErrFrameSizeExceeded
+			break
+		}
+		if dec.Last {
+			break
+		}
+		if debugDecoder {
+			println("runDecoder: FrameContentSize", uint64(len(d.history.b)-crcStart), "<=", d.FrameContentSize)
+		}
+	}
+	dst = d.history.b
+	if err == nil {
+		if d.FrameContentSize != fcsUnknown && uint64(len(d.history.b)-crcStart) != d.FrameContentSize {
+			err = ErrFrameSizeMismatch
+		} else if d.HasCheckSum {
+			if d.o.ignoreChecksum {
+				err = d.consumeCRC()
+			} else {
+				d.crc.Write(dst[crcStart:])
+				err = d.checkCRC()
+			}
+		}
+	}
+	d.history.b = saved
+	return dst, err
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/frameenc.go b/vendor/github.com/klauspost/compress/zstd/frameenc.go
new file mode 100644
index 0000000000..667ca06794
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/frameenc.go
@@ -0,0 +1,137 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"encoding/binary"
+	"fmt"
+	"io"
+	"math"
+	"math/bits"
+)
+
+type frameHeader struct {
+	ContentSize   uint64
+	WindowSize    uint32
+	SingleSegment bool
+	Checksum      bool
+	DictID        uint32
+}
+
+const maxHeaderSize = 14
+
+func (f frameHeader) appendTo(dst []byte) []byte {
+	dst = append(dst, frameMagic...)
+	var fhd uint8
+	if f.Checksum {
+		fhd |= 1 << 2
+	}
+	if f.SingleSegment {
+		fhd |= 1 << 5
+	}
+
+	var dictIDContent []byte
+	if f.DictID > 0 {
+		var tmp [4]byte
+		if f.DictID < 256 {
+			fhd |= 1
+			tmp[0] = uint8(f.DictID)
+			dictIDContent = tmp[:1]
+		} else if f.DictID < 1<<16 {
+			fhd |= 2
+			binary.LittleEndian.PutUint16(tmp[:2], uint16(f.DictID))
+			dictIDContent = tmp[:2]
+		} else {
+			fhd |= 3
+			binary.LittleEndian.PutUint32(tmp[:4], f.DictID)
+			dictIDContent = tmp[:4]
+		}
+	}
+	var fcs uint8
+	if f.ContentSize >= 256 {
+		fcs++
+	}
+	if f.ContentSize >= 65536+256 {
+		fcs++
+	}
+	if f.ContentSize >= 0xffffffff {
+		fcs++
+	}
+
+	fhd |= fcs << 6
+
+	dst = append(dst, fhd)
+	if !f.SingleSegment {
+		const winLogMin = 10
+		windowLog := (bits.Len32(f.WindowSize-1) - winLogMin) << 3
+		dst = append(dst, uint8(windowLog))
+	}
+	if f.DictID > 0 {
+		dst = append(dst, dictIDContent...)
+	}
+	switch fcs {
+	case 0:
+		if f.SingleSegment {
+			dst = append(dst, uint8(f.ContentSize))
+		}
+		// Unless SingleSegment is set, framessizes < 256 are not stored.
+	case 1:
+		f.ContentSize -= 256
+		dst = append(dst, uint8(f.ContentSize), uint8(f.ContentSize>>8))
+	case 2:
+		dst = append(dst, uint8(f.ContentSize), uint8(f.ContentSize>>8), uint8(f.ContentSize>>16), uint8(f.ContentSize>>24))
+	case 3:
+		dst = append(dst, uint8(f.ContentSize), uint8(f.ContentSize>>8), uint8(f.ContentSize>>16), uint8(f.ContentSize>>24),
+			uint8(f.ContentSize>>32), uint8(f.ContentSize>>40), uint8(f.ContentSize>>48), uint8(f.ContentSize>>56))
+	default:
+		panic("invalid fcs")
+	}
+	return dst
+}
+
+const skippableFrameHeader = 4 + 4
+
+// calcSkippableFrame will return a total size to be added for written
+// to be divisible by multiple.
+// The value will always be > skippableFrameHeader.
+// The function will panic if written < 0 or wantMultiple <= 0.
+func calcSkippableFrame(written, wantMultiple int64) int {
+	if wantMultiple <= 0 {
+		panic("wantMultiple <= 0")
+	}
+	if written < 0 {
+		panic("written < 0")
+	}
+	leftOver := written % wantMultiple
+	if leftOver == 0 {
+		return 0
+	}
+	toAdd := wantMultiple - leftOver
+	for toAdd < skippableFrameHeader {
+		toAdd += wantMultiple
+	}
+	return int(toAdd)
+}
+
+// skippableFrame will add a skippable frame with a total size of bytes.
+// total should be >= skippableFrameHeader and < math.MaxUint32.
+func skippableFrame(dst []byte, total int, r io.Reader) ([]byte, error) {
+	if total == 0 {
+		return dst, nil
+	}
+	if total < skippableFrameHeader {
+		return dst, fmt.Errorf("requested skippable frame (%d) < 8", total)
+	}
+	if int64(total) > math.MaxUint32 {
+		return dst, fmt.Errorf("requested skippable frame (%d) > max uint32", total)
+	}
+	dst = append(dst, 0x50, 0x2a, 0x4d, 0x18)
+	f := uint32(total - skippableFrameHeader)
+	dst = append(dst, uint8(f), uint8(f>>8), uint8(f>>16), uint8(f>>24))
+	start := len(dst)
+	dst = append(dst, make([]byte, f)...)
+	_, err := io.ReadFull(r, dst[start:])
+	return dst, err
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder.go b/vendor/github.com/klauspost/compress/zstd/fse_decoder.go
new file mode 100644
index 0000000000..2f8860a722
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder.go
@@ -0,0 +1,307 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+)
+
+const (
+	tablelogAbsoluteMax = 9
+)
+
+const (
+	/*!MEMORY_USAGE :
+	 *  Memory usage formula : N->2^N Bytes (examples : 10 -> 1KB; 12 -> 4KB ; 16 -> 64KB; 20 -> 1MB; etc.)
+	 *  Increasing memory usage improves compression ratio
+	 *  Reduced memory usage can improve speed, due to cache effect
+	 *  Recommended max value is 14, for 16KB, which nicely fits into Intel x86 L1 cache */
+	maxMemoryUsage = tablelogAbsoluteMax + 2
+
+	maxTableLog    = maxMemoryUsage - 2
+	maxTablesize   = 1 << maxTableLog
+	maxTableMask   = (1 << maxTableLog) - 1
+	minTablelog    = 5
+	maxSymbolValue = 255
+)
+
+// fseDecoder provides temporary storage for compression and decompression.
+type fseDecoder struct {
+	dt             [maxTablesize]decSymbol // Decompression table.
+	symbolLen      uint16                  // Length of active part of the symbol table.
+	actualTableLog uint8                   // Selected tablelog.
+	maxBits        uint8                   // Maximum number of additional bits
+
+	// used for table creation to avoid allocations.
+	stateTable [256]uint16
+	norm       [maxSymbolValue + 1]int16
+	preDefined bool
+}
+
+// tableStep returns the next table index.
+func tableStep(tableSize uint32) uint32 {
+	return (tableSize >> 1) + (tableSize >> 3) + 3
+}
+
+// readNCount will read the symbol distribution so decoding tables can be constructed.
+func (s *fseDecoder) readNCount(b *byteReader, maxSymbol uint16) error {
+	var (
+		charnum   uint16
+		previous0 bool
+	)
+	if b.remain() < 4 {
+		return errors.New("input too small")
+	}
+	bitStream := b.Uint32NC()
+	nbBits := uint((bitStream & 0xF) + minTablelog) // extract tableLog
+	if nbBits > tablelogAbsoluteMax {
+		println("Invalid tablelog:", nbBits)
+		return errors.New("tableLog too large")
+	}
+	bitStream >>= 4
+	bitCount := uint(4)
+
+	s.actualTableLog = uint8(nbBits)
+	remaining := int32((1 << nbBits) + 1)
+	threshold := int32(1 << nbBits)
+	gotTotal := int32(0)
+	nbBits++
+
+	for remaining > 1 && charnum <= maxSymbol {
+		if previous0 {
+			//println("prev0")
+			n0 := charnum
+			for (bitStream & 0xFFFF) == 0xFFFF {
+				//println("24 x 0")
+				n0 += 24
+				if r := b.remain(); r > 5 {
+					b.advance(2)
+					// The check above should make sure we can read 32 bits
+					bitStream = b.Uint32NC() >> bitCount
+				} else {
+					// end of bit stream
+					bitStream >>= 16
+					bitCount += 16
+				}
+			}
+			//printf("bitstream: %d, 0b%b", bitStream&3, bitStream)
+			for (bitStream & 3) == 3 {
+				n0 += 3
+				bitStream >>= 2
+				bitCount += 2
+			}
+			n0 += uint16(bitStream & 3)
+			bitCount += 2
+
+			if n0 > maxSymbolValue {
+				return errors.New("maxSymbolValue too small")
+			}
+			//println("inserting ", n0-charnum, "zeroes from idx", charnum, "ending before", n0)
+			for charnum < n0 {
+				s.norm[uint8(charnum)] = 0
+				charnum++
+			}
+
+			if r := b.remain(); r >= 7 || r-int(bitCount>>3) >= 4 {
+				b.advance(bitCount >> 3)
+				bitCount &= 7
+				// The check above should make sure we can read 32 bits
+				bitStream = b.Uint32NC() >> bitCount
+			} else {
+				bitStream >>= 2
+			}
+		}
+
+		max := (2*threshold - 1) - remaining
+		var count int32
+
+		if int32(bitStream)&(threshold-1) < max {
+			count = int32(bitStream) & (threshold - 1)
+			if debugAsserts && nbBits < 1 {
+				panic("nbBits underflow")
+			}
+			bitCount += nbBits - 1
+		} else {
+			count = int32(bitStream) & (2*threshold - 1)
+			if count >= threshold {
+				count -= max
+			}
+			bitCount += nbBits
+		}
+
+		// extra accuracy
+		count--
+		if count < 0 {
+			// -1 means +1
+			remaining += count
+			gotTotal -= count
+		} else {
+			remaining -= count
+			gotTotal += count
+		}
+		s.norm[charnum&0xff] = int16(count)
+		charnum++
+		previous0 = count == 0
+		for remaining < threshold {
+			nbBits--
+			threshold >>= 1
+		}
+
+		if r := b.remain(); r >= 7 || r-int(bitCount>>3) >= 4 {
+			b.advance(bitCount >> 3)
+			bitCount &= 7
+			// The check above should make sure we can read 32 bits
+			bitStream = b.Uint32NC() >> (bitCount & 31)
+		} else {
+			bitCount -= (uint)(8 * (len(b.b) - 4 - b.off))
+			b.off = len(b.b) - 4
+			bitStream = b.Uint32() >> (bitCount & 31)
+		}
+	}
+	s.symbolLen = charnum
+	if s.symbolLen <= 1 {
+		return fmt.Errorf("symbolLen (%d) too small", s.symbolLen)
+	}
+	if s.symbolLen > maxSymbolValue+1 {
+		return fmt.Errorf("symbolLen (%d) too big", s.symbolLen)
+	}
+	if remaining != 1 {
+		return fmt.Errorf("corruption detected (remaining %d != 1)", remaining)
+	}
+	if bitCount > 32 {
+		return fmt.Errorf("corruption detected (bitCount %d > 32)", bitCount)
+	}
+	if gotTotal != 1<<s.actualTableLog {
+		return fmt.Errorf("corruption detected (total %d != %d)", gotTotal, 1<<s.actualTableLog)
+	}
+	b.advance((bitCount + 7) >> 3)
+	return s.buildDtable()
+}
+
+func (s *fseDecoder) mustReadFrom(r io.Reader) {
+	fatalErr := func(err error) {
+		if err != nil {
+			panic(err)
+		}
+	}
+	// 	dt             [maxTablesize]decSymbol // Decompression table.
+	//	symbolLen      uint16                  // Length of active part of the symbol table.
+	//	actualTableLog uint8                   // Selected tablelog.
+	//	maxBits        uint8                   // Maximum number of additional bits
+	//	// used for table creation to avoid allocations.
+	//	stateTable [256]uint16
+	//	norm       [maxSymbolValue + 1]int16
+	//	preDefined bool
+	fatalErr(binary.Read(r, binary.LittleEndian, &s.dt))
+	fatalErr(binary.Read(r, binary.LittleEndian, &s.symbolLen))
+	fatalErr(binary.Read(r, binary.LittleEndian, &s.actualTableLog))
+	fatalErr(binary.Read(r, binary.LittleEndian, &s.maxBits))
+	fatalErr(binary.Read(r, binary.LittleEndian, &s.stateTable))
+	fatalErr(binary.Read(r, binary.LittleEndian, &s.norm))
+	fatalErr(binary.Read(r, binary.LittleEndian, &s.preDefined))
+}
+
+// decSymbol contains information about a state entry,
+// Including the state offset base, the output symbol and
+// the number of bits to read for the low part of the destination state.
+// Using a composite uint64 is faster than a struct with separate members.
+type decSymbol uint64
+
+func newDecSymbol(nbits, addBits uint8, newState uint16, baseline uint32) decSymbol {
+	return decSymbol(nbits) | (decSymbol(addBits) << 8) | (decSymbol(newState) << 16) | (decSymbol(baseline) << 32)
+}
+
+func (d decSymbol) nbBits() uint8 {
+	return uint8(d)
+}
+
+func (d decSymbol) addBits() uint8 {
+	return uint8(d >> 8)
+}
+
+func (d decSymbol) newState() uint16 {
+	return uint16(d >> 16)
+}
+
+func (d decSymbol) baselineInt() int {
+	return int(d >> 32)
+}
+
+func (d *decSymbol) setNBits(nBits uint8) {
+	const mask = 0xffffffffffffff00
+	*d = (*d & mask) | decSymbol(nBits)
+}
+
+func (d *decSymbol) setAddBits(addBits uint8) {
+	const mask = 0xffffffffffff00ff
+	*d = (*d & mask) | (decSymbol(addBits) << 8)
+}
+
+func (d *decSymbol) setNewState(state uint16) {
+	const mask = 0xffffffff0000ffff
+	*d = (*d & mask) | decSymbol(state)<<16
+}
+
+func (d *decSymbol) setExt(addBits uint8, baseline uint32) {
+	const mask = 0xffff00ff
+	*d = (*d & mask) | (decSymbol(addBits) << 8) | (decSymbol(baseline) << 32)
+}
+
+// decSymbolValue returns the transformed decSymbol for the given symbol.
+func decSymbolValue(symb uint8, t []baseOffset) (decSymbol, error) {
+	if int(symb) >= len(t) {
+		return 0, fmt.Errorf("rle symbol %d >= max %d", symb, len(t))
+	}
+	lu := t[symb]
+	return newDecSymbol(0, lu.addBits, 0, lu.baseLine), nil
+}
+
+// setRLE will set the decoder til RLE mode.
+func (s *fseDecoder) setRLE(symbol decSymbol) {
+	s.actualTableLog = 0
+	s.maxBits = symbol.addBits()
+	s.dt[0] = symbol
+}
+
+// transform will transform the decoder table into a table usable for
+// decoding without having to apply the transformation while decoding.
+// The state will contain the base value and the number of bits to read.
+func (s *fseDecoder) transform(t []baseOffset) error {
+	tableSize := uint16(1 << s.actualTableLog)
+	s.maxBits = 0
+	for i, v := range s.dt[:tableSize] {
+		add := v.addBits()
+		if int(add) >= len(t) {
+			return fmt.Errorf("invalid decoding table entry %d, symbol %d >= max (%d)", i, v.addBits(), len(t))
+		}
+		lu := t[add]
+		if lu.addBits > s.maxBits {
+			s.maxBits = lu.addBits
+		}
+		v.setExt(lu.addBits, lu.baseLine)
+		s.dt[i] = v
+	}
+	return nil
+}
+
+type fseState struct {
+	dt    []decSymbol
+	state decSymbol
+}
+
+// Initialize and decodeAsync first state and symbol.
+func (s *fseState) init(br *bitReader, tableLog uint8, dt []decSymbol) {
+	s.dt = dt
+	br.fill()
+	s.state = dt[br.getBits(tableLog)]
+}
+
+// final returns the current state symbol without decoding the next.
+func (s decSymbol) final() (int, uint8) {
+	return s.baselineInt(), s.addBits()
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go
new file mode 100644
index 0000000000..d04a829b0a
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go
@@ -0,0 +1,65 @@
+//go:build amd64 && !appengine && !noasm && gc
+// +build amd64,!appengine,!noasm,gc
+
+package zstd
+
+import (
+	"fmt"
+)
+
+type buildDtableAsmContext struct {
+	// inputs
+	stateTable *uint16
+	norm       *int16
+	dt         *uint64
+
+	// outputs --- set by the procedure in the case of error;
+	// for interpretation please see the error handling part below
+	errParam1 uint64
+	errParam2 uint64
+}
+
+// buildDtable_asm is an x86 assembly implementation of fseDecoder.buildDtable.
+// Function returns non-zero exit code on error.
+//
+//go:noescape
+func buildDtable_asm(s *fseDecoder, ctx *buildDtableAsmContext) int
+
+// please keep in sync with _generate/gen_fse.go
+const (
+	errorCorruptedNormalizedCounter = 1
+	errorNewStateTooBig             = 2
+	errorNewStateNoBits             = 3
+)
+
+// buildDtable will build the decoding table.
+func (s *fseDecoder) buildDtable() error {
+	ctx := buildDtableAsmContext{
+		stateTable: &s.stateTable[0],
+		norm:       &s.norm[0],
+		dt:         (*uint64)(&s.dt[0]),
+	}
+	code := buildDtable_asm(s, &ctx)
+
+	if code != 0 {
+		switch code {
+		case errorCorruptedNormalizedCounter:
+			position := ctx.errParam1
+			return fmt.Errorf("corrupted input (position=%d, expected 0)", position)
+
+		case errorNewStateTooBig:
+			newState := decSymbol(ctx.errParam1)
+			size := ctx.errParam2
+			return fmt.Errorf("newState (%d) outside table size (%d)", newState, size)
+
+		case errorNewStateNoBits:
+			newState := decSymbol(ctx.errParam1)
+			oldState := decSymbol(ctx.errParam2)
+			return fmt.Errorf("newState (%d) == oldState (%d) and no bits", newState, oldState)
+
+		default:
+			return fmt.Errorf("buildDtable_asm returned unhandled nonzero code = %d", code)
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.s b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.s
new file mode 100644
index 0000000000..bcde398695
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.s
@@ -0,0 +1,126 @@
+// Code generated by command: go run gen_fse.go -out ../fse_decoder_amd64.s -pkg=zstd. DO NOT EDIT.
+
+//go:build !appengine && !noasm && gc && !noasm
+
+// func buildDtable_asm(s *fseDecoder, ctx *buildDtableAsmContext) int
+TEXT ·buildDtable_asm(SB), $0-24
+	MOVQ ctx+8(FP), CX
+	MOVQ s+0(FP), DI
+
+	// Load values
+	MOVBQZX 4098(DI), DX
+	XORQ    AX, AX
+	BTSQ    DX, AX
+	MOVQ    (CX), BX
+	MOVQ    16(CX), SI
+	LEAQ    -1(AX), R8
+	MOVQ    8(CX), CX
+	MOVWQZX 4096(DI), DI
+
+	// End load values
+	// Init, lay down lowprob symbols
+	XORQ R9, R9
+	JMP  init_main_loop_condition
+
+init_main_loop:
+	MOVWQSX (CX)(R9*2), R10
+	CMPW    R10, $-1
+	JNE     do_not_update_high_threshold
+	MOVB    R9, 1(SI)(R8*8)
+	DECQ    R8
+	MOVQ    $0x0000000000000001, R10
+
+do_not_update_high_threshold:
+	MOVW R10, (BX)(R9*2)
+	INCQ R9
+
+init_main_loop_condition:
+	CMPQ R9, DI
+	JL   init_main_loop
+
+	// Spread symbols
+	// Calculate table step
+	MOVQ AX, R9
+	SHRQ $0x01, R9
+	MOVQ AX, R10
+	SHRQ $0x03, R10
+	LEAQ 3(R9)(R10*1), R9
+
+	// Fill add bits values
+	LEAQ -1(AX), R10
+	XORQ R11, R11
+	XORQ R12, R12
+	JMP  spread_main_loop_condition
+
+spread_main_loop:
+	XORQ    R13, R13
+	MOVWQSX (CX)(R12*2), R14
+	JMP     spread_inner_loop_condition
+
+spread_inner_loop:
+	MOVB R12, 1(SI)(R11*8)
+
+adjust_position:
+	ADDQ R9, R11
+	ANDQ R10, R11
+	CMPQ R11, R8
+	JG   adjust_position
+	INCQ R13
+
+spread_inner_loop_condition:
+	CMPQ R13, R14
+	JL   spread_inner_loop
+	INCQ R12
+
+spread_main_loop_condition:
+	CMPQ  R12, DI
+	JL    spread_main_loop
+	TESTQ R11, R11
+	JZ    spread_check_ok
+	MOVQ  ctx+8(FP), AX
+	MOVQ  R11, 24(AX)
+	MOVQ  $+1, ret+16(FP)
+	RET
+
+spread_check_ok:
+	// Build Decoding table
+	XORQ DI, DI
+
+build_table_main_table:
+	MOVBQZX 1(SI)(DI*8), CX
+	MOVWQZX (BX)(CX*2), R8
+	LEAQ    1(R8), R9
+	MOVW    R9, (BX)(CX*2)
+	MOVQ    R8, R9
+	BSRQ    R9, R9
+	MOVQ    DX, CX
+	SUBQ    R9, CX
+	SHLQ    CL, R8
+	SUBQ    AX, R8
+	MOVB    CL, (SI)(DI*8)
+	MOVW    R8, 2(SI)(DI*8)
+	CMPQ    R8, AX
+	JLE     build_table_check1_ok
+	MOVQ    ctx+8(FP), CX
+	MOVQ    R8, 24(CX)
+	MOVQ    AX, 32(CX)
+	MOVQ    $+2, ret+16(FP)
+	RET
+
+build_table_check1_ok:
+	TESTB CL, CL
+	JNZ   build_table_check2_ok
+	CMPW  R8, DI
+	JNE   build_table_check2_ok
+	MOVQ  ctx+8(FP), AX
+	MOVQ  R8, 24(AX)
+	MOVQ  DI, 32(AX)
+	MOVQ  $+3, ret+16(FP)
+	RET
+
+build_table_check2_ok:
+	INCQ DI
+	CMPQ DI, AX
+	JL   build_table_main_table
+	MOVQ $+0, ret+16(FP)
+	RET
diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go b/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go
new file mode 100644
index 0000000000..8adfebb029
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go
@@ -0,0 +1,73 @@
+//go:build !amd64 || appengine || !gc || noasm
+// +build !amd64 appengine !gc noasm
+
+package zstd
+
+import (
+	"errors"
+	"fmt"
+)
+
+// buildDtable will build the decoding table.
+func (s *fseDecoder) buildDtable() error {
+	tableSize := uint32(1 << s.actualTableLog)
+	highThreshold := tableSize - 1
+	symbolNext := s.stateTable[:256]
+
+	// Init, lay down lowprob symbols
+	{
+		for i, v := range s.norm[:s.symbolLen] {
+			if v == -1 {
+				s.dt[highThreshold].setAddBits(uint8(i))
+				highThreshold--
+				v = 1
+			}
+			symbolNext[i] = uint16(v)
+		}
+	}
+
+	// Spread symbols
+	{
+		tableMask := tableSize - 1
+		step := tableStep(tableSize)
+		position := uint32(0)
+		for ss, v := range s.norm[:s.symbolLen] {
+			for i := 0; i < int(v); i++ {
+				s.dt[position].setAddBits(uint8(ss))
+				for {
+					// lowprob area
+					position = (position + step) & tableMask
+					if position <= highThreshold {
+						break
+					}
+				}
+			}
+		}
+		if position != 0 {
+			// position must reach all cells once, otherwise normalizedCounter is incorrect
+			return errors.New("corrupted input (position != 0)")
+		}
+	}
+
+	// Build Decoding table
+	{
+		tableSize := uint16(1 << s.actualTableLog)
+		for u, v := range s.dt[:tableSize] {
+			symbol := v.addBits()
+			nextState := symbolNext[symbol]
+			symbolNext[symbol] = nextState + 1
+			nBits := s.actualTableLog - byte(highBits(uint32(nextState)))
+			s.dt[u&maxTableMask].setNBits(nBits)
+			newState := (nextState << nBits) - tableSize
+			if newState > tableSize {
+				return fmt.Errorf("newState (%d) outside table size (%d)", newState, tableSize)
+			}
+			if newState == uint16(u) && nBits == 0 {
+				// Seems weird that this is possible with nbits > 0.
+				return fmt.Errorf("newState (%d) == oldState (%d) and no bits", newState, u)
+			}
+			s.dt[u&maxTableMask].setNewState(newState)
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/fse_encoder.go b/vendor/github.com/klauspost/compress/zstd/fse_encoder.go
new file mode 100644
index 0000000000..ab26326a8f
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/fse_encoder.go
@@ -0,0 +1,701 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"errors"
+	"fmt"
+	"math"
+)
+
+const (
+	// For encoding we only support up to
+	maxEncTableLog    = 8
+	maxEncTablesize   = 1 << maxTableLog
+	maxEncTableMask   = (1 << maxTableLog) - 1
+	minEncTablelog    = 5
+	maxEncSymbolValue = maxMatchLengthSymbol
+)
+
+// Scratch provides temporary storage for compression and decompression.
+type fseEncoder struct {
+	symbolLen      uint16 // Length of active part of the symbol table.
+	actualTableLog uint8  // Selected tablelog.
+	ct             cTable // Compression tables.
+	maxCount       int    // count of the most probable symbol
+	zeroBits       bool   // no bits has prob > 50%.
+	clearCount     bool   // clear count
+	useRLE         bool   // This encoder is for RLE
+	preDefined     bool   // This encoder is predefined.
+	reUsed         bool   // Set to know when the encoder has been reused.
+	rleVal         uint8  // RLE Symbol
+	maxBits        uint8  // Maximum output bits after transform.
+
+	// TODO: Technically zstd should be fine with 64 bytes.
+	count [256]uint32
+	norm  [256]int16
+}
+
+// cTable contains tables used for compression.
+type cTable struct {
+	tableSymbol []byte
+	stateTable  []uint16
+	symbolTT    []symbolTransform
+}
+
+// symbolTransform contains the state transform for a symbol.
+type symbolTransform struct {
+	deltaNbBits    uint32
+	deltaFindState int16
+	outBits        uint8
+}
+
+// String prints values as a human readable string.
+func (s symbolTransform) String() string {
+	return fmt.Sprintf("{deltabits: %08x, findstate:%d outbits:%d}", s.deltaNbBits, s.deltaFindState, s.outBits)
+}
+
+// Histogram allows to populate the histogram and skip that step in the compression,
+// It otherwise allows to inspect the histogram when compression is done.
+// To indicate that you have populated the histogram call HistogramFinished
+// with the value of the highest populated symbol, as well as the number of entries
+// in the most populated entry. These are accepted at face value.
+func (s *fseEncoder) Histogram() *[256]uint32 {
+	return &s.count
+}
+
+// HistogramFinished can be called to indicate that the histogram has been populated.
+// maxSymbol is the index of the highest set symbol of the next data segment.
+// maxCount is the number of entries in the most populated entry.
+// These are accepted at face value.
+func (s *fseEncoder) HistogramFinished(maxSymbol uint8, maxCount int) {
+	s.maxCount = maxCount
+	s.symbolLen = uint16(maxSymbol) + 1
+	s.clearCount = maxCount != 0
+}
+
+// allocCtable will allocate tables needed for compression.
+// If existing tables a re big enough, they are simply re-used.
+func (s *fseEncoder) allocCtable() {
+	tableSize := 1 << s.actualTableLog
+	// get tableSymbol that is big enough.
+	if cap(s.ct.tableSymbol) < tableSize {
+		s.ct.tableSymbol = make([]byte, tableSize)
+	}
+	s.ct.tableSymbol = s.ct.tableSymbol[:tableSize]
+
+	ctSize := tableSize
+	if cap(s.ct.stateTable) < ctSize {
+		s.ct.stateTable = make([]uint16, ctSize)
+	}
+	s.ct.stateTable = s.ct.stateTable[:ctSize]
+
+	if cap(s.ct.symbolTT) < 256 {
+		s.ct.symbolTT = make([]symbolTransform, 256)
+	}
+	s.ct.symbolTT = s.ct.symbolTT[:256]
+}
+
+// buildCTable will populate the compression table so it is ready to be used.
+func (s *fseEncoder) buildCTable() error {
+	tableSize := uint32(1 << s.actualTableLog)
+	highThreshold := tableSize - 1
+	var cumul [256]int16
+
+	s.allocCtable()
+	tableSymbol := s.ct.tableSymbol[:tableSize]
+	// symbol start positions
+	{
+		cumul[0] = 0
+		for ui, v := range s.norm[:s.symbolLen-1] {
+			u := byte(ui) // one less than reference
+			if v == -1 {
+				// Low proba symbol
+				cumul[u+1] = cumul[u] + 1
+				tableSymbol[highThreshold] = u
+				highThreshold--
+			} else {
+				cumul[u+1] = cumul[u] + v
+			}
+		}
+		// Encode last symbol separately to avoid overflowing u
+		u := int(s.symbolLen - 1)
+		v := s.norm[s.symbolLen-1]
+		if v == -1 {
+			// Low proba symbol
+			cumul[u+1] = cumul[u] + 1
+			tableSymbol[highThreshold] = byte(u)
+			highThreshold--
+		} else {
+			cumul[u+1] = cumul[u] + v
+		}
+		if uint32(cumul[s.symbolLen]) != tableSize {
+			return fmt.Errorf("internal error: expected cumul[s.symbolLen] (%d) == tableSize (%d)", cumul[s.symbolLen], tableSize)
+		}
+		cumul[s.symbolLen] = int16(tableSize) + 1
+	}
+	// Spread symbols
+	s.zeroBits = false
+	{
+		step := tableStep(tableSize)
+		tableMask := tableSize - 1
+		var position uint32
+		// if any symbol > largeLimit, we may have 0 bits output.
+		largeLimit := int16(1 << (s.actualTableLog - 1))
+		for ui, v := range s.norm[:s.symbolLen] {
+			symbol := byte(ui)
+			if v > largeLimit {
+				s.zeroBits = true
+			}
+			for nbOccurrences := int16(0); nbOccurrences < v; nbOccurrences++ {
+				tableSymbol[position] = symbol
+				position = (position + step) & tableMask
+				for position > highThreshold {
+					position = (position + step) & tableMask
+				} /* Low proba area */
+			}
+		}
+
+		// Check if we have gone through all positions
+		if position != 0 {
+			return errors.New("position!=0")
+		}
+	}
+
+	// Build table
+	table := s.ct.stateTable
+	{
+		tsi := int(tableSize)
+		for u, v := range tableSymbol {
+			// TableU16 : sorted by symbol order; gives next state value
+			table[cumul[v]] = uint16(tsi + u)
+			cumul[v]++
+		}
+	}
+
+	// Build Symbol Transformation Table
+	{
+		total := int16(0)
+		symbolTT := s.ct.symbolTT[:s.symbolLen]
+		tableLog := s.actualTableLog
+		tl := (uint32(tableLog) << 16) - (1 << tableLog)
+		for i, v := range s.norm[:s.symbolLen] {
+			switch v {
+			case 0:
+			case -1, 1:
+				symbolTT[i].deltaNbBits = tl
+				symbolTT[i].deltaFindState = total - 1
+				total++
+			default:
+				maxBitsOut := uint32(tableLog) - highBit(uint32(v-1))
+				minStatePlus := uint32(v) << maxBitsOut
+				symbolTT[i].deltaNbBits = (maxBitsOut << 16) - minStatePlus
+				symbolTT[i].deltaFindState = total - v
+				total += v
+			}
+		}
+		if total != int16(tableSize) {
+			return fmt.Errorf("total mismatch %d (got) != %d (want)", total, tableSize)
+		}
+	}
+	return nil
+}
+
+var rtbTable = [...]uint32{0, 473195, 504333, 520860, 550000, 700000, 750000, 830000}
+
+func (s *fseEncoder) setRLE(val byte) {
+	s.allocCtable()
+	s.actualTableLog = 0
+	s.ct.stateTable = s.ct.stateTable[:1]
+	s.ct.symbolTT[val] = symbolTransform{
+		deltaFindState: 0,
+		deltaNbBits:    0,
+	}
+	if debugEncoder {
+		println("setRLE: val", val, "symbolTT", s.ct.symbolTT[val])
+	}
+	s.rleVal = val
+	s.useRLE = true
+}
+
+// setBits will set output bits for the transform.
+// if nil is provided, the number of bits is equal to the index.
+func (s *fseEncoder) setBits(transform []byte) {
+	if s.reUsed || s.preDefined {
+		return
+	}
+	if s.useRLE {
+		if transform == nil {
+			s.ct.symbolTT[s.rleVal].outBits = s.rleVal
+			s.maxBits = s.rleVal
+			return
+		}
+		s.maxBits = transform[s.rleVal]
+		s.ct.symbolTT[s.rleVal].outBits = s.maxBits
+		return
+	}
+	if transform == nil {
+		for i := range s.ct.symbolTT[:s.symbolLen] {
+			s.ct.symbolTT[i].outBits = uint8(i)
+		}
+		s.maxBits = uint8(s.symbolLen - 1)
+		return
+	}
+	s.maxBits = 0
+	for i, v := range transform[:s.symbolLen] {
+		s.ct.symbolTT[i].outBits = v
+		if v > s.maxBits {
+			// We could assume bits always going up, but we play safe.
+			s.maxBits = v
+		}
+	}
+}
+
+// normalizeCount will normalize the count of the symbols so
+// the total is equal to the table size.
+// If successful, compression tables will also be made ready.
+func (s *fseEncoder) normalizeCount(length int) error {
+	if s.reUsed {
+		return nil
+	}
+	s.optimalTableLog(length)
+	var (
+		tableLog          = s.actualTableLog
+		scale             = 62 - uint64(tableLog)
+		step              = (1 << 62) / uint64(length)
+		vStep             = uint64(1) << (scale - 20)
+		stillToDistribute = int16(1 << tableLog)
+		largest           int
+		largestP          int16
+		lowThreshold      = (uint32)(length >> tableLog)
+	)
+	if s.maxCount == length {
+		s.useRLE = true
+		return nil
+	}
+	s.useRLE = false
+	for i, cnt := range s.count[:s.symbolLen] {
+		// already handled
+		// if (count[s] == s.length) return 0;   /* rle special case */
+
+		if cnt == 0 {
+			s.norm[i] = 0
+			continue
+		}
+		if cnt <= lowThreshold {
+			s.norm[i] = -1
+			stillToDistribute--
+		} else {
+			proba := (int16)((uint64(cnt) * step) >> scale)
+			if proba < 8 {
+				restToBeat := vStep * uint64(rtbTable[proba])
+				v := uint64(cnt)*step - (uint64(proba) << scale)
+				if v > restToBeat {
+					proba++
+				}
+			}
+			if proba > largestP {
+				largestP = proba
+				largest = i
+			}
+			s.norm[i] = proba
+			stillToDistribute -= proba
+		}
+	}
+
+	if -stillToDistribute >= (s.norm[largest] >> 1) {
+		// corner case, need another normalization method
+		err := s.normalizeCount2(length)
+		if err != nil {
+			return err
+		}
+		if debugAsserts {
+			err = s.validateNorm()
+			if err != nil {
+				return err
+			}
+		}
+		return s.buildCTable()
+	}
+	s.norm[largest] += stillToDistribute
+	if debugAsserts {
+		err := s.validateNorm()
+		if err != nil {
+			return err
+		}
+	}
+	return s.buildCTable()
+}
+
+// Secondary normalization method.
+// To be used when primary method fails.
+func (s *fseEncoder) normalizeCount2(length int) error {
+	const notYetAssigned = -2
+	var (
+		distributed  uint32
+		total        = uint32(length)
+		tableLog     = s.actualTableLog
+		lowThreshold = total >> tableLog
+		lowOne       = (total * 3) >> (tableLog + 1)
+	)
+	for i, cnt := range s.count[:s.symbolLen] {
+		if cnt == 0 {
+			s.norm[i] = 0
+			continue
+		}
+		if cnt <= lowThreshold {
+			s.norm[i] = -1
+			distributed++
+			total -= cnt
+			continue
+		}
+		if cnt <= lowOne {
+			s.norm[i] = 1
+			distributed++
+			total -= cnt
+			continue
+		}
+		s.norm[i] = notYetAssigned
+	}
+	toDistribute := (1 << tableLog) - distributed
+
+	if (total / toDistribute) > lowOne {
+		// risk of rounding to zero
+		lowOne = (total * 3) / (toDistribute * 2)
+		for i, cnt := range s.count[:s.symbolLen] {
+			if (s.norm[i] == notYetAssigned) && (cnt <= lowOne) {
+				s.norm[i] = 1
+				distributed++
+				total -= cnt
+				continue
+			}
+		}
+		toDistribute = (1 << tableLog) - distributed
+	}
+	if distributed == uint32(s.symbolLen)+1 {
+		// all values are pretty poor;
+		//   probably incompressible data (should have already been detected);
+		//   find max, then give all remaining points to max
+		var maxV int
+		var maxC uint32
+		for i, cnt := range s.count[:s.symbolLen] {
+			if cnt > maxC {
+				maxV = i
+				maxC = cnt
+			}
+		}
+		s.norm[maxV] += int16(toDistribute)
+		return nil
+	}
+
+	if total == 0 {
+		// all of the symbols were low enough for the lowOne or lowThreshold
+		for i := uint32(0); toDistribute > 0; i = (i + 1) % (uint32(s.symbolLen)) {
+			if s.norm[i] > 0 {
+				toDistribute--
+				s.norm[i]++
+			}
+		}
+		return nil
+	}
+
+	var (
+		vStepLog = 62 - uint64(tableLog)
+		mid      = uint64((1 << (vStepLog - 1)) - 1)
+		rStep    = (((1 << vStepLog) * uint64(toDistribute)) + mid) / uint64(total) // scale on remaining
+		tmpTotal = mid
+	)
+	for i, cnt := range s.count[:s.symbolLen] {
+		if s.norm[i] == notYetAssigned {
+			var (
+				end    = tmpTotal + uint64(cnt)*rStep
+				sStart = uint32(tmpTotal >> vStepLog)
+				sEnd   = uint32(end >> vStepLog)
+				weight = sEnd - sStart
+			)
+			if weight < 1 {
+				return errors.New("weight < 1")
+			}
+			s.norm[i] = int16(weight)
+			tmpTotal = end
+		}
+	}
+	return nil
+}
+
+// optimalTableLog calculates and sets the optimal tableLog in s.actualTableLog
+func (s *fseEncoder) optimalTableLog(length int) {
+	tableLog := uint8(maxEncTableLog)
+	minBitsSrc := highBit(uint32(length)) + 1
+	minBitsSymbols := highBit(uint32(s.symbolLen-1)) + 2
+	minBits := uint8(minBitsSymbols)
+	if minBitsSrc < minBitsSymbols {
+		minBits = uint8(minBitsSrc)
+	}
+
+	maxBitsSrc := uint8(highBit(uint32(length-1))) - 2
+	if maxBitsSrc < tableLog {
+		// Accuracy can be reduced
+		tableLog = maxBitsSrc
+	}
+	if minBits > tableLog {
+		tableLog = minBits
+	}
+	// Need a minimum to safely represent all symbol values
+	if tableLog < minEncTablelog {
+		tableLog = minEncTablelog
+	}
+	if tableLog > maxEncTableLog {
+		tableLog = maxEncTableLog
+	}
+	s.actualTableLog = tableLog
+}
+
+// validateNorm validates the normalized histogram table.
+func (s *fseEncoder) validateNorm() (err error) {
+	var total int
+	for _, v := range s.norm[:s.symbolLen] {
+		if v >= 0 {
+			total += int(v)
+		} else {
+			total -= int(v)
+		}
+	}
+	defer func() {
+		if err == nil {
+			return
+		}
+		fmt.Printf("selected TableLog: %d, Symbol length: %d\n", s.actualTableLog, s.symbolLen)
+		for i, v := range s.norm[:s.symbolLen] {
+			fmt.Printf("%3d: %5d -> %4d \n", i, s.count[i], v)
+		}
+	}()
+	if total != (1 << s.actualTableLog) {
+		return fmt.Errorf("warning: Total == %d != %d", total, 1<<s.actualTableLog)
+	}
+	for i, v := range s.count[s.symbolLen:] {
+		if v != 0 {
+			return fmt.Errorf("warning: Found symbol out of range, %d after cut", i)
+		}
+	}
+	return nil
+}
+
+// writeCount will write the normalized histogram count to header.
+// This is read back by readNCount.
+func (s *fseEncoder) writeCount(out []byte) ([]byte, error) {
+	if s.useRLE {
+		return append(out, s.rleVal), nil
+	}
+	if s.preDefined || s.reUsed {
+		// Never write predefined.
+		return out, nil
+	}
+
+	var (
+		tableLog  = s.actualTableLog
+		tableSize = 1 << tableLog
+		previous0 bool
+		charnum   uint16
+
+		// maximum header size plus 2 extra bytes for final output if bitCount == 0.
+		maxHeaderSize = ((int(s.symbolLen) * int(tableLog)) >> 3) + 3 + 2
+
+		// Write Table Size
+		bitStream = uint32(tableLog - minEncTablelog)
+		bitCount  = uint(4)
+		remaining = int16(tableSize + 1) /* +1 for extra accuracy */
+		threshold = int16(tableSize)
+		nbBits    = uint(tableLog + 1)
+		outP      = len(out)
+	)
+	if cap(out) < outP+maxHeaderSize {
+		out = append(out, make([]byte, maxHeaderSize*3)...)
+		out = out[:len(out)-maxHeaderSize*3]
+	}
+	out = out[:outP+maxHeaderSize]
+
+	// stops at 1
+	for remaining > 1 {
+		if previous0 {
+			start := charnum
+			for s.norm[charnum] == 0 {
+				charnum++
+			}
+			for charnum >= start+24 {
+				start += 24
+				bitStream += uint32(0xFFFF) << bitCount
+				out[outP] = byte(bitStream)
+				out[outP+1] = byte(bitStream >> 8)
+				outP += 2
+				bitStream >>= 16
+			}
+			for charnum >= start+3 {
+				start += 3
+				bitStream += 3 << bitCount
+				bitCount += 2
+			}
+			bitStream += uint32(charnum-start) << bitCount
+			bitCount += 2
+			if bitCount > 16 {
+				out[outP] = byte(bitStream)
+				out[outP+1] = byte(bitStream >> 8)
+				outP += 2
+				bitStream >>= 16
+				bitCount -= 16
+			}
+		}
+
+		count := s.norm[charnum]
+		charnum++
+		max := (2*threshold - 1) - remaining
+		if count < 0 {
+			remaining += count
+		} else {
+			remaining -= count
+		}
+		count++ // +1 for extra accuracy
+		if count >= threshold {
+			count += max // [0..max[ [max..threshold[ (...) [threshold+max 2*threshold[
+		}
+		bitStream += uint32(count) << bitCount
+		bitCount += nbBits
+		if count < max {
+			bitCount--
+		}
+
+		previous0 = count == 1
+		if remaining < 1 {
+			return nil, errors.New("internal error: remaining < 1")
+		}
+		for remaining < threshold {
+			nbBits--
+			threshold >>= 1
+		}
+
+		if bitCount > 16 {
+			out[outP] = byte(bitStream)
+			out[outP+1] = byte(bitStream >> 8)
+			outP += 2
+			bitStream >>= 16
+			bitCount -= 16
+		}
+	}
+
+	if outP+2 > len(out) {
+		return nil, fmt.Errorf("internal error: %d > %d, maxheader: %d, sl: %d, tl: %d, normcount: %v", outP+2, len(out), maxHeaderSize, s.symbolLen, int(tableLog), s.norm[:s.symbolLen])
+	}
+	out[outP] = byte(bitStream)
+	out[outP+1] = byte(bitStream >> 8)
+	outP += int((bitCount + 7) / 8)
+
+	if charnum > s.symbolLen {
+		return nil, errors.New("internal error: charnum > s.symbolLen")
+	}
+	return out[:outP], nil
+}
+
+// Approximate symbol cost, as fractional value, using fixed-point format (accuracyLog fractional bits)
+// note 1 : assume symbolValue is valid (<= maxSymbolValue)
+// note 2 : if freq[symbolValue]==0, @return a fake cost of tableLog+1 bits *
+func (s *fseEncoder) bitCost(symbolValue uint8, accuracyLog uint32) uint32 {
+	minNbBits := s.ct.symbolTT[symbolValue].deltaNbBits >> 16
+	threshold := (minNbBits + 1) << 16
+	if debugAsserts {
+		if !(s.actualTableLog < 16) {
+			panic("!s.actualTableLog < 16")
+		}
+		// ensure enough room for renormalization double shift
+		if !(uint8(accuracyLog) < 31-s.actualTableLog) {
+			panic("!uint8(accuracyLog) < 31-s.actualTableLog")
+		}
+	}
+	tableSize := uint32(1) << s.actualTableLog
+	deltaFromThreshold := threshold - (s.ct.symbolTT[symbolValue].deltaNbBits + tableSize)
+	// linear interpolation (very approximate)
+	normalizedDeltaFromThreshold := (deltaFromThreshold << accuracyLog) >> s.actualTableLog
+	bitMultiplier := uint32(1) << accuracyLog
+	if debugAsserts {
+		if s.ct.symbolTT[symbolValue].deltaNbBits+tableSize > threshold {
+			panic("s.ct.symbolTT[symbolValue].deltaNbBits+tableSize > threshold")
+		}
+		if normalizedDeltaFromThreshold > bitMultiplier {
+			panic("normalizedDeltaFromThreshold > bitMultiplier")
+		}
+	}
+	return (minNbBits+1)*bitMultiplier - normalizedDeltaFromThreshold
+}
+
+// Returns the cost in bits of encoding the distribution in count using ctable.
+// Histogram should only be up to the last non-zero symbol.
+// Returns an -1 if ctable cannot represent all the symbols in count.
+func (s *fseEncoder) approxSize(hist []uint32) uint32 {
+	if int(s.symbolLen) < len(hist) {
+		// More symbols than we have.
+		return math.MaxUint32
+	}
+	if s.useRLE {
+		// We will never reuse RLE encoders.
+		return math.MaxUint32
+	}
+	const kAccuracyLog = 8
+	badCost := (uint32(s.actualTableLog) + 1) << kAccuracyLog
+	var cost uint32
+	for i, v := range hist {
+		if v == 0 {
+			continue
+		}
+		if s.norm[i] == 0 {
+			return math.MaxUint32
+		}
+		bitCost := s.bitCost(uint8(i), kAccuracyLog)
+		if bitCost > badCost {
+			return math.MaxUint32
+		}
+		cost += v * bitCost
+	}
+	return cost >> kAccuracyLog
+}
+
+// maxHeaderSize returns the maximum header size in bits.
+// This is not exact size, but we want a penalty for new tables anyway.
+func (s *fseEncoder) maxHeaderSize() uint32 {
+	if s.preDefined {
+		return 0
+	}
+	if s.useRLE {
+		return 8
+	}
+	return (((uint32(s.symbolLen) * uint32(s.actualTableLog)) >> 3) + 3) * 8
+}
+
+// cState contains the compression state of a stream.
+type cState struct {
+	bw         *bitWriter
+	stateTable []uint16
+	state      uint16
+}
+
+// init will initialize the compression state to the first symbol of the stream.
+func (c *cState) init(bw *bitWriter, ct *cTable, first symbolTransform) {
+	c.bw = bw
+	c.stateTable = ct.stateTable
+	if len(c.stateTable) == 1 {
+		// RLE
+		c.stateTable[0] = uint16(0)
+		c.state = 0
+		return
+	}
+	nbBitsOut := (first.deltaNbBits + (1 << 15)) >> 16
+	im := int32((nbBitsOut << 16) - first.deltaNbBits)
+	lu := (im >> nbBitsOut) + int32(first.deltaFindState)
+	c.state = c.stateTable[lu]
+}
+
+// flush will write the tablelog to the output and flush the remaining full bytes.
+func (c *cState) flush(tableLog uint8) {
+	c.bw.flush32()
+	c.bw.addBits16NC(c.state, tableLog)
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/fse_predefined.go b/vendor/github.com/klauspost/compress/zstd/fse_predefined.go
new file mode 100644
index 0000000000..474cb77d2b
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/fse_predefined.go
@@ -0,0 +1,158 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"fmt"
+	"math"
+	"sync"
+)
+
+var (
+	// fsePredef are the predefined fse tables as defined here:
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#default-distributions
+	// These values are already transformed.
+	fsePredef [3]fseDecoder
+
+	// fsePredefEnc are the predefined encoder based on fse tables as defined here:
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#default-distributions
+	// These values are already transformed.
+	fsePredefEnc [3]fseEncoder
+
+	// symbolTableX contain the transformations needed for each type as defined in
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#the-codes-for-literals-lengths-match-lengths-and-offsets
+	symbolTableX [3][]baseOffset
+
+	// maxTableSymbol is the biggest supported symbol for each table type
+	// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#the-codes-for-literals-lengths-match-lengths-and-offsets
+	maxTableSymbol = [3]uint8{tableLiteralLengths: maxLiteralLengthSymbol, tableOffsets: maxOffsetLengthSymbol, tableMatchLengths: maxMatchLengthSymbol}
+
+	// bitTables is the bits table for each table.
+	bitTables = [3][]byte{tableLiteralLengths: llBitsTable[:], tableOffsets: nil, tableMatchLengths: mlBitsTable[:]}
+)
+
+type tableIndex uint8
+
+const (
+	// indexes for fsePredef and symbolTableX
+	tableLiteralLengths tableIndex = 0
+	tableOffsets        tableIndex = 1
+	tableMatchLengths   tableIndex = 2
+
+	maxLiteralLengthSymbol = 35
+	maxOffsetLengthSymbol  = 30
+	maxMatchLengthSymbol   = 52
+)
+
+// baseOffset is used for calculating transformations.
+type baseOffset struct {
+	baseLine uint32
+	addBits  uint8
+}
+
+// fillBase will precalculate base offsets with the given bit distributions.
+func fillBase(dst []baseOffset, base uint32, bits ...uint8) {
+	if len(bits) != len(dst) {
+		panic(fmt.Sprintf("len(dst) (%d) != len(bits) (%d)", len(dst), len(bits)))
+	}
+	for i, bit := range bits {
+		if base > math.MaxInt32 {
+			panic("invalid decoding table, base overflows int32")
+		}
+
+		dst[i] = baseOffset{
+			baseLine: base,
+			addBits:  bit,
+		}
+		base += 1 << bit
+	}
+}
+
+var predef sync.Once
+
+func initPredefined() {
+	predef.Do(func() {
+		// Literals length codes
+		tmp := make([]baseOffset, 36)
+		for i := range tmp[:16] {
+			tmp[i] = baseOffset{
+				baseLine: uint32(i),
+				addBits:  0,
+			}
+		}
+		fillBase(tmp[16:], 16, 1, 1, 1, 1, 2, 2, 3, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
+		symbolTableX[tableLiteralLengths] = tmp
+
+		// Match length codes
+		tmp = make([]baseOffset, 53)
+		for i := range tmp[:32] {
+			tmp[i] = baseOffset{
+				// The transformation adds the 3 length.
+				baseLine: uint32(i) + 3,
+				addBits:  0,
+			}
+		}
+		fillBase(tmp[32:], 35, 1, 1, 1, 1, 2, 2, 3, 3, 4, 4, 5, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
+		symbolTableX[tableMatchLengths] = tmp
+
+		// Offset codes
+		tmp = make([]baseOffset, maxOffsetBits+1)
+		tmp[1] = baseOffset{
+			baseLine: 1,
+			addBits:  1,
+		}
+		fillBase(tmp[2:], 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
+		symbolTableX[tableOffsets] = tmp
+
+		// Fill predefined tables and transform them.
+		// https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#default-distributions
+		for i := range fsePredef[:] {
+			f := &fsePredef[i]
+			switch tableIndex(i) {
+			case tableLiteralLengths:
+				// https://github.com/facebook/zstd/blob/ededcfca57366461021c922720878c81a5854a0a/lib/decompress/zstd_decompress_block.c#L243
+				f.actualTableLog = 6
+				copy(f.norm[:], []int16{4, 3, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1,
+					2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 2, 1, 1, 1, 1, 1,
+					-1, -1, -1, -1})
+				f.symbolLen = 36
+			case tableOffsets:
+				// https://github.com/facebook/zstd/blob/ededcfca57366461021c922720878c81a5854a0a/lib/decompress/zstd_decompress_block.c#L281
+				f.actualTableLog = 5
+				copy(f.norm[:], []int16{
+					1, 1, 1, 1, 1, 1, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1,
+					1, 1, 1, 1, 1, 1, 1, 1, -1, -1, -1, -1, -1})
+				f.symbolLen = 29
+			case tableMatchLengths:
+				//https://github.com/facebook/zstd/blob/ededcfca57366461021c922720878c81a5854a0a/lib/decompress/zstd_decompress_block.c#L304
+				f.actualTableLog = 6
+				copy(f.norm[:], []int16{
+					1, 4, 3, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1,
+					1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+					1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, -1, -1,
+					-1, -1, -1, -1, -1})
+				f.symbolLen = 53
+			}
+			if err := f.buildDtable(); err != nil {
+				panic(fmt.Errorf("building table %v: %v", tableIndex(i), err))
+			}
+			if err := f.transform(symbolTableX[i]); err != nil {
+				panic(fmt.Errorf("building table %v: %v", tableIndex(i), err))
+			}
+			f.preDefined = true
+
+			// Create encoder as well
+			enc := &fsePredefEnc[i]
+			copy(enc.norm[:], f.norm[:])
+			enc.symbolLen = f.symbolLen
+			enc.actualTableLog = f.actualTableLog
+			if err := enc.buildCTable(); err != nil {
+				panic(fmt.Errorf("building encoding table %v: %v", tableIndex(i), err))
+			}
+			enc.setBits(bitTables[i])
+			enc.preDefined = true
+		}
+	})
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/hash.go b/vendor/github.com/klauspost/compress/zstd/hash.go
new file mode 100644
index 0000000000..5d73c21ebd
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/hash.go
@@ -0,0 +1,35 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+const (
+	prime3bytes = 506832829
+	prime4bytes = 2654435761
+	prime5bytes = 889523592379
+	prime6bytes = 227718039650203
+	prime7bytes = 58295818150454627
+	prime8bytes = 0xcf1bbcdcb7a56463
+)
+
+// hashLen returns a hash of the lowest mls bytes of with length output bits.
+// mls must be >=3 and <=8. Any other value will return hash for 4 bytes.
+// length should always be < 32.
+// Preferably length and mls should be a constant for inlining.
+func hashLen(u uint64, length, mls uint8) uint32 {
+	switch mls {
+	case 3:
+		return (uint32(u<<8) * prime3bytes) >> (32 - length)
+	case 5:
+		return uint32(((u << (64 - 40)) * prime5bytes) >> (64 - length))
+	case 6:
+		return uint32(((u << (64 - 48)) * prime6bytes) >> (64 - length))
+	case 7:
+		return uint32(((u << (64 - 56)) * prime7bytes) >> (64 - length))
+	case 8:
+		return uint32((u * prime8bytes) >> (64 - length))
+	default:
+		return (uint32(u) * prime4bytes) >> (32 - length)
+	}
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/history.go b/vendor/github.com/klauspost/compress/zstd/history.go
new file mode 100644
index 0000000000..09164856d2
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/history.go
@@ -0,0 +1,116 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"github.com/klauspost/compress/huff0"
+)
+
+// history contains the information transferred between blocks.
+type history struct {
+	// Literal decompression
+	huffTree *huff0.Scratch
+
+	// Sequence decompression
+	decoders      sequenceDecs
+	recentOffsets [3]int
+
+	// History buffer...
+	b []byte
+
+	// ignoreBuffer is meant to ignore a number of bytes
+	// when checking for matches in history
+	ignoreBuffer int
+
+	windowSize       int
+	allocFrameBuffer int // needed?
+	error            bool
+	dict             *dict
+}
+
+// reset will reset the history to initial state of a frame.
+// The history must already have been initialized to the desired size.
+func (h *history) reset() {
+	h.b = h.b[:0]
+	h.ignoreBuffer = 0
+	h.error = false
+	h.recentOffsets = [3]int{1, 4, 8}
+	h.decoders.freeDecoders()
+	h.decoders = sequenceDecs{br: h.decoders.br}
+	h.freeHuffDecoder()
+	h.huffTree = nil
+	h.dict = nil
+	//printf("history created: %+v (l: %d, c: %d)", *h, len(h.b), cap(h.b))
+}
+
+func (h *history) freeHuffDecoder() {
+	if h.huffTree != nil {
+		if h.dict == nil || h.dict.litEnc != h.huffTree {
+			huffDecoderPool.Put(h.huffTree)
+			h.huffTree = nil
+		}
+	}
+}
+
+func (h *history) setDict(dict *dict) {
+	if dict == nil {
+		return
+	}
+	h.dict = dict
+	h.decoders.litLengths = dict.llDec
+	h.decoders.offsets = dict.ofDec
+	h.decoders.matchLengths = dict.mlDec
+	h.decoders.dict = dict.content
+	h.recentOffsets = dict.offsets
+	h.huffTree = dict.litEnc
+}
+
+// append bytes to history.
+// This function will make sure there is space for it,
+// if the buffer has been allocated with enough extra space.
+func (h *history) append(b []byte) {
+	if len(b) >= h.windowSize {
+		// Discard all history by simply overwriting
+		h.b = h.b[:h.windowSize]
+		copy(h.b, b[len(b)-h.windowSize:])
+		return
+	}
+
+	// If there is space, append it.
+	if len(b) < cap(h.b)-len(h.b) {
+		h.b = append(h.b, b...)
+		return
+	}
+
+	// Move data down so we only have window size left.
+	// We know we have less than window size in b at this point.
+	discard := len(b) + len(h.b) - h.windowSize
+	copy(h.b, h.b[discard:])
+	h.b = h.b[:h.windowSize]
+	copy(h.b[h.windowSize-len(b):], b)
+}
+
+// ensureBlock will ensure there is space for at least one block...
+func (h *history) ensureBlock() {
+	if cap(h.b) < h.allocFrameBuffer {
+		h.b = make([]byte, 0, h.allocFrameBuffer)
+		return
+	}
+
+	avail := cap(h.b) - len(h.b)
+	if avail >= h.windowSize || avail > maxCompressedBlockSize {
+		return
+	}
+	// Move data down so we only have window size left.
+	// We know we have less than window size in b at this point.
+	discard := len(h.b) - h.windowSize
+	copy(h.b, h.b[discard:])
+	h.b = h.b[:h.windowSize]
+}
+
+// append bytes to history without ever discarding anything.
+func (h *history) appendKeep(b []byte) {
+	h.b = append(h.b, b...)
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/LICENSE.txt b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/LICENSE.txt
new file mode 100644
index 0000000000..24b53065f4
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/LICENSE.txt
@@ -0,0 +1,22 @@
+Copyright (c) 2016 Caleb Spare
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/README.md b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/README.md
new file mode 100644
index 0000000000..777290d44c
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/README.md
@@ -0,0 +1,71 @@
+# xxhash
+
+VENDORED: Go to [github.com/cespare/xxhash](https://github.com/cespare/xxhash) for original package.
+
+xxhash is a Go implementation of the 64-bit [xxHash] algorithm, XXH64. This is a
+high-quality hashing algorithm that is much faster than anything in the Go
+standard library.
+
+This package provides a straightforward API:
+
+```
+func Sum64(b []byte) uint64
+func Sum64String(s string) uint64
+type Digest struct{ ... }
+    func New() *Digest
+```
+
+The `Digest` type implements hash.Hash64. Its key methods are:
+
+```
+func (*Digest) Write([]byte) (int, error)
+func (*Digest) WriteString(string) (int, error)
+func (*Digest) Sum64() uint64
+```
+
+The package is written with optimized pure Go and also contains even faster
+assembly implementations for amd64 and arm64. If desired, the `purego` build tag
+opts into using the Go code even on those architectures.
+
+[xxHash]: http://cyan4973.github.io/xxHash/
+
+## Compatibility
+
+This package is in a module and the latest code is in version 2 of the module.
+You need a version of Go with at least "minimal module compatibility" to use
+github.com/cespare/xxhash/v2:
+
+* 1.9.7+ for Go 1.9
+* 1.10.3+ for Go 1.10
+* Go 1.11 or later
+
+I recommend using the latest release of Go.
+
+## Benchmarks
+
+Here are some quick benchmarks comparing the pure-Go and assembly
+implementations of Sum64.
+
+| input size | purego    | asm       |
+| ---------- | --------- | --------- |
+| 4 B        |  1.3 GB/s |  1.2 GB/s |
+| 16 B       |  2.9 GB/s |  3.5 GB/s |
+| 100 B      |  6.9 GB/s |  8.1 GB/s |
+| 4 KB       | 11.7 GB/s | 16.7 GB/s |
+| 10 MB      | 12.0 GB/s | 17.3 GB/s |
+
+These numbers were generated on Ubuntu 20.04 with an Intel Xeon Platinum 8252C
+CPU using the following commands under Go 1.19.2:
+
+```
+benchstat <(go test -tags purego -benchtime 500ms -count 15 -bench 'Sum64$')
+benchstat <(go test -benchtime 500ms -count 15 -bench 'Sum64$')
+```
+
+## Projects using this package
+
+- [InfluxDB](https://github.com/influxdata/influxdb)
+- [Prometheus](https://github.com/prometheus/prometheus)
+- [VictoriaMetrics](https://github.com/VictoriaMetrics/VictoriaMetrics)
+- [FreeCache](https://github.com/coocood/freecache)
+- [FastCache](https://github.com/VictoriaMetrics/fastcache)
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash.go
new file mode 100644
index 0000000000..fc40c82001
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash.go
@@ -0,0 +1,230 @@
+// Package xxhash implements the 64-bit variant of xxHash (XXH64) as described
+// at http://cyan4973.github.io/xxHash/.
+// THIS IS VENDORED: Go to github.com/cespare/xxhash for original package.
+
+package xxhash
+
+import (
+	"encoding/binary"
+	"errors"
+	"math/bits"
+)
+
+const (
+	prime1 uint64 = 11400714785074694791
+	prime2 uint64 = 14029467366897019727
+	prime3 uint64 = 1609587929392839161
+	prime4 uint64 = 9650029242287828579
+	prime5 uint64 = 2870177450012600261
+)
+
+// Store the primes in an array as well.
+//
+// The consts are used when possible in Go code to avoid MOVs but we need a
+// contiguous array of the assembly code.
+var primes = [...]uint64{prime1, prime2, prime3, prime4, prime5}
+
+// Digest implements hash.Hash64.
+type Digest struct {
+	v1    uint64
+	v2    uint64
+	v3    uint64
+	v4    uint64
+	total uint64
+	mem   [32]byte
+	n     int // how much of mem is used
+}
+
+// New creates a new Digest that computes the 64-bit xxHash algorithm.
+func New() *Digest {
+	var d Digest
+	d.Reset()
+	return &d
+}
+
+// Reset clears the Digest's state so that it can be reused.
+func (d *Digest) Reset() {
+	d.v1 = primes[0] + prime2
+	d.v2 = prime2
+	d.v3 = 0
+	d.v4 = -primes[0]
+	d.total = 0
+	d.n = 0
+}
+
+// Size always returns 8 bytes.
+func (d *Digest) Size() int { return 8 }
+
+// BlockSize always returns 32 bytes.
+func (d *Digest) BlockSize() int { return 32 }
+
+// Write adds more data to d. It always returns len(b), nil.
+func (d *Digest) Write(b []byte) (n int, err error) {
+	n = len(b)
+	d.total += uint64(n)
+
+	memleft := d.mem[d.n&(len(d.mem)-1):]
+
+	if d.n+n < 32 {
+		// This new data doesn't even fill the current block.
+		copy(memleft, b)
+		d.n += n
+		return
+	}
+
+	if d.n > 0 {
+		// Finish off the partial block.
+		c := copy(memleft, b)
+		d.v1 = round(d.v1, u64(d.mem[0:8]))
+		d.v2 = round(d.v2, u64(d.mem[8:16]))
+		d.v3 = round(d.v3, u64(d.mem[16:24]))
+		d.v4 = round(d.v4, u64(d.mem[24:32]))
+		b = b[c:]
+		d.n = 0
+	}
+
+	if len(b) >= 32 {
+		// One or more full blocks left.
+		nw := writeBlocks(d, b)
+		b = b[nw:]
+	}
+
+	// Store any remaining partial block.
+	copy(d.mem[:], b)
+	d.n = len(b)
+
+	return
+}
+
+// Sum appends the current hash to b and returns the resulting slice.
+func (d *Digest) Sum(b []byte) []byte {
+	s := d.Sum64()
+	return append(
+		b,
+		byte(s>>56),
+		byte(s>>48),
+		byte(s>>40),
+		byte(s>>32),
+		byte(s>>24),
+		byte(s>>16),
+		byte(s>>8),
+		byte(s),
+	)
+}
+
+// Sum64 returns the current hash.
+func (d *Digest) Sum64() uint64 {
+	var h uint64
+
+	if d.total >= 32 {
+		v1, v2, v3, v4 := d.v1, d.v2, d.v3, d.v4
+		h = rol1(v1) + rol7(v2) + rol12(v3) + rol18(v4)
+		h = mergeRound(h, v1)
+		h = mergeRound(h, v2)
+		h = mergeRound(h, v3)
+		h = mergeRound(h, v4)
+	} else {
+		h = d.v3 + prime5
+	}
+
+	h += d.total
+
+	b := d.mem[:d.n&(len(d.mem)-1)]
+	for ; len(b) >= 8; b = b[8:] {
+		k1 := round(0, u64(b[:8]))
+		h ^= k1
+		h = rol27(h)*prime1 + prime4
+	}
+	if len(b) >= 4 {
+		h ^= uint64(u32(b[:4])) * prime1
+		h = rol23(h)*prime2 + prime3
+		b = b[4:]
+	}
+	for ; len(b) > 0; b = b[1:] {
+		h ^= uint64(b[0]) * prime5
+		h = rol11(h) * prime1
+	}
+
+	h ^= h >> 33
+	h *= prime2
+	h ^= h >> 29
+	h *= prime3
+	h ^= h >> 32
+
+	return h
+}
+
+const (
+	magic         = "xxh\x06"
+	marshaledSize = len(magic) + 8*5 + 32
+)
+
+// MarshalBinary implements the encoding.BinaryMarshaler interface.
+func (d *Digest) MarshalBinary() ([]byte, error) {
+	b := make([]byte, 0, marshaledSize)
+	b = append(b, magic...)
+	b = appendUint64(b, d.v1)
+	b = appendUint64(b, d.v2)
+	b = appendUint64(b, d.v3)
+	b = appendUint64(b, d.v4)
+	b = appendUint64(b, d.total)
+	b = append(b, d.mem[:d.n]...)
+	b = b[:len(b)+len(d.mem)-d.n]
+	return b, nil
+}
+
+// UnmarshalBinary implements the encoding.BinaryUnmarshaler interface.
+func (d *Digest) UnmarshalBinary(b []byte) error {
+	if len(b) < len(magic) || string(b[:len(magic)]) != magic {
+		return errors.New("xxhash: invalid hash state identifier")
+	}
+	if len(b) != marshaledSize {
+		return errors.New("xxhash: invalid hash state size")
+	}
+	b = b[len(magic):]
+	b, d.v1 = consumeUint64(b)
+	b, d.v2 = consumeUint64(b)
+	b, d.v3 = consumeUint64(b)
+	b, d.v4 = consumeUint64(b)
+	b, d.total = consumeUint64(b)
+	copy(d.mem[:], b)
+	d.n = int(d.total % uint64(len(d.mem)))
+	return nil
+}
+
+func appendUint64(b []byte, x uint64) []byte {
+	var a [8]byte
+	binary.LittleEndian.PutUint64(a[:], x)
+	return append(b, a[:]...)
+}
+
+func consumeUint64(b []byte) ([]byte, uint64) {
+	x := u64(b)
+	return b[8:], x
+}
+
+func u64(b []byte) uint64 { return binary.LittleEndian.Uint64(b) }
+func u32(b []byte) uint32 { return binary.LittleEndian.Uint32(b) }
+
+func round(acc, input uint64) uint64 {
+	acc += input * prime2
+	acc = rol31(acc)
+	acc *= prime1
+	return acc
+}
+
+func mergeRound(acc, val uint64) uint64 {
+	val = round(0, val)
+	acc ^= val
+	acc = acc*prime1 + prime4
+	return acc
+}
+
+func rol1(x uint64) uint64  { return bits.RotateLeft64(x, 1) }
+func rol7(x uint64) uint64  { return bits.RotateLeft64(x, 7) }
+func rol11(x uint64) uint64 { return bits.RotateLeft64(x, 11) }
+func rol12(x uint64) uint64 { return bits.RotateLeft64(x, 12) }
+func rol18(x uint64) uint64 { return bits.RotateLeft64(x, 18) }
+func rol23(x uint64) uint64 { return bits.RotateLeft64(x, 23) }
+func rol27(x uint64) uint64 { return bits.RotateLeft64(x, 27) }
+func rol31(x uint64) uint64 { return bits.RotateLeft64(x, 31) }
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_amd64.s b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_amd64.s
new file mode 100644
index 0000000000..ddb63aa91b
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_amd64.s
@@ -0,0 +1,210 @@
+//go:build !appengine && gc && !purego && !noasm
+// +build !appengine
+// +build gc
+// +build !purego
+// +build !noasm
+
+#include "textflag.h"
+
+// Registers:
+#define h      AX
+#define d      AX
+#define p      SI // pointer to advance through b
+#define n      DX
+#define end    BX // loop end
+#define v1     R8
+#define v2     R9
+#define v3     R10
+#define v4     R11
+#define x      R12
+#define prime1 R13
+#define prime2 R14
+#define prime4 DI
+
+#define round(acc, x) \
+	IMULQ prime2, x   \
+	ADDQ  x, acc      \
+	ROLQ  $31, acc    \
+	IMULQ prime1, acc
+
+// round0 performs the operation x = round(0, x).
+#define round0(x) \
+	IMULQ prime2, x \
+	ROLQ  $31, x    \
+	IMULQ prime1, x
+
+// mergeRound applies a merge round on the two registers acc and x.
+// It assumes that prime1, prime2, and prime4 have been loaded.
+#define mergeRound(acc, x) \
+	round0(x)         \
+	XORQ  x, acc      \
+	IMULQ prime1, acc \
+	ADDQ  prime4, acc
+
+// blockLoop processes as many 32-byte blocks as possible,
+// updating v1, v2, v3, and v4. It assumes that there is at least one block
+// to process.
+#define blockLoop() \
+loop:  \
+	MOVQ +0(p), x  \
+	round(v1, x)   \
+	MOVQ +8(p), x  \
+	round(v2, x)   \
+	MOVQ +16(p), x \
+	round(v3, x)   \
+	MOVQ +24(p), x \
+	round(v4, x)   \
+	ADDQ $32, p    \
+	CMPQ p, end    \
+	JLE  loop
+
+// func Sum64(b []byte) uint64
+TEXT ·Sum64(SB), NOSPLIT|NOFRAME, $0-32
+	// Load fixed primes.
+	MOVQ ·primes+0(SB), prime1
+	MOVQ ·primes+8(SB), prime2
+	MOVQ ·primes+24(SB), prime4
+
+	// Load slice.
+	MOVQ b_base+0(FP), p
+	MOVQ b_len+8(FP), n
+	LEAQ (p)(n*1), end
+
+	// The first loop limit will be len(b)-32.
+	SUBQ $32, end
+
+	// Check whether we have at least one block.
+	CMPQ n, $32
+	JLT  noBlocks
+
+	// Set up initial state (v1, v2, v3, v4).
+	MOVQ prime1, v1
+	ADDQ prime2, v1
+	MOVQ prime2, v2
+	XORQ v3, v3
+	XORQ v4, v4
+	SUBQ prime1, v4
+
+	blockLoop()
+
+	MOVQ v1, h
+	ROLQ $1, h
+	MOVQ v2, x
+	ROLQ $7, x
+	ADDQ x, h
+	MOVQ v3, x
+	ROLQ $12, x
+	ADDQ x, h
+	MOVQ v4, x
+	ROLQ $18, x
+	ADDQ x, h
+
+	mergeRound(h, v1)
+	mergeRound(h, v2)
+	mergeRound(h, v3)
+	mergeRound(h, v4)
+
+	JMP afterBlocks
+
+noBlocks:
+	MOVQ ·primes+32(SB), h
+
+afterBlocks:
+	ADDQ n, h
+
+	ADDQ $24, end
+	CMPQ p, end
+	JG   try4
+
+loop8:
+	MOVQ  (p), x
+	ADDQ  $8, p
+	round0(x)
+	XORQ  x, h
+	ROLQ  $27, h
+	IMULQ prime1, h
+	ADDQ  prime4, h
+
+	CMPQ p, end
+	JLE  loop8
+
+try4:
+	ADDQ $4, end
+	CMPQ p, end
+	JG   try1
+
+	MOVL  (p), x
+	ADDQ  $4, p
+	IMULQ prime1, x
+	XORQ  x, h
+
+	ROLQ  $23, h
+	IMULQ prime2, h
+	ADDQ  ·primes+16(SB), h
+
+try1:
+	ADDQ $4, end
+	CMPQ p, end
+	JGE  finalize
+
+loop1:
+	MOVBQZX (p), x
+	ADDQ    $1, p
+	IMULQ   ·primes+32(SB), x
+	XORQ    x, h
+	ROLQ    $11, h
+	IMULQ   prime1, h
+
+	CMPQ p, end
+	JL   loop1
+
+finalize:
+	MOVQ  h, x
+	SHRQ  $33, x
+	XORQ  x, h
+	IMULQ prime2, h
+	MOVQ  h, x
+	SHRQ  $29, x
+	XORQ  x, h
+	IMULQ ·primes+16(SB), h
+	MOVQ  h, x
+	SHRQ  $32, x
+	XORQ  x, h
+
+	MOVQ h, ret+24(FP)
+	RET
+
+// func writeBlocks(d *Digest, b []byte) int
+TEXT ·writeBlocks(SB), NOSPLIT|NOFRAME, $0-40
+	// Load fixed primes needed for round.
+	MOVQ ·primes+0(SB), prime1
+	MOVQ ·primes+8(SB), prime2
+
+	// Load slice.
+	MOVQ b_base+8(FP), p
+	MOVQ b_len+16(FP), n
+	LEAQ (p)(n*1), end
+	SUBQ $32, end
+
+	// Load vN from d.
+	MOVQ s+0(FP), d
+	MOVQ 0(d), v1
+	MOVQ 8(d), v2
+	MOVQ 16(d), v3
+	MOVQ 24(d), v4
+
+	// We don't need to check the loop condition here; this function is
+	// always called with at least one block of data to process.
+	blockLoop()
+
+	// Copy vN back to d.
+	MOVQ v1, 0(d)
+	MOVQ v2, 8(d)
+	MOVQ v3, 16(d)
+	MOVQ v4, 24(d)
+
+	// The number of bytes written is p minus the old base pointer.
+	SUBQ b_base+8(FP), p
+	MOVQ p, ret+32(FP)
+
+	RET
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_arm64.s b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_arm64.s
new file mode 100644
index 0000000000..ae7d4d3295
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_arm64.s
@@ -0,0 +1,184 @@
+//go:build !appengine && gc && !purego && !noasm
+// +build !appengine
+// +build gc
+// +build !purego
+// +build !noasm
+
+#include "textflag.h"
+
+// Registers:
+#define digest	R1
+#define h	R2 // return value
+#define p	R3 // input pointer
+#define n	R4 // input length
+#define nblocks	R5 // n / 32
+#define prime1	R7
+#define prime2	R8
+#define prime3	R9
+#define prime4	R10
+#define prime5	R11
+#define v1	R12
+#define v2	R13
+#define v3	R14
+#define v4	R15
+#define x1	R20
+#define x2	R21
+#define x3	R22
+#define x4	R23
+
+#define round(acc, x) \
+	MADD prime2, acc, x, acc \
+	ROR  $64-31, acc         \
+	MUL  prime1, acc
+
+// round0 performs the operation x = round(0, x).
+#define round0(x) \
+	MUL prime2, x \
+	ROR $64-31, x \
+	MUL prime1, x
+
+#define mergeRound(acc, x) \
+	round0(x)                     \
+	EOR  x, acc                   \
+	MADD acc, prime4, prime1, acc
+
+// blockLoop processes as many 32-byte blocks as possible,
+// updating v1, v2, v3, and v4. It assumes that n >= 32.
+#define blockLoop() \
+	LSR     $5, n, nblocks  \
+	PCALIGN $16             \
+	loop:                   \
+	LDP.P   16(p), (x1, x2) \
+	LDP.P   16(p), (x3, x4) \
+	round(v1, x1)           \
+	round(v2, x2)           \
+	round(v3, x3)           \
+	round(v4, x4)           \
+	SUB     $1, nblocks     \
+	CBNZ    nblocks, loop
+
+// func Sum64(b []byte) uint64
+TEXT ·Sum64(SB), NOSPLIT|NOFRAME, $0-32
+	LDP b_base+0(FP), (p, n)
+
+	LDP  ·primes+0(SB), (prime1, prime2)
+	LDP  ·primes+16(SB), (prime3, prime4)
+	MOVD ·primes+32(SB), prime5
+
+	CMP  $32, n
+	CSEL LT, prime5, ZR, h // if n < 32 { h = prime5 } else { h = 0 }
+	BLT  afterLoop
+
+	ADD  prime1, prime2, v1
+	MOVD prime2, v2
+	MOVD $0, v3
+	NEG  prime1, v4
+
+	blockLoop()
+
+	ROR $64-1, v1, x1
+	ROR $64-7, v2, x2
+	ADD x1, x2
+	ROR $64-12, v3, x3
+	ROR $64-18, v4, x4
+	ADD x3, x4
+	ADD x2, x4, h
+
+	mergeRound(h, v1)
+	mergeRound(h, v2)
+	mergeRound(h, v3)
+	mergeRound(h, v4)
+
+afterLoop:
+	ADD n, h
+
+	TBZ   $4, n, try8
+	LDP.P 16(p), (x1, x2)
+
+	round0(x1)
+
+	// NOTE: here and below, sequencing the EOR after the ROR (using a
+	// rotated register) is worth a small but measurable speedup for small
+	// inputs.
+	ROR  $64-27, h
+	EOR  x1 @> 64-27, h, h
+	MADD h, prime4, prime1, h
+
+	round0(x2)
+	ROR  $64-27, h
+	EOR  x2 @> 64-27, h, h
+	MADD h, prime4, prime1, h
+
+try8:
+	TBZ    $3, n, try4
+	MOVD.P 8(p), x1
+
+	round0(x1)
+	ROR  $64-27, h
+	EOR  x1 @> 64-27, h, h
+	MADD h, prime4, prime1, h
+
+try4:
+	TBZ     $2, n, try2
+	MOVWU.P 4(p), x2
+
+	MUL  prime1, x2
+	ROR  $64-23, h
+	EOR  x2 @> 64-23, h, h
+	MADD h, prime3, prime2, h
+
+try2:
+	TBZ     $1, n, try1
+	MOVHU.P 2(p), x3
+	AND     $255, x3, x1
+	LSR     $8, x3, x2
+
+	MUL prime5, x1
+	ROR $64-11, h
+	EOR x1 @> 64-11, h, h
+	MUL prime1, h
+
+	MUL prime5, x2
+	ROR $64-11, h
+	EOR x2 @> 64-11, h, h
+	MUL prime1, h
+
+try1:
+	TBZ   $0, n, finalize
+	MOVBU (p), x4
+
+	MUL prime5, x4
+	ROR $64-11, h
+	EOR x4 @> 64-11, h, h
+	MUL prime1, h
+
+finalize:
+	EOR h >> 33, h
+	MUL prime2, h
+	EOR h >> 29, h
+	MUL prime3, h
+	EOR h >> 32, h
+
+	MOVD h, ret+24(FP)
+	RET
+
+// func writeBlocks(s *Digest, b []byte) int
+TEXT ·writeBlocks(SB), NOSPLIT|NOFRAME, $0-40
+	LDP ·primes+0(SB), (prime1, prime2)
+
+	// Load state. Assume v[1-4] are stored contiguously.
+	MOVD s+0(FP), digest
+	LDP  0(digest), (v1, v2)
+	LDP  16(digest), (v3, v4)
+
+	LDP b_base+8(FP), (p, n)
+
+	blockLoop()
+
+	// Store updated state.
+	STP (v1, v2), 0(digest)
+	STP (v3, v4), 16(digest)
+
+	BIC  $31, n
+	MOVD n, ret+32(FP)
+	RET
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_asm.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_asm.go
new file mode 100644
index 0000000000..d4221edf4f
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_asm.go
@@ -0,0 +1,16 @@
+//go:build (amd64 || arm64) && !appengine && gc && !purego && !noasm
+// +build amd64 arm64
+// +build !appengine
+// +build gc
+// +build !purego
+// +build !noasm
+
+package xxhash
+
+// Sum64 computes the 64-bit xxHash digest of b.
+//
+//go:noescape
+func Sum64(b []byte) uint64
+
+//go:noescape
+func writeBlocks(s *Digest, b []byte) int
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go
new file mode 100644
index 0000000000..0be16cefc7
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go
@@ -0,0 +1,76 @@
+//go:build (!amd64 && !arm64) || appengine || !gc || purego || noasm
+// +build !amd64,!arm64 appengine !gc purego noasm
+
+package xxhash
+
+// Sum64 computes the 64-bit xxHash digest of b.
+func Sum64(b []byte) uint64 {
+	// A simpler version would be
+	//   d := New()
+	//   d.Write(b)
+	//   return d.Sum64()
+	// but this is faster, particularly for small inputs.
+
+	n := len(b)
+	var h uint64
+
+	if n >= 32 {
+		v1 := primes[0] + prime2
+		v2 := prime2
+		v3 := uint64(0)
+		v4 := -primes[0]
+		for len(b) >= 32 {
+			v1 = round(v1, u64(b[0:8:len(b)]))
+			v2 = round(v2, u64(b[8:16:len(b)]))
+			v3 = round(v3, u64(b[16:24:len(b)]))
+			v4 = round(v4, u64(b[24:32:len(b)]))
+			b = b[32:len(b):len(b)]
+		}
+		h = rol1(v1) + rol7(v2) + rol12(v3) + rol18(v4)
+		h = mergeRound(h, v1)
+		h = mergeRound(h, v2)
+		h = mergeRound(h, v3)
+		h = mergeRound(h, v4)
+	} else {
+		h = prime5
+	}
+
+	h += uint64(n)
+
+	for ; len(b) >= 8; b = b[8:] {
+		k1 := round(0, u64(b[:8]))
+		h ^= k1
+		h = rol27(h)*prime1 + prime4
+	}
+	if len(b) >= 4 {
+		h ^= uint64(u32(b[:4])) * prime1
+		h = rol23(h)*prime2 + prime3
+		b = b[4:]
+	}
+	for ; len(b) > 0; b = b[1:] {
+		h ^= uint64(b[0]) * prime5
+		h = rol11(h) * prime1
+	}
+
+	h ^= h >> 33
+	h *= prime2
+	h ^= h >> 29
+	h *= prime3
+	h ^= h >> 32
+
+	return h
+}
+
+func writeBlocks(d *Digest, b []byte) int {
+	v1, v2, v3, v4 := d.v1, d.v2, d.v3, d.v4
+	n := len(b)
+	for len(b) >= 32 {
+		v1 = round(v1, u64(b[0:8:len(b)]))
+		v2 = round(v2, u64(b[8:16:len(b)]))
+		v3 = round(v3, u64(b[16:24:len(b)]))
+		v4 = round(v4, u64(b[24:32:len(b)]))
+		b = b[32:len(b):len(b)]
+	}
+	d.v1, d.v2, d.v3, d.v4 = v1, v2, v3, v4
+	return n - len(b)
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_safe.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_safe.go
new file mode 100644
index 0000000000..6f3b0cb102
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_safe.go
@@ -0,0 +1,11 @@
+package xxhash
+
+// Sum64String computes the 64-bit xxHash digest of s.
+func Sum64String(s string) uint64 {
+	return Sum64([]byte(s))
+}
+
+// WriteString adds more data to d. It always returns len(s), nil.
+func (d *Digest) WriteString(s string) (n int, err error) {
+	return d.Write([]byte(s))
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go
new file mode 100644
index 0000000000..f41932b7a4
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go
@@ -0,0 +1,16 @@
+//go:build amd64 && !appengine && !noasm && gc
+// +build amd64,!appengine,!noasm,gc
+
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+
+package zstd
+
+// matchLen returns how many bytes match in a and b
+//
+// It assumes that:
+//
+//	len(a) <= len(b) and len(a) > 0
+//
+//go:noescape
+func matchLen(a []byte, b []byte) int
diff --git a/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.s b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.s
new file mode 100644
index 0000000000..0782b86e3d
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.s
@@ -0,0 +1,66 @@
+// Copied from S2 implementation.
+
+//go:build !appengine && !noasm && gc && !noasm
+
+#include "textflag.h"
+
+// func matchLen(a []byte, b []byte) int
+TEXT ·matchLen(SB), NOSPLIT, $0-56
+	MOVQ a_base+0(FP), AX
+	MOVQ b_base+24(FP), CX
+	MOVQ a_len+8(FP), DX
+
+	// matchLen
+	XORL SI, SI
+	CMPL DX, $0x08
+	JB   matchlen_match4_standalone
+
+matchlen_loopback_standalone:
+	MOVQ (AX)(SI*1), BX
+	XORQ (CX)(SI*1), BX
+	JZ   matchlen_loop_standalone
+
+#ifdef GOAMD64_v3
+	TZCNTQ BX, BX
+#else
+	BSFQ BX, BX
+#endif
+	SHRL $0x03, BX
+	LEAL (SI)(BX*1), SI
+	JMP  gen_match_len_end
+
+matchlen_loop_standalone:
+	LEAL -8(DX), DX
+	LEAL 8(SI), SI
+	CMPL DX, $0x08
+	JAE  matchlen_loopback_standalone
+
+matchlen_match4_standalone:
+	CMPL DX, $0x04
+	JB   matchlen_match2_standalone
+	MOVL (AX)(SI*1), BX
+	CMPL (CX)(SI*1), BX
+	JNE  matchlen_match2_standalone
+	LEAL -4(DX), DX
+	LEAL 4(SI), SI
+
+matchlen_match2_standalone:
+	CMPL DX, $0x02
+	JB   matchlen_match1_standalone
+	MOVW (AX)(SI*1), BX
+	CMPW (CX)(SI*1), BX
+	JNE  matchlen_match1_standalone
+	LEAL -2(DX), DX
+	LEAL 2(SI), SI
+
+matchlen_match1_standalone:
+	CMPL DX, $0x01
+	JB   gen_match_len_end
+	MOVB (AX)(SI*1), BL
+	CMPB (CX)(SI*1), BL
+	JNE  gen_match_len_end
+	INCL SI
+
+gen_match_len_end:
+	MOVQ SI, ret+48(FP)
+	RET
diff --git a/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go b/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go
new file mode 100644
index 0000000000..bea1779e97
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go
@@ -0,0 +1,38 @@
+//go:build !amd64 || appengine || !gc || noasm
+// +build !amd64 appengine !gc noasm
+
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+
+package zstd
+
+import (
+	"math/bits"
+
+	"github.com/klauspost/compress/internal/le"
+)
+
+// matchLen returns the maximum common prefix length of a and b.
+// a must be the shortest of the two.
+func matchLen(a, b []byte) (n int) {
+	left := len(a)
+	for left >= 8 {
+		diff := le.Load64(a, n) ^ le.Load64(b, n)
+		if diff != 0 {
+			return n + bits.TrailingZeros64(diff)>>3
+		}
+		n += 8
+		left -= 8
+	}
+	a = a[n:]
+	b = b[n:]
+
+	for i := range a {
+		if a[i] != b[i] {
+			break
+		}
+		n++
+	}
+	return n
+
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec.go b/vendor/github.com/klauspost/compress/zstd/seqdec.go
new file mode 100644
index 0000000000..9a7de82f9e
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/seqdec.go
@@ -0,0 +1,503 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"errors"
+	"fmt"
+	"io"
+)
+
+type seq struct {
+	litLen   uint32
+	matchLen uint32
+	offset   uint32
+
+	// Codes are stored here for the encoder
+	// so they only have to be looked up once.
+	llCode, mlCode, ofCode uint8
+}
+
+type seqVals struct {
+	ll, ml, mo int
+}
+
+func (s seq) String() string {
+	if s.offset <= 3 {
+		if s.offset == 0 {
+			return fmt.Sprint("litLen:", s.litLen, ", matchLen:", s.matchLen+zstdMinMatch, ", offset: INVALID (0)")
+		}
+		return fmt.Sprint("litLen:", s.litLen, ", matchLen:", s.matchLen+zstdMinMatch, ", offset:", s.offset, " (repeat)")
+	}
+	return fmt.Sprint("litLen:", s.litLen, ", matchLen:", s.matchLen+zstdMinMatch, ", offset:", s.offset-3, " (new)")
+}
+
+type seqCompMode uint8
+
+const (
+	compModePredefined seqCompMode = iota
+	compModeRLE
+	compModeFSE
+	compModeRepeat
+)
+
+type sequenceDec struct {
+	// decoder keeps track of the current state and updates it from the bitstream.
+	fse    *fseDecoder
+	state  fseState
+	repeat bool
+}
+
+// init the state of the decoder with input from stream.
+func (s *sequenceDec) init(br *bitReader) error {
+	if s.fse == nil {
+		return errors.New("sequence decoder not defined")
+	}
+	s.state.init(br, s.fse.actualTableLog, s.fse.dt[:1<<s.fse.actualTableLog])
+	return nil
+}
+
+// sequenceDecs contains all 3 sequence decoders and their state.
+type sequenceDecs struct {
+	litLengths   sequenceDec
+	offsets      sequenceDec
+	matchLengths sequenceDec
+	prevOffset   [3]int
+	dict         []byte
+	literals     []byte
+	out          []byte
+	nSeqs        int
+	br           *bitReader
+	seqSize      int
+	windowSize   int
+	maxBits      uint8
+	maxSyncLen   uint64
+}
+
+// initialize all 3 decoders from the stream input.
+func (s *sequenceDecs) initialize(br *bitReader, hist *history, out []byte) error {
+	if err := s.litLengths.init(br); err != nil {
+		return errors.New("litLengths:" + err.Error())
+	}
+	if err := s.offsets.init(br); err != nil {
+		return errors.New("offsets:" + err.Error())
+	}
+	if err := s.matchLengths.init(br); err != nil {
+		return errors.New("matchLengths:" + err.Error())
+	}
+	s.br = br
+	s.prevOffset = hist.recentOffsets
+	s.maxBits = s.litLengths.fse.maxBits + s.offsets.fse.maxBits + s.matchLengths.fse.maxBits
+	s.windowSize = hist.windowSize
+	s.out = out
+	s.dict = nil
+	if hist.dict != nil {
+		s.dict = hist.dict.content
+	}
+	return nil
+}
+
+func (s *sequenceDecs) freeDecoders() {
+	if f := s.litLengths.fse; f != nil && !f.preDefined {
+		fseDecoderPool.Put(f)
+		s.litLengths.fse = nil
+	}
+	if f := s.offsets.fse; f != nil && !f.preDefined {
+		fseDecoderPool.Put(f)
+		s.offsets.fse = nil
+	}
+	if f := s.matchLengths.fse; f != nil && !f.preDefined {
+		fseDecoderPool.Put(f)
+		s.matchLengths.fse = nil
+	}
+}
+
+// execute will execute the decoded sequence with the provided history.
+// The sequence must be evaluated before being sent.
+func (s *sequenceDecs) execute(seqs []seqVals, hist []byte) error {
+	if len(s.dict) == 0 {
+		return s.executeSimple(seqs, hist)
+	}
+
+	// Ensure we have enough output size...
+	if len(s.out)+s.seqSize > cap(s.out) {
+		addBytes := s.seqSize + len(s.out)
+		s.out = append(s.out, make([]byte, addBytes)...)
+		s.out = s.out[:len(s.out)-addBytes]
+	}
+
+	if debugDecoder {
+		printf("Execute %d seqs with hist %d, dict %d, literals: %d into %d bytes\n", len(seqs), len(hist), len(s.dict), len(s.literals), s.seqSize)
+	}
+
+	var t = len(s.out)
+	out := s.out[:t+s.seqSize]
+
+	for _, seq := range seqs {
+		// Add literals
+		copy(out[t:], s.literals[:seq.ll])
+		t += seq.ll
+		s.literals = s.literals[seq.ll:]
+
+		// Copy from dictionary...
+		if seq.mo > t+len(hist) || seq.mo > s.windowSize {
+			if len(s.dict) == 0 {
+				return fmt.Errorf("match offset (%d) bigger than current history (%d)", seq.mo, t+len(hist))
+			}
+
+			// we may be in dictionary.
+			dictO := len(s.dict) - (seq.mo - (t + len(hist)))
+			if dictO < 0 || dictO >= len(s.dict) {
+				return fmt.Errorf("match offset (%d) bigger than current history+dict (%d)", seq.mo, t+len(hist)+len(s.dict))
+			}
+			end := dictO + seq.ml
+			if end > len(s.dict) {
+				n := len(s.dict) - dictO
+				copy(out[t:], s.dict[dictO:])
+				t += n
+				seq.ml -= n
+			} else {
+				copy(out[t:], s.dict[dictO:end])
+				t += end - dictO
+				continue
+			}
+		}
+
+		// Copy from history.
+		if v := seq.mo - t; v > 0 {
+			// v is the start position in history from end.
+			start := len(hist) - v
+			if seq.ml > v {
+				// Some goes into current block.
+				// Copy remainder of history
+				copy(out[t:], hist[start:])
+				t += v
+				seq.ml -= v
+			} else {
+				copy(out[t:], hist[start:start+seq.ml])
+				t += seq.ml
+				continue
+			}
+		}
+		// We must be in current buffer now
+		if seq.ml > 0 {
+			start := t - seq.mo
+			if seq.ml <= t-start {
+				// No overlap
+				copy(out[t:], out[start:start+seq.ml])
+				t += seq.ml
+				continue
+			} else {
+				// Overlapping copy
+				// Extend destination slice and copy one byte at the time.
+				src := out[start : start+seq.ml]
+				dst := out[t:]
+				dst = dst[:len(src)]
+				t += len(src)
+				// Destination is the space we just added.
+				for i := range src {
+					dst[i] = src[i]
+				}
+			}
+		}
+	}
+
+	// Add final literals
+	copy(out[t:], s.literals)
+	if debugDecoder {
+		t += len(s.literals)
+		if t != len(out) {
+			panic(fmt.Errorf("length mismatch, want %d, got %d, ss: %d", len(out), t, s.seqSize))
+		}
+	}
+	s.out = out
+
+	return nil
+}
+
+// decode sequences from the stream with the provided history.
+func (s *sequenceDecs) decodeSync(hist []byte) error {
+	supported, err := s.decodeSyncSimple(hist)
+	if supported {
+		return err
+	}
+
+	br := s.br
+	seqs := s.nSeqs
+	startSize := len(s.out)
+	// Grab full sizes tables, to avoid bounds checks.
+	llTable, mlTable, ofTable := s.litLengths.fse.dt[:maxTablesize], s.matchLengths.fse.dt[:maxTablesize], s.offsets.fse.dt[:maxTablesize]
+	llState, mlState, ofState := s.litLengths.state.state, s.matchLengths.state.state, s.offsets.state.state
+	out := s.out
+	maxBlockSize := maxCompressedBlockSize
+	if s.windowSize < maxBlockSize {
+		maxBlockSize = s.windowSize
+	}
+
+	if debugDecoder {
+		println("decodeSync: decoding", seqs, "sequences", br.remain(), "bits remain on stream")
+	}
+	for i := seqs - 1; i >= 0; i-- {
+		if br.overread() {
+			printf("reading sequence %d, exceeded available data. Overread by %d\n", seqs-i, -br.remain())
+			return io.ErrUnexpectedEOF
+		}
+		var ll, mo, ml int
+		if br.cursor > 4+((maxOffsetBits+16+16)>>3) {
+			// inlined function:
+			// ll, mo, ml = s.nextFast(br, llState, mlState, ofState)
+
+			// Final will not read from stream.
+			var llB, mlB, moB uint8
+			ll, llB = llState.final()
+			ml, mlB = mlState.final()
+			mo, moB = ofState.final()
+
+			// extra bits are stored in reverse order.
+			br.fillFast()
+			mo += br.getBits(moB)
+			if s.maxBits > 32 {
+				br.fillFast()
+			}
+			ml += br.getBits(mlB)
+			ll += br.getBits(llB)
+
+			if moB > 1 {
+				s.prevOffset[2] = s.prevOffset[1]
+				s.prevOffset[1] = s.prevOffset[0]
+				s.prevOffset[0] = mo
+			} else {
+				// mo = s.adjustOffset(mo, ll, moB)
+				// Inlined for rather big speedup
+				if ll == 0 {
+					// There is an exception though, when current sequence's literals_length = 0.
+					// In this case, repeated offsets are shifted by one, so an offset_value of 1 means Repeated_Offset2,
+					// an offset_value of 2 means Repeated_Offset3, and an offset_value of 3 means Repeated_Offset1 - 1_byte.
+					mo++
+				}
+
+				if mo == 0 {
+					mo = s.prevOffset[0]
+				} else {
+					var temp int
+					if mo == 3 {
+						temp = s.prevOffset[0] - 1
+					} else {
+						temp = s.prevOffset[mo]
+					}
+
+					if temp == 0 {
+						// 0 is not valid; input is corrupted; force offset to 1
+						println("WARNING: temp was 0")
+						temp = 1
+					}
+
+					if mo != 1 {
+						s.prevOffset[2] = s.prevOffset[1]
+					}
+					s.prevOffset[1] = s.prevOffset[0]
+					s.prevOffset[0] = temp
+					mo = temp
+				}
+			}
+			br.fillFast()
+		} else {
+			ll, mo, ml = s.next(br, llState, mlState, ofState)
+			br.fill()
+		}
+
+		if debugSequences {
+			println("Seq", seqs-i-1, "Litlen:", ll, "mo:", mo, "(abs) ml:", ml)
+		}
+
+		if ll > len(s.literals) {
+			return fmt.Errorf("unexpected literal count, want %d bytes, but only %d is available", ll, len(s.literals))
+		}
+		size := ll + ml + len(out)
+		if size-startSize > maxBlockSize {
+			return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
+		}
+		if size > cap(out) {
+			// Not enough size, which can happen under high volume block streaming conditions
+			// but could be if destination slice is too small for sync operations.
+			// over-allocating here can create a large amount of GC pressure so we try to keep
+			// it as contained as possible
+			used := len(out) - startSize
+			addBytes := 256 + ll + ml + used>>2
+			// Clamp to max block size.
+			if used+addBytes > maxBlockSize {
+				addBytes = maxBlockSize - used
+			}
+			out = append(out, make([]byte, addBytes)...)
+			out = out[:len(out)-addBytes]
+		}
+		if ml > maxMatchLen {
+			return fmt.Errorf("match len (%d) bigger than max allowed length", ml)
+		}
+
+		// Add literals
+		out = append(out, s.literals[:ll]...)
+		s.literals = s.literals[ll:]
+
+		if mo == 0 && ml > 0 {
+			return fmt.Errorf("zero matchoff and matchlen (%d) > 0", ml)
+		}
+
+		if mo > len(out)+len(hist) || mo > s.windowSize {
+			if len(s.dict) == 0 {
+				return fmt.Errorf("match offset (%d) bigger than current history (%d)", mo, len(out)+len(hist)-startSize)
+			}
+
+			// we may be in dictionary.
+			dictO := len(s.dict) - (mo - (len(out) + len(hist)))
+			if dictO < 0 || dictO >= len(s.dict) {
+				return fmt.Errorf("match offset (%d) bigger than current history (%d)", mo, len(out)+len(hist)-startSize)
+			}
+			end := dictO + ml
+			if end > len(s.dict) {
+				out = append(out, s.dict[dictO:]...)
+				ml -= len(s.dict) - dictO
+			} else {
+				out = append(out, s.dict[dictO:end]...)
+				mo = 0
+				ml = 0
+			}
+		}
+
+		// Copy from history.
+		// TODO: Blocks without history could be made to ignore this completely.
+		if v := mo - len(out); v > 0 {
+			// v is the start position in history from end.
+			start := len(hist) - v
+			if ml > v {
+				// Some goes into current block.
+				// Copy remainder of history
+				out = append(out, hist[start:]...)
+				ml -= v
+			} else {
+				out = append(out, hist[start:start+ml]...)
+				ml = 0
+			}
+		}
+		// We must be in current buffer now
+		if ml > 0 {
+			start := len(out) - mo
+			if ml <= len(out)-start {
+				// No overlap
+				out = append(out, out[start:start+ml]...)
+			} else {
+				// Overlapping copy
+				// Extend destination slice and copy one byte at the time.
+				out = out[:len(out)+ml]
+				src := out[start : start+ml]
+				// Destination is the space we just added.
+				dst := out[len(out)-ml:]
+				dst = dst[:len(src)]
+				for i := range src {
+					dst[i] = src[i]
+				}
+			}
+		}
+		if i == 0 {
+			// This is the last sequence, so we shouldn't update state.
+			break
+		}
+
+		// Manually inlined, ~ 5-20% faster
+		// Update all 3 states at once. Approx 20% faster.
+		nBits := llState.nbBits() + mlState.nbBits() + ofState.nbBits()
+		if nBits == 0 {
+			llState = llTable[llState.newState()&maxTableMask]
+			mlState = mlTable[mlState.newState()&maxTableMask]
+			ofState = ofTable[ofState.newState()&maxTableMask]
+		} else {
+			bits := br.get32BitsFast(nBits)
+
+			lowBits := uint16(bits >> ((ofState.nbBits() + mlState.nbBits()) & 31))
+			llState = llTable[(llState.newState()+lowBits)&maxTableMask]
+
+			lowBits = uint16(bits >> (ofState.nbBits() & 31))
+			lowBits &= bitMask[mlState.nbBits()&15]
+			mlState = mlTable[(mlState.newState()+lowBits)&maxTableMask]
+
+			lowBits = uint16(bits) & bitMask[ofState.nbBits()&15]
+			ofState = ofTable[(ofState.newState()+lowBits)&maxTableMask]
+		}
+	}
+
+	if size := len(s.literals) + len(out) - startSize; size > maxBlockSize {
+		return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
+	}
+
+	// Add final literals
+	s.out = append(out, s.literals...)
+	return br.close()
+}
+
+var bitMask [16]uint16
+
+func init() {
+	for i := range bitMask[:] {
+		bitMask[i] = uint16((1 << uint(i)) - 1)
+	}
+}
+
+func (s *sequenceDecs) next(br *bitReader, llState, mlState, ofState decSymbol) (ll, mo, ml int) {
+	// Final will not read from stream.
+	ll, llB := llState.final()
+	ml, mlB := mlState.final()
+	mo, moB := ofState.final()
+
+	// extra bits are stored in reverse order.
+	br.fill()
+	mo += br.getBits(moB)
+	if s.maxBits > 32 {
+		br.fill()
+	}
+	// matchlength+literal length, max 32 bits
+	ml += br.getBits(mlB)
+	ll += br.getBits(llB)
+	mo = s.adjustOffset(mo, ll, moB)
+	return
+}
+
+func (s *sequenceDecs) adjustOffset(offset, litLen int, offsetB uint8) int {
+	if offsetB > 1 {
+		s.prevOffset[2] = s.prevOffset[1]
+		s.prevOffset[1] = s.prevOffset[0]
+		s.prevOffset[0] = offset
+		return offset
+	}
+
+	if litLen == 0 {
+		// There is an exception though, when current sequence's literals_length = 0.
+		// In this case, repeated offsets are shifted by one, so an offset_value of 1 means Repeated_Offset2,
+		// an offset_value of 2 means Repeated_Offset3, and an offset_value of 3 means Repeated_Offset1 - 1_byte.
+		offset++
+	}
+
+	if offset == 0 {
+		return s.prevOffset[0]
+	}
+	var temp int
+	if offset == 3 {
+		temp = s.prevOffset[0] - 1
+	} else {
+		temp = s.prevOffset[offset]
+	}
+
+	if temp == 0 {
+		// 0 is not valid; input is corrupted; force offset to 1
+		println("temp was 0")
+		temp = 1
+	}
+
+	if offset != 1 {
+		s.prevOffset[2] = s.prevOffset[1]
+	}
+	s.prevOffset[1] = s.prevOffset[0]
+	s.prevOffset[0] = temp
+	return temp
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go
new file mode 100644
index 0000000000..c59f17e07a
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go
@@ -0,0 +1,394 @@
+//go:build amd64 && !appengine && !noasm && gc
+// +build amd64,!appengine,!noasm,gc
+
+package zstd
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/klauspost/compress/internal/cpuinfo"
+)
+
+type decodeSyncAsmContext struct {
+	llTable     []decSymbol
+	mlTable     []decSymbol
+	ofTable     []decSymbol
+	llState     uint64
+	mlState     uint64
+	ofState     uint64
+	iteration   int
+	litRemain   int
+	out         []byte
+	outPosition int
+	literals    []byte
+	litPosition int
+	history     []byte
+	windowSize  int
+	ll          int // set on error (not for all errors, please refer to _generate/gen.go)
+	ml          int // set on error (not for all errors, please refer to _generate/gen.go)
+	mo          int // set on error (not for all errors, please refer to _generate/gen.go)
+}
+
+// sequenceDecs_decodeSync_amd64 implements the main loop of sequenceDecs.decodeSync in x86 asm.
+//
+// Please refer to seqdec_generic.go for the reference implementation.
+//
+//go:noescape
+func sequenceDecs_decodeSync_amd64(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int
+
+// sequenceDecs_decodeSync_bmi2 implements the main loop of sequenceDecs.decodeSync in x86 asm with BMI2 extensions.
+//
+//go:noescape
+func sequenceDecs_decodeSync_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int
+
+// sequenceDecs_decodeSync_safe_amd64 does the same as above, but does not write more than output buffer.
+//
+//go:noescape
+func sequenceDecs_decodeSync_safe_amd64(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int
+
+// sequenceDecs_decodeSync_safe_bmi2 does the same as above, but does not write more than output buffer.
+//
+//go:noescape
+func sequenceDecs_decodeSync_safe_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int
+
+// decode sequences from the stream with the provided history but without a dictionary.
+func (s *sequenceDecs) decodeSyncSimple(hist []byte) (bool, error) {
+	if len(s.dict) > 0 {
+		return false, nil
+	}
+	if s.maxSyncLen == 0 && cap(s.out)-len(s.out) < maxCompressedBlockSize {
+		return false, nil
+	}
+
+	// FIXME: Using unsafe memory copies leads to rare, random crashes
+	// with fuzz testing. It is therefore disabled for now.
+	const useSafe = true
+	/*
+		useSafe := false
+		if s.maxSyncLen == 0 && cap(s.out)-len(s.out) < maxCompressedBlockSizeAlloc {
+			useSafe = true
+		}
+		if s.maxSyncLen > 0 && cap(s.out)-len(s.out)-compressedBlockOverAlloc < int(s.maxSyncLen) {
+			useSafe = true
+		}
+		if cap(s.literals) < len(s.literals)+compressedBlockOverAlloc {
+			useSafe = true
+		}
+	*/
+
+	br := s.br
+
+	maxBlockSize := maxCompressedBlockSize
+	if s.windowSize < maxBlockSize {
+		maxBlockSize = s.windowSize
+	}
+
+	ctx := decodeSyncAsmContext{
+		llTable:     s.litLengths.fse.dt[:maxTablesize],
+		mlTable:     s.matchLengths.fse.dt[:maxTablesize],
+		ofTable:     s.offsets.fse.dt[:maxTablesize],
+		llState:     uint64(s.litLengths.state.state),
+		mlState:     uint64(s.matchLengths.state.state),
+		ofState:     uint64(s.offsets.state.state),
+		iteration:   s.nSeqs - 1,
+		litRemain:   len(s.literals),
+		out:         s.out,
+		outPosition: len(s.out),
+		literals:    s.literals,
+		windowSize:  s.windowSize,
+		history:     hist,
+	}
+
+	s.seqSize = 0
+	startSize := len(s.out)
+
+	var errCode int
+	if cpuinfo.HasBMI2() {
+		if useSafe {
+			errCode = sequenceDecs_decodeSync_safe_bmi2(s, br, &ctx)
+		} else {
+			errCode = sequenceDecs_decodeSync_bmi2(s, br, &ctx)
+		}
+	} else {
+		if useSafe {
+			errCode = sequenceDecs_decodeSync_safe_amd64(s, br, &ctx)
+		} else {
+			errCode = sequenceDecs_decodeSync_amd64(s, br, &ctx)
+		}
+	}
+	switch errCode {
+	case noError:
+		break
+
+	case errorMatchLenOfsMismatch:
+		return true, fmt.Errorf("zero matchoff and matchlen (%d) > 0", ctx.ml)
+
+	case errorMatchLenTooBig:
+		return true, fmt.Errorf("match len (%d) bigger than max allowed length", ctx.ml)
+
+	case errorMatchOffTooBig:
+		return true, fmt.Errorf("match offset (%d) bigger than current history (%d)",
+			ctx.mo, ctx.outPosition+len(hist)-startSize)
+
+	case errorNotEnoughLiterals:
+		return true, fmt.Errorf("unexpected literal count, want %d bytes, but only %d is available",
+			ctx.ll, ctx.litRemain+ctx.ll)
+
+	case errorOverread:
+		return true, io.ErrUnexpectedEOF
+
+	case errorNotEnoughSpace:
+		size := ctx.outPosition + ctx.ll + ctx.ml
+		if debugDecoder {
+			println("msl:", s.maxSyncLen, "cap", cap(s.out), "bef:", startSize, "sz:", size-startSize, "mbs:", maxBlockSize, "outsz:", cap(s.out)-startSize)
+		}
+		return true, fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
+
+	default:
+		return true, fmt.Errorf("sequenceDecs_decode returned erroneous code %d", errCode)
+	}
+
+	s.seqSize += ctx.litRemain
+	if s.seqSize > maxBlockSize {
+		return true, fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
+	}
+	err := br.close()
+	if err != nil {
+		printf("Closing sequences: %v, %+v\n", err, *br)
+		return true, err
+	}
+
+	s.literals = s.literals[ctx.litPosition:]
+	t := ctx.outPosition
+	s.out = s.out[:t]
+
+	// Add final literals
+	s.out = append(s.out, s.literals...)
+	if debugDecoder {
+		t += len(s.literals)
+		if t != len(s.out) {
+			panic(fmt.Errorf("length mismatch, want %d, got %d", len(s.out), t))
+		}
+	}
+
+	return true, nil
+}
+
+// --------------------------------------------------------------------------------
+
+type decodeAsmContext struct {
+	llTable   []decSymbol
+	mlTable   []decSymbol
+	ofTable   []decSymbol
+	llState   uint64
+	mlState   uint64
+	ofState   uint64
+	iteration int
+	seqs      []seqVals
+	litRemain int
+}
+
+const noError = 0
+
+// error reported when mo == 0 && ml > 0
+const errorMatchLenOfsMismatch = 1
+
+// error reported when ml > maxMatchLen
+const errorMatchLenTooBig = 2
+
+// error reported when mo > available history or mo > s.windowSize
+const errorMatchOffTooBig = 3
+
+// error reported when the sum of literal lengths exeeceds the literal buffer size
+const errorNotEnoughLiterals = 4
+
+// error reported when capacity of `out` is too small
+const errorNotEnoughSpace = 5
+
+// error reported when bits are overread.
+const errorOverread = 6
+
+// sequenceDecs_decode implements the main loop of sequenceDecs in x86 asm.
+//
+// Please refer to seqdec_generic.go for the reference implementation.
+//
+//go:noescape
+func sequenceDecs_decode_amd64(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int
+
+// sequenceDecs_decode implements the main loop of sequenceDecs in x86 asm.
+//
+// Please refer to seqdec_generic.go for the reference implementation.
+//
+//go:noescape
+func sequenceDecs_decode_56_amd64(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int
+
+// sequenceDecs_decode implements the main loop of sequenceDecs in x86 asm with BMI2 extensions.
+//
+//go:noescape
+func sequenceDecs_decode_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int
+
+// sequenceDecs_decode implements the main loop of sequenceDecs in x86 asm with BMI2 extensions.
+//
+//go:noescape
+func sequenceDecs_decode_56_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int
+
+// decode sequences from the stream without the provided history.
+func (s *sequenceDecs) decode(seqs []seqVals) error {
+	br := s.br
+
+	maxBlockSize := maxCompressedBlockSize
+	if s.windowSize < maxBlockSize {
+		maxBlockSize = s.windowSize
+	}
+
+	ctx := decodeAsmContext{
+		llTable:   s.litLengths.fse.dt[:maxTablesize],
+		mlTable:   s.matchLengths.fse.dt[:maxTablesize],
+		ofTable:   s.offsets.fse.dt[:maxTablesize],
+		llState:   uint64(s.litLengths.state.state),
+		mlState:   uint64(s.matchLengths.state.state),
+		ofState:   uint64(s.offsets.state.state),
+		seqs:      seqs,
+		iteration: len(seqs) - 1,
+		litRemain: len(s.literals),
+	}
+
+	if debugDecoder {
+		println("decode: decoding", len(seqs), "sequences", br.remain(), "bits remain on stream")
+	}
+
+	s.seqSize = 0
+	lte56bits := s.maxBits+s.offsets.fse.actualTableLog+s.matchLengths.fse.actualTableLog+s.litLengths.fse.actualTableLog <= 56
+	var errCode int
+	if cpuinfo.HasBMI2() {
+		if lte56bits {
+			errCode = sequenceDecs_decode_56_bmi2(s, br, &ctx)
+		} else {
+			errCode = sequenceDecs_decode_bmi2(s, br, &ctx)
+		}
+	} else {
+		if lte56bits {
+			errCode = sequenceDecs_decode_56_amd64(s, br, &ctx)
+		} else {
+			errCode = sequenceDecs_decode_amd64(s, br, &ctx)
+		}
+	}
+	if errCode != 0 {
+		i := len(seqs) - ctx.iteration - 1
+		switch errCode {
+		case errorMatchLenOfsMismatch:
+			ml := ctx.seqs[i].ml
+			return fmt.Errorf("zero matchoff and matchlen (%d) > 0", ml)
+
+		case errorMatchLenTooBig:
+			ml := ctx.seqs[i].ml
+			return fmt.Errorf("match len (%d) bigger than max allowed length", ml)
+
+		case errorNotEnoughLiterals:
+			ll := ctx.seqs[i].ll
+			return fmt.Errorf("unexpected literal count, want %d bytes, but only %d is available", ll, ctx.litRemain+ll)
+		case errorOverread:
+			return io.ErrUnexpectedEOF
+		}
+
+		return fmt.Errorf("sequenceDecs_decode_amd64 returned erroneous code %d", errCode)
+	}
+
+	if ctx.litRemain < 0 {
+		return fmt.Errorf("literal count is too big: total available %d, total requested %d",
+			len(s.literals), len(s.literals)-ctx.litRemain)
+	}
+
+	s.seqSize += ctx.litRemain
+	if s.seqSize > maxBlockSize {
+		return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
+	}
+	if debugDecoder {
+		println("decode: ", br.remain(), "bits remain on stream. code:", errCode)
+	}
+	err := br.close()
+	if err != nil {
+		printf("Closing sequences: %v, %+v\n", err, *br)
+	}
+	return err
+}
+
+// --------------------------------------------------------------------------------
+
+type executeAsmContext struct {
+	seqs        []seqVals
+	seqIndex    int
+	out         []byte
+	history     []byte
+	literals    []byte
+	outPosition int
+	litPosition int
+	windowSize  int
+}
+
+// sequenceDecs_executeSimple_amd64 implements the main loop of sequenceDecs.executeSimple in x86 asm.
+//
+// Returns false if a match offset is too big.
+//
+// Please refer to seqdec_generic.go for the reference implementation.
+//
+//go:noescape
+func sequenceDecs_executeSimple_amd64(ctx *executeAsmContext) bool
+
+// Same as above, but with safe memcopies
+//
+//go:noescape
+func sequenceDecs_executeSimple_safe_amd64(ctx *executeAsmContext) bool
+
+// executeSimple handles cases when dictionary is not used.
+func (s *sequenceDecs) executeSimple(seqs []seqVals, hist []byte) error {
+	// Ensure we have enough output size...
+	if len(s.out)+s.seqSize+compressedBlockOverAlloc > cap(s.out) {
+		addBytes := s.seqSize + len(s.out) + compressedBlockOverAlloc
+		s.out = append(s.out, make([]byte, addBytes)...)
+		s.out = s.out[:len(s.out)-addBytes]
+	}
+
+	if debugDecoder {
+		printf("Execute %d seqs with literals: %d into %d bytes\n", len(seqs), len(s.literals), s.seqSize)
+	}
+
+	var t = len(s.out)
+	out := s.out[:t+s.seqSize]
+
+	ctx := executeAsmContext{
+		seqs:        seqs,
+		seqIndex:    0,
+		out:         out,
+		history:     hist,
+		outPosition: t,
+		litPosition: 0,
+		literals:    s.literals,
+		windowSize:  s.windowSize,
+	}
+	var ok bool
+	if cap(s.literals) < len(s.literals)+compressedBlockOverAlloc {
+		ok = sequenceDecs_executeSimple_safe_amd64(&ctx)
+	} else {
+		ok = sequenceDecs_executeSimple_amd64(&ctx)
+	}
+	if !ok {
+		return fmt.Errorf("match offset (%d) bigger than current history (%d)",
+			seqs[ctx.seqIndex].mo, ctx.outPosition+len(hist))
+	}
+	s.literals = s.literals[ctx.litPosition:]
+	t = ctx.outPosition
+
+	// Add final literals
+	copy(out[t:], s.literals)
+	if debugDecoder {
+		t += len(s.literals)
+		if t != len(out) {
+			panic(fmt.Errorf("length mismatch, want %d, got %d, ss: %d", len(out), t, s.seqSize))
+		}
+	}
+	s.out = out
+
+	return nil
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.s b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.s
new file mode 100644
index 0000000000..a708ca6d3d
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.s
@@ -0,0 +1,4151 @@
+// Code generated by command: go run gen.go -out ../seqdec_amd64.s -pkg=zstd. DO NOT EDIT.
+
+//go:build !appengine && !noasm && gc && !noasm
+
+// func sequenceDecs_decode_amd64(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int
+// Requires: CMOV
+TEXT ·sequenceDecs_decode_amd64(SB), $8-32
+	MOVQ    br+8(FP), CX
+	MOVQ    24(CX), DX
+	MOVBQZX 40(CX), BX
+	MOVQ    (CX), AX
+	MOVQ    32(CX), SI
+	ADDQ    SI, AX
+	MOVQ    AX, (SP)
+	MOVQ    ctx+16(FP), AX
+	MOVQ    72(AX), DI
+	MOVQ    80(AX), R8
+	MOVQ    88(AX), R9
+	MOVQ    104(AX), R10
+	MOVQ    s+0(FP), AX
+	MOVQ    144(AX), R11
+	MOVQ    152(AX), R12
+	MOVQ    160(AX), R13
+
+sequenceDecs_decode_amd64_main_loop:
+	MOVQ (SP), R14
+
+	// Fill bitreader to have enough for the offset and match length.
+	CMPQ SI, $0x08
+	JL   sequenceDecs_decode_amd64_fill_byte_by_byte
+	MOVQ BX, AX
+	SHRQ $0x03, AX
+	SUBQ AX, R14
+	MOVQ (R14), DX
+	SUBQ AX, SI
+	ANDQ $0x07, BX
+	JMP  sequenceDecs_decode_amd64_fill_end
+
+sequenceDecs_decode_amd64_fill_byte_by_byte:
+	CMPQ    SI, $0x00
+	JLE     sequenceDecs_decode_amd64_fill_check_overread
+	CMPQ    BX, $0x07
+	JLE     sequenceDecs_decode_amd64_fill_end
+	SHLQ    $0x08, DX
+	SUBQ    $0x01, R14
+	SUBQ    $0x01, SI
+	SUBQ    $0x08, BX
+	MOVBQZX (R14), AX
+	ORQ     AX, DX
+	JMP     sequenceDecs_decode_amd64_fill_byte_by_byte
+
+sequenceDecs_decode_amd64_fill_check_overread:
+	CMPQ BX, $0x40
+	JA   error_overread
+
+sequenceDecs_decode_amd64_fill_end:
+	// Update offset
+	MOVQ  R9, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R15
+	SHLQ  CL, R15
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decode_amd64_of_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decode_amd64_of_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decode_amd64_of_update_zero
+	NEGQ  CX
+	SHRQ  CL, R15
+	ADDQ  R15, AX
+
+sequenceDecs_decode_amd64_of_update_zero:
+	MOVQ AX, 16(R10)
+
+	// Update match length
+	MOVQ  R8, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R15
+	SHLQ  CL, R15
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decode_amd64_ml_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decode_amd64_ml_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decode_amd64_ml_update_zero
+	NEGQ  CX
+	SHRQ  CL, R15
+	ADDQ  R15, AX
+
+sequenceDecs_decode_amd64_ml_update_zero:
+	MOVQ AX, 8(R10)
+
+	// Fill bitreader to have enough for the remaining
+	CMPQ SI, $0x08
+	JL   sequenceDecs_decode_amd64_fill_2_byte_by_byte
+	MOVQ BX, AX
+	SHRQ $0x03, AX
+	SUBQ AX, R14
+	MOVQ (R14), DX
+	SUBQ AX, SI
+	ANDQ $0x07, BX
+	JMP  sequenceDecs_decode_amd64_fill_2_end
+
+sequenceDecs_decode_amd64_fill_2_byte_by_byte:
+	CMPQ    SI, $0x00
+	JLE     sequenceDecs_decode_amd64_fill_2_check_overread
+	CMPQ    BX, $0x07
+	JLE     sequenceDecs_decode_amd64_fill_2_end
+	SHLQ    $0x08, DX
+	SUBQ    $0x01, R14
+	SUBQ    $0x01, SI
+	SUBQ    $0x08, BX
+	MOVBQZX (R14), AX
+	ORQ     AX, DX
+	JMP     sequenceDecs_decode_amd64_fill_2_byte_by_byte
+
+sequenceDecs_decode_amd64_fill_2_check_overread:
+	CMPQ BX, $0x40
+	JA   error_overread
+
+sequenceDecs_decode_amd64_fill_2_end:
+	// Update literal length
+	MOVQ  DI, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R15
+	SHLQ  CL, R15
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decode_amd64_ll_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decode_amd64_ll_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decode_amd64_ll_update_zero
+	NEGQ  CX
+	SHRQ  CL, R15
+	ADDQ  R15, AX
+
+sequenceDecs_decode_amd64_ll_update_zero:
+	MOVQ AX, (R10)
+
+	// Fill bitreader for state updates
+	MOVQ    R14, (SP)
+	MOVQ    R9, AX
+	SHRQ    $0x08, AX
+	MOVBQZX AL, AX
+	MOVQ    ctx+16(FP), CX
+	CMPQ    96(CX), $0x00
+	JZ      sequenceDecs_decode_amd64_skip_update
+
+	// Update Literal Length State
+	MOVBQZX DI, R14
+	SHRL    $0x10, DI
+	LEAQ    (BX)(R14*1), CX
+	MOVQ    DX, R15
+	MOVQ    CX, BX
+	ROLQ    CL, R15
+	MOVL    $0x00000001, BP
+	MOVB    R14, CL
+	SHLL    CL, BP
+	DECL    BP
+	ANDQ    BP, R15
+	ADDQ    R15, DI
+
+	// Load ctx.llTable
+	MOVQ ctx+16(FP), CX
+	MOVQ (CX), CX
+	MOVQ (CX)(DI*8), DI
+
+	// Update Match Length State
+	MOVBQZX R8, R14
+	SHRL    $0x10, R8
+	LEAQ    (BX)(R14*1), CX
+	MOVQ    DX, R15
+	MOVQ    CX, BX
+	ROLQ    CL, R15
+	MOVL    $0x00000001, BP
+	MOVB    R14, CL
+	SHLL    CL, BP
+	DECL    BP
+	ANDQ    BP, R15
+	ADDQ    R15, R8
+
+	// Load ctx.mlTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 24(CX), CX
+	MOVQ (CX)(R8*8), R8
+
+	// Update Offset State
+	MOVBQZX R9, R14
+	SHRL    $0x10, R9
+	LEAQ    (BX)(R14*1), CX
+	MOVQ    DX, R15
+	MOVQ    CX, BX
+	ROLQ    CL, R15
+	MOVL    $0x00000001, BP
+	MOVB    R14, CL
+	SHLL    CL, BP
+	DECL    BP
+	ANDQ    BP, R15
+	ADDQ    R15, R9
+
+	// Load ctx.ofTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 48(CX), CX
+	MOVQ (CX)(R9*8), R9
+
+sequenceDecs_decode_amd64_skip_update:
+	// Adjust offset
+	MOVQ 16(R10), CX
+	CMPQ AX, $0x01
+	JBE  sequenceDecs_decode_amd64_adjust_offsetB_1_or_0
+	MOVQ R12, R13
+	MOVQ R11, R12
+	MOVQ CX, R11
+	JMP  sequenceDecs_decode_amd64_after_adjust
+
+sequenceDecs_decode_amd64_adjust_offsetB_1_or_0:
+	CMPQ (R10), $0x00000000
+	JNE  sequenceDecs_decode_amd64_adjust_offset_maybezero
+	INCQ CX
+	JMP  sequenceDecs_decode_amd64_adjust_offset_nonzero
+
+sequenceDecs_decode_amd64_adjust_offset_maybezero:
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decode_amd64_adjust_offset_nonzero
+	MOVQ  R11, CX
+	JMP   sequenceDecs_decode_amd64_after_adjust
+
+sequenceDecs_decode_amd64_adjust_offset_nonzero:
+	CMPQ CX, $0x01
+	JB   sequenceDecs_decode_amd64_adjust_zero
+	JEQ  sequenceDecs_decode_amd64_adjust_one
+	CMPQ CX, $0x02
+	JA   sequenceDecs_decode_amd64_adjust_three
+	JMP  sequenceDecs_decode_amd64_adjust_two
+
+sequenceDecs_decode_amd64_adjust_zero:
+	MOVQ R11, AX
+	JMP  sequenceDecs_decode_amd64_adjust_test_temp_valid
+
+sequenceDecs_decode_amd64_adjust_one:
+	MOVQ R12, AX
+	JMP  sequenceDecs_decode_amd64_adjust_test_temp_valid
+
+sequenceDecs_decode_amd64_adjust_two:
+	MOVQ R13, AX
+	JMP  sequenceDecs_decode_amd64_adjust_test_temp_valid
+
+sequenceDecs_decode_amd64_adjust_three:
+	LEAQ -1(R11), AX
+
+sequenceDecs_decode_amd64_adjust_test_temp_valid:
+	TESTQ AX, AX
+	JNZ   sequenceDecs_decode_amd64_adjust_temp_valid
+	MOVQ  $0x00000001, AX
+
+sequenceDecs_decode_amd64_adjust_temp_valid:
+	CMPQ    CX, $0x01
+	CMOVQNE R12, R13
+	MOVQ    R11, R12
+	MOVQ    AX, R11
+	MOVQ    AX, CX
+
+sequenceDecs_decode_amd64_after_adjust:
+	MOVQ CX, 16(R10)
+
+	// Check values
+	MOVQ  8(R10), AX
+	MOVQ  (R10), R14
+	LEAQ  (AX)(R14*1), R15
+	MOVQ  s+0(FP), BP
+	ADDQ  R15, 256(BP)
+	MOVQ  ctx+16(FP), R15
+	SUBQ  R14, 128(R15)
+	JS    error_not_enough_literals
+	CMPQ  AX, $0x00020002
+	JA    sequenceDecs_decode_amd64_error_match_len_too_big
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decode_amd64_match_len_ofs_ok
+	TESTQ AX, AX
+	JNZ   sequenceDecs_decode_amd64_error_match_len_ofs_mismatch
+
+sequenceDecs_decode_amd64_match_len_ofs_ok:
+	ADDQ $0x18, R10
+	MOVQ ctx+16(FP), AX
+	DECQ 96(AX)
+	JNS  sequenceDecs_decode_amd64_main_loop
+	MOVQ s+0(FP), AX
+	MOVQ R11, 144(AX)
+	MOVQ R12, 152(AX)
+	MOVQ R13, 160(AX)
+	MOVQ br+8(FP), AX
+	MOVQ DX, 24(AX)
+	MOVB BL, 40(AX)
+	MOVQ SI, 32(AX)
+
+	// Return success
+	MOVQ $0x00000000, ret+24(FP)
+	RET
+
+	// Return with match length error
+sequenceDecs_decode_amd64_error_match_len_ofs_mismatch:
+	MOVQ $0x00000001, ret+24(FP)
+	RET
+
+	// Return with match too long error
+sequenceDecs_decode_amd64_error_match_len_too_big:
+	MOVQ $0x00000002, ret+24(FP)
+	RET
+
+	// Return with match offset too long error
+	MOVQ $0x00000003, ret+24(FP)
+	RET
+
+	// Return with not enough literals error
+error_not_enough_literals:
+	MOVQ $0x00000004, ret+24(FP)
+	RET
+
+	// Return with overread error
+error_overread:
+	MOVQ $0x00000006, ret+24(FP)
+	RET
+
+// func sequenceDecs_decode_56_amd64(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int
+// Requires: CMOV
+TEXT ·sequenceDecs_decode_56_amd64(SB), $8-32
+	MOVQ    br+8(FP), CX
+	MOVQ    24(CX), DX
+	MOVBQZX 40(CX), BX
+	MOVQ    (CX), AX
+	MOVQ    32(CX), SI
+	ADDQ    SI, AX
+	MOVQ    AX, (SP)
+	MOVQ    ctx+16(FP), AX
+	MOVQ    72(AX), DI
+	MOVQ    80(AX), R8
+	MOVQ    88(AX), R9
+	MOVQ    104(AX), R10
+	MOVQ    s+0(FP), AX
+	MOVQ    144(AX), R11
+	MOVQ    152(AX), R12
+	MOVQ    160(AX), R13
+
+sequenceDecs_decode_56_amd64_main_loop:
+	MOVQ (SP), R14
+
+	// Fill bitreader to have enough for the offset and match length.
+	CMPQ SI, $0x08
+	JL   sequenceDecs_decode_56_amd64_fill_byte_by_byte
+	MOVQ BX, AX
+	SHRQ $0x03, AX
+	SUBQ AX, R14
+	MOVQ (R14), DX
+	SUBQ AX, SI
+	ANDQ $0x07, BX
+	JMP  sequenceDecs_decode_56_amd64_fill_end
+
+sequenceDecs_decode_56_amd64_fill_byte_by_byte:
+	CMPQ    SI, $0x00
+	JLE     sequenceDecs_decode_56_amd64_fill_check_overread
+	CMPQ    BX, $0x07
+	JLE     sequenceDecs_decode_56_amd64_fill_end
+	SHLQ    $0x08, DX
+	SUBQ    $0x01, R14
+	SUBQ    $0x01, SI
+	SUBQ    $0x08, BX
+	MOVBQZX (R14), AX
+	ORQ     AX, DX
+	JMP     sequenceDecs_decode_56_amd64_fill_byte_by_byte
+
+sequenceDecs_decode_56_amd64_fill_check_overread:
+	CMPQ BX, $0x40
+	JA   error_overread
+
+sequenceDecs_decode_56_amd64_fill_end:
+	// Update offset
+	MOVQ  R9, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R15
+	SHLQ  CL, R15
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decode_56_amd64_of_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decode_56_amd64_of_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decode_56_amd64_of_update_zero
+	NEGQ  CX
+	SHRQ  CL, R15
+	ADDQ  R15, AX
+
+sequenceDecs_decode_56_amd64_of_update_zero:
+	MOVQ AX, 16(R10)
+
+	// Update match length
+	MOVQ  R8, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R15
+	SHLQ  CL, R15
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decode_56_amd64_ml_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decode_56_amd64_ml_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decode_56_amd64_ml_update_zero
+	NEGQ  CX
+	SHRQ  CL, R15
+	ADDQ  R15, AX
+
+sequenceDecs_decode_56_amd64_ml_update_zero:
+	MOVQ AX, 8(R10)
+
+	// Update literal length
+	MOVQ  DI, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R15
+	SHLQ  CL, R15
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decode_56_amd64_ll_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decode_56_amd64_ll_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decode_56_amd64_ll_update_zero
+	NEGQ  CX
+	SHRQ  CL, R15
+	ADDQ  R15, AX
+
+sequenceDecs_decode_56_amd64_ll_update_zero:
+	MOVQ AX, (R10)
+
+	// Fill bitreader for state updates
+	MOVQ    R14, (SP)
+	MOVQ    R9, AX
+	SHRQ    $0x08, AX
+	MOVBQZX AL, AX
+	MOVQ    ctx+16(FP), CX
+	CMPQ    96(CX), $0x00
+	JZ      sequenceDecs_decode_56_amd64_skip_update
+
+	// Update Literal Length State
+	MOVBQZX DI, R14
+	SHRL    $0x10, DI
+	LEAQ    (BX)(R14*1), CX
+	MOVQ    DX, R15
+	MOVQ    CX, BX
+	ROLQ    CL, R15
+	MOVL    $0x00000001, BP
+	MOVB    R14, CL
+	SHLL    CL, BP
+	DECL    BP
+	ANDQ    BP, R15
+	ADDQ    R15, DI
+
+	// Load ctx.llTable
+	MOVQ ctx+16(FP), CX
+	MOVQ (CX), CX
+	MOVQ (CX)(DI*8), DI
+
+	// Update Match Length State
+	MOVBQZX R8, R14
+	SHRL    $0x10, R8
+	LEAQ    (BX)(R14*1), CX
+	MOVQ    DX, R15
+	MOVQ    CX, BX
+	ROLQ    CL, R15
+	MOVL    $0x00000001, BP
+	MOVB    R14, CL
+	SHLL    CL, BP
+	DECL    BP
+	ANDQ    BP, R15
+	ADDQ    R15, R8
+
+	// Load ctx.mlTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 24(CX), CX
+	MOVQ (CX)(R8*8), R8
+
+	// Update Offset State
+	MOVBQZX R9, R14
+	SHRL    $0x10, R9
+	LEAQ    (BX)(R14*1), CX
+	MOVQ    DX, R15
+	MOVQ    CX, BX
+	ROLQ    CL, R15
+	MOVL    $0x00000001, BP
+	MOVB    R14, CL
+	SHLL    CL, BP
+	DECL    BP
+	ANDQ    BP, R15
+	ADDQ    R15, R9
+
+	// Load ctx.ofTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 48(CX), CX
+	MOVQ (CX)(R9*8), R9
+
+sequenceDecs_decode_56_amd64_skip_update:
+	// Adjust offset
+	MOVQ 16(R10), CX
+	CMPQ AX, $0x01
+	JBE  sequenceDecs_decode_56_amd64_adjust_offsetB_1_or_0
+	MOVQ R12, R13
+	MOVQ R11, R12
+	MOVQ CX, R11
+	JMP  sequenceDecs_decode_56_amd64_after_adjust
+
+sequenceDecs_decode_56_amd64_adjust_offsetB_1_or_0:
+	CMPQ (R10), $0x00000000
+	JNE  sequenceDecs_decode_56_amd64_adjust_offset_maybezero
+	INCQ CX
+	JMP  sequenceDecs_decode_56_amd64_adjust_offset_nonzero
+
+sequenceDecs_decode_56_amd64_adjust_offset_maybezero:
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decode_56_amd64_adjust_offset_nonzero
+	MOVQ  R11, CX
+	JMP   sequenceDecs_decode_56_amd64_after_adjust
+
+sequenceDecs_decode_56_amd64_adjust_offset_nonzero:
+	CMPQ CX, $0x01
+	JB   sequenceDecs_decode_56_amd64_adjust_zero
+	JEQ  sequenceDecs_decode_56_amd64_adjust_one
+	CMPQ CX, $0x02
+	JA   sequenceDecs_decode_56_amd64_adjust_three
+	JMP  sequenceDecs_decode_56_amd64_adjust_two
+
+sequenceDecs_decode_56_amd64_adjust_zero:
+	MOVQ R11, AX
+	JMP  sequenceDecs_decode_56_amd64_adjust_test_temp_valid
+
+sequenceDecs_decode_56_amd64_adjust_one:
+	MOVQ R12, AX
+	JMP  sequenceDecs_decode_56_amd64_adjust_test_temp_valid
+
+sequenceDecs_decode_56_amd64_adjust_two:
+	MOVQ R13, AX
+	JMP  sequenceDecs_decode_56_amd64_adjust_test_temp_valid
+
+sequenceDecs_decode_56_amd64_adjust_three:
+	LEAQ -1(R11), AX
+
+sequenceDecs_decode_56_amd64_adjust_test_temp_valid:
+	TESTQ AX, AX
+	JNZ   sequenceDecs_decode_56_amd64_adjust_temp_valid
+	MOVQ  $0x00000001, AX
+
+sequenceDecs_decode_56_amd64_adjust_temp_valid:
+	CMPQ    CX, $0x01
+	CMOVQNE R12, R13
+	MOVQ    R11, R12
+	MOVQ    AX, R11
+	MOVQ    AX, CX
+
+sequenceDecs_decode_56_amd64_after_adjust:
+	MOVQ CX, 16(R10)
+
+	// Check values
+	MOVQ  8(R10), AX
+	MOVQ  (R10), R14
+	LEAQ  (AX)(R14*1), R15
+	MOVQ  s+0(FP), BP
+	ADDQ  R15, 256(BP)
+	MOVQ  ctx+16(FP), R15
+	SUBQ  R14, 128(R15)
+	JS    error_not_enough_literals
+	CMPQ  AX, $0x00020002
+	JA    sequenceDecs_decode_56_amd64_error_match_len_too_big
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decode_56_amd64_match_len_ofs_ok
+	TESTQ AX, AX
+	JNZ   sequenceDecs_decode_56_amd64_error_match_len_ofs_mismatch
+
+sequenceDecs_decode_56_amd64_match_len_ofs_ok:
+	ADDQ $0x18, R10
+	MOVQ ctx+16(FP), AX
+	DECQ 96(AX)
+	JNS  sequenceDecs_decode_56_amd64_main_loop
+	MOVQ s+0(FP), AX
+	MOVQ R11, 144(AX)
+	MOVQ R12, 152(AX)
+	MOVQ R13, 160(AX)
+	MOVQ br+8(FP), AX
+	MOVQ DX, 24(AX)
+	MOVB BL, 40(AX)
+	MOVQ SI, 32(AX)
+
+	// Return success
+	MOVQ $0x00000000, ret+24(FP)
+	RET
+
+	// Return with match length error
+sequenceDecs_decode_56_amd64_error_match_len_ofs_mismatch:
+	MOVQ $0x00000001, ret+24(FP)
+	RET
+
+	// Return with match too long error
+sequenceDecs_decode_56_amd64_error_match_len_too_big:
+	MOVQ $0x00000002, ret+24(FP)
+	RET
+
+	// Return with match offset too long error
+	MOVQ $0x00000003, ret+24(FP)
+	RET
+
+	// Return with not enough literals error
+error_not_enough_literals:
+	MOVQ $0x00000004, ret+24(FP)
+	RET
+
+	// Return with overread error
+error_overread:
+	MOVQ $0x00000006, ret+24(FP)
+	RET
+
+// func sequenceDecs_decode_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int
+// Requires: BMI, BMI2, CMOV
+TEXT ·sequenceDecs_decode_bmi2(SB), $8-32
+	MOVQ    br+8(FP), BX
+	MOVQ    24(BX), AX
+	MOVBQZX 40(BX), DX
+	MOVQ    (BX), CX
+	MOVQ    32(BX), BX
+	ADDQ    BX, CX
+	MOVQ    CX, (SP)
+	MOVQ    ctx+16(FP), CX
+	MOVQ    72(CX), SI
+	MOVQ    80(CX), DI
+	MOVQ    88(CX), R8
+	MOVQ    104(CX), R9
+	MOVQ    s+0(FP), CX
+	MOVQ    144(CX), R10
+	MOVQ    152(CX), R11
+	MOVQ    160(CX), R12
+
+sequenceDecs_decode_bmi2_main_loop:
+	MOVQ (SP), R13
+
+	// Fill bitreader to have enough for the offset and match length.
+	CMPQ BX, $0x08
+	JL   sequenceDecs_decode_bmi2_fill_byte_by_byte
+	MOVQ DX, CX
+	SHRQ $0x03, CX
+	SUBQ CX, R13
+	MOVQ (R13), AX
+	SUBQ CX, BX
+	ANDQ $0x07, DX
+	JMP  sequenceDecs_decode_bmi2_fill_end
+
+sequenceDecs_decode_bmi2_fill_byte_by_byte:
+	CMPQ    BX, $0x00
+	JLE     sequenceDecs_decode_bmi2_fill_check_overread
+	CMPQ    DX, $0x07
+	JLE     sequenceDecs_decode_bmi2_fill_end
+	SHLQ    $0x08, AX
+	SUBQ    $0x01, R13
+	SUBQ    $0x01, BX
+	SUBQ    $0x08, DX
+	MOVBQZX (R13), CX
+	ORQ     CX, AX
+	JMP     sequenceDecs_decode_bmi2_fill_byte_by_byte
+
+sequenceDecs_decode_bmi2_fill_check_overread:
+	CMPQ DX, $0x40
+	JA   error_overread
+
+sequenceDecs_decode_bmi2_fill_end:
+	// Update offset
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, R8, R14
+	MOVQ   AX, R15
+	LEAQ   (DX)(R14*1), CX
+	ROLQ   CL, R15
+	BZHIQ  R14, R15, R15
+	MOVQ   CX, DX
+	MOVQ   R8, CX
+	SHRQ   $0x20, CX
+	ADDQ   R15, CX
+	MOVQ   CX, 16(R9)
+
+	// Update match length
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, DI, R14
+	MOVQ   AX, R15
+	LEAQ   (DX)(R14*1), CX
+	ROLQ   CL, R15
+	BZHIQ  R14, R15, R15
+	MOVQ   CX, DX
+	MOVQ   DI, CX
+	SHRQ   $0x20, CX
+	ADDQ   R15, CX
+	MOVQ   CX, 8(R9)
+
+	// Fill bitreader to have enough for the remaining
+	CMPQ BX, $0x08
+	JL   sequenceDecs_decode_bmi2_fill_2_byte_by_byte
+	MOVQ DX, CX
+	SHRQ $0x03, CX
+	SUBQ CX, R13
+	MOVQ (R13), AX
+	SUBQ CX, BX
+	ANDQ $0x07, DX
+	JMP  sequenceDecs_decode_bmi2_fill_2_end
+
+sequenceDecs_decode_bmi2_fill_2_byte_by_byte:
+	CMPQ    BX, $0x00
+	JLE     sequenceDecs_decode_bmi2_fill_2_check_overread
+	CMPQ    DX, $0x07
+	JLE     sequenceDecs_decode_bmi2_fill_2_end
+	SHLQ    $0x08, AX
+	SUBQ    $0x01, R13
+	SUBQ    $0x01, BX
+	SUBQ    $0x08, DX
+	MOVBQZX (R13), CX
+	ORQ     CX, AX
+	JMP     sequenceDecs_decode_bmi2_fill_2_byte_by_byte
+
+sequenceDecs_decode_bmi2_fill_2_check_overread:
+	CMPQ DX, $0x40
+	JA   error_overread
+
+sequenceDecs_decode_bmi2_fill_2_end:
+	// Update literal length
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, SI, R14
+	MOVQ   AX, R15
+	LEAQ   (DX)(R14*1), CX
+	ROLQ   CL, R15
+	BZHIQ  R14, R15, R15
+	MOVQ   CX, DX
+	MOVQ   SI, CX
+	SHRQ   $0x20, CX
+	ADDQ   R15, CX
+	MOVQ   CX, (R9)
+
+	// Fill bitreader for state updates
+	MOVQ    R13, (SP)
+	MOVQ    $0x00000808, CX
+	BEXTRQ  CX, R8, R13
+	MOVQ    ctx+16(FP), CX
+	CMPQ    96(CX), $0x00
+	JZ      sequenceDecs_decode_bmi2_skip_update
+	LEAQ    (SI)(DI*1), R14
+	ADDQ    R8, R14
+	MOVBQZX R14, R14
+	LEAQ    (DX)(R14*1), CX
+	MOVQ    AX, R15
+	MOVQ    CX, DX
+	ROLQ    CL, R15
+	BZHIQ   R14, R15, R15
+
+	// Update Offset State
+	BZHIQ R8, R15, CX
+	SHRXQ R8, R15, R15
+	SHRL  $0x10, R8
+	ADDQ  CX, R8
+
+	// Load ctx.ofTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 48(CX), CX
+	MOVQ (CX)(R8*8), R8
+
+	// Update Match Length State
+	BZHIQ DI, R15, CX
+	SHRXQ DI, R15, R15
+	SHRL  $0x10, DI
+	ADDQ  CX, DI
+
+	// Load ctx.mlTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 24(CX), CX
+	MOVQ (CX)(DI*8), DI
+
+	// Update Literal Length State
+	BZHIQ SI, R15, CX
+	SHRL  $0x10, SI
+	ADDQ  CX, SI
+
+	// Load ctx.llTable
+	MOVQ ctx+16(FP), CX
+	MOVQ (CX), CX
+	MOVQ (CX)(SI*8), SI
+
+sequenceDecs_decode_bmi2_skip_update:
+	// Adjust offset
+	MOVQ 16(R9), CX
+	CMPQ R13, $0x01
+	JBE  sequenceDecs_decode_bmi2_adjust_offsetB_1_or_0
+	MOVQ R11, R12
+	MOVQ R10, R11
+	MOVQ CX, R10
+	JMP  sequenceDecs_decode_bmi2_after_adjust
+
+sequenceDecs_decode_bmi2_adjust_offsetB_1_or_0:
+	CMPQ (R9), $0x00000000
+	JNE  sequenceDecs_decode_bmi2_adjust_offset_maybezero
+	INCQ CX
+	JMP  sequenceDecs_decode_bmi2_adjust_offset_nonzero
+
+sequenceDecs_decode_bmi2_adjust_offset_maybezero:
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decode_bmi2_adjust_offset_nonzero
+	MOVQ  R10, CX
+	JMP   sequenceDecs_decode_bmi2_after_adjust
+
+sequenceDecs_decode_bmi2_adjust_offset_nonzero:
+	CMPQ CX, $0x01
+	JB   sequenceDecs_decode_bmi2_adjust_zero
+	JEQ  sequenceDecs_decode_bmi2_adjust_one
+	CMPQ CX, $0x02
+	JA   sequenceDecs_decode_bmi2_adjust_three
+	JMP  sequenceDecs_decode_bmi2_adjust_two
+
+sequenceDecs_decode_bmi2_adjust_zero:
+	MOVQ R10, R13
+	JMP  sequenceDecs_decode_bmi2_adjust_test_temp_valid
+
+sequenceDecs_decode_bmi2_adjust_one:
+	MOVQ R11, R13
+	JMP  sequenceDecs_decode_bmi2_adjust_test_temp_valid
+
+sequenceDecs_decode_bmi2_adjust_two:
+	MOVQ R12, R13
+	JMP  sequenceDecs_decode_bmi2_adjust_test_temp_valid
+
+sequenceDecs_decode_bmi2_adjust_three:
+	LEAQ -1(R10), R13
+
+sequenceDecs_decode_bmi2_adjust_test_temp_valid:
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decode_bmi2_adjust_temp_valid
+	MOVQ  $0x00000001, R13
+
+sequenceDecs_decode_bmi2_adjust_temp_valid:
+	CMPQ    CX, $0x01
+	CMOVQNE R11, R12
+	MOVQ    R10, R11
+	MOVQ    R13, R10
+	MOVQ    R13, CX
+
+sequenceDecs_decode_bmi2_after_adjust:
+	MOVQ CX, 16(R9)
+
+	// Check values
+	MOVQ  8(R9), R13
+	MOVQ  (R9), R14
+	LEAQ  (R13)(R14*1), R15
+	MOVQ  s+0(FP), BP
+	ADDQ  R15, 256(BP)
+	MOVQ  ctx+16(FP), R15
+	SUBQ  R14, 128(R15)
+	JS    error_not_enough_literals
+	CMPQ  R13, $0x00020002
+	JA    sequenceDecs_decode_bmi2_error_match_len_too_big
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decode_bmi2_match_len_ofs_ok
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decode_bmi2_error_match_len_ofs_mismatch
+
+sequenceDecs_decode_bmi2_match_len_ofs_ok:
+	ADDQ $0x18, R9
+	MOVQ ctx+16(FP), CX
+	DECQ 96(CX)
+	JNS  sequenceDecs_decode_bmi2_main_loop
+	MOVQ s+0(FP), CX
+	MOVQ R10, 144(CX)
+	MOVQ R11, 152(CX)
+	MOVQ R12, 160(CX)
+	MOVQ br+8(FP), CX
+	MOVQ AX, 24(CX)
+	MOVB DL, 40(CX)
+	MOVQ BX, 32(CX)
+
+	// Return success
+	MOVQ $0x00000000, ret+24(FP)
+	RET
+
+	// Return with match length error
+sequenceDecs_decode_bmi2_error_match_len_ofs_mismatch:
+	MOVQ $0x00000001, ret+24(FP)
+	RET
+
+	// Return with match too long error
+sequenceDecs_decode_bmi2_error_match_len_too_big:
+	MOVQ $0x00000002, ret+24(FP)
+	RET
+
+	// Return with match offset too long error
+	MOVQ $0x00000003, ret+24(FP)
+	RET
+
+	// Return with not enough literals error
+error_not_enough_literals:
+	MOVQ $0x00000004, ret+24(FP)
+	RET
+
+	// Return with overread error
+error_overread:
+	MOVQ $0x00000006, ret+24(FP)
+	RET
+
+// func sequenceDecs_decode_56_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int
+// Requires: BMI, BMI2, CMOV
+TEXT ·sequenceDecs_decode_56_bmi2(SB), $8-32
+	MOVQ    br+8(FP), BX
+	MOVQ    24(BX), AX
+	MOVBQZX 40(BX), DX
+	MOVQ    (BX), CX
+	MOVQ    32(BX), BX
+	ADDQ    BX, CX
+	MOVQ    CX, (SP)
+	MOVQ    ctx+16(FP), CX
+	MOVQ    72(CX), SI
+	MOVQ    80(CX), DI
+	MOVQ    88(CX), R8
+	MOVQ    104(CX), R9
+	MOVQ    s+0(FP), CX
+	MOVQ    144(CX), R10
+	MOVQ    152(CX), R11
+	MOVQ    160(CX), R12
+
+sequenceDecs_decode_56_bmi2_main_loop:
+	MOVQ (SP), R13
+
+	// Fill bitreader to have enough for the offset and match length.
+	CMPQ BX, $0x08
+	JL   sequenceDecs_decode_56_bmi2_fill_byte_by_byte
+	MOVQ DX, CX
+	SHRQ $0x03, CX
+	SUBQ CX, R13
+	MOVQ (R13), AX
+	SUBQ CX, BX
+	ANDQ $0x07, DX
+	JMP  sequenceDecs_decode_56_bmi2_fill_end
+
+sequenceDecs_decode_56_bmi2_fill_byte_by_byte:
+	CMPQ    BX, $0x00
+	JLE     sequenceDecs_decode_56_bmi2_fill_check_overread
+	CMPQ    DX, $0x07
+	JLE     sequenceDecs_decode_56_bmi2_fill_end
+	SHLQ    $0x08, AX
+	SUBQ    $0x01, R13
+	SUBQ    $0x01, BX
+	SUBQ    $0x08, DX
+	MOVBQZX (R13), CX
+	ORQ     CX, AX
+	JMP     sequenceDecs_decode_56_bmi2_fill_byte_by_byte
+
+sequenceDecs_decode_56_bmi2_fill_check_overread:
+	CMPQ DX, $0x40
+	JA   error_overread
+
+sequenceDecs_decode_56_bmi2_fill_end:
+	// Update offset
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, R8, R14
+	MOVQ   AX, R15
+	LEAQ   (DX)(R14*1), CX
+	ROLQ   CL, R15
+	BZHIQ  R14, R15, R15
+	MOVQ   CX, DX
+	MOVQ   R8, CX
+	SHRQ   $0x20, CX
+	ADDQ   R15, CX
+	MOVQ   CX, 16(R9)
+
+	// Update match length
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, DI, R14
+	MOVQ   AX, R15
+	LEAQ   (DX)(R14*1), CX
+	ROLQ   CL, R15
+	BZHIQ  R14, R15, R15
+	MOVQ   CX, DX
+	MOVQ   DI, CX
+	SHRQ   $0x20, CX
+	ADDQ   R15, CX
+	MOVQ   CX, 8(R9)
+
+	// Update literal length
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, SI, R14
+	MOVQ   AX, R15
+	LEAQ   (DX)(R14*1), CX
+	ROLQ   CL, R15
+	BZHIQ  R14, R15, R15
+	MOVQ   CX, DX
+	MOVQ   SI, CX
+	SHRQ   $0x20, CX
+	ADDQ   R15, CX
+	MOVQ   CX, (R9)
+
+	// Fill bitreader for state updates
+	MOVQ    R13, (SP)
+	MOVQ    $0x00000808, CX
+	BEXTRQ  CX, R8, R13
+	MOVQ    ctx+16(FP), CX
+	CMPQ    96(CX), $0x00
+	JZ      sequenceDecs_decode_56_bmi2_skip_update
+	LEAQ    (SI)(DI*1), R14
+	ADDQ    R8, R14
+	MOVBQZX R14, R14
+	LEAQ    (DX)(R14*1), CX
+	MOVQ    AX, R15
+	MOVQ    CX, DX
+	ROLQ    CL, R15
+	BZHIQ   R14, R15, R15
+
+	// Update Offset State
+	BZHIQ R8, R15, CX
+	SHRXQ R8, R15, R15
+	SHRL  $0x10, R8
+	ADDQ  CX, R8
+
+	// Load ctx.ofTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 48(CX), CX
+	MOVQ (CX)(R8*8), R8
+
+	// Update Match Length State
+	BZHIQ DI, R15, CX
+	SHRXQ DI, R15, R15
+	SHRL  $0x10, DI
+	ADDQ  CX, DI
+
+	// Load ctx.mlTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 24(CX), CX
+	MOVQ (CX)(DI*8), DI
+
+	// Update Literal Length State
+	BZHIQ SI, R15, CX
+	SHRL  $0x10, SI
+	ADDQ  CX, SI
+
+	// Load ctx.llTable
+	MOVQ ctx+16(FP), CX
+	MOVQ (CX), CX
+	MOVQ (CX)(SI*8), SI
+
+sequenceDecs_decode_56_bmi2_skip_update:
+	// Adjust offset
+	MOVQ 16(R9), CX
+	CMPQ R13, $0x01
+	JBE  sequenceDecs_decode_56_bmi2_adjust_offsetB_1_or_0
+	MOVQ R11, R12
+	MOVQ R10, R11
+	MOVQ CX, R10
+	JMP  sequenceDecs_decode_56_bmi2_after_adjust
+
+sequenceDecs_decode_56_bmi2_adjust_offsetB_1_or_0:
+	CMPQ (R9), $0x00000000
+	JNE  sequenceDecs_decode_56_bmi2_adjust_offset_maybezero
+	INCQ CX
+	JMP  sequenceDecs_decode_56_bmi2_adjust_offset_nonzero
+
+sequenceDecs_decode_56_bmi2_adjust_offset_maybezero:
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decode_56_bmi2_adjust_offset_nonzero
+	MOVQ  R10, CX
+	JMP   sequenceDecs_decode_56_bmi2_after_adjust
+
+sequenceDecs_decode_56_bmi2_adjust_offset_nonzero:
+	CMPQ CX, $0x01
+	JB   sequenceDecs_decode_56_bmi2_adjust_zero
+	JEQ  sequenceDecs_decode_56_bmi2_adjust_one
+	CMPQ CX, $0x02
+	JA   sequenceDecs_decode_56_bmi2_adjust_three
+	JMP  sequenceDecs_decode_56_bmi2_adjust_two
+
+sequenceDecs_decode_56_bmi2_adjust_zero:
+	MOVQ R10, R13
+	JMP  sequenceDecs_decode_56_bmi2_adjust_test_temp_valid
+
+sequenceDecs_decode_56_bmi2_adjust_one:
+	MOVQ R11, R13
+	JMP  sequenceDecs_decode_56_bmi2_adjust_test_temp_valid
+
+sequenceDecs_decode_56_bmi2_adjust_two:
+	MOVQ R12, R13
+	JMP  sequenceDecs_decode_56_bmi2_adjust_test_temp_valid
+
+sequenceDecs_decode_56_bmi2_adjust_three:
+	LEAQ -1(R10), R13
+
+sequenceDecs_decode_56_bmi2_adjust_test_temp_valid:
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decode_56_bmi2_adjust_temp_valid
+	MOVQ  $0x00000001, R13
+
+sequenceDecs_decode_56_bmi2_adjust_temp_valid:
+	CMPQ    CX, $0x01
+	CMOVQNE R11, R12
+	MOVQ    R10, R11
+	MOVQ    R13, R10
+	MOVQ    R13, CX
+
+sequenceDecs_decode_56_bmi2_after_adjust:
+	MOVQ CX, 16(R9)
+
+	// Check values
+	MOVQ  8(R9), R13
+	MOVQ  (R9), R14
+	LEAQ  (R13)(R14*1), R15
+	MOVQ  s+0(FP), BP
+	ADDQ  R15, 256(BP)
+	MOVQ  ctx+16(FP), R15
+	SUBQ  R14, 128(R15)
+	JS    error_not_enough_literals
+	CMPQ  R13, $0x00020002
+	JA    sequenceDecs_decode_56_bmi2_error_match_len_too_big
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decode_56_bmi2_match_len_ofs_ok
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decode_56_bmi2_error_match_len_ofs_mismatch
+
+sequenceDecs_decode_56_bmi2_match_len_ofs_ok:
+	ADDQ $0x18, R9
+	MOVQ ctx+16(FP), CX
+	DECQ 96(CX)
+	JNS  sequenceDecs_decode_56_bmi2_main_loop
+	MOVQ s+0(FP), CX
+	MOVQ R10, 144(CX)
+	MOVQ R11, 152(CX)
+	MOVQ R12, 160(CX)
+	MOVQ br+8(FP), CX
+	MOVQ AX, 24(CX)
+	MOVB DL, 40(CX)
+	MOVQ BX, 32(CX)
+
+	// Return success
+	MOVQ $0x00000000, ret+24(FP)
+	RET
+
+	// Return with match length error
+sequenceDecs_decode_56_bmi2_error_match_len_ofs_mismatch:
+	MOVQ $0x00000001, ret+24(FP)
+	RET
+
+	// Return with match too long error
+sequenceDecs_decode_56_bmi2_error_match_len_too_big:
+	MOVQ $0x00000002, ret+24(FP)
+	RET
+
+	// Return with match offset too long error
+	MOVQ $0x00000003, ret+24(FP)
+	RET
+
+	// Return with not enough literals error
+error_not_enough_literals:
+	MOVQ $0x00000004, ret+24(FP)
+	RET
+
+	// Return with overread error
+error_overread:
+	MOVQ $0x00000006, ret+24(FP)
+	RET
+
+// func sequenceDecs_executeSimple_amd64(ctx *executeAsmContext) bool
+// Requires: SSE
+TEXT ·sequenceDecs_executeSimple_amd64(SB), $8-9
+	MOVQ  ctx+0(FP), R10
+	MOVQ  8(R10), CX
+	TESTQ CX, CX
+	JZ    empty_seqs
+	MOVQ  (R10), AX
+	MOVQ  24(R10), DX
+	MOVQ  32(R10), BX
+	MOVQ  80(R10), SI
+	MOVQ  104(R10), DI
+	MOVQ  120(R10), R8
+	MOVQ  56(R10), R9
+	MOVQ  64(R10), R10
+	ADDQ  R10, R9
+
+	// seqsBase += 24 * seqIndex
+	LEAQ (DX)(DX*2), R11
+	SHLQ $0x03, R11
+	ADDQ R11, AX
+
+	// outBase += outPosition
+	ADDQ DI, BX
+
+main_loop:
+	MOVQ (AX), R11
+	MOVQ 16(AX), R12
+	MOVQ 8(AX), R13
+
+	// Copy literals
+	TESTQ R11, R11
+	JZ    check_offset
+	XORQ  R14, R14
+
+copy_1:
+	MOVUPS (SI)(R14*1), X0
+	MOVUPS X0, (BX)(R14*1)
+	ADDQ   $0x10, R14
+	CMPQ   R14, R11
+	JB     copy_1
+	ADDQ   R11, SI
+	ADDQ   R11, BX
+	ADDQ   R11, DI
+
+	// Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize)
+check_offset:
+	LEAQ (DI)(R10*1), R11
+	CMPQ R12, R11
+	JG   error_match_off_too_big
+	CMPQ R12, R8
+	JG   error_match_off_too_big
+
+	// Copy match from history
+	MOVQ R12, R11
+	SUBQ DI, R11
+	JLS  copy_match
+	MOVQ R9, R14
+	SUBQ R11, R14
+	CMPQ R13, R11
+	JG   copy_all_from_history
+	MOVQ R13, R11
+	SUBQ $0x10, R11
+	JB   copy_4_small
+
+copy_4_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (BX)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, BX
+	SUBQ   $0x10, R11
+	JAE    copy_4_loop
+	LEAQ   16(R14)(R11*1), R14
+	LEAQ   16(BX)(R11*1), BX
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(BX)
+	JMP    copy_4_end
+
+copy_4_small:
+	CMPQ R13, $0x03
+	JE   copy_4_move_3
+	CMPQ R13, $0x08
+	JB   copy_4_move_4through7
+	JMP  copy_4_move_8through16
+
+copy_4_move_3:
+	MOVW (R14), R11
+	MOVB 2(R14), R12
+	MOVW R11, (BX)
+	MOVB R12, 2(BX)
+	ADDQ R13, R14
+	ADDQ R13, BX
+	JMP  copy_4_end
+
+copy_4_move_4through7:
+	MOVL (R14), R11
+	MOVL -4(R14)(R13*1), R12
+	MOVL R11, (BX)
+	MOVL R12, -4(BX)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, BX
+	JMP  copy_4_end
+
+copy_4_move_8through16:
+	MOVQ (R14), R11
+	MOVQ -8(R14)(R13*1), R12
+	MOVQ R11, (BX)
+	MOVQ R12, -8(BX)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, BX
+
+copy_4_end:
+	ADDQ R13, DI
+	ADDQ $0x18, AX
+	INCQ DX
+	CMPQ DX, CX
+	JB   main_loop
+	JMP  loop_finished
+
+copy_all_from_history:
+	MOVQ R11, R15
+	SUBQ $0x10, R15
+	JB   copy_5_small
+
+copy_5_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (BX)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, BX
+	SUBQ   $0x10, R15
+	JAE    copy_5_loop
+	LEAQ   16(R14)(R15*1), R14
+	LEAQ   16(BX)(R15*1), BX
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(BX)
+	JMP    copy_5_end
+
+copy_5_small:
+	CMPQ R11, $0x03
+	JE   copy_5_move_3
+	JB   copy_5_move_1or2
+	CMPQ R11, $0x08
+	JB   copy_5_move_4through7
+	JMP  copy_5_move_8through16
+
+copy_5_move_1or2:
+	MOVB (R14), R15
+	MOVB -1(R14)(R11*1), BP
+	MOVB R15, (BX)
+	MOVB BP, -1(BX)(R11*1)
+	ADDQ R11, R14
+	ADDQ R11, BX
+	JMP  copy_5_end
+
+copy_5_move_3:
+	MOVW (R14), R15
+	MOVB 2(R14), BP
+	MOVW R15, (BX)
+	MOVB BP, 2(BX)
+	ADDQ R11, R14
+	ADDQ R11, BX
+	JMP  copy_5_end
+
+copy_5_move_4through7:
+	MOVL (R14), R15
+	MOVL -4(R14)(R11*1), BP
+	MOVL R15, (BX)
+	MOVL BP, -4(BX)(R11*1)
+	ADDQ R11, R14
+	ADDQ R11, BX
+	JMP  copy_5_end
+
+copy_5_move_8through16:
+	MOVQ (R14), R15
+	MOVQ -8(R14)(R11*1), BP
+	MOVQ R15, (BX)
+	MOVQ BP, -8(BX)(R11*1)
+	ADDQ R11, R14
+	ADDQ R11, BX
+
+copy_5_end:
+	ADDQ R11, DI
+	SUBQ R11, R13
+
+	// Copy match from the current buffer
+copy_match:
+	MOVQ BX, R11
+	SUBQ R12, R11
+
+	// ml <= mo
+	CMPQ R13, R12
+	JA   copy_overlapping_match
+
+	// Copy non-overlapping match
+	ADDQ R13, DI
+	MOVQ BX, R12
+	ADDQ R13, BX
+
+copy_2:
+	MOVUPS (R11), X0
+	MOVUPS X0, (R12)
+	ADDQ   $0x10, R11
+	ADDQ   $0x10, R12
+	SUBQ   $0x10, R13
+	JHI    copy_2
+	JMP    handle_loop
+
+	// Copy overlapping match
+copy_overlapping_match:
+	ADDQ R13, DI
+
+copy_slow_3:
+	MOVB (R11), R12
+	MOVB R12, (BX)
+	INCQ R11
+	INCQ BX
+	DECQ R13
+	JNZ  copy_slow_3
+
+handle_loop:
+	ADDQ $0x18, AX
+	INCQ DX
+	CMPQ DX, CX
+	JB   main_loop
+
+loop_finished:
+	// Return value
+	MOVB $0x01, ret+8(FP)
+
+	// Update the context
+	MOVQ ctx+0(FP), AX
+	MOVQ DX, 24(AX)
+	MOVQ DI, 104(AX)
+	SUBQ 80(AX), SI
+	MOVQ SI, 112(AX)
+	RET
+
+error_match_off_too_big:
+	// Return value
+	MOVB $0x00, ret+8(FP)
+
+	// Update the context
+	MOVQ ctx+0(FP), AX
+	MOVQ DX, 24(AX)
+	MOVQ DI, 104(AX)
+	SUBQ 80(AX), SI
+	MOVQ SI, 112(AX)
+	RET
+
+empty_seqs:
+	// Return value
+	MOVB $0x01, ret+8(FP)
+	RET
+
+// func sequenceDecs_executeSimple_safe_amd64(ctx *executeAsmContext) bool
+// Requires: SSE
+TEXT ·sequenceDecs_executeSimple_safe_amd64(SB), $8-9
+	MOVQ  ctx+0(FP), R10
+	MOVQ  8(R10), CX
+	TESTQ CX, CX
+	JZ    empty_seqs
+	MOVQ  (R10), AX
+	MOVQ  24(R10), DX
+	MOVQ  32(R10), BX
+	MOVQ  80(R10), SI
+	MOVQ  104(R10), DI
+	MOVQ  120(R10), R8
+	MOVQ  56(R10), R9
+	MOVQ  64(R10), R10
+	ADDQ  R10, R9
+
+	// seqsBase += 24 * seqIndex
+	LEAQ (DX)(DX*2), R11
+	SHLQ $0x03, R11
+	ADDQ R11, AX
+
+	// outBase += outPosition
+	ADDQ DI, BX
+
+main_loop:
+	MOVQ (AX), R11
+	MOVQ 16(AX), R12
+	MOVQ 8(AX), R13
+
+	// Copy literals
+	TESTQ R11, R11
+	JZ    check_offset
+	MOVQ  R11, R14
+	SUBQ  $0x10, R14
+	JB    copy_1_small
+
+copy_1_loop:
+	MOVUPS (SI), X0
+	MOVUPS X0, (BX)
+	ADDQ   $0x10, SI
+	ADDQ   $0x10, BX
+	SUBQ   $0x10, R14
+	JAE    copy_1_loop
+	LEAQ   16(SI)(R14*1), SI
+	LEAQ   16(BX)(R14*1), BX
+	MOVUPS -16(SI), X0
+	MOVUPS X0, -16(BX)
+	JMP    copy_1_end
+
+copy_1_small:
+	CMPQ R11, $0x03
+	JE   copy_1_move_3
+	JB   copy_1_move_1or2
+	CMPQ R11, $0x08
+	JB   copy_1_move_4through7
+	JMP  copy_1_move_8through16
+
+copy_1_move_1or2:
+	MOVB (SI), R14
+	MOVB -1(SI)(R11*1), R15
+	MOVB R14, (BX)
+	MOVB R15, -1(BX)(R11*1)
+	ADDQ R11, SI
+	ADDQ R11, BX
+	JMP  copy_1_end
+
+copy_1_move_3:
+	MOVW (SI), R14
+	MOVB 2(SI), R15
+	MOVW R14, (BX)
+	MOVB R15, 2(BX)
+	ADDQ R11, SI
+	ADDQ R11, BX
+	JMP  copy_1_end
+
+copy_1_move_4through7:
+	MOVL (SI), R14
+	MOVL -4(SI)(R11*1), R15
+	MOVL R14, (BX)
+	MOVL R15, -4(BX)(R11*1)
+	ADDQ R11, SI
+	ADDQ R11, BX
+	JMP  copy_1_end
+
+copy_1_move_8through16:
+	MOVQ (SI), R14
+	MOVQ -8(SI)(R11*1), R15
+	MOVQ R14, (BX)
+	MOVQ R15, -8(BX)(R11*1)
+	ADDQ R11, SI
+	ADDQ R11, BX
+
+copy_1_end:
+	ADDQ R11, DI
+
+	// Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize)
+check_offset:
+	LEAQ (DI)(R10*1), R11
+	CMPQ R12, R11
+	JG   error_match_off_too_big
+	CMPQ R12, R8
+	JG   error_match_off_too_big
+
+	// Copy match from history
+	MOVQ R12, R11
+	SUBQ DI, R11
+	JLS  copy_match
+	MOVQ R9, R14
+	SUBQ R11, R14
+	CMPQ R13, R11
+	JG   copy_all_from_history
+	MOVQ R13, R11
+	SUBQ $0x10, R11
+	JB   copy_4_small
+
+copy_4_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (BX)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, BX
+	SUBQ   $0x10, R11
+	JAE    copy_4_loop
+	LEAQ   16(R14)(R11*1), R14
+	LEAQ   16(BX)(R11*1), BX
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(BX)
+	JMP    copy_4_end
+
+copy_4_small:
+	CMPQ R13, $0x03
+	JE   copy_4_move_3
+	CMPQ R13, $0x08
+	JB   copy_4_move_4through7
+	JMP  copy_4_move_8through16
+
+copy_4_move_3:
+	MOVW (R14), R11
+	MOVB 2(R14), R12
+	MOVW R11, (BX)
+	MOVB R12, 2(BX)
+	ADDQ R13, R14
+	ADDQ R13, BX
+	JMP  copy_4_end
+
+copy_4_move_4through7:
+	MOVL (R14), R11
+	MOVL -4(R14)(R13*1), R12
+	MOVL R11, (BX)
+	MOVL R12, -4(BX)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, BX
+	JMP  copy_4_end
+
+copy_4_move_8through16:
+	MOVQ (R14), R11
+	MOVQ -8(R14)(R13*1), R12
+	MOVQ R11, (BX)
+	MOVQ R12, -8(BX)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, BX
+
+copy_4_end:
+	ADDQ R13, DI
+	ADDQ $0x18, AX
+	INCQ DX
+	CMPQ DX, CX
+	JB   main_loop
+	JMP  loop_finished
+
+copy_all_from_history:
+	MOVQ R11, R15
+	SUBQ $0x10, R15
+	JB   copy_5_small
+
+copy_5_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (BX)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, BX
+	SUBQ   $0x10, R15
+	JAE    copy_5_loop
+	LEAQ   16(R14)(R15*1), R14
+	LEAQ   16(BX)(R15*1), BX
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(BX)
+	JMP    copy_5_end
+
+copy_5_small:
+	CMPQ R11, $0x03
+	JE   copy_5_move_3
+	JB   copy_5_move_1or2
+	CMPQ R11, $0x08
+	JB   copy_5_move_4through7
+	JMP  copy_5_move_8through16
+
+copy_5_move_1or2:
+	MOVB (R14), R15
+	MOVB -1(R14)(R11*1), BP
+	MOVB R15, (BX)
+	MOVB BP, -1(BX)(R11*1)
+	ADDQ R11, R14
+	ADDQ R11, BX
+	JMP  copy_5_end
+
+copy_5_move_3:
+	MOVW (R14), R15
+	MOVB 2(R14), BP
+	MOVW R15, (BX)
+	MOVB BP, 2(BX)
+	ADDQ R11, R14
+	ADDQ R11, BX
+	JMP  copy_5_end
+
+copy_5_move_4through7:
+	MOVL (R14), R15
+	MOVL -4(R14)(R11*1), BP
+	MOVL R15, (BX)
+	MOVL BP, -4(BX)(R11*1)
+	ADDQ R11, R14
+	ADDQ R11, BX
+	JMP  copy_5_end
+
+copy_5_move_8through16:
+	MOVQ (R14), R15
+	MOVQ -8(R14)(R11*1), BP
+	MOVQ R15, (BX)
+	MOVQ BP, -8(BX)(R11*1)
+	ADDQ R11, R14
+	ADDQ R11, BX
+
+copy_5_end:
+	ADDQ R11, DI
+	SUBQ R11, R13
+
+	// Copy match from the current buffer
+copy_match:
+	MOVQ BX, R11
+	SUBQ R12, R11
+
+	// ml <= mo
+	CMPQ R13, R12
+	JA   copy_overlapping_match
+
+	// Copy non-overlapping match
+	ADDQ R13, DI
+	MOVQ R13, R12
+	SUBQ $0x10, R12
+	JB   copy_2_small
+
+copy_2_loop:
+	MOVUPS (R11), X0
+	MOVUPS X0, (BX)
+	ADDQ   $0x10, R11
+	ADDQ   $0x10, BX
+	SUBQ   $0x10, R12
+	JAE    copy_2_loop
+	LEAQ   16(R11)(R12*1), R11
+	LEAQ   16(BX)(R12*1), BX
+	MOVUPS -16(R11), X0
+	MOVUPS X0, -16(BX)
+	JMP    copy_2_end
+
+copy_2_small:
+	CMPQ R13, $0x03
+	JE   copy_2_move_3
+	JB   copy_2_move_1or2
+	CMPQ R13, $0x08
+	JB   copy_2_move_4through7
+	JMP  copy_2_move_8through16
+
+copy_2_move_1or2:
+	MOVB (R11), R12
+	MOVB -1(R11)(R13*1), R14
+	MOVB R12, (BX)
+	MOVB R14, -1(BX)(R13*1)
+	ADDQ R13, R11
+	ADDQ R13, BX
+	JMP  copy_2_end
+
+copy_2_move_3:
+	MOVW (R11), R12
+	MOVB 2(R11), R14
+	MOVW R12, (BX)
+	MOVB R14, 2(BX)
+	ADDQ R13, R11
+	ADDQ R13, BX
+	JMP  copy_2_end
+
+copy_2_move_4through7:
+	MOVL (R11), R12
+	MOVL -4(R11)(R13*1), R14
+	MOVL R12, (BX)
+	MOVL R14, -4(BX)(R13*1)
+	ADDQ R13, R11
+	ADDQ R13, BX
+	JMP  copy_2_end
+
+copy_2_move_8through16:
+	MOVQ (R11), R12
+	MOVQ -8(R11)(R13*1), R14
+	MOVQ R12, (BX)
+	MOVQ R14, -8(BX)(R13*1)
+	ADDQ R13, R11
+	ADDQ R13, BX
+
+copy_2_end:
+	JMP handle_loop
+
+	// Copy overlapping match
+copy_overlapping_match:
+	ADDQ R13, DI
+
+copy_slow_3:
+	MOVB (R11), R12
+	MOVB R12, (BX)
+	INCQ R11
+	INCQ BX
+	DECQ R13
+	JNZ  copy_slow_3
+
+handle_loop:
+	ADDQ $0x18, AX
+	INCQ DX
+	CMPQ DX, CX
+	JB   main_loop
+
+loop_finished:
+	// Return value
+	MOVB $0x01, ret+8(FP)
+
+	// Update the context
+	MOVQ ctx+0(FP), AX
+	MOVQ DX, 24(AX)
+	MOVQ DI, 104(AX)
+	SUBQ 80(AX), SI
+	MOVQ SI, 112(AX)
+	RET
+
+error_match_off_too_big:
+	// Return value
+	MOVB $0x00, ret+8(FP)
+
+	// Update the context
+	MOVQ ctx+0(FP), AX
+	MOVQ DX, 24(AX)
+	MOVQ DI, 104(AX)
+	SUBQ 80(AX), SI
+	MOVQ SI, 112(AX)
+	RET
+
+empty_seqs:
+	// Return value
+	MOVB $0x01, ret+8(FP)
+	RET
+
+// func sequenceDecs_decodeSync_amd64(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int
+// Requires: CMOV, SSE
+TEXT ·sequenceDecs_decodeSync_amd64(SB), $64-32
+	MOVQ    br+8(FP), CX
+	MOVQ    24(CX), DX
+	MOVBQZX 40(CX), BX
+	MOVQ    (CX), AX
+	MOVQ    32(CX), SI
+	ADDQ    SI, AX
+	MOVQ    AX, (SP)
+	MOVQ    ctx+16(FP), AX
+	MOVQ    72(AX), DI
+	MOVQ    80(AX), R8
+	MOVQ    88(AX), R9
+	XORQ    CX, CX
+	MOVQ    CX, 8(SP)
+	MOVQ    CX, 16(SP)
+	MOVQ    CX, 24(SP)
+	MOVQ    112(AX), R10
+	MOVQ    128(AX), CX
+	MOVQ    CX, 32(SP)
+	MOVQ    144(AX), R11
+	MOVQ    136(AX), R12
+	MOVQ    200(AX), CX
+	MOVQ    CX, 56(SP)
+	MOVQ    176(AX), CX
+	MOVQ    CX, 48(SP)
+	MOVQ    184(AX), AX
+	MOVQ    AX, 40(SP)
+	MOVQ    40(SP), AX
+	ADDQ    AX, 48(SP)
+
+	// Calculate pointer to s.out[cap(s.out)] (a past-end pointer)
+	ADDQ R10, 32(SP)
+
+	// outBase += outPosition
+	ADDQ R12, R10
+
+sequenceDecs_decodeSync_amd64_main_loop:
+	MOVQ (SP), R13
+
+	// Fill bitreader to have enough for the offset and match length.
+	CMPQ SI, $0x08
+	JL   sequenceDecs_decodeSync_amd64_fill_byte_by_byte
+	MOVQ BX, AX
+	SHRQ $0x03, AX
+	SUBQ AX, R13
+	MOVQ (R13), DX
+	SUBQ AX, SI
+	ANDQ $0x07, BX
+	JMP  sequenceDecs_decodeSync_amd64_fill_end
+
+sequenceDecs_decodeSync_amd64_fill_byte_by_byte:
+	CMPQ    SI, $0x00
+	JLE     sequenceDecs_decodeSync_amd64_fill_check_overread
+	CMPQ    BX, $0x07
+	JLE     sequenceDecs_decodeSync_amd64_fill_end
+	SHLQ    $0x08, DX
+	SUBQ    $0x01, R13
+	SUBQ    $0x01, SI
+	SUBQ    $0x08, BX
+	MOVBQZX (R13), AX
+	ORQ     AX, DX
+	JMP     sequenceDecs_decodeSync_amd64_fill_byte_by_byte
+
+sequenceDecs_decodeSync_amd64_fill_check_overread:
+	CMPQ BX, $0x40
+	JA   error_overread
+
+sequenceDecs_decodeSync_amd64_fill_end:
+	// Update offset
+	MOVQ  R9, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R14
+	SHLQ  CL, R14
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decodeSync_amd64_of_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decodeSync_amd64_of_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decodeSync_amd64_of_update_zero
+	NEGQ  CX
+	SHRQ  CL, R14
+	ADDQ  R14, AX
+
+sequenceDecs_decodeSync_amd64_of_update_zero:
+	MOVQ AX, 8(SP)
+
+	// Update match length
+	MOVQ  R8, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R14
+	SHLQ  CL, R14
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decodeSync_amd64_ml_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decodeSync_amd64_ml_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decodeSync_amd64_ml_update_zero
+	NEGQ  CX
+	SHRQ  CL, R14
+	ADDQ  R14, AX
+
+sequenceDecs_decodeSync_amd64_ml_update_zero:
+	MOVQ AX, 16(SP)
+
+	// Fill bitreader to have enough for the remaining
+	CMPQ SI, $0x08
+	JL   sequenceDecs_decodeSync_amd64_fill_2_byte_by_byte
+	MOVQ BX, AX
+	SHRQ $0x03, AX
+	SUBQ AX, R13
+	MOVQ (R13), DX
+	SUBQ AX, SI
+	ANDQ $0x07, BX
+	JMP  sequenceDecs_decodeSync_amd64_fill_2_end
+
+sequenceDecs_decodeSync_amd64_fill_2_byte_by_byte:
+	CMPQ    SI, $0x00
+	JLE     sequenceDecs_decodeSync_amd64_fill_2_check_overread
+	CMPQ    BX, $0x07
+	JLE     sequenceDecs_decodeSync_amd64_fill_2_end
+	SHLQ    $0x08, DX
+	SUBQ    $0x01, R13
+	SUBQ    $0x01, SI
+	SUBQ    $0x08, BX
+	MOVBQZX (R13), AX
+	ORQ     AX, DX
+	JMP     sequenceDecs_decodeSync_amd64_fill_2_byte_by_byte
+
+sequenceDecs_decodeSync_amd64_fill_2_check_overread:
+	CMPQ BX, $0x40
+	JA   error_overread
+
+sequenceDecs_decodeSync_amd64_fill_2_end:
+	// Update literal length
+	MOVQ  DI, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R14
+	SHLQ  CL, R14
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decodeSync_amd64_ll_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decodeSync_amd64_ll_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decodeSync_amd64_ll_update_zero
+	NEGQ  CX
+	SHRQ  CL, R14
+	ADDQ  R14, AX
+
+sequenceDecs_decodeSync_amd64_ll_update_zero:
+	MOVQ AX, 24(SP)
+
+	// Fill bitreader for state updates
+	MOVQ    R13, (SP)
+	MOVQ    R9, AX
+	SHRQ    $0x08, AX
+	MOVBQZX AL, AX
+	MOVQ    ctx+16(FP), CX
+	CMPQ    96(CX), $0x00
+	JZ      sequenceDecs_decodeSync_amd64_skip_update
+
+	// Update Literal Length State
+	MOVBQZX DI, R13
+	SHRL    $0x10, DI
+	LEAQ    (BX)(R13*1), CX
+	MOVQ    DX, R14
+	MOVQ    CX, BX
+	ROLQ    CL, R14
+	MOVL    $0x00000001, R15
+	MOVB    R13, CL
+	SHLL    CL, R15
+	DECL    R15
+	ANDQ    R15, R14
+	ADDQ    R14, DI
+
+	// Load ctx.llTable
+	MOVQ ctx+16(FP), CX
+	MOVQ (CX), CX
+	MOVQ (CX)(DI*8), DI
+
+	// Update Match Length State
+	MOVBQZX R8, R13
+	SHRL    $0x10, R8
+	LEAQ    (BX)(R13*1), CX
+	MOVQ    DX, R14
+	MOVQ    CX, BX
+	ROLQ    CL, R14
+	MOVL    $0x00000001, R15
+	MOVB    R13, CL
+	SHLL    CL, R15
+	DECL    R15
+	ANDQ    R15, R14
+	ADDQ    R14, R8
+
+	// Load ctx.mlTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 24(CX), CX
+	MOVQ (CX)(R8*8), R8
+
+	// Update Offset State
+	MOVBQZX R9, R13
+	SHRL    $0x10, R9
+	LEAQ    (BX)(R13*1), CX
+	MOVQ    DX, R14
+	MOVQ    CX, BX
+	ROLQ    CL, R14
+	MOVL    $0x00000001, R15
+	MOVB    R13, CL
+	SHLL    CL, R15
+	DECL    R15
+	ANDQ    R15, R14
+	ADDQ    R14, R9
+
+	// Load ctx.ofTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 48(CX), CX
+	MOVQ (CX)(R9*8), R9
+
+sequenceDecs_decodeSync_amd64_skip_update:
+	// Adjust offset
+	MOVQ   s+0(FP), CX
+	MOVQ   8(SP), R13
+	CMPQ   AX, $0x01
+	JBE    sequenceDecs_decodeSync_amd64_adjust_offsetB_1_or_0
+	MOVUPS 144(CX), X0
+	MOVQ   R13, 144(CX)
+	MOVUPS X0, 152(CX)
+	JMP    sequenceDecs_decodeSync_amd64_after_adjust
+
+sequenceDecs_decodeSync_amd64_adjust_offsetB_1_or_0:
+	CMPQ 24(SP), $0x00000000
+	JNE  sequenceDecs_decodeSync_amd64_adjust_offset_maybezero
+	INCQ R13
+	JMP  sequenceDecs_decodeSync_amd64_adjust_offset_nonzero
+
+sequenceDecs_decodeSync_amd64_adjust_offset_maybezero:
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decodeSync_amd64_adjust_offset_nonzero
+	MOVQ  144(CX), R13
+	JMP   sequenceDecs_decodeSync_amd64_after_adjust
+
+sequenceDecs_decodeSync_amd64_adjust_offset_nonzero:
+	MOVQ    R13, AX
+	XORQ    R14, R14
+	MOVQ    $-1, R15
+	CMPQ    R13, $0x03
+	CMOVQEQ R14, AX
+	CMOVQEQ R15, R14
+	ADDQ    144(CX)(AX*8), R14
+	JNZ     sequenceDecs_decodeSync_amd64_adjust_temp_valid
+	MOVQ    $0x00000001, R14
+
+sequenceDecs_decodeSync_amd64_adjust_temp_valid:
+	CMPQ R13, $0x01
+	JZ   sequenceDecs_decodeSync_amd64_adjust_skip
+	MOVQ 152(CX), AX
+	MOVQ AX, 160(CX)
+
+sequenceDecs_decodeSync_amd64_adjust_skip:
+	MOVQ 144(CX), AX
+	MOVQ AX, 152(CX)
+	MOVQ R14, 144(CX)
+	MOVQ R14, R13
+
+sequenceDecs_decodeSync_amd64_after_adjust:
+	MOVQ R13, 8(SP)
+
+	// Check values
+	MOVQ  16(SP), AX
+	MOVQ  24(SP), CX
+	LEAQ  (AX)(CX*1), R14
+	MOVQ  s+0(FP), R15
+	ADDQ  R14, 256(R15)
+	MOVQ  ctx+16(FP), R14
+	SUBQ  CX, 104(R14)
+	JS    error_not_enough_literals
+	CMPQ  AX, $0x00020002
+	JA    sequenceDecs_decodeSync_amd64_error_match_len_too_big
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decodeSync_amd64_match_len_ofs_ok
+	TESTQ AX, AX
+	JNZ   sequenceDecs_decodeSync_amd64_error_match_len_ofs_mismatch
+
+sequenceDecs_decodeSync_amd64_match_len_ofs_ok:
+	MOVQ 24(SP), AX
+	MOVQ 8(SP), CX
+	MOVQ 16(SP), R13
+
+	// Check if we have enough space in s.out
+	LEAQ (AX)(R13*1), R14
+	ADDQ R10, R14
+	CMPQ R14, 32(SP)
+	JA   error_not_enough_space
+
+	// Copy literals
+	TESTQ AX, AX
+	JZ    check_offset
+	XORQ  R14, R14
+
+copy_1:
+	MOVUPS (R11)(R14*1), X0
+	MOVUPS X0, (R10)(R14*1)
+	ADDQ   $0x10, R14
+	CMPQ   R14, AX
+	JB     copy_1
+	ADDQ   AX, R11
+	ADDQ   AX, R10
+	ADDQ   AX, R12
+
+	// Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize)
+check_offset:
+	MOVQ R12, AX
+	ADDQ 40(SP), AX
+	CMPQ CX, AX
+	JG   error_match_off_too_big
+	CMPQ CX, 56(SP)
+	JG   error_match_off_too_big
+
+	// Copy match from history
+	MOVQ CX, AX
+	SUBQ R12, AX
+	JLS  copy_match
+	MOVQ 48(SP), R14
+	SUBQ AX, R14
+	CMPQ R13, AX
+	JG   copy_all_from_history
+	MOVQ R13, AX
+	SUBQ $0x10, AX
+	JB   copy_4_small
+
+copy_4_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (R10)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, R10
+	SUBQ   $0x10, AX
+	JAE    copy_4_loop
+	LEAQ   16(R14)(AX*1), R14
+	LEAQ   16(R10)(AX*1), R10
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(R10)
+	JMP    copy_4_end
+
+copy_4_small:
+	CMPQ R13, $0x03
+	JE   copy_4_move_3
+	CMPQ R13, $0x08
+	JB   copy_4_move_4through7
+	JMP  copy_4_move_8through16
+
+copy_4_move_3:
+	MOVW (R14), AX
+	MOVB 2(R14), CL
+	MOVW AX, (R10)
+	MOVB CL, 2(R10)
+	ADDQ R13, R14
+	ADDQ R13, R10
+	JMP  copy_4_end
+
+copy_4_move_4through7:
+	MOVL (R14), AX
+	MOVL -4(R14)(R13*1), CX
+	MOVL AX, (R10)
+	MOVL CX, -4(R10)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, R10
+	JMP  copy_4_end
+
+copy_4_move_8through16:
+	MOVQ (R14), AX
+	MOVQ -8(R14)(R13*1), CX
+	MOVQ AX, (R10)
+	MOVQ CX, -8(R10)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, R10
+
+copy_4_end:
+	ADDQ R13, R12
+	JMP  handle_loop
+	JMP loop_finished
+
+copy_all_from_history:
+	MOVQ AX, R15
+	SUBQ $0x10, R15
+	JB   copy_5_small
+
+copy_5_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (R10)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, R10
+	SUBQ   $0x10, R15
+	JAE    copy_5_loop
+	LEAQ   16(R14)(R15*1), R14
+	LEAQ   16(R10)(R15*1), R10
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(R10)
+	JMP    copy_5_end
+
+copy_5_small:
+	CMPQ AX, $0x03
+	JE   copy_5_move_3
+	JB   copy_5_move_1or2
+	CMPQ AX, $0x08
+	JB   copy_5_move_4through7
+	JMP  copy_5_move_8through16
+
+copy_5_move_1or2:
+	MOVB (R14), R15
+	MOVB -1(R14)(AX*1), BP
+	MOVB R15, (R10)
+	MOVB BP, -1(R10)(AX*1)
+	ADDQ AX, R14
+	ADDQ AX, R10
+	JMP  copy_5_end
+
+copy_5_move_3:
+	MOVW (R14), R15
+	MOVB 2(R14), BP
+	MOVW R15, (R10)
+	MOVB BP, 2(R10)
+	ADDQ AX, R14
+	ADDQ AX, R10
+	JMP  copy_5_end
+
+copy_5_move_4through7:
+	MOVL (R14), R15
+	MOVL -4(R14)(AX*1), BP
+	MOVL R15, (R10)
+	MOVL BP, -4(R10)(AX*1)
+	ADDQ AX, R14
+	ADDQ AX, R10
+	JMP  copy_5_end
+
+copy_5_move_8through16:
+	MOVQ (R14), R15
+	MOVQ -8(R14)(AX*1), BP
+	MOVQ R15, (R10)
+	MOVQ BP, -8(R10)(AX*1)
+	ADDQ AX, R14
+	ADDQ AX, R10
+
+copy_5_end:
+	ADDQ AX, R12
+	SUBQ AX, R13
+
+	// Copy match from the current buffer
+copy_match:
+	MOVQ R10, AX
+	SUBQ CX, AX
+
+	// ml <= mo
+	CMPQ R13, CX
+	JA   copy_overlapping_match
+
+	// Copy non-overlapping match
+	ADDQ R13, R12
+	MOVQ R10, CX
+	ADDQ R13, R10
+
+copy_2:
+	MOVUPS (AX), X0
+	MOVUPS X0, (CX)
+	ADDQ   $0x10, AX
+	ADDQ   $0x10, CX
+	SUBQ   $0x10, R13
+	JHI    copy_2
+	JMP    handle_loop
+
+	// Copy overlapping match
+copy_overlapping_match:
+	ADDQ R13, R12
+
+copy_slow_3:
+	MOVB (AX), CL
+	MOVB CL, (R10)
+	INCQ AX
+	INCQ R10
+	DECQ R13
+	JNZ  copy_slow_3
+
+handle_loop:
+	MOVQ ctx+16(FP), AX
+	DECQ 96(AX)
+	JNS  sequenceDecs_decodeSync_amd64_main_loop
+
+loop_finished:
+	MOVQ br+8(FP), AX
+	MOVQ DX, 24(AX)
+	MOVB BL, 40(AX)
+	MOVQ SI, 32(AX)
+
+	// Update the context
+	MOVQ ctx+16(FP), AX
+	MOVQ R12, 136(AX)
+	MOVQ 144(AX), CX
+	SUBQ CX, R11
+	MOVQ R11, 168(AX)
+
+	// Return success
+	MOVQ $0x00000000, ret+24(FP)
+	RET
+
+	// Return with match length error
+sequenceDecs_decodeSync_amd64_error_match_len_ofs_mismatch:
+	MOVQ 16(SP), AX
+	MOVQ ctx+16(FP), CX
+	MOVQ AX, 216(CX)
+	MOVQ $0x00000001, ret+24(FP)
+	RET
+
+	// Return with match too long error
+sequenceDecs_decodeSync_amd64_error_match_len_too_big:
+	MOVQ ctx+16(FP), AX
+	MOVQ 16(SP), CX
+	MOVQ CX, 216(AX)
+	MOVQ $0x00000002, ret+24(FP)
+	RET
+
+	// Return with match offset too long error
+error_match_off_too_big:
+	MOVQ ctx+16(FP), AX
+	MOVQ 8(SP), CX
+	MOVQ CX, 224(AX)
+	MOVQ R12, 136(AX)
+	MOVQ $0x00000003, ret+24(FP)
+	RET
+
+	// Return with not enough literals error
+error_not_enough_literals:
+	MOVQ ctx+16(FP), AX
+	MOVQ 24(SP), CX
+	MOVQ CX, 208(AX)
+	MOVQ $0x00000004, ret+24(FP)
+	RET
+
+	// Return with overread error
+error_overread:
+	MOVQ $0x00000006, ret+24(FP)
+	RET
+
+	// Return with not enough output space error
+error_not_enough_space:
+	MOVQ ctx+16(FP), AX
+	MOVQ 24(SP), CX
+	MOVQ CX, 208(AX)
+	MOVQ 16(SP), CX
+	MOVQ CX, 216(AX)
+	MOVQ R12, 136(AX)
+	MOVQ $0x00000005, ret+24(FP)
+	RET
+
+// func sequenceDecs_decodeSync_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int
+// Requires: BMI, BMI2, CMOV, SSE
+TEXT ·sequenceDecs_decodeSync_bmi2(SB), $64-32
+	MOVQ    br+8(FP), BX
+	MOVQ    24(BX), AX
+	MOVBQZX 40(BX), DX
+	MOVQ    (BX), CX
+	MOVQ    32(BX), BX
+	ADDQ    BX, CX
+	MOVQ    CX, (SP)
+	MOVQ    ctx+16(FP), CX
+	MOVQ    72(CX), SI
+	MOVQ    80(CX), DI
+	MOVQ    88(CX), R8
+	XORQ    R9, R9
+	MOVQ    R9, 8(SP)
+	MOVQ    R9, 16(SP)
+	MOVQ    R9, 24(SP)
+	MOVQ    112(CX), R9
+	MOVQ    128(CX), R10
+	MOVQ    R10, 32(SP)
+	MOVQ    144(CX), R10
+	MOVQ    136(CX), R11
+	MOVQ    200(CX), R12
+	MOVQ    R12, 56(SP)
+	MOVQ    176(CX), R12
+	MOVQ    R12, 48(SP)
+	MOVQ    184(CX), CX
+	MOVQ    CX, 40(SP)
+	MOVQ    40(SP), CX
+	ADDQ    CX, 48(SP)
+
+	// Calculate pointer to s.out[cap(s.out)] (a past-end pointer)
+	ADDQ R9, 32(SP)
+
+	// outBase += outPosition
+	ADDQ R11, R9
+
+sequenceDecs_decodeSync_bmi2_main_loop:
+	MOVQ (SP), R12
+
+	// Fill bitreader to have enough for the offset and match length.
+	CMPQ BX, $0x08
+	JL   sequenceDecs_decodeSync_bmi2_fill_byte_by_byte
+	MOVQ DX, CX
+	SHRQ $0x03, CX
+	SUBQ CX, R12
+	MOVQ (R12), AX
+	SUBQ CX, BX
+	ANDQ $0x07, DX
+	JMP  sequenceDecs_decodeSync_bmi2_fill_end
+
+sequenceDecs_decodeSync_bmi2_fill_byte_by_byte:
+	CMPQ    BX, $0x00
+	JLE     sequenceDecs_decodeSync_bmi2_fill_check_overread
+	CMPQ    DX, $0x07
+	JLE     sequenceDecs_decodeSync_bmi2_fill_end
+	SHLQ    $0x08, AX
+	SUBQ    $0x01, R12
+	SUBQ    $0x01, BX
+	SUBQ    $0x08, DX
+	MOVBQZX (R12), CX
+	ORQ     CX, AX
+	JMP     sequenceDecs_decodeSync_bmi2_fill_byte_by_byte
+
+sequenceDecs_decodeSync_bmi2_fill_check_overread:
+	CMPQ DX, $0x40
+	JA   error_overread
+
+sequenceDecs_decodeSync_bmi2_fill_end:
+	// Update offset
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, R8, R13
+	MOVQ   AX, R14
+	LEAQ   (DX)(R13*1), CX
+	ROLQ   CL, R14
+	BZHIQ  R13, R14, R14
+	MOVQ   CX, DX
+	MOVQ   R8, CX
+	SHRQ   $0x20, CX
+	ADDQ   R14, CX
+	MOVQ   CX, 8(SP)
+
+	// Update match length
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, DI, R13
+	MOVQ   AX, R14
+	LEAQ   (DX)(R13*1), CX
+	ROLQ   CL, R14
+	BZHIQ  R13, R14, R14
+	MOVQ   CX, DX
+	MOVQ   DI, CX
+	SHRQ   $0x20, CX
+	ADDQ   R14, CX
+	MOVQ   CX, 16(SP)
+
+	// Fill bitreader to have enough for the remaining
+	CMPQ BX, $0x08
+	JL   sequenceDecs_decodeSync_bmi2_fill_2_byte_by_byte
+	MOVQ DX, CX
+	SHRQ $0x03, CX
+	SUBQ CX, R12
+	MOVQ (R12), AX
+	SUBQ CX, BX
+	ANDQ $0x07, DX
+	JMP  sequenceDecs_decodeSync_bmi2_fill_2_end
+
+sequenceDecs_decodeSync_bmi2_fill_2_byte_by_byte:
+	CMPQ    BX, $0x00
+	JLE     sequenceDecs_decodeSync_bmi2_fill_2_check_overread
+	CMPQ    DX, $0x07
+	JLE     sequenceDecs_decodeSync_bmi2_fill_2_end
+	SHLQ    $0x08, AX
+	SUBQ    $0x01, R12
+	SUBQ    $0x01, BX
+	SUBQ    $0x08, DX
+	MOVBQZX (R12), CX
+	ORQ     CX, AX
+	JMP     sequenceDecs_decodeSync_bmi2_fill_2_byte_by_byte
+
+sequenceDecs_decodeSync_bmi2_fill_2_check_overread:
+	CMPQ DX, $0x40
+	JA   error_overread
+
+sequenceDecs_decodeSync_bmi2_fill_2_end:
+	// Update literal length
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, SI, R13
+	MOVQ   AX, R14
+	LEAQ   (DX)(R13*1), CX
+	ROLQ   CL, R14
+	BZHIQ  R13, R14, R14
+	MOVQ   CX, DX
+	MOVQ   SI, CX
+	SHRQ   $0x20, CX
+	ADDQ   R14, CX
+	MOVQ   CX, 24(SP)
+
+	// Fill bitreader for state updates
+	MOVQ    R12, (SP)
+	MOVQ    $0x00000808, CX
+	BEXTRQ  CX, R8, R12
+	MOVQ    ctx+16(FP), CX
+	CMPQ    96(CX), $0x00
+	JZ      sequenceDecs_decodeSync_bmi2_skip_update
+	LEAQ    (SI)(DI*1), R13
+	ADDQ    R8, R13
+	MOVBQZX R13, R13
+	LEAQ    (DX)(R13*1), CX
+	MOVQ    AX, R14
+	MOVQ    CX, DX
+	ROLQ    CL, R14
+	BZHIQ   R13, R14, R14
+
+	// Update Offset State
+	BZHIQ R8, R14, CX
+	SHRXQ R8, R14, R14
+	SHRL  $0x10, R8
+	ADDQ  CX, R8
+
+	// Load ctx.ofTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 48(CX), CX
+	MOVQ (CX)(R8*8), R8
+
+	// Update Match Length State
+	BZHIQ DI, R14, CX
+	SHRXQ DI, R14, R14
+	SHRL  $0x10, DI
+	ADDQ  CX, DI
+
+	// Load ctx.mlTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 24(CX), CX
+	MOVQ (CX)(DI*8), DI
+
+	// Update Literal Length State
+	BZHIQ SI, R14, CX
+	SHRL  $0x10, SI
+	ADDQ  CX, SI
+
+	// Load ctx.llTable
+	MOVQ ctx+16(FP), CX
+	MOVQ (CX), CX
+	MOVQ (CX)(SI*8), SI
+
+sequenceDecs_decodeSync_bmi2_skip_update:
+	// Adjust offset
+	MOVQ   s+0(FP), CX
+	MOVQ   8(SP), R13
+	CMPQ   R12, $0x01
+	JBE    sequenceDecs_decodeSync_bmi2_adjust_offsetB_1_or_0
+	MOVUPS 144(CX), X0
+	MOVQ   R13, 144(CX)
+	MOVUPS X0, 152(CX)
+	JMP    sequenceDecs_decodeSync_bmi2_after_adjust
+
+sequenceDecs_decodeSync_bmi2_adjust_offsetB_1_or_0:
+	CMPQ 24(SP), $0x00000000
+	JNE  sequenceDecs_decodeSync_bmi2_adjust_offset_maybezero
+	INCQ R13
+	JMP  sequenceDecs_decodeSync_bmi2_adjust_offset_nonzero
+
+sequenceDecs_decodeSync_bmi2_adjust_offset_maybezero:
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decodeSync_bmi2_adjust_offset_nonzero
+	MOVQ  144(CX), R13
+	JMP   sequenceDecs_decodeSync_bmi2_after_adjust
+
+sequenceDecs_decodeSync_bmi2_adjust_offset_nonzero:
+	MOVQ    R13, R12
+	XORQ    R14, R14
+	MOVQ    $-1, R15
+	CMPQ    R13, $0x03
+	CMOVQEQ R14, R12
+	CMOVQEQ R15, R14
+	ADDQ    144(CX)(R12*8), R14
+	JNZ     sequenceDecs_decodeSync_bmi2_adjust_temp_valid
+	MOVQ    $0x00000001, R14
+
+sequenceDecs_decodeSync_bmi2_adjust_temp_valid:
+	CMPQ R13, $0x01
+	JZ   sequenceDecs_decodeSync_bmi2_adjust_skip
+	MOVQ 152(CX), R12
+	MOVQ R12, 160(CX)
+
+sequenceDecs_decodeSync_bmi2_adjust_skip:
+	MOVQ 144(CX), R12
+	MOVQ R12, 152(CX)
+	MOVQ R14, 144(CX)
+	MOVQ R14, R13
+
+sequenceDecs_decodeSync_bmi2_after_adjust:
+	MOVQ R13, 8(SP)
+
+	// Check values
+	MOVQ  16(SP), CX
+	MOVQ  24(SP), R12
+	LEAQ  (CX)(R12*1), R14
+	MOVQ  s+0(FP), R15
+	ADDQ  R14, 256(R15)
+	MOVQ  ctx+16(FP), R14
+	SUBQ  R12, 104(R14)
+	JS    error_not_enough_literals
+	CMPQ  CX, $0x00020002
+	JA    sequenceDecs_decodeSync_bmi2_error_match_len_too_big
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decodeSync_bmi2_match_len_ofs_ok
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decodeSync_bmi2_error_match_len_ofs_mismatch
+
+sequenceDecs_decodeSync_bmi2_match_len_ofs_ok:
+	MOVQ 24(SP), CX
+	MOVQ 8(SP), R12
+	MOVQ 16(SP), R13
+
+	// Check if we have enough space in s.out
+	LEAQ (CX)(R13*1), R14
+	ADDQ R9, R14
+	CMPQ R14, 32(SP)
+	JA   error_not_enough_space
+
+	// Copy literals
+	TESTQ CX, CX
+	JZ    check_offset
+	XORQ  R14, R14
+
+copy_1:
+	MOVUPS (R10)(R14*1), X0
+	MOVUPS X0, (R9)(R14*1)
+	ADDQ   $0x10, R14
+	CMPQ   R14, CX
+	JB     copy_1
+	ADDQ   CX, R10
+	ADDQ   CX, R9
+	ADDQ   CX, R11
+
+	// Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize)
+check_offset:
+	MOVQ R11, CX
+	ADDQ 40(SP), CX
+	CMPQ R12, CX
+	JG   error_match_off_too_big
+	CMPQ R12, 56(SP)
+	JG   error_match_off_too_big
+
+	// Copy match from history
+	MOVQ R12, CX
+	SUBQ R11, CX
+	JLS  copy_match
+	MOVQ 48(SP), R14
+	SUBQ CX, R14
+	CMPQ R13, CX
+	JG   copy_all_from_history
+	MOVQ R13, CX
+	SUBQ $0x10, CX
+	JB   copy_4_small
+
+copy_4_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (R9)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, R9
+	SUBQ   $0x10, CX
+	JAE    copy_4_loop
+	LEAQ   16(R14)(CX*1), R14
+	LEAQ   16(R9)(CX*1), R9
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(R9)
+	JMP    copy_4_end
+
+copy_4_small:
+	CMPQ R13, $0x03
+	JE   copy_4_move_3
+	CMPQ R13, $0x08
+	JB   copy_4_move_4through7
+	JMP  copy_4_move_8through16
+
+copy_4_move_3:
+	MOVW (R14), CX
+	MOVB 2(R14), R12
+	MOVW CX, (R9)
+	MOVB R12, 2(R9)
+	ADDQ R13, R14
+	ADDQ R13, R9
+	JMP  copy_4_end
+
+copy_4_move_4through7:
+	MOVL (R14), CX
+	MOVL -4(R14)(R13*1), R12
+	MOVL CX, (R9)
+	MOVL R12, -4(R9)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, R9
+	JMP  copy_4_end
+
+copy_4_move_8through16:
+	MOVQ (R14), CX
+	MOVQ -8(R14)(R13*1), R12
+	MOVQ CX, (R9)
+	MOVQ R12, -8(R9)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, R9
+
+copy_4_end:
+	ADDQ R13, R11
+	JMP  handle_loop
+	JMP loop_finished
+
+copy_all_from_history:
+	MOVQ CX, R15
+	SUBQ $0x10, R15
+	JB   copy_5_small
+
+copy_5_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (R9)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, R9
+	SUBQ   $0x10, R15
+	JAE    copy_5_loop
+	LEAQ   16(R14)(R15*1), R14
+	LEAQ   16(R9)(R15*1), R9
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(R9)
+	JMP    copy_5_end
+
+copy_5_small:
+	CMPQ CX, $0x03
+	JE   copy_5_move_3
+	JB   copy_5_move_1or2
+	CMPQ CX, $0x08
+	JB   copy_5_move_4through7
+	JMP  copy_5_move_8through16
+
+copy_5_move_1or2:
+	MOVB (R14), R15
+	MOVB -1(R14)(CX*1), BP
+	MOVB R15, (R9)
+	MOVB BP, -1(R9)(CX*1)
+	ADDQ CX, R14
+	ADDQ CX, R9
+	JMP  copy_5_end
+
+copy_5_move_3:
+	MOVW (R14), R15
+	MOVB 2(R14), BP
+	MOVW R15, (R9)
+	MOVB BP, 2(R9)
+	ADDQ CX, R14
+	ADDQ CX, R9
+	JMP  copy_5_end
+
+copy_5_move_4through7:
+	MOVL (R14), R15
+	MOVL -4(R14)(CX*1), BP
+	MOVL R15, (R9)
+	MOVL BP, -4(R9)(CX*1)
+	ADDQ CX, R14
+	ADDQ CX, R9
+	JMP  copy_5_end
+
+copy_5_move_8through16:
+	MOVQ (R14), R15
+	MOVQ -8(R14)(CX*1), BP
+	MOVQ R15, (R9)
+	MOVQ BP, -8(R9)(CX*1)
+	ADDQ CX, R14
+	ADDQ CX, R9
+
+copy_5_end:
+	ADDQ CX, R11
+	SUBQ CX, R13
+
+	// Copy match from the current buffer
+copy_match:
+	MOVQ R9, CX
+	SUBQ R12, CX
+
+	// ml <= mo
+	CMPQ R13, R12
+	JA   copy_overlapping_match
+
+	// Copy non-overlapping match
+	ADDQ R13, R11
+	MOVQ R9, R12
+	ADDQ R13, R9
+
+copy_2:
+	MOVUPS (CX), X0
+	MOVUPS X0, (R12)
+	ADDQ   $0x10, CX
+	ADDQ   $0x10, R12
+	SUBQ   $0x10, R13
+	JHI    copy_2
+	JMP    handle_loop
+
+	// Copy overlapping match
+copy_overlapping_match:
+	ADDQ R13, R11
+
+copy_slow_3:
+	MOVB (CX), R12
+	MOVB R12, (R9)
+	INCQ CX
+	INCQ R9
+	DECQ R13
+	JNZ  copy_slow_3
+
+handle_loop:
+	MOVQ ctx+16(FP), CX
+	DECQ 96(CX)
+	JNS  sequenceDecs_decodeSync_bmi2_main_loop
+
+loop_finished:
+	MOVQ br+8(FP), CX
+	MOVQ AX, 24(CX)
+	MOVB DL, 40(CX)
+	MOVQ BX, 32(CX)
+
+	// Update the context
+	MOVQ ctx+16(FP), AX
+	MOVQ R11, 136(AX)
+	MOVQ 144(AX), CX
+	SUBQ CX, R10
+	MOVQ R10, 168(AX)
+
+	// Return success
+	MOVQ $0x00000000, ret+24(FP)
+	RET
+
+	// Return with match length error
+sequenceDecs_decodeSync_bmi2_error_match_len_ofs_mismatch:
+	MOVQ 16(SP), AX
+	MOVQ ctx+16(FP), CX
+	MOVQ AX, 216(CX)
+	MOVQ $0x00000001, ret+24(FP)
+	RET
+
+	// Return with match too long error
+sequenceDecs_decodeSync_bmi2_error_match_len_too_big:
+	MOVQ ctx+16(FP), AX
+	MOVQ 16(SP), CX
+	MOVQ CX, 216(AX)
+	MOVQ $0x00000002, ret+24(FP)
+	RET
+
+	// Return with match offset too long error
+error_match_off_too_big:
+	MOVQ ctx+16(FP), AX
+	MOVQ 8(SP), CX
+	MOVQ CX, 224(AX)
+	MOVQ R11, 136(AX)
+	MOVQ $0x00000003, ret+24(FP)
+	RET
+
+	// Return with not enough literals error
+error_not_enough_literals:
+	MOVQ ctx+16(FP), AX
+	MOVQ 24(SP), CX
+	MOVQ CX, 208(AX)
+	MOVQ $0x00000004, ret+24(FP)
+	RET
+
+	// Return with overread error
+error_overread:
+	MOVQ $0x00000006, ret+24(FP)
+	RET
+
+	// Return with not enough output space error
+error_not_enough_space:
+	MOVQ ctx+16(FP), AX
+	MOVQ 24(SP), CX
+	MOVQ CX, 208(AX)
+	MOVQ 16(SP), CX
+	MOVQ CX, 216(AX)
+	MOVQ R11, 136(AX)
+	MOVQ $0x00000005, ret+24(FP)
+	RET
+
+// func sequenceDecs_decodeSync_safe_amd64(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int
+// Requires: CMOV, SSE
+TEXT ·sequenceDecs_decodeSync_safe_amd64(SB), $64-32
+	MOVQ    br+8(FP), CX
+	MOVQ    24(CX), DX
+	MOVBQZX 40(CX), BX
+	MOVQ    (CX), AX
+	MOVQ    32(CX), SI
+	ADDQ    SI, AX
+	MOVQ    AX, (SP)
+	MOVQ    ctx+16(FP), AX
+	MOVQ    72(AX), DI
+	MOVQ    80(AX), R8
+	MOVQ    88(AX), R9
+	XORQ    CX, CX
+	MOVQ    CX, 8(SP)
+	MOVQ    CX, 16(SP)
+	MOVQ    CX, 24(SP)
+	MOVQ    112(AX), R10
+	MOVQ    128(AX), CX
+	MOVQ    CX, 32(SP)
+	MOVQ    144(AX), R11
+	MOVQ    136(AX), R12
+	MOVQ    200(AX), CX
+	MOVQ    CX, 56(SP)
+	MOVQ    176(AX), CX
+	MOVQ    CX, 48(SP)
+	MOVQ    184(AX), AX
+	MOVQ    AX, 40(SP)
+	MOVQ    40(SP), AX
+	ADDQ    AX, 48(SP)
+
+	// Calculate pointer to s.out[cap(s.out)] (a past-end pointer)
+	ADDQ R10, 32(SP)
+
+	// outBase += outPosition
+	ADDQ R12, R10
+
+sequenceDecs_decodeSync_safe_amd64_main_loop:
+	MOVQ (SP), R13
+
+	// Fill bitreader to have enough for the offset and match length.
+	CMPQ SI, $0x08
+	JL   sequenceDecs_decodeSync_safe_amd64_fill_byte_by_byte
+	MOVQ BX, AX
+	SHRQ $0x03, AX
+	SUBQ AX, R13
+	MOVQ (R13), DX
+	SUBQ AX, SI
+	ANDQ $0x07, BX
+	JMP  sequenceDecs_decodeSync_safe_amd64_fill_end
+
+sequenceDecs_decodeSync_safe_amd64_fill_byte_by_byte:
+	CMPQ    SI, $0x00
+	JLE     sequenceDecs_decodeSync_safe_amd64_fill_check_overread
+	CMPQ    BX, $0x07
+	JLE     sequenceDecs_decodeSync_safe_amd64_fill_end
+	SHLQ    $0x08, DX
+	SUBQ    $0x01, R13
+	SUBQ    $0x01, SI
+	SUBQ    $0x08, BX
+	MOVBQZX (R13), AX
+	ORQ     AX, DX
+	JMP     sequenceDecs_decodeSync_safe_amd64_fill_byte_by_byte
+
+sequenceDecs_decodeSync_safe_amd64_fill_check_overread:
+	CMPQ BX, $0x40
+	JA   error_overread
+
+sequenceDecs_decodeSync_safe_amd64_fill_end:
+	// Update offset
+	MOVQ  R9, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R14
+	SHLQ  CL, R14
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decodeSync_safe_amd64_of_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decodeSync_safe_amd64_of_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decodeSync_safe_amd64_of_update_zero
+	NEGQ  CX
+	SHRQ  CL, R14
+	ADDQ  R14, AX
+
+sequenceDecs_decodeSync_safe_amd64_of_update_zero:
+	MOVQ AX, 8(SP)
+
+	// Update match length
+	MOVQ  R8, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R14
+	SHLQ  CL, R14
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decodeSync_safe_amd64_ml_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decodeSync_safe_amd64_ml_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decodeSync_safe_amd64_ml_update_zero
+	NEGQ  CX
+	SHRQ  CL, R14
+	ADDQ  R14, AX
+
+sequenceDecs_decodeSync_safe_amd64_ml_update_zero:
+	MOVQ AX, 16(SP)
+
+	// Fill bitreader to have enough for the remaining
+	CMPQ SI, $0x08
+	JL   sequenceDecs_decodeSync_safe_amd64_fill_2_byte_by_byte
+	MOVQ BX, AX
+	SHRQ $0x03, AX
+	SUBQ AX, R13
+	MOVQ (R13), DX
+	SUBQ AX, SI
+	ANDQ $0x07, BX
+	JMP  sequenceDecs_decodeSync_safe_amd64_fill_2_end
+
+sequenceDecs_decodeSync_safe_amd64_fill_2_byte_by_byte:
+	CMPQ    SI, $0x00
+	JLE     sequenceDecs_decodeSync_safe_amd64_fill_2_check_overread
+	CMPQ    BX, $0x07
+	JLE     sequenceDecs_decodeSync_safe_amd64_fill_2_end
+	SHLQ    $0x08, DX
+	SUBQ    $0x01, R13
+	SUBQ    $0x01, SI
+	SUBQ    $0x08, BX
+	MOVBQZX (R13), AX
+	ORQ     AX, DX
+	JMP     sequenceDecs_decodeSync_safe_amd64_fill_2_byte_by_byte
+
+sequenceDecs_decodeSync_safe_amd64_fill_2_check_overread:
+	CMPQ BX, $0x40
+	JA   error_overread
+
+sequenceDecs_decodeSync_safe_amd64_fill_2_end:
+	// Update literal length
+	MOVQ  DI, AX
+	MOVQ  BX, CX
+	MOVQ  DX, R14
+	SHLQ  CL, R14
+	MOVB  AH, CL
+	SHRQ  $0x20, AX
+	TESTQ CX, CX
+	JZ    sequenceDecs_decodeSync_safe_amd64_ll_update_zero
+	ADDQ  CX, BX
+	CMPQ  BX, $0x40
+	JA    sequenceDecs_decodeSync_safe_amd64_ll_update_zero
+	CMPQ  CX, $0x40
+	JAE   sequenceDecs_decodeSync_safe_amd64_ll_update_zero
+	NEGQ  CX
+	SHRQ  CL, R14
+	ADDQ  R14, AX
+
+sequenceDecs_decodeSync_safe_amd64_ll_update_zero:
+	MOVQ AX, 24(SP)
+
+	// Fill bitreader for state updates
+	MOVQ    R13, (SP)
+	MOVQ    R9, AX
+	SHRQ    $0x08, AX
+	MOVBQZX AL, AX
+	MOVQ    ctx+16(FP), CX
+	CMPQ    96(CX), $0x00
+	JZ      sequenceDecs_decodeSync_safe_amd64_skip_update
+
+	// Update Literal Length State
+	MOVBQZX DI, R13
+	SHRL    $0x10, DI
+	LEAQ    (BX)(R13*1), CX
+	MOVQ    DX, R14
+	MOVQ    CX, BX
+	ROLQ    CL, R14
+	MOVL    $0x00000001, R15
+	MOVB    R13, CL
+	SHLL    CL, R15
+	DECL    R15
+	ANDQ    R15, R14
+	ADDQ    R14, DI
+
+	// Load ctx.llTable
+	MOVQ ctx+16(FP), CX
+	MOVQ (CX), CX
+	MOVQ (CX)(DI*8), DI
+
+	// Update Match Length State
+	MOVBQZX R8, R13
+	SHRL    $0x10, R8
+	LEAQ    (BX)(R13*1), CX
+	MOVQ    DX, R14
+	MOVQ    CX, BX
+	ROLQ    CL, R14
+	MOVL    $0x00000001, R15
+	MOVB    R13, CL
+	SHLL    CL, R15
+	DECL    R15
+	ANDQ    R15, R14
+	ADDQ    R14, R8
+
+	// Load ctx.mlTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 24(CX), CX
+	MOVQ (CX)(R8*8), R8
+
+	// Update Offset State
+	MOVBQZX R9, R13
+	SHRL    $0x10, R9
+	LEAQ    (BX)(R13*1), CX
+	MOVQ    DX, R14
+	MOVQ    CX, BX
+	ROLQ    CL, R14
+	MOVL    $0x00000001, R15
+	MOVB    R13, CL
+	SHLL    CL, R15
+	DECL    R15
+	ANDQ    R15, R14
+	ADDQ    R14, R9
+
+	// Load ctx.ofTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 48(CX), CX
+	MOVQ (CX)(R9*8), R9
+
+sequenceDecs_decodeSync_safe_amd64_skip_update:
+	// Adjust offset
+	MOVQ   s+0(FP), CX
+	MOVQ   8(SP), R13
+	CMPQ   AX, $0x01
+	JBE    sequenceDecs_decodeSync_safe_amd64_adjust_offsetB_1_or_0
+	MOVUPS 144(CX), X0
+	MOVQ   R13, 144(CX)
+	MOVUPS X0, 152(CX)
+	JMP    sequenceDecs_decodeSync_safe_amd64_after_adjust
+
+sequenceDecs_decodeSync_safe_amd64_adjust_offsetB_1_or_0:
+	CMPQ 24(SP), $0x00000000
+	JNE  sequenceDecs_decodeSync_safe_amd64_adjust_offset_maybezero
+	INCQ R13
+	JMP  sequenceDecs_decodeSync_safe_amd64_adjust_offset_nonzero
+
+sequenceDecs_decodeSync_safe_amd64_adjust_offset_maybezero:
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decodeSync_safe_amd64_adjust_offset_nonzero
+	MOVQ  144(CX), R13
+	JMP   sequenceDecs_decodeSync_safe_amd64_after_adjust
+
+sequenceDecs_decodeSync_safe_amd64_adjust_offset_nonzero:
+	MOVQ    R13, AX
+	XORQ    R14, R14
+	MOVQ    $-1, R15
+	CMPQ    R13, $0x03
+	CMOVQEQ R14, AX
+	CMOVQEQ R15, R14
+	ADDQ    144(CX)(AX*8), R14
+	JNZ     sequenceDecs_decodeSync_safe_amd64_adjust_temp_valid
+	MOVQ    $0x00000001, R14
+
+sequenceDecs_decodeSync_safe_amd64_adjust_temp_valid:
+	CMPQ R13, $0x01
+	JZ   sequenceDecs_decodeSync_safe_amd64_adjust_skip
+	MOVQ 152(CX), AX
+	MOVQ AX, 160(CX)
+
+sequenceDecs_decodeSync_safe_amd64_adjust_skip:
+	MOVQ 144(CX), AX
+	MOVQ AX, 152(CX)
+	MOVQ R14, 144(CX)
+	MOVQ R14, R13
+
+sequenceDecs_decodeSync_safe_amd64_after_adjust:
+	MOVQ R13, 8(SP)
+
+	// Check values
+	MOVQ  16(SP), AX
+	MOVQ  24(SP), CX
+	LEAQ  (AX)(CX*1), R14
+	MOVQ  s+0(FP), R15
+	ADDQ  R14, 256(R15)
+	MOVQ  ctx+16(FP), R14
+	SUBQ  CX, 104(R14)
+	JS    error_not_enough_literals
+	CMPQ  AX, $0x00020002
+	JA    sequenceDecs_decodeSync_safe_amd64_error_match_len_too_big
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decodeSync_safe_amd64_match_len_ofs_ok
+	TESTQ AX, AX
+	JNZ   sequenceDecs_decodeSync_safe_amd64_error_match_len_ofs_mismatch
+
+sequenceDecs_decodeSync_safe_amd64_match_len_ofs_ok:
+	MOVQ 24(SP), AX
+	MOVQ 8(SP), CX
+	MOVQ 16(SP), R13
+
+	// Check if we have enough space in s.out
+	LEAQ (AX)(R13*1), R14
+	ADDQ R10, R14
+	CMPQ R14, 32(SP)
+	JA   error_not_enough_space
+
+	// Copy literals
+	TESTQ AX, AX
+	JZ    check_offset
+	MOVQ  AX, R14
+	SUBQ  $0x10, R14
+	JB    copy_1_small
+
+copy_1_loop:
+	MOVUPS (R11), X0
+	MOVUPS X0, (R10)
+	ADDQ   $0x10, R11
+	ADDQ   $0x10, R10
+	SUBQ   $0x10, R14
+	JAE    copy_1_loop
+	LEAQ   16(R11)(R14*1), R11
+	LEAQ   16(R10)(R14*1), R10
+	MOVUPS -16(R11), X0
+	MOVUPS X0, -16(R10)
+	JMP    copy_1_end
+
+copy_1_small:
+	CMPQ AX, $0x03
+	JE   copy_1_move_3
+	JB   copy_1_move_1or2
+	CMPQ AX, $0x08
+	JB   copy_1_move_4through7
+	JMP  copy_1_move_8through16
+
+copy_1_move_1or2:
+	MOVB (R11), R14
+	MOVB -1(R11)(AX*1), R15
+	MOVB R14, (R10)
+	MOVB R15, -1(R10)(AX*1)
+	ADDQ AX, R11
+	ADDQ AX, R10
+	JMP  copy_1_end
+
+copy_1_move_3:
+	MOVW (R11), R14
+	MOVB 2(R11), R15
+	MOVW R14, (R10)
+	MOVB R15, 2(R10)
+	ADDQ AX, R11
+	ADDQ AX, R10
+	JMP  copy_1_end
+
+copy_1_move_4through7:
+	MOVL (R11), R14
+	MOVL -4(R11)(AX*1), R15
+	MOVL R14, (R10)
+	MOVL R15, -4(R10)(AX*1)
+	ADDQ AX, R11
+	ADDQ AX, R10
+	JMP  copy_1_end
+
+copy_1_move_8through16:
+	MOVQ (R11), R14
+	MOVQ -8(R11)(AX*1), R15
+	MOVQ R14, (R10)
+	MOVQ R15, -8(R10)(AX*1)
+	ADDQ AX, R11
+	ADDQ AX, R10
+
+copy_1_end:
+	ADDQ AX, R12
+
+	// Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize)
+check_offset:
+	MOVQ R12, AX
+	ADDQ 40(SP), AX
+	CMPQ CX, AX
+	JG   error_match_off_too_big
+	CMPQ CX, 56(SP)
+	JG   error_match_off_too_big
+
+	// Copy match from history
+	MOVQ CX, AX
+	SUBQ R12, AX
+	JLS  copy_match
+	MOVQ 48(SP), R14
+	SUBQ AX, R14
+	CMPQ R13, AX
+	JG   copy_all_from_history
+	MOVQ R13, AX
+	SUBQ $0x10, AX
+	JB   copy_4_small
+
+copy_4_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (R10)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, R10
+	SUBQ   $0x10, AX
+	JAE    copy_4_loop
+	LEAQ   16(R14)(AX*1), R14
+	LEAQ   16(R10)(AX*1), R10
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(R10)
+	JMP    copy_4_end
+
+copy_4_small:
+	CMPQ R13, $0x03
+	JE   copy_4_move_3
+	CMPQ R13, $0x08
+	JB   copy_4_move_4through7
+	JMP  copy_4_move_8through16
+
+copy_4_move_3:
+	MOVW (R14), AX
+	MOVB 2(R14), CL
+	MOVW AX, (R10)
+	MOVB CL, 2(R10)
+	ADDQ R13, R14
+	ADDQ R13, R10
+	JMP  copy_4_end
+
+copy_4_move_4through7:
+	MOVL (R14), AX
+	MOVL -4(R14)(R13*1), CX
+	MOVL AX, (R10)
+	MOVL CX, -4(R10)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, R10
+	JMP  copy_4_end
+
+copy_4_move_8through16:
+	MOVQ (R14), AX
+	MOVQ -8(R14)(R13*1), CX
+	MOVQ AX, (R10)
+	MOVQ CX, -8(R10)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, R10
+
+copy_4_end:
+	ADDQ R13, R12
+	JMP  handle_loop
+	JMP loop_finished
+
+copy_all_from_history:
+	MOVQ AX, R15
+	SUBQ $0x10, R15
+	JB   copy_5_small
+
+copy_5_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (R10)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, R10
+	SUBQ   $0x10, R15
+	JAE    copy_5_loop
+	LEAQ   16(R14)(R15*1), R14
+	LEAQ   16(R10)(R15*1), R10
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(R10)
+	JMP    copy_5_end
+
+copy_5_small:
+	CMPQ AX, $0x03
+	JE   copy_5_move_3
+	JB   copy_5_move_1or2
+	CMPQ AX, $0x08
+	JB   copy_5_move_4through7
+	JMP  copy_5_move_8through16
+
+copy_5_move_1or2:
+	MOVB (R14), R15
+	MOVB -1(R14)(AX*1), BP
+	MOVB R15, (R10)
+	MOVB BP, -1(R10)(AX*1)
+	ADDQ AX, R14
+	ADDQ AX, R10
+	JMP  copy_5_end
+
+copy_5_move_3:
+	MOVW (R14), R15
+	MOVB 2(R14), BP
+	MOVW R15, (R10)
+	MOVB BP, 2(R10)
+	ADDQ AX, R14
+	ADDQ AX, R10
+	JMP  copy_5_end
+
+copy_5_move_4through7:
+	MOVL (R14), R15
+	MOVL -4(R14)(AX*1), BP
+	MOVL R15, (R10)
+	MOVL BP, -4(R10)(AX*1)
+	ADDQ AX, R14
+	ADDQ AX, R10
+	JMP  copy_5_end
+
+copy_5_move_8through16:
+	MOVQ (R14), R15
+	MOVQ -8(R14)(AX*1), BP
+	MOVQ R15, (R10)
+	MOVQ BP, -8(R10)(AX*1)
+	ADDQ AX, R14
+	ADDQ AX, R10
+
+copy_5_end:
+	ADDQ AX, R12
+	SUBQ AX, R13
+
+	// Copy match from the current buffer
+copy_match:
+	MOVQ R10, AX
+	SUBQ CX, AX
+
+	// ml <= mo
+	CMPQ R13, CX
+	JA   copy_overlapping_match
+
+	// Copy non-overlapping match
+	ADDQ R13, R12
+	MOVQ R13, CX
+	SUBQ $0x10, CX
+	JB   copy_2_small
+
+copy_2_loop:
+	MOVUPS (AX), X0
+	MOVUPS X0, (R10)
+	ADDQ   $0x10, AX
+	ADDQ   $0x10, R10
+	SUBQ   $0x10, CX
+	JAE    copy_2_loop
+	LEAQ   16(AX)(CX*1), AX
+	LEAQ   16(R10)(CX*1), R10
+	MOVUPS -16(AX), X0
+	MOVUPS X0, -16(R10)
+	JMP    copy_2_end
+
+copy_2_small:
+	CMPQ R13, $0x03
+	JE   copy_2_move_3
+	JB   copy_2_move_1or2
+	CMPQ R13, $0x08
+	JB   copy_2_move_4through7
+	JMP  copy_2_move_8through16
+
+copy_2_move_1or2:
+	MOVB (AX), CL
+	MOVB -1(AX)(R13*1), R14
+	MOVB CL, (R10)
+	MOVB R14, -1(R10)(R13*1)
+	ADDQ R13, AX
+	ADDQ R13, R10
+	JMP  copy_2_end
+
+copy_2_move_3:
+	MOVW (AX), CX
+	MOVB 2(AX), R14
+	MOVW CX, (R10)
+	MOVB R14, 2(R10)
+	ADDQ R13, AX
+	ADDQ R13, R10
+	JMP  copy_2_end
+
+copy_2_move_4through7:
+	MOVL (AX), CX
+	MOVL -4(AX)(R13*1), R14
+	MOVL CX, (R10)
+	MOVL R14, -4(R10)(R13*1)
+	ADDQ R13, AX
+	ADDQ R13, R10
+	JMP  copy_2_end
+
+copy_2_move_8through16:
+	MOVQ (AX), CX
+	MOVQ -8(AX)(R13*1), R14
+	MOVQ CX, (R10)
+	MOVQ R14, -8(R10)(R13*1)
+	ADDQ R13, AX
+	ADDQ R13, R10
+
+copy_2_end:
+	JMP handle_loop
+
+	// Copy overlapping match
+copy_overlapping_match:
+	ADDQ R13, R12
+
+copy_slow_3:
+	MOVB (AX), CL
+	MOVB CL, (R10)
+	INCQ AX
+	INCQ R10
+	DECQ R13
+	JNZ  copy_slow_3
+
+handle_loop:
+	MOVQ ctx+16(FP), AX
+	DECQ 96(AX)
+	JNS  sequenceDecs_decodeSync_safe_amd64_main_loop
+
+loop_finished:
+	MOVQ br+8(FP), AX
+	MOVQ DX, 24(AX)
+	MOVB BL, 40(AX)
+	MOVQ SI, 32(AX)
+
+	// Update the context
+	MOVQ ctx+16(FP), AX
+	MOVQ R12, 136(AX)
+	MOVQ 144(AX), CX
+	SUBQ CX, R11
+	MOVQ R11, 168(AX)
+
+	// Return success
+	MOVQ $0x00000000, ret+24(FP)
+	RET
+
+	// Return with match length error
+sequenceDecs_decodeSync_safe_amd64_error_match_len_ofs_mismatch:
+	MOVQ 16(SP), AX
+	MOVQ ctx+16(FP), CX
+	MOVQ AX, 216(CX)
+	MOVQ $0x00000001, ret+24(FP)
+	RET
+
+	// Return with match too long error
+sequenceDecs_decodeSync_safe_amd64_error_match_len_too_big:
+	MOVQ ctx+16(FP), AX
+	MOVQ 16(SP), CX
+	MOVQ CX, 216(AX)
+	MOVQ $0x00000002, ret+24(FP)
+	RET
+
+	// Return with match offset too long error
+error_match_off_too_big:
+	MOVQ ctx+16(FP), AX
+	MOVQ 8(SP), CX
+	MOVQ CX, 224(AX)
+	MOVQ R12, 136(AX)
+	MOVQ $0x00000003, ret+24(FP)
+	RET
+
+	// Return with not enough literals error
+error_not_enough_literals:
+	MOVQ ctx+16(FP), AX
+	MOVQ 24(SP), CX
+	MOVQ CX, 208(AX)
+	MOVQ $0x00000004, ret+24(FP)
+	RET
+
+	// Return with overread error
+error_overread:
+	MOVQ $0x00000006, ret+24(FP)
+	RET
+
+	// Return with not enough output space error
+error_not_enough_space:
+	MOVQ ctx+16(FP), AX
+	MOVQ 24(SP), CX
+	MOVQ CX, 208(AX)
+	MOVQ 16(SP), CX
+	MOVQ CX, 216(AX)
+	MOVQ R12, 136(AX)
+	MOVQ $0x00000005, ret+24(FP)
+	RET
+
+// func sequenceDecs_decodeSync_safe_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int
+// Requires: BMI, BMI2, CMOV, SSE
+TEXT ·sequenceDecs_decodeSync_safe_bmi2(SB), $64-32
+	MOVQ    br+8(FP), BX
+	MOVQ    24(BX), AX
+	MOVBQZX 40(BX), DX
+	MOVQ    (BX), CX
+	MOVQ    32(BX), BX
+	ADDQ    BX, CX
+	MOVQ    CX, (SP)
+	MOVQ    ctx+16(FP), CX
+	MOVQ    72(CX), SI
+	MOVQ    80(CX), DI
+	MOVQ    88(CX), R8
+	XORQ    R9, R9
+	MOVQ    R9, 8(SP)
+	MOVQ    R9, 16(SP)
+	MOVQ    R9, 24(SP)
+	MOVQ    112(CX), R9
+	MOVQ    128(CX), R10
+	MOVQ    R10, 32(SP)
+	MOVQ    144(CX), R10
+	MOVQ    136(CX), R11
+	MOVQ    200(CX), R12
+	MOVQ    R12, 56(SP)
+	MOVQ    176(CX), R12
+	MOVQ    R12, 48(SP)
+	MOVQ    184(CX), CX
+	MOVQ    CX, 40(SP)
+	MOVQ    40(SP), CX
+	ADDQ    CX, 48(SP)
+
+	// Calculate pointer to s.out[cap(s.out)] (a past-end pointer)
+	ADDQ R9, 32(SP)
+
+	// outBase += outPosition
+	ADDQ R11, R9
+
+sequenceDecs_decodeSync_safe_bmi2_main_loop:
+	MOVQ (SP), R12
+
+	// Fill bitreader to have enough for the offset and match length.
+	CMPQ BX, $0x08
+	JL   sequenceDecs_decodeSync_safe_bmi2_fill_byte_by_byte
+	MOVQ DX, CX
+	SHRQ $0x03, CX
+	SUBQ CX, R12
+	MOVQ (R12), AX
+	SUBQ CX, BX
+	ANDQ $0x07, DX
+	JMP  sequenceDecs_decodeSync_safe_bmi2_fill_end
+
+sequenceDecs_decodeSync_safe_bmi2_fill_byte_by_byte:
+	CMPQ    BX, $0x00
+	JLE     sequenceDecs_decodeSync_safe_bmi2_fill_check_overread
+	CMPQ    DX, $0x07
+	JLE     sequenceDecs_decodeSync_safe_bmi2_fill_end
+	SHLQ    $0x08, AX
+	SUBQ    $0x01, R12
+	SUBQ    $0x01, BX
+	SUBQ    $0x08, DX
+	MOVBQZX (R12), CX
+	ORQ     CX, AX
+	JMP     sequenceDecs_decodeSync_safe_bmi2_fill_byte_by_byte
+
+sequenceDecs_decodeSync_safe_bmi2_fill_check_overread:
+	CMPQ DX, $0x40
+	JA   error_overread
+
+sequenceDecs_decodeSync_safe_bmi2_fill_end:
+	// Update offset
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, R8, R13
+	MOVQ   AX, R14
+	LEAQ   (DX)(R13*1), CX
+	ROLQ   CL, R14
+	BZHIQ  R13, R14, R14
+	MOVQ   CX, DX
+	MOVQ   R8, CX
+	SHRQ   $0x20, CX
+	ADDQ   R14, CX
+	MOVQ   CX, 8(SP)
+
+	// Update match length
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, DI, R13
+	MOVQ   AX, R14
+	LEAQ   (DX)(R13*1), CX
+	ROLQ   CL, R14
+	BZHIQ  R13, R14, R14
+	MOVQ   CX, DX
+	MOVQ   DI, CX
+	SHRQ   $0x20, CX
+	ADDQ   R14, CX
+	MOVQ   CX, 16(SP)
+
+	// Fill bitreader to have enough for the remaining
+	CMPQ BX, $0x08
+	JL   sequenceDecs_decodeSync_safe_bmi2_fill_2_byte_by_byte
+	MOVQ DX, CX
+	SHRQ $0x03, CX
+	SUBQ CX, R12
+	MOVQ (R12), AX
+	SUBQ CX, BX
+	ANDQ $0x07, DX
+	JMP  sequenceDecs_decodeSync_safe_bmi2_fill_2_end
+
+sequenceDecs_decodeSync_safe_bmi2_fill_2_byte_by_byte:
+	CMPQ    BX, $0x00
+	JLE     sequenceDecs_decodeSync_safe_bmi2_fill_2_check_overread
+	CMPQ    DX, $0x07
+	JLE     sequenceDecs_decodeSync_safe_bmi2_fill_2_end
+	SHLQ    $0x08, AX
+	SUBQ    $0x01, R12
+	SUBQ    $0x01, BX
+	SUBQ    $0x08, DX
+	MOVBQZX (R12), CX
+	ORQ     CX, AX
+	JMP     sequenceDecs_decodeSync_safe_bmi2_fill_2_byte_by_byte
+
+sequenceDecs_decodeSync_safe_bmi2_fill_2_check_overread:
+	CMPQ DX, $0x40
+	JA   error_overread
+
+sequenceDecs_decodeSync_safe_bmi2_fill_2_end:
+	// Update literal length
+	MOVQ   $0x00000808, CX
+	BEXTRQ CX, SI, R13
+	MOVQ   AX, R14
+	LEAQ   (DX)(R13*1), CX
+	ROLQ   CL, R14
+	BZHIQ  R13, R14, R14
+	MOVQ   CX, DX
+	MOVQ   SI, CX
+	SHRQ   $0x20, CX
+	ADDQ   R14, CX
+	MOVQ   CX, 24(SP)
+
+	// Fill bitreader for state updates
+	MOVQ    R12, (SP)
+	MOVQ    $0x00000808, CX
+	BEXTRQ  CX, R8, R12
+	MOVQ    ctx+16(FP), CX
+	CMPQ    96(CX), $0x00
+	JZ      sequenceDecs_decodeSync_safe_bmi2_skip_update
+	LEAQ    (SI)(DI*1), R13
+	ADDQ    R8, R13
+	MOVBQZX R13, R13
+	LEAQ    (DX)(R13*1), CX
+	MOVQ    AX, R14
+	MOVQ    CX, DX
+	ROLQ    CL, R14
+	BZHIQ   R13, R14, R14
+
+	// Update Offset State
+	BZHIQ R8, R14, CX
+	SHRXQ R8, R14, R14
+	SHRL  $0x10, R8
+	ADDQ  CX, R8
+
+	// Load ctx.ofTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 48(CX), CX
+	MOVQ (CX)(R8*8), R8
+
+	// Update Match Length State
+	BZHIQ DI, R14, CX
+	SHRXQ DI, R14, R14
+	SHRL  $0x10, DI
+	ADDQ  CX, DI
+
+	// Load ctx.mlTable
+	MOVQ ctx+16(FP), CX
+	MOVQ 24(CX), CX
+	MOVQ (CX)(DI*8), DI
+
+	// Update Literal Length State
+	BZHIQ SI, R14, CX
+	SHRL  $0x10, SI
+	ADDQ  CX, SI
+
+	// Load ctx.llTable
+	MOVQ ctx+16(FP), CX
+	MOVQ (CX), CX
+	MOVQ (CX)(SI*8), SI
+
+sequenceDecs_decodeSync_safe_bmi2_skip_update:
+	// Adjust offset
+	MOVQ   s+0(FP), CX
+	MOVQ   8(SP), R13
+	CMPQ   R12, $0x01
+	JBE    sequenceDecs_decodeSync_safe_bmi2_adjust_offsetB_1_or_0
+	MOVUPS 144(CX), X0
+	MOVQ   R13, 144(CX)
+	MOVUPS X0, 152(CX)
+	JMP    sequenceDecs_decodeSync_safe_bmi2_after_adjust
+
+sequenceDecs_decodeSync_safe_bmi2_adjust_offsetB_1_or_0:
+	CMPQ 24(SP), $0x00000000
+	JNE  sequenceDecs_decodeSync_safe_bmi2_adjust_offset_maybezero
+	INCQ R13
+	JMP  sequenceDecs_decodeSync_safe_bmi2_adjust_offset_nonzero
+
+sequenceDecs_decodeSync_safe_bmi2_adjust_offset_maybezero:
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decodeSync_safe_bmi2_adjust_offset_nonzero
+	MOVQ  144(CX), R13
+	JMP   sequenceDecs_decodeSync_safe_bmi2_after_adjust
+
+sequenceDecs_decodeSync_safe_bmi2_adjust_offset_nonzero:
+	MOVQ    R13, R12
+	XORQ    R14, R14
+	MOVQ    $-1, R15
+	CMPQ    R13, $0x03
+	CMOVQEQ R14, R12
+	CMOVQEQ R15, R14
+	ADDQ    144(CX)(R12*8), R14
+	JNZ     sequenceDecs_decodeSync_safe_bmi2_adjust_temp_valid
+	MOVQ    $0x00000001, R14
+
+sequenceDecs_decodeSync_safe_bmi2_adjust_temp_valid:
+	CMPQ R13, $0x01
+	JZ   sequenceDecs_decodeSync_safe_bmi2_adjust_skip
+	MOVQ 152(CX), R12
+	MOVQ R12, 160(CX)
+
+sequenceDecs_decodeSync_safe_bmi2_adjust_skip:
+	MOVQ 144(CX), R12
+	MOVQ R12, 152(CX)
+	MOVQ R14, 144(CX)
+	MOVQ R14, R13
+
+sequenceDecs_decodeSync_safe_bmi2_after_adjust:
+	MOVQ R13, 8(SP)
+
+	// Check values
+	MOVQ  16(SP), CX
+	MOVQ  24(SP), R12
+	LEAQ  (CX)(R12*1), R14
+	MOVQ  s+0(FP), R15
+	ADDQ  R14, 256(R15)
+	MOVQ  ctx+16(FP), R14
+	SUBQ  R12, 104(R14)
+	JS    error_not_enough_literals
+	CMPQ  CX, $0x00020002
+	JA    sequenceDecs_decodeSync_safe_bmi2_error_match_len_too_big
+	TESTQ R13, R13
+	JNZ   sequenceDecs_decodeSync_safe_bmi2_match_len_ofs_ok
+	TESTQ CX, CX
+	JNZ   sequenceDecs_decodeSync_safe_bmi2_error_match_len_ofs_mismatch
+
+sequenceDecs_decodeSync_safe_bmi2_match_len_ofs_ok:
+	MOVQ 24(SP), CX
+	MOVQ 8(SP), R12
+	MOVQ 16(SP), R13
+
+	// Check if we have enough space in s.out
+	LEAQ (CX)(R13*1), R14
+	ADDQ R9, R14
+	CMPQ R14, 32(SP)
+	JA   error_not_enough_space
+
+	// Copy literals
+	TESTQ CX, CX
+	JZ    check_offset
+	MOVQ  CX, R14
+	SUBQ  $0x10, R14
+	JB    copy_1_small
+
+copy_1_loop:
+	MOVUPS (R10), X0
+	MOVUPS X0, (R9)
+	ADDQ   $0x10, R10
+	ADDQ   $0x10, R9
+	SUBQ   $0x10, R14
+	JAE    copy_1_loop
+	LEAQ   16(R10)(R14*1), R10
+	LEAQ   16(R9)(R14*1), R9
+	MOVUPS -16(R10), X0
+	MOVUPS X0, -16(R9)
+	JMP    copy_1_end
+
+copy_1_small:
+	CMPQ CX, $0x03
+	JE   copy_1_move_3
+	JB   copy_1_move_1or2
+	CMPQ CX, $0x08
+	JB   copy_1_move_4through7
+	JMP  copy_1_move_8through16
+
+copy_1_move_1or2:
+	MOVB (R10), R14
+	MOVB -1(R10)(CX*1), R15
+	MOVB R14, (R9)
+	MOVB R15, -1(R9)(CX*1)
+	ADDQ CX, R10
+	ADDQ CX, R9
+	JMP  copy_1_end
+
+copy_1_move_3:
+	MOVW (R10), R14
+	MOVB 2(R10), R15
+	MOVW R14, (R9)
+	MOVB R15, 2(R9)
+	ADDQ CX, R10
+	ADDQ CX, R9
+	JMP  copy_1_end
+
+copy_1_move_4through7:
+	MOVL (R10), R14
+	MOVL -4(R10)(CX*1), R15
+	MOVL R14, (R9)
+	MOVL R15, -4(R9)(CX*1)
+	ADDQ CX, R10
+	ADDQ CX, R9
+	JMP  copy_1_end
+
+copy_1_move_8through16:
+	MOVQ (R10), R14
+	MOVQ -8(R10)(CX*1), R15
+	MOVQ R14, (R9)
+	MOVQ R15, -8(R9)(CX*1)
+	ADDQ CX, R10
+	ADDQ CX, R9
+
+copy_1_end:
+	ADDQ CX, R11
+
+	// Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize)
+check_offset:
+	MOVQ R11, CX
+	ADDQ 40(SP), CX
+	CMPQ R12, CX
+	JG   error_match_off_too_big
+	CMPQ R12, 56(SP)
+	JG   error_match_off_too_big
+
+	// Copy match from history
+	MOVQ R12, CX
+	SUBQ R11, CX
+	JLS  copy_match
+	MOVQ 48(SP), R14
+	SUBQ CX, R14
+	CMPQ R13, CX
+	JG   copy_all_from_history
+	MOVQ R13, CX
+	SUBQ $0x10, CX
+	JB   copy_4_small
+
+copy_4_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (R9)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, R9
+	SUBQ   $0x10, CX
+	JAE    copy_4_loop
+	LEAQ   16(R14)(CX*1), R14
+	LEAQ   16(R9)(CX*1), R9
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(R9)
+	JMP    copy_4_end
+
+copy_4_small:
+	CMPQ R13, $0x03
+	JE   copy_4_move_3
+	CMPQ R13, $0x08
+	JB   copy_4_move_4through7
+	JMP  copy_4_move_8through16
+
+copy_4_move_3:
+	MOVW (R14), CX
+	MOVB 2(R14), R12
+	MOVW CX, (R9)
+	MOVB R12, 2(R9)
+	ADDQ R13, R14
+	ADDQ R13, R9
+	JMP  copy_4_end
+
+copy_4_move_4through7:
+	MOVL (R14), CX
+	MOVL -4(R14)(R13*1), R12
+	MOVL CX, (R9)
+	MOVL R12, -4(R9)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, R9
+	JMP  copy_4_end
+
+copy_4_move_8through16:
+	MOVQ (R14), CX
+	MOVQ -8(R14)(R13*1), R12
+	MOVQ CX, (R9)
+	MOVQ R12, -8(R9)(R13*1)
+	ADDQ R13, R14
+	ADDQ R13, R9
+
+copy_4_end:
+	ADDQ R13, R11
+	JMP  handle_loop
+	JMP loop_finished
+
+copy_all_from_history:
+	MOVQ CX, R15
+	SUBQ $0x10, R15
+	JB   copy_5_small
+
+copy_5_loop:
+	MOVUPS (R14), X0
+	MOVUPS X0, (R9)
+	ADDQ   $0x10, R14
+	ADDQ   $0x10, R9
+	SUBQ   $0x10, R15
+	JAE    copy_5_loop
+	LEAQ   16(R14)(R15*1), R14
+	LEAQ   16(R9)(R15*1), R9
+	MOVUPS -16(R14), X0
+	MOVUPS X0, -16(R9)
+	JMP    copy_5_end
+
+copy_5_small:
+	CMPQ CX, $0x03
+	JE   copy_5_move_3
+	JB   copy_5_move_1or2
+	CMPQ CX, $0x08
+	JB   copy_5_move_4through7
+	JMP  copy_5_move_8through16
+
+copy_5_move_1or2:
+	MOVB (R14), R15
+	MOVB -1(R14)(CX*1), BP
+	MOVB R15, (R9)
+	MOVB BP, -1(R9)(CX*1)
+	ADDQ CX, R14
+	ADDQ CX, R9
+	JMP  copy_5_end
+
+copy_5_move_3:
+	MOVW (R14), R15
+	MOVB 2(R14), BP
+	MOVW R15, (R9)
+	MOVB BP, 2(R9)
+	ADDQ CX, R14
+	ADDQ CX, R9
+	JMP  copy_5_end
+
+copy_5_move_4through7:
+	MOVL (R14), R15
+	MOVL -4(R14)(CX*1), BP
+	MOVL R15, (R9)
+	MOVL BP, -4(R9)(CX*1)
+	ADDQ CX, R14
+	ADDQ CX, R9
+	JMP  copy_5_end
+
+copy_5_move_8through16:
+	MOVQ (R14), R15
+	MOVQ -8(R14)(CX*1), BP
+	MOVQ R15, (R9)
+	MOVQ BP, -8(R9)(CX*1)
+	ADDQ CX, R14
+	ADDQ CX, R9
+
+copy_5_end:
+	ADDQ CX, R11
+	SUBQ CX, R13
+
+	// Copy match from the current buffer
+copy_match:
+	MOVQ R9, CX
+	SUBQ R12, CX
+
+	// ml <= mo
+	CMPQ R13, R12
+	JA   copy_overlapping_match
+
+	// Copy non-overlapping match
+	ADDQ R13, R11
+	MOVQ R13, R12
+	SUBQ $0x10, R12
+	JB   copy_2_small
+
+copy_2_loop:
+	MOVUPS (CX), X0
+	MOVUPS X0, (R9)
+	ADDQ   $0x10, CX
+	ADDQ   $0x10, R9
+	SUBQ   $0x10, R12
+	JAE    copy_2_loop
+	LEAQ   16(CX)(R12*1), CX
+	LEAQ   16(R9)(R12*1), R9
+	MOVUPS -16(CX), X0
+	MOVUPS X0, -16(R9)
+	JMP    copy_2_end
+
+copy_2_small:
+	CMPQ R13, $0x03
+	JE   copy_2_move_3
+	JB   copy_2_move_1or2
+	CMPQ R13, $0x08
+	JB   copy_2_move_4through7
+	JMP  copy_2_move_8through16
+
+copy_2_move_1or2:
+	MOVB (CX), R12
+	MOVB -1(CX)(R13*1), R14
+	MOVB R12, (R9)
+	MOVB R14, -1(R9)(R13*1)
+	ADDQ R13, CX
+	ADDQ R13, R9
+	JMP  copy_2_end
+
+copy_2_move_3:
+	MOVW (CX), R12
+	MOVB 2(CX), R14
+	MOVW R12, (R9)
+	MOVB R14, 2(R9)
+	ADDQ R13, CX
+	ADDQ R13, R9
+	JMP  copy_2_end
+
+copy_2_move_4through7:
+	MOVL (CX), R12
+	MOVL -4(CX)(R13*1), R14
+	MOVL R12, (R9)
+	MOVL R14, -4(R9)(R13*1)
+	ADDQ R13, CX
+	ADDQ R13, R9
+	JMP  copy_2_end
+
+copy_2_move_8through16:
+	MOVQ (CX), R12
+	MOVQ -8(CX)(R13*1), R14
+	MOVQ R12, (R9)
+	MOVQ R14, -8(R9)(R13*1)
+	ADDQ R13, CX
+	ADDQ R13, R9
+
+copy_2_end:
+	JMP handle_loop
+
+	// Copy overlapping match
+copy_overlapping_match:
+	ADDQ R13, R11
+
+copy_slow_3:
+	MOVB (CX), R12
+	MOVB R12, (R9)
+	INCQ CX
+	INCQ R9
+	DECQ R13
+	JNZ  copy_slow_3
+
+handle_loop:
+	MOVQ ctx+16(FP), CX
+	DECQ 96(CX)
+	JNS  sequenceDecs_decodeSync_safe_bmi2_main_loop
+
+loop_finished:
+	MOVQ br+8(FP), CX
+	MOVQ AX, 24(CX)
+	MOVB DL, 40(CX)
+	MOVQ BX, 32(CX)
+
+	// Update the context
+	MOVQ ctx+16(FP), AX
+	MOVQ R11, 136(AX)
+	MOVQ 144(AX), CX
+	SUBQ CX, R10
+	MOVQ R10, 168(AX)
+
+	// Return success
+	MOVQ $0x00000000, ret+24(FP)
+	RET
+
+	// Return with match length error
+sequenceDecs_decodeSync_safe_bmi2_error_match_len_ofs_mismatch:
+	MOVQ 16(SP), AX
+	MOVQ ctx+16(FP), CX
+	MOVQ AX, 216(CX)
+	MOVQ $0x00000001, ret+24(FP)
+	RET
+
+	// Return with match too long error
+sequenceDecs_decodeSync_safe_bmi2_error_match_len_too_big:
+	MOVQ ctx+16(FP), AX
+	MOVQ 16(SP), CX
+	MOVQ CX, 216(AX)
+	MOVQ $0x00000002, ret+24(FP)
+	RET
+
+	// Return with match offset too long error
+error_match_off_too_big:
+	MOVQ ctx+16(FP), AX
+	MOVQ 8(SP), CX
+	MOVQ CX, 224(AX)
+	MOVQ R11, 136(AX)
+	MOVQ $0x00000003, ret+24(FP)
+	RET
+
+	// Return with not enough literals error
+error_not_enough_literals:
+	MOVQ ctx+16(FP), AX
+	MOVQ 24(SP), CX
+	MOVQ CX, 208(AX)
+	MOVQ $0x00000004, ret+24(FP)
+	RET
+
+	// Return with overread error
+error_overread:
+	MOVQ $0x00000006, ret+24(FP)
+	RET
+
+	// Return with not enough output space error
+error_not_enough_space:
+	MOVQ ctx+16(FP), AX
+	MOVQ 24(SP), CX
+	MOVQ CX, 208(AX)
+	MOVQ 16(SP), CX
+	MOVQ CX, 216(AX)
+	MOVQ R11, 136(AX)
+	MOVQ $0x00000005, ret+24(FP)
+	RET
diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go b/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go
new file mode 100644
index 0000000000..7cec2197cd
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go
@@ -0,0 +1,237 @@
+//go:build !amd64 || appengine || !gc || noasm
+// +build !amd64 appengine !gc noasm
+
+package zstd
+
+import (
+	"fmt"
+	"io"
+)
+
+// decode sequences from the stream with the provided history but without dictionary.
+func (s *sequenceDecs) decodeSyncSimple(hist []byte) (bool, error) {
+	return false, nil
+}
+
+// decode sequences from the stream without the provided history.
+func (s *sequenceDecs) decode(seqs []seqVals) error {
+	br := s.br
+
+	// Grab full sizes tables, to avoid bounds checks.
+	llTable, mlTable, ofTable := s.litLengths.fse.dt[:maxTablesize], s.matchLengths.fse.dt[:maxTablesize], s.offsets.fse.dt[:maxTablesize]
+	llState, mlState, ofState := s.litLengths.state.state, s.matchLengths.state.state, s.offsets.state.state
+	s.seqSize = 0
+	litRemain := len(s.literals)
+
+	maxBlockSize := maxCompressedBlockSize
+	if s.windowSize < maxBlockSize {
+		maxBlockSize = s.windowSize
+	}
+	for i := range seqs {
+		var ll, mo, ml int
+		if br.cursor > 4+((maxOffsetBits+16+16)>>3) {
+			// inlined function:
+			// ll, mo, ml = s.nextFast(br, llState, mlState, ofState)
+
+			// Final will not read from stream.
+			var llB, mlB, moB uint8
+			ll, llB = llState.final()
+			ml, mlB = mlState.final()
+			mo, moB = ofState.final()
+
+			// extra bits are stored in reverse order.
+			br.fillFast()
+			mo += br.getBits(moB)
+			if s.maxBits > 32 {
+				br.fillFast()
+			}
+			ml += br.getBits(mlB)
+			ll += br.getBits(llB)
+
+			if moB > 1 {
+				s.prevOffset[2] = s.prevOffset[1]
+				s.prevOffset[1] = s.prevOffset[0]
+				s.prevOffset[0] = mo
+			} else {
+				// mo = s.adjustOffset(mo, ll, moB)
+				// Inlined for rather big speedup
+				if ll == 0 {
+					// There is an exception though, when current sequence's literals_length = 0.
+					// In this case, repeated offsets are shifted by one, so an offset_value of 1 means Repeated_Offset2,
+					// an offset_value of 2 means Repeated_Offset3, and an offset_value of 3 means Repeated_Offset1 - 1_byte.
+					mo++
+				}
+
+				if mo == 0 {
+					mo = s.prevOffset[0]
+				} else {
+					var temp int
+					if mo == 3 {
+						temp = s.prevOffset[0] - 1
+					} else {
+						temp = s.prevOffset[mo]
+					}
+
+					if temp == 0 {
+						// 0 is not valid; input is corrupted; force offset to 1
+						println("WARNING: temp was 0")
+						temp = 1
+					}
+
+					if mo != 1 {
+						s.prevOffset[2] = s.prevOffset[1]
+					}
+					s.prevOffset[1] = s.prevOffset[0]
+					s.prevOffset[0] = temp
+					mo = temp
+				}
+			}
+			br.fillFast()
+		} else {
+			if br.overread() {
+				if debugDecoder {
+					printf("reading sequence %d, exceeded available data\n", i)
+				}
+				return io.ErrUnexpectedEOF
+			}
+			ll, mo, ml = s.next(br, llState, mlState, ofState)
+			br.fill()
+		}
+
+		if debugSequences {
+			println("Seq", i, "Litlen:", ll, "mo:", mo, "(abs) ml:", ml)
+		}
+		// Evaluate.
+		// We might be doing this async, so do it early.
+		if mo == 0 && ml > 0 {
+			return fmt.Errorf("zero matchoff and matchlen (%d) > 0", ml)
+		}
+		if ml > maxMatchLen {
+			return fmt.Errorf("match len (%d) bigger than max allowed length", ml)
+		}
+		s.seqSize += ll + ml
+		if s.seqSize > maxBlockSize {
+			return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
+		}
+		litRemain -= ll
+		if litRemain < 0 {
+			return fmt.Errorf("unexpected literal count, want %d bytes, but only %d is available", ll, litRemain+ll)
+		}
+		seqs[i] = seqVals{
+			ll: ll,
+			ml: ml,
+			mo: mo,
+		}
+		if i == len(seqs)-1 {
+			// This is the last sequence, so we shouldn't update state.
+			break
+		}
+
+		// Manually inlined, ~ 5-20% faster
+		// Update all 3 states at once. Approx 20% faster.
+		nBits := llState.nbBits() + mlState.nbBits() + ofState.nbBits()
+		if nBits == 0 {
+			llState = llTable[llState.newState()&maxTableMask]
+			mlState = mlTable[mlState.newState()&maxTableMask]
+			ofState = ofTable[ofState.newState()&maxTableMask]
+		} else {
+			bits := br.get32BitsFast(nBits)
+			lowBits := uint16(bits >> ((ofState.nbBits() + mlState.nbBits()) & 31))
+			llState = llTable[(llState.newState()+lowBits)&maxTableMask]
+
+			lowBits = uint16(bits >> (ofState.nbBits() & 31))
+			lowBits &= bitMask[mlState.nbBits()&15]
+			mlState = mlTable[(mlState.newState()+lowBits)&maxTableMask]
+
+			lowBits = uint16(bits) & bitMask[ofState.nbBits()&15]
+			ofState = ofTable[(ofState.newState()+lowBits)&maxTableMask]
+		}
+	}
+	s.seqSize += litRemain
+	if s.seqSize > maxBlockSize {
+		return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
+	}
+	err := br.close()
+	if err != nil {
+		printf("Closing sequences: %v, %+v\n", err, *br)
+	}
+	return err
+}
+
+// executeSimple handles cases when a dictionary is not used.
+func (s *sequenceDecs) executeSimple(seqs []seqVals, hist []byte) error {
+	// Ensure we have enough output size...
+	if len(s.out)+s.seqSize > cap(s.out) {
+		addBytes := s.seqSize + len(s.out)
+		s.out = append(s.out, make([]byte, addBytes)...)
+		s.out = s.out[:len(s.out)-addBytes]
+	}
+
+	if debugDecoder {
+		printf("Execute %d seqs with literals: %d into %d bytes\n", len(seqs), len(s.literals), s.seqSize)
+	}
+
+	var t = len(s.out)
+	out := s.out[:t+s.seqSize]
+
+	for _, seq := range seqs {
+		// Add literals
+		copy(out[t:], s.literals[:seq.ll])
+		t += seq.ll
+		s.literals = s.literals[seq.ll:]
+
+		// Malformed input
+		if seq.mo > t+len(hist) || seq.mo > s.windowSize {
+			return fmt.Errorf("match offset (%d) bigger than current history (%d)", seq.mo, t+len(hist))
+		}
+
+		// Copy from history.
+		if v := seq.mo - t; v > 0 {
+			// v is the start position in history from end.
+			start := len(hist) - v
+			if seq.ml > v {
+				// Some goes into the current block.
+				// Copy remainder of history
+				copy(out[t:], hist[start:])
+				t += v
+				seq.ml -= v
+			} else {
+				copy(out[t:], hist[start:start+seq.ml])
+				t += seq.ml
+				continue
+			}
+		}
+
+		// We must be in the current buffer now
+		if seq.ml > 0 {
+			start := t - seq.mo
+			if seq.ml <= t-start {
+				// No overlap
+				copy(out[t:], out[start:start+seq.ml])
+				t += seq.ml
+			} else {
+				// Overlapping copy
+				// Extend destination slice and copy one byte at the time.
+				src := out[start : start+seq.ml]
+				dst := out[t:]
+				dst = dst[:len(src)]
+				t += len(src)
+				// Destination is the space we just added.
+				for i := range src {
+					dst[i] = src[i]
+				}
+			}
+		}
+	}
+	// Add final literals
+	copy(out[t:], s.literals)
+	if debugDecoder {
+		t += len(s.literals)
+		if t != len(out) {
+			panic(fmt.Errorf("length mismatch, want %d, got %d, ss: %d", len(out), t, s.seqSize))
+		}
+	}
+	s.out = out
+
+	return nil
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/seqenc.go b/vendor/github.com/klauspost/compress/zstd/seqenc.go
new file mode 100644
index 0000000000..65045eabdd
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/seqenc.go
@@ -0,0 +1,112 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import "math/bits"
+
+type seqCoders struct {
+	llEnc, ofEnc, mlEnc    *fseEncoder
+	llPrev, ofPrev, mlPrev *fseEncoder
+}
+
+// swap coders with another (block).
+func (s *seqCoders) swap(other *seqCoders) {
+	*s, *other = *other, *s
+}
+
+// setPrev will update the previous encoders to the actually used ones
+// and make sure a fresh one is in the main slot.
+func (s *seqCoders) setPrev(ll, ml, of *fseEncoder) {
+	compareSwap := func(used *fseEncoder, current, prev **fseEncoder) {
+		// We used the new one, more current to history and reuse the previous history
+		if *current == used {
+			*prev, *current = *current, *prev
+			c := *current
+			p := *prev
+			c.reUsed = false
+			p.reUsed = true
+			return
+		}
+		if used == *prev {
+			return
+		}
+		// Ensure we cannot reuse by accident
+		prevEnc := *prev
+		prevEnc.symbolLen = 0
+	}
+	compareSwap(ll, &s.llEnc, &s.llPrev)
+	compareSwap(ml, &s.mlEnc, &s.mlPrev)
+	compareSwap(of, &s.ofEnc, &s.ofPrev)
+}
+
+func highBit(val uint32) (n uint32) {
+	return uint32(bits.Len32(val) - 1)
+}
+
+var llCodeTable = [64]byte{0, 1, 2, 3, 4, 5, 6, 7,
+	8, 9, 10, 11, 12, 13, 14, 15,
+	16, 16, 17, 17, 18, 18, 19, 19,
+	20, 20, 20, 20, 21, 21, 21, 21,
+	22, 22, 22, 22, 22, 22, 22, 22,
+	23, 23, 23, 23, 23, 23, 23, 23,
+	24, 24, 24, 24, 24, 24, 24, 24,
+	24, 24, 24, 24, 24, 24, 24, 24}
+
+// Up to 6 bits
+const maxLLCode = 35
+
+// llBitsTable translates from ll code to number of bits.
+var llBitsTable = [maxLLCode + 1]byte{
+	0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0,
+	1, 1, 1, 1, 2, 2, 3, 3,
+	4, 6, 7, 8, 9, 10, 11, 12,
+	13, 14, 15, 16}
+
+// llCode returns the code that represents the literal length requested.
+func llCode(litLength uint32) uint8 {
+	const llDeltaCode = 19
+	if litLength <= 63 {
+		return llCodeTable[litLength&63]
+	}
+	return uint8(highBit(litLength)) + llDeltaCode
+}
+
+var mlCodeTable = [128]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+	16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+	32, 32, 33, 33, 34, 34, 35, 35, 36, 36, 36, 36, 37, 37, 37, 37,
+	38, 38, 38, 38, 38, 38, 38, 38, 39, 39, 39, 39, 39, 39, 39, 39,
+	40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+	41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+	42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42,
+	42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42}
+
+// Up to 6 bits
+const maxMLCode = 52
+
+// mlBitsTable translates from ml code to number of bits.
+var mlBitsTable = [maxMLCode + 1]byte{
+	0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0,
+	1, 1, 1, 1, 2, 2, 3, 3,
+	4, 4, 5, 7, 8, 9, 10, 11,
+	12, 13, 14, 15, 16}
+
+// note : mlBase = matchLength - MINMATCH;
+// because it's the format it's stored in seqStore->sequences
+func mlCode(mlBase uint32) uint8 {
+	const mlDeltaCode = 36
+	if mlBase <= 127 {
+		return mlCodeTable[mlBase&127]
+	}
+	return uint8(highBit(mlBase)) + mlDeltaCode
+}
+
+func ofCode(offset uint32) uint8 {
+	// A valid offset will always be > 0.
+	return uint8(bits.Len32(offset) - 1)
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/snappy.go b/vendor/github.com/klauspost/compress/zstd/snappy.go
new file mode 100644
index 0000000000..a17381b8f8
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/snappy.go
@@ -0,0 +1,434 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+// Based on work by Yann Collet, released under BSD License.
+
+package zstd
+
+import (
+	"encoding/binary"
+	"errors"
+	"hash/crc32"
+	"io"
+
+	"github.com/klauspost/compress/huff0"
+	snappy "github.com/klauspost/compress/internal/snapref"
+)
+
+const (
+	snappyTagLiteral = 0x00
+	snappyTagCopy1   = 0x01
+	snappyTagCopy2   = 0x02
+	snappyTagCopy4   = 0x03
+)
+
+const (
+	snappyChecksumSize = 4
+	snappyMagicBody    = "sNaPpY"
+
+	// snappyMaxBlockSize is the maximum size of the input to encodeBlock. It is not
+	// part of the wire format per se, but some parts of the encoder assume
+	// that an offset fits into a uint16.
+	//
+	// Also, for the framing format (Writer type instead of Encode function),
+	// https://github.com/google/snappy/blob/master/framing_format.txt says
+	// that "the uncompressed data in a chunk must be no longer than 65536
+	// bytes".
+	snappyMaxBlockSize = 65536
+
+	// snappyMaxEncodedLenOfMaxBlockSize equals MaxEncodedLen(snappyMaxBlockSize), but is
+	// hard coded to be a const instead of a variable, so that obufLen can also
+	// be a const. Their equivalence is confirmed by
+	// TestMaxEncodedLenOfMaxBlockSize.
+	snappyMaxEncodedLenOfMaxBlockSize = 76490
+)
+
+const (
+	chunkTypeCompressedData   = 0x00
+	chunkTypeUncompressedData = 0x01
+	chunkTypePadding          = 0xfe
+	chunkTypeStreamIdentifier = 0xff
+)
+
+var (
+	// ErrSnappyCorrupt reports that the input is invalid.
+	ErrSnappyCorrupt = errors.New("snappy: corrupt input")
+	// ErrSnappyTooLarge reports that the uncompressed length is too large.
+	ErrSnappyTooLarge = errors.New("snappy: decoded block is too large")
+	// ErrSnappyUnsupported reports that the input isn't supported.
+	ErrSnappyUnsupported = errors.New("snappy: unsupported input")
+
+	errUnsupportedLiteralLength = errors.New("snappy: unsupported literal length")
+)
+
+// SnappyConverter can read SnappyConverter-compressed streams and convert them to zstd.
+// Conversion is done by converting the stream directly from Snappy without intermediate
+// full decoding.
+// Therefore the compression ratio is much less than what can be done by a full decompression
+// and compression, and a faulty Snappy stream may lead to a faulty Zstandard stream without
+// any errors being generated.
+// No CRC value is being generated and not all CRC values of the Snappy stream are checked.
+// However, it provides really fast recompression of Snappy streams.
+// The converter can be reused to avoid allocations, even after errors.
+type SnappyConverter struct {
+	r     io.Reader
+	err   error
+	buf   []byte
+	block *blockEnc
+}
+
+// Convert the Snappy stream supplied in 'in' and write the zStandard stream to 'w'.
+// If any error is detected on the Snappy stream it is returned.
+// The number of bytes written is returned.
+func (r *SnappyConverter) Convert(in io.Reader, w io.Writer) (int64, error) {
+	initPredefined()
+	r.err = nil
+	r.r = in
+	if r.block == nil {
+		r.block = &blockEnc{}
+		r.block.init()
+	}
+	r.block.initNewEncode()
+	if len(r.buf) != snappyMaxEncodedLenOfMaxBlockSize+snappyChecksumSize {
+		r.buf = make([]byte, snappyMaxEncodedLenOfMaxBlockSize+snappyChecksumSize)
+	}
+	r.block.litEnc.Reuse = huff0.ReusePolicyNone
+	var written int64
+	var readHeader bool
+	{
+		header := frameHeader{WindowSize: snappyMaxBlockSize}.appendTo(r.buf[:0])
+
+		var n int
+		n, r.err = w.Write(header)
+		if r.err != nil {
+			return written, r.err
+		}
+		written += int64(n)
+	}
+
+	for {
+		if !r.readFull(r.buf[:4], true) {
+			// Add empty last block
+			r.block.reset(nil)
+			r.block.last = true
+			err := r.block.encodeLits(r.block.literals, false)
+			if err != nil {
+				return written, err
+			}
+			n, err := w.Write(r.block.output)
+			if err != nil {
+				return written, err
+			}
+			written += int64(n)
+
+			return written, r.err
+		}
+		chunkType := r.buf[0]
+		if !readHeader {
+			if chunkType != chunkTypeStreamIdentifier {
+				println("chunkType != chunkTypeStreamIdentifier", chunkType)
+				r.err = ErrSnappyCorrupt
+				return written, r.err
+			}
+			readHeader = true
+		}
+		chunkLen := int(r.buf[1]) | int(r.buf[2])<<8 | int(r.buf[3])<<16
+		if chunkLen > len(r.buf) {
+			println("chunkLen > len(r.buf)", chunkType)
+			r.err = ErrSnappyUnsupported
+			return written, r.err
+		}
+
+		// The chunk types are specified at
+		// https://github.com/google/snappy/blob/master/framing_format.txt
+		switch chunkType {
+		case chunkTypeCompressedData:
+			// Section 4.2. Compressed data (chunk type 0x00).
+			if chunkLen < snappyChecksumSize {
+				println("chunkLen < snappyChecksumSize", chunkLen, snappyChecksumSize)
+				r.err = ErrSnappyCorrupt
+				return written, r.err
+			}
+			buf := r.buf[:chunkLen]
+			if !r.readFull(buf, false) {
+				return written, r.err
+			}
+			//checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24
+			buf = buf[snappyChecksumSize:]
+
+			n, hdr, err := snappyDecodedLen(buf)
+			if err != nil {
+				r.err = err
+				return written, r.err
+			}
+			buf = buf[hdr:]
+			if n > snappyMaxBlockSize {
+				println("n > snappyMaxBlockSize", n, snappyMaxBlockSize)
+				r.err = ErrSnappyCorrupt
+				return written, r.err
+			}
+			r.block.reset(nil)
+			r.block.pushOffsets()
+			if err := decodeSnappy(r.block, buf); err != nil {
+				r.err = err
+				return written, r.err
+			}
+			if r.block.size+r.block.extraLits != n {
+				printf("invalid size, want %d, got %d\n", n, r.block.size+r.block.extraLits)
+				r.err = ErrSnappyCorrupt
+				return written, r.err
+			}
+			err = r.block.encode(nil, false, false)
+			switch err {
+			case errIncompressible:
+				r.block.popOffsets()
+				r.block.reset(nil)
+				r.block.literals, err = snappy.Decode(r.block.literals[:n], r.buf[snappyChecksumSize:chunkLen])
+				if err != nil {
+					return written, err
+				}
+				err = r.block.encodeLits(r.block.literals, false)
+				if err != nil {
+					return written, err
+				}
+			case nil:
+			default:
+				return written, err
+			}
+
+			n, r.err = w.Write(r.block.output)
+			if r.err != nil {
+				return written, r.err
+			}
+			written += int64(n)
+			continue
+		case chunkTypeUncompressedData:
+			if debugEncoder {
+				println("Uncompressed, chunklen", chunkLen)
+			}
+			// Section 4.3. Uncompressed data (chunk type 0x01).
+			if chunkLen < snappyChecksumSize {
+				println("chunkLen < snappyChecksumSize", chunkLen, snappyChecksumSize)
+				r.err = ErrSnappyCorrupt
+				return written, r.err
+			}
+			r.block.reset(nil)
+			buf := r.buf[:snappyChecksumSize]
+			if !r.readFull(buf, false) {
+				return written, r.err
+			}
+			checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24
+			// Read directly into r.decoded instead of via r.buf.
+			n := chunkLen - snappyChecksumSize
+			if n > snappyMaxBlockSize {
+				println("n > snappyMaxBlockSize", n, snappyMaxBlockSize)
+				r.err = ErrSnappyCorrupt
+				return written, r.err
+			}
+			r.block.literals = r.block.literals[:n]
+			if !r.readFull(r.block.literals, false) {
+				return written, r.err
+			}
+			if snappyCRC(r.block.literals) != checksum {
+				println("literals crc mismatch")
+				r.err = ErrSnappyCorrupt
+				return written, r.err
+			}
+			err := r.block.encodeLits(r.block.literals, false)
+			if err != nil {
+				return written, err
+			}
+			n, r.err = w.Write(r.block.output)
+			if r.err != nil {
+				return written, r.err
+			}
+			written += int64(n)
+			continue
+
+		case chunkTypeStreamIdentifier:
+			if debugEncoder {
+				println("stream id", chunkLen, len(snappyMagicBody))
+			}
+			// Section 4.1. Stream identifier (chunk type 0xff).
+			if chunkLen != len(snappyMagicBody) {
+				println("chunkLen != len(snappyMagicBody)", chunkLen, len(snappyMagicBody))
+				r.err = ErrSnappyCorrupt
+				return written, r.err
+			}
+			if !r.readFull(r.buf[:len(snappyMagicBody)], false) {
+				return written, r.err
+			}
+			for i := 0; i < len(snappyMagicBody); i++ {
+				if r.buf[i] != snappyMagicBody[i] {
+					println("r.buf[i] != snappyMagicBody[i]", r.buf[i], snappyMagicBody[i], i)
+					r.err = ErrSnappyCorrupt
+					return written, r.err
+				}
+			}
+			continue
+		}
+
+		if chunkType <= 0x7f {
+			// Section 4.5. Reserved unskippable chunks (chunk types 0x02-0x7f).
+			println("chunkType <= 0x7f")
+			r.err = ErrSnappyUnsupported
+			return written, r.err
+		}
+		// Section 4.4 Padding (chunk type 0xfe).
+		// Section 4.6. Reserved skippable chunks (chunk types 0x80-0xfd).
+		if !r.readFull(r.buf[:chunkLen], false) {
+			return written, r.err
+		}
+	}
+}
+
+// decodeSnappy writes the decoding of src to dst. It assumes that the varint-encoded
+// length of the decompressed bytes has already been read.
+func decodeSnappy(blk *blockEnc, src []byte) error {
+	//decodeRef(make([]byte, snappyMaxBlockSize), src)
+	var s, length int
+	lits := blk.extraLits
+	var offset uint32
+	for s < len(src) {
+		switch src[s] & 0x03 {
+		case snappyTagLiteral:
+			x := uint32(src[s] >> 2)
+			switch {
+			case x < 60:
+				s++
+			case x == 60:
+				s += 2
+				if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+					println("uint(s) > uint(len(src)", s, src)
+					return ErrSnappyCorrupt
+				}
+				x = uint32(src[s-1])
+			case x == 61:
+				s += 3
+				if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+					println("uint(s) > uint(len(src)", s, src)
+					return ErrSnappyCorrupt
+				}
+				x = uint32(src[s-2]) | uint32(src[s-1])<<8
+			case x == 62:
+				s += 4
+				if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+					println("uint(s) > uint(len(src)", s, src)
+					return ErrSnappyCorrupt
+				}
+				x = uint32(src[s-3]) | uint32(src[s-2])<<8 | uint32(src[s-1])<<16
+			case x == 63:
+				s += 5
+				if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+					println("uint(s) > uint(len(src)", s, src)
+					return ErrSnappyCorrupt
+				}
+				x = uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24
+			}
+			if x > snappyMaxBlockSize {
+				println("x > snappyMaxBlockSize", x, snappyMaxBlockSize)
+				return ErrSnappyCorrupt
+			}
+			length = int(x) + 1
+			if length <= 0 {
+				println("length <= 0 ", length)
+
+				return errUnsupportedLiteralLength
+			}
+			//if length > snappyMaxBlockSize-d || uint32(length) > len(src)-s {
+			//	return ErrSnappyCorrupt
+			//}
+
+			blk.literals = append(blk.literals, src[s:s+length]...)
+			//println(length, "litLen")
+			lits += length
+			s += length
+			continue
+
+		case snappyTagCopy1:
+			s += 2
+			if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+				println("uint(s) > uint(len(src)", s, len(src))
+				return ErrSnappyCorrupt
+			}
+			length = 4 + int(src[s-2])>>2&0x7
+			offset = uint32(src[s-2])&0xe0<<3 | uint32(src[s-1])
+
+		case snappyTagCopy2:
+			s += 3
+			if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+				println("uint(s) > uint(len(src)", s, len(src))
+				return ErrSnappyCorrupt
+			}
+			length = 1 + int(src[s-3])>>2
+			offset = uint32(src[s-2]) | uint32(src[s-1])<<8
+
+		case snappyTagCopy4:
+			s += 5
+			if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
+				println("uint(s) > uint(len(src)", s, len(src))
+				return ErrSnappyCorrupt
+			}
+			length = 1 + int(src[s-5])>>2
+			offset = uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24
+		}
+
+		if offset <= 0 || blk.size+lits < int(offset) /*|| length > len(blk)-d */ {
+			println("offset <= 0 || blk.size+lits < int(offset)", offset, blk.size+lits, int(offset), blk.size, lits)
+
+			return ErrSnappyCorrupt
+		}
+
+		// Check if offset is one of the recent offsets.
+		// Adjusts the output offset accordingly.
+		// Gives a tiny bit of compression, typically around 1%.
+		if false {
+			offset = blk.matchOffset(offset, uint32(lits))
+		} else {
+			offset += 3
+		}
+
+		blk.sequences = append(blk.sequences, seq{
+			litLen:   uint32(lits),
+			offset:   offset,
+			matchLen: uint32(length) - zstdMinMatch,
+		})
+		blk.size += length + lits
+		lits = 0
+	}
+	blk.extraLits = lits
+	return nil
+}
+
+func (r *SnappyConverter) readFull(p []byte, allowEOF bool) (ok bool) {
+	if _, r.err = io.ReadFull(r.r, p); r.err != nil {
+		if r.err == io.ErrUnexpectedEOF || (r.err == io.EOF && !allowEOF) {
+			r.err = ErrSnappyCorrupt
+		}
+		return false
+	}
+	return true
+}
+
+var crcTable = crc32.MakeTable(crc32.Castagnoli)
+
+// crc implements the checksum specified in section 3 of
+// https://github.com/google/snappy/blob/master/framing_format.txt
+func snappyCRC(b []byte) uint32 {
+	c := crc32.Update(0, crcTable, b)
+	return c>>15 | c<<17 + 0xa282ead8
+}
+
+// snappyDecodedLen returns the length of the decoded block and the number of bytes
+// that the length header occupied.
+func snappyDecodedLen(src []byte) (blockLen, headerLen int, err error) {
+	v, n := binary.Uvarint(src)
+	if n <= 0 || v > 0xffffffff {
+		return 0, 0, ErrSnappyCorrupt
+	}
+
+	const wordSize = 32 << (^uint(0) >> 32 & 1)
+	if wordSize == 32 && v > 0x7fffffff {
+		return 0, 0, ErrSnappyTooLarge
+	}
+	return int(v), n, nil
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/zip.go b/vendor/github.com/klauspost/compress/zstd/zip.go
new file mode 100644
index 0000000000..29c15c8c4e
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/zip.go
@@ -0,0 +1,141 @@
+// Copyright 2019+ Klaus Post. All rights reserved.
+// License information can be found in the LICENSE file.
+
+package zstd
+
+import (
+	"errors"
+	"io"
+	"sync"
+)
+
+// ZipMethodWinZip is the method for Zstandard compressed data inside Zip files for WinZip.
+// See https://www.winzip.com/win/en/comp_info.html
+const ZipMethodWinZip = 93
+
+// ZipMethodPKWare is the original method number used by PKWARE to indicate Zstandard compression.
+// Deprecated: This has been deprecated by PKWARE, use ZipMethodWinZip instead for compression.
+// See https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.9.TXT
+const ZipMethodPKWare = 20
+
+// zipReaderPool is the default reader pool.
+var zipReaderPool = sync.Pool{New: func() interface{} {
+	z, err := NewReader(nil, WithDecoderLowmem(true), WithDecoderMaxWindow(128<<20), WithDecoderConcurrency(1))
+	if err != nil {
+		panic(err)
+	}
+	return z
+}}
+
+// newZipReader creates a pooled zip decompressor.
+func newZipReader(opts ...DOption) func(r io.Reader) io.ReadCloser {
+	pool := &zipReaderPool
+	if len(opts) > 0 {
+		opts = append([]DOption{WithDecoderLowmem(true), WithDecoderMaxWindow(128 << 20)}, opts...)
+		// Force concurrency 1
+		opts = append(opts, WithDecoderConcurrency(1))
+		// Create our own pool
+		pool = &sync.Pool{}
+	}
+	return func(r io.Reader) io.ReadCloser {
+		dec, ok := pool.Get().(*Decoder)
+		if ok {
+			dec.Reset(r)
+		} else {
+			d, err := NewReader(r, opts...)
+			if err != nil {
+				panic(err)
+			}
+			dec = d
+		}
+		return &pooledZipReader{dec: dec, pool: pool}
+	}
+}
+
+type pooledZipReader struct {
+	mu   sync.Mutex // guards Close and Read
+	pool *sync.Pool
+	dec  *Decoder
+}
+
+func (r *pooledZipReader) Read(p []byte) (n int, err error) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if r.dec == nil {
+		return 0, errors.New("read after close or EOF")
+	}
+	dec, err := r.dec.Read(p)
+	if err == io.EOF {
+		r.dec.Reset(nil)
+		r.pool.Put(r.dec)
+		r.dec = nil
+	}
+	return dec, err
+}
+
+func (r *pooledZipReader) Close() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	var err error
+	if r.dec != nil {
+		err = r.dec.Reset(nil)
+		r.pool.Put(r.dec)
+		r.dec = nil
+	}
+	return err
+}
+
+type pooledZipWriter struct {
+	mu   sync.Mutex // guards Close and Read
+	enc  *Encoder
+	pool *sync.Pool
+}
+
+func (w *pooledZipWriter) Write(p []byte) (n int, err error) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	if w.enc == nil {
+		return 0, errors.New("Write after Close")
+	}
+	return w.enc.Write(p)
+}
+
+func (w *pooledZipWriter) Close() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	var err error
+	if w.enc != nil {
+		err = w.enc.Close()
+		w.pool.Put(w.enc)
+		w.enc = nil
+	}
+	return err
+}
+
+// ZipCompressor returns a compressor that can be registered with zip libraries.
+// The provided encoder options will be used on all encodes.
+func ZipCompressor(opts ...EOption) func(w io.Writer) (io.WriteCloser, error) {
+	var pool sync.Pool
+	return func(w io.Writer) (io.WriteCloser, error) {
+		enc, ok := pool.Get().(*Encoder)
+		if ok {
+			enc.Reset(w)
+		} else {
+			var err error
+			enc, err = NewWriter(w, opts...)
+			if err != nil {
+				return nil, err
+			}
+		}
+		return &pooledZipWriter{enc: enc, pool: &pool}, nil
+	}
+}
+
+// ZipDecompressor returns a decompressor that can be registered with zip libraries.
+// See ZipCompressor for example.
+// Options can be specified. WithDecoderConcurrency(1) is forced,
+// and by default a 128MB maximum decompression window is specified.
+// The window size can be overridden if required.
+func ZipDecompressor(opts ...DOption) func(r io.Reader) io.ReadCloser {
+	return newZipReader(opts...)
+}
diff --git a/vendor/github.com/klauspost/compress/zstd/zstd.go b/vendor/github.com/klauspost/compress/zstd/zstd.go
new file mode 100644
index 0000000000..6252b46ae6
--- /dev/null
+++ b/vendor/github.com/klauspost/compress/zstd/zstd.go
@@ -0,0 +1,126 @@
+// Package zstd provides decompression of zstandard files.
+//
+// For advanced usage and examples, go to the README: https://github.com/klauspost/compress/tree/master/zstd#zstd
+package zstd
+
+import (
+	"bytes"
+	"errors"
+	"log"
+	"math"
+
+	"github.com/klauspost/compress/internal/le"
+)
+
+// enable debug printing
+const debug = false
+
+// enable encoding debug printing
+const debugEncoder = debug
+
+// enable decoding debug printing
+const debugDecoder = debug
+
+// Enable extra assertions.
+const debugAsserts = debug || false
+
+// print sequence details
+const debugSequences = false
+
+// print detailed matching information
+const debugMatches = false
+
+// force encoder to use predefined tables.
+const forcePreDef = false
+
+// zstdMinMatch is the minimum zstd match length.
+const zstdMinMatch = 3
+
+// fcsUnknown is used for unknown frame content size.
+const fcsUnknown = math.MaxUint64
+
+var (
+	// ErrReservedBlockType is returned when a reserved block type is found.
+	// Typically this indicates wrong or corrupted input.
+	ErrReservedBlockType = errors.New("invalid input: reserved block type encountered")
+
+	// ErrCompressedSizeTooBig is returned when a block is bigger than allowed.
+	// Typically this indicates wrong or corrupted input.
+	ErrCompressedSizeTooBig = errors.New("invalid input: compressed size too big")
+
+	// ErrBlockTooSmall is returned when a block is too small to be decoded.
+	// Typically returned on invalid input.
+	ErrBlockTooSmall = errors.New("block too small")
+
+	// ErrUnexpectedBlockSize is returned when a block has unexpected size.
+	// Typically returned on invalid input.
+	ErrUnexpectedBlockSize = errors.New("unexpected block size")
+
+	// ErrMagicMismatch is returned when a "magic" number isn't what is expected.
+	// Typically this indicates wrong or corrupted input.
+	ErrMagicMismatch = errors.New("invalid input: magic number mismatch")
+
+	// ErrWindowSizeExceeded is returned when a reference exceeds the valid window size.
+	// Typically this indicates wrong or corrupted input.
+	ErrWindowSizeExceeded = errors.New("window size exceeded")
+
+	// ErrWindowSizeTooSmall is returned when no window size is specified.
+	// Typically this indicates wrong or corrupted input.
+	ErrWindowSizeTooSmall = errors.New("invalid input: window size was too small")
+
+	// ErrDecoderSizeExceeded is returned if decompressed size exceeds the configured limit.
+	ErrDecoderSizeExceeded = errors.New("decompressed size exceeds configured limit")
+
+	// ErrUnknownDictionary is returned if the dictionary ID is unknown.
+	ErrUnknownDictionary = errors.New("unknown dictionary")
+
+	// ErrFrameSizeExceeded is returned if the stated frame size is exceeded.
+	// This is only returned if SingleSegment is specified on the frame.
+	ErrFrameSizeExceeded = errors.New("frame size exceeded")
+
+	// ErrFrameSizeMismatch is returned if the stated frame size does not match the expected size.
+	// This is only returned if SingleSegment is specified on the frame.
+	ErrFrameSizeMismatch = errors.New("frame size does not match size on stream")
+
+	// ErrCRCMismatch is returned if CRC mismatches.
+	ErrCRCMismatch = errors.New("CRC check failed")
+
+	// ErrDecoderClosed will be returned if the Decoder was used after
+	// Close has been called.
+	ErrDecoderClosed = errors.New("decoder used after Close")
+
+	// ErrEncoderClosed will be returned if the Encoder was used after
+	// Close has been called.
+	ErrEncoderClosed = errors.New("encoder used after Close")
+
+	// ErrDecoderNilInput is returned when a nil Reader was provided
+	// and an operation other than Reset/DecodeAll/Close was attempted.
+	ErrDecoderNilInput = errors.New("nil input provided as reader")
+)
+
+func println(a ...interface{}) {
+	if debug || debugDecoder || debugEncoder {
+		log.Println(a...)
+	}
+}
+
+func printf(format string, a ...interface{}) {
+	if debug || debugDecoder || debugEncoder {
+		log.Printf(format, a...)
+	}
+}
+
+func load3232(b []byte, i int32) uint32 {
+	return le.Load32(b, i)
+}
+
+func load6432(b []byte, i int32) uint64 {
+	return le.Load64(b, i)
+}
+
+type byter interface {
+	Bytes() []byte
+	Len() int
+}
+
+var _ byter = &bytes.Buffer{}
diff --git a/vendor/github.com/lann/builder/.gitignore b/vendor/github.com/lann/builder/.gitignore
new file mode 100644
index 0000000000..f54eb28f6e
--- /dev/null
+++ b/vendor/github.com/lann/builder/.gitignore
@@ -0,0 +1,2 @@
+*~
+\#*#
diff --git a/vendor/github.com/lann/builder/.travis.yml b/vendor/github.com/lann/builder/.travis.yml
new file mode 100644
index 0000000000..c8860f69bc
--- /dev/null
+++ b/vendor/github.com/lann/builder/.travis.yml
@@ -0,0 +1,7 @@
+language: go
+
+go:
+  - '1.8'
+  - '1.9'
+  - '1.10'
+  - tip
diff --git a/vendor/github.com/josharian/intern/license.md b/vendor/github.com/lann/builder/LICENSE
similarity index 96%
rename from vendor/github.com/josharian/intern/license.md
rename to vendor/github.com/lann/builder/LICENSE
index 353d3055f0..a109e8051c 100644
--- a/vendor/github.com/josharian/intern/license.md
+++ b/vendor/github.com/lann/builder/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2019 Josh Bleecher Snyder
+Copyright (c) 2014-2015 Lann Martin
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/vendor/github.com/lann/builder/README.md b/vendor/github.com/lann/builder/README.md
new file mode 100644
index 0000000000..3b18550bb9
--- /dev/null
+++ b/vendor/github.com/lann/builder/README.md
@@ -0,0 +1,68 @@
+# Builder - fluent immutable builders for Go
+
+[![GoDoc](https://godoc.org/github.com/lann/builder?status.png)](https://godoc.org/github.com/lann/builder)
+[![Build Status](https://travis-ci.org/lann/builder.png?branch=master)](https://travis-ci.org/lann/builder)
+
+Builder was originally written for
+[Squirrel](https://github.com/lann/squirrel), a fluent SQL generator. It
+is probably the best example of Builder in action.
+
+Builder helps you write **fluent** DSLs for your libraries with method chaining:
+
+```go
+resp := ReqBuilder.
+    Url("http://golang.org").
+    Header("User-Agent", "Builder").
+    Get()
+```
+
+Builder uses **immutable** persistent data structures
+([these](https://github.com/mndrix/ps), specifically)
+so that each step in your method chain can be reused:
+
+```go
+build := WordBuilder.AddLetters("Build")
+builder := build.AddLetters("er")
+building := build.AddLetters("ing")
+```
+
+Builder makes it easy to **build** structs using the **builder** pattern
+(*surprise!*):
+
+```go
+import "github.com/lann/builder"
+
+type Muppet struct {
+    Name string
+    Friends []string
+}
+
+type muppetBuilder builder.Builder
+
+func (b muppetBuilder) Name(name string) muppetBuilder {
+    return builder.Set(b, "Name", name).(muppetBuilder)
+}
+
+func (b muppetBuilder) AddFriend(friend string) muppetBuilder {
+    return builder.Append(b, "Friends", friend).(muppetBuilder)
+}
+
+func (b muppetBuilder) Build() Muppet {
+    return builder.GetStruct(b).(Muppet)
+}
+
+var MuppetBuilder = builder.Register(muppetBuilder{}, Muppet{}).(muppetBuilder)
+```
+```go
+MuppetBuilder.
+    Name("Beaker").
+    AddFriend("Dr. Honeydew").
+    Build()
+
+=> Muppet{Name:"Beaker", Friends:[]string{"Dr. Honeydew"}}
+```
+
+## License
+
+Builder is released under the
+[MIT License](http://www.opensource.org/licenses/MIT).
diff --git a/vendor/github.com/lann/builder/builder.go b/vendor/github.com/lann/builder/builder.go
new file mode 100644
index 0000000000..ff621406a4
--- /dev/null
+++ b/vendor/github.com/lann/builder/builder.go
@@ -0,0 +1,225 @@
+// Package builder provides a method for writing fluent immutable builders.
+package builder
+
+import (
+	"github.com/lann/ps"
+	"go/ast"
+	"reflect"
+)
+
+// Builder stores a set of named values.
+//
+// New types can be declared with underlying type Builder and used with the
+// functions in this package. See example.
+//
+// Instances of Builder should be treated as immutable. It is up to the
+// implementor to ensure mutable values set on a Builder are not mutated while
+// the Builder is in use.
+type Builder struct {
+	builderMap ps.Map
+}
+
+var (
+	EmptyBuilder      = Builder{ps.NewMap()}
+	emptyBuilderValue = reflect.ValueOf(EmptyBuilder)
+)
+
+func getBuilderMap(builder interface{}) ps.Map {
+	b := convert(builder, Builder{}).(Builder)
+
+	if b.builderMap == nil {
+		return ps.NewMap()
+	}
+
+	return b.builderMap
+}
+
+// Set returns a copy of the given builder with a new value set for the given
+// name.
+//
+// Set (and all other functions taking a builder in this package) will panic if
+// the given builder's underlying type is not Builder.
+func Set(builder interface{}, name string, v interface{}) interface{} {
+	b := Builder{getBuilderMap(builder).Set(name, v)}
+	return convert(b, builder)
+}
+
+// Delete returns a copy of the given builder with the given named value unset.
+func Delete(builder interface{}, name string) interface{} {
+	b := Builder{getBuilderMap(builder).Delete(name)}
+	return convert(b, builder)
+}
+
+// Append returns a copy of the given builder with new value(s) appended to the
+// named list. If the value was previously unset or set with Set (even to a e.g.
+// slice values), the new value(s) will be appended to an empty list.
+func Append(builder interface{}, name string, vs ...interface{}) interface{} {
+	return Extend(builder, name, vs)
+}
+
+// Extend behaves like Append, except it takes a single slice or array value
+// which will be concatenated to the named list.
+//
+// Unlike a variadic call to Append - which requires a []interface{} value -
+// Extend accepts slices or arrays of any type.
+//
+// Extend will panic if the given value is not a slice, array, or nil.
+func Extend(builder interface{}, name string, vs interface{}) interface{} {
+	if vs == nil {
+		return builder
+	}
+
+	maybeList, ok := getBuilderMap(builder).Lookup(name)
+
+	var list ps.List
+	if ok {
+		list, ok = maybeList.(ps.List)
+	}
+	if !ok {
+		list = ps.NewList()
+	}
+
+	forEach(vs, func(v interface{}) {
+		list = list.Cons(v)
+	})
+
+	return Set(builder, name, list)
+}
+
+func listToSlice(list ps.List, arrayType reflect.Type) reflect.Value {
+	size := list.Size()
+	slice := reflect.MakeSlice(arrayType, size, size)
+	for i := size - 1; i >= 0; i-- {
+		val := reflect.ValueOf(list.Head())
+		slice.Index(i).Set(val)
+		list = list.Tail()
+	}
+	return slice
+}
+
+var anyArrayType = reflect.TypeOf([]interface{}{})
+
+// Get retrieves a single named value from the given builder.
+// If the value has not been set, it returns (nil, false). Otherwise, it will
+// return (value, true).
+//
+// If the named value was last set with Append or Extend, the returned value
+// will be a slice. If the given Builder has been registered with Register or
+// RegisterType and the given name is an exported field of the registered
+// struct, the returned slice will have the same type as that field. Otherwise
+// the slice will have type []interface{}. It will panic if the given name is a
+// registered struct's exported field and the value set on the Builder is not
+// assignable to the field.
+func Get(builder interface{}, name string) (interface{}, bool) {
+	val, ok := getBuilderMap(builder).Lookup(name)
+	if !ok {
+		return nil, false
+	}
+
+	list, isList := val.(ps.List)
+	if isList {
+		arrayType := anyArrayType
+
+		if ast.IsExported(name) {
+			structType := getBuilderStructType(reflect.TypeOf(builder))
+			if structType != nil {
+				field, ok := (*structType).FieldByName(name)
+				if ok {
+					arrayType = field.Type
+				}
+			}
+		}
+
+		val = listToSlice(list, arrayType).Interface()
+	}
+
+	return val, true
+}
+
+// GetMap returns a map[string]interface{} of the values set in the given
+// builder.
+//
+// See notes on Get regarding returned slices.
+func GetMap(builder interface{}) map[string]interface{} {
+	m := getBuilderMap(builder)
+	structType := getBuilderStructType(reflect.TypeOf(builder))
+
+	ret := make(map[string]interface{}, m.Size())
+
+	m.ForEach(func(name string, val ps.Any) {
+		list, isList := val.(ps.List)
+		if isList {
+			arrayType := anyArrayType
+
+			if structType != nil {
+				field, ok := (*structType).FieldByName(name)
+				if ok {
+					arrayType = field.Type
+				}
+			}
+
+			val = listToSlice(list, arrayType).Interface()
+		}
+
+		ret[name] = val
+	})
+
+	return ret
+}
+
+// GetStruct builds a new struct from the given registered builder.
+// It will return nil if the given builder's type has not been registered with
+// Register or RegisterValue.
+//
+// All values set on the builder with names that start with an uppercase letter
+// (i.e. which would be exported if they were identifiers) are assigned to the
+// corresponding exported fields of the struct.
+//
+// GetStruct will panic if any of these "exported" values are not assignable to
+// their corresponding struct fields.
+func GetStruct(builder interface{}) interface{} {
+	structVal := newBuilderStruct(reflect.TypeOf(builder))
+	if structVal == nil {
+		return nil
+	}
+	return scanStruct(builder, structVal)
+}
+
+// GetStructLike builds a new struct from the given builder with the same type
+// as the given struct.
+//
+// All values set on the builder with names that start with an uppercase letter
+// (i.e. which would be exported if they were identifiers) are assigned to the
+// corresponding exported fields of the struct.
+//
+// ScanStruct will panic if any of these "exported" values are not assignable to
+// their corresponding struct fields.
+func GetStructLike(builder interface{}, strct interface{}) interface{} {
+	structVal := reflect.New(reflect.TypeOf(strct)).Elem()
+	return scanStruct(builder, &structVal)
+}
+
+func scanStruct(builder interface{}, structVal *reflect.Value) interface{} {
+	getBuilderMap(builder).ForEach(func(name string, val ps.Any) {
+		if ast.IsExported(name) {
+			field := structVal.FieldByName(name)
+
+			var value reflect.Value
+			switch v := val.(type) {
+			case nil:
+				switch field.Kind() {
+				case reflect.Chan, reflect.Func, reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:
+					value = reflect.Zero(field.Type())
+				}
+				// nil is not valid for this Type; Set will panic
+			case ps.List:
+				value = listToSlice(v, field.Type())
+			default:
+				value = reflect.ValueOf(val)
+			}
+			field.Set(value)
+		}
+	})
+
+	return structVal.Interface()
+}
diff --git a/vendor/github.com/lann/builder/reflect.go b/vendor/github.com/lann/builder/reflect.go
new file mode 100644
index 0000000000..3b236e7918
--- /dev/null
+++ b/vendor/github.com/lann/builder/reflect.go
@@ -0,0 +1,24 @@
+package builder
+
+import "reflect"
+
+func convert(from interface{}, to interface{}) interface{} {
+	return reflect.
+		ValueOf(from).
+		Convert(reflect.TypeOf(to)).
+		Interface()
+}
+
+func forEach(s interface{}, f func(interface{})) {
+	val := reflect.ValueOf(s)
+
+	kind := val.Kind()
+	if kind != reflect.Slice && kind != reflect.Array {
+		panic(&reflect.ValueError{Method: "builder.forEach", Kind: kind})
+	}
+
+	l := val.Len()
+	for i := 0; i < l; i++ {
+		f(val.Index(i).Interface())
+	}
+}
diff --git a/vendor/github.com/lann/builder/registry.go b/vendor/github.com/lann/builder/registry.go
new file mode 100644
index 0000000000..612845418e
--- /dev/null
+++ b/vendor/github.com/lann/builder/registry.go
@@ -0,0 +1,59 @@
+package builder
+
+import (
+	"reflect"
+	"sync"
+)
+
+var (
+	registry = make(map[reflect.Type]reflect.Type)
+	registryMux sync.RWMutex
+)
+
+// RegisterType maps the given builderType to a structType.
+// This mapping affects the type of slices returned by Get and is required for
+// GetStruct to work.
+//
+// Returns a Value containing an empty instance of the registered builderType.
+//
+// RegisterType will panic if builderType's underlying type is not Builder or
+// if structType's Kind is not Struct.
+func RegisterType(builderType reflect.Type, structType reflect.Type) *reflect.Value {
+	registryMux.Lock()
+	defer registryMux.Unlock()
+	structType.NumField() // Panic if structType is not a struct
+	registry[builderType] = structType
+	emptyValue := emptyBuilderValue.Convert(builderType)
+	return &emptyValue
+}
+
+// Register wraps RegisterType, taking instances instead of Types.
+//
+// Returns an empty instance of the registered builder type which can be used
+// as the initial value for builder expressions. See example.
+func Register(builderProto, structProto interface{}) interface{} {
+	empty := RegisterType(
+		reflect.TypeOf(builderProto),
+		reflect.TypeOf(structProto),
+	).Interface()
+	return empty
+}
+
+func getBuilderStructType(builderType reflect.Type) *reflect.Type {
+	registryMux.RLock()
+	defer registryMux.RUnlock()
+	structType, ok := registry[builderType]
+	if !ok {
+		return nil
+	}
+	return &structType
+}
+
+func newBuilderStruct(builderType reflect.Type) *reflect.Value {
+	structType := getBuilderStructType(builderType)
+	if structType == nil {
+		return nil
+	}
+	newStruct := reflect.New(*structType).Elem()
+	return &newStruct
+}
diff --git a/vendor/github.com/mailru/easyjson/LICENSE b/vendor/github.com/lann/ps/LICENSE
similarity index 96%
rename from vendor/github.com/mailru/easyjson/LICENSE
rename to vendor/github.com/lann/ps/LICENSE
index fbff658f70..69f9ae8d5a 100644
--- a/vendor/github.com/mailru/easyjson/LICENSE
+++ b/vendor/github.com/lann/ps/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2016 Mail.Ru Group
+Copyright (c) 2013 Michael Hendricks
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
diff --git a/vendor/github.com/lann/ps/README.md b/vendor/github.com/lann/ps/README.md
new file mode 100644
index 0000000000..325a5b3540
--- /dev/null
+++ b/vendor/github.com/lann/ps/README.md
@@ -0,0 +1,10 @@
+**This is a stable fork of https://github.com/mndrix/ps; it will not introduce breaking changes.**
+
+ps
+==
+
+Persistent data structures for Go.  See the [full package documentation](http://godoc.org/github.com/lann/ps)
+
+Install with
+
+    go get github.com/lann/ps
diff --git a/vendor/github.com/lann/ps/list.go b/vendor/github.com/lann/ps/list.go
new file mode 100644
index 0000000000..48a1cebacf
--- /dev/null
+++ b/vendor/github.com/lann/ps/list.go
@@ -0,0 +1,93 @@
+package ps
+
+// List is a persistent list of possibly heterogenous values.
+type List interface {
+	// IsNil returns true if the list is empty
+	IsNil() bool
+
+	// Cons returns a new list with val as the head
+	Cons(val Any) List
+
+	// Head returns the first element of the list;
+	// panics if the list is empty
+	Head() Any
+
+	// Tail returns a list with all elements except the head;
+	// panics if the list is empty
+	Tail() List
+
+	// Size returns the list's length.  This takes O(1) time.
+	Size() int
+
+	// ForEach executes a callback for each value in the list.
+	ForEach(f func(Any))
+
+	// Reverse returns a list whose elements are in the opposite order as
+	// the original list.
+	Reverse() List
+}
+
+// Immutable (i.e. persistent) list
+type list struct {
+	depth int // the number of nodes after, and including, this one
+	value Any
+	tail  *list
+}
+
+// An empty list shared by all lists
+var nilList = &list{}
+
+// NewList returns a new, empty list.  The result is a singly linked
+// list implementation.  All lists share an empty tail, so allocating
+// empty lists is efficient in time and memory.
+func NewList() List {
+	return nilList
+}
+
+func (self *list) IsNil() bool {
+	return self == nilList
+}
+
+func (self *list) Size() int {
+	return self.depth
+}
+
+func (tail *list) Cons(val Any) List {
+	var xs list
+	xs.depth = tail.depth + 1
+	xs.value = val
+	xs.tail = tail
+	return &xs
+}
+
+func (self *list) Head() Any {
+	if self.IsNil() {
+		panic("Called Head() on an empty list")
+	}
+
+	return self.value
+}
+
+func (self *list) Tail() List {
+	if self.IsNil() {
+		panic("Called Tail() on an empty list")
+	}
+
+	return self.tail
+}
+
+// ForEach executes a callback for each value in the list
+func (self *list) ForEach(f func(Any)) {
+	if self.IsNil() {
+		return
+	}
+	f(self.Head())
+	self.Tail().ForEach(f)
+}
+
+// Reverse returns a list with elements in opposite order as this list
+func (self *list) Reverse() List {
+	reversed := NewList()
+	self.ForEach(func(v Any) { reversed = reversed.Cons(v) })
+	return reversed
+}
diff --git a/vendor/github.com/lann/ps/map.go b/vendor/github.com/lann/ps/map.go
new file mode 100644
index 0000000000..192daec8f3
--- /dev/null
+++ b/vendor/github.com/lann/ps/map.go
@@ -0,0 +1,311 @@
+// Fully persistent data structures. A persistent data structure is a data
+// structure that always preserves the previous version of itself when
+// it is modified. Such data structures are effectively immutable,
+// as their operations do not update the structure in-place, but instead
+// always yield a new structure.
+//
+// Persistent
+// data structures typically share structure among themselves.  This allows
+// operations to avoid copying the entire data structure.
+package ps
+
+import (
+	"bytes"
+	"fmt"
+)
+
+// Any is a shorthand for Go's verbose interface{} type.
+type Any interface{}
+
+// A Map associates unique keys (type string) with values (type Any).
+type Map interface {
+	// IsNil returns true if the Map is empty
+	IsNil() bool
+
+	// Set returns a new map in which key and value are associated.
+	// If the key didn't exist before, it's created; otherwise, the
+	// associated value is changed.
+	// This operation is O(log N) in the number of keys.
+	Set(key string, value Any) Map
+
+	// Delete returns a new map with the association for key, if any, removed.
+	// This operation is O(log N) in the number of keys.
+	Delete(key string) Map
+
+	// Lookup returns the value associated with a key, if any.  If the key
+	// exists, the second return value is true; otherwise, false.
+	// This operation is O(log N) in the number of keys.
+	Lookup(key string) (Any, bool)
+
+	// Size returns the number of key value pairs in the map.
+	// This takes O(1) time.
+	Size() int
+
+	// ForEach executes a callback on each key value pair in the map.
+	ForEach(f func(key string, val Any))
+
+	// Keys returns a slice with all keys in this map.
+	// This operation is O(N) in the number of keys.
+	Keys() []string
+
+	String() string
+}
+
+// Immutable (i.e. persistent) associative array
+const childCount = 8
+const shiftSize = 3
+
+type tree struct {
+	count    int
+	hash     uint64 // hash of the key (used for tree balancing)
+	key      string
+	value    Any
+	children [childCount]*tree
+}
+
+var nilMap = &tree{}
+
+// Recursively set nilMap's subtrees to point at itself.
+// This eliminates all nil pointers in the map structure.
+// All map nodes are created by cloning this structure so
+// they avoid the problem too.
+func init() {
+	for i := range nilMap.children {
+		nilMap.children[i] = nilMap
+	}
+}
+
+// NewMap allocates a new, persistent map from strings to values of
+// any type.
+// This is currently implemented as a path-copying binary tree.
+func NewMap() Map {
+	return nilMap
+}
+
+func (self *tree) IsNil() bool {
+	return self == nilMap
+}
+
+// clone returns an exact duplicate of a tree node
+func (self *tree) clone() *tree {
+	var m tree
+	m = *self
+	return &m
+}
+
+// constants for FNV-1a hash algorithm
+const (
+	offset64 uint64 = 14695981039346656037
+	prime64  uint64 = 1099511628211
+)
+
+// hashKey returns a hash code for a given string
+func hashKey(key string) uint64 {
+	hash := offset64
+	for _, codepoint := range key {
+		hash ^= uint64(codepoint)
+		hash *= prime64
+	}
+	return hash
+}
+
+// Set returns a new map similar to this one but with key and value
+// associated.  If the key didn't exist, it's created; otherwise, the
+// associated value is changed.
+func (self *tree) Set(key string, value Any) Map {
+	hash := hashKey(key)
+	return setLowLevel(self, hash, hash, key, value)
+}
+
+func setLowLevel(self *tree, partialHash, hash uint64, key string, value Any) *tree {
+	if self.IsNil() { // an empty tree is easy
+		m := self.clone()
+		m.count = 1
+		m.hash = hash
+		m.key = key
+		m.value = value
+		return m
+	}
+
+	if hash != self.hash {
+		m := self.clone()
+		i := partialHash % childCount
+		m.children[i] = setLowLevel(self.children[i], partialHash>>shiftSize, hash, key, value)
+		recalculateCount(m)
+		return m
+	}
+
+	// replacing a key's previous value
+	m := self.clone()
+	m.value = value
+	return m
+}
+
+// modifies a map by recalculating its key count based on the counts
+// of its subtrees
+func recalculateCount(m *tree) {
+	count := 0
+	for _, t := range m.children {
+		count += t.Size()
+	}
+	m.count = count + 1 // add one to count ourself
+}
+
+func (m *tree) Delete(key string) Map {
+	hash := hashKey(key)
+	newMap, _ := deleteLowLevel(m, hash, hash)
+	return newMap
+}
+
+func deleteLowLevel(self *tree, partialHash, hash uint64) (*tree, bool) {
+	// empty trees are easy
+	if self.IsNil() {
+		return self, false
+	}
+
+	if hash != self.hash {
+		i := partialHash % childCount
+		child, found := deleteLowLevel(self.children[i], partialHash>>shiftSize, hash)
+		if !found {
+			return self, false
+		}
+		newMap := self.clone()
+		newMap.children[i] = child
+		recalculateCount(newMap)
+		return newMap, true // ? this wasn't in the original code
+	}
+
+	// we must delete our own node
+	if self.isLeaf() { // we have no children
+		return nilMap, true
+	}
+	/*
+	   if self.subtreeCount() == 1 { // only one subtree
+	       for _, t := range self.children {
+	           if t != nilMap {
+	               return t, true
+	           }
+	       }
+	       panic("Tree with 1 subtree actually had no subtrees")
+	   }
+	*/
+
+	// find a node to replace us
+	i := -1
+	size := -1
+	for j, t := range self.children {
+		if t.Size() > size {
+			i = j
+			size = t.Size()
+		}
+	}
+
+	// make chosen leaf smaller
+	replacement, child := self.children[i].deleteLeftmost()
+	newMap := replacement.clone()
+	for j := range self.children {
+		if j == i {
+			newMap.children[j] = child
+		} else {
+			newMap.children[j] = self.children[j]
+		}
+	}
+	recalculateCount(newMap)
+	return newMap, true
+}
+
+// delete the leftmost node in a tree returning the node that
+// was deleted and the tree left over after its deletion
+func (m *tree) deleteLeftmost() (*tree, *tree) {
+	if m.isLeaf() {
+		return m, nilMap
+	}
+
+	for i, t := range m.children {
+		if t != nilMap {
+			deleted, child := t.deleteLeftmost()
+			newMap := m.clone()
+			newMap.children[i] = child
+			recalculateCount(newMap)
+			return deleted, newMap
+		}
+	}
+	panic("Tree isn't a leaf but also had no children. How does that happen?")
+}
+
+// isLeaf returns true if this is a leaf node
+func (m *tree) isLeaf() bool {
+	return m.Size() == 1
+}
+
+// returns the number of child subtrees we have
+func (m *tree) subtreeCount() int {
+	count := 0
+	for _, t := range m.children {
+		if t != nilMap {
+			count++
+		}
+	}
+	return count
+}
+
+func (m *tree) Lookup(key string) (Any, bool) {
+	hash := hashKey(key)
+	return lookupLowLevel(m, hash, hash)
+}
+
+func lookupLowLevel(self *tree, partialHash, hash uint64) (Any, bool) {
+	if self.IsNil() { // an empty tree is easy
+		return nil, false
+	}
+
+	if hash != self.hash {
+		i := partialHash % childCount
+		return lookupLowLevel(self.children[i], partialHash>>shiftSize, hash)
+	}
+
+	// we found it
+	return self.value, true
+}
+
+func (m *tree) Size() int {
+	return m.count
+}
+
+func (m *tree) ForEach(f func(key string, val Any)) {
+	if m.IsNil() {
+		return
+	}
+
+	// ourself
+	f(m.key, m.value)
+
+	// children
+	for _, t := range m.children {
+		if t != nilMap {
+			t.ForEach(f)
+		}
+	}
+}
+
+func (m *tree) Keys() []string {
+	keys := make([]string, m.Size())
+	i := 0
+	m.ForEach(func(k string, v Any) {
+		keys[i] = k
+		i++
+	})
+	return keys
+}
+
+// make it easier to display maps for debugging
+func (m *tree) String() string {
+	keys := m.Keys()
+	buf := bytes.NewBufferString("{")
+	for _, key := range keys {
+		val, _ := m.Lookup(key)
+		fmt.Fprintf(buf, "%s: %s, ", key, val)
+	}
+	fmt.Fprintf(buf, "}\n")
+	return buf.String()
+}
diff --git a/vendor/github.com/lann/ps/profile.sh b/vendor/github.com/lann/ps/profile.sh
new file mode 100644
index 0000000000..f03df05a5a
--- /dev/null
+++ b/vendor/github.com/lann/ps/profile.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+go test -c
+./ps.test -test.run=none -test.bench=$2 -test.$1profile=$1.profile
diff --git a/vendor/github.com/lib/pq/.gitignore b/vendor/github.com/lib/pq/.gitignore
new file mode 100644
index 0000000000..3243952a4d
--- /dev/null
+++ b/vendor/github.com/lib/pq/.gitignore
@@ -0,0 +1,6 @@
+.db
+*.test
+*~
+*.swp
+.idea
+.vscode
\ No newline at end of file
diff --git a/vendor/github.com/lib/pq/LICENSE.md b/vendor/github.com/lib/pq/LICENSE.md
new file mode 100644
index 0000000000..5773904a30
--- /dev/null
+++ b/vendor/github.com/lib/pq/LICENSE.md
@@ -0,0 +1,8 @@
+Copyright (c) 2011-2013, 'pq' Contributors
+Portions Copyright (C) 2011 Blake Mizerany
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/lib/pq/README.md b/vendor/github.com/lib/pq/README.md
new file mode 100644
index 0000000000..126ee5d35d
--- /dev/null
+++ b/vendor/github.com/lib/pq/README.md
@@ -0,0 +1,36 @@
+# pq - A pure Go postgres driver for Go's database/sql package
+
+[![GoDoc](https://godoc.org/github.com/lib/pq?status.svg)](https://pkg.go.dev/github.com/lib/pq?tab=doc)
+
+## Install
+
+	go get github.com/lib/pq
+
+## Features
+
+* SSL
+* Handles bad connections for `database/sql`
+* Scan `time.Time` correctly (i.e. `timestamp[tz]`, `time[tz]`, `date`)
+* Scan binary blobs correctly (i.e. `bytea`)
+* Package for `hstore` support
+* COPY FROM support
+* pq.ParseURL for converting urls to connection strings for sql.Open.
+* Many libpq compatible environment variables
+* Unix socket support
+* Notifications: `LISTEN`/`NOTIFY`
+* pgpass support
+* GSS (Kerberos) auth
+
+## Tests
+
+`go test` is used for testing.  See [TESTS.md](TESTS.md) for more details.
+
+## Status
+
+This package is currently in maintenance mode, which means:
+1.   It generally does not accept new features.
+2.   It does accept bug fixes and version compatability changes provided by the community.
+3.   Maintainers usually do not resolve reported issues.
+4.   Community members are encouraged to help each other with reported issues.
+
+For users that require new features or reliable resolution of reported bugs, we recommend using [pgx](https://github.com/jackc/pgx) which is under active development.
diff --git a/vendor/github.com/lib/pq/TESTS.md b/vendor/github.com/lib/pq/TESTS.md
new file mode 100644
index 0000000000..f05021115b
--- /dev/null
+++ b/vendor/github.com/lib/pq/TESTS.md
@@ -0,0 +1,33 @@
+# Tests
+
+## Running Tests
+
+`go test` is used for testing. A running PostgreSQL
+server is required, with the ability to log in. The
+database to connect to test with is "pqgotest," on
+"localhost" but these can be overridden using [environment
+variables](https://www.postgresql.org/docs/9.3/static/libpq-envars.html).
+
+Example:
+
+	PGHOST=/run/postgresql go test
+
+## Benchmarks
+
+A benchmark suite can be run as part of the tests:
+
+	go test -bench .
+
+## Example setup (Docker)
+
+Run a postgres container:
+
+```
+docker run --expose 5432:5432 postgres
+```
+
+Run tests:
+
+```
+PGHOST=localhost PGPORT=5432 PGUSER=postgres PGSSLMODE=disable PGDATABASE=postgres go test
+```
diff --git a/vendor/github.com/lib/pq/array.go b/vendor/github.com/lib/pq/array.go
new file mode 100644
index 0000000000..39c8f7e2e0
--- /dev/null
+++ b/vendor/github.com/lib/pq/array.go
@@ -0,0 +1,895 @@
+package pq
+
+import (
+	"bytes"
+	"database/sql"
+	"database/sql/driver"
+	"encoding/hex"
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+)
+
+var typeByteSlice = reflect.TypeOf([]byte{})
+var typeDriverValuer = reflect.TypeOf((*driver.Valuer)(nil)).Elem()
+var typeSQLScanner = reflect.TypeOf((*sql.Scanner)(nil)).Elem()
+
+// Array returns the optimal driver.Valuer and sql.Scanner for an array or
+// slice of any dimension.
+//
+// For example:
+//  db.Query(`SELECT * FROM t WHERE id = ANY($1)`, pq.Array([]int{235, 401}))
+//
+//  var x []sql.NullInt64
+//  db.QueryRow(`SELECT ARRAY[235, 401]`).Scan(pq.Array(&x))
+//
+// Scanning multi-dimensional arrays is not supported.  Arrays where the lower
+// bound is not one (such as `[0:0]={1}') are not supported.
+func Array(a interface{}) interface {
+	driver.Valuer
+	sql.Scanner
+} {
+	switch a := a.(type) {
+	case []bool:
+		return (*BoolArray)(&a)
+	case []float64:
+		return (*Float64Array)(&a)
+	case []float32:
+		return (*Float32Array)(&a)
+	case []int64:
+		return (*Int64Array)(&a)
+	case []int32:
+		return (*Int32Array)(&a)
+	case []string:
+		return (*StringArray)(&a)
+	case [][]byte:
+		return (*ByteaArray)(&a)
+
+	case *[]bool:
+		return (*BoolArray)(a)
+	case *[]float64:
+		return (*Float64Array)(a)
+	case *[]float32:
+		return (*Float32Array)(a)
+	case *[]int64:
+		return (*Int64Array)(a)
+	case *[]int32:
+		return (*Int32Array)(a)
+	case *[]string:
+		return (*StringArray)(a)
+	case *[][]byte:
+		return (*ByteaArray)(a)
+	}
+
+	return GenericArray{a}
+}
+
+// ArrayDelimiter may be optionally implemented by driver.Valuer or sql.Scanner
+// to override the array delimiter used by GenericArray.
+type ArrayDelimiter interface {
+	// ArrayDelimiter returns the delimiter character(s) for this element's type.
+	ArrayDelimiter() string
+}
+
+// BoolArray represents a one-dimensional array of the PostgreSQL boolean type.
+type BoolArray []bool
+
+// Scan implements the sql.Scanner interface.
+func (a *BoolArray) Scan(src interface{}) error {
+	switch src := src.(type) {
+	case []byte:
+		return a.scanBytes(src)
+	case string:
+		return a.scanBytes([]byte(src))
+	case nil:
+		*a = nil
+		return nil
+	}
+
+	return fmt.Errorf("pq: cannot convert %T to BoolArray", src)
+}
+
+func (a *BoolArray) scanBytes(src []byte) error {
+	elems, err := scanLinearArray(src, []byte{','}, "BoolArray")
+	if err != nil {
+		return err
+	}
+	if *a != nil && len(elems) == 0 {
+		*a = (*a)[:0]
+	} else {
+		b := make(BoolArray, len(elems))
+		for i, v := range elems {
+			if len(v) != 1 {
+				return fmt.Errorf("pq: could not parse boolean array index %d: invalid boolean %q", i, v)
+			}
+			switch v[0] {
+			case 't':
+				b[i] = true
+			case 'f':
+				b[i] = false
+			default:
+				return fmt.Errorf("pq: could not parse boolean array index %d: invalid boolean %q", i, v)
+			}
+		}
+		*a = b
+	}
+	return nil
+}
+
+// Value implements the driver.Valuer interface.
+func (a BoolArray) Value() (driver.Value, error) {
+	if a == nil {
+		return nil, nil
+	}
+
+	if n := len(a); n > 0 {
+		// There will be exactly two curly brackets, N bytes of values,
+		// and N-1 bytes of delimiters.
+		b := make([]byte, 1+2*n)
+
+		for i := 0; i < n; i++ {
+			b[2*i] = ','
+			if a[i] {
+				b[1+2*i] = 't'
+			} else {
+				b[1+2*i] = 'f'
+			}
+		}
+
+		b[0] = '{'
+		b[2*n] = '}'
+
+		return string(b), nil
+	}
+
+	return "{}", nil
+}
+
+// ByteaArray represents a one-dimensional array of the PostgreSQL bytea type.
+type ByteaArray [][]byte
+
+// Scan implements the sql.Scanner interface.
+func (a *ByteaArray) Scan(src interface{}) error {
+	switch src := src.(type) {
+	case []byte:
+		return a.scanBytes(src)
+	case string:
+		return a.scanBytes([]byte(src))
+	case nil:
+		*a = nil
+		return nil
+	}
+
+	return fmt.Errorf("pq: cannot convert %T to ByteaArray", src)
+}
+
+func (a *ByteaArray) scanBytes(src []byte) error {
+	elems, err := scanLinearArray(src, []byte{','}, "ByteaArray")
+	if err != nil {
+		return err
+	}
+	if *a != nil && len(elems) == 0 {
+		*a = (*a)[:0]
+	} else {
+		b := make(ByteaArray, len(elems))
+		for i, v := range elems {
+			b[i], err = parseBytea(v)
+			if err != nil {
+				return fmt.Errorf("could not parse bytea array index %d: %s", i, err.Error())
+			}
+		}
+		*a = b
+	}
+	return nil
+}
+
+// Value implements the driver.Valuer interface. It uses the "hex" format which
+// is only supported on PostgreSQL 9.0 or newer.
+func (a ByteaArray) Value() (driver.Value, error) {
+	if a == nil {
+		return nil, nil
+	}
+
+	if n := len(a); n > 0 {
+		// There will be at least two curly brackets, 2*N bytes of quotes,
+		// 3*N bytes of hex formatting, and N-1 bytes of delimiters.
+		size := 1 + 6*n
+		for _, x := range a {
+			size += hex.EncodedLen(len(x))
+		}
+
+		b := make([]byte, size)
+
+		for i, s := 0, b; i < n; i++ {
+			o := copy(s, `,"\\x`)
+			o += hex.Encode(s[o:], a[i])
+			s[o] = '"'
+			s = s[o+1:]
+		}
+
+		b[0] = '{'
+		b[size-1] = '}'
+
+		return string(b), nil
+	}
+
+	return "{}", nil
+}
+
+// Float64Array represents a one-dimensional array of the PostgreSQL double
+// precision type.
+type Float64Array []float64
+
+// Scan implements the sql.Scanner interface.
+func (a *Float64Array) Scan(src interface{}) error {
+	switch src := src.(type) {
+	case []byte:
+		return a.scanBytes(src)
+	case string:
+		return a.scanBytes([]byte(src))
+	case nil:
+		*a = nil
+		return nil
+	}
+
+	return fmt.Errorf("pq: cannot convert %T to Float64Array", src)
+}
+
+func (a *Float64Array) scanBytes(src []byte) error {
+	elems, err := scanLinearArray(src, []byte{','}, "Float64Array")
+	if err != nil {
+		return err
+	}
+	if *a != nil && len(elems) == 0 {
+		*a = (*a)[:0]
+	} else {
+		b := make(Float64Array, len(elems))
+		for i, v := range elems {
+			if b[i], err = strconv.ParseFloat(string(v), 64); err != nil {
+				return fmt.Errorf("pq: parsing array element index %d: %v", i, err)
+			}
+		}
+		*a = b
+	}
+	return nil
+}
+
+// Value implements the driver.Valuer interface.
+func (a Float64Array) Value() (driver.Value, error) {
+	if a == nil {
+		return nil, nil
+	}
+
+	if n := len(a); n > 0 {
+		// There will be at least two curly brackets, N bytes of values,
+		// and N-1 bytes of delimiters.
+		b := make([]byte, 1, 1+2*n)
+		b[0] = '{'
+
+		b = strconv.AppendFloat(b, a[0], 'f', -1, 64)
+		for i := 1; i < n; i++ {
+			b = append(b, ',')
+			b = strconv.AppendFloat(b, a[i], 'f', -1, 64)
+		}
+
+		return string(append(b, '}')), nil
+	}
+
+	return "{}", nil
+}
+
+// Float32Array represents a one-dimensional array of the PostgreSQL double
+// precision type.
+type Float32Array []float32
+
+// Scan implements the sql.Scanner interface.
+func (a *Float32Array) Scan(src interface{}) error {
+	switch src := src.(type) {
+	case []byte:
+		return a.scanBytes(src)
+	case string:
+		return a.scanBytes([]byte(src))
+	case nil:
+		*a = nil
+		return nil
+	}
+
+	return fmt.Errorf("pq: cannot convert %T to Float32Array", src)
+}
+
+func (a *Float32Array) scanBytes(src []byte) error {
+	elems, err := scanLinearArray(src, []byte{','}, "Float32Array")
+	if err != nil {
+		return err
+	}
+	if *a != nil && len(elems) == 0 {
+		*a = (*a)[:0]
+	} else {
+		b := make(Float32Array, len(elems))
+		for i, v := range elems {
+			var x float64
+			if x, err = strconv.ParseFloat(string(v), 32); err != nil {
+				return fmt.Errorf("pq: parsing array element index %d: %v", i, err)
+			}
+			b[i] = float32(x)
+		}
+		*a = b
+	}
+	return nil
+}
+
+// Value implements the driver.Valuer interface.
+func (a Float32Array) Value() (driver.Value, error) {
+	if a == nil {
+		return nil, nil
+	}
+
+	if n := len(a); n > 0 {
+		// There will be at least two curly brackets, N bytes of values,
+		// and N-1 bytes of delimiters.
+		b := make([]byte, 1, 1+2*n)
+		b[0] = '{'
+
+		b = strconv.AppendFloat(b, float64(a[0]), 'f', -1, 32)
+		for i := 1; i < n; i++ {
+			b = append(b, ',')
+			b = strconv.AppendFloat(b, float64(a[i]), 'f', -1, 32)
+		}
+
+		return string(append(b, '}')), nil
+	}
+
+	return "{}", nil
+}
+
+// GenericArray implements the driver.Valuer and sql.Scanner interfaces for
+// an array or slice of any dimension.
+type GenericArray struct{ A interface{} }
+
+func (GenericArray) evaluateDestination(rt reflect.Type) (reflect.Type, func([]byte, reflect.Value) error, string) {
+	var assign func([]byte, reflect.Value) error
+	var del = ","
+
+	// TODO calculate the assign function for other types
+	// TODO repeat this section on the element type of arrays or slices (multidimensional)
+	{
+		if reflect.PtrTo(rt).Implements(typeSQLScanner) {
+			// dest is always addressable because it is an element of a slice.
+			assign = func(src []byte, dest reflect.Value) (err error) {
+				ss := dest.Addr().Interface().(sql.Scanner)
+				if src == nil {
+					err = ss.Scan(nil)
+				} else {
+					err = ss.Scan(src)
+				}
+				return
+			}
+			goto FoundType
+		}
+
+		assign = func([]byte, reflect.Value) error {
+			return fmt.Errorf("pq: scanning to %s is not implemented; only sql.Scanner", rt)
+		}
+	}
+
+FoundType:
+
+	if ad, ok := reflect.Zero(rt).Interface().(ArrayDelimiter); ok {
+		del = ad.ArrayDelimiter()
+	}
+
+	return rt, assign, del
+}
+
+// Scan implements the sql.Scanner interface.
+func (a GenericArray) Scan(src interface{}) error {
+	dpv := reflect.ValueOf(a.A)
+	switch {
+	case dpv.Kind() != reflect.Ptr:
+		return fmt.Errorf("pq: destination %T is not a pointer to array or slice", a.A)
+	case dpv.IsNil():
+		return fmt.Errorf("pq: destination %T is nil", a.A)
+	}
+
+	dv := dpv.Elem()
+	switch dv.Kind() {
+	case reflect.Slice:
+	case reflect.Array:
+	default:
+		return fmt.Errorf("pq: destination %T is not a pointer to array or slice", a.A)
+	}
+
+	switch src := src.(type) {
+	case []byte:
+		return a.scanBytes(src, dv)
+	case string:
+		return a.scanBytes([]byte(src), dv)
+	case nil:
+		if dv.Kind() == reflect.Slice {
+			dv.Set(reflect.Zero(dv.Type()))
+			return nil
+		}
+	}
+
+	return fmt.Errorf("pq: cannot convert %T to %s", src, dv.Type())
+}
+
+func (a GenericArray) scanBytes(src []byte, dv reflect.Value) error {
+	dtype, assign, del := a.evaluateDestination(dv.Type().Elem())
+	dims, elems, err := parseArray(src, []byte(del))
+	if err != nil {
+		return err
+	}
+
+	// TODO allow multidimensional
+
+	if len(dims) > 1 {
+		return fmt.Errorf("pq: scanning from multidimensional ARRAY%s is not implemented",
+			strings.Replace(fmt.Sprint(dims), " ", "][", -1))
+	}
+
+	// Treat a zero-dimensional array like an array with a single dimension of zero.
+	if len(dims) == 0 {
+		dims = append(dims, 0)
+	}
+
+	for i, rt := 0, dv.Type(); i < len(dims); i, rt = i+1, rt.Elem() {
+		switch rt.Kind() {
+		case reflect.Slice:
+		case reflect.Array:
+			if rt.Len() != dims[i] {
+				return fmt.Errorf("pq: cannot convert ARRAY%s to %s",
+					strings.Replace(fmt.Sprint(dims), " ", "][", -1), dv.Type())
+			}
+		default:
+			// TODO handle multidimensional
+		}
+	}
+
+	values := reflect.MakeSlice(reflect.SliceOf(dtype), len(elems), len(elems))
+	for i, e := range elems {
+		if err := assign(e, values.Index(i)); err != nil {
+			return fmt.Errorf("pq: parsing array element index %d: %v", i, err)
+		}
+	}
+
+	// TODO handle multidimensional
+
+	switch dv.Kind() {
+	case reflect.Slice:
+		dv.Set(values.Slice(0, dims[0]))
+	case reflect.Array:
+		for i := 0; i < dims[0]; i++ {
+			dv.Index(i).Set(values.Index(i))
+		}
+	}
+
+	return nil
+}
+
+// Value implements the driver.Valuer interface.
+func (a GenericArray) Value() (driver.Value, error) {
+	if a.A == nil {
+		return nil, nil
+	}
+
+	rv := reflect.ValueOf(a.A)
+
+	switch rv.Kind() {
+	case reflect.Slice:
+		if rv.IsNil() {
+			return nil, nil
+		}
+	case reflect.Array:
+	default:
+		return nil, fmt.Errorf("pq: Unable to convert %T to array", a.A)
+	}
+
+	if n := rv.Len(); n > 0 {
+		// There will be at least two curly brackets, N bytes of values,
+		// and N-1 bytes of delimiters.
+		b := make([]byte, 0, 1+2*n)
+
+		b, _, err := appendArray(b, rv, n)
+		return string(b), err
+	}
+
+	return "{}", nil
+}
+
+// Int64Array represents a one-dimensional array of the PostgreSQL integer types.
+type Int64Array []int64
+
+// Scan implements the sql.Scanner interface.
+func (a *Int64Array) Scan(src interface{}) error {
+	switch src := src.(type) {
+	case []byte:
+		return a.scanBytes(src)
+	case string:
+		return a.scanBytes([]byte(src))
+	case nil:
+		*a = nil
+		return nil
+	}
+
+	return fmt.Errorf("pq: cannot convert %T to Int64Array", src)
+}
+
+func (a *Int64Array) scanBytes(src []byte) error {
+	elems, err := scanLinearArray(src, []byte{','}, "Int64Array")
+	if err != nil {
+		return err
+	}
+	if *a != nil && len(elems) == 0 {
+		*a = (*a)[:0]
+	} else {
+		b := make(Int64Array, len(elems))
+		for i, v := range elems {
+			if b[i], err = strconv.ParseInt(string(v), 10, 64); err != nil {
+				return fmt.Errorf("pq: parsing array element index %d: %v", i, err)
+			}
+		}
+		*a = b
+	}
+	return nil
+}
+
+// Value implements the driver.Valuer interface.
+func (a Int64Array) Value() (driver.Value, error) {
+	if a == nil {
+		return nil, nil
+	}
+
+	if n := len(a); n > 0 {
+		// There will be at least two curly brackets, N bytes of values,
+		// and N-1 bytes of delimiters.
+		b := make([]byte, 1, 1+2*n)
+		b[0] = '{'
+
+		b = strconv.AppendInt(b, a[0], 10)
+		for i := 1; i < n; i++ {
+			b = append(b, ',')
+			b = strconv.AppendInt(b, a[i], 10)
+		}
+
+		return string(append(b, '}')), nil
+	}
+
+	return "{}", nil
+}
+
+// Int32Array represents a one-dimensional array of the PostgreSQL integer types.
+type Int32Array []int32
+
+// Scan implements the sql.Scanner interface.
+func (a *Int32Array) Scan(src interface{}) error {
+	switch src := src.(type) {
+	case []byte:
+		return a.scanBytes(src)
+	case string:
+		return a.scanBytes([]byte(src))
+	case nil:
+		*a = nil
+		return nil
+	}
+
+	return fmt.Errorf("pq: cannot convert %T to Int32Array", src)
+}
+
+func (a *Int32Array) scanBytes(src []byte) error {
+	elems, err := scanLinearArray(src, []byte{','}, "Int32Array")
+	if err != nil {
+		return err
+	}
+	if *a != nil && len(elems) == 0 {
+		*a = (*a)[:0]
+	} else {
+		b := make(Int32Array, len(elems))
+		for i, v := range elems {
+			x, err := strconv.ParseInt(string(v), 10, 32)
+			if err != nil {
+				return fmt.Errorf("pq: parsing array element index %d: %v", i, err)
+			}
+			b[i] = int32(x)
+		}
+		*a = b
+	}
+	return nil
+}
+
+// Value implements the driver.Valuer interface.
+func (a Int32Array) Value() (driver.Value, error) {
+	if a == nil {
+		return nil, nil
+	}
+
+	if n := len(a); n > 0 {
+		// There will be at least two curly brackets, N bytes of values,
+		// and N-1 bytes of delimiters.
+		b := make([]byte, 1, 1+2*n)
+		b[0] = '{'
+
+		b = strconv.AppendInt(b, int64(a[0]), 10)
+		for i := 1; i < n; i++ {
+			b = append(b, ',')
+			b = strconv.AppendInt(b, int64(a[i]), 10)
+		}
+
+		return string(append(b, '}')), nil
+	}
+
+	return "{}", nil
+}
+
+// StringArray represents a one-dimensional array of the PostgreSQL character types.
+type StringArray []string
+
+// Scan implements the sql.Scanner interface.
+func (a *StringArray) Scan(src interface{}) error {
+	switch src := src.(type) {
+	case []byte:
+		return a.scanBytes(src)
+	case string:
+		return a.scanBytes([]byte(src))
+	case nil:
+		*a = nil
+		return nil
+	}
+
+	return fmt.Errorf("pq: cannot convert %T to StringArray", src)
+}
+
+func (a *StringArray) scanBytes(src []byte) error {
+	elems, err := scanLinearArray(src, []byte{','}, "StringArray")
+	if err != nil {
+		return err
+	}
+	if *a != nil && len(elems) == 0 {
+		*a = (*a)[:0]
+	} else {
+		b := make(StringArray, len(elems))
+		for i, v := range elems {
+			if b[i] = string(v); v == nil {
+				return fmt.Errorf("pq: parsing array element index %d: cannot convert nil to string", i)
+			}
+		}
+		*a = b
+	}
+	return nil
+}
+
+// Value implements the driver.Valuer interface.
+func (a StringArray) Value() (driver.Value, error) {
+	if a == nil {
+		return nil, nil
+	}
+
+	if n := len(a); n > 0 {
+		// There will be at least two curly brackets, 2*N bytes of quotes,
+		// and N-1 bytes of delimiters.
+		b := make([]byte, 1, 1+3*n)
+		b[0] = '{'
+
+		b = appendArrayQuotedBytes(b, []byte(a[0]))
+		for i := 1; i < n; i++ {
+			b = append(b, ',')
+			b = appendArrayQuotedBytes(b, []byte(a[i]))
+		}
+
+		return string(append(b, '}')), nil
+	}
+
+	return "{}", nil
+}
+
+// appendArray appends rv to the buffer, returning the extended buffer and
+// the delimiter used between elements.
+//
+// It panics when n <= 0 or rv's Kind is not reflect.Array nor reflect.Slice.
+func appendArray(b []byte, rv reflect.Value, n int) ([]byte, string, error) {
+	var del string
+	var err error
+
+	b = append(b, '{')
+
+	if b, del, err = appendArrayElement(b, rv.Index(0)); err != nil {
+		return b, del, err
+	}
+
+	for i := 1; i < n; i++ {
+		b = append(b, del...)
+		if b, del, err = appendArrayElement(b, rv.Index(i)); err != nil {
+			return b, del, err
+		}
+	}
+
+	return append(b, '}'), del, nil
+}
+
+// appendArrayElement appends rv to the buffer, returning the extended buffer
+// and the delimiter to use before the next element.
+//
+// When rv's Kind is neither reflect.Array nor reflect.Slice, it is converted
+// using driver.DefaultParameterConverter and the resulting []byte or string
+// is double-quoted.
+//
+// See http://www.postgresql.org/docs/current/static/arrays.html#ARRAYS-IO
+func appendArrayElement(b []byte, rv reflect.Value) ([]byte, string, error) {
+	if k := rv.Kind(); k == reflect.Array || k == reflect.Slice {
+		if t := rv.Type(); t != typeByteSlice && !t.Implements(typeDriverValuer) {
+			if n := rv.Len(); n > 0 {
+				return appendArray(b, rv, n)
+			}
+
+			return b, "", nil
+		}
+	}
+
+	var del = ","
+	var err error
+	var iv interface{} = rv.Interface()
+
+	if ad, ok := iv.(ArrayDelimiter); ok {
+		del = ad.ArrayDelimiter()
+	}
+
+	if iv, err = driver.DefaultParameterConverter.ConvertValue(iv); err != nil {
+		return b, del, err
+	}
+
+	switch v := iv.(type) {
+	case nil:
+		return append(b, "NULL"...), del, nil
+	case []byte:
+		return appendArrayQuotedBytes(b, v), del, nil
+	case string:
+		return appendArrayQuotedBytes(b, []byte(v)), del, nil
+	}
+
+	b, err = appendValue(b, iv)
+	return b, del, err
+}
+
+func appendArrayQuotedBytes(b, v []byte) []byte {
+	b = append(b, '"')
+	for {
+		i := bytes.IndexAny(v, `"\`)
+		if i < 0 {
+			b = append(b, v...)
+			break
+		}
+		if i > 0 {
+			b = append(b, v[:i]...)
+		}
+		b = append(b, '\\', v[i])
+		v = v[i+1:]
+	}
+	return append(b, '"')
+}
+
+func appendValue(b []byte, v driver.Value) ([]byte, error) {
+	return append(b, encode(nil, v, 0)...), nil
+}
+
+// parseArray extracts the dimensions and elements of an array represented in
+// text format. Only representations emitted by the backend are supported.
+// Notably, whitespace around brackets and delimiters is significant, and NULL
+// is case-sensitive.
+//
+// See http://www.postgresql.org/docs/current/static/arrays.html#ARRAYS-IO
+func parseArray(src, del []byte) (dims []int, elems [][]byte, err error) {
+	var depth, i int
+
+	if len(src) < 1 || src[0] != '{' {
+		return nil, nil, fmt.Errorf("pq: unable to parse array; expected %q at offset %d", '{', 0)
+	}
+
+Open:
+	for i < len(src) {
+		switch src[i] {
+		case '{':
+			depth++
+			i++
+		case '}':
+			elems = make([][]byte, 0)
+			goto Close
+		default:
+			break Open
+		}
+	}
+	dims = make([]int, i)
+
+Element:
+	for i < len(src) {
+		switch src[i] {
+		case '{':
+			if depth == len(dims) {
+				break Element
+			}
+			depth++
+			dims[depth-1] = 0
+			i++
+		case '"':
+			var elem = []byte{}
+			var escape bool
+			for i++; i < len(src); i++ {
+				if escape {
+					elem = append(elem, src[i])
+					escape = false
+				} else {
+					switch src[i] {
+					default:
+						elem = append(elem, src[i])
+					case '\\':
+						escape = true
+					case '"':
+						elems = append(elems, elem)
+						i++
+						break Element
+					}
+				}
+			}
+		default:
+			for start := i; i < len(src); i++ {
+				if bytes.HasPrefix(src[i:], del) || src[i] == '}' {
+					elem := src[start:i]
+					if len(elem) == 0 {
+						return nil, nil, fmt.Errorf("pq: unable to parse array; unexpected %q at offset %d", src[i], i)
+					}
+					if bytes.Equal(elem, []byte("NULL")) {
+						elem = nil
+					}
+					elems = append(elems, elem)
+					break Element
+				}
+			}
+		}
+	}
+
+	for i < len(src) {
+		if bytes.HasPrefix(src[i:], del) && depth > 0 {
+			dims[depth-1]++
+			i += len(del)
+			goto Element
+		} else if src[i] == '}' && depth > 0 {
+			dims[depth-1]++
+			depth--
+			i++
+		} else {
+			return nil, nil, fmt.Errorf("pq: unable to parse array; unexpected %q at offset %d", src[i], i)
+		}
+	}
+
+Close:
+	for i < len(src) {
+		if src[i] == '}' && depth > 0 {
+			depth--
+			i++
+		} else {
+			return nil, nil, fmt.Errorf("pq: unable to parse array; unexpected %q at offset %d", src[i], i)
+		}
+	}
+	if depth > 0 {
+		err = fmt.Errorf("pq: unable to parse array; expected %q at offset %d", '}', i)
+	}
+	if err == nil {
+		for _, d := range dims {
+			if (len(elems) % d) != 0 {
+				err = fmt.Errorf("pq: multidimensional arrays must have elements with matching dimensions")
+			}
+		}
+	}
+	return
+}
+
+func scanLinearArray(src, del []byte, typ string) (elems [][]byte, err error) {
+	dims, elems, err := parseArray(src, del)
+	if err != nil {
+		return nil, err
+	}
+	if len(dims) > 1 {
+		return nil, fmt.Errorf("pq: cannot convert ARRAY%s to %s", strings.Replace(fmt.Sprint(dims), " ", "][", -1), typ)
+	}
+	return elems, err
+}
diff --git a/vendor/github.com/lib/pq/buf.go b/vendor/github.com/lib/pq/buf.go
new file mode 100644
index 0000000000..4b0a0a8f7e
--- /dev/null
+++ b/vendor/github.com/lib/pq/buf.go
@@ -0,0 +1,91 @@
+package pq
+
+import (
+	"bytes"
+	"encoding/binary"
+
+	"github.com/lib/pq/oid"
+)
+
+type readBuf []byte
+
+func (b *readBuf) int32() (n int) {
+	n = int(int32(binary.BigEndian.Uint32(*b)))
+	*b = (*b)[4:]
+	return
+}
+
+func (b *readBuf) oid() (n oid.Oid) {
+	n = oid.Oid(binary.BigEndian.Uint32(*b))
+	*b = (*b)[4:]
+	return
+}
+
+// N.B: this is actually an unsigned 16-bit integer, unlike int32
+func (b *readBuf) int16() (n int) {
+	n = int(binary.BigEndian.Uint16(*b))
+	*b = (*b)[2:]
+	return
+}
+
+func (b *readBuf) string() string {
+	i := bytes.IndexByte(*b, 0)
+	if i < 0 {
+		errorf("invalid message format; expected string terminator")
+	}
+	s := (*b)[:i]
+	*b = (*b)[i+1:]
+	return string(s)
+}
+
+func (b *readBuf) next(n int) (v []byte) {
+	v = (*b)[:n]
+	*b = (*b)[n:]
+	return
+}
+
+func (b *readBuf) byte() byte {
+	return b.next(1)[0]
+}
+
+type writeBuf struct {
+	buf []byte
+	pos int
+}
+
+func (b *writeBuf) int32(n int) {
+	x := make([]byte, 4)
+	binary.BigEndian.PutUint32(x, uint32(n))
+	b.buf = append(b.buf, x...)
+}
+
+func (b *writeBuf) int16(n int) {
+	x := make([]byte, 2)
+	binary.BigEndian.PutUint16(x, uint16(n))
+	b.buf = append(b.buf, x...)
+}
+
+func (b *writeBuf) string(s string) {
+	b.buf = append(append(b.buf, s...), '\000')
+}
+
+func (b *writeBuf) byte(c byte) {
+	b.buf = append(b.buf, c)
+}
+
+func (b *writeBuf) bytes(v []byte) {
+	b.buf = append(b.buf, v...)
+}
+
+func (b *writeBuf) wrap() []byte {
+	p := b.buf[b.pos:]
+	binary.BigEndian.PutUint32(p, uint32(len(p)))
+	return b.buf
+}
+
+func (b *writeBuf) next(c byte) {
+	p := b.buf[b.pos:]
+	binary.BigEndian.PutUint32(p, uint32(len(p)))
+	b.pos = len(b.buf) + 1
+	b.buf = append(b.buf, c, 0, 0, 0, 0)
+}
diff --git a/vendor/github.com/lib/pq/conn.go b/vendor/github.com/lib/pq/conn.go
new file mode 100644
index 0000000000..da4ff9de60
--- /dev/null
+++ b/vendor/github.com/lib/pq/conn.go
@@ -0,0 +1,2112 @@
+package pq
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"crypto/md5"
+	"crypto/sha256"
+	"database/sql"
+	"database/sql/driver"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/user"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+	"unicode"
+
+	"github.com/lib/pq/oid"
+	"github.com/lib/pq/scram"
+)
+
+// Common error types
+var (
+	ErrNotSupported              = errors.New("pq: Unsupported command")
+	ErrInFailedTransaction       = errors.New("pq: Could not complete operation in a failed transaction")
+	ErrSSLNotSupported           = errors.New("pq: SSL is not enabled on the server")
+	ErrSSLKeyUnknownOwnership    = errors.New("pq: Could not get owner information for private key, may not be properly protected")
+	ErrSSLKeyHasWorldPermissions = errors.New("pq: Private key has world access. Permissions should be u=rw,g=r (0640) if owned by root, or u=rw (0600), or less")
+
+	ErrCouldNotDetectUsername = errors.New("pq: Could not detect default username. Please provide one explicitly")
+
+	errUnexpectedReady = errors.New("unexpected ReadyForQuery")
+	errNoRowsAffected  = errors.New("no RowsAffected available after the empty statement")
+	errNoLastInsertID  = errors.New("no LastInsertId available after the empty statement")
+)
+
+// Compile time validation that our types implement the expected interfaces
+var (
+	_ driver.Driver = Driver{}
+)
+
+// Driver is the Postgres database driver.
+type Driver struct{}
+
+// Open opens a new connection to the database. name is a connection string.
+// Most users should only use it through database/sql package from the standard
+// library.
+func (d Driver) Open(name string) (driver.Conn, error) {
+	return Open(name)
+}
+
+func init() {
+	sql.Register("postgres", &Driver{})
+}
+
+type parameterStatus struct {
+	// server version in the same format as server_version_num, or 0 if
+	// unavailable
+	serverVersion int
+
+	// the current location based on the TimeZone value of the session, if
+	// available
+	currentLocation *time.Location
+}
+
+type transactionStatus byte
+
+const (
+	txnStatusIdle                transactionStatus = 'I'
+	txnStatusIdleInTransaction   transactionStatus = 'T'
+	txnStatusInFailedTransaction transactionStatus = 'E'
+)
+
+func (s transactionStatus) String() string {
+	switch s {
+	case txnStatusIdle:
+		return "idle"
+	case txnStatusIdleInTransaction:
+		return "idle in transaction"
+	case txnStatusInFailedTransaction:
+		return "in a failed transaction"
+	default:
+		errorf("unknown transactionStatus %d", s)
+	}
+
+	panic("not reached")
+}
+
+// Dialer is the dialer interface. It can be used to obtain more control over
+// how pq creates network connections.
+type Dialer interface {
+	Dial(network, address string) (net.Conn, error)
+	DialTimeout(network, address string, timeout time.Duration) (net.Conn, error)
+}
+
+// DialerContext is the context-aware dialer interface.
+type DialerContext interface {
+	DialContext(ctx context.Context, network, address string) (net.Conn, error)
+}
+
+type defaultDialer struct {
+	d net.Dialer
+}
+
+func (d defaultDialer) Dial(network, address string) (net.Conn, error) {
+	return d.d.Dial(network, address)
+}
+func (d defaultDialer) DialTimeout(
+	network, address string, timeout time.Duration,
+) (net.Conn, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	return d.DialContext(ctx, network, address)
+}
+func (d defaultDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return d.d.DialContext(ctx, network, address)
+}
+
+type conn struct {
+	c         net.Conn
+	buf       *bufio.Reader
+	namei     int
+	scratch   [512]byte
+	txnStatus transactionStatus
+	txnFinish func()
+
+	// Save connection arguments to use during CancelRequest.
+	dialer Dialer
+	opts   values
+
+	// Cancellation key data for use with CancelRequest messages.
+	processID int
+	secretKey int
+
+	parameterStatus parameterStatus
+
+	saveMessageType   byte
+	saveMessageBuffer []byte
+
+	// If an error is set, this connection is bad and all public-facing
+	// functions should return the appropriate error by calling get()
+	// (ErrBadConn) or getForNext().
+	err syncErr
+
+	// If set, this connection should never use the binary format when
+	// receiving query results from prepared statements.  Only provided for
+	// debugging.
+	disablePreparedBinaryResult bool
+
+	// Whether to always send []byte parameters over as binary.  Enables single
+	// round-trip mode for non-prepared Query calls.
+	binaryParameters bool
+
+	// If true this connection is in the middle of a COPY
+	inCopy bool
+
+	// If not nil, notices will be synchronously sent here
+	noticeHandler func(*Error)
+
+	// If not nil, notifications will be synchronously sent here
+	notificationHandler func(*Notification)
+
+	// GSSAPI context
+	gss GSS
+}
+
+type syncErr struct {
+	err error
+	sync.Mutex
+}
+
+// Return ErrBadConn if connection is bad.
+func (e *syncErr) get() error {
+	e.Lock()
+	defer e.Unlock()
+	if e.err != nil {
+		return driver.ErrBadConn
+	}
+	return nil
+}
+
+// Return the error set on the connection. Currently only used by rows.Next.
+func (e *syncErr) getForNext() error {
+	e.Lock()
+	defer e.Unlock()
+	return e.err
+}
+
+// Set error, only if it isn't set yet.
+func (e *syncErr) set(err error) {
+	if err == nil {
+		panic("attempt to set nil err")
+	}
+	e.Lock()
+	defer e.Unlock()
+	if e.err == nil {
+		e.err = err
+	}
+}
+
+// Handle driver-side settings in parsed connection string.
+func (cn *conn) handleDriverSettings(o values) (err error) {
+	boolSetting := func(key string, val *bool) error {
+		if value, ok := o[key]; ok {
+			if value == "yes" {
+				*val = true
+			} else if value == "no" {
+				*val = false
+			} else {
+				return fmt.Errorf("unrecognized value %q for %s", value, key)
+			}
+		}
+		return nil
+	}
+
+	err = boolSetting("disable_prepared_binary_result", &cn.disablePreparedBinaryResult)
+	if err != nil {
+		return err
+	}
+	return boolSetting("binary_parameters", &cn.binaryParameters)
+}
+
+func (cn *conn) handlePgpass(o values) {
+	// if a password was supplied, do not process .pgpass
+	if _, ok := o["password"]; ok {
+		return
+	}
+	filename := os.Getenv("PGPASSFILE")
+	if filename == "" {
+		// XXX this code doesn't work on Windows where the default filename is
+		// XXX %APPDATA%\postgresql\pgpass.conf
+		// Prefer $HOME over user.Current due to glibc bug: golang.org/issue/13470
+		userHome := os.Getenv("HOME")
+		if userHome == "" {
+			user, err := user.Current()
+			if err != nil {
+				return
+			}
+			userHome = user.HomeDir
+		}
+		filename = filepath.Join(userHome, ".pgpass")
+	}
+	fileinfo, err := os.Stat(filename)
+	if err != nil {
+		return
+	}
+	mode := fileinfo.Mode()
+	if mode&(0x77) != 0 {
+		// XXX should warn about incorrect .pgpass permissions as psql does
+		return
+	}
+	file, err := os.Open(filename)
+	if err != nil {
+		return
+	}
+	defer file.Close()
+	scanner := bufio.NewScanner(io.Reader(file))
+	// From: https://github.com/tg/pgpass/blob/master/reader.go
+	for scanner.Scan() {
+		if scanText(scanner.Text(), o) {
+			break
+		}
+	}
+}
+
+// GetFields is a helper function for scanText.
+func getFields(s string) []string {
+	fs := make([]string, 0, 5)
+	f := make([]rune, 0, len(s))
+
+	var esc bool
+	for _, c := range s {
+		switch {
+		case esc:
+			f = append(f, c)
+			esc = false
+		case c == '\\':
+			esc = true
+		case c == ':':
+			fs = append(fs, string(f))
+			f = f[:0]
+		default:
+			f = append(f, c)
+		}
+	}
+	return append(fs, string(f))
+}
+
+// ScanText assists HandlePgpass in it's objective.
+func scanText(line string, o values) bool {
+	hostname := o["host"]
+	ntw, _ := network(o)
+	port := o["port"]
+	db := o["dbname"]
+	username := o["user"]
+	if len(line) == 0 || line[0] == '#' {
+		return false
+	}
+	split := getFields(line)
+	if len(split) != 5 {
+		return false
+	}
+	if (split[0] == "*" || split[0] == hostname || (split[0] == "localhost" && (hostname == "" || ntw == "unix"))) && (split[1] == "*" || split[1] == port) && (split[2] == "*" || split[2] == db) && (split[3] == "*" || split[3] == username) {
+		o["password"] = split[4]
+		return true
+	}
+	return false
+}
+
+func (cn *conn) writeBuf(b byte) *writeBuf {
+	cn.scratch[0] = b
+	return &writeBuf{
+		buf: cn.scratch[:5],
+		pos: 1,
+	}
+}
+
+// Open opens a new connection to the database. dsn is a connection string.
+// Most users should only use it through database/sql package from the standard
+// library.
+func Open(dsn string) (_ driver.Conn, err error) {
+	return DialOpen(defaultDialer{}, dsn)
+}
+
+// DialOpen opens a new connection to the database using a dialer.
+func DialOpen(d Dialer, dsn string) (_ driver.Conn, err error) {
+	c, err := NewConnector(dsn)
+	if err != nil {
+		return nil, err
+	}
+	c.Dialer(d)
+	return c.open(context.Background())
+}
+
+func (c *Connector) open(ctx context.Context) (cn *conn, err error) {
+	// Handle any panics during connection initialization.  Note that we
+	// specifically do *not* want to use errRecover(), as that would turn any
+	// connection errors into ErrBadConns, hiding the real error message from
+	// the user.
+	defer errRecoverNoErrBadConn(&err)
+
+	// Create a new values map (copy). This makes it so maps in different
+	// connections do not reference the same underlying data structure, so it
+	// is safe for multiple connections to concurrently write to their opts.
+	o := make(values)
+	for k, v := range c.opts {
+		o[k] = v
+	}
+
+	cn = &conn{
+		opts:   o,
+		dialer: c.dialer,
+	}
+	err = cn.handleDriverSettings(o)
+	if err != nil {
+		return nil, err
+	}
+	cn.handlePgpass(o)
+
+	cn.c, err = dial(ctx, c.dialer, o)
+	if err != nil {
+		return nil, err
+	}
+
+	err = cn.ssl(o)
+	if err != nil {
+		if cn.c != nil {
+			cn.c.Close()
+		}
+		return nil, err
+	}
+
+	// cn.startup panics on error. Make sure we don't leak cn.c.
+	panicking := true
+	defer func() {
+		if panicking {
+			cn.c.Close()
+		}
+	}()
+
+	cn.buf = bufio.NewReader(cn.c)
+	cn.startup(o)
+
+	// reset the deadline, in case one was set (see dial)
+	if timeout, ok := o["connect_timeout"]; ok && timeout != "0" {
+		err = cn.c.SetDeadline(time.Time{})
+	}
+	panicking = false
+	return cn, err
+}
+
+func dial(ctx context.Context, d Dialer, o values) (net.Conn, error) {
+	network, address := network(o)
+
+	// Zero or not specified means wait indefinitely.
+	if timeout, ok := o["connect_timeout"]; ok && timeout != "0" {
+		seconds, err := strconv.ParseInt(timeout, 10, 0)
+		if err != nil {
+			return nil, fmt.Errorf("invalid value for parameter connect_timeout: %s", err)
+		}
+		duration := time.Duration(seconds) * time.Second
+
+		// connect_timeout should apply to the entire connection establishment
+		// procedure, so we both use a timeout for the TCP connection
+		// establishment and set a deadline for doing the initial handshake.
+		// The deadline is then reset after startup() is done.
+		deadline := time.Now().Add(duration)
+		var conn net.Conn
+		if dctx, ok := d.(DialerContext); ok {
+			ctx, cancel := context.WithTimeout(ctx, duration)
+			defer cancel()
+			conn, err = dctx.DialContext(ctx, network, address)
+		} else {
+			conn, err = d.DialTimeout(network, address, duration)
+		}
+		if err != nil {
+			return nil, err
+		}
+		err = conn.SetDeadline(deadline)
+		return conn, err
+	}
+	if dctx, ok := d.(DialerContext); ok {
+		return dctx.DialContext(ctx, network, address)
+	}
+	return d.Dial(network, address)
+}
+
+func network(o values) (string, string) {
+	host := o["host"]
+
+	if strings.HasPrefix(host, "/") {
+		sockPath := path.Join(host, ".s.PGSQL."+o["port"])
+		return "unix", sockPath
+	}
+
+	return "tcp", net.JoinHostPort(host, o["port"])
+}
+
+type values map[string]string
+
+// scanner implements a tokenizer for libpq-style option strings.
+type scanner struct {
+	s []rune
+	i int
+}
+
+// newScanner returns a new scanner initialized with the option string s.
+func newScanner(s string) *scanner {
+	return &scanner{[]rune(s), 0}
+}
+
+// Next returns the next rune.
+// It returns 0, false if the end of the text has been reached.
+func (s *scanner) Next() (rune, bool) {
+	if s.i >= len(s.s) {
+		return 0, false
+	}
+	r := s.s[s.i]
+	s.i++
+	return r, true
+}
+
+// SkipSpaces returns the next non-whitespace rune.
+// It returns 0, false if the end of the text has been reached.
+func (s *scanner) SkipSpaces() (rune, bool) {
+	r, ok := s.Next()
+	for unicode.IsSpace(r) && ok {
+		r, ok = s.Next()
+	}
+	return r, ok
+}
+
+// parseOpts parses the options from name and adds them to the values.
+//
+// The parsing code is based on conninfo_parse from libpq's fe-connect.c
+func parseOpts(name string, o values) error {
+	s := newScanner(name)
+
+	for {
+		var (
+			keyRunes, valRunes []rune
+			r                  rune
+			ok                 bool
+		)
+
+		if r, ok = s.SkipSpaces(); !ok {
+			break
+		}
+
+		// Scan the key
+		for !unicode.IsSpace(r) && r != '=' {
+			keyRunes = append(keyRunes, r)
+			if r, ok = s.Next(); !ok {
+				break
+			}
+		}
+
+		// Skip any whitespace if we're not at the = yet
+		if r != '=' {
+			r, ok = s.SkipSpaces()
+		}
+
+		// The current character should be =
+		if r != '=' || !ok {
+			return fmt.Errorf(`missing "=" after %q in connection info string"`, string(keyRunes))
+		}
+
+		// Skip any whitespace after the =
+		if r, ok = s.SkipSpaces(); !ok {
+			// If we reach the end here, the last value is just an empty string as per libpq.
+			o[string(keyRunes)] = ""
+			break
+		}
+
+		if r != '\'' {
+			for !unicode.IsSpace(r) {
+				if r == '\\' {
+					if r, ok = s.Next(); !ok {
+						return fmt.Errorf(`missing character after backslash`)
+					}
+				}
+				valRunes = append(valRunes, r)
+
+				if r, ok = s.Next(); !ok {
+					break
+				}
+			}
+		} else {
+		quote:
+			for {
+				if r, ok = s.Next(); !ok {
+					return fmt.Errorf(`unterminated quoted string literal in connection string`)
+				}
+				switch r {
+				case '\'':
+					break quote
+				case '\\':
+					r, _ = s.Next()
+					fallthrough
+				default:
+					valRunes = append(valRunes, r)
+				}
+			}
+		}
+
+		o[string(keyRunes)] = string(valRunes)
+	}
+
+	return nil
+}
+
+func (cn *conn) isInTransaction() bool {
+	return cn.txnStatus == txnStatusIdleInTransaction ||
+		cn.txnStatus == txnStatusInFailedTransaction
+}
+
+func (cn *conn) checkIsInTransaction(intxn bool) {
+	if cn.isInTransaction() != intxn {
+		cn.err.set(driver.ErrBadConn)
+		errorf("unexpected transaction status %v", cn.txnStatus)
+	}
+}
+
+func (cn *conn) Begin() (_ driver.Tx, err error) {
+	return cn.begin("")
+}
+
+func (cn *conn) begin(mode string) (_ driver.Tx, err error) {
+	if err := cn.err.get(); err != nil {
+		return nil, err
+	}
+	defer cn.errRecover(&err)
+
+	cn.checkIsInTransaction(false)
+	_, commandTag, err := cn.simpleExec("BEGIN" + mode)
+	if err != nil {
+		return nil, err
+	}
+	if commandTag != "BEGIN" {
+		cn.err.set(driver.ErrBadConn)
+		return nil, fmt.Errorf("unexpected command tag %s", commandTag)
+	}
+	if cn.txnStatus != txnStatusIdleInTransaction {
+		cn.err.set(driver.ErrBadConn)
+		return nil, fmt.Errorf("unexpected transaction status %v", cn.txnStatus)
+	}
+	return cn, nil
+}
+
+func (cn *conn) closeTxn() {
+	if finish := cn.txnFinish; finish != nil {
+		finish()
+	}
+}
+
+func (cn *conn) Commit() (err error) {
+	defer cn.closeTxn()
+	if err := cn.err.get(); err != nil {
+		return err
+	}
+	defer cn.errRecover(&err)
+
+	cn.checkIsInTransaction(true)
+	// We don't want the client to think that everything is okay if it tries
+	// to commit a failed transaction.  However, no matter what we return,
+	// database/sql will release this connection back into the free connection
+	// pool so we have to abort the current transaction here.  Note that you
+	// would get the same behaviour if you issued a COMMIT in a failed
+	// transaction, so it's also the least surprising thing to do here.
+	if cn.txnStatus == txnStatusInFailedTransaction {
+		if err := cn.rollback(); err != nil {
+			return err
+		}
+		return ErrInFailedTransaction
+	}
+
+	_, commandTag, err := cn.simpleExec("COMMIT")
+	if err != nil {
+		if cn.isInTransaction() {
+			cn.err.set(driver.ErrBadConn)
+		}
+		return err
+	}
+	if commandTag != "COMMIT" {
+		cn.err.set(driver.ErrBadConn)
+		return fmt.Errorf("unexpected command tag %s", commandTag)
+	}
+	cn.checkIsInTransaction(false)
+	return nil
+}
+
+func (cn *conn) Rollback() (err error) {
+	defer cn.closeTxn()
+	if err := cn.err.get(); err != nil {
+		return err
+	}
+	defer cn.errRecover(&err)
+	return cn.rollback()
+}
+
+func (cn *conn) rollback() (err error) {
+	cn.checkIsInTransaction(true)
+	_, commandTag, err := cn.simpleExec("ROLLBACK")
+	if err != nil {
+		if cn.isInTransaction() {
+			cn.err.set(driver.ErrBadConn)
+		}
+		return err
+	}
+	if commandTag != "ROLLBACK" {
+		return fmt.Errorf("unexpected command tag %s", commandTag)
+	}
+	cn.checkIsInTransaction(false)
+	return nil
+}
+
+func (cn *conn) gname() string {
+	cn.namei++
+	return strconv.FormatInt(int64(cn.namei), 10)
+}
+
+func (cn *conn) simpleExec(q string) (res driver.Result, commandTag string, err error) {
+	b := cn.writeBuf('Q')
+	b.string(q)
+	cn.send(b)
+
+	for {
+		t, r := cn.recv1()
+		switch t {
+		case 'C':
+			res, commandTag = cn.parseComplete(r.string())
+		case 'Z':
+			cn.processReadyForQuery(r)
+			if res == nil && err == nil {
+				err = errUnexpectedReady
+			}
+			// done
+			return
+		case 'E':
+			err = parseError(r)
+		case 'I':
+			res = emptyRows
+		case 'T', 'D':
+			// ignore any results
+		default:
+			cn.err.set(driver.ErrBadConn)
+			errorf("unknown response for simple query: %q", t)
+		}
+	}
+}
+
+func (cn *conn) simpleQuery(q string) (res *rows, err error) {
+	defer cn.errRecover(&err)
+
+	b := cn.writeBuf('Q')
+	b.string(q)
+	cn.send(b)
+
+	for {
+		t, r := cn.recv1()
+		switch t {
+		case 'C', 'I':
+			// We allow queries which don't return any results through Query as
+			// well as Exec.  We still have to give database/sql a rows object
+			// the user can close, though, to avoid connections from being
+			// leaked.  A "rows" with done=true works fine for that purpose.
+			if err != nil {
+				cn.err.set(driver.ErrBadConn)
+				errorf("unexpected message %q in simple query execution", t)
+			}
+			if res == nil {
+				res = &rows{
+					cn: cn,
+				}
+			}
+			// Set the result and tag to the last command complete if there wasn't a
+			// query already run. Although queries usually return from here and cede
+			// control to Next, a query with zero results does not.
+			if t == 'C' {
+				res.result, res.tag = cn.parseComplete(r.string())
+				if res.colNames != nil {
+					return
+				}
+			}
+			res.done = true
+		case 'Z':
+			cn.processReadyForQuery(r)
+			// done
+			return
+		case 'E':
+			res = nil
+			err = parseError(r)
+		case 'D':
+			if res == nil {
+				cn.err.set(driver.ErrBadConn)
+				errorf("unexpected DataRow in simple query execution")
+			}
+			// the query didn't fail; kick off to Next
+			cn.saveMessage(t, r)
+			return
+		case 'T':
+			// res might be non-nil here if we received a previous
+			// CommandComplete, but that's fine; just overwrite it
+			res = &rows{cn: cn}
+			res.rowsHeader = parsePortalRowDescribe(r)
+
+			// To work around a bug in QueryRow in Go 1.2 and earlier, wait
+			// until the first DataRow has been received.
+		default:
+			cn.err.set(driver.ErrBadConn)
+			errorf("unknown response for simple query: %q", t)
+		}
+	}
+}
+
+type noRows struct{}
+
+var emptyRows noRows
+
+var _ driver.Result = noRows{}
+
+func (noRows) LastInsertId() (int64, error) {
+	return 0, errNoLastInsertID
+}
+
+func (noRows) RowsAffected() (int64, error) {
+	return 0, errNoRowsAffected
+}
+
+// Decides which column formats to use for a prepared statement.  The input is
+// an array of type oids, one element per result column.
+func decideColumnFormats(
+	colTyps []fieldDesc, forceText bool,
+) (colFmts []format, colFmtData []byte) {
+	if len(colTyps) == 0 {
+		return nil, colFmtDataAllText
+	}
+
+	colFmts = make([]format, len(colTyps))
+	if forceText {
+		return colFmts, colFmtDataAllText
+	}
+
+	allBinary := true
+	allText := true
+	for i, t := range colTyps {
+		switch t.OID {
+		// This is the list of types to use binary mode for when receiving them
+		// through a prepared statement.  If a type appears in this list, it
+		// must also be implemented in binaryDecode in encode.go.
+		case oid.T_bytea:
+			fallthrough
+		case oid.T_int8:
+			fallthrough
+		case oid.T_int4:
+			fallthrough
+		case oid.T_int2:
+			fallthrough
+		case oid.T_uuid:
+			colFmts[i] = formatBinary
+			allText = false
+
+		default:
+			allBinary = false
+		}
+	}
+
+	if allBinary {
+		return colFmts, colFmtDataAllBinary
+	} else if allText {
+		return colFmts, colFmtDataAllText
+	} else {
+		colFmtData = make([]byte, 2+len(colFmts)*2)
+		binary.BigEndian.PutUint16(colFmtData, uint16(len(colFmts)))
+		for i, v := range colFmts {
+			binary.BigEndian.PutUint16(colFmtData[2+i*2:], uint16(v))
+		}
+		return colFmts, colFmtData
+	}
+}
+
+func (cn *conn) prepareTo(q, stmtName string) *stmt {
+	st := &stmt{cn: cn, name: stmtName}
+
+	b := cn.writeBuf('P')
+	b.string(st.name)
+	b.string(q)
+	b.int16(0)
+
+	b.next('D')
+	b.byte('S')
+	b.string(st.name)
+
+	b.next('S')
+	cn.send(b)
+
+	cn.readParseResponse()
+	st.paramTyps, st.colNames, st.colTyps = cn.readStatementDescribeResponse()
+	st.colFmts, st.colFmtData = decideColumnFormats(st.colTyps, cn.disablePreparedBinaryResult)
+	cn.readReadyForQuery()
+	return st
+}
+
+func (cn *conn) Prepare(q string) (_ driver.Stmt, err error) {
+	if err := cn.err.get(); err != nil {
+		return nil, err
+	}
+	defer cn.errRecover(&err)
+
+	if len(q) >= 4 && strings.EqualFold(q[:4], "COPY") {
+		s, err := cn.prepareCopyIn(q)
+		if err == nil {
+			cn.inCopy = true
+		}
+		return s, err
+	}
+	return cn.prepareTo(q, cn.gname()), nil
+}
+
+func (cn *conn) Close() (err error) {
+	// Skip cn.bad return here because we always want to close a connection.
+	defer cn.errRecover(&err)
+
+	// Ensure that cn.c.Close is always run. Since error handling is done with
+	// panics and cn.errRecover, the Close must be in a defer.
+	defer func() {
+		cerr := cn.c.Close()
+		if err == nil {
+			err = cerr
+		}
+	}()
+
+	// Don't go through send(); ListenerConn relies on us not scribbling on the
+	// scratch buffer of this connection.
+	return cn.sendSimpleMessage('X')
+}
+
+// Implement the "Queryer" interface
+func (cn *conn) Query(query string, args []driver.Value) (driver.Rows, error) {
+	return cn.query(query, args)
+}
+
+func (cn *conn) query(query string, args []driver.Value) (_ *rows, err error) {
+	if err := cn.err.get(); err != nil {
+		return nil, err
+	}
+	if cn.inCopy {
+		return nil, errCopyInProgress
+	}
+	defer cn.errRecover(&err)
+
+	// Check to see if we can use the "simpleQuery" interface, which is
+	// *much* faster than going through prepare/exec
+	if len(args) == 0 {
+		return cn.simpleQuery(query)
+	}
+
+	if cn.binaryParameters {
+		cn.sendBinaryModeQuery(query, args)
+
+		cn.readParseResponse()
+		cn.readBindResponse()
+		rows := &rows{cn: cn}
+		rows.rowsHeader = cn.readPortalDescribeResponse()
+		cn.postExecuteWorkaround()
+		return rows, nil
+	}
+	st := cn.prepareTo(query, "")
+	st.exec(args)
+	return &rows{
+		cn:         cn,
+		rowsHeader: st.rowsHeader,
+	}, nil
+}
+
+// Implement the optional "Execer" interface for one-shot queries
+func (cn *conn) Exec(query string, args []driver.Value) (res driver.Result, err error) {
+	if err := cn.err.get(); err != nil {
+		return nil, err
+	}
+	defer cn.errRecover(&err)
+
+	// Check to see if we can use the "simpleExec" interface, which is
+	// *much* faster than going through prepare/exec
+	if len(args) == 0 {
+		// ignore commandTag, our caller doesn't care
+		r, _, err := cn.simpleExec(query)
+		return r, err
+	}
+
+	if cn.binaryParameters {
+		cn.sendBinaryModeQuery(query, args)
+
+		cn.readParseResponse()
+		cn.readBindResponse()
+		cn.readPortalDescribeResponse()
+		cn.postExecuteWorkaround()
+		res, _, err = cn.readExecuteResponse("Execute")
+		return res, err
+	}
+	// Use the unnamed statement to defer planning until bind
+	// time, or else value-based selectivity estimates cannot be
+	// used.
+	st := cn.prepareTo(query, "")
+	r, err := st.Exec(args)
+	if err != nil {
+		panic(err)
+	}
+	return r, err
+}
+
+type safeRetryError struct {
+	Err error
+}
+
+func (se *safeRetryError) Error() string {
+	return se.Err.Error()
+}
+
+func (cn *conn) send(m *writeBuf) {
+	n, err := cn.c.Write(m.wrap())
+	if err != nil {
+		if n == 0 {
+			err = &safeRetryError{Err: err}
+		}
+		panic(err)
+	}
+}
+
+func (cn *conn) sendStartupPacket(m *writeBuf) error {
+	_, err := cn.c.Write((m.wrap())[1:])
+	return err
+}
+
+// Send a message of type typ to the server on the other end of cn.  The
+// message should have no payload.  This method does not use the scratch
+// buffer.
+func (cn *conn) sendSimpleMessage(typ byte) (err error) {
+	_, err = cn.c.Write([]byte{typ, '\x00', '\x00', '\x00', '\x04'})
+	return err
+}
+
+// saveMessage memorizes a message and its buffer in the conn struct.
+// recvMessage will then return these values on the next call to it.  This
+// method is useful in cases where you have to see what the next message is
+// going to be (e.g. to see whether it's an error or not) but you can't handle
+// the message yourself.
+func (cn *conn) saveMessage(typ byte, buf *readBuf) {
+	if cn.saveMessageType != 0 {
+		cn.err.set(driver.ErrBadConn)
+		errorf("unexpected saveMessageType %d", cn.saveMessageType)
+	}
+	cn.saveMessageType = typ
+	cn.saveMessageBuffer = *buf
+}
+
+// recvMessage receives any message from the backend, or returns an error if
+// a problem occurred while reading the message.
+func (cn *conn) recvMessage(r *readBuf) (byte, error) {
+	// workaround for a QueryRow bug, see exec
+	if cn.saveMessageType != 0 {
+		t := cn.saveMessageType
+		*r = cn.saveMessageBuffer
+		cn.saveMessageType = 0
+		cn.saveMessageBuffer = nil
+		return t, nil
+	}
+
+	x := cn.scratch[:5]
+	_, err := io.ReadFull(cn.buf, x)
+	if err != nil {
+		return 0, err
+	}
+
+	// read the type and length of the message that follows
+	t := x[0]
+	n := int(binary.BigEndian.Uint32(x[1:])) - 4
+	var y []byte
+	if n <= len(cn.scratch) {
+		y = cn.scratch[:n]
+	} else {
+		y = make([]byte, n)
+	}
+	_, err = io.ReadFull(cn.buf, y)
+	if err != nil {
+		return 0, err
+	}
+	*r = y
+	return t, nil
+}
+
+// recv receives a message from the backend, but if an error happened while
+// reading the message or the received message was an ErrorResponse, it panics.
+// NoticeResponses are ignored.  This function should generally be used only
+// during the startup sequence.
+func (cn *conn) recv() (t byte, r *readBuf) {
+	for {
+		var err error
+		r = &readBuf{}
+		t, err = cn.recvMessage(r)
+		if err != nil {
+			panic(err)
+		}
+		switch t {
+		case 'E':
+			panic(parseError(r))
+		case 'N':
+			if n := cn.noticeHandler; n != nil {
+				n(parseError(r))
+			}
+		case 'A':
+			if n := cn.notificationHandler; n != nil {
+				n(recvNotification(r))
+			}
+		default:
+			return
+		}
+	}
+}
+
+// recv1Buf is exactly equivalent to recv1, except it uses a buffer supplied by
+// the caller to avoid an allocation.
+func (cn *conn) recv1Buf(r *readBuf) byte {
+	for {
+		t, err := cn.recvMessage(r)
+		if err != nil {
+			panic(err)
+		}
+
+		switch t {
+		case 'A':
+			if n := cn.notificationHandler; n != nil {
+				n(recvNotification(r))
+			}
+		case 'N':
+			if n := cn.noticeHandler; n != nil {
+				n(parseError(r))
+			}
+		case 'S':
+			cn.processParameterStatus(r)
+		default:
+			return t
+		}
+	}
+}
+
+// recv1 receives a message from the backend, panicking if an error occurs
+// while attempting to read it.  All asynchronous messages are ignored, with
+// the exception of ErrorResponse.
+func (cn *conn) recv1() (t byte, r *readBuf) {
+	r = &readBuf{}
+	t = cn.recv1Buf(r)
+	return t, r
+}
+
+func (cn *conn) ssl(o values) error {
+	upgrade, err := ssl(o)
+	if err != nil {
+		return err
+	}
+
+	if upgrade == nil {
+		// Nothing to do
+		return nil
+	}
+
+	w := cn.writeBuf(0)
+	w.int32(80877103)
+	if err = cn.sendStartupPacket(w); err != nil {
+		return err
+	}
+
+	b := cn.scratch[:1]
+	_, err = io.ReadFull(cn.c, b)
+	if err != nil {
+		return err
+	}
+
+	if b[0] != 'S' {
+		return ErrSSLNotSupported
+	}
+
+	cn.c, err = upgrade(cn.c)
+	return err
+}
+
+// isDriverSetting returns true iff a setting is purely for configuring the
+// driver's options and should not be sent to the server in the connection
+// startup packet.
+func isDriverSetting(key string) bool {
+	switch key {
+	case "host", "port":
+		return true
+	case "password":
+		return true
+	case "sslmode", "sslcert", "sslkey", "sslrootcert", "sslinline", "sslsni":
+		return true
+	case "fallback_application_name":
+		return true
+	case "connect_timeout":
+		return true
+	case "disable_prepared_binary_result":
+		return true
+	case "binary_parameters":
+		return true
+	case "krbsrvname":
+		return true
+	case "krbspn":
+		return true
+	default:
+		return false
+	}
+}
+
+func (cn *conn) startup(o values) {
+	w := cn.writeBuf(0)
+	w.int32(196608)
+	// Send the backend the name of the database we want to connect to, and the
+	// user we want to connect as.  Additionally, we send over any run-time
+	// parameters potentially included in the connection string.  If the server
+	// doesn't recognize any of them, it will reply with an error.
+	for k, v := range o {
+		if isDriverSetting(k) {
+			// skip options which can't be run-time parameters
+			continue
+		}
+		// The protocol requires us to supply the database name as "database"
+		// instead of "dbname".
+		if k == "dbname" {
+			k = "database"
+		}
+		w.string(k)
+		w.string(v)
+	}
+	w.string("")
+	if err := cn.sendStartupPacket(w); err != nil {
+		panic(err)
+	}
+
+	for {
+		t, r := cn.recv()
+		switch t {
+		case 'K':
+			cn.processBackendKeyData(r)
+		case 'S':
+			cn.processParameterStatus(r)
+		case 'R':
+			cn.auth(r, o)
+		case 'Z':
+			cn.processReadyForQuery(r)
+			return
+		default:
+			errorf("unknown response for startup: %q", t)
+		}
+	}
+}
+
+func (cn *conn) auth(r *readBuf, o values) {
+	switch code := r.int32(); code {
+	case 0:
+		// OK
+	case 3:
+		w := cn.writeBuf('p')
+		w.string(o["password"])
+		cn.send(w)
+
+		t, r := cn.recv()
+		if t != 'R' {
+			errorf("unexpected password response: %q", t)
+		}
+
+		if r.int32() != 0 {
+			errorf("unexpected authentication response: %q", t)
+		}
+	case 5:
+		s := string(r.next(4))
+		w := cn.writeBuf('p')
+		w.string("md5" + md5s(md5s(o["password"]+o["user"])+s))
+		cn.send(w)
+
+		t, r := cn.recv()
+		if t != 'R' {
+			errorf("unexpected password response: %q", t)
+		}
+
+		if r.int32() != 0 {
+			errorf("unexpected authentication response: %q", t)
+		}
+	case 7: // GSSAPI, startup
+		if newGss == nil {
+			errorf("kerberos error: no GSSAPI provider registered (import github.com/lib/pq/auth/kerberos if you need Kerberos support)")
+		}
+		cli, err := newGss()
+		if err != nil {
+			errorf("kerberos error: %s", err.Error())
+		}
+
+		var token []byte
+
+		if spn, ok := o["krbspn"]; ok {
+			// Use the supplied SPN if provided..
+			token, err = cli.GetInitTokenFromSpn(spn)
+		} else {
+			// Allow the kerberos service name to be overridden
+			service := "postgres"
+			if val, ok := o["krbsrvname"]; ok {
+				service = val
+			}
+
+			token, err = cli.GetInitToken(o["host"], service)
+		}
+
+		if err != nil {
+			errorf("failed to get Kerberos ticket: %q", err)
+		}
+
+		w := cn.writeBuf('p')
+		w.bytes(token)
+		cn.send(w)
+
+		// Store for GSSAPI continue message
+		cn.gss = cli
+
+	case 8: // GSSAPI continue
+
+		if cn.gss == nil {
+			errorf("GSSAPI protocol error")
+		}
+
+		b := []byte(*r)
+
+		done, tokOut, err := cn.gss.Continue(b)
+		if err == nil && !done {
+			w := cn.writeBuf('p')
+			w.bytes(tokOut)
+			cn.send(w)
+		}
+
+		// Errors fall through and read the more detailed message
+		// from the server..
+
+	case 10:
+		sc := scram.NewClient(sha256.New, o["user"], o["password"])
+		sc.Step(nil)
+		if sc.Err() != nil {
+			errorf("SCRAM-SHA-256 error: %s", sc.Err().Error())
+		}
+		scOut := sc.Out()
+
+		w := cn.writeBuf('p')
+		w.string("SCRAM-SHA-256")
+		w.int32(len(scOut))
+		w.bytes(scOut)
+		cn.send(w)
+
+		t, r := cn.recv()
+		if t != 'R' {
+			errorf("unexpected password response: %q", t)
+		}
+
+		if r.int32() != 11 {
+			errorf("unexpected authentication response: %q", t)
+		}
+
+		nextStep := r.next(len(*r))
+		sc.Step(nextStep)
+		if sc.Err() != nil {
+			errorf("SCRAM-SHA-256 error: %s", sc.Err().Error())
+		}
+
+		scOut = sc.Out()
+		w = cn.writeBuf('p')
+		w.bytes(scOut)
+		cn.send(w)
+
+		t, r = cn.recv()
+		if t != 'R' {
+			errorf("unexpected password response: %q", t)
+		}
+
+		if r.int32() != 12 {
+			errorf("unexpected authentication response: %q", t)
+		}
+
+		nextStep = r.next(len(*r))
+		sc.Step(nextStep)
+		if sc.Err() != nil {
+			errorf("SCRAM-SHA-256 error: %s", sc.Err().Error())
+		}
+
+	default:
+		errorf("unknown authentication response: %d", code)
+	}
+}
+
+type format int
+
+const formatText format = 0
+const formatBinary format = 1
+
+// One result-column format code with the value 1 (i.e. all binary).
+var colFmtDataAllBinary = []byte{0, 1, 0, 1}
+
+// No result-column format codes (i.e. all text).
+var colFmtDataAllText = []byte{0, 0}
+
+type stmt struct {
+	cn   *conn
+	name string
+	rowsHeader
+	colFmtData []byte
+	paramTyps  []oid.Oid
+	closed     bool
+}
+
+func (st *stmt) Close() (err error) {
+	if st.closed {
+		return nil
+	}
+	if err := st.cn.err.get(); err != nil {
+		return err
+	}
+	defer st.cn.errRecover(&err)
+
+	w := st.cn.writeBuf('C')
+	w.byte('S')
+	w.string(st.name)
+	st.cn.send(w)
+
+	st.cn.send(st.cn.writeBuf('S'))
+
+	t, _ := st.cn.recv1()
+	if t != '3' {
+		st.cn.err.set(driver.ErrBadConn)
+		errorf("unexpected close response: %q", t)
+	}
+	st.closed = true
+
+	t, r := st.cn.recv1()
+	if t != 'Z' {
+		st.cn.err.set(driver.ErrBadConn)
+		errorf("expected ready for query, but got: %q", t)
+	}
+	st.cn.processReadyForQuery(r)
+
+	return nil
+}
+
+func (st *stmt) Query(v []driver.Value) (r driver.Rows, err error) {
+	return st.query(v)
+}
+
+func (st *stmt) query(v []driver.Value) (r *rows, err error) {
+	if err := st.cn.err.get(); err != nil {
+		return nil, err
+	}
+	defer st.cn.errRecover(&err)
+
+	st.exec(v)
+	return &rows{
+		cn:         st.cn,
+		rowsHeader: st.rowsHeader,
+	}, nil
+}
+
+func (st *stmt) Exec(v []driver.Value) (res driver.Result, err error) {
+	if err := st.cn.err.get(); err != nil {
+		return nil, err
+	}
+	defer st.cn.errRecover(&err)
+
+	st.exec(v)
+	res, _, err = st.cn.readExecuteResponse("simple query")
+	return res, err
+}
+
+func (st *stmt) exec(v []driver.Value) {
+	if len(v) >= 65536 {
+		errorf("got %d parameters but PostgreSQL only supports 65535 parameters", len(v))
+	}
+	if len(v) != len(st.paramTyps) {
+		errorf("got %d parameters but the statement requires %d", len(v), len(st.paramTyps))
+	}
+
+	cn := st.cn
+	w := cn.writeBuf('B')
+	w.byte(0) // unnamed portal
+	w.string(st.name)
+
+	if cn.binaryParameters {
+		cn.sendBinaryParameters(w, v)
+	} else {
+		w.int16(0)
+		w.int16(len(v))
+		for i, x := range v {
+			if x == nil {
+				w.int32(-1)
+			} else {
+				b := encode(&cn.parameterStatus, x, st.paramTyps[i])
+				w.int32(len(b))
+				w.bytes(b)
+			}
+		}
+	}
+	w.bytes(st.colFmtData)
+
+	w.next('E')
+	w.byte(0)
+	w.int32(0)
+
+	w.next('S')
+	cn.send(w)
+
+	cn.readBindResponse()
+	cn.postExecuteWorkaround()
+
+}
+
+func (st *stmt) NumInput() int {
+	return len(st.paramTyps)
+}
+
+// parseComplete parses the "command tag" from a CommandComplete message, and
+// returns the number of rows affected (if applicable) and a string
+// identifying only the command that was executed, e.g. "ALTER TABLE".  If the
+// command tag could not be parsed, parseComplete panics.
+func (cn *conn) parseComplete(commandTag string) (driver.Result, string) {
+	commandsWithAffectedRows := []string{
+		"SELECT ",
+		// INSERT is handled below
+		"UPDATE ",
+		"DELETE ",
+		"FETCH ",
+		"MOVE ",
+		"COPY ",
+	}
+
+	var affectedRows *string
+	for _, tag := range commandsWithAffectedRows {
+		if strings.HasPrefix(commandTag, tag) {
+			t := commandTag[len(tag):]
+			affectedRows = &t
+			commandTag = tag[:len(tag)-1]
+			break
+		}
+	}
+	// INSERT also includes the oid of the inserted row in its command tag.
+	// Oids in user tables are deprecated, and the oid is only returned when
+	// exactly one row is inserted, so it's unlikely to be of value to any
+	// real-world application and we can ignore it.
+	if affectedRows == nil && strings.HasPrefix(commandTag, "INSERT ") {
+		parts := strings.Split(commandTag, " ")
+		if len(parts) != 3 {
+			cn.err.set(driver.ErrBadConn)
+			errorf("unexpected INSERT command tag %s", commandTag)
+		}
+		affectedRows = &parts[len(parts)-1]
+		commandTag = "INSERT"
+	}
+	// There should be no affected rows attached to the tag, just return it
+	if affectedRows == nil {
+		return driver.RowsAffected(0), commandTag
+	}
+	n, err := strconv.ParseInt(*affectedRows, 10, 64)
+	if err != nil {
+		cn.err.set(driver.ErrBadConn)
+		errorf("could not parse commandTag: %s", err)
+	}
+	return driver.RowsAffected(n), commandTag
+}
+
+type rowsHeader struct {
+	colNames []string
+	colTyps  []fieldDesc
+	colFmts  []format
+}
+
+type rows struct {
+	cn     *conn
+	finish func()
+	rowsHeader
+	done   bool
+	rb     readBuf
+	result driver.Result
+	tag    string
+
+	next *rowsHeader
+}
+
+func (rs *rows) Close() error {
+	if finish := rs.finish; finish != nil {
+		defer finish()
+	}
+	// no need to look at cn.bad as Next() will
+	for {
+		err := rs.Next(nil)
+		switch err {
+		case nil:
+		case io.EOF:
+			// rs.Next can return io.EOF on both 'Z' (ready for query) and 'T' (row
+			// description, used with HasNextResultSet). We need to fetch messages until
+			// we hit a 'Z', which is done by waiting for done to be set.
+			if rs.done {
+				return nil
+			}
+		default:
+			return err
+		}
+	}
+}
+
+func (rs *rows) Columns() []string {
+	return rs.colNames
+}
+
+func (rs *rows) Result() driver.Result {
+	if rs.result == nil {
+		return emptyRows
+	}
+	return rs.result
+}
+
+func (rs *rows) Tag() string {
+	return rs.tag
+}
+
+func (rs *rows) Next(dest []driver.Value) (err error) {
+	if rs.done {
+		return io.EOF
+	}
+
+	conn := rs.cn
+	if err := conn.err.getForNext(); err != nil {
+		return err
+	}
+	defer conn.errRecover(&err)
+
+	for {
+		t := conn.recv1Buf(&rs.rb)
+		switch t {
+		case 'E':
+			err = parseError(&rs.rb)
+		case 'C', 'I':
+			if t == 'C' {
+				rs.result, rs.tag = conn.parseComplete(rs.rb.string())
+			}
+			continue
+		case 'Z':
+			conn.processReadyForQuery(&rs.rb)
+			rs.done = true
+			if err != nil {
+				return err
+			}
+			return io.EOF
+		case 'D':
+			n := rs.rb.int16()
+			if err != nil {
+				conn.err.set(driver.ErrBadConn)
+				errorf("unexpected DataRow after error %s", err)
+			}
+			if n < len(dest) {
+				dest = dest[:n]
+			}
+			for i := range dest {
+				l := rs.rb.int32()
+				if l == -1 {
+					dest[i] = nil
+					continue
+				}
+				dest[i] = decode(&conn.parameterStatus, rs.rb.next(l), rs.colTyps[i].OID, rs.colFmts[i])
+			}
+			return
+		case 'T':
+			next := parsePortalRowDescribe(&rs.rb)
+			rs.next = &next
+			return io.EOF
+		default:
+			errorf("unexpected message after execute: %q", t)
+		}
+	}
+}
+
+func (rs *rows) HasNextResultSet() bool {
+	hasNext := rs.next != nil && !rs.done
+	return hasNext
+}
+
+func (rs *rows) NextResultSet() error {
+	if rs.next == nil {
+		return io.EOF
+	}
+	rs.rowsHeader = *rs.next
+	rs.next = nil
+	return nil
+}
+
+// QuoteIdentifier quotes an "identifier" (e.g. a table or a column name) to be
+// used as part of an SQL statement.  For example:
+//
+//	tblname := "my_table"
+//	data := "my_data"
+//	quoted := pq.QuoteIdentifier(tblname)
+//	err := db.Exec(fmt.Sprintf("INSERT INTO %s VALUES ($1)", quoted), data)
+//
+// Any double quotes in name will be escaped.  The quoted identifier will be
+// case sensitive when used in a query.  If the input string contains a zero
+// byte, the result will be truncated immediately before it.
+func QuoteIdentifier(name string) string {
+	end := strings.IndexRune(name, 0)
+	if end > -1 {
+		name = name[:end]
+	}
+	return `"` + strings.Replace(name, `"`, `""`, -1) + `"`
+}
+
+// BufferQuoteIdentifier satisfies the same purpose as QuoteIdentifier, but backed by a
+// byte buffer.
+func BufferQuoteIdentifier(name string, buffer *bytes.Buffer) {
+	end := strings.IndexRune(name, 0)
+	if end > -1 {
+		name = name[:end]
+	}
+	buffer.WriteRune('"')
+	buffer.WriteString(strings.Replace(name, `"`, `""`, -1))
+	buffer.WriteRune('"')
+}
+
+// QuoteLiteral quotes a 'literal' (e.g. a parameter, often used to pass literal
+// to DDL and other statements that do not accept parameters) to be used as part
+// of an SQL statement.  For example:
+//
+//	exp_date := pq.QuoteLiteral("2023-01-05 15:00:00Z")
+//	err := db.Exec(fmt.Sprintf("CREATE ROLE my_user VALID UNTIL %s", exp_date))
+//
+// Any single quotes in name will be escaped. Any backslashes (i.e. "\") will be
+// replaced by two backslashes (i.e. "\\") and the C-style escape identifier
+// that PostgreSQL provides ('E') will be prepended to the string.
+func QuoteLiteral(literal string) string {
+	// This follows the PostgreSQL internal algorithm for handling quoted literals
+	// from libpq, which can be found in the "PQEscapeStringInternal" function,
+	// which is found in the libpq/fe-exec.c source file:
+	// https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/interfaces/libpq/fe-exec.c
+	//
+	// substitute any single-quotes (') with two single-quotes ('')
+	literal = strings.Replace(literal, `'`, `''`, -1)
+	// determine if the string has any backslashes (\) in it.
+	// if it does, replace any backslashes (\) with two backslashes (\\)
+	// then, we need to wrap the entire string with a PostgreSQL
+	// C-style escape. Per how "PQEscapeStringInternal" handles this case, we
+	// also add a space before the "E"
+	if strings.Contains(literal, `\`) {
+		literal = strings.Replace(literal, `\`, `\\`, -1)
+		literal = ` E'` + literal + `'`
+	} else {
+		// otherwise, we can just wrap the literal with a pair of single quotes
+		literal = `'` + literal + `'`
+	}
+	return literal
+}
+
+func md5s(s string) string {
+	h := md5.New()
+	h.Write([]byte(s))
+	return fmt.Sprintf("%x", h.Sum(nil))
+}
+
+func (cn *conn) sendBinaryParameters(b *writeBuf, args []driver.Value) {
+	// Do one pass over the parameters to see if we're going to send any of
+	// them over in binary.  If we are, create a paramFormats array at the
+	// same time.
+	var paramFormats []int
+	for i, x := range args {
+		_, ok := x.([]byte)
+		if ok {
+			if paramFormats == nil {
+				paramFormats = make([]int, len(args))
+			}
+			paramFormats[i] = 1
+		}
+	}
+	if paramFormats == nil {
+		b.int16(0)
+	} else {
+		b.int16(len(paramFormats))
+		for _, x := range paramFormats {
+			b.int16(x)
+		}
+	}
+
+	b.int16(len(args))
+	for _, x := range args {
+		if x == nil {
+			b.int32(-1)
+		} else {
+			datum := binaryEncode(&cn.parameterStatus, x)
+			b.int32(len(datum))
+			b.bytes(datum)
+		}
+	}
+}
+
+func (cn *conn) sendBinaryModeQuery(query string, args []driver.Value) {
+	if len(args) >= 65536 {
+		errorf("got %d parameters but PostgreSQL only supports 65535 parameters", len(args))
+	}
+
+	b := cn.writeBuf('P')
+	b.byte(0) // unnamed statement
+	b.string(query)
+	b.int16(0)
+
+	b.next('B')
+	b.int16(0) // unnamed portal and statement
+	cn.sendBinaryParameters(b, args)
+	b.bytes(colFmtDataAllText)
+
+	b.next('D')
+	b.byte('P')
+	b.byte(0) // unnamed portal
+
+	b.next('E')
+	b.byte(0)
+	b.int32(0)
+
+	b.next('S')
+	cn.send(b)
+}
+
+func (cn *conn) processParameterStatus(r *readBuf) {
+	var err error
+
+	param := r.string()
+	switch param {
+	case "server_version":
+		var major1 int
+		var major2 int
+		_, err = fmt.Sscanf(r.string(), "%d.%d", &major1, &major2)
+		if err == nil {
+			cn.parameterStatus.serverVersion = major1*10000 + major2*100
+		}
+
+	case "TimeZone":
+		cn.parameterStatus.currentLocation, err = time.LoadLocation(r.string())
+		if err != nil {
+			cn.parameterStatus.currentLocation = nil
+		}
+
+	default:
+		// ignore
+	}
+}
+
+func (cn *conn) processReadyForQuery(r *readBuf) {
+	cn.txnStatus = transactionStatus(r.byte())
+}
+
+func (cn *conn) readReadyForQuery() {
+	t, r := cn.recv1()
+	switch t {
+	case 'Z':
+		cn.processReadyForQuery(r)
+		return
+	default:
+		cn.err.set(driver.ErrBadConn)
+		errorf("unexpected message %q; expected ReadyForQuery", t)
+	}
+}
+
+func (cn *conn) processBackendKeyData(r *readBuf) {
+	cn.processID = r.int32()
+	cn.secretKey = r.int32()
+}
+
+func (cn *conn) readParseResponse() {
+	t, r := cn.recv1()
+	switch t {
+	case '1':
+		return
+	case 'E':
+		err := parseError(r)
+		cn.readReadyForQuery()
+		panic(err)
+	default:
+		cn.err.set(driver.ErrBadConn)
+		errorf("unexpected Parse response %q", t)
+	}
+}
+
+func (cn *conn) readStatementDescribeResponse() (
+	paramTyps []oid.Oid,
+	colNames []string,
+	colTyps []fieldDesc,
+) {
+	for {
+		t, r := cn.recv1()
+		switch t {
+		case 't':
+			nparams := r.int16()
+			paramTyps = make([]oid.Oid, nparams)
+			for i := range paramTyps {
+				paramTyps[i] = r.oid()
+			}
+		case 'n':
+			return paramTyps, nil, nil
+		case 'T':
+			colNames, colTyps = parseStatementRowDescribe(r)
+			return paramTyps, colNames, colTyps
+		case 'E':
+			err := parseError(r)
+			cn.readReadyForQuery()
+			panic(err)
+		default:
+			cn.err.set(driver.ErrBadConn)
+			errorf("unexpected Describe statement response %q", t)
+		}
+	}
+}
+
+func (cn *conn) readPortalDescribeResponse() rowsHeader {
+	t, r := cn.recv1()
+	switch t {
+	case 'T':
+		return parsePortalRowDescribe(r)
+	case 'n':
+		return rowsHeader{}
+	case 'E':
+		err := parseError(r)
+		cn.readReadyForQuery()
+		panic(err)
+	default:
+		cn.err.set(driver.ErrBadConn)
+		errorf("unexpected Describe response %q", t)
+	}
+	panic("not reached")
+}
+
+func (cn *conn) readBindResponse() {
+	t, r := cn.recv1()
+	switch t {
+	case '2':
+		return
+	case 'E':
+		err := parseError(r)
+		cn.readReadyForQuery()
+		panic(err)
+	default:
+		cn.err.set(driver.ErrBadConn)
+		errorf("unexpected Bind response %q", t)
+	}
+}
+
+func (cn *conn) postExecuteWorkaround() {
+	// Work around a bug in sql.DB.QueryRow: in Go 1.2 and earlier it ignores
+	// any errors from rows.Next, which masks errors that happened during the
+	// execution of the query.  To avoid the problem in common cases, we wait
+	// here for one more message from the database.  If it's not an error the
+	// query will likely succeed (or perhaps has already, if it's a
+	// CommandComplete), so we push the message into the conn struct; recv1
+	// will return it as the next message for rows.Next or rows.Close.
+	// However, if it's an error, we wait until ReadyForQuery and then return
+	// the error to our caller.
+	for {
+		t, r := cn.recv1()
+		switch t {
+		case 'E':
+			err := parseError(r)
+			cn.readReadyForQuery()
+			panic(err)
+		case 'C', 'D', 'I':
+			// the query didn't fail, but we can't process this message
+			cn.saveMessage(t, r)
+			return
+		default:
+			cn.err.set(driver.ErrBadConn)
+			errorf("unexpected message during extended query execution: %q", t)
+		}
+	}
+}
+
+// Only for Exec(), since we ignore the returned data
+func (cn *conn) readExecuteResponse(
+	protocolState string,
+) (res driver.Result, commandTag string, err error) {
+	for {
+		t, r := cn.recv1()
+		switch t {
+		case 'C':
+			if err != nil {
+				cn.err.set(driver.ErrBadConn)
+				errorf("unexpected CommandComplete after error %s", err)
+			}
+			res, commandTag = cn.parseComplete(r.string())
+		case 'Z':
+			cn.processReadyForQuery(r)
+			if res == nil && err == nil {
+				err = errUnexpectedReady
+			}
+			return res, commandTag, err
+		case 'E':
+			err = parseError(r)
+		case 'T', 'D', 'I':
+			if err != nil {
+				cn.err.set(driver.ErrBadConn)
+				errorf("unexpected %q after error %s", t, err)
+			}
+			if t == 'I' {
+				res = emptyRows
+			}
+			// ignore any results
+		default:
+			cn.err.set(driver.ErrBadConn)
+			errorf("unknown %s response: %q", protocolState, t)
+		}
+	}
+}
+
+func parseStatementRowDescribe(r *readBuf) (colNames []string, colTyps []fieldDesc) {
+	n := r.int16()
+	colNames = make([]string, n)
+	colTyps = make([]fieldDesc, n)
+	for i := range colNames {
+		colNames[i] = r.string()
+		r.next(6)
+		colTyps[i].OID = r.oid()
+		colTyps[i].Len = r.int16()
+		colTyps[i].Mod = r.int32()
+		// format code not known when describing a statement; always 0
+		r.next(2)
+	}
+	return
+}
+
+func parsePortalRowDescribe(r *readBuf) rowsHeader {
+	n := r.int16()
+	colNames := make([]string, n)
+	colFmts := make([]format, n)
+	colTyps := make([]fieldDesc, n)
+	for i := range colNames {
+		colNames[i] = r.string()
+		r.next(6)
+		colTyps[i].OID = r.oid()
+		colTyps[i].Len = r.int16()
+		colTyps[i].Mod = r.int32()
+		colFmts[i] = format(r.int16())
+	}
+	return rowsHeader{
+		colNames: colNames,
+		colFmts:  colFmts,
+		colTyps:  colTyps,
+	}
+}
+
+// parseEnviron tries to mimic some of libpq's environment handling
+//
+// To ease testing, it does not directly reference os.Environ, but is
+// designed to accept its output.
+//
+// Environment-set connection information is intended to have a higher
+// precedence than a library default but lower than any explicitly
+// passed information (such as in the URL or connection string).
+func parseEnviron(env []string) (out map[string]string) {
+	out = make(map[string]string)
+
+	for _, v := range env {
+		parts := strings.SplitN(v, "=", 2)
+
+		accrue := func(keyname string) {
+			out[keyname] = parts[1]
+		}
+		unsupported := func() {
+			panic(fmt.Sprintf("setting %v not supported", parts[0]))
+		}
+
+		// The order of these is the same as is seen in the
+		// PostgreSQL 9.1 manual. Unsupported but well-defined
+		// keys cause a panic; these should be unset prior to
+		// execution. Options which pq expects to be set to a
+		// certain value are allowed, but must be set to that
+		// value if present (they can, of course, be absent).
+		switch parts[0] {
+		case "PGHOST":
+			accrue("host")
+		case "PGHOSTADDR":
+			unsupported()
+		case "PGPORT":
+			accrue("port")
+		case "PGDATABASE":
+			accrue("dbname")
+		case "PGUSER":
+			accrue("user")
+		case "PGPASSWORD":
+			accrue("password")
+		case "PGSERVICE", "PGSERVICEFILE", "PGREALM":
+			unsupported()
+		case "PGOPTIONS":
+			accrue("options")
+		case "PGAPPNAME":
+			accrue("application_name")
+		case "PGSSLMODE":
+			accrue("sslmode")
+		case "PGSSLCERT":
+			accrue("sslcert")
+		case "PGSSLKEY":
+			accrue("sslkey")
+		case "PGSSLROOTCERT":
+			accrue("sslrootcert")
+		case "PGSSLSNI":
+			accrue("sslsni")
+		case "PGREQUIRESSL", "PGSSLCRL":
+			unsupported()
+		case "PGREQUIREPEER":
+			unsupported()
+		case "PGKRBSRVNAME", "PGGSSLIB":
+			unsupported()
+		case "PGCONNECT_TIMEOUT":
+			accrue("connect_timeout")
+		case "PGCLIENTENCODING":
+			accrue("client_encoding")
+		case "PGDATESTYLE":
+			accrue("datestyle")
+		case "PGTZ":
+			accrue("timezone")
+		case "PGGEQO":
+			accrue("geqo")
+		case "PGSYSCONFDIR", "PGLOCALEDIR":
+			unsupported()
+		}
+	}
+
+	return out
+}
+
+// isUTF8 returns whether name is a fuzzy variation of the string "UTF-8".
+func isUTF8(name string) bool {
+	// Recognize all sorts of silly things as "UTF-8", like Postgres does
+	s := strings.Map(alnumLowerASCII, name)
+	return s == "utf8" || s == "unicode"
+}
+
+func alnumLowerASCII(ch rune) rune {
+	if 'A' <= ch && ch <= 'Z' {
+		return ch + ('a' - 'A')
+	}
+	if 'a' <= ch && ch <= 'z' || '0' <= ch && ch <= '9' {
+		return ch
+	}
+	return -1 // discard
+}
+
+// The database/sql/driver package says:
+// All Conn implementations should implement the following interfaces: Pinger, SessionResetter, and Validator.
+var _ driver.Pinger = &conn{}
+var _ driver.SessionResetter = &conn{}
+
+func (cn *conn) ResetSession(ctx context.Context) error {
+	// Ensure bad connections are reported: From database/sql/driver:
+	// If a connection is never returned to the connection pool but immediately reused, then
+	// ResetSession is called prior to reuse but IsValid is not called.
+	return cn.err.get()
+}
+
+func (cn *conn) IsValid() bool {
+	return cn.err.get() == nil
+}
diff --git a/vendor/github.com/lib/pq/conn_go115.go b/vendor/github.com/lib/pq/conn_go115.go
new file mode 100644
index 0000000000..f4ef030f99
--- /dev/null
+++ b/vendor/github.com/lib/pq/conn_go115.go
@@ -0,0 +1,8 @@
+//go:build go1.15
+// +build go1.15
+
+package pq
+
+import "database/sql/driver"
+
+var _ driver.Validator = &conn{}
diff --git a/vendor/github.com/lib/pq/conn_go18.go b/vendor/github.com/lib/pq/conn_go18.go
new file mode 100644
index 0000000000..63d4ca6aaa
--- /dev/null
+++ b/vendor/github.com/lib/pq/conn_go18.go
@@ -0,0 +1,247 @@
+package pq
+
+import (
+	"context"
+	"database/sql"
+	"database/sql/driver"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"time"
+)
+
+const (
+	watchCancelDialContextTimeout = time.Second * 10
+)
+
+// Implement the "QueryerContext" interface
+func (cn *conn) QueryContext(ctx context.Context, query string, args []driver.NamedValue) (driver.Rows, error) {
+	list := make([]driver.Value, len(args))
+	for i, nv := range args {
+		list[i] = nv.Value
+	}
+	finish := cn.watchCancel(ctx)
+	r, err := cn.query(query, list)
+	if err != nil {
+		if finish != nil {
+			finish()
+		}
+		return nil, err
+	}
+	r.finish = finish
+	return r, nil
+}
+
+// Implement the "ExecerContext" interface
+func (cn *conn) ExecContext(ctx context.Context, query string, args []driver.NamedValue) (driver.Result, error) {
+	list := make([]driver.Value, len(args))
+	for i, nv := range args {
+		list[i] = nv.Value
+	}
+
+	if finish := cn.watchCancel(ctx); finish != nil {
+		defer finish()
+	}
+
+	return cn.Exec(query, list)
+}
+
+// Implement the "ConnPrepareContext" interface
+func (cn *conn) PrepareContext(ctx context.Context, query string) (driver.Stmt, error) {
+	if finish := cn.watchCancel(ctx); finish != nil {
+		defer finish()
+	}
+	return cn.Prepare(query)
+}
+
+// Implement the "ConnBeginTx" interface
+func (cn *conn) BeginTx(ctx context.Context, opts driver.TxOptions) (driver.Tx, error) {
+	var mode string
+
+	switch sql.IsolationLevel(opts.Isolation) {
+	case sql.LevelDefault:
+		// Don't touch mode: use the server's default
+	case sql.LevelReadUncommitted:
+		mode = " ISOLATION LEVEL READ UNCOMMITTED"
+	case sql.LevelReadCommitted:
+		mode = " ISOLATION LEVEL READ COMMITTED"
+	case sql.LevelRepeatableRead:
+		mode = " ISOLATION LEVEL REPEATABLE READ"
+	case sql.LevelSerializable:
+		mode = " ISOLATION LEVEL SERIALIZABLE"
+	default:
+		return nil, fmt.Errorf("pq: isolation level not supported: %d", opts.Isolation)
+	}
+
+	if opts.ReadOnly {
+		mode += " READ ONLY"
+	} else {
+		mode += " READ WRITE"
+	}
+
+	tx, err := cn.begin(mode)
+	if err != nil {
+		return nil, err
+	}
+	cn.txnFinish = cn.watchCancel(ctx)
+	return tx, nil
+}
+
+func (cn *conn) Ping(ctx context.Context) error {
+	if finish := cn.watchCancel(ctx); finish != nil {
+		defer finish()
+	}
+	rows, err := cn.simpleQuery(";")
+	if err != nil {
+		return driver.ErrBadConn // https://golang.org/pkg/database/sql/driver/#Pinger
+	}
+	rows.Close()
+	return nil
+}
+
+func (cn *conn) watchCancel(ctx context.Context) func() {
+	if done := ctx.Done(); done != nil {
+		finished := make(chan struct{}, 1)
+		go func() {
+			select {
+			case <-done:
+				select {
+				case finished <- struct{}{}:
+				default:
+					// We raced with the finish func, let the next query handle this with the
+					// context.
+					return
+				}
+
+				// Set the connection state to bad so it does not get reused.
+				cn.err.set(ctx.Err())
+
+				// At this point the function level context is canceled,
+				// so it must not be used for the additional network
+				// request to cancel the query.
+				// Create a new context to pass into the dial.
+				ctxCancel, cancel := context.WithTimeout(context.Background(), watchCancelDialContextTimeout)
+				defer cancel()
+
+				_ = cn.cancel(ctxCancel)
+			case <-finished:
+			}
+		}()
+		return func() {
+			select {
+			case <-finished:
+				cn.err.set(ctx.Err())
+				cn.Close()
+			case finished <- struct{}{}:
+			}
+		}
+	}
+	return nil
+}
+
+func (cn *conn) cancel(ctx context.Context) error {
+	// Create a new values map (copy). This makes sure the connection created
+	// in this method cannot write to the same underlying data, which could
+	// cause a concurrent map write panic. This is necessary because cancel
+	// is called from a goroutine in watchCancel.
+	o := make(values)
+	for k, v := range cn.opts {
+		o[k] = v
+	}
+
+	c, err := dial(ctx, cn.dialer, o)
+	if err != nil {
+		return err
+	}
+	defer c.Close()
+
+	{
+		can := conn{
+			c: c,
+		}
+		err = can.ssl(o)
+		if err != nil {
+			return err
+		}
+
+		w := can.writeBuf(0)
+		w.int32(80877102) // cancel request code
+		w.int32(cn.processID)
+		w.int32(cn.secretKey)
+
+		if err := can.sendStartupPacket(w); err != nil {
+			return err
+		}
+	}
+
+	// Read until EOF to ensure that the server received the cancel.
+	{
+		_, err := io.Copy(ioutil.Discard, c)
+		return err
+	}
+}
+
+// Implement the "StmtQueryContext" interface
+func (st *stmt) QueryContext(ctx context.Context, args []driver.NamedValue) (driver.Rows, error) {
+	list := make([]driver.Value, len(args))
+	for i, nv := range args {
+		list[i] = nv.Value
+	}
+	finish := st.watchCancel(ctx)
+	r, err := st.query(list)
+	if err != nil {
+		if finish != nil {
+			finish()
+		}
+		return nil, err
+	}
+	r.finish = finish
+	return r, nil
+}
+
+// Implement the "StmtExecContext" interface
+func (st *stmt) ExecContext(ctx context.Context, args []driver.NamedValue) (driver.Result, error) {
+	list := make([]driver.Value, len(args))
+	for i, nv := range args {
+		list[i] = nv.Value
+	}
+
+	if finish := st.watchCancel(ctx); finish != nil {
+		defer finish()
+	}
+
+	return st.Exec(list)
+}
+
+// watchCancel is implemented on stmt in order to not mark the parent conn as bad
+func (st *stmt) watchCancel(ctx context.Context) func() {
+	if done := ctx.Done(); done != nil {
+		finished := make(chan struct{})
+		go func() {
+			select {
+			case <-done:
+				// At this point the function level context is canceled,
+				// so it must not be used for the additional network
+				// request to cancel the query.
+				// Create a new context to pass into the dial.
+				ctxCancel, cancel := context.WithTimeout(context.Background(), watchCancelDialContextTimeout)
+				defer cancel()
+
+				_ = st.cancel(ctxCancel)
+				finished <- struct{}{}
+			case <-finished:
+			}
+		}()
+		return func() {
+			select {
+			case <-finished:
+			case finished <- struct{}{}:
+			}
+		}
+	}
+	return nil
+}
+
+func (st *stmt) cancel(ctx context.Context) error {
+	return st.cn.cancel(ctx)
+}
diff --git a/vendor/github.com/lib/pq/connector.go b/vendor/github.com/lib/pq/connector.go
new file mode 100644
index 0000000000..1145e12257
--- /dev/null
+++ b/vendor/github.com/lib/pq/connector.go
@@ -0,0 +1,120 @@
+package pq
+
+import (
+	"context"
+	"database/sql/driver"
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+)
+
+// Connector represents a fixed configuration for the pq driver with a given
+// name. Connector satisfies the database/sql/driver Connector interface and
+// can be used to create any number of DB Conn's via the database/sql OpenDB
+// function.
+//
+// See https://golang.org/pkg/database/sql/driver/#Connector.
+// See https://golang.org/pkg/database/sql/#OpenDB.
+type Connector struct {
+	opts   values
+	dialer Dialer
+}
+
+// Connect returns a connection to the database using the fixed configuration
+// of this Connector. Context is not used.
+func (c *Connector) Connect(ctx context.Context) (driver.Conn, error) {
+	return c.open(ctx)
+}
+
+// Dialer allows change the dialer used to open connections.
+func (c *Connector) Dialer(dialer Dialer) {
+	c.dialer = dialer
+}
+
+// Driver returns the underlying driver of this Connector.
+func (c *Connector) Driver() driver.Driver {
+	return &Driver{}
+}
+
+// NewConnector returns a connector for the pq driver in a fixed configuration
+// with the given dsn. The returned connector can be used to create any number
+// of equivalent Conn's. The returned connector is intended to be used with
+// database/sql.OpenDB.
+//
+// See https://golang.org/pkg/database/sql/driver/#Connector.
+// See https://golang.org/pkg/database/sql/#OpenDB.
+func NewConnector(dsn string) (*Connector, error) {
+	var err error
+	o := make(values)
+
+	// A number of defaults are applied here, in this order:
+	//
+	// * Very low precedence defaults applied in every situation
+	// * Environment variables
+	// * Explicitly passed connection information
+	o["host"] = "localhost"
+	o["port"] = "5432"
+	// N.B.: Extra float digits should be set to 3, but that breaks
+	// Postgres 8.4 and older, where the max is 2.
+	o["extra_float_digits"] = "2"
+	for k, v := range parseEnviron(os.Environ()) {
+		o[k] = v
+	}
+
+	if strings.HasPrefix(dsn, "postgres://") || strings.HasPrefix(dsn, "postgresql://") {
+		dsn, err = ParseURL(dsn)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if err := parseOpts(dsn, o); err != nil {
+		return nil, err
+	}
+
+	// Use the "fallback" application name if necessary
+	if fallback, ok := o["fallback_application_name"]; ok {
+		if _, ok := o["application_name"]; !ok {
+			o["application_name"] = fallback
+		}
+	}
+
+	// We can't work with any client_encoding other than UTF-8 currently.
+	// However, we have historically allowed the user to set it to UTF-8
+	// explicitly, and there's no reason to break such programs, so allow that.
+	// Note that the "options" setting could also set client_encoding, but
+	// parsing its value is not worth it.  Instead, we always explicitly send
+	// client_encoding as a separate run-time parameter, which should override
+	// anything set in options.
+	if enc, ok := o["client_encoding"]; ok && !isUTF8(enc) {
+		return nil, errors.New("client_encoding must be absent or 'UTF8'")
+	}
+	o["client_encoding"] = "UTF8"
+	// DateStyle needs a similar treatment.
+	if datestyle, ok := o["datestyle"]; ok {
+		if datestyle != "ISO, MDY" {
+			return nil, fmt.Errorf("setting datestyle must be absent or %v; got %v", "ISO, MDY", datestyle)
+		}
+	} else {
+		o["datestyle"] = "ISO, MDY"
+	}
+
+	// If a user is not provided by any other means, the last
+	// resort is to use the current operating system provided user
+	// name.
+	if _, ok := o["user"]; !ok {
+		u, err := userCurrent()
+		if err != nil {
+			return nil, err
+		}
+		o["user"] = u
+	}
+
+	// SSL is not necessary or supported over UNIX domain sockets
+	if network, _ := network(o); network == "unix" {
+		o["sslmode"] = "disable"
+	}
+
+	return &Connector{opts: o, dialer: defaultDialer{}}, nil
+}
diff --git a/vendor/github.com/lib/pq/copy.go b/vendor/github.com/lib/pq/copy.go
new file mode 100644
index 0000000000..a8f16b2b26
--- /dev/null
+++ b/vendor/github.com/lib/pq/copy.go
@@ -0,0 +1,348 @@
+package pq
+
+import (
+	"bytes"
+	"context"
+	"database/sql/driver"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"sync"
+)
+
+var (
+	errCopyInClosed               = errors.New("pq: copyin statement has already been closed")
+	errBinaryCopyNotSupported     = errors.New("pq: only text format supported for COPY")
+	errCopyToNotSupported         = errors.New("pq: COPY TO is not supported")
+	errCopyNotSupportedOutsideTxn = errors.New("pq: COPY is only allowed inside a transaction")
+	errCopyInProgress             = errors.New("pq: COPY in progress")
+)
+
+// CopyIn creates a COPY FROM statement which can be prepared with
+// Tx.Prepare().  The target table should be visible in search_path.
+func CopyIn(table string, columns ...string) string {
+	buffer := bytes.NewBufferString("COPY ")
+	BufferQuoteIdentifier(table, buffer)
+	buffer.WriteString(" (")
+	makeStmt(buffer, columns...)
+	return buffer.String()
+}
+
+// MakeStmt makes the stmt string for CopyIn and CopyInSchema.
+func makeStmt(buffer *bytes.Buffer, columns ...string) {
+	//s := bytes.NewBufferString()
+	for i, col := range columns {
+		if i != 0 {
+			buffer.WriteString(", ")
+		}
+		BufferQuoteIdentifier(col, buffer)
+	}
+	buffer.WriteString(") FROM STDIN")
+}
+
+// CopyInSchema creates a COPY FROM statement which can be prepared with
+// Tx.Prepare().
+func CopyInSchema(schema, table string, columns ...string) string {
+	buffer := bytes.NewBufferString("COPY ")
+	BufferQuoteIdentifier(schema, buffer)
+	buffer.WriteRune('.')
+	BufferQuoteIdentifier(table, buffer)
+	buffer.WriteString(" (")
+	makeStmt(buffer, columns...)
+	return buffer.String()
+}
+
+type copyin struct {
+	cn      *conn
+	buffer  []byte
+	rowData chan []byte
+	done    chan bool
+
+	closed bool
+
+	mu struct {
+		sync.Mutex
+		err error
+		driver.Result
+	}
+}
+
+const ciBufferSize = 64 * 1024
+
+// flush buffer before the buffer is filled up and needs reallocation
+const ciBufferFlushSize = 63 * 1024
+
+func (cn *conn) prepareCopyIn(q string) (_ driver.Stmt, err error) {
+	if !cn.isInTransaction() {
+		return nil, errCopyNotSupportedOutsideTxn
+	}
+
+	ci := &copyin{
+		cn:      cn,
+		buffer:  make([]byte, 0, ciBufferSize),
+		rowData: make(chan []byte),
+		done:    make(chan bool, 1),
+	}
+	// add CopyData identifier + 4 bytes for message length
+	ci.buffer = append(ci.buffer, 'd', 0, 0, 0, 0)
+
+	b := cn.writeBuf('Q')
+	b.string(q)
+	cn.send(b)
+
+awaitCopyInResponse:
+	for {
+		t, r := cn.recv1()
+		switch t {
+		case 'G':
+			if r.byte() != 0 {
+				err = errBinaryCopyNotSupported
+				break awaitCopyInResponse
+			}
+			go ci.resploop()
+			return ci, nil
+		case 'H':
+			err = errCopyToNotSupported
+			break awaitCopyInResponse
+		case 'E':
+			err = parseError(r)
+		case 'Z':
+			if err == nil {
+				ci.setBad(driver.ErrBadConn)
+				errorf("unexpected ReadyForQuery in response to COPY")
+			}
+			cn.processReadyForQuery(r)
+			return nil, err
+		default:
+			ci.setBad(driver.ErrBadConn)
+			errorf("unknown response for copy query: %q", t)
+		}
+	}
+
+	// something went wrong, abort COPY before we return
+	b = cn.writeBuf('f')
+	b.string(err.Error())
+	cn.send(b)
+
+	for {
+		t, r := cn.recv1()
+		switch t {
+		case 'c', 'C', 'E':
+		case 'Z':
+			// correctly aborted, we're done
+			cn.processReadyForQuery(r)
+			return nil, err
+		default:
+			ci.setBad(driver.ErrBadConn)
+			errorf("unknown response for CopyFail: %q", t)
+		}
+	}
+}
+
+func (ci *copyin) flush(buf []byte) {
+	// set message length (without message identifier)
+	binary.BigEndian.PutUint32(buf[1:], uint32(len(buf)-1))
+
+	_, err := ci.cn.c.Write(buf)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func (ci *copyin) resploop() {
+	for {
+		var r readBuf
+		t, err := ci.cn.recvMessage(&r)
+		if err != nil {
+			ci.setBad(driver.ErrBadConn)
+			ci.setError(err)
+			ci.done <- true
+			return
+		}
+		switch t {
+		case 'C':
+			// complete
+			res, _ := ci.cn.parseComplete(r.string())
+			ci.setResult(res)
+		case 'N':
+			if n := ci.cn.noticeHandler; n != nil {
+				n(parseError(&r))
+			}
+		case 'Z':
+			ci.cn.processReadyForQuery(&r)
+			ci.done <- true
+			return
+		case 'E':
+			err := parseError(&r)
+			ci.setError(err)
+		default:
+			ci.setBad(driver.ErrBadConn)
+			ci.setError(fmt.Errorf("unknown response during CopyIn: %q", t))
+			ci.done <- true
+			return
+		}
+	}
+}
+
+func (ci *copyin) setBad(err error) {
+	ci.cn.err.set(err)
+}
+
+func (ci *copyin) getBad() error {
+	return ci.cn.err.get()
+}
+
+func (ci *copyin) err() error {
+	ci.mu.Lock()
+	err := ci.mu.err
+	ci.mu.Unlock()
+	return err
+}
+
+// setError() sets ci.err if one has not been set already.  Caller must not be
+// holding ci.Mutex.
+func (ci *copyin) setError(err error) {
+	ci.mu.Lock()
+	if ci.mu.err == nil {
+		ci.mu.err = err
+	}
+	ci.mu.Unlock()
+}
+
+func (ci *copyin) setResult(result driver.Result) {
+	ci.mu.Lock()
+	ci.mu.Result = result
+	ci.mu.Unlock()
+}
+
+func (ci *copyin) getResult() driver.Result {
+	ci.mu.Lock()
+	result := ci.mu.Result
+	ci.mu.Unlock()
+	if result == nil {
+		return driver.RowsAffected(0)
+	}
+	return result
+}
+
+func (ci *copyin) NumInput() int {
+	return -1
+}
+
+func (ci *copyin) Query(v []driver.Value) (r driver.Rows, err error) {
+	return nil, ErrNotSupported
+}
+
+// Exec inserts values into the COPY stream. The insert is asynchronous
+// and Exec can return errors from previous Exec calls to the same
+// COPY stmt.
+//
+// You need to call Exec(nil) to sync the COPY stream and to get any
+// errors from pending data, since Stmt.Close() doesn't return errors
+// to the user.
+func (ci *copyin) Exec(v []driver.Value) (r driver.Result, err error) {
+	if ci.closed {
+		return nil, errCopyInClosed
+	}
+
+	if err := ci.getBad(); err != nil {
+		return nil, err
+	}
+	defer ci.cn.errRecover(&err)
+
+	if err := ci.err(); err != nil {
+		return nil, err
+	}
+
+	if len(v) == 0 {
+		if err := ci.Close(); err != nil {
+			return driver.RowsAffected(0), err
+		}
+
+		return ci.getResult(), nil
+	}
+
+	numValues := len(v)
+	for i, value := range v {
+		ci.buffer = appendEncodedText(&ci.cn.parameterStatus, ci.buffer, value)
+		if i < numValues-1 {
+			ci.buffer = append(ci.buffer, '\t')
+		}
+	}
+
+	ci.buffer = append(ci.buffer, '\n')
+
+	if len(ci.buffer) > ciBufferFlushSize {
+		ci.flush(ci.buffer)
+		// reset buffer, keep bytes for message identifier and length
+		ci.buffer = ci.buffer[:5]
+	}
+
+	return driver.RowsAffected(0), nil
+}
+
+// CopyData inserts a raw string into the COPY stream. The insert is
+// asynchronous and CopyData can return errors from previous CopyData calls to
+// the same COPY stmt.
+//
+// You need to call Exec(nil) to sync the COPY stream and to get any
+// errors from pending data, since Stmt.Close() doesn't return errors
+// to the user.
+func (ci *copyin) CopyData(ctx context.Context, line string) (r driver.Result, err error) {
+	if ci.closed {
+		return nil, errCopyInClosed
+	}
+
+	if finish := ci.cn.watchCancel(ctx); finish != nil {
+		defer finish()
+	}
+
+	if err := ci.getBad(); err != nil {
+		return nil, err
+	}
+	defer ci.cn.errRecover(&err)
+
+	if err := ci.err(); err != nil {
+		return nil, err
+	}
+
+	ci.buffer = append(ci.buffer, []byte(line)...)
+	ci.buffer = append(ci.buffer, '\n')
+
+	if len(ci.buffer) > ciBufferFlushSize {
+		ci.flush(ci.buffer)
+		// reset buffer, keep bytes for message identifier and length
+		ci.buffer = ci.buffer[:5]
+	}
+
+	return driver.RowsAffected(0), nil
+}
+
+func (ci *copyin) Close() (err error) {
+	if ci.closed { // Don't do anything, we're already closed
+		return nil
+	}
+	ci.closed = true
+
+	if err := ci.getBad(); err != nil {
+		return err
+	}
+	defer ci.cn.errRecover(&err)
+
+	if len(ci.buffer) > 0 {
+		ci.flush(ci.buffer)
+	}
+	// Avoid touching the scratch buffer as resploop could be using it.
+	err = ci.cn.sendSimpleMessage('c')
+	if err != nil {
+		return err
+	}
+
+	<-ci.done
+	ci.cn.inCopy = false
+
+	if err := ci.err(); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/vendor/github.com/lib/pq/doc.go b/vendor/github.com/lib/pq/doc.go
new file mode 100644
index 0000000000..b57184801b
--- /dev/null
+++ b/vendor/github.com/lib/pq/doc.go
@@ -0,0 +1,268 @@
+/*
+Package pq is a pure Go Postgres driver for the database/sql package.
+
+In most cases clients will use the database/sql package instead of
+using this package directly. For example:
+
+	import (
+		"database/sql"
+
+		_ "github.com/lib/pq"
+	)
+
+	func main() {
+		connStr := "user=pqgotest dbname=pqgotest sslmode=verify-full"
+		db, err := sql.Open("postgres", connStr)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		age := 21
+		rows, err := db.Query("SELECT name FROM users WHERE age = $1", age)
+		…
+	}
+
+You can also connect to a database using a URL. For example:
+
+	connStr := "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
+	db, err := sql.Open("postgres", connStr)
+
+
+Connection String Parameters
+
+
+Similarly to libpq, when establishing a connection using pq you are expected to
+supply a connection string containing zero or more parameters.
+A subset of the connection parameters supported by libpq are also supported by pq.
+Additionally, pq also lets you specify run-time parameters (such as search_path or work_mem)
+directly in the connection string.  This is different from libpq, which does not allow
+run-time parameters in the connection string, instead requiring you to supply
+them in the options parameter.
+
+For compatibility with libpq, the following special connection parameters are
+supported:
+
+	* dbname - The name of the database to connect to
+	* user - The user to sign in as
+	* password - The user's password
+	* host - The host to connect to. Values that start with / are for unix
+	  domain sockets. (default is localhost)
+	* port - The port to bind to. (default is 5432)
+	* sslmode - Whether or not to use SSL (default is require, this is not
+	  the default for libpq)
+	* fallback_application_name - An application_name to fall back to if one isn't provided.
+	* connect_timeout - Maximum wait for connection, in seconds. Zero or
+	  not specified means wait indefinitely.
+	* sslcert - Cert file location. The file must contain PEM encoded data.
+	* sslkey - Key file location. The file must contain PEM encoded data.
+	* sslrootcert - The location of the root certificate file. The file
+	  must contain PEM encoded data.
+
+Valid values for sslmode are:
+
+	* disable - No SSL
+	* require - Always SSL (skip verification)
+	* verify-ca - Always SSL (verify that the certificate presented by the
+	  server was signed by a trusted CA)
+	* verify-full - Always SSL (verify that the certification presented by
+	  the server was signed by a trusted CA and the server host name
+	  matches the one in the certificate)
+
+See http://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+for more information about connection string parameters.
+
+Use single quotes for values that contain whitespace:
+
+    "user=pqgotest password='with spaces'"
+
+A backslash will escape the next character in values:
+
+    "user=space\ man password='it\'s valid'"
+
+Note that the connection parameter client_encoding (which sets the
+text encoding for the connection) may be set but must be "UTF8",
+matching with the same rules as Postgres. It is an error to provide
+any other value.
+
+In addition to the parameters listed above, any run-time parameter that can be
+set at backend start time can be set in the connection string.  For more
+information, see
+http://www.postgresql.org/docs/current/static/runtime-config.html.
+
+Most environment variables as specified at http://www.postgresql.org/docs/current/static/libpq-envars.html
+supported by libpq are also supported by pq.  If any of the environment
+variables not supported by pq are set, pq will panic during connection
+establishment.  Environment variables have a lower precedence than explicitly
+provided connection parameters.
+
+The pgpass mechanism as described in http://www.postgresql.org/docs/current/static/libpq-pgpass.html
+is supported, but on Windows PGPASSFILE must be specified explicitly.
+
+
+Queries
+
+
+database/sql does not dictate any specific format for parameter
+markers in query strings, and pq uses the Postgres-native ordinal markers,
+as shown above. The same marker can be reused for the same parameter:
+
+	rows, err := db.Query(`SELECT name FROM users WHERE favorite_fruit = $1
+		OR age BETWEEN $2 AND $2 + 3`, "orange", 64)
+
+pq does not support the LastInsertId() method of the Result type in database/sql.
+To return the identifier of an INSERT (or UPDATE or DELETE), use the Postgres
+RETURNING clause with a standard Query or QueryRow call:
+
+	var userid int
+	err := db.QueryRow(`INSERT INTO users(name, favorite_fruit, age)
+		VALUES('beatrice', 'starfruit', 93) RETURNING id`).Scan(&userid)
+
+For more details on RETURNING, see the Postgres documentation:
+
+	http://www.postgresql.org/docs/current/static/sql-insert.html
+	http://www.postgresql.org/docs/current/static/sql-update.html
+	http://www.postgresql.org/docs/current/static/sql-delete.html
+
+For additional instructions on querying see the documentation for the database/sql package.
+
+
+Data Types
+
+
+Parameters pass through driver.DefaultParameterConverter before they are handled
+by this package. When the binary_parameters connection option is enabled,
+[]byte values are sent directly to the backend as data in binary format.
+
+This package returns the following types for values from the PostgreSQL backend:
+
+	- integer types smallint, integer, and bigint are returned as int64
+	- floating-point types real and double precision are returned as float64
+	- character types char, varchar, and text are returned as string
+	- temporal types date, time, timetz, timestamp, and timestamptz are
+	  returned as time.Time
+	- the boolean type is returned as bool
+	- the bytea type is returned as []byte
+
+All other types are returned directly from the backend as []byte values in text format.
+
+
+Errors
+
+
+pq may return errors of type *pq.Error which can be interrogated for error details:
+
+        if err, ok := err.(*pq.Error); ok {
+            fmt.Println("pq error:", err.Code.Name())
+        }
+
+See the pq.Error type for details.
+
+
+Bulk imports
+
+You can perform bulk imports by preparing a statement returned by pq.CopyIn (or
+pq.CopyInSchema) in an explicit transaction (sql.Tx). The returned statement
+handle can then be repeatedly "executed" to copy data into the target table.
+After all data has been processed you should call Exec() once with no arguments
+to flush all buffered data. Any call to Exec() might return an error which
+should be handled appropriately, but because of the internal buffering an error
+returned by Exec() might not be related to the data passed in the call that
+failed.
+
+CopyIn uses COPY FROM internally. It is not possible to COPY outside of an
+explicit transaction in pq.
+
+Usage example:
+
+	txn, err := db.Begin()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	stmt, err := txn.Prepare(pq.CopyIn("users", "name", "age"))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	for _, user := range users {
+		_, err = stmt.Exec(user.Name, int64(user.Age))
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+
+	_, err = stmt.Exec()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = stmt.Close()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = txn.Commit()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+
+Notifications
+
+
+PostgreSQL supports a simple publish/subscribe model over database
+connections.  See http://www.postgresql.org/docs/current/static/sql-notify.html
+for more information about the general mechanism.
+
+To start listening for notifications, you first have to open a new connection
+to the database by calling NewListener.  This connection can not be used for
+anything other than LISTEN / NOTIFY.  Calling Listen will open a "notification
+channel"; once a notification channel is open, a notification generated on that
+channel will effect a send on the Listener.Notify channel.  A notification
+channel will remain open until Unlisten is called, though connection loss might
+result in some notifications being lost.  To solve this problem, Listener sends
+a nil pointer over the Notify channel any time the connection is re-established
+following a connection loss.  The application can get information about the
+state of the underlying connection by setting an event callback in the call to
+NewListener.
+
+A single Listener can safely be used from concurrent goroutines, which means
+that there is often no need to create more than one Listener in your
+application.  However, a Listener is always connected to a single database, so
+you will need to create a new Listener instance for every database you want to
+receive notifications in.
+
+The channel name in both Listen and Unlisten is case sensitive, and can contain
+any characters legal in an identifier (see
+http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
+for more information).  Note that the channel name will be truncated to 63
+bytes by the PostgreSQL server.
+
+You can find a complete, working example of Listener usage at
+https://godoc.org/github.com/lib/pq/example/listen.
+
+
+Kerberos Support
+
+
+If you need support for Kerberos authentication, add the following to your main
+package:
+
+	import "github.com/lib/pq/auth/kerberos"
+
+	func init() {
+		pq.RegisterGSSProvider(func() (pq.Gss, error) { return kerberos.NewGSS() })
+	}
+
+This package is in a separate module so that users who don't need Kerberos
+don't have to download unnecessary dependencies.
+
+When imported, additional connection string parameters are supported:
+
+	* krbsrvname - GSS (Kerberos) service name when constructing the
+	  SPN (default is `postgres`). This will be combined with the host
+	  to form the full SPN: `krbsrvname/host`.
+	* krbspn - GSS (Kerberos) SPN. This takes priority over
+	  `krbsrvname` if present.
+*/
+package pq
diff --git a/vendor/github.com/lib/pq/encode.go b/vendor/github.com/lib/pq/encode.go
new file mode 100644
index 0000000000..bffe6096af
--- /dev/null
+++ b/vendor/github.com/lib/pq/encode.go
@@ -0,0 +1,632 @@
+package pq
+
+import (
+	"bytes"
+	"database/sql/driver"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"math"
+	"regexp"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/lib/pq/oid"
+)
+
+var time2400Regex = regexp.MustCompile(`^(24:00(?::00(?:\.0+)?)?)(?:[Z+-].*)?$`)
+
+func binaryEncode(parameterStatus *parameterStatus, x interface{}) []byte {
+	switch v := x.(type) {
+	case []byte:
+		return v
+	default:
+		return encode(parameterStatus, x, oid.T_unknown)
+	}
+}
+
+func encode(parameterStatus *parameterStatus, x interface{}, pgtypOid oid.Oid) []byte {
+	switch v := x.(type) {
+	case int64:
+		return strconv.AppendInt(nil, v, 10)
+	case float64:
+		return strconv.AppendFloat(nil, v, 'f', -1, 64)
+	case []byte:
+		if pgtypOid == oid.T_bytea {
+			return encodeBytea(parameterStatus.serverVersion, v)
+		}
+
+		return v
+	case string:
+		if pgtypOid == oid.T_bytea {
+			return encodeBytea(parameterStatus.serverVersion, []byte(v))
+		}
+
+		return []byte(v)
+	case bool:
+		return strconv.AppendBool(nil, v)
+	case time.Time:
+		return formatTs(v)
+
+	default:
+		errorf("encode: unknown type for %T", v)
+	}
+
+	panic("not reached")
+}
+
+func decode(parameterStatus *parameterStatus, s []byte, typ oid.Oid, f format) interface{} {
+	switch f {
+	case formatBinary:
+		return binaryDecode(parameterStatus, s, typ)
+	case formatText:
+		return textDecode(parameterStatus, s, typ)
+	default:
+		panic("not reached")
+	}
+}
+
+func binaryDecode(parameterStatus *parameterStatus, s []byte, typ oid.Oid) interface{} {
+	switch typ {
+	case oid.T_bytea:
+		return s
+	case oid.T_int8:
+		return int64(binary.BigEndian.Uint64(s))
+	case oid.T_int4:
+		return int64(int32(binary.BigEndian.Uint32(s)))
+	case oid.T_int2:
+		return int64(int16(binary.BigEndian.Uint16(s)))
+	case oid.T_uuid:
+		b, err := decodeUUIDBinary(s)
+		if err != nil {
+			panic(err)
+		}
+		return b
+
+	default:
+		errorf("don't know how to decode binary parameter of type %d", uint32(typ))
+	}
+
+	panic("not reached")
+}
+
+func textDecode(parameterStatus *parameterStatus, s []byte, typ oid.Oid) interface{} {
+	switch typ {
+	case oid.T_char, oid.T_varchar, oid.T_text:
+		return string(s)
+	case oid.T_bytea:
+		b, err := parseBytea(s)
+		if err != nil {
+			errorf("%s", err)
+		}
+		return b
+	case oid.T_timestamptz:
+		return parseTs(parameterStatus.currentLocation, string(s))
+	case oid.T_timestamp, oid.T_date:
+		return parseTs(nil, string(s))
+	case oid.T_time:
+		return mustParse("15:04:05", typ, s)
+	case oid.T_timetz:
+		return mustParse("15:04:05-07", typ, s)
+	case oid.T_bool:
+		return s[0] == 't'
+	case oid.T_int8, oid.T_int4, oid.T_int2:
+		i, err := strconv.ParseInt(string(s), 10, 64)
+		if err != nil {
+			errorf("%s", err)
+		}
+		return i
+	case oid.T_float4, oid.T_float8:
+		// We always use 64 bit parsing, regardless of whether the input text is for
+		// a float4 or float8, because clients expect float64s for all float datatypes
+		// and returning a 32-bit parsed float64 produces lossy results.
+		f, err := strconv.ParseFloat(string(s), 64)
+		if err != nil {
+			errorf("%s", err)
+		}
+		return f
+	}
+
+	return s
+}
+
+// appendEncodedText encodes item in text format as required by COPY
+// and appends to buf
+func appendEncodedText(parameterStatus *parameterStatus, buf []byte, x interface{}) []byte {
+	switch v := x.(type) {
+	case int64:
+		return strconv.AppendInt(buf, v, 10)
+	case float64:
+		return strconv.AppendFloat(buf, v, 'f', -1, 64)
+	case []byte:
+		encodedBytea := encodeBytea(parameterStatus.serverVersion, v)
+		return appendEscapedText(buf, string(encodedBytea))
+	case string:
+		return appendEscapedText(buf, v)
+	case bool:
+		return strconv.AppendBool(buf, v)
+	case time.Time:
+		return append(buf, formatTs(v)...)
+	case nil:
+		return append(buf, "\\N"...)
+	default:
+		errorf("encode: unknown type for %T", v)
+	}
+
+	panic("not reached")
+}
+
+func appendEscapedText(buf []byte, text string) []byte {
+	escapeNeeded := false
+	startPos := 0
+	var c byte
+
+	// check if we need to escape
+	for i := 0; i < len(text); i++ {
+		c = text[i]
+		if c == '\\' || c == '\n' || c == '\r' || c == '\t' {
+			escapeNeeded = true
+			startPos = i
+			break
+		}
+	}
+	if !escapeNeeded {
+		return append(buf, text...)
+	}
+
+	// copy till first char to escape, iterate the rest
+	result := append(buf, text[:startPos]...)
+	for i := startPos; i < len(text); i++ {
+		c = text[i]
+		switch c {
+		case '\\':
+			result = append(result, '\\', '\\')
+		case '\n':
+			result = append(result, '\\', 'n')
+		case '\r':
+			result = append(result, '\\', 'r')
+		case '\t':
+			result = append(result, '\\', 't')
+		default:
+			result = append(result, c)
+		}
+	}
+	return result
+}
+
+func mustParse(f string, typ oid.Oid, s []byte) time.Time {
+	str := string(s)
+
+	// Check for a minute and second offset in the timezone.
+	if typ == oid.T_timestamptz || typ == oid.T_timetz {
+		for i := 3; i <= 6; i += 3 {
+			if str[len(str)-i] == ':' {
+				f += ":00"
+				continue
+			}
+			break
+		}
+	}
+
+	// Special case for 24:00 time.
+	// Unfortunately, golang does not parse 24:00 as a proper time.
+	// In this case, we want to try "round to the next day", to differentiate.
+	// As such, we find if the 24:00 time matches at the beginning; if so,
+	// we default it back to 00:00 but add a day later.
+	var is2400Time bool
+	switch typ {
+	case oid.T_timetz, oid.T_time:
+		if matches := time2400Regex.FindStringSubmatch(str); matches != nil {
+			// Concatenate timezone information at the back.
+			str = "00:00:00" + str[len(matches[1]):]
+			is2400Time = true
+		}
+	}
+	t, err := time.Parse(f, str)
+	if err != nil {
+		errorf("decode: %s", err)
+	}
+	if is2400Time {
+		t = t.Add(24 * time.Hour)
+	}
+	return t
+}
+
+var errInvalidTimestamp = errors.New("invalid timestamp")
+
+type timestampParser struct {
+	err error
+}
+
+func (p *timestampParser) expect(str string, char byte, pos int) {
+	if p.err != nil {
+		return
+	}
+	if pos+1 > len(str) {
+		p.err = errInvalidTimestamp
+		return
+	}
+	if c := str[pos]; c != char && p.err == nil {
+		p.err = fmt.Errorf("expected '%v' at position %v; got '%v'", char, pos, c)
+	}
+}
+
+func (p *timestampParser) mustAtoi(str string, begin int, end int) int {
+	if p.err != nil {
+		return 0
+	}
+	if begin < 0 || end < 0 || begin > end || end > len(str) {
+		p.err = errInvalidTimestamp
+		return 0
+	}
+	result, err := strconv.Atoi(str[begin:end])
+	if err != nil {
+		if p.err == nil {
+			p.err = fmt.Errorf("expected number; got '%v'", str)
+		}
+		return 0
+	}
+	return result
+}
+
+// The location cache caches the time zones typically used by the client.
+type locationCache struct {
+	cache map[int]*time.Location
+	lock  sync.Mutex
+}
+
+// All connections share the same list of timezones. Benchmarking shows that
+// about 5% speed could be gained by putting the cache in the connection and
+// losing the mutex, at the cost of a small amount of memory and a somewhat
+// significant increase in code complexity.
+var globalLocationCache = newLocationCache()
+
+func newLocationCache() *locationCache {
+	return &locationCache{cache: make(map[int]*time.Location)}
+}
+
+// Returns the cached timezone for the specified offset, creating and caching
+// it if necessary.
+func (c *locationCache) getLocation(offset int) *time.Location {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	location, ok := c.cache[offset]
+	if !ok {
+		location = time.FixedZone("", offset)
+		c.cache[offset] = location
+	}
+
+	return location
+}
+
+var infinityTsEnabled = false
+var infinityTsNegative time.Time
+var infinityTsPositive time.Time
+
+const (
+	infinityTsEnabledAlready        = "pq: infinity timestamp enabled already"
+	infinityTsNegativeMustBeSmaller = "pq: infinity timestamp: negative value must be smaller (before) than positive"
+)
+
+// EnableInfinityTs controls the handling of Postgres' "-infinity" and
+// "infinity" "timestamp"s.
+//
+// If EnableInfinityTs is not called, "-infinity" and "infinity" will return
+// []byte("-infinity") and []byte("infinity") respectively, and potentially
+// cause error "sql: Scan error on column index 0: unsupported driver -> Scan
+// pair: []uint8 -> *time.Time", when scanning into a time.Time value.
+//
+// Once EnableInfinityTs has been called, all connections created using this
+// driver will decode Postgres' "-infinity" and "infinity" for "timestamp",
+// "timestamp with time zone" and "date" types to the predefined minimum and
+// maximum times, respectively.  When encoding time.Time values, any time which
+// equals or precedes the predefined minimum time will be encoded to
+// "-infinity".  Any values at or past the maximum time will similarly be
+// encoded to "infinity".
+//
+// If EnableInfinityTs is called with negative >= positive, it will panic.
+// Calling EnableInfinityTs after a connection has been established results in
+// undefined behavior.  If EnableInfinityTs is called more than once, it will
+// panic.
+func EnableInfinityTs(negative time.Time, positive time.Time) {
+	if infinityTsEnabled {
+		panic(infinityTsEnabledAlready)
+	}
+	if !negative.Before(positive) {
+		panic(infinityTsNegativeMustBeSmaller)
+	}
+	infinityTsEnabled = true
+	infinityTsNegative = negative
+	infinityTsPositive = positive
+}
+
+/*
+ * Testing might want to toggle infinityTsEnabled
+ */
+func disableInfinityTs() {
+	infinityTsEnabled = false
+}
+
+// This is a time function specific to the Postgres default DateStyle
+// setting ("ISO, MDY"), the only one we currently support. This
+// accounts for the discrepancies between the parsing available with
+// time.Parse and the Postgres date formatting quirks.
+func parseTs(currentLocation *time.Location, str string) interface{} {
+	switch str {
+	case "-infinity":
+		if infinityTsEnabled {
+			return infinityTsNegative
+		}
+		return []byte(str)
+	case "infinity":
+		if infinityTsEnabled {
+			return infinityTsPositive
+		}
+		return []byte(str)
+	}
+	t, err := ParseTimestamp(currentLocation, str)
+	if err != nil {
+		panic(err)
+	}
+	return t
+}
+
+// ParseTimestamp parses Postgres' text format. It returns a time.Time in
+// currentLocation iff that time's offset agrees with the offset sent from the
+// Postgres server. Otherwise, ParseTimestamp returns a time.Time with the
+// fixed offset offset provided by the Postgres server.
+func ParseTimestamp(currentLocation *time.Location, str string) (time.Time, error) {
+	p := timestampParser{}
+
+	monSep := strings.IndexRune(str, '-')
+	// this is Gregorian year, not ISO Year
+	// In Gregorian system, the year 1 BC is followed by AD 1
+	year := p.mustAtoi(str, 0, monSep)
+	daySep := monSep + 3
+	month := p.mustAtoi(str, monSep+1, daySep)
+	p.expect(str, '-', daySep)
+	timeSep := daySep + 3
+	day := p.mustAtoi(str, daySep+1, timeSep)
+
+	minLen := monSep + len("01-01") + 1
+
+	isBC := strings.HasSuffix(str, " BC")
+	if isBC {
+		minLen += 3
+	}
+
+	var hour, minute, second int
+	if len(str) > minLen {
+		p.expect(str, ' ', timeSep)
+		minSep := timeSep + 3
+		p.expect(str, ':', minSep)
+		hour = p.mustAtoi(str, timeSep+1, minSep)
+		secSep := minSep + 3
+		p.expect(str, ':', secSep)
+		minute = p.mustAtoi(str, minSep+1, secSep)
+		secEnd := secSep + 3
+		second = p.mustAtoi(str, secSep+1, secEnd)
+	}
+	remainderIdx := monSep + len("01-01 00:00:00") + 1
+	// Three optional (but ordered) sections follow: the
+	// fractional seconds, the time zone offset, and the BC
+	// designation. We set them up here and adjust the other
+	// offsets if the preceding sections exist.
+
+	nanoSec := 0
+	tzOff := 0
+
+	if remainderIdx < len(str) && str[remainderIdx] == '.' {
+		fracStart := remainderIdx + 1
+		fracOff := strings.IndexAny(str[fracStart:], "-+Z ")
+		if fracOff < 0 {
+			fracOff = len(str) - fracStart
+		}
+		fracSec := p.mustAtoi(str, fracStart, fracStart+fracOff)
+		nanoSec = fracSec * (1000000000 / int(math.Pow(10, float64(fracOff))))
+
+		remainderIdx += fracOff + 1
+	}
+	if tzStart := remainderIdx; tzStart < len(str) && (str[tzStart] == '-' || str[tzStart] == '+') {
+		// time zone separator is always '-' or '+' or 'Z' (UTC is +00)
+		var tzSign int
+		switch c := str[tzStart]; c {
+		case '-':
+			tzSign = -1
+		case '+':
+			tzSign = +1
+		default:
+			return time.Time{}, fmt.Errorf("expected '-' or '+' at position %v; got %v", tzStart, c)
+		}
+		tzHours := p.mustAtoi(str, tzStart+1, tzStart+3)
+		remainderIdx += 3
+		var tzMin, tzSec int
+		if remainderIdx < len(str) && str[remainderIdx] == ':' {
+			tzMin = p.mustAtoi(str, remainderIdx+1, remainderIdx+3)
+			remainderIdx += 3
+		}
+		if remainderIdx < len(str) && str[remainderIdx] == ':' {
+			tzSec = p.mustAtoi(str, remainderIdx+1, remainderIdx+3)
+			remainderIdx += 3
+		}
+		tzOff = tzSign * ((tzHours * 60 * 60) + (tzMin * 60) + tzSec)
+	} else if tzStart < len(str) && str[tzStart] == 'Z' {
+		// time zone Z separator indicates UTC is +00
+		remainderIdx += 1
+	}
+
+	var isoYear int
+
+	if isBC {
+		isoYear = 1 - year
+		remainderIdx += 3
+	} else {
+		isoYear = year
+	}
+	if remainderIdx < len(str) {
+		return time.Time{}, fmt.Errorf("expected end of input, got %v", str[remainderIdx:])
+	}
+	t := time.Date(isoYear, time.Month(month), day,
+		hour, minute, second, nanoSec,
+		globalLocationCache.getLocation(tzOff))
+
+	if currentLocation != nil {
+		// Set the location of the returned Time based on the session's
+		// TimeZone value, but only if the local time zone database agrees with
+		// the remote database on the offset.
+		lt := t.In(currentLocation)
+		_, newOff := lt.Zone()
+		if newOff == tzOff {
+			t = lt
+		}
+	}
+
+	return t, p.err
+}
+
+// formatTs formats t into a format postgres understands.
+func formatTs(t time.Time) []byte {
+	if infinityTsEnabled {
+		// t <= -infinity : ! (t > -infinity)
+		if !t.After(infinityTsNegative) {
+			return []byte("-infinity")
+		}
+		// t >= infinity : ! (!t < infinity)
+		if !t.Before(infinityTsPositive) {
+			return []byte("infinity")
+		}
+	}
+	return FormatTimestamp(t)
+}
+
+// FormatTimestamp formats t into Postgres' text format for timestamps.
+func FormatTimestamp(t time.Time) []byte {
+	// Need to send dates before 0001 A.D. with " BC" suffix, instead of the
+	// minus sign preferred by Go.
+	// Beware, "0000" in ISO is "1 BC", "-0001" is "2 BC" and so on
+	bc := false
+	if t.Year() <= 0 {
+		// flip year sign, and add 1, e.g: "0" will be "1", and "-10" will be "11"
+		t = t.AddDate((-t.Year())*2+1, 0, 0)
+		bc = true
+	}
+	b := []byte(t.Format("2006-01-02 15:04:05.999999999Z07:00"))
+
+	_, offset := t.Zone()
+	offset %= 60
+	if offset != 0 {
+		// RFC3339Nano already printed the minus sign
+		if offset < 0 {
+			offset = -offset
+		}
+
+		b = append(b, ':')
+		if offset < 10 {
+			b = append(b, '0')
+		}
+		b = strconv.AppendInt(b, int64(offset), 10)
+	}
+
+	if bc {
+		b = append(b, " BC"...)
+	}
+	return b
+}
+
+// Parse a bytea value received from the server.  Both "hex" and the legacy
+// "escape" format are supported.
+func parseBytea(s []byte) (result []byte, err error) {
+	if len(s) >= 2 && bytes.Equal(s[:2], []byte("\\x")) {
+		// bytea_output = hex
+		s = s[2:] // trim off leading "\\x"
+		result = make([]byte, hex.DecodedLen(len(s)))
+		_, err := hex.Decode(result, s)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// bytea_output = escape
+		for len(s) > 0 {
+			if s[0] == '\\' {
+				// escaped '\\'
+				if len(s) >= 2 && s[1] == '\\' {
+					result = append(result, '\\')
+					s = s[2:]
+					continue
+				}
+
+				// '\\' followed by an octal number
+				if len(s) < 4 {
+					return nil, fmt.Errorf("invalid bytea sequence %v", s)
+				}
+				r, err := strconv.ParseUint(string(s[1:4]), 8, 8)
+				if err != nil {
+					return nil, fmt.Errorf("could not parse bytea value: %s", err.Error())
+				}
+				result = append(result, byte(r))
+				s = s[4:]
+			} else {
+				// We hit an unescaped, raw byte.  Try to read in as many as
+				// possible in one go.
+				i := bytes.IndexByte(s, '\\')
+				if i == -1 {
+					result = append(result, s...)
+					break
+				}
+				result = append(result, s[:i]...)
+				s = s[i:]
+			}
+		}
+	}
+
+	return result, nil
+}
+
+func encodeBytea(serverVersion int, v []byte) (result []byte) {
+	if serverVersion >= 90000 {
+		// Use the hex format if we know that the server supports it
+		result = make([]byte, 2+hex.EncodedLen(len(v)))
+		result[0] = '\\'
+		result[1] = 'x'
+		hex.Encode(result[2:], v)
+	} else {
+		// .. or resort to "escape"
+		for _, b := range v {
+			if b == '\\' {
+				result = append(result, '\\', '\\')
+			} else if b < 0x20 || b > 0x7e {
+				result = append(result, []byte(fmt.Sprintf("\\%03o", b))...)
+			} else {
+				result = append(result, b)
+			}
+		}
+	}
+
+	return result
+}
+
+// NullTime represents a time.Time that may be null. NullTime implements the
+// sql.Scanner interface so it can be used as a scan destination, similar to
+// sql.NullString.
+type NullTime struct {
+	Time  time.Time
+	Valid bool // Valid is true if Time is not NULL
+}
+
+// Scan implements the Scanner interface.
+func (nt *NullTime) Scan(value interface{}) error {
+	nt.Time, nt.Valid = value.(time.Time)
+	return nil
+}
+
+// Value implements the driver Valuer interface.
+func (nt NullTime) Value() (driver.Value, error) {
+	if !nt.Valid {
+		return nil, nil
+	}
+	return nt.Time, nil
+}
diff --git a/vendor/github.com/lib/pq/error.go b/vendor/github.com/lib/pq/error.go
new file mode 100644
index 0000000000..f67c5a5fa6
--- /dev/null
+++ b/vendor/github.com/lib/pq/error.go
@@ -0,0 +1,523 @@
+package pq
+
+import (
+	"database/sql/driver"
+	"fmt"
+	"io"
+	"net"
+	"runtime"
+)
+
+// Error severities
+const (
+	Efatal   = "FATAL"
+	Epanic   = "PANIC"
+	Ewarning = "WARNING"
+	Enotice  = "NOTICE"
+	Edebug   = "DEBUG"
+	Einfo    = "INFO"
+	Elog     = "LOG"
+)
+
+// Error represents an error communicating with the server.
+//
+// See http://www.postgresql.org/docs/current/static/protocol-error-fields.html for details of the fields
+type Error struct {
+	Severity         string
+	Code             ErrorCode
+	Message          string
+	Detail           string
+	Hint             string
+	Position         string
+	InternalPosition string
+	InternalQuery    string
+	Where            string
+	Schema           string
+	Table            string
+	Column           string
+	DataTypeName     string
+	Constraint       string
+	File             string
+	Line             string
+	Routine          string
+}
+
+// ErrorCode is a five-character error code.
+type ErrorCode string
+
+// Name returns a more human friendly rendering of the error code, namely the
+// "condition name".
+//
+// See http://www.postgresql.org/docs/9.3/static/errcodes-appendix.html for
+// details.
+func (ec ErrorCode) Name() string {
+	return errorCodeNames[ec]
+}
+
+// ErrorClass is only the class part of an error code.
+type ErrorClass string
+
+// Name returns the condition name of an error class.  It is equivalent to the
+// condition name of the "standard" error code (i.e. the one having the last
+// three characters "000").
+func (ec ErrorClass) Name() string {
+	return errorCodeNames[ErrorCode(ec+"000")]
+}
+
+// Class returns the error class, e.g. "28".
+//
+// See http://www.postgresql.org/docs/9.3/static/errcodes-appendix.html for
+// details.
+func (ec ErrorCode) Class() ErrorClass {
+	return ErrorClass(ec[0:2])
+}
+
+// errorCodeNames is a mapping between the five-character error codes and the
+// human readable "condition names". It is derived from the list at
+// http://www.postgresql.org/docs/9.3/static/errcodes-appendix.html
+var errorCodeNames = map[ErrorCode]string{
+	// Class 00 - Successful Completion
+	"00000": "successful_completion",
+	// Class 01 - Warning
+	"01000": "warning",
+	"0100C": "dynamic_result_sets_returned",
+	"01008": "implicit_zero_bit_padding",
+	"01003": "null_value_eliminated_in_set_function",
+	"01007": "privilege_not_granted",
+	"01006": "privilege_not_revoked",
+	"01004": "string_data_right_truncation",
+	"01P01": "deprecated_feature",
+	// Class 02 - No Data (this is also a warning class per the SQL standard)
+	"02000": "no_data",
+	"02001": "no_additional_dynamic_result_sets_returned",
+	// Class 03 - SQL Statement Not Yet Complete
+	"03000": "sql_statement_not_yet_complete",
+	// Class 08 - Connection Exception
+	"08000": "connection_exception",
+	"08003": "connection_does_not_exist",
+	"08006": "connection_failure",
+	"08001": "sqlclient_unable_to_establish_sqlconnection",
+	"08004": "sqlserver_rejected_establishment_of_sqlconnection",
+	"08007": "transaction_resolution_unknown",
+	"08P01": "protocol_violation",
+	// Class 09 - Triggered Action Exception
+	"09000": "triggered_action_exception",
+	// Class 0A - Feature Not Supported
+	"0A000": "feature_not_supported",
+	// Class 0B - Invalid Transaction Initiation
+	"0B000": "invalid_transaction_initiation",
+	// Class 0F - Locator Exception
+	"0F000": "locator_exception",
+	"0F001": "invalid_locator_specification",
+	// Class 0L - Invalid Grantor
+	"0L000": "invalid_grantor",
+	"0LP01": "invalid_grant_operation",
+	// Class 0P - Invalid Role Specification
+	"0P000": "invalid_role_specification",
+	// Class 0Z - Diagnostics Exception
+	"0Z000": "diagnostics_exception",
+	"0Z002": "stacked_diagnostics_accessed_without_active_handler",
+	// Class 20 - Case Not Found
+	"20000": "case_not_found",
+	// Class 21 - Cardinality Violation
+	"21000": "cardinality_violation",
+	// Class 22 - Data Exception
+	"22000": "data_exception",
+	"2202E": "array_subscript_error",
+	"22021": "character_not_in_repertoire",
+	"22008": "datetime_field_overflow",
+	"22012": "division_by_zero",
+	"22005": "error_in_assignment",
+	"2200B": "escape_character_conflict",
+	"22022": "indicator_overflow",
+	"22015": "interval_field_overflow",
+	"2201E": "invalid_argument_for_logarithm",
+	"22014": "invalid_argument_for_ntile_function",
+	"22016": "invalid_argument_for_nth_value_function",
+	"2201F": "invalid_argument_for_power_function",
+	"2201G": "invalid_argument_for_width_bucket_function",
+	"22018": "invalid_character_value_for_cast",
+	"22007": "invalid_datetime_format",
+	"22019": "invalid_escape_character",
+	"2200D": "invalid_escape_octet",
+	"22025": "invalid_escape_sequence",
+	"22P06": "nonstandard_use_of_escape_character",
+	"22010": "invalid_indicator_parameter_value",
+	"22023": "invalid_parameter_value",
+	"2201B": "invalid_regular_expression",
+	"2201W": "invalid_row_count_in_limit_clause",
+	"2201X": "invalid_row_count_in_result_offset_clause",
+	"22009": "invalid_time_zone_displacement_value",
+	"2200C": "invalid_use_of_escape_character",
+	"2200G": "most_specific_type_mismatch",
+	"22004": "null_value_not_allowed",
+	"22002": "null_value_no_indicator_parameter",
+	"22003": "numeric_value_out_of_range",
+	"2200H": "sequence_generator_limit_exceeded",
+	"22026": "string_data_length_mismatch",
+	"22001": "string_data_right_truncation",
+	"22011": "substring_error",
+	"22027": "trim_error",
+	"22024": "unterminated_c_string",
+	"2200F": "zero_length_character_string",
+	"22P01": "floating_point_exception",
+	"22P02": "invalid_text_representation",
+	"22P03": "invalid_binary_representation",
+	"22P04": "bad_copy_file_format",
+	"22P05": "untranslatable_character",
+	"2200L": "not_an_xml_document",
+	"2200M": "invalid_xml_document",
+	"2200N": "invalid_xml_content",
+	"2200S": "invalid_xml_comment",
+	"2200T": "invalid_xml_processing_instruction",
+	// Class 23 - Integrity Constraint Violation
+	"23000": "integrity_constraint_violation",
+	"23001": "restrict_violation",
+	"23502": "not_null_violation",
+	"23503": "foreign_key_violation",
+	"23505": "unique_violation",
+	"23514": "check_violation",
+	"23P01": "exclusion_violation",
+	// Class 24 - Invalid Cursor State
+	"24000": "invalid_cursor_state",
+	// Class 25 - Invalid Transaction State
+	"25000": "invalid_transaction_state",
+	"25001": "active_sql_transaction",
+	"25002": "branch_transaction_already_active",
+	"25008": "held_cursor_requires_same_isolation_level",
+	"25003": "inappropriate_access_mode_for_branch_transaction",
+	"25004": "inappropriate_isolation_level_for_branch_transaction",
+	"25005": "no_active_sql_transaction_for_branch_transaction",
+	"25006": "read_only_sql_transaction",
+	"25007": "schema_and_data_statement_mixing_not_supported",
+	"25P01": "no_active_sql_transaction",
+	"25P02": "in_failed_sql_transaction",
+	// Class 26 - Invalid SQL Statement Name
+	"26000": "invalid_sql_statement_name",
+	// Class 27 - Triggered Data Change Violation
+	"27000": "triggered_data_change_violation",
+	// Class 28 - Invalid Authorization Specification
+	"28000": "invalid_authorization_specification",
+	"28P01": "invalid_password",
+	// Class 2B - Dependent Privilege Descriptors Still Exist
+	"2B000": "dependent_privilege_descriptors_still_exist",
+	"2BP01": "dependent_objects_still_exist",
+	// Class 2D - Invalid Transaction Termination
+	"2D000": "invalid_transaction_termination",
+	// Class 2F - SQL Routine Exception
+	"2F000": "sql_routine_exception",
+	"2F005": "function_executed_no_return_statement",
+	"2F002": "modifying_sql_data_not_permitted",
+	"2F003": "prohibited_sql_statement_attempted",
+	"2F004": "reading_sql_data_not_permitted",
+	// Class 34 - Invalid Cursor Name
+	"34000": "invalid_cursor_name",
+	// Class 38 - External Routine Exception
+	"38000": "external_routine_exception",
+	"38001": "containing_sql_not_permitted",
+	"38002": "modifying_sql_data_not_permitted",
+	"38003": "prohibited_sql_statement_attempted",
+	"38004": "reading_sql_data_not_permitted",
+	// Class 39 - External Routine Invocation Exception
+	"39000": "external_routine_invocation_exception",
+	"39001": "invalid_sqlstate_returned",
+	"39004": "null_value_not_allowed",
+	"39P01": "trigger_protocol_violated",
+	"39P02": "srf_protocol_violated",
+	// Class 3B - Savepoint Exception
+	"3B000": "savepoint_exception",
+	"3B001": "invalid_savepoint_specification",
+	// Class 3D - Invalid Catalog Name
+	"3D000": "invalid_catalog_name",
+	// Class 3F - Invalid Schema Name
+	"3F000": "invalid_schema_name",
+	// Class 40 - Transaction Rollback
+	"40000": "transaction_rollback",
+	"40002": "transaction_integrity_constraint_violation",
+	"40001": "serialization_failure",
+	"40003": "statement_completion_unknown",
+	"40P01": "deadlock_detected",
+	// Class 42 - Syntax Error or Access Rule Violation
+	"42000": "syntax_error_or_access_rule_violation",
+	"42601": "syntax_error",
+	"42501": "insufficient_privilege",
+	"42846": "cannot_coerce",
+	"42803": "grouping_error",
+	"42P20": "windowing_error",
+	"42P19": "invalid_recursion",
+	"42830": "invalid_foreign_key",
+	"42602": "invalid_name",
+	"42622": "name_too_long",
+	"42939": "reserved_name",
+	"42804": "datatype_mismatch",
+	"42P18": "indeterminate_datatype",
+	"42P21": "collation_mismatch",
+	"42P22": "indeterminate_collation",
+	"42809": "wrong_object_type",
+	"42703": "undefined_column",
+	"42883": "undefined_function",
+	"42P01": "undefined_table",
+	"42P02": "undefined_parameter",
+	"42704": "undefined_object",
+	"42701": "duplicate_column",
+	"42P03": "duplicate_cursor",
+	"42P04": "duplicate_database",
+	"42723": "duplicate_function",
+	"42P05": "duplicate_prepared_statement",
+	"42P06": "duplicate_schema",
+	"42P07": "duplicate_table",
+	"42712": "duplicate_alias",
+	"42710": "duplicate_object",
+	"42702": "ambiguous_column",
+	"42725": "ambiguous_function",
+	"42P08": "ambiguous_parameter",
+	"42P09": "ambiguous_alias",
+	"42P10": "invalid_column_reference",
+	"42611": "invalid_column_definition",
+	"42P11": "invalid_cursor_definition",
+	"42P12": "invalid_database_definition",
+	"42P13": "invalid_function_definition",
+	"42P14": "invalid_prepared_statement_definition",
+	"42P15": "invalid_schema_definition",
+	"42P16": "invalid_table_definition",
+	"42P17": "invalid_object_definition",
+	// Class 44 - WITH CHECK OPTION Violation
+	"44000": "with_check_option_violation",
+	// Class 53 - Insufficient Resources
+	"53000": "insufficient_resources",
+	"53100": "disk_full",
+	"53200": "out_of_memory",
+	"53300": "too_many_connections",
+	"53400": "configuration_limit_exceeded",
+	// Class 54 - Program Limit Exceeded
+	"54000": "program_limit_exceeded",
+	"54001": "statement_too_complex",
+	"54011": "too_many_columns",
+	"54023": "too_many_arguments",
+	// Class 55 - Object Not In Prerequisite State
+	"55000": "object_not_in_prerequisite_state",
+	"55006": "object_in_use",
+	"55P02": "cant_change_runtime_param",
+	"55P03": "lock_not_available",
+	// Class 57 - Operator Intervention
+	"57000": "operator_intervention",
+	"57014": "query_canceled",
+	"57P01": "admin_shutdown",
+	"57P02": "crash_shutdown",
+	"57P03": "cannot_connect_now",
+	"57P04": "database_dropped",
+	// Class 58 - System Error (errors external to PostgreSQL itself)
+	"58000": "system_error",
+	"58030": "io_error",
+	"58P01": "undefined_file",
+	"58P02": "duplicate_file",
+	// Class F0 - Configuration File Error
+	"F0000": "config_file_error",
+	"F0001": "lock_file_exists",
+	// Class HV - Foreign Data Wrapper Error (SQL/MED)
+	"HV000": "fdw_error",
+	"HV005": "fdw_column_name_not_found",
+	"HV002": "fdw_dynamic_parameter_value_needed",
+	"HV010": "fdw_function_sequence_error",
+	"HV021": "fdw_inconsistent_descriptor_information",
+	"HV024": "fdw_invalid_attribute_value",
+	"HV007": "fdw_invalid_column_name",
+	"HV008": "fdw_invalid_column_number",
+	"HV004": "fdw_invalid_data_type",
+	"HV006": "fdw_invalid_data_type_descriptors",
+	"HV091": "fdw_invalid_descriptor_field_identifier",
+	"HV00B": "fdw_invalid_handle",
+	"HV00C": "fdw_invalid_option_index",
+	"HV00D": "fdw_invalid_option_name",
+	"HV090": "fdw_invalid_string_length_or_buffer_length",
+	"HV00A": "fdw_invalid_string_format",
+	"HV009": "fdw_invalid_use_of_null_pointer",
+	"HV014": "fdw_too_many_handles",
+	"HV001": "fdw_out_of_memory",
+	"HV00P": "fdw_no_schemas",
+	"HV00J": "fdw_option_name_not_found",
+	"HV00K": "fdw_reply_handle",
+	"HV00Q": "fdw_schema_not_found",
+	"HV00R": "fdw_table_not_found",
+	"HV00L": "fdw_unable_to_create_execution",
+	"HV00M": "fdw_unable_to_create_reply",
+	"HV00N": "fdw_unable_to_establish_connection",
+	// Class P0 - PL/pgSQL Error
+	"P0000": "plpgsql_error",
+	"P0001": "raise_exception",
+	"P0002": "no_data_found",
+	"P0003": "too_many_rows",
+	// Class XX - Internal Error
+	"XX000": "internal_error",
+	"XX001": "data_corrupted",
+	"XX002": "index_corrupted",
+}
+
+func parseError(r *readBuf) *Error {
+	err := new(Error)
+	for t := r.byte(); t != 0; t = r.byte() {
+		msg := r.string()
+		switch t {
+		case 'S':
+			err.Severity = msg
+		case 'C':
+			err.Code = ErrorCode(msg)
+		case 'M':
+			err.Message = msg
+		case 'D':
+			err.Detail = msg
+		case 'H':
+			err.Hint = msg
+		case 'P':
+			err.Position = msg
+		case 'p':
+			err.InternalPosition = msg
+		case 'q':
+			err.InternalQuery = msg
+		case 'W':
+			err.Where = msg
+		case 's':
+			err.Schema = msg
+		case 't':
+			err.Table = msg
+		case 'c':
+			err.Column = msg
+		case 'd':
+			err.DataTypeName = msg
+		case 'n':
+			err.Constraint = msg
+		case 'F':
+			err.File = msg
+		case 'L':
+			err.Line = msg
+		case 'R':
+			err.Routine = msg
+		}
+	}
+	return err
+}
+
+// Fatal returns true if the Error Severity is fatal.
+func (err *Error) Fatal() bool {
+	return err.Severity == Efatal
+}
+
+// SQLState returns the SQLState of the error.
+func (err *Error) SQLState() string {
+	return string(err.Code)
+}
+
+// Get implements the legacy PGError interface. New code should use the fields
+// of the Error struct directly.
+func (err *Error) Get(k byte) (v string) {
+	switch k {
+	case 'S':
+		return err.Severity
+	case 'C':
+		return string(err.Code)
+	case 'M':
+		return err.Message
+	case 'D':
+		return err.Detail
+	case 'H':
+		return err.Hint
+	case 'P':
+		return err.Position
+	case 'p':
+		return err.InternalPosition
+	case 'q':
+		return err.InternalQuery
+	case 'W':
+		return err.Where
+	case 's':
+		return err.Schema
+	case 't':
+		return err.Table
+	case 'c':
+		return err.Column
+	case 'd':
+		return err.DataTypeName
+	case 'n':
+		return err.Constraint
+	case 'F':
+		return err.File
+	case 'L':
+		return err.Line
+	case 'R':
+		return err.Routine
+	}
+	return ""
+}
+
+func (err *Error) Error() string {
+	return "pq: " + err.Message
+}
+
+// PGError is an interface used by previous versions of pq. It is provided
+// only to support legacy code. New code should use the Error type.
+type PGError interface {
+	Error() string
+	Fatal() bool
+	Get(k byte) (v string)
+}
+
+func errorf(s string, args ...interface{}) {
+	panic(fmt.Errorf("pq: %s", fmt.Sprintf(s, args...)))
+}
+
+// TODO(ainar-g) Rename to errorf after removing panics.
+func fmterrorf(s string, args ...interface{}) error {
+	return fmt.Errorf("pq: %s", fmt.Sprintf(s, args...))
+}
+
+func errRecoverNoErrBadConn(err *error) {
+	e := recover()
+	if e == nil {
+		// Do nothing
+		return
+	}
+	var ok bool
+	*err, ok = e.(error)
+	if !ok {
+		*err = fmt.Errorf("pq: unexpected error: %#v", e)
+	}
+}
+
+func (cn *conn) errRecover(err *error) {
+	e := recover()
+	switch v := e.(type) {
+	case nil:
+		// Do nothing
+	case runtime.Error:
+		cn.err.set(driver.ErrBadConn)
+		panic(v)
+	case *Error:
+		if v.Fatal() {
+			*err = driver.ErrBadConn
+		} else {
+			*err = v
+		}
+	case *net.OpError:
+		cn.err.set(driver.ErrBadConn)
+		*err = v
+	case *safeRetryError:
+		cn.err.set(driver.ErrBadConn)
+		*err = driver.ErrBadConn
+	case error:
+		if v == io.EOF || v.Error() == "remote error: handshake failure" {
+			*err = driver.ErrBadConn
+		} else {
+			*err = v
+		}
+
+	default:
+		cn.err.set(driver.ErrBadConn)
+		panic(fmt.Sprintf("unknown error: %#v", e))
+	}
+
+	// Any time we return ErrBadConn, we need to remember it since *Tx doesn't
+	// mark the connection bad in database/sql.
+	if *err == driver.ErrBadConn {
+		cn.err.set(driver.ErrBadConn)
+	}
+}
diff --git a/vendor/github.com/lib/pq/krb.go b/vendor/github.com/lib/pq/krb.go
new file mode 100644
index 0000000000..408ec01f97
--- /dev/null
+++ b/vendor/github.com/lib/pq/krb.go
@@ -0,0 +1,27 @@
+package pq
+
+// NewGSSFunc creates a GSS authentication provider, for use with
+// RegisterGSSProvider.
+type NewGSSFunc func() (GSS, error)
+
+var newGss NewGSSFunc
+
+// RegisterGSSProvider registers a GSS authentication provider. For example, if
+// you need to use Kerberos to authenticate with your server, add this to your
+// main package:
+//
+//	import "github.com/lib/pq/auth/kerberos"
+//
+//	func init() {
+//		pq.RegisterGSSProvider(func() (pq.GSS, error) { return kerberos.NewGSS() })
+//	}
+func RegisterGSSProvider(newGssArg NewGSSFunc) {
+	newGss = newGssArg
+}
+
+// GSS provides GSSAPI authentication (e.g., Kerberos).
+type GSS interface {
+	GetInitToken(host string, service string) ([]byte, error)
+	GetInitTokenFromSpn(spn string) ([]byte, error)
+	Continue(inToken []byte) (done bool, outToken []byte, err error)
+}
diff --git a/vendor/github.com/lib/pq/notice.go b/vendor/github.com/lib/pq/notice.go
new file mode 100644
index 0000000000..70ad122a7d
--- /dev/null
+++ b/vendor/github.com/lib/pq/notice.go
@@ -0,0 +1,72 @@
+//go:build go1.10
+// +build go1.10
+
+package pq
+
+import (
+	"context"
+	"database/sql/driver"
+)
+
+// NoticeHandler returns the notice handler on the given connection, if any. A
+// runtime panic occurs if c is not a pq connection. This is rarely used
+// directly, use ConnectorNoticeHandler and ConnectorWithNoticeHandler instead.
+func NoticeHandler(c driver.Conn) func(*Error) {
+	return c.(*conn).noticeHandler
+}
+
+// SetNoticeHandler sets the given notice handler on the given connection. A
+// runtime panic occurs if c is not a pq connection. A nil handler may be used
+// to unset it. This is rarely used directly, use ConnectorNoticeHandler and
+// ConnectorWithNoticeHandler instead.
+//
+// Note: Notice handlers are executed synchronously by pq meaning commands
+// won't continue to be processed until the handler returns.
+func SetNoticeHandler(c driver.Conn, handler func(*Error)) {
+	c.(*conn).noticeHandler = handler
+}
+
+// NoticeHandlerConnector wraps a regular connector and sets a notice handler
+// on it.
+type NoticeHandlerConnector struct {
+	driver.Connector
+	noticeHandler func(*Error)
+}
+
+// Connect calls the underlying connector's connect method and then sets the
+// notice handler.
+func (n *NoticeHandlerConnector) Connect(ctx context.Context) (driver.Conn, error) {
+	c, err := n.Connector.Connect(ctx)
+	if err == nil {
+		SetNoticeHandler(c, n.noticeHandler)
+	}
+	return c, err
+}
+
+// ConnectorNoticeHandler returns the currently set notice handler, if any. If
+// the given connector is not a result of ConnectorWithNoticeHandler, nil is
+// returned.
+func ConnectorNoticeHandler(c driver.Connector) func(*Error) {
+	if c, ok := c.(*NoticeHandlerConnector); ok {
+		return c.noticeHandler
+	}
+	return nil
+}
+
+// ConnectorWithNoticeHandler creates or sets the given handler for the given
+// connector. If the given connector is a result of calling this function
+// previously, it is simply set on the given connector and returned. Otherwise,
+// this returns a new connector wrapping the given one and setting the notice
+// handler. A nil notice handler may be used to unset it.
+//
+// The returned connector is intended to be used with database/sql.OpenDB.
+//
+// Note: Notice handlers are executed synchronously by pq meaning commands
+// won't continue to be processed until the handler returns.
+func ConnectorWithNoticeHandler(c driver.Connector, handler func(*Error)) *NoticeHandlerConnector {
+	if c, ok := c.(*NoticeHandlerConnector); ok {
+		c.noticeHandler = handler
+		return c
+	}
+	return &NoticeHandlerConnector{Connector: c, noticeHandler: handler}
+}
diff --git a/vendor/github.com/lib/pq/notify.go b/vendor/github.com/lib/pq/notify.go
new file mode 100644
index 0000000000..5c421fdb8b
--- /dev/null
+++ b/vendor/github.com/lib/pq/notify.go
@@ -0,0 +1,858 @@
+package pq
+
+// Package pq is a pure Go Postgres driver for the database/sql package.
+// This module contains support for Postgres LISTEN/NOTIFY.
+
+import (
+	"context"
+	"database/sql/driver"
+	"errors"
+	"fmt"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+// Notification represents a single notification from the database.
+type Notification struct {
+	// Process ID (PID) of the notifying postgres backend.
+	BePid int
+	// Name of the channel the notification was sent on.
+	Channel string
+	// Payload, or the empty string if unspecified.
+	Extra string
+}
+
+func recvNotification(r *readBuf) *Notification {
+	bePid := r.int32()
+	channel := r.string()
+	extra := r.string()
+
+	return &Notification{bePid, channel, extra}
+}
+
+// SetNotificationHandler sets the given notification handler on the given
+// connection. A runtime panic occurs if c is not a pq connection. A nil handler
+// may be used to unset it.
+//
+// Note: Notification handlers are executed synchronously by pq meaning commands
+// won't continue to be processed until the handler returns.
+func SetNotificationHandler(c driver.Conn, handler func(*Notification)) {
+	c.(*conn).notificationHandler = handler
+}
+
+// NotificationHandlerConnector wraps a regular connector and sets a notification handler
+// on it.
+type NotificationHandlerConnector struct {
+	driver.Connector
+	notificationHandler func(*Notification)
+}
+
+// Connect calls the underlying connector's connect method and then sets the
+// notification handler.
+func (n *NotificationHandlerConnector) Connect(ctx context.Context) (driver.Conn, error) {
+	c, err := n.Connector.Connect(ctx)
+	if err == nil {
+		SetNotificationHandler(c, n.notificationHandler)
+	}
+	return c, err
+}
+
+// ConnectorNotificationHandler returns the currently set notification handler, if any. If
+// the given connector is not a result of ConnectorWithNotificationHandler, nil is
+// returned.
+func ConnectorNotificationHandler(c driver.Connector) func(*Notification) {
+	if c, ok := c.(*NotificationHandlerConnector); ok {
+		return c.notificationHandler
+	}
+	return nil
+}
+
+// ConnectorWithNotificationHandler creates or sets the given handler for the given
+// connector. If the given connector is a result of calling this function
+// previously, it is simply set on the given connector and returned. Otherwise,
+// this returns a new connector wrapping the given one and setting the notification
+// handler. A nil notification handler may be used to unset it.
+//
+// The returned connector is intended to be used with database/sql.OpenDB.
+//
+// Note: Notification handlers are executed synchronously by pq meaning commands
+// won't continue to be processed until the handler returns.
+func ConnectorWithNotificationHandler(c driver.Connector, handler func(*Notification)) *NotificationHandlerConnector {
+	if c, ok := c.(*NotificationHandlerConnector); ok {
+		c.notificationHandler = handler
+		return c
+	}
+	return &NotificationHandlerConnector{Connector: c, notificationHandler: handler}
+}
+
+const (
+	connStateIdle int32 = iota
+	connStateExpectResponse
+	connStateExpectReadyForQuery
+)
+
+type message struct {
+	typ byte
+	err error
+}
+
+var errListenerConnClosed = errors.New("pq: ListenerConn has been closed")
+
+// ListenerConn is a low-level interface for waiting for notifications.  You
+// should use Listener instead.
+type ListenerConn struct {
+	// guards cn and err
+	connectionLock sync.Mutex
+	cn             *conn
+	err            error
+
+	connState int32
+
+	// the sending goroutine will be holding this lock
+	senderLock sync.Mutex
+
+	notificationChan chan<- *Notification
+
+	replyChan chan message
+}
+
+// NewListenerConn creates a new ListenerConn. Use NewListener instead.
+func NewListenerConn(name string, notificationChan chan<- *Notification) (*ListenerConn, error) {
+	return newDialListenerConn(defaultDialer{}, name, notificationChan)
+}
+
+func newDialListenerConn(d Dialer, name string, c chan<- *Notification) (*ListenerConn, error) {
+	cn, err := DialOpen(d, name)
+	if err != nil {
+		return nil, err
+	}
+
+	l := &ListenerConn{
+		cn:               cn.(*conn),
+		notificationChan: c,
+		connState:        connStateIdle,
+		replyChan:        make(chan message, 2),
+	}
+
+	go l.listenerConnMain()
+
+	return l, nil
+}
+
+// We can only allow one goroutine at a time to be running a query on the
+// connection for various reasons, so the goroutine sending on the connection
+// must be holding senderLock.
+//
+// Returns an error if an unrecoverable error has occurred and the ListenerConn
+// should be abandoned.
+func (l *ListenerConn) acquireSenderLock() error {
+	// we must acquire senderLock first to avoid deadlocks; see ExecSimpleQuery
+	l.senderLock.Lock()
+
+	l.connectionLock.Lock()
+	err := l.err
+	l.connectionLock.Unlock()
+	if err != nil {
+		l.senderLock.Unlock()
+		return err
+	}
+	return nil
+}
+
+func (l *ListenerConn) releaseSenderLock() {
+	l.senderLock.Unlock()
+}
+
+// setState advances the protocol state to newState.  Returns false if moving
+// to that state from the current state is not allowed.
+func (l *ListenerConn) setState(newState int32) bool {
+	var expectedState int32
+
+	switch newState {
+	case connStateIdle:
+		expectedState = connStateExpectReadyForQuery
+	case connStateExpectResponse:
+		expectedState = connStateIdle
+	case connStateExpectReadyForQuery:
+		expectedState = connStateExpectResponse
+	default:
+		panic(fmt.Sprintf("unexpected listenerConnState %d", newState))
+	}
+
+	return atomic.CompareAndSwapInt32(&l.connState, expectedState, newState)
+}
+
+// Main logic is here: receive messages from the postgres backend, forward
+// notifications and query replies and keep the internal state in sync with the
+// protocol state.  Returns when the connection has been lost, is about to go
+// away or should be discarded because we couldn't agree on the state with the
+// server backend.
+func (l *ListenerConn) listenerConnLoop() (err error) {
+	defer errRecoverNoErrBadConn(&err)
+
+	r := &readBuf{}
+	for {
+		t, err := l.cn.recvMessage(r)
+		if err != nil {
+			return err
+		}
+
+		switch t {
+		case 'A':
+			// recvNotification copies all the data so we don't need to worry
+			// about the scratch buffer being overwritten.
+			l.notificationChan <- recvNotification(r)
+
+		case 'T', 'D':
+			// only used by tests; ignore
+
+		case 'E':
+			// We might receive an ErrorResponse even when not in a query; it
+			// is expected that the server will close the connection after
+			// that, but we should make sure that the error we display is the
+			// one from the stray ErrorResponse, not io.ErrUnexpectedEOF.
+			if !l.setState(connStateExpectReadyForQuery) {
+				return parseError(r)
+			}
+			l.replyChan <- message{t, parseError(r)}
+
+		case 'C', 'I':
+			if !l.setState(connStateExpectReadyForQuery) {
+				// protocol out of sync
+				return fmt.Errorf("unexpected CommandComplete")
+			}
+			// ExecSimpleQuery doesn't need to know about this message
+
+		case 'Z':
+			if !l.setState(connStateIdle) {
+				// protocol out of sync
+				return fmt.Errorf("unexpected ReadyForQuery")
+			}
+			l.replyChan <- message{t, nil}
+
+		case 'S':
+			// ignore
+		case 'N':
+			if n := l.cn.noticeHandler; n != nil {
+				n(parseError(r))
+			}
+		default:
+			return fmt.Errorf("unexpected message %q from server in listenerConnLoop", t)
+		}
+	}
+}
+
+// This is the main routine for the goroutine receiving on the database
+// connection.  Most of the main logic is in listenerConnLoop.
+func (l *ListenerConn) listenerConnMain() {
+	err := l.listenerConnLoop()
+
+	// listenerConnLoop terminated; we're done, but we still have to clean up.
+	// Make sure nobody tries to start any new queries by making sure the err
+	// pointer is set.  It is important that we do not overwrite its value; a
+	// connection could be closed by either this goroutine or one sending on
+	// the connection -- whoever closes the connection is assumed to have the
+	// more meaningful error message (as the other one will probably get
+	// net.errClosed), so that goroutine sets the error we expose while the
+	// other error is discarded.  If the connection is lost while two
+	// goroutines are operating on the socket, it probably doesn't matter which
+	// error we expose so we don't try to do anything more complex.
+	l.connectionLock.Lock()
+	if l.err == nil {
+		l.err = err
+	}
+	l.cn.Close()
+	l.connectionLock.Unlock()
+
+	// There might be a query in-flight; make sure nobody's waiting for a
+	// response to it, since there's not going to be one.
+	close(l.replyChan)
+
+	// let the listener know we're done
+	close(l.notificationChan)
+
+	// this ListenerConn is done
+}
+
+// Listen sends a LISTEN query to the server. See ExecSimpleQuery.
+func (l *ListenerConn) Listen(channel string) (bool, error) {
+	return l.ExecSimpleQuery("LISTEN " + QuoteIdentifier(channel))
+}
+
+// Unlisten sends an UNLISTEN query to the server. See ExecSimpleQuery.
+func (l *ListenerConn) Unlisten(channel string) (bool, error) {
+	return l.ExecSimpleQuery("UNLISTEN " + QuoteIdentifier(channel))
+}
+
+// UnlistenAll sends an `UNLISTEN *` query to the server. See ExecSimpleQuery.
+func (l *ListenerConn) UnlistenAll() (bool, error) {
+	return l.ExecSimpleQuery("UNLISTEN *")
+}
+
+// Ping the remote server to make sure it's alive.  Non-nil error means the
+// connection has failed and should be abandoned.
+func (l *ListenerConn) Ping() error {
+	sent, err := l.ExecSimpleQuery("")
+	if !sent {
+		return err
+	}
+	if err != nil {
+		// shouldn't happen
+		panic(err)
+	}
+	return nil
+}
+
+// Attempt to send a query on the connection.  Returns an error if sending the
+// query failed, and the caller should initiate closure of this connection.
+// The caller must be holding senderLock (see acquireSenderLock and
+// releaseSenderLock).
+func (l *ListenerConn) sendSimpleQuery(q string) (err error) {
+	defer errRecoverNoErrBadConn(&err)
+
+	// must set connection state before sending the query
+	if !l.setState(connStateExpectResponse) {
+		panic("two queries running at the same time")
+	}
+
+	// Can't use l.cn.writeBuf here because it uses the scratch buffer which
+	// might get overwritten by listenerConnLoop.
+	b := &writeBuf{
+		buf: []byte("Q\x00\x00\x00\x00"),
+		pos: 1,
+	}
+	b.string(q)
+	l.cn.send(b)
+
+	return nil
+}
+
+// ExecSimpleQuery executes a "simple query" (i.e. one with no bindable
+// parameters) on the connection. The possible return values are:
+//   1) "executed" is true; the query was executed to completion on the
+//      database server.  If the query failed, err will be set to the error
+//      returned by the database, otherwise err will be nil.
+//   2) If "executed" is false, the query could not be executed on the remote
+//      server.  err will be non-nil.
+//
+// After a call to ExecSimpleQuery has returned an executed=false value, the
+// connection has either been closed or will be closed shortly thereafter, and
+// all subsequently executed queries will return an error.
+func (l *ListenerConn) ExecSimpleQuery(q string) (executed bool, err error) {
+	if err = l.acquireSenderLock(); err != nil {
+		return false, err
+	}
+	defer l.releaseSenderLock()
+
+	err = l.sendSimpleQuery(q)
+	if err != nil {
+		// We can't know what state the protocol is in, so we need to abandon
+		// this connection.
+		l.connectionLock.Lock()
+		// Set the error pointer if it hasn't been set already; see
+		// listenerConnMain.
+		if l.err == nil {
+			l.err = err
+		}
+		l.connectionLock.Unlock()
+		l.cn.c.Close()
+		return false, err
+	}
+
+	// now we just wait for a reply..
+	for {
+		m, ok := <-l.replyChan
+		if !ok {
+			// We lost the connection to server, don't bother waiting for a
+			// a response.  err should have been set already.
+			l.connectionLock.Lock()
+			err := l.err
+			l.connectionLock.Unlock()
+			return false, err
+		}
+		switch m.typ {
+		case 'Z':
+			// sanity check
+			if m.err != nil {
+				panic("m.err != nil")
+			}
+			// done; err might or might not be set
+			return true, err
+
+		case 'E':
+			// sanity check
+			if m.err == nil {
+				panic("m.err == nil")
+			}
+			// server responded with an error; ReadyForQuery to follow
+			err = m.err
+
+		default:
+			return false, fmt.Errorf("unknown response for simple query: %q", m.typ)
+		}
+	}
+}
+
+// Close closes the connection.
+func (l *ListenerConn) Close() error {
+	l.connectionLock.Lock()
+	if l.err != nil {
+		l.connectionLock.Unlock()
+		return errListenerConnClosed
+	}
+	l.err = errListenerConnClosed
+	l.connectionLock.Unlock()
+	// We can't send anything on the connection without holding senderLock.
+	// Simply close the net.Conn to wake up everyone operating on it.
+	return l.cn.c.Close()
+}
+
+// Err returns the reason the connection was closed. It is not safe to call
+// this function until l.Notify has been closed.
+func (l *ListenerConn) Err() error {
+	return l.err
+}
+
+var errListenerClosed = errors.New("pq: Listener has been closed")
+
+// ErrChannelAlreadyOpen is returned from Listen when a channel is already
+// open.
+var ErrChannelAlreadyOpen = errors.New("pq: channel is already open")
+
+// ErrChannelNotOpen is returned from Unlisten when a channel is not open.
+var ErrChannelNotOpen = errors.New("pq: channel is not open")
+
+// ListenerEventType is an enumeration of listener event types.
+type ListenerEventType int
+
+const (
+	// ListenerEventConnected is emitted only when the database connection
+	// has been initially initialized. The err argument of the callback
+	// will always be nil.
+	ListenerEventConnected ListenerEventType = iota
+
+	// ListenerEventDisconnected is emitted after a database connection has
+	// been lost, either because of an error or because Close has been
+	// called. The err argument will be set to the reason the database
+	// connection was lost.
+	ListenerEventDisconnected
+
+	// ListenerEventReconnected is emitted after a database connection has
+	// been re-established after connection loss. The err argument of the
+	// callback will always be nil. After this event has been emitted, a
+	// nil pq.Notification is sent on the Listener.Notify channel.
+	ListenerEventReconnected
+
+	// ListenerEventConnectionAttemptFailed is emitted after a connection
+	// to the database was attempted, but failed. The err argument will be
+	// set to an error describing why the connection attempt did not
+	// succeed.
+	ListenerEventConnectionAttemptFailed
+)
+
+// EventCallbackType is the event callback type. See also ListenerEventType
+// constants' documentation.
+type EventCallbackType func(event ListenerEventType, err error)
+
+// Listener provides an interface for listening to notifications from a
+// PostgreSQL database.  For general usage information, see section
+// "Notifications".
+//
+// Listener can safely be used from concurrently running goroutines.
+type Listener struct {
+	// Channel for receiving notifications from the database.  In some cases a
+	// nil value will be sent.  See section "Notifications" above.
+	Notify chan *Notification
+
+	name                 string
+	minReconnectInterval time.Duration
+	maxReconnectInterval time.Duration
+	dialer               Dialer
+	eventCallback        EventCallbackType
+
+	lock                 sync.Mutex
+	isClosed             bool
+	reconnectCond        *sync.Cond
+	cn                   *ListenerConn
+	connNotificationChan <-chan *Notification
+	channels             map[string]struct{}
+}
+
+// NewListener creates a new database connection dedicated to LISTEN / NOTIFY.
+//
+// name should be set to a connection string to be used to establish the
+// database connection (see section "Connection String Parameters" above).
+//
+// minReconnectInterval controls the duration to wait before trying to
+// re-establish the database connection after connection loss.  After each
+// consecutive failure this interval is doubled, until maxReconnectInterval is
+// reached.  Successfully completing the connection establishment procedure
+// resets the interval back to minReconnectInterval.
+//
+// The last parameter eventCallback can be set to a function which will be
+// called by the Listener when the state of the underlying database connection
+// changes.  This callback will be called by the goroutine which dispatches the
+// notifications over the Notify channel, so you should try to avoid doing
+// potentially time-consuming operations from the callback.
+func NewListener(name string,
+	minReconnectInterval time.Duration,
+	maxReconnectInterval time.Duration,
+	eventCallback EventCallbackType) *Listener {
+	return NewDialListener(defaultDialer{}, name, minReconnectInterval, maxReconnectInterval, eventCallback)
+}
+
+// NewDialListener is like NewListener but it takes a Dialer.
+func NewDialListener(d Dialer,
+	name string,
+	minReconnectInterval time.Duration,
+	maxReconnectInterval time.Duration,
+	eventCallback EventCallbackType) *Listener {
+
+	l := &Listener{
+		name:                 name,
+		minReconnectInterval: minReconnectInterval,
+		maxReconnectInterval: maxReconnectInterval,
+		dialer:               d,
+		eventCallback:        eventCallback,
+
+		channels: make(map[string]struct{}),
+
+		Notify: make(chan *Notification, 32),
+	}
+	l.reconnectCond = sync.NewCond(&l.lock)
+
+	go l.listenerMain()
+
+	return l
+}
+
+// NotificationChannel returns the notification channel for this listener.
+// This is the same channel as Notify, and will not be recreated during the
+// life time of the Listener.
+func (l *Listener) NotificationChannel() <-chan *Notification {
+	return l.Notify
+}
+
+// Listen starts listening for notifications on a channel.  Calls to this
+// function will block until an acknowledgement has been received from the
+// server.  Note that Listener automatically re-establishes the connection
+// after connection loss, so this function may block indefinitely if the
+// connection can not be re-established.
+//
+// Listen will only fail in three conditions:
+//   1) The channel is already open.  The returned error will be
+//      ErrChannelAlreadyOpen.
+//   2) The query was executed on the remote server, but PostgreSQL returned an
+//      error message in response to the query.  The returned error will be a
+//      pq.Error containing the information the server supplied.
+//   3) Close is called on the Listener before the request could be completed.
+//
+// The channel name is case-sensitive.
+func (l *Listener) Listen(channel string) error {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+
+	if l.isClosed {
+		return errListenerClosed
+	}
+
+	// The server allows you to issue a LISTEN on a channel which is already
+	// open, but it seems useful to be able to detect this case to spot for
+	// mistakes in application logic.  If the application genuinely does't
+	// care, it can check the exported error and ignore it.
+	_, exists := l.channels[channel]
+	if exists {
+		return ErrChannelAlreadyOpen
+	}
+
+	if l.cn != nil {
+		// If gotResponse is true but error is set, the query was executed on
+		// the remote server, but resulted in an error.  This should be
+		// relatively rare, so it's fine if we just pass the error to our
+		// caller.  However, if gotResponse is false, we could not complete the
+		// query on the remote server and our underlying connection is about
+		// to go away, so we only add relname to l.channels, and wait for
+		// resync() to take care of the rest.
+		gotResponse, err := l.cn.Listen(channel)
+		if gotResponse && err != nil {
+			return err
+		}
+	}
+
+	l.channels[channel] = struct{}{}
+	for l.cn == nil {
+		l.reconnectCond.Wait()
+		// we let go of the mutex for a while
+		if l.isClosed {
+			return errListenerClosed
+		}
+	}
+
+	return nil
+}
+
+// Unlisten removes a channel from the Listener's channel list.  Returns
+// ErrChannelNotOpen if the Listener is not listening on the specified channel.
+// Returns immediately with no error if there is no connection.  Note that you
+// might still get notifications for this channel even after Unlisten has
+// returned.
+//
+// The channel name is case-sensitive.
+func (l *Listener) Unlisten(channel string) error {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+
+	if l.isClosed {
+		return errListenerClosed
+	}
+
+	// Similarly to LISTEN, this is not an error in Postgres, but it seems
+	// useful to distinguish from the normal conditions.
+	_, exists := l.channels[channel]
+	if !exists {
+		return ErrChannelNotOpen
+	}
+
+	if l.cn != nil {
+		// Similarly to Listen (see comment in that function), the caller
+		// should only be bothered with an error if it came from the backend as
+		// a response to our query.
+		gotResponse, err := l.cn.Unlisten(channel)
+		if gotResponse && err != nil {
+			return err
+		}
+	}
+
+	// Don't bother waiting for resync if there's no connection.
+	delete(l.channels, channel)
+	return nil
+}
+
+// UnlistenAll removes all channels from the Listener's channel list.  Returns
+// immediately with no error if there is no connection.  Note that you might
+// still get notifications for any of the deleted channels even after
+// UnlistenAll has returned.
+func (l *Listener) UnlistenAll() error {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+
+	if l.isClosed {
+		return errListenerClosed
+	}
+
+	if l.cn != nil {
+		// Similarly to Listen (see comment in that function), the caller
+		// should only be bothered with an error if it came from the backend as
+		// a response to our query.
+		gotResponse, err := l.cn.UnlistenAll()
+		if gotResponse && err != nil {
+			return err
+		}
+	}
+
+	// Don't bother waiting for resync if there's no connection.
+	l.channels = make(map[string]struct{})
+	return nil
+}
+
+// Ping the remote server to make sure it's alive.  Non-nil return value means
+// that there is no active connection.
+func (l *Listener) Ping() error {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+
+	if l.isClosed {
+		return errListenerClosed
+	}
+	if l.cn == nil {
+		return errors.New("no connection")
+	}
+
+	return l.cn.Ping()
+}
+
+// Clean up after losing the server connection.  Returns l.cn.Err(), which
+// should have the reason the connection was lost.
+func (l *Listener) disconnectCleanup() error {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+
+	// sanity check; can't look at Err() until the channel has been closed
+	select {
+	case _, ok := <-l.connNotificationChan:
+		if ok {
+			panic("connNotificationChan not closed")
+		}
+	default:
+		panic("connNotificationChan not closed")
+	}
+
+	err := l.cn.Err()
+	l.cn.Close()
+	l.cn = nil
+	return err
+}
+
+// Synchronize the list of channels we want to be listening on with the server
+// after the connection has been established.
+func (l *Listener) resync(cn *ListenerConn, notificationChan <-chan *Notification) error {
+	doneChan := make(chan error)
+	go func(notificationChan <-chan *Notification) {
+		for channel := range l.channels {
+			// If we got a response, return that error to our caller as it's
+			// going to be more descriptive than cn.Err().
+			gotResponse, err := cn.Listen(channel)
+			if gotResponse && err != nil {
+				doneChan <- err
+				return
+			}
+
+			// If we couldn't reach the server, wait for notificationChan to
+			// close and then return the error message from the connection, as
+			// per ListenerConn's interface.
+			if err != nil {
+				for range notificationChan {
+				}
+				doneChan <- cn.Err()
+				return
+			}
+		}
+		doneChan <- nil
+	}(notificationChan)
+
+	// Ignore notifications while synchronization is going on to avoid
+	// deadlocks.  We have to send a nil notification over Notify anyway as
+	// we can't possibly know which notifications (if any) were lost while
+	// the connection was down, so there's no reason to try and process
+	// these messages at all.
+	for {
+		select {
+		case _, ok := <-notificationChan:
+			if !ok {
+				notificationChan = nil
+			}
+
+		case err := <-doneChan:
+			return err
+		}
+	}
+}
+
+// caller should NOT be holding l.lock
+func (l *Listener) closed() bool {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+
+	return l.isClosed
+}
+
+func (l *Listener) connect() error {
+	notificationChan := make(chan *Notification, 32)
+	cn, err := newDialListenerConn(l.dialer, l.name, notificationChan)
+	if err != nil {
+		return err
+	}
+
+	l.lock.Lock()
+	defer l.lock.Unlock()
+
+	err = l.resync(cn, notificationChan)
+	if err != nil {
+		cn.Close()
+		return err
+	}
+
+	l.cn = cn
+	l.connNotificationChan = notificationChan
+	l.reconnectCond.Broadcast()
+
+	return nil
+}
+
+// Close disconnects the Listener from the database and shuts it down.
+// Subsequent calls to its methods will return an error.  Close returns an
+// error if the connection has already been closed.
+func (l *Listener) Close() error {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+
+	if l.isClosed {
+		return errListenerClosed
+	}
+
+	if l.cn != nil {
+		l.cn.Close()
+	}
+	l.isClosed = true
+
+	// Unblock calls to Listen()
+	l.reconnectCond.Broadcast()
+
+	return nil
+}
+
+func (l *Listener) emitEvent(event ListenerEventType, err error) {
+	if l.eventCallback != nil {
+		l.eventCallback(event, err)
+	}
+}
+
+// Main logic here: maintain a connection to the server when possible, wait
+// for notifications and emit events.
+func (l *Listener) listenerConnLoop() {
+	var nextReconnect time.Time
+
+	reconnectInterval := l.minReconnectInterval
+	for {
+		for {
+			err := l.connect()
+			if err == nil {
+				break
+			}
+
+			if l.closed() {
+				return
+			}
+			l.emitEvent(ListenerEventConnectionAttemptFailed, err)
+
+			time.Sleep(reconnectInterval)
+			reconnectInterval *= 2
+			if reconnectInterval > l.maxReconnectInterval {
+				reconnectInterval = l.maxReconnectInterval
+			}
+		}
+
+		if nextReconnect.IsZero() {
+			l.emitEvent(ListenerEventConnected, nil)
+		} else {
+			l.emitEvent(ListenerEventReconnected, nil)
+			l.Notify <- nil
+		}
+
+		reconnectInterval = l.minReconnectInterval
+		nextReconnect = time.Now().Add(reconnectInterval)
+
+		for {
+			notification, ok := <-l.connNotificationChan
+			if !ok {
+				// lost connection, loop again
+				break
+			}
+			l.Notify <- notification
+		}
+
+		err := l.disconnectCleanup()
+		if l.closed() {
+			return
+		}
+		l.emitEvent(ListenerEventDisconnected, err)
+
+		time.Sleep(time.Until(nextReconnect))
+	}
+}
+
+func (l *Listener) listenerMain() {
+	l.listenerConnLoop()
+	close(l.Notify)
+}
diff --git a/vendor/github.com/lib/pq/oid/doc.go b/vendor/github.com/lib/pq/oid/doc.go
new file mode 100644
index 0000000000..caaede2489
--- /dev/null
+++ b/vendor/github.com/lib/pq/oid/doc.go
@@ -0,0 +1,6 @@
+// Package oid contains OID constants
+// as defined by the Postgres server.
+package oid
+
+// Oid is a Postgres Object ID.
+type Oid uint32
diff --git a/vendor/github.com/lib/pq/oid/types.go b/vendor/github.com/lib/pq/oid/types.go
new file mode 100644
index 0000000000..ecc84c2c86
--- /dev/null
+++ b/vendor/github.com/lib/pq/oid/types.go
@@ -0,0 +1,343 @@
+// Code generated by gen.go. DO NOT EDIT.
+
+package oid
+
+const (
+	T_bool             Oid = 16
+	T_bytea            Oid = 17
+	T_char             Oid = 18
+	T_name             Oid = 19
+	T_int8             Oid = 20
+	T_int2             Oid = 21
+	T_int2vector       Oid = 22
+	T_int4             Oid = 23
+	T_regproc          Oid = 24
+	T_text             Oid = 25
+	T_oid              Oid = 26
+	T_tid              Oid = 27
+	T_xid              Oid = 28
+	T_cid              Oid = 29
+	T_oidvector        Oid = 30
+	T_pg_ddl_command   Oid = 32
+	T_pg_type          Oid = 71
+	T_pg_attribute     Oid = 75
+	T_pg_proc          Oid = 81
+	T_pg_class         Oid = 83
+	T_json             Oid = 114
+	T_xml              Oid = 142
+	T__xml             Oid = 143
+	T_pg_node_tree     Oid = 194
+	T__json            Oid = 199
+	T_smgr             Oid = 210
+	T_index_am_handler Oid = 325
+	T_point            Oid = 600
+	T_lseg             Oid = 601
+	T_path             Oid = 602
+	T_box              Oid = 603
+	T_polygon          Oid = 604
+	T_line             Oid = 628
+	T__line            Oid = 629
+	T_cidr             Oid = 650
+	T__cidr            Oid = 651
+	T_float4           Oid = 700
+	T_float8           Oid = 701
+	T_abstime          Oid = 702
+	T_reltime          Oid = 703
+	T_tinterval        Oid = 704
+	T_unknown          Oid = 705
+	T_circle           Oid = 718
+	T__circle          Oid = 719
+	T_money            Oid = 790
+	T__money           Oid = 791
+	T_macaddr          Oid = 829
+	T_inet             Oid = 869
+	T__bool            Oid = 1000
+	T__bytea           Oid = 1001
+	T__char            Oid = 1002
+	T__name            Oid = 1003
+	T__int2            Oid = 1005
+	T__int2vector      Oid = 1006
+	T__int4            Oid = 1007
+	T__regproc         Oid = 1008
+	T__text            Oid = 1009
+	T__tid             Oid = 1010
+	T__xid             Oid = 1011
+	T__cid             Oid = 1012
+	T__oidvector       Oid = 1013
+	T__bpchar          Oid = 1014
+	T__varchar         Oid = 1015
+	T__int8            Oid = 1016
+	T__point           Oid = 1017
+	T__lseg            Oid = 1018
+	T__path            Oid = 1019
+	T__box             Oid = 1020
+	T__float4          Oid = 1021
+	T__float8          Oid = 1022
+	T__abstime         Oid = 1023
+	T__reltime         Oid = 1024
+	T__tinterval       Oid = 1025
+	T__polygon         Oid = 1027
+	T__oid             Oid = 1028
+	T_aclitem          Oid = 1033
+	T__aclitem         Oid = 1034
+	T__macaddr         Oid = 1040
+	T__inet            Oid = 1041
+	T_bpchar           Oid = 1042
+	T_varchar          Oid = 1043
+	T_date             Oid = 1082
+	T_time             Oid = 1083
+	T_timestamp        Oid = 1114
+	T__timestamp       Oid = 1115
+	T__date            Oid = 1182
+	T__time            Oid = 1183
+	T_timestamptz      Oid = 1184
+	T__timestamptz     Oid = 1185
+	T_interval         Oid = 1186
+	T__interval        Oid = 1187
+	T__numeric         Oid = 1231
+	T_pg_database      Oid = 1248
+	T__cstring         Oid = 1263
+	T_timetz           Oid = 1266
+	T__timetz          Oid = 1270
+	T_bit              Oid = 1560
+	T__bit             Oid = 1561
+	T_varbit           Oid = 1562
+	T__varbit          Oid = 1563
+	T_numeric          Oid = 1700
+	T_refcursor        Oid = 1790
+	T__refcursor       Oid = 2201
+	T_regprocedure     Oid = 2202
+	T_regoper          Oid = 2203
+	T_regoperator      Oid = 2204
+	T_regclass         Oid = 2205
+	T_regtype          Oid = 2206
+	T__regprocedure    Oid = 2207
+	T__regoper         Oid = 2208
+	T__regoperator     Oid = 2209
+	T__regclass        Oid = 2210
+	T__regtype         Oid = 2211
+	T_record           Oid = 2249
+	T_cstring          Oid = 2275
+	T_any              Oid = 2276
+	T_anyarray         Oid = 2277
+	T_void             Oid = 2278
+	T_trigger          Oid = 2279
+	T_language_handler Oid = 2280
+	T_internal         Oid = 2281
+	T_opaque           Oid = 2282
+	T_anyelement       Oid = 2283
+	T__record          Oid = 2287
+	T_anynonarray      Oid = 2776
+	T_pg_authid        Oid = 2842
+	T_pg_auth_members  Oid = 2843
+	T__txid_snapshot   Oid = 2949
+	T_uuid             Oid = 2950
+	T__uuid            Oid = 2951
+	T_txid_snapshot    Oid = 2970
+	T_fdw_handler      Oid = 3115
+	T_pg_lsn           Oid = 3220
+	T__pg_lsn          Oid = 3221
+	T_tsm_handler      Oid = 3310
+	T_anyenum          Oid = 3500
+	T_tsvector         Oid = 3614
+	T_tsquery          Oid = 3615
+	T_gtsvector        Oid = 3642
+	T__tsvector        Oid = 3643
+	T__gtsvector       Oid = 3644
+	T__tsquery         Oid = 3645
+	T_regconfig        Oid = 3734
+	T__regconfig       Oid = 3735
+	T_regdictionary    Oid = 3769
+	T__regdictionary   Oid = 3770
+	T_jsonb            Oid = 3802
+	T__jsonb           Oid = 3807
+	T_anyrange         Oid = 3831
+	T_event_trigger    Oid = 3838
+	T_int4range        Oid = 3904
+	T__int4range       Oid = 3905
+	T_numrange         Oid = 3906
+	T__numrange        Oid = 3907
+	T_tsrange          Oid = 3908
+	T__tsrange         Oid = 3909
+	T_tstzrange        Oid = 3910
+	T__tstzrange       Oid = 3911
+	T_daterange        Oid = 3912
+	T__daterange       Oid = 3913
+	T_int8range        Oid = 3926
+	T__int8range       Oid = 3927
+	T_pg_shseclabel    Oid = 4066
+	T_regnamespace     Oid = 4089
+	T__regnamespace    Oid = 4090
+	T_regrole          Oid = 4096
+	T__regrole         Oid = 4097
+)
+
+var TypeName = map[Oid]string{
+	T_bool:             "BOOL",
+	T_bytea:            "BYTEA",
+	T_char:             "CHAR",
+	T_name:             "NAME",
+	T_int8:             "INT8",
+	T_int2:             "INT2",
+	T_int2vector:       "INT2VECTOR",
+	T_int4:             "INT4",
+	T_regproc:          "REGPROC",
+	T_text:             "TEXT",
+	T_oid:              "OID",
+	T_tid:              "TID",
+	T_xid:              "XID",
+	T_cid:              "CID",
+	T_oidvector:        "OIDVECTOR",
+	T_pg_ddl_command:   "PG_DDL_COMMAND",
+	T_pg_type:          "PG_TYPE",
+	T_pg_attribute:     "PG_ATTRIBUTE",
+	T_pg_proc:          "PG_PROC",
+	T_pg_class:         "PG_CLASS",
+	T_json:             "JSON",
+	T_xml:              "XML",
+	T__xml:             "_XML",
+	T_pg_node_tree:     "PG_NODE_TREE",
+	T__json:            "_JSON",
+	T_smgr:             "SMGR",
+	T_index_am_handler: "INDEX_AM_HANDLER",
+	T_point:            "POINT",
+	T_lseg:             "LSEG",
+	T_path:             "PATH",
+	T_box:              "BOX",
+	T_polygon:          "POLYGON",
+	T_line:             "LINE",
+	T__line:            "_LINE",
+	T_cidr:             "CIDR",
+	T__cidr:            "_CIDR",
+	T_float4:           "FLOAT4",
+	T_float8:           "FLOAT8",
+	T_abstime:          "ABSTIME",
+	T_reltime:          "RELTIME",
+	T_tinterval:        "TINTERVAL",
+	T_unknown:          "UNKNOWN",
+	T_circle:           "CIRCLE",
+	T__circle:          "_CIRCLE",
+	T_money:            "MONEY",
+	T__money:           "_MONEY",
+	T_macaddr:          "MACADDR",
+	T_inet:             "INET",
+	T__bool:            "_BOOL",
+	T__bytea:           "_BYTEA",
+	T__char:            "_CHAR",
+	T__name:            "_NAME",
+	T__int2:            "_INT2",
+	T__int2vector:      "_INT2VECTOR",
+	T__int4:            "_INT4",
+	T__regproc:         "_REGPROC",
+	T__text:            "_TEXT",
+	T__tid:             "_TID",
+	T__xid:             "_XID",
+	T__cid:             "_CID",
+	T__oidvector:       "_OIDVECTOR",
+	T__bpchar:          "_BPCHAR",
+	T__varchar:         "_VARCHAR",
+	T__int8:            "_INT8",
+	T__point:           "_POINT",
+	T__lseg:            "_LSEG",
+	T__path:            "_PATH",
+	T__box:             "_BOX",
+	T__float4:          "_FLOAT4",
+	T__float8:          "_FLOAT8",
+	T__abstime:         "_ABSTIME",
+	T__reltime:         "_RELTIME",
+	T__tinterval:       "_TINTERVAL",
+	T__polygon:         "_POLYGON",
+	T__oid:             "_OID",
+	T_aclitem:          "ACLITEM",
+	T__aclitem:         "_ACLITEM",
+	T__macaddr:         "_MACADDR",
+	T__inet:            "_INET",
+	T_bpchar:           "BPCHAR",
+	T_varchar:          "VARCHAR",
+	T_date:             "DATE",
+	T_time:             "TIME",
+	T_timestamp:        "TIMESTAMP",
+	T__timestamp:       "_TIMESTAMP",
+	T__date:            "_DATE",
+	T__time:            "_TIME",
+	T_timestamptz:      "TIMESTAMPTZ",
+	T__timestamptz:     "_TIMESTAMPTZ",
+	T_interval:         "INTERVAL",
+	T__interval:        "_INTERVAL",
+	T__numeric:         "_NUMERIC",
+	T_pg_database:      "PG_DATABASE",
+	T__cstring:         "_CSTRING",
+	T_timetz:           "TIMETZ",
+	T__timetz:          "_TIMETZ",
+	T_bit:              "BIT",
+	T__bit:             "_BIT",
+	T_varbit:           "VARBIT",
+	T__varbit:          "_VARBIT",
+	T_numeric:          "NUMERIC",
+	T_refcursor:        "REFCURSOR",
+	T__refcursor:       "_REFCURSOR",
+	T_regprocedure:     "REGPROCEDURE",
+	T_regoper:          "REGOPER",
+	T_regoperator:      "REGOPERATOR",
+	T_regclass:         "REGCLASS",
+	T_regtype:          "REGTYPE",
+	T__regprocedure:    "_REGPROCEDURE",
+	T__regoper:         "_REGOPER",
+	T__regoperator:     "_REGOPERATOR",
+	T__regclass:        "_REGCLASS",
+	T__regtype:         "_REGTYPE",
+	T_record:           "RECORD",
+	T_cstring:          "CSTRING",
+	T_any:              "ANY",
+	T_anyarray:         "ANYARRAY",
+	T_void:             "VOID",
+	T_trigger:          "TRIGGER",
+	T_language_handler: "LANGUAGE_HANDLER",
+	T_internal:         "INTERNAL",
+	T_opaque:           "OPAQUE",
+	T_anyelement:       "ANYELEMENT",
+	T__record:          "_RECORD",
+	T_anynonarray:      "ANYNONARRAY",
+	T_pg_authid:        "PG_AUTHID",
+	T_pg_auth_members:  "PG_AUTH_MEMBERS",
+	T__txid_snapshot:   "_TXID_SNAPSHOT",
+	T_uuid:             "UUID",
+	T__uuid:            "_UUID",
+	T_txid_snapshot:    "TXID_SNAPSHOT",
+	T_fdw_handler:      "FDW_HANDLER",
+	T_pg_lsn:           "PG_LSN",
+	T__pg_lsn:          "_PG_LSN",
+	T_tsm_handler:      "TSM_HANDLER",
+	T_anyenum:          "ANYENUM",
+	T_tsvector:         "TSVECTOR",
+	T_tsquery:          "TSQUERY",
+	T_gtsvector:        "GTSVECTOR",
+	T__tsvector:        "_TSVECTOR",
+	T__gtsvector:       "_GTSVECTOR",
+	T__tsquery:         "_TSQUERY",
+	T_regconfig:        "REGCONFIG",
+	T__regconfig:       "_REGCONFIG",
+	T_regdictionary:    "REGDICTIONARY",
+	T__regdictionary:   "_REGDICTIONARY",
+	T_jsonb:            "JSONB",
+	T__jsonb:           "_JSONB",
+	T_anyrange:         "ANYRANGE",
+	T_event_trigger:    "EVENT_TRIGGER",
+	T_int4range:        "INT4RANGE",
+	T__int4range:       "_INT4RANGE",
+	T_numrange:         "NUMRANGE",
+	T__numrange:        "_NUMRANGE",
+	T_tsrange:          "TSRANGE",
+	T__tsrange:         "_TSRANGE",
+	T_tstzrange:        "TSTZRANGE",
+	T__tstzrange:       "_TSTZRANGE",
+	T_daterange:        "DATERANGE",
+	T__daterange:       "_DATERANGE",
+	T_int8range:        "INT8RANGE",
+	T__int8range:       "_INT8RANGE",
+	T_pg_shseclabel:    "PG_SHSECLABEL",
+	T_regnamespace:     "REGNAMESPACE",
+	T__regnamespace:    "_REGNAMESPACE",
+	T_regrole:          "REGROLE",
+	T__regrole:         "_REGROLE",
+}
diff --git a/vendor/github.com/lib/pq/rows.go b/vendor/github.com/lib/pq/rows.go
new file mode 100644
index 0000000000..c6aa5b9a36
--- /dev/null
+++ b/vendor/github.com/lib/pq/rows.go
@@ -0,0 +1,93 @@
+package pq
+
+import (
+	"math"
+	"reflect"
+	"time"
+
+	"github.com/lib/pq/oid"
+)
+
+const headerSize = 4
+
+type fieldDesc struct {
+	// The object ID of the data type.
+	OID oid.Oid
+	// The data type size (see pg_type.typlen).
+	// Note that negative values denote variable-width types.
+	Len int
+	// The type modifier (see pg_attribute.atttypmod).
+	// The meaning of the modifier is type-specific.
+	Mod int
+}
+
+func (fd fieldDesc) Type() reflect.Type {
+	switch fd.OID {
+	case oid.T_int8:
+		return reflect.TypeOf(int64(0))
+	case oid.T_int4:
+		return reflect.TypeOf(int32(0))
+	case oid.T_int2:
+		return reflect.TypeOf(int16(0))
+	case oid.T_varchar, oid.T_text:
+		return reflect.TypeOf("")
+	case oid.T_bool:
+		return reflect.TypeOf(false)
+	case oid.T_date, oid.T_time, oid.T_timetz, oid.T_timestamp, oid.T_timestamptz:
+		return reflect.TypeOf(time.Time{})
+	case oid.T_bytea:
+		return reflect.TypeOf([]byte(nil))
+	default:
+		return reflect.TypeOf(new(interface{})).Elem()
+	}
+}
+
+func (fd fieldDesc) Name() string {
+	return oid.TypeName[fd.OID]
+}
+
+func (fd fieldDesc) Length() (length int64, ok bool) {
+	switch fd.OID {
+	case oid.T_text, oid.T_bytea:
+		return math.MaxInt64, true
+	case oid.T_varchar, oid.T_bpchar:
+		return int64(fd.Mod - headerSize), true
+	default:
+		return 0, false
+	}
+}
+
+func (fd fieldDesc) PrecisionScale() (precision, scale int64, ok bool) {
+	switch fd.OID {
+	case oid.T_numeric, oid.T__numeric:
+		mod := fd.Mod - headerSize
+		precision = int64((mod >> 16) & 0xffff)
+		scale = int64(mod & 0xffff)
+		return precision, scale, true
+	default:
+		return 0, 0, false
+	}
+}
+
+// ColumnTypeScanType returns the value type that can be used to scan types into.
+func (rs *rows) ColumnTypeScanType(index int) reflect.Type {
+	return rs.colTyps[index].Type()
+}
+
+// ColumnTypeDatabaseTypeName return the database system type name.
+func (rs *rows) ColumnTypeDatabaseTypeName(index int) string {
+	return rs.colTyps[index].Name()
+}
+
+// ColumnTypeLength returns the length of the column type if the column is a
+// variable length type. If the column is not a variable length type ok
+// should return false.
+func (rs *rows) ColumnTypeLength(index int) (length int64, ok bool) {
+	return rs.colTyps[index].Length()
+}
+
+// ColumnTypePrecisionScale should return the precision and scale for decimal
+// types. If not applicable, ok should be false.
+func (rs *rows) ColumnTypePrecisionScale(index int) (precision, scale int64, ok bool) {
+	return rs.colTyps[index].PrecisionScale()
+}
diff --git a/vendor/github.com/lib/pq/scram/scram.go b/vendor/github.com/lib/pq/scram/scram.go
new file mode 100644
index 0000000000..477216b600
--- /dev/null
+++ b/vendor/github.com/lib/pq/scram/scram.go
@@ -0,0 +1,264 @@
+// Copyright (c) 2014 - Gustavo Niemeyer <gustavo@niemeyer.net>
+//
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+//    list of conditions and the following disclaimer.
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+//    this list of conditions and the following disclaimer in the documentation
+//    and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+// ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+// ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Package scram implements a SCRAM-{SHA-1,etc} client per RFC5802.
+//
+// http://tools.ietf.org/html/rfc5802
+//
+package scram
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"hash"
+	"strconv"
+	"strings"
+)
+
+// Client implements a SCRAM-* client (SCRAM-SHA-1, SCRAM-SHA-256, etc).
+//
+// A Client may be used within a SASL conversation with logic resembling:
+//
+//    var in []byte
+//    var client = scram.NewClient(sha1.New, user, pass)
+//    for client.Step(in) {
+//            out := client.Out()
+//            // send out to server
+//            in := serverOut
+//    }
+//    if client.Err() != nil {
+//            // auth failed
+//    }
+//
+type Client struct {
+	newHash func() hash.Hash
+
+	user string
+	pass string
+	step int
+	out  bytes.Buffer
+	err  error
+
+	clientNonce []byte
+	serverNonce []byte
+	saltedPass  []byte
+	authMsg     bytes.Buffer
+}
+
+// NewClient returns a new SCRAM-* client with the provided hash algorithm.
+//
+// For SCRAM-SHA-256, for example, use:
+//
+//    client := scram.NewClient(sha256.New, user, pass)
+//
+func NewClient(newHash func() hash.Hash, user, pass string) *Client {
+	c := &Client{
+		newHash: newHash,
+		user:    user,
+		pass:    pass,
+	}
+	c.out.Grow(256)
+	c.authMsg.Grow(256)
+	return c
+}
+
+// Out returns the data to be sent to the server in the current step.
+func (c *Client) Out() []byte {
+	if c.out.Len() == 0 {
+		return nil
+	}
+	return c.out.Bytes()
+}
+
+// Err returns the error that occurred, or nil if there were no errors.
+func (c *Client) Err() error {
+	return c.err
+}
+
+// SetNonce sets the client nonce to the provided value.
+// If not set, the nonce is generated automatically out of crypto/rand on the first step.
+func (c *Client) SetNonce(nonce []byte) {
+	c.clientNonce = nonce
+}
+
+var escaper = strings.NewReplacer("=", "=3D", ",", "=2C")
+
+// Step processes the incoming data from the server and makes the
+// next round of data for the server available via Client.Out.
+// Step returns false if there are no errors and more data is
+// still expected.
+func (c *Client) Step(in []byte) bool {
+	c.out.Reset()
+	if c.step > 2 || c.err != nil {
+		return false
+	}
+	c.step++
+	switch c.step {
+	case 1:
+		c.err = c.step1(in)
+	case 2:
+		c.err = c.step2(in)
+	case 3:
+		c.err = c.step3(in)
+	}
+	return c.step > 2 || c.err != nil
+}
+
+func (c *Client) step1(in []byte) error {
+	if len(c.clientNonce) == 0 {
+		const nonceLen = 16
+		buf := make([]byte, nonceLen+b64.EncodedLen(nonceLen))
+		if _, err := rand.Read(buf[:nonceLen]); err != nil {
+			return fmt.Errorf("cannot read random SCRAM-SHA-256 nonce from operating system: %v", err)
+		}
+		c.clientNonce = buf[nonceLen:]
+		b64.Encode(c.clientNonce, buf[:nonceLen])
+	}
+	c.authMsg.WriteString("n=")
+	escaper.WriteString(&c.authMsg, c.user)
+	c.authMsg.WriteString(",r=")
+	c.authMsg.Write(c.clientNonce)
+
+	c.out.WriteString("n,,")
+	c.out.Write(c.authMsg.Bytes())
+	return nil
+}
+
+var b64 = base64.StdEncoding
+
+func (c *Client) step2(in []byte) error {
+	c.authMsg.WriteByte(',')
+	c.authMsg.Write(in)
+
+	fields := bytes.Split(in, []byte(","))
+	if len(fields) != 3 {
+		return fmt.Errorf("expected 3 fields in first SCRAM-SHA-256 server message, got %d: %q", len(fields), in)
+	}
+	if !bytes.HasPrefix(fields[0], []byte("r=")) || len(fields[0]) < 2 {
+		return fmt.Errorf("server sent an invalid SCRAM-SHA-256 nonce: %q", fields[0])
+	}
+	if !bytes.HasPrefix(fields[1], []byte("s=")) || len(fields[1]) < 6 {
+		return fmt.Errorf("server sent an invalid SCRAM-SHA-256 salt: %q", fields[1])
+	}
+	if !bytes.HasPrefix(fields[2], []byte("i=")) || len(fields[2]) < 6 {
+		return fmt.Errorf("server sent an invalid SCRAM-SHA-256 iteration count: %q", fields[2])
+	}
+
+	c.serverNonce = fields[0][2:]
+	if !bytes.HasPrefix(c.serverNonce, c.clientNonce) {
+		return fmt.Errorf("server SCRAM-SHA-256 nonce is not prefixed by client nonce: got %q, want %q+\"...\"", c.serverNonce, c.clientNonce)
+	}
+
+	salt := make([]byte, b64.DecodedLen(len(fields[1][2:])))
+	n, err := b64.Decode(salt, fields[1][2:])
+	if err != nil {
+		return fmt.Errorf("cannot decode SCRAM-SHA-256 salt sent by server: %q", fields[1])
+	}
+	salt = salt[:n]
+	iterCount, err := strconv.Atoi(string(fields[2][2:]))
+	if err != nil {
+		return fmt.Errorf("server sent an invalid SCRAM-SHA-256 iteration count: %q", fields[2])
+	}
+	c.saltPassword(salt, iterCount)
+
+	c.authMsg.WriteString(",c=biws,r=")
+	c.authMsg.Write(c.serverNonce)
+
+	c.out.WriteString("c=biws,r=")
+	c.out.Write(c.serverNonce)
+	c.out.WriteString(",p=")
+	c.out.Write(c.clientProof())
+	return nil
+}
+
+func (c *Client) step3(in []byte) error {
+	var isv, ise bool
+	var fields = bytes.Split(in, []byte(","))
+	if len(fields) == 1 {
+		isv = bytes.HasPrefix(fields[0], []byte("v="))
+		ise = bytes.HasPrefix(fields[0], []byte("e="))
+	}
+	if ise {
+		return fmt.Errorf("SCRAM-SHA-256 authentication error: %s", fields[0][2:])
+	} else if !isv {
+		return fmt.Errorf("unsupported SCRAM-SHA-256 final message from server: %q", in)
+	}
+	if !bytes.Equal(c.serverSignature(), fields[0][2:]) {
+		return fmt.Errorf("cannot authenticate SCRAM-SHA-256 server signature: %q", fields[0][2:])
+	}
+	return nil
+}
+
+func (c *Client) saltPassword(salt []byte, iterCount int) {
+	mac := hmac.New(c.newHash, []byte(c.pass))
+	mac.Write(salt)
+	mac.Write([]byte{0, 0, 0, 1})
+	ui := mac.Sum(nil)
+	hi := make([]byte, len(ui))
+	copy(hi, ui)
+	for i := 1; i < iterCount; i++ {
+		mac.Reset()
+		mac.Write(ui)
+		mac.Sum(ui[:0])
+		for j, b := range ui {
+			hi[j] ^= b
+		}
+	}
+	c.saltedPass = hi
+}
+
+func (c *Client) clientProof() []byte {
+	mac := hmac.New(c.newHash, c.saltedPass)
+	mac.Write([]byte("Client Key"))
+	clientKey := mac.Sum(nil)
+	hash := c.newHash()
+	hash.Write(clientKey)
+	storedKey := hash.Sum(nil)
+	mac = hmac.New(c.newHash, storedKey)
+	mac.Write(c.authMsg.Bytes())
+	clientProof := mac.Sum(nil)
+	for i, b := range clientKey {
+		clientProof[i] ^= b
+	}
+	clientProof64 := make([]byte, b64.EncodedLen(len(clientProof)))
+	b64.Encode(clientProof64, clientProof)
+	return clientProof64
+}
+
+func (c *Client) serverSignature() []byte {
+	mac := hmac.New(c.newHash, c.saltedPass)
+	mac.Write([]byte("Server Key"))
+	serverKey := mac.Sum(nil)
+
+	mac = hmac.New(c.newHash, serverKey)
+	mac.Write(c.authMsg.Bytes())
+	serverSignature := mac.Sum(nil)
+
+	encoded := make([]byte, b64.EncodedLen(len(serverSignature)))
+	b64.Encode(encoded, serverSignature)
+	return encoded
+}
diff --git a/vendor/github.com/lib/pq/ssl.go b/vendor/github.com/lib/pq/ssl.go
new file mode 100644
index 0000000000..36b61ba45b
--- /dev/null
+++ b/vendor/github.com/lib/pq/ssl.go
@@ -0,0 +1,204 @@
+package pq
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"net"
+	"os"
+	"os/user"
+	"path/filepath"
+	"strings"
+)
+
+// ssl generates a function to upgrade a net.Conn based on the "sslmode" and
+// related settings. The function is nil when no upgrade should take place.
+func ssl(o values) (func(net.Conn) (net.Conn, error), error) {
+	verifyCaOnly := false
+	tlsConf := tls.Config{}
+	switch mode := o["sslmode"]; mode {
+	// "require" is the default.
+	case "", "require":
+		// We must skip TLS's own verification since it requires full
+		// verification since Go 1.3.
+		tlsConf.InsecureSkipVerify = true
+
+		// From http://www.postgresql.org/docs/current/static/libpq-ssl.html:
+		//
+		// Note: For backwards compatibility with earlier versions of
+		// PostgreSQL, if a root CA file exists, the behavior of
+		// sslmode=require will be the same as that of verify-ca, meaning the
+		// server certificate is validated against the CA. Relying on this
+		// behavior is discouraged, and applications that need certificate
+		// validation should always use verify-ca or verify-full.
+		if sslrootcert, ok := o["sslrootcert"]; ok {
+			if _, err := os.Stat(sslrootcert); err == nil {
+				verifyCaOnly = true
+			} else {
+				delete(o, "sslrootcert")
+			}
+		}
+	case "verify-ca":
+		// We must skip TLS's own verification since it requires full
+		// verification since Go 1.3.
+		tlsConf.InsecureSkipVerify = true
+		verifyCaOnly = true
+	case "verify-full":
+		tlsConf.ServerName = o["host"]
+	case "disable":
+		return nil, nil
+	default:
+		return nil, fmterrorf(`unsupported sslmode %q; only "require" (default), "verify-full", "verify-ca", and "disable" supported`, mode)
+	}
+
+	// Set Server Name Indication (SNI), if enabled by connection parameters.
+	// By default SNI is on, any value which is not starting with "1" disables
+	// SNI -- that is the same check vanilla libpq uses.
+	if sslsni := o["sslsni"]; sslsni == "" || strings.HasPrefix(sslsni, "1") {
+		// RFC 6066 asks to not set SNI if the host is a literal IP address (IPv4
+		// or IPv6). This check is coded already crypto.tls.hostnameInSNI, so
+		// just always set ServerName here and let crypto/tls do the filtering.
+		tlsConf.ServerName = o["host"]
+	}
+
+	err := sslClientCertificates(&tlsConf, o)
+	if err != nil {
+		return nil, err
+	}
+	err = sslCertificateAuthority(&tlsConf, o)
+	if err != nil {
+		return nil, err
+	}
+
+	// Accept renegotiation requests initiated by the backend.
+	//
+	// Renegotiation was deprecated then removed from PostgreSQL 9.5, but
+	// the default configuration of older versions has it enabled. Redshift
+	// also initiates renegotiations and cannot be reconfigured.
+	tlsConf.Renegotiation = tls.RenegotiateFreelyAsClient
+
+	return func(conn net.Conn) (net.Conn, error) {
+		client := tls.Client(conn, &tlsConf)
+		if verifyCaOnly {
+			err := sslVerifyCertificateAuthority(client, &tlsConf)
+			if err != nil {
+				return nil, err
+			}
+		}
+		return client, nil
+	}, nil
+}
+
+// sslClientCertificates adds the certificate specified in the "sslcert" and
+// "sslkey" settings, or if they aren't set, from the .postgresql directory
+// in the user's home directory. The configured files must exist and have
+// the correct permissions.
+func sslClientCertificates(tlsConf *tls.Config, o values) error {
+	sslinline := o["sslinline"]
+	if sslinline == "true" {
+		cert, err := tls.X509KeyPair([]byte(o["sslcert"]), []byte(o["sslkey"]))
+		if err != nil {
+			return err
+		}
+		tlsConf.Certificates = []tls.Certificate{cert}
+		return nil
+	}
+
+	// user.Current() might fail when cross-compiling. We have to ignore the
+	// error and continue without home directory defaults, since we wouldn't
+	// know from where to load them.
+	user, _ := user.Current()
+
+	// In libpq, the client certificate is only loaded if the setting is not blank.
+	//
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1036-L1037
+	sslcert := o["sslcert"]
+	if len(sslcert) == 0 && user != nil {
+		sslcert = filepath.Join(user.HomeDir, ".postgresql", "postgresql.crt")
+	}
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1045
+	if len(sslcert) == 0 {
+		return nil
+	}
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1050:L1054
+	if _, err := os.Stat(sslcert); os.IsNotExist(err) {
+		return nil
+	} else if err != nil {
+		return err
+	}
+
+	// In libpq, the ssl key is only loaded if the setting is not blank.
+	//
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1123-L1222
+	sslkey := o["sslkey"]
+	if len(sslkey) == 0 && user != nil {
+		sslkey = filepath.Join(user.HomeDir, ".postgresql", "postgresql.key")
+	}
+
+	if len(sslkey) > 0 {
+		if err := sslKeyPermissions(sslkey); err != nil {
+			return err
+		}
+	}
+
+	cert, err := tls.LoadX509KeyPair(sslcert, sslkey)
+	if err != nil {
+		return err
+	}
+
+	tlsConf.Certificates = []tls.Certificate{cert}
+	return nil
+}
+
+// sslCertificateAuthority adds the RootCA specified in the "sslrootcert" setting.
+func sslCertificateAuthority(tlsConf *tls.Config, o values) error {
+	// In libpq, the root certificate is only loaded if the setting is not blank.
+	//
+	// https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L950-L951
+	if sslrootcert := o["sslrootcert"]; len(sslrootcert) > 0 {
+		tlsConf.RootCAs = x509.NewCertPool()
+
+		sslinline := o["sslinline"]
+
+		var cert []byte
+		if sslinline == "true" {
+			cert = []byte(sslrootcert)
+		} else {
+			var err error
+			cert, err = ioutil.ReadFile(sslrootcert)
+			if err != nil {
+				return err
+			}
+		}
+
+		if !tlsConf.RootCAs.AppendCertsFromPEM(cert) {
+			return fmterrorf("couldn't parse pem in sslrootcert")
+		}
+	}
+
+	return nil
+}
+
+// sslVerifyCertificateAuthority carries out a TLS handshake to the server and
+// verifies the presented certificate against the CA, i.e. the one specified in
+// sslrootcert or the system CA if sslrootcert was not specified.
+func sslVerifyCertificateAuthority(client *tls.Conn, tlsConf *tls.Config) error {
+	err := client.Handshake()
+	if err != nil {
+		return err
+	}
+	certs := client.ConnectionState().PeerCertificates
+	opts := x509.VerifyOptions{
+		DNSName:       client.ConnectionState().ServerName,
+		Intermediates: x509.NewCertPool(),
+		Roots:         tlsConf.RootCAs,
+	}
+	for i, cert := range certs {
+		if i == 0 {
+			continue
+		}
+		opts.Intermediates.AddCert(cert)
+	}
+	_, err = certs[0].Verify(opts)
+	return err
+}
diff --git a/vendor/github.com/lib/pq/ssl_permissions.go b/vendor/github.com/lib/pq/ssl_permissions.go
new file mode 100644
index 0000000000..d587f102ed
--- /dev/null
+++ b/vendor/github.com/lib/pq/ssl_permissions.go
@@ -0,0 +1,93 @@
+//go:build !windows
+// +build !windows
+
+package pq
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+const (
+	rootUserID = uint32(0)
+
+	// The maximum permissions that a private key file owned by a regular user
+	// is allowed to have. This translates to u=rw.
+	maxUserOwnedKeyPermissions os.FileMode = 0600
+
+	// The maximum permissions that a private key file owned by root is allowed
+	// to have. This translates to u=rw,g=r.
+	maxRootOwnedKeyPermissions os.FileMode = 0640
+)
+
+var (
+	errSSLKeyHasUnacceptableUserPermissions = errors.New("permissions for files not owned by root should be u=rw (0600) or less")
+	errSSLKeyHasUnacceptableRootPermissions = errors.New("permissions for root owned files should be u=rw,g=r (0640) or less")
+)
+
+// sslKeyPermissions checks the permissions on user-supplied ssl key files.
+// The key file should have very little access.
+//
+// libpq does not check key file permissions on Windows.
+func sslKeyPermissions(sslkey string) error {
+	info, err := os.Stat(sslkey)
+	if err != nil {
+		return err
+	}
+
+	err = hasCorrectPermissions(info)
+
+	// return ErrSSLKeyHasWorldPermissions for backwards compatability with
+	// existing code.
+	if err == errSSLKeyHasUnacceptableUserPermissions || err == errSSLKeyHasUnacceptableRootPermissions {
+		err = ErrSSLKeyHasWorldPermissions
+	}
+	return err
+}
+
+// hasCorrectPermissions checks the file info (and the unix-specific stat_t
+// output) to verify that the permissions on the file are correct.
+//
+// If the file is owned by the same user the process is running as,
+// the file should only have 0600 (u=rw). If the file is owned by root,
+// and the group matches the group that the process is running in, the
+// permissions cannot be more than 0640 (u=rw,g=r). The file should
+// never have world permissions.
+//
+// Returns an error when the permission check fails.
+func hasCorrectPermissions(info os.FileInfo) error {
+	// if file's permission matches 0600, allow access.
+	userPermissionMask := (os.FileMode(0777) ^ maxUserOwnedKeyPermissions)
+
+	// regardless of if we're running as root or not, 0600 is acceptable,
+	// so we return if we match the regular user permission mask.
+	if info.Mode().Perm()&userPermissionMask == 0 {
+		return nil
+	}
+
+	// We need to pull the Unix file information to get the file's owner.
+	// If we can't access it, there's some sort of operating system level error
+	// and we should fail rather than attempting to use faulty information.
+	sysInfo := info.Sys()
+	if sysInfo == nil {
+		return ErrSSLKeyUnknownOwnership
+	}
+
+	unixStat, ok := sysInfo.(*syscall.Stat_t)
+	if !ok {
+		return ErrSSLKeyUnknownOwnership
+	}
+
+	// if the file is owned by root, we allow 0640 (u=rw,g=r) to match what
+	// Postgres does.
+	if unixStat.Uid == rootUserID {
+		rootPermissionMask := (os.FileMode(0777) ^ maxRootOwnedKeyPermissions)
+		if info.Mode().Perm()&rootPermissionMask != 0 {
+			return errSSLKeyHasUnacceptableRootPermissions
+		}
+		return nil
+	}
+
+	return errSSLKeyHasUnacceptableUserPermissions
+}
diff --git a/vendor/github.com/lib/pq/ssl_windows.go b/vendor/github.com/lib/pq/ssl_windows.go
new file mode 100644
index 0000000000..73663c8f15
--- /dev/null
+++ b/vendor/github.com/lib/pq/ssl_windows.go
@@ -0,0 +1,10 @@
+//go:build windows
+// +build windows
+
+package pq
+
+// sslKeyPermissions checks the permissions on user-supplied ssl key files.
+// The key file should have very little access.
+//
+// libpq does not check key file permissions on Windows.
+func sslKeyPermissions(string) error { return nil }
diff --git a/vendor/github.com/lib/pq/url.go b/vendor/github.com/lib/pq/url.go
new file mode 100644
index 0000000000..aec6e95be8
--- /dev/null
+++ b/vendor/github.com/lib/pq/url.go
@@ -0,0 +1,76 @@
+package pq
+
+import (
+	"fmt"
+	"net"
+	nurl "net/url"
+	"sort"
+	"strings"
+)
+
+// ParseURL no longer needs to be used by clients of this library since supplying a URL as a
+// connection string to sql.Open() is now supported:
+//
+//	sql.Open("postgres", "postgres://bob:secret@1.2.3.4:5432/mydb?sslmode=verify-full")
+//
+// It remains exported here for backwards-compatibility.
+//
+// ParseURL converts a url to a connection string for driver.Open.
+// Example:
+//
+//	"postgres://bob:secret@1.2.3.4:5432/mydb?sslmode=verify-full"
+//
+// converts to:
+//
+//	"user=bob password=secret host=1.2.3.4 port=5432 dbname=mydb sslmode=verify-full"
+//
+// A minimal example:
+//
+//	"postgres://"
+//
+// This will be blank, causing driver.Open to use all of the defaults
+func ParseURL(url string) (string, error) {
+	u, err := nurl.Parse(url)
+	if err != nil {
+		return "", err
+	}
+
+	if u.Scheme != "postgres" && u.Scheme != "postgresql" {
+		return "", fmt.Errorf("invalid connection protocol: %s", u.Scheme)
+	}
+
+	var kvs []string
+	escaper := strings.NewReplacer(`'`, `\'`, `\`, `\\`)
+	accrue := func(k, v string) {
+		if v != "" {
+			kvs = append(kvs, k+"='"+escaper.Replace(v)+"'")
+		}
+	}
+
+	if u.User != nil {
+		v := u.User.Username()
+		accrue("user", v)
+
+		v, _ = u.User.Password()
+		accrue("password", v)
+	}
+
+	if host, port, err := net.SplitHostPort(u.Host); err != nil {
+		accrue("host", u.Host)
+	} else {
+		accrue("host", host)
+		accrue("port", port)
+	}
+
+	if u.Path != "" {
+		accrue("dbname", u.Path[1:])
+	}
+
+	q := u.Query()
+	for k := range q {
+		accrue(k, q.Get(k))
+	}
+
+	sort.Strings(kvs) // Makes testing easier (not a performance concern)
+	return strings.Join(kvs, " "), nil
+}
diff --git a/vendor/github.com/lib/pq/user_other.go b/vendor/github.com/lib/pq/user_other.go
new file mode 100644
index 0000000000..3dae8f5572
--- /dev/null
+++ b/vendor/github.com/lib/pq/user_other.go
@@ -0,0 +1,10 @@
+// Package pq is a pure Go Postgres driver for the database/sql package.
+
+//go:build js || android || hurd || zos
+// +build js android hurd zos
+
+package pq
+
+func userCurrent() (string, error) {
+	return "", ErrCouldNotDetectUsername
+}
diff --git a/vendor/github.com/lib/pq/user_posix.go b/vendor/github.com/lib/pq/user_posix.go
new file mode 100644
index 0000000000..5f2d439bc4
--- /dev/null
+++ b/vendor/github.com/lib/pq/user_posix.go
@@ -0,0 +1,25 @@
+// Package pq is a pure Go Postgres driver for the database/sql package.
+
+//go:build aix || darwin || dragonfly || freebsd || (linux && !android) || nacl || netbsd || openbsd || plan9 || solaris || rumprun || illumos
+// +build aix darwin dragonfly freebsd linux,!android nacl netbsd openbsd plan9 solaris rumprun illumos
+
+package pq
+
+import (
+	"os"
+	"os/user"
+)
+
+func userCurrent() (string, error) {
+	u, err := user.Current()
+	if err == nil {
+		return u.Username, nil
+	}
+
+	name := os.Getenv("USER")
+	if name != "" {
+		return name, nil
+	}
+
+	return "", ErrCouldNotDetectUsername
+}
diff --git a/vendor/github.com/lib/pq/user_windows.go b/vendor/github.com/lib/pq/user_windows.go
new file mode 100644
index 0000000000..2b691267b9
--- /dev/null
+++ b/vendor/github.com/lib/pq/user_windows.go
@@ -0,0 +1,27 @@
+// Package pq is a pure Go Postgres driver for the database/sql package.
+package pq
+
+import (
+	"path/filepath"
+	"syscall"
+)
+
+// Perform Windows user name lookup identically to libpq.
+//
+// The PostgreSQL code makes use of the legacy Win32 function
+// GetUserName, and that function has not been imported into stock Go.
+// GetUserNameEx is available though, the difference being that a
+// wider range of names are available.  To get the output to be the
+// same as GetUserName, only the base (or last) component of the
+// result is returned.
+func userCurrent() (string, error) {
+	pw_name := make([]uint16, 128)
+	pwname_size := uint32(len(pw_name)) - 1
+	err := syscall.GetUserNameEx(syscall.NameSamCompatible, &pw_name[0], &pwname_size)
+	if err != nil {
+		return "", ErrCouldNotDetectUsername
+	}
+	s := syscall.UTF16ToString(pw_name)
+	u := filepath.Base(s)
+	return u, nil
+}
diff --git a/vendor/github.com/lib/pq/uuid.go b/vendor/github.com/lib/pq/uuid.go
new file mode 100644
index 0000000000..9a1b9e0748
--- /dev/null
+++ b/vendor/github.com/lib/pq/uuid.go
@@ -0,0 +1,23 @@
+package pq
+
+import (
+	"encoding/hex"
+	"fmt"
+)
+
+// decodeUUIDBinary interprets the binary format of a uuid, returning it in text format.
+func decodeUUIDBinary(src []byte) ([]byte, error) {
+	if len(src) != 16 {
+		return nil, fmt.Errorf("pq: unable to decode uuid; bad length: %d", len(src))
+	}
+
+	dst := make([]byte, 36)
+	dst[8], dst[13], dst[18], dst[23] = '-', '-', '-', '-'
+	hex.Encode(dst[0:], src[0:4])
+	hex.Encode(dst[9:], src[4:6])
+	hex.Encode(dst[14:], src[6:8])
+	hex.Encode(dst[19:], src[8:10])
+	hex.Encode(dst[24:], src[10:16])
+
+	return dst, nil
+}
diff --git a/vendor/github.com/liggitt/tabwriter/.travis.yml b/vendor/github.com/liggitt/tabwriter/.travis.yml
new file mode 100644
index 0000000000..2768dc0727
--- /dev/null
+++ b/vendor/github.com/liggitt/tabwriter/.travis.yml
@@ -0,0 +1,11 @@
+language: go
+
+go:
+  - "1.8"
+  - "1.9"
+  - "1.10"
+  - "1.11"
+  - "1.12"
+  - master
+
+script: go test -v ./...
diff --git a/vendor/github.com/liggitt/tabwriter/LICENSE b/vendor/github.com/liggitt/tabwriter/LICENSE
new file mode 100644
index 0000000000..6a66aea5ea
--- /dev/null
+++ b/vendor/github.com/liggitt/tabwriter/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/liggitt/tabwriter/README.md b/vendor/github.com/liggitt/tabwriter/README.md
new file mode 100644
index 0000000000..e75d35672e
--- /dev/null
+++ b/vendor/github.com/liggitt/tabwriter/README.md
@@ -0,0 +1,7 @@
+This repo is a drop-in replacement for the golang [text/tabwriter](https://golang.org/pkg/text/tabwriter/) package.
+
+It is based on that package at [cf2c2ea8](https://github.com/golang/go/tree/cf2c2ea89d09d486bb018b1817c5874388038c3a/src/text/tabwriter) and inherits its license.
+
+The following additional features are supported:
+* `RememberWidths` flag allows remembering maximum widths seen per column even after Flush() is called.
+* `RememberedWidths() []int` and `SetRememberedWidths([]int) *Writer` allows obtaining and transferring remembered column width between writers.
diff --git a/vendor/github.com/liggitt/tabwriter/tabwriter.go b/vendor/github.com/liggitt/tabwriter/tabwriter.go
new file mode 100644
index 0000000000..fd3431fb03
--- /dev/null
+++ b/vendor/github.com/liggitt/tabwriter/tabwriter.go
@@ -0,0 +1,637 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package tabwriter implements a write filter (tabwriter.Writer) that
+// translates tabbed columns in input into properly aligned text.
+//
+// It is a drop-in replacement for the golang text/tabwriter package (https://golang.org/pkg/text/tabwriter),
+// based on that package at https://github.com/golang/go/tree/cf2c2ea89d09d486bb018b1817c5874388038c3a
+// with support for additional features.
+//
+// The package is using the Elastic Tabstops algorithm described at
+// http://nickgravgaard.com/elastictabstops/index.html.
+package tabwriter
+
+import (
+	"io"
+	"unicode/utf8"
+)
+
+// ----------------------------------------------------------------------------
+// Filter implementation
+
+// A cell represents a segment of text terminated by tabs or line breaks.
+// The text itself is stored in a separate buffer; cell only describes the
+// segment's size in bytes, its width in runes, and whether it's an htab
+// ('\t') terminated cell.
+//
+type cell struct {
+	size  int  // cell size in bytes
+	width int  // cell width in runes
+	htab  bool // true if the cell is terminated by an htab ('\t')
+}
+
+// A Writer is a filter that inserts padding around tab-delimited
+// columns in its input to align them in the output.
+//
+// The Writer treats incoming bytes as UTF-8-encoded text consisting
+// of cells terminated by horizontal ('\t') or vertical ('\v') tabs,
+// and newline ('\n') or formfeed ('\f') characters; both newline and
+// formfeed act as line breaks.
+//
+// Tab-terminated cells in contiguous lines constitute a column. The
+// Writer inserts padding as needed to make all cells in a column have
+// the same width, effectively aligning the columns. It assumes that
+// all characters have the same width, except for tabs for which a
+// tabwidth must be specified. Column cells must be tab-terminated, not
+// tab-separated: non-tab terminated trailing text at the end of a line
+// forms a cell but that cell is not part of an aligned column.
+// For instance, in this example (where | stands for a horizontal tab):
+//
+//	aaaa|bbb|d
+//	aa  |b  |dd
+//	a   |
+//	aa  |cccc|eee
+//
+// the b and c are in distinct columns (the b column is not contiguous
+// all the way). The d and e are not in a column at all (there's no
+// terminating tab, nor would the column be contiguous).
+//
+// The Writer assumes that all Unicode code points have the same width;
+// this may not be true in some fonts or if the string contains combining
+// characters.
+//
+// If DiscardEmptyColumns is set, empty columns that are terminated
+// entirely by vertical (or "soft") tabs are discarded. Columns
+// terminated by horizontal (or "hard") tabs are not affected by
+// this flag.
+//
+// If a Writer is configured to filter HTML, HTML tags and entities
+// are passed through. The widths of tags and entities are
+// assumed to be zero (tags) and one (entities) for formatting purposes.
+//
+// A segment of text may be escaped by bracketing it with Escape
+// characters. The tabwriter passes escaped text segments through
+// unchanged. In particular, it does not interpret any tabs or line
+// breaks within the segment. If the StripEscape flag is set, the
+// Escape characters are stripped from the output; otherwise they
+// are passed through as well. For the purpose of formatting, the
+// width of the escaped text is always computed excluding the Escape
+// characters.
+//
+// The formfeed character acts like a newline but it also terminates
+// all columns in the current line (effectively calling Flush). Tab-
+// terminated cells in the next line start new columns. Unless found
+// inside an HTML tag or inside an escaped text segment, formfeed
+// characters appear as newlines in the output.
+//
+// The Writer must buffer input internally, because proper spacing
+// of one line may depend on the cells in future lines. Clients must
+// call Flush when done calling Write.
+//
+type Writer struct {
+	// configuration
+	output   io.Writer
+	minwidth int
+	tabwidth int
+	padding  int
+	padbytes [8]byte
+	flags    uint
+
+	// current state
+	buf     []byte   // collected text excluding tabs or line breaks
+	pos     int      // buffer position up to which cell.width of incomplete cell has been computed
+	cell    cell     // current incomplete cell; cell.width is up to buf[pos] excluding ignored sections
+	endChar byte     // terminating char of escaped sequence (Escape for escapes, '>', ';' for HTML tags/entities, or 0)
+	lines   [][]cell // list of lines; each line is a list of cells
+	widths  []int    // list of column widths in runes - re-used during formatting
+
+	maxwidths []int // list of max column widths in runes
+}
+
+// addLine adds a new line.
+// flushed is a hint indicating whether the underlying writer was just flushed.
+// If so, the previous line is not likely to be a good indicator of the new line's cells.
+func (b *Writer) addLine(flushed bool) {
+	// Grow slice instead of appending,
+	// as that gives us an opportunity
+	// to re-use an existing []cell.
+	if n := len(b.lines) + 1; n <= cap(b.lines) {
+		b.lines = b.lines[:n]
+		b.lines[n-1] = b.lines[n-1][:0]
+	} else {
+		b.lines = append(b.lines, nil)
+	}
+
+	if !flushed {
+		// The previous line is probably a good indicator
+		// of how many cells the current line will have.
+		// If the current line's capacity is smaller than that,
+		// abandon it and make a new one.
+		if n := len(b.lines); n >= 2 {
+			if prev := len(b.lines[n-2]); prev > cap(b.lines[n-1]) {
+				b.lines[n-1] = make([]cell, 0, prev)
+			}
+		}
+	}
+}
+
+// Reset the current state.
+func (b *Writer) reset() {
+	b.buf = b.buf[:0]
+	b.pos = 0
+	b.cell = cell{}
+	b.endChar = 0
+	b.lines = b.lines[0:0]
+	b.widths = b.widths[0:0]
+	b.addLine(true)
+}
+
+// Internal representation (current state):
+//
+// - all text written is appended to buf; tabs and line breaks are stripped away
+// - at any given time there is a (possibly empty) incomplete cell at the end
+//   (the cell starts after a tab or line break)
+// - cell.size is the number of bytes belonging to the cell so far
+// - cell.width is text width in runes of that cell from the start of the cell to
+//   position pos; html tags and entities are excluded from this width if html
+//   filtering is enabled
+// - the sizes and widths of processed text are kept in the lines list
+//   which contains a list of cells for each line
+// - the widths list is a temporary list with current widths used during
+//   formatting; it is kept in Writer because it's re-used
+//
+//                    |<---------- size ---------->|
+//                    |                            |
+//                    |<- width ->|<- ignored ->|  |
+//                    |           |             |  |
+// [---processed---tab------------<tag>...</tag>...]
+// ^                  ^                         ^
+// |                  |                         |
+// buf                start of incomplete cell  pos
+
+// Formatting can be controlled with these flags.
+const (
+	// Ignore html tags and treat entities (starting with '&'
+	// and ending in ';') as single characters (width = 1).
+	FilterHTML uint = 1 << iota
+
+	// Strip Escape characters bracketing escaped text segments
+	// instead of passing them through unchanged with the text.
+	StripEscape
+
+	// Force right-alignment of cell content.
+	// Default is left-alignment.
+	AlignRight
+
+	// Handle empty columns as if they were not present in
+	// the input in the first place.
+	DiscardEmptyColumns
+
+	// Always use tabs for indentation columns (i.e., padding of
+	// leading empty cells on the left) independent of padchar.
+	TabIndent
+
+	// Print a vertical bar ('|') between columns (after formatting).
+	// Discarded columns appear as zero-width columns ("||").
+	Debug
+
+	// Remember maximum widths seen per column even after Flush() is called.
+	RememberWidths
+)
+
+// A Writer must be initialized with a call to Init. The first parameter (output)
+// specifies the filter output. The remaining parameters control the formatting:
+//
+//	minwidth	minimal cell width including any padding
+//	tabwidth	width of tab characters (equivalent number of spaces)
+//	padding		padding added to a cell before computing its width
+//	padchar		ASCII char used for padding
+//			if padchar == '\t', the Writer will assume that the
+//			width of a '\t' in the formatted output is tabwidth,
+//			and cells are left-aligned independent of align_left
+//			(for correct-looking results, tabwidth must correspond
+//			to the tab width in the viewer displaying the result)
+//	flags		formatting control
+//
+func (b *Writer) Init(output io.Writer, minwidth, tabwidth, padding int, padchar byte, flags uint) *Writer {
+	if minwidth < 0 || tabwidth < 0 || padding < 0 {
+		panic("negative minwidth, tabwidth, or padding")
+	}
+	b.output = output
+	b.minwidth = minwidth
+	b.tabwidth = tabwidth
+	b.padding = padding
+	for i := range b.padbytes {
+		b.padbytes[i] = padchar
+	}
+	if padchar == '\t' {
+		// tab padding enforces left-alignment
+		flags &^= AlignRight
+	}
+	b.flags = flags
+
+	b.reset()
+
+	return b
+}
+
+// debugging support (keep code around)
+func (b *Writer) dump() {
+	pos := 0
+	for i, line := range b.lines {
+		print("(", i, ") ")
+		for _, c := range line {
+			print("[", string(b.buf[pos:pos+c.size]), "]")
+			pos += c.size
+		}
+		print("\n")
+	}
+	print("\n")
+}
+
+// local error wrapper so we can distinguish errors we want to return
+// as errors from genuine panics (which we don't want to return as errors)
+type osError struct {
+	err error
+}
+
+func (b *Writer) write0(buf []byte) {
+	n, err := b.output.Write(buf)
+	if n != len(buf) && err == nil {
+		err = io.ErrShortWrite
+	}
+	if err != nil {
+		panic(osError{err})
+	}
+}
+
+func (b *Writer) writeN(src []byte, n int) {
+	for n > len(src) {
+		b.write0(src)
+		n -= len(src)
+	}
+	b.write0(src[0:n])
+}
+
+var (
+	newline = []byte{'\n'}
+	tabs    = []byte("\t\t\t\t\t\t\t\t")
+)
+
+func (b *Writer) writePadding(textw, cellw int, useTabs bool) {
+	if b.padbytes[0] == '\t' || useTabs {
+		// padding is done with tabs
+		if b.tabwidth == 0 {
+			return // tabs have no width - can't do any padding
+		}
+		// make cellw the smallest multiple of b.tabwidth
+		cellw = (cellw + b.tabwidth - 1) / b.tabwidth * b.tabwidth
+		n := cellw - textw // amount of padding
+		if n < 0 {
+			panic("internal error")
+		}
+		b.writeN(tabs, (n+b.tabwidth-1)/b.tabwidth)
+		return
+	}
+
+	// padding is done with non-tab characters
+	b.writeN(b.padbytes[0:], cellw-textw)
+}
+
+var vbar = []byte{'|'}
+
+func (b *Writer) writeLines(pos0 int, line0, line1 int) (pos int) {
+	pos = pos0
+	for i := line0; i < line1; i++ {
+		line := b.lines[i]
+
+		// if TabIndent is set, use tabs to pad leading empty cells
+		useTabs := b.flags&TabIndent != 0
+
+		for j, c := range line {
+			if j > 0 && b.flags&Debug != 0 {
+				// indicate column break
+				b.write0(vbar)
+			}
+
+			if c.size == 0 {
+				// empty cell
+				if j < len(b.widths) {
+					b.writePadding(c.width, b.widths[j], useTabs)
+				}
+			} else {
+				// non-empty cell
+				useTabs = false
+				if b.flags&AlignRight == 0 { // align left
+					b.write0(b.buf[pos : pos+c.size])
+					pos += c.size
+					if j < len(b.widths) {
+						b.writePadding(c.width, b.widths[j], false)
+					}
+				} else { // align right
+					if j < len(b.widths) {
+						b.writePadding(c.width, b.widths[j], false)
+					}
+					b.write0(b.buf[pos : pos+c.size])
+					pos += c.size
+				}
+			}
+		}
+
+		if i+1 == len(b.lines) {
+			// last buffered line - we don't have a newline, so just write
+			// any outstanding buffered data
+			b.write0(b.buf[pos : pos+b.cell.size])
+			pos += b.cell.size
+		} else {
+			// not the last line - write newline
+			b.write0(newline)
+		}
+	}
+	return
+}
+
+// Format the text between line0 and line1 (excluding line1); pos
+// is the buffer position corresponding to the beginning of line0.
+// Returns the buffer position corresponding to the beginning of
+// line1 and an error, if any.
+//
+func (b *Writer) format(pos0 int, line0, line1 int) (pos int) {
+	pos = pos0
+	column := len(b.widths)
+	for this := line0; this < line1; this++ {
+		line := b.lines[this]
+
+		if column >= len(line)-1 {
+			continue
+		}
+		// cell exists in this column => this line
+		// has more cells than the previous line
+		// (the last cell per line is ignored because cells are
+		// tab-terminated; the last cell per line describes the
+		// text before the newline/formfeed and does not belong
+		// to a column)
+
+		// print unprinted lines until beginning of block
+		pos = b.writeLines(pos, line0, this)
+		line0 = this
+
+		// column block begin
+		width := b.minwidth // minimal column width
+		discardable := true // true if all cells in this column are empty and "soft"
+		for ; this < line1; this++ {
+			line = b.lines[this]
+			if column >= len(line)-1 {
+				break
+			}
+			// cell exists in this column
+			c := line[column]
+			// update width
+			if w := c.width + b.padding; w > width {
+				width = w
+			}
+			// update discardable
+			if c.width > 0 || c.htab {
+				discardable = false
+			}
+		}
+		// column block end
+
+		// discard empty columns if necessary
+		if discardable && b.flags&DiscardEmptyColumns != 0 {
+			width = 0
+		}
+
+		if b.flags&RememberWidths != 0 {
+			if len(b.maxwidths) < len(b.widths) {
+				b.maxwidths = append(b.maxwidths, b.widths[len(b.maxwidths):]...)
+			}
+
+			switch {
+			case len(b.maxwidths) == len(b.widths):
+				b.maxwidths = append(b.maxwidths, width)
+			case b.maxwidths[len(b.widths)] > width:
+				width = b.maxwidths[len(b.widths)]
+			case b.maxwidths[len(b.widths)] < width:
+				b.maxwidths[len(b.widths)] = width
+			}
+		}
+
+		// format and print all columns to the right of this column
+		// (we know the widths of this column and all columns to the left)
+		b.widths = append(b.widths, width) // push width
+		pos = b.format(pos, line0, this)
+		b.widths = b.widths[0 : len(b.widths)-1] // pop width
+		line0 = this
+	}
+
+	// print unprinted lines until end
+	return b.writeLines(pos, line0, line1)
+}
+
+// Append text to current cell.
+func (b *Writer) append(text []byte) {
+	b.buf = append(b.buf, text...)
+	b.cell.size += len(text)
+}
+
+// Update the cell width.
+func (b *Writer) updateWidth() {
+	b.cell.width += utf8.RuneCount(b.buf[b.pos:])
+	b.pos = len(b.buf)
+}
+
+// To escape a text segment, bracket it with Escape characters.
+// For instance, the tab in this string "Ignore this tab: \xff\t\xff"
+// does not terminate a cell and constitutes a single character of
+// width one for formatting purposes.
+//
+// The value 0xff was chosen because it cannot appear in a valid UTF-8 sequence.
+//
+const Escape = '\xff'
+
+// Start escaped mode.
+func (b *Writer) startEscape(ch byte) {
+	switch ch {
+	case Escape:
+		b.endChar = Escape
+	case '<':
+		b.endChar = '>'
+	case '&':
+		b.endChar = ';'
+	}
+}
+
+// Terminate escaped mode. If the escaped text was an HTML tag, its width
+// is assumed to be zero for formatting purposes; if it was an HTML entity,
+// its width is assumed to be one. In all other cases, the width is the
+// unicode width of the text.
+//
+func (b *Writer) endEscape() {
+	switch b.endChar {
+	case Escape:
+		b.updateWidth()
+		if b.flags&StripEscape == 0 {
+			b.cell.width -= 2 // don't count the Escape chars
+		}
+	case '>': // tag of zero width
+	case ';':
+		b.cell.width++ // entity, count as one rune
+	}
+	b.pos = len(b.buf)
+	b.endChar = 0
+}
+
+// Terminate the current cell by adding it to the list of cells of the
+// current line. Returns the number of cells in that line.
+//
+func (b *Writer) terminateCell(htab bool) int {
+	b.cell.htab = htab
+	line := &b.lines[len(b.lines)-1]
+	*line = append(*line, b.cell)
+	b.cell = cell{}
+	return len(*line)
+}
+
+func handlePanic(err *error, op string) {
+	if e := recover(); e != nil {
+		if nerr, ok := e.(osError); ok {
+			*err = nerr.err
+			return
+		}
+		panic("tabwriter: panic during " + op)
+	}
+}
+
+// RememberedWidths returns a copy of the remembered per-column maximum widths.
+// Requires use of the RememberWidths flag, and is not threadsafe.
+func (b *Writer) RememberedWidths() []int {
+	retval := make([]int, len(b.maxwidths))
+	copy(retval, b.maxwidths)
+	return retval
+}
+
+// SetRememberedWidths sets the remembered per-column maximum widths.
+// Requires use of the RememberWidths flag, and is not threadsafe.
+func (b *Writer) SetRememberedWidths(widths []int) *Writer {
+	b.maxwidths = make([]int, len(widths))
+	copy(b.maxwidths, widths)
+	return b
+}
+
+// Flush should be called after the last call to Write to ensure
+// that any data buffered in the Writer is written to output. Any
+// incomplete escape sequence at the end is considered
+// complete for formatting purposes.
+func (b *Writer) Flush() error {
+	return b.flush()
+}
+
+func (b *Writer) flush() (err error) {
+	defer b.reset() // even in the presence of errors
+	defer handlePanic(&err, "Flush")
+
+	// add current cell if not empty
+	if b.cell.size > 0 {
+		if b.endChar != 0 {
+			// inside escape - terminate it even if incomplete
+			b.endEscape()
+		}
+		b.terminateCell(false)
+	}
+
+	// format contents of buffer
+	b.format(0, 0, len(b.lines))
+	return nil
+}
+
+var hbar = []byte("---\n")
+
+// Write writes buf to the writer b.
+// The only errors returned are ones encountered
+// while writing to the underlying output stream.
+//
+func (b *Writer) Write(buf []byte) (n int, err error) {
+	defer handlePanic(&err, "Write")
+
+	// split text into cells
+	n = 0
+	for i, ch := range buf {
+		if b.endChar == 0 {
+			// outside escape
+			switch ch {
+			case '\t', '\v', '\n', '\f':
+				// end of cell
+				b.append(buf[n:i])
+				b.updateWidth()
+				n = i + 1 // ch consumed
+				ncells := b.terminateCell(ch == '\t')
+				if ch == '\n' || ch == '\f' {
+					// terminate line
+					b.addLine(ch == '\f')
+					if ch == '\f' || ncells == 1 {
+						// A '\f' always forces a flush. Otherwise, if the previous
+						// line has only one cell which does not have an impact on
+						// the formatting of the following lines (the last cell per
+						// line is ignored by format()), thus we can flush the
+						// Writer contents.
+						if err = b.Flush(); err != nil {
+							return
+						}
+						if ch == '\f' && b.flags&Debug != 0 {
+							// indicate section break
+							b.write0(hbar)
+						}
+					}
+				}
+
+			case Escape:
+				// start of escaped sequence
+				b.append(buf[n:i])
+				b.updateWidth()
+				n = i
+				if b.flags&StripEscape != 0 {
+					n++ // strip Escape
+				}
+				b.startEscape(Escape)
+
+			case '<', '&':
+				// possibly an html tag/entity
+				if b.flags&FilterHTML != 0 {
+					// begin of tag/entity
+					b.append(buf[n:i])
+					b.updateWidth()
+					n = i
+					b.startEscape(ch)
+				}
+			}
+
+		} else {
+			// inside escape
+			if ch == b.endChar {
+				// end of tag/entity
+				j := i + 1
+				if ch == Escape && b.flags&StripEscape != 0 {
+					j = i // strip Escape
+				}
+				b.append(buf[n:j])
+				n = i + 1 // ch consumed
+				b.endEscape()
+			}
+		}
+	}
+
+	// append leftover text
+	b.append(buf[n:])
+	n = len(buf)
+	return
+}
+
+// NewWriter allocates and initializes a new tabwriter.Writer.
+// The parameters are the same as for the Init function.
+//
+func NewWriter(output io.Writer, minwidth, tabwidth, padding int, padchar byte, flags uint) *Writer {
+	return new(Writer).Init(output, minwidth, tabwidth, padding, padchar, flags)
+}
diff --git a/vendor/github.com/magiconair/properties/.gitignore b/vendor/github.com/magiconair/properties/.gitignore
new file mode 100644
index 0000000000..e7081ff522
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/.gitignore
@@ -0,0 +1,6 @@
+*.sublime-project
+*.sublime-workspace
+*.un~
+*.swp
+.idea/
+*.iml
diff --git a/vendor/github.com/magiconair/properties/LICENSE.md b/vendor/github.com/magiconair/properties/LICENSE.md
new file mode 100644
index 0000000000..79c87e3e6f
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/LICENSE.md
@@ -0,0 +1,24 @@
+Copyright (c) 2013-2020, Frank Schroeder
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/magiconair/properties/README.md b/vendor/github.com/magiconair/properties/README.md
new file mode 100644
index 0000000000..4872685f46
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/README.md
@@ -0,0 +1,98 @@
+[![](https://img.shields.io/github/tag/magiconair/properties.svg?style=flat-square&label=release)](https://github.com/magiconair/properties/releases)
+[![License](https://img.shields.io/badge/License-BSD%202--Clause-orange.svg?style=flat-square)](https://raw.githubusercontent.com/magiconair/properties/master/LICENSE)
+[![GoDoc](http://img.shields.io/badge/godoc-reference-5272B4.svg?style=flat-square)](http://godoc.org/github.com/magiconair/properties)
+
+# Overview
+
+properties is a Go library for reading and writing properties files.
+
+It supports reading from multiple files or URLs and Spring style recursive
+property expansion of expressions like `${key}` to their corresponding value.
+Value expressions can refer to other keys like in `${key}` or to environment
+variables like in `${USER}`.  Filenames can also contain environment variables
+like in `/home/${USER}/myapp.properties`.
+
+Properties can be decoded into structs, maps, arrays and values through
+struct tags.
+
+Comments and the order of keys are preserved. Comments can be modified
+and can be written to the output.
+
+The properties library supports both ISO-8859-1 and UTF-8 encoded data.
+
+Starting from version 1.3.0 the behavior of the MustXXX() functions is
+configurable by providing a custom `ErrorHandler` function. The default has
+changed from `panic` to `log.Fatal` but this is configurable and custom
+error handling functions can be provided. See the package documentation for
+details.
+
+Read the full documentation on [![GoDoc](http://img.shields.io/badge/godoc-reference-5272B4.svg?style=flat-square)](http://godoc.org/github.com/magiconair/properties)
+
+## Getting Started
+
+```go
+import (
+	"flag"
+	"github.com/magiconair/properties"
+)
+
+func main() {
+	// init from a file
+	p := properties.MustLoadFile("${HOME}/config.properties", properties.UTF8)
+
+	// or multiple files
+	p = properties.MustLoadFiles([]string{
+			"${HOME}/config.properties",
+			"${HOME}/config-${USER}.properties",
+		}, properties.UTF8, true)
+
+	// or from a map
+	p = properties.LoadMap(map[string]string{"key": "value", "abc": "def"})
+
+	// or from a string
+	p = properties.MustLoadString("key=value\nabc=def")
+
+	// or from a URL
+	p = properties.MustLoadURL("http://host/path")
+
+	// or from multiple URLs
+	p = properties.MustLoadURL([]string{
+			"http://host/config",
+			"http://host/config-${USER}",
+		}, true)
+
+	// or from flags
+	p.MustFlag(flag.CommandLine)
+
+	// get values through getters
+	host := p.MustGetString("host")
+	port := p.GetInt("port", 8080)
+
+	// or through Decode
+	type Config struct {
+		Host    string        `properties:"host"`
+		Port    int           `properties:"port,default=9000"`
+		Accept  []string      `properties:"accept,default=image/png;image;gif"`
+		Timeout time.Duration `properties:"timeout,default=5s"`
+	}
+	var cfg Config
+	if err := p.Decode(&cfg); err != nil {
+		log.Fatal(err)
+	}
+}
+
+```
+
+## Installation and Upgrade
+
+```
+$ go get -u github.com/magiconair/properties
+```
+
+## License
+
+2 clause BSD license. See [LICENSE](https://github.com/magiconair/properties/blob/master/LICENSE) file for details.
+
+## ToDo
+
+* Dump contents with passwords and secrets obscured
diff --git a/vendor/github.com/magiconair/properties/decode.go b/vendor/github.com/magiconair/properties/decode.go
new file mode 100644
index 0000000000..f5e252f8d9
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/decode.go
@@ -0,0 +1,289 @@
+// Copyright 2013-2022 Frank Schroeder. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package properties
+
+import (
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// Decode assigns property values to exported fields of a struct.
+//
+// Decode traverses v recursively and returns an error if a value cannot be
+// converted to the field type or a required value is missing for a field.
+//
+// The following type dependent decodings are used:
+//
+// String, boolean, numeric fields have the value of the property key assigned.
+// The property key name is the name of the field. A different key and a default
+// value can be set in the field's tag. Fields without default value are
+// required. If the value cannot be converted to the field type an error is
+// returned.
+//
+// time.Duration fields have the result of time.ParseDuration() assigned.
+//
+// time.Time fields have the vaule of time.Parse() assigned. The default layout
+// is time.RFC3339 but can be set in the field's tag.
+//
+// Arrays and slices of string, boolean, numeric, time.Duration and time.Time
+// fields have the value interpreted as a comma separated list of values. The
+// individual values are trimmed of whitespace and empty values are ignored. A
+// default value can be provided as a semicolon separated list in the field's
+// tag.
+//
+// Struct fields are decoded recursively using the field name plus "." as
+// prefix. The prefix (without dot) can be overridden in the field's tag.
+// Default values are not supported in the field's tag. Specify them on the
+// fields of the inner struct instead.
+//
+// Map fields must have a key of type string and are decoded recursively by
+// using the field's name plus ".' as prefix and the next element of the key
+// name as map key. The prefix (without dot) can be overridden in the field's
+// tag. Default values are not supported.
+//
+// Examples:
+//
+//	// Field is ignored.
+//	Field int `properties:"-"`
+//
+//	// Field is assigned value of 'Field'.
+//	Field int
+//
+//	// Field is assigned value of 'myName'.
+//	Field int `properties:"myName"`
+//
+//	// Field is assigned value of key 'myName' and has a default
+//	// value 15 if the key does not exist.
+//	Field int `properties:"myName,default=15"`
+//
+//	// Field is assigned value of key 'Field' and has a default
+//	// value 15 if the key does not exist.
+//	Field int `properties:",default=15"`
+//
+//	// Field is assigned value of key 'date' and the date
+//	// is in format 2006-01-02
+//	Field time.Time `properties:"date,layout=2006-01-02"`
+//
+//	// Field is assigned the non-empty and whitespace trimmed
+//	// values of key 'Field' split by commas.
+//	Field []string
+//
+//	// Field is assigned the non-empty and whitespace trimmed
+//	// values of key 'Field' split by commas and has a default
+//	// value ["a", "b", "c"] if the key does not exist.
+//	Field []string `properties:",default=a;b;c"`
+//
+//	// Field is decoded recursively with "Field." as key prefix.
+//	Field SomeStruct
+//
+//	// Field is decoded recursively with "myName." as key prefix.
+//	Field SomeStruct `properties:"myName"`
+//
+//	// Field is decoded recursively with "Field." as key prefix
+//	// and the next dotted element of the key as map key.
+//	Field map[string]string
+//
+//	// Field is decoded recursively with "myName." as key prefix
+//	// and the next dotted element of the key as map key.
+//	Field map[string]string `properties:"myName"`
+func (p *Properties) Decode(x interface{}) error {
+	t, v := reflect.TypeOf(x), reflect.ValueOf(x)
+	if t.Kind() != reflect.Ptr || v.Elem().Type().Kind() != reflect.Struct {
+		return fmt.Errorf("not a pointer to struct: %s", t)
+	}
+	if err := dec(p, "", nil, nil, v); err != nil {
+		return err
+	}
+	return nil
+}
+
+func dec(p *Properties, key string, def *string, opts map[string]string, v reflect.Value) error {
+	t := v.Type()
+
+	// value returns the property value for key or the default if provided.
+	value := func() (string, error) {
+		if val, ok := p.Get(key); ok {
+			return val, nil
+		}
+		if def != nil {
+			return *def, nil
+		}
+		return "", fmt.Errorf("missing required key %s", key)
+	}
+
+	// conv converts a string to a value of the given type.
+	conv := func(s string, t reflect.Type) (val reflect.Value, err error) {
+		var v interface{}
+
+		switch {
+		case isDuration(t):
+			v, err = time.ParseDuration(s)
+
+		case isTime(t):
+			layout := opts["layout"]
+			if layout == "" {
+				layout = time.RFC3339
+			}
+			v, err = time.Parse(layout, s)
+
+		case isBool(t):
+			v, err = boolVal(s), nil
+
+		case isString(t):
+			v, err = s, nil
+
+		case isFloat(t):
+			v, err = strconv.ParseFloat(s, 64)
+
+		case isInt(t):
+			v, err = strconv.ParseInt(s, 10, 64)
+
+		case isUint(t):
+			v, err = strconv.ParseUint(s, 10, 64)
+
+		default:
+			return reflect.Zero(t), fmt.Errorf("unsupported type %s", t)
+		}
+		if err != nil {
+			return reflect.Zero(t), err
+		}
+		return reflect.ValueOf(v).Convert(t), nil
+	}
+
+	// keydef returns the property key and the default value based on the
+	// name of the struct field and the options in the tag.
+	keydef := func(f reflect.StructField) (string, *string, map[string]string) {
+		_key, _opts := parseTag(f.Tag.Get("properties"))
+
+		var _def *string
+		if d, ok := _opts["default"]; ok {
+			_def = &d
+		}
+		if _key != "" {
+			return _key, _def, _opts
+		}
+		return f.Name, _def, _opts
+	}
+
+	switch {
+	case isDuration(t) || isTime(t) || isBool(t) || isString(t) || isFloat(t) || isInt(t) || isUint(t):
+		s, err := value()
+		if err != nil {
+			return err
+		}
+		val, err := conv(s, t)
+		if err != nil {
+			return err
+		}
+		v.Set(val)
+
+	case isPtr(t):
+		return dec(p, key, def, opts, v.Elem())
+
+	case isStruct(t):
+		for i := 0; i < v.NumField(); i++ {
+			fv := v.Field(i)
+			fk, def, opts := keydef(t.Field(i))
+			if fk == "-" {
+				continue
+			}
+			if !fv.CanSet() {
+				return fmt.Errorf("cannot set %s", t.Field(i).Name)
+			}
+			if key != "" {
+				fk = key + "." + fk
+			}
+			if err := dec(p, fk, def, opts, fv); err != nil {
+				return err
+			}
+		}
+		return nil
+
+	case isArray(t):
+		val, err := value()
+		if err != nil {
+			return err
+		}
+		vals := split(val, ";")
+		a := reflect.MakeSlice(t, 0, len(vals))
+		for _, s := range vals {
+			val, err := conv(s, t.Elem())
+			if err != nil {
+				return err
+			}
+			a = reflect.Append(a, val)
+		}
+		v.Set(a)
+
+	case isMap(t):
+		valT := t.Elem()
+		m := reflect.MakeMap(t)
+		for postfix := range p.FilterStripPrefix(key + ".").m {
+			pp := strings.SplitN(postfix, ".", 2)
+			mk, mv := pp[0], reflect.New(valT)
+			if err := dec(p, key+"."+mk, nil, nil, mv); err != nil {
+				return err
+			}
+			m.SetMapIndex(reflect.ValueOf(mk), mv.Elem())
+		}
+		v.Set(m)
+
+	default:
+		return fmt.Errorf("unsupported type %s", t)
+	}
+	return nil
+}
+
+// split splits a string on sep, trims whitespace of elements
+// and omits empty elements
+func split(s string, sep string) []string {
+	var a []string
+	for _, v := range strings.Split(s, sep) {
+		if v = strings.TrimSpace(v); v != "" {
+			a = append(a, v)
+		}
+	}
+	return a
+}
+
+// parseTag parses a "key,k=v,k=v,..."
+func parseTag(tag string) (key string, opts map[string]string) {
+	opts = map[string]string{}
+	for i, s := range strings.Split(tag, ",") {
+		if i == 0 {
+			key = s
+			continue
+		}
+
+		pp := strings.SplitN(s, "=", 2)
+		if len(pp) == 1 {
+			opts[pp[0]] = ""
+		} else {
+			opts[pp[0]] = pp[1]
+		}
+	}
+	return key, opts
+}
+
+func isArray(t reflect.Type) bool    { return t.Kind() == reflect.Array || t.Kind() == reflect.Slice }
+func isBool(t reflect.Type) bool     { return t.Kind() == reflect.Bool }
+func isDuration(t reflect.Type) bool { return t == reflect.TypeOf(time.Second) }
+func isMap(t reflect.Type) bool      { return t.Kind() == reflect.Map }
+func isPtr(t reflect.Type) bool      { return t.Kind() == reflect.Ptr }
+func isString(t reflect.Type) bool   { return t.Kind() == reflect.String }
+func isStruct(t reflect.Type) bool   { return t.Kind() == reflect.Struct }
+func isTime(t reflect.Type) bool     { return t == reflect.TypeOf(time.Time{}) }
+func isFloat(t reflect.Type) bool {
+	return t.Kind() == reflect.Float32 || t.Kind() == reflect.Float64
+}
+func isInt(t reflect.Type) bool {
+	return t.Kind() == reflect.Int || t.Kind() == reflect.Int8 || t.Kind() == reflect.Int16 || t.Kind() == reflect.Int32 || t.Kind() == reflect.Int64
+}
+func isUint(t reflect.Type) bool {
+	return t.Kind() == reflect.Uint || t.Kind() == reflect.Uint8 || t.Kind() == reflect.Uint16 || t.Kind() == reflect.Uint32 || t.Kind() == reflect.Uint64
+}
diff --git a/vendor/github.com/magiconair/properties/doc.go b/vendor/github.com/magiconair/properties/doc.go
new file mode 100644
index 0000000000..7c79793159
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/doc.go
@@ -0,0 +1,155 @@
+// Copyright 2013-2022 Frank Schroeder. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package properties provides functions for reading and writing
+// ISO-8859-1 and UTF-8 encoded .properties files and has
+// support for recursive property expansion.
+//
+// Java properties files are ISO-8859-1 encoded and use Unicode
+// literals for characters outside the ISO character set. Unicode
+// literals can be used in UTF-8 encoded properties files but
+// aren't necessary.
+//
+// To load a single properties file use MustLoadFile():
+//
+//	p := properties.MustLoadFile(filename, properties.UTF8)
+//
+// To load multiple properties files use MustLoadFiles()
+// which loads the files in the given order and merges the
+// result. Missing properties files can be ignored if the
+// 'ignoreMissing' flag is set to true.
+//
+// Filenames can contain environment variables which are expanded
+// before loading.
+//
+//	f1 := "/etc/myapp/myapp.conf"
+//	f2 := "/home/${USER}/myapp.conf"
+//	p := MustLoadFiles([]string{f1, f2}, properties.UTF8, true)
+//
+// All of the different key/value delimiters ' ', ':' and '=' are
+// supported as well as the comment characters '!' and '#' and
+// multi-line values.
+//
+//	! this is a comment
+//	# and so is this
+//
+//	# the following expressions are equal
+//	key value
+//	key=value
+//	key:value
+//	key = value
+//	key : value
+//	key = val\
+//	      ue
+//
+// Properties stores all comments preceding a key and provides
+// GetComments() and SetComments() methods to retrieve and
+// update them. The convenience functions GetComment() and
+// SetComment() allow access to the last comment. The
+// WriteComment() method writes properties files including
+// the comments and with the keys in the original order.
+// This can be used for sanitizing properties files.
+//
+// Property expansion is recursive and circular references
+// and malformed expressions are not allowed and cause an
+// error. Expansion of environment variables is supported.
+//
+//	# standard property
+//	key = value
+//
+//	# property expansion: key2 = value
+//	key2 = ${key}
+//
+//	# recursive expansion: key3 = value
+//	key3 = ${key2}
+//
+//	# circular reference (error)
+//	key = ${key}
+//
+//	# malformed expression (error)
+//	key = ${ke
+//
+//	# refers to the users' home dir
+//	home = ${HOME}
+//
+//	# local key takes precedence over env var: u = foo
+//	USER = foo
+//	u = ${USER}
+//
+// The default property expansion format is ${key} but can be
+// changed by setting different pre- and postfix values on the
+// Properties object.
+//
+//	p := properties.NewProperties()
+//	p.Prefix = "#["
+//	p.Postfix = "]#"
+//
+// Properties provides convenience functions for getting typed
+// values with default values if the key does not exist or the
+// type conversion failed.
+//
+//	# Returns true if the value is either "1", "on", "yes" or "true"
+//	# Returns false for every other value and the default value if
+//	# the key does not exist.
+//	v = p.GetBool("key", false)
+//
+//	# Returns the value if the key exists and the format conversion
+//	# was successful. Otherwise, the default value is returned.
+//	v = p.GetInt64("key", 999)
+//	v = p.GetUint64("key", 999)
+//	v = p.GetFloat64("key", 123.0)
+//	v = p.GetString("key", "def")
+//	v = p.GetDuration("key", 999)
+//
+// As an alternative properties may be applied with the standard
+// library's flag implementation at any time.
+//
+//	# Standard configuration
+//	v = flag.Int("key", 999, "help message")
+//	flag.Parse()
+//
+//	# Merge p into the flag set
+//	p.MustFlag(flag.CommandLine)
+//
+// Properties provides several MustXXX() convenience functions
+// which will terminate the app if an error occurs. The behavior
+// of the failure is configurable and the default is to call
+// log.Fatal(err). To have the MustXXX() functions panic instead
+// of logging the error set a different ErrorHandler before
+// you use the Properties package.
+//
+//	properties.ErrorHandler = properties.PanicHandler
+//
+//	# Will panic instead of logging an error
+//	p := properties.MustLoadFile("config.properties")
+//
+// You can also provide your own ErrorHandler function. The only requirement
+// is that the error handler function must exit after handling the error.
+//
+//	  properties.ErrorHandler = func(err error) {
+//		     fmt.Println(err)
+//	      os.Exit(1)
+//	  }
+//
+//	  # Will write to stdout and then exit
+//	  p := properties.MustLoadFile("config.properties")
+//
+// Properties can also be loaded into a struct via the `Decode`
+// method, e.g.
+//
+//	type S struct {
+//	    A string        `properties:"a,default=foo"`
+//	    D time.Duration `properties:"timeout,default=5s"`
+//	    E time.Time     `properties:"expires,layout=2006-01-02,default=2015-01-01"`
+//	}
+//
+// See `Decode()` method for the full documentation.
+//
+// The following documents provide a description of the properties
+// file format.
+//
+// http://en.wikipedia.org/wiki/.properties
+//
+// http://docs.oracle.com/javase/7/docs/api/java/util/Properties.html#load%28java.io.Reader%29
+package properties
diff --git a/vendor/github.com/magiconair/properties/integrate.go b/vendor/github.com/magiconair/properties/integrate.go
new file mode 100644
index 0000000000..35d0ae97b3
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/integrate.go
@@ -0,0 +1,35 @@
+// Copyright 2013-2022 Frank Schroeder. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package properties
+
+import "flag"
+
+// MustFlag sets flags that are skipped by dst.Parse when p contains
+// the respective key for flag.Flag.Name.
+//
+// It's use is recommended with command line arguments as in:
+//
+//	flag.Parse()
+//	p.MustFlag(flag.CommandLine)
+func (p *Properties) MustFlag(dst *flag.FlagSet) {
+	m := make(map[string]*flag.Flag)
+	dst.VisitAll(func(f *flag.Flag) {
+		m[f.Name] = f
+	})
+	dst.Visit(func(f *flag.Flag) {
+		delete(m, f.Name) // overridden
+	})
+
+	for name, f := range m {
+		v, ok := p.Get(name)
+		if !ok {
+			continue
+		}
+
+		if err := f.Value.Set(v); err != nil {
+			ErrorHandler(err)
+		}
+	}
+}
diff --git a/vendor/github.com/magiconair/properties/lex.go b/vendor/github.com/magiconair/properties/lex.go
new file mode 100644
index 0000000000..3d15a1f6ed
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/lex.go
@@ -0,0 +1,395 @@
+// Copyright 2013-2022 Frank Schroeder. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+//
+// Parts of the lexer are from the template/text/parser package
+// For these parts the following applies:
+//
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file of the go 1.2
+// distribution.
+
+package properties
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+	"unicode/utf8"
+)
+
+// item represents a token or text string returned from the scanner.
+type item struct {
+	typ itemType // The type of this item.
+	pos int      // The starting position, in bytes, of this item in the input string.
+	val string   // The value of this item.
+}
+
+func (i item) String() string {
+	switch {
+	case i.typ == itemEOF:
+		return "EOF"
+	case i.typ == itemError:
+		return i.val
+	case len(i.val) > 10:
+		return fmt.Sprintf("%.10q...", i.val)
+	}
+	return fmt.Sprintf("%q", i.val)
+}
+
+// itemType identifies the type of lex items.
+type itemType int
+
+const (
+	itemError itemType = iota // error occurred; value is text of error
+	itemEOF
+	itemKey     // a key
+	itemValue   // a value
+	itemComment // a comment
+)
+
+// defines a constant for EOF
+const eof = -1
+
+// permitted whitespace characters space, FF and TAB
+const whitespace = " \f\t"
+
+// stateFn represents the state of the scanner as a function that returns the next state.
+type stateFn func(*lexer) stateFn
+
+// lexer holds the state of the scanner.
+type lexer struct {
+	input   string    // the string being scanned
+	state   stateFn   // the next lexing function to enter
+	pos     int       // current position in the input
+	start   int       // start position of this item
+	width   int       // width of last rune read from input
+	lastPos int       // position of most recent item returned by nextItem
+	runes   []rune    // scanned runes for this item
+	items   chan item // channel of scanned items
+}
+
+// next returns the next rune in the input.
+func (l *lexer) next() rune {
+	if l.pos >= len(l.input) {
+		l.width = 0
+		return eof
+	}
+	r, w := utf8.DecodeRuneInString(l.input[l.pos:])
+	l.width = w
+	l.pos += l.width
+	return r
+}
+
+// peek returns but does not consume the next rune in the input.
+func (l *lexer) peek() rune {
+	r := l.next()
+	l.backup()
+	return r
+}
+
+// backup steps back one rune. Can only be called once per call of next.
+func (l *lexer) backup() {
+	l.pos -= l.width
+}
+
+// emit passes an item back to the client.
+func (l *lexer) emit(t itemType) {
+	i := item{t, l.start, string(l.runes)}
+	l.items <- i
+	l.start = l.pos
+	l.runes = l.runes[:0]
+}
+
+// ignore skips over the pending input before this point.
+func (l *lexer) ignore() {
+	l.start = l.pos
+}
+
+// appends the rune to the current value
+func (l *lexer) appendRune(r rune) {
+	l.runes = append(l.runes, r)
+}
+
+// accept consumes the next rune if it's from the valid set.
+func (l *lexer) accept(valid string) bool {
+	if strings.ContainsRune(valid, l.next()) {
+		return true
+	}
+	l.backup()
+	return false
+}
+
+// acceptRun consumes a run of runes from the valid set.
+func (l *lexer) acceptRun(valid string) {
+	for strings.ContainsRune(valid, l.next()) {
+	}
+	l.backup()
+}
+
+// lineNumber reports which line we're on, based on the position of
+// the previous item returned by nextItem. Doing it this way
+// means we don't have to worry about peek double counting.
+func (l *lexer) lineNumber() int {
+	return 1 + strings.Count(l.input[:l.lastPos], "\n")
+}
+
+// errorf returns an error token and terminates the scan by passing
+// back a nil pointer that will be the next state, terminating l.nextItem.
+func (l *lexer) errorf(format string, args ...interface{}) stateFn {
+	l.items <- item{itemError, l.start, fmt.Sprintf(format, args...)}
+	return nil
+}
+
+// nextItem returns the next item from the input.
+func (l *lexer) nextItem() item {
+	i := <-l.items
+	l.lastPos = i.pos
+	return i
+}
+
+// lex creates a new scanner for the input string.
+func lex(input string) *lexer {
+	l := &lexer{
+		input: input,
+		items: make(chan item),
+		runes: make([]rune, 0, 32),
+	}
+	go l.run()
+	return l
+}
+
+// run runs the state machine for the lexer.
+func (l *lexer) run() {
+	for l.state = lexBeforeKey(l); l.state != nil; {
+		l.state = l.state(l)
+	}
+}
+
+// state functions
+
+// lexBeforeKey scans until a key begins.
+func lexBeforeKey(l *lexer) stateFn {
+	switch r := l.next(); {
+	case isEOF(r):
+		l.emit(itemEOF)
+		return nil
+
+	case isEOL(r):
+		l.ignore()
+		return lexBeforeKey
+
+	case isComment(r):
+		return lexComment
+
+	case isWhitespace(r):
+		l.ignore()
+		return lexBeforeKey
+
+	default:
+		l.backup()
+		return lexKey
+	}
+}
+
+// lexComment scans a comment line. The comment character has already been scanned.
+func lexComment(l *lexer) stateFn {
+	l.acceptRun(whitespace)
+	l.ignore()
+	for {
+		switch r := l.next(); {
+		case isEOF(r):
+			l.ignore()
+			l.emit(itemEOF)
+			return nil
+		case isEOL(r):
+			l.emit(itemComment)
+			return lexBeforeKey
+		default:
+			l.appendRune(r)
+		}
+	}
+}
+
+// lexKey scans the key up to a delimiter
+func lexKey(l *lexer) stateFn {
+	var r rune
+
+Loop:
+	for {
+		switch r = l.next(); {
+
+		case isEscape(r):
+			err := l.scanEscapeSequence()
+			if err != nil {
+				return l.errorf(err.Error())
+			}
+
+		case isEndOfKey(r):
+			l.backup()
+			break Loop
+
+		case isEOF(r):
+			break Loop
+
+		default:
+			l.appendRune(r)
+		}
+	}
+
+	if len(l.runes) > 0 {
+		l.emit(itemKey)
+	}
+
+	if isEOF(r) {
+		l.emit(itemEOF)
+		return nil
+	}
+
+	return lexBeforeValue
+}
+
+// lexBeforeValue scans the delimiter between key and value.
+// Leading and trailing whitespace is ignored.
+// We expect to be just after the key.
+func lexBeforeValue(l *lexer) stateFn {
+	l.acceptRun(whitespace)
+	l.accept(":=")
+	l.acceptRun(whitespace)
+	l.ignore()
+	return lexValue
+}
+
+// lexValue scans text until the end of the line. We expect to be just after the delimiter.
+func lexValue(l *lexer) stateFn {
+	for {
+		switch r := l.next(); {
+		case isEscape(r):
+			if isEOL(l.peek()) {
+				l.next()
+				l.acceptRun(whitespace)
+			} else {
+				err := l.scanEscapeSequence()
+				if err != nil {
+					return l.errorf(err.Error())
+				}
+			}
+
+		case isEOL(r):
+			l.emit(itemValue)
+			l.ignore()
+			return lexBeforeKey
+
+		case isEOF(r):
+			l.emit(itemValue)
+			l.emit(itemEOF)
+			return nil
+
+		default:
+			l.appendRune(r)
+		}
+	}
+}
+
+// scanEscapeSequence scans either one of the escaped characters
+// or a unicode literal. We expect to be after the escape character.
+func (l *lexer) scanEscapeSequence() error {
+	switch r := l.next(); {
+
+	case isEscapedCharacter(r):
+		l.appendRune(decodeEscapedCharacter(r))
+		return nil
+
+	case atUnicodeLiteral(r):
+		return l.scanUnicodeLiteral()
+
+	case isEOF(r):
+		return fmt.Errorf("premature EOF")
+
+	// silently drop the escape character and append the rune as is
+	default:
+		l.appendRune(r)
+		return nil
+	}
+}
+
+// scans a unicode literal in the form \uXXXX. We expect to be after the \u.
+func (l *lexer) scanUnicodeLiteral() error {
+	// scan the digits
+	d := make([]rune, 4)
+	for i := 0; i < 4; i++ {
+		d[i] = l.next()
+		if d[i] == eof || !strings.ContainsRune("0123456789abcdefABCDEF", d[i]) {
+			return fmt.Errorf("invalid unicode literal")
+		}
+	}
+
+	// decode the digits into a rune
+	r, err := strconv.ParseInt(string(d), 16, 0)
+	if err != nil {
+		return err
+	}
+
+	l.appendRune(rune(r))
+	return nil
+}
+
+// decodeEscapedCharacter returns the unescaped rune. We expect to be after the escape character.
+func decodeEscapedCharacter(r rune) rune {
+	switch r {
+	case 'f':
+		return '\f'
+	case 'n':
+		return '\n'
+	case 'r':
+		return '\r'
+	case 't':
+		return '\t'
+	default:
+		return r
+	}
+}
+
+// atUnicodeLiteral reports whether we are at a unicode literal.
+// The escape character has already been consumed.
+func atUnicodeLiteral(r rune) bool {
+	return r == 'u'
+}
+
+// isComment reports whether we are at the start of a comment.
+func isComment(r rune) bool {
+	return r == '#' || r == '!'
+}
+
+// isEndOfKey reports whether the rune terminates the current key.
+func isEndOfKey(r rune) bool {
+	return strings.ContainsRune(" \f\t\r\n:=", r)
+}
+
+// isEOF reports whether we are at EOF.
+func isEOF(r rune) bool {
+	return r == eof
+}
+
+// isEOL reports whether we are at a new line character.
+func isEOL(r rune) bool {
+	return r == '\n' || r == '\r'
+}
+
+// isEscape reports whether the rune is the escape character which
+// prefixes unicode literals and other escaped characters.
+func isEscape(r rune) bool {
+	return r == '\\'
+}
+
+// isEscapedCharacter reports whether we are at one of the characters that need escaping.
+// The escape character has already been consumed.
+func isEscapedCharacter(r rune) bool {
+	return strings.ContainsRune(" :=fnrt", r)
+}
+
+// isWhitespace reports whether the rune is a whitespace character.
+func isWhitespace(r rune) bool {
+	return strings.ContainsRune(whitespace, r)
+}
diff --git a/vendor/github.com/magiconair/properties/load.go b/vendor/github.com/magiconair/properties/load.go
new file mode 100644
index 0000000000..6567e0c719
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/load.go
@@ -0,0 +1,314 @@
+// Copyright 2013-2022 Frank Schroeder. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package properties
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+)
+
+// Encoding specifies encoding of the input data.
+type Encoding uint
+
+const (
+	// utf8Default is a private placeholder for the zero value of Encoding to
+	// ensure that it has the correct meaning. UTF8 is the default encoding but
+	// was assigned a non-zero value which cannot be changed without breaking
+	// existing code. Clients should continue to use the public constants.
+	utf8Default Encoding = iota
+
+	// UTF8 interprets the input data as UTF-8.
+	UTF8
+
+	// ISO_8859_1 interprets the input data as ISO-8859-1.
+	ISO_8859_1
+)
+
+type Loader struct {
+	// Encoding determines how the data from files and byte buffers
+	// is interpreted. For URLs the Content-Type header is used
+	// to determine the encoding of the data.
+	Encoding Encoding
+
+	// DisableExpansion configures the property expansion of the
+	// returned property object. When set to true, the property values
+	// will not be expanded and the Property object will not be checked
+	// for invalid expansion expressions.
+	DisableExpansion bool
+
+	// IgnoreMissing configures whether missing files or URLs which return
+	// 404 are reported as errors. When set to true, missing files and 404
+	// status codes are not reported as errors.
+	IgnoreMissing bool
+}
+
+// Load reads a buffer into a Properties struct.
+func (l *Loader) LoadBytes(buf []byte) (*Properties, error) {
+	return l.loadBytes(buf, l.Encoding)
+}
+
+// LoadReader reads an io.Reader into a Properties struct.
+func (l *Loader) LoadReader(r io.Reader) (*Properties, error) {
+	if buf, err := io.ReadAll(r); err != nil {
+		return nil, err
+	} else {
+		return l.loadBytes(buf, l.Encoding)
+	}
+}
+
+// LoadAll reads the content of multiple URLs or files in the given order into
+// a Properties struct. If IgnoreMissing is true then a 404 status code or
+// missing file will not be reported as error. Encoding sets the encoding for
+// files. For the URLs see LoadURL for the Content-Type header and the
+// encoding.
+func (l *Loader) LoadAll(names []string) (*Properties, error) {
+	all := NewProperties()
+	for _, name := range names {
+		n, err := expandName(name)
+		if err != nil {
+			return nil, err
+		}
+
+		var p *Properties
+		switch {
+		case strings.HasPrefix(n, "http://"):
+			p, err = l.LoadURL(n)
+		case strings.HasPrefix(n, "https://"):
+			p, err = l.LoadURL(n)
+		default:
+			p, err = l.LoadFile(n)
+		}
+		if err != nil {
+			return nil, err
+		}
+		all.Merge(p)
+	}
+
+	all.DisableExpansion = l.DisableExpansion
+	if all.DisableExpansion {
+		return all, nil
+	}
+	return all, all.check()
+}
+
+// LoadFile reads a file into a Properties struct.
+// If IgnoreMissing is true then a missing file will not be
+// reported as error.
+func (l *Loader) LoadFile(filename string) (*Properties, error) {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		if l.IgnoreMissing && os.IsNotExist(err) {
+			LogPrintf("properties: %s not found. skipping", filename)
+			return NewProperties(), nil
+		}
+		return nil, err
+	}
+	return l.loadBytes(data, l.Encoding)
+}
+
+// LoadURL reads the content of the URL into a Properties struct.
+//
+// The encoding is determined via the Content-Type header which
+// should be set to 'text/plain'. If the 'charset' parameter is
+// missing, 'iso-8859-1' or 'latin1' the encoding is set to
+// ISO-8859-1. If the 'charset' parameter is set to 'utf-8' the
+// encoding is set to UTF-8. A missing content type header is
+// interpreted as 'text/plain; charset=utf-8'.
+func (l *Loader) LoadURL(url string) (*Properties, error) {
+	resp, err := http.Get(url)
+	if err != nil {
+		return nil, fmt.Errorf("properties: error fetching %q. %s", url, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == 404 && l.IgnoreMissing {
+		LogPrintf("properties: %s returned %d. skipping", url, resp.StatusCode)
+		return NewProperties(), nil
+	}
+
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("properties: %s returned %d", url, resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("properties: %s error reading response. %s", url, err)
+	}
+
+	ct := resp.Header.Get("Content-Type")
+	ct = strings.Join(strings.Fields(ct), "")
+	var enc Encoding
+	switch strings.ToLower(ct) {
+	case "text/plain", "text/plain;charset=iso-8859-1", "text/plain;charset=latin1":
+		enc = ISO_8859_1
+	case "", "text/plain;charset=utf-8":
+		enc = UTF8
+	default:
+		return nil, fmt.Errorf("properties: invalid content type %s", ct)
+	}
+
+	return l.loadBytes(body, enc)
+}
+
+func (l *Loader) loadBytes(buf []byte, enc Encoding) (*Properties, error) {
+	p, err := parse(convert(buf, enc))
+	if err != nil {
+		return nil, err
+	}
+	p.DisableExpansion = l.DisableExpansion
+	if p.DisableExpansion {
+		return p, nil
+	}
+	return p, p.check()
+}
+
+// Load reads a buffer into a Properties struct.
+func Load(buf []byte, enc Encoding) (*Properties, error) {
+	l := &Loader{Encoding: enc}
+	return l.LoadBytes(buf)
+}
+
+// LoadString reads an UTF8 string into a properties struct.
+func LoadString(s string) (*Properties, error) {
+	l := &Loader{Encoding: UTF8}
+	return l.LoadBytes([]byte(s))
+}
+
+// LoadMap creates a new Properties struct from a string map.
+func LoadMap(m map[string]string) *Properties {
+	p := NewProperties()
+	for k, v := range m {
+		p.Set(k, v)
+	}
+	return p
+}
+
+// LoadFile reads a file into a Properties struct.
+func LoadFile(filename string, enc Encoding) (*Properties, error) {
+	l := &Loader{Encoding: enc}
+	return l.LoadAll([]string{filename})
+}
+
+// LoadReader reads an io.Reader into a Properties struct.
+func LoadReader(r io.Reader, enc Encoding) (*Properties, error) {
+	l := &Loader{Encoding: enc}
+	return l.LoadReader(r)
+}
+
+// LoadFiles reads multiple files in the given order into
+// a Properties struct. If 'ignoreMissing' is true then
+// non-existent files will not be reported as error.
+func LoadFiles(filenames []string, enc Encoding, ignoreMissing bool) (*Properties, error) {
+	l := &Loader{Encoding: enc, IgnoreMissing: ignoreMissing}
+	return l.LoadAll(filenames)
+}
+
+// LoadURL reads the content of the URL into a Properties struct.
+// See Loader#LoadURL for details.
+func LoadURL(url string) (*Properties, error) {
+	l := &Loader{Encoding: UTF8}
+	return l.LoadAll([]string{url})
+}
+
+// LoadURLs reads the content of multiple URLs in the given order into a
+// Properties struct. If IgnoreMissing is true then a 404 status code will
+// not be reported as error. See Loader#LoadURL for the Content-Type header
+// and the encoding.
+func LoadURLs(urls []string, ignoreMissing bool) (*Properties, error) {
+	l := &Loader{Encoding: UTF8, IgnoreMissing: ignoreMissing}
+	return l.LoadAll(urls)
+}
+
+// LoadAll reads the content of multiple URLs or files in the given order into a
+// Properties struct. If 'ignoreMissing' is true then a 404 status code or missing file will
+// not be reported as error. Encoding sets the encoding for files. For the URLs please see
+// LoadURL for the Content-Type header and the encoding.
+func LoadAll(names []string, enc Encoding, ignoreMissing bool) (*Properties, error) {
+	l := &Loader{Encoding: enc, IgnoreMissing: ignoreMissing}
+	return l.LoadAll(names)
+}
+
+// MustLoadString reads an UTF8 string into a Properties struct and
+// panics on error.
+func MustLoadString(s string) *Properties {
+	return must(LoadString(s))
+}
+
+// MustLoadSReader reads an io.Reader into a Properties struct and
+// panics on error.
+func MustLoadReader(r io.Reader, enc Encoding) *Properties {
+	return must(LoadReader(r, enc))
+}
+
+// MustLoadFile reads a file into a Properties struct and
+// panics on error.
+func MustLoadFile(filename string, enc Encoding) *Properties {
+	return must(LoadFile(filename, enc))
+}
+
+// MustLoadFiles reads multiple files in the given order into
+// a Properties struct and panics on error. If 'ignoreMissing'
+// is true then non-existent files will not be reported as error.
+func MustLoadFiles(filenames []string, enc Encoding, ignoreMissing bool) *Properties {
+	return must(LoadFiles(filenames, enc, ignoreMissing))
+}
+
+// MustLoadURL reads the content of a URL into a Properties struct and
+// panics on error.
+func MustLoadURL(url string) *Properties {
+	return must(LoadURL(url))
+}
+
+// MustLoadURLs reads the content of multiple URLs in the given order into a
+// Properties struct and panics on error. If 'ignoreMissing' is true then a 404
+// status code will not be reported as error.
+func MustLoadURLs(urls []string, ignoreMissing bool) *Properties {
+	return must(LoadURLs(urls, ignoreMissing))
+}
+
+// MustLoadAll reads the content of multiple URLs or files in the given order into a
+// Properties struct. If 'ignoreMissing' is true then a 404 status code or missing file will
+// not be reported as error. Encoding sets the encoding for files. For the URLs please see
+// LoadURL for the Content-Type header and the encoding. It panics on error.
+func MustLoadAll(names []string, enc Encoding, ignoreMissing bool) *Properties {
+	return must(LoadAll(names, enc, ignoreMissing))
+}
+
+func must(p *Properties, err error) *Properties {
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return p
+}
+
+// expandName expands ${ENV_VAR} expressions in a name.
+// If the environment variable does not exist then it will be replaced
+// with an empty string. Malformed expressions like "${ENV_VAR" will
+// be reported as error.
+func expandName(name string) (string, error) {
+	return expand(name, []string{}, "${", "}", make(map[string]string))
+}
+
+// Interprets a byte buffer either as an ISO-8859-1 or UTF-8 encoded string.
+// For ISO-8859-1 we can convert each byte straight into a rune since the
+// first 256 unicode code points cover ISO-8859-1.
+func convert(buf []byte, enc Encoding) string {
+	switch enc {
+	case utf8Default, UTF8:
+		return string(buf)
+	case ISO_8859_1:
+		runes := make([]rune, len(buf))
+		for i, b := range buf {
+			runes[i] = rune(b)
+		}
+		return string(runes)
+	default:
+		ErrorHandler(fmt.Errorf("unsupported encoding %v", enc))
+	}
+	panic("ErrorHandler should exit")
+}
diff --git a/vendor/github.com/magiconair/properties/parser.go b/vendor/github.com/magiconair/properties/parser.go
new file mode 100644
index 0000000000..fccfd39f6b
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/parser.go
@@ -0,0 +1,86 @@
+// Copyright 2013-2022 Frank Schroeder. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package properties
+
+import (
+	"fmt"
+	"runtime"
+)
+
+type parser struct {
+	lex *lexer
+}
+
+func parse(input string) (properties *Properties, err error) {
+	p := &parser{lex: lex(input)}
+	defer p.recover(&err)
+
+	properties = NewProperties()
+	key := ""
+	comments := []string{}
+
+	for {
+		token := p.expectOneOf(itemComment, itemKey, itemEOF)
+		switch token.typ {
+		case itemEOF:
+			goto done
+		case itemComment:
+			comments = append(comments, token.val)
+			continue
+		case itemKey:
+			key = token.val
+			if _, ok := properties.m[key]; !ok {
+				properties.k = append(properties.k, key)
+			}
+		}
+
+		token = p.expectOneOf(itemValue, itemEOF)
+		if len(comments) > 0 {
+			properties.c[key] = comments
+			comments = []string{}
+		}
+		switch token.typ {
+		case itemEOF:
+			properties.m[key] = ""
+			goto done
+		case itemValue:
+			properties.m[key] = token.val
+		}
+	}
+
+done:
+	return properties, nil
+}
+
+func (p *parser) errorf(format string, args ...interface{}) {
+	format = fmt.Sprintf("properties: Line %d: %s", p.lex.lineNumber(), format)
+	panic(fmt.Errorf(format, args...))
+}
+
+func (p *parser) expectOneOf(expected ...itemType) (token item) {
+	token = p.lex.nextItem()
+	for _, v := range expected {
+		if token.typ == v {
+			return token
+		}
+	}
+	p.unexpected(token)
+	panic("unexpected token")
+}
+
+func (p *parser) unexpected(token item) {
+	p.errorf(token.String())
+}
+
+// recover is the handler that turns panics into returns from the top level of Parse.
+func (p *parser) recover(errp *error) {
+	e := recover()
+	if e != nil {
+		if _, ok := e.(runtime.Error); ok {
+			panic(e)
+		}
+		*errp = e.(error)
+	}
+}
diff --git a/vendor/github.com/magiconair/properties/properties.go b/vendor/github.com/magiconair/properties/properties.go
new file mode 100644
index 0000000000..fb2f7b4048
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/properties.go
@@ -0,0 +1,848 @@
+// Copyright 2013-2022 Frank Schroeder. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package properties
+
+// BUG(frank): Set() does not check for invalid unicode literals since this is currently handled by the lexer.
+// BUG(frank): Write() does not allow to configure the newline character. Therefore, on Windows LF is used.
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+	"unicode/utf8"
+)
+
+const maxExpansionDepth = 64
+
+// ErrorHandlerFunc defines the type of function which handles failures
+// of the MustXXX() functions. An error handler function must exit
+// the application after handling the error.
+type ErrorHandlerFunc func(error)
+
+// ErrorHandler is the function which handles failures of the MustXXX()
+// functions. The default is LogFatalHandler.
+var ErrorHandler ErrorHandlerFunc = LogFatalHandler
+
+// LogHandlerFunc defines the function prototype for logging errors.
+type LogHandlerFunc func(fmt string, args ...interface{})
+
+// LogPrintf defines a log handler which uses log.Printf.
+var LogPrintf LogHandlerFunc = log.Printf
+
+// LogFatalHandler handles the error by logging a fatal error and exiting.
+func LogFatalHandler(err error) {
+	log.Fatal(err)
+}
+
+// PanicHandler handles the error by panicking.
+func PanicHandler(err error) {
+	panic(err)
+}
+
+// -----------------------------------------------------------------------------
+
+// A Properties contains the key/value pairs from the properties input.
+// All values are stored in unexpanded form and are expanded at runtime
+type Properties struct {
+	// Pre-/Postfix for property expansion.
+	Prefix  string
+	Postfix string
+
+	// DisableExpansion controls the expansion of properties on Get()
+	// and the check for circular references on Set(). When set to
+	// true Properties behaves like a simple key/value store and does
+	// not check for circular references on Get() or on Set().
+	DisableExpansion bool
+
+	// Stores the key/value pairs
+	m map[string]string
+
+	// Stores the comments per key.
+	c map[string][]string
+
+	// Stores the keys in order of appearance.
+	k []string
+
+	// WriteSeparator specifies the separator of key and value while writing the properties.
+	WriteSeparator string
+}
+
+// NewProperties creates a new Properties struct with the default
+// configuration for "${key}" expressions.
+func NewProperties() *Properties {
+	return &Properties{
+		Prefix:  "${",
+		Postfix: "}",
+		m:       map[string]string{},
+		c:       map[string][]string{},
+		k:       []string{},
+	}
+}
+
+// Load reads a buffer into the given Properties struct.
+func (p *Properties) Load(buf []byte, enc Encoding) error {
+	l := &Loader{Encoding: enc, DisableExpansion: p.DisableExpansion}
+	newProperties, err := l.LoadBytes(buf)
+	if err != nil {
+		return err
+	}
+	p.Merge(newProperties)
+	return nil
+}
+
+// Get returns the expanded value for the given key if exists.
+// Otherwise, ok is false.
+func (p *Properties) Get(key string) (value string, ok bool) {
+	v, ok := p.m[key]
+	if p.DisableExpansion {
+		return v, ok
+	}
+	if !ok {
+		return "", false
+	}
+
+	expanded, err := p.expand(key, v)
+
+	// we guarantee that the expanded value is free of
+	// circular references and malformed expressions
+	// so we panic if we still get an error here.
+	if err != nil {
+		ErrorHandler(err)
+	}
+
+	return expanded, true
+}
+
+// MustGet returns the expanded value for the given key if exists.
+// Otherwise, it panics.
+func (p *Properties) MustGet(key string) string {
+	if v, ok := p.Get(key); ok {
+		return v
+	}
+	ErrorHandler(invalidKeyError(key))
+	panic("ErrorHandler should exit")
+}
+
+// ----------------------------------------------------------------------------
+
+// ClearComments removes the comments for all keys.
+func (p *Properties) ClearComments() {
+	p.c = map[string][]string{}
+}
+
+// ----------------------------------------------------------------------------
+
+// GetComment returns the last comment before the given key or an empty string.
+func (p *Properties) GetComment(key string) string {
+	comments, ok := p.c[key]
+	if !ok || len(comments) == 0 {
+		return ""
+	}
+	return comments[len(comments)-1]
+}
+
+// ----------------------------------------------------------------------------
+
+// GetComments returns all comments that appeared before the given key or nil.
+func (p *Properties) GetComments(key string) []string {
+	if comments, ok := p.c[key]; ok {
+		return comments
+	}
+	return nil
+}
+
+// ----------------------------------------------------------------------------
+
+// SetComment sets the comment for the key.
+func (p *Properties) SetComment(key, comment string) {
+	p.c[key] = []string{comment}
+}
+
+// ----------------------------------------------------------------------------
+
+// SetComments sets the comments for the key. If the comments are nil then
+// all comments for this key are deleted.
+func (p *Properties) SetComments(key string, comments []string) {
+	if comments == nil {
+		delete(p.c, key)
+		return
+	}
+	p.c[key] = comments
+}
+
+// ----------------------------------------------------------------------------
+
+// GetBool checks if the expanded value is one of '1', 'yes',
+// 'true' or 'on' if the key exists. The comparison is case-insensitive.
+// If the key does not exist the default value is returned.
+func (p *Properties) GetBool(key string, def bool) bool {
+	v, err := p.getBool(key)
+	if err != nil {
+		return def
+	}
+	return v
+}
+
+// MustGetBool checks if the expanded value is one of '1', 'yes',
+// 'true' or 'on' if the key exists. The comparison is case-insensitive.
+// If the key does not exist the function panics.
+func (p *Properties) MustGetBool(key string) bool {
+	v, err := p.getBool(key)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return v
+}
+
+func (p *Properties) getBool(key string) (value bool, err error) {
+	if v, ok := p.Get(key); ok {
+		return boolVal(v), nil
+	}
+	return false, invalidKeyError(key)
+}
+
+func boolVal(v string) bool {
+	v = strings.ToLower(v)
+	return v == "1" || v == "true" || v == "yes" || v == "on"
+}
+
+// ----------------------------------------------------------------------------
+
+// GetDuration parses the expanded value as an time.Duration (in ns) if the
+// key exists. If key does not exist or the value cannot be parsed the default
+// value is returned. In almost all cases you want to use GetParsedDuration().
+func (p *Properties) GetDuration(key string, def time.Duration) time.Duration {
+	v, err := p.getInt64(key)
+	if err != nil {
+		return def
+	}
+	return time.Duration(v)
+}
+
+// MustGetDuration parses the expanded value as an time.Duration (in ns) if
+// the key exists. If key does not exist or the value cannot be parsed the
+// function panics. In almost all cases you want to use MustGetParsedDuration().
+func (p *Properties) MustGetDuration(key string) time.Duration {
+	v, err := p.getInt64(key)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return time.Duration(v)
+}
+
+// ----------------------------------------------------------------------------
+
+// GetParsedDuration parses the expanded value with time.ParseDuration() if the key exists.
+// If key does not exist or the value cannot be parsed the default
+// value is returned.
+func (p *Properties) GetParsedDuration(key string, def time.Duration) time.Duration {
+	s, ok := p.Get(key)
+	if !ok {
+		return def
+	}
+	v, err := time.ParseDuration(s)
+	if err != nil {
+		return def
+	}
+	return v
+}
+
+// MustGetParsedDuration parses the expanded value with time.ParseDuration() if the key exists.
+// If key does not exist or the value cannot be parsed the function panics.
+func (p *Properties) MustGetParsedDuration(key string) time.Duration {
+	s, ok := p.Get(key)
+	if !ok {
+		ErrorHandler(invalidKeyError(key))
+	}
+	v, err := time.ParseDuration(s)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return v
+}
+
+// ----------------------------------------------------------------------------
+
+// GetFloat64 parses the expanded value as a float64 if the key exists.
+// If key does not exist or the value cannot be parsed the default
+// value is returned.
+func (p *Properties) GetFloat64(key string, def float64) float64 {
+	v, err := p.getFloat64(key)
+	if err != nil {
+		return def
+	}
+	return v
+}
+
+// MustGetFloat64 parses the expanded value as a float64 if the key exists.
+// If key does not exist or the value cannot be parsed the function panics.
+func (p *Properties) MustGetFloat64(key string) float64 {
+	v, err := p.getFloat64(key)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return v
+}
+
+func (p *Properties) getFloat64(key string) (value float64, err error) {
+	if v, ok := p.Get(key); ok {
+		value, err = strconv.ParseFloat(v, 64)
+		if err != nil {
+			return 0, err
+		}
+		return value, nil
+	}
+	return 0, invalidKeyError(key)
+}
+
+// ----------------------------------------------------------------------------
+
+// GetInt parses the expanded value as an int if the key exists.
+// If key does not exist or the value cannot be parsed the default
+// value is returned. If the value does not fit into an int the
+// function panics with an out of range error.
+func (p *Properties) GetInt(key string, def int) int {
+	v, err := p.getInt64(key)
+	if err != nil {
+		return def
+	}
+	return intRangeCheck(key, v)
+}
+
+// MustGetInt parses the expanded value as an int if the key exists.
+// If key does not exist or the value cannot be parsed the function panics.
+// If the value does not fit into an int the function panics with
+// an out of range error.
+func (p *Properties) MustGetInt(key string) int {
+	v, err := p.getInt64(key)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return intRangeCheck(key, v)
+}
+
+// ----------------------------------------------------------------------------
+
+// GetInt64 parses the expanded value as an int64 if the key exists.
+// If key does not exist or the value cannot be parsed the default
+// value is returned.
+func (p *Properties) GetInt64(key string, def int64) int64 {
+	v, err := p.getInt64(key)
+	if err != nil {
+		return def
+	}
+	return v
+}
+
+// MustGetInt64 parses the expanded value as an int if the key exists.
+// If key does not exist or the value cannot be parsed the function panics.
+func (p *Properties) MustGetInt64(key string) int64 {
+	v, err := p.getInt64(key)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return v
+}
+
+func (p *Properties) getInt64(key string) (value int64, err error) {
+	if v, ok := p.Get(key); ok {
+		value, err = strconv.ParseInt(v, 10, 64)
+		if err != nil {
+			return 0, err
+		}
+		return value, nil
+	}
+	return 0, invalidKeyError(key)
+}
+
+// ----------------------------------------------------------------------------
+
+// GetUint parses the expanded value as an uint if the key exists.
+// If key does not exist or the value cannot be parsed the default
+// value is returned. If the value does not fit into an int the
+// function panics with an out of range error.
+func (p *Properties) GetUint(key string, def uint) uint {
+	v, err := p.getUint64(key)
+	if err != nil {
+		return def
+	}
+	return uintRangeCheck(key, v)
+}
+
+// MustGetUint parses the expanded value as an int if the key exists.
+// If key does not exist or the value cannot be parsed the function panics.
+// If the value does not fit into an int the function panics with
+// an out of range error.
+func (p *Properties) MustGetUint(key string) uint {
+	v, err := p.getUint64(key)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return uintRangeCheck(key, v)
+}
+
+// ----------------------------------------------------------------------------
+
+// GetUint64 parses the expanded value as an uint64 if the key exists.
+// If key does not exist or the value cannot be parsed the default
+// value is returned.
+func (p *Properties) GetUint64(key string, def uint64) uint64 {
+	v, err := p.getUint64(key)
+	if err != nil {
+		return def
+	}
+	return v
+}
+
+// MustGetUint64 parses the expanded value as an int if the key exists.
+// If key does not exist or the value cannot be parsed the function panics.
+func (p *Properties) MustGetUint64(key string) uint64 {
+	v, err := p.getUint64(key)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return v
+}
+
+func (p *Properties) getUint64(key string) (value uint64, err error) {
+	if v, ok := p.Get(key); ok {
+		value, err = strconv.ParseUint(v, 10, 64)
+		if err != nil {
+			return 0, err
+		}
+		return value, nil
+	}
+	return 0, invalidKeyError(key)
+}
+
+// ----------------------------------------------------------------------------
+
+// GetString returns the expanded value for the given key if exists or
+// the default value otherwise.
+func (p *Properties) GetString(key, def string) string {
+	if v, ok := p.Get(key); ok {
+		return v
+	}
+	return def
+}
+
+// MustGetString returns the expanded value for the given key if exists or
+// panics otherwise.
+func (p *Properties) MustGetString(key string) string {
+	if v, ok := p.Get(key); ok {
+		return v
+	}
+	ErrorHandler(invalidKeyError(key))
+	panic("ErrorHandler should exit")
+}
+
+// ----------------------------------------------------------------------------
+
+// Filter returns a new properties object which contains all properties
+// for which the key matches the pattern.
+func (p *Properties) Filter(pattern string) (*Properties, error) {
+	re, err := regexp.Compile(pattern)
+	if err != nil {
+		return nil, err
+	}
+
+	return p.FilterRegexp(re), nil
+}
+
+// FilterRegexp returns a new properties object which contains all properties
+// for which the key matches the regular expression.
+func (p *Properties) FilterRegexp(re *regexp.Regexp) *Properties {
+	pp := NewProperties()
+	for _, k := range p.k {
+		if re.MatchString(k) {
+			// TODO(fs): we are ignoring the error which flags a circular reference.
+			// TODO(fs): since we are just copying a subset of keys this cannot happen (fingers crossed)
+			pp.Set(k, p.m[k])
+		}
+	}
+	return pp
+}
+
+// FilterPrefix returns a new properties object with a subset of all keys
+// with the given prefix.
+func (p *Properties) FilterPrefix(prefix string) *Properties {
+	pp := NewProperties()
+	for _, k := range p.k {
+		if strings.HasPrefix(k, prefix) {
+			// TODO(fs): we are ignoring the error which flags a circular reference.
+			// TODO(fs): since we are just copying a subset of keys this cannot happen (fingers crossed)
+			pp.Set(k, p.m[k])
+		}
+	}
+	return pp
+}
+
+// FilterStripPrefix returns a new properties object with a subset of all keys
+// with the given prefix and the prefix removed from the keys.
+func (p *Properties) FilterStripPrefix(prefix string) *Properties {
+	pp := NewProperties()
+	n := len(prefix)
+	for _, k := range p.k {
+		if len(k) > len(prefix) && strings.HasPrefix(k, prefix) {
+			// TODO(fs): we are ignoring the error which flags a circular reference.
+			// TODO(fs): since we are modifying keys I am not entirely sure whether we can create a circular reference
+			// TODO(fs): this function should probably return an error but the signature is fixed
+			pp.Set(k[n:], p.m[k])
+		}
+	}
+	return pp
+}
+
+// Len returns the number of keys.
+func (p *Properties) Len() int {
+	return len(p.m)
+}
+
+// Keys returns all keys in the same order as in the input.
+func (p *Properties) Keys() []string {
+	keys := make([]string, len(p.k))
+	copy(keys, p.k)
+	return keys
+}
+
+// Set sets the property key to the corresponding value.
+// If a value for key existed before then ok is true and prev
+// contains the previous value. If the value contains a
+// circular reference or a malformed expression then
+// an error is returned.
+// An empty key is silently ignored.
+func (p *Properties) Set(key, value string) (prev string, ok bool, err error) {
+	if key == "" {
+		return "", false, nil
+	}
+
+	// if expansion is disabled we allow circular references
+	if p.DisableExpansion {
+		prev, ok = p.Get(key)
+		p.m[key] = value
+		if !ok {
+			p.k = append(p.k, key)
+		}
+		return prev, ok, nil
+	}
+
+	// to check for a circular reference we temporarily need
+	// to set the new value. If there is an error then revert
+	// to the previous state. Only if all tests are successful
+	// then we add the key to the p.k list.
+	prev, ok = p.Get(key)
+	p.m[key] = value
+
+	// now check for a circular reference
+	_, err = p.expand(key, value)
+	if err != nil {
+
+		// revert to the previous state
+		if ok {
+			p.m[key] = prev
+		} else {
+			delete(p.m, key)
+		}
+
+		return "", false, err
+	}
+
+	if !ok {
+		p.k = append(p.k, key)
+	}
+
+	return prev, ok, nil
+}
+
+// SetValue sets property key to the default string value
+// as defined by fmt.Sprintf("%v").
+func (p *Properties) SetValue(key string, value interface{}) error {
+	_, _, err := p.Set(key, fmt.Sprintf("%v", value))
+	return err
+}
+
+// MustSet sets the property key to the corresponding value.
+// If a value for key existed before then ok is true and prev
+// contains the previous value. An empty key is silently ignored.
+func (p *Properties) MustSet(key, value string) (prev string, ok bool) {
+	prev, ok, err := p.Set(key, value)
+	if err != nil {
+		ErrorHandler(err)
+	}
+	return prev, ok
+}
+
+// String returns a string of all expanded 'key = value' pairs.
+func (p *Properties) String() string {
+	var s string
+	for _, key := range p.k {
+		value, _ := p.Get(key)
+		s = fmt.Sprintf("%s%s = %s\n", s, key, value)
+	}
+	return s
+}
+
+// Sort sorts the properties keys in alphabetical order.
+// This is helpfully before writing the properties.
+func (p *Properties) Sort() {
+	sort.Strings(p.k)
+}
+
+// Write writes all unexpanded 'key = value' pairs to the given writer.
+// Write returns the number of bytes written and any write error encountered.
+func (p *Properties) Write(w io.Writer, enc Encoding) (n int, err error) {
+	return p.WriteComment(w, "", enc)
+}
+
+// WriteComment writes all unexpanced 'key = value' pairs to the given writer.
+// If prefix is not empty then comments are written with a blank line and the
+// given prefix. The prefix should be either "# " or "! " to be compatible with
+// the properties file format. Otherwise, the properties parser will not be
+// able to read the file back in. It returns the number of bytes written and
+// any write error encountered.
+func (p *Properties) WriteComment(w io.Writer, prefix string, enc Encoding) (n int, err error) {
+	var x int
+
+	for _, key := range p.k {
+		value := p.m[key]
+
+		if prefix != "" {
+			if comments, ok := p.c[key]; ok {
+				// don't print comments if they are all empty
+				allEmpty := true
+				for _, c := range comments {
+					if c != "" {
+						allEmpty = false
+						break
+					}
+				}
+
+				if !allEmpty {
+					// add a blank line between entries but not at the top
+					if len(comments) > 0 && n > 0 {
+						x, err = fmt.Fprintln(w)
+						if err != nil {
+							return
+						}
+						n += x
+					}
+
+					for _, c := range comments {
+						x, err = fmt.Fprintf(w, "%s%s\n", prefix, c)
+						if err != nil {
+							return
+						}
+						n += x
+					}
+				}
+			}
+		}
+		sep := " = "
+		if p.WriteSeparator != "" {
+			sep = p.WriteSeparator
+		}
+		x, err = fmt.Fprintf(w, "%s%s%s\n", encode(key, " :", enc), sep, encode(value, "", enc))
+		if err != nil {
+			return
+		}
+		n += x
+	}
+	return
+}
+
+// Map returns a copy of the properties as a map.
+func (p *Properties) Map() map[string]string {
+	m := make(map[string]string)
+	for k, v := range p.m {
+		m[k] = v
+	}
+	return m
+}
+
+// FilterFunc returns a copy of the properties which includes the values which passed all filters.
+func (p *Properties) FilterFunc(filters ...func(k, v string) bool) *Properties {
+	pp := NewProperties()
+outer:
+	for k, v := range p.m {
+		for _, f := range filters {
+			if !f(k, v) {
+				continue outer
+			}
+			pp.Set(k, v)
+		}
+	}
+	return pp
+}
+
+// ----------------------------------------------------------------------------
+
+// Delete removes the key and its comments.
+func (p *Properties) Delete(key string) {
+	delete(p.m, key)
+	delete(p.c, key)
+	newKeys := []string{}
+	for _, k := range p.k {
+		if k != key {
+			newKeys = append(newKeys, k)
+		}
+	}
+	p.k = newKeys
+}
+
+// Merge merges properties, comments and keys from other *Properties into p
+func (p *Properties) Merge(other *Properties) {
+	for _, k := range other.k {
+		if _, ok := p.m[k]; !ok {
+			p.k = append(p.k, k)
+		}
+	}
+	for k, v := range other.m {
+		p.m[k] = v
+	}
+	for k, v := range other.c {
+		p.c[k] = v
+	}
+}
+
+// ----------------------------------------------------------------------------
+
+// check expands all values and returns an error if a circular reference or
+// a malformed expression was found.
+func (p *Properties) check() error {
+	for key, value := range p.m {
+		if _, err := p.expand(key, value); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (p *Properties) expand(key, input string) (string, error) {
+	// no pre/postfix -> nothing to expand
+	if p.Prefix == "" && p.Postfix == "" {
+		return input, nil
+	}
+
+	return expand(input, []string{key}, p.Prefix, p.Postfix, p.m)
+}
+
+// expand recursively expands expressions of '(prefix)key(postfix)' to their corresponding values.
+// The function keeps track of the keys that were already expanded and stops if it
+// detects a circular reference or a malformed expression of the form '(prefix)key'.
+func expand(s string, keys []string, prefix, postfix string, values map[string]string) (string, error) {
+	if len(keys) > maxExpansionDepth {
+		return "", fmt.Errorf("expansion too deep")
+	}
+
+	for {
+		start := strings.Index(s, prefix)
+		if start == -1 {
+			return s, nil
+		}
+
+		keyStart := start + len(prefix)
+		keyLen := strings.Index(s[keyStart:], postfix)
+		if keyLen == -1 {
+			return "", fmt.Errorf("malformed expression")
+		}
+
+		end := keyStart + keyLen + len(postfix) - 1
+		key := s[keyStart : keyStart+keyLen]
+
+		// fmt.Printf("s:%q pp:%q start:%d end:%d keyStart:%d keyLen:%d key:%q\n", s, prefix + "..." + postfix, start, end, keyStart, keyLen, key)
+
+		for _, k := range keys {
+			if key == k {
+				var b bytes.Buffer
+				b.WriteString("circular reference in:\n")
+				for _, k1 := range keys {
+					fmt.Fprintf(&b, "%s=%s\n", k1, values[k1])
+				}
+				return "", fmt.Errorf(b.String())
+			}
+		}
+
+		val, ok := values[key]
+		if !ok {
+			val = os.Getenv(key)
+		}
+		new_val, err := expand(val, append(keys, key), prefix, postfix, values)
+		if err != nil {
+			return "", err
+		}
+		s = s[:start] + new_val + s[end+1:]
+	}
+}
+
+// encode encodes a UTF-8 string to ISO-8859-1 and escapes some characters.
+func encode(s string, special string, enc Encoding) string {
+	switch enc {
+	case UTF8:
+		return encodeUtf8(s, special)
+	case ISO_8859_1:
+		return encodeIso(s, special)
+	default:
+		panic(fmt.Sprintf("unsupported encoding %v", enc))
+	}
+}
+
+func encodeUtf8(s string, special string) string {
+	v := ""
+	for pos := 0; pos < len(s); {
+		r, w := utf8.DecodeRuneInString(s[pos:])
+		pos += w
+		v += escape(r, special)
+	}
+	return v
+}
+
+func encodeIso(s string, special string) string {
+	var r rune
+	var w int
+	var v string
+	for pos := 0; pos < len(s); {
+		switch r, w = utf8.DecodeRuneInString(s[pos:]); {
+		case r < 1<<8: // single byte rune -> escape special chars only
+			v += escape(r, special)
+		case r < 1<<16: // two byte rune -> unicode literal
+			v += fmt.Sprintf("\\u%04x", r)
+		default: // more than two bytes per rune -> can't encode
+			v += "?"
+		}
+		pos += w
+	}
+	return v
+}
+
+func escape(r rune, special string) string {
+	switch r {
+	case '\f':
+		return "\\f"
+	case '\n':
+		return "\\n"
+	case '\r':
+		return "\\r"
+	case '\t':
+		return "\\t"
+	case '\\':
+		return "\\\\"
+	default:
+		if strings.ContainsRune(special, r) {
+			return "\\" + string(r)
+		}
+		return string(r)
+	}
+}
+
+func invalidKeyError(key string) error {
+	return fmt.Errorf("unknown property: %s", key)
+}
diff --git a/vendor/github.com/magiconair/properties/rangecheck.go b/vendor/github.com/magiconair/properties/rangecheck.go
new file mode 100644
index 0000000000..dbd60b36e7
--- /dev/null
+++ b/vendor/github.com/magiconair/properties/rangecheck.go
@@ -0,0 +1,31 @@
+// Copyright 2013-2022 Frank Schroeder. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package properties
+
+import (
+	"fmt"
+	"math"
+)
+
+// make this a var to overwrite it in a test
+var is32Bit = ^uint(0) == math.MaxUint32
+
+// intRangeCheck checks if the value fits into the int type and
+// panics if it does not.
+func intRangeCheck(key string, v int64) int {
+	if is32Bit && (v < math.MinInt32 || v > math.MaxInt32) {
+		panic(fmt.Sprintf("Value %d for key %s out of range", v, key))
+	}
+	return int(v)
+}
+
+// uintRangeCheck checks if the value fits into the uint type and
+// panics if it does not.
+func uintRangeCheck(key string, v uint64) uint {
+	if is32Bit && v > math.MaxUint32 {
+		panic(fmt.Sprintf("Value %d for key %s out of range", v, key))
+	}
+	return uint(v)
+}
diff --git a/vendor/github.com/mailru/easyjson/buffer/pool.go b/vendor/github.com/mailru/easyjson/buffer/pool.go
deleted file mode 100644
index 598a54af9d..0000000000
--- a/vendor/github.com/mailru/easyjson/buffer/pool.go
+++ /dev/null
@@ -1,278 +0,0 @@
-// Package buffer implements a buffer for serialization, consisting of a chain of []byte-s to
-// reduce copying and to allow reuse of individual chunks.
-package buffer
-
-import (
-	"io"
-	"net"
-	"sync"
-)
-
-// PoolConfig contains configuration for the allocation and reuse strategy.
-type PoolConfig struct {
-	StartSize  int // Minimum chunk size that is allocated.
-	PooledSize int // Minimum chunk size that is reused, reusing chunks too small will result in overhead.
-	MaxSize    int // Maximum chunk size that will be allocated.
-}
-
-var config = PoolConfig{
-	StartSize:  128,
-	PooledSize: 512,
-	MaxSize:    32768,
-}
-
-// Reuse pool: chunk size -> pool.
-var buffers = map[int]*sync.Pool{}
-
-func initBuffers() {
-	for l := config.PooledSize; l <= config.MaxSize; l *= 2 {
-		buffers[l] = new(sync.Pool)
-	}
-}
-
-func init() {
-	initBuffers()
-}
-
-// Init sets up a non-default pooling and allocation strategy. Should be run before serialization is done.
-func Init(cfg PoolConfig) {
-	config = cfg
-	initBuffers()
-}
-
-// putBuf puts a chunk to reuse pool if it can be reused.
-func putBuf(buf []byte) {
-	size := cap(buf)
-	if size < config.PooledSize {
-		return
-	}
-	if c := buffers[size]; c != nil {
-		c.Put(buf[:0])
-	}
-}
-
-// getBuf gets a chunk from reuse pool or creates a new one if reuse failed.
-func getBuf(size int) []byte {
-	if size >= config.PooledSize {
-		if c := buffers[size]; c != nil {
-			v := c.Get()
-			if v != nil {
-				return v.([]byte)
-			}
-		}
-	}
-	return make([]byte, 0, size)
-}
-
-// Buffer is a buffer optimized for serialization without extra copying.
-type Buffer struct {
-
-	// Buf is the current chunk that can be used for serialization.
-	Buf []byte
-
-	toPool []byte
-	bufs   [][]byte
-}
-
-// EnsureSpace makes sure that the current chunk contains at least s free bytes,
-// possibly creating a new chunk.
-func (b *Buffer) EnsureSpace(s int) {
-	if cap(b.Buf)-len(b.Buf) < s {
-		b.ensureSpaceSlow(s)
-	}
-}
-
-func (b *Buffer) ensureSpaceSlow(s int) {
-	l := len(b.Buf)
-	if l > 0 {
-		if cap(b.toPool) != cap(b.Buf) {
-			// Chunk was reallocated, toPool can be pooled.
-			putBuf(b.toPool)
-		}
-		if cap(b.bufs) == 0 {
-			b.bufs = make([][]byte, 0, 8)
-		}
-		b.bufs = append(b.bufs, b.Buf)
-		l = cap(b.toPool) * 2
-	} else {
-		l = config.StartSize
-	}
-
-	if l > config.MaxSize {
-		l = config.MaxSize
-	}
-	b.Buf = getBuf(l)
-	b.toPool = b.Buf
-}
-
-// AppendByte appends a single byte to buffer.
-func (b *Buffer) AppendByte(data byte) {
-	b.EnsureSpace(1)
-	b.Buf = append(b.Buf, data)
-}
-
-// AppendBytes appends a byte slice to buffer.
-func (b *Buffer) AppendBytes(data []byte) {
-	if len(data) <= cap(b.Buf)-len(b.Buf) {
-		b.Buf = append(b.Buf, data...) // fast path
-	} else {
-		b.appendBytesSlow(data)
-	}
-}
-
-func (b *Buffer) appendBytesSlow(data []byte) {
-	for len(data) > 0 {
-		b.EnsureSpace(1)
-
-		sz := cap(b.Buf) - len(b.Buf)
-		if sz > len(data) {
-			sz = len(data)
-		}
-
-		b.Buf = append(b.Buf, data[:sz]...)
-		data = data[sz:]
-	}
-}
-
-// AppendString appends a string to buffer.
-func (b *Buffer) AppendString(data string) {
-	if len(data) <= cap(b.Buf)-len(b.Buf) {
-		b.Buf = append(b.Buf, data...) // fast path
-	} else {
-		b.appendStringSlow(data)
-	}
-}
-
-func (b *Buffer) appendStringSlow(data string) {
-	for len(data) > 0 {
-		b.EnsureSpace(1)
-
-		sz := cap(b.Buf) - len(b.Buf)
-		if sz > len(data) {
-			sz = len(data)
-		}
-
-		b.Buf = append(b.Buf, data[:sz]...)
-		data = data[sz:]
-	}
-}
-
-// Size computes the size of a buffer by adding sizes of every chunk.
-func (b *Buffer) Size() int {
-	size := len(b.Buf)
-	for _, buf := range b.bufs {
-		size += len(buf)
-	}
-	return size
-}
-
-// DumpTo outputs the contents of a buffer to a writer and resets the buffer.
-func (b *Buffer) DumpTo(w io.Writer) (written int, err error) {
-	bufs := net.Buffers(b.bufs)
-	if len(b.Buf) > 0 {
-		bufs = append(bufs, b.Buf)
-	}
-	n, err := bufs.WriteTo(w)
-
-	for _, buf := range b.bufs {
-		putBuf(buf)
-	}
-	putBuf(b.toPool)
-
-	b.bufs = nil
-	b.Buf = nil
-	b.toPool = nil
-
-	return int(n), err
-}
-
-// BuildBytes creates a single byte slice with all the contents of the buffer. Data is
-// copied if it does not fit in a single chunk. You can optionally provide one byte
-// slice as argument that it will try to reuse.
-func (b *Buffer) BuildBytes(reuse ...[]byte) []byte {
-	if len(b.bufs) == 0 {
-		ret := b.Buf
-		b.toPool = nil
-		b.Buf = nil
-		return ret
-	}
-
-	var ret []byte
-	size := b.Size()
-
-	// If we got a buffer as argument and it is big enough, reuse it.
-	if len(reuse) == 1 && cap(reuse[0]) >= size {
-		ret = reuse[0][:0]
-	} else {
-		ret = make([]byte, 0, size)
-	}
-	for _, buf := range b.bufs {
-		ret = append(ret, buf...)
-		putBuf(buf)
-	}
-
-	ret = append(ret, b.Buf...)
-	putBuf(b.toPool)
-
-	b.bufs = nil
-	b.toPool = nil
-	b.Buf = nil
-
-	return ret
-}
-
-type readCloser struct {
-	offset int
-	bufs   [][]byte
-}
-
-func (r *readCloser) Read(p []byte) (n int, err error) {
-	for _, buf := range r.bufs {
-		// Copy as much as we can.
-		x := copy(p[n:], buf[r.offset:])
-		n += x // Increment how much we filled.
-
-		// Did we empty the whole buffer?
-		if r.offset+x == len(buf) {
-			// On to the next buffer.
-			r.offset = 0
-			r.bufs = r.bufs[1:]
-
-			// We can release this buffer.
-			putBuf(buf)
-		} else {
-			r.offset += x
-		}
-
-		if n == len(p) {
-			break
-		}
-	}
-	// No buffers left or nothing read?
-	if len(r.bufs) == 0 {
-		err = io.EOF
-	}
-	return
-}
-
-func (r *readCloser) Close() error {
-	// Release all remaining buffers.
-	for _, buf := range r.bufs {
-		putBuf(buf)
-	}
-	// In case Close gets called multiple times.
-	r.bufs = nil
-
-	return nil
-}
-
-// ReadCloser creates an io.ReadCloser with all the contents of the buffer.
-func (b *Buffer) ReadCloser() io.ReadCloser {
-	ret := &readCloser{0, append(b.bufs, b.Buf)}
-
-	b.bufs = nil
-	b.toPool = nil
-	b.Buf = nil
-
-	return ret
-}
diff --git a/vendor/github.com/mailru/easyjson/jlexer/bytestostr.go b/vendor/github.com/mailru/easyjson/jlexer/bytestostr.go
deleted file mode 100644
index e68108f868..0000000000
--- a/vendor/github.com/mailru/easyjson/jlexer/bytestostr.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// This file will only be included to the build if neither
-// easyjson_nounsafe nor appengine build tag is set. See README notes
-// for more details.
-
-//+build !easyjson_nounsafe
-//+build !appengine
-
-package jlexer
-
-import (
-	"unsafe"
-)
-
-// bytesToStr creates a string pointing at the slice to avoid copying.
-//
-// Warning: the string returned by the function should be used with care, as the whole input data
-// chunk may be either blocked from being freed by GC because of a single string or the buffer.Data
-// may be garbage-collected even when the string exists.
-func bytesToStr(data []byte) string {
-	return *(*string)(unsafe.Pointer(&data))
-}
diff --git a/vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go b/vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go
deleted file mode 100644
index 864d1be676..0000000000
--- a/vendor/github.com/mailru/easyjson/jlexer/bytestostr_nounsafe.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// This file is included to the build if any of the buildtags below
-// are defined. Refer to README notes for more details.
-
-//+build easyjson_nounsafe appengine
-
-package jlexer
-
-// bytesToStr creates a string normally from []byte
-//
-// Note that this method is roughly 1.5x slower than using the 'unsafe' method.
-func bytesToStr(data []byte) string {
-	return string(data)
-}
diff --git a/vendor/github.com/mailru/easyjson/jlexer/error.go b/vendor/github.com/mailru/easyjson/jlexer/error.go
deleted file mode 100644
index e90ec40d05..0000000000
--- a/vendor/github.com/mailru/easyjson/jlexer/error.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package jlexer
-
-import "fmt"
-
-// LexerError implements the error interface and represents all possible errors that can be
-// generated during parsing the JSON data.
-type LexerError struct {
-	Reason string
-	Offset int
-	Data   string
-}
-
-func (l *LexerError) Error() string {
-	return fmt.Sprintf("parse error: %s near offset %d of '%s'", l.Reason, l.Offset, l.Data)
-}
diff --git a/vendor/github.com/mailru/easyjson/jlexer/lexer.go b/vendor/github.com/mailru/easyjson/jlexer/lexer.go
deleted file mode 100644
index a27705b12b..0000000000
--- a/vendor/github.com/mailru/easyjson/jlexer/lexer.go
+++ /dev/null
@@ -1,1257 +0,0 @@
-// Package jlexer contains a JSON lexer implementation.
-//
-// It is expected that it is mostly used with generated parser code, so the interface is tuned
-// for a parser that knows what kind of data is expected.
-package jlexer
-
-import (
-	"bytes"
-	"encoding/base64"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"strconv"
-	"unicode"
-	"unicode/utf16"
-	"unicode/utf8"
-
-	"github.com/josharian/intern"
-)
-
-// TokenKind determines type of a token.
-type TokenKind byte
-
-const (
-	TokenUndef  TokenKind = iota // No token.
-	TokenDelim                   // Delimiter: one of '{', '}', '[' or ']'.
-	TokenString                  // A string literal, e.g. "abc\u1234"
-	TokenNumber                  // Number literal, e.g. 1.5e5
-	TokenBool                    // Boolean literal: true or false.
-	TokenNull                    // null keyword.
-)
-
-// token describes a single token: type, position in the input and value.
-type token struct {
-	kind TokenKind // Type of a token.
-
-	boolValue       bool   // Value if a boolean literal token.
-	byteValueCloned bool   // true if byteValue was allocated and does not refer to original json body
-	byteValue       []byte // Raw value of a token.
-	delimValue      byte
-}
-
-// Lexer is a JSON lexer: it iterates over JSON tokens in a byte slice.
-type Lexer struct {
-	Data []byte // Input data given to the lexer.
-
-	start int   // Start of the current token.
-	pos   int   // Current unscanned position in the input stream.
-	token token // Last scanned token, if token.kind != TokenUndef.
-
-	firstElement bool // Whether current element is the first in array or an object.
-	wantSep      byte // A comma or a colon character, which need to occur before a token.
-
-	UseMultipleErrors bool          // If we want to use multiple errors.
-	fatalError        error         // Fatal error occurred during lexing. It is usually a syntax error.
-	multipleErrors    []*LexerError // Semantic errors occurred during lexing. Marshalling will be continued after finding this errors.
-}
-
-// FetchToken scans the input for the next token.
-func (r *Lexer) FetchToken() {
-	r.token.kind = TokenUndef
-	r.start = r.pos
-
-	// Check if r.Data has r.pos element
-	// If it doesn't, it mean corrupted input data
-	if len(r.Data) < r.pos {
-		r.errParse("Unexpected end of data")
-		return
-	}
-	// Determine the type of a token by skipping whitespace and reading the
-	// first character.
-	for _, c := range r.Data[r.pos:] {
-		switch c {
-		case ':', ',':
-			if r.wantSep == c {
-				r.pos++
-				r.start++
-				r.wantSep = 0
-			} else {
-				r.errSyntax()
-			}
-
-		case ' ', '\t', '\r', '\n':
-			r.pos++
-			r.start++
-
-		case '"':
-			if r.wantSep != 0 {
-				r.errSyntax()
-			}
-
-			r.token.kind = TokenString
-			r.fetchString()
-			return
-
-		case '{', '[':
-			if r.wantSep != 0 {
-				r.errSyntax()
-			}
-			r.firstElement = true
-			r.token.kind = TokenDelim
-			r.token.delimValue = r.Data[r.pos]
-			r.pos++
-			return
-
-		case '}', ']':
-			if !r.firstElement && (r.wantSep != ',') {
-				r.errSyntax()
-			}
-			r.wantSep = 0
-			r.token.kind = TokenDelim
-			r.token.delimValue = r.Data[r.pos]
-			r.pos++
-			return
-
-		case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-':
-			if r.wantSep != 0 {
-				r.errSyntax()
-			}
-			r.token.kind = TokenNumber
-			r.fetchNumber()
-			return
-
-		case 'n':
-			if r.wantSep != 0 {
-				r.errSyntax()
-			}
-
-			r.token.kind = TokenNull
-			r.fetchNull()
-			return
-
-		case 't':
-			if r.wantSep != 0 {
-				r.errSyntax()
-			}
-
-			r.token.kind = TokenBool
-			r.token.boolValue = true
-			r.fetchTrue()
-			return
-
-		case 'f':
-			if r.wantSep != 0 {
-				r.errSyntax()
-			}
-
-			r.token.kind = TokenBool
-			r.token.boolValue = false
-			r.fetchFalse()
-			return
-
-		default:
-			r.errSyntax()
-			return
-		}
-	}
-	r.fatalError = io.EOF
-	return
-}
-
-// isTokenEnd returns true if the char can follow a non-delimiter token
-func isTokenEnd(c byte) bool {
-	return c == ' ' || c == '\t' || c == '\r' || c == '\n' || c == '[' || c == ']' || c == '{' || c == '}' || c == ',' || c == ':'
-}
-
-// fetchNull fetches and checks remaining bytes of null keyword.
-func (r *Lexer) fetchNull() {
-	r.pos += 4
-	if r.pos > len(r.Data) ||
-		r.Data[r.pos-3] != 'u' ||
-		r.Data[r.pos-2] != 'l' ||
-		r.Data[r.pos-1] != 'l' ||
-		(r.pos != len(r.Data) && !isTokenEnd(r.Data[r.pos])) {
-
-		r.pos -= 4
-		r.errSyntax()
-	}
-}
-
-// fetchTrue fetches and checks remaining bytes of true keyword.
-func (r *Lexer) fetchTrue() {
-	r.pos += 4
-	if r.pos > len(r.Data) ||
-		r.Data[r.pos-3] != 'r' ||
-		r.Data[r.pos-2] != 'u' ||
-		r.Data[r.pos-1] != 'e' ||
-		(r.pos != len(r.Data) && !isTokenEnd(r.Data[r.pos])) {
-
-		r.pos -= 4
-		r.errSyntax()
-	}
-}
-
-// fetchFalse fetches and checks remaining bytes of false keyword.
-func (r *Lexer) fetchFalse() {
-	r.pos += 5
-	if r.pos > len(r.Data) ||
-		r.Data[r.pos-4] != 'a' ||
-		r.Data[r.pos-3] != 'l' ||
-		r.Data[r.pos-2] != 's' ||
-		r.Data[r.pos-1] != 'e' ||
-		(r.pos != len(r.Data) && !isTokenEnd(r.Data[r.pos])) {
-
-		r.pos -= 5
-		r.errSyntax()
-	}
-}
-
-// fetchNumber scans a number literal token.
-func (r *Lexer) fetchNumber() {
-	hasE := false
-	afterE := false
-	hasDot := false
-
-	r.pos++
-	for i, c := range r.Data[r.pos:] {
-		switch {
-		case c >= '0' && c <= '9':
-			afterE = false
-		case c == '.' && !hasDot:
-			hasDot = true
-		case (c == 'e' || c == 'E') && !hasE:
-			hasE = true
-			hasDot = true
-			afterE = true
-		case (c == '+' || c == '-') && afterE:
-			afterE = false
-		default:
-			r.pos += i
-			if !isTokenEnd(c) {
-				r.errSyntax()
-			} else {
-				r.token.byteValue = r.Data[r.start:r.pos]
-			}
-			return
-		}
-	}
-
-	r.pos = len(r.Data)
-	r.token.byteValue = r.Data[r.start:]
-}
-
-// findStringLen tries to scan into the string literal for ending quote char to determine required size.
-// The size will be exact if no escapes are present and may be inexact if there are escaped chars.
-func findStringLen(data []byte) (isValid bool, length int) {
-	for {
-		idx := bytes.IndexByte(data, '"')
-		if idx == -1 {
-			return false, len(data)
-		}
-		if idx == 0 || (idx > 0 && data[idx-1] != '\\') {
-			return true, length + idx
-		}
-
-		// count \\\\\\\ sequences. even number of slashes means quote is not really escaped
-		cnt := 1
-		for idx-cnt-1 >= 0 && data[idx-cnt-1] == '\\' {
-			cnt++
-		}
-		if cnt%2 == 0 {
-			return true, length + idx
-		}
-
-		length += idx + 1
-		data = data[idx+1:]
-	}
-}
-
-// unescapeStringToken performs unescaping of string token.
-// if no escaping is needed, original string is returned, otherwise - a new one allocated
-func (r *Lexer) unescapeStringToken() (err error) {
-	data := r.token.byteValue
-	var unescapedData []byte
-
-	for {
-		i := bytes.IndexByte(data, '\\')
-		if i == -1 {
-			break
-		}
-
-		escapedRune, escapedBytes, err := decodeEscape(data[i:])
-		if err != nil {
-			r.errParse(err.Error())
-			return err
-		}
-
-		if unescapedData == nil {
-			unescapedData = make([]byte, 0, len(r.token.byteValue))
-		}
-
-		var d [4]byte
-		s := utf8.EncodeRune(d[:], escapedRune)
-		unescapedData = append(unescapedData, data[:i]...)
-		unescapedData = append(unescapedData, d[:s]...)
-
-		data = data[i+escapedBytes:]
-	}
-
-	if unescapedData != nil {
-		r.token.byteValue = append(unescapedData, data...)
-		r.token.byteValueCloned = true
-	}
-	return
-}
-
-// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
-// or it returns -1.
-func getu4(s []byte) rune {
-	if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
-		return -1
-	}
-	var val rune
-	for i := 2; i < len(s) && i < 6; i++ {
-		var v byte
-		c := s[i]
-		switch c {
-		case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9':
-			v = c - '0'
-		case 'a', 'b', 'c', 'd', 'e', 'f':
-			v = c - 'a' + 10
-		case 'A', 'B', 'C', 'D', 'E', 'F':
-			v = c - 'A' + 10
-		default:
-			return -1
-		}
-
-		val <<= 4
-		val |= rune(v)
-	}
-	return val
-}
-
-// decodeEscape processes a single escape sequence and returns number of bytes processed.
-func decodeEscape(data []byte) (decoded rune, bytesProcessed int, err error) {
-	if len(data) < 2 {
-		return 0, 0, errors.New("incorrect escape symbol \\ at the end of token")
-	}
-
-	c := data[1]
-	switch c {
-	case '"', '/', '\\':
-		return rune(c), 2, nil
-	case 'b':
-		return '\b', 2, nil
-	case 'f':
-		return '\f', 2, nil
-	case 'n':
-		return '\n', 2, nil
-	case 'r':
-		return '\r', 2, nil
-	case 't':
-		return '\t', 2, nil
-	case 'u':
-		rr := getu4(data)
-		if rr < 0 {
-			return 0, 0, errors.New("incorrectly escaped \\uXXXX sequence")
-		}
-
-		read := 6
-		if utf16.IsSurrogate(rr) {
-			rr1 := getu4(data[read:])
-			if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
-				read += 6
-				rr = dec
-			} else {
-				rr = unicode.ReplacementChar
-			}
-		}
-		return rr, read, nil
-	}
-
-	return 0, 0, errors.New("incorrectly escaped bytes")
-}
-
-// fetchString scans a string literal token.
-func (r *Lexer) fetchString() {
-	r.pos++
-	data := r.Data[r.pos:]
-
-	isValid, length := findStringLen(data)
-	if !isValid {
-		r.pos += length
-		r.errParse("unterminated string literal")
-		return
-	}
-	r.token.byteValue = data[:length]
-	r.pos += length + 1 // skip closing '"' as well
-}
-
-// scanToken scans the next token if no token is currently available in the lexer.
-func (r *Lexer) scanToken() {
-	if r.token.kind != TokenUndef || r.fatalError != nil {
-		return
-	}
-
-	r.FetchToken()
-}
-
-// consume resets the current token to allow scanning the next one.
-func (r *Lexer) consume() {
-	r.token.kind = TokenUndef
-	r.token.byteValueCloned = false
-	r.token.delimValue = 0
-}
-
-// Ok returns true if no error (including io.EOF) was encountered during scanning.
-func (r *Lexer) Ok() bool {
-	return r.fatalError == nil
-}
-
-const maxErrorContextLen = 13
-
-func (r *Lexer) errParse(what string) {
-	if r.fatalError == nil {
-		var str string
-		if len(r.Data)-r.pos <= maxErrorContextLen {
-			str = string(r.Data)
-		} else {
-			str = string(r.Data[r.pos:r.pos+maxErrorContextLen-3]) + "..."
-		}
-		r.fatalError = &LexerError{
-			Reason: what,
-			Offset: r.pos,
-			Data:   str,
-		}
-	}
-}
-
-func (r *Lexer) errSyntax() {
-	r.errParse("syntax error")
-}
-
-func (r *Lexer) errInvalidToken(expected string) {
-	if r.fatalError != nil {
-		return
-	}
-	if r.UseMultipleErrors {
-		r.pos = r.start
-		r.consume()
-		r.SkipRecursive()
-		switch expected {
-		case "[":
-			r.token.delimValue = ']'
-			r.token.kind = TokenDelim
-		case "{":
-			r.token.delimValue = '}'
-			r.token.kind = TokenDelim
-		}
-		r.addNonfatalError(&LexerError{
-			Reason: fmt.Sprintf("expected %s", expected),
-			Offset: r.start,
-			Data:   string(r.Data[r.start:r.pos]),
-		})
-		return
-	}
-
-	var str string
-	if len(r.token.byteValue) <= maxErrorContextLen {
-		str = string(r.token.byteValue)
-	} else {
-		str = string(r.token.byteValue[:maxErrorContextLen-3]) + "..."
-	}
-	r.fatalError = &LexerError{
-		Reason: fmt.Sprintf("expected %s", expected),
-		Offset: r.pos,
-		Data:   str,
-	}
-}
-
-func (r *Lexer) GetPos() int {
-	return r.pos
-}
-
-// Delim consumes a token and verifies that it is the given delimiter.
-func (r *Lexer) Delim(c byte) {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-
-	if !r.Ok() || r.token.delimValue != c {
-		r.consume() // errInvalidToken can change token if UseMultipleErrors is enabled.
-		r.errInvalidToken(string([]byte{c}))
-	} else {
-		r.consume()
-	}
-}
-
-// IsDelim returns true if there was no scanning error and next token is the given delimiter.
-func (r *Lexer) IsDelim(c byte) bool {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	return !r.Ok() || r.token.delimValue == c
-}
-
-// Null verifies that the next token is null and consumes it.
-func (r *Lexer) Null() {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	if !r.Ok() || r.token.kind != TokenNull {
-		r.errInvalidToken("null")
-	}
-	r.consume()
-}
-
-// IsNull returns true if the next token is a null keyword.
-func (r *Lexer) IsNull() bool {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	return r.Ok() && r.token.kind == TokenNull
-}
-
-// Skip skips a single token.
-func (r *Lexer) Skip() {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	r.consume()
-}
-
-// SkipRecursive skips next array or object completely, or just skips a single token if not
-// an array/object.
-//
-// Note: no syntax validation is performed on the skipped data.
-func (r *Lexer) SkipRecursive() {
-	r.scanToken()
-	var start, end byte
-	startPos := r.start
-
-	switch r.token.delimValue {
-	case '{':
-		start, end = '{', '}'
-	case '[':
-		start, end = '[', ']'
-	default:
-		r.consume()
-		return
-	}
-
-	r.consume()
-
-	level := 1
-	inQuotes := false
-	wasEscape := false
-
-	for i, c := range r.Data[r.pos:] {
-		switch {
-		case c == start && !inQuotes:
-			level++
-		case c == end && !inQuotes:
-			level--
-			if level == 0 {
-				r.pos += i + 1
-				if !json.Valid(r.Data[startPos:r.pos]) {
-					r.pos = len(r.Data)
-					r.fatalError = &LexerError{
-						Reason: "skipped array/object json value is invalid",
-						Offset: r.pos,
-						Data:   string(r.Data[r.pos:]),
-					}
-				}
-				return
-			}
-		case c == '\\' && inQuotes:
-			wasEscape = !wasEscape
-			continue
-		case c == '"' && inQuotes:
-			inQuotes = wasEscape
-		case c == '"':
-			inQuotes = true
-		}
-		wasEscape = false
-	}
-	r.pos = len(r.Data)
-	r.fatalError = &LexerError{
-		Reason: "EOF reached while skipping array/object or token",
-		Offset: r.pos,
-		Data:   string(r.Data[r.pos:]),
-	}
-}
-
-// Raw fetches the next item recursively as a data slice
-func (r *Lexer) Raw() []byte {
-	r.SkipRecursive()
-	if !r.Ok() {
-		return nil
-	}
-	return r.Data[r.start:r.pos]
-}
-
-// IsStart returns whether the lexer is positioned at the start
-// of an input string.
-func (r *Lexer) IsStart() bool {
-	return r.pos == 0
-}
-
-// Consumed reads all remaining bytes from the input, publishing an error if
-// there is anything but whitespace remaining.
-func (r *Lexer) Consumed() {
-	if r.pos > len(r.Data) || !r.Ok() {
-		return
-	}
-
-	for _, c := range r.Data[r.pos:] {
-		if c != ' ' && c != '\t' && c != '\r' && c != '\n' {
-			r.AddError(&LexerError{
-				Reason: "invalid character '" + string(c) + "' after top-level value",
-				Offset: r.pos,
-				Data:   string(r.Data[r.pos:]),
-			})
-			return
-		}
-
-		r.pos++
-		r.start++
-	}
-}
-
-func (r *Lexer) unsafeString(skipUnescape bool) (string, []byte) {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	if !r.Ok() || r.token.kind != TokenString {
-		r.errInvalidToken("string")
-		return "", nil
-	}
-	if !skipUnescape {
-		if err := r.unescapeStringToken(); err != nil {
-			r.errInvalidToken("string")
-			return "", nil
-		}
-	}
-
-	bytes := r.token.byteValue
-	ret := bytesToStr(r.token.byteValue)
-	r.consume()
-	return ret, bytes
-}
-
-// UnsafeString returns the string value if the token is a string literal.
-//
-// Warning: returned string may point to the input buffer, so the string should not outlive
-// the input buffer. Intended pattern of usage is as an argument to a switch statement.
-func (r *Lexer) UnsafeString() string {
-	ret, _ := r.unsafeString(false)
-	return ret
-}
-
-// UnsafeBytes returns the byte slice if the token is a string literal.
-func (r *Lexer) UnsafeBytes() []byte {
-	_, ret := r.unsafeString(false)
-	return ret
-}
-
-// UnsafeFieldName returns current member name string token
-func (r *Lexer) UnsafeFieldName(skipUnescape bool) string {
-	ret, _ := r.unsafeString(skipUnescape)
-	return ret
-}
-
-// String reads a string literal.
-func (r *Lexer) String() string {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	if !r.Ok() || r.token.kind != TokenString {
-		r.errInvalidToken("string")
-		return ""
-	}
-	if err := r.unescapeStringToken(); err != nil {
-		r.errInvalidToken("string")
-		return ""
-	}
-	var ret string
-	if r.token.byteValueCloned {
-		ret = bytesToStr(r.token.byteValue)
-	} else {
-		ret = string(r.token.byteValue)
-	}
-	r.consume()
-	return ret
-}
-
-// StringIntern reads a string literal, and performs string interning on it.
-func (r *Lexer) StringIntern() string {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	if !r.Ok() || r.token.kind != TokenString {
-		r.errInvalidToken("string")
-		return ""
-	}
-	if err := r.unescapeStringToken(); err != nil {
-		r.errInvalidToken("string")
-		return ""
-	}
-	ret := intern.Bytes(r.token.byteValue)
-	r.consume()
-	return ret
-}
-
-// Bytes reads a string literal and base64 decodes it into a byte slice.
-func (r *Lexer) Bytes() []byte {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	if !r.Ok() || r.token.kind != TokenString {
-		r.errInvalidToken("string")
-		return nil
-	}
-	if err := r.unescapeStringToken(); err != nil {
-		r.errInvalidToken("string")
-		return nil
-	}
-	ret := make([]byte, base64.StdEncoding.DecodedLen(len(r.token.byteValue)))
-	n, err := base64.StdEncoding.Decode(ret, r.token.byteValue)
-	if err != nil {
-		r.fatalError = &LexerError{
-			Reason: err.Error(),
-		}
-		return nil
-	}
-
-	r.consume()
-	return ret[:n]
-}
-
-// Bool reads a true or false boolean keyword.
-func (r *Lexer) Bool() bool {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	if !r.Ok() || r.token.kind != TokenBool {
-		r.errInvalidToken("bool")
-		return false
-	}
-	ret := r.token.boolValue
-	r.consume()
-	return ret
-}
-
-func (r *Lexer) number() string {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	if !r.Ok() || r.token.kind != TokenNumber {
-		r.errInvalidToken("number")
-		return ""
-	}
-	ret := bytesToStr(r.token.byteValue)
-	r.consume()
-	return ret
-}
-
-func (r *Lexer) Uint8() uint8 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseUint(s, 10, 8)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return uint8(n)
-}
-
-func (r *Lexer) Uint16() uint16 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseUint(s, 10, 16)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return uint16(n)
-}
-
-func (r *Lexer) Uint32() uint32 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseUint(s, 10, 32)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return uint32(n)
-}
-
-func (r *Lexer) Uint64() uint64 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseUint(s, 10, 64)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return n
-}
-
-func (r *Lexer) Uint() uint {
-	return uint(r.Uint64())
-}
-
-func (r *Lexer) Int8() int8 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseInt(s, 10, 8)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return int8(n)
-}
-
-func (r *Lexer) Int16() int16 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseInt(s, 10, 16)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return int16(n)
-}
-
-func (r *Lexer) Int32() int32 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseInt(s, 10, 32)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return int32(n)
-}
-
-func (r *Lexer) Int64() int64 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseInt(s, 10, 64)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return n
-}
-
-func (r *Lexer) Int() int {
-	return int(r.Int64())
-}
-
-func (r *Lexer) Uint8Str() uint8 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseUint(s, 10, 8)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return uint8(n)
-}
-
-func (r *Lexer) Uint16Str() uint16 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseUint(s, 10, 16)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return uint16(n)
-}
-
-func (r *Lexer) Uint32Str() uint32 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseUint(s, 10, 32)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return uint32(n)
-}
-
-func (r *Lexer) Uint64Str() uint64 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseUint(s, 10, 64)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return n
-}
-
-func (r *Lexer) UintStr() uint {
-	return uint(r.Uint64Str())
-}
-
-func (r *Lexer) UintptrStr() uintptr {
-	return uintptr(r.Uint64Str())
-}
-
-func (r *Lexer) Int8Str() int8 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseInt(s, 10, 8)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return int8(n)
-}
-
-func (r *Lexer) Int16Str() int16 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseInt(s, 10, 16)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return int16(n)
-}
-
-func (r *Lexer) Int32Str() int32 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseInt(s, 10, 32)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return int32(n)
-}
-
-func (r *Lexer) Int64Str() int64 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseInt(s, 10, 64)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return n
-}
-
-func (r *Lexer) IntStr() int {
-	return int(r.Int64Str())
-}
-
-func (r *Lexer) Float32() float32 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseFloat(s, 32)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return float32(n)
-}
-
-func (r *Lexer) Float32Str() float32 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-	n, err := strconv.ParseFloat(s, 32)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return float32(n)
-}
-
-func (r *Lexer) Float64() float64 {
-	s := r.number()
-	if !r.Ok() {
-		return 0
-	}
-
-	n, err := strconv.ParseFloat(s, 64)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   s,
-		})
-	}
-	return n
-}
-
-func (r *Lexer) Float64Str() float64 {
-	s, b := r.unsafeString(false)
-	if !r.Ok() {
-		return 0
-	}
-	n, err := strconv.ParseFloat(s, 64)
-	if err != nil {
-		r.addNonfatalError(&LexerError{
-			Offset: r.start,
-			Reason: err.Error(),
-			Data:   string(b),
-		})
-	}
-	return n
-}
-
-func (r *Lexer) Error() error {
-	return r.fatalError
-}
-
-func (r *Lexer) AddError(e error) {
-	if r.fatalError == nil {
-		r.fatalError = e
-	}
-}
-
-func (r *Lexer) AddNonFatalError(e error) {
-	r.addNonfatalError(&LexerError{
-		Offset: r.start,
-		Data:   string(r.Data[r.start:r.pos]),
-		Reason: e.Error(),
-	})
-}
-
-func (r *Lexer) addNonfatalError(err *LexerError) {
-	if r.UseMultipleErrors {
-		// We don't want to add errors with the same offset.
-		if len(r.multipleErrors) != 0 && r.multipleErrors[len(r.multipleErrors)-1].Offset == err.Offset {
-			return
-		}
-		r.multipleErrors = append(r.multipleErrors, err)
-		return
-	}
-	r.fatalError = err
-}
-
-func (r *Lexer) GetNonFatalErrors() []*LexerError {
-	return r.multipleErrors
-}
-
-// JsonNumber fetches and json.Number from 'encoding/json' package.
-// Both int, float or string, contains them are valid values
-func (r *Lexer) JsonNumber() json.Number {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-	if !r.Ok() {
-		r.errInvalidToken("json.Number")
-		return json.Number("")
-	}
-
-	switch r.token.kind {
-	case TokenString:
-		return json.Number(r.String())
-	case TokenNumber:
-		return json.Number(r.Raw())
-	case TokenNull:
-		r.Null()
-		return json.Number("")
-	default:
-		r.errSyntax()
-		return json.Number("")
-	}
-}
-
-// Interface fetches an interface{} analogous to the 'encoding/json' package.
-func (r *Lexer) Interface() interface{} {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-
-	if !r.Ok() {
-		return nil
-	}
-	switch r.token.kind {
-	case TokenString:
-		return r.String()
-	case TokenNumber:
-		return r.Float64()
-	case TokenBool:
-		return r.Bool()
-	case TokenNull:
-		r.Null()
-		return nil
-	}
-
-	if r.token.delimValue == '{' {
-		r.consume()
-
-		ret := map[string]interface{}{}
-		for !r.IsDelim('}') {
-			key := r.String()
-			r.WantColon()
-			ret[key] = r.Interface()
-			r.WantComma()
-		}
-		r.Delim('}')
-
-		if r.Ok() {
-			return ret
-		} else {
-			return nil
-		}
-	} else if r.token.delimValue == '[' {
-		r.consume()
-
-		ret := []interface{}{}
-		for !r.IsDelim(']') {
-			ret = append(ret, r.Interface())
-			r.WantComma()
-		}
-		r.Delim(']')
-
-		if r.Ok() {
-			return ret
-		} else {
-			return nil
-		}
-	}
-	r.errSyntax()
-	return nil
-}
-
-// WantComma requires a comma to be present before fetching next token.
-func (r *Lexer) WantComma() {
-	r.wantSep = ','
-	r.firstElement = false
-}
-
-// WantColon requires a colon to be present before fetching next token.
-func (r *Lexer) WantColon() {
-	r.wantSep = ':'
-	r.firstElement = false
-}
-
-// CurrentToken returns current token kind if there were no errors and TokenUndef otherwise
-func (r *Lexer) CurrentToken() TokenKind {
-	if r.token.kind == TokenUndef && r.Ok() {
-		r.FetchToken()
-	}
-
-	if !r.Ok() {
-		return TokenUndef
-	}
-
-	return r.token.kind
-}
diff --git a/vendor/github.com/mailru/easyjson/jwriter/writer.go b/vendor/github.com/mailru/easyjson/jwriter/writer.go
deleted file mode 100644
index 34b0ade468..0000000000
--- a/vendor/github.com/mailru/easyjson/jwriter/writer.go
+++ /dev/null
@@ -1,417 +0,0 @@
-// Package jwriter contains a JSON writer.
-package jwriter
-
-import (
-	"io"
-	"strconv"
-	"unicode/utf8"
-
-	"github.com/mailru/easyjson/buffer"
-)
-
-// Flags describe various encoding options. The behavior may be actually implemented in the encoder, but
-// Flags field in Writer is used to set and pass them around.
-type Flags int
-
-const (
-	NilMapAsEmpty   Flags = 1 << iota // Encode nil map as '{}' rather than 'null'.
-	NilSliceAsEmpty                   // Encode nil slice as '[]' rather than 'null'.
-)
-
-// Writer is a JSON writer.
-type Writer struct {
-	Flags Flags
-
-	Error        error
-	Buffer       buffer.Buffer
-	NoEscapeHTML bool
-}
-
-// Size returns the size of the data that was written out.
-func (w *Writer) Size() int {
-	return w.Buffer.Size()
-}
-
-// DumpTo outputs the data to given io.Writer, resetting the buffer.
-func (w *Writer) DumpTo(out io.Writer) (written int, err error) {
-	return w.Buffer.DumpTo(out)
-}
-
-// BuildBytes returns writer data as a single byte slice. You can optionally provide one byte slice
-// as argument that it will try to reuse.
-func (w *Writer) BuildBytes(reuse ...[]byte) ([]byte, error) {
-	if w.Error != nil {
-		return nil, w.Error
-	}
-
-	return w.Buffer.BuildBytes(reuse...), nil
-}
-
-// ReadCloser returns an io.ReadCloser that can be used to read the data.
-// ReadCloser also resets the buffer.
-func (w *Writer) ReadCloser() (io.ReadCloser, error) {
-	if w.Error != nil {
-		return nil, w.Error
-	}
-
-	return w.Buffer.ReadCloser(), nil
-}
-
-// RawByte appends raw binary data to the buffer.
-func (w *Writer) RawByte(c byte) {
-	w.Buffer.AppendByte(c)
-}
-
-// RawByte appends raw binary data to the buffer.
-func (w *Writer) RawString(s string) {
-	w.Buffer.AppendString(s)
-}
-
-// RawBytesString appends string from bytes to the buffer.
-func (w *Writer) RawBytesString(data []byte, err error) {
-	switch {
-	case w.Error != nil:
-		return
-	case err != nil:
-		w.Error = err
-	default:
-		w.String(string(data))
-	}
-}
-
-// Raw appends raw binary data to the buffer or sets the error if it is given. Useful for
-// calling with results of MarshalJSON-like functions.
-func (w *Writer) Raw(data []byte, err error) {
-	switch {
-	case w.Error != nil:
-		return
-	case err != nil:
-		w.Error = err
-	case len(data) > 0:
-		w.Buffer.AppendBytes(data)
-	default:
-		w.RawString("null")
-	}
-}
-
-// RawText encloses raw binary data in quotes and appends in to the buffer.
-// Useful for calling with results of MarshalText-like functions.
-func (w *Writer) RawText(data []byte, err error) {
-	switch {
-	case w.Error != nil:
-		return
-	case err != nil:
-		w.Error = err
-	case len(data) > 0:
-		w.String(string(data))
-	default:
-		w.RawString("null")
-	}
-}
-
-// Base64Bytes appends data to the buffer after base64 encoding it
-func (w *Writer) Base64Bytes(data []byte) {
-	if data == nil {
-		w.Buffer.AppendString("null")
-		return
-	}
-	w.Buffer.AppendByte('"')
-	w.base64(data)
-	w.Buffer.AppendByte('"')
-}
-
-func (w *Writer) Uint8(n uint8) {
-	w.Buffer.EnsureSpace(3)
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-}
-
-func (w *Writer) Uint16(n uint16) {
-	w.Buffer.EnsureSpace(5)
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-}
-
-func (w *Writer) Uint32(n uint32) {
-	w.Buffer.EnsureSpace(10)
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-}
-
-func (w *Writer) Uint(n uint) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-}
-
-func (w *Writer) Uint64(n uint64) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, n, 10)
-}
-
-func (w *Writer) Int8(n int8) {
-	w.Buffer.EnsureSpace(4)
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, int64(n), 10)
-}
-
-func (w *Writer) Int16(n int16) {
-	w.Buffer.EnsureSpace(6)
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, int64(n), 10)
-}
-
-func (w *Writer) Int32(n int32) {
-	w.Buffer.EnsureSpace(11)
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, int64(n), 10)
-}
-
-func (w *Writer) Int(n int) {
-	w.Buffer.EnsureSpace(21)
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, int64(n), 10)
-}
-
-func (w *Writer) Int64(n int64) {
-	w.Buffer.EnsureSpace(21)
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, n, 10)
-}
-
-func (w *Writer) Uint8Str(n uint8) {
-	w.Buffer.EnsureSpace(3)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Uint16Str(n uint16) {
-	w.Buffer.EnsureSpace(5)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Uint32Str(n uint32) {
-	w.Buffer.EnsureSpace(10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) UintStr(n uint) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Uint64Str(n uint64) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, n, 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) UintptrStr(n uintptr) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendUint(w.Buffer.Buf, uint64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Int8Str(n int8) {
-	w.Buffer.EnsureSpace(4)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, int64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Int16Str(n int16) {
-	w.Buffer.EnsureSpace(6)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, int64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Int32Str(n int32) {
-	w.Buffer.EnsureSpace(11)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, int64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) IntStr(n int) {
-	w.Buffer.EnsureSpace(21)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, int64(n), 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Int64Str(n int64) {
-	w.Buffer.EnsureSpace(21)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendInt(w.Buffer.Buf, n, 10)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Float32(n float32) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = strconv.AppendFloat(w.Buffer.Buf, float64(n), 'g', -1, 32)
-}
-
-func (w *Writer) Float32Str(n float32) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendFloat(w.Buffer.Buf, float64(n), 'g', -1, 32)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Float64(n float64) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = strconv.AppendFloat(w.Buffer.Buf, n, 'g', -1, 64)
-}
-
-func (w *Writer) Float64Str(n float64) {
-	w.Buffer.EnsureSpace(20)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-	w.Buffer.Buf = strconv.AppendFloat(w.Buffer.Buf, float64(n), 'g', -1, 64)
-	w.Buffer.Buf = append(w.Buffer.Buf, '"')
-}
-
-func (w *Writer) Bool(v bool) {
-	w.Buffer.EnsureSpace(5)
-	if v {
-		w.Buffer.Buf = append(w.Buffer.Buf, "true"...)
-	} else {
-		w.Buffer.Buf = append(w.Buffer.Buf, "false"...)
-	}
-}
-
-const chars = "0123456789abcdef"
-
-func getTable(falseValues ...int) [128]bool {
-	table := [128]bool{}
-
-	for i := 0; i < 128; i++ {
-		table[i] = true
-	}
-
-	for _, v := range falseValues {
-		table[v] = false
-	}
-
-	return table
-}
-
-var (
-	htmlEscapeTable   = getTable(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, '"', '&', '<', '>', '\\')
-	htmlNoEscapeTable = getTable(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, '"', '\\')
-)
-
-func (w *Writer) String(s string) {
-	w.Buffer.AppendByte('"')
-
-	// Portions of the string that contain no escapes are appended as
-	// byte slices.
-
-	p := 0 // last non-escape symbol
-
-	escapeTable := &htmlEscapeTable
-	if w.NoEscapeHTML {
-		escapeTable = &htmlNoEscapeTable
-	}
-
-	for i := 0; i < len(s); {
-		c := s[i]
-
-		if c < utf8.RuneSelf {
-			if escapeTable[c] {
-				// single-width character, no escaping is required
-				i++
-				continue
-			}
-
-			w.Buffer.AppendString(s[p:i])
-			switch c {
-			case '\t':
-				w.Buffer.AppendString(`\t`)
-			case '\r':
-				w.Buffer.AppendString(`\r`)
-			case '\n':
-				w.Buffer.AppendString(`\n`)
-			case '\\':
-				w.Buffer.AppendString(`\\`)
-			case '"':
-				w.Buffer.AppendString(`\"`)
-			default:
-				w.Buffer.AppendString(`\u00`)
-				w.Buffer.AppendByte(chars[c>>4])
-				w.Buffer.AppendByte(chars[c&0xf])
-			}
-
-			i++
-			p = i
-			continue
-		}
-
-		// broken utf
-		runeValue, runeWidth := utf8.DecodeRuneInString(s[i:])
-		if runeValue == utf8.RuneError && runeWidth == 1 {
-			w.Buffer.AppendString(s[p:i])
-			w.Buffer.AppendString(`\ufffd`)
-			i++
-			p = i
-			continue
-		}
-
-		// jsonp stuff - tab separator and line separator
-		if runeValue == '\u2028' || runeValue == '\u2029' {
-			w.Buffer.AppendString(s[p:i])
-			w.Buffer.AppendString(`\u202`)
-			w.Buffer.AppendByte(chars[runeValue&0xf])
-			i += runeWidth
-			p = i
-			continue
-		}
-		i += runeWidth
-	}
-	w.Buffer.AppendString(s[p:])
-	w.Buffer.AppendByte('"')
-}
-
-const encode = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
-const padChar = '='
-
-func (w *Writer) base64(in []byte) {
-
-	if len(in) == 0 {
-		return
-	}
-
-	w.Buffer.EnsureSpace(((len(in)-1)/3 + 1) * 4)
-
-	si := 0
-	n := (len(in) / 3) * 3
-
-	for si < n {
-		// Convert 3x 8bit source bytes into 4 bytes
-		val := uint(in[si+0])<<16 | uint(in[si+1])<<8 | uint(in[si+2])
-
-		w.Buffer.Buf = append(w.Buffer.Buf, encode[val>>18&0x3F], encode[val>>12&0x3F], encode[val>>6&0x3F], encode[val&0x3F])
-
-		si += 3
-	}
-
-	remain := len(in) - si
-	if remain == 0 {
-		return
-	}
-
-	// Add the remaining small block
-	val := uint(in[si+0]) << 16
-	if remain == 2 {
-		val |= uint(in[si+1]) << 8
-	}
-
-	w.Buffer.Buf = append(w.Buffer.Buf, encode[val>>18&0x3F], encode[val>>12&0x3F])
-
-	switch remain {
-	case 2:
-		w.Buffer.Buf = append(w.Buffer.Buf, encode[val>>6&0x3F], byte(padChar))
-	case 1:
-		w.Buffer.Buf = append(w.Buffer.Buf, byte(padChar), byte(padChar))
-	}
-}
diff --git a/vendor/github.com/mattn/go-runewidth/LICENSE b/vendor/github.com/mattn/go-runewidth/LICENSE
new file mode 100644
index 0000000000..91b5cef30e
--- /dev/null
+++ b/vendor/github.com/mattn/go-runewidth/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Yasuhiro Matsumoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/mattn/go-runewidth/README.md b/vendor/github.com/mattn/go-runewidth/README.md
new file mode 100644
index 0000000000..5e2cfd98cb
--- /dev/null
+++ b/vendor/github.com/mattn/go-runewidth/README.md
@@ -0,0 +1,27 @@
+go-runewidth
+============
+
+[![Build Status](https://github.com/mattn/go-runewidth/workflows/test/badge.svg?branch=master)](https://github.com/mattn/go-runewidth/actions?query=workflow%3Atest)
+[![Codecov](https://codecov.io/gh/mattn/go-runewidth/branch/master/graph/badge.svg)](https://codecov.io/gh/mattn/go-runewidth)
+[![GoDoc](https://godoc.org/github.com/mattn/go-runewidth?status.svg)](http://godoc.org/github.com/mattn/go-runewidth)
+[![Go Report Card](https://goreportcard.com/badge/github.com/mattn/go-runewidth)](https://goreportcard.com/report/github.com/mattn/go-runewidth)
+
+Provides functions to get fixed width of the character or string.
+
+Usage
+-----
+
+```go
+runewidth.StringWidth("���☆HIRO") == 12
+```
+
+
+Author
+------
+
+Yasuhiro Matsumoto
+
+License
+-------
+
+under the MIT License: http://mattn.mit-license.org/2013
diff --git a/vendor/github.com/mattn/go-runewidth/runewidth.go b/vendor/github.com/mattn/go-runewidth/runewidth.go
new file mode 100644
index 0000000000..7dfbb3be91
--- /dev/null
+++ b/vendor/github.com/mattn/go-runewidth/runewidth.go
@@ -0,0 +1,358 @@
+package runewidth
+
+import (
+	"os"
+	"strings"
+
+	"github.com/rivo/uniseg"
+)
+
+//go:generate go run script/generate.go
+
+var (
+	// EastAsianWidth will be set true if the current locale is CJK
+	EastAsianWidth bool
+
+	// StrictEmojiNeutral should be set false if handle broken fonts
+	StrictEmojiNeutral bool = true
+
+	// DefaultCondition is a condition in current locale
+	DefaultCondition = &Condition{
+		EastAsianWidth:     false,
+		StrictEmojiNeutral: true,
+	}
+)
+
+func init() {
+	handleEnv()
+}
+
+func handleEnv() {
+	env := os.Getenv("RUNEWIDTH_EASTASIAN")
+	if env == "" {
+		EastAsianWidth = IsEastAsian()
+	} else {
+		EastAsianWidth = env == "1"
+	}
+	// update DefaultCondition
+	if DefaultCondition.EastAsianWidth != EastAsianWidth {
+		DefaultCondition.EastAsianWidth = EastAsianWidth
+		if len(DefaultCondition.combinedLut) > 0 {
+			DefaultCondition.combinedLut = DefaultCondition.combinedLut[:0]
+			CreateLUT()
+		}
+	}
+}
+
+type interval struct {
+	first rune
+	last  rune
+}
+
+type table []interval
+
+func inTables(r rune, ts ...table) bool {
+	for _, t := range ts {
+		if inTable(r, t) {
+			return true
+		}
+	}
+	return false
+}
+
+func inTable(r rune, t table) bool {
+	if r < t[0].first {
+		return false
+	}
+
+	bot := 0
+	top := len(t) - 1
+	for top >= bot {
+		mid := (bot + top) >> 1
+
+		switch {
+		case t[mid].last < r:
+			bot = mid + 1
+		case t[mid].first > r:
+			top = mid - 1
+		default:
+			return true
+		}
+	}
+
+	return false
+}
+
+var private = table{
+	{0x00E000, 0x00F8FF}, {0x0F0000, 0x0FFFFD}, {0x100000, 0x10FFFD},
+}
+
+var nonprint = table{
+	{0x0000, 0x001F}, {0x007F, 0x009F}, {0x00AD, 0x00AD},
+	{0x070F, 0x070F}, {0x180B, 0x180E}, {0x200B, 0x200F},
+	{0x2028, 0x202E}, {0x206A, 0x206F}, {0xD800, 0xDFFF},
+	{0xFEFF, 0xFEFF}, {0xFFF9, 0xFFFB}, {0xFFFE, 0xFFFF},
+}
+
+// Condition have flag EastAsianWidth whether the current locale is CJK or not.
+type Condition struct {
+	combinedLut        []byte
+	EastAsianWidth     bool
+	StrictEmojiNeutral bool
+}
+
+// NewCondition return new instance of Condition which is current locale.
+func NewCondition() *Condition {
+	return &Condition{
+		EastAsianWidth:     EastAsianWidth,
+		StrictEmojiNeutral: StrictEmojiNeutral,
+	}
+}
+
+// RuneWidth returns the number of cells in r.
+// See http://www.unicode.org/reports/tr11/
+func (c *Condition) RuneWidth(r rune) int {
+	if r < 0 || r > 0x10FFFF {
+		return 0
+	}
+	if len(c.combinedLut) > 0 {
+		return int(c.combinedLut[r>>1]>>(uint(r&1)*4)) & 3
+	}
+	// optimized version, verified by TestRuneWidthChecksums()
+	if !c.EastAsianWidth {
+		switch {
+		case r < 0x20:
+			return 0
+		case (r >= 0x7F && r <= 0x9F) || r == 0xAD: // nonprint
+			return 0
+		case r < 0x300:
+			return 1
+		case inTable(r, narrow):
+			return 1
+		case inTables(r, nonprint, combining):
+			return 0
+		case inTable(r, doublewidth):
+			return 2
+		default:
+			return 1
+		}
+	} else {
+		switch {
+		case inTables(r, nonprint, combining):
+			return 0
+		case inTable(r, narrow):
+			return 1
+		case inTables(r, ambiguous, doublewidth):
+			return 2
+		case !c.StrictEmojiNeutral && inTables(r, ambiguous, emoji, narrow):
+			return 2
+		default:
+			return 1
+		}
+	}
+}
+
+// CreateLUT will create an in-memory lookup table of 557056 bytes for faster operation.
+// This should not be called concurrently with other operations on c.
+// If options in c is changed, CreateLUT should be called again.
+func (c *Condition) CreateLUT() {
+	const max = 0x110000
+	lut := c.combinedLut
+	if len(c.combinedLut) != 0 {
+		// Remove so we don't use it.
+		c.combinedLut = nil
+	} else {
+		lut = make([]byte, max/2)
+	}
+	for i := range lut {
+		i32 := int32(i * 2)
+		x0 := c.RuneWidth(i32)
+		x1 := c.RuneWidth(i32 + 1)
+		lut[i] = uint8(x0) | uint8(x1)<<4
+	}
+	c.combinedLut = lut
+}
+
+// StringWidth return width as you can see
+func (c *Condition) StringWidth(s string) (width int) {
+	g := uniseg.NewGraphemes(s)
+	for g.Next() {
+		var chWidth int
+		for _, r := range g.Runes() {
+			chWidth = c.RuneWidth(r)
+			if chWidth > 0 {
+				break // Our best guess at this point is to use the width of the first non-zero-width rune.
+			}
+		}
+		width += chWidth
+	}
+	return
+}
+
+// Truncate return string truncated with w cells
+func (c *Condition) Truncate(s string, w int, tail string) string {
+	if c.StringWidth(s) <= w {
+		return s
+	}
+	w -= c.StringWidth(tail)
+	var width int
+	pos := len(s)
+	g := uniseg.NewGraphemes(s)
+	for g.Next() {
+		var chWidth int
+		for _, r := range g.Runes() {
+			chWidth = c.RuneWidth(r)
+			if chWidth > 0 {
+				break // See StringWidth() for details.
+			}
+		}
+		if width+chWidth > w {
+			pos, _ = g.Positions()
+			break
+		}
+		width += chWidth
+	}
+	return s[:pos] + tail
+}
+
+// TruncateLeft cuts w cells from the beginning of the `s`.
+func (c *Condition) TruncateLeft(s string, w int, prefix string) string {
+	if c.StringWidth(s) <= w {
+		return prefix
+	}
+
+	var width int
+	pos := len(s)
+
+	g := uniseg.NewGraphemes(s)
+	for g.Next() {
+		var chWidth int
+		for _, r := range g.Runes() {
+			chWidth = c.RuneWidth(r)
+			if chWidth > 0 {
+				break // See StringWidth() for details.
+			}
+		}
+
+		if width+chWidth > w {
+			if width < w {
+				_, pos = g.Positions()
+				prefix += strings.Repeat(" ", width+chWidth-w)
+			} else {
+				pos, _ = g.Positions()
+			}
+
+			break
+		}
+
+		width += chWidth
+	}
+
+	return prefix + s[pos:]
+}
+
+// Wrap return string wrapped with w cells
+func (c *Condition) Wrap(s string, w int) string {
+	width := 0
+	out := ""
+	for _, r := range s {
+		cw := c.RuneWidth(r)
+		if r == '\n' {
+			out += string(r)
+			width = 0
+			continue
+		} else if width+cw > w {
+			out += "\n"
+			width = 0
+			out += string(r)
+			width += cw
+			continue
+		}
+		out += string(r)
+		width += cw
+	}
+	return out
+}
+
+// FillLeft return string filled in left by spaces in w cells
+func (c *Condition) FillLeft(s string, w int) string {
+	width := c.StringWidth(s)
+	count := w - width
+	if count > 0 {
+		b := make([]byte, count)
+		for i := range b {
+			b[i] = ' '
+		}
+		return string(b) + s
+	}
+	return s
+}
+
+// FillRight return string filled in left by spaces in w cells
+func (c *Condition) FillRight(s string, w int) string {
+	width := c.StringWidth(s)
+	count := w - width
+	if count > 0 {
+		b := make([]byte, count)
+		for i := range b {
+			b[i] = ' '
+		}
+		return s + string(b)
+	}
+	return s
+}
+
+// RuneWidth returns the number of cells in r.
+// See http://www.unicode.org/reports/tr11/
+func RuneWidth(r rune) int {
+	return DefaultCondition.RuneWidth(r)
+}
+
+// IsAmbiguousWidth returns whether is ambiguous width or not.
+func IsAmbiguousWidth(r rune) bool {
+	return inTables(r, private, ambiguous)
+}
+
+// IsNeutralWidth returns whether is neutral width or not.
+func IsNeutralWidth(r rune) bool {
+	return inTable(r, neutral)
+}
+
+// StringWidth return width as you can see
+func StringWidth(s string) (width int) {
+	return DefaultCondition.StringWidth(s)
+}
+
+// Truncate return string truncated with w cells
+func Truncate(s string, w int, tail string) string {
+	return DefaultCondition.Truncate(s, w, tail)
+}
+
+// TruncateLeft cuts w cells from the beginning of the `s`.
+func TruncateLeft(s string, w int, prefix string) string {
+	return DefaultCondition.TruncateLeft(s, w, prefix)
+}
+
+// Wrap return string wrapped with w cells
+func Wrap(s string, w int) string {
+	return DefaultCondition.Wrap(s, w)
+}
+
+// FillLeft return string filled in left by spaces in w cells
+func FillLeft(s string, w int) string {
+	return DefaultCondition.FillLeft(s, w)
+}
+
+// FillRight return string filled in left by spaces in w cells
+func FillRight(s string, w int) string {
+	return DefaultCondition.FillRight(s, w)
+}
+
+// CreateLUT will create an in-memory lookup table of 557055 bytes for faster operation.
+// This should not be called concurrently with other operations.
+func CreateLUT() {
+	if len(DefaultCondition.combinedLut) > 0 {
+		return
+	}
+	DefaultCondition.CreateLUT()
+}
diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_appengine.go b/vendor/github.com/mattn/go-runewidth/runewidth_appengine.go
new file mode 100644
index 0000000000..84b6528dfe
--- /dev/null
+++ b/vendor/github.com/mattn/go-runewidth/runewidth_appengine.go
@@ -0,0 +1,9 @@
+//go:build appengine
+// +build appengine
+
+package runewidth
+
+// IsEastAsian return true if the current locale is CJK
+func IsEastAsian() bool {
+	return false
+}
diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_js.go b/vendor/github.com/mattn/go-runewidth/runewidth_js.go
new file mode 100644
index 0000000000..c2abbc2db3
--- /dev/null
+++ b/vendor/github.com/mattn/go-runewidth/runewidth_js.go
@@ -0,0 +1,9 @@
+//go:build js && !appengine
+// +build js,!appengine
+
+package runewidth
+
+func IsEastAsian() bool {
+	// TODO: Implement this for the web. Detect east asian in a compatible way, and return true.
+	return false
+}
diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_posix.go b/vendor/github.com/mattn/go-runewidth/runewidth_posix.go
new file mode 100644
index 0000000000..5a31d738ec
--- /dev/null
+++ b/vendor/github.com/mattn/go-runewidth/runewidth_posix.go
@@ -0,0 +1,81 @@
+//go:build !windows && !js && !appengine
+// +build !windows,!js,!appengine
+
+package runewidth
+
+import (
+	"os"
+	"regexp"
+	"strings"
+)
+
+var reLoc = regexp.MustCompile(`^[a-z][a-z][a-z]?(?:_[A-Z][A-Z])?\.(.+)`)
+
+var mblenTable = map[string]int{
+	"utf-8":   6,
+	"utf8":    6,
+	"jis":     8,
+	"eucjp":   3,
+	"euckr":   2,
+	"euccn":   2,
+	"sjis":    2,
+	"cp932":   2,
+	"cp51932": 2,
+	"cp936":   2,
+	"cp949":   2,
+	"cp950":   2,
+	"big5":    2,
+	"gbk":     2,
+	"gb2312":  2,
+}
+
+func isEastAsian(locale string) bool {
+	charset := strings.ToLower(locale)
+	r := reLoc.FindStringSubmatch(locale)
+	if len(r) == 2 {
+		charset = strings.ToLower(r[1])
+	}
+
+	if strings.HasSuffix(charset, "@cjk_narrow") {
+		return false
+	}
+
+	for pos, b := range []byte(charset) {
+		if b == '@' {
+			charset = charset[:pos]
+			break
+		}
+	}
+	max := 1
+	if m, ok := mblenTable[charset]; ok {
+		max = m
+	}
+	if max > 1 && (charset[0] != 'u' ||
+		strings.HasPrefix(locale, "ja") ||
+		strings.HasPrefix(locale, "ko") ||
+		strings.HasPrefix(locale, "zh")) {
+		return true
+	}
+	return false
+}
+
+// IsEastAsian return true if the current locale is CJK
+func IsEastAsian() bool {
+	locale := os.Getenv("LC_ALL")
+	if locale == "" {
+		locale = os.Getenv("LC_CTYPE")
+	}
+	if locale == "" {
+		locale = os.Getenv("LANG")
+	}
+
+	// ignore C locale
+	if locale == "POSIX" || locale == "C" {
+		return false
+	}
+	if len(locale) > 1 && locale[0] == 'C' && (locale[1] == '.' || locale[1] == '-') {
+		return false
+	}
+
+	return isEastAsian(locale)
+}
diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_table.go b/vendor/github.com/mattn/go-runewidth/runewidth_table.go
new file mode 100644
index 0000000000..ad025ad529
--- /dev/null
+++ b/vendor/github.com/mattn/go-runewidth/runewidth_table.go
@@ -0,0 +1,450 @@
+// Code generated by script/generate.go. DO NOT EDIT.
+
+package runewidth
+
+var combining = table{
+	{0x0300, 0x036F}, {0x0483, 0x0489}, {0x07EB, 0x07F3},
+	{0x0C00, 0x0C00}, {0x0C04, 0x0C04}, {0x0CF3, 0x0CF3},
+	{0x0D00, 0x0D01}, {0x135D, 0x135F}, {0x1A7F, 0x1A7F},
+	{0x1AB0, 0x1ACE}, {0x1B6B, 0x1B73}, {0x1DC0, 0x1DFF},
+	{0x20D0, 0x20F0}, {0x2CEF, 0x2CF1}, {0x2DE0, 0x2DFF},
+	{0x3099, 0x309A}, {0xA66F, 0xA672}, {0xA674, 0xA67D},
+	{0xA69E, 0xA69F}, {0xA6F0, 0xA6F1}, {0xA8E0, 0xA8F1},
+	{0xFE20, 0xFE2F}, {0x101FD, 0x101FD}, {0x10376, 0x1037A},
+	{0x10EAB, 0x10EAC}, {0x10F46, 0x10F50}, {0x10F82, 0x10F85},
+	{0x11300, 0x11301}, {0x1133B, 0x1133C}, {0x11366, 0x1136C},
+	{0x11370, 0x11374}, {0x16AF0, 0x16AF4}, {0x1CF00, 0x1CF2D},
+	{0x1CF30, 0x1CF46}, {0x1D165, 0x1D169}, {0x1D16D, 0x1D172},
+	{0x1D17B, 0x1D182}, {0x1D185, 0x1D18B}, {0x1D1AA, 0x1D1AD},
+	{0x1D242, 0x1D244}, {0x1E000, 0x1E006}, {0x1E008, 0x1E018},
+	{0x1E01B, 0x1E021}, {0x1E023, 0x1E024}, {0x1E026, 0x1E02A},
+	{0x1E08F, 0x1E08F}, {0x1E8D0, 0x1E8D6},
+}
+
+var doublewidth = table{
+	{0x1100, 0x115F}, {0x231A, 0x231B}, {0x2329, 0x232A},
+	{0x23E9, 0x23EC}, {0x23F0, 0x23F0}, {0x23F3, 0x23F3},
+	{0x25FD, 0x25FE}, {0x2614, 0x2615}, {0x2648, 0x2653},
+	{0x267F, 0x267F}, {0x2693, 0x2693}, {0x26A1, 0x26A1},
+	{0x26AA, 0x26AB}, {0x26BD, 0x26BE}, {0x26C4, 0x26C5},
+	{0x26CE, 0x26CE}, {0x26D4, 0x26D4}, {0x26EA, 0x26EA},
+	{0x26F2, 0x26F3}, {0x26F5, 0x26F5}, {0x26FA, 0x26FA},
+	{0x26FD, 0x26FD}, {0x2705, 0x2705}, {0x270A, 0x270B},
+	{0x2728, 0x2728}, {0x274C, 0x274C}, {0x274E, 0x274E},
+	{0x2753, 0x2755}, {0x2757, 0x2757}, {0x2795, 0x2797},
+	{0x27B0, 0x27B0}, {0x27BF, 0x27BF}, {0x2B1B, 0x2B1C},
+	{0x2B50, 0x2B50}, {0x2B55, 0x2B55}, {0x2E80, 0x2E99},
+	{0x2E9B, 0x2EF3}, {0x2F00, 0x2FD5}, {0x2FF0, 0x303E},
+	{0x3041, 0x3096}, {0x3099, 0x30FF}, {0x3105, 0x312F},
+	{0x3131, 0x318E}, {0x3190, 0x31E3}, {0x31EF, 0x321E},
+	{0x3220, 0x3247}, {0x3250, 0x4DBF}, {0x4E00, 0xA48C},
+	{0xA490, 0xA4C6}, {0xA960, 0xA97C}, {0xAC00, 0xD7A3},
+	{0xF900, 0xFAFF}, {0xFE10, 0xFE19}, {0xFE30, 0xFE52},
+	{0xFE54, 0xFE66}, {0xFE68, 0xFE6B}, {0xFF01, 0xFF60},
+	{0xFFE0, 0xFFE6}, {0x16FE0, 0x16FE4}, {0x16FF0, 0x16FF1},
+	{0x17000, 0x187F7}, {0x18800, 0x18CD5}, {0x18D00, 0x18D08},
+	{0x1AFF0, 0x1AFF3}, {0x1AFF5, 0x1AFFB}, {0x1AFFD, 0x1AFFE},
+	{0x1B000, 0x1B122}, {0x1B132, 0x1B132}, {0x1B150, 0x1B152},
+	{0x1B155, 0x1B155}, {0x1B164, 0x1B167}, {0x1B170, 0x1B2FB},
+	{0x1F004, 0x1F004}, {0x1F0CF, 0x1F0CF}, {0x1F18E, 0x1F18E},
+	{0x1F191, 0x1F19A}, {0x1F200, 0x1F202}, {0x1F210, 0x1F23B},
+	{0x1F240, 0x1F248}, {0x1F250, 0x1F251}, {0x1F260, 0x1F265},
+	{0x1F300, 0x1F320}, {0x1F32D, 0x1F335}, {0x1F337, 0x1F37C},
+	{0x1F37E, 0x1F393}, {0x1F3A0, 0x1F3CA}, {0x1F3CF, 0x1F3D3},
+	{0x1F3E0, 0x1F3F0}, {0x1F3F4, 0x1F3F4}, {0x1F3F8, 0x1F43E},
+	{0x1F440, 0x1F440}, {0x1F442, 0x1F4FC}, {0x1F4FF, 0x1F53D},
+	{0x1F54B, 0x1F54E}, {0x1F550, 0x1F567}, {0x1F57A, 0x1F57A},
+	{0x1F595, 0x1F596}, {0x1F5A4, 0x1F5A4}, {0x1F5FB, 0x1F64F},
+	{0x1F680, 0x1F6C5}, {0x1F6CC, 0x1F6CC}, {0x1F6D0, 0x1F6D2},
+	{0x1F6D5, 0x1F6D7}, {0x1F6DC, 0x1F6DF}, {0x1F6EB, 0x1F6EC},
+	{0x1F6F4, 0x1F6FC}, {0x1F7E0, 0x1F7EB}, {0x1F7F0, 0x1F7F0},
+	{0x1F90C, 0x1F93A}, {0x1F93C, 0x1F945}, {0x1F947, 0x1F9FF},
+	{0x1FA70, 0x1FA7C}, {0x1FA80, 0x1FA88}, {0x1FA90, 0x1FABD},
+	{0x1FABF, 0x1FAC5}, {0x1FACE, 0x1FADB}, {0x1FAE0, 0x1FAE8},
+	{0x1FAF0, 0x1FAF8}, {0x20000, 0x2FFFD}, {0x30000, 0x3FFFD},
+}
+
+var ambiguous = table{
+	{0x00A1, 0x00A1}, {0x00A4, 0x00A4}, {0x00A7, 0x00A8},
+	{0x00AA, 0x00AA}, {0x00AD, 0x00AE}, {0x00B0, 0x00B4},
+	{0x00B6, 0x00BA}, {0x00BC, 0x00BF}, {0x00C6, 0x00C6},
+	{0x00D0, 0x00D0}, {0x00D7, 0x00D8}, {0x00DE, 0x00E1},
+	{0x00E6, 0x00E6}, {0x00E8, 0x00EA}, {0x00EC, 0x00ED},
+	{0x00F0, 0x00F0}, {0x00F2, 0x00F3}, {0x00F7, 0x00FA},
+	{0x00FC, 0x00FC}, {0x00FE, 0x00FE}, {0x0101, 0x0101},
+	{0x0111, 0x0111}, {0x0113, 0x0113}, {0x011B, 0x011B},
+	{0x0126, 0x0127}, {0x012B, 0x012B}, {0x0131, 0x0133},
+	{0x0138, 0x0138}, {0x013F, 0x0142}, {0x0144, 0x0144},
+	{0x0148, 0x014B}, {0x014D, 0x014D}, {0x0152, 0x0153},
+	{0x0166, 0x0167}, {0x016B, 0x016B}, {0x01CE, 0x01CE},
+	{0x01D0, 0x01D0}, {0x01D2, 0x01D2}, {0x01D4, 0x01D4},
+	{0x01D6, 0x01D6}, {0x01D8, 0x01D8}, {0x01DA, 0x01DA},
+	{0x01DC, 0x01DC}, {0x0251, 0x0251}, {0x0261, 0x0261},
+	{0x02C4, 0x02C4}, {0x02C7, 0x02C7}, {0x02C9, 0x02CB},
+	{0x02CD, 0x02CD}, {0x02D0, 0x02D0}, {0x02D8, 0x02DB},
+	{0x02DD, 0x02DD}, {0x02DF, 0x02DF}, {0x0300, 0x036F},
+	{0x0391, 0x03A1}, {0x03A3, 0x03A9}, {0x03B1, 0x03C1},
+	{0x03C3, 0x03C9}, {0x0401, 0x0401}, {0x0410, 0x044F},
+	{0x0451, 0x0451}, {0x2010, 0x2010}, {0x2013, 0x2016},
+	{0x2018, 0x2019}, {0x201C, 0x201D}, {0x2020, 0x2022},
+	{0x2024, 0x2027}, {0x2030, 0x2030}, {0x2032, 0x2033},
+	{0x2035, 0x2035}, {0x203B, 0x203B}, {0x203E, 0x203E},
+	{0x2074, 0x2074}, {0x207F, 0x207F}, {0x2081, 0x2084},
+	{0x20AC, 0x20AC}, {0x2103, 0x2103}, {0x2105, 0x2105},
+	{0x2109, 0x2109}, {0x2113, 0x2113}, {0x2116, 0x2116},
+	{0x2121, 0x2122}, {0x2126, 0x2126}, {0x212B, 0x212B},
+	{0x2153, 0x2154}, {0x215B, 0x215E}, {0x2160, 0x216B},
+	{0x2170, 0x2179}, {0x2189, 0x2189}, {0x2190, 0x2199},
+	{0x21B8, 0x21B9}, {0x21D2, 0x21D2}, {0x21D4, 0x21D4},
+	{0x21E7, 0x21E7}, {0x2200, 0x2200}, {0x2202, 0x2203},
+	{0x2207, 0x2208}, {0x220B, 0x220B}, {0x220F, 0x220F},
+	{0x2211, 0x2211}, {0x2215, 0x2215}, {0x221A, 0x221A},
+	{0x221D, 0x2220}, {0x2223, 0x2223}, {0x2225, 0x2225},
+	{0x2227, 0x222C}, {0x222E, 0x222E}, {0x2234, 0x2237},
+	{0x223C, 0x223D}, {0x2248, 0x2248}, {0x224C, 0x224C},
+	{0x2252, 0x2252}, {0x2260, 0x2261}, {0x2264, 0x2267},
+	{0x226A, 0x226B}, {0x226E, 0x226F}, {0x2282, 0x2283},
+	{0x2286, 0x2287}, {0x2295, 0x2295}, {0x2299, 0x2299},
+	{0x22A5, 0x22A5}, {0x22BF, 0x22BF}, {0x2312, 0x2312},
+	{0x2460, 0x24E9}, {0x24EB, 0x254B}, {0x2550, 0x2573},
+	{0x2580, 0x258F}, {0x2592, 0x2595}, {0x25A0, 0x25A1},
+	{0x25A3, 0x25A9}, {0x25B2, 0x25B3}, {0x25B6, 0x25B7},
+	{0x25BC, 0x25BD}, {0x25C0, 0x25C1}, {0x25C6, 0x25C8},
+	{0x25CB, 0x25CB}, {0x25CE, 0x25D1}, {0x25E2, 0x25E5},
+	{0x25EF, 0x25EF}, {0x2605, 0x2606}, {0x2609, 0x2609},
+	{0x260E, 0x260F}, {0x261C, 0x261C}, {0x261E, 0x261E},
+	{0x2640, 0x2640}, {0x2642, 0x2642}, {0x2660, 0x2661},
+	{0x2663, 0x2665}, {0x2667, 0x266A}, {0x266C, 0x266D},
+	{0x266F, 0x266F}, {0x269E, 0x269F}, {0x26BF, 0x26BF},
+	{0x26C6, 0x26CD}, {0x26CF, 0x26D3}, {0x26D5, 0x26E1},
+	{0x26E3, 0x26E3}, {0x26E8, 0x26E9}, {0x26EB, 0x26F1},
+	{0x26F4, 0x26F4}, {0x26F6, 0x26F9}, {0x26FB, 0x26FC},
+	{0x26FE, 0x26FF}, {0x273D, 0x273D}, {0x2776, 0x277F},
+	{0x2B56, 0x2B59}, {0x3248, 0x324F}, {0xE000, 0xF8FF},
+	{0xFE00, 0xFE0F}, {0xFFFD, 0xFFFD}, {0x1F100, 0x1F10A},
+	{0x1F110, 0x1F12D}, {0x1F130, 0x1F169}, {0x1F170, 0x1F18D},
+	{0x1F18F, 0x1F190}, {0x1F19B, 0x1F1AC}, {0xE0100, 0xE01EF},
+	{0xF0000, 0xFFFFD}, {0x100000, 0x10FFFD},
+}
+var narrow = table{
+	{0x0020, 0x007E}, {0x00A2, 0x00A3}, {0x00A5, 0x00A6},
+	{0x00AC, 0x00AC}, {0x00AF, 0x00AF}, {0x27E6, 0x27ED},
+	{0x2985, 0x2986},
+}
+
+var neutral = table{
+	{0x0000, 0x001F}, {0x007F, 0x00A0}, {0x00A9, 0x00A9},
+	{0x00AB, 0x00AB}, {0x00B5, 0x00B5}, {0x00BB, 0x00BB},
+	{0x00C0, 0x00C5}, {0x00C7, 0x00CF}, {0x00D1, 0x00D6},
+	{0x00D9, 0x00DD}, {0x00E2, 0x00E5}, {0x00E7, 0x00E7},
+	{0x00EB, 0x00EB}, {0x00EE, 0x00EF}, {0x00F1, 0x00F1},
+	{0x00F4, 0x00F6}, {0x00FB, 0x00FB}, {0x00FD, 0x00FD},
+	{0x00FF, 0x0100}, {0x0102, 0x0110}, {0x0112, 0x0112},
+	{0x0114, 0x011A}, {0x011C, 0x0125}, {0x0128, 0x012A},
+	{0x012C, 0x0130}, {0x0134, 0x0137}, {0x0139, 0x013E},
+	{0x0143, 0x0143}, {0x0145, 0x0147}, {0x014C, 0x014C},
+	{0x014E, 0x0151}, {0x0154, 0x0165}, {0x0168, 0x016A},
+	{0x016C, 0x01CD}, {0x01CF, 0x01CF}, {0x01D1, 0x01D1},
+	{0x01D3, 0x01D3}, {0x01D5, 0x01D5}, {0x01D7, 0x01D7},
+	{0x01D9, 0x01D9}, {0x01DB, 0x01DB}, {0x01DD, 0x0250},
+	{0x0252, 0x0260}, {0x0262, 0x02C3}, {0x02C5, 0x02C6},
+	{0x02C8, 0x02C8}, {0x02CC, 0x02CC}, {0x02CE, 0x02CF},
+	{0x02D1, 0x02D7}, {0x02DC, 0x02DC}, {0x02DE, 0x02DE},
+	{0x02E0, 0x02FF}, {0x0370, 0x0377}, {0x037A, 0x037F},
+	{0x0384, 0x038A}, {0x038C, 0x038C}, {0x038E, 0x0390},
+	{0x03AA, 0x03B0}, {0x03C2, 0x03C2}, {0x03CA, 0x0400},
+	{0x0402, 0x040F}, {0x0450, 0x0450}, {0x0452, 0x052F},
+	{0x0531, 0x0556}, {0x0559, 0x058A}, {0x058D, 0x058F},
+	{0x0591, 0x05C7}, {0x05D0, 0x05EA}, {0x05EF, 0x05F4},
+	{0x0600, 0x070D}, {0x070F, 0x074A}, {0x074D, 0x07B1},
+	{0x07C0, 0x07FA}, {0x07FD, 0x082D}, {0x0830, 0x083E},
+	{0x0840, 0x085B}, {0x085E, 0x085E}, {0x0860, 0x086A},
+	{0x0870, 0x088E}, {0x0890, 0x0891}, {0x0898, 0x0983},
+	{0x0985, 0x098C}, {0x098F, 0x0990}, {0x0993, 0x09A8},
+	{0x09AA, 0x09B0}, {0x09B2, 0x09B2}, {0x09B6, 0x09B9},
+	{0x09BC, 0x09C4}, {0x09C7, 0x09C8}, {0x09CB, 0x09CE},
+	{0x09D7, 0x09D7}, {0x09DC, 0x09DD}, {0x09DF, 0x09E3},
+	{0x09E6, 0x09FE}, {0x0A01, 0x0A03}, {0x0A05, 0x0A0A},
+	{0x0A0F, 0x0A10}, {0x0A13, 0x0A28}, {0x0A2A, 0x0A30},
+	{0x0A32, 0x0A33}, {0x0A35, 0x0A36}, {0x0A38, 0x0A39},
+	{0x0A3C, 0x0A3C}, {0x0A3E, 0x0A42}, {0x0A47, 0x0A48},
+	{0x0A4B, 0x0A4D}, {0x0A51, 0x0A51}, {0x0A59, 0x0A5C},
+	{0x0A5E, 0x0A5E}, {0x0A66, 0x0A76}, {0x0A81, 0x0A83},
+	{0x0A85, 0x0A8D}, {0x0A8F, 0x0A91}, {0x0A93, 0x0AA8},
+	{0x0AAA, 0x0AB0}, {0x0AB2, 0x0AB3}, {0x0AB5, 0x0AB9},
+	{0x0ABC, 0x0AC5}, {0x0AC7, 0x0AC9}, {0x0ACB, 0x0ACD},
+	{0x0AD0, 0x0AD0}, {0x0AE0, 0x0AE3}, {0x0AE6, 0x0AF1},
+	{0x0AF9, 0x0AFF}, {0x0B01, 0x0B03}, {0x0B05, 0x0B0C},
+	{0x0B0F, 0x0B10}, {0x0B13, 0x0B28}, {0x0B2A, 0x0B30},
+	{0x0B32, 0x0B33}, {0x0B35, 0x0B39}, {0x0B3C, 0x0B44},
+	{0x0B47, 0x0B48}, {0x0B4B, 0x0B4D}, {0x0B55, 0x0B57},
+	{0x0B5C, 0x0B5D}, {0x0B5F, 0x0B63}, {0x0B66, 0x0B77},
+	{0x0B82, 0x0B83}, {0x0B85, 0x0B8A}, {0x0B8E, 0x0B90},
+	{0x0B92, 0x0B95}, {0x0B99, 0x0B9A}, {0x0B9C, 0x0B9C},
+	{0x0B9E, 0x0B9F}, {0x0BA3, 0x0BA4}, {0x0BA8, 0x0BAA},
+	{0x0BAE, 0x0BB9}, {0x0BBE, 0x0BC2}, {0x0BC6, 0x0BC8},
+	{0x0BCA, 0x0BCD}, {0x0BD0, 0x0BD0}, {0x0BD7, 0x0BD7},
+	{0x0BE6, 0x0BFA}, {0x0C00, 0x0C0C}, {0x0C0E, 0x0C10},
+	{0x0C12, 0x0C28}, {0x0C2A, 0x0C39}, {0x0C3C, 0x0C44},
+	{0x0C46, 0x0C48}, {0x0C4A, 0x0C4D}, {0x0C55, 0x0C56},
+	{0x0C58, 0x0C5A}, {0x0C5D, 0x0C5D}, {0x0C60, 0x0C63},
+	{0x0C66, 0x0C6F}, {0x0C77, 0x0C8C}, {0x0C8E, 0x0C90},
+	{0x0C92, 0x0CA8}, {0x0CAA, 0x0CB3}, {0x0CB5, 0x0CB9},
+	{0x0CBC, 0x0CC4}, {0x0CC6, 0x0CC8}, {0x0CCA, 0x0CCD},
+	{0x0CD5, 0x0CD6}, {0x0CDD, 0x0CDE}, {0x0CE0, 0x0CE3},
+	{0x0CE6, 0x0CEF}, {0x0CF1, 0x0CF3}, {0x0D00, 0x0D0C},
+	{0x0D0E, 0x0D10}, {0x0D12, 0x0D44}, {0x0D46, 0x0D48},
+	{0x0D4A, 0x0D4F}, {0x0D54, 0x0D63}, {0x0D66, 0x0D7F},
+	{0x0D81, 0x0D83}, {0x0D85, 0x0D96}, {0x0D9A, 0x0DB1},
+	{0x0DB3, 0x0DBB}, {0x0DBD, 0x0DBD}, {0x0DC0, 0x0DC6},
+	{0x0DCA, 0x0DCA}, {0x0DCF, 0x0DD4}, {0x0DD6, 0x0DD6},
+	{0x0DD8, 0x0DDF}, {0x0DE6, 0x0DEF}, {0x0DF2, 0x0DF4},
+	{0x0E01, 0x0E3A}, {0x0E3F, 0x0E5B}, {0x0E81, 0x0E82},
+	{0x0E84, 0x0E84}, {0x0E86, 0x0E8A}, {0x0E8C, 0x0EA3},
+	{0x0EA5, 0x0EA5}, {0x0EA7, 0x0EBD}, {0x0EC0, 0x0EC4},
+	{0x0EC6, 0x0EC6}, {0x0EC8, 0x0ECE}, {0x0ED0, 0x0ED9},
+	{0x0EDC, 0x0EDF}, {0x0F00, 0x0F47}, {0x0F49, 0x0F6C},
+	{0x0F71, 0x0F97}, {0x0F99, 0x0FBC}, {0x0FBE, 0x0FCC},
+	{0x0FCE, 0x0FDA}, {0x1000, 0x10C5}, {0x10C7, 0x10C7},
+	{0x10CD, 0x10CD}, {0x10D0, 0x10FF}, {0x1160, 0x1248},
+	{0x124A, 0x124D}, {0x1250, 0x1256}, {0x1258, 0x1258},
+	{0x125A, 0x125D}, {0x1260, 0x1288}, {0x128A, 0x128D},
+	{0x1290, 0x12B0}, {0x12B2, 0x12B5}, {0x12B8, 0x12BE},
+	{0x12C0, 0x12C0}, {0x12C2, 0x12C5}, {0x12C8, 0x12D6},
+	{0x12D8, 0x1310}, {0x1312, 0x1315}, {0x1318, 0x135A},
+	{0x135D, 0x137C}, {0x1380, 0x1399}, {0x13A0, 0x13F5},
+	{0x13F8, 0x13FD}, {0x1400, 0x169C}, {0x16A0, 0x16F8},
+	{0x1700, 0x1715}, {0x171F, 0x1736}, {0x1740, 0x1753},
+	{0x1760, 0x176C}, {0x176E, 0x1770}, {0x1772, 0x1773},
+	{0x1780, 0x17DD}, {0x17E0, 0x17E9}, {0x17F0, 0x17F9},
+	{0x1800, 0x1819}, {0x1820, 0x1878}, {0x1880, 0x18AA},
+	{0x18B0, 0x18F5}, {0x1900, 0x191E}, {0x1920, 0x192B},
+	{0x1930, 0x193B}, {0x1940, 0x1940}, {0x1944, 0x196D},
+	{0x1970, 0x1974}, {0x1980, 0x19AB}, {0x19B0, 0x19C9},
+	{0x19D0, 0x19DA}, {0x19DE, 0x1A1B}, {0x1A1E, 0x1A5E},
+	{0x1A60, 0x1A7C}, {0x1A7F, 0x1A89}, {0x1A90, 0x1A99},
+	{0x1AA0, 0x1AAD}, {0x1AB0, 0x1ACE}, {0x1B00, 0x1B4C},
+	{0x1B50, 0x1B7E}, {0x1B80, 0x1BF3}, {0x1BFC, 0x1C37},
+	{0x1C3B, 0x1C49}, {0x1C4D, 0x1C88}, {0x1C90, 0x1CBA},
+	{0x1CBD, 0x1CC7}, {0x1CD0, 0x1CFA}, {0x1D00, 0x1F15},
+	{0x1F18, 0x1F1D}, {0x1F20, 0x1F45}, {0x1F48, 0x1F4D},
+	{0x1F50, 0x1F57}, {0x1F59, 0x1F59}, {0x1F5B, 0x1F5B},
+	{0x1F5D, 0x1F5D}, {0x1F5F, 0x1F7D}, {0x1F80, 0x1FB4},
+	{0x1FB6, 0x1FC4}, {0x1FC6, 0x1FD3}, {0x1FD6, 0x1FDB},
+	{0x1FDD, 0x1FEF}, {0x1FF2, 0x1FF4}, {0x1FF6, 0x1FFE},
+	{0x2000, 0x200F}, {0x2011, 0x2012}, {0x2017, 0x2017},
+	{0x201A, 0x201B}, {0x201E, 0x201F}, {0x2023, 0x2023},
+	{0x2028, 0x202F}, {0x2031, 0x2031}, {0x2034, 0x2034},
+	{0x2036, 0x203A}, {0x203C, 0x203D}, {0x203F, 0x2064},
+	{0x2066, 0x2071}, {0x2075, 0x207E}, {0x2080, 0x2080},
+	{0x2085, 0x208E}, {0x2090, 0x209C}, {0x20A0, 0x20A8},
+	{0x20AA, 0x20AB}, {0x20AD, 0x20C0}, {0x20D0, 0x20F0},
+	{0x2100, 0x2102}, {0x2104, 0x2104}, {0x2106, 0x2108},
+	{0x210A, 0x2112}, {0x2114, 0x2115}, {0x2117, 0x2120},
+	{0x2123, 0x2125}, {0x2127, 0x212A}, {0x212C, 0x2152},
+	{0x2155, 0x215A}, {0x215F, 0x215F}, {0x216C, 0x216F},
+	{0x217A, 0x2188}, {0x218A, 0x218B}, {0x219A, 0x21B7},
+	{0x21BA, 0x21D1}, {0x21D3, 0x21D3}, {0x21D5, 0x21E6},
+	{0x21E8, 0x21FF}, {0x2201, 0x2201}, {0x2204, 0x2206},
+	{0x2209, 0x220A}, {0x220C, 0x220E}, {0x2210, 0x2210},
+	{0x2212, 0x2214}, {0x2216, 0x2219}, {0x221B, 0x221C},
+	{0x2221, 0x2222}, {0x2224, 0x2224}, {0x2226, 0x2226},
+	{0x222D, 0x222D}, {0x222F, 0x2233}, {0x2238, 0x223B},
+	{0x223E, 0x2247}, {0x2249, 0x224B}, {0x224D, 0x2251},
+	{0x2253, 0x225F}, {0x2262, 0x2263}, {0x2268, 0x2269},
+	{0x226C, 0x226D}, {0x2270, 0x2281}, {0x2284, 0x2285},
+	{0x2288, 0x2294}, {0x2296, 0x2298}, {0x229A, 0x22A4},
+	{0x22A6, 0x22BE}, {0x22C0, 0x2311}, {0x2313, 0x2319},
+	{0x231C, 0x2328}, {0x232B, 0x23E8}, {0x23ED, 0x23EF},
+	{0x23F1, 0x23F2}, {0x23F4, 0x2426}, {0x2440, 0x244A},
+	{0x24EA, 0x24EA}, {0x254C, 0x254F}, {0x2574, 0x257F},
+	{0x2590, 0x2591}, {0x2596, 0x259F}, {0x25A2, 0x25A2},
+	{0x25AA, 0x25B1}, {0x25B4, 0x25B5}, {0x25B8, 0x25BB},
+	{0x25BE, 0x25BF}, {0x25C2, 0x25C5}, {0x25C9, 0x25CA},
+	{0x25CC, 0x25CD}, {0x25D2, 0x25E1}, {0x25E6, 0x25EE},
+	{0x25F0, 0x25FC}, {0x25FF, 0x2604}, {0x2607, 0x2608},
+	{0x260A, 0x260D}, {0x2610, 0x2613}, {0x2616, 0x261B},
+	{0x261D, 0x261D}, {0x261F, 0x263F}, {0x2641, 0x2641},
+	{0x2643, 0x2647}, {0x2654, 0x265F}, {0x2662, 0x2662},
+	{0x2666, 0x2666}, {0x266B, 0x266B}, {0x266E, 0x266E},
+	{0x2670, 0x267E}, {0x2680, 0x2692}, {0x2694, 0x269D},
+	{0x26A0, 0x26A0}, {0x26A2, 0x26A9}, {0x26AC, 0x26BC},
+	{0x26C0, 0x26C3}, {0x26E2, 0x26E2}, {0x26E4, 0x26E7},
+	{0x2700, 0x2704}, {0x2706, 0x2709}, {0x270C, 0x2727},
+	{0x2729, 0x273C}, {0x273E, 0x274B}, {0x274D, 0x274D},
+	{0x274F, 0x2752}, {0x2756, 0x2756}, {0x2758, 0x2775},
+	{0x2780, 0x2794}, {0x2798, 0x27AF}, {0x27B1, 0x27BE},
+	{0x27C0, 0x27E5}, {0x27EE, 0x2984}, {0x2987, 0x2B1A},
+	{0x2B1D, 0x2B4F}, {0x2B51, 0x2B54}, {0x2B5A, 0x2B73},
+	{0x2B76, 0x2B95}, {0x2B97, 0x2CF3}, {0x2CF9, 0x2D25},
+	{0x2D27, 0x2D27}, {0x2D2D, 0x2D2D}, {0x2D30, 0x2D67},
+	{0x2D6F, 0x2D70}, {0x2D7F, 0x2D96}, {0x2DA0, 0x2DA6},
+	{0x2DA8, 0x2DAE}, {0x2DB0, 0x2DB6}, {0x2DB8, 0x2DBE},
+	{0x2DC0, 0x2DC6}, {0x2DC8, 0x2DCE}, {0x2DD0, 0x2DD6},
+	{0x2DD8, 0x2DDE}, {0x2DE0, 0x2E5D}, {0x303F, 0x303F},
+	{0x4DC0, 0x4DFF}, {0xA4D0, 0xA62B}, {0xA640, 0xA6F7},
+	{0xA700, 0xA7CA}, {0xA7D0, 0xA7D1}, {0xA7D3, 0xA7D3},
+	{0xA7D5, 0xA7D9}, {0xA7F2, 0xA82C}, {0xA830, 0xA839},
+	{0xA840, 0xA877}, {0xA880, 0xA8C5}, {0xA8CE, 0xA8D9},
+	{0xA8E0, 0xA953}, {0xA95F, 0xA95F}, {0xA980, 0xA9CD},
+	{0xA9CF, 0xA9D9}, {0xA9DE, 0xA9FE}, {0xAA00, 0xAA36},
+	{0xAA40, 0xAA4D}, {0xAA50, 0xAA59}, {0xAA5C, 0xAAC2},
+	{0xAADB, 0xAAF6}, {0xAB01, 0xAB06}, {0xAB09, 0xAB0E},
+	{0xAB11, 0xAB16}, {0xAB20, 0xAB26}, {0xAB28, 0xAB2E},
+	{0xAB30, 0xAB6B}, {0xAB70, 0xABED}, {0xABF0, 0xABF9},
+	{0xD7B0, 0xD7C6}, {0xD7CB, 0xD7FB}, {0xD800, 0xDFFF},
+	{0xFB00, 0xFB06}, {0xFB13, 0xFB17}, {0xFB1D, 0xFB36},
+	{0xFB38, 0xFB3C}, {0xFB3E, 0xFB3E}, {0xFB40, 0xFB41},
+	{0xFB43, 0xFB44}, {0xFB46, 0xFBC2}, {0xFBD3, 0xFD8F},
+	{0xFD92, 0xFDC7}, {0xFDCF, 0xFDCF}, {0xFDF0, 0xFDFF},
+	{0xFE20, 0xFE2F}, {0xFE70, 0xFE74}, {0xFE76, 0xFEFC},
+	{0xFEFF, 0xFEFF}, {0xFFF9, 0xFFFC}, {0x10000, 0x1000B},
+	{0x1000D, 0x10026}, {0x10028, 0x1003A}, {0x1003C, 0x1003D},
+	{0x1003F, 0x1004D}, {0x10050, 0x1005D}, {0x10080, 0x100FA},
+	{0x10100, 0x10102}, {0x10107, 0x10133}, {0x10137, 0x1018E},
+	{0x10190, 0x1019C}, {0x101A0, 0x101A0}, {0x101D0, 0x101FD},
+	{0x10280, 0x1029C}, {0x102A0, 0x102D0}, {0x102E0, 0x102FB},
+	{0x10300, 0x10323}, {0x1032D, 0x1034A}, {0x10350, 0x1037A},
+	{0x10380, 0x1039D}, {0x1039F, 0x103C3}, {0x103C8, 0x103D5},
+	{0x10400, 0x1049D}, {0x104A0, 0x104A9}, {0x104B0, 0x104D3},
+	{0x104D8, 0x104FB}, {0x10500, 0x10527}, {0x10530, 0x10563},
+	{0x1056F, 0x1057A}, {0x1057C, 0x1058A}, {0x1058C, 0x10592},
+	{0x10594, 0x10595}, {0x10597, 0x105A1}, {0x105A3, 0x105B1},
+	{0x105B3, 0x105B9}, {0x105BB, 0x105BC}, {0x10600, 0x10736},
+	{0x10740, 0x10755}, {0x10760, 0x10767}, {0x10780, 0x10785},
+	{0x10787, 0x107B0}, {0x107B2, 0x107BA}, {0x10800, 0x10805},
+	{0x10808, 0x10808}, {0x1080A, 0x10835}, {0x10837, 0x10838},
+	{0x1083C, 0x1083C}, {0x1083F, 0x10855}, {0x10857, 0x1089E},
+	{0x108A7, 0x108AF}, {0x108E0, 0x108F2}, {0x108F4, 0x108F5},
+	{0x108FB, 0x1091B}, {0x1091F, 0x10939}, {0x1093F, 0x1093F},
+	{0x10980, 0x109B7}, {0x109BC, 0x109CF}, {0x109D2, 0x10A03},
+	{0x10A05, 0x10A06}, {0x10A0C, 0x10A13}, {0x10A15, 0x10A17},
+	{0x10A19, 0x10A35}, {0x10A38, 0x10A3A}, {0x10A3F, 0x10A48},
+	{0x10A50, 0x10A58}, {0x10A60, 0x10A9F}, {0x10AC0, 0x10AE6},
+	{0x10AEB, 0x10AF6}, {0x10B00, 0x10B35}, {0x10B39, 0x10B55},
+	{0x10B58, 0x10B72}, {0x10B78, 0x10B91}, {0x10B99, 0x10B9C},
+	{0x10BA9, 0x10BAF}, {0x10C00, 0x10C48}, {0x10C80, 0x10CB2},
+	{0x10CC0, 0x10CF2}, {0x10CFA, 0x10D27}, {0x10D30, 0x10D39},
+	{0x10E60, 0x10E7E}, {0x10E80, 0x10EA9}, {0x10EAB, 0x10EAD},
+	{0x10EB0, 0x10EB1}, {0x10EFD, 0x10F27}, {0x10F30, 0x10F59},
+	{0x10F70, 0x10F89}, {0x10FB0, 0x10FCB}, {0x10FE0, 0x10FF6},
+	{0x11000, 0x1104D}, {0x11052, 0x11075}, {0x1107F, 0x110C2},
+	{0x110CD, 0x110CD}, {0x110D0, 0x110E8}, {0x110F0, 0x110F9},
+	{0x11100, 0x11134}, {0x11136, 0x11147}, {0x11150, 0x11176},
+	{0x11180, 0x111DF}, {0x111E1, 0x111F4}, {0x11200, 0x11211},
+	{0x11213, 0x11241}, {0x11280, 0x11286}, {0x11288, 0x11288},
+	{0x1128A, 0x1128D}, {0x1128F, 0x1129D}, {0x1129F, 0x112A9},
+	{0x112B0, 0x112EA}, {0x112F0, 0x112F9}, {0x11300, 0x11303},
+	{0x11305, 0x1130C}, {0x1130F, 0x11310}, {0x11313, 0x11328},
+	{0x1132A, 0x11330}, {0x11332, 0x11333}, {0x11335, 0x11339},
+	{0x1133B, 0x11344}, {0x11347, 0x11348}, {0x1134B, 0x1134D},
+	{0x11350, 0x11350}, {0x11357, 0x11357}, {0x1135D, 0x11363},
+	{0x11366, 0x1136C}, {0x11370, 0x11374}, {0x11400, 0x1145B},
+	{0x1145D, 0x11461}, {0x11480, 0x114C7}, {0x114D0, 0x114D9},
+	{0x11580, 0x115B5}, {0x115B8, 0x115DD}, {0x11600, 0x11644},
+	{0x11650, 0x11659}, {0x11660, 0x1166C}, {0x11680, 0x116B9},
+	{0x116C0, 0x116C9}, {0x11700, 0x1171A}, {0x1171D, 0x1172B},
+	{0x11730, 0x11746}, {0x11800, 0x1183B}, {0x118A0, 0x118F2},
+	{0x118FF, 0x11906}, {0x11909, 0x11909}, {0x1190C, 0x11913},
+	{0x11915, 0x11916}, {0x11918, 0x11935}, {0x11937, 0x11938},
+	{0x1193B, 0x11946}, {0x11950, 0x11959}, {0x119A0, 0x119A7},
+	{0x119AA, 0x119D7}, {0x119DA, 0x119E4}, {0x11A00, 0x11A47},
+	{0x11A50, 0x11AA2}, {0x11AB0, 0x11AF8}, {0x11B00, 0x11B09},
+	{0x11C00, 0x11C08}, {0x11C0A, 0x11C36}, {0x11C38, 0x11C45},
+	{0x11C50, 0x11C6C}, {0x11C70, 0x11C8F}, {0x11C92, 0x11CA7},
+	{0x11CA9, 0x11CB6}, {0x11D00, 0x11D06}, {0x11D08, 0x11D09},
+	{0x11D0B, 0x11D36}, {0x11D3A, 0x11D3A}, {0x11D3C, 0x11D3D},
+	{0x11D3F, 0x11D47}, {0x11D50, 0x11D59}, {0x11D60, 0x11D65},
+	{0x11D67, 0x11D68}, {0x11D6A, 0x11D8E}, {0x11D90, 0x11D91},
+	{0x11D93, 0x11D98}, {0x11DA0, 0x11DA9}, {0x11EE0, 0x11EF8},
+	{0x11F00, 0x11F10}, {0x11F12, 0x11F3A}, {0x11F3E, 0x11F59},
+	{0x11FB0, 0x11FB0}, {0x11FC0, 0x11FF1}, {0x11FFF, 0x12399},
+	{0x12400, 0x1246E}, {0x12470, 0x12474}, {0x12480, 0x12543},
+	{0x12F90, 0x12FF2}, {0x13000, 0x13455}, {0x14400, 0x14646},
+	{0x16800, 0x16A38}, {0x16A40, 0x16A5E}, {0x16A60, 0x16A69},
+	{0x16A6E, 0x16ABE}, {0x16AC0, 0x16AC9}, {0x16AD0, 0x16AED},
+	{0x16AF0, 0x16AF5}, {0x16B00, 0x16B45}, {0x16B50, 0x16B59},
+	{0x16B5B, 0x16B61}, {0x16B63, 0x16B77}, {0x16B7D, 0x16B8F},
+	{0x16E40, 0x16E9A}, {0x16F00, 0x16F4A}, {0x16F4F, 0x16F87},
+	{0x16F8F, 0x16F9F}, {0x1BC00, 0x1BC6A}, {0x1BC70, 0x1BC7C},
+	{0x1BC80, 0x1BC88}, {0x1BC90, 0x1BC99}, {0x1BC9C, 0x1BCA3},
+	{0x1CF00, 0x1CF2D}, {0x1CF30, 0x1CF46}, {0x1CF50, 0x1CFC3},
+	{0x1D000, 0x1D0F5}, {0x1D100, 0x1D126}, {0x1D129, 0x1D1EA},
+	{0x1D200, 0x1D245}, {0x1D2C0, 0x1D2D3}, {0x1D2E0, 0x1D2F3},
+	{0x1D300, 0x1D356}, {0x1D360, 0x1D378}, {0x1D400, 0x1D454},
+	{0x1D456, 0x1D49C}, {0x1D49E, 0x1D49F}, {0x1D4A2, 0x1D4A2},
+	{0x1D4A5, 0x1D4A6}, {0x1D4A9, 0x1D4AC}, {0x1D4AE, 0x1D4B9},
+	{0x1D4BB, 0x1D4BB}, {0x1D4BD, 0x1D4C3}, {0x1D4C5, 0x1D505},
+	{0x1D507, 0x1D50A}, {0x1D50D, 0x1D514}, {0x1D516, 0x1D51C},
+	{0x1D51E, 0x1D539}, {0x1D53B, 0x1D53E}, {0x1D540, 0x1D544},
+	{0x1D546, 0x1D546}, {0x1D54A, 0x1D550}, {0x1D552, 0x1D6A5},
+	{0x1D6A8, 0x1D7CB}, {0x1D7CE, 0x1DA8B}, {0x1DA9B, 0x1DA9F},
+	{0x1DAA1, 0x1DAAF}, {0x1DF00, 0x1DF1E}, {0x1DF25, 0x1DF2A},
+	{0x1E000, 0x1E006}, {0x1E008, 0x1E018}, {0x1E01B, 0x1E021},
+	{0x1E023, 0x1E024}, {0x1E026, 0x1E02A}, {0x1E030, 0x1E06D},
+	{0x1E08F, 0x1E08F}, {0x1E100, 0x1E12C}, {0x1E130, 0x1E13D},
+	{0x1E140, 0x1E149}, {0x1E14E, 0x1E14F}, {0x1E290, 0x1E2AE},
+	{0x1E2C0, 0x1E2F9}, {0x1E2FF, 0x1E2FF}, {0x1E4D0, 0x1E4F9},
+	{0x1E7E0, 0x1E7E6}, {0x1E7E8, 0x1E7EB}, {0x1E7ED, 0x1E7EE},
+	{0x1E7F0, 0x1E7FE}, {0x1E800, 0x1E8C4}, {0x1E8C7, 0x1E8D6},
+	{0x1E900, 0x1E94B}, {0x1E950, 0x1E959}, {0x1E95E, 0x1E95F},
+	{0x1EC71, 0x1ECB4}, {0x1ED01, 0x1ED3D}, {0x1EE00, 0x1EE03},
+	{0x1EE05, 0x1EE1F}, {0x1EE21, 0x1EE22}, {0x1EE24, 0x1EE24},
+	{0x1EE27, 0x1EE27}, {0x1EE29, 0x1EE32}, {0x1EE34, 0x1EE37},
+	{0x1EE39, 0x1EE39}, {0x1EE3B, 0x1EE3B}, {0x1EE42, 0x1EE42},
+	{0x1EE47, 0x1EE47}, {0x1EE49, 0x1EE49}, {0x1EE4B, 0x1EE4B},
+	{0x1EE4D, 0x1EE4F}, {0x1EE51, 0x1EE52}, {0x1EE54, 0x1EE54},
+	{0x1EE57, 0x1EE57}, {0x1EE59, 0x1EE59}, {0x1EE5B, 0x1EE5B},
+	{0x1EE5D, 0x1EE5D}, {0x1EE5F, 0x1EE5F}, {0x1EE61, 0x1EE62},
+	{0x1EE64, 0x1EE64}, {0x1EE67, 0x1EE6A}, {0x1EE6C, 0x1EE72},
+	{0x1EE74, 0x1EE77}, {0x1EE79, 0x1EE7C}, {0x1EE7E, 0x1EE7E},
+	{0x1EE80, 0x1EE89}, {0x1EE8B, 0x1EE9B}, {0x1EEA1, 0x1EEA3},
+	{0x1EEA5, 0x1EEA9}, {0x1EEAB, 0x1EEBB}, {0x1EEF0, 0x1EEF1},
+	{0x1F000, 0x1F003}, {0x1F005, 0x1F02B}, {0x1F030, 0x1F093},
+	{0x1F0A0, 0x1F0AE}, {0x1F0B1, 0x1F0BF}, {0x1F0C1, 0x1F0CE},
+	{0x1F0D1, 0x1F0F5}, {0x1F10B, 0x1F10F}, {0x1F12E, 0x1F12F},
+	{0x1F16A, 0x1F16F}, {0x1F1AD, 0x1F1AD}, {0x1F1E6, 0x1F1FF},
+	{0x1F321, 0x1F32C}, {0x1F336, 0x1F336}, {0x1F37D, 0x1F37D},
+	{0x1F394, 0x1F39F}, {0x1F3CB, 0x1F3CE}, {0x1F3D4, 0x1F3DF},
+	{0x1F3F1, 0x1F3F3}, {0x1F3F5, 0x1F3F7}, {0x1F43F, 0x1F43F},
+	{0x1F441, 0x1F441}, {0x1F4FD, 0x1F4FE}, {0x1F53E, 0x1F54A},
+	{0x1F54F, 0x1F54F}, {0x1F568, 0x1F579}, {0x1F57B, 0x1F594},
+	{0x1F597, 0x1F5A3}, {0x1F5A5, 0x1F5FA}, {0x1F650, 0x1F67F},
+	{0x1F6C6, 0x1F6CB}, {0x1F6CD, 0x1F6CF}, {0x1F6D3, 0x1F6D4},
+	{0x1F6E0, 0x1F6EA}, {0x1F6F0, 0x1F6F3}, {0x1F700, 0x1F776},
+	{0x1F77B, 0x1F7D9}, {0x1F800, 0x1F80B}, {0x1F810, 0x1F847},
+	{0x1F850, 0x1F859}, {0x1F860, 0x1F887}, {0x1F890, 0x1F8AD},
+	{0x1F8B0, 0x1F8B1}, {0x1F900, 0x1F90B}, {0x1F93B, 0x1F93B},
+	{0x1F946, 0x1F946}, {0x1FA00, 0x1FA53}, {0x1FA60, 0x1FA6D},
+	{0x1FB00, 0x1FB92}, {0x1FB94, 0x1FBCA}, {0x1FBF0, 0x1FBF9},
+	{0xE0001, 0xE0001}, {0xE0020, 0xE007F},
+}
+
+var emoji = table{
+	{0x203C, 0x203C}, {0x2049, 0x2049}, {0x2122, 0x2122},
+	{0x2139, 0x2139}, {0x2194, 0x2199}, {0x21A9, 0x21AA},
+	{0x231A, 0x231B}, {0x2328, 0x2328}, {0x2388, 0x2388},
+	{0x23CF, 0x23CF}, {0x23E9, 0x23F3}, {0x23F8, 0x23FA},
+	{0x24C2, 0x24C2}, {0x25AA, 0x25AB}, {0x25B6, 0x25B6},
+	{0x25C0, 0x25C0}, {0x25FB, 0x25FE}, {0x2600, 0x2605},
+	{0x2607, 0x2612}, {0x2614, 0x2685}, {0x2690, 0x2705},
+	{0x2708, 0x2712}, {0x2714, 0x2714}, {0x2716, 0x2716},
+	{0x271D, 0x271D}, {0x2721, 0x2721}, {0x2728, 0x2728},
+	{0x2733, 0x2734}, {0x2744, 0x2744}, {0x2747, 0x2747},
+	{0x274C, 0x274C}, {0x274E, 0x274E}, {0x2753, 0x2755},
+	{0x2757, 0x2757}, {0x2763, 0x2767}, {0x2795, 0x2797},
+	{0x27A1, 0x27A1}, {0x27B0, 0x27B0}, {0x27BF, 0x27BF},
+	{0x2934, 0x2935}, {0x2B05, 0x2B07}, {0x2B1B, 0x2B1C},
+	{0x2B50, 0x2B50}, {0x2B55, 0x2B55}, {0x3030, 0x3030},
+	{0x303D, 0x303D}, {0x3297, 0x3297}, {0x3299, 0x3299},
+	{0x1F000, 0x1F0FF}, {0x1F10D, 0x1F10F}, {0x1F12F, 0x1F12F},
+	{0x1F16C, 0x1F171}, {0x1F17E, 0x1F17F}, {0x1F18E, 0x1F18E},
+	{0x1F191, 0x1F19A}, {0x1F1AD, 0x1F1E5}, {0x1F201, 0x1F20F},
+	{0x1F21A, 0x1F21A}, {0x1F22F, 0x1F22F}, {0x1F232, 0x1F23A},
+	{0x1F23C, 0x1F23F}, {0x1F249, 0x1F3FA}, {0x1F400, 0x1F53D},
+	{0x1F546, 0x1F64F}, {0x1F680, 0x1F6FF}, {0x1F774, 0x1F77F},
+	{0x1F7D5, 0x1F7FF}, {0x1F80C, 0x1F80F}, {0x1F848, 0x1F84F},
+	{0x1F85A, 0x1F85F}, {0x1F888, 0x1F88F}, {0x1F8AE, 0x1F8FF},
+	{0x1F90C, 0x1F93A}, {0x1F93C, 0x1F945}, {0x1F947, 0x1FAFF},
+	{0x1FC00, 0x1FFFD},
+}
diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_windows.go b/vendor/github.com/mattn/go-runewidth/runewidth_windows.go
new file mode 100644
index 0000000000..5f987a310f
--- /dev/null
+++ b/vendor/github.com/mattn/go-runewidth/runewidth_windows.go
@@ -0,0 +1,28 @@
+//go:build windows && !appengine
+// +build windows,!appengine
+
+package runewidth
+
+import (
+	"syscall"
+)
+
+var (
+	kernel32               = syscall.NewLazyDLL("kernel32")
+	procGetConsoleOutputCP = kernel32.NewProc("GetConsoleOutputCP")
+)
+
+// IsEastAsian return true if the current locale is CJK
+func IsEastAsian() bool {
+	r1, _, _ := procGetConsoleOutputCP.Call()
+	if r1 == 0 {
+		return false
+	}
+
+	switch int(r1) {
+	case 932, 51932, 936, 949, 950:
+		return true
+	}
+
+	return false
+}
diff --git a/vendor/github.com/mitchellh/copystructure/LICENSE b/vendor/github.com/mitchellh/copystructure/LICENSE
new file mode 100644
index 0000000000..2298515904
--- /dev/null
+++ b/vendor/github.com/mitchellh/copystructure/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Mitchell Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/mitchellh/copystructure/README.md b/vendor/github.com/mitchellh/copystructure/README.md
new file mode 100644
index 0000000000..f0fbd2e5c9
--- /dev/null
+++ b/vendor/github.com/mitchellh/copystructure/README.md
@@ -0,0 +1,21 @@
+# copystructure
+
+copystructure is a Go library for deep copying values in Go.
+
+This allows you to copy Go values that may contain reference values
+such as maps, slices, or pointers, and copy their data as well instead
+of just their references.
+
+## Installation
+
+Standard `go get`:
+
+```
+$ go get github.com/mitchellh/copystructure
+```
+
+## Usage & Example
+
+For usage and examples see the [Godoc](http://godoc.org/github.com/mitchellh/copystructure).
+
+The `Copy` function has examples associated with it there.
diff --git a/vendor/github.com/mitchellh/copystructure/copier_time.go b/vendor/github.com/mitchellh/copystructure/copier_time.go
new file mode 100644
index 0000000000..db6a6aa1a1
--- /dev/null
+++ b/vendor/github.com/mitchellh/copystructure/copier_time.go
@@ -0,0 +1,15 @@
+package copystructure
+
+import (
+	"reflect"
+	"time"
+)
+
+func init() {
+	Copiers[reflect.TypeOf(time.Time{})] = timeCopier
+}
+
+func timeCopier(v interface{}) (interface{}, error) {
+	// Just... copy it.
+	return v.(time.Time), nil
+}
diff --git a/vendor/github.com/mitchellh/copystructure/copystructure.go b/vendor/github.com/mitchellh/copystructure/copystructure.go
new file mode 100644
index 0000000000..8089e6670a
--- /dev/null
+++ b/vendor/github.com/mitchellh/copystructure/copystructure.go
@@ -0,0 +1,631 @@
+package copystructure
+
+import (
+	"errors"
+	"reflect"
+	"sync"
+
+	"github.com/mitchellh/reflectwalk"
+)
+
+const tagKey = "copy"
+
+// Copy returns a deep copy of v.
+//
+// Copy is unable to copy unexported fields in a struct (lowercase field names).
+// Unexported fields can't be reflected by the Go runtime and therefore
+// copystructure can't perform any data copies.
+//
+// For structs, copy behavior can be controlled with struct tags. For example:
+//
+//   struct {
+//     Name string
+//     Data *bytes.Buffer `copy:"shallow"`
+//   }
+//
+// The available tag values are:
+//
+// * "ignore" - The field will be ignored, effectively resulting in it being
+//   assigned the zero value in the copy.
+//
+// * "shallow" - The field will be be shallow copied. This means that references
+//   values such as pointers, maps, slices, etc. will be directly assigned
+//   versus deep copied.
+//
+func Copy(v interface{}) (interface{}, error) {
+	return Config{}.Copy(v)
+}
+
+// CopierFunc is a function that knows how to deep copy a specific type.
+// Register these globally with the Copiers variable.
+type CopierFunc func(interface{}) (interface{}, error)
+
+// Copiers is a map of types that behave specially when they are copied.
+// If a type is found in this map while deep copying, this function
+// will be called to copy it instead of attempting to copy all fields.
+//
+// The key should be the type, obtained using: reflect.TypeOf(value with type).
+//
+// It is unsafe to write to this map after Copies have started. If you
+// are writing to this map while also copying, wrap all modifications to
+// this map as well as to Copy in a mutex.
+var Copiers map[reflect.Type]CopierFunc = make(map[reflect.Type]CopierFunc)
+
+// ShallowCopiers is a map of pointer types that behave specially
+// when they are copied.  If a type is found in this map while deep
+// copying, the pointer value will be shallow copied and not walked
+// into.
+//
+// The key should be the type, obtained using: reflect.TypeOf(value
+// with type).
+//
+// It is unsafe to write to this map after Copies have started. If you
+// are writing to this map while also copying, wrap all modifications to
+// this map as well as to Copy in a mutex.
+var ShallowCopiers map[reflect.Type]struct{} = make(map[reflect.Type]struct{})
+
+// Must is a helper that wraps a call to a function returning
+// (interface{}, error) and panics if the error is non-nil. It is intended
+// for use in variable initializations and should only be used when a copy
+// error should be a crashing case.
+func Must(v interface{}, err error) interface{} {
+	if err != nil {
+		panic("copy error: " + err.Error())
+	}
+
+	return v
+}
+
+var errPointerRequired = errors.New("Copy argument must be a pointer when Lock is true")
+
+type Config struct {
+	// Lock any types that are a sync.Locker and are not a mutex while copying.
+	// If there is an RLocker method, use that to get the sync.Locker.
+	Lock bool
+
+	// Copiers is a map of types associated with a CopierFunc. Use the global
+	// Copiers map if this is nil.
+	Copiers map[reflect.Type]CopierFunc
+
+	// ShallowCopiers is a map of pointer types that when they are
+	// shallow copied no matter where they are encountered. Use the
+	// global ShallowCopiers if this is nil.
+	ShallowCopiers map[reflect.Type]struct{}
+}
+
+func (c Config) Copy(v interface{}) (interface{}, error) {
+	if c.Lock && reflect.ValueOf(v).Kind() != reflect.Ptr {
+		return nil, errPointerRequired
+	}
+
+	w := new(walker)
+	if c.Lock {
+		w.useLocks = true
+	}
+
+	if c.Copiers == nil {
+		c.Copiers = Copiers
+	}
+	w.copiers = c.Copiers
+
+	if c.ShallowCopiers == nil {
+		c.ShallowCopiers = ShallowCopiers
+	}
+	w.shallowCopiers = c.ShallowCopiers
+
+	err := reflectwalk.Walk(v, w)
+	if err != nil {
+		return nil, err
+	}
+
+	// Get the result. If the result is nil, then we want to turn it
+	// into a typed nil if we can.
+	result := w.Result
+	if result == nil {
+		val := reflect.ValueOf(v)
+		result = reflect.Indirect(reflect.New(val.Type())).Interface()
+	}
+
+	return result, nil
+}
+
+// Return the key used to index interfaces types we've seen. Store the number
+// of pointers in the upper 32bits, and the depth in the lower 32bits. This is
+// easy to calculate, easy to match a key with our current depth, and we don't
+// need to deal with initializing and cleaning up nested maps or slices.
+func ifaceKey(pointers, depth int) uint64 {
+	return uint64(pointers)<<32 | uint64(depth)
+}
+
+type walker struct {
+	Result interface{}
+
+	copiers        map[reflect.Type]CopierFunc
+	shallowCopiers map[reflect.Type]struct{}
+	depth          int
+	ignoreDepth    int
+	vals           []reflect.Value
+	cs             []reflect.Value
+
+	// This stores the number of pointers we've walked over, indexed by depth.
+	ps []int
+
+	// If an interface is indirected by a pointer, we need to know the type of
+	// interface to create when creating the new value.  Store the interface
+	// types here, indexed by both the walk depth and the number of pointers
+	// already seen at that depth. Use ifaceKey to calculate the proper uint64
+	// value.
+	ifaceTypes map[uint64]reflect.Type
+
+	// any locks we've taken, indexed by depth
+	locks []sync.Locker
+	// take locks while walking the structure
+	useLocks bool
+}
+
+func (w *walker) Enter(l reflectwalk.Location) error {
+	w.depth++
+
+	// ensure we have enough elements to index via w.depth
+	for w.depth >= len(w.locks) {
+		w.locks = append(w.locks, nil)
+	}
+
+	for len(w.ps) < w.depth+1 {
+		w.ps = append(w.ps, 0)
+	}
+
+	return nil
+}
+
+func (w *walker) Exit(l reflectwalk.Location) error {
+	locker := w.locks[w.depth]
+	w.locks[w.depth] = nil
+	if locker != nil {
+		defer locker.Unlock()
+	}
+
+	// clear out pointers and interfaces as we exit the stack
+	w.ps[w.depth] = 0
+
+	for k := range w.ifaceTypes {
+		mask := uint64(^uint32(0))
+		if k&mask == uint64(w.depth) {
+			delete(w.ifaceTypes, k)
+		}
+	}
+
+	w.depth--
+	if w.ignoreDepth > w.depth {
+		w.ignoreDepth = 0
+	}
+
+	if w.ignoring() {
+		return nil
+	}
+
+	switch l {
+	case reflectwalk.Array:
+		fallthrough
+	case reflectwalk.Map:
+		fallthrough
+	case reflectwalk.Slice:
+		w.replacePointerMaybe()
+
+		// Pop map off our container
+		w.cs = w.cs[:len(w.cs)-1]
+	case reflectwalk.MapValue:
+		// Pop off the key and value
+		mv := w.valPop()
+		mk := w.valPop()
+		m := w.cs[len(w.cs)-1]
+
+		// If mv is the zero value, SetMapIndex deletes the key form the map,
+		// or in this case never adds it. We need to create a properly typed
+		// zero value so that this key can be set.
+		if !mv.IsValid() {
+			mv = reflect.Zero(m.Elem().Type().Elem())
+		}
+		m.Elem().SetMapIndex(mk, mv)
+	case reflectwalk.ArrayElem:
+		// Pop off the value and the index and set it on the array
+		v := w.valPop()
+		i := w.valPop().Interface().(int)
+		if v.IsValid() {
+			a := w.cs[len(w.cs)-1]
+			ae := a.Elem().Index(i) // storing array as pointer on stack - so need Elem() call
+			if ae.CanSet() {
+				ae.Set(v)
+			}
+		}
+	case reflectwalk.SliceElem:
+		// Pop off the value and the index and set it on the slice
+		v := w.valPop()
+		i := w.valPop().Interface().(int)
+		if v.IsValid() {
+			s := w.cs[len(w.cs)-1]
+			se := s.Elem().Index(i)
+			if se.CanSet() {
+				se.Set(v)
+			}
+		}
+	case reflectwalk.Struct:
+		w.replacePointerMaybe()
+
+		// Remove the struct from the container stack
+		w.cs = w.cs[:len(w.cs)-1]
+	case reflectwalk.StructField:
+		// Pop off the value and the field
+		v := w.valPop()
+		f := w.valPop().Interface().(reflect.StructField)
+		if v.IsValid() {
+			s := w.cs[len(w.cs)-1]
+			sf := reflect.Indirect(s).FieldByName(f.Name)
+
+			if sf.CanSet() {
+				sf.Set(v)
+			}
+		}
+	case reflectwalk.WalkLoc:
+		// Clear out the slices for GC
+		w.cs = nil
+		w.vals = nil
+	}
+
+	return nil
+}
+
+func (w *walker) Map(m reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(m)
+
+	// Create the map. If the map itself is nil, then just make a nil map
+	var newMap reflect.Value
+	if m.IsNil() {
+		newMap = reflect.New(m.Type())
+	} else {
+		newMap = wrapPtr(reflect.MakeMap(m.Type()))
+	}
+
+	w.cs = append(w.cs, newMap)
+	w.valPush(newMap)
+	return nil
+}
+
+func (w *walker) MapElem(m, k, v reflect.Value) error {
+	return nil
+}
+
+func (w *walker) PointerEnter(v bool) error {
+	if v {
+		w.ps[w.depth]++
+	}
+	return nil
+}
+
+func (w *walker) PointerExit(v bool) error {
+	if v {
+		w.ps[w.depth]--
+	}
+	return nil
+}
+
+func (w *walker) Pointer(v reflect.Value) error {
+	if _, ok := w.shallowCopiers[v.Type()]; ok {
+		// Shallow copy this value. Use the same logic as primitive, then
+		// return skip.
+		if err := w.Primitive(v); err != nil {
+			return err
+		}
+
+		return reflectwalk.SkipEntry
+	}
+
+	return nil
+}
+
+func (w *walker) Interface(v reflect.Value) error {
+	if !v.IsValid() {
+		return nil
+	}
+	if w.ifaceTypes == nil {
+		w.ifaceTypes = make(map[uint64]reflect.Type)
+	}
+
+	w.ifaceTypes[ifaceKey(w.ps[w.depth], w.depth)] = v.Type()
+	return nil
+}
+
+func (w *walker) Primitive(v reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(v)
+
+	// IsValid verifies the v is non-zero and CanInterface verifies
+	// that we're allowed to read this value (unexported fields).
+	var newV reflect.Value
+	if v.IsValid() && v.CanInterface() {
+		newV = reflect.New(v.Type())
+		newV.Elem().Set(v)
+	}
+
+	w.valPush(newV)
+	w.replacePointerMaybe()
+	return nil
+}
+
+func (w *walker) Slice(s reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(s)
+
+	var newS reflect.Value
+	if s.IsNil() {
+		newS = reflect.New(s.Type())
+	} else {
+		newS = wrapPtr(reflect.MakeSlice(s.Type(), s.Len(), s.Cap()))
+	}
+
+	w.cs = append(w.cs, newS)
+	w.valPush(newS)
+	return nil
+}
+
+func (w *walker) SliceElem(i int, elem reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+
+	// We don't write the slice here because elem might still be
+	// arbitrarily complex. Just record the index and continue on.
+	w.valPush(reflect.ValueOf(i))
+
+	return nil
+}
+
+func (w *walker) Array(a reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(a)
+
+	newA := reflect.New(a.Type())
+
+	w.cs = append(w.cs, newA)
+	w.valPush(newA)
+	return nil
+}
+
+func (w *walker) ArrayElem(i int, elem reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+
+	// We don't write the array here because elem might still be
+	// arbitrarily complex. Just record the index and continue on.
+	w.valPush(reflect.ValueOf(i))
+
+	return nil
+}
+
+func (w *walker) Struct(s reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+	w.lock(s)
+
+	var v reflect.Value
+	if c, ok := w.copiers[s.Type()]; ok {
+		// We have a Copier for this struct, so we use that copier to
+		// get the copy, and we ignore anything deeper than this.
+		w.ignoreDepth = w.depth
+
+		dup, err := c(s.Interface())
+		if err != nil {
+			return err
+		}
+
+		// We need to put a pointer to the value on the value stack,
+		// so allocate a new pointer and set it.
+		v = reflect.New(s.Type())
+		reflect.Indirect(v).Set(reflect.ValueOf(dup))
+	} else {
+		// No copier, we copy ourselves and allow reflectwalk to guide
+		// us deeper into the structure for copying.
+		v = reflect.New(s.Type())
+	}
+
+	// Push the value onto the value stack for setting the struct field,
+	// and add the struct itself to the containers stack in case we walk
+	// deeper so that its own fields can be modified.
+	w.valPush(v)
+	w.cs = append(w.cs, v)
+
+	return nil
+}
+
+func (w *walker) StructField(f reflect.StructField, v reflect.Value) error {
+	if w.ignoring() {
+		return nil
+	}
+
+	// If PkgPath is non-empty, this is a private (unexported) field.
+	// We do not set this unexported since the Go runtime doesn't allow us.
+	if f.PkgPath != "" {
+		return reflectwalk.SkipEntry
+	}
+
+	switch f.Tag.Get(tagKey) {
+	case "shallow":
+		// If we're shallow copying then assign the value directly to the
+		// struct and skip the entry.
+		if v.IsValid() {
+			s := w.cs[len(w.cs)-1]
+			sf := reflect.Indirect(s).FieldByName(f.Name)
+			if sf.CanSet() {
+				sf.Set(v)
+			}
+		}
+
+		return reflectwalk.SkipEntry
+
+	case "ignore":
+		// Do nothing
+		return reflectwalk.SkipEntry
+	}
+
+	// Push the field onto the stack, we'll handle it when we exit
+	// the struct field in Exit...
+	w.valPush(reflect.ValueOf(f))
+
+	return nil
+}
+
+// ignore causes the walker to ignore any more values until we exit this on
+func (w *walker) ignore() {
+	w.ignoreDepth = w.depth
+}
+
+func (w *walker) ignoring() bool {
+	return w.ignoreDepth > 0 && w.depth >= w.ignoreDepth
+}
+
+func (w *walker) pointerPeek() bool {
+	return w.ps[w.depth] > 0
+}
+
+func (w *walker) valPop() reflect.Value {
+	result := w.vals[len(w.vals)-1]
+	w.vals = w.vals[:len(w.vals)-1]
+
+	// If we're out of values, that means we popped everything off. In
+	// this case, we reset the result so the next pushed value becomes
+	// the result.
+	if len(w.vals) == 0 {
+		w.Result = nil
+	}
+
+	return result
+}
+
+func (w *walker) valPush(v reflect.Value) {
+	w.vals = append(w.vals, v)
+
+	// If we haven't set the result yet, then this is the result since
+	// it is the first (outermost) value we're seeing.
+	if w.Result == nil && v.IsValid() {
+		w.Result = v.Interface()
+	}
+}
+
+func (w *walker) replacePointerMaybe() {
+	// Determine the last pointer value. If it is NOT a pointer, then
+	// we need to push that onto the stack.
+	if !w.pointerPeek() {
+		w.valPush(reflect.Indirect(w.valPop()))
+		return
+	}
+
+	v := w.valPop()
+
+	// If the expected type is a pointer to an interface of any depth,
+	// such as *interface{}, **interface{}, etc., then we need to convert
+	// the value "v" from *CONCRETE to *interface{} so types match for
+	// Set.
+	//
+	// Example if v is type *Foo where Foo is a struct, v would become
+	// *interface{} instead. This only happens if we have an interface expectation
+	// at this depth.
+	//
+	// For more info, see GH-16
+	if iType, ok := w.ifaceTypes[ifaceKey(w.ps[w.depth], w.depth)]; ok && iType.Kind() == reflect.Interface {
+		y := reflect.New(iType)           // Create *interface{}
+		y.Elem().Set(reflect.Indirect(v)) // Assign "Foo" to interface{} (dereferenced)
+		v = y                             // v is now typed *interface{} (where *v = Foo)
+	}
+
+	for i := 1; i < w.ps[w.depth]; i++ {
+		if iType, ok := w.ifaceTypes[ifaceKey(w.ps[w.depth]-i, w.depth)]; ok {
+			iface := reflect.New(iType).Elem()
+			iface.Set(v)
+			v = iface
+		}
+
+		p := reflect.New(v.Type())
+		p.Elem().Set(v)
+		v = p
+	}
+
+	w.valPush(v)
+}
+
+// if this value is a Locker, lock it and add it to the locks slice
+func (w *walker) lock(v reflect.Value) {
+	if !w.useLocks {
+		return
+	}
+
+	if !v.IsValid() || !v.CanInterface() {
+		return
+	}
+
+	type rlocker interface {
+		RLocker() sync.Locker
+	}
+
+	var locker sync.Locker
+
+	// We can't call Interface() on a value directly, since that requires
+	// a copy. This is OK, since the pointer to a value which is a sync.Locker
+	// is also a sync.Locker.
+	if v.Kind() == reflect.Ptr {
+		switch l := v.Interface().(type) {
+		case rlocker:
+			// don't lock a mutex directly
+			if _, ok := l.(*sync.RWMutex); !ok {
+				locker = l.RLocker()
+			}
+		case sync.Locker:
+			locker = l
+		}
+	} else if v.CanAddr() {
+		switch l := v.Addr().Interface().(type) {
+		case rlocker:
+			// don't lock a mutex directly
+			if _, ok := l.(*sync.RWMutex); !ok {
+				locker = l.RLocker()
+			}
+		case sync.Locker:
+			locker = l
+		}
+	}
+
+	// still no callable locker
+	if locker == nil {
+		return
+	}
+
+	// don't lock a mutex directly
+	switch locker.(type) {
+	case *sync.Mutex, *sync.RWMutex:
+		return
+	}
+
+	locker.Lock()
+	w.locks[w.depth] = locker
+}
+
+// wrapPtr is a helper that takes v and always make it *v. copystructure
+// stores things internally as pointers until the last moment before unwrapping
+func wrapPtr(v reflect.Value) reflect.Value {
+	if !v.IsValid() {
+		return v
+	}
+	vPtr := reflect.New(v.Type())
+	vPtr.Elem().Set(v)
+	return vPtr
+}
diff --git a/vendor/github.com/mitchellh/go-wordwrap/LICENSE.md b/vendor/github.com/mitchellh/go-wordwrap/LICENSE.md
new file mode 100644
index 0000000000..2298515904
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-wordwrap/LICENSE.md
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Mitchell Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/mitchellh/go-wordwrap/README.md b/vendor/github.com/mitchellh/go-wordwrap/README.md
new file mode 100644
index 0000000000..60ae311700
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-wordwrap/README.md
@@ -0,0 +1,39 @@
+# go-wordwrap
+
+`go-wordwrap` (Golang package: `wordwrap`) is a package for Go that
+automatically wraps words into multiple lines. The primary use case for this
+is in formatting CLI output, but of course word wrapping is a generally useful
+thing to do.
+
+## Installation and Usage
+
+Install using `go get github.com/mitchellh/go-wordwrap`.
+
+Full documentation is available at
+http://godoc.org/github.com/mitchellh/go-wordwrap
+
+Below is an example of its usage ignoring errors:
+
+```go
+wrapped := wordwrap.WrapString("foo bar baz", 3)
+fmt.Println(wrapped)
+```
+
+Would output:
+
+```
+foo
+bar
+baz
+```
+
+## Word Wrap Algorithm
+
+This library doesn't use any clever algorithm for word wrapping. The wrapping
+is actually very naive: whenever there is whitespace or an explicit linebreak.
+The goal of this library is for word wrapping CLI output, so the input is
+typically pretty well controlled human language. Because of this, the naive
+approach typically works just fine.
+
+In the future, we'd like to make the algorithm more advanced. We would do
+so without breaking the API.
diff --git a/vendor/github.com/mitchellh/go-wordwrap/wordwrap.go b/vendor/github.com/mitchellh/go-wordwrap/wordwrap.go
new file mode 100644
index 0000000000..f7bedda388
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-wordwrap/wordwrap.go
@@ -0,0 +1,83 @@
+package wordwrap
+
+import (
+	"bytes"
+	"unicode"
+)
+
+const nbsp = 0xA0
+
+// WrapString wraps the given string within lim width in characters.
+//
+// Wrapping is currently naive and only happens at white-space. A future
+// version of the library will implement smarter wrapping. This means that
+// pathological cases can dramatically reach past the limit, such as a very
+// long word.
+func WrapString(s string, lim uint) string {
+	// Initialize a buffer with a slightly larger size to account for breaks
+	init := make([]byte, 0, len(s))
+	buf := bytes.NewBuffer(init)
+
+	var current uint
+	var wordBuf, spaceBuf bytes.Buffer
+	var wordBufLen, spaceBufLen uint
+
+	for _, char := range s {
+		if char == '\n' {
+			if wordBuf.Len() == 0 {
+				if current+spaceBufLen > lim {
+					current = 0
+				} else {
+					current += spaceBufLen
+					spaceBuf.WriteTo(buf)
+				}
+				spaceBuf.Reset()
+				spaceBufLen = 0
+			} else {
+				current += spaceBufLen + wordBufLen
+				spaceBuf.WriteTo(buf)
+				spaceBuf.Reset()
+				spaceBufLen = 0
+				wordBuf.WriteTo(buf)
+				wordBuf.Reset()
+				wordBufLen = 0
+			}
+			buf.WriteRune(char)
+			current = 0
+		} else if unicode.IsSpace(char) && char != nbsp {
+			if spaceBuf.Len() == 0 || wordBuf.Len() > 0 {
+				current += spaceBufLen + wordBufLen
+				spaceBuf.WriteTo(buf)
+				spaceBuf.Reset()
+				spaceBufLen = 0
+				wordBuf.WriteTo(buf)
+				wordBuf.Reset()
+				wordBufLen = 0
+			}
+
+			spaceBuf.WriteRune(char)
+			spaceBufLen++
+		} else {
+			wordBuf.WriteRune(char)
+			wordBufLen++
+
+			if current+wordBufLen+spaceBufLen > lim && wordBufLen < lim {
+				buf.WriteRune('\n')
+				current = 0
+				spaceBuf.Reset()
+				spaceBufLen = 0
+			}
+		}
+	}
+
+	if wordBuf.Len() == 0 {
+		if current+spaceBufLen <= lim {
+			spaceBuf.WriteTo(buf)
+		}
+	} else {
+		spaceBuf.WriteTo(buf)
+		wordBuf.WriteTo(buf)
+	}
+
+	return buf.String()
+}
diff --git a/vendor/github.com/mitchellh/reflectwalk/.travis.yml b/vendor/github.com/mitchellh/reflectwalk/.travis.yml
new file mode 100644
index 0000000000..4f2ee4d973
--- /dev/null
+++ b/vendor/github.com/mitchellh/reflectwalk/.travis.yml
@@ -0,0 +1 @@
+language: go
diff --git a/vendor/github.com/mitchellh/reflectwalk/LICENSE b/vendor/github.com/mitchellh/reflectwalk/LICENSE
new file mode 100644
index 0000000000..f9c841a51e
--- /dev/null
+++ b/vendor/github.com/mitchellh/reflectwalk/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Mitchell Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/mitchellh/reflectwalk/README.md b/vendor/github.com/mitchellh/reflectwalk/README.md
new file mode 100644
index 0000000000..ac82cd2e15
--- /dev/null
+++ b/vendor/github.com/mitchellh/reflectwalk/README.md
@@ -0,0 +1,6 @@
+# reflectwalk
+
+reflectwalk is a Go library for "walking" a value in Go using reflection,
+in the same way a directory tree can be "walked" on the filesystem. Walking
+a complex structure can allow you to do manipulations on unknown structures
+such as those decoded from JSON.
diff --git a/vendor/github.com/mitchellh/reflectwalk/location.go b/vendor/github.com/mitchellh/reflectwalk/location.go
new file mode 100644
index 0000000000..6a7f176117
--- /dev/null
+++ b/vendor/github.com/mitchellh/reflectwalk/location.go
@@ -0,0 +1,19 @@
+package reflectwalk
+
+//go:generate stringer -type=Location location.go
+
+type Location uint
+
+const (
+	None Location = iota
+	Map
+	MapKey
+	MapValue
+	Slice
+	SliceElem
+	Array
+	ArrayElem
+	Struct
+	StructField
+	WalkLoc
+)
diff --git a/vendor/github.com/mitchellh/reflectwalk/location_string.go b/vendor/github.com/mitchellh/reflectwalk/location_string.go
new file mode 100644
index 0000000000..70760cf4c7
--- /dev/null
+++ b/vendor/github.com/mitchellh/reflectwalk/location_string.go
@@ -0,0 +1,16 @@
+// Code generated by "stringer -type=Location location.go"; DO NOT EDIT.
+
+package reflectwalk
+
+import "fmt"
+
+const _Location_name = "NoneMapMapKeyMapValueSliceSliceElemArrayArrayElemStructStructFieldWalkLoc"
+
+var _Location_index = [...]uint8{0, 4, 7, 13, 21, 26, 35, 40, 49, 55, 66, 73}
+
+func (i Location) String() string {
+	if i >= Location(len(_Location_index)-1) {
+		return fmt.Sprintf("Location(%d)", i)
+	}
+	return _Location_name[_Location_index[i]:_Location_index[i+1]]
+}
diff --git a/vendor/github.com/mitchellh/reflectwalk/reflectwalk.go b/vendor/github.com/mitchellh/reflectwalk/reflectwalk.go
new file mode 100644
index 0000000000..7fee7b050b
--- /dev/null
+++ b/vendor/github.com/mitchellh/reflectwalk/reflectwalk.go
@@ -0,0 +1,420 @@
+// reflectwalk is a package that allows you to "walk" complex structures
+// similar to how you may "walk" a filesystem: visiting every element one
+// by one and calling callback functions allowing you to handle and manipulate
+// those elements.
+package reflectwalk
+
+import (
+	"errors"
+	"reflect"
+)
+
+// PrimitiveWalker implementations are able to handle primitive values
+// within complex structures. Primitive values are numbers, strings,
+// booleans, funcs, chans.
+//
+// These primitive values are often members of more complex
+// structures (slices, maps, etc.) that are walkable by other interfaces.
+type PrimitiveWalker interface {
+	Primitive(reflect.Value) error
+}
+
+// InterfaceWalker implementations are able to handle interface values as they
+// are encountered during the walk.
+type InterfaceWalker interface {
+	Interface(reflect.Value) error
+}
+
+// MapWalker implementations are able to handle individual elements
+// found within a map structure.
+type MapWalker interface {
+	Map(m reflect.Value) error
+	MapElem(m, k, v reflect.Value) error
+}
+
+// SliceWalker implementations are able to handle slice elements found
+// within complex structures.
+type SliceWalker interface {
+	Slice(reflect.Value) error
+	SliceElem(int, reflect.Value) error
+}
+
+// ArrayWalker implementations are able to handle array elements found
+// within complex structures.
+type ArrayWalker interface {
+	Array(reflect.Value) error
+	ArrayElem(int, reflect.Value) error
+}
+
+// StructWalker is an interface that has methods that are called for
+// structs when a Walk is done.
+type StructWalker interface {
+	Struct(reflect.Value) error
+	StructField(reflect.StructField, reflect.Value) error
+}
+
+// EnterExitWalker implementations are notified before and after
+// they walk deeper into complex structures (into struct fields,
+// into slice elements, etc.)
+type EnterExitWalker interface {
+	Enter(Location) error
+	Exit(Location) error
+}
+
+// PointerWalker implementations are notified when the value they're
+// walking is a pointer or not. Pointer is called for _every_ value whether
+// it is a pointer or not.
+type PointerWalker interface {
+	PointerEnter(bool) error
+	PointerExit(bool) error
+}
+
+// PointerValueWalker implementations are notified with the value of
+// a particular pointer when a pointer is walked. Pointer is called
+// right before PointerEnter.
+type PointerValueWalker interface {
+	Pointer(reflect.Value) error
+}
+
+// SkipEntry can be returned from walk functions to skip walking
+// the value of this field. This is only valid in the following functions:
+//
+//   - Struct: skips all fields from being walked
+//   - StructField: skips walking the struct value
+//
+var SkipEntry = errors.New("skip this entry")
+
+// Walk takes an arbitrary value and an interface and traverses the
+// value, calling callbacks on the interface if they are supported.
+// The interface should implement one or more of the walker interfaces
+// in this package, such as PrimitiveWalker, StructWalker, etc.
+func Walk(data, walker interface{}) (err error) {
+	v := reflect.ValueOf(data)
+	ew, ok := walker.(EnterExitWalker)
+	if ok {
+		err = ew.Enter(WalkLoc)
+	}
+
+	if err == nil {
+		err = walk(v, walker)
+	}
+
+	if ok && err == nil {
+		err = ew.Exit(WalkLoc)
+	}
+
+	return
+}
+
+func walk(v reflect.Value, w interface{}) (err error) {
+	// Determine if we're receiving a pointer and if so notify the walker.
+	// The logic here is convoluted but very important (tests will fail if
+	// almost any part is changed). I will try to explain here.
+	//
+	// First, we check if the value is an interface, if so, we really need
+	// to check the interface's VALUE to see whether it is a pointer.
+	//
+	// Check whether the value is then a pointer. If so, then set pointer
+	// to true to notify the user.
+	//
+	// If we still have a pointer or an interface after the indirections, then
+	// we unwrap another level
+	//
+	// At this time, we also set "v" to be the dereferenced value. This is
+	// because once we've unwrapped the pointer we want to use that value.
+	pointer := false
+	pointerV := v
+
+	for {
+		if pointerV.Kind() == reflect.Interface {
+			if iw, ok := w.(InterfaceWalker); ok {
+				if err = iw.Interface(pointerV); err != nil {
+					return
+				}
+			}
+
+			pointerV = pointerV.Elem()
+		}
+
+		if pointerV.Kind() == reflect.Ptr {
+			if pw, ok := w.(PointerValueWalker); ok {
+				if err = pw.Pointer(pointerV); err != nil {
+					if err == SkipEntry {
+						// Skip the rest of this entry but clear the error
+						return nil
+					}
+
+					return
+				}
+			}
+
+			pointer = true
+			v = reflect.Indirect(pointerV)
+		}
+		if pw, ok := w.(PointerWalker); ok {
+			if err = pw.PointerEnter(pointer); err != nil {
+				return
+			}
+
+			defer func(pointer bool) {
+				if err != nil {
+					return
+				}
+
+				err = pw.PointerExit(pointer)
+			}(pointer)
+		}
+
+		if pointer {
+			pointerV = v
+		}
+		pointer = false
+
+		// If we still have a pointer or interface we have to indirect another level.
+		switch pointerV.Kind() {
+		case reflect.Ptr, reflect.Interface:
+			continue
+		}
+		break
+	}
+
+	// We preserve the original value here because if it is an interface
+	// type, we want to pass that directly into the walkPrimitive, so that
+	// we can set it.
+	originalV := v
+	if v.Kind() == reflect.Interface {
+		v = v.Elem()
+	}
+
+	k := v.Kind()
+	if k >= reflect.Int && k <= reflect.Complex128 {
+		k = reflect.Int
+	}
+
+	switch k {
+	// Primitives
+	case reflect.Bool, reflect.Chan, reflect.Func, reflect.Int, reflect.String, reflect.Invalid:
+		err = walkPrimitive(originalV, w)
+		return
+	case reflect.Map:
+		err = walkMap(v, w)
+		return
+	case reflect.Slice:
+		err = walkSlice(v, w)
+		return
+	case reflect.Struct:
+		err = walkStruct(v, w)
+		return
+	case reflect.Array:
+		err = walkArray(v, w)
+		return
+	default:
+		panic("unsupported type: " + k.String())
+	}
+}
+
+func walkMap(v reflect.Value, w interface{}) error {
+	ew, ewok := w.(EnterExitWalker)
+	if ewok {
+		ew.Enter(Map)
+	}
+
+	if mw, ok := w.(MapWalker); ok {
+		if err := mw.Map(v); err != nil {
+			return err
+		}
+	}
+
+	for _, k := range v.MapKeys() {
+		kv := v.MapIndex(k)
+
+		if mw, ok := w.(MapWalker); ok {
+			if err := mw.MapElem(v, k, kv); err != nil {
+				return err
+			}
+		}
+
+		ew, ok := w.(EnterExitWalker)
+		if ok {
+			ew.Enter(MapKey)
+		}
+
+		if err := walk(k, w); err != nil {
+			return err
+		}
+
+		if ok {
+			ew.Exit(MapKey)
+			ew.Enter(MapValue)
+		}
+
+		// get the map value again as it may have changed in the MapElem call
+		if err := walk(v.MapIndex(k), w); err != nil {
+			return err
+		}
+
+		if ok {
+			ew.Exit(MapValue)
+		}
+	}
+
+	if ewok {
+		ew.Exit(Map)
+	}
+
+	return nil
+}
+
+func walkPrimitive(v reflect.Value, w interface{}) error {
+	if pw, ok := w.(PrimitiveWalker); ok {
+		return pw.Primitive(v)
+	}
+
+	return nil
+}
+
+func walkSlice(v reflect.Value, w interface{}) (err error) {
+	ew, ok := w.(EnterExitWalker)
+	if ok {
+		ew.Enter(Slice)
+	}
+
+	if sw, ok := w.(SliceWalker); ok {
+		if err := sw.Slice(v); err != nil {
+			return err
+		}
+	}
+
+	for i := 0; i < v.Len(); i++ {
+		elem := v.Index(i)
+
+		if sw, ok := w.(SliceWalker); ok {
+			if err := sw.SliceElem(i, elem); err != nil {
+				return err
+			}
+		}
+
+		ew, ok := w.(EnterExitWalker)
+		if ok {
+			ew.Enter(SliceElem)
+		}
+
+		if err := walk(elem, w); err != nil {
+			return err
+		}
+
+		if ok {
+			ew.Exit(SliceElem)
+		}
+	}
+
+	ew, ok = w.(EnterExitWalker)
+	if ok {
+		ew.Exit(Slice)
+	}
+
+	return nil
+}
+
+func walkArray(v reflect.Value, w interface{}) (err error) {
+	ew, ok := w.(EnterExitWalker)
+	if ok {
+		ew.Enter(Array)
+	}
+
+	if aw, ok := w.(ArrayWalker); ok {
+		if err := aw.Array(v); err != nil {
+			return err
+		}
+	}
+
+	for i := 0; i < v.Len(); i++ {
+		elem := v.Index(i)
+
+		if aw, ok := w.(ArrayWalker); ok {
+			if err := aw.ArrayElem(i, elem); err != nil {
+				return err
+			}
+		}
+
+		ew, ok := w.(EnterExitWalker)
+		if ok {
+			ew.Enter(ArrayElem)
+		}
+
+		if err := walk(elem, w); err != nil {
+			return err
+		}
+
+		if ok {
+			ew.Exit(ArrayElem)
+		}
+	}
+
+	ew, ok = w.(EnterExitWalker)
+	if ok {
+		ew.Exit(Array)
+	}
+
+	return nil
+}
+
+func walkStruct(v reflect.Value, w interface{}) (err error) {
+	ew, ewok := w.(EnterExitWalker)
+	if ewok {
+		ew.Enter(Struct)
+	}
+
+	skip := false
+	if sw, ok := w.(StructWalker); ok {
+		err = sw.Struct(v)
+		if err == SkipEntry {
+			skip = true
+			err = nil
+		}
+		if err != nil {
+			return
+		}
+	}
+
+	if !skip {
+		vt := v.Type()
+		for i := 0; i < vt.NumField(); i++ {
+			sf := vt.Field(i)
+			f := v.FieldByIndex([]int{i})
+
+			if sw, ok := w.(StructWalker); ok {
+				err = sw.StructField(sf, f)
+
+				// SkipEntry just pretends this field doesn't even exist
+				if err == SkipEntry {
+					continue
+				}
+
+				if err != nil {
+					return
+				}
+			}
+
+			ew, ok := w.(EnterExitWalker)
+			if ok {
+				ew.Enter(StructField)
+			}
+
+			err = walk(f, w)
+			if err != nil {
+				return
+			}
+
+			if ok {
+				ew.Exit(StructField)
+			}
+		}
+	}
+
+	if ewok {
+		ew.Exit(Struct)
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/moby/term/.gitignore b/vendor/github.com/moby/term/.gitignore
new file mode 100644
index 0000000000..b0747ff010
--- /dev/null
+++ b/vendor/github.com/moby/term/.gitignore
@@ -0,0 +1,8 @@
+# if you want to ignore files created by your editor/tools, consider using a
+# global .gitignore or .git/info/exclude see https://help.github.com/articles/ignoring-files
+.*
+!.github
+!.gitignore
+profile.out
+# support running go modules in vendor mode for local development
+vendor/
diff --git a/vendor/github.com/moby/term/LICENSE b/vendor/github.com/moby/term/LICENSE
new file mode 100644
index 0000000000..6d8d58fb67
--- /dev/null
+++ b/vendor/github.com/moby/term/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2013-2018 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/moby/term/README.md b/vendor/github.com/moby/term/README.md
new file mode 100644
index 0000000000..0ce92cc339
--- /dev/null
+++ b/vendor/github.com/moby/term/README.md
@@ -0,0 +1,36 @@
+# term - utilities for dealing with terminals
+
+![Test](https://github.com/moby/term/workflows/Test/badge.svg) [![GoDoc](https://godoc.org/github.com/moby/term?status.svg)](https://godoc.org/github.com/moby/term) [![Go Report Card](https://goreportcard.com/badge/github.com/moby/term)](https://goreportcard.com/report/github.com/moby/term)
+
+term provides structures and helper functions to work with terminal (state, sizes).
+
+#### Using term
+
+```go
+package main
+
+import (
+	"log"
+	"os"
+
+	"github.com/moby/term"
+)
+
+func main() {
+	fd := os.Stdin.Fd()
+	if term.IsTerminal(fd) {
+		ws, err := term.GetWinsize(fd)
+		if err != nil {
+			log.Fatalf("term.GetWinsize: %s", err)
+		}
+		log.Printf("%d:%d\n", ws.Height, ws.Width)
+	}
+}
+```
+
+## Contributing
+
+Want to hack on term? [Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md) apply.
+
+## Copyright and license
+Code and documentation copyright 2015 Docker, inc. Code released under the Apache 2.0 license. Docs released under Creative commons.
diff --git a/vendor/github.com/moby/term/ascii.go b/vendor/github.com/moby/term/ascii.go
new file mode 100644
index 0000000000..55873c0556
--- /dev/null
+++ b/vendor/github.com/moby/term/ascii.go
@@ -0,0 +1,66 @@
+package term
+
+import (
+	"fmt"
+	"strings"
+)
+
+// ASCII list the possible supported ASCII key sequence
+var ASCII = []string{
+	"ctrl-@",
+	"ctrl-a",
+	"ctrl-b",
+	"ctrl-c",
+	"ctrl-d",
+	"ctrl-e",
+	"ctrl-f",
+	"ctrl-g",
+	"ctrl-h",
+	"ctrl-i",
+	"ctrl-j",
+	"ctrl-k",
+	"ctrl-l",
+	"ctrl-m",
+	"ctrl-n",
+	"ctrl-o",
+	"ctrl-p",
+	"ctrl-q",
+	"ctrl-r",
+	"ctrl-s",
+	"ctrl-t",
+	"ctrl-u",
+	"ctrl-v",
+	"ctrl-w",
+	"ctrl-x",
+	"ctrl-y",
+	"ctrl-z",
+	"ctrl-[",
+	"ctrl-\\",
+	"ctrl-]",
+	"ctrl-^",
+	"ctrl-_",
+}
+
+// ToBytes converts a string representing a suite of key-sequence to the corresponding ASCII code.
+func ToBytes(keys string) ([]byte, error) {
+	codes := []byte{}
+next:
+	for _, key := range strings.Split(keys, ",") {
+		if len(key) != 1 {
+			for code, ctrl := range ASCII {
+				if ctrl == key {
+					codes = append(codes, byte(code))
+					continue next
+				}
+			}
+			if key == "DEL" {
+				codes = append(codes, 127)
+			} else {
+				return nil, fmt.Errorf("Unknown character: '%s'", key)
+			}
+		} else {
+			codes = append(codes, key[0])
+		}
+	}
+	return codes, nil
+}
diff --git a/vendor/github.com/moby/term/doc.go b/vendor/github.com/moby/term/doc.go
new file mode 100644
index 0000000000..c9bc032443
--- /dev/null
+++ b/vendor/github.com/moby/term/doc.go
@@ -0,0 +1,3 @@
+// Package term provides structures and helper functions to work with
+// terminal (state, sizes).
+package term
diff --git a/vendor/github.com/moby/term/proxy.go b/vendor/github.com/moby/term/proxy.go
new file mode 100644
index 0000000000..c47756b89a
--- /dev/null
+++ b/vendor/github.com/moby/term/proxy.go
@@ -0,0 +1,88 @@
+package term
+
+import (
+	"io"
+)
+
+// EscapeError is special error which returned by a TTY proxy reader's Read()
+// method in case its detach escape sequence is read.
+type EscapeError struct{}
+
+func (EscapeError) Error() string {
+	return "read escape sequence"
+}
+
+// escapeProxy is used only for attaches with a TTY. It is used to proxy
+// stdin keypresses from the underlying reader and look for the passed in
+// escape key sequence to signal a detach.
+type escapeProxy struct {
+	escapeKeys   []byte
+	escapeKeyPos int
+	r            io.Reader
+	buf          []byte
+}
+
+// NewEscapeProxy returns a new TTY proxy reader which wraps the given reader
+// and detects when the specified escape keys are read, in which case the Read
+// method will return an error of type EscapeError.
+func NewEscapeProxy(r io.Reader, escapeKeys []byte) io.Reader {
+	return &escapeProxy{
+		escapeKeys: escapeKeys,
+		r:          r,
+	}
+}
+
+func (r *escapeProxy) Read(buf []byte) (n int, err error) {
+	if len(r.escapeKeys) > 0 && r.escapeKeyPos == len(r.escapeKeys) {
+		return 0, EscapeError{}
+	}
+
+	if len(r.buf) > 0 {
+		n = copy(buf, r.buf)
+		r.buf = r.buf[n:]
+	}
+
+	nr, err := r.r.Read(buf[n:])
+	n += nr
+	if len(r.escapeKeys) == 0 {
+		return n, err
+	}
+
+	for i := 0; i < n; i++ {
+		if buf[i] == r.escapeKeys[r.escapeKeyPos] {
+			r.escapeKeyPos++
+
+			// Check if the full escape sequence is matched.
+			if r.escapeKeyPos == len(r.escapeKeys) {
+				n = i + 1 - r.escapeKeyPos
+				if n < 0 {
+					n = 0
+				}
+				return n, EscapeError{}
+			}
+			continue
+		}
+
+		// If we need to prepend a partial escape sequence from the previous
+		// read, make sure the new buffer size doesn't exceed len(buf).
+		// Otherwise, preserve any extra data in a buffer for the next read.
+		if i < r.escapeKeyPos {
+			preserve := make([]byte, 0, r.escapeKeyPos+n)
+			preserve = append(preserve, r.escapeKeys[:r.escapeKeyPos]...)
+			preserve = append(preserve, buf[:n]...)
+			n = copy(buf, preserve)
+			i += r.escapeKeyPos
+			r.buf = append(r.buf, preserve[n:]...)
+		}
+		r.escapeKeyPos = 0
+	}
+
+	// If we're in the middle of reading an escape sequence, make sure we don't
+	// let the caller read it. If later on we find that this is not the escape
+	// sequence, we'll prepend it back to buf.
+	n -= r.escapeKeyPos
+	if n < 0 {
+		n = 0
+	}
+	return n, err
+}
diff --git a/vendor/github.com/moby/term/term.go b/vendor/github.com/moby/term/term.go
new file mode 100644
index 0000000000..f9d8988ef8
--- /dev/null
+++ b/vendor/github.com/moby/term/term.go
@@ -0,0 +1,85 @@
+package term
+
+import "io"
+
+// State holds the platform-specific state / console mode for the terminal.
+type State terminalState
+
+// Winsize represents the size of the terminal window.
+type Winsize struct {
+	Height uint16
+	Width  uint16
+
+	// Only used on Unix
+	x uint16
+	y uint16
+}
+
+// StdStreams returns the standard streams (stdin, stdout, stderr).
+//
+// On Windows, it attempts to turn on VT handling on all std handles if
+// supported, or falls back to terminal emulation. On Unix, this returns
+// the standard [os.Stdin], [os.Stdout] and [os.Stderr].
+func StdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) {
+	return stdStreams()
+}
+
+// GetFdInfo returns the file descriptor for an os.File and indicates whether the file represents a terminal.
+func GetFdInfo(in interface{}) (fd uintptr, isTerminal bool) {
+	return getFdInfo(in)
+}
+
+// GetWinsize returns the window size based on the specified file descriptor.
+func GetWinsize(fd uintptr) (*Winsize, error) {
+	return getWinsize(fd)
+}
+
+// SetWinsize tries to set the specified window size for the specified file
+// descriptor. It is only implemented on Unix, and returns an error on Windows.
+func SetWinsize(fd uintptr, ws *Winsize) error {
+	return setWinsize(fd, ws)
+}
+
+// IsTerminal returns true if the given file descriptor is a terminal.
+func IsTerminal(fd uintptr) bool {
+	return isTerminal(fd)
+}
+
+// RestoreTerminal restores the terminal connected to the given file descriptor
+// to a previous state.
+func RestoreTerminal(fd uintptr, state *State) error {
+	return restoreTerminal(fd, state)
+}
+
+// SaveState saves the state of the terminal connected to the given file descriptor.
+func SaveState(fd uintptr) (*State, error) {
+	return saveState(fd)
+}
+
+// DisableEcho applies the specified state to the terminal connected to the file
+// descriptor, with echo disabled.
+func DisableEcho(fd uintptr, state *State) error {
+	return disableEcho(fd, state)
+}
+
+// SetRawTerminal puts the terminal connected to the given file descriptor into
+// raw mode and returns the previous state. On UNIX, this is the equivalent of
+// [MakeRaw], and puts both the input and output into raw mode. On Windows, it
+// only puts the input into raw mode.
+func SetRawTerminal(fd uintptr) (previousState *State, err error) {
+	return setRawTerminal(fd)
+}
+
+// SetRawTerminalOutput puts the output of terminal connected to the given file
+// descriptor into raw mode. On UNIX, this does nothing and returns nil for the
+// state. On Windows, it disables LF -> CRLF translation.
+func SetRawTerminalOutput(fd uintptr) (previousState *State, err error) {
+	return setRawTerminalOutput(fd)
+}
+
+// MakeRaw puts the terminal (Windows Console) connected to the
+// given file descriptor into raw mode and returns the previous state of
+// the terminal so that it can be restored.
+func MakeRaw(fd uintptr) (previousState *State, err error) {
+	return makeRaw(fd)
+}
diff --git a/vendor/github.com/moby/term/term_unix.go b/vendor/github.com/moby/term/term_unix.go
new file mode 100644
index 0000000000..579ce5530a
--- /dev/null
+++ b/vendor/github.com/moby/term/term_unix.go
@@ -0,0 +1,98 @@
+//go:build !windows
+// +build !windows
+
+package term
+
+import (
+	"errors"
+	"io"
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// ErrInvalidState is returned if the state of the terminal is invalid.
+//
+// Deprecated: ErrInvalidState is no longer used.
+var ErrInvalidState = errors.New("Invalid terminal state")
+
+// terminalState holds the platform-specific state / console mode for the terminal.
+type terminalState struct {
+	termios unix.Termios
+}
+
+func stdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) {
+	return os.Stdin, os.Stdout, os.Stderr
+}
+
+func getFdInfo(in interface{}) (uintptr, bool) {
+	var inFd uintptr
+	var isTerminalIn bool
+	if file, ok := in.(*os.File); ok {
+		inFd = file.Fd()
+		isTerminalIn = isTerminal(inFd)
+	}
+	return inFd, isTerminalIn
+}
+
+func getWinsize(fd uintptr) (*Winsize, error) {
+	uws, err := unix.IoctlGetWinsize(int(fd), unix.TIOCGWINSZ)
+	ws := &Winsize{Height: uws.Row, Width: uws.Col, x: uws.Xpixel, y: uws.Ypixel}
+	return ws, err
+}
+
+func setWinsize(fd uintptr, ws *Winsize) error {
+	return unix.IoctlSetWinsize(int(fd), unix.TIOCSWINSZ, &unix.Winsize{
+		Row:    ws.Height,
+		Col:    ws.Width,
+		Xpixel: ws.x,
+		Ypixel: ws.y,
+	})
+}
+
+func isTerminal(fd uintptr) bool {
+	_, err := tcget(fd)
+	return err == nil
+}
+
+func restoreTerminal(fd uintptr, state *State) error {
+	if state == nil {
+		return errors.New("invalid terminal state")
+	}
+	return tcset(fd, &state.termios)
+}
+
+func saveState(fd uintptr) (*State, error) {
+	termios, err := tcget(fd)
+	if err != nil {
+		return nil, err
+	}
+	return &State{termios: *termios}, nil
+}
+
+func disableEcho(fd uintptr, state *State) error {
+	newState := state.termios
+	newState.Lflag &^= unix.ECHO
+
+	return tcset(fd, &newState)
+}
+
+func setRawTerminal(fd uintptr) (*State, error) {
+	return makeRaw(fd)
+}
+
+func setRawTerminalOutput(uintptr) (*State, error) {
+	return nil, nil
+}
+
+func tcget(fd uintptr) (*unix.Termios, error) {
+	p, err := unix.IoctlGetTermios(int(fd), getTermios)
+	if err != nil {
+		return nil, err
+	}
+	return p, nil
+}
+
+func tcset(fd uintptr, p *unix.Termios) error {
+	return unix.IoctlSetTermios(int(fd), setTermios, p)
+}
diff --git a/vendor/github.com/moby/term/term_windows.go b/vendor/github.com/moby/term/term_windows.go
new file mode 100644
index 0000000000..81ccff0428
--- /dev/null
+++ b/vendor/github.com/moby/term/term_windows.go
@@ -0,0 +1,176 @@
+package term
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"os/signal"
+
+	windowsconsole "github.com/moby/term/windows"
+	"golang.org/x/sys/windows"
+)
+
+// terminalState holds the platform-specific state / console mode for the terminal.
+type terminalState struct {
+	mode uint32
+}
+
+// vtInputSupported is true if winterm.ENABLE_VIRTUAL_TERMINAL_INPUT is supported by the console
+var vtInputSupported bool
+
+func stdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) {
+	// Turn on VT handling on all std handles, if possible. This might
+	// fail, in which case we will fall back to terminal emulation.
+	var (
+		emulateStdin, emulateStdout, emulateStderr bool
+
+		mode uint32
+	)
+
+	fd := windows.Handle(os.Stdin.Fd())
+	if err := windows.GetConsoleMode(fd, &mode); err == nil {
+		// Validate that winterm.ENABLE_VIRTUAL_TERMINAL_INPUT is supported, but do not set it.
+		if err = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_INPUT); err != nil {
+			emulateStdin = true
+		} else {
+			vtInputSupported = true
+		}
+		// Unconditionally set the console mode back even on failure because SetConsoleMode
+		// remembers invalid bits on input handles.
+		_ = windows.SetConsoleMode(fd, mode)
+	}
+
+	fd = windows.Handle(os.Stdout.Fd())
+	if err := windows.GetConsoleMode(fd, &mode); err == nil {
+		// Validate winterm.DISABLE_NEWLINE_AUTO_RETURN is supported, but do not set it.
+		if err = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_PROCESSING|windows.DISABLE_NEWLINE_AUTO_RETURN); err != nil {
+			emulateStdout = true
+		} else {
+			_ = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_PROCESSING)
+		}
+	}
+
+	fd = windows.Handle(os.Stderr.Fd())
+	if err := windows.GetConsoleMode(fd, &mode); err == nil {
+		// Validate winterm.DISABLE_NEWLINE_AUTO_RETURN is supported, but do not set it.
+		if err = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_PROCESSING|windows.DISABLE_NEWLINE_AUTO_RETURN); err != nil {
+			emulateStderr = true
+		} else {
+			_ = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_PROCESSING)
+		}
+	}
+
+	if emulateStdin {
+		h := uint32(windows.STD_INPUT_HANDLE)
+		stdIn = windowsconsole.NewAnsiReader(int(h))
+	} else {
+		stdIn = os.Stdin
+	}
+
+	if emulateStdout {
+		h := uint32(windows.STD_OUTPUT_HANDLE)
+		stdOut = windowsconsole.NewAnsiWriter(int(h))
+	} else {
+		stdOut = os.Stdout
+	}
+
+	if emulateStderr {
+		h := uint32(windows.STD_ERROR_HANDLE)
+		stdErr = windowsconsole.NewAnsiWriter(int(h))
+	} else {
+		stdErr = os.Stderr
+	}
+
+	return stdIn, stdOut, stdErr
+}
+
+func getFdInfo(in interface{}) (uintptr, bool) {
+	return windowsconsole.GetHandleInfo(in)
+}
+
+func getWinsize(fd uintptr) (*Winsize, error) {
+	var info windows.ConsoleScreenBufferInfo
+	if err := windows.GetConsoleScreenBufferInfo(windows.Handle(fd), &info); err != nil {
+		return nil, err
+	}
+
+	winsize := &Winsize{
+		Width:  uint16(info.Window.Right - info.Window.Left + 1),
+		Height: uint16(info.Window.Bottom - info.Window.Top + 1),
+	}
+
+	return winsize, nil
+}
+
+func setWinsize(fd uintptr, ws *Winsize) error {
+	return fmt.Errorf("not implemented on Windows")
+}
+
+func isTerminal(fd uintptr) bool {
+	var mode uint32
+	err := windows.GetConsoleMode(windows.Handle(fd), &mode)
+	return err == nil
+}
+
+func restoreTerminal(fd uintptr, state *State) error {
+	return windows.SetConsoleMode(windows.Handle(fd), state.mode)
+}
+
+func saveState(fd uintptr) (*State, error) {
+	var mode uint32
+
+	if err := windows.GetConsoleMode(windows.Handle(fd), &mode); err != nil {
+		return nil, err
+	}
+
+	return &State{mode: mode}, nil
+}
+
+func disableEcho(fd uintptr, state *State) error {
+	// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683462(v=vs.85).aspx
+	mode := state.mode
+	mode &^= windows.ENABLE_ECHO_INPUT
+	mode |= windows.ENABLE_PROCESSED_INPUT | windows.ENABLE_LINE_INPUT
+	err := windows.SetConsoleMode(windows.Handle(fd), mode)
+	if err != nil {
+		return err
+	}
+
+	// Register an interrupt handler to catch and restore prior state
+	restoreAtInterrupt(fd, state)
+	return nil
+}
+
+func setRawTerminal(fd uintptr) (*State, error) {
+	oldState, err := MakeRaw(fd)
+	if err != nil {
+		return nil, err
+	}
+
+	// Register an interrupt handler to catch and restore prior state
+	restoreAtInterrupt(fd, oldState)
+	return oldState, err
+}
+
+func setRawTerminalOutput(fd uintptr) (*State, error) {
+	oldState, err := saveState(fd)
+	if err != nil {
+		return nil, err
+	}
+
+	// Ignore failures, since winterm.DISABLE_NEWLINE_AUTO_RETURN might not be supported on this
+	// version of Windows.
+	_ = windows.SetConsoleMode(windows.Handle(fd), oldState.mode|windows.DISABLE_NEWLINE_AUTO_RETURN)
+	return oldState, err
+}
+
+func restoreAtInterrupt(fd uintptr, state *State) {
+	sigchan := make(chan os.Signal, 1)
+	signal.Notify(sigchan, os.Interrupt)
+
+	go func() {
+		_ = <-sigchan
+		_ = RestoreTerminal(fd, state)
+		os.Exit(0)
+	}()
+}
diff --git a/vendor/github.com/moby/term/termios_bsd.go b/vendor/github.com/moby/term/termios_bsd.go
new file mode 100644
index 0000000000..45f77e03c7
--- /dev/null
+++ b/vendor/github.com/moby/term/termios_bsd.go
@@ -0,0 +1,13 @@
+//go:build darwin || freebsd || openbsd || netbsd
+// +build darwin freebsd openbsd netbsd
+
+package term
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+const (
+	getTermios = unix.TIOCGETA
+	setTermios = unix.TIOCSETA
+)
diff --git a/vendor/github.com/moby/term/termios_nonbsd.go b/vendor/github.com/moby/term/termios_nonbsd.go
new file mode 100644
index 0000000000..88b7b21563
--- /dev/null
+++ b/vendor/github.com/moby/term/termios_nonbsd.go
@@ -0,0 +1,13 @@
+//go:build !darwin && !freebsd && !netbsd && !openbsd && !windows
+// +build !darwin,!freebsd,!netbsd,!openbsd,!windows
+
+package term
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+const (
+	getTermios = unix.TCGETS
+	setTermios = unix.TCSETS
+)
diff --git a/vendor/github.com/moby/term/termios_unix.go b/vendor/github.com/moby/term/termios_unix.go
new file mode 100644
index 0000000000..60c823783c
--- /dev/null
+++ b/vendor/github.com/moby/term/termios_unix.go
@@ -0,0 +1,35 @@
+//go:build !windows
+// +build !windows
+
+package term
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// Termios is the Unix API for terminal I/O.
+//
+// Deprecated: use [unix.Termios].
+type Termios = unix.Termios
+
+func makeRaw(fd uintptr) (*State, error) {
+	termios, err := tcget(fd)
+	if err != nil {
+		return nil, err
+	}
+
+	oldState := State{termios: *termios}
+
+	termios.Iflag &^= unix.IGNBRK | unix.BRKINT | unix.PARMRK | unix.ISTRIP | unix.INLCR | unix.IGNCR | unix.ICRNL | unix.IXON
+	termios.Oflag &^= unix.OPOST
+	termios.Lflag &^= unix.ECHO | unix.ECHONL | unix.ICANON | unix.ISIG | unix.IEXTEN
+	termios.Cflag &^= unix.CSIZE | unix.PARENB
+	termios.Cflag |= unix.CS8
+	termios.Cc[unix.VMIN] = 1
+	termios.Cc[unix.VTIME] = 0
+
+	if err := tcset(fd, termios); err != nil {
+		return nil, err
+	}
+	return &oldState, nil
+}
diff --git a/vendor/github.com/moby/term/termios_windows.go b/vendor/github.com/moby/term/termios_windows.go
new file mode 100644
index 0000000000..5be4e76011
--- /dev/null
+++ b/vendor/github.com/moby/term/termios_windows.go
@@ -0,0 +1,37 @@
+package term
+
+import "golang.org/x/sys/windows"
+
+func makeRaw(fd uintptr) (*State, error) {
+	state, err := SaveState(fd)
+	if err != nil {
+		return nil, err
+	}
+
+	mode := state.mode
+
+	// See
+	// -- https://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx
+	// -- https://msdn.microsoft.com/en-us/library/windows/desktop/ms683462(v=vs.85).aspx
+
+	// Disable these modes
+	mode &^= windows.ENABLE_ECHO_INPUT
+	mode &^= windows.ENABLE_LINE_INPUT
+	mode &^= windows.ENABLE_MOUSE_INPUT
+	mode &^= windows.ENABLE_WINDOW_INPUT
+	mode &^= windows.ENABLE_PROCESSED_INPUT
+
+	// Enable these modes
+	mode |= windows.ENABLE_EXTENDED_FLAGS
+	mode |= windows.ENABLE_INSERT_MODE
+	mode |= windows.ENABLE_QUICK_EDIT_MODE
+	if vtInputSupported {
+		mode |= windows.ENABLE_VIRTUAL_TERMINAL_INPUT
+	}
+
+	err = windows.SetConsoleMode(windows.Handle(fd), mode)
+	if err != nil {
+		return nil, err
+	}
+	return state, nil
+}
diff --git a/vendor/github.com/moby/term/windows/ansi_reader.go b/vendor/github.com/moby/term/windows/ansi_reader.go
new file mode 100644
index 0000000000..fb34c547aa
--- /dev/null
+++ b/vendor/github.com/moby/term/windows/ansi_reader.go
@@ -0,0 +1,252 @@
+//go:build windows
+// +build windows
+
+package windowsconsole
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"unsafe"
+
+	ansiterm "github.com/Azure/go-ansiterm"
+	"github.com/Azure/go-ansiterm/winterm"
+)
+
+const (
+	escapeSequence = ansiterm.KEY_ESC_CSI
+)
+
+// ansiReader wraps a standard input file (e.g., os.Stdin) providing ANSI sequence translation.
+type ansiReader struct {
+	file     *os.File
+	fd       uintptr
+	buffer   []byte
+	cbBuffer int
+	command  []byte
+}
+
+// NewAnsiReader returns an io.ReadCloser that provides VT100 terminal emulation on top of a
+// Windows console input handle.
+func NewAnsiReader(nFile int) io.ReadCloser {
+	file, fd := winterm.GetStdFile(nFile)
+	return &ansiReader{
+		file:    file,
+		fd:      fd,
+		command: make([]byte, 0, ansiterm.ANSI_MAX_CMD_LENGTH),
+		buffer:  make([]byte, 0),
+	}
+}
+
+// Close closes the wrapped file.
+func (ar *ansiReader) Close() (err error) {
+	return ar.file.Close()
+}
+
+// Fd returns the file descriptor of the wrapped file.
+func (ar *ansiReader) Fd() uintptr {
+	return ar.fd
+}
+
+// Read reads up to len(p) bytes of translated input events into p.
+func (ar *ansiReader) Read(p []byte) (int, error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+
+	// Previously read bytes exist, read as much as we can and return
+	if len(ar.buffer) > 0 {
+		originalLength := len(ar.buffer)
+		copiedLength := copy(p, ar.buffer)
+
+		if copiedLength == originalLength {
+			ar.buffer = make([]byte, 0, len(p))
+		} else {
+			ar.buffer = ar.buffer[copiedLength:]
+		}
+
+		return copiedLength, nil
+	}
+
+	// Read and translate key events
+	events, err := readInputEvents(ar, len(p))
+	if err != nil {
+		return 0, err
+	} else if len(events) == 0 {
+		return 0, nil
+	}
+
+	keyBytes := translateKeyEvents(events, []byte(escapeSequence))
+
+	// Save excess bytes and right-size keyBytes
+	if len(keyBytes) > len(p) {
+		ar.buffer = keyBytes[len(p):]
+		keyBytes = keyBytes[:len(p)]
+	} else if len(keyBytes) == 0 {
+		return 0, nil
+	}
+
+	copiedLength := copy(p, keyBytes)
+	if copiedLength != len(keyBytes) {
+		return 0, errors.New("unexpected copy length encountered")
+	}
+
+	return copiedLength, nil
+}
+
+// readInputEvents polls until at least one event is available.
+func readInputEvents(ar *ansiReader, maxBytes int) ([]winterm.INPUT_RECORD, error) {
+	// Determine the maximum number of records to retrieve
+	// -- Cast around the type system to obtain the size of a single INPUT_RECORD.
+	//    unsafe.Sizeof requires an expression vs. a type-reference; the casting
+	//    tricks the type system into believing it has such an expression.
+	recordSize := int(unsafe.Sizeof(*((*winterm.INPUT_RECORD)(unsafe.Pointer(&maxBytes)))))
+	countRecords := maxBytes / recordSize
+	if countRecords > ansiterm.MAX_INPUT_EVENTS {
+		countRecords = ansiterm.MAX_INPUT_EVENTS
+	} else if countRecords == 0 {
+		countRecords = 1
+	}
+
+	// Wait for and read input events
+	events := make([]winterm.INPUT_RECORD, countRecords)
+	nEvents := uint32(0)
+	eventsExist, err := winterm.WaitForSingleObject(ar.fd, winterm.WAIT_INFINITE)
+	if err != nil {
+		return nil, err
+	}
+
+	if eventsExist {
+		err = winterm.ReadConsoleInput(ar.fd, events, &nEvents)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Return a slice restricted to the number of returned records
+	return events[:nEvents], nil
+}
+
+// KeyEvent Translation Helpers
+
+var arrowKeyMapPrefix = map[uint16]string{
+	winterm.VK_UP:    "%s%sA",
+	winterm.VK_DOWN:  "%s%sB",
+	winterm.VK_RIGHT: "%s%sC",
+	winterm.VK_LEFT:  "%s%sD",
+}
+
+var keyMapPrefix = map[uint16]string{
+	winterm.VK_UP:     "\x1B[%sA",
+	winterm.VK_DOWN:   "\x1B[%sB",
+	winterm.VK_RIGHT:  "\x1B[%sC",
+	winterm.VK_LEFT:   "\x1B[%sD",
+	winterm.VK_HOME:   "\x1B[1%s~", // showkey shows ^[[1
+	winterm.VK_END:    "\x1B[4%s~", // showkey shows ^[[4
+	winterm.VK_INSERT: "\x1B[2%s~",
+	winterm.VK_DELETE: "\x1B[3%s~",
+	winterm.VK_PRIOR:  "\x1B[5%s~",
+	winterm.VK_NEXT:   "\x1B[6%s~",
+	winterm.VK_F1:     "",
+	winterm.VK_F2:     "",
+	winterm.VK_F3:     "\x1B[13%s~",
+	winterm.VK_F4:     "\x1B[14%s~",
+	winterm.VK_F5:     "\x1B[15%s~",
+	winterm.VK_F6:     "\x1B[17%s~",
+	winterm.VK_F7:     "\x1B[18%s~",
+	winterm.VK_F8:     "\x1B[19%s~",
+	winterm.VK_F9:     "\x1B[20%s~",
+	winterm.VK_F10:    "\x1B[21%s~",
+	winterm.VK_F11:    "\x1B[23%s~",
+	winterm.VK_F12:    "\x1B[24%s~",
+}
+
+// translateKeyEvents converts the input events into the appropriate ANSI string.
+func translateKeyEvents(events []winterm.INPUT_RECORD, escapeSequence []byte) []byte {
+	var buffer bytes.Buffer
+	for _, event := range events {
+		if event.EventType == winterm.KEY_EVENT && event.KeyEvent.KeyDown != 0 {
+			buffer.WriteString(keyToString(&event.KeyEvent, escapeSequence))
+		}
+	}
+
+	return buffer.Bytes()
+}
+
+// keyToString maps the given input event record to the corresponding string.
+func keyToString(keyEvent *winterm.KEY_EVENT_RECORD, escapeSequence []byte) string {
+	if keyEvent.UnicodeChar == 0 {
+		return formatVirtualKey(keyEvent.VirtualKeyCode, keyEvent.ControlKeyState, escapeSequence)
+	}
+
+	_, alt, control := getControlKeys(keyEvent.ControlKeyState)
+	if control {
+		// TODO(azlinux): Implement following control sequences
+		// <Ctrl>-D  Signals the end of input from the keyboard; also exits current shell.
+		// <Ctrl>-H  Deletes the first character to the left of the cursor. Also called the ERASE key.
+		// <Ctrl>-Q  Restarts printing after it has been stopped with <Ctrl>-s.
+		// <Ctrl>-S  Suspends printing on the screen (does not stop the program).
+		// <Ctrl>-U  Deletes all characters on the current line. Also called the KILL key.
+		// <Ctrl>-E  Quits current command and creates a core
+	}
+
+	// <Alt>+Key generates ESC N Key
+	if !control && alt {
+		return ansiterm.KEY_ESC_N + strings.ToLower(string(rune(keyEvent.UnicodeChar)))
+	}
+
+	return string(rune(keyEvent.UnicodeChar))
+}
+
+// formatVirtualKey converts a virtual key (e.g., up arrow) into the appropriate ANSI string.
+func formatVirtualKey(key uint16, controlState uint32, escapeSequence []byte) string {
+	shift, alt, control := getControlKeys(controlState)
+	modifier := getControlKeysModifier(shift, alt, control)
+
+	if format, ok := arrowKeyMapPrefix[key]; ok {
+		return fmt.Sprintf(format, escapeSequence, modifier)
+	}
+
+	if format, ok := keyMapPrefix[key]; ok {
+		return fmt.Sprintf(format, modifier)
+	}
+
+	return ""
+}
+
+// getControlKeys extracts the shift, alt, and ctrl key states.
+func getControlKeys(controlState uint32) (shift, alt, control bool) {
+	shift = 0 != (controlState & winterm.SHIFT_PRESSED)
+	alt = 0 != (controlState & (winterm.LEFT_ALT_PRESSED | winterm.RIGHT_ALT_PRESSED))
+	control = 0 != (controlState & (winterm.LEFT_CTRL_PRESSED | winterm.RIGHT_CTRL_PRESSED))
+	return shift, alt, control
+}
+
+// getControlKeysModifier returns the ANSI modifier for the given combination of control keys.
+func getControlKeysModifier(shift, alt, control bool) string {
+	if shift && alt && control {
+		return ansiterm.KEY_CONTROL_PARAM_8
+	}
+	if alt && control {
+		return ansiterm.KEY_CONTROL_PARAM_7
+	}
+	if shift && control {
+		return ansiterm.KEY_CONTROL_PARAM_6
+	}
+	if control {
+		return ansiterm.KEY_CONTROL_PARAM_5
+	}
+	if shift && alt {
+		return ansiterm.KEY_CONTROL_PARAM_4
+	}
+	if alt {
+		return ansiterm.KEY_CONTROL_PARAM_3
+	}
+	if shift {
+		return ansiterm.KEY_CONTROL_PARAM_2
+	}
+	return ""
+}
diff --git a/vendor/github.com/moby/term/windows/ansi_writer.go b/vendor/github.com/moby/term/windows/ansi_writer.go
new file mode 100644
index 0000000000..4243307fd3
--- /dev/null
+++ b/vendor/github.com/moby/term/windows/ansi_writer.go
@@ -0,0 +1,57 @@
+//go:build windows
+// +build windows
+
+package windowsconsole
+
+import (
+	"io"
+	"os"
+
+	ansiterm "github.com/Azure/go-ansiterm"
+	"github.com/Azure/go-ansiterm/winterm"
+)
+
+// ansiWriter wraps a standard output file (e.g., os.Stdout) providing ANSI sequence translation.
+type ansiWriter struct {
+	file           *os.File
+	fd             uintptr
+	infoReset      *winterm.CONSOLE_SCREEN_BUFFER_INFO
+	command        []byte
+	escapeSequence []byte
+	inAnsiSequence bool
+	parser         *ansiterm.AnsiParser
+}
+
+// NewAnsiWriter returns an io.Writer that provides VT100 terminal emulation on top of a
+// Windows console output handle.
+func NewAnsiWriter(nFile int) io.Writer {
+	file, fd := winterm.GetStdFile(nFile)
+	info, err := winterm.GetConsoleScreenBufferInfo(fd)
+	if err != nil {
+		return nil
+	}
+
+	parser := ansiterm.CreateParser("Ground", winterm.CreateWinEventHandler(fd, file))
+
+	return &ansiWriter{
+		file:           file,
+		fd:             fd,
+		infoReset:      info,
+		command:        make([]byte, 0, ansiterm.ANSI_MAX_CMD_LENGTH),
+		escapeSequence: []byte(ansiterm.KEY_ESC_CSI),
+		parser:         parser,
+	}
+}
+
+func (aw *ansiWriter) Fd() uintptr {
+	return aw.fd
+}
+
+// Write writes len(p) bytes from p to the underlying data stream.
+func (aw *ansiWriter) Write(p []byte) (total int, err error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+
+	return aw.parser.Parse(p)
+}
diff --git a/vendor/github.com/moby/term/windows/console.go b/vendor/github.com/moby/term/windows/console.go
new file mode 100644
index 0000000000..21e57bd52f
--- /dev/null
+++ b/vendor/github.com/moby/term/windows/console.go
@@ -0,0 +1,43 @@
+//go:build windows
+// +build windows
+
+package windowsconsole
+
+import (
+	"os"
+
+	"golang.org/x/sys/windows"
+)
+
+// GetHandleInfo returns file descriptor and bool indicating whether the file is a console.
+func GetHandleInfo(in interface{}) (uintptr, bool) {
+	switch t := in.(type) {
+	case *ansiReader:
+		return t.Fd(), true
+	case *ansiWriter:
+		return t.Fd(), true
+	}
+
+	var inFd uintptr
+	var isTerminal bool
+
+	if file, ok := in.(*os.File); ok {
+		inFd = file.Fd()
+		isTerminal = isConsole(inFd)
+	}
+	return inFd, isTerminal
+}
+
+// IsConsole returns true if the given file descriptor is a Windows Console.
+// The code assumes that GetConsoleMode will return an error for file descriptors that are not a console.
+//
+// Deprecated: use [windows.GetConsoleMode] or [golang.org/x/term.IsTerminal].
+func IsConsole(fd uintptr) bool {
+	return isConsole(fd)
+}
+
+func isConsole(fd uintptr) bool {
+	var mode uint32
+	err := windows.GetConsoleMode(windows.Handle(fd), &mode)
+	return err == nil
+}
diff --git a/vendor/github.com/moby/term/windows/doc.go b/vendor/github.com/moby/term/windows/doc.go
new file mode 100644
index 0000000000..54265fffaf
--- /dev/null
+++ b/vendor/github.com/moby/term/windows/doc.go
@@ -0,0 +1,5 @@
+// These files implement ANSI-aware input and output streams for use by the Docker Windows client.
+// When asked for the set of standard streams (e.g., stdin, stdout, stderr), the code will create
+// and return pseudo-streams that convert ANSI sequences to / from Windows Console API calls.
+
+package windowsconsole
diff --git a/vendor/github.com/monochromegane/go-gitignore/.travis.yml b/vendor/github.com/monochromegane/go-gitignore/.travis.yml
new file mode 100644
index 0000000000..b06a36a466
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/.travis.yml
@@ -0,0 +1,6 @@
+language: go
+go:
+  - 1.14.x
+  - master
+script:
+  - go test -v ./...
diff --git a/vendor/github.com/monochromegane/go-gitignore/LICENSE b/vendor/github.com/monochromegane/go-gitignore/LICENSE
new file mode 100644
index 0000000000..91b84e9277
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) [2015] [go-gitignore]
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/monochromegane/go-gitignore/README.md b/vendor/github.com/monochromegane/go-gitignore/README.md
new file mode 100644
index 0000000000..51a480747b
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/README.md
@@ -0,0 +1,95 @@
+# go-gitignore [![Build Status](https://travis-ci.org/monochromegane/go-gitignore.svg)](https://travis-ci.org/monochromegane/go-gitignore)
+
+A fast gitignore matching library for Go.
+
+This library use simple tree index for matching, so keep fast if gitignore file has many pattern.
+
+## Usage
+
+```go
+gitignore, _ := gitignore.NewGitIgnore("/path/to/gitignore")
+
+path := "/path/to/file"
+isDir := false
+gitignore.Match(path, isDir)
+```
+
+### Specify base directory
+
+go-gitignore treat `path` as a base directory.
+If you want to specify other base (e.g. current directory and Global gitignore), you can like the following.
+
+```go
+gitignore, _ := gitignore.NewGitIgnore("/home/you/.gitignore", ".")
+```
+
+### From io.Reader
+
+go-gitignore can initialize from io.Reader.
+
+```go
+gitignore, _ := gitignore.NewGitIgnoreFromReader(base, reader)
+```
+
+## Simple tree index
+
+go-gitignore parse gitignore file, and generate a simple tree index for matching like the following.
+
+```
+.
+├── accept
+│   ├── absolute
+│   │   └── depth
+│   │       ├── initial
+│   │       └── other
+│   └── relative
+│       └── depth
+│           ├── initial
+│           └── other
+└── ignore
+    ├── absolute
+    │   └── depth
+    │       ├── initial
+    │       └── other
+    └── relative
+        └── depth
+            ├── initial
+            └── other
+```
+
+## Features
+
+- Support absolute path (/path/to/ignore)
+- Support relative path (path/to/ignore)
+- Support accept pattern (!path/to/accept)
+- Support directory pattern (path/to/directory/)
+- Support glob pattern (path/to/\*.txt)
+
+*note: glob pattern*
+
+go-gitignore use [filepath.Match](https://golang.org/pkg/path/filepath/#Match) for matching meta char pattern, so not support recursive pattern (path/`**`/file).
+
+## Installation
+
+```sh
+$ go get github.com/monochromegane/go-gitignore
+```
+
+## Contribution
+
+1. Fork it
+2. Create a feature branch
+3. Commit your changes
+4. Rebase your local changes against the master branch
+5. Run test suite with the `go test ./...` command and confirm that it passes
+6. Run `gofmt -s`
+7. Create new Pull Request
+
+## License
+
+[MIT](https://github.com/monochromegane/go-gitignore/blob/master/LICENSE)
+
+## Author
+
+[monochromegane](https://github.com/monochromegane)
+
diff --git a/vendor/github.com/monochromegane/go-gitignore/depth_holder.go b/vendor/github.com/monochromegane/go-gitignore/depth_holder.go
new file mode 100644
index 0000000000..9805b325d4
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/depth_holder.go
@@ -0,0 +1,79 @@
+package gitignore
+
+import "strings"
+
+const (
+	asc = iota
+	desc
+)
+
+type depthPatternHolder struct {
+	patterns depthPatterns
+	order    int
+}
+
+func newDepthPatternHolder(order int) depthPatternHolder {
+	return depthPatternHolder{
+		patterns: depthPatterns{m: map[int]initialPatternHolder{}},
+		order:    order,
+	}
+}
+
+func (h *depthPatternHolder) add(pattern string) {
+	count := strings.Count(strings.Trim(pattern, "/"), "/")
+	h.patterns.set(count+1, pattern)
+}
+
+func (h depthPatternHolder) match(path string, isDir bool) bool {
+	if h.patterns.size() == 0 {
+		return false
+	}
+
+	for depth := 1; ; depth++ {
+		var part string
+		var isLast, isDirCurrent bool
+		if h.order == asc {
+			part, isLast = cutN(path, depth)
+			if isLast {
+				isDirCurrent = isDir
+			} else {
+				isDirCurrent = false
+			}
+		} else {
+			part, isLast = cutLastN(path, depth)
+			isDirCurrent = isDir
+		}
+		if patterns, ok := h.patterns.get(depth); ok {
+			if patterns.match(part, isDirCurrent) {
+				return true
+			}
+		}
+		if isLast {
+			break
+		}
+	}
+	return false
+}
+
+type depthPatterns struct {
+	m map[int]initialPatternHolder
+}
+
+func (p *depthPatterns) set(depth int, pattern string) {
+	if ps, ok := p.m[depth]; ok {
+		ps.add(pattern)
+	} else {
+		holder := newInitialPatternHolder()
+		holder.add(pattern)
+		p.m[depth] = holder
+	}
+}
+
+func (p depthPatterns) get(depth int) (initialPatternHolder, bool) {
+	patterns, ok := p.m[depth]
+	return patterns, ok
+}
+
+func (p depthPatterns) size() int {
+	return len(p.m)
+}
diff --git a/vendor/github.com/monochromegane/go-gitignore/full_scan_patterns.go b/vendor/github.com/monochromegane/go-gitignore/full_scan_patterns.go
new file mode 100644
index 0000000000..8c04ef3a77
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/full_scan_patterns.go
@@ -0,0 +1,31 @@
+package gitignore
+
+import "strings"
+
+// Only benchmark use
+type fullScanPatterns struct {
+	absolute patterns
+	relative patterns
+}
+
+func newFullScanPatterns() *fullScanPatterns {
+	return &fullScanPatterns{
+		absolute: patterns{},
+		relative: patterns{},
+	}
+}
+
+func (ps *fullScanPatterns) add(pattern string) {
+	if strings.HasPrefix(pattern, "/") {
+		ps.absolute.add(newPattern(pattern))
+	} else {
+		ps.relative.add(newPattern(pattern))
+	}
+}
+
+func (ps fullScanPatterns) match(path string, isDir bool) bool {
+	if ps.absolute.match(path, isDir) {
+		return true
+	}
+	return ps.relative.match(path, isDir)
+}
diff --git a/vendor/github.com/monochromegane/go-gitignore/gitignore.go b/vendor/github.com/monochromegane/go-gitignore/gitignore.go
new file mode 100644
index 0000000000..9c719a6cab
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/gitignore.go
@@ -0,0 +1,80 @@
+package gitignore
+
+import (
+	"bufio"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+type IgnoreMatcher interface {
+	Match(path string, isDir bool) bool
+}
+
+type DummyIgnoreMatcher bool
+
+func (d DummyIgnoreMatcher) Match(path string, isDir bool) bool {
+	return bool(d)
+}
+
+type gitIgnore struct {
+	ignorePatterns scanStrategy
+	acceptPatterns scanStrategy
+	path           string
+}
+
+func NewGitIgnore(gitignore string, base ...string) (IgnoreMatcher, error) {
+	var path string
+	if len(base) > 0 {
+		path = base[0]
+	} else {
+		path = filepath.Dir(gitignore)
+	}
+
+	file, err := os.Open(gitignore)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	return NewGitIgnoreFromReader(path, file), nil
+}
+
+func NewGitIgnoreFromReader(path string, r io.Reader) IgnoreMatcher {
+	g := gitIgnore{
+		ignorePatterns: newIndexScanPatterns(),
+		acceptPatterns: newIndexScanPatterns(),
+		path:           path,
+	}
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		line := strings.Trim(scanner.Text(), " ")
+		if len(line) == 0 || strings.HasPrefix(line, "#") {
+			continue
+		}
+		if strings.HasPrefix(line, `\#`) {
+			line = strings.TrimPrefix(line, `\`)
+		}
+
+		if strings.HasPrefix(line, "!") {
+			g.acceptPatterns.add(strings.TrimPrefix(line, "!"))
+		} else {
+			g.ignorePatterns.add(line)
+		}
+	}
+	return g
+}
+
+func (g gitIgnore) Match(path string, isDir bool) bool {
+	relativePath, err := filepath.Rel(g.path, path)
+	if err != nil {
+		return false
+	}
+	relativePath = filepath.ToSlash(relativePath)
+
+	if g.acceptPatterns.match(relativePath, isDir) {
+		return false
+	}
+	return g.ignorePatterns.match(relativePath, isDir)
+}
diff --git a/vendor/github.com/monochromegane/go-gitignore/index_scan_patterns.go b/vendor/github.com/monochromegane/go-gitignore/index_scan_patterns.go
new file mode 100644
index 0000000000..882280e953
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/index_scan_patterns.go
@@ -0,0 +1,35 @@
+package gitignore
+
+import "strings"
+
+type indexScanPatterns struct {
+	absolute depthPatternHolder
+	relative depthPatternHolder
+}
+
+func newIndexScanPatterns() *indexScanPatterns {
+	return &indexScanPatterns{
+		absolute: newDepthPatternHolder(asc),
+		relative: newDepthPatternHolder(desc),
+	}
+}
+
+func (ps *indexScanPatterns) add(pattern string) {
+	if strings.HasPrefix(pattern, "/") {
+		ps.absolute.add(pattern)
+	} else {
+		ps.relative.add(pattern)
+	}
+}
+
+func (ps indexScanPatterns) match(path string, isDir bool) bool {
+	if ps.absolute.match(path, isDir) {
+		return true
+	}
+	return ps.relative.match(path, isDir)
+}
+
+type scanStrategy interface {
+	add(pattern string)
+	match(path string, isDir bool) bool
+}
diff --git a/vendor/github.com/monochromegane/go-gitignore/initial_holder.go b/vendor/github.com/monochromegane/go-gitignore/initial_holder.go
new file mode 100644
index 0000000000..86f0bfee2b
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/initial_holder.go
@@ -0,0 +1,62 @@
+package gitignore
+
+import "strings"
+
+const initials = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."
+
+type initialPatternHolder struct {
+	patterns      initialPatterns
+	otherPatterns *patterns
+}
+
+func newInitialPatternHolder() initialPatternHolder {
+	return initialPatternHolder{
+		patterns:      initialPatterns{m: map[byte]*patterns{}},
+		otherPatterns: &patterns{},
+	}
+}
+
+func (h *initialPatternHolder) add(pattern string) {
+	trimedPattern := strings.TrimPrefix(pattern, "/")
+	if strings.IndexAny(trimedPattern[0:1], initials) != -1 {
+		h.patterns.set(trimedPattern[0], newPatternForEqualizedPath(pattern))
+	} else {
+		h.otherPatterns.add(newPatternForEqualizedPath(pattern))
+	}
+}
+
+func (h initialPatternHolder) match(path string, isDir bool) bool {
+	if h.patterns.size() == 0 && h.otherPatterns.size() == 0 {
+		return false
+	}
+	if patterns, ok := h.patterns.get(path[0]); ok {
+		if patterns.match(path, isDir) {
+			return true
+		}
+	}
+	return h.otherPatterns.match(path, isDir)
+}
+
+type initialPatterns struct {
+	m map[byte]*patterns
+}
+
+func (p *initialPatterns) set(initial byte, pattern pattern) {
+	if ps, ok := p.m[initial]; ok {
+		ps.add(pattern)
+	} else {
+		patterns := &patterns{}
+		patterns.add(pattern)
+		p.m[initial] = patterns
+
+	}
+}
+
+func (p initialPatterns) get(initial byte) (*patterns, bool) {
+	patterns, ok := p.m[initial]
+	return patterns, ok
+}
+
+func (p initialPatterns) size() int {
+	return len(p.m)
+}
diff --git a/vendor/github.com/monochromegane/go-gitignore/match.go b/vendor/github.com/monochromegane/go-gitignore/match.go
new file mode 100644
index 0000000000..4140a9bdc5
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/match.go
@@ -0,0 +1,24 @@
+package gitignore
+
+import "path/filepath"
+
+type pathMatcher interface {
+	match(path string) bool
+}
+
+type simpleMatcher struct {
+	path string
+}
+
+func (m simpleMatcher) match(path string) bool {
+	return m.path == path
+}
+
+type filepathMatcher struct {
+	path string
+}
+
+func (m filepathMatcher) match(path string) bool {
+	match, _ := filepath.Match(m.path, path)
+	return match
+}
diff --git a/vendor/github.com/monochromegane/go-gitignore/pattern.go b/vendor/github.com/monochromegane/go-gitignore/pattern.go
new file mode 100644
index 0000000000..93adbf7636
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/pattern.go
@@ -0,0 +1,69 @@
+package gitignore
+
+import (
+	"path/filepath"
+	"strings"
+)
+
+var Separator = string(filepath.Separator)
+
+type pattern struct {
+	hasRootPrefix     bool
+	hasDirSuffix      bool
+	pathDepth         int
+	matcher           pathMatcher
+	onlyEqualizedPath bool
+}
+
+func newPattern(path string) pattern {
+	hasRootPrefix := path[0] == '/'
+	hasDirSuffix := path[len(path)-1] == '/'
+
+	var pathDepth int
+	if !hasRootPrefix {
+		pathDepth = strings.Count(path, "/")
+	}
+
+	var matcher pathMatcher
+	matchingPath := strings.Trim(path, "/")
+	if hasMeta(path) {
+		matcher = filepathMatcher{path: matchingPath}
+	} else {
+		matcher = simpleMatcher{path: matchingPath}
+	}
+
+	return pattern{
+		hasRootPrefix: hasRootPrefix,
+		hasDirSuffix:  hasDirSuffix,
+		pathDepth:     pathDepth,
+		matcher:       matcher,
+	}
+}
+
+func newPatternForEqualizedPath(path string) pattern {
+	pattern := newPattern(path)
+	pattern.onlyEqualizedPath = true
+	return pattern
+}
+
+func (p pattern) match(path string, isDir bool) bool {
+
+	if p.hasDirSuffix && !isDir {
+		return false
+	}
+
+	var targetPath string
+	if p.hasRootPrefix || p.onlyEqualizedPath {
+		// absolute pattern or only equalized path mode
+		targetPath = path
+	} else {
+		// relative pattern
+		targetPath = p.equalizeDepth(path)
+	}
+	return p.matcher.match(targetPath)
+}
+
+func (p pattern) equalizeDepth(path string) string {
+	equalizedPath, _ := cutLastN(path, p.pathDepth+1)
+	return equalizedPath
+}
diff --git a/vendor/github.com/monochromegane/go-gitignore/patterns.go b/vendor/github.com/monochromegane/go-gitignore/patterns.go
new file mode 100644
index 0000000000..6770fb4655
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/patterns.go
@@ -0,0 +1,22 @@
+package gitignore
+
+type patterns struct {
+	patterns []pattern
+}
+
+func (ps *patterns) add(pattern pattern) {
+	ps.patterns = append(ps.patterns, pattern)
+}
+
+func (ps *patterns) size() int {
+	return len(ps.patterns)
+}
+
+func (ps patterns) match(path string, isDir bool) bool {
+	for _, p := range ps.patterns {
+		if match := p.match(path, isDir); match {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/github.com/monochromegane/go-gitignore/util.go b/vendor/github.com/monochromegane/go-gitignore/util.go
new file mode 100644
index 0000000000..b5ab9bbfd2
--- /dev/null
+++ b/vendor/github.com/monochromegane/go-gitignore/util.go
@@ -0,0 +1,45 @@
+package gitignore
+
+import (
+	"os"
+	"strings"
+)
+
+func cutN(path string, n int) (string, bool) {
+	isLast := true
+
+	var i, count int
+	for i < len(path)-1 {
+		if os.IsPathSeparator(path[i]) {
+			count++
+			if count >= n {
+				isLast = false
+				break
+			}
+		}
+		i++
+	}
+	return path[:i+1], isLast
+}
+
+func cutLastN(path string, n int) (string, bool) {
+	isLast := true
+	i := len(path) - 1
+
+	var count int
+	for i >= 0 {
+		if os.IsPathSeparator(path[i]) {
+			count++
+			if count >= n {
+				isLast = false
+				break
+			}
+		}
+		i--
+	}
+	return path[i+1:], isLast
+}
+
+func hasMeta(path string) bool {
+	return strings.IndexAny(path, "*?[") >= 0
+}
diff --git a/vendor/github.com/opencontainers/go-digest/.mailmap b/vendor/github.com/opencontainers/go-digest/.mailmap
new file mode 100644
index 0000000000..eaf8b2f9e6
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/.mailmap
@@ -0,0 +1,4 @@
+Aaron Lehmann <aaronl@vitelus.com> <aaron.lehmann@docker.com>
+Derek McGowan <derek@mcg.dev> <derek@mcgstyle.net>
+Stephen J Day <stephen.day@docker.com> <stevvooe@users.noreply.github.com>
+Haibing Zhou <zhouhaibing089@gmail.com>
diff --git a/vendor/github.com/opencontainers/go-digest/.pullapprove.yml b/vendor/github.com/opencontainers/go-digest/.pullapprove.yml
new file mode 100644
index 0000000000..b6165f83ca
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/.pullapprove.yml
@@ -0,0 +1,28 @@
+version: 2
+
+requirements:
+  signed_off_by:
+    required: true
+
+always_pending:
+  title_regex: '^WIP'
+  explanation: 'Work in progress...'
+
+group_defaults:
+  required: 2
+  approve_by_comment:
+    enabled: true
+    approve_regex: '^LGTM'
+    reject_regex: '^Rejected'
+  reset_on_push:
+    enabled: true
+  author_approval:
+    ignored: true
+  conditions:
+    branches:
+      - master
+
+groups:
+  go-digest:
+    teams:
+      - go-digest-maintainers
diff --git a/vendor/github.com/opencontainers/go-digest/.travis.yml b/vendor/github.com/opencontainers/go-digest/.travis.yml
new file mode 100644
index 0000000000..5775f885c1
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/.travis.yml
@@ -0,0 +1,5 @@
+language: go
+go:
+  - 1.12.x
+  - 1.13.x
+  - master
diff --git a/vendor/github.com/opencontainers/go-digest/CONTRIBUTING.md b/vendor/github.com/opencontainers/go-digest/CONTRIBUTING.md
new file mode 100644
index 0000000000..e4d962ac16
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/CONTRIBUTING.md
@@ -0,0 +1,72 @@
+# Contributing to Docker open source projects
+
+Want to hack on this project? Awesome! Here are instructions to get you started.
+
+This project is a part of the [Docker](https://www.docker.com) project, and follows
+the same rules and principles. If you're already familiar with the way
+Docker does things, you'll feel right at home.
+
+Otherwise, go read Docker's
+[contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md),
+[issue triaging](https://github.com/docker/docker/blob/master/project/ISSUE-TRIAGE.md),
+[review process](https://github.com/docker/docker/blob/master/project/REVIEWING.md) and
+[branches and tags](https://github.com/docker/docker/blob/master/project/BRANCHES-AND-TAGS.md).
+
+For an in-depth description of our contribution process, visit the
+contributors guide: [Understand how to contribute](https://docs.docker.com/opensource/workflow/make-a-contribution/)
+
+### Sign your work
+
+The sign-off is a simple line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are pretty simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+1 Letterman Drive
+Suite D4700
+San Francisco, CA, 94129
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
diff --git a/vendor/github.com/opencontainers/go-digest/LICENSE b/vendor/github.com/opencontainers/go-digest/LICENSE
new file mode 100644
index 0000000000..3ac8ab6487
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/LICENSE
@@ -0,0 +1,192 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2019, 2020 OCI Contributors
+   Copyright 2016 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/opencontainers/go-digest/LICENSE.docs b/vendor/github.com/opencontainers/go-digest/LICENSE.docs
new file mode 100644
index 0000000000..e26cd4fc8e
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/LICENSE.docs
@@ -0,0 +1,425 @@
+Attribution-ShareAlike 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+     Considerations for licensors: Our public licenses are
+     intended for use by those authorized to give the public
+     permission to use material in ways otherwise restricted by
+     copyright and certain other rights. Our licenses are
+     irrevocable. Licensors should read and understand the terms
+     and conditions of the license they choose before applying it.
+     Licensors should also secure all rights necessary before
+     applying our licenses so that the public can reuse the
+     material as expected. Licensors should clearly mark any
+     material not subject to the license. This includes other CC-
+     licensed material, or material used under an exception or
+     limitation to copyright. More considerations for licensors:
+	wiki.creativecommons.org/Considerations_for_licensors
+
+     Considerations for the public: By using one of our public
+     licenses, a licensor grants the public permission to use the
+     licensed material under specified terms and conditions. If
+     the licensor's permission is not necessary for any reason--for
+     example, because of any applicable exception or limitation to
+     copyright--then that use is not regulated by the license. Our
+     licenses grant only permissions under copyright and certain
+     other rights that a licensor has authority to grant. Use of
+     the licensed material may still be restricted for other
+     reasons, including because others have copyright or other
+     rights in the material. A licensor may make special requests,
+     such as asking that all changes be marked or described.
+     Although not required by our licenses, you are encouraged to
+     respect those requests where reasonable. More_considerations
+     for the public:
+	wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution-ShareAlike 4.0 International Public
+License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution-ShareAlike 4.0 International Public License ("Public
+License"). To the extent this Public License may be interpreted as a
+contract, You are granted the Licensed Rights in consideration of Your
+acceptance of these terms and conditions, and the Licensor grants You
+such rights in consideration of benefits the Licensor receives from
+making the Licensed Material available under these terms and
+conditions.
+
+
+Section 1 -- Definitions.
+
+  a. Adapted Material means material subject to Copyright and Similar
+     Rights that is derived from or based upon the Licensed Material
+     and in which the Licensed Material is translated, altered,
+     arranged, transformed, or otherwise modified in a manner requiring
+     permission under the Copyright and Similar Rights held by the
+     Licensor. For purposes of this Public License, where the Licensed
+     Material is a musical work, performance, or sound recording,
+     Adapted Material is always produced where the Licensed Material is
+     synched in timed relation with a moving image.
+
+  b. Adapter's License means the license You apply to Your Copyright
+     and Similar Rights in Your contributions to Adapted Material in
+     accordance with the terms and conditions of this Public License.
+
+  c. BY-SA Compatible License means a license listed at
+     creativecommons.org/compatiblelicenses, approved by Creative
+     Commons as essentially the equivalent of this Public License.
+
+  d. Copyright and Similar Rights means copyright and/or similar rights
+     closely related to copyright including, without limitation,
+     performance, broadcast, sound recording, and Sui Generis Database
+     Rights, without regard to how the rights are labeled or
+     categorized. For purposes of this Public License, the rights
+     specified in Section 2(b)(1)-(2) are not Copyright and Similar
+     Rights.
+
+  e. Effective Technological Measures means those measures that, in the
+     absence of proper authority, may not be circumvented under laws
+     fulfilling obligations under Article 11 of the WIPO Copyright
+     Treaty adopted on December 20, 1996, and/or similar international
+     agreements.
+
+  f. Exceptions and Limitations means fair use, fair dealing, and/or
+     any other exception or limitation to Copyright and Similar Rights
+     that applies to Your use of the Licensed Material.
+
+  g. License Elements means the license attributes listed in the name
+     of a Creative Commons Public License. The License Elements of this
+     Public License are Attribution and ShareAlike.
+
+  h. Licensed Material means the artistic or literary work, database,
+     or other material to which the Licensor applied this Public
+     License.
+
+  i. Licensed Rights means the rights granted to You subject to the
+     terms and conditions of this Public License, which are limited to
+     all Copyright and Similar Rights that apply to Your use of the
+     Licensed Material and that the Licensor has authority to license.
+
+  j. Licensor means the individual(s) or entity(ies) granting rights
+     under this Public License.
+
+  k. Share means to provide material to the public by any means or
+     process that requires permission under the Licensed Rights, such
+     as reproduction, public display, public performance, distribution,
+     dissemination, communication, or importation, and to make material
+     available to the public including in ways that members of the
+     public may access the material from a place and at a time
+     individually chosen by them.
+
+  l. Sui Generis Database Rights means rights other than copyright
+     resulting from Directive 96/9/EC of the European Parliament and of
+     the Council of 11 March 1996 on the legal protection of databases,
+     as amended and/or succeeded, as well as other essentially
+     equivalent rights anywhere in the world.
+
+  m. You means the individual or entity exercising the Licensed Rights
+     under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+  a. License grant.
+
+       1. Subject to the terms and conditions of this Public License,
+          the Licensor hereby grants You a worldwide, royalty-free,
+          non-sublicensable, non-exclusive, irrevocable license to
+          exercise the Licensed Rights in the Licensed Material to:
+
+            a. reproduce and Share the Licensed Material, in whole or
+               in part; and
+
+            b. produce, reproduce, and Share Adapted Material.
+
+       2. Exceptions and Limitations. For the avoidance of doubt, where
+          Exceptions and Limitations apply to Your use, this Public
+          License does not apply, and You do not need to comply with
+          its terms and conditions.
+
+       3. Term. The term of this Public License is specified in Section
+          6(a).
+
+       4. Media and formats; technical modifications allowed. The
+          Licensor authorizes You to exercise the Licensed Rights in
+          all media and formats whether now known or hereafter created,
+          and to make technical modifications necessary to do so. The
+          Licensor waives and/or agrees not to assert any right or
+          authority to forbid You from making technical modifications
+          necessary to exercise the Licensed Rights, including
+          technical modifications necessary to circumvent Effective
+          Technological Measures. For purposes of this Public License,
+          simply making modifications authorized by this Section 2(a)
+          (4) never produces Adapted Material.
+
+       5. Downstream recipients.
+
+            a. Offer from the Licensor -- Licensed Material. Every
+               recipient of the Licensed Material automatically
+               receives an offer from the Licensor to exercise the
+               Licensed Rights under the terms and conditions of this
+               Public License.
+
+            b. Additional offer from the Licensor -- Adapted Material.
+               Every recipient of Adapted Material from You
+               automatically receives an offer from the Licensor to
+               exercise the Licensed Rights in the Adapted Material
+               under the conditions of the Adapter's License You apply.
+
+            c. No downstream restrictions. You may not offer or impose
+               any additional or different terms or conditions on, or
+               apply any Effective Technological Measures to, the
+               Licensed Material if doing so restricts exercise of the
+               Licensed Rights by any recipient of the Licensed
+               Material.
+
+       6. No endorsement. Nothing in this Public License constitutes or
+          may be construed as permission to assert or imply that You
+          are, or that Your use of the Licensed Material is, connected
+          with, or sponsored, endorsed, or granted official status by,
+          the Licensor or others designated to receive attribution as
+          provided in Section 3(a)(1)(A)(i).
+
+  b. Other rights.
+
+       1. Moral rights, such as the right of integrity, are not
+          licensed under this Public License, nor are publicity,
+          privacy, and/or other similar personality rights; however, to
+          the extent possible, the Licensor waives and/or agrees not to
+          assert any such rights held by the Licensor to the limited
+          extent necessary to allow You to exercise the Licensed
+          Rights, but not otherwise.
+
+       2. Patent and trademark rights are not licensed under this
+          Public License.
+
+       3. To the extent possible, the Licensor waives any right to
+          collect royalties from You for the exercise of the Licensed
+          Rights, whether directly or through a collecting society
+          under any voluntary or waivable statutory or compulsory
+          licensing scheme. In all other cases the Licensor expressly
+          reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+  a. Attribution.
+
+       1. If You Share the Licensed Material (including in modified
+          form), You must:
+
+            a. retain the following if it is supplied by the Licensor
+               with the Licensed Material:
+
+                 i. identification of the creator(s) of the Licensed
+                    Material and any others designated to receive
+                    attribution, in any reasonable manner requested by
+                    the Licensor (including by pseudonym if
+                    designated);
+
+                ii. a copyright notice;
+
+               iii. a notice that refers to this Public License;
+
+                iv. a notice that refers to the disclaimer of
+                    warranties;
+
+                 v. a URI or hyperlink to the Licensed Material to the
+                    extent reasonably practicable;
+
+            b. indicate if You modified the Licensed Material and
+               retain an indication of any previous modifications; and
+
+            c. indicate the Licensed Material is licensed under this
+               Public License, and include the text of, or the URI or
+               hyperlink to, this Public License.
+
+       2. You may satisfy the conditions in Section 3(a)(1) in any
+          reasonable manner based on the medium, means, and context in
+          which You Share the Licensed Material. For example, it may be
+          reasonable to satisfy the conditions by providing a URI or
+          hyperlink to a resource that includes the required
+          information.
+
+       3. If requested by the Licensor, You must remove any of the
+          information required by Section 3(a)(1)(A) to the extent
+          reasonably practicable.
+
+  b. ShareAlike.
+
+     In addition to the conditions in Section 3(a), if You Share
+     Adapted Material You produce, the following conditions also apply.
+
+       1. The Adapter's License You apply must be a Creative Commons
+          license with the same License Elements, this version or
+          later, or a BY-SA Compatible License.
+
+       2. You must include the text of, or the URI or hyperlink to, the
+          Adapter's License You apply. You may satisfy this condition
+          in any reasonable manner based on the medium, means, and
+          context in which You Share Adapted Material.
+
+       3. You may not offer or impose any additional or different terms
+          or conditions on, or apply any Effective Technological
+          Measures to, Adapted Material that restrict exercise of the
+          rights granted under the Adapter's License You apply.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+     to extract, reuse, reproduce, and Share all or a substantial
+     portion of the contents of the database;
+
+  b. if You include all or a substantial portion of the database
+     contents in a database in which You have Sui Generis Database
+     Rights, then the database in which You have Sui Generis Database
+     Rights (but not its individual contents) is Adapted Material,
+
+     including for purposes of Section 3(b); and
+  c. You must comply with the conditions in Section 3(a) if You Share
+     all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+  c. The disclaimer of warranties and limitation of liability provided
+     above shall be interpreted in a manner that, to the extent
+     possible, most closely approximates an absolute disclaimer and
+     waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+  a. This Public License applies for the term of the Copyright and
+     Similar Rights licensed here. However, if You fail to comply with
+     this Public License, then Your rights under this Public License
+     terminate automatically.
+
+  b. Where Your right to use the Licensed Material has terminated under
+     Section 6(a), it reinstates:
+
+       1. automatically as of the date the violation is cured, provided
+          it is cured within 30 days of Your discovery of the
+          violation; or
+
+       2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any
+     right the Licensor may have to seek remedies for Your violations
+     of this Public License.
+
+  c. For the avoidance of doubt, the Licensor may also offer the
+     Licensed Material under separate terms or conditions or stop
+     distributing the Licensed Material at any time; however, doing so
+     will not terminate this Public License.
+
+  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+     License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+  a. The Licensor shall not be bound by any additional or different
+     terms or conditions communicated by You unless expressly agreed.
+
+  b. Any arrangements, understandings, or agreements regarding the
+     Licensed Material not stated herein are separate from and
+     independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+  a. For the avoidance of doubt, this Public License does not, and
+     shall not be interpreted to, reduce, limit, restrict, or impose
+     conditions on any use of the Licensed Material that could lawfully
+     be made without permission under this Public License.
+
+  b. To the extent possible, if any provision of this Public License is
+     deemed unenforceable, it shall be automatically reformed to the
+     minimum extent necessary to make it enforceable. If the provision
+     cannot be reformed, it shall be severed from this Public License
+     without affecting the enforceability of the remaining terms and
+     conditions.
+
+  c. No term or condition of this Public License will be waived and no
+     failure to comply consented to unless expressly agreed to by the
+     Licensor.
+
+  d. Nothing in this Public License constitutes or may be interpreted
+     as a limitation upon, or waiver of, any privileges and immunities
+     that apply to the Licensor or You, including from the legal
+     processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public licenses.
+Notwithstanding, Creative Commons may elect to apply one of its public
+licenses to material it publishes and in those instances will be
+considered the "Licensor." Except for the limited purpose of indicating
+that material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the public
+licenses.
+
+Creative Commons may be contacted at creativecommons.org.
diff --git a/vendor/github.com/opencontainers/go-digest/MAINTAINERS b/vendor/github.com/opencontainers/go-digest/MAINTAINERS
new file mode 100644
index 0000000000..843b1b2061
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/MAINTAINERS
@@ -0,0 +1,5 @@
+Derek McGowan <derek@mcgstyle.net> (@dmcgowan)
+Stephen Day <stevvooe@gmail.com> (@stevvooe)
+Vincent Batts <vbatts@hashbangbash.com> (@vbatts)
+Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (@AkihiroSuda)
+Sebastiaan van Stijn <github@gone.nl> (@thaJeztah)
diff --git a/vendor/github.com/opencontainers/go-digest/README.md b/vendor/github.com/opencontainers/go-digest/README.md
new file mode 100644
index 0000000000..a11287207e
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/README.md
@@ -0,0 +1,96 @@
+# go-digest
+
+[![GoDoc](https://godoc.org/github.com/opencontainers/go-digest?status.svg)](https://godoc.org/github.com/opencontainers/go-digest) [![Go Report Card](https://goreportcard.com/badge/github.com/opencontainers/go-digest)](https://goreportcard.com/report/github.com/opencontainers/go-digest) [![Build Status](https://travis-ci.org/opencontainers/go-digest.svg?branch=master)](https://travis-ci.org/opencontainers/go-digest)
+
+Common digest package used across the container ecosystem.
+
+Please see the [godoc](https://godoc.org/github.com/opencontainers/go-digest) for more information.
+
+# What is a digest?
+
+A digest is just a [hash](https://en.wikipedia.org/wiki/Hash_function).
+
+The most common use case for a digest is to create a content identifier for use in [Content Addressable Storage](https://en.wikipedia.org/wiki/Content-addressable_storage) systems:
+
+```go
+id := digest.FromBytes([]byte("my content"))
+```
+
+In the example above, the id can be used to uniquely identify the byte slice "my content".
+This allows two disparate applications to agree on a verifiable identifier without having to trust one another.
+
+An identifying digest can be verified, as follows:
+
+```go
+if id != digest.FromBytes([]byte("my content")) {
+  return errors.New("the content has changed!")
+}
+```
+
+A `Verifier` type can be used to handle cases where an `io.Reader` makes more sense:
+
+```go
+rd := getContent()
+verifier := id.Verifier()
+io.Copy(verifier, rd)
+
+if !verifier.Verified() {
+  return errors.New("the content has changed!")
+}
+```
+
+Using [Merkle DAGs](https://en.wikipedia.org/wiki/Merkle_tree), this can power a rich, safe, content distribution system.
+
+# Usage
+
+While the [godoc](https://godoc.org/github.com/opencontainers/go-digest) is considered the best resource, a few important items need to be called out when using this package.
+
+1. Make sure to import the hash implementations into your application or the package will panic.
+    You should have something like the following in the main (or other entrypoint) of your application:
+   
+    ```go
+    import (
+        _ "crypto/sha256"
+        _ "crypto/sha512"
+    )
+    ```
+    This may seem inconvenient but it allows you replace the hash 
+    implementations with others, such as https://github.com/stevvooe/resumable.
+ 
+2. Even though `digest.Digest` may be assemblable as a string, _always_ verify your input with `digest.Parse` or use `Digest.Validate` when accepting untrusted input.
+    While there are measures to avoid common problems, this will ensure you have valid digests in the rest of your application.
+
+3. While alternative encodings of hash values (digests) are possible (for example, base64), this package deals exclusively with hex-encoded digests.
+
+# Stability
+
+The Go API, at this stage, is considered stable, unless otherwise noted.
+
+As always, before using a package export, read the [godoc](https://godoc.org/github.com/opencontainers/go-digest).
+
+# Contributing
+
+This package is considered fairly complete.
+It has been in production in thousands (millions?) of deployments and is fairly battle-hardened.
+New additions will be met with skepticism.
+If you think there is a missing feature, please file a bug clearly describing the problem and the alternatives you tried before submitting a PR.
+
+## Code of Conduct
+
+Participation in the OpenContainers community is governed by [OpenContainer's Code of Conduct][code-of-conduct].
+
+## Security
+
+If you find an issue, please follow the [security][security] protocol to report it.
+
+# Copyright and license
+
+Copyright © 2019, 2020 OCI Contributors
+Copyright © 2016 Docker, Inc.
+All rights reserved, except as follows.
+Code is released under the [Apache 2.0 license](LICENSE).
+This `README.md` file and the [`CONTRIBUTING.md`](CONTRIBUTING.md) file are licensed under the Creative Commons Attribution 4.0 International License under the terms and conditions set forth in the file [`LICENSE.docs`](LICENSE.docs).
+You may obtain a duplicate copy of the same license, titled CC BY-SA 4.0, at http://creativecommons.org/licenses/by-sa/4.0/.
+
+[security]: https://github.com/opencontainers/org/blob/master/security
+[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md
diff --git a/vendor/github.com/opencontainers/go-digest/algorithm.go b/vendor/github.com/opencontainers/go-digest/algorithm.go
new file mode 100644
index 0000000000..490951dc3f
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/algorithm.go
@@ -0,0 +1,193 @@
+// Copyright 2019, 2020 OCI Contributors
+// Copyright 2017 Docker, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package digest
+
+import (
+	"crypto"
+	"fmt"
+	"hash"
+	"io"
+	"regexp"
+)
+
+// Algorithm identifies and implementation of a digester by an identifier.
+// Note the that this defines both the hash algorithm used and the string
+// encoding.
+type Algorithm string
+
+// supported digest types
+const (
+	SHA256 Algorithm = "sha256" // sha256 with hex encoding (lower case only)
+	SHA384 Algorithm = "sha384" // sha384 with hex encoding (lower case only)
+	SHA512 Algorithm = "sha512" // sha512 with hex encoding (lower case only)
+
+	// Canonical is the primary digest algorithm used with the distribution
+	// project. Other digests may be used but this one is the primary storage
+	// digest.
+	Canonical = SHA256
+)
+
+var (
+	// TODO(stevvooe): Follow the pattern of the standard crypto package for
+	// registration of digests. Effectively, we are a registerable set and
+	// common symbol access.
+
+	// algorithms maps values to hash.Hash implementations. Other algorithms
+	// may be available but they cannot be calculated by the digest package.
+	algorithms = map[Algorithm]crypto.Hash{
+		SHA256: crypto.SHA256,
+		SHA384: crypto.SHA384,
+		SHA512: crypto.SHA512,
+	}
+
+	// anchoredEncodedRegexps contains anchored regular expressions for hex-encoded digests.
+	// Note that /A-F/ disallowed.
+	anchoredEncodedRegexps = map[Algorithm]*regexp.Regexp{
+		SHA256: regexp.MustCompile(`^[a-f0-9]{64}$`),
+		SHA384: regexp.MustCompile(`^[a-f0-9]{96}$`),
+		SHA512: regexp.MustCompile(`^[a-f0-9]{128}$`),
+	}
+)
+
+// Available returns true if the digest type is available for use. If this
+// returns false, Digester and Hash will return nil.
+func (a Algorithm) Available() bool {
+	h, ok := algorithms[a]
+	if !ok {
+		return false
+	}
+
+	// check availability of the hash, as well
+	return h.Available()
+}
+
+func (a Algorithm) String() string {
+	return string(a)
+}
+
+// Size returns number of bytes returned by the hash.
+func (a Algorithm) Size() int {
+	h, ok := algorithms[a]
+	if !ok {
+		return 0
+	}
+	return h.Size()
+}
+
+// Set implemented to allow use of Algorithm as a command line flag.
+func (a *Algorithm) Set(value string) error {
+	if value == "" {
+		*a = Canonical
+	} else {
+		// just do a type conversion, support is queried with Available.
+		*a = Algorithm(value)
+	}
+
+	if !a.Available() {
+		return ErrDigestUnsupported
+	}
+
+	return nil
+}
+
+// Digester returns a new digester for the specified algorithm. If the algorithm
+// does not have a digester implementation, nil will be returned. This can be
+// checked by calling Available before calling Digester.
+func (a Algorithm) Digester() Digester {
+	return &digester{
+		alg:  a,
+		hash: a.Hash(),
+	}
+}
+
+// Hash returns a new hash as used by the algorithm. If not available, the
+// method will panic. Check Algorithm.Available() before calling.
+func (a Algorithm) Hash() hash.Hash {
+	if !a.Available() {
+		// Empty algorithm string is invalid
+		if a == "" {
+			panic(fmt.Sprintf("empty digest algorithm, validate before calling Algorithm.Hash()"))
+		}
+
+		// NOTE(stevvooe): A missing hash is usually a programming error that
+		// must be resolved at compile time. We don't import in the digest
+		// package to allow users to choose their hash implementation (such as
+		// when using stevvooe/resumable or a hardware accelerated package).
+		//
+		// Applications that may want to resolve the hash at runtime should
+		// call Algorithm.Available before call Algorithm.Hash().
+		panic(fmt.Sprintf("%v not available (make sure it is imported)", a))
+	}
+
+	return algorithms[a].New()
+}
+
+// Encode encodes the raw bytes of a digest, typically from a hash.Hash, into
+// the encoded portion of the digest.
+func (a Algorithm) Encode(d []byte) string {
+	// TODO(stevvooe): Currently, all algorithms use a hex encoding. When we
+	// add support for back registration, we can modify this accordingly.
+	return fmt.Sprintf("%x", d)
+}
+
+// FromReader returns the digest of the reader using the algorithm.
+func (a Algorithm) FromReader(rd io.Reader) (Digest, error) {
+	digester := a.Digester()
+
+	if _, err := io.Copy(digester.Hash(), rd); err != nil {
+		return "", err
+	}
+
+	return digester.Digest(), nil
+}
+
+// FromBytes digests the input and returns a Digest.
+func (a Algorithm) FromBytes(p []byte) Digest {
+	digester := a.Digester()
+
+	if _, err := digester.Hash().Write(p); err != nil {
+		// Writes to a Hash should never fail. None of the existing
+		// hash implementations in the stdlib or hashes vendored
+		// here can return errors from Write. Having a panic in this
+		// condition instead of having FromBytes return an error value
+		// avoids unnecessary error handling paths in all callers.
+		panic("write to hash function returned error: " + err.Error())
+	}
+
+	return digester.Digest()
+}
+
+// FromString digests the string input and returns a Digest.
+func (a Algorithm) FromString(s string) Digest {
+	return a.FromBytes([]byte(s))
+}
+
+// Validate validates the encoded portion string
+func (a Algorithm) Validate(encoded string) error {
+	r, ok := anchoredEncodedRegexps[a]
+	if !ok {
+		return ErrDigestUnsupported
+	}
+	// Digests much always be hex-encoded, ensuring that their hex portion will
+	// always be size*2
+	if a.Size()*2 != len(encoded) {
+		return ErrDigestInvalidLength
+	}
+	if r.MatchString(encoded) {
+		return nil
+	}
+	return ErrDigestInvalidFormat
+}
diff --git a/vendor/github.com/opencontainers/go-digest/digest.go b/vendor/github.com/opencontainers/go-digest/digest.go
new file mode 100644
index 0000000000..518b5e7154
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/digest.go
@@ -0,0 +1,157 @@
+// Copyright 2019, 2020 OCI Contributors
+// Copyright 2017 Docker, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package digest
+
+import (
+	"fmt"
+	"hash"
+	"io"
+	"regexp"
+	"strings"
+)
+
+// Digest allows simple protection of hex formatted digest strings, prefixed
+// by their algorithm. Strings of type Digest have some guarantee of being in
+// the correct format and it provides quick access to the components of a
+// digest string.
+//
+// The following is an example of the contents of Digest types:
+//
+// 	sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc
+//
+// This allows to abstract the digest behind this type and work only in those
+// terms.
+type Digest string
+
+// NewDigest returns a Digest from alg and a hash.Hash object.
+func NewDigest(alg Algorithm, h hash.Hash) Digest {
+	return NewDigestFromBytes(alg, h.Sum(nil))
+}
+
+// NewDigestFromBytes returns a new digest from the byte contents of p.
+// Typically, this can come from hash.Hash.Sum(...) or xxx.SumXXX(...)
+// functions. This is also useful for rebuilding digests from binary
+// serializations.
+func NewDigestFromBytes(alg Algorithm, p []byte) Digest {
+	return NewDigestFromEncoded(alg, alg.Encode(p))
+}
+
+// NewDigestFromHex is deprecated. Please use NewDigestFromEncoded.
+func NewDigestFromHex(alg, hex string) Digest {
+	return NewDigestFromEncoded(Algorithm(alg), hex)
+}
+
+// NewDigestFromEncoded returns a Digest from alg and the encoded digest.
+func NewDigestFromEncoded(alg Algorithm, encoded string) Digest {
+	return Digest(fmt.Sprintf("%s:%s", alg, encoded))
+}
+
+// DigestRegexp matches valid digest types.
+var DigestRegexp = regexp.MustCompile(`[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+`)
+
+// DigestRegexpAnchored matches valid digest types, anchored to the start and end of the match.
+var DigestRegexpAnchored = regexp.MustCompile(`^` + DigestRegexp.String() + `$`)
+
+var (
+	// ErrDigestInvalidFormat returned when digest format invalid.
+	ErrDigestInvalidFormat = fmt.Errorf("invalid checksum digest format")
+
+	// ErrDigestInvalidLength returned when digest has invalid length.
+	ErrDigestInvalidLength = fmt.Errorf("invalid checksum digest length")
+
+	// ErrDigestUnsupported returned when the digest algorithm is unsupported.
+	ErrDigestUnsupported = fmt.Errorf("unsupported digest algorithm")
+)
+
+// Parse parses s and returns the validated digest object. An error will
+// be returned if the format is invalid.
+func Parse(s string) (Digest, error) {
+	d := Digest(s)
+	return d, d.Validate()
+}
+
+// FromReader consumes the content of rd until io.EOF, returning canonical digest.
+func FromReader(rd io.Reader) (Digest, error) {
+	return Canonical.FromReader(rd)
+}
+
+// FromBytes digests the input and returns a Digest.
+func FromBytes(p []byte) Digest {
+	return Canonical.FromBytes(p)
+}
+
+// FromString digests the input and returns a Digest.
+func FromString(s string) Digest {
+	return Canonical.FromString(s)
+}
+
+// Validate checks that the contents of d is a valid digest, returning an
+// error if not.
+func (d Digest) Validate() error {
+	s := string(d)
+	i := strings.Index(s, ":")
+	if i <= 0 || i+1 == len(s) {
+		return ErrDigestInvalidFormat
+	}
+	algorithm, encoded := Algorithm(s[:i]), s[i+1:]
+	if !algorithm.Available() {
+		if !DigestRegexpAnchored.MatchString(s) {
+			return ErrDigestInvalidFormat
+		}
+		return ErrDigestUnsupported
+	}
+	return algorithm.Validate(encoded)
+}
+
+// Algorithm returns the algorithm portion of the digest. This will panic if
+// the underlying digest is not in a valid format.
+func (d Digest) Algorithm() Algorithm {
+	return Algorithm(d[:d.sepIndex()])
+}
+
+// Verifier returns a writer object that can be used to verify a stream of
+// content against the digest. If the digest is invalid, the method will panic.
+func (d Digest) Verifier() Verifier {
+	return hashVerifier{
+		hash:   d.Algorithm().Hash(),
+		digest: d,
+	}
+}
+
+// Encoded returns the encoded portion of the digest. This will panic if the
+// underlying digest is not in a valid format.
+func (d Digest) Encoded() string {
+	return string(d[d.sepIndex()+1:])
+}
+
+// Hex is deprecated. Please use Digest.Encoded.
+func (d Digest) Hex() string {
+	return d.Encoded()
+}
+
+func (d Digest) String() string {
+	return string(d)
+}
+
+func (d Digest) sepIndex() int {
+	i := strings.Index(string(d), ":")
+
+	if i < 0 {
+		panic(fmt.Sprintf("no ':' separator in digest %q", d))
+	}
+
+	return i
+}
diff --git a/vendor/github.com/opencontainers/go-digest/digester.go b/vendor/github.com/opencontainers/go-digest/digester.go
new file mode 100644
index 0000000000..ede9077571
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/digester.go
@@ -0,0 +1,40 @@
+// Copyright 2019, 2020 OCI Contributors
+// Copyright 2017 Docker, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package digest
+
+import "hash"
+
+// Digester calculates the digest of written data. Writes should go directly
+// to the return value of Hash, while calling Digest will return the current
+// value of the digest.
+type Digester interface {
+	Hash() hash.Hash // provides direct access to underlying hash instance.
+	Digest() Digest
+}
+
+// digester provides a simple digester definition that embeds a hasher.
+type digester struct {
+	alg  Algorithm
+	hash hash.Hash
+}
+
+func (d *digester) Hash() hash.Hash {
+	return d.hash
+}
+
+func (d *digester) Digest() Digest {
+	return NewDigest(d.alg, d.hash)
+}
diff --git a/vendor/github.com/opencontainers/go-digest/doc.go b/vendor/github.com/opencontainers/go-digest/doc.go
new file mode 100644
index 0000000000..83d3a936ca
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/doc.go
@@ -0,0 +1,62 @@
+// Copyright 2019, 2020 OCI Contributors
+// Copyright 2017 Docker, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package digest provides a generalized type to opaquely represent message
+// digests and their operations within the registry. The Digest type is
+// designed to serve as a flexible identifier in a content-addressable system.
+// More importantly, it provides tools and wrappers to work with
+// hash.Hash-based digests with little effort.
+//
+// Basics
+//
+// The format of a digest is simply a string with two parts, dubbed the
+// "algorithm" and the "digest", separated by a colon:
+//
+// 	<algorithm>:<digest>
+//
+// An example of a sha256 digest representation follows:
+//
+// 	sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc
+//
+// The "algorithm" portion defines both the hashing algorithm used to calculate
+// the digest and the encoding of the resulting digest, which defaults to "hex"
+// if not otherwise specified. Currently, all supported algorithms have their
+// digests encoded in hex strings.
+//
+// In the example above, the string "sha256" is the algorithm and the hex bytes
+// are the "digest".
+//
+// Because the Digest type is simply a string, once a valid Digest is
+// obtained, comparisons are cheap, quick and simple to express with the
+// standard equality operator.
+//
+// Verification
+//
+// The main benefit of using the Digest type is simple verification against a
+// given digest. The Verifier interface, modeled after the stdlib hash.Hash
+// interface, provides a common write sink for digest verification. After
+// writing is complete, calling the Verifier.Verified method will indicate
+// whether or not the stream of bytes matches the target digest.
+//
+// Missing Features
+//
+// In addition to the above, we intend to add the following features to this
+// package:
+//
+// 1. A Digester type that supports write sink digest calculation.
+//
+// 2. Suspend and resume of ongoing digest calculations to support efficient digest verification in the registry.
+//
+package digest
diff --git a/vendor/github.com/opencontainers/go-digest/verifiers.go b/vendor/github.com/opencontainers/go-digest/verifiers.go
new file mode 100644
index 0000000000..afef506f46
--- /dev/null
+++ b/vendor/github.com/opencontainers/go-digest/verifiers.go
@@ -0,0 +1,46 @@
+// Copyright 2019, 2020 OCI Contributors
+// Copyright 2017 Docker, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package digest
+
+import (
+	"hash"
+	"io"
+)
+
+// Verifier presents a general verification interface to be used with message
+// digests and other byte stream verifications. Users instantiate a Verifier
+// from one of the various methods, write the data under test to it then check
+// the result with the Verified method.
+type Verifier interface {
+	io.Writer
+
+	// Verified will return true if the content written to Verifier matches
+	// the digest.
+	Verified() bool
+}
+
+type hashVerifier struct {
+	digest Digest
+	hash   hash.Hash
+}
+
+func (hv hashVerifier) Write(p []byte) (n int, err error) {
+	return hv.hash.Write(p)
+}
+
+func (hv hashVerifier) Verified() bool {
+	return hv.digest == NewDigest(hv.digest.Algorithm(), hv.hash)
+}
diff --git a/vendor/github.com/opencontainers/image-spec/LICENSE b/vendor/github.com/opencontainers/image-spec/LICENSE
new file mode 100644
index 0000000000..9fdc20fdb6
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2016 The Linux Foundation.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go
new file mode 100644
index 0000000000..581cf7cdfa
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go
@@ -0,0 +1,62 @@
+// Copyright 2016 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+const (
+	// AnnotationCreated is the annotation key for the date and time on which the image was built (date-time string as defined by RFC 3339).
+	AnnotationCreated = "org.opencontainers.image.created"
+
+	// AnnotationAuthors is the annotation key for the contact details of the people or organization responsible for the image (freeform string).
+	AnnotationAuthors = "org.opencontainers.image.authors"
+
+	// AnnotationURL is the annotation key for the URL to find more information on the image.
+	AnnotationURL = "org.opencontainers.image.url"
+
+	// AnnotationDocumentation is the annotation key for the URL to get documentation on the image.
+	AnnotationDocumentation = "org.opencontainers.image.documentation"
+
+	// AnnotationSource is the annotation key for the URL to get source code for building the image.
+	AnnotationSource = "org.opencontainers.image.source"
+
+	// AnnotationVersion is the annotation key for the version of the packaged software.
+	// The version MAY match a label or tag in the source code repository.
+	// The version MAY be Semantic versioning-compatible.
+	AnnotationVersion = "org.opencontainers.image.version"
+
+	// AnnotationRevision is the annotation key for the source control revision identifier for the packaged software.
+	AnnotationRevision = "org.opencontainers.image.revision"
+
+	// AnnotationVendor is the annotation key for the name of the distributing entity, organization or individual.
+	AnnotationVendor = "org.opencontainers.image.vendor"
+
+	// AnnotationLicenses is the annotation key for the license(s) under which contained software is distributed as an SPDX License Expression.
+	AnnotationLicenses = "org.opencontainers.image.licenses"
+
+	// AnnotationRefName is the annotation key for the name of the reference for a target.
+	// SHOULD only be considered valid when on descriptors on `index.json` within image layout.
+	AnnotationRefName = "org.opencontainers.image.ref.name"
+
+	// AnnotationTitle is the annotation key for the human-readable title of the image.
+	AnnotationTitle = "org.opencontainers.image.title"
+
+	// AnnotationDescription is the annotation key for the human-readable description of the software packaged in the image.
+	AnnotationDescription = "org.opencontainers.image.description"
+
+	// AnnotationBaseImageDigest is the annotation key for the digest of the image's base image.
+	AnnotationBaseImageDigest = "org.opencontainers.image.base.digest"
+
+	// AnnotationBaseImageName is the annotation key for the image reference of the image's base image.
+	AnnotationBaseImageName = "org.opencontainers.image.base.name"
+)
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go
new file mode 100644
index 0000000000..36b0aeb8f1
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go
@@ -0,0 +1,111 @@
+// Copyright 2016 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+import (
+	"time"
+
+	digest "github.com/opencontainers/go-digest"
+)
+
+// ImageConfig defines the execution parameters which should be used as a base when running a container using an image.
+type ImageConfig struct {
+	// User defines the username or UID which the process in the container should run as.
+	User string `json:"User,omitempty"`
+
+	// ExposedPorts a set of ports to expose from a container running this image.
+	ExposedPorts map[string]struct{} `json:"ExposedPorts,omitempty"`
+
+	// Env is a list of environment variables to be used in a container.
+	Env []string `json:"Env,omitempty"`
+
+	// Entrypoint defines a list of arguments to use as the command to execute when the container starts.
+	Entrypoint []string `json:"Entrypoint,omitempty"`
+
+	// Cmd defines the default arguments to the entrypoint of the container.
+	Cmd []string `json:"Cmd,omitempty"`
+
+	// Volumes is a set of directories describing where the process is likely write data specific to a container instance.
+	Volumes map[string]struct{} `json:"Volumes,omitempty"`
+
+	// WorkingDir sets the current working directory of the entrypoint process in the container.
+	WorkingDir string `json:"WorkingDir,omitempty"`
+
+	// Labels contains arbitrary metadata for the container.
+	Labels map[string]string `json:"Labels,omitempty"`
+
+	// StopSignal contains the system call signal that will be sent to the container to exit.
+	StopSignal string `json:"StopSignal,omitempty"`
+
+	// ArgsEscaped
+	//
+	// Deprecated: This field is present only for legacy compatibility with
+	// Docker and should not be used by new image builders.  It is used by Docker
+	// for Windows images to indicate that the `Entrypoint` or `Cmd` or both,
+	// contains only a single element array, that is a pre-escaped, and combined
+	// into a single string `CommandLine`. If `true` the value in `Entrypoint` or
+	// `Cmd` should be used as-is to avoid double escaping.
+	// https://github.com/opencontainers/image-spec/pull/892
+	ArgsEscaped bool `json:"ArgsEscaped,omitempty"`
+}
+
+// RootFS describes a layer content addresses
+type RootFS struct {
+	// Type is the type of the rootfs.
+	Type string `json:"type"`
+
+	// DiffIDs is an array of layer content hashes (DiffIDs), in order from bottom-most to top-most.
+	DiffIDs []digest.Digest `json:"diff_ids"`
+}
+
+// History describes the history of a layer.
+type History struct {
+	// Created is the combined date and time at which the layer was created, formatted as defined by RFC 3339, section 5.6.
+	Created *time.Time `json:"created,omitempty"`
+
+	// CreatedBy is the command which created the layer.
+	CreatedBy string `json:"created_by,omitempty"`
+
+	// Author is the author of the build point.
+	Author string `json:"author,omitempty"`
+
+	// Comment is a custom message set when creating the layer.
+	Comment string `json:"comment,omitempty"`
+
+	// EmptyLayer is used to mark if the history item created a filesystem diff.
+	EmptyLayer bool `json:"empty_layer,omitempty"`
+}
+
+// Image is the JSON structure which describes some basic information about the image.
+// This provides the `application/vnd.oci.image.config.v1+json` mediatype when marshalled to JSON.
+type Image struct {
+	// Created is the combined date and time at which the image was created, formatted as defined by RFC 3339, section 5.6.
+	Created *time.Time `json:"created,omitempty"`
+
+	// Author defines the name and/or email address of the person or entity which created and is responsible for maintaining the image.
+	Author string `json:"author,omitempty"`
+
+	// Platform describes the platform which the image in the manifest runs on.
+	Platform
+
+	// Config defines the execution parameters which should be used as a base when running a container using the image.
+	Config ImageConfig `json:"config,omitempty"`
+
+	// RootFS references the layer content addresses used by the image.
+	RootFS RootFS `json:"rootfs"`
+
+	// History describes the history of each layer.
+	History []History `json:"history,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go
new file mode 100644
index 0000000000..1881b11814
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go
@@ -0,0 +1,80 @@
+// Copyright 2016-2022 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+import digest "github.com/opencontainers/go-digest"
+
+// Descriptor describes the disposition of targeted content.
+// This structure provides `application/vnd.oci.descriptor.v1+json` mediatype
+// when marshalled to JSON.
+type Descriptor struct {
+	// MediaType is the media type of the object this schema refers to.
+	MediaType string `json:"mediaType"`
+
+	// Digest is the digest of the targeted content.
+	Digest digest.Digest `json:"digest"`
+
+	// Size specifies the size in bytes of the blob.
+	Size int64 `json:"size"`
+
+	// URLs specifies a list of URLs from which this object MAY be downloaded
+	URLs []string `json:"urls,omitempty"`
+
+	// Annotations contains arbitrary metadata relating to the targeted content.
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// Data is an embedding of the targeted content. This is encoded as a base64
+	// string when marshalled to JSON (automatically, by encoding/json). If
+	// present, Data can be used directly to avoid fetching the targeted content.
+	Data []byte `json:"data,omitempty"`
+
+	// Platform describes the platform which the image in the manifest runs on.
+	//
+	// This should only be used when referring to a manifest.
+	Platform *Platform `json:"platform,omitempty"`
+
+	// ArtifactType is the IANA media type of this artifact.
+	ArtifactType string `json:"artifactType,omitempty"`
+}
+
+// Platform describes the platform which the image in the manifest runs on.
+type Platform struct {
+	// Architecture field specifies the CPU architecture, for example
+	// `amd64` or `ppc64le`.
+	Architecture string `json:"architecture"`
+
+	// OS specifies the operating system, for example `linux` or `windows`.
+	OS string `json:"os"`
+
+	// OSVersion is an optional field specifying the operating system
+	// version, for example on Windows `10.0.14393.1066`.
+	OSVersion string `json:"os.version,omitempty"`
+
+	// OSFeatures is an optional field specifying an array of strings,
+	// each listing a required OS feature (for example on Windows `win32k`).
+	OSFeatures []string `json:"os.features,omitempty"`
+
+	// Variant is an optional field specifying a variant of the CPU, for
+	// example `v7` to specify ARMv7 when architecture is `arm`.
+	Variant string `json:"variant,omitempty"`
+}
+
+// DescriptorEmptyJSON is the descriptor of a blob with content of `{}`.
+var DescriptorEmptyJSON = Descriptor{
+	MediaType: MediaTypeEmptyJSON,
+	Digest:    `sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a`,
+	Size:      2,
+	Data:      []byte(`{}`),
+}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go
new file mode 100644
index 0000000000..e2bed9d4e4
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go
@@ -0,0 +1,38 @@
+// Copyright 2016 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+import "github.com/opencontainers/image-spec/specs-go"
+
+// Index references manifests for various platforms.
+// This structure provides `application/vnd.oci.image.index.v1+json` mediatype when marshalled to JSON.
+type Index struct {
+	specs.Versioned
+
+	// MediaType specifies the type of this document data structure e.g. `application/vnd.oci.image.index.v1+json`
+	MediaType string `json:"mediaType,omitempty"`
+
+	// ArtifactType specifies the IANA media type of artifact when the manifest is used for an artifact.
+	ArtifactType string `json:"artifactType,omitempty"`
+
+	// Manifests references platform specific manifests.
+	Manifests []Descriptor `json:"manifests"`
+
+	// Subject is an optional link from the image manifest to another manifest forming an association between the image manifest and the other manifest.
+	Subject *Descriptor `json:"subject,omitempty"`
+
+	// Annotations contains arbitrary metadata for the image index.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/layout.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/layout.go
new file mode 100644
index 0000000000..c5503cb305
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/layout.go
@@ -0,0 +1,32 @@
+// Copyright 2016 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+const (
+	// ImageLayoutFile is the file name containing ImageLayout in an OCI Image Layout
+	ImageLayoutFile = "oci-layout"
+	// ImageLayoutVersion is the version of ImageLayout
+	ImageLayoutVersion = "1.0.0"
+	// ImageIndexFile is the file name of the entry point for references and descriptors in an OCI Image Layout
+	ImageIndexFile = "index.json"
+	// ImageBlobsDir is the directory name containing content addressable blobs in an OCI Image Layout
+	ImageBlobsDir = "blobs"
+)
+
+// ImageLayout is the structure in the "oci-layout" file, found in the root
+// of an OCI Image-layout directory.
+type ImageLayout struct {
+	Version string `json:"imageLayoutVersion"`
+}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
new file mode 100644
index 0000000000..26fec52a6b
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
@@ -0,0 +1,41 @@
+// Copyright 2016-2022 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+import "github.com/opencontainers/image-spec/specs-go"
+
+// Manifest provides `application/vnd.oci.image.manifest.v1+json` mediatype structure when marshalled to JSON.
+type Manifest struct {
+	specs.Versioned
+
+	// MediaType specifies the type of this document data structure e.g. `application/vnd.oci.image.manifest.v1+json`
+	MediaType string `json:"mediaType,omitempty"`
+
+	// ArtifactType specifies the IANA media type of artifact when the manifest is used for an artifact.
+	ArtifactType string `json:"artifactType,omitempty"`
+
+	// Config references a configuration object for a container, by digest.
+	// The referenced configuration object is a JSON blob that the runtime uses to set up the container.
+	Config Descriptor `json:"config"`
+
+	// Layers is an indexed list of layers referenced by the manifest.
+	Layers []Descriptor `json:"layers"`
+
+	// Subject is an optional link from the image manifest to another manifest forming an association between the image manifest and the other manifest.
+	Subject *Descriptor `json:"subject,omitempty"`
+
+	// Annotations contains arbitrary metadata for the image manifest.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go
new file mode 100644
index 0000000000..ce8313e796
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go
@@ -0,0 +1,85 @@
+// Copyright 2016 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+const (
+	// MediaTypeDescriptor specifies the media type for a content descriptor.
+	MediaTypeDescriptor = "application/vnd.oci.descriptor.v1+json"
+
+	// MediaTypeLayoutHeader specifies the media type for the oci-layout.
+	MediaTypeLayoutHeader = "application/vnd.oci.layout.header.v1+json"
+
+	// MediaTypeImageIndex specifies the media type for an image index.
+	MediaTypeImageIndex = "application/vnd.oci.image.index.v1+json"
+
+	// MediaTypeImageManifest specifies the media type for an image manifest.
+	MediaTypeImageManifest = "application/vnd.oci.image.manifest.v1+json"
+
+	// MediaTypeImageConfig specifies the media type for the image configuration.
+	MediaTypeImageConfig = "application/vnd.oci.image.config.v1+json"
+
+	// MediaTypeEmptyJSON specifies the media type for an unused blob containing the value "{}".
+	MediaTypeEmptyJSON = "application/vnd.oci.empty.v1+json"
+)
+
+const (
+	// MediaTypeImageLayer is the media type used for layers referenced by the manifest.
+	MediaTypeImageLayer = "application/vnd.oci.image.layer.v1.tar"
+
+	// MediaTypeImageLayerGzip is the media type used for gzipped layers
+	// referenced by the manifest.
+	MediaTypeImageLayerGzip = "application/vnd.oci.image.layer.v1.tar+gzip"
+
+	// MediaTypeImageLayerZstd is the media type used for zstd compressed
+	// layers referenced by the manifest.
+	MediaTypeImageLayerZstd = "application/vnd.oci.image.layer.v1.tar+zstd"
+)
+
+// Non-distributable layer media-types.
+//
+// Deprecated: Non-distributable layers are deprecated, and not recommended
+// for future use. Implementations SHOULD NOT produce new non-distributable
+// layers.
+// https://github.com/opencontainers/image-spec/pull/965
+const (
+	// MediaTypeImageLayerNonDistributable is the media type for layers referenced by
+	// the manifest but with distribution restrictions.
+	//
+	// Deprecated: Non-distributable layers are deprecated, and not recommended
+	// for future use. Implementations SHOULD NOT produce new non-distributable
+	// layers.
+	// https://github.com/opencontainers/image-spec/pull/965
+	MediaTypeImageLayerNonDistributable = "application/vnd.oci.image.layer.nondistributable.v1.tar"
+
+	// MediaTypeImageLayerNonDistributableGzip is the media type for
+	// gzipped layers referenced by the manifest but with distribution
+	// restrictions.
+	//
+	// Deprecated: Non-distributable layers are deprecated, and not recommended
+	// for future use. Implementations SHOULD NOT produce new non-distributable
+	// layers.
+	// https://github.com/opencontainers/image-spec/pull/965
+	MediaTypeImageLayerNonDistributableGzip = "application/vnd.oci.image.layer.nondistributable.v1.tar+gzip"
+
+	// MediaTypeImageLayerNonDistributableZstd is the media type for zstd
+	// compressed layers referenced by the manifest but with distribution
+	// restrictions.
+	//
+	// Deprecated: Non-distributable layers are deprecated, and not recommended
+	// for future use. Implementations SHOULD NOT produce new non-distributable
+	// layers.
+	// https://github.com/opencontainers/image-spec/pull/965
+	MediaTypeImageLayerNonDistributableZstd = "application/vnd.oci.image.layer.nondistributable.v1.tar+zstd"
+)
diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/version.go b/vendor/github.com/opencontainers/image-spec/specs-go/version.go
new file mode 100644
index 0000000000..c3897c7ca0
--- /dev/null
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/version.go
@@ -0,0 +1,32 @@
+// Copyright 2016 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package specs
+
+import "fmt"
+
+const (
+	// VersionMajor is for an API incompatible changes
+	VersionMajor = 1
+	// VersionMinor is for functionality in a backwards-compatible manner
+	VersionMinor = 1
+	// VersionPatch is for backwards-compatible bug fixes
+	VersionPatch = 1
+
+	// VersionDev indicates development branch. Releases will be empty string.
+	VersionDev = ""
+)
+
+// Version is the specification version that the package types support.
+var Version = fmt.Sprintf("%d.%d.%d%s", VersionMajor, VersionMinor, VersionPatch, VersionDev)
diff --git a/vendor/github.com/go-openapi/swag/file.go b/vendor/github.com/opencontainers/image-spec/specs-go/versioned.go
similarity index 54%
rename from vendor/github.com/go-openapi/swag/file.go
rename to vendor/github.com/opencontainers/image-spec/specs-go/versioned.go
index 16accc55f8..58a1510f33 100644
--- a/vendor/github.com/go-openapi/swag/file.go
+++ b/vendor/github.com/opencontainers/image-spec/specs-go/versioned.go
@@ -1,10 +1,10 @@
-// Copyright 2015 go-swagger maintainers
+// Copyright 2016 The Linux Foundation
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//    http://www.apache.org/licenses/LICENSE-2.0
+//     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -12,22 +12,12 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package swag
+package specs
 
-import "mime/multipart"
-
-// File represents an uploaded file.
-type File struct {
-	Data   multipart.File
-	Header *multipart.FileHeader
-}
-
-// Read bytes from the file
-func (f *File) Read(p []byte) (n int, err error) {
-	return f.Data.Read(p)
-}
-
-// Close the file
-func (f *File) Close() error {
-	return f.Data.Close()
+// Versioned provides a struct with the manifest schemaVersion and mediaType.
+// Incoming content with unknown schema version can be decoded against this
+// struct to check the version.
+type Versioned struct {
+	// SchemaVersion is the image manifest schema that this image follows
+	SchemaVersion int `json:"schemaVersion"`
 }
diff --git a/vendor/github.com/openshift/api/.ci-operator.yaml b/vendor/github.com/openshift/api/.ci-operator.yaml
index e307e5af66..284a910090 100644
--- a/vendor/github.com/openshift/api/.ci-operator.yaml
+++ b/vendor/github.com/openshift/api/.ci-operator.yaml
@@ -1,4 +1,4 @@
 build_root_image:
   name: release
   namespace: openshift
-  tag: rhel-9-release-golang-1.24-openshift-4.21
+  tag: rhel-9-release-golang-1.24-openshift-4.22
diff --git a/vendor/github.com/openshift/api/.coderabbit.yaml b/vendor/github.com/openshift/api/.coderabbit.yaml
new file mode 100644
index 0000000000..a3ee2d122e
--- /dev/null
+++ b/vendor/github.com/openshift/api/.coderabbit.yaml
@@ -0,0 +1,29 @@
+language: en-US
+reviews:
+  profile: chill
+  high_level_summary: false
+  review_status: true
+  commit_status: true
+  collapse_walkthrough: true
+  changed_files_summary: false
+  sequence_diagrams: false
+  estimate_code_review_effort: false
+  poem: false
+  suggested_labels: false
+  path_filters:
+  - "!payload-manifests"
+  - "!**/zz_generated.crd-manifests/*" # Contains files
+  - "!**/zz_generated.featuregated-crd-manifests/**" # Contains folders
+  - "!openapi/**"
+  - "!**/vendor/**"
+  - "!vendor/**"
+  tools:
+    golangci-lint:
+      enabled: true
+knowledge_base:
+  code_guidelines:
+    enabled: true
+    filePatterns:
+    - AGENTS.md
+  learnings:
+    scope: local
diff --git a/vendor/github.com/openshift/api/.golangci.go-validated.yaml b/vendor/github.com/openshift/api/.golangci.go-validated.yaml
index 44c73149d4..ed8fcdbe2d 100644
--- a/vendor/github.com/openshift/api/.golangci.go-validated.yaml
+++ b/vendor/github.com/openshift/api/.golangci.go-validated.yaml
@@ -12,6 +12,7 @@ linters:
           linters:
             enable:
             - optionalfields
+            - nonpointerstructs
             disable:
             - "*"
           lintersConfig:
diff --git a/vendor/github.com/openshift/api/.golangci.yaml b/vendor/github.com/openshift/api/.golangci.yaml
index 8da22c5e51..608fb0ed2e 100644
--- a/vendor/github.com/openshift/api/.golangci.yaml
+++ b/vendor/github.com/openshift/api/.golangci.yaml
@@ -13,10 +13,15 @@ linters:
             enable:
               - forbiddenmarkers
               - maxlength
+              - minlength
               - namingconventions
               - nobools
               - nomaps
+              - preferredmarkers
               - statussubresource
+            disable:
+              - statusoptional # This is legacy and not something we currently recommend.
+              - nonpointerstructs # This is intended for native types, not CRD types.
           lintersConfig:
             conditions:
               isFirstField: Warn
@@ -28,7 +33,6 @@ linters:
               - identifier: "openshift:validation:FeatureSetAwareEnum"
               - identifier: "openshift:validation:FeatureSetAwareXValidation"
               - identifier: "kubebuilder:validation:UniqueItems"
-              - identifier: "kubebuilder:validation:Pattern" # Use CEL expressions instead
             optionalfields:
               pointers:
                 preference: WhenRequired
@@ -42,6 +46,11 @@ linters:
                 # This will force omitzero on optional struct fields.
                 # This means they can be omitted correctly and prevents the need for pointers to structs.
                 policy: SuggestFix
+            preferredmarkers:
+              markers:
+              - preferredIdentifier: "kubebuilder:validation:XValidation"
+                equivalentIdentifiers:
+                - identifier: "kubebuilder:validation:Pattern" # Use CEL expressions instead to allow more expressive error messages.
             requiredfields:
               pointers:
                 # This will force pointers when the field is required, but only when the zero
@@ -58,15 +67,13 @@ linters:
                 policy: SuggestFix
             namingconventions:
               conventions:
-              - name: norefs
-                violationMatcher: "(?i)ref(erence)?s?$"
-                operation: Drop
-                message: "reference fields should not need to be named ref(s)/reference(s)"
               - name: nokind
                 violationMatcher: "^Kind$"
                 operation: Replacement
                 replacement: "Resource"
                 message: "API Kinds can be ambiguous and should be replaced with Resource"
+            noreferences:
+              policy: NoReferences
             uniquemarkers:
               customMarkers:
               - identifier: "openshift:validation:FeatureGateAwareEnum"
@@ -99,6 +106,14 @@ linters:
         # This regex must always be updated in tandem with the regex in .golangci.go-validated.yaml that prevents `optionalfields` from being applied to the files in the path.
         path: machine/v1beta1/(types_awsprovider.go|types_azureprovider.go|types_gcpprovider.go|types_vsphereprovider.go)|machine/v1alpha1/types_openstack.go
         text: "optionalfields"
+      - linters:
+        - kubeapilinter
+        # Silence norefs lint for `Ref` field in ClusterAPI as it refers to an OCI image reference, not a kube object reference.
+        path: operator/v1alpha1/types_clusterapi.go
+        text: "noreferences: naming convention \"no-references\": field ClusterAPIInstallerComponentImage.Ref: field names should not contain reference-related words"
+      - linters:
+        - kubeapilinter
+        path: features|payload-command/*.go
 issues:
   # We have a lot of existing issues.
   # Want to make sure that those adding new fields have an
diff --git a/vendor/github.com/openshift/api/Dockerfile.ocp b/vendor/github.com/openshift/api/Dockerfile.ocp
index 45d24f4fcc..65bd2228ad 100644
--- a/vendor/github.com/openshift/api/Dockerfile.ocp
+++ b/vendor/github.com/openshift/api/Dockerfile.ocp
@@ -1,10 +1,10 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS builder
 WORKDIR /go/src/github.com/openshift/api
 COPY . .
 ENV GO_PACKAGE github.com/openshift/api
 RUN make build --warn-undefined-variables
 
-FROM registry.ci.openshift.org/ocp/4.21:base-rhel9
+FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 
 # copy the built binaries to /usr/bin
 COPY --from=builder /go/src/github.com/openshift/api/render /usr/bin/
diff --git a/vendor/github.com/openshift/api/Makefile b/vendor/github.com/openshift/api/Makefile
index c069d80401..9b32b58e43 100644
--- a/vendor/github.com/openshift/api/Makefile
+++ b/vendor/github.com/openshift/api/Makefile
@@ -114,15 +114,17 @@ update-scripts: update-compatibility update-openapi update-deepcopy update-proto
 # Update codegen runs all generators in the order they are defined in the root.go file.
 # The per group generators are:[compatibility, deepcopy, swagger-docs, empty-partial-schema, schema-patch, crd-manifest-merge]
 # The multi group generators are:[openapi]
+# The payload generation must come after these generators have run so they are included here as well, rather than in update-non-codegen.
 .PHONY: update-codegen
 update-codegen:
 	hack/update-codegen.sh
+	make update-payload-crds update-payload-featuregates
 
 # Update non-codegen runs all generators that are not part of the codegen utility, or
 # are part of it, but are not run by default when invoking codegen without a specific generator.
 # E.g. the payload feature gates which is not part of the generator style, but is still a subcommand.
 .PHONY: update-non-codegen
-update-non-codegen: update-protobuf tests-vendor update-prerelease-lifecycle-gen update-payload-crds update-payload-featuregates
+update-non-codegen: update-protobuf tests-vendor update-prerelease-lifecycle-gen 
 
 .PHONY: update-compatibility
 update-compatibility:
diff --git a/vendor/github.com/openshift/api/apiextensions/install.go b/vendor/github.com/openshift/api/apiextensions/install.go
new file mode 100644
index 0000000000..adaca4d6ba
--- /dev/null
+++ b/vendor/github.com/openshift/api/apiextensions/install.go
@@ -0,0 +1,26 @@
+package apiextensions
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	apiextensionsv1alpha1 "github.com/openshift/api/apiextensions/v1alpha1"
+)
+
+const (
+	GroupName = "apiextensions.openshift.io"
+)
+
+var (
+	schemeBuilder = runtime.NewSchemeBuilder(apiextensionsv1alpha1.Install)
+	// Install is a function which adds every version of this group to a scheme
+	Install = schemeBuilder.AddToScheme
+)
+
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func Kind(kind string) schema.GroupKind {
+	return schema.GroupKind{Group: GroupName, Kind: kind}
+}
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/Makefile b/vendor/github.com/openshift/api/apiextensions/v1alpha1/Makefile
new file mode 100644
index 0000000000..6cf1a197f7
--- /dev/null
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/Makefile
@@ -0,0 +1,3 @@
+.PHONY: test
+test:
+	make -C ../../tests test GINKGO_EXTRA_ARGS=--focus="apiextensions.openshift.io/v1alpha1"
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/doc.go b/vendor/github.com/openshift/api/apiextensions/v1alpha1/doc.go
new file mode 100644
index 0000000000..e5d665fbbc
--- /dev/null
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/doc.go
@@ -0,0 +1,8 @@
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
+// +openshift:featuregated-schema-gen=true
+
+// +groupName=apiextensions.openshift.io
+// Package v1alpha1 is the v1alpha1 version of the API.
+package v1alpha1
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/register.go b/vendor/github.com/openshift/api/apiextensions/v1alpha1/register.go
new file mode 100644
index 0000000000..a2f99e2a50
--- /dev/null
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/register.go
@@ -0,0 +1,39 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupName     = "apiextensions.openshift.io"
+	GroupVersion  = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+	schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// Install is a function which adds this version to a scheme
+	Install = schemeBuilder.AddToScheme
+
+	// SchemeGroupVersion generated code relies on this name
+	// Deprecated
+	SchemeGroupVersion = GroupVersion
+	// AddToScheme exists solely to keep the old generators creating valid code
+	// DEPRECATED
+	AddToScheme = schemeBuilder.AddToScheme
+)
+
+// Resource generated code relies on this being here, but it logically belongs to the group
+// DEPRECATED
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+
+	scheme.AddKnownTypes(GroupVersion,
+		&CompatibilityRequirement{},
+		&CompatibilityRequirementList{},
+	)
+
+	return nil
+}
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go b/vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go
new file mode 100644
index 0000000000..5abbfec7c1
--- /dev/null
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go
@@ -0,0 +1,388 @@
+package v1alpha1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CompatibilityRequirement expresses a set of requirements on a target CRD.
+// It is used to ensure compatibility between different actors using the same
+// CRD.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+// +openshift:file-pattern=cvoRunLevel=0000_20,operatorName=crd-compatibility-checker,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRDCompatibilityRequirementOperator
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=compatibilityrequirements,scope=Cluster
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2479
+// +kubebuilder:metadata:annotations="release.openshift.io/feature-gate=CRDCompatibilityRequirementOperator"
+type CompatibilityRequirement struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +required
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	// spec is the specification of the desired behavior of the Compatibility Requirement.
+	// +required
+	Spec CompatibilityRequirementSpec `json:"spec,omitzero"`
+
+	// status is the most recently observed status of the Compatibility Requirement.
+	// +optional
+	Status CompatibilityRequirementStatus `json:"status,omitzero"`
+}
+
+// CompatibilityRequirementSpec is the specification of the desired behavior of the Compatibility Requirement.
+type CompatibilityRequirementSpec struct {
+	// compatibilitySchema defines the schema used by
+	// customResourceDefinitionSchemaValidation and objectSchemaValidation.
+	// This field is required.
+	// +required
+	CompatibilitySchema CompatibilitySchema `json:"compatibilitySchema,omitzero"`
+
+	// customResourceDefinitionSchemaValidation ensures that updates to the
+	// installed CRD are compatible with this compatibility requirement. If not
+	// specified, admission of the target CRD will not be validated.
+	// This field is optional.
+	// +optional
+	CustomResourceDefinitionSchemaValidation CustomResourceDefinitionSchemaValidation `json:"customResourceDefinitionSchemaValidation,omitzero"`
+
+	// objectSchemaValidation ensures that matching resources conform to
+	// compatibilitySchema. If not specified, admission of matching resources
+	// will not be validated.
+	// This field is optional.
+	// +optional
+	ObjectSchemaValidation ObjectSchemaValidation `json:"objectSchemaValidation,omitzero"`
+}
+
+// CRDDataType indicates the type of the CRD data.
+// +kubebuilder:validation:Enum=YAML
+type CRDDataType string
+
+const (
+	// CRDDataTypeYAML indicates that the CRD data is in YAML format.
+	CRDDataTypeYAML CRDDataType = "YAML"
+)
+
+// CRDData contains the complete definition of a CRD.
+type CRDData struct {
+	// type indicates the type of the CRD data. The only supported type is "YAML".
+	// This field is required.
+	// +required
+	Type CRDDataType `json:"type,omitempty"`
+
+	// data contains the complete definition of the CRD. This field must be in
+	// the format specified by the type field. It may not be longer than 1572864
+	// characters.
+	// This field is required.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1572864
+	// +required
+	Data string `json:"data,omitempty"`
+}
+
+// APIVersionSelectionType specifies a method for automatically selecting a
+// set of API versions to require.
+// +kubebuilder:validation:Enum=StorageOnly;AllServed
+type APIVersionSelectionType string
+
+const (
+	APIVersionSetTypeStorageOnly APIVersionSelectionType = "StorageOnly"
+	APIVersionSetTypeAllServed   APIVersionSelectionType = "AllServed"
+)
+
+// APIVersionString is a string representing a kubernetes API version.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=63
+// +kubebuilder:validation:XValidation:rule="!format.dns1035Label().validate(self).hasValue()",message="It must contain only lower-case alphanumeric characters and hyphens and must start with an alphabetic character and end with an alphanumeric character"
+type APIVersionString string
+
+// APIVersions specifies a set of API versions of a CRD.
+// +kubebuilder:validation:XValidation:rule="self.defaultSelection != 'AllServed' || !has(self.additionalVersions)",message="additionalVersions may not be defined when defaultSelection is 'AllServed'"
+type APIVersions struct {
+	// defaultSelection specifies a method for automatically selecting a set of
+	// versions to require.
+	//
+	// Valid options are StorageOnly and AllServed.
+	// When set to StorageOnly, only the storage version is selected for
+	// compatibility assessment.
+	// When set to AllServed, all served versions are selected for compatibility
+	// assessment.
+	//
+	// This field is required.
+	// +required
+	DefaultSelection APIVersionSelectionType `json:"defaultSelection,omitempty"`
+
+	// additionalVersions specifies a set api versions to require in addition to
+	// the default selection. It is explicitly permitted to specify a version in
+	// additionalVersions which was also selected by the default selection. The
+	// selections will be merged and deduplicated.
+	//
+	// Each item must be at most 63 characters in length, and must must consist
+	// of only lowercase alphanumeric characters and hyphens, and must start
+	// with an alphabetic character and end with an alphanumeric character.// with an alphabetic character and end with an alphanumeric character.
+	// At most 32 additional versions may be specified.
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=32
+	// +listType=set
+	// +optional
+	AdditionalVersions []APIVersionString `json:"additionalVersions,omitempty"`
+}
+
+// APIExcludedField describes a field in the schema which will not be validated by
+// crdSchemaValidation or objectSchemaValidation.
+type APIExcludedField struct {
+	// path is the path to the field in the schema.
+	// Paths are dot-separated field names (e.g., "fieldA.fieldB.fieldC") representing nested object fields.
+	// If part of the path is a slice (e.g., "status.conditions") the remaining path is applied to all items in the slice
+	// (e.g., "status.conditions.lastTransitionTimestamp").
+	// Each field name must be a valid Kubernetes CRD field name: start with a letter, contain only
+	// letters, digits, and underscores, and be between 1 and 63 characters in length.
+	// A path may contain at most 16 fields.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1023
+	// +kubebuilder:validation:XValidation:rule="self.split('.').size() <= 16",message="There may be at most 16 fields in the path."
+	// +kubebuilder:validation:XValidation:rule="self.split('.', 16).all(f, f.matches('^[a-zA-Z][a-zA-Z0-9_]{0,62}$'))",message="path must be dot-separated field names, each starting with a letter and containing only letters, digits, and underscores not exceeding 63 characters. There may be at most 16 fields in the path."
+	// +required
+	Path string `json:"path,omitempty"`
+
+	// versions are the API versions the field is excluded from.
+	// When not specified, the field is excluded from all versions.
+	//
+	// Each item must be at most 63 characters in length, and must must
+	// consist of only lowercase alphanumeric characters and hyphens, and must
+	// start with an alphabetic character and end with an alphanumeric
+	// character.
+	// At most 32 versions may be specified.
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=32
+	// +listType=set
+	// +optional
+	Versions []APIVersionString `json:"versions,omitempty"`
+}
+
+// CompatibilitySchema defines the schema used by crdSchemaValidation and objectSchemaValidation.
+type CompatibilitySchema struct {
+	// customResourceDefinition contains the complete definition of the CRD for schema and object validation purposes.
+	// This field is required.
+	// +required
+	CustomResourceDefinition CRDData `json:"customResourceDefinition,omitzero"`
+
+	// requiredVersions specifies a subset of the CRD's API versions which will be asserted for compatibility.
+	// This field is required.
+	// +required
+	RequiredVersions APIVersions `json:"requiredVersions,omitzero"`
+
+	// excludedFields is a set of fields in the schema which will not be validated by
+	// crdSchemaValidation or objectSchemaValidation.
+	// The list may contain at most 64 fields.
+	// When not specified, all fields in the schema will be validated.
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=64
+	// +listType=atomic
+	// +optional
+	ExcludedFields []APIExcludedField `json:"excludedFields,omitempty"`
+}
+
+// CustomResourceDefinitionSchemaValidation ensures that updates to the installed CRD are compatible with this compatibility requirement.
+type CustomResourceDefinitionSchemaValidation struct {
+	// action determines whether violations are rejected (Deny) or admitted with an API warning (Warn).
+	// Valid options are Deny and Warn.
+	// When set to Deny, incompatible CRDs will be rejected and not admitted to the cluster.
+	// When set to Warn, incompatible CRDs will be allowed but a warning will be generated in the API response.
+	// This field is required.
+	// +required
+	Action CRDAdmitAction `json:"action,omitempty"`
+}
+
+// ObjectSchemaValidation ensures that matching objects conform to the compatibilitySchema.
+type ObjectSchemaValidation struct {
+	// action determines whether violations are rejected (Deny) or admitted with an API warning (Warn).
+	// Valid options are Deny and Warn.
+	// When set to Deny, incompatible Objects will be rejected and not admitted to the cluster.
+	// When set to Warn, incompatible Objects will be allowed but a warning will be generated in the API response.
+	// This field is required.
+	// +required
+	Action CRDAdmitAction `json:"action,omitempty"`
+
+	// namespaceSelector defines a label selector for namespaces. If defined,
+	// only objects in a namespace with matching labels will be subject to
+	// validation. When not specified, objects for validation will not be
+	// filtered by namespace.
+	// +kubebuilder:validation:XValidation:rule="size(self.matchLabels) > 0 || size(self.matchExpressions) > 0",message="must have at least one of matchLabels or matchExpressions when specified"
+	// +optional
+	NamespaceSelector metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+	// objectSelector defines a label selector for objects. If defined, only
+	// objects with matching labels will be subject to validation. When not
+	// specified, objects for validation will not be filtered by label.
+	// +kubebuilder:validation:XValidation:rule="size(self.matchLabels) > 0 || size(self.matchExpressions) > 0",message="must have at least one of matchLabels or matchExpressions when specified"
+	// +optional
+	ObjectSelector metav1.LabelSelector `json:"objectSelector,omitempty"`
+
+	// matchConditions defines the matchConditions field of the resulting ValidatingWebhookConfiguration.
+	// When present, must contain between 1 and 64 match conditions.
+	// When not specified, the webhook will match all requests according to its other selectors.
+	// +listType=map
+	// +listMapKey=name
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=64
+	// +optional
+	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
+}
+
+// CRDAdmitAction determines the action taken when a CRD is not compatible.
+// +kubebuilder:validation:Enum=Deny;Warn
+// +enum
+type CRDAdmitAction string
+
+const (
+	// CRDAdmitActionDeny means that incompatible CRDs will be rejected.
+	CRDAdmitActionDeny CRDAdmitAction = "Deny"
+
+	// CRDAdmitActionWarn means that incompatible CRDs will be allowed but a warning will be generated.
+	CRDAdmitActionWarn CRDAdmitAction = "Warn"
+)
+
+// CompatibilityRequirement's Progressing condition and corresponding reasons.
+const (
+	// CompatibilityRequirementProgressing is false if the spec has been
+	// completely reconciled against the condition's observed generation.
+	// True indicates that reconciliation is still in progress and the current status does not represent
+	// a stable state. Progressing false with an error reason indicates that the object cannot be reconciled.
+	CompatibilityRequirementProgressing string = "Progressing"
+
+	// CompatibilityRequirementConfigurationErrorReason indicates that
+	// reconciliation cannot progress due to an invalid spec. The controller
+	// will not reconcile this object again until the spec is updated.
+	CompatibilityRequirementConfigurationErrorReason string = "ConfigurationError"
+
+	// CompatibilityRequirementTransientErrorReason indicates that
+	// reconciliation failed due to an error that can be retried.
+	CompatibilityRequirementTransientErrorReason string = "TransientError"
+
+	// CompatibilityRequirementUpToDateReason surfaces when reconciliation
+	// completed successfully for the condition's observed generation.
+	CompatibilityRequirementUpToDateReason string = "UpToDate"
+)
+
+// CompatibilityRequirement's Admitted condition and corresponding reasons.
+const (
+	// CompatibilityRequirementAdmitted is true if the requirement has been configured in the validating webhook,
+	// otherwise false.
+	CompatibilityRequirementAdmitted string = "Admitted"
+
+	// CompatibilityRequirementAdmittedReason surfaces when the requirement has been configured in the validating webhook.
+	CompatibilityRequirementAdmittedReason string = "Admitted"
+
+	// CompatibilityRequirementNotAdmittedReason surfaces when the requirement has not been configured in the validating webhook.
+	CompatibilityRequirementNotAdmittedReason string = "NotAdmitted"
+)
+
+// CompatibilityRequirement's Compatible condition and corresponding reasons.
+const (
+	// CompatibilityRequirementCompatible is true if the observed CRD is compatible with the requirement,
+	// otherwise false. Note that Compatible may be false when adding a new requirement which the existing
+	// CRD does not meet.
+	CompatibilityRequirementCompatible string = "Compatible"
+
+	// CompatibilityRequirementRequirementsNotMetReason surfaces when a CRD exists, and it is not compatible with this requirement.
+	CompatibilityRequirementRequirementsNotMetReason string = "RequirementsNotMet"
+
+	// CompatibilityRequirementCRDNotFoundReason surfaces when the referenced CRD does not exist.
+	CompatibilityRequirementCRDNotFoundReason string = "CRDNotFound"
+
+	// CompatibilityRequirementCompatibleWithWarningsReason surfaces when the CRD exists and is compatible with this requirement, but Message contains one or more warning messages.
+	CompatibilityRequirementCompatibleWithWarningsReason string = "CompatibleWithWarnings"
+
+	// CompatibilityRequirementCompatibleReason surfaces when the CRD exists and is compatible with this requirement.
+	CompatibilityRequirementCompatibleReason string = "Compatible"
+)
+
+// CompatibilityRequirementStatus defines the observed status of the Compatibility Requirement.
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.crdName) || has(self.crdName) && oldSelf.crdName == self.crdName",message="crdName cannot be changed once set"
+type CompatibilityRequirementStatus struct {
+	// conditions is a list of conditions and their status.
+	// Known condition types are Progressing, Admitted, and Compatible.
+	//
+	// The Progressing condition indicates if reconciliation of a CompatibilityRequirement is still
+	// progressing or has finished.
+	//
+	// The Admitted condition indicates if the validating webhook has been configured.
+	//
+	// The Compatible condition indicates if the observed CRD is compatible with the requirement.
+	//
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=32
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// observedCRD documents the uid and generation of the CRD object when the current status was written.
+	// This field will be omitted if the target CRD does not exist or could not be retrieved.
+	// +optional
+	ObservedCRD ObservedCRD `json:"observedCRD,omitzero"`
+
+	// crdName is the name of the target CRD. The target CRD is not required to
+	// exist, as we may legitimately place requirements on it before it is
+	// created.  The observed CRD is given in status.observedCRD, which will be
+	// empty if no CRD is observed.
+	// When present, must be between 1 and 253 characters and conform to RFC 1123 subdomain format:
+	// lowercase alphanumeric characters, '-' or '.', starting and ending with alphanumeric characters.
+	// When not specified, the requirement applies to any CRD name discovered from the compatibility schema.
+	// This field is optional. Once set, the value cannot be changed and must always remain set.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+	// +optional
+	CRDName string `json:"crdName,omitempty"`
+}
+
+// ObservedCRD contains information about the observed target CRD.
+// +kubebuilder:validation:XValidation:rule="oldSelf.uid != self.uid || self.generation >= oldSelf.generation",message="generation may only increase on the same CRD"
+type ObservedCRD struct {
+	// uid is the uid of the observed CRD.
+	// Must be a valid UUID consisting of lowercase hexadecimal digits in 5 hyphenated blocks (8-4-4-4-12 format).
+	// Length must be between 1 and 36 characters.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=36
+	// +kubebuilder:validation:Format=uuid
+	// +required
+	UID string `json:"uid,omitempty"`
+
+	// generation is the observed generation of the CRD.
+	// Must be a positive integer (minimum value of 1).
+	// +kubebuilder:validation:Minimum=1
+	// +required
+	Generation int64 `json:"generation,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CompatibilityRequirementList is a collection of CompatibilityRequirements.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CompatibilityRequirementList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitzero"`
+
+	// items is a list of CompatibilityRequirements.
+	// +kubebuilder:validation:MaxItems=1000
+	// +optional
+	Items []CompatibilityRequirement `json:"items,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 0000000000..a9ff411a88
--- /dev/null
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,254 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Code generated by codegen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIExcludedField) DeepCopyInto(out *APIExcludedField) {
+	*out = *in
+	if in.Versions != nil {
+		in, out := &in.Versions, &out.Versions
+		*out = make([]APIVersionString, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIExcludedField.
+func (in *APIExcludedField) DeepCopy() *APIExcludedField {
+	if in == nil {
+		return nil
+	}
+	out := new(APIExcludedField)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIVersions) DeepCopyInto(out *APIVersions) {
+	*out = *in
+	if in.AdditionalVersions != nil {
+		in, out := &in.AdditionalVersions, &out.AdditionalVersions
+		*out = make([]APIVersionString, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIVersions.
+func (in *APIVersions) DeepCopy() *APIVersions {
+	if in == nil {
+		return nil
+	}
+	out := new(APIVersions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRDData) DeepCopyInto(out *CRDData) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRDData.
+func (in *CRDData) DeepCopy() *CRDData {
+	if in == nil {
+		return nil
+	}
+	out := new(CRDData)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CompatibilityRequirement) DeepCopyInto(out *CompatibilityRequirement) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompatibilityRequirement.
+func (in *CompatibilityRequirement) DeepCopy() *CompatibilityRequirement {
+	if in == nil {
+		return nil
+	}
+	out := new(CompatibilityRequirement)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CompatibilityRequirement) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CompatibilityRequirementList) DeepCopyInto(out *CompatibilityRequirementList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CompatibilityRequirement, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompatibilityRequirementList.
+func (in *CompatibilityRequirementList) DeepCopy() *CompatibilityRequirementList {
+	if in == nil {
+		return nil
+	}
+	out := new(CompatibilityRequirementList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CompatibilityRequirementList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CompatibilityRequirementSpec) DeepCopyInto(out *CompatibilityRequirementSpec) {
+	*out = *in
+	in.CompatibilitySchema.DeepCopyInto(&out.CompatibilitySchema)
+	out.CustomResourceDefinitionSchemaValidation = in.CustomResourceDefinitionSchemaValidation
+	in.ObjectSchemaValidation.DeepCopyInto(&out.ObjectSchemaValidation)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompatibilityRequirementSpec.
+func (in *CompatibilityRequirementSpec) DeepCopy() *CompatibilityRequirementSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CompatibilityRequirementSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CompatibilityRequirementStatus) DeepCopyInto(out *CompatibilityRequirementStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	out.ObservedCRD = in.ObservedCRD
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompatibilityRequirementStatus.
+func (in *CompatibilityRequirementStatus) DeepCopy() *CompatibilityRequirementStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CompatibilityRequirementStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CompatibilitySchema) DeepCopyInto(out *CompatibilitySchema) {
+	*out = *in
+	out.CustomResourceDefinition = in.CustomResourceDefinition
+	in.RequiredVersions.DeepCopyInto(&out.RequiredVersions)
+	if in.ExcludedFields != nil {
+		in, out := &in.ExcludedFields, &out.ExcludedFields
+		*out = make([]APIExcludedField, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompatibilitySchema.
+func (in *CompatibilitySchema) DeepCopy() *CompatibilitySchema {
+	if in == nil {
+		return nil
+	}
+	out := new(CompatibilitySchema)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomResourceDefinitionSchemaValidation) DeepCopyInto(out *CustomResourceDefinitionSchemaValidation) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomResourceDefinitionSchemaValidation.
+func (in *CustomResourceDefinitionSchemaValidation) DeepCopy() *CustomResourceDefinitionSchemaValidation {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomResourceDefinitionSchemaValidation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectSchemaValidation) DeepCopyInto(out *ObjectSchemaValidation) {
+	*out = *in
+	in.NamespaceSelector.DeepCopyInto(&out.NamespaceSelector)
+	in.ObjectSelector.DeepCopyInto(&out.ObjectSelector)
+	if in.MatchConditions != nil {
+		in, out := &in.MatchConditions, &out.MatchConditions
+		*out = make([]admissionregistrationv1.MatchCondition, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectSchemaValidation.
+func (in *ObjectSchemaValidation) DeepCopy() *ObjectSchemaValidation {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectSchemaValidation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObservedCRD) DeepCopyInto(out *ObservedCRD) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObservedCRD.
+func (in *ObservedCRD) DeepCopy() *ObservedCRD {
+	if in == nil {
+		return nil
+	}
+	out := new(ObservedCRD)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
new file mode 100644
index 0000000000..433546401c
--- /dev/null
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -0,0 +1,24 @@
+compatibilityrequirements.apiextensions.openshift.io:
+  Annotations:
+    release.openshift.io/feature-gate: CRDCompatibilityRequirementOperator
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2479
+  CRDName: compatibilityrequirements.apiextensions.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - CRDCompatibilityRequirementOperator
+  FilenameOperatorName: crd-compatibility-checker
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_20"
+  GroupName: apiextensions.openshift.io
+  HasStatus: true
+  KindName: CompatibilityRequirement
+  Labels: {}
+  PluralName: compatibilityrequirements
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - CRDCompatibilityRequirementOperator
+  Version: v1alpha1
+
diff --git a/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go
new file mode 100644
index 0000000000..a9a4e707e7
--- /dev/null
+++ b/vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -0,0 +1,129 @@
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_APIExcludedField = map[string]string{
+	"":         "APIExcludedField describes a field in the schema which will not be validated by crdSchemaValidation or objectSchemaValidation.",
+	"path":     "path is the path to the field in the schema. Paths are dot-separated field names (e.g., \"fieldA.fieldB.fieldC\") representing nested object fields. If part of the path is a slice (e.g., \"status.conditions\") the remaining path is applied to all items in the slice (e.g., \"status.conditions.lastTransitionTimestamp\"). Each field name must be a valid Kubernetes CRD field name: start with a letter, contain only letters, digits, and underscores, and be between 1 and 63 characters in length. A path may contain at most 16 fields.",
+	"versions": "versions are the API versions the field is excluded from. When not specified, the field is excluded from all versions.\n\nEach item must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character. At most 32 versions may be specified.",
+}
+
+func (APIExcludedField) SwaggerDoc() map[string]string {
+	return map_APIExcludedField
+}
+
+var map_APIVersions = map[string]string{
+	"":                   "APIVersions specifies a set of API versions of a CRD.",
+	"defaultSelection":   "defaultSelection specifies a method for automatically selecting a set of versions to require.\n\nValid options are StorageOnly and AllServed. When set to StorageOnly, only the storage version is selected for compatibility assessment. When set to AllServed, all served versions are selected for compatibility assessment.\n\nThis field is required.",
+	"additionalVersions": "additionalVersions specifies a set api versions to require in addition to the default selection. It is explicitly permitted to specify a version in additionalVersions which was also selected by the default selection. The selections will be merged and deduplicated.\n\nEach item must be at most 63 characters in length, and must must consist of only lowercase alphanumeric characters and hyphens, and must start with an alphabetic character and end with an alphanumeric character.// with an alphabetic character and end with an alphanumeric character. At most 32 additional versions may be specified.",
+}
+
+func (APIVersions) SwaggerDoc() map[string]string {
+	return map_APIVersions
+}
+
+var map_CRDData = map[string]string{
+	"":     "CRDData contains the complete definition of a CRD.",
+	"type": "type indicates the type of the CRD data. The only supported type is \"YAML\". This field is required.",
+	"data": "data contains the complete definition of the CRD. This field must be in the format specified by the type field. It may not be longer than 1572864 characters. This field is required.",
+}
+
+func (CRDData) SwaggerDoc() map[string]string {
+	return map_CRDData
+}
+
+var map_CompatibilityRequirement = map[string]string{
+	"":         "CompatibilityRequirement expresses a set of requirements on a target CRD. It is used to ensure compatibility between different actors using the same CRD.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec is the specification of the desired behavior of the Compatibility Requirement.",
+	"status":   "status is the most recently observed status of the Compatibility Requirement.",
+}
+
+func (CompatibilityRequirement) SwaggerDoc() map[string]string {
+	return map_CompatibilityRequirement
+}
+
+var map_CompatibilityRequirementList = map[string]string{
+	"":         "CompatibilityRequirementList is a collection of CompatibilityRequirements.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"items":    "items is a list of CompatibilityRequirements.",
+}
+
+func (CompatibilityRequirementList) SwaggerDoc() map[string]string {
+	return map_CompatibilityRequirementList
+}
+
+var map_CompatibilityRequirementSpec = map[string]string{
+	"":                    "CompatibilityRequirementSpec is the specification of the desired behavior of the Compatibility Requirement.",
+	"compatibilitySchema": "compatibilitySchema defines the schema used by customResourceDefinitionSchemaValidation and objectSchemaValidation. This field is required.",
+	"customResourceDefinitionSchemaValidation": "customResourceDefinitionSchemaValidation ensures that updates to the installed CRD are compatible with this compatibility requirement. If not specified, admission of the target CRD will not be validated. This field is optional.",
+	"objectSchemaValidation":                   "objectSchemaValidation ensures that matching resources conform to compatibilitySchema. If not specified, admission of matching resources will not be validated. This field is optional.",
+}
+
+func (CompatibilityRequirementSpec) SwaggerDoc() map[string]string {
+	return map_CompatibilityRequirementSpec
+}
+
+var map_CompatibilityRequirementStatus = map[string]string{
+	"":            "CompatibilityRequirementStatus defines the observed status of the Compatibility Requirement.",
+	"conditions":  "conditions is a list of conditions and their status. Known condition types are Progressing, Admitted, and Compatible.\n\nThe Progressing condition indicates if reconciliation of a CompatibilityRequirement is still progressing or has finished.\n\nThe Admitted condition indicates if the validating webhook has been configured.\n\nThe Compatible condition indicates if the observed CRD is compatible with the requirement.",
+	"observedCRD": "observedCRD documents the uid and generation of the CRD object when the current status was written. This field will be omitted if the target CRD does not exist or could not be retrieved.",
+	"crdName":     "crdName is the name of the target CRD. The target CRD is not required to exist, as we may legitimately place requirements on it before it is created.  The observed CRD is given in status.observedCRD, which will be empty if no CRD is observed. When present, must be between 1 and 253 characters and conform to RFC 1123 subdomain format: lowercase alphanumeric characters, '-' or '.', starting and ending with alphanumeric characters. When not specified, the requirement applies to any CRD name discovered from the compatibility schema. This field is optional. Once set, the value cannot be changed and must always remain set.",
+}
+
+func (CompatibilityRequirementStatus) SwaggerDoc() map[string]string {
+	return map_CompatibilityRequirementStatus
+}
+
+var map_CompatibilitySchema = map[string]string{
+	"":                         "CompatibilitySchema defines the schema used by crdSchemaValidation and objectSchemaValidation.",
+	"customResourceDefinition": "customResourceDefinition contains the complete definition of the CRD for schema and object validation purposes. This field is required.",
+	"requiredVersions":         "requiredVersions specifies a subset of the CRD's API versions which will be asserted for compatibility. This field is required.",
+	"excludedFields":           "excludedFields is a set of fields in the schema which will not be validated by crdSchemaValidation or objectSchemaValidation. The list may contain at most 64 fields. When not specified, all fields in the schema will be validated.",
+}
+
+func (CompatibilitySchema) SwaggerDoc() map[string]string {
+	return map_CompatibilitySchema
+}
+
+var map_CustomResourceDefinitionSchemaValidation = map[string]string{
+	"":       "CustomResourceDefinitionSchemaValidation ensures that updates to the installed CRD are compatible with this compatibility requirement.",
+	"action": "action determines whether violations are rejected (Deny) or admitted with an API warning (Warn). Valid options are Deny and Warn. When set to Deny, incompatible CRDs will be rejected and not admitted to the cluster. When set to Warn, incompatible CRDs will be allowed but a warning will be generated in the API response. This field is required.",
+}
+
+func (CustomResourceDefinitionSchemaValidation) SwaggerDoc() map[string]string {
+	return map_CustomResourceDefinitionSchemaValidation
+}
+
+var map_ObjectSchemaValidation = map[string]string{
+	"":                  "ObjectSchemaValidation ensures that matching objects conform to the compatibilitySchema.",
+	"action":            "action determines whether violations are rejected (Deny) or admitted with an API warning (Warn). Valid options are Deny and Warn. When set to Deny, incompatible Objects will be rejected and not admitted to the cluster. When set to Warn, incompatible Objects will be allowed but a warning will be generated in the API response. This field is required.",
+	"namespaceSelector": "namespaceSelector defines a label selector for namespaces. If defined, only objects in a namespace with matching labels will be subject to validation. When not specified, objects for validation will not be filtered by namespace.",
+	"objectSelector":    "objectSelector defines a label selector for objects. If defined, only objects with matching labels will be subject to validation. When not specified, objects for validation will not be filtered by label.",
+	"matchConditions":   "matchConditions defines the matchConditions field of the resulting ValidatingWebhookConfiguration. When present, must contain between 1 and 64 match conditions. When not specified, the webhook will match all requests according to its other selectors.",
+}
+
+func (ObjectSchemaValidation) SwaggerDoc() map[string]string {
+	return map_ObjectSchemaValidation
+}
+
+var map_ObservedCRD = map[string]string{
+	"":           "ObservedCRD contains information about the observed target CRD.",
+	"uid":        "uid is the uid of the observed CRD. Must be a valid UUID consisting of lowercase hexadecimal digits in 5 hyphenated blocks (8-4-4-4-12 format). Length must be between 1 and 36 characters.",
+	"generation": "generation is the observed generation of the CRD. Must be a positive integer (minimum value of 1).",
+}
+
+func (ObservedCRD) SwaggerDoc() map[string]string {
+	return map_ObservedCRD
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/vendor/github.com/openshift/api/config/v1/register.go b/vendor/github.com/openshift/api/config/v1/register.go
index eac29a2367..222c7f0cc7 100644
--- a/vendor/github.com/openshift/api/config/v1/register.go
+++ b/vendor/github.com/openshift/api/config/v1/register.go
@@ -76,6 +76,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ImagePolicyList{},
 		&ClusterImagePolicy{},
 		&ClusterImagePolicyList{},
+		&InsightsDataGather{},
+		&InsightsDataGatherList{},
 	)
 	metav1.AddToGroupVersion(scheme, GroupVersion)
 	return nil
diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
index 0afe7b1d8d..31d8881858 100644
--- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go
+++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
@@ -212,6 +212,7 @@ type APIServerEncryption struct {
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
 // +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS
+// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS
 type EncryptionType string
 
 const (
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 52a41b2fef..e7433281f4 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
 
 // Authentication specifies cluster-wide settings for authentication (like OAuth and
 // webhook token authenticators). The canonical name of an instance is `cluster`.
@@ -80,8 +80,7 @@ type AuthenticationSpec struct {
 	// +optional
 	ServiceAccountIssuer string `json:"serviceAccountIssuer"`
 
-	// oidcProviders are OIDC identity providers that can issue tokens
-	// for this cluster
+	// oidcProviders are OIDC identity providers that can issue tokens for this cluster
 	// Can only be set if "Type" is set to "OIDC".
 	//
 	// At most one provider can be configured.
@@ -91,6 +90,7 @@ type AuthenticationSpec struct {
 	// +kubebuilder:validation:MaxItems=1
 	// +openshift:enable:FeatureGate=ExternalOIDC
 	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
 	// +optional
 	OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
 }
@@ -112,8 +112,7 @@ type AuthenticationStatus struct {
 	// +optional
 	IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`
 
-	// oidcClients is where participating operators place the current OIDC client status
-	// for OIDC clients that can be customized by the cluster-admin.
+	// oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin.
 	//
 	// +listType=map
 	// +listMapKey=componentNamespace
@@ -145,8 +144,7 @@ type AuthenticationType string
 
 const (
 	// None means that no cluster managed authentication system is in place.
-	// Note that user login will only work if a manually configured system is in place and
-	// referenced in authentication spec via oauthMetadata and
+	// Note that user login will only work if a manually configured system is in place and referenced in authentication spec via oauthMetadata and
 	// webhookTokenAuthenticator/oidcProviders
 	AuthenticationTypeNone AuthenticationType = "None"
 
@@ -198,10 +196,8 @@ const (
 )
 
 type OIDCProvider struct {
-	// name is a required field that configures the unique human-readable identifier
-	// associated with the identity provider.
-	// It is used to distinguish between multiple identity providers
-	// and has no impact on token validation or authentication mechanics.
+	// name is a required field that configures the unique human-readable identifier associated with the identity provider.
+	// It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.
 	//
 	// name must not be an empty string ("").
 	//
@@ -209,15 +205,12 @@ type OIDCProvider struct {
 	// +required
 	Name string `json:"name"`
 
-	// issuer is a required field that configures how the platform interacts
-	// with the identity provider and how tokens issued from the identity provider
-	// are evaluated by the Kubernetes API server.
+	// issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.
 	//
 	// +required
 	Issuer TokenIssuer `json:"issuer"`
 
-	// oidcClients is an optional field that configures how on-cluster,
-	// platform clients should request tokens from the identity provider.
+	// oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider.
 	// oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
 	//
 	// +listType=map
@@ -227,32 +220,40 @@ type OIDCProvider struct {
 	// +optional
 	OIDCClients []OIDCClientConfig `json:"oidcClients"`
 
-	// claimMappings is a required field that configures the rules to be used by
-	// the Kubernetes API server for translating claims in a JWT token, issued
-	// by the identity provider, to a cluster identity.
+	// claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.
 	//
 	// +required
 	ClaimMappings TokenClaimMappings `json:"claimMappings"`
 
-	// claimValidationRules is an optional field that configures the rules to
-	// be used by the Kubernetes API server for validating the claims in a JWT
-	// token issued by the identity provider.
+	// claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.
 	//
 	// Validation rules are joined via an AND operation.
 	//
 	// +listType=atomic
 	// +optional
 	ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
+
+	// userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes.
+	// Rules are CEL expressions that must evaluate to 'true' for authentication to succeed.
+	// If any rule in the chain of rules evaluates to 'false', authentication will fail.
+	// When specified, at least one rule must be specified and no more than 64 rules may be specified.
+	//
+	// +kubebuilder:validation:MaxItems=64
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=expression
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"`
 }
 
 // +kubebuilder:validation:MinLength=1
 type TokenAudience string
 
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="self.?discoveryURL.orValue(\"\").size() > 0 ? (self.issuerURL.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.issuerURL.find('^.+[^/]')) : true",message="discoveryURL must be different from issuerURL"
 type TokenIssuer struct {
-	// issuerURL is a required field that configures the URL used to issue tokens
-	// by the identity provider.
-	// The Kubernetes API server determines how authentication tokens should be handled
-	// by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
+	// issuerURL is a required field that configures the URL used to issue tokens by the identity provider.
+	// The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 	//
 	// Must be at least 1 character and must not exceed 512 characters in length.
 	// Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
@@ -267,8 +268,7 @@ type TokenIssuer struct {
 	// +required
 	URL string `json:"issuerURL"`
 
-	// audiences is a required field that configures the acceptable audiences
-	// the JWT token, issued by the identity provider, must be issued to.
+	// audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to.
 	// At least one of the entries must match the 'aud' claim in the JWT token.
 	//
 	// audiences must contain at least one entry and must not exceed ten entries.
@@ -279,54 +279,65 @@ type TokenIssuer struct {
 	// +required
 	Audiences []TokenAudience `json:"audiences"`
 
-	// issuerCertificateAuthority is an optional field that configures the
-	// certificate authority, used by the Kubernetes API server, to validate
-	// the connection to the identity provider when fetching discovery information.
+	// issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.
 	//
 	// When not specified, the system trust is used.
 	//
-	// When specified, it must reference a ConfigMap in the openshift-config
-	// namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt'
-	// key in the data field of the ConfigMap.
+	// When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.
 	//
 	// +optional
 	CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"`
+	// discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata.
+	// By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration".
+	//
+	// The discoveryURL must be a valid absolute HTTPS URL.
+	// It must not contain query parameters, user information, or fragments.
+	// Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes).
+	// The discoveryURL value must be at least 1 character long and no longer than 2048 characters.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	// +kubebuilder:validation:XValidation:rule="isURL(self)",message="discoveryURL must be a valid URL"
+	// +kubebuilder:validation:XValidation:rule="url(self).getScheme() == 'https'",message="discoveryURL must be a valid https URL"
+	// +kubebuilder:validation:XValidation:rule="url(self).getQuery().size() == 0",message="discoveryURL must not contain query parameters"
+	// +kubebuilder:validation:XValidation:rule="self.matches('^[^#]*$')",message="discoveryURL must not contain fragments"
+	// +kubebuilder:validation:XValidation:rule="!self.matches('^https://.+:.+@.+/.*$')",message="discoveryURL must not contain user info"
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=2048
+	DiscoveryURL string `json:"discoveryURL,omitempty"`
 }
 
 type TokenClaimMappings struct {
-	// username is a required field that configures how the username of a cluster identity
-	// should be constructed from the claims in a JWT token issued by the identity provider.
+	// username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
 	//
 	// +required
 	Username UsernameClaimMapping `json:"username"`
 
-	// groups is an optional field that configures how the groups of a cluster identity
-	// should be constructed from the claims in a JWT token issued
-	// by the identity provider.
-	// When referencing a claim, if the claim is present in the JWT
-	// token, its value must be a list of groups separated by a comma (',').
+	// groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
+	//
+	// When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').
+	//
 	// For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
 	//
 	// +optional
 	Groups PrefixedClaimMapping `json:"groups,omitempty"`
 
-	// uid is an optional field for configuring the claim mapping
-	// used to construct the uid for the cluster identity.
+	// uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.
 	//
 	// When using uid.claim to specify the claim it must be a single string value.
 	// When using uid.expression the expression must result in a single string value.
 	//
-	// When omitted, this means the user has no opinion and the platform
-	// is left to choose a default, which is subject to change over time.
+	// When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.
+	//
 	// The current default is to use the 'sub' claim.
 	//
 	// +optional
 	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
 	UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"`
 
-	// extra is an optional field for configuring the mappings
-	// used to construct the extra attribute for the cluster identity.
+	// extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity.
 	// When omitted, no extra attributes will be present on the cluster identity.
+	//
 	// key values for extra mappings must be unique.
 	// A maximum of 32 extra attribute mappings may be provided.
 	//
@@ -338,52 +349,39 @@ type TokenClaimMappings struct {
 	Extra []ExtraMapping `json:"extra,omitempty"`
 }
 
-// TokenClaimMapping allows specifying a JWT token
-// claim to be used when mapping claims from an
-// authentication token to cluster identities.
+// TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.
 type TokenClaimMapping struct {
-	// claim is a required field that configures the JWT token
-	// claim whose value is assigned to the cluster identity
-	// field associated with this mapping.
+	// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 	//
 	// +required
 	Claim string `json:"claim"`
 }
 
-// TokenClaimOrExpressionMapping allows specifying either a JWT
-// token claim or CEL expression to be used when mapping claims
-// from an authentication token to cluster identities.
+// TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.
 // +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
 type TokenClaimOrExpressionMapping struct {
-	// claim is an optional field for specifying the
-	// JWT token claim that is used in the mapping.
-	// The value of this claim will be assigned to
-	// the field in which this mapping is associated.
+	// claim is an optional field for specifying the JWT token claim that is used in the mapping.
+	// The value of this claim will be assigned to the field in which this mapping is associated.
 	//
 	// Precisely one of claim or expression must be set.
 	// claim must not be specified when expression is set.
-	// When specified, claim must be at least 1 character in length
-	// and must not exceed 256 characters in length.
+	// When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.
 	//
 	// +optional
 	// +kubebuilder:validation:MaxLength=256
 	// +kubebuilder:validation:MinLength=1
 	Claim string `json:"claim,omitempty"`
 
-	// expression is an optional field for specifying a
-	// CEL expression that produces a string value from
-	// JWT token claims.
+	// expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.
 	//
-	// CEL expressions have access to the token claims
-	// through a CEL variable, 'claims'.
+	// CEL expressions have access to the token claims through a CEL variable, 'claims'.
 	// 'claims' is a map of claim names to claim values.
 	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
 	// Nested claims can be accessed using dot notation ('claims.foo.bar').
 	//
 	// Precisely one of claim or expression must be set.
 	// expression must not be specified when claim is set.
-	// When specified, expression must be at least 1 character in length
-	// and must not exceed 1024 characters in length.
+	// When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.
 	//
 	// +optional
 	// +kubebuilder:validation:MaxLength=1024
@@ -391,13 +389,10 @@ type TokenClaimOrExpressionMapping struct {
 	Expression string `json:"expression,omitempty"`
 }
 
-// ExtraMapping allows specifying a key and CEL expression
-// to evaluate the keys' value. It is used to create additional
-// mappings and attributes added to a cluster identity from
-// a provided authentication token.
+// ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value.
+// It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.
 type ExtraMapping struct {
-	// key is a required field that specifies the string
-	// to use as the extra attribute key.
+	// key is a required field that specifies the string to use as the extra attribute key.
 	//
 	// key must be a domain-prefix path (e.g 'example.org/foo').
 	// key must not exceed 510 characters in length.
@@ -410,8 +405,7 @@ type ExtraMapping struct {
 	// It must only contain lower case alphanumeric characters and '-' or '.'.
 	// It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
 	//
-	// The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
-	// alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
+	// The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
 	// It must not exceed 256 characters in length.
 	//
 	// +required
@@ -433,14 +427,12 @@ type ExtraMapping struct {
 	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length"
 	Key string `json:"key"`
 
-	// valueExpression is a required field to specify the CEL expression to extract
-	// the extra attribute value from a JWT token's claims.
+	// valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims.
 	// valueExpression must produce a string or string array value.
 	// "", [], and null are treated as the extra mapping not being present.
 	// Empty string values within an array are filtered out.
 	//
-	// CEL expressions have access to the token claims
-	// through a CEL variable, 'claims'.
+	// CEL expressions have access to the token claims through a CEL variable, 'claims'.
 	// 'claims' is a map of claim names to claim values.
 	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
 	// Nested claims can be accessed using dot notation ('claims.foo.bar').
@@ -454,12 +446,10 @@ type ExtraMapping struct {
 	ValueExpression string `json:"valueExpression"`
 }
 
-// OIDCClientConfig configures how platform clients
-// interact with identity providers as an authentication
-// method
+// OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.
 type OIDCClientConfig struct {
-	// componentName is a required field that specifies the name of the platform
-	// component being configured to use the identity provider as an authentication mode.
+	// componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.
+	//
 	// It is used in combination with componentNamespace as a unique identifier.
 	//
 	// componentName must not be an empty string ("") and must not exceed 256 characters in length.
@@ -469,9 +459,8 @@ type OIDCClientConfig struct {
 	// +required
 	ComponentName string `json:"componentName"`
 
-	// componentNamespace is a required field that specifies the namespace in which the
-	// platform component being configured to use the identity provider as an authentication
-	// mode is running.
+	// componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.
+	//
 	// It is used in combination with componentName as a unique identifier.
 	//
 	// componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
@@ -481,11 +470,8 @@ type OIDCClientConfig struct {
 	// +required
 	ComponentNamespace string `json:"componentNamespace"`
 
-	// clientID is a required field that configures the client identifier, from
-	// the identity provider, that the platform component uses for authentication
-	// requests made to the identity provider.
-	// The identity provider must accept this identifier for platform components
-	// to be able to use the identity provider as an authentication mode.
+	// clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider.
+	// The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.
 	//
 	// clientID must not be an empty string ("").
 	//
@@ -493,27 +479,21 @@ type OIDCClientConfig struct {
 	// +required
 	ClientID string `json:"clientID"`
 
-	// clientSecret is an optional field that configures the client secret used
-	// by the platform component when making authentication requests to the identity provider.
+	// clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.
 	//
-	// When not specified, no client secret will be used when making authentication requests
-	// to the identity provider.
+	// When not specified, no client secret will be used when making authentication requests to the identity provider.
+	//
+	// When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
 	//
-	// When specified, clientSecret references a Secret in the 'openshift-config'
-	// namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
 	// The client secret will be used when making authentication requests to the identity provider.
 	//
-	// Public clients do not require a client secret but private
-	// clients do require a client secret to work with the identity provider.
+	// Public clients do not require a client secret but private clients do require a client secret to work with the identity provider.
 	//
 	// +optional
 	ClientSecret SecretNameReference `json:"clientSecret"`
 
-	// extraScopes is an optional field that configures the extra scopes that should
-	// be requested by the platform component when making authentication requests to the
-	// identity provider.
-	// This is useful if you have configured claim mappings that requires specific
-	// scopes to be requested beyond the standard OIDC scopes.
+	// extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider.
+	// This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.
 	//
 	// When omitted, no additional scopes are requested.
 	//
@@ -526,8 +506,7 @@ type OIDCClientConfig struct {
 // of platform components and how they interact with
 // the configured identity providers.
 type OIDCClientStatus struct {
-	// componentName is a required field that specifies the name of the platform
-	// component using the identity provider as an authentication mode.
+	// componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode.
 	// It is used in combination with componentNamespace as a unique identifier.
 	//
 	// componentName must not be an empty string ("") and must not exceed 256 characters in length.
@@ -537,9 +516,8 @@ type OIDCClientStatus struct {
 	// +required
 	ComponentName string `json:"componentName"`
 
-	// componentNamespace is a required field that specifies the namespace in which the
-	// platform component using the identity provider as an authentication
-	// mode is running.
+	// componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.
+	//
 	// It is used in combination with componentName as a unique identifier.
 	//
 	// componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
@@ -550,6 +528,7 @@ type OIDCClientStatus struct {
 	ComponentNamespace string `json:"componentNamespace"`
 
 	// currentOIDCClients is an optional list of clients that the component is currently using.
+	//
 	// Entries must have unique issuerURL/clientID pairs.
 	//
 	// +listType=map
@@ -558,8 +537,7 @@ type OIDCClientStatus struct {
 	// +optional
 	CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"`
 
-	// consumingUsers is an optional list of ServiceAccounts requiring
-	// read permissions on the `clientSecret` secret.
+	// consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.
 	//
 	// consumingUsers must not exceed 5 entries.
 	//
@@ -585,8 +563,7 @@ type OIDCClientStatus struct {
 // OIDCClientReference is a reference to a platform component
 // client configuration.
 type OIDCClientReference struct {
-	// oidcProviderName is a required reference to the 'name' of the identity provider
-	// configured in 'oidcProviders' that this client is associated with.
+	// oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.
 	//
 	// oidcProviderName must not be an empty string ("").
 	//
@@ -594,8 +571,7 @@ type OIDCClientReference struct {
 	// +required
 	OIDCProviderName string `json:"oidcProviderName"`
 
-	// issuerURL is a required field that specifies the URL of the identity
-	// provider that this client is configured to make requests against.
+	// issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.
 	//
 	// issuerURL must use the 'https' scheme.
 	//
@@ -603,9 +579,7 @@ type OIDCClientReference struct {
 	// +required
 	IssuerURL string `json:"issuerURL"`
 
-	// clientID is a required field that specifies the client identifier, from
-	// the identity provider, that the platform component is using for authentication
-	// requests made to the identity provider.
+	// clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.
 	//
 	// clientID must not be empty.
 	//
@@ -617,9 +591,7 @@ type OIDCClientReference struct {
 // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
 // +union
 type UsernameClaimMapping struct {
-	// claim is a required field that configures the JWT token
-	// claim whose value is assigned to the cluster identity
-	// field associated with this mapping.
+	// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 	//
 	// claim must not be an empty string ("") and must not exceed 256 characters.
 	//
@@ -628,23 +600,21 @@ type UsernameClaimMapping struct {
 	// +kubebuilder:validation:MaxLength:=256
 	Claim string `json:"claim"`
 
-	// prefixPolicy is an optional field that configures how a prefix should be
-	// applied to the value of the JWT claim specified in the 'claim' field.
+	// prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.
 	//
 	// Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 	//
-	// When set to 'Prefix', the value specified in the prefix field will be
-	// prepended to the value of the JWT claim.
+	// When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
+	//
 	// The prefix field must be set when prefixPolicy is 'Prefix'.
 	//
-	// When set to 'NoPrefix', no prefix will be prepended to the value
-	// of the JWT claim.
+	// When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
+	//
+	// When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
+	// Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 	//
-	// When omitted, this means no opinion and the platform is left to choose
-	// any prefixes that are applied which is subject to change over time.
-	// Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim
-	// when the claim is not 'email'.
 	// As an example, consider the following scenario:
+	//
 	//    `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
 	//    the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
 	//    and `claim` is set to:
@@ -656,8 +626,7 @@ type UsernameClaimMapping struct {
 	// +unionDiscriminator
 	PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"`
 
-	// prefix configures the prefix that should be prepended to the value
-	// of the JWT claim.
+	// prefix configures the prefix that should be prepended to the value of the JWT claim.
 	//
 	// prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
 	//
@@ -666,9 +635,7 @@ type UsernameClaimMapping struct {
 	Prefix *UsernamePrefix `json:"prefix"`
 }
 
-// UsernamePrefixPolicy configures how prefixes should be applied
-// to values extracted from the JWT claims during the process of mapping
-// JWT claims to cluster identity attributes.
+// UsernamePrefixPolicy configures how prefixes should be applied to values extracted from the JWT claims during the process of mapping JWT claims to cluster identity attributes.
 // +enum
 type UsernamePrefixPolicy string
 
@@ -687,9 +654,7 @@ var (
 // UsernamePrefix configures the string that should
 // be used as a prefix for username claim mappings.
 type UsernamePrefix struct {
-	// prefixString is a required field that configures the prefix that will
-	// be applied to cluster identity username attribute
-	// during the process of mapping JWT claims to cluster identity attributes.
+	// prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.
 	//
 	// prefixString must not be an empty string ("").
 	//
@@ -703,51 +668,62 @@ type UsernamePrefix struct {
 type PrefixedClaimMapping struct {
 	TokenClaimMapping `json:",inline"`
 
-	// prefix is an optional field that configures the prefix that will be
-	// applied to the cluster identity attribute during the process of mapping
-	// JWT claims to cluster identity attributes.
+	// prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 	//
 	// When omitted (""), no prefix is applied to the cluster identity attribute.
 	//
-	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
-	// an array of strings "a", "b" and  "c", the mapping will result in an
-	// array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 	//
 	// +optional
 	Prefix string `json:"prefix"`
 }
 
-// TokenValidationRuleType represents the different
-// claim validation rule types that can be configured.
+// TokenValidationRuleType defines the type of token validation rule.
 // +enum
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC,enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUpstreamParity,enum="RequiredClaim";"CEL"
 type TokenValidationRuleType string
 
 const (
+	// TokenValidationRuleTypeRequiredClaim indicates that the token must contain a specific claim.
+	// Used as a value for TokenValidationRuleType.
 	TokenValidationRuleTypeRequiredClaim = "RequiredClaim"
+	// TokenValidationRuleTypeCEL indicates that the token validation is defined via a CEL expression.
+	// Used as a value for TokenValidationRuleType.
+	TokenValidationRuleTypeCEL = "CEL"
 )
 
+// TokenClaimValidationRule represents a validation rule based on token claims.
+// If type is RequiredClaim, requiredClaim must be set.
+// If Type is CEL, CEL must be set and RequiredClaim must be omitted.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.type) && self.type == 'CEL' ? has(self.cel) : !has(self.cel)",message="cel must be set when type is 'CEL', and forbidden otherwise"
 type TokenClaimValidationRule struct {
 	// type is an optional field that configures the type of the validation rule.
 	//
-	// Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
-	//
-	// When set to 'RequiredClaim', the Kubernetes API server
-	// will be configured to validate that the incoming JWT
-	// contains the required claim and that its value matches
-	// the required value.
+	// Allowed values are "RequiredClaim" and "CEL".
 	//
-	// Defaults to 'RequiredClaim'.
+	// When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.
 	//
-	// +kubebuilder:validation:Enum={"RequiredClaim"}
-	// +kubebuilder:default="RequiredClaim"
+	// When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.
+	// +required
 	Type TokenValidationRuleType `json:"type"`
 
-	// requiredClaim is an optional field that configures the required claim
-	// and value that the Kubernetes API server will use to validate if an incoming
-	// JWT is valid for this identity provider.
+	// requiredClaim allows configuring a required claim name and its expected value.
+	// This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+	// The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 	//
 	// +optional
 	RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"`
+
+	// cel holds the CEL expression and message for validation.
+	// Must be set when Type is "CEL", and forbidden otherwise.
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	CEL TokenClaimValidationCELRule `json:"cel,omitempty,omitzero"`
 }
 
 type TokenRequiredClaim struct {
@@ -760,10 +736,8 @@ type TokenRequiredClaim struct {
 	// +required
 	Claim string `json:"claim"`
 
-	// requiredValue is a required field that configures the value that 'claim' must
-	// have when taken from the incoming JWT claims.
-	// If the value in the JWT claims does not match, the token
-	// will be rejected for authentication.
+	// requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims.
+	// If the value in the JWT claims does not match, the token will be rejected for authentication.
 	//
 	// requiredValue must not be an empty string ("").
 	//
@@ -771,3 +745,43 @@ type TokenRequiredClaim struct {
 	// +required
 	RequiredValue string `json:"requiredValue"`
 }
+
+type TokenClaimValidationCELRule struct {
+	// expression is a CEL expression evaluated against token claims.
+	// expression is required, must be at least 1 character in length and must not exceed 1024 characters.
+	// The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +required
+	Expression string `json:"expression,omitempty"`
+
+	// message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
+	// message must be at least 1 character in length and must not exceed 256 characters.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	Message string `json:"message,omitempty"`
+}
+
+// TokenUserValidationRule provides a CEL-based rule used to validate a token subject.
+// Each rule contains a CEL expression that is evaluated against the token’s claims.
+type TokenUserValidationRule struct {
+	// expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.
+	//
+	// The expression must evaluate to a boolean value.
+	// When the expression evaluates to 'true', the cluster user identity is considered valid.
+	// When the expression evaluates to 'false', the cluster user identity is not considered valid.
+	// expression must be at least 1 character in length and must not exceed 1024 characters.
+	//
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	Expression string `json:"expression,omitempty"`
+	// message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
+	// message must be at least 1 character in length and must not exceed 256 characters.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	Message string `json:"message,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
index ca604e05c5..491390098c 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
@@ -52,7 +52,7 @@ type ClusterImagePolicySpec struct {
 	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +k8s:deepcopy-gen=true
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
index e5aad151ea..5f36f693de 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
@@ -199,9 +199,23 @@ type ClusterVersionStatus struct {
 	// availableUpdates. This list may be empty if no updates are
 	// recommended, if the update service is unavailable, or if an empty
 	// or invalid channel has been specified.
+	// +kubebuilder:validation:MaxItems=500
 	// +listType=atomic
 	// +optional
 	ConditionalUpdates []ConditionalUpdate `json:"conditionalUpdates,omitempty"`
+
+	// conditionalUpdateRisks contains the list of risks associated with conditionalUpdates.
+	// When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field.
+	// If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked.
+	// The risk names in the list must be unique.
+	// conditionalUpdateRisks must not contain more than 500 entries.
+	// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+	// +kubebuilder:validation:MaxItems=500
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	ConditionalUpdateRisks []ConditionalUpdateRisk `json:"conditionalUpdateRisks,omitempty"`
 }
 
 // UpdateState is a constant representing whether an update was successfully
@@ -258,7 +272,7 @@ type UpdateHistory struct {
 	Verified bool `json:"verified"`
 
 	// acceptedRisks records risks which were accepted to initiate the update.
-	// For example, it may menition an Upgradeable=False or missing signature
+	// For example, it may mention an Upgradeable=False or missing signature
 	// that was overridden via desiredUpdate.force, or an update that was
 	// initiated despite not being in the availableUpdates set of recommended
 	// update targets.
@@ -732,6 +746,30 @@ type Update struct {
 	//
 	// +optional
 	Force bool `json:"force"`
+
+	// acceptRisks is an optional set of names of conditional update risks that are considered acceptable.
+	// A conditional update is performed only if all of its risks are acceptable.
+	// This list may contain entries that apply to current, previous or future updates.
+	// The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks.
+	// acceptRisks must not contain more than 1000 entries.
+	// Entries in this list must be unique.
+	// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+	// +kubebuilder:validation:MaxItems=1000
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	AcceptRisks []AcceptRisk `json:"acceptRisks,omitempty"`
+}
+
+// AcceptRisk represents a risk that is considered acceptable.
+type AcceptRisk struct {
+	// name is the name of the acceptable risk.
+	// It must be a non-empty string and must not exceed 256 characters.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +required
+	Name string `json:"name,omitempty"`
 }
 
 // Release represents an OpenShift release image and associated metadata.
@@ -787,12 +825,27 @@ type ConditionalUpdate struct {
 	// +required
 	Release Release `json:"release"`
 
+	// riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters.
+	// The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster.
+	// A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator.
+	// The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field.
+	// Entries must be unique and must not exceed 256 characters.
+	// riskNames must not contain more than 500 entries.
+	// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:items:MaxLength=256
+	// +kubebuilder:validation:MaxItems=500
+	// +listType=set
+	// +optional
+	RiskNames []string `json:"riskNames,omitempty"`
+
 	// risks represents the range of issues associated with
 	// updating to the target release. The cluster-version
 	// operator will evaluate all entries, and only recommend the
 	// update if there is at least one entry and all entries
 	// recommend the update.
 	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=200
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	// +listType=map
@@ -813,6 +866,20 @@ type ConditionalUpdate struct {
 // for not recommending a conditional update.
 // +k8s:deepcopy-gen=true
 type ConditionalUpdateRisk struct {
+	// conditions represents the observations of the conditional update
+	// risk's current status. Known types are:
+	// * Applies, for whether the risk applies to the current cluster.
+	// The condition's types in the list must be unique.
+	// conditions must not contain more than one entry.
+	// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+	// +kubebuilder:validation:XValidation:rule="self.exists_one(x, x.type == 'Applies')",message="must contain a condition of type 'Applies'"
+	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
 	// url contains information about this risk.
 	// +kubebuilder:validation:Format=uri
 	// +kubebuilder:validation:MinLength=1
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go
index a6a6405130..3cc46141c9 100644
--- a/vendor/github.com/openshift/api/config/v1/types_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1/types_image_policy.go
@@ -51,7 +51,7 @@ type ImagePolicySpec struct {
 	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
@@ -60,8 +60,8 @@ type ImagePolicySpec struct {
 // +kubebuilder:validation:MaxLength=512
 type ImageScope string
 
-// Policy defines the verification policy for the items in the scopes list.
-type Policy struct {
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicy struct {
 	// rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval.
 	// This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.
 	// +required
@@ -89,18 +89,18 @@ type PolicyRootOfTrust struct {
 	// publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification.
 	// publicKey is required when policyType is PublicKey, and forbidden otherwise.
 	// +optional
-	PublicKey *PublicKey `json:"publicKey,omitempty"`
+	PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"`
 	// fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key.
 	// fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise
 	// For more information about Fulcio and Rekor, please refer to the document at:
 	// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
 	// +optional
-	FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+	FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"`
 	// pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
 	// pki is required when policyType is PKI, and forbidden otherwise.
 	// +optional
 	// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
-	PKI *PKI `json:"pki,omitempty"`
+	PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"`
 }
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
@@ -113,8 +113,8 @@ const (
 	PKIRootOfTrust               PolicyType = "PKI"
 )
 
-// PublicKey defines the root of trust based on a sigstore public key.
-type PublicKey struct {
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrust struct {
 	// keyData is a required field contains inline base64-encoded data for the PEM format public key.
 	// keyData must be at most 8192 characters.
 	// +required
@@ -132,8 +132,8 @@ type PublicKey struct {
 	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
 }
 
-// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
-type FulcioCAWithRekor struct {
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrust struct {
 	// fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA.
 	// fulcioCAData must be at most 8192 characters.
 	// +required
@@ -172,8 +172,8 @@ type PolicyFulcioSubject struct {
 	SignedEmail string `json:"signedEmail"`
 }
 
-// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
-type PKI struct {
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrust struct {
 	// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
 	// +required
 	// +kubebuilder:validation:MaxLength=8192
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
index 313ed57a41..369ba1e7a0 100644
--- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -302,9 +302,10 @@ type PlatformSpec struct {
 	// balancers, dynamic volume provisioning, machine creation and deletion, and
 	// other integrations are enabled. If None, no infrastructure automation is
 	// enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
-	// "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS",
-	// "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms,
-	// and must handle unrecognized platforms as None if they do not support that platform.
+	// "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal",
+	// "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual
+	// components may not support all platforms, and must handle unrecognized
+	// platforms as None if they do not support that platform.
 	//
 	// +unionDiscriminator
 	Type PlatformType `json:"type"`
diff --git a/vendor/github.com/openshift/api/config/v1/types_insights.go b/vendor/github.com/openshift/api/config/v1/types_insights.go
new file mode 100644
index 0000000000..710d4303da
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_insights.go
@@ -0,0 +1,231 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// InsightsDataGather provides data gather configuration options for the Insights Operator.
+//
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+//
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=insightsdatagathers,scope=Cluster
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2448
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=InsightsConfig
+// +openshift:capability=Insights
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type InsightsDataGather struct {
+	metav1.TypeMeta `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// spec holds user settable values for configuration
+	// +required
+	Spec InsightsDataGatherSpec `json:"spec,omitempty,omitzero"`
+}
+
+// InsightsDataGatherSpec contains the configuration for the data gathering.
+type InsightsDataGatherSpec struct {
+	// gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.
+	// +required
+	GatherConfig GatherConfig `json:"gatherConfig,omitempty,omitzero"`
+}
+
+// GatherConfig provides data gathering configuration options.
+type GatherConfig struct {
+	// dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data.
+	// It may not exceed 2 items and must not contain duplicates.
+	// Valid values are ObfuscateNetworking and WorkloadNames.
+	// When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated.
+	// When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead.
+	// When omitted no obfuscation is applied.
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))",message="dataPolicy items must be unique"
+	// +listType=atomic
+	// +optional
+	DataPolicy []DataPolicyOption `json:"dataPolicy,omitempty"`
+	// gatherers is a required field that specifies the configuration of the gatherers.
+	// +required
+	Gatherers Gatherers `json:"gatherers,omitempty,omitzero"`
+	// storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive.
+	// If omitted, the gathering job will use ephemeral storage.
+	// +optional
+	Storage Storage `json:"storage,omitempty,omitzero"`
+}
+
+// Gatherers specifies the configuration of the gatherers
+// +kubebuilder:validation:XValidation:rule="has(self.mode) && self.mode == 'Custom' ?  has(self.custom) : !has(self.custom)",message="custom is required when mode is Custom, and forbidden otherwise"
+// +union
+type Gatherers struct {
+	// mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom.
+	// When set to All, all gatherers will run and gather data.
+	// When set to None, all gatherers will be disabled and no data will be gathered.
+	// When set to Custom, the custom configuration from the custom field will be applied.
+	// +unionDiscriminator
+	// +required
+	Mode GatheringMode `json:"mode,omitempty"`
+	// custom provides gathering configuration.
+	// It is required when mode is Custom, and forbidden otherwise.
+	// Custom configuration allows user to disable only a subset of gatherers.
+	// Gatherers that are not explicitly disabled in custom configuration will run.
+	// +unionMember
+	// +optional
+	Custom Custom `json:"custom,omitempty,omitzero"`
+}
+
+// Custom provides the custom configuration of gatherers
+type Custom struct {
+	// configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers.
+	// It may not exceed 100 items and each gatherer can be present only once.
+	// It is possible to disable an entire set of gatherers while allowing a specific function within that set.
+	// The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	// +listType=map
+	// +listMapKey=name
+	// +required
+	Configs []GathererConfig `json:"configs,omitempty"`
+}
+
+// GatheringMode defines the valid gathering modes.
+// +kubebuilder:validation:Enum=All;None;Custom
+type GatheringMode string
+
+const (
+	// Enabled enables all gatherers
+	GatheringModeAll GatheringMode = "All"
+	// Disabled disables all gatherers
+	GatheringModeNone GatheringMode = "None"
+	// Custom applies the configuration from GatheringConfig.
+	GatheringModeCustom GatheringMode = "Custom"
+)
+
+// DataPolicyOption declares valid data policy options
+// +kubebuilder:validation:Enum=ObfuscateNetworking;WorkloadNames
+type DataPolicyOption string
+
+const (
+	// IP addresses and cluster domain name are obfuscated
+	DataPolicyOptionObfuscateNetworking DataPolicyOption = "ObfuscateNetworking"
+	// Data from Deployment Validation Operator are obfuscated
+	DataPolicyOptionObfuscateWorkloadNames DataPolicyOption = "WorkloadNames"
+)
+
+// Storage provides persistent storage configuration options for gathering jobs.
+// If the type is set to PersistentVolume, then the PersistentVolume must be defined.
+// If the type is set to Ephemeral, then the PersistentVolume must not be defined.
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'PersistentVolume' ?  has(self.persistentVolume) : !has(self.persistentVolume)",message="persistentVolume is required when type is PersistentVolume, and forbidden otherwise"
+// +union
+type Storage struct {
+	// type is a required field that specifies the type of storage that will be used to store the Insights data archive.
+	// Valid values are "PersistentVolume" and "Ephemeral".
+	// When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job.
+	// When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.
+	// +unionDiscriminator
+	// +required
+	Type StorageType `json:"type,omitempty"`
+	// persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive.
+	// The PersistentVolume must be created in the openshift-insights namespace.
+	// +unionMember
+	// +optional
+	PersistentVolume PersistentVolumeConfig `json:"persistentVolume,omitempty,omitzero"`
+}
+
+// StorageType declares valid storage types
+// +kubebuilder:validation:Enum=PersistentVolume;Ephemeral
+type StorageType string
+
+const (
+	// StorageTypePersistentVolume storage type
+	StorageTypePersistentVolume StorageType = "PersistentVolume"
+	// StorageTypeEphemeral storage type
+	StorageTypeEphemeral StorageType = "Ephemeral"
+)
+
+// PersistentVolumeConfig provides configuration options for PersistentVolume storage.
+type PersistentVolumeConfig struct {
+	// claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive.
+	// The PersistentVolumeClaim must be created in the openshift-insights namespace.
+	// +required
+	Claim PersistentVolumeClaimReference `json:"claim,omitempty,omitzero"`
+	// mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// The current default mount path is /var/lib/insights-operator
+	// The path may not exceed 1024 characters and must not contain a colon.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +kubebuilder:validation:XValidation:rule="!self.contains(':')",message="mountPath must not contain a colon"
+	// +optional
+	MountPath string `json:"mountPath,omitempty"`
+}
+
+// PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim.
+type PersistentVolumeClaimReference struct {
+	// name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive.
+	// It is a string that follows the DNS1123 subdomain format.
+	// It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.
+	// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +required
+	Name string `json:"name,omitempty"`
+}
+
+// GathererConfig allows to configure specific gatherers
+type GathererConfig struct {
+	// name is the required name of a specific gatherer.
+	// It may not exceed 256 characters.
+	// The format for a gatherer name is: {gatherer}/{function} where the function is optional.
+	// Gatherer consists of a lowercase letters only that may include underscores (_).
+	// Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/).
+	// The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +kubebuilder:validation:XValidation:rule=`self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$")`,message=`gatherer name must be in the format of {gatherer}/{function} where the gatherer and function are lowercase letters only that may include underscores (_) and are separated by a forward slash (/) if the function is provided`
+	// +required
+	Name string `json:"name,omitempty"`
+	// state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled".
+	// When set to Enabled the gatherer will run.
+	// When set to Disabled the gatherer will not run.
+	// +required
+	State GathererState `json:"state,omitempty"`
+}
+
+// GathererState declares valid gatherer state types.
+// +kubebuilder:validation:Enum=Enabled;Disabled
+type GathererState string
+
+const (
+	// GathererStateEnabled gatherer state, which means that the gatherer will run.
+	GathererStateEnabled GathererState = "Enabled"
+	// GathererStateDisabled gatherer state, which means that the gatherer will not run.
+	GathererStateDisabled GathererState = "Disabled"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// InsightsDataGatherList is a collection of items
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type InsightsDataGatherList struct {
+	metav1.TypeMeta `json:",inline"`
+	// metadata is the required standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +required
+	metav1.ListMeta `json:"metadata,omitempty"`
+	// items is the required list of InsightsDataGather objects
+	// it may not exceed 100 items
+	// +kubebuilder:validation:MinItems=0
+	// +kubebuilder:validation:MaxItems=100
+	// +required
+	Items []InsightsDataGather `json:"items,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_network.go b/vendor/github.com/openshift/api/config/v1/types_network.go
index c0d1602b37..fb8ed2fff7 100644
--- a/vendor/github.com/openshift/api/config/v1/types_network.go
+++ b/vendor/github.com/openshift/api/config/v1/types_network.go
@@ -41,7 +41,7 @@ type Network struct {
 // As a general rule, this SHOULD NOT be read directly. Instead, you should
 // consume the NetworkStatus, as it indicates the currently deployed configuration.
 // Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=NetworkDiagnosticsConfig,rule="!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) || self.networkDiagnostics.mode!='Disabled' || !has(self.networkDiagnostics.sourcePlacement) && !has(self.networkDiagnostics.targetPlacement)",message="cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement when networkDiagnostics.mode is Disabled"
+// +kubebuilder:validation:XValidation:rule="!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) || self.networkDiagnostics.mode!='Disabled' || !has(self.networkDiagnostics.sourcePlacement) && !has(self.networkDiagnostics.targetPlacement)",message="cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement when networkDiagnostics.mode is Disabled"
 type NetworkSpec struct {
 	// IP address pool to use for pod IPs.
 	// This field is immutable after installation.
@@ -85,7 +85,6 @@ type NetworkSpec struct {
 	// the network diagnostics feature will be disabled.
 	//
 	// +optional
-	// +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
 	NetworkDiagnostics NetworkDiagnostics `json:"networkDiagnostics"`
 }
 
@@ -119,7 +118,6 @@ type NetworkStatus struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=type
-	// +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
index b18ef647c2..48657b0894 100644
--- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
+++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
@@ -4,178 +4,115 @@ package v1
 // is used by operators to apply TLS security settings to operands.
 // +union
 type TLSSecurityProfile struct {
-	// type is one of Old, Intermediate, Modern or Custom. Custom provides
-	// the ability to specify individual TLS security profile parameters.
-	// Old, Intermediate and Modern are TLS security profiles based on:
+	// type is one of Old, Intermediate, Modern or Custom. Custom provides the
+	// ability to specify individual TLS security profile parameters.
 	//
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+	// The profiles are based on version 5.7 of the Mozilla Server Side TLS
+	// configuration guidelines. The cipher lists consist of the configuration's
+	// "ciphersuites" followed by the Go-specific "ciphers" from the guidelines.
+	// See: https://ssl-config.mozilla.org/guidelines/5.7.json
 	//
-	// The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
-	// are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be
-	// reduced.
-	//
-	// Note that the Modern profile is currently not supported because it is not
-	// yet well adopted by common software libraries.
+	// The profiles are intent based, so they may change over time as new ciphers are
+	// developed and existing ciphers are found to be insecure. Depending on
+	// precisely which ciphers are available to a process, the list may be reduced.
 	//
 	// +unionDiscriminator
 	// +optional
 	Type TLSProfileType `json:"type"`
-	// old is a TLS security profile based on:
-	//
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
-	//
-	// and looks like this (yaml):
+
+	// old is a TLS profile for use when services need to be accessed by very old
+	// clients or libraries and should be used only as a last resort.
 	//
+	// This profile is equivalent to a Custom profile specified as:
+	//   minTLSVersion: VersionTLS10
 	//   ciphers:
-	//
 	//     - TLS_AES_128_GCM_SHA256
-	//
 	//     - TLS_AES_256_GCM_SHA384
-	//
 	//     - TLS_CHACHA20_POLY1305_SHA256
-	//
 	//     - ECDHE-ECDSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-RSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-ECDSA-AES256-GCM-SHA384
-	//
 	//     - ECDHE-RSA-AES256-GCM-SHA384
-	//
 	//     - ECDHE-ECDSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-RSA-CHACHA20-POLY1305
-	//
-	//     - DHE-RSA-AES128-GCM-SHA256
-	//
-	//     - DHE-RSA-AES256-GCM-SHA384
-	//
-	//     - DHE-RSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-ECDSA-AES128-SHA256
-	//
 	//     - ECDHE-RSA-AES128-SHA256
-	//
 	//     - ECDHE-ECDSA-AES128-SHA
-	//
 	//     - ECDHE-RSA-AES128-SHA
-	//
-	//     - ECDHE-ECDSA-AES256-SHA384
-	//
-	//     - ECDHE-RSA-AES256-SHA384
-	//
 	//     - ECDHE-ECDSA-AES256-SHA
-	//
 	//     - ECDHE-RSA-AES256-SHA
-	//
-	//     - DHE-RSA-AES128-SHA256
-	//
-	//     - DHE-RSA-AES256-SHA256
-	//
 	//     - AES128-GCM-SHA256
-	//
 	//     - AES256-GCM-SHA384
-	//
 	//     - AES128-SHA256
-	//
-	//     - AES256-SHA256
-	//
 	//     - AES128-SHA
-	//
 	//     - AES256-SHA
-	//
 	//     - DES-CBC3-SHA
 	//
-	//   minTLSVersion: VersionTLS10
-	//
 	// +optional
 	// +nullable
 	Old *OldTLSProfile `json:"old,omitempty"`
-	// intermediate is a TLS security profile based on:
-	//
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
-	//
-	// and looks like this (yaml):
+
+	// intermediate is a TLS profile for use when you do not need compatibility with
+	// legacy clients and want to remain highly secure while being compatible with
+	// most clients currently in use.
 	//
+	// This profile is equivalent to a Custom profile specified as:
+	//   minTLSVersion: VersionTLS12
 	//   ciphers:
-	//
 	//     - TLS_AES_128_GCM_SHA256
-	//
 	//     - TLS_AES_256_GCM_SHA384
-	//
 	//     - TLS_CHACHA20_POLY1305_SHA256
-	//
 	//     - ECDHE-ECDSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-RSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-ECDSA-AES256-GCM-SHA384
-	//
 	//     - ECDHE-RSA-AES256-GCM-SHA384
-	//
 	//     - ECDHE-ECDSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-RSA-CHACHA20-POLY1305
 	//
-	//     - DHE-RSA-AES128-GCM-SHA256
-	//
-	//     - DHE-RSA-AES256-GCM-SHA384
-	//
-	//   minTLSVersion: VersionTLS12
-	//
 	// +optional
 	// +nullable
 	Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"`
-	// modern is a TLS security profile based on:
-	//
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
-	//
-	// and looks like this (yaml):
+
+	// modern is a TLS security profile for use with clients that support TLS 1.3 and
+	// do not need backward compatibility for older clients.
 	//
+	// This profile is equivalent to a Custom profile specified as:
+	//   minTLSVersion: VersionTLS13
 	//   ciphers:
-	//
 	//     - TLS_AES_128_GCM_SHA256
-	//
 	//     - TLS_AES_256_GCM_SHA384
-	//
 	//     - TLS_CHACHA20_POLY1305_SHA256
 	//
-	//   minTLSVersion: VersionTLS13
-	//
 	// +optional
 	// +nullable
 	Modern *ModernTLSProfile `json:"modern,omitempty"`
+
 	// custom is a user-defined TLS security profile. Be extremely careful using a custom
 	// profile as invalid configurations can be catastrophic. An example custom profile
 	// looks like this:
 	//
+	//   minTLSVersion: VersionTLS11
 	//   ciphers:
-	//
 	//     - ECDHE-ECDSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-RSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-RSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-ECDSA-AES128-GCM-SHA256
 	//
-	//   minTLSVersion: VersionTLS11
-	//
 	// +optional
 	// +nullable
 	Custom *CustomTLSProfile `json:"custom,omitempty"`
 }
 
-// OldTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+// OldTLSProfile is a TLS security profile based on the "old" configuration of
+// the Mozilla Server Side TLS configuration guidelines.
 type OldTLSProfile struct{}
 
-// IntermediateTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+// IntermediateTLSProfile is a TLS security profile based on the "intermediate"
+// configuration of the Mozilla Server Side TLS configuration guidelines.
 type IntermediateTLSProfile struct{}
 
-// ModernTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+// ModernTLSProfile is a TLS security profile based on the "modern" configuration
+// of the Mozilla Server Side TLS configuration guidelines.
 type ModernTLSProfile struct{}
 
 // CustomTLSProfile is a user-defined TLS security profile. Be extremely careful
@@ -189,28 +126,33 @@ type CustomTLSProfile struct {
 type TLSProfileType string
 
 const (
-	// Old is a TLS security profile based on:
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+	// TLSProfileOldType sets parameters based on the "old" configuration of
+	// the Mozilla Server Side TLS configuration guidelines.
 	TLSProfileOldType TLSProfileType = "Old"
-	// Intermediate is a TLS security profile based on:
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+
+	// TLSProfileIntermediateType sets parameters based on the "intermediate"
+	// configuration of the Mozilla Server Side TLS configuration guidelines.
 	TLSProfileIntermediateType TLSProfileType = "Intermediate"
-	// Modern is a TLS security profile based on:
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+
+	// TLSProfileModernType sets parameters based on the "modern" configuration
+	// of the Mozilla Server Side TLS configuration guidelines.
 	TLSProfileModernType TLSProfileType = "Modern"
-	// Custom is a TLS security profile that allows for user-defined parameters.
+
+	// TLSProfileCustomType is a TLS security profile that allows for user-defined parameters.
 	TLSProfileCustomType TLSProfileType = "Custom"
 )
 
 // TLSProfileSpec is the desired behavior of a TLSSecurityProfile.
 type TLSProfileSpec struct {
 	// ciphers is used to specify the cipher algorithms that are negotiated
-	// during the TLS handshake.  Operators may remove entries their operands
-	// do not support.  For example, to use DES-CBC3-SHA  (yaml):
+	// during the TLS handshake. Operators may remove entries that their operands
+	// do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):
 	//
 	//   ciphers:
-	//     - DES-CBC3-SHA
+	//     - ECDHE-RSA-AES128-GCM-SHA256
 	//
+	// TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable
+	// and are always enabled when TLS 1.3 is negotiated.
 	// +listType=atomic
 	Ciphers []string `json:"ciphers"`
 	// minTLSVersion is used to specify the minimal version of the TLS protocol
@@ -219,8 +161,6 @@ type TLSProfileSpec struct {
 	//
 	//   minTLSVersion: VersionTLS11
 	//
-	// NOTE: currently the highest minTLSVersion allowed is VersionTLS12
-	//
 	MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"`
 }
 
@@ -245,11 +185,18 @@ const (
 	VersionTLS13 TLSProtocolVersion = "VersionTLS13"
 )
 
-// TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec.
+// TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec.
+//
+// These profiles are based on version 5.7 of the Mozilla Server Side TLS
+// configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json
+//
+// Each Ciphers slice is the configuration's "ciphersuites" followed by the
+// Go-specific "ciphers" from the guidelines JSON.
 //
-// NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all
-// entries map to values for all binaries.  In the case of ties, the kube-apiserver wins.  Do not fail,
-// just be sure to whitelist only and everything will be ok.
+// NOTE: The caller needs to make sure to check that these constants are valid
+// for their binary. Not all entries map to values for all binaries. In the case
+// of ties, the kube-apiserver wins. Do not fail, just be sure to include only
+// valid entries and everything will be ok.
 var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 	TLSProfileOldType: {
 		Ciphers: []string{
@@ -262,23 +209,15 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 			"ECDHE-RSA-AES256-GCM-SHA384",
 			"ECDHE-ECDSA-CHACHA20-POLY1305",
 			"ECDHE-RSA-CHACHA20-POLY1305",
-			"DHE-RSA-AES128-GCM-SHA256",
-			"DHE-RSA-AES256-GCM-SHA384",
-			"DHE-RSA-CHACHA20-POLY1305",
 			"ECDHE-ECDSA-AES128-SHA256",
 			"ECDHE-RSA-AES128-SHA256",
 			"ECDHE-ECDSA-AES128-SHA",
 			"ECDHE-RSA-AES128-SHA",
-			"ECDHE-ECDSA-AES256-SHA384",
-			"ECDHE-RSA-AES256-SHA384",
 			"ECDHE-ECDSA-AES256-SHA",
 			"ECDHE-RSA-AES256-SHA",
-			"DHE-RSA-AES128-SHA256",
-			"DHE-RSA-AES256-SHA256",
 			"AES128-GCM-SHA256",
 			"AES256-GCM-SHA384",
 			"AES128-SHA256",
-			"AES256-SHA256",
 			"AES128-SHA",
 			"AES256-SHA",
 			"DES-CBC3-SHA",
@@ -296,8 +235,6 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 			"ECDHE-RSA-AES256-GCM-SHA384",
 			"ECDHE-ECDSA-CHACHA20-POLY1305",
 			"ECDHE-RSA-CHACHA20-POLY1305",
-			"DHE-RSA-AES128-GCM-SHA256",
-			"DHE-RSA-AES256-GCM-SHA384",
 		},
 		MinTLSVersion: VersionTLS12,
 	},
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
index fe8c112273..30b85b78e9 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -316,6 +316,22 @@ func (in *AWSServiceEndpoint) DeepCopy() *AWSServiceEndpoint {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AcceptRisk) DeepCopyInto(out *AcceptRisk) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceptRisk.
+func (in *AcceptRisk) DeepCopy() *AcceptRisk {
+	if in == nil {
+		return nil
+	}
+	out := new(AcceptRisk)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdmissionConfig) DeepCopyInto(out *AdmissionConfig) {
 	*out = *in
@@ -1393,7 +1409,7 @@ func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) {
 	if in.DesiredUpdate != nil {
 		in, out := &in.DesiredUpdate, &out.DesiredUpdate
 		*out = new(Update)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Capabilities != nil {
 		in, out := &in.Capabilities, &out.Capabilities
@@ -1456,6 +1472,13 @@ func (in *ClusterVersionStatus) DeepCopyInto(out *ClusterVersionStatus) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ConditionalUpdateRisks != nil {
+		in, out := &in.ConditionalUpdateRisks, &out.ConditionalUpdateRisks
+		*out = make([]ConditionalUpdateRisk, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -1544,6 +1567,11 @@ func (in *ComponentRouteStatus) DeepCopy() *ComponentRouteStatus {
 func (in *ConditionalUpdate) DeepCopyInto(out *ConditionalUpdate) {
 	*out = *in
 	in.Release.DeepCopyInto(&out.Release)
+	if in.RiskNames != nil {
+		in, out := &in.RiskNames, &out.RiskNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.Risks != nil {
 		in, out := &in.Risks, &out.Risks
 		*out = make([]ConditionalUpdateRisk, len(*in))
@@ -1574,6 +1602,13 @@ func (in *ConditionalUpdate) DeepCopy() *ConditionalUpdate {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionalUpdateRisk) DeepCopyInto(out *ConditionalUpdateRisk) {
 	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.MatchingRules != nil {
 		in, out := &in.MatchingRules, &out.MatchingRules
 		*out = make([]ClusterCondition, len(*in))
@@ -1736,6 +1771,27 @@ func (in *ConsoleStatus) DeepCopy() *ConsoleStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Custom) DeepCopyInto(out *Custom) {
+	*out = *in
+	if in.Configs != nil {
+		in, out := &in.Configs, &out.Configs
+		*out = make([]GathererConfig, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Custom.
+func (in *Custom) DeepCopy() *Custom {
+	if in == nil {
+		return nil
+	}
+	out := new(Custom)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomFeatureGates) DeepCopyInto(out *CustomFeatureGates) {
 	*out = *in
@@ -2340,33 +2396,6 @@ func (in *FeatureGateTests) DeepCopy() *FeatureGateTests {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) {
-	*out = *in
-	if in.FulcioCAData != nil {
-		in, out := &in.FulcioCAData, &out.FulcioCAData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.RekorKeyData != nil {
-		in, out := &in.RekorKeyData, &out.RekorKeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	out.FulcioSubject = in.FulcioSubject
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor.
-func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor {
-	if in == nil {
-		return nil
-	}
-	out := new(FulcioCAWithRekor)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) {
 	*out = *in
@@ -2446,6 +2475,62 @@ func (in *GCPResourceTag) DeepCopy() *GCPResourceTag {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GatherConfig) DeepCopyInto(out *GatherConfig) {
+	*out = *in
+	if in.DataPolicy != nil {
+		in, out := &in.DataPolicy, &out.DataPolicy
+		*out = make([]DataPolicyOption, len(*in))
+		copy(*out, *in)
+	}
+	in.Gatherers.DeepCopyInto(&out.Gatherers)
+	out.Storage = in.Storage
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatherConfig.
+func (in *GatherConfig) DeepCopy() *GatherConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(GatherConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GathererConfig) DeepCopyInto(out *GathererConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GathererConfig.
+func (in *GathererConfig) DeepCopy() *GathererConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(GathererConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Gatherers) DeepCopyInto(out *Gatherers) {
+	*out = *in
+	in.Custom.DeepCopyInto(&out.Custom)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Gatherers.
+func (in *Gatherers) DeepCopy() *Gatherers {
+	if in == nil {
+		return nil
+	}
+	out := new(Gatherers)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GenericAPIServerConfig) DeepCopyInto(out *GenericAPIServerConfig) {
 	*out = *in
@@ -3067,6 +3152,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) {
+	*out = *in
+	if in.FulcioCAData != nil {
+		in, out := &in.FulcioCAData, &out.FulcioCAData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.FulcioSubject = in.FulcioSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyFulcioCAWithRekorRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) {
 	*out = *in
@@ -3100,6 +3212,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) {
+	*out = *in
+	if in.CertificateAuthorityRootsData != nil {
+		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CertificateAuthorityIntermediatesData != nil {
+		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.PKICertificateSubject = in.PKICertificateSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyPKIRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) {
+	*out = *in
+	if in.KeyData != nil {
+		in, out := &in.KeyData, &out.KeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyPublicKeyRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) {
 	*out = *in
@@ -3145,6 +3310,28 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) {
+	*out = *in
+	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
+	if in.SignedIdentity != nil {
+		in, out := &in.SignedIdentity, &out.SignedIdentity
+		*out = new(PolicyIdentity)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy.
+func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageSigstoreVerificationPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageSpec) DeepCopyInto(out *ImageSpec) {
 	*out = *in
@@ -3549,6 +3736,83 @@ func (in *IngressStatus) DeepCopy() *IngressStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGather.
+func (in *InsightsDataGather) DeepCopy() *InsightsDataGather {
+	if in == nil {
+		return nil
+	}
+	out := new(InsightsDataGather)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InsightsDataGather) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InsightsDataGatherList) DeepCopyInto(out *InsightsDataGatherList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]InsightsDataGather, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherList.
+func (in *InsightsDataGatherList) DeepCopy() *InsightsDataGatherList {
+	if in == nil {
+		return nil
+	}
+	out := new(InsightsDataGatherList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InsightsDataGatherList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InsightsDataGatherSpec) DeepCopyInto(out *InsightsDataGatherSpec) {
+	*out = *in
+	in.GatherConfig.DeepCopyInto(&out.GatherConfig)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherSpec.
+func (in *InsightsDataGatherSpec) DeepCopy() *InsightsDataGatherSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(InsightsDataGatherSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntermediateTLSProfile) DeepCopyInto(out *IntermediateTLSProfile) {
 	*out = *in
@@ -4578,6 +4842,11 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.UserValidationRules != nil {
+		in, out := &in.UserValidationRules, &out.UserValidationRules
+		*out = make([]TokenUserValidationRule, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -4956,44 +5225,50 @@ func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PKI) DeepCopyInto(out *PKI) {
+func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) {
 	*out = *in
-	if in.CertificateAuthorityRootsData != nil {
-		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CertificateAuthorityIntermediatesData != nil {
-		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject.
+func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject {
+	if in == nil {
+		return nil
 	}
-	out.PKICertificateSubject = in.PKICertificateSubject
+	out := new(PKICertificateSubject)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) {
+	*out = *in
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI.
-func (in *PKI) DeepCopy() *PKI {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimReference.
+func (in *PersistentVolumeClaimReference) DeepCopy() *PersistentVolumeClaimReference {
 	if in == nil {
 		return nil
 	}
-	out := new(PKI)
+	out := new(PersistentVolumeClaimReference)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) {
+func (in *PersistentVolumeConfig) DeepCopyInto(out *PersistentVolumeConfig) {
 	*out = *in
+	out.Claim = in.Claim
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject.
-func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeConfig.
+func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig {
 	if in == nil {
 		return nil
 	}
-	out := new(PKICertificateSubject)
+	out := new(PersistentVolumeConfig)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -5170,28 +5445,6 @@ func (in *PlatformStatus) DeepCopy() *PlatformStatus {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Policy) DeepCopyInto(out *Policy) {
-	*out = *in
-	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
-	if in.SignedIdentity != nil {
-		in, out := &in.SignedIdentity, &out.SignedIdentity
-		*out = new(PolicyIdentity)
-		(*in).DeepCopyInto(*out)
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
-func (in *Policy) DeepCopy() *Policy {
-	if in == nil {
-		return nil
-	}
-	out := new(Policy)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) {
 	*out = *in
@@ -5271,17 +5524,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) {
 	*out = *in
 	if in.PublicKey != nil {
 		in, out := &in.PublicKey, &out.PublicKey
-		*out = new(PublicKey)
+		*out = new(ImagePolicyPublicKeyRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.FulcioCAWithRekor != nil {
 		in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor
-		*out = new(FulcioCAWithRekor)
+		*out = new(ImagePolicyFulcioCAWithRekorRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.PKI != nil {
 		in, out := &in.PKI, &out.PKI
-		*out = new(PKI)
+		*out = new(ImagePolicyPKIRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	return
@@ -5597,32 +5850,6 @@ func (in *ProxyStatus) DeepCopy() *ProxyStatus {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PublicKey) DeepCopyInto(out *PublicKey) {
-	*out = *in
-	if in.KeyData != nil {
-		in, out := &in.KeyData, &out.KeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.RekorKeyData != nil {
-		in, out := &in.RekorKeyData, &out.RekorKeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey.
-func (in *PublicKey) DeepCopy() *PublicKey {
-	if in == nil {
-		return nil
-	}
-	out := new(PublicKey)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) {
 	*out = *in
@@ -5960,6 +6187,23 @@ func (in *SignatureStore) DeepCopy() *SignatureStore {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Storage) DeepCopyInto(out *Storage) {
+	*out = *in
+	out.PersistentVolume = in.PersistentVolume
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage.
+func (in *Storage) DeepCopy() *Storage {
+	if in == nil {
+		return nil
+	}
+	out := new(Storage)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StringSource) DeepCopyInto(out *StringSource) {
 	*out = *in
@@ -6201,6 +6445,22 @@ func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMappi
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenClaimValidationCELRule) DeepCopyInto(out *TokenClaimValidationCELRule) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationCELRule.
+func (in *TokenClaimValidationCELRule) DeepCopy() *TokenClaimValidationCELRule {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenClaimValidationCELRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) {
 	*out = *in
@@ -6209,6 +6469,7 @@ func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule)
 		*out = new(TokenRequiredClaim)
 		**out = **in
 	}
+	out.CEL = in.CEL
 	return
 }
 
@@ -6281,9 +6542,30 @@ func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenUserValidationRule) DeepCopyInto(out *TokenUserValidationRule) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenUserValidationRule.
+func (in *TokenUserValidationRule) DeepCopy() *TokenUserValidationRule {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenUserValidationRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Update) DeepCopyInto(out *Update) {
 	*out = *in
+	if in.AcceptRisks != nil {
+		in, out := &in.AcceptRisks, &out.AcceptRisks
+		*out = make([]AcceptRisk, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
index e56c1a15a9..eb7c485e03 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -6,6 +6,7 @@ apiservers.config.openshift.io:
   Capability: ""
   Category: ""
   FeatureGates:
+  - KMSEncryption
   - KMSEncryptionProvider
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
@@ -31,6 +32,7 @@ authentications.config.openshift.io:
   FeatureGates:
   - ExternalOIDC
   - ExternalOIDCWithUIDAndExtraClaimMappings
+  - ExternalOIDCWithUpstreamParity
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_10"
@@ -141,6 +143,7 @@ clusterversions.config.openshift.io:
   Capability: ""
   Category: ""
   FeatureGates:
+  - ClusterUpdateAcceptRisks
   - ImageStreamImportMode
   - SignatureStores
   FilenameOperatorName: cluster-version-operator
@@ -410,6 +413,29 @@ ingresses.config.openshift.io:
   TopLevelFeatureGates: []
   Version: v1
 
+insightsdatagathers.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2448
+  CRDName: insightsdatagathers.config.openshift.io
+  Capability: Insights
+  Category: ""
+  FeatureGates:
+  - InsightsConfig
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: false
+  KindName: InsightsDataGather
+  Labels: {}
+  PluralName: insightsdatagathers
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - InsightsConfig
+  Version: v1
+
 networks.config.openshift.io:
   Annotations:
     release.openshift.io/bootstrap-required: "true"
@@ -417,8 +443,7 @@ networks.config.openshift.io:
   CRDName: networks.config.openshift.io
   Capability: ""
   Category: ""
-  FeatureGates:
-  - NetworkDiagnosticsConfig
+  FeatureGates: []
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_10"
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
index 766ac5ddab..69fb37c523 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
@@ -407,11 +407,11 @@ func (ExtraMapping) SwaggerDoc() map[string]string {
 }
 
 var map_OIDCClientConfig = map[string]string{
-	"":                   "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method",
-	"componentName":      "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.",
-	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
+	"":                   "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.",
+	"componentName":      "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.\n\nIt is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.",
+	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
 	"clientID":           "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").",
-	"clientSecret":       "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.",
+	"clientSecret":       "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.\n\nThe client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.",
 	"extraScopes":        "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.",
 }
 
@@ -433,8 +433,8 @@ func (OIDCClientReference) SwaggerDoc() map[string]string {
 var map_OIDCClientStatus = map[string]string{
 	"":                   "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.",
 	"componentName":      "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.",
-	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
-	"currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.",
+	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
+	"currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using.\n\nEntries must have unique issuerURL/clientID pairs.",
 	"consumingUsers":     "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.",
 	"conditions":         "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.",
 }
@@ -449,6 +449,7 @@ var map_OIDCProvider = map[string]string{
 	"oidcClients":          "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.",
 	"claimMappings":        "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.",
 	"claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.",
+	"userValidationRules":  "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.",
 }
 
 func (OIDCProvider) SwaggerDoc() map[string]string {
@@ -457,7 +458,7 @@ func (OIDCProvider) SwaggerDoc() map[string]string {
 
 var map_PrefixedClaimMapping = map[string]string{
 	"":       "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.",
-	"prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and  \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
+	"prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
 }
 
 func (PrefixedClaimMapping) SwaggerDoc() map[string]string {
@@ -475,9 +476,9 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string {
 
 var map_TokenClaimMappings = map[string]string{
 	"username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.",
-	"groups":   "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.",
-	"uid":      "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.",
-	"extra":    "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.",
+	"groups":   "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.\n\nWhen referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').\n\nFor example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.",
+	"uid":      "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.\n\nThe current default is to use the 'sub' claim.",
+	"extra":    "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity.\n\nkey values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.",
 }
 
 func (TokenClaimMappings) SwaggerDoc() map[string]string {
@@ -494,9 +495,20 @@ func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string {
 	return map_TokenClaimOrExpressionMapping
 }
 
+var map_TokenClaimValidationCELRule = map[string]string{
+	"expression": "expression is a CEL expression evaluated against token claims. expression is required, must be at least 1 character in length and must not exceed 1024 characters. The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.",
+	"message":    "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.",
+}
+
+func (TokenClaimValidationCELRule) SwaggerDoc() map[string]string {
+	return map_TokenClaimValidationCELRule
+}
+
 var map_TokenClaimValidationRule = map[string]string{
-	"type":          "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.",
-	"requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.",
+	"":              "TokenClaimValidationRule represents a validation rule based on token claims. If type is RequiredClaim, requiredClaim must be set. If Type is CEL, CEL must be set and RequiredClaim must be omitted.",
+	"type":          "type is an optional field that configures the type of the validation rule.\n\nAllowed values are \"RequiredClaim\" and \"CEL\".\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nWhen set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.",
+	"requiredClaim": "requiredClaim allows configuring a required claim name and its expected value. This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.",
+	"cel":           "cel holds the CEL expression and message for validation. Must be set when Type is \"CEL\", and forbidden otherwise.",
 }
 
 func (TokenClaimValidationRule) SwaggerDoc() map[string]string {
@@ -507,6 +519,7 @@ var map_TokenIssuer = map[string]string{
 	"issuerURL":                  "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.",
 	"audiences":                  "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.",
 	"issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.",
+	"discoveryURL":               "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.",
 }
 
 func (TokenIssuer) SwaggerDoc() map[string]string {
@@ -522,9 +535,19 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string {
 	return map_TokenRequiredClaim
 }
 
+var map_TokenUserValidationRule = map[string]string{
+	"":           "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.",
+	"expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.\n\nThe expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.",
+	"message":    "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.",
+}
+
+func (TokenUserValidationRule) SwaggerDoc() map[string]string {
+	return map_TokenUserValidationRule
+}
+
 var map_UsernameClaimMapping = map[string]string{
 	"claim":        "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.",
-	"prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"",
+	"prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"",
 	"prefix":       "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.",
 }
 
@@ -724,6 +747,15 @@ func (OperandVersion) SwaggerDoc() map[string]string {
 	return map_OperandVersion
 }
 
+var map_AcceptRisk = map[string]string{
+	"":     "AcceptRisk represents a risk that is considered acceptable.",
+	"name": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.",
+}
+
+func (AcceptRisk) SwaggerDoc() map[string]string {
+	return map_AcceptRisk
+}
+
 var map_ClusterCondition = map[string]string{
 	"":       "ClusterCondition is a union of typed cluster conditions.  The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate.",
 	"type":   "type represents the cluster-condition type. This defines the members and semantics of any additional properties.",
@@ -790,15 +822,16 @@ func (ClusterVersionSpec) SwaggerDoc() map[string]string {
 }
 
 var map_ClusterVersionStatus = map[string]string{
-	"":                   "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.",
-	"desired":            "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.",
-	"history":            "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.",
-	"observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.",
-	"versionHash":        "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.",
-	"capabilities":       "capabilities describes the state of optional, core cluster components.",
-	"conditions":         "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.",
-	"availableUpdates":   "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.",
-	"conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.",
+	"":                       "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.",
+	"desired":                "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.",
+	"history":                "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.",
+	"observedGeneration":     "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.",
+	"versionHash":            "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.",
+	"capabilities":           "capabilities describes the state of optional, core cluster components.",
+	"conditions":             "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.",
+	"availableUpdates":       "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.",
+	"conditionalUpdates":     "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.",
+	"conditionalUpdateRisks": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.",
 }
 
 func (ClusterVersionStatus) SwaggerDoc() map[string]string {
@@ -821,6 +854,7 @@ func (ComponentOverride) SwaggerDoc() map[string]string {
 var map_ConditionalUpdate = map[string]string{
 	"":           "ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster.",
 	"release":    "release is the target of the update.",
+	"riskNames":  "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.",
 	"risks":      "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.",
 	"conditions": "conditions represents the observations of the conditional update's current status. Known types are: * Recommended, for whether the update is recommended for the current cluster.",
 }
@@ -831,6 +865,7 @@ func (ConditionalUpdate) SwaggerDoc() map[string]string {
 
 var map_ConditionalUpdateRisk = map[string]string{
 	"":              "ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update.",
+	"conditions":    "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.",
 	"url":           "url contains information about this risk.",
 	"name":          "name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state.",
 	"message":       "message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.",
@@ -879,6 +914,7 @@ var map_Update = map[string]string{
 	"version":      "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.",
 	"image":        "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.",
 	"force":        "force allows an administrator to update to an image that has failed verification or upgradeable checks that are designed to keep your cluster safe. Only use this if: * you are testing unsigned release images in short-lived test clusters or * you are working around a known bug in the cluster-version\n  operator and you have verified the authenticity of the provided\n  image yourself.\nThe provided image will run with full administrative access to the cluster. Do not use this flag with images that come from unknown or potentially malicious sources.",
+	"acceptRisks":  "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.",
 }
 
 func (Update) SwaggerDoc() map[string]string {
@@ -893,7 +929,7 @@ var map_UpdateHistory = map[string]string{
 	"version":        "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.",
 	"image":          "image is a container image location that contains the update. This value is always populated.",
 	"verified":       "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.",
-	"acceptedRisks":  "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
+	"acceptedRisks":  "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
 }
 
 func (UpdateHistory) SwaggerDoc() map[string]string {
@@ -1214,17 +1250,6 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string {
 	return map_ImageDigestMirrors
 }
 
-var map_FulcioCAWithRekor = map[string]string{
-	"":              "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.",
-	"fulcioCAData":  "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ",
-	"rekorKeyData":  "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
-	"fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.",
-}
-
-func (FulcioCAWithRekor) SwaggerDoc() map[string]string {
-	return map_FulcioCAWithRekor
-}
-
 var map_ImagePolicy = map[string]string{
 	"":         "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1236,6 +1261,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string {
 	return map_ImagePolicy
 }
 
+var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{
+	"":              "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.",
+	"fulcioCAData":  "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ",
+	"rekorKeyData":  "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
+	"fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.",
+}
+
+func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyFulcioCAWithRekorRootOfTrust
+}
+
 var map_ImagePolicyList = map[string]string{
 	"":         "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1246,6 +1282,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string {
 	return map_ImagePolicyList
 }
 
+var map_ImagePolicyPKIRootOfTrust = map[string]string{
+	"":                      "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
+	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
+	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
+	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+}
+
+func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyPKIRootOfTrust
+}
+
+var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{
+	"":             "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.",
+	"keyData":      "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ",
+	"rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
+}
+
+func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyPublicKeyRootOfTrust
+}
+
 var map_ImagePolicySpec = map[string]string{
 	"":       "ImagePolicySpec is the specification of the ImagePolicy CRD.",
 	"scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker",
@@ -1264,15 +1321,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string {
 	return map_ImagePolicyStatus
 }
 
-var map_PKI = map[string]string{
-	"":                      "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
-	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
-	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
-	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+var map_ImageSigstoreVerificationPolicy = map[string]string{
+	"":               "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.",
+	"rootOfTrust":    "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.",
+	"signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
 }
 
-func (PKI) SwaggerDoc() map[string]string {
-	return map_PKI
+func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string {
+	return map_ImageSigstoreVerificationPolicy
 }
 
 var map_PKICertificateSubject = map[string]string{
@@ -1285,16 +1341,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string {
 	return map_PKICertificateSubject
 }
 
-var map_Policy = map[string]string{
-	"":               "Policy defines the verification policy for the items in the scopes list.",
-	"rootOfTrust":    "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.",
-	"signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
-}
-
-func (Policy) SwaggerDoc() map[string]string {
-	return map_Policy
-}
-
 var map_PolicyFulcioSubject = map[string]string{
 	"":            "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.",
 	"oidcIssuer":  "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"",
@@ -1345,16 +1391,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string {
 	return map_PolicyRootOfTrust
 }
 
-var map_PublicKey = map[string]string{
-	"":             "PublicKey defines the root of trust based on a sigstore public key.",
-	"keyData":      "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ",
-	"rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
-}
-
-func (PublicKey) SwaggerDoc() map[string]string {
-	return map_PublicKey
-}
-
 var map_ImageTagMirrorSet = map[string]string{
 	"":         "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1888,7 +1924,7 @@ func (OvirtPlatformStatus) SwaggerDoc() map[string]string {
 
 var map_PlatformSpec = map[string]string{
 	"":             "PlatformSpec holds the desired state specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.",
-	"type":         "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.",
+	"type":         "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"IBMCloud\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\", \"External\", and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.",
 	"aws":          "aws contains settings specific to the Amazon Web Services infrastructure provider.",
 	"azure":        "azure contains settings specific to the Azure infrastructure provider.",
 	"gcp":          "gcp contains settings specific to the Google Cloud Platform infrastructure provider.",
@@ -2191,6 +2227,104 @@ func (LoadBalancer) SwaggerDoc() map[string]string {
 	return map_LoadBalancer
 }
 
+var map_Custom = map[string]string{
+	"":        "Custom provides the custom configuration of gatherers",
+	"configs": "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"",
+}
+
+func (Custom) SwaggerDoc() map[string]string {
+	return map_Custom
+}
+
+var map_GatherConfig = map[string]string{
+	"":           "GatherConfig provides data gathering configuration options.",
+	"dataPolicy": "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.",
+	"gatherers":  "gatherers is a required field that specifies the configuration of the gatherers.",
+	"storage":    "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.",
+}
+
+func (GatherConfig) SwaggerDoc() map[string]string {
+	return map_GatherConfig
+}
+
+var map_GathererConfig = map[string]string{
+	"":      "GathererConfig allows to configure specific gatherers",
+	"name":  "name is the required name of a specific gatherer. It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"",
+	"state": "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.",
+}
+
+func (GathererConfig) SwaggerDoc() map[string]string {
+	return map_GathererConfig
+}
+
+var map_Gatherers = map[string]string{
+	"":       "Gatherers specifies the configuration of the gatherers",
+	"mode":   "mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom. When set to All, all gatherers will run and gather data. When set to None, all gatherers will be disabled and no data will be gathered. When set to Custom, the custom configuration from the custom field will be applied.",
+	"custom": "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. Gatherers that are not explicitly disabled in custom configuration will run.",
+}
+
+func (Gatherers) SwaggerDoc() map[string]string {
+	return map_Gatherers
+}
+
+var map_InsightsDataGather = map[string]string{
+	"":         "InsightsDataGather provides data gather configuration options for the Insights Operator.\n\n\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+}
+
+func (InsightsDataGather) SwaggerDoc() map[string]string {
+	return map_InsightsDataGather
+}
+
+var map_InsightsDataGatherList = map[string]string{
+	"":         "InsightsDataGatherList is a collection of items Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the required standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"items":    "items is the required list of InsightsDataGather objects it may not exceed 100 items",
+}
+
+func (InsightsDataGatherList) SwaggerDoc() map[string]string {
+	return map_InsightsDataGatherList
+}
+
+var map_InsightsDataGatherSpec = map[string]string{
+	"":             "InsightsDataGatherSpec contains the configuration for the data gathering.",
+	"gatherConfig": "gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.",
+}
+
+func (InsightsDataGatherSpec) SwaggerDoc() map[string]string {
+	return map_InsightsDataGatherSpec
+}
+
+var map_PersistentVolumeClaimReference = map[string]string{
+	"":     "PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim.",
+	"name": "name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. It is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.",
+}
+
+func (PersistentVolumeClaimReference) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeClaimReference
+}
+
+var map_PersistentVolumeConfig = map[string]string{
+	"":          "PersistentVolumeConfig provides configuration options for PersistentVolume storage.",
+	"claim":     "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.",
+	"mountPath": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.",
+}
+
+func (PersistentVolumeConfig) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeConfig
+}
+
+var map_Storage = map[string]string{
+	"":                 "Storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.",
+	"type":             "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.",
+	"persistentVolume": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.",
+}
+
+func (Storage) SwaggerDoc() map[string]string {
+	return map_Storage
+}
+
 var map_AWSKMSConfig = map[string]string{
 	"":       "AWSKMSConfig defines the KMS config specific to AWS KMS provider",
 	"keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where: - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `<account_id>` is a 12-digit numeric identifier for the AWS account. - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.",
@@ -2845,7 +2979,7 @@ func (CustomTLSProfile) SwaggerDoc() map[string]string {
 }
 
 var map_IntermediateTLSProfile = map[string]string{
-	"": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29",
+	"": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.",
 }
 
 func (IntermediateTLSProfile) SwaggerDoc() map[string]string {
@@ -2853,7 +2987,7 @@ func (IntermediateTLSProfile) SwaggerDoc() map[string]string {
 }
 
 var map_ModernTLSProfile = map[string]string{
-	"": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility",
+	"": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.",
 }
 
 func (ModernTLSProfile) SwaggerDoc() map[string]string {
@@ -2861,7 +2995,7 @@ func (ModernTLSProfile) SwaggerDoc() map[string]string {
 }
 
 var map_OldTLSProfile = map[string]string{
-	"": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
+	"": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.",
 }
 
 func (OldTLSProfile) SwaggerDoc() map[string]string {
@@ -2870,8 +3004,8 @@ func (OldTLSProfile) SwaggerDoc() map[string]string {
 
 var map_TLSProfileSpec = map[string]string{
 	"":              "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.",
-	"ciphers":       "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake.  Operators may remove entries their operands do not support.  For example, to use DES-CBC3-SHA  (yaml):\n\n  ciphers:\n    - DES-CBC3-SHA",
-	"minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n  minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
+	"ciphers":       "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n  ciphers:\n    - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.",
+	"minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n  minTLSVersion: VersionTLS11",
 }
 
 func (TLSProfileSpec) SwaggerDoc() map[string]string {
@@ -2880,11 +3014,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string {
 
 var map_TLSSecurityProfile = map[string]string{
 	"":             "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.",
-	"type":         "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.",
-	"old":          "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n\n    - ECDHE-RSA-AES256-GCM-SHA384\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - DHE-RSA-AES128-GCM-SHA256\n\n    - DHE-RSA-AES256-GCM-SHA384\n\n    - DHE-RSA-CHACHA20-POLY1305\n\n    - ECDHE-ECDSA-AES128-SHA256\n\n    - ECDHE-RSA-AES128-SHA256\n\n    - ECDHE-ECDSA-AES128-SHA\n\n    - ECDHE-RSA-AES128-SHA\n\n    - ECDHE-ECDSA-AES256-SHA384\n\n    - ECDHE-RSA-AES256-SHA384\n\n    - ECDHE-ECDSA-AES256-SHA\n\n    - ECDHE-RSA-AES256-SHA\n\n    - DHE-RSA-AES128-SHA256\n\n    - DHE-RSA-AES256-SHA256\n\n    - AES128-GCM-SHA256\n\n    - AES256-GCM-SHA384\n\n    - AES128-SHA256\n\n    - AES256-SHA256\n\n    - AES128-SHA\n\n    - AES256-SHA\n\n    - DES-CBC3-SHA\n\n  minTLSVersion: VersionTLS10",
-	"intermediate": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n\n    - ECDHE-RSA-AES256-GCM-SHA384\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - DHE-RSA-AES128-GCM-SHA256\n\n    - DHE-RSA-AES256-GCM-SHA384\n\n  minTLSVersion: VersionTLS12",
-	"modern":       "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n  minTLSVersion: VersionTLS13",
-	"custom":       "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n  ciphers:\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n  minTLSVersion: VersionTLS11",
+	"type":         "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.",
+	"old":          "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS10\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n    - ECDHE-RSA-AES256-GCM-SHA384\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305\n    - ECDHE-ECDSA-AES128-SHA256\n    - ECDHE-RSA-AES128-SHA256\n    - ECDHE-ECDSA-AES128-SHA\n    - ECDHE-RSA-AES128-SHA\n    - ECDHE-ECDSA-AES256-SHA\n    - ECDHE-RSA-AES256-SHA\n    - AES128-GCM-SHA256\n    - AES256-GCM-SHA384\n    - AES128-SHA256\n    - AES128-SHA\n    - AES256-SHA\n    - DES-CBC3-SHA",
+	"intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS12\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n    - ECDHE-RSA-AES256-GCM-SHA384\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305",
+	"modern":       "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS13\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256",
+	"custom":       "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n  minTLSVersion: VersionTLS11\n  ciphers:\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256",
 }
 
 func (TLSSecurityProfile) SwaggerDoc() map[string]string {
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/register.go b/vendor/github.com/openshift/api/config/v1alpha1/register.go
index 4b30ea380b..c909624950 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/register.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/register.go
@@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ImagePolicyList{},
 		&ClusterImagePolicy{},
 		&ClusterImagePolicyList{},
+		&CRIOCredentialProviderConfig{},
+		&CRIOCredentialProviderConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, GroupVersion)
 	return nil
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go b/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go
index 77df372d43..0f3da51847 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go
@@ -93,7 +93,7 @@ type EtcdBackupSpec struct {
 	PVCName string `json:"pvcName"`
 }
 
-// RetentionType is the enumeration of valid retention policy types
+// RetentionType is the enumeration of valid retention policy types.
 // +enum
 // +kubebuilder:validation:Enum:="RetentionNumber";"RetentionSize"
 type RetentionType string
@@ -115,7 +115,6 @@ type RetentionPolicy struct {
 	// The current default is RetentionNumber with 15 backups kept.
 	// +unionDiscriminator
 	// +required
-	// +kubebuilder:validation:Enum:="";"RetentionNumber";"RetentionSize"
 	RetentionType RetentionType `json:"retentionType"`
 
 	// retentionNumber configures the retention policy based on the number of backups
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go
index 107b9e29a4..e8d7603d7b 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go
@@ -51,7 +51,7 @@ type ClusterImagePolicySpec struct {
 	// policy contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +k8s:deepcopy-gen=true
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
index 0653eeb5a5..29bf8ba488 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
@@ -94,6 +94,11 @@ type ClusterMonitoringSpec struct {
 	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
 	// +optional
 	MetricsServerConfig MetricsServerConfig `json:"metricsServerConfig,omitempty,omitzero"`
+	// prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component.
+	// Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// +optional
+	PrometheusOperatorConfig PrometheusOperatorConfig `json:"prometheusOperatorConfig,omitempty,omitzero"`
 }
 
 // UserDefinedMonitoring config for user-defined projects.
@@ -185,6 +190,7 @@ type AlertmanagerCustomConfig struct {
 	//      limit: null
 	// Maximum length for this list is 10.
 	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
 	// +optional
 	// +listType=map
 	// +listMapKey=name
@@ -218,8 +224,8 @@ type AlertmanagerCustomConfig struct {
 	// When omitted, this means the user has no opinion and the platform is left
 	// to choose reasonable defaults. These defaults are subject to change over time.
 	// Defaults are empty/unset.
-	// Maximum length for this list is 10
-	// Minimum length for this list is 1
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:MinItems=1
 	// +listType=atomic
@@ -235,7 +241,7 @@ type AlertmanagerCustomConfig struct {
 	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
 	// Default is empty list.
 	// Maximum length for this list is 10.
-	// Minimum length for this list is 1
+	// Minimum length for this list is 1.
 	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:MinItems=1
@@ -356,8 +362,8 @@ type MetricsServerConfig struct {
 	// When omitted, this means the user has no opinion and the platform is left
 	// to choose reasonable defaults. These defaults are subject to change over time.
 	// Defaults are empty/unset.
-	// Maximum length for this list is 10
-	// Minimum length for this list is 1
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:MinItems=1
 	// +listType=atomic
@@ -389,6 +395,7 @@ type MetricsServerConfig struct {
 	//      limit: null
 	// Maximum length for this list is 10.
 	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
 	// +optional
 	// +listType=map
 	// +listMapKey=name
@@ -405,7 +412,91 @@ type MetricsServerConfig struct {
 	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
 	// Default is empty list.
 	// Maximum length for this list is 10.
-	// Minimum length for this list is 1
+	// Minimum length for this list is 1.
+	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=topologyKey
+	// +listMapKey=whenUnsatisfiable
+	// +optional
+	TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+}
+
+// PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance
+// Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.
+// +kubebuilder:validation:MinProperties=1
+type PrometheusOperatorConfig struct {
+	// logLevel defines the verbosity of logs emitted by Prometheus Operator.
+	// This field allows users to control the amount and severity of logs generated, which can be useful
+	// for debugging issues or reducing noise in production environments.
+	// Allowed values are Error, Warn, Info, and Debug.
+	// When set to Error, only errors will be logged.
+	// When set to Warn, both warnings and errors will be logged.
+	// When set to Info, general information, warnings, and errors will all be logged.
+	// When set to Debug, detailed debugging information will be logged.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is `Info`.
+	// +optional
+	LogLevel LogLevel `json:"logLevel,omitempty"`
+	// nodeSelector defines the nodes on which the Pods are scheduled
+	// nodeSelector is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default value is `kubernetes.io/os: linux`.
+	// When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.
+	// +optional
+	// +kubebuilder:validation:MinProperties=1
+	// +kubebuilder:validation:MaxProperties=10
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// resources defines the compute resource requests and limits for the Prometheus Operator container.
+	// This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+	// When not specified, defaults are used by the platform. Requests cannot exceed limits.
+	// This field is optional.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	// This is a simplified API that maps to Kubernetes ResourceRequirements.
+	// The current default values are:
+	//   resources:
+	//    - name: cpu
+	//      request: 4m
+	//      limit: null
+	//    - name: memory
+	//      request: 40Mi
+	//      limit: null
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
+	// +optional
+	// +listType=map
+	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:MinItems=1
+	Resources []ContainerResource `json:"resources,omitempty"`
+	// tolerations defines tolerations for the pods.
+	// tolerations is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// Defaults are empty/unset.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:MinItems=1
+	// +listType=atomic
+	// +optional
+	Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+	// topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed
+	// across topology domains such as zones, nodes, or other user-defined labels.
+	// topologySpreadConstraints is optional.
+	// This helps improve high availability and resource efficiency by avoiding placing
+	// too many replicas in the same failure domain.
+	//
+	// When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time.
+	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+	// Default is empty list.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
 	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:MinItems=1
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
new file mode 100644
index 0000000000..9e2e0d39d2
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
@@ -0,0 +1,186 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+// Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+//
+// The resource is a singleton named "cluster".
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=criocredentialproviderconfigs,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2557
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRIOCredentialProviderConfig
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="criocredentialproviderconfig is a singleton, .metadata.name must be 'cluster'"
+type CRIOCredentialProviderConfig struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	// spec defines the desired configuration of the CRI-O Credential Provider.
+	// This field is required and must be provided when creating the resource.
+	// +required
+	Spec *CRIOCredentialProviderConfigSpec `json:"spec,omitempty,omitzero"`
+
+	// status represents the current state of the CRIOCredentialProviderConfig.
+	// When omitted or nil, it indicates that the status has not yet been set by the controller.
+	// The controller will populate this field with validation conditions and operational state.
+	// +optional
+	Status CRIOCredentialProviderConfigStatus `json:"status,omitzero,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+// +kubebuilder:validation:MinProperties=0
+type CRIOCredentialProviderConfigSpec struct {
+	// matchImages is a list of string patterns used to determine whether
+	// the CRI-O credential provider should be invoked for a given image. This list is
+	// passed to the kubelet CredentialProviderConfig, and if any pattern matches
+	// the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+	// that image or its mirrors.
+	// Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider.
+	// Conflicts between the existing platform specific provider image match configuration and this list will be handled by
+	// the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those
+	// from the CRIOCredentialProviderConfig when both match the same image.
+	// To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with
+	// existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml).
+	// You can check the resource's Status conditions
+	// to see if any entries were ignored due to exact matches with known built-in provider patterns.
+	//
+	// This field is optional, the items of the list must contain between 1 and 50 entries.
+	// The list is treated as a set, so duplicate entries are not allowed.
+	//
+	// For more details, see:
+	// https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+	// https://github.com/cri-o/crio-credential-provider#architecture
+	//
+	// Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters.
+	// Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+	// and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+	// A global wildcard '*' (matching any domain) is not allowed.
+	// Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+	// For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+	// Each wildcard matches only a single domain label,
+	// so '*.io' does **not** match '*.k8s.io'.
+	//
+	// A match exists between an image and a matchImage when all of the below are true:
+	// Both contain the same number of domain parts and each part matches.
+	// The URL path of an matchImages must be a prefix of the target image URL path.
+	// If the matchImages contains a port, then the port must match in the image as well.
+	//
+	// Example values of matchImages:
+	// - 123456789.dkr.ecr.us-east-1.amazonaws.com
+	// - *.azurecr.io
+	// - gcr.io
+	// - *.*.registry.io
+	// - registry.io:8080/path
+	//
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:MinItems=1
+	// +listType=set
+	// +optional
+	MatchImages []MatchImage `json:"matchImages,omitempty"`
+}
+
+// MatchImage is a string pattern used to match container image registry addresses.
+// It must be a valid fully qualified domain name with optional wildcard, port, and path.
+// The maximum length is 512 characters.
+//
+// Wildcards ('*') are supported for full subdomain labels and top-level domains.
+// Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+// Wildcards are not allowed in the port or path portions.
+//
+// Examples:
+// - "registry.io" - matches exactly registry.io
+// - "*.azurecr.io" - matches any single subdomain of azurecr.io
+// - "registry.io:8080/path" - matches with specific port and path prefix
+//
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:XValidation:rule="self != '*'",message="global wildcard '*' is not allowed"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^((\\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?)(\\.(\\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?))*)(:[0-9]+)?(/[-a-z0-9._/]*)?$')`,message="invalid matchImages value, must be a valid fully qualified domain name in lowercase with optional wildcard, port, and path"
+type MatchImage string
+
+// +k8s:deepcopy-gen=true
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+// +kubebuilder:validation:MinProperties=1
+type CRIOCredentialProviderConfigStatus struct {
+	// conditions represent the latest available observations of the configuration state.
+	// When omitted, it indicates that no conditions have been reported yet.
+	// The maximum number of conditions is 16.
+	// Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+	//
+	// Expected condition types include:
+	// "Validated": indicates whether the matchImages configuration is valid
+	// +optional
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []CRIOCredentialProviderConfig `json:"items"`
+}
+
+const (
+	// ConditionTypeValidated is a condition type that indicates whether the CRIOCredentialProviderConfig
+	// matchImages configuration has been validated successfully.
+	// When True, all matchImage patterns are valid and have been applied.
+	// When False, the configuration contains errors (see Reason for details).
+	// Possible reasons for False status:
+	// - ValidationFailed: matchImages contains invalid patterns
+	// - ConfigurationPartiallyApplied: some matchImage entries were ignored due to conflicts
+	ConditionTypeValidated = "Validated"
+
+	// ReasonValidationFailed is a condition reason used with ConditionTypeValidated=False
+	// to indicate that the matchImages configuration contains one or more invalid registry patterns
+	// that do not conform to the required format (valid FQDN with optional wildcard, port, and path).
+	ReasonValidationFailed = "ValidationFailed"
+
+	// ReasonConfigurationPartiallyApplied is a condition reason used with ConditionTypeValidated=False
+	// to indicate that some matchImage entries were ignored due to conflicts or overlapping patterns.
+	// The condition message will contain details about which entries were ignored and why.
+	ReasonConfigurationPartiallyApplied = "ConfigurationPartiallyApplied"
+
+	// ConditionTypeMachineConfigRendered is a condition type that indicates whether
+	// the CRIOCredentialProviderConfig has been successfully rendered into a
+	// MachineConfig object.
+	// When True, the corresponding MachineConfig is present in the cluster.
+	// When False, rendering failed.
+	ConditionTypeMachineConfigRendered = "MachineConfigRendered"
+
+	// ReasonMachineConfigRenderingSucceeded is a condition reason used with ConditionTypeMachineConfigRendered=True
+	// to indicate that the MachineConfig was successfully created/updated in the API server.
+	ReasonMachineConfigRenderingSucceeded = "MachineConfigRenderingSucceeded"
+
+	// ReasonMachineConfigRenderingFailed is a condition reason used with ConditionTypeMachineConfigRendered=False
+	// to indicate that the MachineConfig creation/update failed.
+	// The condition message will contain details about the failure.
+	ReasonMachineConfigRenderingFailed = "MachineConfigRenderingFailed"
+)
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go
index 64a89e4a63..977ca3dde3 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go
@@ -50,7 +50,7 @@ type ImagePolicySpec struct {
 	// policy contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
@@ -59,8 +59,8 @@ type ImagePolicySpec struct {
 // +kubebuilder:validation:MaxLength=512
 type ImageScope string
 
-// Policy defines the verification policy for the items in the scopes list.
-type Policy struct {
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicy struct {
 	// rootOfTrust specifies the root of trust for the policy.
 	// +required
 	RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"`
@@ -84,16 +84,16 @@ type PolicyRootOfTrust struct {
 	PolicyType PolicyType `json:"policyType"`
 	// publicKey defines the root of trust based on a sigstore public key.
 	// +optional
-	PublicKey *PublicKey `json:"publicKey,omitempty"`
+	PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"`
 	// fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
 	// For more information about Fulcio and Rekor, please refer to the document at:
 	// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
 	// +optional
-	FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+	FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"`
 	// pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
 	// +optional
 	// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
-	PKI *PKI `json:"pki,omitempty"`
+	PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"`
 }
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
@@ -106,8 +106,8 @@ const (
 	PKIRootOfTrust               PolicyType = "PKI"
 )
 
-// PublicKey defines the root of trust based on a sigstore public key.
-type PublicKey struct {
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrust struct {
 	// keyData contains inline base64-encoded data for the PEM format public key.
 	// KeyData must be at most 8192 characters.
 	// +required
@@ -120,8 +120,8 @@ type PublicKey struct {
 	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
 }
 
-// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
-type FulcioCAWithRekor struct {
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrust struct {
 	// fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA.
 	// fulcioCAData must be at most 8192 characters.
 	// +required
@@ -151,8 +151,8 @@ type PolicyFulcioSubject struct {
 	SignedEmail string `json:"signedEmail"`
 }
 
-// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
-type PKI struct {
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrust struct {
 	// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
 	// +required
 	// +kubebuilder:validation:MaxLength=8192
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go
index 46666ae3b2..bef31b905a 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go
@@ -16,6 +16,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
 // +openshift:enable:FeatureGate=InsightsConfig
 // +openshift:compatibility-gen:level=4
+// +openshift:capability=Insights
 type InsightsDataGather struct {
 	metav1.TypeMeta `json:",inline"`
 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index 6549f6cbe4..dc51326b97 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -192,6 +192,115 @@ func (in *BackupStatus) DeepCopy() *BackupStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfig) DeepCopyInto(out *CRIOCredentialProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = new(CRIOCredentialProviderConfigSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfig.
+func (in *CRIOCredentialProviderConfig) DeepCopy() *CRIOCredentialProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigList) DeepCopyInto(out *CRIOCredentialProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CRIOCredentialProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigList.
+func (in *CRIOCredentialProviderConfigList) DeepCopy() *CRIOCredentialProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopyInto(out *CRIOCredentialProviderConfigSpec) {
+	*out = *in
+	if in.MatchImages != nil {
+		in, out := &in.MatchImages, &out.MatchImages
+		*out = make([]MatchImage, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigSpec.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopy() *CRIOCredentialProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopyInto(out *CRIOCredentialProviderConfigStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigStatus.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopy() *CRIOCredentialProviderConfigStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {
 	*out = *in
@@ -365,6 +474,7 @@ func (in *ClusterMonitoringSpec) DeepCopyInto(out *ClusterMonitoringSpec) {
 	out.UserDefined = in.UserDefined
 	in.AlertmanagerConfig.DeepCopyInto(&out.AlertmanagerConfig)
 	in.MetricsServerConfig.DeepCopyInto(&out.MetricsServerConfig)
+	in.PrometheusOperatorConfig.DeepCopyInto(&out.PrometheusOperatorConfig)
 	return
 }
 
@@ -429,33 +539,6 @@ func (in *EtcdBackupSpec) DeepCopy() *EtcdBackupSpec {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) {
-	*out = *in
-	if in.FulcioCAData != nil {
-		in, out := &in.FulcioCAData, &out.FulcioCAData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.RekorKeyData != nil {
-		in, out := &in.RekorKeyData, &out.RekorKeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	out.FulcioSubject = in.FulcioSubject
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor.
-func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor {
-	if in == nil {
-		return nil
-	}
-	out := new(FulcioCAWithRekor)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatherConfig) DeepCopyInto(out *GatherConfig) {
 	*out = *in
@@ -510,6 +593,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) {
+	*out = *in
+	if in.FulcioCAData != nil {
+		in, out := &in.FulcioCAData, &out.FulcioCAData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.FulcioSubject = in.FulcioSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyFulcioCAWithRekorRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) {
 	*out = *in
@@ -543,6 +653,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) {
+	*out = *in
+	if in.CertificateAuthorityRootsData != nil {
+		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CertificateAuthorityIntermediatesData != nil {
+		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.PKICertificateSubject = in.PKICertificateSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyPKIRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) {
+	*out = *in
+	if in.KeyData != nil {
+		in, out := &in.KeyData, &out.KeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyPublicKeyRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) {
 	*out = *in
@@ -588,6 +751,24 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) {
+	*out = *in
+	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
+	in.SignedIdentity.DeepCopyInto(&out.SignedIdentity)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy.
+func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageSigstoreVerificationPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) {
 	*out = *in
@@ -727,33 +908,6 @@ func (in *MetricsServerConfig) DeepCopy() *MetricsServerConfig {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PKI) DeepCopyInto(out *PKI) {
-	*out = *in
-	if in.CertificateAuthorityRootsData != nil {
-		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CertificateAuthorityIntermediatesData != nil {
-		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	out.PKICertificateSubject = in.PKICertificateSubject
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI.
-func (in *PKI) DeepCopy() *PKI {
-	if in == nil {
-		return nil
-	}
-	out := new(PKI)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) {
 	*out = *in
@@ -803,24 +957,6 @@ func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Policy) DeepCopyInto(out *Policy) {
-	*out = *in
-	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
-	in.SignedIdentity.DeepCopyInto(&out.SignedIdentity)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
-func (in *Policy) DeepCopy() *Policy {
-	if in == nil {
-		return nil
-	}
-	out := new(Policy)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) {
 	*out = *in
@@ -900,17 +1036,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) {
 	*out = *in
 	if in.PublicKey != nil {
 		in, out := &in.PublicKey, &out.PublicKey
-		*out = new(PublicKey)
+		*out = new(ImagePolicyPublicKeyRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.FulcioCAWithRekor != nil {
 		in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor
-		*out = new(FulcioCAWithRekor)
+		*out = new(ImagePolicyFulcioCAWithRekorRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.PKI != nil {
 		in, out := &in.PKI, &out.PKI
-		*out = new(PKI)
+		*out = new(ImagePolicyPKIRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	return
@@ -927,27 +1063,45 @@ func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PublicKey) DeepCopyInto(out *PublicKey) {
+func (in *PrometheusOperatorConfig) DeepCopyInto(out *PrometheusOperatorConfig) {
 	*out = *in
-	if in.KeyData != nil {
-		in, out := &in.KeyData, &out.KeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
 	}
-	if in.RekorKeyData != nil {
-		in, out := &in.RekorKeyData, &out.RekorKeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]ContainerResource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]v1.Toleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TopologySpreadConstraints != nil {
+		in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints
+		*out = make([]v1.TopologySpreadConstraint, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey.
-func (in *PublicKey) DeepCopy() *PublicKey {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrometheusOperatorConfig.
+func (in *PrometheusOperatorConfig) DeepCopy() *PrometheusOperatorConfig {
 	if in == nil {
 		return nil
 	}
-	out := new(PublicKey)
+	out := new(PrometheusOperatorConfig)
 	in.DeepCopyInto(out)
 	return out
 }
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
index 2f79f801dd..14091b5872 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -21,6 +21,29 @@ backups.config.openshift.io:
   - AutomatedEtcdBackup
   Version: v1alpha1
 
+criocredentialproviderconfigs.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2557
+  CRDName: criocredentialproviderconfigs.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - CRIOCredentialProviderConfig
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: CRIOCredentialProviderConfig
+  Labels: {}
+  PluralName: criocredentialproviderconfigs
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - CRIOCredentialProviderConfig
+  Version: v1alpha1
+
 clusterimagepolicies.config.openshift.io:
   Annotations: {}
   ApprovedPRNumber: https://github.com/openshift/api/pull/1457
@@ -97,7 +120,7 @@ insightsdatagathers.config.openshift.io:
   Annotations: {}
   ApprovedPRNumber: https://github.com/openshift/api/pull/1245
   CRDName: insightsdatagathers.config.openshift.io
-  Capability: ""
+  Capability: Insights
   Category: ""
   FeatureGates:
   - InsightsConfig
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
index 6ba6ad11f4..c060ce8746 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -132,10 +132,10 @@ var map_AlertmanagerCustomConfig = map[string]string{
 	"":                          "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.",
 	"logLevel":                  "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.",
 	"nodeSelector":              "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.",
-	"resources":                 "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.",
+	"resources":                 "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.",
 	"secrets":                   "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret-<secret-name> and mounted at /etc/alertmanager/secrets/<secret-name> within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.",
-	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1",
-	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.",
+	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.",
+	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.",
 	"volumeClaimTemplate":       "volumeClaimTemplate Defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class, volume size, and name. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts. This field is optional.",
 }
 
@@ -174,10 +174,11 @@ func (ClusterMonitoringList) SwaggerDoc() map[string]string {
 }
 
 var map_ClusterMonitoringSpec = map[string]string{
-	"":                    "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator",
-	"userDefined":         "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.",
-	"alertmanagerConfig":  "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.",
-	"metricsServerConfig": "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
+	"":                         "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator",
+	"userDefined":              "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.",
+	"alertmanagerConfig":       "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.",
+	"metricsServerConfig":      "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
+	"prometheusOperatorConfig": "prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component. Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
 }
 
 func (ClusterMonitoringSpec) SwaggerDoc() map[string]string {
@@ -207,16 +208,29 @@ var map_MetricsServerConfig = map[string]string{
 	"":                          "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.",
 	"audit":                     "audit defines the audit configuration used by the Metrics Server instance. audit is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default sets audit.profile to Metadata",
 	"nodeSelector":              "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.",
-	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1",
+	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.",
 	"verbosity":                 "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Errors`",
-	"resources":                 "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.",
-	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.",
+	"resources":                 "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.",
+	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.",
 }
 
 func (MetricsServerConfig) SwaggerDoc() map[string]string {
 	return map_MetricsServerConfig
 }
 
+var map_PrometheusOperatorConfig = map[string]string{
+	"":                          "PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.",
+	"logLevel":                  "logLevel defines the verbosity of logs emitted by Prometheus Operator. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.",
+	"nodeSelector":              "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.",
+	"resources":                 "resources defines the compute resource requests and limits for the Prometheus Operator container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.",
+	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.",
+	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.",
+}
+
+func (PrometheusOperatorConfig) SwaggerDoc() map[string]string {
+	return map_PrometheusOperatorConfig
+}
+
 var map_UserDefinedMonitoring = map[string]string{
 	"":     "UserDefinedMonitoring config for user-defined projects.",
 	"mode": "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. The current default value is `Disabled`.",
@@ -226,15 +240,42 @@ func (UserDefinedMonitoring) SwaggerDoc() map[string]string {
 	return map_UserDefinedMonitoring
 }
 
-var map_FulcioCAWithRekor = map[string]string{
-	"":              "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.",
-	"fulcioCAData":  "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.",
-	"rekorKeyData":  "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.",
-	"fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.",
+var map_CRIOCredentialProviderConfig = map[string]string{
+	"":         "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.",
+	"status":   "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. The controller will populate this field with validation conditions and operational state.",
+}
+
+func (CRIOCredentialProviderConfig) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfig
+}
+
+var map_CRIOCredentialProviderConfigList = map[string]string{
+	"":         "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (CRIOCredentialProviderConfigList) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigList
 }
 
-func (FulcioCAWithRekor) SwaggerDoc() map[string]string {
-	return map_FulcioCAWithRekor
+var map_CRIOCredentialProviderConfigSpec = map[string]string{
+	"":            "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+	"matchImages": "matchImages is a list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors. Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider. Conflicts between the existing platform specific provider image match configuration and this list will be handled by the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those from the CRIOCredentialProviderConfig when both match the same image. To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml). You can check the resource's Status conditions to see if any entries were ignored due to exact matches with known built-in provider patterns.\n\nThis field is optional, the items of the list must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path",
+}
+
+func (CRIOCredentialProviderConfigSpec) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigSpec
+}
+
+var map_CRIOCredentialProviderConfigStatus = map[string]string{
+	"":           "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+	"conditions": "conditions represent the latest available observations of the configuration state. When omitted, it indicates that no conditions have been reported yet. The maximum number of conditions is 16. Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid",
+}
+
+func (CRIOCredentialProviderConfigStatus) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigStatus
 }
 
 var map_ImagePolicy = map[string]string{
@@ -248,6 +289,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string {
 	return map_ImagePolicy
 }
 
+var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{
+	"":              "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.",
+	"fulcioCAData":  "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.",
+	"rekorKeyData":  "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.",
+	"fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.",
+}
+
+func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyFulcioCAWithRekorRootOfTrust
+}
+
 var map_ImagePolicyList = map[string]string{
 	"":         "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
 	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -257,6 +309,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string {
 	return map_ImagePolicyList
 }
 
+var map_ImagePolicyPKIRootOfTrust = map[string]string{
+	"":                      "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
+	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
+	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
+	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+}
+
+func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyPKIRootOfTrust
+}
+
+var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{
+	"":             "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.",
+	"keyData":      "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.",
+	"rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.",
+}
+
+func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyPublicKeyRootOfTrust
+}
+
 var map_ImagePolicySpec = map[string]string{
 	"":       "ImagePolicySpec is the specification of the ImagePolicy CRD.",
 	"scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker",
@@ -275,15 +348,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string {
 	return map_ImagePolicyStatus
 }
 
-var map_PKI = map[string]string{
-	"":                      "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
-	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
-	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
-	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+var map_ImageSigstoreVerificationPolicy = map[string]string{
+	"":               "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.",
+	"rootOfTrust":    "rootOfTrust specifies the root of trust for the policy.",
+	"signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
 }
 
-func (PKI) SwaggerDoc() map[string]string {
-	return map_PKI
+func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string {
+	return map_ImageSigstoreVerificationPolicy
 }
 
 var map_PKICertificateSubject = map[string]string{
@@ -296,16 +368,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string {
 	return map_PKICertificateSubject
 }
 
-var map_Policy = map[string]string{
-	"":               "Policy defines the verification policy for the items in the scopes list.",
-	"rootOfTrust":    "rootOfTrust specifies the root of trust for the policy.",
-	"signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
-}
-
-func (Policy) SwaggerDoc() map[string]string {
-	return map_Policy
-}
-
 var map_PolicyFulcioSubject = map[string]string{
 	"":            "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.",
 	"oidcIssuer":  "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"",
@@ -356,16 +418,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string {
 	return map_PolicyRootOfTrust
 }
 
-var map_PublicKey = map[string]string{
-	"":             "PublicKey defines the root of trust based on a sigstore public key.",
-	"keyData":      "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.",
-	"rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.",
-}
-
-func (PublicKey) SwaggerDoc() map[string]string {
-	return map_PublicKey
-}
-
 var map_GatherConfig = map[string]string{
 	"":                  "gatherConfig provides data gathering configuration options.",
 	"dataPolicy":        "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
diff --git a/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go
index d59f5920b1..fbe666249a 100644
--- a/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go
+++ b/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go
@@ -16,6 +16,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
 // +openshift:enable:FeatureGate=InsightsConfig
 // +openshift:compatibility-gen:level=4
+// +openshift:capability=Insights
 type InsightsDataGather struct {
 	metav1.TypeMeta `json:",inline"`
 	// metadata is the standard object's metadata.
diff --git a/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml
index 99fe308ef8..1f73e723eb 100644
--- a/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml
@@ -2,7 +2,7 @@ insightsdatagathers.config.openshift.io:
   Annotations: {}
   ApprovedPRNumber: https://github.com/openshift/api/pull/2195
   CRDName: insightsdatagathers.config.openshift.io
-  Capability: ""
+  Capability: Insights
   Category: ""
   FeatureGates:
   - InsightsConfig
diff --git a/vendor/github.com/openshift/api/console/v1/types_console_sample.go b/vendor/github.com/openshift/api/console/v1/types_console_sample.go
index bd0f656969..c296059b7e 100644
--- a/vendor/github.com/openshift/api/console/v1/types_console_sample.go
+++ b/vendor/github.com/openshift/api/console/v1/types_console_sample.go
@@ -125,7 +125,8 @@ type ConsoleSampleSpec struct {
 
 // ConsoleSampleSourceType is an enumeration of the supported sample types.
 // Unsupported samples types will be ignored in the web console.
-// +kubebuilder:validation:Enum:=GitImport;ContainerImport
+// +kubebuilder:validation:Enum:="GitImport";"ContainerImport"
+// +enum
 type ConsoleSampleSourceType string
 
 const (
@@ -144,7 +145,6 @@ type ConsoleSampleSource struct {
 	// type of the sample, currently supported: "GitImport";"ContainerImport"
 	// +unionDiscriminator
 	// +required
-	// +kubebuilder:validation:Enum:="GitImport";"ContainerImport"
 	Type ConsoleSampleSourceType `json:"type"`
 
 	// gitImport allows the user to import code from a git repository.
diff --git a/vendor/github.com/openshift/api/etcd/README.md b/vendor/github.com/openshift/api/etcd/README.md
new file mode 100644
index 0000000000..b92d553df7
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/README.md
@@ -0,0 +1,211 @@
+# etcd.openshift.io API Group
+
+This API group contains CRDs related to etcd cluster management in Two Node OpenShift with Fencing deployments.
+
+## API Versions
+
+### v1alpha1
+
+Contains the `PacemakerCluster` custom resource for monitoring Pacemaker cluster health in Two Node OpenShift with Fencing deployments.
+
+#### PacemakerCluster
+
+- **Feature Gate**: `DualReplica`
+- **Component**: `two-node-fencing`
+- **Scope**: Cluster-scoped singleton resource (must be named "cluster")
+- **Resource Path**: `pacemakerclusters.etcd.openshift.io`
+
+The `PacemakerCluster` resource provides visibility into the health and status of a Pacemaker-managed cluster.
+It is periodically updated by the cluster-etcd-operator's status collector.
+
+### Status Subresource Design
+
+This resource uses the standard Kubernetes status subresource pattern (`+kubebuilder:subresource:status`).
+The status collector creates the resource without status, then immediately populates it via the `/status` endpoint.
+
+**Why not atomic create-with-status?**
+
+We initially explored removing the status subresource to allow creating the resource with status in a single
+atomic operation. This would ensure the resource is never observed in an incomplete state. However:
+
+1. The Kubernetes API server strips the `status` field from create requests when a status subresource is enabled
+2. Without the subresource, we cannot use separate RBAC for spec vs status updates
+3. The OpenShift API test framework assumes status subresource exists for status update tests
+
+The status collector performs a two-step operation: create resource, then immediately update status.
+The brief window where status is empty is acceptable since the healthcheck controller handles missing status gracefully.
+
+### Pacemaker Resources
+
+A **pacemaker resource** is a unit of work managed by pacemaker. In pacemaker terminology, resources are services
+or applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability.
+
+For Two Node OpenShift with Fencing, we manage three resource types:
+- **Kubelet**: The Kubernetes node agent and a prerequisite for etcd
+- **Etcd**: The distributed key-value store
+- **FencingAgent**: Used to isolate failed nodes during a quorum loss event (tracked separately)
+
+### Status Structure
+
+```yaml
+status:                    # Optional on creation, populated via status subresource
+  conditions:              # Required when status present (min 3 items)
+    - type: Healthy
+    - type: InService
+    - type: NodeCountAsExpected
+  lastUpdated: <timestamp> # Required when status present, cannot decrease
+  nodes:                   # Control-plane nodes (0-5, expects 2 for TNF)
+    - nodeName: <hostname> # RFC 1123 subdomain name
+      addresses:           # Required: List of node addresses (1-8 items)
+        - type: InternalIP # Currently only InternalIP is supported
+          address: <ip>    # First address used for etcd peer URLs
+      conditions:          # Required: Node-level conditions (min 9 items)
+        - type: Healthy
+        - type: Online
+        - type: InService
+        - type: Active
+        - type: Ready
+        - type: Clean
+        - type: Member
+        - type: FencingAvailable
+        - type: FencingHealthy
+      resources:           # Required: Pacemaker resources on this node (min 2)
+        - name: Kubelet    # Both Kubelet and Etcd must be present
+          conditions:      # Required: Resource-level conditions (min 8 items)
+            - type: Healthy
+            - type: InService
+            - type: Managed
+            - type: Enabled
+            - type: Operational
+            - type: Active
+            - type: Started
+            - type: Schedulable
+        - name: Etcd
+          conditions: [...]  # Same 8 conditions as Kubelet (abbreviated)
+      fencingAgents:       # Required: Fencing agents for THIS node (1-8)
+        - name: <unique_id>  # e.g., "master-0_redfish" (unique, max 300 chars)
+          method: <method>   # Fencing method: "Redfish" or "IPMI"
+          conditions: [...]  # Same 8 conditions as resources (abbreviated)
+```
+
+### Fencing Agents
+
+Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes.
+Unlike regular pacemaker resources (Kubelet, Etcd), fencing agents are tracked separately because:
+
+1. **Mapping by target, not schedule**: Resources are mapped to the node where they are scheduled to run.
+   Fencing agents are mapped to the node they can *fence* (their target), regardless of which node
+   their monitoring operations are scheduled on.
+
+2. **Multiple agents per node**: A node can have multiple fencing agents for redundancy
+   (e.g., both Redfish and IPMI). Expected: 1 per node, supported: up to 8.
+
+3. **Health tracking via two node-level conditions**:
+   - **FencingAvailable**: True if at least one agent is healthy (fencing works), False if all agents unhealthy (degrades operator)
+   - **FencingHealthy**: True if all agents are healthy (ideal state), False if any agent is unhealthy (emits warning events)
+
+### Cluster-Level Conditions
+
+| Condition | True | False |
+|-----------|------|-------|
+| `Healthy` | Cluster is healthy (`ClusterHealthy`) | Cluster has issues (`ClusterUnhealthy`) |
+| `InService` | In service (`InService`) | In maintenance (`InMaintenance`) |
+| `NodeCountAsExpected` | Node count is as expected (`AsExpected`) | Wrong count (`InsufficientNodes`, `ExcessiveNodes`) |
+
+### Node-Level Conditions
+
+| Condition | True | False |
+|-----------|------|-------|
+| `Healthy` | Node is healthy (`NodeHealthy`) | Node has issues (`NodeUnhealthy`) |
+| `Online` | Node is online (`Online`) | Node is offline (`Offline`) |
+| `InService` | In service (`InService`) | In maintenance (`InMaintenance`) |
+| `Active` | Node is active (`Active`) | Node is in standby (`Standby`) |
+| `Ready` | Node is ready (`Ready`) | Node is pending (`Pending`) |
+| `Clean` | Node is clean (`Clean`) | Node is unclean (`Unclean`) |
+| `Member` | Node is a member (`Member`) | Not a member (`NotMember`) |
+| `FencingAvailable` | At least one agent healthy (`FencingAvailable`) | All agents unhealthy (`FencingUnavailable`) - degrades operator |
+| `FencingHealthy` | All agents healthy (`FencingHealthy`) | Some agents unhealthy (`FencingUnhealthy`) - emits warnings |
+
+### Resource-Level Conditions
+
+Each resource in the `resources` array and each fencing agent in the `fencingAgents` array has its own conditions.
+
+| Condition | True | False |
+|-----------|------|-------|
+| `Healthy` | Resource is healthy (`ResourceHealthy`) | Resource has issues (`ResourceUnhealthy`) |
+| `InService` | In service (`InService`) | In maintenance (`InMaintenance`) |
+| `Managed` | Managed by pacemaker (`Managed`) | Not managed (`Unmanaged`) |
+| `Enabled` | Resource is enabled (`Enabled`) | Resource is disabled (`Disabled`) |
+| `Operational` | Resource is operational (`Operational`) | Resource has failed (`Failed`) |
+| `Active` | Resource is active (`Active`) | Resource is not active (`Inactive`) |
+| `Started` | Resource is started (`Started`) | Resource is stopped (`Stopped`) |
+| `Schedulable` | Resource is schedulable (`Schedulable`) | Resource is not schedulable (`Unschedulable`) |
+
+### Validation Rules
+
+**Resource naming:**
+- Resource name must be "cluster" (singleton)
+
+**Node name validation:**
+- Must be a lowercase RFC 1123 subdomain name
+- Consists of lowercase alphanumeric characters, '-' or '.'
+- Must start and end with an alphanumeric character
+- Maximum 253 characters
+
+**Node addresses:**
+- Uses `PacemakerNodeAddress` type (similar to `corev1.NodeAddress` but with IP validation)
+- Currently only `InternalIP` type is supported
+- Pacemaker allows multiple addresses for Corosync communication between nodes (1-8 addresses)
+- The first address in the list is used for IP-based peer URLs for etcd membership
+- IP validation:
+  - Must be a valid global unicast IPv4 or IPv6 address
+  - Must be in canonical form (e.g., `192.168.1.1` not `192.168.001.001`, or `2001:db8::1` not `2001:0db8::1`)
+  - Excludes loopback, link-local, and multicast addresses
+  - Maximum length is 39 characters (full IPv6 address)
+
+**Timestamp validation:**
+- `lastUpdated` is required when status is present
+- Once set, cannot be set to an earlier timestamp (validation uses `!has(oldSelf.lastUpdated)` to handle initial creation)
+- Timestamps must always increase (prevents stale updates from overwriting newer data)
+
+**Status fields:**
+- `status` - Optional on creation (pointer type), populated via status subresource
+- When status is present, all fields within are required:
+  - `conditions` - Required array of cluster conditions (min 3 items)
+  - `lastUpdated` - Required timestamp for staleness detection
+  - `nodes` - Required array of control-plane node statuses (min 0, max 5; empty allowed for catastrophic failures)
+
+**Node fields (when node present):**
+- `nodeName` - Required, RFC 1123 subdomain
+- `addresses` - Required (min 1, max 8 items)
+- `conditions` - Required (min 9 items with specific types enforced via XValidation)
+- `resources` - Required (min 2 items: Kubelet and Etcd)
+- `fencingAgents` - Required (min 1, max 8 items)
+
+**Conditions validation:**
+- Cluster-level: MinItems=3 (Healthy, InService, NodeCountAsExpected)
+- Node-level: MinItems=9 (Healthy, Online, InService, Active, Ready, Clean, Member, FencingAvailable, FencingHealthy)
+- Resource-level: MinItems=8 (Healthy, InService, Managed, Enabled, Operational, Active, Started, Schedulable)
+- Fencing agent-level: MinItems=8 (same conditions as resources)
+
+All condition arrays have XValidation rules to ensure specific condition types are present.
+
+**Resource names:**
+- Valid values are: `Kubelet`, `Etcd`
+- Both resources must be present in each node's `resources` array
+
+**Fencing agent fields:**
+- `name`: Unique identifier for the fencing agent (e.g., "master-0_redfish")
+  - Must be unique within the `fencingAgents` array
+  - May contain alphanumeric characters, dots, hyphens, and underscores (`^[a-zA-Z0-9._-]+$`)
+  - Maximum 300 characters (provides headroom beyond 253 node name + underscore + method)
+- `method`: Fencing method enum - valid values are `Redfish` or `IPMI`
+- `conditions`: Required, same 8 conditions as resources
+
+Note: The target node is implied by the parent `PacemakerClusterNodeStatus` - fencing agents are nested under the node they can fence.
+
+### Usage
+
+The cluster-etcd-operator healthcheck controller watches this resource and updates operator conditions based on
+the cluster state. The aggregate `Healthy` conditions at each level (cluster, node, resource) provide a quick
+way to determine overall health.
diff --git a/vendor/github.com/openshift/api/etcd/install.go b/vendor/github.com/openshift/api/etcd/install.go
new file mode 100644
index 0000000000..7e7474152c
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/install.go
@@ -0,0 +1,26 @@
+package etcd
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	v1alpha1 "github.com/openshift/api/etcd/v1alpha1"
+)
+
+const (
+	GroupName = "etcd.openshift.io"
+)
+
+var (
+	schemeBuilder = runtime.NewSchemeBuilder(v1alpha1.Install)
+	// Install is a function which adds every version of this group to a scheme
+	Install = schemeBuilder.AddToScheme
+)
+
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func Kind(kind string) schema.GroupKind {
+	return schema.GroupKind{Group: GroupName, Kind: kind}
+}
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/Makefile b/vendor/github.com/openshift/api/etcd/v1alpha1/Makefile
new file mode 100644
index 0000000000..3d019662af
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/Makefile
@@ -0,0 +1,3 @@
+.PHONY: test
+test:
+	make -C ../../tests test GINKGO_EXTRA_ARGS=--focus="etcd.openshift.io/v1alpha1"
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/doc.go b/vendor/github.com/openshift/api/etcd/v1alpha1/doc.go
new file mode 100644
index 0000000000..aea92fb381
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/doc.go
@@ -0,0 +1,6 @@
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
+// +openshift:featuregated-schema-gen=true
+// +groupName=etcd.openshift.io
+package v1alpha1
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/register.go b/vendor/github.com/openshift/api/etcd/v1alpha1/register.go
new file mode 100644
index 0000000000..1dc6482f83
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/register.go
@@ -0,0 +1,39 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	GroupName     = "etcd.openshift.io"
+	GroupVersion  = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+	schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// Install is a function which adds this version to a scheme
+	Install = schemeBuilder.AddToScheme
+
+	// SchemeGroupVersion generated code relies on this name
+	// Deprecated
+	SchemeGroupVersion = GroupVersion
+	// AddToScheme exists solely to keep the old generators creating valid code
+	// DEPRECATED
+	AddToScheme = schemeBuilder.AddToScheme
+)
+
+// Resource generated code relies on this being here, but it logically belongs to the group
+// DEPRECATED
+func Resource(resource string) schema.GroupResource {
+	return schema.GroupResource{Group: GroupName, Resource: resource}
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	metav1.AddToGroupVersion(scheme, GroupVersion)
+
+	scheme.AddKnownTypes(GroupVersion,
+		&PacemakerCluster{},
+		&PacemakerClusterList{},
+	)
+
+	return nil
+}
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go b/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go
new file mode 100644
index 0000000000..ab06d0e390
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go
@@ -0,0 +1,736 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// PacemakerCluster is used in Two Node OpenShift with Fencing deployments to monitor the health
+// of etcd running under pacemaker.
+
+// Cluster-level condition types for PacemakerCluster.status.conditions
+const (
+	// ClusterHealthyConditionType tracks the overall health of the pacemaker cluster.
+	// This is an aggregate condition that reflects the health of all cluster-level conditions and node health.
+	// Specifically, it aggregates the following conditions:
+	// - ClusterInServiceConditionType
+	// - ClusterNodeCountAsExpectedConditionType
+	// - NodeHealthyConditionType (for each node)
+	// When True, the cluster is healthy with reason "ClusterHealthy".
+	// When False, the cluster is unhealthy with reason "ClusterUnhealthy".
+	ClusterHealthyConditionType = "Healthy"
+
+	// ClusterInServiceConditionType tracks whether the cluster is in service (not in maintenance mode).
+	// Maintenance mode is a cluster-wide setting that prevents pacemaker from starting or stopping resources.
+	// When True, the cluster is in service with reason "InService". This is the normal operating state.
+	// When False, the cluster is in maintenance mode with reason "InMaintenance". This is an unexpected state.
+	ClusterInServiceConditionType = "InService"
+
+	// ClusterNodeCountAsExpectedConditionType tracks whether the cluster has the expected number of nodes.
+	// For Two Node OpenShift with Fencing, we are expecting exactly 2 nodes.
+	// When True, the expected number of nodes are present with reason "AsExpected".
+	// When False, the node count is incorrect with reason "InsufficientNodes" or "ExcessiveNodes".
+	ClusterNodeCountAsExpectedConditionType = "NodeCountAsExpected"
+)
+
+// ClusterHealthy condition reasons
+const (
+	// ClusterHealthyReasonHealthy means the pacemaker cluster is healthy and operating normally.
+	ClusterHealthyReasonHealthy = "ClusterHealthy"
+
+	// ClusterHealthyReasonUnhealthy means the pacemaker cluster has issues that need investigation.
+	ClusterHealthyReasonUnhealthy = "ClusterUnhealthy"
+)
+
+// ClusterInService condition reasons
+const (
+	// ClusterInServiceReasonInService means the cluster is in service (not in maintenance mode).
+	// This is the normal operating state.
+	ClusterInServiceReasonInService = "InService"
+
+	// ClusterInServiceReasonInMaintenance means the cluster is in maintenance mode.
+	// In maintenance mode, pacemaker will not start or stop any resources. Entering and exiting this state requires
+	// manual user intervention, and is unexpected during normal cluster operation.
+	ClusterInServiceReasonInMaintenance = "InMaintenance"
+)
+
+// ClusterNodeCountAsExpected condition reasons
+const (
+	// ClusterNodeCountAsExpectedReasonAsExpected means the expected number of nodes are present.
+	// For Two Node OpenShift with Fencing, we are expecting exactly 2 nodes. This is the expected healthy state.
+	ClusterNodeCountAsExpectedReasonAsExpected = "AsExpected"
+
+	// ClusterNodeCountAsExpectedReasonInsufficientNodes means fewer nodes than expected are present.
+	// For Two Node OpenShift with Fencing, this means that less than 2 nodes are present. Under normal operation, this will only happen during
+	// a node replacement operation. It's also possible to enter this state with manual user intervention, but
+	// will also require user intervention to restore normal functionality.
+	ClusterNodeCountAsExpectedReasonInsufficientNodes = "InsufficientNodes"
+
+	// ClusterNodeCountAsExpectedReasonExcessiveNodes means more nodes than expected are present.
+	// For Two Node OpenShift with Fencing, this means more than 2 nodes are present. This should be investigated as it is unexpected and should
+	// never happen during normal cluster operation. It is possible to enter this state with manual user intervention,
+	// but will also require user intervention to restore normal functionality.
+	ClusterNodeCountAsExpectedReasonExcessiveNodes = "ExcessiveNodes"
+)
+
+// Node-level condition types for PacemakerCluster.status.nodes[].conditions
+const (
+	// NodeHealthyConditionType tracks the overall health of a node in the pacemaker cluster.
+	// This is an aggregate condition that reflects the health of all node-level conditions and resource health.
+	// Specifically, it aggregates the following conditions:
+	// - NodeOnlineConditionType
+	// - NodeInServiceConditionType
+	// - NodeActiveConditionType
+	// - NodeReadyConditionType
+	// - NodeCleanConditionType
+	// - NodeMemberConditionType
+	// - NodeFencingAvailableConditionType
+	// - NodeFencingHealthyConditionType
+	// - ResourceHealthyConditionType (for each resource in the node's resources list)
+	// When True, the node is healthy with reason "NodeHealthy".
+	// When False, the node is unhealthy with reason "NodeUnhealthy".
+	NodeHealthyConditionType = "Healthy"
+
+	// NodeOnlineConditionType tracks whether a node is online.
+	// When True, the node is online with reason "Online". This is the normal operating state.
+	// When False, the node is offline with reason "Offline". This can occur during reboots, failures, maintenance, or replacement.
+	NodeOnlineConditionType = "Online"
+
+	// NodeInServiceConditionType tracks whether a node is in service (not in maintenance mode).
+	// A node in maintenance mode is ignored by pacemaker while maintenance mode is active.
+	// When True, the node is in service with reason "InService". This is the normal operating state.
+	// When False, the node is in maintenance mode with reason "InMaintenance". This is an unexpected state.
+	NodeInServiceConditionType = "InService"
+
+	// NodeActiveConditionType tracks whether a node is active (not in standby mode).
+	// When a node enters standby mode, pacemaker moves its resources to other nodes in the cluster.
+	// In Two Node OpenShift with Fencing, we do not use standby mode during normal operation.
+	// When True, the node is active with reason "Active". This is the normal operating state.
+	// When False, the node is in standby mode with reason "Standby". This is an unexpected state.
+	NodeActiveConditionType = "Active"
+
+	// NodeReadyConditionType tracks whether a node is ready (not in a pending state).
+	// A node in a pending state is in the process of joining or leaving the cluster.
+	// When True, the node is ready with reason "Ready". This is the normal operating state.
+	// When False, the node is pending with reason "Pending". This is expected to be temporary.
+	NodeReadyConditionType = "Ready"
+
+	// NodeCleanConditionType tracks whether a node is in a clean state.
+	// An unclean state means that pacemaker was unable to confirm the node's state, which signifies issues
+	// in fencing, communication, or configuration.
+	// When True, the node is clean with reason "Clean". This is the normal operating state.
+	// When False, the node is unclean with reason "Unclean". This is an unexpected state.
+	NodeCleanConditionType = "Clean"
+
+	// NodeMemberConditionType tracks whether a node is a member of the cluster.
+	// Some configurations may use remote nodes or ping nodes, which are nodes that are not members.
+	// For Two Node OpenShift with Fencing, we expect both nodes to be members.
+	// When True, the node is a member with reason "Member". This is the normal operating state.
+	// When False, the node is not a member with reason "NotMember". This is an unexpected state.
+	NodeMemberConditionType = "Member"
+
+	// NodeFencingAvailableConditionType tracks whether a node can be fenced by at least one fencing agent.
+	// For Two Node OpenShift with Fencing, each node needs at least one healthy fencing agent to ensure
+	// that the cluster can recover from a node failure via STONITH (Shoot The Other Node In The Head).
+	// When True, at least one fencing agent is healthy with reason "FencingAvailable".
+	// When False, all fencing agents are unhealthy with reason "FencingUnavailable". This is a critical
+	// state that should degrade the operator.
+	NodeFencingAvailableConditionType = "FencingAvailable"
+
+	// NodeFencingHealthyConditionType tracks whether all fencing agents for a node are healthy.
+	// This is an aggregate condition that reflects the health of all fencing agents targeting this node.
+	// When True, all fencing agents are healthy with reason "FencingHealthy".
+	// When False, one or more fencing agents are unhealthy with reason "FencingUnhealthy". Warning events
+	// should be emitted for failing agents, but the operator should not be degraded if FencingAvailable is True.
+	NodeFencingHealthyConditionType = "FencingHealthy"
+)
+
+// NodeHealthy condition reasons
+const (
+	// NodeHealthyReasonHealthy means the node is healthy and operating normally.
+	NodeHealthyReasonHealthy = "NodeHealthy"
+
+	// NodeHealthyReasonUnhealthy means the node has issues that need investigation.
+	NodeHealthyReasonUnhealthy = "NodeUnhealthy"
+)
+
+// NodeOnline condition reasons
+const (
+	// NodeOnlineReasonOnline means the node is online. This is the normal operating state.
+	NodeOnlineReasonOnline = "Online"
+
+	// NodeOnlineReasonOffline means the node is offline.
+	NodeOnlineReasonOffline = "Offline"
+)
+
+// NodeInService condition reasons
+const (
+	// NodeInServiceReasonInService means the node is in service (not in maintenance mode).
+	// This is the normal operating state.
+	NodeInServiceReasonInService = "InService"
+
+	// NodeInServiceReasonInMaintenance means the node is in maintenance mode.
+	// This is an unexpected state.
+	NodeInServiceReasonInMaintenance = "InMaintenance"
+)
+
+// NodeActive condition reasons
+const (
+	// NodeActiveReasonActive means the node is active (not in standby mode).
+	// This is the normal operating state.
+	NodeActiveReasonActive = "Active"
+
+	// NodeActiveReasonStandby means the node is in standby mode.
+	// This is an unexpected state.
+	NodeActiveReasonStandby = "Standby"
+)
+
+// NodeReady condition reasons
+const (
+	// NodeReadyReasonReady means the node is ready (not in a pending state).
+	// This is the normal operating state.
+	NodeReadyReasonReady = "Ready"
+
+	// NodeReadyReasonPending means the node is joining or leaving the cluster.
+	// This state is expected to be temporary.
+	NodeReadyReasonPending = "Pending"
+)
+
+// NodeClean condition reasons
+const (
+	// NodeCleanReasonClean means the node is in a clean state.
+	// This is the normal operating state.
+	NodeCleanReasonClean = "Clean"
+
+	// NodeCleanReasonUnclean means the node is in an unclean state.
+	// Pacemaker was unable to confirm the node's state, which signifies issues in fencing, communication, or configuration.
+	// This is an unexpected state.
+	NodeCleanReasonUnclean = "Unclean"
+)
+
+// NodeMember condition reasons
+const (
+	// NodeMemberReasonMember means the node is a member of the cluster.
+	// For Two Node OpenShift with Fencing, we expect both nodes to be members. This is the normal operating state.
+	NodeMemberReasonMember = "Member"
+
+	// NodeMemberReasonNotMember means the node is not a member of the cluster.
+	// This is an unexpected state.
+	NodeMemberReasonNotMember = "NotMember"
+)
+
+// NodeFencingAvailable condition reasons
+const (
+	// NodeFencingAvailableReasonAvailable means at least one fencing agent for this node is healthy.
+	// The cluster can fence this node if needed. This is the normal operating state.
+	NodeFencingAvailableReasonAvailable = "FencingAvailable"
+
+	// NodeFencingAvailableReasonUnavailable means all fencing agents for this node are unhealthy.
+	// The cluster cannot fence this node, which compromises high availability.
+	// This is a critical state that should degrade the operator.
+	NodeFencingAvailableReasonUnavailable = "FencingUnavailable"
+)
+
+// NodeFencingHealthy condition reasons
+const (
+	// NodeFencingHealthyReasonHealthy means all fencing agents for this node are healthy.
+	// This is the ideal operating state with full redundancy.
+	NodeFencingHealthyReasonHealthy = "FencingHealthy"
+
+	// NodeFencingHealthyReasonUnhealthy means one or more fencing agents for this node are unhealthy.
+	// Warning events should be emitted for failing agents, but the operator should not be degraded
+	// if FencingAvailable is still True.
+	NodeFencingHealthyReasonUnhealthy = "FencingUnhealthy"
+)
+
+// Resource-level condition types for PacemakerCluster.status.nodes[].resources[].conditions
+const (
+	// ResourceHealthyConditionType tracks the overall health of a pacemaker resource.
+	// This is an aggregate condition that reflects the health of all resource-level conditions.
+	// Specifically, it aggregates the following conditions:
+	// - ResourceInServiceConditionType
+	// - ResourceManagedConditionType
+	// - ResourceEnabledConditionType
+	// - ResourceOperationalConditionType
+	// - ResourceActiveConditionType
+	// - ResourceStartedConditionType
+	// - ResourceSchedulableConditionType
+	// When True, the resource is healthy with reason "ResourceHealthy".
+	// When False, the resource is unhealthy with reason "ResourceUnhealthy".
+	ResourceHealthyConditionType = "Healthy"
+
+	// ResourceInServiceConditionType tracks whether a resource is in service (not in maintenance mode).
+	// Resources in maintenance mode are not monitored or moved by pacemaker.
+	// In Two Node OpenShift with Fencing, we do not expect any resources to be in maintenance mode.
+	// When True, the resource is in service with reason "InService". This is the normal operating state.
+	// When False, the resource is in maintenance mode with reason "InMaintenance". This is an unexpected state.
+	ResourceInServiceConditionType = "InService"
+
+	// ResourceManagedConditionType tracks whether a resource is managed by pacemaker.
+	// Resources that are not managed by pacemaker are effectively invisible to the pacemaker HA logic.
+	// For Two Node OpenShift with Fencing, all resources are expected to be managed.
+	// When True, the resource is managed with reason "Managed". This is the normal operating state.
+	// When False, the resource is not managed with reason "Unmanaged". This is an unexpected state.
+	ResourceManagedConditionType = "Managed"
+
+	// ResourceEnabledConditionType tracks whether a resource is enabled.
+	// Resources that are disabled are stopped and not automatically managed or started by the cluster.
+	// In Two Node OpenShift with Fencing, we do not expect any resources to be disabled.
+	// When True, the resource is enabled with reason "Enabled". This is the normal operating state.
+	// When False, the resource is disabled with reason "Disabled". This is an unexpected state.
+	ResourceEnabledConditionType = "Enabled"
+
+	// ResourceOperationalConditionType tracks whether a resource is operational (not failed).
+	// A failed resource is one that is not able to start or is in an error state.
+	// When True, the resource is operational with reason "Operational". This is the normal operating state.
+	// When False, the resource has failed with reason "Failed". This is an unexpected state.
+	ResourceOperationalConditionType = "Operational"
+
+	// ResourceActiveConditionType tracks whether a resource is active.
+	// An active resource is running on a cluster node.
+	// In Two Node OpenShift with Fencing, all resources are expected to be active.
+	// When True, the resource is active with reason "Active". This is the normal operating state.
+	// When False, the resource is not active with reason "Inactive". This is an unexpected state.
+	ResourceActiveConditionType = "Active"
+
+	// ResourceStartedConditionType tracks whether a resource is started.
+	// It's normal for a resource like etcd to become stopped in the event of a quorum loss event because
+	// the pacemaker recovery logic will fence a node and restore etcd quorum on the surviving node as a cluster-of-one.
+	// A resource that stays stopped for an extended period of time is an unexpected state and should be investigated.
+	// When True, the resource is started with reason "Started". This is the normal operating state.
+	// When False, the resource is not started with reason "Stopped". This is expected to be temporary.
+	ResourceStartedConditionType = "Started"
+
+	// ResourceSchedulableConditionType tracks whether a resource is schedulable (not blocked).
+	// A resource that is not schedulable is unable to start or move to a different node.
+	// In Two Node OpenShift with Fencing, we do not expect any resources to be unschedulable.
+	// When True, the resource is schedulable with reason "Schedulable". This is the normal operating state.
+	// When False, the resource is not schedulable with reason "Unschedulable". This is an unexpected state.
+	ResourceSchedulableConditionType = "Schedulable"
+)
+
+// ResourceHealthy condition reasons
+const (
+	// ResourceHealthyReasonHealthy means the resource is healthy and operating normally.
+	ResourceHealthyReasonHealthy = "ResourceHealthy"
+
+	// ResourceHealthyReasonUnhealthy means the resource has issues that need investigation.
+	ResourceHealthyReasonUnhealthy = "ResourceUnhealthy"
+)
+
+// ResourceInService condition reasons
+const (
+	// ResourceInServiceReasonInService means the resource is in service (not in maintenance mode).
+	// This is the normal operating state.
+	ResourceInServiceReasonInService = "InService"
+
+	// ResourceInServiceReasonInMaintenance means the resource is in maintenance mode.
+	// Resources in maintenance mode are not monitored or moved by pacemaker. This is an unexpected state.
+	ResourceInServiceReasonInMaintenance = "InMaintenance"
+)
+
+// ResourceManaged condition reasons
+const (
+	// ResourceManagedReasonManaged means the resource is managed by pacemaker.
+	// This is the normal operating state.
+	ResourceManagedReasonManaged = "Managed"
+
+	// ResourceManagedReasonUnmanaged means the resource is not managed by pacemaker.
+	// Resources that are not managed by pacemaker are effectively invisible to the pacemaker HA logic.
+	// This is an unexpected state.
+	ResourceManagedReasonUnmanaged = "Unmanaged"
+)
+
+// ResourceEnabled condition reasons
+const (
+	// ResourceEnabledReasonEnabled means the resource is enabled.
+	// This is the normal operating state.
+	ResourceEnabledReasonEnabled = "Enabled"
+
+	// ResourceEnabledReasonDisabled means the resource is disabled.
+	// Resources that are disabled are stopped and not automatically managed or started by the cluster.
+	// This is an unexpected state.
+	ResourceEnabledReasonDisabled = "Disabled"
+)
+
+// ResourceOperational condition reasons
+const (
+	// ResourceOperationalReasonOperational means the resource is operational (not failed).
+	// This is the normal operating state.
+	ResourceOperationalReasonOperational = "Operational"
+
+	// ResourceOperationalReasonFailed means the resource has failed.
+	// A failed resource is one that is not able to start or is in an error state. This is an unexpected state.
+	ResourceOperationalReasonFailed = "Failed"
+)
+
+// ResourceActive condition reasons
+const (
+	// ResourceActiveReasonActive means the resource is active.
+	// An active resource is running on a cluster node. This is the normal operating state.
+	ResourceActiveReasonActive = "Active"
+
+	// ResourceActiveReasonInactive means the resource is not active.
+	// This is an unexpected state.
+	ResourceActiveReasonInactive = "Inactive"
+)
+
+// ResourceStarted condition reasons
+const (
+	// ResourceStartedReasonStarted means the resource is started.
+	// This is the normal operating state.
+	ResourceStartedReasonStarted = "Started"
+
+	// ResourceStartedReasonStopped means the resource is stopped.
+	// It's normal for a resource like etcd to become stopped in the event of a quorum loss event because
+	// the pacemaker recovery logic will fence a node and restore etcd quorum on the surviving node as a cluster-of-one.
+	// A resource that stays stopped for an extended period of time is an unexpected state and should be investigated.
+	ResourceStartedReasonStopped = "Stopped"
+)
+
+// ResourceSchedulable condition reasons
+const (
+	// ResourceSchedulableReasonSchedulable means the resource is schedulable (not blocked).
+	// This is the normal operating state.
+	ResourceSchedulableReasonSchedulable = "Schedulable"
+
+	// ResourceSchedulableReasonUnschedulable means the resource is not schedulable (blocked).
+	// A resource that is not schedulable is unable to start or move to a different node. This is an unexpected state.
+	ResourceSchedulableReasonUnschedulable = "Unschedulable"
+)
+
+// PacemakerNodeAddressType represents the type of a node address.
+// Currently only InternalIP is supported.
+// +kubebuilder:validation:Enum=InternalIP
+// +enum
+type PacemakerNodeAddressType string
+
+const (
+	// PacemakerNodeInternalIP is an internal IP address assigned to the node.
+	// This is typically the IP address used for intra-cluster communication.
+	PacemakerNodeInternalIP PacemakerNodeAddressType = "InternalIP"
+)
+
+// PacemakerNodeAddress contains information for a node's address.
+// This is similar to corev1.NodeAddress but adds validation for IP addresses.
+type PacemakerNodeAddress struct {
+	// type is the type of node address.
+	// Currently only "InternalIP" is supported.
+	// +required
+	Type PacemakerNodeAddressType `json:"type,omitempty"`
+
+	// address is the node address.
+	// For InternalIP, this must be a valid global unicast IPv4 or IPv6 address in canonical form.
+	// Canonical form means the shortest standard representation (e.g., "192.168.1.1" not "192.168.001.001",
+	// or "2001:db8::1" not "2001:0db8::1"). Maximum length is 39 characters (full IPv6 address).
+	// Global unicast includes private/RFC1918 addresses but excludes loopback, link-local, and multicast.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=39
+	// +kubebuilder:validation:XValidation:rule="isIP(self) && ip.isCanonical(self) && ip(self).isGlobalUnicast()",message="must be a valid global unicast IPv4 or IPv6 address in canonical form"
+	// +required
+	Address string `json:"address,omitempty"`
+}
+
+// PacemakerClusterResourceName represents the name of a pacemaker resource.
+// Fencing agents are tracked separately in the fencingAgents field.
+// +kubebuilder:validation:Enum=Kubelet;Etcd
+// +enum
+type PacemakerClusterResourceName string
+
+// PacemakerClusterResourceName values
+const (
+	// PacemakerClusterResourceNameKubelet is the kubelet pacemaker resource.
+	// The kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments.
+	PacemakerClusterResourceNameKubelet PacemakerClusterResourceName = "Kubelet"
+
+	// PacemakerClusterResourceNameEtcd is the etcd pacemaker resource.
+	// The etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations.
+	PacemakerClusterResourceNameEtcd PacemakerClusterResourceName = "Etcd"
+)
+
+// FencingMethod represents the method used by a fencing agent to isolate failed nodes.
+// Valid values are "Redfish" and "IPMI".
+// +kubebuilder:validation:Enum=Redfish;IPMI
+// +enum
+type FencingMethod string
+
+// FencingMethod values
+const (
+	// FencingMethodRedfish uses Redfish, a standard RESTful API for server management.
+	FencingMethodRedfish FencingMethod = "Redfish"
+
+	// FencingMethodIPMI uses IPMI (Intelligent Platform Management Interface), a hardware management interface.
+	FencingMethodIPMI FencingMethod = "IPMI"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// PacemakerCluster represents the current state of the pacemaker cluster as reported by the pcs status command.
+// PacemakerCluster is a cluster-scoped singleton resource. The name of this instance is "cluster". This
+// resource provides a view into the health and status of a pacemaker-managed cluster in Two Node OpenShift with Fencing deployments.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=pacemakerclusters,scope=Cluster,singular=pacemakercluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2544
+// +openshift:file-pattern=cvoRunLevel=0000_25,operatorName=etcd,operatorOrdering=01,operatorComponent=two-node-fencing
+// +openshift:enable:FeatureGate=DualReplica
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="PacemakerCluster must be named 'cluster'"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.status) || has(self.status)",message="status may not be removed once set"
+type PacemakerCluster struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +required
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// status contains the actual pacemaker cluster status information collected from the cluster.
+	// The goal of this status is to be able to quickly identify if pacemaker is in a healthy state.
+	// In Two Node OpenShift with Fencing, a healthy pacemaker cluster has 2 nodes, both of which have healthy kubelet, etcd, and fencing resources.
+	// This field is optional on creation - the status collector populates it immediately after creating
+	// the resource via the status subresource.
+	// +optional
+	Status PacemakerClusterStatus `json:"status,omitzero"`
+}
+
+// PacemakerClusterStatus contains the actual pacemaker cluster status information. As part of validating the status
+// object, we need to ensure that the lastUpdated timestamp may not be set to an earlier timestamp than the current value.
+// The validation rule checks if oldSelf has lastUpdated before comparing, to handle the initial status creation case.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.lastUpdated) || self.lastUpdated >= oldSelf.lastUpdated",message="lastUpdated may not be set to an earlier timestamp"
+type PacemakerClusterStatus struct {
+	// conditions represent the observations of the pacemaker cluster's current state.
+	// Known condition types are: "Healthy", "InService", "NodeCountAsExpected".
+	// The "Healthy" condition is an aggregate that tracks the overall health of the cluster.
+	// The "InService" condition tracks whether the cluster is in service (not in maintenance mode).
+	// The "NodeCountAsExpected" condition tracks whether the expected number of nodes are present.
+	// Each of these conditions is required, so the array must contain at least 3 items.
+	// +listType=map
+	// +listMapKey=type
+	// +kubebuilder:validation:MinItems=3
+	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'NodeCountAsExpected')",message="conditions must contain a condition of type NodeCountAsExpected"
+	// +required
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// lastUpdated is the timestamp when this status was last updated. This is useful for identifying
+	// stale status reports. It must be a valid timestamp in RFC3339 format. Once set, this field cannot
+	// be removed and cannot be set to an earlier timestamp than the current value.
+	// +kubebuilder:validation:Format=date-time
+	// +required
+	LastUpdated metav1.Time `json:"lastUpdated,omitempty,omitzero"`
+
+	// nodes provides detailed status for each control-plane node in the Pacemaker cluster.
+	// While Pacemaker supports up to 32 nodes, the limit is set to 5 (max OpenShift control-plane nodes).
+	// For Two Node OpenShift with Fencing, exactly 2 nodes are expected in a healthy cluster.
+	// An empty list indicates a catastrophic failure where Pacemaker reports no nodes.
+	// +listType=map
+	// +listMapKey=nodeName
+	// +kubebuilder:validation:MinItems=0
+	// +kubebuilder:validation:MaxItems=5
+	// +required
+	Nodes *[]PacemakerClusterNodeStatus `json:"nodes,omitempty"`
+}
+
+// PacemakerClusterNodeStatus represents the status of a single node in the pacemaker cluster including
+// the node's conditions and the health of critical resources running on that node.
+type PacemakerClusterNodeStatus struct {
+	// conditions represent the observations of the node's current state.
+	// Known condition types are: "Healthy", "Online", "InService", "Active", "Ready", "Clean", "Member",
+	// "FencingAvailable", "FencingHealthy".
+	// The "Healthy" condition is an aggregate that tracks the overall health of the node.
+	// The "Online" condition tracks whether the node is online.
+	// The "InService" condition tracks whether the node is in service (not in maintenance mode).
+	// The "Active" condition tracks whether the node is active (not in standby mode).
+	// The "Ready" condition tracks whether the node is ready (not in a pending state).
+	// The "Clean" condition tracks whether the node is in a clean (status known) state.
+	// The "Member" condition tracks whether the node is a member of the cluster.
+	// The "FencingAvailable" condition tracks whether this node can be fenced by at least one healthy agent.
+	// The "FencingHealthy" condition tracks whether all fencing agents for this node are healthy.
+	// Each of these conditions is required, so the array must contain at least 9 items.
+	// +listType=map
+	// +listMapKey=type
+	// +kubebuilder:validation:MinItems=9
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Online')",message="conditions must contain a condition of type Online"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Ready')",message="conditions must contain a condition of type Ready"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Clean')",message="conditions must contain a condition of type Clean"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Member')",message="conditions must contain a condition of type Member"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'FencingAvailable')",message="conditions must contain a condition of type FencingAvailable"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'FencingHealthy')",message="conditions must contain a condition of type FencingHealthy"
+	// +required
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase
+	// RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with
+	// an alphanumeric character, and be at most 253 characters in length.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="nodeName must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+	// +required
+	NodeName string `json:"nodeName,omitempty"`
+
+	// addresses is a list of IP addresses for the node.
+	// Pacemaker allows multiple IP addresses for Corosync communication between nodes.
+	// The first address in this list is used for IP-based peer URLs for etcd membership.
+	// Each address must be a valid global unicast IPv4 or IPv6 address in canonical form
+	// (e.g., "192.168.1.1" not "192.168.001.001", or "2001:db8::1" not "2001:0db8::1").
+	// This excludes loopback, link-local, and multicast addresses.
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=8
+	// +required
+	Addresses []PacemakerNodeAddress `json:"addresses,omitempty"`
+
+	// resources contains the status of pacemaker resources scheduled on this node.
+	// Each resource entry includes the resource name and its health conditions.
+	// For Two Node OpenShift with Fencing, we track Kubelet and Etcd resources per node.
+	// Both resources are required to be present, so the array must contain at least 2 items.
+	// Valid resource names are "Kubelet" and "Etcd".
+	// Fencing agents are tracked separately in the fencingAgents field.
+	// +listType=map
+	// +listMapKey=name
+	// +kubebuilder:validation:MinItems=2
+	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:XValidation:rule="self.exists(r, r.name == 'Kubelet')",message="resources must contain a resource named Kubelet"
+	// +kubebuilder:validation:XValidation:rule="self.exists(r, r.name == 'Etcd')",message="resources must contain a resource named Etcd"
+	// +required
+	Resources []PacemakerClusterResourceStatus `json:"resources,omitempty"`
+
+	// fencingAgents contains the status of fencing agents that can fence this node.
+	// Unlike resources (which are scheduled to run on this node), fencing agents are mapped
+	// to the node they can fence (their target), not the node where monitoring operations run.
+	// Each fencing agent entry includes a unique name, fencing type, target node, and health conditions.
+	// A node is considered fence-capable if at least one fencing agent is healthy.
+	// Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy.
+	// Names must be unique within this array.
+	// +listType=map
+	// +listMapKey=name
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="fencing agent names must be unique"
+	// +required
+	FencingAgents []PacemakerClusterFencingAgentStatus `json:"fencingAgents,omitempty"`
+}
+
+// PacemakerClusterFencingAgentStatus represents the status of a fencing agent that can fence a node.
+// Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes.
+// Unlike regular pacemaker resources, fencing agents are mapped to their target node (the node they
+// can fence), not the node where their monitoring operations are scheduled.
+type PacemakerClusterFencingAgentStatus struct {
+	// conditions represent the observations of the fencing agent's current state.
+	// Known condition types are: "Healthy", "InService", "Managed", "Enabled", "Operational",
+	// "Active", "Started", "Schedulable".
+	// The "Healthy" condition is an aggregate that tracks the overall health of the fencing agent.
+	// The "InService" condition tracks whether the fencing agent is in service (not in maintenance mode).
+	// The "Managed" condition tracks whether the fencing agent is managed by pacemaker.
+	// The "Enabled" condition tracks whether the fencing agent is enabled.
+	// The "Operational" condition tracks whether the fencing agent is operational (not failed).
+	// The "Active" condition tracks whether the fencing agent is active (available to be used).
+	// The "Started" condition tracks whether the fencing agent is started.
+	// The "Schedulable" condition tracks whether the fencing agent is schedulable (not blocked).
+	// Each of these conditions is required, so the array must contain at least 8 items.
+	// +listType=map
+	// +listMapKey=type
+	// +kubebuilder:validation:MinItems=8
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Managed')",message="conditions must contain a condition of type Managed"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Enabled')",message="conditions must contain a condition of type Enabled"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Operational')",message="conditions must contain a condition of type Operational"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Started')",message="conditions must contain a condition of type Started"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Schedulable')",message="conditions must contain a condition of type Schedulable"
+	// +required
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// name is the unique identifier for this fencing agent (e.g., "master-0_redfish").
+	// The name must be unique within the fencingAgents array for this node.
+	// It may contain alphanumeric characters, dots, hyphens, and underscores.
+	// Maximum length is 300 characters, providing headroom beyond the typical format of
+	// <node_name>_<type> (253 for RFC 1123 node name + 1 underscore + type).
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=300
+	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9._-]+$')",message="name must contain only alphanumeric characters, dots, hyphens, and underscores"
+	// +required
+	Name string `json:"name,omitempty"`
+
+	// method is the fencing method used by this agent.
+	// Valid values are "Redfish" and "IPMI".
+	// Redfish is a standard RESTful API for server management.
+	// IPMI (Intelligent Platform Management Interface) is a hardware management interface.
+	// +required
+	Method FencingMethod `json:"method,omitempty"`
+}
+
+// PacemakerClusterResourceStatus represents the status of a pacemaker resource scheduled on a node.
+// A pacemaker resource is a unit of work managed by pacemaker. In pacemaker terminology, resources are services or
+// applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability.
+// For Two Node OpenShift with Fencing, we track two resources per node:
+//   - Kubelet (the Kubernetes node agent and a prerequisite for etcd)
+//   - Etcd (the distributed key-value store)
+//
+// Fencing agents are tracked separately in the fencingAgents field because they are mapped to
+// their target node (the node they can fence), not the node where monitoring operations are scheduled.
+type PacemakerClusterResourceStatus struct {
+	// conditions represent the observations of the resource's current state.
+	// Known condition types are: "Healthy", "InService", "Managed", "Enabled", "Operational",
+	// "Active", "Started", "Schedulable".
+	// The "Healthy" condition is an aggregate that tracks the overall health of the resource.
+	// The "InService" condition tracks whether the resource is in service (not in maintenance mode).
+	// The "Managed" condition tracks whether the resource is managed by pacemaker.
+	// The "Enabled" condition tracks whether the resource is enabled.
+	// The "Operational" condition tracks whether the resource is operational (not failed).
+	// The "Active" condition tracks whether the resource is active (available to be used).
+	// The "Started" condition tracks whether the resource is started.
+	// The "Schedulable" condition tracks whether the resource is schedulable (not blocked).
+	// Each of these conditions is required, so the array must contain at least 8 items.
+	// +listType=map
+	// +listMapKey=type
+	// +kubebuilder:validation:MinItems=8
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Healthy')",message="conditions must contain a condition of type Healthy"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'InService')",message="conditions must contain a condition of type InService"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Managed')",message="conditions must contain a condition of type Managed"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Enabled')",message="conditions must contain a condition of type Enabled"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Operational')",message="conditions must contain a condition of type Operational"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Active')",message="conditions must contain a condition of type Active"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Started')",message="conditions must contain a condition of type Started"
+	// +kubebuilder:validation:XValidation:rule="self.exists(c, c.type == 'Schedulable')",message="conditions must contain a condition of type Schedulable"
+	// +required
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// name is the name of the pacemaker resource.
+	// Valid values are "Kubelet" and "Etcd".
+	// The Kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments.
+	// The Etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations.
+	// Fencing agents are tracked separately in the node's fencingAgents field.
+	// +required
+	Name PacemakerClusterResourceName `json:"name,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// PacemakerClusterList contains a list of PacemakerCluster objects. PacemakerCluster is a cluster-scoped singleton
+// resource; only one instance named "cluster" may exist. This list type exists only to satisfy Kubernetes API
+// conventions.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type PacemakerClusterList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// items is a list of PacemakerCluster objects.
+	Items []PacemakerCluster `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 0000000000..17bf978510
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,210 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+// Code generated by codegen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PacemakerCluster) DeepCopyInto(out *PacemakerCluster) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerCluster.
+func (in *PacemakerCluster) DeepCopy() *PacemakerCluster {
+	if in == nil {
+		return nil
+	}
+	out := new(PacemakerCluster)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PacemakerCluster) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PacemakerClusterFencingAgentStatus) DeepCopyInto(out *PacemakerClusterFencingAgentStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterFencingAgentStatus.
+func (in *PacemakerClusterFencingAgentStatus) DeepCopy() *PacemakerClusterFencingAgentStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PacemakerClusterFencingAgentStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PacemakerClusterList) DeepCopyInto(out *PacemakerClusterList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PacemakerCluster, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterList.
+func (in *PacemakerClusterList) DeepCopy() *PacemakerClusterList {
+	if in == nil {
+		return nil
+	}
+	out := new(PacemakerClusterList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PacemakerClusterList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PacemakerClusterNodeStatus) DeepCopyInto(out *PacemakerClusterNodeStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Addresses != nil {
+		in, out := &in.Addresses, &out.Addresses
+		*out = make([]PacemakerNodeAddress, len(*in))
+		copy(*out, *in)
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]PacemakerClusterResourceStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FencingAgents != nil {
+		in, out := &in.FencingAgents, &out.FencingAgents
+		*out = make([]PacemakerClusterFencingAgentStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterNodeStatus.
+func (in *PacemakerClusterNodeStatus) DeepCopy() *PacemakerClusterNodeStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PacemakerClusterNodeStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PacemakerClusterResourceStatus) DeepCopyInto(out *PacemakerClusterResourceStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterResourceStatus.
+func (in *PacemakerClusterResourceStatus) DeepCopy() *PacemakerClusterResourceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PacemakerClusterResourceStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PacemakerClusterStatus) DeepCopyInto(out *PacemakerClusterStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.LastUpdated.DeepCopyInto(&out.LastUpdated)
+	if in.Nodes != nil {
+		in, out := &in.Nodes, &out.Nodes
+		*out = new([]PacemakerClusterNodeStatus)
+		if **in != nil {
+			in, out := *in, *out
+			*out = make([]PacemakerClusterNodeStatus, len(*in))
+			for i := range *in {
+				(*in)[i].DeepCopyInto(&(*out)[i])
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerClusterStatus.
+func (in *PacemakerClusterStatus) DeepCopy() *PacemakerClusterStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PacemakerClusterStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PacemakerNodeAddress) DeepCopyInto(out *PacemakerNodeAddress) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacemakerNodeAddress.
+func (in *PacemakerNodeAddress) DeepCopy() *PacemakerNodeAddress {
+	if in == nil {
+		return nil
+	}
+	out := new(PacemakerNodeAddress)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
new file mode 100644
index 0000000000..f5a64682ab
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -0,0 +1,23 @@
+pacemakerclusters.etcd.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2544
+  CRDName: pacemakerclusters.etcd.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - DualReplica
+  FilenameOperatorName: etcd
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_25"
+  GroupName: etcd.openshift.io
+  HasStatus: true
+  KindName: PacemakerCluster
+  Labels: {}
+  PluralName: pacemakerclusters
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - DualReplica
+  Version: v1alpha1
+
diff --git a/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go
new file mode 100644
index 0000000000..62e1c3ebd7
--- /dev/null
+++ b/vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -0,0 +1,89 @@
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_PacemakerCluster = map[string]string{
+	"":         "PacemakerCluster represents the current state of the pacemaker cluster as reported by the pcs status command. PacemakerCluster is a cluster-scoped singleton resource. The name of this instance is \"cluster\". This resource provides a view into the health and status of a pacemaker-managed cluster in Two Node OpenShift with Fencing deployments.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"status":   "status contains the actual pacemaker cluster status information collected from the cluster. The goal of this status is to be able to quickly identify if pacemaker is in a healthy state. In Two Node OpenShift with Fencing, a healthy pacemaker cluster has 2 nodes, both of which have healthy kubelet, etcd, and fencing resources. This field is optional on creation - the status collector populates it immediately after creating the resource via the status subresource.",
+}
+
+func (PacemakerCluster) SwaggerDoc() map[string]string {
+	return map_PacemakerCluster
+}
+
+var map_PacemakerClusterFencingAgentStatus = map[string]string{
+	"":           "PacemakerClusterFencingAgentStatus represents the status of a fencing agent that can fence a node. Fencing agents are STONITH (Shoot The Other Node In The Head) devices used to isolate failed nodes. Unlike regular pacemaker resources, fencing agents are mapped to their target node (the node they can fence), not the node where their monitoring operations are scheduled.",
+	"conditions": "conditions represent the observations of the fencing agent's current state. Known condition types are: \"Healthy\", \"InService\", \"Managed\", \"Enabled\", \"Operational\", \"Active\", \"Started\", \"Schedulable\". The \"Healthy\" condition is an aggregate that tracks the overall health of the fencing agent. The \"InService\" condition tracks whether the fencing agent is in service (not in maintenance mode). The \"Managed\" condition tracks whether the fencing agent is managed by pacemaker. The \"Enabled\" condition tracks whether the fencing agent is enabled. The \"Operational\" condition tracks whether the fencing agent is operational (not failed). The \"Active\" condition tracks whether the fencing agent is active (available to be used). The \"Started\" condition tracks whether the fencing agent is started. The \"Schedulable\" condition tracks whether the fencing agent is schedulable (not blocked). Each of these conditions is required, so the array must contain at least 8 items.",
+	"name":       "name is the unique identifier for this fencing agent (e.g., \"master-0_redfish\"). The name must be unique within the fencingAgents array for this node. It may contain alphanumeric characters, dots, hyphens, and underscores. Maximum length is 300 characters, providing headroom beyond the typical format of <node_name>_<type> (253 for RFC 1123 node name + 1 underscore + type).",
+	"method":     "method is the fencing method used by this agent. Valid values are \"Redfish\" and \"IPMI\". Redfish is a standard RESTful API for server management. IPMI (Intelligent Platform Management Interface) is a hardware management interface.",
+}
+
+func (PacemakerClusterFencingAgentStatus) SwaggerDoc() map[string]string {
+	return map_PacemakerClusterFencingAgentStatus
+}
+
+var map_PacemakerClusterList = map[string]string{
+	"":         "PacemakerClusterList contains a list of PacemakerCluster objects. PacemakerCluster is a cluster-scoped singleton resource; only one instance named \"cluster\" may exist. This list type exists only to satisfy Kubernetes API conventions.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"items":    "items is a list of PacemakerCluster objects.",
+}
+
+func (PacemakerClusterList) SwaggerDoc() map[string]string {
+	return map_PacemakerClusterList
+}
+
+var map_PacemakerClusterNodeStatus = map[string]string{
+	"":              "PacemakerClusterNodeStatus represents the status of a single node in the pacemaker cluster including the node's conditions and the health of critical resources running on that node.",
+	"conditions":    "conditions represent the observations of the node's current state. Known condition types are: \"Healthy\", \"Online\", \"InService\", \"Active\", \"Ready\", \"Clean\", \"Member\", \"FencingAvailable\", \"FencingHealthy\". The \"Healthy\" condition is an aggregate that tracks the overall health of the node. The \"Online\" condition tracks whether the node is online. The \"InService\" condition tracks whether the node is in service (not in maintenance mode). The \"Active\" condition tracks whether the node is active (not in standby mode). The \"Ready\" condition tracks whether the node is ready (not in a pending state). The \"Clean\" condition tracks whether the node is in a clean (status known) state. The \"Member\" condition tracks whether the node is a member of the cluster. The \"FencingAvailable\" condition tracks whether this node can be fenced by at least one healthy agent. The \"FencingHealthy\" condition tracks whether all fencing agents for this node are healthy. Each of these conditions is required, so the array must contain at least 9 items.",
+	"nodeName":      "nodeName is the name of the node. This is expected to match the Kubernetes node's name, which must be a lowercase RFC 1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', starting and ending with an alphanumeric character, and be at most 253 characters in length.",
+	"addresses":     "addresses is a list of IP addresses for the node. Pacemaker allows multiple IP addresses for Corosync communication between nodes. The first address in this list is used for IP-based peer URLs for etcd membership. Each address must be a valid global unicast IPv4 or IPv6 address in canonical form (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). This excludes loopback, link-local, and multicast addresses.",
+	"resources":     "resources contains the status of pacemaker resources scheduled on this node. Each resource entry includes the resource name and its health conditions. For Two Node OpenShift with Fencing, we track Kubelet and Etcd resources per node. Both resources are required to be present, so the array must contain at least 2 items. Valid resource names are \"Kubelet\" and \"Etcd\". Fencing agents are tracked separately in the fencingAgents field.",
+	"fencingAgents": "fencingAgents contains the status of fencing agents that can fence this node. Unlike resources (which are scheduled to run on this node), fencing agents are mapped to the node they can fence (their target), not the node where monitoring operations run. Each fencing agent entry includes a unique name, fencing type, target node, and health conditions. A node is considered fence-capable if at least one fencing agent is healthy. Expected to have 1 fencing agent per node, but up to 8 are supported for redundancy. Names must be unique within this array.",
+}
+
+func (PacemakerClusterNodeStatus) SwaggerDoc() map[string]string {
+	return map_PacemakerClusterNodeStatus
+}
+
+var map_PacemakerClusterResourceStatus = map[string]string{
+	"":           "PacemakerClusterResourceStatus represents the status of a pacemaker resource scheduled on a node. A pacemaker resource is a unit of work managed by pacemaker. In pacemaker terminology, resources are services or applications that pacemaker monitors, starts, stops, and moves between nodes to maintain high availability. For Two Node OpenShift with Fencing, we track two resources per node:\n  - Kubelet (the Kubernetes node agent and a prerequisite for etcd)\n  - Etcd (the distributed key-value store)\n\nFencing agents are tracked separately in the fencingAgents field because they are mapped to their target node (the node they can fence), not the node where monitoring operations are scheduled.",
+	"conditions": "conditions represent the observations of the resource's current state. Known condition types are: \"Healthy\", \"InService\", \"Managed\", \"Enabled\", \"Operational\", \"Active\", \"Started\", \"Schedulable\". The \"Healthy\" condition is an aggregate that tracks the overall health of the resource. The \"InService\" condition tracks whether the resource is in service (not in maintenance mode). The \"Managed\" condition tracks whether the resource is managed by pacemaker. The \"Enabled\" condition tracks whether the resource is enabled. The \"Operational\" condition tracks whether the resource is operational (not failed). The \"Active\" condition tracks whether the resource is active (available to be used). The \"Started\" condition tracks whether the resource is started. The \"Schedulable\" condition tracks whether the resource is schedulable (not blocked). Each of these conditions is required, so the array must contain at least 8 items.",
+	"name":       "name is the name of the pacemaker resource. Valid values are \"Kubelet\" and \"Etcd\". The Kubelet resource is a prerequisite for etcd in Two Node OpenShift with Fencing deployments. The Etcd resource may temporarily transition to stopped during pacemaker quorum-recovery operations. Fencing agents are tracked separately in the node's fencingAgents field.",
+}
+
+func (PacemakerClusterResourceStatus) SwaggerDoc() map[string]string {
+	return map_PacemakerClusterResourceStatus
+}
+
+var map_PacemakerClusterStatus = map[string]string{
+	"":            "PacemakerClusterStatus contains the actual pacemaker cluster status information. As part of validating the status object, we need to ensure that the lastUpdated timestamp may not be set to an earlier timestamp than the current value. The validation rule checks if oldSelf has lastUpdated before comparing, to handle the initial status creation case.",
+	"conditions":  "conditions represent the observations of the pacemaker cluster's current state. Known condition types are: \"Healthy\", \"InService\", \"NodeCountAsExpected\". The \"Healthy\" condition is an aggregate that tracks the overall health of the cluster. The \"InService\" condition tracks whether the cluster is in service (not in maintenance mode). The \"NodeCountAsExpected\" condition tracks whether the expected number of nodes are present. Each of these conditions is required, so the array must contain at least 3 items.",
+	"lastUpdated": "lastUpdated is the timestamp when this status was last updated. This is useful for identifying stale status reports. It must be a valid timestamp in RFC3339 format. Once set, this field cannot be removed and cannot be set to an earlier timestamp than the current value.",
+	"nodes":       "nodes provides detailed status for each control-plane node in the Pacemaker cluster. While Pacemaker supports up to 32 nodes, the limit is set to 5 (max OpenShift control-plane nodes). For Two Node OpenShift with Fencing, exactly 2 nodes are expected in a healthy cluster. An empty list indicates a catastrophic failure where Pacemaker reports no nodes.",
+}
+
+func (PacemakerClusterStatus) SwaggerDoc() map[string]string {
+	return map_PacemakerClusterStatus
+}
+
+var map_PacemakerNodeAddress = map[string]string{
+	"":        "PacemakerNodeAddress contains information for a node's address. This is similar to corev1.NodeAddress but adds validation for IP addresses.",
+	"type":    "type is the type of node address. Currently only \"InternalIP\" is supported.",
+	"address": "address is the node address. For InternalIP, this must be a valid global unicast IPv4 or IPv6 address in canonical form. Canonical form means the shortest standard representation (e.g., \"192.168.1.1\" not \"192.168.001.001\", or \"2001:db8::1\" not \"2001:0db8::1\"). Maximum length is 39 characters (full IPv6 address). Global unicast includes private/RFC1918 addresses but excludes loopback, link-local, and multicast.",
+}
+
+func (PacemakerNodeAddress) SwaggerDoc() map[string]string {
+	return map_PacemakerNodeAddress
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md
index 056ae3719a..adfd5a7e76 100644
--- a/vendor/github.com/openshift/api/features.md
+++ b/vendor/github.com/openshift/api/features.md
@@ -5,14 +5,16 @@
 | EventedPLEG| | | | | | | |  |
 | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | |  |
 | MultiArchInstallAzure| | | | | | | |  |
-| NewOLMBoxCutterRuntime| | | | | | | |  |
 | ShortCertRotation| | | | | | | |  |
+| ClusterAPIComputeInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
+| ClusterAPIControlPlaneInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
 | ClusterAPIMachineManagementVSphere| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
 | Example2| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
 | ExternalSnapshotMetadata| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
-| IngressControllerDynamicConfigurationManager| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
+| KMSEncryptionProvider| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
+| NetworkConnect| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
+| NewOLMBoxCutterRuntime| | | | <span style="background-color: #519450">Enabled</span> | | | | <span style="background-color: #519450">Enabled</span>  |
 | NewOLMCatalogdAPIV1Metas| | | | <span style="background-color: #519450">Enabled</span> | | | | <span style="background-color: #519450">Enabled</span>  |
-| NewOLMOwnSingleNamespace| | | | <span style="background-color: #519450">Enabled</span> | | | | <span style="background-color: #519450">Enabled</span>  |
 | NewOLMPreflightPermissionChecks| | | | <span style="background-color: #519450">Enabled</span> | | | | <span style="background-color: #519450">Enabled</span>  |
 | NoRegistryClusterInstall| | | | <span style="background-color: #519450">Enabled</span> | | | | <span style="background-color: #519450">Enabled</span>  |
 | ProvisioningRequestAvailable| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | |  |
@@ -30,36 +32,43 @@
 | BootcNodeManagement| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | CBORServingAndStorage| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | CRDCompatibilityRequirementOperator| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| CRIOCredentialProviderConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ClientsPreferCBOR| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ClusterAPIInstallIBMCloud| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ClusterAPIMachineManagement| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ClusterMonitoringConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| ClusterUpdateAcceptRisks| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ClusterVersionOperatorConfiguration| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| ConfigurablePKI| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | DNSNameResolver| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| DRAPartitionableDevices| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | DualReplica| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | DyanmicServiceEndpointIBMCloud| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| EVPN| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | EtcdBackendQuota| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | EventTTL| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | Example| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| ExternalOIDCWithUpstreamParity| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | GCPClusterHostedDNS| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | GCPCustomAPIEndpoints| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | GCPCustomAPIEndpointsInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | GCPDualStackInstall| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| GatewayAPIWithoutOLM| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | HyperShiftOnlyDynamicResourceAllocation| <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> |  |
 | ImageModeStatusReporting| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| IngressControllerDynamicConfigurationManager| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | InsightsConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | InsightsOnDemandDataGather| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | IrreconcilableMachineConfig| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| KMSEncryptionProvider| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| KMSEncryption| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MachineAPIMigration| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| ManagedBootImagesCPMS| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MaxUnavailableStatefulSet| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MinimumKubeletVersion| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MixedCPUsAllocation| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MultiDiskSetup| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| MutableCSINodeAllocatableCount| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MutatingAdmissionPolicy| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | NewOLM| | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |
+| NewOLMOwnSingleNamespace| | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |
 | NewOLMWebhookProviderOpenshiftServiceCA| | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |
 | NutanixMultiSubnets| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | OSStreams| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
@@ -71,12 +80,8 @@
 | VSphereHostVMGroupZonal| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VSphereMixedNodeEnv| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VolumeGroupSnapshot| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| AdditionalRoutingCapabilities| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| AdminNetworkPolicy| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| AlibabaPlatform| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | AzureWorkloadIdentity| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | BuildCSIVolumes| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| CPMSMachineNamePrefix| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ConsolePluginContentSecurityPolicy| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ExternalOIDC| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ExternalOIDCWithUIDAndExtraClaimMappings| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
@@ -91,16 +96,12 @@
 | ManagedBootImages| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ManagedBootImagesAWS| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ManagedBootImagesAzure| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| ManagedBootImagesCPMS| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ManagedBootImagesvSphere| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | MetricsCollectionProfiles| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| NetworkDiagnosticsConfig| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| NetworkLiveMigration| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| NetworkSegmentation| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| MutableCSINodeAllocatableCount| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | OpenShiftPodSecurityAdmission| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | PinnedImages| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| PreconfiguredUDNAddresses| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| ProcMountType| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| RouteAdvertisements| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | RouteExternalCertificate| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ServiceAccountTokenNodeBinding| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | SigstoreImageVerification| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
@@ -111,4 +112,3 @@
 | UserNamespacesSupport| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VSphereMultiDisk| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VSphereMultiNetworks| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| VolumeAttributesClass| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go
index fdecf485b7..588f39e7f3 100644
--- a/vendor/github.com/openshift/api/features/features.go
+++ b/vendor/github.com/openshift/api/features/features.go
@@ -1,46 +1,83 @@
 package features
 
 import (
-	"fmt"
-
 	configv1 "github.com/openshift/api/config/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
-func FeatureSets(clusterProfile ClusterProfileName, featureSet configv1.FeatureSet) (*FeatureGateEnabledDisabled, error) {
-	byFeatureSet, ok := allFeatureGates[clusterProfile]
-	if !ok {
-		return nil, fmt.Errorf("no information found for ClusterProfile=%q", clusterProfile)
-	}
-	featureGates, ok := byFeatureSet[featureSet]
-	if !ok {
-		return nil, fmt.Errorf("no information found for FeatureSet=%q under ClusterProfile=%q", featureSet, clusterProfile)
+// Generating this many versions future proofs us until at least 2040.
+const minOpenshiftVersion uint64 = 4
+const maxOpenshiftVersion uint64 = 10
+
+func FeatureSets(version uint64, clusterProfile ClusterProfileName, featureSet configv1.FeatureSet) *FeatureGateEnabledDisabled {
+	enabledDisabled := &FeatureGateEnabledDisabled{}
+
+	for name, statuses := range allFeatureGates {
+		enabled := false
+
+		for _, status := range statuses {
+			if status.isEnabled(version, clusterProfile, featureSet) {
+				enabled = true
+				break
+			}
+		}
+
+		if enabled {
+			enabledDisabled.Enabled = append(enabledDisabled.Enabled, FeatureGateDescription{
+				FeatureGateAttributes: configv1.FeatureGateAttributes{
+					Name: name,
+				},
+			})
+		} else {
+			enabledDisabled.Disabled = append(enabledDisabled.Disabled, FeatureGateDescription{
+				FeatureGateAttributes: configv1.FeatureGateAttributes{
+					Name: name,
+				},
+			})
+		}
 	}
-	return featureGates.DeepCopy(), nil
+
+	return enabledDisabled
 }
 
-func AllFeatureSets() map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled {
-	ret := map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled{}
+func AllFeatureSets() map[uint64]map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled {
+	versions := sets.New[uint64]()
+	for version := minOpenshiftVersion; version <= maxOpenshiftVersion; version++ {
+		versions.Insert(version)
+	}
 
-	for clusterProfile, byFeatureSet := range allFeatureGates {
-		newByFeatureSet := map[configv1.FeatureSet]*FeatureGateEnabledDisabled{}
+	clusterProfiles := sets.New[ClusterProfileName](AllClusterProfiles...)
+	featureSets := sets.New[configv1.FeatureSet](configv1.AllFixedFeatureSets...)
 
-		for featureSet, enabledDisabled := range byFeatureSet {
-			newByFeatureSet[featureSet] = enabledDisabled.DeepCopy()
+	// Check for versions explicitly being set among the gates.
+	for _, statuses := range allFeatureGates {
+		for _, status := range statuses {
+			versions.Insert(status.version.UnsortedList()...)
+		}
+	}
+
+	ret := map[uint64]map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled{}
+	for version := range versions {
+		ret[version] = map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled{}
+		for clusterProfile := range clusterProfiles {
+			ret[version][clusterProfile] = map[configv1.FeatureSet]*FeatureGateEnabledDisabled{}
+			for featureSet := range featureSets {
+				ret[version][clusterProfile][featureSet] = FeatureSets(version, clusterProfile, featureSet)
+			}
 		}
-		ret[clusterProfile] = newByFeatureSet
 	}
 
 	return ret
 }
 
 var (
-	allFeatureGates = map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled{}
+	allFeatureGates = map[configv1.FeatureGateName][]featureGateStatus{}
 
 	FeatureGateConsolePluginCSP = newFeatureGate("ConsolePluginContentSecurityPolicy").
 					reportProblemsToJiraComponent("Management Console").
 					contactPerson("jhadvig").
 					productScope(ocpSpecific).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1706").
 					mustRegister()
 
@@ -49,7 +86,7 @@ var (
 							contactPerson("ibihim").
 							productScope(kubernetes).
 							enhancementPR("https://github.com/kubernetes/enhancements/issues/4193").
-							enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 							mustRegister()
 
 	FeatureGateMutatingAdmissionPolicy = newFeatureGate("MutatingAdmissionPolicy").
@@ -57,7 +94,7 @@ var (
 						contactPerson("benluddy").
 						productScope(kubernetes).
 						enhancementPR("https://github.com/kubernetes/enhancements/issues/3962").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateGatewayAPI = newFeatureGate("GatewayAPI").
@@ -65,7 +102,7 @@ var (
 				contactPerson("miciah").
 				productScope(ocpSpecific).
 				enhancementPR(legacyFeatureGateWithoutEnhancement).
-				enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+				enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateOpenShiftPodSecurityAdmission = newFeatureGate("OpenShiftPodSecurityAdmission").
@@ -73,7 +110,7 @@ var (
 							contactPerson("ibihim").
 							productScope(ocpSpecific).
 							enhancementPR("https://github.com/openshift/enhancements/pull/899").
-							enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 							mustRegister()
 
 	FeatureGateBuildCSIVolumes = newFeatureGate("BuildCSIVolumes").
@@ -81,7 +118,7 @@ var (
 					contactPerson("adkaplan").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateAzureWorkloadIdentity = newFeatureGate("AzureWorkloadIdentity").
@@ -89,7 +126,7 @@ var (
 						contactPerson("abutcher").
 						productScope(ocpSpecific).
 						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateAzureDedicatedHosts = newFeatureGate("AzureDedicatedHosts").
@@ -97,7 +134,7 @@ var (
 					contactPerson("rvanderp3").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1783").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateMaxUnavailableStatefulSet = newFeatureGate("MaxUnavailableStatefulSet").
@@ -105,7 +142,7 @@ var (
 						contactPerson("atiratree").
 						productScope(kubernetes).
 						enhancementPR("https://github.com/kubernetes/enhancements/issues/961").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateEventedPLEG = newFeatureGate("EventedPLEG").
@@ -120,7 +157,7 @@ var (
 						contactPerson("sgrunert").
 						productScope(ocpSpecific).
 						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateSigstoreImageVerificationPKI = newFeatureGate("SigstoreImageVerificationPKI").
@@ -128,23 +165,23 @@ var (
 						contactPerson("QiWang").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1658").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
-	FeatureGateAlibabaPlatform = newFeatureGate("AlibabaPlatform").
-					reportProblemsToJiraComponent("cloud-provider").
-					contactPerson("jspeed").
-					productScope(ocpSpecific).
-					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-					mustRegister()
+	FeatureGateCRIOCredentialProviderConfig = newFeatureGate("CRIOCredentialProviderConfig").
+						reportProblemsToJiraComponent("node").
+						contactPerson("QiWang").
+						productScope(ocpSpecific).
+						enhancementPR("https://github.com/openshift/enhancements/pull/1861").
+						enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+						mustRegister()
 
 	FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal").
 						reportProblemsToJiraComponent("splat").
 						contactPerson("jcpowermac").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1677").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateVSphereMultiDisk = newFeatureGate("VSphereMultiDisk").
@@ -152,7 +189,7 @@ var (
 					contactPerson("vr4manta").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1709").
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate").
@@ -160,71 +197,31 @@ var (
 						contactPerson("chiragkyal").
 						productScope(ocpSpecific).
 						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
-	FeatureGateCPMSMachineNamePrefix = newFeatureGate("CPMSMachineNamePrefix").
-						reportProblemsToJiraComponent("Cloud Compute / ControlPlaneMachineSet").
-						contactPerson("chiragkyal").
-						productScope(ocpSpecific).
-						enhancementPR("https://github.com/openshift/enhancements/pull/1714").
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-						mustRegister()
-
-	FeatureGateAdminNetworkPolicy = newFeatureGate("AdminNetworkPolicy").
+	FeatureGateNetworkConnect = newFeatureGate("NetworkConnect").
 					reportProblemsToJiraComponent("Networking/ovn-kubernetes").
 					contactPerson("tssurya").
 					productScope(ocpSpecific).
-					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-					mustRegister()
-
-	FeatureGateNetworkSegmentation = newFeatureGate("NetworkSegmentation").
-					reportProblemsToJiraComponent("Networking/ovn-kubernetes").
-					contactPerson("tssurya").
-					productScope(ocpSpecific).
-					enhancementPR("https://github.com/openshift/enhancements/pull/1623").
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-					mustRegister()
-
-	FeatureGateAdditionalRoutingCapabilities = newFeatureGate("AdditionalRoutingCapabilities").
-							reportProblemsToJiraComponent("Networking/cluster-network-operator").
-							contactPerson("jcaamano").
-							productScope(ocpSpecific).
-							enhancementPR(legacyFeatureGateWithoutEnhancement).
-							enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-							mustRegister()
-
-	FeatureGateRouteAdvertisements = newFeatureGate("RouteAdvertisements").
-					reportProblemsToJiraComponent("Networking/ovn-kubernetes").
-					contactPerson("jcaamano").
-					productScope(ocpSpecific).
-					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enhancementPR("https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5246").
+					enable(inDevPreviewNoUpgrade()).
 					mustRegister()
 
-	FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration").
-					reportProblemsToJiraComponent("Networking/ovn-kubernetes").
-					contactPerson("pliu").
-					productScope(ocpSpecific).
-					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-					mustRegister()
-
-	FeatureGateNetworkDiagnosticsConfig = newFeatureGate("NetworkDiagnosticsConfig").
-						reportProblemsToJiraComponent("Networking/cluster-network-operator").
-						contactPerson("kyrtapz").
-						productScope(ocpSpecific).
-						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-						mustRegister()
+	FeatureGateEVPN = newFeatureGate("EVPN").
+			reportProblemsToJiraComponent("Networking/ovn-kubernetes").
+			contactPerson("jcaamano").
+			productScope(ocpSpecific).
+			enhancementPR("https://github.com/openshift/enhancements/pull/1862").
+			enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+			mustRegister()
 
 	FeatureGateOVNObservability = newFeatureGate("OVNObservability").
 					reportProblemsToJiraComponent("Networking").
 					contactPerson("npinaeva").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateBackendQuotaGiB = newFeatureGate("EtcdBackendQuota").
@@ -232,7 +229,7 @@ var (
 					contactPerson("hasbro17").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateAutomatedEtcdBackup = newFeatureGate("AutomatedEtcdBackup").
@@ -240,7 +237,7 @@ var (
 					contactPerson("hasbro17").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateMachineAPIOperatorDisableMachineHealthCheckController = newFeatureGate("MachineAPIOperatorDisableMachineHealthCheckController").
@@ -255,7 +252,7 @@ var (
 					contactPerson("miciah").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateMachineConfigNodes = newFeatureGate("MachineConfigNodes").
@@ -263,7 +260,7 @@ var (
 					contactPerson("ijanssen").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1765").
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateImageModeStatusReporting = newFeatureGate("ImageModeStatusReporting").
@@ -271,7 +268,7 @@ var (
 						contactPerson("ijanssen").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1809").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateClusterAPIInstall = newFeatureGate("ClusterAPIInstall").
@@ -286,7 +283,7 @@ var (
 					contactPerson("barbacbd").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateAWSClusterHostedDNS = newFeatureGate("AWSClusterHostedDNS").
@@ -294,7 +291,7 @@ var (
 					contactPerson("barbacbd").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateAzureClusterHostedDNSInstall = newFeatureGate("AzureClusterHostedDNSInstall").
@@ -302,7 +299,7 @@ var (
 						contactPerson("sadasu").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1468").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateMixedCPUsAllocation = newFeatureGate("MixedCPUsAllocation").
@@ -310,7 +307,7 @@ var (
 					contactPerson("titzhak").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateManagedBootImages = newFeatureGate("ManagedBootImages").
@@ -318,7 +315,7 @@ var (
 					contactPerson("djoshy").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateManagedBootImagesAWS = newFeatureGate("ManagedBootImagesAWS").
@@ -326,7 +323,7 @@ var (
 					contactPerson("djoshy").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateManagedBootImagesvSphere = newFeatureGate("ManagedBootImagesvSphere").
@@ -334,7 +331,7 @@ var (
 						contactPerson("rsaini").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1496").
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateManagedBootImagesAzure = newFeatureGate("ManagedBootImagesAzure").
@@ -342,7 +339,7 @@ var (
 						contactPerson("djoshy").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1761").
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateManagedBootImagesCPMS = newFeatureGate("ManagedBootImagesCPMS").
@@ -350,7 +347,7 @@ var (
 						contactPerson("djoshy").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1818").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateBootImageSkewEnforcement = newFeatureGate("BootImageSkewEnforcement").
@@ -358,7 +355,7 @@ var (
 						contactPerson("djoshy").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1761").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateBootcNodeManagement = newFeatureGate("BootcNodeManagement").
@@ -366,7 +363,7 @@ var (
 					contactPerson("inesqyx").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateSignatureStores = newFeatureGate("SignatureStores").
@@ -374,7 +371,7 @@ var (
 					contactPerson("lmohanty").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateKMSv1 = newFeatureGate("KMSv1").
@@ -382,7 +379,7 @@ var (
 				contactPerson("dgrisonnet").
 				productScope(kubernetes).
 				enhancementPR(legacyFeatureGateWithoutEnhancement).
-				enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+				enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGatePinnedImages = newFeatureGate("PinnedImages").
@@ -390,7 +387,7 @@ var (
 				contactPerson("RishabhSaini").
 				productScope(ocpSpecific).
 				enhancementPR(legacyFeatureGateWithoutEnhancement).
-				enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+				enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateUpgradeStatus = newFeatureGate("UpgradeStatus").
@@ -398,23 +395,15 @@ var (
 					contactPerson("pmuller").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+					enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
-	FeatureGateVolumeAttributesClass = newFeatureGate("VolumeAttributesClass").
-						reportProblemsToJiraComponent("Storage / Kubernetes External Components").
-						contactPerson("dfajmon").
-						productScope(kubernetes).
-						enhancementPR("https://github.com/kubernetes/enhancements/issues/3751").
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-						mustRegister()
-
 	FeatureGateVolumeGroupSnapshot = newFeatureGate("VolumeGroupSnapshot").
 					reportProblemsToJiraComponent("Storage / Kubernetes External Components").
 					contactPerson("fbertina").
 					productScope(kubernetes).
 					enhancementPR("https://github.com/kubernetes/enhancements/issues/3476").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateExternalSnapshotMetadata = newFeatureGate("ExternalSnapshotMetadata").
@@ -422,7 +411,7 @@ var (
 						contactPerson("jdobson").
 						productScope(kubernetes).
 						enhancementPR("https://github.com/kubernetes/enhancements/issues/3314").
-						enableIn(configv1.DevPreviewNoUpgrade).
+						enable(inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateExternalOIDC = newFeatureGate("ExternalOIDC").
@@ -430,7 +419,7 @@ var (
 				contactPerson("liouk").
 				productScope(ocpSpecific).
 				enhancementPR("https://github.com/openshift/enhancements/pull/1596").
-				enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+				enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateExternalOIDCWithAdditionalClaimMappings = newFeatureGate("ExternalOIDCWithUIDAndExtraClaimMappings").
@@ -438,15 +427,23 @@ var (
 								contactPerson("bpalmer").
 								productScope(ocpSpecific).
 								enhancementPR("https://github.com/openshift/enhancements/pull/1777").
-								enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+								enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 								mustRegister()
 
+	FeatureGateExternalOIDCWithUpstreamParity = newFeatureGate("ExternalOIDCWithUpstreamParity").
+							reportProblemsToJiraComponent("authentication").
+							contactPerson("saldawam").
+							productScope(ocpSpecific).
+							enhancementPR("https://github.com/openshift/enhancements/pull/1763").
+							enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+							mustRegister()
+
 	FeatureGateExample = newFeatureGate("Example").
 				reportProblemsToJiraComponent("cluster-config").
 				contactPerson("deads").
 				productScope(ocpSpecific).
 				enhancementPR(legacyFeatureGateWithoutEnhancement).
-				enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+				enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateExample2 = newFeatureGate("Example2").
@@ -454,7 +451,7 @@ var (
 				contactPerson("JoelSpeed").
 				productScope(ocpSpecific).
 				enhancementPR(legacyFeatureGateWithoutEnhancement).
-				enableIn(configv1.DevPreviewNoUpgrade).
+				enable(inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateNewOLM = newFeatureGate("NewOLM").
@@ -462,7 +459,7 @@ var (
 				contactPerson("joe").
 				productScope(ocpSpecific).
 				enhancementPR(legacyFeatureGateWithoutEnhancement).
-				enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+				enable(inClusterProfile(SelfManaged), inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateNewOLMCatalogdAPIV1Metas = newFeatureGate("NewOLMCatalogdAPIV1Metas").
@@ -470,7 +467,7 @@ var (
 						contactPerson("jordank").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1749").
-						enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateNewOLMPreflightPermissionChecks = newFeatureGate("NewOLMPreflightPermissionChecks").
@@ -478,7 +475,7 @@ var (
 							contactPerson("tshort").
 							productScope(ocpSpecific).
 							enhancementPR("https://github.com/openshift/enhancements/pull/1768").
-							enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 							mustRegister()
 
 	FeatureGateNewOLMOwnSingleNamespace = newFeatureGate("NewOLMOwnSingleNamespace").
@@ -486,7 +483,7 @@ var (
 						contactPerson("nschieder").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1849").
-						enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inClusterProfile(SelfManaged), inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateNewOLMWebhookProviderOpenshiftServiceCA = newFeatureGate("NewOLMWebhookProviderOpenshiftServiceCA").
@@ -494,7 +491,7 @@ var (
 								contactPerson("pegoncal").
 								productScope(ocpSpecific).
 								enhancementPR("https://github.com/openshift/enhancements/pull/1844").
-								enableForClusterProfile(SelfManaged, configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+								enable(inClusterProfile(SelfManaged), inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 								mustRegister()
 
 	FeatureGateNewOLMBoxCutterRuntime = newFeatureGate("NewOLMBoxCutterRuntime").
@@ -502,6 +499,7 @@ var (
 						contactPerson("pegoncal").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1890").
+						enable(inClusterProfile(SelfManaged), inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather").
@@ -509,7 +507,7 @@ var (
 						contactPerson("tremes").
 						productScope(ocpSpecific).
 						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateInsightsConfig = newFeatureGate("InsightsConfig").
@@ -517,7 +515,7 @@ var (
 					contactPerson("tremes").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateMetricsCollectionProfiles = newFeatureGate("MetricsCollectionProfiles").
@@ -525,7 +523,7 @@ var (
 						contactPerson("rexagod").
 						productScope(ocpSpecific).
 						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateClusterAPIInstallIBMCloud = newFeatureGate("ClusterAPIInstallIBMCloud").
@@ -533,7 +531,7 @@ var (
 						contactPerson("cjschaef").
 						productScope(ocpSpecific).
 						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateMachineAPIMigration = newFeatureGate("MachineAPIMigration").
@@ -541,7 +539,7 @@ var (
 					contactPerson("jspeed").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateClusterAPIMachineManagement = newFeatureGate("ClusterAPIMachineManagement").
@@ -549,7 +547,7 @@ var (
 						contactPerson("ddonati").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1465").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateClusterAPIMachineManagementVSphere = newFeatureGate("ClusterAPIMachineManagementVSphere").
@@ -557,7 +555,7 @@ var (
 							contactPerson("jcpowermac").
 							productScope(ocpSpecific).
 							enhancementPR("https://github.com/openshift/enhancements/pull/1465").
-							enableIn(configv1.DevPreviewNoUpgrade).
+							enable(inDevPreviewNoUpgrade()).
 							mustRegister()
 
 	FeatureGateClusterMonitoringConfig = newFeatureGate("ClusterMonitoringConfig").
@@ -565,7 +563,7 @@ var (
 						contactPerson("marioferh").
 						productScope(ocpSpecific).
 						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateMultiArchInstallAzure = newFeatureGate("MultiArchInstallAzure").
@@ -580,7 +578,7 @@ var (
 						contactPerson("psundara").
 						productScope(ocpSpecific).
 						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateUserNamespacesSupport = newFeatureGate("UserNamespacesSupport").
@@ -588,7 +586,7 @@ var (
 						contactPerson("haircommander").
 						productScope(kubernetes).
 						enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	// Note: this feature is perma-alpha, but it is safe and desireable to enable.
@@ -599,38 +597,30 @@ var (
 							contactPerson("haircommander").
 							productScope(kubernetes).
 							enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
-							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+							enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 							mustRegister()
 
-	FeatureGateProcMountType = newFeatureGate("ProcMountType").
-					reportProblemsToJiraComponent("Node").
-					contactPerson("haircommander").
-					productScope(kubernetes).
-					enhancementPR("https://github.com/kubernetes/enhancements/issues/4265").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
-					mustRegister()
-
 	FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").
 					reportProblemsToJiraComponent("SPLAT").
 					contactPerson("rvanderp").
 					productScope(ocpSpecific).
 					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateIngressControllerDynamicConfigurationManager = newFeatureGate("IngressControllerDynamicConfigurationManager").
 								reportProblemsToJiraComponent("Networking/router").
 								contactPerson("miciah").
 								productScope(ocpSpecific).
-								enhancementPR(legacyFeatureGateWithoutEnhancement).
-								enableIn(configv1.DevPreviewNoUpgrade).
+								enhancementPR("https://github.com/openshift/enhancements/pull/1687").
+								enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
 								mustRegister()
 
 	FeatureGateMinimumKubeletVersion = newFeatureGate("MinimumKubeletVersion").
 						reportProblemsToJiraComponent("Node").
 						contactPerson("haircommander").
 						productScope(ocpSpecific).
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1697").
 						mustRegister()
 
@@ -639,7 +629,7 @@ var (
 					contactPerson("yanhli").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1711").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateKMSEncryptionProvider = newFeatureGate("KMSEncryptionProvider").
@@ -647,15 +637,23 @@ var (
 						contactPerson("swghosh").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1682").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDevPreviewNoUpgrade()).
 						mustRegister()
 
+	FeatureGateKMSEncryption = newFeatureGate("KMSEncryption").
+					reportProblemsToJiraComponent("kube-apiserver").
+					contactPerson("ardaguclu").
+					productScope(ocpSpecific).
+					enhancementPR("https://github.com/openshift/enhancements/pull/1900").
+					enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+					mustRegister()
+
 	FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter").
 						reportProblemsToJiraComponent("Two Node with Arbiter").
 						contactPerson("eggfoobar").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1674").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateCVOConfiguration = newFeatureGate("ClusterVersionOperatorConfiguration").
@@ -663,15 +661,23 @@ var (
 					contactPerson("dhurta").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1492").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
+	FeatureGateClusterUpdateAcceptRisks = newFeatureGate("ClusterUpdateAcceptRisks").
+						reportProblemsToJiraComponent("Cluster Version Operator").
+						contactPerson("hongkliu").
+						productScope(ocpSpecific).
+						enhancementPR("https://github.com/openshift/enhancements/pull/1807").
+						enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+						mustRegister()
+
 	FeatureGateGCPCustomAPIEndpoints = newFeatureGate("GCPCustomAPIEndpoints").
 						reportProblemsToJiraComponent("Installer").
 						contactPerson("barbacbd").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1492").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateDyanmicServiceEndpointIBMCloud = newFeatureGate("DyanmicServiceEndpointIBMCloud").
@@ -679,7 +685,7 @@ var (
 							contactPerson("jared-hayes-dev").
 							productScope(ocpSpecific).
 							enhancementPR("https://github.com/openshift/enhancements/pull/1712").
-							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 							mustRegister()
 
 	FeatureGateSELinuxMount = newFeatureGate("SELinuxMount").
@@ -687,7 +693,7 @@ var (
 				contactPerson("jsafrane").
 				productScope(kubernetes).
 				enhancementPR("https://github.com/kubernetes/enhancements/issues/1710").
-				enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+				enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateDualReplica = newFeatureGate("DualReplica").
@@ -695,7 +701,7 @@ var (
 				contactPerson("jaypoulz").
 				productScope(ocpSpecific).
 				enhancementPR("https://github.com/openshift/enhancements/pull/1675").
-				enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+				enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateGatewayAPIController = newFeatureGate("GatewayAPIController").
@@ -708,7 +714,7 @@ var (
 		// A dedicated feature gate now controls the Gateway Controller to distinguish
 		// its production readiness from that of the CRDs.
 		enhancementPR("https://github.com/openshift/enhancements/pull/1756").
-		enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+		enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 		mustRegister()
 
 	FeatureShortCertRotation = newFeatureGate("ShortCertRotation").
@@ -723,7 +729,7 @@ var (
 									contactPerson("rbednar").
 									productScope(ocpSpecific).
 									enhancementPR("https://github.com/openshift/enhancements/pull/1748").
-									enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+									enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 									mustRegister()
 
 	FeatureGateAzureMultiDisk = newFeatureGate("AzureMultiDisk").
@@ -731,7 +737,7 @@ var (
 					contactPerson("jcpowermac").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1779").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateStoragePerformantSecurityPolicy = newFeatureGate("StoragePerformantSecurityPolicy").
@@ -739,7 +745,7 @@ var (
 							contactPerson("hekumar").
 							productScope(ocpSpecific).
 							enhancementPR("https://github.com/openshift/enhancements/pull/1804").
-							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+							enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 							mustRegister()
 
 	FeatureGateMultiDiskSetup = newFeatureGate("MultiDiskSetup").
@@ -747,7 +753,7 @@ var (
 					contactPerson("jcpowermac").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1805").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateAWSDedicatedHosts = newFeatureGate("AWSDedicatedHosts").
@@ -755,7 +761,7 @@ var (
 					contactPerson("rvanderp3").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1781").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateVSphereMixedNodeEnv = newFeatureGate("VSphereMixedNodeEnv").
@@ -763,31 +769,23 @@ var (
 					contactPerson("vr4manta").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1772").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
-	FeatureGatePreconfiguredUDNAddresses = newFeatureGate("PreconfiguredUDNAddresses").
-						reportProblemsToJiraComponent("Networking/ovn-kubernetes").
-						contactPerson("kyrtapz").
-						productScope(ocpSpecific).
-						enhancementPR("https://github.com/openshift/enhancements/pull/1793").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
-						mustRegister()
-
 	FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup").
 							reportProblemsToJiraComponent("Cloud Compute / Cloud Controller Manager").
 							contactPerson("mtulio").
 							productScope(ocpSpecific).
 							enhancementPR("https://github.com/openshift/enhancements/pull/1802").
-							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 							mustRegister()
 
 	FeatureGateImageVolume = newFeatureGate("ImageVolume").
-			reportProblemsToJiraComponent("Node").
+				reportProblemsToJiraComponent("Node").
 				contactPerson("haircommander").
 				productScope(kubernetes).
 				enhancementPR("https://github.com/openshift/enhancements/pull/1792").
-				enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+				enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateNoRegistryClusterInstall = newFeatureGate("NoRegistryClusterInstall").
@@ -795,7 +793,7 @@ var (
 						contactPerson("andfasano").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1821").
-						enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateGCPClusterHostedDNSInstall = newFeatureGate("GCPClusterHostedDNSInstall").
@@ -803,7 +801,7 @@ var (
 						contactPerson("barbacbd").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1468").
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateAWSClusterHostedDNSInstall = newFeatureGate("AWSClusterHostedDNSInstall").
@@ -811,7 +809,7 @@ var (
 						contactPerson("barbacbd").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1468").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateGCPCustomAPIEndpointsInstall = newFeatureGate("GCPCustomAPIEndpointsInstall").
@@ -819,7 +817,7 @@ var (
 						contactPerson("barbacbd").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1492").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateIrreconcilableMachineConfig = newFeatureGate("IrreconcilableMachineConfig").
@@ -827,14 +825,14 @@ var (
 						contactPerson("pabrodri").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1785").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 	FeatureGateAWSDualStackInstall = newFeatureGate("AWSDualStackInstall").
 					reportProblemsToJiraComponent("Installer").
 					contactPerson("sadasu").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1806").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateAzureDualStackInstall = newFeatureGate("AzureDualStackInstall").
@@ -842,7 +840,7 @@ var (
 						contactPerson("jhixson74").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1806").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateGCPDualStackInstall = newFeatureGate("GCPDualStackInstall").
@@ -850,7 +848,7 @@ var (
 					contactPerson("barbacbd").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1806").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureCBORServingAndStorage = newFeatureGate("CBORServingAndStorage").
@@ -858,7 +856,7 @@ var (
 					contactPerson("benluddy").
 					productScope(kubernetes).
 					enhancementPR("https://github.com/kubernetes/enhancements/issues/4222").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureCBORClientsAllowCBOR = newFeatureGate("ClientsAllowCBOR").
@@ -873,7 +871,7 @@ var (
 					contactPerson("benluddy").
 					productScope(kubernetes).
 					enhancementPR("https://github.com/kubernetes/enhancements/issues/4222").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureEventTTL = newFeatureGate("EventTTL").
@@ -881,7 +879,7 @@ var (
 			contactPerson("tjungblu").
 			productScope(ocpSpecific).
 			enhancementPR("https://github.com/openshift/enhancements/pull/1857").
-			enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+			enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 			mustRegister()
 
 	FeatureGateMutableCSINodeAllocatableCount = newFeatureGate("MutableCSINodeAllocatableCount").
@@ -889,14 +887,14 @@ var (
 							contactPerson("jsafrane").
 							productScope(kubernetes).
 							enhancementPR("https://github.com/kubernetes/enhancements/issues/4876").
-							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade(), inDefault(), inOKD()).
 							mustRegister()
 	FeatureGateOSStreams = newFeatureGate("OSStreams").
 				reportProblemsToJiraComponent("MachineConfigOperator").
 				contactPerson("pabrodri").
 				productScope(ocpSpecific).
 				enhancementPR("https://github.com/openshift/enhancements/pull/1874").
-				enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+				enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 				mustRegister()
 
 	FeatureGateCRDCompatibilityRequirementOperator = newFeatureGate("CRDCompatibilityRequirementOperator").
@@ -904,14 +902,14 @@ var (
 							contactPerson("ddonati").
 							productScope(ocpSpecific).
 							enhancementPR("https://github.com/openshift/enhancements/pull/1845").
-							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 							mustRegister()
 	FeatureGateOnPremDNSRecords = newFeatureGate("OnPremDNSRecords").
 					reportProblemsToJiraComponent("Networking / On-Prem DNS").
 					contactPerson("bnemec").
 					productScope(ocpSpecific).
 					enhancementPR("https://github.com/openshift/enhancements/pull/1803").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 					mustRegister()
 
 	FeatureGateProvisioningRequestAvailable = newFeatureGate("ProvisioningRequestAvailable").
@@ -919,7 +917,7 @@ var (
 						contactPerson("elmiko").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1752").
-						enableIn(configv1.DevPreviewNoUpgrade).
+						enable(inDevPreviewNoUpgrade()).
 						mustRegister()
 
 	FeatureGateHyperShiftOnlyDynamicResourceAllocation = newFeatureGate("HyperShiftOnlyDynamicResourceAllocation").
@@ -927,6 +925,46 @@ var (
 								contactPerson("csrwng").
 								productScope(ocpSpecific).
 								enhancementPR("https://github.com/kubernetes/enhancements/issues/4381").
-								enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
+								enable(inClusterProfile(Hypershift), inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 								mustRegister()
+
+	FeatureGateDRAPartitionableDevices = newFeatureGate("DRAPartitionableDevices").
+						reportProblemsToJiraComponent("Node").
+						contactPerson("harche").
+						productScope(kubernetes).
+						enhancementPR("https://github.com/kubernetes/enhancements/issues/4815").
+						enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+						mustRegister()
+
+	FeatureGateConfigurablePKI = newFeatureGate("ConfigurablePKI").
+					reportProblemsToJiraComponent("kube-apiserver").
+					contactPerson("sanchezl").
+					productScope(ocpSpecific).
+					enhancementPR("https://github.com/openshift/enhancements/pull/1882").
+					enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+					mustRegister()
+
+	FeatureGateClusterAPIControlPlaneInstall = newFeatureGate("ClusterAPIControlPlaneInstall").
+							reportProblemsToJiraComponent("Installer / openshift-installer").
+							contactPerson("patrickdillon").
+							productScope(ocpSpecific).
+							enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+							enable(inDevPreviewNoUpgrade()).
+							mustRegister()
+
+	FeatureGateClusterAPIComputeInstall = newFeatureGate("ClusterAPIComputeInstall").
+						reportProblemsToJiraComponent("Installer / openshift-installer").
+						contactPerson("patrickdillon").
+						productScope(ocpSpecific).
+						enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+						enable(inDevPreviewNoUpgrade()).
+						mustRegister()
+
+	FeatureGateGatewayAPIWithoutOLM = newFeatureGate("GatewayAPIWithoutOLM").
+					reportProblemsToJiraComponent("Routing").
+					contactPerson("miciah").
+					productScope(ocpSpecific).
+					enhancementPR("https://github.com/openshift/enhancements/pull/1933").
+					enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+					mustRegister()
 )
diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
index dd11fdf663..a92c0b9bb9 100644
--- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go
+++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
@@ -7,10 +7,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"AWSEFSDriverVolumeMetrics",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"AdditionalRoutingCapabilities",
-	// never add to this list, if you think you have an exception ask @deads2k
-	"AdminNetworkPolicy",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"AlibabaPlatform",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"AutomatedEtcdBackup",
@@ -79,12 +75,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"MultiArchInstallGCP",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"NetworkDiagnosticsConfig",
-	// never add to this list, if you think you have an exception ask @deads2k
-	"NetworkLiveMigration",
-	// never add to this list, if you think you have an exception ask @deads2k
-	"NetworkSegmentation",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"NewOLM",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"OVNObservability",
@@ -95,8 +85,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"PrivateHostedZoneAWS",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"RouteAdvertisements",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"RouteExternalCertificate",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"SetEIPForNLBIngressController",
diff --git a/vendor/github.com/openshift/api/features/util.go b/vendor/github.com/openshift/api/features/util.go
index 59bb7bff40..243b325be9 100644
--- a/vendor/github.com/openshift/api/features/util.go
+++ b/vendor/github.com/openshift/api/features/util.go
@@ -2,9 +2,11 @@ package features
 
 import (
 	"fmt"
-	configv1 "github.com/openshift/api/config/v1"
 	"net/url"
 	"strings"
+
+	configv1 "github.com/openshift/api/config/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 // FeatureGateDescription is a golang-only interface used to contains details for a feature gate.
@@ -44,6 +46,77 @@ var (
 	kubernetes  = OwningProduct("Kubernetes")
 )
 
+type featureGateEnableOption func(s *featureGateStatus)
+
+type versionOperator string
+
+var (
+	equal              = versionOperator("=")
+	greaterThan        = versionOperator(">")
+	greaterThanOrEqual = versionOperator(">=")
+	lessThan           = versionOperator("<")
+	lessThanOrEqual    = versionOperator("<=")
+)
+
+func inVersion(version uint64, op versionOperator) featureGateEnableOption {
+	return func(s *featureGateStatus) {
+		switch op {
+		case equal:
+			s.version.Insert(version)
+		case greaterThan:
+			for v := version + 1; v <= maxOpenshiftVersion; v++ {
+				s.version.Insert(v)
+			}
+		case greaterThanOrEqual:
+			for v := version; v <= maxOpenshiftVersion; v++ {
+				s.version.Insert(v)
+			}
+		case lessThan:
+			for v := minOpenshiftVersion; v < version; v++ {
+				s.version.Insert(v)
+			}
+		case lessThanOrEqual:
+			for v := minOpenshiftVersion; v <= version; v++ {
+				s.version.Insert(v)
+			}
+		default:
+			panic(fmt.Sprintf("invalid version operator: %s", op))
+		}
+	}
+}
+
+func inClusterProfile(clusterProfile ClusterProfileName) featureGateEnableOption {
+	return func(s *featureGateStatus) {
+		s.clusterProfile.Insert(clusterProfile)
+	}
+}
+
+func withFeatureSet(featureSet configv1.FeatureSet) featureGateEnableOption {
+	return func(s *featureGateStatus) {
+		s.featureSets.Insert(featureSet)
+	}
+}
+
+func inDefault() featureGateEnableOption {
+	return withFeatureSet(configv1.Default)
+}
+
+func inTechPreviewNoUpgrade() featureGateEnableOption {
+	return withFeatureSet(configv1.TechPreviewNoUpgrade)
+}
+
+func inDevPreviewNoUpgrade() featureGateEnableOption {
+	return withFeatureSet(configv1.DevPreviewNoUpgrade)
+}
+
+func inCustomNoUpgrade() featureGateEnableOption {
+	return withFeatureSet(configv1.CustomNoUpgrade)
+}
+
+func inOKD() featureGateEnableOption {
+	return withFeatureSet(configv1.OKD)
+}
+
 type featureGateBuilder struct {
 	name                string
 	owningJiraComponent string
@@ -51,7 +124,22 @@ type featureGateBuilder struct {
 	owningProduct       OwningProduct
 	enhancementPRURL    string
 
-	statusByClusterProfileByFeatureSet map[ClusterProfileName]map[configv1.FeatureSet]bool
+	status []featureGateStatus
+}
+type featureGateStatus struct {
+	version        sets.Set[uint64]
+	clusterProfile sets.Set[ClusterProfileName]
+	featureSets    sets.Set[configv1.FeatureSet]
+}
+
+func (s *featureGateStatus) isEnabled(version uint64, clusterProfile ClusterProfileName, featureSet configv1.FeatureSet) bool {
+	// If either version or clusterprofile are empty, match all.
+	matchesVersion := len(s.version) == 0 || s.version.Has(version)
+	matchesClusterProfile := len(s.clusterProfile) == 0 || s.clusterProfile.Has(clusterProfile)
+
+	matchesFeatureSet := s.featureSets.Has(featureSet)
+
+	return matchesVersion && matchesClusterProfile && matchesFeatureSet
 }
 
 const (
@@ -60,18 +148,9 @@ const (
 
 // newFeatureGate featuregate are disabled in every FeatureSet and selectively enabled
 func newFeatureGate(name string) *featureGateBuilder {
-	b := &featureGateBuilder{
-		name:                               name,
-		statusByClusterProfileByFeatureSet: map[ClusterProfileName]map[configv1.FeatureSet]bool{},
-	}
-	for _, clusterProfile := range AllClusterProfiles {
-		byFeatureSet := map[configv1.FeatureSet]bool{}
-		for _, featureSet := range configv1.AllFixedFeatureSets {
-			byFeatureSet[featureSet] = false
-		}
-		b.statusByClusterProfileByFeatureSet[clusterProfile] = byFeatureSet
+	return &featureGateBuilder{
+		name: name,
 	}
-	return b
 }
 
 func (b *featureGateBuilder) reportProblemsToJiraComponent(owningJiraComponent string) *featureGateBuilder {
@@ -94,19 +173,19 @@ func (b *featureGateBuilder) enhancementPR(url string) *featureGateBuilder {
 	return b
 }
 
-func (b *featureGateBuilder) enableIn(featureSets ...configv1.FeatureSet) *featureGateBuilder {
-	for clusterProfile := range b.statusByClusterProfileByFeatureSet {
-		for _, featureSet := range featureSets {
-			b.statusByClusterProfileByFeatureSet[clusterProfile][featureSet] = true
-		}
+func (b *featureGateBuilder) enable(opts ...featureGateEnableOption) *featureGateBuilder {
+	status := featureGateStatus{
+		version:        sets.New[uint64](),
+		clusterProfile: sets.New[ClusterProfileName](),
+		featureSets:    sets.New[configv1.FeatureSet](),
 	}
-	return b
-}
 
-func (b *featureGateBuilder) enableForClusterProfile(clusterProfile ClusterProfileName, featureSets ...configv1.FeatureSet) *featureGateBuilder {
-	for _, featureSet := range featureSets {
-		b.statusByClusterProfileByFeatureSet[clusterProfile][featureSet] = true
+	for _, opt := range opts {
+		opt(&status)
 	}
+
+	b.status = append(b.status, status)
+
 	return b
 }
 
@@ -133,41 +212,18 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) {
 	case len(b.enhancementPRURL) == 0:
 		return "", fmt.Errorf("FeatureGate/%s is missing an enhancementPR with GA Graduation Criteria like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name)
 
-	case !strings.HasPrefix(b.enhancementPRURL, "https://github.com/openshift/enhancements/pull/") && !strings.HasPrefix(b.enhancementPRURL, "https://github.com/kubernetes/enhancements/issues/"):
-		return "", fmt.Errorf("FeatureGate/%s enhancementPR format is incorrect; must be like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name)
+	case !strings.HasPrefix(b.enhancementPRURL, "https://github.com/openshift/enhancements/pull/") &&
+		!strings.HasPrefix(b.enhancementPRURL, "https://github.com/kubernetes/enhancements/issues/") &&
+		!strings.HasPrefix(b.enhancementPRURL, "https://github.com/ovn-kubernetes/ovn-kubernetes/pull/"):
+		return "", fmt.Errorf("FeatureGate/%s enhancementPR format is incorrect; must be like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/#### or https://github.com/ovn-kubernetes/ovn-kubernetes/pull/####", b.name)
 
 	case enhancementPRErr != nil:
 		return "", fmt.Errorf("FeatureGate/%s is enhancementPR is invalid: %w", b.name, enhancementPRErr)
 	}
 
 	featureGateName := configv1.FeatureGateName(b.name)
-	description := FeatureGateDescription{
-		FeatureGateAttributes: configv1.FeatureGateAttributes{
-			Name: featureGateName,
-		},
-		OwningJiraComponent: b.owningJiraComponent,
-		ResponsiblePerson:   b.responsiblePerson,
-		OwningProduct:       b.owningProduct,
-		EnhancementPR:       b.enhancementPRURL,
-	}
-
-	// statusByClusterProfileByFeatureSet is initialized by constructor to be false for every combination
-	for clusterProfile, byFeatureSet := range b.statusByClusterProfileByFeatureSet {
-		for featureSet, enabled := range byFeatureSet {
-			if _, ok := allFeatureGates[clusterProfile]; !ok {
-				allFeatureGates[clusterProfile] = map[configv1.FeatureSet]*FeatureGateEnabledDisabled{}
-			}
-			if _, ok := allFeatureGates[clusterProfile][featureSet]; !ok {
-				allFeatureGates[clusterProfile][featureSet] = &FeatureGateEnabledDisabled{}
-			}
 
-			if enabled {
-				allFeatureGates[clusterProfile][featureSet].Enabled = append(allFeatureGates[clusterProfile][featureSet].Enabled, description)
-			} else {
-				allFeatureGates[clusterProfile][featureSet].Disabled = append(allFeatureGates[clusterProfile][featureSet].Disabled, description)
-			}
-		}
-	}
+	allFeatureGates[featureGateName] = b.status
 
 	return featureGateName, nil
 }
diff --git a/vendor/github.com/openshift/api/install.go b/vendor/github.com/openshift/api/install.go
index cc91150009..e4574e7c4f 100644
--- a/vendor/github.com/openshift/api/install.go
+++ b/vendor/github.com/openshift/api/install.go
@@ -47,6 +47,7 @@ import (
 	kstoragev1beta1 "k8s.io/api/storage/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 
+	"github.com/openshift/api/apiextensions"
 	"github.com/openshift/api/apiserver"
 	"github.com/openshift/api/apps"
 	"github.com/openshift/api/authorization"
@@ -54,6 +55,7 @@ import (
 	"github.com/openshift/api/cloudnetwork"
 	"github.com/openshift/api/config"
 	"github.com/openshift/api/console"
+	"github.com/openshift/api/etcd"
 	"github.com/openshift/api/helm"
 	"github.com/openshift/api/image"
 	"github.com/openshift/api/imageregistry"
@@ -83,12 +85,14 @@ import (
 
 var (
 	schemeBuilder = runtime.NewSchemeBuilder(
+		apiextensions.Install,
 		apiserver.Install,
 		apps.Install,
 		authorization.Install,
 		build.Install,
 		config.Install,
 		console.Install,
+		etcd.Install,
 		helm.Install,
 		image.Install,
 		imageregistry.Install,
diff --git a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
index d7661cf389..25ffc9f46d 100644
--- a/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
+++ b/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
@@ -53,10 +53,9 @@ type ControlPlaneMachineSetSpec struct {
 	// For example, if machineNamePrefix is set to 'control-plane',
 	// and three machines are created, their names might be:
 	// control-plane-abcde-0, control-plane-fghij-1, control-plane-klmno-2
-	// +openshift:validation:FeatureGateAwareXValidation:featureGate=CPMSMachineNamePrefix,rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'). Each block, separated by periods, must start and end with an alphanumeric character. Hyphens are not allowed at the start or end of a block, and consecutive periods are not permitted."
+	// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'). Each block, separated by periods, must start and end with an alphanumeric character. Hyphens are not allowed at the start or end of a block, and consecutive periods are not permitted."
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=245
-	// +openshift:enable:FeatureGate=CPMSMachineNamePrefix
 	// +optional
 	MachineNamePrefix string `json:"machineNamePrefix,omitempty"`
 
diff --git a/vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml
index 7be04ec844..b001170faf 100644
--- a/vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -7,7 +7,6 @@ controlplanemachinesets.machine.openshift.io:
   Capability: MachineAPI
   Category: ""
   FeatureGates:
-  - CPMSMachineNamePrefix
   - MachineAPIMigration
   FilenameOperatorName: control-plane-machine-set
   FilenameOperatorOrdering: "01"
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
index c6442186a0..e3508d6679 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
@@ -331,9 +331,16 @@ type Filter struct {
 
 // TagSpecification is the name/value pair for a tag
 type TagSpecification struct {
-	// name of the tag
+	// name of the tag.
+	// This field is required and must be a non-empty string.
+	// Must be between 1 and 128 characters in length.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +required
 	Name string `json:"name"`
-	// value of the tag
+	// value of the tag.
+	// When omitted, this creates a tag with an empty string as the value.
+	// +optional
 	Value string `json:"value"`
 }
 
@@ -407,6 +414,26 @@ type AWSMachineProviderStatus struct {
 	// +listType=map
 	// +listMapKey=type
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
+	// dedicatedHost tracks the dynamically allocated dedicated host.
+	// This field is populated when allocationStrategy is Dynamic (with or without DynamicHostAllocation).
+	// When omitted, this indicates that the dedicated host has not yet been allocated, or allocation is in progress.
+	// +optional
+	DedicatedHost *DedicatedHostStatus `json:"dedicatedHost,omitempty"`
+}
+
+// DedicatedHostStatus defines the observed state of a dynamically allocated dedicated host
+// associated with an AWSMachine. This struct is used to track the ID of the dedicated host.
+type DedicatedHostStatus struct {
+	// id tracks the dynamically allocated dedicated host ID.
+	// This field is populated when allocationStrategy is Dynamic (with or without DynamicHostAllocation).
+	// The value must start with "h-" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f).
+	// The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format.
+	// Must be either 10 or 19 characters in length.
+	// +kubebuilder:validation:XValidation:rule="self.matches('^h-([0-9a-f]{8}|[0-9a-f]{17})$')",message="id must start with 'h-' followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f)"
+	// +kubebuilder:validation:MinLength=10
+	// +kubebuilder:validation:MaxLength=19
+	// +required
+	ID string `json:"id,omitempty"`
 }
 
 // MarketType describes the market type of an EC2 Instance
@@ -454,20 +481,77 @@ type HostAffinity string
 
 const (
 	// HostAffinityAnyAvailable lets the platform select any available dedicated host.
+
 	HostAffinityAnyAvailable HostAffinity = "AnyAvailable"
 
 	// HostAffinityDedicatedHost requires specifying a particular host via dedicatedHost.host.hostID.
 	HostAffinityDedicatedHost HostAffinity = "DedicatedHost"
 )
 
+// AllocationStrategy selects how a dedicated host is provided to the system for assigning to the instance.
+// +kubebuilder:validation:Enum:=UserProvided;Dynamic
+// +enum
+type AllocationStrategy string
+
+const (
+	// AllocationStrategyUserProvided specifies that the system should assign instances to a user-provided dedicated host.
+	AllocationStrategyUserProvided AllocationStrategy = "UserProvided"
+
+	// AllocationStrategyDynamic specifies that the system should dynamically allocate a dedicated host for instances.
+	AllocationStrategyDynamic AllocationStrategy = "Dynamic"
+)
+
 // DedicatedHost represents the configuration for the usage of dedicated host.
+// +kubebuilder:validation:XValidation:rule="self.allocationStrategy == 'UserProvided' ? has(self.id) : !has(self.id)",message="id is required when allocationStrategy is UserProvided, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.dynamicHostAllocation) ? self.allocationStrategy == 'Dynamic' : true",message="dynamicHostAllocation is only allowed when allocationStrategy is Dynamic"
+// +union
 type DedicatedHost struct {
+	// allocationStrategy specifies if the dedicated host will be provided by the admin through the id field or if the host will be dynamically allocated.
+	// Valid values are UserProvided and Dynamic.
+	// When omitted, the value defaults to "UserProvided", which requires the id field to be set.
+	// When allocationStrategy is set to UserProvided, an ID of the dedicated host to assign must be provided.
+	// When allocationStrategy is set to Dynamic, a dedicated host will be allocated and used to assign instances.
+	// When allocationStrategy is set to Dynamic, and dynamicHostAllocation is configured, a dedicated host will be allocated and the tags in dynamicHostAllocation will be assigned to that host.
+	// +optional
+	// +unionDiscriminator
+	// +default="UserProvided"
+	AllocationStrategy *AllocationStrategy `json:"allocationStrategy,omitempty"`
+
 	// id identifies the AWS Dedicated Host on which the instance must run.
-	// The value must start with "h-" followed by 17 lowercase hexadecimal characters (0-9 and a-f).
-	// Must be exactly 19 characters in length.
-	// +kubebuilder:validation:XValidation:rule="self.matches('^h-[0-9a-f]{17}$')",message="hostID must start with 'h-' followed by 17 lowercase hexadecimal characters (0-9 and a-f)"
-	// +kubebuilder:validation:MinLength=19
+	// The value must start with "h-" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f).
+	// The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format.
+	// Must be either 10 or 19 characters in length.
+	// This field is required when allocationStrategy is UserProvided, and forbidden otherwise.
+	// When omitted with allocationStrategy set to Dynamic, the platform will dynamically allocate a dedicated host.
+	// +kubebuilder:validation:XValidation:rule="self.matches('^h-([0-9a-f]{8}|[0-9a-f]{17})$')",message="id must start with 'h-' followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f)"
+	// +kubebuilder:validation:MinLength=10
 	// +kubebuilder:validation:MaxLength=19
-	// +required
+	// +optional
+	// +unionMember=UserProvided
 	ID string `json:"id,omitempty"`
+
+	// dynamicHostAllocation specifies tags to apply to a dynamically allocated dedicated host.
+	// This field is only allowed when allocationStrategy is Dynamic, and is mutually exclusive with id.
+	// When specified, a dedicated host will be allocated with the provided tags applied.
+	// When omitted (and allocationStrategy is Dynamic), a dedicated host will be allocated without any additional tags.
+	// +optional
+	// +unionMember=Dynamic
+	DynamicHostAllocation *DynamicHostAllocationSpec `json:"dynamicHostAllocation,omitempty"`
+}
+
+// DynamicHostAllocationSpec defines the configuration for dynamic dedicated host allocation.
+// This specification always allocates exactly one dedicated host per machine.
+// At least one property must be specified when this struct is used.
+// Currently only Tags are available for configuring, but in the future more configs may become available.
+// +kubebuilder:validation:MinProperties=1
+type DynamicHostAllocationSpec struct {
+	// tags specifies a set of key-value pairs to apply to the allocated dedicated host.
+	// When omitted, no additional user-defined tags will be applied to the allocated host.
+	// A maximum of 50 tags can be specified.
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=50
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	Tags *[]TagSpecification `json:"tags,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go
index 33f472f926..6bfe850812 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go
@@ -185,6 +185,18 @@ const (
 	MachineAuthorityMigrating MachineAuthority = "Migrating"
 )
 
+// SynchronizedAPI holds the last stable value of authoritativeAPI.
+// +kubebuilder:validation:Enum=MachineAPI;ClusterAPI
+type SynchronizedAPI string
+
+const (
+	// MachineAPISynchronized indicates that the Machine API is the last synchronized API.
+	MachineAPISynchronized SynchronizedAPI = "MachineAPI"
+
+	// ClusterAPISynchronized indicates that the Cluster API is the last synchronized API.
+	ClusterAPISynchronized SynchronizedAPI = "ClusterAPI"
+)
+
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
@@ -317,6 +329,7 @@ type LifecycleHook struct {
 
 // MachineStatus defines the observed state of Machine
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == 'Migrating' && self.authoritativeAPI != 'Migrating')",message="synchronizedGeneration must not decrease unless authoritativeAPI is transitioning from Migrating to another value"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI)",message="authoritativeAPI may not be removed once set"
 type MachineStatus struct {
 	// nodeRef will point to the corresponding Node if it exists.
 	// +optional
@@ -406,6 +419,14 @@ type MachineStatus struct {
 	// +optional
 	AuthoritativeAPI MachineAuthority `json:"authoritativeAPI,omitempty"`
 
+	// synchronizedAPI holds the last stable value of authoritativeAPI.
+	// It is used to detect migration cancellation requests and to restore the resource to its previous state.
+	// Valid values are "MachineAPI" and "ClusterAPI".
+	// When omitted, the resource has not yet been reconciled by the migration controller.
+	// +openshift:enable:FeatureGate=MachineAPIMigration
+	// +optional
+	SynchronizedAPI SynchronizedAPI `json:"synchronizedAPI,omitempty"`
+
 	// synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with.
 	// This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.
 	// +kubebuilder:validation:Minimum=0
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go
index a2343dc398..be5476344b 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go
@@ -112,6 +112,7 @@ type MachineTemplateSpec struct {
 
 // MachineSetStatus defines the observed state of MachineSet
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="!has(oldSelf.synchronizedGeneration) || (has(self.synchronizedGeneration) && self.synchronizedGeneration >= oldSelf.synchronizedGeneration) || (oldSelf.authoritativeAPI == 'Migrating' && self.authoritativeAPI != 'Migrating')",message="synchronizedGeneration must not decrease unless authoritativeAPI is transitioning from Migrating to another value"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=MachineAPIMigration,rule="has(self.authoritativeAPI) || !has(oldSelf.authoritativeAPI)",message="authoritativeAPI may not be removed once set"
 type MachineSetStatus struct {
 	// replicas is the most recently observed number of replicas.
 	// +optional
@@ -168,6 +169,14 @@ type MachineSetStatus struct {
 	// +optional
 	AuthoritativeAPI MachineAuthority `json:"authoritativeAPI,omitempty"`
 
+	// synchronizedAPI holds the last stable value of authoritativeAPI.
+	// It is used to detect migration cancellation requests and to restore the resource to its previous state.
+	// Valid values are "MachineAPI" and "ClusterAPI".
+	// When omitted, the resource has not yet been reconciled by the migration controller.
+	// +openshift:enable:FeatureGate=MachineAPIMigration
+	// +optional
+	SynchronizedAPI SynchronizedAPI `json:"synchronizedAPI,omitempty"`
+
 	// synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with.
 	// This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.
 	// +kubebuilder:validation:Minimum=0
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
index d08906c7d8..63b9bb5ff8 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
@@ -152,6 +152,11 @@ func (in *AWSMachineProviderStatus) DeepCopyInto(out *AWSMachineProviderStatus)
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.DedicatedHost != nil {
+		in, out := &in.DedicatedHost, &out.DedicatedHost
+		*out = new(DedicatedHostStatus)
+		**out = **in
+	}
 	return
 }
 
@@ -512,6 +517,16 @@ func (in *DataDiskManagedDiskParameters) DeepCopy() *DataDiskManagedDiskParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DedicatedHost) DeepCopyInto(out *DedicatedHost) {
 	*out = *in
+	if in.AllocationStrategy != nil {
+		in, out := &in.AllocationStrategy, &out.AllocationStrategy
+		*out = new(AllocationStrategy)
+		**out = **in
+	}
+	if in.DynamicHostAllocation != nil {
+		in, out := &in.DynamicHostAllocation, &out.DynamicHostAllocation
+		*out = new(DynamicHostAllocationSpec)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -525,6 +540,22 @@ func (in *DedicatedHost) DeepCopy() *DedicatedHost {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DedicatedHostStatus) DeepCopyInto(out *DedicatedHostStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DedicatedHostStatus.
+func (in *DedicatedHostStatus) DeepCopy() *DedicatedHostStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(DedicatedHostStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DiskEncryptionSetParameters) DeepCopyInto(out *DiskEncryptionSetParameters) {
 	*out = *in
@@ -557,6 +588,31 @@ func (in *DiskSettings) DeepCopy() *DiskSettings {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DynamicHostAllocationSpec) DeepCopyInto(out *DynamicHostAllocationSpec) {
+	*out = *in
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = new([]TagSpecification)
+		if **in != nil {
+			in, out := *in, *out
+			*out = make([]TagSpecification, len(*in))
+			copy(*out, *in)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicHostAllocationSpec.
+func (in *DynamicHostAllocationSpec) DeepCopy() *DynamicHostAllocationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DynamicHostAllocationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSBlockDeviceSpec) DeepCopyInto(out *EBSBlockDeviceSpec) {
 	*out = *in
@@ -935,7 +991,7 @@ func (in *HostPlacement) DeepCopyInto(out *HostPlacement) {
 	if in.DedicatedHost != nil {
 		in, out := &in.DedicatedHost, &out.DedicatedHost
 		*out = new(DedicatedHost)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
index 903faf94ba..2c4a9030cc 100644
--- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
@@ -54,6 +54,7 @@ var map_AWSMachineProviderStatus = map[string]string{
 	"instanceId":    "instanceId is the instance ID of the machine created in AWS",
 	"instanceState": "instanceState is the state of the AWS instance for this machine",
 	"conditions":    "conditions is a set of conditions associated with the Machine to indicate errors or other status",
+	"dedicatedHost": "dedicatedHost tracks the dynamically allocated dedicated host. This field is populated when allocationStrategy is Dynamic (with or without DynamicHostAllocation). When omitted, this indicates that the dedicated host has not yet been allocated, or allocation is in progress.",
 }
 
 func (AWSMachineProviderStatus) SwaggerDoc() map[string]string {
@@ -93,14 +94,34 @@ func (CPUOptions) SwaggerDoc() map[string]string {
 }
 
 var map_DedicatedHost = map[string]string{
-	"":   "DedicatedHost represents the configuration for the usage of dedicated host.",
-	"id": "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by 17 lowercase hexadecimal characters (0-9 and a-f). Must be exactly 19 characters in length.",
+	"":                      "DedicatedHost represents the configuration for the usage of dedicated host.",
+	"allocationStrategy":    "allocationStrategy specifies if the dedicated host will be provided by the admin through the id field or if the host will be dynamically allocated. Valid values are UserProvided and Dynamic. When omitted, the value defaults to \"UserProvided\", which requires the id field to be set. When allocationStrategy is set to UserProvided, an ID of the dedicated host to assign must be provided. When allocationStrategy is set to Dynamic, a dedicated host will be allocated and used to assign instances. When allocationStrategy is set to Dynamic, and dynamicHostAllocation is configured, a dedicated host will be allocated and the tags in dynamicHostAllocation will be assigned to that host.",
+	"id":                    "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length. This field is required when allocationStrategy is UserProvided, and forbidden otherwise. When omitted with allocationStrategy set to Dynamic, the platform will dynamically allocate a dedicated host.",
+	"dynamicHostAllocation": "dynamicHostAllocation specifies tags to apply to a dynamically allocated dedicated host. This field is only allowed when allocationStrategy is Dynamic, and is mutually exclusive with id. When specified, a dedicated host will be allocated with the provided tags applied. When omitted (and allocationStrategy is Dynamic), a dedicated host will be allocated without any additional tags.",
 }
 
 func (DedicatedHost) SwaggerDoc() map[string]string {
 	return map_DedicatedHost
 }
 
+var map_DedicatedHostStatus = map[string]string{
+	"":   "DedicatedHostStatus defines the observed state of a dynamically allocated dedicated host associated with an AWSMachine. This struct is used to track the ID of the dedicated host.",
+	"id": "id tracks the dynamically allocated dedicated host ID. This field is populated when allocationStrategy is Dynamic (with or without DynamicHostAllocation). The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.",
+}
+
+func (DedicatedHostStatus) SwaggerDoc() map[string]string {
+	return map_DedicatedHostStatus
+}
+
+var map_DynamicHostAllocationSpec = map[string]string{
+	"":     "DynamicHostAllocationSpec defines the configuration for dynamic dedicated host allocation. This specification always allocates exactly one dedicated host per machine. At least one property must be specified when this struct is used. Currently only Tags are available for configuring, but in the future more configs may become available.",
+	"tags": "tags specifies a set of key-value pairs to apply to the allocated dedicated host. When omitted, no additional user-defined tags will be applied to the allocated host. A maximum of 50 tags can be specified.",
+}
+
+func (DynamicHostAllocationSpec) SwaggerDoc() map[string]string {
+	return map_DynamicHostAllocationSpec
+}
+
 var map_EBSBlockDeviceSpec = map[string]string{
 	"":                    "EBSBlockDeviceSpec describes a block device for an EBS volume. https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EbsBlockDevice",
 	"deleteOnTermination": "Indicates whether the EBS volume is deleted on machine termination.\n\nDeprecated: setting this field has no effect.",
@@ -176,8 +197,8 @@ func (SpotMarketOptions) SwaggerDoc() map[string]string {
 
 var map_TagSpecification = map[string]string{
 	"":      "TagSpecification is the name/value pair for a tag",
-	"name":  "name of the tag",
-	"value": "value of the tag",
+	"name":  "name of the tag. This field is required and must be a non-empty string. Must be between 1 and 128 characters in length.",
+	"value": "value of the tag. When omitted, this creates a tag with an empty string as the value.",
 }
 
 func (TagSpecification) SwaggerDoc() map[string]string {
@@ -626,6 +647,7 @@ var map_MachineStatus = map[string]string{
 	"phase":                  "phase represents the current phase of machine actuation. One of: Failed, Provisioning, Provisioned, Running, Deleting",
 	"conditions":             "conditions defines the current state of the Machine",
 	"authoritativeAPI":       "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.",
+	"synchronizedAPI":        "synchronizedAPI holds the last stable value of authoritativeAPI. It is used to detect migration cancellation requests and to restore the resource to its previous state. Valid values are \"MachineAPI\" and \"ClusterAPI\". When omitted, the resource has not yet been reconciled by the migration controller.",
 	"synchronizedGeneration": "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.",
 }
 
@@ -729,6 +751,7 @@ var map_MachineSetStatus = map[string]string{
 	"errorReason":            "In the event that there is a terminal problem reconciling the replicas, both ErrorReason and ErrorMessage will be set. ErrorReason will be populated with a succinct value suitable for machine interpretation, while ErrorMessage will contain a more verbose string suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachineTemplate's spec or the configuration of the machine controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the machine controller, or the responsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the MachineSet object and/or logged in the controller's output.",
 	"conditions":             "conditions defines the current state of the MachineSet",
 	"authoritativeAPI":       "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.",
+	"synchronizedAPI":        "synchronizedAPI holds the last stable value of authoritativeAPI. It is used to detect migration cancellation requests and to restore the resource to its previous state. Valid values are \"MachineAPI\" and \"ClusterAPI\". When omitted, the resource has not yet been reconciled by the migration controller.",
 	"synchronizedGeneration": "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.",
 }
 
diff --git a/vendor/github.com/openshift/api/operator/v1/types_console.go b/vendor/github.com/openshift/api/operator/v1/types_console.go
index e030a65c86..35795b2b71 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_console.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_console.go
@@ -107,6 +107,9 @@ const (
 
 	// gettingStartedBanner is the name of the 'Getting started resources' banner in the console UI Overview page.
 	GettingStartedBanner ConsoleCapabilityName = "GettingStartedBanner"
+
+	// guidedTour is the name of the 'Guided Tour' feature in console UI.
+	GuidedTour ConsoleCapabilityName = "GuidedTour"
 )
 
 // CapabilityState defines the state of the capability in the console UI.
@@ -134,8 +137,8 @@ type CapabilityVisibility struct {
 // Capabilities contains set of UI capabilities and their state in the console UI.
 type Capability struct {
 	// name is the unique name of a capability.
-	// Available capabilities are LightspeedButton and GettingStartedBanner.
-	// +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner"
+	// Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.
+	// +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner";"GuidedTour"
 	// +required
 	Name ConsoleCapabilityName `json:"name"`
 	// visibility defines the visibility state of the capability.
@@ -281,10 +284,10 @@ type ConsoleCustomization struct {
 
 	// capabilities defines an array of capabilities that can be interacted with in the console UI.
 	// Each capability defines a visual state that can be interacted with the console to render in the UI.
-	// Available capabilities are LightspeedButton and GettingStartedBanner.
+	// Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.
 	// Each of the available capabilities may appear only once in the list.
 	// +kubebuilder:validation:MinItems=1
-	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:MaxItems=3
 	// +listType=map
 	// +listMapKey=name
 	// +optional
diff --git a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
index c6bcd22bc0..f5836af0f8 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
@@ -18,7 +18,8 @@ import (
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 // +openshift:compatibility-gen:level=1
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true",message="when skew enforcement is in Automatic mode, a boot image configuration is required"
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') : true",message="when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) > 0 : true",message="when skew enforcement is in Automatic mode, managedBootImages.machineManagers must not be an empty list"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') || self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io' && m.selection.mode == 'All') : true",message="when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'"
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io'): true",message="when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets"
 type MachineConfiguration struct {
 	metav1.TypeMeta `json:",inline"`
diff --git a/vendor/github.com/openshift/api/operator/v1/types_network.go b/vendor/github.com/openshift/api/operator/v1/types_network.go
index 111240eecf..1cf56f549b 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_network.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_network.go
@@ -54,7 +54,7 @@ type NetworkList struct {
 
 // NetworkSpec is the top-level network configuration object.
 // +kubebuilder:validation:XValidation:rule="!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == 'Restricted' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == 'Global'",message="invalid value for IPForwarding, valid values are 'Restricted' or 'Global'"
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=RouteAdvertisements,rule="(has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != 'Enabled'",message="Route advertisements cannot be Enabled if 'FRR' routing capability provider is not available"
+// +kubebuilder:validation:XValidation:rule="(has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != 'Enabled'",message="Route advertisements cannot be Enabled if 'FRR' routing capability provider is not available"
 type NetworkSpec struct {
 	OperatorSpec `json:",inline"`
 
@@ -136,7 +136,6 @@ type NetworkSpec struct {
 	// capabilities acquired through the enablement of these components but may
 	// require specific configuration on their side to do so; refer to their
 	// respective documentation and configuration options.
-	// +openshift:enable:FeatureGate=AdditionalRoutingCapabilities
 	// +optional
 	AdditionalRoutingCapabilities *AdditionalRoutingCapabilities `json:"additionalRoutingCapabilities,omitempty"`
 }
@@ -157,7 +156,7 @@ const (
 )
 
 // NetworkMigration represents the cluster network migration configuration.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=NetworkLiveMigration,rule="!has(self.mtu) || !has(self.networkType) || self.networkType == \"\" || has(self.mode) && self.mode == 'Live'",message="networkType migration in mode other than 'Live' may not be configured at the same time as mtu migration"
+// +kubebuilder:validation:XValidation:rule="!has(self.mtu) || !has(self.networkType) || self.networkType == \"\" || has(self.mode) && self.mode == 'Live'",message="networkType migration in mode other than 'Live' may not be configured at the same time as mtu migration"
 type NetworkMigration struct {
 	// mtu contains the MTU migration configuration. Set this to allow changing
 	// the MTU values for the default network. If unset, the operation of
@@ -465,7 +464,6 @@ type OVNKubernetesConfig struct {
 	// means the user has no opinion and the platform is left to choose
 	// reasonable defaults. These defaults are subject to change over time. The
 	// current default is "Disabled".
-	// +openshift:enable:FeatureGate=RouteAdvertisements
 	// +optional
 	RouteAdvertisements RouteAdvertisementsEnablement `json:"routeAdvertisements,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml
index a18cf575ea..f6f31fb401 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml
@@ -88,7 +88,7 @@ spec:
                     description: |-
                       capabilities defines an array of capabilities that can be interacted with in the console UI.
                       Each capability defines a visual state that can be interacted with the console to render in the UI.
-                      Available capabilities are LightspeedButton and GettingStartedBanner.
+                      Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.
                       Each of the available capabilities may appear only once in the list.
                     items:
                       description: Capabilities contains set of UI capabilities and
@@ -97,10 +97,11 @@ spec:
                         name:
                           description: |-
                             name is the unique name of a capability.
-                            Available capabilities are LightspeedButton and GettingStartedBanner.
+                            Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.
                           enum:
                           - LightspeedButton
                           - GettingStartedBanner
+                          - GuidedTour
                           type: string
                         visibility:
                           description: visibility defines the visibility state of
@@ -122,7 +123,7 @@ spec:
                       - name
                       - visibility
                       type: object
-                    maxItems: 2
+                    maxItems: 3
                     minItems: 1
                     type: array
                     x-kubernetes-list-map-keys:
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml
index d37991c458..fd7ecdeba2 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml
@@ -1994,27 +1994,25 @@ spec:
                       profile as invalid configurations can be catastrophic. An example custom profile
                       looks like this:
 
+                        minTLSVersion: VersionTLS11
                         ciphers:
-
                           - ECDHE-ECDSA-CHACHA20-POLY1305
-
                           - ECDHE-RSA-CHACHA20-POLY1305
-
                           - ECDHE-RSA-AES128-GCM-SHA256
-
                           - ECDHE-ECDSA-AES128-GCM-SHA256
-
-                        minTLSVersion: VersionTLS11
                     nullable: true
                     properties:
                       ciphers:
                         description: |-
                           ciphers is used to specify the cipher algorithms that are negotiated
-                          during the TLS handshake.  Operators may remove entries their operands
-                          do not support.  For example, to use DES-CBC3-SHA  (yaml):
+                          during the TLS handshake. Operators may remove entries that their operands
+                          do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):
 
                             ciphers:
-                              - DES-CBC3-SHA
+                              - ECDHE-RSA-AES128-GCM-SHA256
+
+                          TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable
+                          and are always enabled when TLS 1.3 is negotiated.
                         items:
                           type: string
                         type: array
@@ -2026,8 +2024,6 @@ spec:
                           versions 1.1, 1.2 and 1.3 (yaml):
 
                             minTLSVersion: VersionTLS11
-
-                          NOTE: currently the highest minTLSVersion allowed is VersionTLS12
                         enum:
                         - VersionTLS10
                         - VersionTLS11
@@ -2037,143 +2033,81 @@ spec:
                     type: object
                   intermediate:
                     description: |-
-                      intermediate is a TLS security profile based on:
-
-                      https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
-
-                      and looks like this (yaml):
+                      intermediate is a TLS profile for use when you do not need compatibility with
+                      legacy clients and want to remain highly secure while being compatible with
+                      most clients currently in use.
 
+                      This profile is equivalent to a Custom profile specified as:
+                        minTLSVersion: VersionTLS12
                         ciphers:
-
                           - TLS_AES_128_GCM_SHA256
-
                           - TLS_AES_256_GCM_SHA384
-
                           - TLS_CHACHA20_POLY1305_SHA256
-
                           - ECDHE-ECDSA-AES128-GCM-SHA256
-
                           - ECDHE-RSA-AES128-GCM-SHA256
-
                           - ECDHE-ECDSA-AES256-GCM-SHA384
-
                           - ECDHE-RSA-AES256-GCM-SHA384
-
                           - ECDHE-ECDSA-CHACHA20-POLY1305
-
                           - ECDHE-RSA-CHACHA20-POLY1305
-
-                          - DHE-RSA-AES128-GCM-SHA256
-
-                          - DHE-RSA-AES256-GCM-SHA384
-
-                        minTLSVersion: VersionTLS12
                     nullable: true
                     type: object
                   modern:
                     description: |-
-                      modern is a TLS security profile based on:
-
-                      https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
-
-                      and looks like this (yaml):
+                      modern is a TLS security profile for use with clients that support TLS 1.3 and
+                      do not need backward compatibility for older clients.
 
+                      This profile is equivalent to a Custom profile specified as:
+                        minTLSVersion: VersionTLS13
                         ciphers:
-
                           - TLS_AES_128_GCM_SHA256
-
                           - TLS_AES_256_GCM_SHA384
-
                           - TLS_CHACHA20_POLY1305_SHA256
-
-                        minTLSVersion: VersionTLS13
                     nullable: true
                     type: object
                   old:
                     description: |-
-                      old is a TLS security profile based on:
-
-                      https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
-
-                      and looks like this (yaml):
+                      old is a TLS profile for use when services need to be accessed by very old
+                      clients or libraries and should be used only as a last resort.
 
+                      This profile is equivalent to a Custom profile specified as:
+                        minTLSVersion: VersionTLS10
                         ciphers:
-
                           - TLS_AES_128_GCM_SHA256
-
                           - TLS_AES_256_GCM_SHA384
-
                           - TLS_CHACHA20_POLY1305_SHA256
-
                           - ECDHE-ECDSA-AES128-GCM-SHA256
-
                           - ECDHE-RSA-AES128-GCM-SHA256
-
                           - ECDHE-ECDSA-AES256-GCM-SHA384
-
                           - ECDHE-RSA-AES256-GCM-SHA384
-
                           - ECDHE-ECDSA-CHACHA20-POLY1305
-
                           - ECDHE-RSA-CHACHA20-POLY1305
-
-                          - DHE-RSA-AES128-GCM-SHA256
-
-                          - DHE-RSA-AES256-GCM-SHA384
-
-                          - DHE-RSA-CHACHA20-POLY1305
-
                           - ECDHE-ECDSA-AES128-SHA256
-
                           - ECDHE-RSA-AES128-SHA256
-
                           - ECDHE-ECDSA-AES128-SHA
-
                           - ECDHE-RSA-AES128-SHA
-
-                          - ECDHE-ECDSA-AES256-SHA384
-
-                          - ECDHE-RSA-AES256-SHA384
-
                           - ECDHE-ECDSA-AES256-SHA
-
                           - ECDHE-RSA-AES256-SHA
-
-                          - DHE-RSA-AES128-SHA256
-
-                          - DHE-RSA-AES256-SHA256
-
                           - AES128-GCM-SHA256
-
                           - AES256-GCM-SHA384
-
                           - AES128-SHA256
-
-                          - AES256-SHA256
-
                           - AES128-SHA
-
                           - AES256-SHA
-
                           - DES-CBC3-SHA
-
-                        minTLSVersion: VersionTLS10
                     nullable: true
                     type: object
                   type:
                     description: |-
-                      type is one of Old, Intermediate, Modern or Custom. Custom provides
-                      the ability to specify individual TLS security profile parameters.
-                      Old, Intermediate and Modern are TLS security profiles based on:
-
-                      https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+                      type is one of Old, Intermediate, Modern or Custom. Custom provides the
+                      ability to specify individual TLS security profile parameters.
 
-                      The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
-                      are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be
-                      reduced.
+                      The profiles are based on version 5.7 of the Mozilla Server Side TLS
+                      configuration guidelines. The cipher lists consist of the configuration's
+                      "ciphersuites" followed by the Go-specific "ciphers" from the guidelines.
+                      See: https://ssl-config.mozilla.org/guidelines/5.7.json
 
-                      Note that the Modern profile is currently not supported because it is not
-                      yet well adopted by common software libraries.
+                      The profiles are intent based, so they may change over time as new ciphers are
+                      developed and existing ciphers are found to be insecure. Depending on
+                      precisely which ciphers are available to a process, the list may be reduced.
                     enum:
                     - Old
                     - Intermediate
@@ -3307,11 +3241,14 @@ spec:
                   ciphers:
                     description: |-
                       ciphers is used to specify the cipher algorithms that are negotiated
-                      during the TLS handshake.  Operators may remove entries their operands
-                      do not support.  For example, to use DES-CBC3-SHA  (yaml):
+                      during the TLS handshake. Operators may remove entries that their operands
+                      do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):
 
                         ciphers:
-                          - DES-CBC3-SHA
+                          - ECDHE-RSA-AES128-GCM-SHA256
+
+                      TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable
+                      and are always enabled when TLS 1.3 is negotiated.
                     items:
                       type: string
                     type: array
@@ -3323,8 +3260,6 @@ spec:
                       versions 1.1, 1.2 and 1.3 (yaml):
 
                         minTLSVersion: VersionTLS11
-
-                      NOTE: currently the highest minTLSVersion allowed is VersionTLS12
                     enum:
                     - VersionTLS10
                     - VersionTLS11
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml
index 7a41655bd1..60459deca7 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks.crd.yaml
@@ -914,13 +914,6 @@ spec:
                 type: boolean
             type: object
             x-kubernetes-validations:
-            - message: Route advertisements cannot be Enabled if 'FRR' routing capability
-                provider is not available
-              rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers))
-                || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig)
-                || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements)
-                || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements !=
-                'Enabled'
             - message: invalid value for IPForwarding, valid values are 'Restricted'
                 or 'Global'
               rule: '!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig)
@@ -931,6 +924,13 @@ spec:
                 || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding
                 == ''Restricted'' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding
                 == ''Global'''
+            - message: Route advertisements cannot be Enabled if 'FRR' routing capability
+                provider is not available
+              rule: (has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers))
+                || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig)
+                || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements)
+                || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements !=
+                'Enabled'
           status:
             description: |-
               NetworkStatus is detailed operator status, which is distilled
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml
index c165fca6bf..831b519754 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml
@@ -1524,12 +1524,19 @@ spec:
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
             ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
             : true'
-        - message: when skew enforcement is in Automatic mode, managedBootImages must
-            contain a MachineManager opting in all MachineAPI MachineSets
+        - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers
+            must not be an empty list
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
-            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
-            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
-            == ''machine.openshift.io'') : true'
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers)
+            > 0 : true'
+        - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet
+            MachineManager must use selection mode 'All'
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m,
+            m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'')
+            || self.spec.managedBootImages.machineManagers.exists(m, m.resource ==
+            ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode
+            == ''All'') : true'
         - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
             must contain a MachineManager opting in all MachineAPI MachineSets
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml
index 3de28dcdf3..2e65e97c84 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml
@@ -108,6 +108,7 @@ spec:
                             controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet.
                           enum:
                           - machinesets
+                          - controlplanemachinesets
                           type: string
                         selection:
                           description: selection allows granular control of the machine
@@ -197,6 +198,11 @@ spec:
                       - resource
                       - selection
                       type: object
+                      x-kubernetes-validations:
+                      - message: Only All or None selection mode is permitted for
+                          ControlPlaneMachineSets
+                        rule: self.resource != 'controlplanemachinesets' || self.selection.mode
+                          == 'All' || self.selection.mode == 'None'
                     maxItems: 5
                     type: array
                     x-kubernetes-list-map-keys:
@@ -741,6 +747,7 @@ spec:
                             controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet.
                           enum:
                           - machinesets
+                          - controlplanemachinesets
                           type: string
                         selection:
                           description: selection allows granular control of the machine
@@ -830,6 +837,11 @@ spec:
                       - resource
                       - selection
                       type: object
+                      x-kubernetes-validations:
+                      - message: Only All or None selection mode is permitted for
+                          ControlPlaneMachineSets
+                        rule: self.resource != 'controlplanemachinesets' || self.selection.mode
+                          == 'All' || self.selection.mode == 'None'
                     maxItems: 5
                     type: array
                     x-kubernetes-list-map-keys:
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml
index 544168f415..201cee1f87 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml
@@ -1524,12 +1524,19 @@ spec:
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
             ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
             : true'
-        - message: when skew enforcement is in Automatic mode, managedBootImages must
-            contain a MachineManager opting in all MachineAPI MachineSets
+        - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers
+            must not be an empty list
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
-            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
-            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
-            == ''machine.openshift.io'') : true'
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers)
+            > 0 : true'
+        - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet
+            MachineManager must use selection mode 'All'
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m,
+            m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'')
+            || self.spec.managedBootImages.machineManagers.exists(m, m.resource ==
+            ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode
+            == ''All'') : true'
         - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
             must contain a MachineManager opting in all MachineAPI MachineSets
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml
index 6c763ea479..1d16002284 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml
@@ -108,6 +108,7 @@ spec:
                             controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet.
                           enum:
                           - machinesets
+                          - controlplanemachinesets
                           type: string
                         selection:
                           description: selection allows granular control of the machine
@@ -197,6 +198,11 @@ spec:
                       - resource
                       - selection
                       type: object
+                      x-kubernetes-validations:
+                      - message: Only All or None selection mode is permitted for
+                          ControlPlaneMachineSets
+                        rule: self.resource != 'controlplanemachinesets' || self.selection.mode
+                          == 'All' || self.selection.mode == 'None'
                     maxItems: 5
                     type: array
                     x-kubernetes-list-map-keys:
@@ -741,6 +747,7 @@ spec:
                             controlplanemachinesets means that the machine manager will only register resources of the kind ControlPlaneMachineSet.
                           enum:
                           - machinesets
+                          - controlplanemachinesets
                           type: string
                         selection:
                           description: selection allows granular control of the machine
@@ -830,6 +837,11 @@ spec:
                       - resource
                       - selection
                       type: object
+                      x-kubernetes-validations:
+                      - message: Only All or None selection mode is permitted for
+                          ControlPlaneMachineSets
+                        rule: self.resource != 'controlplanemachinesets' || self.selection.mode
+                          == 'All' || self.selection.mode == 'None'
                     maxItems: 5
                     type: array
                     x-kubernetes-list-map-keys:
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml
index 0cc415a588..0e521a7577 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml
@@ -1524,12 +1524,19 @@ spec:
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
             ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
             : true'
-        - message: when skew enforcement is in Automatic mode, managedBootImages must
-            contain a MachineManager opting in all MachineAPI MachineSets
+        - message: when skew enforcement is in Automatic mode, managedBootImages.machineManagers
+            must not be an empty list
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
-            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
-            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
-            == ''machine.openshift.io'') : true'
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers)
+            > 0 : true'
+        - message: when skew enforcement is in Automatic mode, any MachineAPI MachineSet
+            MachineManager must use selection mode 'All'
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m,
+            m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io'')
+            || self.spec.managedBootImages.machineManagers.exists(m, m.resource ==
+            ''machinesets'' && m.apiGroup == ''machine.openshift.io'' && m.selection.mode
+            == ''All'') : true'
         - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
             must contain a MachineManager opting in all MachineAPI MachineSets
           rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
index e7c94e2869..51a758804d 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -327,10 +327,7 @@ networks.operator.openshift.io:
   CRDName: networks.operator.openshift.io
   Capability: ""
   Category: ""
-  FeatureGates:
-  - AdditionalRoutingCapabilities
-  - NetworkLiveMigration
-  - RouteAdvertisements
+  FeatureGates: []
   FilenameOperatorName: network
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_70"
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
index 06096a6c81..64aac26eb3 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
@@ -210,7 +210,7 @@ func (AddPage) SwaggerDoc() map[string]string {
 
 var map_Capability = map[string]string{
 	"":           "Capabilities contains set of UI capabilities and their state in the console UI.",
-	"name":       "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.",
+	"name":       "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.",
 	"visibility": "visibility defines the visibility state of the capability.",
 }
 
@@ -259,7 +259,7 @@ func (ConsoleConfigRoute) SwaggerDoc() map[string]string {
 var map_ConsoleCustomization = map[string]string{
 	"":                     "ConsoleCustomization defines a list of optional configuration for the console UI. Ensure that Logos and CustomLogoFile cannot be set at the same time.",
 	"logos":                "logos is used to replace the OpenShift Masthead and Favicon logos in the console UI with custom logos. logos is an optional field that allows a list of logos. Only one of logos or customLogoFile can be set at a time. If logos is set, customLogoFile must be unset. When specified, there must be at least one entry and no more than 2 entries. Each type must appear only once in the list.",
-	"capabilities":         "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.",
+	"capabilities":         "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.",
 	"brand":                "brand is the default branding of the web console which can be overridden by providing the brand field.  There is a limited set of specific brand options. This field controls elements of the console such as the logo. Invalid value will prevent a console rollout.",
 	"documentationBaseURL": "documentationBaseURL links to external documentation are shown in various sections of the web console.  Providing documentationBaseURL will override the default documentation URL. Invalid value will prevent a console rollout.",
 	"customProductName":    "customProductName is the name that will be displayed in page titles, logo alt text, and the about dialog instead of the normal OpenShift product name.",
diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/register.go b/vendor/github.com/openshift/api/operator/v1alpha1/register.go
index 3e9b09cced..ec19cba3a9 100644
--- a/vendor/github.com/openshift/api/operator/v1alpha1/register.go
+++ b/vendor/github.com/openshift/api/operator/v1alpha1/register.go
@@ -41,6 +41,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&EtcdBackupList{},
 		&ClusterVersionOperator{},
 		&ClusterVersionOperatorList{},
+		&ClusterAPI{},
+		&ClusterAPIList{},
 	)
 
 	return nil
diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go b/vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go
new file mode 100644
index 0000000000..c38fbaf97e
--- /dev/null
+++ b/vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go
@@ -0,0 +1,229 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=clusterapis,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2564
+// +openshift:file-pattern=cvoRunLevel=0000_30,operatorName=cluster-api,operatorOrdering=01
+// +openshift:enable:FeatureGate=ClusterAPIMachineManagement
+// +kubebuilder:metadata:annotations="release.openshift.io/feature-gate=ClusterAPIMachineManagement"
+
+// ClusterAPI provides configuration for the capi-operator.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="clusterapi is a singleton, .metadata.name must be 'cluster'"
+type ClusterAPI struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +required
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec is the specification of the desired behavior of the capi-operator.
+	// +required
+	Spec *ClusterAPISpec `json:"spec,omitempty"`
+
+	// status defines the observed status of the capi-operator.
+	// +optional
+	Status ClusterAPIStatus `json:"status,omitzero"`
+}
+
+// ClusterAPISpec defines the desired configuration of the capi-operator.
+// The spec is required but we deliberately allow it to be empty.
+// +kubebuilder:validation:MinProperties=0
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.unmanagedCustomResourceDefinitions) || has(self.unmanagedCustomResourceDefinitions)",message="unmanagedCustomResourceDefinitions cannot be unset once set"
+type ClusterAPISpec struct {
+	// unmanagedCustomResourceDefinitions is a list of ClusterResourceDefinition (CRD)
+	// names that should not be managed by the capi-operator installer
+	// controller. This allows external actors to own specific CRDs while
+	// capi-operator manages others.
+	//
+	// Each CRD name must be a valid DNS-1123 subdomain consisting of lowercase
+	// alphanumeric characters, '-' or '.', and must start and end with an
+	// alphanumeric character, with a maximum length of 253 characters.
+	// CRD names must contain at least two '.' characters.
+	// Example: "clusters.cluster.x-k8s.io"
+	//
+	// Items cannot be removed from this list once added.
+	//
+	// The maximum number of unmanagedCustomResourceDefinitions is 128.
+	//
+	// +optional
+	// +listType=set
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=128
+	// +kubebuilder:validation:XValidation:rule="oldSelf.all(item, item in self)",message="items cannot be removed from unmanagedCustomResourceDefinitions list"
+	// +kubebuilder:validation:items:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+	// +kubebuilder:validation:items:XValidation:rule="self.split('.').size() > 2",message="CRD names must contain at least two '.' characters."
+	// +kubebuilder:validation:items:MinLength=1
+	// +kubebuilder:validation:items:MaxLength=253
+	UnmanagedCustomResourceDefinitions []string `json:"unmanagedCustomResourceDefinitions,omitempty"`
+}
+
+// RevisionName represents the name of a revision. The name must be between 1
+// and 255 characters long.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=255
+type RevisionName string
+
+// ClusterAPIStatus describes the current state of the capi-operator.
+// +kubebuilder:validation:XValidation:rule="self.revisions.exists(r, r.name == self.desiredRevision && self.revisions.all(s, s.revision <= r.revision))",message="desiredRevision must be the name of the revision with the highest revision number"
+// +kubebuilder:validation:XValidation:rule="!has(self.currentRevision) || self.revisions.exists(r, r.name == self.currentRevision)",message="currentRevision must correspond to an entry in the revisions list"
+type ClusterAPIStatus struct {
+	// currentRevision is the name of the most recently fully applied revision.
+	// It is written by the installer controller. If it is absent, it indicates
+	// that no revision has been fully applied yet.
+	// If set, currentRevision must correspond to an entry in the revisions list.
+	// +optional
+	CurrentRevision RevisionName `json:"currentRevision,omitempty"`
+
+	// desiredRevision is the name of the desired revision. It is written by the
+	// revision controller. It must be set to the name of the entry in the
+	// revisions list with the highest revision number.
+	// +required
+	DesiredRevision RevisionName `json:"desiredRevision,omitempty"`
+
+	// revisions is a list of all currently active revisions. A revision is
+	// active until the installer controller updates currentRevision to a later
+	// revision. It is written by the revision controller.
+	//
+	// The maximum number of revisions is 16.
+	// All revisions must have a unique name.
+	// All revisions must have a unique revision number.
+	// When adding a revision, the revision number must be greater than the highest revision number in the list.
+	// Revisions are immutable, although they can be deleted.
+	//
+	// +required
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="each revision must have a unique name"
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.revision == y.revision))",message="each revision must have a unique revision number"
+	// +kubebuilder:validation:XValidation:rule="self.all(new, oldSelf.exists(old, old.name == new.name) || oldSelf.all(old, new.revision > old.revision))",message="new revisions must have a revision number greater than all existing revisions"
+	// +kubebuilder:validation:XValidation:rule="oldSelf.all(old, !self.exists(new, new.name == old.name) || self.exists(new, new == old))",message="existing revisions are immutable, but may be removed"
+	Revisions []ClusterAPIInstallerRevision `json:"revisions,omitempty"`
+}
+
+// +structType=atomic
+type ClusterAPIInstallerRevision struct {
+	// name is the name of a revision.
+	// +required
+	Name RevisionName `json:"name,omitempty"`
+
+	// revision is a monotonically increasing number that is assigned to a revision.
+	// +required
+	// +kubebuilder:validation:Minimum=1
+	Revision int64 `json:"revision,omitempty"`
+
+	// contentID uniquely identifies the content of this revision.
+	// The contentID must be between 1 and 255 characters long.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	ContentID string `json:"contentID,omitempty"`
+
+	// unmanagedCustomResourceDefinitions is a list of the names of
+	// ClusterResourceDefinition (CRD) objects which are included in this
+	// revision, but which should not be installed or updated. If not set, all
+	// CRDs in the revision will be managed by the CAPI operator.
+	// +listType=atomic
+	// +kubebuilder:validation:items:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+	// +kubebuilder:validation:items:MinLength=1
+	// +kubebuilder:validation:items:MaxLength=253
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=128
+	// +optional
+	UnmanagedCustomResourceDefinitions []string `json:"unmanagedCustomResourceDefinitions,omitempty"`
+
+	// components is list of components which will be installed by this
+	// revision. Components will be installed in the order they are listed.
+	//
+	// The maximum number of components is 32.
+	//
+	// +required
+	// +listType=atomic
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=32
+	Components []ClusterAPIInstallerComponent `json:"components,omitempty"`
+}
+
+// InstallerComponentType is the type of component to install.
+// +kubebuilder:validation:Enum=Image
+// +enum
+type InstallerComponentType string
+
+const (
+	// InstallerComponentTypeImage is an image source for a component.
+	InstallerComponentTypeImage InstallerComponentType = "Image"
+)
+
+// ClusterAPIInstallerComponent defines a component which will be installed by this revision.
+// +union
+// +kubebuilder:validation:XValidation:rule="self.type == 'Image' ? has(self.image) : !has(self.image)",message="image is required when type is Image, and forbidden otherwise"
+type ClusterAPIInstallerComponent struct {
+	// type is the source type of the component.
+	// The only valid value is Image.
+	// When set to Image, the image field must be set and will define an image source for the component.
+	// +required
+	// +unionDiscriminator
+	Type InstallerComponentType `json:"type,omitempty"`
+
+	// image defines an image source for a component. The image must contain a
+	// /capi-operator-installer directory containing the component manifests.
+	// +optional
+	Image ClusterAPIInstallerComponentImage `json:"image,omitzero"`
+}
+
+// ImageDigestFormat is a type that conforms to the format host[:port][/namespace]/name@sha256:<digest>.
+// The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
+// The length of the field must be between 1 to 447 characters.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=447
+// +kubebuilder:validation:XValidation:rule=`(self.split('@').size() == 2 && self.split('@')[1].matches('^sha256:[a-f0-9]{64}$'))`,message="the OCI Image reference must end with a valid '@sha256:<digest>' suffix, where '<digest>' is 64 characters long"
+// +kubebuilder:validation:XValidation:rule=`(self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))`,message="the OCI Image name should follow the host[:port][/namespace]/name format, resembling a valid URL without the scheme"
+type ImageDigestFormat string
+
+// ClusterAPIInstallerComponentImage defines an image source for a component.
+type ClusterAPIInstallerComponentImage struct {
+	// ref is an image reference to the image containing the component manifests. The reference
+	// must be a valid image digest reference in the format host[:port][/namespace]/name@sha256:<digest>.
+	// The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
+	// The length of the field must be between 1 to 447 characters.
+	// +required
+	Ref ImageDigestFormat `json:"ref,omitempty"`
+
+	// profile is the name of a profile to use from the image.
+	//
+	// A profile name may be up to 255 characters long. It must consist of alphanumeric characters, '-', or '_'.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9-_]+$')",message="profile must consist of alphanumeric characters, '-', or '_'"
+	Profile string `json:"profile,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterAPIList contains a list of ClusterAPI configurations
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type ClusterAPIList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// items contains the items
+	Items []ClusterAPI `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go
index de4c071281..1f3fd281e1 100644
--- a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go
@@ -26,6 +26,174 @@ func (in *BackupJobReference) DeepCopy() *BackupJobReference {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterAPI) DeepCopyInto(out *ClusterAPI) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = new(ClusterAPISpec)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAPI.
+func (in *ClusterAPI) DeepCopy() *ClusterAPI {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterAPI)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterAPI) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterAPIInstallerComponent) DeepCopyInto(out *ClusterAPIInstallerComponent) {
+	*out = *in
+	out.Image = in.Image
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAPIInstallerComponent.
+func (in *ClusterAPIInstallerComponent) DeepCopy() *ClusterAPIInstallerComponent {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterAPIInstallerComponent)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterAPIInstallerComponentImage) DeepCopyInto(out *ClusterAPIInstallerComponentImage) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAPIInstallerComponentImage.
+func (in *ClusterAPIInstallerComponentImage) DeepCopy() *ClusterAPIInstallerComponentImage {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterAPIInstallerComponentImage)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterAPIInstallerRevision) DeepCopyInto(out *ClusterAPIInstallerRevision) {
+	*out = *in
+	if in.UnmanagedCustomResourceDefinitions != nil {
+		in, out := &in.UnmanagedCustomResourceDefinitions, &out.UnmanagedCustomResourceDefinitions
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make([]ClusterAPIInstallerComponent, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAPIInstallerRevision.
+func (in *ClusterAPIInstallerRevision) DeepCopy() *ClusterAPIInstallerRevision {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterAPIInstallerRevision)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterAPIList) DeepCopyInto(out *ClusterAPIList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterAPI, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAPIList.
+func (in *ClusterAPIList) DeepCopy() *ClusterAPIList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterAPIList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterAPIList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterAPISpec) DeepCopyInto(out *ClusterAPISpec) {
+	*out = *in
+	if in.UnmanagedCustomResourceDefinitions != nil {
+		in, out := &in.UnmanagedCustomResourceDefinitions, &out.UnmanagedCustomResourceDefinitions
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAPISpec.
+func (in *ClusterAPISpec) DeepCopy() *ClusterAPISpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterAPISpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterAPIStatus) DeepCopyInto(out *ClusterAPIStatus) {
+	*out = *in
+	if in.Revisions != nil {
+		in, out := &in.Revisions, &out.Revisions
+		*out = make([]ClusterAPIInstallerRevision, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAPIStatus.
+func (in *ClusterAPIStatus) DeepCopy() *ClusterAPIStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterAPIStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterVersionOperator) DeepCopyInto(out *ClusterVersionOperator) {
 	*out = *in
diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
index 0d595be801..3ad442d9d8 100644
--- a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -1,3 +1,27 @@
+clusterapis.operator.openshift.io:
+  Annotations:
+    release.openshift.io/feature-gate: ClusterAPIMachineManagement
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2564
+  CRDName: clusterapis.operator.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - ClusterAPIMachineManagement
+  FilenameOperatorName: cluster-api
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_30"
+  GroupName: operator.openshift.io
+  HasStatus: true
+  KindName: ClusterAPI
+  Labels: {}
+  PluralName: clusterapis
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - ClusterAPIMachineManagement
+  Version: v1alpha1
+
 clusterversionoperators.operator.openshift.io:
   Annotations: {}
   ApprovedPRNumber: https://github.com/openshift/api/pull/2044
diff --git a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go
index 9060bf9981..94d48269d4 100644
--- a/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -135,6 +135,79 @@ func (VersionAvailability) SwaggerDoc() map[string]string {
 	return map_VersionAvailability
 }
 
+var map_ClusterAPI = map[string]string{
+	"":         "ClusterAPI provides configuration for the capi-operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec is the specification of the desired behavior of the capi-operator.",
+	"status":   "status defines the observed status of the capi-operator.",
+}
+
+func (ClusterAPI) SwaggerDoc() map[string]string {
+	return map_ClusterAPI
+}
+
+var map_ClusterAPIInstallerComponent = map[string]string{
+	"":      "ClusterAPIInstallerComponent defines a component which will be installed by this revision.",
+	"type":  "type is the source type of the component. The only valid value is Image. When set to Image, the image field must be set and will define an image source for the component.",
+	"image": "image defines an image source for a component. The image must contain a /capi-operator-installer directory containing the component manifests.",
+}
+
+func (ClusterAPIInstallerComponent) SwaggerDoc() map[string]string {
+	return map_ClusterAPIInstallerComponent
+}
+
+var map_ClusterAPIInstallerComponentImage = map[string]string{
+	"":        "ClusterAPIInstallerComponentImage defines an image source for a component.",
+	"ref":     "ref is an image reference to the image containing the component manifests. The reference must be a valid image digest reference in the format host[:port][/namespace]/name@sha256:<digest>. The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the field must be between 1 to 447 characters.",
+	"profile": "profile is the name of a profile to use from the image.\n\nA profile name may be up to 255 characters long. It must consist of alphanumeric characters, '-', or '_'.",
+}
+
+func (ClusterAPIInstallerComponentImage) SwaggerDoc() map[string]string {
+	return map_ClusterAPIInstallerComponentImage
+}
+
+var map_ClusterAPIInstallerRevision = map[string]string{
+	"name":                               "name is the name of a revision.",
+	"revision":                           "revision is a monotonically increasing number that is assigned to a revision.",
+	"contentID":                          "contentID uniquely identifies the content of this revision. The contentID must be between 1 and 255 characters long.",
+	"unmanagedCustomResourceDefinitions": "unmanagedCustomResourceDefinitions is a list of the names of ClusterResourceDefinition (CRD) objects which are included in this revision, but which should not be installed or updated. If not set, all CRDs in the revision will be managed by the CAPI operator.",
+	"components":                         "components is list of components which will be installed by this revision. Components will be installed in the order they are listed.\n\nThe maximum number of components is 32.",
+}
+
+func (ClusterAPIInstallerRevision) SwaggerDoc() map[string]string {
+	return map_ClusterAPIInstallerRevision
+}
+
+var map_ClusterAPIList = map[string]string{
+	"":         "ClusterAPIList contains a list of ClusterAPI configurations\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"items":    "items contains the items",
+}
+
+func (ClusterAPIList) SwaggerDoc() map[string]string {
+	return map_ClusterAPIList
+}
+
+var map_ClusterAPISpec = map[string]string{
+	"":                                   "ClusterAPISpec defines the desired configuration of the capi-operator. The spec is required but we deliberately allow it to be empty.",
+	"unmanagedCustomResourceDefinitions": "unmanagedCustomResourceDefinitions is a list of ClusterResourceDefinition (CRD) names that should not be managed by the capi-operator installer controller. This allows external actors to own specific CRDs while capi-operator manages others.\n\nEach CRD name must be a valid DNS-1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character, with a maximum length of 253 characters. CRD names must contain at least two '.' characters. Example: \"clusters.cluster.x-k8s.io\"\n\nItems cannot be removed from this list once added.\n\nThe maximum number of unmanagedCustomResourceDefinitions is 128.",
+}
+
+func (ClusterAPISpec) SwaggerDoc() map[string]string {
+	return map_ClusterAPISpec
+}
+
+var map_ClusterAPIStatus = map[string]string{
+	"":                "ClusterAPIStatus describes the current state of the capi-operator.",
+	"currentRevision": "currentRevision is the name of the most recently fully applied revision. It is written by the installer controller. If it is absent, it indicates that no revision has been fully applied yet. If set, currentRevision must correspond to an entry in the revisions list.",
+	"desiredRevision": "desiredRevision is the name of the desired revision. It is written by the revision controller. It must be set to the name of the entry in the revisions list with the highest revision number.",
+	"revisions":       "revisions is a list of all currently active revisions. A revision is active until the installer controller updates currentRevision to a later revision. It is written by the revision controller.\n\nThe maximum number of revisions is 16. All revisions must have a unique name. All revisions must have a unique revision number. When adding a revision, the revision number must be greater than the highest revision number in the list. Revisions are immutable, although they can be deleted.",
+}
+
+func (ClusterAPIStatus) SwaggerDoc() map[string]string {
+	return map_ClusterAPIStatus
+}
+
 var map_ClusterVersionOperator = map[string]string{
 	"":         "ClusterVersionOperator holds cluster-wide information about the Cluster Version Operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
 	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
diff --git a/vendor/github.com/openshift/api/operatoringress/v1/types.go b/vendor/github.com/openshift/api/operatoringress/v1/types.go
index f256507cce..bb0b174049 100644
--- a/vendor/github.com/openshift/api/operatoringress/v1/types.go
+++ b/vendor/github.com/openshift/api/operatoringress/v1/types.go
@@ -49,9 +49,10 @@ type DNSRecordSpec struct {
 	// targets are record targets.
 	//
 	// +kubebuilder:validation:MinItems=1
+	// +listType=atomic
 	// +required
 	Targets []string `json:"targets"`
-	// recordType is the DNS record type. For example, "A" or "CNAME".
+	// recordType is the DNS record type. For example, "A", "AAAA", or "CNAME".
 	// +required
 	RecordType DNSRecordType `json:"recordType"`
 	// recordTTL is the record TTL in seconds. If zero, the default is 30.
@@ -81,6 +82,7 @@ type DNSRecordSpec struct {
 // DNSRecordStatus is the most recently observed status of each record.
 type DNSRecordStatus struct {
 	// zones are the status of the record in each zone.
+	// +listType=atomic
 	// +optional
 	Zones []DNSZoneStatus `json:"zones,omitempty"`
 
@@ -103,6 +105,8 @@ type DNSZoneStatus struct {
 	// If publishing the record succeeds, the "Published" condition will be
 	// set with status "True" and upon failure it will be set to "False" along
 	// with the reason and message describing the cause of the failure.
+	//
+	// +listType=atomic
 	Conditions []DNSZoneCondition `json:"conditions,omitempty"`
 }
 
@@ -129,7 +133,8 @@ type DNSZoneCondition struct {
 }
 
 // DNSRecordType is a DNS resource record type.
-// +kubebuilder:validation:Enum=CNAME;A
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=CNAME;A
+// +openshift:validation:FeatureGateAwareEnum:featureGate=AzureDualStackInstall;GCPDualStackInstall,enum=CNAME;A;AAAA
 type DNSRecordType string
 
 const (
@@ -138,6 +143,9 @@ const (
 
 	// ARecordType is an RFC 1035 A record.
 	ARecordType DNSRecordType = "A"
+
+	// AAAARecordType is an RFC 3596 AAAA record that is used to map a domain name to an IPv6 address.
+	AAAARecordType DNSRecordType = "AAAA"
 )
 
 // DNSManagementPolicy is a policy for configuring how the dns controller
@@ -169,5 +177,6 @@ type DNSRecordList struct {
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	metav1.ListMeta `json:"metadata,omitempty"`
 
+	// +listType=atomic
 	Items []DNSRecord `json:"items"`
 }
diff --git a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-CustomNoUpgrade.crd.yaml
new file mode 100644
index 0000000000..842bc8cb2d
--- /dev/null
+++ b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,191 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/584
+    api.openshift.io/merged-by-featuregates: "true"
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/feature-set: CustomNoUpgrade
+  name: dnsrecords.ingress.operator.openshift.io
+spec:
+  group: ingress.operator.openshift.io
+  names:
+    kind: DNSRecord
+    listKind: DNSRecordList
+    plural: dnsrecords
+    singular: dnsrecord
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          DNSRecord is a DNS record managed in the zones defined by
+          dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone.
+
+          Cluster admin manipulation of this resource is not supported. This resource
+          is only for internal communication of OpenShift operators.
+
+          If DNSManagementPolicy is "Unmanaged", the operator will not be responsible
+          for managing the DNS records on the cloud provider.
+
+          Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec is the specification of the desired behavior of the
+              dnsRecord.
+            properties:
+              dnsManagementPolicy:
+                default: Managed
+                description: |-
+                  dnsManagementPolicy denotes the current policy applied on the DNS
+                  record. Records that have policy set as "Unmanaged" are ignored by
+                  the ingress operator.  This means that the DNS record on the cloud
+                  provider is not managed by the operator, and the "Published" status
+                  condition will be updated to "Unknown" status, since it is externally
+                  managed. Any existing record on the cloud provider can be deleted at
+                  the discretion of the cluster admin.
+
+                  This field defaults to Managed. Valid values are "Managed" and
+                  "Unmanaged".
+                enum:
+                - Managed
+                - Unmanaged
+                type: string
+              dnsName:
+                description: dnsName is the hostname of the DNS record
+                minLength: 1
+                type: string
+              recordTTL:
+                description: |-
+                  recordTTL is the record TTL in seconds. If zero, the default is 30.
+                  RecordTTL will not be used in AWS regions Alias targets, but
+                  will be used in CNAME targets, per AWS API contract.
+                format: int64
+                minimum: 0
+                type: integer
+              recordType:
+                description: recordType is the DNS record type. For example, "A",
+                  "AAAA", or "CNAME".
+                enum:
+                - CNAME
+                - A
+                - AAAA
+                type: string
+              targets:
+                description: targets are record targets.
+                items:
+                  type: string
+                minItems: 1
+                type: array
+                x-kubernetes-list-type: atomic
+            required:
+            - dnsManagementPolicy
+            - dnsName
+            - recordTTL
+            - recordType
+            - targets
+            type: object
+          status:
+            description: status is the most recently observed status of the dnsRecord.
+            properties:
+              observedGeneration:
+                description: |-
+                  observedGeneration is the most recently observed generation of the
+                  DNSRecord.  When the DNSRecord is updated, the controller updates the
+                  corresponding record in each managed zone.  If an update for a
+                  particular zone fails, that failure is recorded in the status
+                  condition for the zone so that the controller can determine that it
+                  needs to retry the update for that specific zone.
+                format: int64
+                type: integer
+              zones:
+                description: zones are the status of the record in each zone.
+                items:
+                  description: DNSZoneStatus is the status of a record within a specific
+                    zone.
+                  properties:
+                    conditions:
+                      description: |-
+                        conditions are any conditions associated with the record in the zone.
+
+                        If publishing the record succeeds, the "Published" condition will be
+                        set with status "True" and upon failure it will be set to "False" along
+                        with the reason and message describing the cause of the failure.
+                      items:
+                        description: DNSZoneCondition is just the standard condition
+                          fields.
+                        properties:
+                          lastTransitionTime:
+                            format: date-time
+                            type: string
+                          message:
+                            type: string
+                          reason:
+                            type: string
+                          status:
+                            minLength: 1
+                            type: string
+                          type:
+                            minLength: 1
+                            type: string
+                        required:
+                        - status
+                        - type
+                        type: object
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    dnsZone:
+                      description: dnsZone is the zone where the record is published.
+                      properties:
+                        id:
+                          description: |-
+                            id is the identifier that can be used to find the DNS hosted zone.
+
+                            on AWS zone can be fetched using `ID` as id in [1]
+                            on Azure zone can be fetched using `ID` as a pre-determined name in [2],
+                            on GCP zone can be fetched using `ID` as a pre-determined name in [3].
+
+                            [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+                            [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+                            [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            tags can be used to query the DNS hosted zone.
+
+                            on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,
+
+                            [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options
+                          type: object
+                      type: object
+                  type: object
+                type: array
+                x-kubernetes-list-type: atomic
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords.crd.yaml b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-Default.crd.yaml
similarity index 97%
rename from vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords.crd.yaml
rename to vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-Default.crd.yaml
index c0a64012d8..d5a090dd43 100644
--- a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords.crd.yaml
+++ b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-Default.crd.yaml
@@ -7,6 +7,7 @@ metadata:
     capability.openshift.io/name: Ingress
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/feature-set: Default
   name: dnsrecords.ingress.operator.openshift.io
 spec:
   group: ingress.operator.openshift.io
@@ -83,8 +84,8 @@ spec:
                 minimum: 0
                 type: integer
               recordType:
-                description: recordType is the DNS record type. For example, "A" or
-                  "CNAME".
+                description: recordType is the DNS record type. For example, "A",
+                  "AAAA", or "CNAME".
                 enum:
                 - CNAME
                 - A
@@ -95,6 +96,7 @@ spec:
                   type: string
                 minItems: 1
                 type: array
+                x-kubernetes-list-type: atomic
             required:
             - dnsManagementPolicy
             - dnsName
@@ -150,6 +152,7 @@ spec:
                         - type
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     dnsZone:
                       description: dnsZone is the zone where the record is published.
                       properties:
@@ -178,6 +181,7 @@ spec:
                       type: object
                   type: object
                 type: array
+                x-kubernetes-list-type: atomic
             type: object
         type: object
     served: true
diff --git a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-DevPreviewNoUpgrade.crd.yaml
new file mode 100644
index 0000000000..c0caf06e8f
--- /dev/null
+++ b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-DevPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,191 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/584
+    api.openshift.io/merged-by-featuregates: "true"
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/feature-set: DevPreviewNoUpgrade
+  name: dnsrecords.ingress.operator.openshift.io
+spec:
+  group: ingress.operator.openshift.io
+  names:
+    kind: DNSRecord
+    listKind: DNSRecordList
+    plural: dnsrecords
+    singular: dnsrecord
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          DNSRecord is a DNS record managed in the zones defined by
+          dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone.
+
+          Cluster admin manipulation of this resource is not supported. This resource
+          is only for internal communication of OpenShift operators.
+
+          If DNSManagementPolicy is "Unmanaged", the operator will not be responsible
+          for managing the DNS records on the cloud provider.
+
+          Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec is the specification of the desired behavior of the
+              dnsRecord.
+            properties:
+              dnsManagementPolicy:
+                default: Managed
+                description: |-
+                  dnsManagementPolicy denotes the current policy applied on the DNS
+                  record. Records that have policy set as "Unmanaged" are ignored by
+                  the ingress operator.  This means that the DNS record on the cloud
+                  provider is not managed by the operator, and the "Published" status
+                  condition will be updated to "Unknown" status, since it is externally
+                  managed. Any existing record on the cloud provider can be deleted at
+                  the discretion of the cluster admin.
+
+                  This field defaults to Managed. Valid values are "Managed" and
+                  "Unmanaged".
+                enum:
+                - Managed
+                - Unmanaged
+                type: string
+              dnsName:
+                description: dnsName is the hostname of the DNS record
+                minLength: 1
+                type: string
+              recordTTL:
+                description: |-
+                  recordTTL is the record TTL in seconds. If zero, the default is 30.
+                  RecordTTL will not be used in AWS regions Alias targets, but
+                  will be used in CNAME targets, per AWS API contract.
+                format: int64
+                minimum: 0
+                type: integer
+              recordType:
+                description: recordType is the DNS record type. For example, "A",
+                  "AAAA", or "CNAME".
+                enum:
+                - CNAME
+                - A
+                - AAAA
+                type: string
+              targets:
+                description: targets are record targets.
+                items:
+                  type: string
+                minItems: 1
+                type: array
+                x-kubernetes-list-type: atomic
+            required:
+            - dnsManagementPolicy
+            - dnsName
+            - recordTTL
+            - recordType
+            - targets
+            type: object
+          status:
+            description: status is the most recently observed status of the dnsRecord.
+            properties:
+              observedGeneration:
+                description: |-
+                  observedGeneration is the most recently observed generation of the
+                  DNSRecord.  When the DNSRecord is updated, the controller updates the
+                  corresponding record in each managed zone.  If an update for a
+                  particular zone fails, that failure is recorded in the status
+                  condition for the zone so that the controller can determine that it
+                  needs to retry the update for that specific zone.
+                format: int64
+                type: integer
+              zones:
+                description: zones are the status of the record in each zone.
+                items:
+                  description: DNSZoneStatus is the status of a record within a specific
+                    zone.
+                  properties:
+                    conditions:
+                      description: |-
+                        conditions are any conditions associated with the record in the zone.
+
+                        If publishing the record succeeds, the "Published" condition will be
+                        set with status "True" and upon failure it will be set to "False" along
+                        with the reason and message describing the cause of the failure.
+                      items:
+                        description: DNSZoneCondition is just the standard condition
+                          fields.
+                        properties:
+                          lastTransitionTime:
+                            format: date-time
+                            type: string
+                          message:
+                            type: string
+                          reason:
+                            type: string
+                          status:
+                            minLength: 1
+                            type: string
+                          type:
+                            minLength: 1
+                            type: string
+                        required:
+                        - status
+                        - type
+                        type: object
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    dnsZone:
+                      description: dnsZone is the zone where the record is published.
+                      properties:
+                        id:
+                          description: |-
+                            id is the identifier that can be used to find the DNS hosted zone.
+
+                            on AWS zone can be fetched using `ID` as id in [1]
+                            on Azure zone can be fetched using `ID` as a pre-determined name in [2],
+                            on GCP zone can be fetched using `ID` as a pre-determined name in [3].
+
+                            [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+                            [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+                            [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            tags can be used to query the DNS hosted zone.
+
+                            on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,
+
+                            [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options
+                          type: object
+                      type: object
+                  type: object
+                type: array
+                x-kubernetes-list-type: atomic
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/manifests/00-custom-resource-definition-internal.yaml b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-OKD.crd.yaml
similarity index 97%
rename from manifests/00-custom-resource-definition-internal.yaml
rename to vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-OKD.crd.yaml
index c0a64012d8..12a1fae9b8 100644
--- a/manifests/00-custom-resource-definition-internal.yaml
+++ b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-OKD.crd.yaml
@@ -7,6 +7,7 @@ metadata:
     capability.openshift.io/name: Ingress
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/feature-set: OKD
   name: dnsrecords.ingress.operator.openshift.io
 spec:
   group: ingress.operator.openshift.io
@@ -83,8 +84,8 @@ spec:
                 minimum: 0
                 type: integer
               recordType:
-                description: recordType is the DNS record type. For example, "A" or
-                  "CNAME".
+                description: recordType is the DNS record type. For example, "A",
+                  "AAAA", or "CNAME".
                 enum:
                 - CNAME
                 - A
@@ -95,6 +96,7 @@ spec:
                   type: string
                 minItems: 1
                 type: array
+                x-kubernetes-list-type: atomic
             required:
             - dnsManagementPolicy
             - dnsName
@@ -150,6 +152,7 @@ spec:
                         - type
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     dnsZone:
                       description: dnsZone is the zone where the record is published.
                       properties:
@@ -178,6 +181,7 @@ spec:
                       type: object
                   type: object
                 type: array
+                x-kubernetes-list-type: atomic
             type: object
         type: object
     served: true
diff --git a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-TechPreviewNoUpgrade.crd.yaml
new file mode 100644
index 0000000000..399c208487
--- /dev/null
+++ b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.crd-manifests/0000_50_dns_01_dnsrecords-TechPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,191 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/584
+    api.openshift.io/merged-by-featuregates: "true"
+    capability.openshift.io/name: Ingress
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/feature-set: TechPreviewNoUpgrade
+  name: dnsrecords.ingress.operator.openshift.io
+spec:
+  group: ingress.operator.openshift.io
+  names:
+    kind: DNSRecord
+    listKind: DNSRecordList
+    plural: dnsrecords
+    singular: dnsrecord
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          DNSRecord is a DNS record managed in the zones defined by
+          dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone.
+
+          Cluster admin manipulation of this resource is not supported. This resource
+          is only for internal communication of OpenShift operators.
+
+          If DNSManagementPolicy is "Unmanaged", the operator will not be responsible
+          for managing the DNS records on the cloud provider.
+
+          Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec is the specification of the desired behavior of the
+              dnsRecord.
+            properties:
+              dnsManagementPolicy:
+                default: Managed
+                description: |-
+                  dnsManagementPolicy denotes the current policy applied on the DNS
+                  record. Records that have policy set as "Unmanaged" are ignored by
+                  the ingress operator.  This means that the DNS record on the cloud
+                  provider is not managed by the operator, and the "Published" status
+                  condition will be updated to "Unknown" status, since it is externally
+                  managed. Any existing record on the cloud provider can be deleted at
+                  the discretion of the cluster admin.
+
+                  This field defaults to Managed. Valid values are "Managed" and
+                  "Unmanaged".
+                enum:
+                - Managed
+                - Unmanaged
+                type: string
+              dnsName:
+                description: dnsName is the hostname of the DNS record
+                minLength: 1
+                type: string
+              recordTTL:
+                description: |-
+                  recordTTL is the record TTL in seconds. If zero, the default is 30.
+                  RecordTTL will not be used in AWS regions Alias targets, but
+                  will be used in CNAME targets, per AWS API contract.
+                format: int64
+                minimum: 0
+                type: integer
+              recordType:
+                description: recordType is the DNS record type. For example, "A",
+                  "AAAA", or "CNAME".
+                enum:
+                - CNAME
+                - A
+                - AAAA
+                type: string
+              targets:
+                description: targets are record targets.
+                items:
+                  type: string
+                minItems: 1
+                type: array
+                x-kubernetes-list-type: atomic
+            required:
+            - dnsManagementPolicy
+            - dnsName
+            - recordTTL
+            - recordType
+            - targets
+            type: object
+          status:
+            description: status is the most recently observed status of the dnsRecord.
+            properties:
+              observedGeneration:
+                description: |-
+                  observedGeneration is the most recently observed generation of the
+                  DNSRecord.  When the DNSRecord is updated, the controller updates the
+                  corresponding record in each managed zone.  If an update for a
+                  particular zone fails, that failure is recorded in the status
+                  condition for the zone so that the controller can determine that it
+                  needs to retry the update for that specific zone.
+                format: int64
+                type: integer
+              zones:
+                description: zones are the status of the record in each zone.
+                items:
+                  description: DNSZoneStatus is the status of a record within a specific
+                    zone.
+                  properties:
+                    conditions:
+                      description: |-
+                        conditions are any conditions associated with the record in the zone.
+
+                        If publishing the record succeeds, the "Published" condition will be
+                        set with status "True" and upon failure it will be set to "False" along
+                        with the reason and message describing the cause of the failure.
+                      items:
+                        description: DNSZoneCondition is just the standard condition
+                          fields.
+                        properties:
+                          lastTransitionTime:
+                            format: date-time
+                            type: string
+                          message:
+                            type: string
+                          reason:
+                            type: string
+                          status:
+                            minLength: 1
+                            type: string
+                          type:
+                            minLength: 1
+                            type: string
+                        required:
+                        - status
+                        - type
+                        type: object
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    dnsZone:
+                      description: dnsZone is the zone where the record is published.
+                      properties:
+                        id:
+                          description: |-
+                            id is the identifier that can be used to find the DNS hosted zone.
+
+                            on AWS zone can be fetched using `ID` as id in [1]
+                            on Azure zone can be fetched using `ID` as a pre-determined name in [2],
+                            on GCP zone can be fetched using `ID` as a pre-determined name in [3].
+
+                            [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+                            [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+                            [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            tags can be used to query the DNS hosted zone.
+
+                            on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,
+
+                            [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options
+                          type: object
+                      type: object
+                  type: object
+                type: array
+                x-kubernetes-list-type: atomic
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.featuregated-crd-manifests.yaml
index 1a2fc330ab..ca2af253ab 100644
--- a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -4,7 +4,9 @@ dnsrecords.ingress.operator.openshift.io:
   CRDName: dnsrecords.ingress.operator.openshift.io
   Capability: Ingress
   Category: ""
-  FeatureGates: []
+  FeatureGates:
+  - AzureDualStackInstall
+  - GCPDualStackInstall
   FilenameOperatorName: dns
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_50"
diff --git a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.swagger_doc_generated.go
index 56ef173aa4..8eecccccd7 100644
--- a/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/operatoringress/v1/zz_generated.swagger_doc_generated.go
@@ -35,7 +35,7 @@ var map_DNSRecordSpec = map[string]string{
 	"":                    "DNSRecordSpec contains the details of a DNS record.",
 	"dnsName":             "dnsName is the hostname of the DNS record",
 	"targets":             "targets are record targets.",
-	"recordType":          "recordType is the DNS record type. For example, \"A\" or \"CNAME\".",
+	"recordType":          "recordType is the DNS record type. For example, \"A\", \"AAAA\", or \"CNAME\".",
 	"recordTTL":           "recordTTL is the record TTL in seconds. If zero, the default is 30. RecordTTL will not be used in AWS regions Alias targets, but will be used in CNAME targets, per AWS API contract.",
 	"dnsManagementPolicy": "dnsManagementPolicy denotes the current policy applied on the DNS record. Records that have policy set as \"Unmanaged\" are ignored by the ingress operator.  This means that the DNS record on the cloud provider is not managed by the operator, and the \"Published\" status condition will be updated to \"Unknown\" status, since it is externally managed. Any existing record on the cloud provider can be deleted at the discretion of the cluster admin.\n\nThis field defaults to Managed. Valid values are \"Managed\" and \"Unmanaged\".",
 }
diff --git a/vendor/github.com/peterbourgon/diskv/LICENSE b/vendor/github.com/peterbourgon/diskv/LICENSE
new file mode 100644
index 0000000000..41ce7f16e1
--- /dev/null
+++ b/vendor/github.com/peterbourgon/diskv/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2011-2012 Peter Bourgon
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/peterbourgon/diskv/README.md b/vendor/github.com/peterbourgon/diskv/README.md
new file mode 100644
index 0000000000..3474739edc
--- /dev/null
+++ b/vendor/github.com/peterbourgon/diskv/README.md
@@ -0,0 +1,141 @@
+# What is diskv?
+
+Diskv (disk-vee) is a simple, persistent key-value store written in the Go
+language. It starts with an incredibly simple API for storing arbitrary data on
+a filesystem by key, and builds several layers of performance-enhancing
+abstraction on top.  The end result is a conceptually simple, but highly
+performant, disk-backed storage system.
+
+[![Build Status][1]][2]
+
+[1]: https://drone.io/github.com/peterbourgon/diskv/status.png
+[2]: https://drone.io/github.com/peterbourgon/diskv/latest
+
+
+# Installing
+
+Install [Go 1][3], either [from source][4] or [with a prepackaged binary][5].
+Then,
+
+```bash
+$ go get github.com/peterbourgon/diskv
+```
+
+[3]: http://golang.org
+[4]: http://golang.org/doc/install/source
+[5]: http://golang.org/doc/install
+
+
+# Usage
+
+```go
+package main
+
+import (
+	"fmt"
+	"github.com/peterbourgon/diskv"
+)
+
+func main() {
+	// Simplest transform function: put all the data files into the base dir.
+	flatTransform := func(s string) []string { return []string{} }
+
+	// Initialize a new diskv store, rooted at "my-data-dir", with a 1MB cache.
+	d := diskv.New(diskv.Options{
+		BasePath:     "my-data-dir",
+		Transform:    flatTransform,
+		CacheSizeMax: 1024 * 1024,
+	})
+
+	// Write three bytes to the key "alpha".
+	key := "alpha"
+	d.Write(key, []byte{'1', '2', '3'})
+
+	// Read the value back out of the store.
+	value, _ := d.Read(key)
+	fmt.Printf("%v\n", value)
+
+	// Erase the key+value from the store (and the disk).
+	d.Erase(key)
+}
+```
+
+More complex examples can be found in the "examples" subdirectory.
+
+
+# Theory
+
+## Basic idea
+
+At its core, diskv is a map of a key (`string`) to arbitrary data (`[]byte`).
+The data is written to a single file on disk, with the same name as the key.
+The key determines where that file will be stored, via a user-provided
+`TransformFunc`, which takes a key and returns a slice (`[]string`)
+corresponding to a path list where the key file will be stored. The simplest
+TransformFunc,
+
+```go
+func SimpleTransform (key string) []string {
+    return []string{}
+}
+```
+
+will place all keys in the same, base directory. The design is inspired by
+[Redis diskstore][6]; a TransformFunc which emulates the default diskstore
+behavior is available in the content-addressable-storage example.
+
+[6]: http://groups.google.com/group/redis-db/browse_thread/thread/d444bc786689bde9?pli=1
+
+**Note** that your TransformFunc should ensure that one valid key doesn't
+transform to a subset of another valid key. That is, it shouldn't be possible
+to construct valid keys that resolve to directory names. As a concrete example,
+if your TransformFunc splits on every 3 characters, then
+
+```go
+d.Write("abcabc", val) // OK: written to <base>/abc/abc/abcabc
+d.Write("abc", val)    // Error: attempted write to <base>/abc/abc, but it's a directory
+```
+
+This will be addressed in an upcoming version of diskv.
+
+Probably the most important design principle behind diskv is that your data is
+always flatly available on the disk. diskv will never do anything that would
+prevent you from accessing, copying, backing up, or otherwise interacting with
+your data via common UNIX commandline tools.
+
+## Adding a cache
+
+An in-memory caching layer is provided by combining the BasicStore
+functionality with a simple map structure, and keeping it up-to-date as
+appropriate. Since the map structure in Go is not threadsafe, it's combined
+with a RWMutex to provide safe concurrent access.
+
+## Adding order
+
+diskv is a key-value store and therefore inherently unordered. An ordering
+system can be injected into the store by passing something which satisfies the
+diskv.Index interface. (A default implementation, using Google's
+[btree][7] package, is provided.) Basically, diskv keeps an ordered (by a
+user-provided Less function) index of the keys, which can be queried.
+
+[7]: https://github.com/google/btree
+
+## Adding compression
+
+Something which implements the diskv.Compression interface may be passed
+during store creation, so that all Writes and Reads are filtered through
+a compression/decompression pipeline. Several default implementations,
+using stdlib compression algorithms, are provided. Note that data is cached
+compressed; the cost of decompression is borne with each Read.
+
+## Streaming
+
+diskv also now provides ReadStream and WriteStream methods, to allow very large
+data to be handled efficiently.
+
+
+# Future plans
+
+ * Needs plenty of robust testing: huge datasets, etc...
+ * More thorough benchmarking
+ * Your suggestions for use-cases I haven't thought of
diff --git a/vendor/github.com/peterbourgon/diskv/compression.go b/vendor/github.com/peterbourgon/diskv/compression.go
new file mode 100644
index 0000000000..5192b02733
--- /dev/null
+++ b/vendor/github.com/peterbourgon/diskv/compression.go
@@ -0,0 +1,64 @@
+package diskv
+
+import (
+	"compress/flate"
+	"compress/gzip"
+	"compress/zlib"
+	"io"
+)
+
+// Compression is an interface that Diskv uses to implement compression of
+// data. Writer takes a destination io.Writer and returns a WriteCloser that
+// compresses all data written through it. Reader takes a source io.Reader and
+// returns a ReadCloser that decompresses all data read through it. You may
+// define these methods on your own type, or use one of the NewCompression
+// helpers.
+type Compression interface {
+	Writer(dst io.Writer) (io.WriteCloser, error)
+	Reader(src io.Reader) (io.ReadCloser, error)
+}
+
+// NewGzipCompression returns a Gzip-based Compression.
+func NewGzipCompression() Compression {
+	return NewGzipCompressionLevel(flate.DefaultCompression)
+}
+
+// NewGzipCompressionLevel returns a Gzip-based Compression with the given level.
+func NewGzipCompressionLevel(level int) Compression {
+	return &genericCompression{
+		wf: func(w io.Writer) (io.WriteCloser, error) { return gzip.NewWriterLevel(w, level) },
+		rf: func(r io.Reader) (io.ReadCloser, error) { return gzip.NewReader(r) },
+	}
+}
+
+// NewZlibCompression returns a Zlib-based Compression.
+func NewZlibCompression() Compression {
+	return NewZlibCompressionLevel(flate.DefaultCompression)
+}
+
+// NewZlibCompressionLevel returns a Zlib-based Compression with the given level.
+func NewZlibCompressionLevel(level int) Compression {
+	return NewZlibCompressionLevelDict(level, nil)
+}
+
+// NewZlibCompressionLevelDict returns a Zlib-based Compression with the given
+// level, based on the given dictionary.
+func NewZlibCompressionLevelDict(level int, dict []byte) Compression {
+	return &genericCompression{
+		func(w io.Writer) (io.WriteCloser, error) { return zlib.NewWriterLevelDict(w, level, dict) },
+		func(r io.Reader) (io.ReadCloser, error) { return zlib.NewReaderDict(r, dict) },
+	}
+}
+
+type genericCompression struct {
+	wf func(w io.Writer) (io.WriteCloser, error)
+	rf func(r io.Reader) (io.ReadCloser, error)
+}
+
+func (g *genericCompression) Writer(dst io.Writer) (io.WriteCloser, error) {
+	return g.wf(dst)
+}
+
+func (g *genericCompression) Reader(src io.Reader) (io.ReadCloser, error) {
+	return g.rf(src)
+}
diff --git a/vendor/github.com/peterbourgon/diskv/diskv.go b/vendor/github.com/peterbourgon/diskv/diskv.go
new file mode 100644
index 0000000000..524dc0a6e3
--- /dev/null
+++ b/vendor/github.com/peterbourgon/diskv/diskv.go
@@ -0,0 +1,624 @@
+// Diskv (disk-vee) is a simple, persistent, key-value store.
+// It stores all data flatly on the filesystem.
+
+package diskv
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"syscall"
+)
+
+const (
+	defaultBasePath             = "diskv"
+	defaultFilePerm os.FileMode = 0666
+	defaultPathPerm os.FileMode = 0777
+)
+
+var (
+	defaultTransform   = func(s string) []string { return []string{} }
+	errCanceled        = errors.New("canceled")
+	errEmptyKey        = errors.New("empty key")
+	errBadKey          = errors.New("bad key")
+	errImportDirectory = errors.New("can't import a directory")
+)
+
+// TransformFunction transforms a key into a slice of strings, with each
+// element in the slice representing a directory in the file path where the
+// key's entry will eventually be stored.
+//
+// For example, if TransformFunc transforms "abcdef" to ["ab", "cde", "f"],
+// the final location of the data file will be <basedir>/ab/cde/f/abcdef
+type TransformFunction func(s string) []string
+
+// Options define a set of properties that dictate Diskv behavior.
+// All values are optional.
+type Options struct {
+	BasePath     string
+	Transform    TransformFunction
+	CacheSizeMax uint64 // bytes
+	PathPerm     os.FileMode
+	FilePerm     os.FileMode
+	// If TempDir is set, it will enable filesystem atomic writes by
+	// writing temporary files to that location before being moved
+	// to BasePath.
+	// Note that TempDir MUST be on the same device/partition as
+	// BasePath.
+	TempDir string
+
+	Index     Index
+	IndexLess LessFunction
+
+	Compression Compression
+}
+
+// Diskv implements the Diskv interface. You shouldn't construct Diskv
+// structures directly; instead, use the New constructor.
+type Diskv struct {
+	Options
+	mu        sync.RWMutex
+	cache     map[string][]byte
+	cacheSize uint64
+}
+
+// New returns an initialized Diskv structure, ready to use.
+// If the path identified by baseDir already contains data,
+// it will be accessible, but not yet cached.
+func New(o Options) *Diskv {
+	if o.BasePath == "" {
+		o.BasePath = defaultBasePath
+	}
+	if o.Transform == nil {
+		o.Transform = defaultTransform
+	}
+	if o.PathPerm == 0 {
+		o.PathPerm = defaultPathPerm
+	}
+	if o.FilePerm == 0 {
+		o.FilePerm = defaultFilePerm
+	}
+
+	d := &Diskv{
+		Options:   o,
+		cache:     map[string][]byte{},
+		cacheSize: 0,
+	}
+
+	if d.Index != nil && d.IndexLess != nil {
+		d.Index.Initialize(d.IndexLess, d.Keys(nil))
+	}
+
+	return d
+}
+
+// Write synchronously writes the key-value pair to disk, making it immediately
+// available for reads. Write relies on the filesystem to perform an eventual
+// sync to physical media. If you need stronger guarantees, see WriteStream.
+func (d *Diskv) Write(key string, val []byte) error {
+	return d.WriteStream(key, bytes.NewBuffer(val), false)
+}
+
+// WriteStream writes the data represented by the io.Reader to the disk, under
+// the provided key. If sync is true, WriteStream performs an explicit sync on
+// the file as soon as it's written.
+//
+// bytes.Buffer provides io.Reader semantics for basic data types.
+func (d *Diskv) WriteStream(key string, r io.Reader, sync bool) error {
+	if len(key) <= 0 {
+		return errEmptyKey
+	}
+
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	return d.writeStreamWithLock(key, r, sync)
+}
+
+// createKeyFileWithLock either creates the key file directly, or
+// creates a temporary file in TempDir if it is set.
+func (d *Diskv) createKeyFileWithLock(key string) (*os.File, error) {
+	if d.TempDir != "" {
+		if err := os.MkdirAll(d.TempDir, d.PathPerm); err != nil {
+			return nil, fmt.Errorf("temp mkdir: %s", err)
+		}
+		f, err := ioutil.TempFile(d.TempDir, "")
+		if err != nil {
+			return nil, fmt.Errorf("temp file: %s", err)
+		}
+
+		if err := f.Chmod(d.FilePerm); err != nil {
+			f.Close()           // error deliberately ignored
+			os.Remove(f.Name()) // error deliberately ignored
+			return nil, fmt.Errorf("chmod: %s", err)
+		}
+		return f, nil
+	}
+
+	mode := os.O_WRONLY | os.O_CREATE | os.O_TRUNC // overwrite if exists
+	f, err := os.OpenFile(d.completeFilename(key), mode, d.FilePerm)
+	if err != nil {
+		return nil, fmt.Errorf("open file: %s", err)
+	}
+	return f, nil
+}
+
+// writeStream does no input validation checking.
+func (d *Diskv) writeStreamWithLock(key string, r io.Reader, sync bool) error {
+	if err := d.ensurePathWithLock(key); err != nil {
+		return fmt.Errorf("ensure path: %s", err)
+	}
+
+	f, err := d.createKeyFileWithLock(key)
+	if err != nil {
+		return fmt.Errorf("create key file: %s", err)
+	}
+
+	wc := io.WriteCloser(&nopWriteCloser{f})
+	if d.Compression != nil {
+		wc, err = d.Compression.Writer(f)
+		if err != nil {
+			f.Close()           // error deliberately ignored
+			os.Remove(f.Name()) // error deliberately ignored
+			return fmt.Errorf("compression writer: %s", err)
+		}
+	}
+
+	if _, err := io.Copy(wc, r); err != nil {
+		f.Close()           // error deliberately ignored
+		os.Remove(f.Name()) // error deliberately ignored
+		return fmt.Errorf("i/o copy: %s", err)
+	}
+
+	if err := wc.Close(); err != nil {
+		f.Close()           // error deliberately ignored
+		os.Remove(f.Name()) // error deliberately ignored
+		return fmt.Errorf("compression close: %s", err)
+	}
+
+	if sync {
+		if err := f.Sync(); err != nil {
+			f.Close()           // error deliberately ignored
+			os.Remove(f.Name()) // error deliberately ignored
+			return fmt.Errorf("file sync: %s", err)
+		}
+	}
+
+	if err := f.Close(); err != nil {
+		return fmt.Errorf("file close: %s", err)
+	}
+
+	if f.Name() != d.completeFilename(key) {
+		if err := os.Rename(f.Name(), d.completeFilename(key)); err != nil {
+			os.Remove(f.Name()) // error deliberately ignored
+			return fmt.Errorf("rename: %s", err)
+		}
+	}
+
+	if d.Index != nil {
+		d.Index.Insert(key)
+	}
+
+	d.bustCacheWithLock(key) // cache only on read
+
+	return nil
+}
+
+// Import imports the source file into diskv under the destination key. If the
+// destination key already exists, it's overwritten. If move is true, the
+// source file is removed after a successful import.
+func (d *Diskv) Import(srcFilename, dstKey string, move bool) (err error) {
+	if dstKey == "" {
+		return errEmptyKey
+	}
+
+	if fi, err := os.Stat(srcFilename); err != nil {
+		return err
+	} else if fi.IsDir() {
+		return errImportDirectory
+	}
+
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	if err := d.ensurePathWithLock(dstKey); err != nil {
+		return fmt.Errorf("ensure path: %s", err)
+	}
+
+	if move {
+		if err := syscall.Rename(srcFilename, d.completeFilename(dstKey)); err == nil {
+			d.bustCacheWithLock(dstKey)
+			return nil
+		} else if err != syscall.EXDEV {
+			// If it failed due to being on a different device, fall back to copying
+			return err
+		}
+	}
+
+	f, err := os.Open(srcFilename)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	err = d.writeStreamWithLock(dstKey, f, false)
+	if err == nil && move {
+		err = os.Remove(srcFilename)
+	}
+	return err
+}
+
+// Read reads the key and returns the value.
+// If the key is available in the cache, Read won't touch the disk.
+// If the key is not in the cache, Read will have the side-effect of
+// lazily caching the value.
+func (d *Diskv) Read(key string) ([]byte, error) {
+	rc, err := d.ReadStream(key, false)
+	if err != nil {
+		return []byte{}, err
+	}
+	defer rc.Close()
+	return ioutil.ReadAll(rc)
+}
+
+// ReadStream reads the key and returns the value (data) as an io.ReadCloser.
+// If the value is cached from a previous read, and direct is false,
+// ReadStream will use the cached value. Otherwise, it will return a handle to
+// the file on disk, and cache the data on read.
+//
+// If direct is true, ReadStream will lazily delete any cached value for the
+// key, and return a direct handle to the file on disk.
+//
+// If compression is enabled, ReadStream taps into the io.Reader stream prior
+// to decompression, and caches the compressed data.
+func (d *Diskv) ReadStream(key string, direct bool) (io.ReadCloser, error) {
+	d.mu.RLock()
+	defer d.mu.RUnlock()
+
+	if val, ok := d.cache[key]; ok {
+		if !direct {
+			buf := bytes.NewBuffer(val)
+			if d.Compression != nil {
+				return d.Compression.Reader(buf)
+			}
+			return ioutil.NopCloser(buf), nil
+		}
+
+		go func() {
+			d.mu.Lock()
+			defer d.mu.Unlock()
+			d.uncacheWithLock(key, uint64(len(val)))
+		}()
+	}
+
+	return d.readWithRLock(key)
+}
+
+// read ignores the cache, and returns an io.ReadCloser representing the
+// decompressed data for the given key, streamed from the disk. Clients should
+// acquire a read lock on the Diskv and check the cache themselves before
+// calling read.
+func (d *Diskv) readWithRLock(key string) (io.ReadCloser, error) {
+	filename := d.completeFilename(key)
+
+	fi, err := os.Stat(filename)
+	if err != nil {
+		return nil, err
+	}
+	if fi.IsDir() {
+		return nil, os.ErrNotExist
+	}
+
+	f, err := os.Open(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	var r io.Reader
+	if d.CacheSizeMax > 0 {
+		r = newSiphon(f, d, key)
+	} else {
+		r = &closingReader{f}
+	}
+
+	var rc = io.ReadCloser(ioutil.NopCloser(r))
+	if d.Compression != nil {
+		rc, err = d.Compression.Reader(r)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return rc, nil
+}
+
+// closingReader provides a Reader that automatically closes the
+// embedded ReadCloser when it reaches EOF
+type closingReader struct {
+	rc io.ReadCloser
+}
+
+func (cr closingReader) Read(p []byte) (int, error) {
+	n, err := cr.rc.Read(p)
+	if err == io.EOF {
+		if closeErr := cr.rc.Close(); closeErr != nil {
+			return n, closeErr // close must succeed for Read to succeed
+		}
+	}
+	return n, err
+}
+
+// siphon is like a TeeReader: it copies all data read through it to an
+// internal buffer, and moves that buffer to the cache at EOF.
+type siphon struct {
+	f   *os.File
+	d   *Diskv
+	key string
+	buf *bytes.Buffer
+}
+
+// newSiphon constructs a siphoning reader that represents the passed file.
+// When a successful series of reads ends in an EOF, the siphon will write
+// the buffered data to Diskv's cache under the given key.
+func newSiphon(f *os.File, d *Diskv, key string) io.Reader {
+	return &siphon{
+		f:   f,
+		d:   d,
+		key: key,
+		buf: &bytes.Buffer{},
+	}
+}
+
+// Read implements the io.Reader interface for siphon.
+func (s *siphon) Read(p []byte) (int, error) {
+	n, err := s.f.Read(p)
+
+	if err == nil {
+		return s.buf.Write(p[0:n]) // Write must succeed for Read to succeed
+	}
+
+	if err == io.EOF {
+		s.d.cacheWithoutLock(s.key, s.buf.Bytes()) // cache may fail
+		if closeErr := s.f.Close(); closeErr != nil {
+			return n, closeErr // close must succeed for Read to succeed
+		}
+		return n, err
+	}
+
+	return n, err
+}
+
+// Erase synchronously erases the given key from the disk and the cache.
+func (d *Diskv) Erase(key string) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	d.bustCacheWithLock(key)
+
+	// erase from index
+	if d.Index != nil {
+		d.Index.Delete(key)
+	}
+
+	// erase from disk
+	filename := d.completeFilename(key)
+	if s, err := os.Stat(filename); err == nil {
+		if s.IsDir() {
+			return errBadKey
+		}
+		if err = os.Remove(filename); err != nil {
+			return err
+		}
+	} else {
+		// Return err as-is so caller can do os.IsNotExist(err).
+		return err
+	}
+
+	// clean up and return
+	d.pruneDirsWithLock(key)
+	return nil
+}
+
+// EraseAll will delete all of the data from the store, both in the cache and on
+// the disk. Note that EraseAll doesn't distinguish diskv-related data from non-
+// diskv-related data. Care should be taken to always specify a diskv base
+// directory that is exclusively for diskv data.
+func (d *Diskv) EraseAll() error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	d.cache = make(map[string][]byte)
+	d.cacheSize = 0
+	if d.TempDir != "" {
+		os.RemoveAll(d.TempDir) // errors ignored
+	}
+	return os.RemoveAll(d.BasePath)
+}
+
+// Has returns true if the given key exists.
+func (d *Diskv) Has(key string) bool {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	if _, ok := d.cache[key]; ok {
+		return true
+	}
+
+	filename := d.completeFilename(key)
+	s, err := os.Stat(filename)
+	if err != nil {
+		return false
+	}
+	if s.IsDir() {
+		return false
+	}
+
+	return true
+}
+
+// Keys returns a channel that will yield every key accessible by the store,
+// in undefined order. If a cancel channel is provided, closing it will
+// terminate and close the keys channel.
+func (d *Diskv) Keys(cancel <-chan struct{}) <-chan string {
+	return d.KeysPrefix("", cancel)
+}
+
+// KeysPrefix returns a channel that will yield every key accessible by the
+// store with the given prefix, in undefined order. If a cancel channel is
+// provided, closing it will terminate and close the keys channel. If the
+// provided prefix is the empty string, all keys will be yielded.
+func (d *Diskv) KeysPrefix(prefix string, cancel <-chan struct{}) <-chan string {
+	var prepath string
+	if prefix == "" {
+		prepath = d.BasePath
+	} else {
+		prepath = d.pathFor(prefix)
+	}
+	c := make(chan string)
+	go func() {
+		filepath.Walk(prepath, walker(c, prefix, cancel))
+		close(c)
+	}()
+	return c
+}
+
+// walker returns a function which satisfies the filepath.WalkFunc interface.
+// It sends every non-directory file entry down the channel c.
+func walker(c chan<- string, prefix string, cancel <-chan struct{}) filepath.WalkFunc {
+	return func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if info.IsDir() || !strings.HasPrefix(info.Name(), prefix) {
+			return nil // "pass"
+		}
+
+		select {
+		case c <- info.Name():
+		case <-cancel:
+			return errCanceled
+		}
+
+		return nil
+	}
+}
+
+// pathFor returns the absolute path for location on the filesystem where the
+// data for the given key will be stored.
+func (d *Diskv) pathFor(key string) string {
+	return filepath.Join(d.BasePath, filepath.Join(d.Transform(key)...))
+}
+
+// ensurePathWithLock is a helper function that generates all necessary
+// directories on the filesystem for the given key.
+func (d *Diskv) ensurePathWithLock(key string) error {
+	return os.MkdirAll(d.pathFor(key), d.PathPerm)
+}
+
+// completeFilename returns the absolute path to the file for the given key.
+func (d *Diskv) completeFilename(key string) string {
+	return filepath.Join(d.pathFor(key), key)
+}
+
+// cacheWithLock attempts to cache the given key-value pair in the store's
+// cache. It can fail if the value is larger than the cache's maximum size.
+func (d *Diskv) cacheWithLock(key string, val []byte) error {
+	valueSize := uint64(len(val))
+	if err := d.ensureCacheSpaceWithLock(valueSize); err != nil {
+		return fmt.Errorf("%s; not caching", err)
+	}
+
+	// be very strict about memory guarantees
+	if (d.cacheSize + valueSize) > d.CacheSizeMax {
+		panic(fmt.Sprintf("failed to make room for value (%d/%d)", valueSize, d.CacheSizeMax))
+	}
+
+	d.cache[key] = val
+	d.cacheSize += valueSize
+	return nil
+}
+
+// cacheWithoutLock acquires the store's (write) mutex and calls cacheWithLock.
+func (d *Diskv) cacheWithoutLock(key string, val []byte) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	return d.cacheWithLock(key, val)
+}
+
+func (d *Diskv) bustCacheWithLock(key string) {
+	if val, ok := d.cache[key]; ok {
+		d.uncacheWithLock(key, uint64(len(val)))
+	}
+}
+
+func (d *Diskv) uncacheWithLock(key string, sz uint64) {
+	d.cacheSize -= sz
+	delete(d.cache, key)
+}
+
+// pruneDirsWithLock deletes empty directories in the path walk leading to the
+// key k. Typically this function is called after an Erase is made.
+func (d *Diskv) pruneDirsWithLock(key string) error {
+	pathlist := d.Transform(key)
+	for i := range pathlist {
+		dir := filepath.Join(d.BasePath, filepath.Join(pathlist[:len(pathlist)-i]...))
+
+		// thanks to Steven Blenkinsop for this snippet
+		switch fi, err := os.Stat(dir); true {
+		case err != nil:
+			return err
+		case !fi.IsDir():
+			panic(fmt.Sprintf("corrupt dirstate at %s", dir))
+		}
+
+		nlinks, err := filepath.Glob(filepath.Join(dir, "*"))
+		if err != nil {
+			return err
+		} else if len(nlinks) > 0 {
+			return nil // has subdirs -- do not prune
+		}
+		if err = os.Remove(dir); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ensureCacheSpaceWithLock deletes entries from the cache in arbitrary order
+// until the cache has at least valueSize bytes available.
+func (d *Diskv) ensureCacheSpaceWithLock(valueSize uint64) error {
+	if valueSize > d.CacheSizeMax {
+		return fmt.Errorf("value size (%d bytes) too large for cache (%d bytes)", valueSize, d.CacheSizeMax)
+	}
+
+	safe := func() bool { return (d.cacheSize + valueSize) <= d.CacheSizeMax }
+
+	for key, val := range d.cache {
+		if safe() {
+			break
+		}
+
+		d.uncacheWithLock(key, uint64(len(val)))
+	}
+
+	if !safe() {
+		panic(fmt.Sprintf("%d bytes still won't fit in the cache! (max %d bytes)", valueSize, d.CacheSizeMax))
+	}
+
+	return nil
+}
+
+// nopWriteCloser wraps an io.Writer and provides a no-op Close method to
+// satisfy the io.WriteCloser interface.
+type nopWriteCloser struct {
+	io.Writer
+}
+
+func (wc *nopWriteCloser) Write(p []byte) (int, error) { return wc.Writer.Write(p) }
+func (wc *nopWriteCloser) Close() error                { return nil }
diff --git a/vendor/github.com/peterbourgon/diskv/index.go b/vendor/github.com/peterbourgon/diskv/index.go
new file mode 100644
index 0000000000..96fee5152b
--- /dev/null
+++ b/vendor/github.com/peterbourgon/diskv/index.go
@@ -0,0 +1,115 @@
+package diskv
+
+import (
+	"sync"
+
+	"github.com/google/btree"
+)
+
+// Index is a generic interface for things that can
+// provide an ordered list of keys.
+type Index interface {
+	Initialize(less LessFunction, keys <-chan string)
+	Insert(key string)
+	Delete(key string)
+	Keys(from string, n int) []string
+}
+
+// LessFunction is used to initialize an Index of keys in a specific order.
+type LessFunction func(string, string) bool
+
+// btreeString is a custom data type that satisfies the BTree Less interface,
+// making the strings it wraps sortable by the BTree package.
+type btreeString struct {
+	s string
+	l LessFunction
+}
+
+// Less satisfies the BTree.Less interface using the btreeString's LessFunction.
+func (s btreeString) Less(i btree.Item) bool {
+	return s.l(s.s, i.(btreeString).s)
+}
+
+// BTreeIndex is an implementation of the Index interface using google/btree.
+type BTreeIndex struct {
+	sync.RWMutex
+	LessFunction
+	*btree.BTree
+}
+
+// Initialize populates the BTree tree with data from the keys channel,
+// according to the passed less function. It's destructive to the BTreeIndex.
+func (i *BTreeIndex) Initialize(less LessFunction, keys <-chan string) {
+	i.Lock()
+	defer i.Unlock()
+	i.LessFunction = less
+	i.BTree = rebuild(less, keys)
+}
+
+// Insert inserts the given key (only) into the BTree tree.
+func (i *BTreeIndex) Insert(key string) {
+	i.Lock()
+	defer i.Unlock()
+	if i.BTree == nil || i.LessFunction == nil {
+		panic("uninitialized index")
+	}
+	i.BTree.ReplaceOrInsert(btreeString{s: key, l: i.LessFunction})
+}
+
+// Delete removes the given key (only) from the BTree tree.
+func (i *BTreeIndex) Delete(key string) {
+	i.Lock()
+	defer i.Unlock()
+	if i.BTree == nil || i.LessFunction == nil {
+		panic("uninitialized index")
+	}
+	i.BTree.Delete(btreeString{s: key, l: i.LessFunction})
+}
+
+// Keys yields a maximum of n keys in order. If the passed 'from' key is empty,
+// Keys will return the first n keys. If the passed 'from' key is non-empty, the
+// first key in the returned slice will be the key that immediately follows the
+// passed key, in key order.
+func (i *BTreeIndex) Keys(from string, n int) []string {
+	i.RLock()
+	defer i.RUnlock()
+
+	if i.BTree == nil || i.LessFunction == nil {
+		panic("uninitialized index")
+	}
+
+	if i.BTree.Len() <= 0 {
+		return []string{}
+	}
+
+	btreeFrom := btreeString{s: from, l: i.LessFunction}
+	skipFirst := true
+	if len(from) <= 0 || !i.BTree.Has(btreeFrom) {
+		// no such key, so fabricate an always-smallest item
+		btreeFrom = btreeString{s: "", l: func(string, string) bool { return true }}
+		skipFirst = false
+	}
+
+	keys := []string{}
+	iterator := func(i btree.Item) bool {
+		keys = append(keys, i.(btreeString).s)
+		return len(keys) < n
+	}
+	i.BTree.AscendGreaterOrEqual(btreeFrom, iterator)
+
+	if skipFirst && len(keys) > 0 {
+		keys = keys[1:]
+	}
+
+	return keys
+}
+
+// rebuildIndex does the work of regenerating the index
+// with the given keys.
+func rebuild(less LessFunction, keys <-chan string) *btree.BTree {
+	tree := btree.New(2)
+	for key := range keys {
+		tree.ReplaceOrInsert(btreeString{s: key, l: less})
+	}
+	return tree
+}
diff --git a/vendor/github.com/rivo/uniseg/LICENSE.txt b/vendor/github.com/rivo/uniseg/LICENSE.txt
new file mode 100644
index 0000000000..5040f1ef80
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/LICENSE.txt
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Oliver Kuederle
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/rivo/uniseg/README.md b/vendor/github.com/rivo/uniseg/README.md
new file mode 100644
index 0000000000..a8191b8154
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/README.md
@@ -0,0 +1,137 @@
+# Unicode Text Segmentation for Go
+
+[![Go Reference](https://pkg.go.dev/badge/github.com/rivo/uniseg.svg)](https://pkg.go.dev/github.com/rivo/uniseg)
+[![Go Report](https://img.shields.io/badge/go%20report-A%2B-brightgreen.svg)](https://goreportcard.com/report/github.com/rivo/uniseg)
+
+This Go package implements Unicode Text Segmentation according to [Unicode Standard Annex #29](https://unicode.org/reports/tr29/), Unicode Line Breaking according to [Unicode Standard Annex #14](https://unicode.org/reports/tr14/) (Unicode version 15.0.0), and monospace font string width calculation similar to [wcwidth](https://man7.org/linux/man-pages/man3/wcwidth.3.html).
+
+## Background
+
+### Grapheme Clusters
+
+In Go, [strings are read-only slices of bytes](https://go.dev/blog/strings). They can be turned into Unicode code points using the `for` loop or by casting: `[]rune(str)`. However, multiple code points may be combined into one user-perceived character or what the Unicode specification calls "grapheme cluster". Here are some examples:
+
+|String|Bytes (UTF-8)|Code points (runes)|Grapheme clusters|
+|-|-|-|-|
+|Käse|6 bytes: `4b 61 cc 88 73 65`|5 code points: `4b 61 308 73 65`|4 clusters: `[4b],[61 308],[73],[65]`|
+|���🌈|14 bytes: `f0 9f 8f b3 ef b8 8f e2 80 8d f0 9f 8c 88`|4 code points: `1f3f3 fe0f 200d 1f308`|1 cluster: `[1f3f3 fe0f 200d 1f308]`|
+|🇩🇪|8 bytes: `f0 9f 87 a9 f0 9f 87 aa`|2 code points: `1f1e9 1f1ea`|1 cluster: `[1f1e9 1f1ea]`|
+
+This package provides tools to iterate over these grapheme clusters. This may be used to determine the number of user-perceived characters, to split strings in their intended places, or to extract individual characters which form a unit.
+
+### Word Boundaries
+
+Word boundaries are used in a number of different contexts. The most familiar ones are selection (double-click mouse selection), cursor movement ("move to next word" control-arrow keys), and the dialog option "Whole Word Search" for search and replace. They are also used in database queries, to determine whether elements are within a certain number of words of one another. Searching may also use word boundaries in determining matching items. This package provides tools to determine word boundaries within strings.
+
+### Sentence Boundaries
+
+Sentence boundaries are often used for triple-click or some other method of selecting or iterating through blocks of text that are larger than single words. They are also used to determine whether words occur within the same sentence in database queries. This package provides tools to determine sentence boundaries within strings.
+
+### Line Breaking
+
+Line breaking, also known as word wrapping, is the process of breaking a section of text into lines such that it will fit in the available width of a page, window or other display area. This package provides tools to determine where a string may or may not be broken and where it must be broken (for example after newline characters).
+
+### Monospace Width
+
+Most terminals or text displays / text editors using a monospace font (for example source code editors) use a fixed width for each character. Some characters such as emojis or characters found in Asian and other languages may take up more than one character cell. This package provides tools to determine the number of cells a string will take up when displayed in a monospace font. See [here](https://pkg.go.dev/github.com/rivo/uniseg#hdr-Monospace_Width) for more information.
+
+## Installation
+
+```bash
+go get github.com/rivo/uniseg
+```
+
+## Examples
+
+### Counting Characters in a String
+
+```go
+n := uniseg.GraphemeClusterCount("🇩🇪���🌈")
+fmt.Println(n)
+// 2
+```
+
+### Calculating the Monospace String Width
+
+```go
+width := uniseg.StringWidth("🇩🇪���🌈!")
+fmt.Println(width)
+// 5
+```
+
+### Using the [`Graphemes`](https://pkg.go.dev/github.com/rivo/uniseg#Graphemes) Class
+
+This is the most convenient method of iterating over grapheme clusters:
+
+```go
+gr := uniseg.NewGraphemes("��!")
+for gr.Next() {
+	fmt.Printf("%x ", gr.Runes())
+}
+// [1f44d 1f3fc] [21]
+```
+
+### Using the [`Step`](https://pkg.go.dev/github.com/rivo/uniseg#Step) or [`StepString`](https://pkg.go.dev/github.com/rivo/uniseg#StepString) Function
+
+This avoids allocating a new `Graphemes` object but it requires the handling of states and boundaries:
+
+```go
+str := "🇩🇪���🌈"
+state := -1
+var c string
+for len(str) > 0 {
+	c, str, _, state = uniseg.StepString(str, state)
+	fmt.Printf("%x ", []rune(c))
+}
+// [1f1e9 1f1ea] [1f3f3 fe0f 200d 1f308]
+```
+
+### Advanced Examples
+
+The [`Graphemes`](https://pkg.go.dev/github.com/rivo/uniseg#Graphemes) class offers the most convenient way to access all functionality of this package. But in some cases, it may be better to use the specialized functions directly. For example, if you're only interested in word segmentation, use [`FirstWord`](https://pkg.go.dev/github.com/rivo/uniseg#FirstWord) or [`FirstWordInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstWordInString):
+
+```go
+str := "Hello, world!"
+state := -1
+var c string
+for len(str) > 0 {
+	c, str, state = uniseg.FirstWordInString(str, state)
+	fmt.Printf("(%s)\n", c)
+}
+// (Hello)
+// (,)
+// ( )
+// (world)
+// (!)
+```
+
+Similarly, use
+
+- [`FirstGraphemeCluster`](https://pkg.go.dev/github.com/rivo/uniseg#FirstGraphemeCluster) or [`FirstGraphemeClusterInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstGraphemeClusterInString) for grapheme cluster determination only,
+- [`FirstSentence`](https://pkg.go.dev/github.com/rivo/uniseg#FirstSentence) or [`FirstSentenceInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstSentenceInString) for sentence segmentation only, and
+- [`FirstLineSegment`](https://pkg.go.dev/github.com/rivo/uniseg#FirstLineSegment) or [`FirstLineSegmentInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstLineSegmentInString) for line breaking / word wrapping (although using [`Step`](https://pkg.go.dev/github.com/rivo/uniseg#Step) or [`StepString`](https://pkg.go.dev/github.com/rivo/uniseg#StepString) is preferred as it will observe grapheme cluster boundaries).
+
+If you're only interested in the width of characters, use [`FirstGraphemeCluster`](https://pkg.go.dev/github.com/rivo/uniseg#FirstGraphemeCluster) or [`FirstGraphemeClusterInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstGraphemeClusterInString). It is much faster than using [`Step`](https://pkg.go.dev/github.com/rivo/uniseg#Step), [`StepString`](https://pkg.go.dev/github.com/rivo/uniseg#StepString), or the [`Graphemes`](https://pkg.go.dev/github.com/rivo/uniseg#Graphemes) class because it does not include the logic for word / sentence / line boundaries.
+
+Finally, if you need to reverse a string while preserving grapheme clusters, use [`ReverseString`](https://pkg.go.dev/github.com/rivo/uniseg#ReverseString):
+
+```go
+fmt.Println(uniseg.ReverseString("🇩🇪���🌈"))
+// ���🌈🇩🇪
+```
+
+## Documentation
+
+Refer to https://pkg.go.dev/github.com/rivo/uniseg for the package's documentation.
+
+## Dependencies
+
+This package does not depend on any packages outside the standard library.
+
+## Sponsor this Project
+
+[Become a Sponsor on GitHub](https://github.com/sponsors/rivo?metadata_source=uniseg_readme) to support this project!
+
+## Your Feedback
+
+Add your issue here on GitHub, preferably before submitting any PR's. Feel free to get in touch if you have any questions.
\ No newline at end of file
diff --git a/vendor/github.com/rivo/uniseg/doc.go b/vendor/github.com/rivo/uniseg/doc.go
new file mode 100644
index 0000000000..11224ae22d
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/doc.go
@@ -0,0 +1,108 @@
+/*
+Package uniseg implements Unicode Text Segmentation, Unicode Line Breaking, and
+string width calculation for monospace fonts. Unicode Text Segmentation conforms
+to Unicode Standard Annex #29 (https://unicode.org/reports/tr29/) and Unicode
+Line Breaking conforms to Unicode Standard Annex #14
+(https://unicode.org/reports/tr14/).
+
+In short, using this package, you can split a string into grapheme clusters
+(what people would usually refer to as a "character"), into words, and into
+sentences. Or, in its simplest case, this package allows you to count the number
+of characters in a string, especially when it contains complex characters such
+as emojis, combining characters, or characters from Asian, Arabic, Hebrew, or
+other languages. Additionally, you can use it to implement line breaking (or
+"word wrapping"), that is, to determine where text can be broken over to the
+next line when the width of the line is not big enough to fit the entire text.
+Finally, you can use it to calculate the display width of a string for monospace
+fonts.
+
+# Getting Started
+
+If you just want to count the number of characters in a string, you can use
+[GraphemeClusterCount]. If you want to determine the display width of a string,
+you can use [StringWidth]. If you want to iterate over a string, you can use
+[Step], [StepString], or the [Graphemes] class (more convenient but less
+performant). This will provide you with all information: grapheme clusters,
+word boundaries, sentence boundaries, line breaks, and monospace character
+widths. The specialized functions [FirstGraphemeCluster],
+[FirstGraphemeClusterInString], [FirstWord], [FirstWordInString],
+[FirstSentence], and [FirstSentenceInString] can be used if only one type of
+information is needed.
+
+# Grapheme Clusters
+
+Consider the rainbow flag emoji: ���🌈. On most modern systems, it appears as one
+character. But its string representation actually has 14 bytes, so counting
+bytes (or using len("���🌈")) will not work as expected. Counting runes won't,
+either: The flag has 4 Unicode code points, thus 4 runes. The stdlib function
+utf8.RuneCountInString("���🌈") and len([]rune("���🌈")) will both return 4.
+
+The [GraphemeClusterCount] function will return 1 for the rainbow flag emoji.
+The Graphemes class and a variety of functions in this package will allow you to
+split strings into its grapheme clusters.
+
+# Word Boundaries
+
+Word boundaries are used in a number of different contexts. The most familiar
+ones are selection (double-click mouse selection), cursor movement ("move to
+next word" control-arrow keys), and the dialog option "Whole Word Search" for
+search and replace. This package provides methods for determining word
+boundaries.
+
+# Sentence Boundaries
+
+Sentence boundaries are often used for triple-click or some other method of
+selecting or iterating through blocks of text that are larger than single words.
+They are also used to determine whether words occur within the same sentence in
+database queries. This package provides methods for determining sentence
+boundaries.
+
+# Line Breaking
+
+Line breaking, also known as word wrapping, is the process of breaking a section
+of text into lines such that it will fit in the available width of a page,
+window or other display area. This package provides methods to determine the
+positions in a string where a line must be broken, may be broken, or must not be
+broken.
+
+# Monospace Width
+
+Monospace width, as referred to in this package, is the width of a string in a
+monospace font. This is commonly used in terminal user interfaces or text
+displays or editors that don't support proportional fonts. A width of 1
+corresponds to a single character cell. The C function [wcswidth()] and its
+implementation in other programming languages is in widespread use for the same
+purpose. However, there is no standard for the calculation of such widths, and
+this package differs from wcswidth() in a number of ways, presumably to generate
+more visually pleasing results.
+
+To start, we assume that every code point has a width of 1, with the following
+exceptions:
+
+  - Code points with grapheme cluster break properties Control, CR, LF, Extend,
+    and ZWJ have a width of 0.
+  - U+2E3A, Two-Em Dash, has a width of 3.
+  - U+2E3B, Three-Em Dash, has a width of 4.
+  - Characters with the East-Asian Width properties "Fullwidth" (F) and "Wide"
+    (W) have a width of 2. (Properties "Ambiguous" (A) and "Neutral" (N) both
+    have a width of 1.)
+  - Code points with grapheme cluster break property Regional Indicator have a
+    width of 2.
+  - Code points with grapheme cluster break property Extended Pictographic have
+    a width of 2, unless their Emoji Presentation flag is "No", in which case
+    the width is 1.
+
+For Hangul grapheme clusters composed of conjoining Jamo and for Regional
+Indicators (flags), all code points except the first one have a width of 0. For
+grapheme clusters starting with an Extended Pictographic, any additional code
+point will force a total width of 2, except if the Variation Selector-15
+(U+FE0E) is included, in which case the total width is always 1. Grapheme
+clusters ending with Variation Selector-16 (U+FE0F) have a width of 2.
+
+Note that whether these widths appear correct depends on your application's
+render engine, to which extent it conforms to the Unicode Standard, and its
+choice of font.
+
+[wcswidth()]: https://man7.org/linux/man-pages/man3/wcswidth.3.html
+*/
+package uniseg
diff --git a/vendor/github.com/rivo/uniseg/eastasianwidth.go b/vendor/github.com/rivo/uniseg/eastasianwidth.go
new file mode 100644
index 0000000000..5fc54d9915
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/eastasianwidth.go
@@ -0,0 +1,2588 @@
+// Code generated via go generate from gen_properties.go. DO NOT EDIT.
+
+package uniseg
+
+// eastAsianWidth are taken from
+// https://www.unicode.org/Public/15.0.0/ucd/EastAsianWidth.txt
+// and
+// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt
+// ("Extended_Pictographic" only)
+// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode
+// license agreement.
+var eastAsianWidth = [][3]int{
+	{0x0000, 0x001F, prN},     // Cc    [32] <control-0000>..<control-001F>
+	{0x0020, 0x0020, prNa},    // Zs         SPACE
+	{0x0021, 0x0023, prNa},    // Po     [3] EXCLAMATION MARK..NUMBER SIGN
+	{0x0024, 0x0024, prNa},    // Sc         DOLLAR SIGN
+	{0x0025, 0x0027, prNa},    // Po     [3] PERCENT SIGN..APOSTROPHE
+	{0x0028, 0x0028, prNa},    // Ps         LEFT PARENTHESIS
+	{0x0029, 0x0029, prNa},    // Pe         RIGHT PARENTHESIS
+	{0x002A, 0x002A, prNa},    // Po         ASTERISK
+	{0x002B, 0x002B, prNa},    // Sm         PLUS SIGN
+	{0x002C, 0x002C, prNa},    // Po         COMMA
+	{0x002D, 0x002D, prNa},    // Pd         HYPHEN-MINUS
+	{0x002E, 0x002F, prNa},    // Po     [2] FULL STOP..SOLIDUS
+	{0x0030, 0x0039, prNa},    // Nd    [10] DIGIT ZERO..DIGIT NINE
+	{0x003A, 0x003B, prNa},    // Po     [2] COLON..SEMICOLON
+	{0x003C, 0x003E, prNa},    // Sm     [3] LESS-THAN SIGN..GREATER-THAN SIGN
+	{0x003F, 0x0040, prNa},    // Po     [2] QUESTION MARK..COMMERCIAL AT
+	{0x0041, 0x005A, prNa},    // Lu    [26] LATIN CAPITAL LETTER A..LATIN CAPITAL LETTER Z
+	{0x005B, 0x005B, prNa},    // Ps         LEFT SQUARE BRACKET
+	{0x005C, 0x005C, prNa},    // Po         REVERSE SOLIDUS
+	{0x005D, 0x005D, prNa},    // Pe         RIGHT SQUARE BRACKET
+	{0x005E, 0x005E, prNa},    // Sk         CIRCUMFLEX ACCENT
+	{0x005F, 0x005F, prNa},    // Pc         LOW LINE
+	{0x0060, 0x0060, prNa},    // Sk         GRAVE ACCENT
+	{0x0061, 0x007A, prNa},    // Ll    [26] LATIN SMALL LETTER A..LATIN SMALL LETTER Z
+	{0x007B, 0x007B, prNa},    // Ps         LEFT CURLY BRACKET
+	{0x007C, 0x007C, prNa},    // Sm         VERTICAL LINE
+	{0x007D, 0x007D, prNa},    // Pe         RIGHT CURLY BRACKET
+	{0x007E, 0x007E, prNa},    // Sm         TILDE
+	{0x007F, 0x007F, prN},     // Cc         <control-007F>
+	{0x0080, 0x009F, prN},     // Cc    [32] <control-0080>..<control-009F>
+	{0x00A0, 0x00A0, prN},     // Zs         NO-BREAK SPACE
+	{0x00A1, 0x00A1, prA},     // Po         INVERTED EXCLAMATION MARK
+	{0x00A2, 0x00A3, prNa},    // Sc     [2] CENT SIGN..POUND SIGN
+	{0x00A4, 0x00A4, prA},     // Sc         CURRENCY SIGN
+	{0x00A5, 0x00A5, prNa},    // Sc         YEN SIGN
+	{0x00A6, 0x00A6, prNa},    // So         BROKEN BAR
+	{0x00A7, 0x00A7, prA},     // Po         SECTION SIGN
+	{0x00A8, 0x00A8, prA},     // Sk         DIAERESIS
+	{0x00A9, 0x00A9, prN},     // So         COPYRIGHT SIGN
+	{0x00AA, 0x00AA, prA},     // Lo         FEMININE ORDINAL INDICATOR
+	{0x00AB, 0x00AB, prN},     // Pi         LEFT-POINTING DOUBLE ANGLE QUOTATION MARK
+	{0x00AC, 0x00AC, prNa},    // Sm         NOT SIGN
+	{0x00AD, 0x00AD, prA},     // Cf         SOFT HYPHEN
+	{0x00AE, 0x00AE, prA},     // So         REGISTERED SIGN
+	{0x00AF, 0x00AF, prNa},    // Sk         MACRON
+	{0x00B0, 0x00B0, prA},     // So         DEGREE SIGN
+	{0x00B1, 0x00B1, prA},     // Sm         PLUS-MINUS SIGN
+	{0x00B2, 0x00B3, prA},     // No     [2] SUPERSCRIPT TWO..SUPERSCRIPT THREE
+	{0x00B4, 0x00B4, prA},     // Sk         ACUTE ACCENT
+	{0x00B5, 0x00B5, prN},     // Ll         MICRO SIGN
+	{0x00B6, 0x00B7, prA},     // Po     [2] PILCROW SIGN..MIDDLE DOT
+	{0x00B8, 0x00B8, prA},     // Sk         CEDILLA
+	{0x00B9, 0x00B9, prA},     // No         SUPERSCRIPT ONE
+	{0x00BA, 0x00BA, prA},     // Lo         MASCULINE ORDINAL INDICATOR
+	{0x00BB, 0x00BB, prN},     // Pf         RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK
+	{0x00BC, 0x00BE, prA},     // No     [3] VULGAR FRACTION ONE QUARTER..VULGAR FRACTION THREE QUARTERS
+	{0x00BF, 0x00BF, prA},     // Po         INVERTED QUESTION MARK
+	{0x00C0, 0x00C5, prN},     // Lu     [6] LATIN CAPITAL LETTER A WITH GRAVE..LATIN CAPITAL LETTER A WITH RING ABOVE
+	{0x00C6, 0x00C6, prA},     // Lu         LATIN CAPITAL LETTER AE
+	{0x00C7, 0x00CF, prN},     // Lu     [9] LATIN CAPITAL LETTER C WITH CEDILLA..LATIN CAPITAL LETTER I WITH DIAERESIS
+	{0x00D0, 0x00D0, prA},     // Lu         LATIN CAPITAL LETTER ETH
+	{0x00D1, 0x00D6, prN},     // Lu     [6] LATIN CAPITAL LETTER N WITH TILDE..LATIN CAPITAL LETTER O WITH DIAERESIS
+	{0x00D7, 0x00D7, prA},     // Sm         MULTIPLICATION SIGN
+	{0x00D8, 0x00D8, prA},     // Lu         LATIN CAPITAL LETTER O WITH STROKE
+	{0x00D9, 0x00DD, prN},     // Lu     [5] LATIN CAPITAL LETTER U WITH GRAVE..LATIN CAPITAL LETTER Y WITH ACUTE
+	{0x00DE, 0x00E1, prA},     // L&     [4] LATIN CAPITAL LETTER THORN..LATIN SMALL LETTER A WITH ACUTE
+	{0x00E2, 0x00E5, prN},     // Ll     [4] LATIN SMALL LETTER A WITH CIRCUMFLEX..LATIN SMALL LETTER A WITH RING ABOVE
+	{0x00E6, 0x00E6, prA},     // Ll         LATIN SMALL LETTER AE
+	{0x00E7, 0x00E7, prN},     // Ll         LATIN SMALL LETTER C WITH CEDILLA
+	{0x00E8, 0x00EA, prA},     // Ll     [3] LATIN SMALL LETTER E WITH GRAVE..LATIN SMALL LETTER E WITH CIRCUMFLEX
+	{0x00EB, 0x00EB, prN},     // Ll         LATIN SMALL LETTER E WITH DIAERESIS
+	{0x00EC, 0x00ED, prA},     // Ll     [2] LATIN SMALL LETTER I WITH GRAVE..LATIN SMALL LETTER I WITH ACUTE
+	{0x00EE, 0x00EF, prN},     // Ll     [2] LATIN SMALL LETTER I WITH CIRCUMFLEX..LATIN SMALL LETTER I WITH DIAERESIS
+	{0x00F0, 0x00F0, prA},     // Ll         LATIN SMALL LETTER ETH
+	{0x00F1, 0x00F1, prN},     // Ll         LATIN SMALL LETTER N WITH TILDE
+	{0x00F2, 0x00F3, prA},     // Ll     [2] LATIN SMALL LETTER O WITH GRAVE..LATIN SMALL LETTER O WITH ACUTE
+	{0x00F4, 0x00F6, prN},     // Ll     [3] LATIN SMALL LETTER O WITH CIRCUMFLEX..LATIN SMALL LETTER O WITH DIAERESIS
+	{0x00F7, 0x00F7, prA},     // Sm         DIVISION SIGN
+	{0x00F8, 0x00FA, prA},     // Ll     [3] LATIN SMALL LETTER O WITH STROKE..LATIN SMALL LETTER U WITH ACUTE
+	{0x00FB, 0x00FB, prN},     // Ll         LATIN SMALL LETTER U WITH CIRCUMFLEX
+	{0x00FC, 0x00FC, prA},     // Ll         LATIN SMALL LETTER U WITH DIAERESIS
+	{0x00FD, 0x00FD, prN},     // Ll         LATIN SMALL LETTER Y WITH ACUTE
+	{0x00FE, 0x00FE, prA},     // Ll         LATIN SMALL LETTER THORN
+	{0x00FF, 0x00FF, prN},     // Ll         LATIN SMALL LETTER Y WITH DIAERESIS
+	{0x0100, 0x0100, prN},     // Lu         LATIN CAPITAL LETTER A WITH MACRON
+	{0x0101, 0x0101, prA},     // Ll         LATIN SMALL LETTER A WITH MACRON
+	{0x0102, 0x0110, prN},     // L&    [15] LATIN CAPITAL LETTER A WITH BREVE..LATIN CAPITAL LETTER D WITH STROKE
+	{0x0111, 0x0111, prA},     // Ll         LATIN SMALL LETTER D WITH STROKE
+	{0x0112, 0x0112, prN},     // Lu         LATIN CAPITAL LETTER E WITH MACRON
+	{0x0113, 0x0113, prA},     // Ll         LATIN SMALL LETTER E WITH MACRON
+	{0x0114, 0x011A, prN},     // L&     [7] LATIN CAPITAL LETTER E WITH BREVE..LATIN CAPITAL LETTER E WITH CARON
+	{0x011B, 0x011B, prA},     // Ll         LATIN SMALL LETTER E WITH CARON
+	{0x011C, 0x0125, prN},     // L&    [10] LATIN CAPITAL LETTER G WITH CIRCUMFLEX..LATIN SMALL LETTER H WITH CIRCUMFLEX
+	{0x0126, 0x0127, prA},     // L&     [2] LATIN CAPITAL LETTER H WITH STROKE..LATIN SMALL LETTER H WITH STROKE
+	{0x0128, 0x012A, prN},     // L&     [3] LATIN CAPITAL LETTER I WITH TILDE..LATIN CAPITAL LETTER I WITH MACRON
+	{0x012B, 0x012B, prA},     // Ll         LATIN SMALL LETTER I WITH MACRON
+	{0x012C, 0x0130, prN},     // L&     [5] LATIN CAPITAL LETTER I WITH BREVE..LATIN CAPITAL LETTER I WITH DOT ABOVE
+	{0x0131, 0x0133, prA},     // L&     [3] LATIN SMALL LETTER DOTLESS I..LATIN SMALL LIGATURE IJ
+	{0x0134, 0x0137, prN},     // L&     [4] LATIN CAPITAL LETTER J WITH CIRCUMFLEX..LATIN SMALL LETTER K WITH CEDILLA
+	{0x0138, 0x0138, prA},     // Ll         LATIN SMALL LETTER KRA
+	{0x0139, 0x013E, prN},     // L&     [6] LATIN CAPITAL LETTER L WITH ACUTE..LATIN SMALL LETTER L WITH CARON
+	{0x013F, 0x0142, prA},     // L&     [4] LATIN CAPITAL LETTER L WITH MIDDLE DOT..LATIN SMALL LETTER L WITH STROKE
+	{0x0143, 0x0143, prN},     // Lu         LATIN CAPITAL LETTER N WITH ACUTE
+	{0x0144, 0x0144, prA},     // Ll         LATIN SMALL LETTER N WITH ACUTE
+	{0x0145, 0x0147, prN},     // L&     [3] LATIN CAPITAL LETTER N WITH CEDILLA..LATIN CAPITAL LETTER N WITH CARON
+	{0x0148, 0x014B, prA},     // L&     [4] LATIN SMALL LETTER N WITH CARON..LATIN SMALL LETTER ENG
+	{0x014C, 0x014C, prN},     // Lu         LATIN CAPITAL LETTER O WITH MACRON
+	{0x014D, 0x014D, prA},     // Ll         LATIN SMALL LETTER O WITH MACRON
+	{0x014E, 0x0151, prN},     // L&     [4] LATIN CAPITAL LETTER O WITH BREVE..LATIN SMALL LETTER O WITH DOUBLE ACUTE
+	{0x0152, 0x0153, prA},     // L&     [2] LATIN CAPITAL LIGATURE OE..LATIN SMALL LIGATURE OE
+	{0x0154, 0x0165, prN},     // L&    [18] LATIN CAPITAL LETTER R WITH ACUTE..LATIN SMALL LETTER T WITH CARON
+	{0x0166, 0x0167, prA},     // L&     [2] LATIN CAPITAL LETTER T WITH STROKE..LATIN SMALL LETTER T WITH STROKE
+	{0x0168, 0x016A, prN},     // L&     [3] LATIN CAPITAL LETTER U WITH TILDE..LATIN CAPITAL LETTER U WITH MACRON
+	{0x016B, 0x016B, prA},     // Ll         LATIN SMALL LETTER U WITH MACRON
+	{0x016C, 0x017F, prN},     // L&    [20] LATIN CAPITAL LETTER U WITH BREVE..LATIN SMALL LETTER LONG S
+	{0x0180, 0x01BA, prN},     // L&    [59] LATIN SMALL LETTER B WITH STROKE..LATIN SMALL LETTER EZH WITH TAIL
+	{0x01BB, 0x01BB, prN},     // Lo         LATIN LETTER TWO WITH STROKE
+	{0x01BC, 0x01BF, prN},     // L&     [4] LATIN CAPITAL LETTER TONE FIVE..LATIN LETTER WYNN
+	{0x01C0, 0x01C3, prN},     // Lo     [4] LATIN LETTER DENTAL CLICK..LATIN LETTER RETROFLEX CLICK
+	{0x01C4, 0x01CD, prN},     // L&    [10] LATIN CAPITAL LETTER DZ WITH CARON..LATIN CAPITAL LETTER A WITH CARON
+	{0x01CE, 0x01CE, prA},     // Ll         LATIN SMALL LETTER A WITH CARON
+	{0x01CF, 0x01CF, prN},     // Lu         LATIN CAPITAL LETTER I WITH CARON
+	{0x01D0, 0x01D0, prA},     // Ll         LATIN SMALL LETTER I WITH CARON
+	{0x01D1, 0x01D1, prN},     // Lu         LATIN CAPITAL LETTER O WITH CARON
+	{0x01D2, 0x01D2, prA},     // Ll         LATIN SMALL LETTER O WITH CARON
+	{0x01D3, 0x01D3, prN},     // Lu         LATIN CAPITAL LETTER U WITH CARON
+	{0x01D4, 0x01D4, prA},     // Ll         LATIN SMALL LETTER U WITH CARON
+	{0x01D5, 0x01D5, prN},     // Lu         LATIN CAPITAL LETTER U WITH DIAERESIS AND MACRON
+	{0x01D6, 0x01D6, prA},     // Ll         LATIN SMALL LETTER U WITH DIAERESIS AND MACRON
+	{0x01D7, 0x01D7, prN},     // Lu         LATIN CAPITAL LETTER U WITH DIAERESIS AND ACUTE
+	{0x01D8, 0x01D8, prA},     // Ll         LATIN SMALL LETTER U WITH DIAERESIS AND ACUTE
+	{0x01D9, 0x01D9, prN},     // Lu         LATIN CAPITAL LETTER U WITH DIAERESIS AND CARON
+	{0x01DA, 0x01DA, prA},     // Ll         LATIN SMALL LETTER U WITH DIAERESIS AND CARON
+	{0x01DB, 0x01DB, prN},     // Lu         LATIN CAPITAL LETTER U WITH DIAERESIS AND GRAVE
+	{0x01DC, 0x01DC, prA},     // Ll         LATIN SMALL LETTER U WITH DIAERESIS AND GRAVE
+	{0x01DD, 0x024F, prN},     // L&   [115] LATIN SMALL LETTER TURNED E..LATIN SMALL LETTER Y WITH STROKE
+	{0x0250, 0x0250, prN},     // Ll         LATIN SMALL LETTER TURNED A
+	{0x0251, 0x0251, prA},     // Ll         LATIN SMALL LETTER ALPHA
+	{0x0252, 0x0260, prN},     // Ll    [15] LATIN SMALL LETTER TURNED ALPHA..LATIN SMALL LETTER G WITH HOOK
+	{0x0261, 0x0261, prA},     // Ll         LATIN SMALL LETTER SCRIPT G
+	{0x0262, 0x0293, prN},     // Ll    [50] LATIN LETTER SMALL CAPITAL G..LATIN SMALL LETTER EZH WITH CURL
+	{0x0294, 0x0294, prN},     // Lo         LATIN LETTER GLOTTAL STOP
+	{0x0295, 0x02AF, prN},     // Ll    [27] LATIN LETTER PHARYNGEAL VOICED FRICATIVE..LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL
+	{0x02B0, 0x02C1, prN},     // Lm    [18] MODIFIER LETTER SMALL H..MODIFIER LETTER REVERSED GLOTTAL STOP
+	{0x02C2, 0x02C3, prN},     // Sk     [2] MODIFIER LETTER LEFT ARROWHEAD..MODIFIER LETTER RIGHT ARROWHEAD
+	{0x02C4, 0x02C4, prA},     // Sk         MODIFIER LETTER UP ARROWHEAD
+	{0x02C5, 0x02C5, prN},     // Sk         MODIFIER LETTER DOWN ARROWHEAD
+	{0x02C6, 0x02C6, prN},     // Lm         MODIFIER LETTER CIRCUMFLEX ACCENT
+	{0x02C7, 0x02C7, prA},     // Lm         CARON
+	{0x02C8, 0x02C8, prN},     // Lm         MODIFIER LETTER VERTICAL LINE
+	{0x02C9, 0x02CB, prA},     // Lm     [3] MODIFIER LETTER MACRON..MODIFIER LETTER GRAVE ACCENT
+	{0x02CC, 0x02CC, prN},     // Lm         MODIFIER LETTER LOW VERTICAL LINE
+	{0x02CD, 0x02CD, prA},     // Lm         MODIFIER LETTER LOW MACRON
+	{0x02CE, 0x02CF, prN},     // Lm     [2] MODIFIER LETTER LOW GRAVE ACCENT..MODIFIER LETTER LOW ACUTE ACCENT
+	{0x02D0, 0x02D0, prA},     // Lm         MODIFIER LETTER TRIANGULAR COLON
+	{0x02D1, 0x02D1, prN},     // Lm         MODIFIER LETTER HALF TRIANGULAR COLON
+	{0x02D2, 0x02D7, prN},     // Sk     [6] MODIFIER LETTER CENTRED RIGHT HALF RING..MODIFIER LETTER MINUS SIGN
+	{0x02D8, 0x02DB, prA},     // Sk     [4] BREVE..OGONEK
+	{0x02DC, 0x02DC, prN},     // Sk         SMALL TILDE
+	{0x02DD, 0x02DD, prA},     // Sk         DOUBLE ACUTE ACCENT
+	{0x02DE, 0x02DE, prN},     // Sk         MODIFIER LETTER RHOTIC HOOK
+	{0x02DF, 0x02DF, prA},     // Sk         MODIFIER LETTER CROSS ACCENT
+	{0x02E0, 0x02E4, prN},     // Lm     [5] MODIFIER LETTER SMALL GAMMA..MODIFIER LETTER SMALL REVERSED GLOTTAL STOP
+	{0x02E5, 0x02EB, prN},     // Sk     [7] MODIFIER LETTER EXTRA-HIGH TONE BAR..MODIFIER LETTER YANG DEPARTING TONE MARK
+	{0x02EC, 0x02EC, prN},     // Lm         MODIFIER LETTER VOICING
+	{0x02ED, 0x02ED, prN},     // Sk         MODIFIER LETTER UNASPIRATED
+	{0x02EE, 0x02EE, prN},     // Lm         MODIFIER LETTER DOUBLE APOSTROPHE
+	{0x02EF, 0x02FF, prN},     // Sk    [17] MODIFIER LETTER LOW DOWN ARROWHEAD..MODIFIER LETTER LOW LEFT ARROW
+	{0x0300, 0x036F, prA},     // Mn   [112] COMBINING GRAVE ACCENT..COMBINING LATIN SMALL LETTER X
+	{0x0370, 0x0373, prN},     // L&     [4] GREEK CAPITAL LETTER HETA..GREEK SMALL LETTER ARCHAIC SAMPI
+	{0x0374, 0x0374, prN},     // Lm         GREEK NUMERAL SIGN
+	{0x0375, 0x0375, prN},     // Sk         GREEK LOWER NUMERAL SIGN
+	{0x0376, 0x0377, prN},     // L&     [2] GREEK CAPITAL LETTER PAMPHYLIAN DIGAMMA..GREEK SMALL LETTER PAMPHYLIAN DIGAMMA
+	{0x037A, 0x037A, prN},     // Lm         GREEK YPOGEGRAMMENI
+	{0x037B, 0x037D, prN},     // Ll     [3] GREEK SMALL REVERSED LUNATE SIGMA SYMBOL..GREEK SMALL REVERSED DOTTED LUNATE SIGMA SYMBOL
+	{0x037E, 0x037E, prN},     // Po         GREEK QUESTION MARK
+	{0x037F, 0x037F, prN},     // Lu         GREEK CAPITAL LETTER YOT
+	{0x0384, 0x0385, prN},     // Sk     [2] GREEK TONOS..GREEK DIALYTIKA TONOS
+	{0x0386, 0x0386, prN},     // Lu         GREEK CAPITAL LETTER ALPHA WITH TONOS
+	{0x0387, 0x0387, prN},     // Po         GREEK ANO TELEIA
+	{0x0388, 0x038A, prN},     // Lu     [3] GREEK CAPITAL LETTER EPSILON WITH TONOS..GREEK CAPITAL LETTER IOTA WITH TONOS
+	{0x038C, 0x038C, prN},     // Lu         GREEK CAPITAL LETTER OMICRON WITH TONOS
+	{0x038E, 0x0390, prN},     // L&     [3] GREEK CAPITAL LETTER UPSILON WITH TONOS..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND TONOS
+	{0x0391, 0x03A1, prA},     // Lu    [17] GREEK CAPITAL LETTER ALPHA..GREEK CAPITAL LETTER RHO
+	{0x03A3, 0x03A9, prA},     // Lu     [7] GREEK CAPITAL LETTER SIGMA..GREEK CAPITAL LETTER OMEGA
+	{0x03AA, 0x03B0, prN},     // L&     [7] GREEK CAPITAL LETTER IOTA WITH DIALYTIKA..GREEK SMALL LETTER UPSILON WITH DIALYTIKA AND TONOS
+	{0x03B1, 0x03C1, prA},     // Ll    [17] GREEK SMALL LETTER ALPHA..GREEK SMALL LETTER RHO
+	{0x03C2, 0x03C2, prN},     // Ll         GREEK SMALL LETTER FINAL SIGMA
+	{0x03C3, 0x03C9, prA},     // Ll     [7] GREEK SMALL LETTER SIGMA..GREEK SMALL LETTER OMEGA
+	{0x03CA, 0x03F5, prN},     // L&    [44] GREEK SMALL LETTER IOTA WITH DIALYTIKA..GREEK LUNATE EPSILON SYMBOL
+	{0x03F6, 0x03F6, prN},     // Sm         GREEK REVERSED LUNATE EPSILON SYMBOL
+	{0x03F7, 0x03FF, prN},     // L&     [9] GREEK CAPITAL LETTER SHO..GREEK CAPITAL REVERSED DOTTED LUNATE SIGMA SYMBOL
+	{0x0400, 0x0400, prN},     // Lu         CYRILLIC CAPITAL LETTER IE WITH GRAVE
+	{0x0401, 0x0401, prA},     // Lu         CYRILLIC CAPITAL LETTER IO
+	{0x0402, 0x040F, prN},     // Lu    [14] CYRILLIC CAPITAL LETTER DJE..CYRILLIC CAPITAL LETTER DZHE
+	{0x0410, 0x044F, prA},     // L&    [64] CYRILLIC CAPITAL LETTER A..CYRILLIC SMALL LETTER YA
+	{0x0450, 0x0450, prN},     // Ll         CYRILLIC SMALL LETTER IE WITH GRAVE
+	{0x0451, 0x0451, prA},     // Ll         CYRILLIC SMALL LETTER IO
+	{0x0452, 0x0481, prN},     // L&    [48] CYRILLIC SMALL LETTER DJE..CYRILLIC SMALL LETTER KOPPA
+	{0x0482, 0x0482, prN},     // So         CYRILLIC THOUSANDS SIGN
+	{0x0483, 0x0487, prN},     // Mn     [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE
+	{0x0488, 0x0489, prN},     // Me     [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN
+	{0x048A, 0x04FF, prN},     // L&   [118] CYRILLIC CAPITAL LETTER SHORT I WITH TAIL..CYRILLIC SMALL LETTER HA WITH STROKE
+	{0x0500, 0x052F, prN},     // L&    [48] CYRILLIC CAPITAL LETTER KOMI DE..CYRILLIC SMALL LETTER EL WITH DESCENDER
+	{0x0531, 0x0556, prN},     // Lu    [38] ARMENIAN CAPITAL LETTER AYB..ARMENIAN CAPITAL LETTER FEH
+	{0x0559, 0x0559, prN},     // Lm         ARMENIAN MODIFIER LETTER LEFT HALF RING
+	{0x055A, 0x055F, prN},     // Po     [6] ARMENIAN APOSTROPHE..ARMENIAN ABBREVIATION MARK
+	{0x0560, 0x0588, prN},     // Ll    [41] ARMENIAN SMALL LETTER TURNED AYB..ARMENIAN SMALL LETTER YI WITH STROKE
+	{0x0589, 0x0589, prN},     // Po         ARMENIAN FULL STOP
+	{0x058A, 0x058A, prN},     // Pd         ARMENIAN HYPHEN
+	{0x058D, 0x058E, prN},     // So     [2] RIGHT-FACING ARMENIAN ETERNITY SIGN..LEFT-FACING ARMENIAN ETERNITY SIGN
+	{0x058F, 0x058F, prN},     // Sc         ARMENIAN DRAM SIGN
+	{0x0591, 0x05BD, prN},     // Mn    [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG
+	{0x05BE, 0x05BE, prN},     // Pd         HEBREW PUNCTUATION MAQAF
+	{0x05BF, 0x05BF, prN},     // Mn         HEBREW POINT RAFE
+	{0x05C0, 0x05C0, prN},     // Po         HEBREW PUNCTUATION PASEQ
+	{0x05C1, 0x05C2, prN},     // Mn     [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT
+	{0x05C3, 0x05C3, prN},     // Po         HEBREW PUNCTUATION SOF PASUQ
+	{0x05C4, 0x05C5, prN},     // Mn     [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT
+	{0x05C6, 0x05C6, prN},     // Po         HEBREW PUNCTUATION NUN HAFUKHA
+	{0x05C7, 0x05C7, prN},     // Mn         HEBREW POINT QAMATS QATAN
+	{0x05D0, 0x05EA, prN},     // Lo    [27] HEBREW LETTER ALEF..HEBREW LETTER TAV
+	{0x05EF, 0x05F2, prN},     // Lo     [4] HEBREW YOD TRIANGLE..HEBREW LIGATURE YIDDISH DOUBLE YOD
+	{0x05F3, 0x05F4, prN},     // Po     [2] HEBREW PUNCTUATION GERESH..HEBREW PUNCTUATION GERSHAYIM
+	{0x0600, 0x0605, prN},     // Cf     [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE
+	{0x0606, 0x0608, prN},     // Sm     [3] ARABIC-INDIC CUBE ROOT..ARABIC RAY
+	{0x0609, 0x060A, prN},     // Po     [2] ARABIC-INDIC PER MILLE SIGN..ARABIC-INDIC PER TEN THOUSAND SIGN
+	{0x060B, 0x060B, prN},     // Sc         AFGHANI SIGN
+	{0x060C, 0x060D, prN},     // Po     [2] ARABIC COMMA..ARABIC DATE SEPARATOR
+	{0x060E, 0x060F, prN},     // So     [2] ARABIC POETIC VERSE SIGN..ARABIC SIGN MISRA
+	{0x0610, 0x061A, prN},     // Mn    [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA
+	{0x061B, 0x061B, prN},     // Po         ARABIC SEMICOLON
+	{0x061C, 0x061C, prN},     // Cf         ARABIC LETTER MARK
+	{0x061D, 0x061F, prN},     // Po     [3] ARABIC END OF TEXT MARK..ARABIC QUESTION MARK
+	{0x0620, 0x063F, prN},     // Lo    [32] ARABIC LETTER KASHMIRI YEH..ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE
+	{0x0640, 0x0640, prN},     // Lm         ARABIC TATWEEL
+	{0x0641, 0x064A, prN},     // Lo    [10] ARABIC LETTER FEH..ARABIC LETTER YEH
+	{0x064B, 0x065F, prN},     // Mn    [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW
+	{0x0660, 0x0669, prN},     // Nd    [10] ARABIC-INDIC DIGIT ZERO..ARABIC-INDIC DIGIT NINE
+	{0x066A, 0x066D, prN},     // Po     [4] ARABIC PERCENT SIGN..ARABIC FIVE POINTED STAR
+	{0x066E, 0x066F, prN},     // Lo     [2] ARABIC LETTER DOTLESS BEH..ARABIC LETTER DOTLESS QAF
+	{0x0670, 0x0670, prN},     // Mn         ARABIC LETTER SUPERSCRIPT ALEF
+	{0x0671, 0x06D3, prN},     // Lo    [99] ARABIC LETTER ALEF WASLA..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE
+	{0x06D4, 0x06D4, prN},     // Po         ARABIC FULL STOP
+	{0x06D5, 0x06D5, prN},     // Lo         ARABIC LETTER AE
+	{0x06D6, 0x06DC, prN},     // Mn     [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN
+	{0x06DD, 0x06DD, prN},     // Cf         ARABIC END OF AYAH
+	{0x06DE, 0x06DE, prN},     // So         ARABIC START OF RUB EL HIZB
+	{0x06DF, 0x06E4, prN},     // Mn     [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA
+	{0x06E5, 0x06E6, prN},     // Lm     [2] ARABIC SMALL WAW..ARABIC SMALL YEH
+	{0x06E7, 0x06E8, prN},     // Mn     [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON
+	{0x06E9, 0x06E9, prN},     // So         ARABIC PLACE OF SAJDAH
+	{0x06EA, 0x06ED, prN},     // Mn     [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM
+	{0x06EE, 0x06EF, prN},     // Lo     [2] ARABIC LETTER DAL WITH INVERTED V..ARABIC LETTER REH WITH INVERTED V
+	{0x06F0, 0x06F9, prN},     // Nd    [10] EXTENDED ARABIC-INDIC DIGIT ZERO..EXTENDED ARABIC-INDIC DIGIT NINE
+	{0x06FA, 0x06FC, prN},     // Lo     [3] ARABIC LETTER SHEEN WITH DOT BELOW..ARABIC LETTER GHAIN WITH DOT BELOW
+	{0x06FD, 0x06FE, prN},     // So     [2] ARABIC SIGN SINDHI AMPERSAND..ARABIC SIGN SINDHI POSTPOSITION MEN
+	{0x06FF, 0x06FF, prN},     // Lo         ARABIC LETTER HEH WITH INVERTED V
+	{0x0700, 0x070D, prN},     // Po    [14] SYRIAC END OF PARAGRAPH..SYRIAC HARKLEAN ASTERISCUS
+	{0x070F, 0x070F, prN},     // Cf         SYRIAC ABBREVIATION MARK
+	{0x0710, 0x0710, prN},     // Lo         SYRIAC LETTER ALAPH
+	{0x0711, 0x0711, prN},     // Mn         SYRIAC LETTER SUPERSCRIPT ALAPH
+	{0x0712, 0x072F, prN},     // Lo    [30] SYRIAC LETTER BETH..SYRIAC LETTER PERSIAN DHALATH
+	{0x0730, 0x074A, prN},     // Mn    [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH
+	{0x074D, 0x074F, prN},     // Lo     [3] SYRIAC LETTER SOGDIAN ZHAIN..SYRIAC LETTER SOGDIAN FE
+	{0x0750, 0x077F, prN},     // Lo    [48] ARABIC LETTER BEH WITH THREE DOTS HORIZONTALLY BELOW..ARABIC LETTER KAF WITH TWO DOTS ABOVE
+	{0x0780, 0x07A5, prN},     // Lo    [38] THAANA LETTER HAA..THAANA LETTER WAAVU
+	{0x07A6, 0x07B0, prN},     // Mn    [11] THAANA ABAFILI..THAANA SUKUN
+	{0x07B1, 0x07B1, prN},     // Lo         THAANA LETTER NAA
+	{0x07C0, 0x07C9, prN},     // Nd    [10] NKO DIGIT ZERO..NKO DIGIT NINE
+	{0x07CA, 0x07EA, prN},     // Lo    [33] NKO LETTER A..NKO LETTER JONA RA
+	{0x07EB, 0x07F3, prN},     // Mn     [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE
+	{0x07F4, 0x07F5, prN},     // Lm     [2] NKO HIGH TONE APOSTROPHE..NKO LOW TONE APOSTROPHE
+	{0x07F6, 0x07F6, prN},     // So         NKO SYMBOL OO DENNEN
+	{0x07F7, 0x07F9, prN},     // Po     [3] NKO SYMBOL GBAKURUNEN..NKO EXCLAMATION MARK
+	{0x07FA, 0x07FA, prN},     // Lm         NKO LAJANYALAN
+	{0x07FD, 0x07FD, prN},     // Mn         NKO DANTAYALAN
+	{0x07FE, 0x07FF, prN},     // Sc     [2] NKO DOROME SIGN..NKO TAMAN SIGN
+	{0x0800, 0x0815, prN},     // Lo    [22] SAMARITAN LETTER ALAF..SAMARITAN LETTER TAAF
+	{0x0816, 0x0819, prN},     // Mn     [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH
+	{0x081A, 0x081A, prN},     // Lm         SAMARITAN MODIFIER LETTER EPENTHETIC YUT
+	{0x081B, 0x0823, prN},     // Mn     [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A
+	{0x0824, 0x0824, prN},     // Lm         SAMARITAN MODIFIER LETTER SHORT A
+	{0x0825, 0x0827, prN},     // Mn     [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U
+	{0x0828, 0x0828, prN},     // Lm         SAMARITAN MODIFIER LETTER I
+	{0x0829, 0x082D, prN},     // Mn     [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA
+	{0x0830, 0x083E, prN},     // Po    [15] SAMARITAN PUNCTUATION NEQUDAA..SAMARITAN PUNCTUATION ANNAAU
+	{0x0840, 0x0858, prN},     // Lo    [25] MANDAIC LETTER HALQA..MANDAIC LETTER AIN
+	{0x0859, 0x085B, prN},     // Mn     [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK
+	{0x085E, 0x085E, prN},     // Po         MANDAIC PUNCTUATION
+	{0x0860, 0x086A, prN},     // Lo    [11] SYRIAC LETTER MALAYALAM NGA..SYRIAC LETTER MALAYALAM SSA
+	{0x0870, 0x0887, prN},     // Lo    [24] ARABIC LETTER ALEF WITH ATTACHED FATHA..ARABIC BASELINE ROUND DOT
+	{0x0888, 0x0888, prN},     // Sk         ARABIC RAISED ROUND DOT
+	{0x0889, 0x088E, prN},     // Lo     [6] ARABIC LETTER NOON WITH INVERTED SMALL V..ARABIC VERTICAL TAIL
+	{0x0890, 0x0891, prN},     // Cf     [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE
+	{0x0898, 0x089F, prN},     // Mn     [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA
+	{0x08A0, 0x08C8, prN},     // Lo    [41] ARABIC LETTER BEH WITH SMALL V BELOW..ARABIC LETTER GRAF
+	{0x08C9, 0x08C9, prN},     // Lm         ARABIC SMALL FARSI YEH
+	{0x08CA, 0x08E1, prN},     // Mn    [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA
+	{0x08E2, 0x08E2, prN},     // Cf         ARABIC DISPUTED END OF AYAH
+	{0x08E3, 0x08FF, prN},     // Mn    [29] ARABIC TURNED DAMMA BELOW..ARABIC MARK SIDEWAYS NOON GHUNNA
+	{0x0900, 0x0902, prN},     // Mn     [3] DEVANAGARI SIGN INVERTED CANDRABINDU..DEVANAGARI SIGN ANUSVARA
+	{0x0903, 0x0903, prN},     // Mc         DEVANAGARI SIGN VISARGA
+	{0x0904, 0x0939, prN},     // Lo    [54] DEVANAGARI LETTER SHORT A..DEVANAGARI LETTER HA
+	{0x093A, 0x093A, prN},     // Mn         DEVANAGARI VOWEL SIGN OE
+	{0x093B, 0x093B, prN},     // Mc         DEVANAGARI VOWEL SIGN OOE
+	{0x093C, 0x093C, prN},     // Mn         DEVANAGARI SIGN NUKTA
+	{0x093D, 0x093D, prN},     // Lo         DEVANAGARI SIGN AVAGRAHA
+	{0x093E, 0x0940, prN},     // Mc     [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II
+	{0x0941, 0x0948, prN},     // Mn     [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI
+	{0x0949, 0x094C, prN},     // Mc     [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU
+	{0x094D, 0x094D, prN},     // Mn         DEVANAGARI SIGN VIRAMA
+	{0x094E, 0x094F, prN},     // Mc     [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW
+	{0x0950, 0x0950, prN},     // Lo         DEVANAGARI OM
+	{0x0951, 0x0957, prN},     // Mn     [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE
+	{0x0958, 0x0961, prN},     // Lo    [10] DEVANAGARI LETTER QA..DEVANAGARI LETTER VOCALIC LL
+	{0x0962, 0x0963, prN},     // Mn     [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL
+	{0x0964, 0x0965, prN},     // Po     [2] DEVANAGARI DANDA..DEVANAGARI DOUBLE DANDA
+	{0x0966, 0x096F, prN},     // Nd    [10] DEVANAGARI DIGIT ZERO..DEVANAGARI DIGIT NINE
+	{0x0970, 0x0970, prN},     // Po         DEVANAGARI ABBREVIATION SIGN
+	{0x0971, 0x0971, prN},     // Lm         DEVANAGARI SIGN HIGH SPACING DOT
+	{0x0972, 0x097F, prN},     // Lo    [14] DEVANAGARI LETTER CANDRA A..DEVANAGARI LETTER BBA
+	{0x0980, 0x0980, prN},     // Lo         BENGALI ANJI
+	{0x0981, 0x0981, prN},     // Mn         BENGALI SIGN CANDRABINDU
+	{0x0982, 0x0983, prN},     // Mc     [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA
+	{0x0985, 0x098C, prN},     // Lo     [8] BENGALI LETTER A..BENGALI LETTER VOCALIC L
+	{0x098F, 0x0990, prN},     // Lo     [2] BENGALI LETTER E..BENGALI LETTER AI
+	{0x0993, 0x09A8, prN},     // Lo    [22] BENGALI LETTER O..BENGALI LETTER NA
+	{0x09AA, 0x09B0, prN},     // Lo     [7] BENGALI LETTER PA..BENGALI LETTER RA
+	{0x09B2, 0x09B2, prN},     // Lo         BENGALI LETTER LA
+	{0x09B6, 0x09B9, prN},     // Lo     [4] BENGALI LETTER SHA..BENGALI LETTER HA
+	{0x09BC, 0x09BC, prN},     // Mn         BENGALI SIGN NUKTA
+	{0x09BD, 0x09BD, prN},     // Lo         BENGALI SIGN AVAGRAHA
+	{0x09BE, 0x09C0, prN},     // Mc     [3] BENGALI VOWEL SIGN AA..BENGALI VOWEL SIGN II
+	{0x09C1, 0x09C4, prN},     // Mn     [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR
+	{0x09C7, 0x09C8, prN},     // Mc     [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI
+	{0x09CB, 0x09CC, prN},     // Mc     [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU
+	{0x09CD, 0x09CD, prN},     // Mn         BENGALI SIGN VIRAMA
+	{0x09CE, 0x09CE, prN},     // Lo         BENGALI LETTER KHANDA TA
+	{0x09D7, 0x09D7, prN},     // Mc         BENGALI AU LENGTH MARK
+	{0x09DC, 0x09DD, prN},     // Lo     [2] BENGALI LETTER RRA..BENGALI LETTER RHA
+	{0x09DF, 0x09E1, prN},     // Lo     [3] BENGALI LETTER YYA..BENGALI LETTER VOCALIC LL
+	{0x09E2, 0x09E3, prN},     // Mn     [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL
+	{0x09E6, 0x09EF, prN},     // Nd    [10] BENGALI DIGIT ZERO..BENGALI DIGIT NINE
+	{0x09F0, 0x09F1, prN},     // Lo     [2] BENGALI LETTER RA WITH MIDDLE DIAGONAL..BENGALI LETTER RA WITH LOWER DIAGONAL
+	{0x09F2, 0x09F3, prN},     // Sc     [2] BENGALI RUPEE MARK..BENGALI RUPEE SIGN
+	{0x09F4, 0x09F9, prN},     // No     [6] BENGALI CURRENCY NUMERATOR ONE..BENGALI CURRENCY DENOMINATOR SIXTEEN
+	{0x09FA, 0x09FA, prN},     // So         BENGALI ISSHAR
+	{0x09FB, 0x09FB, prN},     // Sc         BENGALI GANDA MARK
+	{0x09FC, 0x09FC, prN},     // Lo         BENGALI LETTER VEDIC ANUSVARA
+	{0x09FD, 0x09FD, prN},     // Po         BENGALI ABBREVIATION SIGN
+	{0x09FE, 0x09FE, prN},     // Mn         BENGALI SANDHI MARK
+	{0x0A01, 0x0A02, prN},     // Mn     [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI
+	{0x0A03, 0x0A03, prN},     // Mc         GURMUKHI SIGN VISARGA
+	{0x0A05, 0x0A0A, prN},     // Lo     [6] GURMUKHI LETTER A..GURMUKHI LETTER UU
+	{0x0A0F, 0x0A10, prN},     // Lo     [2] GURMUKHI LETTER EE..GURMUKHI LETTER AI
+	{0x0A13, 0x0A28, prN},     // Lo    [22] GURMUKHI LETTER OO..GURMUKHI LETTER NA
+	{0x0A2A, 0x0A30, prN},     // Lo     [7] GURMUKHI LETTER PA..GURMUKHI LETTER RA
+	{0x0A32, 0x0A33, prN},     // Lo     [2] GURMUKHI LETTER LA..GURMUKHI LETTER LLA
+	{0x0A35, 0x0A36, prN},     // Lo     [2] GURMUKHI LETTER VA..GURMUKHI LETTER SHA
+	{0x0A38, 0x0A39, prN},     // Lo     [2] GURMUKHI LETTER SA..GURMUKHI LETTER HA
+	{0x0A3C, 0x0A3C, prN},     // Mn         GURMUKHI SIGN NUKTA
+	{0x0A3E, 0x0A40, prN},     // Mc     [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II
+	{0x0A41, 0x0A42, prN},     // Mn     [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU
+	{0x0A47, 0x0A48, prN},     // Mn     [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI
+	{0x0A4B, 0x0A4D, prN},     // Mn     [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA
+	{0x0A51, 0x0A51, prN},     // Mn         GURMUKHI SIGN UDAAT
+	{0x0A59, 0x0A5C, prN},     // Lo     [4] GURMUKHI LETTER KHHA..GURMUKHI LETTER RRA
+	{0x0A5E, 0x0A5E, prN},     // Lo         GURMUKHI LETTER FA
+	{0x0A66, 0x0A6F, prN},     // Nd    [10] GURMUKHI DIGIT ZERO..GURMUKHI DIGIT NINE
+	{0x0A70, 0x0A71, prN},     // Mn     [2] GURMUKHI TIPPI..GURMUKHI ADDAK
+	{0x0A72, 0x0A74, prN},     // Lo     [3] GURMUKHI IRI..GURMUKHI EK ONKAR
+	{0x0A75, 0x0A75, prN},     // Mn         GURMUKHI SIGN YAKASH
+	{0x0A76, 0x0A76, prN},     // Po         GURMUKHI ABBREVIATION SIGN
+	{0x0A81, 0x0A82, prN},     // Mn     [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA
+	{0x0A83, 0x0A83, prN},     // Mc         GUJARATI SIGN VISARGA
+	{0x0A85, 0x0A8D, prN},     // Lo     [9] GUJARATI LETTER A..GUJARATI VOWEL CANDRA E
+	{0x0A8F, 0x0A91, prN},     // Lo     [3] GUJARATI LETTER E..GUJARATI VOWEL CANDRA O
+	{0x0A93, 0x0AA8, prN},     // Lo    [22] GUJARATI LETTER O..GUJARATI LETTER NA
+	{0x0AAA, 0x0AB0, prN},     // Lo     [7] GUJARATI LETTER PA..GUJARATI LETTER RA
+	{0x0AB2, 0x0AB3, prN},     // Lo     [2] GUJARATI LETTER LA..GUJARATI LETTER LLA
+	{0x0AB5, 0x0AB9, prN},     // Lo     [5] GUJARATI LETTER VA..GUJARATI LETTER HA
+	{0x0ABC, 0x0ABC, prN},     // Mn         GUJARATI SIGN NUKTA
+	{0x0ABD, 0x0ABD, prN},     // Lo         GUJARATI SIGN AVAGRAHA
+	{0x0ABE, 0x0AC0, prN},     // Mc     [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II
+	{0x0AC1, 0x0AC5, prN},     // Mn     [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E
+	{0x0AC7, 0x0AC8, prN},     // Mn     [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI
+	{0x0AC9, 0x0AC9, prN},     // Mc         GUJARATI VOWEL SIGN CANDRA O
+	{0x0ACB, 0x0ACC, prN},     // Mc     [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU
+	{0x0ACD, 0x0ACD, prN},     // Mn         GUJARATI SIGN VIRAMA
+	{0x0AD0, 0x0AD0, prN},     // Lo         GUJARATI OM
+	{0x0AE0, 0x0AE1, prN},     // Lo     [2] GUJARATI LETTER VOCALIC RR..GUJARATI LETTER VOCALIC LL
+	{0x0AE2, 0x0AE3, prN},     // Mn     [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL
+	{0x0AE6, 0x0AEF, prN},     // Nd    [10] GUJARATI DIGIT ZERO..GUJARATI DIGIT NINE
+	{0x0AF0, 0x0AF0, prN},     // Po         GUJARATI ABBREVIATION SIGN
+	{0x0AF1, 0x0AF1, prN},     // Sc         GUJARATI RUPEE SIGN
+	{0x0AF9, 0x0AF9, prN},     // Lo         GUJARATI LETTER ZHA
+	{0x0AFA, 0x0AFF, prN},     // Mn     [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+	{0x0B01, 0x0B01, prN},     // Mn         ORIYA SIGN CANDRABINDU
+	{0x0B02, 0x0B03, prN},     // Mc     [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA
+	{0x0B05, 0x0B0C, prN},     // Lo     [8] ORIYA LETTER A..ORIYA LETTER VOCALIC L
+	{0x0B0F, 0x0B10, prN},     // Lo     [2] ORIYA LETTER E..ORIYA LETTER AI
+	{0x0B13, 0x0B28, prN},     // Lo    [22] ORIYA LETTER O..ORIYA LETTER NA
+	{0x0B2A, 0x0B30, prN},     // Lo     [7] ORIYA LETTER PA..ORIYA LETTER RA
+	{0x0B32, 0x0B33, prN},     // Lo     [2] ORIYA LETTER LA..ORIYA LETTER LLA
+	{0x0B35, 0x0B39, prN},     // Lo     [5] ORIYA LETTER VA..ORIYA LETTER HA
+	{0x0B3C, 0x0B3C, prN},     // Mn         ORIYA SIGN NUKTA
+	{0x0B3D, 0x0B3D, prN},     // Lo         ORIYA SIGN AVAGRAHA
+	{0x0B3E, 0x0B3E, prN},     // Mc         ORIYA VOWEL SIGN AA
+	{0x0B3F, 0x0B3F, prN},     // Mn         ORIYA VOWEL SIGN I
+	{0x0B40, 0x0B40, prN},     // Mc         ORIYA VOWEL SIGN II
+	{0x0B41, 0x0B44, prN},     // Mn     [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR
+	{0x0B47, 0x0B48, prN},     // Mc     [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI
+	{0x0B4B, 0x0B4C, prN},     // Mc     [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU
+	{0x0B4D, 0x0B4D, prN},     // Mn         ORIYA SIGN VIRAMA
+	{0x0B55, 0x0B56, prN},     // Mn     [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK
+	{0x0B57, 0x0B57, prN},     // Mc         ORIYA AU LENGTH MARK
+	{0x0B5C, 0x0B5D, prN},     // Lo     [2] ORIYA LETTER RRA..ORIYA LETTER RHA
+	{0x0B5F, 0x0B61, prN},     // Lo     [3] ORIYA LETTER YYA..ORIYA LETTER VOCALIC LL
+	{0x0B62, 0x0B63, prN},     // Mn     [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL
+	{0x0B66, 0x0B6F, prN},     // Nd    [10] ORIYA DIGIT ZERO..ORIYA DIGIT NINE
+	{0x0B70, 0x0B70, prN},     // So         ORIYA ISSHAR
+	{0x0B71, 0x0B71, prN},     // Lo         ORIYA LETTER WA
+	{0x0B72, 0x0B77, prN},     // No     [6] ORIYA FRACTION ONE QUARTER..ORIYA FRACTION THREE SIXTEENTHS
+	{0x0B82, 0x0B82, prN},     // Mn         TAMIL SIGN ANUSVARA
+	{0x0B83, 0x0B83, prN},     // Lo         TAMIL SIGN VISARGA
+	{0x0B85, 0x0B8A, prN},     // Lo     [6] TAMIL LETTER A..TAMIL LETTER UU
+	{0x0B8E, 0x0B90, prN},     // Lo     [3] TAMIL LETTER E..TAMIL LETTER AI
+	{0x0B92, 0x0B95, prN},     // Lo     [4] TAMIL LETTER O..TAMIL LETTER KA
+	{0x0B99, 0x0B9A, prN},     // Lo     [2] TAMIL LETTER NGA..TAMIL LETTER CA
+	{0x0B9C, 0x0B9C, prN},     // Lo         TAMIL LETTER JA
+	{0x0B9E, 0x0B9F, prN},     // Lo     [2] TAMIL LETTER NYA..TAMIL LETTER TTA
+	{0x0BA3, 0x0BA4, prN},     // Lo     [2] TAMIL LETTER NNA..TAMIL LETTER TA
+	{0x0BA8, 0x0BAA, prN},     // Lo     [3] TAMIL LETTER NA..TAMIL LETTER PA
+	{0x0BAE, 0x0BB9, prN},     // Lo    [12] TAMIL LETTER MA..TAMIL LETTER HA
+	{0x0BBE, 0x0BBF, prN},     // Mc     [2] TAMIL VOWEL SIGN AA..TAMIL VOWEL SIGN I
+	{0x0BC0, 0x0BC0, prN},     // Mn         TAMIL VOWEL SIGN II
+	{0x0BC1, 0x0BC2, prN},     // Mc     [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU
+	{0x0BC6, 0x0BC8, prN},     // Mc     [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI
+	{0x0BCA, 0x0BCC, prN},     // Mc     [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU
+	{0x0BCD, 0x0BCD, prN},     // Mn         TAMIL SIGN VIRAMA
+	{0x0BD0, 0x0BD0, prN},     // Lo         TAMIL OM
+	{0x0BD7, 0x0BD7, prN},     // Mc         TAMIL AU LENGTH MARK
+	{0x0BE6, 0x0BEF, prN},     // Nd    [10] TAMIL DIGIT ZERO..TAMIL DIGIT NINE
+	{0x0BF0, 0x0BF2, prN},     // No     [3] TAMIL NUMBER TEN..TAMIL NUMBER ONE THOUSAND
+	{0x0BF3, 0x0BF8, prN},     // So     [6] TAMIL DAY SIGN..TAMIL AS ABOVE SIGN
+	{0x0BF9, 0x0BF9, prN},     // Sc         TAMIL RUPEE SIGN
+	{0x0BFA, 0x0BFA, prN},     // So         TAMIL NUMBER SIGN
+	{0x0C00, 0x0C00, prN},     // Mn         TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	{0x0C01, 0x0C03, prN},     // Mc     [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA
+	{0x0C04, 0x0C04, prN},     // Mn         TELUGU SIGN COMBINING ANUSVARA ABOVE
+	{0x0C05, 0x0C0C, prN},     // Lo     [8] TELUGU LETTER A..TELUGU LETTER VOCALIC L
+	{0x0C0E, 0x0C10, prN},     // Lo     [3] TELUGU LETTER E..TELUGU LETTER AI
+	{0x0C12, 0x0C28, prN},     // Lo    [23] TELUGU LETTER O..TELUGU LETTER NA
+	{0x0C2A, 0x0C39, prN},     // Lo    [16] TELUGU LETTER PA..TELUGU LETTER HA
+	{0x0C3C, 0x0C3C, prN},     // Mn         TELUGU SIGN NUKTA
+	{0x0C3D, 0x0C3D, prN},     // Lo         TELUGU SIGN AVAGRAHA
+	{0x0C3E, 0x0C40, prN},     // Mn     [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II
+	{0x0C41, 0x0C44, prN},     // Mc     [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR
+	{0x0C46, 0x0C48, prN},     // Mn     [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI
+	{0x0C4A, 0x0C4D, prN},     // Mn     [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA
+	{0x0C55, 0x0C56, prN},     // Mn     [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK
+	{0x0C58, 0x0C5A, prN},     // Lo     [3] TELUGU LETTER TSA..TELUGU LETTER RRRA
+	{0x0C5D, 0x0C5D, prN},     // Lo         TELUGU LETTER NAKAARA POLLU
+	{0x0C60, 0x0C61, prN},     // Lo     [2] TELUGU LETTER VOCALIC RR..TELUGU LETTER VOCALIC LL
+	{0x0C62, 0x0C63, prN},     // Mn     [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL
+	{0x0C66, 0x0C6F, prN},     // Nd    [10] TELUGU DIGIT ZERO..TELUGU DIGIT NINE
+	{0x0C77, 0x0C77, prN},     // Po         TELUGU SIGN SIDDHAM
+	{0x0C78, 0x0C7E, prN},     // No     [7] TELUGU FRACTION DIGIT ZERO FOR ODD POWERS OF FOUR..TELUGU FRACTION DIGIT THREE FOR EVEN POWERS OF FOUR
+	{0x0C7F, 0x0C7F, prN},     // So         TELUGU SIGN TUUMU
+	{0x0C80, 0x0C80, prN},     // Lo         KANNADA SIGN SPACING CANDRABINDU
+	{0x0C81, 0x0C81, prN},     // Mn         KANNADA SIGN CANDRABINDU
+	{0x0C82, 0x0C83, prN},     // Mc     [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA
+	{0x0C84, 0x0C84, prN},     // Po         KANNADA SIGN SIDDHAM
+	{0x0C85, 0x0C8C, prN},     // Lo     [8] KANNADA LETTER A..KANNADA LETTER VOCALIC L
+	{0x0C8E, 0x0C90, prN},     // Lo     [3] KANNADA LETTER E..KANNADA LETTER AI
+	{0x0C92, 0x0CA8, prN},     // Lo    [23] KANNADA LETTER O..KANNADA LETTER NA
+	{0x0CAA, 0x0CB3, prN},     // Lo    [10] KANNADA LETTER PA..KANNADA LETTER LLA
+	{0x0CB5, 0x0CB9, prN},     // Lo     [5] KANNADA LETTER VA..KANNADA LETTER HA
+	{0x0CBC, 0x0CBC, prN},     // Mn         KANNADA SIGN NUKTA
+	{0x0CBD, 0x0CBD, prN},     // Lo         KANNADA SIGN AVAGRAHA
+	{0x0CBE, 0x0CBE, prN},     // Mc         KANNADA VOWEL SIGN AA
+	{0x0CBF, 0x0CBF, prN},     // Mn         KANNADA VOWEL SIGN I
+	{0x0CC0, 0x0CC4, prN},     // Mc     [5] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN VOCALIC RR
+	{0x0CC6, 0x0CC6, prN},     // Mn         KANNADA VOWEL SIGN E
+	{0x0CC7, 0x0CC8, prN},     // Mc     [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI
+	{0x0CCA, 0x0CCB, prN},     // Mc     [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO
+	{0x0CCC, 0x0CCD, prN},     // Mn     [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA
+	{0x0CD5, 0x0CD6, prN},     // Mc     [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK
+	{0x0CDD, 0x0CDE, prN},     // Lo     [2] KANNADA LETTER NAKAARA POLLU..KANNADA LETTER FA
+	{0x0CE0, 0x0CE1, prN},     // Lo     [2] KANNADA LETTER VOCALIC RR..KANNADA LETTER VOCALIC LL
+	{0x0CE2, 0x0CE3, prN},     // Mn     [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL
+	{0x0CE6, 0x0CEF, prN},     // Nd    [10] KANNADA DIGIT ZERO..KANNADA DIGIT NINE
+	{0x0CF1, 0x0CF2, prN},     // Lo     [2] KANNADA SIGN JIHVAMULIYA..KANNADA SIGN UPADHMANIYA
+	{0x0CF3, 0x0CF3, prN},     // Mc         KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT
+	{0x0D00, 0x0D01, prN},     // Mn     [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU
+	{0x0D02, 0x0D03, prN},     // Mc     [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA
+	{0x0D04, 0x0D0C, prN},     // Lo     [9] MALAYALAM LETTER VEDIC ANUSVARA..MALAYALAM LETTER VOCALIC L
+	{0x0D0E, 0x0D10, prN},     // Lo     [3] MALAYALAM LETTER E..MALAYALAM LETTER AI
+	{0x0D12, 0x0D3A, prN},     // Lo    [41] MALAYALAM LETTER O..MALAYALAM LETTER TTTA
+	{0x0D3B, 0x0D3C, prN},     // Mn     [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA
+	{0x0D3D, 0x0D3D, prN},     // Lo         MALAYALAM SIGN AVAGRAHA
+	{0x0D3E, 0x0D40, prN},     // Mc     [3] MALAYALAM VOWEL SIGN AA..MALAYALAM VOWEL SIGN II
+	{0x0D41, 0x0D44, prN},     // Mn     [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR
+	{0x0D46, 0x0D48, prN},     // Mc     [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI
+	{0x0D4A, 0x0D4C, prN},     // Mc     [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU
+	{0x0D4D, 0x0D4D, prN},     // Mn         MALAYALAM SIGN VIRAMA
+	{0x0D4E, 0x0D4E, prN},     // Lo         MALAYALAM LETTER DOT REPH
+	{0x0D4F, 0x0D4F, prN},     // So         MALAYALAM SIGN PARA
+	{0x0D54, 0x0D56, prN},     // Lo     [3] MALAYALAM LETTER CHILLU M..MALAYALAM LETTER CHILLU LLL
+	{0x0D57, 0x0D57, prN},     // Mc         MALAYALAM AU LENGTH MARK
+	{0x0D58, 0x0D5E, prN},     // No     [7] MALAYALAM FRACTION ONE ONE-HUNDRED-AND-SIXTIETH..MALAYALAM FRACTION ONE FIFTH
+	{0x0D5F, 0x0D61, prN},     // Lo     [3] MALAYALAM LETTER ARCHAIC II..MALAYALAM LETTER VOCALIC LL
+	{0x0D62, 0x0D63, prN},     // Mn     [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL
+	{0x0D66, 0x0D6F, prN},     // Nd    [10] MALAYALAM DIGIT ZERO..MALAYALAM DIGIT NINE
+	{0x0D70, 0x0D78, prN},     // No     [9] MALAYALAM NUMBER TEN..MALAYALAM FRACTION THREE SIXTEENTHS
+	{0x0D79, 0x0D79, prN},     // So         MALAYALAM DATE MARK
+	{0x0D7A, 0x0D7F, prN},     // Lo     [6] MALAYALAM LETTER CHILLU NN..MALAYALAM LETTER CHILLU K
+	{0x0D81, 0x0D81, prN},     // Mn         SINHALA SIGN CANDRABINDU
+	{0x0D82, 0x0D83, prN},     // Mc     [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA
+	{0x0D85, 0x0D96, prN},     // Lo    [18] SINHALA LETTER AYANNA..SINHALA LETTER AUYANNA
+	{0x0D9A, 0x0DB1, prN},     // Lo    [24] SINHALA LETTER ALPAPRAANA KAYANNA..SINHALA LETTER DANTAJA NAYANNA
+	{0x0DB3, 0x0DBB, prN},     // Lo     [9] SINHALA LETTER SANYAKA DAYANNA..SINHALA LETTER RAYANNA
+	{0x0DBD, 0x0DBD, prN},     // Lo         SINHALA LETTER DANTAJA LAYANNA
+	{0x0DC0, 0x0DC6, prN},     // Lo     [7] SINHALA LETTER VAYANNA..SINHALA LETTER FAYANNA
+	{0x0DCA, 0x0DCA, prN},     // Mn         SINHALA SIGN AL-LAKUNA
+	{0x0DCF, 0x0DD1, prN},     // Mc     [3] SINHALA VOWEL SIGN AELA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA
+	{0x0DD2, 0x0DD4, prN},     // Mn     [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA
+	{0x0DD6, 0x0DD6, prN},     // Mn         SINHALA VOWEL SIGN DIGA PAA-PILLA
+	{0x0DD8, 0x0DDF, prN},     // Mc     [8] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN GAYANUKITTA
+	{0x0DE6, 0x0DEF, prN},     // Nd    [10] SINHALA LITH DIGIT ZERO..SINHALA LITH DIGIT NINE
+	{0x0DF2, 0x0DF3, prN},     // Mc     [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA
+	{0x0DF4, 0x0DF4, prN},     // Po         SINHALA PUNCTUATION KUNDDALIYA
+	{0x0E01, 0x0E30, prN},     // Lo    [48] THAI CHARACTER KO KAI..THAI CHARACTER SARA A
+	{0x0E31, 0x0E31, prN},     // Mn         THAI CHARACTER MAI HAN-AKAT
+	{0x0E32, 0x0E33, prN},     // Lo     [2] THAI CHARACTER SARA AA..THAI CHARACTER SARA AM
+	{0x0E34, 0x0E3A, prN},     // Mn     [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU
+	{0x0E3F, 0x0E3F, prN},     // Sc         THAI CURRENCY SYMBOL BAHT
+	{0x0E40, 0x0E45, prN},     // Lo     [6] THAI CHARACTER SARA E..THAI CHARACTER LAKKHANGYAO
+	{0x0E46, 0x0E46, prN},     // Lm         THAI CHARACTER MAIYAMOK
+	{0x0E47, 0x0E4E, prN},     // Mn     [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN
+	{0x0E4F, 0x0E4F, prN},     // Po         THAI CHARACTER FONGMAN
+	{0x0E50, 0x0E59, prN},     // Nd    [10] THAI DIGIT ZERO..THAI DIGIT NINE
+	{0x0E5A, 0x0E5B, prN},     // Po     [2] THAI CHARACTER ANGKHANKHU..THAI CHARACTER KHOMUT
+	{0x0E81, 0x0E82, prN},     // Lo     [2] LAO LETTER KO..LAO LETTER KHO SUNG
+	{0x0E84, 0x0E84, prN},     // Lo         LAO LETTER KHO TAM
+	{0x0E86, 0x0E8A, prN},     // Lo     [5] LAO LETTER PALI GHA..LAO LETTER SO TAM
+	{0x0E8C, 0x0EA3, prN},     // Lo    [24] LAO LETTER PALI JHA..LAO LETTER LO LING
+	{0x0EA5, 0x0EA5, prN},     // Lo         LAO LETTER LO LOOT
+	{0x0EA7, 0x0EB0, prN},     // Lo    [10] LAO LETTER WO..LAO VOWEL SIGN A
+	{0x0EB1, 0x0EB1, prN},     // Mn         LAO VOWEL SIGN MAI KAN
+	{0x0EB2, 0x0EB3, prN},     // Lo     [2] LAO VOWEL SIGN AA..LAO VOWEL SIGN AM
+	{0x0EB4, 0x0EBC, prN},     // Mn     [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO
+	{0x0EBD, 0x0EBD, prN},     // Lo         LAO SEMIVOWEL SIGN NYO
+	{0x0EC0, 0x0EC4, prN},     // Lo     [5] LAO VOWEL SIGN E..LAO VOWEL SIGN AI
+	{0x0EC6, 0x0EC6, prN},     // Lm         LAO KO LA
+	{0x0EC8, 0x0ECE, prN},     // Mn     [7] LAO TONE MAI EK..LAO YAMAKKAN
+	{0x0ED0, 0x0ED9, prN},     // Nd    [10] LAO DIGIT ZERO..LAO DIGIT NINE
+	{0x0EDC, 0x0EDF, prN},     // Lo     [4] LAO HO NO..LAO LETTER KHMU NYO
+	{0x0F00, 0x0F00, prN},     // Lo         TIBETAN SYLLABLE OM
+	{0x0F01, 0x0F03, prN},     // So     [3] TIBETAN MARK GTER YIG MGO TRUNCATED A..TIBETAN MARK GTER YIG MGO -UM GTER TSHEG MA
+	{0x0F04, 0x0F12, prN},     // Po    [15] TIBETAN MARK INITIAL YIG MGO MDUN MA..TIBETAN MARK RGYA GRAM SHAD
+	{0x0F13, 0x0F13, prN},     // So         TIBETAN MARK CARET -DZUD RTAGS ME LONG CAN
+	{0x0F14, 0x0F14, prN},     // Po         TIBETAN MARK GTER TSHEG
+	{0x0F15, 0x0F17, prN},     // So     [3] TIBETAN LOGOTYPE SIGN CHAD RTAGS..TIBETAN ASTROLOGICAL SIGN SGRA GCAN -CHAR RTAGS
+	{0x0F18, 0x0F19, prN},     // Mn     [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS
+	{0x0F1A, 0x0F1F, prN},     // So     [6] TIBETAN SIGN RDEL DKAR GCIG..TIBETAN SIGN RDEL DKAR RDEL NAG
+	{0x0F20, 0x0F29, prN},     // Nd    [10] TIBETAN DIGIT ZERO..TIBETAN DIGIT NINE
+	{0x0F2A, 0x0F33, prN},     // No    [10] TIBETAN DIGIT HALF ONE..TIBETAN DIGIT HALF ZERO
+	{0x0F34, 0x0F34, prN},     // So         TIBETAN MARK BSDUS RTAGS
+	{0x0F35, 0x0F35, prN},     // Mn         TIBETAN MARK NGAS BZUNG NYI ZLA
+	{0x0F36, 0x0F36, prN},     // So         TIBETAN MARK CARET -DZUD RTAGS BZHI MIG CAN
+	{0x0F37, 0x0F37, prN},     // Mn         TIBETAN MARK NGAS BZUNG SGOR RTAGS
+	{0x0F38, 0x0F38, prN},     // So         TIBETAN MARK CHE MGO
+	{0x0F39, 0x0F39, prN},     // Mn         TIBETAN MARK TSA -PHRU
+	{0x0F3A, 0x0F3A, prN},     // Ps         TIBETAN MARK GUG RTAGS GYON
+	{0x0F3B, 0x0F3B, prN},     // Pe         TIBETAN MARK GUG RTAGS GYAS
+	{0x0F3C, 0x0F3C, prN},     // Ps         TIBETAN MARK ANG KHANG GYON
+	{0x0F3D, 0x0F3D, prN},     // Pe         TIBETAN MARK ANG KHANG GYAS
+	{0x0F3E, 0x0F3F, prN},     // Mc     [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES
+	{0x0F40, 0x0F47, prN},     // Lo     [8] TIBETAN LETTER KA..TIBETAN LETTER JA
+	{0x0F49, 0x0F6C, prN},     // Lo    [36] TIBETAN LETTER NYA..TIBETAN LETTER RRA
+	{0x0F71, 0x0F7E, prN},     // Mn    [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO
+	{0x0F7F, 0x0F7F, prN},     // Mc         TIBETAN SIGN RNAM BCAD
+	{0x0F80, 0x0F84, prN},     // Mn     [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA
+	{0x0F85, 0x0F85, prN},     // Po         TIBETAN MARK PALUTA
+	{0x0F86, 0x0F87, prN},     // Mn     [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS
+	{0x0F88, 0x0F8C, prN},     // Lo     [5] TIBETAN SIGN LCE TSA CAN..TIBETAN SIGN INVERTED MCHU CAN
+	{0x0F8D, 0x0F97, prN},     // Mn    [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA
+	{0x0F99, 0x0FBC, prN},     // Mn    [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA
+	{0x0FBE, 0x0FC5, prN},     // So     [8] TIBETAN KU RU KHA..TIBETAN SYMBOL RDO RJE
+	{0x0FC6, 0x0FC6, prN},     // Mn         TIBETAN SYMBOL PADMA GDAN
+	{0x0FC7, 0x0FCC, prN},     // So     [6] TIBETAN SYMBOL RDO RJE RGYA GRAM..TIBETAN SYMBOL NOR BU BZHI -KHYIL
+	{0x0FCE, 0x0FCF, prN},     // So     [2] TIBETAN SIGN RDEL NAG RDEL DKAR..TIBETAN SIGN RDEL NAG GSUM
+	{0x0FD0, 0x0FD4, prN},     // Po     [5] TIBETAN MARK BSKA- SHOG GI MGO RGYAN..TIBETAN MARK CLOSING BRDA RNYING YIG MGO SGAB MA
+	{0x0FD5, 0x0FD8, prN},     // So     [4] RIGHT-FACING SVASTI SIGN..LEFT-FACING SVASTI SIGN WITH DOTS
+	{0x0FD9, 0x0FDA, prN},     // Po     [2] TIBETAN MARK LEADING MCHAN RTAGS..TIBETAN MARK TRAILING MCHAN RTAGS
+	{0x1000, 0x102A, prN},     // Lo    [43] MYANMAR LETTER KA..MYANMAR LETTER AU
+	{0x102B, 0x102C, prN},     // Mc     [2] MYANMAR VOWEL SIGN TALL AA..MYANMAR VOWEL SIGN AA
+	{0x102D, 0x1030, prN},     // Mn     [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU
+	{0x1031, 0x1031, prN},     // Mc         MYANMAR VOWEL SIGN E
+	{0x1032, 0x1037, prN},     // Mn     [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW
+	{0x1038, 0x1038, prN},     // Mc         MYANMAR SIGN VISARGA
+	{0x1039, 0x103A, prN},     // Mn     [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT
+	{0x103B, 0x103C, prN},     // Mc     [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA
+	{0x103D, 0x103E, prN},     // Mn     [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA
+	{0x103F, 0x103F, prN},     // Lo         MYANMAR LETTER GREAT SA
+	{0x1040, 0x1049, prN},     // Nd    [10] MYANMAR DIGIT ZERO..MYANMAR DIGIT NINE
+	{0x104A, 0x104F, prN},     // Po     [6] MYANMAR SIGN LITTLE SECTION..MYANMAR SYMBOL GENITIVE
+	{0x1050, 0x1055, prN},     // Lo     [6] MYANMAR LETTER SHA..MYANMAR LETTER VOCALIC LL
+	{0x1056, 0x1057, prN},     // Mc     [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR
+	{0x1058, 0x1059, prN},     // Mn     [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL
+	{0x105A, 0x105D, prN},     // Lo     [4] MYANMAR LETTER MON NGA..MYANMAR LETTER MON BBE
+	{0x105E, 0x1060, prN},     // Mn     [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA
+	{0x1061, 0x1061, prN},     // Lo         MYANMAR LETTER SGAW KAREN SHA
+	{0x1062, 0x1064, prN},     // Mc     [3] MYANMAR VOWEL SIGN SGAW KAREN EU..MYANMAR TONE MARK SGAW KAREN KE PHO
+	{0x1065, 0x1066, prN},     // Lo     [2] MYANMAR LETTER WESTERN PWO KAREN THA..MYANMAR LETTER WESTERN PWO KAREN PWA
+	{0x1067, 0x106D, prN},     // Mc     [7] MYANMAR VOWEL SIGN WESTERN PWO KAREN EU..MYANMAR SIGN WESTERN PWO KAREN TONE-5
+	{0x106E, 0x1070, prN},     // Lo     [3] MYANMAR LETTER EASTERN PWO KAREN NNA..MYANMAR LETTER EASTERN PWO KAREN GHWA
+	{0x1071, 0x1074, prN},     // Mn     [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE
+	{0x1075, 0x1081, prN},     // Lo    [13] MYANMAR LETTER SHAN KA..MYANMAR LETTER SHAN HA
+	{0x1082, 0x1082, prN},     // Mn         MYANMAR CONSONANT SIGN SHAN MEDIAL WA
+	{0x1083, 0x1084, prN},     // Mc     [2] MYANMAR VOWEL SIGN SHAN AA..MYANMAR VOWEL SIGN SHAN E
+	{0x1085, 0x1086, prN},     // Mn     [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y
+	{0x1087, 0x108C, prN},     // Mc     [6] MYANMAR SIGN SHAN TONE-2..MYANMAR SIGN SHAN COUNCIL TONE-3
+	{0x108D, 0x108D, prN},     // Mn         MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE
+	{0x108E, 0x108E, prN},     // Lo         MYANMAR LETTER RUMAI PALAUNG FA
+	{0x108F, 0x108F, prN},     // Mc         MYANMAR SIGN RUMAI PALAUNG TONE-5
+	{0x1090, 0x1099, prN},     // Nd    [10] MYANMAR SHAN DIGIT ZERO..MYANMAR SHAN DIGIT NINE
+	{0x109A, 0x109C, prN},     // Mc     [3] MYANMAR SIGN KHAMTI TONE-1..MYANMAR VOWEL SIGN AITON A
+	{0x109D, 0x109D, prN},     // Mn         MYANMAR VOWEL SIGN AITON AI
+	{0x109E, 0x109F, prN},     // So     [2] MYANMAR SYMBOL SHAN ONE..MYANMAR SYMBOL SHAN EXCLAMATION
+	{0x10A0, 0x10C5, prN},     // Lu    [38] GEORGIAN CAPITAL LETTER AN..GEORGIAN CAPITAL LETTER HOE
+	{0x10C7, 0x10C7, prN},     // Lu         GEORGIAN CAPITAL LETTER YN
+	{0x10CD, 0x10CD, prN},     // Lu         GEORGIAN CAPITAL LETTER AEN
+	{0x10D0, 0x10FA, prN},     // Ll    [43] GEORGIAN LETTER AN..GEORGIAN LETTER AIN
+	{0x10FB, 0x10FB, prN},     // Po         GEORGIAN PARAGRAPH SEPARATOR
+	{0x10FC, 0x10FC, prN},     // Lm         MODIFIER LETTER GEORGIAN NAR
+	{0x10FD, 0x10FF, prN},     // Ll     [3] GEORGIAN LETTER AEN..GEORGIAN LETTER LABIAL SIGN
+	{0x1100, 0x115F, prW},     // Lo    [96] HANGUL CHOSEONG KIYEOK..HANGUL CHOSEONG FILLER
+	{0x1160, 0x11FF, prN},     // Lo   [160] HANGUL JUNGSEONG FILLER..HANGUL JONGSEONG SSANGNIEUN
+	{0x1200, 0x1248, prN},     // Lo    [73] ETHIOPIC SYLLABLE HA..ETHIOPIC SYLLABLE QWA
+	{0x124A, 0x124D, prN},     // Lo     [4] ETHIOPIC SYLLABLE QWI..ETHIOPIC SYLLABLE QWE
+	{0x1250, 0x1256, prN},     // Lo     [7] ETHIOPIC SYLLABLE QHA..ETHIOPIC SYLLABLE QHO
+	{0x1258, 0x1258, prN},     // Lo         ETHIOPIC SYLLABLE QHWA
+	{0x125A, 0x125D, prN},     // Lo     [4] ETHIOPIC SYLLABLE QHWI..ETHIOPIC SYLLABLE QHWE
+	{0x1260, 0x1288, prN},     // Lo    [41] ETHIOPIC SYLLABLE BA..ETHIOPIC SYLLABLE XWA
+	{0x128A, 0x128D, prN},     // Lo     [4] ETHIOPIC SYLLABLE XWI..ETHIOPIC SYLLABLE XWE
+	{0x1290, 0x12B0, prN},     // Lo    [33] ETHIOPIC SYLLABLE NA..ETHIOPIC SYLLABLE KWA
+	{0x12B2, 0x12B5, prN},     // Lo     [4] ETHIOPIC SYLLABLE KWI..ETHIOPIC SYLLABLE KWE
+	{0x12B8, 0x12BE, prN},     // Lo     [7] ETHIOPIC SYLLABLE KXA..ETHIOPIC SYLLABLE KXO
+	{0x12C0, 0x12C0, prN},     // Lo         ETHIOPIC SYLLABLE KXWA
+	{0x12C2, 0x12C5, prN},     // Lo     [4] ETHIOPIC SYLLABLE KXWI..ETHIOPIC SYLLABLE KXWE
+	{0x12C8, 0x12D6, prN},     // Lo    [15] ETHIOPIC SYLLABLE WA..ETHIOPIC SYLLABLE PHARYNGEAL O
+	{0x12D8, 0x1310, prN},     // Lo    [57] ETHIOPIC SYLLABLE ZA..ETHIOPIC SYLLABLE GWA
+	{0x1312, 0x1315, prN},     // Lo     [4] ETHIOPIC SYLLABLE GWI..ETHIOPIC SYLLABLE GWE
+	{0x1318, 0x135A, prN},     // Lo    [67] ETHIOPIC SYLLABLE GGA..ETHIOPIC SYLLABLE FYA
+	{0x135D, 0x135F, prN},     // Mn     [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK
+	{0x1360, 0x1368, prN},     // Po     [9] ETHIOPIC SECTION MARK..ETHIOPIC PARAGRAPH SEPARATOR
+	{0x1369, 0x137C, prN},     // No    [20] ETHIOPIC DIGIT ONE..ETHIOPIC NUMBER TEN THOUSAND
+	{0x1380, 0x138F, prN},     // Lo    [16] ETHIOPIC SYLLABLE SEBATBEIT MWA..ETHIOPIC SYLLABLE PWE
+	{0x1390, 0x1399, prN},     // So    [10] ETHIOPIC TONAL MARK YIZET..ETHIOPIC TONAL MARK KURT
+	{0x13A0, 0x13F5, prN},     // Lu    [86] CHEROKEE LETTER A..CHEROKEE LETTER MV
+	{0x13F8, 0x13FD, prN},     // Ll     [6] CHEROKEE SMALL LETTER YE..CHEROKEE SMALL LETTER MV
+	{0x1400, 0x1400, prN},     // Pd         CANADIAN SYLLABICS HYPHEN
+	{0x1401, 0x166C, prN},     // Lo   [620] CANADIAN SYLLABICS E..CANADIAN SYLLABICS CARRIER TTSA
+	{0x166D, 0x166D, prN},     // So         CANADIAN SYLLABICS CHI SIGN
+	{0x166E, 0x166E, prN},     // Po         CANADIAN SYLLABICS FULL STOP
+	{0x166F, 0x167F, prN},     // Lo    [17] CANADIAN SYLLABICS QAI..CANADIAN SYLLABICS BLACKFOOT W
+	{0x1680, 0x1680, prN},     // Zs         OGHAM SPACE MARK
+	{0x1681, 0x169A, prN},     // Lo    [26] OGHAM LETTER BEITH..OGHAM LETTER PEITH
+	{0x169B, 0x169B, prN},     // Ps         OGHAM FEATHER MARK
+	{0x169C, 0x169C, prN},     // Pe         OGHAM REVERSED FEATHER MARK
+	{0x16A0, 0x16EA, prN},     // Lo    [75] RUNIC LETTER FEHU FEOH FE F..RUNIC LETTER X
+	{0x16EB, 0x16ED, prN},     // Po     [3] RUNIC SINGLE PUNCTUATION..RUNIC CROSS PUNCTUATION
+	{0x16EE, 0x16F0, prN},     // Nl     [3] RUNIC ARLAUG SYMBOL..RUNIC BELGTHOR SYMBOL
+	{0x16F1, 0x16F8, prN},     // Lo     [8] RUNIC LETTER K..RUNIC LETTER FRANKS CASKET AESC
+	{0x1700, 0x1711, prN},     // Lo    [18] TAGALOG LETTER A..TAGALOG LETTER HA
+	{0x1712, 0x1714, prN},     // Mn     [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA
+	{0x1715, 0x1715, prN},     // Mc         TAGALOG SIGN PAMUDPOD
+	{0x171F, 0x171F, prN},     // Lo         TAGALOG LETTER ARCHAIC RA
+	{0x1720, 0x1731, prN},     // Lo    [18] HANUNOO LETTER A..HANUNOO LETTER HA
+	{0x1732, 0x1733, prN},     // Mn     [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U
+	{0x1734, 0x1734, prN},     // Mc         HANUNOO SIGN PAMUDPOD
+	{0x1735, 0x1736, prN},     // Po     [2] PHILIPPINE SINGLE PUNCTUATION..PHILIPPINE DOUBLE PUNCTUATION
+	{0x1740, 0x1751, prN},     // Lo    [18] BUHID LETTER A..BUHID LETTER HA
+	{0x1752, 0x1753, prN},     // Mn     [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U
+	{0x1760, 0x176C, prN},     // Lo    [13] TAGBANWA LETTER A..TAGBANWA LETTER YA
+	{0x176E, 0x1770, prN},     // Lo     [3] TAGBANWA LETTER LA..TAGBANWA LETTER SA
+	{0x1772, 0x1773, prN},     // Mn     [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U
+	{0x1780, 0x17B3, prN},     // Lo    [52] KHMER LETTER KA..KHMER INDEPENDENT VOWEL QAU
+	{0x17B4, 0x17B5, prN},     // Mn     [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA
+	{0x17B6, 0x17B6, prN},     // Mc         KHMER VOWEL SIGN AA
+	{0x17B7, 0x17BD, prN},     // Mn     [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA
+	{0x17BE, 0x17C5, prN},     // Mc     [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU
+	{0x17C6, 0x17C6, prN},     // Mn         KHMER SIGN NIKAHIT
+	{0x17C7, 0x17C8, prN},     // Mc     [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU
+	{0x17C9, 0x17D3, prN},     // Mn    [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT
+	{0x17D4, 0x17D6, prN},     // Po     [3] KHMER SIGN KHAN..KHMER SIGN CAMNUC PII KUUH
+	{0x17D7, 0x17D7, prN},     // Lm         KHMER SIGN LEK TOO
+	{0x17D8, 0x17DA, prN},     // Po     [3] KHMER SIGN BEYYAL..KHMER SIGN KOOMUUT
+	{0x17DB, 0x17DB, prN},     // Sc         KHMER CURRENCY SYMBOL RIEL
+	{0x17DC, 0x17DC, prN},     // Lo         KHMER SIGN AVAKRAHASANYA
+	{0x17DD, 0x17DD, prN},     // Mn         KHMER SIGN ATTHACAN
+	{0x17E0, 0x17E9, prN},     // Nd    [10] KHMER DIGIT ZERO..KHMER DIGIT NINE
+	{0x17F0, 0x17F9, prN},     // No    [10] KHMER SYMBOL LEK ATTAK SON..KHMER SYMBOL LEK ATTAK PRAM-BUON
+	{0x1800, 0x1805, prN},     // Po     [6] MONGOLIAN BIRGA..MONGOLIAN FOUR DOTS
+	{0x1806, 0x1806, prN},     // Pd         MONGOLIAN TODO SOFT HYPHEN
+	{0x1807, 0x180A, prN},     // Po     [4] MONGOLIAN SIBE SYLLABLE BOUNDARY MARKER..MONGOLIAN NIRUGU
+	{0x180B, 0x180D, prN},     // Mn     [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE
+	{0x180E, 0x180E, prN},     // Cf         MONGOLIAN VOWEL SEPARATOR
+	{0x180F, 0x180F, prN},     // Mn         MONGOLIAN FREE VARIATION SELECTOR FOUR
+	{0x1810, 0x1819, prN},     // Nd    [10] MONGOLIAN DIGIT ZERO..MONGOLIAN DIGIT NINE
+	{0x1820, 0x1842, prN},     // Lo    [35] MONGOLIAN LETTER A..MONGOLIAN LETTER CHI
+	{0x1843, 0x1843, prN},     // Lm         MONGOLIAN LETTER TODO LONG VOWEL SIGN
+	{0x1844, 0x1878, prN},     // Lo    [53] MONGOLIAN LETTER TODO E..MONGOLIAN LETTER CHA WITH TWO DOTS
+	{0x1880, 0x1884, prN},     // Lo     [5] MONGOLIAN LETTER ALI GALI ANUSVARA ONE..MONGOLIAN LETTER ALI GALI INVERTED UBADAMA
+	{0x1885, 0x1886, prN},     // Mn     [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA
+	{0x1887, 0x18A8, prN},     // Lo    [34] MONGOLIAN LETTER ALI GALI A..MONGOLIAN LETTER MANCHU ALI GALI BHA
+	{0x18A9, 0x18A9, prN},     // Mn         MONGOLIAN LETTER ALI GALI DAGALGA
+	{0x18AA, 0x18AA, prN},     // Lo         MONGOLIAN LETTER MANCHU ALI GALI LHA
+	{0x18B0, 0x18F5, prN},     // Lo    [70] CANADIAN SYLLABICS OY..CANADIAN SYLLABICS CARRIER DENTAL S
+	{0x1900, 0x191E, prN},     // Lo    [31] LIMBU VOWEL-CARRIER LETTER..LIMBU LETTER TRA
+	{0x1920, 0x1922, prN},     // Mn     [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U
+	{0x1923, 0x1926, prN},     // Mc     [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU
+	{0x1927, 0x1928, prN},     // Mn     [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O
+	{0x1929, 0x192B, prN},     // Mc     [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA
+	{0x1930, 0x1931, prN},     // Mc     [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA
+	{0x1932, 0x1932, prN},     // Mn         LIMBU SMALL LETTER ANUSVARA
+	{0x1933, 0x1938, prN},     // Mc     [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA
+	{0x1939, 0x193B, prN},     // Mn     [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I
+	{0x1940, 0x1940, prN},     // So         LIMBU SIGN LOO
+	{0x1944, 0x1945, prN},     // Po     [2] LIMBU EXCLAMATION MARK..LIMBU QUESTION MARK
+	{0x1946, 0x194F, prN},     // Nd    [10] LIMBU DIGIT ZERO..LIMBU DIGIT NINE
+	{0x1950, 0x196D, prN},     // Lo    [30] TAI LE LETTER KA..TAI LE LETTER AI
+	{0x1970, 0x1974, prN},     // Lo     [5] TAI LE LETTER TONE-2..TAI LE LETTER TONE-6
+	{0x1980, 0x19AB, prN},     // Lo    [44] NEW TAI LUE LETTER HIGH QA..NEW TAI LUE LETTER LOW SUA
+	{0x19B0, 0x19C9, prN},     // Lo    [26] NEW TAI LUE VOWEL SIGN VOWEL SHORTENER..NEW TAI LUE TONE MARK-2
+	{0x19D0, 0x19D9, prN},     // Nd    [10] NEW TAI LUE DIGIT ZERO..NEW TAI LUE DIGIT NINE
+	{0x19DA, 0x19DA, prN},     // No         NEW TAI LUE THAM DIGIT ONE
+	{0x19DE, 0x19DF, prN},     // So     [2] NEW TAI LUE SIGN LAE..NEW TAI LUE SIGN LAEV
+	{0x19E0, 0x19FF, prN},     // So    [32] KHMER SYMBOL PATHAMASAT..KHMER SYMBOL DAP-PRAM ROC
+	{0x1A00, 0x1A16, prN},     // Lo    [23] BUGINESE LETTER KA..BUGINESE LETTER HA
+	{0x1A17, 0x1A18, prN},     // Mn     [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U
+	{0x1A19, 0x1A1A, prN},     // Mc     [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O
+	{0x1A1B, 0x1A1B, prN},     // Mn         BUGINESE VOWEL SIGN AE
+	{0x1A1E, 0x1A1F, prN},     // Po     [2] BUGINESE PALLAWA..BUGINESE END OF SECTION
+	{0x1A20, 0x1A54, prN},     // Lo    [53] TAI THAM LETTER HIGH KA..TAI THAM LETTER GREAT SA
+	{0x1A55, 0x1A55, prN},     // Mc         TAI THAM CONSONANT SIGN MEDIAL RA
+	{0x1A56, 0x1A56, prN},     // Mn         TAI THAM CONSONANT SIGN MEDIAL LA
+	{0x1A57, 0x1A57, prN},     // Mc         TAI THAM CONSONANT SIGN LA TANG LAI
+	{0x1A58, 0x1A5E, prN},     // Mn     [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA
+	{0x1A60, 0x1A60, prN},     // Mn         TAI THAM SIGN SAKOT
+	{0x1A61, 0x1A61, prN},     // Mc         TAI THAM VOWEL SIGN A
+	{0x1A62, 0x1A62, prN},     // Mn         TAI THAM VOWEL SIGN MAI SAT
+	{0x1A63, 0x1A64, prN},     // Mc     [2] TAI THAM VOWEL SIGN AA..TAI THAM VOWEL SIGN TALL AA
+	{0x1A65, 0x1A6C, prN},     // Mn     [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW
+	{0x1A6D, 0x1A72, prN},     // Mc     [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI
+	{0x1A73, 0x1A7C, prN},     // Mn    [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN
+	{0x1A7F, 0x1A7F, prN},     // Mn         TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	{0x1A80, 0x1A89, prN},     // Nd    [10] TAI THAM HORA DIGIT ZERO..TAI THAM HORA DIGIT NINE
+	{0x1A90, 0x1A99, prN},     // Nd    [10] TAI THAM THAM DIGIT ZERO..TAI THAM THAM DIGIT NINE
+	{0x1AA0, 0x1AA6, prN},     // Po     [7] TAI THAM SIGN WIANG..TAI THAM SIGN REVERSED ROTATED RANA
+	{0x1AA7, 0x1AA7, prN},     // Lm         TAI THAM SIGN MAI YAMOK
+	{0x1AA8, 0x1AAD, prN},     // Po     [6] TAI THAM SIGN KAAN..TAI THAM SIGN CAANG
+	{0x1AB0, 0x1ABD, prN},     // Mn    [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW
+	{0x1ABE, 0x1ABE, prN},     // Me         COMBINING PARENTHESES OVERLAY
+	{0x1ABF, 0x1ACE, prN},     // Mn    [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T
+	{0x1B00, 0x1B03, prN},     // Mn     [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG
+	{0x1B04, 0x1B04, prN},     // Mc         BALINESE SIGN BISAH
+	{0x1B05, 0x1B33, prN},     // Lo    [47] BALINESE LETTER AKARA..BALINESE LETTER HA
+	{0x1B34, 0x1B34, prN},     // Mn         BALINESE SIGN REREKAN
+	{0x1B35, 0x1B35, prN},     // Mc         BALINESE VOWEL SIGN TEDUNG
+	{0x1B36, 0x1B3A, prN},     // Mn     [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA
+	{0x1B3B, 0x1B3B, prN},     // Mc         BALINESE VOWEL SIGN RA REPA TEDUNG
+	{0x1B3C, 0x1B3C, prN},     // Mn         BALINESE VOWEL SIGN LA LENGA
+	{0x1B3D, 0x1B41, prN},     // Mc     [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG
+	{0x1B42, 0x1B42, prN},     // Mn         BALINESE VOWEL SIGN PEPET
+	{0x1B43, 0x1B44, prN},     // Mc     [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG
+	{0x1B45, 0x1B4C, prN},     // Lo     [8] BALINESE LETTER KAF SASAK..BALINESE LETTER ARCHAIC JNYA
+	{0x1B50, 0x1B59, prN},     // Nd    [10] BALINESE DIGIT ZERO..BALINESE DIGIT NINE
+	{0x1B5A, 0x1B60, prN},     // Po     [7] BALINESE PANTI..BALINESE PAMENENG
+	{0x1B61, 0x1B6A, prN},     // So    [10] BALINESE MUSICAL SYMBOL DONG..BALINESE MUSICAL SYMBOL DANG GEDE
+	{0x1B6B, 0x1B73, prN},     // Mn     [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG
+	{0x1B74, 0x1B7C, prN},     // So     [9] BALINESE MUSICAL SYMBOL RIGHT-HAND OPEN DUG..BALINESE MUSICAL SYMBOL LEFT-HAND OPEN PING
+	{0x1B7D, 0x1B7E, prN},     // Po     [2] BALINESE PANTI LANTANG..BALINESE PAMADA LANTANG
+	{0x1B80, 0x1B81, prN},     // Mn     [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR
+	{0x1B82, 0x1B82, prN},     // Mc         SUNDANESE SIGN PANGWISAD
+	{0x1B83, 0x1BA0, prN},     // Lo    [30] SUNDANESE LETTER A..SUNDANESE LETTER HA
+	{0x1BA1, 0x1BA1, prN},     // Mc         SUNDANESE CONSONANT SIGN PAMINGKAL
+	{0x1BA2, 0x1BA5, prN},     // Mn     [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU
+	{0x1BA6, 0x1BA7, prN},     // Mc     [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG
+	{0x1BA8, 0x1BA9, prN},     // Mn     [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG
+	{0x1BAA, 0x1BAA, prN},     // Mc         SUNDANESE SIGN PAMAAEH
+	{0x1BAB, 0x1BAD, prN},     // Mn     [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA
+	{0x1BAE, 0x1BAF, prN},     // Lo     [2] SUNDANESE LETTER KHA..SUNDANESE LETTER SYA
+	{0x1BB0, 0x1BB9, prN},     // Nd    [10] SUNDANESE DIGIT ZERO..SUNDANESE DIGIT NINE
+	{0x1BBA, 0x1BBF, prN},     // Lo     [6] SUNDANESE AVAGRAHA..SUNDANESE LETTER FINAL M
+	{0x1BC0, 0x1BE5, prN},     // Lo    [38] BATAK LETTER A..BATAK LETTER U
+	{0x1BE6, 0x1BE6, prN},     // Mn         BATAK SIGN TOMPI
+	{0x1BE7, 0x1BE7, prN},     // Mc         BATAK VOWEL SIGN E
+	{0x1BE8, 0x1BE9, prN},     // Mn     [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE
+	{0x1BEA, 0x1BEC, prN},     // Mc     [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O
+	{0x1BED, 0x1BED, prN},     // Mn         BATAK VOWEL SIGN KARO O
+	{0x1BEE, 0x1BEE, prN},     // Mc         BATAK VOWEL SIGN U
+	{0x1BEF, 0x1BF1, prN},     // Mn     [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H
+	{0x1BF2, 0x1BF3, prN},     // Mc     [2] BATAK PANGOLAT..BATAK PANONGONAN
+	{0x1BFC, 0x1BFF, prN},     // Po     [4] BATAK SYMBOL BINDU NA METEK..BATAK SYMBOL BINDU PANGOLAT
+	{0x1C00, 0x1C23, prN},     // Lo    [36] LEPCHA LETTER KA..LEPCHA LETTER A
+	{0x1C24, 0x1C2B, prN},     // Mc     [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU
+	{0x1C2C, 0x1C33, prN},     // Mn     [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T
+	{0x1C34, 0x1C35, prN},     // Mc     [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG
+	{0x1C36, 0x1C37, prN},     // Mn     [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA
+	{0x1C3B, 0x1C3F, prN},     // Po     [5] LEPCHA PUNCTUATION TA-ROL..LEPCHA PUNCTUATION TSHOOK
+	{0x1C40, 0x1C49, prN},     // Nd    [10] LEPCHA DIGIT ZERO..LEPCHA DIGIT NINE
+	{0x1C4D, 0x1C4F, prN},     // Lo     [3] LEPCHA LETTER TTA..LEPCHA LETTER DDA
+	{0x1C50, 0x1C59, prN},     // Nd    [10] OL CHIKI DIGIT ZERO..OL CHIKI DIGIT NINE
+	{0x1C5A, 0x1C77, prN},     // Lo    [30] OL CHIKI LETTER LA..OL CHIKI LETTER OH
+	{0x1C78, 0x1C7D, prN},     // Lm     [6] OL CHIKI MU TTUDDAG..OL CHIKI AHAD
+	{0x1C7E, 0x1C7F, prN},     // Po     [2] OL CHIKI PUNCTUATION MUCAAD..OL CHIKI PUNCTUATION DOUBLE MUCAAD
+	{0x1C80, 0x1C88, prN},     // Ll     [9] CYRILLIC SMALL LETTER ROUNDED VE..CYRILLIC SMALL LETTER UNBLENDED UK
+	{0x1C90, 0x1CBA, prN},     // Lu    [43] GEORGIAN MTAVRULI CAPITAL LETTER AN..GEORGIAN MTAVRULI CAPITAL LETTER AIN
+	{0x1CBD, 0x1CBF, prN},     // Lu     [3] GEORGIAN MTAVRULI CAPITAL LETTER AEN..GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN
+	{0x1CC0, 0x1CC7, prN},     // Po     [8] SUNDANESE PUNCTUATION BINDU SURYA..SUNDANESE PUNCTUATION BINDU BA SATANGA
+	{0x1CD0, 0x1CD2, prN},     // Mn     [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA
+	{0x1CD3, 0x1CD3, prN},     // Po         VEDIC SIGN NIHSHVASA
+	{0x1CD4, 0x1CE0, prN},     // Mn    [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA
+	{0x1CE1, 0x1CE1, prN},     // Mc         VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA
+	{0x1CE2, 0x1CE8, prN},     // Mn     [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL
+	{0x1CE9, 0x1CEC, prN},     // Lo     [4] VEDIC SIGN ANUSVARA ANTARGOMUKHA..VEDIC SIGN ANUSVARA VAMAGOMUKHA WITH TAIL
+	{0x1CED, 0x1CED, prN},     // Mn         VEDIC SIGN TIRYAK
+	{0x1CEE, 0x1CF3, prN},     // Lo     [6] VEDIC SIGN HEXIFORM LONG ANUSVARA..VEDIC SIGN ROTATED ARDHAVISARGA
+	{0x1CF4, 0x1CF4, prN},     // Mn         VEDIC TONE CANDRA ABOVE
+	{0x1CF5, 0x1CF6, prN},     // Lo     [2] VEDIC SIGN JIHVAMULIYA..VEDIC SIGN UPADHMANIYA
+	{0x1CF7, 0x1CF7, prN},     // Mc         VEDIC SIGN ATIKRAMA
+	{0x1CF8, 0x1CF9, prN},     // Mn     [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE
+	{0x1CFA, 0x1CFA, prN},     // Lo         VEDIC SIGN DOUBLE ANUSVARA ANTARGOMUKHA
+	{0x1D00, 0x1D2B, prN},     // Ll    [44] LATIN LETTER SMALL CAPITAL A..CYRILLIC LETTER SMALL CAPITAL EL
+	{0x1D2C, 0x1D6A, prN},     // Lm    [63] MODIFIER LETTER CAPITAL A..GREEK SUBSCRIPT SMALL LETTER CHI
+	{0x1D6B, 0x1D77, prN},     // Ll    [13] LATIN SMALL LETTER UE..LATIN SMALL LETTER TURNED G
+	{0x1D78, 0x1D78, prN},     // Lm         MODIFIER LETTER CYRILLIC EN
+	{0x1D79, 0x1D7F, prN},     // Ll     [7] LATIN SMALL LETTER INSULAR G..LATIN SMALL LETTER UPSILON WITH STROKE
+	{0x1D80, 0x1D9A, prN},     // Ll    [27] LATIN SMALL LETTER B WITH PALATAL HOOK..LATIN SMALL LETTER EZH WITH RETROFLEX HOOK
+	{0x1D9B, 0x1DBF, prN},     // Lm    [37] MODIFIER LETTER SMALL TURNED ALPHA..MODIFIER LETTER SMALL THETA
+	{0x1DC0, 0x1DFF, prN},     // Mn    [64] COMBINING DOTTED GRAVE ACCENT..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+	{0x1E00, 0x1EFF, prN},     // L&   [256] LATIN CAPITAL LETTER A WITH RING BELOW..LATIN SMALL LETTER Y WITH LOOP
+	{0x1F00, 0x1F15, prN},     // L&    [22] GREEK SMALL LETTER ALPHA WITH PSILI..GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA
+	{0x1F18, 0x1F1D, prN},     // Lu     [6] GREEK CAPITAL LETTER EPSILON WITH PSILI..GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA
+	{0x1F20, 0x1F45, prN},     // L&    [38] GREEK SMALL LETTER ETA WITH PSILI..GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA
+	{0x1F48, 0x1F4D, prN},     // Lu     [6] GREEK CAPITAL LETTER OMICRON WITH PSILI..GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA
+	{0x1F50, 0x1F57, prN},     // Ll     [8] GREEK SMALL LETTER UPSILON WITH PSILI..GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	{0x1F59, 0x1F59, prN},     // Lu         GREEK CAPITAL LETTER UPSILON WITH DASIA
+	{0x1F5B, 0x1F5B, prN},     // Lu         GREEK CAPITAL LETTER UPSILON WITH DASIA AND VARIA
+	{0x1F5D, 0x1F5D, prN},     // Lu         GREEK CAPITAL LETTER UPSILON WITH DASIA AND OXIA
+	{0x1F5F, 0x1F7D, prN},     // L&    [31] GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI..GREEK SMALL LETTER OMEGA WITH OXIA
+	{0x1F80, 0x1FB4, prN},     // L&    [53] GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FB6, 0x1FBC, prN},     // L&     [7] GREEK SMALL LETTER ALPHA WITH PERISPOMENI..GREEK CAPITAL LETTER ALPHA WITH PROSGEGRAMMENI
+	{0x1FBD, 0x1FBD, prN},     // Sk         GREEK KORONIS
+	{0x1FBE, 0x1FBE, prN},     // Ll         GREEK PROSGEGRAMMENI
+	{0x1FBF, 0x1FC1, prN},     // Sk     [3] GREEK PSILI..GREEK DIALYTIKA AND PERISPOMENI
+	{0x1FC2, 0x1FC4, prN},     // Ll     [3] GREEK SMALL LETTER ETA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FC6, 0x1FCC, prN},     // L&     [7] GREEK SMALL LETTER ETA WITH PERISPOMENI..GREEK CAPITAL LETTER ETA WITH PROSGEGRAMMENI
+	{0x1FCD, 0x1FCF, prN},     // Sk     [3] GREEK PSILI AND VARIA..GREEK PSILI AND PERISPOMENI
+	{0x1FD0, 0x1FD3, prN},     // Ll     [4] GREEK SMALL LETTER IOTA WITH VRACHY..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA
+	{0x1FD6, 0x1FDB, prN},     // L&     [6] GREEK SMALL LETTER IOTA WITH PERISPOMENI..GREEK CAPITAL LETTER IOTA WITH OXIA
+	{0x1FDD, 0x1FDF, prN},     // Sk     [3] GREEK DASIA AND VARIA..GREEK DASIA AND PERISPOMENI
+	{0x1FE0, 0x1FEC, prN},     // L&    [13] GREEK SMALL LETTER UPSILON WITH VRACHY..GREEK CAPITAL LETTER RHO WITH DASIA
+	{0x1FED, 0x1FEF, prN},     // Sk     [3] GREEK DIALYTIKA AND VARIA..GREEK VARIA
+	{0x1FF2, 0x1FF4, prN},     // Ll     [3] GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FF6, 0x1FFC, prN},     // L&     [7] GREEK SMALL LETTER OMEGA WITH PERISPOMENI..GREEK CAPITAL LETTER OMEGA WITH PROSGEGRAMMENI
+	{0x1FFD, 0x1FFE, prN},     // Sk     [2] GREEK OXIA..GREEK DASIA
+	{0x2000, 0x200A, prN},     // Zs    [11] EN QUAD..HAIR SPACE
+	{0x200B, 0x200F, prN},     // Cf     [5] ZERO WIDTH SPACE..RIGHT-TO-LEFT MARK
+	{0x2010, 0x2010, prA},     // Pd         HYPHEN
+	{0x2011, 0x2012, prN},     // Pd     [2] NON-BREAKING HYPHEN..FIGURE DASH
+	{0x2013, 0x2015, prA},     // Pd     [3] EN DASH..HORIZONTAL BAR
+	{0x2016, 0x2016, prA},     // Po         DOUBLE VERTICAL LINE
+	{0x2017, 0x2017, prN},     // Po         DOUBLE LOW LINE
+	{0x2018, 0x2018, prA},     // Pi         LEFT SINGLE QUOTATION MARK
+	{0x2019, 0x2019, prA},     // Pf         RIGHT SINGLE QUOTATION MARK
+	{0x201A, 0x201A, prN},     // Ps         SINGLE LOW-9 QUOTATION MARK
+	{0x201B, 0x201B, prN},     // Pi         SINGLE HIGH-REVERSED-9 QUOTATION MARK
+	{0x201C, 0x201C, prA},     // Pi         LEFT DOUBLE QUOTATION MARK
+	{0x201D, 0x201D, prA},     // Pf         RIGHT DOUBLE QUOTATION MARK
+	{0x201E, 0x201E, prN},     // Ps         DOUBLE LOW-9 QUOTATION MARK
+	{0x201F, 0x201F, prN},     // Pi         DOUBLE HIGH-REVERSED-9 QUOTATION MARK
+	{0x2020, 0x2022, prA},     // Po     [3] DAGGER..BULLET
+	{0x2023, 0x2023, prN},     // Po         TRIANGULAR BULLET
+	{0x2024, 0x2027, prA},     // Po     [4] ONE DOT LEADER..HYPHENATION POINT
+	{0x2028, 0x2028, prN},     // Zl         LINE SEPARATOR
+	{0x2029, 0x2029, prN},     // Zp         PARAGRAPH SEPARATOR
+	{0x202A, 0x202E, prN},     // Cf     [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE
+	{0x202F, 0x202F, prN},     // Zs         NARROW NO-BREAK SPACE
+	{0x2030, 0x2030, prA},     // Po         PER MILLE SIGN
+	{0x2031, 0x2031, prN},     // Po         PER TEN THOUSAND SIGN
+	{0x2032, 0x2033, prA},     // Po     [2] PRIME..DOUBLE PRIME
+	{0x2034, 0x2034, prN},     // Po         TRIPLE PRIME
+	{0x2035, 0x2035, prA},     // Po         REVERSED PRIME
+	{0x2036, 0x2038, prN},     // Po     [3] REVERSED DOUBLE PRIME..CARET
+	{0x2039, 0x2039, prN},     // Pi         SINGLE LEFT-POINTING ANGLE QUOTATION MARK
+	{0x203A, 0x203A, prN},     // Pf         SINGLE RIGHT-POINTING ANGLE QUOTATION MARK
+	{0x203B, 0x203B, prA},     // Po         REFERENCE MARK
+	{0x203C, 0x203D, prN},     // Po     [2] DOUBLE EXCLAMATION MARK..INTERROBANG
+	{0x203E, 0x203E, prA},     // Po         OVERLINE
+	{0x203F, 0x2040, prN},     // Pc     [2] UNDERTIE..CHARACTER TIE
+	{0x2041, 0x2043, prN},     // Po     [3] CARET INSERTION POINT..HYPHEN BULLET
+	{0x2044, 0x2044, prN},     // Sm         FRACTION SLASH
+	{0x2045, 0x2045, prN},     // Ps         LEFT SQUARE BRACKET WITH QUILL
+	{0x2046, 0x2046, prN},     // Pe         RIGHT SQUARE BRACKET WITH QUILL
+	{0x2047, 0x2051, prN},     // Po    [11] DOUBLE QUESTION MARK..TWO ASTERISKS ALIGNED VERTICALLY
+	{0x2052, 0x2052, prN},     // Sm         COMMERCIAL MINUS SIGN
+	{0x2053, 0x2053, prN},     // Po         SWUNG DASH
+	{0x2054, 0x2054, prN},     // Pc         INVERTED UNDERTIE
+	{0x2055, 0x205E, prN},     // Po    [10] FLOWER PUNCTUATION MARK..VERTICAL FOUR DOTS
+	{0x205F, 0x205F, prN},     // Zs         MEDIUM MATHEMATICAL SPACE
+	{0x2060, 0x2064, prN},     // Cf     [5] WORD JOINER..INVISIBLE PLUS
+	{0x2066, 0x206F, prN},     // Cf    [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES
+	{0x2070, 0x2070, prN},     // No         SUPERSCRIPT ZERO
+	{0x2071, 0x2071, prN},     // Lm         SUPERSCRIPT LATIN SMALL LETTER I
+	{0x2074, 0x2074, prA},     // No         SUPERSCRIPT FOUR
+	{0x2075, 0x2079, prN},     // No     [5] SUPERSCRIPT FIVE..SUPERSCRIPT NINE
+	{0x207A, 0x207C, prN},     // Sm     [3] SUPERSCRIPT PLUS SIGN..SUPERSCRIPT EQUALS SIGN
+	{0x207D, 0x207D, prN},     // Ps         SUPERSCRIPT LEFT PARENTHESIS
+	{0x207E, 0x207E, prN},     // Pe         SUPERSCRIPT RIGHT PARENTHESIS
+	{0x207F, 0x207F, prA},     // Lm         SUPERSCRIPT LATIN SMALL LETTER N
+	{0x2080, 0x2080, prN},     // No         SUBSCRIPT ZERO
+	{0x2081, 0x2084, prA},     // No     [4] SUBSCRIPT ONE..SUBSCRIPT FOUR
+	{0x2085, 0x2089, prN},     // No     [5] SUBSCRIPT FIVE..SUBSCRIPT NINE
+	{0x208A, 0x208C, prN},     // Sm     [3] SUBSCRIPT PLUS SIGN..SUBSCRIPT EQUALS SIGN
+	{0x208D, 0x208D, prN},     // Ps         SUBSCRIPT LEFT PARENTHESIS
+	{0x208E, 0x208E, prN},     // Pe         SUBSCRIPT RIGHT PARENTHESIS
+	{0x2090, 0x209C, prN},     // Lm    [13] LATIN SUBSCRIPT SMALL LETTER A..LATIN SUBSCRIPT SMALL LETTER T
+	{0x20A0, 0x20A8, prN},     // Sc     [9] EURO-CURRENCY SIGN..RUPEE SIGN
+	{0x20A9, 0x20A9, prH},     // Sc         WON SIGN
+	{0x20AA, 0x20AB, prN},     // Sc     [2] NEW SHEQEL SIGN..DONG SIGN
+	{0x20AC, 0x20AC, prA},     // Sc         EURO SIGN
+	{0x20AD, 0x20C0, prN},     // Sc    [20] KIP SIGN..SOM SIGN
+	{0x20D0, 0x20DC, prN},     // Mn    [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE
+	{0x20DD, 0x20E0, prN},     // Me     [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH
+	{0x20E1, 0x20E1, prN},     // Mn         COMBINING LEFT RIGHT ARROW ABOVE
+	{0x20E2, 0x20E4, prN},     // Me     [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE
+	{0x20E5, 0x20F0, prN},     // Mn    [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE
+	{0x2100, 0x2101, prN},     // So     [2] ACCOUNT OF..ADDRESSED TO THE SUBJECT
+	{0x2102, 0x2102, prN},     // Lu         DOUBLE-STRUCK CAPITAL C
+	{0x2103, 0x2103, prA},     // So         DEGREE CELSIUS
+	{0x2104, 0x2104, prN},     // So         CENTRE LINE SYMBOL
+	{0x2105, 0x2105, prA},     // So         CARE OF
+	{0x2106, 0x2106, prN},     // So         CADA UNA
+	{0x2107, 0x2107, prN},     // Lu         EULER CONSTANT
+	{0x2108, 0x2108, prN},     // So         SCRUPLE
+	{0x2109, 0x2109, prA},     // So         DEGREE FAHRENHEIT
+	{0x210A, 0x2112, prN},     // L&     [9] SCRIPT SMALL G..SCRIPT CAPITAL L
+	{0x2113, 0x2113, prA},     // Ll         SCRIPT SMALL L
+	{0x2114, 0x2114, prN},     // So         L B BAR SYMBOL
+	{0x2115, 0x2115, prN},     // Lu         DOUBLE-STRUCK CAPITAL N
+	{0x2116, 0x2116, prA},     // So         NUMERO SIGN
+	{0x2117, 0x2117, prN},     // So         SOUND RECORDING COPYRIGHT
+	{0x2118, 0x2118, prN},     // Sm         SCRIPT CAPITAL P
+	{0x2119, 0x211D, prN},     // Lu     [5] DOUBLE-STRUCK CAPITAL P..DOUBLE-STRUCK CAPITAL R
+	{0x211E, 0x2120, prN},     // So     [3] PRESCRIPTION TAKE..SERVICE MARK
+	{0x2121, 0x2122, prA},     // So     [2] TELEPHONE SIGN..TRADE MARK SIGN
+	{0x2123, 0x2123, prN},     // So         VERSICLE
+	{0x2124, 0x2124, prN},     // Lu         DOUBLE-STRUCK CAPITAL Z
+	{0x2125, 0x2125, prN},     // So         OUNCE SIGN
+	{0x2126, 0x2126, prA},     // Lu         OHM SIGN
+	{0x2127, 0x2127, prN},     // So         INVERTED OHM SIGN
+	{0x2128, 0x2128, prN},     // Lu         BLACK-LETTER CAPITAL Z
+	{0x2129, 0x2129, prN},     // So         TURNED GREEK SMALL LETTER IOTA
+	{0x212A, 0x212A, prN},     // Lu         KELVIN SIGN
+	{0x212B, 0x212B, prA},     // Lu         ANGSTROM SIGN
+	{0x212C, 0x212D, prN},     // Lu     [2] SCRIPT CAPITAL B..BLACK-LETTER CAPITAL C
+	{0x212E, 0x212E, prN},     // So         ESTIMATED SYMBOL
+	{0x212F, 0x2134, prN},     // L&     [6] SCRIPT SMALL E..SCRIPT SMALL O
+	{0x2135, 0x2138, prN},     // Lo     [4] ALEF SYMBOL..DALET SYMBOL
+	{0x2139, 0x2139, prN},     // Ll         INFORMATION SOURCE
+	{0x213A, 0x213B, prN},     // So     [2] ROTATED CAPITAL Q..FACSIMILE SIGN
+	{0x213C, 0x213F, prN},     // L&     [4] DOUBLE-STRUCK SMALL PI..DOUBLE-STRUCK CAPITAL PI
+	{0x2140, 0x2144, prN},     // Sm     [5] DOUBLE-STRUCK N-ARY SUMMATION..TURNED SANS-SERIF CAPITAL Y
+	{0x2145, 0x2149, prN},     // L&     [5] DOUBLE-STRUCK ITALIC CAPITAL D..DOUBLE-STRUCK ITALIC SMALL J
+	{0x214A, 0x214A, prN},     // So         PROPERTY LINE
+	{0x214B, 0x214B, prN},     // Sm         TURNED AMPERSAND
+	{0x214C, 0x214D, prN},     // So     [2] PER SIGN..AKTIESELSKAB
+	{0x214E, 0x214E, prN},     // Ll         TURNED SMALL F
+	{0x214F, 0x214F, prN},     // So         SYMBOL FOR SAMARITAN SOURCE
+	{0x2150, 0x2152, prN},     // No     [3] VULGAR FRACTION ONE SEVENTH..VULGAR FRACTION ONE TENTH
+	{0x2153, 0x2154, prA},     // No     [2] VULGAR FRACTION ONE THIRD..VULGAR FRACTION TWO THIRDS
+	{0x2155, 0x215A, prN},     // No     [6] VULGAR FRACTION ONE FIFTH..VULGAR FRACTION FIVE SIXTHS
+	{0x215B, 0x215E, prA},     // No     [4] VULGAR FRACTION ONE EIGHTH..VULGAR FRACTION SEVEN EIGHTHS
+	{0x215F, 0x215F, prN},     // No         FRACTION NUMERATOR ONE
+	{0x2160, 0x216B, prA},     // Nl    [12] ROMAN NUMERAL ONE..ROMAN NUMERAL TWELVE
+	{0x216C, 0x216F, prN},     // Nl     [4] ROMAN NUMERAL FIFTY..ROMAN NUMERAL ONE THOUSAND
+	{0x2170, 0x2179, prA},     // Nl    [10] SMALL ROMAN NUMERAL ONE..SMALL ROMAN NUMERAL TEN
+	{0x217A, 0x2182, prN},     // Nl     [9] SMALL ROMAN NUMERAL ELEVEN..ROMAN NUMERAL TEN THOUSAND
+	{0x2183, 0x2184, prN},     // L&     [2] ROMAN NUMERAL REVERSED ONE HUNDRED..LATIN SMALL LETTER REVERSED C
+	{0x2185, 0x2188, prN},     // Nl     [4] ROMAN NUMERAL SIX LATE FORM..ROMAN NUMERAL ONE HUNDRED THOUSAND
+	{0x2189, 0x2189, prA},     // No         VULGAR FRACTION ZERO THIRDS
+	{0x218A, 0x218B, prN},     // So     [2] TURNED DIGIT TWO..TURNED DIGIT THREE
+	{0x2190, 0x2194, prA},     // Sm     [5] LEFTWARDS ARROW..LEFT RIGHT ARROW
+	{0x2195, 0x2199, prA},     // So     [5] UP DOWN ARROW..SOUTH WEST ARROW
+	{0x219A, 0x219B, prN},     // Sm     [2] LEFTWARDS ARROW WITH STROKE..RIGHTWARDS ARROW WITH STROKE
+	{0x219C, 0x219F, prN},     // So     [4] LEFTWARDS WAVE ARROW..UPWARDS TWO HEADED ARROW
+	{0x21A0, 0x21A0, prN},     // Sm         RIGHTWARDS TWO HEADED ARROW
+	{0x21A1, 0x21A2, prN},     // So     [2] DOWNWARDS TWO HEADED ARROW..LEFTWARDS ARROW WITH TAIL
+	{0x21A3, 0x21A3, prN},     // Sm         RIGHTWARDS ARROW WITH TAIL
+	{0x21A4, 0x21A5, prN},     // So     [2] LEFTWARDS ARROW FROM BAR..UPWARDS ARROW FROM BAR
+	{0x21A6, 0x21A6, prN},     // Sm         RIGHTWARDS ARROW FROM BAR
+	{0x21A7, 0x21AD, prN},     // So     [7] DOWNWARDS ARROW FROM BAR..LEFT RIGHT WAVE ARROW
+	{0x21AE, 0x21AE, prN},     // Sm         LEFT RIGHT ARROW WITH STROKE
+	{0x21AF, 0x21B7, prN},     // So     [9] DOWNWARDS ZIGZAG ARROW..CLOCKWISE TOP SEMICIRCLE ARROW
+	{0x21B8, 0x21B9, prA},     // So     [2] NORTH WEST ARROW TO LONG BAR..LEFTWARDS ARROW TO BAR OVER RIGHTWARDS ARROW TO BAR
+	{0x21BA, 0x21CD, prN},     // So    [20] ANTICLOCKWISE OPEN CIRCLE ARROW..LEFTWARDS DOUBLE ARROW WITH STROKE
+	{0x21CE, 0x21CF, prN},     // Sm     [2] LEFT RIGHT DOUBLE ARROW WITH STROKE..RIGHTWARDS DOUBLE ARROW WITH STROKE
+	{0x21D0, 0x21D1, prN},     // So     [2] LEFTWARDS DOUBLE ARROW..UPWARDS DOUBLE ARROW
+	{0x21D2, 0x21D2, prA},     // Sm         RIGHTWARDS DOUBLE ARROW
+	{0x21D3, 0x21D3, prN},     // So         DOWNWARDS DOUBLE ARROW
+	{0x21D4, 0x21D4, prA},     // Sm         LEFT RIGHT DOUBLE ARROW
+	{0x21D5, 0x21E6, prN},     // So    [18] UP DOWN DOUBLE ARROW..LEFTWARDS WHITE ARROW
+	{0x21E7, 0x21E7, prA},     // So         UPWARDS WHITE ARROW
+	{0x21E8, 0x21F3, prN},     // So    [12] RIGHTWARDS WHITE ARROW..UP DOWN WHITE ARROW
+	{0x21F4, 0x21FF, prN},     // Sm    [12] RIGHT ARROW WITH SMALL CIRCLE..LEFT RIGHT OPEN-HEADED ARROW
+	{0x2200, 0x2200, prA},     // Sm         FOR ALL
+	{0x2201, 0x2201, prN},     // Sm         COMPLEMENT
+	{0x2202, 0x2203, prA},     // Sm     [2] PARTIAL DIFFERENTIAL..THERE EXISTS
+	{0x2204, 0x2206, prN},     // Sm     [3] THERE DOES NOT EXIST..INCREMENT
+	{0x2207, 0x2208, prA},     // Sm     [2] NABLA..ELEMENT OF
+	{0x2209, 0x220A, prN},     // Sm     [2] NOT AN ELEMENT OF..SMALL ELEMENT OF
+	{0x220B, 0x220B, prA},     // Sm         CONTAINS AS MEMBER
+	{0x220C, 0x220E, prN},     // Sm     [3] DOES NOT CONTAIN AS MEMBER..END OF PROOF
+	{0x220F, 0x220F, prA},     // Sm         N-ARY PRODUCT
+	{0x2210, 0x2210, prN},     // Sm         N-ARY COPRODUCT
+	{0x2211, 0x2211, prA},     // Sm         N-ARY SUMMATION
+	{0x2212, 0x2214, prN},     // Sm     [3] MINUS SIGN..DOT PLUS
+	{0x2215, 0x2215, prA},     // Sm         DIVISION SLASH
+	{0x2216, 0x2219, prN},     // Sm     [4] SET MINUS..BULLET OPERATOR
+	{0x221A, 0x221A, prA},     // Sm         SQUARE ROOT
+	{0x221B, 0x221C, prN},     // Sm     [2] CUBE ROOT..FOURTH ROOT
+	{0x221D, 0x2220, prA},     // Sm     [4] PROPORTIONAL TO..ANGLE
+	{0x2221, 0x2222, prN},     // Sm     [2] MEASURED ANGLE..SPHERICAL ANGLE
+	{0x2223, 0x2223, prA},     // Sm         DIVIDES
+	{0x2224, 0x2224, prN},     // Sm         DOES NOT DIVIDE
+	{0x2225, 0x2225, prA},     // Sm         PARALLEL TO
+	{0x2226, 0x2226, prN},     // Sm         NOT PARALLEL TO
+	{0x2227, 0x222C, prA},     // Sm     [6] LOGICAL AND..DOUBLE INTEGRAL
+	{0x222D, 0x222D, prN},     // Sm         TRIPLE INTEGRAL
+	{0x222E, 0x222E, prA},     // Sm         CONTOUR INTEGRAL
+	{0x222F, 0x2233, prN},     // Sm     [5] SURFACE INTEGRAL..ANTICLOCKWISE CONTOUR INTEGRAL
+	{0x2234, 0x2237, prA},     // Sm     [4] THEREFORE..PROPORTION
+	{0x2238, 0x223B, prN},     // Sm     [4] DOT MINUS..HOMOTHETIC
+	{0x223C, 0x223D, prA},     // Sm     [2] TILDE OPERATOR..REVERSED TILDE
+	{0x223E, 0x2247, prN},     // Sm    [10] INVERTED LAZY S..NEITHER APPROXIMATELY NOR ACTUALLY EQUAL TO
+	{0x2248, 0x2248, prA},     // Sm         ALMOST EQUAL TO
+	{0x2249, 0x224B, prN},     // Sm     [3] NOT ALMOST EQUAL TO..TRIPLE TILDE
+	{0x224C, 0x224C, prA},     // Sm         ALL EQUAL TO
+	{0x224D, 0x2251, prN},     // Sm     [5] EQUIVALENT TO..GEOMETRICALLY EQUAL TO
+	{0x2252, 0x2252, prA},     // Sm         APPROXIMATELY EQUAL TO OR THE IMAGE OF
+	{0x2253, 0x225F, prN},     // Sm    [13] IMAGE OF OR APPROXIMATELY EQUAL TO..QUESTIONED EQUAL TO
+	{0x2260, 0x2261, prA},     // Sm     [2] NOT EQUAL TO..IDENTICAL TO
+	{0x2262, 0x2263, prN},     // Sm     [2] NOT IDENTICAL TO..STRICTLY EQUIVALENT TO
+	{0x2264, 0x2267, prA},     // Sm     [4] LESS-THAN OR EQUAL TO..GREATER-THAN OVER EQUAL TO
+	{0x2268, 0x2269, prN},     // Sm     [2] LESS-THAN BUT NOT EQUAL TO..GREATER-THAN BUT NOT EQUAL TO
+	{0x226A, 0x226B, prA},     // Sm     [2] MUCH LESS-THAN..MUCH GREATER-THAN
+	{0x226C, 0x226D, prN},     // Sm     [2] BETWEEN..NOT EQUIVALENT TO
+	{0x226E, 0x226F, prA},     // Sm     [2] NOT LESS-THAN..NOT GREATER-THAN
+	{0x2270, 0x2281, prN},     // Sm    [18] NEITHER LESS-THAN NOR EQUAL TO..DOES NOT SUCCEED
+	{0x2282, 0x2283, prA},     // Sm     [2] SUBSET OF..SUPERSET OF
+	{0x2284, 0x2285, prN},     // Sm     [2] NOT A SUBSET OF..NOT A SUPERSET OF
+	{0x2286, 0x2287, prA},     // Sm     [2] SUBSET OF OR EQUAL TO..SUPERSET OF OR EQUAL TO
+	{0x2288, 0x2294, prN},     // Sm    [13] NEITHER A SUBSET OF NOR EQUAL TO..SQUARE CUP
+	{0x2295, 0x2295, prA},     // Sm         CIRCLED PLUS
+	{0x2296, 0x2298, prN},     // Sm     [3] CIRCLED MINUS..CIRCLED DIVISION SLASH
+	{0x2299, 0x2299, prA},     // Sm         CIRCLED DOT OPERATOR
+	{0x229A, 0x22A4, prN},     // Sm    [11] CIRCLED RING OPERATOR..DOWN TACK
+	{0x22A5, 0x22A5, prA},     // Sm         UP TACK
+	{0x22A6, 0x22BE, prN},     // Sm    [25] ASSERTION..RIGHT ANGLE WITH ARC
+	{0x22BF, 0x22BF, prA},     // Sm         RIGHT TRIANGLE
+	{0x22C0, 0x22FF, prN},     // Sm    [64] N-ARY LOGICAL AND..Z NOTATION BAG MEMBERSHIP
+	{0x2300, 0x2307, prN},     // So     [8] DIAMETER SIGN..WAVY LINE
+	{0x2308, 0x2308, prN},     // Ps         LEFT CEILING
+	{0x2309, 0x2309, prN},     // Pe         RIGHT CEILING
+	{0x230A, 0x230A, prN},     // Ps         LEFT FLOOR
+	{0x230B, 0x230B, prN},     // Pe         RIGHT FLOOR
+	{0x230C, 0x2311, prN},     // So     [6] BOTTOM RIGHT CROP..SQUARE LOZENGE
+	{0x2312, 0x2312, prA},     // So         ARC
+	{0x2313, 0x2319, prN},     // So     [7] SEGMENT..TURNED NOT SIGN
+	{0x231A, 0x231B, prW},     // So     [2] WATCH..HOURGLASS
+	{0x231C, 0x231F, prN},     // So     [4] TOP LEFT CORNER..BOTTOM RIGHT CORNER
+	{0x2320, 0x2321, prN},     // Sm     [2] TOP HALF INTEGRAL..BOTTOM HALF INTEGRAL
+	{0x2322, 0x2328, prN},     // So     [7] FROWN..KEYBOARD
+	{0x2329, 0x2329, prW},     // Ps         LEFT-POINTING ANGLE BRACKET
+	{0x232A, 0x232A, prW},     // Pe         RIGHT-POINTING ANGLE BRACKET
+	{0x232B, 0x237B, prN},     // So    [81] ERASE TO THE LEFT..NOT CHECK MARK
+	{0x237C, 0x237C, prN},     // Sm         RIGHT ANGLE WITH DOWNWARDS ZIGZAG ARROW
+	{0x237D, 0x239A, prN},     // So    [30] SHOULDERED OPEN BOX..CLEAR SCREEN SYMBOL
+	{0x239B, 0x23B3, prN},     // Sm    [25] LEFT PARENTHESIS UPPER HOOK..SUMMATION BOTTOM
+	{0x23B4, 0x23DB, prN},     // So    [40] TOP SQUARE BRACKET..FUSE
+	{0x23DC, 0x23E1, prN},     // Sm     [6] TOP PARENTHESIS..BOTTOM TORTOISE SHELL BRACKET
+	{0x23E2, 0x23E8, prN},     // So     [7] WHITE TRAPEZIUM..DECIMAL EXPONENT SYMBOL
+	{0x23E9, 0x23EC, prW},     // So     [4] BLACK RIGHT-POINTING DOUBLE TRIANGLE..BLACK DOWN-POINTING DOUBLE TRIANGLE
+	{0x23ED, 0x23EF, prN},     // So     [3] BLACK RIGHT-POINTING DOUBLE TRIANGLE WITH VERTICAL BAR..BLACK RIGHT-POINTING TRIANGLE WITH DOUBLE VERTICAL BAR
+	{0x23F0, 0x23F0, prW},     // So         ALARM CLOCK
+	{0x23F1, 0x23F2, prN},     // So     [2] STOPWATCH..TIMER CLOCK
+	{0x23F3, 0x23F3, prW},     // So         HOURGLASS WITH FLOWING SAND
+	{0x23F4, 0x23FF, prN},     // So    [12] BLACK MEDIUM LEFT-POINTING TRIANGLE..OBSERVER EYE SYMBOL
+	{0x2400, 0x2426, prN},     // So    [39] SYMBOL FOR NULL..SYMBOL FOR SUBSTITUTE FORM TWO
+	{0x2440, 0x244A, prN},     // So    [11] OCR HOOK..OCR DOUBLE BACKSLASH
+	{0x2460, 0x249B, prA},     // No    [60] CIRCLED DIGIT ONE..NUMBER TWENTY FULL STOP
+	{0x249C, 0x24E9, prA},     // So    [78] PARENTHESIZED LATIN SMALL LETTER A..CIRCLED LATIN SMALL LETTER Z
+	{0x24EA, 0x24EA, prN},     // No         CIRCLED DIGIT ZERO
+	{0x24EB, 0x24FF, prA},     // No    [21] NEGATIVE CIRCLED NUMBER ELEVEN..NEGATIVE CIRCLED DIGIT ZERO
+	{0x2500, 0x254B, prA},     // So    [76] BOX DRAWINGS LIGHT HORIZONTAL..BOX DRAWINGS HEAVY VERTICAL AND HORIZONTAL
+	{0x254C, 0x254F, prN},     // So     [4] BOX DRAWINGS LIGHT DOUBLE DASH HORIZONTAL..BOX DRAWINGS HEAVY DOUBLE DASH VERTICAL
+	{0x2550, 0x2573, prA},     // So    [36] BOX DRAWINGS DOUBLE HORIZONTAL..BOX DRAWINGS LIGHT DIAGONAL CROSS
+	{0x2574, 0x257F, prN},     // So    [12] BOX DRAWINGS LIGHT LEFT..BOX DRAWINGS HEAVY UP AND LIGHT DOWN
+	{0x2580, 0x258F, prA},     // So    [16] UPPER HALF BLOCK..LEFT ONE EIGHTH BLOCK
+	{0x2590, 0x2591, prN},     // So     [2] RIGHT HALF BLOCK..LIGHT SHADE
+	{0x2592, 0x2595, prA},     // So     [4] MEDIUM SHADE..RIGHT ONE EIGHTH BLOCK
+	{0x2596, 0x259F, prN},     // So    [10] QUADRANT LOWER LEFT..QUADRANT UPPER RIGHT AND LOWER LEFT AND LOWER RIGHT
+	{0x25A0, 0x25A1, prA},     // So     [2] BLACK SQUARE..WHITE SQUARE
+	{0x25A2, 0x25A2, prN},     // So         WHITE SQUARE WITH ROUNDED CORNERS
+	{0x25A3, 0x25A9, prA},     // So     [7] WHITE SQUARE CONTAINING BLACK SMALL SQUARE..SQUARE WITH DIAGONAL CROSSHATCH FILL
+	{0x25AA, 0x25B1, prN},     // So     [8] BLACK SMALL SQUARE..WHITE PARALLELOGRAM
+	{0x25B2, 0x25B3, prA},     // So     [2] BLACK UP-POINTING TRIANGLE..WHITE UP-POINTING TRIANGLE
+	{0x25B4, 0x25B5, prN},     // So     [2] BLACK UP-POINTING SMALL TRIANGLE..WHITE UP-POINTING SMALL TRIANGLE
+	{0x25B6, 0x25B6, prA},     // So         BLACK RIGHT-POINTING TRIANGLE
+	{0x25B7, 0x25B7, prA},     // Sm         WHITE RIGHT-POINTING TRIANGLE
+	{0x25B8, 0x25BB, prN},     // So     [4] BLACK RIGHT-POINTING SMALL TRIANGLE..WHITE RIGHT-POINTING POINTER
+	{0x25BC, 0x25BD, prA},     // So     [2] BLACK DOWN-POINTING TRIANGLE..WHITE DOWN-POINTING TRIANGLE
+	{0x25BE, 0x25BF, prN},     // So     [2] BLACK DOWN-POINTING SMALL TRIANGLE..WHITE DOWN-POINTING SMALL TRIANGLE
+	{0x25C0, 0x25C0, prA},     // So         BLACK LEFT-POINTING TRIANGLE
+	{0x25C1, 0x25C1, prA},     // Sm         WHITE LEFT-POINTING TRIANGLE
+	{0x25C2, 0x25C5, prN},     // So     [4] BLACK LEFT-POINTING SMALL TRIANGLE..WHITE LEFT-POINTING POINTER
+	{0x25C6, 0x25C8, prA},     // So     [3] BLACK DIAMOND..WHITE DIAMOND CONTAINING BLACK SMALL DIAMOND
+	{0x25C9, 0x25CA, prN},     // So     [2] FISHEYE..LOZENGE
+	{0x25CB, 0x25CB, prA},     // So         WHITE CIRCLE
+	{0x25CC, 0x25CD, prN},     // So     [2] DOTTED CIRCLE..CIRCLE WITH VERTICAL FILL
+	{0x25CE, 0x25D1, prA},     // So     [4] BULLSEYE..CIRCLE WITH RIGHT HALF BLACK
+	{0x25D2, 0x25E1, prN},     // So    [16] CIRCLE WITH LOWER HALF BLACK..LOWER HALF CIRCLE
+	{0x25E2, 0x25E5, prA},     // So     [4] BLACK LOWER RIGHT TRIANGLE..BLACK UPPER RIGHT TRIANGLE
+	{0x25E6, 0x25EE, prN},     // So     [9] WHITE BULLET..UP-POINTING TRIANGLE WITH RIGHT HALF BLACK
+	{0x25EF, 0x25EF, prA},     // So         LARGE CIRCLE
+	{0x25F0, 0x25F7, prN},     // So     [8] WHITE SQUARE WITH UPPER LEFT QUADRANT..WHITE CIRCLE WITH UPPER RIGHT QUADRANT
+	{0x25F8, 0x25FC, prN},     // Sm     [5] UPPER LEFT TRIANGLE..BLACK MEDIUM SQUARE
+	{0x25FD, 0x25FE, prW},     // Sm     [2] WHITE MEDIUM SMALL SQUARE..BLACK MEDIUM SMALL SQUARE
+	{0x25FF, 0x25FF, prN},     // Sm         LOWER RIGHT TRIANGLE
+	{0x2600, 0x2604, prN},     // So     [5] BLACK SUN WITH RAYS..COMET
+	{0x2605, 0x2606, prA},     // So     [2] BLACK STAR..WHITE STAR
+	{0x2607, 0x2608, prN},     // So     [2] LIGHTNING..THUNDERSTORM
+	{0x2609, 0x2609, prA},     // So         SUN
+	{0x260A, 0x260D, prN},     // So     [4] ASCENDING NODE..OPPOSITION
+	{0x260E, 0x260F, prA},     // So     [2] BLACK TELEPHONE..WHITE TELEPHONE
+	{0x2610, 0x2613, prN},     // So     [4] BALLOT BOX..SALTIRE
+	{0x2614, 0x2615, prW},     // So     [2] UMBRELLA WITH RAIN DROPS..HOT BEVERAGE
+	{0x2616, 0x261B, prN},     // So     [6] WHITE SHOGI PIECE..BLACK RIGHT POINTING INDEX
+	{0x261C, 0x261C, prA},     // So         WHITE LEFT POINTING INDEX
+	{0x261D, 0x261D, prN},     // So         WHITE UP POINTING INDEX
+	{0x261E, 0x261E, prA},     // So         WHITE RIGHT POINTING INDEX
+	{0x261F, 0x263F, prN},     // So    [33] WHITE DOWN POINTING INDEX..MERCURY
+	{0x2640, 0x2640, prA},     // So         FEMALE SIGN
+	{0x2641, 0x2641, prN},     // So         EARTH
+	{0x2642, 0x2642, prA},     // So         MALE SIGN
+	{0x2643, 0x2647, prN},     // So     [5] JUPITER..PLUTO
+	{0x2648, 0x2653, prW},     // So    [12] ARIES..PISCES
+	{0x2654, 0x265F, prN},     // So    [12] WHITE CHESS KING..BLACK CHESS PAWN
+	{0x2660, 0x2661, prA},     // So     [2] BLACK SPADE SUIT..WHITE HEART SUIT
+	{0x2662, 0x2662, prN},     // So         WHITE DIAMOND SUIT
+	{0x2663, 0x2665, prA},     // So     [3] BLACK CLUB SUIT..BLACK HEART SUIT
+	{0x2666, 0x2666, prN},     // So         BLACK DIAMOND SUIT
+	{0x2667, 0x266A, prA},     // So     [4] WHITE CLUB SUIT..EIGHTH NOTE
+	{0x266B, 0x266B, prN},     // So         BEAMED EIGHTH NOTES
+	{0x266C, 0x266D, prA},     // So     [2] BEAMED SIXTEENTH NOTES..MUSIC FLAT SIGN
+	{0x266E, 0x266E, prN},     // So         MUSIC NATURAL SIGN
+	{0x266F, 0x266F, prA},     // Sm         MUSIC SHARP SIGN
+	{0x2670, 0x267E, prN},     // So    [15] WEST SYRIAC CROSS..PERMANENT PAPER SIGN
+	{0x267F, 0x267F, prW},     // So         WHEELCHAIR SYMBOL
+	{0x2680, 0x2692, prN},     // So    [19] DIE FACE-1..HAMMER AND PICK
+	{0x2693, 0x2693, prW},     // So         ANCHOR
+	{0x2694, 0x269D, prN},     // So    [10] CROSSED SWORDS..OUTLINED WHITE STAR
+	{0x269E, 0x269F, prA},     // So     [2] THREE LINES CONVERGING RIGHT..THREE LINES CONVERGING LEFT
+	{0x26A0, 0x26A0, prN},     // So         WARNING SIGN
+	{0x26A1, 0x26A1, prW},     // So         HIGH VOLTAGE SIGN
+	{0x26A2, 0x26A9, prN},     // So     [8] DOUBLED FEMALE SIGN..HORIZONTAL MALE WITH STROKE SIGN
+	{0x26AA, 0x26AB, prW},     // So     [2] MEDIUM WHITE CIRCLE..MEDIUM BLACK CIRCLE
+	{0x26AC, 0x26BC, prN},     // So    [17] MEDIUM SMALL WHITE CIRCLE..SESQUIQUADRATE
+	{0x26BD, 0x26BE, prW},     // So     [2] SOCCER BALL..BASEBALL
+	{0x26BF, 0x26BF, prA},     // So         SQUARED KEY
+	{0x26C0, 0x26C3, prN},     // So     [4] WHITE DRAUGHTS MAN..BLACK DRAUGHTS KING
+	{0x26C4, 0x26C5, prW},     // So     [2] SNOWMAN WITHOUT SNOW..SUN BEHIND CLOUD
+	{0x26C6, 0x26CD, prA},     // So     [8] RAIN..DISABLED CAR
+	{0x26CE, 0x26CE, prW},     // So         OPHIUCHUS
+	{0x26CF, 0x26D3, prA},     // So     [5] PICK..CHAINS
+	{0x26D4, 0x26D4, prW},     // So         NO ENTRY
+	{0x26D5, 0x26E1, prA},     // So    [13] ALTERNATE ONE-WAY LEFT WAY TRAFFIC..RESTRICTED LEFT ENTRY-2
+	{0x26E2, 0x26E2, prN},     // So         ASTRONOMICAL SYMBOL FOR URANUS
+	{0x26E3, 0x26E3, prA},     // So         HEAVY CIRCLE WITH STROKE AND TWO DOTS ABOVE
+	{0x26E4, 0x26E7, prN},     // So     [4] PENTAGRAM..INVERTED PENTAGRAM
+	{0x26E8, 0x26E9, prA},     // So     [2] BLACK CROSS ON SHIELD..SHINTO SHRINE
+	{0x26EA, 0x26EA, prW},     // So         CHURCH
+	{0x26EB, 0x26F1, prA},     // So     [7] CASTLE..UMBRELLA ON GROUND
+	{0x26F2, 0x26F3, prW},     // So     [2] FOUNTAIN..FLAG IN HOLE
+	{0x26F4, 0x26F4, prA},     // So         FERRY
+	{0x26F5, 0x26F5, prW},     // So         SAILBOAT
+	{0x26F6, 0x26F9, prA},     // So     [4] SQUARE FOUR CORNERS..PERSON WITH BALL
+	{0x26FA, 0x26FA, prW},     // So         TENT
+	{0x26FB, 0x26FC, prA},     // So     [2] JAPANESE BANK SYMBOL..HEADSTONE GRAVEYARD SYMBOL
+	{0x26FD, 0x26FD, prW},     // So         FUEL PUMP
+	{0x26FE, 0x26FF, prA},     // So     [2] CUP ON BLACK SQUARE..WHITE FLAG WITH HORIZONTAL MIDDLE BLACK STRIPE
+	{0x2700, 0x2704, prN},     // So     [5] BLACK SAFETY SCISSORS..WHITE SCISSORS
+	{0x2705, 0x2705, prW},     // So         WHITE HEAVY CHECK MARK
+	{0x2706, 0x2709, prN},     // So     [4] TELEPHONE LOCATION SIGN..ENVELOPE
+	{0x270A, 0x270B, prW},     // So     [2] RAISED FIST..RAISED HAND
+	{0x270C, 0x2727, prN},     // So    [28] VICTORY HAND..WHITE FOUR POINTED STAR
+	{0x2728, 0x2728, prW},     // So         SPARKLES
+	{0x2729, 0x273C, prN},     // So    [20] STRESS OUTLINED WHITE STAR..OPEN CENTRE TEARDROP-SPOKED ASTERISK
+	{0x273D, 0x273D, prA},     // So         HEAVY TEARDROP-SPOKED ASTERISK
+	{0x273E, 0x274B, prN},     // So    [14] SIX PETALLED BLACK AND WHITE FLORETTE..HEAVY EIGHT TEARDROP-SPOKED PROPELLER ASTERISK
+	{0x274C, 0x274C, prW},     // So         CROSS MARK
+	{0x274D, 0x274D, prN},     // So         SHADOWED WHITE CIRCLE
+	{0x274E, 0x274E, prW},     // So         NEGATIVE SQUARED CROSS MARK
+	{0x274F, 0x2752, prN},     // So     [4] LOWER RIGHT DROP-SHADOWED WHITE SQUARE..UPPER RIGHT SHADOWED WHITE SQUARE
+	{0x2753, 0x2755, prW},     // So     [3] BLACK QUESTION MARK ORNAMENT..WHITE EXCLAMATION MARK ORNAMENT
+	{0x2756, 0x2756, prN},     // So         BLACK DIAMOND MINUS WHITE X
+	{0x2757, 0x2757, prW},     // So         HEAVY EXCLAMATION MARK SYMBOL
+	{0x2758, 0x2767, prN},     // So    [16] LIGHT VERTICAL BAR..ROTATED FLORAL HEART BULLET
+	{0x2768, 0x2768, prN},     // Ps         MEDIUM LEFT PARENTHESIS ORNAMENT
+	{0x2769, 0x2769, prN},     // Pe         MEDIUM RIGHT PARENTHESIS ORNAMENT
+	{0x276A, 0x276A, prN},     // Ps         MEDIUM FLATTENED LEFT PARENTHESIS ORNAMENT
+	{0x276B, 0x276B, prN},     // Pe         MEDIUM FLATTENED RIGHT PARENTHESIS ORNAMENT
+	{0x276C, 0x276C, prN},     // Ps         MEDIUM LEFT-POINTING ANGLE BRACKET ORNAMENT
+	{0x276D, 0x276D, prN},     // Pe         MEDIUM RIGHT-POINTING ANGLE BRACKET ORNAMENT
+	{0x276E, 0x276E, prN},     // Ps         HEAVY LEFT-POINTING ANGLE QUOTATION MARK ORNAMENT
+	{0x276F, 0x276F, prN},     // Pe         HEAVY RIGHT-POINTING ANGLE QUOTATION MARK ORNAMENT
+	{0x2770, 0x2770, prN},     // Ps         HEAVY LEFT-POINTING ANGLE BRACKET ORNAMENT
+	{0x2771, 0x2771, prN},     // Pe         HEAVY RIGHT-POINTING ANGLE BRACKET ORNAMENT
+	{0x2772, 0x2772, prN},     // Ps         LIGHT LEFT TORTOISE SHELL BRACKET ORNAMENT
+	{0x2773, 0x2773, prN},     // Pe         LIGHT RIGHT TORTOISE SHELL BRACKET ORNAMENT
+	{0x2774, 0x2774, prN},     // Ps         MEDIUM LEFT CURLY BRACKET ORNAMENT
+	{0x2775, 0x2775, prN},     // Pe         MEDIUM RIGHT CURLY BRACKET ORNAMENT
+	{0x2776, 0x277F, prA},     // No    [10] DINGBAT NEGATIVE CIRCLED DIGIT ONE..DINGBAT NEGATIVE CIRCLED NUMBER TEN
+	{0x2780, 0x2793, prN},     // No    [20] DINGBAT CIRCLED SANS-SERIF DIGIT ONE..DINGBAT NEGATIVE CIRCLED SANS-SERIF NUMBER TEN
+	{0x2794, 0x2794, prN},     // So         HEAVY WIDE-HEADED RIGHTWARDS ARROW
+	{0x2795, 0x2797, prW},     // So     [3] HEAVY PLUS SIGN..HEAVY DIVISION SIGN
+	{0x2798, 0x27AF, prN},     // So    [24] HEAVY SOUTH EAST ARROW..NOTCHED LOWER RIGHT-SHADOWED WHITE RIGHTWARDS ARROW
+	{0x27B0, 0x27B0, prW},     // So         CURLY LOOP
+	{0x27B1, 0x27BE, prN},     // So    [14] NOTCHED UPPER RIGHT-SHADOWED WHITE RIGHTWARDS ARROW..OPEN-OUTLINED RIGHTWARDS ARROW
+	{0x27BF, 0x27BF, prW},     // So         DOUBLE CURLY LOOP
+	{0x27C0, 0x27C4, prN},     // Sm     [5] THREE DIMENSIONAL ANGLE..OPEN SUPERSET
+	{0x27C5, 0x27C5, prN},     // Ps         LEFT S-SHAPED BAG DELIMITER
+	{0x27C6, 0x27C6, prN},     // Pe         RIGHT S-SHAPED BAG DELIMITER
+	{0x27C7, 0x27E5, prN},     // Sm    [31] OR WITH DOT INSIDE..WHITE SQUARE WITH RIGHTWARDS TICK
+	{0x27E6, 0x27E6, prNa},    // Ps         MATHEMATICAL LEFT WHITE SQUARE BRACKET
+	{0x27E7, 0x27E7, prNa},    // Pe         MATHEMATICAL RIGHT WHITE SQUARE BRACKET
+	{0x27E8, 0x27E8, prNa},    // Ps         MATHEMATICAL LEFT ANGLE BRACKET
+	{0x27E9, 0x27E9, prNa},    // Pe         MATHEMATICAL RIGHT ANGLE BRACKET
+	{0x27EA, 0x27EA, prNa},    // Ps         MATHEMATICAL LEFT DOUBLE ANGLE BRACKET
+	{0x27EB, 0x27EB, prNa},    // Pe         MATHEMATICAL RIGHT DOUBLE ANGLE BRACKET
+	{0x27EC, 0x27EC, prNa},    // Ps         MATHEMATICAL LEFT WHITE TORTOISE SHELL BRACKET
+	{0x27ED, 0x27ED, prNa},    // Pe         MATHEMATICAL RIGHT WHITE TORTOISE SHELL BRACKET
+	{0x27EE, 0x27EE, prN},     // Ps         MATHEMATICAL LEFT FLATTENED PARENTHESIS
+	{0x27EF, 0x27EF, prN},     // Pe         MATHEMATICAL RIGHT FLATTENED PARENTHESIS
+	{0x27F0, 0x27FF, prN},     // Sm    [16] UPWARDS QUADRUPLE ARROW..LONG RIGHTWARDS SQUIGGLE ARROW
+	{0x2800, 0x28FF, prN},     // So   [256] BRAILLE PATTERN BLANK..BRAILLE PATTERN DOTS-12345678
+	{0x2900, 0x297F, prN},     // Sm   [128] RIGHTWARDS TWO-HEADED ARROW WITH VERTICAL STROKE..DOWN FISH TAIL
+	{0x2980, 0x2982, prN},     // Sm     [3] TRIPLE VERTICAL BAR DELIMITER..Z NOTATION TYPE COLON
+	{0x2983, 0x2983, prN},     // Ps         LEFT WHITE CURLY BRACKET
+	{0x2984, 0x2984, prN},     // Pe         RIGHT WHITE CURLY BRACKET
+	{0x2985, 0x2985, prNa},    // Ps         LEFT WHITE PARENTHESIS
+	{0x2986, 0x2986, prNa},    // Pe         RIGHT WHITE PARENTHESIS
+	{0x2987, 0x2987, prN},     // Ps         Z NOTATION LEFT IMAGE BRACKET
+	{0x2988, 0x2988, prN},     // Pe         Z NOTATION RIGHT IMAGE BRACKET
+	{0x2989, 0x2989, prN},     // Ps         Z NOTATION LEFT BINDING BRACKET
+	{0x298A, 0x298A, prN},     // Pe         Z NOTATION RIGHT BINDING BRACKET
+	{0x298B, 0x298B, prN},     // Ps         LEFT SQUARE BRACKET WITH UNDERBAR
+	{0x298C, 0x298C, prN},     // Pe         RIGHT SQUARE BRACKET WITH UNDERBAR
+	{0x298D, 0x298D, prN},     // Ps         LEFT SQUARE BRACKET WITH TICK IN TOP CORNER
+	{0x298E, 0x298E, prN},     // Pe         RIGHT SQUARE BRACKET WITH TICK IN BOTTOM CORNER
+	{0x298F, 0x298F, prN},     // Ps         LEFT SQUARE BRACKET WITH TICK IN BOTTOM CORNER
+	{0x2990, 0x2990, prN},     // Pe         RIGHT SQUARE BRACKET WITH TICK IN TOP CORNER
+	{0x2991, 0x2991, prN},     // Ps         LEFT ANGLE BRACKET WITH DOT
+	{0x2992, 0x2992, prN},     // Pe         RIGHT ANGLE BRACKET WITH DOT
+	{0x2993, 0x2993, prN},     // Ps         LEFT ARC LESS-THAN BRACKET
+	{0x2994, 0x2994, prN},     // Pe         RIGHT ARC GREATER-THAN BRACKET
+	{0x2995, 0x2995, prN},     // Ps         DOUBLE LEFT ARC GREATER-THAN BRACKET
+	{0x2996, 0x2996, prN},     // Pe         DOUBLE RIGHT ARC LESS-THAN BRACKET
+	{0x2997, 0x2997, prN},     // Ps         LEFT BLACK TORTOISE SHELL BRACKET
+	{0x2998, 0x2998, prN},     // Pe         RIGHT BLACK TORTOISE SHELL BRACKET
+	{0x2999, 0x29D7, prN},     // Sm    [63] DOTTED FENCE..BLACK HOURGLASS
+	{0x29D8, 0x29D8, prN},     // Ps         LEFT WIGGLY FENCE
+	{0x29D9, 0x29D9, prN},     // Pe         RIGHT WIGGLY FENCE
+	{0x29DA, 0x29DA, prN},     // Ps         LEFT DOUBLE WIGGLY FENCE
+	{0x29DB, 0x29DB, prN},     // Pe         RIGHT DOUBLE WIGGLY FENCE
+	{0x29DC, 0x29FB, prN},     // Sm    [32] INCOMPLETE INFINITY..TRIPLE PLUS
+	{0x29FC, 0x29FC, prN},     // Ps         LEFT-POINTING CURVED ANGLE BRACKET
+	{0x29FD, 0x29FD, prN},     // Pe         RIGHT-POINTING CURVED ANGLE BRACKET
+	{0x29FE, 0x29FF, prN},     // Sm     [2] TINY..MINY
+	{0x2A00, 0x2AFF, prN},     // Sm   [256] N-ARY CIRCLED DOT OPERATOR..N-ARY WHITE VERTICAL BAR
+	{0x2B00, 0x2B1A, prN},     // So    [27] NORTH EAST WHITE ARROW..DOTTED SQUARE
+	{0x2B1B, 0x2B1C, prW},     // So     [2] BLACK LARGE SQUARE..WHITE LARGE SQUARE
+	{0x2B1D, 0x2B2F, prN},     // So    [19] BLACK VERY SMALL SQUARE..WHITE VERTICAL ELLIPSE
+	{0x2B30, 0x2B44, prN},     // Sm    [21] LEFT ARROW WITH SMALL CIRCLE..RIGHTWARDS ARROW THROUGH SUPERSET
+	{0x2B45, 0x2B46, prN},     // So     [2] LEFTWARDS QUADRUPLE ARROW..RIGHTWARDS QUADRUPLE ARROW
+	{0x2B47, 0x2B4C, prN},     // Sm     [6] REVERSE TILDE OPERATOR ABOVE RIGHTWARDS ARROW..RIGHTWARDS ARROW ABOVE REVERSE TILDE OPERATOR
+	{0x2B4D, 0x2B4F, prN},     // So     [3] DOWNWARDS TRIANGLE-HEADED ZIGZAG ARROW..SHORT BACKSLANTED SOUTH ARROW
+	{0x2B50, 0x2B50, prW},     // So         WHITE MEDIUM STAR
+	{0x2B51, 0x2B54, prN},     // So     [4] BLACK SMALL STAR..WHITE RIGHT-POINTING PENTAGON
+	{0x2B55, 0x2B55, prW},     // So         HEAVY LARGE CIRCLE
+	{0x2B56, 0x2B59, prA},     // So     [4] HEAVY OVAL WITH OVAL INSIDE..HEAVY CIRCLED SALTIRE
+	{0x2B5A, 0x2B73, prN},     // So    [26] SLANTED NORTH ARROW WITH HOOKED HEAD..DOWNWARDS TRIANGLE-HEADED ARROW TO BAR
+	{0x2B76, 0x2B95, prN},     // So    [32] NORTH WEST TRIANGLE-HEADED ARROW TO BAR..RIGHTWARDS BLACK ARROW
+	{0x2B97, 0x2BFF, prN},     // So   [105] SYMBOL FOR TYPE A ELECTRONICS..HELLSCHREIBER PAUSE SYMBOL
+	{0x2C00, 0x2C5F, prN},     // L&    [96] GLAGOLITIC CAPITAL LETTER AZU..GLAGOLITIC SMALL LETTER CAUDATE CHRIVI
+	{0x2C60, 0x2C7B, prN},     // L&    [28] LATIN CAPITAL LETTER L WITH DOUBLE BAR..LATIN LETTER SMALL CAPITAL TURNED E
+	{0x2C7C, 0x2C7D, prN},     // Lm     [2] LATIN SUBSCRIPT SMALL LETTER J..MODIFIER LETTER CAPITAL V
+	{0x2C7E, 0x2C7F, prN},     // Lu     [2] LATIN CAPITAL LETTER S WITH SWASH TAIL..LATIN CAPITAL LETTER Z WITH SWASH TAIL
+	{0x2C80, 0x2CE4, prN},     // L&   [101] COPTIC CAPITAL LETTER ALFA..COPTIC SYMBOL KAI
+	{0x2CE5, 0x2CEA, prN},     // So     [6] COPTIC SYMBOL MI RO..COPTIC SYMBOL SHIMA SIMA
+	{0x2CEB, 0x2CEE, prN},     // L&     [4] COPTIC CAPITAL LETTER CRYPTOGRAMMIC SHEI..COPTIC SMALL LETTER CRYPTOGRAMMIC GANGIA
+	{0x2CEF, 0x2CF1, prN},     // Mn     [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS
+	{0x2CF2, 0x2CF3, prN},     // L&     [2] COPTIC CAPITAL LETTER BOHAIRIC KHEI..COPTIC SMALL LETTER BOHAIRIC KHEI
+	{0x2CF9, 0x2CFC, prN},     // Po     [4] COPTIC OLD NUBIAN FULL STOP..COPTIC OLD NUBIAN VERSE DIVIDER
+	{0x2CFD, 0x2CFD, prN},     // No         COPTIC FRACTION ONE HALF
+	{0x2CFE, 0x2CFF, prN},     // Po     [2] COPTIC FULL STOP..COPTIC MORPHOLOGICAL DIVIDER
+	{0x2D00, 0x2D25, prN},     // Ll    [38] GEORGIAN SMALL LETTER AN..GEORGIAN SMALL LETTER HOE
+	{0x2D27, 0x2D27, prN},     // Ll         GEORGIAN SMALL LETTER YN
+	{0x2D2D, 0x2D2D, prN},     // Ll         GEORGIAN SMALL LETTER AEN
+	{0x2D30, 0x2D67, prN},     // Lo    [56] TIFINAGH LETTER YA..TIFINAGH LETTER YO
+	{0x2D6F, 0x2D6F, prN},     // Lm         TIFINAGH MODIFIER LETTER LABIALIZATION MARK
+	{0x2D70, 0x2D70, prN},     // Po         TIFINAGH SEPARATOR MARK
+	{0x2D7F, 0x2D7F, prN},     // Mn         TIFINAGH CONSONANT JOINER
+	{0x2D80, 0x2D96, prN},     // Lo    [23] ETHIOPIC SYLLABLE LOA..ETHIOPIC SYLLABLE GGWE
+	{0x2DA0, 0x2DA6, prN},     // Lo     [7] ETHIOPIC SYLLABLE SSA..ETHIOPIC SYLLABLE SSO
+	{0x2DA8, 0x2DAE, prN},     // Lo     [7] ETHIOPIC SYLLABLE CCA..ETHIOPIC SYLLABLE CCO
+	{0x2DB0, 0x2DB6, prN},     // Lo     [7] ETHIOPIC SYLLABLE ZZA..ETHIOPIC SYLLABLE ZZO
+	{0x2DB8, 0x2DBE, prN},     // Lo     [7] ETHIOPIC SYLLABLE CCHA..ETHIOPIC SYLLABLE CCHO
+	{0x2DC0, 0x2DC6, prN},     // Lo     [7] ETHIOPIC SYLLABLE QYA..ETHIOPIC SYLLABLE QYO
+	{0x2DC8, 0x2DCE, prN},     // Lo     [7] ETHIOPIC SYLLABLE KYA..ETHIOPIC SYLLABLE KYO
+	{0x2DD0, 0x2DD6, prN},     // Lo     [7] ETHIOPIC SYLLABLE XYA..ETHIOPIC SYLLABLE XYO
+	{0x2DD8, 0x2DDE, prN},     // Lo     [7] ETHIOPIC SYLLABLE GYA..ETHIOPIC SYLLABLE GYO
+	{0x2DE0, 0x2DFF, prN},     // Mn    [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+	{0x2E00, 0x2E01, prN},     // Po     [2] RIGHT ANGLE SUBSTITUTION MARKER..RIGHT ANGLE DOTTED SUBSTITUTION MARKER
+	{0x2E02, 0x2E02, prN},     // Pi         LEFT SUBSTITUTION BRACKET
+	{0x2E03, 0x2E03, prN},     // Pf         RIGHT SUBSTITUTION BRACKET
+	{0x2E04, 0x2E04, prN},     // Pi         LEFT DOTTED SUBSTITUTION BRACKET
+	{0x2E05, 0x2E05, prN},     // Pf         RIGHT DOTTED SUBSTITUTION BRACKET
+	{0x2E06, 0x2E08, prN},     // Po     [3] RAISED INTERPOLATION MARKER..DOTTED TRANSPOSITION MARKER
+	{0x2E09, 0x2E09, prN},     // Pi         LEFT TRANSPOSITION BRACKET
+	{0x2E0A, 0x2E0A, prN},     // Pf         RIGHT TRANSPOSITION BRACKET
+	{0x2E0B, 0x2E0B, prN},     // Po         RAISED SQUARE
+	{0x2E0C, 0x2E0C, prN},     // Pi         LEFT RAISED OMISSION BRACKET
+	{0x2E0D, 0x2E0D, prN},     // Pf         RIGHT RAISED OMISSION BRACKET
+	{0x2E0E, 0x2E16, prN},     // Po     [9] EDITORIAL CORONIS..DOTTED RIGHT-POINTING ANGLE
+	{0x2E17, 0x2E17, prN},     // Pd         DOUBLE OBLIQUE HYPHEN
+	{0x2E18, 0x2E19, prN},     // Po     [2] INVERTED INTERROBANG..PALM BRANCH
+	{0x2E1A, 0x2E1A, prN},     // Pd         HYPHEN WITH DIAERESIS
+	{0x2E1B, 0x2E1B, prN},     // Po         TILDE WITH RING ABOVE
+	{0x2E1C, 0x2E1C, prN},     // Pi         LEFT LOW PARAPHRASE BRACKET
+	{0x2E1D, 0x2E1D, prN},     // Pf         RIGHT LOW PARAPHRASE BRACKET
+	{0x2E1E, 0x2E1F, prN},     // Po     [2] TILDE WITH DOT ABOVE..TILDE WITH DOT BELOW
+	{0x2E20, 0x2E20, prN},     // Pi         LEFT VERTICAL BAR WITH QUILL
+	{0x2E21, 0x2E21, prN},     // Pf         RIGHT VERTICAL BAR WITH QUILL
+	{0x2E22, 0x2E22, prN},     // Ps         TOP LEFT HALF BRACKET
+	{0x2E23, 0x2E23, prN},     // Pe         TOP RIGHT HALF BRACKET
+	{0x2E24, 0x2E24, prN},     // Ps         BOTTOM LEFT HALF BRACKET
+	{0x2E25, 0x2E25, prN},     // Pe         BOTTOM RIGHT HALF BRACKET
+	{0x2E26, 0x2E26, prN},     // Ps         LEFT SIDEWAYS U BRACKET
+	{0x2E27, 0x2E27, prN},     // Pe         RIGHT SIDEWAYS U BRACKET
+	{0x2E28, 0x2E28, prN},     // Ps         LEFT DOUBLE PARENTHESIS
+	{0x2E29, 0x2E29, prN},     // Pe         RIGHT DOUBLE PARENTHESIS
+	{0x2E2A, 0x2E2E, prN},     // Po     [5] TWO DOTS OVER ONE DOT PUNCTUATION..REVERSED QUESTION MARK
+	{0x2E2F, 0x2E2F, prN},     // Lm         VERTICAL TILDE
+	{0x2E30, 0x2E39, prN},     // Po    [10] RING POINT..TOP HALF SECTION SIGN
+	{0x2E3A, 0x2E3B, prN},     // Pd     [2] TWO-EM DASH..THREE-EM DASH
+	{0x2E3C, 0x2E3F, prN},     // Po     [4] STENOGRAPHIC FULL STOP..CAPITULUM
+	{0x2E40, 0x2E40, prN},     // Pd         DOUBLE HYPHEN
+	{0x2E41, 0x2E41, prN},     // Po         REVERSED COMMA
+	{0x2E42, 0x2E42, prN},     // Ps         DOUBLE LOW-REVERSED-9 QUOTATION MARK
+	{0x2E43, 0x2E4F, prN},     // Po    [13] DASH WITH LEFT UPTURN..CORNISH VERSE DIVIDER
+	{0x2E50, 0x2E51, prN},     // So     [2] CROSS PATTY WITH RIGHT CROSSBAR..CROSS PATTY WITH LEFT CROSSBAR
+	{0x2E52, 0x2E54, prN},     // Po     [3] TIRONIAN SIGN CAPITAL ET..MEDIEVAL QUESTION MARK
+	{0x2E55, 0x2E55, prN},     // Ps         LEFT SQUARE BRACKET WITH STROKE
+	{0x2E56, 0x2E56, prN},     // Pe         RIGHT SQUARE BRACKET WITH STROKE
+	{0x2E57, 0x2E57, prN},     // Ps         LEFT SQUARE BRACKET WITH DOUBLE STROKE
+	{0x2E58, 0x2E58, prN},     // Pe         RIGHT SQUARE BRACKET WITH DOUBLE STROKE
+	{0x2E59, 0x2E59, prN},     // Ps         TOP HALF LEFT PARENTHESIS
+	{0x2E5A, 0x2E5A, prN},     // Pe         TOP HALF RIGHT PARENTHESIS
+	{0x2E5B, 0x2E5B, prN},     // Ps         BOTTOM HALF LEFT PARENTHESIS
+	{0x2E5C, 0x2E5C, prN},     // Pe         BOTTOM HALF RIGHT PARENTHESIS
+	{0x2E5D, 0x2E5D, prN},     // Pd         OBLIQUE HYPHEN
+	{0x2E80, 0x2E99, prW},     // So    [26] CJK RADICAL REPEAT..CJK RADICAL RAP
+	{0x2E9B, 0x2EF3, prW},     // So    [89] CJK RADICAL CHOKE..CJK RADICAL C-SIMPLIFIED TURTLE
+	{0x2F00, 0x2FD5, prW},     // So   [214] KANGXI RADICAL ONE..KANGXI RADICAL FLUTE
+	{0x2FF0, 0x2FFB, prW},     // So    [12] IDEOGRAPHIC DESCRIPTION CHARACTER LEFT TO RIGHT..IDEOGRAPHIC DESCRIPTION CHARACTER OVERLAID
+	{0x3000, 0x3000, prF},     // Zs         IDEOGRAPHIC SPACE
+	{0x3001, 0x3003, prW},     // Po     [3] IDEOGRAPHIC COMMA..DITTO MARK
+	{0x3004, 0x3004, prW},     // So         JAPANESE INDUSTRIAL STANDARD SYMBOL
+	{0x3005, 0x3005, prW},     // Lm         IDEOGRAPHIC ITERATION MARK
+	{0x3006, 0x3006, prW},     // Lo         IDEOGRAPHIC CLOSING MARK
+	{0x3007, 0x3007, prW},     // Nl         IDEOGRAPHIC NUMBER ZERO
+	{0x3008, 0x3008, prW},     // Ps         LEFT ANGLE BRACKET
+	{0x3009, 0x3009, prW},     // Pe         RIGHT ANGLE BRACKET
+	{0x300A, 0x300A, prW},     // Ps         LEFT DOUBLE ANGLE BRACKET
+	{0x300B, 0x300B, prW},     // Pe         RIGHT DOUBLE ANGLE BRACKET
+	{0x300C, 0x300C, prW},     // Ps         LEFT CORNER BRACKET
+	{0x300D, 0x300D, prW},     // Pe         RIGHT CORNER BRACKET
+	{0x300E, 0x300E, prW},     // Ps         LEFT WHITE CORNER BRACKET
+	{0x300F, 0x300F, prW},     // Pe         RIGHT WHITE CORNER BRACKET
+	{0x3010, 0x3010, prW},     // Ps         LEFT BLACK LENTICULAR BRACKET
+	{0x3011, 0x3011, prW},     // Pe         RIGHT BLACK LENTICULAR BRACKET
+	{0x3012, 0x3013, prW},     // So     [2] POSTAL MARK..GETA MARK
+	{0x3014, 0x3014, prW},     // Ps         LEFT TORTOISE SHELL BRACKET
+	{0x3015, 0x3015, prW},     // Pe         RIGHT TORTOISE SHELL BRACKET
+	{0x3016, 0x3016, prW},     // Ps         LEFT WHITE LENTICULAR BRACKET
+	{0x3017, 0x3017, prW},     // Pe         RIGHT WHITE LENTICULAR BRACKET
+	{0x3018, 0x3018, prW},     // Ps         LEFT WHITE TORTOISE SHELL BRACKET
+	{0x3019, 0x3019, prW},     // Pe         RIGHT WHITE TORTOISE SHELL BRACKET
+	{0x301A, 0x301A, prW},     // Ps         LEFT WHITE SQUARE BRACKET
+	{0x301B, 0x301B, prW},     // Pe         RIGHT WHITE SQUARE BRACKET
+	{0x301C, 0x301C, prW},     // Pd         WAVE DASH
+	{0x301D, 0x301D, prW},     // Ps         REVERSED DOUBLE PRIME QUOTATION MARK
+	{0x301E, 0x301F, prW},     // Pe     [2] DOUBLE PRIME QUOTATION MARK..LOW DOUBLE PRIME QUOTATION MARK
+	{0x3020, 0x3020, prW},     // So         POSTAL MARK FACE
+	{0x3021, 0x3029, prW},     // Nl     [9] HANGZHOU NUMERAL ONE..HANGZHOU NUMERAL NINE
+	{0x302A, 0x302D, prW},     // Mn     [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK
+	{0x302E, 0x302F, prW},     // Mc     [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK
+	{0x3030, 0x3030, prW},     // Pd         WAVY DASH
+	{0x3031, 0x3035, prW},     // Lm     [5] VERTICAL KANA REPEAT MARK..VERTICAL KANA REPEAT MARK LOWER HALF
+	{0x3036, 0x3037, prW},     // So     [2] CIRCLED POSTAL MARK..IDEOGRAPHIC TELEGRAPH LINE FEED SEPARATOR SYMBOL
+	{0x3038, 0x303A, prW},     // Nl     [3] HANGZHOU NUMERAL TEN..HANGZHOU NUMERAL THIRTY
+	{0x303B, 0x303B, prW},     // Lm         VERTICAL IDEOGRAPHIC ITERATION MARK
+	{0x303C, 0x303C, prW},     // Lo         MASU MARK
+	{0x303D, 0x303D, prW},     // Po         PART ALTERNATION MARK
+	{0x303E, 0x303E, prW},     // So         IDEOGRAPHIC VARIATION INDICATOR
+	{0x303F, 0x303F, prN},     // So         IDEOGRAPHIC HALF FILL SPACE
+	{0x3041, 0x3096, prW},     // Lo    [86] HIRAGANA LETTER SMALL A..HIRAGANA LETTER SMALL KE
+	{0x3099, 0x309A, prW},     // Mn     [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK
+	{0x309B, 0x309C, prW},     // Sk     [2] KATAKANA-HIRAGANA VOICED SOUND MARK..KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK
+	{0x309D, 0x309E, prW},     // Lm     [2] HIRAGANA ITERATION MARK..HIRAGANA VOICED ITERATION MARK
+	{0x309F, 0x309F, prW},     // Lo         HIRAGANA DIGRAPH YORI
+	{0x30A0, 0x30A0, prW},     // Pd         KATAKANA-HIRAGANA DOUBLE HYPHEN
+	{0x30A1, 0x30FA, prW},     // Lo    [90] KATAKANA LETTER SMALL A..KATAKANA LETTER VO
+	{0x30FB, 0x30FB, prW},     // Po         KATAKANA MIDDLE DOT
+	{0x30FC, 0x30FE, prW},     // Lm     [3] KATAKANA-HIRAGANA PROLONGED SOUND MARK..KATAKANA VOICED ITERATION MARK
+	{0x30FF, 0x30FF, prW},     // Lo         KATAKANA DIGRAPH KOTO
+	{0x3105, 0x312F, prW},     // Lo    [43] BOPOMOFO LETTER B..BOPOMOFO LETTER NN
+	{0x3131, 0x318E, prW},     // Lo    [94] HANGUL LETTER KIYEOK..HANGUL LETTER ARAEAE
+	{0x3190, 0x3191, prW},     // So     [2] IDEOGRAPHIC ANNOTATION LINKING MARK..IDEOGRAPHIC ANNOTATION REVERSE MARK
+	{0x3192, 0x3195, prW},     // No     [4] IDEOGRAPHIC ANNOTATION ONE MARK..IDEOGRAPHIC ANNOTATION FOUR MARK
+	{0x3196, 0x319F, prW},     // So    [10] IDEOGRAPHIC ANNOTATION TOP MARK..IDEOGRAPHIC ANNOTATION MAN MARK
+	{0x31A0, 0x31BF, prW},     // Lo    [32] BOPOMOFO LETTER BU..BOPOMOFO LETTER AH
+	{0x31C0, 0x31E3, prW},     // So    [36] CJK STROKE T..CJK STROKE Q
+	{0x31F0, 0x31FF, prW},     // Lo    [16] KATAKANA LETTER SMALL KU..KATAKANA LETTER SMALL RO
+	{0x3200, 0x321E, prW},     // So    [31] PARENTHESIZED HANGUL KIYEOK..PARENTHESIZED KOREAN CHARACTER O HU
+	{0x3220, 0x3229, prW},     // No    [10] PARENTHESIZED IDEOGRAPH ONE..PARENTHESIZED IDEOGRAPH TEN
+	{0x322A, 0x3247, prW},     // So    [30] PARENTHESIZED IDEOGRAPH MOON..CIRCLED IDEOGRAPH KOTO
+	{0x3248, 0x324F, prA},     // No     [8] CIRCLED NUMBER TEN ON BLACK SQUARE..CIRCLED NUMBER EIGHTY ON BLACK SQUARE
+	{0x3250, 0x3250, prW},     // So         PARTNERSHIP SIGN
+	{0x3251, 0x325F, prW},     // No    [15] CIRCLED NUMBER TWENTY ONE..CIRCLED NUMBER THIRTY FIVE
+	{0x3260, 0x327F, prW},     // So    [32] CIRCLED HANGUL KIYEOK..KOREAN STANDARD SYMBOL
+	{0x3280, 0x3289, prW},     // No    [10] CIRCLED IDEOGRAPH ONE..CIRCLED IDEOGRAPH TEN
+	{0x328A, 0x32B0, prW},     // So    [39] CIRCLED IDEOGRAPH MOON..CIRCLED IDEOGRAPH NIGHT
+	{0x32B1, 0x32BF, prW},     // No    [15] CIRCLED NUMBER THIRTY SIX..CIRCLED NUMBER FIFTY
+	{0x32C0, 0x32FF, prW},     // So    [64] IDEOGRAPHIC TELEGRAPH SYMBOL FOR JANUARY..SQUARE ERA NAME REIWA
+	{0x3300, 0x33FF, prW},     // So   [256] SQUARE APAATO..SQUARE GAL
+	{0x3400, 0x4DBF, prW},     // Lo  [6592] CJK UNIFIED IDEOGRAPH-3400..CJK UNIFIED IDEOGRAPH-4DBF
+	{0x4DC0, 0x4DFF, prN},     // So    [64] HEXAGRAM FOR THE CREATIVE HEAVEN..HEXAGRAM FOR BEFORE COMPLETION
+	{0x4E00, 0x9FFF, prW},     // Lo [20992] CJK UNIFIED IDEOGRAPH-4E00..CJK UNIFIED IDEOGRAPH-9FFF
+	{0xA000, 0xA014, prW},     // Lo    [21] YI SYLLABLE IT..YI SYLLABLE E
+	{0xA015, 0xA015, prW},     // Lm         YI SYLLABLE WU
+	{0xA016, 0xA48C, prW},     // Lo  [1143] YI SYLLABLE BIT..YI SYLLABLE YYR
+	{0xA490, 0xA4C6, prW},     // So    [55] YI RADICAL QOT..YI RADICAL KE
+	{0xA4D0, 0xA4F7, prN},     // Lo    [40] LISU LETTER BA..LISU LETTER OE
+	{0xA4F8, 0xA4FD, prN},     // Lm     [6] LISU LETTER TONE MYA TI..LISU LETTER TONE MYA JEU
+	{0xA4FE, 0xA4FF, prN},     // Po     [2] LISU PUNCTUATION COMMA..LISU PUNCTUATION FULL STOP
+	{0xA500, 0xA60B, prN},     // Lo   [268] VAI SYLLABLE EE..VAI SYLLABLE NG
+	{0xA60C, 0xA60C, prN},     // Lm         VAI SYLLABLE LENGTHENER
+	{0xA60D, 0xA60F, prN},     // Po     [3] VAI COMMA..VAI QUESTION MARK
+	{0xA610, 0xA61F, prN},     // Lo    [16] VAI SYLLABLE NDOLE FA..VAI SYMBOL JONG
+	{0xA620, 0xA629, prN},     // Nd    [10] VAI DIGIT ZERO..VAI DIGIT NINE
+	{0xA62A, 0xA62B, prN},     // Lo     [2] VAI SYLLABLE NDOLE MA..VAI SYLLABLE NDOLE DO
+	{0xA640, 0xA66D, prN},     // L&    [46] CYRILLIC CAPITAL LETTER ZEMLYA..CYRILLIC SMALL LETTER DOUBLE MONOCULAR O
+	{0xA66E, 0xA66E, prN},     // Lo         CYRILLIC LETTER MULTIOCULAR O
+	{0xA66F, 0xA66F, prN},     // Mn         COMBINING CYRILLIC VZMET
+	{0xA670, 0xA672, prN},     // Me     [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN
+	{0xA673, 0xA673, prN},     // Po         SLAVONIC ASTERISK
+	{0xA674, 0xA67D, prN},     // Mn    [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK
+	{0xA67E, 0xA67E, prN},     // Po         CYRILLIC KAVYKA
+	{0xA67F, 0xA67F, prN},     // Lm         CYRILLIC PAYEROK
+	{0xA680, 0xA69B, prN},     // L&    [28] CYRILLIC CAPITAL LETTER DWE..CYRILLIC SMALL LETTER CROSSED O
+	{0xA69C, 0xA69D, prN},     // Lm     [2] MODIFIER LETTER CYRILLIC HARD SIGN..MODIFIER LETTER CYRILLIC SOFT SIGN
+	{0xA69E, 0xA69F, prN},     // Mn     [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E
+	{0xA6A0, 0xA6E5, prN},     // Lo    [70] BAMUM LETTER A..BAMUM LETTER KI
+	{0xA6E6, 0xA6EF, prN},     // Nl    [10] BAMUM LETTER MO..BAMUM LETTER KOGHOM
+	{0xA6F0, 0xA6F1, prN},     // Mn     [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS
+	{0xA6F2, 0xA6F7, prN},     // Po     [6] BAMUM NJAEMLI..BAMUM QUESTION MARK
+	{0xA700, 0xA716, prN},     // Sk    [23] MODIFIER LETTER CHINESE TONE YIN PING..MODIFIER LETTER EXTRA-LOW LEFT-STEM TONE BAR
+	{0xA717, 0xA71F, prN},     // Lm     [9] MODIFIER LETTER DOT VERTICAL BAR..MODIFIER LETTER LOW INVERTED EXCLAMATION MARK
+	{0xA720, 0xA721, prN},     // Sk     [2] MODIFIER LETTER STRESS AND HIGH TONE..MODIFIER LETTER STRESS AND LOW TONE
+	{0xA722, 0xA76F, prN},     // L&    [78] LATIN CAPITAL LETTER EGYPTOLOGICAL ALEF..LATIN SMALL LETTER CON
+	{0xA770, 0xA770, prN},     // Lm         MODIFIER LETTER US
+	{0xA771, 0xA787, prN},     // L&    [23] LATIN SMALL LETTER DUM..LATIN SMALL LETTER INSULAR T
+	{0xA788, 0xA788, prN},     // Lm         MODIFIER LETTER LOW CIRCUMFLEX ACCENT
+	{0xA789, 0xA78A, prN},     // Sk     [2] MODIFIER LETTER COLON..MODIFIER LETTER SHORT EQUALS SIGN
+	{0xA78B, 0xA78E, prN},     // L&     [4] LATIN CAPITAL LETTER SALTILLO..LATIN SMALL LETTER L WITH RETROFLEX HOOK AND BELT
+	{0xA78F, 0xA78F, prN},     // Lo         LATIN LETTER SINOLOGICAL DOT
+	{0xA790, 0xA7CA, prN},     // L&    [59] LATIN CAPITAL LETTER N WITH DESCENDER..LATIN SMALL LETTER S WITH SHORT STROKE OVERLAY
+	{0xA7D0, 0xA7D1, prN},     // L&     [2] LATIN CAPITAL LETTER CLOSED INSULAR G..LATIN SMALL LETTER CLOSED INSULAR G
+	{0xA7D3, 0xA7D3, prN},     // Ll         LATIN SMALL LETTER DOUBLE THORN
+	{0xA7D5, 0xA7D9, prN},     // L&     [5] LATIN SMALL LETTER DOUBLE WYNN..LATIN SMALL LETTER SIGMOID S
+	{0xA7F2, 0xA7F4, prN},     // Lm     [3] MODIFIER LETTER CAPITAL C..MODIFIER LETTER CAPITAL Q
+	{0xA7F5, 0xA7F6, prN},     // L&     [2] LATIN CAPITAL LETTER REVERSED HALF H..LATIN SMALL LETTER REVERSED HALF H
+	{0xA7F7, 0xA7F7, prN},     // Lo         LATIN EPIGRAPHIC LETTER SIDEWAYS I
+	{0xA7F8, 0xA7F9, prN},     // Lm     [2] MODIFIER LETTER CAPITAL H WITH STROKE..MODIFIER LETTER SMALL LIGATURE OE
+	{0xA7FA, 0xA7FA, prN},     // Ll         LATIN LETTER SMALL CAPITAL TURNED M
+	{0xA7FB, 0xA7FF, prN},     // Lo     [5] LATIN EPIGRAPHIC LETTER REVERSED F..LATIN EPIGRAPHIC LETTER ARCHAIC M
+	{0xA800, 0xA801, prN},     // Lo     [2] SYLOTI NAGRI LETTER A..SYLOTI NAGRI LETTER I
+	{0xA802, 0xA802, prN},     // Mn         SYLOTI NAGRI SIGN DVISVARA
+	{0xA803, 0xA805, prN},     // Lo     [3] SYLOTI NAGRI LETTER U..SYLOTI NAGRI LETTER O
+	{0xA806, 0xA806, prN},     // Mn         SYLOTI NAGRI SIGN HASANTA
+	{0xA807, 0xA80A, prN},     // Lo     [4] SYLOTI NAGRI LETTER KO..SYLOTI NAGRI LETTER GHO
+	{0xA80B, 0xA80B, prN},     // Mn         SYLOTI NAGRI SIGN ANUSVARA
+	{0xA80C, 0xA822, prN},     // Lo    [23] SYLOTI NAGRI LETTER CO..SYLOTI NAGRI LETTER HO
+	{0xA823, 0xA824, prN},     // Mc     [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I
+	{0xA825, 0xA826, prN},     // Mn     [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E
+	{0xA827, 0xA827, prN},     // Mc         SYLOTI NAGRI VOWEL SIGN OO
+	{0xA828, 0xA82B, prN},     // So     [4] SYLOTI NAGRI POETRY MARK-1..SYLOTI NAGRI POETRY MARK-4
+	{0xA82C, 0xA82C, prN},     // Mn         SYLOTI NAGRI SIGN ALTERNATE HASANTA
+	{0xA830, 0xA835, prN},     // No     [6] NORTH INDIC FRACTION ONE QUARTER..NORTH INDIC FRACTION THREE SIXTEENTHS
+	{0xA836, 0xA837, prN},     // So     [2] NORTH INDIC QUARTER MARK..NORTH INDIC PLACEHOLDER MARK
+	{0xA838, 0xA838, prN},     // Sc         NORTH INDIC RUPEE MARK
+	{0xA839, 0xA839, prN},     // So         NORTH INDIC QUANTITY MARK
+	{0xA840, 0xA873, prN},     // Lo    [52] PHAGS-PA LETTER KA..PHAGS-PA LETTER CANDRABINDU
+	{0xA874, 0xA877, prN},     // Po     [4] PHAGS-PA SINGLE HEAD MARK..PHAGS-PA MARK DOUBLE SHAD
+	{0xA880, 0xA881, prN},     // Mc     [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA
+	{0xA882, 0xA8B3, prN},     // Lo    [50] SAURASHTRA LETTER A..SAURASHTRA LETTER LLA
+	{0xA8B4, 0xA8C3, prN},     // Mc    [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU
+	{0xA8C4, 0xA8C5, prN},     // Mn     [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU
+	{0xA8CE, 0xA8CF, prN},     // Po     [2] SAURASHTRA DANDA..SAURASHTRA DOUBLE DANDA
+	{0xA8D0, 0xA8D9, prN},     // Nd    [10] SAURASHTRA DIGIT ZERO..SAURASHTRA DIGIT NINE
+	{0xA8E0, 0xA8F1, prN},     // Mn    [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA
+	{0xA8F2, 0xA8F7, prN},     // Lo     [6] DEVANAGARI SIGN SPACING CANDRABINDU..DEVANAGARI SIGN CANDRABINDU AVAGRAHA
+	{0xA8F8, 0xA8FA, prN},     // Po     [3] DEVANAGARI SIGN PUSHPIKA..DEVANAGARI CARET
+	{0xA8FB, 0xA8FB, prN},     // Lo         DEVANAGARI HEADSTROKE
+	{0xA8FC, 0xA8FC, prN},     // Po         DEVANAGARI SIGN SIDDHAM
+	{0xA8FD, 0xA8FE, prN},     // Lo     [2] DEVANAGARI JAIN OM..DEVANAGARI LETTER AY
+	{0xA8FF, 0xA8FF, prN},     // Mn         DEVANAGARI VOWEL SIGN AY
+	{0xA900, 0xA909, prN},     // Nd    [10] KAYAH LI DIGIT ZERO..KAYAH LI DIGIT NINE
+	{0xA90A, 0xA925, prN},     // Lo    [28] KAYAH LI LETTER KA..KAYAH LI LETTER OO
+	{0xA926, 0xA92D, prN},     // Mn     [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU
+	{0xA92E, 0xA92F, prN},     // Po     [2] KAYAH LI SIGN CWI..KAYAH LI SIGN SHYA
+	{0xA930, 0xA946, prN},     // Lo    [23] REJANG LETTER KA..REJANG LETTER A
+	{0xA947, 0xA951, prN},     // Mn    [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R
+	{0xA952, 0xA953, prN},     // Mc     [2] REJANG CONSONANT SIGN H..REJANG VIRAMA
+	{0xA95F, 0xA95F, prN},     // Po         REJANG SECTION MARK
+	{0xA960, 0xA97C, prW},     // Lo    [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH
+	{0xA980, 0xA982, prN},     // Mn     [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR
+	{0xA983, 0xA983, prN},     // Mc         JAVANESE SIGN WIGNYAN
+	{0xA984, 0xA9B2, prN},     // Lo    [47] JAVANESE LETTER A..JAVANESE LETTER HA
+	{0xA9B3, 0xA9B3, prN},     // Mn         JAVANESE SIGN CECAK TELU
+	{0xA9B4, 0xA9B5, prN},     // Mc     [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG
+	{0xA9B6, 0xA9B9, prN},     // Mn     [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT
+	{0xA9BA, 0xA9BB, prN},     // Mc     [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE
+	{0xA9BC, 0xA9BD, prN},     // Mn     [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET
+	{0xA9BE, 0xA9C0, prN},     // Mc     [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON
+	{0xA9C1, 0xA9CD, prN},     // Po    [13] JAVANESE LEFT RERENGGAN..JAVANESE TURNED PADA PISELEH
+	{0xA9CF, 0xA9CF, prN},     // Lm         JAVANESE PANGRANGKEP
+	{0xA9D0, 0xA9D9, prN},     // Nd    [10] JAVANESE DIGIT ZERO..JAVANESE DIGIT NINE
+	{0xA9DE, 0xA9DF, prN},     // Po     [2] JAVANESE PADA TIRTA TUMETES..JAVANESE PADA ISEN-ISEN
+	{0xA9E0, 0xA9E4, prN},     // Lo     [5] MYANMAR LETTER SHAN GHA..MYANMAR LETTER SHAN BHA
+	{0xA9E5, 0xA9E5, prN},     // Mn         MYANMAR SIGN SHAN SAW
+	{0xA9E6, 0xA9E6, prN},     // Lm         MYANMAR MODIFIER LETTER SHAN REDUPLICATION
+	{0xA9E7, 0xA9EF, prN},     // Lo     [9] MYANMAR LETTER TAI LAING NYA..MYANMAR LETTER TAI LAING NNA
+	{0xA9F0, 0xA9F9, prN},     // Nd    [10] MYANMAR TAI LAING DIGIT ZERO..MYANMAR TAI LAING DIGIT NINE
+	{0xA9FA, 0xA9FE, prN},     // Lo     [5] MYANMAR LETTER TAI LAING LLA..MYANMAR LETTER TAI LAING BHA
+	{0xAA00, 0xAA28, prN},     // Lo    [41] CHAM LETTER A..CHAM LETTER HA
+	{0xAA29, 0xAA2E, prN},     // Mn     [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE
+	{0xAA2F, 0xAA30, prN},     // Mc     [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI
+	{0xAA31, 0xAA32, prN},     // Mn     [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE
+	{0xAA33, 0xAA34, prN},     // Mc     [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA
+	{0xAA35, 0xAA36, prN},     // Mn     [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA
+	{0xAA40, 0xAA42, prN},     // Lo     [3] CHAM LETTER FINAL K..CHAM LETTER FINAL NG
+	{0xAA43, 0xAA43, prN},     // Mn         CHAM CONSONANT SIGN FINAL NG
+	{0xAA44, 0xAA4B, prN},     // Lo     [8] CHAM LETTER FINAL CH..CHAM LETTER FINAL SS
+	{0xAA4C, 0xAA4C, prN},     // Mn         CHAM CONSONANT SIGN FINAL M
+	{0xAA4D, 0xAA4D, prN},     // Mc         CHAM CONSONANT SIGN FINAL H
+	{0xAA50, 0xAA59, prN},     // Nd    [10] CHAM DIGIT ZERO..CHAM DIGIT NINE
+	{0xAA5C, 0xAA5F, prN},     // Po     [4] CHAM PUNCTUATION SPIRAL..CHAM PUNCTUATION TRIPLE DANDA
+	{0xAA60, 0xAA6F, prN},     // Lo    [16] MYANMAR LETTER KHAMTI GA..MYANMAR LETTER KHAMTI FA
+	{0xAA70, 0xAA70, prN},     // Lm         MYANMAR MODIFIER LETTER KHAMTI REDUPLICATION
+	{0xAA71, 0xAA76, prN},     // Lo     [6] MYANMAR LETTER KHAMTI XA..MYANMAR LOGOGRAM KHAMTI HM
+	{0xAA77, 0xAA79, prN},     // So     [3] MYANMAR SYMBOL AITON EXCLAMATION..MYANMAR SYMBOL AITON TWO
+	{0xAA7A, 0xAA7A, prN},     // Lo         MYANMAR LETTER AITON RA
+	{0xAA7B, 0xAA7B, prN},     // Mc         MYANMAR SIGN PAO KAREN TONE
+	{0xAA7C, 0xAA7C, prN},     // Mn         MYANMAR SIGN TAI LAING TONE-2
+	{0xAA7D, 0xAA7D, prN},     // Mc         MYANMAR SIGN TAI LAING TONE-5
+	{0xAA7E, 0xAA7F, prN},     // Lo     [2] MYANMAR LETTER SHWE PALAUNG CHA..MYANMAR LETTER SHWE PALAUNG SHA
+	{0xAA80, 0xAAAF, prN},     // Lo    [48] TAI VIET LETTER LOW KO..TAI VIET LETTER HIGH O
+	{0xAAB0, 0xAAB0, prN},     // Mn         TAI VIET MAI KANG
+	{0xAAB1, 0xAAB1, prN},     // Lo         TAI VIET VOWEL AA
+	{0xAAB2, 0xAAB4, prN},     // Mn     [3] TAI VIET VOWEL I..TAI VIET VOWEL U
+	{0xAAB5, 0xAAB6, prN},     // Lo     [2] TAI VIET VOWEL E..TAI VIET VOWEL O
+	{0xAAB7, 0xAAB8, prN},     // Mn     [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA
+	{0xAAB9, 0xAABD, prN},     // Lo     [5] TAI VIET VOWEL UEA..TAI VIET VOWEL AN
+	{0xAABE, 0xAABF, prN},     // Mn     [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK
+	{0xAAC0, 0xAAC0, prN},     // Lo         TAI VIET TONE MAI NUENG
+	{0xAAC1, 0xAAC1, prN},     // Mn         TAI VIET TONE MAI THO
+	{0xAAC2, 0xAAC2, prN},     // Lo         TAI VIET TONE MAI SONG
+	{0xAADB, 0xAADC, prN},     // Lo     [2] TAI VIET SYMBOL KON..TAI VIET SYMBOL NUENG
+	{0xAADD, 0xAADD, prN},     // Lm         TAI VIET SYMBOL SAM
+	{0xAADE, 0xAADF, prN},     // Po     [2] TAI VIET SYMBOL HO HOI..TAI VIET SYMBOL KOI KOI
+	{0xAAE0, 0xAAEA, prN},     // Lo    [11] MEETEI MAYEK LETTER E..MEETEI MAYEK LETTER SSA
+	{0xAAEB, 0xAAEB, prN},     // Mc         MEETEI MAYEK VOWEL SIGN II
+	{0xAAEC, 0xAAED, prN},     // Mn     [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI
+	{0xAAEE, 0xAAEF, prN},     // Mc     [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU
+	{0xAAF0, 0xAAF1, prN},     // Po     [2] MEETEI MAYEK CHEIKHAN..MEETEI MAYEK AHANG KHUDAM
+	{0xAAF2, 0xAAF2, prN},     // Lo         MEETEI MAYEK ANJI
+	{0xAAF3, 0xAAF4, prN},     // Lm     [2] MEETEI MAYEK SYLLABLE REPETITION MARK..MEETEI MAYEK WORD REPETITION MARK
+	{0xAAF5, 0xAAF5, prN},     // Mc         MEETEI MAYEK VOWEL SIGN VISARGA
+	{0xAAF6, 0xAAF6, prN},     // Mn         MEETEI MAYEK VIRAMA
+	{0xAB01, 0xAB06, prN},     // Lo     [6] ETHIOPIC SYLLABLE TTHU..ETHIOPIC SYLLABLE TTHO
+	{0xAB09, 0xAB0E, prN},     // Lo     [6] ETHIOPIC SYLLABLE DDHU..ETHIOPIC SYLLABLE DDHO
+	{0xAB11, 0xAB16, prN},     // Lo     [6] ETHIOPIC SYLLABLE DZU..ETHIOPIC SYLLABLE DZO
+	{0xAB20, 0xAB26, prN},     // Lo     [7] ETHIOPIC SYLLABLE CCHHA..ETHIOPIC SYLLABLE CCHHO
+	{0xAB28, 0xAB2E, prN},     // Lo     [7] ETHIOPIC SYLLABLE BBA..ETHIOPIC SYLLABLE BBO
+	{0xAB30, 0xAB5A, prN},     // Ll    [43] LATIN SMALL LETTER BARRED ALPHA..LATIN SMALL LETTER Y WITH SHORT RIGHT LEG
+	{0xAB5B, 0xAB5B, prN},     // Sk         MODIFIER BREVE WITH INVERTED BREVE
+	{0xAB5C, 0xAB5F, prN},     // Lm     [4] MODIFIER LETTER SMALL HENG..MODIFIER LETTER SMALL U WITH LEFT HOOK
+	{0xAB60, 0xAB68, prN},     // Ll     [9] LATIN SMALL LETTER SAKHA YAT..LATIN SMALL LETTER TURNED R WITH MIDDLE TILDE
+	{0xAB69, 0xAB69, prN},     // Lm         MODIFIER LETTER SMALL TURNED W
+	{0xAB6A, 0xAB6B, prN},     // Sk     [2] MODIFIER LETTER LEFT TACK..MODIFIER LETTER RIGHT TACK
+	{0xAB70, 0xABBF, prN},     // Ll    [80] CHEROKEE SMALL LETTER A..CHEROKEE SMALL LETTER YA
+	{0xABC0, 0xABE2, prN},     // Lo    [35] MEETEI MAYEK LETTER KOK..MEETEI MAYEK LETTER I LONSUM
+	{0xABE3, 0xABE4, prN},     // Mc     [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP
+	{0xABE5, 0xABE5, prN},     // Mn         MEETEI MAYEK VOWEL SIGN ANAP
+	{0xABE6, 0xABE7, prN},     // Mc     [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP
+	{0xABE8, 0xABE8, prN},     // Mn         MEETEI MAYEK VOWEL SIGN UNAP
+	{0xABE9, 0xABEA, prN},     // Mc     [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG
+	{0xABEB, 0xABEB, prN},     // Po         MEETEI MAYEK CHEIKHEI
+	{0xABEC, 0xABEC, prN},     // Mc         MEETEI MAYEK LUM IYEK
+	{0xABED, 0xABED, prN},     // Mn         MEETEI MAYEK APUN IYEK
+	{0xABF0, 0xABF9, prN},     // Nd    [10] MEETEI MAYEK DIGIT ZERO..MEETEI MAYEK DIGIT NINE
+	{0xAC00, 0xD7A3, prW},     // Lo [11172] HANGUL SYLLABLE GA..HANGUL SYLLABLE HIH
+	{0xD7B0, 0xD7C6, prN},     // Lo    [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E
+	{0xD7CB, 0xD7FB, prN},     // Lo    [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH
+	{0xD800, 0xDB7F, prN},     // Cs   [896] <surrogate-D800>..<surrogate-DB7F>
+	{0xDB80, 0xDBFF, prN},     // Cs   [128] <surrogate-DB80>..<surrogate-DBFF>
+	{0xDC00, 0xDFFF, prN},     // Cs  [1024] <surrogate-DC00>..<surrogate-DFFF>
+	{0xE000, 0xF8FF, prA},     // Co  [6400] <private-use-E000>..<private-use-F8FF>
+	{0xF900, 0xFA6D, prW},     // Lo   [366] CJK COMPATIBILITY IDEOGRAPH-F900..CJK COMPATIBILITY IDEOGRAPH-FA6D
+	{0xFA6E, 0xFA6F, prW},     // Cn     [2] <reserved-FA6E>..<reserved-FA6F>
+	{0xFA70, 0xFAD9, prW},     // Lo   [106] CJK COMPATIBILITY IDEOGRAPH-FA70..CJK COMPATIBILITY IDEOGRAPH-FAD9
+	{0xFADA, 0xFAFF, prW},     // Cn    [38] <reserved-FADA>..<reserved-FAFF>
+	{0xFB00, 0xFB06, prN},     // Ll     [7] LATIN SMALL LIGATURE FF..LATIN SMALL LIGATURE ST
+	{0xFB13, 0xFB17, prN},     // Ll     [5] ARMENIAN SMALL LIGATURE MEN NOW..ARMENIAN SMALL LIGATURE MEN XEH
+	{0xFB1D, 0xFB1D, prN},     // Lo         HEBREW LETTER YOD WITH HIRIQ
+	{0xFB1E, 0xFB1E, prN},     // Mn         HEBREW POINT JUDEO-SPANISH VARIKA
+	{0xFB1F, 0xFB28, prN},     // Lo    [10] HEBREW LIGATURE YIDDISH YOD YOD PATAH..HEBREW LETTER WIDE TAV
+	{0xFB29, 0xFB29, prN},     // Sm         HEBREW LETTER ALTERNATIVE PLUS SIGN
+	{0xFB2A, 0xFB36, prN},     // Lo    [13] HEBREW LETTER SHIN WITH SHIN DOT..HEBREW LETTER ZAYIN WITH DAGESH
+	{0xFB38, 0xFB3C, prN},     // Lo     [5] HEBREW LETTER TET WITH DAGESH..HEBREW LETTER LAMED WITH DAGESH
+	{0xFB3E, 0xFB3E, prN},     // Lo         HEBREW LETTER MEM WITH DAGESH
+	{0xFB40, 0xFB41, prN},     // Lo     [2] HEBREW LETTER NUN WITH DAGESH..HEBREW LETTER SAMEKH WITH DAGESH
+	{0xFB43, 0xFB44, prN},     // Lo     [2] HEBREW LETTER FINAL PE WITH DAGESH..HEBREW LETTER PE WITH DAGESH
+	{0xFB46, 0xFB4F, prN},     // Lo    [10] HEBREW LETTER TSADI WITH DAGESH..HEBREW LIGATURE ALEF LAMED
+	{0xFB50, 0xFBB1, prN},     // Lo    [98] ARABIC LETTER ALEF WASLA ISOLATED FORM..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE FINAL FORM
+	{0xFBB2, 0xFBC2, prN},     // Sk    [17] ARABIC SYMBOL DOT ABOVE..ARABIC SYMBOL WASLA ABOVE
+	{0xFBD3, 0xFD3D, prN},     // Lo   [363] ARABIC LETTER NG ISOLATED FORM..ARABIC LIGATURE ALEF WITH FATHATAN ISOLATED FORM
+	{0xFD3E, 0xFD3E, prN},     // Pe         ORNATE LEFT PARENTHESIS
+	{0xFD3F, 0xFD3F, prN},     // Ps         ORNATE RIGHT PARENTHESIS
+	{0xFD40, 0xFD4F, prN},     // So    [16] ARABIC LIGATURE RAHIMAHU ALLAAH..ARABIC LIGATURE RAHIMAHUM ALLAAH
+	{0xFD50, 0xFD8F, prN},     // Lo    [64] ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM..ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM
+	{0xFD92, 0xFDC7, prN},     // Lo    [54] ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM..ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM
+	{0xFDCF, 0xFDCF, prN},     // So         ARABIC LIGATURE SALAAMUHU ALAYNAA
+	{0xFDF0, 0xFDFB, prN},     // Lo    [12] ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM..ARABIC LIGATURE JALLAJALALOUHOU
+	{0xFDFC, 0xFDFC, prN},     // Sc         RIAL SIGN
+	{0xFDFD, 0xFDFF, prN},     // So     [3] ARABIC LIGATURE BISMILLAH AR-RAHMAN AR-RAHEEM..ARABIC LIGATURE AZZA WA JALL
+	{0xFE00, 0xFE0F, prA},     // Mn    [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16
+	{0xFE10, 0xFE16, prW},     // Po     [7] PRESENTATION FORM FOR VERTICAL COMMA..PRESENTATION FORM FOR VERTICAL QUESTION MARK
+	{0xFE17, 0xFE17, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT WHITE LENTICULAR BRACKET
+	{0xFE18, 0xFE18, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT WHITE LENTICULAR BRAKCET
+	{0xFE19, 0xFE19, prW},     // Po         PRESENTATION FORM FOR VERTICAL HORIZONTAL ELLIPSIS
+	{0xFE20, 0xFE2F, prN},     // Mn    [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF
+	{0xFE30, 0xFE30, prW},     // Po         PRESENTATION FORM FOR VERTICAL TWO DOT LEADER
+	{0xFE31, 0xFE32, prW},     // Pd     [2] PRESENTATION FORM FOR VERTICAL EM DASH..PRESENTATION FORM FOR VERTICAL EN DASH
+	{0xFE33, 0xFE34, prW},     // Pc     [2] PRESENTATION FORM FOR VERTICAL LOW LINE..PRESENTATION FORM FOR VERTICAL WAVY LOW LINE
+	{0xFE35, 0xFE35, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT PARENTHESIS
+	{0xFE36, 0xFE36, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT PARENTHESIS
+	{0xFE37, 0xFE37, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT CURLY BRACKET
+	{0xFE38, 0xFE38, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT CURLY BRACKET
+	{0xFE39, 0xFE39, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT TORTOISE SHELL BRACKET
+	{0xFE3A, 0xFE3A, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT TORTOISE SHELL BRACKET
+	{0xFE3B, 0xFE3B, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT BLACK LENTICULAR BRACKET
+	{0xFE3C, 0xFE3C, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT BLACK LENTICULAR BRACKET
+	{0xFE3D, 0xFE3D, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT DOUBLE ANGLE BRACKET
+	{0xFE3E, 0xFE3E, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT DOUBLE ANGLE BRACKET
+	{0xFE3F, 0xFE3F, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT ANGLE BRACKET
+	{0xFE40, 0xFE40, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT ANGLE BRACKET
+	{0xFE41, 0xFE41, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT CORNER BRACKET
+	{0xFE42, 0xFE42, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT CORNER BRACKET
+	{0xFE43, 0xFE43, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT WHITE CORNER BRACKET
+	{0xFE44, 0xFE44, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT WHITE CORNER BRACKET
+	{0xFE45, 0xFE46, prW},     // Po     [2] SESAME DOT..WHITE SESAME DOT
+	{0xFE47, 0xFE47, prW},     // Ps         PRESENTATION FORM FOR VERTICAL LEFT SQUARE BRACKET
+	{0xFE48, 0xFE48, prW},     // Pe         PRESENTATION FORM FOR VERTICAL RIGHT SQUARE BRACKET
+	{0xFE49, 0xFE4C, prW},     // Po     [4] DASHED OVERLINE..DOUBLE WAVY OVERLINE
+	{0xFE4D, 0xFE4F, prW},     // Pc     [3] DASHED LOW LINE..WAVY LOW LINE
+	{0xFE50, 0xFE52, prW},     // Po     [3] SMALL COMMA..SMALL FULL STOP
+	{0xFE54, 0xFE57, prW},     // Po     [4] SMALL SEMICOLON..SMALL EXCLAMATION MARK
+	{0xFE58, 0xFE58, prW},     // Pd         SMALL EM DASH
+	{0xFE59, 0xFE59, prW},     // Ps         SMALL LEFT PARENTHESIS
+	{0xFE5A, 0xFE5A, prW},     // Pe         SMALL RIGHT PARENTHESIS
+	{0xFE5B, 0xFE5B, prW},     // Ps         SMALL LEFT CURLY BRACKET
+	{0xFE5C, 0xFE5C, prW},     // Pe         SMALL RIGHT CURLY BRACKET
+	{0xFE5D, 0xFE5D, prW},     // Ps         SMALL LEFT TORTOISE SHELL BRACKET
+	{0xFE5E, 0xFE5E, prW},     // Pe         SMALL RIGHT TORTOISE SHELL BRACKET
+	{0xFE5F, 0xFE61, prW},     // Po     [3] SMALL NUMBER SIGN..SMALL ASTERISK
+	{0xFE62, 0xFE62, prW},     // Sm         SMALL PLUS SIGN
+	{0xFE63, 0xFE63, prW},     // Pd         SMALL HYPHEN-MINUS
+	{0xFE64, 0xFE66, prW},     // Sm     [3] SMALL LESS-THAN SIGN..SMALL EQUALS SIGN
+	{0xFE68, 0xFE68, prW},     // Po         SMALL REVERSE SOLIDUS
+	{0xFE69, 0xFE69, prW},     // Sc         SMALL DOLLAR SIGN
+	{0xFE6A, 0xFE6B, prW},     // Po     [2] SMALL PERCENT SIGN..SMALL COMMERCIAL AT
+	{0xFE70, 0xFE74, prN},     // Lo     [5] ARABIC FATHATAN ISOLATED FORM..ARABIC KASRATAN ISOLATED FORM
+	{0xFE76, 0xFEFC, prN},     // Lo   [135] ARABIC FATHA ISOLATED FORM..ARABIC LIGATURE LAM WITH ALEF FINAL FORM
+	{0xFEFF, 0xFEFF, prN},     // Cf         ZERO WIDTH NO-BREAK SPACE
+	{0xFF01, 0xFF03, prF},     // Po     [3] FULLWIDTH EXCLAMATION MARK..FULLWIDTH NUMBER SIGN
+	{0xFF04, 0xFF04, prF},     // Sc         FULLWIDTH DOLLAR SIGN
+	{0xFF05, 0xFF07, prF},     // Po     [3] FULLWIDTH PERCENT SIGN..FULLWIDTH APOSTROPHE
+	{0xFF08, 0xFF08, prF},     // Ps         FULLWIDTH LEFT PARENTHESIS
+	{0xFF09, 0xFF09, prF},     // Pe         FULLWIDTH RIGHT PARENTHESIS
+	{0xFF0A, 0xFF0A, prF},     // Po         FULLWIDTH ASTERISK
+	{0xFF0B, 0xFF0B, prF},     // Sm         FULLWIDTH PLUS SIGN
+	{0xFF0C, 0xFF0C, prF},     // Po         FULLWIDTH COMMA
+	{0xFF0D, 0xFF0D, prF},     // Pd         FULLWIDTH HYPHEN-MINUS
+	{0xFF0E, 0xFF0F, prF},     // Po     [2] FULLWIDTH FULL STOP..FULLWIDTH SOLIDUS
+	{0xFF10, 0xFF19, prF},     // Nd    [10] FULLWIDTH DIGIT ZERO..FULLWIDTH DIGIT NINE
+	{0xFF1A, 0xFF1B, prF},     // Po     [2] FULLWIDTH COLON..FULLWIDTH SEMICOLON
+	{0xFF1C, 0xFF1E, prF},     // Sm     [3] FULLWIDTH LESS-THAN SIGN..FULLWIDTH GREATER-THAN SIGN
+	{0xFF1F, 0xFF20, prF},     // Po     [2] FULLWIDTH QUESTION MARK..FULLWIDTH COMMERCIAL AT
+	{0xFF21, 0xFF3A, prF},     // Lu    [26] FULLWIDTH LATIN CAPITAL LETTER A..FULLWIDTH LATIN CAPITAL LETTER Z
+	{0xFF3B, 0xFF3B, prF},     // Ps         FULLWIDTH LEFT SQUARE BRACKET
+	{0xFF3C, 0xFF3C, prF},     // Po         FULLWIDTH REVERSE SOLIDUS
+	{0xFF3D, 0xFF3D, prF},     // Pe         FULLWIDTH RIGHT SQUARE BRACKET
+	{0xFF3E, 0xFF3E, prF},     // Sk         FULLWIDTH CIRCUMFLEX ACCENT
+	{0xFF3F, 0xFF3F, prF},     // Pc         FULLWIDTH LOW LINE
+	{0xFF40, 0xFF40, prF},     // Sk         FULLWIDTH GRAVE ACCENT
+	{0xFF41, 0xFF5A, prF},     // Ll    [26] FULLWIDTH LATIN SMALL LETTER A..FULLWIDTH LATIN SMALL LETTER Z
+	{0xFF5B, 0xFF5B, prF},     // Ps         FULLWIDTH LEFT CURLY BRACKET
+	{0xFF5C, 0xFF5C, prF},     // Sm         FULLWIDTH VERTICAL LINE
+	{0xFF5D, 0xFF5D, prF},     // Pe         FULLWIDTH RIGHT CURLY BRACKET
+	{0xFF5E, 0xFF5E, prF},     // Sm         FULLWIDTH TILDE
+	{0xFF5F, 0xFF5F, prF},     // Ps         FULLWIDTH LEFT WHITE PARENTHESIS
+	{0xFF60, 0xFF60, prF},     // Pe         FULLWIDTH RIGHT WHITE PARENTHESIS
+	{0xFF61, 0xFF61, prH},     // Po         HALFWIDTH IDEOGRAPHIC FULL STOP
+	{0xFF62, 0xFF62, prH},     // Ps         HALFWIDTH LEFT CORNER BRACKET
+	{0xFF63, 0xFF63, prH},     // Pe         HALFWIDTH RIGHT CORNER BRACKET
+	{0xFF64, 0xFF65, prH},     // Po     [2] HALFWIDTH IDEOGRAPHIC COMMA..HALFWIDTH KATAKANA MIDDLE DOT
+	{0xFF66, 0xFF6F, prH},     // Lo    [10] HALFWIDTH KATAKANA LETTER WO..HALFWIDTH KATAKANA LETTER SMALL TU
+	{0xFF70, 0xFF70, prH},     // Lm         HALFWIDTH KATAKANA-HIRAGANA PROLONGED SOUND MARK
+	{0xFF71, 0xFF9D, prH},     // Lo    [45] HALFWIDTH KATAKANA LETTER A..HALFWIDTH KATAKANA LETTER N
+	{0xFF9E, 0xFF9F, prH},     // Lm     [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK
+	{0xFFA0, 0xFFBE, prH},     // Lo    [31] HALFWIDTH HANGUL FILLER..HALFWIDTH HANGUL LETTER HIEUH
+	{0xFFC2, 0xFFC7, prH},     // Lo     [6] HALFWIDTH HANGUL LETTER A..HALFWIDTH HANGUL LETTER E
+	{0xFFCA, 0xFFCF, prH},     // Lo     [6] HALFWIDTH HANGUL LETTER YEO..HALFWIDTH HANGUL LETTER OE
+	{0xFFD2, 0xFFD7, prH},     // Lo     [6] HALFWIDTH HANGUL LETTER YO..HALFWIDTH HANGUL LETTER YU
+	{0xFFDA, 0xFFDC, prH},     // Lo     [3] HALFWIDTH HANGUL LETTER EU..HALFWIDTH HANGUL LETTER I
+	{0xFFE0, 0xFFE1, prF},     // Sc     [2] FULLWIDTH CENT SIGN..FULLWIDTH POUND SIGN
+	{0xFFE2, 0xFFE2, prF},     // Sm         FULLWIDTH NOT SIGN
+	{0xFFE3, 0xFFE3, prF},     // Sk         FULLWIDTH MACRON
+	{0xFFE4, 0xFFE4, prF},     // So         FULLWIDTH BROKEN BAR
+	{0xFFE5, 0xFFE6, prF},     // Sc     [2] FULLWIDTH YEN SIGN..FULLWIDTH WON SIGN
+	{0xFFE8, 0xFFE8, prH},     // So         HALFWIDTH FORMS LIGHT VERTICAL
+	{0xFFE9, 0xFFEC, prH},     // Sm     [4] HALFWIDTH LEFTWARDS ARROW..HALFWIDTH DOWNWARDS ARROW
+	{0xFFED, 0xFFEE, prH},     // So     [2] HALFWIDTH BLACK SQUARE..HALFWIDTH WHITE CIRCLE
+	{0xFFF9, 0xFFFB, prN},     // Cf     [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR
+	{0xFFFC, 0xFFFC, prN},     // So         OBJECT REPLACEMENT CHARACTER
+	{0xFFFD, 0xFFFD, prA},     // So         REPLACEMENT CHARACTER
+	{0x10000, 0x1000B, prN},   // Lo    [12] LINEAR B SYLLABLE B008 A..LINEAR B SYLLABLE B046 JE
+	{0x1000D, 0x10026, prN},   // Lo    [26] LINEAR B SYLLABLE B036 JO..LINEAR B SYLLABLE B032 QO
+	{0x10028, 0x1003A, prN},   // Lo    [19] LINEAR B SYLLABLE B060 RA..LINEAR B SYLLABLE B042 WO
+	{0x1003C, 0x1003D, prN},   // Lo     [2] LINEAR B SYLLABLE B017 ZA..LINEAR B SYLLABLE B074 ZE
+	{0x1003F, 0x1004D, prN},   // Lo    [15] LINEAR B SYLLABLE B020 ZO..LINEAR B SYLLABLE B091 TWO
+	{0x10050, 0x1005D, prN},   // Lo    [14] LINEAR B SYMBOL B018..LINEAR B SYMBOL B089
+	{0x10080, 0x100FA, prN},   // Lo   [123] LINEAR B IDEOGRAM B100 MAN..LINEAR B IDEOGRAM VESSEL B305
+	{0x10100, 0x10102, prN},   // Po     [3] AEGEAN WORD SEPARATOR LINE..AEGEAN CHECK MARK
+	{0x10107, 0x10133, prN},   // No    [45] AEGEAN NUMBER ONE..AEGEAN NUMBER NINETY THOUSAND
+	{0x10137, 0x1013F, prN},   // So     [9] AEGEAN WEIGHT BASE UNIT..AEGEAN MEASURE THIRD SUBUNIT
+	{0x10140, 0x10174, prN},   // Nl    [53] GREEK ACROPHONIC ATTIC ONE QUARTER..GREEK ACROPHONIC STRATIAN FIFTY MNAS
+	{0x10175, 0x10178, prN},   // No     [4] GREEK ONE HALF SIGN..GREEK THREE QUARTERS SIGN
+	{0x10179, 0x10189, prN},   // So    [17] GREEK YEAR SIGN..GREEK TRYBLION BASE SIGN
+	{0x1018A, 0x1018B, prN},   // No     [2] GREEK ZERO SIGN..GREEK ONE QUARTER SIGN
+	{0x1018C, 0x1018E, prN},   // So     [3] GREEK SINUSOID SIGN..NOMISMA SIGN
+	{0x10190, 0x1019C, prN},   // So    [13] ROMAN SEXTANS SIGN..ASCIA SYMBOL
+	{0x101A0, 0x101A0, prN},   // So         GREEK SYMBOL TAU RHO
+	{0x101D0, 0x101FC, prN},   // So    [45] PHAISTOS DISC SIGN PEDESTRIAN..PHAISTOS DISC SIGN WAVY BAND
+	{0x101FD, 0x101FD, prN},   // Mn         PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE
+	{0x10280, 0x1029C, prN},   // Lo    [29] LYCIAN LETTER A..LYCIAN LETTER X
+	{0x102A0, 0x102D0, prN},   // Lo    [49] CARIAN LETTER A..CARIAN LETTER UUU3
+	{0x102E0, 0x102E0, prN},   // Mn         COPTIC EPACT THOUSANDS MARK
+	{0x102E1, 0x102FB, prN},   // No    [27] COPTIC EPACT DIGIT ONE..COPTIC EPACT NUMBER NINE HUNDRED
+	{0x10300, 0x1031F, prN},   // Lo    [32] OLD ITALIC LETTER A..OLD ITALIC LETTER ESS
+	{0x10320, 0x10323, prN},   // No     [4] OLD ITALIC NUMERAL ONE..OLD ITALIC NUMERAL FIFTY
+	{0x1032D, 0x1032F, prN},   // Lo     [3] OLD ITALIC LETTER YE..OLD ITALIC LETTER SOUTHERN TSE
+	{0x10330, 0x10340, prN},   // Lo    [17] GOTHIC LETTER AHSA..GOTHIC LETTER PAIRTHRA
+	{0x10341, 0x10341, prN},   // Nl         GOTHIC LETTER NINETY
+	{0x10342, 0x10349, prN},   // Lo     [8] GOTHIC LETTER RAIDA..GOTHIC LETTER OTHAL
+	{0x1034A, 0x1034A, prN},   // Nl         GOTHIC LETTER NINE HUNDRED
+	{0x10350, 0x10375, prN},   // Lo    [38] OLD PERMIC LETTER AN..OLD PERMIC LETTER IA
+	{0x10376, 0x1037A, prN},   // Mn     [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII
+	{0x10380, 0x1039D, prN},   // Lo    [30] UGARITIC LETTER ALPA..UGARITIC LETTER SSU
+	{0x1039F, 0x1039F, prN},   // Po         UGARITIC WORD DIVIDER
+	{0x103A0, 0x103C3, prN},   // Lo    [36] OLD PERSIAN SIGN A..OLD PERSIAN SIGN HA
+	{0x103C8, 0x103CF, prN},   // Lo     [8] OLD PERSIAN SIGN AURAMAZDAA..OLD PERSIAN SIGN BUUMISH
+	{0x103D0, 0x103D0, prN},   // Po         OLD PERSIAN WORD DIVIDER
+	{0x103D1, 0x103D5, prN},   // Nl     [5] OLD PERSIAN NUMBER ONE..OLD PERSIAN NUMBER HUNDRED
+	{0x10400, 0x1044F, prN},   // L&    [80] DESERET CAPITAL LETTER LONG I..DESERET SMALL LETTER EW
+	{0x10450, 0x1047F, prN},   // Lo    [48] SHAVIAN LETTER PEEP..SHAVIAN LETTER YEW
+	{0x10480, 0x1049D, prN},   // Lo    [30] OSMANYA LETTER ALEF..OSMANYA LETTER OO
+	{0x104A0, 0x104A9, prN},   // Nd    [10] OSMANYA DIGIT ZERO..OSMANYA DIGIT NINE
+	{0x104B0, 0x104D3, prN},   // Lu    [36] OSAGE CAPITAL LETTER A..OSAGE CAPITAL LETTER ZHA
+	{0x104D8, 0x104FB, prN},   // Ll    [36] OSAGE SMALL LETTER A..OSAGE SMALL LETTER ZHA
+	{0x10500, 0x10527, prN},   // Lo    [40] ELBASAN LETTER A..ELBASAN LETTER KHE
+	{0x10530, 0x10563, prN},   // Lo    [52] CAUCASIAN ALBANIAN LETTER ALT..CAUCASIAN ALBANIAN LETTER KIW
+	{0x1056F, 0x1056F, prN},   // Po         CAUCASIAN ALBANIAN CITATION MARK
+	{0x10570, 0x1057A, prN},   // Lu    [11] VITHKUQI CAPITAL LETTER A..VITHKUQI CAPITAL LETTER GA
+	{0x1057C, 0x1058A, prN},   // Lu    [15] VITHKUQI CAPITAL LETTER HA..VITHKUQI CAPITAL LETTER RE
+	{0x1058C, 0x10592, prN},   // Lu     [7] VITHKUQI CAPITAL LETTER SE..VITHKUQI CAPITAL LETTER XE
+	{0x10594, 0x10595, prN},   // Lu     [2] VITHKUQI CAPITAL LETTER Y..VITHKUQI CAPITAL LETTER ZE
+	{0x10597, 0x105A1, prN},   // Ll    [11] VITHKUQI SMALL LETTER A..VITHKUQI SMALL LETTER GA
+	{0x105A3, 0x105B1, prN},   // Ll    [15] VITHKUQI SMALL LETTER HA..VITHKUQI SMALL LETTER RE
+	{0x105B3, 0x105B9, prN},   // Ll     [7] VITHKUQI SMALL LETTER SE..VITHKUQI SMALL LETTER XE
+	{0x105BB, 0x105BC, prN},   // Ll     [2] VITHKUQI SMALL LETTER Y..VITHKUQI SMALL LETTER ZE
+	{0x10600, 0x10736, prN},   // Lo   [311] LINEAR A SIGN AB001..LINEAR A SIGN A664
+	{0x10740, 0x10755, prN},   // Lo    [22] LINEAR A SIGN A701 A..LINEAR A SIGN A732 JE
+	{0x10760, 0x10767, prN},   // Lo     [8] LINEAR A SIGN A800..LINEAR A SIGN A807
+	{0x10780, 0x10785, prN},   // Lm     [6] MODIFIER LETTER SMALL CAPITAL AA..MODIFIER LETTER SMALL B WITH HOOK
+	{0x10787, 0x107B0, prN},   // Lm    [42] MODIFIER LETTER SMALL DZ DIGRAPH..MODIFIER LETTER SMALL V WITH RIGHT HOOK
+	{0x107B2, 0x107BA, prN},   // Lm     [9] MODIFIER LETTER SMALL CAPITAL Y..MODIFIER LETTER SMALL S WITH CURL
+	{0x10800, 0x10805, prN},   // Lo     [6] CYPRIOT SYLLABLE A..CYPRIOT SYLLABLE JA
+	{0x10808, 0x10808, prN},   // Lo         CYPRIOT SYLLABLE JO
+	{0x1080A, 0x10835, prN},   // Lo    [44] CYPRIOT SYLLABLE KA..CYPRIOT SYLLABLE WO
+	{0x10837, 0x10838, prN},   // Lo     [2] CYPRIOT SYLLABLE XA..CYPRIOT SYLLABLE XE
+	{0x1083C, 0x1083C, prN},   // Lo         CYPRIOT SYLLABLE ZA
+	{0x1083F, 0x1083F, prN},   // Lo         CYPRIOT SYLLABLE ZO
+	{0x10840, 0x10855, prN},   // Lo    [22] IMPERIAL ARAMAIC LETTER ALEPH..IMPERIAL ARAMAIC LETTER TAW
+	{0x10857, 0x10857, prN},   // Po         IMPERIAL ARAMAIC SECTION SIGN
+	{0x10858, 0x1085F, prN},   // No     [8] IMPERIAL ARAMAIC NUMBER ONE..IMPERIAL ARAMAIC NUMBER TEN THOUSAND
+	{0x10860, 0x10876, prN},   // Lo    [23] PALMYRENE LETTER ALEPH..PALMYRENE LETTER TAW
+	{0x10877, 0x10878, prN},   // So     [2] PALMYRENE LEFT-POINTING FLEURON..PALMYRENE RIGHT-POINTING FLEURON
+	{0x10879, 0x1087F, prN},   // No     [7] PALMYRENE NUMBER ONE..PALMYRENE NUMBER TWENTY
+	{0x10880, 0x1089E, prN},   // Lo    [31] NABATAEAN LETTER FINAL ALEPH..NABATAEAN LETTER TAW
+	{0x108A7, 0x108AF, prN},   // No     [9] NABATAEAN NUMBER ONE..NABATAEAN NUMBER ONE HUNDRED
+	{0x108E0, 0x108F2, prN},   // Lo    [19] HATRAN LETTER ALEPH..HATRAN LETTER QOPH
+	{0x108F4, 0x108F5, prN},   // Lo     [2] HATRAN LETTER SHIN..HATRAN LETTER TAW
+	{0x108FB, 0x108FF, prN},   // No     [5] HATRAN NUMBER ONE..HATRAN NUMBER ONE HUNDRED
+	{0x10900, 0x10915, prN},   // Lo    [22] PHOENICIAN LETTER ALF..PHOENICIAN LETTER TAU
+	{0x10916, 0x1091B, prN},   // No     [6] PHOENICIAN NUMBER ONE..PHOENICIAN NUMBER THREE
+	{0x1091F, 0x1091F, prN},   // Po         PHOENICIAN WORD SEPARATOR
+	{0x10920, 0x10939, prN},   // Lo    [26] LYDIAN LETTER A..LYDIAN LETTER C
+	{0x1093F, 0x1093F, prN},   // Po         LYDIAN TRIANGULAR MARK
+	{0x10980, 0x1099F, prN},   // Lo    [32] MEROITIC HIEROGLYPHIC LETTER A..MEROITIC HIEROGLYPHIC SYMBOL VIDJ-2
+	{0x109A0, 0x109B7, prN},   // Lo    [24] MEROITIC CURSIVE LETTER A..MEROITIC CURSIVE LETTER DA
+	{0x109BC, 0x109BD, prN},   // No     [2] MEROITIC CURSIVE FRACTION ELEVEN TWELFTHS..MEROITIC CURSIVE FRACTION ONE HALF
+	{0x109BE, 0x109BF, prN},   // Lo     [2] MEROITIC CURSIVE LOGOGRAM RMT..MEROITIC CURSIVE LOGOGRAM IMN
+	{0x109C0, 0x109CF, prN},   // No    [16] MEROITIC CURSIVE NUMBER ONE..MEROITIC CURSIVE NUMBER SEVENTY
+	{0x109D2, 0x109FF, prN},   // No    [46] MEROITIC CURSIVE NUMBER ONE HUNDRED..MEROITIC CURSIVE FRACTION TEN TWELFTHS
+	{0x10A00, 0x10A00, prN},   // Lo         KHAROSHTHI LETTER A
+	{0x10A01, 0x10A03, prN},   // Mn     [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R
+	{0x10A05, 0x10A06, prN},   // Mn     [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O
+	{0x10A0C, 0x10A0F, prN},   // Mn     [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA
+	{0x10A10, 0x10A13, prN},   // Lo     [4] KHAROSHTHI LETTER KA..KHAROSHTHI LETTER GHA
+	{0x10A15, 0x10A17, prN},   // Lo     [3] KHAROSHTHI LETTER CA..KHAROSHTHI LETTER JA
+	{0x10A19, 0x10A35, prN},   // Lo    [29] KHAROSHTHI LETTER NYA..KHAROSHTHI LETTER VHA
+	{0x10A38, 0x10A3A, prN},   // Mn     [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW
+	{0x10A3F, 0x10A3F, prN},   // Mn         KHAROSHTHI VIRAMA
+	{0x10A40, 0x10A48, prN},   // No     [9] KHAROSHTHI DIGIT ONE..KHAROSHTHI FRACTION ONE HALF
+	{0x10A50, 0x10A58, prN},   // Po     [9] KHAROSHTHI PUNCTUATION DOT..KHAROSHTHI PUNCTUATION LINES
+	{0x10A60, 0x10A7C, prN},   // Lo    [29] OLD SOUTH ARABIAN LETTER HE..OLD SOUTH ARABIAN LETTER THETH
+	{0x10A7D, 0x10A7E, prN},   // No     [2] OLD SOUTH ARABIAN NUMBER ONE..OLD SOUTH ARABIAN NUMBER FIFTY
+	{0x10A7F, 0x10A7F, prN},   // Po         OLD SOUTH ARABIAN NUMERIC INDICATOR
+	{0x10A80, 0x10A9C, prN},   // Lo    [29] OLD NORTH ARABIAN LETTER HEH..OLD NORTH ARABIAN LETTER ZAH
+	{0x10A9D, 0x10A9F, prN},   // No     [3] OLD NORTH ARABIAN NUMBER ONE..OLD NORTH ARABIAN NUMBER TWENTY
+	{0x10AC0, 0x10AC7, prN},   // Lo     [8] MANICHAEAN LETTER ALEPH..MANICHAEAN LETTER WAW
+	{0x10AC8, 0x10AC8, prN},   // So         MANICHAEAN SIGN UD
+	{0x10AC9, 0x10AE4, prN},   // Lo    [28] MANICHAEAN LETTER ZAYIN..MANICHAEAN LETTER TAW
+	{0x10AE5, 0x10AE6, prN},   // Mn     [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW
+	{0x10AEB, 0x10AEF, prN},   // No     [5] MANICHAEAN NUMBER ONE..MANICHAEAN NUMBER ONE HUNDRED
+	{0x10AF0, 0x10AF6, prN},   // Po     [7] MANICHAEAN PUNCTUATION STAR..MANICHAEAN PUNCTUATION LINE FILLER
+	{0x10B00, 0x10B35, prN},   // Lo    [54] AVESTAN LETTER A..AVESTAN LETTER HE
+	{0x10B39, 0x10B3F, prN},   // Po     [7] AVESTAN ABBREVIATION MARK..LARGE ONE RING OVER TWO RINGS PUNCTUATION
+	{0x10B40, 0x10B55, prN},   // Lo    [22] INSCRIPTIONAL PARTHIAN LETTER ALEPH..INSCRIPTIONAL PARTHIAN LETTER TAW
+	{0x10B58, 0x10B5F, prN},   // No     [8] INSCRIPTIONAL PARTHIAN NUMBER ONE..INSCRIPTIONAL PARTHIAN NUMBER ONE THOUSAND
+	{0x10B60, 0x10B72, prN},   // Lo    [19] INSCRIPTIONAL PAHLAVI LETTER ALEPH..INSCRIPTIONAL PAHLAVI LETTER TAW
+	{0x10B78, 0x10B7F, prN},   // No     [8] INSCRIPTIONAL PAHLAVI NUMBER ONE..INSCRIPTIONAL PAHLAVI NUMBER ONE THOUSAND
+	{0x10B80, 0x10B91, prN},   // Lo    [18] PSALTER PAHLAVI LETTER ALEPH..PSALTER PAHLAVI LETTER TAW
+	{0x10B99, 0x10B9C, prN},   // Po     [4] PSALTER PAHLAVI SECTION MARK..PSALTER PAHLAVI FOUR DOTS WITH DOT
+	{0x10BA9, 0x10BAF, prN},   // No     [7] PSALTER PAHLAVI NUMBER ONE..PSALTER PAHLAVI NUMBER ONE HUNDRED
+	{0x10C00, 0x10C48, prN},   // Lo    [73] OLD TURKIC LETTER ORKHON A..OLD TURKIC LETTER ORKHON BASH
+	{0x10C80, 0x10CB2, prN},   // Lu    [51] OLD HUNGARIAN CAPITAL LETTER A..OLD HUNGARIAN CAPITAL LETTER US
+	{0x10CC0, 0x10CF2, prN},   // Ll    [51] OLD HUNGARIAN SMALL LETTER A..OLD HUNGARIAN SMALL LETTER US
+	{0x10CFA, 0x10CFF, prN},   // No     [6] OLD HUNGARIAN NUMBER ONE..OLD HUNGARIAN NUMBER ONE THOUSAND
+	{0x10D00, 0x10D23, prN},   // Lo    [36] HANIFI ROHINGYA LETTER A..HANIFI ROHINGYA MARK NA KHONNA
+	{0x10D24, 0x10D27, prN},   // Mn     [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI
+	{0x10D30, 0x10D39, prN},   // Nd    [10] HANIFI ROHINGYA DIGIT ZERO..HANIFI ROHINGYA DIGIT NINE
+	{0x10E60, 0x10E7E, prN},   // No    [31] RUMI DIGIT ONE..RUMI FRACTION TWO THIRDS
+	{0x10E80, 0x10EA9, prN},   // Lo    [42] YEZIDI LETTER ELIF..YEZIDI LETTER ET
+	{0x10EAB, 0x10EAC, prN},   // Mn     [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK
+	{0x10EAD, 0x10EAD, prN},   // Pd         YEZIDI HYPHENATION MARK
+	{0x10EB0, 0x10EB1, prN},   // Lo     [2] YEZIDI LETTER LAM WITH DOT ABOVE..YEZIDI LETTER YOT WITH CIRCUMFLEX ABOVE
+	{0x10EFD, 0x10EFF, prN},   // Mn     [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA
+	{0x10F00, 0x10F1C, prN},   // Lo    [29] OLD SOGDIAN LETTER ALEPH..OLD SOGDIAN LETTER FINAL TAW WITH VERTICAL TAIL
+	{0x10F1D, 0x10F26, prN},   // No    [10] OLD SOGDIAN NUMBER ONE..OLD SOGDIAN FRACTION ONE HALF
+	{0x10F27, 0x10F27, prN},   // Lo         OLD SOGDIAN LIGATURE AYIN-DALETH
+	{0x10F30, 0x10F45, prN},   // Lo    [22] SOGDIAN LETTER ALEPH..SOGDIAN INDEPENDENT SHIN
+	{0x10F46, 0x10F50, prN},   // Mn    [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW
+	{0x10F51, 0x10F54, prN},   // No     [4] SOGDIAN NUMBER ONE..SOGDIAN NUMBER ONE HUNDRED
+	{0x10F55, 0x10F59, prN},   // Po     [5] SOGDIAN PUNCTUATION TWO VERTICAL BARS..SOGDIAN PUNCTUATION HALF CIRCLE WITH DOT
+	{0x10F70, 0x10F81, prN},   // Lo    [18] OLD UYGHUR LETTER ALEPH..OLD UYGHUR LETTER LESH
+	{0x10F82, 0x10F85, prN},   // Mn     [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW
+	{0x10F86, 0x10F89, prN},   // Po     [4] OLD UYGHUR PUNCTUATION BAR..OLD UYGHUR PUNCTUATION FOUR DOTS
+	{0x10FB0, 0x10FC4, prN},   // Lo    [21] CHORASMIAN LETTER ALEPH..CHORASMIAN LETTER TAW
+	{0x10FC5, 0x10FCB, prN},   // No     [7] CHORASMIAN NUMBER ONE..CHORASMIAN NUMBER ONE HUNDRED
+	{0x10FE0, 0x10FF6, prN},   // Lo    [23] ELYMAIC LETTER ALEPH..ELYMAIC LIGATURE ZAYIN-YODH
+	{0x11000, 0x11000, prN},   // Mc         BRAHMI SIGN CANDRABINDU
+	{0x11001, 0x11001, prN},   // Mn         BRAHMI SIGN ANUSVARA
+	{0x11002, 0x11002, prN},   // Mc         BRAHMI SIGN VISARGA
+	{0x11003, 0x11037, prN},   // Lo    [53] BRAHMI SIGN JIHVAMULIYA..BRAHMI LETTER OLD TAMIL NNNA
+	{0x11038, 0x11046, prN},   // Mn    [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA
+	{0x11047, 0x1104D, prN},   // Po     [7] BRAHMI DANDA..BRAHMI PUNCTUATION LOTUS
+	{0x11052, 0x11065, prN},   // No    [20] BRAHMI NUMBER ONE..BRAHMI NUMBER ONE THOUSAND
+	{0x11066, 0x1106F, prN},   // Nd    [10] BRAHMI DIGIT ZERO..BRAHMI DIGIT NINE
+	{0x11070, 0x11070, prN},   // Mn         BRAHMI SIGN OLD TAMIL VIRAMA
+	{0x11071, 0x11072, prN},   // Lo     [2] BRAHMI LETTER OLD TAMIL SHORT E..BRAHMI LETTER OLD TAMIL SHORT O
+	{0x11073, 0x11074, prN},   // Mn     [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O
+	{0x11075, 0x11075, prN},   // Lo         BRAHMI LETTER OLD TAMIL LLA
+	{0x1107F, 0x1107F, prN},   // Mn         BRAHMI NUMBER JOINER
+	{0x11080, 0x11081, prN},   // Mn     [2] KAITHI SIGN CANDRABINDU..KAITHI SIGN ANUSVARA
+	{0x11082, 0x11082, prN},   // Mc         KAITHI SIGN VISARGA
+	{0x11083, 0x110AF, prN},   // Lo    [45] KAITHI LETTER A..KAITHI LETTER HA
+	{0x110B0, 0x110B2, prN},   // Mc     [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II
+	{0x110B3, 0x110B6, prN},   // Mn     [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI
+	{0x110B7, 0x110B8, prN},   // Mc     [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU
+	{0x110B9, 0x110BA, prN},   // Mn     [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA
+	{0x110BB, 0x110BC, prN},   // Po     [2] KAITHI ABBREVIATION SIGN..KAITHI ENUMERATION SIGN
+	{0x110BD, 0x110BD, prN},   // Cf         KAITHI NUMBER SIGN
+	{0x110BE, 0x110C1, prN},   // Po     [4] KAITHI SECTION MARK..KAITHI DOUBLE DANDA
+	{0x110C2, 0x110C2, prN},   // Mn         KAITHI VOWEL SIGN VOCALIC R
+	{0x110CD, 0x110CD, prN},   // Cf         KAITHI NUMBER SIGN ABOVE
+	{0x110D0, 0x110E8, prN},   // Lo    [25] SORA SOMPENG LETTER SAH..SORA SOMPENG LETTER MAE
+	{0x110F0, 0x110F9, prN},   // Nd    [10] SORA SOMPENG DIGIT ZERO..SORA SOMPENG DIGIT NINE
+	{0x11100, 0x11102, prN},   // Mn     [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA
+	{0x11103, 0x11126, prN},   // Lo    [36] CHAKMA LETTER AA..CHAKMA LETTER HAA
+	{0x11127, 0x1112B, prN},   // Mn     [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU
+	{0x1112C, 0x1112C, prN},   // Mc         CHAKMA VOWEL SIGN E
+	{0x1112D, 0x11134, prN},   // Mn     [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA
+	{0x11136, 0x1113F, prN},   // Nd    [10] CHAKMA DIGIT ZERO..CHAKMA DIGIT NINE
+	{0x11140, 0x11143, prN},   // Po     [4] CHAKMA SECTION MARK..CHAKMA QUESTION MARK
+	{0x11144, 0x11144, prN},   // Lo         CHAKMA LETTER LHAA
+	{0x11145, 0x11146, prN},   // Mc     [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI
+	{0x11147, 0x11147, prN},   // Lo         CHAKMA LETTER VAA
+	{0x11150, 0x11172, prN},   // Lo    [35] MAHAJANI LETTER A..MAHAJANI LETTER RRA
+	{0x11173, 0x11173, prN},   // Mn         MAHAJANI SIGN NUKTA
+	{0x11174, 0x11175, prN},   // Po     [2] MAHAJANI ABBREVIATION SIGN..MAHAJANI SECTION MARK
+	{0x11176, 0x11176, prN},   // Lo         MAHAJANI LIGATURE SHRI
+	{0x11180, 0x11181, prN},   // Mn     [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA
+	{0x11182, 0x11182, prN},   // Mc         SHARADA SIGN VISARGA
+	{0x11183, 0x111B2, prN},   // Lo    [48] SHARADA LETTER A..SHARADA LETTER HA
+	{0x111B3, 0x111B5, prN},   // Mc     [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II
+	{0x111B6, 0x111BE, prN},   // Mn     [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O
+	{0x111BF, 0x111C0, prN},   // Mc     [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA
+	{0x111C1, 0x111C4, prN},   // Lo     [4] SHARADA SIGN AVAGRAHA..SHARADA OM
+	{0x111C5, 0x111C8, prN},   // Po     [4] SHARADA DANDA..SHARADA SEPARATOR
+	{0x111C9, 0x111CC, prN},   // Mn     [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK
+	{0x111CD, 0x111CD, prN},   // Po         SHARADA SUTRA MARK
+	{0x111CE, 0x111CE, prN},   // Mc         SHARADA VOWEL SIGN PRISHTHAMATRA E
+	{0x111CF, 0x111CF, prN},   // Mn         SHARADA SIGN INVERTED CANDRABINDU
+	{0x111D0, 0x111D9, prN},   // Nd    [10] SHARADA DIGIT ZERO..SHARADA DIGIT NINE
+	{0x111DA, 0x111DA, prN},   // Lo         SHARADA EKAM
+	{0x111DB, 0x111DB, prN},   // Po         SHARADA SIGN SIDDHAM
+	{0x111DC, 0x111DC, prN},   // Lo         SHARADA HEADSTROKE
+	{0x111DD, 0x111DF, prN},   // Po     [3] SHARADA CONTINUATION SIGN..SHARADA SECTION MARK-2
+	{0x111E1, 0x111F4, prN},   // No    [20] SINHALA ARCHAIC DIGIT ONE..SINHALA ARCHAIC NUMBER ONE THOUSAND
+	{0x11200, 0x11211, prN},   // Lo    [18] KHOJKI LETTER A..KHOJKI LETTER JJA
+	{0x11213, 0x1122B, prN},   // Lo    [25] KHOJKI LETTER NYA..KHOJKI LETTER LLA
+	{0x1122C, 0x1122E, prN},   // Mc     [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II
+	{0x1122F, 0x11231, prN},   // Mn     [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI
+	{0x11232, 0x11233, prN},   // Mc     [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU
+	{0x11234, 0x11234, prN},   // Mn         KHOJKI SIGN ANUSVARA
+	{0x11235, 0x11235, prN},   // Mc         KHOJKI SIGN VIRAMA
+	{0x11236, 0x11237, prN},   // Mn     [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA
+	{0x11238, 0x1123D, prN},   // Po     [6] KHOJKI DANDA..KHOJKI ABBREVIATION SIGN
+	{0x1123E, 0x1123E, prN},   // Mn         KHOJKI SIGN SUKUN
+	{0x1123F, 0x11240, prN},   // Lo     [2] KHOJKI LETTER QA..KHOJKI LETTER SHORT I
+	{0x11241, 0x11241, prN},   // Mn         KHOJKI VOWEL SIGN VOCALIC R
+	{0x11280, 0x11286, prN},   // Lo     [7] MULTANI LETTER A..MULTANI LETTER GA
+	{0x11288, 0x11288, prN},   // Lo         MULTANI LETTER GHA
+	{0x1128A, 0x1128D, prN},   // Lo     [4] MULTANI LETTER CA..MULTANI LETTER JJA
+	{0x1128F, 0x1129D, prN},   // Lo    [15] MULTANI LETTER NYA..MULTANI LETTER BA
+	{0x1129F, 0x112A8, prN},   // Lo    [10] MULTANI LETTER BHA..MULTANI LETTER RHA
+	{0x112A9, 0x112A9, prN},   // Po         MULTANI SECTION MARK
+	{0x112B0, 0x112DE, prN},   // Lo    [47] KHUDAWADI LETTER A..KHUDAWADI LETTER HA
+	{0x112DF, 0x112DF, prN},   // Mn         KHUDAWADI SIGN ANUSVARA
+	{0x112E0, 0x112E2, prN},   // Mc     [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II
+	{0x112E3, 0x112EA, prN},   // Mn     [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA
+	{0x112F0, 0x112F9, prN},   // Nd    [10] KHUDAWADI DIGIT ZERO..KHUDAWADI DIGIT NINE
+	{0x11300, 0x11301, prN},   // Mn     [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU
+	{0x11302, 0x11303, prN},   // Mc     [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA
+	{0x11305, 0x1130C, prN},   // Lo     [8] GRANTHA LETTER A..GRANTHA LETTER VOCALIC L
+	{0x1130F, 0x11310, prN},   // Lo     [2] GRANTHA LETTER EE..GRANTHA LETTER AI
+	{0x11313, 0x11328, prN},   // Lo    [22] GRANTHA LETTER OO..GRANTHA LETTER NA
+	{0x1132A, 0x11330, prN},   // Lo     [7] GRANTHA LETTER PA..GRANTHA LETTER RA
+	{0x11332, 0x11333, prN},   // Lo     [2] GRANTHA LETTER LA..GRANTHA LETTER LLA
+	{0x11335, 0x11339, prN},   // Lo     [5] GRANTHA LETTER VA..GRANTHA LETTER HA
+	{0x1133B, 0x1133C, prN},   // Mn     [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA
+	{0x1133D, 0x1133D, prN},   // Lo         GRANTHA SIGN AVAGRAHA
+	{0x1133E, 0x1133F, prN},   // Mc     [2] GRANTHA VOWEL SIGN AA..GRANTHA VOWEL SIGN I
+	{0x11340, 0x11340, prN},   // Mn         GRANTHA VOWEL SIGN II
+	{0x11341, 0x11344, prN},   // Mc     [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR
+	{0x11347, 0x11348, prN},   // Mc     [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI
+	{0x1134B, 0x1134D, prN},   // Mc     [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA
+	{0x11350, 0x11350, prN},   // Lo         GRANTHA OM
+	{0x11357, 0x11357, prN},   // Mc         GRANTHA AU LENGTH MARK
+	{0x1135D, 0x11361, prN},   // Lo     [5] GRANTHA SIGN PLUTA..GRANTHA LETTER VOCALIC LL
+	{0x11362, 0x11363, prN},   // Mc     [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL
+	{0x11366, 0x1136C, prN},   // Mn     [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX
+	{0x11370, 0x11374, prN},   // Mn     [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA
+	{0x11400, 0x11434, prN},   // Lo    [53] NEWA LETTER A..NEWA LETTER HA
+	{0x11435, 0x11437, prN},   // Mc     [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II
+	{0x11438, 0x1143F, prN},   // Mn     [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI
+	{0x11440, 0x11441, prN},   // Mc     [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU
+	{0x11442, 0x11444, prN},   // Mn     [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA
+	{0x11445, 0x11445, prN},   // Mc         NEWA SIGN VISARGA
+	{0x11446, 0x11446, prN},   // Mn         NEWA SIGN NUKTA
+	{0x11447, 0x1144A, prN},   // Lo     [4] NEWA SIGN AVAGRAHA..NEWA SIDDHI
+	{0x1144B, 0x1144F, prN},   // Po     [5] NEWA DANDA..NEWA ABBREVIATION SIGN
+	{0x11450, 0x11459, prN},   // Nd    [10] NEWA DIGIT ZERO..NEWA DIGIT NINE
+	{0x1145A, 0x1145B, prN},   // Po     [2] NEWA DOUBLE COMMA..NEWA PLACEHOLDER MARK
+	{0x1145D, 0x1145D, prN},   // Po         NEWA INSERTION SIGN
+	{0x1145E, 0x1145E, prN},   // Mn         NEWA SANDHI MARK
+	{0x1145F, 0x11461, prN},   // Lo     [3] NEWA LETTER VEDIC ANUSVARA..NEWA SIGN UPADHMANIYA
+	{0x11480, 0x114AF, prN},   // Lo    [48] TIRHUTA ANJI..TIRHUTA LETTER HA
+	{0x114B0, 0x114B2, prN},   // Mc     [3] TIRHUTA VOWEL SIGN AA..TIRHUTA VOWEL SIGN II
+	{0x114B3, 0x114B8, prN},   // Mn     [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL
+	{0x114B9, 0x114B9, prN},   // Mc         TIRHUTA VOWEL SIGN E
+	{0x114BA, 0x114BA, prN},   // Mn         TIRHUTA VOWEL SIGN SHORT E
+	{0x114BB, 0x114BE, prN},   // Mc     [4] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN AU
+	{0x114BF, 0x114C0, prN},   // Mn     [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA
+	{0x114C1, 0x114C1, prN},   // Mc         TIRHUTA SIGN VISARGA
+	{0x114C2, 0x114C3, prN},   // Mn     [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA
+	{0x114C4, 0x114C5, prN},   // Lo     [2] TIRHUTA SIGN AVAGRAHA..TIRHUTA GVANG
+	{0x114C6, 0x114C6, prN},   // Po         TIRHUTA ABBREVIATION SIGN
+	{0x114C7, 0x114C7, prN},   // Lo         TIRHUTA OM
+	{0x114D0, 0x114D9, prN},   // Nd    [10] TIRHUTA DIGIT ZERO..TIRHUTA DIGIT NINE
+	{0x11580, 0x115AE, prN},   // Lo    [47] SIDDHAM LETTER A..SIDDHAM LETTER HA
+	{0x115AF, 0x115B1, prN},   // Mc     [3] SIDDHAM VOWEL SIGN AA..SIDDHAM VOWEL SIGN II
+	{0x115B2, 0x115B5, prN},   // Mn     [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR
+	{0x115B8, 0x115BB, prN},   // Mc     [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU
+	{0x115BC, 0x115BD, prN},   // Mn     [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA
+	{0x115BE, 0x115BE, prN},   // Mc         SIDDHAM SIGN VISARGA
+	{0x115BF, 0x115C0, prN},   // Mn     [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA
+	{0x115C1, 0x115D7, prN},   // Po    [23] SIDDHAM SIGN SIDDHAM..SIDDHAM SECTION MARK WITH CIRCLES AND FOUR ENCLOSURES
+	{0x115D8, 0x115DB, prN},   // Lo     [4] SIDDHAM LETTER THREE-CIRCLE ALTERNATE I..SIDDHAM LETTER ALTERNATE U
+	{0x115DC, 0x115DD, prN},   // Mn     [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU
+	{0x11600, 0x1162F, prN},   // Lo    [48] MODI LETTER A..MODI LETTER LLA
+	{0x11630, 0x11632, prN},   // Mc     [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II
+	{0x11633, 0x1163A, prN},   // Mn     [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI
+	{0x1163B, 0x1163C, prN},   // Mc     [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU
+	{0x1163D, 0x1163D, prN},   // Mn         MODI SIGN ANUSVARA
+	{0x1163E, 0x1163E, prN},   // Mc         MODI SIGN VISARGA
+	{0x1163F, 0x11640, prN},   // Mn     [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA
+	{0x11641, 0x11643, prN},   // Po     [3] MODI DANDA..MODI ABBREVIATION SIGN
+	{0x11644, 0x11644, prN},   // Lo         MODI SIGN HUVA
+	{0x11650, 0x11659, prN},   // Nd    [10] MODI DIGIT ZERO..MODI DIGIT NINE
+	{0x11660, 0x1166C, prN},   // Po    [13] MONGOLIAN BIRGA WITH ORNAMENT..MONGOLIAN TURNED SWIRL BIRGA WITH DOUBLE ORNAMENT
+	{0x11680, 0x116AA, prN},   // Lo    [43] TAKRI LETTER A..TAKRI LETTER RRA
+	{0x116AB, 0x116AB, prN},   // Mn         TAKRI SIGN ANUSVARA
+	{0x116AC, 0x116AC, prN},   // Mc         TAKRI SIGN VISARGA
+	{0x116AD, 0x116AD, prN},   // Mn         TAKRI VOWEL SIGN AA
+	{0x116AE, 0x116AF, prN},   // Mc     [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II
+	{0x116B0, 0x116B5, prN},   // Mn     [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU
+	{0x116B6, 0x116B6, prN},   // Mc         TAKRI SIGN VIRAMA
+	{0x116B7, 0x116B7, prN},   // Mn         TAKRI SIGN NUKTA
+	{0x116B8, 0x116B8, prN},   // Lo         TAKRI LETTER ARCHAIC KHA
+	{0x116B9, 0x116B9, prN},   // Po         TAKRI ABBREVIATION SIGN
+	{0x116C0, 0x116C9, prN},   // Nd    [10] TAKRI DIGIT ZERO..TAKRI DIGIT NINE
+	{0x11700, 0x1171A, prN},   // Lo    [27] AHOM LETTER KA..AHOM LETTER ALTERNATE BA
+	{0x1171D, 0x1171F, prN},   // Mn     [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA
+	{0x11720, 0x11721, prN},   // Mc     [2] AHOM VOWEL SIGN A..AHOM VOWEL SIGN AA
+	{0x11722, 0x11725, prN},   // Mn     [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU
+	{0x11726, 0x11726, prN},   // Mc         AHOM VOWEL SIGN E
+	{0x11727, 0x1172B, prN},   // Mn     [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER
+	{0x11730, 0x11739, prN},   // Nd    [10] AHOM DIGIT ZERO..AHOM DIGIT NINE
+	{0x1173A, 0x1173B, prN},   // No     [2] AHOM NUMBER TEN..AHOM NUMBER TWENTY
+	{0x1173C, 0x1173E, prN},   // Po     [3] AHOM SIGN SMALL SECTION..AHOM SIGN RULAI
+	{0x1173F, 0x1173F, prN},   // So         AHOM SYMBOL VI
+	{0x11740, 0x11746, prN},   // Lo     [7] AHOM LETTER CA..AHOM LETTER LLA
+	{0x11800, 0x1182B, prN},   // Lo    [44] DOGRA LETTER A..DOGRA LETTER RRA
+	{0x1182C, 0x1182E, prN},   // Mc     [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II
+	{0x1182F, 0x11837, prN},   // Mn     [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA
+	{0x11838, 0x11838, prN},   // Mc         DOGRA SIGN VISARGA
+	{0x11839, 0x1183A, prN},   // Mn     [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA
+	{0x1183B, 0x1183B, prN},   // Po         DOGRA ABBREVIATION SIGN
+	{0x118A0, 0x118DF, prN},   // L&    [64] WARANG CITI CAPITAL LETTER NGAA..WARANG CITI SMALL LETTER VIYO
+	{0x118E0, 0x118E9, prN},   // Nd    [10] WARANG CITI DIGIT ZERO..WARANG CITI DIGIT NINE
+	{0x118EA, 0x118F2, prN},   // No     [9] WARANG CITI NUMBER TEN..WARANG CITI NUMBER NINETY
+	{0x118FF, 0x118FF, prN},   // Lo         WARANG CITI OM
+	{0x11900, 0x11906, prN},   // Lo     [7] DIVES AKURU LETTER A..DIVES AKURU LETTER E
+	{0x11909, 0x11909, prN},   // Lo         DIVES AKURU LETTER O
+	{0x1190C, 0x11913, prN},   // Lo     [8] DIVES AKURU LETTER KA..DIVES AKURU LETTER JA
+	{0x11915, 0x11916, prN},   // Lo     [2] DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA
+	{0x11918, 0x1192F, prN},   // Lo    [24] DIVES AKURU LETTER DDA..DIVES AKURU LETTER ZA
+	{0x11930, 0x11935, prN},   // Mc     [6] DIVES AKURU VOWEL SIGN AA..DIVES AKURU VOWEL SIGN E
+	{0x11937, 0x11938, prN},   // Mc     [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O
+	{0x1193B, 0x1193C, prN},   // Mn     [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU
+	{0x1193D, 0x1193D, prN},   // Mc         DIVES AKURU SIGN HALANTA
+	{0x1193E, 0x1193E, prN},   // Mn         DIVES AKURU VIRAMA
+	{0x1193F, 0x1193F, prN},   // Lo         DIVES AKURU PREFIXED NASAL SIGN
+	{0x11940, 0x11940, prN},   // Mc         DIVES AKURU MEDIAL YA
+	{0x11941, 0x11941, prN},   // Lo         DIVES AKURU INITIAL RA
+	{0x11942, 0x11942, prN},   // Mc         DIVES AKURU MEDIAL RA
+	{0x11943, 0x11943, prN},   // Mn         DIVES AKURU SIGN NUKTA
+	{0x11944, 0x11946, prN},   // Po     [3] DIVES AKURU DOUBLE DANDA..DIVES AKURU END OF TEXT MARK
+	{0x11950, 0x11959, prN},   // Nd    [10] DIVES AKURU DIGIT ZERO..DIVES AKURU DIGIT NINE
+	{0x119A0, 0x119A7, prN},   // Lo     [8] NANDINAGARI LETTER A..NANDINAGARI LETTER VOCALIC RR
+	{0x119AA, 0x119D0, prN},   // Lo    [39] NANDINAGARI LETTER E..NANDINAGARI LETTER RRA
+	{0x119D1, 0x119D3, prN},   // Mc     [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II
+	{0x119D4, 0x119D7, prN},   // Mn     [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR
+	{0x119DA, 0x119DB, prN},   // Mn     [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI
+	{0x119DC, 0x119DF, prN},   // Mc     [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA
+	{0x119E0, 0x119E0, prN},   // Mn         NANDINAGARI SIGN VIRAMA
+	{0x119E1, 0x119E1, prN},   // Lo         NANDINAGARI SIGN AVAGRAHA
+	{0x119E2, 0x119E2, prN},   // Po         NANDINAGARI SIGN SIDDHAM
+	{0x119E3, 0x119E3, prN},   // Lo         NANDINAGARI HEADSTROKE
+	{0x119E4, 0x119E4, prN},   // Mc         NANDINAGARI VOWEL SIGN PRISHTHAMATRA E
+	{0x11A00, 0x11A00, prN},   // Lo         ZANABAZAR SQUARE LETTER A
+	{0x11A01, 0x11A0A, prN},   // Mn    [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK
+	{0x11A0B, 0x11A32, prN},   // Lo    [40] ZANABAZAR SQUARE LETTER KA..ZANABAZAR SQUARE LETTER KSSA
+	{0x11A33, 0x11A38, prN},   // Mn     [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA
+	{0x11A39, 0x11A39, prN},   // Mc         ZANABAZAR SQUARE SIGN VISARGA
+	{0x11A3A, 0x11A3A, prN},   // Lo         ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA
+	{0x11A3B, 0x11A3E, prN},   // Mn     [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA
+	{0x11A3F, 0x11A46, prN},   // Po     [8] ZANABAZAR SQUARE INITIAL HEAD MARK..ZANABAZAR SQUARE CLOSING DOUBLE-LINED HEAD MARK
+	{0x11A47, 0x11A47, prN},   // Mn         ZANABAZAR SQUARE SUBJOINER
+	{0x11A50, 0x11A50, prN},   // Lo         SOYOMBO LETTER A
+	{0x11A51, 0x11A56, prN},   // Mn     [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE
+	{0x11A57, 0x11A58, prN},   // Mc     [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU
+	{0x11A59, 0x11A5B, prN},   // Mn     [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK
+	{0x11A5C, 0x11A89, prN},   // Lo    [46] SOYOMBO LETTER KA..SOYOMBO CLUSTER-INITIAL LETTER SA
+	{0x11A8A, 0x11A96, prN},   // Mn    [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA
+	{0x11A97, 0x11A97, prN},   // Mc         SOYOMBO SIGN VISARGA
+	{0x11A98, 0x11A99, prN},   // Mn     [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER
+	{0x11A9A, 0x11A9C, prN},   // Po     [3] SOYOMBO MARK TSHEG..SOYOMBO MARK DOUBLE SHAD
+	{0x11A9D, 0x11A9D, prN},   // Lo         SOYOMBO MARK PLUTA
+	{0x11A9E, 0x11AA2, prN},   // Po     [5] SOYOMBO HEAD MARK WITH MOON AND SUN AND TRIPLE FLAME..SOYOMBO TERMINAL MARK-2
+	{0x11AB0, 0x11ABF, prN},   // Lo    [16] CANADIAN SYLLABICS NATTILIK HI..CANADIAN SYLLABICS SPA
+	{0x11AC0, 0x11AF8, prN},   // Lo    [57] PAU CIN HAU LETTER PA..PAU CIN HAU GLOTTAL STOP FINAL
+	{0x11B00, 0x11B09, prN},   // Po    [10] DEVANAGARI HEAD MARK..DEVANAGARI SIGN MINDU
+	{0x11C00, 0x11C08, prN},   // Lo     [9] BHAIKSUKI LETTER A..BHAIKSUKI LETTER VOCALIC L
+	{0x11C0A, 0x11C2E, prN},   // Lo    [37] BHAIKSUKI LETTER E..BHAIKSUKI LETTER HA
+	{0x11C2F, 0x11C2F, prN},   // Mc         BHAIKSUKI VOWEL SIGN AA
+	{0x11C30, 0x11C36, prN},   // Mn     [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L
+	{0x11C38, 0x11C3D, prN},   // Mn     [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA
+	{0x11C3E, 0x11C3E, prN},   // Mc         BHAIKSUKI SIGN VISARGA
+	{0x11C3F, 0x11C3F, prN},   // Mn         BHAIKSUKI SIGN VIRAMA
+	{0x11C40, 0x11C40, prN},   // Lo         BHAIKSUKI SIGN AVAGRAHA
+	{0x11C41, 0x11C45, prN},   // Po     [5] BHAIKSUKI DANDA..BHAIKSUKI GAP FILLER-2
+	{0x11C50, 0x11C59, prN},   // Nd    [10] BHAIKSUKI DIGIT ZERO..BHAIKSUKI DIGIT NINE
+	{0x11C5A, 0x11C6C, prN},   // No    [19] BHAIKSUKI NUMBER ONE..BHAIKSUKI HUNDREDS UNIT MARK
+	{0x11C70, 0x11C71, prN},   // Po     [2] MARCHEN HEAD MARK..MARCHEN MARK SHAD
+	{0x11C72, 0x11C8F, prN},   // Lo    [30] MARCHEN LETTER KA..MARCHEN LETTER A
+	{0x11C92, 0x11CA7, prN},   // Mn    [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA
+	{0x11CA9, 0x11CA9, prN},   // Mc         MARCHEN SUBJOINED LETTER YA
+	{0x11CAA, 0x11CB0, prN},   // Mn     [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA
+	{0x11CB1, 0x11CB1, prN},   // Mc         MARCHEN VOWEL SIGN I
+	{0x11CB2, 0x11CB3, prN},   // Mn     [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E
+	{0x11CB4, 0x11CB4, prN},   // Mc         MARCHEN VOWEL SIGN O
+	{0x11CB5, 0x11CB6, prN},   // Mn     [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU
+	{0x11D00, 0x11D06, prN},   // Lo     [7] MASARAM GONDI LETTER A..MASARAM GONDI LETTER E
+	{0x11D08, 0x11D09, prN},   // Lo     [2] MASARAM GONDI LETTER AI..MASARAM GONDI LETTER O
+	{0x11D0B, 0x11D30, prN},   // Lo    [38] MASARAM GONDI LETTER AU..MASARAM GONDI LETTER TRA
+	{0x11D31, 0x11D36, prN},   // Mn     [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R
+	{0x11D3A, 0x11D3A, prN},   // Mn         MASARAM GONDI VOWEL SIGN E
+	{0x11D3C, 0x11D3D, prN},   // Mn     [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O
+	{0x11D3F, 0x11D45, prN},   // Mn     [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA
+	{0x11D46, 0x11D46, prN},   // Lo         MASARAM GONDI REPHA
+	{0x11D47, 0x11D47, prN},   // Mn         MASARAM GONDI RA-KARA
+	{0x11D50, 0x11D59, prN},   // Nd    [10] MASARAM GONDI DIGIT ZERO..MASARAM GONDI DIGIT NINE
+	{0x11D60, 0x11D65, prN},   // Lo     [6] GUNJALA GONDI LETTER A..GUNJALA GONDI LETTER UU
+	{0x11D67, 0x11D68, prN},   // Lo     [2] GUNJALA GONDI LETTER EE..GUNJALA GONDI LETTER AI
+	{0x11D6A, 0x11D89, prN},   // Lo    [32] GUNJALA GONDI LETTER OO..GUNJALA GONDI LETTER SA
+	{0x11D8A, 0x11D8E, prN},   // Mc     [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU
+	{0x11D90, 0x11D91, prN},   // Mn     [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI
+	{0x11D93, 0x11D94, prN},   // Mc     [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU
+	{0x11D95, 0x11D95, prN},   // Mn         GUNJALA GONDI SIGN ANUSVARA
+	{0x11D96, 0x11D96, prN},   // Mc         GUNJALA GONDI SIGN VISARGA
+	{0x11D97, 0x11D97, prN},   // Mn         GUNJALA GONDI VIRAMA
+	{0x11D98, 0x11D98, prN},   // Lo         GUNJALA GONDI OM
+	{0x11DA0, 0x11DA9, prN},   // Nd    [10] GUNJALA GONDI DIGIT ZERO..GUNJALA GONDI DIGIT NINE
+	{0x11EE0, 0x11EF2, prN},   // Lo    [19] MAKASAR LETTER KA..MAKASAR ANGKA
+	{0x11EF3, 0x11EF4, prN},   // Mn     [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U
+	{0x11EF5, 0x11EF6, prN},   // Mc     [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O
+	{0x11EF7, 0x11EF8, prN},   // Po     [2] MAKASAR PASSIMBANG..MAKASAR END OF SECTION
+	{0x11F00, 0x11F01, prN},   // Mn     [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA
+	{0x11F02, 0x11F02, prN},   // Lo         KAWI SIGN REPHA
+	{0x11F03, 0x11F03, prN},   // Mc         KAWI SIGN VISARGA
+	{0x11F04, 0x11F10, prN},   // Lo    [13] KAWI LETTER A..KAWI LETTER O
+	{0x11F12, 0x11F33, prN},   // Lo    [34] KAWI LETTER KA..KAWI LETTER JNYA
+	{0x11F34, 0x11F35, prN},   // Mc     [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA
+	{0x11F36, 0x11F3A, prN},   // Mn     [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R
+	{0x11F3E, 0x11F3F, prN},   // Mc     [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI
+	{0x11F40, 0x11F40, prN},   // Mn         KAWI VOWEL SIGN EU
+	{0x11F41, 0x11F41, prN},   // Mc         KAWI SIGN KILLER
+	{0x11F42, 0x11F42, prN},   // Mn         KAWI CONJOINER
+	{0x11F43, 0x11F4F, prN},   // Po    [13] KAWI DANDA..KAWI PUNCTUATION CLOSING SPIRAL
+	{0x11F50, 0x11F59, prN},   // Nd    [10] KAWI DIGIT ZERO..KAWI DIGIT NINE
+	{0x11FB0, 0x11FB0, prN},   // Lo         LISU LETTER YHA
+	{0x11FC0, 0x11FD4, prN},   // No    [21] TAMIL FRACTION ONE THREE-HUNDRED-AND-TWENTIETH..TAMIL FRACTION DOWNSCALING FACTOR KIIZH
+	{0x11FD5, 0x11FDC, prN},   // So     [8] TAMIL SIGN NEL..TAMIL SIGN MUKKURUNI
+	{0x11FDD, 0x11FE0, prN},   // Sc     [4] TAMIL SIGN KAACU..TAMIL SIGN VARAAKAN
+	{0x11FE1, 0x11FF1, prN},   // So    [17] TAMIL SIGN PAARAM..TAMIL SIGN VAKAIYARAA
+	{0x11FFF, 0x11FFF, prN},   // Po         TAMIL PUNCTUATION END OF TEXT
+	{0x12000, 0x12399, prN},   // Lo   [922] CUNEIFORM SIGN A..CUNEIFORM SIGN U U
+	{0x12400, 0x1246E, prN},   // Nl   [111] CUNEIFORM NUMERIC SIGN TWO ASH..CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM
+	{0x12470, 0x12474, prN},   // Po     [5] CUNEIFORM PUNCTUATION SIGN OLD ASSYRIAN WORD DIVIDER..CUNEIFORM PUNCTUATION SIGN DIAGONAL QUADCOLON
+	{0x12480, 0x12543, prN},   // Lo   [196] CUNEIFORM SIGN AB TIMES NUN TENU..CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU
+	{0x12F90, 0x12FF0, prN},   // Lo    [97] CYPRO-MINOAN SIGN CM001..CYPRO-MINOAN SIGN CM114
+	{0x12FF1, 0x12FF2, prN},   // Po     [2] CYPRO-MINOAN SIGN CM301..CYPRO-MINOAN SIGN CM302
+	{0x13000, 0x1342F, prN},   // Lo  [1072] EGYPTIAN HIEROGLYPH A001..EGYPTIAN HIEROGLYPH V011D
+	{0x13430, 0x1343F, prN},   // Cf    [16] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE
+	{0x13440, 0x13440, prN},   // Mn         EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY
+	{0x13441, 0x13446, prN},   // Lo     [6] EGYPTIAN HIEROGLYPH FULL BLANK..EGYPTIAN HIEROGLYPH WIDE LOST SIGN
+	{0x13447, 0x13455, prN},   // Mn    [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED
+	{0x14400, 0x14646, prN},   // Lo   [583] ANATOLIAN HIEROGLYPH A001..ANATOLIAN HIEROGLYPH A530
+	{0x16800, 0x16A38, prN},   // Lo   [569] BAMUM LETTER PHASE-A NGKUE MFON..BAMUM LETTER PHASE-F VUEQ
+	{0x16A40, 0x16A5E, prN},   // Lo    [31] MRO LETTER TA..MRO LETTER TEK
+	{0x16A60, 0x16A69, prN},   // Nd    [10] MRO DIGIT ZERO..MRO DIGIT NINE
+	{0x16A6E, 0x16A6F, prN},   // Po     [2] MRO DANDA..MRO DOUBLE DANDA
+	{0x16A70, 0x16ABE, prN},   // Lo    [79] TANGSA LETTER OZ..TANGSA LETTER ZA
+	{0x16AC0, 0x16AC9, prN},   // Nd    [10] TANGSA DIGIT ZERO..TANGSA DIGIT NINE
+	{0x16AD0, 0x16AED, prN},   // Lo    [30] BASSA VAH LETTER ENNI..BASSA VAH LETTER I
+	{0x16AF0, 0x16AF4, prN},   // Mn     [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE
+	{0x16AF5, 0x16AF5, prN},   // Po         BASSA VAH FULL STOP
+	{0x16B00, 0x16B2F, prN},   // Lo    [48] PAHAWH HMONG VOWEL KEEB..PAHAWH HMONG CONSONANT CAU
+	{0x16B30, 0x16B36, prN},   // Mn     [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM
+	{0x16B37, 0x16B3B, prN},   // Po     [5] PAHAWH HMONG SIGN VOS THOM..PAHAWH HMONG SIGN VOS FEEM
+	{0x16B3C, 0x16B3F, prN},   // So     [4] PAHAWH HMONG SIGN XYEEM NTXIV..PAHAWH HMONG SIGN XYEEM FAIB
+	{0x16B40, 0x16B43, prN},   // Lm     [4] PAHAWH HMONG SIGN VOS SEEV..PAHAWH HMONG SIGN IB YAM
+	{0x16B44, 0x16B44, prN},   // Po         PAHAWH HMONG SIGN XAUS
+	{0x16B45, 0x16B45, prN},   // So         PAHAWH HMONG SIGN CIM TSOV ROG
+	{0x16B50, 0x16B59, prN},   // Nd    [10] PAHAWH HMONG DIGIT ZERO..PAHAWH HMONG DIGIT NINE
+	{0x16B5B, 0x16B61, prN},   // No     [7] PAHAWH HMONG NUMBER TENS..PAHAWH HMONG NUMBER TRILLIONS
+	{0x16B63, 0x16B77, prN},   // Lo    [21] PAHAWH HMONG SIGN VOS LUB..PAHAWH HMONG SIGN CIM NRES TOS
+	{0x16B7D, 0x16B8F, prN},   // Lo    [19] PAHAWH HMONG CLAN SIGN TSHEEJ..PAHAWH HMONG CLAN SIGN VWJ
+	{0x16E40, 0x16E7F, prN},   // L&    [64] MEDEFAIDRIN CAPITAL LETTER M..MEDEFAIDRIN SMALL LETTER Y
+	{0x16E80, 0x16E96, prN},   // No    [23] MEDEFAIDRIN DIGIT ZERO..MEDEFAIDRIN DIGIT THREE ALTERNATE FORM
+	{0x16E97, 0x16E9A, prN},   // Po     [4] MEDEFAIDRIN COMMA..MEDEFAIDRIN EXCLAMATION OH
+	{0x16F00, 0x16F4A, prN},   // Lo    [75] MIAO LETTER PA..MIAO LETTER RTE
+	{0x16F4F, 0x16F4F, prN},   // Mn         MIAO SIGN CONSONANT MODIFIER BAR
+	{0x16F50, 0x16F50, prN},   // Lo         MIAO LETTER NASALIZATION
+	{0x16F51, 0x16F87, prN},   // Mc    [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI
+	{0x16F8F, 0x16F92, prN},   // Mn     [4] MIAO TONE RIGHT..MIAO TONE BELOW
+	{0x16F93, 0x16F9F, prN},   // Lm    [13] MIAO LETTER TONE-2..MIAO LETTER REFORMED TONE-8
+	{0x16FE0, 0x16FE1, prW},   // Lm     [2] TANGUT ITERATION MARK..NUSHU ITERATION MARK
+	{0x16FE2, 0x16FE2, prW},   // Po         OLD CHINESE HOOK MARK
+	{0x16FE3, 0x16FE3, prW},   // Lm         OLD CHINESE ITERATION MARK
+	{0x16FE4, 0x16FE4, prW},   // Mn         KHITAN SMALL SCRIPT FILLER
+	{0x16FF0, 0x16FF1, prW},   // Mc     [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY
+	{0x17000, 0x187F7, prW},   // Lo  [6136] TANGUT IDEOGRAPH-17000..TANGUT IDEOGRAPH-187F7
+	{0x18800, 0x18AFF, prW},   // Lo   [768] TANGUT COMPONENT-001..TANGUT COMPONENT-768
+	{0x18B00, 0x18CD5, prW},   // Lo   [470] KHITAN SMALL SCRIPT CHARACTER-18B00..KHITAN SMALL SCRIPT CHARACTER-18CD5
+	{0x18D00, 0x18D08, prW},   // Lo     [9] TANGUT IDEOGRAPH-18D00..TANGUT IDEOGRAPH-18D08
+	{0x1AFF0, 0x1AFF3, prW},   // Lm     [4] KATAKANA LETTER MINNAN TONE-2..KATAKANA LETTER MINNAN TONE-5
+	{0x1AFF5, 0x1AFFB, prW},   // Lm     [7] KATAKANA LETTER MINNAN TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-5
+	{0x1AFFD, 0x1AFFE, prW},   // Lm     [2] KATAKANA LETTER MINNAN NASALIZED TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-8
+	{0x1B000, 0x1B0FF, prW},   // Lo   [256] KATAKANA LETTER ARCHAIC E..HENTAIGANA LETTER RE-2
+	{0x1B100, 0x1B122, prW},   // Lo    [35] HENTAIGANA LETTER RE-3..KATAKANA LETTER ARCHAIC WU
+	{0x1B132, 0x1B132, prW},   // Lo         HIRAGANA LETTER SMALL KO
+	{0x1B150, 0x1B152, prW},   // Lo     [3] HIRAGANA LETTER SMALL WI..HIRAGANA LETTER SMALL WO
+	{0x1B155, 0x1B155, prW},   // Lo         KATAKANA LETTER SMALL KO
+	{0x1B164, 0x1B167, prW},   // Lo     [4] KATAKANA LETTER SMALL WI..KATAKANA LETTER SMALL N
+	{0x1B170, 0x1B2FB, prW},   // Lo   [396] NUSHU CHARACTER-1B170..NUSHU CHARACTER-1B2FB
+	{0x1BC00, 0x1BC6A, prN},   // Lo   [107] DUPLOYAN LETTER H..DUPLOYAN LETTER VOCALIC M
+	{0x1BC70, 0x1BC7C, prN},   // Lo    [13] DUPLOYAN AFFIX LEFT HORIZONTAL SECANT..DUPLOYAN AFFIX ATTACHED TANGENT HOOK
+	{0x1BC80, 0x1BC88, prN},   // Lo     [9] DUPLOYAN AFFIX HIGH ACUTE..DUPLOYAN AFFIX HIGH VERTICAL
+	{0x1BC90, 0x1BC99, prN},   // Lo    [10] DUPLOYAN AFFIX LOW ACUTE..DUPLOYAN AFFIX LOW ARROW
+	{0x1BC9C, 0x1BC9C, prN},   // So         DUPLOYAN SIGN O WITH CROSS
+	{0x1BC9D, 0x1BC9E, prN},   // Mn     [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK
+	{0x1BC9F, 0x1BC9F, prN},   // Po         DUPLOYAN PUNCTUATION CHINOOK FULL STOP
+	{0x1BCA0, 0x1BCA3, prN},   // Cf     [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP
+	{0x1CF00, 0x1CF2D, prN},   // Mn    [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT
+	{0x1CF30, 0x1CF46, prN},   // Mn    [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG
+	{0x1CF50, 0x1CFC3, prN},   // So   [116] ZNAMENNY NEUME KRYUK..ZNAMENNY NEUME PAUK
+	{0x1D000, 0x1D0F5, prN},   // So   [246] BYZANTINE MUSICAL SYMBOL PSILI..BYZANTINE MUSICAL SYMBOL GORGON NEO KATO
+	{0x1D100, 0x1D126, prN},   // So    [39] MUSICAL SYMBOL SINGLE BARLINE..MUSICAL SYMBOL DRUM CLEF-2
+	{0x1D129, 0x1D164, prN},   // So    [60] MUSICAL SYMBOL MULTIPLE MEASURE REST..MUSICAL SYMBOL ONE HUNDRED TWENTY-EIGHTH NOTE
+	{0x1D165, 0x1D166, prN},   // Mc     [2] MUSICAL SYMBOL COMBINING STEM..MUSICAL SYMBOL COMBINING SPRECHGESANG STEM
+	{0x1D167, 0x1D169, prN},   // Mn     [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3
+	{0x1D16A, 0x1D16C, prN},   // So     [3] MUSICAL SYMBOL FINGERED TREMOLO-1..MUSICAL SYMBOL FINGERED TREMOLO-3
+	{0x1D16D, 0x1D172, prN},   // Mc     [6] MUSICAL SYMBOL COMBINING AUGMENTATION DOT..MUSICAL SYMBOL COMBINING FLAG-5
+	{0x1D173, 0x1D17A, prN},   // Cf     [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE
+	{0x1D17B, 0x1D182, prN},   // Mn     [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE
+	{0x1D183, 0x1D184, prN},   // So     [2] MUSICAL SYMBOL ARPEGGIATO UP..MUSICAL SYMBOL ARPEGGIATO DOWN
+	{0x1D185, 0x1D18B, prN},   // Mn     [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE
+	{0x1D18C, 0x1D1A9, prN},   // So    [30] MUSICAL SYMBOL RINFORZANDO..MUSICAL SYMBOL DEGREE SLASH
+	{0x1D1AA, 0x1D1AD, prN},   // Mn     [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO
+	{0x1D1AE, 0x1D1EA, prN},   // So    [61] MUSICAL SYMBOL PEDAL MARK..MUSICAL SYMBOL KORON
+	{0x1D200, 0x1D241, prN},   // So    [66] GREEK VOCAL NOTATION SYMBOL-1..GREEK INSTRUMENTAL NOTATION SYMBOL-54
+	{0x1D242, 0x1D244, prN},   // Mn     [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME
+	{0x1D245, 0x1D245, prN},   // So         GREEK MUSICAL LEIMMA
+	{0x1D2C0, 0x1D2D3, prN},   // No    [20] KAKTOVIK NUMERAL ZERO..KAKTOVIK NUMERAL NINETEEN
+	{0x1D2E0, 0x1D2F3, prN},   // No    [20] MAYAN NUMERAL ZERO..MAYAN NUMERAL NINETEEN
+	{0x1D300, 0x1D356, prN},   // So    [87] MONOGRAM FOR EARTH..TETRAGRAM FOR FOSTERING
+	{0x1D360, 0x1D378, prN},   // No    [25] COUNTING ROD UNIT DIGIT ONE..TALLY MARK FIVE
+	{0x1D400, 0x1D454, prN},   // L&    [85] MATHEMATICAL BOLD CAPITAL A..MATHEMATICAL ITALIC SMALL G
+	{0x1D456, 0x1D49C, prN},   // L&    [71] MATHEMATICAL ITALIC SMALL I..MATHEMATICAL SCRIPT CAPITAL A
+	{0x1D49E, 0x1D49F, prN},   // Lu     [2] MATHEMATICAL SCRIPT CAPITAL C..MATHEMATICAL SCRIPT CAPITAL D
+	{0x1D4A2, 0x1D4A2, prN},   // Lu         MATHEMATICAL SCRIPT CAPITAL G
+	{0x1D4A5, 0x1D4A6, prN},   // Lu     [2] MATHEMATICAL SCRIPT CAPITAL J..MATHEMATICAL SCRIPT CAPITAL K
+	{0x1D4A9, 0x1D4AC, prN},   // Lu     [4] MATHEMATICAL SCRIPT CAPITAL N..MATHEMATICAL SCRIPT CAPITAL Q
+	{0x1D4AE, 0x1D4B9, prN},   // L&    [12] MATHEMATICAL SCRIPT CAPITAL S..MATHEMATICAL SCRIPT SMALL D
+	{0x1D4BB, 0x1D4BB, prN},   // Ll         MATHEMATICAL SCRIPT SMALL F
+	{0x1D4BD, 0x1D4C3, prN},   // Ll     [7] MATHEMATICAL SCRIPT SMALL H..MATHEMATICAL SCRIPT SMALL N
+	{0x1D4C5, 0x1D505, prN},   // L&    [65] MATHEMATICAL SCRIPT SMALL P..MATHEMATICAL FRAKTUR CAPITAL B
+	{0x1D507, 0x1D50A, prN},   // Lu     [4] MATHEMATICAL FRAKTUR CAPITAL D..MATHEMATICAL FRAKTUR CAPITAL G
+	{0x1D50D, 0x1D514, prN},   // Lu     [8] MATHEMATICAL FRAKTUR CAPITAL J..MATHEMATICAL FRAKTUR CAPITAL Q
+	{0x1D516, 0x1D51C, prN},   // Lu     [7] MATHEMATICAL FRAKTUR CAPITAL S..MATHEMATICAL FRAKTUR CAPITAL Y
+	{0x1D51E, 0x1D539, prN},   // L&    [28] MATHEMATICAL FRAKTUR SMALL A..MATHEMATICAL DOUBLE-STRUCK CAPITAL B
+	{0x1D53B, 0x1D53E, prN},   // Lu     [4] MATHEMATICAL DOUBLE-STRUCK CAPITAL D..MATHEMATICAL DOUBLE-STRUCK CAPITAL G
+	{0x1D540, 0x1D544, prN},   // Lu     [5] MATHEMATICAL DOUBLE-STRUCK CAPITAL I..MATHEMATICAL DOUBLE-STRUCK CAPITAL M
+	{0x1D546, 0x1D546, prN},   // Lu         MATHEMATICAL DOUBLE-STRUCK CAPITAL O
+	{0x1D54A, 0x1D550, prN},   // Lu     [7] MATHEMATICAL DOUBLE-STRUCK CAPITAL S..MATHEMATICAL DOUBLE-STRUCK CAPITAL Y
+	{0x1D552, 0x1D6A5, prN},   // L&   [340] MATHEMATICAL DOUBLE-STRUCK SMALL A..MATHEMATICAL ITALIC SMALL DOTLESS J
+	{0x1D6A8, 0x1D6C0, prN},   // Lu    [25] MATHEMATICAL BOLD CAPITAL ALPHA..MATHEMATICAL BOLD CAPITAL OMEGA
+	{0x1D6C1, 0x1D6C1, prN},   // Sm         MATHEMATICAL BOLD NABLA
+	{0x1D6C2, 0x1D6DA, prN},   // Ll    [25] MATHEMATICAL BOLD SMALL ALPHA..MATHEMATICAL BOLD SMALL OMEGA
+	{0x1D6DB, 0x1D6DB, prN},   // Sm         MATHEMATICAL BOLD PARTIAL DIFFERENTIAL
+	{0x1D6DC, 0x1D6FA, prN},   // L&    [31] MATHEMATICAL BOLD EPSILON SYMBOL..MATHEMATICAL ITALIC CAPITAL OMEGA
+	{0x1D6FB, 0x1D6FB, prN},   // Sm         MATHEMATICAL ITALIC NABLA
+	{0x1D6FC, 0x1D714, prN},   // Ll    [25] MATHEMATICAL ITALIC SMALL ALPHA..MATHEMATICAL ITALIC SMALL OMEGA
+	{0x1D715, 0x1D715, prN},   // Sm         MATHEMATICAL ITALIC PARTIAL DIFFERENTIAL
+	{0x1D716, 0x1D734, prN},   // L&    [31] MATHEMATICAL ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD ITALIC CAPITAL OMEGA
+	{0x1D735, 0x1D735, prN},   // Sm         MATHEMATICAL BOLD ITALIC NABLA
+	{0x1D736, 0x1D74E, prN},   // Ll    [25] MATHEMATICAL BOLD ITALIC SMALL ALPHA..MATHEMATICAL BOLD ITALIC SMALL OMEGA
+	{0x1D74F, 0x1D74F, prN},   // Sm         MATHEMATICAL BOLD ITALIC PARTIAL DIFFERENTIAL
+	{0x1D750, 0x1D76E, prN},   // L&    [31] MATHEMATICAL BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD CAPITAL OMEGA
+	{0x1D76F, 0x1D76F, prN},   // Sm         MATHEMATICAL SANS-SERIF BOLD NABLA
+	{0x1D770, 0x1D788, prN},   // Ll    [25] MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD SMALL OMEGA
+	{0x1D789, 0x1D789, prN},   // Sm         MATHEMATICAL SANS-SERIF BOLD PARTIAL DIFFERENTIAL
+	{0x1D78A, 0x1D7A8, prN},   // L&    [31] MATHEMATICAL SANS-SERIF BOLD EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL OMEGA
+	{0x1D7A9, 0x1D7A9, prN},   // Sm         MATHEMATICAL SANS-SERIF BOLD ITALIC NABLA
+	{0x1D7AA, 0x1D7C2, prN},   // Ll    [25] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL OMEGA
+	{0x1D7C3, 0x1D7C3, prN},   // Sm         MATHEMATICAL SANS-SERIF BOLD ITALIC PARTIAL DIFFERENTIAL
+	{0x1D7C4, 0x1D7CB, prN},   // L&     [8] MATHEMATICAL SANS-SERIF BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD SMALL DIGAMMA
+	{0x1D7CE, 0x1D7FF, prN},   // Nd    [50] MATHEMATICAL BOLD DIGIT ZERO..MATHEMATICAL MONOSPACE DIGIT NINE
+	{0x1D800, 0x1D9FF, prN},   // So   [512] SIGNWRITING HAND-FIST INDEX..SIGNWRITING HEAD
+	{0x1DA00, 0x1DA36, prN},   // Mn    [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN
+	{0x1DA37, 0x1DA3A, prN},   // So     [4] SIGNWRITING AIR BLOW SMALL ROTATIONS..SIGNWRITING BREATH EXHALE
+	{0x1DA3B, 0x1DA6C, prN},   // Mn    [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT
+	{0x1DA6D, 0x1DA74, prN},   // So     [8] SIGNWRITING SHOULDER HIP SPINE..SIGNWRITING TORSO-FLOORPLANE TWISTING
+	{0x1DA75, 0x1DA75, prN},   // Mn         SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS
+	{0x1DA76, 0x1DA83, prN},   // So    [14] SIGNWRITING LIMB COMBINATION..SIGNWRITING LOCATION DEPTH
+	{0x1DA84, 0x1DA84, prN},   // Mn         SIGNWRITING LOCATION HEAD NECK
+	{0x1DA85, 0x1DA86, prN},   // So     [2] SIGNWRITING LOCATION TORSO..SIGNWRITING LOCATION LIMBS DIGITS
+	{0x1DA87, 0x1DA8B, prN},   // Po     [5] SIGNWRITING COMMA..SIGNWRITING PARENTHESIS
+	{0x1DA9B, 0x1DA9F, prN},   // Mn     [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6
+	{0x1DAA1, 0x1DAAF, prN},   // Mn    [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16
+	{0x1DF00, 0x1DF09, prN},   // Ll    [10] LATIN SMALL LETTER FENG DIGRAPH WITH TRILL..LATIN SMALL LETTER T WITH HOOK AND RETROFLEX HOOK
+	{0x1DF0A, 0x1DF0A, prN},   // Lo         LATIN LETTER RETROFLEX CLICK WITH RETROFLEX HOOK
+	{0x1DF0B, 0x1DF1E, prN},   // Ll    [20] LATIN SMALL LETTER ESH WITH DOUBLE BAR..LATIN SMALL LETTER S WITH CURL
+	{0x1DF25, 0x1DF2A, prN},   // Ll     [6] LATIN SMALL LETTER D WITH MID-HEIGHT LEFT HOOK..LATIN SMALL LETTER T WITH MID-HEIGHT LEFT HOOK
+	{0x1E000, 0x1E006, prN},   // Mn     [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE
+	{0x1E008, 0x1E018, prN},   // Mn    [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU
+	{0x1E01B, 0x1E021, prN},   // Mn     [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI
+	{0x1E023, 0x1E024, prN},   // Mn     [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS
+	{0x1E026, 0x1E02A, prN},   // Mn     [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA
+	{0x1E030, 0x1E06D, prN},   // Lm    [62] MODIFIER LETTER CYRILLIC SMALL A..MODIFIER LETTER CYRILLIC SMALL STRAIGHT U WITH STROKE
+	{0x1E08F, 0x1E08F, prN},   // Mn         COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
+	{0x1E100, 0x1E12C, prN},   // Lo    [45] NYIAKENG PUACHUE HMONG LETTER MA..NYIAKENG PUACHUE HMONG LETTER W
+	{0x1E130, 0x1E136, prN},   // Mn     [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D
+	{0x1E137, 0x1E13D, prN},   // Lm     [7] NYIAKENG PUACHUE HMONG SIGN FOR PERSON..NYIAKENG PUACHUE HMONG SYLLABLE LENGTHENER
+	{0x1E140, 0x1E149, prN},   // Nd    [10] NYIAKENG PUACHUE HMONG DIGIT ZERO..NYIAKENG PUACHUE HMONG DIGIT NINE
+	{0x1E14E, 0x1E14E, prN},   // Lo         NYIAKENG PUACHUE HMONG LOGOGRAM NYAJ
+	{0x1E14F, 0x1E14F, prN},   // So         NYIAKENG PUACHUE HMONG CIRCLED CA
+	{0x1E290, 0x1E2AD, prN},   // Lo    [30] TOTO LETTER PA..TOTO LETTER A
+	{0x1E2AE, 0x1E2AE, prN},   // Mn         TOTO SIGN RISING TONE
+	{0x1E2C0, 0x1E2EB, prN},   // Lo    [44] WANCHO LETTER AA..WANCHO LETTER YIH
+	{0x1E2EC, 0x1E2EF, prN},   // Mn     [4] WANCHO TONE TUP..WANCHO TONE KOINI
+	{0x1E2F0, 0x1E2F9, prN},   // Nd    [10] WANCHO DIGIT ZERO..WANCHO DIGIT NINE
+	{0x1E2FF, 0x1E2FF, prN},   // Sc         WANCHO NGUN SIGN
+	{0x1E4D0, 0x1E4EA, prN},   // Lo    [27] NAG MUNDARI LETTER O..NAG MUNDARI LETTER ELL
+	{0x1E4EB, 0x1E4EB, prN},   // Lm         NAG MUNDARI SIGN OJOD
+	{0x1E4EC, 0x1E4EF, prN},   // Mn     [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH
+	{0x1E4F0, 0x1E4F9, prN},   // Nd    [10] NAG MUNDARI DIGIT ZERO..NAG MUNDARI DIGIT NINE
+	{0x1E7E0, 0x1E7E6, prN},   // Lo     [7] ETHIOPIC SYLLABLE HHYA..ETHIOPIC SYLLABLE HHYO
+	{0x1E7E8, 0x1E7EB, prN},   // Lo     [4] ETHIOPIC SYLLABLE GURAGE HHWA..ETHIOPIC SYLLABLE HHWE
+	{0x1E7ED, 0x1E7EE, prN},   // Lo     [2] ETHIOPIC SYLLABLE GURAGE MWI..ETHIOPIC SYLLABLE GURAGE MWEE
+	{0x1E7F0, 0x1E7FE, prN},   // Lo    [15] ETHIOPIC SYLLABLE GURAGE QWI..ETHIOPIC SYLLABLE GURAGE PWEE
+	{0x1E800, 0x1E8C4, prN},   // Lo   [197] MENDE KIKAKUI SYLLABLE M001 KI..MENDE KIKAKUI SYLLABLE M060 NYON
+	{0x1E8C7, 0x1E8CF, prN},   // No     [9] MENDE KIKAKUI DIGIT ONE..MENDE KIKAKUI DIGIT NINE
+	{0x1E8D0, 0x1E8D6, prN},   // Mn     [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS
+	{0x1E900, 0x1E943, prN},   // L&    [68] ADLAM CAPITAL LETTER ALIF..ADLAM SMALL LETTER SHA
+	{0x1E944, 0x1E94A, prN},   // Mn     [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA
+	{0x1E94B, 0x1E94B, prN},   // Lm         ADLAM NASALIZATION MARK
+	{0x1E950, 0x1E959, prN},   // Nd    [10] ADLAM DIGIT ZERO..ADLAM DIGIT NINE
+	{0x1E95E, 0x1E95F, prN},   // Po     [2] ADLAM INITIAL EXCLAMATION MARK..ADLAM INITIAL QUESTION MARK
+	{0x1EC71, 0x1ECAB, prN},   // No    [59] INDIC SIYAQ NUMBER ONE..INDIC SIYAQ NUMBER PREFIXED NINE
+	{0x1ECAC, 0x1ECAC, prN},   // So         INDIC SIYAQ PLACEHOLDER
+	{0x1ECAD, 0x1ECAF, prN},   // No     [3] INDIC SIYAQ FRACTION ONE QUARTER..INDIC SIYAQ FRACTION THREE QUARTERS
+	{0x1ECB0, 0x1ECB0, prN},   // Sc         INDIC SIYAQ RUPEE MARK
+	{0x1ECB1, 0x1ECB4, prN},   // No     [4] INDIC SIYAQ NUMBER ALTERNATE ONE..INDIC SIYAQ ALTERNATE LAKH MARK
+	{0x1ED01, 0x1ED2D, prN},   // No    [45] OTTOMAN SIYAQ NUMBER ONE..OTTOMAN SIYAQ NUMBER NINETY THOUSAND
+	{0x1ED2E, 0x1ED2E, prN},   // So         OTTOMAN SIYAQ MARRATAN
+	{0x1ED2F, 0x1ED3D, prN},   // No    [15] OTTOMAN SIYAQ ALTERNATE NUMBER TWO..OTTOMAN SIYAQ FRACTION ONE SIXTH
+	{0x1EE00, 0x1EE03, prN},   // Lo     [4] ARABIC MATHEMATICAL ALEF..ARABIC MATHEMATICAL DAL
+	{0x1EE05, 0x1EE1F, prN},   // Lo    [27] ARABIC MATHEMATICAL WAW..ARABIC MATHEMATICAL DOTLESS QAF
+	{0x1EE21, 0x1EE22, prN},   // Lo     [2] ARABIC MATHEMATICAL INITIAL BEH..ARABIC MATHEMATICAL INITIAL JEEM
+	{0x1EE24, 0x1EE24, prN},   // Lo         ARABIC MATHEMATICAL INITIAL HEH
+	{0x1EE27, 0x1EE27, prN},   // Lo         ARABIC MATHEMATICAL INITIAL HAH
+	{0x1EE29, 0x1EE32, prN},   // Lo    [10] ARABIC MATHEMATICAL INITIAL YEH..ARABIC MATHEMATICAL INITIAL QAF
+	{0x1EE34, 0x1EE37, prN},   // Lo     [4] ARABIC MATHEMATICAL INITIAL SHEEN..ARABIC MATHEMATICAL INITIAL KHAH
+	{0x1EE39, 0x1EE39, prN},   // Lo         ARABIC MATHEMATICAL INITIAL DAD
+	{0x1EE3B, 0x1EE3B, prN},   // Lo         ARABIC MATHEMATICAL INITIAL GHAIN
+	{0x1EE42, 0x1EE42, prN},   // Lo         ARABIC MATHEMATICAL TAILED JEEM
+	{0x1EE47, 0x1EE47, prN},   // Lo         ARABIC MATHEMATICAL TAILED HAH
+	{0x1EE49, 0x1EE49, prN},   // Lo         ARABIC MATHEMATICAL TAILED YEH
+	{0x1EE4B, 0x1EE4B, prN},   // Lo         ARABIC MATHEMATICAL TAILED LAM
+	{0x1EE4D, 0x1EE4F, prN},   // Lo     [3] ARABIC MATHEMATICAL TAILED NOON..ARABIC MATHEMATICAL TAILED AIN
+	{0x1EE51, 0x1EE52, prN},   // Lo     [2] ARABIC MATHEMATICAL TAILED SAD..ARABIC MATHEMATICAL TAILED QAF
+	{0x1EE54, 0x1EE54, prN},   // Lo         ARABIC MATHEMATICAL TAILED SHEEN
+	{0x1EE57, 0x1EE57, prN},   // Lo         ARABIC MATHEMATICAL TAILED KHAH
+	{0x1EE59, 0x1EE59, prN},   // Lo         ARABIC MATHEMATICAL TAILED DAD
+	{0x1EE5B, 0x1EE5B, prN},   // Lo         ARABIC MATHEMATICAL TAILED GHAIN
+	{0x1EE5D, 0x1EE5D, prN},   // Lo         ARABIC MATHEMATICAL TAILED DOTLESS NOON
+	{0x1EE5F, 0x1EE5F, prN},   // Lo         ARABIC MATHEMATICAL TAILED DOTLESS QAF
+	{0x1EE61, 0x1EE62, prN},   // Lo     [2] ARABIC MATHEMATICAL STRETCHED BEH..ARABIC MATHEMATICAL STRETCHED JEEM
+	{0x1EE64, 0x1EE64, prN},   // Lo         ARABIC MATHEMATICAL STRETCHED HEH
+	{0x1EE67, 0x1EE6A, prN},   // Lo     [4] ARABIC MATHEMATICAL STRETCHED HAH..ARABIC MATHEMATICAL STRETCHED KAF
+	{0x1EE6C, 0x1EE72, prN},   // Lo     [7] ARABIC MATHEMATICAL STRETCHED MEEM..ARABIC MATHEMATICAL STRETCHED QAF
+	{0x1EE74, 0x1EE77, prN},   // Lo     [4] ARABIC MATHEMATICAL STRETCHED SHEEN..ARABIC MATHEMATICAL STRETCHED KHAH
+	{0x1EE79, 0x1EE7C, prN},   // Lo     [4] ARABIC MATHEMATICAL STRETCHED DAD..ARABIC MATHEMATICAL STRETCHED DOTLESS BEH
+	{0x1EE7E, 0x1EE7E, prN},   // Lo         ARABIC MATHEMATICAL STRETCHED DOTLESS FEH
+	{0x1EE80, 0x1EE89, prN},   // Lo    [10] ARABIC MATHEMATICAL LOOPED ALEF..ARABIC MATHEMATICAL LOOPED YEH
+	{0x1EE8B, 0x1EE9B, prN},   // Lo    [17] ARABIC MATHEMATICAL LOOPED LAM..ARABIC MATHEMATICAL LOOPED GHAIN
+	{0x1EEA1, 0x1EEA3, prN},   // Lo     [3] ARABIC MATHEMATICAL DOUBLE-STRUCK BEH..ARABIC MATHEMATICAL DOUBLE-STRUCK DAL
+	{0x1EEA5, 0x1EEA9, prN},   // Lo     [5] ARABIC MATHEMATICAL DOUBLE-STRUCK WAW..ARABIC MATHEMATICAL DOUBLE-STRUCK YEH
+	{0x1EEAB, 0x1EEBB, prN},   // Lo    [17] ARABIC MATHEMATICAL DOUBLE-STRUCK LAM..ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN
+	{0x1EEF0, 0x1EEF1, prN},   // Sm     [2] ARABIC MATHEMATICAL OPERATOR MEEM WITH HAH WITH TATWEEL..ARABIC MATHEMATICAL OPERATOR HAH WITH DAL
+	{0x1F000, 0x1F003, prN},   // So     [4] MAHJONG TILE EAST WIND..MAHJONG TILE NORTH WIND
+	{0x1F004, 0x1F004, prW},   // So         MAHJONG TILE RED DRAGON
+	{0x1F005, 0x1F02B, prN},   // So    [39] MAHJONG TILE GREEN DRAGON..MAHJONG TILE BACK
+	{0x1F030, 0x1F093, prN},   // So   [100] DOMINO TILE HORIZONTAL BACK..DOMINO TILE VERTICAL-06-06
+	{0x1F0A0, 0x1F0AE, prN},   // So    [15] PLAYING CARD BACK..PLAYING CARD KING OF SPADES
+	{0x1F0B1, 0x1F0BF, prN},   // So    [15] PLAYING CARD ACE OF HEARTS..PLAYING CARD RED JOKER
+	{0x1F0C1, 0x1F0CE, prN},   // So    [14] PLAYING CARD ACE OF DIAMONDS..PLAYING CARD KING OF DIAMONDS
+	{0x1F0CF, 0x1F0CF, prW},   // So         PLAYING CARD BLACK JOKER
+	{0x1F0D1, 0x1F0F5, prN},   // So    [37] PLAYING CARD ACE OF CLUBS..PLAYING CARD TRUMP-21
+	{0x1F100, 0x1F10A, prA},   // No    [11] DIGIT ZERO FULL STOP..DIGIT NINE COMMA
+	{0x1F10B, 0x1F10C, prN},   // No     [2] DINGBAT CIRCLED SANS-SERIF DIGIT ZERO..DINGBAT NEGATIVE CIRCLED SANS-SERIF DIGIT ZERO
+	{0x1F10D, 0x1F10F, prN},   // So     [3] CIRCLED ZERO WITH SLASH..CIRCLED DOLLAR SIGN WITH OVERLAID BACKSLASH
+	{0x1F110, 0x1F12D, prA},   // So    [30] PARENTHESIZED LATIN CAPITAL LETTER A..CIRCLED CD
+	{0x1F12E, 0x1F12F, prN},   // So     [2] CIRCLED WZ..COPYLEFT SYMBOL
+	{0x1F130, 0x1F169, prA},   // So    [58] SQUARED LATIN CAPITAL LETTER A..NEGATIVE CIRCLED LATIN CAPITAL LETTER Z
+	{0x1F16A, 0x1F16F, prN},   // So     [6] RAISED MC SIGN..CIRCLED HUMAN FIGURE
+	{0x1F170, 0x1F18D, prA},   // So    [30] NEGATIVE SQUARED LATIN CAPITAL LETTER A..NEGATIVE SQUARED SA
+	{0x1F18E, 0x1F18E, prW},   // So         NEGATIVE SQUARED AB
+	{0x1F18F, 0x1F190, prA},   // So     [2] NEGATIVE SQUARED WC..SQUARE DJ
+	{0x1F191, 0x1F19A, prW},   // So    [10] SQUARED CL..SQUARED VS
+	{0x1F19B, 0x1F1AC, prA},   // So    [18] SQUARED THREE D..SQUARED VOD
+	{0x1F1AD, 0x1F1AD, prN},   // So         MASK WORK SYMBOL
+	{0x1F1E6, 0x1F1FF, prN},   // So    [26] REGIONAL INDICATOR SYMBOL LETTER A..REGIONAL INDICATOR SYMBOL LETTER Z
+	{0x1F200, 0x1F202, prW},   // So     [3] SQUARE HIRAGANA HOKA..SQUARED KATAKANA SA
+	{0x1F210, 0x1F23B, prW},   // So    [44] SQUARED CJK UNIFIED IDEOGRAPH-624B..SQUARED CJK UNIFIED IDEOGRAPH-914D
+	{0x1F240, 0x1F248, prW},   // So     [9] TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-672C..TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-6557
+	{0x1F250, 0x1F251, prW},   // So     [2] CIRCLED IDEOGRAPH ADVANTAGE..CIRCLED IDEOGRAPH ACCEPT
+	{0x1F260, 0x1F265, prW},   // So     [6] ROUNDED SYMBOL FOR FU..ROUNDED SYMBOL FOR CAI
+	{0x1F300, 0x1F320, prW},   // So    [33] CYCLONE..SHOOTING STAR
+	{0x1F321, 0x1F32C, prN},   // So    [12] THERMOMETER..WIND BLOWING FACE
+	{0x1F32D, 0x1F335, prW},   // So     [9] HOT DOG..CACTUS
+	{0x1F336, 0x1F336, prN},   // So         HOT PEPPER
+	{0x1F337, 0x1F37C, prW},   // So    [70] TULIP..BABY BOTTLE
+	{0x1F37D, 0x1F37D, prN},   // So         FORK AND KNIFE WITH PLATE
+	{0x1F37E, 0x1F393, prW},   // So    [22] BOTTLE WITH POPPING CORK..GRADUATION CAP
+	{0x1F394, 0x1F39F, prN},   // So    [12] HEART WITH TIP ON THE LEFT..ADMISSION TICKETS
+	{0x1F3A0, 0x1F3CA, prW},   // So    [43] CAROUSEL HORSE..SWIMMER
+	{0x1F3CB, 0x1F3CE, prN},   // So     [4] WEIGHT LIFTER..RACING CAR
+	{0x1F3CF, 0x1F3D3, prW},   // So     [5] CRICKET BAT AND BALL..TABLE TENNIS PADDLE AND BALL
+	{0x1F3D4, 0x1F3DF, prN},   // So    [12] SNOW CAPPED MOUNTAIN..STADIUM
+	{0x1F3E0, 0x1F3F0, prW},   // So    [17] HOUSE BUILDING..EUROPEAN CASTLE
+	{0x1F3F1, 0x1F3F3, prN},   // So     [3] WHITE PENNANT..WAVING WHITE FLAG
+	{0x1F3F4, 0x1F3F4, prW},   // So         WAVING BLACK FLAG
+	{0x1F3F5, 0x1F3F7, prN},   // So     [3] ROSETTE..LABEL
+	{0x1F3F8, 0x1F3FA, prW},   // So     [3] BADMINTON RACQUET AND SHUTTLECOCK..AMPHORA
+	{0x1F3FB, 0x1F3FF, prW},   // Sk     [5] EMOJI MODIFIER FITZPATRICK TYPE-1-2..EMOJI MODIFIER FITZPATRICK TYPE-6
+	{0x1F400, 0x1F43E, prW},   // So    [63] RAT..PAW PRINTS
+	{0x1F43F, 0x1F43F, prN},   // So         CHIPMUNK
+	{0x1F440, 0x1F440, prW},   // So         EYES
+	{0x1F441, 0x1F441, prN},   // So         EYE
+	{0x1F442, 0x1F4FC, prW},   // So   [187] EAR..VIDEOCASSETTE
+	{0x1F4FD, 0x1F4FE, prN},   // So     [2] FILM PROJECTOR..PORTABLE STEREO
+	{0x1F4FF, 0x1F53D, prW},   // So    [63] PRAYER BEADS..DOWN-POINTING SMALL RED TRIANGLE
+	{0x1F53E, 0x1F54A, prN},   // So    [13] LOWER RIGHT SHADOWED WHITE CIRCLE..DOVE OF PEACE
+	{0x1F54B, 0x1F54E, prW},   // So     [4] KAABA..MENORAH WITH NINE BRANCHES
+	{0x1F54F, 0x1F54F, prN},   // So         BOWL OF HYGIEIA
+	{0x1F550, 0x1F567, prW},   // So    [24] CLOCK FACE ONE OCLOCK..CLOCK FACE TWELVE-THIRTY
+	{0x1F568, 0x1F579, prN},   // So    [18] RIGHT SPEAKER..JOYSTICK
+	{0x1F57A, 0x1F57A, prW},   // So         MAN DANCING
+	{0x1F57B, 0x1F594, prN},   // So    [26] LEFT HAND TELEPHONE RECEIVER..REVERSED VICTORY HAND
+	{0x1F595, 0x1F596, prW},   // So     [2] REVERSED HAND WITH MIDDLE FINGER EXTENDED..RAISED HAND WITH PART BETWEEN MIDDLE AND RING FINGERS
+	{0x1F597, 0x1F5A3, prN},   // So    [13] WHITE DOWN POINTING LEFT HAND INDEX..BLACK DOWN POINTING BACKHAND INDEX
+	{0x1F5A4, 0x1F5A4, prW},   // So         BLACK HEART
+	{0x1F5A5, 0x1F5FA, prN},   // So    [86] DESKTOP COMPUTER..WORLD MAP
+	{0x1F5FB, 0x1F5FF, prW},   // So     [5] MOUNT FUJI..MOYAI
+	{0x1F600, 0x1F64F, prW},   // So    [80] GRINNING FACE..PERSON WITH FOLDED HANDS
+	{0x1F650, 0x1F67F, prN},   // So    [48] NORTH WEST POINTING LEAF..REVERSE CHECKER BOARD
+	{0x1F680, 0x1F6C5, prW},   // So    [70] ROCKET..LEFT LUGGAGE
+	{0x1F6C6, 0x1F6CB, prN},   // So     [6] TRIANGLE WITH ROUNDED CORNERS..COUCH AND LAMP
+	{0x1F6CC, 0x1F6CC, prW},   // So         SLEEPING ACCOMMODATION
+	{0x1F6CD, 0x1F6CF, prN},   // So     [3] SHOPPING BAGS..BED
+	{0x1F6D0, 0x1F6D2, prW},   // So     [3] PLACE OF WORSHIP..SHOPPING TROLLEY
+	{0x1F6D3, 0x1F6D4, prN},   // So     [2] STUPA..PAGODA
+	{0x1F6D5, 0x1F6D7, prW},   // So     [3] HINDU TEMPLE..ELEVATOR
+	{0x1F6DC, 0x1F6DF, prW},   // So     [4] WIRELESS..RING BUOY
+	{0x1F6E0, 0x1F6EA, prN},   // So    [11] HAMMER AND WRENCH..NORTHEAST-POINTING AIRPLANE
+	{0x1F6EB, 0x1F6EC, prW},   // So     [2] AIRPLANE DEPARTURE..AIRPLANE ARRIVING
+	{0x1F6F0, 0x1F6F3, prN},   // So     [4] SATELLITE..PASSENGER SHIP
+	{0x1F6F4, 0x1F6FC, prW},   // So     [9] SCOOTER..ROLLER SKATE
+	{0x1F700, 0x1F776, prN},   // So   [119] ALCHEMICAL SYMBOL FOR QUINTESSENCE..LUNAR ECLIPSE
+	{0x1F77B, 0x1F77F, prN},   // So     [5] HAUMEA..ORCUS
+	{0x1F780, 0x1F7D9, prN},   // So    [90] BLACK LEFT-POINTING ISOSCELES RIGHT TRIANGLE..NINE POINTED WHITE STAR
+	{0x1F7E0, 0x1F7EB, prW},   // So    [12] LARGE ORANGE CIRCLE..LARGE BROWN SQUARE
+	{0x1F7F0, 0x1F7F0, prW},   // So         HEAVY EQUALS SIGN
+	{0x1F800, 0x1F80B, prN},   // So    [12] LEFTWARDS ARROW WITH SMALL TRIANGLE ARROWHEAD..DOWNWARDS ARROW WITH LARGE TRIANGLE ARROWHEAD
+	{0x1F810, 0x1F847, prN},   // So    [56] LEFTWARDS ARROW WITH SMALL EQUILATERAL ARROWHEAD..DOWNWARDS HEAVY ARROW
+	{0x1F850, 0x1F859, prN},   // So    [10] LEFTWARDS SANS-SERIF ARROW..UP DOWN SANS-SERIF ARROW
+	{0x1F860, 0x1F887, prN},   // So    [40] WIDE-HEADED LEFTWARDS LIGHT BARB ARROW..WIDE-HEADED SOUTH WEST VERY HEAVY BARB ARROW
+	{0x1F890, 0x1F8AD, prN},   // So    [30] LEFTWARDS TRIANGLE ARROWHEAD..WHITE ARROW SHAFT WIDTH TWO THIRDS
+	{0x1F8B0, 0x1F8B1, prN},   // So     [2] ARROW POINTING UPWARDS THEN NORTH WEST..ARROW POINTING RIGHTWARDS THEN CURVING SOUTH WEST
+	{0x1F900, 0x1F90B, prN},   // So    [12] CIRCLED CROSS FORMEE WITH FOUR DOTS..DOWNWARD FACING NOTCHED HOOK WITH DOT
+	{0x1F90C, 0x1F93A, prW},   // So    [47] PINCHED FINGERS..FENCER
+	{0x1F93B, 0x1F93B, prN},   // So         MODERN PENTATHLON
+	{0x1F93C, 0x1F945, prW},   // So    [10] WRESTLERS..GOAL NET
+	{0x1F946, 0x1F946, prN},   // So         RIFLE
+	{0x1F947, 0x1F9FF, prW},   // So   [185] FIRST PLACE MEDAL..NAZAR AMULET
+	{0x1FA00, 0x1FA53, prN},   // So    [84] NEUTRAL CHESS KING..BLACK CHESS KNIGHT-BISHOP
+	{0x1FA60, 0x1FA6D, prN},   // So    [14] XIANGQI RED GENERAL..XIANGQI BLACK SOLDIER
+	{0x1FA70, 0x1FA7C, prW},   // So    [13] BALLET SHOES..CRUTCH
+	{0x1FA80, 0x1FA88, prW},   // So     [9] YO-YO..FLUTE
+	{0x1FA90, 0x1FABD, prW},   // So    [46] RINGED PLANET..WING
+	{0x1FABF, 0x1FAC5, prW},   // So     [7] GOOSE..PERSON WITH CROWN
+	{0x1FACE, 0x1FADB, prW},   // So    [14] MOOSE..PEA POD
+	{0x1FAE0, 0x1FAE8, prW},   // So     [9] MELTING FACE..SHAKING FACE
+	{0x1FAF0, 0x1FAF8, prW},   // So     [9] HAND WITH INDEX FINGER AND THUMB CROSSED..RIGHTWARDS PUSHING HAND
+	{0x1FB00, 0x1FB92, prN},   // So   [147] BLOCK SEXTANT-1..UPPER HALF INVERSE MEDIUM SHADE AND LOWER HALF BLOCK
+	{0x1FB94, 0x1FBCA, prN},   // So    [55] LEFT HALF INVERSE MEDIUM SHADE AND RIGHT HALF BLOCK..WHITE UP-POINTING CHEVRON
+	{0x1FBF0, 0x1FBF9, prN},   // Nd    [10] SEGMENTED DIGIT ZERO..SEGMENTED DIGIT NINE
+	{0x20000, 0x2A6DF, prW},   // Lo [42720] CJK UNIFIED IDEOGRAPH-20000..CJK UNIFIED IDEOGRAPH-2A6DF
+	{0x2A6E0, 0x2A6FF, prW},   // Cn    [32] <reserved-2A6E0>..<reserved-2A6FF>
+	{0x2A700, 0x2B739, prW},   // Lo  [4154] CJK UNIFIED IDEOGRAPH-2A700..CJK UNIFIED IDEOGRAPH-2B739
+	{0x2B73A, 0x2B73F, prW},   // Cn     [6] <reserved-2B73A>..<reserved-2B73F>
+	{0x2B740, 0x2B81D, prW},   // Lo   [222] CJK UNIFIED IDEOGRAPH-2B740..CJK UNIFIED IDEOGRAPH-2B81D
+	{0x2B81E, 0x2B81F, prW},   // Cn     [2] <reserved-2B81E>..<reserved-2B81F>
+	{0x2B820, 0x2CEA1, prW},   // Lo  [5762] CJK UNIFIED IDEOGRAPH-2B820..CJK UNIFIED IDEOGRAPH-2CEA1
+	{0x2CEA2, 0x2CEAF, prW},   // Cn    [14] <reserved-2CEA2>..<reserved-2CEAF>
+	{0x2CEB0, 0x2EBE0, prW},   // Lo  [7473] CJK UNIFIED IDEOGRAPH-2CEB0..CJK UNIFIED IDEOGRAPH-2EBE0
+	{0x2EBE1, 0x2F7FF, prW},   // Cn  [3103] <reserved-2EBE1>..<reserved-2F7FF>
+	{0x2F800, 0x2FA1D, prW},   // Lo   [542] CJK COMPATIBILITY IDEOGRAPH-2F800..CJK COMPATIBILITY IDEOGRAPH-2FA1D
+	{0x2FA1E, 0x2FA1F, prW},   // Cn     [2] <reserved-2FA1E>..<reserved-2FA1F>
+	{0x2FA20, 0x2FFFD, prW},   // Cn  [1502] <reserved-2FA20>..<reserved-2FFFD>
+	{0x30000, 0x3134A, prW},   // Lo  [4939] CJK UNIFIED IDEOGRAPH-30000..CJK UNIFIED IDEOGRAPH-3134A
+	{0x3134B, 0x3134F, prW},   // Cn     [5] <reserved-3134B>..<reserved-3134F>
+	{0x31350, 0x323AF, prW},   // Lo  [4192] CJK UNIFIED IDEOGRAPH-31350..CJK UNIFIED IDEOGRAPH-323AF
+	{0x323B0, 0x3FFFD, prW},   // Cn [56398] <reserved-323B0>..<reserved-3FFFD>
+	{0xE0001, 0xE0001, prN},   // Cf         LANGUAGE TAG
+	{0xE0020, 0xE007F, prN},   // Cf    [96] TAG SPACE..CANCEL TAG
+	{0xE0100, 0xE01EF, prA},   // Mn   [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256
+	{0xF0000, 0xFFFFD, prA},   // Co [65534] <private-use-F0000>..<private-use-FFFFD>
+	{0x100000, 0x10FFFD, prA}, // Co [65534] <private-use-100000>..<private-use-10FFFD>
+}
diff --git a/vendor/github.com/rivo/uniseg/emojipresentation.go b/vendor/github.com/rivo/uniseg/emojipresentation.go
new file mode 100644
index 0000000000..9b5f499c4a
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/emojipresentation.go
@@ -0,0 +1,295 @@
+// Code generated via go generate from gen_properties.go. DO NOT EDIT.
+
+package uniseg
+
+// emojiPresentation are taken from
+//
+// and
+// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt
+// ("Extended_Pictographic" only)
+// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode
+// license agreement.
+var emojiPresentation = [][3]int{
+	{0x231A, 0x231B, prEmojiPresentation},   // E0.6   [2] (⌚..⌛)    watch..hourglass done
+	{0x23E9, 0x23EC, prEmojiPresentation},   // E0.6   [4] (�..�)    fast-forward button..fast down button
+	{0x23F0, 0x23F0, prEmojiPresentation},   // E0.6   [1] (�)       alarm clock
+	{0x23F3, 0x23F3, prEmojiPresentation},   // E0.6   [1] (�)       hourglass not done
+	{0x25FD, 0x25FE, prEmojiPresentation},   // E0.6   [2] (â—½..â—¾)    white medium-small square..black medium-small square
+	{0x2614, 0x2615, prEmojiPresentation},   // E0.6   [2] (☔..☕)    umbrella with rain drops..hot beverage
+	{0x2648, 0x2653, prEmojiPresentation},   // E0.6  [12] (♈..♓)    Aries..Pisces
+	{0x267F, 0x267F, prEmojiPresentation},   // E0.6   [1] (♿)       wheelchair symbol
+	{0x2693, 0x2693, prEmojiPresentation},   // E0.6   [1] (âš“)       anchor
+	{0x26A1, 0x26A1, prEmojiPresentation},   // E0.6   [1] (âš¡)       high voltage
+	{0x26AA, 0x26AB, prEmojiPresentation},   // E0.6   [2] (⚪..⚫)    white circle..black circle
+	{0x26BD, 0x26BE, prEmojiPresentation},   // E0.6   [2] (âš½..âš¾)    soccer ball..baseball
+	{0x26C4, 0x26C5, prEmojiPresentation},   // E0.6   [2] (⛄..⛅)    snowman without snow..sun behind cloud
+	{0x26CE, 0x26CE, prEmojiPresentation},   // E0.6   [1] (⛎)       Ophiuchus
+	{0x26D4, 0x26D4, prEmojiPresentation},   // E0.6   [1] (â›”)       no entry
+	{0x26EA, 0x26EA, prEmojiPresentation},   // E0.6   [1] (⛪)       church
+	{0x26F2, 0x26F3, prEmojiPresentation},   // E0.6   [2] (⛲..⛳)    fountain..flag in hole
+	{0x26F5, 0x26F5, prEmojiPresentation},   // E0.6   [1] (⛵)       sailboat
+	{0x26FA, 0x26FA, prEmojiPresentation},   // E0.6   [1] (⛺)       tent
+	{0x26FD, 0x26FD, prEmojiPresentation},   // E0.6   [1] (⛽)       fuel pump
+	{0x2705, 0x2705, prEmojiPresentation},   // E0.6   [1] (✅)       check mark button
+	{0x270A, 0x270B, prEmojiPresentation},   // E0.6   [2] (✊..✋)    raised fist..raised hand
+	{0x2728, 0x2728, prEmojiPresentation},   // E0.6   [1] (✨)       sparkles
+	{0x274C, 0x274C, prEmojiPresentation},   // E0.6   [1] (�)       cross mark
+	{0x274E, 0x274E, prEmojiPresentation},   // E0.6   [1] (�)       cross mark button
+	{0x2753, 0x2755, prEmojiPresentation},   // E0.6   [3] (�..�)    red question mark..white exclamation mark
+	{0x2757, 0x2757, prEmojiPresentation},   // E0.6   [1] (�)       red exclamation mark
+	{0x2795, 0x2797, prEmojiPresentation},   // E0.6   [3] (âž•..âž—)    plus..divide
+	{0x27B0, 0x27B0, prEmojiPresentation},   // E0.6   [1] (âž°)       curly loop
+	{0x27BF, 0x27BF, prEmojiPresentation},   // E1.0   [1] (âž¿)       double curly loop
+	{0x2B1B, 0x2B1C, prEmojiPresentation},   // E0.6   [2] (⬛..⬜)    black large square..white large square
+	{0x2B50, 0x2B50, prEmojiPresentation},   // E0.6   [1] (â­�)       star
+	{0x2B55, 0x2B55, prEmojiPresentation},   // E0.6   [1] (â­•)       hollow red circle
+	{0x1F004, 0x1F004, prEmojiPresentation}, // E0.6   [1] (🀄)       mahjong red dragon
+	{0x1F0CF, 0x1F0CF, prEmojiPresentation}, // E0.6   [1] (�)       joker
+	{0x1F18E, 0x1F18E, prEmojiPresentation}, // E0.6   [1] (🆎)       AB button (blood type)
+	{0x1F191, 0x1F19A, prEmojiPresentation}, // E0.6  [10] (🆑..🆚)    CL button..VS button
+	{0x1F1E6, 0x1F1FF, prEmojiPresentation}, // E0.0  [26] (🇦..🇿)    regional indicator symbol letter a..regional indicator symbol letter z
+	{0x1F201, 0x1F201, prEmojiPresentation}, // E0.6   [1] (�)       Japanese “here� button
+	{0x1F21A, 0x1F21A, prEmojiPresentation}, // E0.6   [1] (🈚)       Japanese “free of charge� button
+	{0x1F22F, 0x1F22F, prEmojiPresentation}, // E0.6   [1] (🈯)       Japanese “reserved� button
+	{0x1F232, 0x1F236, prEmojiPresentation}, // E0.6   [5] (🈲..🈶)    Japanese “prohibited� button..Japanese “not free of charge� button
+	{0x1F238, 0x1F23A, prEmojiPresentation}, // E0.6   [3] (🈸..🈺)    Japanese “application� button..Japanese “open for business� button
+	{0x1F250, 0x1F251, prEmojiPresentation}, // E0.6   [2] (�..🉑)    Japanese “bargain� button..Japanese “acceptable� button
+	{0x1F300, 0x1F30C, prEmojiPresentation}, // E0.6  [13] (🌀..🌌)    cyclone..milky way
+	{0x1F30D, 0x1F30E, prEmojiPresentation}, // E0.7   [2] (�..🌎)    globe showing Europe-Africa..globe showing Americas
+	{0x1F30F, 0x1F30F, prEmojiPresentation}, // E0.6   [1] (�)       globe showing Asia-Australia
+	{0x1F310, 0x1F310, prEmojiPresentation}, // E1.0   [1] (�)       globe with meridians
+	{0x1F311, 0x1F311, prEmojiPresentation}, // E0.6   [1] (🌑)       new moon
+	{0x1F312, 0x1F312, prEmojiPresentation}, // E1.0   [1] (🌒)       waxing crescent moon
+	{0x1F313, 0x1F315, prEmojiPresentation}, // E0.6   [3] (🌓..🌕)    first quarter moon..full moon
+	{0x1F316, 0x1F318, prEmojiPresentation}, // E1.0   [3] (🌖..🌘)    waning gibbous moon..waning crescent moon
+	{0x1F319, 0x1F319, prEmojiPresentation}, // E0.6   [1] (🌙)       crescent moon
+	{0x1F31A, 0x1F31A, prEmojiPresentation}, // E1.0   [1] (🌚)       new moon face
+	{0x1F31B, 0x1F31B, prEmojiPresentation}, // E0.6   [1] (🌛)       first quarter moon face
+	{0x1F31C, 0x1F31C, prEmojiPresentation}, // E0.7   [1] (🌜)       last quarter moon face
+	{0x1F31D, 0x1F31E, prEmojiPresentation}, // E1.0   [2] (�..🌞)    full moon face..sun with face
+	{0x1F31F, 0x1F320, prEmojiPresentation}, // E0.6   [2] (🌟..🌠)    glowing star..shooting star
+	{0x1F32D, 0x1F32F, prEmojiPresentation}, // E1.0   [3] (🌭..🌯)    hot dog..burrito
+	{0x1F330, 0x1F331, prEmojiPresentation}, // E0.6   [2] (🌰..🌱)    chestnut..seedling
+	{0x1F332, 0x1F333, prEmojiPresentation}, // E1.0   [2] (🌲..🌳)    evergreen tree..deciduous tree
+	{0x1F334, 0x1F335, prEmojiPresentation}, // E0.6   [2] (🌴..🌵)    palm tree..cactus
+	{0x1F337, 0x1F34A, prEmojiPresentation}, // E0.6  [20] (🌷..�)    tulip..tangerine
+	{0x1F34B, 0x1F34B, prEmojiPresentation}, // E1.0   [1] (�)       lemon
+	{0x1F34C, 0x1F34F, prEmojiPresentation}, // E0.6   [4] (�..�)    banana..green apple
+	{0x1F350, 0x1F350, prEmojiPresentation}, // E1.0   [1] (�)       pear
+	{0x1F351, 0x1F37B, prEmojiPresentation}, // E0.6  [43] (�..�)    peach..clinking beer mugs
+	{0x1F37C, 0x1F37C, prEmojiPresentation}, // E1.0   [1] (�)       baby bottle
+	{0x1F37E, 0x1F37F, prEmojiPresentation}, // E1.0   [2] (�..�)    bottle with popping cork..popcorn
+	{0x1F380, 0x1F393, prEmojiPresentation}, // E0.6  [20] (🎀..🎓)    ribbon..graduation cap
+	{0x1F3A0, 0x1F3C4, prEmojiPresentation}, // E0.6  [37] (🎠..�)    carousel horse..person surfing
+	{0x1F3C5, 0x1F3C5, prEmojiPresentation}, // E1.0   [1] (�)       sports medal
+	{0x1F3C6, 0x1F3C6, prEmojiPresentation}, // E0.6   [1] (�)       trophy
+	{0x1F3C7, 0x1F3C7, prEmojiPresentation}, // E1.0   [1] (�)       horse racing
+	{0x1F3C8, 0x1F3C8, prEmojiPresentation}, // E0.6   [1] (�)       american football
+	{0x1F3C9, 0x1F3C9, prEmojiPresentation}, // E1.0   [1] (�)       rugby football
+	{0x1F3CA, 0x1F3CA, prEmojiPresentation}, // E0.6   [1] (�)       person swimming
+	{0x1F3CF, 0x1F3D3, prEmojiPresentation}, // E1.0   [5] (�..�)    cricket game..ping pong
+	{0x1F3E0, 0x1F3E3, prEmojiPresentation}, // E0.6   [4] (�..�)    house..Japanese post office
+	{0x1F3E4, 0x1F3E4, prEmojiPresentation}, // E1.0   [1] (�)       post office
+	{0x1F3E5, 0x1F3F0, prEmojiPresentation}, // E0.6  [12] (�..�)    hospital..castle
+	{0x1F3F4, 0x1F3F4, prEmojiPresentation}, // E1.0   [1] (�)       black flag
+	{0x1F3F8, 0x1F407, prEmojiPresentation}, // E1.0  [16] (�..�)    badminton..rabbit
+	{0x1F408, 0x1F408, prEmojiPresentation}, // E0.7   [1] (�)       cat
+	{0x1F409, 0x1F40B, prEmojiPresentation}, // E1.0   [3] (�..�)    dragon..whale
+	{0x1F40C, 0x1F40E, prEmojiPresentation}, // E0.6   [3] (�..�)    snail..horse
+	{0x1F40F, 0x1F410, prEmojiPresentation}, // E1.0   [2] (�..�)    ram..goat
+	{0x1F411, 0x1F412, prEmojiPresentation}, // E0.6   [2] (�..�)    ewe..monkey
+	{0x1F413, 0x1F413, prEmojiPresentation}, // E1.0   [1] (�)       rooster
+	{0x1F414, 0x1F414, prEmojiPresentation}, // E0.6   [1] (�)       chicken
+	{0x1F415, 0x1F415, prEmojiPresentation}, // E0.7   [1] (�)       dog
+	{0x1F416, 0x1F416, prEmojiPresentation}, // E1.0   [1] (�)       pig
+	{0x1F417, 0x1F429, prEmojiPresentation}, // E0.6  [19] (�..�)    boar..poodle
+	{0x1F42A, 0x1F42A, prEmojiPresentation}, // E1.0   [1] (�)       camel
+	{0x1F42B, 0x1F43E, prEmojiPresentation}, // E0.6  [20] (�..�)    two-hump camel..paw prints
+	{0x1F440, 0x1F440, prEmojiPresentation}, // E0.6   [1] (👀)       eyes
+	{0x1F442, 0x1F464, prEmojiPresentation}, // E0.6  [35] (👂..👤)    ear..bust in silhouette
+	{0x1F465, 0x1F465, prEmojiPresentation}, // E1.0   [1] (👥)       busts in silhouette
+	{0x1F466, 0x1F46B, prEmojiPresentation}, // E0.6   [6] (👦..👫)    boy..woman and man holding hands
+	{0x1F46C, 0x1F46D, prEmojiPresentation}, // E1.0   [2] (👬..👭)    men holding hands..women holding hands
+	{0x1F46E, 0x1F4AC, prEmojiPresentation}, // E0.6  [63] (👮..💬)    police officer..speech balloon
+	{0x1F4AD, 0x1F4AD, prEmojiPresentation}, // E1.0   [1] (💭)       thought balloon
+	{0x1F4AE, 0x1F4B5, prEmojiPresentation}, // E0.6   [8] (💮..💵)    white flower..dollar banknote
+	{0x1F4B6, 0x1F4B7, prEmojiPresentation}, // E1.0   [2] (💶..💷)    euro banknote..pound banknote
+	{0x1F4B8, 0x1F4EB, prEmojiPresentation}, // E0.6  [52] (💸..📫)    money with wings..closed mailbox with raised flag
+	{0x1F4EC, 0x1F4ED, prEmojiPresentation}, // E0.7   [2] (📬..📭)    open mailbox with raised flag..open mailbox with lowered flag
+	{0x1F4EE, 0x1F4EE, prEmojiPresentation}, // E0.6   [1] (📮)       postbox
+	{0x1F4EF, 0x1F4EF, prEmojiPresentation}, // E1.0   [1] (📯)       postal horn
+	{0x1F4F0, 0x1F4F4, prEmojiPresentation}, // E0.6   [5] (📰..📴)    newspaper..mobile phone off
+	{0x1F4F5, 0x1F4F5, prEmojiPresentation}, // E1.0   [1] (📵)       no mobile phones
+	{0x1F4F6, 0x1F4F7, prEmojiPresentation}, // E0.6   [2] (📶..📷)    antenna bars..camera
+	{0x1F4F8, 0x1F4F8, prEmojiPresentation}, // E1.0   [1] (📸)       camera with flash
+	{0x1F4F9, 0x1F4FC, prEmojiPresentation}, // E0.6   [4] (📹..📼)    video camera..videocassette
+	{0x1F4FF, 0x1F502, prEmojiPresentation}, // E1.0   [4] (📿..🔂)    prayer beads..repeat single button
+	{0x1F503, 0x1F503, prEmojiPresentation}, // E0.6   [1] (🔃)       clockwise vertical arrows
+	{0x1F504, 0x1F507, prEmojiPresentation}, // E1.0   [4] (🔄..🔇)    counterclockwise arrows button..muted speaker
+	{0x1F508, 0x1F508, prEmojiPresentation}, // E0.7   [1] (🔈)       speaker low volume
+	{0x1F509, 0x1F509, prEmojiPresentation}, // E1.0   [1] (🔉)       speaker medium volume
+	{0x1F50A, 0x1F514, prEmojiPresentation}, // E0.6  [11] (🔊..🔔)    speaker high volume..bell
+	{0x1F515, 0x1F515, prEmojiPresentation}, // E1.0   [1] (🔕)       bell with slash
+	{0x1F516, 0x1F52B, prEmojiPresentation}, // E0.6  [22] (🔖..🔫)    bookmark..water pistol
+	{0x1F52C, 0x1F52D, prEmojiPresentation}, // E1.0   [2] (🔬..🔭)    microscope..telescope
+	{0x1F52E, 0x1F53D, prEmojiPresentation}, // E0.6  [16] (🔮..🔽)    crystal ball..downwards button
+	{0x1F54B, 0x1F54E, prEmojiPresentation}, // E1.0   [4] (🕋..🕎)    kaaba..menorah
+	{0x1F550, 0x1F55B, prEmojiPresentation}, // E0.6  [12] (�..🕛)    one o’clock..twelve o’clock
+	{0x1F55C, 0x1F567, prEmojiPresentation}, // E0.7  [12] (🕜..🕧)    one-thirty..twelve-thirty
+	{0x1F57A, 0x1F57A, prEmojiPresentation}, // E3.0   [1] (🕺)       man dancing
+	{0x1F595, 0x1F596, prEmojiPresentation}, // E1.0   [2] (🖕..🖖)    middle finger..vulcan salute
+	{0x1F5A4, 0x1F5A4, prEmojiPresentation}, // E3.0   [1] (🖤)       black heart
+	{0x1F5FB, 0x1F5FF, prEmojiPresentation}, // E0.6   [5] (🗻..🗿)    mount fuji..moai
+	{0x1F600, 0x1F600, prEmojiPresentation}, // E1.0   [1] (😀)       grinning face
+	{0x1F601, 0x1F606, prEmojiPresentation}, // E0.6   [6] (�..😆)    beaming face with smiling eyes..grinning squinting face
+	{0x1F607, 0x1F608, prEmojiPresentation}, // E1.0   [2] (😇..😈)    smiling face with halo..smiling face with horns
+	{0x1F609, 0x1F60D, prEmojiPresentation}, // E0.6   [5] (😉..�)    winking face..smiling face with heart-eyes
+	{0x1F60E, 0x1F60E, prEmojiPresentation}, // E1.0   [1] (😎)       smiling face with sunglasses
+	{0x1F60F, 0x1F60F, prEmojiPresentation}, // E0.6   [1] (�)       smirking face
+	{0x1F610, 0x1F610, prEmojiPresentation}, // E0.7   [1] (�)       neutral face
+	{0x1F611, 0x1F611, prEmojiPresentation}, // E1.0   [1] (😑)       expressionless face
+	{0x1F612, 0x1F614, prEmojiPresentation}, // E0.6   [3] (😒..😔)    unamused face..pensive face
+	{0x1F615, 0x1F615, prEmojiPresentation}, // E1.0   [1] (😕)       confused face
+	{0x1F616, 0x1F616, prEmojiPresentation}, // E0.6   [1] (😖)       confounded face
+	{0x1F617, 0x1F617, prEmojiPresentation}, // E1.0   [1] (😗)       kissing face
+	{0x1F618, 0x1F618, prEmojiPresentation}, // E0.6   [1] (😘)       face blowing a kiss
+	{0x1F619, 0x1F619, prEmojiPresentation}, // E1.0   [1] (😙)       kissing face with smiling eyes
+	{0x1F61A, 0x1F61A, prEmojiPresentation}, // E0.6   [1] (😚)       kissing face with closed eyes
+	{0x1F61B, 0x1F61B, prEmojiPresentation}, // E1.0   [1] (😛)       face with tongue
+	{0x1F61C, 0x1F61E, prEmojiPresentation}, // E0.6   [3] (😜..😞)    winking face with tongue..disappointed face
+	{0x1F61F, 0x1F61F, prEmojiPresentation}, // E1.0   [1] (😟)       worried face
+	{0x1F620, 0x1F625, prEmojiPresentation}, // E0.6   [6] (😠..😥)    angry face..sad but relieved face
+	{0x1F626, 0x1F627, prEmojiPresentation}, // E1.0   [2] (😦..😧)    frowning face with open mouth..anguished face
+	{0x1F628, 0x1F62B, prEmojiPresentation}, // E0.6   [4] (😨..😫)    fearful face..tired face
+	{0x1F62C, 0x1F62C, prEmojiPresentation}, // E1.0   [1] (😬)       grimacing face
+	{0x1F62D, 0x1F62D, prEmojiPresentation}, // E0.6   [1] (😭)       loudly crying face
+	{0x1F62E, 0x1F62F, prEmojiPresentation}, // E1.0   [2] (😮..😯)    face with open mouth..hushed face
+	{0x1F630, 0x1F633, prEmojiPresentation}, // E0.6   [4] (😰..😳)    anxious face with sweat..flushed face
+	{0x1F634, 0x1F634, prEmojiPresentation}, // E1.0   [1] (😴)       sleeping face
+	{0x1F635, 0x1F635, prEmojiPresentation}, // E0.6   [1] (😵)       face with crossed-out eyes
+	{0x1F636, 0x1F636, prEmojiPresentation}, // E1.0   [1] (😶)       face without mouth
+	{0x1F637, 0x1F640, prEmojiPresentation}, // E0.6  [10] (😷..🙀)    face with medical mask..weary cat
+	{0x1F641, 0x1F644, prEmojiPresentation}, // E1.0   [4] (�..🙄)    slightly frowning face..face with rolling eyes
+	{0x1F645, 0x1F64F, prEmojiPresentation}, // E0.6  [11] (🙅..�)    person gesturing NO..folded hands
+	{0x1F680, 0x1F680, prEmojiPresentation}, // E0.6   [1] (🚀)       rocket
+	{0x1F681, 0x1F682, prEmojiPresentation}, // E1.0   [2] (�..🚂)    helicopter..locomotive
+	{0x1F683, 0x1F685, prEmojiPresentation}, // E0.6   [3] (🚃..🚅)    railway car..bullet train
+	{0x1F686, 0x1F686, prEmojiPresentation}, // E1.0   [1] (🚆)       train
+	{0x1F687, 0x1F687, prEmojiPresentation}, // E0.6   [1] (🚇)       metro
+	{0x1F688, 0x1F688, prEmojiPresentation}, // E1.0   [1] (🚈)       light rail
+	{0x1F689, 0x1F689, prEmojiPresentation}, // E0.6   [1] (🚉)       station
+	{0x1F68A, 0x1F68B, prEmojiPresentation}, // E1.0   [2] (🚊..🚋)    tram..tram car
+	{0x1F68C, 0x1F68C, prEmojiPresentation}, // E0.6   [1] (🚌)       bus
+	{0x1F68D, 0x1F68D, prEmojiPresentation}, // E0.7   [1] (�)       oncoming bus
+	{0x1F68E, 0x1F68E, prEmojiPresentation}, // E1.0   [1] (🚎)       trolleybus
+	{0x1F68F, 0x1F68F, prEmojiPresentation}, // E0.6   [1] (�)       bus stop
+	{0x1F690, 0x1F690, prEmojiPresentation}, // E1.0   [1] (�)       minibus
+	{0x1F691, 0x1F693, prEmojiPresentation}, // E0.6   [3] (🚑..🚓)    ambulance..police car
+	{0x1F694, 0x1F694, prEmojiPresentation}, // E0.7   [1] (🚔)       oncoming police car
+	{0x1F695, 0x1F695, prEmojiPresentation}, // E0.6   [1] (🚕)       taxi
+	{0x1F696, 0x1F696, prEmojiPresentation}, // E1.0   [1] (🚖)       oncoming taxi
+	{0x1F697, 0x1F697, prEmojiPresentation}, // E0.6   [1] (🚗)       automobile
+	{0x1F698, 0x1F698, prEmojiPresentation}, // E0.7   [1] (🚘)       oncoming automobile
+	{0x1F699, 0x1F69A, prEmojiPresentation}, // E0.6   [2] (🚙..🚚)    sport utility vehicle..delivery truck
+	{0x1F69B, 0x1F6A1, prEmojiPresentation}, // E1.0   [7] (🚛..🚡)    articulated lorry..aerial tramway
+	{0x1F6A2, 0x1F6A2, prEmojiPresentation}, // E0.6   [1] (🚢)       ship
+	{0x1F6A3, 0x1F6A3, prEmojiPresentation}, // E1.0   [1] (🚣)       person rowing boat
+	{0x1F6A4, 0x1F6A5, prEmojiPresentation}, // E0.6   [2] (🚤..🚥)    speedboat..horizontal traffic light
+	{0x1F6A6, 0x1F6A6, prEmojiPresentation}, // E1.0   [1] (🚦)       vertical traffic light
+	{0x1F6A7, 0x1F6AD, prEmojiPresentation}, // E0.6   [7] (🚧..🚭)    construction..no smoking
+	{0x1F6AE, 0x1F6B1, prEmojiPresentation}, // E1.0   [4] (🚮..🚱)    litter in bin sign..non-potable water
+	{0x1F6B2, 0x1F6B2, prEmojiPresentation}, // E0.6   [1] (🚲)       bicycle
+	{0x1F6B3, 0x1F6B5, prEmojiPresentation}, // E1.0   [3] (🚳..🚵)    no bicycles..person mountain biking
+	{0x1F6B6, 0x1F6B6, prEmojiPresentation}, // E0.6   [1] (🚶)       person walking
+	{0x1F6B7, 0x1F6B8, prEmojiPresentation}, // E1.0   [2] (🚷..🚸)    no pedestrians..children crossing
+	{0x1F6B9, 0x1F6BE, prEmojiPresentation}, // E0.6   [6] (🚹..🚾)    men’s room..water closet
+	{0x1F6BF, 0x1F6BF, prEmojiPresentation}, // E1.0   [1] (🚿)       shower
+	{0x1F6C0, 0x1F6C0, prEmojiPresentation}, // E0.6   [1] (🛀)       person taking bath
+	{0x1F6C1, 0x1F6C5, prEmojiPresentation}, // E1.0   [5] (�..🛅)    bathtub..left luggage
+	{0x1F6CC, 0x1F6CC, prEmojiPresentation}, // E1.0   [1] (🛌)       person in bed
+	{0x1F6D0, 0x1F6D0, prEmojiPresentation}, // E1.0   [1] (�)       place of worship
+	{0x1F6D1, 0x1F6D2, prEmojiPresentation}, // E3.0   [2] (🛑..🛒)    stop sign..shopping cart
+	{0x1F6D5, 0x1F6D5, prEmojiPresentation}, // E12.0  [1] (🛕)       hindu temple
+	{0x1F6D6, 0x1F6D7, prEmojiPresentation}, // E13.0  [2] (🛖..🛗)    hut..elevator
+	{0x1F6DC, 0x1F6DC, prEmojiPresentation}, // E15.0  [1] (🛜)       wireless
+	{0x1F6DD, 0x1F6DF, prEmojiPresentation}, // E14.0  [3] (�..🛟)    playground slide..ring buoy
+	{0x1F6EB, 0x1F6EC, prEmojiPresentation}, // E1.0   [2] (🛫..🛬)    airplane departure..airplane arrival
+	{0x1F6F4, 0x1F6F6, prEmojiPresentation}, // E3.0   [3] (🛴..🛶)    kick scooter..canoe
+	{0x1F6F7, 0x1F6F8, prEmojiPresentation}, // E5.0   [2] (🛷..🛸)    sled..flying saucer
+	{0x1F6F9, 0x1F6F9, prEmojiPresentation}, // E11.0  [1] (🛹)       skateboard
+	{0x1F6FA, 0x1F6FA, prEmojiPresentation}, // E12.0  [1] (🛺)       auto rickshaw
+	{0x1F6FB, 0x1F6FC, prEmojiPresentation}, // E13.0  [2] (🛻..🛼)    pickup truck..roller skate
+	{0x1F7E0, 0x1F7EB, prEmojiPresentation}, // E12.0 [12] (🟠..🟫)    orange circle..brown square
+	{0x1F7F0, 0x1F7F0, prEmojiPresentation}, // E14.0  [1] (🟰)       heavy equals sign
+	{0x1F90C, 0x1F90C, prEmojiPresentation}, // E13.0  [1] (🤌)       pinched fingers
+	{0x1F90D, 0x1F90F, prEmojiPresentation}, // E12.0  [3] (�..�)    white heart..pinching hand
+	{0x1F910, 0x1F918, prEmojiPresentation}, // E1.0   [9] (�..🤘)    zipper-mouth face..sign of the horns
+	{0x1F919, 0x1F91E, prEmojiPresentation}, // E3.0   [6] (🤙..🤞)    call me hand..crossed fingers
+	{0x1F91F, 0x1F91F, prEmojiPresentation}, // E5.0   [1] (🤟)       love-you gesture
+	{0x1F920, 0x1F927, prEmojiPresentation}, // E3.0   [8] (🤠..🤧)    cowboy hat face..sneezing face
+	{0x1F928, 0x1F92F, prEmojiPresentation}, // E5.0   [8] (🤨..🤯)    face with raised eyebrow..exploding head
+	{0x1F930, 0x1F930, prEmojiPresentation}, // E3.0   [1] (🤰)       pregnant woman
+	{0x1F931, 0x1F932, prEmojiPresentation}, // E5.0   [2] (🤱..🤲)    breast-feeding..palms up together
+	{0x1F933, 0x1F93A, prEmojiPresentation}, // E3.0   [8] (🤳..🤺)    selfie..person fencing
+	{0x1F93C, 0x1F93E, prEmojiPresentation}, // E3.0   [3] (🤼..🤾)    people wrestling..person playing handball
+	{0x1F93F, 0x1F93F, prEmojiPresentation}, // E12.0  [1] (🤿)       diving mask
+	{0x1F940, 0x1F945, prEmojiPresentation}, // E3.0   [6] (🥀..🥅)    wilted flower..goal net
+	{0x1F947, 0x1F94B, prEmojiPresentation}, // E3.0   [5] (🥇..🥋)    1st place medal..martial arts uniform
+	{0x1F94C, 0x1F94C, prEmojiPresentation}, // E5.0   [1] (🥌)       curling stone
+	{0x1F94D, 0x1F94F, prEmojiPresentation}, // E11.0  [3] (�..�)    lacrosse..flying disc
+	{0x1F950, 0x1F95E, prEmojiPresentation}, // E3.0  [15] (�..🥞)    croissant..pancakes
+	{0x1F95F, 0x1F96B, prEmojiPresentation}, // E5.0  [13] (🥟..🥫)    dumpling..canned food
+	{0x1F96C, 0x1F970, prEmojiPresentation}, // E11.0  [5] (🥬..🥰)    leafy green..smiling face with hearts
+	{0x1F971, 0x1F971, prEmojiPresentation}, // E12.0  [1] (🥱)       yawning face
+	{0x1F972, 0x1F972, prEmojiPresentation}, // E13.0  [1] (🥲)       smiling face with tear
+	{0x1F973, 0x1F976, prEmojiPresentation}, // E11.0  [4] (🥳..🥶)    partying face..cold face
+	{0x1F977, 0x1F978, prEmojiPresentation}, // E13.0  [2] (🥷..🥸)    ninja..disguised face
+	{0x1F979, 0x1F979, prEmojiPresentation}, // E14.0  [1] (🥹)       face holding back tears
+	{0x1F97A, 0x1F97A, prEmojiPresentation}, // E11.0  [1] (🥺)       pleading face
+	{0x1F97B, 0x1F97B, prEmojiPresentation}, // E12.0  [1] (🥻)       sari
+	{0x1F97C, 0x1F97F, prEmojiPresentation}, // E11.0  [4] (🥼..🥿)    lab coat..flat shoe
+	{0x1F980, 0x1F984, prEmojiPresentation}, // E1.0   [5] (🦀..🦄)    crab..unicorn
+	{0x1F985, 0x1F991, prEmojiPresentation}, // E3.0  [13] (🦅..🦑)    eagle..squid
+	{0x1F992, 0x1F997, prEmojiPresentation}, // E5.0   [6] (🦒..🦗)    giraffe..cricket
+	{0x1F998, 0x1F9A2, prEmojiPresentation}, // E11.0 [11] (🦘..🦢)    kangaroo..swan
+	{0x1F9A3, 0x1F9A4, prEmojiPresentation}, // E13.0  [2] (🦣..🦤)    mammoth..dodo
+	{0x1F9A5, 0x1F9AA, prEmojiPresentation}, // E12.0  [6] (🦥..🦪)    sloth..oyster
+	{0x1F9AB, 0x1F9AD, prEmojiPresentation}, // E13.0  [3] (🦫..🦭)    beaver..seal
+	{0x1F9AE, 0x1F9AF, prEmojiPresentation}, // E12.0  [2] (🦮..🦯)    guide dog..white cane
+	{0x1F9B0, 0x1F9B9, prEmojiPresentation}, // E11.0 [10] (🦰..🦹)    red hair..supervillain
+	{0x1F9BA, 0x1F9BF, prEmojiPresentation}, // E12.0  [6] (🦺..🦿)    safety vest..mechanical leg
+	{0x1F9C0, 0x1F9C0, prEmojiPresentation}, // E1.0   [1] (🧀)       cheese wedge
+	{0x1F9C1, 0x1F9C2, prEmojiPresentation}, // E11.0  [2] (�..🧂)    cupcake..salt
+	{0x1F9C3, 0x1F9CA, prEmojiPresentation}, // E12.0  [8] (🧃..🧊)    beverage box..ice
+	{0x1F9CB, 0x1F9CB, prEmojiPresentation}, // E13.0  [1] (🧋)       bubble tea
+	{0x1F9CC, 0x1F9CC, prEmojiPresentation}, // E14.0  [1] (🧌)       troll
+	{0x1F9CD, 0x1F9CF, prEmojiPresentation}, // E12.0  [3] (�..�)    person standing..deaf person
+	{0x1F9D0, 0x1F9E6, prEmojiPresentation}, // E5.0  [23] (�..🧦)    face with monocle..socks
+	{0x1F9E7, 0x1F9FF, prEmojiPresentation}, // E11.0 [25] (🧧..🧿)    red envelope..nazar amulet
+	{0x1FA70, 0x1FA73, prEmojiPresentation}, // E12.0  [4] (🩰..🩳)    ballet shoes..shorts
+	{0x1FA74, 0x1FA74, prEmojiPresentation}, // E13.0  [1] (🩴)       thong sandal
+	{0x1FA75, 0x1FA77, prEmojiPresentation}, // E15.0  [3] (🩵..🩷)    light blue heart..pink heart
+	{0x1FA78, 0x1FA7A, prEmojiPresentation}, // E12.0  [3] (🩸..🩺)    drop of blood..stethoscope
+	{0x1FA7B, 0x1FA7C, prEmojiPresentation}, // E14.0  [2] (🩻..🩼)    x-ray..crutch
+	{0x1FA80, 0x1FA82, prEmojiPresentation}, // E12.0  [3] (🪀..🪂)    yo-yo..parachute
+	{0x1FA83, 0x1FA86, prEmojiPresentation}, // E13.0  [4] (🪃..🪆)    boomerang..nesting dolls
+	{0x1FA87, 0x1FA88, prEmojiPresentation}, // E15.0  [2] (🪇..🪈)    maracas..flute
+	{0x1FA90, 0x1FA95, prEmojiPresentation}, // E12.0  [6] (�..🪕)    ringed planet..banjo
+	{0x1FA96, 0x1FAA8, prEmojiPresentation}, // E13.0 [19] (🪖..🪨)    military helmet..rock
+	{0x1FAA9, 0x1FAAC, prEmojiPresentation}, // E14.0  [4] (🪩..🪬)    mirror ball..hamsa
+	{0x1FAAD, 0x1FAAF, prEmojiPresentation}, // E15.0  [3] (🪭..🪯)    folding hand fan..khanda
+	{0x1FAB0, 0x1FAB6, prEmojiPresentation}, // E13.0  [7] (🪰..🪶)    fly..feather
+	{0x1FAB7, 0x1FABA, prEmojiPresentation}, // E14.0  [4] (🪷..🪺)    lotus..nest with eggs
+	{0x1FABB, 0x1FABD, prEmojiPresentation}, // E15.0  [3] (🪻..🪽)    hyacinth..wing
+	{0x1FABF, 0x1FABF, prEmojiPresentation}, // E15.0  [1] (🪿)       goose
+	{0x1FAC0, 0x1FAC2, prEmojiPresentation}, // E13.0  [3] (🫀..🫂)    anatomical heart..people hugging
+	{0x1FAC3, 0x1FAC5, prEmojiPresentation}, // E14.0  [3] (🫃..🫅)    pregnant man..person with crown
+	{0x1FACE, 0x1FACF, prEmojiPresentation}, // E15.0  [2] (🫎..�)    moose..donkey
+	{0x1FAD0, 0x1FAD6, prEmojiPresentation}, // E13.0  [7] (�..🫖)    blueberries..teapot
+	{0x1FAD7, 0x1FAD9, prEmojiPresentation}, // E14.0  [3] (🫗..🫙)    pouring liquid..jar
+	{0x1FADA, 0x1FADB, prEmojiPresentation}, // E15.0  [2] (🫚..🫛)    ginger root..pea pod
+	{0x1FAE0, 0x1FAE7, prEmojiPresentation}, // E14.0  [8] (🫠..🫧)    melting face..bubbles
+	{0x1FAE8, 0x1FAE8, prEmojiPresentation}, // E15.0  [1] (🫨)       shaking face
+	{0x1FAF0, 0x1FAF6, prEmojiPresentation}, // E14.0  [7] (🫰..🫶)    hand with index finger and thumb crossed..heart hands
+	{0x1FAF7, 0x1FAF8, prEmojiPresentation}, // E15.0  [2] (🫷..🫸)    leftwards pushing hand..rightwards pushing hand
+}
diff --git a/vendor/github.com/rivo/uniseg/gen_breaktest.go b/vendor/github.com/rivo/uniseg/gen_breaktest.go
new file mode 100644
index 0000000000..6bfbeb5e7f
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/gen_breaktest.go
@@ -0,0 +1,215 @@
+//go:build generate
+
+// This program generates a Go containing a slice of test cases based on the
+// Unicode Character Database auxiliary data files. The command line arguments
+// are as follows:
+//
+//   1. The name of the Unicode data file (just the filename, without extension).
+//   2. The name of the locally generated Go file.
+//   3. The name of the slice containing the test cases.
+//   4. The name of the generator, for logging purposes.
+//
+//go:generate go run gen_breaktest.go GraphemeBreakTest graphemebreak_test.go graphemeBreakTestCases graphemes
+//go:generate go run gen_breaktest.go WordBreakTest wordbreak_test.go wordBreakTestCases words
+//go:generate go run gen_breaktest.go SentenceBreakTest sentencebreak_test.go sentenceBreakTestCases sentences
+//go:generate go run gen_breaktest.go LineBreakTest linebreak_test.go lineBreakTestCases lines
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"go/format"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"time"
+)
+
+// We want to test against a specific version rather than the latest. When the
+// package is upgraded to a new version, change these to generate new tests.
+const (
+	testCaseURL = `https://www.unicode.org/Public/15.0.0/ucd/auxiliary/%s.txt`
+)
+
+func main() {
+	if len(os.Args) < 5 {
+		fmt.Println("Not enough arguments, see code for details")
+		os.Exit(1)
+	}
+
+	log.SetPrefix("gen_breaktest (" + os.Args[4] + "): ")
+	log.SetFlags(0)
+
+	// Read text of testcases and parse into Go source code.
+	src, err := parse(fmt.Sprintf(testCaseURL, os.Args[1]))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Format the Go code.
+	formatted, err := format.Source(src)
+	if err != nil {
+		log.Fatalln("gofmt:", err)
+	}
+
+	// Write it out.
+	log.Print("Writing to ", os.Args[2])
+	if err := ioutil.WriteFile(os.Args[2], formatted, 0644); err != nil {
+		log.Fatal(err)
+	}
+}
+
+// parse reads a break text file, either from a local file or from a URL. It
+// parses the file data into Go source code representing the test cases.
+func parse(url string) ([]byte, error) {
+	log.Printf("Parsing %s", url)
+	res, err := http.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	body := res.Body
+	defer body.Close()
+
+	buf := new(bytes.Buffer)
+	buf.Grow(120 << 10)
+	buf.WriteString(`// Code generated via go generate from gen_breaktest.go. DO NOT EDIT.
+
+package uniseg
+
+// ` + os.Args[3] + ` are Grapheme testcases taken from
+// ` + url + `
+// on ` + time.Now().Format("January 2, 2006") + `. See
+// https://www.unicode.org/license.html for the Unicode license agreement.
+var ` + os.Args[3] + ` = []testCase {
+`)
+
+	sc := bufio.NewScanner(body)
+	num := 1
+	var line []byte
+	original := make([]byte, 0, 64)
+	expected := make([]byte, 0, 64)
+	for sc.Scan() {
+		num++
+		line = sc.Bytes()
+		if len(line) == 0 || line[0] == '#' {
+			continue
+		}
+		var comment []byte
+		if i := bytes.IndexByte(line, '#'); i >= 0 {
+			comment = bytes.TrimSpace(line[i+1:])
+			line = bytes.TrimSpace(line[:i])
+		}
+		original, expected, err := parseRuneSequence(line, original[:0], expected[:0])
+		if err != nil {
+			return nil, fmt.Errorf(`line %d: %v: %q`, num, err, line)
+		}
+		fmt.Fprintf(buf, "\t{original: \"%s\", expected: %s}, // %s\n", original, expected, comment)
+	}
+	if err := sc.Err(); err != nil {
+		return nil, err
+	}
+
+	// Check for final "# EOF", useful check if we're streaming via HTTP
+	if !bytes.Equal(line, []byte("# EOF")) {
+		return nil, fmt.Errorf(`line %d: exected "# EOF" as final line, got %q`, num, line)
+	}
+	buf.WriteString("}\n")
+	return buf.Bytes(), nil
+}
+
+// Used by parseRuneSequence to match input via bytes.HasPrefix.
+var (
+	prefixBreak     = []byte("÷ ")
+	prefixDontBreak = []byte("× ")
+	breakOk         = []byte("÷")
+	breakNo         = []byte("×")
+)
+
+// parseRuneSequence parses a rune + breaking opportunity sequence from b
+// and appends the Go code for testcase.original to orig
+// and appends the Go code for testcase.expected to exp.
+// It retuns the new orig and exp slices.
+//
+// E.g. for the input b="÷ 0020 × 0308 ÷ 1F1E6 ÷"
+// it will append
+//
+//	"\u0020\u0308\U0001F1E6"
+//
+// and "[][]rune{{0x0020,0x0308},{0x1F1E6},}"
+// to orig and exp respectively.
+//
+// The formatting of exp is expected to be cleaned up by gofmt or format.Source.
+// Note we explicitly require the sequence to start with ÷ and we implicitly
+// require it to end with ÷.
+func parseRuneSequence(b, orig, exp []byte) ([]byte, []byte, error) {
+	// Check for and remove first ÷ or ×.
+	if !bytes.HasPrefix(b, prefixBreak) && !bytes.HasPrefix(b, prefixDontBreak) {
+		return nil, nil, errors.New("expected ÷ or × as first character")
+	}
+	if bytes.HasPrefix(b, prefixBreak) {
+		b = b[len(prefixBreak):]
+	} else {
+		b = b[len(prefixDontBreak):]
+	}
+
+	boundary := true
+	exp = append(exp, "[][]rune{"...)
+	for len(b) > 0 {
+		if boundary {
+			exp = append(exp, '{')
+		}
+		exp = append(exp, "0x"...)
+		// Find end of hex digits.
+		var i int
+		for i = 0; i < len(b) && b[i] != ' '; i++ {
+			if d := b[i]; ('0' <= d || d <= '9') ||
+				('A' <= d || d <= 'F') ||
+				('a' <= d || d <= 'f') {
+				continue
+			}
+			return nil, nil, errors.New("bad hex digit")
+		}
+		switch i {
+		case 4:
+			orig = append(orig, "\\u"...)
+		case 5:
+			orig = append(orig, "\\U000"...)
+		default:
+			return nil, nil, errors.New("unsupport code point hex length")
+		}
+		orig = append(orig, b[:i]...)
+		exp = append(exp, b[:i]...)
+		b = b[i:]
+
+		// Check for space between hex and ÷ or ×.
+		if len(b) < 1 || b[0] != ' ' {
+			return nil, nil, errors.New("bad input")
+		}
+		b = b[1:]
+
+		// Check for next boundary.
+		switch {
+		case bytes.HasPrefix(b, breakOk):
+			boundary = true
+			b = b[len(breakOk):]
+		case bytes.HasPrefix(b, breakNo):
+			boundary = false
+			b = b[len(breakNo):]
+		default:
+			return nil, nil, errors.New("missing ÷ or ×")
+		}
+		if boundary {
+			exp = append(exp, '}')
+		}
+		exp = append(exp, ',')
+		if len(b) > 0 && b[0] == ' ' {
+			b = b[1:]
+		}
+	}
+	exp = append(exp, '}')
+	return orig, exp, nil
+}
diff --git a/vendor/github.com/rivo/uniseg/gen_properties.go b/vendor/github.com/rivo/uniseg/gen_properties.go
new file mode 100644
index 0000000000..8992d2c5f8
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/gen_properties.go
@@ -0,0 +1,261 @@
+//go:build generate
+
+// This program generates a property file in Go file from Unicode Character
+// Database auxiliary data files. The command line arguments are as follows:
+//
+//  1. The name of the Unicode data file (just the filename, without extension).
+//     Can be "-" (to skip) if the emoji flag is included.
+//  2. The name of the locally generated Go file.
+//  3. The name of the slice mapping code points to properties.
+//  4. The name of the generator, for logging purposes.
+//  5. (Optional) Flags, comma-separated. The following flags are available:
+//     - "emojis=<property>": include the specified emoji properties (e.g.
+//     "Extended_Pictographic").
+//     - "gencat": include general category properties.
+//
+//go:generate go run gen_properties.go auxiliary/GraphemeBreakProperty graphemeproperties.go graphemeCodePoints graphemes emojis=Extended_Pictographic
+//go:generate go run gen_properties.go auxiliary/WordBreakProperty wordproperties.go workBreakCodePoints words emojis=Extended_Pictographic
+//go:generate go run gen_properties.go auxiliary/SentenceBreakProperty sentenceproperties.go sentenceBreakCodePoints sentences
+//go:generate go run gen_properties.go LineBreak lineproperties.go lineBreakCodePoints lines gencat
+//go:generate go run gen_properties.go EastAsianWidth eastasianwidth.go eastAsianWidth eastasianwidth
+//go:generate go run gen_properties.go - emojipresentation.go emojiPresentation emojipresentation emojis=Emoji_Presentation
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"go/format"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// We want to test against a specific version rather than the latest. When the
+// package is upgraded to a new version, change these to generate new tests.
+const (
+	propertyURL = `https://www.unicode.org/Public/15.0.0/ucd/%s.txt`
+	emojiURL    = `https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt`
+)
+
+// The regular expression for a line containing a code point range property.
+var propertyPattern = regexp.MustCompile(`^([0-9A-F]{4,6})(\.\.([0-9A-F]{4,6}))?\s*;\s*([A-Za-z0-9_]+)\s*#\s(.+)$`)
+
+func main() {
+	if len(os.Args) < 5 {
+		fmt.Println("Not enough arguments, see code for details")
+		os.Exit(1)
+	}
+
+	log.SetPrefix("gen_properties (" + os.Args[4] + "): ")
+	log.SetFlags(0)
+
+	// Parse flags.
+	flags := make(map[string]string)
+	if len(os.Args) >= 6 {
+		for _, flag := range strings.Split(os.Args[5], ",") {
+			flagFields := strings.Split(flag, "=")
+			if len(flagFields) == 1 {
+				flags[flagFields[0]] = "yes"
+			} else {
+				flags[flagFields[0]] = flagFields[1]
+			}
+		}
+	}
+
+	// Parse the text file and generate Go source code from it.
+	_, includeGeneralCategory := flags["gencat"]
+	var mainURL string
+	if os.Args[1] != "-" {
+		mainURL = fmt.Sprintf(propertyURL, os.Args[1])
+	}
+	src, err := parse(mainURL, flags["emojis"], includeGeneralCategory)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Format the Go code.
+	formatted, err := format.Source([]byte(src))
+	if err != nil {
+		log.Fatal("gofmt:", err)
+	}
+
+	// Save it to the (local) target file.
+	log.Print("Writing to ", os.Args[2])
+	if err := ioutil.WriteFile(os.Args[2], formatted, 0644); err != nil {
+		log.Fatal(err)
+	}
+}
+
+// parse parses the Unicode Properties text files located at the given URLs and
+// returns their equivalent Go source code to be used in the uniseg package. If
+// "emojiProperty" is not an empty string, emoji code points for that emoji
+// property (e.g. "Extended_Pictographic") will be included. In those cases, you
+// may pass an empty "propertyURL" to skip parsing the main properties file. If
+// "includeGeneralCategory" is true, the Unicode General Category property will
+// be extracted from the comments and included in the output.
+func parse(propertyURL, emojiProperty string, includeGeneralCategory bool) (string, error) {
+	if propertyURL == "" && emojiProperty == "" {
+		return "", errors.New("no properties to parse")
+	}
+
+	// Temporary buffer to hold properties.
+	var properties [][4]string
+
+	// Open the first URL.
+	if propertyURL != "" {
+		log.Printf("Parsing %s", propertyURL)
+		res, err := http.Get(propertyURL)
+		if err != nil {
+			return "", err
+		}
+		in1 := res.Body
+		defer in1.Close()
+
+		// Parse it.
+		scanner := bufio.NewScanner(in1)
+		num := 0
+		for scanner.Scan() {
+			num++
+			line := strings.TrimSpace(scanner.Text())
+
+			// Skip comments and empty lines.
+			if strings.HasPrefix(line, "#") || line == "" {
+				continue
+			}
+
+			// Everything else must be a code point range, a property and a comment.
+			from, to, property, comment, err := parseProperty(line)
+			if err != nil {
+				return "", fmt.Errorf("%s line %d: %v", os.Args[4], num, err)
+			}
+			properties = append(properties, [4]string{from, to, property, comment})
+		}
+		if err := scanner.Err(); err != nil {
+			return "", err
+		}
+	}
+
+	// Open the second URL.
+	if emojiProperty != "" {
+		log.Printf("Parsing %s", emojiURL)
+		res, err := http.Get(emojiURL)
+		if err != nil {
+			return "", err
+		}
+		in2 := res.Body
+		defer in2.Close()
+
+		// Parse it.
+		scanner := bufio.NewScanner(in2)
+		num := 0
+		for scanner.Scan() {
+			num++
+			line := scanner.Text()
+
+			// Skip comments, empty lines, and everything not containing
+			// "Extended_Pictographic".
+			if strings.HasPrefix(line, "#") || line == "" || !strings.Contains(line, emojiProperty) {
+				continue
+			}
+
+			// Everything else must be a code point range, a property and a comment.
+			from, to, property, comment, err := parseProperty(line)
+			if err != nil {
+				return "", fmt.Errorf("emojis line %d: %v", num, err)
+			}
+			properties = append(properties, [4]string{from, to, property, comment})
+		}
+		if err := scanner.Err(); err != nil {
+			return "", err
+		}
+	}
+
+	// Avoid overflow during binary search.
+	if len(properties) >= 1<<31 {
+		return "", errors.New("too many properties")
+	}
+
+	// Sort properties.
+	sort.Slice(properties, func(i, j int) bool {
+		left, _ := strconv.ParseUint(properties[i][0], 16, 64)
+		right, _ := strconv.ParseUint(properties[j][0], 16, 64)
+		return left < right
+	})
+
+	// Header.
+	var (
+		buf          bytes.Buffer
+		emojiComment string
+	)
+	columns := 3
+	if includeGeneralCategory {
+		columns = 4
+	}
+	if emojiURL != "" {
+		emojiComment = `
+// and
+// ` + emojiURL + `
+// ("Extended_Pictographic" only)`
+	}
+	buf.WriteString(`// Code generated via go generate from gen_properties.go. DO NOT EDIT.
+
+package uniseg
+
+// ` + os.Args[3] + ` are taken from
+// ` + propertyURL + emojiComment + `
+// on ` + time.Now().Format("January 2, 2006") + `. See https://www.unicode.org/license.html for the Unicode
+// license agreement.
+var ` + os.Args[3] + ` = [][` + strconv.Itoa(columns) + `]int{
+	`)
+
+	// Properties.
+	for _, prop := range properties {
+		if includeGeneralCategory {
+			generalCategory := "gc" + prop[3][:2]
+			if generalCategory == "gcL&" {
+				generalCategory = "gcLC"
+			}
+			prop[3] = prop[3][3:]
+			fmt.Fprintf(&buf, "{0x%s,0x%s,%s,%s}, // %s\n", prop[0], prop[1], translateProperty("pr", prop[2]), generalCategory, prop[3])
+		} else {
+			fmt.Fprintf(&buf, "{0x%s,0x%s,%s}, // %s\n", prop[0], prop[1], translateProperty("pr", prop[2]), prop[3])
+		}
+	}
+
+	// Tail.
+	buf.WriteString("}")
+
+	return buf.String(), nil
+}
+
+// parseProperty parses a line of the Unicode properties text file containing a
+// property for a code point range and returns it along with its comment.
+func parseProperty(line string) (from, to, property, comment string, err error) {
+	fields := propertyPattern.FindStringSubmatch(line)
+	if fields == nil {
+		err = errors.New("no property found")
+		return
+	}
+	from = fields[1]
+	to = fields[3]
+	if to == "" {
+		to = from
+	}
+	property = fields[4]
+	comment = fields[5]
+	return
+}
+
+// translateProperty translates a property name as used in the Unicode data file
+// to a variable used in the Go code.
+func translateProperty(prefix, property string) string {
+	return prefix + strings.ReplaceAll(property, "_", "")
+}
diff --git a/vendor/github.com/rivo/uniseg/grapheme.go b/vendor/github.com/rivo/uniseg/grapheme.go
new file mode 100644
index 0000000000..b12403d43c
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/grapheme.go
@@ -0,0 +1,331 @@
+package uniseg
+
+import "unicode/utf8"
+
+// Graphemes implements an iterator over Unicode grapheme clusters, or
+// user-perceived characters. While iterating, it also provides information
+// about word boundaries, sentence boundaries, line breaks, and monospace
+// character widths.
+//
+// After constructing the class via [NewGraphemes] for a given string "str",
+// [Graphemes.Next] is called for every grapheme cluster in a loop until it
+// returns false. Inside the loop, information about the grapheme cluster as
+// well as boundary information and character width is available via the various
+// methods (see examples below).
+//
+// This class basically wraps the [StepString] parser and provides a convenient
+// interface to it. If you are only interested in some parts of this package's
+// functionality, using the specialized functions starting with "First" is
+// almost always faster.
+type Graphemes struct {
+	// The original string.
+	original string
+
+	// The remaining string to be parsed.
+	remaining string
+
+	// The current grapheme cluster.
+	cluster string
+
+	// The byte offset of the current grapheme cluster relative to the original
+	// string.
+	offset int
+
+	// The current boundary information of the [Step] parser.
+	boundaries int
+
+	// The current state of the [Step] parser.
+	state int
+}
+
+// NewGraphemes returns a new grapheme cluster iterator.
+func NewGraphemes(str string) *Graphemes {
+	return &Graphemes{
+		original:  str,
+		remaining: str,
+		state:     -1,
+	}
+}
+
+// Next advances the iterator by one grapheme cluster and returns false if no
+// clusters are left. This function must be called before the first cluster is
+// accessed.
+func (g *Graphemes) Next() bool {
+	if len(g.remaining) == 0 {
+		// We're already past the end.
+		g.state = -2
+		g.cluster = ""
+		return false
+	}
+	g.offset += len(g.cluster)
+	g.cluster, g.remaining, g.boundaries, g.state = StepString(g.remaining, g.state)
+	return true
+}
+
+// Runes returns a slice of runes (code points) which corresponds to the current
+// grapheme cluster. If the iterator is already past the end or [Graphemes.Next]
+// has not yet been called, nil is returned.
+func (g *Graphemes) Runes() []rune {
+	if g.state < 0 {
+		return nil
+	}
+	return []rune(g.cluster)
+}
+
+// Str returns a substring of the original string which corresponds to the
+// current grapheme cluster. If the iterator is already past the end or
+// [Graphemes.Next] has not yet been called, an empty string is returned.
+func (g *Graphemes) Str() string {
+	return g.cluster
+}
+
+// Bytes returns a byte slice which corresponds to the current grapheme cluster.
+// If the iterator is already past the end or [Graphemes.Next] has not yet been
+// called, nil is returned.
+func (g *Graphemes) Bytes() []byte {
+	if g.state < 0 {
+		return nil
+	}
+	return []byte(g.cluster)
+}
+
+// Positions returns the interval of the current grapheme cluster as byte
+// positions into the original string. The first returned value "from" indexes
+// the first byte and the second returned value "to" indexes the first byte that
+// is not included anymore, i.e. str[from:to] is the current grapheme cluster of
+// the original string "str". If [Graphemes.Next] has not yet been called, both
+// values are 0. If the iterator is already past the end, both values are 1.
+func (g *Graphemes) Positions() (int, int) {
+	if g.state == -1 {
+		return 0, 0
+	} else if g.state == -2 {
+		return 1, 1
+	}
+	return g.offset, g.offset + len(g.cluster)
+}
+
+// IsWordBoundary returns true if a word ends after the current grapheme
+// cluster.
+func (g *Graphemes) IsWordBoundary() bool {
+	if g.state < 0 {
+		return true
+	}
+	return g.boundaries&MaskWord != 0
+}
+
+// IsSentenceBoundary returns true if a sentence ends after the current
+// grapheme cluster.
+func (g *Graphemes) IsSentenceBoundary() bool {
+	if g.state < 0 {
+		return true
+	}
+	return g.boundaries&MaskSentence != 0
+}
+
+// LineBreak returns whether the line can be broken after the current grapheme
+// cluster. A value of [LineDontBreak] means the line may not be broken, a value
+// of [LineMustBreak] means the line must be broken, and a value of
+// [LineCanBreak] means the line may or may not be broken.
+func (g *Graphemes) LineBreak() int {
+	if g.state == -1 {
+		return LineDontBreak
+	}
+	if g.state == -2 {
+		return LineMustBreak
+	}
+	return g.boundaries & MaskLine
+}
+
+// Width returns the monospace width of the current grapheme cluster.
+func (g *Graphemes) Width() int {
+	if g.state < 0 {
+		return 0
+	}
+	return g.boundaries >> ShiftWidth
+}
+
+// Reset puts the iterator into its initial state such that the next call to
+// [Graphemes.Next] sets it to the first grapheme cluster again.
+func (g *Graphemes) Reset() {
+	g.state = -1
+	g.offset = 0
+	g.cluster = ""
+	g.remaining = g.original
+}
+
+// GraphemeClusterCount returns the number of user-perceived characters
+// (grapheme clusters) for the given string.
+func GraphemeClusterCount(s string) (n int) {
+	state := -1
+	for len(s) > 0 {
+		_, s, _, state = FirstGraphemeClusterInString(s, state)
+		n++
+	}
+	return
+}
+
+// ReverseString reverses the given string while observing grapheme cluster
+// boundaries.
+func ReverseString(s string) string {
+	str := []byte(s)
+	reversed := make([]byte, len(str))
+	state := -1
+	index := len(str)
+	for len(str) > 0 {
+		var cluster []byte
+		cluster, str, _, state = FirstGraphemeCluster(str, state)
+		index -= len(cluster)
+		copy(reversed[index:], cluster)
+		if index <= len(str)/2 {
+			break
+		}
+	}
+	return string(reversed)
+}
+
+// The number of bits the grapheme property must be shifted to make place for
+// grapheme states.
+const shiftGraphemePropState = 4
+
+// FirstGraphemeCluster returns the first grapheme cluster found in the given
+// byte slice according to the rules of [Unicode Standard Annex #29, Grapheme
+// Cluster Boundaries]. This function can be called continuously to extract all
+// grapheme clusters from a byte slice, as illustrated in the example below.
+//
+// If you don't know the current state, for example when calling the function
+// for the first time, you must pass -1. For consecutive calls, pass the state
+// and rest slice returned by the previous call.
+//
+// The "rest" slice is the sub-slice of the original byte slice "b" starting
+// after the last byte of the identified grapheme cluster. If the length of the
+// "rest" slice is 0, the entire byte slice "b" has been processed. The
+// "cluster" byte slice is the sub-slice of the input slice containing the
+// identified grapheme cluster.
+//
+// The returned width is the width of the grapheme cluster for most monospace
+// fonts where a value of 1 represents one character cell.
+//
+// Given an empty byte slice "b", the function returns nil values.
+//
+// While slightly less convenient than using the Graphemes class, this function
+// has much better performance and makes no allocations. It lends itself well to
+// large byte slices.
+//
+// [Unicode Standard Annex #29, Grapheme Cluster Boundaries]: http://unicode.org/reports/tr29/#Grapheme_Cluster_Boundaries
+func FirstGraphemeCluster(b []byte, state int) (cluster, rest []byte, width, newState int) {
+	// An empty byte slice returns nothing.
+	if len(b) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRune(b)
+	if len(b) <= length { // If we're already past the end, there is nothing else to parse.
+		var prop int
+		if state < 0 {
+			prop = propertyGraphemes(r)
+		} else {
+			prop = state >> shiftGraphemePropState
+		}
+		return b, nil, runeWidth(r, prop), grAny | (prop << shiftGraphemePropState)
+	}
+
+	// If we don't know the state, determine it now.
+	var firstProp int
+	if state < 0 {
+		state, firstProp, _ = transitionGraphemeState(state, r)
+	} else {
+		firstProp = state >> shiftGraphemePropState
+	}
+	width += runeWidth(r, firstProp)
+
+	// Transition until we find a boundary.
+	for {
+		var (
+			prop     int
+			boundary bool
+		)
+
+		r, l := utf8.DecodeRune(b[length:])
+		state, prop, boundary = transitionGraphemeState(state&maskGraphemeState, r)
+
+		if boundary {
+			return b[:length], b[length:], width, state | (prop << shiftGraphemePropState)
+		}
+
+		if firstProp == prExtendedPictographic {
+			if r == vs15 {
+				width = 1
+			} else if r == vs16 {
+				width = 2
+			}
+		} else if firstProp != prRegionalIndicator && firstProp != prL {
+			width += runeWidth(r, prop)
+		}
+
+		length += l
+		if len(b) <= length {
+			return b, nil, width, grAny | (prop << shiftGraphemePropState)
+		}
+	}
+}
+
+// FirstGraphemeClusterInString is like [FirstGraphemeCluster] but its input and
+// outputs are strings.
+func FirstGraphemeClusterInString(str string, state int) (cluster, rest string, width, newState int) {
+	// An empty string returns nothing.
+	if len(str) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRuneInString(str)
+	if len(str) <= length { // If we're already past the end, there is nothing else to parse.
+		var prop int
+		if state < 0 {
+			prop = propertyGraphemes(r)
+		} else {
+			prop = state >> shiftGraphemePropState
+		}
+		return str, "", runeWidth(r, prop), grAny | (prop << shiftGraphemePropState)
+	}
+
+	// If we don't know the state, determine it now.
+	var firstProp int
+	if state < 0 {
+		state, firstProp, _ = transitionGraphemeState(state, r)
+	} else {
+		firstProp = state >> shiftGraphemePropState
+	}
+	width += runeWidth(r, firstProp)
+
+	// Transition until we find a boundary.
+	for {
+		var (
+			prop     int
+			boundary bool
+		)
+
+		r, l := utf8.DecodeRuneInString(str[length:])
+		state, prop, boundary = transitionGraphemeState(state&maskGraphemeState, r)
+
+		if boundary {
+			return str[:length], str[length:], width, state | (prop << shiftGraphemePropState)
+		}
+
+		if firstProp == prExtendedPictographic {
+			if r == vs15 {
+				width = 1
+			} else if r == vs16 {
+				width = 2
+			}
+		} else if firstProp != prRegionalIndicator && firstProp != prL {
+			width += runeWidth(r, prop)
+		}
+
+		length += l
+		if len(str) <= length {
+			return str, "", width, grAny | (prop << shiftGraphemePropState)
+		}
+	}
+}
diff --git a/vendor/github.com/rivo/uniseg/graphemeproperties.go b/vendor/github.com/rivo/uniseg/graphemeproperties.go
new file mode 100644
index 0000000000..0aff4a619a
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/graphemeproperties.go
@@ -0,0 +1,1915 @@
+// Code generated via go generate from gen_properties.go. DO NOT EDIT.
+
+package uniseg
+
+// graphemeCodePoints are taken from
+// https://www.unicode.org/Public/15.0.0/ucd/auxiliary/GraphemeBreakProperty.txt
+// and
+// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt
+// ("Extended_Pictographic" only)
+// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode
+// license agreement.
+var graphemeCodePoints = [][3]int{
+	{0x0000, 0x0009, prControl},                // Cc  [10] <control-0000>..<control-0009>
+	{0x000A, 0x000A, prLF},                     // Cc       <control-000A>
+	{0x000B, 0x000C, prControl},                // Cc   [2] <control-000B>..<control-000C>
+	{0x000D, 0x000D, prCR},                     // Cc       <control-000D>
+	{0x000E, 0x001F, prControl},                // Cc  [18] <control-000E>..<control-001F>
+	{0x007F, 0x009F, prControl},                // Cc  [33] <control-007F>..<control-009F>
+	{0x00A9, 0x00A9, prExtendedPictographic},   // E0.6   [1] (©�)       copyright
+	{0x00AD, 0x00AD, prControl},                // Cf       SOFT HYPHEN
+	{0x00AE, 0x00AE, prExtendedPictographic},   // E0.6   [1] (®�)       registered
+	{0x0300, 0x036F, prExtend},                 // Mn [112] COMBINING GRAVE ACCENT..COMBINING LATIN SMALL LETTER X
+	{0x0483, 0x0487, prExtend},                 // Mn   [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE
+	{0x0488, 0x0489, prExtend},                 // Me   [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN
+	{0x0591, 0x05BD, prExtend},                 // Mn  [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG
+	{0x05BF, 0x05BF, prExtend},                 // Mn       HEBREW POINT RAFE
+	{0x05C1, 0x05C2, prExtend},                 // Mn   [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT
+	{0x05C4, 0x05C5, prExtend},                 // Mn   [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT
+	{0x05C7, 0x05C7, prExtend},                 // Mn       HEBREW POINT QAMATS QATAN
+	{0x0600, 0x0605, prPrepend},                // Cf   [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE
+	{0x0610, 0x061A, prExtend},                 // Mn  [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA
+	{0x061C, 0x061C, prControl},                // Cf       ARABIC LETTER MARK
+	{0x064B, 0x065F, prExtend},                 // Mn  [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW
+	{0x0670, 0x0670, prExtend},                 // Mn       ARABIC LETTER SUPERSCRIPT ALEF
+	{0x06D6, 0x06DC, prExtend},                 // Mn   [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN
+	{0x06DD, 0x06DD, prPrepend},                // Cf       ARABIC END OF AYAH
+	{0x06DF, 0x06E4, prExtend},                 // Mn   [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA
+	{0x06E7, 0x06E8, prExtend},                 // Mn   [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON
+	{0x06EA, 0x06ED, prExtend},                 // Mn   [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM
+	{0x070F, 0x070F, prPrepend},                // Cf       SYRIAC ABBREVIATION MARK
+	{0x0711, 0x0711, prExtend},                 // Mn       SYRIAC LETTER SUPERSCRIPT ALAPH
+	{0x0730, 0x074A, prExtend},                 // Mn  [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH
+	{0x07A6, 0x07B0, prExtend},                 // Mn  [11] THAANA ABAFILI..THAANA SUKUN
+	{0x07EB, 0x07F3, prExtend},                 // Mn   [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE
+	{0x07FD, 0x07FD, prExtend},                 // Mn       NKO DANTAYALAN
+	{0x0816, 0x0819, prExtend},                 // Mn   [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH
+	{0x081B, 0x0823, prExtend},                 // Mn   [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A
+	{0x0825, 0x0827, prExtend},                 // Mn   [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U
+	{0x0829, 0x082D, prExtend},                 // Mn   [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA
+	{0x0859, 0x085B, prExtend},                 // Mn   [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK
+	{0x0890, 0x0891, prPrepend},                // Cf   [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE
+	{0x0898, 0x089F, prExtend},                 // Mn   [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA
+	{0x08CA, 0x08E1, prExtend},                 // Mn  [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA
+	{0x08E2, 0x08E2, prPrepend},                // Cf       ARABIC DISPUTED END OF AYAH
+	{0x08E3, 0x0902, prExtend},                 // Mn  [32] ARABIC TURNED DAMMA BELOW..DEVANAGARI SIGN ANUSVARA
+	{0x0903, 0x0903, prSpacingMark},            // Mc       DEVANAGARI SIGN VISARGA
+	{0x093A, 0x093A, prExtend},                 // Mn       DEVANAGARI VOWEL SIGN OE
+	{0x093B, 0x093B, prSpacingMark},            // Mc       DEVANAGARI VOWEL SIGN OOE
+	{0x093C, 0x093C, prExtend},                 // Mn       DEVANAGARI SIGN NUKTA
+	{0x093E, 0x0940, prSpacingMark},            // Mc   [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II
+	{0x0941, 0x0948, prExtend},                 // Mn   [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI
+	{0x0949, 0x094C, prSpacingMark},            // Mc   [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU
+	{0x094D, 0x094D, prExtend},                 // Mn       DEVANAGARI SIGN VIRAMA
+	{0x094E, 0x094F, prSpacingMark},            // Mc   [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW
+	{0x0951, 0x0957, prExtend},                 // Mn   [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE
+	{0x0962, 0x0963, prExtend},                 // Mn   [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL
+	{0x0981, 0x0981, prExtend},                 // Mn       BENGALI SIGN CANDRABINDU
+	{0x0982, 0x0983, prSpacingMark},            // Mc   [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA
+	{0x09BC, 0x09BC, prExtend},                 // Mn       BENGALI SIGN NUKTA
+	{0x09BE, 0x09BE, prExtend},                 // Mc       BENGALI VOWEL SIGN AA
+	{0x09BF, 0x09C0, prSpacingMark},            // Mc   [2] BENGALI VOWEL SIGN I..BENGALI VOWEL SIGN II
+	{0x09C1, 0x09C4, prExtend},                 // Mn   [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR
+	{0x09C7, 0x09C8, prSpacingMark},            // Mc   [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI
+	{0x09CB, 0x09CC, prSpacingMark},            // Mc   [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU
+	{0x09CD, 0x09CD, prExtend},                 // Mn       BENGALI SIGN VIRAMA
+	{0x09D7, 0x09D7, prExtend},                 // Mc       BENGALI AU LENGTH MARK
+	{0x09E2, 0x09E3, prExtend},                 // Mn   [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL
+	{0x09FE, 0x09FE, prExtend},                 // Mn       BENGALI SANDHI MARK
+	{0x0A01, 0x0A02, prExtend},                 // Mn   [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI
+	{0x0A03, 0x0A03, prSpacingMark},            // Mc       GURMUKHI SIGN VISARGA
+	{0x0A3C, 0x0A3C, prExtend},                 // Mn       GURMUKHI SIGN NUKTA
+	{0x0A3E, 0x0A40, prSpacingMark},            // Mc   [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II
+	{0x0A41, 0x0A42, prExtend},                 // Mn   [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU
+	{0x0A47, 0x0A48, prExtend},                 // Mn   [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI
+	{0x0A4B, 0x0A4D, prExtend},                 // Mn   [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA
+	{0x0A51, 0x0A51, prExtend},                 // Mn       GURMUKHI SIGN UDAAT
+	{0x0A70, 0x0A71, prExtend},                 // Mn   [2] GURMUKHI TIPPI..GURMUKHI ADDAK
+	{0x0A75, 0x0A75, prExtend},                 // Mn       GURMUKHI SIGN YAKASH
+	{0x0A81, 0x0A82, prExtend},                 // Mn   [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA
+	{0x0A83, 0x0A83, prSpacingMark},            // Mc       GUJARATI SIGN VISARGA
+	{0x0ABC, 0x0ABC, prExtend},                 // Mn       GUJARATI SIGN NUKTA
+	{0x0ABE, 0x0AC0, prSpacingMark},            // Mc   [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II
+	{0x0AC1, 0x0AC5, prExtend},                 // Mn   [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E
+	{0x0AC7, 0x0AC8, prExtend},                 // Mn   [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI
+	{0x0AC9, 0x0AC9, prSpacingMark},            // Mc       GUJARATI VOWEL SIGN CANDRA O
+	{0x0ACB, 0x0ACC, prSpacingMark},            // Mc   [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU
+	{0x0ACD, 0x0ACD, prExtend},                 // Mn       GUJARATI SIGN VIRAMA
+	{0x0AE2, 0x0AE3, prExtend},                 // Mn   [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL
+	{0x0AFA, 0x0AFF, prExtend},                 // Mn   [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+	{0x0B01, 0x0B01, prExtend},                 // Mn       ORIYA SIGN CANDRABINDU
+	{0x0B02, 0x0B03, prSpacingMark},            // Mc   [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA
+	{0x0B3C, 0x0B3C, prExtend},                 // Mn       ORIYA SIGN NUKTA
+	{0x0B3E, 0x0B3E, prExtend},                 // Mc       ORIYA VOWEL SIGN AA
+	{0x0B3F, 0x0B3F, prExtend},                 // Mn       ORIYA VOWEL SIGN I
+	{0x0B40, 0x0B40, prSpacingMark},            // Mc       ORIYA VOWEL SIGN II
+	{0x0B41, 0x0B44, prExtend},                 // Mn   [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR
+	{0x0B47, 0x0B48, prSpacingMark},            // Mc   [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI
+	{0x0B4B, 0x0B4C, prSpacingMark},            // Mc   [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU
+	{0x0B4D, 0x0B4D, prExtend},                 // Mn       ORIYA SIGN VIRAMA
+	{0x0B55, 0x0B56, prExtend},                 // Mn   [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK
+	{0x0B57, 0x0B57, prExtend},                 // Mc       ORIYA AU LENGTH MARK
+	{0x0B62, 0x0B63, prExtend},                 // Mn   [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL
+	{0x0B82, 0x0B82, prExtend},                 // Mn       TAMIL SIGN ANUSVARA
+	{0x0BBE, 0x0BBE, prExtend},                 // Mc       TAMIL VOWEL SIGN AA
+	{0x0BBF, 0x0BBF, prSpacingMark},            // Mc       TAMIL VOWEL SIGN I
+	{0x0BC0, 0x0BC0, prExtend},                 // Mn       TAMIL VOWEL SIGN II
+	{0x0BC1, 0x0BC2, prSpacingMark},            // Mc   [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU
+	{0x0BC6, 0x0BC8, prSpacingMark},            // Mc   [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI
+	{0x0BCA, 0x0BCC, prSpacingMark},            // Mc   [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU
+	{0x0BCD, 0x0BCD, prExtend},                 // Mn       TAMIL SIGN VIRAMA
+	{0x0BD7, 0x0BD7, prExtend},                 // Mc       TAMIL AU LENGTH MARK
+	{0x0C00, 0x0C00, prExtend},                 // Mn       TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	{0x0C01, 0x0C03, prSpacingMark},            // Mc   [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA
+	{0x0C04, 0x0C04, prExtend},                 // Mn       TELUGU SIGN COMBINING ANUSVARA ABOVE
+	{0x0C3C, 0x0C3C, prExtend},                 // Mn       TELUGU SIGN NUKTA
+	{0x0C3E, 0x0C40, prExtend},                 // Mn   [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II
+	{0x0C41, 0x0C44, prSpacingMark},            // Mc   [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR
+	{0x0C46, 0x0C48, prExtend},                 // Mn   [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI
+	{0x0C4A, 0x0C4D, prExtend},                 // Mn   [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA
+	{0x0C55, 0x0C56, prExtend},                 // Mn   [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK
+	{0x0C62, 0x0C63, prExtend},                 // Mn   [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL
+	{0x0C81, 0x0C81, prExtend},                 // Mn       KANNADA SIGN CANDRABINDU
+	{0x0C82, 0x0C83, prSpacingMark},            // Mc   [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA
+	{0x0CBC, 0x0CBC, prExtend},                 // Mn       KANNADA SIGN NUKTA
+	{0x0CBE, 0x0CBE, prSpacingMark},            // Mc       KANNADA VOWEL SIGN AA
+	{0x0CBF, 0x0CBF, prExtend},                 // Mn       KANNADA VOWEL SIGN I
+	{0x0CC0, 0x0CC1, prSpacingMark},            // Mc   [2] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN U
+	{0x0CC2, 0x0CC2, prExtend},                 // Mc       KANNADA VOWEL SIGN UU
+	{0x0CC3, 0x0CC4, prSpacingMark},            // Mc   [2] KANNADA VOWEL SIGN VOCALIC R..KANNADA VOWEL SIGN VOCALIC RR
+	{0x0CC6, 0x0CC6, prExtend},                 // Mn       KANNADA VOWEL SIGN E
+	{0x0CC7, 0x0CC8, prSpacingMark},            // Mc   [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI
+	{0x0CCA, 0x0CCB, prSpacingMark},            // Mc   [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO
+	{0x0CCC, 0x0CCD, prExtend},                 // Mn   [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA
+	{0x0CD5, 0x0CD6, prExtend},                 // Mc   [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK
+	{0x0CE2, 0x0CE3, prExtend},                 // Mn   [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL
+	{0x0CF3, 0x0CF3, prSpacingMark},            // Mc       KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT
+	{0x0D00, 0x0D01, prExtend},                 // Mn   [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU
+	{0x0D02, 0x0D03, prSpacingMark},            // Mc   [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA
+	{0x0D3B, 0x0D3C, prExtend},                 // Mn   [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA
+	{0x0D3E, 0x0D3E, prExtend},                 // Mc       MALAYALAM VOWEL SIGN AA
+	{0x0D3F, 0x0D40, prSpacingMark},            // Mc   [2] MALAYALAM VOWEL SIGN I..MALAYALAM VOWEL SIGN II
+	{0x0D41, 0x0D44, prExtend},                 // Mn   [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR
+	{0x0D46, 0x0D48, prSpacingMark},            // Mc   [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI
+	{0x0D4A, 0x0D4C, prSpacingMark},            // Mc   [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU
+	{0x0D4D, 0x0D4D, prExtend},                 // Mn       MALAYALAM SIGN VIRAMA
+	{0x0D4E, 0x0D4E, prPrepend},                // Lo       MALAYALAM LETTER DOT REPH
+	{0x0D57, 0x0D57, prExtend},                 // Mc       MALAYALAM AU LENGTH MARK
+	{0x0D62, 0x0D63, prExtend},                 // Mn   [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL
+	{0x0D81, 0x0D81, prExtend},                 // Mn       SINHALA SIGN CANDRABINDU
+	{0x0D82, 0x0D83, prSpacingMark},            // Mc   [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA
+	{0x0DCA, 0x0DCA, prExtend},                 // Mn       SINHALA SIGN AL-LAKUNA
+	{0x0DCF, 0x0DCF, prExtend},                 // Mc       SINHALA VOWEL SIGN AELA-PILLA
+	{0x0DD0, 0x0DD1, prSpacingMark},            // Mc   [2] SINHALA VOWEL SIGN KETTI AEDA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA
+	{0x0DD2, 0x0DD4, prExtend},                 // Mn   [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA
+	{0x0DD6, 0x0DD6, prExtend},                 // Mn       SINHALA VOWEL SIGN DIGA PAA-PILLA
+	{0x0DD8, 0x0DDE, prSpacingMark},            // Mc   [7] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN KOMBUVA HAA GAYANUKITTA
+	{0x0DDF, 0x0DDF, prExtend},                 // Mc       SINHALA VOWEL SIGN GAYANUKITTA
+	{0x0DF2, 0x0DF3, prSpacingMark},            // Mc   [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA
+	{0x0E31, 0x0E31, prExtend},                 // Mn       THAI CHARACTER MAI HAN-AKAT
+	{0x0E33, 0x0E33, prSpacingMark},            // Lo       THAI CHARACTER SARA AM
+	{0x0E34, 0x0E3A, prExtend},                 // Mn   [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU
+	{0x0E47, 0x0E4E, prExtend},                 // Mn   [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN
+	{0x0EB1, 0x0EB1, prExtend},                 // Mn       LAO VOWEL SIGN MAI KAN
+	{0x0EB3, 0x0EB3, prSpacingMark},            // Lo       LAO VOWEL SIGN AM
+	{0x0EB4, 0x0EBC, prExtend},                 // Mn   [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO
+	{0x0EC8, 0x0ECE, prExtend},                 // Mn   [7] LAO TONE MAI EK..LAO YAMAKKAN
+	{0x0F18, 0x0F19, prExtend},                 // Mn   [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS
+	{0x0F35, 0x0F35, prExtend},                 // Mn       TIBETAN MARK NGAS BZUNG NYI ZLA
+	{0x0F37, 0x0F37, prExtend},                 // Mn       TIBETAN MARK NGAS BZUNG SGOR RTAGS
+	{0x0F39, 0x0F39, prExtend},                 // Mn       TIBETAN MARK TSA -PHRU
+	{0x0F3E, 0x0F3F, prSpacingMark},            // Mc   [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES
+	{0x0F71, 0x0F7E, prExtend},                 // Mn  [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO
+	{0x0F7F, 0x0F7F, prSpacingMark},            // Mc       TIBETAN SIGN RNAM BCAD
+	{0x0F80, 0x0F84, prExtend},                 // Mn   [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA
+	{0x0F86, 0x0F87, prExtend},                 // Mn   [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS
+	{0x0F8D, 0x0F97, prExtend},                 // Mn  [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA
+	{0x0F99, 0x0FBC, prExtend},                 // Mn  [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA
+	{0x0FC6, 0x0FC6, prExtend},                 // Mn       TIBETAN SYMBOL PADMA GDAN
+	{0x102D, 0x1030, prExtend},                 // Mn   [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU
+	{0x1031, 0x1031, prSpacingMark},            // Mc       MYANMAR VOWEL SIGN E
+	{0x1032, 0x1037, prExtend},                 // Mn   [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW
+	{0x1039, 0x103A, prExtend},                 // Mn   [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT
+	{0x103B, 0x103C, prSpacingMark},            // Mc   [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA
+	{0x103D, 0x103E, prExtend},                 // Mn   [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA
+	{0x1056, 0x1057, prSpacingMark},            // Mc   [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR
+	{0x1058, 0x1059, prExtend},                 // Mn   [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL
+	{0x105E, 0x1060, prExtend},                 // Mn   [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA
+	{0x1071, 0x1074, prExtend},                 // Mn   [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE
+	{0x1082, 0x1082, prExtend},                 // Mn       MYANMAR CONSONANT SIGN SHAN MEDIAL WA
+	{0x1084, 0x1084, prSpacingMark},            // Mc       MYANMAR VOWEL SIGN SHAN E
+	{0x1085, 0x1086, prExtend},                 // Mn   [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y
+	{0x108D, 0x108D, prExtend},                 // Mn       MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE
+	{0x109D, 0x109D, prExtend},                 // Mn       MYANMAR VOWEL SIGN AITON AI
+	{0x1100, 0x115F, prL},                      // Lo  [96] HANGUL CHOSEONG KIYEOK..HANGUL CHOSEONG FILLER
+	{0x1160, 0x11A7, prV},                      // Lo  [72] HANGUL JUNGSEONG FILLER..HANGUL JUNGSEONG O-YAE
+	{0x11A8, 0x11FF, prT},                      // Lo  [88] HANGUL JONGSEONG KIYEOK..HANGUL JONGSEONG SSANGNIEUN
+	{0x135D, 0x135F, prExtend},                 // Mn   [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK
+	{0x1712, 0x1714, prExtend},                 // Mn   [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA
+	{0x1715, 0x1715, prSpacingMark},            // Mc       TAGALOG SIGN PAMUDPOD
+	{0x1732, 0x1733, prExtend},                 // Mn   [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U
+	{0x1734, 0x1734, prSpacingMark},            // Mc       HANUNOO SIGN PAMUDPOD
+	{0x1752, 0x1753, prExtend},                 // Mn   [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U
+	{0x1772, 0x1773, prExtend},                 // Mn   [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U
+	{0x17B4, 0x17B5, prExtend},                 // Mn   [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA
+	{0x17B6, 0x17B6, prSpacingMark},            // Mc       KHMER VOWEL SIGN AA
+	{0x17B7, 0x17BD, prExtend},                 // Mn   [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA
+	{0x17BE, 0x17C5, prSpacingMark},            // Mc   [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU
+	{0x17C6, 0x17C6, prExtend},                 // Mn       KHMER SIGN NIKAHIT
+	{0x17C7, 0x17C8, prSpacingMark},            // Mc   [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU
+	{0x17C9, 0x17D3, prExtend},                 // Mn  [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT
+	{0x17DD, 0x17DD, prExtend},                 // Mn       KHMER SIGN ATTHACAN
+	{0x180B, 0x180D, prExtend},                 // Mn   [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE
+	{0x180E, 0x180E, prControl},                // Cf       MONGOLIAN VOWEL SEPARATOR
+	{0x180F, 0x180F, prExtend},                 // Mn       MONGOLIAN FREE VARIATION SELECTOR FOUR
+	{0x1885, 0x1886, prExtend},                 // Mn   [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA
+	{0x18A9, 0x18A9, prExtend},                 // Mn       MONGOLIAN LETTER ALI GALI DAGALGA
+	{0x1920, 0x1922, prExtend},                 // Mn   [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U
+	{0x1923, 0x1926, prSpacingMark},            // Mc   [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU
+	{0x1927, 0x1928, prExtend},                 // Mn   [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O
+	{0x1929, 0x192B, prSpacingMark},            // Mc   [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA
+	{0x1930, 0x1931, prSpacingMark},            // Mc   [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA
+	{0x1932, 0x1932, prExtend},                 // Mn       LIMBU SMALL LETTER ANUSVARA
+	{0x1933, 0x1938, prSpacingMark},            // Mc   [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA
+	{0x1939, 0x193B, prExtend},                 // Mn   [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I
+	{0x1A17, 0x1A18, prExtend},                 // Mn   [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U
+	{0x1A19, 0x1A1A, prSpacingMark},            // Mc   [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O
+	{0x1A1B, 0x1A1B, prExtend},                 // Mn       BUGINESE VOWEL SIGN AE
+	{0x1A55, 0x1A55, prSpacingMark},            // Mc       TAI THAM CONSONANT SIGN MEDIAL RA
+	{0x1A56, 0x1A56, prExtend},                 // Mn       TAI THAM CONSONANT SIGN MEDIAL LA
+	{0x1A57, 0x1A57, prSpacingMark},            // Mc       TAI THAM CONSONANT SIGN LA TANG LAI
+	{0x1A58, 0x1A5E, prExtend},                 // Mn   [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA
+	{0x1A60, 0x1A60, prExtend},                 // Mn       TAI THAM SIGN SAKOT
+	{0x1A62, 0x1A62, prExtend},                 // Mn       TAI THAM VOWEL SIGN MAI SAT
+	{0x1A65, 0x1A6C, prExtend},                 // Mn   [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW
+	{0x1A6D, 0x1A72, prSpacingMark},            // Mc   [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI
+	{0x1A73, 0x1A7C, prExtend},                 // Mn  [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN
+	{0x1A7F, 0x1A7F, prExtend},                 // Mn       TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	{0x1AB0, 0x1ABD, prExtend},                 // Mn  [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW
+	{0x1ABE, 0x1ABE, prExtend},                 // Me       COMBINING PARENTHESES OVERLAY
+	{0x1ABF, 0x1ACE, prExtend},                 // Mn  [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T
+	{0x1B00, 0x1B03, prExtend},                 // Mn   [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG
+	{0x1B04, 0x1B04, prSpacingMark},            // Mc       BALINESE SIGN BISAH
+	{0x1B34, 0x1B34, prExtend},                 // Mn       BALINESE SIGN REREKAN
+	{0x1B35, 0x1B35, prExtend},                 // Mc       BALINESE VOWEL SIGN TEDUNG
+	{0x1B36, 0x1B3A, prExtend},                 // Mn   [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA
+	{0x1B3B, 0x1B3B, prSpacingMark},            // Mc       BALINESE VOWEL SIGN RA REPA TEDUNG
+	{0x1B3C, 0x1B3C, prExtend},                 // Mn       BALINESE VOWEL SIGN LA LENGA
+	{0x1B3D, 0x1B41, prSpacingMark},            // Mc   [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG
+	{0x1B42, 0x1B42, prExtend},                 // Mn       BALINESE VOWEL SIGN PEPET
+	{0x1B43, 0x1B44, prSpacingMark},            // Mc   [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG
+	{0x1B6B, 0x1B73, prExtend},                 // Mn   [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG
+	{0x1B80, 0x1B81, prExtend},                 // Mn   [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR
+	{0x1B82, 0x1B82, prSpacingMark},            // Mc       SUNDANESE SIGN PANGWISAD
+	{0x1BA1, 0x1BA1, prSpacingMark},            // Mc       SUNDANESE CONSONANT SIGN PAMINGKAL
+	{0x1BA2, 0x1BA5, prExtend},                 // Mn   [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU
+	{0x1BA6, 0x1BA7, prSpacingMark},            // Mc   [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG
+	{0x1BA8, 0x1BA9, prExtend},                 // Mn   [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG
+	{0x1BAA, 0x1BAA, prSpacingMark},            // Mc       SUNDANESE SIGN PAMAAEH
+	{0x1BAB, 0x1BAD, prExtend},                 // Mn   [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA
+	{0x1BE6, 0x1BE6, prExtend},                 // Mn       BATAK SIGN TOMPI
+	{0x1BE7, 0x1BE7, prSpacingMark},            // Mc       BATAK VOWEL SIGN E
+	{0x1BE8, 0x1BE9, prExtend},                 // Mn   [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE
+	{0x1BEA, 0x1BEC, prSpacingMark},            // Mc   [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O
+	{0x1BED, 0x1BED, prExtend},                 // Mn       BATAK VOWEL SIGN KARO O
+	{0x1BEE, 0x1BEE, prSpacingMark},            // Mc       BATAK VOWEL SIGN U
+	{0x1BEF, 0x1BF1, prExtend},                 // Mn   [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H
+	{0x1BF2, 0x1BF3, prSpacingMark},            // Mc   [2] BATAK PANGOLAT..BATAK PANONGONAN
+	{0x1C24, 0x1C2B, prSpacingMark},            // Mc   [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU
+	{0x1C2C, 0x1C33, prExtend},                 // Mn   [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T
+	{0x1C34, 0x1C35, prSpacingMark},            // Mc   [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG
+	{0x1C36, 0x1C37, prExtend},                 // Mn   [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA
+	{0x1CD0, 0x1CD2, prExtend},                 // Mn   [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA
+	{0x1CD4, 0x1CE0, prExtend},                 // Mn  [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA
+	{0x1CE1, 0x1CE1, prSpacingMark},            // Mc       VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA
+	{0x1CE2, 0x1CE8, prExtend},                 // Mn   [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL
+	{0x1CED, 0x1CED, prExtend},                 // Mn       VEDIC SIGN TIRYAK
+	{0x1CF4, 0x1CF4, prExtend},                 // Mn       VEDIC TONE CANDRA ABOVE
+	{0x1CF7, 0x1CF7, prSpacingMark},            // Mc       VEDIC SIGN ATIKRAMA
+	{0x1CF8, 0x1CF9, prExtend},                 // Mn   [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE
+	{0x1DC0, 0x1DFF, prExtend},                 // Mn  [64] COMBINING DOTTED GRAVE ACCENT..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+	{0x200B, 0x200B, prControl},                // Cf       ZERO WIDTH SPACE
+	{0x200C, 0x200C, prExtend},                 // Cf       ZERO WIDTH NON-JOINER
+	{0x200D, 0x200D, prZWJ},                    // Cf       ZERO WIDTH JOINER
+	{0x200E, 0x200F, prControl},                // Cf   [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK
+	{0x2028, 0x2028, prControl},                // Zl       LINE SEPARATOR
+	{0x2029, 0x2029, prControl},                // Zp       PARAGRAPH SEPARATOR
+	{0x202A, 0x202E, prControl},                // Cf   [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE
+	{0x203C, 0x203C, prExtendedPictographic},   // E0.6   [1] (‼�)       double exclamation mark
+	{0x2049, 0x2049, prExtendedPictographic},   // E0.6   [1] (��)       exclamation question mark
+	{0x2060, 0x2064, prControl},                // Cf   [5] WORD JOINER..INVISIBLE PLUS
+	{0x2065, 0x2065, prControl},                // Cn       <reserved-2065>
+	{0x2066, 0x206F, prControl},                // Cf  [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES
+	{0x20D0, 0x20DC, prExtend},                 // Mn  [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE
+	{0x20DD, 0x20E0, prExtend},                 // Me   [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH
+	{0x20E1, 0x20E1, prExtend},                 // Mn       COMBINING LEFT RIGHT ARROW ABOVE
+	{0x20E2, 0x20E4, prExtend},                 // Me   [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE
+	{0x20E5, 0x20F0, prExtend},                 // Mn  [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE
+	{0x2122, 0x2122, prExtendedPictographic},   // E0.6   [1] (™�)       trade mark
+	{0x2139, 0x2139, prExtendedPictographic},   // E0.6   [1] (ℹ�)       information
+	{0x2194, 0x2199, prExtendedPictographic},   // E0.6   [6] (↔�..↙�)    left-right arrow..down-left arrow
+	{0x21A9, 0x21AA, prExtendedPictographic},   // E0.6   [2] (↩�..↪�)    right arrow curving left..left arrow curving right
+	{0x231A, 0x231B, prExtendedPictographic},   // E0.6   [2] (⌚..⌛)    watch..hourglass done
+	{0x2328, 0x2328, prExtendedPictographic},   // E1.0   [1] (⌨�)       keyboard
+	{0x2388, 0x2388, prExtendedPictographic},   // E0.0   [1] (⎈)       HELM SYMBOL
+	{0x23CF, 0x23CF, prExtendedPictographic},   // E1.0   [1] (��)       eject button
+	{0x23E9, 0x23EC, prExtendedPictographic},   // E0.6   [4] (�..�)    fast-forward button..fast down button
+	{0x23ED, 0x23EE, prExtendedPictographic},   // E0.7   [2] (��..��)    next track button..last track button
+	{0x23EF, 0x23EF, prExtendedPictographic},   // E1.0   [1] (��)       play or pause button
+	{0x23F0, 0x23F0, prExtendedPictographic},   // E0.6   [1] (�)       alarm clock
+	{0x23F1, 0x23F2, prExtendedPictographic},   // E1.0   [2] (��..��)    stopwatch..timer clock
+	{0x23F3, 0x23F3, prExtendedPictographic},   // E0.6   [1] (�)       hourglass not done
+	{0x23F8, 0x23FA, prExtendedPictographic},   // E0.7   [3] (��..��)    pause button..record button
+	{0x24C2, 0x24C2, prExtendedPictographic},   // E0.6   [1] (Ⓜ�)       circled M
+	{0x25AA, 0x25AB, prExtendedPictographic},   // E0.6   [2] (▪�..▫�)    black small square..white small square
+	{0x25B6, 0x25B6, prExtendedPictographic},   // E0.6   [1] (▶�)       play button
+	{0x25C0, 0x25C0, prExtendedPictographic},   // E0.6   [1] (◀�)       reverse button
+	{0x25FB, 0x25FE, prExtendedPictographic},   // E0.6   [4] (◻�..◾)    white medium square..black medium-small square
+	{0x2600, 0x2601, prExtendedPictographic},   // E0.6   [2] (☀�..��)    sun..cloud
+	{0x2602, 0x2603, prExtendedPictographic},   // E0.7   [2] (☂�..☃�)    umbrella..snowman
+	{0x2604, 0x2604, prExtendedPictographic},   // E1.0   [1] (☄�)       comet
+	{0x2605, 0x2605, prExtendedPictographic},   // E0.0   [1] (★)       BLACK STAR
+	{0x2607, 0x260D, prExtendedPictographic},   // E0.0   [7] (☇..�)    LIGHTNING..OPPOSITION
+	{0x260E, 0x260E, prExtendedPictographic},   // E0.6   [1] (☎�)       telephone
+	{0x260F, 0x2610, prExtendedPictographic},   // E0.0   [2] (�..�)    WHITE TELEPHONE..BALLOT BOX
+	{0x2611, 0x2611, prExtendedPictographic},   // E0.6   [1] (☑�)       check box with check
+	{0x2612, 0x2612, prExtendedPictographic},   // E0.0   [1] (☒)       BALLOT BOX WITH X
+	{0x2614, 0x2615, prExtendedPictographic},   // E0.6   [2] (☔..☕)    umbrella with rain drops..hot beverage
+	{0x2616, 0x2617, prExtendedPictographic},   // E0.0   [2] (☖..☗)    WHITE SHOGI PIECE..BLACK SHOGI PIECE
+	{0x2618, 0x2618, prExtendedPictographic},   // E1.0   [1] (☘�)       shamrock
+	{0x2619, 0x261C, prExtendedPictographic},   // E0.0   [4] (☙..☜)    REVERSED ROTATED FLORAL HEART BULLET..WHITE LEFT POINTING INDEX
+	{0x261D, 0x261D, prExtendedPictographic},   // E0.6   [1] (��)       index pointing up
+	{0x261E, 0x261F, prExtendedPictographic},   // E0.0   [2] (☞..☟)    WHITE RIGHT POINTING INDEX..WHITE DOWN POINTING INDEX
+	{0x2620, 0x2620, prExtendedPictographic},   // E1.0   [1] (☠�)       skull and crossbones
+	{0x2621, 0x2621, prExtendedPictographic},   // E0.0   [1] (☡)       CAUTION SIGN
+	{0x2622, 0x2623, prExtendedPictographic},   // E1.0   [2] (☢�..☣�)    radioactive..biohazard
+	{0x2624, 0x2625, prExtendedPictographic},   // E0.0   [2] (☤..☥)    CADUCEUS..ANKH
+	{0x2626, 0x2626, prExtendedPictographic},   // E1.0   [1] (☦�)       orthodox cross
+	{0x2627, 0x2629, prExtendedPictographic},   // E0.0   [3] (☧..☩)    CHI RHO..CROSS OF JERUSALEM
+	{0x262A, 0x262A, prExtendedPictographic},   // E0.7   [1] (☪�)       star and crescent
+	{0x262B, 0x262D, prExtendedPictographic},   // E0.0   [3] (☫..☭)    FARSI SYMBOL..HAMMER AND SICKLE
+	{0x262E, 0x262E, prExtendedPictographic},   // E1.0   [1] (☮�)       peace symbol
+	{0x262F, 0x262F, prExtendedPictographic},   // E0.7   [1] (☯�)       yin yang
+	{0x2630, 0x2637, prExtendedPictographic},   // E0.0   [8] (☰..☷)    TRIGRAM FOR HEAVEN..TRIGRAM FOR EARTH
+	{0x2638, 0x2639, prExtendedPictographic},   // E0.7   [2] (☸�..☹�)    wheel of dharma..frowning face
+	{0x263A, 0x263A, prExtendedPictographic},   // E0.6   [1] (☺�)       smiling face
+	{0x263B, 0x263F, prExtendedPictographic},   // E0.0   [5] (☻..☿)    BLACK SMILING FACE..MERCURY
+	{0x2640, 0x2640, prExtendedPictographic},   // E4.0   [1] (♀�)       female sign
+	{0x2641, 0x2641, prExtendedPictographic},   // E0.0   [1] (�)       EARTH
+	{0x2642, 0x2642, prExtendedPictographic},   // E4.0   [1] (♂�)       male sign
+	{0x2643, 0x2647, prExtendedPictographic},   // E0.0   [5] (♃..♇)    JUPITER..PLUTO
+	{0x2648, 0x2653, prExtendedPictographic},   // E0.6  [12] (♈..♓)    Aries..Pisces
+	{0x2654, 0x265E, prExtendedPictographic},   // E0.0  [11] (♔..♞)    WHITE CHESS KING..BLACK CHESS KNIGHT
+	{0x265F, 0x265F, prExtendedPictographic},   // E11.0  [1] (♟�)       chess pawn
+	{0x2660, 0x2660, prExtendedPictographic},   // E0.6   [1] (♠�)       spade suit
+	{0x2661, 0x2662, prExtendedPictographic},   // E0.0   [2] (♡..♢)    WHITE HEART SUIT..WHITE DIAMOND SUIT
+	{0x2663, 0x2663, prExtendedPictographic},   // E0.6   [1] (♣�)       club suit
+	{0x2664, 0x2664, prExtendedPictographic},   // E0.0   [1] (♤)       WHITE SPADE SUIT
+	{0x2665, 0x2666, prExtendedPictographic},   // E0.6   [2] (♥�..♦�)    heart suit..diamond suit
+	{0x2667, 0x2667, prExtendedPictographic},   // E0.0   [1] (♧)       WHITE CLUB SUIT
+	{0x2668, 0x2668, prExtendedPictographic},   // E0.6   [1] (♨�)       hot springs
+	{0x2669, 0x267A, prExtendedPictographic},   // E0.0  [18] (♩..♺)    QUARTER NOTE..RECYCLING SYMBOL FOR GENERIC MATERIALS
+	{0x267B, 0x267B, prExtendedPictographic},   // E0.6   [1] (♻�)       recycling symbol
+	{0x267C, 0x267D, prExtendedPictographic},   // E0.0   [2] (♼..♽)    RECYCLED PAPER SYMBOL..PARTIALLY-RECYCLED PAPER SYMBOL
+	{0x267E, 0x267E, prExtendedPictographic},   // E11.0  [1] (♾�)       infinity
+	{0x267F, 0x267F, prExtendedPictographic},   // E0.6   [1] (♿)       wheelchair symbol
+	{0x2680, 0x2685, prExtendedPictographic},   // E0.0   [6] (⚀..⚅)    DIE FACE-1..DIE FACE-6
+	{0x2690, 0x2691, prExtendedPictographic},   // E0.0   [2] (�..⚑)    WHITE FLAG..BLACK FLAG
+	{0x2692, 0x2692, prExtendedPictographic},   // E1.0   [1] (⚒�)       hammer and pick
+	{0x2693, 0x2693, prExtendedPictographic},   // E0.6   [1] (âš“)       anchor
+	{0x2694, 0x2694, prExtendedPictographic},   // E1.0   [1] (⚔�)       crossed swords
+	{0x2695, 0x2695, prExtendedPictographic},   // E4.0   [1] (⚕�)       medical symbol
+	{0x2696, 0x2697, prExtendedPictographic},   // E1.0   [2] (⚖�..⚗�)    balance scale..alembic
+	{0x2698, 0x2698, prExtendedPictographic},   // E0.0   [1] (⚘)       FLOWER
+	{0x2699, 0x2699, prExtendedPictographic},   // E1.0   [1] (⚙�)       gear
+	{0x269A, 0x269A, prExtendedPictographic},   // E0.0   [1] (âšš)       STAFF OF HERMES
+	{0x269B, 0x269C, prExtendedPictographic},   // E1.0   [2] (⚛�..⚜�)    atom symbol..fleur-de-lis
+	{0x269D, 0x269F, prExtendedPictographic},   // E0.0   [3] (�..⚟)    OUTLINED WHITE STAR..THREE LINES CONVERGING LEFT
+	{0x26A0, 0x26A1, prExtendedPictographic},   // E0.6   [2] (⚠�..⚡)    warning..high voltage
+	{0x26A2, 0x26A6, prExtendedPictographic},   // E0.0   [5] (⚢..⚦)    DOUBLED FEMALE SIGN..MALE WITH STROKE SIGN
+	{0x26A7, 0x26A7, prExtendedPictographic},   // E13.0  [1] (⚧�)       transgender symbol
+	{0x26A8, 0x26A9, prExtendedPictographic},   // E0.0   [2] (⚨..⚩)    VERTICAL MALE WITH STROKE SIGN..HORIZONTAL MALE WITH STROKE SIGN
+	{0x26AA, 0x26AB, prExtendedPictographic},   // E0.6   [2] (⚪..⚫)    white circle..black circle
+	{0x26AC, 0x26AF, prExtendedPictographic},   // E0.0   [4] (⚬..⚯)    MEDIUM SMALL WHITE CIRCLE..UNMARRIED PARTNERSHIP SYMBOL
+	{0x26B0, 0x26B1, prExtendedPictographic},   // E1.0   [2] (⚰�..⚱�)    coffin..funeral urn
+	{0x26B2, 0x26BC, prExtendedPictographic},   // E0.0  [11] (âš²..âš¼)    NEUTER..SESQUIQUADRATE
+	{0x26BD, 0x26BE, prExtendedPictographic},   // E0.6   [2] (âš½..âš¾)    soccer ball..baseball
+	{0x26BF, 0x26C3, prExtendedPictographic},   // E0.0   [5] (⚿..⛃)    SQUARED KEY..BLACK DRAUGHTS KING
+	{0x26C4, 0x26C5, prExtendedPictographic},   // E0.6   [2] (⛄..⛅)    snowman without snow..sun behind cloud
+	{0x26C6, 0x26C7, prExtendedPictographic},   // E0.0   [2] (⛆..⛇)    RAIN..BLACK SNOWMAN
+	{0x26C8, 0x26C8, prExtendedPictographic},   // E0.7   [1] (⛈�)       cloud with lightning and rain
+	{0x26C9, 0x26CD, prExtendedPictographic},   // E0.0   [5] (⛉..�)    TURNED WHITE SHOGI PIECE..DISABLED CAR
+	{0x26CE, 0x26CE, prExtendedPictographic},   // E0.6   [1] (⛎)       Ophiuchus
+	{0x26CF, 0x26CF, prExtendedPictographic},   // E0.7   [1] (��)       pick
+	{0x26D0, 0x26D0, prExtendedPictographic},   // E0.0   [1] (�)       CAR SLIDING
+	{0x26D1, 0x26D1, prExtendedPictographic},   // E0.7   [1] (⛑�)       rescue worker’s helmet
+	{0x26D2, 0x26D2, prExtendedPictographic},   // E0.0   [1] (â›’)       CIRCLED CROSSING LANES
+	{0x26D3, 0x26D3, prExtendedPictographic},   // E0.7   [1] (⛓�)       chains
+	{0x26D4, 0x26D4, prExtendedPictographic},   // E0.6   [1] (â›”)       no entry
+	{0x26D5, 0x26E8, prExtendedPictographic},   // E0.0  [20] (⛕..⛨)    ALTERNATE ONE-WAY LEFT WAY TRAFFIC..BLACK CROSS ON SHIELD
+	{0x26E9, 0x26E9, prExtendedPictographic},   // E0.7   [1] (⛩�)       shinto shrine
+	{0x26EA, 0x26EA, prExtendedPictographic},   // E0.6   [1] (⛪)       church
+	{0x26EB, 0x26EF, prExtendedPictographic},   // E0.0   [5] (⛫..⛯)    CASTLE..MAP SYMBOL FOR LIGHTHOUSE
+	{0x26F0, 0x26F1, prExtendedPictographic},   // E0.7   [2] (⛰�..⛱�)    mountain..umbrella on ground
+	{0x26F2, 0x26F3, prExtendedPictographic},   // E0.6   [2] (⛲..⛳)    fountain..flag in hole
+	{0x26F4, 0x26F4, prExtendedPictographic},   // E0.7   [1] (⛴�)       ferry
+	{0x26F5, 0x26F5, prExtendedPictographic},   // E0.6   [1] (⛵)       sailboat
+	{0x26F6, 0x26F6, prExtendedPictographic},   // E0.0   [1] (⛶)       SQUARE FOUR CORNERS
+	{0x26F7, 0x26F9, prExtendedPictographic},   // E0.7   [3] (⛷�..⛹�)    skier..person bouncing ball
+	{0x26FA, 0x26FA, prExtendedPictographic},   // E0.6   [1] (⛺)       tent
+	{0x26FB, 0x26FC, prExtendedPictographic},   // E0.0   [2] (⛻..⛼)    JAPANESE BANK SYMBOL..HEADSTONE GRAVEYARD SYMBOL
+	{0x26FD, 0x26FD, prExtendedPictographic},   // E0.6   [1] (⛽)       fuel pump
+	{0x26FE, 0x2701, prExtendedPictographic},   // E0.0   [4] (⛾..�)    CUP ON BLACK SQUARE..UPPER BLADE SCISSORS
+	{0x2702, 0x2702, prExtendedPictographic},   // E0.6   [1] (✂�)       scissors
+	{0x2703, 0x2704, prExtendedPictographic},   // E0.0   [2] (✃..✄)    LOWER BLADE SCISSORS..WHITE SCISSORS
+	{0x2705, 0x2705, prExtendedPictographic},   // E0.6   [1] (✅)       check mark button
+	{0x2708, 0x270C, prExtendedPictographic},   // E0.6   [5] (✈�..✌�)    airplane..victory hand
+	{0x270D, 0x270D, prExtendedPictographic},   // E0.7   [1] (��)       writing hand
+	{0x270E, 0x270E, prExtendedPictographic},   // E0.0   [1] (✎)       LOWER RIGHT PENCIL
+	{0x270F, 0x270F, prExtendedPictographic},   // E0.6   [1] (��)       pencil
+	{0x2710, 0x2711, prExtendedPictographic},   // E0.0   [2] (�..✑)    UPPER RIGHT PENCIL..WHITE NIB
+	{0x2712, 0x2712, prExtendedPictographic},   // E0.6   [1] (✒�)       black nib
+	{0x2714, 0x2714, prExtendedPictographic},   // E0.6   [1] (✔�)       check mark
+	{0x2716, 0x2716, prExtendedPictographic},   // E0.6   [1] (✖�)       multiply
+	{0x271D, 0x271D, prExtendedPictographic},   // E0.7   [1] (��)       latin cross
+	{0x2721, 0x2721, prExtendedPictographic},   // E0.7   [1] (✡�)       star of David
+	{0x2728, 0x2728, prExtendedPictographic},   // E0.6   [1] (✨)       sparkles
+	{0x2733, 0x2734, prExtendedPictographic},   // E0.6   [2] (✳�..✴�)    eight-spoked asterisk..eight-pointed star
+	{0x2744, 0x2744, prExtendedPictographic},   // E0.6   [1] (��)       snowflake
+	{0x2747, 0x2747, prExtendedPictographic},   // E0.6   [1] (��)       sparkle
+	{0x274C, 0x274C, prExtendedPictographic},   // E0.6   [1] (�)       cross mark
+	{0x274E, 0x274E, prExtendedPictographic},   // E0.6   [1] (�)       cross mark button
+	{0x2753, 0x2755, prExtendedPictographic},   // E0.6   [3] (�..�)    red question mark..white exclamation mark
+	{0x2757, 0x2757, prExtendedPictographic},   // E0.6   [1] (�)       red exclamation mark
+	{0x2763, 0x2763, prExtendedPictographic},   // E1.0   [1] (��)       heart exclamation
+	{0x2764, 0x2764, prExtendedPictographic},   // E0.6   [1] (��)       red heart
+	{0x2765, 0x2767, prExtendedPictographic},   // E0.0   [3] (�..�)    ROTATED HEAVY BLACK HEART BULLET..ROTATED FLORAL HEART BULLET
+	{0x2795, 0x2797, prExtendedPictographic},   // E0.6   [3] (âž•..âž—)    plus..divide
+	{0x27A1, 0x27A1, prExtendedPictographic},   // E0.6   [1] (➡�)       right arrow
+	{0x27B0, 0x27B0, prExtendedPictographic},   // E0.6   [1] (âž°)       curly loop
+	{0x27BF, 0x27BF, prExtendedPictographic},   // E1.0   [1] (âž¿)       double curly loop
+	{0x2934, 0x2935, prExtendedPictographic},   // E0.6   [2] (⤴�..⤵�)    right arrow curving up..right arrow curving down
+	{0x2B05, 0x2B07, prExtendedPictographic},   // E0.6   [3] (⬅�..⬇�)    left arrow..down arrow
+	{0x2B1B, 0x2B1C, prExtendedPictographic},   // E0.6   [2] (⬛..⬜)    black large square..white large square
+	{0x2B50, 0x2B50, prExtendedPictographic},   // E0.6   [1] (â­�)       star
+	{0x2B55, 0x2B55, prExtendedPictographic},   // E0.6   [1] (â­•)       hollow red circle
+	{0x2CEF, 0x2CF1, prExtend},                 // Mn   [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS
+	{0x2D7F, 0x2D7F, prExtend},                 // Mn       TIFINAGH CONSONANT JOINER
+	{0x2DE0, 0x2DFF, prExtend},                 // Mn  [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+	{0x302A, 0x302D, prExtend},                 // Mn   [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK
+	{0x302E, 0x302F, prExtend},                 // Mc   [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK
+	{0x3030, 0x3030, prExtendedPictographic},   // E0.6   [1] (〰�)       wavy dash
+	{0x303D, 0x303D, prExtendedPictographic},   // E0.6   [1] (〽�)       part alternation mark
+	{0x3099, 0x309A, prExtend},                 // Mn   [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK
+	{0x3297, 0x3297, prExtendedPictographic},   // E0.6   [1] (㊗�)       Japanese “congratulations� button
+	{0x3299, 0x3299, prExtendedPictographic},   // E0.6   [1] (㊙�)       Japanese “secret� button
+	{0xA66F, 0xA66F, prExtend},                 // Mn       COMBINING CYRILLIC VZMET
+	{0xA670, 0xA672, prExtend},                 // Me   [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN
+	{0xA674, 0xA67D, prExtend},                 // Mn  [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK
+	{0xA69E, 0xA69F, prExtend},                 // Mn   [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E
+	{0xA6F0, 0xA6F1, prExtend},                 // Mn   [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS
+	{0xA802, 0xA802, prExtend},                 // Mn       SYLOTI NAGRI SIGN DVISVARA
+	{0xA806, 0xA806, prExtend},                 // Mn       SYLOTI NAGRI SIGN HASANTA
+	{0xA80B, 0xA80B, prExtend},                 // Mn       SYLOTI NAGRI SIGN ANUSVARA
+	{0xA823, 0xA824, prSpacingMark},            // Mc   [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I
+	{0xA825, 0xA826, prExtend},                 // Mn   [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E
+	{0xA827, 0xA827, prSpacingMark},            // Mc       SYLOTI NAGRI VOWEL SIGN OO
+	{0xA82C, 0xA82C, prExtend},                 // Mn       SYLOTI NAGRI SIGN ALTERNATE HASANTA
+	{0xA880, 0xA881, prSpacingMark},            // Mc   [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA
+	{0xA8B4, 0xA8C3, prSpacingMark},            // Mc  [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU
+	{0xA8C4, 0xA8C5, prExtend},                 // Mn   [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU
+	{0xA8E0, 0xA8F1, prExtend},                 // Mn  [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA
+	{0xA8FF, 0xA8FF, prExtend},                 // Mn       DEVANAGARI VOWEL SIGN AY
+	{0xA926, 0xA92D, prExtend},                 // Mn   [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU
+	{0xA947, 0xA951, prExtend},                 // Mn  [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R
+	{0xA952, 0xA953, prSpacingMark},            // Mc   [2] REJANG CONSONANT SIGN H..REJANG VIRAMA
+	{0xA960, 0xA97C, prL},                      // Lo  [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH
+	{0xA980, 0xA982, prExtend},                 // Mn   [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR
+	{0xA983, 0xA983, prSpacingMark},            // Mc       JAVANESE SIGN WIGNYAN
+	{0xA9B3, 0xA9B3, prExtend},                 // Mn       JAVANESE SIGN CECAK TELU
+	{0xA9B4, 0xA9B5, prSpacingMark},            // Mc   [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG
+	{0xA9B6, 0xA9B9, prExtend},                 // Mn   [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT
+	{0xA9BA, 0xA9BB, prSpacingMark},            // Mc   [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE
+	{0xA9BC, 0xA9BD, prExtend},                 // Mn   [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET
+	{0xA9BE, 0xA9C0, prSpacingMark},            // Mc   [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON
+	{0xA9E5, 0xA9E5, prExtend},                 // Mn       MYANMAR SIGN SHAN SAW
+	{0xAA29, 0xAA2E, prExtend},                 // Mn   [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE
+	{0xAA2F, 0xAA30, prSpacingMark},            // Mc   [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI
+	{0xAA31, 0xAA32, prExtend},                 // Mn   [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE
+	{0xAA33, 0xAA34, prSpacingMark},            // Mc   [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA
+	{0xAA35, 0xAA36, prExtend},                 // Mn   [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA
+	{0xAA43, 0xAA43, prExtend},                 // Mn       CHAM CONSONANT SIGN FINAL NG
+	{0xAA4C, 0xAA4C, prExtend},                 // Mn       CHAM CONSONANT SIGN FINAL M
+	{0xAA4D, 0xAA4D, prSpacingMark},            // Mc       CHAM CONSONANT SIGN FINAL H
+	{0xAA7C, 0xAA7C, prExtend},                 // Mn       MYANMAR SIGN TAI LAING TONE-2
+	{0xAAB0, 0xAAB0, prExtend},                 // Mn       TAI VIET MAI KANG
+	{0xAAB2, 0xAAB4, prExtend},                 // Mn   [3] TAI VIET VOWEL I..TAI VIET VOWEL U
+	{0xAAB7, 0xAAB8, prExtend},                 // Mn   [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA
+	{0xAABE, 0xAABF, prExtend},                 // Mn   [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK
+	{0xAAC1, 0xAAC1, prExtend},                 // Mn       TAI VIET TONE MAI THO
+	{0xAAEB, 0xAAEB, prSpacingMark},            // Mc       MEETEI MAYEK VOWEL SIGN II
+	{0xAAEC, 0xAAED, prExtend},                 // Mn   [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI
+	{0xAAEE, 0xAAEF, prSpacingMark},            // Mc   [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU
+	{0xAAF5, 0xAAF5, prSpacingMark},            // Mc       MEETEI MAYEK VOWEL SIGN VISARGA
+	{0xAAF6, 0xAAF6, prExtend},                 // Mn       MEETEI MAYEK VIRAMA
+	{0xABE3, 0xABE4, prSpacingMark},            // Mc   [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP
+	{0xABE5, 0xABE5, prExtend},                 // Mn       MEETEI MAYEK VOWEL SIGN ANAP
+	{0xABE6, 0xABE7, prSpacingMark},            // Mc   [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP
+	{0xABE8, 0xABE8, prExtend},                 // Mn       MEETEI MAYEK VOWEL SIGN UNAP
+	{0xABE9, 0xABEA, prSpacingMark},            // Mc   [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG
+	{0xABEC, 0xABEC, prSpacingMark},            // Mc       MEETEI MAYEK LUM IYEK
+	{0xABED, 0xABED, prExtend},                 // Mn       MEETEI MAYEK APUN IYEK
+	{0xAC00, 0xAC00, prLV},                     // Lo       HANGUL SYLLABLE GA
+	{0xAC01, 0xAC1B, prLVT},                    // Lo  [27] HANGUL SYLLABLE GAG..HANGUL SYLLABLE GAH
+	{0xAC1C, 0xAC1C, prLV},                     // Lo       HANGUL SYLLABLE GAE
+	{0xAC1D, 0xAC37, prLVT},                    // Lo  [27] HANGUL SYLLABLE GAEG..HANGUL SYLLABLE GAEH
+	{0xAC38, 0xAC38, prLV},                     // Lo       HANGUL SYLLABLE GYA
+	{0xAC39, 0xAC53, prLVT},                    // Lo  [27] HANGUL SYLLABLE GYAG..HANGUL SYLLABLE GYAH
+	{0xAC54, 0xAC54, prLV},                     // Lo       HANGUL SYLLABLE GYAE
+	{0xAC55, 0xAC6F, prLVT},                    // Lo  [27] HANGUL SYLLABLE GYAEG..HANGUL SYLLABLE GYAEH
+	{0xAC70, 0xAC70, prLV},                     // Lo       HANGUL SYLLABLE GEO
+	{0xAC71, 0xAC8B, prLVT},                    // Lo  [27] HANGUL SYLLABLE GEOG..HANGUL SYLLABLE GEOH
+	{0xAC8C, 0xAC8C, prLV},                     // Lo       HANGUL SYLLABLE GE
+	{0xAC8D, 0xACA7, prLVT},                    // Lo  [27] HANGUL SYLLABLE GEG..HANGUL SYLLABLE GEH
+	{0xACA8, 0xACA8, prLV},                     // Lo       HANGUL SYLLABLE GYEO
+	{0xACA9, 0xACC3, prLVT},                    // Lo  [27] HANGUL SYLLABLE GYEOG..HANGUL SYLLABLE GYEOH
+	{0xACC4, 0xACC4, prLV},                     // Lo       HANGUL SYLLABLE GYE
+	{0xACC5, 0xACDF, prLVT},                    // Lo  [27] HANGUL SYLLABLE GYEG..HANGUL SYLLABLE GYEH
+	{0xACE0, 0xACE0, prLV},                     // Lo       HANGUL SYLLABLE GO
+	{0xACE1, 0xACFB, prLVT},                    // Lo  [27] HANGUL SYLLABLE GOG..HANGUL SYLLABLE GOH
+	{0xACFC, 0xACFC, prLV},                     // Lo       HANGUL SYLLABLE GWA
+	{0xACFD, 0xAD17, prLVT},                    // Lo  [27] HANGUL SYLLABLE GWAG..HANGUL SYLLABLE GWAH
+	{0xAD18, 0xAD18, prLV},                     // Lo       HANGUL SYLLABLE GWAE
+	{0xAD19, 0xAD33, prLVT},                    // Lo  [27] HANGUL SYLLABLE GWAEG..HANGUL SYLLABLE GWAEH
+	{0xAD34, 0xAD34, prLV},                     // Lo       HANGUL SYLLABLE GOE
+	{0xAD35, 0xAD4F, prLVT},                    // Lo  [27] HANGUL SYLLABLE GOEG..HANGUL SYLLABLE GOEH
+	{0xAD50, 0xAD50, prLV},                     // Lo       HANGUL SYLLABLE GYO
+	{0xAD51, 0xAD6B, prLVT},                    // Lo  [27] HANGUL SYLLABLE GYOG..HANGUL SYLLABLE GYOH
+	{0xAD6C, 0xAD6C, prLV},                     // Lo       HANGUL SYLLABLE GU
+	{0xAD6D, 0xAD87, prLVT},                    // Lo  [27] HANGUL SYLLABLE GUG..HANGUL SYLLABLE GUH
+	{0xAD88, 0xAD88, prLV},                     // Lo       HANGUL SYLLABLE GWEO
+	{0xAD89, 0xADA3, prLVT},                    // Lo  [27] HANGUL SYLLABLE GWEOG..HANGUL SYLLABLE GWEOH
+	{0xADA4, 0xADA4, prLV},                     // Lo       HANGUL SYLLABLE GWE
+	{0xADA5, 0xADBF, prLVT},                    // Lo  [27] HANGUL SYLLABLE GWEG..HANGUL SYLLABLE GWEH
+	{0xADC0, 0xADC0, prLV},                     // Lo       HANGUL SYLLABLE GWI
+	{0xADC1, 0xADDB, prLVT},                    // Lo  [27] HANGUL SYLLABLE GWIG..HANGUL SYLLABLE GWIH
+	{0xADDC, 0xADDC, prLV},                     // Lo       HANGUL SYLLABLE GYU
+	{0xADDD, 0xADF7, prLVT},                    // Lo  [27] HANGUL SYLLABLE GYUG..HANGUL SYLLABLE GYUH
+	{0xADF8, 0xADF8, prLV},                     // Lo       HANGUL SYLLABLE GEU
+	{0xADF9, 0xAE13, prLVT},                    // Lo  [27] HANGUL SYLLABLE GEUG..HANGUL SYLLABLE GEUH
+	{0xAE14, 0xAE14, prLV},                     // Lo       HANGUL SYLLABLE GYI
+	{0xAE15, 0xAE2F, prLVT},                    // Lo  [27] HANGUL SYLLABLE GYIG..HANGUL SYLLABLE GYIH
+	{0xAE30, 0xAE30, prLV},                     // Lo       HANGUL SYLLABLE GI
+	{0xAE31, 0xAE4B, prLVT},                    // Lo  [27] HANGUL SYLLABLE GIG..HANGUL SYLLABLE GIH
+	{0xAE4C, 0xAE4C, prLV},                     // Lo       HANGUL SYLLABLE GGA
+	{0xAE4D, 0xAE67, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGAG..HANGUL SYLLABLE GGAH
+	{0xAE68, 0xAE68, prLV},                     // Lo       HANGUL SYLLABLE GGAE
+	{0xAE69, 0xAE83, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGAEG..HANGUL SYLLABLE GGAEH
+	{0xAE84, 0xAE84, prLV},                     // Lo       HANGUL SYLLABLE GGYA
+	{0xAE85, 0xAE9F, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGYAG..HANGUL SYLLABLE GGYAH
+	{0xAEA0, 0xAEA0, prLV},                     // Lo       HANGUL SYLLABLE GGYAE
+	{0xAEA1, 0xAEBB, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGYAEG..HANGUL SYLLABLE GGYAEH
+	{0xAEBC, 0xAEBC, prLV},                     // Lo       HANGUL SYLLABLE GGEO
+	{0xAEBD, 0xAED7, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGEOG..HANGUL SYLLABLE GGEOH
+	{0xAED8, 0xAED8, prLV},                     // Lo       HANGUL SYLLABLE GGE
+	{0xAED9, 0xAEF3, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGEG..HANGUL SYLLABLE GGEH
+	{0xAEF4, 0xAEF4, prLV},                     // Lo       HANGUL SYLLABLE GGYEO
+	{0xAEF5, 0xAF0F, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGYEOG..HANGUL SYLLABLE GGYEOH
+	{0xAF10, 0xAF10, prLV},                     // Lo       HANGUL SYLLABLE GGYE
+	{0xAF11, 0xAF2B, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGYEG..HANGUL SYLLABLE GGYEH
+	{0xAF2C, 0xAF2C, prLV},                     // Lo       HANGUL SYLLABLE GGO
+	{0xAF2D, 0xAF47, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGOG..HANGUL SYLLABLE GGOH
+	{0xAF48, 0xAF48, prLV},                     // Lo       HANGUL SYLLABLE GGWA
+	{0xAF49, 0xAF63, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGWAG..HANGUL SYLLABLE GGWAH
+	{0xAF64, 0xAF64, prLV},                     // Lo       HANGUL SYLLABLE GGWAE
+	{0xAF65, 0xAF7F, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGWAEG..HANGUL SYLLABLE GGWAEH
+	{0xAF80, 0xAF80, prLV},                     // Lo       HANGUL SYLLABLE GGOE
+	{0xAF81, 0xAF9B, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGOEG..HANGUL SYLLABLE GGOEH
+	{0xAF9C, 0xAF9C, prLV},                     // Lo       HANGUL SYLLABLE GGYO
+	{0xAF9D, 0xAFB7, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGYOG..HANGUL SYLLABLE GGYOH
+	{0xAFB8, 0xAFB8, prLV},                     // Lo       HANGUL SYLLABLE GGU
+	{0xAFB9, 0xAFD3, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGUG..HANGUL SYLLABLE GGUH
+	{0xAFD4, 0xAFD4, prLV},                     // Lo       HANGUL SYLLABLE GGWEO
+	{0xAFD5, 0xAFEF, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGWEOG..HANGUL SYLLABLE GGWEOH
+	{0xAFF0, 0xAFF0, prLV},                     // Lo       HANGUL SYLLABLE GGWE
+	{0xAFF1, 0xB00B, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGWEG..HANGUL SYLLABLE GGWEH
+	{0xB00C, 0xB00C, prLV},                     // Lo       HANGUL SYLLABLE GGWI
+	{0xB00D, 0xB027, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGWIG..HANGUL SYLLABLE GGWIH
+	{0xB028, 0xB028, prLV},                     // Lo       HANGUL SYLLABLE GGYU
+	{0xB029, 0xB043, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGYUG..HANGUL SYLLABLE GGYUH
+	{0xB044, 0xB044, prLV},                     // Lo       HANGUL SYLLABLE GGEU
+	{0xB045, 0xB05F, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGEUG..HANGUL SYLLABLE GGEUH
+	{0xB060, 0xB060, prLV},                     // Lo       HANGUL SYLLABLE GGYI
+	{0xB061, 0xB07B, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGYIG..HANGUL SYLLABLE GGYIH
+	{0xB07C, 0xB07C, prLV},                     // Lo       HANGUL SYLLABLE GGI
+	{0xB07D, 0xB097, prLVT},                    // Lo  [27] HANGUL SYLLABLE GGIG..HANGUL SYLLABLE GGIH
+	{0xB098, 0xB098, prLV},                     // Lo       HANGUL SYLLABLE NA
+	{0xB099, 0xB0B3, prLVT},                    // Lo  [27] HANGUL SYLLABLE NAG..HANGUL SYLLABLE NAH
+	{0xB0B4, 0xB0B4, prLV},                     // Lo       HANGUL SYLLABLE NAE
+	{0xB0B5, 0xB0CF, prLVT},                    // Lo  [27] HANGUL SYLLABLE NAEG..HANGUL SYLLABLE NAEH
+	{0xB0D0, 0xB0D0, prLV},                     // Lo       HANGUL SYLLABLE NYA
+	{0xB0D1, 0xB0EB, prLVT},                    // Lo  [27] HANGUL SYLLABLE NYAG..HANGUL SYLLABLE NYAH
+	{0xB0EC, 0xB0EC, prLV},                     // Lo       HANGUL SYLLABLE NYAE
+	{0xB0ED, 0xB107, prLVT},                    // Lo  [27] HANGUL SYLLABLE NYAEG..HANGUL SYLLABLE NYAEH
+	{0xB108, 0xB108, prLV},                     // Lo       HANGUL SYLLABLE NEO
+	{0xB109, 0xB123, prLVT},                    // Lo  [27] HANGUL SYLLABLE NEOG..HANGUL SYLLABLE NEOH
+	{0xB124, 0xB124, prLV},                     // Lo       HANGUL SYLLABLE NE
+	{0xB125, 0xB13F, prLVT},                    // Lo  [27] HANGUL SYLLABLE NEG..HANGUL SYLLABLE NEH
+	{0xB140, 0xB140, prLV},                     // Lo       HANGUL SYLLABLE NYEO
+	{0xB141, 0xB15B, prLVT},                    // Lo  [27] HANGUL SYLLABLE NYEOG..HANGUL SYLLABLE NYEOH
+	{0xB15C, 0xB15C, prLV},                     // Lo       HANGUL SYLLABLE NYE
+	{0xB15D, 0xB177, prLVT},                    // Lo  [27] HANGUL SYLLABLE NYEG..HANGUL SYLLABLE NYEH
+	{0xB178, 0xB178, prLV},                     // Lo       HANGUL SYLLABLE NO
+	{0xB179, 0xB193, prLVT},                    // Lo  [27] HANGUL SYLLABLE NOG..HANGUL SYLLABLE NOH
+	{0xB194, 0xB194, prLV},                     // Lo       HANGUL SYLLABLE NWA
+	{0xB195, 0xB1AF, prLVT},                    // Lo  [27] HANGUL SYLLABLE NWAG..HANGUL SYLLABLE NWAH
+	{0xB1B0, 0xB1B0, prLV},                     // Lo       HANGUL SYLLABLE NWAE
+	{0xB1B1, 0xB1CB, prLVT},                    // Lo  [27] HANGUL SYLLABLE NWAEG..HANGUL SYLLABLE NWAEH
+	{0xB1CC, 0xB1CC, prLV},                     // Lo       HANGUL SYLLABLE NOE
+	{0xB1CD, 0xB1E7, prLVT},                    // Lo  [27] HANGUL SYLLABLE NOEG..HANGUL SYLLABLE NOEH
+	{0xB1E8, 0xB1E8, prLV},                     // Lo       HANGUL SYLLABLE NYO
+	{0xB1E9, 0xB203, prLVT},                    // Lo  [27] HANGUL SYLLABLE NYOG..HANGUL SYLLABLE NYOH
+	{0xB204, 0xB204, prLV},                     // Lo       HANGUL SYLLABLE NU
+	{0xB205, 0xB21F, prLVT},                    // Lo  [27] HANGUL SYLLABLE NUG..HANGUL SYLLABLE NUH
+	{0xB220, 0xB220, prLV},                     // Lo       HANGUL SYLLABLE NWEO
+	{0xB221, 0xB23B, prLVT},                    // Lo  [27] HANGUL SYLLABLE NWEOG..HANGUL SYLLABLE NWEOH
+	{0xB23C, 0xB23C, prLV},                     // Lo       HANGUL SYLLABLE NWE
+	{0xB23D, 0xB257, prLVT},                    // Lo  [27] HANGUL SYLLABLE NWEG..HANGUL SYLLABLE NWEH
+	{0xB258, 0xB258, prLV},                     // Lo       HANGUL SYLLABLE NWI
+	{0xB259, 0xB273, prLVT},                    // Lo  [27] HANGUL SYLLABLE NWIG..HANGUL SYLLABLE NWIH
+	{0xB274, 0xB274, prLV},                     // Lo       HANGUL SYLLABLE NYU
+	{0xB275, 0xB28F, prLVT},                    // Lo  [27] HANGUL SYLLABLE NYUG..HANGUL SYLLABLE NYUH
+	{0xB290, 0xB290, prLV},                     // Lo       HANGUL SYLLABLE NEU
+	{0xB291, 0xB2AB, prLVT},                    // Lo  [27] HANGUL SYLLABLE NEUG..HANGUL SYLLABLE NEUH
+	{0xB2AC, 0xB2AC, prLV},                     // Lo       HANGUL SYLLABLE NYI
+	{0xB2AD, 0xB2C7, prLVT},                    // Lo  [27] HANGUL SYLLABLE NYIG..HANGUL SYLLABLE NYIH
+	{0xB2C8, 0xB2C8, prLV},                     // Lo       HANGUL SYLLABLE NI
+	{0xB2C9, 0xB2E3, prLVT},                    // Lo  [27] HANGUL SYLLABLE NIG..HANGUL SYLLABLE NIH
+	{0xB2E4, 0xB2E4, prLV},                     // Lo       HANGUL SYLLABLE DA
+	{0xB2E5, 0xB2FF, prLVT},                    // Lo  [27] HANGUL SYLLABLE DAG..HANGUL SYLLABLE DAH
+	{0xB300, 0xB300, prLV},                     // Lo       HANGUL SYLLABLE DAE
+	{0xB301, 0xB31B, prLVT},                    // Lo  [27] HANGUL SYLLABLE DAEG..HANGUL SYLLABLE DAEH
+	{0xB31C, 0xB31C, prLV},                     // Lo       HANGUL SYLLABLE DYA
+	{0xB31D, 0xB337, prLVT},                    // Lo  [27] HANGUL SYLLABLE DYAG..HANGUL SYLLABLE DYAH
+	{0xB338, 0xB338, prLV},                     // Lo       HANGUL SYLLABLE DYAE
+	{0xB339, 0xB353, prLVT},                    // Lo  [27] HANGUL SYLLABLE DYAEG..HANGUL SYLLABLE DYAEH
+	{0xB354, 0xB354, prLV},                     // Lo       HANGUL SYLLABLE DEO
+	{0xB355, 0xB36F, prLVT},                    // Lo  [27] HANGUL SYLLABLE DEOG..HANGUL SYLLABLE DEOH
+	{0xB370, 0xB370, prLV},                     // Lo       HANGUL SYLLABLE DE
+	{0xB371, 0xB38B, prLVT},                    // Lo  [27] HANGUL SYLLABLE DEG..HANGUL SYLLABLE DEH
+	{0xB38C, 0xB38C, prLV},                     // Lo       HANGUL SYLLABLE DYEO
+	{0xB38D, 0xB3A7, prLVT},                    // Lo  [27] HANGUL SYLLABLE DYEOG..HANGUL SYLLABLE DYEOH
+	{0xB3A8, 0xB3A8, prLV},                     // Lo       HANGUL SYLLABLE DYE
+	{0xB3A9, 0xB3C3, prLVT},                    // Lo  [27] HANGUL SYLLABLE DYEG..HANGUL SYLLABLE DYEH
+	{0xB3C4, 0xB3C4, prLV},                     // Lo       HANGUL SYLLABLE DO
+	{0xB3C5, 0xB3DF, prLVT},                    // Lo  [27] HANGUL SYLLABLE DOG..HANGUL SYLLABLE DOH
+	{0xB3E0, 0xB3E0, prLV},                     // Lo       HANGUL SYLLABLE DWA
+	{0xB3E1, 0xB3FB, prLVT},                    // Lo  [27] HANGUL SYLLABLE DWAG..HANGUL SYLLABLE DWAH
+	{0xB3FC, 0xB3FC, prLV},                     // Lo       HANGUL SYLLABLE DWAE
+	{0xB3FD, 0xB417, prLVT},                    // Lo  [27] HANGUL SYLLABLE DWAEG..HANGUL SYLLABLE DWAEH
+	{0xB418, 0xB418, prLV},                     // Lo       HANGUL SYLLABLE DOE
+	{0xB419, 0xB433, prLVT},                    // Lo  [27] HANGUL SYLLABLE DOEG..HANGUL SYLLABLE DOEH
+	{0xB434, 0xB434, prLV},                     // Lo       HANGUL SYLLABLE DYO
+	{0xB435, 0xB44F, prLVT},                    // Lo  [27] HANGUL SYLLABLE DYOG..HANGUL SYLLABLE DYOH
+	{0xB450, 0xB450, prLV},                     // Lo       HANGUL SYLLABLE DU
+	{0xB451, 0xB46B, prLVT},                    // Lo  [27] HANGUL SYLLABLE DUG..HANGUL SYLLABLE DUH
+	{0xB46C, 0xB46C, prLV},                     // Lo       HANGUL SYLLABLE DWEO
+	{0xB46D, 0xB487, prLVT},                    // Lo  [27] HANGUL SYLLABLE DWEOG..HANGUL SYLLABLE DWEOH
+	{0xB488, 0xB488, prLV},                     // Lo       HANGUL SYLLABLE DWE
+	{0xB489, 0xB4A3, prLVT},                    // Lo  [27] HANGUL SYLLABLE DWEG..HANGUL SYLLABLE DWEH
+	{0xB4A4, 0xB4A4, prLV},                     // Lo       HANGUL SYLLABLE DWI
+	{0xB4A5, 0xB4BF, prLVT},                    // Lo  [27] HANGUL SYLLABLE DWIG..HANGUL SYLLABLE DWIH
+	{0xB4C0, 0xB4C0, prLV},                     // Lo       HANGUL SYLLABLE DYU
+	{0xB4C1, 0xB4DB, prLVT},                    // Lo  [27] HANGUL SYLLABLE DYUG..HANGUL SYLLABLE DYUH
+	{0xB4DC, 0xB4DC, prLV},                     // Lo       HANGUL SYLLABLE DEU
+	{0xB4DD, 0xB4F7, prLVT},                    // Lo  [27] HANGUL SYLLABLE DEUG..HANGUL SYLLABLE DEUH
+	{0xB4F8, 0xB4F8, prLV},                     // Lo       HANGUL SYLLABLE DYI
+	{0xB4F9, 0xB513, prLVT},                    // Lo  [27] HANGUL SYLLABLE DYIG..HANGUL SYLLABLE DYIH
+	{0xB514, 0xB514, prLV},                     // Lo       HANGUL SYLLABLE DI
+	{0xB515, 0xB52F, prLVT},                    // Lo  [27] HANGUL SYLLABLE DIG..HANGUL SYLLABLE DIH
+	{0xB530, 0xB530, prLV},                     // Lo       HANGUL SYLLABLE DDA
+	{0xB531, 0xB54B, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDAG..HANGUL SYLLABLE DDAH
+	{0xB54C, 0xB54C, prLV},                     // Lo       HANGUL SYLLABLE DDAE
+	{0xB54D, 0xB567, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDAEG..HANGUL SYLLABLE DDAEH
+	{0xB568, 0xB568, prLV},                     // Lo       HANGUL SYLLABLE DDYA
+	{0xB569, 0xB583, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDYAG..HANGUL SYLLABLE DDYAH
+	{0xB584, 0xB584, prLV},                     // Lo       HANGUL SYLLABLE DDYAE
+	{0xB585, 0xB59F, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDYAEG..HANGUL SYLLABLE DDYAEH
+	{0xB5A0, 0xB5A0, prLV},                     // Lo       HANGUL SYLLABLE DDEO
+	{0xB5A1, 0xB5BB, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDEOG..HANGUL SYLLABLE DDEOH
+	{0xB5BC, 0xB5BC, prLV},                     // Lo       HANGUL SYLLABLE DDE
+	{0xB5BD, 0xB5D7, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDEG..HANGUL SYLLABLE DDEH
+	{0xB5D8, 0xB5D8, prLV},                     // Lo       HANGUL SYLLABLE DDYEO
+	{0xB5D9, 0xB5F3, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDYEOG..HANGUL SYLLABLE DDYEOH
+	{0xB5F4, 0xB5F4, prLV},                     // Lo       HANGUL SYLLABLE DDYE
+	{0xB5F5, 0xB60F, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDYEG..HANGUL SYLLABLE DDYEH
+	{0xB610, 0xB610, prLV},                     // Lo       HANGUL SYLLABLE DDO
+	{0xB611, 0xB62B, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDOG..HANGUL SYLLABLE DDOH
+	{0xB62C, 0xB62C, prLV},                     // Lo       HANGUL SYLLABLE DDWA
+	{0xB62D, 0xB647, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDWAG..HANGUL SYLLABLE DDWAH
+	{0xB648, 0xB648, prLV},                     // Lo       HANGUL SYLLABLE DDWAE
+	{0xB649, 0xB663, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDWAEG..HANGUL SYLLABLE DDWAEH
+	{0xB664, 0xB664, prLV},                     // Lo       HANGUL SYLLABLE DDOE
+	{0xB665, 0xB67F, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDOEG..HANGUL SYLLABLE DDOEH
+	{0xB680, 0xB680, prLV},                     // Lo       HANGUL SYLLABLE DDYO
+	{0xB681, 0xB69B, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDYOG..HANGUL SYLLABLE DDYOH
+	{0xB69C, 0xB69C, prLV},                     // Lo       HANGUL SYLLABLE DDU
+	{0xB69D, 0xB6B7, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDUG..HANGUL SYLLABLE DDUH
+	{0xB6B8, 0xB6B8, prLV},                     // Lo       HANGUL SYLLABLE DDWEO
+	{0xB6B9, 0xB6D3, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDWEOG..HANGUL SYLLABLE DDWEOH
+	{0xB6D4, 0xB6D4, prLV},                     // Lo       HANGUL SYLLABLE DDWE
+	{0xB6D5, 0xB6EF, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDWEG..HANGUL SYLLABLE DDWEH
+	{0xB6F0, 0xB6F0, prLV},                     // Lo       HANGUL SYLLABLE DDWI
+	{0xB6F1, 0xB70B, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDWIG..HANGUL SYLLABLE DDWIH
+	{0xB70C, 0xB70C, prLV},                     // Lo       HANGUL SYLLABLE DDYU
+	{0xB70D, 0xB727, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDYUG..HANGUL SYLLABLE DDYUH
+	{0xB728, 0xB728, prLV},                     // Lo       HANGUL SYLLABLE DDEU
+	{0xB729, 0xB743, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDEUG..HANGUL SYLLABLE DDEUH
+	{0xB744, 0xB744, prLV},                     // Lo       HANGUL SYLLABLE DDYI
+	{0xB745, 0xB75F, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDYIG..HANGUL SYLLABLE DDYIH
+	{0xB760, 0xB760, prLV},                     // Lo       HANGUL SYLLABLE DDI
+	{0xB761, 0xB77B, prLVT},                    // Lo  [27] HANGUL SYLLABLE DDIG..HANGUL SYLLABLE DDIH
+	{0xB77C, 0xB77C, prLV},                     // Lo       HANGUL SYLLABLE RA
+	{0xB77D, 0xB797, prLVT},                    // Lo  [27] HANGUL SYLLABLE RAG..HANGUL SYLLABLE RAH
+	{0xB798, 0xB798, prLV},                     // Lo       HANGUL SYLLABLE RAE
+	{0xB799, 0xB7B3, prLVT},                    // Lo  [27] HANGUL SYLLABLE RAEG..HANGUL SYLLABLE RAEH
+	{0xB7B4, 0xB7B4, prLV},                     // Lo       HANGUL SYLLABLE RYA
+	{0xB7B5, 0xB7CF, prLVT},                    // Lo  [27] HANGUL SYLLABLE RYAG..HANGUL SYLLABLE RYAH
+	{0xB7D0, 0xB7D0, prLV},                     // Lo       HANGUL SYLLABLE RYAE
+	{0xB7D1, 0xB7EB, prLVT},                    // Lo  [27] HANGUL SYLLABLE RYAEG..HANGUL SYLLABLE RYAEH
+	{0xB7EC, 0xB7EC, prLV},                     // Lo       HANGUL SYLLABLE REO
+	{0xB7ED, 0xB807, prLVT},                    // Lo  [27] HANGUL SYLLABLE REOG..HANGUL SYLLABLE REOH
+	{0xB808, 0xB808, prLV},                     // Lo       HANGUL SYLLABLE RE
+	{0xB809, 0xB823, prLVT},                    // Lo  [27] HANGUL SYLLABLE REG..HANGUL SYLLABLE REH
+	{0xB824, 0xB824, prLV},                     // Lo       HANGUL SYLLABLE RYEO
+	{0xB825, 0xB83F, prLVT},                    // Lo  [27] HANGUL SYLLABLE RYEOG..HANGUL SYLLABLE RYEOH
+	{0xB840, 0xB840, prLV},                     // Lo       HANGUL SYLLABLE RYE
+	{0xB841, 0xB85B, prLVT},                    // Lo  [27] HANGUL SYLLABLE RYEG..HANGUL SYLLABLE RYEH
+	{0xB85C, 0xB85C, prLV},                     // Lo       HANGUL SYLLABLE RO
+	{0xB85D, 0xB877, prLVT},                    // Lo  [27] HANGUL SYLLABLE ROG..HANGUL SYLLABLE ROH
+	{0xB878, 0xB878, prLV},                     // Lo       HANGUL SYLLABLE RWA
+	{0xB879, 0xB893, prLVT},                    // Lo  [27] HANGUL SYLLABLE RWAG..HANGUL SYLLABLE RWAH
+	{0xB894, 0xB894, prLV},                     // Lo       HANGUL SYLLABLE RWAE
+	{0xB895, 0xB8AF, prLVT},                    // Lo  [27] HANGUL SYLLABLE RWAEG..HANGUL SYLLABLE RWAEH
+	{0xB8B0, 0xB8B0, prLV},                     // Lo       HANGUL SYLLABLE ROE
+	{0xB8B1, 0xB8CB, prLVT},                    // Lo  [27] HANGUL SYLLABLE ROEG..HANGUL SYLLABLE ROEH
+	{0xB8CC, 0xB8CC, prLV},                     // Lo       HANGUL SYLLABLE RYO
+	{0xB8CD, 0xB8E7, prLVT},                    // Lo  [27] HANGUL SYLLABLE RYOG..HANGUL SYLLABLE RYOH
+	{0xB8E8, 0xB8E8, prLV},                     // Lo       HANGUL SYLLABLE RU
+	{0xB8E9, 0xB903, prLVT},                    // Lo  [27] HANGUL SYLLABLE RUG..HANGUL SYLLABLE RUH
+	{0xB904, 0xB904, prLV},                     // Lo       HANGUL SYLLABLE RWEO
+	{0xB905, 0xB91F, prLVT},                    // Lo  [27] HANGUL SYLLABLE RWEOG..HANGUL SYLLABLE RWEOH
+	{0xB920, 0xB920, prLV},                     // Lo       HANGUL SYLLABLE RWE
+	{0xB921, 0xB93B, prLVT},                    // Lo  [27] HANGUL SYLLABLE RWEG..HANGUL SYLLABLE RWEH
+	{0xB93C, 0xB93C, prLV},                     // Lo       HANGUL SYLLABLE RWI
+	{0xB93D, 0xB957, prLVT},                    // Lo  [27] HANGUL SYLLABLE RWIG..HANGUL SYLLABLE RWIH
+	{0xB958, 0xB958, prLV},                     // Lo       HANGUL SYLLABLE RYU
+	{0xB959, 0xB973, prLVT},                    // Lo  [27] HANGUL SYLLABLE RYUG..HANGUL SYLLABLE RYUH
+	{0xB974, 0xB974, prLV},                     // Lo       HANGUL SYLLABLE REU
+	{0xB975, 0xB98F, prLVT},                    // Lo  [27] HANGUL SYLLABLE REUG..HANGUL SYLLABLE REUH
+	{0xB990, 0xB990, prLV},                     // Lo       HANGUL SYLLABLE RYI
+	{0xB991, 0xB9AB, prLVT},                    // Lo  [27] HANGUL SYLLABLE RYIG..HANGUL SYLLABLE RYIH
+	{0xB9AC, 0xB9AC, prLV},                     // Lo       HANGUL SYLLABLE RI
+	{0xB9AD, 0xB9C7, prLVT},                    // Lo  [27] HANGUL SYLLABLE RIG..HANGUL SYLLABLE RIH
+	{0xB9C8, 0xB9C8, prLV},                     // Lo       HANGUL SYLLABLE MA
+	{0xB9C9, 0xB9E3, prLVT},                    // Lo  [27] HANGUL SYLLABLE MAG..HANGUL SYLLABLE MAH
+	{0xB9E4, 0xB9E4, prLV},                     // Lo       HANGUL SYLLABLE MAE
+	{0xB9E5, 0xB9FF, prLVT},                    // Lo  [27] HANGUL SYLLABLE MAEG..HANGUL SYLLABLE MAEH
+	{0xBA00, 0xBA00, prLV},                     // Lo       HANGUL SYLLABLE MYA
+	{0xBA01, 0xBA1B, prLVT},                    // Lo  [27] HANGUL SYLLABLE MYAG..HANGUL SYLLABLE MYAH
+	{0xBA1C, 0xBA1C, prLV},                     // Lo       HANGUL SYLLABLE MYAE
+	{0xBA1D, 0xBA37, prLVT},                    // Lo  [27] HANGUL SYLLABLE MYAEG..HANGUL SYLLABLE MYAEH
+	{0xBA38, 0xBA38, prLV},                     // Lo       HANGUL SYLLABLE MEO
+	{0xBA39, 0xBA53, prLVT},                    // Lo  [27] HANGUL SYLLABLE MEOG..HANGUL SYLLABLE MEOH
+	{0xBA54, 0xBA54, prLV},                     // Lo       HANGUL SYLLABLE ME
+	{0xBA55, 0xBA6F, prLVT},                    // Lo  [27] HANGUL SYLLABLE MEG..HANGUL SYLLABLE MEH
+	{0xBA70, 0xBA70, prLV},                     // Lo       HANGUL SYLLABLE MYEO
+	{0xBA71, 0xBA8B, prLVT},                    // Lo  [27] HANGUL SYLLABLE MYEOG..HANGUL SYLLABLE MYEOH
+	{0xBA8C, 0xBA8C, prLV},                     // Lo       HANGUL SYLLABLE MYE
+	{0xBA8D, 0xBAA7, prLVT},                    // Lo  [27] HANGUL SYLLABLE MYEG..HANGUL SYLLABLE MYEH
+	{0xBAA8, 0xBAA8, prLV},                     // Lo       HANGUL SYLLABLE MO
+	{0xBAA9, 0xBAC3, prLVT},                    // Lo  [27] HANGUL SYLLABLE MOG..HANGUL SYLLABLE MOH
+	{0xBAC4, 0xBAC4, prLV},                     // Lo       HANGUL SYLLABLE MWA
+	{0xBAC5, 0xBADF, prLVT},                    // Lo  [27] HANGUL SYLLABLE MWAG..HANGUL SYLLABLE MWAH
+	{0xBAE0, 0xBAE0, prLV},                     // Lo       HANGUL SYLLABLE MWAE
+	{0xBAE1, 0xBAFB, prLVT},                    // Lo  [27] HANGUL SYLLABLE MWAEG..HANGUL SYLLABLE MWAEH
+	{0xBAFC, 0xBAFC, prLV},                     // Lo       HANGUL SYLLABLE MOE
+	{0xBAFD, 0xBB17, prLVT},                    // Lo  [27] HANGUL SYLLABLE MOEG..HANGUL SYLLABLE MOEH
+	{0xBB18, 0xBB18, prLV},                     // Lo       HANGUL SYLLABLE MYO
+	{0xBB19, 0xBB33, prLVT},                    // Lo  [27] HANGUL SYLLABLE MYOG..HANGUL SYLLABLE MYOH
+	{0xBB34, 0xBB34, prLV},                     // Lo       HANGUL SYLLABLE MU
+	{0xBB35, 0xBB4F, prLVT},                    // Lo  [27] HANGUL SYLLABLE MUG..HANGUL SYLLABLE MUH
+	{0xBB50, 0xBB50, prLV},                     // Lo       HANGUL SYLLABLE MWEO
+	{0xBB51, 0xBB6B, prLVT},                    // Lo  [27] HANGUL SYLLABLE MWEOG..HANGUL SYLLABLE MWEOH
+	{0xBB6C, 0xBB6C, prLV},                     // Lo       HANGUL SYLLABLE MWE
+	{0xBB6D, 0xBB87, prLVT},                    // Lo  [27] HANGUL SYLLABLE MWEG..HANGUL SYLLABLE MWEH
+	{0xBB88, 0xBB88, prLV},                     // Lo       HANGUL SYLLABLE MWI
+	{0xBB89, 0xBBA3, prLVT},                    // Lo  [27] HANGUL SYLLABLE MWIG..HANGUL SYLLABLE MWIH
+	{0xBBA4, 0xBBA4, prLV},                     // Lo       HANGUL SYLLABLE MYU
+	{0xBBA5, 0xBBBF, prLVT},                    // Lo  [27] HANGUL SYLLABLE MYUG..HANGUL SYLLABLE MYUH
+	{0xBBC0, 0xBBC0, prLV},                     // Lo       HANGUL SYLLABLE MEU
+	{0xBBC1, 0xBBDB, prLVT},                    // Lo  [27] HANGUL SYLLABLE MEUG..HANGUL SYLLABLE MEUH
+	{0xBBDC, 0xBBDC, prLV},                     // Lo       HANGUL SYLLABLE MYI
+	{0xBBDD, 0xBBF7, prLVT},                    // Lo  [27] HANGUL SYLLABLE MYIG..HANGUL SYLLABLE MYIH
+	{0xBBF8, 0xBBF8, prLV},                     // Lo       HANGUL SYLLABLE MI
+	{0xBBF9, 0xBC13, prLVT},                    // Lo  [27] HANGUL SYLLABLE MIG..HANGUL SYLLABLE MIH
+	{0xBC14, 0xBC14, prLV},                     // Lo       HANGUL SYLLABLE BA
+	{0xBC15, 0xBC2F, prLVT},                    // Lo  [27] HANGUL SYLLABLE BAG..HANGUL SYLLABLE BAH
+	{0xBC30, 0xBC30, prLV},                     // Lo       HANGUL SYLLABLE BAE
+	{0xBC31, 0xBC4B, prLVT},                    // Lo  [27] HANGUL SYLLABLE BAEG..HANGUL SYLLABLE BAEH
+	{0xBC4C, 0xBC4C, prLV},                     // Lo       HANGUL SYLLABLE BYA
+	{0xBC4D, 0xBC67, prLVT},                    // Lo  [27] HANGUL SYLLABLE BYAG..HANGUL SYLLABLE BYAH
+	{0xBC68, 0xBC68, prLV},                     // Lo       HANGUL SYLLABLE BYAE
+	{0xBC69, 0xBC83, prLVT},                    // Lo  [27] HANGUL SYLLABLE BYAEG..HANGUL SYLLABLE BYAEH
+	{0xBC84, 0xBC84, prLV},                     // Lo       HANGUL SYLLABLE BEO
+	{0xBC85, 0xBC9F, prLVT},                    // Lo  [27] HANGUL SYLLABLE BEOG..HANGUL SYLLABLE BEOH
+	{0xBCA0, 0xBCA0, prLV},                     // Lo       HANGUL SYLLABLE BE
+	{0xBCA1, 0xBCBB, prLVT},                    // Lo  [27] HANGUL SYLLABLE BEG..HANGUL SYLLABLE BEH
+	{0xBCBC, 0xBCBC, prLV},                     // Lo       HANGUL SYLLABLE BYEO
+	{0xBCBD, 0xBCD7, prLVT},                    // Lo  [27] HANGUL SYLLABLE BYEOG..HANGUL SYLLABLE BYEOH
+	{0xBCD8, 0xBCD8, prLV},                     // Lo       HANGUL SYLLABLE BYE
+	{0xBCD9, 0xBCF3, prLVT},                    // Lo  [27] HANGUL SYLLABLE BYEG..HANGUL SYLLABLE BYEH
+	{0xBCF4, 0xBCF4, prLV},                     // Lo       HANGUL SYLLABLE BO
+	{0xBCF5, 0xBD0F, prLVT},                    // Lo  [27] HANGUL SYLLABLE BOG..HANGUL SYLLABLE BOH
+	{0xBD10, 0xBD10, prLV},                     // Lo       HANGUL SYLLABLE BWA
+	{0xBD11, 0xBD2B, prLVT},                    // Lo  [27] HANGUL SYLLABLE BWAG..HANGUL SYLLABLE BWAH
+	{0xBD2C, 0xBD2C, prLV},                     // Lo       HANGUL SYLLABLE BWAE
+	{0xBD2D, 0xBD47, prLVT},                    // Lo  [27] HANGUL SYLLABLE BWAEG..HANGUL SYLLABLE BWAEH
+	{0xBD48, 0xBD48, prLV},                     // Lo       HANGUL SYLLABLE BOE
+	{0xBD49, 0xBD63, prLVT},                    // Lo  [27] HANGUL SYLLABLE BOEG..HANGUL SYLLABLE BOEH
+	{0xBD64, 0xBD64, prLV},                     // Lo       HANGUL SYLLABLE BYO
+	{0xBD65, 0xBD7F, prLVT},                    // Lo  [27] HANGUL SYLLABLE BYOG..HANGUL SYLLABLE BYOH
+	{0xBD80, 0xBD80, prLV},                     // Lo       HANGUL SYLLABLE BU
+	{0xBD81, 0xBD9B, prLVT},                    // Lo  [27] HANGUL SYLLABLE BUG..HANGUL SYLLABLE BUH
+	{0xBD9C, 0xBD9C, prLV},                     // Lo       HANGUL SYLLABLE BWEO
+	{0xBD9D, 0xBDB7, prLVT},                    // Lo  [27] HANGUL SYLLABLE BWEOG..HANGUL SYLLABLE BWEOH
+	{0xBDB8, 0xBDB8, prLV},                     // Lo       HANGUL SYLLABLE BWE
+	{0xBDB9, 0xBDD3, prLVT},                    // Lo  [27] HANGUL SYLLABLE BWEG..HANGUL SYLLABLE BWEH
+	{0xBDD4, 0xBDD4, prLV},                     // Lo       HANGUL SYLLABLE BWI
+	{0xBDD5, 0xBDEF, prLVT},                    // Lo  [27] HANGUL SYLLABLE BWIG..HANGUL SYLLABLE BWIH
+	{0xBDF0, 0xBDF0, prLV},                     // Lo       HANGUL SYLLABLE BYU
+	{0xBDF1, 0xBE0B, prLVT},                    // Lo  [27] HANGUL SYLLABLE BYUG..HANGUL SYLLABLE BYUH
+	{0xBE0C, 0xBE0C, prLV},                     // Lo       HANGUL SYLLABLE BEU
+	{0xBE0D, 0xBE27, prLVT},                    // Lo  [27] HANGUL SYLLABLE BEUG..HANGUL SYLLABLE BEUH
+	{0xBE28, 0xBE28, prLV},                     // Lo       HANGUL SYLLABLE BYI
+	{0xBE29, 0xBE43, prLVT},                    // Lo  [27] HANGUL SYLLABLE BYIG..HANGUL SYLLABLE BYIH
+	{0xBE44, 0xBE44, prLV},                     // Lo       HANGUL SYLLABLE BI
+	{0xBE45, 0xBE5F, prLVT},                    // Lo  [27] HANGUL SYLLABLE BIG..HANGUL SYLLABLE BIH
+	{0xBE60, 0xBE60, prLV},                     // Lo       HANGUL SYLLABLE BBA
+	{0xBE61, 0xBE7B, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBAG..HANGUL SYLLABLE BBAH
+	{0xBE7C, 0xBE7C, prLV},                     // Lo       HANGUL SYLLABLE BBAE
+	{0xBE7D, 0xBE97, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBAEG..HANGUL SYLLABLE BBAEH
+	{0xBE98, 0xBE98, prLV},                     // Lo       HANGUL SYLLABLE BBYA
+	{0xBE99, 0xBEB3, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBYAG..HANGUL SYLLABLE BBYAH
+	{0xBEB4, 0xBEB4, prLV},                     // Lo       HANGUL SYLLABLE BBYAE
+	{0xBEB5, 0xBECF, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBYAEG..HANGUL SYLLABLE BBYAEH
+	{0xBED0, 0xBED0, prLV},                     // Lo       HANGUL SYLLABLE BBEO
+	{0xBED1, 0xBEEB, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBEOG..HANGUL SYLLABLE BBEOH
+	{0xBEEC, 0xBEEC, prLV},                     // Lo       HANGUL SYLLABLE BBE
+	{0xBEED, 0xBF07, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBEG..HANGUL SYLLABLE BBEH
+	{0xBF08, 0xBF08, prLV},                     // Lo       HANGUL SYLLABLE BBYEO
+	{0xBF09, 0xBF23, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBYEOG..HANGUL SYLLABLE BBYEOH
+	{0xBF24, 0xBF24, prLV},                     // Lo       HANGUL SYLLABLE BBYE
+	{0xBF25, 0xBF3F, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBYEG..HANGUL SYLLABLE BBYEH
+	{0xBF40, 0xBF40, prLV},                     // Lo       HANGUL SYLLABLE BBO
+	{0xBF41, 0xBF5B, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBOG..HANGUL SYLLABLE BBOH
+	{0xBF5C, 0xBF5C, prLV},                     // Lo       HANGUL SYLLABLE BBWA
+	{0xBF5D, 0xBF77, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBWAG..HANGUL SYLLABLE BBWAH
+	{0xBF78, 0xBF78, prLV},                     // Lo       HANGUL SYLLABLE BBWAE
+	{0xBF79, 0xBF93, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBWAEG..HANGUL SYLLABLE BBWAEH
+	{0xBF94, 0xBF94, prLV},                     // Lo       HANGUL SYLLABLE BBOE
+	{0xBF95, 0xBFAF, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBOEG..HANGUL SYLLABLE BBOEH
+	{0xBFB0, 0xBFB0, prLV},                     // Lo       HANGUL SYLLABLE BBYO
+	{0xBFB1, 0xBFCB, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBYOG..HANGUL SYLLABLE BBYOH
+	{0xBFCC, 0xBFCC, prLV},                     // Lo       HANGUL SYLLABLE BBU
+	{0xBFCD, 0xBFE7, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBUG..HANGUL SYLLABLE BBUH
+	{0xBFE8, 0xBFE8, prLV},                     // Lo       HANGUL SYLLABLE BBWEO
+	{0xBFE9, 0xC003, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBWEOG..HANGUL SYLLABLE BBWEOH
+	{0xC004, 0xC004, prLV},                     // Lo       HANGUL SYLLABLE BBWE
+	{0xC005, 0xC01F, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBWEG..HANGUL SYLLABLE BBWEH
+	{0xC020, 0xC020, prLV},                     // Lo       HANGUL SYLLABLE BBWI
+	{0xC021, 0xC03B, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBWIG..HANGUL SYLLABLE BBWIH
+	{0xC03C, 0xC03C, prLV},                     // Lo       HANGUL SYLLABLE BBYU
+	{0xC03D, 0xC057, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBYUG..HANGUL SYLLABLE BBYUH
+	{0xC058, 0xC058, prLV},                     // Lo       HANGUL SYLLABLE BBEU
+	{0xC059, 0xC073, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBEUG..HANGUL SYLLABLE BBEUH
+	{0xC074, 0xC074, prLV},                     // Lo       HANGUL SYLLABLE BBYI
+	{0xC075, 0xC08F, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBYIG..HANGUL SYLLABLE BBYIH
+	{0xC090, 0xC090, prLV},                     // Lo       HANGUL SYLLABLE BBI
+	{0xC091, 0xC0AB, prLVT},                    // Lo  [27] HANGUL SYLLABLE BBIG..HANGUL SYLLABLE BBIH
+	{0xC0AC, 0xC0AC, prLV},                     // Lo       HANGUL SYLLABLE SA
+	{0xC0AD, 0xC0C7, prLVT},                    // Lo  [27] HANGUL SYLLABLE SAG..HANGUL SYLLABLE SAH
+	{0xC0C8, 0xC0C8, prLV},                     // Lo       HANGUL SYLLABLE SAE
+	{0xC0C9, 0xC0E3, prLVT},                    // Lo  [27] HANGUL SYLLABLE SAEG..HANGUL SYLLABLE SAEH
+	{0xC0E4, 0xC0E4, prLV},                     // Lo       HANGUL SYLLABLE SYA
+	{0xC0E5, 0xC0FF, prLVT},                    // Lo  [27] HANGUL SYLLABLE SYAG..HANGUL SYLLABLE SYAH
+	{0xC100, 0xC100, prLV},                     // Lo       HANGUL SYLLABLE SYAE
+	{0xC101, 0xC11B, prLVT},                    // Lo  [27] HANGUL SYLLABLE SYAEG..HANGUL SYLLABLE SYAEH
+	{0xC11C, 0xC11C, prLV},                     // Lo       HANGUL SYLLABLE SEO
+	{0xC11D, 0xC137, prLVT},                    // Lo  [27] HANGUL SYLLABLE SEOG..HANGUL SYLLABLE SEOH
+	{0xC138, 0xC138, prLV},                     // Lo       HANGUL SYLLABLE SE
+	{0xC139, 0xC153, prLVT},                    // Lo  [27] HANGUL SYLLABLE SEG..HANGUL SYLLABLE SEH
+	{0xC154, 0xC154, prLV},                     // Lo       HANGUL SYLLABLE SYEO
+	{0xC155, 0xC16F, prLVT},                    // Lo  [27] HANGUL SYLLABLE SYEOG..HANGUL SYLLABLE SYEOH
+	{0xC170, 0xC170, prLV},                     // Lo       HANGUL SYLLABLE SYE
+	{0xC171, 0xC18B, prLVT},                    // Lo  [27] HANGUL SYLLABLE SYEG..HANGUL SYLLABLE SYEH
+	{0xC18C, 0xC18C, prLV},                     // Lo       HANGUL SYLLABLE SO
+	{0xC18D, 0xC1A7, prLVT},                    // Lo  [27] HANGUL SYLLABLE SOG..HANGUL SYLLABLE SOH
+	{0xC1A8, 0xC1A8, prLV},                     // Lo       HANGUL SYLLABLE SWA
+	{0xC1A9, 0xC1C3, prLVT},                    // Lo  [27] HANGUL SYLLABLE SWAG..HANGUL SYLLABLE SWAH
+	{0xC1C4, 0xC1C4, prLV},                     // Lo       HANGUL SYLLABLE SWAE
+	{0xC1C5, 0xC1DF, prLVT},                    // Lo  [27] HANGUL SYLLABLE SWAEG..HANGUL SYLLABLE SWAEH
+	{0xC1E0, 0xC1E0, prLV},                     // Lo       HANGUL SYLLABLE SOE
+	{0xC1E1, 0xC1FB, prLVT},                    // Lo  [27] HANGUL SYLLABLE SOEG..HANGUL SYLLABLE SOEH
+	{0xC1FC, 0xC1FC, prLV},                     // Lo       HANGUL SYLLABLE SYO
+	{0xC1FD, 0xC217, prLVT},                    // Lo  [27] HANGUL SYLLABLE SYOG..HANGUL SYLLABLE SYOH
+	{0xC218, 0xC218, prLV},                     // Lo       HANGUL SYLLABLE SU
+	{0xC219, 0xC233, prLVT},                    // Lo  [27] HANGUL SYLLABLE SUG..HANGUL SYLLABLE SUH
+	{0xC234, 0xC234, prLV},                     // Lo       HANGUL SYLLABLE SWEO
+	{0xC235, 0xC24F, prLVT},                    // Lo  [27] HANGUL SYLLABLE SWEOG..HANGUL SYLLABLE SWEOH
+	{0xC250, 0xC250, prLV},                     // Lo       HANGUL SYLLABLE SWE
+	{0xC251, 0xC26B, prLVT},                    // Lo  [27] HANGUL SYLLABLE SWEG..HANGUL SYLLABLE SWEH
+	{0xC26C, 0xC26C, prLV},                     // Lo       HANGUL SYLLABLE SWI
+	{0xC26D, 0xC287, prLVT},                    // Lo  [27] HANGUL SYLLABLE SWIG..HANGUL SYLLABLE SWIH
+	{0xC288, 0xC288, prLV},                     // Lo       HANGUL SYLLABLE SYU
+	{0xC289, 0xC2A3, prLVT},                    // Lo  [27] HANGUL SYLLABLE SYUG..HANGUL SYLLABLE SYUH
+	{0xC2A4, 0xC2A4, prLV},                     // Lo       HANGUL SYLLABLE SEU
+	{0xC2A5, 0xC2BF, prLVT},                    // Lo  [27] HANGUL SYLLABLE SEUG..HANGUL SYLLABLE SEUH
+	{0xC2C0, 0xC2C0, prLV},                     // Lo       HANGUL SYLLABLE SYI
+	{0xC2C1, 0xC2DB, prLVT},                    // Lo  [27] HANGUL SYLLABLE SYIG..HANGUL SYLLABLE SYIH
+	{0xC2DC, 0xC2DC, prLV},                     // Lo       HANGUL SYLLABLE SI
+	{0xC2DD, 0xC2F7, prLVT},                    // Lo  [27] HANGUL SYLLABLE SIG..HANGUL SYLLABLE SIH
+	{0xC2F8, 0xC2F8, prLV},                     // Lo       HANGUL SYLLABLE SSA
+	{0xC2F9, 0xC313, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSAG..HANGUL SYLLABLE SSAH
+	{0xC314, 0xC314, prLV},                     // Lo       HANGUL SYLLABLE SSAE
+	{0xC315, 0xC32F, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSAEG..HANGUL SYLLABLE SSAEH
+	{0xC330, 0xC330, prLV},                     // Lo       HANGUL SYLLABLE SSYA
+	{0xC331, 0xC34B, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSYAG..HANGUL SYLLABLE SSYAH
+	{0xC34C, 0xC34C, prLV},                     // Lo       HANGUL SYLLABLE SSYAE
+	{0xC34D, 0xC367, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSYAEG..HANGUL SYLLABLE SSYAEH
+	{0xC368, 0xC368, prLV},                     // Lo       HANGUL SYLLABLE SSEO
+	{0xC369, 0xC383, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSEOG..HANGUL SYLLABLE SSEOH
+	{0xC384, 0xC384, prLV},                     // Lo       HANGUL SYLLABLE SSE
+	{0xC385, 0xC39F, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSEG..HANGUL SYLLABLE SSEH
+	{0xC3A0, 0xC3A0, prLV},                     // Lo       HANGUL SYLLABLE SSYEO
+	{0xC3A1, 0xC3BB, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSYEOG..HANGUL SYLLABLE SSYEOH
+	{0xC3BC, 0xC3BC, prLV},                     // Lo       HANGUL SYLLABLE SSYE
+	{0xC3BD, 0xC3D7, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSYEG..HANGUL SYLLABLE SSYEH
+	{0xC3D8, 0xC3D8, prLV},                     // Lo       HANGUL SYLLABLE SSO
+	{0xC3D9, 0xC3F3, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSOG..HANGUL SYLLABLE SSOH
+	{0xC3F4, 0xC3F4, prLV},                     // Lo       HANGUL SYLLABLE SSWA
+	{0xC3F5, 0xC40F, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSWAG..HANGUL SYLLABLE SSWAH
+	{0xC410, 0xC410, prLV},                     // Lo       HANGUL SYLLABLE SSWAE
+	{0xC411, 0xC42B, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSWAEG..HANGUL SYLLABLE SSWAEH
+	{0xC42C, 0xC42C, prLV},                     // Lo       HANGUL SYLLABLE SSOE
+	{0xC42D, 0xC447, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSOEG..HANGUL SYLLABLE SSOEH
+	{0xC448, 0xC448, prLV},                     // Lo       HANGUL SYLLABLE SSYO
+	{0xC449, 0xC463, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSYOG..HANGUL SYLLABLE SSYOH
+	{0xC464, 0xC464, prLV},                     // Lo       HANGUL SYLLABLE SSU
+	{0xC465, 0xC47F, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSUG..HANGUL SYLLABLE SSUH
+	{0xC480, 0xC480, prLV},                     // Lo       HANGUL SYLLABLE SSWEO
+	{0xC481, 0xC49B, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSWEOG..HANGUL SYLLABLE SSWEOH
+	{0xC49C, 0xC49C, prLV},                     // Lo       HANGUL SYLLABLE SSWE
+	{0xC49D, 0xC4B7, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSWEG..HANGUL SYLLABLE SSWEH
+	{0xC4B8, 0xC4B8, prLV},                     // Lo       HANGUL SYLLABLE SSWI
+	{0xC4B9, 0xC4D3, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSWIG..HANGUL SYLLABLE SSWIH
+	{0xC4D4, 0xC4D4, prLV},                     // Lo       HANGUL SYLLABLE SSYU
+	{0xC4D5, 0xC4EF, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSYUG..HANGUL SYLLABLE SSYUH
+	{0xC4F0, 0xC4F0, prLV},                     // Lo       HANGUL SYLLABLE SSEU
+	{0xC4F1, 0xC50B, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSEUG..HANGUL SYLLABLE SSEUH
+	{0xC50C, 0xC50C, prLV},                     // Lo       HANGUL SYLLABLE SSYI
+	{0xC50D, 0xC527, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSYIG..HANGUL SYLLABLE SSYIH
+	{0xC528, 0xC528, prLV},                     // Lo       HANGUL SYLLABLE SSI
+	{0xC529, 0xC543, prLVT},                    // Lo  [27] HANGUL SYLLABLE SSIG..HANGUL SYLLABLE SSIH
+	{0xC544, 0xC544, prLV},                     // Lo       HANGUL SYLLABLE A
+	{0xC545, 0xC55F, prLVT},                    // Lo  [27] HANGUL SYLLABLE AG..HANGUL SYLLABLE AH
+	{0xC560, 0xC560, prLV},                     // Lo       HANGUL SYLLABLE AE
+	{0xC561, 0xC57B, prLVT},                    // Lo  [27] HANGUL SYLLABLE AEG..HANGUL SYLLABLE AEH
+	{0xC57C, 0xC57C, prLV},                     // Lo       HANGUL SYLLABLE YA
+	{0xC57D, 0xC597, prLVT},                    // Lo  [27] HANGUL SYLLABLE YAG..HANGUL SYLLABLE YAH
+	{0xC598, 0xC598, prLV},                     // Lo       HANGUL SYLLABLE YAE
+	{0xC599, 0xC5B3, prLVT},                    // Lo  [27] HANGUL SYLLABLE YAEG..HANGUL SYLLABLE YAEH
+	{0xC5B4, 0xC5B4, prLV},                     // Lo       HANGUL SYLLABLE EO
+	{0xC5B5, 0xC5CF, prLVT},                    // Lo  [27] HANGUL SYLLABLE EOG..HANGUL SYLLABLE EOH
+	{0xC5D0, 0xC5D0, prLV},                     // Lo       HANGUL SYLLABLE E
+	{0xC5D1, 0xC5EB, prLVT},                    // Lo  [27] HANGUL SYLLABLE EG..HANGUL SYLLABLE EH
+	{0xC5EC, 0xC5EC, prLV},                     // Lo       HANGUL SYLLABLE YEO
+	{0xC5ED, 0xC607, prLVT},                    // Lo  [27] HANGUL SYLLABLE YEOG..HANGUL SYLLABLE YEOH
+	{0xC608, 0xC608, prLV},                     // Lo       HANGUL SYLLABLE YE
+	{0xC609, 0xC623, prLVT},                    // Lo  [27] HANGUL SYLLABLE YEG..HANGUL SYLLABLE YEH
+	{0xC624, 0xC624, prLV},                     // Lo       HANGUL SYLLABLE O
+	{0xC625, 0xC63F, prLVT},                    // Lo  [27] HANGUL SYLLABLE OG..HANGUL SYLLABLE OH
+	{0xC640, 0xC640, prLV},                     // Lo       HANGUL SYLLABLE WA
+	{0xC641, 0xC65B, prLVT},                    // Lo  [27] HANGUL SYLLABLE WAG..HANGUL SYLLABLE WAH
+	{0xC65C, 0xC65C, prLV},                     // Lo       HANGUL SYLLABLE WAE
+	{0xC65D, 0xC677, prLVT},                    // Lo  [27] HANGUL SYLLABLE WAEG..HANGUL SYLLABLE WAEH
+	{0xC678, 0xC678, prLV},                     // Lo       HANGUL SYLLABLE OE
+	{0xC679, 0xC693, prLVT},                    // Lo  [27] HANGUL SYLLABLE OEG..HANGUL SYLLABLE OEH
+	{0xC694, 0xC694, prLV},                     // Lo       HANGUL SYLLABLE YO
+	{0xC695, 0xC6AF, prLVT},                    // Lo  [27] HANGUL SYLLABLE YOG..HANGUL SYLLABLE YOH
+	{0xC6B0, 0xC6B0, prLV},                     // Lo       HANGUL SYLLABLE U
+	{0xC6B1, 0xC6CB, prLVT},                    // Lo  [27] HANGUL SYLLABLE UG..HANGUL SYLLABLE UH
+	{0xC6CC, 0xC6CC, prLV},                     // Lo       HANGUL SYLLABLE WEO
+	{0xC6CD, 0xC6E7, prLVT},                    // Lo  [27] HANGUL SYLLABLE WEOG..HANGUL SYLLABLE WEOH
+	{0xC6E8, 0xC6E8, prLV},                     // Lo       HANGUL SYLLABLE WE
+	{0xC6E9, 0xC703, prLVT},                    // Lo  [27] HANGUL SYLLABLE WEG..HANGUL SYLLABLE WEH
+	{0xC704, 0xC704, prLV},                     // Lo       HANGUL SYLLABLE WI
+	{0xC705, 0xC71F, prLVT},                    // Lo  [27] HANGUL SYLLABLE WIG..HANGUL SYLLABLE WIH
+	{0xC720, 0xC720, prLV},                     // Lo       HANGUL SYLLABLE YU
+	{0xC721, 0xC73B, prLVT},                    // Lo  [27] HANGUL SYLLABLE YUG..HANGUL SYLLABLE YUH
+	{0xC73C, 0xC73C, prLV},                     // Lo       HANGUL SYLLABLE EU
+	{0xC73D, 0xC757, prLVT},                    // Lo  [27] HANGUL SYLLABLE EUG..HANGUL SYLLABLE EUH
+	{0xC758, 0xC758, prLV},                     // Lo       HANGUL SYLLABLE YI
+	{0xC759, 0xC773, prLVT},                    // Lo  [27] HANGUL SYLLABLE YIG..HANGUL SYLLABLE YIH
+	{0xC774, 0xC774, prLV},                     // Lo       HANGUL SYLLABLE I
+	{0xC775, 0xC78F, prLVT},                    // Lo  [27] HANGUL SYLLABLE IG..HANGUL SYLLABLE IH
+	{0xC790, 0xC790, prLV},                     // Lo       HANGUL SYLLABLE JA
+	{0xC791, 0xC7AB, prLVT},                    // Lo  [27] HANGUL SYLLABLE JAG..HANGUL SYLLABLE JAH
+	{0xC7AC, 0xC7AC, prLV},                     // Lo       HANGUL SYLLABLE JAE
+	{0xC7AD, 0xC7C7, prLVT},                    // Lo  [27] HANGUL SYLLABLE JAEG..HANGUL SYLLABLE JAEH
+	{0xC7C8, 0xC7C8, prLV},                     // Lo       HANGUL SYLLABLE JYA
+	{0xC7C9, 0xC7E3, prLVT},                    // Lo  [27] HANGUL SYLLABLE JYAG..HANGUL SYLLABLE JYAH
+	{0xC7E4, 0xC7E4, prLV},                     // Lo       HANGUL SYLLABLE JYAE
+	{0xC7E5, 0xC7FF, prLVT},                    // Lo  [27] HANGUL SYLLABLE JYAEG..HANGUL SYLLABLE JYAEH
+	{0xC800, 0xC800, prLV},                     // Lo       HANGUL SYLLABLE JEO
+	{0xC801, 0xC81B, prLVT},                    // Lo  [27] HANGUL SYLLABLE JEOG..HANGUL SYLLABLE JEOH
+	{0xC81C, 0xC81C, prLV},                     // Lo       HANGUL SYLLABLE JE
+	{0xC81D, 0xC837, prLVT},                    // Lo  [27] HANGUL SYLLABLE JEG..HANGUL SYLLABLE JEH
+	{0xC838, 0xC838, prLV},                     // Lo       HANGUL SYLLABLE JYEO
+	{0xC839, 0xC853, prLVT},                    // Lo  [27] HANGUL SYLLABLE JYEOG..HANGUL SYLLABLE JYEOH
+	{0xC854, 0xC854, prLV},                     // Lo       HANGUL SYLLABLE JYE
+	{0xC855, 0xC86F, prLVT},                    // Lo  [27] HANGUL SYLLABLE JYEG..HANGUL SYLLABLE JYEH
+	{0xC870, 0xC870, prLV},                     // Lo       HANGUL SYLLABLE JO
+	{0xC871, 0xC88B, prLVT},                    // Lo  [27] HANGUL SYLLABLE JOG..HANGUL SYLLABLE JOH
+	{0xC88C, 0xC88C, prLV},                     // Lo       HANGUL SYLLABLE JWA
+	{0xC88D, 0xC8A7, prLVT},                    // Lo  [27] HANGUL SYLLABLE JWAG..HANGUL SYLLABLE JWAH
+	{0xC8A8, 0xC8A8, prLV},                     // Lo       HANGUL SYLLABLE JWAE
+	{0xC8A9, 0xC8C3, prLVT},                    // Lo  [27] HANGUL SYLLABLE JWAEG..HANGUL SYLLABLE JWAEH
+	{0xC8C4, 0xC8C4, prLV},                     // Lo       HANGUL SYLLABLE JOE
+	{0xC8C5, 0xC8DF, prLVT},                    // Lo  [27] HANGUL SYLLABLE JOEG..HANGUL SYLLABLE JOEH
+	{0xC8E0, 0xC8E0, prLV},                     // Lo       HANGUL SYLLABLE JYO
+	{0xC8E1, 0xC8FB, prLVT},                    // Lo  [27] HANGUL SYLLABLE JYOG..HANGUL SYLLABLE JYOH
+	{0xC8FC, 0xC8FC, prLV},                     // Lo       HANGUL SYLLABLE JU
+	{0xC8FD, 0xC917, prLVT},                    // Lo  [27] HANGUL SYLLABLE JUG..HANGUL SYLLABLE JUH
+	{0xC918, 0xC918, prLV},                     // Lo       HANGUL SYLLABLE JWEO
+	{0xC919, 0xC933, prLVT},                    // Lo  [27] HANGUL SYLLABLE JWEOG..HANGUL SYLLABLE JWEOH
+	{0xC934, 0xC934, prLV},                     // Lo       HANGUL SYLLABLE JWE
+	{0xC935, 0xC94F, prLVT},                    // Lo  [27] HANGUL SYLLABLE JWEG..HANGUL SYLLABLE JWEH
+	{0xC950, 0xC950, prLV},                     // Lo       HANGUL SYLLABLE JWI
+	{0xC951, 0xC96B, prLVT},                    // Lo  [27] HANGUL SYLLABLE JWIG..HANGUL SYLLABLE JWIH
+	{0xC96C, 0xC96C, prLV},                     // Lo       HANGUL SYLLABLE JYU
+	{0xC96D, 0xC987, prLVT},                    // Lo  [27] HANGUL SYLLABLE JYUG..HANGUL SYLLABLE JYUH
+	{0xC988, 0xC988, prLV},                     // Lo       HANGUL SYLLABLE JEU
+	{0xC989, 0xC9A3, prLVT},                    // Lo  [27] HANGUL SYLLABLE JEUG..HANGUL SYLLABLE JEUH
+	{0xC9A4, 0xC9A4, prLV},                     // Lo       HANGUL SYLLABLE JYI
+	{0xC9A5, 0xC9BF, prLVT},                    // Lo  [27] HANGUL SYLLABLE JYIG..HANGUL SYLLABLE JYIH
+	{0xC9C0, 0xC9C0, prLV},                     // Lo       HANGUL SYLLABLE JI
+	{0xC9C1, 0xC9DB, prLVT},                    // Lo  [27] HANGUL SYLLABLE JIG..HANGUL SYLLABLE JIH
+	{0xC9DC, 0xC9DC, prLV},                     // Lo       HANGUL SYLLABLE JJA
+	{0xC9DD, 0xC9F7, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJAG..HANGUL SYLLABLE JJAH
+	{0xC9F8, 0xC9F8, prLV},                     // Lo       HANGUL SYLLABLE JJAE
+	{0xC9F9, 0xCA13, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJAEG..HANGUL SYLLABLE JJAEH
+	{0xCA14, 0xCA14, prLV},                     // Lo       HANGUL SYLLABLE JJYA
+	{0xCA15, 0xCA2F, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJYAG..HANGUL SYLLABLE JJYAH
+	{0xCA30, 0xCA30, prLV},                     // Lo       HANGUL SYLLABLE JJYAE
+	{0xCA31, 0xCA4B, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJYAEG..HANGUL SYLLABLE JJYAEH
+	{0xCA4C, 0xCA4C, prLV},                     // Lo       HANGUL SYLLABLE JJEO
+	{0xCA4D, 0xCA67, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJEOG..HANGUL SYLLABLE JJEOH
+	{0xCA68, 0xCA68, prLV},                     // Lo       HANGUL SYLLABLE JJE
+	{0xCA69, 0xCA83, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJEG..HANGUL SYLLABLE JJEH
+	{0xCA84, 0xCA84, prLV},                     // Lo       HANGUL SYLLABLE JJYEO
+	{0xCA85, 0xCA9F, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJYEOG..HANGUL SYLLABLE JJYEOH
+	{0xCAA0, 0xCAA0, prLV},                     // Lo       HANGUL SYLLABLE JJYE
+	{0xCAA1, 0xCABB, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJYEG..HANGUL SYLLABLE JJYEH
+	{0xCABC, 0xCABC, prLV},                     // Lo       HANGUL SYLLABLE JJO
+	{0xCABD, 0xCAD7, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJOG..HANGUL SYLLABLE JJOH
+	{0xCAD8, 0xCAD8, prLV},                     // Lo       HANGUL SYLLABLE JJWA
+	{0xCAD9, 0xCAF3, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJWAG..HANGUL SYLLABLE JJWAH
+	{0xCAF4, 0xCAF4, prLV},                     // Lo       HANGUL SYLLABLE JJWAE
+	{0xCAF5, 0xCB0F, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJWAEG..HANGUL SYLLABLE JJWAEH
+	{0xCB10, 0xCB10, prLV},                     // Lo       HANGUL SYLLABLE JJOE
+	{0xCB11, 0xCB2B, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJOEG..HANGUL SYLLABLE JJOEH
+	{0xCB2C, 0xCB2C, prLV},                     // Lo       HANGUL SYLLABLE JJYO
+	{0xCB2D, 0xCB47, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJYOG..HANGUL SYLLABLE JJYOH
+	{0xCB48, 0xCB48, prLV},                     // Lo       HANGUL SYLLABLE JJU
+	{0xCB49, 0xCB63, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJUG..HANGUL SYLLABLE JJUH
+	{0xCB64, 0xCB64, prLV},                     // Lo       HANGUL SYLLABLE JJWEO
+	{0xCB65, 0xCB7F, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJWEOG..HANGUL SYLLABLE JJWEOH
+	{0xCB80, 0xCB80, prLV},                     // Lo       HANGUL SYLLABLE JJWE
+	{0xCB81, 0xCB9B, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJWEG..HANGUL SYLLABLE JJWEH
+	{0xCB9C, 0xCB9C, prLV},                     // Lo       HANGUL SYLLABLE JJWI
+	{0xCB9D, 0xCBB7, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJWIG..HANGUL SYLLABLE JJWIH
+	{0xCBB8, 0xCBB8, prLV},                     // Lo       HANGUL SYLLABLE JJYU
+	{0xCBB9, 0xCBD3, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJYUG..HANGUL SYLLABLE JJYUH
+	{0xCBD4, 0xCBD4, prLV},                     // Lo       HANGUL SYLLABLE JJEU
+	{0xCBD5, 0xCBEF, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJEUG..HANGUL SYLLABLE JJEUH
+	{0xCBF0, 0xCBF0, prLV},                     // Lo       HANGUL SYLLABLE JJYI
+	{0xCBF1, 0xCC0B, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJYIG..HANGUL SYLLABLE JJYIH
+	{0xCC0C, 0xCC0C, prLV},                     // Lo       HANGUL SYLLABLE JJI
+	{0xCC0D, 0xCC27, prLVT},                    // Lo  [27] HANGUL SYLLABLE JJIG..HANGUL SYLLABLE JJIH
+	{0xCC28, 0xCC28, prLV},                     // Lo       HANGUL SYLLABLE CA
+	{0xCC29, 0xCC43, prLVT},                    // Lo  [27] HANGUL SYLLABLE CAG..HANGUL SYLLABLE CAH
+	{0xCC44, 0xCC44, prLV},                     // Lo       HANGUL SYLLABLE CAE
+	{0xCC45, 0xCC5F, prLVT},                    // Lo  [27] HANGUL SYLLABLE CAEG..HANGUL SYLLABLE CAEH
+	{0xCC60, 0xCC60, prLV},                     // Lo       HANGUL SYLLABLE CYA
+	{0xCC61, 0xCC7B, prLVT},                    // Lo  [27] HANGUL SYLLABLE CYAG..HANGUL SYLLABLE CYAH
+	{0xCC7C, 0xCC7C, prLV},                     // Lo       HANGUL SYLLABLE CYAE
+	{0xCC7D, 0xCC97, prLVT},                    // Lo  [27] HANGUL SYLLABLE CYAEG..HANGUL SYLLABLE CYAEH
+	{0xCC98, 0xCC98, prLV},                     // Lo       HANGUL SYLLABLE CEO
+	{0xCC99, 0xCCB3, prLVT},                    // Lo  [27] HANGUL SYLLABLE CEOG..HANGUL SYLLABLE CEOH
+	{0xCCB4, 0xCCB4, prLV},                     // Lo       HANGUL SYLLABLE CE
+	{0xCCB5, 0xCCCF, prLVT},                    // Lo  [27] HANGUL SYLLABLE CEG..HANGUL SYLLABLE CEH
+	{0xCCD0, 0xCCD0, prLV},                     // Lo       HANGUL SYLLABLE CYEO
+	{0xCCD1, 0xCCEB, prLVT},                    // Lo  [27] HANGUL SYLLABLE CYEOG..HANGUL SYLLABLE CYEOH
+	{0xCCEC, 0xCCEC, prLV},                     // Lo       HANGUL SYLLABLE CYE
+	{0xCCED, 0xCD07, prLVT},                    // Lo  [27] HANGUL SYLLABLE CYEG..HANGUL SYLLABLE CYEH
+	{0xCD08, 0xCD08, prLV},                     // Lo       HANGUL SYLLABLE CO
+	{0xCD09, 0xCD23, prLVT},                    // Lo  [27] HANGUL SYLLABLE COG..HANGUL SYLLABLE COH
+	{0xCD24, 0xCD24, prLV},                     // Lo       HANGUL SYLLABLE CWA
+	{0xCD25, 0xCD3F, prLVT},                    // Lo  [27] HANGUL SYLLABLE CWAG..HANGUL SYLLABLE CWAH
+	{0xCD40, 0xCD40, prLV},                     // Lo       HANGUL SYLLABLE CWAE
+	{0xCD41, 0xCD5B, prLVT},                    // Lo  [27] HANGUL SYLLABLE CWAEG..HANGUL SYLLABLE CWAEH
+	{0xCD5C, 0xCD5C, prLV},                     // Lo       HANGUL SYLLABLE COE
+	{0xCD5D, 0xCD77, prLVT},                    // Lo  [27] HANGUL SYLLABLE COEG..HANGUL SYLLABLE COEH
+	{0xCD78, 0xCD78, prLV},                     // Lo       HANGUL SYLLABLE CYO
+	{0xCD79, 0xCD93, prLVT},                    // Lo  [27] HANGUL SYLLABLE CYOG..HANGUL SYLLABLE CYOH
+	{0xCD94, 0xCD94, prLV},                     // Lo       HANGUL SYLLABLE CU
+	{0xCD95, 0xCDAF, prLVT},                    // Lo  [27] HANGUL SYLLABLE CUG..HANGUL SYLLABLE CUH
+	{0xCDB0, 0xCDB0, prLV},                     // Lo       HANGUL SYLLABLE CWEO
+	{0xCDB1, 0xCDCB, prLVT},                    // Lo  [27] HANGUL SYLLABLE CWEOG..HANGUL SYLLABLE CWEOH
+	{0xCDCC, 0xCDCC, prLV},                     // Lo       HANGUL SYLLABLE CWE
+	{0xCDCD, 0xCDE7, prLVT},                    // Lo  [27] HANGUL SYLLABLE CWEG..HANGUL SYLLABLE CWEH
+	{0xCDE8, 0xCDE8, prLV},                     // Lo       HANGUL SYLLABLE CWI
+	{0xCDE9, 0xCE03, prLVT},                    // Lo  [27] HANGUL SYLLABLE CWIG..HANGUL SYLLABLE CWIH
+	{0xCE04, 0xCE04, prLV},                     // Lo       HANGUL SYLLABLE CYU
+	{0xCE05, 0xCE1F, prLVT},                    // Lo  [27] HANGUL SYLLABLE CYUG..HANGUL SYLLABLE CYUH
+	{0xCE20, 0xCE20, prLV},                     // Lo       HANGUL SYLLABLE CEU
+	{0xCE21, 0xCE3B, prLVT},                    // Lo  [27] HANGUL SYLLABLE CEUG..HANGUL SYLLABLE CEUH
+	{0xCE3C, 0xCE3C, prLV},                     // Lo       HANGUL SYLLABLE CYI
+	{0xCE3D, 0xCE57, prLVT},                    // Lo  [27] HANGUL SYLLABLE CYIG..HANGUL SYLLABLE CYIH
+	{0xCE58, 0xCE58, prLV},                     // Lo       HANGUL SYLLABLE CI
+	{0xCE59, 0xCE73, prLVT},                    // Lo  [27] HANGUL SYLLABLE CIG..HANGUL SYLLABLE CIH
+	{0xCE74, 0xCE74, prLV},                     // Lo       HANGUL SYLLABLE KA
+	{0xCE75, 0xCE8F, prLVT},                    // Lo  [27] HANGUL SYLLABLE KAG..HANGUL SYLLABLE KAH
+	{0xCE90, 0xCE90, prLV},                     // Lo       HANGUL SYLLABLE KAE
+	{0xCE91, 0xCEAB, prLVT},                    // Lo  [27] HANGUL SYLLABLE KAEG..HANGUL SYLLABLE KAEH
+	{0xCEAC, 0xCEAC, prLV},                     // Lo       HANGUL SYLLABLE KYA
+	{0xCEAD, 0xCEC7, prLVT},                    // Lo  [27] HANGUL SYLLABLE KYAG..HANGUL SYLLABLE KYAH
+	{0xCEC8, 0xCEC8, prLV},                     // Lo       HANGUL SYLLABLE KYAE
+	{0xCEC9, 0xCEE3, prLVT},                    // Lo  [27] HANGUL SYLLABLE KYAEG..HANGUL SYLLABLE KYAEH
+	{0xCEE4, 0xCEE4, prLV},                     // Lo       HANGUL SYLLABLE KEO
+	{0xCEE5, 0xCEFF, prLVT},                    // Lo  [27] HANGUL SYLLABLE KEOG..HANGUL SYLLABLE KEOH
+	{0xCF00, 0xCF00, prLV},                     // Lo       HANGUL SYLLABLE KE
+	{0xCF01, 0xCF1B, prLVT},                    // Lo  [27] HANGUL SYLLABLE KEG..HANGUL SYLLABLE KEH
+	{0xCF1C, 0xCF1C, prLV},                     // Lo       HANGUL SYLLABLE KYEO
+	{0xCF1D, 0xCF37, prLVT},                    // Lo  [27] HANGUL SYLLABLE KYEOG..HANGUL SYLLABLE KYEOH
+	{0xCF38, 0xCF38, prLV},                     // Lo       HANGUL SYLLABLE KYE
+	{0xCF39, 0xCF53, prLVT},                    // Lo  [27] HANGUL SYLLABLE KYEG..HANGUL SYLLABLE KYEH
+	{0xCF54, 0xCF54, prLV},                     // Lo       HANGUL SYLLABLE KO
+	{0xCF55, 0xCF6F, prLVT},                    // Lo  [27] HANGUL SYLLABLE KOG..HANGUL SYLLABLE KOH
+	{0xCF70, 0xCF70, prLV},                     // Lo       HANGUL SYLLABLE KWA
+	{0xCF71, 0xCF8B, prLVT},                    // Lo  [27] HANGUL SYLLABLE KWAG..HANGUL SYLLABLE KWAH
+	{0xCF8C, 0xCF8C, prLV},                     // Lo       HANGUL SYLLABLE KWAE
+	{0xCF8D, 0xCFA7, prLVT},                    // Lo  [27] HANGUL SYLLABLE KWAEG..HANGUL SYLLABLE KWAEH
+	{0xCFA8, 0xCFA8, prLV},                     // Lo       HANGUL SYLLABLE KOE
+	{0xCFA9, 0xCFC3, prLVT},                    // Lo  [27] HANGUL SYLLABLE KOEG..HANGUL SYLLABLE KOEH
+	{0xCFC4, 0xCFC4, prLV},                     // Lo       HANGUL SYLLABLE KYO
+	{0xCFC5, 0xCFDF, prLVT},                    // Lo  [27] HANGUL SYLLABLE KYOG..HANGUL SYLLABLE KYOH
+	{0xCFE0, 0xCFE0, prLV},                     // Lo       HANGUL SYLLABLE KU
+	{0xCFE1, 0xCFFB, prLVT},                    // Lo  [27] HANGUL SYLLABLE KUG..HANGUL SYLLABLE KUH
+	{0xCFFC, 0xCFFC, prLV},                     // Lo       HANGUL SYLLABLE KWEO
+	{0xCFFD, 0xD017, prLVT},                    // Lo  [27] HANGUL SYLLABLE KWEOG..HANGUL SYLLABLE KWEOH
+	{0xD018, 0xD018, prLV},                     // Lo       HANGUL SYLLABLE KWE
+	{0xD019, 0xD033, prLVT},                    // Lo  [27] HANGUL SYLLABLE KWEG..HANGUL SYLLABLE KWEH
+	{0xD034, 0xD034, prLV},                     // Lo       HANGUL SYLLABLE KWI
+	{0xD035, 0xD04F, prLVT},                    // Lo  [27] HANGUL SYLLABLE KWIG..HANGUL SYLLABLE KWIH
+	{0xD050, 0xD050, prLV},                     // Lo       HANGUL SYLLABLE KYU
+	{0xD051, 0xD06B, prLVT},                    // Lo  [27] HANGUL SYLLABLE KYUG..HANGUL SYLLABLE KYUH
+	{0xD06C, 0xD06C, prLV},                     // Lo       HANGUL SYLLABLE KEU
+	{0xD06D, 0xD087, prLVT},                    // Lo  [27] HANGUL SYLLABLE KEUG..HANGUL SYLLABLE KEUH
+	{0xD088, 0xD088, prLV},                     // Lo       HANGUL SYLLABLE KYI
+	{0xD089, 0xD0A3, prLVT},                    // Lo  [27] HANGUL SYLLABLE KYIG..HANGUL SYLLABLE KYIH
+	{0xD0A4, 0xD0A4, prLV},                     // Lo       HANGUL SYLLABLE KI
+	{0xD0A5, 0xD0BF, prLVT},                    // Lo  [27] HANGUL SYLLABLE KIG..HANGUL SYLLABLE KIH
+	{0xD0C0, 0xD0C0, prLV},                     // Lo       HANGUL SYLLABLE TA
+	{0xD0C1, 0xD0DB, prLVT},                    // Lo  [27] HANGUL SYLLABLE TAG..HANGUL SYLLABLE TAH
+	{0xD0DC, 0xD0DC, prLV},                     // Lo       HANGUL SYLLABLE TAE
+	{0xD0DD, 0xD0F7, prLVT},                    // Lo  [27] HANGUL SYLLABLE TAEG..HANGUL SYLLABLE TAEH
+	{0xD0F8, 0xD0F8, prLV},                     // Lo       HANGUL SYLLABLE TYA
+	{0xD0F9, 0xD113, prLVT},                    // Lo  [27] HANGUL SYLLABLE TYAG..HANGUL SYLLABLE TYAH
+	{0xD114, 0xD114, prLV},                     // Lo       HANGUL SYLLABLE TYAE
+	{0xD115, 0xD12F, prLVT},                    // Lo  [27] HANGUL SYLLABLE TYAEG..HANGUL SYLLABLE TYAEH
+	{0xD130, 0xD130, prLV},                     // Lo       HANGUL SYLLABLE TEO
+	{0xD131, 0xD14B, prLVT},                    // Lo  [27] HANGUL SYLLABLE TEOG..HANGUL SYLLABLE TEOH
+	{0xD14C, 0xD14C, prLV},                     // Lo       HANGUL SYLLABLE TE
+	{0xD14D, 0xD167, prLVT},                    // Lo  [27] HANGUL SYLLABLE TEG..HANGUL SYLLABLE TEH
+	{0xD168, 0xD168, prLV},                     // Lo       HANGUL SYLLABLE TYEO
+	{0xD169, 0xD183, prLVT},                    // Lo  [27] HANGUL SYLLABLE TYEOG..HANGUL SYLLABLE TYEOH
+	{0xD184, 0xD184, prLV},                     // Lo       HANGUL SYLLABLE TYE
+	{0xD185, 0xD19F, prLVT},                    // Lo  [27] HANGUL SYLLABLE TYEG..HANGUL SYLLABLE TYEH
+	{0xD1A0, 0xD1A0, prLV},                     // Lo       HANGUL SYLLABLE TO
+	{0xD1A1, 0xD1BB, prLVT},                    // Lo  [27] HANGUL SYLLABLE TOG..HANGUL SYLLABLE TOH
+	{0xD1BC, 0xD1BC, prLV},                     // Lo       HANGUL SYLLABLE TWA
+	{0xD1BD, 0xD1D7, prLVT},                    // Lo  [27] HANGUL SYLLABLE TWAG..HANGUL SYLLABLE TWAH
+	{0xD1D8, 0xD1D8, prLV},                     // Lo       HANGUL SYLLABLE TWAE
+	{0xD1D9, 0xD1F3, prLVT},                    // Lo  [27] HANGUL SYLLABLE TWAEG..HANGUL SYLLABLE TWAEH
+	{0xD1F4, 0xD1F4, prLV},                     // Lo       HANGUL SYLLABLE TOE
+	{0xD1F5, 0xD20F, prLVT},                    // Lo  [27] HANGUL SYLLABLE TOEG..HANGUL SYLLABLE TOEH
+	{0xD210, 0xD210, prLV},                     // Lo       HANGUL SYLLABLE TYO
+	{0xD211, 0xD22B, prLVT},                    // Lo  [27] HANGUL SYLLABLE TYOG..HANGUL SYLLABLE TYOH
+	{0xD22C, 0xD22C, prLV},                     // Lo       HANGUL SYLLABLE TU
+	{0xD22D, 0xD247, prLVT},                    // Lo  [27] HANGUL SYLLABLE TUG..HANGUL SYLLABLE TUH
+	{0xD248, 0xD248, prLV},                     // Lo       HANGUL SYLLABLE TWEO
+	{0xD249, 0xD263, prLVT},                    // Lo  [27] HANGUL SYLLABLE TWEOG..HANGUL SYLLABLE TWEOH
+	{0xD264, 0xD264, prLV},                     // Lo       HANGUL SYLLABLE TWE
+	{0xD265, 0xD27F, prLVT},                    // Lo  [27] HANGUL SYLLABLE TWEG..HANGUL SYLLABLE TWEH
+	{0xD280, 0xD280, prLV},                     // Lo       HANGUL SYLLABLE TWI
+	{0xD281, 0xD29B, prLVT},                    // Lo  [27] HANGUL SYLLABLE TWIG..HANGUL SYLLABLE TWIH
+	{0xD29C, 0xD29C, prLV},                     // Lo       HANGUL SYLLABLE TYU
+	{0xD29D, 0xD2B7, prLVT},                    // Lo  [27] HANGUL SYLLABLE TYUG..HANGUL SYLLABLE TYUH
+	{0xD2B8, 0xD2B8, prLV},                     // Lo       HANGUL SYLLABLE TEU
+	{0xD2B9, 0xD2D3, prLVT},                    // Lo  [27] HANGUL SYLLABLE TEUG..HANGUL SYLLABLE TEUH
+	{0xD2D4, 0xD2D4, prLV},                     // Lo       HANGUL SYLLABLE TYI
+	{0xD2D5, 0xD2EF, prLVT},                    // Lo  [27] HANGUL SYLLABLE TYIG..HANGUL SYLLABLE TYIH
+	{0xD2F0, 0xD2F0, prLV},                     // Lo       HANGUL SYLLABLE TI
+	{0xD2F1, 0xD30B, prLVT},                    // Lo  [27] HANGUL SYLLABLE TIG..HANGUL SYLLABLE TIH
+	{0xD30C, 0xD30C, prLV},                     // Lo       HANGUL SYLLABLE PA
+	{0xD30D, 0xD327, prLVT},                    // Lo  [27] HANGUL SYLLABLE PAG..HANGUL SYLLABLE PAH
+	{0xD328, 0xD328, prLV},                     // Lo       HANGUL SYLLABLE PAE
+	{0xD329, 0xD343, prLVT},                    // Lo  [27] HANGUL SYLLABLE PAEG..HANGUL SYLLABLE PAEH
+	{0xD344, 0xD344, prLV},                     // Lo       HANGUL SYLLABLE PYA
+	{0xD345, 0xD35F, prLVT},                    // Lo  [27] HANGUL SYLLABLE PYAG..HANGUL SYLLABLE PYAH
+	{0xD360, 0xD360, prLV},                     // Lo       HANGUL SYLLABLE PYAE
+	{0xD361, 0xD37B, prLVT},                    // Lo  [27] HANGUL SYLLABLE PYAEG..HANGUL SYLLABLE PYAEH
+	{0xD37C, 0xD37C, prLV},                     // Lo       HANGUL SYLLABLE PEO
+	{0xD37D, 0xD397, prLVT},                    // Lo  [27] HANGUL SYLLABLE PEOG..HANGUL SYLLABLE PEOH
+	{0xD398, 0xD398, prLV},                     // Lo       HANGUL SYLLABLE PE
+	{0xD399, 0xD3B3, prLVT},                    // Lo  [27] HANGUL SYLLABLE PEG..HANGUL SYLLABLE PEH
+	{0xD3B4, 0xD3B4, prLV},                     // Lo       HANGUL SYLLABLE PYEO
+	{0xD3B5, 0xD3CF, prLVT},                    // Lo  [27] HANGUL SYLLABLE PYEOG..HANGUL SYLLABLE PYEOH
+	{0xD3D0, 0xD3D0, prLV},                     // Lo       HANGUL SYLLABLE PYE
+	{0xD3D1, 0xD3EB, prLVT},                    // Lo  [27] HANGUL SYLLABLE PYEG..HANGUL SYLLABLE PYEH
+	{0xD3EC, 0xD3EC, prLV},                     // Lo       HANGUL SYLLABLE PO
+	{0xD3ED, 0xD407, prLVT},                    // Lo  [27] HANGUL SYLLABLE POG..HANGUL SYLLABLE POH
+	{0xD408, 0xD408, prLV},                     // Lo       HANGUL SYLLABLE PWA
+	{0xD409, 0xD423, prLVT},                    // Lo  [27] HANGUL SYLLABLE PWAG..HANGUL SYLLABLE PWAH
+	{0xD424, 0xD424, prLV},                     // Lo       HANGUL SYLLABLE PWAE
+	{0xD425, 0xD43F, prLVT},                    // Lo  [27] HANGUL SYLLABLE PWAEG..HANGUL SYLLABLE PWAEH
+	{0xD440, 0xD440, prLV},                     // Lo       HANGUL SYLLABLE POE
+	{0xD441, 0xD45B, prLVT},                    // Lo  [27] HANGUL SYLLABLE POEG..HANGUL SYLLABLE POEH
+	{0xD45C, 0xD45C, prLV},                     // Lo       HANGUL SYLLABLE PYO
+	{0xD45D, 0xD477, prLVT},                    // Lo  [27] HANGUL SYLLABLE PYOG..HANGUL SYLLABLE PYOH
+	{0xD478, 0xD478, prLV},                     // Lo       HANGUL SYLLABLE PU
+	{0xD479, 0xD493, prLVT},                    // Lo  [27] HANGUL SYLLABLE PUG..HANGUL SYLLABLE PUH
+	{0xD494, 0xD494, prLV},                     // Lo       HANGUL SYLLABLE PWEO
+	{0xD495, 0xD4AF, prLVT},                    // Lo  [27] HANGUL SYLLABLE PWEOG..HANGUL SYLLABLE PWEOH
+	{0xD4B0, 0xD4B0, prLV},                     // Lo       HANGUL SYLLABLE PWE
+	{0xD4B1, 0xD4CB, prLVT},                    // Lo  [27] HANGUL SYLLABLE PWEG..HANGUL SYLLABLE PWEH
+	{0xD4CC, 0xD4CC, prLV},                     // Lo       HANGUL SYLLABLE PWI
+	{0xD4CD, 0xD4E7, prLVT},                    // Lo  [27] HANGUL SYLLABLE PWIG..HANGUL SYLLABLE PWIH
+	{0xD4E8, 0xD4E8, prLV},                     // Lo       HANGUL SYLLABLE PYU
+	{0xD4E9, 0xD503, prLVT},                    // Lo  [27] HANGUL SYLLABLE PYUG..HANGUL SYLLABLE PYUH
+	{0xD504, 0xD504, prLV},                     // Lo       HANGUL SYLLABLE PEU
+	{0xD505, 0xD51F, prLVT},                    // Lo  [27] HANGUL SYLLABLE PEUG..HANGUL SYLLABLE PEUH
+	{0xD520, 0xD520, prLV},                     // Lo       HANGUL SYLLABLE PYI
+	{0xD521, 0xD53B, prLVT},                    // Lo  [27] HANGUL SYLLABLE PYIG..HANGUL SYLLABLE PYIH
+	{0xD53C, 0xD53C, prLV},                     // Lo       HANGUL SYLLABLE PI
+	{0xD53D, 0xD557, prLVT},                    // Lo  [27] HANGUL SYLLABLE PIG..HANGUL SYLLABLE PIH
+	{0xD558, 0xD558, prLV},                     // Lo       HANGUL SYLLABLE HA
+	{0xD559, 0xD573, prLVT},                    // Lo  [27] HANGUL SYLLABLE HAG..HANGUL SYLLABLE HAH
+	{0xD574, 0xD574, prLV},                     // Lo       HANGUL SYLLABLE HAE
+	{0xD575, 0xD58F, prLVT},                    // Lo  [27] HANGUL SYLLABLE HAEG..HANGUL SYLLABLE HAEH
+	{0xD590, 0xD590, prLV},                     // Lo       HANGUL SYLLABLE HYA
+	{0xD591, 0xD5AB, prLVT},                    // Lo  [27] HANGUL SYLLABLE HYAG..HANGUL SYLLABLE HYAH
+	{0xD5AC, 0xD5AC, prLV},                     // Lo       HANGUL SYLLABLE HYAE
+	{0xD5AD, 0xD5C7, prLVT},                    // Lo  [27] HANGUL SYLLABLE HYAEG..HANGUL SYLLABLE HYAEH
+	{0xD5C8, 0xD5C8, prLV},                     // Lo       HANGUL SYLLABLE HEO
+	{0xD5C9, 0xD5E3, prLVT},                    // Lo  [27] HANGUL SYLLABLE HEOG..HANGUL SYLLABLE HEOH
+	{0xD5E4, 0xD5E4, prLV},                     // Lo       HANGUL SYLLABLE HE
+	{0xD5E5, 0xD5FF, prLVT},                    // Lo  [27] HANGUL SYLLABLE HEG..HANGUL SYLLABLE HEH
+	{0xD600, 0xD600, prLV},                     // Lo       HANGUL SYLLABLE HYEO
+	{0xD601, 0xD61B, prLVT},                    // Lo  [27] HANGUL SYLLABLE HYEOG..HANGUL SYLLABLE HYEOH
+	{0xD61C, 0xD61C, prLV},                     // Lo       HANGUL SYLLABLE HYE
+	{0xD61D, 0xD637, prLVT},                    // Lo  [27] HANGUL SYLLABLE HYEG..HANGUL SYLLABLE HYEH
+	{0xD638, 0xD638, prLV},                     // Lo       HANGUL SYLLABLE HO
+	{0xD639, 0xD653, prLVT},                    // Lo  [27] HANGUL SYLLABLE HOG..HANGUL SYLLABLE HOH
+	{0xD654, 0xD654, prLV},                     // Lo       HANGUL SYLLABLE HWA
+	{0xD655, 0xD66F, prLVT},                    // Lo  [27] HANGUL SYLLABLE HWAG..HANGUL SYLLABLE HWAH
+	{0xD670, 0xD670, prLV},                     // Lo       HANGUL SYLLABLE HWAE
+	{0xD671, 0xD68B, prLVT},                    // Lo  [27] HANGUL SYLLABLE HWAEG..HANGUL SYLLABLE HWAEH
+	{0xD68C, 0xD68C, prLV},                     // Lo       HANGUL SYLLABLE HOE
+	{0xD68D, 0xD6A7, prLVT},                    // Lo  [27] HANGUL SYLLABLE HOEG..HANGUL SYLLABLE HOEH
+	{0xD6A8, 0xD6A8, prLV},                     // Lo       HANGUL SYLLABLE HYO
+	{0xD6A9, 0xD6C3, prLVT},                    // Lo  [27] HANGUL SYLLABLE HYOG..HANGUL SYLLABLE HYOH
+	{0xD6C4, 0xD6C4, prLV},                     // Lo       HANGUL SYLLABLE HU
+	{0xD6C5, 0xD6DF, prLVT},                    // Lo  [27] HANGUL SYLLABLE HUG..HANGUL SYLLABLE HUH
+	{0xD6E0, 0xD6E0, prLV},                     // Lo       HANGUL SYLLABLE HWEO
+	{0xD6E1, 0xD6FB, prLVT},                    // Lo  [27] HANGUL SYLLABLE HWEOG..HANGUL SYLLABLE HWEOH
+	{0xD6FC, 0xD6FC, prLV},                     // Lo       HANGUL SYLLABLE HWE
+	{0xD6FD, 0xD717, prLVT},                    // Lo  [27] HANGUL SYLLABLE HWEG..HANGUL SYLLABLE HWEH
+	{0xD718, 0xD718, prLV},                     // Lo       HANGUL SYLLABLE HWI
+	{0xD719, 0xD733, prLVT},                    // Lo  [27] HANGUL SYLLABLE HWIG..HANGUL SYLLABLE HWIH
+	{0xD734, 0xD734, prLV},                     // Lo       HANGUL SYLLABLE HYU
+	{0xD735, 0xD74F, prLVT},                    // Lo  [27] HANGUL SYLLABLE HYUG..HANGUL SYLLABLE HYUH
+	{0xD750, 0xD750, prLV},                     // Lo       HANGUL SYLLABLE HEU
+	{0xD751, 0xD76B, prLVT},                    // Lo  [27] HANGUL SYLLABLE HEUG..HANGUL SYLLABLE HEUH
+	{0xD76C, 0xD76C, prLV},                     // Lo       HANGUL SYLLABLE HYI
+	{0xD76D, 0xD787, prLVT},                    // Lo  [27] HANGUL SYLLABLE HYIG..HANGUL SYLLABLE HYIH
+	{0xD788, 0xD788, prLV},                     // Lo       HANGUL SYLLABLE HI
+	{0xD789, 0xD7A3, prLVT},                    // Lo  [27] HANGUL SYLLABLE HIG..HANGUL SYLLABLE HIH
+	{0xD7B0, 0xD7C6, prV},                      // Lo  [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E
+	{0xD7CB, 0xD7FB, prT},                      // Lo  [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH
+	{0xFB1E, 0xFB1E, prExtend},                 // Mn       HEBREW POINT JUDEO-SPANISH VARIKA
+	{0xFE00, 0xFE0F, prExtend},                 // Mn  [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16
+	{0xFE20, 0xFE2F, prExtend},                 // Mn  [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF
+	{0xFEFF, 0xFEFF, prControl},                // Cf       ZERO WIDTH NO-BREAK SPACE
+	{0xFF9E, 0xFF9F, prExtend},                 // Lm   [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK
+	{0xFFF0, 0xFFF8, prControl},                // Cn   [9] <reserved-FFF0>..<reserved-FFF8>
+	{0xFFF9, 0xFFFB, prControl},                // Cf   [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR
+	{0x101FD, 0x101FD, prExtend},               // Mn       PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE
+	{0x102E0, 0x102E0, prExtend},               // Mn       COPTIC EPACT THOUSANDS MARK
+	{0x10376, 0x1037A, prExtend},               // Mn   [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII
+	{0x10A01, 0x10A03, prExtend},               // Mn   [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R
+	{0x10A05, 0x10A06, prExtend},               // Mn   [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O
+	{0x10A0C, 0x10A0F, prExtend},               // Mn   [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA
+	{0x10A38, 0x10A3A, prExtend},               // Mn   [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW
+	{0x10A3F, 0x10A3F, prExtend},               // Mn       KHAROSHTHI VIRAMA
+	{0x10AE5, 0x10AE6, prExtend},               // Mn   [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW
+	{0x10D24, 0x10D27, prExtend},               // Mn   [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI
+	{0x10EAB, 0x10EAC, prExtend},               // Mn   [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK
+	{0x10EFD, 0x10EFF, prExtend},               // Mn   [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA
+	{0x10F46, 0x10F50, prExtend},               // Mn  [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW
+	{0x10F82, 0x10F85, prExtend},               // Mn   [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW
+	{0x11000, 0x11000, prSpacingMark},          // Mc       BRAHMI SIGN CANDRABINDU
+	{0x11001, 0x11001, prExtend},               // Mn       BRAHMI SIGN ANUSVARA
+	{0x11002, 0x11002, prSpacingMark},          // Mc       BRAHMI SIGN VISARGA
+	{0x11038, 0x11046, prExtend},               // Mn  [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA
+	{0x11070, 0x11070, prExtend},               // Mn       BRAHMI SIGN OLD TAMIL VIRAMA
+	{0x11073, 0x11074, prExtend},               // Mn   [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O
+	{0x1107F, 0x11081, prExtend},               // Mn   [3] BRAHMI NUMBER JOINER..KAITHI SIGN ANUSVARA
+	{0x11082, 0x11082, prSpacingMark},          // Mc       KAITHI SIGN VISARGA
+	{0x110B0, 0x110B2, prSpacingMark},          // Mc   [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II
+	{0x110B3, 0x110B6, prExtend},               // Mn   [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI
+	{0x110B7, 0x110B8, prSpacingMark},          // Mc   [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU
+	{0x110B9, 0x110BA, prExtend},               // Mn   [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA
+	{0x110BD, 0x110BD, prPrepend},              // Cf       KAITHI NUMBER SIGN
+	{0x110C2, 0x110C2, prExtend},               // Mn       KAITHI VOWEL SIGN VOCALIC R
+	{0x110CD, 0x110CD, prPrepend},              // Cf       KAITHI NUMBER SIGN ABOVE
+	{0x11100, 0x11102, prExtend},               // Mn   [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA
+	{0x11127, 0x1112B, prExtend},               // Mn   [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU
+	{0x1112C, 0x1112C, prSpacingMark},          // Mc       CHAKMA VOWEL SIGN E
+	{0x1112D, 0x11134, prExtend},               // Mn   [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA
+	{0x11145, 0x11146, prSpacingMark},          // Mc   [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI
+	{0x11173, 0x11173, prExtend},               // Mn       MAHAJANI SIGN NUKTA
+	{0x11180, 0x11181, prExtend},               // Mn   [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA
+	{0x11182, 0x11182, prSpacingMark},          // Mc       SHARADA SIGN VISARGA
+	{0x111B3, 0x111B5, prSpacingMark},          // Mc   [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II
+	{0x111B6, 0x111BE, prExtend},               // Mn   [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O
+	{0x111BF, 0x111C0, prSpacingMark},          // Mc   [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA
+	{0x111C2, 0x111C3, prPrepend},              // Lo   [2] SHARADA SIGN JIHVAMULIYA..SHARADA SIGN UPADHMANIYA
+	{0x111C9, 0x111CC, prExtend},               // Mn   [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK
+	{0x111CE, 0x111CE, prSpacingMark},          // Mc       SHARADA VOWEL SIGN PRISHTHAMATRA E
+	{0x111CF, 0x111CF, prExtend},               // Mn       SHARADA SIGN INVERTED CANDRABINDU
+	{0x1122C, 0x1122E, prSpacingMark},          // Mc   [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II
+	{0x1122F, 0x11231, prExtend},               // Mn   [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI
+	{0x11232, 0x11233, prSpacingMark},          // Mc   [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU
+	{0x11234, 0x11234, prExtend},               // Mn       KHOJKI SIGN ANUSVARA
+	{0x11235, 0x11235, prSpacingMark},          // Mc       KHOJKI SIGN VIRAMA
+	{0x11236, 0x11237, prExtend},               // Mn   [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA
+	{0x1123E, 0x1123E, prExtend},               // Mn       KHOJKI SIGN SUKUN
+	{0x11241, 0x11241, prExtend},               // Mn       KHOJKI VOWEL SIGN VOCALIC R
+	{0x112DF, 0x112DF, prExtend},               // Mn       KHUDAWADI SIGN ANUSVARA
+	{0x112E0, 0x112E2, prSpacingMark},          // Mc   [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II
+	{0x112E3, 0x112EA, prExtend},               // Mn   [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA
+	{0x11300, 0x11301, prExtend},               // Mn   [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU
+	{0x11302, 0x11303, prSpacingMark},          // Mc   [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA
+	{0x1133B, 0x1133C, prExtend},               // Mn   [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA
+	{0x1133E, 0x1133E, prExtend},               // Mc       GRANTHA VOWEL SIGN AA
+	{0x1133F, 0x1133F, prSpacingMark},          // Mc       GRANTHA VOWEL SIGN I
+	{0x11340, 0x11340, prExtend},               // Mn       GRANTHA VOWEL SIGN II
+	{0x11341, 0x11344, prSpacingMark},          // Mc   [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR
+	{0x11347, 0x11348, prSpacingMark},          // Mc   [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI
+	{0x1134B, 0x1134D, prSpacingMark},          // Mc   [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA
+	{0x11357, 0x11357, prExtend},               // Mc       GRANTHA AU LENGTH MARK
+	{0x11362, 0x11363, prSpacingMark},          // Mc   [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL
+	{0x11366, 0x1136C, prExtend},               // Mn   [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX
+	{0x11370, 0x11374, prExtend},               // Mn   [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA
+	{0x11435, 0x11437, prSpacingMark},          // Mc   [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II
+	{0x11438, 0x1143F, prExtend},               // Mn   [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI
+	{0x11440, 0x11441, prSpacingMark},          // Mc   [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU
+	{0x11442, 0x11444, prExtend},               // Mn   [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA
+	{0x11445, 0x11445, prSpacingMark},          // Mc       NEWA SIGN VISARGA
+	{0x11446, 0x11446, prExtend},               // Mn       NEWA SIGN NUKTA
+	{0x1145E, 0x1145E, prExtend},               // Mn       NEWA SANDHI MARK
+	{0x114B0, 0x114B0, prExtend},               // Mc       TIRHUTA VOWEL SIGN AA
+	{0x114B1, 0x114B2, prSpacingMark},          // Mc   [2] TIRHUTA VOWEL SIGN I..TIRHUTA VOWEL SIGN II
+	{0x114B3, 0x114B8, prExtend},               // Mn   [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL
+	{0x114B9, 0x114B9, prSpacingMark},          // Mc       TIRHUTA VOWEL SIGN E
+	{0x114BA, 0x114BA, prExtend},               // Mn       TIRHUTA VOWEL SIGN SHORT E
+	{0x114BB, 0x114BC, prSpacingMark},          // Mc   [2] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN O
+	{0x114BD, 0x114BD, prExtend},               // Mc       TIRHUTA VOWEL SIGN SHORT O
+	{0x114BE, 0x114BE, prSpacingMark},          // Mc       TIRHUTA VOWEL SIGN AU
+	{0x114BF, 0x114C0, prExtend},               // Mn   [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA
+	{0x114C1, 0x114C1, prSpacingMark},          // Mc       TIRHUTA SIGN VISARGA
+	{0x114C2, 0x114C3, prExtend},               // Mn   [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA
+	{0x115AF, 0x115AF, prExtend},               // Mc       SIDDHAM VOWEL SIGN AA
+	{0x115B0, 0x115B1, prSpacingMark},          // Mc   [2] SIDDHAM VOWEL SIGN I..SIDDHAM VOWEL SIGN II
+	{0x115B2, 0x115B5, prExtend},               // Mn   [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR
+	{0x115B8, 0x115BB, prSpacingMark},          // Mc   [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU
+	{0x115BC, 0x115BD, prExtend},               // Mn   [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA
+	{0x115BE, 0x115BE, prSpacingMark},          // Mc       SIDDHAM SIGN VISARGA
+	{0x115BF, 0x115C0, prExtend},               // Mn   [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA
+	{0x115DC, 0x115DD, prExtend},               // Mn   [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU
+	{0x11630, 0x11632, prSpacingMark},          // Mc   [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II
+	{0x11633, 0x1163A, prExtend},               // Mn   [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI
+	{0x1163B, 0x1163C, prSpacingMark},          // Mc   [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU
+	{0x1163D, 0x1163D, prExtend},               // Mn       MODI SIGN ANUSVARA
+	{0x1163E, 0x1163E, prSpacingMark},          // Mc       MODI SIGN VISARGA
+	{0x1163F, 0x11640, prExtend},               // Mn   [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA
+	{0x116AB, 0x116AB, prExtend},               // Mn       TAKRI SIGN ANUSVARA
+	{0x116AC, 0x116AC, prSpacingMark},          // Mc       TAKRI SIGN VISARGA
+	{0x116AD, 0x116AD, prExtend},               // Mn       TAKRI VOWEL SIGN AA
+	{0x116AE, 0x116AF, prSpacingMark},          // Mc   [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II
+	{0x116B0, 0x116B5, prExtend},               // Mn   [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU
+	{0x116B6, 0x116B6, prSpacingMark},          // Mc       TAKRI SIGN VIRAMA
+	{0x116B7, 0x116B7, prExtend},               // Mn       TAKRI SIGN NUKTA
+	{0x1171D, 0x1171F, prExtend},               // Mn   [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA
+	{0x11722, 0x11725, prExtend},               // Mn   [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU
+	{0x11726, 0x11726, prSpacingMark},          // Mc       AHOM VOWEL SIGN E
+	{0x11727, 0x1172B, prExtend},               // Mn   [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER
+	{0x1182C, 0x1182E, prSpacingMark},          // Mc   [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II
+	{0x1182F, 0x11837, prExtend},               // Mn   [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA
+	{0x11838, 0x11838, prSpacingMark},          // Mc       DOGRA SIGN VISARGA
+	{0x11839, 0x1183A, prExtend},               // Mn   [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA
+	{0x11930, 0x11930, prExtend},               // Mc       DIVES AKURU VOWEL SIGN AA
+	{0x11931, 0x11935, prSpacingMark},          // Mc   [5] DIVES AKURU VOWEL SIGN I..DIVES AKURU VOWEL SIGN E
+	{0x11937, 0x11938, prSpacingMark},          // Mc   [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O
+	{0x1193B, 0x1193C, prExtend},               // Mn   [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU
+	{0x1193D, 0x1193D, prSpacingMark},          // Mc       DIVES AKURU SIGN HALANTA
+	{0x1193E, 0x1193E, prExtend},               // Mn       DIVES AKURU VIRAMA
+	{0x1193F, 0x1193F, prPrepend},              // Lo       DIVES AKURU PREFIXED NASAL SIGN
+	{0x11940, 0x11940, prSpacingMark},          // Mc       DIVES AKURU MEDIAL YA
+	{0x11941, 0x11941, prPrepend},              // Lo       DIVES AKURU INITIAL RA
+	{0x11942, 0x11942, prSpacingMark},          // Mc       DIVES AKURU MEDIAL RA
+	{0x11943, 0x11943, prExtend},               // Mn       DIVES AKURU SIGN NUKTA
+	{0x119D1, 0x119D3, prSpacingMark},          // Mc   [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II
+	{0x119D4, 0x119D7, prExtend},               // Mn   [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR
+	{0x119DA, 0x119DB, prExtend},               // Mn   [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI
+	{0x119DC, 0x119DF, prSpacingMark},          // Mc   [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA
+	{0x119E0, 0x119E0, prExtend},               // Mn       NANDINAGARI SIGN VIRAMA
+	{0x119E4, 0x119E4, prSpacingMark},          // Mc       NANDINAGARI VOWEL SIGN PRISHTHAMATRA E
+	{0x11A01, 0x11A0A, prExtend},               // Mn  [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK
+	{0x11A33, 0x11A38, prExtend},               // Mn   [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA
+	{0x11A39, 0x11A39, prSpacingMark},          // Mc       ZANABAZAR SQUARE SIGN VISARGA
+	{0x11A3A, 0x11A3A, prPrepend},              // Lo       ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA
+	{0x11A3B, 0x11A3E, prExtend},               // Mn   [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA
+	{0x11A47, 0x11A47, prExtend},               // Mn       ZANABAZAR SQUARE SUBJOINER
+	{0x11A51, 0x11A56, prExtend},               // Mn   [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE
+	{0x11A57, 0x11A58, prSpacingMark},          // Mc   [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU
+	{0x11A59, 0x11A5B, prExtend},               // Mn   [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK
+	{0x11A84, 0x11A89, prPrepend},              // Lo   [6] SOYOMBO SIGN JIHVAMULIYA..SOYOMBO CLUSTER-INITIAL LETTER SA
+	{0x11A8A, 0x11A96, prExtend},               // Mn  [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA
+	{0x11A97, 0x11A97, prSpacingMark},          // Mc       SOYOMBO SIGN VISARGA
+	{0x11A98, 0x11A99, prExtend},               // Mn   [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER
+	{0x11C2F, 0x11C2F, prSpacingMark},          // Mc       BHAIKSUKI VOWEL SIGN AA
+	{0x11C30, 0x11C36, prExtend},               // Mn   [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L
+	{0x11C38, 0x11C3D, prExtend},               // Mn   [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA
+	{0x11C3E, 0x11C3E, prSpacingMark},          // Mc       BHAIKSUKI SIGN VISARGA
+	{0x11C3F, 0x11C3F, prExtend},               // Mn       BHAIKSUKI SIGN VIRAMA
+	{0x11C92, 0x11CA7, prExtend},               // Mn  [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA
+	{0x11CA9, 0x11CA9, prSpacingMark},          // Mc       MARCHEN SUBJOINED LETTER YA
+	{0x11CAA, 0x11CB0, prExtend},               // Mn   [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA
+	{0x11CB1, 0x11CB1, prSpacingMark},          // Mc       MARCHEN VOWEL SIGN I
+	{0x11CB2, 0x11CB3, prExtend},               // Mn   [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E
+	{0x11CB4, 0x11CB4, prSpacingMark},          // Mc       MARCHEN VOWEL SIGN O
+	{0x11CB5, 0x11CB6, prExtend},               // Mn   [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU
+	{0x11D31, 0x11D36, prExtend},               // Mn   [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R
+	{0x11D3A, 0x11D3A, prExtend},               // Mn       MASARAM GONDI VOWEL SIGN E
+	{0x11D3C, 0x11D3D, prExtend},               // Mn   [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O
+	{0x11D3F, 0x11D45, prExtend},               // Mn   [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA
+	{0x11D46, 0x11D46, prPrepend},              // Lo       MASARAM GONDI REPHA
+	{0x11D47, 0x11D47, prExtend},               // Mn       MASARAM GONDI RA-KARA
+	{0x11D8A, 0x11D8E, prSpacingMark},          // Mc   [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU
+	{0x11D90, 0x11D91, prExtend},               // Mn   [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI
+	{0x11D93, 0x11D94, prSpacingMark},          // Mc   [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU
+	{0x11D95, 0x11D95, prExtend},               // Mn       GUNJALA GONDI SIGN ANUSVARA
+	{0x11D96, 0x11D96, prSpacingMark},          // Mc       GUNJALA GONDI SIGN VISARGA
+	{0x11D97, 0x11D97, prExtend},               // Mn       GUNJALA GONDI VIRAMA
+	{0x11EF3, 0x11EF4, prExtend},               // Mn   [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U
+	{0x11EF5, 0x11EF6, prSpacingMark},          // Mc   [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O
+	{0x11F00, 0x11F01, prExtend},               // Mn   [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA
+	{0x11F02, 0x11F02, prPrepend},              // Lo       KAWI SIGN REPHA
+	{0x11F03, 0x11F03, prSpacingMark},          // Mc       KAWI SIGN VISARGA
+	{0x11F34, 0x11F35, prSpacingMark},          // Mc   [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA
+	{0x11F36, 0x11F3A, prExtend},               // Mn   [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R
+	{0x11F3E, 0x11F3F, prSpacingMark},          // Mc   [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI
+	{0x11F40, 0x11F40, prExtend},               // Mn       KAWI VOWEL SIGN EU
+	{0x11F41, 0x11F41, prSpacingMark},          // Mc       KAWI SIGN KILLER
+	{0x11F42, 0x11F42, prExtend},               // Mn       KAWI CONJOINER
+	{0x13430, 0x1343F, prControl},              // Cf  [16] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE
+	{0x13440, 0x13440, prExtend},               // Mn       EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY
+	{0x13447, 0x13455, prExtend},               // Mn  [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED
+	{0x16AF0, 0x16AF4, prExtend},               // Mn   [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE
+	{0x16B30, 0x16B36, prExtend},               // Mn   [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM
+	{0x16F4F, 0x16F4F, prExtend},               // Mn       MIAO SIGN CONSONANT MODIFIER BAR
+	{0x16F51, 0x16F87, prSpacingMark},          // Mc  [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI
+	{0x16F8F, 0x16F92, prExtend},               // Mn   [4] MIAO TONE RIGHT..MIAO TONE BELOW
+	{0x16FE4, 0x16FE4, prExtend},               // Mn       KHITAN SMALL SCRIPT FILLER
+	{0x16FF0, 0x16FF1, prSpacingMark},          // Mc   [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY
+	{0x1BC9D, 0x1BC9E, prExtend},               // Mn   [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK
+	{0x1BCA0, 0x1BCA3, prControl},              // Cf   [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP
+	{0x1CF00, 0x1CF2D, prExtend},               // Mn  [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT
+	{0x1CF30, 0x1CF46, prExtend},               // Mn  [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG
+	{0x1D165, 0x1D165, prExtend},               // Mc       MUSICAL SYMBOL COMBINING STEM
+	{0x1D166, 0x1D166, prSpacingMark},          // Mc       MUSICAL SYMBOL COMBINING SPRECHGESANG STEM
+	{0x1D167, 0x1D169, prExtend},               // Mn   [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3
+	{0x1D16D, 0x1D16D, prSpacingMark},          // Mc       MUSICAL SYMBOL COMBINING AUGMENTATION DOT
+	{0x1D16E, 0x1D172, prExtend},               // Mc   [5] MUSICAL SYMBOL COMBINING FLAG-1..MUSICAL SYMBOL COMBINING FLAG-5
+	{0x1D173, 0x1D17A, prControl},              // Cf   [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE
+	{0x1D17B, 0x1D182, prExtend},               // Mn   [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE
+	{0x1D185, 0x1D18B, prExtend},               // Mn   [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE
+	{0x1D1AA, 0x1D1AD, prExtend},               // Mn   [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO
+	{0x1D242, 0x1D244, prExtend},               // Mn   [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME
+	{0x1DA00, 0x1DA36, prExtend},               // Mn  [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN
+	{0x1DA3B, 0x1DA6C, prExtend},               // Mn  [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT
+	{0x1DA75, 0x1DA75, prExtend},               // Mn       SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS
+	{0x1DA84, 0x1DA84, prExtend},               // Mn       SIGNWRITING LOCATION HEAD NECK
+	{0x1DA9B, 0x1DA9F, prExtend},               // Mn   [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6
+	{0x1DAA1, 0x1DAAF, prExtend},               // Mn  [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16
+	{0x1E000, 0x1E006, prExtend},               // Mn   [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE
+	{0x1E008, 0x1E018, prExtend},               // Mn  [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU
+	{0x1E01B, 0x1E021, prExtend},               // Mn   [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI
+	{0x1E023, 0x1E024, prExtend},               // Mn   [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS
+	{0x1E026, 0x1E02A, prExtend},               // Mn   [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA
+	{0x1E08F, 0x1E08F, prExtend},               // Mn       COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
+	{0x1E130, 0x1E136, prExtend},               // Mn   [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D
+	{0x1E2AE, 0x1E2AE, prExtend},               // Mn       TOTO SIGN RISING TONE
+	{0x1E2EC, 0x1E2EF, prExtend},               // Mn   [4] WANCHO TONE TUP..WANCHO TONE KOINI
+	{0x1E4EC, 0x1E4EF, prExtend},               // Mn   [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH
+	{0x1E8D0, 0x1E8D6, prExtend},               // Mn   [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS
+	{0x1E944, 0x1E94A, prExtend},               // Mn   [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA
+	{0x1F000, 0x1F003, prExtendedPictographic}, // E0.0   [4] (🀀..🀃)    MAHJONG TILE EAST WIND..MAHJONG TILE NORTH WIND
+	{0x1F004, 0x1F004, prExtendedPictographic}, // E0.6   [1] (🀄)       mahjong red dragon
+	{0x1F005, 0x1F0CE, prExtendedPictographic}, // E0.0 [202] (🀅..🃎)    MAHJONG TILE GREEN DRAGON..PLAYING CARD KING OF DIAMONDS
+	{0x1F0CF, 0x1F0CF, prExtendedPictographic}, // E0.6   [1] (�)       joker
+	{0x1F0D0, 0x1F0FF, prExtendedPictographic}, // E0.0  [48] (�..🃿)    <reserved-1F0D0>..<reserved-1F0FF>
+	{0x1F10D, 0x1F10F, prExtendedPictographic}, // E0.0   [3] (�..�)    CIRCLED ZERO WITH SLASH..CIRCLED DOLLAR SIGN WITH OVERLAID BACKSLASH
+	{0x1F12F, 0x1F12F, prExtendedPictographic}, // E0.0   [1] (🄯)       COPYLEFT SYMBOL
+	{0x1F16C, 0x1F16F, prExtendedPictographic}, // E0.0   [4] (🅬..🅯)    RAISED MR SIGN..CIRCLED HUMAN FIGURE
+	{0x1F170, 0x1F171, prExtendedPictographic}, // E0.6   [2] (🅰�..🅱�)    A button (blood type)..B button (blood type)
+	{0x1F17E, 0x1F17F, prExtendedPictographic}, // E0.6   [2] (🅾�..🅿�)    O button (blood type)..P button
+	{0x1F18E, 0x1F18E, prExtendedPictographic}, // E0.6   [1] (🆎)       AB button (blood type)
+	{0x1F191, 0x1F19A, prExtendedPictographic}, // E0.6  [10] (🆑..🆚)    CL button..VS button
+	{0x1F1AD, 0x1F1E5, prExtendedPictographic}, // E0.0  [57] (🆭..🇥)    MASK WORK SYMBOL..<reserved-1F1E5>
+	{0x1F1E6, 0x1F1FF, prRegionalIndicator},    // So  [26] REGIONAL INDICATOR SYMBOL LETTER A..REGIONAL INDICATOR SYMBOL LETTER Z
+	{0x1F201, 0x1F202, prExtendedPictographic}, // E0.6   [2] (�..🈂�)    Japanese “here� button..Japanese “service charge� button
+	{0x1F203, 0x1F20F, prExtendedPictographic}, // E0.0  [13] (🈃..�)    <reserved-1F203>..<reserved-1F20F>
+	{0x1F21A, 0x1F21A, prExtendedPictographic}, // E0.6   [1] (🈚)       Japanese “free of charge� button
+	{0x1F22F, 0x1F22F, prExtendedPictographic}, // E0.6   [1] (🈯)       Japanese “reserved� button
+	{0x1F232, 0x1F23A, prExtendedPictographic}, // E0.6   [9] (🈲..🈺)    Japanese “prohibited� button..Japanese “open for business� button
+	{0x1F23C, 0x1F23F, prExtendedPictographic}, // E0.0   [4] (🈼..🈿)    <reserved-1F23C>..<reserved-1F23F>
+	{0x1F249, 0x1F24F, prExtendedPictographic}, // E0.0   [7] (🉉..�)    <reserved-1F249>..<reserved-1F24F>
+	{0x1F250, 0x1F251, prExtendedPictographic}, // E0.6   [2] (�..🉑)    Japanese “bargain� button..Japanese “acceptable� button
+	{0x1F252, 0x1F2FF, prExtendedPictographic}, // E0.0 [174] (🉒..🋿)    <reserved-1F252>..<reserved-1F2FF>
+	{0x1F300, 0x1F30C, prExtendedPictographic}, // E0.6  [13] (🌀..🌌)    cyclone..milky way
+	{0x1F30D, 0x1F30E, prExtendedPictographic}, // E0.7   [2] (�..🌎)    globe showing Europe-Africa..globe showing Americas
+	{0x1F30F, 0x1F30F, prExtendedPictographic}, // E0.6   [1] (�)       globe showing Asia-Australia
+	{0x1F310, 0x1F310, prExtendedPictographic}, // E1.0   [1] (�)       globe with meridians
+	{0x1F311, 0x1F311, prExtendedPictographic}, // E0.6   [1] (🌑)       new moon
+	{0x1F312, 0x1F312, prExtendedPictographic}, // E1.0   [1] (🌒)       waxing crescent moon
+	{0x1F313, 0x1F315, prExtendedPictographic}, // E0.6   [3] (🌓..🌕)    first quarter moon..full moon
+	{0x1F316, 0x1F318, prExtendedPictographic}, // E1.0   [3] (🌖..🌘)    waning gibbous moon..waning crescent moon
+	{0x1F319, 0x1F319, prExtendedPictographic}, // E0.6   [1] (🌙)       crescent moon
+	{0x1F31A, 0x1F31A, prExtendedPictographic}, // E1.0   [1] (🌚)       new moon face
+	{0x1F31B, 0x1F31B, prExtendedPictographic}, // E0.6   [1] (🌛)       first quarter moon face
+	{0x1F31C, 0x1F31C, prExtendedPictographic}, // E0.7   [1] (🌜)       last quarter moon face
+	{0x1F31D, 0x1F31E, prExtendedPictographic}, // E1.0   [2] (�..🌞)    full moon face..sun with face
+	{0x1F31F, 0x1F320, prExtendedPictographic}, // E0.6   [2] (🌟..🌠)    glowing star..shooting star
+	{0x1F321, 0x1F321, prExtendedPictographic}, // E0.7   [1] (🌡�)       thermometer
+	{0x1F322, 0x1F323, prExtendedPictographic}, // E0.0   [2] (🌢..🌣)    BLACK DROPLET..WHITE SUN
+	{0x1F324, 0x1F32C, prExtendedPictographic}, // E0.7   [9] (🌤�..🌬�)    sun behind small cloud..wind face
+	{0x1F32D, 0x1F32F, prExtendedPictographic}, // E1.0   [3] (🌭..🌯)    hot dog..burrito
+	{0x1F330, 0x1F331, prExtendedPictographic}, // E0.6   [2] (🌰..🌱)    chestnut..seedling
+	{0x1F332, 0x1F333, prExtendedPictographic}, // E1.0   [2] (🌲..🌳)    evergreen tree..deciduous tree
+	{0x1F334, 0x1F335, prExtendedPictographic}, // E0.6   [2] (🌴..🌵)    palm tree..cactus
+	{0x1F336, 0x1F336, prExtendedPictographic}, // E0.7   [1] (🌶�)       hot pepper
+	{0x1F337, 0x1F34A, prExtendedPictographic}, // E0.6  [20] (🌷..�)    tulip..tangerine
+	{0x1F34B, 0x1F34B, prExtendedPictographic}, // E1.0   [1] (�)       lemon
+	{0x1F34C, 0x1F34F, prExtendedPictographic}, // E0.6   [4] (�..�)    banana..green apple
+	{0x1F350, 0x1F350, prExtendedPictographic}, // E1.0   [1] (�)       pear
+	{0x1F351, 0x1F37B, prExtendedPictographic}, // E0.6  [43] (�..�)    peach..clinking beer mugs
+	{0x1F37C, 0x1F37C, prExtendedPictographic}, // E1.0   [1] (�)       baby bottle
+	{0x1F37D, 0x1F37D, prExtendedPictographic}, // E0.7   [1] (��)       fork and knife with plate
+	{0x1F37E, 0x1F37F, prExtendedPictographic}, // E1.0   [2] (�..�)    bottle with popping cork..popcorn
+	{0x1F380, 0x1F393, prExtendedPictographic}, // E0.6  [20] (🎀..🎓)    ribbon..graduation cap
+	{0x1F394, 0x1F395, prExtendedPictographic}, // E0.0   [2] (🎔..🎕)    HEART WITH TIP ON THE LEFT..BOUQUET OF FLOWERS
+	{0x1F396, 0x1F397, prExtendedPictographic}, // E0.7   [2] (🎖�..🎗�)    military medal..reminder ribbon
+	{0x1F398, 0x1F398, prExtendedPictographic}, // E0.0   [1] (🎘)       MUSICAL KEYBOARD WITH JACKS
+	{0x1F399, 0x1F39B, prExtendedPictographic}, // E0.7   [3] (🎙�..🎛�)    studio microphone..control knobs
+	{0x1F39C, 0x1F39D, prExtendedPictographic}, // E0.0   [2] (🎜..�)    BEAMED ASCENDING MUSICAL NOTES..BEAMED DESCENDING MUSICAL NOTES
+	{0x1F39E, 0x1F39F, prExtendedPictographic}, // E0.7   [2] (🎞�..🎟�)    film frames..admission tickets
+	{0x1F3A0, 0x1F3C4, prExtendedPictographic}, // E0.6  [37] (🎠..�)    carousel horse..person surfing
+	{0x1F3C5, 0x1F3C5, prExtendedPictographic}, // E1.0   [1] (�)       sports medal
+	{0x1F3C6, 0x1F3C6, prExtendedPictographic}, // E0.6   [1] (�)       trophy
+	{0x1F3C7, 0x1F3C7, prExtendedPictographic}, // E1.0   [1] (�)       horse racing
+	{0x1F3C8, 0x1F3C8, prExtendedPictographic}, // E0.6   [1] (�)       american football
+	{0x1F3C9, 0x1F3C9, prExtendedPictographic}, // E1.0   [1] (�)       rugby football
+	{0x1F3CA, 0x1F3CA, prExtendedPictographic}, // E0.6   [1] (�)       person swimming
+	{0x1F3CB, 0x1F3CE, prExtendedPictographic}, // E0.7   [4] (��..��)    person lifting weights..racing car
+	{0x1F3CF, 0x1F3D3, prExtendedPictographic}, // E1.0   [5] (�..�)    cricket game..ping pong
+	{0x1F3D4, 0x1F3DF, prExtendedPictographic}, // E0.7  [12] (��..��)    snow-capped mountain..stadium
+	{0x1F3E0, 0x1F3E3, prExtendedPictographic}, // E0.6   [4] (�..�)    house..Japanese post office
+	{0x1F3E4, 0x1F3E4, prExtendedPictographic}, // E1.0   [1] (�)       post office
+	{0x1F3E5, 0x1F3F0, prExtendedPictographic}, // E0.6  [12] (�..�)    hospital..castle
+	{0x1F3F1, 0x1F3F2, prExtendedPictographic}, // E0.0   [2] (�..�)    WHITE PENNANT..BLACK PENNANT
+	{0x1F3F3, 0x1F3F3, prExtendedPictographic}, // E0.7   [1] (��)       white flag
+	{0x1F3F4, 0x1F3F4, prExtendedPictographic}, // E1.0   [1] (�)       black flag
+	{0x1F3F5, 0x1F3F5, prExtendedPictographic}, // E0.7   [1] (��)       rosette
+	{0x1F3F6, 0x1F3F6, prExtendedPictographic}, // E0.0   [1] (�)       BLACK ROSETTE
+	{0x1F3F7, 0x1F3F7, prExtendedPictographic}, // E0.7   [1] (��)       label
+	{0x1F3F8, 0x1F3FA, prExtendedPictographic}, // E1.0   [3] (�..�)    badminton..amphora
+	{0x1F3FB, 0x1F3FF, prExtend},               // Sk   [5] EMOJI MODIFIER FITZPATRICK TYPE-1-2..EMOJI MODIFIER FITZPATRICK TYPE-6
+	{0x1F400, 0x1F407, prExtendedPictographic}, // E1.0   [8] (�..�)    rat..rabbit
+	{0x1F408, 0x1F408, prExtendedPictographic}, // E0.7   [1] (�)       cat
+	{0x1F409, 0x1F40B, prExtendedPictographic}, // E1.0   [3] (�..�)    dragon..whale
+	{0x1F40C, 0x1F40E, prExtendedPictographic}, // E0.6   [3] (�..�)    snail..horse
+	{0x1F40F, 0x1F410, prExtendedPictographic}, // E1.0   [2] (�..�)    ram..goat
+	{0x1F411, 0x1F412, prExtendedPictographic}, // E0.6   [2] (�..�)    ewe..monkey
+	{0x1F413, 0x1F413, prExtendedPictographic}, // E1.0   [1] (�)       rooster
+	{0x1F414, 0x1F414, prExtendedPictographic}, // E0.6   [1] (�)       chicken
+	{0x1F415, 0x1F415, prExtendedPictographic}, // E0.7   [1] (�)       dog
+	{0x1F416, 0x1F416, prExtendedPictographic}, // E1.0   [1] (�)       pig
+	{0x1F417, 0x1F429, prExtendedPictographic}, // E0.6  [19] (�..�)    boar..poodle
+	{0x1F42A, 0x1F42A, prExtendedPictographic}, // E1.0   [1] (�)       camel
+	{0x1F42B, 0x1F43E, prExtendedPictographic}, // E0.6  [20] (�..�)    two-hump camel..paw prints
+	{0x1F43F, 0x1F43F, prExtendedPictographic}, // E0.7   [1] (��)       chipmunk
+	{0x1F440, 0x1F440, prExtendedPictographic}, // E0.6   [1] (👀)       eyes
+	{0x1F441, 0x1F441, prExtendedPictographic}, // E0.7   [1] (��)       eye
+	{0x1F442, 0x1F464, prExtendedPictographic}, // E0.6  [35] (👂..👤)    ear..bust in silhouette
+	{0x1F465, 0x1F465, prExtendedPictographic}, // E1.0   [1] (👥)       busts in silhouette
+	{0x1F466, 0x1F46B, prExtendedPictographic}, // E0.6   [6] (👦..👫)    boy..woman and man holding hands
+	{0x1F46C, 0x1F46D, prExtendedPictographic}, // E1.0   [2] (👬..👭)    men holding hands..women holding hands
+	{0x1F46E, 0x1F4AC, prExtendedPictographic}, // E0.6  [63] (👮..💬)    police officer..speech balloon
+	{0x1F4AD, 0x1F4AD, prExtendedPictographic}, // E1.0   [1] (💭)       thought balloon
+	{0x1F4AE, 0x1F4B5, prExtendedPictographic}, // E0.6   [8] (💮..💵)    white flower..dollar banknote
+	{0x1F4B6, 0x1F4B7, prExtendedPictographic}, // E1.0   [2] (💶..💷)    euro banknote..pound banknote
+	{0x1F4B8, 0x1F4EB, prExtendedPictographic}, // E0.6  [52] (💸..📫)    money with wings..closed mailbox with raised flag
+	{0x1F4EC, 0x1F4ED, prExtendedPictographic}, // E0.7   [2] (📬..📭)    open mailbox with raised flag..open mailbox with lowered flag
+	{0x1F4EE, 0x1F4EE, prExtendedPictographic}, // E0.6   [1] (📮)       postbox
+	{0x1F4EF, 0x1F4EF, prExtendedPictographic}, // E1.0   [1] (📯)       postal horn
+	{0x1F4F0, 0x1F4F4, prExtendedPictographic}, // E0.6   [5] (📰..📴)    newspaper..mobile phone off
+	{0x1F4F5, 0x1F4F5, prExtendedPictographic}, // E1.0   [1] (📵)       no mobile phones
+	{0x1F4F6, 0x1F4F7, prExtendedPictographic}, // E0.6   [2] (📶..📷)    antenna bars..camera
+	{0x1F4F8, 0x1F4F8, prExtendedPictographic}, // E1.0   [1] (📸)       camera with flash
+	{0x1F4F9, 0x1F4FC, prExtendedPictographic}, // E0.6   [4] (📹..📼)    video camera..videocassette
+	{0x1F4FD, 0x1F4FD, prExtendedPictographic}, // E0.7   [1] (📽�)       film projector
+	{0x1F4FE, 0x1F4FE, prExtendedPictographic}, // E0.0   [1] (📾)       PORTABLE STEREO
+	{0x1F4FF, 0x1F502, prExtendedPictographic}, // E1.0   [4] (📿..🔂)    prayer beads..repeat single button
+	{0x1F503, 0x1F503, prExtendedPictographic}, // E0.6   [1] (🔃)       clockwise vertical arrows
+	{0x1F504, 0x1F507, prExtendedPictographic}, // E1.0   [4] (🔄..🔇)    counterclockwise arrows button..muted speaker
+	{0x1F508, 0x1F508, prExtendedPictographic}, // E0.7   [1] (🔈)       speaker low volume
+	{0x1F509, 0x1F509, prExtendedPictographic}, // E1.0   [1] (🔉)       speaker medium volume
+	{0x1F50A, 0x1F514, prExtendedPictographic}, // E0.6  [11] (🔊..🔔)    speaker high volume..bell
+	{0x1F515, 0x1F515, prExtendedPictographic}, // E1.0   [1] (🔕)       bell with slash
+	{0x1F516, 0x1F52B, prExtendedPictographic}, // E0.6  [22] (🔖..🔫)    bookmark..water pistol
+	{0x1F52C, 0x1F52D, prExtendedPictographic}, // E1.0   [2] (🔬..🔭)    microscope..telescope
+	{0x1F52E, 0x1F53D, prExtendedPictographic}, // E0.6  [16] (🔮..🔽)    crystal ball..downwards button
+	{0x1F546, 0x1F548, prExtendedPictographic}, // E0.0   [3] (🕆..🕈)    WHITE LATIN CROSS..CELTIC CROSS
+	{0x1F549, 0x1F54A, prExtendedPictographic}, // E0.7   [2] (🕉�..🕊�)    om..dove
+	{0x1F54B, 0x1F54E, prExtendedPictographic}, // E1.0   [4] (🕋..🕎)    kaaba..menorah
+	{0x1F54F, 0x1F54F, prExtendedPictographic}, // E0.0   [1] (�)       BOWL OF HYGIEIA
+	{0x1F550, 0x1F55B, prExtendedPictographic}, // E0.6  [12] (�..🕛)    one o’clock..twelve o’clock
+	{0x1F55C, 0x1F567, prExtendedPictographic}, // E0.7  [12] (🕜..🕧)    one-thirty..twelve-thirty
+	{0x1F568, 0x1F56E, prExtendedPictographic}, // E0.0   [7] (🕨..🕮)    RIGHT SPEAKER..BOOK
+	{0x1F56F, 0x1F570, prExtendedPictographic}, // E0.7   [2] (🕯�..🕰�)    candle..mantelpiece clock
+	{0x1F571, 0x1F572, prExtendedPictographic}, // E0.0   [2] (🕱..🕲)    BLACK SKULL AND CROSSBONES..NO PIRACY
+	{0x1F573, 0x1F579, prExtendedPictographic}, // E0.7   [7] (🕳�..🕹�)    hole..joystick
+	{0x1F57A, 0x1F57A, prExtendedPictographic}, // E3.0   [1] (🕺)       man dancing
+	{0x1F57B, 0x1F586, prExtendedPictographic}, // E0.0  [12] (🕻..🖆)    LEFT HAND TELEPHONE RECEIVER..PEN OVER STAMPED ENVELOPE
+	{0x1F587, 0x1F587, prExtendedPictographic}, // E0.7   [1] (🖇�)       linked paperclips
+	{0x1F588, 0x1F589, prExtendedPictographic}, // E0.0   [2] (🖈..🖉)    BLACK PUSHPIN..LOWER LEFT PENCIL
+	{0x1F58A, 0x1F58D, prExtendedPictographic}, // E0.7   [4] (🖊�..��)    pen..crayon
+	{0x1F58E, 0x1F58F, prExtendedPictographic}, // E0.0   [2] (🖎..�)    LEFT WRITING HAND..TURNED OK HAND SIGN
+	{0x1F590, 0x1F590, prExtendedPictographic}, // E0.7   [1] (��)       hand with fingers splayed
+	{0x1F591, 0x1F594, prExtendedPictographic}, // E0.0   [4] (🖑..🖔)    REVERSED RAISED HAND WITH FINGERS SPLAYED..REVERSED VICTORY HAND
+	{0x1F595, 0x1F596, prExtendedPictographic}, // E1.0   [2] (🖕..🖖)    middle finger..vulcan salute
+	{0x1F597, 0x1F5A3, prExtendedPictographic}, // E0.0  [13] (🖗..🖣)    WHITE DOWN POINTING LEFT HAND INDEX..BLACK DOWN POINTING BACKHAND INDEX
+	{0x1F5A4, 0x1F5A4, prExtendedPictographic}, // E3.0   [1] (🖤)       black heart
+	{0x1F5A5, 0x1F5A5, prExtendedPictographic}, // E0.7   [1] (🖥�)       desktop computer
+	{0x1F5A6, 0x1F5A7, prExtendedPictographic}, // E0.0   [2] (🖦..🖧)    KEYBOARD AND MOUSE..THREE NETWORKED COMPUTERS
+	{0x1F5A8, 0x1F5A8, prExtendedPictographic}, // E0.7   [1] (🖨�)       printer
+	{0x1F5A9, 0x1F5B0, prExtendedPictographic}, // E0.0   [8] (🖩..🖰)    POCKET CALCULATOR..TWO BUTTON MOUSE
+	{0x1F5B1, 0x1F5B2, prExtendedPictographic}, // E0.7   [2] (🖱�..🖲�)    computer mouse..trackball
+	{0x1F5B3, 0x1F5BB, prExtendedPictographic}, // E0.0   [9] (🖳..🖻)    OLD PERSONAL COMPUTER..DOCUMENT WITH PICTURE
+	{0x1F5BC, 0x1F5BC, prExtendedPictographic}, // E0.7   [1] (🖼�)       framed picture
+	{0x1F5BD, 0x1F5C1, prExtendedPictographic}, // E0.0   [5] (🖽..�)    FRAME WITH TILES..OPEN FOLDER
+	{0x1F5C2, 0x1F5C4, prExtendedPictographic}, // E0.7   [3] (🗂�..🗄�)    card index dividers..file cabinet
+	{0x1F5C5, 0x1F5D0, prExtendedPictographic}, // E0.0  [12] (🗅..�)    EMPTY NOTE..PAGES
+	{0x1F5D1, 0x1F5D3, prExtendedPictographic}, // E0.7   [3] (🗑�..🗓�)    wastebasket..spiral calendar
+	{0x1F5D4, 0x1F5DB, prExtendedPictographic}, // E0.0   [8] (🗔..🗛)    DESKTOP WINDOW..DECREASE FONT SIZE SYMBOL
+	{0x1F5DC, 0x1F5DE, prExtendedPictographic}, // E0.7   [3] (🗜�..🗞�)    clamp..rolled-up newspaper
+	{0x1F5DF, 0x1F5E0, prExtendedPictographic}, // E0.0   [2] (🗟..🗠)    PAGE WITH CIRCLED TEXT..STOCK CHART
+	{0x1F5E1, 0x1F5E1, prExtendedPictographic}, // E0.7   [1] (🗡�)       dagger
+	{0x1F5E2, 0x1F5E2, prExtendedPictographic}, // E0.0   [1] (🗢)       LIPS
+	{0x1F5E3, 0x1F5E3, prExtendedPictographic}, // E0.7   [1] (🗣�)       speaking head
+	{0x1F5E4, 0x1F5E7, prExtendedPictographic}, // E0.0   [4] (🗤..🗧)    THREE RAYS ABOVE..THREE RAYS RIGHT
+	{0x1F5E8, 0x1F5E8, prExtendedPictographic}, // E2.0   [1] (🗨�)       left speech bubble
+	{0x1F5E9, 0x1F5EE, prExtendedPictographic}, // E0.0   [6] (🗩..🗮)    RIGHT SPEECH BUBBLE..LEFT ANGER BUBBLE
+	{0x1F5EF, 0x1F5EF, prExtendedPictographic}, // E0.7   [1] (🗯�)       right anger bubble
+	{0x1F5F0, 0x1F5F2, prExtendedPictographic}, // E0.0   [3] (🗰..🗲)    MOOD BUBBLE..LIGHTNING MOOD
+	{0x1F5F3, 0x1F5F3, prExtendedPictographic}, // E0.7   [1] (🗳�)       ballot box with ballot
+	{0x1F5F4, 0x1F5F9, prExtendedPictographic}, // E0.0   [6] (🗴..🗹)    BALLOT SCRIPT X..BALLOT BOX WITH BOLD CHECK
+	{0x1F5FA, 0x1F5FA, prExtendedPictographic}, // E0.7   [1] (🗺�)       world map
+	{0x1F5FB, 0x1F5FF, prExtendedPictographic}, // E0.6   [5] (🗻..🗿)    mount fuji..moai
+	{0x1F600, 0x1F600, prExtendedPictographic}, // E1.0   [1] (😀)       grinning face
+	{0x1F601, 0x1F606, prExtendedPictographic}, // E0.6   [6] (�..😆)    beaming face with smiling eyes..grinning squinting face
+	{0x1F607, 0x1F608, prExtendedPictographic}, // E1.0   [2] (😇..😈)    smiling face with halo..smiling face with horns
+	{0x1F609, 0x1F60D, prExtendedPictographic}, // E0.6   [5] (😉..�)    winking face..smiling face with heart-eyes
+	{0x1F60E, 0x1F60E, prExtendedPictographic}, // E1.0   [1] (😎)       smiling face with sunglasses
+	{0x1F60F, 0x1F60F, prExtendedPictographic}, // E0.6   [1] (�)       smirking face
+	{0x1F610, 0x1F610, prExtendedPictographic}, // E0.7   [1] (�)       neutral face
+	{0x1F611, 0x1F611, prExtendedPictographic}, // E1.0   [1] (😑)       expressionless face
+	{0x1F612, 0x1F614, prExtendedPictographic}, // E0.6   [3] (😒..😔)    unamused face..pensive face
+	{0x1F615, 0x1F615, prExtendedPictographic}, // E1.0   [1] (😕)       confused face
+	{0x1F616, 0x1F616, prExtendedPictographic}, // E0.6   [1] (😖)       confounded face
+	{0x1F617, 0x1F617, prExtendedPictographic}, // E1.0   [1] (😗)       kissing face
+	{0x1F618, 0x1F618, prExtendedPictographic}, // E0.6   [1] (😘)       face blowing a kiss
+	{0x1F619, 0x1F619, prExtendedPictographic}, // E1.0   [1] (😙)       kissing face with smiling eyes
+	{0x1F61A, 0x1F61A, prExtendedPictographic}, // E0.6   [1] (😚)       kissing face with closed eyes
+	{0x1F61B, 0x1F61B, prExtendedPictographic}, // E1.0   [1] (😛)       face with tongue
+	{0x1F61C, 0x1F61E, prExtendedPictographic}, // E0.6   [3] (😜..😞)    winking face with tongue..disappointed face
+	{0x1F61F, 0x1F61F, prExtendedPictographic}, // E1.0   [1] (😟)       worried face
+	{0x1F620, 0x1F625, prExtendedPictographic}, // E0.6   [6] (😠..😥)    angry face..sad but relieved face
+	{0x1F626, 0x1F627, prExtendedPictographic}, // E1.0   [2] (😦..😧)    frowning face with open mouth..anguished face
+	{0x1F628, 0x1F62B, prExtendedPictographic}, // E0.6   [4] (😨..😫)    fearful face..tired face
+	{0x1F62C, 0x1F62C, prExtendedPictographic}, // E1.0   [1] (😬)       grimacing face
+	{0x1F62D, 0x1F62D, prExtendedPictographic}, // E0.6   [1] (😭)       loudly crying face
+	{0x1F62E, 0x1F62F, prExtendedPictographic}, // E1.0   [2] (😮..😯)    face with open mouth..hushed face
+	{0x1F630, 0x1F633, prExtendedPictographic}, // E0.6   [4] (😰..😳)    anxious face with sweat..flushed face
+	{0x1F634, 0x1F634, prExtendedPictographic}, // E1.0   [1] (😴)       sleeping face
+	{0x1F635, 0x1F635, prExtendedPictographic}, // E0.6   [1] (😵)       face with crossed-out eyes
+	{0x1F636, 0x1F636, prExtendedPictographic}, // E1.0   [1] (😶)       face without mouth
+	{0x1F637, 0x1F640, prExtendedPictographic}, // E0.6  [10] (😷..🙀)    face with medical mask..weary cat
+	{0x1F641, 0x1F644, prExtendedPictographic}, // E1.0   [4] (�..🙄)    slightly frowning face..face with rolling eyes
+	{0x1F645, 0x1F64F, prExtendedPictographic}, // E0.6  [11] (🙅..�)    person gesturing NO..folded hands
+	{0x1F680, 0x1F680, prExtendedPictographic}, // E0.6   [1] (🚀)       rocket
+	{0x1F681, 0x1F682, prExtendedPictographic}, // E1.0   [2] (�..🚂)    helicopter..locomotive
+	{0x1F683, 0x1F685, prExtendedPictographic}, // E0.6   [3] (🚃..🚅)    railway car..bullet train
+	{0x1F686, 0x1F686, prExtendedPictographic}, // E1.0   [1] (🚆)       train
+	{0x1F687, 0x1F687, prExtendedPictographic}, // E0.6   [1] (🚇)       metro
+	{0x1F688, 0x1F688, prExtendedPictographic}, // E1.0   [1] (🚈)       light rail
+	{0x1F689, 0x1F689, prExtendedPictographic}, // E0.6   [1] (🚉)       station
+	{0x1F68A, 0x1F68B, prExtendedPictographic}, // E1.0   [2] (🚊..🚋)    tram..tram car
+	{0x1F68C, 0x1F68C, prExtendedPictographic}, // E0.6   [1] (🚌)       bus
+	{0x1F68D, 0x1F68D, prExtendedPictographic}, // E0.7   [1] (�)       oncoming bus
+	{0x1F68E, 0x1F68E, prExtendedPictographic}, // E1.0   [1] (🚎)       trolleybus
+	{0x1F68F, 0x1F68F, prExtendedPictographic}, // E0.6   [1] (�)       bus stop
+	{0x1F690, 0x1F690, prExtendedPictographic}, // E1.0   [1] (�)       minibus
+	{0x1F691, 0x1F693, prExtendedPictographic}, // E0.6   [3] (🚑..🚓)    ambulance..police car
+	{0x1F694, 0x1F694, prExtendedPictographic}, // E0.7   [1] (🚔)       oncoming police car
+	{0x1F695, 0x1F695, prExtendedPictographic}, // E0.6   [1] (🚕)       taxi
+	{0x1F696, 0x1F696, prExtendedPictographic}, // E1.0   [1] (🚖)       oncoming taxi
+	{0x1F697, 0x1F697, prExtendedPictographic}, // E0.6   [1] (🚗)       automobile
+	{0x1F698, 0x1F698, prExtendedPictographic}, // E0.7   [1] (🚘)       oncoming automobile
+	{0x1F699, 0x1F69A, prExtendedPictographic}, // E0.6   [2] (🚙..🚚)    sport utility vehicle..delivery truck
+	{0x1F69B, 0x1F6A1, prExtendedPictographic}, // E1.0   [7] (🚛..🚡)    articulated lorry..aerial tramway
+	{0x1F6A2, 0x1F6A2, prExtendedPictographic}, // E0.6   [1] (🚢)       ship
+	{0x1F6A3, 0x1F6A3, prExtendedPictographic}, // E1.0   [1] (🚣)       person rowing boat
+	{0x1F6A4, 0x1F6A5, prExtendedPictographic}, // E0.6   [2] (🚤..🚥)    speedboat..horizontal traffic light
+	{0x1F6A6, 0x1F6A6, prExtendedPictographic}, // E1.0   [1] (🚦)       vertical traffic light
+	{0x1F6A7, 0x1F6AD, prExtendedPictographic}, // E0.6   [7] (🚧..🚭)    construction..no smoking
+	{0x1F6AE, 0x1F6B1, prExtendedPictographic}, // E1.0   [4] (🚮..🚱)    litter in bin sign..non-potable water
+	{0x1F6B2, 0x1F6B2, prExtendedPictographic}, // E0.6   [1] (🚲)       bicycle
+	{0x1F6B3, 0x1F6B5, prExtendedPictographic}, // E1.0   [3] (🚳..🚵)    no bicycles..person mountain biking
+	{0x1F6B6, 0x1F6B6, prExtendedPictographic}, // E0.6   [1] (🚶)       person walking
+	{0x1F6B7, 0x1F6B8, prExtendedPictographic}, // E1.0   [2] (🚷..🚸)    no pedestrians..children crossing
+	{0x1F6B9, 0x1F6BE, prExtendedPictographic}, // E0.6   [6] (🚹..🚾)    men’s room..water closet
+	{0x1F6BF, 0x1F6BF, prExtendedPictographic}, // E1.0   [1] (🚿)       shower
+	{0x1F6C0, 0x1F6C0, prExtendedPictographic}, // E0.6   [1] (🛀)       person taking bath
+	{0x1F6C1, 0x1F6C5, prExtendedPictographic}, // E1.0   [5] (�..🛅)    bathtub..left luggage
+	{0x1F6C6, 0x1F6CA, prExtendedPictographic}, // E0.0   [5] (🛆..🛊)    TRIANGLE WITH ROUNDED CORNERS..GIRLS SYMBOL
+	{0x1F6CB, 0x1F6CB, prExtendedPictographic}, // E0.7   [1] (🛋�)       couch and lamp
+	{0x1F6CC, 0x1F6CC, prExtendedPictographic}, // E1.0   [1] (🛌)       person in bed
+	{0x1F6CD, 0x1F6CF, prExtendedPictographic}, // E0.7   [3] (��..��)    shopping bags..bed
+	{0x1F6D0, 0x1F6D0, prExtendedPictographic}, // E1.0   [1] (�)       place of worship
+	{0x1F6D1, 0x1F6D2, prExtendedPictographic}, // E3.0   [2] (🛑..🛒)    stop sign..shopping cart
+	{0x1F6D3, 0x1F6D4, prExtendedPictographic}, // E0.0   [2] (🛓..🛔)    STUPA..PAGODA
+	{0x1F6D5, 0x1F6D5, prExtendedPictographic}, // E12.0  [1] (🛕)       hindu temple
+	{0x1F6D6, 0x1F6D7, prExtendedPictographic}, // E13.0  [2] (🛖..🛗)    hut..elevator
+	{0x1F6D8, 0x1F6DB, prExtendedPictographic}, // E0.0   [4] (🛘..🛛)    <reserved-1F6D8>..<reserved-1F6DB>
+	{0x1F6DC, 0x1F6DC, prExtendedPictographic}, // E15.0  [1] (🛜)       wireless
+	{0x1F6DD, 0x1F6DF, prExtendedPictographic}, // E14.0  [3] (�..🛟)    playground slide..ring buoy
+	{0x1F6E0, 0x1F6E5, prExtendedPictographic}, // E0.7   [6] (🛠�..🛥�)    hammer and wrench..motor boat
+	{0x1F6E6, 0x1F6E8, prExtendedPictographic}, // E0.0   [3] (🛦..🛨)    UP-POINTING MILITARY AIRPLANE..UP-POINTING SMALL AIRPLANE
+	{0x1F6E9, 0x1F6E9, prExtendedPictographic}, // E0.7   [1] (🛩�)       small airplane
+	{0x1F6EA, 0x1F6EA, prExtendedPictographic}, // E0.0   [1] (🛪)       NORTHEAST-POINTING AIRPLANE
+	{0x1F6EB, 0x1F6EC, prExtendedPictographic}, // E1.0   [2] (🛫..🛬)    airplane departure..airplane arrival
+	{0x1F6ED, 0x1F6EF, prExtendedPictographic}, // E0.0   [3] (🛭..🛯)    <reserved-1F6ED>..<reserved-1F6EF>
+	{0x1F6F0, 0x1F6F0, prExtendedPictographic}, // E0.7   [1] (🛰�)       satellite
+	{0x1F6F1, 0x1F6F2, prExtendedPictographic}, // E0.0   [2] (🛱..🛲)    ONCOMING FIRE ENGINE..DIESEL LOCOMOTIVE
+	{0x1F6F3, 0x1F6F3, prExtendedPictographic}, // E0.7   [1] (🛳�)       passenger ship
+	{0x1F6F4, 0x1F6F6, prExtendedPictographic}, // E3.0   [3] (🛴..🛶)    kick scooter..canoe
+	{0x1F6F7, 0x1F6F8, prExtendedPictographic}, // E5.0   [2] (🛷..🛸)    sled..flying saucer
+	{0x1F6F9, 0x1F6F9, prExtendedPictographic}, // E11.0  [1] (🛹)       skateboard
+	{0x1F6FA, 0x1F6FA, prExtendedPictographic}, // E12.0  [1] (🛺)       auto rickshaw
+	{0x1F6FB, 0x1F6FC, prExtendedPictographic}, // E13.0  [2] (🛻..🛼)    pickup truck..roller skate
+	{0x1F6FD, 0x1F6FF, prExtendedPictographic}, // E0.0   [3] (🛽..🛿)    <reserved-1F6FD>..<reserved-1F6FF>
+	{0x1F774, 0x1F77F, prExtendedPictographic}, // E0.0  [12] (�..�)    LOT OF FORTUNE..ORCUS
+	{0x1F7D5, 0x1F7DF, prExtendedPictographic}, // E0.0  [11] (🟕..🟟)    CIRCLED TRIANGLE..<reserved-1F7DF>
+	{0x1F7E0, 0x1F7EB, prExtendedPictographic}, // E12.0 [12] (🟠..🟫)    orange circle..brown square
+	{0x1F7EC, 0x1F7EF, prExtendedPictographic}, // E0.0   [4] (🟬..🟯)    <reserved-1F7EC>..<reserved-1F7EF>
+	{0x1F7F0, 0x1F7F0, prExtendedPictographic}, // E14.0  [1] (🟰)       heavy equals sign
+	{0x1F7F1, 0x1F7FF, prExtendedPictographic}, // E0.0  [15] (🟱..🟿)    <reserved-1F7F1>..<reserved-1F7FF>
+	{0x1F80C, 0x1F80F, prExtendedPictographic}, // E0.0   [4] (🠌..�)    <reserved-1F80C>..<reserved-1F80F>
+	{0x1F848, 0x1F84F, prExtendedPictographic}, // E0.0   [8] (🡈..�)    <reserved-1F848>..<reserved-1F84F>
+	{0x1F85A, 0x1F85F, prExtendedPictographic}, // E0.0   [6] (🡚..🡟)    <reserved-1F85A>..<reserved-1F85F>
+	{0x1F888, 0x1F88F, prExtendedPictographic}, // E0.0   [8] (🢈..�)    <reserved-1F888>..<reserved-1F88F>
+	{0x1F8AE, 0x1F8FF, prExtendedPictographic}, // E0.0  [82] (🢮..🣿)    <reserved-1F8AE>..<reserved-1F8FF>
+	{0x1F90C, 0x1F90C, prExtendedPictographic}, // E13.0  [1] (🤌)       pinched fingers
+	{0x1F90D, 0x1F90F, prExtendedPictographic}, // E12.0  [3] (�..�)    white heart..pinching hand
+	{0x1F910, 0x1F918, prExtendedPictographic}, // E1.0   [9] (�..🤘)    zipper-mouth face..sign of the horns
+	{0x1F919, 0x1F91E, prExtendedPictographic}, // E3.0   [6] (🤙..🤞)    call me hand..crossed fingers
+	{0x1F91F, 0x1F91F, prExtendedPictographic}, // E5.0   [1] (🤟)       love-you gesture
+	{0x1F920, 0x1F927, prExtendedPictographic}, // E3.0   [8] (🤠..🤧)    cowboy hat face..sneezing face
+	{0x1F928, 0x1F92F, prExtendedPictographic}, // E5.0   [8] (🤨..🤯)    face with raised eyebrow..exploding head
+	{0x1F930, 0x1F930, prExtendedPictographic}, // E3.0   [1] (🤰)       pregnant woman
+	{0x1F931, 0x1F932, prExtendedPictographic}, // E5.0   [2] (🤱..🤲)    breast-feeding..palms up together
+	{0x1F933, 0x1F93A, prExtendedPictographic}, // E3.0   [8] (🤳..🤺)    selfie..person fencing
+	{0x1F93C, 0x1F93E, prExtendedPictographic}, // E3.0   [3] (🤼..🤾)    people wrestling..person playing handball
+	{0x1F93F, 0x1F93F, prExtendedPictographic}, // E12.0  [1] (🤿)       diving mask
+	{0x1F940, 0x1F945, prExtendedPictographic}, // E3.0   [6] (🥀..🥅)    wilted flower..goal net
+	{0x1F947, 0x1F94B, prExtendedPictographic}, // E3.0   [5] (🥇..🥋)    1st place medal..martial arts uniform
+	{0x1F94C, 0x1F94C, prExtendedPictographic}, // E5.0   [1] (🥌)       curling stone
+	{0x1F94D, 0x1F94F, prExtendedPictographic}, // E11.0  [3] (�..�)    lacrosse..flying disc
+	{0x1F950, 0x1F95E, prExtendedPictographic}, // E3.0  [15] (�..🥞)    croissant..pancakes
+	{0x1F95F, 0x1F96B, prExtendedPictographic}, // E5.0  [13] (🥟..🥫)    dumpling..canned food
+	{0x1F96C, 0x1F970, prExtendedPictographic}, // E11.0  [5] (🥬..🥰)    leafy green..smiling face with hearts
+	{0x1F971, 0x1F971, prExtendedPictographic}, // E12.0  [1] (🥱)       yawning face
+	{0x1F972, 0x1F972, prExtendedPictographic}, // E13.0  [1] (🥲)       smiling face with tear
+	{0x1F973, 0x1F976, prExtendedPictographic}, // E11.0  [4] (🥳..🥶)    partying face..cold face
+	{0x1F977, 0x1F978, prExtendedPictographic}, // E13.0  [2] (🥷..🥸)    ninja..disguised face
+	{0x1F979, 0x1F979, prExtendedPictographic}, // E14.0  [1] (🥹)       face holding back tears
+	{0x1F97A, 0x1F97A, prExtendedPictographic}, // E11.0  [1] (🥺)       pleading face
+	{0x1F97B, 0x1F97B, prExtendedPictographic}, // E12.0  [1] (🥻)       sari
+	{0x1F97C, 0x1F97F, prExtendedPictographic}, // E11.0  [4] (🥼..🥿)    lab coat..flat shoe
+	{0x1F980, 0x1F984, prExtendedPictographic}, // E1.0   [5] (🦀..🦄)    crab..unicorn
+	{0x1F985, 0x1F991, prExtendedPictographic}, // E3.0  [13] (🦅..🦑)    eagle..squid
+	{0x1F992, 0x1F997, prExtendedPictographic}, // E5.0   [6] (🦒..🦗)    giraffe..cricket
+	{0x1F998, 0x1F9A2, prExtendedPictographic}, // E11.0 [11] (🦘..🦢)    kangaroo..swan
+	{0x1F9A3, 0x1F9A4, prExtendedPictographic}, // E13.0  [2] (🦣..🦤)    mammoth..dodo
+	{0x1F9A5, 0x1F9AA, prExtendedPictographic}, // E12.0  [6] (🦥..🦪)    sloth..oyster
+	{0x1F9AB, 0x1F9AD, prExtendedPictographic}, // E13.0  [3] (🦫..🦭)    beaver..seal
+	{0x1F9AE, 0x1F9AF, prExtendedPictographic}, // E12.0  [2] (🦮..🦯)    guide dog..white cane
+	{0x1F9B0, 0x1F9B9, prExtendedPictographic}, // E11.0 [10] (🦰..🦹)    red hair..supervillain
+	{0x1F9BA, 0x1F9BF, prExtendedPictographic}, // E12.0  [6] (🦺..🦿)    safety vest..mechanical leg
+	{0x1F9C0, 0x1F9C0, prExtendedPictographic}, // E1.0   [1] (🧀)       cheese wedge
+	{0x1F9C1, 0x1F9C2, prExtendedPictographic}, // E11.0  [2] (�..🧂)    cupcake..salt
+	{0x1F9C3, 0x1F9CA, prExtendedPictographic}, // E12.0  [8] (🧃..🧊)    beverage box..ice
+	{0x1F9CB, 0x1F9CB, prExtendedPictographic}, // E13.0  [1] (🧋)       bubble tea
+	{0x1F9CC, 0x1F9CC, prExtendedPictographic}, // E14.0  [1] (🧌)       troll
+	{0x1F9CD, 0x1F9CF, prExtendedPictographic}, // E12.0  [3] (�..�)    person standing..deaf person
+	{0x1F9D0, 0x1F9E6, prExtendedPictographic}, // E5.0  [23] (�..🧦)    face with monocle..socks
+	{0x1F9E7, 0x1F9FF, prExtendedPictographic}, // E11.0 [25] (🧧..🧿)    red envelope..nazar amulet
+	{0x1FA00, 0x1FA6F, prExtendedPictographic}, // E0.0 [112] (🨀..🩯)    NEUTRAL CHESS KING..<reserved-1FA6F>
+	{0x1FA70, 0x1FA73, prExtendedPictographic}, // E12.0  [4] (🩰..🩳)    ballet shoes..shorts
+	{0x1FA74, 0x1FA74, prExtendedPictographic}, // E13.0  [1] (🩴)       thong sandal
+	{0x1FA75, 0x1FA77, prExtendedPictographic}, // E15.0  [3] (🩵..🩷)    light blue heart..pink heart
+	{0x1FA78, 0x1FA7A, prExtendedPictographic}, // E12.0  [3] (🩸..🩺)    drop of blood..stethoscope
+	{0x1FA7B, 0x1FA7C, prExtendedPictographic}, // E14.0  [2] (🩻..🩼)    x-ray..crutch
+	{0x1FA7D, 0x1FA7F, prExtendedPictographic}, // E0.0   [3] (🩽..🩿)    <reserved-1FA7D>..<reserved-1FA7F>
+	{0x1FA80, 0x1FA82, prExtendedPictographic}, // E12.0  [3] (🪀..🪂)    yo-yo..parachute
+	{0x1FA83, 0x1FA86, prExtendedPictographic}, // E13.0  [4] (🪃..🪆)    boomerang..nesting dolls
+	{0x1FA87, 0x1FA88, prExtendedPictographic}, // E15.0  [2] (🪇..🪈)    maracas..flute
+	{0x1FA89, 0x1FA8F, prExtendedPictographic}, // E0.0   [7] (🪉..�)    <reserved-1FA89>..<reserved-1FA8F>
+	{0x1FA90, 0x1FA95, prExtendedPictographic}, // E12.0  [6] (�..🪕)    ringed planet..banjo
+	{0x1FA96, 0x1FAA8, prExtendedPictographic}, // E13.0 [19] (🪖..🪨)    military helmet..rock
+	{0x1FAA9, 0x1FAAC, prExtendedPictographic}, // E14.0  [4] (🪩..🪬)    mirror ball..hamsa
+	{0x1FAAD, 0x1FAAF, prExtendedPictographic}, // E15.0  [3] (🪭..🪯)    folding hand fan..khanda
+	{0x1FAB0, 0x1FAB6, prExtendedPictographic}, // E13.0  [7] (🪰..🪶)    fly..feather
+	{0x1FAB7, 0x1FABA, prExtendedPictographic}, // E14.0  [4] (🪷..🪺)    lotus..nest with eggs
+	{0x1FABB, 0x1FABD, prExtendedPictographic}, // E15.0  [3] (🪻..🪽)    hyacinth..wing
+	{0x1FABE, 0x1FABE, prExtendedPictographic}, // E0.0   [1] (🪾)       <reserved-1FABE>
+	{0x1FABF, 0x1FABF, prExtendedPictographic}, // E15.0  [1] (🪿)       goose
+	{0x1FAC0, 0x1FAC2, prExtendedPictographic}, // E13.0  [3] (🫀..🫂)    anatomical heart..people hugging
+	{0x1FAC3, 0x1FAC5, prExtendedPictographic}, // E14.0  [3] (🫃..🫅)    pregnant man..person with crown
+	{0x1FAC6, 0x1FACD, prExtendedPictographic}, // E0.0   [8] (🫆..�)    <reserved-1FAC6>..<reserved-1FACD>
+	{0x1FACE, 0x1FACF, prExtendedPictographic}, // E15.0  [2] (🫎..�)    moose..donkey
+	{0x1FAD0, 0x1FAD6, prExtendedPictographic}, // E13.0  [7] (�..🫖)    blueberries..teapot
+	{0x1FAD7, 0x1FAD9, prExtendedPictographic}, // E14.0  [3] (🫗..🫙)    pouring liquid..jar
+	{0x1FADA, 0x1FADB, prExtendedPictographic}, // E15.0  [2] (🫚..🫛)    ginger root..pea pod
+	{0x1FADC, 0x1FADF, prExtendedPictographic}, // E0.0   [4] (🫜..🫟)    <reserved-1FADC>..<reserved-1FADF>
+	{0x1FAE0, 0x1FAE7, prExtendedPictographic}, // E14.0  [8] (🫠..🫧)    melting face..bubbles
+	{0x1FAE8, 0x1FAE8, prExtendedPictographic}, // E15.0  [1] (🫨)       shaking face
+	{0x1FAE9, 0x1FAEF, prExtendedPictographic}, // E0.0   [7] (🫩..🫯)    <reserved-1FAE9>..<reserved-1FAEF>
+	{0x1FAF0, 0x1FAF6, prExtendedPictographic}, // E14.0  [7] (🫰..🫶)    hand with index finger and thumb crossed..heart hands
+	{0x1FAF7, 0x1FAF8, prExtendedPictographic}, // E15.0  [2] (🫷..🫸)    leftwards pushing hand..rightwards pushing hand
+	{0x1FAF9, 0x1FAFF, prExtendedPictographic}, // E0.0   [7] (🫹..🫿)    <reserved-1FAF9>..<reserved-1FAFF>
+	{0x1FC00, 0x1FFFD, prExtendedPictographic}, // E0.0[1022] (🰀..🿽)    <reserved-1FC00>..<reserved-1FFFD>
+	{0xE0000, 0xE0000, prControl},              // Cn       <reserved-E0000>
+	{0xE0001, 0xE0001, prControl},              // Cf       LANGUAGE TAG
+	{0xE0002, 0xE001F, prControl},              // Cn  [30] <reserved-E0002>..<reserved-E001F>
+	{0xE0020, 0xE007F, prExtend},               // Cf  [96] TAG SPACE..CANCEL TAG
+	{0xE0080, 0xE00FF, prControl},              // Cn [128] <reserved-E0080>..<reserved-E00FF>
+	{0xE0100, 0xE01EF, prExtend},               // Mn [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256
+	{0xE01F0, 0xE0FFF, prControl},              // Cn [3600] <reserved-E01F0>..<reserved-E0FFF>
+}
diff --git a/vendor/github.com/rivo/uniseg/graphemerules.go b/vendor/github.com/rivo/uniseg/graphemerules.go
new file mode 100644
index 0000000000..5d399d29c8
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/graphemerules.go
@@ -0,0 +1,176 @@
+package uniseg
+
+// The states of the grapheme cluster parser.
+const (
+	grAny = iota
+	grCR
+	grControlLF
+	grL
+	grLVV
+	grLVTT
+	grPrepend
+	grExtendedPictographic
+	grExtendedPictographicZWJ
+	grRIOdd
+	grRIEven
+)
+
+// The grapheme cluster parser's breaking instructions.
+const (
+	grNoBoundary = iota
+	grBoundary
+)
+
+// grTransitions implements the grapheme cluster parser's state transitions.
+// Maps state and property to a new state, a breaking instruction, and rule
+// number. The breaking instruction always refers to the boundary between the
+// last and next code point. Returns negative values if no transition is found.
+//
+// This function is used as follows:
+//
+//  1. Find specific state + specific property. Stop if found.
+//  2. Find specific state + any property.
+//  3. Find any state + specific property.
+//  4. If only (2) or (3) (but not both) was found, stop.
+//  5. If both (2) and (3) were found, use state from (3) and breaking instruction
+//     from the transition with the lower rule number, prefer (3) if rule numbers
+//     are equal. Stop.
+//  6. Assume grAny and grBoundary.
+//
+// Unicode version 15.0.0.
+func grTransitions(state, prop int) (newState int, newProp int, boundary int) {
+	// It turns out that using a big switch statement is much faster than using
+	// a map.
+
+	switch uint64(state) | uint64(prop)<<32 {
+	// GB5
+	case grAny | prCR<<32:
+		return grCR, grBoundary, 50
+	case grAny | prLF<<32:
+		return grControlLF, grBoundary, 50
+	case grAny | prControl<<32:
+		return grControlLF, grBoundary, 50
+
+	// GB4
+	case grCR | prAny<<32:
+		return grAny, grBoundary, 40
+	case grControlLF | prAny<<32:
+		return grAny, grBoundary, 40
+
+	// GB3
+	case grCR | prLF<<32:
+		return grControlLF, grNoBoundary, 30
+
+	// GB6
+	case grAny | prL<<32:
+		return grL, grBoundary, 9990
+	case grL | prL<<32:
+		return grL, grNoBoundary, 60
+	case grL | prV<<32:
+		return grLVV, grNoBoundary, 60
+	case grL | prLV<<32:
+		return grLVV, grNoBoundary, 60
+	case grL | prLVT<<32:
+		return grLVTT, grNoBoundary, 60
+
+	// GB7
+	case grAny | prLV<<32:
+		return grLVV, grBoundary, 9990
+	case grAny | prV<<32:
+		return grLVV, grBoundary, 9990
+	case grLVV | prV<<32:
+		return grLVV, grNoBoundary, 70
+	case grLVV | prT<<32:
+		return grLVTT, grNoBoundary, 70
+
+	// GB8
+	case grAny | prLVT<<32:
+		return grLVTT, grBoundary, 9990
+	case grAny | prT<<32:
+		return grLVTT, grBoundary, 9990
+	case grLVTT | prT<<32:
+		return grLVTT, grNoBoundary, 80
+
+	// GB9
+	case grAny | prExtend<<32:
+		return grAny, grNoBoundary, 90
+	case grAny | prZWJ<<32:
+		return grAny, grNoBoundary, 90
+
+	// GB9a
+	case grAny | prSpacingMark<<32:
+		return grAny, grNoBoundary, 91
+
+	// GB9b
+	case grAny | prPrepend<<32:
+		return grPrepend, grBoundary, 9990
+	case grPrepend | prAny<<32:
+		return grAny, grNoBoundary, 92
+
+	// GB11
+	case grAny | prExtendedPictographic<<32:
+		return grExtendedPictographic, grBoundary, 9990
+	case grExtendedPictographic | prExtend<<32:
+		return grExtendedPictographic, grNoBoundary, 110
+	case grExtendedPictographic | prZWJ<<32:
+		return grExtendedPictographicZWJ, grNoBoundary, 110
+	case grExtendedPictographicZWJ | prExtendedPictographic<<32:
+		return grExtendedPictographic, grNoBoundary, 110
+
+	// GB12 / GB13
+	case grAny | prRegionalIndicator<<32:
+		return grRIOdd, grBoundary, 9990
+	case grRIOdd | prRegionalIndicator<<32:
+		return grRIEven, grNoBoundary, 120
+	case grRIEven | prRegionalIndicator<<32:
+		return grRIOdd, grBoundary, 120
+	default:
+		return -1, -1, -1
+	}
+}
+
+// transitionGraphemeState determines the new state of the grapheme cluster
+// parser given the current state and the next code point. It also returns the
+// code point's grapheme property (the value mapped by the [graphemeCodePoints]
+// table) and whether a cluster boundary was detected.
+func transitionGraphemeState(state int, r rune) (newState, prop int, boundary bool) {
+	// Determine the property of the next character.
+	prop = propertyGraphemes(r)
+
+	// Find the applicable transition.
+	nextState, nextProp, _ := grTransitions(state, prop)
+	if nextState >= 0 {
+		// We have a specific transition. We'll use it.
+		return nextState, prop, nextProp == grBoundary
+	}
+
+	// No specific transition found. Try the less specific ones.
+	anyPropState, anyPropProp, anyPropRule := grTransitions(state, prAny)
+	anyStateState, anyStateProp, anyStateRule := grTransitions(grAny, prop)
+	if anyPropState >= 0 && anyStateState >= 0 {
+		// Both apply. We'll use a mix (see comments for grTransitions).
+		newState = anyStateState
+		boundary = anyStateProp == grBoundary
+		if anyPropRule < anyStateRule {
+			boundary = anyPropProp == grBoundary
+		}
+		return
+	}
+
+	if anyPropState >= 0 {
+		// We only have a specific state.
+		return anyPropState, prop, anyPropProp == grBoundary
+		// This branch will probably never be reached because okAnyState will
+		// always be true given the current transition map. But we keep it here
+		// for future modifications to the transition map where this may not be
+		// true anymore.
+	}
+
+	if anyStateState >= 0 {
+		// We only have a specific property.
+		return anyStateState, prop, anyStateProp == grBoundary
+	}
+
+	// No known transition. GB999: Any ÷ Any.
+	return grAny, prop, true
+}
diff --git a/vendor/github.com/rivo/uniseg/line.go b/vendor/github.com/rivo/uniseg/line.go
new file mode 100644
index 0000000000..7a46318d93
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/line.go
@@ -0,0 +1,134 @@
+package uniseg
+
+import "unicode/utf8"
+
+// FirstLineSegment returns the prefix of the given byte slice after which a
+// decision to break the string over to the next line can or must be made,
+// according to the rules of [Unicode Standard Annex #14]. This is used to
+// implement line breaking.
+//
+// Line breaking, also known as word wrapping, is the process of breaking a
+// section of text into lines such that it will fit in the available width of a
+// page, window or other display area.
+//
+// The returned "segment" may not be broken into smaller parts, unless no other
+// breaking opportunities present themselves, in which case you may break by
+// grapheme clusters (using the [FirstGraphemeCluster] function to determine the
+// grapheme clusters).
+//
+// The "mustBreak" flag indicates whether you MUST break the line after the
+// given segment (true), for example after newline characters, or you MAY break
+// the line after the given segment (false).
+//
+// This function can be called continuously to extract all non-breaking sub-sets
+// from a byte slice, as illustrated in the example below.
+//
+// If you don't know the current state, for example when calling the function
+// for the first time, you must pass -1. For consecutive calls, pass the state
+// and rest slice returned by the previous call.
+//
+// The "rest" slice is the sub-slice of the original byte slice "b" starting
+// after the last byte of the identified line segment. If the length of the
+// "rest" slice is 0, the entire byte slice "b" has been processed. The
+// "segment" byte slice is the sub-slice of the input slice containing the
+// identified line segment.
+//
+// Given an empty byte slice "b", the function returns nil values.
+//
+// Note that in accordance with [UAX #14 LB3], the final segment will end with
+// "mustBreak" set to true. You can choose to ignore this by checking if the
+// length of the "rest" slice is 0 and calling [HasTrailingLineBreak] or
+// [HasTrailingLineBreakInString] on the last rune.
+//
+// Note also that this algorithm may break within grapheme clusters. This is
+// addressed in Section 8.2 Example 6 of UAX #14. To avoid this, you can use
+// the [Step] function instead.
+//
+// [Unicode Standard Annex #14]: https://www.unicode.org/reports/tr14/
+// [UAX #14 LB3]: https://www.unicode.org/reports/tr14/#Algorithm
+func FirstLineSegment(b []byte, state int) (segment, rest []byte, mustBreak bool, newState int) {
+	// An empty byte slice returns nothing.
+	if len(b) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRune(b)
+	if len(b) <= length { // If we're already past the end, there is nothing else to parse.
+		return b, nil, true, lbAny // LB3.
+	}
+
+	// If we don't know the state, determine it now.
+	if state < 0 {
+		state, _ = transitionLineBreakState(state, r, b[length:], "")
+	}
+
+	// Transition until we find a boundary.
+	var boundary int
+	for {
+		r, l := utf8.DecodeRune(b[length:])
+		state, boundary = transitionLineBreakState(state, r, b[length+l:], "")
+
+		if boundary != LineDontBreak {
+			return b[:length], b[length:], boundary == LineMustBreak, state
+		}
+
+		length += l
+		if len(b) <= length {
+			return b, nil, true, lbAny // LB3
+		}
+	}
+}
+
+// FirstLineSegmentInString is like [FirstLineSegment] but its input and outputs
+// are strings.
+func FirstLineSegmentInString(str string, state int) (segment, rest string, mustBreak bool, newState int) {
+	// An empty byte slice returns nothing.
+	if len(str) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRuneInString(str)
+	if len(str) <= length { // If we're already past the end, there is nothing else to parse.
+		return str, "", true, lbAny // LB3.
+	}
+
+	// If we don't know the state, determine it now.
+	if state < 0 {
+		state, _ = transitionLineBreakState(state, r, nil, str[length:])
+	}
+
+	// Transition until we find a boundary.
+	var boundary int
+	for {
+		r, l := utf8.DecodeRuneInString(str[length:])
+		state, boundary = transitionLineBreakState(state, r, nil, str[length+l:])
+
+		if boundary != LineDontBreak {
+			return str[:length], str[length:], boundary == LineMustBreak, state
+		}
+
+		length += l
+		if len(str) <= length {
+			return str, "", true, lbAny // LB3.
+		}
+	}
+}
+
+// HasTrailingLineBreak returns true if the last rune in the given byte slice is
+// one of the hard line break code points defined in LB4 and LB5 of [UAX #14].
+//
+// [UAX #14]: https://www.unicode.org/reports/tr14/#Algorithm
+func HasTrailingLineBreak(b []byte) bool {
+	r, _ := utf8.DecodeLastRune(b)
+	property, _ := propertyLineBreak(r)
+	return property == prBK || property == prCR || property == prLF || property == prNL
+}
+
+// HasTrailingLineBreakInString is like [HasTrailingLineBreak] but for a string.
+func HasTrailingLineBreakInString(str string) bool {
+	r, _ := utf8.DecodeLastRuneInString(str)
+	property, _ := propertyLineBreak(r)
+	return property == prBK || property == prCR || property == prLF || property == prNL
+}
diff --git a/vendor/github.com/rivo/uniseg/lineproperties.go b/vendor/github.com/rivo/uniseg/lineproperties.go
new file mode 100644
index 0000000000..ac7fac4c05
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/lineproperties.go
@@ -0,0 +1,3554 @@
+// Code generated via go generate from gen_properties.go. DO NOT EDIT.
+
+package uniseg
+
+// lineBreakCodePoints are taken from
+// https://www.unicode.org/Public/15.0.0/ucd/LineBreak.txt
+// and
+// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt
+// ("Extended_Pictographic" only)
+// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode
+// license agreement.
+var lineBreakCodePoints = [][4]int{
+	{0x0000, 0x0008, prCM, gcCc},     //     [9] <control-0000>..<control-0008>
+	{0x0009, 0x0009, prBA, gcCc},     //         <control-0009>
+	{0x000A, 0x000A, prLF, gcCc},     //         <control-000A>
+	{0x000B, 0x000C, prBK, gcCc},     //     [2] <control-000B>..<control-000C>
+	{0x000D, 0x000D, prCR, gcCc},     //         <control-000D>
+	{0x000E, 0x001F, prCM, gcCc},     //    [18] <control-000E>..<control-001F>
+	{0x0020, 0x0020, prSP, gcZs},     //         SPACE
+	{0x0021, 0x0021, prEX, gcPo},     //         EXCLAMATION MARK
+	{0x0022, 0x0022, prQU, gcPo},     //         QUOTATION MARK
+	{0x0023, 0x0023, prAL, gcPo},     //         NUMBER SIGN
+	{0x0024, 0x0024, prPR, gcSc},     //         DOLLAR SIGN
+	{0x0025, 0x0025, prPO, gcPo},     //         PERCENT SIGN
+	{0x0026, 0x0026, prAL, gcPo},     //         AMPERSAND
+	{0x0027, 0x0027, prQU, gcPo},     //         APOSTROPHE
+	{0x0028, 0x0028, prOP, gcPs},     //         LEFT PARENTHESIS
+	{0x0029, 0x0029, prCP, gcPe},     //         RIGHT PARENTHESIS
+	{0x002A, 0x002A, prAL, gcPo},     //         ASTERISK
+	{0x002B, 0x002B, prPR, gcSm},     //         PLUS SIGN
+	{0x002C, 0x002C, prIS, gcPo},     //         COMMA
+	{0x002D, 0x002D, prHY, gcPd},     //         HYPHEN-MINUS
+	{0x002E, 0x002E, prIS, gcPo},     //         FULL STOP
+	{0x002F, 0x002F, prSY, gcPo},     //         SOLIDUS
+	{0x0030, 0x0039, prNU, gcNd},     //    [10] DIGIT ZERO..DIGIT NINE
+	{0x003A, 0x003B, prIS, gcPo},     //     [2] COLON..SEMICOLON
+	{0x003C, 0x003E, prAL, gcSm},     //     [3] LESS-THAN SIGN..GREATER-THAN SIGN
+	{0x003F, 0x003F, prEX, gcPo},     //         QUESTION MARK
+	{0x0040, 0x0040, prAL, gcPo},     //         COMMERCIAL AT
+	{0x0041, 0x005A, prAL, gcLu},     //    [26] LATIN CAPITAL LETTER A..LATIN CAPITAL LETTER Z
+	{0x005B, 0x005B, prOP, gcPs},     //         LEFT SQUARE BRACKET
+	{0x005C, 0x005C, prPR, gcPo},     //         REVERSE SOLIDUS
+	{0x005D, 0x005D, prCP, gcPe},     //         RIGHT SQUARE BRACKET
+	{0x005E, 0x005E, prAL, gcSk},     //         CIRCUMFLEX ACCENT
+	{0x005F, 0x005F, prAL, gcPc},     //         LOW LINE
+	{0x0060, 0x0060, prAL, gcSk},     //         GRAVE ACCENT
+	{0x0061, 0x007A, prAL, gcLl},     //    [26] LATIN SMALL LETTER A..LATIN SMALL LETTER Z
+	{0x007B, 0x007B, prOP, gcPs},     //         LEFT CURLY BRACKET
+	{0x007C, 0x007C, prBA, gcSm},     //         VERTICAL LINE
+	{0x007D, 0x007D, prCL, gcPe},     //         RIGHT CURLY BRACKET
+	{0x007E, 0x007E, prAL, gcSm},     //         TILDE
+	{0x007F, 0x007F, prCM, gcCc},     //         <control-007F>
+	{0x0080, 0x0084, prCM, gcCc},     //     [5] <control-0080>..<control-0084>
+	{0x0085, 0x0085, prNL, gcCc},     //         <control-0085>
+	{0x0086, 0x009F, prCM, gcCc},     //    [26] <control-0086>..<control-009F>
+	{0x00A0, 0x00A0, prGL, gcZs},     //         NO-BREAK SPACE
+	{0x00A1, 0x00A1, prOP, gcPo},     //         INVERTED EXCLAMATION MARK
+	{0x00A2, 0x00A2, prPO, gcSc},     //         CENT SIGN
+	{0x00A3, 0x00A5, prPR, gcSc},     //     [3] POUND SIGN..YEN SIGN
+	{0x00A6, 0x00A6, prAL, gcSo},     //         BROKEN BAR
+	{0x00A7, 0x00A7, prAI, gcPo},     //         SECTION SIGN
+	{0x00A8, 0x00A8, prAI, gcSk},     //         DIAERESIS
+	{0x00A9, 0x00A9, prAL, gcSo},     //         COPYRIGHT SIGN
+	{0x00AA, 0x00AA, prAI, gcLo},     //         FEMININE ORDINAL INDICATOR
+	{0x00AB, 0x00AB, prQU, gcPi},     //         LEFT-POINTING DOUBLE ANGLE QUOTATION MARK
+	{0x00AC, 0x00AC, prAL, gcSm},     //         NOT SIGN
+	{0x00AD, 0x00AD, prBA, gcCf},     //         SOFT HYPHEN
+	{0x00AE, 0x00AE, prAL, gcSo},     //         REGISTERED SIGN
+	{0x00AF, 0x00AF, prAL, gcSk},     //         MACRON
+	{0x00B0, 0x00B0, prPO, gcSo},     //         DEGREE SIGN
+	{0x00B1, 0x00B1, prPR, gcSm},     //         PLUS-MINUS SIGN
+	{0x00B2, 0x00B3, prAI, gcNo},     //     [2] SUPERSCRIPT TWO..SUPERSCRIPT THREE
+	{0x00B4, 0x00B4, prBB, gcSk},     //         ACUTE ACCENT
+	{0x00B5, 0x00B5, prAL, gcLl},     //         MICRO SIGN
+	{0x00B6, 0x00B7, prAI, gcPo},     //     [2] PILCROW SIGN..MIDDLE DOT
+	{0x00B8, 0x00B8, prAI, gcSk},     //         CEDILLA
+	{0x00B9, 0x00B9, prAI, gcNo},     //         SUPERSCRIPT ONE
+	{0x00BA, 0x00BA, prAI, gcLo},     //         MASCULINE ORDINAL INDICATOR
+	{0x00BB, 0x00BB, prQU, gcPf},     //         RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK
+	{0x00BC, 0x00BE, prAI, gcNo},     //     [3] VULGAR FRACTION ONE QUARTER..VULGAR FRACTION THREE QUARTERS
+	{0x00BF, 0x00BF, prOP, gcPo},     //         INVERTED QUESTION MARK
+	{0x00C0, 0x00D6, prAL, gcLu},     //    [23] LATIN CAPITAL LETTER A WITH GRAVE..LATIN CAPITAL LETTER O WITH DIAERESIS
+	{0x00D7, 0x00D7, prAI, gcSm},     //         MULTIPLICATION SIGN
+	{0x00D8, 0x00F6, prAL, gcLC},     //    [31] LATIN CAPITAL LETTER O WITH STROKE..LATIN SMALL LETTER O WITH DIAERESIS
+	{0x00F7, 0x00F7, prAI, gcSm},     //         DIVISION SIGN
+	{0x00F8, 0x00FF, prAL, gcLl},     //     [8] LATIN SMALL LETTER O WITH STROKE..LATIN SMALL LETTER Y WITH DIAERESIS
+	{0x0100, 0x017F, prAL, gcLC},     //   [128] LATIN CAPITAL LETTER A WITH MACRON..LATIN SMALL LETTER LONG S
+	{0x0180, 0x01BA, prAL, gcLC},     //    [59] LATIN SMALL LETTER B WITH STROKE..LATIN SMALL LETTER EZH WITH TAIL
+	{0x01BB, 0x01BB, prAL, gcLo},     //         LATIN LETTER TWO WITH STROKE
+	{0x01BC, 0x01BF, prAL, gcLC},     //     [4] LATIN CAPITAL LETTER TONE FIVE..LATIN LETTER WYNN
+	{0x01C0, 0x01C3, prAL, gcLo},     //     [4] LATIN LETTER DENTAL CLICK..LATIN LETTER RETROFLEX CLICK
+	{0x01C4, 0x024F, prAL, gcLC},     //   [140] LATIN CAPITAL LETTER DZ WITH CARON..LATIN SMALL LETTER Y WITH STROKE
+	{0x0250, 0x0293, prAL, gcLl},     //    [68] LATIN SMALL LETTER TURNED A..LATIN SMALL LETTER EZH WITH CURL
+	{0x0294, 0x0294, prAL, gcLo},     //         LATIN LETTER GLOTTAL STOP
+	{0x0295, 0x02AF, prAL, gcLl},     //    [27] LATIN LETTER PHARYNGEAL VOICED FRICATIVE..LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL
+	{0x02B0, 0x02C1, prAL, gcLm},     //    [18] MODIFIER LETTER SMALL H..MODIFIER LETTER REVERSED GLOTTAL STOP
+	{0x02C2, 0x02C5, prAL, gcSk},     //     [4] MODIFIER LETTER LEFT ARROWHEAD..MODIFIER LETTER DOWN ARROWHEAD
+	{0x02C6, 0x02C6, prAL, gcLm},     //         MODIFIER LETTER CIRCUMFLEX ACCENT
+	{0x02C7, 0x02C7, prAI, gcLm},     //         CARON
+	{0x02C8, 0x02C8, prBB, gcLm},     //         MODIFIER LETTER VERTICAL LINE
+	{0x02C9, 0x02CB, prAI, gcLm},     //     [3] MODIFIER LETTER MACRON..MODIFIER LETTER GRAVE ACCENT
+	{0x02CC, 0x02CC, prBB, gcLm},     //         MODIFIER LETTER LOW VERTICAL LINE
+	{0x02CD, 0x02CD, prAI, gcLm},     //         MODIFIER LETTER LOW MACRON
+	{0x02CE, 0x02CF, prAL, gcLm},     //     [2] MODIFIER LETTER LOW GRAVE ACCENT..MODIFIER LETTER LOW ACUTE ACCENT
+	{0x02D0, 0x02D0, prAI, gcLm},     //         MODIFIER LETTER TRIANGULAR COLON
+	{0x02D1, 0x02D1, prAL, gcLm},     //         MODIFIER LETTER HALF TRIANGULAR COLON
+	{0x02D2, 0x02D7, prAL, gcSk},     //     [6] MODIFIER LETTER CENTRED RIGHT HALF RING..MODIFIER LETTER MINUS SIGN
+	{0x02D8, 0x02DB, prAI, gcSk},     //     [4] BREVE..OGONEK
+	{0x02DC, 0x02DC, prAL, gcSk},     //         SMALL TILDE
+	{0x02DD, 0x02DD, prAI, gcSk},     //         DOUBLE ACUTE ACCENT
+	{0x02DE, 0x02DE, prAL, gcSk},     //         MODIFIER LETTER RHOTIC HOOK
+	{0x02DF, 0x02DF, prBB, gcSk},     //         MODIFIER LETTER CROSS ACCENT
+	{0x02E0, 0x02E4, prAL, gcLm},     //     [5] MODIFIER LETTER SMALL GAMMA..MODIFIER LETTER SMALL REVERSED GLOTTAL STOP
+	{0x02E5, 0x02EB, prAL, gcSk},     //     [7] MODIFIER LETTER EXTRA-HIGH TONE BAR..MODIFIER LETTER YANG DEPARTING TONE MARK
+	{0x02EC, 0x02EC, prAL, gcLm},     //         MODIFIER LETTER VOICING
+	{0x02ED, 0x02ED, prAL, gcSk},     //         MODIFIER LETTER UNASPIRATED
+	{0x02EE, 0x02EE, prAL, gcLm},     //         MODIFIER LETTER DOUBLE APOSTROPHE
+	{0x02EF, 0x02FF, prAL, gcSk},     //    [17] MODIFIER LETTER LOW DOWN ARROWHEAD..MODIFIER LETTER LOW LEFT ARROW
+	{0x0300, 0x034E, prCM, gcMn},     //    [79] COMBINING GRAVE ACCENT..COMBINING UPWARDS ARROW BELOW
+	{0x034F, 0x034F, prGL, gcMn},     //         COMBINING GRAPHEME JOINER
+	{0x0350, 0x035B, prCM, gcMn},     //    [12] COMBINING RIGHT ARROWHEAD ABOVE..COMBINING ZIGZAG ABOVE
+	{0x035C, 0x0362, prGL, gcMn},     //     [7] COMBINING DOUBLE BREVE BELOW..COMBINING DOUBLE RIGHTWARDS ARROW BELOW
+	{0x0363, 0x036F, prCM, gcMn},     //    [13] COMBINING LATIN SMALL LETTER A..COMBINING LATIN SMALL LETTER X
+	{0x0370, 0x0373, prAL, gcLC},     //     [4] GREEK CAPITAL LETTER HETA..GREEK SMALL LETTER ARCHAIC SAMPI
+	{0x0374, 0x0374, prAL, gcLm},     //         GREEK NUMERAL SIGN
+	{0x0375, 0x0375, prAL, gcSk},     //         GREEK LOWER NUMERAL SIGN
+	{0x0376, 0x0377, prAL, gcLC},     //     [2] GREEK CAPITAL LETTER PAMPHYLIAN DIGAMMA..GREEK SMALL LETTER PAMPHYLIAN DIGAMMA
+	{0x037A, 0x037A, prAL, gcLm},     //         GREEK YPOGEGRAMMENI
+	{0x037B, 0x037D, prAL, gcLl},     //     [3] GREEK SMALL REVERSED LUNATE SIGMA SYMBOL..GREEK SMALL REVERSED DOTTED LUNATE SIGMA SYMBOL
+	{0x037E, 0x037E, prIS, gcPo},     //         GREEK QUESTION MARK
+	{0x037F, 0x037F, prAL, gcLu},     //         GREEK CAPITAL LETTER YOT
+	{0x0384, 0x0385, prAL, gcSk},     //     [2] GREEK TONOS..GREEK DIALYTIKA TONOS
+	{0x0386, 0x0386, prAL, gcLu},     //         GREEK CAPITAL LETTER ALPHA WITH TONOS
+	{0x0387, 0x0387, prAL, gcPo},     //         GREEK ANO TELEIA
+	{0x0388, 0x038A, prAL, gcLu},     //     [3] GREEK CAPITAL LETTER EPSILON WITH TONOS..GREEK CAPITAL LETTER IOTA WITH TONOS
+	{0x038C, 0x038C, prAL, gcLu},     //         GREEK CAPITAL LETTER OMICRON WITH TONOS
+	{0x038E, 0x03A1, prAL, gcLC},     //    [20] GREEK CAPITAL LETTER UPSILON WITH TONOS..GREEK CAPITAL LETTER RHO
+	{0x03A3, 0x03F5, prAL, gcLC},     //    [83] GREEK CAPITAL LETTER SIGMA..GREEK LUNATE EPSILON SYMBOL
+	{0x03F6, 0x03F6, prAL, gcSm},     //         GREEK REVERSED LUNATE EPSILON SYMBOL
+	{0x03F7, 0x03FF, prAL, gcLC},     //     [9] GREEK CAPITAL LETTER SHO..GREEK CAPITAL REVERSED DOTTED LUNATE SIGMA SYMBOL
+	{0x0400, 0x0481, prAL, gcLC},     //   [130] CYRILLIC CAPITAL LETTER IE WITH GRAVE..CYRILLIC SMALL LETTER KOPPA
+	{0x0482, 0x0482, prAL, gcSo},     //         CYRILLIC THOUSANDS SIGN
+	{0x0483, 0x0487, prCM, gcMn},     //     [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE
+	{0x0488, 0x0489, prCM, gcMe},     //     [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN
+	{0x048A, 0x04FF, prAL, gcLC},     //   [118] CYRILLIC CAPITAL LETTER SHORT I WITH TAIL..CYRILLIC SMALL LETTER HA WITH STROKE
+	{0x0500, 0x052F, prAL, gcLC},     //    [48] CYRILLIC CAPITAL LETTER KOMI DE..CYRILLIC SMALL LETTER EL WITH DESCENDER
+	{0x0531, 0x0556, prAL, gcLu},     //    [38] ARMENIAN CAPITAL LETTER AYB..ARMENIAN CAPITAL LETTER FEH
+	{0x0559, 0x0559, prAL, gcLm},     //         ARMENIAN MODIFIER LETTER LEFT HALF RING
+	{0x055A, 0x055F, prAL, gcPo},     //     [6] ARMENIAN APOSTROPHE..ARMENIAN ABBREVIATION MARK
+	{0x0560, 0x0588, prAL, gcLl},     //    [41] ARMENIAN SMALL LETTER TURNED AYB..ARMENIAN SMALL LETTER YI WITH STROKE
+	{0x0589, 0x0589, prIS, gcPo},     //         ARMENIAN FULL STOP
+	{0x058A, 0x058A, prBA, gcPd},     //         ARMENIAN HYPHEN
+	{0x058D, 0x058E, prAL, gcSo},     //     [2] RIGHT-FACING ARMENIAN ETERNITY SIGN..LEFT-FACING ARMENIAN ETERNITY SIGN
+	{0x058F, 0x058F, prPR, gcSc},     //         ARMENIAN DRAM SIGN
+	{0x0591, 0x05BD, prCM, gcMn},     //    [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG
+	{0x05BE, 0x05BE, prBA, gcPd},     //         HEBREW PUNCTUATION MAQAF
+	{0x05BF, 0x05BF, prCM, gcMn},     //         HEBREW POINT RAFE
+	{0x05C0, 0x05C0, prAL, gcPo},     //         HEBREW PUNCTUATION PASEQ
+	{0x05C1, 0x05C2, prCM, gcMn},     //     [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT
+	{0x05C3, 0x05C3, prAL, gcPo},     //         HEBREW PUNCTUATION SOF PASUQ
+	{0x05C4, 0x05C5, prCM, gcMn},     //     [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT
+	{0x05C6, 0x05C6, prEX, gcPo},     //         HEBREW PUNCTUATION NUN HAFUKHA
+	{0x05C7, 0x05C7, prCM, gcMn},     //         HEBREW POINT QAMATS QATAN
+	{0x05D0, 0x05EA, prHL, gcLo},     //    [27] HEBREW LETTER ALEF..HEBREW LETTER TAV
+	{0x05EF, 0x05F2, prHL, gcLo},     //     [4] HEBREW YOD TRIANGLE..HEBREW LIGATURE YIDDISH DOUBLE YOD
+	{0x05F3, 0x05F4, prAL, gcPo},     //     [2] HEBREW PUNCTUATION GERESH..HEBREW PUNCTUATION GERSHAYIM
+	{0x0600, 0x0605, prAL, gcCf},     //     [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE
+	{0x0606, 0x0608, prAL, gcSm},     //     [3] ARABIC-INDIC CUBE ROOT..ARABIC RAY
+	{0x0609, 0x060A, prPO, gcPo},     //     [2] ARABIC-INDIC PER MILLE SIGN..ARABIC-INDIC PER TEN THOUSAND SIGN
+	{0x060B, 0x060B, prPO, gcSc},     //         AFGHANI SIGN
+	{0x060C, 0x060D, prIS, gcPo},     //     [2] ARABIC COMMA..ARABIC DATE SEPARATOR
+	{0x060E, 0x060F, prAL, gcSo},     //     [2] ARABIC POETIC VERSE SIGN..ARABIC SIGN MISRA
+	{0x0610, 0x061A, prCM, gcMn},     //    [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA
+	{0x061B, 0x061B, prEX, gcPo},     //         ARABIC SEMICOLON
+	{0x061C, 0x061C, prCM, gcCf},     //         ARABIC LETTER MARK
+	{0x061D, 0x061F, prEX, gcPo},     //     [3] ARABIC END OF TEXT MARK..ARABIC QUESTION MARK
+	{0x0620, 0x063F, prAL, gcLo},     //    [32] ARABIC LETTER KASHMIRI YEH..ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE
+	{0x0640, 0x0640, prAL, gcLm},     //         ARABIC TATWEEL
+	{0x0641, 0x064A, prAL, gcLo},     //    [10] ARABIC LETTER FEH..ARABIC LETTER YEH
+	{0x064B, 0x065F, prCM, gcMn},     //    [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW
+	{0x0660, 0x0669, prNU, gcNd},     //    [10] ARABIC-INDIC DIGIT ZERO..ARABIC-INDIC DIGIT NINE
+	{0x066A, 0x066A, prPO, gcPo},     //         ARABIC PERCENT SIGN
+	{0x066B, 0x066C, prNU, gcPo},     //     [2] ARABIC DECIMAL SEPARATOR..ARABIC THOUSANDS SEPARATOR
+	{0x066D, 0x066D, prAL, gcPo},     //         ARABIC FIVE POINTED STAR
+	{0x066E, 0x066F, prAL, gcLo},     //     [2] ARABIC LETTER DOTLESS BEH..ARABIC LETTER DOTLESS QAF
+	{0x0670, 0x0670, prCM, gcMn},     //         ARABIC LETTER SUPERSCRIPT ALEF
+	{0x0671, 0x06D3, prAL, gcLo},     //    [99] ARABIC LETTER ALEF WASLA..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE
+	{0x06D4, 0x06D4, prEX, gcPo},     //         ARABIC FULL STOP
+	{0x06D5, 0x06D5, prAL, gcLo},     //         ARABIC LETTER AE
+	{0x06D6, 0x06DC, prCM, gcMn},     //     [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN
+	{0x06DD, 0x06DD, prAL, gcCf},     //         ARABIC END OF AYAH
+	{0x06DE, 0x06DE, prAL, gcSo},     //         ARABIC START OF RUB EL HIZB
+	{0x06DF, 0x06E4, prCM, gcMn},     //     [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA
+	{0x06E5, 0x06E6, prAL, gcLm},     //     [2] ARABIC SMALL WAW..ARABIC SMALL YEH
+	{0x06E7, 0x06E8, prCM, gcMn},     //     [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON
+	{0x06E9, 0x06E9, prAL, gcSo},     //         ARABIC PLACE OF SAJDAH
+	{0x06EA, 0x06ED, prCM, gcMn},     //     [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM
+	{0x06EE, 0x06EF, prAL, gcLo},     //     [2] ARABIC LETTER DAL WITH INVERTED V..ARABIC LETTER REH WITH INVERTED V
+	{0x06F0, 0x06F9, prNU, gcNd},     //    [10] EXTENDED ARABIC-INDIC DIGIT ZERO..EXTENDED ARABIC-INDIC DIGIT NINE
+	{0x06FA, 0x06FC, prAL, gcLo},     //     [3] ARABIC LETTER SHEEN WITH DOT BELOW..ARABIC LETTER GHAIN WITH DOT BELOW
+	{0x06FD, 0x06FE, prAL, gcSo},     //     [2] ARABIC SIGN SINDHI AMPERSAND..ARABIC SIGN SINDHI POSTPOSITION MEN
+	{0x06FF, 0x06FF, prAL, gcLo},     //         ARABIC LETTER HEH WITH INVERTED V
+	{0x0700, 0x070D, prAL, gcPo},     //    [14] SYRIAC END OF PARAGRAPH..SYRIAC HARKLEAN ASTERISCUS
+	{0x070F, 0x070F, prAL, gcCf},     //         SYRIAC ABBREVIATION MARK
+	{0x0710, 0x0710, prAL, gcLo},     //         SYRIAC LETTER ALAPH
+	{0x0711, 0x0711, prCM, gcMn},     //         SYRIAC LETTER SUPERSCRIPT ALAPH
+	{0x0712, 0x072F, prAL, gcLo},     //    [30] SYRIAC LETTER BETH..SYRIAC LETTER PERSIAN DHALATH
+	{0x0730, 0x074A, prCM, gcMn},     //    [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH
+	{0x074D, 0x074F, prAL, gcLo},     //     [3] SYRIAC LETTER SOGDIAN ZHAIN..SYRIAC LETTER SOGDIAN FE
+	{0x0750, 0x077F, prAL, gcLo},     //    [48] ARABIC LETTER BEH WITH THREE DOTS HORIZONTALLY BELOW..ARABIC LETTER KAF WITH TWO DOTS ABOVE
+	{0x0780, 0x07A5, prAL, gcLo},     //    [38] THAANA LETTER HAA..THAANA LETTER WAAVU
+	{0x07A6, 0x07B0, prCM, gcMn},     //    [11] THAANA ABAFILI..THAANA SUKUN
+	{0x07B1, 0x07B1, prAL, gcLo},     //         THAANA LETTER NAA
+	{0x07C0, 0x07C9, prNU, gcNd},     //    [10] NKO DIGIT ZERO..NKO DIGIT NINE
+	{0x07CA, 0x07EA, prAL, gcLo},     //    [33] NKO LETTER A..NKO LETTER JONA RA
+	{0x07EB, 0x07F3, prCM, gcMn},     //     [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE
+	{0x07F4, 0x07F5, prAL, gcLm},     //     [2] NKO HIGH TONE APOSTROPHE..NKO LOW TONE APOSTROPHE
+	{0x07F6, 0x07F6, prAL, gcSo},     //         NKO SYMBOL OO DENNEN
+	{0x07F7, 0x07F7, prAL, gcPo},     //         NKO SYMBOL GBAKURUNEN
+	{0x07F8, 0x07F8, prIS, gcPo},     //         NKO COMMA
+	{0x07F9, 0x07F9, prEX, gcPo},     //         NKO EXCLAMATION MARK
+	{0x07FA, 0x07FA, prAL, gcLm},     //         NKO LAJANYALAN
+	{0x07FD, 0x07FD, prCM, gcMn},     //         NKO DANTAYALAN
+	{0x07FE, 0x07FF, prPR, gcSc},     //     [2] NKO DOROME SIGN..NKO TAMAN SIGN
+	{0x0800, 0x0815, prAL, gcLo},     //    [22] SAMARITAN LETTER ALAF..SAMARITAN LETTER TAAF
+	{0x0816, 0x0819, prCM, gcMn},     //     [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH
+	{0x081A, 0x081A, prAL, gcLm},     //         SAMARITAN MODIFIER LETTER EPENTHETIC YUT
+	{0x081B, 0x0823, prCM, gcMn},     //     [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A
+	{0x0824, 0x0824, prAL, gcLm},     //         SAMARITAN MODIFIER LETTER SHORT A
+	{0x0825, 0x0827, prCM, gcMn},     //     [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U
+	{0x0828, 0x0828, prAL, gcLm},     //         SAMARITAN MODIFIER LETTER I
+	{0x0829, 0x082D, prCM, gcMn},     //     [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA
+	{0x0830, 0x083E, prAL, gcPo},     //    [15] SAMARITAN PUNCTUATION NEQUDAA..SAMARITAN PUNCTUATION ANNAAU
+	{0x0840, 0x0858, prAL, gcLo},     //    [25] MANDAIC LETTER HALQA..MANDAIC LETTER AIN
+	{0x0859, 0x085B, prCM, gcMn},     //     [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK
+	{0x085E, 0x085E, prAL, gcPo},     //         MANDAIC PUNCTUATION
+	{0x0860, 0x086A, prAL, gcLo},     //    [11] SYRIAC LETTER MALAYALAM NGA..SYRIAC LETTER MALAYALAM SSA
+	{0x0870, 0x0887, prAL, gcLo},     //    [24] ARABIC LETTER ALEF WITH ATTACHED FATHA..ARABIC BASELINE ROUND DOT
+	{0x0888, 0x0888, prAL, gcSk},     //         ARABIC RAISED ROUND DOT
+	{0x0889, 0x088E, prAL, gcLo},     //     [6] ARABIC LETTER NOON WITH INVERTED SMALL V..ARABIC VERTICAL TAIL
+	{0x0890, 0x0891, prAL, gcCf},     //     [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE
+	{0x0898, 0x089F, prCM, gcMn},     //     [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA
+	{0x08A0, 0x08C8, prAL, gcLo},     //    [41] ARABIC LETTER BEH WITH SMALL V BELOW..ARABIC LETTER GRAF
+	{0x08C9, 0x08C9, prAL, gcLm},     //         ARABIC SMALL FARSI YEH
+	{0x08CA, 0x08E1, prCM, gcMn},     //    [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA
+	{0x08E2, 0x08E2, prAL, gcCf},     //         ARABIC DISPUTED END OF AYAH
+	{0x08E3, 0x08FF, prCM, gcMn},     //    [29] ARABIC TURNED DAMMA BELOW..ARABIC MARK SIDEWAYS NOON GHUNNA
+	{0x0900, 0x0902, prCM, gcMn},     //     [3] DEVANAGARI SIGN INVERTED CANDRABINDU..DEVANAGARI SIGN ANUSVARA
+	{0x0903, 0x0903, prCM, gcMc},     //         DEVANAGARI SIGN VISARGA
+	{0x0904, 0x0939, prAL, gcLo},     //    [54] DEVANAGARI LETTER SHORT A..DEVANAGARI LETTER HA
+	{0x093A, 0x093A, prCM, gcMn},     //         DEVANAGARI VOWEL SIGN OE
+	{0x093B, 0x093B, prCM, gcMc},     //         DEVANAGARI VOWEL SIGN OOE
+	{0x093C, 0x093C, prCM, gcMn},     //         DEVANAGARI SIGN NUKTA
+	{0x093D, 0x093D, prAL, gcLo},     //         DEVANAGARI SIGN AVAGRAHA
+	{0x093E, 0x0940, prCM, gcMc},     //     [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II
+	{0x0941, 0x0948, prCM, gcMn},     //     [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI
+	{0x0949, 0x094C, prCM, gcMc},     //     [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU
+	{0x094D, 0x094D, prCM, gcMn},     //         DEVANAGARI SIGN VIRAMA
+	{0x094E, 0x094F, prCM, gcMc},     //     [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW
+	{0x0950, 0x0950, prAL, gcLo},     //         DEVANAGARI OM
+	{0x0951, 0x0957, prCM, gcMn},     //     [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE
+	{0x0958, 0x0961, prAL, gcLo},     //    [10] DEVANAGARI LETTER QA..DEVANAGARI LETTER VOCALIC LL
+	{0x0962, 0x0963, prCM, gcMn},     //     [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL
+	{0x0964, 0x0965, prBA, gcPo},     //     [2] DEVANAGARI DANDA..DEVANAGARI DOUBLE DANDA
+	{0x0966, 0x096F, prNU, gcNd},     //    [10] DEVANAGARI DIGIT ZERO..DEVANAGARI DIGIT NINE
+	{0x0970, 0x0970, prAL, gcPo},     //         DEVANAGARI ABBREVIATION SIGN
+	{0x0971, 0x0971, prAL, gcLm},     //         DEVANAGARI SIGN HIGH SPACING DOT
+	{0x0972, 0x097F, prAL, gcLo},     //    [14] DEVANAGARI LETTER CANDRA A..DEVANAGARI LETTER BBA
+	{0x0980, 0x0980, prAL, gcLo},     //         BENGALI ANJI
+	{0x0981, 0x0981, prCM, gcMn},     //         BENGALI SIGN CANDRABINDU
+	{0x0982, 0x0983, prCM, gcMc},     //     [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA
+	{0x0985, 0x098C, prAL, gcLo},     //     [8] BENGALI LETTER A..BENGALI LETTER VOCALIC L
+	{0x098F, 0x0990, prAL, gcLo},     //     [2] BENGALI LETTER E..BENGALI LETTER AI
+	{0x0993, 0x09A8, prAL, gcLo},     //    [22] BENGALI LETTER O..BENGALI LETTER NA
+	{0x09AA, 0x09B0, prAL, gcLo},     //     [7] BENGALI LETTER PA..BENGALI LETTER RA
+	{0x09B2, 0x09B2, prAL, gcLo},     //         BENGALI LETTER LA
+	{0x09B6, 0x09B9, prAL, gcLo},     //     [4] BENGALI LETTER SHA..BENGALI LETTER HA
+	{0x09BC, 0x09BC, prCM, gcMn},     //         BENGALI SIGN NUKTA
+	{0x09BD, 0x09BD, prAL, gcLo},     //         BENGALI SIGN AVAGRAHA
+	{0x09BE, 0x09C0, prCM, gcMc},     //     [3] BENGALI VOWEL SIGN AA..BENGALI VOWEL SIGN II
+	{0x09C1, 0x09C4, prCM, gcMn},     //     [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR
+	{0x09C7, 0x09C8, prCM, gcMc},     //     [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI
+	{0x09CB, 0x09CC, prCM, gcMc},     //     [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU
+	{0x09CD, 0x09CD, prCM, gcMn},     //         BENGALI SIGN VIRAMA
+	{0x09CE, 0x09CE, prAL, gcLo},     //         BENGALI LETTER KHANDA TA
+	{0x09D7, 0x09D7, prCM, gcMc},     //         BENGALI AU LENGTH MARK
+	{0x09DC, 0x09DD, prAL, gcLo},     //     [2] BENGALI LETTER RRA..BENGALI LETTER RHA
+	{0x09DF, 0x09E1, prAL, gcLo},     //     [3] BENGALI LETTER YYA..BENGALI LETTER VOCALIC LL
+	{0x09E2, 0x09E3, prCM, gcMn},     //     [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL
+	{0x09E6, 0x09EF, prNU, gcNd},     //    [10] BENGALI DIGIT ZERO..BENGALI DIGIT NINE
+	{0x09F0, 0x09F1, prAL, gcLo},     //     [2] BENGALI LETTER RA WITH MIDDLE DIAGONAL..BENGALI LETTER RA WITH LOWER DIAGONAL
+	{0x09F2, 0x09F3, prPO, gcSc},     //     [2] BENGALI RUPEE MARK..BENGALI RUPEE SIGN
+	{0x09F4, 0x09F8, prAL, gcNo},     //     [5] BENGALI CURRENCY NUMERATOR ONE..BENGALI CURRENCY NUMERATOR ONE LESS THAN THE DENOMINATOR
+	{0x09F9, 0x09F9, prPO, gcNo},     //         BENGALI CURRENCY DENOMINATOR SIXTEEN
+	{0x09FA, 0x09FA, prAL, gcSo},     //         BENGALI ISSHAR
+	{0x09FB, 0x09FB, prPR, gcSc},     //         BENGALI GANDA MARK
+	{0x09FC, 0x09FC, prAL, gcLo},     //         BENGALI LETTER VEDIC ANUSVARA
+	{0x09FD, 0x09FD, prAL, gcPo},     //         BENGALI ABBREVIATION SIGN
+	{0x09FE, 0x09FE, prCM, gcMn},     //         BENGALI SANDHI MARK
+	{0x0A01, 0x0A02, prCM, gcMn},     //     [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI
+	{0x0A03, 0x0A03, prCM, gcMc},     //         GURMUKHI SIGN VISARGA
+	{0x0A05, 0x0A0A, prAL, gcLo},     //     [6] GURMUKHI LETTER A..GURMUKHI LETTER UU
+	{0x0A0F, 0x0A10, prAL, gcLo},     //     [2] GURMUKHI LETTER EE..GURMUKHI LETTER AI
+	{0x0A13, 0x0A28, prAL, gcLo},     //    [22] GURMUKHI LETTER OO..GURMUKHI LETTER NA
+	{0x0A2A, 0x0A30, prAL, gcLo},     //     [7] GURMUKHI LETTER PA..GURMUKHI LETTER RA
+	{0x0A32, 0x0A33, prAL, gcLo},     //     [2] GURMUKHI LETTER LA..GURMUKHI LETTER LLA
+	{0x0A35, 0x0A36, prAL, gcLo},     //     [2] GURMUKHI LETTER VA..GURMUKHI LETTER SHA
+	{0x0A38, 0x0A39, prAL, gcLo},     //     [2] GURMUKHI LETTER SA..GURMUKHI LETTER HA
+	{0x0A3C, 0x0A3C, prCM, gcMn},     //         GURMUKHI SIGN NUKTA
+	{0x0A3E, 0x0A40, prCM, gcMc},     //     [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II
+	{0x0A41, 0x0A42, prCM, gcMn},     //     [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU
+	{0x0A47, 0x0A48, prCM, gcMn},     //     [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI
+	{0x0A4B, 0x0A4D, prCM, gcMn},     //     [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA
+	{0x0A51, 0x0A51, prCM, gcMn},     //         GURMUKHI SIGN UDAAT
+	{0x0A59, 0x0A5C, prAL, gcLo},     //     [4] GURMUKHI LETTER KHHA..GURMUKHI LETTER RRA
+	{0x0A5E, 0x0A5E, prAL, gcLo},     //         GURMUKHI LETTER FA
+	{0x0A66, 0x0A6F, prNU, gcNd},     //    [10] GURMUKHI DIGIT ZERO..GURMUKHI DIGIT NINE
+	{0x0A70, 0x0A71, prCM, gcMn},     //     [2] GURMUKHI TIPPI..GURMUKHI ADDAK
+	{0x0A72, 0x0A74, prAL, gcLo},     //     [3] GURMUKHI IRI..GURMUKHI EK ONKAR
+	{0x0A75, 0x0A75, prCM, gcMn},     //         GURMUKHI SIGN YAKASH
+	{0x0A76, 0x0A76, prAL, gcPo},     //         GURMUKHI ABBREVIATION SIGN
+	{0x0A81, 0x0A82, prCM, gcMn},     //     [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA
+	{0x0A83, 0x0A83, prCM, gcMc},     //         GUJARATI SIGN VISARGA
+	{0x0A85, 0x0A8D, prAL, gcLo},     //     [9] GUJARATI LETTER A..GUJARATI VOWEL CANDRA E
+	{0x0A8F, 0x0A91, prAL, gcLo},     //     [3] GUJARATI LETTER E..GUJARATI VOWEL CANDRA O
+	{0x0A93, 0x0AA8, prAL, gcLo},     //    [22] GUJARATI LETTER O..GUJARATI LETTER NA
+	{0x0AAA, 0x0AB0, prAL, gcLo},     //     [7] GUJARATI LETTER PA..GUJARATI LETTER RA
+	{0x0AB2, 0x0AB3, prAL, gcLo},     //     [2] GUJARATI LETTER LA..GUJARATI LETTER LLA
+	{0x0AB5, 0x0AB9, prAL, gcLo},     //     [5] GUJARATI LETTER VA..GUJARATI LETTER HA
+	{0x0ABC, 0x0ABC, prCM, gcMn},     //         GUJARATI SIGN NUKTA
+	{0x0ABD, 0x0ABD, prAL, gcLo},     //         GUJARATI SIGN AVAGRAHA
+	{0x0ABE, 0x0AC0, prCM, gcMc},     //     [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II
+	{0x0AC1, 0x0AC5, prCM, gcMn},     //     [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E
+	{0x0AC7, 0x0AC8, prCM, gcMn},     //     [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI
+	{0x0AC9, 0x0AC9, prCM, gcMc},     //         GUJARATI VOWEL SIGN CANDRA O
+	{0x0ACB, 0x0ACC, prCM, gcMc},     //     [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU
+	{0x0ACD, 0x0ACD, prCM, gcMn},     //         GUJARATI SIGN VIRAMA
+	{0x0AD0, 0x0AD0, prAL, gcLo},     //         GUJARATI OM
+	{0x0AE0, 0x0AE1, prAL, gcLo},     //     [2] GUJARATI LETTER VOCALIC RR..GUJARATI LETTER VOCALIC LL
+	{0x0AE2, 0x0AE3, prCM, gcMn},     //     [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL
+	{0x0AE6, 0x0AEF, prNU, gcNd},     //    [10] GUJARATI DIGIT ZERO..GUJARATI DIGIT NINE
+	{0x0AF0, 0x0AF0, prAL, gcPo},     //         GUJARATI ABBREVIATION SIGN
+	{0x0AF1, 0x0AF1, prPR, gcSc},     //         GUJARATI RUPEE SIGN
+	{0x0AF9, 0x0AF9, prAL, gcLo},     //         GUJARATI LETTER ZHA
+	{0x0AFA, 0x0AFF, prCM, gcMn},     //     [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+	{0x0B01, 0x0B01, prCM, gcMn},     //         ORIYA SIGN CANDRABINDU
+	{0x0B02, 0x0B03, prCM, gcMc},     //     [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA
+	{0x0B05, 0x0B0C, prAL, gcLo},     //     [8] ORIYA LETTER A..ORIYA LETTER VOCALIC L
+	{0x0B0F, 0x0B10, prAL, gcLo},     //     [2] ORIYA LETTER E..ORIYA LETTER AI
+	{0x0B13, 0x0B28, prAL, gcLo},     //    [22] ORIYA LETTER O..ORIYA LETTER NA
+	{0x0B2A, 0x0B30, prAL, gcLo},     //     [7] ORIYA LETTER PA..ORIYA LETTER RA
+	{0x0B32, 0x0B33, prAL, gcLo},     //     [2] ORIYA LETTER LA..ORIYA LETTER LLA
+	{0x0B35, 0x0B39, prAL, gcLo},     //     [5] ORIYA LETTER VA..ORIYA LETTER HA
+	{0x0B3C, 0x0B3C, prCM, gcMn},     //         ORIYA SIGN NUKTA
+	{0x0B3D, 0x0B3D, prAL, gcLo},     //         ORIYA SIGN AVAGRAHA
+	{0x0B3E, 0x0B3E, prCM, gcMc},     //         ORIYA VOWEL SIGN AA
+	{0x0B3F, 0x0B3F, prCM, gcMn},     //         ORIYA VOWEL SIGN I
+	{0x0B40, 0x0B40, prCM, gcMc},     //         ORIYA VOWEL SIGN II
+	{0x0B41, 0x0B44, prCM, gcMn},     //     [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR
+	{0x0B47, 0x0B48, prCM, gcMc},     //     [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI
+	{0x0B4B, 0x0B4C, prCM, gcMc},     //     [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU
+	{0x0B4D, 0x0B4D, prCM, gcMn},     //         ORIYA SIGN VIRAMA
+	{0x0B55, 0x0B56, prCM, gcMn},     //     [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK
+	{0x0B57, 0x0B57, prCM, gcMc},     //         ORIYA AU LENGTH MARK
+	{0x0B5C, 0x0B5D, prAL, gcLo},     //     [2] ORIYA LETTER RRA..ORIYA LETTER RHA
+	{0x0B5F, 0x0B61, prAL, gcLo},     //     [3] ORIYA LETTER YYA..ORIYA LETTER VOCALIC LL
+	{0x0B62, 0x0B63, prCM, gcMn},     //     [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL
+	{0x0B66, 0x0B6F, prNU, gcNd},     //    [10] ORIYA DIGIT ZERO..ORIYA DIGIT NINE
+	{0x0B70, 0x0B70, prAL, gcSo},     //         ORIYA ISSHAR
+	{0x0B71, 0x0B71, prAL, gcLo},     //         ORIYA LETTER WA
+	{0x0B72, 0x0B77, prAL, gcNo},     //     [6] ORIYA FRACTION ONE QUARTER..ORIYA FRACTION THREE SIXTEENTHS
+	{0x0B82, 0x0B82, prCM, gcMn},     //         TAMIL SIGN ANUSVARA
+	{0x0B83, 0x0B83, prAL, gcLo},     //         TAMIL SIGN VISARGA
+	{0x0B85, 0x0B8A, prAL, gcLo},     //     [6] TAMIL LETTER A..TAMIL LETTER UU
+	{0x0B8E, 0x0B90, prAL, gcLo},     //     [3] TAMIL LETTER E..TAMIL LETTER AI
+	{0x0B92, 0x0B95, prAL, gcLo},     //     [4] TAMIL LETTER O..TAMIL LETTER KA
+	{0x0B99, 0x0B9A, prAL, gcLo},     //     [2] TAMIL LETTER NGA..TAMIL LETTER CA
+	{0x0B9C, 0x0B9C, prAL, gcLo},     //         TAMIL LETTER JA
+	{0x0B9E, 0x0B9F, prAL, gcLo},     //     [2] TAMIL LETTER NYA..TAMIL LETTER TTA
+	{0x0BA3, 0x0BA4, prAL, gcLo},     //     [2] TAMIL LETTER NNA..TAMIL LETTER TA
+	{0x0BA8, 0x0BAA, prAL, gcLo},     //     [3] TAMIL LETTER NA..TAMIL LETTER PA
+	{0x0BAE, 0x0BB9, prAL, gcLo},     //    [12] TAMIL LETTER MA..TAMIL LETTER HA
+	{0x0BBE, 0x0BBF, prCM, gcMc},     //     [2] TAMIL VOWEL SIGN AA..TAMIL VOWEL SIGN I
+	{0x0BC0, 0x0BC0, prCM, gcMn},     //         TAMIL VOWEL SIGN II
+	{0x0BC1, 0x0BC2, prCM, gcMc},     //     [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU
+	{0x0BC6, 0x0BC8, prCM, gcMc},     //     [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI
+	{0x0BCA, 0x0BCC, prCM, gcMc},     //     [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU
+	{0x0BCD, 0x0BCD, prCM, gcMn},     //         TAMIL SIGN VIRAMA
+	{0x0BD0, 0x0BD0, prAL, gcLo},     //         TAMIL OM
+	{0x0BD7, 0x0BD7, prCM, gcMc},     //         TAMIL AU LENGTH MARK
+	{0x0BE6, 0x0BEF, prNU, gcNd},     //    [10] TAMIL DIGIT ZERO..TAMIL DIGIT NINE
+	{0x0BF0, 0x0BF2, prAL, gcNo},     //     [3] TAMIL NUMBER TEN..TAMIL NUMBER ONE THOUSAND
+	{0x0BF3, 0x0BF8, prAL, gcSo},     //     [6] TAMIL DAY SIGN..TAMIL AS ABOVE SIGN
+	{0x0BF9, 0x0BF9, prPR, gcSc},     //         TAMIL RUPEE SIGN
+	{0x0BFA, 0x0BFA, prAL, gcSo},     //         TAMIL NUMBER SIGN
+	{0x0C00, 0x0C00, prCM, gcMn},     //         TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	{0x0C01, 0x0C03, prCM, gcMc},     //     [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA
+	{0x0C04, 0x0C04, prCM, gcMn},     //         TELUGU SIGN COMBINING ANUSVARA ABOVE
+	{0x0C05, 0x0C0C, prAL, gcLo},     //     [8] TELUGU LETTER A..TELUGU LETTER VOCALIC L
+	{0x0C0E, 0x0C10, prAL, gcLo},     //     [3] TELUGU LETTER E..TELUGU LETTER AI
+	{0x0C12, 0x0C28, prAL, gcLo},     //    [23] TELUGU LETTER O..TELUGU LETTER NA
+	{0x0C2A, 0x0C39, prAL, gcLo},     //    [16] TELUGU LETTER PA..TELUGU LETTER HA
+	{0x0C3C, 0x0C3C, prCM, gcMn},     //         TELUGU SIGN NUKTA
+	{0x0C3D, 0x0C3D, prAL, gcLo},     //         TELUGU SIGN AVAGRAHA
+	{0x0C3E, 0x0C40, prCM, gcMn},     //     [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II
+	{0x0C41, 0x0C44, prCM, gcMc},     //     [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR
+	{0x0C46, 0x0C48, prCM, gcMn},     //     [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI
+	{0x0C4A, 0x0C4D, prCM, gcMn},     //     [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA
+	{0x0C55, 0x0C56, prCM, gcMn},     //     [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK
+	{0x0C58, 0x0C5A, prAL, gcLo},     //     [3] TELUGU LETTER TSA..TELUGU LETTER RRRA
+	{0x0C5D, 0x0C5D, prAL, gcLo},     //         TELUGU LETTER NAKAARA POLLU
+	{0x0C60, 0x0C61, prAL, gcLo},     //     [2] TELUGU LETTER VOCALIC RR..TELUGU LETTER VOCALIC LL
+	{0x0C62, 0x0C63, prCM, gcMn},     //     [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL
+	{0x0C66, 0x0C6F, prNU, gcNd},     //    [10] TELUGU DIGIT ZERO..TELUGU DIGIT NINE
+	{0x0C77, 0x0C77, prBB, gcPo},     //         TELUGU SIGN SIDDHAM
+	{0x0C78, 0x0C7E, prAL, gcNo},     //     [7] TELUGU FRACTION DIGIT ZERO FOR ODD POWERS OF FOUR..TELUGU FRACTION DIGIT THREE FOR EVEN POWERS OF FOUR
+	{0x0C7F, 0x0C7F, prAL, gcSo},     //         TELUGU SIGN TUUMU
+	{0x0C80, 0x0C80, prAL, gcLo},     //         KANNADA SIGN SPACING CANDRABINDU
+	{0x0C81, 0x0C81, prCM, gcMn},     //         KANNADA SIGN CANDRABINDU
+	{0x0C82, 0x0C83, prCM, gcMc},     //     [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA
+	{0x0C84, 0x0C84, prBB, gcPo},     //         KANNADA SIGN SIDDHAM
+	{0x0C85, 0x0C8C, prAL, gcLo},     //     [8] KANNADA LETTER A..KANNADA LETTER VOCALIC L
+	{0x0C8E, 0x0C90, prAL, gcLo},     //     [3] KANNADA LETTER E..KANNADA LETTER AI
+	{0x0C92, 0x0CA8, prAL, gcLo},     //    [23] KANNADA LETTER O..KANNADA LETTER NA
+	{0x0CAA, 0x0CB3, prAL, gcLo},     //    [10] KANNADA LETTER PA..KANNADA LETTER LLA
+	{0x0CB5, 0x0CB9, prAL, gcLo},     //     [5] KANNADA LETTER VA..KANNADA LETTER HA
+	{0x0CBC, 0x0CBC, prCM, gcMn},     //         KANNADA SIGN NUKTA
+	{0x0CBD, 0x0CBD, prAL, gcLo},     //         KANNADA SIGN AVAGRAHA
+	{0x0CBE, 0x0CBE, prCM, gcMc},     //         KANNADA VOWEL SIGN AA
+	{0x0CBF, 0x0CBF, prCM, gcMn},     //         KANNADA VOWEL SIGN I
+	{0x0CC0, 0x0CC4, prCM, gcMc},     //     [5] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN VOCALIC RR
+	{0x0CC6, 0x0CC6, prCM, gcMn},     //         KANNADA VOWEL SIGN E
+	{0x0CC7, 0x0CC8, prCM, gcMc},     //     [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI
+	{0x0CCA, 0x0CCB, prCM, gcMc},     //     [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO
+	{0x0CCC, 0x0CCD, prCM, gcMn},     //     [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA
+	{0x0CD5, 0x0CD6, prCM, gcMc},     //     [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK
+	{0x0CDD, 0x0CDE, prAL, gcLo},     //     [2] KANNADA LETTER NAKAARA POLLU..KANNADA LETTER FA
+	{0x0CE0, 0x0CE1, prAL, gcLo},     //     [2] KANNADA LETTER VOCALIC RR..KANNADA LETTER VOCALIC LL
+	{0x0CE2, 0x0CE3, prCM, gcMn},     //     [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL
+	{0x0CE6, 0x0CEF, prNU, gcNd},     //    [10] KANNADA DIGIT ZERO..KANNADA DIGIT NINE
+	{0x0CF1, 0x0CF2, prAL, gcLo},     //     [2] KANNADA SIGN JIHVAMULIYA..KANNADA SIGN UPADHMANIYA
+	{0x0CF3, 0x0CF3, prCM, gcMc},     //         KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT
+	{0x0D00, 0x0D01, prCM, gcMn},     //     [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU
+	{0x0D02, 0x0D03, prCM, gcMc},     //     [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA
+	{0x0D04, 0x0D0C, prAL, gcLo},     //     [9] MALAYALAM LETTER VEDIC ANUSVARA..MALAYALAM LETTER VOCALIC L
+	{0x0D0E, 0x0D10, prAL, gcLo},     //     [3] MALAYALAM LETTER E..MALAYALAM LETTER AI
+	{0x0D12, 0x0D3A, prAL, gcLo},     //    [41] MALAYALAM LETTER O..MALAYALAM LETTER TTTA
+	{0x0D3B, 0x0D3C, prCM, gcMn},     //     [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA
+	{0x0D3D, 0x0D3D, prAL, gcLo},     //         MALAYALAM SIGN AVAGRAHA
+	{0x0D3E, 0x0D40, prCM, gcMc},     //     [3] MALAYALAM VOWEL SIGN AA..MALAYALAM VOWEL SIGN II
+	{0x0D41, 0x0D44, prCM, gcMn},     //     [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR
+	{0x0D46, 0x0D48, prCM, gcMc},     //     [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI
+	{0x0D4A, 0x0D4C, prCM, gcMc},     //     [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU
+	{0x0D4D, 0x0D4D, prCM, gcMn},     //         MALAYALAM SIGN VIRAMA
+	{0x0D4E, 0x0D4E, prAL, gcLo},     //         MALAYALAM LETTER DOT REPH
+	{0x0D4F, 0x0D4F, prAL, gcSo},     //         MALAYALAM SIGN PARA
+	{0x0D54, 0x0D56, prAL, gcLo},     //     [3] MALAYALAM LETTER CHILLU M..MALAYALAM LETTER CHILLU LLL
+	{0x0D57, 0x0D57, prCM, gcMc},     //         MALAYALAM AU LENGTH MARK
+	{0x0D58, 0x0D5E, prAL, gcNo},     //     [7] MALAYALAM FRACTION ONE ONE-HUNDRED-AND-SIXTIETH..MALAYALAM FRACTION ONE FIFTH
+	{0x0D5F, 0x0D61, prAL, gcLo},     //     [3] MALAYALAM LETTER ARCHAIC II..MALAYALAM LETTER VOCALIC LL
+	{0x0D62, 0x0D63, prCM, gcMn},     //     [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL
+	{0x0D66, 0x0D6F, prNU, gcNd},     //    [10] MALAYALAM DIGIT ZERO..MALAYALAM DIGIT NINE
+	{0x0D70, 0x0D78, prAL, gcNo},     //     [9] MALAYALAM NUMBER TEN..MALAYALAM FRACTION THREE SIXTEENTHS
+	{0x0D79, 0x0D79, prPO, gcSo},     //         MALAYALAM DATE MARK
+	{0x0D7A, 0x0D7F, prAL, gcLo},     //     [6] MALAYALAM LETTER CHILLU NN..MALAYALAM LETTER CHILLU K
+	{0x0D81, 0x0D81, prCM, gcMn},     //         SINHALA SIGN CANDRABINDU
+	{0x0D82, 0x0D83, prCM, gcMc},     //     [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA
+	{0x0D85, 0x0D96, prAL, gcLo},     //    [18] SINHALA LETTER AYANNA..SINHALA LETTER AUYANNA
+	{0x0D9A, 0x0DB1, prAL, gcLo},     //    [24] SINHALA LETTER ALPAPRAANA KAYANNA..SINHALA LETTER DANTAJA NAYANNA
+	{0x0DB3, 0x0DBB, prAL, gcLo},     //     [9] SINHALA LETTER SANYAKA DAYANNA..SINHALA LETTER RAYANNA
+	{0x0DBD, 0x0DBD, prAL, gcLo},     //         SINHALA LETTER DANTAJA LAYANNA
+	{0x0DC0, 0x0DC6, prAL, gcLo},     //     [7] SINHALA LETTER VAYANNA..SINHALA LETTER FAYANNA
+	{0x0DCA, 0x0DCA, prCM, gcMn},     //         SINHALA SIGN AL-LAKUNA
+	{0x0DCF, 0x0DD1, prCM, gcMc},     //     [3] SINHALA VOWEL SIGN AELA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA
+	{0x0DD2, 0x0DD4, prCM, gcMn},     //     [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA
+	{0x0DD6, 0x0DD6, prCM, gcMn},     //         SINHALA VOWEL SIGN DIGA PAA-PILLA
+	{0x0DD8, 0x0DDF, prCM, gcMc},     //     [8] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN GAYANUKITTA
+	{0x0DE6, 0x0DEF, prNU, gcNd},     //    [10] SINHALA LITH DIGIT ZERO..SINHALA LITH DIGIT NINE
+	{0x0DF2, 0x0DF3, prCM, gcMc},     //     [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA
+	{0x0DF4, 0x0DF4, prAL, gcPo},     //         SINHALA PUNCTUATION KUNDDALIYA
+	{0x0E01, 0x0E30, prSA, gcLo},     //    [48] THAI CHARACTER KO KAI..THAI CHARACTER SARA A
+	{0x0E31, 0x0E31, prSA, gcMn},     //         THAI CHARACTER MAI HAN-AKAT
+	{0x0E32, 0x0E33, prSA, gcLo},     //     [2] THAI CHARACTER SARA AA..THAI CHARACTER SARA AM
+	{0x0E34, 0x0E3A, prSA, gcMn},     //     [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU
+	{0x0E3F, 0x0E3F, prPR, gcSc},     //         THAI CURRENCY SYMBOL BAHT
+	{0x0E40, 0x0E45, prSA, gcLo},     //     [6] THAI CHARACTER SARA E..THAI CHARACTER LAKKHANGYAO
+	{0x0E46, 0x0E46, prSA, gcLm},     //         THAI CHARACTER MAIYAMOK
+	{0x0E47, 0x0E4E, prSA, gcMn},     //     [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN
+	{0x0E4F, 0x0E4F, prAL, gcPo},     //         THAI CHARACTER FONGMAN
+	{0x0E50, 0x0E59, prNU, gcNd},     //    [10] THAI DIGIT ZERO..THAI DIGIT NINE
+	{0x0E5A, 0x0E5B, prBA, gcPo},     //     [2] THAI CHARACTER ANGKHANKHU..THAI CHARACTER KHOMUT
+	{0x0E81, 0x0E82, prSA, gcLo},     //     [2] LAO LETTER KO..LAO LETTER KHO SUNG
+	{0x0E84, 0x0E84, prSA, gcLo},     //         LAO LETTER KHO TAM
+	{0x0E86, 0x0E8A, prSA, gcLo},     //     [5] LAO LETTER PALI GHA..LAO LETTER SO TAM
+	{0x0E8C, 0x0EA3, prSA, gcLo},     //    [24] LAO LETTER PALI JHA..LAO LETTER LO LING
+	{0x0EA5, 0x0EA5, prSA, gcLo},     //         LAO LETTER LO LOOT
+	{0x0EA7, 0x0EB0, prSA, gcLo},     //    [10] LAO LETTER WO..LAO VOWEL SIGN A
+	{0x0EB1, 0x0EB1, prSA, gcMn},     //         LAO VOWEL SIGN MAI KAN
+	{0x0EB2, 0x0EB3, prSA, gcLo},     //     [2] LAO VOWEL SIGN AA..LAO VOWEL SIGN AM
+	{0x0EB4, 0x0EBC, prSA, gcMn},     //     [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO
+	{0x0EBD, 0x0EBD, prSA, gcLo},     //         LAO SEMIVOWEL SIGN NYO
+	{0x0EC0, 0x0EC4, prSA, gcLo},     //     [5] LAO VOWEL SIGN E..LAO VOWEL SIGN AI
+	{0x0EC6, 0x0EC6, prSA, gcLm},     //         LAO KO LA
+	{0x0EC8, 0x0ECE, prSA, gcMn},     //     [7] LAO TONE MAI EK..LAO YAMAKKAN
+	{0x0ED0, 0x0ED9, prNU, gcNd},     //    [10] LAO DIGIT ZERO..LAO DIGIT NINE
+	{0x0EDC, 0x0EDF, prSA, gcLo},     //     [4] LAO HO NO..LAO LETTER KHMU NYO
+	{0x0F00, 0x0F00, prAL, gcLo},     //         TIBETAN SYLLABLE OM
+	{0x0F01, 0x0F03, prBB, gcSo},     //     [3] TIBETAN MARK GTER YIG MGO TRUNCATED A..TIBETAN MARK GTER YIG MGO -UM GTER TSHEG MA
+	{0x0F04, 0x0F04, prBB, gcPo},     //         TIBETAN MARK INITIAL YIG MGO MDUN MA
+	{0x0F05, 0x0F05, prAL, gcPo},     //         TIBETAN MARK CLOSING YIG MGO SGAB MA
+	{0x0F06, 0x0F07, prBB, gcPo},     //     [2] TIBETAN MARK CARET YIG MGO PHUR SHAD MA..TIBETAN MARK YIG MGO TSHEG SHAD MA
+	{0x0F08, 0x0F08, prGL, gcPo},     //         TIBETAN MARK SBRUL SHAD
+	{0x0F09, 0x0F0A, prBB, gcPo},     //     [2] TIBETAN MARK BSKUR YIG MGO..TIBETAN MARK BKA- SHOG YIG MGO
+	{0x0F0B, 0x0F0B, prBA, gcPo},     //         TIBETAN MARK INTERSYLLABIC TSHEG
+	{0x0F0C, 0x0F0C, prGL, gcPo},     //         TIBETAN MARK DELIMITER TSHEG BSTAR
+	{0x0F0D, 0x0F11, prEX, gcPo},     //     [5] TIBETAN MARK SHAD..TIBETAN MARK RIN CHEN SPUNGS SHAD
+	{0x0F12, 0x0F12, prGL, gcPo},     //         TIBETAN MARK RGYA GRAM SHAD
+	{0x0F13, 0x0F13, prAL, gcSo},     //         TIBETAN MARK CARET -DZUD RTAGS ME LONG CAN
+	{0x0F14, 0x0F14, prEX, gcPo},     //         TIBETAN MARK GTER TSHEG
+	{0x0F15, 0x0F17, prAL, gcSo},     //     [3] TIBETAN LOGOTYPE SIGN CHAD RTAGS..TIBETAN ASTROLOGICAL SIGN SGRA GCAN -CHAR RTAGS
+	{0x0F18, 0x0F19, prCM, gcMn},     //     [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS
+	{0x0F1A, 0x0F1F, prAL, gcSo},     //     [6] TIBETAN SIGN RDEL DKAR GCIG..TIBETAN SIGN RDEL DKAR RDEL NAG
+	{0x0F20, 0x0F29, prNU, gcNd},     //    [10] TIBETAN DIGIT ZERO..TIBETAN DIGIT NINE
+	{0x0F2A, 0x0F33, prAL, gcNo},     //    [10] TIBETAN DIGIT HALF ONE..TIBETAN DIGIT HALF ZERO
+	{0x0F34, 0x0F34, prBA, gcSo},     //         TIBETAN MARK BSDUS RTAGS
+	{0x0F35, 0x0F35, prCM, gcMn},     //         TIBETAN MARK NGAS BZUNG NYI ZLA
+	{0x0F36, 0x0F36, prAL, gcSo},     //         TIBETAN MARK CARET -DZUD RTAGS BZHI MIG CAN
+	{0x0F37, 0x0F37, prCM, gcMn},     //         TIBETAN MARK NGAS BZUNG SGOR RTAGS
+	{0x0F38, 0x0F38, prAL, gcSo},     //         TIBETAN MARK CHE MGO
+	{0x0F39, 0x0F39, prCM, gcMn},     //         TIBETAN MARK TSA -PHRU
+	{0x0F3A, 0x0F3A, prOP, gcPs},     //         TIBETAN MARK GUG RTAGS GYON
+	{0x0F3B, 0x0F3B, prCL, gcPe},     //         TIBETAN MARK GUG RTAGS GYAS
+	{0x0F3C, 0x0F3C, prOP, gcPs},     //         TIBETAN MARK ANG KHANG GYON
+	{0x0F3D, 0x0F3D, prCL, gcPe},     //         TIBETAN MARK ANG KHANG GYAS
+	{0x0F3E, 0x0F3F, prCM, gcMc},     //     [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES
+	{0x0F40, 0x0F47, prAL, gcLo},     //     [8] TIBETAN LETTER KA..TIBETAN LETTER JA
+	{0x0F49, 0x0F6C, prAL, gcLo},     //    [36] TIBETAN LETTER NYA..TIBETAN LETTER RRA
+	{0x0F71, 0x0F7E, prCM, gcMn},     //    [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO
+	{0x0F7F, 0x0F7F, prBA, gcMc},     //         TIBETAN SIGN RNAM BCAD
+	{0x0F80, 0x0F84, prCM, gcMn},     //     [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA
+	{0x0F85, 0x0F85, prBA, gcPo},     //         TIBETAN MARK PALUTA
+	{0x0F86, 0x0F87, prCM, gcMn},     //     [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS
+	{0x0F88, 0x0F8C, prAL, gcLo},     //     [5] TIBETAN SIGN LCE TSA CAN..TIBETAN SIGN INVERTED MCHU CAN
+	{0x0F8D, 0x0F97, prCM, gcMn},     //    [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA
+	{0x0F99, 0x0FBC, prCM, gcMn},     //    [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA
+	{0x0FBE, 0x0FBF, prBA, gcSo},     //     [2] TIBETAN KU RU KHA..TIBETAN KU RU KHA BZHI MIG CAN
+	{0x0FC0, 0x0FC5, prAL, gcSo},     //     [6] TIBETAN CANTILLATION SIGN HEAVY BEAT..TIBETAN SYMBOL RDO RJE
+	{0x0FC6, 0x0FC6, prCM, gcMn},     //         TIBETAN SYMBOL PADMA GDAN
+	{0x0FC7, 0x0FCC, prAL, gcSo},     //     [6] TIBETAN SYMBOL RDO RJE RGYA GRAM..TIBETAN SYMBOL NOR BU BZHI -KHYIL
+	{0x0FCE, 0x0FCF, prAL, gcSo},     //     [2] TIBETAN SIGN RDEL NAG RDEL DKAR..TIBETAN SIGN RDEL NAG GSUM
+	{0x0FD0, 0x0FD1, prBB, gcPo},     //     [2] TIBETAN MARK BSKA- SHOG GI MGO RGYAN..TIBETAN MARK MNYAM YIG GI MGO RGYAN
+	{0x0FD2, 0x0FD2, prBA, gcPo},     //         TIBETAN MARK NYIS TSHEG
+	{0x0FD3, 0x0FD3, prBB, gcPo},     //         TIBETAN MARK INITIAL BRDA RNYING YIG MGO MDUN MA
+	{0x0FD4, 0x0FD4, prAL, gcPo},     //         TIBETAN MARK CLOSING BRDA RNYING YIG MGO SGAB MA
+	{0x0FD5, 0x0FD8, prAL, gcSo},     //     [4] RIGHT-FACING SVASTI SIGN..LEFT-FACING SVASTI SIGN WITH DOTS
+	{0x0FD9, 0x0FDA, prGL, gcPo},     //     [2] TIBETAN MARK LEADING MCHAN RTAGS..TIBETAN MARK TRAILING MCHAN RTAGS
+	{0x1000, 0x102A, prSA, gcLo},     //    [43] MYANMAR LETTER KA..MYANMAR LETTER AU
+	{0x102B, 0x102C, prSA, gcMc},     //     [2] MYANMAR VOWEL SIGN TALL AA..MYANMAR VOWEL SIGN AA
+	{0x102D, 0x1030, prSA, gcMn},     //     [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU
+	{0x1031, 0x1031, prSA, gcMc},     //         MYANMAR VOWEL SIGN E
+	{0x1032, 0x1037, prSA, gcMn},     //     [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW
+	{0x1038, 0x1038, prSA, gcMc},     //         MYANMAR SIGN VISARGA
+	{0x1039, 0x103A, prSA, gcMn},     //     [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT
+	{0x103B, 0x103C, prSA, gcMc},     //     [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA
+	{0x103D, 0x103E, prSA, gcMn},     //     [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA
+	{0x103F, 0x103F, prSA, gcLo},     //         MYANMAR LETTER GREAT SA
+	{0x1040, 0x1049, prNU, gcNd},     //    [10] MYANMAR DIGIT ZERO..MYANMAR DIGIT NINE
+	{0x104A, 0x104B, prBA, gcPo},     //     [2] MYANMAR SIGN LITTLE SECTION..MYANMAR SIGN SECTION
+	{0x104C, 0x104F, prAL, gcPo},     //     [4] MYANMAR SYMBOL LOCATIVE..MYANMAR SYMBOL GENITIVE
+	{0x1050, 0x1055, prSA, gcLo},     //     [6] MYANMAR LETTER SHA..MYANMAR LETTER VOCALIC LL
+	{0x1056, 0x1057, prSA, gcMc},     //     [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR
+	{0x1058, 0x1059, prSA, gcMn},     //     [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL
+	{0x105A, 0x105D, prSA, gcLo},     //     [4] MYANMAR LETTER MON NGA..MYANMAR LETTER MON BBE
+	{0x105E, 0x1060, prSA, gcMn},     //     [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA
+	{0x1061, 0x1061, prSA, gcLo},     //         MYANMAR LETTER SGAW KAREN SHA
+	{0x1062, 0x1064, prSA, gcMc},     //     [3] MYANMAR VOWEL SIGN SGAW KAREN EU..MYANMAR TONE MARK SGAW KAREN KE PHO
+	{0x1065, 0x1066, prSA, gcLo},     //     [2] MYANMAR LETTER WESTERN PWO KAREN THA..MYANMAR LETTER WESTERN PWO KAREN PWA
+	{0x1067, 0x106D, prSA, gcMc},     //     [7] MYANMAR VOWEL SIGN WESTERN PWO KAREN EU..MYANMAR SIGN WESTERN PWO KAREN TONE-5
+	{0x106E, 0x1070, prSA, gcLo},     //     [3] MYANMAR LETTER EASTERN PWO KAREN NNA..MYANMAR LETTER EASTERN PWO KAREN GHWA
+	{0x1071, 0x1074, prSA, gcMn},     //     [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE
+	{0x1075, 0x1081, prSA, gcLo},     //    [13] MYANMAR LETTER SHAN KA..MYANMAR LETTER SHAN HA
+	{0x1082, 0x1082, prSA, gcMn},     //         MYANMAR CONSONANT SIGN SHAN MEDIAL WA
+	{0x1083, 0x1084, prSA, gcMc},     //     [2] MYANMAR VOWEL SIGN SHAN AA..MYANMAR VOWEL SIGN SHAN E
+	{0x1085, 0x1086, prSA, gcMn},     //     [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y
+	{0x1087, 0x108C, prSA, gcMc},     //     [6] MYANMAR SIGN SHAN TONE-2..MYANMAR SIGN SHAN COUNCIL TONE-3
+	{0x108D, 0x108D, prSA, gcMn},     //         MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE
+	{0x108E, 0x108E, prSA, gcLo},     //         MYANMAR LETTER RUMAI PALAUNG FA
+	{0x108F, 0x108F, prSA, gcMc},     //         MYANMAR SIGN RUMAI PALAUNG TONE-5
+	{0x1090, 0x1099, prNU, gcNd},     //    [10] MYANMAR SHAN DIGIT ZERO..MYANMAR SHAN DIGIT NINE
+	{0x109A, 0x109C, prSA, gcMc},     //     [3] MYANMAR SIGN KHAMTI TONE-1..MYANMAR VOWEL SIGN AITON A
+	{0x109D, 0x109D, prSA, gcMn},     //         MYANMAR VOWEL SIGN AITON AI
+	{0x109E, 0x109F, prSA, gcSo},     //     [2] MYANMAR SYMBOL SHAN ONE..MYANMAR SYMBOL SHAN EXCLAMATION
+	{0x10A0, 0x10C5, prAL, gcLu},     //    [38] GEORGIAN CAPITAL LETTER AN..GEORGIAN CAPITAL LETTER HOE
+	{0x10C7, 0x10C7, prAL, gcLu},     //         GEORGIAN CAPITAL LETTER YN
+	{0x10CD, 0x10CD, prAL, gcLu},     //         GEORGIAN CAPITAL LETTER AEN
+	{0x10D0, 0x10FA, prAL, gcLl},     //    [43] GEORGIAN LETTER AN..GEORGIAN LETTER AIN
+	{0x10FB, 0x10FB, prAL, gcPo},     //         GEORGIAN PARAGRAPH SEPARATOR
+	{0x10FC, 0x10FC, prAL, gcLm},     //         MODIFIER LETTER GEORGIAN NAR
+	{0x10FD, 0x10FF, prAL, gcLl},     //     [3] GEORGIAN LETTER AEN..GEORGIAN LETTER LABIAL SIGN
+	{0x1100, 0x115F, prJL, gcLo},     //    [96] HANGUL CHOSEONG KIYEOK..HANGUL CHOSEONG FILLER
+	{0x1160, 0x11A7, prJV, gcLo},     //    [72] HANGUL JUNGSEONG FILLER..HANGUL JUNGSEONG O-YAE
+	{0x11A8, 0x11FF, prJT, gcLo},     //    [88] HANGUL JONGSEONG KIYEOK..HANGUL JONGSEONG SSANGNIEUN
+	{0x1200, 0x1248, prAL, gcLo},     //    [73] ETHIOPIC SYLLABLE HA..ETHIOPIC SYLLABLE QWA
+	{0x124A, 0x124D, prAL, gcLo},     //     [4] ETHIOPIC SYLLABLE QWI..ETHIOPIC SYLLABLE QWE
+	{0x1250, 0x1256, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE QHA..ETHIOPIC SYLLABLE QHO
+	{0x1258, 0x1258, prAL, gcLo},     //         ETHIOPIC SYLLABLE QHWA
+	{0x125A, 0x125D, prAL, gcLo},     //     [4] ETHIOPIC SYLLABLE QHWI..ETHIOPIC SYLLABLE QHWE
+	{0x1260, 0x1288, prAL, gcLo},     //    [41] ETHIOPIC SYLLABLE BA..ETHIOPIC SYLLABLE XWA
+	{0x128A, 0x128D, prAL, gcLo},     //     [4] ETHIOPIC SYLLABLE XWI..ETHIOPIC SYLLABLE XWE
+	{0x1290, 0x12B0, prAL, gcLo},     //    [33] ETHIOPIC SYLLABLE NA..ETHIOPIC SYLLABLE KWA
+	{0x12B2, 0x12B5, prAL, gcLo},     //     [4] ETHIOPIC SYLLABLE KWI..ETHIOPIC SYLLABLE KWE
+	{0x12B8, 0x12BE, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE KXA..ETHIOPIC SYLLABLE KXO
+	{0x12C0, 0x12C0, prAL, gcLo},     //         ETHIOPIC SYLLABLE KXWA
+	{0x12C2, 0x12C5, prAL, gcLo},     //     [4] ETHIOPIC SYLLABLE KXWI..ETHIOPIC SYLLABLE KXWE
+	{0x12C8, 0x12D6, prAL, gcLo},     //    [15] ETHIOPIC SYLLABLE WA..ETHIOPIC SYLLABLE PHARYNGEAL O
+	{0x12D8, 0x1310, prAL, gcLo},     //    [57] ETHIOPIC SYLLABLE ZA..ETHIOPIC SYLLABLE GWA
+	{0x1312, 0x1315, prAL, gcLo},     //     [4] ETHIOPIC SYLLABLE GWI..ETHIOPIC SYLLABLE GWE
+	{0x1318, 0x135A, prAL, gcLo},     //    [67] ETHIOPIC SYLLABLE GGA..ETHIOPIC SYLLABLE FYA
+	{0x135D, 0x135F, prCM, gcMn},     //     [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK
+	{0x1360, 0x1360, prAL, gcPo},     //         ETHIOPIC SECTION MARK
+	{0x1361, 0x1361, prBA, gcPo},     //         ETHIOPIC WORDSPACE
+	{0x1362, 0x1368, prAL, gcPo},     //     [7] ETHIOPIC FULL STOP..ETHIOPIC PARAGRAPH SEPARATOR
+	{0x1369, 0x137C, prAL, gcNo},     //    [20] ETHIOPIC DIGIT ONE..ETHIOPIC NUMBER TEN THOUSAND
+	{0x1380, 0x138F, prAL, gcLo},     //    [16] ETHIOPIC SYLLABLE SEBATBEIT MWA..ETHIOPIC SYLLABLE PWE
+	{0x1390, 0x1399, prAL, gcSo},     //    [10] ETHIOPIC TONAL MARK YIZET..ETHIOPIC TONAL MARK KURT
+	{0x13A0, 0x13F5, prAL, gcLu},     //    [86] CHEROKEE LETTER A..CHEROKEE LETTER MV
+	{0x13F8, 0x13FD, prAL, gcLl},     //     [6] CHEROKEE SMALL LETTER YE..CHEROKEE SMALL LETTER MV
+	{0x1400, 0x1400, prBA, gcPd},     //         CANADIAN SYLLABICS HYPHEN
+	{0x1401, 0x166C, prAL, gcLo},     //   [620] CANADIAN SYLLABICS E..CANADIAN SYLLABICS CARRIER TTSA
+	{0x166D, 0x166D, prAL, gcSo},     //         CANADIAN SYLLABICS CHI SIGN
+	{0x166E, 0x166E, prAL, gcPo},     //         CANADIAN SYLLABICS FULL STOP
+	{0x166F, 0x167F, prAL, gcLo},     //    [17] CANADIAN SYLLABICS QAI..CANADIAN SYLLABICS BLACKFOOT W
+	{0x1680, 0x1680, prBA, gcZs},     //         OGHAM SPACE MARK
+	{0x1681, 0x169A, prAL, gcLo},     //    [26] OGHAM LETTER BEITH..OGHAM LETTER PEITH
+	{0x169B, 0x169B, prOP, gcPs},     //         OGHAM FEATHER MARK
+	{0x169C, 0x169C, prCL, gcPe},     //         OGHAM REVERSED FEATHER MARK
+	{0x16A0, 0x16EA, prAL, gcLo},     //    [75] RUNIC LETTER FEHU FEOH FE F..RUNIC LETTER X
+	{0x16EB, 0x16ED, prBA, gcPo},     //     [3] RUNIC SINGLE PUNCTUATION..RUNIC CROSS PUNCTUATION
+	{0x16EE, 0x16F0, prAL, gcNl},     //     [3] RUNIC ARLAUG SYMBOL..RUNIC BELGTHOR SYMBOL
+	{0x16F1, 0x16F8, prAL, gcLo},     //     [8] RUNIC LETTER K..RUNIC LETTER FRANKS CASKET AESC
+	{0x1700, 0x1711, prAL, gcLo},     //    [18] TAGALOG LETTER A..TAGALOG LETTER HA
+	{0x1712, 0x1714, prCM, gcMn},     //     [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA
+	{0x1715, 0x1715, prCM, gcMc},     //         TAGALOG SIGN PAMUDPOD
+	{0x171F, 0x171F, prAL, gcLo},     //         TAGALOG LETTER ARCHAIC RA
+	{0x1720, 0x1731, prAL, gcLo},     //    [18] HANUNOO LETTER A..HANUNOO LETTER HA
+	{0x1732, 0x1733, prCM, gcMn},     //     [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U
+	{0x1734, 0x1734, prCM, gcMc},     //         HANUNOO SIGN PAMUDPOD
+	{0x1735, 0x1736, prBA, gcPo},     //     [2] PHILIPPINE SINGLE PUNCTUATION..PHILIPPINE DOUBLE PUNCTUATION
+	{0x1740, 0x1751, prAL, gcLo},     //    [18] BUHID LETTER A..BUHID LETTER HA
+	{0x1752, 0x1753, prCM, gcMn},     //     [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U
+	{0x1760, 0x176C, prAL, gcLo},     //    [13] TAGBANWA LETTER A..TAGBANWA LETTER YA
+	{0x176E, 0x1770, prAL, gcLo},     //     [3] TAGBANWA LETTER LA..TAGBANWA LETTER SA
+	{0x1772, 0x1773, prCM, gcMn},     //     [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U
+	{0x1780, 0x17B3, prSA, gcLo},     //    [52] KHMER LETTER KA..KHMER INDEPENDENT VOWEL QAU
+	{0x17B4, 0x17B5, prSA, gcMn},     //     [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA
+	{0x17B6, 0x17B6, prSA, gcMc},     //         KHMER VOWEL SIGN AA
+	{0x17B7, 0x17BD, prSA, gcMn},     //     [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA
+	{0x17BE, 0x17C5, prSA, gcMc},     //     [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU
+	{0x17C6, 0x17C6, prSA, gcMn},     //         KHMER SIGN NIKAHIT
+	{0x17C7, 0x17C8, prSA, gcMc},     //     [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU
+	{0x17C9, 0x17D3, prSA, gcMn},     //    [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT
+	{0x17D4, 0x17D5, prBA, gcPo},     //     [2] KHMER SIGN KHAN..KHMER SIGN BARIYOOSAN
+	{0x17D6, 0x17D6, prNS, gcPo},     //         KHMER SIGN CAMNUC PII KUUH
+	{0x17D7, 0x17D7, prSA, gcLm},     //         KHMER SIGN LEK TOO
+	{0x17D8, 0x17D8, prBA, gcPo},     //         KHMER SIGN BEYYAL
+	{0x17D9, 0x17D9, prAL, gcPo},     //         KHMER SIGN PHNAEK MUAN
+	{0x17DA, 0x17DA, prBA, gcPo},     //         KHMER SIGN KOOMUUT
+	{0x17DB, 0x17DB, prPR, gcSc},     //         KHMER CURRENCY SYMBOL RIEL
+	{0x17DC, 0x17DC, prSA, gcLo},     //         KHMER SIGN AVAKRAHASANYA
+	{0x17DD, 0x17DD, prSA, gcMn},     //         KHMER SIGN ATTHACAN
+	{0x17E0, 0x17E9, prNU, gcNd},     //    [10] KHMER DIGIT ZERO..KHMER DIGIT NINE
+	{0x17F0, 0x17F9, prAL, gcNo},     //    [10] KHMER SYMBOL LEK ATTAK SON..KHMER SYMBOL LEK ATTAK PRAM-BUON
+	{0x1800, 0x1801, prAL, gcPo},     //     [2] MONGOLIAN BIRGA..MONGOLIAN ELLIPSIS
+	{0x1802, 0x1803, prEX, gcPo},     //     [2] MONGOLIAN COMMA..MONGOLIAN FULL STOP
+	{0x1804, 0x1805, prBA, gcPo},     //     [2] MONGOLIAN COLON..MONGOLIAN FOUR DOTS
+	{0x1806, 0x1806, prBB, gcPd},     //         MONGOLIAN TODO SOFT HYPHEN
+	{0x1807, 0x1807, prAL, gcPo},     //         MONGOLIAN SIBE SYLLABLE BOUNDARY MARKER
+	{0x1808, 0x1809, prEX, gcPo},     //     [2] MONGOLIAN MANCHU COMMA..MONGOLIAN MANCHU FULL STOP
+	{0x180A, 0x180A, prAL, gcPo},     //         MONGOLIAN NIRUGU
+	{0x180B, 0x180D, prCM, gcMn},     //     [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE
+	{0x180E, 0x180E, prGL, gcCf},     //         MONGOLIAN VOWEL SEPARATOR
+	{0x180F, 0x180F, prCM, gcMn},     //         MONGOLIAN FREE VARIATION SELECTOR FOUR
+	{0x1810, 0x1819, prNU, gcNd},     //    [10] MONGOLIAN DIGIT ZERO..MONGOLIAN DIGIT NINE
+	{0x1820, 0x1842, prAL, gcLo},     //    [35] MONGOLIAN LETTER A..MONGOLIAN LETTER CHI
+	{0x1843, 0x1843, prAL, gcLm},     //         MONGOLIAN LETTER TODO LONG VOWEL SIGN
+	{0x1844, 0x1878, prAL, gcLo},     //    [53] MONGOLIAN LETTER TODO E..MONGOLIAN LETTER CHA WITH TWO DOTS
+	{0x1880, 0x1884, prAL, gcLo},     //     [5] MONGOLIAN LETTER ALI GALI ANUSVARA ONE..MONGOLIAN LETTER ALI GALI INVERTED UBADAMA
+	{0x1885, 0x1886, prCM, gcMn},     //     [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA
+	{0x1887, 0x18A8, prAL, gcLo},     //    [34] MONGOLIAN LETTER ALI GALI A..MONGOLIAN LETTER MANCHU ALI GALI BHA
+	{0x18A9, 0x18A9, prCM, gcMn},     //         MONGOLIAN LETTER ALI GALI DAGALGA
+	{0x18AA, 0x18AA, prAL, gcLo},     //         MONGOLIAN LETTER MANCHU ALI GALI LHA
+	{0x18B0, 0x18F5, prAL, gcLo},     //    [70] CANADIAN SYLLABICS OY..CANADIAN SYLLABICS CARRIER DENTAL S
+	{0x1900, 0x191E, prAL, gcLo},     //    [31] LIMBU VOWEL-CARRIER LETTER..LIMBU LETTER TRA
+	{0x1920, 0x1922, prCM, gcMn},     //     [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U
+	{0x1923, 0x1926, prCM, gcMc},     //     [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU
+	{0x1927, 0x1928, prCM, gcMn},     //     [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O
+	{0x1929, 0x192B, prCM, gcMc},     //     [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA
+	{0x1930, 0x1931, prCM, gcMc},     //     [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA
+	{0x1932, 0x1932, prCM, gcMn},     //         LIMBU SMALL LETTER ANUSVARA
+	{0x1933, 0x1938, prCM, gcMc},     //     [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA
+	{0x1939, 0x193B, prCM, gcMn},     //     [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I
+	{0x1940, 0x1940, prAL, gcSo},     //         LIMBU SIGN LOO
+	{0x1944, 0x1945, prEX, gcPo},     //     [2] LIMBU EXCLAMATION MARK..LIMBU QUESTION MARK
+	{0x1946, 0x194F, prNU, gcNd},     //    [10] LIMBU DIGIT ZERO..LIMBU DIGIT NINE
+	{0x1950, 0x196D, prSA, gcLo},     //    [30] TAI LE LETTER KA..TAI LE LETTER AI
+	{0x1970, 0x1974, prSA, gcLo},     //     [5] TAI LE LETTER TONE-2..TAI LE LETTER TONE-6
+	{0x1980, 0x19AB, prSA, gcLo},     //    [44] NEW TAI LUE LETTER HIGH QA..NEW TAI LUE LETTER LOW SUA
+	{0x19B0, 0x19C9, prSA, gcLo},     //    [26] NEW TAI LUE VOWEL SIGN VOWEL SHORTENER..NEW TAI LUE TONE MARK-2
+	{0x19D0, 0x19D9, prNU, gcNd},     //    [10] NEW TAI LUE DIGIT ZERO..NEW TAI LUE DIGIT NINE
+	{0x19DA, 0x19DA, prSA, gcNo},     //         NEW TAI LUE THAM DIGIT ONE
+	{0x19DE, 0x19DF, prSA, gcSo},     //     [2] NEW TAI LUE SIGN LAE..NEW TAI LUE SIGN LAEV
+	{0x19E0, 0x19FF, prAL, gcSo},     //    [32] KHMER SYMBOL PATHAMASAT..KHMER SYMBOL DAP-PRAM ROC
+	{0x1A00, 0x1A16, prAL, gcLo},     //    [23] BUGINESE LETTER KA..BUGINESE LETTER HA
+	{0x1A17, 0x1A18, prCM, gcMn},     //     [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U
+	{0x1A19, 0x1A1A, prCM, gcMc},     //     [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O
+	{0x1A1B, 0x1A1B, prCM, gcMn},     //         BUGINESE VOWEL SIGN AE
+	{0x1A1E, 0x1A1F, prAL, gcPo},     //     [2] BUGINESE PALLAWA..BUGINESE END OF SECTION
+	{0x1A20, 0x1A54, prSA, gcLo},     //    [53] TAI THAM LETTER HIGH KA..TAI THAM LETTER GREAT SA
+	{0x1A55, 0x1A55, prSA, gcMc},     //         TAI THAM CONSONANT SIGN MEDIAL RA
+	{0x1A56, 0x1A56, prSA, gcMn},     //         TAI THAM CONSONANT SIGN MEDIAL LA
+	{0x1A57, 0x1A57, prSA, gcMc},     //         TAI THAM CONSONANT SIGN LA TANG LAI
+	{0x1A58, 0x1A5E, prSA, gcMn},     //     [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA
+	{0x1A60, 0x1A60, prSA, gcMn},     //         TAI THAM SIGN SAKOT
+	{0x1A61, 0x1A61, prSA, gcMc},     //         TAI THAM VOWEL SIGN A
+	{0x1A62, 0x1A62, prSA, gcMn},     //         TAI THAM VOWEL SIGN MAI SAT
+	{0x1A63, 0x1A64, prSA, gcMc},     //     [2] TAI THAM VOWEL SIGN AA..TAI THAM VOWEL SIGN TALL AA
+	{0x1A65, 0x1A6C, prSA, gcMn},     //     [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW
+	{0x1A6D, 0x1A72, prSA, gcMc},     //     [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI
+	{0x1A73, 0x1A7C, prSA, gcMn},     //    [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN
+	{0x1A7F, 0x1A7F, prCM, gcMn},     //         TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	{0x1A80, 0x1A89, prNU, gcNd},     //    [10] TAI THAM HORA DIGIT ZERO..TAI THAM HORA DIGIT NINE
+	{0x1A90, 0x1A99, prNU, gcNd},     //    [10] TAI THAM THAM DIGIT ZERO..TAI THAM THAM DIGIT NINE
+	{0x1AA0, 0x1AA6, prSA, gcPo},     //     [7] TAI THAM SIGN WIANG..TAI THAM SIGN REVERSED ROTATED RANA
+	{0x1AA7, 0x1AA7, prSA, gcLm},     //         TAI THAM SIGN MAI YAMOK
+	{0x1AA8, 0x1AAD, prSA, gcPo},     //     [6] TAI THAM SIGN KAAN..TAI THAM SIGN CAANG
+	{0x1AB0, 0x1ABD, prCM, gcMn},     //    [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW
+	{0x1ABE, 0x1ABE, prCM, gcMe},     //         COMBINING PARENTHESES OVERLAY
+	{0x1ABF, 0x1ACE, prCM, gcMn},     //    [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T
+	{0x1B00, 0x1B03, prCM, gcMn},     //     [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG
+	{0x1B04, 0x1B04, prCM, gcMc},     //         BALINESE SIGN BISAH
+	{0x1B05, 0x1B33, prAL, gcLo},     //    [47] BALINESE LETTER AKARA..BALINESE LETTER HA
+	{0x1B34, 0x1B34, prCM, gcMn},     //         BALINESE SIGN REREKAN
+	{0x1B35, 0x1B35, prCM, gcMc},     //         BALINESE VOWEL SIGN TEDUNG
+	{0x1B36, 0x1B3A, prCM, gcMn},     //     [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA
+	{0x1B3B, 0x1B3B, prCM, gcMc},     //         BALINESE VOWEL SIGN RA REPA TEDUNG
+	{0x1B3C, 0x1B3C, prCM, gcMn},     //         BALINESE VOWEL SIGN LA LENGA
+	{0x1B3D, 0x1B41, prCM, gcMc},     //     [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG
+	{0x1B42, 0x1B42, prCM, gcMn},     //         BALINESE VOWEL SIGN PEPET
+	{0x1B43, 0x1B44, prCM, gcMc},     //     [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG
+	{0x1B45, 0x1B4C, prAL, gcLo},     //     [8] BALINESE LETTER KAF SASAK..BALINESE LETTER ARCHAIC JNYA
+	{0x1B50, 0x1B59, prNU, gcNd},     //    [10] BALINESE DIGIT ZERO..BALINESE DIGIT NINE
+	{0x1B5A, 0x1B5B, prBA, gcPo},     //     [2] BALINESE PANTI..BALINESE PAMADA
+	{0x1B5C, 0x1B5C, prAL, gcPo},     //         BALINESE WINDU
+	{0x1B5D, 0x1B60, prBA, gcPo},     //     [4] BALINESE CARIK PAMUNGKAH..BALINESE PAMENENG
+	{0x1B61, 0x1B6A, prAL, gcSo},     //    [10] BALINESE MUSICAL SYMBOL DONG..BALINESE MUSICAL SYMBOL DANG GEDE
+	{0x1B6B, 0x1B73, prCM, gcMn},     //     [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG
+	{0x1B74, 0x1B7C, prAL, gcSo},     //     [9] BALINESE MUSICAL SYMBOL RIGHT-HAND OPEN DUG..BALINESE MUSICAL SYMBOL LEFT-HAND OPEN PING
+	{0x1B7D, 0x1B7E, prBA, gcPo},     //     [2] BALINESE PANTI LANTANG..BALINESE PAMADA LANTANG
+	{0x1B80, 0x1B81, prCM, gcMn},     //     [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR
+	{0x1B82, 0x1B82, prCM, gcMc},     //         SUNDANESE SIGN PANGWISAD
+	{0x1B83, 0x1BA0, prAL, gcLo},     //    [30] SUNDANESE LETTER A..SUNDANESE LETTER HA
+	{0x1BA1, 0x1BA1, prCM, gcMc},     //         SUNDANESE CONSONANT SIGN PAMINGKAL
+	{0x1BA2, 0x1BA5, prCM, gcMn},     //     [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU
+	{0x1BA6, 0x1BA7, prCM, gcMc},     //     [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG
+	{0x1BA8, 0x1BA9, prCM, gcMn},     //     [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG
+	{0x1BAA, 0x1BAA, prCM, gcMc},     //         SUNDANESE SIGN PAMAAEH
+	{0x1BAB, 0x1BAD, prCM, gcMn},     //     [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA
+	{0x1BAE, 0x1BAF, prAL, gcLo},     //     [2] SUNDANESE LETTER KHA..SUNDANESE LETTER SYA
+	{0x1BB0, 0x1BB9, prNU, gcNd},     //    [10] SUNDANESE DIGIT ZERO..SUNDANESE DIGIT NINE
+	{0x1BBA, 0x1BBF, prAL, gcLo},     //     [6] SUNDANESE AVAGRAHA..SUNDANESE LETTER FINAL M
+	{0x1BC0, 0x1BE5, prAL, gcLo},     //    [38] BATAK LETTER A..BATAK LETTER U
+	{0x1BE6, 0x1BE6, prCM, gcMn},     //         BATAK SIGN TOMPI
+	{0x1BE7, 0x1BE7, prCM, gcMc},     //         BATAK VOWEL SIGN E
+	{0x1BE8, 0x1BE9, prCM, gcMn},     //     [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE
+	{0x1BEA, 0x1BEC, prCM, gcMc},     //     [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O
+	{0x1BED, 0x1BED, prCM, gcMn},     //         BATAK VOWEL SIGN KARO O
+	{0x1BEE, 0x1BEE, prCM, gcMc},     //         BATAK VOWEL SIGN U
+	{0x1BEF, 0x1BF1, prCM, gcMn},     //     [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H
+	{0x1BF2, 0x1BF3, prCM, gcMc},     //     [2] BATAK PANGOLAT..BATAK PANONGONAN
+	{0x1BFC, 0x1BFF, prAL, gcPo},     //     [4] BATAK SYMBOL BINDU NA METEK..BATAK SYMBOL BINDU PANGOLAT
+	{0x1C00, 0x1C23, prAL, gcLo},     //    [36] LEPCHA LETTER KA..LEPCHA LETTER A
+	{0x1C24, 0x1C2B, prCM, gcMc},     //     [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU
+	{0x1C2C, 0x1C33, prCM, gcMn},     //     [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T
+	{0x1C34, 0x1C35, prCM, gcMc},     //     [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG
+	{0x1C36, 0x1C37, prCM, gcMn},     //     [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA
+	{0x1C3B, 0x1C3F, prBA, gcPo},     //     [5] LEPCHA PUNCTUATION TA-ROL..LEPCHA PUNCTUATION TSHOOK
+	{0x1C40, 0x1C49, prNU, gcNd},     //    [10] LEPCHA DIGIT ZERO..LEPCHA DIGIT NINE
+	{0x1C4D, 0x1C4F, prAL, gcLo},     //     [3] LEPCHA LETTER TTA..LEPCHA LETTER DDA
+	{0x1C50, 0x1C59, prNU, gcNd},     //    [10] OL CHIKI DIGIT ZERO..OL CHIKI DIGIT NINE
+	{0x1C5A, 0x1C77, prAL, gcLo},     //    [30] OL CHIKI LETTER LA..OL CHIKI LETTER OH
+	{0x1C78, 0x1C7D, prAL, gcLm},     //     [6] OL CHIKI MU TTUDDAG..OL CHIKI AHAD
+	{0x1C7E, 0x1C7F, prBA, gcPo},     //     [2] OL CHIKI PUNCTUATION MUCAAD..OL CHIKI PUNCTUATION DOUBLE MUCAAD
+	{0x1C80, 0x1C88, prAL, gcLl},     //     [9] CYRILLIC SMALL LETTER ROUNDED VE..CYRILLIC SMALL LETTER UNBLENDED UK
+	{0x1C90, 0x1CBA, prAL, gcLu},     //    [43] GEORGIAN MTAVRULI CAPITAL LETTER AN..GEORGIAN MTAVRULI CAPITAL LETTER AIN
+	{0x1CBD, 0x1CBF, prAL, gcLu},     //     [3] GEORGIAN MTAVRULI CAPITAL LETTER AEN..GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN
+	{0x1CC0, 0x1CC7, prAL, gcPo},     //     [8] SUNDANESE PUNCTUATION BINDU SURYA..SUNDANESE PUNCTUATION BINDU BA SATANGA
+	{0x1CD0, 0x1CD2, prCM, gcMn},     //     [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA
+	{0x1CD3, 0x1CD3, prAL, gcPo},     //         VEDIC SIGN NIHSHVASA
+	{0x1CD4, 0x1CE0, prCM, gcMn},     //    [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA
+	{0x1CE1, 0x1CE1, prCM, gcMc},     //         VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA
+	{0x1CE2, 0x1CE8, prCM, gcMn},     //     [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL
+	{0x1CE9, 0x1CEC, prAL, gcLo},     //     [4] VEDIC SIGN ANUSVARA ANTARGOMUKHA..VEDIC SIGN ANUSVARA VAMAGOMUKHA WITH TAIL
+	{0x1CED, 0x1CED, prCM, gcMn},     //         VEDIC SIGN TIRYAK
+	{0x1CEE, 0x1CF3, prAL, gcLo},     //     [6] VEDIC SIGN HEXIFORM LONG ANUSVARA..VEDIC SIGN ROTATED ARDHAVISARGA
+	{0x1CF4, 0x1CF4, prCM, gcMn},     //         VEDIC TONE CANDRA ABOVE
+	{0x1CF5, 0x1CF6, prAL, gcLo},     //     [2] VEDIC SIGN JIHVAMULIYA..VEDIC SIGN UPADHMANIYA
+	{0x1CF7, 0x1CF7, prCM, gcMc},     //         VEDIC SIGN ATIKRAMA
+	{0x1CF8, 0x1CF9, prCM, gcMn},     //     [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE
+	{0x1CFA, 0x1CFA, prAL, gcLo},     //         VEDIC SIGN DOUBLE ANUSVARA ANTARGOMUKHA
+	{0x1D00, 0x1D2B, prAL, gcLl},     //    [44] LATIN LETTER SMALL CAPITAL A..CYRILLIC LETTER SMALL CAPITAL EL
+	{0x1D2C, 0x1D6A, prAL, gcLm},     //    [63] MODIFIER LETTER CAPITAL A..GREEK SUBSCRIPT SMALL LETTER CHI
+	{0x1D6B, 0x1D77, prAL, gcLl},     //    [13] LATIN SMALL LETTER UE..LATIN SMALL LETTER TURNED G
+	{0x1D78, 0x1D78, prAL, gcLm},     //         MODIFIER LETTER CYRILLIC EN
+	{0x1D79, 0x1D7F, prAL, gcLl},     //     [7] LATIN SMALL LETTER INSULAR G..LATIN SMALL LETTER UPSILON WITH STROKE
+	{0x1D80, 0x1D9A, prAL, gcLl},     //    [27] LATIN SMALL LETTER B WITH PALATAL HOOK..LATIN SMALL LETTER EZH WITH RETROFLEX HOOK
+	{0x1D9B, 0x1DBF, prAL, gcLm},     //    [37] MODIFIER LETTER SMALL TURNED ALPHA..MODIFIER LETTER SMALL THETA
+	{0x1DC0, 0x1DCC, prCM, gcMn},     //    [13] COMBINING DOTTED GRAVE ACCENT..COMBINING MACRON-BREVE
+	{0x1DCD, 0x1DCD, prGL, gcMn},     //         COMBINING DOUBLE CIRCUMFLEX ABOVE
+	{0x1DCE, 0x1DFB, prCM, gcMn},     //    [46] COMBINING OGONEK ABOVE..COMBINING DELETION MARK
+	{0x1DFC, 0x1DFC, prGL, gcMn},     //         COMBINING DOUBLE INVERTED BREVE BELOW
+	{0x1DFD, 0x1DFF, prCM, gcMn},     //     [3] COMBINING ALMOST EQUAL TO BELOW..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+	{0x1E00, 0x1EFF, prAL, gcLC},     //   [256] LATIN CAPITAL LETTER A WITH RING BELOW..LATIN SMALL LETTER Y WITH LOOP
+	{0x1F00, 0x1F15, prAL, gcLC},     //    [22] GREEK SMALL LETTER ALPHA WITH PSILI..GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA
+	{0x1F18, 0x1F1D, prAL, gcLu},     //     [6] GREEK CAPITAL LETTER EPSILON WITH PSILI..GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA
+	{0x1F20, 0x1F45, prAL, gcLC},     //    [38] GREEK SMALL LETTER ETA WITH PSILI..GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA
+	{0x1F48, 0x1F4D, prAL, gcLu},     //     [6] GREEK CAPITAL LETTER OMICRON WITH PSILI..GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA
+	{0x1F50, 0x1F57, prAL, gcLl},     //     [8] GREEK SMALL LETTER UPSILON WITH PSILI..GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	{0x1F59, 0x1F59, prAL, gcLu},     //         GREEK CAPITAL LETTER UPSILON WITH DASIA
+	{0x1F5B, 0x1F5B, prAL, gcLu},     //         GREEK CAPITAL LETTER UPSILON WITH DASIA AND VARIA
+	{0x1F5D, 0x1F5D, prAL, gcLu},     //         GREEK CAPITAL LETTER UPSILON WITH DASIA AND OXIA
+	{0x1F5F, 0x1F7D, prAL, gcLC},     //    [31] GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI..GREEK SMALL LETTER OMEGA WITH OXIA
+	{0x1F80, 0x1FB4, prAL, gcLC},     //    [53] GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FB6, 0x1FBC, prAL, gcLC},     //     [7] GREEK SMALL LETTER ALPHA WITH PERISPOMENI..GREEK CAPITAL LETTER ALPHA WITH PROSGEGRAMMENI
+	{0x1FBD, 0x1FBD, prAL, gcSk},     //         GREEK KORONIS
+	{0x1FBE, 0x1FBE, prAL, gcLl},     //         GREEK PROSGEGRAMMENI
+	{0x1FBF, 0x1FC1, prAL, gcSk},     //     [3] GREEK PSILI..GREEK DIALYTIKA AND PERISPOMENI
+	{0x1FC2, 0x1FC4, prAL, gcLl},     //     [3] GREEK SMALL LETTER ETA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FC6, 0x1FCC, prAL, gcLC},     //     [7] GREEK SMALL LETTER ETA WITH PERISPOMENI..GREEK CAPITAL LETTER ETA WITH PROSGEGRAMMENI
+	{0x1FCD, 0x1FCF, prAL, gcSk},     //     [3] GREEK PSILI AND VARIA..GREEK PSILI AND PERISPOMENI
+	{0x1FD0, 0x1FD3, prAL, gcLl},     //     [4] GREEK SMALL LETTER IOTA WITH VRACHY..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA
+	{0x1FD6, 0x1FDB, prAL, gcLC},     //     [6] GREEK SMALL LETTER IOTA WITH PERISPOMENI..GREEK CAPITAL LETTER IOTA WITH OXIA
+	{0x1FDD, 0x1FDF, prAL, gcSk},     //     [3] GREEK DASIA AND VARIA..GREEK DASIA AND PERISPOMENI
+	{0x1FE0, 0x1FEC, prAL, gcLC},     //    [13] GREEK SMALL LETTER UPSILON WITH VRACHY..GREEK CAPITAL LETTER RHO WITH DASIA
+	{0x1FED, 0x1FEF, prAL, gcSk},     //     [3] GREEK DIALYTIKA AND VARIA..GREEK VARIA
+	{0x1FF2, 0x1FF4, prAL, gcLl},     //     [3] GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FF6, 0x1FFC, prAL, gcLC},     //     [7] GREEK SMALL LETTER OMEGA WITH PERISPOMENI..GREEK CAPITAL LETTER OMEGA WITH PROSGEGRAMMENI
+	{0x1FFD, 0x1FFD, prBB, gcSk},     //         GREEK OXIA
+	{0x1FFE, 0x1FFE, prAL, gcSk},     //         GREEK DASIA
+	{0x2000, 0x2006, prBA, gcZs},     //     [7] EN QUAD..SIX-PER-EM SPACE
+	{0x2007, 0x2007, prGL, gcZs},     //         FIGURE SPACE
+	{0x2008, 0x200A, prBA, gcZs},     //     [3] PUNCTUATION SPACE..HAIR SPACE
+	{0x200B, 0x200B, prZW, gcCf},     //         ZERO WIDTH SPACE
+	{0x200C, 0x200C, prCM, gcCf},     //         ZERO WIDTH NON-JOINER
+	{0x200D, 0x200D, prZWJ, gcCf},    //         ZERO WIDTH JOINER
+	{0x200E, 0x200F, prCM, gcCf},     //     [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK
+	{0x2010, 0x2010, prBA, gcPd},     //         HYPHEN
+	{0x2011, 0x2011, prGL, gcPd},     //         NON-BREAKING HYPHEN
+	{0x2012, 0x2013, prBA, gcPd},     //     [2] FIGURE DASH..EN DASH
+	{0x2014, 0x2014, prB2, gcPd},     //         EM DASH
+	{0x2015, 0x2015, prAI, gcPd},     //         HORIZONTAL BAR
+	{0x2016, 0x2016, prAI, gcPo},     //         DOUBLE VERTICAL LINE
+	{0x2017, 0x2017, prAL, gcPo},     //         DOUBLE LOW LINE
+	{0x2018, 0x2018, prQU, gcPi},     //         LEFT SINGLE QUOTATION MARK
+	{0x2019, 0x2019, prQU, gcPf},     //         RIGHT SINGLE QUOTATION MARK
+	{0x201A, 0x201A, prOP, gcPs},     //         SINGLE LOW-9 QUOTATION MARK
+	{0x201B, 0x201C, prQU, gcPi},     //     [2] SINGLE HIGH-REVERSED-9 QUOTATION MARK..LEFT DOUBLE QUOTATION MARK
+	{0x201D, 0x201D, prQU, gcPf},     //         RIGHT DOUBLE QUOTATION MARK
+	{0x201E, 0x201E, prOP, gcPs},     //         DOUBLE LOW-9 QUOTATION MARK
+	{0x201F, 0x201F, prQU, gcPi},     //         DOUBLE HIGH-REVERSED-9 QUOTATION MARK
+	{0x2020, 0x2021, prAI, gcPo},     //     [2] DAGGER..DOUBLE DAGGER
+	{0x2022, 0x2023, prAL, gcPo},     //     [2] BULLET..TRIANGULAR BULLET
+	{0x2024, 0x2026, prIN, gcPo},     //     [3] ONE DOT LEADER..HORIZONTAL ELLIPSIS
+	{0x2027, 0x2027, prBA, gcPo},     //         HYPHENATION POINT
+	{0x2028, 0x2028, prBK, gcZl},     //         LINE SEPARATOR
+	{0x2029, 0x2029, prBK, gcZp},     //         PARAGRAPH SEPARATOR
+	{0x202A, 0x202E, prCM, gcCf},     //     [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE
+	{0x202F, 0x202F, prGL, gcZs},     //         NARROW NO-BREAK SPACE
+	{0x2030, 0x2037, prPO, gcPo},     //     [8] PER MILLE SIGN..REVERSED TRIPLE PRIME
+	{0x2038, 0x2038, prAL, gcPo},     //         CARET
+	{0x2039, 0x2039, prQU, gcPi},     //         SINGLE LEFT-POINTING ANGLE QUOTATION MARK
+	{0x203A, 0x203A, prQU, gcPf},     //         SINGLE RIGHT-POINTING ANGLE QUOTATION MARK
+	{0x203B, 0x203B, prAI, gcPo},     //         REFERENCE MARK
+	{0x203C, 0x203D, prNS, gcPo},     //     [2] DOUBLE EXCLAMATION MARK..INTERROBANG
+	{0x203E, 0x203E, prAL, gcPo},     //         OVERLINE
+	{0x203F, 0x2040, prAL, gcPc},     //     [2] UNDERTIE..CHARACTER TIE
+	{0x2041, 0x2043, prAL, gcPo},     //     [3] CARET INSERTION POINT..HYPHEN BULLET
+	{0x2044, 0x2044, prIS, gcSm},     //         FRACTION SLASH
+	{0x2045, 0x2045, prOP, gcPs},     //         LEFT SQUARE BRACKET WITH QUILL
+	{0x2046, 0x2046, prCL, gcPe},     //         RIGHT SQUARE BRACKET WITH QUILL
+	{0x2047, 0x2049, prNS, gcPo},     //     [3] DOUBLE QUESTION MARK..EXCLAMATION QUESTION MARK
+	{0x204A, 0x2051, prAL, gcPo},     //     [8] TIRONIAN SIGN ET..TWO ASTERISKS ALIGNED VERTICALLY
+	{0x2052, 0x2052, prAL, gcSm},     //         COMMERCIAL MINUS SIGN
+	{0x2053, 0x2053, prAL, gcPo},     //         SWUNG DASH
+	{0x2054, 0x2054, prAL, gcPc},     //         INVERTED UNDERTIE
+	{0x2055, 0x2055, prAL, gcPo},     //         FLOWER PUNCTUATION MARK
+	{0x2056, 0x2056, prBA, gcPo},     //         THREE DOT PUNCTUATION
+	{0x2057, 0x2057, prPO, gcPo},     //         QUADRUPLE PRIME
+	{0x2058, 0x205B, prBA, gcPo},     //     [4] FOUR DOT PUNCTUATION..FOUR DOT MARK
+	{0x205C, 0x205C, prAL, gcPo},     //         DOTTED CROSS
+	{0x205D, 0x205E, prBA, gcPo},     //     [2] TRICOLON..VERTICAL FOUR DOTS
+	{0x205F, 0x205F, prBA, gcZs},     //         MEDIUM MATHEMATICAL SPACE
+	{0x2060, 0x2060, prWJ, gcCf},     //         WORD JOINER
+	{0x2061, 0x2064, prAL, gcCf},     //     [4] FUNCTION APPLICATION..INVISIBLE PLUS
+	{0x2066, 0x206F, prCM, gcCf},     //    [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES
+	{0x2070, 0x2070, prAL, gcNo},     //         SUPERSCRIPT ZERO
+	{0x2071, 0x2071, prAL, gcLm},     //         SUPERSCRIPT LATIN SMALL LETTER I
+	{0x2074, 0x2074, prAI, gcNo},     //         SUPERSCRIPT FOUR
+	{0x2075, 0x2079, prAL, gcNo},     //     [5] SUPERSCRIPT FIVE..SUPERSCRIPT NINE
+	{0x207A, 0x207C, prAL, gcSm},     //     [3] SUPERSCRIPT PLUS SIGN..SUPERSCRIPT EQUALS SIGN
+	{0x207D, 0x207D, prOP, gcPs},     //         SUPERSCRIPT LEFT PARENTHESIS
+	{0x207E, 0x207E, prCL, gcPe},     //         SUPERSCRIPT RIGHT PARENTHESIS
+	{0x207F, 0x207F, prAI, gcLm},     //         SUPERSCRIPT LATIN SMALL LETTER N
+	{0x2080, 0x2080, prAL, gcNo},     //         SUBSCRIPT ZERO
+	{0x2081, 0x2084, prAI, gcNo},     //     [4] SUBSCRIPT ONE..SUBSCRIPT FOUR
+	{0x2085, 0x2089, prAL, gcNo},     //     [5] SUBSCRIPT FIVE..SUBSCRIPT NINE
+	{0x208A, 0x208C, prAL, gcSm},     //     [3] SUBSCRIPT PLUS SIGN..SUBSCRIPT EQUALS SIGN
+	{0x208D, 0x208D, prOP, gcPs},     //         SUBSCRIPT LEFT PARENTHESIS
+	{0x208E, 0x208E, prCL, gcPe},     //         SUBSCRIPT RIGHT PARENTHESIS
+	{0x2090, 0x209C, prAL, gcLm},     //    [13] LATIN SUBSCRIPT SMALL LETTER A..LATIN SUBSCRIPT SMALL LETTER T
+	{0x20A0, 0x20A6, prPR, gcSc},     //     [7] EURO-CURRENCY SIGN..NAIRA SIGN
+	{0x20A7, 0x20A7, prPO, gcSc},     //         PESETA SIGN
+	{0x20A8, 0x20B5, prPR, gcSc},     //    [14] RUPEE SIGN..CEDI SIGN
+	{0x20B6, 0x20B6, prPO, gcSc},     //         LIVRE TOURNOIS SIGN
+	{0x20B7, 0x20BA, prPR, gcSc},     //     [4] SPESMILO SIGN..TURKISH LIRA SIGN
+	{0x20BB, 0x20BB, prPO, gcSc},     //         NORDIC MARK SIGN
+	{0x20BC, 0x20BD, prPR, gcSc},     //     [2] MANAT SIGN..RUBLE SIGN
+	{0x20BE, 0x20BE, prPO, gcSc},     //         LARI SIGN
+	{0x20BF, 0x20BF, prPR, gcSc},     //         BITCOIN SIGN
+	{0x20C0, 0x20C0, prPO, gcSc},     //         SOM SIGN
+	{0x20C1, 0x20CF, prPR, gcCn},     //    [15] <reserved-20C1>..<reserved-20CF>
+	{0x20D0, 0x20DC, prCM, gcMn},     //    [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE
+	{0x20DD, 0x20E0, prCM, gcMe},     //     [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH
+	{0x20E1, 0x20E1, prCM, gcMn},     //         COMBINING LEFT RIGHT ARROW ABOVE
+	{0x20E2, 0x20E4, prCM, gcMe},     //     [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE
+	{0x20E5, 0x20F0, prCM, gcMn},     //    [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE
+	{0x2100, 0x2101, prAL, gcSo},     //     [2] ACCOUNT OF..ADDRESSED TO THE SUBJECT
+	{0x2102, 0x2102, prAL, gcLu},     //         DOUBLE-STRUCK CAPITAL C
+	{0x2103, 0x2103, prPO, gcSo},     //         DEGREE CELSIUS
+	{0x2104, 0x2104, prAL, gcSo},     //         CENTRE LINE SYMBOL
+	{0x2105, 0x2105, prAI, gcSo},     //         CARE OF
+	{0x2106, 0x2106, prAL, gcSo},     //         CADA UNA
+	{0x2107, 0x2107, prAL, gcLu},     //         EULER CONSTANT
+	{0x2108, 0x2108, prAL, gcSo},     //         SCRUPLE
+	{0x2109, 0x2109, prPO, gcSo},     //         DEGREE FAHRENHEIT
+	{0x210A, 0x2112, prAL, gcLC},     //     [9] SCRIPT SMALL G..SCRIPT CAPITAL L
+	{0x2113, 0x2113, prAI, gcLl},     //         SCRIPT SMALL L
+	{0x2114, 0x2114, prAL, gcSo},     //         L B BAR SYMBOL
+	{0x2115, 0x2115, prAL, gcLu},     //         DOUBLE-STRUCK CAPITAL N
+	{0x2116, 0x2116, prPR, gcSo},     //         NUMERO SIGN
+	{0x2117, 0x2117, prAL, gcSo},     //         SOUND RECORDING COPYRIGHT
+	{0x2118, 0x2118, prAL, gcSm},     //         SCRIPT CAPITAL P
+	{0x2119, 0x211D, prAL, gcLu},     //     [5] DOUBLE-STRUCK CAPITAL P..DOUBLE-STRUCK CAPITAL R
+	{0x211E, 0x2120, prAL, gcSo},     //     [3] PRESCRIPTION TAKE..SERVICE MARK
+	{0x2121, 0x2122, prAI, gcSo},     //     [2] TELEPHONE SIGN..TRADE MARK SIGN
+	{0x2123, 0x2123, prAL, gcSo},     //         VERSICLE
+	{0x2124, 0x2124, prAL, gcLu},     //         DOUBLE-STRUCK CAPITAL Z
+	{0x2125, 0x2125, prAL, gcSo},     //         OUNCE SIGN
+	{0x2126, 0x2126, prAL, gcLu},     //         OHM SIGN
+	{0x2127, 0x2127, prAL, gcSo},     //         INVERTED OHM SIGN
+	{0x2128, 0x2128, prAL, gcLu},     //         BLACK-LETTER CAPITAL Z
+	{0x2129, 0x2129, prAL, gcSo},     //         TURNED GREEK SMALL LETTER IOTA
+	{0x212A, 0x212A, prAL, gcLu},     //         KELVIN SIGN
+	{0x212B, 0x212B, prAI, gcLu},     //         ANGSTROM SIGN
+	{0x212C, 0x212D, prAL, gcLu},     //     [2] SCRIPT CAPITAL B..BLACK-LETTER CAPITAL C
+	{0x212E, 0x212E, prAL, gcSo},     //         ESTIMATED SYMBOL
+	{0x212F, 0x2134, prAL, gcLC},     //     [6] SCRIPT SMALL E..SCRIPT SMALL O
+	{0x2135, 0x2138, prAL, gcLo},     //     [4] ALEF SYMBOL..DALET SYMBOL
+	{0x2139, 0x2139, prAL, gcLl},     //         INFORMATION SOURCE
+	{0x213A, 0x213B, prAL, gcSo},     //     [2] ROTATED CAPITAL Q..FACSIMILE SIGN
+	{0x213C, 0x213F, prAL, gcLC},     //     [4] DOUBLE-STRUCK SMALL PI..DOUBLE-STRUCK CAPITAL PI
+	{0x2140, 0x2144, prAL, gcSm},     //     [5] DOUBLE-STRUCK N-ARY SUMMATION..TURNED SANS-SERIF CAPITAL Y
+	{0x2145, 0x2149, prAL, gcLC},     //     [5] DOUBLE-STRUCK ITALIC CAPITAL D..DOUBLE-STRUCK ITALIC SMALL J
+	{0x214A, 0x214A, prAL, gcSo},     //         PROPERTY LINE
+	{0x214B, 0x214B, prAL, gcSm},     //         TURNED AMPERSAND
+	{0x214C, 0x214D, prAL, gcSo},     //     [2] PER SIGN..AKTIESELSKAB
+	{0x214E, 0x214E, prAL, gcLl},     //         TURNED SMALL F
+	{0x214F, 0x214F, prAL, gcSo},     //         SYMBOL FOR SAMARITAN SOURCE
+	{0x2150, 0x2153, prAL, gcNo},     //     [4] VULGAR FRACTION ONE SEVENTH..VULGAR FRACTION ONE THIRD
+	{0x2154, 0x2155, prAI, gcNo},     //     [2] VULGAR FRACTION TWO THIRDS..VULGAR FRACTION ONE FIFTH
+	{0x2156, 0x215A, prAL, gcNo},     //     [5] VULGAR FRACTION TWO FIFTHS..VULGAR FRACTION FIVE SIXTHS
+	{0x215B, 0x215B, prAI, gcNo},     //         VULGAR FRACTION ONE EIGHTH
+	{0x215C, 0x215D, prAL, gcNo},     //     [2] VULGAR FRACTION THREE EIGHTHS..VULGAR FRACTION FIVE EIGHTHS
+	{0x215E, 0x215E, prAI, gcNo},     //         VULGAR FRACTION SEVEN EIGHTHS
+	{0x215F, 0x215F, prAL, gcNo},     //         FRACTION NUMERATOR ONE
+	{0x2160, 0x216B, prAI, gcNl},     //    [12] ROMAN NUMERAL ONE..ROMAN NUMERAL TWELVE
+	{0x216C, 0x216F, prAL, gcNl},     //     [4] ROMAN NUMERAL FIFTY..ROMAN NUMERAL ONE THOUSAND
+	{0x2170, 0x2179, prAI, gcNl},     //    [10] SMALL ROMAN NUMERAL ONE..SMALL ROMAN NUMERAL TEN
+	{0x217A, 0x2182, prAL, gcNl},     //     [9] SMALL ROMAN NUMERAL ELEVEN..ROMAN NUMERAL TEN THOUSAND
+	{0x2183, 0x2184, prAL, gcLC},     //     [2] ROMAN NUMERAL REVERSED ONE HUNDRED..LATIN SMALL LETTER REVERSED C
+	{0x2185, 0x2188, prAL, gcNl},     //     [4] ROMAN NUMERAL SIX LATE FORM..ROMAN NUMERAL ONE HUNDRED THOUSAND
+	{0x2189, 0x2189, prAI, gcNo},     //         VULGAR FRACTION ZERO THIRDS
+	{0x218A, 0x218B, prAL, gcSo},     //     [2] TURNED DIGIT TWO..TURNED DIGIT THREE
+	{0x2190, 0x2194, prAI, gcSm},     //     [5] LEFTWARDS ARROW..LEFT RIGHT ARROW
+	{0x2195, 0x2199, prAI, gcSo},     //     [5] UP DOWN ARROW..SOUTH WEST ARROW
+	{0x219A, 0x219B, prAL, gcSm},     //     [2] LEFTWARDS ARROW WITH STROKE..RIGHTWARDS ARROW WITH STROKE
+	{0x219C, 0x219F, prAL, gcSo},     //     [4] LEFTWARDS WAVE ARROW..UPWARDS TWO HEADED ARROW
+	{0x21A0, 0x21A0, prAL, gcSm},     //         RIGHTWARDS TWO HEADED ARROW
+	{0x21A1, 0x21A2, prAL, gcSo},     //     [2] DOWNWARDS TWO HEADED ARROW..LEFTWARDS ARROW WITH TAIL
+	{0x21A3, 0x21A3, prAL, gcSm},     //         RIGHTWARDS ARROW WITH TAIL
+	{0x21A4, 0x21A5, prAL, gcSo},     //     [2] LEFTWARDS ARROW FROM BAR..UPWARDS ARROW FROM BAR
+	{0x21A6, 0x21A6, prAL, gcSm},     //         RIGHTWARDS ARROW FROM BAR
+	{0x21A7, 0x21AD, prAL, gcSo},     //     [7] DOWNWARDS ARROW FROM BAR..LEFT RIGHT WAVE ARROW
+	{0x21AE, 0x21AE, prAL, gcSm},     //         LEFT RIGHT ARROW WITH STROKE
+	{0x21AF, 0x21CD, prAL, gcSo},     //    [31] DOWNWARDS ZIGZAG ARROW..LEFTWARDS DOUBLE ARROW WITH STROKE
+	{0x21CE, 0x21CF, prAL, gcSm},     //     [2] LEFT RIGHT DOUBLE ARROW WITH STROKE..RIGHTWARDS DOUBLE ARROW WITH STROKE
+	{0x21D0, 0x21D1, prAL, gcSo},     //     [2] LEFTWARDS DOUBLE ARROW..UPWARDS DOUBLE ARROW
+	{0x21D2, 0x21D2, prAI, gcSm},     //         RIGHTWARDS DOUBLE ARROW
+	{0x21D3, 0x21D3, prAL, gcSo},     //         DOWNWARDS DOUBLE ARROW
+	{0x21D4, 0x21D4, prAI, gcSm},     //         LEFT RIGHT DOUBLE ARROW
+	{0x21D5, 0x21F3, prAL, gcSo},     //    [31] UP DOWN DOUBLE ARROW..UP DOWN WHITE ARROW
+	{0x21F4, 0x21FF, prAL, gcSm},     //    [12] RIGHT ARROW WITH SMALL CIRCLE..LEFT RIGHT OPEN-HEADED ARROW
+	{0x2200, 0x2200, prAI, gcSm},     //         FOR ALL
+	{0x2201, 0x2201, prAL, gcSm},     //         COMPLEMENT
+	{0x2202, 0x2203, prAI, gcSm},     //     [2] PARTIAL DIFFERENTIAL..THERE EXISTS
+	{0x2204, 0x2206, prAL, gcSm},     //     [3] THERE DOES NOT EXIST..INCREMENT
+	{0x2207, 0x2208, prAI, gcSm},     //     [2] NABLA..ELEMENT OF
+	{0x2209, 0x220A, prAL, gcSm},     //     [2] NOT AN ELEMENT OF..SMALL ELEMENT OF
+	{0x220B, 0x220B, prAI, gcSm},     //         CONTAINS AS MEMBER
+	{0x220C, 0x220E, prAL, gcSm},     //     [3] DOES NOT CONTAIN AS MEMBER..END OF PROOF
+	{0x220F, 0x220F, prAI, gcSm},     //         N-ARY PRODUCT
+	{0x2210, 0x2210, prAL, gcSm},     //         N-ARY COPRODUCT
+	{0x2211, 0x2211, prAI, gcSm},     //         N-ARY SUMMATION
+	{0x2212, 0x2213, prPR, gcSm},     //     [2] MINUS SIGN..MINUS-OR-PLUS SIGN
+	{0x2214, 0x2214, prAL, gcSm},     //         DOT PLUS
+	{0x2215, 0x2215, prAI, gcSm},     //         DIVISION SLASH
+	{0x2216, 0x2219, prAL, gcSm},     //     [4] SET MINUS..BULLET OPERATOR
+	{0x221A, 0x221A, prAI, gcSm},     //         SQUARE ROOT
+	{0x221B, 0x221C, prAL, gcSm},     //     [2] CUBE ROOT..FOURTH ROOT
+	{0x221D, 0x2220, prAI, gcSm},     //     [4] PROPORTIONAL TO..ANGLE
+	{0x2221, 0x2222, prAL, gcSm},     //     [2] MEASURED ANGLE..SPHERICAL ANGLE
+	{0x2223, 0x2223, prAI, gcSm},     //         DIVIDES
+	{0x2224, 0x2224, prAL, gcSm},     //         DOES NOT DIVIDE
+	{0x2225, 0x2225, prAI, gcSm},     //         PARALLEL TO
+	{0x2226, 0x2226, prAL, gcSm},     //         NOT PARALLEL TO
+	{0x2227, 0x222C, prAI, gcSm},     //     [6] LOGICAL AND..DOUBLE INTEGRAL
+	{0x222D, 0x222D, prAL, gcSm},     //         TRIPLE INTEGRAL
+	{0x222E, 0x222E, prAI, gcSm},     //         CONTOUR INTEGRAL
+	{0x222F, 0x2233, prAL, gcSm},     //     [5] SURFACE INTEGRAL..ANTICLOCKWISE CONTOUR INTEGRAL
+	{0x2234, 0x2237, prAI, gcSm},     //     [4] THEREFORE..PROPORTION
+	{0x2238, 0x223B, prAL, gcSm},     //     [4] DOT MINUS..HOMOTHETIC
+	{0x223C, 0x223D, prAI, gcSm},     //     [2] TILDE OPERATOR..REVERSED TILDE
+	{0x223E, 0x2247, prAL, gcSm},     //    [10] INVERTED LAZY S..NEITHER APPROXIMATELY NOR ACTUALLY EQUAL TO
+	{0x2248, 0x2248, prAI, gcSm},     //         ALMOST EQUAL TO
+	{0x2249, 0x224B, prAL, gcSm},     //     [3] NOT ALMOST EQUAL TO..TRIPLE TILDE
+	{0x224C, 0x224C, prAI, gcSm},     //         ALL EQUAL TO
+	{0x224D, 0x2251, prAL, gcSm},     //     [5] EQUIVALENT TO..GEOMETRICALLY EQUAL TO
+	{0x2252, 0x2252, prAI, gcSm},     //         APPROXIMATELY EQUAL TO OR THE IMAGE OF
+	{0x2253, 0x225F, prAL, gcSm},     //    [13] IMAGE OF OR APPROXIMATELY EQUAL TO..QUESTIONED EQUAL TO
+	{0x2260, 0x2261, prAI, gcSm},     //     [2] NOT EQUAL TO..IDENTICAL TO
+	{0x2262, 0x2263, prAL, gcSm},     //     [2] NOT IDENTICAL TO..STRICTLY EQUIVALENT TO
+	{0x2264, 0x2267, prAI, gcSm},     //     [4] LESS-THAN OR EQUAL TO..GREATER-THAN OVER EQUAL TO
+	{0x2268, 0x2269, prAL, gcSm},     //     [2] LESS-THAN BUT NOT EQUAL TO..GREATER-THAN BUT NOT EQUAL TO
+	{0x226A, 0x226B, prAI, gcSm},     //     [2] MUCH LESS-THAN..MUCH GREATER-THAN
+	{0x226C, 0x226D, prAL, gcSm},     //     [2] BETWEEN..NOT EQUIVALENT TO
+	{0x226E, 0x226F, prAI, gcSm},     //     [2] NOT LESS-THAN..NOT GREATER-THAN
+	{0x2270, 0x2281, prAL, gcSm},     //    [18] NEITHER LESS-THAN NOR EQUAL TO..DOES NOT SUCCEED
+	{0x2282, 0x2283, prAI, gcSm},     //     [2] SUBSET OF..SUPERSET OF
+	{0x2284, 0x2285, prAL, gcSm},     //     [2] NOT A SUBSET OF..NOT A SUPERSET OF
+	{0x2286, 0x2287, prAI, gcSm},     //     [2] SUBSET OF OR EQUAL TO..SUPERSET OF OR EQUAL TO
+	{0x2288, 0x2294, prAL, gcSm},     //    [13] NEITHER A SUBSET OF NOR EQUAL TO..SQUARE CUP
+	{0x2295, 0x2295, prAI, gcSm},     //         CIRCLED PLUS
+	{0x2296, 0x2298, prAL, gcSm},     //     [3] CIRCLED MINUS..CIRCLED DIVISION SLASH
+	{0x2299, 0x2299, prAI, gcSm},     //         CIRCLED DOT OPERATOR
+	{0x229A, 0x22A4, prAL, gcSm},     //    [11] CIRCLED RING OPERATOR..DOWN TACK
+	{0x22A5, 0x22A5, prAI, gcSm},     //         UP TACK
+	{0x22A6, 0x22BE, prAL, gcSm},     //    [25] ASSERTION..RIGHT ANGLE WITH ARC
+	{0x22BF, 0x22BF, prAI, gcSm},     //         RIGHT TRIANGLE
+	{0x22C0, 0x22EE, prAL, gcSm},     //    [47] N-ARY LOGICAL AND..VERTICAL ELLIPSIS
+	{0x22EF, 0x22EF, prIN, gcSm},     //         MIDLINE HORIZONTAL ELLIPSIS
+	{0x22F0, 0x22FF, prAL, gcSm},     //    [16] UP RIGHT DIAGONAL ELLIPSIS..Z NOTATION BAG MEMBERSHIP
+	{0x2300, 0x2307, prAL, gcSo},     //     [8] DIAMETER SIGN..WAVY LINE
+	{0x2308, 0x2308, prOP, gcPs},     //         LEFT CEILING
+	{0x2309, 0x2309, prCL, gcPe},     //         RIGHT CEILING
+	{0x230A, 0x230A, prOP, gcPs},     //         LEFT FLOOR
+	{0x230B, 0x230B, prCL, gcPe},     //         RIGHT FLOOR
+	{0x230C, 0x2311, prAL, gcSo},     //     [6] BOTTOM RIGHT CROP..SQUARE LOZENGE
+	{0x2312, 0x2312, prAI, gcSo},     //         ARC
+	{0x2313, 0x2319, prAL, gcSo},     //     [7] SEGMENT..TURNED NOT SIGN
+	{0x231A, 0x231B, prID, gcSo},     //     [2] WATCH..HOURGLASS
+	{0x231C, 0x231F, prAL, gcSo},     //     [4] TOP LEFT CORNER..BOTTOM RIGHT CORNER
+	{0x2320, 0x2321, prAL, gcSm},     //     [2] TOP HALF INTEGRAL..BOTTOM HALF INTEGRAL
+	{0x2322, 0x2328, prAL, gcSo},     //     [7] FROWN..KEYBOARD
+	{0x2329, 0x2329, prOP, gcPs},     //         LEFT-POINTING ANGLE BRACKET
+	{0x232A, 0x232A, prCL, gcPe},     //         RIGHT-POINTING ANGLE BRACKET
+	{0x232B, 0x237B, prAL, gcSo},     //    [81] ERASE TO THE LEFT..NOT CHECK MARK
+	{0x237C, 0x237C, prAL, gcSm},     //         RIGHT ANGLE WITH DOWNWARDS ZIGZAG ARROW
+	{0x237D, 0x239A, prAL, gcSo},     //    [30] SHOULDERED OPEN BOX..CLEAR SCREEN SYMBOL
+	{0x239B, 0x23B3, prAL, gcSm},     //    [25] LEFT PARENTHESIS UPPER HOOK..SUMMATION BOTTOM
+	{0x23B4, 0x23DB, prAL, gcSo},     //    [40] TOP SQUARE BRACKET..FUSE
+	{0x23DC, 0x23E1, prAL, gcSm},     //     [6] TOP PARENTHESIS..BOTTOM TORTOISE SHELL BRACKET
+	{0x23E2, 0x23EF, prAL, gcSo},     //    [14] WHITE TRAPEZIUM..BLACK RIGHT-POINTING TRIANGLE WITH DOUBLE VERTICAL BAR
+	{0x23F0, 0x23F3, prID, gcSo},     //     [4] ALARM CLOCK..HOURGLASS WITH FLOWING SAND
+	{0x23F4, 0x23FF, prAL, gcSo},     //    [12] BLACK MEDIUM LEFT-POINTING TRIANGLE..OBSERVER EYE SYMBOL
+	{0x2400, 0x2426, prAL, gcSo},     //    [39] SYMBOL FOR NULL..SYMBOL FOR SUBSTITUTE FORM TWO
+	{0x2440, 0x244A, prAL, gcSo},     //    [11] OCR HOOK..OCR DOUBLE BACKSLASH
+	{0x2460, 0x249B, prAI, gcNo},     //    [60] CIRCLED DIGIT ONE..NUMBER TWENTY FULL STOP
+	{0x249C, 0x24E9, prAI, gcSo},     //    [78] PARENTHESIZED LATIN SMALL LETTER A..CIRCLED LATIN SMALL LETTER Z
+	{0x24EA, 0x24FE, prAI, gcNo},     //    [21] CIRCLED DIGIT ZERO..DOUBLE CIRCLED NUMBER TEN
+	{0x24FF, 0x24FF, prAL, gcNo},     //         NEGATIVE CIRCLED DIGIT ZERO
+	{0x2500, 0x254B, prAI, gcSo},     //    [76] BOX DRAWINGS LIGHT HORIZONTAL..BOX DRAWINGS HEAVY VERTICAL AND HORIZONTAL
+	{0x254C, 0x254F, prAL, gcSo},     //     [4] BOX DRAWINGS LIGHT DOUBLE DASH HORIZONTAL..BOX DRAWINGS HEAVY DOUBLE DASH VERTICAL
+	{0x2550, 0x2574, prAI, gcSo},     //    [37] BOX DRAWINGS DOUBLE HORIZONTAL..BOX DRAWINGS LIGHT LEFT
+	{0x2575, 0x257F, prAL, gcSo},     //    [11] BOX DRAWINGS LIGHT UP..BOX DRAWINGS HEAVY UP AND LIGHT DOWN
+	{0x2580, 0x258F, prAI, gcSo},     //    [16] UPPER HALF BLOCK..LEFT ONE EIGHTH BLOCK
+	{0x2590, 0x2591, prAL, gcSo},     //     [2] RIGHT HALF BLOCK..LIGHT SHADE
+	{0x2592, 0x2595, prAI, gcSo},     //     [4] MEDIUM SHADE..RIGHT ONE EIGHTH BLOCK
+	{0x2596, 0x259F, prAL, gcSo},     //    [10] QUADRANT LOWER LEFT..QUADRANT UPPER RIGHT AND LOWER LEFT AND LOWER RIGHT
+	{0x25A0, 0x25A1, prAI, gcSo},     //     [2] BLACK SQUARE..WHITE SQUARE
+	{0x25A2, 0x25A2, prAL, gcSo},     //         WHITE SQUARE WITH ROUNDED CORNERS
+	{0x25A3, 0x25A9, prAI, gcSo},     //     [7] WHITE SQUARE CONTAINING BLACK SMALL SQUARE..SQUARE WITH DIAGONAL CROSSHATCH FILL
+	{0x25AA, 0x25B1, prAL, gcSo},     //     [8] BLACK SMALL SQUARE..WHITE PARALLELOGRAM
+	{0x25B2, 0x25B3, prAI, gcSo},     //     [2] BLACK UP-POINTING TRIANGLE..WHITE UP-POINTING TRIANGLE
+	{0x25B4, 0x25B5, prAL, gcSo},     //     [2] BLACK UP-POINTING SMALL TRIANGLE..WHITE UP-POINTING SMALL TRIANGLE
+	{0x25B6, 0x25B6, prAI, gcSo},     //         BLACK RIGHT-POINTING TRIANGLE
+	{0x25B7, 0x25B7, prAI, gcSm},     //         WHITE RIGHT-POINTING TRIANGLE
+	{0x25B8, 0x25BB, prAL, gcSo},     //     [4] BLACK RIGHT-POINTING SMALL TRIANGLE..WHITE RIGHT-POINTING POINTER
+	{0x25BC, 0x25BD, prAI, gcSo},     //     [2] BLACK DOWN-POINTING TRIANGLE..WHITE DOWN-POINTING TRIANGLE
+	{0x25BE, 0x25BF, prAL, gcSo},     //     [2] BLACK DOWN-POINTING SMALL TRIANGLE..WHITE DOWN-POINTING SMALL TRIANGLE
+	{0x25C0, 0x25C0, prAI, gcSo},     //         BLACK LEFT-POINTING TRIANGLE
+	{0x25C1, 0x25C1, prAI, gcSm},     //         WHITE LEFT-POINTING TRIANGLE
+	{0x25C2, 0x25C5, prAL, gcSo},     //     [4] BLACK LEFT-POINTING SMALL TRIANGLE..WHITE LEFT-POINTING POINTER
+	{0x25C6, 0x25C8, prAI, gcSo},     //     [3] BLACK DIAMOND..WHITE DIAMOND CONTAINING BLACK SMALL DIAMOND
+	{0x25C9, 0x25CA, prAL, gcSo},     //     [2] FISHEYE..LOZENGE
+	{0x25CB, 0x25CB, prAI, gcSo},     //         WHITE CIRCLE
+	{0x25CC, 0x25CD, prAL, gcSo},     //     [2] DOTTED CIRCLE..CIRCLE WITH VERTICAL FILL
+	{0x25CE, 0x25D1, prAI, gcSo},     //     [4] BULLSEYE..CIRCLE WITH RIGHT HALF BLACK
+	{0x25D2, 0x25E1, prAL, gcSo},     //    [16] CIRCLE WITH LOWER HALF BLACK..LOWER HALF CIRCLE
+	{0x25E2, 0x25E5, prAI, gcSo},     //     [4] BLACK LOWER RIGHT TRIANGLE..BLACK UPPER RIGHT TRIANGLE
+	{0x25E6, 0x25EE, prAL, gcSo},     //     [9] WHITE BULLET..UP-POINTING TRIANGLE WITH RIGHT HALF BLACK
+	{0x25EF, 0x25EF, prAI, gcSo},     //         LARGE CIRCLE
+	{0x25F0, 0x25F7, prAL, gcSo},     //     [8] WHITE SQUARE WITH UPPER LEFT QUADRANT..WHITE CIRCLE WITH UPPER RIGHT QUADRANT
+	{0x25F8, 0x25FF, prAL, gcSm},     //     [8] UPPER LEFT TRIANGLE..LOWER RIGHT TRIANGLE
+	{0x2600, 0x2603, prID, gcSo},     //     [4] BLACK SUN WITH RAYS..SNOWMAN
+	{0x2604, 0x2604, prAL, gcSo},     //         COMET
+	{0x2605, 0x2606, prAI, gcSo},     //     [2] BLACK STAR..WHITE STAR
+	{0x2607, 0x2608, prAL, gcSo},     //     [2] LIGHTNING..THUNDERSTORM
+	{0x2609, 0x2609, prAI, gcSo},     //         SUN
+	{0x260A, 0x260D, prAL, gcSo},     //     [4] ASCENDING NODE..OPPOSITION
+	{0x260E, 0x260F, prAI, gcSo},     //     [2] BLACK TELEPHONE..WHITE TELEPHONE
+	{0x2610, 0x2613, prAL, gcSo},     //     [4] BALLOT BOX..SALTIRE
+	{0x2614, 0x2615, prID, gcSo},     //     [2] UMBRELLA WITH RAIN DROPS..HOT BEVERAGE
+	{0x2616, 0x2617, prAI, gcSo},     //     [2] WHITE SHOGI PIECE..BLACK SHOGI PIECE
+	{0x2618, 0x2618, prID, gcSo},     //         SHAMROCK
+	{0x2619, 0x2619, prAL, gcSo},     //         REVERSED ROTATED FLORAL HEART BULLET
+	{0x261A, 0x261C, prID, gcSo},     //     [3] BLACK LEFT POINTING INDEX..WHITE LEFT POINTING INDEX
+	{0x261D, 0x261D, prEB, gcSo},     //         WHITE UP POINTING INDEX
+	{0x261E, 0x261F, prID, gcSo},     //     [2] WHITE RIGHT POINTING INDEX..WHITE DOWN POINTING INDEX
+	{0x2620, 0x2638, prAL, gcSo},     //    [25] SKULL AND CROSSBONES..WHEEL OF DHARMA
+	{0x2639, 0x263B, prID, gcSo},     //     [3] WHITE FROWNING FACE..BLACK SMILING FACE
+	{0x263C, 0x263F, prAL, gcSo},     //     [4] WHITE SUN WITH RAYS..MERCURY
+	{0x2640, 0x2640, prAI, gcSo},     //         FEMALE SIGN
+	{0x2641, 0x2641, prAL, gcSo},     //         EARTH
+	{0x2642, 0x2642, prAI, gcSo},     //         MALE SIGN
+	{0x2643, 0x265F, prAL, gcSo},     //    [29] JUPITER..BLACK CHESS PAWN
+	{0x2660, 0x2661, prAI, gcSo},     //     [2] BLACK SPADE SUIT..WHITE HEART SUIT
+	{0x2662, 0x2662, prAL, gcSo},     //         WHITE DIAMOND SUIT
+	{0x2663, 0x2665, prAI, gcSo},     //     [3] BLACK CLUB SUIT..BLACK HEART SUIT
+	{0x2666, 0x2666, prAL, gcSo},     //         BLACK DIAMOND SUIT
+	{0x2667, 0x2667, prAI, gcSo},     //         WHITE CLUB SUIT
+	{0x2668, 0x2668, prID, gcSo},     //         HOT SPRINGS
+	{0x2669, 0x266A, prAI, gcSo},     //     [2] QUARTER NOTE..EIGHTH NOTE
+	{0x266B, 0x266B, prAL, gcSo},     //         BEAMED EIGHTH NOTES
+	{0x266C, 0x266D, prAI, gcSo},     //     [2] BEAMED SIXTEENTH NOTES..MUSIC FLAT SIGN
+	{0x266E, 0x266E, prAL, gcSo},     //         MUSIC NATURAL SIGN
+	{0x266F, 0x266F, prAI, gcSm},     //         MUSIC SHARP SIGN
+	{0x2670, 0x267E, prAL, gcSo},     //    [15] WEST SYRIAC CROSS..PERMANENT PAPER SIGN
+	{0x267F, 0x267F, prID, gcSo},     //         WHEELCHAIR SYMBOL
+	{0x2680, 0x269D, prAL, gcSo},     //    [30] DIE FACE-1..OUTLINED WHITE STAR
+	{0x269E, 0x269F, prAI, gcSo},     //     [2] THREE LINES CONVERGING RIGHT..THREE LINES CONVERGING LEFT
+	{0x26A0, 0x26BC, prAL, gcSo},     //    [29] WARNING SIGN..SESQUIQUADRATE
+	{0x26BD, 0x26C8, prID, gcSo},     //    [12] SOCCER BALL..THUNDER CLOUD AND RAIN
+	{0x26C9, 0x26CC, prAI, gcSo},     //     [4] TURNED WHITE SHOGI PIECE..CROSSING LANES
+	{0x26CD, 0x26CD, prID, gcSo},     //         DISABLED CAR
+	{0x26CE, 0x26CE, prAL, gcSo},     //         OPHIUCHUS
+	{0x26CF, 0x26D1, prID, gcSo},     //     [3] PICK..HELMET WITH WHITE CROSS
+	{0x26D2, 0x26D2, prAI, gcSo},     //         CIRCLED CROSSING LANES
+	{0x26D3, 0x26D4, prID, gcSo},     //     [2] CHAINS..NO ENTRY
+	{0x26D5, 0x26D7, prAI, gcSo},     //     [3] ALTERNATE ONE-WAY LEFT WAY TRAFFIC..WHITE TWO-WAY LEFT WAY TRAFFIC
+	{0x26D8, 0x26D9, prID, gcSo},     //     [2] BLACK LEFT LANE MERGE..WHITE LEFT LANE MERGE
+	{0x26DA, 0x26DB, prAI, gcSo},     //     [2] DRIVE SLOW SIGN..HEAVY WHITE DOWN-POINTING TRIANGLE
+	{0x26DC, 0x26DC, prID, gcSo},     //         LEFT CLOSED ENTRY
+	{0x26DD, 0x26DE, prAI, gcSo},     //     [2] SQUARED SALTIRE..FALLING DIAGONAL IN WHITE CIRCLE IN BLACK SQUARE
+	{0x26DF, 0x26E1, prID, gcSo},     //     [3] BLACK TRUCK..RESTRICTED LEFT ENTRY-2
+	{0x26E2, 0x26E2, prAL, gcSo},     //         ASTRONOMICAL SYMBOL FOR URANUS
+	{0x26E3, 0x26E3, prAI, gcSo},     //         HEAVY CIRCLE WITH STROKE AND TWO DOTS ABOVE
+	{0x26E4, 0x26E7, prAL, gcSo},     //     [4] PENTAGRAM..INVERTED PENTAGRAM
+	{0x26E8, 0x26E9, prAI, gcSo},     //     [2] BLACK CROSS ON SHIELD..SHINTO SHRINE
+	{0x26EA, 0x26EA, prID, gcSo},     //         CHURCH
+	{0x26EB, 0x26F0, prAI, gcSo},     //     [6] CASTLE..MOUNTAIN
+	{0x26F1, 0x26F5, prID, gcSo},     //     [5] UMBRELLA ON GROUND..SAILBOAT
+	{0x26F6, 0x26F6, prAI, gcSo},     //         SQUARE FOUR CORNERS
+	{0x26F7, 0x26F8, prID, gcSo},     //     [2] SKIER..ICE SKATE
+	{0x26F9, 0x26F9, prEB, gcSo},     //         PERSON WITH BALL
+	{0x26FA, 0x26FA, prID, gcSo},     //         TENT
+	{0x26FB, 0x26FC, prAI, gcSo},     //     [2] JAPANESE BANK SYMBOL..HEADSTONE GRAVEYARD SYMBOL
+	{0x26FD, 0x26FF, prID, gcSo},     //     [3] FUEL PUMP..WHITE FLAG WITH HORIZONTAL MIDDLE BLACK STRIPE
+	{0x2700, 0x2704, prID, gcSo},     //     [5] BLACK SAFETY SCISSORS..WHITE SCISSORS
+	{0x2705, 0x2707, prAL, gcSo},     //     [3] WHITE HEAVY CHECK MARK..TAPE DRIVE
+	{0x2708, 0x2709, prID, gcSo},     //     [2] AIRPLANE..ENVELOPE
+	{0x270A, 0x270D, prEB, gcSo},     //     [4] RAISED FIST..WRITING HAND
+	{0x270E, 0x2756, prAL, gcSo},     //    [73] LOWER RIGHT PENCIL..BLACK DIAMOND MINUS WHITE X
+	{0x2757, 0x2757, prAI, gcSo},     //         HEAVY EXCLAMATION MARK SYMBOL
+	{0x2758, 0x275A, prAL, gcSo},     //     [3] LIGHT VERTICAL BAR..HEAVY VERTICAL BAR
+	{0x275B, 0x2760, prQU, gcSo},     //     [6] HEAVY SINGLE TURNED COMMA QUOTATION MARK ORNAMENT..HEAVY LOW DOUBLE COMMA QUOTATION MARK ORNAMENT
+	{0x2761, 0x2761, prAL, gcSo},     //         CURVED STEM PARAGRAPH SIGN ORNAMENT
+	{0x2762, 0x2763, prEX, gcSo},     //     [2] HEAVY EXCLAMATION MARK ORNAMENT..HEAVY HEART EXCLAMATION MARK ORNAMENT
+	{0x2764, 0x2764, prID, gcSo},     //         HEAVY BLACK HEART
+	{0x2765, 0x2767, prAL, gcSo},     //     [3] ROTATED HEAVY BLACK HEART BULLET..ROTATED FLORAL HEART BULLET
+	{0x2768, 0x2768, prOP, gcPs},     //         MEDIUM LEFT PARENTHESIS ORNAMENT
+	{0x2769, 0x2769, prCL, gcPe},     //         MEDIUM RIGHT PARENTHESIS ORNAMENT
+	{0x276A, 0x276A, prOP, gcPs},     //         MEDIUM FLATTENED LEFT PARENTHESIS ORNAMENT
+	{0x276B, 0x276B, prCL, gcPe},     //         MEDIUM FLATTENED RIGHT PARENTHESIS ORNAMENT
+	{0x276C, 0x276C, prOP, gcPs},     //         MEDIUM LEFT-POINTING ANGLE BRACKET ORNAMENT
+	{0x276D, 0x276D, prCL, gcPe},     //         MEDIUM RIGHT-POINTING ANGLE BRACKET ORNAMENT
+	{0x276E, 0x276E, prOP, gcPs},     //         HEAVY LEFT-POINTING ANGLE QUOTATION MARK ORNAMENT
+	{0x276F, 0x276F, prCL, gcPe},     //         HEAVY RIGHT-POINTING ANGLE QUOTATION MARK ORNAMENT
+	{0x2770, 0x2770, prOP, gcPs},     //         HEAVY LEFT-POINTING ANGLE BRACKET ORNAMENT
+	{0x2771, 0x2771, prCL, gcPe},     //         HEAVY RIGHT-POINTING ANGLE BRACKET ORNAMENT
+	{0x2772, 0x2772, prOP, gcPs},     //         LIGHT LEFT TORTOISE SHELL BRACKET ORNAMENT
+	{0x2773, 0x2773, prCL, gcPe},     //         LIGHT RIGHT TORTOISE SHELL BRACKET ORNAMENT
+	{0x2774, 0x2774, prOP, gcPs},     //         MEDIUM LEFT CURLY BRACKET ORNAMENT
+	{0x2775, 0x2775, prCL, gcPe},     //         MEDIUM RIGHT CURLY BRACKET ORNAMENT
+	{0x2776, 0x2793, prAI, gcNo},     //    [30] DINGBAT NEGATIVE CIRCLED DIGIT ONE..DINGBAT NEGATIVE CIRCLED SANS-SERIF NUMBER TEN
+	{0x2794, 0x27BF, prAL, gcSo},     //    [44] HEAVY WIDE-HEADED RIGHTWARDS ARROW..DOUBLE CURLY LOOP
+	{0x27C0, 0x27C4, prAL, gcSm},     //     [5] THREE DIMENSIONAL ANGLE..OPEN SUPERSET
+	{0x27C5, 0x27C5, prOP, gcPs},     //         LEFT S-SHAPED BAG DELIMITER
+	{0x27C6, 0x27C6, prCL, gcPe},     //         RIGHT S-SHAPED BAG DELIMITER
+	{0x27C7, 0x27E5, prAL, gcSm},     //    [31] OR WITH DOT INSIDE..WHITE SQUARE WITH RIGHTWARDS TICK
+	{0x27E6, 0x27E6, prOP, gcPs},     //         MATHEMATICAL LEFT WHITE SQUARE BRACKET
+	{0x27E7, 0x27E7, prCL, gcPe},     //         MATHEMATICAL RIGHT WHITE SQUARE BRACKET
+	{0x27E8, 0x27E8, prOP, gcPs},     //         MATHEMATICAL LEFT ANGLE BRACKET
+	{0x27E9, 0x27E9, prCL, gcPe},     //         MATHEMATICAL RIGHT ANGLE BRACKET
+	{0x27EA, 0x27EA, prOP, gcPs},     //         MATHEMATICAL LEFT DOUBLE ANGLE BRACKET
+	{0x27EB, 0x27EB, prCL, gcPe},     //         MATHEMATICAL RIGHT DOUBLE ANGLE BRACKET
+	{0x27EC, 0x27EC, prOP, gcPs},     //         MATHEMATICAL LEFT WHITE TORTOISE SHELL BRACKET
+	{0x27ED, 0x27ED, prCL, gcPe},     //         MATHEMATICAL RIGHT WHITE TORTOISE SHELL BRACKET
+	{0x27EE, 0x27EE, prOP, gcPs},     //         MATHEMATICAL LEFT FLATTENED PARENTHESIS
+	{0x27EF, 0x27EF, prCL, gcPe},     //         MATHEMATICAL RIGHT FLATTENED PARENTHESIS
+	{0x27F0, 0x27FF, prAL, gcSm},     //    [16] UPWARDS QUADRUPLE ARROW..LONG RIGHTWARDS SQUIGGLE ARROW
+	{0x2800, 0x28FF, prAL, gcSo},     //   [256] BRAILLE PATTERN BLANK..BRAILLE PATTERN DOTS-12345678
+	{0x2900, 0x297F, prAL, gcSm},     //   [128] RIGHTWARDS TWO-HEADED ARROW WITH VERTICAL STROKE..DOWN FISH TAIL
+	{0x2980, 0x2982, prAL, gcSm},     //     [3] TRIPLE VERTICAL BAR DELIMITER..Z NOTATION TYPE COLON
+	{0x2983, 0x2983, prOP, gcPs},     //         LEFT WHITE CURLY BRACKET
+	{0x2984, 0x2984, prCL, gcPe},     //         RIGHT WHITE CURLY BRACKET
+	{0x2985, 0x2985, prOP, gcPs},     //         LEFT WHITE PARENTHESIS
+	{0x2986, 0x2986, prCL, gcPe},     //         RIGHT WHITE PARENTHESIS
+	{0x2987, 0x2987, prOP, gcPs},     //         Z NOTATION LEFT IMAGE BRACKET
+	{0x2988, 0x2988, prCL, gcPe},     //         Z NOTATION RIGHT IMAGE BRACKET
+	{0x2989, 0x2989, prOP, gcPs},     //         Z NOTATION LEFT BINDING BRACKET
+	{0x298A, 0x298A, prCL, gcPe},     //         Z NOTATION RIGHT BINDING BRACKET
+	{0x298B, 0x298B, prOP, gcPs},     //         LEFT SQUARE BRACKET WITH UNDERBAR
+	{0x298C, 0x298C, prCL, gcPe},     //         RIGHT SQUARE BRACKET WITH UNDERBAR
+	{0x298D, 0x298D, prOP, gcPs},     //         LEFT SQUARE BRACKET WITH TICK IN TOP CORNER
+	{0x298E, 0x298E, prCL, gcPe},     //         RIGHT SQUARE BRACKET WITH TICK IN BOTTOM CORNER
+	{0x298F, 0x298F, prOP, gcPs},     //         LEFT SQUARE BRACKET WITH TICK IN BOTTOM CORNER
+	{0x2990, 0x2990, prCL, gcPe},     //         RIGHT SQUARE BRACKET WITH TICK IN TOP CORNER
+	{0x2991, 0x2991, prOP, gcPs},     //         LEFT ANGLE BRACKET WITH DOT
+	{0x2992, 0x2992, prCL, gcPe},     //         RIGHT ANGLE BRACKET WITH DOT
+	{0x2993, 0x2993, prOP, gcPs},     //         LEFT ARC LESS-THAN BRACKET
+	{0x2994, 0x2994, prCL, gcPe},     //         RIGHT ARC GREATER-THAN BRACKET
+	{0x2995, 0x2995, prOP, gcPs},     //         DOUBLE LEFT ARC GREATER-THAN BRACKET
+	{0x2996, 0x2996, prCL, gcPe},     //         DOUBLE RIGHT ARC LESS-THAN BRACKET
+	{0x2997, 0x2997, prOP, gcPs},     //         LEFT BLACK TORTOISE SHELL BRACKET
+	{0x2998, 0x2998, prCL, gcPe},     //         RIGHT BLACK TORTOISE SHELL BRACKET
+	{0x2999, 0x29D7, prAL, gcSm},     //    [63] DOTTED FENCE..BLACK HOURGLASS
+	{0x29D8, 0x29D8, prOP, gcPs},     //         LEFT WIGGLY FENCE
+	{0x29D9, 0x29D9, prCL, gcPe},     //         RIGHT WIGGLY FENCE
+	{0x29DA, 0x29DA, prOP, gcPs},     //         LEFT DOUBLE WIGGLY FENCE
+	{0x29DB, 0x29DB, prCL, gcPe},     //         RIGHT DOUBLE WIGGLY FENCE
+	{0x29DC, 0x29FB, prAL, gcSm},     //    [32] INCOMPLETE INFINITY..TRIPLE PLUS
+	{0x29FC, 0x29FC, prOP, gcPs},     //         LEFT-POINTING CURVED ANGLE BRACKET
+	{0x29FD, 0x29FD, prCL, gcPe},     //         RIGHT-POINTING CURVED ANGLE BRACKET
+	{0x29FE, 0x29FF, prAL, gcSm},     //     [2] TINY..MINY
+	{0x2A00, 0x2AFF, prAL, gcSm},     //   [256] N-ARY CIRCLED DOT OPERATOR..N-ARY WHITE VERTICAL BAR
+	{0x2B00, 0x2B2F, prAL, gcSo},     //    [48] NORTH EAST WHITE ARROW..WHITE VERTICAL ELLIPSE
+	{0x2B30, 0x2B44, prAL, gcSm},     //    [21] LEFT ARROW WITH SMALL CIRCLE..RIGHTWARDS ARROW THROUGH SUPERSET
+	{0x2B45, 0x2B46, prAL, gcSo},     //     [2] LEFTWARDS QUADRUPLE ARROW..RIGHTWARDS QUADRUPLE ARROW
+	{0x2B47, 0x2B4C, prAL, gcSm},     //     [6] REVERSE TILDE OPERATOR ABOVE RIGHTWARDS ARROW..RIGHTWARDS ARROW ABOVE REVERSE TILDE OPERATOR
+	{0x2B4D, 0x2B54, prAL, gcSo},     //     [8] DOWNWARDS TRIANGLE-HEADED ZIGZAG ARROW..WHITE RIGHT-POINTING PENTAGON
+	{0x2B55, 0x2B59, prAI, gcSo},     //     [5] HEAVY LARGE CIRCLE..HEAVY CIRCLED SALTIRE
+	{0x2B5A, 0x2B73, prAL, gcSo},     //    [26] SLANTED NORTH ARROW WITH HOOKED HEAD..DOWNWARDS TRIANGLE-HEADED ARROW TO BAR
+	{0x2B76, 0x2B95, prAL, gcSo},     //    [32] NORTH WEST TRIANGLE-HEADED ARROW TO BAR..RIGHTWARDS BLACK ARROW
+	{0x2B97, 0x2BFF, prAL, gcSo},     //   [105] SYMBOL FOR TYPE A ELECTRONICS..HELLSCHREIBER PAUSE SYMBOL
+	{0x2C00, 0x2C5F, prAL, gcLC},     //    [96] GLAGOLITIC CAPITAL LETTER AZU..GLAGOLITIC SMALL LETTER CAUDATE CHRIVI
+	{0x2C60, 0x2C7B, prAL, gcLC},     //    [28] LATIN CAPITAL LETTER L WITH DOUBLE BAR..LATIN LETTER SMALL CAPITAL TURNED E
+	{0x2C7C, 0x2C7D, prAL, gcLm},     //     [2] LATIN SUBSCRIPT SMALL LETTER J..MODIFIER LETTER CAPITAL V
+	{0x2C7E, 0x2C7F, prAL, gcLu},     //     [2] LATIN CAPITAL LETTER S WITH SWASH TAIL..LATIN CAPITAL LETTER Z WITH SWASH TAIL
+	{0x2C80, 0x2CE4, prAL, gcLC},     //   [101] COPTIC CAPITAL LETTER ALFA..COPTIC SYMBOL KAI
+	{0x2CE5, 0x2CEA, prAL, gcSo},     //     [6] COPTIC SYMBOL MI RO..COPTIC SYMBOL SHIMA SIMA
+	{0x2CEB, 0x2CEE, prAL, gcLC},     //     [4] COPTIC CAPITAL LETTER CRYPTOGRAMMIC SHEI..COPTIC SMALL LETTER CRYPTOGRAMMIC GANGIA
+	{0x2CEF, 0x2CF1, prCM, gcMn},     //     [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS
+	{0x2CF2, 0x2CF3, prAL, gcLC},     //     [2] COPTIC CAPITAL LETTER BOHAIRIC KHEI..COPTIC SMALL LETTER BOHAIRIC KHEI
+	{0x2CF9, 0x2CF9, prEX, gcPo},     //         COPTIC OLD NUBIAN FULL STOP
+	{0x2CFA, 0x2CFC, prBA, gcPo},     //     [3] COPTIC OLD NUBIAN DIRECT QUESTION MARK..COPTIC OLD NUBIAN VERSE DIVIDER
+	{0x2CFD, 0x2CFD, prAL, gcNo},     //         COPTIC FRACTION ONE HALF
+	{0x2CFE, 0x2CFE, prEX, gcPo},     //         COPTIC FULL STOP
+	{0x2CFF, 0x2CFF, prBA, gcPo},     //         COPTIC MORPHOLOGICAL DIVIDER
+	{0x2D00, 0x2D25, prAL, gcLl},     //    [38] GEORGIAN SMALL LETTER AN..GEORGIAN SMALL LETTER HOE
+	{0x2D27, 0x2D27, prAL, gcLl},     //         GEORGIAN SMALL LETTER YN
+	{0x2D2D, 0x2D2D, prAL, gcLl},     //         GEORGIAN SMALL LETTER AEN
+	{0x2D30, 0x2D67, prAL, gcLo},     //    [56] TIFINAGH LETTER YA..TIFINAGH LETTER YO
+	{0x2D6F, 0x2D6F, prAL, gcLm},     //         TIFINAGH MODIFIER LETTER LABIALIZATION MARK
+	{0x2D70, 0x2D70, prBA, gcPo},     //         TIFINAGH SEPARATOR MARK
+	{0x2D7F, 0x2D7F, prCM, gcMn},     //         TIFINAGH CONSONANT JOINER
+	{0x2D80, 0x2D96, prAL, gcLo},     //    [23] ETHIOPIC SYLLABLE LOA..ETHIOPIC SYLLABLE GGWE
+	{0x2DA0, 0x2DA6, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE SSA..ETHIOPIC SYLLABLE SSO
+	{0x2DA8, 0x2DAE, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE CCA..ETHIOPIC SYLLABLE CCO
+	{0x2DB0, 0x2DB6, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE ZZA..ETHIOPIC SYLLABLE ZZO
+	{0x2DB8, 0x2DBE, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE CCHA..ETHIOPIC SYLLABLE CCHO
+	{0x2DC0, 0x2DC6, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE QYA..ETHIOPIC SYLLABLE QYO
+	{0x2DC8, 0x2DCE, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE KYA..ETHIOPIC SYLLABLE KYO
+	{0x2DD0, 0x2DD6, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE XYA..ETHIOPIC SYLLABLE XYO
+	{0x2DD8, 0x2DDE, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE GYA..ETHIOPIC SYLLABLE GYO
+	{0x2DE0, 0x2DFF, prCM, gcMn},     //    [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+	{0x2E00, 0x2E01, prQU, gcPo},     //     [2] RIGHT ANGLE SUBSTITUTION MARKER..RIGHT ANGLE DOTTED SUBSTITUTION MARKER
+	{0x2E02, 0x2E02, prQU, gcPi},     //         LEFT SUBSTITUTION BRACKET
+	{0x2E03, 0x2E03, prQU, gcPf},     //         RIGHT SUBSTITUTION BRACKET
+	{0x2E04, 0x2E04, prQU, gcPi},     //         LEFT DOTTED SUBSTITUTION BRACKET
+	{0x2E05, 0x2E05, prQU, gcPf},     //         RIGHT DOTTED SUBSTITUTION BRACKET
+	{0x2E06, 0x2E08, prQU, gcPo},     //     [3] RAISED INTERPOLATION MARKER..DOTTED TRANSPOSITION MARKER
+	{0x2E09, 0x2E09, prQU, gcPi},     //         LEFT TRANSPOSITION BRACKET
+	{0x2E0A, 0x2E0A, prQU, gcPf},     //         RIGHT TRANSPOSITION BRACKET
+	{0x2E0B, 0x2E0B, prQU, gcPo},     //         RAISED SQUARE
+	{0x2E0C, 0x2E0C, prQU, gcPi},     //         LEFT RAISED OMISSION BRACKET
+	{0x2E0D, 0x2E0D, prQU, gcPf},     //         RIGHT RAISED OMISSION BRACKET
+	{0x2E0E, 0x2E15, prBA, gcPo},     //     [8] EDITORIAL CORONIS..UPWARDS ANCORA
+	{0x2E16, 0x2E16, prAL, gcPo},     //         DOTTED RIGHT-POINTING ANGLE
+	{0x2E17, 0x2E17, prBA, gcPd},     //         DOUBLE OBLIQUE HYPHEN
+	{0x2E18, 0x2E18, prOP, gcPo},     //         INVERTED INTERROBANG
+	{0x2E19, 0x2E19, prBA, gcPo},     //         PALM BRANCH
+	{0x2E1A, 0x2E1A, prAL, gcPd},     //         HYPHEN WITH DIAERESIS
+	{0x2E1B, 0x2E1B, prAL, gcPo},     //         TILDE WITH RING ABOVE
+	{0x2E1C, 0x2E1C, prQU, gcPi},     //         LEFT LOW PARAPHRASE BRACKET
+	{0x2E1D, 0x2E1D, prQU, gcPf},     //         RIGHT LOW PARAPHRASE BRACKET
+	{0x2E1E, 0x2E1F, prAL, gcPo},     //     [2] TILDE WITH DOT ABOVE..TILDE WITH DOT BELOW
+	{0x2E20, 0x2E20, prQU, gcPi},     //         LEFT VERTICAL BAR WITH QUILL
+	{0x2E21, 0x2E21, prQU, gcPf},     //         RIGHT VERTICAL BAR WITH QUILL
+	{0x2E22, 0x2E22, prOP, gcPs},     //         TOP LEFT HALF BRACKET
+	{0x2E23, 0x2E23, prCL, gcPe},     //         TOP RIGHT HALF BRACKET
+	{0x2E24, 0x2E24, prOP, gcPs},     //         BOTTOM LEFT HALF BRACKET
+	{0x2E25, 0x2E25, prCL, gcPe},     //         BOTTOM RIGHT HALF BRACKET
+	{0x2E26, 0x2E26, prOP, gcPs},     //         LEFT SIDEWAYS U BRACKET
+	{0x2E27, 0x2E27, prCL, gcPe},     //         RIGHT SIDEWAYS U BRACKET
+	{0x2E28, 0x2E28, prOP, gcPs},     //         LEFT DOUBLE PARENTHESIS
+	{0x2E29, 0x2E29, prCL, gcPe},     //         RIGHT DOUBLE PARENTHESIS
+	{0x2E2A, 0x2E2D, prBA, gcPo},     //     [4] TWO DOTS OVER ONE DOT PUNCTUATION..FIVE DOT MARK
+	{0x2E2E, 0x2E2E, prEX, gcPo},     //         REVERSED QUESTION MARK
+	{0x2E2F, 0x2E2F, prAL, gcLm},     //         VERTICAL TILDE
+	{0x2E30, 0x2E31, prBA, gcPo},     //     [2] RING POINT..WORD SEPARATOR MIDDLE DOT
+	{0x2E32, 0x2E32, prAL, gcPo},     //         TURNED COMMA
+	{0x2E33, 0x2E34, prBA, gcPo},     //     [2] RAISED DOT..RAISED COMMA
+	{0x2E35, 0x2E39, prAL, gcPo},     //     [5] TURNED SEMICOLON..TOP HALF SECTION SIGN
+	{0x2E3A, 0x2E3B, prB2, gcPd},     //     [2] TWO-EM DASH..THREE-EM DASH
+	{0x2E3C, 0x2E3E, prBA, gcPo},     //     [3] STENOGRAPHIC FULL STOP..WIGGLY VERTICAL LINE
+	{0x2E3F, 0x2E3F, prAL, gcPo},     //         CAPITULUM
+	{0x2E40, 0x2E40, prBA, gcPd},     //         DOUBLE HYPHEN
+	{0x2E41, 0x2E41, prBA, gcPo},     //         REVERSED COMMA
+	{0x2E42, 0x2E42, prOP, gcPs},     //         DOUBLE LOW-REVERSED-9 QUOTATION MARK
+	{0x2E43, 0x2E4A, prBA, gcPo},     //     [8] DASH WITH LEFT UPTURN..DOTTED SOLIDUS
+	{0x2E4B, 0x2E4B, prAL, gcPo},     //         TRIPLE DAGGER
+	{0x2E4C, 0x2E4C, prBA, gcPo},     //         MEDIEVAL COMMA
+	{0x2E4D, 0x2E4D, prAL, gcPo},     //         PARAGRAPHUS MARK
+	{0x2E4E, 0x2E4F, prBA, gcPo},     //     [2] PUNCTUS ELEVATUS MARK..CORNISH VERSE DIVIDER
+	{0x2E50, 0x2E51, prAL, gcSo},     //     [2] CROSS PATTY WITH RIGHT CROSSBAR..CROSS PATTY WITH LEFT CROSSBAR
+	{0x2E52, 0x2E52, prAL, gcPo},     //         TIRONIAN SIGN CAPITAL ET
+	{0x2E53, 0x2E54, prEX, gcPo},     //     [2] MEDIEVAL EXCLAMATION MARK..MEDIEVAL QUESTION MARK
+	{0x2E55, 0x2E55, prOP, gcPs},     //         LEFT SQUARE BRACKET WITH STROKE
+	{0x2E56, 0x2E56, prCL, gcPe},     //         RIGHT SQUARE BRACKET WITH STROKE
+	{0x2E57, 0x2E57, prOP, gcPs},     //         LEFT SQUARE BRACKET WITH DOUBLE STROKE
+	{0x2E58, 0x2E58, prCL, gcPe},     //         RIGHT SQUARE BRACKET WITH DOUBLE STROKE
+	{0x2E59, 0x2E59, prOP, gcPs},     //         TOP HALF LEFT PARENTHESIS
+	{0x2E5A, 0x2E5A, prCL, gcPe},     //         TOP HALF RIGHT PARENTHESIS
+	{0x2E5B, 0x2E5B, prOP, gcPs},     //         BOTTOM HALF LEFT PARENTHESIS
+	{0x2E5C, 0x2E5C, prCL, gcPe},     //         BOTTOM HALF RIGHT PARENTHESIS
+	{0x2E5D, 0x2E5D, prBA, gcPd},     //         OBLIQUE HYPHEN
+	{0x2E80, 0x2E99, prID, gcSo},     //    [26] CJK RADICAL REPEAT..CJK RADICAL RAP
+	{0x2E9B, 0x2EF3, prID, gcSo},     //    [89] CJK RADICAL CHOKE..CJK RADICAL C-SIMPLIFIED TURTLE
+	{0x2F00, 0x2FD5, prID, gcSo},     //   [214] KANGXI RADICAL ONE..KANGXI RADICAL FLUTE
+	{0x2FF0, 0x2FFB, prID, gcSo},     //    [12] IDEOGRAPHIC DESCRIPTION CHARACTER LEFT TO RIGHT..IDEOGRAPHIC DESCRIPTION CHARACTER OVERLAID
+	{0x3000, 0x3000, prBA, gcZs},     //         IDEOGRAPHIC SPACE
+	{0x3001, 0x3002, prCL, gcPo},     //     [2] IDEOGRAPHIC COMMA..IDEOGRAPHIC FULL STOP
+	{0x3003, 0x3003, prID, gcPo},     //         DITTO MARK
+	{0x3004, 0x3004, prID, gcSo},     //         JAPANESE INDUSTRIAL STANDARD SYMBOL
+	{0x3005, 0x3005, prNS, gcLm},     //         IDEOGRAPHIC ITERATION MARK
+	{0x3006, 0x3006, prID, gcLo},     //         IDEOGRAPHIC CLOSING MARK
+	{0x3007, 0x3007, prID, gcNl},     //         IDEOGRAPHIC NUMBER ZERO
+	{0x3008, 0x3008, prOP, gcPs},     //         LEFT ANGLE BRACKET
+	{0x3009, 0x3009, prCL, gcPe},     //         RIGHT ANGLE BRACKET
+	{0x300A, 0x300A, prOP, gcPs},     //         LEFT DOUBLE ANGLE BRACKET
+	{0x300B, 0x300B, prCL, gcPe},     //         RIGHT DOUBLE ANGLE BRACKET
+	{0x300C, 0x300C, prOP, gcPs},     //         LEFT CORNER BRACKET
+	{0x300D, 0x300D, prCL, gcPe},     //         RIGHT CORNER BRACKET
+	{0x300E, 0x300E, prOP, gcPs},     //         LEFT WHITE CORNER BRACKET
+	{0x300F, 0x300F, prCL, gcPe},     //         RIGHT WHITE CORNER BRACKET
+	{0x3010, 0x3010, prOP, gcPs},     //         LEFT BLACK LENTICULAR BRACKET
+	{0x3011, 0x3011, prCL, gcPe},     //         RIGHT BLACK LENTICULAR BRACKET
+	{0x3012, 0x3013, prID, gcSo},     //     [2] POSTAL MARK..GETA MARK
+	{0x3014, 0x3014, prOP, gcPs},     //         LEFT TORTOISE SHELL BRACKET
+	{0x3015, 0x3015, prCL, gcPe},     //         RIGHT TORTOISE SHELL BRACKET
+	{0x3016, 0x3016, prOP, gcPs},     //         LEFT WHITE LENTICULAR BRACKET
+	{0x3017, 0x3017, prCL, gcPe},     //         RIGHT WHITE LENTICULAR BRACKET
+	{0x3018, 0x3018, prOP, gcPs},     //         LEFT WHITE TORTOISE SHELL BRACKET
+	{0x3019, 0x3019, prCL, gcPe},     //         RIGHT WHITE TORTOISE SHELL BRACKET
+	{0x301A, 0x301A, prOP, gcPs},     //         LEFT WHITE SQUARE BRACKET
+	{0x301B, 0x301B, prCL, gcPe},     //         RIGHT WHITE SQUARE BRACKET
+	{0x301C, 0x301C, prNS, gcPd},     //         WAVE DASH
+	{0x301D, 0x301D, prOP, gcPs},     //         REVERSED DOUBLE PRIME QUOTATION MARK
+	{0x301E, 0x301F, prCL, gcPe},     //     [2] DOUBLE PRIME QUOTATION MARK..LOW DOUBLE PRIME QUOTATION MARK
+	{0x3020, 0x3020, prID, gcSo},     //         POSTAL MARK FACE
+	{0x3021, 0x3029, prID, gcNl},     //     [9] HANGZHOU NUMERAL ONE..HANGZHOU NUMERAL NINE
+	{0x302A, 0x302D, prCM, gcMn},     //     [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK
+	{0x302E, 0x302F, prCM, gcMc},     //     [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK
+	{0x3030, 0x3030, prID, gcPd},     //         WAVY DASH
+	{0x3031, 0x3034, prID, gcLm},     //     [4] VERTICAL KANA REPEAT MARK..VERTICAL KANA REPEAT WITH VOICED SOUND MARK UPPER HALF
+	{0x3035, 0x3035, prCM, gcLm},     //         VERTICAL KANA REPEAT MARK LOWER HALF
+	{0x3036, 0x3037, prID, gcSo},     //     [2] CIRCLED POSTAL MARK..IDEOGRAPHIC TELEGRAPH LINE FEED SEPARATOR SYMBOL
+	{0x3038, 0x303A, prID, gcNl},     //     [3] HANGZHOU NUMERAL TEN..HANGZHOU NUMERAL THIRTY
+	{0x303B, 0x303B, prNS, gcLm},     //         VERTICAL IDEOGRAPHIC ITERATION MARK
+	{0x303C, 0x303C, prNS, gcLo},     //         MASU MARK
+	{0x303D, 0x303D, prID, gcPo},     //         PART ALTERNATION MARK
+	{0x303E, 0x303F, prID, gcSo},     //     [2] IDEOGRAPHIC VARIATION INDICATOR..IDEOGRAPHIC HALF FILL SPACE
+	{0x3041, 0x3041, prCJ, gcLo},     //         HIRAGANA LETTER SMALL A
+	{0x3042, 0x3042, prID, gcLo},     //         HIRAGANA LETTER A
+	{0x3043, 0x3043, prCJ, gcLo},     //         HIRAGANA LETTER SMALL I
+	{0x3044, 0x3044, prID, gcLo},     //         HIRAGANA LETTER I
+	{0x3045, 0x3045, prCJ, gcLo},     //         HIRAGANA LETTER SMALL U
+	{0x3046, 0x3046, prID, gcLo},     //         HIRAGANA LETTER U
+	{0x3047, 0x3047, prCJ, gcLo},     //         HIRAGANA LETTER SMALL E
+	{0x3048, 0x3048, prID, gcLo},     //         HIRAGANA LETTER E
+	{0x3049, 0x3049, prCJ, gcLo},     //         HIRAGANA LETTER SMALL O
+	{0x304A, 0x3062, prID, gcLo},     //    [25] HIRAGANA LETTER O..HIRAGANA LETTER DI
+	{0x3063, 0x3063, prCJ, gcLo},     //         HIRAGANA LETTER SMALL TU
+	{0x3064, 0x3082, prID, gcLo},     //    [31] HIRAGANA LETTER TU..HIRAGANA LETTER MO
+	{0x3083, 0x3083, prCJ, gcLo},     //         HIRAGANA LETTER SMALL YA
+	{0x3084, 0x3084, prID, gcLo},     //         HIRAGANA LETTER YA
+	{0x3085, 0x3085, prCJ, gcLo},     //         HIRAGANA LETTER SMALL YU
+	{0x3086, 0x3086, prID, gcLo},     //         HIRAGANA LETTER YU
+	{0x3087, 0x3087, prCJ, gcLo},     //         HIRAGANA LETTER SMALL YO
+	{0x3088, 0x308D, prID, gcLo},     //     [6] HIRAGANA LETTER YO..HIRAGANA LETTER RO
+	{0x308E, 0x308E, prCJ, gcLo},     //         HIRAGANA LETTER SMALL WA
+	{0x308F, 0x3094, prID, gcLo},     //     [6] HIRAGANA LETTER WA..HIRAGANA LETTER VU
+	{0x3095, 0x3096, prCJ, gcLo},     //     [2] HIRAGANA LETTER SMALL KA..HIRAGANA LETTER SMALL KE
+	{0x3099, 0x309A, prCM, gcMn},     //     [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK
+	{0x309B, 0x309C, prNS, gcSk},     //     [2] KATAKANA-HIRAGANA VOICED SOUND MARK..KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK
+	{0x309D, 0x309E, prNS, gcLm},     //     [2] HIRAGANA ITERATION MARK..HIRAGANA VOICED ITERATION MARK
+	{0x309F, 0x309F, prID, gcLo},     //         HIRAGANA DIGRAPH YORI
+	{0x30A0, 0x30A0, prNS, gcPd},     //         KATAKANA-HIRAGANA DOUBLE HYPHEN
+	{0x30A1, 0x30A1, prCJ, gcLo},     //         KATAKANA LETTER SMALL A
+	{0x30A2, 0x30A2, prID, gcLo},     //         KATAKANA LETTER A
+	{0x30A3, 0x30A3, prCJ, gcLo},     //         KATAKANA LETTER SMALL I
+	{0x30A4, 0x30A4, prID, gcLo},     //         KATAKANA LETTER I
+	{0x30A5, 0x30A5, prCJ, gcLo},     //         KATAKANA LETTER SMALL U
+	{0x30A6, 0x30A6, prID, gcLo},     //         KATAKANA LETTER U
+	{0x30A7, 0x30A7, prCJ, gcLo},     //         KATAKANA LETTER SMALL E
+	{0x30A8, 0x30A8, prID, gcLo},     //         KATAKANA LETTER E
+	{0x30A9, 0x30A9, prCJ, gcLo},     //         KATAKANA LETTER SMALL O
+	{0x30AA, 0x30C2, prID, gcLo},     //    [25] KATAKANA LETTER O..KATAKANA LETTER DI
+	{0x30C3, 0x30C3, prCJ, gcLo},     //         KATAKANA LETTER SMALL TU
+	{0x30C4, 0x30E2, prID, gcLo},     //    [31] KATAKANA LETTER TU..KATAKANA LETTER MO
+	{0x30E3, 0x30E3, prCJ, gcLo},     //         KATAKANA LETTER SMALL YA
+	{0x30E4, 0x30E4, prID, gcLo},     //         KATAKANA LETTER YA
+	{0x30E5, 0x30E5, prCJ, gcLo},     //         KATAKANA LETTER SMALL YU
+	{0x30E6, 0x30E6, prID, gcLo},     //         KATAKANA LETTER YU
+	{0x30E7, 0x30E7, prCJ, gcLo},     //         KATAKANA LETTER SMALL YO
+	{0x30E8, 0x30ED, prID, gcLo},     //     [6] KATAKANA LETTER YO..KATAKANA LETTER RO
+	{0x30EE, 0x30EE, prCJ, gcLo},     //         KATAKANA LETTER SMALL WA
+	{0x30EF, 0x30F4, prID, gcLo},     //     [6] KATAKANA LETTER WA..KATAKANA LETTER VU
+	{0x30F5, 0x30F6, prCJ, gcLo},     //     [2] KATAKANA LETTER SMALL KA..KATAKANA LETTER SMALL KE
+	{0x30F7, 0x30FA, prID, gcLo},     //     [4] KATAKANA LETTER VA..KATAKANA LETTER VO
+	{0x30FB, 0x30FB, prNS, gcPo},     //         KATAKANA MIDDLE DOT
+	{0x30FC, 0x30FC, prCJ, gcLm},     //         KATAKANA-HIRAGANA PROLONGED SOUND MARK
+	{0x30FD, 0x30FE, prNS, gcLm},     //     [2] KATAKANA ITERATION MARK..KATAKANA VOICED ITERATION MARK
+	{0x30FF, 0x30FF, prID, gcLo},     //         KATAKANA DIGRAPH KOTO
+	{0x3105, 0x312F, prID, gcLo},     //    [43] BOPOMOFO LETTER B..BOPOMOFO LETTER NN
+	{0x3131, 0x318E, prID, gcLo},     //    [94] HANGUL LETTER KIYEOK..HANGUL LETTER ARAEAE
+	{0x3190, 0x3191, prID, gcSo},     //     [2] IDEOGRAPHIC ANNOTATION LINKING MARK..IDEOGRAPHIC ANNOTATION REVERSE MARK
+	{0x3192, 0x3195, prID, gcNo},     //     [4] IDEOGRAPHIC ANNOTATION ONE MARK..IDEOGRAPHIC ANNOTATION FOUR MARK
+	{0x3196, 0x319F, prID, gcSo},     //    [10] IDEOGRAPHIC ANNOTATION TOP MARK..IDEOGRAPHIC ANNOTATION MAN MARK
+	{0x31A0, 0x31BF, prID, gcLo},     //    [32] BOPOMOFO LETTER BU..BOPOMOFO LETTER AH
+	{0x31C0, 0x31E3, prID, gcSo},     //    [36] CJK STROKE T..CJK STROKE Q
+	{0x31F0, 0x31FF, prCJ, gcLo},     //    [16] KATAKANA LETTER SMALL KU..KATAKANA LETTER SMALL RO
+	{0x3200, 0x321E, prID, gcSo},     //    [31] PARENTHESIZED HANGUL KIYEOK..PARENTHESIZED KOREAN CHARACTER O HU
+	{0x3220, 0x3229, prID, gcNo},     //    [10] PARENTHESIZED IDEOGRAPH ONE..PARENTHESIZED IDEOGRAPH TEN
+	{0x322A, 0x3247, prID, gcSo},     //    [30] PARENTHESIZED IDEOGRAPH MOON..CIRCLED IDEOGRAPH KOTO
+	{0x3248, 0x324F, prAI, gcNo},     //     [8] CIRCLED NUMBER TEN ON BLACK SQUARE..CIRCLED NUMBER EIGHTY ON BLACK SQUARE
+	{0x3250, 0x3250, prID, gcSo},     //         PARTNERSHIP SIGN
+	{0x3251, 0x325F, prID, gcNo},     //    [15] CIRCLED NUMBER TWENTY ONE..CIRCLED NUMBER THIRTY FIVE
+	{0x3260, 0x327F, prID, gcSo},     //    [32] CIRCLED HANGUL KIYEOK..KOREAN STANDARD SYMBOL
+	{0x3280, 0x3289, prID, gcNo},     //    [10] CIRCLED IDEOGRAPH ONE..CIRCLED IDEOGRAPH TEN
+	{0x328A, 0x32B0, prID, gcSo},     //    [39] CIRCLED IDEOGRAPH MOON..CIRCLED IDEOGRAPH NIGHT
+	{0x32B1, 0x32BF, prID, gcNo},     //    [15] CIRCLED NUMBER THIRTY SIX..CIRCLED NUMBER FIFTY
+	{0x32C0, 0x32FF, prID, gcSo},     //    [64] IDEOGRAPHIC TELEGRAPH SYMBOL FOR JANUARY..SQUARE ERA NAME REIWA
+	{0x3300, 0x33FF, prID, gcSo},     //   [256] SQUARE APAATO..SQUARE GAL
+	{0x3400, 0x4DBF, prID, gcLo},     //  [6592] CJK UNIFIED IDEOGRAPH-3400..CJK UNIFIED IDEOGRAPH-4DBF
+	{0x4DC0, 0x4DFF, prAL, gcSo},     //    [64] HEXAGRAM FOR THE CREATIVE HEAVEN..HEXAGRAM FOR BEFORE COMPLETION
+	{0x4E00, 0x9FFF, prID, gcLo},     // [20992] CJK UNIFIED IDEOGRAPH-4E00..CJK UNIFIED IDEOGRAPH-9FFF
+	{0xA000, 0xA014, prID, gcLo},     //    [21] YI SYLLABLE IT..YI SYLLABLE E
+	{0xA015, 0xA015, prNS, gcLm},     //         YI SYLLABLE WU
+	{0xA016, 0xA48C, prID, gcLo},     //  [1143] YI SYLLABLE BIT..YI SYLLABLE YYR
+	{0xA490, 0xA4C6, prID, gcSo},     //    [55] YI RADICAL QOT..YI RADICAL KE
+	{0xA4D0, 0xA4F7, prAL, gcLo},     //    [40] LISU LETTER BA..LISU LETTER OE
+	{0xA4F8, 0xA4FD, prAL, gcLm},     //     [6] LISU LETTER TONE MYA TI..LISU LETTER TONE MYA JEU
+	{0xA4FE, 0xA4FF, prBA, gcPo},     //     [2] LISU PUNCTUATION COMMA..LISU PUNCTUATION FULL STOP
+	{0xA500, 0xA60B, prAL, gcLo},     //   [268] VAI SYLLABLE EE..VAI SYLLABLE NG
+	{0xA60C, 0xA60C, prAL, gcLm},     //         VAI SYLLABLE LENGTHENER
+	{0xA60D, 0xA60D, prBA, gcPo},     //         VAI COMMA
+	{0xA60E, 0xA60E, prEX, gcPo},     //         VAI FULL STOP
+	{0xA60F, 0xA60F, prBA, gcPo},     //         VAI QUESTION MARK
+	{0xA610, 0xA61F, prAL, gcLo},     //    [16] VAI SYLLABLE NDOLE FA..VAI SYMBOL JONG
+	{0xA620, 0xA629, prNU, gcNd},     //    [10] VAI DIGIT ZERO..VAI DIGIT NINE
+	{0xA62A, 0xA62B, prAL, gcLo},     //     [2] VAI SYLLABLE NDOLE MA..VAI SYLLABLE NDOLE DO
+	{0xA640, 0xA66D, prAL, gcLC},     //    [46] CYRILLIC CAPITAL LETTER ZEMLYA..CYRILLIC SMALL LETTER DOUBLE MONOCULAR O
+	{0xA66E, 0xA66E, prAL, gcLo},     //         CYRILLIC LETTER MULTIOCULAR O
+	{0xA66F, 0xA66F, prCM, gcMn},     //         COMBINING CYRILLIC VZMET
+	{0xA670, 0xA672, prCM, gcMe},     //     [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN
+	{0xA673, 0xA673, prAL, gcPo},     //         SLAVONIC ASTERISK
+	{0xA674, 0xA67D, prCM, gcMn},     //    [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK
+	{0xA67E, 0xA67E, prAL, gcPo},     //         CYRILLIC KAVYKA
+	{0xA67F, 0xA67F, prAL, gcLm},     //         CYRILLIC PAYEROK
+	{0xA680, 0xA69B, prAL, gcLC},     //    [28] CYRILLIC CAPITAL LETTER DWE..CYRILLIC SMALL LETTER CROSSED O
+	{0xA69C, 0xA69D, prAL, gcLm},     //     [2] MODIFIER LETTER CYRILLIC HARD SIGN..MODIFIER LETTER CYRILLIC SOFT SIGN
+	{0xA69E, 0xA69F, prCM, gcMn},     //     [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E
+	{0xA6A0, 0xA6E5, prAL, gcLo},     //    [70] BAMUM LETTER A..BAMUM LETTER KI
+	{0xA6E6, 0xA6EF, prAL, gcNl},     //    [10] BAMUM LETTER MO..BAMUM LETTER KOGHOM
+	{0xA6F0, 0xA6F1, prCM, gcMn},     //     [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS
+	{0xA6F2, 0xA6F2, prAL, gcPo},     //         BAMUM NJAEMLI
+	{0xA6F3, 0xA6F7, prBA, gcPo},     //     [5] BAMUM FULL STOP..BAMUM QUESTION MARK
+	{0xA700, 0xA716, prAL, gcSk},     //    [23] MODIFIER LETTER CHINESE TONE YIN PING..MODIFIER LETTER EXTRA-LOW LEFT-STEM TONE BAR
+	{0xA717, 0xA71F, prAL, gcLm},     //     [9] MODIFIER LETTER DOT VERTICAL BAR..MODIFIER LETTER LOW INVERTED EXCLAMATION MARK
+	{0xA720, 0xA721, prAL, gcSk},     //     [2] MODIFIER LETTER STRESS AND HIGH TONE..MODIFIER LETTER STRESS AND LOW TONE
+	{0xA722, 0xA76F, prAL, gcLC},     //    [78] LATIN CAPITAL LETTER EGYPTOLOGICAL ALEF..LATIN SMALL LETTER CON
+	{0xA770, 0xA770, prAL, gcLm},     //         MODIFIER LETTER US
+	{0xA771, 0xA787, prAL, gcLC},     //    [23] LATIN SMALL LETTER DUM..LATIN SMALL LETTER INSULAR T
+	{0xA788, 0xA788, prAL, gcLm},     //         MODIFIER LETTER LOW CIRCUMFLEX ACCENT
+	{0xA789, 0xA78A, prAL, gcSk},     //     [2] MODIFIER LETTER COLON..MODIFIER LETTER SHORT EQUALS SIGN
+	{0xA78B, 0xA78E, prAL, gcLC},     //     [4] LATIN CAPITAL LETTER SALTILLO..LATIN SMALL LETTER L WITH RETROFLEX HOOK AND BELT
+	{0xA78F, 0xA78F, prAL, gcLo},     //         LATIN LETTER SINOLOGICAL DOT
+	{0xA790, 0xA7CA, prAL, gcLC},     //    [59] LATIN CAPITAL LETTER N WITH DESCENDER..LATIN SMALL LETTER S WITH SHORT STROKE OVERLAY
+	{0xA7D0, 0xA7D1, prAL, gcLC},     //     [2] LATIN CAPITAL LETTER CLOSED INSULAR G..LATIN SMALL LETTER CLOSED INSULAR G
+	{0xA7D3, 0xA7D3, prAL, gcLl},     //         LATIN SMALL LETTER DOUBLE THORN
+	{0xA7D5, 0xA7D9, prAL, gcLC},     //     [5] LATIN SMALL LETTER DOUBLE WYNN..LATIN SMALL LETTER SIGMOID S
+	{0xA7F2, 0xA7F4, prAL, gcLm},     //     [3] MODIFIER LETTER CAPITAL C..MODIFIER LETTER CAPITAL Q
+	{0xA7F5, 0xA7F6, prAL, gcLC},     //     [2] LATIN CAPITAL LETTER REVERSED HALF H..LATIN SMALL LETTER REVERSED HALF H
+	{0xA7F7, 0xA7F7, prAL, gcLo},     //         LATIN EPIGRAPHIC LETTER SIDEWAYS I
+	{0xA7F8, 0xA7F9, prAL, gcLm},     //     [2] MODIFIER LETTER CAPITAL H WITH STROKE..MODIFIER LETTER SMALL LIGATURE OE
+	{0xA7FA, 0xA7FA, prAL, gcLl},     //         LATIN LETTER SMALL CAPITAL TURNED M
+	{0xA7FB, 0xA7FF, prAL, gcLo},     //     [5] LATIN EPIGRAPHIC LETTER REVERSED F..LATIN EPIGRAPHIC LETTER ARCHAIC M
+	{0xA800, 0xA801, prAL, gcLo},     //     [2] SYLOTI NAGRI LETTER A..SYLOTI NAGRI LETTER I
+	{0xA802, 0xA802, prCM, gcMn},     //         SYLOTI NAGRI SIGN DVISVARA
+	{0xA803, 0xA805, prAL, gcLo},     //     [3] SYLOTI NAGRI LETTER U..SYLOTI NAGRI LETTER O
+	{0xA806, 0xA806, prCM, gcMn},     //         SYLOTI NAGRI SIGN HASANTA
+	{0xA807, 0xA80A, prAL, gcLo},     //     [4] SYLOTI NAGRI LETTER KO..SYLOTI NAGRI LETTER GHO
+	{0xA80B, 0xA80B, prCM, gcMn},     //         SYLOTI NAGRI SIGN ANUSVARA
+	{0xA80C, 0xA822, prAL, gcLo},     //    [23] SYLOTI NAGRI LETTER CO..SYLOTI NAGRI LETTER HO
+	{0xA823, 0xA824, prCM, gcMc},     //     [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I
+	{0xA825, 0xA826, prCM, gcMn},     //     [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E
+	{0xA827, 0xA827, prCM, gcMc},     //         SYLOTI NAGRI VOWEL SIGN OO
+	{0xA828, 0xA82B, prAL, gcSo},     //     [4] SYLOTI NAGRI POETRY MARK-1..SYLOTI NAGRI POETRY MARK-4
+	{0xA82C, 0xA82C, prCM, gcMn},     //         SYLOTI NAGRI SIGN ALTERNATE HASANTA
+	{0xA830, 0xA835, prAL, gcNo},     //     [6] NORTH INDIC FRACTION ONE QUARTER..NORTH INDIC FRACTION THREE SIXTEENTHS
+	{0xA836, 0xA837, prAL, gcSo},     //     [2] NORTH INDIC QUARTER MARK..NORTH INDIC PLACEHOLDER MARK
+	{0xA838, 0xA838, prPO, gcSc},     //         NORTH INDIC RUPEE MARK
+	{0xA839, 0xA839, prAL, gcSo},     //         NORTH INDIC QUANTITY MARK
+	{0xA840, 0xA873, prAL, gcLo},     //    [52] PHAGS-PA LETTER KA..PHAGS-PA LETTER CANDRABINDU
+	{0xA874, 0xA875, prBB, gcPo},     //     [2] PHAGS-PA SINGLE HEAD MARK..PHAGS-PA DOUBLE HEAD MARK
+	{0xA876, 0xA877, prEX, gcPo},     //     [2] PHAGS-PA MARK SHAD..PHAGS-PA MARK DOUBLE SHAD
+	{0xA880, 0xA881, prCM, gcMc},     //     [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA
+	{0xA882, 0xA8B3, prAL, gcLo},     //    [50] SAURASHTRA LETTER A..SAURASHTRA LETTER LLA
+	{0xA8B4, 0xA8C3, prCM, gcMc},     //    [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU
+	{0xA8C4, 0xA8C5, prCM, gcMn},     //     [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU
+	{0xA8CE, 0xA8CF, prBA, gcPo},     //     [2] SAURASHTRA DANDA..SAURASHTRA DOUBLE DANDA
+	{0xA8D0, 0xA8D9, prNU, gcNd},     //    [10] SAURASHTRA DIGIT ZERO..SAURASHTRA DIGIT NINE
+	{0xA8E0, 0xA8F1, prCM, gcMn},     //    [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA
+	{0xA8F2, 0xA8F7, prAL, gcLo},     //     [6] DEVANAGARI SIGN SPACING CANDRABINDU..DEVANAGARI SIGN CANDRABINDU AVAGRAHA
+	{0xA8F8, 0xA8FA, prAL, gcPo},     //     [3] DEVANAGARI SIGN PUSHPIKA..DEVANAGARI CARET
+	{0xA8FB, 0xA8FB, prAL, gcLo},     //         DEVANAGARI HEADSTROKE
+	{0xA8FC, 0xA8FC, prBB, gcPo},     //         DEVANAGARI SIGN SIDDHAM
+	{0xA8FD, 0xA8FE, prAL, gcLo},     //     [2] DEVANAGARI JAIN OM..DEVANAGARI LETTER AY
+	{0xA8FF, 0xA8FF, prCM, gcMn},     //         DEVANAGARI VOWEL SIGN AY
+	{0xA900, 0xA909, prNU, gcNd},     //    [10] KAYAH LI DIGIT ZERO..KAYAH LI DIGIT NINE
+	{0xA90A, 0xA925, prAL, gcLo},     //    [28] KAYAH LI LETTER KA..KAYAH LI LETTER OO
+	{0xA926, 0xA92D, prCM, gcMn},     //     [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU
+	{0xA92E, 0xA92F, prBA, gcPo},     //     [2] KAYAH LI SIGN CWI..KAYAH LI SIGN SHYA
+	{0xA930, 0xA946, prAL, gcLo},     //    [23] REJANG LETTER KA..REJANG LETTER A
+	{0xA947, 0xA951, prCM, gcMn},     //    [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R
+	{0xA952, 0xA953, prCM, gcMc},     //     [2] REJANG CONSONANT SIGN H..REJANG VIRAMA
+	{0xA95F, 0xA95F, prAL, gcPo},     //         REJANG SECTION MARK
+	{0xA960, 0xA97C, prJL, gcLo},     //    [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH
+	{0xA980, 0xA982, prCM, gcMn},     //     [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR
+	{0xA983, 0xA983, prCM, gcMc},     //         JAVANESE SIGN WIGNYAN
+	{0xA984, 0xA9B2, prAL, gcLo},     //    [47] JAVANESE LETTER A..JAVANESE LETTER HA
+	{0xA9B3, 0xA9B3, prCM, gcMn},     //         JAVANESE SIGN CECAK TELU
+	{0xA9B4, 0xA9B5, prCM, gcMc},     //     [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG
+	{0xA9B6, 0xA9B9, prCM, gcMn},     //     [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT
+	{0xA9BA, 0xA9BB, prCM, gcMc},     //     [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE
+	{0xA9BC, 0xA9BD, prCM, gcMn},     //     [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET
+	{0xA9BE, 0xA9C0, prCM, gcMc},     //     [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON
+	{0xA9C1, 0xA9C6, prAL, gcPo},     //     [6] JAVANESE LEFT RERENGGAN..JAVANESE PADA WINDU
+	{0xA9C7, 0xA9C9, prBA, gcPo},     //     [3] JAVANESE PADA PANGKAT..JAVANESE PADA LUNGSI
+	{0xA9CA, 0xA9CD, prAL, gcPo},     //     [4] JAVANESE PADA ADEG..JAVANESE TURNED PADA PISELEH
+	{0xA9CF, 0xA9CF, prAL, gcLm},     //         JAVANESE PANGRANGKEP
+	{0xA9D0, 0xA9D9, prNU, gcNd},     //    [10] JAVANESE DIGIT ZERO..JAVANESE DIGIT NINE
+	{0xA9DE, 0xA9DF, prAL, gcPo},     //     [2] JAVANESE PADA TIRTA TUMETES..JAVANESE PADA ISEN-ISEN
+	{0xA9E0, 0xA9E4, prSA, gcLo},     //     [5] MYANMAR LETTER SHAN GHA..MYANMAR LETTER SHAN BHA
+	{0xA9E5, 0xA9E5, prSA, gcMn},     //         MYANMAR SIGN SHAN SAW
+	{0xA9E6, 0xA9E6, prSA, gcLm},     //         MYANMAR MODIFIER LETTER SHAN REDUPLICATION
+	{0xA9E7, 0xA9EF, prSA, gcLo},     //     [9] MYANMAR LETTER TAI LAING NYA..MYANMAR LETTER TAI LAING NNA
+	{0xA9F0, 0xA9F9, prNU, gcNd},     //    [10] MYANMAR TAI LAING DIGIT ZERO..MYANMAR TAI LAING DIGIT NINE
+	{0xA9FA, 0xA9FE, prSA, gcLo},     //     [5] MYANMAR LETTER TAI LAING LLA..MYANMAR LETTER TAI LAING BHA
+	{0xAA00, 0xAA28, prAL, gcLo},     //    [41] CHAM LETTER A..CHAM LETTER HA
+	{0xAA29, 0xAA2E, prCM, gcMn},     //     [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE
+	{0xAA2F, 0xAA30, prCM, gcMc},     //     [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI
+	{0xAA31, 0xAA32, prCM, gcMn},     //     [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE
+	{0xAA33, 0xAA34, prCM, gcMc},     //     [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA
+	{0xAA35, 0xAA36, prCM, gcMn},     //     [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA
+	{0xAA40, 0xAA42, prAL, gcLo},     //     [3] CHAM LETTER FINAL K..CHAM LETTER FINAL NG
+	{0xAA43, 0xAA43, prCM, gcMn},     //         CHAM CONSONANT SIGN FINAL NG
+	{0xAA44, 0xAA4B, prAL, gcLo},     //     [8] CHAM LETTER FINAL CH..CHAM LETTER FINAL SS
+	{0xAA4C, 0xAA4C, prCM, gcMn},     //         CHAM CONSONANT SIGN FINAL M
+	{0xAA4D, 0xAA4D, prCM, gcMc},     //         CHAM CONSONANT SIGN FINAL H
+	{0xAA50, 0xAA59, prNU, gcNd},     //    [10] CHAM DIGIT ZERO..CHAM DIGIT NINE
+	{0xAA5C, 0xAA5C, prAL, gcPo},     //         CHAM PUNCTUATION SPIRAL
+	{0xAA5D, 0xAA5F, prBA, gcPo},     //     [3] CHAM PUNCTUATION DANDA..CHAM PUNCTUATION TRIPLE DANDA
+	{0xAA60, 0xAA6F, prSA, gcLo},     //    [16] MYANMAR LETTER KHAMTI GA..MYANMAR LETTER KHAMTI FA
+	{0xAA70, 0xAA70, prSA, gcLm},     //         MYANMAR MODIFIER LETTER KHAMTI REDUPLICATION
+	{0xAA71, 0xAA76, prSA, gcLo},     //     [6] MYANMAR LETTER KHAMTI XA..MYANMAR LOGOGRAM KHAMTI HM
+	{0xAA77, 0xAA79, prSA, gcSo},     //     [3] MYANMAR SYMBOL AITON EXCLAMATION..MYANMAR SYMBOL AITON TWO
+	{0xAA7A, 0xAA7A, prSA, gcLo},     //         MYANMAR LETTER AITON RA
+	{0xAA7B, 0xAA7B, prSA, gcMc},     //         MYANMAR SIGN PAO KAREN TONE
+	{0xAA7C, 0xAA7C, prSA, gcMn},     //         MYANMAR SIGN TAI LAING TONE-2
+	{0xAA7D, 0xAA7D, prSA, gcMc},     //         MYANMAR SIGN TAI LAING TONE-5
+	{0xAA7E, 0xAA7F, prSA, gcLo},     //     [2] MYANMAR LETTER SHWE PALAUNG CHA..MYANMAR LETTER SHWE PALAUNG SHA
+	{0xAA80, 0xAAAF, prSA, gcLo},     //    [48] TAI VIET LETTER LOW KO..TAI VIET LETTER HIGH O
+	{0xAAB0, 0xAAB0, prSA, gcMn},     //         TAI VIET MAI KANG
+	{0xAAB1, 0xAAB1, prSA, gcLo},     //         TAI VIET VOWEL AA
+	{0xAAB2, 0xAAB4, prSA, gcMn},     //     [3] TAI VIET VOWEL I..TAI VIET VOWEL U
+	{0xAAB5, 0xAAB6, prSA, gcLo},     //     [2] TAI VIET VOWEL E..TAI VIET VOWEL O
+	{0xAAB7, 0xAAB8, prSA, gcMn},     //     [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA
+	{0xAAB9, 0xAABD, prSA, gcLo},     //     [5] TAI VIET VOWEL UEA..TAI VIET VOWEL AN
+	{0xAABE, 0xAABF, prSA, gcMn},     //     [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK
+	{0xAAC0, 0xAAC0, prSA, gcLo},     //         TAI VIET TONE MAI NUENG
+	{0xAAC1, 0xAAC1, prSA, gcMn},     //         TAI VIET TONE MAI THO
+	{0xAAC2, 0xAAC2, prSA, gcLo},     //         TAI VIET TONE MAI SONG
+	{0xAADB, 0xAADC, prSA, gcLo},     //     [2] TAI VIET SYMBOL KON..TAI VIET SYMBOL NUENG
+	{0xAADD, 0xAADD, prSA, gcLm},     //         TAI VIET SYMBOL SAM
+	{0xAADE, 0xAADF, prSA, gcPo},     //     [2] TAI VIET SYMBOL HO HOI..TAI VIET SYMBOL KOI KOI
+	{0xAAE0, 0xAAEA, prAL, gcLo},     //    [11] MEETEI MAYEK LETTER E..MEETEI MAYEK LETTER SSA
+	{0xAAEB, 0xAAEB, prCM, gcMc},     //         MEETEI MAYEK VOWEL SIGN II
+	{0xAAEC, 0xAAED, prCM, gcMn},     //     [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI
+	{0xAAEE, 0xAAEF, prCM, gcMc},     //     [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU
+	{0xAAF0, 0xAAF1, prBA, gcPo},     //     [2] MEETEI MAYEK CHEIKHAN..MEETEI MAYEK AHANG KHUDAM
+	{0xAAF2, 0xAAF2, prAL, gcLo},     //         MEETEI MAYEK ANJI
+	{0xAAF3, 0xAAF4, prAL, gcLm},     //     [2] MEETEI MAYEK SYLLABLE REPETITION MARK..MEETEI MAYEK WORD REPETITION MARK
+	{0xAAF5, 0xAAF5, prCM, gcMc},     //         MEETEI MAYEK VOWEL SIGN VISARGA
+	{0xAAF6, 0xAAF6, prCM, gcMn},     //         MEETEI MAYEK VIRAMA
+	{0xAB01, 0xAB06, prAL, gcLo},     //     [6] ETHIOPIC SYLLABLE TTHU..ETHIOPIC SYLLABLE TTHO
+	{0xAB09, 0xAB0E, prAL, gcLo},     //     [6] ETHIOPIC SYLLABLE DDHU..ETHIOPIC SYLLABLE DDHO
+	{0xAB11, 0xAB16, prAL, gcLo},     //     [6] ETHIOPIC SYLLABLE DZU..ETHIOPIC SYLLABLE DZO
+	{0xAB20, 0xAB26, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE CCHHA..ETHIOPIC SYLLABLE CCHHO
+	{0xAB28, 0xAB2E, prAL, gcLo},     //     [7] ETHIOPIC SYLLABLE BBA..ETHIOPIC SYLLABLE BBO
+	{0xAB30, 0xAB5A, prAL, gcLl},     //    [43] LATIN SMALL LETTER BARRED ALPHA..LATIN SMALL LETTER Y WITH SHORT RIGHT LEG
+	{0xAB5B, 0xAB5B, prAL, gcSk},     //         MODIFIER BREVE WITH INVERTED BREVE
+	{0xAB5C, 0xAB5F, prAL, gcLm},     //     [4] MODIFIER LETTER SMALL HENG..MODIFIER LETTER SMALL U WITH LEFT HOOK
+	{0xAB60, 0xAB68, prAL, gcLl},     //     [9] LATIN SMALL LETTER SAKHA YAT..LATIN SMALL LETTER TURNED R WITH MIDDLE TILDE
+	{0xAB69, 0xAB69, prAL, gcLm},     //         MODIFIER LETTER SMALL TURNED W
+	{0xAB6A, 0xAB6B, prAL, gcSk},     //     [2] MODIFIER LETTER LEFT TACK..MODIFIER LETTER RIGHT TACK
+	{0xAB70, 0xABBF, prAL, gcLl},     //    [80] CHEROKEE SMALL LETTER A..CHEROKEE SMALL LETTER YA
+	{0xABC0, 0xABE2, prAL, gcLo},     //    [35] MEETEI MAYEK LETTER KOK..MEETEI MAYEK LETTER I LONSUM
+	{0xABE3, 0xABE4, prCM, gcMc},     //     [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP
+	{0xABE5, 0xABE5, prCM, gcMn},     //         MEETEI MAYEK VOWEL SIGN ANAP
+	{0xABE6, 0xABE7, prCM, gcMc},     //     [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP
+	{0xABE8, 0xABE8, prCM, gcMn},     //         MEETEI MAYEK VOWEL SIGN UNAP
+	{0xABE9, 0xABEA, prCM, gcMc},     //     [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG
+	{0xABEB, 0xABEB, prBA, gcPo},     //         MEETEI MAYEK CHEIKHEI
+	{0xABEC, 0xABEC, prCM, gcMc},     //         MEETEI MAYEK LUM IYEK
+	{0xABED, 0xABED, prCM, gcMn},     //         MEETEI MAYEK APUN IYEK
+	{0xABF0, 0xABF9, prNU, gcNd},     //    [10] MEETEI MAYEK DIGIT ZERO..MEETEI MAYEK DIGIT NINE
+	{0xAC00, 0xAC00, prH2, gcLo},     //         HANGUL SYLLABLE GA
+	{0xAC01, 0xAC1B, prH3, gcLo},     //    [27] HANGUL SYLLABLE GAG..HANGUL SYLLABLE GAH
+	{0xAC1C, 0xAC1C, prH2, gcLo},     //         HANGUL SYLLABLE GAE
+	{0xAC1D, 0xAC37, prH3, gcLo},     //    [27] HANGUL SYLLABLE GAEG..HANGUL SYLLABLE GAEH
+	{0xAC38, 0xAC38, prH2, gcLo},     //         HANGUL SYLLABLE GYA
+	{0xAC39, 0xAC53, prH3, gcLo},     //    [27] HANGUL SYLLABLE GYAG..HANGUL SYLLABLE GYAH
+	{0xAC54, 0xAC54, prH2, gcLo},     //         HANGUL SYLLABLE GYAE
+	{0xAC55, 0xAC6F, prH3, gcLo},     //    [27] HANGUL SYLLABLE GYAEG..HANGUL SYLLABLE GYAEH
+	{0xAC70, 0xAC70, prH2, gcLo},     //         HANGUL SYLLABLE GEO
+	{0xAC71, 0xAC8B, prH3, gcLo},     //    [27] HANGUL SYLLABLE GEOG..HANGUL SYLLABLE GEOH
+	{0xAC8C, 0xAC8C, prH2, gcLo},     //         HANGUL SYLLABLE GE
+	{0xAC8D, 0xACA7, prH3, gcLo},     //    [27] HANGUL SYLLABLE GEG..HANGUL SYLLABLE GEH
+	{0xACA8, 0xACA8, prH2, gcLo},     //         HANGUL SYLLABLE GYEO
+	{0xACA9, 0xACC3, prH3, gcLo},     //    [27] HANGUL SYLLABLE GYEOG..HANGUL SYLLABLE GYEOH
+	{0xACC4, 0xACC4, prH2, gcLo},     //         HANGUL SYLLABLE GYE
+	{0xACC5, 0xACDF, prH3, gcLo},     //    [27] HANGUL SYLLABLE GYEG..HANGUL SYLLABLE GYEH
+	{0xACE0, 0xACE0, prH2, gcLo},     //         HANGUL SYLLABLE GO
+	{0xACE1, 0xACFB, prH3, gcLo},     //    [27] HANGUL SYLLABLE GOG..HANGUL SYLLABLE GOH
+	{0xACFC, 0xACFC, prH2, gcLo},     //         HANGUL SYLLABLE GWA
+	{0xACFD, 0xAD17, prH3, gcLo},     //    [27] HANGUL SYLLABLE GWAG..HANGUL SYLLABLE GWAH
+	{0xAD18, 0xAD18, prH2, gcLo},     //         HANGUL SYLLABLE GWAE
+	{0xAD19, 0xAD33, prH3, gcLo},     //    [27] HANGUL SYLLABLE GWAEG..HANGUL SYLLABLE GWAEH
+	{0xAD34, 0xAD34, prH2, gcLo},     //         HANGUL SYLLABLE GOE
+	{0xAD35, 0xAD4F, prH3, gcLo},     //    [27] HANGUL SYLLABLE GOEG..HANGUL SYLLABLE GOEH
+	{0xAD50, 0xAD50, prH2, gcLo},     //         HANGUL SYLLABLE GYO
+	{0xAD51, 0xAD6B, prH3, gcLo},     //    [27] HANGUL SYLLABLE GYOG..HANGUL SYLLABLE GYOH
+	{0xAD6C, 0xAD6C, prH2, gcLo},     //         HANGUL SYLLABLE GU
+	{0xAD6D, 0xAD87, prH3, gcLo},     //    [27] HANGUL SYLLABLE GUG..HANGUL SYLLABLE GUH
+	{0xAD88, 0xAD88, prH2, gcLo},     //         HANGUL SYLLABLE GWEO
+	{0xAD89, 0xADA3, prH3, gcLo},     //    [27] HANGUL SYLLABLE GWEOG..HANGUL SYLLABLE GWEOH
+	{0xADA4, 0xADA4, prH2, gcLo},     //         HANGUL SYLLABLE GWE
+	{0xADA5, 0xADBF, prH3, gcLo},     //    [27] HANGUL SYLLABLE GWEG..HANGUL SYLLABLE GWEH
+	{0xADC0, 0xADC0, prH2, gcLo},     //         HANGUL SYLLABLE GWI
+	{0xADC1, 0xADDB, prH3, gcLo},     //    [27] HANGUL SYLLABLE GWIG..HANGUL SYLLABLE GWIH
+	{0xADDC, 0xADDC, prH2, gcLo},     //         HANGUL SYLLABLE GYU
+	{0xADDD, 0xADF7, prH3, gcLo},     //    [27] HANGUL SYLLABLE GYUG..HANGUL SYLLABLE GYUH
+	{0xADF8, 0xADF8, prH2, gcLo},     //         HANGUL SYLLABLE GEU
+	{0xADF9, 0xAE13, prH3, gcLo},     //    [27] HANGUL SYLLABLE GEUG..HANGUL SYLLABLE GEUH
+	{0xAE14, 0xAE14, prH2, gcLo},     //         HANGUL SYLLABLE GYI
+	{0xAE15, 0xAE2F, prH3, gcLo},     //    [27] HANGUL SYLLABLE GYIG..HANGUL SYLLABLE GYIH
+	{0xAE30, 0xAE30, prH2, gcLo},     //         HANGUL SYLLABLE GI
+	{0xAE31, 0xAE4B, prH3, gcLo},     //    [27] HANGUL SYLLABLE GIG..HANGUL SYLLABLE GIH
+	{0xAE4C, 0xAE4C, prH2, gcLo},     //         HANGUL SYLLABLE GGA
+	{0xAE4D, 0xAE67, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGAG..HANGUL SYLLABLE GGAH
+	{0xAE68, 0xAE68, prH2, gcLo},     //         HANGUL SYLLABLE GGAE
+	{0xAE69, 0xAE83, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGAEG..HANGUL SYLLABLE GGAEH
+	{0xAE84, 0xAE84, prH2, gcLo},     //         HANGUL SYLLABLE GGYA
+	{0xAE85, 0xAE9F, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGYAG..HANGUL SYLLABLE GGYAH
+	{0xAEA0, 0xAEA0, prH2, gcLo},     //         HANGUL SYLLABLE GGYAE
+	{0xAEA1, 0xAEBB, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGYAEG..HANGUL SYLLABLE GGYAEH
+	{0xAEBC, 0xAEBC, prH2, gcLo},     //         HANGUL SYLLABLE GGEO
+	{0xAEBD, 0xAED7, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGEOG..HANGUL SYLLABLE GGEOH
+	{0xAED8, 0xAED8, prH2, gcLo},     //         HANGUL SYLLABLE GGE
+	{0xAED9, 0xAEF3, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGEG..HANGUL SYLLABLE GGEH
+	{0xAEF4, 0xAEF4, prH2, gcLo},     //         HANGUL SYLLABLE GGYEO
+	{0xAEF5, 0xAF0F, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGYEOG..HANGUL SYLLABLE GGYEOH
+	{0xAF10, 0xAF10, prH2, gcLo},     //         HANGUL SYLLABLE GGYE
+	{0xAF11, 0xAF2B, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGYEG..HANGUL SYLLABLE GGYEH
+	{0xAF2C, 0xAF2C, prH2, gcLo},     //         HANGUL SYLLABLE GGO
+	{0xAF2D, 0xAF47, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGOG..HANGUL SYLLABLE GGOH
+	{0xAF48, 0xAF48, prH2, gcLo},     //         HANGUL SYLLABLE GGWA
+	{0xAF49, 0xAF63, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGWAG..HANGUL SYLLABLE GGWAH
+	{0xAF64, 0xAF64, prH2, gcLo},     //         HANGUL SYLLABLE GGWAE
+	{0xAF65, 0xAF7F, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGWAEG..HANGUL SYLLABLE GGWAEH
+	{0xAF80, 0xAF80, prH2, gcLo},     //         HANGUL SYLLABLE GGOE
+	{0xAF81, 0xAF9B, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGOEG..HANGUL SYLLABLE GGOEH
+	{0xAF9C, 0xAF9C, prH2, gcLo},     //         HANGUL SYLLABLE GGYO
+	{0xAF9D, 0xAFB7, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGYOG..HANGUL SYLLABLE GGYOH
+	{0xAFB8, 0xAFB8, prH2, gcLo},     //         HANGUL SYLLABLE GGU
+	{0xAFB9, 0xAFD3, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGUG..HANGUL SYLLABLE GGUH
+	{0xAFD4, 0xAFD4, prH2, gcLo},     //         HANGUL SYLLABLE GGWEO
+	{0xAFD5, 0xAFEF, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGWEOG..HANGUL SYLLABLE GGWEOH
+	{0xAFF0, 0xAFF0, prH2, gcLo},     //         HANGUL SYLLABLE GGWE
+	{0xAFF1, 0xB00B, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGWEG..HANGUL SYLLABLE GGWEH
+	{0xB00C, 0xB00C, prH2, gcLo},     //         HANGUL SYLLABLE GGWI
+	{0xB00D, 0xB027, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGWIG..HANGUL SYLLABLE GGWIH
+	{0xB028, 0xB028, prH2, gcLo},     //         HANGUL SYLLABLE GGYU
+	{0xB029, 0xB043, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGYUG..HANGUL SYLLABLE GGYUH
+	{0xB044, 0xB044, prH2, gcLo},     //         HANGUL SYLLABLE GGEU
+	{0xB045, 0xB05F, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGEUG..HANGUL SYLLABLE GGEUH
+	{0xB060, 0xB060, prH2, gcLo},     //         HANGUL SYLLABLE GGYI
+	{0xB061, 0xB07B, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGYIG..HANGUL SYLLABLE GGYIH
+	{0xB07C, 0xB07C, prH2, gcLo},     //         HANGUL SYLLABLE GGI
+	{0xB07D, 0xB097, prH3, gcLo},     //    [27] HANGUL SYLLABLE GGIG..HANGUL SYLLABLE GGIH
+	{0xB098, 0xB098, prH2, gcLo},     //         HANGUL SYLLABLE NA
+	{0xB099, 0xB0B3, prH3, gcLo},     //    [27] HANGUL SYLLABLE NAG..HANGUL SYLLABLE NAH
+	{0xB0B4, 0xB0B4, prH2, gcLo},     //         HANGUL SYLLABLE NAE
+	{0xB0B5, 0xB0CF, prH3, gcLo},     //    [27] HANGUL SYLLABLE NAEG..HANGUL SYLLABLE NAEH
+	{0xB0D0, 0xB0D0, prH2, gcLo},     //         HANGUL SYLLABLE NYA
+	{0xB0D1, 0xB0EB, prH3, gcLo},     //    [27] HANGUL SYLLABLE NYAG..HANGUL SYLLABLE NYAH
+	{0xB0EC, 0xB0EC, prH2, gcLo},     //         HANGUL SYLLABLE NYAE
+	{0xB0ED, 0xB107, prH3, gcLo},     //    [27] HANGUL SYLLABLE NYAEG..HANGUL SYLLABLE NYAEH
+	{0xB108, 0xB108, prH2, gcLo},     //         HANGUL SYLLABLE NEO
+	{0xB109, 0xB123, prH3, gcLo},     //    [27] HANGUL SYLLABLE NEOG..HANGUL SYLLABLE NEOH
+	{0xB124, 0xB124, prH2, gcLo},     //         HANGUL SYLLABLE NE
+	{0xB125, 0xB13F, prH3, gcLo},     //    [27] HANGUL SYLLABLE NEG..HANGUL SYLLABLE NEH
+	{0xB140, 0xB140, prH2, gcLo},     //         HANGUL SYLLABLE NYEO
+	{0xB141, 0xB15B, prH3, gcLo},     //    [27] HANGUL SYLLABLE NYEOG..HANGUL SYLLABLE NYEOH
+	{0xB15C, 0xB15C, prH2, gcLo},     //         HANGUL SYLLABLE NYE
+	{0xB15D, 0xB177, prH3, gcLo},     //    [27] HANGUL SYLLABLE NYEG..HANGUL SYLLABLE NYEH
+	{0xB178, 0xB178, prH2, gcLo},     //         HANGUL SYLLABLE NO
+	{0xB179, 0xB193, prH3, gcLo},     //    [27] HANGUL SYLLABLE NOG..HANGUL SYLLABLE NOH
+	{0xB194, 0xB194, prH2, gcLo},     //         HANGUL SYLLABLE NWA
+	{0xB195, 0xB1AF, prH3, gcLo},     //    [27] HANGUL SYLLABLE NWAG..HANGUL SYLLABLE NWAH
+	{0xB1B0, 0xB1B0, prH2, gcLo},     //         HANGUL SYLLABLE NWAE
+	{0xB1B1, 0xB1CB, prH3, gcLo},     //    [27] HANGUL SYLLABLE NWAEG..HANGUL SYLLABLE NWAEH
+	{0xB1CC, 0xB1CC, prH2, gcLo},     //         HANGUL SYLLABLE NOE
+	{0xB1CD, 0xB1E7, prH3, gcLo},     //    [27] HANGUL SYLLABLE NOEG..HANGUL SYLLABLE NOEH
+	{0xB1E8, 0xB1E8, prH2, gcLo},     //         HANGUL SYLLABLE NYO
+	{0xB1E9, 0xB203, prH3, gcLo},     //    [27] HANGUL SYLLABLE NYOG..HANGUL SYLLABLE NYOH
+	{0xB204, 0xB204, prH2, gcLo},     //         HANGUL SYLLABLE NU
+	{0xB205, 0xB21F, prH3, gcLo},     //    [27] HANGUL SYLLABLE NUG..HANGUL SYLLABLE NUH
+	{0xB220, 0xB220, prH2, gcLo},     //         HANGUL SYLLABLE NWEO
+	{0xB221, 0xB23B, prH3, gcLo},     //    [27] HANGUL SYLLABLE NWEOG..HANGUL SYLLABLE NWEOH
+	{0xB23C, 0xB23C, prH2, gcLo},     //         HANGUL SYLLABLE NWE
+	{0xB23D, 0xB257, prH3, gcLo},     //    [27] HANGUL SYLLABLE NWEG..HANGUL SYLLABLE NWEH
+	{0xB258, 0xB258, prH2, gcLo},     //         HANGUL SYLLABLE NWI
+	{0xB259, 0xB273, prH3, gcLo},     //    [27] HANGUL SYLLABLE NWIG..HANGUL SYLLABLE NWIH
+	{0xB274, 0xB274, prH2, gcLo},     //         HANGUL SYLLABLE NYU
+	{0xB275, 0xB28F, prH3, gcLo},     //    [27] HANGUL SYLLABLE NYUG..HANGUL SYLLABLE NYUH
+	{0xB290, 0xB290, prH2, gcLo},     //         HANGUL SYLLABLE NEU
+	{0xB291, 0xB2AB, prH3, gcLo},     //    [27] HANGUL SYLLABLE NEUG..HANGUL SYLLABLE NEUH
+	{0xB2AC, 0xB2AC, prH2, gcLo},     //         HANGUL SYLLABLE NYI
+	{0xB2AD, 0xB2C7, prH3, gcLo},     //    [27] HANGUL SYLLABLE NYIG..HANGUL SYLLABLE NYIH
+	{0xB2C8, 0xB2C8, prH2, gcLo},     //         HANGUL SYLLABLE NI
+	{0xB2C9, 0xB2E3, prH3, gcLo},     //    [27] HANGUL SYLLABLE NIG..HANGUL SYLLABLE NIH
+	{0xB2E4, 0xB2E4, prH2, gcLo},     //         HANGUL SYLLABLE DA
+	{0xB2E5, 0xB2FF, prH3, gcLo},     //    [27] HANGUL SYLLABLE DAG..HANGUL SYLLABLE DAH
+	{0xB300, 0xB300, prH2, gcLo},     //         HANGUL SYLLABLE DAE
+	{0xB301, 0xB31B, prH3, gcLo},     //    [27] HANGUL SYLLABLE DAEG..HANGUL SYLLABLE DAEH
+	{0xB31C, 0xB31C, prH2, gcLo},     //         HANGUL SYLLABLE DYA
+	{0xB31D, 0xB337, prH3, gcLo},     //    [27] HANGUL SYLLABLE DYAG..HANGUL SYLLABLE DYAH
+	{0xB338, 0xB338, prH2, gcLo},     //         HANGUL SYLLABLE DYAE
+	{0xB339, 0xB353, prH3, gcLo},     //    [27] HANGUL SYLLABLE DYAEG..HANGUL SYLLABLE DYAEH
+	{0xB354, 0xB354, prH2, gcLo},     //         HANGUL SYLLABLE DEO
+	{0xB355, 0xB36F, prH3, gcLo},     //    [27] HANGUL SYLLABLE DEOG..HANGUL SYLLABLE DEOH
+	{0xB370, 0xB370, prH2, gcLo},     //         HANGUL SYLLABLE DE
+	{0xB371, 0xB38B, prH3, gcLo},     //    [27] HANGUL SYLLABLE DEG..HANGUL SYLLABLE DEH
+	{0xB38C, 0xB38C, prH2, gcLo},     //         HANGUL SYLLABLE DYEO
+	{0xB38D, 0xB3A7, prH3, gcLo},     //    [27] HANGUL SYLLABLE DYEOG..HANGUL SYLLABLE DYEOH
+	{0xB3A8, 0xB3A8, prH2, gcLo},     //         HANGUL SYLLABLE DYE
+	{0xB3A9, 0xB3C3, prH3, gcLo},     //    [27] HANGUL SYLLABLE DYEG..HANGUL SYLLABLE DYEH
+	{0xB3C4, 0xB3C4, prH2, gcLo},     //         HANGUL SYLLABLE DO
+	{0xB3C5, 0xB3DF, prH3, gcLo},     //    [27] HANGUL SYLLABLE DOG..HANGUL SYLLABLE DOH
+	{0xB3E0, 0xB3E0, prH2, gcLo},     //         HANGUL SYLLABLE DWA
+	{0xB3E1, 0xB3FB, prH3, gcLo},     //    [27] HANGUL SYLLABLE DWAG..HANGUL SYLLABLE DWAH
+	{0xB3FC, 0xB3FC, prH2, gcLo},     //         HANGUL SYLLABLE DWAE
+	{0xB3FD, 0xB417, prH3, gcLo},     //    [27] HANGUL SYLLABLE DWAEG..HANGUL SYLLABLE DWAEH
+	{0xB418, 0xB418, prH2, gcLo},     //         HANGUL SYLLABLE DOE
+	{0xB419, 0xB433, prH3, gcLo},     //    [27] HANGUL SYLLABLE DOEG..HANGUL SYLLABLE DOEH
+	{0xB434, 0xB434, prH2, gcLo},     //         HANGUL SYLLABLE DYO
+	{0xB435, 0xB44F, prH3, gcLo},     //    [27] HANGUL SYLLABLE DYOG..HANGUL SYLLABLE DYOH
+	{0xB450, 0xB450, prH2, gcLo},     //         HANGUL SYLLABLE DU
+	{0xB451, 0xB46B, prH3, gcLo},     //    [27] HANGUL SYLLABLE DUG..HANGUL SYLLABLE DUH
+	{0xB46C, 0xB46C, prH2, gcLo},     //         HANGUL SYLLABLE DWEO
+	{0xB46D, 0xB487, prH3, gcLo},     //    [27] HANGUL SYLLABLE DWEOG..HANGUL SYLLABLE DWEOH
+	{0xB488, 0xB488, prH2, gcLo},     //         HANGUL SYLLABLE DWE
+	{0xB489, 0xB4A3, prH3, gcLo},     //    [27] HANGUL SYLLABLE DWEG..HANGUL SYLLABLE DWEH
+	{0xB4A4, 0xB4A4, prH2, gcLo},     //         HANGUL SYLLABLE DWI
+	{0xB4A5, 0xB4BF, prH3, gcLo},     //    [27] HANGUL SYLLABLE DWIG..HANGUL SYLLABLE DWIH
+	{0xB4C0, 0xB4C0, prH2, gcLo},     //         HANGUL SYLLABLE DYU
+	{0xB4C1, 0xB4DB, prH3, gcLo},     //    [27] HANGUL SYLLABLE DYUG..HANGUL SYLLABLE DYUH
+	{0xB4DC, 0xB4DC, prH2, gcLo},     //         HANGUL SYLLABLE DEU
+	{0xB4DD, 0xB4F7, prH3, gcLo},     //    [27] HANGUL SYLLABLE DEUG..HANGUL SYLLABLE DEUH
+	{0xB4F8, 0xB4F8, prH2, gcLo},     //         HANGUL SYLLABLE DYI
+	{0xB4F9, 0xB513, prH3, gcLo},     //    [27] HANGUL SYLLABLE DYIG..HANGUL SYLLABLE DYIH
+	{0xB514, 0xB514, prH2, gcLo},     //         HANGUL SYLLABLE DI
+	{0xB515, 0xB52F, prH3, gcLo},     //    [27] HANGUL SYLLABLE DIG..HANGUL SYLLABLE DIH
+	{0xB530, 0xB530, prH2, gcLo},     //         HANGUL SYLLABLE DDA
+	{0xB531, 0xB54B, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDAG..HANGUL SYLLABLE DDAH
+	{0xB54C, 0xB54C, prH2, gcLo},     //         HANGUL SYLLABLE DDAE
+	{0xB54D, 0xB567, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDAEG..HANGUL SYLLABLE DDAEH
+	{0xB568, 0xB568, prH2, gcLo},     //         HANGUL SYLLABLE DDYA
+	{0xB569, 0xB583, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDYAG..HANGUL SYLLABLE DDYAH
+	{0xB584, 0xB584, prH2, gcLo},     //         HANGUL SYLLABLE DDYAE
+	{0xB585, 0xB59F, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDYAEG..HANGUL SYLLABLE DDYAEH
+	{0xB5A0, 0xB5A0, prH2, gcLo},     //         HANGUL SYLLABLE DDEO
+	{0xB5A1, 0xB5BB, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDEOG..HANGUL SYLLABLE DDEOH
+	{0xB5BC, 0xB5BC, prH2, gcLo},     //         HANGUL SYLLABLE DDE
+	{0xB5BD, 0xB5D7, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDEG..HANGUL SYLLABLE DDEH
+	{0xB5D8, 0xB5D8, prH2, gcLo},     //         HANGUL SYLLABLE DDYEO
+	{0xB5D9, 0xB5F3, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDYEOG..HANGUL SYLLABLE DDYEOH
+	{0xB5F4, 0xB5F4, prH2, gcLo},     //         HANGUL SYLLABLE DDYE
+	{0xB5F5, 0xB60F, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDYEG..HANGUL SYLLABLE DDYEH
+	{0xB610, 0xB610, prH2, gcLo},     //         HANGUL SYLLABLE DDO
+	{0xB611, 0xB62B, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDOG..HANGUL SYLLABLE DDOH
+	{0xB62C, 0xB62C, prH2, gcLo},     //         HANGUL SYLLABLE DDWA
+	{0xB62D, 0xB647, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDWAG..HANGUL SYLLABLE DDWAH
+	{0xB648, 0xB648, prH2, gcLo},     //         HANGUL SYLLABLE DDWAE
+	{0xB649, 0xB663, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDWAEG..HANGUL SYLLABLE DDWAEH
+	{0xB664, 0xB664, prH2, gcLo},     //         HANGUL SYLLABLE DDOE
+	{0xB665, 0xB67F, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDOEG..HANGUL SYLLABLE DDOEH
+	{0xB680, 0xB680, prH2, gcLo},     //         HANGUL SYLLABLE DDYO
+	{0xB681, 0xB69B, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDYOG..HANGUL SYLLABLE DDYOH
+	{0xB69C, 0xB69C, prH2, gcLo},     //         HANGUL SYLLABLE DDU
+	{0xB69D, 0xB6B7, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDUG..HANGUL SYLLABLE DDUH
+	{0xB6B8, 0xB6B8, prH2, gcLo},     //         HANGUL SYLLABLE DDWEO
+	{0xB6B9, 0xB6D3, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDWEOG..HANGUL SYLLABLE DDWEOH
+	{0xB6D4, 0xB6D4, prH2, gcLo},     //         HANGUL SYLLABLE DDWE
+	{0xB6D5, 0xB6EF, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDWEG..HANGUL SYLLABLE DDWEH
+	{0xB6F0, 0xB6F0, prH2, gcLo},     //         HANGUL SYLLABLE DDWI
+	{0xB6F1, 0xB70B, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDWIG..HANGUL SYLLABLE DDWIH
+	{0xB70C, 0xB70C, prH2, gcLo},     //         HANGUL SYLLABLE DDYU
+	{0xB70D, 0xB727, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDYUG..HANGUL SYLLABLE DDYUH
+	{0xB728, 0xB728, prH2, gcLo},     //         HANGUL SYLLABLE DDEU
+	{0xB729, 0xB743, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDEUG..HANGUL SYLLABLE DDEUH
+	{0xB744, 0xB744, prH2, gcLo},     //         HANGUL SYLLABLE DDYI
+	{0xB745, 0xB75F, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDYIG..HANGUL SYLLABLE DDYIH
+	{0xB760, 0xB760, prH2, gcLo},     //         HANGUL SYLLABLE DDI
+	{0xB761, 0xB77B, prH3, gcLo},     //    [27] HANGUL SYLLABLE DDIG..HANGUL SYLLABLE DDIH
+	{0xB77C, 0xB77C, prH2, gcLo},     //         HANGUL SYLLABLE RA
+	{0xB77D, 0xB797, prH3, gcLo},     //    [27] HANGUL SYLLABLE RAG..HANGUL SYLLABLE RAH
+	{0xB798, 0xB798, prH2, gcLo},     //         HANGUL SYLLABLE RAE
+	{0xB799, 0xB7B3, prH3, gcLo},     //    [27] HANGUL SYLLABLE RAEG..HANGUL SYLLABLE RAEH
+	{0xB7B4, 0xB7B4, prH2, gcLo},     //         HANGUL SYLLABLE RYA
+	{0xB7B5, 0xB7CF, prH3, gcLo},     //    [27] HANGUL SYLLABLE RYAG..HANGUL SYLLABLE RYAH
+	{0xB7D0, 0xB7D0, prH2, gcLo},     //         HANGUL SYLLABLE RYAE
+	{0xB7D1, 0xB7EB, prH3, gcLo},     //    [27] HANGUL SYLLABLE RYAEG..HANGUL SYLLABLE RYAEH
+	{0xB7EC, 0xB7EC, prH2, gcLo},     //         HANGUL SYLLABLE REO
+	{0xB7ED, 0xB807, prH3, gcLo},     //    [27] HANGUL SYLLABLE REOG..HANGUL SYLLABLE REOH
+	{0xB808, 0xB808, prH2, gcLo},     //         HANGUL SYLLABLE RE
+	{0xB809, 0xB823, prH3, gcLo},     //    [27] HANGUL SYLLABLE REG..HANGUL SYLLABLE REH
+	{0xB824, 0xB824, prH2, gcLo},     //         HANGUL SYLLABLE RYEO
+	{0xB825, 0xB83F, prH3, gcLo},     //    [27] HANGUL SYLLABLE RYEOG..HANGUL SYLLABLE RYEOH
+	{0xB840, 0xB840, prH2, gcLo},     //         HANGUL SYLLABLE RYE
+	{0xB841, 0xB85B, prH3, gcLo},     //    [27] HANGUL SYLLABLE RYEG..HANGUL SYLLABLE RYEH
+	{0xB85C, 0xB85C, prH2, gcLo},     //         HANGUL SYLLABLE RO
+	{0xB85D, 0xB877, prH3, gcLo},     //    [27] HANGUL SYLLABLE ROG..HANGUL SYLLABLE ROH
+	{0xB878, 0xB878, prH2, gcLo},     //         HANGUL SYLLABLE RWA
+	{0xB879, 0xB893, prH3, gcLo},     //    [27] HANGUL SYLLABLE RWAG..HANGUL SYLLABLE RWAH
+	{0xB894, 0xB894, prH2, gcLo},     //         HANGUL SYLLABLE RWAE
+	{0xB895, 0xB8AF, prH3, gcLo},     //    [27] HANGUL SYLLABLE RWAEG..HANGUL SYLLABLE RWAEH
+	{0xB8B0, 0xB8B0, prH2, gcLo},     //         HANGUL SYLLABLE ROE
+	{0xB8B1, 0xB8CB, prH3, gcLo},     //    [27] HANGUL SYLLABLE ROEG..HANGUL SYLLABLE ROEH
+	{0xB8CC, 0xB8CC, prH2, gcLo},     //         HANGUL SYLLABLE RYO
+	{0xB8CD, 0xB8E7, prH3, gcLo},     //    [27] HANGUL SYLLABLE RYOG..HANGUL SYLLABLE RYOH
+	{0xB8E8, 0xB8E8, prH2, gcLo},     //         HANGUL SYLLABLE RU
+	{0xB8E9, 0xB903, prH3, gcLo},     //    [27] HANGUL SYLLABLE RUG..HANGUL SYLLABLE RUH
+	{0xB904, 0xB904, prH2, gcLo},     //         HANGUL SYLLABLE RWEO
+	{0xB905, 0xB91F, prH3, gcLo},     //    [27] HANGUL SYLLABLE RWEOG..HANGUL SYLLABLE RWEOH
+	{0xB920, 0xB920, prH2, gcLo},     //         HANGUL SYLLABLE RWE
+	{0xB921, 0xB93B, prH3, gcLo},     //    [27] HANGUL SYLLABLE RWEG..HANGUL SYLLABLE RWEH
+	{0xB93C, 0xB93C, prH2, gcLo},     //         HANGUL SYLLABLE RWI
+	{0xB93D, 0xB957, prH3, gcLo},     //    [27] HANGUL SYLLABLE RWIG..HANGUL SYLLABLE RWIH
+	{0xB958, 0xB958, prH2, gcLo},     //         HANGUL SYLLABLE RYU
+	{0xB959, 0xB973, prH3, gcLo},     //    [27] HANGUL SYLLABLE RYUG..HANGUL SYLLABLE RYUH
+	{0xB974, 0xB974, prH2, gcLo},     //         HANGUL SYLLABLE REU
+	{0xB975, 0xB98F, prH3, gcLo},     //    [27] HANGUL SYLLABLE REUG..HANGUL SYLLABLE REUH
+	{0xB990, 0xB990, prH2, gcLo},     //         HANGUL SYLLABLE RYI
+	{0xB991, 0xB9AB, prH3, gcLo},     //    [27] HANGUL SYLLABLE RYIG..HANGUL SYLLABLE RYIH
+	{0xB9AC, 0xB9AC, prH2, gcLo},     //         HANGUL SYLLABLE RI
+	{0xB9AD, 0xB9C7, prH3, gcLo},     //    [27] HANGUL SYLLABLE RIG..HANGUL SYLLABLE RIH
+	{0xB9C8, 0xB9C8, prH2, gcLo},     //         HANGUL SYLLABLE MA
+	{0xB9C9, 0xB9E3, prH3, gcLo},     //    [27] HANGUL SYLLABLE MAG..HANGUL SYLLABLE MAH
+	{0xB9E4, 0xB9E4, prH2, gcLo},     //         HANGUL SYLLABLE MAE
+	{0xB9E5, 0xB9FF, prH3, gcLo},     //    [27] HANGUL SYLLABLE MAEG..HANGUL SYLLABLE MAEH
+	{0xBA00, 0xBA00, prH2, gcLo},     //         HANGUL SYLLABLE MYA
+	{0xBA01, 0xBA1B, prH3, gcLo},     //    [27] HANGUL SYLLABLE MYAG..HANGUL SYLLABLE MYAH
+	{0xBA1C, 0xBA1C, prH2, gcLo},     //         HANGUL SYLLABLE MYAE
+	{0xBA1D, 0xBA37, prH3, gcLo},     //    [27] HANGUL SYLLABLE MYAEG..HANGUL SYLLABLE MYAEH
+	{0xBA38, 0xBA38, prH2, gcLo},     //         HANGUL SYLLABLE MEO
+	{0xBA39, 0xBA53, prH3, gcLo},     //    [27] HANGUL SYLLABLE MEOG..HANGUL SYLLABLE MEOH
+	{0xBA54, 0xBA54, prH2, gcLo},     //         HANGUL SYLLABLE ME
+	{0xBA55, 0xBA6F, prH3, gcLo},     //    [27] HANGUL SYLLABLE MEG..HANGUL SYLLABLE MEH
+	{0xBA70, 0xBA70, prH2, gcLo},     //         HANGUL SYLLABLE MYEO
+	{0xBA71, 0xBA8B, prH3, gcLo},     //    [27] HANGUL SYLLABLE MYEOG..HANGUL SYLLABLE MYEOH
+	{0xBA8C, 0xBA8C, prH2, gcLo},     //         HANGUL SYLLABLE MYE
+	{0xBA8D, 0xBAA7, prH3, gcLo},     //    [27] HANGUL SYLLABLE MYEG..HANGUL SYLLABLE MYEH
+	{0xBAA8, 0xBAA8, prH2, gcLo},     //         HANGUL SYLLABLE MO
+	{0xBAA9, 0xBAC3, prH3, gcLo},     //    [27] HANGUL SYLLABLE MOG..HANGUL SYLLABLE MOH
+	{0xBAC4, 0xBAC4, prH2, gcLo},     //         HANGUL SYLLABLE MWA
+	{0xBAC5, 0xBADF, prH3, gcLo},     //    [27] HANGUL SYLLABLE MWAG..HANGUL SYLLABLE MWAH
+	{0xBAE0, 0xBAE0, prH2, gcLo},     //         HANGUL SYLLABLE MWAE
+	{0xBAE1, 0xBAFB, prH3, gcLo},     //    [27] HANGUL SYLLABLE MWAEG..HANGUL SYLLABLE MWAEH
+	{0xBAFC, 0xBAFC, prH2, gcLo},     //         HANGUL SYLLABLE MOE
+	{0xBAFD, 0xBB17, prH3, gcLo},     //    [27] HANGUL SYLLABLE MOEG..HANGUL SYLLABLE MOEH
+	{0xBB18, 0xBB18, prH2, gcLo},     //         HANGUL SYLLABLE MYO
+	{0xBB19, 0xBB33, prH3, gcLo},     //    [27] HANGUL SYLLABLE MYOG..HANGUL SYLLABLE MYOH
+	{0xBB34, 0xBB34, prH2, gcLo},     //         HANGUL SYLLABLE MU
+	{0xBB35, 0xBB4F, prH3, gcLo},     //    [27] HANGUL SYLLABLE MUG..HANGUL SYLLABLE MUH
+	{0xBB50, 0xBB50, prH2, gcLo},     //         HANGUL SYLLABLE MWEO
+	{0xBB51, 0xBB6B, prH3, gcLo},     //    [27] HANGUL SYLLABLE MWEOG..HANGUL SYLLABLE MWEOH
+	{0xBB6C, 0xBB6C, prH2, gcLo},     //         HANGUL SYLLABLE MWE
+	{0xBB6D, 0xBB87, prH3, gcLo},     //    [27] HANGUL SYLLABLE MWEG..HANGUL SYLLABLE MWEH
+	{0xBB88, 0xBB88, prH2, gcLo},     //         HANGUL SYLLABLE MWI
+	{0xBB89, 0xBBA3, prH3, gcLo},     //    [27] HANGUL SYLLABLE MWIG..HANGUL SYLLABLE MWIH
+	{0xBBA4, 0xBBA4, prH2, gcLo},     //         HANGUL SYLLABLE MYU
+	{0xBBA5, 0xBBBF, prH3, gcLo},     //    [27] HANGUL SYLLABLE MYUG..HANGUL SYLLABLE MYUH
+	{0xBBC0, 0xBBC0, prH2, gcLo},     //         HANGUL SYLLABLE MEU
+	{0xBBC1, 0xBBDB, prH3, gcLo},     //    [27] HANGUL SYLLABLE MEUG..HANGUL SYLLABLE MEUH
+	{0xBBDC, 0xBBDC, prH2, gcLo},     //         HANGUL SYLLABLE MYI
+	{0xBBDD, 0xBBF7, prH3, gcLo},     //    [27] HANGUL SYLLABLE MYIG..HANGUL SYLLABLE MYIH
+	{0xBBF8, 0xBBF8, prH2, gcLo},     //         HANGUL SYLLABLE MI
+	{0xBBF9, 0xBC13, prH3, gcLo},     //    [27] HANGUL SYLLABLE MIG..HANGUL SYLLABLE MIH
+	{0xBC14, 0xBC14, prH2, gcLo},     //         HANGUL SYLLABLE BA
+	{0xBC15, 0xBC2F, prH3, gcLo},     //    [27] HANGUL SYLLABLE BAG..HANGUL SYLLABLE BAH
+	{0xBC30, 0xBC30, prH2, gcLo},     //         HANGUL SYLLABLE BAE
+	{0xBC31, 0xBC4B, prH3, gcLo},     //    [27] HANGUL SYLLABLE BAEG..HANGUL SYLLABLE BAEH
+	{0xBC4C, 0xBC4C, prH2, gcLo},     //         HANGUL SYLLABLE BYA
+	{0xBC4D, 0xBC67, prH3, gcLo},     //    [27] HANGUL SYLLABLE BYAG..HANGUL SYLLABLE BYAH
+	{0xBC68, 0xBC68, prH2, gcLo},     //         HANGUL SYLLABLE BYAE
+	{0xBC69, 0xBC83, prH3, gcLo},     //    [27] HANGUL SYLLABLE BYAEG..HANGUL SYLLABLE BYAEH
+	{0xBC84, 0xBC84, prH2, gcLo},     //         HANGUL SYLLABLE BEO
+	{0xBC85, 0xBC9F, prH3, gcLo},     //    [27] HANGUL SYLLABLE BEOG..HANGUL SYLLABLE BEOH
+	{0xBCA0, 0xBCA0, prH2, gcLo},     //         HANGUL SYLLABLE BE
+	{0xBCA1, 0xBCBB, prH3, gcLo},     //    [27] HANGUL SYLLABLE BEG..HANGUL SYLLABLE BEH
+	{0xBCBC, 0xBCBC, prH2, gcLo},     //         HANGUL SYLLABLE BYEO
+	{0xBCBD, 0xBCD7, prH3, gcLo},     //    [27] HANGUL SYLLABLE BYEOG..HANGUL SYLLABLE BYEOH
+	{0xBCD8, 0xBCD8, prH2, gcLo},     //         HANGUL SYLLABLE BYE
+	{0xBCD9, 0xBCF3, prH3, gcLo},     //    [27] HANGUL SYLLABLE BYEG..HANGUL SYLLABLE BYEH
+	{0xBCF4, 0xBCF4, prH2, gcLo},     //         HANGUL SYLLABLE BO
+	{0xBCF5, 0xBD0F, prH3, gcLo},     //    [27] HANGUL SYLLABLE BOG..HANGUL SYLLABLE BOH
+	{0xBD10, 0xBD10, prH2, gcLo},     //         HANGUL SYLLABLE BWA
+	{0xBD11, 0xBD2B, prH3, gcLo},     //    [27] HANGUL SYLLABLE BWAG..HANGUL SYLLABLE BWAH
+	{0xBD2C, 0xBD2C, prH2, gcLo},     //         HANGUL SYLLABLE BWAE
+	{0xBD2D, 0xBD47, prH3, gcLo},     //    [27] HANGUL SYLLABLE BWAEG..HANGUL SYLLABLE BWAEH
+	{0xBD48, 0xBD48, prH2, gcLo},     //         HANGUL SYLLABLE BOE
+	{0xBD49, 0xBD63, prH3, gcLo},     //    [27] HANGUL SYLLABLE BOEG..HANGUL SYLLABLE BOEH
+	{0xBD64, 0xBD64, prH2, gcLo},     //         HANGUL SYLLABLE BYO
+	{0xBD65, 0xBD7F, prH3, gcLo},     //    [27] HANGUL SYLLABLE BYOG..HANGUL SYLLABLE BYOH
+	{0xBD80, 0xBD80, prH2, gcLo},     //         HANGUL SYLLABLE BU
+	{0xBD81, 0xBD9B, prH3, gcLo},     //    [27] HANGUL SYLLABLE BUG..HANGUL SYLLABLE BUH
+	{0xBD9C, 0xBD9C, prH2, gcLo},     //         HANGUL SYLLABLE BWEO
+	{0xBD9D, 0xBDB7, prH3, gcLo},     //    [27] HANGUL SYLLABLE BWEOG..HANGUL SYLLABLE BWEOH
+	{0xBDB8, 0xBDB8, prH2, gcLo},     //         HANGUL SYLLABLE BWE
+	{0xBDB9, 0xBDD3, prH3, gcLo},     //    [27] HANGUL SYLLABLE BWEG..HANGUL SYLLABLE BWEH
+	{0xBDD4, 0xBDD4, prH2, gcLo},     //         HANGUL SYLLABLE BWI
+	{0xBDD5, 0xBDEF, prH3, gcLo},     //    [27] HANGUL SYLLABLE BWIG..HANGUL SYLLABLE BWIH
+	{0xBDF0, 0xBDF0, prH2, gcLo},     //         HANGUL SYLLABLE BYU
+	{0xBDF1, 0xBE0B, prH3, gcLo},     //    [27] HANGUL SYLLABLE BYUG..HANGUL SYLLABLE BYUH
+	{0xBE0C, 0xBE0C, prH2, gcLo},     //         HANGUL SYLLABLE BEU
+	{0xBE0D, 0xBE27, prH3, gcLo},     //    [27] HANGUL SYLLABLE BEUG..HANGUL SYLLABLE BEUH
+	{0xBE28, 0xBE28, prH2, gcLo},     //         HANGUL SYLLABLE BYI
+	{0xBE29, 0xBE43, prH3, gcLo},     //    [27] HANGUL SYLLABLE BYIG..HANGUL SYLLABLE BYIH
+	{0xBE44, 0xBE44, prH2, gcLo},     //         HANGUL SYLLABLE BI
+	{0xBE45, 0xBE5F, prH3, gcLo},     //    [27] HANGUL SYLLABLE BIG..HANGUL SYLLABLE BIH
+	{0xBE60, 0xBE60, prH2, gcLo},     //         HANGUL SYLLABLE BBA
+	{0xBE61, 0xBE7B, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBAG..HANGUL SYLLABLE BBAH
+	{0xBE7C, 0xBE7C, prH2, gcLo},     //         HANGUL SYLLABLE BBAE
+	{0xBE7D, 0xBE97, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBAEG..HANGUL SYLLABLE BBAEH
+	{0xBE98, 0xBE98, prH2, gcLo},     //         HANGUL SYLLABLE BBYA
+	{0xBE99, 0xBEB3, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBYAG..HANGUL SYLLABLE BBYAH
+	{0xBEB4, 0xBEB4, prH2, gcLo},     //         HANGUL SYLLABLE BBYAE
+	{0xBEB5, 0xBECF, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBYAEG..HANGUL SYLLABLE BBYAEH
+	{0xBED0, 0xBED0, prH2, gcLo},     //         HANGUL SYLLABLE BBEO
+	{0xBED1, 0xBEEB, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBEOG..HANGUL SYLLABLE BBEOH
+	{0xBEEC, 0xBEEC, prH2, gcLo},     //         HANGUL SYLLABLE BBE
+	{0xBEED, 0xBF07, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBEG..HANGUL SYLLABLE BBEH
+	{0xBF08, 0xBF08, prH2, gcLo},     //         HANGUL SYLLABLE BBYEO
+	{0xBF09, 0xBF23, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBYEOG..HANGUL SYLLABLE BBYEOH
+	{0xBF24, 0xBF24, prH2, gcLo},     //         HANGUL SYLLABLE BBYE
+	{0xBF25, 0xBF3F, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBYEG..HANGUL SYLLABLE BBYEH
+	{0xBF40, 0xBF40, prH2, gcLo},     //         HANGUL SYLLABLE BBO
+	{0xBF41, 0xBF5B, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBOG..HANGUL SYLLABLE BBOH
+	{0xBF5C, 0xBF5C, prH2, gcLo},     //         HANGUL SYLLABLE BBWA
+	{0xBF5D, 0xBF77, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBWAG..HANGUL SYLLABLE BBWAH
+	{0xBF78, 0xBF78, prH2, gcLo},     //         HANGUL SYLLABLE BBWAE
+	{0xBF79, 0xBF93, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBWAEG..HANGUL SYLLABLE BBWAEH
+	{0xBF94, 0xBF94, prH2, gcLo},     //         HANGUL SYLLABLE BBOE
+	{0xBF95, 0xBFAF, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBOEG..HANGUL SYLLABLE BBOEH
+	{0xBFB0, 0xBFB0, prH2, gcLo},     //         HANGUL SYLLABLE BBYO
+	{0xBFB1, 0xBFCB, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBYOG..HANGUL SYLLABLE BBYOH
+	{0xBFCC, 0xBFCC, prH2, gcLo},     //         HANGUL SYLLABLE BBU
+	{0xBFCD, 0xBFE7, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBUG..HANGUL SYLLABLE BBUH
+	{0xBFE8, 0xBFE8, prH2, gcLo},     //         HANGUL SYLLABLE BBWEO
+	{0xBFE9, 0xC003, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBWEOG..HANGUL SYLLABLE BBWEOH
+	{0xC004, 0xC004, prH2, gcLo},     //         HANGUL SYLLABLE BBWE
+	{0xC005, 0xC01F, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBWEG..HANGUL SYLLABLE BBWEH
+	{0xC020, 0xC020, prH2, gcLo},     //         HANGUL SYLLABLE BBWI
+	{0xC021, 0xC03B, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBWIG..HANGUL SYLLABLE BBWIH
+	{0xC03C, 0xC03C, prH2, gcLo},     //         HANGUL SYLLABLE BBYU
+	{0xC03D, 0xC057, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBYUG..HANGUL SYLLABLE BBYUH
+	{0xC058, 0xC058, prH2, gcLo},     //         HANGUL SYLLABLE BBEU
+	{0xC059, 0xC073, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBEUG..HANGUL SYLLABLE BBEUH
+	{0xC074, 0xC074, prH2, gcLo},     //         HANGUL SYLLABLE BBYI
+	{0xC075, 0xC08F, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBYIG..HANGUL SYLLABLE BBYIH
+	{0xC090, 0xC090, prH2, gcLo},     //         HANGUL SYLLABLE BBI
+	{0xC091, 0xC0AB, prH3, gcLo},     //    [27] HANGUL SYLLABLE BBIG..HANGUL SYLLABLE BBIH
+	{0xC0AC, 0xC0AC, prH2, gcLo},     //         HANGUL SYLLABLE SA
+	{0xC0AD, 0xC0C7, prH3, gcLo},     //    [27] HANGUL SYLLABLE SAG..HANGUL SYLLABLE SAH
+	{0xC0C8, 0xC0C8, prH2, gcLo},     //         HANGUL SYLLABLE SAE
+	{0xC0C9, 0xC0E3, prH3, gcLo},     //    [27] HANGUL SYLLABLE SAEG..HANGUL SYLLABLE SAEH
+	{0xC0E4, 0xC0E4, prH2, gcLo},     //         HANGUL SYLLABLE SYA
+	{0xC0E5, 0xC0FF, prH3, gcLo},     //    [27] HANGUL SYLLABLE SYAG..HANGUL SYLLABLE SYAH
+	{0xC100, 0xC100, prH2, gcLo},     //         HANGUL SYLLABLE SYAE
+	{0xC101, 0xC11B, prH3, gcLo},     //    [27] HANGUL SYLLABLE SYAEG..HANGUL SYLLABLE SYAEH
+	{0xC11C, 0xC11C, prH2, gcLo},     //         HANGUL SYLLABLE SEO
+	{0xC11D, 0xC137, prH3, gcLo},     //    [27] HANGUL SYLLABLE SEOG..HANGUL SYLLABLE SEOH
+	{0xC138, 0xC138, prH2, gcLo},     //         HANGUL SYLLABLE SE
+	{0xC139, 0xC153, prH3, gcLo},     //    [27] HANGUL SYLLABLE SEG..HANGUL SYLLABLE SEH
+	{0xC154, 0xC154, prH2, gcLo},     //         HANGUL SYLLABLE SYEO
+	{0xC155, 0xC16F, prH3, gcLo},     //    [27] HANGUL SYLLABLE SYEOG..HANGUL SYLLABLE SYEOH
+	{0xC170, 0xC170, prH2, gcLo},     //         HANGUL SYLLABLE SYE
+	{0xC171, 0xC18B, prH3, gcLo},     //    [27] HANGUL SYLLABLE SYEG..HANGUL SYLLABLE SYEH
+	{0xC18C, 0xC18C, prH2, gcLo},     //         HANGUL SYLLABLE SO
+	{0xC18D, 0xC1A7, prH3, gcLo},     //    [27] HANGUL SYLLABLE SOG..HANGUL SYLLABLE SOH
+	{0xC1A8, 0xC1A8, prH2, gcLo},     //         HANGUL SYLLABLE SWA
+	{0xC1A9, 0xC1C3, prH3, gcLo},     //    [27] HANGUL SYLLABLE SWAG..HANGUL SYLLABLE SWAH
+	{0xC1C4, 0xC1C4, prH2, gcLo},     //         HANGUL SYLLABLE SWAE
+	{0xC1C5, 0xC1DF, prH3, gcLo},     //    [27] HANGUL SYLLABLE SWAEG..HANGUL SYLLABLE SWAEH
+	{0xC1E0, 0xC1E0, prH2, gcLo},     //         HANGUL SYLLABLE SOE
+	{0xC1E1, 0xC1FB, prH3, gcLo},     //    [27] HANGUL SYLLABLE SOEG..HANGUL SYLLABLE SOEH
+	{0xC1FC, 0xC1FC, prH2, gcLo},     //         HANGUL SYLLABLE SYO
+	{0xC1FD, 0xC217, prH3, gcLo},     //    [27] HANGUL SYLLABLE SYOG..HANGUL SYLLABLE SYOH
+	{0xC218, 0xC218, prH2, gcLo},     //         HANGUL SYLLABLE SU
+	{0xC219, 0xC233, prH3, gcLo},     //    [27] HANGUL SYLLABLE SUG..HANGUL SYLLABLE SUH
+	{0xC234, 0xC234, prH2, gcLo},     //         HANGUL SYLLABLE SWEO
+	{0xC235, 0xC24F, prH3, gcLo},     //    [27] HANGUL SYLLABLE SWEOG..HANGUL SYLLABLE SWEOH
+	{0xC250, 0xC250, prH2, gcLo},     //         HANGUL SYLLABLE SWE
+	{0xC251, 0xC26B, prH3, gcLo},     //    [27] HANGUL SYLLABLE SWEG..HANGUL SYLLABLE SWEH
+	{0xC26C, 0xC26C, prH2, gcLo},     //         HANGUL SYLLABLE SWI
+	{0xC26D, 0xC287, prH3, gcLo},     //    [27] HANGUL SYLLABLE SWIG..HANGUL SYLLABLE SWIH
+	{0xC288, 0xC288, prH2, gcLo},     //         HANGUL SYLLABLE SYU
+	{0xC289, 0xC2A3, prH3, gcLo},     //    [27] HANGUL SYLLABLE SYUG..HANGUL SYLLABLE SYUH
+	{0xC2A4, 0xC2A4, prH2, gcLo},     //         HANGUL SYLLABLE SEU
+	{0xC2A5, 0xC2BF, prH3, gcLo},     //    [27] HANGUL SYLLABLE SEUG..HANGUL SYLLABLE SEUH
+	{0xC2C0, 0xC2C0, prH2, gcLo},     //         HANGUL SYLLABLE SYI
+	{0xC2C1, 0xC2DB, prH3, gcLo},     //    [27] HANGUL SYLLABLE SYIG..HANGUL SYLLABLE SYIH
+	{0xC2DC, 0xC2DC, prH2, gcLo},     //         HANGUL SYLLABLE SI
+	{0xC2DD, 0xC2F7, prH3, gcLo},     //    [27] HANGUL SYLLABLE SIG..HANGUL SYLLABLE SIH
+	{0xC2F8, 0xC2F8, prH2, gcLo},     //         HANGUL SYLLABLE SSA
+	{0xC2F9, 0xC313, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSAG..HANGUL SYLLABLE SSAH
+	{0xC314, 0xC314, prH2, gcLo},     //         HANGUL SYLLABLE SSAE
+	{0xC315, 0xC32F, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSAEG..HANGUL SYLLABLE SSAEH
+	{0xC330, 0xC330, prH2, gcLo},     //         HANGUL SYLLABLE SSYA
+	{0xC331, 0xC34B, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSYAG..HANGUL SYLLABLE SSYAH
+	{0xC34C, 0xC34C, prH2, gcLo},     //         HANGUL SYLLABLE SSYAE
+	{0xC34D, 0xC367, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSYAEG..HANGUL SYLLABLE SSYAEH
+	{0xC368, 0xC368, prH2, gcLo},     //         HANGUL SYLLABLE SSEO
+	{0xC369, 0xC383, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSEOG..HANGUL SYLLABLE SSEOH
+	{0xC384, 0xC384, prH2, gcLo},     //         HANGUL SYLLABLE SSE
+	{0xC385, 0xC39F, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSEG..HANGUL SYLLABLE SSEH
+	{0xC3A0, 0xC3A0, prH2, gcLo},     //         HANGUL SYLLABLE SSYEO
+	{0xC3A1, 0xC3BB, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSYEOG..HANGUL SYLLABLE SSYEOH
+	{0xC3BC, 0xC3BC, prH2, gcLo},     //         HANGUL SYLLABLE SSYE
+	{0xC3BD, 0xC3D7, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSYEG..HANGUL SYLLABLE SSYEH
+	{0xC3D8, 0xC3D8, prH2, gcLo},     //         HANGUL SYLLABLE SSO
+	{0xC3D9, 0xC3F3, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSOG..HANGUL SYLLABLE SSOH
+	{0xC3F4, 0xC3F4, prH2, gcLo},     //         HANGUL SYLLABLE SSWA
+	{0xC3F5, 0xC40F, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSWAG..HANGUL SYLLABLE SSWAH
+	{0xC410, 0xC410, prH2, gcLo},     //         HANGUL SYLLABLE SSWAE
+	{0xC411, 0xC42B, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSWAEG..HANGUL SYLLABLE SSWAEH
+	{0xC42C, 0xC42C, prH2, gcLo},     //         HANGUL SYLLABLE SSOE
+	{0xC42D, 0xC447, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSOEG..HANGUL SYLLABLE SSOEH
+	{0xC448, 0xC448, prH2, gcLo},     //         HANGUL SYLLABLE SSYO
+	{0xC449, 0xC463, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSYOG..HANGUL SYLLABLE SSYOH
+	{0xC464, 0xC464, prH2, gcLo},     //         HANGUL SYLLABLE SSU
+	{0xC465, 0xC47F, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSUG..HANGUL SYLLABLE SSUH
+	{0xC480, 0xC480, prH2, gcLo},     //         HANGUL SYLLABLE SSWEO
+	{0xC481, 0xC49B, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSWEOG..HANGUL SYLLABLE SSWEOH
+	{0xC49C, 0xC49C, prH2, gcLo},     //         HANGUL SYLLABLE SSWE
+	{0xC49D, 0xC4B7, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSWEG..HANGUL SYLLABLE SSWEH
+	{0xC4B8, 0xC4B8, prH2, gcLo},     //         HANGUL SYLLABLE SSWI
+	{0xC4B9, 0xC4D3, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSWIG..HANGUL SYLLABLE SSWIH
+	{0xC4D4, 0xC4D4, prH2, gcLo},     //         HANGUL SYLLABLE SSYU
+	{0xC4D5, 0xC4EF, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSYUG..HANGUL SYLLABLE SSYUH
+	{0xC4F0, 0xC4F0, prH2, gcLo},     //         HANGUL SYLLABLE SSEU
+	{0xC4F1, 0xC50B, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSEUG..HANGUL SYLLABLE SSEUH
+	{0xC50C, 0xC50C, prH2, gcLo},     //         HANGUL SYLLABLE SSYI
+	{0xC50D, 0xC527, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSYIG..HANGUL SYLLABLE SSYIH
+	{0xC528, 0xC528, prH2, gcLo},     //         HANGUL SYLLABLE SSI
+	{0xC529, 0xC543, prH3, gcLo},     //    [27] HANGUL SYLLABLE SSIG..HANGUL SYLLABLE SSIH
+	{0xC544, 0xC544, prH2, gcLo},     //         HANGUL SYLLABLE A
+	{0xC545, 0xC55F, prH3, gcLo},     //    [27] HANGUL SYLLABLE AG..HANGUL SYLLABLE AH
+	{0xC560, 0xC560, prH2, gcLo},     //         HANGUL SYLLABLE AE
+	{0xC561, 0xC57B, prH3, gcLo},     //    [27] HANGUL SYLLABLE AEG..HANGUL SYLLABLE AEH
+	{0xC57C, 0xC57C, prH2, gcLo},     //         HANGUL SYLLABLE YA
+	{0xC57D, 0xC597, prH3, gcLo},     //    [27] HANGUL SYLLABLE YAG..HANGUL SYLLABLE YAH
+	{0xC598, 0xC598, prH2, gcLo},     //         HANGUL SYLLABLE YAE
+	{0xC599, 0xC5B3, prH3, gcLo},     //    [27] HANGUL SYLLABLE YAEG..HANGUL SYLLABLE YAEH
+	{0xC5B4, 0xC5B4, prH2, gcLo},     //         HANGUL SYLLABLE EO
+	{0xC5B5, 0xC5CF, prH3, gcLo},     //    [27] HANGUL SYLLABLE EOG..HANGUL SYLLABLE EOH
+	{0xC5D0, 0xC5D0, prH2, gcLo},     //         HANGUL SYLLABLE E
+	{0xC5D1, 0xC5EB, prH3, gcLo},     //    [27] HANGUL SYLLABLE EG..HANGUL SYLLABLE EH
+	{0xC5EC, 0xC5EC, prH2, gcLo},     //         HANGUL SYLLABLE YEO
+	{0xC5ED, 0xC607, prH3, gcLo},     //    [27] HANGUL SYLLABLE YEOG..HANGUL SYLLABLE YEOH
+	{0xC608, 0xC608, prH2, gcLo},     //         HANGUL SYLLABLE YE
+	{0xC609, 0xC623, prH3, gcLo},     //    [27] HANGUL SYLLABLE YEG..HANGUL SYLLABLE YEH
+	{0xC624, 0xC624, prH2, gcLo},     //         HANGUL SYLLABLE O
+	{0xC625, 0xC63F, prH3, gcLo},     //    [27] HANGUL SYLLABLE OG..HANGUL SYLLABLE OH
+	{0xC640, 0xC640, prH2, gcLo},     //         HANGUL SYLLABLE WA
+	{0xC641, 0xC65B, prH3, gcLo},     //    [27] HANGUL SYLLABLE WAG..HANGUL SYLLABLE WAH
+	{0xC65C, 0xC65C, prH2, gcLo},     //         HANGUL SYLLABLE WAE
+	{0xC65D, 0xC677, prH3, gcLo},     //    [27] HANGUL SYLLABLE WAEG..HANGUL SYLLABLE WAEH
+	{0xC678, 0xC678, prH2, gcLo},     //         HANGUL SYLLABLE OE
+	{0xC679, 0xC693, prH3, gcLo},     //    [27] HANGUL SYLLABLE OEG..HANGUL SYLLABLE OEH
+	{0xC694, 0xC694, prH2, gcLo},     //         HANGUL SYLLABLE YO
+	{0xC695, 0xC6AF, prH3, gcLo},     //    [27] HANGUL SYLLABLE YOG..HANGUL SYLLABLE YOH
+	{0xC6B0, 0xC6B0, prH2, gcLo},     //         HANGUL SYLLABLE U
+	{0xC6B1, 0xC6CB, prH3, gcLo},     //    [27] HANGUL SYLLABLE UG..HANGUL SYLLABLE UH
+	{0xC6CC, 0xC6CC, prH2, gcLo},     //         HANGUL SYLLABLE WEO
+	{0xC6CD, 0xC6E7, prH3, gcLo},     //    [27] HANGUL SYLLABLE WEOG..HANGUL SYLLABLE WEOH
+	{0xC6E8, 0xC6E8, prH2, gcLo},     //         HANGUL SYLLABLE WE
+	{0xC6E9, 0xC703, prH3, gcLo},     //    [27] HANGUL SYLLABLE WEG..HANGUL SYLLABLE WEH
+	{0xC704, 0xC704, prH2, gcLo},     //         HANGUL SYLLABLE WI
+	{0xC705, 0xC71F, prH3, gcLo},     //    [27] HANGUL SYLLABLE WIG..HANGUL SYLLABLE WIH
+	{0xC720, 0xC720, prH2, gcLo},     //         HANGUL SYLLABLE YU
+	{0xC721, 0xC73B, prH3, gcLo},     //    [27] HANGUL SYLLABLE YUG..HANGUL SYLLABLE YUH
+	{0xC73C, 0xC73C, prH2, gcLo},     //         HANGUL SYLLABLE EU
+	{0xC73D, 0xC757, prH3, gcLo},     //    [27] HANGUL SYLLABLE EUG..HANGUL SYLLABLE EUH
+	{0xC758, 0xC758, prH2, gcLo},     //         HANGUL SYLLABLE YI
+	{0xC759, 0xC773, prH3, gcLo},     //    [27] HANGUL SYLLABLE YIG..HANGUL SYLLABLE YIH
+	{0xC774, 0xC774, prH2, gcLo},     //         HANGUL SYLLABLE I
+	{0xC775, 0xC78F, prH3, gcLo},     //    [27] HANGUL SYLLABLE IG..HANGUL SYLLABLE IH
+	{0xC790, 0xC790, prH2, gcLo},     //         HANGUL SYLLABLE JA
+	{0xC791, 0xC7AB, prH3, gcLo},     //    [27] HANGUL SYLLABLE JAG..HANGUL SYLLABLE JAH
+	{0xC7AC, 0xC7AC, prH2, gcLo},     //         HANGUL SYLLABLE JAE
+	{0xC7AD, 0xC7C7, prH3, gcLo},     //    [27] HANGUL SYLLABLE JAEG..HANGUL SYLLABLE JAEH
+	{0xC7C8, 0xC7C8, prH2, gcLo},     //         HANGUL SYLLABLE JYA
+	{0xC7C9, 0xC7E3, prH3, gcLo},     //    [27] HANGUL SYLLABLE JYAG..HANGUL SYLLABLE JYAH
+	{0xC7E4, 0xC7E4, prH2, gcLo},     //         HANGUL SYLLABLE JYAE
+	{0xC7E5, 0xC7FF, prH3, gcLo},     //    [27] HANGUL SYLLABLE JYAEG..HANGUL SYLLABLE JYAEH
+	{0xC800, 0xC800, prH2, gcLo},     //         HANGUL SYLLABLE JEO
+	{0xC801, 0xC81B, prH3, gcLo},     //    [27] HANGUL SYLLABLE JEOG..HANGUL SYLLABLE JEOH
+	{0xC81C, 0xC81C, prH2, gcLo},     //         HANGUL SYLLABLE JE
+	{0xC81D, 0xC837, prH3, gcLo},     //    [27] HANGUL SYLLABLE JEG..HANGUL SYLLABLE JEH
+	{0xC838, 0xC838, prH2, gcLo},     //         HANGUL SYLLABLE JYEO
+	{0xC839, 0xC853, prH3, gcLo},     //    [27] HANGUL SYLLABLE JYEOG..HANGUL SYLLABLE JYEOH
+	{0xC854, 0xC854, prH2, gcLo},     //         HANGUL SYLLABLE JYE
+	{0xC855, 0xC86F, prH3, gcLo},     //    [27] HANGUL SYLLABLE JYEG..HANGUL SYLLABLE JYEH
+	{0xC870, 0xC870, prH2, gcLo},     //         HANGUL SYLLABLE JO
+	{0xC871, 0xC88B, prH3, gcLo},     //    [27] HANGUL SYLLABLE JOG..HANGUL SYLLABLE JOH
+	{0xC88C, 0xC88C, prH2, gcLo},     //         HANGUL SYLLABLE JWA
+	{0xC88D, 0xC8A7, prH3, gcLo},     //    [27] HANGUL SYLLABLE JWAG..HANGUL SYLLABLE JWAH
+	{0xC8A8, 0xC8A8, prH2, gcLo},     //         HANGUL SYLLABLE JWAE
+	{0xC8A9, 0xC8C3, prH3, gcLo},     //    [27] HANGUL SYLLABLE JWAEG..HANGUL SYLLABLE JWAEH
+	{0xC8C4, 0xC8C4, prH2, gcLo},     //         HANGUL SYLLABLE JOE
+	{0xC8C5, 0xC8DF, prH3, gcLo},     //    [27] HANGUL SYLLABLE JOEG..HANGUL SYLLABLE JOEH
+	{0xC8E0, 0xC8E0, prH2, gcLo},     //         HANGUL SYLLABLE JYO
+	{0xC8E1, 0xC8FB, prH3, gcLo},     //    [27] HANGUL SYLLABLE JYOG..HANGUL SYLLABLE JYOH
+	{0xC8FC, 0xC8FC, prH2, gcLo},     //         HANGUL SYLLABLE JU
+	{0xC8FD, 0xC917, prH3, gcLo},     //    [27] HANGUL SYLLABLE JUG..HANGUL SYLLABLE JUH
+	{0xC918, 0xC918, prH2, gcLo},     //         HANGUL SYLLABLE JWEO
+	{0xC919, 0xC933, prH3, gcLo},     //    [27] HANGUL SYLLABLE JWEOG..HANGUL SYLLABLE JWEOH
+	{0xC934, 0xC934, prH2, gcLo},     //         HANGUL SYLLABLE JWE
+	{0xC935, 0xC94F, prH3, gcLo},     //    [27] HANGUL SYLLABLE JWEG..HANGUL SYLLABLE JWEH
+	{0xC950, 0xC950, prH2, gcLo},     //         HANGUL SYLLABLE JWI
+	{0xC951, 0xC96B, prH3, gcLo},     //    [27] HANGUL SYLLABLE JWIG..HANGUL SYLLABLE JWIH
+	{0xC96C, 0xC96C, prH2, gcLo},     //         HANGUL SYLLABLE JYU
+	{0xC96D, 0xC987, prH3, gcLo},     //    [27] HANGUL SYLLABLE JYUG..HANGUL SYLLABLE JYUH
+	{0xC988, 0xC988, prH2, gcLo},     //         HANGUL SYLLABLE JEU
+	{0xC989, 0xC9A3, prH3, gcLo},     //    [27] HANGUL SYLLABLE JEUG..HANGUL SYLLABLE JEUH
+	{0xC9A4, 0xC9A4, prH2, gcLo},     //         HANGUL SYLLABLE JYI
+	{0xC9A5, 0xC9BF, prH3, gcLo},     //    [27] HANGUL SYLLABLE JYIG..HANGUL SYLLABLE JYIH
+	{0xC9C0, 0xC9C0, prH2, gcLo},     //         HANGUL SYLLABLE JI
+	{0xC9C1, 0xC9DB, prH3, gcLo},     //    [27] HANGUL SYLLABLE JIG..HANGUL SYLLABLE JIH
+	{0xC9DC, 0xC9DC, prH2, gcLo},     //         HANGUL SYLLABLE JJA
+	{0xC9DD, 0xC9F7, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJAG..HANGUL SYLLABLE JJAH
+	{0xC9F8, 0xC9F8, prH2, gcLo},     //         HANGUL SYLLABLE JJAE
+	{0xC9F9, 0xCA13, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJAEG..HANGUL SYLLABLE JJAEH
+	{0xCA14, 0xCA14, prH2, gcLo},     //         HANGUL SYLLABLE JJYA
+	{0xCA15, 0xCA2F, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJYAG..HANGUL SYLLABLE JJYAH
+	{0xCA30, 0xCA30, prH2, gcLo},     //         HANGUL SYLLABLE JJYAE
+	{0xCA31, 0xCA4B, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJYAEG..HANGUL SYLLABLE JJYAEH
+	{0xCA4C, 0xCA4C, prH2, gcLo},     //         HANGUL SYLLABLE JJEO
+	{0xCA4D, 0xCA67, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJEOG..HANGUL SYLLABLE JJEOH
+	{0xCA68, 0xCA68, prH2, gcLo},     //         HANGUL SYLLABLE JJE
+	{0xCA69, 0xCA83, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJEG..HANGUL SYLLABLE JJEH
+	{0xCA84, 0xCA84, prH2, gcLo},     //         HANGUL SYLLABLE JJYEO
+	{0xCA85, 0xCA9F, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJYEOG..HANGUL SYLLABLE JJYEOH
+	{0xCAA0, 0xCAA0, prH2, gcLo},     //         HANGUL SYLLABLE JJYE
+	{0xCAA1, 0xCABB, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJYEG..HANGUL SYLLABLE JJYEH
+	{0xCABC, 0xCABC, prH2, gcLo},     //         HANGUL SYLLABLE JJO
+	{0xCABD, 0xCAD7, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJOG..HANGUL SYLLABLE JJOH
+	{0xCAD8, 0xCAD8, prH2, gcLo},     //         HANGUL SYLLABLE JJWA
+	{0xCAD9, 0xCAF3, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJWAG..HANGUL SYLLABLE JJWAH
+	{0xCAF4, 0xCAF4, prH2, gcLo},     //         HANGUL SYLLABLE JJWAE
+	{0xCAF5, 0xCB0F, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJWAEG..HANGUL SYLLABLE JJWAEH
+	{0xCB10, 0xCB10, prH2, gcLo},     //         HANGUL SYLLABLE JJOE
+	{0xCB11, 0xCB2B, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJOEG..HANGUL SYLLABLE JJOEH
+	{0xCB2C, 0xCB2C, prH2, gcLo},     //         HANGUL SYLLABLE JJYO
+	{0xCB2D, 0xCB47, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJYOG..HANGUL SYLLABLE JJYOH
+	{0xCB48, 0xCB48, prH2, gcLo},     //         HANGUL SYLLABLE JJU
+	{0xCB49, 0xCB63, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJUG..HANGUL SYLLABLE JJUH
+	{0xCB64, 0xCB64, prH2, gcLo},     //         HANGUL SYLLABLE JJWEO
+	{0xCB65, 0xCB7F, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJWEOG..HANGUL SYLLABLE JJWEOH
+	{0xCB80, 0xCB80, prH2, gcLo},     //         HANGUL SYLLABLE JJWE
+	{0xCB81, 0xCB9B, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJWEG..HANGUL SYLLABLE JJWEH
+	{0xCB9C, 0xCB9C, prH2, gcLo},     //         HANGUL SYLLABLE JJWI
+	{0xCB9D, 0xCBB7, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJWIG..HANGUL SYLLABLE JJWIH
+	{0xCBB8, 0xCBB8, prH2, gcLo},     //         HANGUL SYLLABLE JJYU
+	{0xCBB9, 0xCBD3, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJYUG..HANGUL SYLLABLE JJYUH
+	{0xCBD4, 0xCBD4, prH2, gcLo},     //         HANGUL SYLLABLE JJEU
+	{0xCBD5, 0xCBEF, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJEUG..HANGUL SYLLABLE JJEUH
+	{0xCBF0, 0xCBF0, prH2, gcLo},     //         HANGUL SYLLABLE JJYI
+	{0xCBF1, 0xCC0B, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJYIG..HANGUL SYLLABLE JJYIH
+	{0xCC0C, 0xCC0C, prH2, gcLo},     //         HANGUL SYLLABLE JJI
+	{0xCC0D, 0xCC27, prH3, gcLo},     //    [27] HANGUL SYLLABLE JJIG..HANGUL SYLLABLE JJIH
+	{0xCC28, 0xCC28, prH2, gcLo},     //         HANGUL SYLLABLE CA
+	{0xCC29, 0xCC43, prH3, gcLo},     //    [27] HANGUL SYLLABLE CAG..HANGUL SYLLABLE CAH
+	{0xCC44, 0xCC44, prH2, gcLo},     //         HANGUL SYLLABLE CAE
+	{0xCC45, 0xCC5F, prH3, gcLo},     //    [27] HANGUL SYLLABLE CAEG..HANGUL SYLLABLE CAEH
+	{0xCC60, 0xCC60, prH2, gcLo},     //         HANGUL SYLLABLE CYA
+	{0xCC61, 0xCC7B, prH3, gcLo},     //    [27] HANGUL SYLLABLE CYAG..HANGUL SYLLABLE CYAH
+	{0xCC7C, 0xCC7C, prH2, gcLo},     //         HANGUL SYLLABLE CYAE
+	{0xCC7D, 0xCC97, prH3, gcLo},     //    [27] HANGUL SYLLABLE CYAEG..HANGUL SYLLABLE CYAEH
+	{0xCC98, 0xCC98, prH2, gcLo},     //         HANGUL SYLLABLE CEO
+	{0xCC99, 0xCCB3, prH3, gcLo},     //    [27] HANGUL SYLLABLE CEOG..HANGUL SYLLABLE CEOH
+	{0xCCB4, 0xCCB4, prH2, gcLo},     //         HANGUL SYLLABLE CE
+	{0xCCB5, 0xCCCF, prH3, gcLo},     //    [27] HANGUL SYLLABLE CEG..HANGUL SYLLABLE CEH
+	{0xCCD0, 0xCCD0, prH2, gcLo},     //         HANGUL SYLLABLE CYEO
+	{0xCCD1, 0xCCEB, prH3, gcLo},     //    [27] HANGUL SYLLABLE CYEOG..HANGUL SYLLABLE CYEOH
+	{0xCCEC, 0xCCEC, prH2, gcLo},     //         HANGUL SYLLABLE CYE
+	{0xCCED, 0xCD07, prH3, gcLo},     //    [27] HANGUL SYLLABLE CYEG..HANGUL SYLLABLE CYEH
+	{0xCD08, 0xCD08, prH2, gcLo},     //         HANGUL SYLLABLE CO
+	{0xCD09, 0xCD23, prH3, gcLo},     //    [27] HANGUL SYLLABLE COG..HANGUL SYLLABLE COH
+	{0xCD24, 0xCD24, prH2, gcLo},     //         HANGUL SYLLABLE CWA
+	{0xCD25, 0xCD3F, prH3, gcLo},     //    [27] HANGUL SYLLABLE CWAG..HANGUL SYLLABLE CWAH
+	{0xCD40, 0xCD40, prH2, gcLo},     //         HANGUL SYLLABLE CWAE
+	{0xCD41, 0xCD5B, prH3, gcLo},     //    [27] HANGUL SYLLABLE CWAEG..HANGUL SYLLABLE CWAEH
+	{0xCD5C, 0xCD5C, prH2, gcLo},     //         HANGUL SYLLABLE COE
+	{0xCD5D, 0xCD77, prH3, gcLo},     //    [27] HANGUL SYLLABLE COEG..HANGUL SYLLABLE COEH
+	{0xCD78, 0xCD78, prH2, gcLo},     //         HANGUL SYLLABLE CYO
+	{0xCD79, 0xCD93, prH3, gcLo},     //    [27] HANGUL SYLLABLE CYOG..HANGUL SYLLABLE CYOH
+	{0xCD94, 0xCD94, prH2, gcLo},     //         HANGUL SYLLABLE CU
+	{0xCD95, 0xCDAF, prH3, gcLo},     //    [27] HANGUL SYLLABLE CUG..HANGUL SYLLABLE CUH
+	{0xCDB0, 0xCDB0, prH2, gcLo},     //         HANGUL SYLLABLE CWEO
+	{0xCDB1, 0xCDCB, prH3, gcLo},     //    [27] HANGUL SYLLABLE CWEOG..HANGUL SYLLABLE CWEOH
+	{0xCDCC, 0xCDCC, prH2, gcLo},     //         HANGUL SYLLABLE CWE
+	{0xCDCD, 0xCDE7, prH3, gcLo},     //    [27] HANGUL SYLLABLE CWEG..HANGUL SYLLABLE CWEH
+	{0xCDE8, 0xCDE8, prH2, gcLo},     //         HANGUL SYLLABLE CWI
+	{0xCDE9, 0xCE03, prH3, gcLo},     //    [27] HANGUL SYLLABLE CWIG..HANGUL SYLLABLE CWIH
+	{0xCE04, 0xCE04, prH2, gcLo},     //         HANGUL SYLLABLE CYU
+	{0xCE05, 0xCE1F, prH3, gcLo},     //    [27] HANGUL SYLLABLE CYUG..HANGUL SYLLABLE CYUH
+	{0xCE20, 0xCE20, prH2, gcLo},     //         HANGUL SYLLABLE CEU
+	{0xCE21, 0xCE3B, prH3, gcLo},     //    [27] HANGUL SYLLABLE CEUG..HANGUL SYLLABLE CEUH
+	{0xCE3C, 0xCE3C, prH2, gcLo},     //         HANGUL SYLLABLE CYI
+	{0xCE3D, 0xCE57, prH3, gcLo},     //    [27] HANGUL SYLLABLE CYIG..HANGUL SYLLABLE CYIH
+	{0xCE58, 0xCE58, prH2, gcLo},     //         HANGUL SYLLABLE CI
+	{0xCE59, 0xCE73, prH3, gcLo},     //    [27] HANGUL SYLLABLE CIG..HANGUL SYLLABLE CIH
+	{0xCE74, 0xCE74, prH2, gcLo},     //         HANGUL SYLLABLE KA
+	{0xCE75, 0xCE8F, prH3, gcLo},     //    [27] HANGUL SYLLABLE KAG..HANGUL SYLLABLE KAH
+	{0xCE90, 0xCE90, prH2, gcLo},     //         HANGUL SYLLABLE KAE
+	{0xCE91, 0xCEAB, prH3, gcLo},     //    [27] HANGUL SYLLABLE KAEG..HANGUL SYLLABLE KAEH
+	{0xCEAC, 0xCEAC, prH2, gcLo},     //         HANGUL SYLLABLE KYA
+	{0xCEAD, 0xCEC7, prH3, gcLo},     //    [27] HANGUL SYLLABLE KYAG..HANGUL SYLLABLE KYAH
+	{0xCEC8, 0xCEC8, prH2, gcLo},     //         HANGUL SYLLABLE KYAE
+	{0xCEC9, 0xCEE3, prH3, gcLo},     //    [27] HANGUL SYLLABLE KYAEG..HANGUL SYLLABLE KYAEH
+	{0xCEE4, 0xCEE4, prH2, gcLo},     //         HANGUL SYLLABLE KEO
+	{0xCEE5, 0xCEFF, prH3, gcLo},     //    [27] HANGUL SYLLABLE KEOG..HANGUL SYLLABLE KEOH
+	{0xCF00, 0xCF00, prH2, gcLo},     //         HANGUL SYLLABLE KE
+	{0xCF01, 0xCF1B, prH3, gcLo},     //    [27] HANGUL SYLLABLE KEG..HANGUL SYLLABLE KEH
+	{0xCF1C, 0xCF1C, prH2, gcLo},     //         HANGUL SYLLABLE KYEO
+	{0xCF1D, 0xCF37, prH3, gcLo},     //    [27] HANGUL SYLLABLE KYEOG..HANGUL SYLLABLE KYEOH
+	{0xCF38, 0xCF38, prH2, gcLo},     //         HANGUL SYLLABLE KYE
+	{0xCF39, 0xCF53, prH3, gcLo},     //    [27] HANGUL SYLLABLE KYEG..HANGUL SYLLABLE KYEH
+	{0xCF54, 0xCF54, prH2, gcLo},     //         HANGUL SYLLABLE KO
+	{0xCF55, 0xCF6F, prH3, gcLo},     //    [27] HANGUL SYLLABLE KOG..HANGUL SYLLABLE KOH
+	{0xCF70, 0xCF70, prH2, gcLo},     //         HANGUL SYLLABLE KWA
+	{0xCF71, 0xCF8B, prH3, gcLo},     //    [27] HANGUL SYLLABLE KWAG..HANGUL SYLLABLE KWAH
+	{0xCF8C, 0xCF8C, prH2, gcLo},     //         HANGUL SYLLABLE KWAE
+	{0xCF8D, 0xCFA7, prH3, gcLo},     //    [27] HANGUL SYLLABLE KWAEG..HANGUL SYLLABLE KWAEH
+	{0xCFA8, 0xCFA8, prH2, gcLo},     //         HANGUL SYLLABLE KOE
+	{0xCFA9, 0xCFC3, prH3, gcLo},     //    [27] HANGUL SYLLABLE KOEG..HANGUL SYLLABLE KOEH
+	{0xCFC4, 0xCFC4, prH2, gcLo},     //         HANGUL SYLLABLE KYO
+	{0xCFC5, 0xCFDF, prH3, gcLo},     //    [27] HANGUL SYLLABLE KYOG..HANGUL SYLLABLE KYOH
+	{0xCFE0, 0xCFE0, prH2, gcLo},     //         HANGUL SYLLABLE KU
+	{0xCFE1, 0xCFFB, prH3, gcLo},     //    [27] HANGUL SYLLABLE KUG..HANGUL SYLLABLE KUH
+	{0xCFFC, 0xCFFC, prH2, gcLo},     //         HANGUL SYLLABLE KWEO
+	{0xCFFD, 0xD017, prH3, gcLo},     //    [27] HANGUL SYLLABLE KWEOG..HANGUL SYLLABLE KWEOH
+	{0xD018, 0xD018, prH2, gcLo},     //         HANGUL SYLLABLE KWE
+	{0xD019, 0xD033, prH3, gcLo},     //    [27] HANGUL SYLLABLE KWEG..HANGUL SYLLABLE KWEH
+	{0xD034, 0xD034, prH2, gcLo},     //         HANGUL SYLLABLE KWI
+	{0xD035, 0xD04F, prH3, gcLo},     //    [27] HANGUL SYLLABLE KWIG..HANGUL SYLLABLE KWIH
+	{0xD050, 0xD050, prH2, gcLo},     //         HANGUL SYLLABLE KYU
+	{0xD051, 0xD06B, prH3, gcLo},     //    [27] HANGUL SYLLABLE KYUG..HANGUL SYLLABLE KYUH
+	{0xD06C, 0xD06C, prH2, gcLo},     //         HANGUL SYLLABLE KEU
+	{0xD06D, 0xD087, prH3, gcLo},     //    [27] HANGUL SYLLABLE KEUG..HANGUL SYLLABLE KEUH
+	{0xD088, 0xD088, prH2, gcLo},     //         HANGUL SYLLABLE KYI
+	{0xD089, 0xD0A3, prH3, gcLo},     //    [27] HANGUL SYLLABLE KYIG..HANGUL SYLLABLE KYIH
+	{0xD0A4, 0xD0A4, prH2, gcLo},     //         HANGUL SYLLABLE KI
+	{0xD0A5, 0xD0BF, prH3, gcLo},     //    [27] HANGUL SYLLABLE KIG..HANGUL SYLLABLE KIH
+	{0xD0C0, 0xD0C0, prH2, gcLo},     //         HANGUL SYLLABLE TA
+	{0xD0C1, 0xD0DB, prH3, gcLo},     //    [27] HANGUL SYLLABLE TAG..HANGUL SYLLABLE TAH
+	{0xD0DC, 0xD0DC, prH2, gcLo},     //         HANGUL SYLLABLE TAE
+	{0xD0DD, 0xD0F7, prH3, gcLo},     //    [27] HANGUL SYLLABLE TAEG..HANGUL SYLLABLE TAEH
+	{0xD0F8, 0xD0F8, prH2, gcLo},     //         HANGUL SYLLABLE TYA
+	{0xD0F9, 0xD113, prH3, gcLo},     //    [27] HANGUL SYLLABLE TYAG..HANGUL SYLLABLE TYAH
+	{0xD114, 0xD114, prH2, gcLo},     //         HANGUL SYLLABLE TYAE
+	{0xD115, 0xD12F, prH3, gcLo},     //    [27] HANGUL SYLLABLE TYAEG..HANGUL SYLLABLE TYAEH
+	{0xD130, 0xD130, prH2, gcLo},     //         HANGUL SYLLABLE TEO
+	{0xD131, 0xD14B, prH3, gcLo},     //    [27] HANGUL SYLLABLE TEOG..HANGUL SYLLABLE TEOH
+	{0xD14C, 0xD14C, prH2, gcLo},     //         HANGUL SYLLABLE TE
+	{0xD14D, 0xD167, prH3, gcLo},     //    [27] HANGUL SYLLABLE TEG..HANGUL SYLLABLE TEH
+	{0xD168, 0xD168, prH2, gcLo},     //         HANGUL SYLLABLE TYEO
+	{0xD169, 0xD183, prH3, gcLo},     //    [27] HANGUL SYLLABLE TYEOG..HANGUL SYLLABLE TYEOH
+	{0xD184, 0xD184, prH2, gcLo},     //         HANGUL SYLLABLE TYE
+	{0xD185, 0xD19F, prH3, gcLo},     //    [27] HANGUL SYLLABLE TYEG..HANGUL SYLLABLE TYEH
+	{0xD1A0, 0xD1A0, prH2, gcLo},     //         HANGUL SYLLABLE TO
+	{0xD1A1, 0xD1BB, prH3, gcLo},     //    [27] HANGUL SYLLABLE TOG..HANGUL SYLLABLE TOH
+	{0xD1BC, 0xD1BC, prH2, gcLo},     //         HANGUL SYLLABLE TWA
+	{0xD1BD, 0xD1D7, prH3, gcLo},     //    [27] HANGUL SYLLABLE TWAG..HANGUL SYLLABLE TWAH
+	{0xD1D8, 0xD1D8, prH2, gcLo},     //         HANGUL SYLLABLE TWAE
+	{0xD1D9, 0xD1F3, prH3, gcLo},     //    [27] HANGUL SYLLABLE TWAEG..HANGUL SYLLABLE TWAEH
+	{0xD1F4, 0xD1F4, prH2, gcLo},     //         HANGUL SYLLABLE TOE
+	{0xD1F5, 0xD20F, prH3, gcLo},     //    [27] HANGUL SYLLABLE TOEG..HANGUL SYLLABLE TOEH
+	{0xD210, 0xD210, prH2, gcLo},     //         HANGUL SYLLABLE TYO
+	{0xD211, 0xD22B, prH3, gcLo},     //    [27] HANGUL SYLLABLE TYOG..HANGUL SYLLABLE TYOH
+	{0xD22C, 0xD22C, prH2, gcLo},     //         HANGUL SYLLABLE TU
+	{0xD22D, 0xD247, prH3, gcLo},     //    [27] HANGUL SYLLABLE TUG..HANGUL SYLLABLE TUH
+	{0xD248, 0xD248, prH2, gcLo},     //         HANGUL SYLLABLE TWEO
+	{0xD249, 0xD263, prH3, gcLo},     //    [27] HANGUL SYLLABLE TWEOG..HANGUL SYLLABLE TWEOH
+	{0xD264, 0xD264, prH2, gcLo},     //         HANGUL SYLLABLE TWE
+	{0xD265, 0xD27F, prH3, gcLo},     //    [27] HANGUL SYLLABLE TWEG..HANGUL SYLLABLE TWEH
+	{0xD280, 0xD280, prH2, gcLo},     //         HANGUL SYLLABLE TWI
+	{0xD281, 0xD29B, prH3, gcLo},     //    [27] HANGUL SYLLABLE TWIG..HANGUL SYLLABLE TWIH
+	{0xD29C, 0xD29C, prH2, gcLo},     //         HANGUL SYLLABLE TYU
+	{0xD29D, 0xD2B7, prH3, gcLo},     //    [27] HANGUL SYLLABLE TYUG..HANGUL SYLLABLE TYUH
+	{0xD2B8, 0xD2B8, prH2, gcLo},     //         HANGUL SYLLABLE TEU
+	{0xD2B9, 0xD2D3, prH3, gcLo},     //    [27] HANGUL SYLLABLE TEUG..HANGUL SYLLABLE TEUH
+	{0xD2D4, 0xD2D4, prH2, gcLo},     //         HANGUL SYLLABLE TYI
+	{0xD2D5, 0xD2EF, prH3, gcLo},     //    [27] HANGUL SYLLABLE TYIG..HANGUL SYLLABLE TYIH
+	{0xD2F0, 0xD2F0, prH2, gcLo},     //         HANGUL SYLLABLE TI
+	{0xD2F1, 0xD30B, prH3, gcLo},     //    [27] HANGUL SYLLABLE TIG..HANGUL SYLLABLE TIH
+	{0xD30C, 0xD30C, prH2, gcLo},     //         HANGUL SYLLABLE PA
+	{0xD30D, 0xD327, prH3, gcLo},     //    [27] HANGUL SYLLABLE PAG..HANGUL SYLLABLE PAH
+	{0xD328, 0xD328, prH2, gcLo},     //         HANGUL SYLLABLE PAE
+	{0xD329, 0xD343, prH3, gcLo},     //    [27] HANGUL SYLLABLE PAEG..HANGUL SYLLABLE PAEH
+	{0xD344, 0xD344, prH2, gcLo},     //         HANGUL SYLLABLE PYA
+	{0xD345, 0xD35F, prH3, gcLo},     //    [27] HANGUL SYLLABLE PYAG..HANGUL SYLLABLE PYAH
+	{0xD360, 0xD360, prH2, gcLo},     //         HANGUL SYLLABLE PYAE
+	{0xD361, 0xD37B, prH3, gcLo},     //    [27] HANGUL SYLLABLE PYAEG..HANGUL SYLLABLE PYAEH
+	{0xD37C, 0xD37C, prH2, gcLo},     //         HANGUL SYLLABLE PEO
+	{0xD37D, 0xD397, prH3, gcLo},     //    [27] HANGUL SYLLABLE PEOG..HANGUL SYLLABLE PEOH
+	{0xD398, 0xD398, prH2, gcLo},     //         HANGUL SYLLABLE PE
+	{0xD399, 0xD3B3, prH3, gcLo},     //    [27] HANGUL SYLLABLE PEG..HANGUL SYLLABLE PEH
+	{0xD3B4, 0xD3B4, prH2, gcLo},     //         HANGUL SYLLABLE PYEO
+	{0xD3B5, 0xD3CF, prH3, gcLo},     //    [27] HANGUL SYLLABLE PYEOG..HANGUL SYLLABLE PYEOH
+	{0xD3D0, 0xD3D0, prH2, gcLo},     //         HANGUL SYLLABLE PYE
+	{0xD3D1, 0xD3EB, prH3, gcLo},     //    [27] HANGUL SYLLABLE PYEG..HANGUL SYLLABLE PYEH
+	{0xD3EC, 0xD3EC, prH2, gcLo},     //         HANGUL SYLLABLE PO
+	{0xD3ED, 0xD407, prH3, gcLo},     //    [27] HANGUL SYLLABLE POG..HANGUL SYLLABLE POH
+	{0xD408, 0xD408, prH2, gcLo},     //         HANGUL SYLLABLE PWA
+	{0xD409, 0xD423, prH3, gcLo},     //    [27] HANGUL SYLLABLE PWAG..HANGUL SYLLABLE PWAH
+	{0xD424, 0xD424, prH2, gcLo},     //         HANGUL SYLLABLE PWAE
+	{0xD425, 0xD43F, prH3, gcLo},     //    [27] HANGUL SYLLABLE PWAEG..HANGUL SYLLABLE PWAEH
+	{0xD440, 0xD440, prH2, gcLo},     //         HANGUL SYLLABLE POE
+	{0xD441, 0xD45B, prH3, gcLo},     //    [27] HANGUL SYLLABLE POEG..HANGUL SYLLABLE POEH
+	{0xD45C, 0xD45C, prH2, gcLo},     //         HANGUL SYLLABLE PYO
+	{0xD45D, 0xD477, prH3, gcLo},     //    [27] HANGUL SYLLABLE PYOG..HANGUL SYLLABLE PYOH
+	{0xD478, 0xD478, prH2, gcLo},     //         HANGUL SYLLABLE PU
+	{0xD479, 0xD493, prH3, gcLo},     //    [27] HANGUL SYLLABLE PUG..HANGUL SYLLABLE PUH
+	{0xD494, 0xD494, prH2, gcLo},     //         HANGUL SYLLABLE PWEO
+	{0xD495, 0xD4AF, prH3, gcLo},     //    [27] HANGUL SYLLABLE PWEOG..HANGUL SYLLABLE PWEOH
+	{0xD4B0, 0xD4B0, prH2, gcLo},     //         HANGUL SYLLABLE PWE
+	{0xD4B1, 0xD4CB, prH3, gcLo},     //    [27] HANGUL SYLLABLE PWEG..HANGUL SYLLABLE PWEH
+	{0xD4CC, 0xD4CC, prH2, gcLo},     //         HANGUL SYLLABLE PWI
+	{0xD4CD, 0xD4E7, prH3, gcLo},     //    [27] HANGUL SYLLABLE PWIG..HANGUL SYLLABLE PWIH
+	{0xD4E8, 0xD4E8, prH2, gcLo},     //         HANGUL SYLLABLE PYU
+	{0xD4E9, 0xD503, prH3, gcLo},     //    [27] HANGUL SYLLABLE PYUG..HANGUL SYLLABLE PYUH
+	{0xD504, 0xD504, prH2, gcLo},     //         HANGUL SYLLABLE PEU
+	{0xD505, 0xD51F, prH3, gcLo},     //    [27] HANGUL SYLLABLE PEUG..HANGUL SYLLABLE PEUH
+	{0xD520, 0xD520, prH2, gcLo},     //         HANGUL SYLLABLE PYI
+	{0xD521, 0xD53B, prH3, gcLo},     //    [27] HANGUL SYLLABLE PYIG..HANGUL SYLLABLE PYIH
+	{0xD53C, 0xD53C, prH2, gcLo},     //         HANGUL SYLLABLE PI
+	{0xD53D, 0xD557, prH3, gcLo},     //    [27] HANGUL SYLLABLE PIG..HANGUL SYLLABLE PIH
+	{0xD558, 0xD558, prH2, gcLo},     //         HANGUL SYLLABLE HA
+	{0xD559, 0xD573, prH3, gcLo},     //    [27] HANGUL SYLLABLE HAG..HANGUL SYLLABLE HAH
+	{0xD574, 0xD574, prH2, gcLo},     //         HANGUL SYLLABLE HAE
+	{0xD575, 0xD58F, prH3, gcLo},     //    [27] HANGUL SYLLABLE HAEG..HANGUL SYLLABLE HAEH
+	{0xD590, 0xD590, prH2, gcLo},     //         HANGUL SYLLABLE HYA
+	{0xD591, 0xD5AB, prH3, gcLo},     //    [27] HANGUL SYLLABLE HYAG..HANGUL SYLLABLE HYAH
+	{0xD5AC, 0xD5AC, prH2, gcLo},     //         HANGUL SYLLABLE HYAE
+	{0xD5AD, 0xD5C7, prH3, gcLo},     //    [27] HANGUL SYLLABLE HYAEG..HANGUL SYLLABLE HYAEH
+	{0xD5C8, 0xD5C8, prH2, gcLo},     //         HANGUL SYLLABLE HEO
+	{0xD5C9, 0xD5E3, prH3, gcLo},     //    [27] HANGUL SYLLABLE HEOG..HANGUL SYLLABLE HEOH
+	{0xD5E4, 0xD5E4, prH2, gcLo},     //         HANGUL SYLLABLE HE
+	{0xD5E5, 0xD5FF, prH3, gcLo},     //    [27] HANGUL SYLLABLE HEG..HANGUL SYLLABLE HEH
+	{0xD600, 0xD600, prH2, gcLo},     //         HANGUL SYLLABLE HYEO
+	{0xD601, 0xD61B, prH3, gcLo},     //    [27] HANGUL SYLLABLE HYEOG..HANGUL SYLLABLE HYEOH
+	{0xD61C, 0xD61C, prH2, gcLo},     //         HANGUL SYLLABLE HYE
+	{0xD61D, 0xD637, prH3, gcLo},     //    [27] HANGUL SYLLABLE HYEG..HANGUL SYLLABLE HYEH
+	{0xD638, 0xD638, prH2, gcLo},     //         HANGUL SYLLABLE HO
+	{0xD639, 0xD653, prH3, gcLo},     //    [27] HANGUL SYLLABLE HOG..HANGUL SYLLABLE HOH
+	{0xD654, 0xD654, prH2, gcLo},     //         HANGUL SYLLABLE HWA
+	{0xD655, 0xD66F, prH3, gcLo},     //    [27] HANGUL SYLLABLE HWAG..HANGUL SYLLABLE HWAH
+	{0xD670, 0xD670, prH2, gcLo},     //         HANGUL SYLLABLE HWAE
+	{0xD671, 0xD68B, prH3, gcLo},     //    [27] HANGUL SYLLABLE HWAEG..HANGUL SYLLABLE HWAEH
+	{0xD68C, 0xD68C, prH2, gcLo},     //         HANGUL SYLLABLE HOE
+	{0xD68D, 0xD6A7, prH3, gcLo},     //    [27] HANGUL SYLLABLE HOEG..HANGUL SYLLABLE HOEH
+	{0xD6A8, 0xD6A8, prH2, gcLo},     //         HANGUL SYLLABLE HYO
+	{0xD6A9, 0xD6C3, prH3, gcLo},     //    [27] HANGUL SYLLABLE HYOG..HANGUL SYLLABLE HYOH
+	{0xD6C4, 0xD6C4, prH2, gcLo},     //         HANGUL SYLLABLE HU
+	{0xD6C5, 0xD6DF, prH3, gcLo},     //    [27] HANGUL SYLLABLE HUG..HANGUL SYLLABLE HUH
+	{0xD6E0, 0xD6E0, prH2, gcLo},     //         HANGUL SYLLABLE HWEO
+	{0xD6E1, 0xD6FB, prH3, gcLo},     //    [27] HANGUL SYLLABLE HWEOG..HANGUL SYLLABLE HWEOH
+	{0xD6FC, 0xD6FC, prH2, gcLo},     //         HANGUL SYLLABLE HWE
+	{0xD6FD, 0xD717, prH3, gcLo},     //    [27] HANGUL SYLLABLE HWEG..HANGUL SYLLABLE HWEH
+	{0xD718, 0xD718, prH2, gcLo},     //         HANGUL SYLLABLE HWI
+	{0xD719, 0xD733, prH3, gcLo},     //    [27] HANGUL SYLLABLE HWIG..HANGUL SYLLABLE HWIH
+	{0xD734, 0xD734, prH2, gcLo},     //         HANGUL SYLLABLE HYU
+	{0xD735, 0xD74F, prH3, gcLo},     //    [27] HANGUL SYLLABLE HYUG..HANGUL SYLLABLE HYUH
+	{0xD750, 0xD750, prH2, gcLo},     //         HANGUL SYLLABLE HEU
+	{0xD751, 0xD76B, prH3, gcLo},     //    [27] HANGUL SYLLABLE HEUG..HANGUL SYLLABLE HEUH
+	{0xD76C, 0xD76C, prH2, gcLo},     //         HANGUL SYLLABLE HYI
+	{0xD76D, 0xD787, prH3, gcLo},     //    [27] HANGUL SYLLABLE HYIG..HANGUL SYLLABLE HYIH
+	{0xD788, 0xD788, prH2, gcLo},     //         HANGUL SYLLABLE HI
+	{0xD789, 0xD7A3, prH3, gcLo},     //    [27] HANGUL SYLLABLE HIG..HANGUL SYLLABLE HIH
+	{0xD7B0, 0xD7C6, prJV, gcLo},     //    [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E
+	{0xD7CB, 0xD7FB, prJT, gcLo},     //    [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH
+	{0xD800, 0xDB7F, prSG, gcCs},     //   [896] <surrogate-D800>..<surrogate-DB7F>
+	{0xDB80, 0xDBFF, prSG, gcCs},     //   [128] <surrogate-DB80>..<surrogate-DBFF>
+	{0xDC00, 0xDFFF, prSG, gcCs},     //  [1024] <surrogate-DC00>..<surrogate-DFFF>
+	{0xE000, 0xF8FF, prXX, gcCo},     //  [6400] <private-use-E000>..<private-use-F8FF>
+	{0xF900, 0xFA6D, prID, gcLo},     //   [366] CJK COMPATIBILITY IDEOGRAPH-F900..CJK COMPATIBILITY IDEOGRAPH-FA6D
+	{0xFA6E, 0xFA6F, prID, gcCn},     //     [2] <reserved-FA6E>..<reserved-FA6F>
+	{0xFA70, 0xFAD9, prID, gcLo},     //   [106] CJK COMPATIBILITY IDEOGRAPH-FA70..CJK COMPATIBILITY IDEOGRAPH-FAD9
+	{0xFADA, 0xFAFF, prID, gcCn},     //    [38] <reserved-FADA>..<reserved-FAFF>
+	{0xFB00, 0xFB06, prAL, gcLl},     //     [7] LATIN SMALL LIGATURE FF..LATIN SMALL LIGATURE ST
+	{0xFB13, 0xFB17, prAL, gcLl},     //     [5] ARMENIAN SMALL LIGATURE MEN NOW..ARMENIAN SMALL LIGATURE MEN XEH
+	{0xFB1D, 0xFB1D, prHL, gcLo},     //         HEBREW LETTER YOD WITH HIRIQ
+	{0xFB1E, 0xFB1E, prCM, gcMn},     //         HEBREW POINT JUDEO-SPANISH VARIKA
+	{0xFB1F, 0xFB28, prHL, gcLo},     //    [10] HEBREW LIGATURE YIDDISH YOD YOD PATAH..HEBREW LETTER WIDE TAV
+	{0xFB29, 0xFB29, prAL, gcSm},     //         HEBREW LETTER ALTERNATIVE PLUS SIGN
+	{0xFB2A, 0xFB36, prHL, gcLo},     //    [13] HEBREW LETTER SHIN WITH SHIN DOT..HEBREW LETTER ZAYIN WITH DAGESH
+	{0xFB38, 0xFB3C, prHL, gcLo},     //     [5] HEBREW LETTER TET WITH DAGESH..HEBREW LETTER LAMED WITH DAGESH
+	{0xFB3E, 0xFB3E, prHL, gcLo},     //         HEBREW LETTER MEM WITH DAGESH
+	{0xFB40, 0xFB41, prHL, gcLo},     //     [2] HEBREW LETTER NUN WITH DAGESH..HEBREW LETTER SAMEKH WITH DAGESH
+	{0xFB43, 0xFB44, prHL, gcLo},     //     [2] HEBREW LETTER FINAL PE WITH DAGESH..HEBREW LETTER PE WITH DAGESH
+	{0xFB46, 0xFB4F, prHL, gcLo},     //    [10] HEBREW LETTER TSADI WITH DAGESH..HEBREW LIGATURE ALEF LAMED
+	{0xFB50, 0xFBB1, prAL, gcLo},     //    [98] ARABIC LETTER ALEF WASLA ISOLATED FORM..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE FINAL FORM
+	{0xFBB2, 0xFBC2, prAL, gcSk},     //    [17] ARABIC SYMBOL DOT ABOVE..ARABIC SYMBOL WASLA ABOVE
+	{0xFBD3, 0xFD3D, prAL, gcLo},     //   [363] ARABIC LETTER NG ISOLATED FORM..ARABIC LIGATURE ALEF WITH FATHATAN ISOLATED FORM
+	{0xFD3E, 0xFD3E, prCL, gcPe},     //         ORNATE LEFT PARENTHESIS
+	{0xFD3F, 0xFD3F, prOP, gcPs},     //         ORNATE RIGHT PARENTHESIS
+	{0xFD40, 0xFD4F, prAL, gcSo},     //    [16] ARABIC LIGATURE RAHIMAHU ALLAAH..ARABIC LIGATURE RAHIMAHUM ALLAAH
+	{0xFD50, 0xFD8F, prAL, gcLo},     //    [64] ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM..ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM
+	{0xFD92, 0xFDC7, prAL, gcLo},     //    [54] ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM..ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM
+	{0xFDCF, 0xFDCF, prAL, gcSo},     //         ARABIC LIGATURE SALAAMUHU ALAYNAA
+	{0xFDF0, 0xFDFB, prAL, gcLo},     //    [12] ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM..ARABIC LIGATURE JALLAJALALOUHOU
+	{0xFDFC, 0xFDFC, prPO, gcSc},     //         RIAL SIGN
+	{0xFDFD, 0xFDFF, prAL, gcSo},     //     [3] ARABIC LIGATURE BISMILLAH AR-RAHMAN AR-RAHEEM..ARABIC LIGATURE AZZA WA JALL
+	{0xFE00, 0xFE0F, prCM, gcMn},     //    [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16
+	{0xFE10, 0xFE10, prIS, gcPo},     //         PRESENTATION FORM FOR VERTICAL COMMA
+	{0xFE11, 0xFE12, prCL, gcPo},     //     [2] PRESENTATION FORM FOR VERTICAL IDEOGRAPHIC COMMA..PRESENTATION FORM FOR VERTICAL IDEOGRAPHIC FULL STOP
+	{0xFE13, 0xFE14, prIS, gcPo},     //     [2] PRESENTATION FORM FOR VERTICAL COLON..PRESENTATION FORM FOR VERTICAL SEMICOLON
+	{0xFE15, 0xFE16, prEX, gcPo},     //     [2] PRESENTATION FORM FOR VERTICAL EXCLAMATION MARK..PRESENTATION FORM FOR VERTICAL QUESTION MARK
+	{0xFE17, 0xFE17, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT WHITE LENTICULAR BRACKET
+	{0xFE18, 0xFE18, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT WHITE LENTICULAR BRAKCET
+	{0xFE19, 0xFE19, prIN, gcPo},     //         PRESENTATION FORM FOR VERTICAL HORIZONTAL ELLIPSIS
+	{0xFE20, 0xFE2F, prCM, gcMn},     //    [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF
+	{0xFE30, 0xFE30, prID, gcPo},     //         PRESENTATION FORM FOR VERTICAL TWO DOT LEADER
+	{0xFE31, 0xFE32, prID, gcPd},     //     [2] PRESENTATION FORM FOR VERTICAL EM DASH..PRESENTATION FORM FOR VERTICAL EN DASH
+	{0xFE33, 0xFE34, prID, gcPc},     //     [2] PRESENTATION FORM FOR VERTICAL LOW LINE..PRESENTATION FORM FOR VERTICAL WAVY LOW LINE
+	{0xFE35, 0xFE35, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT PARENTHESIS
+	{0xFE36, 0xFE36, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT PARENTHESIS
+	{0xFE37, 0xFE37, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT CURLY BRACKET
+	{0xFE38, 0xFE38, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT CURLY BRACKET
+	{0xFE39, 0xFE39, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT TORTOISE SHELL BRACKET
+	{0xFE3A, 0xFE3A, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT TORTOISE SHELL BRACKET
+	{0xFE3B, 0xFE3B, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT BLACK LENTICULAR BRACKET
+	{0xFE3C, 0xFE3C, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT BLACK LENTICULAR BRACKET
+	{0xFE3D, 0xFE3D, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT DOUBLE ANGLE BRACKET
+	{0xFE3E, 0xFE3E, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT DOUBLE ANGLE BRACKET
+	{0xFE3F, 0xFE3F, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT ANGLE BRACKET
+	{0xFE40, 0xFE40, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT ANGLE BRACKET
+	{0xFE41, 0xFE41, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT CORNER BRACKET
+	{0xFE42, 0xFE42, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT CORNER BRACKET
+	{0xFE43, 0xFE43, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT WHITE CORNER BRACKET
+	{0xFE44, 0xFE44, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT WHITE CORNER BRACKET
+	{0xFE45, 0xFE46, prID, gcPo},     //     [2] SESAME DOT..WHITE SESAME DOT
+	{0xFE47, 0xFE47, prOP, gcPs},     //         PRESENTATION FORM FOR VERTICAL LEFT SQUARE BRACKET
+	{0xFE48, 0xFE48, prCL, gcPe},     //         PRESENTATION FORM FOR VERTICAL RIGHT SQUARE BRACKET
+	{0xFE49, 0xFE4C, prID, gcPo},     //     [4] DASHED OVERLINE..DOUBLE WAVY OVERLINE
+	{0xFE4D, 0xFE4F, prID, gcPc},     //     [3] DASHED LOW LINE..WAVY LOW LINE
+	{0xFE50, 0xFE50, prCL, gcPo},     //         SMALL COMMA
+	{0xFE51, 0xFE51, prID, gcPo},     //         SMALL IDEOGRAPHIC COMMA
+	{0xFE52, 0xFE52, prCL, gcPo},     //         SMALL FULL STOP
+	{0xFE54, 0xFE55, prNS, gcPo},     //     [2] SMALL SEMICOLON..SMALL COLON
+	{0xFE56, 0xFE57, prEX, gcPo},     //     [2] SMALL QUESTION MARK..SMALL EXCLAMATION MARK
+	{0xFE58, 0xFE58, prID, gcPd},     //         SMALL EM DASH
+	{0xFE59, 0xFE59, prOP, gcPs},     //         SMALL LEFT PARENTHESIS
+	{0xFE5A, 0xFE5A, prCL, gcPe},     //         SMALL RIGHT PARENTHESIS
+	{0xFE5B, 0xFE5B, prOP, gcPs},     //         SMALL LEFT CURLY BRACKET
+	{0xFE5C, 0xFE5C, prCL, gcPe},     //         SMALL RIGHT CURLY BRACKET
+	{0xFE5D, 0xFE5D, prOP, gcPs},     //         SMALL LEFT TORTOISE SHELL BRACKET
+	{0xFE5E, 0xFE5E, prCL, gcPe},     //         SMALL RIGHT TORTOISE SHELL BRACKET
+	{0xFE5F, 0xFE61, prID, gcPo},     //     [3] SMALL NUMBER SIGN..SMALL ASTERISK
+	{0xFE62, 0xFE62, prID, gcSm},     //         SMALL PLUS SIGN
+	{0xFE63, 0xFE63, prID, gcPd},     //         SMALL HYPHEN-MINUS
+	{0xFE64, 0xFE66, prID, gcSm},     //     [3] SMALL LESS-THAN SIGN..SMALL EQUALS SIGN
+	{0xFE68, 0xFE68, prID, gcPo},     //         SMALL REVERSE SOLIDUS
+	{0xFE69, 0xFE69, prPR, gcSc},     //         SMALL DOLLAR SIGN
+	{0xFE6A, 0xFE6A, prPO, gcPo},     //         SMALL PERCENT SIGN
+	{0xFE6B, 0xFE6B, prID, gcPo},     //         SMALL COMMERCIAL AT
+	{0xFE70, 0xFE74, prAL, gcLo},     //     [5] ARABIC FATHATAN ISOLATED FORM..ARABIC KASRATAN ISOLATED FORM
+	{0xFE76, 0xFEFC, prAL, gcLo},     //   [135] ARABIC FATHA ISOLATED FORM..ARABIC LIGATURE LAM WITH ALEF FINAL FORM
+	{0xFEFF, 0xFEFF, prWJ, gcCf},     //         ZERO WIDTH NO-BREAK SPACE
+	{0xFF01, 0xFF01, prEX, gcPo},     //         FULLWIDTH EXCLAMATION MARK
+	{0xFF02, 0xFF03, prID, gcPo},     //     [2] FULLWIDTH QUOTATION MARK..FULLWIDTH NUMBER SIGN
+	{0xFF04, 0xFF04, prPR, gcSc},     //         FULLWIDTH DOLLAR SIGN
+	{0xFF05, 0xFF05, prPO, gcPo},     //         FULLWIDTH PERCENT SIGN
+	{0xFF06, 0xFF07, prID, gcPo},     //     [2] FULLWIDTH AMPERSAND..FULLWIDTH APOSTROPHE
+	{0xFF08, 0xFF08, prOP, gcPs},     //         FULLWIDTH LEFT PARENTHESIS
+	{0xFF09, 0xFF09, prCL, gcPe},     //         FULLWIDTH RIGHT PARENTHESIS
+	{0xFF0A, 0xFF0A, prID, gcPo},     //         FULLWIDTH ASTERISK
+	{0xFF0B, 0xFF0B, prID, gcSm},     //         FULLWIDTH PLUS SIGN
+	{0xFF0C, 0xFF0C, prCL, gcPo},     //         FULLWIDTH COMMA
+	{0xFF0D, 0xFF0D, prID, gcPd},     //         FULLWIDTH HYPHEN-MINUS
+	{0xFF0E, 0xFF0E, prCL, gcPo},     //         FULLWIDTH FULL STOP
+	{0xFF0F, 0xFF0F, prID, gcPo},     //         FULLWIDTH SOLIDUS
+	{0xFF10, 0xFF19, prID, gcNd},     //    [10] FULLWIDTH DIGIT ZERO..FULLWIDTH DIGIT NINE
+	{0xFF1A, 0xFF1B, prNS, gcPo},     //     [2] FULLWIDTH COLON..FULLWIDTH SEMICOLON
+	{0xFF1C, 0xFF1E, prID, gcSm},     //     [3] FULLWIDTH LESS-THAN SIGN..FULLWIDTH GREATER-THAN SIGN
+	{0xFF1F, 0xFF1F, prEX, gcPo},     //         FULLWIDTH QUESTION MARK
+	{0xFF20, 0xFF20, prID, gcPo},     //         FULLWIDTH COMMERCIAL AT
+	{0xFF21, 0xFF3A, prID, gcLu},     //    [26] FULLWIDTH LATIN CAPITAL LETTER A..FULLWIDTH LATIN CAPITAL LETTER Z
+	{0xFF3B, 0xFF3B, prOP, gcPs},     //         FULLWIDTH LEFT SQUARE BRACKET
+	{0xFF3C, 0xFF3C, prID, gcPo},     //         FULLWIDTH REVERSE SOLIDUS
+	{0xFF3D, 0xFF3D, prCL, gcPe},     //         FULLWIDTH RIGHT SQUARE BRACKET
+	{0xFF3E, 0xFF3E, prID, gcSk},     //         FULLWIDTH CIRCUMFLEX ACCENT
+	{0xFF3F, 0xFF3F, prID, gcPc},     //         FULLWIDTH LOW LINE
+	{0xFF40, 0xFF40, prID, gcSk},     //         FULLWIDTH GRAVE ACCENT
+	{0xFF41, 0xFF5A, prID, gcLl},     //    [26] FULLWIDTH LATIN SMALL LETTER A..FULLWIDTH LATIN SMALL LETTER Z
+	{0xFF5B, 0xFF5B, prOP, gcPs},     //         FULLWIDTH LEFT CURLY BRACKET
+	{0xFF5C, 0xFF5C, prID, gcSm},     //         FULLWIDTH VERTICAL LINE
+	{0xFF5D, 0xFF5D, prCL, gcPe},     //         FULLWIDTH RIGHT CURLY BRACKET
+	{0xFF5E, 0xFF5E, prID, gcSm},     //         FULLWIDTH TILDE
+	{0xFF5F, 0xFF5F, prOP, gcPs},     //         FULLWIDTH LEFT WHITE PARENTHESIS
+	{0xFF60, 0xFF60, prCL, gcPe},     //         FULLWIDTH RIGHT WHITE PARENTHESIS
+	{0xFF61, 0xFF61, prCL, gcPo},     //         HALFWIDTH IDEOGRAPHIC FULL STOP
+	{0xFF62, 0xFF62, prOP, gcPs},     //         HALFWIDTH LEFT CORNER BRACKET
+	{0xFF63, 0xFF63, prCL, gcPe},     //         HALFWIDTH RIGHT CORNER BRACKET
+	{0xFF64, 0xFF64, prCL, gcPo},     //         HALFWIDTH IDEOGRAPHIC COMMA
+	{0xFF65, 0xFF65, prNS, gcPo},     //         HALFWIDTH KATAKANA MIDDLE DOT
+	{0xFF66, 0xFF66, prID, gcLo},     //         HALFWIDTH KATAKANA LETTER WO
+	{0xFF67, 0xFF6F, prCJ, gcLo},     //     [9] HALFWIDTH KATAKANA LETTER SMALL A..HALFWIDTH KATAKANA LETTER SMALL TU
+	{0xFF70, 0xFF70, prCJ, gcLm},     //         HALFWIDTH KATAKANA-HIRAGANA PROLONGED SOUND MARK
+	{0xFF71, 0xFF9D, prID, gcLo},     //    [45] HALFWIDTH KATAKANA LETTER A..HALFWIDTH KATAKANA LETTER N
+	{0xFF9E, 0xFF9F, prNS, gcLm},     //     [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK
+	{0xFFA0, 0xFFBE, prID, gcLo},     //    [31] HALFWIDTH HANGUL FILLER..HALFWIDTH HANGUL LETTER HIEUH
+	{0xFFC2, 0xFFC7, prID, gcLo},     //     [6] HALFWIDTH HANGUL LETTER A..HALFWIDTH HANGUL LETTER E
+	{0xFFCA, 0xFFCF, prID, gcLo},     //     [6] HALFWIDTH HANGUL LETTER YEO..HALFWIDTH HANGUL LETTER OE
+	{0xFFD2, 0xFFD7, prID, gcLo},     //     [6] HALFWIDTH HANGUL LETTER YO..HALFWIDTH HANGUL LETTER YU
+	{0xFFDA, 0xFFDC, prID, gcLo},     //     [3] HALFWIDTH HANGUL LETTER EU..HALFWIDTH HANGUL LETTER I
+	{0xFFE0, 0xFFE0, prPO, gcSc},     //         FULLWIDTH CENT SIGN
+	{0xFFE1, 0xFFE1, prPR, gcSc},     //         FULLWIDTH POUND SIGN
+	{0xFFE2, 0xFFE2, prID, gcSm},     //         FULLWIDTH NOT SIGN
+	{0xFFE3, 0xFFE3, prID, gcSk},     //         FULLWIDTH MACRON
+	{0xFFE4, 0xFFE4, prID, gcSo},     //         FULLWIDTH BROKEN BAR
+	{0xFFE5, 0xFFE6, prPR, gcSc},     //     [2] FULLWIDTH YEN SIGN..FULLWIDTH WON SIGN
+	{0xFFE8, 0xFFE8, prAL, gcSo},     //         HALFWIDTH FORMS LIGHT VERTICAL
+	{0xFFE9, 0xFFEC, prAL, gcSm},     //     [4] HALFWIDTH LEFTWARDS ARROW..HALFWIDTH DOWNWARDS ARROW
+	{0xFFED, 0xFFEE, prAL, gcSo},     //     [2] HALFWIDTH BLACK SQUARE..HALFWIDTH WHITE CIRCLE
+	{0xFFF9, 0xFFFB, prCM, gcCf},     //     [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR
+	{0xFFFC, 0xFFFC, prCB, gcSo},     //         OBJECT REPLACEMENT CHARACTER
+	{0xFFFD, 0xFFFD, prAI, gcSo},     //         REPLACEMENT CHARACTER
+	{0x10000, 0x1000B, prAL, gcLo},   //    [12] LINEAR B SYLLABLE B008 A..LINEAR B SYLLABLE B046 JE
+	{0x1000D, 0x10026, prAL, gcLo},   //    [26] LINEAR B SYLLABLE B036 JO..LINEAR B SYLLABLE B032 QO
+	{0x10028, 0x1003A, prAL, gcLo},   //    [19] LINEAR B SYLLABLE B060 RA..LINEAR B SYLLABLE B042 WO
+	{0x1003C, 0x1003D, prAL, gcLo},   //     [2] LINEAR B SYLLABLE B017 ZA..LINEAR B SYLLABLE B074 ZE
+	{0x1003F, 0x1004D, prAL, gcLo},   //    [15] LINEAR B SYLLABLE B020 ZO..LINEAR B SYLLABLE B091 TWO
+	{0x10050, 0x1005D, prAL, gcLo},   //    [14] LINEAR B SYMBOL B018..LINEAR B SYMBOL B089
+	{0x10080, 0x100FA, prAL, gcLo},   //   [123] LINEAR B IDEOGRAM B100 MAN..LINEAR B IDEOGRAM VESSEL B305
+	{0x10100, 0x10102, prBA, gcPo},   //     [3] AEGEAN WORD SEPARATOR LINE..AEGEAN CHECK MARK
+	{0x10107, 0x10133, prAL, gcNo},   //    [45] AEGEAN NUMBER ONE..AEGEAN NUMBER NINETY THOUSAND
+	{0x10137, 0x1013F, prAL, gcSo},   //     [9] AEGEAN WEIGHT BASE UNIT..AEGEAN MEASURE THIRD SUBUNIT
+	{0x10140, 0x10174, prAL, gcNl},   //    [53] GREEK ACROPHONIC ATTIC ONE QUARTER..GREEK ACROPHONIC STRATIAN FIFTY MNAS
+	{0x10175, 0x10178, prAL, gcNo},   //     [4] GREEK ONE HALF SIGN..GREEK THREE QUARTERS SIGN
+	{0x10179, 0x10189, prAL, gcSo},   //    [17] GREEK YEAR SIGN..GREEK TRYBLION BASE SIGN
+	{0x1018A, 0x1018B, prAL, gcNo},   //     [2] GREEK ZERO SIGN..GREEK ONE QUARTER SIGN
+	{0x1018C, 0x1018E, prAL, gcSo},   //     [3] GREEK SINUSOID SIGN..NOMISMA SIGN
+	{0x10190, 0x1019C, prAL, gcSo},   //    [13] ROMAN SEXTANS SIGN..ASCIA SYMBOL
+	{0x101A0, 0x101A0, prAL, gcSo},   //         GREEK SYMBOL TAU RHO
+	{0x101D0, 0x101FC, prAL, gcSo},   //    [45] PHAISTOS DISC SIGN PEDESTRIAN..PHAISTOS DISC SIGN WAVY BAND
+	{0x101FD, 0x101FD, prCM, gcMn},   //         PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE
+	{0x10280, 0x1029C, prAL, gcLo},   //    [29] LYCIAN LETTER A..LYCIAN LETTER X
+	{0x102A0, 0x102D0, prAL, gcLo},   //    [49] CARIAN LETTER A..CARIAN LETTER UUU3
+	{0x102E0, 0x102E0, prCM, gcMn},   //         COPTIC EPACT THOUSANDS MARK
+	{0x102E1, 0x102FB, prAL, gcNo},   //    [27] COPTIC EPACT DIGIT ONE..COPTIC EPACT NUMBER NINE HUNDRED
+	{0x10300, 0x1031F, prAL, gcLo},   //    [32] OLD ITALIC LETTER A..OLD ITALIC LETTER ESS
+	{0x10320, 0x10323, prAL, gcNo},   //     [4] OLD ITALIC NUMERAL ONE..OLD ITALIC NUMERAL FIFTY
+	{0x1032D, 0x1032F, prAL, gcLo},   //     [3] OLD ITALIC LETTER YE..OLD ITALIC LETTER SOUTHERN TSE
+	{0x10330, 0x10340, prAL, gcLo},   //    [17] GOTHIC LETTER AHSA..GOTHIC LETTER PAIRTHRA
+	{0x10341, 0x10341, prAL, gcNl},   //         GOTHIC LETTER NINETY
+	{0x10342, 0x10349, prAL, gcLo},   //     [8] GOTHIC LETTER RAIDA..GOTHIC LETTER OTHAL
+	{0x1034A, 0x1034A, prAL, gcNl},   //         GOTHIC LETTER NINE HUNDRED
+	{0x10350, 0x10375, prAL, gcLo},   //    [38] OLD PERMIC LETTER AN..OLD PERMIC LETTER IA
+	{0x10376, 0x1037A, prCM, gcMn},   //     [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII
+	{0x10380, 0x1039D, prAL, gcLo},   //    [30] UGARITIC LETTER ALPA..UGARITIC LETTER SSU
+	{0x1039F, 0x1039F, prBA, gcPo},   //         UGARITIC WORD DIVIDER
+	{0x103A0, 0x103C3, prAL, gcLo},   //    [36] OLD PERSIAN SIGN A..OLD PERSIAN SIGN HA
+	{0x103C8, 0x103CF, prAL, gcLo},   //     [8] OLD PERSIAN SIGN AURAMAZDAA..OLD PERSIAN SIGN BUUMISH
+	{0x103D0, 0x103D0, prBA, gcPo},   //         OLD PERSIAN WORD DIVIDER
+	{0x103D1, 0x103D5, prAL, gcNl},   //     [5] OLD PERSIAN NUMBER ONE..OLD PERSIAN NUMBER HUNDRED
+	{0x10400, 0x1044F, prAL, gcLC},   //    [80] DESERET CAPITAL LETTER LONG I..DESERET SMALL LETTER EW
+	{0x10450, 0x1047F, prAL, gcLo},   //    [48] SHAVIAN LETTER PEEP..SHAVIAN LETTER YEW
+	{0x10480, 0x1049D, prAL, gcLo},   //    [30] OSMANYA LETTER ALEF..OSMANYA LETTER OO
+	{0x104A0, 0x104A9, prNU, gcNd},   //    [10] OSMANYA DIGIT ZERO..OSMANYA DIGIT NINE
+	{0x104B0, 0x104D3, prAL, gcLu},   //    [36] OSAGE CAPITAL LETTER A..OSAGE CAPITAL LETTER ZHA
+	{0x104D8, 0x104FB, prAL, gcLl},   //    [36] OSAGE SMALL LETTER A..OSAGE SMALL LETTER ZHA
+	{0x10500, 0x10527, prAL, gcLo},   //    [40] ELBASAN LETTER A..ELBASAN LETTER KHE
+	{0x10530, 0x10563, prAL, gcLo},   //    [52] CAUCASIAN ALBANIAN LETTER ALT..CAUCASIAN ALBANIAN LETTER KIW
+	{0x1056F, 0x1056F, prAL, gcPo},   //         CAUCASIAN ALBANIAN CITATION MARK
+	{0x10570, 0x1057A, prAL, gcLu},   //    [11] VITHKUQI CAPITAL LETTER A..VITHKUQI CAPITAL LETTER GA
+	{0x1057C, 0x1058A, prAL, gcLu},   //    [15] VITHKUQI CAPITAL LETTER HA..VITHKUQI CAPITAL LETTER RE
+	{0x1058C, 0x10592, prAL, gcLu},   //     [7] VITHKUQI CAPITAL LETTER SE..VITHKUQI CAPITAL LETTER XE
+	{0x10594, 0x10595, prAL, gcLu},   //     [2] VITHKUQI CAPITAL LETTER Y..VITHKUQI CAPITAL LETTER ZE
+	{0x10597, 0x105A1, prAL, gcLl},   //    [11] VITHKUQI SMALL LETTER A..VITHKUQI SMALL LETTER GA
+	{0x105A3, 0x105B1, prAL, gcLl},   //    [15] VITHKUQI SMALL LETTER HA..VITHKUQI SMALL LETTER RE
+	{0x105B3, 0x105B9, prAL, gcLl},   //     [7] VITHKUQI SMALL LETTER SE..VITHKUQI SMALL LETTER XE
+	{0x105BB, 0x105BC, prAL, gcLl},   //     [2] VITHKUQI SMALL LETTER Y..VITHKUQI SMALL LETTER ZE
+	{0x10600, 0x10736, prAL, gcLo},   //   [311] LINEAR A SIGN AB001..LINEAR A SIGN A664
+	{0x10740, 0x10755, prAL, gcLo},   //    [22] LINEAR A SIGN A701 A..LINEAR A SIGN A732 JE
+	{0x10760, 0x10767, prAL, gcLo},   //     [8] LINEAR A SIGN A800..LINEAR A SIGN A807
+	{0x10780, 0x10785, prAL, gcLm},   //     [6] MODIFIER LETTER SMALL CAPITAL AA..MODIFIER LETTER SMALL B WITH HOOK
+	{0x10787, 0x107B0, prAL, gcLm},   //    [42] MODIFIER LETTER SMALL DZ DIGRAPH..MODIFIER LETTER SMALL V WITH RIGHT HOOK
+	{0x107B2, 0x107BA, prAL, gcLm},   //     [9] MODIFIER LETTER SMALL CAPITAL Y..MODIFIER LETTER SMALL S WITH CURL
+	{0x10800, 0x10805, prAL, gcLo},   //     [6] CYPRIOT SYLLABLE A..CYPRIOT SYLLABLE JA
+	{0x10808, 0x10808, prAL, gcLo},   //         CYPRIOT SYLLABLE JO
+	{0x1080A, 0x10835, prAL, gcLo},   //    [44] CYPRIOT SYLLABLE KA..CYPRIOT SYLLABLE WO
+	{0x10837, 0x10838, prAL, gcLo},   //     [2] CYPRIOT SYLLABLE XA..CYPRIOT SYLLABLE XE
+	{0x1083C, 0x1083C, prAL, gcLo},   //         CYPRIOT SYLLABLE ZA
+	{0x1083F, 0x1083F, prAL, gcLo},   //         CYPRIOT SYLLABLE ZO
+	{0x10840, 0x10855, prAL, gcLo},   //    [22] IMPERIAL ARAMAIC LETTER ALEPH..IMPERIAL ARAMAIC LETTER TAW
+	{0x10857, 0x10857, prBA, gcPo},   //         IMPERIAL ARAMAIC SECTION SIGN
+	{0x10858, 0x1085F, prAL, gcNo},   //     [8] IMPERIAL ARAMAIC NUMBER ONE..IMPERIAL ARAMAIC NUMBER TEN THOUSAND
+	{0x10860, 0x10876, prAL, gcLo},   //    [23] PALMYRENE LETTER ALEPH..PALMYRENE LETTER TAW
+	{0x10877, 0x10878, prAL, gcSo},   //     [2] PALMYRENE LEFT-POINTING FLEURON..PALMYRENE RIGHT-POINTING FLEURON
+	{0x10879, 0x1087F, prAL, gcNo},   //     [7] PALMYRENE NUMBER ONE..PALMYRENE NUMBER TWENTY
+	{0x10880, 0x1089E, prAL, gcLo},   //    [31] NABATAEAN LETTER FINAL ALEPH..NABATAEAN LETTER TAW
+	{0x108A7, 0x108AF, prAL, gcNo},   //     [9] NABATAEAN NUMBER ONE..NABATAEAN NUMBER ONE HUNDRED
+	{0x108E0, 0x108F2, prAL, gcLo},   //    [19] HATRAN LETTER ALEPH..HATRAN LETTER QOPH
+	{0x108F4, 0x108F5, prAL, gcLo},   //     [2] HATRAN LETTER SHIN..HATRAN LETTER TAW
+	{0x108FB, 0x108FF, prAL, gcNo},   //     [5] HATRAN NUMBER ONE..HATRAN NUMBER ONE HUNDRED
+	{0x10900, 0x10915, prAL, gcLo},   //    [22] PHOENICIAN LETTER ALF..PHOENICIAN LETTER TAU
+	{0x10916, 0x1091B, prAL, gcNo},   //     [6] PHOENICIAN NUMBER ONE..PHOENICIAN NUMBER THREE
+	{0x1091F, 0x1091F, prBA, gcPo},   //         PHOENICIAN WORD SEPARATOR
+	{0x10920, 0x10939, prAL, gcLo},   //    [26] LYDIAN LETTER A..LYDIAN LETTER C
+	{0x1093F, 0x1093F, prAL, gcPo},   //         LYDIAN TRIANGULAR MARK
+	{0x10980, 0x1099F, prAL, gcLo},   //    [32] MEROITIC HIEROGLYPHIC LETTER A..MEROITIC HIEROGLYPHIC SYMBOL VIDJ-2
+	{0x109A0, 0x109B7, prAL, gcLo},   //    [24] MEROITIC CURSIVE LETTER A..MEROITIC CURSIVE LETTER DA
+	{0x109BC, 0x109BD, prAL, gcNo},   //     [2] MEROITIC CURSIVE FRACTION ELEVEN TWELFTHS..MEROITIC CURSIVE FRACTION ONE HALF
+	{0x109BE, 0x109BF, prAL, gcLo},   //     [2] MEROITIC CURSIVE LOGOGRAM RMT..MEROITIC CURSIVE LOGOGRAM IMN
+	{0x109C0, 0x109CF, prAL, gcNo},   //    [16] MEROITIC CURSIVE NUMBER ONE..MEROITIC CURSIVE NUMBER SEVENTY
+	{0x109D2, 0x109FF, prAL, gcNo},   //    [46] MEROITIC CURSIVE NUMBER ONE HUNDRED..MEROITIC CURSIVE FRACTION TEN TWELFTHS
+	{0x10A00, 0x10A00, prAL, gcLo},   //         KHAROSHTHI LETTER A
+	{0x10A01, 0x10A03, prCM, gcMn},   //     [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R
+	{0x10A05, 0x10A06, prCM, gcMn},   //     [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O
+	{0x10A0C, 0x10A0F, prCM, gcMn},   //     [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA
+	{0x10A10, 0x10A13, prAL, gcLo},   //     [4] KHAROSHTHI LETTER KA..KHAROSHTHI LETTER GHA
+	{0x10A15, 0x10A17, prAL, gcLo},   //     [3] KHAROSHTHI LETTER CA..KHAROSHTHI LETTER JA
+	{0x10A19, 0x10A35, prAL, gcLo},   //    [29] KHAROSHTHI LETTER NYA..KHAROSHTHI LETTER VHA
+	{0x10A38, 0x10A3A, prCM, gcMn},   //     [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW
+	{0x10A3F, 0x10A3F, prCM, gcMn},   //         KHAROSHTHI VIRAMA
+	{0x10A40, 0x10A48, prAL, gcNo},   //     [9] KHAROSHTHI DIGIT ONE..KHAROSHTHI FRACTION ONE HALF
+	{0x10A50, 0x10A57, prBA, gcPo},   //     [8] KHAROSHTHI PUNCTUATION DOT..KHAROSHTHI PUNCTUATION DOUBLE DANDA
+	{0x10A58, 0x10A58, prAL, gcPo},   //         KHAROSHTHI PUNCTUATION LINES
+	{0x10A60, 0x10A7C, prAL, gcLo},   //    [29] OLD SOUTH ARABIAN LETTER HE..OLD SOUTH ARABIAN LETTER THETH
+	{0x10A7D, 0x10A7E, prAL, gcNo},   //     [2] OLD SOUTH ARABIAN NUMBER ONE..OLD SOUTH ARABIAN NUMBER FIFTY
+	{0x10A7F, 0x10A7F, prAL, gcPo},   //         OLD SOUTH ARABIAN NUMERIC INDICATOR
+	{0x10A80, 0x10A9C, prAL, gcLo},   //    [29] OLD NORTH ARABIAN LETTER HEH..OLD NORTH ARABIAN LETTER ZAH
+	{0x10A9D, 0x10A9F, prAL, gcNo},   //     [3] OLD NORTH ARABIAN NUMBER ONE..OLD NORTH ARABIAN NUMBER TWENTY
+	{0x10AC0, 0x10AC7, prAL, gcLo},   //     [8] MANICHAEAN LETTER ALEPH..MANICHAEAN LETTER WAW
+	{0x10AC8, 0x10AC8, prAL, gcSo},   //         MANICHAEAN SIGN UD
+	{0x10AC9, 0x10AE4, prAL, gcLo},   //    [28] MANICHAEAN LETTER ZAYIN..MANICHAEAN LETTER TAW
+	{0x10AE5, 0x10AE6, prCM, gcMn},   //     [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW
+	{0x10AEB, 0x10AEF, prAL, gcNo},   //     [5] MANICHAEAN NUMBER ONE..MANICHAEAN NUMBER ONE HUNDRED
+	{0x10AF0, 0x10AF5, prBA, gcPo},   //     [6] MANICHAEAN PUNCTUATION STAR..MANICHAEAN PUNCTUATION TWO DOTS
+	{0x10AF6, 0x10AF6, prIN, gcPo},   //         MANICHAEAN PUNCTUATION LINE FILLER
+	{0x10B00, 0x10B35, prAL, gcLo},   //    [54] AVESTAN LETTER A..AVESTAN LETTER HE
+	{0x10B39, 0x10B3F, prBA, gcPo},   //     [7] AVESTAN ABBREVIATION MARK..LARGE ONE RING OVER TWO RINGS PUNCTUATION
+	{0x10B40, 0x10B55, prAL, gcLo},   //    [22] INSCRIPTIONAL PARTHIAN LETTER ALEPH..INSCRIPTIONAL PARTHIAN LETTER TAW
+	{0x10B58, 0x10B5F, prAL, gcNo},   //     [8] INSCRIPTIONAL PARTHIAN NUMBER ONE..INSCRIPTIONAL PARTHIAN NUMBER ONE THOUSAND
+	{0x10B60, 0x10B72, prAL, gcLo},   //    [19] INSCRIPTIONAL PAHLAVI LETTER ALEPH..INSCRIPTIONAL PAHLAVI LETTER TAW
+	{0x10B78, 0x10B7F, prAL, gcNo},   //     [8] INSCRIPTIONAL PAHLAVI NUMBER ONE..INSCRIPTIONAL PAHLAVI NUMBER ONE THOUSAND
+	{0x10B80, 0x10B91, prAL, gcLo},   //    [18] PSALTER PAHLAVI LETTER ALEPH..PSALTER PAHLAVI LETTER TAW
+	{0x10B99, 0x10B9C, prAL, gcPo},   //     [4] PSALTER PAHLAVI SECTION MARK..PSALTER PAHLAVI FOUR DOTS WITH DOT
+	{0x10BA9, 0x10BAF, prAL, gcNo},   //     [7] PSALTER PAHLAVI NUMBER ONE..PSALTER PAHLAVI NUMBER ONE HUNDRED
+	{0x10C00, 0x10C48, prAL, gcLo},   //    [73] OLD TURKIC LETTER ORKHON A..OLD TURKIC LETTER ORKHON BASH
+	{0x10C80, 0x10CB2, prAL, gcLu},   //    [51] OLD HUNGARIAN CAPITAL LETTER A..OLD HUNGARIAN CAPITAL LETTER US
+	{0x10CC0, 0x10CF2, prAL, gcLl},   //    [51] OLD HUNGARIAN SMALL LETTER A..OLD HUNGARIAN SMALL LETTER US
+	{0x10CFA, 0x10CFF, prAL, gcNo},   //     [6] OLD HUNGARIAN NUMBER ONE..OLD HUNGARIAN NUMBER ONE THOUSAND
+	{0x10D00, 0x10D23, prAL, gcLo},   //    [36] HANIFI ROHINGYA LETTER A..HANIFI ROHINGYA MARK NA KHONNA
+	{0x10D24, 0x10D27, prCM, gcMn},   //     [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI
+	{0x10D30, 0x10D39, prNU, gcNd},   //    [10] HANIFI ROHINGYA DIGIT ZERO..HANIFI ROHINGYA DIGIT NINE
+	{0x10E60, 0x10E7E, prAL, gcNo},   //    [31] RUMI DIGIT ONE..RUMI FRACTION TWO THIRDS
+	{0x10E80, 0x10EA9, prAL, gcLo},   //    [42] YEZIDI LETTER ELIF..YEZIDI LETTER ET
+	{0x10EAB, 0x10EAC, prCM, gcMn},   //     [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK
+	{0x10EAD, 0x10EAD, prBA, gcPd},   //         YEZIDI HYPHENATION MARK
+	{0x10EB0, 0x10EB1, prAL, gcLo},   //     [2] YEZIDI LETTER LAM WITH DOT ABOVE..YEZIDI LETTER YOT WITH CIRCUMFLEX ABOVE
+	{0x10EFD, 0x10EFF, prCM, gcMn},   //     [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA
+	{0x10F00, 0x10F1C, prAL, gcLo},   //    [29] OLD SOGDIAN LETTER ALEPH..OLD SOGDIAN LETTER FINAL TAW WITH VERTICAL TAIL
+	{0x10F1D, 0x10F26, prAL, gcNo},   //    [10] OLD SOGDIAN NUMBER ONE..OLD SOGDIAN FRACTION ONE HALF
+	{0x10F27, 0x10F27, prAL, gcLo},   //         OLD SOGDIAN LIGATURE AYIN-DALETH
+	{0x10F30, 0x10F45, prAL, gcLo},   //    [22] SOGDIAN LETTER ALEPH..SOGDIAN INDEPENDENT SHIN
+	{0x10F46, 0x10F50, prCM, gcMn},   //    [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW
+	{0x10F51, 0x10F54, prAL, gcNo},   //     [4] SOGDIAN NUMBER ONE..SOGDIAN NUMBER ONE HUNDRED
+	{0x10F55, 0x10F59, prAL, gcPo},   //     [5] SOGDIAN PUNCTUATION TWO VERTICAL BARS..SOGDIAN PUNCTUATION HALF CIRCLE WITH DOT
+	{0x10F70, 0x10F81, prAL, gcLo},   //    [18] OLD UYGHUR LETTER ALEPH..OLD UYGHUR LETTER LESH
+	{0x10F82, 0x10F85, prCM, gcMn},   //     [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW
+	{0x10F86, 0x10F89, prAL, gcPo},   //     [4] OLD UYGHUR PUNCTUATION BAR..OLD UYGHUR PUNCTUATION FOUR DOTS
+	{0x10FB0, 0x10FC4, prAL, gcLo},   //    [21] CHORASMIAN LETTER ALEPH..CHORASMIAN LETTER TAW
+	{0x10FC5, 0x10FCB, prAL, gcNo},   //     [7] CHORASMIAN NUMBER ONE..CHORASMIAN NUMBER ONE HUNDRED
+	{0x10FE0, 0x10FF6, prAL, gcLo},   //    [23] ELYMAIC LETTER ALEPH..ELYMAIC LIGATURE ZAYIN-YODH
+	{0x11000, 0x11000, prCM, gcMc},   //         BRAHMI SIGN CANDRABINDU
+	{0x11001, 0x11001, prCM, gcMn},   //         BRAHMI SIGN ANUSVARA
+	{0x11002, 0x11002, prCM, gcMc},   //         BRAHMI SIGN VISARGA
+	{0x11003, 0x11037, prAL, gcLo},   //    [53] BRAHMI SIGN JIHVAMULIYA..BRAHMI LETTER OLD TAMIL NNNA
+	{0x11038, 0x11046, prCM, gcMn},   //    [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA
+	{0x11047, 0x11048, prBA, gcPo},   //     [2] BRAHMI DANDA..BRAHMI DOUBLE DANDA
+	{0x11049, 0x1104D, prAL, gcPo},   //     [5] BRAHMI PUNCTUATION DOT..BRAHMI PUNCTUATION LOTUS
+	{0x11052, 0x11065, prAL, gcNo},   //    [20] BRAHMI NUMBER ONE..BRAHMI NUMBER ONE THOUSAND
+	{0x11066, 0x1106F, prNU, gcNd},   //    [10] BRAHMI DIGIT ZERO..BRAHMI DIGIT NINE
+	{0x11070, 0x11070, prCM, gcMn},   //         BRAHMI SIGN OLD TAMIL VIRAMA
+	{0x11071, 0x11072, prAL, gcLo},   //     [2] BRAHMI LETTER OLD TAMIL SHORT E..BRAHMI LETTER OLD TAMIL SHORT O
+	{0x11073, 0x11074, prCM, gcMn},   //     [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O
+	{0x11075, 0x11075, prAL, gcLo},   //         BRAHMI LETTER OLD TAMIL LLA
+	{0x1107F, 0x1107F, prCM, gcMn},   //         BRAHMI NUMBER JOINER
+	{0x11080, 0x11081, prCM, gcMn},   //     [2] KAITHI SIGN CANDRABINDU..KAITHI SIGN ANUSVARA
+	{0x11082, 0x11082, prCM, gcMc},   //         KAITHI SIGN VISARGA
+	{0x11083, 0x110AF, prAL, gcLo},   //    [45] KAITHI LETTER A..KAITHI LETTER HA
+	{0x110B0, 0x110B2, prCM, gcMc},   //     [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II
+	{0x110B3, 0x110B6, prCM, gcMn},   //     [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI
+	{0x110B7, 0x110B8, prCM, gcMc},   //     [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU
+	{0x110B9, 0x110BA, prCM, gcMn},   //     [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA
+	{0x110BB, 0x110BC, prAL, gcPo},   //     [2] KAITHI ABBREVIATION SIGN..KAITHI ENUMERATION SIGN
+	{0x110BD, 0x110BD, prAL, gcCf},   //         KAITHI NUMBER SIGN
+	{0x110BE, 0x110C1, prBA, gcPo},   //     [4] KAITHI SECTION MARK..KAITHI DOUBLE DANDA
+	{0x110C2, 0x110C2, prCM, gcMn},   //         KAITHI VOWEL SIGN VOCALIC R
+	{0x110CD, 0x110CD, prAL, gcCf},   //         KAITHI NUMBER SIGN ABOVE
+	{0x110D0, 0x110E8, prAL, gcLo},   //    [25] SORA SOMPENG LETTER SAH..SORA SOMPENG LETTER MAE
+	{0x110F0, 0x110F9, prNU, gcNd},   //    [10] SORA SOMPENG DIGIT ZERO..SORA SOMPENG DIGIT NINE
+	{0x11100, 0x11102, prCM, gcMn},   //     [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA
+	{0x11103, 0x11126, prAL, gcLo},   //    [36] CHAKMA LETTER AA..CHAKMA LETTER HAA
+	{0x11127, 0x1112B, prCM, gcMn},   //     [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU
+	{0x1112C, 0x1112C, prCM, gcMc},   //         CHAKMA VOWEL SIGN E
+	{0x1112D, 0x11134, prCM, gcMn},   //     [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA
+	{0x11136, 0x1113F, prNU, gcNd},   //    [10] CHAKMA DIGIT ZERO..CHAKMA DIGIT NINE
+	{0x11140, 0x11143, prBA, gcPo},   //     [4] CHAKMA SECTION MARK..CHAKMA QUESTION MARK
+	{0x11144, 0x11144, prAL, gcLo},   //         CHAKMA LETTER LHAA
+	{0x11145, 0x11146, prCM, gcMc},   //     [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI
+	{0x11147, 0x11147, prAL, gcLo},   //         CHAKMA LETTER VAA
+	{0x11150, 0x11172, prAL, gcLo},   //    [35] MAHAJANI LETTER A..MAHAJANI LETTER RRA
+	{0x11173, 0x11173, prCM, gcMn},   //         MAHAJANI SIGN NUKTA
+	{0x11174, 0x11174, prAL, gcPo},   //         MAHAJANI ABBREVIATION SIGN
+	{0x11175, 0x11175, prBB, gcPo},   //         MAHAJANI SECTION MARK
+	{0x11176, 0x11176, prAL, gcLo},   //         MAHAJANI LIGATURE SHRI
+	{0x11180, 0x11181, prCM, gcMn},   //     [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA
+	{0x11182, 0x11182, prCM, gcMc},   //         SHARADA SIGN VISARGA
+	{0x11183, 0x111B2, prAL, gcLo},   //    [48] SHARADA LETTER A..SHARADA LETTER HA
+	{0x111B3, 0x111B5, prCM, gcMc},   //     [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II
+	{0x111B6, 0x111BE, prCM, gcMn},   //     [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O
+	{0x111BF, 0x111C0, prCM, gcMc},   //     [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA
+	{0x111C1, 0x111C4, prAL, gcLo},   //     [4] SHARADA SIGN AVAGRAHA..SHARADA OM
+	{0x111C5, 0x111C6, prBA, gcPo},   //     [2] SHARADA DANDA..SHARADA DOUBLE DANDA
+	{0x111C7, 0x111C7, prAL, gcPo},   //         SHARADA ABBREVIATION SIGN
+	{0x111C8, 0x111C8, prBA, gcPo},   //         SHARADA SEPARATOR
+	{0x111C9, 0x111CC, prCM, gcMn},   //     [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK
+	{0x111CD, 0x111CD, prAL, gcPo},   //         SHARADA SUTRA MARK
+	{0x111CE, 0x111CE, prCM, gcMc},   //         SHARADA VOWEL SIGN PRISHTHAMATRA E
+	{0x111CF, 0x111CF, prCM, gcMn},   //         SHARADA SIGN INVERTED CANDRABINDU
+	{0x111D0, 0x111D9, prNU, gcNd},   //    [10] SHARADA DIGIT ZERO..SHARADA DIGIT NINE
+	{0x111DA, 0x111DA, prAL, gcLo},   //         SHARADA EKAM
+	{0x111DB, 0x111DB, prBB, gcPo},   //         SHARADA SIGN SIDDHAM
+	{0x111DC, 0x111DC, prAL, gcLo},   //         SHARADA HEADSTROKE
+	{0x111DD, 0x111DF, prBA, gcPo},   //     [3] SHARADA CONTINUATION SIGN..SHARADA SECTION MARK-2
+	{0x111E1, 0x111F4, prAL, gcNo},   //    [20] SINHALA ARCHAIC DIGIT ONE..SINHALA ARCHAIC NUMBER ONE THOUSAND
+	{0x11200, 0x11211, prAL, gcLo},   //    [18] KHOJKI LETTER A..KHOJKI LETTER JJA
+	{0x11213, 0x1122B, prAL, gcLo},   //    [25] KHOJKI LETTER NYA..KHOJKI LETTER LLA
+	{0x1122C, 0x1122E, prCM, gcMc},   //     [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II
+	{0x1122F, 0x11231, prCM, gcMn},   //     [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI
+	{0x11232, 0x11233, prCM, gcMc},   //     [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU
+	{0x11234, 0x11234, prCM, gcMn},   //         KHOJKI SIGN ANUSVARA
+	{0x11235, 0x11235, prCM, gcMc},   //         KHOJKI SIGN VIRAMA
+	{0x11236, 0x11237, prCM, gcMn},   //     [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA
+	{0x11238, 0x11239, prBA, gcPo},   //     [2] KHOJKI DANDA..KHOJKI DOUBLE DANDA
+	{0x1123A, 0x1123A, prAL, gcPo},   //         KHOJKI WORD SEPARATOR
+	{0x1123B, 0x1123C, prBA, gcPo},   //     [2] KHOJKI SECTION MARK..KHOJKI DOUBLE SECTION MARK
+	{0x1123D, 0x1123D, prAL, gcPo},   //         KHOJKI ABBREVIATION SIGN
+	{0x1123E, 0x1123E, prCM, gcMn},   //         KHOJKI SIGN SUKUN
+	{0x1123F, 0x11240, prAL, gcLo},   //     [2] KHOJKI LETTER QA..KHOJKI LETTER SHORT I
+	{0x11241, 0x11241, prCM, gcMn},   //         KHOJKI VOWEL SIGN VOCALIC R
+	{0x11280, 0x11286, prAL, gcLo},   //     [7] MULTANI LETTER A..MULTANI LETTER GA
+	{0x11288, 0x11288, prAL, gcLo},   //         MULTANI LETTER GHA
+	{0x1128A, 0x1128D, prAL, gcLo},   //     [4] MULTANI LETTER CA..MULTANI LETTER JJA
+	{0x1128F, 0x1129D, prAL, gcLo},   //    [15] MULTANI LETTER NYA..MULTANI LETTER BA
+	{0x1129F, 0x112A8, prAL, gcLo},   //    [10] MULTANI LETTER BHA..MULTANI LETTER RHA
+	{0x112A9, 0x112A9, prBA, gcPo},   //         MULTANI SECTION MARK
+	{0x112B0, 0x112DE, prAL, gcLo},   //    [47] KHUDAWADI LETTER A..KHUDAWADI LETTER HA
+	{0x112DF, 0x112DF, prCM, gcMn},   //         KHUDAWADI SIGN ANUSVARA
+	{0x112E0, 0x112E2, prCM, gcMc},   //     [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II
+	{0x112E3, 0x112EA, prCM, gcMn},   //     [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA
+	{0x112F0, 0x112F9, prNU, gcNd},   //    [10] KHUDAWADI DIGIT ZERO..KHUDAWADI DIGIT NINE
+	{0x11300, 0x11301, prCM, gcMn},   //     [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU
+	{0x11302, 0x11303, prCM, gcMc},   //     [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA
+	{0x11305, 0x1130C, prAL, gcLo},   //     [8] GRANTHA LETTER A..GRANTHA LETTER VOCALIC L
+	{0x1130F, 0x11310, prAL, gcLo},   //     [2] GRANTHA LETTER EE..GRANTHA LETTER AI
+	{0x11313, 0x11328, prAL, gcLo},   //    [22] GRANTHA LETTER OO..GRANTHA LETTER NA
+	{0x1132A, 0x11330, prAL, gcLo},   //     [7] GRANTHA LETTER PA..GRANTHA LETTER RA
+	{0x11332, 0x11333, prAL, gcLo},   //     [2] GRANTHA LETTER LA..GRANTHA LETTER LLA
+	{0x11335, 0x11339, prAL, gcLo},   //     [5] GRANTHA LETTER VA..GRANTHA LETTER HA
+	{0x1133B, 0x1133C, prCM, gcMn},   //     [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA
+	{0x1133D, 0x1133D, prAL, gcLo},   //         GRANTHA SIGN AVAGRAHA
+	{0x1133E, 0x1133F, prCM, gcMc},   //     [2] GRANTHA VOWEL SIGN AA..GRANTHA VOWEL SIGN I
+	{0x11340, 0x11340, prCM, gcMn},   //         GRANTHA VOWEL SIGN II
+	{0x11341, 0x11344, prCM, gcMc},   //     [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR
+	{0x11347, 0x11348, prCM, gcMc},   //     [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI
+	{0x1134B, 0x1134D, prCM, gcMc},   //     [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA
+	{0x11350, 0x11350, prAL, gcLo},   //         GRANTHA OM
+	{0x11357, 0x11357, prCM, gcMc},   //         GRANTHA AU LENGTH MARK
+	{0x1135D, 0x11361, prAL, gcLo},   //     [5] GRANTHA SIGN PLUTA..GRANTHA LETTER VOCALIC LL
+	{0x11362, 0x11363, prCM, gcMc},   //     [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL
+	{0x11366, 0x1136C, prCM, gcMn},   //     [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX
+	{0x11370, 0x11374, prCM, gcMn},   //     [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA
+	{0x11400, 0x11434, prAL, gcLo},   //    [53] NEWA LETTER A..NEWA LETTER HA
+	{0x11435, 0x11437, prCM, gcMc},   //     [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II
+	{0x11438, 0x1143F, prCM, gcMn},   //     [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI
+	{0x11440, 0x11441, prCM, gcMc},   //     [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU
+	{0x11442, 0x11444, prCM, gcMn},   //     [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA
+	{0x11445, 0x11445, prCM, gcMc},   //         NEWA SIGN VISARGA
+	{0x11446, 0x11446, prCM, gcMn},   //         NEWA SIGN NUKTA
+	{0x11447, 0x1144A, prAL, gcLo},   //     [4] NEWA SIGN AVAGRAHA..NEWA SIDDHI
+	{0x1144B, 0x1144E, prBA, gcPo},   //     [4] NEWA DANDA..NEWA GAP FILLER
+	{0x1144F, 0x1144F, prAL, gcPo},   //         NEWA ABBREVIATION SIGN
+	{0x11450, 0x11459, prNU, gcNd},   //    [10] NEWA DIGIT ZERO..NEWA DIGIT NINE
+	{0x1145A, 0x1145B, prBA, gcPo},   //     [2] NEWA DOUBLE COMMA..NEWA PLACEHOLDER MARK
+	{0x1145D, 0x1145D, prAL, gcPo},   //         NEWA INSERTION SIGN
+	{0x1145E, 0x1145E, prCM, gcMn},   //         NEWA SANDHI MARK
+	{0x1145F, 0x11461, prAL, gcLo},   //     [3] NEWA LETTER VEDIC ANUSVARA..NEWA SIGN UPADHMANIYA
+	{0x11480, 0x114AF, prAL, gcLo},   //    [48] TIRHUTA ANJI..TIRHUTA LETTER HA
+	{0x114B0, 0x114B2, prCM, gcMc},   //     [3] TIRHUTA VOWEL SIGN AA..TIRHUTA VOWEL SIGN II
+	{0x114B3, 0x114B8, prCM, gcMn},   //     [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL
+	{0x114B9, 0x114B9, prCM, gcMc},   //         TIRHUTA VOWEL SIGN E
+	{0x114BA, 0x114BA, prCM, gcMn},   //         TIRHUTA VOWEL SIGN SHORT E
+	{0x114BB, 0x114BE, prCM, gcMc},   //     [4] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN AU
+	{0x114BF, 0x114C0, prCM, gcMn},   //     [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA
+	{0x114C1, 0x114C1, prCM, gcMc},   //         TIRHUTA SIGN VISARGA
+	{0x114C2, 0x114C3, prCM, gcMn},   //     [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA
+	{0x114C4, 0x114C5, prAL, gcLo},   //     [2] TIRHUTA SIGN AVAGRAHA..TIRHUTA GVANG
+	{0x114C6, 0x114C6, prAL, gcPo},   //         TIRHUTA ABBREVIATION SIGN
+	{0x114C7, 0x114C7, prAL, gcLo},   //         TIRHUTA OM
+	{0x114D0, 0x114D9, prNU, gcNd},   //    [10] TIRHUTA DIGIT ZERO..TIRHUTA DIGIT NINE
+	{0x11580, 0x115AE, prAL, gcLo},   //    [47] SIDDHAM LETTER A..SIDDHAM LETTER HA
+	{0x115AF, 0x115B1, prCM, gcMc},   //     [3] SIDDHAM VOWEL SIGN AA..SIDDHAM VOWEL SIGN II
+	{0x115B2, 0x115B5, prCM, gcMn},   //     [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR
+	{0x115B8, 0x115BB, prCM, gcMc},   //     [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU
+	{0x115BC, 0x115BD, prCM, gcMn},   //     [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA
+	{0x115BE, 0x115BE, prCM, gcMc},   //         SIDDHAM SIGN VISARGA
+	{0x115BF, 0x115C0, prCM, gcMn},   //     [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA
+	{0x115C1, 0x115C1, prBB, gcPo},   //         SIDDHAM SIGN SIDDHAM
+	{0x115C2, 0x115C3, prBA, gcPo},   //     [2] SIDDHAM DANDA..SIDDHAM DOUBLE DANDA
+	{0x115C4, 0x115C5, prEX, gcPo},   //     [2] SIDDHAM SEPARATOR DOT..SIDDHAM SEPARATOR BAR
+	{0x115C6, 0x115C8, prAL, gcPo},   //     [3] SIDDHAM REPETITION MARK-1..SIDDHAM REPETITION MARK-3
+	{0x115C9, 0x115D7, prBA, gcPo},   //    [15] SIDDHAM END OF TEXT MARK..SIDDHAM SECTION MARK WITH CIRCLES AND FOUR ENCLOSURES
+	{0x115D8, 0x115DB, prAL, gcLo},   //     [4] SIDDHAM LETTER THREE-CIRCLE ALTERNATE I..SIDDHAM LETTER ALTERNATE U
+	{0x115DC, 0x115DD, prCM, gcMn},   //     [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU
+	{0x11600, 0x1162F, prAL, gcLo},   //    [48] MODI LETTER A..MODI LETTER LLA
+	{0x11630, 0x11632, prCM, gcMc},   //     [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II
+	{0x11633, 0x1163A, prCM, gcMn},   //     [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI
+	{0x1163B, 0x1163C, prCM, gcMc},   //     [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU
+	{0x1163D, 0x1163D, prCM, gcMn},   //         MODI SIGN ANUSVARA
+	{0x1163E, 0x1163E, prCM, gcMc},   //         MODI SIGN VISARGA
+	{0x1163F, 0x11640, prCM, gcMn},   //     [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA
+	{0x11641, 0x11642, prBA, gcPo},   //     [2] MODI DANDA..MODI DOUBLE DANDA
+	{0x11643, 0x11643, prAL, gcPo},   //         MODI ABBREVIATION SIGN
+	{0x11644, 0x11644, prAL, gcLo},   //         MODI SIGN HUVA
+	{0x11650, 0x11659, prNU, gcNd},   //    [10] MODI DIGIT ZERO..MODI DIGIT NINE
+	{0x11660, 0x1166C, prBB, gcPo},   //    [13] MONGOLIAN BIRGA WITH ORNAMENT..MONGOLIAN TURNED SWIRL BIRGA WITH DOUBLE ORNAMENT
+	{0x11680, 0x116AA, prAL, gcLo},   //    [43] TAKRI LETTER A..TAKRI LETTER RRA
+	{0x116AB, 0x116AB, prCM, gcMn},   //         TAKRI SIGN ANUSVARA
+	{0x116AC, 0x116AC, prCM, gcMc},   //         TAKRI SIGN VISARGA
+	{0x116AD, 0x116AD, prCM, gcMn},   //         TAKRI VOWEL SIGN AA
+	{0x116AE, 0x116AF, prCM, gcMc},   //     [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II
+	{0x116B0, 0x116B5, prCM, gcMn},   //     [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU
+	{0x116B6, 0x116B6, prCM, gcMc},   //         TAKRI SIGN VIRAMA
+	{0x116B7, 0x116B7, prCM, gcMn},   //         TAKRI SIGN NUKTA
+	{0x116B8, 0x116B8, prAL, gcLo},   //         TAKRI LETTER ARCHAIC KHA
+	{0x116B9, 0x116B9, prAL, gcPo},   //         TAKRI ABBREVIATION SIGN
+	{0x116C0, 0x116C9, prNU, gcNd},   //    [10] TAKRI DIGIT ZERO..TAKRI DIGIT NINE
+	{0x11700, 0x1171A, prSA, gcLo},   //    [27] AHOM LETTER KA..AHOM LETTER ALTERNATE BA
+	{0x1171D, 0x1171F, prSA, gcMn},   //     [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA
+	{0x11720, 0x11721, prSA, gcMc},   //     [2] AHOM VOWEL SIGN A..AHOM VOWEL SIGN AA
+	{0x11722, 0x11725, prSA, gcMn},   //     [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU
+	{0x11726, 0x11726, prSA, gcMc},   //         AHOM VOWEL SIGN E
+	{0x11727, 0x1172B, prSA, gcMn},   //     [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER
+	{0x11730, 0x11739, prNU, gcNd},   //    [10] AHOM DIGIT ZERO..AHOM DIGIT NINE
+	{0x1173A, 0x1173B, prSA, gcNo},   //     [2] AHOM NUMBER TEN..AHOM NUMBER TWENTY
+	{0x1173C, 0x1173E, prBA, gcPo},   //     [3] AHOM SIGN SMALL SECTION..AHOM SIGN RULAI
+	{0x1173F, 0x1173F, prSA, gcSo},   //         AHOM SYMBOL VI
+	{0x11740, 0x11746, prSA, gcLo},   //     [7] AHOM LETTER CA..AHOM LETTER LLA
+	{0x11800, 0x1182B, prAL, gcLo},   //    [44] DOGRA LETTER A..DOGRA LETTER RRA
+	{0x1182C, 0x1182E, prCM, gcMc},   //     [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II
+	{0x1182F, 0x11837, prCM, gcMn},   //     [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA
+	{0x11838, 0x11838, prCM, gcMc},   //         DOGRA SIGN VISARGA
+	{0x11839, 0x1183A, prCM, gcMn},   //     [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA
+	{0x1183B, 0x1183B, prAL, gcPo},   //         DOGRA ABBREVIATION SIGN
+	{0x118A0, 0x118DF, prAL, gcLC},   //    [64] WARANG CITI CAPITAL LETTER NGAA..WARANG CITI SMALL LETTER VIYO
+	{0x118E0, 0x118E9, prNU, gcNd},   //    [10] WARANG CITI DIGIT ZERO..WARANG CITI DIGIT NINE
+	{0x118EA, 0x118F2, prAL, gcNo},   //     [9] WARANG CITI NUMBER TEN..WARANG CITI NUMBER NINETY
+	{0x118FF, 0x118FF, prAL, gcLo},   //         WARANG CITI OM
+	{0x11900, 0x11906, prAL, gcLo},   //     [7] DIVES AKURU LETTER A..DIVES AKURU LETTER E
+	{0x11909, 0x11909, prAL, gcLo},   //         DIVES AKURU LETTER O
+	{0x1190C, 0x11913, prAL, gcLo},   //     [8] DIVES AKURU LETTER KA..DIVES AKURU LETTER JA
+	{0x11915, 0x11916, prAL, gcLo},   //     [2] DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA
+	{0x11918, 0x1192F, prAL, gcLo},   //    [24] DIVES AKURU LETTER DDA..DIVES AKURU LETTER ZA
+	{0x11930, 0x11935, prCM, gcMc},   //     [6] DIVES AKURU VOWEL SIGN AA..DIVES AKURU VOWEL SIGN E
+	{0x11937, 0x11938, prCM, gcMc},   //     [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O
+	{0x1193B, 0x1193C, prCM, gcMn},   //     [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU
+	{0x1193D, 0x1193D, prCM, gcMc},   //         DIVES AKURU SIGN HALANTA
+	{0x1193E, 0x1193E, prCM, gcMn},   //         DIVES AKURU VIRAMA
+	{0x1193F, 0x1193F, prAL, gcLo},   //         DIVES AKURU PREFIXED NASAL SIGN
+	{0x11940, 0x11940, prCM, gcMc},   //         DIVES AKURU MEDIAL YA
+	{0x11941, 0x11941, prAL, gcLo},   //         DIVES AKURU INITIAL RA
+	{0x11942, 0x11942, prCM, gcMc},   //         DIVES AKURU MEDIAL RA
+	{0x11943, 0x11943, prCM, gcMn},   //         DIVES AKURU SIGN NUKTA
+	{0x11944, 0x11946, prBA, gcPo},   //     [3] DIVES AKURU DOUBLE DANDA..DIVES AKURU END OF TEXT MARK
+	{0x11950, 0x11959, prNU, gcNd},   //    [10] DIVES AKURU DIGIT ZERO..DIVES AKURU DIGIT NINE
+	{0x119A0, 0x119A7, prAL, gcLo},   //     [8] NANDINAGARI LETTER A..NANDINAGARI LETTER VOCALIC RR
+	{0x119AA, 0x119D0, prAL, gcLo},   //    [39] NANDINAGARI LETTER E..NANDINAGARI LETTER RRA
+	{0x119D1, 0x119D3, prCM, gcMc},   //     [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II
+	{0x119D4, 0x119D7, prCM, gcMn},   //     [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR
+	{0x119DA, 0x119DB, prCM, gcMn},   //     [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI
+	{0x119DC, 0x119DF, prCM, gcMc},   //     [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA
+	{0x119E0, 0x119E0, prCM, gcMn},   //         NANDINAGARI SIGN VIRAMA
+	{0x119E1, 0x119E1, prAL, gcLo},   //         NANDINAGARI SIGN AVAGRAHA
+	{0x119E2, 0x119E2, prBB, gcPo},   //         NANDINAGARI SIGN SIDDHAM
+	{0x119E3, 0x119E3, prAL, gcLo},   //         NANDINAGARI HEADSTROKE
+	{0x119E4, 0x119E4, prCM, gcMc},   //         NANDINAGARI VOWEL SIGN PRISHTHAMATRA E
+	{0x11A00, 0x11A00, prAL, gcLo},   //         ZANABAZAR SQUARE LETTER A
+	{0x11A01, 0x11A0A, prCM, gcMn},   //    [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK
+	{0x11A0B, 0x11A32, prAL, gcLo},   //    [40] ZANABAZAR SQUARE LETTER KA..ZANABAZAR SQUARE LETTER KSSA
+	{0x11A33, 0x11A38, prCM, gcMn},   //     [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA
+	{0x11A39, 0x11A39, prCM, gcMc},   //         ZANABAZAR SQUARE SIGN VISARGA
+	{0x11A3A, 0x11A3A, prAL, gcLo},   //         ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA
+	{0x11A3B, 0x11A3E, prCM, gcMn},   //     [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA
+	{0x11A3F, 0x11A3F, prBB, gcPo},   //         ZANABAZAR SQUARE INITIAL HEAD MARK
+	{0x11A40, 0x11A40, prAL, gcPo},   //         ZANABAZAR SQUARE CLOSING HEAD MARK
+	{0x11A41, 0x11A44, prBA, gcPo},   //     [4] ZANABAZAR SQUARE MARK TSHEG..ZANABAZAR SQUARE MARK LONG TSHEG
+	{0x11A45, 0x11A45, prBB, gcPo},   //         ZANABAZAR SQUARE INITIAL DOUBLE-LINED HEAD MARK
+	{0x11A46, 0x11A46, prAL, gcPo},   //         ZANABAZAR SQUARE CLOSING DOUBLE-LINED HEAD MARK
+	{0x11A47, 0x11A47, prCM, gcMn},   //         ZANABAZAR SQUARE SUBJOINER
+	{0x11A50, 0x11A50, prAL, gcLo},   //         SOYOMBO LETTER A
+	{0x11A51, 0x11A56, prCM, gcMn},   //     [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE
+	{0x11A57, 0x11A58, prCM, gcMc},   //     [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU
+	{0x11A59, 0x11A5B, prCM, gcMn},   //     [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK
+	{0x11A5C, 0x11A89, prAL, gcLo},   //    [46] SOYOMBO LETTER KA..SOYOMBO CLUSTER-INITIAL LETTER SA
+	{0x11A8A, 0x11A96, prCM, gcMn},   //    [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA
+	{0x11A97, 0x11A97, prCM, gcMc},   //         SOYOMBO SIGN VISARGA
+	{0x11A98, 0x11A99, prCM, gcMn},   //     [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER
+	{0x11A9A, 0x11A9C, prBA, gcPo},   //     [3] SOYOMBO MARK TSHEG..SOYOMBO MARK DOUBLE SHAD
+	{0x11A9D, 0x11A9D, prAL, gcLo},   //         SOYOMBO MARK PLUTA
+	{0x11A9E, 0x11AA0, prBB, gcPo},   //     [3] SOYOMBO HEAD MARK WITH MOON AND SUN AND TRIPLE FLAME..SOYOMBO HEAD MARK WITH MOON AND SUN
+	{0x11AA1, 0x11AA2, prBA, gcPo},   //     [2] SOYOMBO TERMINAL MARK-1..SOYOMBO TERMINAL MARK-2
+	{0x11AB0, 0x11ABF, prAL, gcLo},   //    [16] CANADIAN SYLLABICS NATTILIK HI..CANADIAN SYLLABICS SPA
+	{0x11AC0, 0x11AF8, prAL, gcLo},   //    [57] PAU CIN HAU LETTER PA..PAU CIN HAU GLOTTAL STOP FINAL
+	{0x11B00, 0x11B09, prBB, gcPo},   //    [10] DEVANAGARI HEAD MARK..DEVANAGARI SIGN MINDU
+	{0x11C00, 0x11C08, prAL, gcLo},   //     [9] BHAIKSUKI LETTER A..BHAIKSUKI LETTER VOCALIC L
+	{0x11C0A, 0x11C2E, prAL, gcLo},   //    [37] BHAIKSUKI LETTER E..BHAIKSUKI LETTER HA
+	{0x11C2F, 0x11C2F, prCM, gcMc},   //         BHAIKSUKI VOWEL SIGN AA
+	{0x11C30, 0x11C36, prCM, gcMn},   //     [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L
+	{0x11C38, 0x11C3D, prCM, gcMn},   //     [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA
+	{0x11C3E, 0x11C3E, prCM, gcMc},   //         BHAIKSUKI SIGN VISARGA
+	{0x11C3F, 0x11C3F, prCM, gcMn},   //         BHAIKSUKI SIGN VIRAMA
+	{0x11C40, 0x11C40, prAL, gcLo},   //         BHAIKSUKI SIGN AVAGRAHA
+	{0x11C41, 0x11C45, prBA, gcPo},   //     [5] BHAIKSUKI DANDA..BHAIKSUKI GAP FILLER-2
+	{0x11C50, 0x11C59, prNU, gcNd},   //    [10] BHAIKSUKI DIGIT ZERO..BHAIKSUKI DIGIT NINE
+	{0x11C5A, 0x11C6C, prAL, gcNo},   //    [19] BHAIKSUKI NUMBER ONE..BHAIKSUKI HUNDREDS UNIT MARK
+	{0x11C70, 0x11C70, prBB, gcPo},   //         MARCHEN HEAD MARK
+	{0x11C71, 0x11C71, prEX, gcPo},   //         MARCHEN MARK SHAD
+	{0x11C72, 0x11C8F, prAL, gcLo},   //    [30] MARCHEN LETTER KA..MARCHEN LETTER A
+	{0x11C92, 0x11CA7, prCM, gcMn},   //    [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA
+	{0x11CA9, 0x11CA9, prCM, gcMc},   //         MARCHEN SUBJOINED LETTER YA
+	{0x11CAA, 0x11CB0, prCM, gcMn},   //     [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA
+	{0x11CB1, 0x11CB1, prCM, gcMc},   //         MARCHEN VOWEL SIGN I
+	{0x11CB2, 0x11CB3, prCM, gcMn},   //     [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E
+	{0x11CB4, 0x11CB4, prCM, gcMc},   //         MARCHEN VOWEL SIGN O
+	{0x11CB5, 0x11CB6, prCM, gcMn},   //     [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU
+	{0x11D00, 0x11D06, prAL, gcLo},   //     [7] MASARAM GONDI LETTER A..MASARAM GONDI LETTER E
+	{0x11D08, 0x11D09, prAL, gcLo},   //     [2] MASARAM GONDI LETTER AI..MASARAM GONDI LETTER O
+	{0x11D0B, 0x11D30, prAL, gcLo},   //    [38] MASARAM GONDI LETTER AU..MASARAM GONDI LETTER TRA
+	{0x11D31, 0x11D36, prCM, gcMn},   //     [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R
+	{0x11D3A, 0x11D3A, prCM, gcMn},   //         MASARAM GONDI VOWEL SIGN E
+	{0x11D3C, 0x11D3D, prCM, gcMn},   //     [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O
+	{0x11D3F, 0x11D45, prCM, gcMn},   //     [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA
+	{0x11D46, 0x11D46, prAL, gcLo},   //         MASARAM GONDI REPHA
+	{0x11D47, 0x11D47, prCM, gcMn},   //         MASARAM GONDI RA-KARA
+	{0x11D50, 0x11D59, prNU, gcNd},   //    [10] MASARAM GONDI DIGIT ZERO..MASARAM GONDI DIGIT NINE
+	{0x11D60, 0x11D65, prAL, gcLo},   //     [6] GUNJALA GONDI LETTER A..GUNJALA GONDI LETTER UU
+	{0x11D67, 0x11D68, prAL, gcLo},   //     [2] GUNJALA GONDI LETTER EE..GUNJALA GONDI LETTER AI
+	{0x11D6A, 0x11D89, prAL, gcLo},   //    [32] GUNJALA GONDI LETTER OO..GUNJALA GONDI LETTER SA
+	{0x11D8A, 0x11D8E, prCM, gcMc},   //     [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU
+	{0x11D90, 0x11D91, prCM, gcMn},   //     [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI
+	{0x11D93, 0x11D94, prCM, gcMc},   //     [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU
+	{0x11D95, 0x11D95, prCM, gcMn},   //         GUNJALA GONDI SIGN ANUSVARA
+	{0x11D96, 0x11D96, prCM, gcMc},   //         GUNJALA GONDI SIGN VISARGA
+	{0x11D97, 0x11D97, prCM, gcMn},   //         GUNJALA GONDI VIRAMA
+	{0x11D98, 0x11D98, prAL, gcLo},   //         GUNJALA GONDI OM
+	{0x11DA0, 0x11DA9, prNU, gcNd},   //    [10] GUNJALA GONDI DIGIT ZERO..GUNJALA GONDI DIGIT NINE
+	{0x11EE0, 0x11EF2, prAL, gcLo},   //    [19] MAKASAR LETTER KA..MAKASAR ANGKA
+	{0x11EF3, 0x11EF4, prCM, gcMn},   //     [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U
+	{0x11EF5, 0x11EF6, prCM, gcMc},   //     [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O
+	{0x11EF7, 0x11EF8, prAL, gcPo},   //     [2] MAKASAR PASSIMBANG..MAKASAR END OF SECTION
+	{0x11F00, 0x11F01, prCM, gcMn},   //     [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA
+	{0x11F02, 0x11F02, prAL, gcLo},   //         KAWI SIGN REPHA
+	{0x11F03, 0x11F03, prCM, gcMc},   //         KAWI SIGN VISARGA
+	{0x11F04, 0x11F10, prAL, gcLo},   //    [13] KAWI LETTER A..KAWI LETTER O
+	{0x11F12, 0x11F33, prAL, gcLo},   //    [34] KAWI LETTER KA..KAWI LETTER JNYA
+	{0x11F34, 0x11F35, prCM, gcMc},   //     [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA
+	{0x11F36, 0x11F3A, prCM, gcMn},   //     [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R
+	{0x11F3E, 0x11F3F, prCM, gcMc},   //     [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI
+	{0x11F40, 0x11F40, prCM, gcMn},   //         KAWI VOWEL SIGN EU
+	{0x11F41, 0x11F41, prCM, gcMc},   //         KAWI SIGN KILLER
+	{0x11F42, 0x11F42, prCM, gcMn},   //         KAWI CONJOINER
+	{0x11F43, 0x11F44, prBA, gcPo},   //     [2] KAWI DANDA..KAWI DOUBLE DANDA
+	{0x11F45, 0x11F4F, prID, gcPo},   //    [11] KAWI PUNCTUATION SECTION MARKER..KAWI PUNCTUATION CLOSING SPIRAL
+	{0x11F50, 0x11F59, prNU, gcNd},   //    [10] KAWI DIGIT ZERO..KAWI DIGIT NINE
+	{0x11FB0, 0x11FB0, prAL, gcLo},   //         LISU LETTER YHA
+	{0x11FC0, 0x11FD4, prAL, gcNo},   //    [21] TAMIL FRACTION ONE THREE-HUNDRED-AND-TWENTIETH..TAMIL FRACTION DOWNSCALING FACTOR KIIZH
+	{0x11FD5, 0x11FDC, prAL, gcSo},   //     [8] TAMIL SIGN NEL..TAMIL SIGN MUKKURUNI
+	{0x11FDD, 0x11FE0, prPO, gcSc},   //     [4] TAMIL SIGN KAACU..TAMIL SIGN VARAAKAN
+	{0x11FE1, 0x11FF1, prAL, gcSo},   //    [17] TAMIL SIGN PAARAM..TAMIL SIGN VAKAIYARAA
+	{0x11FFF, 0x11FFF, prBA, gcPo},   //         TAMIL PUNCTUATION END OF TEXT
+	{0x12000, 0x12399, prAL, gcLo},   //   [922] CUNEIFORM SIGN A..CUNEIFORM SIGN U U
+	{0x12400, 0x1246E, prAL, gcNl},   //   [111] CUNEIFORM NUMERIC SIGN TWO ASH..CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM
+	{0x12470, 0x12474, prBA, gcPo},   //     [5] CUNEIFORM PUNCTUATION SIGN OLD ASSYRIAN WORD DIVIDER..CUNEIFORM PUNCTUATION SIGN DIAGONAL QUADCOLON
+	{0x12480, 0x12543, prAL, gcLo},   //   [196] CUNEIFORM SIGN AB TIMES NUN TENU..CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU
+	{0x12F90, 0x12FF0, prAL, gcLo},   //    [97] CYPRO-MINOAN SIGN CM001..CYPRO-MINOAN SIGN CM114
+	{0x12FF1, 0x12FF2, prAL, gcPo},   //     [2] CYPRO-MINOAN SIGN CM301..CYPRO-MINOAN SIGN CM302
+	{0x13000, 0x13257, prAL, gcLo},   //   [600] EGYPTIAN HIEROGLYPH A001..EGYPTIAN HIEROGLYPH O006
+	{0x13258, 0x1325A, prOP, gcLo},   //     [3] EGYPTIAN HIEROGLYPH O006A..EGYPTIAN HIEROGLYPH O006C
+	{0x1325B, 0x1325D, prCL, gcLo},   //     [3] EGYPTIAN HIEROGLYPH O006D..EGYPTIAN HIEROGLYPH O006F
+	{0x1325E, 0x13281, prAL, gcLo},   //    [36] EGYPTIAN HIEROGLYPH O007..EGYPTIAN HIEROGLYPH O033
+	{0x13282, 0x13282, prCL, gcLo},   //         EGYPTIAN HIEROGLYPH O033A
+	{0x13283, 0x13285, prAL, gcLo},   //     [3] EGYPTIAN HIEROGLYPH O034..EGYPTIAN HIEROGLYPH O036
+	{0x13286, 0x13286, prOP, gcLo},   //         EGYPTIAN HIEROGLYPH O036A
+	{0x13287, 0x13287, prCL, gcLo},   //         EGYPTIAN HIEROGLYPH O036B
+	{0x13288, 0x13288, prOP, gcLo},   //         EGYPTIAN HIEROGLYPH O036C
+	{0x13289, 0x13289, prCL, gcLo},   //         EGYPTIAN HIEROGLYPH O036D
+	{0x1328A, 0x13378, prAL, gcLo},   //   [239] EGYPTIAN HIEROGLYPH O037..EGYPTIAN HIEROGLYPH V011
+	{0x13379, 0x13379, prOP, gcLo},   //         EGYPTIAN HIEROGLYPH V011A
+	{0x1337A, 0x1337B, prCL, gcLo},   //     [2] EGYPTIAN HIEROGLYPH V011B..EGYPTIAN HIEROGLYPH V011C
+	{0x1337C, 0x1342F, prAL, gcLo},   //   [180] EGYPTIAN HIEROGLYPH V012..EGYPTIAN HIEROGLYPH V011D
+	{0x13430, 0x13436, prGL, gcCf},   //     [7] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH OVERLAY MIDDLE
+	{0x13437, 0x13437, prOP, gcCf},   //         EGYPTIAN HIEROGLYPH BEGIN SEGMENT
+	{0x13438, 0x13438, prCL, gcCf},   //         EGYPTIAN HIEROGLYPH END SEGMENT
+	{0x13439, 0x1343B, prGL, gcCf},   //     [3] EGYPTIAN HIEROGLYPH INSERT AT MIDDLE..EGYPTIAN HIEROGLYPH INSERT AT BOTTOM
+	{0x1343C, 0x1343C, prOP, gcCf},   //         EGYPTIAN HIEROGLYPH BEGIN ENCLOSURE
+	{0x1343D, 0x1343D, prCL, gcCf},   //         EGYPTIAN HIEROGLYPH END ENCLOSURE
+	{0x1343E, 0x1343E, prOP, gcCf},   //         EGYPTIAN HIEROGLYPH BEGIN WALLED ENCLOSURE
+	{0x1343F, 0x1343F, prCL, gcCf},   //         EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE
+	{0x13440, 0x13440, prCM, gcMn},   //         EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY
+	{0x13441, 0x13446, prAL, gcLo},   //     [6] EGYPTIAN HIEROGLYPH FULL BLANK..EGYPTIAN HIEROGLYPH WIDE LOST SIGN
+	{0x13447, 0x13455, prCM, gcMn},   //    [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED
+	{0x14400, 0x145CD, prAL, gcLo},   //   [462] ANATOLIAN HIEROGLYPH A001..ANATOLIAN HIEROGLYPH A409
+	{0x145CE, 0x145CE, prOP, gcLo},   //         ANATOLIAN HIEROGLYPH A410 BEGIN LOGOGRAM MARK
+	{0x145CF, 0x145CF, prCL, gcLo},   //         ANATOLIAN HIEROGLYPH A410A END LOGOGRAM MARK
+	{0x145D0, 0x14646, prAL, gcLo},   //   [119] ANATOLIAN HIEROGLYPH A411..ANATOLIAN HIEROGLYPH A530
+	{0x16800, 0x16A38, prAL, gcLo},   //   [569] BAMUM LETTER PHASE-A NGKUE MFON..BAMUM LETTER PHASE-F VUEQ
+	{0x16A40, 0x16A5E, prAL, gcLo},   //    [31] MRO LETTER TA..MRO LETTER TEK
+	{0x16A60, 0x16A69, prNU, gcNd},   //    [10] MRO DIGIT ZERO..MRO DIGIT NINE
+	{0x16A6E, 0x16A6F, prBA, gcPo},   //     [2] MRO DANDA..MRO DOUBLE DANDA
+	{0x16A70, 0x16ABE, prAL, gcLo},   //    [79] TANGSA LETTER OZ..TANGSA LETTER ZA
+	{0x16AC0, 0x16AC9, prNU, gcNd},   //    [10] TANGSA DIGIT ZERO..TANGSA DIGIT NINE
+	{0x16AD0, 0x16AED, prAL, gcLo},   //    [30] BASSA VAH LETTER ENNI..BASSA VAH LETTER I
+	{0x16AF0, 0x16AF4, prCM, gcMn},   //     [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE
+	{0x16AF5, 0x16AF5, prBA, gcPo},   //         BASSA VAH FULL STOP
+	{0x16B00, 0x16B2F, prAL, gcLo},   //    [48] PAHAWH HMONG VOWEL KEEB..PAHAWH HMONG CONSONANT CAU
+	{0x16B30, 0x16B36, prCM, gcMn},   //     [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM
+	{0x16B37, 0x16B39, prBA, gcPo},   //     [3] PAHAWH HMONG SIGN VOS THOM..PAHAWH HMONG SIGN CIM CHEEM
+	{0x16B3A, 0x16B3B, prAL, gcPo},   //     [2] PAHAWH HMONG SIGN VOS THIAB..PAHAWH HMONG SIGN VOS FEEM
+	{0x16B3C, 0x16B3F, prAL, gcSo},   //     [4] PAHAWH HMONG SIGN XYEEM NTXIV..PAHAWH HMONG SIGN XYEEM FAIB
+	{0x16B40, 0x16B43, prAL, gcLm},   //     [4] PAHAWH HMONG SIGN VOS SEEV..PAHAWH HMONG SIGN IB YAM
+	{0x16B44, 0x16B44, prBA, gcPo},   //         PAHAWH HMONG SIGN XAUS
+	{0x16B45, 0x16B45, prAL, gcSo},   //         PAHAWH HMONG SIGN CIM TSOV ROG
+	{0x16B50, 0x16B59, prNU, gcNd},   //    [10] PAHAWH HMONG DIGIT ZERO..PAHAWH HMONG DIGIT NINE
+	{0x16B5B, 0x16B61, prAL, gcNo},   //     [7] PAHAWH HMONG NUMBER TENS..PAHAWH HMONG NUMBER TRILLIONS
+	{0x16B63, 0x16B77, prAL, gcLo},   //    [21] PAHAWH HMONG SIGN VOS LUB..PAHAWH HMONG SIGN CIM NRES TOS
+	{0x16B7D, 0x16B8F, prAL, gcLo},   //    [19] PAHAWH HMONG CLAN SIGN TSHEEJ..PAHAWH HMONG CLAN SIGN VWJ
+	{0x16E40, 0x16E7F, prAL, gcLC},   //    [64] MEDEFAIDRIN CAPITAL LETTER M..MEDEFAIDRIN SMALL LETTER Y
+	{0x16E80, 0x16E96, prAL, gcNo},   //    [23] MEDEFAIDRIN DIGIT ZERO..MEDEFAIDRIN DIGIT THREE ALTERNATE FORM
+	{0x16E97, 0x16E98, prBA, gcPo},   //     [2] MEDEFAIDRIN COMMA..MEDEFAIDRIN FULL STOP
+	{0x16E99, 0x16E9A, prAL, gcPo},   //     [2] MEDEFAIDRIN SYMBOL AIVA..MEDEFAIDRIN EXCLAMATION OH
+	{0x16F00, 0x16F4A, prAL, gcLo},   //    [75] MIAO LETTER PA..MIAO LETTER RTE
+	{0x16F4F, 0x16F4F, prCM, gcMn},   //         MIAO SIGN CONSONANT MODIFIER BAR
+	{0x16F50, 0x16F50, prAL, gcLo},   //         MIAO LETTER NASALIZATION
+	{0x16F51, 0x16F87, prCM, gcMc},   //    [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI
+	{0x16F8F, 0x16F92, prCM, gcMn},   //     [4] MIAO TONE RIGHT..MIAO TONE BELOW
+	{0x16F93, 0x16F9F, prAL, gcLm},   //    [13] MIAO LETTER TONE-2..MIAO LETTER REFORMED TONE-8
+	{0x16FE0, 0x16FE1, prNS, gcLm},   //     [2] TANGUT ITERATION MARK..NUSHU ITERATION MARK
+	{0x16FE2, 0x16FE2, prNS, gcPo},   //         OLD CHINESE HOOK MARK
+	{0x16FE3, 0x16FE3, prNS, gcLm},   //         OLD CHINESE ITERATION MARK
+	{0x16FE4, 0x16FE4, prGL, gcMn},   //         KHITAN SMALL SCRIPT FILLER
+	{0x16FF0, 0x16FF1, prCM, gcMc},   //     [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY
+	{0x17000, 0x187F7, prID, gcLo},   //  [6136] TANGUT IDEOGRAPH-17000..TANGUT IDEOGRAPH-187F7
+	{0x18800, 0x18AFF, prID, gcLo},   //   [768] TANGUT COMPONENT-001..TANGUT COMPONENT-768
+	{0x18B00, 0x18CD5, prAL, gcLo},   //   [470] KHITAN SMALL SCRIPT CHARACTER-18B00..KHITAN SMALL SCRIPT CHARACTER-18CD5
+	{0x18D00, 0x18D08, prID, gcLo},   //     [9] TANGUT IDEOGRAPH-18D00..TANGUT IDEOGRAPH-18D08
+	{0x1AFF0, 0x1AFF3, prAL, gcLm},   //     [4] KATAKANA LETTER MINNAN TONE-2..KATAKANA LETTER MINNAN TONE-5
+	{0x1AFF5, 0x1AFFB, prAL, gcLm},   //     [7] KATAKANA LETTER MINNAN TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-5
+	{0x1AFFD, 0x1AFFE, prAL, gcLm},   //     [2] KATAKANA LETTER MINNAN NASALIZED TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-8
+	{0x1B000, 0x1B0FF, prID, gcLo},   //   [256] KATAKANA LETTER ARCHAIC E..HENTAIGANA LETTER RE-2
+	{0x1B100, 0x1B122, prID, gcLo},   //    [35] HENTAIGANA LETTER RE-3..KATAKANA LETTER ARCHAIC WU
+	{0x1B132, 0x1B132, prCJ, gcLo},   //         HIRAGANA LETTER SMALL KO
+	{0x1B150, 0x1B152, prCJ, gcLo},   //     [3] HIRAGANA LETTER SMALL WI..HIRAGANA LETTER SMALL WO
+	{0x1B155, 0x1B155, prCJ, gcLo},   //         KATAKANA LETTER SMALL KO
+	{0x1B164, 0x1B167, prCJ, gcLo},   //     [4] KATAKANA LETTER SMALL WI..KATAKANA LETTER SMALL N
+	{0x1B170, 0x1B2FB, prID, gcLo},   //   [396] NUSHU CHARACTER-1B170..NUSHU CHARACTER-1B2FB
+	{0x1BC00, 0x1BC6A, prAL, gcLo},   //   [107] DUPLOYAN LETTER H..DUPLOYAN LETTER VOCALIC M
+	{0x1BC70, 0x1BC7C, prAL, gcLo},   //    [13] DUPLOYAN AFFIX LEFT HORIZONTAL SECANT..DUPLOYAN AFFIX ATTACHED TANGENT HOOK
+	{0x1BC80, 0x1BC88, prAL, gcLo},   //     [9] DUPLOYAN AFFIX HIGH ACUTE..DUPLOYAN AFFIX HIGH VERTICAL
+	{0x1BC90, 0x1BC99, prAL, gcLo},   //    [10] DUPLOYAN AFFIX LOW ACUTE..DUPLOYAN AFFIX LOW ARROW
+	{0x1BC9C, 0x1BC9C, prAL, gcSo},   //         DUPLOYAN SIGN O WITH CROSS
+	{0x1BC9D, 0x1BC9E, prCM, gcMn},   //     [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK
+	{0x1BC9F, 0x1BC9F, prBA, gcPo},   //         DUPLOYAN PUNCTUATION CHINOOK FULL STOP
+	{0x1BCA0, 0x1BCA3, prCM, gcCf},   //     [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP
+	{0x1CF00, 0x1CF2D, prCM, gcMn},   //    [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT
+	{0x1CF30, 0x1CF46, prCM, gcMn},   //    [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG
+	{0x1CF50, 0x1CFC3, prAL, gcSo},   //   [116] ZNAMENNY NEUME KRYUK..ZNAMENNY NEUME PAUK
+	{0x1D000, 0x1D0F5, prAL, gcSo},   //   [246] BYZANTINE MUSICAL SYMBOL PSILI..BYZANTINE MUSICAL SYMBOL GORGON NEO KATO
+	{0x1D100, 0x1D126, prAL, gcSo},   //    [39] MUSICAL SYMBOL SINGLE BARLINE..MUSICAL SYMBOL DRUM CLEF-2
+	{0x1D129, 0x1D164, prAL, gcSo},   //    [60] MUSICAL SYMBOL MULTIPLE MEASURE REST..MUSICAL SYMBOL ONE HUNDRED TWENTY-EIGHTH NOTE
+	{0x1D165, 0x1D166, prCM, gcMc},   //     [2] MUSICAL SYMBOL COMBINING STEM..MUSICAL SYMBOL COMBINING SPRECHGESANG STEM
+	{0x1D167, 0x1D169, prCM, gcMn},   //     [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3
+	{0x1D16A, 0x1D16C, prAL, gcSo},   //     [3] MUSICAL SYMBOL FINGERED TREMOLO-1..MUSICAL SYMBOL FINGERED TREMOLO-3
+	{0x1D16D, 0x1D172, prCM, gcMc},   //     [6] MUSICAL SYMBOL COMBINING AUGMENTATION DOT..MUSICAL SYMBOL COMBINING FLAG-5
+	{0x1D173, 0x1D17A, prCM, gcCf},   //     [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE
+	{0x1D17B, 0x1D182, prCM, gcMn},   //     [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE
+	{0x1D183, 0x1D184, prAL, gcSo},   //     [2] MUSICAL SYMBOL ARPEGGIATO UP..MUSICAL SYMBOL ARPEGGIATO DOWN
+	{0x1D185, 0x1D18B, prCM, gcMn},   //     [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE
+	{0x1D18C, 0x1D1A9, prAL, gcSo},   //    [30] MUSICAL SYMBOL RINFORZANDO..MUSICAL SYMBOL DEGREE SLASH
+	{0x1D1AA, 0x1D1AD, prCM, gcMn},   //     [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO
+	{0x1D1AE, 0x1D1EA, prAL, gcSo},   //    [61] MUSICAL SYMBOL PEDAL MARK..MUSICAL SYMBOL KORON
+	{0x1D200, 0x1D241, prAL, gcSo},   //    [66] GREEK VOCAL NOTATION SYMBOL-1..GREEK INSTRUMENTAL NOTATION SYMBOL-54
+	{0x1D242, 0x1D244, prCM, gcMn},   //     [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME
+	{0x1D245, 0x1D245, prAL, gcSo},   //         GREEK MUSICAL LEIMMA
+	{0x1D2C0, 0x1D2D3, prAL, gcNo},   //    [20] KAKTOVIK NUMERAL ZERO..KAKTOVIK NUMERAL NINETEEN
+	{0x1D2E0, 0x1D2F3, prAL, gcNo},   //    [20] MAYAN NUMERAL ZERO..MAYAN NUMERAL NINETEEN
+	{0x1D300, 0x1D356, prAL, gcSo},   //    [87] MONOGRAM FOR EARTH..TETRAGRAM FOR FOSTERING
+	{0x1D360, 0x1D378, prAL, gcNo},   //    [25] COUNTING ROD UNIT DIGIT ONE..TALLY MARK FIVE
+	{0x1D400, 0x1D454, prAL, gcLC},   //    [85] MATHEMATICAL BOLD CAPITAL A..MATHEMATICAL ITALIC SMALL G
+	{0x1D456, 0x1D49C, prAL, gcLC},   //    [71] MATHEMATICAL ITALIC SMALL I..MATHEMATICAL SCRIPT CAPITAL A
+	{0x1D49E, 0x1D49F, prAL, gcLu},   //     [2] MATHEMATICAL SCRIPT CAPITAL C..MATHEMATICAL SCRIPT CAPITAL D
+	{0x1D4A2, 0x1D4A2, prAL, gcLu},   //         MATHEMATICAL SCRIPT CAPITAL G
+	{0x1D4A5, 0x1D4A6, prAL, gcLu},   //     [2] MATHEMATICAL SCRIPT CAPITAL J..MATHEMATICAL SCRIPT CAPITAL K
+	{0x1D4A9, 0x1D4AC, prAL, gcLu},   //     [4] MATHEMATICAL SCRIPT CAPITAL N..MATHEMATICAL SCRIPT CAPITAL Q
+	{0x1D4AE, 0x1D4B9, prAL, gcLC},   //    [12] MATHEMATICAL SCRIPT CAPITAL S..MATHEMATICAL SCRIPT SMALL D
+	{0x1D4BB, 0x1D4BB, prAL, gcLl},   //         MATHEMATICAL SCRIPT SMALL F
+	{0x1D4BD, 0x1D4C3, prAL, gcLl},   //     [7] MATHEMATICAL SCRIPT SMALL H..MATHEMATICAL SCRIPT SMALL N
+	{0x1D4C5, 0x1D505, prAL, gcLC},   //    [65] MATHEMATICAL SCRIPT SMALL P..MATHEMATICAL FRAKTUR CAPITAL B
+	{0x1D507, 0x1D50A, prAL, gcLu},   //     [4] MATHEMATICAL FRAKTUR CAPITAL D..MATHEMATICAL FRAKTUR CAPITAL G
+	{0x1D50D, 0x1D514, prAL, gcLu},   //     [8] MATHEMATICAL FRAKTUR CAPITAL J..MATHEMATICAL FRAKTUR CAPITAL Q
+	{0x1D516, 0x1D51C, prAL, gcLu},   //     [7] MATHEMATICAL FRAKTUR CAPITAL S..MATHEMATICAL FRAKTUR CAPITAL Y
+	{0x1D51E, 0x1D539, prAL, gcLC},   //    [28] MATHEMATICAL FRAKTUR SMALL A..MATHEMATICAL DOUBLE-STRUCK CAPITAL B
+	{0x1D53B, 0x1D53E, prAL, gcLu},   //     [4] MATHEMATICAL DOUBLE-STRUCK CAPITAL D..MATHEMATICAL DOUBLE-STRUCK CAPITAL G
+	{0x1D540, 0x1D544, prAL, gcLu},   //     [5] MATHEMATICAL DOUBLE-STRUCK CAPITAL I..MATHEMATICAL DOUBLE-STRUCK CAPITAL M
+	{0x1D546, 0x1D546, prAL, gcLu},   //         MATHEMATICAL DOUBLE-STRUCK CAPITAL O
+	{0x1D54A, 0x1D550, prAL, gcLu},   //     [7] MATHEMATICAL DOUBLE-STRUCK CAPITAL S..MATHEMATICAL DOUBLE-STRUCK CAPITAL Y
+	{0x1D552, 0x1D6A5, prAL, gcLC},   //   [340] MATHEMATICAL DOUBLE-STRUCK SMALL A..MATHEMATICAL ITALIC SMALL DOTLESS J
+	{0x1D6A8, 0x1D6C0, prAL, gcLu},   //    [25] MATHEMATICAL BOLD CAPITAL ALPHA..MATHEMATICAL BOLD CAPITAL OMEGA
+	{0x1D6C1, 0x1D6C1, prAL, gcSm},   //         MATHEMATICAL BOLD NABLA
+	{0x1D6C2, 0x1D6DA, prAL, gcLl},   //    [25] MATHEMATICAL BOLD SMALL ALPHA..MATHEMATICAL BOLD SMALL OMEGA
+	{0x1D6DB, 0x1D6DB, prAL, gcSm},   //         MATHEMATICAL BOLD PARTIAL DIFFERENTIAL
+	{0x1D6DC, 0x1D6FA, prAL, gcLC},   //    [31] MATHEMATICAL BOLD EPSILON SYMBOL..MATHEMATICAL ITALIC CAPITAL OMEGA
+	{0x1D6FB, 0x1D6FB, prAL, gcSm},   //         MATHEMATICAL ITALIC NABLA
+	{0x1D6FC, 0x1D714, prAL, gcLl},   //    [25] MATHEMATICAL ITALIC SMALL ALPHA..MATHEMATICAL ITALIC SMALL OMEGA
+	{0x1D715, 0x1D715, prAL, gcSm},   //         MATHEMATICAL ITALIC PARTIAL DIFFERENTIAL
+	{0x1D716, 0x1D734, prAL, gcLC},   //    [31] MATHEMATICAL ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD ITALIC CAPITAL OMEGA
+	{0x1D735, 0x1D735, prAL, gcSm},   //         MATHEMATICAL BOLD ITALIC NABLA
+	{0x1D736, 0x1D74E, prAL, gcLl},   //    [25] MATHEMATICAL BOLD ITALIC SMALL ALPHA..MATHEMATICAL BOLD ITALIC SMALL OMEGA
+	{0x1D74F, 0x1D74F, prAL, gcSm},   //         MATHEMATICAL BOLD ITALIC PARTIAL DIFFERENTIAL
+	{0x1D750, 0x1D76E, prAL, gcLC},   //    [31] MATHEMATICAL BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD CAPITAL OMEGA
+	{0x1D76F, 0x1D76F, prAL, gcSm},   //         MATHEMATICAL SANS-SERIF BOLD NABLA
+	{0x1D770, 0x1D788, prAL, gcLl},   //    [25] MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD SMALL OMEGA
+	{0x1D789, 0x1D789, prAL, gcSm},   //         MATHEMATICAL SANS-SERIF BOLD PARTIAL DIFFERENTIAL
+	{0x1D78A, 0x1D7A8, prAL, gcLC},   //    [31] MATHEMATICAL SANS-SERIF BOLD EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL OMEGA
+	{0x1D7A9, 0x1D7A9, prAL, gcSm},   //         MATHEMATICAL SANS-SERIF BOLD ITALIC NABLA
+	{0x1D7AA, 0x1D7C2, prAL, gcLl},   //    [25] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL OMEGA
+	{0x1D7C3, 0x1D7C3, prAL, gcSm},   //         MATHEMATICAL SANS-SERIF BOLD ITALIC PARTIAL DIFFERENTIAL
+	{0x1D7C4, 0x1D7CB, prAL, gcLC},   //     [8] MATHEMATICAL SANS-SERIF BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD SMALL DIGAMMA
+	{0x1D7CE, 0x1D7FF, prNU, gcNd},   //    [50] MATHEMATICAL BOLD DIGIT ZERO..MATHEMATICAL MONOSPACE DIGIT NINE
+	{0x1D800, 0x1D9FF, prAL, gcSo},   //   [512] SIGNWRITING HAND-FIST INDEX..SIGNWRITING HEAD
+	{0x1DA00, 0x1DA36, prCM, gcMn},   //    [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN
+	{0x1DA37, 0x1DA3A, prAL, gcSo},   //     [4] SIGNWRITING AIR BLOW SMALL ROTATIONS..SIGNWRITING BREATH EXHALE
+	{0x1DA3B, 0x1DA6C, prCM, gcMn},   //    [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT
+	{0x1DA6D, 0x1DA74, prAL, gcSo},   //     [8] SIGNWRITING SHOULDER HIP SPINE..SIGNWRITING TORSO-FLOORPLANE TWISTING
+	{0x1DA75, 0x1DA75, prCM, gcMn},   //         SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS
+	{0x1DA76, 0x1DA83, prAL, gcSo},   //    [14] SIGNWRITING LIMB COMBINATION..SIGNWRITING LOCATION DEPTH
+	{0x1DA84, 0x1DA84, prCM, gcMn},   //         SIGNWRITING LOCATION HEAD NECK
+	{0x1DA85, 0x1DA86, prAL, gcSo},   //     [2] SIGNWRITING LOCATION TORSO..SIGNWRITING LOCATION LIMBS DIGITS
+	{0x1DA87, 0x1DA8A, prBA, gcPo},   //     [4] SIGNWRITING COMMA..SIGNWRITING COLON
+	{0x1DA8B, 0x1DA8B, prAL, gcPo},   //         SIGNWRITING PARENTHESIS
+	{0x1DA9B, 0x1DA9F, prCM, gcMn},   //     [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6
+	{0x1DAA1, 0x1DAAF, prCM, gcMn},   //    [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16
+	{0x1DF00, 0x1DF09, prAL, gcLl},   //    [10] LATIN SMALL LETTER FENG DIGRAPH WITH TRILL..LATIN SMALL LETTER T WITH HOOK AND RETROFLEX HOOK
+	{0x1DF0A, 0x1DF0A, prAL, gcLo},   //         LATIN LETTER RETROFLEX CLICK WITH RETROFLEX HOOK
+	{0x1DF0B, 0x1DF1E, prAL, gcLl},   //    [20] LATIN SMALL LETTER ESH WITH DOUBLE BAR..LATIN SMALL LETTER S WITH CURL
+	{0x1DF25, 0x1DF2A, prAL, gcLl},   //     [6] LATIN SMALL LETTER D WITH MID-HEIGHT LEFT HOOK..LATIN SMALL LETTER T WITH MID-HEIGHT LEFT HOOK
+	{0x1E000, 0x1E006, prCM, gcMn},   //     [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE
+	{0x1E008, 0x1E018, prCM, gcMn},   //    [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU
+	{0x1E01B, 0x1E021, prCM, gcMn},   //     [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI
+	{0x1E023, 0x1E024, prCM, gcMn},   //     [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS
+	{0x1E026, 0x1E02A, prCM, gcMn},   //     [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA
+	{0x1E030, 0x1E06D, prAL, gcLm},   //    [62] MODIFIER LETTER CYRILLIC SMALL A..MODIFIER LETTER CYRILLIC SMALL STRAIGHT U WITH STROKE
+	{0x1E08F, 0x1E08F, prCM, gcMn},   //         COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
+	{0x1E100, 0x1E12C, prAL, gcLo},   //    [45] NYIAKENG PUACHUE HMONG LETTER MA..NYIAKENG PUACHUE HMONG LETTER W
+	{0x1E130, 0x1E136, prCM, gcMn},   //     [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D
+	{0x1E137, 0x1E13D, prAL, gcLm},   //     [7] NYIAKENG PUACHUE HMONG SIGN FOR PERSON..NYIAKENG PUACHUE HMONG SYLLABLE LENGTHENER
+	{0x1E140, 0x1E149, prNU, gcNd},   //    [10] NYIAKENG PUACHUE HMONG DIGIT ZERO..NYIAKENG PUACHUE HMONG DIGIT NINE
+	{0x1E14E, 0x1E14E, prAL, gcLo},   //         NYIAKENG PUACHUE HMONG LOGOGRAM NYAJ
+	{0x1E14F, 0x1E14F, prAL, gcSo},   //         NYIAKENG PUACHUE HMONG CIRCLED CA
+	{0x1E290, 0x1E2AD, prAL, gcLo},   //    [30] TOTO LETTER PA..TOTO LETTER A
+	{0x1E2AE, 0x1E2AE, prCM, gcMn},   //         TOTO SIGN RISING TONE
+	{0x1E2C0, 0x1E2EB, prAL, gcLo},   //    [44] WANCHO LETTER AA..WANCHO LETTER YIH
+	{0x1E2EC, 0x1E2EF, prCM, gcMn},   //     [4] WANCHO TONE TUP..WANCHO TONE KOINI
+	{0x1E2F0, 0x1E2F9, prNU, gcNd},   //    [10] WANCHO DIGIT ZERO..WANCHO DIGIT NINE
+	{0x1E2FF, 0x1E2FF, prPR, gcSc},   //         WANCHO NGUN SIGN
+	{0x1E4D0, 0x1E4EA, prAL, gcLo},   //    [27] NAG MUNDARI LETTER O..NAG MUNDARI LETTER ELL
+	{0x1E4EB, 0x1E4EB, prAL, gcLm},   //         NAG MUNDARI SIGN OJOD
+	{0x1E4EC, 0x1E4EF, prCM, gcMn},   //     [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH
+	{0x1E4F0, 0x1E4F9, prNU, gcNd},   //    [10] NAG MUNDARI DIGIT ZERO..NAG MUNDARI DIGIT NINE
+	{0x1E7E0, 0x1E7E6, prAL, gcLo},   //     [7] ETHIOPIC SYLLABLE HHYA..ETHIOPIC SYLLABLE HHYO
+	{0x1E7E8, 0x1E7EB, prAL, gcLo},   //     [4] ETHIOPIC SYLLABLE GURAGE HHWA..ETHIOPIC SYLLABLE HHWE
+	{0x1E7ED, 0x1E7EE, prAL, gcLo},   //     [2] ETHIOPIC SYLLABLE GURAGE MWI..ETHIOPIC SYLLABLE GURAGE MWEE
+	{0x1E7F0, 0x1E7FE, prAL, gcLo},   //    [15] ETHIOPIC SYLLABLE GURAGE QWI..ETHIOPIC SYLLABLE GURAGE PWEE
+	{0x1E800, 0x1E8C4, prAL, gcLo},   //   [197] MENDE KIKAKUI SYLLABLE M001 KI..MENDE KIKAKUI SYLLABLE M060 NYON
+	{0x1E8C7, 0x1E8CF, prAL, gcNo},   //     [9] MENDE KIKAKUI DIGIT ONE..MENDE KIKAKUI DIGIT NINE
+	{0x1E8D0, 0x1E8D6, prCM, gcMn},   //     [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS
+	{0x1E900, 0x1E943, prAL, gcLC},   //    [68] ADLAM CAPITAL LETTER ALIF..ADLAM SMALL LETTER SHA
+	{0x1E944, 0x1E94A, prCM, gcMn},   //     [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA
+	{0x1E94B, 0x1E94B, prAL, gcLm},   //         ADLAM NASALIZATION MARK
+	{0x1E950, 0x1E959, prNU, gcNd},   //    [10] ADLAM DIGIT ZERO..ADLAM DIGIT NINE
+	{0x1E95E, 0x1E95F, prOP, gcPo},   //     [2] ADLAM INITIAL EXCLAMATION MARK..ADLAM INITIAL QUESTION MARK
+	{0x1EC71, 0x1ECAB, prAL, gcNo},   //    [59] INDIC SIYAQ NUMBER ONE..INDIC SIYAQ NUMBER PREFIXED NINE
+	{0x1ECAC, 0x1ECAC, prPO, gcSo},   //         INDIC SIYAQ PLACEHOLDER
+	{0x1ECAD, 0x1ECAF, prAL, gcNo},   //     [3] INDIC SIYAQ FRACTION ONE QUARTER..INDIC SIYAQ FRACTION THREE QUARTERS
+	{0x1ECB0, 0x1ECB0, prPO, gcSc},   //         INDIC SIYAQ RUPEE MARK
+	{0x1ECB1, 0x1ECB4, prAL, gcNo},   //     [4] INDIC SIYAQ NUMBER ALTERNATE ONE..INDIC SIYAQ ALTERNATE LAKH MARK
+	{0x1ED01, 0x1ED2D, prAL, gcNo},   //    [45] OTTOMAN SIYAQ NUMBER ONE..OTTOMAN SIYAQ NUMBER NINETY THOUSAND
+	{0x1ED2E, 0x1ED2E, prAL, gcSo},   //         OTTOMAN SIYAQ MARRATAN
+	{0x1ED2F, 0x1ED3D, prAL, gcNo},   //    [15] OTTOMAN SIYAQ ALTERNATE NUMBER TWO..OTTOMAN SIYAQ FRACTION ONE SIXTH
+	{0x1EE00, 0x1EE03, prAL, gcLo},   //     [4] ARABIC MATHEMATICAL ALEF..ARABIC MATHEMATICAL DAL
+	{0x1EE05, 0x1EE1F, prAL, gcLo},   //    [27] ARABIC MATHEMATICAL WAW..ARABIC MATHEMATICAL DOTLESS QAF
+	{0x1EE21, 0x1EE22, prAL, gcLo},   //     [2] ARABIC MATHEMATICAL INITIAL BEH..ARABIC MATHEMATICAL INITIAL JEEM
+	{0x1EE24, 0x1EE24, prAL, gcLo},   //         ARABIC MATHEMATICAL INITIAL HEH
+	{0x1EE27, 0x1EE27, prAL, gcLo},   //         ARABIC MATHEMATICAL INITIAL HAH
+	{0x1EE29, 0x1EE32, prAL, gcLo},   //    [10] ARABIC MATHEMATICAL INITIAL YEH..ARABIC MATHEMATICAL INITIAL QAF
+	{0x1EE34, 0x1EE37, prAL, gcLo},   //     [4] ARABIC MATHEMATICAL INITIAL SHEEN..ARABIC MATHEMATICAL INITIAL KHAH
+	{0x1EE39, 0x1EE39, prAL, gcLo},   //         ARABIC MATHEMATICAL INITIAL DAD
+	{0x1EE3B, 0x1EE3B, prAL, gcLo},   //         ARABIC MATHEMATICAL INITIAL GHAIN
+	{0x1EE42, 0x1EE42, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED JEEM
+	{0x1EE47, 0x1EE47, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED HAH
+	{0x1EE49, 0x1EE49, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED YEH
+	{0x1EE4B, 0x1EE4B, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED LAM
+	{0x1EE4D, 0x1EE4F, prAL, gcLo},   //     [3] ARABIC MATHEMATICAL TAILED NOON..ARABIC MATHEMATICAL TAILED AIN
+	{0x1EE51, 0x1EE52, prAL, gcLo},   //     [2] ARABIC MATHEMATICAL TAILED SAD..ARABIC MATHEMATICAL TAILED QAF
+	{0x1EE54, 0x1EE54, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED SHEEN
+	{0x1EE57, 0x1EE57, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED KHAH
+	{0x1EE59, 0x1EE59, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED DAD
+	{0x1EE5B, 0x1EE5B, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED GHAIN
+	{0x1EE5D, 0x1EE5D, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED DOTLESS NOON
+	{0x1EE5F, 0x1EE5F, prAL, gcLo},   //         ARABIC MATHEMATICAL TAILED DOTLESS QAF
+	{0x1EE61, 0x1EE62, prAL, gcLo},   //     [2] ARABIC MATHEMATICAL STRETCHED BEH..ARABIC MATHEMATICAL STRETCHED JEEM
+	{0x1EE64, 0x1EE64, prAL, gcLo},   //         ARABIC MATHEMATICAL STRETCHED HEH
+	{0x1EE67, 0x1EE6A, prAL, gcLo},   //     [4] ARABIC MATHEMATICAL STRETCHED HAH..ARABIC MATHEMATICAL STRETCHED KAF
+	{0x1EE6C, 0x1EE72, prAL, gcLo},   //     [7] ARABIC MATHEMATICAL STRETCHED MEEM..ARABIC MATHEMATICAL STRETCHED QAF
+	{0x1EE74, 0x1EE77, prAL, gcLo},   //     [4] ARABIC MATHEMATICAL STRETCHED SHEEN..ARABIC MATHEMATICAL STRETCHED KHAH
+	{0x1EE79, 0x1EE7C, prAL, gcLo},   //     [4] ARABIC MATHEMATICAL STRETCHED DAD..ARABIC MATHEMATICAL STRETCHED DOTLESS BEH
+	{0x1EE7E, 0x1EE7E, prAL, gcLo},   //         ARABIC MATHEMATICAL STRETCHED DOTLESS FEH
+	{0x1EE80, 0x1EE89, prAL, gcLo},   //    [10] ARABIC MATHEMATICAL LOOPED ALEF..ARABIC MATHEMATICAL LOOPED YEH
+	{0x1EE8B, 0x1EE9B, prAL, gcLo},   //    [17] ARABIC MATHEMATICAL LOOPED LAM..ARABIC MATHEMATICAL LOOPED GHAIN
+	{0x1EEA1, 0x1EEA3, prAL, gcLo},   //     [3] ARABIC MATHEMATICAL DOUBLE-STRUCK BEH..ARABIC MATHEMATICAL DOUBLE-STRUCK DAL
+	{0x1EEA5, 0x1EEA9, prAL, gcLo},   //     [5] ARABIC MATHEMATICAL DOUBLE-STRUCK WAW..ARABIC MATHEMATICAL DOUBLE-STRUCK YEH
+	{0x1EEAB, 0x1EEBB, prAL, gcLo},   //    [17] ARABIC MATHEMATICAL DOUBLE-STRUCK LAM..ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN
+	{0x1EEF0, 0x1EEF1, prAL, gcSm},   //     [2] ARABIC MATHEMATICAL OPERATOR MEEM WITH HAH WITH TATWEEL..ARABIC MATHEMATICAL OPERATOR HAH WITH DAL
+	{0x1F000, 0x1F02B, prID, gcSo},   //    [44] MAHJONG TILE EAST WIND..MAHJONG TILE BACK
+	{0x1F02C, 0x1F02F, prID, gcCn},   //     [4] <reserved-1F02C>..<reserved-1F02F>
+	{0x1F030, 0x1F093, prID, gcSo},   //   [100] DOMINO TILE HORIZONTAL BACK..DOMINO TILE VERTICAL-06-06
+	{0x1F094, 0x1F09F, prID, gcCn},   //    [12] <reserved-1F094>..<reserved-1F09F>
+	{0x1F0A0, 0x1F0AE, prID, gcSo},   //    [15] PLAYING CARD BACK..PLAYING CARD KING OF SPADES
+	{0x1F0AF, 0x1F0B0, prID, gcCn},   //     [2] <reserved-1F0AF>..<reserved-1F0B0>
+	{0x1F0B1, 0x1F0BF, prID, gcSo},   //    [15] PLAYING CARD ACE OF HEARTS..PLAYING CARD RED JOKER
+	{0x1F0C0, 0x1F0C0, prID, gcCn},   //         <reserved-1F0C0>
+	{0x1F0C1, 0x1F0CF, prID, gcSo},   //    [15] PLAYING CARD ACE OF DIAMONDS..PLAYING CARD BLACK JOKER
+	{0x1F0D0, 0x1F0D0, prID, gcCn},   //         <reserved-1F0D0>
+	{0x1F0D1, 0x1F0F5, prID, gcSo},   //    [37] PLAYING CARD ACE OF CLUBS..PLAYING CARD TRUMP-21
+	{0x1F0F6, 0x1F0FF, prID, gcCn},   //    [10] <reserved-1F0F6>..<reserved-1F0FF>
+	{0x1F100, 0x1F10C, prAI, gcNo},   //    [13] DIGIT ZERO FULL STOP..DINGBAT NEGATIVE CIRCLED SANS-SERIF DIGIT ZERO
+	{0x1F10D, 0x1F10F, prID, gcSo},   //     [3] CIRCLED ZERO WITH SLASH..CIRCLED DOLLAR SIGN WITH OVERLAID BACKSLASH
+	{0x1F110, 0x1F12D, prAI, gcSo},   //    [30] PARENTHESIZED LATIN CAPITAL LETTER A..CIRCLED CD
+	{0x1F12E, 0x1F12F, prAL, gcSo},   //     [2] CIRCLED WZ..COPYLEFT SYMBOL
+	{0x1F130, 0x1F169, prAI, gcSo},   //    [58] SQUARED LATIN CAPITAL LETTER A..NEGATIVE CIRCLED LATIN CAPITAL LETTER Z
+	{0x1F16A, 0x1F16C, prAL, gcSo},   //     [3] RAISED MC SIGN..RAISED MR SIGN
+	{0x1F16D, 0x1F16F, prID, gcSo},   //     [3] CIRCLED CC..CIRCLED HUMAN FIGURE
+	{0x1F170, 0x1F1AC, prAI, gcSo},   //    [61] NEGATIVE SQUARED LATIN CAPITAL LETTER A..SQUARED VOD
+	{0x1F1AD, 0x1F1AD, prID, gcSo},   //         MASK WORK SYMBOL
+	{0x1F1AE, 0x1F1E5, prID, gcCn},   //    [56] <reserved-1F1AE>..<reserved-1F1E5>
+	{0x1F1E6, 0x1F1FF, prRI, gcSo},   //    [26] REGIONAL INDICATOR SYMBOL LETTER A..REGIONAL INDICATOR SYMBOL LETTER Z
+	{0x1F200, 0x1F202, prID, gcSo},   //     [3] SQUARE HIRAGANA HOKA..SQUARED KATAKANA SA
+	{0x1F203, 0x1F20F, prID, gcCn},   //    [13] <reserved-1F203>..<reserved-1F20F>
+	{0x1F210, 0x1F23B, prID, gcSo},   //    [44] SQUARED CJK UNIFIED IDEOGRAPH-624B..SQUARED CJK UNIFIED IDEOGRAPH-914D
+	{0x1F23C, 0x1F23F, prID, gcCn},   //     [4] <reserved-1F23C>..<reserved-1F23F>
+	{0x1F240, 0x1F248, prID, gcSo},   //     [9] TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-672C..TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-6557
+	{0x1F249, 0x1F24F, prID, gcCn},   //     [7] <reserved-1F249>..<reserved-1F24F>
+	{0x1F250, 0x1F251, prID, gcSo},   //     [2] CIRCLED IDEOGRAPH ADVANTAGE..CIRCLED IDEOGRAPH ACCEPT
+	{0x1F252, 0x1F25F, prID, gcCn},   //    [14] <reserved-1F252>..<reserved-1F25F>
+	{0x1F260, 0x1F265, prID, gcSo},   //     [6] ROUNDED SYMBOL FOR FU..ROUNDED SYMBOL FOR CAI
+	{0x1F266, 0x1F2FF, prID, gcCn},   //   [154] <reserved-1F266>..<reserved-1F2FF>
+	{0x1F300, 0x1F384, prID, gcSo},   //   [133] CYCLONE..CHRISTMAS TREE
+	{0x1F385, 0x1F385, prEB, gcSo},   //         FATHER CHRISTMAS
+	{0x1F386, 0x1F39B, prID, gcSo},   //    [22] FIREWORKS..CONTROL KNOBS
+	{0x1F39C, 0x1F39D, prAL, gcSo},   //     [2] BEAMED ASCENDING MUSICAL NOTES..BEAMED DESCENDING MUSICAL NOTES
+	{0x1F39E, 0x1F3B4, prID, gcSo},   //    [23] FILM FRAMES..FLOWER PLAYING CARDS
+	{0x1F3B5, 0x1F3B6, prAL, gcSo},   //     [2] MUSICAL NOTE..MULTIPLE MUSICAL NOTES
+	{0x1F3B7, 0x1F3BB, prID, gcSo},   //     [5] SAXOPHONE..VIOLIN
+	{0x1F3BC, 0x1F3BC, prAL, gcSo},   //         MUSICAL SCORE
+	{0x1F3BD, 0x1F3C1, prID, gcSo},   //     [5] RUNNING SHIRT WITH SASH..CHEQUERED FLAG
+	{0x1F3C2, 0x1F3C4, prEB, gcSo},   //     [3] SNOWBOARDER..SURFER
+	{0x1F3C5, 0x1F3C6, prID, gcSo},   //     [2] SPORTS MEDAL..TROPHY
+	{0x1F3C7, 0x1F3C7, prEB, gcSo},   //         HORSE RACING
+	{0x1F3C8, 0x1F3C9, prID, gcSo},   //     [2] AMERICAN FOOTBALL..RUGBY FOOTBALL
+	{0x1F3CA, 0x1F3CC, prEB, gcSo},   //     [3] SWIMMER..GOLFER
+	{0x1F3CD, 0x1F3FA, prID, gcSo},   //    [46] RACING MOTORCYCLE..AMPHORA
+	{0x1F3FB, 0x1F3FF, prEM, gcSk},   //     [5] EMOJI MODIFIER FITZPATRICK TYPE-1-2..EMOJI MODIFIER FITZPATRICK TYPE-6
+	{0x1F400, 0x1F441, prID, gcSo},   //    [66] RAT..EYE
+	{0x1F442, 0x1F443, prEB, gcSo},   //     [2] EAR..NOSE
+	{0x1F444, 0x1F445, prID, gcSo},   //     [2] MOUTH..TONGUE
+	{0x1F446, 0x1F450, prEB, gcSo},   //    [11] WHITE UP POINTING BACKHAND INDEX..OPEN HANDS SIGN
+	{0x1F451, 0x1F465, prID, gcSo},   //    [21] CROWN..BUSTS IN SILHOUETTE
+	{0x1F466, 0x1F478, prEB, gcSo},   //    [19] BOY..PRINCESS
+	{0x1F479, 0x1F47B, prID, gcSo},   //     [3] JAPANESE OGRE..GHOST
+	{0x1F47C, 0x1F47C, prEB, gcSo},   //         BABY ANGEL
+	{0x1F47D, 0x1F480, prID, gcSo},   //     [4] EXTRATERRESTRIAL ALIEN..SKULL
+	{0x1F481, 0x1F483, prEB, gcSo},   //     [3] INFORMATION DESK PERSON..DANCER
+	{0x1F484, 0x1F484, prID, gcSo},   //         LIPSTICK
+	{0x1F485, 0x1F487, prEB, gcSo},   //     [3] NAIL POLISH..HAIRCUT
+	{0x1F488, 0x1F48E, prID, gcSo},   //     [7] BARBER POLE..GEM STONE
+	{0x1F48F, 0x1F48F, prEB, gcSo},   //         KISS
+	{0x1F490, 0x1F490, prID, gcSo},   //         BOUQUET
+	{0x1F491, 0x1F491, prEB, gcSo},   //         COUPLE WITH HEART
+	{0x1F492, 0x1F49F, prID, gcSo},   //    [14] WEDDING..HEART DECORATION
+	{0x1F4A0, 0x1F4A0, prAL, gcSo},   //         DIAMOND SHAPE WITH A DOT INSIDE
+	{0x1F4A1, 0x1F4A1, prID, gcSo},   //         ELECTRIC LIGHT BULB
+	{0x1F4A2, 0x1F4A2, prAL, gcSo},   //         ANGER SYMBOL
+	{0x1F4A3, 0x1F4A3, prID, gcSo},   //         BOMB
+	{0x1F4A4, 0x1F4A4, prAL, gcSo},   //         SLEEPING SYMBOL
+	{0x1F4A5, 0x1F4A9, prID, gcSo},   //     [5] COLLISION SYMBOL..PILE OF POO
+	{0x1F4AA, 0x1F4AA, prEB, gcSo},   //         FLEXED BICEPS
+	{0x1F4AB, 0x1F4AE, prID, gcSo},   //     [4] DIZZY SYMBOL..WHITE FLOWER
+	{0x1F4AF, 0x1F4AF, prAL, gcSo},   //         HUNDRED POINTS SYMBOL
+	{0x1F4B0, 0x1F4B0, prID, gcSo},   //         MONEY BAG
+	{0x1F4B1, 0x1F4B2, prAL, gcSo},   //     [2] CURRENCY EXCHANGE..HEAVY DOLLAR SIGN
+	{0x1F4B3, 0x1F4FF, prID, gcSo},   //    [77] CREDIT CARD..PRAYER BEADS
+	{0x1F500, 0x1F506, prAL, gcSo},   //     [7] TWISTED RIGHTWARDS ARROWS..HIGH BRIGHTNESS SYMBOL
+	{0x1F507, 0x1F516, prID, gcSo},   //    [16] SPEAKER WITH CANCELLATION STROKE..BOOKMARK
+	{0x1F517, 0x1F524, prAL, gcSo},   //    [14] LINK SYMBOL..INPUT SYMBOL FOR LATIN LETTERS
+	{0x1F525, 0x1F531, prID, gcSo},   //    [13] FIRE..TRIDENT EMBLEM
+	{0x1F532, 0x1F549, prAL, gcSo},   //    [24] BLACK SQUARE BUTTON..OM SYMBOL
+	{0x1F54A, 0x1F573, prID, gcSo},   //    [42] DOVE OF PEACE..HOLE
+	{0x1F574, 0x1F575, prEB, gcSo},   //     [2] MAN IN BUSINESS SUIT LEVITATING..SLEUTH OR SPY
+	{0x1F576, 0x1F579, prID, gcSo},   //     [4] DARK SUNGLASSES..JOYSTICK
+	{0x1F57A, 0x1F57A, prEB, gcSo},   //         MAN DANCING
+	{0x1F57B, 0x1F58F, prID, gcSo},   //    [21] LEFT HAND TELEPHONE RECEIVER..TURNED OK HAND SIGN
+	{0x1F590, 0x1F590, prEB, gcSo},   //         RAISED HAND WITH FINGERS SPLAYED
+	{0x1F591, 0x1F594, prID, gcSo},   //     [4] REVERSED RAISED HAND WITH FINGERS SPLAYED..REVERSED VICTORY HAND
+	{0x1F595, 0x1F596, prEB, gcSo},   //     [2] REVERSED HAND WITH MIDDLE FINGER EXTENDED..RAISED HAND WITH PART BETWEEN MIDDLE AND RING FINGERS
+	{0x1F597, 0x1F5D3, prID, gcSo},   //    [61] WHITE DOWN POINTING LEFT HAND INDEX..SPIRAL CALENDAR PAD
+	{0x1F5D4, 0x1F5DB, prAL, gcSo},   //     [8] DESKTOP WINDOW..DECREASE FONT SIZE SYMBOL
+	{0x1F5DC, 0x1F5F3, prID, gcSo},   //    [24] COMPRESSION..BALLOT BOX WITH BALLOT
+	{0x1F5F4, 0x1F5F9, prAL, gcSo},   //     [6] BALLOT SCRIPT X..BALLOT BOX WITH BOLD CHECK
+	{0x1F5FA, 0x1F5FF, prID, gcSo},   //     [6] WORLD MAP..MOYAI
+	{0x1F600, 0x1F644, prID, gcSo},   //    [69] GRINNING FACE..FACE WITH ROLLING EYES
+	{0x1F645, 0x1F647, prEB, gcSo},   //     [3] FACE WITH NO GOOD GESTURE..PERSON BOWING DEEPLY
+	{0x1F648, 0x1F64A, prID, gcSo},   //     [3] SEE-NO-EVIL MONKEY..SPEAK-NO-EVIL MONKEY
+	{0x1F64B, 0x1F64F, prEB, gcSo},   //     [5] HAPPY PERSON RAISING ONE HAND..PERSON WITH FOLDED HANDS
+	{0x1F650, 0x1F675, prAL, gcSo},   //    [38] NORTH WEST POINTING LEAF..SWASH AMPERSAND ORNAMENT
+	{0x1F676, 0x1F678, prQU, gcSo},   //     [3] SANS-SERIF HEAVY DOUBLE TURNED COMMA QUOTATION MARK ORNAMENT..SANS-SERIF HEAVY LOW DOUBLE COMMA QUOTATION MARK ORNAMENT
+	{0x1F679, 0x1F67B, prNS, gcSo},   //     [3] HEAVY INTERROBANG ORNAMENT..HEAVY SANS-SERIF INTERROBANG ORNAMENT
+	{0x1F67C, 0x1F67F, prAL, gcSo},   //     [4] VERY HEAVY SOLIDUS..REVERSE CHECKER BOARD
+	{0x1F680, 0x1F6A2, prID, gcSo},   //    [35] ROCKET..SHIP
+	{0x1F6A3, 0x1F6A3, prEB, gcSo},   //         ROWBOAT
+	{0x1F6A4, 0x1F6B3, prID, gcSo},   //    [16] SPEEDBOAT..NO BICYCLES
+	{0x1F6B4, 0x1F6B6, prEB, gcSo},   //     [3] BICYCLIST..PEDESTRIAN
+	{0x1F6B7, 0x1F6BF, prID, gcSo},   //     [9] NO PEDESTRIANS..SHOWER
+	{0x1F6C0, 0x1F6C0, prEB, gcSo},   //         BATH
+	{0x1F6C1, 0x1F6CB, prID, gcSo},   //    [11] BATHTUB..COUCH AND LAMP
+	{0x1F6CC, 0x1F6CC, prEB, gcSo},   //         SLEEPING ACCOMMODATION
+	{0x1F6CD, 0x1F6D7, prID, gcSo},   //    [11] SHOPPING BAGS..ELEVATOR
+	{0x1F6D8, 0x1F6DB, prID, gcCn},   //     [4] <reserved-1F6D8>..<reserved-1F6DB>
+	{0x1F6DC, 0x1F6EC, prID, gcSo},   //    [17] WIRELESS..AIRPLANE ARRIVING
+	{0x1F6ED, 0x1F6EF, prID, gcCn},   //     [3] <reserved-1F6ED>..<reserved-1F6EF>
+	{0x1F6F0, 0x1F6FC, prID, gcSo},   //    [13] SATELLITE..ROLLER SKATE
+	{0x1F6FD, 0x1F6FF, prID, gcCn},   //     [3] <reserved-1F6FD>..<reserved-1F6FF>
+	{0x1F700, 0x1F773, prAL, gcSo},   //   [116] ALCHEMICAL SYMBOL FOR QUINTESSENCE..ALCHEMICAL SYMBOL FOR HALF OUNCE
+	{0x1F774, 0x1F776, prID, gcSo},   //     [3] LOT OF FORTUNE..LUNAR ECLIPSE
+	{0x1F777, 0x1F77A, prID, gcCn},   //     [4] <reserved-1F777>..<reserved-1F77A>
+	{0x1F77B, 0x1F77F, prID, gcSo},   //     [5] HAUMEA..ORCUS
+	{0x1F780, 0x1F7D4, prAL, gcSo},   //    [85] BLACK LEFT-POINTING ISOSCELES RIGHT TRIANGLE..HEAVY TWELVE POINTED PINWHEEL STAR
+	{0x1F7D5, 0x1F7D9, prID, gcSo},   //     [5] CIRCLED TRIANGLE..NINE POINTED WHITE STAR
+	{0x1F7DA, 0x1F7DF, prID, gcCn},   //     [6] <reserved-1F7DA>..<reserved-1F7DF>
+	{0x1F7E0, 0x1F7EB, prID, gcSo},   //    [12] LARGE ORANGE CIRCLE..LARGE BROWN SQUARE
+	{0x1F7EC, 0x1F7EF, prID, gcCn},   //     [4] <reserved-1F7EC>..<reserved-1F7EF>
+	{0x1F7F0, 0x1F7F0, prID, gcSo},   //         HEAVY EQUALS SIGN
+	{0x1F7F1, 0x1F7FF, prID, gcCn},   //    [15] <reserved-1F7F1>..<reserved-1F7FF>
+	{0x1F800, 0x1F80B, prAL, gcSo},   //    [12] LEFTWARDS ARROW WITH SMALL TRIANGLE ARROWHEAD..DOWNWARDS ARROW WITH LARGE TRIANGLE ARROWHEAD
+	{0x1F80C, 0x1F80F, prID, gcCn},   //     [4] <reserved-1F80C>..<reserved-1F80F>
+	{0x1F810, 0x1F847, prAL, gcSo},   //    [56] LEFTWARDS ARROW WITH SMALL EQUILATERAL ARROWHEAD..DOWNWARDS HEAVY ARROW
+	{0x1F848, 0x1F84F, prID, gcCn},   //     [8] <reserved-1F848>..<reserved-1F84F>
+	{0x1F850, 0x1F859, prAL, gcSo},   //    [10] LEFTWARDS SANS-SERIF ARROW..UP DOWN SANS-SERIF ARROW
+	{0x1F85A, 0x1F85F, prID, gcCn},   //     [6] <reserved-1F85A>..<reserved-1F85F>
+	{0x1F860, 0x1F887, prAL, gcSo},   //    [40] WIDE-HEADED LEFTWARDS LIGHT BARB ARROW..WIDE-HEADED SOUTH WEST VERY HEAVY BARB ARROW
+	{0x1F888, 0x1F88F, prID, gcCn},   //     [8] <reserved-1F888>..<reserved-1F88F>
+	{0x1F890, 0x1F8AD, prAL, gcSo},   //    [30] LEFTWARDS TRIANGLE ARROWHEAD..WHITE ARROW SHAFT WIDTH TWO THIRDS
+	{0x1F8AE, 0x1F8AF, prID, gcCn},   //     [2] <reserved-1F8AE>..<reserved-1F8AF>
+	{0x1F8B0, 0x1F8B1, prID, gcSo},   //     [2] ARROW POINTING UPWARDS THEN NORTH WEST..ARROW POINTING RIGHTWARDS THEN CURVING SOUTH WEST
+	{0x1F8B2, 0x1F8FF, prID, gcCn},   //    [78] <reserved-1F8B2>..<reserved-1F8FF>
+	{0x1F900, 0x1F90B, prAL, gcSo},   //    [12] CIRCLED CROSS FORMEE WITH FOUR DOTS..DOWNWARD FACING NOTCHED HOOK WITH DOT
+	{0x1F90C, 0x1F90C, prEB, gcSo},   //         PINCHED FINGERS
+	{0x1F90D, 0x1F90E, prID, gcSo},   //     [2] WHITE HEART..BROWN HEART
+	{0x1F90F, 0x1F90F, prEB, gcSo},   //         PINCHING HAND
+	{0x1F910, 0x1F917, prID, gcSo},   //     [8] ZIPPER-MOUTH FACE..HUGGING FACE
+	{0x1F918, 0x1F91F, prEB, gcSo},   //     [8] SIGN OF THE HORNS..I LOVE YOU HAND SIGN
+	{0x1F920, 0x1F925, prID, gcSo},   //     [6] FACE WITH COWBOY HAT..LYING FACE
+	{0x1F926, 0x1F926, prEB, gcSo},   //         FACE PALM
+	{0x1F927, 0x1F92F, prID, gcSo},   //     [9] SNEEZING FACE..SHOCKED FACE WITH EXPLODING HEAD
+	{0x1F930, 0x1F939, prEB, gcSo},   //    [10] PREGNANT WOMAN..JUGGLING
+	{0x1F93A, 0x1F93B, prID, gcSo},   //     [2] FENCER..MODERN PENTATHLON
+	{0x1F93C, 0x1F93E, prEB, gcSo},   //     [3] WRESTLERS..HANDBALL
+	{0x1F93F, 0x1F976, prID, gcSo},   //    [56] DIVING MASK..FREEZING FACE
+	{0x1F977, 0x1F977, prEB, gcSo},   //         NINJA
+	{0x1F978, 0x1F9B4, prID, gcSo},   //    [61] DISGUISED FACE..BONE
+	{0x1F9B5, 0x1F9B6, prEB, gcSo},   //     [2] LEG..FOOT
+	{0x1F9B7, 0x1F9B7, prID, gcSo},   //         TOOTH
+	{0x1F9B8, 0x1F9B9, prEB, gcSo},   //     [2] SUPERHERO..SUPERVILLAIN
+	{0x1F9BA, 0x1F9BA, prID, gcSo},   //         SAFETY VEST
+	{0x1F9BB, 0x1F9BB, prEB, gcSo},   //         EAR WITH HEARING AID
+	{0x1F9BC, 0x1F9CC, prID, gcSo},   //    [17] MOTORIZED WHEELCHAIR..TROLL
+	{0x1F9CD, 0x1F9CF, prEB, gcSo},   //     [3] STANDING PERSON..DEAF PERSON
+	{0x1F9D0, 0x1F9D0, prID, gcSo},   //         FACE WITH MONOCLE
+	{0x1F9D1, 0x1F9DD, prEB, gcSo},   //    [13] ADULT..ELF
+	{0x1F9DE, 0x1F9FF, prID, gcSo},   //    [34] GENIE..NAZAR AMULET
+	{0x1FA00, 0x1FA53, prAL, gcSo},   //    [84] NEUTRAL CHESS KING..BLACK CHESS KNIGHT-BISHOP
+	{0x1FA54, 0x1FA5F, prID, gcCn},   //    [12] <reserved-1FA54>..<reserved-1FA5F>
+	{0x1FA60, 0x1FA6D, prID, gcSo},   //    [14] XIANGQI RED GENERAL..XIANGQI BLACK SOLDIER
+	{0x1FA6E, 0x1FA6F, prID, gcCn},   //     [2] <reserved-1FA6E>..<reserved-1FA6F>
+	{0x1FA70, 0x1FA7C, prID, gcSo},   //    [13] BALLET SHOES..CRUTCH
+	{0x1FA7D, 0x1FA7F, prID, gcCn},   //     [3] <reserved-1FA7D>..<reserved-1FA7F>
+	{0x1FA80, 0x1FA88, prID, gcSo},   //     [9] YO-YO..FLUTE
+	{0x1FA89, 0x1FA8F, prID, gcCn},   //     [7] <reserved-1FA89>..<reserved-1FA8F>
+	{0x1FA90, 0x1FABD, prID, gcSo},   //    [46] RINGED PLANET..WING
+	{0x1FABE, 0x1FABE, prID, gcCn},   //         <reserved-1FABE>
+	{0x1FABF, 0x1FAC2, prID, gcSo},   //     [4] GOOSE..PEOPLE HUGGING
+	{0x1FAC3, 0x1FAC5, prEB, gcSo},   //     [3] PREGNANT MAN..PERSON WITH CROWN
+	{0x1FAC6, 0x1FACD, prID, gcCn},   //     [8] <reserved-1FAC6>..<reserved-1FACD>
+	{0x1FACE, 0x1FADB, prID, gcSo},   //    [14] MOOSE..PEA POD
+	{0x1FADC, 0x1FADF, prID, gcCn},   //     [4] <reserved-1FADC>..<reserved-1FADF>
+	{0x1FAE0, 0x1FAE8, prID, gcSo},   //     [9] MELTING FACE..SHAKING FACE
+	{0x1FAE9, 0x1FAEF, prID, gcCn},   //     [7] <reserved-1FAE9>..<reserved-1FAEF>
+	{0x1FAF0, 0x1FAF8, prEB, gcSo},   //     [9] HAND WITH INDEX FINGER AND THUMB CROSSED..RIGHTWARDS PUSHING HAND
+	{0x1FAF9, 0x1FAFF, prID, gcCn},   //     [7] <reserved-1FAF9>..<reserved-1FAFF>
+	{0x1FB00, 0x1FB92, prAL, gcSo},   //   [147] BLOCK SEXTANT-1..UPPER HALF INVERSE MEDIUM SHADE AND LOWER HALF BLOCK
+	{0x1FB94, 0x1FBCA, prAL, gcSo},   //    [55] LEFT HALF INVERSE MEDIUM SHADE AND RIGHT HALF BLOCK..WHITE UP-POINTING CHEVRON
+	{0x1FBF0, 0x1FBF9, prNU, gcNd},   //    [10] SEGMENTED DIGIT ZERO..SEGMENTED DIGIT NINE
+	{0x1FC00, 0x1FFFD, prID, gcCn},   //  [1022] <reserved-1FC00>..<reserved-1FFFD>
+	{0x20000, 0x2A6DF, prID, gcLo},   // [42720] CJK UNIFIED IDEOGRAPH-20000..CJK UNIFIED IDEOGRAPH-2A6DF
+	{0x2A6E0, 0x2A6FF, prID, gcCn},   //    [32] <reserved-2A6E0>..<reserved-2A6FF>
+	{0x2A700, 0x2B739, prID, gcLo},   //  [4154] CJK UNIFIED IDEOGRAPH-2A700..CJK UNIFIED IDEOGRAPH-2B739
+	{0x2B73A, 0x2B73F, prID, gcCn},   //     [6] <reserved-2B73A>..<reserved-2B73F>
+	{0x2B740, 0x2B81D, prID, gcLo},   //   [222] CJK UNIFIED IDEOGRAPH-2B740..CJK UNIFIED IDEOGRAPH-2B81D
+	{0x2B81E, 0x2B81F, prID, gcCn},   //     [2] <reserved-2B81E>..<reserved-2B81F>
+	{0x2B820, 0x2CEA1, prID, gcLo},   //  [5762] CJK UNIFIED IDEOGRAPH-2B820..CJK UNIFIED IDEOGRAPH-2CEA1
+	{0x2CEA2, 0x2CEAF, prID, gcCn},   //    [14] <reserved-2CEA2>..<reserved-2CEAF>
+	{0x2CEB0, 0x2EBE0, prID, gcLo},   //  [7473] CJK UNIFIED IDEOGRAPH-2CEB0..CJK UNIFIED IDEOGRAPH-2EBE0
+	{0x2EBE1, 0x2F7FF, prID, gcCn},   //  [3103] <reserved-2EBE1>..<reserved-2F7FF>
+	{0x2F800, 0x2FA1D, prID, gcLo},   //   [542] CJK COMPATIBILITY IDEOGRAPH-2F800..CJK COMPATIBILITY IDEOGRAPH-2FA1D
+	{0x2FA1E, 0x2FA1F, prID, gcCn},   //     [2] <reserved-2FA1E>..<reserved-2FA1F>
+	{0x2FA20, 0x2FFFD, prID, gcCn},   //  [1502] <reserved-2FA20>..<reserved-2FFFD>
+	{0x30000, 0x3134A, prID, gcLo},   //  [4939] CJK UNIFIED IDEOGRAPH-30000..CJK UNIFIED IDEOGRAPH-3134A
+	{0x3134B, 0x3134F, prID, gcCn},   //     [5] <reserved-3134B>..<reserved-3134F>
+	{0x31350, 0x323AF, prID, gcLo},   //  [4192] CJK UNIFIED IDEOGRAPH-31350..CJK UNIFIED IDEOGRAPH-323AF
+	{0x323B0, 0x3FFFD, prID, gcCn},   // [56398] <reserved-323B0>..<reserved-3FFFD>
+	{0xE0001, 0xE0001, prCM, gcCf},   //         LANGUAGE TAG
+	{0xE0020, 0xE007F, prCM, gcCf},   //    [96] TAG SPACE..CANCEL TAG
+	{0xE0100, 0xE01EF, prCM, gcMn},   //   [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256
+	{0xF0000, 0xFFFFD, prXX, gcCo},   // [65534] <private-use-F0000>..<private-use-FFFFD>
+	{0x100000, 0x10FFFD, prXX, gcCo}, // [65534] <private-use-100000>..<private-use-10FFFD>
+}
diff --git a/vendor/github.com/rivo/uniseg/linerules.go b/vendor/github.com/rivo/uniseg/linerules.go
new file mode 100644
index 0000000000..7708ae0fbe
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/linerules.go
@@ -0,0 +1,626 @@
+package uniseg
+
+import "unicode/utf8"
+
+// The states of the line break parser.
+const (
+	lbAny = iota
+	lbBK
+	lbCR
+	lbLF
+	lbNL
+	lbSP
+	lbZW
+	lbWJ
+	lbGL
+	lbBA
+	lbHY
+	lbCL
+	lbCP
+	lbEX
+	lbIS
+	lbSY
+	lbOP
+	lbQU
+	lbQUSP
+	lbNS
+	lbCLCPSP
+	lbB2
+	lbB2SP
+	lbCB
+	lbBB
+	lbLB21a
+	lbHL
+	lbAL
+	lbNU
+	lbPR
+	lbEB
+	lbIDEM
+	lbNUNU
+	lbNUSY
+	lbNUIS
+	lbNUCL
+	lbNUCP
+	lbPO
+	lbJL
+	lbJV
+	lbJT
+	lbH2
+	lbH3
+	lbOddRI
+	lbEvenRI
+	lbExtPicCn
+	lbZWJBit     = 64
+	lbCPeaFWHBit = 128
+)
+
+// These constants define whether a given text may be broken into the next line.
+// If the break is optional (LineCanBreak), you may choose to break or not based
+// on your own criteria, for example, if the text has reached the available
+// width.
+const (
+	LineDontBreak = iota // You may not break the line here.
+	LineCanBreak         // You may or may not break the line here.
+	LineMustBreak        // You must break the line here.
+)
+
+// lbTransitions implements the line break parser's state transitions. It's
+// anologous to [grTransitions], see comments there for details.
+//
+// Unicode version 15.0.0.
+func lbTransitions(state, prop int) (newState, lineBreak, rule int) {
+	switch uint64(state) | uint64(prop)<<32 {
+	// LB4.
+	case lbBK | prAny<<32:
+		return lbAny, LineMustBreak, 40
+
+	// LB5.
+	case lbCR | prLF<<32:
+		return lbLF, LineDontBreak, 50
+	case lbCR | prAny<<32:
+		return lbAny, LineMustBreak, 50
+	case lbLF | prAny<<32:
+		return lbAny, LineMustBreak, 50
+	case lbNL | prAny<<32:
+		return lbAny, LineMustBreak, 50
+
+	// LB6.
+	case lbAny | prBK<<32:
+		return lbBK, LineDontBreak, 60
+	case lbAny | prCR<<32:
+		return lbCR, LineDontBreak, 60
+	case lbAny | prLF<<32:
+		return lbLF, LineDontBreak, 60
+	case lbAny | prNL<<32:
+		return lbNL, LineDontBreak, 60
+
+	// LB7.
+	case lbAny | prSP<<32:
+		return lbSP, LineDontBreak, 70
+	case lbAny | prZW<<32:
+		return lbZW, LineDontBreak, 70
+
+	// LB8.
+	case lbZW | prSP<<32:
+		return lbZW, LineDontBreak, 70
+	case lbZW | prAny<<32:
+		return lbAny, LineCanBreak, 80
+
+	// LB11.
+	case lbAny | prWJ<<32:
+		return lbWJ, LineDontBreak, 110
+	case lbWJ | prAny<<32:
+		return lbAny, LineDontBreak, 110
+
+	// LB12.
+	case lbAny | prGL<<32:
+		return lbGL, LineCanBreak, 310
+	case lbGL | prAny<<32:
+		return lbAny, LineDontBreak, 120
+
+	// LB13 (simple transitions).
+	case lbAny | prCL<<32:
+		return lbCL, LineCanBreak, 310
+	case lbAny | prCP<<32:
+		return lbCP, LineCanBreak, 310
+	case lbAny | prEX<<32:
+		return lbEX, LineDontBreak, 130
+	case lbAny | prIS<<32:
+		return lbIS, LineCanBreak, 310
+	case lbAny | prSY<<32:
+		return lbSY, LineCanBreak, 310
+
+	// LB14.
+	case lbAny | prOP<<32:
+		return lbOP, LineCanBreak, 310
+	case lbOP | prSP<<32:
+		return lbOP, LineDontBreak, 70
+	case lbOP | prAny<<32:
+		return lbAny, LineDontBreak, 140
+
+	// LB15.
+	case lbQU | prSP<<32:
+		return lbQUSP, LineDontBreak, 70
+	case lbQU | prOP<<32:
+		return lbOP, LineDontBreak, 150
+	case lbQUSP | prOP<<32:
+		return lbOP, LineDontBreak, 150
+
+	// LB16.
+	case lbCL | prSP<<32:
+		return lbCLCPSP, LineDontBreak, 70
+	case lbNUCL | prSP<<32:
+		return lbCLCPSP, LineDontBreak, 70
+	case lbCP | prSP<<32:
+		return lbCLCPSP, LineDontBreak, 70
+	case lbNUCP | prSP<<32:
+		return lbCLCPSP, LineDontBreak, 70
+	case lbCL | prNS<<32:
+		return lbNS, LineDontBreak, 160
+	case lbNUCL | prNS<<32:
+		return lbNS, LineDontBreak, 160
+	case lbCP | prNS<<32:
+		return lbNS, LineDontBreak, 160
+	case lbNUCP | prNS<<32:
+		return lbNS, LineDontBreak, 160
+	case lbCLCPSP | prNS<<32:
+		return lbNS, LineDontBreak, 160
+
+	// LB17.
+	case lbAny | prB2<<32:
+		return lbB2, LineCanBreak, 310
+	case lbB2 | prSP<<32:
+		return lbB2SP, LineDontBreak, 70
+	case lbB2 | prB2<<32:
+		return lbB2, LineDontBreak, 170
+	case lbB2SP | prB2<<32:
+		return lbB2, LineDontBreak, 170
+
+	// LB18.
+	case lbSP | prAny<<32:
+		return lbAny, LineCanBreak, 180
+	case lbQUSP | prAny<<32:
+		return lbAny, LineCanBreak, 180
+	case lbCLCPSP | prAny<<32:
+		return lbAny, LineCanBreak, 180
+	case lbB2SP | prAny<<32:
+		return lbAny, LineCanBreak, 180
+
+	// LB19.
+	case lbAny | prQU<<32:
+		return lbQU, LineDontBreak, 190
+	case lbQU | prAny<<32:
+		return lbAny, LineDontBreak, 190
+
+	// LB20.
+	case lbAny | prCB<<32:
+		return lbCB, LineCanBreak, 200
+	case lbCB | prAny<<32:
+		return lbAny, LineCanBreak, 200
+
+	// LB21.
+	case lbAny | prBA<<32:
+		return lbBA, LineDontBreak, 210
+	case lbAny | prHY<<32:
+		return lbHY, LineDontBreak, 210
+	case lbAny | prNS<<32:
+		return lbNS, LineDontBreak, 210
+	case lbAny | prBB<<32:
+		return lbBB, LineCanBreak, 310
+	case lbBB | prAny<<32:
+		return lbAny, LineDontBreak, 210
+
+	// LB21a.
+	case lbAny | prHL<<32:
+		return lbHL, LineCanBreak, 310
+	case lbHL | prHY<<32:
+		return lbLB21a, LineDontBreak, 210
+	case lbHL | prBA<<32:
+		return lbLB21a, LineDontBreak, 210
+	case lbLB21a | prAny<<32:
+		return lbAny, LineDontBreak, 211
+
+	// LB21b.
+	case lbSY | prHL<<32:
+		return lbHL, LineDontBreak, 212
+	case lbNUSY | prHL<<32:
+		return lbHL, LineDontBreak, 212
+
+	// LB22.
+	case lbAny | prIN<<32:
+		return lbAny, LineDontBreak, 220
+
+	// LB23.
+	case lbAny | prAL<<32:
+		return lbAL, LineCanBreak, 310
+	case lbAny | prNU<<32:
+		return lbNU, LineCanBreak, 310
+	case lbAL | prNU<<32:
+		return lbNU, LineDontBreak, 230
+	case lbHL | prNU<<32:
+		return lbNU, LineDontBreak, 230
+	case lbNU | prAL<<32:
+		return lbAL, LineDontBreak, 230
+	case lbNU | prHL<<32:
+		return lbHL, LineDontBreak, 230
+	case lbNUNU | prAL<<32:
+		return lbAL, LineDontBreak, 230
+	case lbNUNU | prHL<<32:
+		return lbHL, LineDontBreak, 230
+
+	// LB23a.
+	case lbAny | prPR<<32:
+		return lbPR, LineCanBreak, 310
+	case lbAny | prID<<32:
+		return lbIDEM, LineCanBreak, 310
+	case lbAny | prEB<<32:
+		return lbEB, LineCanBreak, 310
+	case lbAny | prEM<<32:
+		return lbIDEM, LineCanBreak, 310
+	case lbPR | prID<<32:
+		return lbIDEM, LineDontBreak, 231
+	case lbPR | prEB<<32:
+		return lbEB, LineDontBreak, 231
+	case lbPR | prEM<<32:
+		return lbIDEM, LineDontBreak, 231
+	case lbIDEM | prPO<<32:
+		return lbPO, LineDontBreak, 231
+	case lbEB | prPO<<32:
+		return lbPO, LineDontBreak, 231
+
+	// LB24.
+	case lbAny | prPO<<32:
+		return lbPO, LineCanBreak, 310
+	case lbPR | prAL<<32:
+		return lbAL, LineDontBreak, 240
+	case lbPR | prHL<<32:
+		return lbHL, LineDontBreak, 240
+	case lbPO | prAL<<32:
+		return lbAL, LineDontBreak, 240
+	case lbPO | prHL<<32:
+		return lbHL, LineDontBreak, 240
+	case lbAL | prPR<<32:
+		return lbPR, LineDontBreak, 240
+	case lbAL | prPO<<32:
+		return lbPO, LineDontBreak, 240
+	case lbHL | prPR<<32:
+		return lbPR, LineDontBreak, 240
+	case lbHL | prPO<<32:
+		return lbPO, LineDontBreak, 240
+
+	// LB25 (simple transitions).
+	case lbPR | prNU<<32:
+		return lbNU, LineDontBreak, 250
+	case lbPO | prNU<<32:
+		return lbNU, LineDontBreak, 250
+	case lbOP | prNU<<32:
+		return lbNU, LineDontBreak, 250
+	case lbHY | prNU<<32:
+		return lbNU, LineDontBreak, 250
+	case lbNU | prNU<<32:
+		return lbNUNU, LineDontBreak, 250
+	case lbNU | prSY<<32:
+		return lbNUSY, LineDontBreak, 250
+	case lbNU | prIS<<32:
+		return lbNUIS, LineDontBreak, 250
+	case lbNUNU | prNU<<32:
+		return lbNUNU, LineDontBreak, 250
+	case lbNUNU | prSY<<32:
+		return lbNUSY, LineDontBreak, 250
+	case lbNUNU | prIS<<32:
+		return lbNUIS, LineDontBreak, 250
+	case lbNUSY | prNU<<32:
+		return lbNUNU, LineDontBreak, 250
+	case lbNUSY | prSY<<32:
+		return lbNUSY, LineDontBreak, 250
+	case lbNUSY | prIS<<32:
+		return lbNUIS, LineDontBreak, 250
+	case lbNUIS | prNU<<32:
+		return lbNUNU, LineDontBreak, 250
+	case lbNUIS | prSY<<32:
+		return lbNUSY, LineDontBreak, 250
+	case lbNUIS | prIS<<32:
+		return lbNUIS, LineDontBreak, 250
+	case lbNU | prCL<<32:
+		return lbNUCL, LineDontBreak, 250
+	case lbNU | prCP<<32:
+		return lbNUCP, LineDontBreak, 250
+	case lbNUNU | prCL<<32:
+		return lbNUCL, LineDontBreak, 250
+	case lbNUNU | prCP<<32:
+		return lbNUCP, LineDontBreak, 250
+	case lbNUSY | prCL<<32:
+		return lbNUCL, LineDontBreak, 250
+	case lbNUSY | prCP<<32:
+		return lbNUCP, LineDontBreak, 250
+	case lbNUIS | prCL<<32:
+		return lbNUCL, LineDontBreak, 250
+	case lbNUIS | prCP<<32:
+		return lbNUCP, LineDontBreak, 250
+	case lbNU | prPO<<32:
+		return lbPO, LineDontBreak, 250
+	case lbNUNU | prPO<<32:
+		return lbPO, LineDontBreak, 250
+	case lbNUSY | prPO<<32:
+		return lbPO, LineDontBreak, 250
+	case lbNUIS | prPO<<32:
+		return lbPO, LineDontBreak, 250
+	case lbNUCL | prPO<<32:
+		return lbPO, LineDontBreak, 250
+	case lbNUCP | prPO<<32:
+		return lbPO, LineDontBreak, 250
+	case lbNU | prPR<<32:
+		return lbPR, LineDontBreak, 250
+	case lbNUNU | prPR<<32:
+		return lbPR, LineDontBreak, 250
+	case lbNUSY | prPR<<32:
+		return lbPR, LineDontBreak, 250
+	case lbNUIS | prPR<<32:
+		return lbPR, LineDontBreak, 250
+	case lbNUCL | prPR<<32:
+		return lbPR, LineDontBreak, 250
+	case lbNUCP | prPR<<32:
+		return lbPR, LineDontBreak, 250
+
+	// LB26.
+	case lbAny | prJL<<32:
+		return lbJL, LineCanBreak, 310
+	case lbAny | prJV<<32:
+		return lbJV, LineCanBreak, 310
+	case lbAny | prJT<<32:
+		return lbJT, LineCanBreak, 310
+	case lbAny | prH2<<32:
+		return lbH2, LineCanBreak, 310
+	case lbAny | prH3<<32:
+		return lbH3, LineCanBreak, 310
+	case lbJL | prJL<<32:
+		return lbJL, LineDontBreak, 260
+	case lbJL | prJV<<32:
+		return lbJV, LineDontBreak, 260
+	case lbJL | prH2<<32:
+		return lbH2, LineDontBreak, 260
+	case lbJL | prH3<<32:
+		return lbH3, LineDontBreak, 260
+	case lbJV | prJV<<32:
+		return lbJV, LineDontBreak, 260
+	case lbJV | prJT<<32:
+		return lbJT, LineDontBreak, 260
+	case lbH2 | prJV<<32:
+		return lbJV, LineDontBreak, 260
+	case lbH2 | prJT<<32:
+		return lbJT, LineDontBreak, 260
+	case lbJT | prJT<<32:
+		return lbJT, LineDontBreak, 260
+	case lbH3 | prJT<<32:
+		return lbJT, LineDontBreak, 260
+
+	// LB27.
+	case lbJL | prPO<<32:
+		return lbPO, LineDontBreak, 270
+	case lbJV | prPO<<32:
+		return lbPO, LineDontBreak, 270
+	case lbJT | prPO<<32:
+		return lbPO, LineDontBreak, 270
+	case lbH2 | prPO<<32:
+		return lbPO, LineDontBreak, 270
+	case lbH3 | prPO<<32:
+		return lbPO, LineDontBreak, 270
+	case lbPR | prJL<<32:
+		return lbJL, LineDontBreak, 270
+	case lbPR | prJV<<32:
+		return lbJV, LineDontBreak, 270
+	case lbPR | prJT<<32:
+		return lbJT, LineDontBreak, 270
+	case lbPR | prH2<<32:
+		return lbH2, LineDontBreak, 270
+	case lbPR | prH3<<32:
+		return lbH3, LineDontBreak, 270
+
+	// LB28.
+	case lbAL | prAL<<32:
+		return lbAL, LineDontBreak, 280
+	case lbAL | prHL<<32:
+		return lbHL, LineDontBreak, 280
+	case lbHL | prAL<<32:
+		return lbAL, LineDontBreak, 280
+	case lbHL | prHL<<32:
+		return lbHL, LineDontBreak, 280
+
+	// LB29.
+	case lbIS | prAL<<32:
+		return lbAL, LineDontBreak, 290
+	case lbIS | prHL<<32:
+		return lbHL, LineDontBreak, 290
+	case lbNUIS | prAL<<32:
+		return lbAL, LineDontBreak, 290
+	case lbNUIS | prHL<<32:
+		return lbHL, LineDontBreak, 290
+
+	default:
+		return -1, -1, -1
+	}
+}
+
+// transitionLineBreakState determines the new state of the line break parser
+// given the current state and the next code point. It also returns the type of
+// line break: LineDontBreak, LineCanBreak, or LineMustBreak. If more than one
+// code point is needed to determine the new state, the byte slice or the string
+// starting after rune "r" can be used (whichever is not nil or empty) for
+// further lookups.
+func transitionLineBreakState(state int, r rune, b []byte, str string) (newState int, lineBreak int) {
+	// Determine the property of the next character.
+	nextProperty, generalCategory := propertyLineBreak(r)
+
+	// Prepare.
+	var forceNoBreak, isCPeaFWH bool
+	if state >= 0 && state&lbCPeaFWHBit != 0 {
+		isCPeaFWH = true // LB30: CP but ea is not F, W, or H.
+		state = state &^ lbCPeaFWHBit
+	}
+	if state >= 0 && state&lbZWJBit != 0 {
+		state = state &^ lbZWJBit // Extract zero-width joiner bit.
+		forceNoBreak = true       // LB8a.
+	}
+
+	defer func() {
+		// Transition into LB30.
+		if newState == lbCP || newState == lbNUCP {
+			ea := propertyEastAsianWidth(r)
+			if ea != prF && ea != prW && ea != prH {
+				newState |= lbCPeaFWHBit
+			}
+		}
+
+		// Override break.
+		if forceNoBreak {
+			lineBreak = LineDontBreak
+		}
+	}()
+
+	// LB1.
+	if nextProperty == prAI || nextProperty == prSG || nextProperty == prXX {
+		nextProperty = prAL
+	} else if nextProperty == prSA {
+		if generalCategory == gcMn || generalCategory == gcMc {
+			nextProperty = prCM
+		} else {
+			nextProperty = prAL
+		}
+	} else if nextProperty == prCJ {
+		nextProperty = prNS
+	}
+
+	// Combining marks.
+	if nextProperty == prZWJ || nextProperty == prCM {
+		var bit int
+		if nextProperty == prZWJ {
+			bit = lbZWJBit
+		}
+		mustBreakState := state < 0 || state == lbBK || state == lbCR || state == lbLF || state == lbNL
+		if !mustBreakState && state != lbSP && state != lbZW && state != lbQUSP && state != lbCLCPSP && state != lbB2SP {
+			// LB9.
+			return state | bit, LineDontBreak
+		} else {
+			// LB10.
+			if mustBreakState {
+				return lbAL | bit, LineMustBreak
+			}
+			return lbAL | bit, LineCanBreak
+		}
+	}
+
+	// Find the applicable transition in the table.
+	var rule int
+	newState, lineBreak, rule = lbTransitions(state, nextProperty)
+	if newState < 0 {
+		// No specific transition found. Try the less specific ones.
+		anyPropProp, anyPropLineBreak, anyPropRule := lbTransitions(state, prAny)
+		anyStateProp, anyStateLineBreak, anyStateRule := lbTransitions(lbAny, nextProperty)
+		if anyPropProp >= 0 && anyStateProp >= 0 {
+			// Both apply. We'll use a mix (see comments for grTransitions).
+			newState, lineBreak, rule = anyStateProp, anyStateLineBreak, anyStateRule
+			if anyPropRule < anyStateRule {
+				lineBreak, rule = anyPropLineBreak, anyPropRule
+			}
+		} else if anyPropProp >= 0 {
+			// We only have a specific state.
+			newState, lineBreak, rule = anyPropProp, anyPropLineBreak, anyPropRule
+			// This branch will probably never be reached because okAnyState will
+			// always be true given the current transition map. But we keep it here
+			// for future modifications to the transition map where this may not be
+			// true anymore.
+		} else if anyStateProp >= 0 {
+			// We only have a specific property.
+			newState, lineBreak, rule = anyStateProp, anyStateLineBreak, anyStateRule
+		} else {
+			// No known transition. LB31: ALL ÷ ALL.
+			newState, lineBreak, rule = lbAny, LineCanBreak, 310
+		}
+	}
+
+	// LB12a.
+	if rule > 121 &&
+		nextProperty == prGL &&
+		(state != lbSP && state != lbBA && state != lbHY && state != lbLB21a && state != lbQUSP && state != lbCLCPSP && state != lbB2SP) {
+		return lbGL, LineDontBreak
+	}
+
+	// LB13.
+	if rule > 130 && state != lbNU && state != lbNUNU {
+		switch nextProperty {
+		case prCL:
+			return lbCL, LineDontBreak
+		case prCP:
+			return lbCP, LineDontBreak
+		case prIS:
+			return lbIS, LineDontBreak
+		case prSY:
+			return lbSY, LineDontBreak
+		}
+	}
+
+	// LB25 (look ahead).
+	if rule > 250 &&
+		(state == lbPR || state == lbPO) &&
+		nextProperty == prOP || nextProperty == prHY {
+		var r rune
+		if b != nil { // Byte slice version.
+			r, _ = utf8.DecodeRune(b)
+		} else { // String version.
+			r, _ = utf8.DecodeRuneInString(str)
+		}
+		if r != utf8.RuneError {
+			pr, _ := propertyLineBreak(r)
+			if pr == prNU {
+				return lbNU, LineDontBreak
+			}
+		}
+	}
+
+	// LB30 (part one).
+	if rule > 300 {
+		if (state == lbAL || state == lbHL || state == lbNU || state == lbNUNU) && nextProperty == prOP {
+			ea := propertyEastAsianWidth(r)
+			if ea != prF && ea != prW && ea != prH {
+				return lbOP, LineDontBreak
+			}
+		} else if isCPeaFWH {
+			switch nextProperty {
+			case prAL:
+				return lbAL, LineDontBreak
+			case prHL:
+				return lbHL, LineDontBreak
+			case prNU:
+				return lbNU, LineDontBreak
+			}
+		}
+	}
+
+	// LB30a.
+	if newState == lbAny && nextProperty == prRI {
+		if state != lbOddRI && state != lbEvenRI { // Includes state == -1.
+			// Transition into the first RI.
+			return lbOddRI, lineBreak
+		}
+		if state == lbOddRI {
+			// Don't break pairs of Regional Indicators.
+			return lbEvenRI, LineDontBreak
+		}
+		return lbOddRI, lineBreak
+	}
+
+	// LB30b.
+	if rule > 302 {
+		if nextProperty == prEM {
+			if state == lbEB || state == lbExtPicCn {
+				return prAny, LineDontBreak
+			}
+		}
+		graphemeProperty := propertyGraphemes(r)
+		if graphemeProperty == prExtendedPictographic && generalCategory == gcCn {
+			return lbExtPicCn, LineCanBreak
+		}
+	}
+
+	return
+}
diff --git a/vendor/github.com/rivo/uniseg/properties.go b/vendor/github.com/rivo/uniseg/properties.go
new file mode 100644
index 0000000000..6290e6810f
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/properties.go
@@ -0,0 +1,208 @@
+package uniseg
+
+// The Unicode properties as used in the various parsers. Only the ones needed
+// in the context of this package are included.
+const (
+	prXX      = 0    // Same as prAny.
+	prAny     = iota // prAny must be 0.
+	prPrepend        // Grapheme properties must come first, to reduce the number of bits stored in the state vector.
+	prCR
+	prLF
+	prControl
+	prExtend
+	prRegionalIndicator
+	prSpacingMark
+	prL
+	prV
+	prT
+	prLV
+	prLVT
+	prZWJ
+	prExtendedPictographic
+	prNewline
+	prWSegSpace
+	prDoubleQuote
+	prSingleQuote
+	prMidNumLet
+	prNumeric
+	prMidLetter
+	prMidNum
+	prExtendNumLet
+	prALetter
+	prFormat
+	prHebrewLetter
+	prKatakana
+	prSp
+	prSTerm
+	prClose
+	prSContinue
+	prATerm
+	prUpper
+	prLower
+	prSep
+	prOLetter
+	prCM
+	prBA
+	prBK
+	prSP
+	prEX
+	prQU
+	prAL
+	prPR
+	prPO
+	prOP
+	prCP
+	prIS
+	prHY
+	prSY
+	prNU
+	prCL
+	prNL
+	prGL
+	prAI
+	prBB
+	prHL
+	prSA
+	prJL
+	prJV
+	prJT
+	prNS
+	prZW
+	prB2
+	prIN
+	prWJ
+	prID
+	prEB
+	prCJ
+	prH2
+	prH3
+	prSG
+	prCB
+	prRI
+	prEM
+	prN
+	prNa
+	prA
+	prW
+	prH
+	prF
+	prEmojiPresentation
+)
+
+// Unicode General Categories. Only the ones needed in the context of this
+// package are included.
+const (
+	gcNone = iota // gcNone must be 0.
+	gcCc
+	gcZs
+	gcPo
+	gcSc
+	gcPs
+	gcPe
+	gcSm
+	gcPd
+	gcNd
+	gcLu
+	gcSk
+	gcPc
+	gcLl
+	gcSo
+	gcLo
+	gcPi
+	gcCf
+	gcNo
+	gcPf
+	gcLC
+	gcLm
+	gcMn
+	gcMe
+	gcMc
+	gcNl
+	gcZl
+	gcZp
+	gcCn
+	gcCs
+	gcCo
+)
+
+// Special code points.
+const (
+	vs15 = 0xfe0e // Variation Selector-15 (text presentation)
+	vs16 = 0xfe0f // Variation Selector-16 (emoji presentation)
+)
+
+// propertySearch performs a binary search on a property slice and returns the
+// entry whose range (start = first array element, end = second array element)
+// includes r, or an array of 0's if no such entry was found.
+func propertySearch[E interface{ [3]int | [4]int }](dictionary []E, r rune) (result E) {
+	// Run a binary search.
+	from := 0
+	to := len(dictionary)
+	for to > from {
+		middle := (from + to) / 2
+		cpRange := dictionary[middle]
+		if int(r) < cpRange[0] {
+			to = middle
+			continue
+		}
+		if int(r) > cpRange[1] {
+			from = middle + 1
+			continue
+		}
+		return cpRange
+	}
+	return
+}
+
+// property returns the Unicode property value (see constants above) of the
+// given code point.
+func property(dictionary [][3]int, r rune) int {
+	return propertySearch(dictionary, r)[2]
+}
+
+// propertyLineBreak returns the Unicode property value and General Category
+// (see constants above) of the given code point, as listed in the line break
+// code points table, while fast tracking ASCII digits and letters.
+func propertyLineBreak(r rune) (property, generalCategory int) {
+	if r >= 'a' && r <= 'z' {
+		return prAL, gcLl
+	}
+	if r >= 'A' && r <= 'Z' {
+		return prAL, gcLu
+	}
+	if r >= '0' && r <= '9' {
+		return prNU, gcNd
+	}
+	entry := propertySearch(lineBreakCodePoints, r)
+	return entry[2], entry[3]
+}
+
+// propertyGraphemes returns the Unicode grapheme cluster property value of the
+// given code point while fast tracking ASCII characters.
+func propertyGraphemes(r rune) int {
+	if r >= 0x20 && r <= 0x7e {
+		return prAny
+	}
+	if r == 0x0a {
+		return prLF
+	}
+	if r == 0x0d {
+		return prCR
+	}
+	if r >= 0 && r <= 0x1f || r == 0x7f {
+		return prControl
+	}
+	return property(graphemeCodePoints, r)
+}
+
+// propertyEastAsianWidth returns the Unicode East Asian Width property value of
+// the given code point while fast tracking ASCII characters.
+func propertyEastAsianWidth(r rune) int {
+	if r >= 0x20 && r <= 0x7e {
+		return prNa
+	}
+	if r >= 0 && r <= 0x1f || r == 0x7f {
+		return prN
+	}
+	return property(eastAsianWidth, r)
+}
diff --git a/vendor/github.com/rivo/uniseg/sentence.go b/vendor/github.com/rivo/uniseg/sentence.go
new file mode 100644
index 0000000000..adc2a35773
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/sentence.go
@@ -0,0 +1,90 @@
+package uniseg
+
+import "unicode/utf8"
+
+// FirstSentence returns the first sentence found in the given byte slice
+// according to the rules of [Unicode Standard Annex #29, Sentence Boundaries].
+// This function can be called continuously to extract all sentences from a byte
+// slice, as illustrated in the example below.
+//
+// If you don't know the current state, for example when calling the function
+// for the first time, you must pass -1. For consecutive calls, pass the state
+// and rest slice returned by the previous call.
+//
+// The "rest" slice is the sub-slice of the original byte slice "b" starting
+// after the last byte of the identified sentence. If the length of the "rest"
+// slice is 0, the entire byte slice "b" has been processed. The "sentence" byte
+// slice is the sub-slice of the input slice containing the identified sentence.
+//
+// Given an empty byte slice "b", the function returns nil values.
+//
+// [Unicode Standard Annex #29, Sentence Boundaries]: http://unicode.org/reports/tr29/#Sentence_Boundaries
+func FirstSentence(b []byte, state int) (sentence, rest []byte, newState int) {
+	// An empty byte slice returns nothing.
+	if len(b) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRune(b)
+	if len(b) <= length { // If we're already past the end, there is nothing else to parse.
+		return b, nil, sbAny
+	}
+
+	// If we don't know the state, determine it now.
+	if state < 0 {
+		state, _ = transitionSentenceBreakState(state, r, b[length:], "")
+	}
+
+	// Transition until we find a boundary.
+	var boundary bool
+	for {
+		r, l := utf8.DecodeRune(b[length:])
+		state, boundary = transitionSentenceBreakState(state, r, b[length+l:], "")
+
+		if boundary {
+			return b[:length], b[length:], state
+		}
+
+		length += l
+		if len(b) <= length {
+			return b, nil, sbAny
+		}
+	}
+}
+
+// FirstSentenceInString is like [FirstSentence] but its input and outputs are
+// strings.
+func FirstSentenceInString(str string, state int) (sentence, rest string, newState int) {
+	// An empty byte slice returns nothing.
+	if len(str) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRuneInString(str)
+	if len(str) <= length { // If we're already past the end, there is nothing else to parse.
+		return str, "", sbAny
+	}
+
+	// If we don't know the state, determine it now.
+	if state < 0 {
+		state, _ = transitionSentenceBreakState(state, r, nil, str[length:])
+	}
+
+	// Transition until we find a boundary.
+	var boundary bool
+	for {
+		r, l := utf8.DecodeRuneInString(str[length:])
+		state, boundary = transitionSentenceBreakState(state, r, nil, str[length+l:])
+
+		if boundary {
+			return str[:length], str[length:], state
+		}
+
+		length += l
+		if len(str) <= length {
+			return str, "", sbAny
+		}
+	}
+}
diff --git a/vendor/github.com/rivo/uniseg/sentenceproperties.go b/vendor/github.com/rivo/uniseg/sentenceproperties.go
new file mode 100644
index 0000000000..67717ec1f3
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/sentenceproperties.go
@@ -0,0 +1,2845 @@
+// Code generated via go generate from gen_properties.go. DO NOT EDIT.
+
+package uniseg
+
+// sentenceBreakCodePoints are taken from
+// https://www.unicode.org/Public/15.0.0/ucd/auxiliary/SentenceBreakProperty.txt
+// and
+// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt
+// ("Extended_Pictographic" only)
+// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode
+// license agreement.
+var sentenceBreakCodePoints = [][3]int{
+	{0x0009, 0x0009, prSp},        // Cc       <control-0009>
+	{0x000A, 0x000A, prLF},        // Cc       <control-000A>
+	{0x000B, 0x000C, prSp},        // Cc   [2] <control-000B>..<control-000C>
+	{0x000D, 0x000D, prCR},        // Cc       <control-000D>
+	{0x0020, 0x0020, prSp},        // Zs       SPACE
+	{0x0021, 0x0021, prSTerm},     // Po       EXCLAMATION MARK
+	{0x0022, 0x0022, prClose},     // Po       QUOTATION MARK
+	{0x0027, 0x0027, prClose},     // Po       APOSTROPHE
+	{0x0028, 0x0028, prClose},     // Ps       LEFT PARENTHESIS
+	{0x0029, 0x0029, prClose},     // Pe       RIGHT PARENTHESIS
+	{0x002C, 0x002C, prSContinue}, // Po       COMMA
+	{0x002D, 0x002D, prSContinue}, // Pd       HYPHEN-MINUS
+	{0x002E, 0x002E, prATerm},     // Po       FULL STOP
+	{0x0030, 0x0039, prNumeric},   // Nd  [10] DIGIT ZERO..DIGIT NINE
+	{0x003A, 0x003A, prSContinue}, // Po       COLON
+	{0x003F, 0x003F, prSTerm},     // Po       QUESTION MARK
+	{0x0041, 0x005A, prUpper},     // L&  [26] LATIN CAPITAL LETTER A..LATIN CAPITAL LETTER Z
+	{0x005B, 0x005B, prClose},     // Ps       LEFT SQUARE BRACKET
+	{0x005D, 0x005D, prClose},     // Pe       RIGHT SQUARE BRACKET
+	{0x0061, 0x007A, prLower},     // L&  [26] LATIN SMALL LETTER A..LATIN SMALL LETTER Z
+	{0x007B, 0x007B, prClose},     // Ps       LEFT CURLY BRACKET
+	{0x007D, 0x007D, prClose},     // Pe       RIGHT CURLY BRACKET
+	{0x0085, 0x0085, prSep},       // Cc       <control-0085>
+	{0x00A0, 0x00A0, prSp},        // Zs       NO-BREAK SPACE
+	{0x00AA, 0x00AA, prLower},     // Lo       FEMININE ORDINAL INDICATOR
+	{0x00AB, 0x00AB, prClose},     // Pi       LEFT-POINTING DOUBLE ANGLE QUOTATION MARK
+	{0x00AD, 0x00AD, prFormat},    // Cf       SOFT HYPHEN
+	{0x00B5, 0x00B5, prLower},     // L&       MICRO SIGN
+	{0x00BA, 0x00BA, prLower},     // Lo       MASCULINE ORDINAL INDICATOR
+	{0x00BB, 0x00BB, prClose},     // Pf       RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK
+	{0x00C0, 0x00D6, prUpper},     // L&  [23] LATIN CAPITAL LETTER A WITH GRAVE..LATIN CAPITAL LETTER O WITH DIAERESIS
+	{0x00D8, 0x00DE, prUpper},     // L&   [7] LATIN CAPITAL LETTER O WITH STROKE..LATIN CAPITAL LETTER THORN
+	{0x00DF, 0x00F6, prLower},     // L&  [24] LATIN SMALL LETTER SHARP S..LATIN SMALL LETTER O WITH DIAERESIS
+	{0x00F8, 0x00FF, prLower},     // L&   [8] LATIN SMALL LETTER O WITH STROKE..LATIN SMALL LETTER Y WITH DIAERESIS
+	{0x0100, 0x0100, prUpper},     // L&       LATIN CAPITAL LETTER A WITH MACRON
+	{0x0101, 0x0101, prLower},     // L&       LATIN SMALL LETTER A WITH MACRON
+	{0x0102, 0x0102, prUpper},     // L&       LATIN CAPITAL LETTER A WITH BREVE
+	{0x0103, 0x0103, prLower},     // L&       LATIN SMALL LETTER A WITH BREVE
+	{0x0104, 0x0104, prUpper},     // L&       LATIN CAPITAL LETTER A WITH OGONEK
+	{0x0105, 0x0105, prLower},     // L&       LATIN SMALL LETTER A WITH OGONEK
+	{0x0106, 0x0106, prUpper},     // L&       LATIN CAPITAL LETTER C WITH ACUTE
+	{0x0107, 0x0107, prLower},     // L&       LATIN SMALL LETTER C WITH ACUTE
+	{0x0108, 0x0108, prUpper},     // L&       LATIN CAPITAL LETTER C WITH CIRCUMFLEX
+	{0x0109, 0x0109, prLower},     // L&       LATIN SMALL LETTER C WITH CIRCUMFLEX
+	{0x010A, 0x010A, prUpper},     // L&       LATIN CAPITAL LETTER C WITH DOT ABOVE
+	{0x010B, 0x010B, prLower},     // L&       LATIN SMALL LETTER C WITH DOT ABOVE
+	{0x010C, 0x010C, prUpper},     // L&       LATIN CAPITAL LETTER C WITH CARON
+	{0x010D, 0x010D, prLower},     // L&       LATIN SMALL LETTER C WITH CARON
+	{0x010E, 0x010E, prUpper},     // L&       LATIN CAPITAL LETTER D WITH CARON
+	{0x010F, 0x010F, prLower},     // L&       LATIN SMALL LETTER D WITH CARON
+	{0x0110, 0x0110, prUpper},     // L&       LATIN CAPITAL LETTER D WITH STROKE
+	{0x0111, 0x0111, prLower},     // L&       LATIN SMALL LETTER D WITH STROKE
+	{0x0112, 0x0112, prUpper},     // L&       LATIN CAPITAL LETTER E WITH MACRON
+	{0x0113, 0x0113, prLower},     // L&       LATIN SMALL LETTER E WITH MACRON
+	{0x0114, 0x0114, prUpper},     // L&       LATIN CAPITAL LETTER E WITH BREVE
+	{0x0115, 0x0115, prLower},     // L&       LATIN SMALL LETTER E WITH BREVE
+	{0x0116, 0x0116, prUpper},     // L&       LATIN CAPITAL LETTER E WITH DOT ABOVE
+	{0x0117, 0x0117, prLower},     // L&       LATIN SMALL LETTER E WITH DOT ABOVE
+	{0x0118, 0x0118, prUpper},     // L&       LATIN CAPITAL LETTER E WITH OGONEK
+	{0x0119, 0x0119, prLower},     // L&       LATIN SMALL LETTER E WITH OGONEK
+	{0x011A, 0x011A, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CARON
+	{0x011B, 0x011B, prLower},     // L&       LATIN SMALL LETTER E WITH CARON
+	{0x011C, 0x011C, prUpper},     // L&       LATIN CAPITAL LETTER G WITH CIRCUMFLEX
+	{0x011D, 0x011D, prLower},     // L&       LATIN SMALL LETTER G WITH CIRCUMFLEX
+	{0x011E, 0x011E, prUpper},     // L&       LATIN CAPITAL LETTER G WITH BREVE
+	{0x011F, 0x011F, prLower},     // L&       LATIN SMALL LETTER G WITH BREVE
+	{0x0120, 0x0120, prUpper},     // L&       LATIN CAPITAL LETTER G WITH DOT ABOVE
+	{0x0121, 0x0121, prLower},     // L&       LATIN SMALL LETTER G WITH DOT ABOVE
+	{0x0122, 0x0122, prUpper},     // L&       LATIN CAPITAL LETTER G WITH CEDILLA
+	{0x0123, 0x0123, prLower},     // L&       LATIN SMALL LETTER G WITH CEDILLA
+	{0x0124, 0x0124, prUpper},     // L&       LATIN CAPITAL LETTER H WITH CIRCUMFLEX
+	{0x0125, 0x0125, prLower},     // L&       LATIN SMALL LETTER H WITH CIRCUMFLEX
+	{0x0126, 0x0126, prUpper},     // L&       LATIN CAPITAL LETTER H WITH STROKE
+	{0x0127, 0x0127, prLower},     // L&       LATIN SMALL LETTER H WITH STROKE
+	{0x0128, 0x0128, prUpper},     // L&       LATIN CAPITAL LETTER I WITH TILDE
+	{0x0129, 0x0129, prLower},     // L&       LATIN SMALL LETTER I WITH TILDE
+	{0x012A, 0x012A, prUpper},     // L&       LATIN CAPITAL LETTER I WITH MACRON
+	{0x012B, 0x012B, prLower},     // L&       LATIN SMALL LETTER I WITH MACRON
+	{0x012C, 0x012C, prUpper},     // L&       LATIN CAPITAL LETTER I WITH BREVE
+	{0x012D, 0x012D, prLower},     // L&       LATIN SMALL LETTER I WITH BREVE
+	{0x012E, 0x012E, prUpper},     // L&       LATIN CAPITAL LETTER I WITH OGONEK
+	{0x012F, 0x012F, prLower},     // L&       LATIN SMALL LETTER I WITH OGONEK
+	{0x0130, 0x0130, prUpper},     // L&       LATIN CAPITAL LETTER I WITH DOT ABOVE
+	{0x0131, 0x0131, prLower},     // L&       LATIN SMALL LETTER DOTLESS I
+	{0x0132, 0x0132, prUpper},     // L&       LATIN CAPITAL LIGATURE IJ
+	{0x0133, 0x0133, prLower},     // L&       LATIN SMALL LIGATURE IJ
+	{0x0134, 0x0134, prUpper},     // L&       LATIN CAPITAL LETTER J WITH CIRCUMFLEX
+	{0x0135, 0x0135, prLower},     // L&       LATIN SMALL LETTER J WITH CIRCUMFLEX
+	{0x0136, 0x0136, prUpper},     // L&       LATIN CAPITAL LETTER K WITH CEDILLA
+	{0x0137, 0x0138, prLower},     // L&   [2] LATIN SMALL LETTER K WITH CEDILLA..LATIN SMALL LETTER KRA
+	{0x0139, 0x0139, prUpper},     // L&       LATIN CAPITAL LETTER L WITH ACUTE
+	{0x013A, 0x013A, prLower},     // L&       LATIN SMALL LETTER L WITH ACUTE
+	{0x013B, 0x013B, prUpper},     // L&       LATIN CAPITAL LETTER L WITH CEDILLA
+	{0x013C, 0x013C, prLower},     // L&       LATIN SMALL LETTER L WITH CEDILLA
+	{0x013D, 0x013D, prUpper},     // L&       LATIN CAPITAL LETTER L WITH CARON
+	{0x013E, 0x013E, prLower},     // L&       LATIN SMALL LETTER L WITH CARON
+	{0x013F, 0x013F, prUpper},     // L&       LATIN CAPITAL LETTER L WITH MIDDLE DOT
+	{0x0140, 0x0140, prLower},     // L&       LATIN SMALL LETTER L WITH MIDDLE DOT
+	{0x0141, 0x0141, prUpper},     // L&       LATIN CAPITAL LETTER L WITH STROKE
+	{0x0142, 0x0142, prLower},     // L&       LATIN SMALL LETTER L WITH STROKE
+	{0x0143, 0x0143, prUpper},     // L&       LATIN CAPITAL LETTER N WITH ACUTE
+	{0x0144, 0x0144, prLower},     // L&       LATIN SMALL LETTER N WITH ACUTE
+	{0x0145, 0x0145, prUpper},     // L&       LATIN CAPITAL LETTER N WITH CEDILLA
+	{0x0146, 0x0146, prLower},     // L&       LATIN SMALL LETTER N WITH CEDILLA
+	{0x0147, 0x0147, prUpper},     // L&       LATIN CAPITAL LETTER N WITH CARON
+	{0x0148, 0x0149, prLower},     // L&   [2] LATIN SMALL LETTER N WITH CARON..LATIN SMALL LETTER N PRECEDED BY APOSTROPHE
+	{0x014A, 0x014A, prUpper},     // L&       LATIN CAPITAL LETTER ENG
+	{0x014B, 0x014B, prLower},     // L&       LATIN SMALL LETTER ENG
+	{0x014C, 0x014C, prUpper},     // L&       LATIN CAPITAL LETTER O WITH MACRON
+	{0x014D, 0x014D, prLower},     // L&       LATIN SMALL LETTER O WITH MACRON
+	{0x014E, 0x014E, prUpper},     // L&       LATIN CAPITAL LETTER O WITH BREVE
+	{0x014F, 0x014F, prLower},     // L&       LATIN SMALL LETTER O WITH BREVE
+	{0x0150, 0x0150, prUpper},     // L&       LATIN CAPITAL LETTER O WITH DOUBLE ACUTE
+	{0x0151, 0x0151, prLower},     // L&       LATIN SMALL LETTER O WITH DOUBLE ACUTE
+	{0x0152, 0x0152, prUpper},     // L&       LATIN CAPITAL LIGATURE OE
+	{0x0153, 0x0153, prLower},     // L&       LATIN SMALL LIGATURE OE
+	{0x0154, 0x0154, prUpper},     // L&       LATIN CAPITAL LETTER R WITH ACUTE
+	{0x0155, 0x0155, prLower},     // L&       LATIN SMALL LETTER R WITH ACUTE
+	{0x0156, 0x0156, prUpper},     // L&       LATIN CAPITAL LETTER R WITH CEDILLA
+	{0x0157, 0x0157, prLower},     // L&       LATIN SMALL LETTER R WITH CEDILLA
+	{0x0158, 0x0158, prUpper},     // L&       LATIN CAPITAL LETTER R WITH CARON
+	{0x0159, 0x0159, prLower},     // L&       LATIN SMALL LETTER R WITH CARON
+	{0x015A, 0x015A, prUpper},     // L&       LATIN CAPITAL LETTER S WITH ACUTE
+	{0x015B, 0x015B, prLower},     // L&       LATIN SMALL LETTER S WITH ACUTE
+	{0x015C, 0x015C, prUpper},     // L&       LATIN CAPITAL LETTER S WITH CIRCUMFLEX
+	{0x015D, 0x015D, prLower},     // L&       LATIN SMALL LETTER S WITH CIRCUMFLEX
+	{0x015E, 0x015E, prUpper},     // L&       LATIN CAPITAL LETTER S WITH CEDILLA
+	{0x015F, 0x015F, prLower},     // L&       LATIN SMALL LETTER S WITH CEDILLA
+	{0x0160, 0x0160, prUpper},     // L&       LATIN CAPITAL LETTER S WITH CARON
+	{0x0161, 0x0161, prLower},     // L&       LATIN SMALL LETTER S WITH CARON
+	{0x0162, 0x0162, prUpper},     // L&       LATIN CAPITAL LETTER T WITH CEDILLA
+	{0x0163, 0x0163, prLower},     // L&       LATIN SMALL LETTER T WITH CEDILLA
+	{0x0164, 0x0164, prUpper},     // L&       LATIN CAPITAL LETTER T WITH CARON
+	{0x0165, 0x0165, prLower},     // L&       LATIN SMALL LETTER T WITH CARON
+	{0x0166, 0x0166, prUpper},     // L&       LATIN CAPITAL LETTER T WITH STROKE
+	{0x0167, 0x0167, prLower},     // L&       LATIN SMALL LETTER T WITH STROKE
+	{0x0168, 0x0168, prUpper},     // L&       LATIN CAPITAL LETTER U WITH TILDE
+	{0x0169, 0x0169, prLower},     // L&       LATIN SMALL LETTER U WITH TILDE
+	{0x016A, 0x016A, prUpper},     // L&       LATIN CAPITAL LETTER U WITH MACRON
+	{0x016B, 0x016B, prLower},     // L&       LATIN SMALL LETTER U WITH MACRON
+	{0x016C, 0x016C, prUpper},     // L&       LATIN CAPITAL LETTER U WITH BREVE
+	{0x016D, 0x016D, prLower},     // L&       LATIN SMALL LETTER U WITH BREVE
+	{0x016E, 0x016E, prUpper},     // L&       LATIN CAPITAL LETTER U WITH RING ABOVE
+	{0x016F, 0x016F, prLower},     // L&       LATIN SMALL LETTER U WITH RING ABOVE
+	{0x0170, 0x0170, prUpper},     // L&       LATIN CAPITAL LETTER U WITH DOUBLE ACUTE
+	{0x0171, 0x0171, prLower},     // L&       LATIN SMALL LETTER U WITH DOUBLE ACUTE
+	{0x0172, 0x0172, prUpper},     // L&       LATIN CAPITAL LETTER U WITH OGONEK
+	{0x0173, 0x0173, prLower},     // L&       LATIN SMALL LETTER U WITH OGONEK
+	{0x0174, 0x0174, prUpper},     // L&       LATIN CAPITAL LETTER W WITH CIRCUMFLEX
+	{0x0175, 0x0175, prLower},     // L&       LATIN SMALL LETTER W WITH CIRCUMFLEX
+	{0x0176, 0x0176, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH CIRCUMFLEX
+	{0x0177, 0x0177, prLower},     // L&       LATIN SMALL LETTER Y WITH CIRCUMFLEX
+	{0x0178, 0x0179, prUpper},     // L&   [2] LATIN CAPITAL LETTER Y WITH DIAERESIS..LATIN CAPITAL LETTER Z WITH ACUTE
+	{0x017A, 0x017A, prLower},     // L&       LATIN SMALL LETTER Z WITH ACUTE
+	{0x017B, 0x017B, prUpper},     // L&       LATIN CAPITAL LETTER Z WITH DOT ABOVE
+	{0x017C, 0x017C, prLower},     // L&       LATIN SMALL LETTER Z WITH DOT ABOVE
+	{0x017D, 0x017D, prUpper},     // L&       LATIN CAPITAL LETTER Z WITH CARON
+	{0x017E, 0x0180, prLower},     // L&   [3] LATIN SMALL LETTER Z WITH CARON..LATIN SMALL LETTER B WITH STROKE
+	{0x0181, 0x0182, prUpper},     // L&   [2] LATIN CAPITAL LETTER B WITH HOOK..LATIN CAPITAL LETTER B WITH TOPBAR
+	{0x0183, 0x0183, prLower},     // L&       LATIN SMALL LETTER B WITH TOPBAR
+	{0x0184, 0x0184, prUpper},     // L&       LATIN CAPITAL LETTER TONE SIX
+	{0x0185, 0x0185, prLower},     // L&       LATIN SMALL LETTER TONE SIX
+	{0x0186, 0x0187, prUpper},     // L&   [2] LATIN CAPITAL LETTER OPEN O..LATIN CAPITAL LETTER C WITH HOOK
+	{0x0188, 0x0188, prLower},     // L&       LATIN SMALL LETTER C WITH HOOK
+	{0x0189, 0x018B, prUpper},     // L&   [3] LATIN CAPITAL LETTER AFRICAN D..LATIN CAPITAL LETTER D WITH TOPBAR
+	{0x018C, 0x018D, prLower},     // L&   [2] LATIN SMALL LETTER D WITH TOPBAR..LATIN SMALL LETTER TURNED DELTA
+	{0x018E, 0x0191, prUpper},     // L&   [4] LATIN CAPITAL LETTER REVERSED E..LATIN CAPITAL LETTER F WITH HOOK
+	{0x0192, 0x0192, prLower},     // L&       LATIN SMALL LETTER F WITH HOOK
+	{0x0193, 0x0194, prUpper},     // L&   [2] LATIN CAPITAL LETTER G WITH HOOK..LATIN CAPITAL LETTER GAMMA
+	{0x0195, 0x0195, prLower},     // L&       LATIN SMALL LETTER HV
+	{0x0196, 0x0198, prUpper},     // L&   [3] LATIN CAPITAL LETTER IOTA..LATIN CAPITAL LETTER K WITH HOOK
+	{0x0199, 0x019B, prLower},     // L&   [3] LATIN SMALL LETTER K WITH HOOK..LATIN SMALL LETTER LAMBDA WITH STROKE
+	{0x019C, 0x019D, prUpper},     // L&   [2] LATIN CAPITAL LETTER TURNED M..LATIN CAPITAL LETTER N WITH LEFT HOOK
+	{0x019E, 0x019E, prLower},     // L&       LATIN SMALL LETTER N WITH LONG RIGHT LEG
+	{0x019F, 0x01A0, prUpper},     // L&   [2] LATIN CAPITAL LETTER O WITH MIDDLE TILDE..LATIN CAPITAL LETTER O WITH HORN
+	{0x01A1, 0x01A1, prLower},     // L&       LATIN SMALL LETTER O WITH HORN
+	{0x01A2, 0x01A2, prUpper},     // L&       LATIN CAPITAL LETTER OI
+	{0x01A3, 0x01A3, prLower},     // L&       LATIN SMALL LETTER OI
+	{0x01A4, 0x01A4, prUpper},     // L&       LATIN CAPITAL LETTER P WITH HOOK
+	{0x01A5, 0x01A5, prLower},     // L&       LATIN SMALL LETTER P WITH HOOK
+	{0x01A6, 0x01A7, prUpper},     // L&   [2] LATIN LETTER YR..LATIN CAPITAL LETTER TONE TWO
+	{0x01A8, 0x01A8, prLower},     // L&       LATIN SMALL LETTER TONE TWO
+	{0x01A9, 0x01A9, prUpper},     // L&       LATIN CAPITAL LETTER ESH
+	{0x01AA, 0x01AB, prLower},     // L&   [2] LATIN LETTER REVERSED ESH LOOP..LATIN SMALL LETTER T WITH PALATAL HOOK
+	{0x01AC, 0x01AC, prUpper},     // L&       LATIN CAPITAL LETTER T WITH HOOK
+	{0x01AD, 0x01AD, prLower},     // L&       LATIN SMALL LETTER T WITH HOOK
+	{0x01AE, 0x01AF, prUpper},     // L&   [2] LATIN CAPITAL LETTER T WITH RETROFLEX HOOK..LATIN CAPITAL LETTER U WITH HORN
+	{0x01B0, 0x01B0, prLower},     // L&       LATIN SMALL LETTER U WITH HORN
+	{0x01B1, 0x01B3, prUpper},     // L&   [3] LATIN CAPITAL LETTER UPSILON..LATIN CAPITAL LETTER Y WITH HOOK
+	{0x01B4, 0x01B4, prLower},     // L&       LATIN SMALL LETTER Y WITH HOOK
+	{0x01B5, 0x01B5, prUpper},     // L&       LATIN CAPITAL LETTER Z WITH STROKE
+	{0x01B6, 0x01B6, prLower},     // L&       LATIN SMALL LETTER Z WITH STROKE
+	{0x01B7, 0x01B8, prUpper},     // L&   [2] LATIN CAPITAL LETTER EZH..LATIN CAPITAL LETTER EZH REVERSED
+	{0x01B9, 0x01BA, prLower},     // L&   [2] LATIN SMALL LETTER EZH REVERSED..LATIN SMALL LETTER EZH WITH TAIL
+	{0x01BB, 0x01BB, prOLetter},   // Lo       LATIN LETTER TWO WITH STROKE
+	{0x01BC, 0x01BC, prUpper},     // L&       LATIN CAPITAL LETTER TONE FIVE
+	{0x01BD, 0x01BF, prLower},     // L&   [3] LATIN SMALL LETTER TONE FIVE..LATIN LETTER WYNN
+	{0x01C0, 0x01C3, prOLetter},   // Lo   [4] LATIN LETTER DENTAL CLICK..LATIN LETTER RETROFLEX CLICK
+	{0x01C4, 0x01C5, prUpper},     // L&   [2] LATIN CAPITAL LETTER DZ WITH CARON..LATIN CAPITAL LETTER D WITH SMALL LETTER Z WITH CARON
+	{0x01C6, 0x01C6, prLower},     // L&       LATIN SMALL LETTER DZ WITH CARON
+	{0x01C7, 0x01C8, prUpper},     // L&   [2] LATIN CAPITAL LETTER LJ..LATIN CAPITAL LETTER L WITH SMALL LETTER J
+	{0x01C9, 0x01C9, prLower},     // L&       LATIN SMALL LETTER LJ
+	{0x01CA, 0x01CB, prUpper},     // L&   [2] LATIN CAPITAL LETTER NJ..LATIN CAPITAL LETTER N WITH SMALL LETTER J
+	{0x01CC, 0x01CC, prLower},     // L&       LATIN SMALL LETTER NJ
+	{0x01CD, 0x01CD, prUpper},     // L&       LATIN CAPITAL LETTER A WITH CARON
+	{0x01CE, 0x01CE, prLower},     // L&       LATIN SMALL LETTER A WITH CARON
+	{0x01CF, 0x01CF, prUpper},     // L&       LATIN CAPITAL LETTER I WITH CARON
+	{0x01D0, 0x01D0, prLower},     // L&       LATIN SMALL LETTER I WITH CARON
+	{0x01D1, 0x01D1, prUpper},     // L&       LATIN CAPITAL LETTER O WITH CARON
+	{0x01D2, 0x01D2, prLower},     // L&       LATIN SMALL LETTER O WITH CARON
+	{0x01D3, 0x01D3, prUpper},     // L&       LATIN CAPITAL LETTER U WITH CARON
+	{0x01D4, 0x01D4, prLower},     // L&       LATIN SMALL LETTER U WITH CARON
+	{0x01D5, 0x01D5, prUpper},     // L&       LATIN CAPITAL LETTER U WITH DIAERESIS AND MACRON
+	{0x01D6, 0x01D6, prLower},     // L&       LATIN SMALL LETTER U WITH DIAERESIS AND MACRON
+	{0x01D7, 0x01D7, prUpper},     // L&       LATIN CAPITAL LETTER U WITH DIAERESIS AND ACUTE
+	{0x01D8, 0x01D8, prLower},     // L&       LATIN SMALL LETTER U WITH DIAERESIS AND ACUTE
+	{0x01D9, 0x01D9, prUpper},     // L&       LATIN CAPITAL LETTER U WITH DIAERESIS AND CARON
+	{0x01DA, 0x01DA, prLower},     // L&       LATIN SMALL LETTER U WITH DIAERESIS AND CARON
+	{0x01DB, 0x01DB, prUpper},     // L&       LATIN CAPITAL LETTER U WITH DIAERESIS AND GRAVE
+	{0x01DC, 0x01DD, prLower},     // L&   [2] LATIN SMALL LETTER U WITH DIAERESIS AND GRAVE..LATIN SMALL LETTER TURNED E
+	{0x01DE, 0x01DE, prUpper},     // L&       LATIN CAPITAL LETTER A WITH DIAERESIS AND MACRON
+	{0x01DF, 0x01DF, prLower},     // L&       LATIN SMALL LETTER A WITH DIAERESIS AND MACRON
+	{0x01E0, 0x01E0, prUpper},     // L&       LATIN CAPITAL LETTER A WITH DOT ABOVE AND MACRON
+	{0x01E1, 0x01E1, prLower},     // L&       LATIN SMALL LETTER A WITH DOT ABOVE AND MACRON
+	{0x01E2, 0x01E2, prUpper},     // L&       LATIN CAPITAL LETTER AE WITH MACRON
+	{0x01E3, 0x01E3, prLower},     // L&       LATIN SMALL LETTER AE WITH MACRON
+	{0x01E4, 0x01E4, prUpper},     // L&       LATIN CAPITAL LETTER G WITH STROKE
+	{0x01E5, 0x01E5, prLower},     // L&       LATIN SMALL LETTER G WITH STROKE
+	{0x01E6, 0x01E6, prUpper},     // L&       LATIN CAPITAL LETTER G WITH CARON
+	{0x01E7, 0x01E7, prLower},     // L&       LATIN SMALL LETTER G WITH CARON
+	{0x01E8, 0x01E8, prUpper},     // L&       LATIN CAPITAL LETTER K WITH CARON
+	{0x01E9, 0x01E9, prLower},     // L&       LATIN SMALL LETTER K WITH CARON
+	{0x01EA, 0x01EA, prUpper},     // L&       LATIN CAPITAL LETTER O WITH OGONEK
+	{0x01EB, 0x01EB, prLower},     // L&       LATIN SMALL LETTER O WITH OGONEK
+	{0x01EC, 0x01EC, prUpper},     // L&       LATIN CAPITAL LETTER O WITH OGONEK AND MACRON
+	{0x01ED, 0x01ED, prLower},     // L&       LATIN SMALL LETTER O WITH OGONEK AND MACRON
+	{0x01EE, 0x01EE, prUpper},     // L&       LATIN CAPITAL LETTER EZH WITH CARON
+	{0x01EF, 0x01F0, prLower},     // L&   [2] LATIN SMALL LETTER EZH WITH CARON..LATIN SMALL LETTER J WITH CARON
+	{0x01F1, 0x01F2, prUpper},     // L&   [2] LATIN CAPITAL LETTER DZ..LATIN CAPITAL LETTER D WITH SMALL LETTER Z
+	{0x01F3, 0x01F3, prLower},     // L&       LATIN SMALL LETTER DZ
+	{0x01F4, 0x01F4, prUpper},     // L&       LATIN CAPITAL LETTER G WITH ACUTE
+	{0x01F5, 0x01F5, prLower},     // L&       LATIN SMALL LETTER G WITH ACUTE
+	{0x01F6, 0x01F8, prUpper},     // L&   [3] LATIN CAPITAL LETTER HWAIR..LATIN CAPITAL LETTER N WITH GRAVE
+	{0x01F9, 0x01F9, prLower},     // L&       LATIN SMALL LETTER N WITH GRAVE
+	{0x01FA, 0x01FA, prUpper},     // L&       LATIN CAPITAL LETTER A WITH RING ABOVE AND ACUTE
+	{0x01FB, 0x01FB, prLower},     // L&       LATIN SMALL LETTER A WITH RING ABOVE AND ACUTE
+	{0x01FC, 0x01FC, prUpper},     // L&       LATIN CAPITAL LETTER AE WITH ACUTE
+	{0x01FD, 0x01FD, prLower},     // L&       LATIN SMALL LETTER AE WITH ACUTE
+	{0x01FE, 0x01FE, prUpper},     // L&       LATIN CAPITAL LETTER O WITH STROKE AND ACUTE
+	{0x01FF, 0x01FF, prLower},     // L&       LATIN SMALL LETTER O WITH STROKE AND ACUTE
+	{0x0200, 0x0200, prUpper},     // L&       LATIN CAPITAL LETTER A WITH DOUBLE GRAVE
+	{0x0201, 0x0201, prLower},     // L&       LATIN SMALL LETTER A WITH DOUBLE GRAVE
+	{0x0202, 0x0202, prUpper},     // L&       LATIN CAPITAL LETTER A WITH INVERTED BREVE
+	{0x0203, 0x0203, prLower},     // L&       LATIN SMALL LETTER A WITH INVERTED BREVE
+	{0x0204, 0x0204, prUpper},     // L&       LATIN CAPITAL LETTER E WITH DOUBLE GRAVE
+	{0x0205, 0x0205, prLower},     // L&       LATIN SMALL LETTER E WITH DOUBLE GRAVE
+	{0x0206, 0x0206, prUpper},     // L&       LATIN CAPITAL LETTER E WITH INVERTED BREVE
+	{0x0207, 0x0207, prLower},     // L&       LATIN SMALL LETTER E WITH INVERTED BREVE
+	{0x0208, 0x0208, prUpper},     // L&       LATIN CAPITAL LETTER I WITH DOUBLE GRAVE
+	{0x0209, 0x0209, prLower},     // L&       LATIN SMALL LETTER I WITH DOUBLE GRAVE
+	{0x020A, 0x020A, prUpper},     // L&       LATIN CAPITAL LETTER I WITH INVERTED BREVE
+	{0x020B, 0x020B, prLower},     // L&       LATIN SMALL LETTER I WITH INVERTED BREVE
+	{0x020C, 0x020C, prUpper},     // L&       LATIN CAPITAL LETTER O WITH DOUBLE GRAVE
+	{0x020D, 0x020D, prLower},     // L&       LATIN SMALL LETTER O WITH DOUBLE GRAVE
+	{0x020E, 0x020E, prUpper},     // L&       LATIN CAPITAL LETTER O WITH INVERTED BREVE
+	{0x020F, 0x020F, prLower},     // L&       LATIN SMALL LETTER O WITH INVERTED BREVE
+	{0x0210, 0x0210, prUpper},     // L&       LATIN CAPITAL LETTER R WITH DOUBLE GRAVE
+	{0x0211, 0x0211, prLower},     // L&       LATIN SMALL LETTER R WITH DOUBLE GRAVE
+	{0x0212, 0x0212, prUpper},     // L&       LATIN CAPITAL LETTER R WITH INVERTED BREVE
+	{0x0213, 0x0213, prLower},     // L&       LATIN SMALL LETTER R WITH INVERTED BREVE
+	{0x0214, 0x0214, prUpper},     // L&       LATIN CAPITAL LETTER U WITH DOUBLE GRAVE
+	{0x0215, 0x0215, prLower},     // L&       LATIN SMALL LETTER U WITH DOUBLE GRAVE
+	{0x0216, 0x0216, prUpper},     // L&       LATIN CAPITAL LETTER U WITH INVERTED BREVE
+	{0x0217, 0x0217, prLower},     // L&       LATIN SMALL LETTER U WITH INVERTED BREVE
+	{0x0218, 0x0218, prUpper},     // L&       LATIN CAPITAL LETTER S WITH COMMA BELOW
+	{0x0219, 0x0219, prLower},     // L&       LATIN SMALL LETTER S WITH COMMA BELOW
+	{0x021A, 0x021A, prUpper},     // L&       LATIN CAPITAL LETTER T WITH COMMA BELOW
+	{0x021B, 0x021B, prLower},     // L&       LATIN SMALL LETTER T WITH COMMA BELOW
+	{0x021C, 0x021C, prUpper},     // L&       LATIN CAPITAL LETTER YOGH
+	{0x021D, 0x021D, prLower},     // L&       LATIN SMALL LETTER YOGH
+	{0x021E, 0x021E, prUpper},     // L&       LATIN CAPITAL LETTER H WITH CARON
+	{0x021F, 0x021F, prLower},     // L&       LATIN SMALL LETTER H WITH CARON
+	{0x0220, 0x0220, prUpper},     // L&       LATIN CAPITAL LETTER N WITH LONG RIGHT LEG
+	{0x0221, 0x0221, prLower},     // L&       LATIN SMALL LETTER D WITH CURL
+	{0x0222, 0x0222, prUpper},     // L&       LATIN CAPITAL LETTER OU
+	{0x0223, 0x0223, prLower},     // L&       LATIN SMALL LETTER OU
+	{0x0224, 0x0224, prUpper},     // L&       LATIN CAPITAL LETTER Z WITH HOOK
+	{0x0225, 0x0225, prLower},     // L&       LATIN SMALL LETTER Z WITH HOOK
+	{0x0226, 0x0226, prUpper},     // L&       LATIN CAPITAL LETTER A WITH DOT ABOVE
+	{0x0227, 0x0227, prLower},     // L&       LATIN SMALL LETTER A WITH DOT ABOVE
+	{0x0228, 0x0228, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CEDILLA
+	{0x0229, 0x0229, prLower},     // L&       LATIN SMALL LETTER E WITH CEDILLA
+	{0x022A, 0x022A, prUpper},     // L&       LATIN CAPITAL LETTER O WITH DIAERESIS AND MACRON
+	{0x022B, 0x022B, prLower},     // L&       LATIN SMALL LETTER O WITH DIAERESIS AND MACRON
+	{0x022C, 0x022C, prUpper},     // L&       LATIN CAPITAL LETTER O WITH TILDE AND MACRON
+	{0x022D, 0x022D, prLower},     // L&       LATIN SMALL LETTER O WITH TILDE AND MACRON
+	{0x022E, 0x022E, prUpper},     // L&       LATIN CAPITAL LETTER O WITH DOT ABOVE
+	{0x022F, 0x022F, prLower},     // L&       LATIN SMALL LETTER O WITH DOT ABOVE
+	{0x0230, 0x0230, prUpper},     // L&       LATIN CAPITAL LETTER O WITH DOT ABOVE AND MACRON
+	{0x0231, 0x0231, prLower},     // L&       LATIN SMALL LETTER O WITH DOT ABOVE AND MACRON
+	{0x0232, 0x0232, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH MACRON
+	{0x0233, 0x0239, prLower},     // L&   [7] LATIN SMALL LETTER Y WITH MACRON..LATIN SMALL LETTER QP DIGRAPH
+	{0x023A, 0x023B, prUpper},     // L&   [2] LATIN CAPITAL LETTER A WITH STROKE..LATIN CAPITAL LETTER C WITH STROKE
+	{0x023C, 0x023C, prLower},     // L&       LATIN SMALL LETTER C WITH STROKE
+	{0x023D, 0x023E, prUpper},     // L&   [2] LATIN CAPITAL LETTER L WITH BAR..LATIN CAPITAL LETTER T WITH DIAGONAL STROKE
+	{0x023F, 0x0240, prLower},     // L&   [2] LATIN SMALL LETTER S WITH SWASH TAIL..LATIN SMALL LETTER Z WITH SWASH TAIL
+	{0x0241, 0x0241, prUpper},     // L&       LATIN CAPITAL LETTER GLOTTAL STOP
+	{0x0242, 0x0242, prLower},     // L&       LATIN SMALL LETTER GLOTTAL STOP
+	{0x0243, 0x0246, prUpper},     // L&   [4] LATIN CAPITAL LETTER B WITH STROKE..LATIN CAPITAL LETTER E WITH STROKE
+	{0x0247, 0x0247, prLower},     // L&       LATIN SMALL LETTER E WITH STROKE
+	{0x0248, 0x0248, prUpper},     // L&       LATIN CAPITAL LETTER J WITH STROKE
+	{0x0249, 0x0249, prLower},     // L&       LATIN SMALL LETTER J WITH STROKE
+	{0x024A, 0x024A, prUpper},     // L&       LATIN CAPITAL LETTER SMALL Q WITH HOOK TAIL
+	{0x024B, 0x024B, prLower},     // L&       LATIN SMALL LETTER Q WITH HOOK TAIL
+	{0x024C, 0x024C, prUpper},     // L&       LATIN CAPITAL LETTER R WITH STROKE
+	{0x024D, 0x024D, prLower},     // L&       LATIN SMALL LETTER R WITH STROKE
+	{0x024E, 0x024E, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH STROKE
+	{0x024F, 0x0293, prLower},     // L&  [69] LATIN SMALL LETTER Y WITH STROKE..LATIN SMALL LETTER EZH WITH CURL
+	{0x0294, 0x0294, prOLetter},   // Lo       LATIN LETTER GLOTTAL STOP
+	{0x0295, 0x02AF, prLower},     // L&  [27] LATIN LETTER PHARYNGEAL VOICED FRICATIVE..LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL
+	{0x02B0, 0x02B8, prLower},     // Lm   [9] MODIFIER LETTER SMALL H..MODIFIER LETTER SMALL Y
+	{0x02B9, 0x02BF, prOLetter},   // Lm   [7] MODIFIER LETTER PRIME..MODIFIER LETTER LEFT HALF RING
+	{0x02C0, 0x02C1, prLower},     // Lm   [2] MODIFIER LETTER GLOTTAL STOP..MODIFIER LETTER REVERSED GLOTTAL STOP
+	{0x02C6, 0x02D1, prOLetter},   // Lm  [12] MODIFIER LETTER CIRCUMFLEX ACCENT..MODIFIER LETTER HALF TRIANGULAR COLON
+	{0x02E0, 0x02E4, prLower},     // Lm   [5] MODIFIER LETTER SMALL GAMMA..MODIFIER LETTER SMALL REVERSED GLOTTAL STOP
+	{0x02EC, 0x02EC, prOLetter},   // Lm       MODIFIER LETTER VOICING
+	{0x02EE, 0x02EE, prOLetter},   // Lm       MODIFIER LETTER DOUBLE APOSTROPHE
+	{0x0300, 0x036F, prExtend},    // Mn [112] COMBINING GRAVE ACCENT..COMBINING LATIN SMALL LETTER X
+	{0x0370, 0x0370, prUpper},     // L&       GREEK CAPITAL LETTER HETA
+	{0x0371, 0x0371, prLower},     // L&       GREEK SMALL LETTER HETA
+	{0x0372, 0x0372, prUpper},     // L&       GREEK CAPITAL LETTER ARCHAIC SAMPI
+	{0x0373, 0x0373, prLower},     // L&       GREEK SMALL LETTER ARCHAIC SAMPI
+	{0x0374, 0x0374, prOLetter},   // Lm       GREEK NUMERAL SIGN
+	{0x0376, 0x0376, prUpper},     // L&       GREEK CAPITAL LETTER PAMPHYLIAN DIGAMMA
+	{0x0377, 0x0377, prLower},     // L&       GREEK SMALL LETTER PAMPHYLIAN DIGAMMA
+	{0x037A, 0x037A, prLower},     // Lm       GREEK YPOGEGRAMMENI
+	{0x037B, 0x037D, prLower},     // L&   [3] GREEK SMALL REVERSED LUNATE SIGMA SYMBOL..GREEK SMALL REVERSED DOTTED LUNATE SIGMA SYMBOL
+	{0x037F, 0x037F, prUpper},     // L&       GREEK CAPITAL LETTER YOT
+	{0x0386, 0x0386, prUpper},     // L&       GREEK CAPITAL LETTER ALPHA WITH TONOS
+	{0x0388, 0x038A, prUpper},     // L&   [3] GREEK CAPITAL LETTER EPSILON WITH TONOS..GREEK CAPITAL LETTER IOTA WITH TONOS
+	{0x038C, 0x038C, prUpper},     // L&       GREEK CAPITAL LETTER OMICRON WITH TONOS
+	{0x038E, 0x038F, prUpper},     // L&   [2] GREEK CAPITAL LETTER UPSILON WITH TONOS..GREEK CAPITAL LETTER OMEGA WITH TONOS
+	{0x0390, 0x0390, prLower},     // L&       GREEK SMALL LETTER IOTA WITH DIALYTIKA AND TONOS
+	{0x0391, 0x03A1, prUpper},     // L&  [17] GREEK CAPITAL LETTER ALPHA..GREEK CAPITAL LETTER RHO
+	{0x03A3, 0x03AB, prUpper},     // L&   [9] GREEK CAPITAL LETTER SIGMA..GREEK CAPITAL LETTER UPSILON WITH DIALYTIKA
+	{0x03AC, 0x03CE, prLower},     // L&  [35] GREEK SMALL LETTER ALPHA WITH TONOS..GREEK SMALL LETTER OMEGA WITH TONOS
+	{0x03CF, 0x03CF, prUpper},     // L&       GREEK CAPITAL KAI SYMBOL
+	{0x03D0, 0x03D1, prLower},     // L&   [2] GREEK BETA SYMBOL..GREEK THETA SYMBOL
+	{0x03D2, 0x03D4, prUpper},     // L&   [3] GREEK UPSILON WITH HOOK SYMBOL..GREEK UPSILON WITH DIAERESIS AND HOOK SYMBOL
+	{0x03D5, 0x03D7, prLower},     // L&   [3] GREEK PHI SYMBOL..GREEK KAI SYMBOL
+	{0x03D8, 0x03D8, prUpper},     // L&       GREEK LETTER ARCHAIC KOPPA
+	{0x03D9, 0x03D9, prLower},     // L&       GREEK SMALL LETTER ARCHAIC KOPPA
+	{0x03DA, 0x03DA, prUpper},     // L&       GREEK LETTER STIGMA
+	{0x03DB, 0x03DB, prLower},     // L&       GREEK SMALL LETTER STIGMA
+	{0x03DC, 0x03DC, prUpper},     // L&       GREEK LETTER DIGAMMA
+	{0x03DD, 0x03DD, prLower},     // L&       GREEK SMALL LETTER DIGAMMA
+	{0x03DE, 0x03DE, prUpper},     // L&       GREEK LETTER KOPPA
+	{0x03DF, 0x03DF, prLower},     // L&       GREEK SMALL LETTER KOPPA
+	{0x03E0, 0x03E0, prUpper},     // L&       GREEK LETTER SAMPI
+	{0x03E1, 0x03E1, prLower},     // L&       GREEK SMALL LETTER SAMPI
+	{0x03E2, 0x03E2, prUpper},     // L&       COPTIC CAPITAL LETTER SHEI
+	{0x03E3, 0x03E3, prLower},     // L&       COPTIC SMALL LETTER SHEI
+	{0x03E4, 0x03E4, prUpper},     // L&       COPTIC CAPITAL LETTER FEI
+	{0x03E5, 0x03E5, prLower},     // L&       COPTIC SMALL LETTER FEI
+	{0x03E6, 0x03E6, prUpper},     // L&       COPTIC CAPITAL LETTER KHEI
+	{0x03E7, 0x03E7, prLower},     // L&       COPTIC SMALL LETTER KHEI
+	{0x03E8, 0x03E8, prUpper},     // L&       COPTIC CAPITAL LETTER HORI
+	{0x03E9, 0x03E9, prLower},     // L&       COPTIC SMALL LETTER HORI
+	{0x03EA, 0x03EA, prUpper},     // L&       COPTIC CAPITAL LETTER GANGIA
+	{0x03EB, 0x03EB, prLower},     // L&       COPTIC SMALL LETTER GANGIA
+	{0x03EC, 0x03EC, prUpper},     // L&       COPTIC CAPITAL LETTER SHIMA
+	{0x03ED, 0x03ED, prLower},     // L&       COPTIC SMALL LETTER SHIMA
+	{0x03EE, 0x03EE, prUpper},     // L&       COPTIC CAPITAL LETTER DEI
+	{0x03EF, 0x03F3, prLower},     // L&   [5] COPTIC SMALL LETTER DEI..GREEK LETTER YOT
+	{0x03F4, 0x03F4, prUpper},     // L&       GREEK CAPITAL THETA SYMBOL
+	{0x03F5, 0x03F5, prLower},     // L&       GREEK LUNATE EPSILON SYMBOL
+	{0x03F7, 0x03F7, prUpper},     // L&       GREEK CAPITAL LETTER SHO
+	{0x03F8, 0x03F8, prLower},     // L&       GREEK SMALL LETTER SHO
+	{0x03F9, 0x03FA, prUpper},     // L&   [2] GREEK CAPITAL LUNATE SIGMA SYMBOL..GREEK CAPITAL LETTER SAN
+	{0x03FB, 0x03FC, prLower},     // L&   [2] GREEK SMALL LETTER SAN..GREEK RHO WITH STROKE SYMBOL
+	{0x03FD, 0x042F, prUpper},     // L&  [51] GREEK CAPITAL REVERSED LUNATE SIGMA SYMBOL..CYRILLIC CAPITAL LETTER YA
+	{0x0430, 0x045F, prLower},     // L&  [48] CYRILLIC SMALL LETTER A..CYRILLIC SMALL LETTER DZHE
+	{0x0460, 0x0460, prUpper},     // L&       CYRILLIC CAPITAL LETTER OMEGA
+	{0x0461, 0x0461, prLower},     // L&       CYRILLIC SMALL LETTER OMEGA
+	{0x0462, 0x0462, prUpper},     // L&       CYRILLIC CAPITAL LETTER YAT
+	{0x0463, 0x0463, prLower},     // L&       CYRILLIC SMALL LETTER YAT
+	{0x0464, 0x0464, prUpper},     // L&       CYRILLIC CAPITAL LETTER IOTIFIED E
+	{0x0465, 0x0465, prLower},     // L&       CYRILLIC SMALL LETTER IOTIFIED E
+	{0x0466, 0x0466, prUpper},     // L&       CYRILLIC CAPITAL LETTER LITTLE YUS
+	{0x0467, 0x0467, prLower},     // L&       CYRILLIC SMALL LETTER LITTLE YUS
+	{0x0468, 0x0468, prUpper},     // L&       CYRILLIC CAPITAL LETTER IOTIFIED LITTLE YUS
+	{0x0469, 0x0469, prLower},     // L&       CYRILLIC SMALL LETTER IOTIFIED LITTLE YUS
+	{0x046A, 0x046A, prUpper},     // L&       CYRILLIC CAPITAL LETTER BIG YUS
+	{0x046B, 0x046B, prLower},     // L&       CYRILLIC SMALL LETTER BIG YUS
+	{0x046C, 0x046C, prUpper},     // L&       CYRILLIC CAPITAL LETTER IOTIFIED BIG YUS
+	{0x046D, 0x046D, prLower},     // L&       CYRILLIC SMALL LETTER IOTIFIED BIG YUS
+	{0x046E, 0x046E, prUpper},     // L&       CYRILLIC CAPITAL LETTER KSI
+	{0x046F, 0x046F, prLower},     // L&       CYRILLIC SMALL LETTER KSI
+	{0x0470, 0x0470, prUpper},     // L&       CYRILLIC CAPITAL LETTER PSI
+	{0x0471, 0x0471, prLower},     // L&       CYRILLIC SMALL LETTER PSI
+	{0x0472, 0x0472, prUpper},     // L&       CYRILLIC CAPITAL LETTER FITA
+	{0x0473, 0x0473, prLower},     // L&       CYRILLIC SMALL LETTER FITA
+	{0x0474, 0x0474, prUpper},     // L&       CYRILLIC CAPITAL LETTER IZHITSA
+	{0x0475, 0x0475, prLower},     // L&       CYRILLIC SMALL LETTER IZHITSA
+	{0x0476, 0x0476, prUpper},     // L&       CYRILLIC CAPITAL LETTER IZHITSA WITH DOUBLE GRAVE ACCENT
+	{0x0477, 0x0477, prLower},     // L&       CYRILLIC SMALL LETTER IZHITSA WITH DOUBLE GRAVE ACCENT
+	{0x0478, 0x0478, prUpper},     // L&       CYRILLIC CAPITAL LETTER UK
+	{0x0479, 0x0479, prLower},     // L&       CYRILLIC SMALL LETTER UK
+	{0x047A, 0x047A, prUpper},     // L&       CYRILLIC CAPITAL LETTER ROUND OMEGA
+	{0x047B, 0x047B, prLower},     // L&       CYRILLIC SMALL LETTER ROUND OMEGA
+	{0x047C, 0x047C, prUpper},     // L&       CYRILLIC CAPITAL LETTER OMEGA WITH TITLO
+	{0x047D, 0x047D, prLower},     // L&       CYRILLIC SMALL LETTER OMEGA WITH TITLO
+	{0x047E, 0x047E, prUpper},     // L&       CYRILLIC CAPITAL LETTER OT
+	{0x047F, 0x047F, prLower},     // L&       CYRILLIC SMALL LETTER OT
+	{0x0480, 0x0480, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOPPA
+	{0x0481, 0x0481, prLower},     // L&       CYRILLIC SMALL LETTER KOPPA
+	{0x0483, 0x0487, prExtend},    // Mn   [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE
+	{0x0488, 0x0489, prExtend},    // Me   [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN
+	{0x048A, 0x048A, prUpper},     // L&       CYRILLIC CAPITAL LETTER SHORT I WITH TAIL
+	{0x048B, 0x048B, prLower},     // L&       CYRILLIC SMALL LETTER SHORT I WITH TAIL
+	{0x048C, 0x048C, prUpper},     // L&       CYRILLIC CAPITAL LETTER SEMISOFT SIGN
+	{0x048D, 0x048D, prLower},     // L&       CYRILLIC SMALL LETTER SEMISOFT SIGN
+	{0x048E, 0x048E, prUpper},     // L&       CYRILLIC CAPITAL LETTER ER WITH TICK
+	{0x048F, 0x048F, prLower},     // L&       CYRILLIC SMALL LETTER ER WITH TICK
+	{0x0490, 0x0490, prUpper},     // L&       CYRILLIC CAPITAL LETTER GHE WITH UPTURN
+	{0x0491, 0x0491, prLower},     // L&       CYRILLIC SMALL LETTER GHE WITH UPTURN
+	{0x0492, 0x0492, prUpper},     // L&       CYRILLIC CAPITAL LETTER GHE WITH STROKE
+	{0x0493, 0x0493, prLower},     // L&       CYRILLIC SMALL LETTER GHE WITH STROKE
+	{0x0494, 0x0494, prUpper},     // L&       CYRILLIC CAPITAL LETTER GHE WITH MIDDLE HOOK
+	{0x0495, 0x0495, prLower},     // L&       CYRILLIC SMALL LETTER GHE WITH MIDDLE HOOK
+	{0x0496, 0x0496, prUpper},     // L&       CYRILLIC CAPITAL LETTER ZHE WITH DESCENDER
+	{0x0497, 0x0497, prLower},     // L&       CYRILLIC SMALL LETTER ZHE WITH DESCENDER
+	{0x0498, 0x0498, prUpper},     // L&       CYRILLIC CAPITAL LETTER ZE WITH DESCENDER
+	{0x0499, 0x0499, prLower},     // L&       CYRILLIC SMALL LETTER ZE WITH DESCENDER
+	{0x049A, 0x049A, prUpper},     // L&       CYRILLIC CAPITAL LETTER KA WITH DESCENDER
+	{0x049B, 0x049B, prLower},     // L&       CYRILLIC SMALL LETTER KA WITH DESCENDER
+	{0x049C, 0x049C, prUpper},     // L&       CYRILLIC CAPITAL LETTER KA WITH VERTICAL STROKE
+	{0x049D, 0x049D, prLower},     // L&       CYRILLIC SMALL LETTER KA WITH VERTICAL STROKE
+	{0x049E, 0x049E, prUpper},     // L&       CYRILLIC CAPITAL LETTER KA WITH STROKE
+	{0x049F, 0x049F, prLower},     // L&       CYRILLIC SMALL LETTER KA WITH STROKE
+	{0x04A0, 0x04A0, prUpper},     // L&       CYRILLIC CAPITAL LETTER BASHKIR KA
+	{0x04A1, 0x04A1, prLower},     // L&       CYRILLIC SMALL LETTER BASHKIR KA
+	{0x04A2, 0x04A2, prUpper},     // L&       CYRILLIC CAPITAL LETTER EN WITH DESCENDER
+	{0x04A3, 0x04A3, prLower},     // L&       CYRILLIC SMALL LETTER EN WITH DESCENDER
+	{0x04A4, 0x04A4, prUpper},     // L&       CYRILLIC CAPITAL LIGATURE EN GHE
+	{0x04A5, 0x04A5, prLower},     // L&       CYRILLIC SMALL LIGATURE EN GHE
+	{0x04A6, 0x04A6, prUpper},     // L&       CYRILLIC CAPITAL LETTER PE WITH MIDDLE HOOK
+	{0x04A7, 0x04A7, prLower},     // L&       CYRILLIC SMALL LETTER PE WITH MIDDLE HOOK
+	{0x04A8, 0x04A8, prUpper},     // L&       CYRILLIC CAPITAL LETTER ABKHASIAN HA
+	{0x04A9, 0x04A9, prLower},     // L&       CYRILLIC SMALL LETTER ABKHASIAN HA
+	{0x04AA, 0x04AA, prUpper},     // L&       CYRILLIC CAPITAL LETTER ES WITH DESCENDER
+	{0x04AB, 0x04AB, prLower},     // L&       CYRILLIC SMALL LETTER ES WITH DESCENDER
+	{0x04AC, 0x04AC, prUpper},     // L&       CYRILLIC CAPITAL LETTER TE WITH DESCENDER
+	{0x04AD, 0x04AD, prLower},     // L&       CYRILLIC SMALL LETTER TE WITH DESCENDER
+	{0x04AE, 0x04AE, prUpper},     // L&       CYRILLIC CAPITAL LETTER STRAIGHT U
+	{0x04AF, 0x04AF, prLower},     // L&       CYRILLIC SMALL LETTER STRAIGHT U
+	{0x04B0, 0x04B0, prUpper},     // L&       CYRILLIC CAPITAL LETTER STRAIGHT U WITH STROKE
+	{0x04B1, 0x04B1, prLower},     // L&       CYRILLIC SMALL LETTER STRAIGHT U WITH STROKE
+	{0x04B2, 0x04B2, prUpper},     // L&       CYRILLIC CAPITAL LETTER HA WITH DESCENDER
+	{0x04B3, 0x04B3, prLower},     // L&       CYRILLIC SMALL LETTER HA WITH DESCENDER
+	{0x04B4, 0x04B4, prUpper},     // L&       CYRILLIC CAPITAL LIGATURE TE TSE
+	{0x04B5, 0x04B5, prLower},     // L&       CYRILLIC SMALL LIGATURE TE TSE
+	{0x04B6, 0x04B6, prUpper},     // L&       CYRILLIC CAPITAL LETTER CHE WITH DESCENDER
+	{0x04B7, 0x04B7, prLower},     // L&       CYRILLIC SMALL LETTER CHE WITH DESCENDER
+	{0x04B8, 0x04B8, prUpper},     // L&       CYRILLIC CAPITAL LETTER CHE WITH VERTICAL STROKE
+	{0x04B9, 0x04B9, prLower},     // L&       CYRILLIC SMALL LETTER CHE WITH VERTICAL STROKE
+	{0x04BA, 0x04BA, prUpper},     // L&       CYRILLIC CAPITAL LETTER SHHA
+	{0x04BB, 0x04BB, prLower},     // L&       CYRILLIC SMALL LETTER SHHA
+	{0x04BC, 0x04BC, prUpper},     // L&       CYRILLIC CAPITAL LETTER ABKHASIAN CHE
+	{0x04BD, 0x04BD, prLower},     // L&       CYRILLIC SMALL LETTER ABKHASIAN CHE
+	{0x04BE, 0x04BE, prUpper},     // L&       CYRILLIC CAPITAL LETTER ABKHASIAN CHE WITH DESCENDER
+	{0x04BF, 0x04BF, prLower},     // L&       CYRILLIC SMALL LETTER ABKHASIAN CHE WITH DESCENDER
+	{0x04C0, 0x04C1, prUpper},     // L&   [2] CYRILLIC LETTER PALOCHKA..CYRILLIC CAPITAL LETTER ZHE WITH BREVE
+	{0x04C2, 0x04C2, prLower},     // L&       CYRILLIC SMALL LETTER ZHE WITH BREVE
+	{0x04C3, 0x04C3, prUpper},     // L&       CYRILLIC CAPITAL LETTER KA WITH HOOK
+	{0x04C4, 0x04C4, prLower},     // L&       CYRILLIC SMALL LETTER KA WITH HOOK
+	{0x04C5, 0x04C5, prUpper},     // L&       CYRILLIC CAPITAL LETTER EL WITH TAIL
+	{0x04C6, 0x04C6, prLower},     // L&       CYRILLIC SMALL LETTER EL WITH TAIL
+	{0x04C7, 0x04C7, prUpper},     // L&       CYRILLIC CAPITAL LETTER EN WITH HOOK
+	{0x04C8, 0x04C8, prLower},     // L&       CYRILLIC SMALL LETTER EN WITH HOOK
+	{0x04C9, 0x04C9, prUpper},     // L&       CYRILLIC CAPITAL LETTER EN WITH TAIL
+	{0x04CA, 0x04CA, prLower},     // L&       CYRILLIC SMALL LETTER EN WITH TAIL
+	{0x04CB, 0x04CB, prUpper},     // L&       CYRILLIC CAPITAL LETTER KHAKASSIAN CHE
+	{0x04CC, 0x04CC, prLower},     // L&       CYRILLIC SMALL LETTER KHAKASSIAN CHE
+	{0x04CD, 0x04CD, prUpper},     // L&       CYRILLIC CAPITAL LETTER EM WITH TAIL
+	{0x04CE, 0x04CF, prLower},     // L&   [2] CYRILLIC SMALL LETTER EM WITH TAIL..CYRILLIC SMALL LETTER PALOCHKA
+	{0x04D0, 0x04D0, prUpper},     // L&       CYRILLIC CAPITAL LETTER A WITH BREVE
+	{0x04D1, 0x04D1, prLower},     // L&       CYRILLIC SMALL LETTER A WITH BREVE
+	{0x04D2, 0x04D2, prUpper},     // L&       CYRILLIC CAPITAL LETTER A WITH DIAERESIS
+	{0x04D3, 0x04D3, prLower},     // L&       CYRILLIC SMALL LETTER A WITH DIAERESIS
+	{0x04D4, 0x04D4, prUpper},     // L&       CYRILLIC CAPITAL LIGATURE A IE
+	{0x04D5, 0x04D5, prLower},     // L&       CYRILLIC SMALL LIGATURE A IE
+	{0x04D6, 0x04D6, prUpper},     // L&       CYRILLIC CAPITAL LETTER IE WITH BREVE
+	{0x04D7, 0x04D7, prLower},     // L&       CYRILLIC SMALL LETTER IE WITH BREVE
+	{0x04D8, 0x04D8, prUpper},     // L&       CYRILLIC CAPITAL LETTER SCHWA
+	{0x04D9, 0x04D9, prLower},     // L&       CYRILLIC SMALL LETTER SCHWA
+	{0x04DA, 0x04DA, prUpper},     // L&       CYRILLIC CAPITAL LETTER SCHWA WITH DIAERESIS
+	{0x04DB, 0x04DB, prLower},     // L&       CYRILLIC SMALL LETTER SCHWA WITH DIAERESIS
+	{0x04DC, 0x04DC, prUpper},     // L&       CYRILLIC CAPITAL LETTER ZHE WITH DIAERESIS
+	{0x04DD, 0x04DD, prLower},     // L&       CYRILLIC SMALL LETTER ZHE WITH DIAERESIS
+	{0x04DE, 0x04DE, prUpper},     // L&       CYRILLIC CAPITAL LETTER ZE WITH DIAERESIS
+	{0x04DF, 0x04DF, prLower},     // L&       CYRILLIC SMALL LETTER ZE WITH DIAERESIS
+	{0x04E0, 0x04E0, prUpper},     // L&       CYRILLIC CAPITAL LETTER ABKHASIAN DZE
+	{0x04E1, 0x04E1, prLower},     // L&       CYRILLIC SMALL LETTER ABKHASIAN DZE
+	{0x04E2, 0x04E2, prUpper},     // L&       CYRILLIC CAPITAL LETTER I WITH MACRON
+	{0x04E3, 0x04E3, prLower},     // L&       CYRILLIC SMALL LETTER I WITH MACRON
+	{0x04E4, 0x04E4, prUpper},     // L&       CYRILLIC CAPITAL LETTER I WITH DIAERESIS
+	{0x04E5, 0x04E5, prLower},     // L&       CYRILLIC SMALL LETTER I WITH DIAERESIS
+	{0x04E6, 0x04E6, prUpper},     // L&       CYRILLIC CAPITAL LETTER O WITH DIAERESIS
+	{0x04E7, 0x04E7, prLower},     // L&       CYRILLIC SMALL LETTER O WITH DIAERESIS
+	{0x04E8, 0x04E8, prUpper},     // L&       CYRILLIC CAPITAL LETTER BARRED O
+	{0x04E9, 0x04E9, prLower},     // L&       CYRILLIC SMALL LETTER BARRED O
+	{0x04EA, 0x04EA, prUpper},     // L&       CYRILLIC CAPITAL LETTER BARRED O WITH DIAERESIS
+	{0x04EB, 0x04EB, prLower},     // L&       CYRILLIC SMALL LETTER BARRED O WITH DIAERESIS
+	{0x04EC, 0x04EC, prUpper},     // L&       CYRILLIC CAPITAL LETTER E WITH DIAERESIS
+	{0x04ED, 0x04ED, prLower},     // L&       CYRILLIC SMALL LETTER E WITH DIAERESIS
+	{0x04EE, 0x04EE, prUpper},     // L&       CYRILLIC CAPITAL LETTER U WITH MACRON
+	{0x04EF, 0x04EF, prLower},     // L&       CYRILLIC SMALL LETTER U WITH MACRON
+	{0x04F0, 0x04F0, prUpper},     // L&       CYRILLIC CAPITAL LETTER U WITH DIAERESIS
+	{0x04F1, 0x04F1, prLower},     // L&       CYRILLIC SMALL LETTER U WITH DIAERESIS
+	{0x04F2, 0x04F2, prUpper},     // L&       CYRILLIC CAPITAL LETTER U WITH DOUBLE ACUTE
+	{0x04F3, 0x04F3, prLower},     // L&       CYRILLIC SMALL LETTER U WITH DOUBLE ACUTE
+	{0x04F4, 0x04F4, prUpper},     // L&       CYRILLIC CAPITAL LETTER CHE WITH DIAERESIS
+	{0x04F5, 0x04F5, prLower},     // L&       CYRILLIC SMALL LETTER CHE WITH DIAERESIS
+	{0x04F6, 0x04F6, prUpper},     // L&       CYRILLIC CAPITAL LETTER GHE WITH DESCENDER
+	{0x04F7, 0x04F7, prLower},     // L&       CYRILLIC SMALL LETTER GHE WITH DESCENDER
+	{0x04F8, 0x04F8, prUpper},     // L&       CYRILLIC CAPITAL LETTER YERU WITH DIAERESIS
+	{0x04F9, 0x04F9, prLower},     // L&       CYRILLIC SMALL LETTER YERU WITH DIAERESIS
+	{0x04FA, 0x04FA, prUpper},     // L&       CYRILLIC CAPITAL LETTER GHE WITH STROKE AND HOOK
+	{0x04FB, 0x04FB, prLower},     // L&       CYRILLIC SMALL LETTER GHE WITH STROKE AND HOOK
+	{0x04FC, 0x04FC, prUpper},     // L&       CYRILLIC CAPITAL LETTER HA WITH HOOK
+	{0x04FD, 0x04FD, prLower},     // L&       CYRILLIC SMALL LETTER HA WITH HOOK
+	{0x04FE, 0x04FE, prUpper},     // L&       CYRILLIC CAPITAL LETTER HA WITH STROKE
+	{0x04FF, 0x04FF, prLower},     // L&       CYRILLIC SMALL LETTER HA WITH STROKE
+	{0x0500, 0x0500, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOMI DE
+	{0x0501, 0x0501, prLower},     // L&       CYRILLIC SMALL LETTER KOMI DE
+	{0x0502, 0x0502, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOMI DJE
+	{0x0503, 0x0503, prLower},     // L&       CYRILLIC SMALL LETTER KOMI DJE
+	{0x0504, 0x0504, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOMI ZJE
+	{0x0505, 0x0505, prLower},     // L&       CYRILLIC SMALL LETTER KOMI ZJE
+	{0x0506, 0x0506, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOMI DZJE
+	{0x0507, 0x0507, prLower},     // L&       CYRILLIC SMALL LETTER KOMI DZJE
+	{0x0508, 0x0508, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOMI LJE
+	{0x0509, 0x0509, prLower},     // L&       CYRILLIC SMALL LETTER KOMI LJE
+	{0x050A, 0x050A, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOMI NJE
+	{0x050B, 0x050B, prLower},     // L&       CYRILLIC SMALL LETTER KOMI NJE
+	{0x050C, 0x050C, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOMI SJE
+	{0x050D, 0x050D, prLower},     // L&       CYRILLIC SMALL LETTER KOMI SJE
+	{0x050E, 0x050E, prUpper},     // L&       CYRILLIC CAPITAL LETTER KOMI TJE
+	{0x050F, 0x050F, prLower},     // L&       CYRILLIC SMALL LETTER KOMI TJE
+	{0x0510, 0x0510, prUpper},     // L&       CYRILLIC CAPITAL LETTER REVERSED ZE
+	{0x0511, 0x0511, prLower},     // L&       CYRILLIC SMALL LETTER REVERSED ZE
+	{0x0512, 0x0512, prUpper},     // L&       CYRILLIC CAPITAL LETTER EL WITH HOOK
+	{0x0513, 0x0513, prLower},     // L&       CYRILLIC SMALL LETTER EL WITH HOOK
+	{0x0514, 0x0514, prUpper},     // L&       CYRILLIC CAPITAL LETTER LHA
+	{0x0515, 0x0515, prLower},     // L&       CYRILLIC SMALL LETTER LHA
+	{0x0516, 0x0516, prUpper},     // L&       CYRILLIC CAPITAL LETTER RHA
+	{0x0517, 0x0517, prLower},     // L&       CYRILLIC SMALL LETTER RHA
+	{0x0518, 0x0518, prUpper},     // L&       CYRILLIC CAPITAL LETTER YAE
+	{0x0519, 0x0519, prLower},     // L&       CYRILLIC SMALL LETTER YAE
+	{0x051A, 0x051A, prUpper},     // L&       CYRILLIC CAPITAL LETTER QA
+	{0x051B, 0x051B, prLower},     // L&       CYRILLIC SMALL LETTER QA
+	{0x051C, 0x051C, prUpper},     // L&       CYRILLIC CAPITAL LETTER WE
+	{0x051D, 0x051D, prLower},     // L&       CYRILLIC SMALL LETTER WE
+	{0x051E, 0x051E, prUpper},     // L&       CYRILLIC CAPITAL LETTER ALEUT KA
+	{0x051F, 0x051F, prLower},     // L&       CYRILLIC SMALL LETTER ALEUT KA
+	{0x0520, 0x0520, prUpper},     // L&       CYRILLIC CAPITAL LETTER EL WITH MIDDLE HOOK
+	{0x0521, 0x0521, prLower},     // L&       CYRILLIC SMALL LETTER EL WITH MIDDLE HOOK
+	{0x0522, 0x0522, prUpper},     // L&       CYRILLIC CAPITAL LETTER EN WITH MIDDLE HOOK
+	{0x0523, 0x0523, prLower},     // L&       CYRILLIC SMALL LETTER EN WITH MIDDLE HOOK
+	{0x0524, 0x0524, prUpper},     // L&       CYRILLIC CAPITAL LETTER PE WITH DESCENDER
+	{0x0525, 0x0525, prLower},     // L&       CYRILLIC SMALL LETTER PE WITH DESCENDER
+	{0x0526, 0x0526, prUpper},     // L&       CYRILLIC CAPITAL LETTER SHHA WITH DESCENDER
+	{0x0527, 0x0527, prLower},     // L&       CYRILLIC SMALL LETTER SHHA WITH DESCENDER
+	{0x0528, 0x0528, prUpper},     // L&       CYRILLIC CAPITAL LETTER EN WITH LEFT HOOK
+	{0x0529, 0x0529, prLower},     // L&       CYRILLIC SMALL LETTER EN WITH LEFT HOOK
+	{0x052A, 0x052A, prUpper},     // L&       CYRILLIC CAPITAL LETTER DZZHE
+	{0x052B, 0x052B, prLower},     // L&       CYRILLIC SMALL LETTER DZZHE
+	{0x052C, 0x052C, prUpper},     // L&       CYRILLIC CAPITAL LETTER DCHE
+	{0x052D, 0x052D, prLower},     // L&       CYRILLIC SMALL LETTER DCHE
+	{0x052E, 0x052E, prUpper},     // L&       CYRILLIC CAPITAL LETTER EL WITH DESCENDER
+	{0x052F, 0x052F, prLower},     // L&       CYRILLIC SMALL LETTER EL WITH DESCENDER
+	{0x0531, 0x0556, prUpper},     // L&  [38] ARMENIAN CAPITAL LETTER AYB..ARMENIAN CAPITAL LETTER FEH
+	{0x0559, 0x0559, prOLetter},   // Lm       ARMENIAN MODIFIER LETTER LEFT HALF RING
+	{0x055D, 0x055D, prSContinue}, // Po       ARMENIAN COMMA
+	{0x0560, 0x0588, prLower},     // L&  [41] ARMENIAN SMALL LETTER TURNED AYB..ARMENIAN SMALL LETTER YI WITH STROKE
+	{0x0589, 0x0589, prSTerm},     // Po       ARMENIAN FULL STOP
+	{0x0591, 0x05BD, prExtend},    // Mn  [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG
+	{0x05BF, 0x05BF, prExtend},    // Mn       HEBREW POINT RAFE
+	{0x05C1, 0x05C2, prExtend},    // Mn   [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT
+	{0x05C4, 0x05C5, prExtend},    // Mn   [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT
+	{0x05C7, 0x05C7, prExtend},    // Mn       HEBREW POINT QAMATS QATAN
+	{0x05D0, 0x05EA, prOLetter},   // Lo  [27] HEBREW LETTER ALEF..HEBREW LETTER TAV
+	{0x05EF, 0x05F2, prOLetter},   // Lo   [4] HEBREW YOD TRIANGLE..HEBREW LIGATURE YIDDISH DOUBLE YOD
+	{0x05F3, 0x05F3, prOLetter},   // Po       HEBREW PUNCTUATION GERESH
+	{0x0600, 0x0605, prFormat},    // Cf   [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE
+	{0x060C, 0x060D, prSContinue}, // Po   [2] ARABIC COMMA..ARABIC DATE SEPARATOR
+	{0x0610, 0x061A, prExtend},    // Mn  [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA
+	{0x061C, 0x061C, prFormat},    // Cf       ARABIC LETTER MARK
+	{0x061D, 0x061F, prSTerm},     // Po   [3] ARABIC END OF TEXT MARK..ARABIC QUESTION MARK
+	{0x0620, 0x063F, prOLetter},   // Lo  [32] ARABIC LETTER KASHMIRI YEH..ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE
+	{0x0640, 0x0640, prOLetter},   // Lm       ARABIC TATWEEL
+	{0x0641, 0x064A, prOLetter},   // Lo  [10] ARABIC LETTER FEH..ARABIC LETTER YEH
+	{0x064B, 0x065F, prExtend},    // Mn  [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW
+	{0x0660, 0x0669, prNumeric},   // Nd  [10] ARABIC-INDIC DIGIT ZERO..ARABIC-INDIC DIGIT NINE
+	{0x066B, 0x066C, prNumeric},   // Po   [2] ARABIC DECIMAL SEPARATOR..ARABIC THOUSANDS SEPARATOR
+	{0x066E, 0x066F, prOLetter},   // Lo   [2] ARABIC LETTER DOTLESS BEH..ARABIC LETTER DOTLESS QAF
+	{0x0670, 0x0670, prExtend},    // Mn       ARABIC LETTER SUPERSCRIPT ALEF
+	{0x0671, 0x06D3, prOLetter},   // Lo  [99] ARABIC LETTER ALEF WASLA..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE
+	{0x06D4, 0x06D4, prSTerm},     // Po       ARABIC FULL STOP
+	{0x06D5, 0x06D5, prOLetter},   // Lo       ARABIC LETTER AE
+	{0x06D6, 0x06DC, prExtend},    // Mn   [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN
+	{0x06DD, 0x06DD, prFormat},    // Cf       ARABIC END OF AYAH
+	{0x06DF, 0x06E4, prExtend},    // Mn   [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA
+	{0x06E5, 0x06E6, prOLetter},   // Lm   [2] ARABIC SMALL WAW..ARABIC SMALL YEH
+	{0x06E7, 0x06E8, prExtend},    // Mn   [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON
+	{0x06EA, 0x06ED, prExtend},    // Mn   [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM
+	{0x06EE, 0x06EF, prOLetter},   // Lo   [2] ARABIC LETTER DAL WITH INVERTED V..ARABIC LETTER REH WITH INVERTED V
+	{0x06F0, 0x06F9, prNumeric},   // Nd  [10] EXTENDED ARABIC-INDIC DIGIT ZERO..EXTENDED ARABIC-INDIC DIGIT NINE
+	{0x06FA, 0x06FC, prOLetter},   // Lo   [3] ARABIC LETTER SHEEN WITH DOT BELOW..ARABIC LETTER GHAIN WITH DOT BELOW
+	{0x06FF, 0x06FF, prOLetter},   // Lo       ARABIC LETTER HEH WITH INVERTED V
+	{0x0700, 0x0702, prSTerm},     // Po   [3] SYRIAC END OF PARAGRAPH..SYRIAC SUBLINEAR FULL STOP
+	{0x070F, 0x070F, prFormat},    // Cf       SYRIAC ABBREVIATION MARK
+	{0x0710, 0x0710, prOLetter},   // Lo       SYRIAC LETTER ALAPH
+	{0x0711, 0x0711, prExtend},    // Mn       SYRIAC LETTER SUPERSCRIPT ALAPH
+	{0x0712, 0x072F, prOLetter},   // Lo  [30] SYRIAC LETTER BETH..SYRIAC LETTER PERSIAN DHALATH
+	{0x0730, 0x074A, prExtend},    // Mn  [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH
+	{0x074D, 0x07A5, prOLetter},   // Lo  [89] SYRIAC LETTER SOGDIAN ZHAIN..THAANA LETTER WAAVU
+	{0x07A6, 0x07B0, prExtend},    // Mn  [11] THAANA ABAFILI..THAANA SUKUN
+	{0x07B1, 0x07B1, prOLetter},   // Lo       THAANA LETTER NAA
+	{0x07C0, 0x07C9, prNumeric},   // Nd  [10] NKO DIGIT ZERO..NKO DIGIT NINE
+	{0x07CA, 0x07EA, prOLetter},   // Lo  [33] NKO LETTER A..NKO LETTER JONA RA
+	{0x07EB, 0x07F3, prExtend},    // Mn   [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE
+	{0x07F4, 0x07F5, prOLetter},   // Lm   [2] NKO HIGH TONE APOSTROPHE..NKO LOW TONE APOSTROPHE
+	{0x07F8, 0x07F8, prSContinue}, // Po       NKO COMMA
+	{0x07F9, 0x07F9, prSTerm},     // Po       NKO EXCLAMATION MARK
+	{0x07FA, 0x07FA, prOLetter},   // Lm       NKO LAJANYALAN
+	{0x07FD, 0x07FD, prExtend},    // Mn       NKO DANTAYALAN
+	{0x0800, 0x0815, prOLetter},   // Lo  [22] SAMARITAN LETTER ALAF..SAMARITAN LETTER TAAF
+	{0x0816, 0x0819, prExtend},    // Mn   [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH
+	{0x081A, 0x081A, prOLetter},   // Lm       SAMARITAN MODIFIER LETTER EPENTHETIC YUT
+	{0x081B, 0x0823, prExtend},    // Mn   [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A
+	{0x0824, 0x0824, prOLetter},   // Lm       SAMARITAN MODIFIER LETTER SHORT A
+	{0x0825, 0x0827, prExtend},    // Mn   [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U
+	{0x0828, 0x0828, prOLetter},   // Lm       SAMARITAN MODIFIER LETTER I
+	{0x0829, 0x082D, prExtend},    // Mn   [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA
+	{0x0837, 0x0837, prSTerm},     // Po       SAMARITAN PUNCTUATION MELODIC QITSA
+	{0x0839, 0x0839, prSTerm},     // Po       SAMARITAN PUNCTUATION QITSA
+	{0x083D, 0x083E, prSTerm},     // Po   [2] SAMARITAN PUNCTUATION SOF MASHFAAT..SAMARITAN PUNCTUATION ANNAAU
+	{0x0840, 0x0858, prOLetter},   // Lo  [25] MANDAIC LETTER HALQA..MANDAIC LETTER AIN
+	{0x0859, 0x085B, prExtend},    // Mn   [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK
+	{0x0860, 0x086A, prOLetter},   // Lo  [11] SYRIAC LETTER MALAYALAM NGA..SYRIAC LETTER MALAYALAM SSA
+	{0x0870, 0x0887, prOLetter},   // Lo  [24] ARABIC LETTER ALEF WITH ATTACHED FATHA..ARABIC BASELINE ROUND DOT
+	{0x0889, 0x088E, prOLetter},   // Lo   [6] ARABIC LETTER NOON WITH INVERTED SMALL V..ARABIC VERTICAL TAIL
+	{0x0890, 0x0891, prFormat},    // Cf   [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE
+	{0x0898, 0x089F, prExtend},    // Mn   [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA
+	{0x08A0, 0x08C8, prOLetter},   // Lo  [41] ARABIC LETTER BEH WITH SMALL V BELOW..ARABIC LETTER GRAF
+	{0x08C9, 0x08C9, prOLetter},   // Lm       ARABIC SMALL FARSI YEH
+	{0x08CA, 0x08E1, prExtend},    // Mn  [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA
+	{0x08E2, 0x08E2, prFormat},    // Cf       ARABIC DISPUTED END OF AYAH
+	{0x08E3, 0x0902, prExtend},    // Mn  [32] ARABIC TURNED DAMMA BELOW..DEVANAGARI SIGN ANUSVARA
+	{0x0903, 0x0903, prExtend},    // Mc       DEVANAGARI SIGN VISARGA
+	{0x0904, 0x0939, prOLetter},   // Lo  [54] DEVANAGARI LETTER SHORT A..DEVANAGARI LETTER HA
+	{0x093A, 0x093A, prExtend},    // Mn       DEVANAGARI VOWEL SIGN OE
+	{0x093B, 0x093B, prExtend},    // Mc       DEVANAGARI VOWEL SIGN OOE
+	{0x093C, 0x093C, prExtend},    // Mn       DEVANAGARI SIGN NUKTA
+	{0x093D, 0x093D, prOLetter},   // Lo       DEVANAGARI SIGN AVAGRAHA
+	{0x093E, 0x0940, prExtend},    // Mc   [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II
+	{0x0941, 0x0948, prExtend},    // Mn   [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI
+	{0x0949, 0x094C, prExtend},    // Mc   [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU
+	{0x094D, 0x094D, prExtend},    // Mn       DEVANAGARI SIGN VIRAMA
+	{0x094E, 0x094F, prExtend},    // Mc   [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW
+	{0x0950, 0x0950, prOLetter},   // Lo       DEVANAGARI OM
+	{0x0951, 0x0957, prExtend},    // Mn   [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE
+	{0x0958, 0x0961, prOLetter},   // Lo  [10] DEVANAGARI LETTER QA..DEVANAGARI LETTER VOCALIC LL
+	{0x0962, 0x0963, prExtend},    // Mn   [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL
+	{0x0964, 0x0965, prSTerm},     // Po   [2] DEVANAGARI DANDA..DEVANAGARI DOUBLE DANDA
+	{0x0966, 0x096F, prNumeric},   // Nd  [10] DEVANAGARI DIGIT ZERO..DEVANAGARI DIGIT NINE
+	{0x0971, 0x0971, prOLetter},   // Lm       DEVANAGARI SIGN HIGH SPACING DOT
+	{0x0972, 0x0980, prOLetter},   // Lo  [15] DEVANAGARI LETTER CANDRA A..BENGALI ANJI
+	{0x0981, 0x0981, prExtend},    // Mn       BENGALI SIGN CANDRABINDU
+	{0x0982, 0x0983, prExtend},    // Mc   [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA
+	{0x0985, 0x098C, prOLetter},   // Lo   [8] BENGALI LETTER A..BENGALI LETTER VOCALIC L
+	{0x098F, 0x0990, prOLetter},   // Lo   [2] BENGALI LETTER E..BENGALI LETTER AI
+	{0x0993, 0x09A8, prOLetter},   // Lo  [22] BENGALI LETTER O..BENGALI LETTER NA
+	{0x09AA, 0x09B0, prOLetter},   // Lo   [7] BENGALI LETTER PA..BENGALI LETTER RA
+	{0x09B2, 0x09B2, prOLetter},   // Lo       BENGALI LETTER LA
+	{0x09B6, 0x09B9, prOLetter},   // Lo   [4] BENGALI LETTER SHA..BENGALI LETTER HA
+	{0x09BC, 0x09BC, prExtend},    // Mn       BENGALI SIGN NUKTA
+	{0x09BD, 0x09BD, prOLetter},   // Lo       BENGALI SIGN AVAGRAHA
+	{0x09BE, 0x09C0, prExtend},    // Mc   [3] BENGALI VOWEL SIGN AA..BENGALI VOWEL SIGN II
+	{0x09C1, 0x09C4, prExtend},    // Mn   [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR
+	{0x09C7, 0x09C8, prExtend},    // Mc   [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI
+	{0x09CB, 0x09CC, prExtend},    // Mc   [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU
+	{0x09CD, 0x09CD, prExtend},    // Mn       BENGALI SIGN VIRAMA
+	{0x09CE, 0x09CE, prOLetter},   // Lo       BENGALI LETTER KHANDA TA
+	{0x09D7, 0x09D7, prExtend},    // Mc       BENGALI AU LENGTH MARK
+	{0x09DC, 0x09DD, prOLetter},   // Lo   [2] BENGALI LETTER RRA..BENGALI LETTER RHA
+	{0x09DF, 0x09E1, prOLetter},   // Lo   [3] BENGALI LETTER YYA..BENGALI LETTER VOCALIC LL
+	{0x09E2, 0x09E3, prExtend},    // Mn   [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL
+	{0x09E6, 0x09EF, prNumeric},   // Nd  [10] BENGALI DIGIT ZERO..BENGALI DIGIT NINE
+	{0x09F0, 0x09F1, prOLetter},   // Lo   [2] BENGALI LETTER RA WITH MIDDLE DIAGONAL..BENGALI LETTER RA WITH LOWER DIAGONAL
+	{0x09FC, 0x09FC, prOLetter},   // Lo       BENGALI LETTER VEDIC ANUSVARA
+	{0x09FE, 0x09FE, prExtend},    // Mn       BENGALI SANDHI MARK
+	{0x0A01, 0x0A02, prExtend},    // Mn   [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI
+	{0x0A03, 0x0A03, prExtend},    // Mc       GURMUKHI SIGN VISARGA
+	{0x0A05, 0x0A0A, prOLetter},   // Lo   [6] GURMUKHI LETTER A..GURMUKHI LETTER UU
+	{0x0A0F, 0x0A10, prOLetter},   // Lo   [2] GURMUKHI LETTER EE..GURMUKHI LETTER AI
+	{0x0A13, 0x0A28, prOLetter},   // Lo  [22] GURMUKHI LETTER OO..GURMUKHI LETTER NA
+	{0x0A2A, 0x0A30, prOLetter},   // Lo   [7] GURMUKHI LETTER PA..GURMUKHI LETTER RA
+	{0x0A32, 0x0A33, prOLetter},   // Lo   [2] GURMUKHI LETTER LA..GURMUKHI LETTER LLA
+	{0x0A35, 0x0A36, prOLetter},   // Lo   [2] GURMUKHI LETTER VA..GURMUKHI LETTER SHA
+	{0x0A38, 0x0A39, prOLetter},   // Lo   [2] GURMUKHI LETTER SA..GURMUKHI LETTER HA
+	{0x0A3C, 0x0A3C, prExtend},    // Mn       GURMUKHI SIGN NUKTA
+	{0x0A3E, 0x0A40, prExtend},    // Mc   [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II
+	{0x0A41, 0x0A42, prExtend},    // Mn   [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU
+	{0x0A47, 0x0A48, prExtend},    // Mn   [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI
+	{0x0A4B, 0x0A4D, prExtend},    // Mn   [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA
+	{0x0A51, 0x0A51, prExtend},    // Mn       GURMUKHI SIGN UDAAT
+	{0x0A59, 0x0A5C, prOLetter},   // Lo   [4] GURMUKHI LETTER KHHA..GURMUKHI LETTER RRA
+	{0x0A5E, 0x0A5E, prOLetter},   // Lo       GURMUKHI LETTER FA
+	{0x0A66, 0x0A6F, prNumeric},   // Nd  [10] GURMUKHI DIGIT ZERO..GURMUKHI DIGIT NINE
+	{0x0A70, 0x0A71, prExtend},    // Mn   [2] GURMUKHI TIPPI..GURMUKHI ADDAK
+	{0x0A72, 0x0A74, prOLetter},   // Lo   [3] GURMUKHI IRI..GURMUKHI EK ONKAR
+	{0x0A75, 0x0A75, prExtend},    // Mn       GURMUKHI SIGN YAKASH
+	{0x0A81, 0x0A82, prExtend},    // Mn   [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA
+	{0x0A83, 0x0A83, prExtend},    // Mc       GUJARATI SIGN VISARGA
+	{0x0A85, 0x0A8D, prOLetter},   // Lo   [9] GUJARATI LETTER A..GUJARATI VOWEL CANDRA E
+	{0x0A8F, 0x0A91, prOLetter},   // Lo   [3] GUJARATI LETTER E..GUJARATI VOWEL CANDRA O
+	{0x0A93, 0x0AA8, prOLetter},   // Lo  [22] GUJARATI LETTER O..GUJARATI LETTER NA
+	{0x0AAA, 0x0AB0, prOLetter},   // Lo   [7] GUJARATI LETTER PA..GUJARATI LETTER RA
+	{0x0AB2, 0x0AB3, prOLetter},   // Lo   [2] GUJARATI LETTER LA..GUJARATI LETTER LLA
+	{0x0AB5, 0x0AB9, prOLetter},   // Lo   [5] GUJARATI LETTER VA..GUJARATI LETTER HA
+	{0x0ABC, 0x0ABC, prExtend},    // Mn       GUJARATI SIGN NUKTA
+	{0x0ABD, 0x0ABD, prOLetter},   // Lo       GUJARATI SIGN AVAGRAHA
+	{0x0ABE, 0x0AC0, prExtend},    // Mc   [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II
+	{0x0AC1, 0x0AC5, prExtend},    // Mn   [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E
+	{0x0AC7, 0x0AC8, prExtend},    // Mn   [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI
+	{0x0AC9, 0x0AC9, prExtend},    // Mc       GUJARATI VOWEL SIGN CANDRA O
+	{0x0ACB, 0x0ACC, prExtend},    // Mc   [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU
+	{0x0ACD, 0x0ACD, prExtend},    // Mn       GUJARATI SIGN VIRAMA
+	{0x0AD0, 0x0AD0, prOLetter},   // Lo       GUJARATI OM
+	{0x0AE0, 0x0AE1, prOLetter},   // Lo   [2] GUJARATI LETTER VOCALIC RR..GUJARATI LETTER VOCALIC LL
+	{0x0AE2, 0x0AE3, prExtend},    // Mn   [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL
+	{0x0AE6, 0x0AEF, prNumeric},   // Nd  [10] GUJARATI DIGIT ZERO..GUJARATI DIGIT NINE
+	{0x0AF9, 0x0AF9, prOLetter},   // Lo       GUJARATI LETTER ZHA
+	{0x0AFA, 0x0AFF, prExtend},    // Mn   [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+	{0x0B01, 0x0B01, prExtend},    // Mn       ORIYA SIGN CANDRABINDU
+	{0x0B02, 0x0B03, prExtend},    // Mc   [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA
+	{0x0B05, 0x0B0C, prOLetter},   // Lo   [8] ORIYA LETTER A..ORIYA LETTER VOCALIC L
+	{0x0B0F, 0x0B10, prOLetter},   // Lo   [2] ORIYA LETTER E..ORIYA LETTER AI
+	{0x0B13, 0x0B28, prOLetter},   // Lo  [22] ORIYA LETTER O..ORIYA LETTER NA
+	{0x0B2A, 0x0B30, prOLetter},   // Lo   [7] ORIYA LETTER PA..ORIYA LETTER RA
+	{0x0B32, 0x0B33, prOLetter},   // Lo   [2] ORIYA LETTER LA..ORIYA LETTER LLA
+	{0x0B35, 0x0B39, prOLetter},   // Lo   [5] ORIYA LETTER VA..ORIYA LETTER HA
+	{0x0B3C, 0x0B3C, prExtend},    // Mn       ORIYA SIGN NUKTA
+	{0x0B3D, 0x0B3D, prOLetter},   // Lo       ORIYA SIGN AVAGRAHA
+	{0x0B3E, 0x0B3E, prExtend},    // Mc       ORIYA VOWEL SIGN AA
+	{0x0B3F, 0x0B3F, prExtend},    // Mn       ORIYA VOWEL SIGN I
+	{0x0B40, 0x0B40, prExtend},    // Mc       ORIYA VOWEL SIGN II
+	{0x0B41, 0x0B44, prExtend},    // Mn   [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR
+	{0x0B47, 0x0B48, prExtend},    // Mc   [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI
+	{0x0B4B, 0x0B4C, prExtend},    // Mc   [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU
+	{0x0B4D, 0x0B4D, prExtend},    // Mn       ORIYA SIGN VIRAMA
+	{0x0B55, 0x0B56, prExtend},    // Mn   [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK
+	{0x0B57, 0x0B57, prExtend},    // Mc       ORIYA AU LENGTH MARK
+	{0x0B5C, 0x0B5D, prOLetter},   // Lo   [2] ORIYA LETTER RRA..ORIYA LETTER RHA
+	{0x0B5F, 0x0B61, prOLetter},   // Lo   [3] ORIYA LETTER YYA..ORIYA LETTER VOCALIC LL
+	{0x0B62, 0x0B63, prExtend},    // Mn   [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL
+	{0x0B66, 0x0B6F, prNumeric},   // Nd  [10] ORIYA DIGIT ZERO..ORIYA DIGIT NINE
+	{0x0B71, 0x0B71, prOLetter},   // Lo       ORIYA LETTER WA
+	{0x0B82, 0x0B82, prExtend},    // Mn       TAMIL SIGN ANUSVARA
+	{0x0B83, 0x0B83, prOLetter},   // Lo       TAMIL SIGN VISARGA
+	{0x0B85, 0x0B8A, prOLetter},   // Lo   [6] TAMIL LETTER A..TAMIL LETTER UU
+	{0x0B8E, 0x0B90, prOLetter},   // Lo   [3] TAMIL LETTER E..TAMIL LETTER AI
+	{0x0B92, 0x0B95, prOLetter},   // Lo   [4] TAMIL LETTER O..TAMIL LETTER KA
+	{0x0B99, 0x0B9A, prOLetter},   // Lo   [2] TAMIL LETTER NGA..TAMIL LETTER CA
+	{0x0B9C, 0x0B9C, prOLetter},   // Lo       TAMIL LETTER JA
+	{0x0B9E, 0x0B9F, prOLetter},   // Lo   [2] TAMIL LETTER NYA..TAMIL LETTER TTA
+	{0x0BA3, 0x0BA4, prOLetter},   // Lo   [2] TAMIL LETTER NNA..TAMIL LETTER TA
+	{0x0BA8, 0x0BAA, prOLetter},   // Lo   [3] TAMIL LETTER NA..TAMIL LETTER PA
+	{0x0BAE, 0x0BB9, prOLetter},   // Lo  [12] TAMIL LETTER MA..TAMIL LETTER HA
+	{0x0BBE, 0x0BBF, prExtend},    // Mc   [2] TAMIL VOWEL SIGN AA..TAMIL VOWEL SIGN I
+	{0x0BC0, 0x0BC0, prExtend},    // Mn       TAMIL VOWEL SIGN II
+	{0x0BC1, 0x0BC2, prExtend},    // Mc   [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU
+	{0x0BC6, 0x0BC8, prExtend},    // Mc   [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI
+	{0x0BCA, 0x0BCC, prExtend},    // Mc   [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU
+	{0x0BCD, 0x0BCD, prExtend},    // Mn       TAMIL SIGN VIRAMA
+	{0x0BD0, 0x0BD0, prOLetter},   // Lo       TAMIL OM
+	{0x0BD7, 0x0BD7, prExtend},    // Mc       TAMIL AU LENGTH MARK
+	{0x0BE6, 0x0BEF, prNumeric},   // Nd  [10] TAMIL DIGIT ZERO..TAMIL DIGIT NINE
+	{0x0C00, 0x0C00, prExtend},    // Mn       TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	{0x0C01, 0x0C03, prExtend},    // Mc   [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA
+	{0x0C04, 0x0C04, prExtend},    // Mn       TELUGU SIGN COMBINING ANUSVARA ABOVE
+	{0x0C05, 0x0C0C, prOLetter},   // Lo   [8] TELUGU LETTER A..TELUGU LETTER VOCALIC L
+	{0x0C0E, 0x0C10, prOLetter},   // Lo   [3] TELUGU LETTER E..TELUGU LETTER AI
+	{0x0C12, 0x0C28, prOLetter},   // Lo  [23] TELUGU LETTER O..TELUGU LETTER NA
+	{0x0C2A, 0x0C39, prOLetter},   // Lo  [16] TELUGU LETTER PA..TELUGU LETTER HA
+	{0x0C3C, 0x0C3C, prExtend},    // Mn       TELUGU SIGN NUKTA
+	{0x0C3D, 0x0C3D, prOLetter},   // Lo       TELUGU SIGN AVAGRAHA
+	{0x0C3E, 0x0C40, prExtend},    // Mn   [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II
+	{0x0C41, 0x0C44, prExtend},    // Mc   [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR
+	{0x0C46, 0x0C48, prExtend},    // Mn   [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI
+	{0x0C4A, 0x0C4D, prExtend},    // Mn   [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA
+	{0x0C55, 0x0C56, prExtend},    // Mn   [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK
+	{0x0C58, 0x0C5A, prOLetter},   // Lo   [3] TELUGU LETTER TSA..TELUGU LETTER RRRA
+	{0x0C5D, 0x0C5D, prOLetter},   // Lo       TELUGU LETTER NAKAARA POLLU
+	{0x0C60, 0x0C61, prOLetter},   // Lo   [2] TELUGU LETTER VOCALIC RR..TELUGU LETTER VOCALIC LL
+	{0x0C62, 0x0C63, prExtend},    // Mn   [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL
+	{0x0C66, 0x0C6F, prNumeric},   // Nd  [10] TELUGU DIGIT ZERO..TELUGU DIGIT NINE
+	{0x0C80, 0x0C80, prOLetter},   // Lo       KANNADA SIGN SPACING CANDRABINDU
+	{0x0C81, 0x0C81, prExtend},    // Mn       KANNADA SIGN CANDRABINDU
+	{0x0C82, 0x0C83, prExtend},    // Mc   [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA
+	{0x0C85, 0x0C8C, prOLetter},   // Lo   [8] KANNADA LETTER A..KANNADA LETTER VOCALIC L
+	{0x0C8E, 0x0C90, prOLetter},   // Lo   [3] KANNADA LETTER E..KANNADA LETTER AI
+	{0x0C92, 0x0CA8, prOLetter},   // Lo  [23] KANNADA LETTER O..KANNADA LETTER NA
+	{0x0CAA, 0x0CB3, prOLetter},   // Lo  [10] KANNADA LETTER PA..KANNADA LETTER LLA
+	{0x0CB5, 0x0CB9, prOLetter},   // Lo   [5] KANNADA LETTER VA..KANNADA LETTER HA
+	{0x0CBC, 0x0CBC, prExtend},    // Mn       KANNADA SIGN NUKTA
+	{0x0CBD, 0x0CBD, prOLetter},   // Lo       KANNADA SIGN AVAGRAHA
+	{0x0CBE, 0x0CBE, prExtend},    // Mc       KANNADA VOWEL SIGN AA
+	{0x0CBF, 0x0CBF, prExtend},    // Mn       KANNADA VOWEL SIGN I
+	{0x0CC0, 0x0CC4, prExtend},    // Mc   [5] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN VOCALIC RR
+	{0x0CC6, 0x0CC6, prExtend},    // Mn       KANNADA VOWEL SIGN E
+	{0x0CC7, 0x0CC8, prExtend},    // Mc   [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI
+	{0x0CCA, 0x0CCB, prExtend},    // Mc   [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO
+	{0x0CCC, 0x0CCD, prExtend},    // Mn   [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA
+	{0x0CD5, 0x0CD6, prExtend},    // Mc   [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK
+	{0x0CDD, 0x0CDE, prOLetter},   // Lo   [2] KANNADA LETTER NAKAARA POLLU..KANNADA LETTER FA
+	{0x0CE0, 0x0CE1, prOLetter},   // Lo   [2] KANNADA LETTER VOCALIC RR..KANNADA LETTER VOCALIC LL
+	{0x0CE2, 0x0CE3, prExtend},    // Mn   [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL
+	{0x0CE6, 0x0CEF, prNumeric},   // Nd  [10] KANNADA DIGIT ZERO..KANNADA DIGIT NINE
+	{0x0CF1, 0x0CF2, prOLetter},   // Lo   [2] KANNADA SIGN JIHVAMULIYA..KANNADA SIGN UPADHMANIYA
+	{0x0CF3, 0x0CF3, prExtend},    // Mc       KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT
+	{0x0D00, 0x0D01, prExtend},    // Mn   [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU
+	{0x0D02, 0x0D03, prExtend},    // Mc   [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA
+	{0x0D04, 0x0D0C, prOLetter},   // Lo   [9] MALAYALAM LETTER VEDIC ANUSVARA..MALAYALAM LETTER VOCALIC L
+	{0x0D0E, 0x0D10, prOLetter},   // Lo   [3] MALAYALAM LETTER E..MALAYALAM LETTER AI
+	{0x0D12, 0x0D3A, prOLetter},   // Lo  [41] MALAYALAM LETTER O..MALAYALAM LETTER TTTA
+	{0x0D3B, 0x0D3C, prExtend},    // Mn   [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA
+	{0x0D3D, 0x0D3D, prOLetter},   // Lo       MALAYALAM SIGN AVAGRAHA
+	{0x0D3E, 0x0D40, prExtend},    // Mc   [3] MALAYALAM VOWEL SIGN AA..MALAYALAM VOWEL SIGN II
+	{0x0D41, 0x0D44, prExtend},    // Mn   [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR
+	{0x0D46, 0x0D48, prExtend},    // Mc   [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI
+	{0x0D4A, 0x0D4C, prExtend},    // Mc   [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU
+	{0x0D4D, 0x0D4D, prExtend},    // Mn       MALAYALAM SIGN VIRAMA
+	{0x0D4E, 0x0D4E, prOLetter},   // Lo       MALAYALAM LETTER DOT REPH
+	{0x0D54, 0x0D56, prOLetter},   // Lo   [3] MALAYALAM LETTER CHILLU M..MALAYALAM LETTER CHILLU LLL
+	{0x0D57, 0x0D57, prExtend},    // Mc       MALAYALAM AU LENGTH MARK
+	{0x0D5F, 0x0D61, prOLetter},   // Lo   [3] MALAYALAM LETTER ARCHAIC II..MALAYALAM LETTER VOCALIC LL
+	{0x0D62, 0x0D63, prExtend},    // Mn   [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL
+	{0x0D66, 0x0D6F, prNumeric},   // Nd  [10] MALAYALAM DIGIT ZERO..MALAYALAM DIGIT NINE
+	{0x0D7A, 0x0D7F, prOLetter},   // Lo   [6] MALAYALAM LETTER CHILLU NN..MALAYALAM LETTER CHILLU K
+	{0x0D81, 0x0D81, prExtend},    // Mn       SINHALA SIGN CANDRABINDU
+	{0x0D82, 0x0D83, prExtend},    // Mc   [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA
+	{0x0D85, 0x0D96, prOLetter},   // Lo  [18] SINHALA LETTER AYANNA..SINHALA LETTER AUYANNA
+	{0x0D9A, 0x0DB1, prOLetter},   // Lo  [24] SINHALA LETTER ALPAPRAANA KAYANNA..SINHALA LETTER DANTAJA NAYANNA
+	{0x0DB3, 0x0DBB, prOLetter},   // Lo   [9] SINHALA LETTER SANYAKA DAYANNA..SINHALA LETTER RAYANNA
+	{0x0DBD, 0x0DBD, prOLetter},   // Lo       SINHALA LETTER DANTAJA LAYANNA
+	{0x0DC0, 0x0DC6, prOLetter},   // Lo   [7] SINHALA LETTER VAYANNA..SINHALA LETTER FAYANNA
+	{0x0DCA, 0x0DCA, prExtend},    // Mn       SINHALA SIGN AL-LAKUNA
+	{0x0DCF, 0x0DD1, prExtend},    // Mc   [3] SINHALA VOWEL SIGN AELA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA
+	{0x0DD2, 0x0DD4, prExtend},    // Mn   [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA
+	{0x0DD6, 0x0DD6, prExtend},    // Mn       SINHALA VOWEL SIGN DIGA PAA-PILLA
+	{0x0DD8, 0x0DDF, prExtend},    // Mc   [8] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN GAYANUKITTA
+	{0x0DE6, 0x0DEF, prNumeric},   // Nd  [10] SINHALA LITH DIGIT ZERO..SINHALA LITH DIGIT NINE
+	{0x0DF2, 0x0DF3, prExtend},    // Mc   [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA
+	{0x0E01, 0x0E30, prOLetter},   // Lo  [48] THAI CHARACTER KO KAI..THAI CHARACTER SARA A
+	{0x0E31, 0x0E31, prExtend},    // Mn       THAI CHARACTER MAI HAN-AKAT
+	{0x0E32, 0x0E33, prOLetter},   // Lo   [2] THAI CHARACTER SARA AA..THAI CHARACTER SARA AM
+	{0x0E34, 0x0E3A, prExtend},    // Mn   [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU
+	{0x0E40, 0x0E45, prOLetter},   // Lo   [6] THAI CHARACTER SARA E..THAI CHARACTER LAKKHANGYAO
+	{0x0E46, 0x0E46, prOLetter},   // Lm       THAI CHARACTER MAIYAMOK
+	{0x0E47, 0x0E4E, prExtend},    // Mn   [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN
+	{0x0E50, 0x0E59, prNumeric},   // Nd  [10] THAI DIGIT ZERO..THAI DIGIT NINE
+	{0x0E81, 0x0E82, prOLetter},   // Lo   [2] LAO LETTER KO..LAO LETTER KHO SUNG
+	{0x0E84, 0x0E84, prOLetter},   // Lo       LAO LETTER KHO TAM
+	{0x0E86, 0x0E8A, prOLetter},   // Lo   [5] LAO LETTER PALI GHA..LAO LETTER SO TAM
+	{0x0E8C, 0x0EA3, prOLetter},   // Lo  [24] LAO LETTER PALI JHA..LAO LETTER LO LING
+	{0x0EA5, 0x0EA5, prOLetter},   // Lo       LAO LETTER LO LOOT
+	{0x0EA7, 0x0EB0, prOLetter},   // Lo  [10] LAO LETTER WO..LAO VOWEL SIGN A
+	{0x0EB1, 0x0EB1, prExtend},    // Mn       LAO VOWEL SIGN MAI KAN
+	{0x0EB2, 0x0EB3, prOLetter},   // Lo   [2] LAO VOWEL SIGN AA..LAO VOWEL SIGN AM
+	{0x0EB4, 0x0EBC, prExtend},    // Mn   [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO
+	{0x0EBD, 0x0EBD, prOLetter},   // Lo       LAO SEMIVOWEL SIGN NYO
+	{0x0EC0, 0x0EC4, prOLetter},   // Lo   [5] LAO VOWEL SIGN E..LAO VOWEL SIGN AI
+	{0x0EC6, 0x0EC6, prOLetter},   // Lm       LAO KO LA
+	{0x0EC8, 0x0ECE, prExtend},    // Mn   [7] LAO TONE MAI EK..LAO YAMAKKAN
+	{0x0ED0, 0x0ED9, prNumeric},   // Nd  [10] LAO DIGIT ZERO..LAO DIGIT NINE
+	{0x0EDC, 0x0EDF, prOLetter},   // Lo   [4] LAO HO NO..LAO LETTER KHMU NYO
+	{0x0F00, 0x0F00, prOLetter},   // Lo       TIBETAN SYLLABLE OM
+	{0x0F18, 0x0F19, prExtend},    // Mn   [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS
+	{0x0F20, 0x0F29, prNumeric},   // Nd  [10] TIBETAN DIGIT ZERO..TIBETAN DIGIT NINE
+	{0x0F35, 0x0F35, prExtend},    // Mn       TIBETAN MARK NGAS BZUNG NYI ZLA
+	{0x0F37, 0x0F37, prExtend},    // Mn       TIBETAN MARK NGAS BZUNG SGOR RTAGS
+	{0x0F39, 0x0F39, prExtend},    // Mn       TIBETAN MARK TSA -PHRU
+	{0x0F3A, 0x0F3A, prClose},     // Ps       TIBETAN MARK GUG RTAGS GYON
+	{0x0F3B, 0x0F3B, prClose},     // Pe       TIBETAN MARK GUG RTAGS GYAS
+	{0x0F3C, 0x0F3C, prClose},     // Ps       TIBETAN MARK ANG KHANG GYON
+	{0x0F3D, 0x0F3D, prClose},     // Pe       TIBETAN MARK ANG KHANG GYAS
+	{0x0F3E, 0x0F3F, prExtend},    // Mc   [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES
+	{0x0F40, 0x0F47, prOLetter},   // Lo   [8] TIBETAN LETTER KA..TIBETAN LETTER JA
+	{0x0F49, 0x0F6C, prOLetter},   // Lo  [36] TIBETAN LETTER NYA..TIBETAN LETTER RRA
+	{0x0F71, 0x0F7E, prExtend},    // Mn  [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO
+	{0x0F7F, 0x0F7F, prExtend},    // Mc       TIBETAN SIGN RNAM BCAD
+	{0x0F80, 0x0F84, prExtend},    // Mn   [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA
+	{0x0F86, 0x0F87, prExtend},    // Mn   [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS
+	{0x0F88, 0x0F8C, prOLetter},   // Lo   [5] TIBETAN SIGN LCE TSA CAN..TIBETAN SIGN INVERTED MCHU CAN
+	{0x0F8D, 0x0F97, prExtend},    // Mn  [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA
+	{0x0F99, 0x0FBC, prExtend},    // Mn  [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA
+	{0x0FC6, 0x0FC6, prExtend},    // Mn       TIBETAN SYMBOL PADMA GDAN
+	{0x1000, 0x102A, prOLetter},   // Lo  [43] MYANMAR LETTER KA..MYANMAR LETTER AU
+	{0x102B, 0x102C, prExtend},    // Mc   [2] MYANMAR VOWEL SIGN TALL AA..MYANMAR VOWEL SIGN AA
+	{0x102D, 0x1030, prExtend},    // Mn   [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU
+	{0x1031, 0x1031, prExtend},    // Mc       MYANMAR VOWEL SIGN E
+	{0x1032, 0x1037, prExtend},    // Mn   [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW
+	{0x1038, 0x1038, prExtend},    // Mc       MYANMAR SIGN VISARGA
+	{0x1039, 0x103A, prExtend},    // Mn   [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT
+	{0x103B, 0x103C, prExtend},    // Mc   [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA
+	{0x103D, 0x103E, prExtend},    // Mn   [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA
+	{0x103F, 0x103F, prOLetter},   // Lo       MYANMAR LETTER GREAT SA
+	{0x1040, 0x1049, prNumeric},   // Nd  [10] MYANMAR DIGIT ZERO..MYANMAR DIGIT NINE
+	{0x104A, 0x104B, prSTerm},     // Po   [2] MYANMAR SIGN LITTLE SECTION..MYANMAR SIGN SECTION
+	{0x1050, 0x1055, prOLetter},   // Lo   [6] MYANMAR LETTER SHA..MYANMAR LETTER VOCALIC LL
+	{0x1056, 0x1057, prExtend},    // Mc   [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR
+	{0x1058, 0x1059, prExtend},    // Mn   [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL
+	{0x105A, 0x105D, prOLetter},   // Lo   [4] MYANMAR LETTER MON NGA..MYANMAR LETTER MON BBE
+	{0x105E, 0x1060, prExtend},    // Mn   [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA
+	{0x1061, 0x1061, prOLetter},   // Lo       MYANMAR LETTER SGAW KAREN SHA
+	{0x1062, 0x1064, prExtend},    // Mc   [3] MYANMAR VOWEL SIGN SGAW KAREN EU..MYANMAR TONE MARK SGAW KAREN KE PHO
+	{0x1065, 0x1066, prOLetter},   // Lo   [2] MYANMAR LETTER WESTERN PWO KAREN THA..MYANMAR LETTER WESTERN PWO KAREN PWA
+	{0x1067, 0x106D, prExtend},    // Mc   [7] MYANMAR VOWEL SIGN WESTERN PWO KAREN EU..MYANMAR SIGN WESTERN PWO KAREN TONE-5
+	{0x106E, 0x1070, prOLetter},   // Lo   [3] MYANMAR LETTER EASTERN PWO KAREN NNA..MYANMAR LETTER EASTERN PWO KAREN GHWA
+	{0x1071, 0x1074, prExtend},    // Mn   [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE
+	{0x1075, 0x1081, prOLetter},   // Lo  [13] MYANMAR LETTER SHAN KA..MYANMAR LETTER SHAN HA
+	{0x1082, 0x1082, prExtend},    // Mn       MYANMAR CONSONANT SIGN SHAN MEDIAL WA
+	{0x1083, 0x1084, prExtend},    // Mc   [2] MYANMAR VOWEL SIGN SHAN AA..MYANMAR VOWEL SIGN SHAN E
+	{0x1085, 0x1086, prExtend},    // Mn   [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y
+	{0x1087, 0x108C, prExtend},    // Mc   [6] MYANMAR SIGN SHAN TONE-2..MYANMAR SIGN SHAN COUNCIL TONE-3
+	{0x108D, 0x108D, prExtend},    // Mn       MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE
+	{0x108E, 0x108E, prOLetter},   // Lo       MYANMAR LETTER RUMAI PALAUNG FA
+	{0x108F, 0x108F, prExtend},    // Mc       MYANMAR SIGN RUMAI PALAUNG TONE-5
+	{0x1090, 0x1099, prNumeric},   // Nd  [10] MYANMAR SHAN DIGIT ZERO..MYANMAR SHAN DIGIT NINE
+	{0x109A, 0x109C, prExtend},    // Mc   [3] MYANMAR SIGN KHAMTI TONE-1..MYANMAR VOWEL SIGN AITON A
+	{0x109D, 0x109D, prExtend},    // Mn       MYANMAR VOWEL SIGN AITON AI
+	{0x10A0, 0x10C5, prUpper},     // L&  [38] GEORGIAN CAPITAL LETTER AN..GEORGIAN CAPITAL LETTER HOE
+	{0x10C7, 0x10C7, prUpper},     // L&       GEORGIAN CAPITAL LETTER YN
+	{0x10CD, 0x10CD, prUpper},     // L&       GEORGIAN CAPITAL LETTER AEN
+	{0x10D0, 0x10FA, prOLetter},   // L&  [43] GEORGIAN LETTER AN..GEORGIAN LETTER AIN
+	{0x10FC, 0x10FC, prLower},     // Lm       MODIFIER LETTER GEORGIAN NAR
+	{0x10FD, 0x10FF, prOLetter},   // L&   [3] GEORGIAN LETTER AEN..GEORGIAN LETTER LABIAL SIGN
+	{0x1100, 0x1248, prOLetter},   // Lo [329] HANGUL CHOSEONG KIYEOK..ETHIOPIC SYLLABLE QWA
+	{0x124A, 0x124D, prOLetter},   // Lo   [4] ETHIOPIC SYLLABLE QWI..ETHIOPIC SYLLABLE QWE
+	{0x1250, 0x1256, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE QHA..ETHIOPIC SYLLABLE QHO
+	{0x1258, 0x1258, prOLetter},   // Lo       ETHIOPIC SYLLABLE QHWA
+	{0x125A, 0x125D, prOLetter},   // Lo   [4] ETHIOPIC SYLLABLE QHWI..ETHIOPIC SYLLABLE QHWE
+	{0x1260, 0x1288, prOLetter},   // Lo  [41] ETHIOPIC SYLLABLE BA..ETHIOPIC SYLLABLE XWA
+	{0x128A, 0x128D, prOLetter},   // Lo   [4] ETHIOPIC SYLLABLE XWI..ETHIOPIC SYLLABLE XWE
+	{0x1290, 0x12B0, prOLetter},   // Lo  [33] ETHIOPIC SYLLABLE NA..ETHIOPIC SYLLABLE KWA
+	{0x12B2, 0x12B5, prOLetter},   // Lo   [4] ETHIOPIC SYLLABLE KWI..ETHIOPIC SYLLABLE KWE
+	{0x12B8, 0x12BE, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE KXA..ETHIOPIC SYLLABLE KXO
+	{0x12C0, 0x12C0, prOLetter},   // Lo       ETHIOPIC SYLLABLE KXWA
+	{0x12C2, 0x12C5, prOLetter},   // Lo   [4] ETHIOPIC SYLLABLE KXWI..ETHIOPIC SYLLABLE KXWE
+	{0x12C8, 0x12D6, prOLetter},   // Lo  [15] ETHIOPIC SYLLABLE WA..ETHIOPIC SYLLABLE PHARYNGEAL O
+	{0x12D8, 0x1310, prOLetter},   // Lo  [57] ETHIOPIC SYLLABLE ZA..ETHIOPIC SYLLABLE GWA
+	{0x1312, 0x1315, prOLetter},   // Lo   [4] ETHIOPIC SYLLABLE GWI..ETHIOPIC SYLLABLE GWE
+	{0x1318, 0x135A, prOLetter},   // Lo  [67] ETHIOPIC SYLLABLE GGA..ETHIOPIC SYLLABLE FYA
+	{0x135D, 0x135F, prExtend},    // Mn   [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK
+	{0x1362, 0x1362, prSTerm},     // Po       ETHIOPIC FULL STOP
+	{0x1367, 0x1368, prSTerm},     // Po   [2] ETHIOPIC QUESTION MARK..ETHIOPIC PARAGRAPH SEPARATOR
+	{0x1380, 0x138F, prOLetter},   // Lo  [16] ETHIOPIC SYLLABLE SEBATBEIT MWA..ETHIOPIC SYLLABLE PWE
+	{0x13A0, 0x13F5, prUpper},     // L&  [86] CHEROKEE LETTER A..CHEROKEE LETTER MV
+	{0x13F8, 0x13FD, prLower},     // L&   [6] CHEROKEE SMALL LETTER YE..CHEROKEE SMALL LETTER MV
+	{0x1401, 0x166C, prOLetter},   // Lo [620] CANADIAN SYLLABICS E..CANADIAN SYLLABICS CARRIER TTSA
+	{0x166E, 0x166E, prSTerm},     // Po       CANADIAN SYLLABICS FULL STOP
+	{0x166F, 0x167F, prOLetter},   // Lo  [17] CANADIAN SYLLABICS QAI..CANADIAN SYLLABICS BLACKFOOT W
+	{0x1680, 0x1680, prSp},        // Zs       OGHAM SPACE MARK
+	{0x1681, 0x169A, prOLetter},   // Lo  [26] OGHAM LETTER BEITH..OGHAM LETTER PEITH
+	{0x169B, 0x169B, prClose},     // Ps       OGHAM FEATHER MARK
+	{0x169C, 0x169C, prClose},     // Pe       OGHAM REVERSED FEATHER MARK
+	{0x16A0, 0x16EA, prOLetter},   // Lo  [75] RUNIC LETTER FEHU FEOH FE F..RUNIC LETTER X
+	{0x16EE, 0x16F0, prOLetter},   // Nl   [3] RUNIC ARLAUG SYMBOL..RUNIC BELGTHOR SYMBOL
+	{0x16F1, 0x16F8, prOLetter},   // Lo   [8] RUNIC LETTER K..RUNIC LETTER FRANKS CASKET AESC
+	{0x1700, 0x1711, prOLetter},   // Lo  [18] TAGALOG LETTER A..TAGALOG LETTER HA
+	{0x1712, 0x1714, prExtend},    // Mn   [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA
+	{0x1715, 0x1715, prExtend},    // Mc       TAGALOG SIGN PAMUDPOD
+	{0x171F, 0x1731, prOLetter},   // Lo  [19] TAGALOG LETTER ARCHAIC RA..HANUNOO LETTER HA
+	{0x1732, 0x1733, prExtend},    // Mn   [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U
+	{0x1734, 0x1734, prExtend},    // Mc       HANUNOO SIGN PAMUDPOD
+	{0x1735, 0x1736, prSTerm},     // Po   [2] PHILIPPINE SINGLE PUNCTUATION..PHILIPPINE DOUBLE PUNCTUATION
+	{0x1740, 0x1751, prOLetter},   // Lo  [18] BUHID LETTER A..BUHID LETTER HA
+	{0x1752, 0x1753, prExtend},    // Mn   [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U
+	{0x1760, 0x176C, prOLetter},   // Lo  [13] TAGBANWA LETTER A..TAGBANWA LETTER YA
+	{0x176E, 0x1770, prOLetter},   // Lo   [3] TAGBANWA LETTER LA..TAGBANWA LETTER SA
+	{0x1772, 0x1773, prExtend},    // Mn   [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U
+	{0x1780, 0x17B3, prOLetter},   // Lo  [52] KHMER LETTER KA..KHMER INDEPENDENT VOWEL QAU
+	{0x17B4, 0x17B5, prExtend},    // Mn   [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA
+	{0x17B6, 0x17B6, prExtend},    // Mc       KHMER VOWEL SIGN AA
+	{0x17B7, 0x17BD, prExtend},    // Mn   [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA
+	{0x17BE, 0x17C5, prExtend},    // Mc   [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU
+	{0x17C6, 0x17C6, prExtend},    // Mn       KHMER SIGN NIKAHIT
+	{0x17C7, 0x17C8, prExtend},    // Mc   [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU
+	{0x17C9, 0x17D3, prExtend},    // Mn  [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT
+	{0x17D7, 0x17D7, prOLetter},   // Lm       KHMER SIGN LEK TOO
+	{0x17DC, 0x17DC, prOLetter},   // Lo       KHMER SIGN AVAKRAHASANYA
+	{0x17DD, 0x17DD, prExtend},    // Mn       KHMER SIGN ATTHACAN
+	{0x17E0, 0x17E9, prNumeric},   // Nd  [10] KHMER DIGIT ZERO..KHMER DIGIT NINE
+	{0x1802, 0x1802, prSContinue}, // Po       MONGOLIAN COMMA
+	{0x1803, 0x1803, prSTerm},     // Po       MONGOLIAN FULL STOP
+	{0x1808, 0x1808, prSContinue}, // Po       MONGOLIAN MANCHU COMMA
+	{0x1809, 0x1809, prSTerm},     // Po       MONGOLIAN MANCHU FULL STOP
+	{0x180B, 0x180D, prExtend},    // Mn   [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE
+	{0x180E, 0x180E, prFormat},    // Cf       MONGOLIAN VOWEL SEPARATOR
+	{0x180F, 0x180F, prExtend},    // Mn       MONGOLIAN FREE VARIATION SELECTOR FOUR
+	{0x1810, 0x1819, prNumeric},   // Nd  [10] MONGOLIAN DIGIT ZERO..MONGOLIAN DIGIT NINE
+	{0x1820, 0x1842, prOLetter},   // Lo  [35] MONGOLIAN LETTER A..MONGOLIAN LETTER CHI
+	{0x1843, 0x1843, prOLetter},   // Lm       MONGOLIAN LETTER TODO LONG VOWEL SIGN
+	{0x1844, 0x1878, prOLetter},   // Lo  [53] MONGOLIAN LETTER TODO E..MONGOLIAN LETTER CHA WITH TWO DOTS
+	{0x1880, 0x1884, prOLetter},   // Lo   [5] MONGOLIAN LETTER ALI GALI ANUSVARA ONE..MONGOLIAN LETTER ALI GALI INVERTED UBADAMA
+	{0x1885, 0x1886, prExtend},    // Mn   [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA
+	{0x1887, 0x18A8, prOLetter},   // Lo  [34] MONGOLIAN LETTER ALI GALI A..MONGOLIAN LETTER MANCHU ALI GALI BHA
+	{0x18A9, 0x18A9, prExtend},    // Mn       MONGOLIAN LETTER ALI GALI DAGALGA
+	{0x18AA, 0x18AA, prOLetter},   // Lo       MONGOLIAN LETTER MANCHU ALI GALI LHA
+	{0x18B0, 0x18F5, prOLetter},   // Lo  [70] CANADIAN SYLLABICS OY..CANADIAN SYLLABICS CARRIER DENTAL S
+	{0x1900, 0x191E, prOLetter},   // Lo  [31] LIMBU VOWEL-CARRIER LETTER..LIMBU LETTER TRA
+	{0x1920, 0x1922, prExtend},    // Mn   [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U
+	{0x1923, 0x1926, prExtend},    // Mc   [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU
+	{0x1927, 0x1928, prExtend},    // Mn   [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O
+	{0x1929, 0x192B, prExtend},    // Mc   [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA
+	{0x1930, 0x1931, prExtend},    // Mc   [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA
+	{0x1932, 0x1932, prExtend},    // Mn       LIMBU SMALL LETTER ANUSVARA
+	{0x1933, 0x1938, prExtend},    // Mc   [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA
+	{0x1939, 0x193B, prExtend},    // Mn   [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I
+	{0x1944, 0x1945, prSTerm},     // Po   [2] LIMBU EXCLAMATION MARK..LIMBU QUESTION MARK
+	{0x1946, 0x194F, prNumeric},   // Nd  [10] LIMBU DIGIT ZERO..LIMBU DIGIT NINE
+	{0x1950, 0x196D, prOLetter},   // Lo  [30] TAI LE LETTER KA..TAI LE LETTER AI
+	{0x1970, 0x1974, prOLetter},   // Lo   [5] TAI LE LETTER TONE-2..TAI LE LETTER TONE-6
+	{0x1980, 0x19AB, prOLetter},   // Lo  [44] NEW TAI LUE LETTER HIGH QA..NEW TAI LUE LETTER LOW SUA
+	{0x19B0, 0x19C9, prOLetter},   // Lo  [26] NEW TAI LUE VOWEL SIGN VOWEL SHORTENER..NEW TAI LUE TONE MARK-2
+	{0x19D0, 0x19D9, prNumeric},   // Nd  [10] NEW TAI LUE DIGIT ZERO..NEW TAI LUE DIGIT NINE
+	{0x1A00, 0x1A16, prOLetter},   // Lo  [23] BUGINESE LETTER KA..BUGINESE LETTER HA
+	{0x1A17, 0x1A18, prExtend},    // Mn   [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U
+	{0x1A19, 0x1A1A, prExtend},    // Mc   [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O
+	{0x1A1B, 0x1A1B, prExtend},    // Mn       BUGINESE VOWEL SIGN AE
+	{0x1A20, 0x1A54, prOLetter},   // Lo  [53] TAI THAM LETTER HIGH KA..TAI THAM LETTER GREAT SA
+	{0x1A55, 0x1A55, prExtend},    // Mc       TAI THAM CONSONANT SIGN MEDIAL RA
+	{0x1A56, 0x1A56, prExtend},    // Mn       TAI THAM CONSONANT SIGN MEDIAL LA
+	{0x1A57, 0x1A57, prExtend},    // Mc       TAI THAM CONSONANT SIGN LA TANG LAI
+	{0x1A58, 0x1A5E, prExtend},    // Mn   [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA
+	{0x1A60, 0x1A60, prExtend},    // Mn       TAI THAM SIGN SAKOT
+	{0x1A61, 0x1A61, prExtend},    // Mc       TAI THAM VOWEL SIGN A
+	{0x1A62, 0x1A62, prExtend},    // Mn       TAI THAM VOWEL SIGN MAI SAT
+	{0x1A63, 0x1A64, prExtend},    // Mc   [2] TAI THAM VOWEL SIGN AA..TAI THAM VOWEL SIGN TALL AA
+	{0x1A65, 0x1A6C, prExtend},    // Mn   [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW
+	{0x1A6D, 0x1A72, prExtend},    // Mc   [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI
+	{0x1A73, 0x1A7C, prExtend},    // Mn  [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN
+	{0x1A7F, 0x1A7F, prExtend},    // Mn       TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	{0x1A80, 0x1A89, prNumeric},   // Nd  [10] TAI THAM HORA DIGIT ZERO..TAI THAM HORA DIGIT NINE
+	{0x1A90, 0x1A99, prNumeric},   // Nd  [10] TAI THAM THAM DIGIT ZERO..TAI THAM THAM DIGIT NINE
+	{0x1AA7, 0x1AA7, prOLetter},   // Lm       TAI THAM SIGN MAI YAMOK
+	{0x1AA8, 0x1AAB, prSTerm},     // Po   [4] TAI THAM SIGN KAAN..TAI THAM SIGN SATKAANKUU
+	{0x1AB0, 0x1ABD, prExtend},    // Mn  [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW
+	{0x1ABE, 0x1ABE, prExtend},    // Me       COMBINING PARENTHESES OVERLAY
+	{0x1ABF, 0x1ACE, prExtend},    // Mn  [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T
+	{0x1B00, 0x1B03, prExtend},    // Mn   [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG
+	{0x1B04, 0x1B04, prExtend},    // Mc       BALINESE SIGN BISAH
+	{0x1B05, 0x1B33, prOLetter},   // Lo  [47] BALINESE LETTER AKARA..BALINESE LETTER HA
+	{0x1B34, 0x1B34, prExtend},    // Mn       BALINESE SIGN REREKAN
+	{0x1B35, 0x1B35, prExtend},    // Mc       BALINESE VOWEL SIGN TEDUNG
+	{0x1B36, 0x1B3A, prExtend},    // Mn   [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA
+	{0x1B3B, 0x1B3B, prExtend},    // Mc       BALINESE VOWEL SIGN RA REPA TEDUNG
+	{0x1B3C, 0x1B3C, prExtend},    // Mn       BALINESE VOWEL SIGN LA LENGA
+	{0x1B3D, 0x1B41, prExtend},    // Mc   [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG
+	{0x1B42, 0x1B42, prExtend},    // Mn       BALINESE VOWEL SIGN PEPET
+	{0x1B43, 0x1B44, prExtend},    // Mc   [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG
+	{0x1B45, 0x1B4C, prOLetter},   // Lo   [8] BALINESE LETTER KAF SASAK..BALINESE LETTER ARCHAIC JNYA
+	{0x1B50, 0x1B59, prNumeric},   // Nd  [10] BALINESE DIGIT ZERO..BALINESE DIGIT NINE
+	{0x1B5A, 0x1B5B, prSTerm},     // Po   [2] BALINESE PANTI..BALINESE PAMADA
+	{0x1B5E, 0x1B5F, prSTerm},     // Po   [2] BALINESE CARIK SIKI..BALINESE CARIK PAREREN
+	{0x1B6B, 0x1B73, prExtend},    // Mn   [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG
+	{0x1B7D, 0x1B7E, prSTerm},     // Po   [2] BALINESE PANTI LANTANG..BALINESE PAMADA LANTANG
+	{0x1B80, 0x1B81, prExtend},    // Mn   [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR
+	{0x1B82, 0x1B82, prExtend},    // Mc       SUNDANESE SIGN PANGWISAD
+	{0x1B83, 0x1BA0, prOLetter},   // Lo  [30] SUNDANESE LETTER A..SUNDANESE LETTER HA
+	{0x1BA1, 0x1BA1, prExtend},    // Mc       SUNDANESE CONSONANT SIGN PAMINGKAL
+	{0x1BA2, 0x1BA5, prExtend},    // Mn   [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU
+	{0x1BA6, 0x1BA7, prExtend},    // Mc   [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG
+	{0x1BA8, 0x1BA9, prExtend},    // Mn   [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG
+	{0x1BAA, 0x1BAA, prExtend},    // Mc       SUNDANESE SIGN PAMAAEH
+	{0x1BAB, 0x1BAD, prExtend},    // Mn   [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA
+	{0x1BAE, 0x1BAF, prOLetter},   // Lo   [2] SUNDANESE LETTER KHA..SUNDANESE LETTER SYA
+	{0x1BB0, 0x1BB9, prNumeric},   // Nd  [10] SUNDANESE DIGIT ZERO..SUNDANESE DIGIT NINE
+	{0x1BBA, 0x1BE5, prOLetter},   // Lo  [44] SUNDANESE AVAGRAHA..BATAK LETTER U
+	{0x1BE6, 0x1BE6, prExtend},    // Mn       BATAK SIGN TOMPI
+	{0x1BE7, 0x1BE7, prExtend},    // Mc       BATAK VOWEL SIGN E
+	{0x1BE8, 0x1BE9, prExtend},    // Mn   [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE
+	{0x1BEA, 0x1BEC, prExtend},    // Mc   [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O
+	{0x1BED, 0x1BED, prExtend},    // Mn       BATAK VOWEL SIGN KARO O
+	{0x1BEE, 0x1BEE, prExtend},    // Mc       BATAK VOWEL SIGN U
+	{0x1BEF, 0x1BF1, prExtend},    // Mn   [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H
+	{0x1BF2, 0x1BF3, prExtend},    // Mc   [2] BATAK PANGOLAT..BATAK PANONGONAN
+	{0x1C00, 0x1C23, prOLetter},   // Lo  [36] LEPCHA LETTER KA..LEPCHA LETTER A
+	{0x1C24, 0x1C2B, prExtend},    // Mc   [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU
+	{0x1C2C, 0x1C33, prExtend},    // Mn   [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T
+	{0x1C34, 0x1C35, prExtend},    // Mc   [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG
+	{0x1C36, 0x1C37, prExtend},    // Mn   [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA
+	{0x1C3B, 0x1C3C, prSTerm},     // Po   [2] LEPCHA PUNCTUATION TA-ROL..LEPCHA PUNCTUATION NYET THYOOM TA-ROL
+	{0x1C40, 0x1C49, prNumeric},   // Nd  [10] LEPCHA DIGIT ZERO..LEPCHA DIGIT NINE
+	{0x1C4D, 0x1C4F, prOLetter},   // Lo   [3] LEPCHA LETTER TTA..LEPCHA LETTER DDA
+	{0x1C50, 0x1C59, prNumeric},   // Nd  [10] OL CHIKI DIGIT ZERO..OL CHIKI DIGIT NINE
+	{0x1C5A, 0x1C77, prOLetter},   // Lo  [30] OL CHIKI LETTER LA..OL CHIKI LETTER OH
+	{0x1C78, 0x1C7D, prOLetter},   // Lm   [6] OL CHIKI MU TTUDDAG..OL CHIKI AHAD
+	{0x1C7E, 0x1C7F, prSTerm},     // Po   [2] OL CHIKI PUNCTUATION MUCAAD..OL CHIKI PUNCTUATION DOUBLE MUCAAD
+	{0x1C80, 0x1C88, prLower},     // L&   [9] CYRILLIC SMALL LETTER ROUNDED VE..CYRILLIC SMALL LETTER UNBLENDED UK
+	{0x1C90, 0x1CBA, prOLetter},   // L&  [43] GEORGIAN MTAVRULI CAPITAL LETTER AN..GEORGIAN MTAVRULI CAPITAL LETTER AIN
+	{0x1CBD, 0x1CBF, prOLetter},   // L&   [3] GEORGIAN MTAVRULI CAPITAL LETTER AEN..GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN
+	{0x1CD0, 0x1CD2, prExtend},    // Mn   [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA
+	{0x1CD4, 0x1CE0, prExtend},    // Mn  [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA
+	{0x1CE1, 0x1CE1, prExtend},    // Mc       VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA
+	{0x1CE2, 0x1CE8, prExtend},    // Mn   [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL
+	{0x1CE9, 0x1CEC, prOLetter},   // Lo   [4] VEDIC SIGN ANUSVARA ANTARGOMUKHA..VEDIC SIGN ANUSVARA VAMAGOMUKHA WITH TAIL
+	{0x1CED, 0x1CED, prExtend},    // Mn       VEDIC SIGN TIRYAK
+	{0x1CEE, 0x1CF3, prOLetter},   // Lo   [6] VEDIC SIGN HEXIFORM LONG ANUSVARA..VEDIC SIGN ROTATED ARDHAVISARGA
+	{0x1CF4, 0x1CF4, prExtend},    // Mn       VEDIC TONE CANDRA ABOVE
+	{0x1CF5, 0x1CF6, prOLetter},   // Lo   [2] VEDIC SIGN JIHVAMULIYA..VEDIC SIGN UPADHMANIYA
+	{0x1CF7, 0x1CF7, prExtend},    // Mc       VEDIC SIGN ATIKRAMA
+	{0x1CF8, 0x1CF9, prExtend},    // Mn   [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE
+	{0x1CFA, 0x1CFA, prOLetter},   // Lo       VEDIC SIGN DOUBLE ANUSVARA ANTARGOMUKHA
+	{0x1D00, 0x1D2B, prLower},     // L&  [44] LATIN LETTER SMALL CAPITAL A..CYRILLIC LETTER SMALL CAPITAL EL
+	{0x1D2C, 0x1D6A, prLower},     // Lm  [63] MODIFIER LETTER CAPITAL A..GREEK SUBSCRIPT SMALL LETTER CHI
+	{0x1D6B, 0x1D77, prLower},     // L&  [13] LATIN SMALL LETTER UE..LATIN SMALL LETTER TURNED G
+	{0x1D78, 0x1D78, prLower},     // Lm       MODIFIER LETTER CYRILLIC EN
+	{0x1D79, 0x1D9A, prLower},     // L&  [34] LATIN SMALL LETTER INSULAR G..LATIN SMALL LETTER EZH WITH RETROFLEX HOOK
+	{0x1D9B, 0x1DBF, prLower},     // Lm  [37] MODIFIER LETTER SMALL TURNED ALPHA..MODIFIER LETTER SMALL THETA
+	{0x1DC0, 0x1DFF, prExtend},    // Mn  [64] COMBINING DOTTED GRAVE ACCENT..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+	{0x1E00, 0x1E00, prUpper},     // L&       LATIN CAPITAL LETTER A WITH RING BELOW
+	{0x1E01, 0x1E01, prLower},     // L&       LATIN SMALL LETTER A WITH RING BELOW
+	{0x1E02, 0x1E02, prUpper},     // L&       LATIN CAPITAL LETTER B WITH DOT ABOVE
+	{0x1E03, 0x1E03, prLower},     // L&       LATIN SMALL LETTER B WITH DOT ABOVE
+	{0x1E04, 0x1E04, prUpper},     // L&       LATIN CAPITAL LETTER B WITH DOT BELOW
+	{0x1E05, 0x1E05, prLower},     // L&       LATIN SMALL LETTER B WITH DOT BELOW
+	{0x1E06, 0x1E06, prUpper},     // L&       LATIN CAPITAL LETTER B WITH LINE BELOW
+	{0x1E07, 0x1E07, prLower},     // L&       LATIN SMALL LETTER B WITH LINE BELOW
+	{0x1E08, 0x1E08, prUpper},     // L&       LATIN CAPITAL LETTER C WITH CEDILLA AND ACUTE
+	{0x1E09, 0x1E09, prLower},     // L&       LATIN SMALL LETTER C WITH CEDILLA AND ACUTE
+	{0x1E0A, 0x1E0A, prUpper},     // L&       LATIN CAPITAL LETTER D WITH DOT ABOVE
+	{0x1E0B, 0x1E0B, prLower},     // L&       LATIN SMALL LETTER D WITH DOT ABOVE
+	{0x1E0C, 0x1E0C, prUpper},     // L&       LATIN CAPITAL LETTER D WITH DOT BELOW
+	{0x1E0D, 0x1E0D, prLower},     // L&       LATIN SMALL LETTER D WITH DOT BELOW
+	{0x1E0E, 0x1E0E, prUpper},     // L&       LATIN CAPITAL LETTER D WITH LINE BELOW
+	{0x1E0F, 0x1E0F, prLower},     // L&       LATIN SMALL LETTER D WITH LINE BELOW
+	{0x1E10, 0x1E10, prUpper},     // L&       LATIN CAPITAL LETTER D WITH CEDILLA
+	{0x1E11, 0x1E11, prLower},     // L&       LATIN SMALL LETTER D WITH CEDILLA
+	{0x1E12, 0x1E12, prUpper},     // L&       LATIN CAPITAL LETTER D WITH CIRCUMFLEX BELOW
+	{0x1E13, 0x1E13, prLower},     // L&       LATIN SMALL LETTER D WITH CIRCUMFLEX BELOW
+	{0x1E14, 0x1E14, prUpper},     // L&       LATIN CAPITAL LETTER E WITH MACRON AND GRAVE
+	{0x1E15, 0x1E15, prLower},     // L&       LATIN SMALL LETTER E WITH MACRON AND GRAVE
+	{0x1E16, 0x1E16, prUpper},     // L&       LATIN CAPITAL LETTER E WITH MACRON AND ACUTE
+	{0x1E17, 0x1E17, prLower},     // L&       LATIN SMALL LETTER E WITH MACRON AND ACUTE
+	{0x1E18, 0x1E18, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CIRCUMFLEX BELOW
+	{0x1E19, 0x1E19, prLower},     // L&       LATIN SMALL LETTER E WITH CIRCUMFLEX BELOW
+	{0x1E1A, 0x1E1A, prUpper},     // L&       LATIN CAPITAL LETTER E WITH TILDE BELOW
+	{0x1E1B, 0x1E1B, prLower},     // L&       LATIN SMALL LETTER E WITH TILDE BELOW
+	{0x1E1C, 0x1E1C, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CEDILLA AND BREVE
+	{0x1E1D, 0x1E1D, prLower},     // L&       LATIN SMALL LETTER E WITH CEDILLA AND BREVE
+	{0x1E1E, 0x1E1E, prUpper},     // L&       LATIN CAPITAL LETTER F WITH DOT ABOVE
+	{0x1E1F, 0x1E1F, prLower},     // L&       LATIN SMALL LETTER F WITH DOT ABOVE
+	{0x1E20, 0x1E20, prUpper},     // L&       LATIN CAPITAL LETTER G WITH MACRON
+	{0x1E21, 0x1E21, prLower},     // L&       LATIN SMALL LETTER G WITH MACRON
+	{0x1E22, 0x1E22, prUpper},     // L&       LATIN CAPITAL LETTER H WITH DOT ABOVE
+	{0x1E23, 0x1E23, prLower},     // L&       LATIN SMALL LETTER H WITH DOT ABOVE
+	{0x1E24, 0x1E24, prUpper},     // L&       LATIN CAPITAL LETTER H WITH DOT BELOW
+	{0x1E25, 0x1E25, prLower},     // L&       LATIN SMALL LETTER H WITH DOT BELOW
+	{0x1E26, 0x1E26, prUpper},     // L&       LATIN CAPITAL LETTER H WITH DIAERESIS
+	{0x1E27, 0x1E27, prLower},     // L&       LATIN SMALL LETTER H WITH DIAERESIS
+	{0x1E28, 0x1E28, prUpper},     // L&       LATIN CAPITAL LETTER H WITH CEDILLA
+	{0x1E29, 0x1E29, prLower},     // L&       LATIN SMALL LETTER H WITH CEDILLA
+	{0x1E2A, 0x1E2A, prUpper},     // L&       LATIN CAPITAL LETTER H WITH BREVE BELOW
+	{0x1E2B, 0x1E2B, prLower},     // L&       LATIN SMALL LETTER H WITH BREVE BELOW
+	{0x1E2C, 0x1E2C, prUpper},     // L&       LATIN CAPITAL LETTER I WITH TILDE BELOW
+	{0x1E2D, 0x1E2D, prLower},     // L&       LATIN SMALL LETTER I WITH TILDE BELOW
+	{0x1E2E, 0x1E2E, prUpper},     // L&       LATIN CAPITAL LETTER I WITH DIAERESIS AND ACUTE
+	{0x1E2F, 0x1E2F, prLower},     // L&       LATIN SMALL LETTER I WITH DIAERESIS AND ACUTE
+	{0x1E30, 0x1E30, prUpper},     // L&       LATIN CAPITAL LETTER K WITH ACUTE
+	{0x1E31, 0x1E31, prLower},     // L&       LATIN SMALL LETTER K WITH ACUTE
+	{0x1E32, 0x1E32, prUpper},     // L&       LATIN CAPITAL LETTER K WITH DOT BELOW
+	{0x1E33, 0x1E33, prLower},     // L&       LATIN SMALL LETTER K WITH DOT BELOW
+	{0x1E34, 0x1E34, prUpper},     // L&       LATIN CAPITAL LETTER K WITH LINE BELOW
+	{0x1E35, 0x1E35, prLower},     // L&       LATIN SMALL LETTER K WITH LINE BELOW
+	{0x1E36, 0x1E36, prUpper},     // L&       LATIN CAPITAL LETTER L WITH DOT BELOW
+	{0x1E37, 0x1E37, prLower},     // L&       LATIN SMALL LETTER L WITH DOT BELOW
+	{0x1E38, 0x1E38, prUpper},     // L&       LATIN CAPITAL LETTER L WITH DOT BELOW AND MACRON
+	{0x1E39, 0x1E39, prLower},     // L&       LATIN SMALL LETTER L WITH DOT BELOW AND MACRON
+	{0x1E3A, 0x1E3A, prUpper},     // L&       LATIN CAPITAL LETTER L WITH LINE BELOW
+	{0x1E3B, 0x1E3B, prLower},     // L&       LATIN SMALL LETTER L WITH LINE BELOW
+	{0x1E3C, 0x1E3C, prUpper},     // L&       LATIN CAPITAL LETTER L WITH CIRCUMFLEX BELOW
+	{0x1E3D, 0x1E3D, prLower},     // L&       LATIN SMALL LETTER L WITH CIRCUMFLEX BELOW
+	{0x1E3E, 0x1E3E, prUpper},     // L&       LATIN CAPITAL LETTER M WITH ACUTE
+	{0x1E3F, 0x1E3F, prLower},     // L&       LATIN SMALL LETTER M WITH ACUTE
+	{0x1E40, 0x1E40, prUpper},     // L&       LATIN CAPITAL LETTER M WITH DOT ABOVE
+	{0x1E41, 0x1E41, prLower},     // L&       LATIN SMALL LETTER M WITH DOT ABOVE
+	{0x1E42, 0x1E42, prUpper},     // L&       LATIN CAPITAL LETTER M WITH DOT BELOW
+	{0x1E43, 0x1E43, prLower},     // L&       LATIN SMALL LETTER M WITH DOT BELOW
+	{0x1E44, 0x1E44, prUpper},     // L&       LATIN CAPITAL LETTER N WITH DOT ABOVE
+	{0x1E45, 0x1E45, prLower},     // L&       LATIN SMALL LETTER N WITH DOT ABOVE
+	{0x1E46, 0x1E46, prUpper},     // L&       LATIN CAPITAL LETTER N WITH DOT BELOW
+	{0x1E47, 0x1E47, prLower},     // L&       LATIN SMALL LETTER N WITH DOT BELOW
+	{0x1E48, 0x1E48, prUpper},     // L&       LATIN CAPITAL LETTER N WITH LINE BELOW
+	{0x1E49, 0x1E49, prLower},     // L&       LATIN SMALL LETTER N WITH LINE BELOW
+	{0x1E4A, 0x1E4A, prUpper},     // L&       LATIN CAPITAL LETTER N WITH CIRCUMFLEX BELOW
+	{0x1E4B, 0x1E4B, prLower},     // L&       LATIN SMALL LETTER N WITH CIRCUMFLEX BELOW
+	{0x1E4C, 0x1E4C, prUpper},     // L&       LATIN CAPITAL LETTER O WITH TILDE AND ACUTE
+	{0x1E4D, 0x1E4D, prLower},     // L&       LATIN SMALL LETTER O WITH TILDE AND ACUTE
+	{0x1E4E, 0x1E4E, prUpper},     // L&       LATIN CAPITAL LETTER O WITH TILDE AND DIAERESIS
+	{0x1E4F, 0x1E4F, prLower},     // L&       LATIN SMALL LETTER O WITH TILDE AND DIAERESIS
+	{0x1E50, 0x1E50, prUpper},     // L&       LATIN CAPITAL LETTER O WITH MACRON AND GRAVE
+	{0x1E51, 0x1E51, prLower},     // L&       LATIN SMALL LETTER O WITH MACRON AND GRAVE
+	{0x1E52, 0x1E52, prUpper},     // L&       LATIN CAPITAL LETTER O WITH MACRON AND ACUTE
+	{0x1E53, 0x1E53, prLower},     // L&       LATIN SMALL LETTER O WITH MACRON AND ACUTE
+	{0x1E54, 0x1E54, prUpper},     // L&       LATIN CAPITAL LETTER P WITH ACUTE
+	{0x1E55, 0x1E55, prLower},     // L&       LATIN SMALL LETTER P WITH ACUTE
+	{0x1E56, 0x1E56, prUpper},     // L&       LATIN CAPITAL LETTER P WITH DOT ABOVE
+	{0x1E57, 0x1E57, prLower},     // L&       LATIN SMALL LETTER P WITH DOT ABOVE
+	{0x1E58, 0x1E58, prUpper},     // L&       LATIN CAPITAL LETTER R WITH DOT ABOVE
+	{0x1E59, 0x1E59, prLower},     // L&       LATIN SMALL LETTER R WITH DOT ABOVE
+	{0x1E5A, 0x1E5A, prUpper},     // L&       LATIN CAPITAL LETTER R WITH DOT BELOW
+	{0x1E5B, 0x1E5B, prLower},     // L&       LATIN SMALL LETTER R WITH DOT BELOW
+	{0x1E5C, 0x1E5C, prUpper},     // L&       LATIN CAPITAL LETTER R WITH DOT BELOW AND MACRON
+	{0x1E5D, 0x1E5D, prLower},     // L&       LATIN SMALL LETTER R WITH DOT BELOW AND MACRON
+	{0x1E5E, 0x1E5E, prUpper},     // L&       LATIN CAPITAL LETTER R WITH LINE BELOW
+	{0x1E5F, 0x1E5F, prLower},     // L&       LATIN SMALL LETTER R WITH LINE BELOW
+	{0x1E60, 0x1E60, prUpper},     // L&       LATIN CAPITAL LETTER S WITH DOT ABOVE
+	{0x1E61, 0x1E61, prLower},     // L&       LATIN SMALL LETTER S WITH DOT ABOVE
+	{0x1E62, 0x1E62, prUpper},     // L&       LATIN CAPITAL LETTER S WITH DOT BELOW
+	{0x1E63, 0x1E63, prLower},     // L&       LATIN SMALL LETTER S WITH DOT BELOW
+	{0x1E64, 0x1E64, prUpper},     // L&       LATIN CAPITAL LETTER S WITH ACUTE AND DOT ABOVE
+	{0x1E65, 0x1E65, prLower},     // L&       LATIN SMALL LETTER S WITH ACUTE AND DOT ABOVE
+	{0x1E66, 0x1E66, prUpper},     // L&       LATIN CAPITAL LETTER S WITH CARON AND DOT ABOVE
+	{0x1E67, 0x1E67, prLower},     // L&       LATIN SMALL LETTER S WITH CARON AND DOT ABOVE
+	{0x1E68, 0x1E68, prUpper},     // L&       LATIN CAPITAL LETTER S WITH DOT BELOW AND DOT ABOVE
+	{0x1E69, 0x1E69, prLower},     // L&       LATIN SMALL LETTER S WITH DOT BELOW AND DOT ABOVE
+	{0x1E6A, 0x1E6A, prUpper},     // L&       LATIN CAPITAL LETTER T WITH DOT ABOVE
+	{0x1E6B, 0x1E6B, prLower},     // L&       LATIN SMALL LETTER T WITH DOT ABOVE
+	{0x1E6C, 0x1E6C, prUpper},     // L&       LATIN CAPITAL LETTER T WITH DOT BELOW
+	{0x1E6D, 0x1E6D, prLower},     // L&       LATIN SMALL LETTER T WITH DOT BELOW
+	{0x1E6E, 0x1E6E, prUpper},     // L&       LATIN CAPITAL LETTER T WITH LINE BELOW
+	{0x1E6F, 0x1E6F, prLower},     // L&       LATIN SMALL LETTER T WITH LINE BELOW
+	{0x1E70, 0x1E70, prUpper},     // L&       LATIN CAPITAL LETTER T WITH CIRCUMFLEX BELOW
+	{0x1E71, 0x1E71, prLower},     // L&       LATIN SMALL LETTER T WITH CIRCUMFLEX BELOW
+	{0x1E72, 0x1E72, prUpper},     // L&       LATIN CAPITAL LETTER U WITH DIAERESIS BELOW
+	{0x1E73, 0x1E73, prLower},     // L&       LATIN SMALL LETTER U WITH DIAERESIS BELOW
+	{0x1E74, 0x1E74, prUpper},     // L&       LATIN CAPITAL LETTER U WITH TILDE BELOW
+	{0x1E75, 0x1E75, prLower},     // L&       LATIN SMALL LETTER U WITH TILDE BELOW
+	{0x1E76, 0x1E76, prUpper},     // L&       LATIN CAPITAL LETTER U WITH CIRCUMFLEX BELOW
+	{0x1E77, 0x1E77, prLower},     // L&       LATIN SMALL LETTER U WITH CIRCUMFLEX BELOW
+	{0x1E78, 0x1E78, prUpper},     // L&       LATIN CAPITAL LETTER U WITH TILDE AND ACUTE
+	{0x1E79, 0x1E79, prLower},     // L&       LATIN SMALL LETTER U WITH TILDE AND ACUTE
+	{0x1E7A, 0x1E7A, prUpper},     // L&       LATIN CAPITAL LETTER U WITH MACRON AND DIAERESIS
+	{0x1E7B, 0x1E7B, prLower},     // L&       LATIN SMALL LETTER U WITH MACRON AND DIAERESIS
+	{0x1E7C, 0x1E7C, prUpper},     // L&       LATIN CAPITAL LETTER V WITH TILDE
+	{0x1E7D, 0x1E7D, prLower},     // L&       LATIN SMALL LETTER V WITH TILDE
+	{0x1E7E, 0x1E7E, prUpper},     // L&       LATIN CAPITAL LETTER V WITH DOT BELOW
+	{0x1E7F, 0x1E7F, prLower},     // L&       LATIN SMALL LETTER V WITH DOT BELOW
+	{0x1E80, 0x1E80, prUpper},     // L&       LATIN CAPITAL LETTER W WITH GRAVE
+	{0x1E81, 0x1E81, prLower},     // L&       LATIN SMALL LETTER W WITH GRAVE
+	{0x1E82, 0x1E82, prUpper},     // L&       LATIN CAPITAL LETTER W WITH ACUTE
+	{0x1E83, 0x1E83, prLower},     // L&       LATIN SMALL LETTER W WITH ACUTE
+	{0x1E84, 0x1E84, prUpper},     // L&       LATIN CAPITAL LETTER W WITH DIAERESIS
+	{0x1E85, 0x1E85, prLower},     // L&       LATIN SMALL LETTER W WITH DIAERESIS
+	{0x1E86, 0x1E86, prUpper},     // L&       LATIN CAPITAL LETTER W WITH DOT ABOVE
+	{0x1E87, 0x1E87, prLower},     // L&       LATIN SMALL LETTER W WITH DOT ABOVE
+	{0x1E88, 0x1E88, prUpper},     // L&       LATIN CAPITAL LETTER W WITH DOT BELOW
+	{0x1E89, 0x1E89, prLower},     // L&       LATIN SMALL LETTER W WITH DOT BELOW
+	{0x1E8A, 0x1E8A, prUpper},     // L&       LATIN CAPITAL LETTER X WITH DOT ABOVE
+	{0x1E8B, 0x1E8B, prLower},     // L&       LATIN SMALL LETTER X WITH DOT ABOVE
+	{0x1E8C, 0x1E8C, prUpper},     // L&       LATIN CAPITAL LETTER X WITH DIAERESIS
+	{0x1E8D, 0x1E8D, prLower},     // L&       LATIN SMALL LETTER X WITH DIAERESIS
+	{0x1E8E, 0x1E8E, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH DOT ABOVE
+	{0x1E8F, 0x1E8F, prLower},     // L&       LATIN SMALL LETTER Y WITH DOT ABOVE
+	{0x1E90, 0x1E90, prUpper},     // L&       LATIN CAPITAL LETTER Z WITH CIRCUMFLEX
+	{0x1E91, 0x1E91, prLower},     // L&       LATIN SMALL LETTER Z WITH CIRCUMFLEX
+	{0x1E92, 0x1E92, prUpper},     // L&       LATIN CAPITAL LETTER Z WITH DOT BELOW
+	{0x1E93, 0x1E93, prLower},     // L&       LATIN SMALL LETTER Z WITH DOT BELOW
+	{0x1E94, 0x1E94, prUpper},     // L&       LATIN CAPITAL LETTER Z WITH LINE BELOW
+	{0x1E95, 0x1E9D, prLower},     // L&   [9] LATIN SMALL LETTER Z WITH LINE BELOW..LATIN SMALL LETTER LONG S WITH HIGH STROKE
+	{0x1E9E, 0x1E9E, prUpper},     // L&       LATIN CAPITAL LETTER SHARP S
+	{0x1E9F, 0x1E9F, prLower},     // L&       LATIN SMALL LETTER DELTA
+	{0x1EA0, 0x1EA0, prUpper},     // L&       LATIN CAPITAL LETTER A WITH DOT BELOW
+	{0x1EA1, 0x1EA1, prLower},     // L&       LATIN SMALL LETTER A WITH DOT BELOW
+	{0x1EA2, 0x1EA2, prUpper},     // L&       LATIN CAPITAL LETTER A WITH HOOK ABOVE
+	{0x1EA3, 0x1EA3, prLower},     // L&       LATIN SMALL LETTER A WITH HOOK ABOVE
+	{0x1EA4, 0x1EA4, prUpper},     // L&       LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND ACUTE
+	{0x1EA5, 0x1EA5, prLower},     // L&       LATIN SMALL LETTER A WITH CIRCUMFLEX AND ACUTE
+	{0x1EA6, 0x1EA6, prUpper},     // L&       LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND GRAVE
+	{0x1EA7, 0x1EA7, prLower},     // L&       LATIN SMALL LETTER A WITH CIRCUMFLEX AND GRAVE
+	{0x1EA8, 0x1EA8, prUpper},     // L&       LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND HOOK ABOVE
+	{0x1EA9, 0x1EA9, prLower},     // L&       LATIN SMALL LETTER A WITH CIRCUMFLEX AND HOOK ABOVE
+	{0x1EAA, 0x1EAA, prUpper},     // L&       LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND TILDE
+	{0x1EAB, 0x1EAB, prLower},     // L&       LATIN SMALL LETTER A WITH CIRCUMFLEX AND TILDE
+	{0x1EAC, 0x1EAC, prUpper},     // L&       LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND DOT BELOW
+	{0x1EAD, 0x1EAD, prLower},     // L&       LATIN SMALL LETTER A WITH CIRCUMFLEX AND DOT BELOW
+	{0x1EAE, 0x1EAE, prUpper},     // L&       LATIN CAPITAL LETTER A WITH BREVE AND ACUTE
+	{0x1EAF, 0x1EAF, prLower},     // L&       LATIN SMALL LETTER A WITH BREVE AND ACUTE
+	{0x1EB0, 0x1EB0, prUpper},     // L&       LATIN CAPITAL LETTER A WITH BREVE AND GRAVE
+	{0x1EB1, 0x1EB1, prLower},     // L&       LATIN SMALL LETTER A WITH BREVE AND GRAVE
+	{0x1EB2, 0x1EB2, prUpper},     // L&       LATIN CAPITAL LETTER A WITH BREVE AND HOOK ABOVE
+	{0x1EB3, 0x1EB3, prLower},     // L&       LATIN SMALL LETTER A WITH BREVE AND HOOK ABOVE
+	{0x1EB4, 0x1EB4, prUpper},     // L&       LATIN CAPITAL LETTER A WITH BREVE AND TILDE
+	{0x1EB5, 0x1EB5, prLower},     // L&       LATIN SMALL LETTER A WITH BREVE AND TILDE
+	{0x1EB6, 0x1EB6, prUpper},     // L&       LATIN CAPITAL LETTER A WITH BREVE AND DOT BELOW
+	{0x1EB7, 0x1EB7, prLower},     // L&       LATIN SMALL LETTER A WITH BREVE AND DOT BELOW
+	{0x1EB8, 0x1EB8, prUpper},     // L&       LATIN CAPITAL LETTER E WITH DOT BELOW
+	{0x1EB9, 0x1EB9, prLower},     // L&       LATIN SMALL LETTER E WITH DOT BELOW
+	{0x1EBA, 0x1EBA, prUpper},     // L&       LATIN CAPITAL LETTER E WITH HOOK ABOVE
+	{0x1EBB, 0x1EBB, prLower},     // L&       LATIN SMALL LETTER E WITH HOOK ABOVE
+	{0x1EBC, 0x1EBC, prUpper},     // L&       LATIN CAPITAL LETTER E WITH TILDE
+	{0x1EBD, 0x1EBD, prLower},     // L&       LATIN SMALL LETTER E WITH TILDE
+	{0x1EBE, 0x1EBE, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND ACUTE
+	{0x1EBF, 0x1EBF, prLower},     // L&       LATIN SMALL LETTER E WITH CIRCUMFLEX AND ACUTE
+	{0x1EC0, 0x1EC0, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND GRAVE
+	{0x1EC1, 0x1EC1, prLower},     // L&       LATIN SMALL LETTER E WITH CIRCUMFLEX AND GRAVE
+	{0x1EC2, 0x1EC2, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND HOOK ABOVE
+	{0x1EC3, 0x1EC3, prLower},     // L&       LATIN SMALL LETTER E WITH CIRCUMFLEX AND HOOK ABOVE
+	{0x1EC4, 0x1EC4, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND TILDE
+	{0x1EC5, 0x1EC5, prLower},     // L&       LATIN SMALL LETTER E WITH CIRCUMFLEX AND TILDE
+	{0x1EC6, 0x1EC6, prUpper},     // L&       LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND DOT BELOW
+	{0x1EC7, 0x1EC7, prLower},     // L&       LATIN SMALL LETTER E WITH CIRCUMFLEX AND DOT BELOW
+	{0x1EC8, 0x1EC8, prUpper},     // L&       LATIN CAPITAL LETTER I WITH HOOK ABOVE
+	{0x1EC9, 0x1EC9, prLower},     // L&       LATIN SMALL LETTER I WITH HOOK ABOVE
+	{0x1ECA, 0x1ECA, prUpper},     // L&       LATIN CAPITAL LETTER I WITH DOT BELOW
+	{0x1ECB, 0x1ECB, prLower},     // L&       LATIN SMALL LETTER I WITH DOT BELOW
+	{0x1ECC, 0x1ECC, prUpper},     // L&       LATIN CAPITAL LETTER O WITH DOT BELOW
+	{0x1ECD, 0x1ECD, prLower},     // L&       LATIN SMALL LETTER O WITH DOT BELOW
+	{0x1ECE, 0x1ECE, prUpper},     // L&       LATIN CAPITAL LETTER O WITH HOOK ABOVE
+	{0x1ECF, 0x1ECF, prLower},     // L&       LATIN SMALL LETTER O WITH HOOK ABOVE
+	{0x1ED0, 0x1ED0, prUpper},     // L&       LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND ACUTE
+	{0x1ED1, 0x1ED1, prLower},     // L&       LATIN SMALL LETTER O WITH CIRCUMFLEX AND ACUTE
+	{0x1ED2, 0x1ED2, prUpper},     // L&       LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND GRAVE
+	{0x1ED3, 0x1ED3, prLower},     // L&       LATIN SMALL LETTER O WITH CIRCUMFLEX AND GRAVE
+	{0x1ED4, 0x1ED4, prUpper},     // L&       LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND HOOK ABOVE
+	{0x1ED5, 0x1ED5, prLower},     // L&       LATIN SMALL LETTER O WITH CIRCUMFLEX AND HOOK ABOVE
+	{0x1ED6, 0x1ED6, prUpper},     // L&       LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND TILDE
+	{0x1ED7, 0x1ED7, prLower},     // L&       LATIN SMALL LETTER O WITH CIRCUMFLEX AND TILDE
+	{0x1ED8, 0x1ED8, prUpper},     // L&       LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND DOT BELOW
+	{0x1ED9, 0x1ED9, prLower},     // L&       LATIN SMALL LETTER O WITH CIRCUMFLEX AND DOT BELOW
+	{0x1EDA, 0x1EDA, prUpper},     // L&       LATIN CAPITAL LETTER O WITH HORN AND ACUTE
+	{0x1EDB, 0x1EDB, prLower},     // L&       LATIN SMALL LETTER O WITH HORN AND ACUTE
+	{0x1EDC, 0x1EDC, prUpper},     // L&       LATIN CAPITAL LETTER O WITH HORN AND GRAVE
+	{0x1EDD, 0x1EDD, prLower},     // L&       LATIN SMALL LETTER O WITH HORN AND GRAVE
+	{0x1EDE, 0x1EDE, prUpper},     // L&       LATIN CAPITAL LETTER O WITH HORN AND HOOK ABOVE
+	{0x1EDF, 0x1EDF, prLower},     // L&       LATIN SMALL LETTER O WITH HORN AND HOOK ABOVE
+	{0x1EE0, 0x1EE0, prUpper},     // L&       LATIN CAPITAL LETTER O WITH HORN AND TILDE
+	{0x1EE1, 0x1EE1, prLower},     // L&       LATIN SMALL LETTER O WITH HORN AND TILDE
+	{0x1EE2, 0x1EE2, prUpper},     // L&       LATIN CAPITAL LETTER O WITH HORN AND DOT BELOW
+	{0x1EE3, 0x1EE3, prLower},     // L&       LATIN SMALL LETTER O WITH HORN AND DOT BELOW
+	{0x1EE4, 0x1EE4, prUpper},     // L&       LATIN CAPITAL LETTER U WITH DOT BELOW
+	{0x1EE5, 0x1EE5, prLower},     // L&       LATIN SMALL LETTER U WITH DOT BELOW
+	{0x1EE6, 0x1EE6, prUpper},     // L&       LATIN CAPITAL LETTER U WITH HOOK ABOVE
+	{0x1EE7, 0x1EE7, prLower},     // L&       LATIN SMALL LETTER U WITH HOOK ABOVE
+	{0x1EE8, 0x1EE8, prUpper},     // L&       LATIN CAPITAL LETTER U WITH HORN AND ACUTE
+	{0x1EE9, 0x1EE9, prLower},     // L&       LATIN SMALL LETTER U WITH HORN AND ACUTE
+	{0x1EEA, 0x1EEA, prUpper},     // L&       LATIN CAPITAL LETTER U WITH HORN AND GRAVE
+	{0x1EEB, 0x1EEB, prLower},     // L&       LATIN SMALL LETTER U WITH HORN AND GRAVE
+	{0x1EEC, 0x1EEC, prUpper},     // L&       LATIN CAPITAL LETTER U WITH HORN AND HOOK ABOVE
+	{0x1EED, 0x1EED, prLower},     // L&       LATIN SMALL LETTER U WITH HORN AND HOOK ABOVE
+	{0x1EEE, 0x1EEE, prUpper},     // L&       LATIN CAPITAL LETTER U WITH HORN AND TILDE
+	{0x1EEF, 0x1EEF, prLower},     // L&       LATIN SMALL LETTER U WITH HORN AND TILDE
+	{0x1EF0, 0x1EF0, prUpper},     // L&       LATIN CAPITAL LETTER U WITH HORN AND DOT BELOW
+	{0x1EF1, 0x1EF1, prLower},     // L&       LATIN SMALL LETTER U WITH HORN AND DOT BELOW
+	{0x1EF2, 0x1EF2, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH GRAVE
+	{0x1EF3, 0x1EF3, prLower},     // L&       LATIN SMALL LETTER Y WITH GRAVE
+	{0x1EF4, 0x1EF4, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH DOT BELOW
+	{0x1EF5, 0x1EF5, prLower},     // L&       LATIN SMALL LETTER Y WITH DOT BELOW
+	{0x1EF6, 0x1EF6, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH HOOK ABOVE
+	{0x1EF7, 0x1EF7, prLower},     // L&       LATIN SMALL LETTER Y WITH HOOK ABOVE
+	{0x1EF8, 0x1EF8, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH TILDE
+	{0x1EF9, 0x1EF9, prLower},     // L&       LATIN SMALL LETTER Y WITH TILDE
+	{0x1EFA, 0x1EFA, prUpper},     // L&       LATIN CAPITAL LETTER MIDDLE-WELSH LL
+	{0x1EFB, 0x1EFB, prLower},     // L&       LATIN SMALL LETTER MIDDLE-WELSH LL
+	{0x1EFC, 0x1EFC, prUpper},     // L&       LATIN CAPITAL LETTER MIDDLE-WELSH V
+	{0x1EFD, 0x1EFD, prLower},     // L&       LATIN SMALL LETTER MIDDLE-WELSH V
+	{0x1EFE, 0x1EFE, prUpper},     // L&       LATIN CAPITAL LETTER Y WITH LOOP
+	{0x1EFF, 0x1F07, prLower},     // L&   [9] LATIN SMALL LETTER Y WITH LOOP..GREEK SMALL LETTER ALPHA WITH DASIA AND PERISPOMENI
+	{0x1F08, 0x1F0F, prUpper},     // L&   [8] GREEK CAPITAL LETTER ALPHA WITH PSILI..GREEK CAPITAL LETTER ALPHA WITH DASIA AND PERISPOMENI
+	{0x1F10, 0x1F15, prLower},     // L&   [6] GREEK SMALL LETTER EPSILON WITH PSILI..GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA
+	{0x1F18, 0x1F1D, prUpper},     // L&   [6] GREEK CAPITAL LETTER EPSILON WITH PSILI..GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA
+	{0x1F20, 0x1F27, prLower},     // L&   [8] GREEK SMALL LETTER ETA WITH PSILI..GREEK SMALL LETTER ETA WITH DASIA AND PERISPOMENI
+	{0x1F28, 0x1F2F, prUpper},     // L&   [8] GREEK CAPITAL LETTER ETA WITH PSILI..GREEK CAPITAL LETTER ETA WITH DASIA AND PERISPOMENI
+	{0x1F30, 0x1F37, prLower},     // L&   [8] GREEK SMALL LETTER IOTA WITH PSILI..GREEK SMALL LETTER IOTA WITH DASIA AND PERISPOMENI
+	{0x1F38, 0x1F3F, prUpper},     // L&   [8] GREEK CAPITAL LETTER IOTA WITH PSILI..GREEK CAPITAL LETTER IOTA WITH DASIA AND PERISPOMENI
+	{0x1F40, 0x1F45, prLower},     // L&   [6] GREEK SMALL LETTER OMICRON WITH PSILI..GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA
+	{0x1F48, 0x1F4D, prUpper},     // L&   [6] GREEK CAPITAL LETTER OMICRON WITH PSILI..GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA
+	{0x1F50, 0x1F57, prLower},     // L&   [8] GREEK SMALL LETTER UPSILON WITH PSILI..GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	{0x1F59, 0x1F59, prUpper},     // L&       GREEK CAPITAL LETTER UPSILON WITH DASIA
+	{0x1F5B, 0x1F5B, prUpper},     // L&       GREEK CAPITAL LETTER UPSILON WITH DASIA AND VARIA
+	{0x1F5D, 0x1F5D, prUpper},     // L&       GREEK CAPITAL LETTER UPSILON WITH DASIA AND OXIA
+	{0x1F5F, 0x1F5F, prUpper},     // L&       GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	{0x1F60, 0x1F67, prLower},     // L&   [8] GREEK SMALL LETTER OMEGA WITH PSILI..GREEK SMALL LETTER OMEGA WITH DASIA AND PERISPOMENI
+	{0x1F68, 0x1F6F, prUpper},     // L&   [8] GREEK CAPITAL LETTER OMEGA WITH PSILI..GREEK CAPITAL LETTER OMEGA WITH DASIA AND PERISPOMENI
+	{0x1F70, 0x1F7D, prLower},     // L&  [14] GREEK SMALL LETTER ALPHA WITH VARIA..GREEK SMALL LETTER OMEGA WITH OXIA
+	{0x1F80, 0x1F87, prLower},     // L&   [8] GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ALPHA WITH DASIA AND PERISPOMENI AND YPOGEGRAMMENI
+	{0x1F88, 0x1F8F, prUpper},     // L&   [8] GREEK CAPITAL LETTER ALPHA WITH PSILI AND PROSGEGRAMMENI..GREEK CAPITAL LETTER ALPHA WITH DASIA AND PERISPOMENI AND PROSGEGRAMMENI
+	{0x1F90, 0x1F97, prLower},     // L&   [8] GREEK SMALL LETTER ETA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH DASIA AND PERISPOMENI AND YPOGEGRAMMENI
+	{0x1F98, 0x1F9F, prUpper},     // L&   [8] GREEK CAPITAL LETTER ETA WITH PSILI AND PROSGEGRAMMENI..GREEK CAPITAL LETTER ETA WITH DASIA AND PERISPOMENI AND PROSGEGRAMMENI
+	{0x1FA0, 0x1FA7, prLower},     // L&   [8] GREEK SMALL LETTER OMEGA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH DASIA AND PERISPOMENI AND YPOGEGRAMMENI
+	{0x1FA8, 0x1FAF, prUpper},     // L&   [8] GREEK CAPITAL LETTER OMEGA WITH PSILI AND PROSGEGRAMMENI..GREEK CAPITAL LETTER OMEGA WITH DASIA AND PERISPOMENI AND PROSGEGRAMMENI
+	{0x1FB0, 0x1FB4, prLower},     // L&   [5] GREEK SMALL LETTER ALPHA WITH VRACHY..GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FB6, 0x1FB7, prLower},     // L&   [2] GREEK SMALL LETTER ALPHA WITH PERISPOMENI..GREEK SMALL LETTER ALPHA WITH PERISPOMENI AND YPOGEGRAMMENI
+	{0x1FB8, 0x1FBC, prUpper},     // L&   [5] GREEK CAPITAL LETTER ALPHA WITH VRACHY..GREEK CAPITAL LETTER ALPHA WITH PROSGEGRAMMENI
+	{0x1FBE, 0x1FBE, prLower},     // L&       GREEK PROSGEGRAMMENI
+	{0x1FC2, 0x1FC4, prLower},     // L&   [3] GREEK SMALL LETTER ETA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FC6, 0x1FC7, prLower},     // L&   [2] GREEK SMALL LETTER ETA WITH PERISPOMENI..GREEK SMALL LETTER ETA WITH PERISPOMENI AND YPOGEGRAMMENI
+	{0x1FC8, 0x1FCC, prUpper},     // L&   [5] GREEK CAPITAL LETTER EPSILON WITH VARIA..GREEK CAPITAL LETTER ETA WITH PROSGEGRAMMENI
+	{0x1FD0, 0x1FD3, prLower},     // L&   [4] GREEK SMALL LETTER IOTA WITH VRACHY..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA
+	{0x1FD6, 0x1FD7, prLower},     // L&   [2] GREEK SMALL LETTER IOTA WITH PERISPOMENI..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND PERISPOMENI
+	{0x1FD8, 0x1FDB, prUpper},     // L&   [4] GREEK CAPITAL LETTER IOTA WITH VRACHY..GREEK CAPITAL LETTER IOTA WITH OXIA
+	{0x1FE0, 0x1FE7, prLower},     // L&   [8] GREEK SMALL LETTER UPSILON WITH VRACHY..GREEK SMALL LETTER UPSILON WITH DIALYTIKA AND PERISPOMENI
+	{0x1FE8, 0x1FEC, prUpper},     // L&   [5] GREEK CAPITAL LETTER UPSILON WITH VRACHY..GREEK CAPITAL LETTER RHO WITH DASIA
+	{0x1FF2, 0x1FF4, prLower},     // L&   [3] GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FF6, 0x1FF7, prLower},     // L&   [2] GREEK SMALL LETTER OMEGA WITH PERISPOMENI..GREEK SMALL LETTER OMEGA WITH PERISPOMENI AND YPOGEGRAMMENI
+	{0x1FF8, 0x1FFC, prUpper},     // L&   [5] GREEK CAPITAL LETTER OMICRON WITH VARIA..GREEK CAPITAL LETTER OMEGA WITH PROSGEGRAMMENI
+	{0x2000, 0x200A, prSp},        // Zs  [11] EN QUAD..HAIR SPACE
+	{0x200B, 0x200B, prFormat},    // Cf       ZERO WIDTH SPACE
+	{0x200C, 0x200D, prExtend},    // Cf   [2] ZERO WIDTH NON-JOINER..ZERO WIDTH JOINER
+	{0x200E, 0x200F, prFormat},    // Cf   [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK
+	{0x2013, 0x2014, prSContinue}, // Pd   [2] EN DASH..EM DASH
+	{0x2018, 0x2018, prClose},     // Pi       LEFT SINGLE QUOTATION MARK
+	{0x2019, 0x2019, prClose},     // Pf       RIGHT SINGLE QUOTATION MARK
+	{0x201A, 0x201A, prClose},     // Ps       SINGLE LOW-9 QUOTATION MARK
+	{0x201B, 0x201C, prClose},     // Pi   [2] SINGLE HIGH-REVERSED-9 QUOTATION MARK..LEFT DOUBLE QUOTATION MARK
+	{0x201D, 0x201D, prClose},     // Pf       RIGHT DOUBLE QUOTATION MARK
+	{0x201E, 0x201E, prClose},     // Ps       DOUBLE LOW-9 QUOTATION MARK
+	{0x201F, 0x201F, prClose},     // Pi       DOUBLE HIGH-REVERSED-9 QUOTATION MARK
+	{0x2024, 0x2024, prATerm},     // Po       ONE DOT LEADER
+	{0x2028, 0x2028, prSep},       // Zl       LINE SEPARATOR
+	{0x2029, 0x2029, prSep},       // Zp       PARAGRAPH SEPARATOR
+	{0x202A, 0x202E, prFormat},    // Cf   [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE
+	{0x202F, 0x202F, prSp},        // Zs       NARROW NO-BREAK SPACE
+	{0x2039, 0x2039, prClose},     // Pi       SINGLE LEFT-POINTING ANGLE QUOTATION MARK
+	{0x203A, 0x203A, prClose},     // Pf       SINGLE RIGHT-POINTING ANGLE QUOTATION MARK
+	{0x203C, 0x203D, prSTerm},     // Po   [2] DOUBLE EXCLAMATION MARK..INTERROBANG
+	{0x2045, 0x2045, prClose},     // Ps       LEFT SQUARE BRACKET WITH QUILL
+	{0x2046, 0x2046, prClose},     // Pe       RIGHT SQUARE BRACKET WITH QUILL
+	{0x2047, 0x2049, prSTerm},     // Po   [3] DOUBLE QUESTION MARK..EXCLAMATION QUESTION MARK
+	{0x205F, 0x205F, prSp},        // Zs       MEDIUM MATHEMATICAL SPACE
+	{0x2060, 0x2064, prFormat},    // Cf   [5] WORD JOINER..INVISIBLE PLUS
+	{0x2066, 0x206F, prFormat},    // Cf  [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES
+	{0x2071, 0x2071, prLower},     // Lm       SUPERSCRIPT LATIN SMALL LETTER I
+	{0x207D, 0x207D, prClose},     // Ps       SUPERSCRIPT LEFT PARENTHESIS
+	{0x207E, 0x207E, prClose},     // Pe       SUPERSCRIPT RIGHT PARENTHESIS
+	{0x207F, 0x207F, prLower},     // Lm       SUPERSCRIPT LATIN SMALL LETTER N
+	{0x208D, 0x208D, prClose},     // Ps       SUBSCRIPT LEFT PARENTHESIS
+	{0x208E, 0x208E, prClose},     // Pe       SUBSCRIPT RIGHT PARENTHESIS
+	{0x2090, 0x209C, prLower},     // Lm  [13] LATIN SUBSCRIPT SMALL LETTER A..LATIN SUBSCRIPT SMALL LETTER T
+	{0x20D0, 0x20DC, prExtend},    // Mn  [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE
+	{0x20DD, 0x20E0, prExtend},    // Me   [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH
+	{0x20E1, 0x20E1, prExtend},    // Mn       COMBINING LEFT RIGHT ARROW ABOVE
+	{0x20E2, 0x20E4, prExtend},    // Me   [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE
+	{0x20E5, 0x20F0, prExtend},    // Mn  [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE
+	{0x2102, 0x2102, prUpper},     // L&       DOUBLE-STRUCK CAPITAL C
+	{0x2107, 0x2107, prUpper},     // L&       EULER CONSTANT
+	{0x210A, 0x210A, prLower},     // L&       SCRIPT SMALL G
+	{0x210B, 0x210D, prUpper},     // L&   [3] SCRIPT CAPITAL H..DOUBLE-STRUCK CAPITAL H
+	{0x210E, 0x210F, prLower},     // L&   [2] PLANCK CONSTANT..PLANCK CONSTANT OVER TWO PI
+	{0x2110, 0x2112, prUpper},     // L&   [3] SCRIPT CAPITAL I..SCRIPT CAPITAL L
+	{0x2113, 0x2113, prLower},     // L&       SCRIPT SMALL L
+	{0x2115, 0x2115, prUpper},     // L&       DOUBLE-STRUCK CAPITAL N
+	{0x2119, 0x211D, prUpper},     // L&   [5] DOUBLE-STRUCK CAPITAL P..DOUBLE-STRUCK CAPITAL R
+	{0x2124, 0x2124, prUpper},     // L&       DOUBLE-STRUCK CAPITAL Z
+	{0x2126, 0x2126, prUpper},     // L&       OHM SIGN
+	{0x2128, 0x2128, prUpper},     // L&       BLACK-LETTER CAPITAL Z
+	{0x212A, 0x212D, prUpper},     // L&   [4] KELVIN SIGN..BLACK-LETTER CAPITAL C
+	{0x212F, 0x212F, prLower},     // L&       SCRIPT SMALL E
+	{0x2130, 0x2133, prUpper},     // L&   [4] SCRIPT CAPITAL E..SCRIPT CAPITAL M
+	{0x2134, 0x2134, prLower},     // L&       SCRIPT SMALL O
+	{0x2135, 0x2138, prOLetter},   // Lo   [4] ALEF SYMBOL..DALET SYMBOL
+	{0x2139, 0x2139, prLower},     // L&       INFORMATION SOURCE
+	{0x213C, 0x213D, prLower},     // L&   [2] DOUBLE-STRUCK SMALL PI..DOUBLE-STRUCK SMALL GAMMA
+	{0x213E, 0x213F, prUpper},     // L&   [2] DOUBLE-STRUCK CAPITAL GAMMA..DOUBLE-STRUCK CAPITAL PI
+	{0x2145, 0x2145, prUpper},     // L&       DOUBLE-STRUCK ITALIC CAPITAL D
+	{0x2146, 0x2149, prLower},     // L&   [4] DOUBLE-STRUCK ITALIC SMALL D..DOUBLE-STRUCK ITALIC SMALL J
+	{0x214E, 0x214E, prLower},     // L&       TURNED SMALL F
+	{0x2160, 0x216F, prUpper},     // Nl  [16] ROMAN NUMERAL ONE..ROMAN NUMERAL ONE THOUSAND
+	{0x2170, 0x217F, prLower},     // Nl  [16] SMALL ROMAN NUMERAL ONE..SMALL ROMAN NUMERAL ONE THOUSAND
+	{0x2180, 0x2182, prOLetter},   // Nl   [3] ROMAN NUMERAL ONE THOUSAND C D..ROMAN NUMERAL TEN THOUSAND
+	{0x2183, 0x2183, prUpper},     // L&       ROMAN NUMERAL REVERSED ONE HUNDRED
+	{0x2184, 0x2184, prLower},     // L&       LATIN SMALL LETTER REVERSED C
+	{0x2185, 0x2188, prOLetter},   // Nl   [4] ROMAN NUMERAL SIX LATE FORM..ROMAN NUMERAL ONE HUNDRED THOUSAND
+	{0x2308, 0x2308, prClose},     // Ps       LEFT CEILING
+	{0x2309, 0x2309, prClose},     // Pe       RIGHT CEILING
+	{0x230A, 0x230A, prClose},     // Ps       LEFT FLOOR
+	{0x230B, 0x230B, prClose},     // Pe       RIGHT FLOOR
+	{0x2329, 0x2329, prClose},     // Ps       LEFT-POINTING ANGLE BRACKET
+	{0x232A, 0x232A, prClose},     // Pe       RIGHT-POINTING ANGLE BRACKET
+	{0x24B6, 0x24CF, prUpper},     // So  [26] CIRCLED LATIN CAPITAL LETTER A..CIRCLED LATIN CAPITAL LETTER Z
+	{0x24D0, 0x24E9, prLower},     // So  [26] CIRCLED LATIN SMALL LETTER A..CIRCLED LATIN SMALL LETTER Z
+	{0x275B, 0x2760, prClose},     // So   [6] HEAVY SINGLE TURNED COMMA QUOTATION MARK ORNAMENT..HEAVY LOW DOUBLE COMMA QUOTATION MARK ORNAMENT
+	{0x2768, 0x2768, prClose},     // Ps       MEDIUM LEFT PARENTHESIS ORNAMENT
+	{0x2769, 0x2769, prClose},     // Pe       MEDIUM RIGHT PARENTHESIS ORNAMENT
+	{0x276A, 0x276A, prClose},     // Ps       MEDIUM FLATTENED LEFT PARENTHESIS ORNAMENT
+	{0x276B, 0x276B, prClose},     // Pe       MEDIUM FLATTENED RIGHT PARENTHESIS ORNAMENT
+	{0x276C, 0x276C, prClose},     // Ps       MEDIUM LEFT-POINTING ANGLE BRACKET ORNAMENT
+	{0x276D, 0x276D, prClose},     // Pe       MEDIUM RIGHT-POINTING ANGLE BRACKET ORNAMENT
+	{0x276E, 0x276E, prClose},     // Ps       HEAVY LEFT-POINTING ANGLE QUOTATION MARK ORNAMENT
+	{0x276F, 0x276F, prClose},     // Pe       HEAVY RIGHT-POINTING ANGLE QUOTATION MARK ORNAMENT
+	{0x2770, 0x2770, prClose},     // Ps       HEAVY LEFT-POINTING ANGLE BRACKET ORNAMENT
+	{0x2771, 0x2771, prClose},     // Pe       HEAVY RIGHT-POINTING ANGLE BRACKET ORNAMENT
+	{0x2772, 0x2772, prClose},     // Ps       LIGHT LEFT TORTOISE SHELL BRACKET ORNAMENT
+	{0x2773, 0x2773, prClose},     // Pe       LIGHT RIGHT TORTOISE SHELL BRACKET ORNAMENT
+	{0x2774, 0x2774, prClose},     // Ps       MEDIUM LEFT CURLY BRACKET ORNAMENT
+	{0x2775, 0x2775, prClose},     // Pe       MEDIUM RIGHT CURLY BRACKET ORNAMENT
+	{0x27C5, 0x27C5, prClose},     // Ps       LEFT S-SHAPED BAG DELIMITER
+	{0x27C6, 0x27C6, prClose},     // Pe       RIGHT S-SHAPED BAG DELIMITER
+	{0x27E6, 0x27E6, prClose},     // Ps       MATHEMATICAL LEFT WHITE SQUARE BRACKET
+	{0x27E7, 0x27E7, prClose},     // Pe       MATHEMATICAL RIGHT WHITE SQUARE BRACKET
+	{0x27E8, 0x27E8, prClose},     // Ps       MATHEMATICAL LEFT ANGLE BRACKET
+	{0x27E9, 0x27E9, prClose},     // Pe       MATHEMATICAL RIGHT ANGLE BRACKET
+	{0x27EA, 0x27EA, prClose},     // Ps       MATHEMATICAL LEFT DOUBLE ANGLE BRACKET
+	{0x27EB, 0x27EB, prClose},     // Pe       MATHEMATICAL RIGHT DOUBLE ANGLE BRACKET
+	{0x27EC, 0x27EC, prClose},     // Ps       MATHEMATICAL LEFT WHITE TORTOISE SHELL BRACKET
+	{0x27ED, 0x27ED, prClose},     // Pe       MATHEMATICAL RIGHT WHITE TORTOISE SHELL BRACKET
+	{0x27EE, 0x27EE, prClose},     // Ps       MATHEMATICAL LEFT FLATTENED PARENTHESIS
+	{0x27EF, 0x27EF, prClose},     // Pe       MATHEMATICAL RIGHT FLATTENED PARENTHESIS
+	{0x2983, 0x2983, prClose},     // Ps       LEFT WHITE CURLY BRACKET
+	{0x2984, 0x2984, prClose},     // Pe       RIGHT WHITE CURLY BRACKET
+	{0x2985, 0x2985, prClose},     // Ps       LEFT WHITE PARENTHESIS
+	{0x2986, 0x2986, prClose},     // Pe       RIGHT WHITE PARENTHESIS
+	{0x2987, 0x2987, prClose},     // Ps       Z NOTATION LEFT IMAGE BRACKET
+	{0x2988, 0x2988, prClose},     // Pe       Z NOTATION RIGHT IMAGE BRACKET
+	{0x2989, 0x2989, prClose},     // Ps       Z NOTATION LEFT BINDING BRACKET
+	{0x298A, 0x298A, prClose},     // Pe       Z NOTATION RIGHT BINDING BRACKET
+	{0x298B, 0x298B, prClose},     // Ps       LEFT SQUARE BRACKET WITH UNDERBAR
+	{0x298C, 0x298C, prClose},     // Pe       RIGHT SQUARE BRACKET WITH UNDERBAR
+	{0x298D, 0x298D, prClose},     // Ps       LEFT SQUARE BRACKET WITH TICK IN TOP CORNER
+	{0x298E, 0x298E, prClose},     // Pe       RIGHT SQUARE BRACKET WITH TICK IN BOTTOM CORNER
+	{0x298F, 0x298F, prClose},     // Ps       LEFT SQUARE BRACKET WITH TICK IN BOTTOM CORNER
+	{0x2990, 0x2990, prClose},     // Pe       RIGHT SQUARE BRACKET WITH TICK IN TOP CORNER
+	{0x2991, 0x2991, prClose},     // Ps       LEFT ANGLE BRACKET WITH DOT
+	{0x2992, 0x2992, prClose},     // Pe       RIGHT ANGLE BRACKET WITH DOT
+	{0x2993, 0x2993, prClose},     // Ps       LEFT ARC LESS-THAN BRACKET
+	{0x2994, 0x2994, prClose},     // Pe       RIGHT ARC GREATER-THAN BRACKET
+	{0x2995, 0x2995, prClose},     // Ps       DOUBLE LEFT ARC GREATER-THAN BRACKET
+	{0x2996, 0x2996, prClose},     // Pe       DOUBLE RIGHT ARC LESS-THAN BRACKET
+	{0x2997, 0x2997, prClose},     // Ps       LEFT BLACK TORTOISE SHELL BRACKET
+	{0x2998, 0x2998, prClose},     // Pe       RIGHT BLACK TORTOISE SHELL BRACKET
+	{0x29D8, 0x29D8, prClose},     // Ps       LEFT WIGGLY FENCE
+	{0x29D9, 0x29D9, prClose},     // Pe       RIGHT WIGGLY FENCE
+	{0x29DA, 0x29DA, prClose},     // Ps       LEFT DOUBLE WIGGLY FENCE
+	{0x29DB, 0x29DB, prClose},     // Pe       RIGHT DOUBLE WIGGLY FENCE
+	{0x29FC, 0x29FC, prClose},     // Ps       LEFT-POINTING CURVED ANGLE BRACKET
+	{0x29FD, 0x29FD, prClose},     // Pe       RIGHT-POINTING CURVED ANGLE BRACKET
+	{0x2C00, 0x2C2F, prUpper},     // L&  [48] GLAGOLITIC CAPITAL LETTER AZU..GLAGOLITIC CAPITAL LETTER CAUDATE CHRIVI
+	{0x2C30, 0x2C5F, prLower},     // L&  [48] GLAGOLITIC SMALL LETTER AZU..GLAGOLITIC SMALL LETTER CAUDATE CHRIVI
+	{0x2C60, 0x2C60, prUpper},     // L&       LATIN CAPITAL LETTER L WITH DOUBLE BAR
+	{0x2C61, 0x2C61, prLower},     // L&       LATIN SMALL LETTER L WITH DOUBLE BAR
+	{0x2C62, 0x2C64, prUpper},     // L&   [3] LATIN CAPITAL LETTER L WITH MIDDLE TILDE..LATIN CAPITAL LETTER R WITH TAIL
+	{0x2C65, 0x2C66, prLower},     // L&   [2] LATIN SMALL LETTER A WITH STROKE..LATIN SMALL LETTER T WITH DIAGONAL STROKE
+	{0x2C67, 0x2C67, prUpper},     // L&       LATIN CAPITAL LETTER H WITH DESCENDER
+	{0x2C68, 0x2C68, prLower},     // L&       LATIN SMALL LETTER H WITH DESCENDER
+	{0x2C69, 0x2C69, prUpper},     // L&       LATIN CAPITAL LETTER K WITH DESCENDER
+	{0x2C6A, 0x2C6A, prLower},     // L&       LATIN SMALL LETTER K WITH DESCENDER
+	{0x2C6B, 0x2C6B, prUpper},     // L&       LATIN CAPITAL LETTER Z WITH DESCENDER
+	{0x2C6C, 0x2C6C, prLower},     // L&       LATIN SMALL LETTER Z WITH DESCENDER
+	{0x2C6D, 0x2C70, prUpper},     // L&   [4] LATIN CAPITAL LETTER ALPHA..LATIN CAPITAL LETTER TURNED ALPHA
+	{0x2C71, 0x2C71, prLower},     // L&       LATIN SMALL LETTER V WITH RIGHT HOOK
+	{0x2C72, 0x2C72, prUpper},     // L&       LATIN CAPITAL LETTER W WITH HOOK
+	{0x2C73, 0x2C74, prLower},     // L&   [2] LATIN SMALL LETTER W WITH HOOK..LATIN SMALL LETTER V WITH CURL
+	{0x2C75, 0x2C75, prUpper},     // L&       LATIN CAPITAL LETTER HALF H
+	{0x2C76, 0x2C7B, prLower},     // L&   [6] LATIN SMALL LETTER HALF H..LATIN LETTER SMALL CAPITAL TURNED E
+	{0x2C7C, 0x2C7D, prLower},     // Lm   [2] LATIN SUBSCRIPT SMALL LETTER J..MODIFIER LETTER CAPITAL V
+	{0x2C7E, 0x2C80, prUpper},     // L&   [3] LATIN CAPITAL LETTER S WITH SWASH TAIL..COPTIC CAPITAL LETTER ALFA
+	{0x2C81, 0x2C81, prLower},     // L&       COPTIC SMALL LETTER ALFA
+	{0x2C82, 0x2C82, prUpper},     // L&       COPTIC CAPITAL LETTER VIDA
+	{0x2C83, 0x2C83, prLower},     // L&       COPTIC SMALL LETTER VIDA
+	{0x2C84, 0x2C84, prUpper},     // L&       COPTIC CAPITAL LETTER GAMMA
+	{0x2C85, 0x2C85, prLower},     // L&       COPTIC SMALL LETTER GAMMA
+	{0x2C86, 0x2C86, prUpper},     // L&       COPTIC CAPITAL LETTER DALDA
+	{0x2C87, 0x2C87, prLower},     // L&       COPTIC SMALL LETTER DALDA
+	{0x2C88, 0x2C88, prUpper},     // L&       COPTIC CAPITAL LETTER EIE
+	{0x2C89, 0x2C89, prLower},     // L&       COPTIC SMALL LETTER EIE
+	{0x2C8A, 0x2C8A, prUpper},     // L&       COPTIC CAPITAL LETTER SOU
+	{0x2C8B, 0x2C8B, prLower},     // L&       COPTIC SMALL LETTER SOU
+	{0x2C8C, 0x2C8C, prUpper},     // L&       COPTIC CAPITAL LETTER ZATA
+	{0x2C8D, 0x2C8D, prLower},     // L&       COPTIC SMALL LETTER ZATA
+	{0x2C8E, 0x2C8E, prUpper},     // L&       COPTIC CAPITAL LETTER HATE
+	{0x2C8F, 0x2C8F, prLower},     // L&       COPTIC SMALL LETTER HATE
+	{0x2C90, 0x2C90, prUpper},     // L&       COPTIC CAPITAL LETTER THETHE
+	{0x2C91, 0x2C91, prLower},     // L&       COPTIC SMALL LETTER THETHE
+	{0x2C92, 0x2C92, prUpper},     // L&       COPTIC CAPITAL LETTER IAUDA
+	{0x2C93, 0x2C93, prLower},     // L&       COPTIC SMALL LETTER IAUDA
+	{0x2C94, 0x2C94, prUpper},     // L&       COPTIC CAPITAL LETTER KAPA
+	{0x2C95, 0x2C95, prLower},     // L&       COPTIC SMALL LETTER KAPA
+	{0x2C96, 0x2C96, prUpper},     // L&       COPTIC CAPITAL LETTER LAULA
+	{0x2C97, 0x2C97, prLower},     // L&       COPTIC SMALL LETTER LAULA
+	{0x2C98, 0x2C98, prUpper},     // L&       COPTIC CAPITAL LETTER MI
+	{0x2C99, 0x2C99, prLower},     // L&       COPTIC SMALL LETTER MI
+	{0x2C9A, 0x2C9A, prUpper},     // L&       COPTIC CAPITAL LETTER NI
+	{0x2C9B, 0x2C9B, prLower},     // L&       COPTIC SMALL LETTER NI
+	{0x2C9C, 0x2C9C, prUpper},     // L&       COPTIC CAPITAL LETTER KSI
+	{0x2C9D, 0x2C9D, prLower},     // L&       COPTIC SMALL LETTER KSI
+	{0x2C9E, 0x2C9E, prUpper},     // L&       COPTIC CAPITAL LETTER O
+	{0x2C9F, 0x2C9F, prLower},     // L&       COPTIC SMALL LETTER O
+	{0x2CA0, 0x2CA0, prUpper},     // L&       COPTIC CAPITAL LETTER PI
+	{0x2CA1, 0x2CA1, prLower},     // L&       COPTIC SMALL LETTER PI
+	{0x2CA2, 0x2CA2, prUpper},     // L&       COPTIC CAPITAL LETTER RO
+	{0x2CA3, 0x2CA3, prLower},     // L&       COPTIC SMALL LETTER RO
+	{0x2CA4, 0x2CA4, prUpper},     // L&       COPTIC CAPITAL LETTER SIMA
+	{0x2CA5, 0x2CA5, prLower},     // L&       COPTIC SMALL LETTER SIMA
+	{0x2CA6, 0x2CA6, prUpper},     // L&       COPTIC CAPITAL LETTER TAU
+	{0x2CA7, 0x2CA7, prLower},     // L&       COPTIC SMALL LETTER TAU
+	{0x2CA8, 0x2CA8, prUpper},     // L&       COPTIC CAPITAL LETTER UA
+	{0x2CA9, 0x2CA9, prLower},     // L&       COPTIC SMALL LETTER UA
+	{0x2CAA, 0x2CAA, prUpper},     // L&       COPTIC CAPITAL LETTER FI
+	{0x2CAB, 0x2CAB, prLower},     // L&       COPTIC SMALL LETTER FI
+	{0x2CAC, 0x2CAC, prUpper},     // L&       COPTIC CAPITAL LETTER KHI
+	{0x2CAD, 0x2CAD, prLower},     // L&       COPTIC SMALL LETTER KHI
+	{0x2CAE, 0x2CAE, prUpper},     // L&       COPTIC CAPITAL LETTER PSI
+	{0x2CAF, 0x2CAF, prLower},     // L&       COPTIC SMALL LETTER PSI
+	{0x2CB0, 0x2CB0, prUpper},     // L&       COPTIC CAPITAL LETTER OOU
+	{0x2CB1, 0x2CB1, prLower},     // L&       COPTIC SMALL LETTER OOU
+	{0x2CB2, 0x2CB2, prUpper},     // L&       COPTIC CAPITAL LETTER DIALECT-P ALEF
+	{0x2CB3, 0x2CB3, prLower},     // L&       COPTIC SMALL LETTER DIALECT-P ALEF
+	{0x2CB4, 0x2CB4, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC AIN
+	{0x2CB5, 0x2CB5, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC AIN
+	{0x2CB6, 0x2CB6, prUpper},     // L&       COPTIC CAPITAL LETTER CRYPTOGRAMMIC EIE
+	{0x2CB7, 0x2CB7, prLower},     // L&       COPTIC SMALL LETTER CRYPTOGRAMMIC EIE
+	{0x2CB8, 0x2CB8, prUpper},     // L&       COPTIC CAPITAL LETTER DIALECT-P KAPA
+	{0x2CB9, 0x2CB9, prLower},     // L&       COPTIC SMALL LETTER DIALECT-P KAPA
+	{0x2CBA, 0x2CBA, prUpper},     // L&       COPTIC CAPITAL LETTER DIALECT-P NI
+	{0x2CBB, 0x2CBB, prLower},     // L&       COPTIC SMALL LETTER DIALECT-P NI
+	{0x2CBC, 0x2CBC, prUpper},     // L&       COPTIC CAPITAL LETTER CRYPTOGRAMMIC NI
+	{0x2CBD, 0x2CBD, prLower},     // L&       COPTIC SMALL LETTER CRYPTOGRAMMIC NI
+	{0x2CBE, 0x2CBE, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC OOU
+	{0x2CBF, 0x2CBF, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC OOU
+	{0x2CC0, 0x2CC0, prUpper},     // L&       COPTIC CAPITAL LETTER SAMPI
+	{0x2CC1, 0x2CC1, prLower},     // L&       COPTIC SMALL LETTER SAMPI
+	{0x2CC2, 0x2CC2, prUpper},     // L&       COPTIC CAPITAL LETTER CROSSED SHEI
+	{0x2CC3, 0x2CC3, prLower},     // L&       COPTIC SMALL LETTER CROSSED SHEI
+	{0x2CC4, 0x2CC4, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC SHEI
+	{0x2CC5, 0x2CC5, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC SHEI
+	{0x2CC6, 0x2CC6, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC ESH
+	{0x2CC7, 0x2CC7, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC ESH
+	{0x2CC8, 0x2CC8, prUpper},     // L&       COPTIC CAPITAL LETTER AKHMIMIC KHEI
+	{0x2CC9, 0x2CC9, prLower},     // L&       COPTIC SMALL LETTER AKHMIMIC KHEI
+	{0x2CCA, 0x2CCA, prUpper},     // L&       COPTIC CAPITAL LETTER DIALECT-P HORI
+	{0x2CCB, 0x2CCB, prLower},     // L&       COPTIC SMALL LETTER DIALECT-P HORI
+	{0x2CCC, 0x2CCC, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC HORI
+	{0x2CCD, 0x2CCD, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC HORI
+	{0x2CCE, 0x2CCE, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC HA
+	{0x2CCF, 0x2CCF, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC HA
+	{0x2CD0, 0x2CD0, prUpper},     // L&       COPTIC CAPITAL LETTER L-SHAPED HA
+	{0x2CD1, 0x2CD1, prLower},     // L&       COPTIC SMALL LETTER L-SHAPED HA
+	{0x2CD2, 0x2CD2, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC HEI
+	{0x2CD3, 0x2CD3, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC HEI
+	{0x2CD4, 0x2CD4, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC HAT
+	{0x2CD5, 0x2CD5, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC HAT
+	{0x2CD6, 0x2CD6, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC GANGIA
+	{0x2CD7, 0x2CD7, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC GANGIA
+	{0x2CD8, 0x2CD8, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC DJA
+	{0x2CD9, 0x2CD9, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC DJA
+	{0x2CDA, 0x2CDA, prUpper},     // L&       COPTIC CAPITAL LETTER OLD COPTIC SHIMA
+	{0x2CDB, 0x2CDB, prLower},     // L&       COPTIC SMALL LETTER OLD COPTIC SHIMA
+	{0x2CDC, 0x2CDC, prUpper},     // L&       COPTIC CAPITAL LETTER OLD NUBIAN SHIMA
+	{0x2CDD, 0x2CDD, prLower},     // L&       COPTIC SMALL LETTER OLD NUBIAN SHIMA
+	{0x2CDE, 0x2CDE, prUpper},     // L&       COPTIC CAPITAL LETTER OLD NUBIAN NGI
+	{0x2CDF, 0x2CDF, prLower},     // L&       COPTIC SMALL LETTER OLD NUBIAN NGI
+	{0x2CE0, 0x2CE0, prUpper},     // L&       COPTIC CAPITAL LETTER OLD NUBIAN NYI
+	{0x2CE1, 0x2CE1, prLower},     // L&       COPTIC SMALL LETTER OLD NUBIAN NYI
+	{0x2CE2, 0x2CE2, prUpper},     // L&       COPTIC CAPITAL LETTER OLD NUBIAN WAU
+	{0x2CE3, 0x2CE4, prLower},     // L&   [2] COPTIC SMALL LETTER OLD NUBIAN WAU..COPTIC SYMBOL KAI
+	{0x2CEB, 0x2CEB, prUpper},     // L&       COPTIC CAPITAL LETTER CRYPTOGRAMMIC SHEI
+	{0x2CEC, 0x2CEC, prLower},     // L&       COPTIC SMALL LETTER CRYPTOGRAMMIC SHEI
+	{0x2CED, 0x2CED, prUpper},     // L&       COPTIC CAPITAL LETTER CRYPTOGRAMMIC GANGIA
+	{0x2CEE, 0x2CEE, prLower},     // L&       COPTIC SMALL LETTER CRYPTOGRAMMIC GANGIA
+	{0x2CEF, 0x2CF1, prExtend},    // Mn   [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS
+	{0x2CF2, 0x2CF2, prUpper},     // L&       COPTIC CAPITAL LETTER BOHAIRIC KHEI
+	{0x2CF3, 0x2CF3, prLower},     // L&       COPTIC SMALL LETTER BOHAIRIC KHEI
+	{0x2D00, 0x2D25, prLower},     // L&  [38] GEORGIAN SMALL LETTER AN..GEORGIAN SMALL LETTER HOE
+	{0x2D27, 0x2D27, prLower},     // L&       GEORGIAN SMALL LETTER YN
+	{0x2D2D, 0x2D2D, prLower},     // L&       GEORGIAN SMALL LETTER AEN
+	{0x2D30, 0x2D67, prOLetter},   // Lo  [56] TIFINAGH LETTER YA..TIFINAGH LETTER YO
+	{0x2D6F, 0x2D6F, prOLetter},   // Lm       TIFINAGH MODIFIER LETTER LABIALIZATION MARK
+	{0x2D7F, 0x2D7F, prExtend},    // Mn       TIFINAGH CONSONANT JOINER
+	{0x2D80, 0x2D96, prOLetter},   // Lo  [23] ETHIOPIC SYLLABLE LOA..ETHIOPIC SYLLABLE GGWE
+	{0x2DA0, 0x2DA6, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE SSA..ETHIOPIC SYLLABLE SSO
+	{0x2DA8, 0x2DAE, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE CCA..ETHIOPIC SYLLABLE CCO
+	{0x2DB0, 0x2DB6, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE ZZA..ETHIOPIC SYLLABLE ZZO
+	{0x2DB8, 0x2DBE, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE CCHA..ETHIOPIC SYLLABLE CCHO
+	{0x2DC0, 0x2DC6, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE QYA..ETHIOPIC SYLLABLE QYO
+	{0x2DC8, 0x2DCE, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE KYA..ETHIOPIC SYLLABLE KYO
+	{0x2DD0, 0x2DD6, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE XYA..ETHIOPIC SYLLABLE XYO
+	{0x2DD8, 0x2DDE, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE GYA..ETHIOPIC SYLLABLE GYO
+	{0x2DE0, 0x2DFF, prExtend},    // Mn  [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+	{0x2E00, 0x2E01, prClose},     // Po   [2] RIGHT ANGLE SUBSTITUTION MARKER..RIGHT ANGLE DOTTED SUBSTITUTION MARKER
+	{0x2E02, 0x2E02, prClose},     // Pi       LEFT SUBSTITUTION BRACKET
+	{0x2E03, 0x2E03, prClose},     // Pf       RIGHT SUBSTITUTION BRACKET
+	{0x2E04, 0x2E04, prClose},     // Pi       LEFT DOTTED SUBSTITUTION BRACKET
+	{0x2E05, 0x2E05, prClose},     // Pf       RIGHT DOTTED SUBSTITUTION BRACKET
+	{0x2E06, 0x2E08, prClose},     // Po   [3] RAISED INTERPOLATION MARKER..DOTTED TRANSPOSITION MARKER
+	{0x2E09, 0x2E09, prClose},     // Pi       LEFT TRANSPOSITION BRACKET
+	{0x2E0A, 0x2E0A, prClose},     // Pf       RIGHT TRANSPOSITION BRACKET
+	{0x2E0B, 0x2E0B, prClose},     // Po       RAISED SQUARE
+	{0x2E0C, 0x2E0C, prClose},     // Pi       LEFT RAISED OMISSION BRACKET
+	{0x2E0D, 0x2E0D, prClose},     // Pf       RIGHT RAISED OMISSION BRACKET
+	{0x2E1C, 0x2E1C, prClose},     // Pi       LEFT LOW PARAPHRASE BRACKET
+	{0x2E1D, 0x2E1D, prClose},     // Pf       RIGHT LOW PARAPHRASE BRACKET
+	{0x2E20, 0x2E20, prClose},     // Pi       LEFT VERTICAL BAR WITH QUILL
+	{0x2E21, 0x2E21, prClose},     // Pf       RIGHT VERTICAL BAR WITH QUILL
+	{0x2E22, 0x2E22, prClose},     // Ps       TOP LEFT HALF BRACKET
+	{0x2E23, 0x2E23, prClose},     // Pe       TOP RIGHT HALF BRACKET
+	{0x2E24, 0x2E24, prClose},     // Ps       BOTTOM LEFT HALF BRACKET
+	{0x2E25, 0x2E25, prClose},     // Pe       BOTTOM RIGHT HALF BRACKET
+	{0x2E26, 0x2E26, prClose},     // Ps       LEFT SIDEWAYS U BRACKET
+	{0x2E27, 0x2E27, prClose},     // Pe       RIGHT SIDEWAYS U BRACKET
+	{0x2E28, 0x2E28, prClose},     // Ps       LEFT DOUBLE PARENTHESIS
+	{0x2E29, 0x2E29, prClose},     // Pe       RIGHT DOUBLE PARENTHESIS
+	{0x2E2E, 0x2E2E, prSTerm},     // Po       REVERSED QUESTION MARK
+	{0x2E2F, 0x2E2F, prOLetter},   // Lm       VERTICAL TILDE
+	{0x2E3C, 0x2E3C, prSTerm},     // Po       STENOGRAPHIC FULL STOP
+	{0x2E42, 0x2E42, prClose},     // Ps       DOUBLE LOW-REVERSED-9 QUOTATION MARK
+	{0x2E53, 0x2E54, prSTerm},     // Po   [2] MEDIEVAL EXCLAMATION MARK..MEDIEVAL QUESTION MARK
+	{0x2E55, 0x2E55, prClose},     // Ps       LEFT SQUARE BRACKET WITH STROKE
+	{0x2E56, 0x2E56, prClose},     // Pe       RIGHT SQUARE BRACKET WITH STROKE
+	{0x2E57, 0x2E57, prClose},     // Ps       LEFT SQUARE BRACKET WITH DOUBLE STROKE
+	{0x2E58, 0x2E58, prClose},     // Pe       RIGHT SQUARE BRACKET WITH DOUBLE STROKE
+	{0x2E59, 0x2E59, prClose},     // Ps       TOP HALF LEFT PARENTHESIS
+	{0x2E5A, 0x2E5A, prClose},     // Pe       TOP HALF RIGHT PARENTHESIS
+	{0x2E5B, 0x2E5B, prClose},     // Ps       BOTTOM HALF LEFT PARENTHESIS
+	{0x2E5C, 0x2E5C, prClose},     // Pe       BOTTOM HALF RIGHT PARENTHESIS
+	{0x3000, 0x3000, prSp},        // Zs       IDEOGRAPHIC SPACE
+	{0x3001, 0x3001, prSContinue}, // Po       IDEOGRAPHIC COMMA
+	{0x3002, 0x3002, prSTerm},     // Po       IDEOGRAPHIC FULL STOP
+	{0x3005, 0x3005, prOLetter},   // Lm       IDEOGRAPHIC ITERATION MARK
+	{0x3006, 0x3006, prOLetter},   // Lo       IDEOGRAPHIC CLOSING MARK
+	{0x3007, 0x3007, prOLetter},   // Nl       IDEOGRAPHIC NUMBER ZERO
+	{0x3008, 0x3008, prClose},     // Ps       LEFT ANGLE BRACKET
+	{0x3009, 0x3009, prClose},     // Pe       RIGHT ANGLE BRACKET
+	{0x300A, 0x300A, prClose},     // Ps       LEFT DOUBLE ANGLE BRACKET
+	{0x300B, 0x300B, prClose},     // Pe       RIGHT DOUBLE ANGLE BRACKET
+	{0x300C, 0x300C, prClose},     // Ps       LEFT CORNER BRACKET
+	{0x300D, 0x300D, prClose},     // Pe       RIGHT CORNER BRACKET
+	{0x300E, 0x300E, prClose},     // Ps       LEFT WHITE CORNER BRACKET
+	{0x300F, 0x300F, prClose},     // Pe       RIGHT WHITE CORNER BRACKET
+	{0x3010, 0x3010, prClose},     // Ps       LEFT BLACK LENTICULAR BRACKET
+	{0x3011, 0x3011, prClose},     // Pe       RIGHT BLACK LENTICULAR BRACKET
+	{0x3014, 0x3014, prClose},     // Ps       LEFT TORTOISE SHELL BRACKET
+	{0x3015, 0x3015, prClose},     // Pe       RIGHT TORTOISE SHELL BRACKET
+	{0x3016, 0x3016, prClose},     // Ps       LEFT WHITE LENTICULAR BRACKET
+	{0x3017, 0x3017, prClose},     // Pe       RIGHT WHITE LENTICULAR BRACKET
+	{0x3018, 0x3018, prClose},     // Ps       LEFT WHITE TORTOISE SHELL BRACKET
+	{0x3019, 0x3019, prClose},     // Pe       RIGHT WHITE TORTOISE SHELL BRACKET
+	{0x301A, 0x301A, prClose},     // Ps       LEFT WHITE SQUARE BRACKET
+	{0x301B, 0x301B, prClose},     // Pe       RIGHT WHITE SQUARE BRACKET
+	{0x301D, 0x301D, prClose},     // Ps       REVERSED DOUBLE PRIME QUOTATION MARK
+	{0x301E, 0x301F, prClose},     // Pe   [2] DOUBLE PRIME QUOTATION MARK..LOW DOUBLE PRIME QUOTATION MARK
+	{0x3021, 0x3029, prOLetter},   // Nl   [9] HANGZHOU NUMERAL ONE..HANGZHOU NUMERAL NINE
+	{0x302A, 0x302D, prExtend},    // Mn   [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK
+	{0x302E, 0x302F, prExtend},    // Mc   [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK
+	{0x3031, 0x3035, prOLetter},   // Lm   [5] VERTICAL KANA REPEAT MARK..VERTICAL KANA REPEAT MARK LOWER HALF
+	{0x3038, 0x303A, prOLetter},   // Nl   [3] HANGZHOU NUMERAL TEN..HANGZHOU NUMERAL THIRTY
+	{0x303B, 0x303B, prOLetter},   // Lm       VERTICAL IDEOGRAPHIC ITERATION MARK
+	{0x303C, 0x303C, prOLetter},   // Lo       MASU MARK
+	{0x3041, 0x3096, prOLetter},   // Lo  [86] HIRAGANA LETTER SMALL A..HIRAGANA LETTER SMALL KE
+	{0x3099, 0x309A, prExtend},    // Mn   [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK
+	{0x309D, 0x309E, prOLetter},   // Lm   [2] HIRAGANA ITERATION MARK..HIRAGANA VOICED ITERATION MARK
+	{0x309F, 0x309F, prOLetter},   // Lo       HIRAGANA DIGRAPH YORI
+	{0x30A1, 0x30FA, prOLetter},   // Lo  [90] KATAKANA LETTER SMALL A..KATAKANA LETTER VO
+	{0x30FC, 0x30FE, prOLetter},   // Lm   [3] KATAKANA-HIRAGANA PROLONGED SOUND MARK..KATAKANA VOICED ITERATION MARK
+	{0x30FF, 0x30FF, prOLetter},   // Lo       KATAKANA DIGRAPH KOTO
+	{0x3105, 0x312F, prOLetter},   // Lo  [43] BOPOMOFO LETTER B..BOPOMOFO LETTER NN
+	{0x3131, 0x318E, prOLetter},   // Lo  [94] HANGUL LETTER KIYEOK..HANGUL LETTER ARAEAE
+	{0x31A0, 0x31BF, prOLetter},   // Lo  [32] BOPOMOFO LETTER BU..BOPOMOFO LETTER AH
+	{0x31F0, 0x31FF, prOLetter},   // Lo  [16] KATAKANA LETTER SMALL KU..KATAKANA LETTER SMALL RO
+	{0x3400, 0x4DBF, prOLetter},   // Lo [6592] CJK UNIFIED IDEOGRAPH-3400..CJK UNIFIED IDEOGRAPH-4DBF
+	{0x4E00, 0xA014, prOLetter},   // Lo [21013] CJK UNIFIED IDEOGRAPH-4E00..YI SYLLABLE E
+	{0xA015, 0xA015, prOLetter},   // Lm       YI SYLLABLE WU
+	{0xA016, 0xA48C, prOLetter},   // Lo [1143] YI SYLLABLE BIT..YI SYLLABLE YYR
+	{0xA4D0, 0xA4F7, prOLetter},   // Lo  [40] LISU LETTER BA..LISU LETTER OE
+	{0xA4F8, 0xA4FD, prOLetter},   // Lm   [6] LISU LETTER TONE MYA TI..LISU LETTER TONE MYA JEU
+	{0xA4FF, 0xA4FF, prSTerm},     // Po       LISU PUNCTUATION FULL STOP
+	{0xA500, 0xA60B, prOLetter},   // Lo [268] VAI SYLLABLE EE..VAI SYLLABLE NG
+	{0xA60C, 0xA60C, prOLetter},   // Lm       VAI SYLLABLE LENGTHENER
+	{0xA60E, 0xA60F, prSTerm},     // Po   [2] VAI FULL STOP..VAI QUESTION MARK
+	{0xA610, 0xA61F, prOLetter},   // Lo  [16] VAI SYLLABLE NDOLE FA..VAI SYMBOL JONG
+	{0xA620, 0xA629, prNumeric},   // Nd  [10] VAI DIGIT ZERO..VAI DIGIT NINE
+	{0xA62A, 0xA62B, prOLetter},   // Lo   [2] VAI SYLLABLE NDOLE MA..VAI SYLLABLE NDOLE DO
+	{0xA640, 0xA640, prUpper},     // L&       CYRILLIC CAPITAL LETTER ZEMLYA
+	{0xA641, 0xA641, prLower},     // L&       CYRILLIC SMALL LETTER ZEMLYA
+	{0xA642, 0xA642, prUpper},     // L&       CYRILLIC CAPITAL LETTER DZELO
+	{0xA643, 0xA643, prLower},     // L&       CYRILLIC SMALL LETTER DZELO
+	{0xA644, 0xA644, prUpper},     // L&       CYRILLIC CAPITAL LETTER REVERSED DZE
+	{0xA645, 0xA645, prLower},     // L&       CYRILLIC SMALL LETTER REVERSED DZE
+	{0xA646, 0xA646, prUpper},     // L&       CYRILLIC CAPITAL LETTER IOTA
+	{0xA647, 0xA647, prLower},     // L&       CYRILLIC SMALL LETTER IOTA
+	{0xA648, 0xA648, prUpper},     // L&       CYRILLIC CAPITAL LETTER DJERV
+	{0xA649, 0xA649, prLower},     // L&       CYRILLIC SMALL LETTER DJERV
+	{0xA64A, 0xA64A, prUpper},     // L&       CYRILLIC CAPITAL LETTER MONOGRAPH UK
+	{0xA64B, 0xA64B, prLower},     // L&       CYRILLIC SMALL LETTER MONOGRAPH UK
+	{0xA64C, 0xA64C, prUpper},     // L&       CYRILLIC CAPITAL LETTER BROAD OMEGA
+	{0xA64D, 0xA64D, prLower},     // L&       CYRILLIC SMALL LETTER BROAD OMEGA
+	{0xA64E, 0xA64E, prUpper},     // L&       CYRILLIC CAPITAL LETTER NEUTRAL YER
+	{0xA64F, 0xA64F, prLower},     // L&       CYRILLIC SMALL LETTER NEUTRAL YER
+	{0xA650, 0xA650, prUpper},     // L&       CYRILLIC CAPITAL LETTER YERU WITH BACK YER
+	{0xA651, 0xA651, prLower},     // L&       CYRILLIC SMALL LETTER YERU WITH BACK YER
+	{0xA652, 0xA652, prUpper},     // L&       CYRILLIC CAPITAL LETTER IOTIFIED YAT
+	{0xA653, 0xA653, prLower},     // L&       CYRILLIC SMALL LETTER IOTIFIED YAT
+	{0xA654, 0xA654, prUpper},     // L&       CYRILLIC CAPITAL LETTER REVERSED YU
+	{0xA655, 0xA655, prLower},     // L&       CYRILLIC SMALL LETTER REVERSED YU
+	{0xA656, 0xA656, prUpper},     // L&       CYRILLIC CAPITAL LETTER IOTIFIED A
+	{0xA657, 0xA657, prLower},     // L&       CYRILLIC SMALL LETTER IOTIFIED A
+	{0xA658, 0xA658, prUpper},     // L&       CYRILLIC CAPITAL LETTER CLOSED LITTLE YUS
+	{0xA659, 0xA659, prLower},     // L&       CYRILLIC SMALL LETTER CLOSED LITTLE YUS
+	{0xA65A, 0xA65A, prUpper},     // L&       CYRILLIC CAPITAL LETTER BLENDED YUS
+	{0xA65B, 0xA65B, prLower},     // L&       CYRILLIC SMALL LETTER BLENDED YUS
+	{0xA65C, 0xA65C, prUpper},     // L&       CYRILLIC CAPITAL LETTER IOTIFIED CLOSED LITTLE YUS
+	{0xA65D, 0xA65D, prLower},     // L&       CYRILLIC SMALL LETTER IOTIFIED CLOSED LITTLE YUS
+	{0xA65E, 0xA65E, prUpper},     // L&       CYRILLIC CAPITAL LETTER YN
+	{0xA65F, 0xA65F, prLower},     // L&       CYRILLIC SMALL LETTER YN
+	{0xA660, 0xA660, prUpper},     // L&       CYRILLIC CAPITAL LETTER REVERSED TSE
+	{0xA661, 0xA661, prLower},     // L&       CYRILLIC SMALL LETTER REVERSED TSE
+	{0xA662, 0xA662, prUpper},     // L&       CYRILLIC CAPITAL LETTER SOFT DE
+	{0xA663, 0xA663, prLower},     // L&       CYRILLIC SMALL LETTER SOFT DE
+	{0xA664, 0xA664, prUpper},     // L&       CYRILLIC CAPITAL LETTER SOFT EL
+	{0xA665, 0xA665, prLower},     // L&       CYRILLIC SMALL LETTER SOFT EL
+	{0xA666, 0xA666, prUpper},     // L&       CYRILLIC CAPITAL LETTER SOFT EM
+	{0xA667, 0xA667, prLower},     // L&       CYRILLIC SMALL LETTER SOFT EM
+	{0xA668, 0xA668, prUpper},     // L&       CYRILLIC CAPITAL LETTER MONOCULAR O
+	{0xA669, 0xA669, prLower},     // L&       CYRILLIC SMALL LETTER MONOCULAR O
+	{0xA66A, 0xA66A, prUpper},     // L&       CYRILLIC CAPITAL LETTER BINOCULAR O
+	{0xA66B, 0xA66B, prLower},     // L&       CYRILLIC SMALL LETTER BINOCULAR O
+	{0xA66C, 0xA66C, prUpper},     // L&       CYRILLIC CAPITAL LETTER DOUBLE MONOCULAR O
+	{0xA66D, 0xA66D, prLower},     // L&       CYRILLIC SMALL LETTER DOUBLE MONOCULAR O
+	{0xA66E, 0xA66E, prOLetter},   // Lo       CYRILLIC LETTER MULTIOCULAR O
+	{0xA66F, 0xA66F, prExtend},    // Mn       COMBINING CYRILLIC VZMET
+	{0xA670, 0xA672, prExtend},    // Me   [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN
+	{0xA674, 0xA67D, prExtend},    // Mn  [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK
+	{0xA67F, 0xA67F, prOLetter},   // Lm       CYRILLIC PAYEROK
+	{0xA680, 0xA680, prUpper},     // L&       CYRILLIC CAPITAL LETTER DWE
+	{0xA681, 0xA681, prLower},     // L&       CYRILLIC SMALL LETTER DWE
+	{0xA682, 0xA682, prUpper},     // L&       CYRILLIC CAPITAL LETTER DZWE
+	{0xA683, 0xA683, prLower},     // L&       CYRILLIC SMALL LETTER DZWE
+	{0xA684, 0xA684, prUpper},     // L&       CYRILLIC CAPITAL LETTER ZHWE
+	{0xA685, 0xA685, prLower},     // L&       CYRILLIC SMALL LETTER ZHWE
+	{0xA686, 0xA686, prUpper},     // L&       CYRILLIC CAPITAL LETTER CCHE
+	{0xA687, 0xA687, prLower},     // L&       CYRILLIC SMALL LETTER CCHE
+	{0xA688, 0xA688, prUpper},     // L&       CYRILLIC CAPITAL LETTER DZZE
+	{0xA689, 0xA689, prLower},     // L&       CYRILLIC SMALL LETTER DZZE
+	{0xA68A, 0xA68A, prUpper},     // L&       CYRILLIC CAPITAL LETTER TE WITH MIDDLE HOOK
+	{0xA68B, 0xA68B, prLower},     // L&       CYRILLIC SMALL LETTER TE WITH MIDDLE HOOK
+	{0xA68C, 0xA68C, prUpper},     // L&       CYRILLIC CAPITAL LETTER TWE
+	{0xA68D, 0xA68D, prLower},     // L&       CYRILLIC SMALL LETTER TWE
+	{0xA68E, 0xA68E, prUpper},     // L&       CYRILLIC CAPITAL LETTER TSWE
+	{0xA68F, 0xA68F, prLower},     // L&       CYRILLIC SMALL LETTER TSWE
+	{0xA690, 0xA690, prUpper},     // L&       CYRILLIC CAPITAL LETTER TSSE
+	{0xA691, 0xA691, prLower},     // L&       CYRILLIC SMALL LETTER TSSE
+	{0xA692, 0xA692, prUpper},     // L&       CYRILLIC CAPITAL LETTER TCHE
+	{0xA693, 0xA693, prLower},     // L&       CYRILLIC SMALL LETTER TCHE
+	{0xA694, 0xA694, prUpper},     // L&       CYRILLIC CAPITAL LETTER HWE
+	{0xA695, 0xA695, prLower},     // L&       CYRILLIC SMALL LETTER HWE
+	{0xA696, 0xA696, prUpper},     // L&       CYRILLIC CAPITAL LETTER SHWE
+	{0xA697, 0xA697, prLower},     // L&       CYRILLIC SMALL LETTER SHWE
+	{0xA698, 0xA698, prUpper},     // L&       CYRILLIC CAPITAL LETTER DOUBLE O
+	{0xA699, 0xA699, prLower},     // L&       CYRILLIC SMALL LETTER DOUBLE O
+	{0xA69A, 0xA69A, prUpper},     // L&       CYRILLIC CAPITAL LETTER CROSSED O
+	{0xA69B, 0xA69B, prLower},     // L&       CYRILLIC SMALL LETTER CROSSED O
+	{0xA69C, 0xA69D, prLower},     // Lm   [2] MODIFIER LETTER CYRILLIC HARD SIGN..MODIFIER LETTER CYRILLIC SOFT SIGN
+	{0xA69E, 0xA69F, prExtend},    // Mn   [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E
+	{0xA6A0, 0xA6E5, prOLetter},   // Lo  [70] BAMUM LETTER A..BAMUM LETTER KI
+	{0xA6E6, 0xA6EF, prOLetter},   // Nl  [10] BAMUM LETTER MO..BAMUM LETTER KOGHOM
+	{0xA6F0, 0xA6F1, prExtend},    // Mn   [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS
+	{0xA6F3, 0xA6F3, prSTerm},     // Po       BAMUM FULL STOP
+	{0xA6F7, 0xA6F7, prSTerm},     // Po       BAMUM QUESTION MARK
+	{0xA717, 0xA71F, prOLetter},   // Lm   [9] MODIFIER LETTER DOT VERTICAL BAR..MODIFIER LETTER LOW INVERTED EXCLAMATION MARK
+	{0xA722, 0xA722, prUpper},     // L&       LATIN CAPITAL LETTER EGYPTOLOGICAL ALEF
+	{0xA723, 0xA723, prLower},     // L&       LATIN SMALL LETTER EGYPTOLOGICAL ALEF
+	{0xA724, 0xA724, prUpper},     // L&       LATIN CAPITAL LETTER EGYPTOLOGICAL AIN
+	{0xA725, 0xA725, prLower},     // L&       LATIN SMALL LETTER EGYPTOLOGICAL AIN
+	{0xA726, 0xA726, prUpper},     // L&       LATIN CAPITAL LETTER HENG
+	{0xA727, 0xA727, prLower},     // L&       LATIN SMALL LETTER HENG
+	{0xA728, 0xA728, prUpper},     // L&       LATIN CAPITAL LETTER TZ
+	{0xA729, 0xA729, prLower},     // L&       LATIN SMALL LETTER TZ
+	{0xA72A, 0xA72A, prUpper},     // L&       LATIN CAPITAL LETTER TRESILLO
+	{0xA72B, 0xA72B, prLower},     // L&       LATIN SMALL LETTER TRESILLO
+	{0xA72C, 0xA72C, prUpper},     // L&       LATIN CAPITAL LETTER CUATRILLO
+	{0xA72D, 0xA72D, prLower},     // L&       LATIN SMALL LETTER CUATRILLO
+	{0xA72E, 0xA72E, prUpper},     // L&       LATIN CAPITAL LETTER CUATRILLO WITH COMMA
+	{0xA72F, 0xA731, prLower},     // L&   [3] LATIN SMALL LETTER CUATRILLO WITH COMMA..LATIN LETTER SMALL CAPITAL S
+	{0xA732, 0xA732, prUpper},     // L&       LATIN CAPITAL LETTER AA
+	{0xA733, 0xA733, prLower},     // L&       LATIN SMALL LETTER AA
+	{0xA734, 0xA734, prUpper},     // L&       LATIN CAPITAL LETTER AO
+	{0xA735, 0xA735, prLower},     // L&       LATIN SMALL LETTER AO
+	{0xA736, 0xA736, prUpper},     // L&       LATIN CAPITAL LETTER AU
+	{0xA737, 0xA737, prLower},     // L&       LATIN SMALL LETTER AU
+	{0xA738, 0xA738, prUpper},     // L&       LATIN CAPITAL LETTER AV
+	{0xA739, 0xA739, prLower},     // L&       LATIN SMALL LETTER AV
+	{0xA73A, 0xA73A, prUpper},     // L&       LATIN CAPITAL LETTER AV WITH HORIZONTAL BAR
+	{0xA73B, 0xA73B, prLower},     // L&       LATIN SMALL LETTER AV WITH HORIZONTAL BAR
+	{0xA73C, 0xA73C, prUpper},     // L&       LATIN CAPITAL LETTER AY
+	{0xA73D, 0xA73D, prLower},     // L&       LATIN SMALL LETTER AY
+	{0xA73E, 0xA73E, prUpper},     // L&       LATIN CAPITAL LETTER REVERSED C WITH DOT
+	{0xA73F, 0xA73F, prLower},     // L&       LATIN SMALL LETTER REVERSED C WITH DOT
+	{0xA740, 0xA740, prUpper},     // L&       LATIN CAPITAL LETTER K WITH STROKE
+	{0xA741, 0xA741, prLower},     // L&       LATIN SMALL LETTER K WITH STROKE
+	{0xA742, 0xA742, prUpper},     // L&       LATIN CAPITAL LETTER K WITH DIAGONAL STROKE
+	{0xA743, 0xA743, prLower},     // L&       LATIN SMALL LETTER K WITH DIAGONAL STROKE
+	{0xA744, 0xA744, prUpper},     // L&       LATIN CAPITAL LETTER K WITH STROKE AND DIAGONAL STROKE
+	{0xA745, 0xA745, prLower},     // L&       LATIN SMALL LETTER K WITH STROKE AND DIAGONAL STROKE
+	{0xA746, 0xA746, prUpper},     // L&       LATIN CAPITAL LETTER BROKEN L
+	{0xA747, 0xA747, prLower},     // L&       LATIN SMALL LETTER BROKEN L
+	{0xA748, 0xA748, prUpper},     // L&       LATIN CAPITAL LETTER L WITH HIGH STROKE
+	{0xA749, 0xA749, prLower},     // L&       LATIN SMALL LETTER L WITH HIGH STROKE
+	{0xA74A, 0xA74A, prUpper},     // L&       LATIN CAPITAL LETTER O WITH LONG STROKE OVERLAY
+	{0xA74B, 0xA74B, prLower},     // L&       LATIN SMALL LETTER O WITH LONG STROKE OVERLAY
+	{0xA74C, 0xA74C, prUpper},     // L&       LATIN CAPITAL LETTER O WITH LOOP
+	{0xA74D, 0xA74D, prLower},     // L&       LATIN SMALL LETTER O WITH LOOP
+	{0xA74E, 0xA74E, prUpper},     // L&       LATIN CAPITAL LETTER OO
+	{0xA74F, 0xA74F, prLower},     // L&       LATIN SMALL LETTER OO
+	{0xA750, 0xA750, prUpper},     // L&       LATIN CAPITAL LETTER P WITH STROKE THROUGH DESCENDER
+	{0xA751, 0xA751, prLower},     // L&       LATIN SMALL LETTER P WITH STROKE THROUGH DESCENDER
+	{0xA752, 0xA752, prUpper},     // L&       LATIN CAPITAL LETTER P WITH FLOURISH
+	{0xA753, 0xA753, prLower},     // L&       LATIN SMALL LETTER P WITH FLOURISH
+	{0xA754, 0xA754, prUpper},     // L&       LATIN CAPITAL LETTER P WITH SQUIRREL TAIL
+	{0xA755, 0xA755, prLower},     // L&       LATIN SMALL LETTER P WITH SQUIRREL TAIL
+	{0xA756, 0xA756, prUpper},     // L&       LATIN CAPITAL LETTER Q WITH STROKE THROUGH DESCENDER
+	{0xA757, 0xA757, prLower},     // L&       LATIN SMALL LETTER Q WITH STROKE THROUGH DESCENDER
+	{0xA758, 0xA758, prUpper},     // L&       LATIN CAPITAL LETTER Q WITH DIAGONAL STROKE
+	{0xA759, 0xA759, prLower},     // L&       LATIN SMALL LETTER Q WITH DIAGONAL STROKE
+	{0xA75A, 0xA75A, prUpper},     // L&       LATIN CAPITAL LETTER R ROTUNDA
+	{0xA75B, 0xA75B, prLower},     // L&       LATIN SMALL LETTER R ROTUNDA
+	{0xA75C, 0xA75C, prUpper},     // L&       LATIN CAPITAL LETTER RUM ROTUNDA
+	{0xA75D, 0xA75D, prLower},     // L&       LATIN SMALL LETTER RUM ROTUNDA
+	{0xA75E, 0xA75E, prUpper},     // L&       LATIN CAPITAL LETTER V WITH DIAGONAL STROKE
+	{0xA75F, 0xA75F, prLower},     // L&       LATIN SMALL LETTER V WITH DIAGONAL STROKE
+	{0xA760, 0xA760, prUpper},     // L&       LATIN CAPITAL LETTER VY
+	{0xA761, 0xA761, prLower},     // L&       LATIN SMALL LETTER VY
+	{0xA762, 0xA762, prUpper},     // L&       LATIN CAPITAL LETTER VISIGOTHIC Z
+	{0xA763, 0xA763, prLower},     // L&       LATIN SMALL LETTER VISIGOTHIC Z
+	{0xA764, 0xA764, prUpper},     // L&       LATIN CAPITAL LETTER THORN WITH STROKE
+	{0xA765, 0xA765, prLower},     // L&       LATIN SMALL LETTER THORN WITH STROKE
+	{0xA766, 0xA766, prUpper},     // L&       LATIN CAPITAL LETTER THORN WITH STROKE THROUGH DESCENDER
+	{0xA767, 0xA767, prLower},     // L&       LATIN SMALL LETTER THORN WITH STROKE THROUGH DESCENDER
+	{0xA768, 0xA768, prUpper},     // L&       LATIN CAPITAL LETTER VEND
+	{0xA769, 0xA769, prLower},     // L&       LATIN SMALL LETTER VEND
+	{0xA76A, 0xA76A, prUpper},     // L&       LATIN CAPITAL LETTER ET
+	{0xA76B, 0xA76B, prLower},     // L&       LATIN SMALL LETTER ET
+	{0xA76C, 0xA76C, prUpper},     // L&       LATIN CAPITAL LETTER IS
+	{0xA76D, 0xA76D, prLower},     // L&       LATIN SMALL LETTER IS
+	{0xA76E, 0xA76E, prUpper},     // L&       LATIN CAPITAL LETTER CON
+	{0xA76F, 0xA76F, prLower},     // L&       LATIN SMALL LETTER CON
+	{0xA770, 0xA770, prLower},     // Lm       MODIFIER LETTER US
+	{0xA771, 0xA778, prLower},     // L&   [8] LATIN SMALL LETTER DUM..LATIN SMALL LETTER UM
+	{0xA779, 0xA779, prUpper},     // L&       LATIN CAPITAL LETTER INSULAR D
+	{0xA77A, 0xA77A, prLower},     // L&       LATIN SMALL LETTER INSULAR D
+	{0xA77B, 0xA77B, prUpper},     // L&       LATIN CAPITAL LETTER INSULAR F
+	{0xA77C, 0xA77C, prLower},     // L&       LATIN SMALL LETTER INSULAR F
+	{0xA77D, 0xA77E, prUpper},     // L&   [2] LATIN CAPITAL LETTER INSULAR G..LATIN CAPITAL LETTER TURNED INSULAR G
+	{0xA77F, 0xA77F, prLower},     // L&       LATIN SMALL LETTER TURNED INSULAR G
+	{0xA780, 0xA780, prUpper},     // L&       LATIN CAPITAL LETTER TURNED L
+	{0xA781, 0xA781, prLower},     // L&       LATIN SMALL LETTER TURNED L
+	{0xA782, 0xA782, prUpper},     // L&       LATIN CAPITAL LETTER INSULAR R
+	{0xA783, 0xA783, prLower},     // L&       LATIN SMALL LETTER INSULAR R
+	{0xA784, 0xA784, prUpper},     // L&       LATIN CAPITAL LETTER INSULAR S
+	{0xA785, 0xA785, prLower},     // L&       LATIN SMALL LETTER INSULAR S
+	{0xA786, 0xA786, prUpper},     // L&       LATIN CAPITAL LETTER INSULAR T
+	{0xA787, 0xA787, prLower},     // L&       LATIN SMALL LETTER INSULAR T
+	{0xA788, 0xA788, prOLetter},   // Lm       MODIFIER LETTER LOW CIRCUMFLEX ACCENT
+	{0xA78B, 0xA78B, prUpper},     // L&       LATIN CAPITAL LETTER SALTILLO
+	{0xA78C, 0xA78C, prLower},     // L&       LATIN SMALL LETTER SALTILLO
+	{0xA78D, 0xA78D, prUpper},     // L&       LATIN CAPITAL LETTER TURNED H
+	{0xA78E, 0xA78E, prLower},     // L&       LATIN SMALL LETTER L WITH RETROFLEX HOOK AND BELT
+	{0xA78F, 0xA78F, prOLetter},   // Lo       LATIN LETTER SINOLOGICAL DOT
+	{0xA790, 0xA790, prUpper},     // L&       LATIN CAPITAL LETTER N WITH DESCENDER
+	{0xA791, 0xA791, prLower},     // L&       LATIN SMALL LETTER N WITH DESCENDER
+	{0xA792, 0xA792, prUpper},     // L&       LATIN CAPITAL LETTER C WITH BAR
+	{0xA793, 0xA795, prLower},     // L&   [3] LATIN SMALL LETTER C WITH BAR..LATIN SMALL LETTER H WITH PALATAL HOOK
+	{0xA796, 0xA796, prUpper},     // L&       LATIN CAPITAL LETTER B WITH FLOURISH
+	{0xA797, 0xA797, prLower},     // L&       LATIN SMALL LETTER B WITH FLOURISH
+	{0xA798, 0xA798, prUpper},     // L&       LATIN CAPITAL LETTER F WITH STROKE
+	{0xA799, 0xA799, prLower},     // L&       LATIN SMALL LETTER F WITH STROKE
+	{0xA79A, 0xA79A, prUpper},     // L&       LATIN CAPITAL LETTER VOLAPUK AE
+	{0xA79B, 0xA79B, prLower},     // L&       LATIN SMALL LETTER VOLAPUK AE
+	{0xA79C, 0xA79C, prUpper},     // L&       LATIN CAPITAL LETTER VOLAPUK OE
+	{0xA79D, 0xA79D, prLower},     // L&       LATIN SMALL LETTER VOLAPUK OE
+	{0xA79E, 0xA79E, prUpper},     // L&       LATIN CAPITAL LETTER VOLAPUK UE
+	{0xA79F, 0xA79F, prLower},     // L&       LATIN SMALL LETTER VOLAPUK UE
+	{0xA7A0, 0xA7A0, prUpper},     // L&       LATIN CAPITAL LETTER G WITH OBLIQUE STROKE
+	{0xA7A1, 0xA7A1, prLower},     // L&       LATIN SMALL LETTER G WITH OBLIQUE STROKE
+	{0xA7A2, 0xA7A2, prUpper},     // L&       LATIN CAPITAL LETTER K WITH OBLIQUE STROKE
+	{0xA7A3, 0xA7A3, prLower},     // L&       LATIN SMALL LETTER K WITH OBLIQUE STROKE
+	{0xA7A4, 0xA7A4, prUpper},     // L&       LATIN CAPITAL LETTER N WITH OBLIQUE STROKE
+	{0xA7A5, 0xA7A5, prLower},     // L&       LATIN SMALL LETTER N WITH OBLIQUE STROKE
+	{0xA7A6, 0xA7A6, prUpper},     // L&       LATIN CAPITAL LETTER R WITH OBLIQUE STROKE
+	{0xA7A7, 0xA7A7, prLower},     // L&       LATIN SMALL LETTER R WITH OBLIQUE STROKE
+	{0xA7A8, 0xA7A8, prUpper},     // L&       LATIN CAPITAL LETTER S WITH OBLIQUE STROKE
+	{0xA7A9, 0xA7A9, prLower},     // L&       LATIN SMALL LETTER S WITH OBLIQUE STROKE
+	{0xA7AA, 0xA7AE, prUpper},     // L&   [5] LATIN CAPITAL LETTER H WITH HOOK..LATIN CAPITAL LETTER SMALL CAPITAL I
+	{0xA7AF, 0xA7AF, prLower},     // L&       LATIN LETTER SMALL CAPITAL Q
+	{0xA7B0, 0xA7B4, prUpper},     // L&   [5] LATIN CAPITAL LETTER TURNED K..LATIN CAPITAL LETTER BETA
+	{0xA7B5, 0xA7B5, prLower},     // L&       LATIN SMALL LETTER BETA
+	{0xA7B6, 0xA7B6, prUpper},     // L&       LATIN CAPITAL LETTER OMEGA
+	{0xA7B7, 0xA7B7, prLower},     // L&       LATIN SMALL LETTER OMEGA
+	{0xA7B8, 0xA7B8, prUpper},     // L&       LATIN CAPITAL LETTER U WITH STROKE
+	{0xA7B9, 0xA7B9, prLower},     // L&       LATIN SMALL LETTER U WITH STROKE
+	{0xA7BA, 0xA7BA, prUpper},     // L&       LATIN CAPITAL LETTER GLOTTAL A
+	{0xA7BB, 0xA7BB, prLower},     // L&       LATIN SMALL LETTER GLOTTAL A
+	{0xA7BC, 0xA7BC, prUpper},     // L&       LATIN CAPITAL LETTER GLOTTAL I
+	{0xA7BD, 0xA7BD, prLower},     // L&       LATIN SMALL LETTER GLOTTAL I
+	{0xA7BE, 0xA7BE, prUpper},     // L&       LATIN CAPITAL LETTER GLOTTAL U
+	{0xA7BF, 0xA7BF, prLower},     // L&       LATIN SMALL LETTER GLOTTAL U
+	{0xA7C0, 0xA7C0, prUpper},     // L&       LATIN CAPITAL LETTER OLD POLISH O
+	{0xA7C1, 0xA7C1, prLower},     // L&       LATIN SMALL LETTER OLD POLISH O
+	{0xA7C2, 0xA7C2, prUpper},     // L&       LATIN CAPITAL LETTER ANGLICANA W
+	{0xA7C3, 0xA7C3, prLower},     // L&       LATIN SMALL LETTER ANGLICANA W
+	{0xA7C4, 0xA7C7, prUpper},     // L&   [4] LATIN CAPITAL LETTER C WITH PALATAL HOOK..LATIN CAPITAL LETTER D WITH SHORT STROKE OVERLAY
+	{0xA7C8, 0xA7C8, prLower},     // L&       LATIN SMALL LETTER D WITH SHORT STROKE OVERLAY
+	{0xA7C9, 0xA7C9, prUpper},     // L&       LATIN CAPITAL LETTER S WITH SHORT STROKE OVERLAY
+	{0xA7CA, 0xA7CA, prLower},     // L&       LATIN SMALL LETTER S WITH SHORT STROKE OVERLAY
+	{0xA7D0, 0xA7D0, prUpper},     // L&       LATIN CAPITAL LETTER CLOSED INSULAR G
+	{0xA7D1, 0xA7D1, prLower},     // L&       LATIN SMALL LETTER CLOSED INSULAR G
+	{0xA7D3, 0xA7D3, prLower},     // L&       LATIN SMALL LETTER DOUBLE THORN
+	{0xA7D5, 0xA7D5, prLower},     // L&       LATIN SMALL LETTER DOUBLE WYNN
+	{0xA7D6, 0xA7D6, prUpper},     // L&       LATIN CAPITAL LETTER MIDDLE SCOTS S
+	{0xA7D7, 0xA7D7, prLower},     // L&       LATIN SMALL LETTER MIDDLE SCOTS S
+	{0xA7D8, 0xA7D8, prUpper},     // L&       LATIN CAPITAL LETTER SIGMOID S
+	{0xA7D9, 0xA7D9, prLower},     // L&       LATIN SMALL LETTER SIGMOID S
+	{0xA7F2, 0xA7F4, prLower},     // Lm   [3] MODIFIER LETTER CAPITAL C..MODIFIER LETTER CAPITAL Q
+	{0xA7F5, 0xA7F5, prUpper},     // L&       LATIN CAPITAL LETTER REVERSED HALF H
+	{0xA7F6, 0xA7F6, prLower},     // L&       LATIN SMALL LETTER REVERSED HALF H
+	{0xA7F7, 0xA7F7, prOLetter},   // Lo       LATIN EPIGRAPHIC LETTER SIDEWAYS I
+	{0xA7F8, 0xA7F9, prLower},     // Lm   [2] MODIFIER LETTER CAPITAL H WITH STROKE..MODIFIER LETTER SMALL LIGATURE OE
+	{0xA7FA, 0xA7FA, prLower},     // L&       LATIN LETTER SMALL CAPITAL TURNED M
+	{0xA7FB, 0xA801, prOLetter},   // Lo   [7] LATIN EPIGRAPHIC LETTER REVERSED F..SYLOTI NAGRI LETTER I
+	{0xA802, 0xA802, prExtend},    // Mn       SYLOTI NAGRI SIGN DVISVARA
+	{0xA803, 0xA805, prOLetter},   // Lo   [3] SYLOTI NAGRI LETTER U..SYLOTI NAGRI LETTER O
+	{0xA806, 0xA806, prExtend},    // Mn       SYLOTI NAGRI SIGN HASANTA
+	{0xA807, 0xA80A, prOLetter},   // Lo   [4] SYLOTI NAGRI LETTER KO..SYLOTI NAGRI LETTER GHO
+	{0xA80B, 0xA80B, prExtend},    // Mn       SYLOTI NAGRI SIGN ANUSVARA
+	{0xA80C, 0xA822, prOLetter},   // Lo  [23] SYLOTI NAGRI LETTER CO..SYLOTI NAGRI LETTER HO
+	{0xA823, 0xA824, prExtend},    // Mc   [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I
+	{0xA825, 0xA826, prExtend},    // Mn   [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E
+	{0xA827, 0xA827, prExtend},    // Mc       SYLOTI NAGRI VOWEL SIGN OO
+	{0xA82C, 0xA82C, prExtend},    // Mn       SYLOTI NAGRI SIGN ALTERNATE HASANTA
+	{0xA840, 0xA873, prOLetter},   // Lo  [52] PHAGS-PA LETTER KA..PHAGS-PA LETTER CANDRABINDU
+	{0xA876, 0xA877, prSTerm},     // Po   [2] PHAGS-PA MARK SHAD..PHAGS-PA MARK DOUBLE SHAD
+	{0xA880, 0xA881, prExtend},    // Mc   [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA
+	{0xA882, 0xA8B3, prOLetter},   // Lo  [50] SAURASHTRA LETTER A..SAURASHTRA LETTER LLA
+	{0xA8B4, 0xA8C3, prExtend},    // Mc  [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU
+	{0xA8C4, 0xA8C5, prExtend},    // Mn   [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU
+	{0xA8CE, 0xA8CF, prSTerm},     // Po   [2] SAURASHTRA DANDA..SAURASHTRA DOUBLE DANDA
+	{0xA8D0, 0xA8D9, prNumeric},   // Nd  [10] SAURASHTRA DIGIT ZERO..SAURASHTRA DIGIT NINE
+	{0xA8E0, 0xA8F1, prExtend},    // Mn  [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA
+	{0xA8F2, 0xA8F7, prOLetter},   // Lo   [6] DEVANAGARI SIGN SPACING CANDRABINDU..DEVANAGARI SIGN CANDRABINDU AVAGRAHA
+	{0xA8FB, 0xA8FB, prOLetter},   // Lo       DEVANAGARI HEADSTROKE
+	{0xA8FD, 0xA8FE, prOLetter},   // Lo   [2] DEVANAGARI JAIN OM..DEVANAGARI LETTER AY
+	{0xA8FF, 0xA8FF, prExtend},    // Mn       DEVANAGARI VOWEL SIGN AY
+	{0xA900, 0xA909, prNumeric},   // Nd  [10] KAYAH LI DIGIT ZERO..KAYAH LI DIGIT NINE
+	{0xA90A, 0xA925, prOLetter},   // Lo  [28] KAYAH LI LETTER KA..KAYAH LI LETTER OO
+	{0xA926, 0xA92D, prExtend},    // Mn   [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU
+	{0xA92F, 0xA92F, prSTerm},     // Po       KAYAH LI SIGN SHYA
+	{0xA930, 0xA946, prOLetter},   // Lo  [23] REJANG LETTER KA..REJANG LETTER A
+	{0xA947, 0xA951, prExtend},    // Mn  [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R
+	{0xA952, 0xA953, prExtend},    // Mc   [2] REJANG CONSONANT SIGN H..REJANG VIRAMA
+	{0xA960, 0xA97C, prOLetter},   // Lo  [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH
+	{0xA980, 0xA982, prExtend},    // Mn   [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR
+	{0xA983, 0xA983, prExtend},    // Mc       JAVANESE SIGN WIGNYAN
+	{0xA984, 0xA9B2, prOLetter},   // Lo  [47] JAVANESE LETTER A..JAVANESE LETTER HA
+	{0xA9B3, 0xA9B3, prExtend},    // Mn       JAVANESE SIGN CECAK TELU
+	{0xA9B4, 0xA9B5, prExtend},    // Mc   [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG
+	{0xA9B6, 0xA9B9, prExtend},    // Mn   [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT
+	{0xA9BA, 0xA9BB, prExtend},    // Mc   [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE
+	{0xA9BC, 0xA9BD, prExtend},    // Mn   [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET
+	{0xA9BE, 0xA9C0, prExtend},    // Mc   [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON
+	{0xA9C8, 0xA9C9, prSTerm},     // Po   [2] JAVANESE PADA LINGSA..JAVANESE PADA LUNGSI
+	{0xA9CF, 0xA9CF, prOLetter},   // Lm       JAVANESE PANGRANGKEP
+	{0xA9D0, 0xA9D9, prNumeric},   // Nd  [10] JAVANESE DIGIT ZERO..JAVANESE DIGIT NINE
+	{0xA9E0, 0xA9E4, prOLetter},   // Lo   [5] MYANMAR LETTER SHAN GHA..MYANMAR LETTER SHAN BHA
+	{0xA9E5, 0xA9E5, prExtend},    // Mn       MYANMAR SIGN SHAN SAW
+	{0xA9E6, 0xA9E6, prOLetter},   // Lm       MYANMAR MODIFIER LETTER SHAN REDUPLICATION
+	{0xA9E7, 0xA9EF, prOLetter},   // Lo   [9] MYANMAR LETTER TAI LAING NYA..MYANMAR LETTER TAI LAING NNA
+	{0xA9F0, 0xA9F9, prNumeric},   // Nd  [10] MYANMAR TAI LAING DIGIT ZERO..MYANMAR TAI LAING DIGIT NINE
+	{0xA9FA, 0xA9FE, prOLetter},   // Lo   [5] MYANMAR LETTER TAI LAING LLA..MYANMAR LETTER TAI LAING BHA
+	{0xAA00, 0xAA28, prOLetter},   // Lo  [41] CHAM LETTER A..CHAM LETTER HA
+	{0xAA29, 0xAA2E, prExtend},    // Mn   [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE
+	{0xAA2F, 0xAA30, prExtend},    // Mc   [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI
+	{0xAA31, 0xAA32, prExtend},    // Mn   [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE
+	{0xAA33, 0xAA34, prExtend},    // Mc   [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA
+	{0xAA35, 0xAA36, prExtend},    // Mn   [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA
+	{0xAA40, 0xAA42, prOLetter},   // Lo   [3] CHAM LETTER FINAL K..CHAM LETTER FINAL NG
+	{0xAA43, 0xAA43, prExtend},    // Mn       CHAM CONSONANT SIGN FINAL NG
+	{0xAA44, 0xAA4B, prOLetter},   // Lo   [8] CHAM LETTER FINAL CH..CHAM LETTER FINAL SS
+	{0xAA4C, 0xAA4C, prExtend},    // Mn       CHAM CONSONANT SIGN FINAL M
+	{0xAA4D, 0xAA4D, prExtend},    // Mc       CHAM CONSONANT SIGN FINAL H
+	{0xAA50, 0xAA59, prNumeric},   // Nd  [10] CHAM DIGIT ZERO..CHAM DIGIT NINE
+	{0xAA5D, 0xAA5F, prSTerm},     // Po   [3] CHAM PUNCTUATION DANDA..CHAM PUNCTUATION TRIPLE DANDA
+	{0xAA60, 0xAA6F, prOLetter},   // Lo  [16] MYANMAR LETTER KHAMTI GA..MYANMAR LETTER KHAMTI FA
+	{0xAA70, 0xAA70, prOLetter},   // Lm       MYANMAR MODIFIER LETTER KHAMTI REDUPLICATION
+	{0xAA71, 0xAA76, prOLetter},   // Lo   [6] MYANMAR LETTER KHAMTI XA..MYANMAR LOGOGRAM KHAMTI HM
+	{0xAA7A, 0xAA7A, prOLetter},   // Lo       MYANMAR LETTER AITON RA
+	{0xAA7B, 0xAA7B, prExtend},    // Mc       MYANMAR SIGN PAO KAREN TONE
+	{0xAA7C, 0xAA7C, prExtend},    // Mn       MYANMAR SIGN TAI LAING TONE-2
+	{0xAA7D, 0xAA7D, prExtend},    // Mc       MYANMAR SIGN TAI LAING TONE-5
+	{0xAA7E, 0xAAAF, prOLetter},   // Lo  [50] MYANMAR LETTER SHWE PALAUNG CHA..TAI VIET LETTER HIGH O
+	{0xAAB0, 0xAAB0, prExtend},    // Mn       TAI VIET MAI KANG
+	{0xAAB1, 0xAAB1, prOLetter},   // Lo       TAI VIET VOWEL AA
+	{0xAAB2, 0xAAB4, prExtend},    // Mn   [3] TAI VIET VOWEL I..TAI VIET VOWEL U
+	{0xAAB5, 0xAAB6, prOLetter},   // Lo   [2] TAI VIET VOWEL E..TAI VIET VOWEL O
+	{0xAAB7, 0xAAB8, prExtend},    // Mn   [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA
+	{0xAAB9, 0xAABD, prOLetter},   // Lo   [5] TAI VIET VOWEL UEA..TAI VIET VOWEL AN
+	{0xAABE, 0xAABF, prExtend},    // Mn   [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK
+	{0xAAC0, 0xAAC0, prOLetter},   // Lo       TAI VIET TONE MAI NUENG
+	{0xAAC1, 0xAAC1, prExtend},    // Mn       TAI VIET TONE MAI THO
+	{0xAAC2, 0xAAC2, prOLetter},   // Lo       TAI VIET TONE MAI SONG
+	{0xAADB, 0xAADC, prOLetter},   // Lo   [2] TAI VIET SYMBOL KON..TAI VIET SYMBOL NUENG
+	{0xAADD, 0xAADD, prOLetter},   // Lm       TAI VIET SYMBOL SAM
+	{0xAAE0, 0xAAEA, prOLetter},   // Lo  [11] MEETEI MAYEK LETTER E..MEETEI MAYEK LETTER SSA
+	{0xAAEB, 0xAAEB, prExtend},    // Mc       MEETEI MAYEK VOWEL SIGN II
+	{0xAAEC, 0xAAED, prExtend},    // Mn   [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI
+	{0xAAEE, 0xAAEF, prExtend},    // Mc   [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU
+	{0xAAF0, 0xAAF1, prSTerm},     // Po   [2] MEETEI MAYEK CHEIKHAN..MEETEI MAYEK AHANG KHUDAM
+	{0xAAF2, 0xAAF2, prOLetter},   // Lo       MEETEI MAYEK ANJI
+	{0xAAF3, 0xAAF4, prOLetter},   // Lm   [2] MEETEI MAYEK SYLLABLE REPETITION MARK..MEETEI MAYEK WORD REPETITION MARK
+	{0xAAF5, 0xAAF5, prExtend},    // Mc       MEETEI MAYEK VOWEL SIGN VISARGA
+	{0xAAF6, 0xAAF6, prExtend},    // Mn       MEETEI MAYEK VIRAMA
+	{0xAB01, 0xAB06, prOLetter},   // Lo   [6] ETHIOPIC SYLLABLE TTHU..ETHIOPIC SYLLABLE TTHO
+	{0xAB09, 0xAB0E, prOLetter},   // Lo   [6] ETHIOPIC SYLLABLE DDHU..ETHIOPIC SYLLABLE DDHO
+	{0xAB11, 0xAB16, prOLetter},   // Lo   [6] ETHIOPIC SYLLABLE DZU..ETHIOPIC SYLLABLE DZO
+	{0xAB20, 0xAB26, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE CCHHA..ETHIOPIC SYLLABLE CCHHO
+	{0xAB28, 0xAB2E, prOLetter},   // Lo   [7] ETHIOPIC SYLLABLE BBA..ETHIOPIC SYLLABLE BBO
+	{0xAB30, 0xAB5A, prLower},     // L&  [43] LATIN SMALL LETTER BARRED ALPHA..LATIN SMALL LETTER Y WITH SHORT RIGHT LEG
+	{0xAB5C, 0xAB5F, prLower},     // Lm   [4] MODIFIER LETTER SMALL HENG..MODIFIER LETTER SMALL U WITH LEFT HOOK
+	{0xAB60, 0xAB68, prLower},     // L&   [9] LATIN SMALL LETTER SAKHA YAT..LATIN SMALL LETTER TURNED R WITH MIDDLE TILDE
+	{0xAB69, 0xAB69, prLower},     // Lm       MODIFIER LETTER SMALL TURNED W
+	{0xAB70, 0xABBF, prLower},     // L&  [80] CHEROKEE SMALL LETTER A..CHEROKEE SMALL LETTER YA
+	{0xABC0, 0xABE2, prOLetter},   // Lo  [35] MEETEI MAYEK LETTER KOK..MEETEI MAYEK LETTER I LONSUM
+	{0xABE3, 0xABE4, prExtend},    // Mc   [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP
+	{0xABE5, 0xABE5, prExtend},    // Mn       MEETEI MAYEK VOWEL SIGN ANAP
+	{0xABE6, 0xABE7, prExtend},    // Mc   [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP
+	{0xABE8, 0xABE8, prExtend},    // Mn       MEETEI MAYEK VOWEL SIGN UNAP
+	{0xABE9, 0xABEA, prExtend},    // Mc   [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG
+	{0xABEB, 0xABEB, prSTerm},     // Po       MEETEI MAYEK CHEIKHEI
+	{0xABEC, 0xABEC, prExtend},    // Mc       MEETEI MAYEK LUM IYEK
+	{0xABED, 0xABED, prExtend},    // Mn       MEETEI MAYEK APUN IYEK
+	{0xABF0, 0xABF9, prNumeric},   // Nd  [10] MEETEI MAYEK DIGIT ZERO..MEETEI MAYEK DIGIT NINE
+	{0xAC00, 0xD7A3, prOLetter},   // Lo [11172] HANGUL SYLLABLE GA..HANGUL SYLLABLE HIH
+	{0xD7B0, 0xD7C6, prOLetter},   // Lo  [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E
+	{0xD7CB, 0xD7FB, prOLetter},   // Lo  [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH
+	{0xF900, 0xFA6D, prOLetter},   // Lo [366] CJK COMPATIBILITY IDEOGRAPH-F900..CJK COMPATIBILITY IDEOGRAPH-FA6D
+	{0xFA70, 0xFAD9, prOLetter},   // Lo [106] CJK COMPATIBILITY IDEOGRAPH-FA70..CJK COMPATIBILITY IDEOGRAPH-FAD9
+	{0xFB00, 0xFB06, prLower},     // L&   [7] LATIN SMALL LIGATURE FF..LATIN SMALL LIGATURE ST
+	{0xFB13, 0xFB17, prLower},     // L&   [5] ARMENIAN SMALL LIGATURE MEN NOW..ARMENIAN SMALL LIGATURE MEN XEH
+	{0xFB1D, 0xFB1D, prOLetter},   // Lo       HEBREW LETTER YOD WITH HIRIQ
+	{0xFB1E, 0xFB1E, prExtend},    // Mn       HEBREW POINT JUDEO-SPANISH VARIKA
+	{0xFB1F, 0xFB28, prOLetter},   // Lo  [10] HEBREW LIGATURE YIDDISH YOD YOD PATAH..HEBREW LETTER WIDE TAV
+	{0xFB2A, 0xFB36, prOLetter},   // Lo  [13] HEBREW LETTER SHIN WITH SHIN DOT..HEBREW LETTER ZAYIN WITH DAGESH
+	{0xFB38, 0xFB3C, prOLetter},   // Lo   [5] HEBREW LETTER TET WITH DAGESH..HEBREW LETTER LAMED WITH DAGESH
+	{0xFB3E, 0xFB3E, prOLetter},   // Lo       HEBREW LETTER MEM WITH DAGESH
+	{0xFB40, 0xFB41, prOLetter},   // Lo   [2] HEBREW LETTER NUN WITH DAGESH..HEBREW LETTER SAMEKH WITH DAGESH
+	{0xFB43, 0xFB44, prOLetter},   // Lo   [2] HEBREW LETTER FINAL PE WITH DAGESH..HEBREW LETTER PE WITH DAGESH
+	{0xFB46, 0xFBB1, prOLetter},   // Lo [108] HEBREW LETTER TSADI WITH DAGESH..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE FINAL FORM
+	{0xFBD3, 0xFD3D, prOLetter},   // Lo [363] ARABIC LETTER NG ISOLATED FORM..ARABIC LIGATURE ALEF WITH FATHATAN ISOLATED FORM
+	{0xFD3E, 0xFD3E, prClose},     // Pe       ORNATE LEFT PARENTHESIS
+	{0xFD3F, 0xFD3F, prClose},     // Ps       ORNATE RIGHT PARENTHESIS
+	{0xFD50, 0xFD8F, prOLetter},   // Lo  [64] ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM..ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM
+	{0xFD92, 0xFDC7, prOLetter},   // Lo  [54] ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM..ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM
+	{0xFDF0, 0xFDFB, prOLetter},   // Lo  [12] ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM..ARABIC LIGATURE JALLAJALALOUHOU
+	{0xFE00, 0xFE0F, prExtend},    // Mn  [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16
+	{0xFE10, 0xFE11, prSContinue}, // Po   [2] PRESENTATION FORM FOR VERTICAL COMMA..PRESENTATION FORM FOR VERTICAL IDEOGRAPHIC COMMA
+	{0xFE13, 0xFE13, prSContinue}, // Po       PRESENTATION FORM FOR VERTICAL COLON
+	{0xFE17, 0xFE17, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT WHITE LENTICULAR BRACKET
+	{0xFE18, 0xFE18, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT WHITE LENTICULAR BRAKCET
+	{0xFE20, 0xFE2F, prExtend},    // Mn  [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF
+	{0xFE31, 0xFE32, prSContinue}, // Pd   [2] PRESENTATION FORM FOR VERTICAL EM DASH..PRESENTATION FORM FOR VERTICAL EN DASH
+	{0xFE35, 0xFE35, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT PARENTHESIS
+	{0xFE36, 0xFE36, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT PARENTHESIS
+	{0xFE37, 0xFE37, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT CURLY BRACKET
+	{0xFE38, 0xFE38, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT CURLY BRACKET
+	{0xFE39, 0xFE39, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT TORTOISE SHELL BRACKET
+	{0xFE3A, 0xFE3A, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT TORTOISE SHELL BRACKET
+	{0xFE3B, 0xFE3B, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT BLACK LENTICULAR BRACKET
+	{0xFE3C, 0xFE3C, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT BLACK LENTICULAR BRACKET
+	{0xFE3D, 0xFE3D, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT DOUBLE ANGLE BRACKET
+	{0xFE3E, 0xFE3E, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT DOUBLE ANGLE BRACKET
+	{0xFE3F, 0xFE3F, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT ANGLE BRACKET
+	{0xFE40, 0xFE40, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT ANGLE BRACKET
+	{0xFE41, 0xFE41, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT CORNER BRACKET
+	{0xFE42, 0xFE42, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT CORNER BRACKET
+	{0xFE43, 0xFE43, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT WHITE CORNER BRACKET
+	{0xFE44, 0xFE44, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT WHITE CORNER BRACKET
+	{0xFE47, 0xFE47, prClose},     // Ps       PRESENTATION FORM FOR VERTICAL LEFT SQUARE BRACKET
+	{0xFE48, 0xFE48, prClose},     // Pe       PRESENTATION FORM FOR VERTICAL RIGHT SQUARE BRACKET
+	{0xFE50, 0xFE51, prSContinue}, // Po   [2] SMALL COMMA..SMALL IDEOGRAPHIC COMMA
+	{0xFE52, 0xFE52, prATerm},     // Po       SMALL FULL STOP
+	{0xFE55, 0xFE55, prSContinue}, // Po       SMALL COLON
+	{0xFE56, 0xFE57, prSTerm},     // Po   [2] SMALL QUESTION MARK..SMALL EXCLAMATION MARK
+	{0xFE58, 0xFE58, prSContinue}, // Pd       SMALL EM DASH
+	{0xFE59, 0xFE59, prClose},     // Ps       SMALL LEFT PARENTHESIS
+	{0xFE5A, 0xFE5A, prClose},     // Pe       SMALL RIGHT PARENTHESIS
+	{0xFE5B, 0xFE5B, prClose},     // Ps       SMALL LEFT CURLY BRACKET
+	{0xFE5C, 0xFE5C, prClose},     // Pe       SMALL RIGHT CURLY BRACKET
+	{0xFE5D, 0xFE5D, prClose},     // Ps       SMALL LEFT TORTOISE SHELL BRACKET
+	{0xFE5E, 0xFE5E, prClose},     // Pe       SMALL RIGHT TORTOISE SHELL BRACKET
+	{0xFE63, 0xFE63, prSContinue}, // Pd       SMALL HYPHEN-MINUS
+	{0xFE70, 0xFE74, prOLetter},   // Lo   [5] ARABIC FATHATAN ISOLATED FORM..ARABIC KASRATAN ISOLATED FORM
+	{0xFE76, 0xFEFC, prOLetter},   // Lo [135] ARABIC FATHA ISOLATED FORM..ARABIC LIGATURE LAM WITH ALEF FINAL FORM
+	{0xFEFF, 0xFEFF, prFormat},    // Cf       ZERO WIDTH NO-BREAK SPACE
+	{0xFF01, 0xFF01, prSTerm},     // Po       FULLWIDTH EXCLAMATION MARK
+	{0xFF08, 0xFF08, prClose},     // Ps       FULLWIDTH LEFT PARENTHESIS
+	{0xFF09, 0xFF09, prClose},     // Pe       FULLWIDTH RIGHT PARENTHESIS
+	{0xFF0C, 0xFF0C, prSContinue}, // Po       FULLWIDTH COMMA
+	{0xFF0D, 0xFF0D, prSContinue}, // Pd       FULLWIDTH HYPHEN-MINUS
+	{0xFF0E, 0xFF0E, prATerm},     // Po       FULLWIDTH FULL STOP
+	{0xFF10, 0xFF19, prNumeric},   // Nd  [10] FULLWIDTH DIGIT ZERO..FULLWIDTH DIGIT NINE
+	{0xFF1A, 0xFF1A, prSContinue}, // Po       FULLWIDTH COLON
+	{0xFF1F, 0xFF1F, prSTerm},     // Po       FULLWIDTH QUESTION MARK
+	{0xFF21, 0xFF3A, prUpper},     // L&  [26] FULLWIDTH LATIN CAPITAL LETTER A..FULLWIDTH LATIN CAPITAL LETTER Z
+	{0xFF3B, 0xFF3B, prClose},     // Ps       FULLWIDTH LEFT SQUARE BRACKET
+	{0xFF3D, 0xFF3D, prClose},     // Pe       FULLWIDTH RIGHT SQUARE BRACKET
+	{0xFF41, 0xFF5A, prLower},     // L&  [26] FULLWIDTH LATIN SMALL LETTER A..FULLWIDTH LATIN SMALL LETTER Z
+	{0xFF5B, 0xFF5B, prClose},     // Ps       FULLWIDTH LEFT CURLY BRACKET
+	{0xFF5D, 0xFF5D, prClose},     // Pe       FULLWIDTH RIGHT CURLY BRACKET
+	{0xFF5F, 0xFF5F, prClose},     // Ps       FULLWIDTH LEFT WHITE PARENTHESIS
+	{0xFF60, 0xFF60, prClose},     // Pe       FULLWIDTH RIGHT WHITE PARENTHESIS
+	{0xFF61, 0xFF61, prSTerm},     // Po       HALFWIDTH IDEOGRAPHIC FULL STOP
+	{0xFF62, 0xFF62, prClose},     // Ps       HALFWIDTH LEFT CORNER BRACKET
+	{0xFF63, 0xFF63, prClose},     // Pe       HALFWIDTH RIGHT CORNER BRACKET
+	{0xFF64, 0xFF64, prSContinue}, // Po       HALFWIDTH IDEOGRAPHIC COMMA
+	{0xFF66, 0xFF6F, prOLetter},   // Lo  [10] HALFWIDTH KATAKANA LETTER WO..HALFWIDTH KATAKANA LETTER SMALL TU
+	{0xFF70, 0xFF70, prOLetter},   // Lm       HALFWIDTH KATAKANA-HIRAGANA PROLONGED SOUND MARK
+	{0xFF71, 0xFF9D, prOLetter},   // Lo  [45] HALFWIDTH KATAKANA LETTER A..HALFWIDTH KATAKANA LETTER N
+	{0xFF9E, 0xFF9F, prExtend},    // Lm   [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK
+	{0xFFA0, 0xFFBE, prOLetter},   // Lo  [31] HALFWIDTH HANGUL FILLER..HALFWIDTH HANGUL LETTER HIEUH
+	{0xFFC2, 0xFFC7, prOLetter},   // Lo   [6] HALFWIDTH HANGUL LETTER A..HALFWIDTH HANGUL LETTER E
+	{0xFFCA, 0xFFCF, prOLetter},   // Lo   [6] HALFWIDTH HANGUL LETTER YEO..HALFWIDTH HANGUL LETTER OE
+	{0xFFD2, 0xFFD7, prOLetter},   // Lo   [6] HALFWIDTH HANGUL LETTER YO..HALFWIDTH HANGUL LETTER YU
+	{0xFFDA, 0xFFDC, prOLetter},   // Lo   [3] HALFWIDTH HANGUL LETTER EU..HALFWIDTH HANGUL LETTER I
+	{0xFFF9, 0xFFFB, prFormat},    // Cf   [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR
+	{0x10000, 0x1000B, prOLetter}, // Lo  [12] LINEAR B SYLLABLE B008 A..LINEAR B SYLLABLE B046 JE
+	{0x1000D, 0x10026, prOLetter}, // Lo  [26] LINEAR B SYLLABLE B036 JO..LINEAR B SYLLABLE B032 QO
+	{0x10028, 0x1003A, prOLetter}, // Lo  [19] LINEAR B SYLLABLE B060 RA..LINEAR B SYLLABLE B042 WO
+	{0x1003C, 0x1003D, prOLetter}, // Lo   [2] LINEAR B SYLLABLE B017 ZA..LINEAR B SYLLABLE B074 ZE
+	{0x1003F, 0x1004D, prOLetter}, // Lo  [15] LINEAR B SYLLABLE B020 ZO..LINEAR B SYLLABLE B091 TWO
+	{0x10050, 0x1005D, prOLetter}, // Lo  [14] LINEAR B SYMBOL B018..LINEAR B SYMBOL B089
+	{0x10080, 0x100FA, prOLetter}, // Lo [123] LINEAR B IDEOGRAM B100 MAN..LINEAR B IDEOGRAM VESSEL B305
+	{0x10140, 0x10174, prOLetter}, // Nl  [53] GREEK ACROPHONIC ATTIC ONE QUARTER..GREEK ACROPHONIC STRATIAN FIFTY MNAS
+	{0x101FD, 0x101FD, prExtend},  // Mn       PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE
+	{0x10280, 0x1029C, prOLetter}, // Lo  [29] LYCIAN LETTER A..LYCIAN LETTER X
+	{0x102A0, 0x102D0, prOLetter}, // Lo  [49] CARIAN LETTER A..CARIAN LETTER UUU3
+	{0x102E0, 0x102E0, prExtend},  // Mn       COPTIC EPACT THOUSANDS MARK
+	{0x10300, 0x1031F, prOLetter}, // Lo  [32] OLD ITALIC LETTER A..OLD ITALIC LETTER ESS
+	{0x1032D, 0x10340, prOLetter}, // Lo  [20] OLD ITALIC LETTER YE..GOTHIC LETTER PAIRTHRA
+	{0x10341, 0x10341, prOLetter}, // Nl       GOTHIC LETTER NINETY
+	{0x10342, 0x10349, prOLetter}, // Lo   [8] GOTHIC LETTER RAIDA..GOTHIC LETTER OTHAL
+	{0x1034A, 0x1034A, prOLetter}, // Nl       GOTHIC LETTER NINE HUNDRED
+	{0x10350, 0x10375, prOLetter}, // Lo  [38] OLD PERMIC LETTER AN..OLD PERMIC LETTER IA
+	{0x10376, 0x1037A, prExtend},  // Mn   [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII
+	{0x10380, 0x1039D, prOLetter}, // Lo  [30] UGARITIC LETTER ALPA..UGARITIC LETTER SSU
+	{0x103A0, 0x103C3, prOLetter}, // Lo  [36] OLD PERSIAN SIGN A..OLD PERSIAN SIGN HA
+	{0x103C8, 0x103CF, prOLetter}, // Lo   [8] OLD PERSIAN SIGN AURAMAZDAA..OLD PERSIAN SIGN BUUMISH
+	{0x103D1, 0x103D5, prOLetter}, // Nl   [5] OLD PERSIAN NUMBER ONE..OLD PERSIAN NUMBER HUNDRED
+	{0x10400, 0x10427, prUpper},   // L&  [40] DESERET CAPITAL LETTER LONG I..DESERET CAPITAL LETTER EW
+	{0x10428, 0x1044F, prLower},   // L&  [40] DESERET SMALL LETTER LONG I..DESERET SMALL LETTER EW
+	{0x10450, 0x1049D, prOLetter}, // Lo  [78] SHAVIAN LETTER PEEP..OSMANYA LETTER OO
+	{0x104A0, 0x104A9, prNumeric}, // Nd  [10] OSMANYA DIGIT ZERO..OSMANYA DIGIT NINE
+	{0x104B0, 0x104D3, prUpper},   // L&  [36] OSAGE CAPITAL LETTER A..OSAGE CAPITAL LETTER ZHA
+	{0x104D8, 0x104FB, prLower},   // L&  [36] OSAGE SMALL LETTER A..OSAGE SMALL LETTER ZHA
+	{0x10500, 0x10527, prOLetter}, // Lo  [40] ELBASAN LETTER A..ELBASAN LETTER KHE
+	{0x10530, 0x10563, prOLetter}, // Lo  [52] CAUCASIAN ALBANIAN LETTER ALT..CAUCASIAN ALBANIAN LETTER KIW
+	{0x10570, 0x1057A, prUpper},   // L&  [11] VITHKUQI CAPITAL LETTER A..VITHKUQI CAPITAL LETTER GA
+	{0x1057C, 0x1058A, prUpper},   // L&  [15] VITHKUQI CAPITAL LETTER HA..VITHKUQI CAPITAL LETTER RE
+	{0x1058C, 0x10592, prUpper},   // L&   [7] VITHKUQI CAPITAL LETTER SE..VITHKUQI CAPITAL LETTER XE
+	{0x10594, 0x10595, prUpper},   // L&   [2] VITHKUQI CAPITAL LETTER Y..VITHKUQI CAPITAL LETTER ZE
+	{0x10597, 0x105A1, prLower},   // L&  [11] VITHKUQI SMALL LETTER A..VITHKUQI SMALL LETTER GA
+	{0x105A3, 0x105B1, prLower},   // L&  [15] VITHKUQI SMALL LETTER HA..VITHKUQI SMALL LETTER RE
+	{0x105B3, 0x105B9, prLower},   // L&   [7] VITHKUQI SMALL LETTER SE..VITHKUQI SMALL LETTER XE
+	{0x105BB, 0x105BC, prLower},   // L&   [2] VITHKUQI SMALL LETTER Y..VITHKUQI SMALL LETTER ZE
+	{0x10600, 0x10736, prOLetter}, // Lo [311] LINEAR A SIGN AB001..LINEAR A SIGN A664
+	{0x10740, 0x10755, prOLetter}, // Lo  [22] LINEAR A SIGN A701 A..LINEAR A SIGN A732 JE
+	{0x10760, 0x10767, prOLetter}, // Lo   [8] LINEAR A SIGN A800..LINEAR A SIGN A807
+	{0x10780, 0x10780, prLower},   // Lm       MODIFIER LETTER SMALL CAPITAL AA
+	{0x10781, 0x10782, prOLetter}, // Lm   [2] MODIFIER LETTER SUPERSCRIPT TRIANGULAR COLON..MODIFIER LETTER SUPERSCRIPT HALF TRIANGULAR COLON
+	{0x10783, 0x10785, prLower},   // Lm   [3] MODIFIER LETTER SMALL AE..MODIFIER LETTER SMALL B WITH HOOK
+	{0x10787, 0x107B0, prLower},   // Lm  [42] MODIFIER LETTER SMALL DZ DIGRAPH..MODIFIER LETTER SMALL V WITH RIGHT HOOK
+	{0x107B2, 0x107BA, prLower},   // Lm   [9] MODIFIER LETTER SMALL CAPITAL Y..MODIFIER LETTER SMALL S WITH CURL
+	{0x10800, 0x10805, prOLetter}, // Lo   [6] CYPRIOT SYLLABLE A..CYPRIOT SYLLABLE JA
+	{0x10808, 0x10808, prOLetter}, // Lo       CYPRIOT SYLLABLE JO
+	{0x1080A, 0x10835, prOLetter}, // Lo  [44] CYPRIOT SYLLABLE KA..CYPRIOT SYLLABLE WO
+	{0x10837, 0x10838, prOLetter}, // Lo   [2] CYPRIOT SYLLABLE XA..CYPRIOT SYLLABLE XE
+	{0x1083C, 0x1083C, prOLetter}, // Lo       CYPRIOT SYLLABLE ZA
+	{0x1083F, 0x10855, prOLetter}, // Lo  [23] CYPRIOT SYLLABLE ZO..IMPERIAL ARAMAIC LETTER TAW
+	{0x10860, 0x10876, prOLetter}, // Lo  [23] PALMYRENE LETTER ALEPH..PALMYRENE LETTER TAW
+	{0x10880, 0x1089E, prOLetter}, // Lo  [31] NABATAEAN LETTER FINAL ALEPH..NABATAEAN LETTER TAW
+	{0x108E0, 0x108F2, prOLetter}, // Lo  [19] HATRAN LETTER ALEPH..HATRAN LETTER QOPH
+	{0x108F4, 0x108F5, prOLetter}, // Lo   [2] HATRAN LETTER SHIN..HATRAN LETTER TAW
+	{0x10900, 0x10915, prOLetter}, // Lo  [22] PHOENICIAN LETTER ALF..PHOENICIAN LETTER TAU
+	{0x10920, 0x10939, prOLetter}, // Lo  [26] LYDIAN LETTER A..LYDIAN LETTER C
+	{0x10980, 0x109B7, prOLetter}, // Lo  [56] MEROITIC HIEROGLYPHIC LETTER A..MEROITIC CURSIVE LETTER DA
+	{0x109BE, 0x109BF, prOLetter}, // Lo   [2] MEROITIC CURSIVE LOGOGRAM RMT..MEROITIC CURSIVE LOGOGRAM IMN
+	{0x10A00, 0x10A00, prOLetter}, // Lo       KHAROSHTHI LETTER A
+	{0x10A01, 0x10A03, prExtend},  // Mn   [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R
+	{0x10A05, 0x10A06, prExtend},  // Mn   [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O
+	{0x10A0C, 0x10A0F, prExtend},  // Mn   [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA
+	{0x10A10, 0x10A13, prOLetter}, // Lo   [4] KHAROSHTHI LETTER KA..KHAROSHTHI LETTER GHA
+	{0x10A15, 0x10A17, prOLetter}, // Lo   [3] KHAROSHTHI LETTER CA..KHAROSHTHI LETTER JA
+	{0x10A19, 0x10A35, prOLetter}, // Lo  [29] KHAROSHTHI LETTER NYA..KHAROSHTHI LETTER VHA
+	{0x10A38, 0x10A3A, prExtend},  // Mn   [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW
+	{0x10A3F, 0x10A3F, prExtend},  // Mn       KHAROSHTHI VIRAMA
+	{0x10A56, 0x10A57, prSTerm},   // Po   [2] KHAROSHTHI PUNCTUATION DANDA..KHAROSHTHI PUNCTUATION DOUBLE DANDA
+	{0x10A60, 0x10A7C, prOLetter}, // Lo  [29] OLD SOUTH ARABIAN LETTER HE..OLD SOUTH ARABIAN LETTER THETH
+	{0x10A80, 0x10A9C, prOLetter}, // Lo  [29] OLD NORTH ARABIAN LETTER HEH..OLD NORTH ARABIAN LETTER ZAH
+	{0x10AC0, 0x10AC7, prOLetter}, // Lo   [8] MANICHAEAN LETTER ALEPH..MANICHAEAN LETTER WAW
+	{0x10AC9, 0x10AE4, prOLetter}, // Lo  [28] MANICHAEAN LETTER ZAYIN..MANICHAEAN LETTER TAW
+	{0x10AE5, 0x10AE6, prExtend},  // Mn   [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW
+	{0x10B00, 0x10B35, prOLetter}, // Lo  [54] AVESTAN LETTER A..AVESTAN LETTER HE
+	{0x10B40, 0x10B55, prOLetter}, // Lo  [22] INSCRIPTIONAL PARTHIAN LETTER ALEPH..INSCRIPTIONAL PARTHIAN LETTER TAW
+	{0x10B60, 0x10B72, prOLetter}, // Lo  [19] INSCRIPTIONAL PAHLAVI LETTER ALEPH..INSCRIPTIONAL PAHLAVI LETTER TAW
+	{0x10B80, 0x10B91, prOLetter}, // Lo  [18] PSALTER PAHLAVI LETTER ALEPH..PSALTER PAHLAVI LETTER TAW
+	{0x10C00, 0x10C48, prOLetter}, // Lo  [73] OLD TURKIC LETTER ORKHON A..OLD TURKIC LETTER ORKHON BASH
+	{0x10C80, 0x10CB2, prUpper},   // L&  [51] OLD HUNGARIAN CAPITAL LETTER A..OLD HUNGARIAN CAPITAL LETTER US
+	{0x10CC0, 0x10CF2, prLower},   // L&  [51] OLD HUNGARIAN SMALL LETTER A..OLD HUNGARIAN SMALL LETTER US
+	{0x10D00, 0x10D23, prOLetter}, // Lo  [36] HANIFI ROHINGYA LETTER A..HANIFI ROHINGYA MARK NA KHONNA
+	{0x10D24, 0x10D27, prExtend},  // Mn   [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI
+	{0x10D30, 0x10D39, prNumeric}, // Nd  [10] HANIFI ROHINGYA DIGIT ZERO..HANIFI ROHINGYA DIGIT NINE
+	{0x10E80, 0x10EA9, prOLetter}, // Lo  [42] YEZIDI LETTER ELIF..YEZIDI LETTER ET
+	{0x10EAB, 0x10EAC, prExtend},  // Mn   [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK
+	{0x10EB0, 0x10EB1, prOLetter}, // Lo   [2] YEZIDI LETTER LAM WITH DOT ABOVE..YEZIDI LETTER YOT WITH CIRCUMFLEX ABOVE
+	{0x10EFD, 0x10EFF, prExtend},  // Mn   [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA
+	{0x10F00, 0x10F1C, prOLetter}, // Lo  [29] OLD SOGDIAN LETTER ALEPH..OLD SOGDIAN LETTER FINAL TAW WITH VERTICAL TAIL
+	{0x10F27, 0x10F27, prOLetter}, // Lo       OLD SOGDIAN LIGATURE AYIN-DALETH
+	{0x10F30, 0x10F45, prOLetter}, // Lo  [22] SOGDIAN LETTER ALEPH..SOGDIAN INDEPENDENT SHIN
+	{0x10F46, 0x10F50, prExtend},  // Mn  [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW
+	{0x10F55, 0x10F59, prSTerm},   // Po   [5] SOGDIAN PUNCTUATION TWO VERTICAL BARS..SOGDIAN PUNCTUATION HALF CIRCLE WITH DOT
+	{0x10F70, 0x10F81, prOLetter}, // Lo  [18] OLD UYGHUR LETTER ALEPH..OLD UYGHUR LETTER LESH
+	{0x10F82, 0x10F85, prExtend},  // Mn   [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW
+	{0x10F86, 0x10F89, prSTerm},   // Po   [4] OLD UYGHUR PUNCTUATION BAR..OLD UYGHUR PUNCTUATION FOUR DOTS
+	{0x10FB0, 0x10FC4, prOLetter}, // Lo  [21] CHORASMIAN LETTER ALEPH..CHORASMIAN LETTER TAW
+	{0x10FE0, 0x10FF6, prOLetter}, // Lo  [23] ELYMAIC LETTER ALEPH..ELYMAIC LIGATURE ZAYIN-YODH
+	{0x11000, 0x11000, prExtend},  // Mc       BRAHMI SIGN CANDRABINDU
+	{0x11001, 0x11001, prExtend},  // Mn       BRAHMI SIGN ANUSVARA
+	{0x11002, 0x11002, prExtend},  // Mc       BRAHMI SIGN VISARGA
+	{0x11003, 0x11037, prOLetter}, // Lo  [53] BRAHMI SIGN JIHVAMULIYA..BRAHMI LETTER OLD TAMIL NNNA
+	{0x11038, 0x11046, prExtend},  // Mn  [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA
+	{0x11047, 0x11048, prSTerm},   // Po   [2] BRAHMI DANDA..BRAHMI DOUBLE DANDA
+	{0x11066, 0x1106F, prNumeric}, // Nd  [10] BRAHMI DIGIT ZERO..BRAHMI DIGIT NINE
+	{0x11070, 0x11070, prExtend},  // Mn       BRAHMI SIGN OLD TAMIL VIRAMA
+	{0x11071, 0x11072, prOLetter}, // Lo   [2] BRAHMI LETTER OLD TAMIL SHORT E..BRAHMI LETTER OLD TAMIL SHORT O
+	{0x11073, 0x11074, prExtend},  // Mn   [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O
+	{0x11075, 0x11075, prOLetter}, // Lo       BRAHMI LETTER OLD TAMIL LLA
+	{0x1107F, 0x11081, prExtend},  // Mn   [3] BRAHMI NUMBER JOINER..KAITHI SIGN ANUSVARA
+	{0x11082, 0x11082, prExtend},  // Mc       KAITHI SIGN VISARGA
+	{0x11083, 0x110AF, prOLetter}, // Lo  [45] KAITHI LETTER A..KAITHI LETTER HA
+	{0x110B0, 0x110B2, prExtend},  // Mc   [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II
+	{0x110B3, 0x110B6, prExtend},  // Mn   [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI
+	{0x110B7, 0x110B8, prExtend},  // Mc   [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU
+	{0x110B9, 0x110BA, prExtend},  // Mn   [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA
+	{0x110BD, 0x110BD, prFormat},  // Cf       KAITHI NUMBER SIGN
+	{0x110BE, 0x110C1, prSTerm},   // Po   [4] KAITHI SECTION MARK..KAITHI DOUBLE DANDA
+	{0x110C2, 0x110C2, prExtend},  // Mn       KAITHI VOWEL SIGN VOCALIC R
+	{0x110CD, 0x110CD, prFormat},  // Cf       KAITHI NUMBER SIGN ABOVE
+	{0x110D0, 0x110E8, prOLetter}, // Lo  [25] SORA SOMPENG LETTER SAH..SORA SOMPENG LETTER MAE
+	{0x110F0, 0x110F9, prNumeric}, // Nd  [10] SORA SOMPENG DIGIT ZERO..SORA SOMPENG DIGIT NINE
+	{0x11100, 0x11102, prExtend},  // Mn   [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA
+	{0x11103, 0x11126, prOLetter}, // Lo  [36] CHAKMA LETTER AA..CHAKMA LETTER HAA
+	{0x11127, 0x1112B, prExtend},  // Mn   [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU
+	{0x1112C, 0x1112C, prExtend},  // Mc       CHAKMA VOWEL SIGN E
+	{0x1112D, 0x11134, prExtend},  // Mn   [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA
+	{0x11136, 0x1113F, prNumeric}, // Nd  [10] CHAKMA DIGIT ZERO..CHAKMA DIGIT NINE
+	{0x11141, 0x11143, prSTerm},   // Po   [3] CHAKMA DANDA..CHAKMA QUESTION MARK
+	{0x11144, 0x11144, prOLetter}, // Lo       CHAKMA LETTER LHAA
+	{0x11145, 0x11146, prExtend},  // Mc   [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI
+	{0x11147, 0x11147, prOLetter}, // Lo       CHAKMA LETTER VAA
+	{0x11150, 0x11172, prOLetter}, // Lo  [35] MAHAJANI LETTER A..MAHAJANI LETTER RRA
+	{0x11173, 0x11173, prExtend},  // Mn       MAHAJANI SIGN NUKTA
+	{0x11176, 0x11176, prOLetter}, // Lo       MAHAJANI LIGATURE SHRI
+	{0x11180, 0x11181, prExtend},  // Mn   [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA
+	{0x11182, 0x11182, prExtend},  // Mc       SHARADA SIGN VISARGA
+	{0x11183, 0x111B2, prOLetter}, // Lo  [48] SHARADA LETTER A..SHARADA LETTER HA
+	{0x111B3, 0x111B5, prExtend},  // Mc   [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II
+	{0x111B6, 0x111BE, prExtend},  // Mn   [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O
+	{0x111BF, 0x111C0, prExtend},  // Mc   [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA
+	{0x111C1, 0x111C4, prOLetter}, // Lo   [4] SHARADA SIGN AVAGRAHA..SHARADA OM
+	{0x111C5, 0x111C6, prSTerm},   // Po   [2] SHARADA DANDA..SHARADA DOUBLE DANDA
+	{0x111C9, 0x111CC, prExtend},  // Mn   [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK
+	{0x111CD, 0x111CD, prSTerm},   // Po       SHARADA SUTRA MARK
+	{0x111CE, 0x111CE, prExtend},  // Mc       SHARADA VOWEL SIGN PRISHTHAMATRA E
+	{0x111CF, 0x111CF, prExtend},  // Mn       SHARADA SIGN INVERTED CANDRABINDU
+	{0x111D0, 0x111D9, prNumeric}, // Nd  [10] SHARADA DIGIT ZERO..SHARADA DIGIT NINE
+	{0x111DA, 0x111DA, prOLetter}, // Lo       SHARADA EKAM
+	{0x111DC, 0x111DC, prOLetter}, // Lo       SHARADA HEADSTROKE
+	{0x111DE, 0x111DF, prSTerm},   // Po   [2] SHARADA SECTION MARK-1..SHARADA SECTION MARK-2
+	{0x11200, 0x11211, prOLetter}, // Lo  [18] KHOJKI LETTER A..KHOJKI LETTER JJA
+	{0x11213, 0x1122B, prOLetter}, // Lo  [25] KHOJKI LETTER NYA..KHOJKI LETTER LLA
+	{0x1122C, 0x1122E, prExtend},  // Mc   [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II
+	{0x1122F, 0x11231, prExtend},  // Mn   [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI
+	{0x11232, 0x11233, prExtend},  // Mc   [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU
+	{0x11234, 0x11234, prExtend},  // Mn       KHOJKI SIGN ANUSVARA
+	{0x11235, 0x11235, prExtend},  // Mc       KHOJKI SIGN VIRAMA
+	{0x11236, 0x11237, prExtend},  // Mn   [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA
+	{0x11238, 0x11239, prSTerm},   // Po   [2] KHOJKI DANDA..KHOJKI DOUBLE DANDA
+	{0x1123B, 0x1123C, prSTerm},   // Po   [2] KHOJKI SECTION MARK..KHOJKI DOUBLE SECTION MARK
+	{0x1123E, 0x1123E, prExtend},  // Mn       KHOJKI SIGN SUKUN
+	{0x1123F, 0x11240, prOLetter}, // Lo   [2] KHOJKI LETTER QA..KHOJKI LETTER SHORT I
+	{0x11241, 0x11241, prExtend},  // Mn       KHOJKI VOWEL SIGN VOCALIC R
+	{0x11280, 0x11286, prOLetter}, // Lo   [7] MULTANI LETTER A..MULTANI LETTER GA
+	{0x11288, 0x11288, prOLetter}, // Lo       MULTANI LETTER GHA
+	{0x1128A, 0x1128D, prOLetter}, // Lo   [4] MULTANI LETTER CA..MULTANI LETTER JJA
+	{0x1128F, 0x1129D, prOLetter}, // Lo  [15] MULTANI LETTER NYA..MULTANI LETTER BA
+	{0x1129F, 0x112A8, prOLetter}, // Lo  [10] MULTANI LETTER BHA..MULTANI LETTER RHA
+	{0x112A9, 0x112A9, prSTerm},   // Po       MULTANI SECTION MARK
+	{0x112B0, 0x112DE, prOLetter}, // Lo  [47] KHUDAWADI LETTER A..KHUDAWADI LETTER HA
+	{0x112DF, 0x112DF, prExtend},  // Mn       KHUDAWADI SIGN ANUSVARA
+	{0x112E0, 0x112E2, prExtend},  // Mc   [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II
+	{0x112E3, 0x112EA, prExtend},  // Mn   [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA
+	{0x112F0, 0x112F9, prNumeric}, // Nd  [10] KHUDAWADI DIGIT ZERO..KHUDAWADI DIGIT NINE
+	{0x11300, 0x11301, prExtend},  // Mn   [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU
+	{0x11302, 0x11303, prExtend},  // Mc   [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA
+	{0x11305, 0x1130C, prOLetter}, // Lo   [8] GRANTHA LETTER A..GRANTHA LETTER VOCALIC L
+	{0x1130F, 0x11310, prOLetter}, // Lo   [2] GRANTHA LETTER EE..GRANTHA LETTER AI
+	{0x11313, 0x11328, prOLetter}, // Lo  [22] GRANTHA LETTER OO..GRANTHA LETTER NA
+	{0x1132A, 0x11330, prOLetter}, // Lo   [7] GRANTHA LETTER PA..GRANTHA LETTER RA
+	{0x11332, 0x11333, prOLetter}, // Lo   [2] GRANTHA LETTER LA..GRANTHA LETTER LLA
+	{0x11335, 0x11339, prOLetter}, // Lo   [5] GRANTHA LETTER VA..GRANTHA LETTER HA
+	{0x1133B, 0x1133C, prExtend},  // Mn   [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA
+	{0x1133D, 0x1133D, prOLetter}, // Lo       GRANTHA SIGN AVAGRAHA
+	{0x1133E, 0x1133F, prExtend},  // Mc   [2] GRANTHA VOWEL SIGN AA..GRANTHA VOWEL SIGN I
+	{0x11340, 0x11340, prExtend},  // Mn       GRANTHA VOWEL SIGN II
+	{0x11341, 0x11344, prExtend},  // Mc   [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR
+	{0x11347, 0x11348, prExtend},  // Mc   [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI
+	{0x1134B, 0x1134D, prExtend},  // Mc   [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA
+	{0x11350, 0x11350, prOLetter}, // Lo       GRANTHA OM
+	{0x11357, 0x11357, prExtend},  // Mc       GRANTHA AU LENGTH MARK
+	{0x1135D, 0x11361, prOLetter}, // Lo   [5] GRANTHA SIGN PLUTA..GRANTHA LETTER VOCALIC LL
+	{0x11362, 0x11363, prExtend},  // Mc   [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL
+	{0x11366, 0x1136C, prExtend},  // Mn   [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX
+	{0x11370, 0x11374, prExtend},  // Mn   [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA
+	{0x11400, 0x11434, prOLetter}, // Lo  [53] NEWA LETTER A..NEWA LETTER HA
+	{0x11435, 0x11437, prExtend},  // Mc   [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II
+	{0x11438, 0x1143F, prExtend},  // Mn   [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI
+	{0x11440, 0x11441, prExtend},  // Mc   [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU
+	{0x11442, 0x11444, prExtend},  // Mn   [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA
+	{0x11445, 0x11445, prExtend},  // Mc       NEWA SIGN VISARGA
+	{0x11446, 0x11446, prExtend},  // Mn       NEWA SIGN NUKTA
+	{0x11447, 0x1144A, prOLetter}, // Lo   [4] NEWA SIGN AVAGRAHA..NEWA SIDDHI
+	{0x1144B, 0x1144C, prSTerm},   // Po   [2] NEWA DANDA..NEWA DOUBLE DANDA
+	{0x11450, 0x11459, prNumeric}, // Nd  [10] NEWA DIGIT ZERO..NEWA DIGIT NINE
+	{0x1145E, 0x1145E, prExtend},  // Mn       NEWA SANDHI MARK
+	{0x1145F, 0x11461, prOLetter}, // Lo   [3] NEWA LETTER VEDIC ANUSVARA..NEWA SIGN UPADHMANIYA
+	{0x11480, 0x114AF, prOLetter}, // Lo  [48] TIRHUTA ANJI..TIRHUTA LETTER HA
+	{0x114B0, 0x114B2, prExtend},  // Mc   [3] TIRHUTA VOWEL SIGN AA..TIRHUTA VOWEL SIGN II
+	{0x114B3, 0x114B8, prExtend},  // Mn   [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL
+	{0x114B9, 0x114B9, prExtend},  // Mc       TIRHUTA VOWEL SIGN E
+	{0x114BA, 0x114BA, prExtend},  // Mn       TIRHUTA VOWEL SIGN SHORT E
+	{0x114BB, 0x114BE, prExtend},  // Mc   [4] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN AU
+	{0x114BF, 0x114C0, prExtend},  // Mn   [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA
+	{0x114C1, 0x114C1, prExtend},  // Mc       TIRHUTA SIGN VISARGA
+	{0x114C2, 0x114C3, prExtend},  // Mn   [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA
+	{0x114C4, 0x114C5, prOLetter}, // Lo   [2] TIRHUTA SIGN AVAGRAHA..TIRHUTA GVANG
+	{0x114C7, 0x114C7, prOLetter}, // Lo       TIRHUTA OM
+	{0x114D0, 0x114D9, prNumeric}, // Nd  [10] TIRHUTA DIGIT ZERO..TIRHUTA DIGIT NINE
+	{0x11580, 0x115AE, prOLetter}, // Lo  [47] SIDDHAM LETTER A..SIDDHAM LETTER HA
+	{0x115AF, 0x115B1, prExtend},  // Mc   [3] SIDDHAM VOWEL SIGN AA..SIDDHAM VOWEL SIGN II
+	{0x115B2, 0x115B5, prExtend},  // Mn   [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR
+	{0x115B8, 0x115BB, prExtend},  // Mc   [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU
+	{0x115BC, 0x115BD, prExtend},  // Mn   [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA
+	{0x115BE, 0x115BE, prExtend},  // Mc       SIDDHAM SIGN VISARGA
+	{0x115BF, 0x115C0, prExtend},  // Mn   [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA
+	{0x115C2, 0x115C3, prSTerm},   // Po   [2] SIDDHAM DANDA..SIDDHAM DOUBLE DANDA
+	{0x115C9, 0x115D7, prSTerm},   // Po  [15] SIDDHAM END OF TEXT MARK..SIDDHAM SECTION MARK WITH CIRCLES AND FOUR ENCLOSURES
+	{0x115D8, 0x115DB, prOLetter}, // Lo   [4] SIDDHAM LETTER THREE-CIRCLE ALTERNATE I..SIDDHAM LETTER ALTERNATE U
+	{0x115DC, 0x115DD, prExtend},  // Mn   [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU
+	{0x11600, 0x1162F, prOLetter}, // Lo  [48] MODI LETTER A..MODI LETTER LLA
+	{0x11630, 0x11632, prExtend},  // Mc   [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II
+	{0x11633, 0x1163A, prExtend},  // Mn   [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI
+	{0x1163B, 0x1163C, prExtend},  // Mc   [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU
+	{0x1163D, 0x1163D, prExtend},  // Mn       MODI SIGN ANUSVARA
+	{0x1163E, 0x1163E, prExtend},  // Mc       MODI SIGN VISARGA
+	{0x1163F, 0x11640, prExtend},  // Mn   [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA
+	{0x11641, 0x11642, prSTerm},   // Po   [2] MODI DANDA..MODI DOUBLE DANDA
+	{0x11644, 0x11644, prOLetter}, // Lo       MODI SIGN HUVA
+	{0x11650, 0x11659, prNumeric}, // Nd  [10] MODI DIGIT ZERO..MODI DIGIT NINE
+	{0x11680, 0x116AA, prOLetter}, // Lo  [43] TAKRI LETTER A..TAKRI LETTER RRA
+	{0x116AB, 0x116AB, prExtend},  // Mn       TAKRI SIGN ANUSVARA
+	{0x116AC, 0x116AC, prExtend},  // Mc       TAKRI SIGN VISARGA
+	{0x116AD, 0x116AD, prExtend},  // Mn       TAKRI VOWEL SIGN AA
+	{0x116AE, 0x116AF, prExtend},  // Mc   [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II
+	{0x116B0, 0x116B5, prExtend},  // Mn   [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU
+	{0x116B6, 0x116B6, prExtend},  // Mc       TAKRI SIGN VIRAMA
+	{0x116B7, 0x116B7, prExtend},  // Mn       TAKRI SIGN NUKTA
+	{0x116B8, 0x116B8, prOLetter}, // Lo       TAKRI LETTER ARCHAIC KHA
+	{0x116C0, 0x116C9, prNumeric}, // Nd  [10] TAKRI DIGIT ZERO..TAKRI DIGIT NINE
+	{0x11700, 0x1171A, prOLetter}, // Lo  [27] AHOM LETTER KA..AHOM LETTER ALTERNATE BA
+	{0x1171D, 0x1171F, prExtend},  // Mn   [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA
+	{0x11720, 0x11721, prExtend},  // Mc   [2] AHOM VOWEL SIGN A..AHOM VOWEL SIGN AA
+	{0x11722, 0x11725, prExtend},  // Mn   [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU
+	{0x11726, 0x11726, prExtend},  // Mc       AHOM VOWEL SIGN E
+	{0x11727, 0x1172B, prExtend},  // Mn   [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER
+	{0x11730, 0x11739, prNumeric}, // Nd  [10] AHOM DIGIT ZERO..AHOM DIGIT NINE
+	{0x1173C, 0x1173E, prSTerm},   // Po   [3] AHOM SIGN SMALL SECTION..AHOM SIGN RULAI
+	{0x11740, 0x11746, prOLetter}, // Lo   [7] AHOM LETTER CA..AHOM LETTER LLA
+	{0x11800, 0x1182B, prOLetter}, // Lo  [44] DOGRA LETTER A..DOGRA LETTER RRA
+	{0x1182C, 0x1182E, prExtend},  // Mc   [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II
+	{0x1182F, 0x11837, prExtend},  // Mn   [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA
+	{0x11838, 0x11838, prExtend},  // Mc       DOGRA SIGN VISARGA
+	{0x11839, 0x1183A, prExtend},  // Mn   [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA
+	{0x118A0, 0x118BF, prUpper},   // L&  [32] WARANG CITI CAPITAL LETTER NGAA..WARANG CITI CAPITAL LETTER VIYO
+	{0x118C0, 0x118DF, prLower},   // L&  [32] WARANG CITI SMALL LETTER NGAA..WARANG CITI SMALL LETTER VIYO
+	{0x118E0, 0x118E9, prNumeric}, // Nd  [10] WARANG CITI DIGIT ZERO..WARANG CITI DIGIT NINE
+	{0x118FF, 0x11906, prOLetter}, // Lo   [8] WARANG CITI OM..DIVES AKURU LETTER E
+	{0x11909, 0x11909, prOLetter}, // Lo       DIVES AKURU LETTER O
+	{0x1190C, 0x11913, prOLetter}, // Lo   [8] DIVES AKURU LETTER KA..DIVES AKURU LETTER JA
+	{0x11915, 0x11916, prOLetter}, // Lo   [2] DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA
+	{0x11918, 0x1192F, prOLetter}, // Lo  [24] DIVES AKURU LETTER DDA..DIVES AKURU LETTER ZA
+	{0x11930, 0x11935, prExtend},  // Mc   [6] DIVES AKURU VOWEL SIGN AA..DIVES AKURU VOWEL SIGN E
+	{0x11937, 0x11938, prExtend},  // Mc   [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O
+	{0x1193B, 0x1193C, prExtend},  // Mn   [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU
+	{0x1193D, 0x1193D, prExtend},  // Mc       DIVES AKURU SIGN HALANTA
+	{0x1193E, 0x1193E, prExtend},  // Mn       DIVES AKURU VIRAMA
+	{0x1193F, 0x1193F, prOLetter}, // Lo       DIVES AKURU PREFIXED NASAL SIGN
+	{0x11940, 0x11940, prExtend},  // Mc       DIVES AKURU MEDIAL YA
+	{0x11941, 0x11941, prOLetter}, // Lo       DIVES AKURU INITIAL RA
+	{0x11942, 0x11942, prExtend},  // Mc       DIVES AKURU MEDIAL RA
+	{0x11943, 0x11943, prExtend},  // Mn       DIVES AKURU SIGN NUKTA
+	{0x11944, 0x11944, prSTerm},   // Po       DIVES AKURU DOUBLE DANDA
+	{0x11946, 0x11946, prSTerm},   // Po       DIVES AKURU END OF TEXT MARK
+	{0x11950, 0x11959, prNumeric}, // Nd  [10] DIVES AKURU DIGIT ZERO..DIVES AKURU DIGIT NINE
+	{0x119A0, 0x119A7, prOLetter}, // Lo   [8] NANDINAGARI LETTER A..NANDINAGARI LETTER VOCALIC RR
+	{0x119AA, 0x119D0, prOLetter}, // Lo  [39] NANDINAGARI LETTER E..NANDINAGARI LETTER RRA
+	{0x119D1, 0x119D3, prExtend},  // Mc   [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II
+	{0x119D4, 0x119D7, prExtend},  // Mn   [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR
+	{0x119DA, 0x119DB, prExtend},  // Mn   [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI
+	{0x119DC, 0x119DF, prExtend},  // Mc   [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA
+	{0x119E0, 0x119E0, prExtend},  // Mn       NANDINAGARI SIGN VIRAMA
+	{0x119E1, 0x119E1, prOLetter}, // Lo       NANDINAGARI SIGN AVAGRAHA
+	{0x119E3, 0x119E3, prOLetter}, // Lo       NANDINAGARI HEADSTROKE
+	{0x119E4, 0x119E4, prExtend},  // Mc       NANDINAGARI VOWEL SIGN PRISHTHAMATRA E
+	{0x11A00, 0x11A00, prOLetter}, // Lo       ZANABAZAR SQUARE LETTER A
+	{0x11A01, 0x11A0A, prExtend},  // Mn  [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK
+	{0x11A0B, 0x11A32, prOLetter}, // Lo  [40] ZANABAZAR SQUARE LETTER KA..ZANABAZAR SQUARE LETTER KSSA
+	{0x11A33, 0x11A38, prExtend},  // Mn   [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA
+	{0x11A39, 0x11A39, prExtend},  // Mc       ZANABAZAR SQUARE SIGN VISARGA
+	{0x11A3A, 0x11A3A, prOLetter}, // Lo       ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA
+	{0x11A3B, 0x11A3E, prExtend},  // Mn   [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA
+	{0x11A42, 0x11A43, prSTerm},   // Po   [2] ZANABAZAR SQUARE MARK SHAD..ZANABAZAR SQUARE MARK DOUBLE SHAD
+	{0x11A47, 0x11A47, prExtend},  // Mn       ZANABAZAR SQUARE SUBJOINER
+	{0x11A50, 0x11A50, prOLetter}, // Lo       SOYOMBO LETTER A
+	{0x11A51, 0x11A56, prExtend},  // Mn   [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE
+	{0x11A57, 0x11A58, prExtend},  // Mc   [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU
+	{0x11A59, 0x11A5B, prExtend},  // Mn   [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK
+	{0x11A5C, 0x11A89, prOLetter}, // Lo  [46] SOYOMBO LETTER KA..SOYOMBO CLUSTER-INITIAL LETTER SA
+	{0x11A8A, 0x11A96, prExtend},  // Mn  [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA
+	{0x11A97, 0x11A97, prExtend},  // Mc       SOYOMBO SIGN VISARGA
+	{0x11A98, 0x11A99, prExtend},  // Mn   [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER
+	{0x11A9B, 0x11A9C, prSTerm},   // Po   [2] SOYOMBO MARK SHAD..SOYOMBO MARK DOUBLE SHAD
+	{0x11A9D, 0x11A9D, prOLetter}, // Lo       SOYOMBO MARK PLUTA
+	{0x11AB0, 0x11AF8, prOLetter}, // Lo  [73] CANADIAN SYLLABICS NATTILIK HI..PAU CIN HAU GLOTTAL STOP FINAL
+	{0x11C00, 0x11C08, prOLetter}, // Lo   [9] BHAIKSUKI LETTER A..BHAIKSUKI LETTER VOCALIC L
+	{0x11C0A, 0x11C2E, prOLetter}, // Lo  [37] BHAIKSUKI LETTER E..BHAIKSUKI LETTER HA
+	{0x11C2F, 0x11C2F, prExtend},  // Mc       BHAIKSUKI VOWEL SIGN AA
+	{0x11C30, 0x11C36, prExtend},  // Mn   [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L
+	{0x11C38, 0x11C3D, prExtend},  // Mn   [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA
+	{0x11C3E, 0x11C3E, prExtend},  // Mc       BHAIKSUKI SIGN VISARGA
+	{0x11C3F, 0x11C3F, prExtend},  // Mn       BHAIKSUKI SIGN VIRAMA
+	{0x11C40, 0x11C40, prOLetter}, // Lo       BHAIKSUKI SIGN AVAGRAHA
+	{0x11C41, 0x11C42, prSTerm},   // Po   [2] BHAIKSUKI DANDA..BHAIKSUKI DOUBLE DANDA
+	{0x11C50, 0x11C59, prNumeric}, // Nd  [10] BHAIKSUKI DIGIT ZERO..BHAIKSUKI DIGIT NINE
+	{0x11C72, 0x11C8F, prOLetter}, // Lo  [30] MARCHEN LETTER KA..MARCHEN LETTER A
+	{0x11C92, 0x11CA7, prExtend},  // Mn  [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA
+	{0x11CA9, 0x11CA9, prExtend},  // Mc       MARCHEN SUBJOINED LETTER YA
+	{0x11CAA, 0x11CB0, prExtend},  // Mn   [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA
+	{0x11CB1, 0x11CB1, prExtend},  // Mc       MARCHEN VOWEL SIGN I
+	{0x11CB2, 0x11CB3, prExtend},  // Mn   [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E
+	{0x11CB4, 0x11CB4, prExtend},  // Mc       MARCHEN VOWEL SIGN O
+	{0x11CB5, 0x11CB6, prExtend},  // Mn   [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU
+	{0x11D00, 0x11D06, prOLetter}, // Lo   [7] MASARAM GONDI LETTER A..MASARAM GONDI LETTER E
+	{0x11D08, 0x11D09, prOLetter}, // Lo   [2] MASARAM GONDI LETTER AI..MASARAM GONDI LETTER O
+	{0x11D0B, 0x11D30, prOLetter}, // Lo  [38] MASARAM GONDI LETTER AU..MASARAM GONDI LETTER TRA
+	{0x11D31, 0x11D36, prExtend},  // Mn   [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R
+	{0x11D3A, 0x11D3A, prExtend},  // Mn       MASARAM GONDI VOWEL SIGN E
+	{0x11D3C, 0x11D3D, prExtend},  // Mn   [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O
+	{0x11D3F, 0x11D45, prExtend},  // Mn   [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA
+	{0x11D46, 0x11D46, prOLetter}, // Lo       MASARAM GONDI REPHA
+	{0x11D47, 0x11D47, prExtend},  // Mn       MASARAM GONDI RA-KARA
+	{0x11D50, 0x11D59, prNumeric}, // Nd  [10] MASARAM GONDI DIGIT ZERO..MASARAM GONDI DIGIT NINE
+	{0x11D60, 0x11D65, prOLetter}, // Lo   [6] GUNJALA GONDI LETTER A..GUNJALA GONDI LETTER UU
+	{0x11D67, 0x11D68, prOLetter}, // Lo   [2] GUNJALA GONDI LETTER EE..GUNJALA GONDI LETTER AI
+	{0x11D6A, 0x11D89, prOLetter}, // Lo  [32] GUNJALA GONDI LETTER OO..GUNJALA GONDI LETTER SA
+	{0x11D8A, 0x11D8E, prExtend},  // Mc   [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU
+	{0x11D90, 0x11D91, prExtend},  // Mn   [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI
+	{0x11D93, 0x11D94, prExtend},  // Mc   [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU
+	{0x11D95, 0x11D95, prExtend},  // Mn       GUNJALA GONDI SIGN ANUSVARA
+	{0x11D96, 0x11D96, prExtend},  // Mc       GUNJALA GONDI SIGN VISARGA
+	{0x11D97, 0x11D97, prExtend},  // Mn       GUNJALA GONDI VIRAMA
+	{0x11D98, 0x11D98, prOLetter}, // Lo       GUNJALA GONDI OM
+	{0x11DA0, 0x11DA9, prNumeric}, // Nd  [10] GUNJALA GONDI DIGIT ZERO..GUNJALA GONDI DIGIT NINE
+	{0x11EE0, 0x11EF2, prOLetter}, // Lo  [19] MAKASAR LETTER KA..MAKASAR ANGKA
+	{0x11EF3, 0x11EF4, prExtend},  // Mn   [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U
+	{0x11EF5, 0x11EF6, prExtend},  // Mc   [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O
+	{0x11EF7, 0x11EF8, prSTerm},   // Po   [2] MAKASAR PASSIMBANG..MAKASAR END OF SECTION
+	{0x11F00, 0x11F01, prExtend},  // Mn   [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA
+	{0x11F02, 0x11F02, prOLetter}, // Lo       KAWI SIGN REPHA
+	{0x11F03, 0x11F03, prExtend},  // Mc       KAWI SIGN VISARGA
+	{0x11F04, 0x11F10, prOLetter}, // Lo  [13] KAWI LETTER A..KAWI LETTER O
+	{0x11F12, 0x11F33, prOLetter}, // Lo  [34] KAWI LETTER KA..KAWI LETTER JNYA
+	{0x11F34, 0x11F35, prExtend},  // Mc   [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA
+	{0x11F36, 0x11F3A, prExtend},  // Mn   [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R
+	{0x11F3E, 0x11F3F, prExtend},  // Mc   [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI
+	{0x11F40, 0x11F40, prExtend},  // Mn       KAWI VOWEL SIGN EU
+	{0x11F41, 0x11F41, prExtend},  // Mc       KAWI SIGN KILLER
+	{0x11F42, 0x11F42, prExtend},  // Mn       KAWI CONJOINER
+	{0x11F43, 0x11F44, prSTerm},   // Po   [2] KAWI DANDA..KAWI DOUBLE DANDA
+	{0x11F50, 0x11F59, prNumeric}, // Nd  [10] KAWI DIGIT ZERO..KAWI DIGIT NINE
+	{0x11FB0, 0x11FB0, prOLetter}, // Lo       LISU LETTER YHA
+	{0x12000, 0x12399, prOLetter}, // Lo [922] CUNEIFORM SIGN A..CUNEIFORM SIGN U U
+	{0x12400, 0x1246E, prOLetter}, // Nl [111] CUNEIFORM NUMERIC SIGN TWO ASH..CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM
+	{0x12480, 0x12543, prOLetter}, // Lo [196] CUNEIFORM SIGN AB TIMES NUN TENU..CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU
+	{0x12F90, 0x12FF0, prOLetter}, // Lo  [97] CYPRO-MINOAN SIGN CM001..CYPRO-MINOAN SIGN CM114
+	{0x13000, 0x1342F, prOLetter}, // Lo [1072] EGYPTIAN HIEROGLYPH A001..EGYPTIAN HIEROGLYPH V011D
+	{0x13430, 0x1343F, prFormat},  // Cf  [16] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE
+	{0x13440, 0x13440, prExtend},  // Mn       EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY
+	{0x13441, 0x13446, prOLetter}, // Lo   [6] EGYPTIAN HIEROGLYPH FULL BLANK..EGYPTIAN HIEROGLYPH WIDE LOST SIGN
+	{0x13447, 0x13455, prExtend},  // Mn  [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED
+	{0x14400, 0x14646, prOLetter}, // Lo [583] ANATOLIAN HIEROGLYPH A001..ANATOLIAN HIEROGLYPH A530
+	{0x16800, 0x16A38, prOLetter}, // Lo [569] BAMUM LETTER PHASE-A NGKUE MFON..BAMUM LETTER PHASE-F VUEQ
+	{0x16A40, 0x16A5E, prOLetter}, // Lo  [31] MRO LETTER TA..MRO LETTER TEK
+	{0x16A60, 0x16A69, prNumeric}, // Nd  [10] MRO DIGIT ZERO..MRO DIGIT NINE
+	{0x16A6E, 0x16A6F, prSTerm},   // Po   [2] MRO DANDA..MRO DOUBLE DANDA
+	{0x16A70, 0x16ABE, prOLetter}, // Lo  [79] TANGSA LETTER OZ..TANGSA LETTER ZA
+	{0x16AC0, 0x16AC9, prNumeric}, // Nd  [10] TANGSA DIGIT ZERO..TANGSA DIGIT NINE
+	{0x16AD0, 0x16AED, prOLetter}, // Lo  [30] BASSA VAH LETTER ENNI..BASSA VAH LETTER I
+	{0x16AF0, 0x16AF4, prExtend},  // Mn   [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE
+	{0x16AF5, 0x16AF5, prSTerm},   // Po       BASSA VAH FULL STOP
+	{0x16B00, 0x16B2F, prOLetter}, // Lo  [48] PAHAWH HMONG VOWEL KEEB..PAHAWH HMONG CONSONANT CAU
+	{0x16B30, 0x16B36, prExtend},  // Mn   [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM
+	{0x16B37, 0x16B38, prSTerm},   // Po   [2] PAHAWH HMONG SIGN VOS THOM..PAHAWH HMONG SIGN VOS TSHAB CEEB
+	{0x16B40, 0x16B43, prOLetter}, // Lm   [4] PAHAWH HMONG SIGN VOS SEEV..PAHAWH HMONG SIGN IB YAM
+	{0x16B44, 0x16B44, prSTerm},   // Po       PAHAWH HMONG SIGN XAUS
+	{0x16B50, 0x16B59, prNumeric}, // Nd  [10] PAHAWH HMONG DIGIT ZERO..PAHAWH HMONG DIGIT NINE
+	{0x16B63, 0x16B77, prOLetter}, // Lo  [21] PAHAWH HMONG SIGN VOS LUB..PAHAWH HMONG SIGN CIM NRES TOS
+	{0x16B7D, 0x16B8F, prOLetter}, // Lo  [19] PAHAWH HMONG CLAN SIGN TSHEEJ..PAHAWH HMONG CLAN SIGN VWJ
+	{0x16E40, 0x16E5F, prUpper},   // L&  [32] MEDEFAIDRIN CAPITAL LETTER M..MEDEFAIDRIN CAPITAL LETTER Y
+	{0x16E60, 0x16E7F, prLower},   // L&  [32] MEDEFAIDRIN SMALL LETTER M..MEDEFAIDRIN SMALL LETTER Y
+	{0x16E98, 0x16E98, prSTerm},   // Po       MEDEFAIDRIN FULL STOP
+	{0x16F00, 0x16F4A, prOLetter}, // Lo  [75] MIAO LETTER PA..MIAO LETTER RTE
+	{0x16F4F, 0x16F4F, prExtend},  // Mn       MIAO SIGN CONSONANT MODIFIER BAR
+	{0x16F50, 0x16F50, prOLetter}, // Lo       MIAO LETTER NASALIZATION
+	{0x16F51, 0x16F87, prExtend},  // Mc  [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI
+	{0x16F8F, 0x16F92, prExtend},  // Mn   [4] MIAO TONE RIGHT..MIAO TONE BELOW
+	{0x16F93, 0x16F9F, prOLetter}, // Lm  [13] MIAO LETTER TONE-2..MIAO LETTER REFORMED TONE-8
+	{0x16FE0, 0x16FE1, prOLetter}, // Lm   [2] TANGUT ITERATION MARK..NUSHU ITERATION MARK
+	{0x16FE3, 0x16FE3, prOLetter}, // Lm       OLD CHINESE ITERATION MARK
+	{0x16FE4, 0x16FE4, prExtend},  // Mn       KHITAN SMALL SCRIPT FILLER
+	{0x16FF0, 0x16FF1, prExtend},  // Mc   [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY
+	{0x17000, 0x187F7, prOLetter}, // Lo [6136] TANGUT IDEOGRAPH-17000..TANGUT IDEOGRAPH-187F7
+	{0x18800, 0x18CD5, prOLetter}, // Lo [1238] TANGUT COMPONENT-001..KHITAN SMALL SCRIPT CHARACTER-18CD5
+	{0x18D00, 0x18D08, prOLetter}, // Lo   [9] TANGUT IDEOGRAPH-18D00..TANGUT IDEOGRAPH-18D08
+	{0x1AFF0, 0x1AFF3, prOLetter}, // Lm   [4] KATAKANA LETTER MINNAN TONE-2..KATAKANA LETTER MINNAN TONE-5
+	{0x1AFF5, 0x1AFFB, prOLetter}, // Lm   [7] KATAKANA LETTER MINNAN TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-5
+	{0x1AFFD, 0x1AFFE, prOLetter}, // Lm   [2] KATAKANA LETTER MINNAN NASALIZED TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-8
+	{0x1B000, 0x1B122, prOLetter}, // Lo [291] KATAKANA LETTER ARCHAIC E..KATAKANA LETTER ARCHAIC WU
+	{0x1B132, 0x1B132, prOLetter}, // Lo       HIRAGANA LETTER SMALL KO
+	{0x1B150, 0x1B152, prOLetter}, // Lo   [3] HIRAGANA LETTER SMALL WI..HIRAGANA LETTER SMALL WO
+	{0x1B155, 0x1B155, prOLetter}, // Lo       KATAKANA LETTER SMALL KO
+	{0x1B164, 0x1B167, prOLetter}, // Lo   [4] KATAKANA LETTER SMALL WI..KATAKANA LETTER SMALL N
+	{0x1B170, 0x1B2FB, prOLetter}, // Lo [396] NUSHU CHARACTER-1B170..NUSHU CHARACTER-1B2FB
+	{0x1BC00, 0x1BC6A, prOLetter}, // Lo [107] DUPLOYAN LETTER H..DUPLOYAN LETTER VOCALIC M
+	{0x1BC70, 0x1BC7C, prOLetter}, // Lo  [13] DUPLOYAN AFFIX LEFT HORIZONTAL SECANT..DUPLOYAN AFFIX ATTACHED TANGENT HOOK
+	{0x1BC80, 0x1BC88, prOLetter}, // Lo   [9] DUPLOYAN AFFIX HIGH ACUTE..DUPLOYAN AFFIX HIGH VERTICAL
+	{0x1BC90, 0x1BC99, prOLetter}, // Lo  [10] DUPLOYAN AFFIX LOW ACUTE..DUPLOYAN AFFIX LOW ARROW
+	{0x1BC9D, 0x1BC9E, prExtend},  // Mn   [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK
+	{0x1BC9F, 0x1BC9F, prSTerm},   // Po       DUPLOYAN PUNCTUATION CHINOOK FULL STOP
+	{0x1BCA0, 0x1BCA3, prFormat},  // Cf   [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP
+	{0x1CF00, 0x1CF2D, prExtend},  // Mn  [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT
+	{0x1CF30, 0x1CF46, prExtend},  // Mn  [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG
+	{0x1D165, 0x1D166, prExtend},  // Mc   [2] MUSICAL SYMBOL COMBINING STEM..MUSICAL SYMBOL COMBINING SPRECHGESANG STEM
+	{0x1D167, 0x1D169, prExtend},  // Mn   [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3
+	{0x1D16D, 0x1D172, prExtend},  // Mc   [6] MUSICAL SYMBOL COMBINING AUGMENTATION DOT..MUSICAL SYMBOL COMBINING FLAG-5
+	{0x1D173, 0x1D17A, prFormat},  // Cf   [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE
+	{0x1D17B, 0x1D182, prExtend},  // Mn   [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE
+	{0x1D185, 0x1D18B, prExtend},  // Mn   [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE
+	{0x1D1AA, 0x1D1AD, prExtend},  // Mn   [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO
+	{0x1D242, 0x1D244, prExtend},  // Mn   [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME
+	{0x1D400, 0x1D419, prUpper},   // L&  [26] MATHEMATICAL BOLD CAPITAL A..MATHEMATICAL BOLD CAPITAL Z
+	{0x1D41A, 0x1D433, prLower},   // L&  [26] MATHEMATICAL BOLD SMALL A..MATHEMATICAL BOLD SMALL Z
+	{0x1D434, 0x1D44D, prUpper},   // L&  [26] MATHEMATICAL ITALIC CAPITAL A..MATHEMATICAL ITALIC CAPITAL Z
+	{0x1D44E, 0x1D454, prLower},   // L&   [7] MATHEMATICAL ITALIC SMALL A..MATHEMATICAL ITALIC SMALL G
+	{0x1D456, 0x1D467, prLower},   // L&  [18] MATHEMATICAL ITALIC SMALL I..MATHEMATICAL ITALIC SMALL Z
+	{0x1D468, 0x1D481, prUpper},   // L&  [26] MATHEMATICAL BOLD ITALIC CAPITAL A..MATHEMATICAL BOLD ITALIC CAPITAL Z
+	{0x1D482, 0x1D49B, prLower},   // L&  [26] MATHEMATICAL BOLD ITALIC SMALL A..MATHEMATICAL BOLD ITALIC SMALL Z
+	{0x1D49C, 0x1D49C, prUpper},   // L&       MATHEMATICAL SCRIPT CAPITAL A
+	{0x1D49E, 0x1D49F, prUpper},   // L&   [2] MATHEMATICAL SCRIPT CAPITAL C..MATHEMATICAL SCRIPT CAPITAL D
+	{0x1D4A2, 0x1D4A2, prUpper},   // L&       MATHEMATICAL SCRIPT CAPITAL G
+	{0x1D4A5, 0x1D4A6, prUpper},   // L&   [2] MATHEMATICAL SCRIPT CAPITAL J..MATHEMATICAL SCRIPT CAPITAL K
+	{0x1D4A9, 0x1D4AC, prUpper},   // L&   [4] MATHEMATICAL SCRIPT CAPITAL N..MATHEMATICAL SCRIPT CAPITAL Q
+	{0x1D4AE, 0x1D4B5, prUpper},   // L&   [8] MATHEMATICAL SCRIPT CAPITAL S..MATHEMATICAL SCRIPT CAPITAL Z
+	{0x1D4B6, 0x1D4B9, prLower},   // L&   [4] MATHEMATICAL SCRIPT SMALL A..MATHEMATICAL SCRIPT SMALL D
+	{0x1D4BB, 0x1D4BB, prLower},   // L&       MATHEMATICAL SCRIPT SMALL F
+	{0x1D4BD, 0x1D4C3, prLower},   // L&   [7] MATHEMATICAL SCRIPT SMALL H..MATHEMATICAL SCRIPT SMALL N
+	{0x1D4C5, 0x1D4CF, prLower},   // L&  [11] MATHEMATICAL SCRIPT SMALL P..MATHEMATICAL SCRIPT SMALL Z
+	{0x1D4D0, 0x1D4E9, prUpper},   // L&  [26] MATHEMATICAL BOLD SCRIPT CAPITAL A..MATHEMATICAL BOLD SCRIPT CAPITAL Z
+	{0x1D4EA, 0x1D503, prLower},   // L&  [26] MATHEMATICAL BOLD SCRIPT SMALL A..MATHEMATICAL BOLD SCRIPT SMALL Z
+	{0x1D504, 0x1D505, prUpper},   // L&   [2] MATHEMATICAL FRAKTUR CAPITAL A..MATHEMATICAL FRAKTUR CAPITAL B
+	{0x1D507, 0x1D50A, prUpper},   // L&   [4] MATHEMATICAL FRAKTUR CAPITAL D..MATHEMATICAL FRAKTUR CAPITAL G
+	{0x1D50D, 0x1D514, prUpper},   // L&   [8] MATHEMATICAL FRAKTUR CAPITAL J..MATHEMATICAL FRAKTUR CAPITAL Q
+	{0x1D516, 0x1D51C, prUpper},   // L&   [7] MATHEMATICAL FRAKTUR CAPITAL S..MATHEMATICAL FRAKTUR CAPITAL Y
+	{0x1D51E, 0x1D537, prLower},   // L&  [26] MATHEMATICAL FRAKTUR SMALL A..MATHEMATICAL FRAKTUR SMALL Z
+	{0x1D538, 0x1D539, prUpper},   // L&   [2] MATHEMATICAL DOUBLE-STRUCK CAPITAL A..MATHEMATICAL DOUBLE-STRUCK CAPITAL B
+	{0x1D53B, 0x1D53E, prUpper},   // L&   [4] MATHEMATICAL DOUBLE-STRUCK CAPITAL D..MATHEMATICAL DOUBLE-STRUCK CAPITAL G
+	{0x1D540, 0x1D544, prUpper},   // L&   [5] MATHEMATICAL DOUBLE-STRUCK CAPITAL I..MATHEMATICAL DOUBLE-STRUCK CAPITAL M
+	{0x1D546, 0x1D546, prUpper},   // L&       MATHEMATICAL DOUBLE-STRUCK CAPITAL O
+	{0x1D54A, 0x1D550, prUpper},   // L&   [7] MATHEMATICAL DOUBLE-STRUCK CAPITAL S..MATHEMATICAL DOUBLE-STRUCK CAPITAL Y
+	{0x1D552, 0x1D56B, prLower},   // L&  [26] MATHEMATICAL DOUBLE-STRUCK SMALL A..MATHEMATICAL DOUBLE-STRUCK SMALL Z
+	{0x1D56C, 0x1D585, prUpper},   // L&  [26] MATHEMATICAL BOLD FRAKTUR CAPITAL A..MATHEMATICAL BOLD FRAKTUR CAPITAL Z
+	{0x1D586, 0x1D59F, prLower},   // L&  [26] MATHEMATICAL BOLD FRAKTUR SMALL A..MATHEMATICAL BOLD FRAKTUR SMALL Z
+	{0x1D5A0, 0x1D5B9, prUpper},   // L&  [26] MATHEMATICAL SANS-SERIF CAPITAL A..MATHEMATICAL SANS-SERIF CAPITAL Z
+	{0x1D5BA, 0x1D5D3, prLower},   // L&  [26] MATHEMATICAL SANS-SERIF SMALL A..MATHEMATICAL SANS-SERIF SMALL Z
+	{0x1D5D4, 0x1D5ED, prUpper},   // L&  [26] MATHEMATICAL SANS-SERIF BOLD CAPITAL A..MATHEMATICAL SANS-SERIF BOLD CAPITAL Z
+	{0x1D5EE, 0x1D607, prLower},   // L&  [26] MATHEMATICAL SANS-SERIF BOLD SMALL A..MATHEMATICAL SANS-SERIF BOLD SMALL Z
+	{0x1D608, 0x1D621, prUpper},   // L&  [26] MATHEMATICAL SANS-SERIF ITALIC CAPITAL A..MATHEMATICAL SANS-SERIF ITALIC CAPITAL Z
+	{0x1D622, 0x1D63B, prLower},   // L&  [26] MATHEMATICAL SANS-SERIF ITALIC SMALL A..MATHEMATICAL SANS-SERIF ITALIC SMALL Z
+	{0x1D63C, 0x1D655, prUpper},   // L&  [26] MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL A..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL Z
+	{0x1D656, 0x1D66F, prLower},   // L&  [26] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL A..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL Z
+	{0x1D670, 0x1D689, prUpper},   // L&  [26] MATHEMATICAL MONOSPACE CAPITAL A..MATHEMATICAL MONOSPACE CAPITAL Z
+	{0x1D68A, 0x1D6A5, prLower},   // L&  [28] MATHEMATICAL MONOSPACE SMALL A..MATHEMATICAL ITALIC SMALL DOTLESS J
+	{0x1D6A8, 0x1D6C0, prUpper},   // L&  [25] MATHEMATICAL BOLD CAPITAL ALPHA..MATHEMATICAL BOLD CAPITAL OMEGA
+	{0x1D6C2, 0x1D6DA, prLower},   // L&  [25] MATHEMATICAL BOLD SMALL ALPHA..MATHEMATICAL BOLD SMALL OMEGA
+	{0x1D6DC, 0x1D6E1, prLower},   // L&   [6] MATHEMATICAL BOLD EPSILON SYMBOL..MATHEMATICAL BOLD PI SYMBOL
+	{0x1D6E2, 0x1D6FA, prUpper},   // L&  [25] MATHEMATICAL ITALIC CAPITAL ALPHA..MATHEMATICAL ITALIC CAPITAL OMEGA
+	{0x1D6FC, 0x1D714, prLower},   // L&  [25] MATHEMATICAL ITALIC SMALL ALPHA..MATHEMATICAL ITALIC SMALL OMEGA
+	{0x1D716, 0x1D71B, prLower},   // L&   [6] MATHEMATICAL ITALIC EPSILON SYMBOL..MATHEMATICAL ITALIC PI SYMBOL
+	{0x1D71C, 0x1D734, prUpper},   // L&  [25] MATHEMATICAL BOLD ITALIC CAPITAL ALPHA..MATHEMATICAL BOLD ITALIC CAPITAL OMEGA
+	{0x1D736, 0x1D74E, prLower},   // L&  [25] MATHEMATICAL BOLD ITALIC SMALL ALPHA..MATHEMATICAL BOLD ITALIC SMALL OMEGA
+	{0x1D750, 0x1D755, prLower},   // L&   [6] MATHEMATICAL BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD ITALIC PI SYMBOL
+	{0x1D756, 0x1D76E, prUpper},   // L&  [25] MATHEMATICAL SANS-SERIF BOLD CAPITAL ALPHA..MATHEMATICAL SANS-SERIF BOLD CAPITAL OMEGA
+	{0x1D770, 0x1D788, prLower},   // L&  [25] MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD SMALL OMEGA
+	{0x1D78A, 0x1D78F, prLower},   // L&   [6] MATHEMATICAL SANS-SERIF BOLD EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD PI SYMBOL
+	{0x1D790, 0x1D7A8, prUpper},   // L&  [25] MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL OMEGA
+	{0x1D7AA, 0x1D7C2, prLower},   // L&  [25] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL OMEGA
+	{0x1D7C4, 0x1D7C9, prLower},   // L&   [6] MATHEMATICAL SANS-SERIF BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD ITALIC PI SYMBOL
+	{0x1D7CA, 0x1D7CA, prUpper},   // L&       MATHEMATICAL BOLD CAPITAL DIGAMMA
+	{0x1D7CB, 0x1D7CB, prLower},   // L&       MATHEMATICAL BOLD SMALL DIGAMMA
+	{0x1D7CE, 0x1D7FF, prNumeric}, // Nd  [50] MATHEMATICAL BOLD DIGIT ZERO..MATHEMATICAL MONOSPACE DIGIT NINE
+	{0x1DA00, 0x1DA36, prExtend},  // Mn  [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN
+	{0x1DA3B, 0x1DA6C, prExtend},  // Mn  [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT
+	{0x1DA75, 0x1DA75, prExtend},  // Mn       SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS
+	{0x1DA84, 0x1DA84, prExtend},  // Mn       SIGNWRITING LOCATION HEAD NECK
+	{0x1DA88, 0x1DA88, prSTerm},   // Po       SIGNWRITING FULL STOP
+	{0x1DA9B, 0x1DA9F, prExtend},  // Mn   [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6
+	{0x1DAA1, 0x1DAAF, prExtend},  // Mn  [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16
+	{0x1DF00, 0x1DF09, prLower},   // L&  [10] LATIN SMALL LETTER FENG DIGRAPH WITH TRILL..LATIN SMALL LETTER T WITH HOOK AND RETROFLEX HOOK
+	{0x1DF0A, 0x1DF0A, prOLetter}, // Lo       LATIN LETTER RETROFLEX CLICK WITH RETROFLEX HOOK
+	{0x1DF0B, 0x1DF1E, prLower},   // L&  [20] LATIN SMALL LETTER ESH WITH DOUBLE BAR..LATIN SMALL LETTER S WITH CURL
+	{0x1DF25, 0x1DF2A, prLower},   // L&   [6] LATIN SMALL LETTER D WITH MID-HEIGHT LEFT HOOK..LATIN SMALL LETTER T WITH MID-HEIGHT LEFT HOOK
+	{0x1E000, 0x1E006, prExtend},  // Mn   [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE
+	{0x1E008, 0x1E018, prExtend},  // Mn  [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU
+	{0x1E01B, 0x1E021, prExtend},  // Mn   [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI
+	{0x1E023, 0x1E024, prExtend},  // Mn   [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS
+	{0x1E026, 0x1E02A, prExtend},  // Mn   [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA
+	{0x1E030, 0x1E06D, prLower},   // Lm  [62] MODIFIER LETTER CYRILLIC SMALL A..MODIFIER LETTER CYRILLIC SMALL STRAIGHT U WITH STROKE
+	{0x1E08F, 0x1E08F, prExtend},  // Mn       COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
+	{0x1E100, 0x1E12C, prOLetter}, // Lo  [45] NYIAKENG PUACHUE HMONG LETTER MA..NYIAKENG PUACHUE HMONG LETTER W
+	{0x1E130, 0x1E136, prExtend},  // Mn   [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D
+	{0x1E137, 0x1E13D, prOLetter}, // Lm   [7] NYIAKENG PUACHUE HMONG SIGN FOR PERSON..NYIAKENG PUACHUE HMONG SYLLABLE LENGTHENER
+	{0x1E140, 0x1E149, prNumeric}, // Nd  [10] NYIAKENG PUACHUE HMONG DIGIT ZERO..NYIAKENG PUACHUE HMONG DIGIT NINE
+	{0x1E14E, 0x1E14E, prOLetter}, // Lo       NYIAKENG PUACHUE HMONG LOGOGRAM NYAJ
+	{0x1E290, 0x1E2AD, prOLetter}, // Lo  [30] TOTO LETTER PA..TOTO LETTER A
+	{0x1E2AE, 0x1E2AE, prExtend},  // Mn       TOTO SIGN RISING TONE
+	{0x1E2C0, 0x1E2EB, prOLetter}, // Lo  [44] WANCHO LETTER AA..WANCHO LETTER YIH
+	{0x1E2EC, 0x1E2EF, prExtend},  // Mn   [4] WANCHO TONE TUP..WANCHO TONE KOINI
+	{0x1E2F0, 0x1E2F9, prNumeric}, // Nd  [10] WANCHO DIGIT ZERO..WANCHO DIGIT NINE
+	{0x1E4D0, 0x1E4EA, prOLetter}, // Lo  [27] NAG MUNDARI LETTER O..NAG MUNDARI LETTER ELL
+	{0x1E4EB, 0x1E4EB, prOLetter}, // Lm       NAG MUNDARI SIGN OJOD
+	{0x1E4EC, 0x1E4EF, prExtend},  // Mn   [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH
+	{0x1E4F0, 0x1E4F9, prNumeric}, // Nd  [10] NAG MUNDARI DIGIT ZERO..NAG MUNDARI DIGIT NINE
+	{0x1E7E0, 0x1E7E6, prOLetter}, // Lo   [7] ETHIOPIC SYLLABLE HHYA..ETHIOPIC SYLLABLE HHYO
+	{0x1E7E8, 0x1E7EB, prOLetter}, // Lo   [4] ETHIOPIC SYLLABLE GURAGE HHWA..ETHIOPIC SYLLABLE HHWE
+	{0x1E7ED, 0x1E7EE, prOLetter}, // Lo   [2] ETHIOPIC SYLLABLE GURAGE MWI..ETHIOPIC SYLLABLE GURAGE MWEE
+	{0x1E7F0, 0x1E7FE, prOLetter}, // Lo  [15] ETHIOPIC SYLLABLE GURAGE QWI..ETHIOPIC SYLLABLE GURAGE PWEE
+	{0x1E800, 0x1E8C4, prOLetter}, // Lo [197] MENDE KIKAKUI SYLLABLE M001 KI..MENDE KIKAKUI SYLLABLE M060 NYON
+	{0x1E8D0, 0x1E8D6, prExtend},  // Mn   [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS
+	{0x1E900, 0x1E921, prUpper},   // L&  [34] ADLAM CAPITAL LETTER ALIF..ADLAM CAPITAL LETTER SHA
+	{0x1E922, 0x1E943, prLower},   // L&  [34] ADLAM SMALL LETTER ALIF..ADLAM SMALL LETTER SHA
+	{0x1E944, 0x1E94A, prExtend},  // Mn   [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA
+	{0x1E94B, 0x1E94B, prOLetter}, // Lm       ADLAM NASALIZATION MARK
+	{0x1E950, 0x1E959, prNumeric}, // Nd  [10] ADLAM DIGIT ZERO..ADLAM DIGIT NINE
+	{0x1EE00, 0x1EE03, prOLetter}, // Lo   [4] ARABIC MATHEMATICAL ALEF..ARABIC MATHEMATICAL DAL
+	{0x1EE05, 0x1EE1F, prOLetter}, // Lo  [27] ARABIC MATHEMATICAL WAW..ARABIC MATHEMATICAL DOTLESS QAF
+	{0x1EE21, 0x1EE22, prOLetter}, // Lo   [2] ARABIC MATHEMATICAL INITIAL BEH..ARABIC MATHEMATICAL INITIAL JEEM
+	{0x1EE24, 0x1EE24, prOLetter}, // Lo       ARABIC MATHEMATICAL INITIAL HEH
+	{0x1EE27, 0x1EE27, prOLetter}, // Lo       ARABIC MATHEMATICAL INITIAL HAH
+	{0x1EE29, 0x1EE32, prOLetter}, // Lo  [10] ARABIC MATHEMATICAL INITIAL YEH..ARABIC MATHEMATICAL INITIAL QAF
+	{0x1EE34, 0x1EE37, prOLetter}, // Lo   [4] ARABIC MATHEMATICAL INITIAL SHEEN..ARABIC MATHEMATICAL INITIAL KHAH
+	{0x1EE39, 0x1EE39, prOLetter}, // Lo       ARABIC MATHEMATICAL INITIAL DAD
+	{0x1EE3B, 0x1EE3B, prOLetter}, // Lo       ARABIC MATHEMATICAL INITIAL GHAIN
+	{0x1EE42, 0x1EE42, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED JEEM
+	{0x1EE47, 0x1EE47, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED HAH
+	{0x1EE49, 0x1EE49, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED YEH
+	{0x1EE4B, 0x1EE4B, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED LAM
+	{0x1EE4D, 0x1EE4F, prOLetter}, // Lo   [3] ARABIC MATHEMATICAL TAILED NOON..ARABIC MATHEMATICAL TAILED AIN
+	{0x1EE51, 0x1EE52, prOLetter}, // Lo   [2] ARABIC MATHEMATICAL TAILED SAD..ARABIC MATHEMATICAL TAILED QAF
+	{0x1EE54, 0x1EE54, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED SHEEN
+	{0x1EE57, 0x1EE57, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED KHAH
+	{0x1EE59, 0x1EE59, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED DAD
+	{0x1EE5B, 0x1EE5B, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED GHAIN
+	{0x1EE5D, 0x1EE5D, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED DOTLESS NOON
+	{0x1EE5F, 0x1EE5F, prOLetter}, // Lo       ARABIC MATHEMATICAL TAILED DOTLESS QAF
+	{0x1EE61, 0x1EE62, prOLetter}, // Lo   [2] ARABIC MATHEMATICAL STRETCHED BEH..ARABIC MATHEMATICAL STRETCHED JEEM
+	{0x1EE64, 0x1EE64, prOLetter}, // Lo       ARABIC MATHEMATICAL STRETCHED HEH
+	{0x1EE67, 0x1EE6A, prOLetter}, // Lo   [4] ARABIC MATHEMATICAL STRETCHED HAH..ARABIC MATHEMATICAL STRETCHED KAF
+	{0x1EE6C, 0x1EE72, prOLetter}, // Lo   [7] ARABIC MATHEMATICAL STRETCHED MEEM..ARABIC MATHEMATICAL STRETCHED QAF
+	{0x1EE74, 0x1EE77, prOLetter}, // Lo   [4] ARABIC MATHEMATICAL STRETCHED SHEEN..ARABIC MATHEMATICAL STRETCHED KHAH
+	{0x1EE79, 0x1EE7C, prOLetter}, // Lo   [4] ARABIC MATHEMATICAL STRETCHED DAD..ARABIC MATHEMATICAL STRETCHED DOTLESS BEH
+	{0x1EE7E, 0x1EE7E, prOLetter}, // Lo       ARABIC MATHEMATICAL STRETCHED DOTLESS FEH
+	{0x1EE80, 0x1EE89, prOLetter}, // Lo  [10] ARABIC MATHEMATICAL LOOPED ALEF..ARABIC MATHEMATICAL LOOPED YEH
+	{0x1EE8B, 0x1EE9B, prOLetter}, // Lo  [17] ARABIC MATHEMATICAL LOOPED LAM..ARABIC MATHEMATICAL LOOPED GHAIN
+	{0x1EEA1, 0x1EEA3, prOLetter}, // Lo   [3] ARABIC MATHEMATICAL DOUBLE-STRUCK BEH..ARABIC MATHEMATICAL DOUBLE-STRUCK DAL
+	{0x1EEA5, 0x1EEA9, prOLetter}, // Lo   [5] ARABIC MATHEMATICAL DOUBLE-STRUCK WAW..ARABIC MATHEMATICAL DOUBLE-STRUCK YEH
+	{0x1EEAB, 0x1EEBB, prOLetter}, // Lo  [17] ARABIC MATHEMATICAL DOUBLE-STRUCK LAM..ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN
+	{0x1F130, 0x1F149, prUpper},   // So  [26] SQUARED LATIN CAPITAL LETTER A..SQUARED LATIN CAPITAL LETTER Z
+	{0x1F150, 0x1F169, prUpper},   // So  [26] NEGATIVE CIRCLED LATIN CAPITAL LETTER A..NEGATIVE CIRCLED LATIN CAPITAL LETTER Z
+	{0x1F170, 0x1F189, prUpper},   // So  [26] NEGATIVE SQUARED LATIN CAPITAL LETTER A..NEGATIVE SQUARED LATIN CAPITAL LETTER Z
+	{0x1F676, 0x1F678, prClose},   // So   [3] SANS-SERIF HEAVY DOUBLE TURNED COMMA QUOTATION MARK ORNAMENT..SANS-SERIF HEAVY LOW DOUBLE COMMA QUOTATION MARK ORNAMENT
+	{0x1FBF0, 0x1FBF9, prNumeric}, // Nd  [10] SEGMENTED DIGIT ZERO..SEGMENTED DIGIT NINE
+	{0x20000, 0x2A6DF, prOLetter}, // Lo [42720] CJK UNIFIED IDEOGRAPH-20000..CJK UNIFIED IDEOGRAPH-2A6DF
+	{0x2A700, 0x2B739, prOLetter}, // Lo [4154] CJK UNIFIED IDEOGRAPH-2A700..CJK UNIFIED IDEOGRAPH-2B739
+	{0x2B740, 0x2B81D, prOLetter}, // Lo [222] CJK UNIFIED IDEOGRAPH-2B740..CJK UNIFIED IDEOGRAPH-2B81D
+	{0x2B820, 0x2CEA1, prOLetter}, // Lo [5762] CJK UNIFIED IDEOGRAPH-2B820..CJK UNIFIED IDEOGRAPH-2CEA1
+	{0x2CEB0, 0x2EBE0, prOLetter}, // Lo [7473] CJK UNIFIED IDEOGRAPH-2CEB0..CJK UNIFIED IDEOGRAPH-2EBE0
+	{0x2F800, 0x2FA1D, prOLetter}, // Lo [542] CJK COMPATIBILITY IDEOGRAPH-2F800..CJK COMPATIBILITY IDEOGRAPH-2FA1D
+	{0x30000, 0x3134A, prOLetter}, // Lo [4939] CJK UNIFIED IDEOGRAPH-30000..CJK UNIFIED IDEOGRAPH-3134A
+	{0x31350, 0x323AF, prOLetter}, // Lo [4192] CJK UNIFIED IDEOGRAPH-31350..CJK UNIFIED IDEOGRAPH-323AF
+	{0xE0001, 0xE0001, prFormat},  // Cf       LANGUAGE TAG
+	{0xE0020, 0xE007F, prExtend},  // Cf  [96] TAG SPACE..CANCEL TAG
+	{0xE0100, 0xE01EF, prExtend},  // Mn [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256
+}
diff --git a/vendor/github.com/rivo/uniseg/sentencerules.go b/vendor/github.com/rivo/uniseg/sentencerules.go
new file mode 100644
index 0000000000..0b29c7bdb8
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/sentencerules.go
@@ -0,0 +1,276 @@
+package uniseg
+
+import "unicode/utf8"
+
+// The states of the sentence break parser.
+const (
+	sbAny = iota
+	sbCR
+	sbParaSep
+	sbATerm
+	sbUpper
+	sbLower
+	sbSB7
+	sbSB8Close
+	sbSB8Sp
+	sbSTerm
+	sbSB8aClose
+	sbSB8aSp
+)
+
+// sbTransitions implements the sentence break parser's state transitions. It's
+// anologous to [grTransitions], see comments there for details.
+//
+// Unicode version 15.0.0.
+func sbTransitions(state, prop int) (newState int, sentenceBreak bool, rule int) {
+	switch uint64(state) | uint64(prop)<<32 {
+	// SB3.
+	case sbAny | prCR<<32:
+		return sbCR, false, 9990
+	case sbCR | prLF<<32:
+		return sbParaSep, false, 30
+
+	// SB4.
+	case sbAny | prSep<<32:
+		return sbParaSep, false, 9990
+	case sbAny | prLF<<32:
+		return sbParaSep, false, 9990
+	case sbParaSep | prAny<<32:
+		return sbAny, true, 40
+	case sbCR | prAny<<32:
+		return sbAny, true, 40
+
+	// SB6.
+	case sbAny | prATerm<<32:
+		return sbATerm, false, 9990
+	case sbATerm | prNumeric<<32:
+		return sbAny, false, 60
+	case sbSB7 | prNumeric<<32:
+		return sbAny, false, 60 // Because ATerm also appears in SB7.
+
+	// SB7.
+	case sbAny | prUpper<<32:
+		return sbUpper, false, 9990
+	case sbAny | prLower<<32:
+		return sbLower, false, 9990
+	case sbUpper | prATerm<<32:
+		return sbSB7, false, 70
+	case sbLower | prATerm<<32:
+		return sbSB7, false, 70
+	case sbSB7 | prUpper<<32:
+		return sbUpper, false, 70
+
+	// SB8a.
+	case sbAny | prSTerm<<32:
+		return sbSTerm, false, 9990
+	case sbATerm | prSContinue<<32:
+		return sbAny, false, 81
+	case sbATerm | prATerm<<32:
+		return sbATerm, false, 81
+	case sbATerm | prSTerm<<32:
+		return sbSTerm, false, 81
+	case sbSB7 | prSContinue<<32:
+		return sbAny, false, 81
+	case sbSB7 | prATerm<<32:
+		return sbATerm, false, 81
+	case sbSB7 | prSTerm<<32:
+		return sbSTerm, false, 81
+	case sbSB8Close | prSContinue<<32:
+		return sbAny, false, 81
+	case sbSB8Close | prATerm<<32:
+		return sbATerm, false, 81
+	case sbSB8Close | prSTerm<<32:
+		return sbSTerm, false, 81
+	case sbSB8Sp | prSContinue<<32:
+		return sbAny, false, 81
+	case sbSB8Sp | prATerm<<32:
+		return sbATerm, false, 81
+	case sbSB8Sp | prSTerm<<32:
+		return sbSTerm, false, 81
+	case sbSTerm | prSContinue<<32:
+		return sbAny, false, 81
+	case sbSTerm | prATerm<<32:
+		return sbATerm, false, 81
+	case sbSTerm | prSTerm<<32:
+		return sbSTerm, false, 81
+	case sbSB8aClose | prSContinue<<32:
+		return sbAny, false, 81
+	case sbSB8aClose | prATerm<<32:
+		return sbATerm, false, 81
+	case sbSB8aClose | prSTerm<<32:
+		return sbSTerm, false, 81
+	case sbSB8aSp | prSContinue<<32:
+		return sbAny, false, 81
+	case sbSB8aSp | prATerm<<32:
+		return sbATerm, false, 81
+	case sbSB8aSp | prSTerm<<32:
+		return sbSTerm, false, 81
+
+	// SB9.
+	case sbATerm | prClose<<32:
+		return sbSB8Close, false, 90
+	case sbSB7 | prClose<<32:
+		return sbSB8Close, false, 90
+	case sbSB8Close | prClose<<32:
+		return sbSB8Close, false, 90
+	case sbATerm | prSp<<32:
+		return sbSB8Sp, false, 90
+	case sbSB7 | prSp<<32:
+		return sbSB8Sp, false, 90
+	case sbSB8Close | prSp<<32:
+		return sbSB8Sp, false, 90
+	case sbSTerm | prClose<<32:
+		return sbSB8aClose, false, 90
+	case sbSB8aClose | prClose<<32:
+		return sbSB8aClose, false, 90
+	case sbSTerm | prSp<<32:
+		return sbSB8aSp, false, 90
+	case sbSB8aClose | prSp<<32:
+		return sbSB8aSp, false, 90
+	case sbATerm | prSep<<32:
+		return sbParaSep, false, 90
+	case sbATerm | prCR<<32:
+		return sbParaSep, false, 90
+	case sbATerm | prLF<<32:
+		return sbParaSep, false, 90
+	case sbSB7 | prSep<<32:
+		return sbParaSep, false, 90
+	case sbSB7 | prCR<<32:
+		return sbParaSep, false, 90
+	case sbSB7 | prLF<<32:
+		return sbParaSep, false, 90
+	case sbSB8Close | prSep<<32:
+		return sbParaSep, false, 90
+	case sbSB8Close | prCR<<32:
+		return sbParaSep, false, 90
+	case sbSB8Close | prLF<<32:
+		return sbParaSep, false, 90
+	case sbSTerm | prSep<<32:
+		return sbParaSep, false, 90
+	case sbSTerm | prCR<<32:
+		return sbParaSep, false, 90
+	case sbSTerm | prLF<<32:
+		return sbParaSep, false, 90
+	case sbSB8aClose | prSep<<32:
+		return sbParaSep, false, 90
+	case sbSB8aClose | prCR<<32:
+		return sbParaSep, false, 90
+	case sbSB8aClose | prLF<<32:
+		return sbParaSep, false, 90
+
+	// SB10.
+	case sbSB8Sp | prSp<<32:
+		return sbSB8Sp, false, 100
+	case sbSB8aSp | prSp<<32:
+		return sbSB8aSp, false, 100
+	case sbSB8Sp | prSep<<32:
+		return sbParaSep, false, 100
+	case sbSB8Sp | prCR<<32:
+		return sbParaSep, false, 100
+	case sbSB8Sp | prLF<<32:
+		return sbParaSep, false, 100
+
+	// SB11.
+	case sbATerm | prAny<<32:
+		return sbAny, true, 110
+	case sbSB7 | prAny<<32:
+		return sbAny, true, 110
+	case sbSB8Close | prAny<<32:
+		return sbAny, true, 110
+	case sbSB8Sp | prAny<<32:
+		return sbAny, true, 110
+	case sbSTerm | prAny<<32:
+		return sbAny, true, 110
+	case sbSB8aClose | prAny<<32:
+		return sbAny, true, 110
+	case sbSB8aSp | prAny<<32:
+		return sbAny, true, 110
+	// We'll always break after ParaSep due to SB4.
+
+	default:
+		return -1, false, -1
+	}
+}
+
+// transitionSentenceBreakState determines the new state of the sentence break
+// parser given the current state and the next code point. It also returns
+// whether a sentence boundary was detected. If more than one code point is
+// needed to determine the new state, the byte slice or the string starting
+// after rune "r" can be used (whichever is not nil or empty) for further
+// lookups.
+func transitionSentenceBreakState(state int, r rune, b []byte, str string) (newState int, sentenceBreak bool) {
+	// Determine the property of the next character.
+	nextProperty := property(sentenceBreakCodePoints, r)
+
+	// SB5 (Replacing Ignore Rules).
+	if nextProperty == prExtend || nextProperty == prFormat {
+		if state == sbParaSep || state == sbCR {
+			return sbAny, true // Make sure we don't apply SB5 to SB3 or SB4.
+		}
+		if state < 0 {
+			return sbAny, true // SB1.
+		}
+		return state, false
+	}
+
+	// Find the applicable transition in the table.
+	var rule int
+	newState, sentenceBreak, rule = sbTransitions(state, nextProperty)
+	if newState < 0 {
+		// No specific transition found. Try the less specific ones.
+		anyPropState, anyPropProp, anyPropRule := sbTransitions(state, prAny)
+		anyStateState, anyStateProp, anyStateRule := sbTransitions(sbAny, nextProperty)
+		if anyPropState >= 0 && anyStateState >= 0 {
+			// Both apply. We'll use a mix (see comments for grTransitions).
+			newState, sentenceBreak, rule = anyStateState, anyStateProp, anyStateRule
+			if anyPropRule < anyStateRule {
+				sentenceBreak, rule = anyPropProp, anyPropRule
+			}
+		} else if anyPropState >= 0 {
+			// We only have a specific state.
+			newState, sentenceBreak, rule = anyPropState, anyPropProp, anyPropRule
+			// This branch will probably never be reached because okAnyState will
+			// always be true given the current transition map. But we keep it here
+			// for future modifications to the transition map where this may not be
+			// true anymore.
+		} else if anyStateState >= 0 {
+			// We only have a specific property.
+			newState, sentenceBreak, rule = anyStateState, anyStateProp, anyStateRule
+		} else {
+			// No known transition. SB999: Any × Any.
+			newState, sentenceBreak, rule = sbAny, false, 9990
+		}
+	}
+
+	// SB8.
+	if rule > 80 && (state == sbATerm || state == sbSB8Close || state == sbSB8Sp || state == sbSB7) {
+		// Check the right side of the rule.
+		var length int
+		for nextProperty != prOLetter &&
+			nextProperty != prUpper &&
+			nextProperty != prLower &&
+			nextProperty != prSep &&
+			nextProperty != prCR &&
+			nextProperty != prLF &&
+			nextProperty != prATerm &&
+			nextProperty != prSTerm {
+			// Move on to the next rune.
+			if b != nil { // Byte slice version.
+				r, length = utf8.DecodeRune(b)
+				b = b[length:]
+			} else { // String version.
+				r, length = utf8.DecodeRuneInString(str)
+				str = str[length:]
+			}
+			if r == utf8.RuneError {
+				break
+			}
+			nextProperty = property(sentenceBreakCodePoints, r)
+		}
+		if nextProperty == prLower {
+			return sbLower, false
+		}
+	}
+
+	return
+}
diff --git a/vendor/github.com/rivo/uniseg/step.go b/vendor/github.com/rivo/uniseg/step.go
new file mode 100644
index 0000000000..9b72c5e596
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/step.go
@@ -0,0 +1,242 @@
+package uniseg
+
+import "unicode/utf8"
+
+// The bit masks used to extract boundary information returned by [Step].
+const (
+	MaskLine     = 3
+	MaskWord     = 4
+	MaskSentence = 8
+)
+
+// The number of bits to shift the boundary information returned by [Step] to
+// obtain the monospace width of the grapheme cluster.
+const ShiftWidth = 4
+
+// The bit positions by which boundary flags are shifted by the [Step] function.
+// These must correspond to the Mask constants.
+const (
+	shiftWord     = 2
+	shiftSentence = 3
+	// shiftwWidth is ShiftWidth above. No mask as these are always the remaining bits.
+)
+
+// The bit positions by which states are shifted by the [Step] function. These
+// values must ensure state values defined for each of the boundary algorithms
+// don't overlap (and that they all still fit in a single int). These must
+// correspond to the Mask constants.
+const (
+	shiftWordState     = 4
+	shiftSentenceState = 9
+	shiftLineState     = 13
+	shiftPropState     = 21 // No mask as these are always the remaining bits.
+)
+
+// The bit mask used to extract the state returned by the [Step] function, after
+// shifting. These values must correspond to the shift constants.
+const (
+	maskGraphemeState = 0xf
+	maskWordState     = 0x1f
+	maskSentenceState = 0xf
+	maskLineState     = 0xff
+)
+
+// Step returns the first grapheme cluster (user-perceived character) found in
+// the given byte slice. It also returns information about the boundary between
+// that grapheme cluster and the one following it as well as the monospace width
+// of the grapheme cluster. There are three types of boundary information: word
+// boundaries, sentence boundaries, and line breaks. This function is therefore
+// a combination of [FirstGraphemeCluster], [FirstWord], [FirstSentence], and
+// [FirstLineSegment].
+//
+// The "boundaries" return value can be evaluated as follows:
+//
+//   - boundaries&MaskWord != 0: The boundary is a word boundary.
+//   - boundaries&MaskWord == 0: The boundary is not a word boundary.
+//   - boundaries&MaskSentence != 0: The boundary is a sentence boundary.
+//   - boundaries&MaskSentence == 0: The boundary is not a sentence boundary.
+//   - boundaries&MaskLine == LineDontBreak: You must not break the line at the
+//     boundary.
+//   - boundaries&MaskLine == LineMustBreak: You must break the line at the
+//     boundary.
+//   - boundaries&MaskLine == LineCanBreak: You may or may not break the line at
+//     the boundary.
+//   - boundaries >> ShiftWidth: The width of the grapheme cluster for most
+//     monospace fonts where a value of 1 represents one character cell.
+//
+// This function can be called continuously to extract all grapheme clusters
+// from a byte slice, as illustrated in the examples below.
+//
+// If you don't know which state to pass, for example when calling the function
+// for the first time, you must pass -1. For consecutive calls, pass the state
+// and rest slice returned by the previous call.
+//
+// The "rest" slice is the sub-slice of the original byte slice "b" starting
+// after the last byte of the identified grapheme cluster. If the length of the
+// "rest" slice is 0, the entire byte slice "b" has been processed. The
+// "cluster" byte slice is the sub-slice of the input slice containing the
+// first identified grapheme cluster.
+//
+// Given an empty byte slice "b", the function returns nil values.
+//
+// While slightly less convenient than using the Graphemes class, this function
+// has much better performance and makes no allocations. It lends itself well to
+// large byte slices.
+//
+// Note that in accordance with [UAX #14 LB3], the final segment will end with
+// a mandatory line break (boundaries&MaskLine == LineMustBreak). You can choose
+// to ignore this by checking if the length of the "rest" slice is 0 and calling
+// [HasTrailingLineBreak] or [HasTrailingLineBreakInString] on the last rune.
+//
+// [UAX #14 LB3]: https://www.unicode.org/reports/tr14/#Algorithm
+func Step(b []byte, state int) (cluster, rest []byte, boundaries int, newState int) {
+	// An empty byte slice returns nothing.
+	if len(b) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRune(b)
+	if len(b) <= length { // If we're already past the end, there is nothing else to parse.
+		var prop int
+		if state < 0 {
+			prop = propertyGraphemes(r)
+		} else {
+			prop = state >> shiftPropState
+		}
+		return b, nil, LineMustBreak | (1 << shiftWord) | (1 << shiftSentence) | (runeWidth(r, prop) << ShiftWidth), grAny | (wbAny << shiftWordState) | (sbAny << shiftSentenceState) | (lbAny << shiftLineState) | (prop << shiftPropState)
+	}
+
+	// If we don't know the state, determine it now.
+	var graphemeState, wordState, sentenceState, lineState, firstProp int
+	remainder := b[length:]
+	if state < 0 {
+		graphemeState, firstProp, _ = transitionGraphemeState(state, r)
+		wordState, _ = transitionWordBreakState(state, r, remainder, "")
+		sentenceState, _ = transitionSentenceBreakState(state, r, remainder, "")
+		lineState, _ = transitionLineBreakState(state, r, remainder, "")
+	} else {
+		graphemeState = state & maskGraphemeState
+		wordState = (state >> shiftWordState) & maskWordState
+		sentenceState = (state >> shiftSentenceState) & maskSentenceState
+		lineState = (state >> shiftLineState) & maskLineState
+		firstProp = state >> shiftPropState
+	}
+
+	// Transition until we find a grapheme cluster boundary.
+	width := runeWidth(r, firstProp)
+	for {
+		var (
+			graphemeBoundary, wordBoundary, sentenceBoundary bool
+			lineBreak, prop                                  int
+		)
+
+		r, l := utf8.DecodeRune(remainder)
+		remainder = b[length+l:]
+
+		graphemeState, prop, graphemeBoundary = transitionGraphemeState(graphemeState, r)
+		wordState, wordBoundary = transitionWordBreakState(wordState, r, remainder, "")
+		sentenceState, sentenceBoundary = transitionSentenceBreakState(sentenceState, r, remainder, "")
+		lineState, lineBreak = transitionLineBreakState(lineState, r, remainder, "")
+
+		if graphemeBoundary {
+			boundary := lineBreak | (width << ShiftWidth)
+			if wordBoundary {
+				boundary |= 1 << shiftWord
+			}
+			if sentenceBoundary {
+				boundary |= 1 << shiftSentence
+			}
+			return b[:length], b[length:], boundary, graphemeState | (wordState << shiftWordState) | (sentenceState << shiftSentenceState) | (lineState << shiftLineState) | (prop << shiftPropState)
+		}
+
+		if firstProp == prExtendedPictographic {
+			if r == vs15 {
+				width = 1
+			} else if r == vs16 {
+				width = 2
+			}
+		} else if firstProp != prRegionalIndicator && firstProp != prL {
+			width += runeWidth(r, prop)
+		}
+
+		length += l
+		if len(b) <= length {
+			return b, nil, LineMustBreak | (1 << shiftWord) | (1 << shiftSentence) | (width << ShiftWidth), grAny | (wbAny << shiftWordState) | (sbAny << shiftSentenceState) | (lbAny << shiftLineState) | (prop << shiftPropState)
+		}
+	}
+}
+
+// StepString is like [Step] but its input and outputs are strings.
+func StepString(str string, state int) (cluster, rest string, boundaries int, newState int) {
+	// An empty byte slice returns nothing.
+	if len(str) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRuneInString(str)
+	if len(str) <= length { // If we're already past the end, there is nothing else to parse.
+		prop := propertyGraphemes(r)
+		return str, "", LineMustBreak | (1 << shiftWord) | (1 << shiftSentence) | (runeWidth(r, prop) << ShiftWidth), grAny | (wbAny << shiftWordState) | (sbAny << shiftSentenceState) | (lbAny << shiftLineState)
+	}
+
+	// If we don't know the state, determine it now.
+	var graphemeState, wordState, sentenceState, lineState, firstProp int
+	remainder := str[length:]
+	if state < 0 {
+		graphemeState, firstProp, _ = transitionGraphemeState(state, r)
+		wordState, _ = transitionWordBreakState(state, r, nil, remainder)
+		sentenceState, _ = transitionSentenceBreakState(state, r, nil, remainder)
+		lineState, _ = transitionLineBreakState(state, r, nil, remainder)
+	} else {
+		graphemeState = state & maskGraphemeState
+		wordState = (state >> shiftWordState) & maskWordState
+		sentenceState = (state >> shiftSentenceState) & maskSentenceState
+		lineState = (state >> shiftLineState) & maskLineState
+		firstProp = state >> shiftPropState
+	}
+
+	// Transition until we find a grapheme cluster boundary.
+	width := runeWidth(r, firstProp)
+	for {
+		var (
+			graphemeBoundary, wordBoundary, sentenceBoundary bool
+			lineBreak, prop                                  int
+		)
+
+		r, l := utf8.DecodeRuneInString(remainder)
+		remainder = str[length+l:]
+
+		graphemeState, prop, graphemeBoundary = transitionGraphemeState(graphemeState, r)
+		wordState, wordBoundary = transitionWordBreakState(wordState, r, nil, remainder)
+		sentenceState, sentenceBoundary = transitionSentenceBreakState(sentenceState, r, nil, remainder)
+		lineState, lineBreak = transitionLineBreakState(lineState, r, nil, remainder)
+
+		if graphemeBoundary {
+			boundary := lineBreak | (width << ShiftWidth)
+			if wordBoundary {
+				boundary |= 1 << shiftWord
+			}
+			if sentenceBoundary {
+				boundary |= 1 << shiftSentence
+			}
+			return str[:length], str[length:], boundary, graphemeState | (wordState << shiftWordState) | (sentenceState << shiftSentenceState) | (lineState << shiftLineState) | (prop << shiftPropState)
+		}
+
+		if firstProp == prExtendedPictographic {
+			if r == vs15 {
+				width = 1
+			} else if r == vs16 {
+				width = 2
+			}
+		} else if firstProp != prRegionalIndicator && firstProp != prL {
+			width += runeWidth(r, prop)
+		}
+
+		length += l
+		if len(str) <= length {
+			return str, "", LineMustBreak | (1 << shiftWord) | (1 << shiftSentence) | (width << ShiftWidth), grAny | (wbAny << shiftWordState) | (sbAny << shiftSentenceState) | (lbAny << shiftLineState) | (prop << shiftPropState)
+		}
+	}
+}
diff --git a/vendor/github.com/rivo/uniseg/width.go b/vendor/github.com/rivo/uniseg/width.go
new file mode 100644
index 0000000000..975a9f1343
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/width.go
@@ -0,0 +1,61 @@
+package uniseg
+
+// EastAsianAmbiguousWidth specifies the monospace width for East Asian
+// characters classified as Ambiguous. The default is 1 but some rare fonts
+// render them with a width of 2.
+var EastAsianAmbiguousWidth = 1
+
+// runeWidth returns the monospace width for the given rune. The provided
+// grapheme property is a value mapped by the [graphemeCodePoints] table.
+//
+// Every rune has a width of 1, except for runes with the following properties
+// (evaluated in this order):
+//
+//   - Control, CR, LF, Extend, ZWJ: Width of 0
+//   - \u2e3a, TWO-EM DASH: Width of 3
+//   - \u2e3b, THREE-EM DASH: Width of 4
+//   - East-Asian width Fullwidth and Wide: Width of 2 (Ambiguous and Neutral
+//     have a width of 1)
+//   - Regional Indicator: Width of 2
+//   - Extended Pictographic: Width of 2, unless Emoji Presentation is "No".
+func runeWidth(r rune, graphemeProperty int) int {
+	switch graphemeProperty {
+	case prControl, prCR, prLF, prExtend, prZWJ:
+		return 0
+	case prRegionalIndicator:
+		return 2
+	case prExtendedPictographic:
+		if property(emojiPresentation, r) == prEmojiPresentation {
+			return 2
+		}
+		return 1
+	}
+
+	switch r {
+	case 0x2e3a:
+		return 3
+	case 0x2e3b:
+		return 4
+	}
+
+	switch propertyEastAsianWidth(r) {
+	case prW, prF:
+		return 2
+	case prA:
+		return EastAsianAmbiguousWidth
+	}
+
+	return 1
+}
+
+// StringWidth returns the monospace width for the given string, that is, the
+// number of same-size cells to be occupied by the string.
+func StringWidth(s string) (width int) {
+	state := -1
+	for len(s) > 0 {
+		var w int
+		_, s, w, state = FirstGraphemeClusterInString(s, state)
+		width += w
+	}
+	return
+}
diff --git a/vendor/github.com/rivo/uniseg/word.go b/vendor/github.com/rivo/uniseg/word.go
new file mode 100644
index 0000000000..34fba7f291
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/word.go
@@ -0,0 +1,89 @@
+package uniseg
+
+import "unicode/utf8"
+
+// FirstWord returns the first word found in the given byte slice according to
+// the rules of [Unicode Standard Annex #29, Word Boundaries]. This function can
+// be called continuously to extract all words from a byte slice, as illustrated
+// in the example below.
+//
+// If you don't know the current state, for example when calling the function
+// for the first time, you must pass -1. For consecutive calls, pass the state
+// and rest slice returned by the previous call.
+//
+// The "rest" slice is the sub-slice of the original byte slice "b" starting
+// after the last byte of the identified word. If the length of the "rest" slice
+// is 0, the entire byte slice "b" has been processed. The "word" byte slice is
+// the sub-slice of the input slice containing the identified word.
+//
+// Given an empty byte slice "b", the function returns nil values.
+//
+// [Unicode Standard Annex #29, Word Boundaries]: http://unicode.org/reports/tr29/#Word_Boundaries
+func FirstWord(b []byte, state int) (word, rest []byte, newState int) {
+	// An empty byte slice returns nothing.
+	if len(b) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRune(b)
+	if len(b) <= length { // If we're already past the end, there is nothing else to parse.
+		return b, nil, wbAny
+	}
+
+	// If we don't know the state, determine it now.
+	if state < 0 {
+		state, _ = transitionWordBreakState(state, r, b[length:], "")
+	}
+
+	// Transition until we find a boundary.
+	var boundary bool
+	for {
+		r, l := utf8.DecodeRune(b[length:])
+		state, boundary = transitionWordBreakState(state, r, b[length+l:], "")
+
+		if boundary {
+			return b[:length], b[length:], state
+		}
+
+		length += l
+		if len(b) <= length {
+			return b, nil, wbAny
+		}
+	}
+}
+
+// FirstWordInString is like [FirstWord] but its input and outputs are strings.
+func FirstWordInString(str string, state int) (word, rest string, newState int) {
+	// An empty byte slice returns nothing.
+	if len(str) == 0 {
+		return
+	}
+
+	// Extract the first rune.
+	r, length := utf8.DecodeRuneInString(str)
+	if len(str) <= length { // If we're already past the end, there is nothing else to parse.
+		return str, "", wbAny
+	}
+
+	// If we don't know the state, determine it now.
+	if state < 0 {
+		state, _ = transitionWordBreakState(state, r, nil, str[length:])
+	}
+
+	// Transition until we find a boundary.
+	var boundary bool
+	for {
+		r, l := utf8.DecodeRuneInString(str[length:])
+		state, boundary = transitionWordBreakState(state, r, nil, str[length+l:])
+
+		if boundary {
+			return str[:length], str[length:], state
+		}
+
+		length += l
+		if len(str) <= length {
+			return str, "", wbAny
+		}
+	}
+}
diff --git a/vendor/github.com/rivo/uniseg/wordproperties.go b/vendor/github.com/rivo/uniseg/wordproperties.go
new file mode 100644
index 0000000000..277ca10068
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/wordproperties.go
@@ -0,0 +1,1883 @@
+// Code generated via go generate from gen_properties.go. DO NOT EDIT.
+
+package uniseg
+
+// workBreakCodePoints are taken from
+// https://www.unicode.org/Public/15.0.0/ucd/auxiliary/WordBreakProperty.txt
+// and
+// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt
+// ("Extended_Pictographic" only)
+// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode
+// license agreement.
+var workBreakCodePoints = [][3]int{
+	{0x000A, 0x000A, prLF},                     // Cc       <control-000A>
+	{0x000B, 0x000C, prNewline},                // Cc   [2] <control-000B>..<control-000C>
+	{0x000D, 0x000D, prCR},                     // Cc       <control-000D>
+	{0x0020, 0x0020, prWSegSpace},              // Zs       SPACE
+	{0x0022, 0x0022, prDoubleQuote},            // Po       QUOTATION MARK
+	{0x0027, 0x0027, prSingleQuote},            // Po       APOSTROPHE
+	{0x002C, 0x002C, prMidNum},                 // Po       COMMA
+	{0x002E, 0x002E, prMidNumLet},              // Po       FULL STOP
+	{0x0030, 0x0039, prNumeric},                // Nd  [10] DIGIT ZERO..DIGIT NINE
+	{0x003A, 0x003A, prMidLetter},              // Po       COLON
+	{0x003B, 0x003B, prMidNum},                 // Po       SEMICOLON
+	{0x0041, 0x005A, prALetter},                // L&  [26] LATIN CAPITAL LETTER A..LATIN CAPITAL LETTER Z
+	{0x005F, 0x005F, prExtendNumLet},           // Pc       LOW LINE
+	{0x0061, 0x007A, prALetter},                // L&  [26] LATIN SMALL LETTER A..LATIN SMALL LETTER Z
+	{0x0085, 0x0085, prNewline},                // Cc       <control-0085>
+	{0x00A9, 0x00A9, prExtendedPictographic},   // E0.6   [1] (©�)       copyright
+	{0x00AA, 0x00AA, prALetter},                // Lo       FEMININE ORDINAL INDICATOR
+	{0x00AD, 0x00AD, prFormat},                 // Cf       SOFT HYPHEN
+	{0x00AE, 0x00AE, prExtendedPictographic},   // E0.6   [1] (®�)       registered
+	{0x00B5, 0x00B5, prALetter},                // L&       MICRO SIGN
+	{0x00B7, 0x00B7, prMidLetter},              // Po       MIDDLE DOT
+	{0x00BA, 0x00BA, prALetter},                // Lo       MASCULINE ORDINAL INDICATOR
+	{0x00C0, 0x00D6, prALetter},                // L&  [23] LATIN CAPITAL LETTER A WITH GRAVE..LATIN CAPITAL LETTER O WITH DIAERESIS
+	{0x00D8, 0x00F6, prALetter},                // L&  [31] LATIN CAPITAL LETTER O WITH STROKE..LATIN SMALL LETTER O WITH DIAERESIS
+	{0x00F8, 0x01BA, prALetter},                // L& [195] LATIN SMALL LETTER O WITH STROKE..LATIN SMALL LETTER EZH WITH TAIL
+	{0x01BB, 0x01BB, prALetter},                // Lo       LATIN LETTER TWO WITH STROKE
+	{0x01BC, 0x01BF, prALetter},                // L&   [4] LATIN CAPITAL LETTER TONE FIVE..LATIN LETTER WYNN
+	{0x01C0, 0x01C3, prALetter},                // Lo   [4] LATIN LETTER DENTAL CLICK..LATIN LETTER RETROFLEX CLICK
+	{0x01C4, 0x0293, prALetter},                // L& [208] LATIN CAPITAL LETTER DZ WITH CARON..LATIN SMALL LETTER EZH WITH CURL
+	{0x0294, 0x0294, prALetter},                // Lo       LATIN LETTER GLOTTAL STOP
+	{0x0295, 0x02AF, prALetter},                // L&  [27] LATIN LETTER PHARYNGEAL VOICED FRICATIVE..LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL
+	{0x02B0, 0x02C1, prALetter},                // Lm  [18] MODIFIER LETTER SMALL H..MODIFIER LETTER REVERSED GLOTTAL STOP
+	{0x02C2, 0x02C5, prALetter},                // Sk   [4] MODIFIER LETTER LEFT ARROWHEAD..MODIFIER LETTER DOWN ARROWHEAD
+	{0x02C6, 0x02D1, prALetter},                // Lm  [12] MODIFIER LETTER CIRCUMFLEX ACCENT..MODIFIER LETTER HALF TRIANGULAR COLON
+	{0x02D2, 0x02D7, prALetter},                // Sk   [6] MODIFIER LETTER CENTRED RIGHT HALF RING..MODIFIER LETTER MINUS SIGN
+	{0x02DE, 0x02DF, prALetter},                // Sk   [2] MODIFIER LETTER RHOTIC HOOK..MODIFIER LETTER CROSS ACCENT
+	{0x02E0, 0x02E4, prALetter},                // Lm   [5] MODIFIER LETTER SMALL GAMMA..MODIFIER LETTER SMALL REVERSED GLOTTAL STOP
+	{0x02E5, 0x02EB, prALetter},                // Sk   [7] MODIFIER LETTER EXTRA-HIGH TONE BAR..MODIFIER LETTER YANG DEPARTING TONE MARK
+	{0x02EC, 0x02EC, prALetter},                // Lm       MODIFIER LETTER VOICING
+	{0x02ED, 0x02ED, prALetter},                // Sk       MODIFIER LETTER UNASPIRATED
+	{0x02EE, 0x02EE, prALetter},                // Lm       MODIFIER LETTER DOUBLE APOSTROPHE
+	{0x02EF, 0x02FF, prALetter},                // Sk  [17] MODIFIER LETTER LOW DOWN ARROWHEAD..MODIFIER LETTER LOW LEFT ARROW
+	{0x0300, 0x036F, prExtend},                 // Mn [112] COMBINING GRAVE ACCENT..COMBINING LATIN SMALL LETTER X
+	{0x0370, 0x0373, prALetter},                // L&   [4] GREEK CAPITAL LETTER HETA..GREEK SMALL LETTER ARCHAIC SAMPI
+	{0x0374, 0x0374, prALetter},                // Lm       GREEK NUMERAL SIGN
+	{0x0376, 0x0377, prALetter},                // L&   [2] GREEK CAPITAL LETTER PAMPHYLIAN DIGAMMA..GREEK SMALL LETTER PAMPHYLIAN DIGAMMA
+	{0x037A, 0x037A, prALetter},                // Lm       GREEK YPOGEGRAMMENI
+	{0x037B, 0x037D, prALetter},                // L&   [3] GREEK SMALL REVERSED LUNATE SIGMA SYMBOL..GREEK SMALL REVERSED DOTTED LUNATE SIGMA SYMBOL
+	{0x037E, 0x037E, prMidNum},                 // Po       GREEK QUESTION MARK
+	{0x037F, 0x037F, prALetter},                // L&       GREEK CAPITAL LETTER YOT
+	{0x0386, 0x0386, prALetter},                // L&       GREEK CAPITAL LETTER ALPHA WITH TONOS
+	{0x0387, 0x0387, prMidLetter},              // Po       GREEK ANO TELEIA
+	{0x0388, 0x038A, prALetter},                // L&   [3] GREEK CAPITAL LETTER EPSILON WITH TONOS..GREEK CAPITAL LETTER IOTA WITH TONOS
+	{0x038C, 0x038C, prALetter},                // L&       GREEK CAPITAL LETTER OMICRON WITH TONOS
+	{0x038E, 0x03A1, prALetter},                // L&  [20] GREEK CAPITAL LETTER UPSILON WITH TONOS..GREEK CAPITAL LETTER RHO
+	{0x03A3, 0x03F5, prALetter},                // L&  [83] GREEK CAPITAL LETTER SIGMA..GREEK LUNATE EPSILON SYMBOL
+	{0x03F7, 0x0481, prALetter},                // L& [139] GREEK CAPITAL LETTER SHO..CYRILLIC SMALL LETTER KOPPA
+	{0x0483, 0x0487, prExtend},                 // Mn   [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE
+	{0x0488, 0x0489, prExtend},                 // Me   [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN
+	{0x048A, 0x052F, prALetter},                // L& [166] CYRILLIC CAPITAL LETTER SHORT I WITH TAIL..CYRILLIC SMALL LETTER EL WITH DESCENDER
+	{0x0531, 0x0556, prALetter},                // L&  [38] ARMENIAN CAPITAL LETTER AYB..ARMENIAN CAPITAL LETTER FEH
+	{0x0559, 0x0559, prALetter},                // Lm       ARMENIAN MODIFIER LETTER LEFT HALF RING
+	{0x055A, 0x055C, prALetter},                // Po   [3] ARMENIAN APOSTROPHE..ARMENIAN EXCLAMATION MARK
+	{0x055E, 0x055E, prALetter},                // Po       ARMENIAN QUESTION MARK
+	{0x055F, 0x055F, prMidLetter},              // Po       ARMENIAN ABBREVIATION MARK
+	{0x0560, 0x0588, prALetter},                // L&  [41] ARMENIAN SMALL LETTER TURNED AYB..ARMENIAN SMALL LETTER YI WITH STROKE
+	{0x0589, 0x0589, prMidNum},                 // Po       ARMENIAN FULL STOP
+	{0x058A, 0x058A, prALetter},                // Pd       ARMENIAN HYPHEN
+	{0x0591, 0x05BD, prExtend},                 // Mn  [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG
+	{0x05BF, 0x05BF, prExtend},                 // Mn       HEBREW POINT RAFE
+	{0x05C1, 0x05C2, prExtend},                 // Mn   [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT
+	{0x05C4, 0x05C5, prExtend},                 // Mn   [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT
+	{0x05C7, 0x05C7, prExtend},                 // Mn       HEBREW POINT QAMATS QATAN
+	{0x05D0, 0x05EA, prHebrewLetter},           // Lo  [27] HEBREW LETTER ALEF..HEBREW LETTER TAV
+	{0x05EF, 0x05F2, prHebrewLetter},           // Lo   [4] HEBREW YOD TRIANGLE..HEBREW LIGATURE YIDDISH DOUBLE YOD
+	{0x05F3, 0x05F3, prALetter},                // Po       HEBREW PUNCTUATION GERESH
+	{0x05F4, 0x05F4, prMidLetter},              // Po       HEBREW PUNCTUATION GERSHAYIM
+	{0x0600, 0x0605, prFormat},                 // Cf   [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE
+	{0x060C, 0x060D, prMidNum},                 // Po   [2] ARABIC COMMA..ARABIC DATE SEPARATOR
+	{0x0610, 0x061A, prExtend},                 // Mn  [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA
+	{0x061C, 0x061C, prFormat},                 // Cf       ARABIC LETTER MARK
+	{0x0620, 0x063F, prALetter},                // Lo  [32] ARABIC LETTER KASHMIRI YEH..ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE
+	{0x0640, 0x0640, prALetter},                // Lm       ARABIC TATWEEL
+	{0x0641, 0x064A, prALetter},                // Lo  [10] ARABIC LETTER FEH..ARABIC LETTER YEH
+	{0x064B, 0x065F, prExtend},                 // Mn  [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW
+	{0x0660, 0x0669, prNumeric},                // Nd  [10] ARABIC-INDIC DIGIT ZERO..ARABIC-INDIC DIGIT NINE
+	{0x066B, 0x066B, prNumeric},                // Po       ARABIC DECIMAL SEPARATOR
+	{0x066C, 0x066C, prMidNum},                 // Po       ARABIC THOUSANDS SEPARATOR
+	{0x066E, 0x066F, prALetter},                // Lo   [2] ARABIC LETTER DOTLESS BEH..ARABIC LETTER DOTLESS QAF
+	{0x0670, 0x0670, prExtend},                 // Mn       ARABIC LETTER SUPERSCRIPT ALEF
+	{0x0671, 0x06D3, prALetter},                // Lo  [99] ARABIC LETTER ALEF WASLA..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE
+	{0x06D5, 0x06D5, prALetter},                // Lo       ARABIC LETTER AE
+	{0x06D6, 0x06DC, prExtend},                 // Mn   [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN
+	{0x06DD, 0x06DD, prFormat},                 // Cf       ARABIC END OF AYAH
+	{0x06DF, 0x06E4, prExtend},                 // Mn   [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA
+	{0x06E5, 0x06E6, prALetter},                // Lm   [2] ARABIC SMALL WAW..ARABIC SMALL YEH
+	{0x06E7, 0x06E8, prExtend},                 // Mn   [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON
+	{0x06EA, 0x06ED, prExtend},                 // Mn   [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM
+	{0x06EE, 0x06EF, prALetter},                // Lo   [2] ARABIC LETTER DAL WITH INVERTED V..ARABIC LETTER REH WITH INVERTED V
+	{0x06F0, 0x06F9, prNumeric},                // Nd  [10] EXTENDED ARABIC-INDIC DIGIT ZERO..EXTENDED ARABIC-INDIC DIGIT NINE
+	{0x06FA, 0x06FC, prALetter},                // Lo   [3] ARABIC LETTER SHEEN WITH DOT BELOW..ARABIC LETTER GHAIN WITH DOT BELOW
+	{0x06FF, 0x06FF, prALetter},                // Lo       ARABIC LETTER HEH WITH INVERTED V
+	{0x070F, 0x070F, prFormat},                 // Cf       SYRIAC ABBREVIATION MARK
+	{0x0710, 0x0710, prALetter},                // Lo       SYRIAC LETTER ALAPH
+	{0x0711, 0x0711, prExtend},                 // Mn       SYRIAC LETTER SUPERSCRIPT ALAPH
+	{0x0712, 0x072F, prALetter},                // Lo  [30] SYRIAC LETTER BETH..SYRIAC LETTER PERSIAN DHALATH
+	{0x0730, 0x074A, prExtend},                 // Mn  [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH
+	{0x074D, 0x07A5, prALetter},                // Lo  [89] SYRIAC LETTER SOGDIAN ZHAIN..THAANA LETTER WAAVU
+	{0x07A6, 0x07B0, prExtend},                 // Mn  [11] THAANA ABAFILI..THAANA SUKUN
+	{0x07B1, 0x07B1, prALetter},                // Lo       THAANA LETTER NAA
+	{0x07C0, 0x07C9, prNumeric},                // Nd  [10] NKO DIGIT ZERO..NKO DIGIT NINE
+	{0x07CA, 0x07EA, prALetter},                // Lo  [33] NKO LETTER A..NKO LETTER JONA RA
+	{0x07EB, 0x07F3, prExtend},                 // Mn   [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE
+	{0x07F4, 0x07F5, prALetter},                // Lm   [2] NKO HIGH TONE APOSTROPHE..NKO LOW TONE APOSTROPHE
+	{0x07F8, 0x07F8, prMidNum},                 // Po       NKO COMMA
+	{0x07FA, 0x07FA, prALetter},                // Lm       NKO LAJANYALAN
+	{0x07FD, 0x07FD, prExtend},                 // Mn       NKO DANTAYALAN
+	{0x0800, 0x0815, prALetter},                // Lo  [22] SAMARITAN LETTER ALAF..SAMARITAN LETTER TAAF
+	{0x0816, 0x0819, prExtend},                 // Mn   [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH
+	{0x081A, 0x081A, prALetter},                // Lm       SAMARITAN MODIFIER LETTER EPENTHETIC YUT
+	{0x081B, 0x0823, prExtend},                 // Mn   [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A
+	{0x0824, 0x0824, prALetter},                // Lm       SAMARITAN MODIFIER LETTER SHORT A
+	{0x0825, 0x0827, prExtend},                 // Mn   [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U
+	{0x0828, 0x0828, prALetter},                // Lm       SAMARITAN MODIFIER LETTER I
+	{0x0829, 0x082D, prExtend},                 // Mn   [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA
+	{0x0840, 0x0858, prALetter},                // Lo  [25] MANDAIC LETTER HALQA..MANDAIC LETTER AIN
+	{0x0859, 0x085B, prExtend},                 // Mn   [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK
+	{0x0860, 0x086A, prALetter},                // Lo  [11] SYRIAC LETTER MALAYALAM NGA..SYRIAC LETTER MALAYALAM SSA
+	{0x0870, 0x0887, prALetter},                // Lo  [24] ARABIC LETTER ALEF WITH ATTACHED FATHA..ARABIC BASELINE ROUND DOT
+	{0x0889, 0x088E, prALetter},                // Lo   [6] ARABIC LETTER NOON WITH INVERTED SMALL V..ARABIC VERTICAL TAIL
+	{0x0890, 0x0891, prFormat},                 // Cf   [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE
+	{0x0898, 0x089F, prExtend},                 // Mn   [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA
+	{0x08A0, 0x08C8, prALetter},                // Lo  [41] ARABIC LETTER BEH WITH SMALL V BELOW..ARABIC LETTER GRAF
+	{0x08C9, 0x08C9, prALetter},                // Lm       ARABIC SMALL FARSI YEH
+	{0x08CA, 0x08E1, prExtend},                 // Mn  [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA
+	{0x08E2, 0x08E2, prFormat},                 // Cf       ARABIC DISPUTED END OF AYAH
+	{0x08E3, 0x0902, prExtend},                 // Mn  [32] ARABIC TURNED DAMMA BELOW..DEVANAGARI SIGN ANUSVARA
+	{0x0903, 0x0903, prExtend},                 // Mc       DEVANAGARI SIGN VISARGA
+	{0x0904, 0x0939, prALetter},                // Lo  [54] DEVANAGARI LETTER SHORT A..DEVANAGARI LETTER HA
+	{0x093A, 0x093A, prExtend},                 // Mn       DEVANAGARI VOWEL SIGN OE
+	{0x093B, 0x093B, prExtend},                 // Mc       DEVANAGARI VOWEL SIGN OOE
+	{0x093C, 0x093C, prExtend},                 // Mn       DEVANAGARI SIGN NUKTA
+	{0x093D, 0x093D, prALetter},                // Lo       DEVANAGARI SIGN AVAGRAHA
+	{0x093E, 0x0940, prExtend},                 // Mc   [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II
+	{0x0941, 0x0948, prExtend},                 // Mn   [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI
+	{0x0949, 0x094C, prExtend},                 // Mc   [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU
+	{0x094D, 0x094D, prExtend},                 // Mn       DEVANAGARI SIGN VIRAMA
+	{0x094E, 0x094F, prExtend},                 // Mc   [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW
+	{0x0950, 0x0950, prALetter},                // Lo       DEVANAGARI OM
+	{0x0951, 0x0957, prExtend},                 // Mn   [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE
+	{0x0958, 0x0961, prALetter},                // Lo  [10] DEVANAGARI LETTER QA..DEVANAGARI LETTER VOCALIC LL
+	{0x0962, 0x0963, prExtend},                 // Mn   [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL
+	{0x0966, 0x096F, prNumeric},                // Nd  [10] DEVANAGARI DIGIT ZERO..DEVANAGARI DIGIT NINE
+	{0x0971, 0x0971, prALetter},                // Lm       DEVANAGARI SIGN HIGH SPACING DOT
+	{0x0972, 0x0980, prALetter},                // Lo  [15] DEVANAGARI LETTER CANDRA A..BENGALI ANJI
+	{0x0981, 0x0981, prExtend},                 // Mn       BENGALI SIGN CANDRABINDU
+	{0x0982, 0x0983, prExtend},                 // Mc   [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA
+	{0x0985, 0x098C, prALetter},                // Lo   [8] BENGALI LETTER A..BENGALI LETTER VOCALIC L
+	{0x098F, 0x0990, prALetter},                // Lo   [2] BENGALI LETTER E..BENGALI LETTER AI
+	{0x0993, 0x09A8, prALetter},                // Lo  [22] BENGALI LETTER O..BENGALI LETTER NA
+	{0x09AA, 0x09B0, prALetter},                // Lo   [7] BENGALI LETTER PA..BENGALI LETTER RA
+	{0x09B2, 0x09B2, prALetter},                // Lo       BENGALI LETTER LA
+	{0x09B6, 0x09B9, prALetter},                // Lo   [4] BENGALI LETTER SHA..BENGALI LETTER HA
+	{0x09BC, 0x09BC, prExtend},                 // Mn       BENGALI SIGN NUKTA
+	{0x09BD, 0x09BD, prALetter},                // Lo       BENGALI SIGN AVAGRAHA
+	{0x09BE, 0x09C0, prExtend},                 // Mc   [3] BENGALI VOWEL SIGN AA..BENGALI VOWEL SIGN II
+	{0x09C1, 0x09C4, prExtend},                 // Mn   [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR
+	{0x09C7, 0x09C8, prExtend},                 // Mc   [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI
+	{0x09CB, 0x09CC, prExtend},                 // Mc   [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU
+	{0x09CD, 0x09CD, prExtend},                 // Mn       BENGALI SIGN VIRAMA
+	{0x09CE, 0x09CE, prALetter},                // Lo       BENGALI LETTER KHANDA TA
+	{0x09D7, 0x09D7, prExtend},                 // Mc       BENGALI AU LENGTH MARK
+	{0x09DC, 0x09DD, prALetter},                // Lo   [2] BENGALI LETTER RRA..BENGALI LETTER RHA
+	{0x09DF, 0x09E1, prALetter},                // Lo   [3] BENGALI LETTER YYA..BENGALI LETTER VOCALIC LL
+	{0x09E2, 0x09E3, prExtend},                 // Mn   [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL
+	{0x09E6, 0x09EF, prNumeric},                // Nd  [10] BENGALI DIGIT ZERO..BENGALI DIGIT NINE
+	{0x09F0, 0x09F1, prALetter},                // Lo   [2] BENGALI LETTER RA WITH MIDDLE DIAGONAL..BENGALI LETTER RA WITH LOWER DIAGONAL
+	{0x09FC, 0x09FC, prALetter},                // Lo       BENGALI LETTER VEDIC ANUSVARA
+	{0x09FE, 0x09FE, prExtend},                 // Mn       BENGALI SANDHI MARK
+	{0x0A01, 0x0A02, prExtend},                 // Mn   [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI
+	{0x0A03, 0x0A03, prExtend},                 // Mc       GURMUKHI SIGN VISARGA
+	{0x0A05, 0x0A0A, prALetter},                // Lo   [6] GURMUKHI LETTER A..GURMUKHI LETTER UU
+	{0x0A0F, 0x0A10, prALetter},                // Lo   [2] GURMUKHI LETTER EE..GURMUKHI LETTER AI
+	{0x0A13, 0x0A28, prALetter},                // Lo  [22] GURMUKHI LETTER OO..GURMUKHI LETTER NA
+	{0x0A2A, 0x0A30, prALetter},                // Lo   [7] GURMUKHI LETTER PA..GURMUKHI LETTER RA
+	{0x0A32, 0x0A33, prALetter},                // Lo   [2] GURMUKHI LETTER LA..GURMUKHI LETTER LLA
+	{0x0A35, 0x0A36, prALetter},                // Lo   [2] GURMUKHI LETTER VA..GURMUKHI LETTER SHA
+	{0x0A38, 0x0A39, prALetter},                // Lo   [2] GURMUKHI LETTER SA..GURMUKHI LETTER HA
+	{0x0A3C, 0x0A3C, prExtend},                 // Mn       GURMUKHI SIGN NUKTA
+	{0x0A3E, 0x0A40, prExtend},                 // Mc   [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II
+	{0x0A41, 0x0A42, prExtend},                 // Mn   [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU
+	{0x0A47, 0x0A48, prExtend},                 // Mn   [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI
+	{0x0A4B, 0x0A4D, prExtend},                 // Mn   [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA
+	{0x0A51, 0x0A51, prExtend},                 // Mn       GURMUKHI SIGN UDAAT
+	{0x0A59, 0x0A5C, prALetter},                // Lo   [4] GURMUKHI LETTER KHHA..GURMUKHI LETTER RRA
+	{0x0A5E, 0x0A5E, prALetter},                // Lo       GURMUKHI LETTER FA
+	{0x0A66, 0x0A6F, prNumeric},                // Nd  [10] GURMUKHI DIGIT ZERO..GURMUKHI DIGIT NINE
+	{0x0A70, 0x0A71, prExtend},                 // Mn   [2] GURMUKHI TIPPI..GURMUKHI ADDAK
+	{0x0A72, 0x0A74, prALetter},                // Lo   [3] GURMUKHI IRI..GURMUKHI EK ONKAR
+	{0x0A75, 0x0A75, prExtend},                 // Mn       GURMUKHI SIGN YAKASH
+	{0x0A81, 0x0A82, prExtend},                 // Mn   [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA
+	{0x0A83, 0x0A83, prExtend},                 // Mc       GUJARATI SIGN VISARGA
+	{0x0A85, 0x0A8D, prALetter},                // Lo   [9] GUJARATI LETTER A..GUJARATI VOWEL CANDRA E
+	{0x0A8F, 0x0A91, prALetter},                // Lo   [3] GUJARATI LETTER E..GUJARATI VOWEL CANDRA O
+	{0x0A93, 0x0AA8, prALetter},                // Lo  [22] GUJARATI LETTER O..GUJARATI LETTER NA
+	{0x0AAA, 0x0AB0, prALetter},                // Lo   [7] GUJARATI LETTER PA..GUJARATI LETTER RA
+	{0x0AB2, 0x0AB3, prALetter},                // Lo   [2] GUJARATI LETTER LA..GUJARATI LETTER LLA
+	{0x0AB5, 0x0AB9, prALetter},                // Lo   [5] GUJARATI LETTER VA..GUJARATI LETTER HA
+	{0x0ABC, 0x0ABC, prExtend},                 // Mn       GUJARATI SIGN NUKTA
+	{0x0ABD, 0x0ABD, prALetter},                // Lo       GUJARATI SIGN AVAGRAHA
+	{0x0ABE, 0x0AC0, prExtend},                 // Mc   [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II
+	{0x0AC1, 0x0AC5, prExtend},                 // Mn   [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E
+	{0x0AC7, 0x0AC8, prExtend},                 // Mn   [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI
+	{0x0AC9, 0x0AC9, prExtend},                 // Mc       GUJARATI VOWEL SIGN CANDRA O
+	{0x0ACB, 0x0ACC, prExtend},                 // Mc   [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU
+	{0x0ACD, 0x0ACD, prExtend},                 // Mn       GUJARATI SIGN VIRAMA
+	{0x0AD0, 0x0AD0, prALetter},                // Lo       GUJARATI OM
+	{0x0AE0, 0x0AE1, prALetter},                // Lo   [2] GUJARATI LETTER VOCALIC RR..GUJARATI LETTER VOCALIC LL
+	{0x0AE2, 0x0AE3, prExtend},                 // Mn   [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL
+	{0x0AE6, 0x0AEF, prNumeric},                // Nd  [10] GUJARATI DIGIT ZERO..GUJARATI DIGIT NINE
+	{0x0AF9, 0x0AF9, prALetter},                // Lo       GUJARATI LETTER ZHA
+	{0x0AFA, 0x0AFF, prExtend},                 // Mn   [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+	{0x0B01, 0x0B01, prExtend},                 // Mn       ORIYA SIGN CANDRABINDU
+	{0x0B02, 0x0B03, prExtend},                 // Mc   [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA
+	{0x0B05, 0x0B0C, prALetter},                // Lo   [8] ORIYA LETTER A..ORIYA LETTER VOCALIC L
+	{0x0B0F, 0x0B10, prALetter},                // Lo   [2] ORIYA LETTER E..ORIYA LETTER AI
+	{0x0B13, 0x0B28, prALetter},                // Lo  [22] ORIYA LETTER O..ORIYA LETTER NA
+	{0x0B2A, 0x0B30, prALetter},                // Lo   [7] ORIYA LETTER PA..ORIYA LETTER RA
+	{0x0B32, 0x0B33, prALetter},                // Lo   [2] ORIYA LETTER LA..ORIYA LETTER LLA
+	{0x0B35, 0x0B39, prALetter},                // Lo   [5] ORIYA LETTER VA..ORIYA LETTER HA
+	{0x0B3C, 0x0B3C, prExtend},                 // Mn       ORIYA SIGN NUKTA
+	{0x0B3D, 0x0B3D, prALetter},                // Lo       ORIYA SIGN AVAGRAHA
+	{0x0B3E, 0x0B3E, prExtend},                 // Mc       ORIYA VOWEL SIGN AA
+	{0x0B3F, 0x0B3F, prExtend},                 // Mn       ORIYA VOWEL SIGN I
+	{0x0B40, 0x0B40, prExtend},                 // Mc       ORIYA VOWEL SIGN II
+	{0x0B41, 0x0B44, prExtend},                 // Mn   [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR
+	{0x0B47, 0x0B48, prExtend},                 // Mc   [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI
+	{0x0B4B, 0x0B4C, prExtend},                 // Mc   [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU
+	{0x0B4D, 0x0B4D, prExtend},                 // Mn       ORIYA SIGN VIRAMA
+	{0x0B55, 0x0B56, prExtend},                 // Mn   [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK
+	{0x0B57, 0x0B57, prExtend},                 // Mc       ORIYA AU LENGTH MARK
+	{0x0B5C, 0x0B5D, prALetter},                // Lo   [2] ORIYA LETTER RRA..ORIYA LETTER RHA
+	{0x0B5F, 0x0B61, prALetter},                // Lo   [3] ORIYA LETTER YYA..ORIYA LETTER VOCALIC LL
+	{0x0B62, 0x0B63, prExtend},                 // Mn   [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL
+	{0x0B66, 0x0B6F, prNumeric},                // Nd  [10] ORIYA DIGIT ZERO..ORIYA DIGIT NINE
+	{0x0B71, 0x0B71, prALetter},                // Lo       ORIYA LETTER WA
+	{0x0B82, 0x0B82, prExtend},                 // Mn       TAMIL SIGN ANUSVARA
+	{0x0B83, 0x0B83, prALetter},                // Lo       TAMIL SIGN VISARGA
+	{0x0B85, 0x0B8A, prALetter},                // Lo   [6] TAMIL LETTER A..TAMIL LETTER UU
+	{0x0B8E, 0x0B90, prALetter},                // Lo   [3] TAMIL LETTER E..TAMIL LETTER AI
+	{0x0B92, 0x0B95, prALetter},                // Lo   [4] TAMIL LETTER O..TAMIL LETTER KA
+	{0x0B99, 0x0B9A, prALetter},                // Lo   [2] TAMIL LETTER NGA..TAMIL LETTER CA
+	{0x0B9C, 0x0B9C, prALetter},                // Lo       TAMIL LETTER JA
+	{0x0B9E, 0x0B9F, prALetter},                // Lo   [2] TAMIL LETTER NYA..TAMIL LETTER TTA
+	{0x0BA3, 0x0BA4, prALetter},                // Lo   [2] TAMIL LETTER NNA..TAMIL LETTER TA
+	{0x0BA8, 0x0BAA, prALetter},                // Lo   [3] TAMIL LETTER NA..TAMIL LETTER PA
+	{0x0BAE, 0x0BB9, prALetter},                // Lo  [12] TAMIL LETTER MA..TAMIL LETTER HA
+	{0x0BBE, 0x0BBF, prExtend},                 // Mc   [2] TAMIL VOWEL SIGN AA..TAMIL VOWEL SIGN I
+	{0x0BC0, 0x0BC0, prExtend},                 // Mn       TAMIL VOWEL SIGN II
+	{0x0BC1, 0x0BC2, prExtend},                 // Mc   [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU
+	{0x0BC6, 0x0BC8, prExtend},                 // Mc   [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI
+	{0x0BCA, 0x0BCC, prExtend},                 // Mc   [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU
+	{0x0BCD, 0x0BCD, prExtend},                 // Mn       TAMIL SIGN VIRAMA
+	{0x0BD0, 0x0BD0, prALetter},                // Lo       TAMIL OM
+	{0x0BD7, 0x0BD7, prExtend},                 // Mc       TAMIL AU LENGTH MARK
+	{0x0BE6, 0x0BEF, prNumeric},                // Nd  [10] TAMIL DIGIT ZERO..TAMIL DIGIT NINE
+	{0x0C00, 0x0C00, prExtend},                 // Mn       TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	{0x0C01, 0x0C03, prExtend},                 // Mc   [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA
+	{0x0C04, 0x0C04, prExtend},                 // Mn       TELUGU SIGN COMBINING ANUSVARA ABOVE
+	{0x0C05, 0x0C0C, prALetter},                // Lo   [8] TELUGU LETTER A..TELUGU LETTER VOCALIC L
+	{0x0C0E, 0x0C10, prALetter},                // Lo   [3] TELUGU LETTER E..TELUGU LETTER AI
+	{0x0C12, 0x0C28, prALetter},                // Lo  [23] TELUGU LETTER O..TELUGU LETTER NA
+	{0x0C2A, 0x0C39, prALetter},                // Lo  [16] TELUGU LETTER PA..TELUGU LETTER HA
+	{0x0C3C, 0x0C3C, prExtend},                 // Mn       TELUGU SIGN NUKTA
+	{0x0C3D, 0x0C3D, prALetter},                // Lo       TELUGU SIGN AVAGRAHA
+	{0x0C3E, 0x0C40, prExtend},                 // Mn   [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II
+	{0x0C41, 0x0C44, prExtend},                 // Mc   [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR
+	{0x0C46, 0x0C48, prExtend},                 // Mn   [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI
+	{0x0C4A, 0x0C4D, prExtend},                 // Mn   [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA
+	{0x0C55, 0x0C56, prExtend},                 // Mn   [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK
+	{0x0C58, 0x0C5A, prALetter},                // Lo   [3] TELUGU LETTER TSA..TELUGU LETTER RRRA
+	{0x0C5D, 0x0C5D, prALetter},                // Lo       TELUGU LETTER NAKAARA POLLU
+	{0x0C60, 0x0C61, prALetter},                // Lo   [2] TELUGU LETTER VOCALIC RR..TELUGU LETTER VOCALIC LL
+	{0x0C62, 0x0C63, prExtend},                 // Mn   [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL
+	{0x0C66, 0x0C6F, prNumeric},                // Nd  [10] TELUGU DIGIT ZERO..TELUGU DIGIT NINE
+	{0x0C80, 0x0C80, prALetter},                // Lo       KANNADA SIGN SPACING CANDRABINDU
+	{0x0C81, 0x0C81, prExtend},                 // Mn       KANNADA SIGN CANDRABINDU
+	{0x0C82, 0x0C83, prExtend},                 // Mc   [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA
+	{0x0C85, 0x0C8C, prALetter},                // Lo   [8] KANNADA LETTER A..KANNADA LETTER VOCALIC L
+	{0x0C8E, 0x0C90, prALetter},                // Lo   [3] KANNADA LETTER E..KANNADA LETTER AI
+	{0x0C92, 0x0CA8, prALetter},                // Lo  [23] KANNADA LETTER O..KANNADA LETTER NA
+	{0x0CAA, 0x0CB3, prALetter},                // Lo  [10] KANNADA LETTER PA..KANNADA LETTER LLA
+	{0x0CB5, 0x0CB9, prALetter},                // Lo   [5] KANNADA LETTER VA..KANNADA LETTER HA
+	{0x0CBC, 0x0CBC, prExtend},                 // Mn       KANNADA SIGN NUKTA
+	{0x0CBD, 0x0CBD, prALetter},                // Lo       KANNADA SIGN AVAGRAHA
+	{0x0CBE, 0x0CBE, prExtend},                 // Mc       KANNADA VOWEL SIGN AA
+	{0x0CBF, 0x0CBF, prExtend},                 // Mn       KANNADA VOWEL SIGN I
+	{0x0CC0, 0x0CC4, prExtend},                 // Mc   [5] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN VOCALIC RR
+	{0x0CC6, 0x0CC6, prExtend},                 // Mn       KANNADA VOWEL SIGN E
+	{0x0CC7, 0x0CC8, prExtend},                 // Mc   [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI
+	{0x0CCA, 0x0CCB, prExtend},                 // Mc   [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO
+	{0x0CCC, 0x0CCD, prExtend},                 // Mn   [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA
+	{0x0CD5, 0x0CD6, prExtend},                 // Mc   [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK
+	{0x0CDD, 0x0CDE, prALetter},                // Lo   [2] KANNADA LETTER NAKAARA POLLU..KANNADA LETTER FA
+	{0x0CE0, 0x0CE1, prALetter},                // Lo   [2] KANNADA LETTER VOCALIC RR..KANNADA LETTER VOCALIC LL
+	{0x0CE2, 0x0CE3, prExtend},                 // Mn   [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL
+	{0x0CE6, 0x0CEF, prNumeric},                // Nd  [10] KANNADA DIGIT ZERO..KANNADA DIGIT NINE
+	{0x0CF1, 0x0CF2, prALetter},                // Lo   [2] KANNADA SIGN JIHVAMULIYA..KANNADA SIGN UPADHMANIYA
+	{0x0CF3, 0x0CF3, prExtend},                 // Mc       KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT
+	{0x0D00, 0x0D01, prExtend},                 // Mn   [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU
+	{0x0D02, 0x0D03, prExtend},                 // Mc   [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA
+	{0x0D04, 0x0D0C, prALetter},                // Lo   [9] MALAYALAM LETTER VEDIC ANUSVARA..MALAYALAM LETTER VOCALIC L
+	{0x0D0E, 0x0D10, prALetter},                // Lo   [3] MALAYALAM LETTER E..MALAYALAM LETTER AI
+	{0x0D12, 0x0D3A, prALetter},                // Lo  [41] MALAYALAM LETTER O..MALAYALAM LETTER TTTA
+	{0x0D3B, 0x0D3C, prExtend},                 // Mn   [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA
+	{0x0D3D, 0x0D3D, prALetter},                // Lo       MALAYALAM SIGN AVAGRAHA
+	{0x0D3E, 0x0D40, prExtend},                 // Mc   [3] MALAYALAM VOWEL SIGN AA..MALAYALAM VOWEL SIGN II
+	{0x0D41, 0x0D44, prExtend},                 // Mn   [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR
+	{0x0D46, 0x0D48, prExtend},                 // Mc   [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI
+	{0x0D4A, 0x0D4C, prExtend},                 // Mc   [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU
+	{0x0D4D, 0x0D4D, prExtend},                 // Mn       MALAYALAM SIGN VIRAMA
+	{0x0D4E, 0x0D4E, prALetter},                // Lo       MALAYALAM LETTER DOT REPH
+	{0x0D54, 0x0D56, prALetter},                // Lo   [3] MALAYALAM LETTER CHILLU M..MALAYALAM LETTER CHILLU LLL
+	{0x0D57, 0x0D57, prExtend},                 // Mc       MALAYALAM AU LENGTH MARK
+	{0x0D5F, 0x0D61, prALetter},                // Lo   [3] MALAYALAM LETTER ARCHAIC II..MALAYALAM LETTER VOCALIC LL
+	{0x0D62, 0x0D63, prExtend},                 // Mn   [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL
+	{0x0D66, 0x0D6F, prNumeric},                // Nd  [10] MALAYALAM DIGIT ZERO..MALAYALAM DIGIT NINE
+	{0x0D7A, 0x0D7F, prALetter},                // Lo   [6] MALAYALAM LETTER CHILLU NN..MALAYALAM LETTER CHILLU K
+	{0x0D81, 0x0D81, prExtend},                 // Mn       SINHALA SIGN CANDRABINDU
+	{0x0D82, 0x0D83, prExtend},                 // Mc   [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA
+	{0x0D85, 0x0D96, prALetter},                // Lo  [18] SINHALA LETTER AYANNA..SINHALA LETTER AUYANNA
+	{0x0D9A, 0x0DB1, prALetter},                // Lo  [24] SINHALA LETTER ALPAPRAANA KAYANNA..SINHALA LETTER DANTAJA NAYANNA
+	{0x0DB3, 0x0DBB, prALetter},                // Lo   [9] SINHALA LETTER SANYAKA DAYANNA..SINHALA LETTER RAYANNA
+	{0x0DBD, 0x0DBD, prALetter},                // Lo       SINHALA LETTER DANTAJA LAYANNA
+	{0x0DC0, 0x0DC6, prALetter},                // Lo   [7] SINHALA LETTER VAYANNA..SINHALA LETTER FAYANNA
+	{0x0DCA, 0x0DCA, prExtend},                 // Mn       SINHALA SIGN AL-LAKUNA
+	{0x0DCF, 0x0DD1, prExtend},                 // Mc   [3] SINHALA VOWEL SIGN AELA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA
+	{0x0DD2, 0x0DD4, prExtend},                 // Mn   [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA
+	{0x0DD6, 0x0DD6, prExtend},                 // Mn       SINHALA VOWEL SIGN DIGA PAA-PILLA
+	{0x0DD8, 0x0DDF, prExtend},                 // Mc   [8] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN GAYANUKITTA
+	{0x0DE6, 0x0DEF, prNumeric},                // Nd  [10] SINHALA LITH DIGIT ZERO..SINHALA LITH DIGIT NINE
+	{0x0DF2, 0x0DF3, prExtend},                 // Mc   [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA
+	{0x0E31, 0x0E31, prExtend},                 // Mn       THAI CHARACTER MAI HAN-AKAT
+	{0x0E34, 0x0E3A, prExtend},                 // Mn   [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU
+	{0x0E47, 0x0E4E, prExtend},                 // Mn   [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN
+	{0x0E50, 0x0E59, prNumeric},                // Nd  [10] THAI DIGIT ZERO..THAI DIGIT NINE
+	{0x0EB1, 0x0EB1, prExtend},                 // Mn       LAO VOWEL SIGN MAI KAN
+	{0x0EB4, 0x0EBC, prExtend},                 // Mn   [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO
+	{0x0EC8, 0x0ECE, prExtend},                 // Mn   [7] LAO TONE MAI EK..LAO YAMAKKAN
+	{0x0ED0, 0x0ED9, prNumeric},                // Nd  [10] LAO DIGIT ZERO..LAO DIGIT NINE
+	{0x0F00, 0x0F00, prALetter},                // Lo       TIBETAN SYLLABLE OM
+	{0x0F18, 0x0F19, prExtend},                 // Mn   [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS
+	{0x0F20, 0x0F29, prNumeric},                // Nd  [10] TIBETAN DIGIT ZERO..TIBETAN DIGIT NINE
+	{0x0F35, 0x0F35, prExtend},                 // Mn       TIBETAN MARK NGAS BZUNG NYI ZLA
+	{0x0F37, 0x0F37, prExtend},                 // Mn       TIBETAN MARK NGAS BZUNG SGOR RTAGS
+	{0x0F39, 0x0F39, prExtend},                 // Mn       TIBETAN MARK TSA -PHRU
+	{0x0F3E, 0x0F3F, prExtend},                 // Mc   [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES
+	{0x0F40, 0x0F47, prALetter},                // Lo   [8] TIBETAN LETTER KA..TIBETAN LETTER JA
+	{0x0F49, 0x0F6C, prALetter},                // Lo  [36] TIBETAN LETTER NYA..TIBETAN LETTER RRA
+	{0x0F71, 0x0F7E, prExtend},                 // Mn  [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO
+	{0x0F7F, 0x0F7F, prExtend},                 // Mc       TIBETAN SIGN RNAM BCAD
+	{0x0F80, 0x0F84, prExtend},                 // Mn   [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA
+	{0x0F86, 0x0F87, prExtend},                 // Mn   [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS
+	{0x0F88, 0x0F8C, prALetter},                // Lo   [5] TIBETAN SIGN LCE TSA CAN..TIBETAN SIGN INVERTED MCHU CAN
+	{0x0F8D, 0x0F97, prExtend},                 // Mn  [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA
+	{0x0F99, 0x0FBC, prExtend},                 // Mn  [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA
+	{0x0FC6, 0x0FC6, prExtend},                 // Mn       TIBETAN SYMBOL PADMA GDAN
+	{0x102B, 0x102C, prExtend},                 // Mc   [2] MYANMAR VOWEL SIGN TALL AA..MYANMAR VOWEL SIGN AA
+	{0x102D, 0x1030, prExtend},                 // Mn   [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU
+	{0x1031, 0x1031, prExtend},                 // Mc       MYANMAR VOWEL SIGN E
+	{0x1032, 0x1037, prExtend},                 // Mn   [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW
+	{0x1038, 0x1038, prExtend},                 // Mc       MYANMAR SIGN VISARGA
+	{0x1039, 0x103A, prExtend},                 // Mn   [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT
+	{0x103B, 0x103C, prExtend},                 // Mc   [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA
+	{0x103D, 0x103E, prExtend},                 // Mn   [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA
+	{0x1040, 0x1049, prNumeric},                // Nd  [10] MYANMAR DIGIT ZERO..MYANMAR DIGIT NINE
+	{0x1056, 0x1057, prExtend},                 // Mc   [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR
+	{0x1058, 0x1059, prExtend},                 // Mn   [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL
+	{0x105E, 0x1060, prExtend},                 // Mn   [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA
+	{0x1062, 0x1064, prExtend},                 // Mc   [3] MYANMAR VOWEL SIGN SGAW KAREN EU..MYANMAR TONE MARK SGAW KAREN KE PHO
+	{0x1067, 0x106D, prExtend},                 // Mc   [7] MYANMAR VOWEL SIGN WESTERN PWO KAREN EU..MYANMAR SIGN WESTERN PWO KAREN TONE-5
+	{0x1071, 0x1074, prExtend},                 // Mn   [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE
+	{0x1082, 0x1082, prExtend},                 // Mn       MYANMAR CONSONANT SIGN SHAN MEDIAL WA
+	{0x1083, 0x1084, prExtend},                 // Mc   [2] MYANMAR VOWEL SIGN SHAN AA..MYANMAR VOWEL SIGN SHAN E
+	{0x1085, 0x1086, prExtend},                 // Mn   [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y
+	{0x1087, 0x108C, prExtend},                 // Mc   [6] MYANMAR SIGN SHAN TONE-2..MYANMAR SIGN SHAN COUNCIL TONE-3
+	{0x108D, 0x108D, prExtend},                 // Mn       MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE
+	{0x108F, 0x108F, prExtend},                 // Mc       MYANMAR SIGN RUMAI PALAUNG TONE-5
+	{0x1090, 0x1099, prNumeric},                // Nd  [10] MYANMAR SHAN DIGIT ZERO..MYANMAR SHAN DIGIT NINE
+	{0x109A, 0x109C, prExtend},                 // Mc   [3] MYANMAR SIGN KHAMTI TONE-1..MYANMAR VOWEL SIGN AITON A
+	{0x109D, 0x109D, prExtend},                 // Mn       MYANMAR VOWEL SIGN AITON AI
+	{0x10A0, 0x10C5, prALetter},                // L&  [38] GEORGIAN CAPITAL LETTER AN..GEORGIAN CAPITAL LETTER HOE
+	{0x10C7, 0x10C7, prALetter},                // L&       GEORGIAN CAPITAL LETTER YN
+	{0x10CD, 0x10CD, prALetter},                // L&       GEORGIAN CAPITAL LETTER AEN
+	{0x10D0, 0x10FA, prALetter},                // L&  [43] GEORGIAN LETTER AN..GEORGIAN LETTER AIN
+	{0x10FC, 0x10FC, prALetter},                // Lm       MODIFIER LETTER GEORGIAN NAR
+	{0x10FD, 0x10FF, prALetter},                // L&   [3] GEORGIAN LETTER AEN..GEORGIAN LETTER LABIAL SIGN
+	{0x1100, 0x1248, prALetter},                // Lo [329] HANGUL CHOSEONG KIYEOK..ETHIOPIC SYLLABLE QWA
+	{0x124A, 0x124D, prALetter},                // Lo   [4] ETHIOPIC SYLLABLE QWI..ETHIOPIC SYLLABLE QWE
+	{0x1250, 0x1256, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE QHA..ETHIOPIC SYLLABLE QHO
+	{0x1258, 0x1258, prALetter},                // Lo       ETHIOPIC SYLLABLE QHWA
+	{0x125A, 0x125D, prALetter},                // Lo   [4] ETHIOPIC SYLLABLE QHWI..ETHIOPIC SYLLABLE QHWE
+	{0x1260, 0x1288, prALetter},                // Lo  [41] ETHIOPIC SYLLABLE BA..ETHIOPIC SYLLABLE XWA
+	{0x128A, 0x128D, prALetter},                // Lo   [4] ETHIOPIC SYLLABLE XWI..ETHIOPIC SYLLABLE XWE
+	{0x1290, 0x12B0, prALetter},                // Lo  [33] ETHIOPIC SYLLABLE NA..ETHIOPIC SYLLABLE KWA
+	{0x12B2, 0x12B5, prALetter},                // Lo   [4] ETHIOPIC SYLLABLE KWI..ETHIOPIC SYLLABLE KWE
+	{0x12B8, 0x12BE, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE KXA..ETHIOPIC SYLLABLE KXO
+	{0x12C0, 0x12C0, prALetter},                // Lo       ETHIOPIC SYLLABLE KXWA
+	{0x12C2, 0x12C5, prALetter},                // Lo   [4] ETHIOPIC SYLLABLE KXWI..ETHIOPIC SYLLABLE KXWE
+	{0x12C8, 0x12D6, prALetter},                // Lo  [15] ETHIOPIC SYLLABLE WA..ETHIOPIC SYLLABLE PHARYNGEAL O
+	{0x12D8, 0x1310, prALetter},                // Lo  [57] ETHIOPIC SYLLABLE ZA..ETHIOPIC SYLLABLE GWA
+	{0x1312, 0x1315, prALetter},                // Lo   [4] ETHIOPIC SYLLABLE GWI..ETHIOPIC SYLLABLE GWE
+	{0x1318, 0x135A, prALetter},                // Lo  [67] ETHIOPIC SYLLABLE GGA..ETHIOPIC SYLLABLE FYA
+	{0x135D, 0x135F, prExtend},                 // Mn   [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK
+	{0x1380, 0x138F, prALetter},                // Lo  [16] ETHIOPIC SYLLABLE SEBATBEIT MWA..ETHIOPIC SYLLABLE PWE
+	{0x13A0, 0x13F5, prALetter},                // L&  [86] CHEROKEE LETTER A..CHEROKEE LETTER MV
+	{0x13F8, 0x13FD, prALetter},                // L&   [6] CHEROKEE SMALL LETTER YE..CHEROKEE SMALL LETTER MV
+	{0x1401, 0x166C, prALetter},                // Lo [620] CANADIAN SYLLABICS E..CANADIAN SYLLABICS CARRIER TTSA
+	{0x166F, 0x167F, prALetter},                // Lo  [17] CANADIAN SYLLABICS QAI..CANADIAN SYLLABICS BLACKFOOT W
+	{0x1680, 0x1680, prWSegSpace},              // Zs       OGHAM SPACE MARK
+	{0x1681, 0x169A, prALetter},                // Lo  [26] OGHAM LETTER BEITH..OGHAM LETTER PEITH
+	{0x16A0, 0x16EA, prALetter},                // Lo  [75] RUNIC LETTER FEHU FEOH FE F..RUNIC LETTER X
+	{0x16EE, 0x16F0, prALetter},                // Nl   [3] RUNIC ARLAUG SYMBOL..RUNIC BELGTHOR SYMBOL
+	{0x16F1, 0x16F8, prALetter},                // Lo   [8] RUNIC LETTER K..RUNIC LETTER FRANKS CASKET AESC
+	{0x1700, 0x1711, prALetter},                // Lo  [18] TAGALOG LETTER A..TAGALOG LETTER HA
+	{0x1712, 0x1714, prExtend},                 // Mn   [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA
+	{0x1715, 0x1715, prExtend},                 // Mc       TAGALOG SIGN PAMUDPOD
+	{0x171F, 0x1731, prALetter},                // Lo  [19] TAGALOG LETTER ARCHAIC RA..HANUNOO LETTER HA
+	{0x1732, 0x1733, prExtend},                 // Mn   [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U
+	{0x1734, 0x1734, prExtend},                 // Mc       HANUNOO SIGN PAMUDPOD
+	{0x1740, 0x1751, prALetter},                // Lo  [18] BUHID LETTER A..BUHID LETTER HA
+	{0x1752, 0x1753, prExtend},                 // Mn   [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U
+	{0x1760, 0x176C, prALetter},                // Lo  [13] TAGBANWA LETTER A..TAGBANWA LETTER YA
+	{0x176E, 0x1770, prALetter},                // Lo   [3] TAGBANWA LETTER LA..TAGBANWA LETTER SA
+	{0x1772, 0x1773, prExtend},                 // Mn   [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U
+	{0x17B4, 0x17B5, prExtend},                 // Mn   [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA
+	{0x17B6, 0x17B6, prExtend},                 // Mc       KHMER VOWEL SIGN AA
+	{0x17B7, 0x17BD, prExtend},                 // Mn   [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA
+	{0x17BE, 0x17C5, prExtend},                 // Mc   [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU
+	{0x17C6, 0x17C6, prExtend},                 // Mn       KHMER SIGN NIKAHIT
+	{0x17C7, 0x17C8, prExtend},                 // Mc   [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU
+	{0x17C9, 0x17D3, prExtend},                 // Mn  [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT
+	{0x17DD, 0x17DD, prExtend},                 // Mn       KHMER SIGN ATTHACAN
+	{0x17E0, 0x17E9, prNumeric},                // Nd  [10] KHMER DIGIT ZERO..KHMER DIGIT NINE
+	{0x180B, 0x180D, prExtend},                 // Mn   [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE
+	{0x180E, 0x180E, prFormat},                 // Cf       MONGOLIAN VOWEL SEPARATOR
+	{0x180F, 0x180F, prExtend},                 // Mn       MONGOLIAN FREE VARIATION SELECTOR FOUR
+	{0x1810, 0x1819, prNumeric},                // Nd  [10] MONGOLIAN DIGIT ZERO..MONGOLIAN DIGIT NINE
+	{0x1820, 0x1842, prALetter},                // Lo  [35] MONGOLIAN LETTER A..MONGOLIAN LETTER CHI
+	{0x1843, 0x1843, prALetter},                // Lm       MONGOLIAN LETTER TODO LONG VOWEL SIGN
+	{0x1844, 0x1878, prALetter},                // Lo  [53] MONGOLIAN LETTER TODO E..MONGOLIAN LETTER CHA WITH TWO DOTS
+	{0x1880, 0x1884, prALetter},                // Lo   [5] MONGOLIAN LETTER ALI GALI ANUSVARA ONE..MONGOLIAN LETTER ALI GALI INVERTED UBADAMA
+	{0x1885, 0x1886, prExtend},                 // Mn   [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA
+	{0x1887, 0x18A8, prALetter},                // Lo  [34] MONGOLIAN LETTER ALI GALI A..MONGOLIAN LETTER MANCHU ALI GALI BHA
+	{0x18A9, 0x18A9, prExtend},                 // Mn       MONGOLIAN LETTER ALI GALI DAGALGA
+	{0x18AA, 0x18AA, prALetter},                // Lo       MONGOLIAN LETTER MANCHU ALI GALI LHA
+	{0x18B0, 0x18F5, prALetter},                // Lo  [70] CANADIAN SYLLABICS OY..CANADIAN SYLLABICS CARRIER DENTAL S
+	{0x1900, 0x191E, prALetter},                // Lo  [31] LIMBU VOWEL-CARRIER LETTER..LIMBU LETTER TRA
+	{0x1920, 0x1922, prExtend},                 // Mn   [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U
+	{0x1923, 0x1926, prExtend},                 // Mc   [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU
+	{0x1927, 0x1928, prExtend},                 // Mn   [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O
+	{0x1929, 0x192B, prExtend},                 // Mc   [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA
+	{0x1930, 0x1931, prExtend},                 // Mc   [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA
+	{0x1932, 0x1932, prExtend},                 // Mn       LIMBU SMALL LETTER ANUSVARA
+	{0x1933, 0x1938, prExtend},                 // Mc   [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA
+	{0x1939, 0x193B, prExtend},                 // Mn   [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I
+	{0x1946, 0x194F, prNumeric},                // Nd  [10] LIMBU DIGIT ZERO..LIMBU DIGIT NINE
+	{0x19D0, 0x19D9, prNumeric},                // Nd  [10] NEW TAI LUE DIGIT ZERO..NEW TAI LUE DIGIT NINE
+	{0x1A00, 0x1A16, prALetter},                // Lo  [23] BUGINESE LETTER KA..BUGINESE LETTER HA
+	{0x1A17, 0x1A18, prExtend},                 // Mn   [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U
+	{0x1A19, 0x1A1A, prExtend},                 // Mc   [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O
+	{0x1A1B, 0x1A1B, prExtend},                 // Mn       BUGINESE VOWEL SIGN AE
+	{0x1A55, 0x1A55, prExtend},                 // Mc       TAI THAM CONSONANT SIGN MEDIAL RA
+	{0x1A56, 0x1A56, prExtend},                 // Mn       TAI THAM CONSONANT SIGN MEDIAL LA
+	{0x1A57, 0x1A57, prExtend},                 // Mc       TAI THAM CONSONANT SIGN LA TANG LAI
+	{0x1A58, 0x1A5E, prExtend},                 // Mn   [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA
+	{0x1A60, 0x1A60, prExtend},                 // Mn       TAI THAM SIGN SAKOT
+	{0x1A61, 0x1A61, prExtend},                 // Mc       TAI THAM VOWEL SIGN A
+	{0x1A62, 0x1A62, prExtend},                 // Mn       TAI THAM VOWEL SIGN MAI SAT
+	{0x1A63, 0x1A64, prExtend},                 // Mc   [2] TAI THAM VOWEL SIGN AA..TAI THAM VOWEL SIGN TALL AA
+	{0x1A65, 0x1A6C, prExtend},                 // Mn   [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW
+	{0x1A6D, 0x1A72, prExtend},                 // Mc   [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI
+	{0x1A73, 0x1A7C, prExtend},                 // Mn  [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN
+	{0x1A7F, 0x1A7F, prExtend},                 // Mn       TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	{0x1A80, 0x1A89, prNumeric},                // Nd  [10] TAI THAM HORA DIGIT ZERO..TAI THAM HORA DIGIT NINE
+	{0x1A90, 0x1A99, prNumeric},                // Nd  [10] TAI THAM THAM DIGIT ZERO..TAI THAM THAM DIGIT NINE
+	{0x1AB0, 0x1ABD, prExtend},                 // Mn  [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW
+	{0x1ABE, 0x1ABE, prExtend},                 // Me       COMBINING PARENTHESES OVERLAY
+	{0x1ABF, 0x1ACE, prExtend},                 // Mn  [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T
+	{0x1B00, 0x1B03, prExtend},                 // Mn   [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG
+	{0x1B04, 0x1B04, prExtend},                 // Mc       BALINESE SIGN BISAH
+	{0x1B05, 0x1B33, prALetter},                // Lo  [47] BALINESE LETTER AKARA..BALINESE LETTER HA
+	{0x1B34, 0x1B34, prExtend},                 // Mn       BALINESE SIGN REREKAN
+	{0x1B35, 0x1B35, prExtend},                 // Mc       BALINESE VOWEL SIGN TEDUNG
+	{0x1B36, 0x1B3A, prExtend},                 // Mn   [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA
+	{0x1B3B, 0x1B3B, prExtend},                 // Mc       BALINESE VOWEL SIGN RA REPA TEDUNG
+	{0x1B3C, 0x1B3C, prExtend},                 // Mn       BALINESE VOWEL SIGN LA LENGA
+	{0x1B3D, 0x1B41, prExtend},                 // Mc   [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG
+	{0x1B42, 0x1B42, prExtend},                 // Mn       BALINESE VOWEL SIGN PEPET
+	{0x1B43, 0x1B44, prExtend},                 // Mc   [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG
+	{0x1B45, 0x1B4C, prALetter},                // Lo   [8] BALINESE LETTER KAF SASAK..BALINESE LETTER ARCHAIC JNYA
+	{0x1B50, 0x1B59, prNumeric},                // Nd  [10] BALINESE DIGIT ZERO..BALINESE DIGIT NINE
+	{0x1B6B, 0x1B73, prExtend},                 // Mn   [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG
+	{0x1B80, 0x1B81, prExtend},                 // Mn   [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR
+	{0x1B82, 0x1B82, prExtend},                 // Mc       SUNDANESE SIGN PANGWISAD
+	{0x1B83, 0x1BA0, prALetter},                // Lo  [30] SUNDANESE LETTER A..SUNDANESE LETTER HA
+	{0x1BA1, 0x1BA1, prExtend},                 // Mc       SUNDANESE CONSONANT SIGN PAMINGKAL
+	{0x1BA2, 0x1BA5, prExtend},                 // Mn   [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU
+	{0x1BA6, 0x1BA7, prExtend},                 // Mc   [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG
+	{0x1BA8, 0x1BA9, prExtend},                 // Mn   [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG
+	{0x1BAA, 0x1BAA, prExtend},                 // Mc       SUNDANESE SIGN PAMAAEH
+	{0x1BAB, 0x1BAD, prExtend},                 // Mn   [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA
+	{0x1BAE, 0x1BAF, prALetter},                // Lo   [2] SUNDANESE LETTER KHA..SUNDANESE LETTER SYA
+	{0x1BB0, 0x1BB9, prNumeric},                // Nd  [10] SUNDANESE DIGIT ZERO..SUNDANESE DIGIT NINE
+	{0x1BBA, 0x1BE5, prALetter},                // Lo  [44] SUNDANESE AVAGRAHA..BATAK LETTER U
+	{0x1BE6, 0x1BE6, prExtend},                 // Mn       BATAK SIGN TOMPI
+	{0x1BE7, 0x1BE7, prExtend},                 // Mc       BATAK VOWEL SIGN E
+	{0x1BE8, 0x1BE9, prExtend},                 // Mn   [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE
+	{0x1BEA, 0x1BEC, prExtend},                 // Mc   [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O
+	{0x1BED, 0x1BED, prExtend},                 // Mn       BATAK VOWEL SIGN KARO O
+	{0x1BEE, 0x1BEE, prExtend},                 // Mc       BATAK VOWEL SIGN U
+	{0x1BEF, 0x1BF1, prExtend},                 // Mn   [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H
+	{0x1BF2, 0x1BF3, prExtend},                 // Mc   [2] BATAK PANGOLAT..BATAK PANONGONAN
+	{0x1C00, 0x1C23, prALetter},                // Lo  [36] LEPCHA LETTER KA..LEPCHA LETTER A
+	{0x1C24, 0x1C2B, prExtend},                 // Mc   [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU
+	{0x1C2C, 0x1C33, prExtend},                 // Mn   [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T
+	{0x1C34, 0x1C35, prExtend},                 // Mc   [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG
+	{0x1C36, 0x1C37, prExtend},                 // Mn   [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA
+	{0x1C40, 0x1C49, prNumeric},                // Nd  [10] LEPCHA DIGIT ZERO..LEPCHA DIGIT NINE
+	{0x1C4D, 0x1C4F, prALetter},                // Lo   [3] LEPCHA LETTER TTA..LEPCHA LETTER DDA
+	{0x1C50, 0x1C59, prNumeric},                // Nd  [10] OL CHIKI DIGIT ZERO..OL CHIKI DIGIT NINE
+	{0x1C5A, 0x1C77, prALetter},                // Lo  [30] OL CHIKI LETTER LA..OL CHIKI LETTER OH
+	{0x1C78, 0x1C7D, prALetter},                // Lm   [6] OL CHIKI MU TTUDDAG..OL CHIKI AHAD
+	{0x1C80, 0x1C88, prALetter},                // L&   [9] CYRILLIC SMALL LETTER ROUNDED VE..CYRILLIC SMALL LETTER UNBLENDED UK
+	{0x1C90, 0x1CBA, prALetter},                // L&  [43] GEORGIAN MTAVRULI CAPITAL LETTER AN..GEORGIAN MTAVRULI CAPITAL LETTER AIN
+	{0x1CBD, 0x1CBF, prALetter},                // L&   [3] GEORGIAN MTAVRULI CAPITAL LETTER AEN..GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN
+	{0x1CD0, 0x1CD2, prExtend},                 // Mn   [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA
+	{0x1CD4, 0x1CE0, prExtend},                 // Mn  [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA
+	{0x1CE1, 0x1CE1, prExtend},                 // Mc       VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA
+	{0x1CE2, 0x1CE8, prExtend},                 // Mn   [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL
+	{0x1CE9, 0x1CEC, prALetter},                // Lo   [4] VEDIC SIGN ANUSVARA ANTARGOMUKHA..VEDIC SIGN ANUSVARA VAMAGOMUKHA WITH TAIL
+	{0x1CED, 0x1CED, prExtend},                 // Mn       VEDIC SIGN TIRYAK
+	{0x1CEE, 0x1CF3, prALetter},                // Lo   [6] VEDIC SIGN HEXIFORM LONG ANUSVARA..VEDIC SIGN ROTATED ARDHAVISARGA
+	{0x1CF4, 0x1CF4, prExtend},                 // Mn       VEDIC TONE CANDRA ABOVE
+	{0x1CF5, 0x1CF6, prALetter},                // Lo   [2] VEDIC SIGN JIHVAMULIYA..VEDIC SIGN UPADHMANIYA
+	{0x1CF7, 0x1CF7, prExtend},                 // Mc       VEDIC SIGN ATIKRAMA
+	{0x1CF8, 0x1CF9, prExtend},                 // Mn   [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE
+	{0x1CFA, 0x1CFA, prALetter},                // Lo       VEDIC SIGN DOUBLE ANUSVARA ANTARGOMUKHA
+	{0x1D00, 0x1D2B, prALetter},                // L&  [44] LATIN LETTER SMALL CAPITAL A..CYRILLIC LETTER SMALL CAPITAL EL
+	{0x1D2C, 0x1D6A, prALetter},                // Lm  [63] MODIFIER LETTER CAPITAL A..GREEK SUBSCRIPT SMALL LETTER CHI
+	{0x1D6B, 0x1D77, prALetter},                // L&  [13] LATIN SMALL LETTER UE..LATIN SMALL LETTER TURNED G
+	{0x1D78, 0x1D78, prALetter},                // Lm       MODIFIER LETTER CYRILLIC EN
+	{0x1D79, 0x1D9A, prALetter},                // L&  [34] LATIN SMALL LETTER INSULAR G..LATIN SMALL LETTER EZH WITH RETROFLEX HOOK
+	{0x1D9B, 0x1DBF, prALetter},                // Lm  [37] MODIFIER LETTER SMALL TURNED ALPHA..MODIFIER LETTER SMALL THETA
+	{0x1DC0, 0x1DFF, prExtend},                 // Mn  [64] COMBINING DOTTED GRAVE ACCENT..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+	{0x1E00, 0x1F15, prALetter},                // L& [278] LATIN CAPITAL LETTER A WITH RING BELOW..GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA
+	{0x1F18, 0x1F1D, prALetter},                // L&   [6] GREEK CAPITAL LETTER EPSILON WITH PSILI..GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA
+	{0x1F20, 0x1F45, prALetter},                // L&  [38] GREEK SMALL LETTER ETA WITH PSILI..GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA
+	{0x1F48, 0x1F4D, prALetter},                // L&   [6] GREEK CAPITAL LETTER OMICRON WITH PSILI..GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA
+	{0x1F50, 0x1F57, prALetter},                // L&   [8] GREEK SMALL LETTER UPSILON WITH PSILI..GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	{0x1F59, 0x1F59, prALetter},                // L&       GREEK CAPITAL LETTER UPSILON WITH DASIA
+	{0x1F5B, 0x1F5B, prALetter},                // L&       GREEK CAPITAL LETTER UPSILON WITH DASIA AND VARIA
+	{0x1F5D, 0x1F5D, prALetter},                // L&       GREEK CAPITAL LETTER UPSILON WITH DASIA AND OXIA
+	{0x1F5F, 0x1F7D, prALetter},                // L&  [31] GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI..GREEK SMALL LETTER OMEGA WITH OXIA
+	{0x1F80, 0x1FB4, prALetter},                // L&  [53] GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FB6, 0x1FBC, prALetter},                // L&   [7] GREEK SMALL LETTER ALPHA WITH PERISPOMENI..GREEK CAPITAL LETTER ALPHA WITH PROSGEGRAMMENI
+	{0x1FBE, 0x1FBE, prALetter},                // L&       GREEK PROSGEGRAMMENI
+	{0x1FC2, 0x1FC4, prALetter},                // L&   [3] GREEK SMALL LETTER ETA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FC6, 0x1FCC, prALetter},                // L&   [7] GREEK SMALL LETTER ETA WITH PERISPOMENI..GREEK CAPITAL LETTER ETA WITH PROSGEGRAMMENI
+	{0x1FD0, 0x1FD3, prALetter},                // L&   [4] GREEK SMALL LETTER IOTA WITH VRACHY..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA
+	{0x1FD6, 0x1FDB, prALetter},                // L&   [6] GREEK SMALL LETTER IOTA WITH PERISPOMENI..GREEK CAPITAL LETTER IOTA WITH OXIA
+	{0x1FE0, 0x1FEC, prALetter},                // L&  [13] GREEK SMALL LETTER UPSILON WITH VRACHY..GREEK CAPITAL LETTER RHO WITH DASIA
+	{0x1FF2, 0x1FF4, prALetter},                // L&   [3] GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI
+	{0x1FF6, 0x1FFC, prALetter},                // L&   [7] GREEK SMALL LETTER OMEGA WITH PERISPOMENI..GREEK CAPITAL LETTER OMEGA WITH PROSGEGRAMMENI
+	{0x2000, 0x2006, prWSegSpace},              // Zs   [7] EN QUAD..SIX-PER-EM SPACE
+	{0x2008, 0x200A, prWSegSpace},              // Zs   [3] PUNCTUATION SPACE..HAIR SPACE
+	{0x200C, 0x200C, prExtend},                 // Cf       ZERO WIDTH NON-JOINER
+	{0x200D, 0x200D, prZWJ},                    // Cf       ZERO WIDTH JOINER
+	{0x200E, 0x200F, prFormat},                 // Cf   [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK
+	{0x2018, 0x2018, prMidNumLet},              // Pi       LEFT SINGLE QUOTATION MARK
+	{0x2019, 0x2019, prMidNumLet},              // Pf       RIGHT SINGLE QUOTATION MARK
+	{0x2024, 0x2024, prMidNumLet},              // Po       ONE DOT LEADER
+	{0x2027, 0x2027, prMidLetter},              // Po       HYPHENATION POINT
+	{0x2028, 0x2028, prNewline},                // Zl       LINE SEPARATOR
+	{0x2029, 0x2029, prNewline},                // Zp       PARAGRAPH SEPARATOR
+	{0x202A, 0x202E, prFormat},                 // Cf   [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE
+	{0x202F, 0x202F, prExtendNumLet},           // Zs       NARROW NO-BREAK SPACE
+	{0x203C, 0x203C, prExtendedPictographic},   // E0.6   [1] (‼�)       double exclamation mark
+	{0x203F, 0x2040, prExtendNumLet},           // Pc   [2] UNDERTIE..CHARACTER TIE
+	{0x2044, 0x2044, prMidNum},                 // Sm       FRACTION SLASH
+	{0x2049, 0x2049, prExtendedPictographic},   // E0.6   [1] (��)       exclamation question mark
+	{0x2054, 0x2054, prExtendNumLet},           // Pc       INVERTED UNDERTIE
+	{0x205F, 0x205F, prWSegSpace},              // Zs       MEDIUM MATHEMATICAL SPACE
+	{0x2060, 0x2064, prFormat},                 // Cf   [5] WORD JOINER..INVISIBLE PLUS
+	{0x2066, 0x206F, prFormat},                 // Cf  [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES
+	{0x2071, 0x2071, prALetter},                // Lm       SUPERSCRIPT LATIN SMALL LETTER I
+	{0x207F, 0x207F, prALetter},                // Lm       SUPERSCRIPT LATIN SMALL LETTER N
+	{0x2090, 0x209C, prALetter},                // Lm  [13] LATIN SUBSCRIPT SMALL LETTER A..LATIN SUBSCRIPT SMALL LETTER T
+	{0x20D0, 0x20DC, prExtend},                 // Mn  [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE
+	{0x20DD, 0x20E0, prExtend},                 // Me   [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH
+	{0x20E1, 0x20E1, prExtend},                 // Mn       COMBINING LEFT RIGHT ARROW ABOVE
+	{0x20E2, 0x20E4, prExtend},                 // Me   [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE
+	{0x20E5, 0x20F0, prExtend},                 // Mn  [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE
+	{0x2102, 0x2102, prALetter},                // L&       DOUBLE-STRUCK CAPITAL C
+	{0x2107, 0x2107, prALetter},                // L&       EULER CONSTANT
+	{0x210A, 0x2113, prALetter},                // L&  [10] SCRIPT SMALL G..SCRIPT SMALL L
+	{0x2115, 0x2115, prALetter},                // L&       DOUBLE-STRUCK CAPITAL N
+	{0x2119, 0x211D, prALetter},                // L&   [5] DOUBLE-STRUCK CAPITAL P..DOUBLE-STRUCK CAPITAL R
+	{0x2122, 0x2122, prExtendedPictographic},   // E0.6   [1] (™�)       trade mark
+	{0x2124, 0x2124, prALetter},                // L&       DOUBLE-STRUCK CAPITAL Z
+	{0x2126, 0x2126, prALetter},                // L&       OHM SIGN
+	{0x2128, 0x2128, prALetter},                // L&       BLACK-LETTER CAPITAL Z
+	{0x212A, 0x212D, prALetter},                // L&   [4] KELVIN SIGN..BLACK-LETTER CAPITAL C
+	{0x212F, 0x2134, prALetter},                // L&   [6] SCRIPT SMALL E..SCRIPT SMALL O
+	{0x2135, 0x2138, prALetter},                // Lo   [4] ALEF SYMBOL..DALET SYMBOL
+	{0x2139, 0x2139, prExtendedPictographic},   // E0.6   [1] (ℹ�)       information
+	{0x2139, 0x2139, prALetter},                // L&       INFORMATION SOURCE
+	{0x213C, 0x213F, prALetter},                // L&   [4] DOUBLE-STRUCK SMALL PI..DOUBLE-STRUCK CAPITAL PI
+	{0x2145, 0x2149, prALetter},                // L&   [5] DOUBLE-STRUCK ITALIC CAPITAL D..DOUBLE-STRUCK ITALIC SMALL J
+	{0x214E, 0x214E, prALetter},                // L&       TURNED SMALL F
+	{0x2160, 0x2182, prALetter},                // Nl  [35] ROMAN NUMERAL ONE..ROMAN NUMERAL TEN THOUSAND
+	{0x2183, 0x2184, prALetter},                // L&   [2] ROMAN NUMERAL REVERSED ONE HUNDRED..LATIN SMALL LETTER REVERSED C
+	{0x2185, 0x2188, prALetter},                // Nl   [4] ROMAN NUMERAL SIX LATE FORM..ROMAN NUMERAL ONE HUNDRED THOUSAND
+	{0x2194, 0x2199, prExtendedPictographic},   // E0.6   [6] (↔�..↙�)    left-right arrow..down-left arrow
+	{0x21A9, 0x21AA, prExtendedPictographic},   // E0.6   [2] (↩�..↪�)    right arrow curving left..left arrow curving right
+	{0x231A, 0x231B, prExtendedPictographic},   // E0.6   [2] (⌚..⌛)    watch..hourglass done
+	{0x2328, 0x2328, prExtendedPictographic},   // E1.0   [1] (⌨�)       keyboard
+	{0x2388, 0x2388, prExtendedPictographic},   // E0.0   [1] (⎈)       HELM SYMBOL
+	{0x23CF, 0x23CF, prExtendedPictographic},   // E1.0   [1] (��)       eject button
+	{0x23E9, 0x23EC, prExtendedPictographic},   // E0.6   [4] (�..�)    fast-forward button..fast down button
+	{0x23ED, 0x23EE, prExtendedPictographic},   // E0.7   [2] (��..��)    next track button..last track button
+	{0x23EF, 0x23EF, prExtendedPictographic},   // E1.0   [1] (��)       play or pause button
+	{0x23F0, 0x23F0, prExtendedPictographic},   // E0.6   [1] (�)       alarm clock
+	{0x23F1, 0x23F2, prExtendedPictographic},   // E1.0   [2] (��..��)    stopwatch..timer clock
+	{0x23F3, 0x23F3, prExtendedPictographic},   // E0.6   [1] (�)       hourglass not done
+	{0x23F8, 0x23FA, prExtendedPictographic},   // E0.7   [3] (��..��)    pause button..record button
+	{0x24B6, 0x24E9, prALetter},                // So  [52] CIRCLED LATIN CAPITAL LETTER A..CIRCLED LATIN SMALL LETTER Z
+	{0x24C2, 0x24C2, prExtendedPictographic},   // E0.6   [1] (Ⓜ�)       circled M
+	{0x25AA, 0x25AB, prExtendedPictographic},   // E0.6   [2] (▪�..▫�)    black small square..white small square
+	{0x25B6, 0x25B6, prExtendedPictographic},   // E0.6   [1] (▶�)       play button
+	{0x25C0, 0x25C0, prExtendedPictographic},   // E0.6   [1] (◀�)       reverse button
+	{0x25FB, 0x25FE, prExtendedPictographic},   // E0.6   [4] (◻�..◾)    white medium square..black medium-small square
+	{0x2600, 0x2601, prExtendedPictographic},   // E0.6   [2] (☀�..��)    sun..cloud
+	{0x2602, 0x2603, prExtendedPictographic},   // E0.7   [2] (☂�..☃�)    umbrella..snowman
+	{0x2604, 0x2604, prExtendedPictographic},   // E1.0   [1] (☄�)       comet
+	{0x2605, 0x2605, prExtendedPictographic},   // E0.0   [1] (★)       BLACK STAR
+	{0x2607, 0x260D, prExtendedPictographic},   // E0.0   [7] (☇..�)    LIGHTNING..OPPOSITION
+	{0x260E, 0x260E, prExtendedPictographic},   // E0.6   [1] (☎�)       telephone
+	{0x260F, 0x2610, prExtendedPictographic},   // E0.0   [2] (�..�)    WHITE TELEPHONE..BALLOT BOX
+	{0x2611, 0x2611, prExtendedPictographic},   // E0.6   [1] (☑�)       check box with check
+	{0x2612, 0x2612, prExtendedPictographic},   // E0.0   [1] (☒)       BALLOT BOX WITH X
+	{0x2614, 0x2615, prExtendedPictographic},   // E0.6   [2] (☔..☕)    umbrella with rain drops..hot beverage
+	{0x2616, 0x2617, prExtendedPictographic},   // E0.0   [2] (☖..☗)    WHITE SHOGI PIECE..BLACK SHOGI PIECE
+	{0x2618, 0x2618, prExtendedPictographic},   // E1.0   [1] (☘�)       shamrock
+	{0x2619, 0x261C, prExtendedPictographic},   // E0.0   [4] (☙..☜)    REVERSED ROTATED FLORAL HEART BULLET..WHITE LEFT POINTING INDEX
+	{0x261D, 0x261D, prExtendedPictographic},   // E0.6   [1] (��)       index pointing up
+	{0x261E, 0x261F, prExtendedPictographic},   // E0.0   [2] (☞..☟)    WHITE RIGHT POINTING INDEX..WHITE DOWN POINTING INDEX
+	{0x2620, 0x2620, prExtendedPictographic},   // E1.0   [1] (☠�)       skull and crossbones
+	{0x2621, 0x2621, prExtendedPictographic},   // E0.0   [1] (☡)       CAUTION SIGN
+	{0x2622, 0x2623, prExtendedPictographic},   // E1.0   [2] (☢�..☣�)    radioactive..biohazard
+	{0x2624, 0x2625, prExtendedPictographic},   // E0.0   [2] (☤..☥)    CADUCEUS..ANKH
+	{0x2626, 0x2626, prExtendedPictographic},   // E1.0   [1] (☦�)       orthodox cross
+	{0x2627, 0x2629, prExtendedPictographic},   // E0.0   [3] (☧..☩)    CHI RHO..CROSS OF JERUSALEM
+	{0x262A, 0x262A, prExtendedPictographic},   // E0.7   [1] (☪�)       star and crescent
+	{0x262B, 0x262D, prExtendedPictographic},   // E0.0   [3] (☫..☭)    FARSI SYMBOL..HAMMER AND SICKLE
+	{0x262E, 0x262E, prExtendedPictographic},   // E1.0   [1] (☮�)       peace symbol
+	{0x262F, 0x262F, prExtendedPictographic},   // E0.7   [1] (☯�)       yin yang
+	{0x2630, 0x2637, prExtendedPictographic},   // E0.0   [8] (☰..☷)    TRIGRAM FOR HEAVEN..TRIGRAM FOR EARTH
+	{0x2638, 0x2639, prExtendedPictographic},   // E0.7   [2] (☸�..☹�)    wheel of dharma..frowning face
+	{0x263A, 0x263A, prExtendedPictographic},   // E0.6   [1] (☺�)       smiling face
+	{0x263B, 0x263F, prExtendedPictographic},   // E0.0   [5] (☻..☿)    BLACK SMILING FACE..MERCURY
+	{0x2640, 0x2640, prExtendedPictographic},   // E4.0   [1] (♀�)       female sign
+	{0x2641, 0x2641, prExtendedPictographic},   // E0.0   [1] (�)       EARTH
+	{0x2642, 0x2642, prExtendedPictographic},   // E4.0   [1] (♂�)       male sign
+	{0x2643, 0x2647, prExtendedPictographic},   // E0.0   [5] (♃..♇)    JUPITER..PLUTO
+	{0x2648, 0x2653, prExtendedPictographic},   // E0.6  [12] (♈..♓)    Aries..Pisces
+	{0x2654, 0x265E, prExtendedPictographic},   // E0.0  [11] (♔..♞)    WHITE CHESS KING..BLACK CHESS KNIGHT
+	{0x265F, 0x265F, prExtendedPictographic},   // E11.0  [1] (♟�)       chess pawn
+	{0x2660, 0x2660, prExtendedPictographic},   // E0.6   [1] (♠�)       spade suit
+	{0x2661, 0x2662, prExtendedPictographic},   // E0.0   [2] (♡..♢)    WHITE HEART SUIT..WHITE DIAMOND SUIT
+	{0x2663, 0x2663, prExtendedPictographic},   // E0.6   [1] (♣�)       club suit
+	{0x2664, 0x2664, prExtendedPictographic},   // E0.0   [1] (♤)       WHITE SPADE SUIT
+	{0x2665, 0x2666, prExtendedPictographic},   // E0.6   [2] (♥�..♦�)    heart suit..diamond suit
+	{0x2667, 0x2667, prExtendedPictographic},   // E0.0   [1] (♧)       WHITE CLUB SUIT
+	{0x2668, 0x2668, prExtendedPictographic},   // E0.6   [1] (♨�)       hot springs
+	{0x2669, 0x267A, prExtendedPictographic},   // E0.0  [18] (♩..♺)    QUARTER NOTE..RECYCLING SYMBOL FOR GENERIC MATERIALS
+	{0x267B, 0x267B, prExtendedPictographic},   // E0.6   [1] (♻�)       recycling symbol
+	{0x267C, 0x267D, prExtendedPictographic},   // E0.0   [2] (♼..♽)    RECYCLED PAPER SYMBOL..PARTIALLY-RECYCLED PAPER SYMBOL
+	{0x267E, 0x267E, prExtendedPictographic},   // E11.0  [1] (♾�)       infinity
+	{0x267F, 0x267F, prExtendedPictographic},   // E0.6   [1] (♿)       wheelchair symbol
+	{0x2680, 0x2685, prExtendedPictographic},   // E0.0   [6] (⚀..⚅)    DIE FACE-1..DIE FACE-6
+	{0x2690, 0x2691, prExtendedPictographic},   // E0.0   [2] (�..⚑)    WHITE FLAG..BLACK FLAG
+	{0x2692, 0x2692, prExtendedPictographic},   // E1.0   [1] (⚒�)       hammer and pick
+	{0x2693, 0x2693, prExtendedPictographic},   // E0.6   [1] (âš“)       anchor
+	{0x2694, 0x2694, prExtendedPictographic},   // E1.0   [1] (⚔�)       crossed swords
+	{0x2695, 0x2695, prExtendedPictographic},   // E4.0   [1] (⚕�)       medical symbol
+	{0x2696, 0x2697, prExtendedPictographic},   // E1.0   [2] (⚖�..⚗�)    balance scale..alembic
+	{0x2698, 0x2698, prExtendedPictographic},   // E0.0   [1] (⚘)       FLOWER
+	{0x2699, 0x2699, prExtendedPictographic},   // E1.0   [1] (⚙�)       gear
+	{0x269A, 0x269A, prExtendedPictographic},   // E0.0   [1] (âšš)       STAFF OF HERMES
+	{0x269B, 0x269C, prExtendedPictographic},   // E1.0   [2] (⚛�..⚜�)    atom symbol..fleur-de-lis
+	{0x269D, 0x269F, prExtendedPictographic},   // E0.0   [3] (�..⚟)    OUTLINED WHITE STAR..THREE LINES CONVERGING LEFT
+	{0x26A0, 0x26A1, prExtendedPictographic},   // E0.6   [2] (⚠�..⚡)    warning..high voltage
+	{0x26A2, 0x26A6, prExtendedPictographic},   // E0.0   [5] (⚢..⚦)    DOUBLED FEMALE SIGN..MALE WITH STROKE SIGN
+	{0x26A7, 0x26A7, prExtendedPictographic},   // E13.0  [1] (⚧�)       transgender symbol
+	{0x26A8, 0x26A9, prExtendedPictographic},   // E0.0   [2] (⚨..⚩)    VERTICAL MALE WITH STROKE SIGN..HORIZONTAL MALE WITH STROKE SIGN
+	{0x26AA, 0x26AB, prExtendedPictographic},   // E0.6   [2] (⚪..⚫)    white circle..black circle
+	{0x26AC, 0x26AF, prExtendedPictographic},   // E0.0   [4] (⚬..⚯)    MEDIUM SMALL WHITE CIRCLE..UNMARRIED PARTNERSHIP SYMBOL
+	{0x26B0, 0x26B1, prExtendedPictographic},   // E1.0   [2] (⚰�..⚱�)    coffin..funeral urn
+	{0x26B2, 0x26BC, prExtendedPictographic},   // E0.0  [11] (âš²..âš¼)    NEUTER..SESQUIQUADRATE
+	{0x26BD, 0x26BE, prExtendedPictographic},   // E0.6   [2] (âš½..âš¾)    soccer ball..baseball
+	{0x26BF, 0x26C3, prExtendedPictographic},   // E0.0   [5] (⚿..⛃)    SQUARED KEY..BLACK DRAUGHTS KING
+	{0x26C4, 0x26C5, prExtendedPictographic},   // E0.6   [2] (⛄..⛅)    snowman without snow..sun behind cloud
+	{0x26C6, 0x26C7, prExtendedPictographic},   // E0.0   [2] (⛆..⛇)    RAIN..BLACK SNOWMAN
+	{0x26C8, 0x26C8, prExtendedPictographic},   // E0.7   [1] (⛈�)       cloud with lightning and rain
+	{0x26C9, 0x26CD, prExtendedPictographic},   // E0.0   [5] (⛉..�)    TURNED WHITE SHOGI PIECE..DISABLED CAR
+	{0x26CE, 0x26CE, prExtendedPictographic},   // E0.6   [1] (⛎)       Ophiuchus
+	{0x26CF, 0x26CF, prExtendedPictographic},   // E0.7   [1] (��)       pick
+	{0x26D0, 0x26D0, prExtendedPictographic},   // E0.0   [1] (�)       CAR SLIDING
+	{0x26D1, 0x26D1, prExtendedPictographic},   // E0.7   [1] (⛑�)       rescue worker’s helmet
+	{0x26D2, 0x26D2, prExtendedPictographic},   // E0.0   [1] (â›’)       CIRCLED CROSSING LANES
+	{0x26D3, 0x26D3, prExtendedPictographic},   // E0.7   [1] (⛓�)       chains
+	{0x26D4, 0x26D4, prExtendedPictographic},   // E0.6   [1] (â›”)       no entry
+	{0x26D5, 0x26E8, prExtendedPictographic},   // E0.0  [20] (⛕..⛨)    ALTERNATE ONE-WAY LEFT WAY TRAFFIC..BLACK CROSS ON SHIELD
+	{0x26E9, 0x26E9, prExtendedPictographic},   // E0.7   [1] (⛩�)       shinto shrine
+	{0x26EA, 0x26EA, prExtendedPictographic},   // E0.6   [1] (⛪)       church
+	{0x26EB, 0x26EF, prExtendedPictographic},   // E0.0   [5] (⛫..⛯)    CASTLE..MAP SYMBOL FOR LIGHTHOUSE
+	{0x26F0, 0x26F1, prExtendedPictographic},   // E0.7   [2] (⛰�..⛱�)    mountain..umbrella on ground
+	{0x26F2, 0x26F3, prExtendedPictographic},   // E0.6   [2] (⛲..⛳)    fountain..flag in hole
+	{0x26F4, 0x26F4, prExtendedPictographic},   // E0.7   [1] (⛴�)       ferry
+	{0x26F5, 0x26F5, prExtendedPictographic},   // E0.6   [1] (⛵)       sailboat
+	{0x26F6, 0x26F6, prExtendedPictographic},   // E0.0   [1] (⛶)       SQUARE FOUR CORNERS
+	{0x26F7, 0x26F9, prExtendedPictographic},   // E0.7   [3] (⛷�..⛹�)    skier..person bouncing ball
+	{0x26FA, 0x26FA, prExtendedPictographic},   // E0.6   [1] (⛺)       tent
+	{0x26FB, 0x26FC, prExtendedPictographic},   // E0.0   [2] (⛻..⛼)    JAPANESE BANK SYMBOL..HEADSTONE GRAVEYARD SYMBOL
+	{0x26FD, 0x26FD, prExtendedPictographic},   // E0.6   [1] (⛽)       fuel pump
+	{0x26FE, 0x2701, prExtendedPictographic},   // E0.0   [4] (⛾..�)    CUP ON BLACK SQUARE..UPPER BLADE SCISSORS
+	{0x2702, 0x2702, prExtendedPictographic},   // E0.6   [1] (✂�)       scissors
+	{0x2703, 0x2704, prExtendedPictographic},   // E0.0   [2] (✃..✄)    LOWER BLADE SCISSORS..WHITE SCISSORS
+	{0x2705, 0x2705, prExtendedPictographic},   // E0.6   [1] (✅)       check mark button
+	{0x2708, 0x270C, prExtendedPictographic},   // E0.6   [5] (✈�..✌�)    airplane..victory hand
+	{0x270D, 0x270D, prExtendedPictographic},   // E0.7   [1] (��)       writing hand
+	{0x270E, 0x270E, prExtendedPictographic},   // E0.0   [1] (✎)       LOWER RIGHT PENCIL
+	{0x270F, 0x270F, prExtendedPictographic},   // E0.6   [1] (��)       pencil
+	{0x2710, 0x2711, prExtendedPictographic},   // E0.0   [2] (�..✑)    UPPER RIGHT PENCIL..WHITE NIB
+	{0x2712, 0x2712, prExtendedPictographic},   // E0.6   [1] (✒�)       black nib
+	{0x2714, 0x2714, prExtendedPictographic},   // E0.6   [1] (✔�)       check mark
+	{0x2716, 0x2716, prExtendedPictographic},   // E0.6   [1] (✖�)       multiply
+	{0x271D, 0x271D, prExtendedPictographic},   // E0.7   [1] (��)       latin cross
+	{0x2721, 0x2721, prExtendedPictographic},   // E0.7   [1] (✡�)       star of David
+	{0x2728, 0x2728, prExtendedPictographic},   // E0.6   [1] (✨)       sparkles
+	{0x2733, 0x2734, prExtendedPictographic},   // E0.6   [2] (✳�..✴�)    eight-spoked asterisk..eight-pointed star
+	{0x2744, 0x2744, prExtendedPictographic},   // E0.6   [1] (��)       snowflake
+	{0x2747, 0x2747, prExtendedPictographic},   // E0.6   [1] (��)       sparkle
+	{0x274C, 0x274C, prExtendedPictographic},   // E0.6   [1] (�)       cross mark
+	{0x274E, 0x274E, prExtendedPictographic},   // E0.6   [1] (�)       cross mark button
+	{0x2753, 0x2755, prExtendedPictographic},   // E0.6   [3] (�..�)    red question mark..white exclamation mark
+	{0x2757, 0x2757, prExtendedPictographic},   // E0.6   [1] (�)       red exclamation mark
+	{0x2763, 0x2763, prExtendedPictographic},   // E1.0   [1] (��)       heart exclamation
+	{0x2764, 0x2764, prExtendedPictographic},   // E0.6   [1] (��)       red heart
+	{0x2765, 0x2767, prExtendedPictographic},   // E0.0   [3] (�..�)    ROTATED HEAVY BLACK HEART BULLET..ROTATED FLORAL HEART BULLET
+	{0x2795, 0x2797, prExtendedPictographic},   // E0.6   [3] (âž•..âž—)    plus..divide
+	{0x27A1, 0x27A1, prExtendedPictographic},   // E0.6   [1] (➡�)       right arrow
+	{0x27B0, 0x27B0, prExtendedPictographic},   // E0.6   [1] (âž°)       curly loop
+	{0x27BF, 0x27BF, prExtendedPictographic},   // E1.0   [1] (âž¿)       double curly loop
+	{0x2934, 0x2935, prExtendedPictographic},   // E0.6   [2] (⤴�..⤵�)    right arrow curving up..right arrow curving down
+	{0x2B05, 0x2B07, prExtendedPictographic},   // E0.6   [3] (⬅�..⬇�)    left arrow..down arrow
+	{0x2B1B, 0x2B1C, prExtendedPictographic},   // E0.6   [2] (⬛..⬜)    black large square..white large square
+	{0x2B50, 0x2B50, prExtendedPictographic},   // E0.6   [1] (â­�)       star
+	{0x2B55, 0x2B55, prExtendedPictographic},   // E0.6   [1] (â­•)       hollow red circle
+	{0x2C00, 0x2C7B, prALetter},                // L& [124] GLAGOLITIC CAPITAL LETTER AZU..LATIN LETTER SMALL CAPITAL TURNED E
+	{0x2C7C, 0x2C7D, prALetter},                // Lm   [2] LATIN SUBSCRIPT SMALL LETTER J..MODIFIER LETTER CAPITAL V
+	{0x2C7E, 0x2CE4, prALetter},                // L& [103] LATIN CAPITAL LETTER S WITH SWASH TAIL..COPTIC SYMBOL KAI
+	{0x2CEB, 0x2CEE, prALetter},                // L&   [4] COPTIC CAPITAL LETTER CRYPTOGRAMMIC SHEI..COPTIC SMALL LETTER CRYPTOGRAMMIC GANGIA
+	{0x2CEF, 0x2CF1, prExtend},                 // Mn   [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS
+	{0x2CF2, 0x2CF3, prALetter},                // L&   [2] COPTIC CAPITAL LETTER BOHAIRIC KHEI..COPTIC SMALL LETTER BOHAIRIC KHEI
+	{0x2D00, 0x2D25, prALetter},                // L&  [38] GEORGIAN SMALL LETTER AN..GEORGIAN SMALL LETTER HOE
+	{0x2D27, 0x2D27, prALetter},                // L&       GEORGIAN SMALL LETTER YN
+	{0x2D2D, 0x2D2D, prALetter},                // L&       GEORGIAN SMALL LETTER AEN
+	{0x2D30, 0x2D67, prALetter},                // Lo  [56] TIFINAGH LETTER YA..TIFINAGH LETTER YO
+	{0x2D6F, 0x2D6F, prALetter},                // Lm       TIFINAGH MODIFIER LETTER LABIALIZATION MARK
+	{0x2D7F, 0x2D7F, prExtend},                 // Mn       TIFINAGH CONSONANT JOINER
+	{0x2D80, 0x2D96, prALetter},                // Lo  [23] ETHIOPIC SYLLABLE LOA..ETHIOPIC SYLLABLE GGWE
+	{0x2DA0, 0x2DA6, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE SSA..ETHIOPIC SYLLABLE SSO
+	{0x2DA8, 0x2DAE, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE CCA..ETHIOPIC SYLLABLE CCO
+	{0x2DB0, 0x2DB6, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE ZZA..ETHIOPIC SYLLABLE ZZO
+	{0x2DB8, 0x2DBE, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE CCHA..ETHIOPIC SYLLABLE CCHO
+	{0x2DC0, 0x2DC6, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE QYA..ETHIOPIC SYLLABLE QYO
+	{0x2DC8, 0x2DCE, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE KYA..ETHIOPIC SYLLABLE KYO
+	{0x2DD0, 0x2DD6, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE XYA..ETHIOPIC SYLLABLE XYO
+	{0x2DD8, 0x2DDE, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE GYA..ETHIOPIC SYLLABLE GYO
+	{0x2DE0, 0x2DFF, prExtend},                 // Mn  [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+	{0x2E2F, 0x2E2F, prALetter},                // Lm       VERTICAL TILDE
+	{0x3000, 0x3000, prWSegSpace},              // Zs       IDEOGRAPHIC SPACE
+	{0x3005, 0x3005, prALetter},                // Lm       IDEOGRAPHIC ITERATION MARK
+	{0x302A, 0x302D, prExtend},                 // Mn   [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK
+	{0x302E, 0x302F, prExtend},                 // Mc   [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK
+	{0x3030, 0x3030, prExtendedPictographic},   // E0.6   [1] (〰�)       wavy dash
+	{0x3031, 0x3035, prKatakana},               // Lm   [5] VERTICAL KANA REPEAT MARK..VERTICAL KANA REPEAT MARK LOWER HALF
+	{0x303B, 0x303B, prALetter},                // Lm       VERTICAL IDEOGRAPHIC ITERATION MARK
+	{0x303C, 0x303C, prALetter},                // Lo       MASU MARK
+	{0x303D, 0x303D, prExtendedPictographic},   // E0.6   [1] (〽�)       part alternation mark
+	{0x3099, 0x309A, prExtend},                 // Mn   [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK
+	{0x309B, 0x309C, prKatakana},               // Sk   [2] KATAKANA-HIRAGANA VOICED SOUND MARK..KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK
+	{0x30A0, 0x30A0, prKatakana},               // Pd       KATAKANA-HIRAGANA DOUBLE HYPHEN
+	{0x30A1, 0x30FA, prKatakana},               // Lo  [90] KATAKANA LETTER SMALL A..KATAKANA LETTER VO
+	{0x30FC, 0x30FE, prKatakana},               // Lm   [3] KATAKANA-HIRAGANA PROLONGED SOUND MARK..KATAKANA VOICED ITERATION MARK
+	{0x30FF, 0x30FF, prKatakana},               // Lo       KATAKANA DIGRAPH KOTO
+	{0x3105, 0x312F, prALetter},                // Lo  [43] BOPOMOFO LETTER B..BOPOMOFO LETTER NN
+	{0x3131, 0x318E, prALetter},                // Lo  [94] HANGUL LETTER KIYEOK..HANGUL LETTER ARAEAE
+	{0x31A0, 0x31BF, prALetter},                // Lo  [32] BOPOMOFO LETTER BU..BOPOMOFO LETTER AH
+	{0x31F0, 0x31FF, prKatakana},               // Lo  [16] KATAKANA LETTER SMALL KU..KATAKANA LETTER SMALL RO
+	{0x3297, 0x3297, prExtendedPictographic},   // E0.6   [1] (㊗�)       Japanese “congratulations� button
+	{0x3299, 0x3299, prExtendedPictographic},   // E0.6   [1] (㊙�)       Japanese “secret� button
+	{0x32D0, 0x32FE, prKatakana},               // So  [47] CIRCLED KATAKANA A..CIRCLED KATAKANA WO
+	{0x3300, 0x3357, prKatakana},               // So  [88] SQUARE APAATO..SQUARE WATTO
+	{0xA000, 0xA014, prALetter},                // Lo  [21] YI SYLLABLE IT..YI SYLLABLE E
+	{0xA015, 0xA015, prALetter},                // Lm       YI SYLLABLE WU
+	{0xA016, 0xA48C, prALetter},                // Lo [1143] YI SYLLABLE BIT..YI SYLLABLE YYR
+	{0xA4D0, 0xA4F7, prALetter},                // Lo  [40] LISU LETTER BA..LISU LETTER OE
+	{0xA4F8, 0xA4FD, prALetter},                // Lm   [6] LISU LETTER TONE MYA TI..LISU LETTER TONE MYA JEU
+	{0xA500, 0xA60B, prALetter},                // Lo [268] VAI SYLLABLE EE..VAI SYLLABLE NG
+	{0xA60C, 0xA60C, prALetter},                // Lm       VAI SYLLABLE LENGTHENER
+	{0xA610, 0xA61F, prALetter},                // Lo  [16] VAI SYLLABLE NDOLE FA..VAI SYMBOL JONG
+	{0xA620, 0xA629, prNumeric},                // Nd  [10] VAI DIGIT ZERO..VAI DIGIT NINE
+	{0xA62A, 0xA62B, prALetter},                // Lo   [2] VAI SYLLABLE NDOLE MA..VAI SYLLABLE NDOLE DO
+	{0xA640, 0xA66D, prALetter},                // L&  [46] CYRILLIC CAPITAL LETTER ZEMLYA..CYRILLIC SMALL LETTER DOUBLE MONOCULAR O
+	{0xA66E, 0xA66E, prALetter},                // Lo       CYRILLIC LETTER MULTIOCULAR O
+	{0xA66F, 0xA66F, prExtend},                 // Mn       COMBINING CYRILLIC VZMET
+	{0xA670, 0xA672, prExtend},                 // Me   [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN
+	{0xA674, 0xA67D, prExtend},                 // Mn  [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK
+	{0xA67F, 0xA67F, prALetter},                // Lm       CYRILLIC PAYEROK
+	{0xA680, 0xA69B, prALetter},                // L&  [28] CYRILLIC CAPITAL LETTER DWE..CYRILLIC SMALL LETTER CROSSED O
+	{0xA69C, 0xA69D, prALetter},                // Lm   [2] MODIFIER LETTER CYRILLIC HARD SIGN..MODIFIER LETTER CYRILLIC SOFT SIGN
+	{0xA69E, 0xA69F, prExtend},                 // Mn   [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E
+	{0xA6A0, 0xA6E5, prALetter},                // Lo  [70] BAMUM LETTER A..BAMUM LETTER KI
+	{0xA6E6, 0xA6EF, prALetter},                // Nl  [10] BAMUM LETTER MO..BAMUM LETTER KOGHOM
+	{0xA6F0, 0xA6F1, prExtend},                 // Mn   [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS
+	{0xA708, 0xA716, prALetter},                // Sk  [15] MODIFIER LETTER EXTRA-HIGH DOTTED TONE BAR..MODIFIER LETTER EXTRA-LOW LEFT-STEM TONE BAR
+	{0xA717, 0xA71F, prALetter},                // Lm   [9] MODIFIER LETTER DOT VERTICAL BAR..MODIFIER LETTER LOW INVERTED EXCLAMATION MARK
+	{0xA720, 0xA721, prALetter},                // Sk   [2] MODIFIER LETTER STRESS AND HIGH TONE..MODIFIER LETTER STRESS AND LOW TONE
+	{0xA722, 0xA76F, prALetter},                // L&  [78] LATIN CAPITAL LETTER EGYPTOLOGICAL ALEF..LATIN SMALL LETTER CON
+	{0xA770, 0xA770, prALetter},                // Lm       MODIFIER LETTER US
+	{0xA771, 0xA787, prALetter},                // L&  [23] LATIN SMALL LETTER DUM..LATIN SMALL LETTER INSULAR T
+	{0xA788, 0xA788, prALetter},                // Lm       MODIFIER LETTER LOW CIRCUMFLEX ACCENT
+	{0xA789, 0xA78A, prALetter},                // Sk   [2] MODIFIER LETTER COLON..MODIFIER LETTER SHORT EQUALS SIGN
+	{0xA78B, 0xA78E, prALetter},                // L&   [4] LATIN CAPITAL LETTER SALTILLO..LATIN SMALL LETTER L WITH RETROFLEX HOOK AND BELT
+	{0xA78F, 0xA78F, prALetter},                // Lo       LATIN LETTER SINOLOGICAL DOT
+	{0xA790, 0xA7CA, prALetter},                // L&  [59] LATIN CAPITAL LETTER N WITH DESCENDER..LATIN SMALL LETTER S WITH SHORT STROKE OVERLAY
+	{0xA7D0, 0xA7D1, prALetter},                // L&   [2] LATIN CAPITAL LETTER CLOSED INSULAR G..LATIN SMALL LETTER CLOSED INSULAR G
+	{0xA7D3, 0xA7D3, prALetter},                // L&       LATIN SMALL LETTER DOUBLE THORN
+	{0xA7D5, 0xA7D9, prALetter},                // L&   [5] LATIN SMALL LETTER DOUBLE WYNN..LATIN SMALL LETTER SIGMOID S
+	{0xA7F2, 0xA7F4, prALetter},                // Lm   [3] MODIFIER LETTER CAPITAL C..MODIFIER LETTER CAPITAL Q
+	{0xA7F5, 0xA7F6, prALetter},                // L&   [2] LATIN CAPITAL LETTER REVERSED HALF H..LATIN SMALL LETTER REVERSED HALF H
+	{0xA7F7, 0xA7F7, prALetter},                // Lo       LATIN EPIGRAPHIC LETTER SIDEWAYS I
+	{0xA7F8, 0xA7F9, prALetter},                // Lm   [2] MODIFIER LETTER CAPITAL H WITH STROKE..MODIFIER LETTER SMALL LIGATURE OE
+	{0xA7FA, 0xA7FA, prALetter},                // L&       LATIN LETTER SMALL CAPITAL TURNED M
+	{0xA7FB, 0xA801, prALetter},                // Lo   [7] LATIN EPIGRAPHIC LETTER REVERSED F..SYLOTI NAGRI LETTER I
+	{0xA802, 0xA802, prExtend},                 // Mn       SYLOTI NAGRI SIGN DVISVARA
+	{0xA803, 0xA805, prALetter},                // Lo   [3] SYLOTI NAGRI LETTER U..SYLOTI NAGRI LETTER O
+	{0xA806, 0xA806, prExtend},                 // Mn       SYLOTI NAGRI SIGN HASANTA
+	{0xA807, 0xA80A, prALetter},                // Lo   [4] SYLOTI NAGRI LETTER KO..SYLOTI NAGRI LETTER GHO
+	{0xA80B, 0xA80B, prExtend},                 // Mn       SYLOTI NAGRI SIGN ANUSVARA
+	{0xA80C, 0xA822, prALetter},                // Lo  [23] SYLOTI NAGRI LETTER CO..SYLOTI NAGRI LETTER HO
+	{0xA823, 0xA824, prExtend},                 // Mc   [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I
+	{0xA825, 0xA826, prExtend},                 // Mn   [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E
+	{0xA827, 0xA827, prExtend},                 // Mc       SYLOTI NAGRI VOWEL SIGN OO
+	{0xA82C, 0xA82C, prExtend},                 // Mn       SYLOTI NAGRI SIGN ALTERNATE HASANTA
+	{0xA840, 0xA873, prALetter},                // Lo  [52] PHAGS-PA LETTER KA..PHAGS-PA LETTER CANDRABINDU
+	{0xA880, 0xA881, prExtend},                 // Mc   [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA
+	{0xA882, 0xA8B3, prALetter},                // Lo  [50] SAURASHTRA LETTER A..SAURASHTRA LETTER LLA
+	{0xA8B4, 0xA8C3, prExtend},                 // Mc  [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU
+	{0xA8C4, 0xA8C5, prExtend},                 // Mn   [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU
+	{0xA8D0, 0xA8D9, prNumeric},                // Nd  [10] SAURASHTRA DIGIT ZERO..SAURASHTRA DIGIT NINE
+	{0xA8E0, 0xA8F1, prExtend},                 // Mn  [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA
+	{0xA8F2, 0xA8F7, prALetter},                // Lo   [6] DEVANAGARI SIGN SPACING CANDRABINDU..DEVANAGARI SIGN CANDRABINDU AVAGRAHA
+	{0xA8FB, 0xA8FB, prALetter},                // Lo       DEVANAGARI HEADSTROKE
+	{0xA8FD, 0xA8FE, prALetter},                // Lo   [2] DEVANAGARI JAIN OM..DEVANAGARI LETTER AY
+	{0xA8FF, 0xA8FF, prExtend},                 // Mn       DEVANAGARI VOWEL SIGN AY
+	{0xA900, 0xA909, prNumeric},                // Nd  [10] KAYAH LI DIGIT ZERO..KAYAH LI DIGIT NINE
+	{0xA90A, 0xA925, prALetter},                // Lo  [28] KAYAH LI LETTER KA..KAYAH LI LETTER OO
+	{0xA926, 0xA92D, prExtend},                 // Mn   [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU
+	{0xA930, 0xA946, prALetter},                // Lo  [23] REJANG LETTER KA..REJANG LETTER A
+	{0xA947, 0xA951, prExtend},                 // Mn  [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R
+	{0xA952, 0xA953, prExtend},                 // Mc   [2] REJANG CONSONANT SIGN H..REJANG VIRAMA
+	{0xA960, 0xA97C, prALetter},                // Lo  [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH
+	{0xA980, 0xA982, prExtend},                 // Mn   [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR
+	{0xA983, 0xA983, prExtend},                 // Mc       JAVANESE SIGN WIGNYAN
+	{0xA984, 0xA9B2, prALetter},                // Lo  [47] JAVANESE LETTER A..JAVANESE LETTER HA
+	{0xA9B3, 0xA9B3, prExtend},                 // Mn       JAVANESE SIGN CECAK TELU
+	{0xA9B4, 0xA9B5, prExtend},                 // Mc   [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG
+	{0xA9B6, 0xA9B9, prExtend},                 // Mn   [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT
+	{0xA9BA, 0xA9BB, prExtend},                 // Mc   [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE
+	{0xA9BC, 0xA9BD, prExtend},                 // Mn   [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET
+	{0xA9BE, 0xA9C0, prExtend},                 // Mc   [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON
+	{0xA9CF, 0xA9CF, prALetter},                // Lm       JAVANESE PANGRANGKEP
+	{0xA9D0, 0xA9D9, prNumeric},                // Nd  [10] JAVANESE DIGIT ZERO..JAVANESE DIGIT NINE
+	{0xA9E5, 0xA9E5, prExtend},                 // Mn       MYANMAR SIGN SHAN SAW
+	{0xA9F0, 0xA9F9, prNumeric},                // Nd  [10] MYANMAR TAI LAING DIGIT ZERO..MYANMAR TAI LAING DIGIT NINE
+	{0xAA00, 0xAA28, prALetter},                // Lo  [41] CHAM LETTER A..CHAM LETTER HA
+	{0xAA29, 0xAA2E, prExtend},                 // Mn   [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE
+	{0xAA2F, 0xAA30, prExtend},                 // Mc   [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI
+	{0xAA31, 0xAA32, prExtend},                 // Mn   [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE
+	{0xAA33, 0xAA34, prExtend},                 // Mc   [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA
+	{0xAA35, 0xAA36, prExtend},                 // Mn   [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA
+	{0xAA40, 0xAA42, prALetter},                // Lo   [3] CHAM LETTER FINAL K..CHAM LETTER FINAL NG
+	{0xAA43, 0xAA43, prExtend},                 // Mn       CHAM CONSONANT SIGN FINAL NG
+	{0xAA44, 0xAA4B, prALetter},                // Lo   [8] CHAM LETTER FINAL CH..CHAM LETTER FINAL SS
+	{0xAA4C, 0xAA4C, prExtend},                 // Mn       CHAM CONSONANT SIGN FINAL M
+	{0xAA4D, 0xAA4D, prExtend},                 // Mc       CHAM CONSONANT SIGN FINAL H
+	{0xAA50, 0xAA59, prNumeric},                // Nd  [10] CHAM DIGIT ZERO..CHAM DIGIT NINE
+	{0xAA7B, 0xAA7B, prExtend},                 // Mc       MYANMAR SIGN PAO KAREN TONE
+	{0xAA7C, 0xAA7C, prExtend},                 // Mn       MYANMAR SIGN TAI LAING TONE-2
+	{0xAA7D, 0xAA7D, prExtend},                 // Mc       MYANMAR SIGN TAI LAING TONE-5
+	{0xAAB0, 0xAAB0, prExtend},                 // Mn       TAI VIET MAI KANG
+	{0xAAB2, 0xAAB4, prExtend},                 // Mn   [3] TAI VIET VOWEL I..TAI VIET VOWEL U
+	{0xAAB7, 0xAAB8, prExtend},                 // Mn   [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA
+	{0xAABE, 0xAABF, prExtend},                 // Mn   [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK
+	{0xAAC1, 0xAAC1, prExtend},                 // Mn       TAI VIET TONE MAI THO
+	{0xAAE0, 0xAAEA, prALetter},                // Lo  [11] MEETEI MAYEK LETTER E..MEETEI MAYEK LETTER SSA
+	{0xAAEB, 0xAAEB, prExtend},                 // Mc       MEETEI MAYEK VOWEL SIGN II
+	{0xAAEC, 0xAAED, prExtend},                 // Mn   [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI
+	{0xAAEE, 0xAAEF, prExtend},                 // Mc   [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU
+	{0xAAF2, 0xAAF2, prALetter},                // Lo       MEETEI MAYEK ANJI
+	{0xAAF3, 0xAAF4, prALetter},                // Lm   [2] MEETEI MAYEK SYLLABLE REPETITION MARK..MEETEI MAYEK WORD REPETITION MARK
+	{0xAAF5, 0xAAF5, prExtend},                 // Mc       MEETEI MAYEK VOWEL SIGN VISARGA
+	{0xAAF6, 0xAAF6, prExtend},                 // Mn       MEETEI MAYEK VIRAMA
+	{0xAB01, 0xAB06, prALetter},                // Lo   [6] ETHIOPIC SYLLABLE TTHU..ETHIOPIC SYLLABLE TTHO
+	{0xAB09, 0xAB0E, prALetter},                // Lo   [6] ETHIOPIC SYLLABLE DDHU..ETHIOPIC SYLLABLE DDHO
+	{0xAB11, 0xAB16, prALetter},                // Lo   [6] ETHIOPIC SYLLABLE DZU..ETHIOPIC SYLLABLE DZO
+	{0xAB20, 0xAB26, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE CCHHA..ETHIOPIC SYLLABLE CCHHO
+	{0xAB28, 0xAB2E, prALetter},                // Lo   [7] ETHIOPIC SYLLABLE BBA..ETHIOPIC SYLLABLE BBO
+	{0xAB30, 0xAB5A, prALetter},                // L&  [43] LATIN SMALL LETTER BARRED ALPHA..LATIN SMALL LETTER Y WITH SHORT RIGHT LEG
+	{0xAB5B, 0xAB5B, prALetter},                // Sk       MODIFIER BREVE WITH INVERTED BREVE
+	{0xAB5C, 0xAB5F, prALetter},                // Lm   [4] MODIFIER LETTER SMALL HENG..MODIFIER LETTER SMALL U WITH LEFT HOOK
+	{0xAB60, 0xAB68, prALetter},                // L&   [9] LATIN SMALL LETTER SAKHA YAT..LATIN SMALL LETTER TURNED R WITH MIDDLE TILDE
+	{0xAB69, 0xAB69, prALetter},                // Lm       MODIFIER LETTER SMALL TURNED W
+	{0xAB70, 0xABBF, prALetter},                // L&  [80] CHEROKEE SMALL LETTER A..CHEROKEE SMALL LETTER YA
+	{0xABC0, 0xABE2, prALetter},                // Lo  [35] MEETEI MAYEK LETTER KOK..MEETEI MAYEK LETTER I LONSUM
+	{0xABE3, 0xABE4, prExtend},                 // Mc   [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP
+	{0xABE5, 0xABE5, prExtend},                 // Mn       MEETEI MAYEK VOWEL SIGN ANAP
+	{0xABE6, 0xABE7, prExtend},                 // Mc   [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP
+	{0xABE8, 0xABE8, prExtend},                 // Mn       MEETEI MAYEK VOWEL SIGN UNAP
+	{0xABE9, 0xABEA, prExtend},                 // Mc   [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG
+	{0xABEC, 0xABEC, prExtend},                 // Mc       MEETEI MAYEK LUM IYEK
+	{0xABED, 0xABED, prExtend},                 // Mn       MEETEI MAYEK APUN IYEK
+	{0xABF0, 0xABF9, prNumeric},                // Nd  [10] MEETEI MAYEK DIGIT ZERO..MEETEI MAYEK DIGIT NINE
+	{0xAC00, 0xD7A3, prALetter},                // Lo [11172] HANGUL SYLLABLE GA..HANGUL SYLLABLE HIH
+	{0xD7B0, 0xD7C6, prALetter},                // Lo  [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E
+	{0xD7CB, 0xD7FB, prALetter},                // Lo  [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH
+	{0xFB00, 0xFB06, prALetter},                // L&   [7] LATIN SMALL LIGATURE FF..LATIN SMALL LIGATURE ST
+	{0xFB13, 0xFB17, prALetter},                // L&   [5] ARMENIAN SMALL LIGATURE MEN NOW..ARMENIAN SMALL LIGATURE MEN XEH
+	{0xFB1D, 0xFB1D, prHebrewLetter},           // Lo       HEBREW LETTER YOD WITH HIRIQ
+	{0xFB1E, 0xFB1E, prExtend},                 // Mn       HEBREW POINT JUDEO-SPANISH VARIKA
+	{0xFB1F, 0xFB28, prHebrewLetter},           // Lo  [10] HEBREW LIGATURE YIDDISH YOD YOD PATAH..HEBREW LETTER WIDE TAV
+	{0xFB2A, 0xFB36, prHebrewLetter},           // Lo  [13] HEBREW LETTER SHIN WITH SHIN DOT..HEBREW LETTER ZAYIN WITH DAGESH
+	{0xFB38, 0xFB3C, prHebrewLetter},           // Lo   [5] HEBREW LETTER TET WITH DAGESH..HEBREW LETTER LAMED WITH DAGESH
+	{0xFB3E, 0xFB3E, prHebrewLetter},           // Lo       HEBREW LETTER MEM WITH DAGESH
+	{0xFB40, 0xFB41, prHebrewLetter},           // Lo   [2] HEBREW LETTER NUN WITH DAGESH..HEBREW LETTER SAMEKH WITH DAGESH
+	{0xFB43, 0xFB44, prHebrewLetter},           // Lo   [2] HEBREW LETTER FINAL PE WITH DAGESH..HEBREW LETTER PE WITH DAGESH
+	{0xFB46, 0xFB4F, prHebrewLetter},           // Lo  [10] HEBREW LETTER TSADI WITH DAGESH..HEBREW LIGATURE ALEF LAMED
+	{0xFB50, 0xFBB1, prALetter},                // Lo  [98] ARABIC LETTER ALEF WASLA ISOLATED FORM..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE FINAL FORM
+	{0xFBD3, 0xFD3D, prALetter},                // Lo [363] ARABIC LETTER NG ISOLATED FORM..ARABIC LIGATURE ALEF WITH FATHATAN ISOLATED FORM
+	{0xFD50, 0xFD8F, prALetter},                // Lo  [64] ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM..ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM
+	{0xFD92, 0xFDC7, prALetter},                // Lo  [54] ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM..ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM
+	{0xFDF0, 0xFDFB, prALetter},                // Lo  [12] ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM..ARABIC LIGATURE JALLAJALALOUHOU
+	{0xFE00, 0xFE0F, prExtend},                 // Mn  [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16
+	{0xFE10, 0xFE10, prMidNum},                 // Po       PRESENTATION FORM FOR VERTICAL COMMA
+	{0xFE13, 0xFE13, prMidLetter},              // Po       PRESENTATION FORM FOR VERTICAL COLON
+	{0xFE14, 0xFE14, prMidNum},                 // Po       PRESENTATION FORM FOR VERTICAL SEMICOLON
+	{0xFE20, 0xFE2F, prExtend},                 // Mn  [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF
+	{0xFE33, 0xFE34, prExtendNumLet},           // Pc   [2] PRESENTATION FORM FOR VERTICAL LOW LINE..PRESENTATION FORM FOR VERTICAL WAVY LOW LINE
+	{0xFE4D, 0xFE4F, prExtendNumLet},           // Pc   [3] DASHED LOW LINE..WAVY LOW LINE
+	{0xFE50, 0xFE50, prMidNum},                 // Po       SMALL COMMA
+	{0xFE52, 0xFE52, prMidNumLet},              // Po       SMALL FULL STOP
+	{0xFE54, 0xFE54, prMidNum},                 // Po       SMALL SEMICOLON
+	{0xFE55, 0xFE55, prMidLetter},              // Po       SMALL COLON
+	{0xFE70, 0xFE74, prALetter},                // Lo   [5] ARABIC FATHATAN ISOLATED FORM..ARABIC KASRATAN ISOLATED FORM
+	{0xFE76, 0xFEFC, prALetter},                // Lo [135] ARABIC FATHA ISOLATED FORM..ARABIC LIGATURE LAM WITH ALEF FINAL FORM
+	{0xFEFF, 0xFEFF, prFormat},                 // Cf       ZERO WIDTH NO-BREAK SPACE
+	{0xFF07, 0xFF07, prMidNumLet},              // Po       FULLWIDTH APOSTROPHE
+	{0xFF0C, 0xFF0C, prMidNum},                 // Po       FULLWIDTH COMMA
+	{0xFF0E, 0xFF0E, prMidNumLet},              // Po       FULLWIDTH FULL STOP
+	{0xFF10, 0xFF19, prNumeric},                // Nd  [10] FULLWIDTH DIGIT ZERO..FULLWIDTH DIGIT NINE
+	{0xFF1A, 0xFF1A, prMidLetter},              // Po       FULLWIDTH COLON
+	{0xFF1B, 0xFF1B, prMidNum},                 // Po       FULLWIDTH SEMICOLON
+	{0xFF21, 0xFF3A, prALetter},                // L&  [26] FULLWIDTH LATIN CAPITAL LETTER A..FULLWIDTH LATIN CAPITAL LETTER Z
+	{0xFF3F, 0xFF3F, prExtendNumLet},           // Pc       FULLWIDTH LOW LINE
+	{0xFF41, 0xFF5A, prALetter},                // L&  [26] FULLWIDTH LATIN SMALL LETTER A..FULLWIDTH LATIN SMALL LETTER Z
+	{0xFF66, 0xFF6F, prKatakana},               // Lo  [10] HALFWIDTH KATAKANA LETTER WO..HALFWIDTH KATAKANA LETTER SMALL TU
+	{0xFF70, 0xFF70, prKatakana},               // Lm       HALFWIDTH KATAKANA-HIRAGANA PROLONGED SOUND MARK
+	{0xFF71, 0xFF9D, prKatakana},               // Lo  [45] HALFWIDTH KATAKANA LETTER A..HALFWIDTH KATAKANA LETTER N
+	{0xFF9E, 0xFF9F, prExtend},                 // Lm   [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK
+	{0xFFA0, 0xFFBE, prALetter},                // Lo  [31] HALFWIDTH HANGUL FILLER..HALFWIDTH HANGUL LETTER HIEUH
+	{0xFFC2, 0xFFC7, prALetter},                // Lo   [6] HALFWIDTH HANGUL LETTER A..HALFWIDTH HANGUL LETTER E
+	{0xFFCA, 0xFFCF, prALetter},                // Lo   [6] HALFWIDTH HANGUL LETTER YEO..HALFWIDTH HANGUL LETTER OE
+	{0xFFD2, 0xFFD7, prALetter},                // Lo   [6] HALFWIDTH HANGUL LETTER YO..HALFWIDTH HANGUL LETTER YU
+	{0xFFDA, 0xFFDC, prALetter},                // Lo   [3] HALFWIDTH HANGUL LETTER EU..HALFWIDTH HANGUL LETTER I
+	{0xFFF9, 0xFFFB, prFormat},                 // Cf   [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR
+	{0x10000, 0x1000B, prALetter},              // Lo  [12] LINEAR B SYLLABLE B008 A..LINEAR B SYLLABLE B046 JE
+	{0x1000D, 0x10026, prALetter},              // Lo  [26] LINEAR B SYLLABLE B036 JO..LINEAR B SYLLABLE B032 QO
+	{0x10028, 0x1003A, prALetter},              // Lo  [19] LINEAR B SYLLABLE B060 RA..LINEAR B SYLLABLE B042 WO
+	{0x1003C, 0x1003D, prALetter},              // Lo   [2] LINEAR B SYLLABLE B017 ZA..LINEAR B SYLLABLE B074 ZE
+	{0x1003F, 0x1004D, prALetter},              // Lo  [15] LINEAR B SYLLABLE B020 ZO..LINEAR B SYLLABLE B091 TWO
+	{0x10050, 0x1005D, prALetter},              // Lo  [14] LINEAR B SYMBOL B018..LINEAR B SYMBOL B089
+	{0x10080, 0x100FA, prALetter},              // Lo [123] LINEAR B IDEOGRAM B100 MAN..LINEAR B IDEOGRAM VESSEL B305
+	{0x10140, 0x10174, prALetter},              // Nl  [53] GREEK ACROPHONIC ATTIC ONE QUARTER..GREEK ACROPHONIC STRATIAN FIFTY MNAS
+	{0x101FD, 0x101FD, prExtend},               // Mn       PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE
+	{0x10280, 0x1029C, prALetter},              // Lo  [29] LYCIAN LETTER A..LYCIAN LETTER X
+	{0x102A0, 0x102D0, prALetter},              // Lo  [49] CARIAN LETTER A..CARIAN LETTER UUU3
+	{0x102E0, 0x102E0, prExtend},               // Mn       COPTIC EPACT THOUSANDS MARK
+	{0x10300, 0x1031F, prALetter},              // Lo  [32] OLD ITALIC LETTER A..OLD ITALIC LETTER ESS
+	{0x1032D, 0x10340, prALetter},              // Lo  [20] OLD ITALIC LETTER YE..GOTHIC LETTER PAIRTHRA
+	{0x10341, 0x10341, prALetter},              // Nl       GOTHIC LETTER NINETY
+	{0x10342, 0x10349, prALetter},              // Lo   [8] GOTHIC LETTER RAIDA..GOTHIC LETTER OTHAL
+	{0x1034A, 0x1034A, prALetter},              // Nl       GOTHIC LETTER NINE HUNDRED
+	{0x10350, 0x10375, prALetter},              // Lo  [38] OLD PERMIC LETTER AN..OLD PERMIC LETTER IA
+	{0x10376, 0x1037A, prExtend},               // Mn   [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII
+	{0x10380, 0x1039D, prALetter},              // Lo  [30] UGARITIC LETTER ALPA..UGARITIC LETTER SSU
+	{0x103A0, 0x103C3, prALetter},              // Lo  [36] OLD PERSIAN SIGN A..OLD PERSIAN SIGN HA
+	{0x103C8, 0x103CF, prALetter},              // Lo   [8] OLD PERSIAN SIGN AURAMAZDAA..OLD PERSIAN SIGN BUUMISH
+	{0x103D1, 0x103D5, prALetter},              // Nl   [5] OLD PERSIAN NUMBER ONE..OLD PERSIAN NUMBER HUNDRED
+	{0x10400, 0x1044F, prALetter},              // L&  [80] DESERET CAPITAL LETTER LONG I..DESERET SMALL LETTER EW
+	{0x10450, 0x1049D, prALetter},              // Lo  [78] SHAVIAN LETTER PEEP..OSMANYA LETTER OO
+	{0x104A0, 0x104A9, prNumeric},              // Nd  [10] OSMANYA DIGIT ZERO..OSMANYA DIGIT NINE
+	{0x104B0, 0x104D3, prALetter},              // L&  [36] OSAGE CAPITAL LETTER A..OSAGE CAPITAL LETTER ZHA
+	{0x104D8, 0x104FB, prALetter},              // L&  [36] OSAGE SMALL LETTER A..OSAGE SMALL LETTER ZHA
+	{0x10500, 0x10527, prALetter},              // Lo  [40] ELBASAN LETTER A..ELBASAN LETTER KHE
+	{0x10530, 0x10563, prALetter},              // Lo  [52] CAUCASIAN ALBANIAN LETTER ALT..CAUCASIAN ALBANIAN LETTER KIW
+	{0x10570, 0x1057A, prALetter},              // L&  [11] VITHKUQI CAPITAL LETTER A..VITHKUQI CAPITAL LETTER GA
+	{0x1057C, 0x1058A, prALetter},              // L&  [15] VITHKUQI CAPITAL LETTER HA..VITHKUQI CAPITAL LETTER RE
+	{0x1058C, 0x10592, prALetter},              // L&   [7] VITHKUQI CAPITAL LETTER SE..VITHKUQI CAPITAL LETTER XE
+	{0x10594, 0x10595, prALetter},              // L&   [2] VITHKUQI CAPITAL LETTER Y..VITHKUQI CAPITAL LETTER ZE
+	{0x10597, 0x105A1, prALetter},              // L&  [11] VITHKUQI SMALL LETTER A..VITHKUQI SMALL LETTER GA
+	{0x105A3, 0x105B1, prALetter},              // L&  [15] VITHKUQI SMALL LETTER HA..VITHKUQI SMALL LETTER RE
+	{0x105B3, 0x105B9, prALetter},              // L&   [7] VITHKUQI SMALL LETTER SE..VITHKUQI SMALL LETTER XE
+	{0x105BB, 0x105BC, prALetter},              // L&   [2] VITHKUQI SMALL LETTER Y..VITHKUQI SMALL LETTER ZE
+	{0x10600, 0x10736, prALetter},              // Lo [311] LINEAR A SIGN AB001..LINEAR A SIGN A664
+	{0x10740, 0x10755, prALetter},              // Lo  [22] LINEAR A SIGN A701 A..LINEAR A SIGN A732 JE
+	{0x10760, 0x10767, prALetter},              // Lo   [8] LINEAR A SIGN A800..LINEAR A SIGN A807
+	{0x10780, 0x10785, prALetter},              // Lm   [6] MODIFIER LETTER SMALL CAPITAL AA..MODIFIER LETTER SMALL B WITH HOOK
+	{0x10787, 0x107B0, prALetter},              // Lm  [42] MODIFIER LETTER SMALL DZ DIGRAPH..MODIFIER LETTER SMALL V WITH RIGHT HOOK
+	{0x107B2, 0x107BA, prALetter},              // Lm   [9] MODIFIER LETTER SMALL CAPITAL Y..MODIFIER LETTER SMALL S WITH CURL
+	{0x10800, 0x10805, prALetter},              // Lo   [6] CYPRIOT SYLLABLE A..CYPRIOT SYLLABLE JA
+	{0x10808, 0x10808, prALetter},              // Lo       CYPRIOT SYLLABLE JO
+	{0x1080A, 0x10835, prALetter},              // Lo  [44] CYPRIOT SYLLABLE KA..CYPRIOT SYLLABLE WO
+	{0x10837, 0x10838, prALetter},              // Lo   [2] CYPRIOT SYLLABLE XA..CYPRIOT SYLLABLE XE
+	{0x1083C, 0x1083C, prALetter},              // Lo       CYPRIOT SYLLABLE ZA
+	{0x1083F, 0x10855, prALetter},              // Lo  [23] CYPRIOT SYLLABLE ZO..IMPERIAL ARAMAIC LETTER TAW
+	{0x10860, 0x10876, prALetter},              // Lo  [23] PALMYRENE LETTER ALEPH..PALMYRENE LETTER TAW
+	{0x10880, 0x1089E, prALetter},              // Lo  [31] NABATAEAN LETTER FINAL ALEPH..NABATAEAN LETTER TAW
+	{0x108E0, 0x108F2, prALetter},              // Lo  [19] HATRAN LETTER ALEPH..HATRAN LETTER QOPH
+	{0x108F4, 0x108F5, prALetter},              // Lo   [2] HATRAN LETTER SHIN..HATRAN LETTER TAW
+	{0x10900, 0x10915, prALetter},              // Lo  [22] PHOENICIAN LETTER ALF..PHOENICIAN LETTER TAU
+	{0x10920, 0x10939, prALetter},              // Lo  [26] LYDIAN LETTER A..LYDIAN LETTER C
+	{0x10980, 0x109B7, prALetter},              // Lo  [56] MEROITIC HIEROGLYPHIC LETTER A..MEROITIC CURSIVE LETTER DA
+	{0x109BE, 0x109BF, prALetter},              // Lo   [2] MEROITIC CURSIVE LOGOGRAM RMT..MEROITIC CURSIVE LOGOGRAM IMN
+	{0x10A00, 0x10A00, prALetter},              // Lo       KHAROSHTHI LETTER A
+	{0x10A01, 0x10A03, prExtend},               // Mn   [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R
+	{0x10A05, 0x10A06, prExtend},               // Mn   [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O
+	{0x10A0C, 0x10A0F, prExtend},               // Mn   [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA
+	{0x10A10, 0x10A13, prALetter},              // Lo   [4] KHAROSHTHI LETTER KA..KHAROSHTHI LETTER GHA
+	{0x10A15, 0x10A17, prALetter},              // Lo   [3] KHAROSHTHI LETTER CA..KHAROSHTHI LETTER JA
+	{0x10A19, 0x10A35, prALetter},              // Lo  [29] KHAROSHTHI LETTER NYA..KHAROSHTHI LETTER VHA
+	{0x10A38, 0x10A3A, prExtend},               // Mn   [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW
+	{0x10A3F, 0x10A3F, prExtend},               // Mn       KHAROSHTHI VIRAMA
+	{0x10A60, 0x10A7C, prALetter},              // Lo  [29] OLD SOUTH ARABIAN LETTER HE..OLD SOUTH ARABIAN LETTER THETH
+	{0x10A80, 0x10A9C, prALetter},              // Lo  [29] OLD NORTH ARABIAN LETTER HEH..OLD NORTH ARABIAN LETTER ZAH
+	{0x10AC0, 0x10AC7, prALetter},              // Lo   [8] MANICHAEAN LETTER ALEPH..MANICHAEAN LETTER WAW
+	{0x10AC9, 0x10AE4, prALetter},              // Lo  [28] MANICHAEAN LETTER ZAYIN..MANICHAEAN LETTER TAW
+	{0x10AE5, 0x10AE6, prExtend},               // Mn   [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW
+	{0x10B00, 0x10B35, prALetter},              // Lo  [54] AVESTAN LETTER A..AVESTAN LETTER HE
+	{0x10B40, 0x10B55, prALetter},              // Lo  [22] INSCRIPTIONAL PARTHIAN LETTER ALEPH..INSCRIPTIONAL PARTHIAN LETTER TAW
+	{0x10B60, 0x10B72, prALetter},              // Lo  [19] INSCRIPTIONAL PAHLAVI LETTER ALEPH..INSCRIPTIONAL PAHLAVI LETTER TAW
+	{0x10B80, 0x10B91, prALetter},              // Lo  [18] PSALTER PAHLAVI LETTER ALEPH..PSALTER PAHLAVI LETTER TAW
+	{0x10C00, 0x10C48, prALetter},              // Lo  [73] OLD TURKIC LETTER ORKHON A..OLD TURKIC LETTER ORKHON BASH
+	{0x10C80, 0x10CB2, prALetter},              // L&  [51] OLD HUNGARIAN CAPITAL LETTER A..OLD HUNGARIAN CAPITAL LETTER US
+	{0x10CC0, 0x10CF2, prALetter},              // L&  [51] OLD HUNGARIAN SMALL LETTER A..OLD HUNGARIAN SMALL LETTER US
+	{0x10D00, 0x10D23, prALetter},              // Lo  [36] HANIFI ROHINGYA LETTER A..HANIFI ROHINGYA MARK NA KHONNA
+	{0x10D24, 0x10D27, prExtend},               // Mn   [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI
+	{0x10D30, 0x10D39, prNumeric},              // Nd  [10] HANIFI ROHINGYA DIGIT ZERO..HANIFI ROHINGYA DIGIT NINE
+	{0x10E80, 0x10EA9, prALetter},              // Lo  [42] YEZIDI LETTER ELIF..YEZIDI LETTER ET
+	{0x10EAB, 0x10EAC, prExtend},               // Mn   [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK
+	{0x10EB0, 0x10EB1, prALetter},              // Lo   [2] YEZIDI LETTER LAM WITH DOT ABOVE..YEZIDI LETTER YOT WITH CIRCUMFLEX ABOVE
+	{0x10EFD, 0x10EFF, prExtend},               // Mn   [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA
+	{0x10F00, 0x10F1C, prALetter},              // Lo  [29] OLD SOGDIAN LETTER ALEPH..OLD SOGDIAN LETTER FINAL TAW WITH VERTICAL TAIL
+	{0x10F27, 0x10F27, prALetter},              // Lo       OLD SOGDIAN LIGATURE AYIN-DALETH
+	{0x10F30, 0x10F45, prALetter},              // Lo  [22] SOGDIAN LETTER ALEPH..SOGDIAN INDEPENDENT SHIN
+	{0x10F46, 0x10F50, prExtend},               // Mn  [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW
+	{0x10F70, 0x10F81, prALetter},              // Lo  [18] OLD UYGHUR LETTER ALEPH..OLD UYGHUR LETTER LESH
+	{0x10F82, 0x10F85, prExtend},               // Mn   [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW
+	{0x10FB0, 0x10FC4, prALetter},              // Lo  [21] CHORASMIAN LETTER ALEPH..CHORASMIAN LETTER TAW
+	{0x10FE0, 0x10FF6, prALetter},              // Lo  [23] ELYMAIC LETTER ALEPH..ELYMAIC LIGATURE ZAYIN-YODH
+	{0x11000, 0x11000, prExtend},               // Mc       BRAHMI SIGN CANDRABINDU
+	{0x11001, 0x11001, prExtend},               // Mn       BRAHMI SIGN ANUSVARA
+	{0x11002, 0x11002, prExtend},               // Mc       BRAHMI SIGN VISARGA
+	{0x11003, 0x11037, prALetter},              // Lo  [53] BRAHMI SIGN JIHVAMULIYA..BRAHMI LETTER OLD TAMIL NNNA
+	{0x11038, 0x11046, prExtend},               // Mn  [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA
+	{0x11066, 0x1106F, prNumeric},              // Nd  [10] BRAHMI DIGIT ZERO..BRAHMI DIGIT NINE
+	{0x11070, 0x11070, prExtend},               // Mn       BRAHMI SIGN OLD TAMIL VIRAMA
+	{0x11071, 0x11072, prALetter},              // Lo   [2] BRAHMI LETTER OLD TAMIL SHORT E..BRAHMI LETTER OLD TAMIL SHORT O
+	{0x11073, 0x11074, prExtend},               // Mn   [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O
+	{0x11075, 0x11075, prALetter},              // Lo       BRAHMI LETTER OLD TAMIL LLA
+	{0x1107F, 0x11081, prExtend},               // Mn   [3] BRAHMI NUMBER JOINER..KAITHI SIGN ANUSVARA
+	{0x11082, 0x11082, prExtend},               // Mc       KAITHI SIGN VISARGA
+	{0x11083, 0x110AF, prALetter},              // Lo  [45] KAITHI LETTER A..KAITHI LETTER HA
+	{0x110B0, 0x110B2, prExtend},               // Mc   [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II
+	{0x110B3, 0x110B6, prExtend},               // Mn   [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI
+	{0x110B7, 0x110B8, prExtend},               // Mc   [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU
+	{0x110B9, 0x110BA, prExtend},               // Mn   [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA
+	{0x110BD, 0x110BD, prFormat},               // Cf       KAITHI NUMBER SIGN
+	{0x110C2, 0x110C2, prExtend},               // Mn       KAITHI VOWEL SIGN VOCALIC R
+	{0x110CD, 0x110CD, prFormat},               // Cf       KAITHI NUMBER SIGN ABOVE
+	{0x110D0, 0x110E8, prALetter},              // Lo  [25] SORA SOMPENG LETTER SAH..SORA SOMPENG LETTER MAE
+	{0x110F0, 0x110F9, prNumeric},              // Nd  [10] SORA SOMPENG DIGIT ZERO..SORA SOMPENG DIGIT NINE
+	{0x11100, 0x11102, prExtend},               // Mn   [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA
+	{0x11103, 0x11126, prALetter},              // Lo  [36] CHAKMA LETTER AA..CHAKMA LETTER HAA
+	{0x11127, 0x1112B, prExtend},               // Mn   [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU
+	{0x1112C, 0x1112C, prExtend},               // Mc       CHAKMA VOWEL SIGN E
+	{0x1112D, 0x11134, prExtend},               // Mn   [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA
+	{0x11136, 0x1113F, prNumeric},              // Nd  [10] CHAKMA DIGIT ZERO..CHAKMA DIGIT NINE
+	{0x11144, 0x11144, prALetter},              // Lo       CHAKMA LETTER LHAA
+	{0x11145, 0x11146, prExtend},               // Mc   [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI
+	{0x11147, 0x11147, prALetter},              // Lo       CHAKMA LETTER VAA
+	{0x11150, 0x11172, prALetter},              // Lo  [35] MAHAJANI LETTER A..MAHAJANI LETTER RRA
+	{0x11173, 0x11173, prExtend},               // Mn       MAHAJANI SIGN NUKTA
+	{0x11176, 0x11176, prALetter},              // Lo       MAHAJANI LIGATURE SHRI
+	{0x11180, 0x11181, prExtend},               // Mn   [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA
+	{0x11182, 0x11182, prExtend},               // Mc       SHARADA SIGN VISARGA
+	{0x11183, 0x111B2, prALetter},              // Lo  [48] SHARADA LETTER A..SHARADA LETTER HA
+	{0x111B3, 0x111B5, prExtend},               // Mc   [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II
+	{0x111B6, 0x111BE, prExtend},               // Mn   [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O
+	{0x111BF, 0x111C0, prExtend},               // Mc   [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA
+	{0x111C1, 0x111C4, prALetter},              // Lo   [4] SHARADA SIGN AVAGRAHA..SHARADA OM
+	{0x111C9, 0x111CC, prExtend},               // Mn   [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK
+	{0x111CE, 0x111CE, prExtend},               // Mc       SHARADA VOWEL SIGN PRISHTHAMATRA E
+	{0x111CF, 0x111CF, prExtend},               // Mn       SHARADA SIGN INVERTED CANDRABINDU
+	{0x111D0, 0x111D9, prNumeric},              // Nd  [10] SHARADA DIGIT ZERO..SHARADA DIGIT NINE
+	{0x111DA, 0x111DA, prALetter},              // Lo       SHARADA EKAM
+	{0x111DC, 0x111DC, prALetter},              // Lo       SHARADA HEADSTROKE
+	{0x11200, 0x11211, prALetter},              // Lo  [18] KHOJKI LETTER A..KHOJKI LETTER JJA
+	{0x11213, 0x1122B, prALetter},              // Lo  [25] KHOJKI LETTER NYA..KHOJKI LETTER LLA
+	{0x1122C, 0x1122E, prExtend},               // Mc   [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II
+	{0x1122F, 0x11231, prExtend},               // Mn   [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI
+	{0x11232, 0x11233, prExtend},               // Mc   [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU
+	{0x11234, 0x11234, prExtend},               // Mn       KHOJKI SIGN ANUSVARA
+	{0x11235, 0x11235, prExtend},               // Mc       KHOJKI SIGN VIRAMA
+	{0x11236, 0x11237, prExtend},               // Mn   [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA
+	{0x1123E, 0x1123E, prExtend},               // Mn       KHOJKI SIGN SUKUN
+	{0x1123F, 0x11240, prALetter},              // Lo   [2] KHOJKI LETTER QA..KHOJKI LETTER SHORT I
+	{0x11241, 0x11241, prExtend},               // Mn       KHOJKI VOWEL SIGN VOCALIC R
+	{0x11280, 0x11286, prALetter},              // Lo   [7] MULTANI LETTER A..MULTANI LETTER GA
+	{0x11288, 0x11288, prALetter},              // Lo       MULTANI LETTER GHA
+	{0x1128A, 0x1128D, prALetter},              // Lo   [4] MULTANI LETTER CA..MULTANI LETTER JJA
+	{0x1128F, 0x1129D, prALetter},              // Lo  [15] MULTANI LETTER NYA..MULTANI LETTER BA
+	{0x1129F, 0x112A8, prALetter},              // Lo  [10] MULTANI LETTER BHA..MULTANI LETTER RHA
+	{0x112B0, 0x112DE, prALetter},              // Lo  [47] KHUDAWADI LETTER A..KHUDAWADI LETTER HA
+	{0x112DF, 0x112DF, prExtend},               // Mn       KHUDAWADI SIGN ANUSVARA
+	{0x112E0, 0x112E2, prExtend},               // Mc   [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II
+	{0x112E3, 0x112EA, prExtend},               // Mn   [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA
+	{0x112F0, 0x112F9, prNumeric},              // Nd  [10] KHUDAWADI DIGIT ZERO..KHUDAWADI DIGIT NINE
+	{0x11300, 0x11301, prExtend},               // Mn   [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU
+	{0x11302, 0x11303, prExtend},               // Mc   [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA
+	{0x11305, 0x1130C, prALetter},              // Lo   [8] GRANTHA LETTER A..GRANTHA LETTER VOCALIC L
+	{0x1130F, 0x11310, prALetter},              // Lo   [2] GRANTHA LETTER EE..GRANTHA LETTER AI
+	{0x11313, 0x11328, prALetter},              // Lo  [22] GRANTHA LETTER OO..GRANTHA LETTER NA
+	{0x1132A, 0x11330, prALetter},              // Lo   [7] GRANTHA LETTER PA..GRANTHA LETTER RA
+	{0x11332, 0x11333, prALetter},              // Lo   [2] GRANTHA LETTER LA..GRANTHA LETTER LLA
+	{0x11335, 0x11339, prALetter},              // Lo   [5] GRANTHA LETTER VA..GRANTHA LETTER HA
+	{0x1133B, 0x1133C, prExtend},               // Mn   [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA
+	{0x1133D, 0x1133D, prALetter},              // Lo       GRANTHA SIGN AVAGRAHA
+	{0x1133E, 0x1133F, prExtend},               // Mc   [2] GRANTHA VOWEL SIGN AA..GRANTHA VOWEL SIGN I
+	{0x11340, 0x11340, prExtend},               // Mn       GRANTHA VOWEL SIGN II
+	{0x11341, 0x11344, prExtend},               // Mc   [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR
+	{0x11347, 0x11348, prExtend},               // Mc   [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI
+	{0x1134B, 0x1134D, prExtend},               // Mc   [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA
+	{0x11350, 0x11350, prALetter},              // Lo       GRANTHA OM
+	{0x11357, 0x11357, prExtend},               // Mc       GRANTHA AU LENGTH MARK
+	{0x1135D, 0x11361, prALetter},              // Lo   [5] GRANTHA SIGN PLUTA..GRANTHA LETTER VOCALIC LL
+	{0x11362, 0x11363, prExtend},               // Mc   [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL
+	{0x11366, 0x1136C, prExtend},               // Mn   [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX
+	{0x11370, 0x11374, prExtend},               // Mn   [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA
+	{0x11400, 0x11434, prALetter},              // Lo  [53] NEWA LETTER A..NEWA LETTER HA
+	{0x11435, 0x11437, prExtend},               // Mc   [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II
+	{0x11438, 0x1143F, prExtend},               // Mn   [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI
+	{0x11440, 0x11441, prExtend},               // Mc   [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU
+	{0x11442, 0x11444, prExtend},               // Mn   [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA
+	{0x11445, 0x11445, prExtend},               // Mc       NEWA SIGN VISARGA
+	{0x11446, 0x11446, prExtend},               // Mn       NEWA SIGN NUKTA
+	{0x11447, 0x1144A, prALetter},              // Lo   [4] NEWA SIGN AVAGRAHA..NEWA SIDDHI
+	{0x11450, 0x11459, prNumeric},              // Nd  [10] NEWA DIGIT ZERO..NEWA DIGIT NINE
+	{0x1145E, 0x1145E, prExtend},               // Mn       NEWA SANDHI MARK
+	{0x1145F, 0x11461, prALetter},              // Lo   [3] NEWA LETTER VEDIC ANUSVARA..NEWA SIGN UPADHMANIYA
+	{0x11480, 0x114AF, prALetter},              // Lo  [48] TIRHUTA ANJI..TIRHUTA LETTER HA
+	{0x114B0, 0x114B2, prExtend},               // Mc   [3] TIRHUTA VOWEL SIGN AA..TIRHUTA VOWEL SIGN II
+	{0x114B3, 0x114B8, prExtend},               // Mn   [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL
+	{0x114B9, 0x114B9, prExtend},               // Mc       TIRHUTA VOWEL SIGN E
+	{0x114BA, 0x114BA, prExtend},               // Mn       TIRHUTA VOWEL SIGN SHORT E
+	{0x114BB, 0x114BE, prExtend},               // Mc   [4] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN AU
+	{0x114BF, 0x114C0, prExtend},               // Mn   [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA
+	{0x114C1, 0x114C1, prExtend},               // Mc       TIRHUTA SIGN VISARGA
+	{0x114C2, 0x114C3, prExtend},               // Mn   [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA
+	{0x114C4, 0x114C5, prALetter},              // Lo   [2] TIRHUTA SIGN AVAGRAHA..TIRHUTA GVANG
+	{0x114C7, 0x114C7, prALetter},              // Lo       TIRHUTA OM
+	{0x114D0, 0x114D9, prNumeric},              // Nd  [10] TIRHUTA DIGIT ZERO..TIRHUTA DIGIT NINE
+	{0x11580, 0x115AE, prALetter},              // Lo  [47] SIDDHAM LETTER A..SIDDHAM LETTER HA
+	{0x115AF, 0x115B1, prExtend},               // Mc   [3] SIDDHAM VOWEL SIGN AA..SIDDHAM VOWEL SIGN II
+	{0x115B2, 0x115B5, prExtend},               // Mn   [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR
+	{0x115B8, 0x115BB, prExtend},               // Mc   [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU
+	{0x115BC, 0x115BD, prExtend},               // Mn   [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA
+	{0x115BE, 0x115BE, prExtend},               // Mc       SIDDHAM SIGN VISARGA
+	{0x115BF, 0x115C0, prExtend},               // Mn   [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA
+	{0x115D8, 0x115DB, prALetter},              // Lo   [4] SIDDHAM LETTER THREE-CIRCLE ALTERNATE I..SIDDHAM LETTER ALTERNATE U
+	{0x115DC, 0x115DD, prExtend},               // Mn   [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU
+	{0x11600, 0x1162F, prALetter},              // Lo  [48] MODI LETTER A..MODI LETTER LLA
+	{0x11630, 0x11632, prExtend},               // Mc   [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II
+	{0x11633, 0x1163A, prExtend},               // Mn   [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI
+	{0x1163B, 0x1163C, prExtend},               // Mc   [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU
+	{0x1163D, 0x1163D, prExtend},               // Mn       MODI SIGN ANUSVARA
+	{0x1163E, 0x1163E, prExtend},               // Mc       MODI SIGN VISARGA
+	{0x1163F, 0x11640, prExtend},               // Mn   [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA
+	{0x11644, 0x11644, prALetter},              // Lo       MODI SIGN HUVA
+	{0x11650, 0x11659, prNumeric},              // Nd  [10] MODI DIGIT ZERO..MODI DIGIT NINE
+	{0x11680, 0x116AA, prALetter},              // Lo  [43] TAKRI LETTER A..TAKRI LETTER RRA
+	{0x116AB, 0x116AB, prExtend},               // Mn       TAKRI SIGN ANUSVARA
+	{0x116AC, 0x116AC, prExtend},               // Mc       TAKRI SIGN VISARGA
+	{0x116AD, 0x116AD, prExtend},               // Mn       TAKRI VOWEL SIGN AA
+	{0x116AE, 0x116AF, prExtend},               // Mc   [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II
+	{0x116B0, 0x116B5, prExtend},               // Mn   [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU
+	{0x116B6, 0x116B6, prExtend},               // Mc       TAKRI SIGN VIRAMA
+	{0x116B7, 0x116B7, prExtend},               // Mn       TAKRI SIGN NUKTA
+	{0x116B8, 0x116B8, prALetter},              // Lo       TAKRI LETTER ARCHAIC KHA
+	{0x116C0, 0x116C9, prNumeric},              // Nd  [10] TAKRI DIGIT ZERO..TAKRI DIGIT NINE
+	{0x1171D, 0x1171F, prExtend},               // Mn   [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA
+	{0x11720, 0x11721, prExtend},               // Mc   [2] AHOM VOWEL SIGN A..AHOM VOWEL SIGN AA
+	{0x11722, 0x11725, prExtend},               // Mn   [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU
+	{0x11726, 0x11726, prExtend},               // Mc       AHOM VOWEL SIGN E
+	{0x11727, 0x1172B, prExtend},               // Mn   [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER
+	{0x11730, 0x11739, prNumeric},              // Nd  [10] AHOM DIGIT ZERO..AHOM DIGIT NINE
+	{0x11800, 0x1182B, prALetter},              // Lo  [44] DOGRA LETTER A..DOGRA LETTER RRA
+	{0x1182C, 0x1182E, prExtend},               // Mc   [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II
+	{0x1182F, 0x11837, prExtend},               // Mn   [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA
+	{0x11838, 0x11838, prExtend},               // Mc       DOGRA SIGN VISARGA
+	{0x11839, 0x1183A, prExtend},               // Mn   [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA
+	{0x118A0, 0x118DF, prALetter},              // L&  [64] WARANG CITI CAPITAL LETTER NGAA..WARANG CITI SMALL LETTER VIYO
+	{0x118E0, 0x118E9, prNumeric},              // Nd  [10] WARANG CITI DIGIT ZERO..WARANG CITI DIGIT NINE
+	{0x118FF, 0x11906, prALetter},              // Lo   [8] WARANG CITI OM..DIVES AKURU LETTER E
+	{0x11909, 0x11909, prALetter},              // Lo       DIVES AKURU LETTER O
+	{0x1190C, 0x11913, prALetter},              // Lo   [8] DIVES AKURU LETTER KA..DIVES AKURU LETTER JA
+	{0x11915, 0x11916, prALetter},              // Lo   [2] DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA
+	{0x11918, 0x1192F, prALetter},              // Lo  [24] DIVES AKURU LETTER DDA..DIVES AKURU LETTER ZA
+	{0x11930, 0x11935, prExtend},               // Mc   [6] DIVES AKURU VOWEL SIGN AA..DIVES AKURU VOWEL SIGN E
+	{0x11937, 0x11938, prExtend},               // Mc   [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O
+	{0x1193B, 0x1193C, prExtend},               // Mn   [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU
+	{0x1193D, 0x1193D, prExtend},               // Mc       DIVES AKURU SIGN HALANTA
+	{0x1193E, 0x1193E, prExtend},               // Mn       DIVES AKURU VIRAMA
+	{0x1193F, 0x1193F, prALetter},              // Lo       DIVES AKURU PREFIXED NASAL SIGN
+	{0x11940, 0x11940, prExtend},               // Mc       DIVES AKURU MEDIAL YA
+	{0x11941, 0x11941, prALetter},              // Lo       DIVES AKURU INITIAL RA
+	{0x11942, 0x11942, prExtend},               // Mc       DIVES AKURU MEDIAL RA
+	{0x11943, 0x11943, prExtend},               // Mn       DIVES AKURU SIGN NUKTA
+	{0x11950, 0x11959, prNumeric},              // Nd  [10] DIVES AKURU DIGIT ZERO..DIVES AKURU DIGIT NINE
+	{0x119A0, 0x119A7, prALetter},              // Lo   [8] NANDINAGARI LETTER A..NANDINAGARI LETTER VOCALIC RR
+	{0x119AA, 0x119D0, prALetter},              // Lo  [39] NANDINAGARI LETTER E..NANDINAGARI LETTER RRA
+	{0x119D1, 0x119D3, prExtend},               // Mc   [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II
+	{0x119D4, 0x119D7, prExtend},               // Mn   [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR
+	{0x119DA, 0x119DB, prExtend},               // Mn   [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI
+	{0x119DC, 0x119DF, prExtend},               // Mc   [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA
+	{0x119E0, 0x119E0, prExtend},               // Mn       NANDINAGARI SIGN VIRAMA
+	{0x119E1, 0x119E1, prALetter},              // Lo       NANDINAGARI SIGN AVAGRAHA
+	{0x119E3, 0x119E3, prALetter},              // Lo       NANDINAGARI HEADSTROKE
+	{0x119E4, 0x119E4, prExtend},               // Mc       NANDINAGARI VOWEL SIGN PRISHTHAMATRA E
+	{0x11A00, 0x11A00, prALetter},              // Lo       ZANABAZAR SQUARE LETTER A
+	{0x11A01, 0x11A0A, prExtend},               // Mn  [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK
+	{0x11A0B, 0x11A32, prALetter},              // Lo  [40] ZANABAZAR SQUARE LETTER KA..ZANABAZAR SQUARE LETTER KSSA
+	{0x11A33, 0x11A38, prExtend},               // Mn   [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA
+	{0x11A39, 0x11A39, prExtend},               // Mc       ZANABAZAR SQUARE SIGN VISARGA
+	{0x11A3A, 0x11A3A, prALetter},              // Lo       ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA
+	{0x11A3B, 0x11A3E, prExtend},               // Mn   [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA
+	{0x11A47, 0x11A47, prExtend},               // Mn       ZANABAZAR SQUARE SUBJOINER
+	{0x11A50, 0x11A50, prALetter},              // Lo       SOYOMBO LETTER A
+	{0x11A51, 0x11A56, prExtend},               // Mn   [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE
+	{0x11A57, 0x11A58, prExtend},               // Mc   [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU
+	{0x11A59, 0x11A5B, prExtend},               // Mn   [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK
+	{0x11A5C, 0x11A89, prALetter},              // Lo  [46] SOYOMBO LETTER KA..SOYOMBO CLUSTER-INITIAL LETTER SA
+	{0x11A8A, 0x11A96, prExtend},               // Mn  [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA
+	{0x11A97, 0x11A97, prExtend},               // Mc       SOYOMBO SIGN VISARGA
+	{0x11A98, 0x11A99, prExtend},               // Mn   [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER
+	{0x11A9D, 0x11A9D, prALetter},              // Lo       SOYOMBO MARK PLUTA
+	{0x11AB0, 0x11AF8, prALetter},              // Lo  [73] CANADIAN SYLLABICS NATTILIK HI..PAU CIN HAU GLOTTAL STOP FINAL
+	{0x11C00, 0x11C08, prALetter},              // Lo   [9] BHAIKSUKI LETTER A..BHAIKSUKI LETTER VOCALIC L
+	{0x11C0A, 0x11C2E, prALetter},              // Lo  [37] BHAIKSUKI LETTER E..BHAIKSUKI LETTER HA
+	{0x11C2F, 0x11C2F, prExtend},               // Mc       BHAIKSUKI VOWEL SIGN AA
+	{0x11C30, 0x11C36, prExtend},               // Mn   [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L
+	{0x11C38, 0x11C3D, prExtend},               // Mn   [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA
+	{0x11C3E, 0x11C3E, prExtend},               // Mc       BHAIKSUKI SIGN VISARGA
+	{0x11C3F, 0x11C3F, prExtend},               // Mn       BHAIKSUKI SIGN VIRAMA
+	{0x11C40, 0x11C40, prALetter},              // Lo       BHAIKSUKI SIGN AVAGRAHA
+	{0x11C50, 0x11C59, prNumeric},              // Nd  [10] BHAIKSUKI DIGIT ZERO..BHAIKSUKI DIGIT NINE
+	{0x11C72, 0x11C8F, prALetter},              // Lo  [30] MARCHEN LETTER KA..MARCHEN LETTER A
+	{0x11C92, 0x11CA7, prExtend},               // Mn  [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA
+	{0x11CA9, 0x11CA9, prExtend},               // Mc       MARCHEN SUBJOINED LETTER YA
+	{0x11CAA, 0x11CB0, prExtend},               // Mn   [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA
+	{0x11CB1, 0x11CB1, prExtend},               // Mc       MARCHEN VOWEL SIGN I
+	{0x11CB2, 0x11CB3, prExtend},               // Mn   [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E
+	{0x11CB4, 0x11CB4, prExtend},               // Mc       MARCHEN VOWEL SIGN O
+	{0x11CB5, 0x11CB6, prExtend},               // Mn   [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU
+	{0x11D00, 0x11D06, prALetter},              // Lo   [7] MASARAM GONDI LETTER A..MASARAM GONDI LETTER E
+	{0x11D08, 0x11D09, prALetter},              // Lo   [2] MASARAM GONDI LETTER AI..MASARAM GONDI LETTER O
+	{0x11D0B, 0x11D30, prALetter},              // Lo  [38] MASARAM GONDI LETTER AU..MASARAM GONDI LETTER TRA
+	{0x11D31, 0x11D36, prExtend},               // Mn   [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R
+	{0x11D3A, 0x11D3A, prExtend},               // Mn       MASARAM GONDI VOWEL SIGN E
+	{0x11D3C, 0x11D3D, prExtend},               // Mn   [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O
+	{0x11D3F, 0x11D45, prExtend},               // Mn   [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA
+	{0x11D46, 0x11D46, prALetter},              // Lo       MASARAM GONDI REPHA
+	{0x11D47, 0x11D47, prExtend},               // Mn       MASARAM GONDI RA-KARA
+	{0x11D50, 0x11D59, prNumeric},              // Nd  [10] MASARAM GONDI DIGIT ZERO..MASARAM GONDI DIGIT NINE
+	{0x11D60, 0x11D65, prALetter},              // Lo   [6] GUNJALA GONDI LETTER A..GUNJALA GONDI LETTER UU
+	{0x11D67, 0x11D68, prALetter},              // Lo   [2] GUNJALA GONDI LETTER EE..GUNJALA GONDI LETTER AI
+	{0x11D6A, 0x11D89, prALetter},              // Lo  [32] GUNJALA GONDI LETTER OO..GUNJALA GONDI LETTER SA
+	{0x11D8A, 0x11D8E, prExtend},               // Mc   [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU
+	{0x11D90, 0x11D91, prExtend},               // Mn   [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI
+	{0x11D93, 0x11D94, prExtend},               // Mc   [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU
+	{0x11D95, 0x11D95, prExtend},               // Mn       GUNJALA GONDI SIGN ANUSVARA
+	{0x11D96, 0x11D96, prExtend},               // Mc       GUNJALA GONDI SIGN VISARGA
+	{0x11D97, 0x11D97, prExtend},               // Mn       GUNJALA GONDI VIRAMA
+	{0x11D98, 0x11D98, prALetter},              // Lo       GUNJALA GONDI OM
+	{0x11DA0, 0x11DA9, prNumeric},              // Nd  [10] GUNJALA GONDI DIGIT ZERO..GUNJALA GONDI DIGIT NINE
+	{0x11EE0, 0x11EF2, prALetter},              // Lo  [19] MAKASAR LETTER KA..MAKASAR ANGKA
+	{0x11EF3, 0x11EF4, prExtend},               // Mn   [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U
+	{0x11EF5, 0x11EF6, prExtend},               // Mc   [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O
+	{0x11F00, 0x11F01, prExtend},               // Mn   [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA
+	{0x11F02, 0x11F02, prALetter},              // Lo       KAWI SIGN REPHA
+	{0x11F03, 0x11F03, prExtend},               // Mc       KAWI SIGN VISARGA
+	{0x11F04, 0x11F10, prALetter},              // Lo  [13] KAWI LETTER A..KAWI LETTER O
+	{0x11F12, 0x11F33, prALetter},              // Lo  [34] KAWI LETTER KA..KAWI LETTER JNYA
+	{0x11F34, 0x11F35, prExtend},               // Mc   [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA
+	{0x11F36, 0x11F3A, prExtend},               // Mn   [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R
+	{0x11F3E, 0x11F3F, prExtend},               // Mc   [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI
+	{0x11F40, 0x11F40, prExtend},               // Mn       KAWI VOWEL SIGN EU
+	{0x11F41, 0x11F41, prExtend},               // Mc       KAWI SIGN KILLER
+	{0x11F42, 0x11F42, prExtend},               // Mn       KAWI CONJOINER
+	{0x11F50, 0x11F59, prNumeric},              // Nd  [10] KAWI DIGIT ZERO..KAWI DIGIT NINE
+	{0x11FB0, 0x11FB0, prALetter},              // Lo       LISU LETTER YHA
+	{0x12000, 0x12399, prALetter},              // Lo [922] CUNEIFORM SIGN A..CUNEIFORM SIGN U U
+	{0x12400, 0x1246E, prALetter},              // Nl [111] CUNEIFORM NUMERIC SIGN TWO ASH..CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM
+	{0x12480, 0x12543, prALetter},              // Lo [196] CUNEIFORM SIGN AB TIMES NUN TENU..CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU
+	{0x12F90, 0x12FF0, prALetter},              // Lo  [97] CYPRO-MINOAN SIGN CM001..CYPRO-MINOAN SIGN CM114
+	{0x13000, 0x1342F, prALetter},              // Lo [1072] EGYPTIAN HIEROGLYPH A001..EGYPTIAN HIEROGLYPH V011D
+	{0x13430, 0x1343F, prFormat},               // Cf  [16] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE
+	{0x13440, 0x13440, prExtend},               // Mn       EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY
+	{0x13441, 0x13446, prALetter},              // Lo   [6] EGYPTIAN HIEROGLYPH FULL BLANK..EGYPTIAN HIEROGLYPH WIDE LOST SIGN
+	{0x13447, 0x13455, prExtend},               // Mn  [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED
+	{0x14400, 0x14646, prALetter},              // Lo [583] ANATOLIAN HIEROGLYPH A001..ANATOLIAN HIEROGLYPH A530
+	{0x16800, 0x16A38, prALetter},              // Lo [569] BAMUM LETTER PHASE-A NGKUE MFON..BAMUM LETTER PHASE-F VUEQ
+	{0x16A40, 0x16A5E, prALetter},              // Lo  [31] MRO LETTER TA..MRO LETTER TEK
+	{0x16A60, 0x16A69, prNumeric},              // Nd  [10] MRO DIGIT ZERO..MRO DIGIT NINE
+	{0x16A70, 0x16ABE, prALetter},              // Lo  [79] TANGSA LETTER OZ..TANGSA LETTER ZA
+	{0x16AC0, 0x16AC9, prNumeric},              // Nd  [10] TANGSA DIGIT ZERO..TANGSA DIGIT NINE
+	{0x16AD0, 0x16AED, prALetter},              // Lo  [30] BASSA VAH LETTER ENNI..BASSA VAH LETTER I
+	{0x16AF0, 0x16AF4, prExtend},               // Mn   [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE
+	{0x16B00, 0x16B2F, prALetter},              // Lo  [48] PAHAWH HMONG VOWEL KEEB..PAHAWH HMONG CONSONANT CAU
+	{0x16B30, 0x16B36, prExtend},               // Mn   [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM
+	{0x16B40, 0x16B43, prALetter},              // Lm   [4] PAHAWH HMONG SIGN VOS SEEV..PAHAWH HMONG SIGN IB YAM
+	{0x16B50, 0x16B59, prNumeric},              // Nd  [10] PAHAWH HMONG DIGIT ZERO..PAHAWH HMONG DIGIT NINE
+	{0x16B63, 0x16B77, prALetter},              // Lo  [21] PAHAWH HMONG SIGN VOS LUB..PAHAWH HMONG SIGN CIM NRES TOS
+	{0x16B7D, 0x16B8F, prALetter},              // Lo  [19] PAHAWH HMONG CLAN SIGN TSHEEJ..PAHAWH HMONG CLAN SIGN VWJ
+	{0x16E40, 0x16E7F, prALetter},              // L&  [64] MEDEFAIDRIN CAPITAL LETTER M..MEDEFAIDRIN SMALL LETTER Y
+	{0x16F00, 0x16F4A, prALetter},              // Lo  [75] MIAO LETTER PA..MIAO LETTER RTE
+	{0x16F4F, 0x16F4F, prExtend},               // Mn       MIAO SIGN CONSONANT MODIFIER BAR
+	{0x16F50, 0x16F50, prALetter},              // Lo       MIAO LETTER NASALIZATION
+	{0x16F51, 0x16F87, prExtend},               // Mc  [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI
+	{0x16F8F, 0x16F92, prExtend},               // Mn   [4] MIAO TONE RIGHT..MIAO TONE BELOW
+	{0x16F93, 0x16F9F, prALetter},              // Lm  [13] MIAO LETTER TONE-2..MIAO LETTER REFORMED TONE-8
+	{0x16FE0, 0x16FE1, prALetter},              // Lm   [2] TANGUT ITERATION MARK..NUSHU ITERATION MARK
+	{0x16FE3, 0x16FE3, prALetter},              // Lm       OLD CHINESE ITERATION MARK
+	{0x16FE4, 0x16FE4, prExtend},               // Mn       KHITAN SMALL SCRIPT FILLER
+	{0x16FF0, 0x16FF1, prExtend},               // Mc   [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY
+	{0x1AFF0, 0x1AFF3, prKatakana},             // Lm   [4] KATAKANA LETTER MINNAN TONE-2..KATAKANA LETTER MINNAN TONE-5
+	{0x1AFF5, 0x1AFFB, prKatakana},             // Lm   [7] KATAKANA LETTER MINNAN TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-5
+	{0x1AFFD, 0x1AFFE, prKatakana},             // Lm   [2] KATAKANA LETTER MINNAN NASALIZED TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-8
+	{0x1B000, 0x1B000, prKatakana},             // Lo       KATAKANA LETTER ARCHAIC E
+	{0x1B120, 0x1B122, prKatakana},             // Lo   [3] KATAKANA LETTER ARCHAIC YI..KATAKANA LETTER ARCHAIC WU
+	{0x1B155, 0x1B155, prKatakana},             // Lo       KATAKANA LETTER SMALL KO
+	{0x1B164, 0x1B167, prKatakana},             // Lo   [4] KATAKANA LETTER SMALL WI..KATAKANA LETTER SMALL N
+	{0x1BC00, 0x1BC6A, prALetter},              // Lo [107] DUPLOYAN LETTER H..DUPLOYAN LETTER VOCALIC M
+	{0x1BC70, 0x1BC7C, prALetter},              // Lo  [13] DUPLOYAN AFFIX LEFT HORIZONTAL SECANT..DUPLOYAN AFFIX ATTACHED TANGENT HOOK
+	{0x1BC80, 0x1BC88, prALetter},              // Lo   [9] DUPLOYAN AFFIX HIGH ACUTE..DUPLOYAN AFFIX HIGH VERTICAL
+	{0x1BC90, 0x1BC99, prALetter},              // Lo  [10] DUPLOYAN AFFIX LOW ACUTE..DUPLOYAN AFFIX LOW ARROW
+	{0x1BC9D, 0x1BC9E, prExtend},               // Mn   [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK
+	{0x1BCA0, 0x1BCA3, prFormat},               // Cf   [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP
+	{0x1CF00, 0x1CF2D, prExtend},               // Mn  [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT
+	{0x1CF30, 0x1CF46, prExtend},               // Mn  [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG
+	{0x1D165, 0x1D166, prExtend},               // Mc   [2] MUSICAL SYMBOL COMBINING STEM..MUSICAL SYMBOL COMBINING SPRECHGESANG STEM
+	{0x1D167, 0x1D169, prExtend},               // Mn   [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3
+	{0x1D16D, 0x1D172, prExtend},               // Mc   [6] MUSICAL SYMBOL COMBINING AUGMENTATION DOT..MUSICAL SYMBOL COMBINING FLAG-5
+	{0x1D173, 0x1D17A, prFormat},               // Cf   [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE
+	{0x1D17B, 0x1D182, prExtend},               // Mn   [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE
+	{0x1D185, 0x1D18B, prExtend},               // Mn   [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE
+	{0x1D1AA, 0x1D1AD, prExtend},               // Mn   [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO
+	{0x1D242, 0x1D244, prExtend},               // Mn   [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME
+	{0x1D400, 0x1D454, prALetter},              // L&  [85] MATHEMATICAL BOLD CAPITAL A..MATHEMATICAL ITALIC SMALL G
+	{0x1D456, 0x1D49C, prALetter},              // L&  [71] MATHEMATICAL ITALIC SMALL I..MATHEMATICAL SCRIPT CAPITAL A
+	{0x1D49E, 0x1D49F, prALetter},              // L&   [2] MATHEMATICAL SCRIPT CAPITAL C..MATHEMATICAL SCRIPT CAPITAL D
+	{0x1D4A2, 0x1D4A2, prALetter},              // L&       MATHEMATICAL SCRIPT CAPITAL G
+	{0x1D4A5, 0x1D4A6, prALetter},              // L&   [2] MATHEMATICAL SCRIPT CAPITAL J..MATHEMATICAL SCRIPT CAPITAL K
+	{0x1D4A9, 0x1D4AC, prALetter},              // L&   [4] MATHEMATICAL SCRIPT CAPITAL N..MATHEMATICAL SCRIPT CAPITAL Q
+	{0x1D4AE, 0x1D4B9, prALetter},              // L&  [12] MATHEMATICAL SCRIPT CAPITAL S..MATHEMATICAL SCRIPT SMALL D
+	{0x1D4BB, 0x1D4BB, prALetter},              // L&       MATHEMATICAL SCRIPT SMALL F
+	{0x1D4BD, 0x1D4C3, prALetter},              // L&   [7] MATHEMATICAL SCRIPT SMALL H..MATHEMATICAL SCRIPT SMALL N
+	{0x1D4C5, 0x1D505, prALetter},              // L&  [65] MATHEMATICAL SCRIPT SMALL P..MATHEMATICAL FRAKTUR CAPITAL B
+	{0x1D507, 0x1D50A, prALetter},              // L&   [4] MATHEMATICAL FRAKTUR CAPITAL D..MATHEMATICAL FRAKTUR CAPITAL G
+	{0x1D50D, 0x1D514, prALetter},              // L&   [8] MATHEMATICAL FRAKTUR CAPITAL J..MATHEMATICAL FRAKTUR CAPITAL Q
+	{0x1D516, 0x1D51C, prALetter},              // L&   [7] MATHEMATICAL FRAKTUR CAPITAL S..MATHEMATICAL FRAKTUR CAPITAL Y
+	{0x1D51E, 0x1D539, prALetter},              // L&  [28] MATHEMATICAL FRAKTUR SMALL A..MATHEMATICAL DOUBLE-STRUCK CAPITAL B
+	{0x1D53B, 0x1D53E, prALetter},              // L&   [4] MATHEMATICAL DOUBLE-STRUCK CAPITAL D..MATHEMATICAL DOUBLE-STRUCK CAPITAL G
+	{0x1D540, 0x1D544, prALetter},              // L&   [5] MATHEMATICAL DOUBLE-STRUCK CAPITAL I..MATHEMATICAL DOUBLE-STRUCK CAPITAL M
+	{0x1D546, 0x1D546, prALetter},              // L&       MATHEMATICAL DOUBLE-STRUCK CAPITAL O
+	{0x1D54A, 0x1D550, prALetter},              // L&   [7] MATHEMATICAL DOUBLE-STRUCK CAPITAL S..MATHEMATICAL DOUBLE-STRUCK CAPITAL Y
+	{0x1D552, 0x1D6A5, prALetter},              // L& [340] MATHEMATICAL DOUBLE-STRUCK SMALL A..MATHEMATICAL ITALIC SMALL DOTLESS J
+	{0x1D6A8, 0x1D6C0, prALetter},              // L&  [25] MATHEMATICAL BOLD CAPITAL ALPHA..MATHEMATICAL BOLD CAPITAL OMEGA
+	{0x1D6C2, 0x1D6DA, prALetter},              // L&  [25] MATHEMATICAL BOLD SMALL ALPHA..MATHEMATICAL BOLD SMALL OMEGA
+	{0x1D6DC, 0x1D6FA, prALetter},              // L&  [31] MATHEMATICAL BOLD EPSILON SYMBOL..MATHEMATICAL ITALIC CAPITAL OMEGA
+	{0x1D6FC, 0x1D714, prALetter},              // L&  [25] MATHEMATICAL ITALIC SMALL ALPHA..MATHEMATICAL ITALIC SMALL OMEGA
+	{0x1D716, 0x1D734, prALetter},              // L&  [31] MATHEMATICAL ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD ITALIC CAPITAL OMEGA
+	{0x1D736, 0x1D74E, prALetter},              // L&  [25] MATHEMATICAL BOLD ITALIC SMALL ALPHA..MATHEMATICAL BOLD ITALIC SMALL OMEGA
+	{0x1D750, 0x1D76E, prALetter},              // L&  [31] MATHEMATICAL BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD CAPITAL OMEGA
+	{0x1D770, 0x1D788, prALetter},              // L&  [25] MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD SMALL OMEGA
+	{0x1D78A, 0x1D7A8, prALetter},              // L&  [31] MATHEMATICAL SANS-SERIF BOLD EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL OMEGA
+	{0x1D7AA, 0x1D7C2, prALetter},              // L&  [25] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL OMEGA
+	{0x1D7C4, 0x1D7CB, prALetter},              // L&   [8] MATHEMATICAL SANS-SERIF BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD SMALL DIGAMMA
+	{0x1D7CE, 0x1D7FF, prNumeric},              // Nd  [50] MATHEMATICAL BOLD DIGIT ZERO..MATHEMATICAL MONOSPACE DIGIT NINE
+	{0x1DA00, 0x1DA36, prExtend},               // Mn  [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN
+	{0x1DA3B, 0x1DA6C, prExtend},               // Mn  [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT
+	{0x1DA75, 0x1DA75, prExtend},               // Mn       SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS
+	{0x1DA84, 0x1DA84, prExtend},               // Mn       SIGNWRITING LOCATION HEAD NECK
+	{0x1DA9B, 0x1DA9F, prExtend},               // Mn   [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6
+	{0x1DAA1, 0x1DAAF, prExtend},               // Mn  [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16
+	{0x1DF00, 0x1DF09, prALetter},              // L&  [10] LATIN SMALL LETTER FENG DIGRAPH WITH TRILL..LATIN SMALL LETTER T WITH HOOK AND RETROFLEX HOOK
+	{0x1DF0A, 0x1DF0A, prALetter},              // Lo       LATIN LETTER RETROFLEX CLICK WITH RETROFLEX HOOK
+	{0x1DF0B, 0x1DF1E, prALetter},              // L&  [20] LATIN SMALL LETTER ESH WITH DOUBLE BAR..LATIN SMALL LETTER S WITH CURL
+	{0x1DF25, 0x1DF2A, prALetter},              // L&   [6] LATIN SMALL LETTER D WITH MID-HEIGHT LEFT HOOK..LATIN SMALL LETTER T WITH MID-HEIGHT LEFT HOOK
+	{0x1E000, 0x1E006, prExtend},               // Mn   [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE
+	{0x1E008, 0x1E018, prExtend},               // Mn  [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU
+	{0x1E01B, 0x1E021, prExtend},               // Mn   [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI
+	{0x1E023, 0x1E024, prExtend},               // Mn   [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS
+	{0x1E026, 0x1E02A, prExtend},               // Mn   [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA
+	{0x1E030, 0x1E06D, prALetter},              // Lm  [62] MODIFIER LETTER CYRILLIC SMALL A..MODIFIER LETTER CYRILLIC SMALL STRAIGHT U WITH STROKE
+	{0x1E08F, 0x1E08F, prExtend},               // Mn       COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
+	{0x1E100, 0x1E12C, prALetter},              // Lo  [45] NYIAKENG PUACHUE HMONG LETTER MA..NYIAKENG PUACHUE HMONG LETTER W
+	{0x1E130, 0x1E136, prExtend},               // Mn   [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D
+	{0x1E137, 0x1E13D, prALetter},              // Lm   [7] NYIAKENG PUACHUE HMONG SIGN FOR PERSON..NYIAKENG PUACHUE HMONG SYLLABLE LENGTHENER
+	{0x1E140, 0x1E149, prNumeric},              // Nd  [10] NYIAKENG PUACHUE HMONG DIGIT ZERO..NYIAKENG PUACHUE HMONG DIGIT NINE
+	{0x1E14E, 0x1E14E, prALetter},              // Lo       NYIAKENG PUACHUE HMONG LOGOGRAM NYAJ
+	{0x1E290, 0x1E2AD, prALetter},              // Lo  [30] TOTO LETTER PA..TOTO LETTER A
+	{0x1E2AE, 0x1E2AE, prExtend},               // Mn       TOTO SIGN RISING TONE
+	{0x1E2C0, 0x1E2EB, prALetter},              // Lo  [44] WANCHO LETTER AA..WANCHO LETTER YIH
+	{0x1E2EC, 0x1E2EF, prExtend},               // Mn   [4] WANCHO TONE TUP..WANCHO TONE KOINI
+	{0x1E2F0, 0x1E2F9, prNumeric},              // Nd  [10] WANCHO DIGIT ZERO..WANCHO DIGIT NINE
+	{0x1E4D0, 0x1E4EA, prALetter},              // Lo  [27] NAG MUNDARI LETTER O..NAG MUNDARI LETTER ELL
+	{0x1E4EB, 0x1E4EB, prALetter},              // Lm       NAG MUNDARI SIGN OJOD
+	{0x1E4EC, 0x1E4EF, prExtend},               // Mn   [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH
+	{0x1E4F0, 0x1E4F9, prNumeric},              // Nd  [10] NAG MUNDARI DIGIT ZERO..NAG MUNDARI DIGIT NINE
+	{0x1E7E0, 0x1E7E6, prALetter},              // Lo   [7] ETHIOPIC SYLLABLE HHYA..ETHIOPIC SYLLABLE HHYO
+	{0x1E7E8, 0x1E7EB, prALetter},              // Lo   [4] ETHIOPIC SYLLABLE GURAGE HHWA..ETHIOPIC SYLLABLE HHWE
+	{0x1E7ED, 0x1E7EE, prALetter},              // Lo   [2] ETHIOPIC SYLLABLE GURAGE MWI..ETHIOPIC SYLLABLE GURAGE MWEE
+	{0x1E7F0, 0x1E7FE, prALetter},              // Lo  [15] ETHIOPIC SYLLABLE GURAGE QWI..ETHIOPIC SYLLABLE GURAGE PWEE
+	{0x1E800, 0x1E8C4, prALetter},              // Lo [197] MENDE KIKAKUI SYLLABLE M001 KI..MENDE KIKAKUI SYLLABLE M060 NYON
+	{0x1E8D0, 0x1E8D6, prExtend},               // Mn   [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS
+	{0x1E900, 0x1E943, prALetter},              // L&  [68] ADLAM CAPITAL LETTER ALIF..ADLAM SMALL LETTER SHA
+	{0x1E944, 0x1E94A, prExtend},               // Mn   [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA
+	{0x1E94B, 0x1E94B, prALetter},              // Lm       ADLAM NASALIZATION MARK
+	{0x1E950, 0x1E959, prNumeric},              // Nd  [10] ADLAM DIGIT ZERO..ADLAM DIGIT NINE
+	{0x1EE00, 0x1EE03, prALetter},              // Lo   [4] ARABIC MATHEMATICAL ALEF..ARABIC MATHEMATICAL DAL
+	{0x1EE05, 0x1EE1F, prALetter},              // Lo  [27] ARABIC MATHEMATICAL WAW..ARABIC MATHEMATICAL DOTLESS QAF
+	{0x1EE21, 0x1EE22, prALetter},              // Lo   [2] ARABIC MATHEMATICAL INITIAL BEH..ARABIC MATHEMATICAL INITIAL JEEM
+	{0x1EE24, 0x1EE24, prALetter},              // Lo       ARABIC MATHEMATICAL INITIAL HEH
+	{0x1EE27, 0x1EE27, prALetter},              // Lo       ARABIC MATHEMATICAL INITIAL HAH
+	{0x1EE29, 0x1EE32, prALetter},              // Lo  [10] ARABIC MATHEMATICAL INITIAL YEH..ARABIC MATHEMATICAL INITIAL QAF
+	{0x1EE34, 0x1EE37, prALetter},              // Lo   [4] ARABIC MATHEMATICAL INITIAL SHEEN..ARABIC MATHEMATICAL INITIAL KHAH
+	{0x1EE39, 0x1EE39, prALetter},              // Lo       ARABIC MATHEMATICAL INITIAL DAD
+	{0x1EE3B, 0x1EE3B, prALetter},              // Lo       ARABIC MATHEMATICAL INITIAL GHAIN
+	{0x1EE42, 0x1EE42, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED JEEM
+	{0x1EE47, 0x1EE47, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED HAH
+	{0x1EE49, 0x1EE49, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED YEH
+	{0x1EE4B, 0x1EE4B, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED LAM
+	{0x1EE4D, 0x1EE4F, prALetter},              // Lo   [3] ARABIC MATHEMATICAL TAILED NOON..ARABIC MATHEMATICAL TAILED AIN
+	{0x1EE51, 0x1EE52, prALetter},              // Lo   [2] ARABIC MATHEMATICAL TAILED SAD..ARABIC MATHEMATICAL TAILED QAF
+	{0x1EE54, 0x1EE54, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED SHEEN
+	{0x1EE57, 0x1EE57, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED KHAH
+	{0x1EE59, 0x1EE59, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED DAD
+	{0x1EE5B, 0x1EE5B, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED GHAIN
+	{0x1EE5D, 0x1EE5D, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED DOTLESS NOON
+	{0x1EE5F, 0x1EE5F, prALetter},              // Lo       ARABIC MATHEMATICAL TAILED DOTLESS QAF
+	{0x1EE61, 0x1EE62, prALetter},              // Lo   [2] ARABIC MATHEMATICAL STRETCHED BEH..ARABIC MATHEMATICAL STRETCHED JEEM
+	{0x1EE64, 0x1EE64, prALetter},              // Lo       ARABIC MATHEMATICAL STRETCHED HEH
+	{0x1EE67, 0x1EE6A, prALetter},              // Lo   [4] ARABIC MATHEMATICAL STRETCHED HAH..ARABIC MATHEMATICAL STRETCHED KAF
+	{0x1EE6C, 0x1EE72, prALetter},              // Lo   [7] ARABIC MATHEMATICAL STRETCHED MEEM..ARABIC MATHEMATICAL STRETCHED QAF
+	{0x1EE74, 0x1EE77, prALetter},              // Lo   [4] ARABIC MATHEMATICAL STRETCHED SHEEN..ARABIC MATHEMATICAL STRETCHED KHAH
+	{0x1EE79, 0x1EE7C, prALetter},              // Lo   [4] ARABIC MATHEMATICAL STRETCHED DAD..ARABIC MATHEMATICAL STRETCHED DOTLESS BEH
+	{0x1EE7E, 0x1EE7E, prALetter},              // Lo       ARABIC MATHEMATICAL STRETCHED DOTLESS FEH
+	{0x1EE80, 0x1EE89, prALetter},              // Lo  [10] ARABIC MATHEMATICAL LOOPED ALEF..ARABIC MATHEMATICAL LOOPED YEH
+	{0x1EE8B, 0x1EE9B, prALetter},              // Lo  [17] ARABIC MATHEMATICAL LOOPED LAM..ARABIC MATHEMATICAL LOOPED GHAIN
+	{0x1EEA1, 0x1EEA3, prALetter},              // Lo   [3] ARABIC MATHEMATICAL DOUBLE-STRUCK BEH..ARABIC MATHEMATICAL DOUBLE-STRUCK DAL
+	{0x1EEA5, 0x1EEA9, prALetter},              // Lo   [5] ARABIC MATHEMATICAL DOUBLE-STRUCK WAW..ARABIC MATHEMATICAL DOUBLE-STRUCK YEH
+	{0x1EEAB, 0x1EEBB, prALetter},              // Lo  [17] ARABIC MATHEMATICAL DOUBLE-STRUCK LAM..ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN
+	{0x1F000, 0x1F003, prExtendedPictographic}, // E0.0   [4] (🀀..🀃)    MAHJONG TILE EAST WIND..MAHJONG TILE NORTH WIND
+	{0x1F004, 0x1F004, prExtendedPictographic}, // E0.6   [1] (🀄)       mahjong red dragon
+	{0x1F005, 0x1F0CE, prExtendedPictographic}, // E0.0 [202] (🀅..🃎)    MAHJONG TILE GREEN DRAGON..PLAYING CARD KING OF DIAMONDS
+	{0x1F0CF, 0x1F0CF, prExtendedPictographic}, // E0.6   [1] (�)       joker
+	{0x1F0D0, 0x1F0FF, prExtendedPictographic}, // E0.0  [48] (�..🃿)    <reserved-1F0D0>..<reserved-1F0FF>
+	{0x1F10D, 0x1F10F, prExtendedPictographic}, // E0.0   [3] (�..�)    CIRCLED ZERO WITH SLASH..CIRCLED DOLLAR SIGN WITH OVERLAID BACKSLASH
+	{0x1F12F, 0x1F12F, prExtendedPictographic}, // E0.0   [1] (🄯)       COPYLEFT SYMBOL
+	{0x1F130, 0x1F149, prALetter},              // So  [26] SQUARED LATIN CAPITAL LETTER A..SQUARED LATIN CAPITAL LETTER Z
+	{0x1F150, 0x1F169, prALetter},              // So  [26] NEGATIVE CIRCLED LATIN CAPITAL LETTER A..NEGATIVE CIRCLED LATIN CAPITAL LETTER Z
+	{0x1F16C, 0x1F16F, prExtendedPictographic}, // E0.0   [4] (🅬..🅯)    RAISED MR SIGN..CIRCLED HUMAN FIGURE
+	{0x1F170, 0x1F189, prALetter},              // So  [26] NEGATIVE SQUARED LATIN CAPITAL LETTER A..NEGATIVE SQUARED LATIN CAPITAL LETTER Z
+	{0x1F170, 0x1F171, prExtendedPictographic}, // E0.6   [2] (🅰�..🅱�)    A button (blood type)..B button (blood type)
+	{0x1F17E, 0x1F17F, prExtendedPictographic}, // E0.6   [2] (🅾�..🅿�)    O button (blood type)..P button
+	{0x1F18E, 0x1F18E, prExtendedPictographic}, // E0.6   [1] (🆎)       AB button (blood type)
+	{0x1F191, 0x1F19A, prExtendedPictographic}, // E0.6  [10] (🆑..🆚)    CL button..VS button
+	{0x1F1AD, 0x1F1E5, prExtendedPictographic}, // E0.0  [57] (🆭..🇥)    MASK WORK SYMBOL..<reserved-1F1E5>
+	{0x1F1E6, 0x1F1FF, prRegionalIndicator},    // So  [26] REGIONAL INDICATOR SYMBOL LETTER A..REGIONAL INDICATOR SYMBOL LETTER Z
+	{0x1F201, 0x1F202, prExtendedPictographic}, // E0.6   [2] (�..🈂�)    Japanese “here� button..Japanese “service charge� button
+	{0x1F203, 0x1F20F, prExtendedPictographic}, // E0.0  [13] (🈃..�)    <reserved-1F203>..<reserved-1F20F>
+	{0x1F21A, 0x1F21A, prExtendedPictographic}, // E0.6   [1] (🈚)       Japanese “free of charge� button
+	{0x1F22F, 0x1F22F, prExtendedPictographic}, // E0.6   [1] (🈯)       Japanese “reserved� button
+	{0x1F232, 0x1F23A, prExtendedPictographic}, // E0.6   [9] (🈲..🈺)    Japanese “prohibited� button..Japanese “open for business� button
+	{0x1F23C, 0x1F23F, prExtendedPictographic}, // E0.0   [4] (🈼..🈿)    <reserved-1F23C>..<reserved-1F23F>
+	{0x1F249, 0x1F24F, prExtendedPictographic}, // E0.0   [7] (🉉..�)    <reserved-1F249>..<reserved-1F24F>
+	{0x1F250, 0x1F251, prExtendedPictographic}, // E0.6   [2] (�..🉑)    Japanese “bargain� button..Japanese “acceptable� button
+	{0x1F252, 0x1F2FF, prExtendedPictographic}, // E0.0 [174] (🉒..🋿)    <reserved-1F252>..<reserved-1F2FF>
+	{0x1F300, 0x1F30C, prExtendedPictographic}, // E0.6  [13] (🌀..🌌)    cyclone..milky way
+	{0x1F30D, 0x1F30E, prExtendedPictographic}, // E0.7   [2] (�..🌎)    globe showing Europe-Africa..globe showing Americas
+	{0x1F30F, 0x1F30F, prExtendedPictographic}, // E0.6   [1] (�)       globe showing Asia-Australia
+	{0x1F310, 0x1F310, prExtendedPictographic}, // E1.0   [1] (�)       globe with meridians
+	{0x1F311, 0x1F311, prExtendedPictographic}, // E0.6   [1] (🌑)       new moon
+	{0x1F312, 0x1F312, prExtendedPictographic}, // E1.0   [1] (🌒)       waxing crescent moon
+	{0x1F313, 0x1F315, prExtendedPictographic}, // E0.6   [3] (🌓..🌕)    first quarter moon..full moon
+	{0x1F316, 0x1F318, prExtendedPictographic}, // E1.0   [3] (🌖..🌘)    waning gibbous moon..waning crescent moon
+	{0x1F319, 0x1F319, prExtendedPictographic}, // E0.6   [1] (🌙)       crescent moon
+	{0x1F31A, 0x1F31A, prExtendedPictographic}, // E1.0   [1] (🌚)       new moon face
+	{0x1F31B, 0x1F31B, prExtendedPictographic}, // E0.6   [1] (🌛)       first quarter moon face
+	{0x1F31C, 0x1F31C, prExtendedPictographic}, // E0.7   [1] (🌜)       last quarter moon face
+	{0x1F31D, 0x1F31E, prExtendedPictographic}, // E1.0   [2] (�..🌞)    full moon face..sun with face
+	{0x1F31F, 0x1F320, prExtendedPictographic}, // E0.6   [2] (🌟..🌠)    glowing star..shooting star
+	{0x1F321, 0x1F321, prExtendedPictographic}, // E0.7   [1] (🌡�)       thermometer
+	{0x1F322, 0x1F323, prExtendedPictographic}, // E0.0   [2] (🌢..🌣)    BLACK DROPLET..WHITE SUN
+	{0x1F324, 0x1F32C, prExtendedPictographic}, // E0.7   [9] (🌤�..🌬�)    sun behind small cloud..wind face
+	{0x1F32D, 0x1F32F, prExtendedPictographic}, // E1.0   [3] (🌭..🌯)    hot dog..burrito
+	{0x1F330, 0x1F331, prExtendedPictographic}, // E0.6   [2] (🌰..🌱)    chestnut..seedling
+	{0x1F332, 0x1F333, prExtendedPictographic}, // E1.0   [2] (🌲..🌳)    evergreen tree..deciduous tree
+	{0x1F334, 0x1F335, prExtendedPictographic}, // E0.6   [2] (🌴..🌵)    palm tree..cactus
+	{0x1F336, 0x1F336, prExtendedPictographic}, // E0.7   [1] (🌶�)       hot pepper
+	{0x1F337, 0x1F34A, prExtendedPictographic}, // E0.6  [20] (🌷..�)    tulip..tangerine
+	{0x1F34B, 0x1F34B, prExtendedPictographic}, // E1.0   [1] (�)       lemon
+	{0x1F34C, 0x1F34F, prExtendedPictographic}, // E0.6   [4] (�..�)    banana..green apple
+	{0x1F350, 0x1F350, prExtendedPictographic}, // E1.0   [1] (�)       pear
+	{0x1F351, 0x1F37B, prExtendedPictographic}, // E0.6  [43] (�..�)    peach..clinking beer mugs
+	{0x1F37C, 0x1F37C, prExtendedPictographic}, // E1.0   [1] (�)       baby bottle
+	{0x1F37D, 0x1F37D, prExtendedPictographic}, // E0.7   [1] (��)       fork and knife with plate
+	{0x1F37E, 0x1F37F, prExtendedPictographic}, // E1.0   [2] (�..�)    bottle with popping cork..popcorn
+	{0x1F380, 0x1F393, prExtendedPictographic}, // E0.6  [20] (🎀..🎓)    ribbon..graduation cap
+	{0x1F394, 0x1F395, prExtendedPictographic}, // E0.0   [2] (🎔..🎕)    HEART WITH TIP ON THE LEFT..BOUQUET OF FLOWERS
+	{0x1F396, 0x1F397, prExtendedPictographic}, // E0.7   [2] (🎖�..🎗�)    military medal..reminder ribbon
+	{0x1F398, 0x1F398, prExtendedPictographic}, // E0.0   [1] (🎘)       MUSICAL KEYBOARD WITH JACKS
+	{0x1F399, 0x1F39B, prExtendedPictographic}, // E0.7   [3] (🎙�..🎛�)    studio microphone..control knobs
+	{0x1F39C, 0x1F39D, prExtendedPictographic}, // E0.0   [2] (🎜..�)    BEAMED ASCENDING MUSICAL NOTES..BEAMED DESCENDING MUSICAL NOTES
+	{0x1F39E, 0x1F39F, prExtendedPictographic}, // E0.7   [2] (🎞�..🎟�)    film frames..admission tickets
+	{0x1F3A0, 0x1F3C4, prExtendedPictographic}, // E0.6  [37] (🎠..�)    carousel horse..person surfing
+	{0x1F3C5, 0x1F3C5, prExtendedPictographic}, // E1.0   [1] (�)       sports medal
+	{0x1F3C6, 0x1F3C6, prExtendedPictographic}, // E0.6   [1] (�)       trophy
+	{0x1F3C7, 0x1F3C7, prExtendedPictographic}, // E1.0   [1] (�)       horse racing
+	{0x1F3C8, 0x1F3C8, prExtendedPictographic}, // E0.6   [1] (�)       american football
+	{0x1F3C9, 0x1F3C9, prExtendedPictographic}, // E1.0   [1] (�)       rugby football
+	{0x1F3CA, 0x1F3CA, prExtendedPictographic}, // E0.6   [1] (�)       person swimming
+	{0x1F3CB, 0x1F3CE, prExtendedPictographic}, // E0.7   [4] (��..��)    person lifting weights..racing car
+	{0x1F3CF, 0x1F3D3, prExtendedPictographic}, // E1.0   [5] (�..�)    cricket game..ping pong
+	{0x1F3D4, 0x1F3DF, prExtendedPictographic}, // E0.7  [12] (��..��)    snow-capped mountain..stadium
+	{0x1F3E0, 0x1F3E3, prExtendedPictographic}, // E0.6   [4] (�..�)    house..Japanese post office
+	{0x1F3E4, 0x1F3E4, prExtendedPictographic}, // E1.0   [1] (�)       post office
+	{0x1F3E5, 0x1F3F0, prExtendedPictographic}, // E0.6  [12] (�..�)    hospital..castle
+	{0x1F3F1, 0x1F3F2, prExtendedPictographic}, // E0.0   [2] (�..�)    WHITE PENNANT..BLACK PENNANT
+	{0x1F3F3, 0x1F3F3, prExtendedPictographic}, // E0.7   [1] (��)       white flag
+	{0x1F3F4, 0x1F3F4, prExtendedPictographic}, // E1.0   [1] (�)       black flag
+	{0x1F3F5, 0x1F3F5, prExtendedPictographic}, // E0.7   [1] (��)       rosette
+	{0x1F3F6, 0x1F3F6, prExtendedPictographic}, // E0.0   [1] (�)       BLACK ROSETTE
+	{0x1F3F7, 0x1F3F7, prExtendedPictographic}, // E0.7   [1] (��)       label
+	{0x1F3F8, 0x1F3FA, prExtendedPictographic}, // E1.0   [3] (�..�)    badminton..amphora
+	{0x1F3FB, 0x1F3FF, prExtend},               // Sk   [5] EMOJI MODIFIER FITZPATRICK TYPE-1-2..EMOJI MODIFIER FITZPATRICK TYPE-6
+	{0x1F400, 0x1F407, prExtendedPictographic}, // E1.0   [8] (�..�)    rat..rabbit
+	{0x1F408, 0x1F408, prExtendedPictographic}, // E0.7   [1] (�)       cat
+	{0x1F409, 0x1F40B, prExtendedPictographic}, // E1.0   [3] (�..�)    dragon..whale
+	{0x1F40C, 0x1F40E, prExtendedPictographic}, // E0.6   [3] (�..�)    snail..horse
+	{0x1F40F, 0x1F410, prExtendedPictographic}, // E1.0   [2] (�..�)    ram..goat
+	{0x1F411, 0x1F412, prExtendedPictographic}, // E0.6   [2] (�..�)    ewe..monkey
+	{0x1F413, 0x1F413, prExtendedPictographic}, // E1.0   [1] (�)       rooster
+	{0x1F414, 0x1F414, prExtendedPictographic}, // E0.6   [1] (�)       chicken
+	{0x1F415, 0x1F415, prExtendedPictographic}, // E0.7   [1] (�)       dog
+	{0x1F416, 0x1F416, prExtendedPictographic}, // E1.0   [1] (�)       pig
+	{0x1F417, 0x1F429, prExtendedPictographic}, // E0.6  [19] (�..�)    boar..poodle
+	{0x1F42A, 0x1F42A, prExtendedPictographic}, // E1.0   [1] (�)       camel
+	{0x1F42B, 0x1F43E, prExtendedPictographic}, // E0.6  [20] (�..�)    two-hump camel..paw prints
+	{0x1F43F, 0x1F43F, prExtendedPictographic}, // E0.7   [1] (��)       chipmunk
+	{0x1F440, 0x1F440, prExtendedPictographic}, // E0.6   [1] (👀)       eyes
+	{0x1F441, 0x1F441, prExtendedPictographic}, // E0.7   [1] (��)       eye
+	{0x1F442, 0x1F464, prExtendedPictographic}, // E0.6  [35] (👂..👤)    ear..bust in silhouette
+	{0x1F465, 0x1F465, prExtendedPictographic}, // E1.0   [1] (👥)       busts in silhouette
+	{0x1F466, 0x1F46B, prExtendedPictographic}, // E0.6   [6] (👦..👫)    boy..woman and man holding hands
+	{0x1F46C, 0x1F46D, prExtendedPictographic}, // E1.0   [2] (👬..👭)    men holding hands..women holding hands
+	{0x1F46E, 0x1F4AC, prExtendedPictographic}, // E0.6  [63] (👮..💬)    police officer..speech balloon
+	{0x1F4AD, 0x1F4AD, prExtendedPictographic}, // E1.0   [1] (💭)       thought balloon
+	{0x1F4AE, 0x1F4B5, prExtendedPictographic}, // E0.6   [8] (💮..💵)    white flower..dollar banknote
+	{0x1F4B6, 0x1F4B7, prExtendedPictographic}, // E1.0   [2] (💶..💷)    euro banknote..pound banknote
+	{0x1F4B8, 0x1F4EB, prExtendedPictographic}, // E0.6  [52] (💸..📫)    money with wings..closed mailbox with raised flag
+	{0x1F4EC, 0x1F4ED, prExtendedPictographic}, // E0.7   [2] (📬..📭)    open mailbox with raised flag..open mailbox with lowered flag
+	{0x1F4EE, 0x1F4EE, prExtendedPictographic}, // E0.6   [1] (📮)       postbox
+	{0x1F4EF, 0x1F4EF, prExtendedPictographic}, // E1.0   [1] (📯)       postal horn
+	{0x1F4F0, 0x1F4F4, prExtendedPictographic}, // E0.6   [5] (📰..📴)    newspaper..mobile phone off
+	{0x1F4F5, 0x1F4F5, prExtendedPictographic}, // E1.0   [1] (📵)       no mobile phones
+	{0x1F4F6, 0x1F4F7, prExtendedPictographic}, // E0.6   [2] (📶..📷)    antenna bars..camera
+	{0x1F4F8, 0x1F4F8, prExtendedPictographic}, // E1.0   [1] (📸)       camera with flash
+	{0x1F4F9, 0x1F4FC, prExtendedPictographic}, // E0.6   [4] (📹..📼)    video camera..videocassette
+	{0x1F4FD, 0x1F4FD, prExtendedPictographic}, // E0.7   [1] (📽�)       film projector
+	{0x1F4FE, 0x1F4FE, prExtendedPictographic}, // E0.0   [1] (📾)       PORTABLE STEREO
+	{0x1F4FF, 0x1F502, prExtendedPictographic}, // E1.0   [4] (📿..🔂)    prayer beads..repeat single button
+	{0x1F503, 0x1F503, prExtendedPictographic}, // E0.6   [1] (🔃)       clockwise vertical arrows
+	{0x1F504, 0x1F507, prExtendedPictographic}, // E1.0   [4] (🔄..🔇)    counterclockwise arrows button..muted speaker
+	{0x1F508, 0x1F508, prExtendedPictographic}, // E0.7   [1] (🔈)       speaker low volume
+	{0x1F509, 0x1F509, prExtendedPictographic}, // E1.0   [1] (🔉)       speaker medium volume
+	{0x1F50A, 0x1F514, prExtendedPictographic}, // E0.6  [11] (🔊..🔔)    speaker high volume..bell
+	{0x1F515, 0x1F515, prExtendedPictographic}, // E1.0   [1] (🔕)       bell with slash
+	{0x1F516, 0x1F52B, prExtendedPictographic}, // E0.6  [22] (🔖..🔫)    bookmark..water pistol
+	{0x1F52C, 0x1F52D, prExtendedPictographic}, // E1.0   [2] (🔬..🔭)    microscope..telescope
+	{0x1F52E, 0x1F53D, prExtendedPictographic}, // E0.6  [16] (🔮..🔽)    crystal ball..downwards button
+	{0x1F546, 0x1F548, prExtendedPictographic}, // E0.0   [3] (🕆..🕈)    WHITE LATIN CROSS..CELTIC CROSS
+	{0x1F549, 0x1F54A, prExtendedPictographic}, // E0.7   [2] (🕉�..🕊�)    om..dove
+	{0x1F54B, 0x1F54E, prExtendedPictographic}, // E1.0   [4] (🕋..🕎)    kaaba..menorah
+	{0x1F54F, 0x1F54F, prExtendedPictographic}, // E0.0   [1] (�)       BOWL OF HYGIEIA
+	{0x1F550, 0x1F55B, prExtendedPictographic}, // E0.6  [12] (�..🕛)    one o’clock..twelve o’clock
+	{0x1F55C, 0x1F567, prExtendedPictographic}, // E0.7  [12] (🕜..🕧)    one-thirty..twelve-thirty
+	{0x1F568, 0x1F56E, prExtendedPictographic}, // E0.0   [7] (🕨..🕮)    RIGHT SPEAKER..BOOK
+	{0x1F56F, 0x1F570, prExtendedPictographic}, // E0.7   [2] (🕯�..🕰�)    candle..mantelpiece clock
+	{0x1F571, 0x1F572, prExtendedPictographic}, // E0.0   [2] (🕱..🕲)    BLACK SKULL AND CROSSBONES..NO PIRACY
+	{0x1F573, 0x1F579, prExtendedPictographic}, // E0.7   [7] (🕳�..🕹�)    hole..joystick
+	{0x1F57A, 0x1F57A, prExtendedPictographic}, // E3.0   [1] (🕺)       man dancing
+	{0x1F57B, 0x1F586, prExtendedPictographic}, // E0.0  [12] (🕻..🖆)    LEFT HAND TELEPHONE RECEIVER..PEN OVER STAMPED ENVELOPE
+	{0x1F587, 0x1F587, prExtendedPictographic}, // E0.7   [1] (🖇�)       linked paperclips
+	{0x1F588, 0x1F589, prExtendedPictographic}, // E0.0   [2] (🖈..🖉)    BLACK PUSHPIN..LOWER LEFT PENCIL
+	{0x1F58A, 0x1F58D, prExtendedPictographic}, // E0.7   [4] (🖊�..��)    pen..crayon
+	{0x1F58E, 0x1F58F, prExtendedPictographic}, // E0.0   [2] (🖎..�)    LEFT WRITING HAND..TURNED OK HAND SIGN
+	{0x1F590, 0x1F590, prExtendedPictographic}, // E0.7   [1] (��)       hand with fingers splayed
+	{0x1F591, 0x1F594, prExtendedPictographic}, // E0.0   [4] (🖑..🖔)    REVERSED RAISED HAND WITH FINGERS SPLAYED..REVERSED VICTORY HAND
+	{0x1F595, 0x1F596, prExtendedPictographic}, // E1.0   [2] (🖕..🖖)    middle finger..vulcan salute
+	{0x1F597, 0x1F5A3, prExtendedPictographic}, // E0.0  [13] (🖗..🖣)    WHITE DOWN POINTING LEFT HAND INDEX..BLACK DOWN POINTING BACKHAND INDEX
+	{0x1F5A4, 0x1F5A4, prExtendedPictographic}, // E3.0   [1] (🖤)       black heart
+	{0x1F5A5, 0x1F5A5, prExtendedPictographic}, // E0.7   [1] (🖥�)       desktop computer
+	{0x1F5A6, 0x1F5A7, prExtendedPictographic}, // E0.0   [2] (🖦..🖧)    KEYBOARD AND MOUSE..THREE NETWORKED COMPUTERS
+	{0x1F5A8, 0x1F5A8, prExtendedPictographic}, // E0.7   [1] (🖨�)       printer
+	{0x1F5A9, 0x1F5B0, prExtendedPictographic}, // E0.0   [8] (🖩..🖰)    POCKET CALCULATOR..TWO BUTTON MOUSE
+	{0x1F5B1, 0x1F5B2, prExtendedPictographic}, // E0.7   [2] (🖱�..🖲�)    computer mouse..trackball
+	{0x1F5B3, 0x1F5BB, prExtendedPictographic}, // E0.0   [9] (🖳..🖻)    OLD PERSONAL COMPUTER..DOCUMENT WITH PICTURE
+	{0x1F5BC, 0x1F5BC, prExtendedPictographic}, // E0.7   [1] (🖼�)       framed picture
+	{0x1F5BD, 0x1F5C1, prExtendedPictographic}, // E0.0   [5] (🖽..�)    FRAME WITH TILES..OPEN FOLDER
+	{0x1F5C2, 0x1F5C4, prExtendedPictographic}, // E0.7   [3] (🗂�..🗄�)    card index dividers..file cabinet
+	{0x1F5C5, 0x1F5D0, prExtendedPictographic}, // E0.0  [12] (🗅..�)    EMPTY NOTE..PAGES
+	{0x1F5D1, 0x1F5D3, prExtendedPictographic}, // E0.7   [3] (🗑�..🗓�)    wastebasket..spiral calendar
+	{0x1F5D4, 0x1F5DB, prExtendedPictographic}, // E0.0   [8] (🗔..🗛)    DESKTOP WINDOW..DECREASE FONT SIZE SYMBOL
+	{0x1F5DC, 0x1F5DE, prExtendedPictographic}, // E0.7   [3] (🗜�..🗞�)    clamp..rolled-up newspaper
+	{0x1F5DF, 0x1F5E0, prExtendedPictographic}, // E0.0   [2] (🗟..🗠)    PAGE WITH CIRCLED TEXT..STOCK CHART
+	{0x1F5E1, 0x1F5E1, prExtendedPictographic}, // E0.7   [1] (🗡�)       dagger
+	{0x1F5E2, 0x1F5E2, prExtendedPictographic}, // E0.0   [1] (🗢)       LIPS
+	{0x1F5E3, 0x1F5E3, prExtendedPictographic}, // E0.7   [1] (🗣�)       speaking head
+	{0x1F5E4, 0x1F5E7, prExtendedPictographic}, // E0.0   [4] (🗤..🗧)    THREE RAYS ABOVE..THREE RAYS RIGHT
+	{0x1F5E8, 0x1F5E8, prExtendedPictographic}, // E2.0   [1] (🗨�)       left speech bubble
+	{0x1F5E9, 0x1F5EE, prExtendedPictographic}, // E0.0   [6] (🗩..🗮)    RIGHT SPEECH BUBBLE..LEFT ANGER BUBBLE
+	{0x1F5EF, 0x1F5EF, prExtendedPictographic}, // E0.7   [1] (🗯�)       right anger bubble
+	{0x1F5F0, 0x1F5F2, prExtendedPictographic}, // E0.0   [3] (🗰..🗲)    MOOD BUBBLE..LIGHTNING MOOD
+	{0x1F5F3, 0x1F5F3, prExtendedPictographic}, // E0.7   [1] (🗳�)       ballot box with ballot
+	{0x1F5F4, 0x1F5F9, prExtendedPictographic}, // E0.0   [6] (🗴..🗹)    BALLOT SCRIPT X..BALLOT BOX WITH BOLD CHECK
+	{0x1F5FA, 0x1F5FA, prExtendedPictographic}, // E0.7   [1] (🗺�)       world map
+	{0x1F5FB, 0x1F5FF, prExtendedPictographic}, // E0.6   [5] (🗻..🗿)    mount fuji..moai
+	{0x1F600, 0x1F600, prExtendedPictographic}, // E1.0   [1] (😀)       grinning face
+	{0x1F601, 0x1F606, prExtendedPictographic}, // E0.6   [6] (�..😆)    beaming face with smiling eyes..grinning squinting face
+	{0x1F607, 0x1F608, prExtendedPictographic}, // E1.0   [2] (😇..😈)    smiling face with halo..smiling face with horns
+	{0x1F609, 0x1F60D, prExtendedPictographic}, // E0.6   [5] (😉..�)    winking face..smiling face with heart-eyes
+	{0x1F60E, 0x1F60E, prExtendedPictographic}, // E1.0   [1] (😎)       smiling face with sunglasses
+	{0x1F60F, 0x1F60F, prExtendedPictographic}, // E0.6   [1] (�)       smirking face
+	{0x1F610, 0x1F610, prExtendedPictographic}, // E0.7   [1] (�)       neutral face
+	{0x1F611, 0x1F611, prExtendedPictographic}, // E1.0   [1] (😑)       expressionless face
+	{0x1F612, 0x1F614, prExtendedPictographic}, // E0.6   [3] (😒..😔)    unamused face..pensive face
+	{0x1F615, 0x1F615, prExtendedPictographic}, // E1.0   [1] (😕)       confused face
+	{0x1F616, 0x1F616, prExtendedPictographic}, // E0.6   [1] (😖)       confounded face
+	{0x1F617, 0x1F617, prExtendedPictographic}, // E1.0   [1] (😗)       kissing face
+	{0x1F618, 0x1F618, prExtendedPictographic}, // E0.6   [1] (😘)       face blowing a kiss
+	{0x1F619, 0x1F619, prExtendedPictographic}, // E1.0   [1] (😙)       kissing face with smiling eyes
+	{0x1F61A, 0x1F61A, prExtendedPictographic}, // E0.6   [1] (😚)       kissing face with closed eyes
+	{0x1F61B, 0x1F61B, prExtendedPictographic}, // E1.0   [1] (😛)       face with tongue
+	{0x1F61C, 0x1F61E, prExtendedPictographic}, // E0.6   [3] (😜..😞)    winking face with tongue..disappointed face
+	{0x1F61F, 0x1F61F, prExtendedPictographic}, // E1.0   [1] (😟)       worried face
+	{0x1F620, 0x1F625, prExtendedPictographic}, // E0.6   [6] (😠..😥)    angry face..sad but relieved face
+	{0x1F626, 0x1F627, prExtendedPictographic}, // E1.0   [2] (😦..😧)    frowning face with open mouth..anguished face
+	{0x1F628, 0x1F62B, prExtendedPictographic}, // E0.6   [4] (😨..😫)    fearful face..tired face
+	{0x1F62C, 0x1F62C, prExtendedPictographic}, // E1.0   [1] (😬)       grimacing face
+	{0x1F62D, 0x1F62D, prExtendedPictographic}, // E0.6   [1] (😭)       loudly crying face
+	{0x1F62E, 0x1F62F, prExtendedPictographic}, // E1.0   [2] (😮..😯)    face with open mouth..hushed face
+	{0x1F630, 0x1F633, prExtendedPictographic}, // E0.6   [4] (😰..😳)    anxious face with sweat..flushed face
+	{0x1F634, 0x1F634, prExtendedPictographic}, // E1.0   [1] (😴)       sleeping face
+	{0x1F635, 0x1F635, prExtendedPictographic}, // E0.6   [1] (😵)       face with crossed-out eyes
+	{0x1F636, 0x1F636, prExtendedPictographic}, // E1.0   [1] (😶)       face without mouth
+	{0x1F637, 0x1F640, prExtendedPictographic}, // E0.6  [10] (😷..🙀)    face with medical mask..weary cat
+	{0x1F641, 0x1F644, prExtendedPictographic}, // E1.0   [4] (�..🙄)    slightly frowning face..face with rolling eyes
+	{0x1F645, 0x1F64F, prExtendedPictographic}, // E0.6  [11] (🙅..�)    person gesturing NO..folded hands
+	{0x1F680, 0x1F680, prExtendedPictographic}, // E0.6   [1] (🚀)       rocket
+	{0x1F681, 0x1F682, prExtendedPictographic}, // E1.0   [2] (�..🚂)    helicopter..locomotive
+	{0x1F683, 0x1F685, prExtendedPictographic}, // E0.6   [3] (🚃..🚅)    railway car..bullet train
+	{0x1F686, 0x1F686, prExtendedPictographic}, // E1.0   [1] (🚆)       train
+	{0x1F687, 0x1F687, prExtendedPictographic}, // E0.6   [1] (🚇)       metro
+	{0x1F688, 0x1F688, prExtendedPictographic}, // E1.0   [1] (🚈)       light rail
+	{0x1F689, 0x1F689, prExtendedPictographic}, // E0.6   [1] (🚉)       station
+	{0x1F68A, 0x1F68B, prExtendedPictographic}, // E1.0   [2] (🚊..🚋)    tram..tram car
+	{0x1F68C, 0x1F68C, prExtendedPictographic}, // E0.6   [1] (🚌)       bus
+	{0x1F68D, 0x1F68D, prExtendedPictographic}, // E0.7   [1] (�)       oncoming bus
+	{0x1F68E, 0x1F68E, prExtendedPictographic}, // E1.0   [1] (🚎)       trolleybus
+	{0x1F68F, 0x1F68F, prExtendedPictographic}, // E0.6   [1] (�)       bus stop
+	{0x1F690, 0x1F690, prExtendedPictographic}, // E1.0   [1] (�)       minibus
+	{0x1F691, 0x1F693, prExtendedPictographic}, // E0.6   [3] (🚑..🚓)    ambulance..police car
+	{0x1F694, 0x1F694, prExtendedPictographic}, // E0.7   [1] (🚔)       oncoming police car
+	{0x1F695, 0x1F695, prExtendedPictographic}, // E0.6   [1] (🚕)       taxi
+	{0x1F696, 0x1F696, prExtendedPictographic}, // E1.0   [1] (🚖)       oncoming taxi
+	{0x1F697, 0x1F697, prExtendedPictographic}, // E0.6   [1] (🚗)       automobile
+	{0x1F698, 0x1F698, prExtendedPictographic}, // E0.7   [1] (🚘)       oncoming automobile
+	{0x1F699, 0x1F69A, prExtendedPictographic}, // E0.6   [2] (🚙..🚚)    sport utility vehicle..delivery truck
+	{0x1F69B, 0x1F6A1, prExtendedPictographic}, // E1.0   [7] (🚛..🚡)    articulated lorry..aerial tramway
+	{0x1F6A2, 0x1F6A2, prExtendedPictographic}, // E0.6   [1] (🚢)       ship
+	{0x1F6A3, 0x1F6A3, prExtendedPictographic}, // E1.0   [1] (🚣)       person rowing boat
+	{0x1F6A4, 0x1F6A5, prExtendedPictographic}, // E0.6   [2] (🚤..🚥)    speedboat..horizontal traffic light
+	{0x1F6A6, 0x1F6A6, prExtendedPictographic}, // E1.0   [1] (🚦)       vertical traffic light
+	{0x1F6A7, 0x1F6AD, prExtendedPictographic}, // E0.6   [7] (🚧..🚭)    construction..no smoking
+	{0x1F6AE, 0x1F6B1, prExtendedPictographic}, // E1.0   [4] (🚮..🚱)    litter in bin sign..non-potable water
+	{0x1F6B2, 0x1F6B2, prExtendedPictographic}, // E0.6   [1] (🚲)       bicycle
+	{0x1F6B3, 0x1F6B5, prExtendedPictographic}, // E1.0   [3] (🚳..🚵)    no bicycles..person mountain biking
+	{0x1F6B6, 0x1F6B6, prExtendedPictographic}, // E0.6   [1] (🚶)       person walking
+	{0x1F6B7, 0x1F6B8, prExtendedPictographic}, // E1.0   [2] (🚷..🚸)    no pedestrians..children crossing
+	{0x1F6B9, 0x1F6BE, prExtendedPictographic}, // E0.6   [6] (🚹..🚾)    men’s room..water closet
+	{0x1F6BF, 0x1F6BF, prExtendedPictographic}, // E1.0   [1] (🚿)       shower
+	{0x1F6C0, 0x1F6C0, prExtendedPictographic}, // E0.6   [1] (🛀)       person taking bath
+	{0x1F6C1, 0x1F6C5, prExtendedPictographic}, // E1.0   [5] (�..🛅)    bathtub..left luggage
+	{0x1F6C6, 0x1F6CA, prExtendedPictographic}, // E0.0   [5] (🛆..🛊)    TRIANGLE WITH ROUNDED CORNERS..GIRLS SYMBOL
+	{0x1F6CB, 0x1F6CB, prExtendedPictographic}, // E0.7   [1] (🛋�)       couch and lamp
+	{0x1F6CC, 0x1F6CC, prExtendedPictographic}, // E1.0   [1] (🛌)       person in bed
+	{0x1F6CD, 0x1F6CF, prExtendedPictographic}, // E0.7   [3] (��..��)    shopping bags..bed
+	{0x1F6D0, 0x1F6D0, prExtendedPictographic}, // E1.0   [1] (�)       place of worship
+	{0x1F6D1, 0x1F6D2, prExtendedPictographic}, // E3.0   [2] (🛑..🛒)    stop sign..shopping cart
+	{0x1F6D3, 0x1F6D4, prExtendedPictographic}, // E0.0   [2] (🛓..🛔)    STUPA..PAGODA
+	{0x1F6D5, 0x1F6D5, prExtendedPictographic}, // E12.0  [1] (🛕)       hindu temple
+	{0x1F6D6, 0x1F6D7, prExtendedPictographic}, // E13.0  [2] (🛖..🛗)    hut..elevator
+	{0x1F6D8, 0x1F6DB, prExtendedPictographic}, // E0.0   [4] (🛘..🛛)    <reserved-1F6D8>..<reserved-1F6DB>
+	{0x1F6DC, 0x1F6DC, prExtendedPictographic}, // E15.0  [1] (🛜)       wireless
+	{0x1F6DD, 0x1F6DF, prExtendedPictographic}, // E14.0  [3] (�..🛟)    playground slide..ring buoy
+	{0x1F6E0, 0x1F6E5, prExtendedPictographic}, // E0.7   [6] (🛠�..🛥�)    hammer and wrench..motor boat
+	{0x1F6E6, 0x1F6E8, prExtendedPictographic}, // E0.0   [3] (🛦..🛨)    UP-POINTING MILITARY AIRPLANE..UP-POINTING SMALL AIRPLANE
+	{0x1F6E9, 0x1F6E9, prExtendedPictographic}, // E0.7   [1] (🛩�)       small airplane
+	{0x1F6EA, 0x1F6EA, prExtendedPictographic}, // E0.0   [1] (🛪)       NORTHEAST-POINTING AIRPLANE
+	{0x1F6EB, 0x1F6EC, prExtendedPictographic}, // E1.0   [2] (🛫..🛬)    airplane departure..airplane arrival
+	{0x1F6ED, 0x1F6EF, prExtendedPictographic}, // E0.0   [3] (🛭..🛯)    <reserved-1F6ED>..<reserved-1F6EF>
+	{0x1F6F0, 0x1F6F0, prExtendedPictographic}, // E0.7   [1] (🛰�)       satellite
+	{0x1F6F1, 0x1F6F2, prExtendedPictographic}, // E0.0   [2] (🛱..🛲)    ONCOMING FIRE ENGINE..DIESEL LOCOMOTIVE
+	{0x1F6F3, 0x1F6F3, prExtendedPictographic}, // E0.7   [1] (🛳�)       passenger ship
+	{0x1F6F4, 0x1F6F6, prExtendedPictographic}, // E3.0   [3] (🛴..🛶)    kick scooter..canoe
+	{0x1F6F7, 0x1F6F8, prExtendedPictographic}, // E5.0   [2] (🛷..🛸)    sled..flying saucer
+	{0x1F6F9, 0x1F6F9, prExtendedPictographic}, // E11.0  [1] (🛹)       skateboard
+	{0x1F6FA, 0x1F6FA, prExtendedPictographic}, // E12.0  [1] (🛺)       auto rickshaw
+	{0x1F6FB, 0x1F6FC, prExtendedPictographic}, // E13.0  [2] (🛻..🛼)    pickup truck..roller skate
+	{0x1F6FD, 0x1F6FF, prExtendedPictographic}, // E0.0   [3] (🛽..🛿)    <reserved-1F6FD>..<reserved-1F6FF>
+	{0x1F774, 0x1F77F, prExtendedPictographic}, // E0.0  [12] (�..�)    LOT OF FORTUNE..ORCUS
+	{0x1F7D5, 0x1F7DF, prExtendedPictographic}, // E0.0  [11] (🟕..🟟)    CIRCLED TRIANGLE..<reserved-1F7DF>
+	{0x1F7E0, 0x1F7EB, prExtendedPictographic}, // E12.0 [12] (🟠..🟫)    orange circle..brown square
+	{0x1F7EC, 0x1F7EF, prExtendedPictographic}, // E0.0   [4] (🟬..🟯)    <reserved-1F7EC>..<reserved-1F7EF>
+	{0x1F7F0, 0x1F7F0, prExtendedPictographic}, // E14.0  [1] (🟰)       heavy equals sign
+	{0x1F7F1, 0x1F7FF, prExtendedPictographic}, // E0.0  [15] (🟱..🟿)    <reserved-1F7F1>..<reserved-1F7FF>
+	{0x1F80C, 0x1F80F, prExtendedPictographic}, // E0.0   [4] (🠌..�)    <reserved-1F80C>..<reserved-1F80F>
+	{0x1F848, 0x1F84F, prExtendedPictographic}, // E0.0   [8] (🡈..�)    <reserved-1F848>..<reserved-1F84F>
+	{0x1F85A, 0x1F85F, prExtendedPictographic}, // E0.0   [6] (🡚..🡟)    <reserved-1F85A>..<reserved-1F85F>
+	{0x1F888, 0x1F88F, prExtendedPictographic}, // E0.0   [8] (🢈..�)    <reserved-1F888>..<reserved-1F88F>
+	{0x1F8AE, 0x1F8FF, prExtendedPictographic}, // E0.0  [82] (🢮..🣿)    <reserved-1F8AE>..<reserved-1F8FF>
+	{0x1F90C, 0x1F90C, prExtendedPictographic}, // E13.0  [1] (🤌)       pinched fingers
+	{0x1F90D, 0x1F90F, prExtendedPictographic}, // E12.0  [3] (�..�)    white heart..pinching hand
+	{0x1F910, 0x1F918, prExtendedPictographic}, // E1.0   [9] (�..🤘)    zipper-mouth face..sign of the horns
+	{0x1F919, 0x1F91E, prExtendedPictographic}, // E3.0   [6] (🤙..🤞)    call me hand..crossed fingers
+	{0x1F91F, 0x1F91F, prExtendedPictographic}, // E5.0   [1] (🤟)       love-you gesture
+	{0x1F920, 0x1F927, prExtendedPictographic}, // E3.0   [8] (🤠..🤧)    cowboy hat face..sneezing face
+	{0x1F928, 0x1F92F, prExtendedPictographic}, // E5.0   [8] (🤨..🤯)    face with raised eyebrow..exploding head
+	{0x1F930, 0x1F930, prExtendedPictographic}, // E3.0   [1] (🤰)       pregnant woman
+	{0x1F931, 0x1F932, prExtendedPictographic}, // E5.0   [2] (🤱..🤲)    breast-feeding..palms up together
+	{0x1F933, 0x1F93A, prExtendedPictographic}, // E3.0   [8] (🤳..🤺)    selfie..person fencing
+	{0x1F93C, 0x1F93E, prExtendedPictographic}, // E3.0   [3] (🤼..🤾)    people wrestling..person playing handball
+	{0x1F93F, 0x1F93F, prExtendedPictographic}, // E12.0  [1] (🤿)       diving mask
+	{0x1F940, 0x1F945, prExtendedPictographic}, // E3.0   [6] (🥀..🥅)    wilted flower..goal net
+	{0x1F947, 0x1F94B, prExtendedPictographic}, // E3.0   [5] (🥇..🥋)    1st place medal..martial arts uniform
+	{0x1F94C, 0x1F94C, prExtendedPictographic}, // E5.0   [1] (🥌)       curling stone
+	{0x1F94D, 0x1F94F, prExtendedPictographic}, // E11.0  [3] (�..�)    lacrosse..flying disc
+	{0x1F950, 0x1F95E, prExtendedPictographic}, // E3.0  [15] (�..🥞)    croissant..pancakes
+	{0x1F95F, 0x1F96B, prExtendedPictographic}, // E5.0  [13] (🥟..🥫)    dumpling..canned food
+	{0x1F96C, 0x1F970, prExtendedPictographic}, // E11.0  [5] (🥬..🥰)    leafy green..smiling face with hearts
+	{0x1F971, 0x1F971, prExtendedPictographic}, // E12.0  [1] (🥱)       yawning face
+	{0x1F972, 0x1F972, prExtendedPictographic}, // E13.0  [1] (🥲)       smiling face with tear
+	{0x1F973, 0x1F976, prExtendedPictographic}, // E11.0  [4] (🥳..🥶)    partying face..cold face
+	{0x1F977, 0x1F978, prExtendedPictographic}, // E13.0  [2] (🥷..🥸)    ninja..disguised face
+	{0x1F979, 0x1F979, prExtendedPictographic}, // E14.0  [1] (🥹)       face holding back tears
+	{0x1F97A, 0x1F97A, prExtendedPictographic}, // E11.0  [1] (🥺)       pleading face
+	{0x1F97B, 0x1F97B, prExtendedPictographic}, // E12.0  [1] (🥻)       sari
+	{0x1F97C, 0x1F97F, prExtendedPictographic}, // E11.0  [4] (🥼..🥿)    lab coat..flat shoe
+	{0x1F980, 0x1F984, prExtendedPictographic}, // E1.0   [5] (🦀..🦄)    crab..unicorn
+	{0x1F985, 0x1F991, prExtendedPictographic}, // E3.0  [13] (🦅..🦑)    eagle..squid
+	{0x1F992, 0x1F997, prExtendedPictographic}, // E5.0   [6] (🦒..🦗)    giraffe..cricket
+	{0x1F998, 0x1F9A2, prExtendedPictographic}, // E11.0 [11] (🦘..🦢)    kangaroo..swan
+	{0x1F9A3, 0x1F9A4, prExtendedPictographic}, // E13.0  [2] (🦣..🦤)    mammoth..dodo
+	{0x1F9A5, 0x1F9AA, prExtendedPictographic}, // E12.0  [6] (🦥..🦪)    sloth..oyster
+	{0x1F9AB, 0x1F9AD, prExtendedPictographic}, // E13.0  [3] (🦫..🦭)    beaver..seal
+	{0x1F9AE, 0x1F9AF, prExtendedPictographic}, // E12.0  [2] (🦮..🦯)    guide dog..white cane
+	{0x1F9B0, 0x1F9B9, prExtendedPictographic}, // E11.0 [10] (🦰..🦹)    red hair..supervillain
+	{0x1F9BA, 0x1F9BF, prExtendedPictographic}, // E12.0  [6] (🦺..🦿)    safety vest..mechanical leg
+	{0x1F9C0, 0x1F9C0, prExtendedPictographic}, // E1.0   [1] (🧀)       cheese wedge
+	{0x1F9C1, 0x1F9C2, prExtendedPictographic}, // E11.0  [2] (�..🧂)    cupcake..salt
+	{0x1F9C3, 0x1F9CA, prExtendedPictographic}, // E12.0  [8] (🧃..🧊)    beverage box..ice
+	{0x1F9CB, 0x1F9CB, prExtendedPictographic}, // E13.0  [1] (🧋)       bubble tea
+	{0x1F9CC, 0x1F9CC, prExtendedPictographic}, // E14.0  [1] (🧌)       troll
+	{0x1F9CD, 0x1F9CF, prExtendedPictographic}, // E12.0  [3] (�..�)    person standing..deaf person
+	{0x1F9D0, 0x1F9E6, prExtendedPictographic}, // E5.0  [23] (�..🧦)    face with monocle..socks
+	{0x1F9E7, 0x1F9FF, prExtendedPictographic}, // E11.0 [25] (🧧..🧿)    red envelope..nazar amulet
+	{0x1FA00, 0x1FA6F, prExtendedPictographic}, // E0.0 [112] (🨀..🩯)    NEUTRAL CHESS KING..<reserved-1FA6F>
+	{0x1FA70, 0x1FA73, prExtendedPictographic}, // E12.0  [4] (🩰..🩳)    ballet shoes..shorts
+	{0x1FA74, 0x1FA74, prExtendedPictographic}, // E13.0  [1] (🩴)       thong sandal
+	{0x1FA75, 0x1FA77, prExtendedPictographic}, // E15.0  [3] (🩵..🩷)    light blue heart..pink heart
+	{0x1FA78, 0x1FA7A, prExtendedPictographic}, // E12.0  [3] (🩸..🩺)    drop of blood..stethoscope
+	{0x1FA7B, 0x1FA7C, prExtendedPictographic}, // E14.0  [2] (🩻..🩼)    x-ray..crutch
+	{0x1FA7D, 0x1FA7F, prExtendedPictographic}, // E0.0   [3] (🩽..🩿)    <reserved-1FA7D>..<reserved-1FA7F>
+	{0x1FA80, 0x1FA82, prExtendedPictographic}, // E12.0  [3] (🪀..🪂)    yo-yo..parachute
+	{0x1FA83, 0x1FA86, prExtendedPictographic}, // E13.0  [4] (🪃..🪆)    boomerang..nesting dolls
+	{0x1FA87, 0x1FA88, prExtendedPictographic}, // E15.0  [2] (🪇..🪈)    maracas..flute
+	{0x1FA89, 0x1FA8F, prExtendedPictographic}, // E0.0   [7] (🪉..�)    <reserved-1FA89>..<reserved-1FA8F>
+	{0x1FA90, 0x1FA95, prExtendedPictographic}, // E12.0  [6] (�..🪕)    ringed planet..banjo
+	{0x1FA96, 0x1FAA8, prExtendedPictographic}, // E13.0 [19] (🪖..🪨)    military helmet..rock
+	{0x1FAA9, 0x1FAAC, prExtendedPictographic}, // E14.0  [4] (🪩..🪬)    mirror ball..hamsa
+	{0x1FAAD, 0x1FAAF, prExtendedPictographic}, // E15.0  [3] (🪭..🪯)    folding hand fan..khanda
+	{0x1FAB0, 0x1FAB6, prExtendedPictographic}, // E13.0  [7] (🪰..🪶)    fly..feather
+	{0x1FAB7, 0x1FABA, prExtendedPictographic}, // E14.0  [4] (🪷..🪺)    lotus..nest with eggs
+	{0x1FABB, 0x1FABD, prExtendedPictographic}, // E15.0  [3] (🪻..🪽)    hyacinth..wing
+	{0x1FABE, 0x1FABE, prExtendedPictographic}, // E0.0   [1] (🪾)       <reserved-1FABE>
+	{0x1FABF, 0x1FABF, prExtendedPictographic}, // E15.0  [1] (🪿)       goose
+	{0x1FAC0, 0x1FAC2, prExtendedPictographic}, // E13.0  [3] (🫀..🫂)    anatomical heart..people hugging
+	{0x1FAC3, 0x1FAC5, prExtendedPictographic}, // E14.0  [3] (🫃..🫅)    pregnant man..person with crown
+	{0x1FAC6, 0x1FACD, prExtendedPictographic}, // E0.0   [8] (🫆..�)    <reserved-1FAC6>..<reserved-1FACD>
+	{0x1FACE, 0x1FACF, prExtendedPictographic}, // E15.0  [2] (🫎..�)    moose..donkey
+	{0x1FAD0, 0x1FAD6, prExtendedPictographic}, // E13.0  [7] (�..🫖)    blueberries..teapot
+	{0x1FAD7, 0x1FAD9, prExtendedPictographic}, // E14.0  [3] (🫗..🫙)    pouring liquid..jar
+	{0x1FADA, 0x1FADB, prExtendedPictographic}, // E15.0  [2] (🫚..🫛)    ginger root..pea pod
+	{0x1FADC, 0x1FADF, prExtendedPictographic}, // E0.0   [4] (🫜..🫟)    <reserved-1FADC>..<reserved-1FADF>
+	{0x1FAE0, 0x1FAE7, prExtendedPictographic}, // E14.0  [8] (🫠..🫧)    melting face..bubbles
+	{0x1FAE8, 0x1FAE8, prExtendedPictographic}, // E15.0  [1] (🫨)       shaking face
+	{0x1FAE9, 0x1FAEF, prExtendedPictographic}, // E0.0   [7] (🫩..🫯)    <reserved-1FAE9>..<reserved-1FAEF>
+	{0x1FAF0, 0x1FAF6, prExtendedPictographic}, // E14.0  [7] (🫰..🫶)    hand with index finger and thumb crossed..heart hands
+	{0x1FAF7, 0x1FAF8, prExtendedPictographic}, // E15.0  [2] (🫷..🫸)    leftwards pushing hand..rightwards pushing hand
+	{0x1FAF9, 0x1FAFF, prExtendedPictographic}, // E0.0   [7] (🫹..🫿)    <reserved-1FAF9>..<reserved-1FAFF>
+	{0x1FBF0, 0x1FBF9, prNumeric},              // Nd  [10] SEGMENTED DIGIT ZERO..SEGMENTED DIGIT NINE
+	{0x1FC00, 0x1FFFD, prExtendedPictographic}, // E0.0[1022] (🰀..🿽)    <reserved-1FC00>..<reserved-1FFFD>
+	{0xE0001, 0xE0001, prFormat},               // Cf       LANGUAGE TAG
+	{0xE0020, 0xE007F, prExtend},               // Cf  [96] TAG SPACE..CANCEL TAG
+	{0xE0100, 0xE01EF, prExtend},               // Mn [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256
+}
diff --git a/vendor/github.com/rivo/uniseg/wordrules.go b/vendor/github.com/rivo/uniseg/wordrules.go
new file mode 100644
index 0000000000..57a8c68311
--- /dev/null
+++ b/vendor/github.com/rivo/uniseg/wordrules.go
@@ -0,0 +1,282 @@
+package uniseg
+
+import "unicode/utf8"
+
+// The states of the word break parser.
+const (
+	wbAny = iota
+	wbCR
+	wbLF
+	wbNewline
+	wbWSegSpace
+	wbHebrewLetter
+	wbALetter
+	wbWB7
+	wbWB7c
+	wbNumeric
+	wbWB11
+	wbKatakana
+	wbExtendNumLet
+	wbOddRI
+	wbEvenRI
+	wbZWJBit = 16 // This bit is set for any states followed by at least one zero-width joiner (see WB4 and WB3c).
+)
+
+// wbTransitions implements the word break parser's state transitions. It's
+// anologous to [grTransitions], see comments there for details.
+//
+// Unicode version 15.0.0.
+func wbTransitions(state, prop int) (newState int, wordBreak bool, rule int) {
+	switch uint64(state) | uint64(prop)<<32 {
+	// WB3b.
+	case wbAny | prNewline<<32:
+		return wbNewline, true, 32
+	case wbAny | prCR<<32:
+		return wbCR, true, 32
+	case wbAny | prLF<<32:
+		return wbLF, true, 32
+
+	// WB3a.
+	case wbNewline | prAny<<32:
+		return wbAny, true, 31
+	case wbCR | prAny<<32:
+		return wbAny, true, 31
+	case wbLF | prAny<<32:
+		return wbAny, true, 31
+
+	// WB3.
+	case wbCR | prLF<<32:
+		return wbLF, false, 30
+
+	// WB3d.
+	case wbAny | prWSegSpace<<32:
+		return wbWSegSpace, true, 9990
+	case wbWSegSpace | prWSegSpace<<32:
+		return wbWSegSpace, false, 34
+
+	// WB5.
+	case wbAny | prALetter<<32:
+		return wbALetter, true, 9990
+	case wbAny | prHebrewLetter<<32:
+		return wbHebrewLetter, true, 9990
+	case wbALetter | prALetter<<32:
+		return wbALetter, false, 50
+	case wbALetter | prHebrewLetter<<32:
+		return wbHebrewLetter, false, 50
+	case wbHebrewLetter | prALetter<<32:
+		return wbALetter, false, 50
+	case wbHebrewLetter | prHebrewLetter<<32:
+		return wbHebrewLetter, false, 50
+
+	// WB7. Transitions to wbWB7 handled by transitionWordBreakState().
+	case wbWB7 | prALetter<<32:
+		return wbALetter, false, 70
+	case wbWB7 | prHebrewLetter<<32:
+		return wbHebrewLetter, false, 70
+
+	// WB7a.
+	case wbHebrewLetter | prSingleQuote<<32:
+		return wbAny, false, 71
+
+	// WB7c. Transitions to wbWB7c handled by transitionWordBreakState().
+	case wbWB7c | prHebrewLetter<<32:
+		return wbHebrewLetter, false, 73
+
+	// WB8.
+	case wbAny | prNumeric<<32:
+		return wbNumeric, true, 9990
+	case wbNumeric | prNumeric<<32:
+		return wbNumeric, false, 80
+
+	// WB9.
+	case wbALetter | prNumeric<<32:
+		return wbNumeric, false, 90
+	case wbHebrewLetter | prNumeric<<32:
+		return wbNumeric, false, 90
+
+	// WB10.
+	case wbNumeric | prALetter<<32:
+		return wbALetter, false, 100
+	case wbNumeric | prHebrewLetter<<32:
+		return wbHebrewLetter, false, 100
+
+	// WB11. Transitions to wbWB11 handled by transitionWordBreakState().
+	case wbWB11 | prNumeric<<32:
+		return wbNumeric, false, 110
+
+	// WB13.
+	case wbAny | prKatakana<<32:
+		return wbKatakana, true, 9990
+	case wbKatakana | prKatakana<<32:
+		return wbKatakana, false, 130
+
+	// WB13a.
+	case wbAny | prExtendNumLet<<32:
+		return wbExtendNumLet, true, 9990
+	case wbALetter | prExtendNumLet<<32:
+		return wbExtendNumLet, false, 131
+	case wbHebrewLetter | prExtendNumLet<<32:
+		return wbExtendNumLet, false, 131
+	case wbNumeric | prExtendNumLet<<32:
+		return wbExtendNumLet, false, 131
+	case wbKatakana | prExtendNumLet<<32:
+		return wbExtendNumLet, false, 131
+	case wbExtendNumLet | prExtendNumLet<<32:
+		return wbExtendNumLet, false, 131
+
+	// WB13b.
+	case wbExtendNumLet | prALetter<<32:
+		return wbALetter, false, 132
+	case wbExtendNumLet | prHebrewLetter<<32:
+		return wbHebrewLetter, false, 132
+	case wbExtendNumLet | prNumeric<<32:
+		return wbNumeric, false, 132
+	case wbExtendNumLet | prKatakana<<32:
+		return wbKatakana, false, 132
+
+	default:
+		return -1, false, -1
+	}
+}
+
+// transitionWordBreakState determines the new state of the word break parser
+// given the current state and the next code point. It also returns whether a
+// word boundary was detected. If more than one code point is needed to
+// determine the new state, the byte slice or the string starting after rune "r"
+// can be used (whichever is not nil or empty) for further lookups.
+func transitionWordBreakState(state int, r rune, b []byte, str string) (newState int, wordBreak bool) {
+	// Determine the property of the next character.
+	nextProperty := property(workBreakCodePoints, r)
+
+	// "Replacing Ignore Rules".
+	if nextProperty == prZWJ {
+		// WB4 (for zero-width joiners).
+		if state == wbNewline || state == wbCR || state == wbLF {
+			return wbAny | wbZWJBit, true // Make sure we don't apply WB4 to WB3a.
+		}
+		if state < 0 {
+			return wbAny | wbZWJBit, false
+		}
+		return state | wbZWJBit, false
+	} else if nextProperty == prExtend || nextProperty == prFormat {
+		// WB4 (for Extend and Format).
+		if state == wbNewline || state == wbCR || state == wbLF {
+			return wbAny, true // Make sure we don't apply WB4 to WB3a.
+		}
+		if state == wbWSegSpace || state == wbAny|wbZWJBit {
+			return wbAny, false // We don't break but this is also not WB3d or WB3c.
+		}
+		if state < 0 {
+			return wbAny, false
+		}
+		return state, false
+	} else if nextProperty == prExtendedPictographic && state >= 0 && state&wbZWJBit != 0 {
+		// WB3c.
+		return wbAny, false
+	}
+	if state >= 0 {
+		state = state &^ wbZWJBit
+	}
+
+	// Find the applicable transition in the table.
+	var rule int
+	newState, wordBreak, rule = wbTransitions(state, nextProperty)
+	if newState < 0 {
+		// No specific transition found. Try the less specific ones.
+		anyPropState, anyPropWordBreak, anyPropRule := wbTransitions(state, prAny)
+		anyStateState, anyStateWordBreak, anyStateRule := wbTransitions(wbAny, nextProperty)
+		if anyPropState >= 0 && anyStateState >= 0 {
+			// Both apply. We'll use a mix (see comments for grTransitions).
+			newState, wordBreak, rule = anyStateState, anyStateWordBreak, anyStateRule
+			if anyPropRule < anyStateRule {
+				wordBreak, rule = anyPropWordBreak, anyPropRule
+			}
+		} else if anyPropState >= 0 {
+			// We only have a specific state.
+			newState, wordBreak, rule = anyPropState, anyPropWordBreak, anyPropRule
+			// This branch will probably never be reached because okAnyState will
+			// always be true given the current transition map. But we keep it here
+			// for future modifications to the transition map where this may not be
+			// true anymore.
+		} else if anyStateState >= 0 {
+			// We only have a specific property.
+			newState, wordBreak, rule = anyStateState, anyStateWordBreak, anyStateRule
+		} else {
+			// No known transition. WB999: Any ÷ Any.
+			newState, wordBreak, rule = wbAny, true, 9990
+		}
+	}
+
+	// For those rules that need to look up runes further in the string, we
+	// determine the property after nextProperty, skipping over Format, Extend,
+	// and ZWJ (according to WB4). It's -1 if not needed, if such a rune cannot
+	// be determined (because the text ends or the rune is faulty).
+	farProperty := -1
+	if rule > 60 &&
+		(state == wbALetter || state == wbHebrewLetter || state == wbNumeric) &&
+		(nextProperty == prMidLetter || nextProperty == prMidNumLet || nextProperty == prSingleQuote || // WB6.
+			nextProperty == prDoubleQuote || // WB7b.
+			nextProperty == prMidNum) { // WB12.
+		for {
+			var (
+				r      rune
+				length int
+			)
+			if b != nil { // Byte slice version.
+				r, length = utf8.DecodeRune(b)
+				b = b[length:]
+			} else { // String version.
+				r, length = utf8.DecodeRuneInString(str)
+				str = str[length:]
+			}
+			if r == utf8.RuneError {
+				break
+			}
+			prop := property(workBreakCodePoints, r)
+			if prop == prExtend || prop == prFormat || prop == prZWJ {
+				continue
+			}
+			farProperty = prop
+			break
+		}
+	}
+
+	// WB6.
+	if rule > 60 &&
+		(state == wbALetter || state == wbHebrewLetter) &&
+		(nextProperty == prMidLetter || nextProperty == prMidNumLet || nextProperty == prSingleQuote) &&
+		(farProperty == prALetter || farProperty == prHebrewLetter) {
+		return wbWB7, false
+	}
+
+	// WB7b.
+	if rule > 72 &&
+		state == wbHebrewLetter &&
+		nextProperty == prDoubleQuote &&
+		farProperty == prHebrewLetter {
+		return wbWB7c, false
+	}
+
+	// WB12.
+	if rule > 120 &&
+		state == wbNumeric &&
+		(nextProperty == prMidNum || nextProperty == prMidNumLet || nextProperty == prSingleQuote) &&
+		farProperty == prNumeric {
+		return wbWB11, false
+	}
+
+	// WB15 and WB16.
+	if newState == wbAny && nextProperty == prRegionalIndicator {
+		if state != wbOddRI && state != wbEvenRI { // Includes state == -1.
+			// Transition into the first RI.
+			return wbOddRI, true
+		}
+		if state == wbOddRI {
+			// Don't break pairs of Regional Indicators.
+			return wbEvenRI, false
+		}
+		return wbOddRI, true // We can break after a pair.
+	}
+
+	return
+}
diff --git a/vendor/github.com/rubenv/sql-migrate/.dockerignore b/vendor/github.com/rubenv/sql-migrate/.dockerignore
new file mode 100644
index 0000000000..42bb921b46
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/.dockerignore
@@ -0,0 +1,6 @@
+*
+!go.mod
+!go.sum
+!*.go
+!sql-migrate/*.go
+!sqlparse/*.go
diff --git a/vendor/github.com/rubenv/sql-migrate/.gitignore b/vendor/github.com/rubenv/sql-migrate/.gitignore
new file mode 100644
index 0000000000..9720db0cfa
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/.gitignore
@@ -0,0 +1,9 @@
+.*.swp
+*.test
+.idea
+/vendor/
+
+/sql-migrate/test.db
+/test.db
+.vscode/
+bin/
diff --git a/vendor/github.com/rubenv/sql-migrate/.golangci.yaml b/vendor/github.com/rubenv/sql-migrate/.golangci.yaml
new file mode 100644
index 0000000000..f581841653
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/.golangci.yaml
@@ -0,0 +1,133 @@
+version: "2"
+run:
+  tests: true
+linters:
+  default: none
+  enable:
+    - asciicheck
+    - depguard
+    - errcheck
+    - errorlint
+    - exhaustive
+    - gocritic
+    - govet
+    - ineffassign
+    - nolintlint
+    - revive
+    - staticcheck
+    - unparam
+    - unused
+    - whitespace
+  settings:
+    depguard:
+      rules:
+        main:
+          allow:
+            - $gostd
+            - github.com/denisenkom/go-mssqldb
+            - github.com/go-sql-driver/mysql
+            - github.com/go-gorp/gorp/v3
+            - github.com/lib/pq
+            - github.com/mattn/go-sqlite3
+            - github.com/mitchellh/cli
+            - github.com/olekukonko/tablewriter
+            - github.com/rubenv/sql-migrate
+            - gopkg.in/check.v1
+            - gopkg.in/yaml.v2
+    exhaustive:
+      default-signifies-exhaustive: true
+    gocritic:
+      disabled-checks:
+        - ifElseChain
+    govet:
+      disable:
+        - fieldalignment
+      enable-all: true
+    nolintlint:
+      require-explanation: true
+      require-specific: true
+      allow-no-explanation:
+        - depguard
+      allow-unused: false
+    revive:
+      enable-all-rules: false
+      rules:
+        - name: atomic
+        - name: blank-imports
+        - name: bool-literal-in-expr
+        - name: call-to-gc
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: duplicated-imports
+        - name: empty-block
+        - name: empty-lines
+        - name: error-naming
+        - name: error-return
+        - name: error-strings
+        - name: errorf
+        - name: exported
+        - name: identical-branches
+        - name: imports-blocklist
+        - name: increment-decrement
+        - name: indent-error-flow
+        - name: modifies-parameter
+        - name: modifies-value-receiver
+        - name: package-comments
+        - name: range
+        - name: range-val-address
+        - name: range-val-in-closure
+        - name: receiver-naming
+        - name: string-format
+        - name: string-of-int
+        - name: struct-tag
+        - name: time-naming
+        - name: unconditional-recursion
+        - name: unexported-naming
+        - name: unexported-return
+        - name: superfluous-else
+        - name: unreachable-code
+        - name: var-declaration
+        - name: waitgroup-by-value
+        - name: unused-receiver
+        - name: unnecessary-stmt
+        - name: unused-parameter
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - path: (.+)\.go$
+        text: declaration of "err" shadows declaration at
+      - path: (.+)\.go$
+        text: 'error-strings: error strings should not be capitalized or end with punctuation or a newline'
+      - path: (.+)\.go$
+        text: 'ST1005: error strings should not end with punctuation or newline'
+      - path: (.+)\.go$
+        text: 'ST1005: error strings should not be capitalized'
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  max-issues-per-linter: 10000
+  max-same-issues: 10000
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/rubenv/sql-migrate
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/vendor/github.com/rubenv/sql-migrate/Dockerfile b/vendor/github.com/rubenv/sql-migrate/Dockerfile
new file mode 100644
index 0000000000..238ac714af
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/Dockerfile
@@ -0,0 +1,25 @@
+ARG GO_VERSION=1.20.6
+ARG ALPINE_VERSION=3.12
+
+### Vendor
+FROM golang:${GO_VERSION} as vendor
+COPY . /project
+WORKDIR /project
+RUN go mod tidy && go mod vendor
+
+### Build binary
+FROM golang:${GO_VERSION} as build-binary
+COPY . /project
+COPY --from=vendor /project/vendor /project/vendor
+WORKDIR /project
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 GO111MODULE=on go build \
+    -v \
+    -mod vendor \
+    -o /project/bin/sql-migrate \
+        /project/sql-migrate
+
+### Image
+FROM alpine:${ALPINE_VERSION} as image
+COPY --from=build-binary /project/bin/sql-migrate /usr/local/bin/sql-migrate
+RUN chmod +x /usr/local/bin/sql-migrate
+ENTRYPOINT ["sql-migrate"]
diff --git a/vendor/github.com/rubenv/sql-migrate/LICENSE b/vendor/github.com/rubenv/sql-migrate/LICENSE
new file mode 100644
index 0000000000..95e7c9abe7
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (C) 2014-2021 by Ruben Vermeersch <ruben@rocketeer.be>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/rubenv/sql-migrate/Makefile b/vendor/github.com/rubenv/sql-migrate/Makefile
new file mode 100644
index 0000000000..e17ae0ad4a
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/Makefile
@@ -0,0 +1,11 @@
+.PHONY: test lint build
+
+test:
+	go test ./...
+
+lint:
+	golangci-lint run --fix --config .golangci.yaml
+
+build:
+	mkdir -p bin
+	go build -o ./bin/sql-migrate ./sql-migrate
diff --git a/vendor/github.com/rubenv/sql-migrate/README.md b/vendor/github.com/rubenv/sql-migrate/README.md
new file mode 100644
index 0000000000..65fd7f70ef
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/README.md
@@ -0,0 +1,386 @@
+# sql-migrate
+
+> SQL Schema migration tool for [Go](https://golang.org/). Based on [gorp](https://github.com/go-gorp/gorp) and [goose](https://bitbucket.org/liamstask/goose).
+
+[![Test](https://github.com/rubenv/sql-migrate/actions/workflows/test.yml/badge.svg)](https://github.com/rubenv/sql-migrate/actions/workflows/test.yml) [![Go Reference](https://pkg.go.dev/badge/github.com/rubenv/sql-migrate.svg)](https://pkg.go.dev/github.com/rubenv/sql-migrate)
+
+## Features
+
+- Usable as a CLI tool or as a library
+- Supports SQLite, PostgreSQL, MySQL, MSSQL and Oracle databases (through [gorp](https://github.com/go-gorp/gorp))
+- Can embed migrations into your application
+- Migrations are defined with SQL for full flexibility
+- Atomic migrations
+- Up/down migrations to allow rollback
+- Supports multiple database types in one project
+- Works great with other libraries such as [sqlx](https://jmoiron.github.io/sqlx/)
+- Supported on go1.13+
+
+## Installation
+
+To install the library and command line program, use the following:
+
+```bash
+go get -v github.com/rubenv/sql-migrate/...
+```
+
+For Go version from 1.18, use:
+
+```bash
+go install github.com/rubenv/sql-migrate/...@latest
+```
+
+## Usage
+
+### As a standalone tool
+
+```
+$ sql-migrate --help
+usage: sql-migrate [--version] [--help] <command> [<args>]
+
+Available commands are:
+    down      Undo a database migration
+    new       Create a new migration
+    redo      Reapply the last migration
+    status    Show migration status
+    up        Migrates the database to the most recent version available
+```
+
+Each command requires a configuration file (which defaults to `dbconfig.yml`, but can be specified with the `-config` flag). This config file should specify one or more environments:
+
+```yml
+development:
+  dialect: sqlite3
+  datasource: test.db
+  dir: migrations/sqlite3
+
+production:
+  dialect: postgres
+  datasource: dbname=myapp sslmode=disable
+  dir: migrations/postgres
+  table: migrations
+```
+
+(See more examples for different set ups [here](test-integration/dbconfig.yml))
+
+Also one can obtain env variables in datasource field via `os.ExpandEnv` embedded call for the field.
+This may be useful if one doesn't want to store credentials in file:
+
+```yml
+production:
+  dialect: postgres
+  datasource: host=prodhost dbname=proddb user=${DB_USER} password=${DB_PASSWORD} sslmode=require
+  dir: migrations
+  table: migrations
+```
+
+The `table` setting is optional and will default to `gorp_migrations`.
+
+The environment that will be used can be specified with the `-env` flag (defaults to `development`).
+
+Use the `--help` flag in combination with any of the commands to get an overview of its usage:
+
+```
+$ sql-migrate up --help
+Usage: sql-migrate up [options] ...
+
+  Migrates the database to the most recent version available.
+
+Options:
+
+  -config=dbconfig.yml   Configuration file to use.
+  -env="development"     Environment.
+  -limit=0               Limit the number of migrations (0 = unlimited).
+  -version               Run migrate up to a specific version, eg: the version number of migration 1_initial.sql is 1.
+  -dryrun                Don't apply migrations, just print them.
+```
+
+The `new` command creates a new empty migration template using the following pattern `<current time>-<name>.sql`.
+
+The `up` command applies all available migrations. By contrast, `down` will only apply one migration by default. This behavior can be changed for both by using the `-limit` parameter, and the `-version` parameter. Note `-version` has higher priority than `-limit` if you try to use them both.
+
+The `redo` command will unapply the last migration and reapply it. This is useful during development, when you're writing migrations.
+
+Use the `status` command to see the state of the applied migrations:
+
+```bash
+$ sql-migrate status
++---------------+-----------------------------------------+
+|   MIGRATION   |                 APPLIED                 |
++---------------+-----------------------------------------+
+| 1_initial.sql | 2014-09-13 08:19:06.788354925 +0000 UTC |
+| 2_record.sql  | no                                      |
++---------------+-----------------------------------------+
+```
+
+#### Running Test Integrations
+
+You can see how to run setups for different setups by executing the `.sh` files in [test-integration](test-integration/)
+
+```bash
+# Run mysql-env.sh example (you need to be in the project root directory)
+
+./test-integration/mysql-env.sh
+```
+
+### MySQL Caveat
+
+If you are using MySQL, you must append `?parseTime=true` to the `datasource` configuration. For example:
+
+```yml
+production:
+  dialect: mysql
+  datasource: root@/dbname?parseTime=true
+  dir: migrations/mysql
+  table: migrations
+```
+
+See [here](https://github.com/go-sql-driver/mysql#parsetime) for more information.
+
+### Oracle (oci8)
+
+Oracle Driver is [oci8](https://github.com/mattn/go-oci8), it is not pure Go code and relies on Oracle Office Client ([Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html)), more detailed information is in the [oci8 repo](https://github.com/mattn/go-oci8).
+
+#### Install with Oracle support
+
+To install the library and command line program, use the following:
+
+```bash
+go get -tags oracle -v github.com/rubenv/sql-migrate/...
+```
+
+```yml
+development:
+  dialect: oci8
+  datasource: user/password@localhost:1521/sid
+  dir: migrations/oracle
+  table: migrations
+```
+
+### Oracle (godror)
+
+Oracle Driver is [godror](https://github.com/godror/godror), it is not pure Go code and relies on Oracle Office Client ([Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html)), more detailed information is in the [godror repository](https://github.com/godror/godror).
+
+#### Install with Oracle support
+
+To install the library and command line program, use the following:
+
+1. Install sql-migrate
+
+```bash
+go get -tags godror -v github.com/rubenv/sql-migrate/...
+```
+
+2. Download Oracle Office Client(e.g. macos, click [Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html) if you are other system)
+
+```bash
+wget https://download.oracle.com/otn_software/mac/instantclient/193000/instantclient-basic-macos.x64-19.3.0.0.0dbru.zip
+```
+
+3. Configure environment variables `LD_LIBRARY_PATH`
+
+```
+export LD_LIBRARY_PATH=your_oracle_office_path/instantclient_19_3
+```
+
+```yml
+development:
+  dialect: godror
+  datasource: user/password@localhost:1521/sid
+  dir: migrations/oracle
+  table: migrations
+```
+
+### As a library
+
+Import sql-migrate into your application:
+
+```go
+import "github.com/rubenv/sql-migrate"
+```
+
+Set up a source of migrations, this can be from memory, from a set of files, from bindata (more on that later), or from any library that implements [`http.FileSystem`](https://godoc.org/net/http#FileSystem):
+
+```go
+// Hardcoded strings in memory:
+migrations := &migrate.MemoryMigrationSource{
+    Migrations: []*migrate.Migration{
+        &migrate.Migration{
+            Id:   "123",
+            Up:   []string{"CREATE TABLE people (id int)"},
+            Down: []string{"DROP TABLE people"},
+        },
+    },
+}
+
+// OR: Read migrations from a folder:
+migrations := &migrate.FileMigrationSource{
+    Dir: "db/migrations",
+}
+
+// OR: Use migrations from a packr box
+// Note: Packr is no longer supported, your best option these days is [embed](https://pkg.go.dev/embed)
+migrations := &migrate.PackrMigrationSource{
+    Box: packr.New("migrations", "./migrations"),
+}
+
+// OR: Use pkger which implements `http.FileSystem`
+migrationSource := &migrate.HttpFileSystemMigrationSource{
+    FileSystem: pkger.Dir("/db/migrations"),
+}
+
+// OR: Use migrations from bindata:
+migrations := &migrate.AssetMigrationSource{
+    Asset:    Asset,
+    AssetDir: AssetDir,
+    Dir:      "migrations",
+}
+
+// OR: Read migrations from a `http.FileSystem`
+migrationSource := &migrate.HttpFileSystemMigrationSource{
+    FileSystem: httpFS,
+}
+```
+
+Then use the `Exec` function to upgrade your database:
+
+```go
+db, err := sql.Open("sqlite3", filename)
+if err != nil {
+    // Handle errors!
+}
+
+n, err := migrate.Exec(db, "sqlite3", migrations, migrate.Up)
+if err != nil {
+    // Handle errors!
+}
+fmt.Printf("Applied %d migrations!\n", n)
+```
+
+Note that `n` can be greater than `0` even if there is an error: any migration that succeeded will remain applied even if a later one fails.
+
+Check [the GoDoc reference](https://godoc.org/github.com/rubenv/sql-migrate) for the full documentation.
+
+## Writing migrations
+
+Migrations are defined in SQL files, which contain a set of SQL statements. Special comments are used to distinguish up and down migrations.
+
+```sql
+-- +migrate Up
+-- SQL in section 'Up' is executed when this migration is applied
+CREATE TABLE people (id int);
+
+
+-- +migrate Down
+-- SQL section 'Down' is executed when this migration is rolled back
+DROP TABLE people;
+```
+
+You can put multiple statements in each block, as long as you end them with a semicolon (`;`).
+
+You can alternatively set up a separator string that matches an entire line by setting `sqlparse.LineSeparator`. This
+can be used to imitate, for example, MS SQL Query Analyzer functionality where commands can be separated by a line with
+contents of `GO`. If `sqlparse.LineSeparator` is matched, it will not be included in the resulting migration scripts.
+
+If you have complex statements which contain semicolons, use `StatementBegin` and `StatementEnd` to indicate boundaries:
+
+```sql
+-- +migrate Up
+CREATE TABLE people (id int);
+
+-- +migrate StatementBegin
+CREATE OR REPLACE FUNCTION do_something()
+returns void AS $$
+DECLARE
+  create_query text;
+BEGIN
+  -- Do something here
+END;
+$$
+language plpgsql;
+-- +migrate StatementEnd
+
+-- +migrate Down
+DROP FUNCTION do_something();
+DROP TABLE people;
+```
+
+The order in which migrations are applied is defined through the filename: sql-migrate will sort migrations based on their name. It's recommended to use an increasing version number or a timestamp as the first part of the filename.
+
+Normally each migration is run within a transaction in order to guarantee that it is fully atomic. However some SQL commands (for example creating an index concurrently in PostgreSQL) cannot be executed inside a transaction. In order to execute such a command in a migration, the migration can be run using the `notransaction` option:
+
+```sql
+-- +migrate Up notransaction
+CREATE UNIQUE INDEX CONCURRENTLY people_unique_id_idx ON people (id);
+
+-- +migrate Down
+DROP INDEX people_unique_id_idx;
+```
+
+## Embedding migrations with [embed](https://pkg.go.dev/embed)
+
+If you like your Go applications self-contained (that is: a single binary): use [embed](https://pkg.go.dev/embed) to embed the migration files.
+
+Just write your migration files as usual, as a set of SQL files in a folder.
+
+Import the embed package into your application and point it to your migrations:
+
+```go
+import "embed"
+
+//go:embed migrations/*
+var dbMigrations embed.FS
+```
+
+Use the `EmbedFileSystemMigrationSource` in your application to find the migrations:
+
+```go
+migrations := migrate.EmbedFileSystemMigrationSource{
+	FileSystem: dbMigrations,
+	Root:       "migrations",
+}
+```
+
+Other options such as [packr](https://github.com/gobuffalo/packr) or [go-bindata](https://github.com/shuLhan/go-bindata) are no longer recommended.
+
+## Embedding migrations with libraries that implement `http.FileSystem`
+
+You can also embed migrations with any library that implements `http.FileSystem`, like [`vfsgen`](https://github.com/shurcooL/vfsgen), [`parcello`](https://github.com/phogolabs/parcello), or [`go-resources`](https://github.com/omeid/go-resources).
+
+```go
+migrationSource := &migrate.HttpFileSystemMigrationSource{
+    FileSystem: httpFS,
+}
+```
+
+## Extending
+
+Adding a new migration source means implementing `MigrationSource`.
+
+```go
+type MigrationSource interface {
+    FindMigrations() ([]*Migration, error)
+}
+```
+
+The resulting slice of migrations will be executed in the given order, so it should usually be sorted by the `Id` field.
+
+## Usage with [sqlx](https://jmoiron.github.io/sqlx/)
+
+This library is compatible with sqlx. When calling migrate just dereference the DB from your `*sqlx.DB`:
+
+```
+n, err := migrate.Exec(db.DB, "sqlite3", migrations, migrate.Up)
+                    //   ^^^ <-- Here db is a *sqlx.DB, the db.DB field is the plain sql.DB
+if err != nil {
+    // Handle errors!
+}
+```
+
+## Questions or Feedback?
+
+You can use Github Issues for feedback or questions.
+
+## License
+
+This library is distributed under the [MIT](LICENSE) license.
diff --git a/vendor/github.com/rubenv/sql-migrate/doc.go b/vendor/github.com/rubenv/sql-migrate/doc.go
new file mode 100644
index 0000000000..8ff186d0ff
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/doc.go
@@ -0,0 +1,238 @@
+/*
+SQL Schema migration tool for Go.
+
+Key features:
+
+  - Usable as a CLI tool or as a library
+  - Supports SQLite, PostgreSQL, MySQL, MSSQL and Oracle databases (through gorp)
+  - Can embed migrations into your application
+  - Migrations are defined with SQL for full flexibility
+  - Atomic migrations
+  - Up/down migrations to allow rollback
+  - Supports multiple database types in one project
+
+# Installation
+
+To install the library and command line program, use the following:
+
+	go get -v github.com/rubenv/sql-migrate/...
+
+# Command-line tool
+
+The main command is called sql-migrate.
+
+	$ sql-migrate --help
+	usage: sql-migrate [--version] [--help] <command> [<args>]
+
+	Available commands are:
+		down      Undo a database migration
+		new       Create a new migration
+		redo      Reapply the last migration
+		status    Show migration status
+		up        Migrates the database to the most recent version available
+
+Each command requires a configuration file (which defaults to dbconfig.yml, but can be specified with the -config flag). This config file should specify one or more environments:
+
+	development:
+		dialect: sqlite3
+		datasource: test.db
+		dir: migrations/sqlite3
+
+	production:
+		dialect: postgres
+		datasource: dbname=myapp sslmode=disable
+		dir: migrations/postgres
+		table: migrations
+
+The `table` setting is optional and will default to `gorp_migrations`.
+
+The environment that will be used can be specified with the -env flag (defaults to development).
+
+Use the --help flag in combination with any of the commands to get an overview of its usage:
+
+	$ sql-migrate up --help
+	Usage: sql-migrate up [options] ...
+
+	  Migrates the database to the most recent version available.
+
+	Options:
+
+	  -config=config.yml   Configuration file to use.
+	  -env="development"   Environment.
+	  -limit=0             Limit the number of migrations (0 = unlimited).
+	  -dryrun              Don't apply migrations, just print them.
+
+The up command applies all available migrations. By contrast, down will only apply one migration by default. This behavior can be changed for both by using the -limit parameter.
+
+The redo command will unapply the last migration and reapply it. This is useful during development, when you're writing migrations.
+
+Use the status command to see the state of the applied migrations:
+
+	$ sql-migrate status
+	+---------------+-----------------------------------------+
+	|   MIGRATION   |                 APPLIED                 |
+	+---------------+-----------------------------------------+
+	| 1_initial.sql | 2014-09-13 08:19:06.788354925 +0000 UTC |
+	| 2_record.sql  | no                                      |
+	+---------------+-----------------------------------------+
+
+# MySQL Caveat
+
+If you are using MySQL, you must append ?parseTime=true to the datasource configuration. For example:
+
+	production:
+		dialect: mysql
+		datasource: root@/dbname?parseTime=true
+		dir: migrations/mysql
+		table: migrations
+
+See https://github.com/go-sql-driver/mysql#parsetime for more information.
+
+# Library
+
+Import sql-migrate into your application:
+
+	import "github.com/rubenv/sql-migrate"
+
+Set up a source of migrations, this can be from memory, from a set of files or from bindata (more on that later):
+
+	// Hardcoded strings in memory:
+	migrations := &migrate.MemoryMigrationSource{
+		Migrations: []*migrate.Migration{
+			&migrate.Migration{
+				Id:   "123",
+				Up:   []string{"CREATE TABLE people (id int)"},
+				Down: []string{"DROP TABLE people"},
+			},
+		},
+	}
+
+	// OR: Read migrations from a folder:
+	migrations := &migrate.FileMigrationSource{
+		Dir: "db/migrations",
+	}
+
+	// OR: Use migrations from bindata:
+	migrations := &migrate.AssetMigrationSource{
+		Asset:    Asset,
+		AssetDir: AssetDir,
+		Dir:      "migrations",
+	}
+
+Then use the Exec function to upgrade your database:
+
+	db, err := sql.Open("sqlite3", filename)
+	if err != nil {
+		// Handle errors!
+	}
+
+	n, err := migrate.Exec(db, "sqlite3", migrations, migrate.Up)
+	if err != nil {
+		// Handle errors!
+	}
+	fmt.Printf("Applied %d migrations!\n", n)
+
+Note that n can be greater than 0 even if there is an error: any migration that succeeded will remain applied even if a later one fails.
+
+The full set of capabilities can be found in the API docs below.
+
+# Writing migrations
+
+Migrations are defined in SQL files, which contain a set of SQL statements. Special comments are used to distinguish up and down migrations.
+
+	-- +migrate Up
+	-- SQL in section 'Up' is executed when this migration is applied
+	CREATE TABLE people (id int);
+
+
+	-- +migrate Down
+	-- SQL section 'Down' is executed when this migration is rolled back
+	DROP TABLE people;
+
+You can put multiple statements in each block, as long as you end them with a semicolon (;).
+
+If you have complex statements which contain semicolons, use StatementBegin and StatementEnd to indicate boundaries:
+
+	-- +migrate Up
+	CREATE TABLE people (id int);
+
+	-- +migrate StatementBegin
+	CREATE OR REPLACE FUNCTION do_something()
+	returns void AS $$
+	DECLARE
+	  create_query text;
+	BEGIN
+	  -- Do something here
+	END;
+	$$
+	language plpgsql;
+	-- +migrate StatementEnd
+
+	-- +migrate Down
+	DROP FUNCTION do_something();
+	DROP TABLE people;
+
+The order in which migrations are applied is defined through the filename: sql-migrate will sort migrations based on their name. It's recommended to use an increasing version number or a timestamp as the first part of the filename.
+
+Normally each migration is run within a transaction in order to guarantee that it is fully atomic. However some SQL commands (for example creating an index concurrently in PostgreSQL) cannot be executed inside a transaction. In order to execute such a command in a migration, the migration can be run using the notransaction option:
+
+	-- +migrate Up notransaction
+	CREATE UNIQUE INDEX people_unique_id_idx CONCURRENTLY ON people (id);
+
+	-- +migrate Down
+	DROP INDEX people_unique_id_idx;
+
+# Embedding migrations with packr
+
+If you like your Go applications self-contained (that is: a single binary): use packr (https://github.com/gobuffalo/packr) to embed the migration files.
+
+Just write your migration files as usual, as a set of SQL files in a folder.
+
+Use the PackrMigrationSource in your application to find the migrations:
+
+	migrations := &migrate.PackrMigrationSource{
+		Box: packr.NewBox("./migrations"),
+	}
+
+If you already have a box and would like to use a subdirectory:
+
+	migrations := &migrate.PackrMigrationSource{
+		Box: myBox,
+		Dir: "./migrations",
+	}
+
+# Embedding migrations with bindata
+
+As an alternative, but slightly less maintained, you can use bindata (https://github.com/shuLhan/go-bindata) to embed the migration files.
+
+Just write your migration files as usual, as a set of SQL files in a folder.
+
+Then use bindata to generate a .go file with the migrations embedded:
+
+	go-bindata -pkg myapp -o bindata.go db/migrations/
+
+The resulting bindata.go file will contain your migrations. Remember to regenerate your bindata.go file whenever you add/modify a migration (go generate will help here, once it arrives).
+
+Use the AssetMigrationSource in your application to find the migrations:
+
+	migrations := &migrate.AssetMigrationSource{
+		Asset:    Asset,
+		AssetDir: AssetDir,
+		Dir:      "db/migrations",
+	}
+
+Both Asset and AssetDir are functions provided by bindata.
+
+Then proceed as usual.
+
+# Extending
+
+Adding a new migration source means implementing MigrationSource.
+
+	type MigrationSource interface {
+		FindMigrations() ([]*Migration, error)
+	}
+
+The resulting slice of migrations will be executed in the given order, so it should usually be sorted by the Id field.
+*/
+package migrate
diff --git a/vendor/github.com/rubenv/sql-migrate/migrate.go b/vendor/github.com/rubenv/sql-migrate/migrate.go
new file mode 100644
index 0000000000..c9cb4a48b6
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/migrate.go
@@ -0,0 +1,891 @@
+package migrate
+
+import (
+	"bytes"
+	"context"
+	"database/sql"
+	"embed"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/go-gorp/gorp/v3"
+
+	"github.com/rubenv/sql-migrate/sqlparse"
+)
+
+type MigrationDirection int
+
+const (
+	Up MigrationDirection = iota
+	Down
+)
+
+// MigrationSet provides database parameters for a migration execution
+type MigrationSet struct {
+	// TableName name of the table used to store migration info.
+	TableName string
+	// SchemaName schema that the migration table be referenced.
+	SchemaName string
+	// IgnoreUnknown skips the check to see if there is a migration
+	// ran in the database that is not in MigrationSource.
+	//
+	// This should be used sparingly as it is removing a safety check.
+	IgnoreUnknown bool
+	// DisableCreateTable disable the creation of the migration table
+	DisableCreateTable bool
+}
+
+var migSet = MigrationSet{}
+
+// NewMigrationSet returns a parametrized Migration object
+func (ms MigrationSet) getTableName() string {
+	if ms.TableName == "" {
+		return "gorp_migrations"
+	}
+	return ms.TableName
+}
+
+var numberPrefixRegex = regexp.MustCompile(`^(\d+).*$`)
+
+// PlanError happens where no migration plan could be created between the sets
+// of already applied migrations and the currently found. For example, when the database
+// contains a migration which is not among the migrations list found for an operation.
+type PlanError struct {
+	Migration    *Migration
+	ErrorMessage string
+}
+
+func newPlanError(migration *Migration, errorMessage string) error {
+	return &PlanError{
+		Migration:    migration,
+		ErrorMessage: errorMessage,
+	}
+}
+
+func (p *PlanError) Error() string {
+	return fmt.Sprintf("Unable to create migration plan because of %s: %s",
+		p.Migration.Id, p.ErrorMessage)
+}
+
+// TxError is returned when any error is encountered during a database
+// transaction. It contains the relevant *Migration and notes it's Id in the
+// Error function output.
+type TxError struct {
+	Migration *Migration
+	Err       error
+}
+
+func newTxError(migration *PlannedMigration, err error) error {
+	return &TxError{
+		Migration: migration.Migration,
+		Err:       err,
+	}
+}
+
+func (e *TxError) Error() string {
+	return e.Err.Error() + " handling " + e.Migration.Id
+}
+
+// Set the name of the table used to store migration info.
+//
+// Should be called before any other call such as (Exec, ExecMax, ...).
+func SetTable(name string) {
+	if name != "" {
+		migSet.TableName = name
+	}
+}
+
+// SetSchema sets the name of a schema that the migration table be referenced.
+func SetSchema(name string) {
+	if name != "" {
+		migSet.SchemaName = name
+	}
+}
+
+// SetDisableCreateTable sets the boolean to disable the creation of the migration table
+func SetDisableCreateTable(disable bool) {
+	migSet.DisableCreateTable = disable
+}
+
+// SetIgnoreUnknown sets the flag that skips database check to see if there is a
+// migration in the database that is not in migration source.
+//
+// This should be used sparingly as it is removing a safety check.
+func SetIgnoreUnknown(v bool) {
+	migSet.IgnoreUnknown = v
+}
+
+type Migration struct {
+	Id   string
+	Up   []string
+	Down []string
+
+	DisableTransactionUp   bool
+	DisableTransactionDown bool
+}
+
+func (m Migration) Less(other *Migration) bool {
+	switch {
+	case m.isNumeric() && other.isNumeric() && m.VersionInt() != other.VersionInt():
+		return m.VersionInt() < other.VersionInt()
+	case m.isNumeric() && !other.isNumeric():
+		return true
+	case !m.isNumeric() && other.isNumeric():
+		return false
+	default:
+		return m.Id < other.Id
+	}
+}
+
+func (m Migration) isNumeric() bool {
+	return len(m.NumberPrefixMatches()) > 0
+}
+
+func (m Migration) NumberPrefixMatches() []string {
+	return numberPrefixRegex.FindStringSubmatch(m.Id)
+}
+
+func (m Migration) VersionInt() int64 {
+	v := m.NumberPrefixMatches()[1]
+	value, err := strconv.ParseInt(v, 10, 64)
+	if err != nil {
+		panic(fmt.Sprintf("Could not parse %q into int64: %s", v, err))
+	}
+	return value
+}
+
+type PlannedMigration struct {
+	*Migration
+
+	DisableTransaction bool
+	Queries            []string
+}
+
+type byId []*Migration
+
+func (b byId) Len() int           { return len(b) }
+func (b byId) Swap(i, j int)      { b[i], b[j] = b[j], b[i] }
+func (b byId) Less(i, j int) bool { return b[i].Less(b[j]) }
+
+type MigrationRecord struct {
+	Id        string    `db:"id"`
+	AppliedAt time.Time `db:"applied_at"`
+}
+
+type OracleDialect struct {
+	gorp.OracleDialect
+}
+
+func (OracleDialect) IfTableNotExists(command, _, _ string) string {
+	return command
+}
+
+func (OracleDialect) IfSchemaNotExists(command, _ string) string {
+	return command
+}
+
+func (OracleDialect) IfTableExists(command, _, _ string) string {
+	return command
+}
+
+var MigrationDialects = map[string]gorp.Dialect{
+	"sqlite3":   gorp.SqliteDialect{},
+	"postgres":  gorp.PostgresDialect{},
+	"mysql":     gorp.MySQLDialect{Engine: "InnoDB", Encoding: "UTF8"},
+	"mssql":     gorp.SqlServerDialect{},
+	"oci8":      OracleDialect{},
+	"godror":    OracleDialect{},
+	"snowflake": gorp.SnowflakeDialect{},
+}
+
+type MigrationSource interface {
+	// Finds the migrations.
+	//
+	// The resulting slice of migrations should be sorted by Id.
+	FindMigrations() ([]*Migration, error)
+}
+
+// A hardcoded set of migrations, in-memory.
+type MemoryMigrationSource struct {
+	Migrations []*Migration
+}
+
+var _ MigrationSource = (*MemoryMigrationSource)(nil)
+
+func (m MemoryMigrationSource) FindMigrations() ([]*Migration, error) {
+	// Make sure migrations are sorted. In order to make the MemoryMigrationSource safe for
+	// concurrent use we should not mutate it in place. So `FindMigrations` would sort a copy
+	// of the m.Migrations.
+	migrations := make([]*Migration, len(m.Migrations))
+	copy(migrations, m.Migrations)
+	sort.Sort(byId(migrations))
+	return migrations, nil
+}
+
+// A set of migrations loaded from an http.FileServer
+
+type HttpFileSystemMigrationSource struct {
+	FileSystem http.FileSystem
+}
+
+var _ MigrationSource = (*HttpFileSystemMigrationSource)(nil)
+
+func (f HttpFileSystemMigrationSource) FindMigrations() ([]*Migration, error) {
+	return findMigrations(f.FileSystem, "/")
+}
+
+// A set of migrations loaded from a directory.
+type FileMigrationSource struct {
+	Dir string
+}
+
+var _ MigrationSource = (*FileMigrationSource)(nil)
+
+func (f FileMigrationSource) FindMigrations() ([]*Migration, error) {
+	filesystem := http.Dir(f.Dir)
+	return findMigrations(filesystem, "/")
+}
+
+func findMigrations(dir http.FileSystem, root string) ([]*Migration, error) {
+	migrations := make([]*Migration, 0)
+
+	file, err := dir.Open(root)
+	if err != nil {
+		return nil, err
+	}
+
+	files, err := file.Readdir(0)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, info := range files {
+		if strings.HasSuffix(info.Name(), ".sql") {
+			migration, err := migrationFromFile(dir, root, info)
+			if err != nil {
+				return nil, err
+			}
+
+			migrations = append(migrations, migration)
+		}
+	}
+
+	// Make sure migrations are sorted
+	sort.Sort(byId(migrations))
+
+	return migrations, nil
+}
+
+func migrationFromFile(dir http.FileSystem, root string, info os.FileInfo) (*Migration, error) {
+	path := path.Join(root, info.Name())
+	file, err := dir.Open(path)
+	if err != nil {
+		return nil, fmt.Errorf("Error while opening %s: %w", info.Name(), err)
+	}
+	defer func() { _ = file.Close() }()
+
+	migration, err := ParseMigration(info.Name(), file)
+	if err != nil {
+		return nil, fmt.Errorf("Error while parsing %s: %w", info.Name(), err)
+	}
+	return migration, nil
+}
+
+// Migrations from a bindata asset set.
+type AssetMigrationSource struct {
+	// Asset should return content of file in path if exists
+	Asset func(path string) ([]byte, error)
+
+	// AssetDir should return list of files in the path
+	AssetDir func(path string) ([]string, error)
+
+	// Path in the bindata to use.
+	Dir string
+}
+
+var _ MigrationSource = (*AssetMigrationSource)(nil)
+
+func (a AssetMigrationSource) FindMigrations() ([]*Migration, error) {
+	migrations := make([]*Migration, 0)
+
+	files, err := a.AssetDir(a.Dir)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, name := range files {
+		if strings.HasSuffix(name, ".sql") {
+			file, err := a.Asset(path.Join(a.Dir, name))
+			if err != nil {
+				return nil, err
+			}
+
+			migration, err := ParseMigration(name, bytes.NewReader(file))
+			if err != nil {
+				return nil, err
+			}
+
+			migrations = append(migrations, migration)
+		}
+	}
+
+	// Make sure migrations are sorted
+	sort.Sort(byId(migrations))
+
+	return migrations, nil
+}
+
+// A set of migrations loaded from an go1.16 embed.FS
+type EmbedFileSystemMigrationSource struct {
+	FileSystem embed.FS
+
+	Root string
+}
+
+var _ MigrationSource = (*EmbedFileSystemMigrationSource)(nil)
+
+func (f EmbedFileSystemMigrationSource) FindMigrations() ([]*Migration, error) {
+	return findMigrations(http.FS(f.FileSystem), f.Root)
+}
+
+// Avoids pulling in the packr library for everyone, mimicks the bits of
+// packr.Box that we need.
+type PackrBox interface {
+	List() []string
+	Find(name string) ([]byte, error)
+}
+
+// Migrations from a packr box.
+type PackrMigrationSource struct {
+	Box PackrBox
+
+	// Path in the box to use.
+	Dir string
+}
+
+var _ MigrationSource = (*PackrMigrationSource)(nil)
+
+func (p PackrMigrationSource) FindMigrations() ([]*Migration, error) {
+	migrations := make([]*Migration, 0)
+	items := p.Box.List()
+
+	prefix := ""
+	dir := path.Clean(p.Dir)
+	if dir != "." {
+		prefix = fmt.Sprintf("%s/", dir)
+	}
+
+	for _, item := range items {
+		if !strings.HasPrefix(item, prefix) {
+			continue
+		}
+		name := strings.TrimPrefix(item, prefix)
+		if strings.Contains(name, "/") {
+			continue
+		}
+
+		if strings.HasSuffix(name, ".sql") {
+			file, err := p.Box.Find(item)
+			if err != nil {
+				return nil, err
+			}
+
+			migration, err := ParseMigration(name, bytes.NewReader(file))
+			if err != nil {
+				return nil, err
+			}
+
+			migrations = append(migrations, migration)
+		}
+	}
+
+	// Make sure migrations are sorted
+	sort.Sort(byId(migrations))
+
+	return migrations, nil
+}
+
+// Migration parsing
+func ParseMigration(id string, r io.ReadSeeker) (*Migration, error) {
+	m := &Migration{
+		Id: id,
+	}
+
+	parsed, err := sqlparse.ParseMigration(r)
+	if err != nil {
+		return nil, fmt.Errorf("Error parsing migration (%s): %w", id, err)
+	}
+
+	m.Up = parsed.UpStatements
+	m.Down = parsed.DownStatements
+
+	m.DisableTransactionUp = parsed.DisableTransactionUp
+	m.DisableTransactionDown = parsed.DisableTransactionDown
+
+	return m, nil
+}
+
+type SqlExecutor interface {
+	Exec(query string, args ...interface{}) (sql.Result, error)
+	Insert(list ...interface{}) error
+	Delete(list ...interface{}) (int64, error)
+}
+
+// Execute a set of migrations
+//
+// Returns the number of applied migrations.
+func Exec(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection) (int, error) {
+	return ExecMaxContext(context.Background(), db, dialect, m, dir, 0)
+}
+
+// Returns the number of applied migrations.
+func (ms MigrationSet) Exec(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection) (int, error) {
+	return ms.ExecMaxContext(context.Background(), db, dialect, m, dir, 0)
+}
+
+// Execute a set of migrations with an input context.
+//
+// Returns the number of applied migrations.
+func ExecContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection) (int, error) {
+	return ExecMaxContext(ctx, db, dialect, m, dir, 0)
+}
+
+// Returns the number of applied migrations.
+func (ms MigrationSet) ExecContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection) (int, error) {
+	return ms.ExecMaxContext(ctx, db, dialect, m, dir, 0)
+}
+
+// Execute a set of migrations
+//
+// Will apply at most `max` migrations. Pass 0 for no limit (or use Exec).
+//
+// Returns the number of applied migrations.
+func ExecMax(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) {
+	return migSet.ExecMax(db, dialect, m, dir, max)
+}
+
+// Execute a set of migrations with an input context.
+//
+// Will apply at most `max` migrations. Pass 0 for no limit (or use Exec).
+//
+// Returns the number of applied migrations.
+func ExecMaxContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) {
+	return migSet.ExecMaxContext(ctx, db, dialect, m, dir, max)
+}
+
+// Execute a set of migrations
+//
+// Will apply at the target `version` of migration. Cannot be a negative value.
+//
+// Returns the number of applied migrations.
+func ExecVersion(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) (int, error) {
+	return ExecVersionContext(context.Background(), db, dialect, m, dir, version)
+}
+
+// Execute a set of migrations with an input context.
+//
+// Will apply at the target `version` of migration. Cannot be a negative value.
+//
+// Returns the number of applied migrations.
+func ExecVersionContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) (int, error) {
+	if version < 0 {
+		return 0, fmt.Errorf("target version %d should not be negative", version)
+	}
+	return migSet.ExecVersionContext(ctx, db, dialect, m, dir, version)
+}
+
+// Returns the number of applied migrations.
+func (ms MigrationSet) ExecMax(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) {
+	return ms.ExecMaxContext(context.Background(), db, dialect, m, dir, max)
+}
+
+// Returns the number of applied migrations, but applies with an input context.
+func (ms MigrationSet) ExecMaxContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) {
+	migrations, dbMap, err := ms.PlanMigration(db, dialect, m, dir, max)
+	if err != nil {
+		return 0, err
+	}
+	return ms.applyMigrations(ctx, dir, migrations, dbMap)
+}
+
+// Returns the number of applied migrations.
+func (ms MigrationSet) ExecVersion(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) (int, error) {
+	return ms.ExecVersionContext(context.Background(), db, dialect, m, dir, version)
+}
+
+func (ms MigrationSet) ExecVersionContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) (int, error) {
+	migrations, dbMap, err := ms.PlanMigrationToVersion(db, dialect, m, dir, version)
+	if err != nil {
+		return 0, err
+	}
+	return ms.applyMigrations(ctx, dir, migrations, dbMap)
+}
+
+// Applies the planned migrations and returns the number of applied migrations.
+func (MigrationSet) applyMigrations(ctx context.Context, dir MigrationDirection, migrations []*PlannedMigration, dbMap *gorp.DbMap) (int, error) {
+	applied := 0
+	for _, migration := range migrations {
+		var executor SqlExecutor
+		var err error
+
+		if migration.DisableTransaction {
+			executor = dbMap.WithContext(ctx)
+		} else {
+			e, err := dbMap.Begin()
+			if err != nil {
+				return applied, newTxError(migration, err)
+			}
+			executor = e.WithContext(ctx)
+		}
+
+		for _, stmt := range migration.Queries {
+			// remove the semicolon from stmt, fix ORA-00922 issue in database oracle
+			stmt = strings.TrimSuffix(stmt, "\n")
+			stmt = strings.TrimSuffix(stmt, " ")
+			stmt = strings.TrimSuffix(stmt, ";")
+			if _, err := executor.Exec(stmt); err != nil {
+				if trans, ok := executor.(*gorp.Transaction); ok {
+					_ = trans.Rollback()
+				}
+
+				return applied, newTxError(migration, err)
+			}
+		}
+
+		switch dir {
+		case Up:
+			err = executor.Insert(&MigrationRecord{
+				Id:        migration.Id,
+				AppliedAt: time.Now(),
+			})
+			if err != nil {
+				if trans, ok := executor.(*gorp.Transaction); ok {
+					_ = trans.Rollback()
+				}
+
+				return applied, newTxError(migration, err)
+			}
+		case Down:
+			_, err := executor.Delete(&MigrationRecord{
+				Id: migration.Id,
+			})
+			if err != nil {
+				if trans, ok := executor.(*gorp.Transaction); ok {
+					_ = trans.Rollback()
+				}
+
+				return applied, newTxError(migration, err)
+			}
+		default:
+			panic("Not possible")
+		}
+
+		if trans, ok := executor.(*gorp.Transaction); ok {
+			if err := trans.Commit(); err != nil {
+				return applied, newTxError(migration, err)
+			}
+		}
+
+		applied++
+	}
+
+	return applied, nil
+}
+
+// Plan a migration.
+func PlanMigration(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) ([]*PlannedMigration, *gorp.DbMap, error) {
+	return migSet.PlanMigration(db, dialect, m, dir, max)
+}
+
+// Plan a migration to version.
+func PlanMigrationToVersion(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) ([]*PlannedMigration, *gorp.DbMap, error) {
+	return migSet.PlanMigrationToVersion(db, dialect, m, dir, version)
+}
+
+// Plan a migration.
+func (ms MigrationSet) PlanMigration(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) ([]*PlannedMigration, *gorp.DbMap, error) {
+	return ms.planMigrationCommon(db, dialect, m, dir, max, -1)
+}
+
+// Plan a migration to version.
+func (ms MigrationSet) PlanMigrationToVersion(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) ([]*PlannedMigration, *gorp.DbMap, error) {
+	return ms.planMigrationCommon(db, dialect, m, dir, 0, version)
+}
+
+// A common method to plan a migration.
+func (ms MigrationSet) planMigrationCommon(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int, version int64) ([]*PlannedMigration, *gorp.DbMap, error) {
+	dbMap, err := ms.getMigrationDbMap(db, dialect)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	migrations, err := m.FindMigrations()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var migrationRecords []MigrationRecord
+	_, err = dbMap.Select(&migrationRecords, fmt.Sprintf("SELECT * FROM %s", dbMap.Dialect.QuotedTableForQuery(ms.SchemaName, ms.getTableName())))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Sort migrations that have been run by Id.
+	var existingMigrations []*Migration
+	for _, migrationRecord := range migrationRecords {
+		existingMigrations = append(existingMigrations, &Migration{
+			Id: migrationRecord.Id,
+		})
+	}
+	sort.Sort(byId(existingMigrations))
+
+	// Make sure all migrations in the database are among the found migrations which
+	// are to be applied.
+	if !ms.IgnoreUnknown {
+		migrationsSearch := make(map[string]struct{})
+		for _, migration := range migrations {
+			migrationsSearch[migration.Id] = struct{}{}
+		}
+		for _, existingMigration := range existingMigrations {
+			if _, ok := migrationsSearch[existingMigration.Id]; !ok {
+				return nil, nil, newPlanError(existingMigration, "unknown migration in database")
+			}
+		}
+	}
+
+	// Get last migration that was run
+	record := &Migration{}
+	if len(existingMigrations) > 0 {
+		record = existingMigrations[len(existingMigrations)-1]
+	}
+
+	result := make([]*PlannedMigration, 0)
+
+	// Add missing migrations up to the last run migration.
+	// This can happen for example when merges happened.
+	if len(existingMigrations) > 0 {
+		result = append(result, ToCatchup(migrations, existingMigrations, record)...)
+	}
+
+	// Figure out which migrations to apply
+	toApply := ToApply(migrations, record.Id, dir)
+	toApplyCount := len(toApply)
+
+	if version >= 0 {
+		targetIndex := 0
+		for targetIndex < len(toApply) {
+			tempVersion := toApply[targetIndex].VersionInt()
+			if dir == Up && tempVersion > version || dir == Down && tempVersion < version {
+				return nil, nil, newPlanError(&Migration{}, fmt.Errorf("unknown migration with version id %d in database", version).Error())
+			}
+			if tempVersion == version {
+				toApplyCount = targetIndex + 1
+				break
+			}
+			targetIndex++
+		}
+		if targetIndex == len(toApply) {
+			return nil, nil, newPlanError(&Migration{}, fmt.Errorf("unknown migration with version id %d in database", version).Error())
+		}
+	} else if max > 0 && max < toApplyCount {
+		toApplyCount = max
+	}
+	for _, v := range toApply[0:toApplyCount] {
+		switch dir {
+		case Up:
+			result = append(result, &PlannedMigration{
+				Migration:          v,
+				Queries:            v.Up,
+				DisableTransaction: v.DisableTransactionUp,
+			})
+		case Down:
+			result = append(result, &PlannedMigration{
+				Migration:          v,
+				Queries:            v.Down,
+				DisableTransaction: v.DisableTransactionDown,
+			})
+		}
+	}
+
+	return result, dbMap, nil
+}
+
+// Skip a set of migrations
+//
+// Will skip at most `max` migrations. Pass 0 for no limit.
+//
+// Returns the number of skipped migrations.
+func SkipMax(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) {
+	migrations, dbMap, err := PlanMigration(db, dialect, m, dir, max)
+	if err != nil {
+		return 0, err
+	}
+
+	// Skip migrations
+	applied := 0
+	for _, migration := range migrations {
+		var executor SqlExecutor
+
+		if migration.DisableTransaction {
+			executor = dbMap
+		} else {
+			executor, err = dbMap.Begin()
+			if err != nil {
+				return applied, newTxError(migration, err)
+			}
+		}
+
+		err = executor.Insert(&MigrationRecord{
+			Id:        migration.Id,
+			AppliedAt: time.Now(),
+		})
+		if err != nil {
+			if trans, ok := executor.(*gorp.Transaction); ok {
+				_ = trans.Rollback()
+			}
+
+			return applied, newTxError(migration, err)
+		}
+
+		if trans, ok := executor.(*gorp.Transaction); ok {
+			if err := trans.Commit(); err != nil {
+				return applied, newTxError(migration, err)
+			}
+		}
+
+		applied++
+	}
+
+	return applied, nil
+}
+
+// Filter a slice of migrations into ones that should be applied.
+func ToApply(migrations []*Migration, current string, direction MigrationDirection) []*Migration {
+	index := -1
+	if current != "" {
+		for index < len(migrations)-1 {
+			index++
+			if migrations[index].Id == current {
+				break
+			}
+		}
+	}
+
+	switch direction {
+	case Up:
+		return migrations[index+1:]
+	case Down:
+		if index == -1 {
+			return []*Migration{}
+		}
+		toApply := make([]*Migration, index+1)
+		for i := 0; i < index+1; i++ {
+			toApply[index-i] = migrations[i]
+		}
+		return toApply
+	}
+
+	panic("Not possible")
+}
+
+func ToCatchup(migrations, existingMigrations []*Migration, lastRun *Migration) []*PlannedMigration {
+	missing := make([]*PlannedMigration, 0)
+	for _, migration := range migrations {
+		found := false
+		for _, existing := range existingMigrations {
+			if existing.Id == migration.Id {
+				found = true
+				break
+			}
+		}
+		if !found && migration.Less(lastRun) {
+			missing = append(missing, &PlannedMigration{
+				Migration:          migration,
+				Queries:            migration.Up,
+				DisableTransaction: migration.DisableTransactionUp,
+			})
+		}
+	}
+	return missing
+}
+
+func GetMigrationRecords(db *sql.DB, dialect string) ([]*MigrationRecord, error) {
+	return migSet.GetMigrationRecords(db, dialect)
+}
+
+func (ms MigrationSet) GetMigrationRecords(db *sql.DB, dialect string) ([]*MigrationRecord, error) {
+	dbMap, err := ms.getMigrationDbMap(db, dialect)
+	if err != nil {
+		return nil, err
+	}
+
+	var records []*MigrationRecord
+	query := fmt.Sprintf("SELECT * FROM %s ORDER BY %s ASC", dbMap.Dialect.QuotedTableForQuery(ms.SchemaName, ms.getTableName()), dbMap.Dialect.QuoteField("id"))
+	_, err = dbMap.Select(&records, query)
+	if err != nil {
+		return nil, err
+	}
+
+	return records, nil
+}
+
+func (ms MigrationSet) getMigrationDbMap(db *sql.DB, dialect string) (*gorp.DbMap, error) {
+	d, ok := MigrationDialects[dialect]
+	if !ok {
+		return nil, fmt.Errorf("Unknown dialect: %s", dialect)
+	}
+
+	// When using the mysql driver, make sure that the parseTime option is
+	// configured, otherwise it won't map time columns to time.Time. See
+	// https://github.com/rubenv/sql-migrate/issues/2
+	if dialect == "mysql" {
+		var out *time.Time
+		err := db.QueryRow("SELECT NOW()").Scan(&out)
+		if err != nil {
+			if err.Error() == "sql: Scan error on column index 0: unsupported driver -> Scan pair: []uint8 -> *time.Time" ||
+				err.Error() == "sql: Scan error on column index 0: unsupported Scan, storing driver.Value type []uint8 into type *time.Time" ||
+				err.Error() == "sql: Scan error on column index 0, name \"NOW()\": unsupported Scan, storing driver.Value type []uint8 into type *time.Time" {
+				return nil, errors.New(`Cannot parse dates.
+
+Make sure that the parseTime option is supplied to your database connection.
+Check https://github.com/go-sql-driver/mysql#parsetime for more info.`)
+			}
+			return nil, err
+		}
+	}
+
+	// Create migration database map
+	dbMap := &gorp.DbMap{Db: db, Dialect: d}
+	table := dbMap.AddTableWithNameAndSchema(MigrationRecord{}, ms.SchemaName, ms.getTableName()).SetKeys(false, "Id")
+
+	if dialect == "oci8" || dialect == "godror" {
+		table.ColMap("Id").SetMaxSize(4000)
+	}
+
+	if ms.DisableCreateTable {
+		return dbMap, nil
+	}
+
+	err := dbMap.CreateTablesIfNotExists()
+	if err != nil {
+		// Oracle database does not support `if not exists`, so use `ORA-00955:` error code
+		// to check if the table exists.
+		if (dialect == "oci8" || dialect == "godror") && strings.Contains(err.Error(), "ORA-00955:") {
+			return dbMap, nil
+		}
+		return nil, err
+	}
+
+	return dbMap, nil
+}
+
+// TODO: Run migration + record insert in transaction.
diff --git a/vendor/github.com/rubenv/sql-migrate/sqlparse/LICENSE b/vendor/github.com/rubenv/sql-migrate/sqlparse/LICENSE
new file mode 100644
index 0000000000..9c12525138
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/sqlparse/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (C) 2014-2017 by Ruben Vermeersch <ruben@rocketeer.be>
+Copyright (C) 2012-2014 by Liam Staskawicz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/rubenv/sql-migrate/sqlparse/README.md b/vendor/github.com/rubenv/sql-migrate/sqlparse/README.md
new file mode 100644
index 0000000000..fa5341abdb
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/sqlparse/README.md
@@ -0,0 +1,7 @@
+# SQL migration parser
+
+Based on the [goose](https://bitbucket.org/liamstask/goose) migration parser.
+
+## License
+
+This library is distributed under the [MIT](LICENSE) license.
diff --git a/vendor/github.com/rubenv/sql-migrate/sqlparse/sqlparse.go b/vendor/github.com/rubenv/sql-migrate/sqlparse/sqlparse.go
new file mode 100644
index 0000000000..f04460e6e2
--- /dev/null
+++ b/vendor/github.com/rubenv/sql-migrate/sqlparse/sqlparse.go
@@ -0,0 +1,226 @@
+package sqlparse
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"strings"
+)
+
+const (
+	sqlCmdPrefix        = "-- +migrate "
+	optionNoTransaction = "notransaction"
+)
+
+type ParsedMigration struct {
+	UpStatements   []string
+	DownStatements []string
+
+	DisableTransactionUp   bool
+	DisableTransactionDown bool
+}
+
+// LineSeparator can be used to split migrations by an exact line match. This line
+// will be removed from the output. If left blank, it is not considered. It is defaulted
+// to blank so you will have to set it manually.
+// Use case: in MSSQL, it is convenient to separate commands by GO statements like in
+// SQL Query Analyzer.
+var LineSeparator = ""
+
+func errNoTerminator() error {
+	if len(LineSeparator) == 0 {
+		return fmt.Errorf(`ERROR: The last statement must be ended by a semicolon or '-- +migrate StatementEnd' marker.
+			See https://github.com/rubenv/sql-migrate for details.`)
+	}
+
+	return fmt.Errorf(`ERROR: The last statement must be ended by a semicolon, a line whose contents are %q, or '-- +migrate StatementEnd' marker.
+			See https://github.com/rubenv/sql-migrate for details.`, LineSeparator)
+}
+
+// Checks the line to see if the line has a statement-ending semicolon
+// or if the line contains a double-dash comment.
+func endsWithSemicolon(line string) bool {
+	prev := ""
+	scanner := bufio.NewScanner(strings.NewReader(line))
+	scanner.Split(bufio.ScanWords)
+
+	for scanner.Scan() {
+		word := scanner.Text()
+		if strings.HasPrefix(word, "--") {
+			break
+		}
+		prev = word
+	}
+
+	return strings.HasSuffix(prev, ";")
+}
+
+type migrationDirection int
+
+const (
+	directionNone migrationDirection = iota
+	directionUp
+	directionDown
+)
+
+type migrateCommand struct {
+	Command string
+	Options []string
+}
+
+func (c *migrateCommand) HasOption(opt string) bool {
+	for _, specifiedOption := range c.Options {
+		if specifiedOption == opt {
+			return true
+		}
+	}
+
+	return false
+}
+
+func parseCommand(line string) (*migrateCommand, error) {
+	cmd := &migrateCommand{}
+
+	if !strings.HasPrefix(line, sqlCmdPrefix) {
+		return nil, fmt.Errorf("ERROR: not a sql-migrate command")
+	}
+
+	fields := strings.Fields(line[len(sqlCmdPrefix):])
+	if len(fields) == 0 {
+		return nil, fmt.Errorf(`ERROR: incomplete migration command`)
+	}
+
+	cmd.Command = fields[0]
+
+	cmd.Options = fields[1:]
+
+	return cmd, nil
+}
+
+// Split the given sql script into individual statements.
+//
+// The base case is to simply split on semicolons, as these
+// naturally terminate a statement.
+//
+// However, more complex cases like pl/pgsql can have semicolons
+// within a statement. For these cases, we provide the explicit annotations
+// 'StatementBegin' and 'StatementEnd' to allow the script to
+// tell us to ignore semicolons.
+func ParseMigration(r io.ReadSeeker) (*ParsedMigration, error) {
+	p := &ParsedMigration{}
+
+	_, err := r.Seek(0, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	var buf bytes.Buffer
+	scanner := bufio.NewScanner(r)
+	scanner.Buffer(make([]byte, 0, 64*1024), 1024*1024)
+
+	statementEnded := false
+	ignoreSemicolons := false
+	currentDirection := directionNone
+
+	for scanner.Scan() {
+		line := scanner.Text()
+		// ignore comment except beginning with '-- +'
+		if strings.HasPrefix(line, "-- ") && !strings.HasPrefix(line, "-- +") {
+			continue
+		}
+
+		// handle any migrate-specific commands
+		if strings.HasPrefix(line, sqlCmdPrefix) {
+			cmd, err := parseCommand(line)
+			if err != nil {
+				return nil, err
+			}
+
+			switch cmd.Command {
+			case "Up":
+				if len(strings.TrimSpace(buf.String())) > 0 {
+					return nil, errNoTerminator()
+				}
+				currentDirection = directionUp
+				if cmd.HasOption(optionNoTransaction) {
+					p.DisableTransactionUp = true
+				}
+
+			case "Down":
+				if len(strings.TrimSpace(buf.String())) > 0 {
+					return nil, errNoTerminator()
+				}
+				currentDirection = directionDown
+				if cmd.HasOption(optionNoTransaction) {
+					p.DisableTransactionDown = true
+				}
+
+			case "StatementBegin":
+				if currentDirection != directionNone {
+					ignoreSemicolons = true
+				}
+
+			case "StatementEnd":
+				if currentDirection != directionNone {
+					statementEnded = ignoreSemicolons
+					ignoreSemicolons = false
+				}
+			}
+		}
+
+		if currentDirection == directionNone {
+			continue
+		}
+
+		isLineSeparator := !ignoreSemicolons && len(LineSeparator) > 0 && line == LineSeparator
+
+		if !isLineSeparator && !strings.HasPrefix(line, "-- +") {
+			if _, err := buf.WriteString(line + "\n"); err != nil {
+				return nil, err
+			}
+		}
+
+		// Wrap up the two supported cases: 1) basic with semicolon; 2) psql statement
+		// Lines that end with semicolon that are in a statement block
+		// do not conclude statement.
+		if (!ignoreSemicolons && (endsWithSemicolon(line) || isLineSeparator)) || statementEnded {
+			statementEnded = false
+			switch currentDirection {
+			case directionUp:
+				p.UpStatements = append(p.UpStatements, buf.String())
+
+			case directionDown:
+				p.DownStatements = append(p.DownStatements, buf.String())
+
+			default:
+				panic("impossible state")
+			}
+
+			buf.Reset()
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	// diagnose likely migration script errors
+	if ignoreSemicolons {
+		return nil, fmt.Errorf("ERROR: saw '-- +migrate StatementBegin' with no matching '-- +migrate StatementEnd'")
+	}
+
+	if currentDirection == directionNone {
+		return nil, fmt.Errorf(`ERROR: no Up/Down annotations found, so no statements were executed.
+			See https://github.com/rubenv/sql-migrate for details.`)
+	}
+
+	// allow comment without sql instruction. Example:
+	// -- +migrate Down
+	// -- nothing to downgrade!
+	if len(strings.TrimSpace(buf.String())) > 0 && !strings.HasPrefix(buf.String(), "-- +") {
+		return nil, errNoTerminator()
+	}
+
+	return p, nil
+}
diff --git a/vendor/github.com/russross/blackfriday/v2/.gitignore b/vendor/github.com/russross/blackfriday/v2/.gitignore
new file mode 100644
index 0000000000..75623dcccb
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/.gitignore
@@ -0,0 +1,8 @@
+*.out
+*.swp
+*.8
+*.6
+_obj
+_test*
+markdown
+tags
diff --git a/vendor/github.com/russross/blackfriday/v2/.travis.yml b/vendor/github.com/russross/blackfriday/v2/.travis.yml
new file mode 100644
index 0000000000..b0b525a5a8
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/.travis.yml
@@ -0,0 +1,17 @@
+sudo: false
+language: go
+go:
+  - "1.10.x"
+  - "1.11.x"
+  - tip
+matrix:
+  fast_finish: true
+  allow_failures:
+    - go: tip
+install:
+  - # Do nothing. This is needed to prevent default install action "go get -t -v ./..." from happening here (we want it to happen inside script step).
+script:
+  - go get -t -v ./...
+  - diff -u <(echo -n) <(gofmt -d -s .)
+  - go tool vet .
+  - go test -v ./...
diff --git a/vendor/github.com/russross/blackfriday/v2/LICENSE.txt b/vendor/github.com/russross/blackfriday/v2/LICENSE.txt
new file mode 100644
index 0000000000..2885af3602
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/LICENSE.txt
@@ -0,0 +1,29 @@
+Blackfriday is distributed under the Simplified BSD License:
+
+> Copyright © 2011 Russ Ross
+> All rights reserved.
+>
+> Redistribution and use in source and binary forms, with or without
+> modification, are permitted provided that the following conditions
+> are met:
+>
+> 1.  Redistributions of source code must retain the above copyright
+>     notice, this list of conditions and the following disclaimer.
+>
+> 2.  Redistributions in binary form must reproduce the above
+>     copyright notice, this list of conditions and the following
+>     disclaimer in the documentation and/or other materials provided with
+>     the distribution.
+>
+> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+> FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+> COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+> INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+> BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+> CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+> LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+> ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+> POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/russross/blackfriday/v2/README.md b/vendor/github.com/russross/blackfriday/v2/README.md
new file mode 100644
index 0000000000..d9c08a22fc
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/README.md
@@ -0,0 +1,335 @@
+Blackfriday
+[![Build Status][BuildV2SVG]][BuildV2URL]
+[![PkgGoDev][PkgGoDevV2SVG]][PkgGoDevV2URL]
+===========
+
+Blackfriday is a [Markdown][1] processor implemented in [Go][2]. It
+is paranoid about its input (so you can safely feed it user-supplied
+data), it is fast, it supports common extensions (tables, smart
+punctuation substitutions, etc.), and it is safe for all utf-8
+(unicode) input.
+
+HTML output is currently supported, along with Smartypants
+extensions.
+
+It started as a translation from C of [Sundown][3].
+
+
+Installation
+------------
+
+Blackfriday is compatible with modern Go releases in module mode.
+With Go installed:
+
+    go get github.com/russross/blackfriday/v2
+
+will resolve and add the package to the current development module,
+then build and install it. Alternatively, you can achieve the same
+if you import it in a package:
+
+    import "github.com/russross/blackfriday/v2"
+
+and `go get` without parameters.
+
+Legacy GOPATH mode is unsupported.
+
+
+Versions
+--------
+
+Currently maintained and recommended version of Blackfriday is `v2`. It's being
+developed on its own branch: https://github.com/russross/blackfriday/tree/v2 and the
+documentation is available at
+https://pkg.go.dev/github.com/russross/blackfriday/v2.
+
+It is `go get`-able in module mode at `github.com/russross/blackfriday/v2`.
+
+Version 2 offers a number of improvements over v1:
+
+* Cleaned up API
+* A separate call to [`Parse`][4], which produces an abstract syntax tree for
+  the document
+* Latest bug fixes
+* Flexibility to easily add your own rendering extensions
+
+Potential drawbacks:
+
+* Our benchmarks show v2 to be slightly slower than v1. Currently in the
+  ballpark of around 15%.
+* API breakage. If you can't afford modifying your code to adhere to the new API
+  and don't care too much about the new features, v2 is probably not for you.
+* Several bug fixes are trailing behind and still need to be forward-ported to
+  v2. See issue [#348](https://github.com/russross/blackfriday/issues/348) for
+  tracking.
+
+If you are still interested in the legacy `v1`, you can import it from
+`github.com/russross/blackfriday`. Documentation for the legacy v1 can be found
+here: https://pkg.go.dev/github.com/russross/blackfriday.
+
+
+Usage
+-----
+
+For the most sensible markdown processing, it is as simple as getting your input
+into a byte slice and calling:
+
+```go
+output := blackfriday.Run(input)
+```
+
+Your input will be parsed and the output rendered with a set of most popular
+extensions enabled. If you want the most basic feature set, corresponding with
+the bare Markdown specification, use:
+
+```go
+output := blackfriday.Run(input, blackfriday.WithNoExtensions())
+```
+
+### Sanitize untrusted content
+
+Blackfriday itself does nothing to protect against malicious content. If you are
+dealing with user-supplied markdown, we recommend running Blackfriday's output
+through HTML sanitizer such as [Bluemonday][5].
+
+Here's an example of simple usage of Blackfriday together with Bluemonday:
+
+```go
+import (
+    "github.com/microcosm-cc/bluemonday"
+    "github.com/russross/blackfriday/v2"
+)
+
+// ...
+unsafe := blackfriday.Run(input)
+html := bluemonday.UGCPolicy().SanitizeBytes(unsafe)
+```
+
+### Custom options
+
+If you want to customize the set of options, use `blackfriday.WithExtensions`,
+`blackfriday.WithRenderer` and `blackfriday.WithRefOverride`.
+
+### `blackfriday-tool`
+
+You can also check out `blackfriday-tool` for a more complete example
+of how to use it. Download and install it using:
+
+    go get github.com/russross/blackfriday-tool
+
+This is a simple command-line tool that allows you to process a
+markdown file using a standalone program.  You can also browse the
+source directly on github if you are just looking for some example
+code:
+
+* <https://github.com/russross/blackfriday-tool>
+
+Note that if you have not already done so, installing
+`blackfriday-tool` will be sufficient to download and install
+blackfriday in addition to the tool itself. The tool binary will be
+installed in `$GOPATH/bin`.  This is a statically-linked binary that
+can be copied to wherever you need it without worrying about
+dependencies and library versions.
+
+### Sanitized anchor names
+
+Blackfriday includes an algorithm for creating sanitized anchor names
+corresponding to a given input text. This algorithm is used to create
+anchors for headings when `AutoHeadingIDs` extension is enabled. The
+algorithm has a specification, so that other packages can create
+compatible anchor names and links to those anchors.
+
+The specification is located at https://pkg.go.dev/github.com/russross/blackfriday/v2#hdr-Sanitized_Anchor_Names.
+
+[`SanitizedAnchorName`](https://pkg.go.dev/github.com/russross/blackfriday/v2#SanitizedAnchorName) exposes this functionality, and can be used to
+create compatible links to the anchor names generated by blackfriday.
+This algorithm is also implemented in a small standalone package at
+[`github.com/shurcooL/sanitized_anchor_name`](https://pkg.go.dev/github.com/shurcooL/sanitized_anchor_name). It can be useful for clients
+that want a small package and don't need full functionality of blackfriday.
+
+
+Features
+--------
+
+All features of Sundown are supported, including:
+
+*   **Compatibility**. The Markdown v1.0.3 test suite passes with
+    the `--tidy` option.  Without `--tidy`, the differences are
+    mostly in whitespace and entity escaping, where blackfriday is
+    more consistent and cleaner.
+
+*   **Common extensions**, including table support, fenced code
+    blocks, autolinks, strikethroughs, non-strict emphasis, etc.
+
+*   **Safety**. Blackfriday is paranoid when parsing, making it safe
+    to feed untrusted user input without fear of bad things
+    happening. The test suite stress tests this and there are no
+    known inputs that make it crash.  If you find one, please let me
+    know and send me the input that does it.
+
+    NOTE: "safety" in this context means *runtime safety only*. In order to
+    protect yourself against JavaScript injection in untrusted content, see
+    [this example](https://github.com/russross/blackfriday#sanitize-untrusted-content).
+
+*   **Fast processing**. It is fast enough to render on-demand in
+    most web applications without having to cache the output.
+
+*   **Thread safety**. You can run multiple parsers in different
+    goroutines without ill effect. There is no dependence on global
+    shared state.
+
+*   **Minimal dependencies**. Blackfriday only depends on standard
+    library packages in Go. The source code is pretty
+    self-contained, so it is easy to add to any project, including
+    Google App Engine projects.
+
+*   **Standards compliant**. Output successfully validates using the
+    W3C validation tool for HTML 4.01 and XHTML 1.0 Transitional.
+
+
+Extensions
+----------
+
+In addition to the standard markdown syntax, this package
+implements the following extensions:
+
+*   **Intra-word emphasis supression**. The `_` character is
+    commonly used inside words when discussing code, so having
+    markdown interpret it as an emphasis command is usually the
+    wrong thing. Blackfriday lets you treat all emphasis markers as
+    normal characters when they occur inside a word.
+
+*   **Tables**. Tables can be created by drawing them in the input
+    using a simple syntax:
+
+    ```
+    Name    | Age
+    --------|------
+    Bob     | 27
+    Alice   | 23
+    ```
+
+*   **Fenced code blocks**. In addition to the normal 4-space
+    indentation to mark code blocks, you can explicitly mark them
+    and supply a language (to make syntax highlighting simple). Just
+    mark it like this:
+
+        ```go
+        func getTrue() bool {
+            return true
+        }
+        ```
+
+    You can use 3 or more backticks to mark the beginning of the
+    block, and the same number to mark the end of the block.
+
+    To preserve classes of fenced code blocks while using the bluemonday
+    HTML sanitizer, use the following policy:
+
+    ```go
+    p := bluemonday.UGCPolicy()
+    p.AllowAttrs("class").Matching(regexp.MustCompile("^language-[a-zA-Z0-9]+$")).OnElements("code")
+    html := p.SanitizeBytes(unsafe)
+    ```
+
+*   **Definition lists**. A simple definition list is made of a single-line
+    term followed by a colon and the definition for that term.
+
+        Cat
+        : Fluffy animal everyone likes
+
+        Internet
+        : Vector of transmission for pictures of cats
+
+    Terms must be separated from the previous definition by a blank line.
+
+*   **Footnotes**. A marker in the text that will become a superscript number;
+    a footnote definition that will be placed in a list of footnotes at the
+    end of the document. A footnote looks like this:
+
+        This is a footnote.[^1]
+
+        [^1]: the footnote text.
+
+*   **Autolinking**. Blackfriday can find URLs that have not been
+    explicitly marked as links and turn them into links.
+
+*   **Strikethrough**. Use two tildes (`~~`) to mark text that
+    should be crossed out.
+
+*   **Hard line breaks**. With this extension enabled newlines in the input
+    translate into line breaks in the output. This extension is off by default.
+
+*   **Smart quotes**. Smartypants-style punctuation substitution is
+    supported, turning normal double- and single-quote marks into
+    curly quotes, etc.
+
+*   **LaTeX-style dash parsing** is an additional option, where `--`
+    is translated into `&ndash;`, and `---` is translated into
+    `&mdash;`. This differs from most smartypants processors, which
+    turn a single hyphen into an ndash and a double hyphen into an
+    mdash.
+
+*   **Smart fractions**, where anything that looks like a fraction
+    is translated into suitable HTML (instead of just a few special
+    cases like most smartypant processors). For example, `4/5`
+    becomes `<sup>4</sup>&frasl;<sub>5</sub>`, which renders as
+    <sup>4</sup>&frasl;<sub>5</sub>.
+
+
+Other renderers
+---------------
+
+Blackfriday is structured to allow alternative rendering engines. Here
+are a few of note:
+
+*   [github_flavored_markdown](https://pkg.go.dev/github.com/shurcooL/github_flavored_markdown):
+    provides a GitHub Flavored Markdown renderer with fenced code block
+    highlighting, clickable heading anchor links.
+
+    It's not customizable, and its goal is to produce HTML output
+    equivalent to the [GitHub Markdown API endpoint](https://developer.github.com/v3/markdown/#render-a-markdown-document-in-raw-mode),
+    except the rendering is performed locally.
+
+*   [markdownfmt](https://github.com/shurcooL/markdownfmt): like gofmt,
+    but for markdown.
+
+*   [LaTeX output](https://gitlab.com/ambrevar/blackfriday-latex):
+    renders output as LaTeX.
+
+*   [bfchroma](https://github.com/Depado/bfchroma/): provides convenience
+    integration with the [Chroma](https://github.com/alecthomas/chroma) code
+    highlighting library. bfchroma is only compatible with v2 of Blackfriday and
+    provides a drop-in renderer ready to use with Blackfriday, as well as
+    options and means for further customization.
+
+*   [Blackfriday-Confluence](https://github.com/kentaro-m/blackfriday-confluence): provides a [Confluence Wiki Markup](https://confluence.atlassian.com/doc/confluence-wiki-markup-251003035.html) renderer.
+
+*   [Blackfriday-Slack](https://github.com/karriereat/blackfriday-slack): converts markdown to slack message style
+
+
+TODO
+----
+
+*   More unit testing
+*   Improve Unicode support. It does not understand all Unicode
+    rules (about what constitutes a letter, a punctuation symbol,
+    etc.), so it may fail to detect word boundaries correctly in
+    some instances. It is safe on all UTF-8 input.
+
+
+License
+-------
+
+[Blackfriday is distributed under the Simplified BSD License](LICENSE.txt)
+
+
+   [1]: https://daringfireball.net/projects/markdown/ "Markdown"
+   [2]: https://golang.org/ "Go Language"
+   [3]: https://github.com/vmg/sundown "Sundown"
+   [4]: https://pkg.go.dev/github.com/russross/blackfriday/v2#Parse "Parse func"
+   [5]: https://github.com/microcosm-cc/bluemonday "Bluemonday"
+
+   [BuildV2SVG]: https://travis-ci.org/russross/blackfriday.svg?branch=v2
+   [BuildV2URL]: https://travis-ci.org/russross/blackfriday
+   [PkgGoDevV2SVG]: https://pkg.go.dev/badge/github.com/russross/blackfriday/v2
+   [PkgGoDevV2URL]: https://pkg.go.dev/github.com/russross/blackfriday/v2
diff --git a/vendor/github.com/russross/blackfriday/v2/block.go b/vendor/github.com/russross/blackfriday/v2/block.go
new file mode 100644
index 0000000000..dcd61e6e35
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/block.go
@@ -0,0 +1,1612 @@
+//
+// Blackfriday Markdown Processor
+// Available at http://github.com/russross/blackfriday
+//
+// Copyright © 2011 Russ Ross <russ@russross.com>.
+// Distributed under the Simplified BSD License.
+// See README.md for details.
+//
+
+//
+// Functions to parse block-level elements.
+//
+
+package blackfriday
+
+import (
+	"bytes"
+	"html"
+	"regexp"
+	"strings"
+	"unicode"
+)
+
+const (
+	charEntity = "&(?:#x[a-f0-9]{1,8}|#[0-9]{1,8}|[a-z][a-z0-9]{1,31});"
+	escapable  = "[!\"#$%&'()*+,./:;<=>?@[\\\\\\]^_`{|}~-]"
+)
+
+var (
+	reBackslashOrAmp      = regexp.MustCompile("[\\&]")
+	reEntityOrEscapedChar = regexp.MustCompile("(?i)\\\\" + escapable + "|" + charEntity)
+)
+
+// Parse block-level data.
+// Note: this function and many that it calls assume that
+// the input buffer ends with a newline.
+func (p *Markdown) block(data []byte) {
+	// this is called recursively: enforce a maximum depth
+	if p.nesting >= p.maxNesting {
+		return
+	}
+	p.nesting++
+
+	// parse out one block-level construct at a time
+	for len(data) > 0 {
+		// prefixed heading:
+		//
+		// # Heading 1
+		// ## Heading 2
+		// ...
+		// ###### Heading 6
+		if p.isPrefixHeading(data) {
+			data = data[p.prefixHeading(data):]
+			continue
+		}
+
+		// block of preformatted HTML:
+		//
+		// <div>
+		//     ...
+		// </div>
+		if data[0] == '<' {
+			if i := p.html(data, true); i > 0 {
+				data = data[i:]
+				continue
+			}
+		}
+
+		// title block
+		//
+		// % stuff
+		// % more stuff
+		// % even more stuff
+		if p.extensions&Titleblock != 0 {
+			if data[0] == '%' {
+				if i := p.titleBlock(data, true); i > 0 {
+					data = data[i:]
+					continue
+				}
+			}
+		}
+
+		// blank lines.  note: returns the # of bytes to skip
+		if i := p.isEmpty(data); i > 0 {
+			data = data[i:]
+			continue
+		}
+
+		// indented code block:
+		//
+		//     func max(a, b int) int {
+		//         if a > b {
+		//             return a
+		//         }
+		//         return b
+		//      }
+		if p.codePrefix(data) > 0 {
+			data = data[p.code(data):]
+			continue
+		}
+
+		// fenced code block:
+		//
+		// ``` go
+		// func fact(n int) int {
+		//     if n <= 1 {
+		//         return n
+		//     }
+		//     return n * fact(n-1)
+		// }
+		// ```
+		if p.extensions&FencedCode != 0 {
+			if i := p.fencedCodeBlock(data, true); i > 0 {
+				data = data[i:]
+				continue
+			}
+		}
+
+		// horizontal rule:
+		//
+		// ------
+		// or
+		// ******
+		// or
+		// ______
+		if p.isHRule(data) {
+			p.addBlock(HorizontalRule, nil)
+			var i int
+			for i = 0; i < len(data) && data[i] != '\n'; i++ {
+			}
+			data = data[i:]
+			continue
+		}
+
+		// block quote:
+		//
+		// > A big quote I found somewhere
+		// > on the web
+		if p.quotePrefix(data) > 0 {
+			data = data[p.quote(data):]
+			continue
+		}
+
+		// table:
+		//
+		// Name  | Age | Phone
+		// ------|-----|---------
+		// Bob   | 31  | 555-1234
+		// Alice | 27  | 555-4321
+		if p.extensions&Tables != 0 {
+			if i := p.table(data); i > 0 {
+				data = data[i:]
+				continue
+			}
+		}
+
+		// an itemized/unordered list:
+		//
+		// * Item 1
+		// * Item 2
+		//
+		// also works with + or -
+		if p.uliPrefix(data) > 0 {
+			data = data[p.list(data, 0):]
+			continue
+		}
+
+		// a numbered/ordered list:
+		//
+		// 1. Item 1
+		// 2. Item 2
+		if p.oliPrefix(data) > 0 {
+			data = data[p.list(data, ListTypeOrdered):]
+			continue
+		}
+
+		// definition lists:
+		//
+		// Term 1
+		// :   Definition a
+		// :   Definition b
+		//
+		// Term 2
+		// :   Definition c
+		if p.extensions&DefinitionLists != 0 {
+			if p.dliPrefix(data) > 0 {
+				data = data[p.list(data, ListTypeDefinition):]
+				continue
+			}
+		}
+
+		// anything else must look like a normal paragraph
+		// note: this finds underlined headings, too
+		data = data[p.paragraph(data):]
+	}
+
+	p.nesting--
+}
+
+func (p *Markdown) addBlock(typ NodeType, content []byte) *Node {
+	p.closeUnmatchedBlocks()
+	container := p.addChild(typ, 0)
+	container.content = content
+	return container
+}
+
+func (p *Markdown) isPrefixHeading(data []byte) bool {
+	if data[0] != '#' {
+		return false
+	}
+
+	if p.extensions&SpaceHeadings != 0 {
+		level := 0
+		for level < 6 && level < len(data) && data[level] == '#' {
+			level++
+		}
+		if level == len(data) || data[level] != ' ' {
+			return false
+		}
+	}
+	return true
+}
+
+func (p *Markdown) prefixHeading(data []byte) int {
+	level := 0
+	for level < 6 && level < len(data) && data[level] == '#' {
+		level++
+	}
+	i := skipChar(data, level, ' ')
+	end := skipUntilChar(data, i, '\n')
+	skip := end
+	id := ""
+	if p.extensions&HeadingIDs != 0 {
+		j, k := 0, 0
+		// find start/end of heading id
+		for j = i; j < end-1 && (data[j] != '{' || data[j+1] != '#'); j++ {
+		}
+		for k = j + 1; k < end && data[k] != '}'; k++ {
+		}
+		// extract heading id iff found
+		if j < end && k < end {
+			id = string(data[j+2 : k])
+			end = j
+			skip = k + 1
+			for end > 0 && data[end-1] == ' ' {
+				end--
+			}
+		}
+	}
+	for end > 0 && data[end-1] == '#' {
+		if isBackslashEscaped(data, end-1) {
+			break
+		}
+		end--
+	}
+	for end > 0 && data[end-1] == ' ' {
+		end--
+	}
+	if end > i {
+		if id == "" && p.extensions&AutoHeadingIDs != 0 {
+			id = SanitizedAnchorName(string(data[i:end]))
+		}
+		block := p.addBlock(Heading, data[i:end])
+		block.HeadingID = id
+		block.Level = level
+	}
+	return skip
+}
+
+func (p *Markdown) isUnderlinedHeading(data []byte) int {
+	// test of level 1 heading
+	if data[0] == '=' {
+		i := skipChar(data, 1, '=')
+		i = skipChar(data, i, ' ')
+		if i < len(data) && data[i] == '\n' {
+			return 1
+		}
+		return 0
+	}
+
+	// test of level 2 heading
+	if data[0] == '-' {
+		i := skipChar(data, 1, '-')
+		i = skipChar(data, i, ' ')
+		if i < len(data) && data[i] == '\n' {
+			return 2
+		}
+		return 0
+	}
+
+	return 0
+}
+
+func (p *Markdown) titleBlock(data []byte, doRender bool) int {
+	if data[0] != '%' {
+		return 0
+	}
+	splitData := bytes.Split(data, []byte("\n"))
+	var i int
+	for idx, b := range splitData {
+		if !bytes.HasPrefix(b, []byte("%")) {
+			i = idx // - 1
+			break
+		}
+	}
+
+	data = bytes.Join(splitData[0:i], []byte("\n"))
+	consumed := len(data)
+	data = bytes.TrimPrefix(data, []byte("% "))
+	data = bytes.Replace(data, []byte("\n% "), []byte("\n"), -1)
+	block := p.addBlock(Heading, data)
+	block.Level = 1
+	block.IsTitleblock = true
+
+	return consumed
+}
+
+func (p *Markdown) html(data []byte, doRender bool) int {
+	var i, j int
+
+	// identify the opening tag
+	if data[0] != '<' {
+		return 0
+	}
+	curtag, tagfound := p.htmlFindTag(data[1:])
+
+	// handle special cases
+	if !tagfound {
+		// check for an HTML comment
+		if size := p.htmlComment(data, doRender); size > 0 {
+			return size
+		}
+
+		// check for an <hr> tag
+		if size := p.htmlHr(data, doRender); size > 0 {
+			return size
+		}
+
+		// no special case recognized
+		return 0
+	}
+
+	// look for an unindented matching closing tag
+	// followed by a blank line
+	found := false
+	/*
+		closetag := []byte("\n</" + curtag + ">")
+		j = len(curtag) + 1
+		for !found {
+			// scan for a closing tag at the beginning of a line
+			if skip := bytes.Index(data[j:], closetag); skip >= 0 {
+				j += skip + len(closetag)
+			} else {
+				break
+			}
+
+			// see if it is the only thing on the line
+			if skip := p.isEmpty(data[j:]); skip > 0 {
+				// see if it is followed by a blank line/eof
+				j += skip
+				if j >= len(data) {
+					found = true
+					i = j
+				} else {
+					if skip := p.isEmpty(data[j:]); skip > 0 {
+						j += skip
+						found = true
+						i = j
+					}
+				}
+			}
+		}
+	*/
+
+	// if not found, try a second pass looking for indented match
+	// but not if tag is "ins" or "del" (following original Markdown.pl)
+	if !found && curtag != "ins" && curtag != "del" {
+		i = 1
+		for i < len(data) {
+			i++
+			for i < len(data) && !(data[i-1] == '<' && data[i] == '/') {
+				i++
+			}
+
+			if i+2+len(curtag) >= len(data) {
+				break
+			}
+
+			j = p.htmlFindEnd(curtag, data[i-1:])
+
+			if j > 0 {
+				i += j - 1
+				found = true
+				break
+			}
+		}
+	}
+
+	if !found {
+		return 0
+	}
+
+	// the end of the block has been found
+	if doRender {
+		// trim newlines
+		end := i
+		for end > 0 && data[end-1] == '\n' {
+			end--
+		}
+		finalizeHTMLBlock(p.addBlock(HTMLBlock, data[:end]))
+	}
+
+	return i
+}
+
+func finalizeHTMLBlock(block *Node) {
+	block.Literal = block.content
+	block.content = nil
+}
+
+// HTML comment, lax form
+func (p *Markdown) htmlComment(data []byte, doRender bool) int {
+	i := p.inlineHTMLComment(data)
+	// needs to end with a blank line
+	if j := p.isEmpty(data[i:]); j > 0 {
+		size := i + j
+		if doRender {
+			// trim trailing newlines
+			end := size
+			for end > 0 && data[end-1] == '\n' {
+				end--
+			}
+			block := p.addBlock(HTMLBlock, data[:end])
+			finalizeHTMLBlock(block)
+		}
+		return size
+	}
+	return 0
+}
+
+// HR, which is the only self-closing block tag considered
+func (p *Markdown) htmlHr(data []byte, doRender bool) int {
+	if len(data) < 4 {
+		return 0
+	}
+	if data[0] != '<' || (data[1] != 'h' && data[1] != 'H') || (data[2] != 'r' && data[2] != 'R') {
+		return 0
+	}
+	if data[3] != ' ' && data[3] != '/' && data[3] != '>' {
+		// not an <hr> tag after all; at least not a valid one
+		return 0
+	}
+	i := 3
+	for i < len(data) && data[i] != '>' && data[i] != '\n' {
+		i++
+	}
+	if i < len(data) && data[i] == '>' {
+		i++
+		if j := p.isEmpty(data[i:]); j > 0 {
+			size := i + j
+			if doRender {
+				// trim newlines
+				end := size
+				for end > 0 && data[end-1] == '\n' {
+					end--
+				}
+				finalizeHTMLBlock(p.addBlock(HTMLBlock, data[:end]))
+			}
+			return size
+		}
+	}
+	return 0
+}
+
+func (p *Markdown) htmlFindTag(data []byte) (string, bool) {
+	i := 0
+	for i < len(data) && isalnum(data[i]) {
+		i++
+	}
+	key := string(data[:i])
+	if _, ok := blockTags[key]; ok {
+		return key, true
+	}
+	return "", false
+}
+
+func (p *Markdown) htmlFindEnd(tag string, data []byte) int {
+	// assume data[0] == '<' && data[1] == '/' already tested
+	if tag == "hr" {
+		return 2
+	}
+	// check if tag is a match
+	closetag := []byte("</" + tag + ">")
+	if !bytes.HasPrefix(data, closetag) {
+		return 0
+	}
+	i := len(closetag)
+
+	// check that the rest of the line is blank
+	skip := 0
+	if skip = p.isEmpty(data[i:]); skip == 0 {
+		return 0
+	}
+	i += skip
+	skip = 0
+
+	if i >= len(data) {
+		return i
+	}
+
+	if p.extensions&LaxHTMLBlocks != 0 {
+		return i
+	}
+	if skip = p.isEmpty(data[i:]); skip == 0 {
+		// following line must be blank
+		return 0
+	}
+
+	return i + skip
+}
+
+func (*Markdown) isEmpty(data []byte) int {
+	// it is okay to call isEmpty on an empty buffer
+	if len(data) == 0 {
+		return 0
+	}
+
+	var i int
+	for i = 0; i < len(data) && data[i] != '\n'; i++ {
+		if data[i] != ' ' && data[i] != '\t' {
+			return 0
+		}
+	}
+	if i < len(data) && data[i] == '\n' {
+		i++
+	}
+	return i
+}
+
+func (*Markdown) isHRule(data []byte) bool {
+	i := 0
+
+	// skip up to three spaces
+	for i < 3 && data[i] == ' ' {
+		i++
+	}
+
+	// look at the hrule char
+	if data[i] != '*' && data[i] != '-' && data[i] != '_' {
+		return false
+	}
+	c := data[i]
+
+	// the whole line must be the char or whitespace
+	n := 0
+	for i < len(data) && data[i] != '\n' {
+		switch {
+		case data[i] == c:
+			n++
+		case data[i] != ' ':
+			return false
+		}
+		i++
+	}
+
+	return n >= 3
+}
+
+// isFenceLine checks if there's a fence line (e.g., ``` or ``` go) at the beginning of data,
+// and returns the end index if so, or 0 otherwise. It also returns the marker found.
+// If info is not nil, it gets set to the syntax specified in the fence line.
+func isFenceLine(data []byte, info *string, oldmarker string) (end int, marker string) {
+	i, size := 0, 0
+
+	// skip up to three spaces
+	for i < len(data) && i < 3 && data[i] == ' ' {
+		i++
+	}
+
+	// check for the marker characters: ~ or `
+	if i >= len(data) {
+		return 0, ""
+	}
+	if data[i] != '~' && data[i] != '`' {
+		return 0, ""
+	}
+
+	c := data[i]
+
+	// the whole line must be the same char or whitespace
+	for i < len(data) && data[i] == c {
+		size++
+		i++
+	}
+
+	// the marker char must occur at least 3 times
+	if size < 3 {
+		return 0, ""
+	}
+	marker = string(data[i-size : i])
+
+	// if this is the end marker, it must match the beginning marker
+	if oldmarker != "" && marker != oldmarker {
+		return 0, ""
+	}
+
+	// TODO(shurcooL): It's probably a good idea to simplify the 2 code paths here
+	// into one, always get the info string, and discard it if the caller doesn't care.
+	if info != nil {
+		infoLength := 0
+		i = skipChar(data, i, ' ')
+
+		if i >= len(data) {
+			if i == len(data) {
+				return i, marker
+			}
+			return 0, ""
+		}
+
+		infoStart := i
+
+		if data[i] == '{' {
+			i++
+			infoStart++
+
+			for i < len(data) && data[i] != '}' && data[i] != '\n' {
+				infoLength++
+				i++
+			}
+
+			if i >= len(data) || data[i] != '}' {
+				return 0, ""
+			}
+
+			// strip all whitespace at the beginning and the end
+			// of the {} block
+			for infoLength > 0 && isspace(data[infoStart]) {
+				infoStart++
+				infoLength--
+			}
+
+			for infoLength > 0 && isspace(data[infoStart+infoLength-1]) {
+				infoLength--
+			}
+			i++
+			i = skipChar(data, i, ' ')
+		} else {
+			for i < len(data) && !isverticalspace(data[i]) {
+				infoLength++
+				i++
+			}
+		}
+
+		*info = strings.TrimSpace(string(data[infoStart : infoStart+infoLength]))
+	}
+
+	if i == len(data) {
+		return i, marker
+	}
+	if i > len(data) || data[i] != '\n' {
+		return 0, ""
+	}
+	return i + 1, marker // Take newline into account.
+}
+
+// fencedCodeBlock returns the end index if data contains a fenced code block at the beginning,
+// or 0 otherwise. It writes to out if doRender is true, otherwise it has no side effects.
+// If doRender is true, a final newline is mandatory to recognize the fenced code block.
+func (p *Markdown) fencedCodeBlock(data []byte, doRender bool) int {
+	var info string
+	beg, marker := isFenceLine(data, &info, "")
+	if beg == 0 || beg >= len(data) {
+		return 0
+	}
+	fenceLength := beg - 1
+
+	var work bytes.Buffer
+	work.Write([]byte(info))
+	work.WriteByte('\n')
+
+	for {
+		// safe to assume beg < len(data)
+
+		// check for the end of the code block
+		fenceEnd, _ := isFenceLine(data[beg:], nil, marker)
+		if fenceEnd != 0 {
+			beg += fenceEnd
+			break
+		}
+
+		// copy the current line
+		end := skipUntilChar(data, beg, '\n') + 1
+
+		// did we reach the end of the buffer without a closing marker?
+		if end >= len(data) {
+			return 0
+		}
+
+		// verbatim copy to the working buffer
+		if doRender {
+			work.Write(data[beg:end])
+		}
+		beg = end
+	}
+
+	if doRender {
+		block := p.addBlock(CodeBlock, work.Bytes()) // TODO: get rid of temp buffer
+		block.IsFenced = true
+		block.FenceLength = fenceLength
+		finalizeCodeBlock(block)
+	}
+
+	return beg
+}
+
+func unescapeChar(str []byte) []byte {
+	if str[0] == '\\' {
+		return []byte{str[1]}
+	}
+	return []byte(html.UnescapeString(string(str)))
+}
+
+func unescapeString(str []byte) []byte {
+	if reBackslashOrAmp.Match(str) {
+		return reEntityOrEscapedChar.ReplaceAllFunc(str, unescapeChar)
+	}
+	return str
+}
+
+func finalizeCodeBlock(block *Node) {
+	if block.IsFenced {
+		newlinePos := bytes.IndexByte(block.content, '\n')
+		firstLine := block.content[:newlinePos]
+		rest := block.content[newlinePos+1:]
+		block.Info = unescapeString(bytes.Trim(firstLine, "\n"))
+		block.Literal = rest
+	} else {
+		block.Literal = block.content
+	}
+	block.content = nil
+}
+
+func (p *Markdown) table(data []byte) int {
+	table := p.addBlock(Table, nil)
+	i, columns := p.tableHeader(data)
+	if i == 0 {
+		p.tip = table.Parent
+		table.Unlink()
+		return 0
+	}
+
+	p.addBlock(TableBody, nil)
+
+	for i < len(data) {
+		pipes, rowStart := 0, i
+		for ; i < len(data) && data[i] != '\n'; i++ {
+			if data[i] == '|' {
+				pipes++
+			}
+		}
+
+		if pipes == 0 {
+			i = rowStart
+			break
+		}
+
+		// include the newline in data sent to tableRow
+		if i < len(data) && data[i] == '\n' {
+			i++
+		}
+		p.tableRow(data[rowStart:i], columns, false)
+	}
+
+	return i
+}
+
+// check if the specified position is preceded by an odd number of backslashes
+func isBackslashEscaped(data []byte, i int) bool {
+	backslashes := 0
+	for i-backslashes-1 >= 0 && data[i-backslashes-1] == '\\' {
+		backslashes++
+	}
+	return backslashes&1 == 1
+}
+
+func (p *Markdown) tableHeader(data []byte) (size int, columns []CellAlignFlags) {
+	i := 0
+	colCount := 1
+	for i = 0; i < len(data) && data[i] != '\n'; i++ {
+		if data[i] == '|' && !isBackslashEscaped(data, i) {
+			colCount++
+		}
+	}
+
+	// doesn't look like a table header
+	if colCount == 1 {
+		return
+	}
+
+	// include the newline in the data sent to tableRow
+	j := i
+	if j < len(data) && data[j] == '\n' {
+		j++
+	}
+	header := data[:j]
+
+	// column count ignores pipes at beginning or end of line
+	if data[0] == '|' {
+		colCount--
+	}
+	if i > 2 && data[i-1] == '|' && !isBackslashEscaped(data, i-1) {
+		colCount--
+	}
+
+	columns = make([]CellAlignFlags, colCount)
+
+	// move on to the header underline
+	i++
+	if i >= len(data) {
+		return
+	}
+
+	if data[i] == '|' && !isBackslashEscaped(data, i) {
+		i++
+	}
+	i = skipChar(data, i, ' ')
+
+	// each column header is of form: / *:?-+:? *|/ with # dashes + # colons >= 3
+	// and trailing | optional on last column
+	col := 0
+	for i < len(data) && data[i] != '\n' {
+		dashes := 0
+
+		if data[i] == ':' {
+			i++
+			columns[col] |= TableAlignmentLeft
+			dashes++
+		}
+		for i < len(data) && data[i] == '-' {
+			i++
+			dashes++
+		}
+		if i < len(data) && data[i] == ':' {
+			i++
+			columns[col] |= TableAlignmentRight
+			dashes++
+		}
+		for i < len(data) && data[i] == ' ' {
+			i++
+		}
+		if i == len(data) {
+			return
+		}
+		// end of column test is messy
+		switch {
+		case dashes < 3:
+			// not a valid column
+			return
+
+		case data[i] == '|' && !isBackslashEscaped(data, i):
+			// marker found, now skip past trailing whitespace
+			col++
+			i++
+			for i < len(data) && data[i] == ' ' {
+				i++
+			}
+
+			// trailing junk found after last column
+			if col >= colCount && i < len(data) && data[i] != '\n' {
+				return
+			}
+
+		case (data[i] != '|' || isBackslashEscaped(data, i)) && col+1 < colCount:
+			// something else found where marker was required
+			return
+
+		case data[i] == '\n':
+			// marker is optional for the last column
+			col++
+
+		default:
+			// trailing junk found after last column
+			return
+		}
+	}
+	if col != colCount {
+		return
+	}
+
+	p.addBlock(TableHead, nil)
+	p.tableRow(header, columns, true)
+	size = i
+	if size < len(data) && data[size] == '\n' {
+		size++
+	}
+	return
+}
+
+func (p *Markdown) tableRow(data []byte, columns []CellAlignFlags, header bool) {
+	p.addBlock(TableRow, nil)
+	i, col := 0, 0
+
+	if data[i] == '|' && !isBackslashEscaped(data, i) {
+		i++
+	}
+
+	for col = 0; col < len(columns) && i < len(data); col++ {
+		for i < len(data) && data[i] == ' ' {
+			i++
+		}
+
+		cellStart := i
+
+		for i < len(data) && (data[i] != '|' || isBackslashEscaped(data, i)) && data[i] != '\n' {
+			i++
+		}
+
+		cellEnd := i
+
+		// skip the end-of-cell marker, possibly taking us past end of buffer
+		i++
+
+		for cellEnd > cellStart && cellEnd-1 < len(data) && data[cellEnd-1] == ' ' {
+			cellEnd--
+		}
+
+		cell := p.addBlock(TableCell, data[cellStart:cellEnd])
+		cell.IsHeader = header
+		cell.Align = columns[col]
+	}
+
+	// pad it out with empty columns to get the right number
+	for ; col < len(columns); col++ {
+		cell := p.addBlock(TableCell, nil)
+		cell.IsHeader = header
+		cell.Align = columns[col]
+	}
+
+	// silently ignore rows with too many cells
+}
+
+// returns blockquote prefix length
+func (p *Markdown) quotePrefix(data []byte) int {
+	i := 0
+	for i < 3 && i < len(data) && data[i] == ' ' {
+		i++
+	}
+	if i < len(data) && data[i] == '>' {
+		if i+1 < len(data) && data[i+1] == ' ' {
+			return i + 2
+		}
+		return i + 1
+	}
+	return 0
+}
+
+// blockquote ends with at least one blank line
+// followed by something without a blockquote prefix
+func (p *Markdown) terminateBlockquote(data []byte, beg, end int) bool {
+	if p.isEmpty(data[beg:]) <= 0 {
+		return false
+	}
+	if end >= len(data) {
+		return true
+	}
+	return p.quotePrefix(data[end:]) == 0 && p.isEmpty(data[end:]) == 0
+}
+
+// parse a blockquote fragment
+func (p *Markdown) quote(data []byte) int {
+	block := p.addBlock(BlockQuote, nil)
+	var raw bytes.Buffer
+	beg, end := 0, 0
+	for beg < len(data) {
+		end = beg
+		// Step over whole lines, collecting them. While doing that, check for
+		// fenced code and if one's found, incorporate it altogether,
+		// irregardless of any contents inside it
+		for end < len(data) && data[end] != '\n' {
+			if p.extensions&FencedCode != 0 {
+				if i := p.fencedCodeBlock(data[end:], false); i > 0 {
+					// -1 to compensate for the extra end++ after the loop:
+					end += i - 1
+					break
+				}
+			}
+			end++
+		}
+		if end < len(data) && data[end] == '\n' {
+			end++
+		}
+		if pre := p.quotePrefix(data[beg:]); pre > 0 {
+			// skip the prefix
+			beg += pre
+		} else if p.terminateBlockquote(data, beg, end) {
+			break
+		}
+		// this line is part of the blockquote
+		raw.Write(data[beg:end])
+		beg = end
+	}
+	p.block(raw.Bytes())
+	p.finalize(block)
+	return end
+}
+
+// returns prefix length for block code
+func (p *Markdown) codePrefix(data []byte) int {
+	if len(data) >= 1 && data[0] == '\t' {
+		return 1
+	}
+	if len(data) >= 4 && data[0] == ' ' && data[1] == ' ' && data[2] == ' ' && data[3] == ' ' {
+		return 4
+	}
+	return 0
+}
+
+func (p *Markdown) code(data []byte) int {
+	var work bytes.Buffer
+
+	i := 0
+	for i < len(data) {
+		beg := i
+		for i < len(data) && data[i] != '\n' {
+			i++
+		}
+		if i < len(data) && data[i] == '\n' {
+			i++
+		}
+
+		blankline := p.isEmpty(data[beg:i]) > 0
+		if pre := p.codePrefix(data[beg:i]); pre > 0 {
+			beg += pre
+		} else if !blankline {
+			// non-empty, non-prefixed line breaks the pre
+			i = beg
+			break
+		}
+
+		// verbatim copy to the working buffer
+		if blankline {
+			work.WriteByte('\n')
+		} else {
+			work.Write(data[beg:i])
+		}
+	}
+
+	// trim all the \n off the end of work
+	workbytes := work.Bytes()
+	eol := len(workbytes)
+	for eol > 0 && workbytes[eol-1] == '\n' {
+		eol--
+	}
+	if eol != len(workbytes) {
+		work.Truncate(eol)
+	}
+
+	work.WriteByte('\n')
+
+	block := p.addBlock(CodeBlock, work.Bytes()) // TODO: get rid of temp buffer
+	block.IsFenced = false
+	finalizeCodeBlock(block)
+
+	return i
+}
+
+// returns unordered list item prefix
+func (p *Markdown) uliPrefix(data []byte) int {
+	i := 0
+	// start with up to 3 spaces
+	for i < len(data) && i < 3 && data[i] == ' ' {
+		i++
+	}
+	if i >= len(data)-1 {
+		return 0
+	}
+	// need one of {'*', '+', '-'} followed by a space or a tab
+	if (data[i] != '*' && data[i] != '+' && data[i] != '-') ||
+		(data[i+1] != ' ' && data[i+1] != '\t') {
+		return 0
+	}
+	return i + 2
+}
+
+// returns ordered list item prefix
+func (p *Markdown) oliPrefix(data []byte) int {
+	i := 0
+
+	// start with up to 3 spaces
+	for i < 3 && i < len(data) && data[i] == ' ' {
+		i++
+	}
+
+	// count the digits
+	start := i
+	for i < len(data) && data[i] >= '0' && data[i] <= '9' {
+		i++
+	}
+	if start == i || i >= len(data)-1 {
+		return 0
+	}
+
+	// we need >= 1 digits followed by a dot and a space or a tab
+	if data[i] != '.' || !(data[i+1] == ' ' || data[i+1] == '\t') {
+		return 0
+	}
+	return i + 2
+}
+
+// returns definition list item prefix
+func (p *Markdown) dliPrefix(data []byte) int {
+	if len(data) < 2 {
+		return 0
+	}
+	i := 0
+	// need a ':' followed by a space or a tab
+	if data[i] != ':' || !(data[i+1] == ' ' || data[i+1] == '\t') {
+		return 0
+	}
+	for i < len(data) && data[i] == ' ' {
+		i++
+	}
+	return i + 2
+}
+
+// parse ordered or unordered list block
+func (p *Markdown) list(data []byte, flags ListType) int {
+	i := 0
+	flags |= ListItemBeginningOfList
+	block := p.addBlock(List, nil)
+	block.ListFlags = flags
+	block.Tight = true
+
+	for i < len(data) {
+		skip := p.listItem(data[i:], &flags)
+		if flags&ListItemContainsBlock != 0 {
+			block.ListData.Tight = false
+		}
+		i += skip
+		if skip == 0 || flags&ListItemEndOfList != 0 {
+			break
+		}
+		flags &= ^ListItemBeginningOfList
+	}
+
+	above := block.Parent
+	finalizeList(block)
+	p.tip = above
+	return i
+}
+
+// Returns true if the list item is not the same type as its parent list
+func (p *Markdown) listTypeChanged(data []byte, flags *ListType) bool {
+	if p.dliPrefix(data) > 0 && *flags&ListTypeDefinition == 0 {
+		return true
+	} else if p.oliPrefix(data) > 0 && *flags&ListTypeOrdered == 0 {
+		return true
+	} else if p.uliPrefix(data) > 0 && (*flags&ListTypeOrdered != 0 || *flags&ListTypeDefinition != 0) {
+		return true
+	}
+	return false
+}
+
+// Returns true if block ends with a blank line, descending if needed
+// into lists and sublists.
+func endsWithBlankLine(block *Node) bool {
+	// TODO: figure this out. Always false now.
+	for block != nil {
+		//if block.lastLineBlank {
+		//return true
+		//}
+		t := block.Type
+		if t == List || t == Item {
+			block = block.LastChild
+		} else {
+			break
+		}
+	}
+	return false
+}
+
+func finalizeList(block *Node) {
+	block.open = false
+	item := block.FirstChild
+	for item != nil {
+		// check for non-final list item ending with blank line:
+		if endsWithBlankLine(item) && item.Next != nil {
+			block.ListData.Tight = false
+			break
+		}
+		// recurse into children of list item, to see if there are spaces
+		// between any of them:
+		subItem := item.FirstChild
+		for subItem != nil {
+			if endsWithBlankLine(subItem) && (item.Next != nil || subItem.Next != nil) {
+				block.ListData.Tight = false
+				break
+			}
+			subItem = subItem.Next
+		}
+		item = item.Next
+	}
+}
+
+// Parse a single list item.
+// Assumes initial prefix is already removed if this is a sublist.
+func (p *Markdown) listItem(data []byte, flags *ListType) int {
+	// keep track of the indentation of the first line
+	itemIndent := 0
+	if data[0] == '\t' {
+		itemIndent += 4
+	} else {
+		for itemIndent < 3 && data[itemIndent] == ' ' {
+			itemIndent++
+		}
+	}
+
+	var bulletChar byte = '*'
+	i := p.uliPrefix(data)
+	if i == 0 {
+		i = p.oliPrefix(data)
+	} else {
+		bulletChar = data[i-2]
+	}
+	if i == 0 {
+		i = p.dliPrefix(data)
+		// reset definition term flag
+		if i > 0 {
+			*flags &= ^ListTypeTerm
+		}
+	}
+	if i == 0 {
+		// if in definition list, set term flag and continue
+		if *flags&ListTypeDefinition != 0 {
+			*flags |= ListTypeTerm
+		} else {
+			return 0
+		}
+	}
+
+	// skip leading whitespace on first line
+	for i < len(data) && data[i] == ' ' {
+		i++
+	}
+
+	// find the end of the line
+	line := i
+	for i > 0 && i < len(data) && data[i-1] != '\n' {
+		i++
+	}
+
+	// get working buffer
+	var raw bytes.Buffer
+
+	// put the first line into the working buffer
+	raw.Write(data[line:i])
+	line = i
+
+	// process the following lines
+	containsBlankLine := false
+	sublist := 0
+	codeBlockMarker := ""
+
+gatherlines:
+	for line < len(data) {
+		i++
+
+		// find the end of this line
+		for i < len(data) && data[i-1] != '\n' {
+			i++
+		}
+
+		// if it is an empty line, guess that it is part of this item
+		// and move on to the next line
+		if p.isEmpty(data[line:i]) > 0 {
+			containsBlankLine = true
+			line = i
+			continue
+		}
+
+		// calculate the indentation
+		indent := 0
+		indentIndex := 0
+		if data[line] == '\t' {
+			indentIndex++
+			indent += 4
+		} else {
+			for indent < 4 && line+indent < i && data[line+indent] == ' ' {
+				indent++
+				indentIndex++
+			}
+		}
+
+		chunk := data[line+indentIndex : i]
+
+		if p.extensions&FencedCode != 0 {
+			// determine if in or out of codeblock
+			// if in codeblock, ignore normal list processing
+			_, marker := isFenceLine(chunk, nil, codeBlockMarker)
+			if marker != "" {
+				if codeBlockMarker == "" {
+					// start of codeblock
+					codeBlockMarker = marker
+				} else {
+					// end of codeblock.
+					codeBlockMarker = ""
+				}
+			}
+			// we are in a codeblock, write line, and continue
+			if codeBlockMarker != "" || marker != "" {
+				raw.Write(data[line+indentIndex : i])
+				line = i
+				continue gatherlines
+			}
+		}
+
+		// evaluate how this line fits in
+		switch {
+		// is this a nested list item?
+		case (p.uliPrefix(chunk) > 0 && !p.isHRule(chunk)) ||
+			p.oliPrefix(chunk) > 0 ||
+			p.dliPrefix(chunk) > 0:
+
+			// to be a nested list, it must be indented more
+			// if not, it is either a different kind of list
+			// or the next item in the same list
+			if indent <= itemIndent {
+				if p.listTypeChanged(chunk, flags) {
+					*flags |= ListItemEndOfList
+				} else if containsBlankLine {
+					*flags |= ListItemContainsBlock
+				}
+
+				break gatherlines
+			}
+
+			if containsBlankLine {
+				*flags |= ListItemContainsBlock
+			}
+
+			// is this the first item in the nested list?
+			if sublist == 0 {
+				sublist = raw.Len()
+			}
+
+		// is this a nested prefix heading?
+		case p.isPrefixHeading(chunk):
+			// if the heading is not indented, it is not nested in the list
+			// and thus ends the list
+			if containsBlankLine && indent < 4 {
+				*flags |= ListItemEndOfList
+				break gatherlines
+			}
+			*flags |= ListItemContainsBlock
+
+		// anything following an empty line is only part
+		// of this item if it is indented 4 spaces
+		// (regardless of the indentation of the beginning of the item)
+		case containsBlankLine && indent < 4:
+			if *flags&ListTypeDefinition != 0 && i < len(data)-1 {
+				// is the next item still a part of this list?
+				next := i
+				for next < len(data) && data[next] != '\n' {
+					next++
+				}
+				for next < len(data)-1 && data[next] == '\n' {
+					next++
+				}
+				if i < len(data)-1 && data[i] != ':' && data[next] != ':' {
+					*flags |= ListItemEndOfList
+				}
+			} else {
+				*flags |= ListItemEndOfList
+			}
+			break gatherlines
+
+		// a blank line means this should be parsed as a block
+		case containsBlankLine:
+			raw.WriteByte('\n')
+			*flags |= ListItemContainsBlock
+		}
+
+		// if this line was preceded by one or more blanks,
+		// re-introduce the blank into the buffer
+		if containsBlankLine {
+			containsBlankLine = false
+			raw.WriteByte('\n')
+		}
+
+		// add the line into the working buffer without prefix
+		raw.Write(data[line+indentIndex : i])
+
+		line = i
+	}
+
+	rawBytes := raw.Bytes()
+
+	block := p.addBlock(Item, nil)
+	block.ListFlags = *flags
+	block.Tight = false
+	block.BulletChar = bulletChar
+	block.Delimiter = '.' // Only '.' is possible in Markdown, but ')' will also be possible in CommonMark
+
+	// render the contents of the list item
+	if *flags&ListItemContainsBlock != 0 && *flags&ListTypeTerm == 0 {
+		// intermediate render of block item, except for definition term
+		if sublist > 0 {
+			p.block(rawBytes[:sublist])
+			p.block(rawBytes[sublist:])
+		} else {
+			p.block(rawBytes)
+		}
+	} else {
+		// intermediate render of inline item
+		if sublist > 0 {
+			child := p.addChild(Paragraph, 0)
+			child.content = rawBytes[:sublist]
+			p.block(rawBytes[sublist:])
+		} else {
+			child := p.addChild(Paragraph, 0)
+			child.content = rawBytes
+		}
+	}
+	return line
+}
+
+// render a single paragraph that has already been parsed out
+func (p *Markdown) renderParagraph(data []byte) {
+	if len(data) == 0 {
+		return
+	}
+
+	// trim leading spaces
+	beg := 0
+	for data[beg] == ' ' {
+		beg++
+	}
+
+	end := len(data)
+	// trim trailing newline
+	if data[len(data)-1] == '\n' {
+		end--
+	}
+
+	// trim trailing spaces
+	for end > beg && data[end-1] == ' ' {
+		end--
+	}
+
+	p.addBlock(Paragraph, data[beg:end])
+}
+
+func (p *Markdown) paragraph(data []byte) int {
+	// prev: index of 1st char of previous line
+	// line: index of 1st char of current line
+	// i: index of cursor/end of current line
+	var prev, line, i int
+	tabSize := TabSizeDefault
+	if p.extensions&TabSizeEight != 0 {
+		tabSize = TabSizeDouble
+	}
+	// keep going until we find something to mark the end of the paragraph
+	for i < len(data) {
+		// mark the beginning of the current line
+		prev = line
+		current := data[i:]
+		line = i
+
+		// did we find a reference or a footnote? If so, end a paragraph
+		// preceding it and report that we have consumed up to the end of that
+		// reference:
+		if refEnd := isReference(p, current, tabSize); refEnd > 0 {
+			p.renderParagraph(data[:i])
+			return i + refEnd
+		}
+
+		// did we find a blank line marking the end of the paragraph?
+		if n := p.isEmpty(current); n > 0 {
+			// did this blank line followed by a definition list item?
+			if p.extensions&DefinitionLists != 0 {
+				if i < len(data)-1 && data[i+1] == ':' {
+					return p.list(data[prev:], ListTypeDefinition)
+				}
+			}
+
+			p.renderParagraph(data[:i])
+			return i + n
+		}
+
+		// an underline under some text marks a heading, so our paragraph ended on prev line
+		if i > 0 {
+			if level := p.isUnderlinedHeading(current); level > 0 {
+				// render the paragraph
+				p.renderParagraph(data[:prev])
+
+				// ignore leading and trailing whitespace
+				eol := i - 1
+				for prev < eol && data[prev] == ' ' {
+					prev++
+				}
+				for eol > prev && data[eol-1] == ' ' {
+					eol--
+				}
+
+				id := ""
+				if p.extensions&AutoHeadingIDs != 0 {
+					id = SanitizedAnchorName(string(data[prev:eol]))
+				}
+
+				block := p.addBlock(Heading, data[prev:eol])
+				block.Level = level
+				block.HeadingID = id
+
+				// find the end of the underline
+				for i < len(data) && data[i] != '\n' {
+					i++
+				}
+				return i
+			}
+		}
+
+		// if the next line starts a block of HTML, then the paragraph ends here
+		if p.extensions&LaxHTMLBlocks != 0 {
+			if data[i] == '<' && p.html(current, false) > 0 {
+				// rewind to before the HTML block
+				p.renderParagraph(data[:i])
+				return i
+			}
+		}
+
+		// if there's a prefixed heading or a horizontal rule after this, paragraph is over
+		if p.isPrefixHeading(current) || p.isHRule(current) {
+			p.renderParagraph(data[:i])
+			return i
+		}
+
+		// if there's a fenced code block, paragraph is over
+		if p.extensions&FencedCode != 0 {
+			if p.fencedCodeBlock(current, false) > 0 {
+				p.renderParagraph(data[:i])
+				return i
+			}
+		}
+
+		// if there's a definition list item, prev line is a definition term
+		if p.extensions&DefinitionLists != 0 {
+			if p.dliPrefix(current) != 0 {
+				ret := p.list(data[prev:], ListTypeDefinition)
+				return ret
+			}
+		}
+
+		// if there's a list after this, paragraph is over
+		if p.extensions&NoEmptyLineBeforeBlock != 0 {
+			if p.uliPrefix(current) != 0 ||
+				p.oliPrefix(current) != 0 ||
+				p.quotePrefix(current) != 0 ||
+				p.codePrefix(current) != 0 {
+				p.renderParagraph(data[:i])
+				return i
+			}
+		}
+
+		// otherwise, scan to the beginning of the next line
+		nl := bytes.IndexByte(data[i:], '\n')
+		if nl >= 0 {
+			i += nl + 1
+		} else {
+			i += len(data[i:])
+		}
+	}
+
+	p.renderParagraph(data[:i])
+	return i
+}
+
+func skipChar(data []byte, start int, char byte) int {
+	i := start
+	for i < len(data) && data[i] == char {
+		i++
+	}
+	return i
+}
+
+func skipUntilChar(text []byte, start int, char byte) int {
+	i := start
+	for i < len(text) && text[i] != char {
+		i++
+	}
+	return i
+}
+
+// SanitizedAnchorName returns a sanitized anchor name for the given text.
+//
+// It implements the algorithm specified in the package comment.
+func SanitizedAnchorName(text string) string {
+	var anchorName []rune
+	futureDash := false
+	for _, r := range text {
+		switch {
+		case unicode.IsLetter(r) || unicode.IsNumber(r):
+			if futureDash && len(anchorName) > 0 {
+				anchorName = append(anchorName, '-')
+			}
+			futureDash = false
+			anchorName = append(anchorName, unicode.ToLower(r))
+		default:
+			futureDash = true
+		}
+	}
+	return string(anchorName)
+}
diff --git a/vendor/github.com/russross/blackfriday/v2/doc.go b/vendor/github.com/russross/blackfriday/v2/doc.go
new file mode 100644
index 0000000000..57ff152a05
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/doc.go
@@ -0,0 +1,46 @@
+// Package blackfriday is a markdown processor.
+//
+// It translates plain text with simple formatting rules into an AST, which can
+// then be further processed to HTML (provided by Blackfriday itself) or other
+// formats (provided by the community).
+//
+// The simplest way to invoke Blackfriday is to call the Run function. It will
+// take a text input and produce a text output in HTML (or other format).
+//
+// A slightly more sophisticated way to use Blackfriday is to create a Markdown
+// processor and to call Parse, which returns a syntax tree for the input
+// document. You can leverage Blackfriday's parsing for content extraction from
+// markdown documents. You can assign a custom renderer and set various options
+// to the Markdown processor.
+//
+// If you're interested in calling Blackfriday from command line, see
+// https://github.com/russross/blackfriday-tool.
+//
+// Sanitized Anchor Names
+//
+// Blackfriday includes an algorithm for creating sanitized anchor names
+// corresponding to a given input text. This algorithm is used to create
+// anchors for headings when AutoHeadingIDs extension is enabled. The
+// algorithm is specified below, so that other packages can create
+// compatible anchor names and links to those anchors.
+//
+// The algorithm iterates over the input text, interpreted as UTF-8,
+// one Unicode code point (rune) at a time. All runes that are letters (category L)
+// or numbers (category N) are considered valid characters. They are mapped to
+// lower case, and included in the output. All other runes are considered
+// invalid characters. Invalid characters that precede the first valid character,
+// as well as invalid character that follow the last valid character
+// are dropped completely. All other sequences of invalid characters
+// between two valid characters are replaced with a single dash character '-'.
+//
+// SanitizedAnchorName exposes this functionality, and can be used to
+// create compatible links to the anchor names generated by blackfriday.
+// This algorithm is also implemented in a small standalone package at
+// github.com/shurcooL/sanitized_anchor_name. It can be useful for clients
+// that want a small package and don't need full functionality of blackfriday.
+package blackfriday
+
+// NOTE: Keep Sanitized Anchor Name algorithm in sync with package
+//       github.com/shurcooL/sanitized_anchor_name.
+//       Otherwise, users of sanitized_anchor_name will get anchor names
+//       that are incompatible with those generated by blackfriday.
diff --git a/vendor/github.com/russross/blackfriday/v2/entities.go b/vendor/github.com/russross/blackfriday/v2/entities.go
new file mode 100644
index 0000000000..a2c3edb691
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/entities.go
@@ -0,0 +1,2236 @@
+package blackfriday
+
+// Extracted from https://html.spec.whatwg.org/multipage/entities.json
+var entities = map[string]bool{
+	"&AElig":                            true,
+	"&AElig;":                           true,
+	"&AMP":                              true,
+	"&AMP;":                             true,
+	"&Aacute":                           true,
+	"&Aacute;":                          true,
+	"&Abreve;":                          true,
+	"&Acirc":                            true,
+	"&Acirc;":                           true,
+	"&Acy;":                             true,
+	"&Afr;":                             true,
+	"&Agrave":                           true,
+	"&Agrave;":                          true,
+	"&Alpha;":                           true,
+	"&Amacr;":                           true,
+	"&And;":                             true,
+	"&Aogon;":                           true,
+	"&Aopf;":                            true,
+	"&ApplyFunction;":                   true,
+	"&Aring":                            true,
+	"&Aring;":                           true,
+	"&Ascr;":                            true,
+	"&Assign;":                          true,
+	"&Atilde":                           true,
+	"&Atilde;":                          true,
+	"&Auml":                             true,
+	"&Auml;":                            true,
+	"&Backslash;":                       true,
+	"&Barv;":                            true,
+	"&Barwed;":                          true,
+	"&Bcy;":                             true,
+	"&Because;":                         true,
+	"&Bernoullis;":                      true,
+	"&Beta;":                            true,
+	"&Bfr;":                             true,
+	"&Bopf;":                            true,
+	"&Breve;":                           true,
+	"&Bscr;":                            true,
+	"&Bumpeq;":                          true,
+	"&CHcy;":                            true,
+	"&COPY":                             true,
+	"&COPY;":                            true,
+	"&Cacute;":                          true,
+	"&Cap;":                             true,
+	"&CapitalDifferentialD;":            true,
+	"&Cayleys;":                         true,
+	"&Ccaron;":                          true,
+	"&Ccedil":                           true,
+	"&Ccedil;":                          true,
+	"&Ccirc;":                           true,
+	"&Cconint;":                         true,
+	"&Cdot;":                            true,
+	"&Cedilla;":                         true,
+	"&CenterDot;":                       true,
+	"&Cfr;":                             true,
+	"&Chi;":                             true,
+	"&CircleDot;":                       true,
+	"&CircleMinus;":                     true,
+	"&CirclePlus;":                      true,
+	"&CircleTimes;":                     true,
+	"&ClockwiseContourIntegral;":        true,
+	"&CloseCurlyDoubleQuote;":           true,
+	"&CloseCurlyQuote;":                 true,
+	"&Colon;":                           true,
+	"&Colone;":                          true,
+	"&Congruent;":                       true,
+	"&Conint;":                          true,
+	"&ContourIntegral;":                 true,
+	"&Copf;":                            true,
+	"&Coproduct;":                       true,
+	"&CounterClockwiseContourIntegral;": true,
+	"&Cross;":                           true,
+	"&Cscr;":                            true,
+	"&Cup;":                             true,
+	"&CupCap;":                          true,
+	"&DD;":                              true,
+	"&DDotrahd;":                        true,
+	"&DJcy;":                            true,
+	"&DScy;":                            true,
+	"&DZcy;":                            true,
+	"&Dagger;":                          true,
+	"&Darr;":                            true,
+	"&Dashv;":                           true,
+	"&Dcaron;":                          true,
+	"&Dcy;":                             true,
+	"&Del;":                             true,
+	"&Delta;":                           true,
+	"&Dfr;":                             true,
+	"&DiacriticalAcute;":                true,
+	"&DiacriticalDot;":                  true,
+	"&DiacriticalDoubleAcute;":          true,
+	"&DiacriticalGrave;":                true,
+	"&DiacriticalTilde;":                true,
+	"&Diamond;":                         true,
+	"&DifferentialD;":                   true,
+	"&Dopf;":                            true,
+	"&Dot;":                             true,
+	"&DotDot;":                          true,
+	"&DotEqual;":                        true,
+	"&DoubleContourIntegral;":           true,
+	"&DoubleDot;":                       true,
+	"&DoubleDownArrow;":                 true,
+	"&DoubleLeftArrow;":                 true,
+	"&DoubleLeftRightArrow;":            true,
+	"&DoubleLeftTee;":                   true,
+	"&DoubleLongLeftArrow;":             true,
+	"&DoubleLongLeftRightArrow;":        true,
+	"&DoubleLongRightArrow;":            true,
+	"&DoubleRightArrow;":                true,
+	"&DoubleRightTee;":                  true,
+	"&DoubleUpArrow;":                   true,
+	"&DoubleUpDownArrow;":               true,
+	"&DoubleVerticalBar;":               true,
+	"&DownArrow;":                       true,
+	"&DownArrowBar;":                    true,
+	"&DownArrowUpArrow;":                true,
+	"&DownBreve;":                       true,
+	"&DownLeftRightVector;":             true,
+	"&DownLeftTeeVector;":               true,
+	"&DownLeftVector;":                  true,
+	"&DownLeftVectorBar;":               true,
+	"&DownRightTeeVector;":              true,
+	"&DownRightVector;":                 true,
+	"&DownRightVectorBar;":              true,
+	"&DownTee;":                         true,
+	"&DownTeeArrow;":                    true,
+	"&Downarrow;":                       true,
+	"&Dscr;":                            true,
+	"&Dstrok;":                          true,
+	"&ENG;":                             true,
+	"&ETH":                              true,
+	"&ETH;":                             true,
+	"&Eacute":                           true,
+	"&Eacute;":                          true,
+	"&Ecaron;":                          true,
+	"&Ecirc":                            true,
+	"&Ecirc;":                           true,
+	"&Ecy;":                             true,
+	"&Edot;":                            true,
+	"&Efr;":                             true,
+	"&Egrave":                           true,
+	"&Egrave;":                          true,
+	"&Element;":                         true,
+	"&Emacr;":                           true,
+	"&EmptySmallSquare;":                true,
+	"&EmptyVerySmallSquare;":            true,
+	"&Eogon;":                           true,
+	"&Eopf;":                            true,
+	"&Epsilon;":                         true,
+	"&Equal;":                           true,
+	"&EqualTilde;":                      true,
+	"&Equilibrium;":                     true,
+	"&Escr;":                            true,
+	"&Esim;":                            true,
+	"&Eta;":                             true,
+	"&Euml":                             true,
+	"&Euml;":                            true,
+	"&Exists;":                          true,
+	"&ExponentialE;":                    true,
+	"&Fcy;":                             true,
+	"&Ffr;":                             true,
+	"&FilledSmallSquare;":               true,
+	"&FilledVerySmallSquare;":           true,
+	"&Fopf;":                            true,
+	"&ForAll;":                          true,
+	"&Fouriertrf;":                      true,
+	"&Fscr;":                            true,
+	"&GJcy;":                            true,
+	"&GT":                               true,
+	"&GT;":                              true,
+	"&Gamma;":                           true,
+	"&Gammad;":                          true,
+	"&Gbreve;":                          true,
+	"&Gcedil;":                          true,
+	"&Gcirc;":                           true,
+	"&Gcy;":                             true,
+	"&Gdot;":                            true,
+	"&Gfr;":                             true,
+	"&Gg;":                              true,
+	"&Gopf;":                            true,
+	"&GreaterEqual;":                    true,
+	"&GreaterEqualLess;":                true,
+	"&GreaterFullEqual;":                true,
+	"&GreaterGreater;":                  true,
+	"&GreaterLess;":                     true,
+	"&GreaterSlantEqual;":               true,
+	"&GreaterTilde;":                    true,
+	"&Gscr;":                            true,
+	"&Gt;":                              true,
+	"&HARDcy;":                          true,
+	"&Hacek;":                           true,
+	"&Hat;":                             true,
+	"&Hcirc;":                           true,
+	"&Hfr;":                             true,
+	"&HilbertSpace;":                    true,
+	"&Hopf;":                            true,
+	"&HorizontalLine;":                  true,
+	"&Hscr;":                            true,
+	"&Hstrok;":                          true,
+	"&HumpDownHump;":                    true,
+	"&HumpEqual;":                       true,
+	"&IEcy;":                            true,
+	"&IJlig;":                           true,
+	"&IOcy;":                            true,
+	"&Iacute":                           true,
+	"&Iacute;":                          true,
+	"&Icirc":                            true,
+	"&Icirc;":                           true,
+	"&Icy;":                             true,
+	"&Idot;":                            true,
+	"&Ifr;":                             true,
+	"&Igrave":                           true,
+	"&Igrave;":                          true,
+	"&Im;":                              true,
+	"&Imacr;":                           true,
+	"&ImaginaryI;":                      true,
+	"&Implies;":                         true,
+	"&Int;":                             true,
+	"&Integral;":                        true,
+	"&Intersection;":                    true,
+	"&InvisibleComma;":                  true,
+	"&InvisibleTimes;":                  true,
+	"&Iogon;":                           true,
+	"&Iopf;":                            true,
+	"&Iota;":                            true,
+	"&Iscr;":                            true,
+	"&Itilde;":                          true,
+	"&Iukcy;":                           true,
+	"&Iuml":                             true,
+	"&Iuml;":                            true,
+	"&Jcirc;":                           true,
+	"&Jcy;":                             true,
+	"&Jfr;":                             true,
+	"&Jopf;":                            true,
+	"&Jscr;":                            true,
+	"&Jsercy;":                          true,
+	"&Jukcy;":                           true,
+	"&KHcy;":                            true,
+	"&KJcy;":                            true,
+	"&Kappa;":                           true,
+	"&Kcedil;":                          true,
+	"&Kcy;":                             true,
+	"&Kfr;":                             true,
+	"&Kopf;":                            true,
+	"&Kscr;":                            true,
+	"&LJcy;":                            true,
+	"&LT":                               true,
+	"&LT;":                              true,
+	"&Lacute;":                          true,
+	"&Lambda;":                          true,
+	"&Lang;":                            true,
+	"&Laplacetrf;":                      true,
+	"&Larr;":                            true,
+	"&Lcaron;":                          true,
+	"&Lcedil;":                          true,
+	"&Lcy;":                             true,
+	"&LeftAngleBracket;":                true,
+	"&LeftArrow;":                       true,
+	"&LeftArrowBar;":                    true,
+	"&LeftArrowRightArrow;":             true,
+	"&LeftCeiling;":                     true,
+	"&LeftDoubleBracket;":               true,
+	"&LeftDownTeeVector;":               true,
+	"&LeftDownVector;":                  true,
+	"&LeftDownVectorBar;":               true,
+	"&LeftFloor;":                       true,
+	"&LeftRightArrow;":                  true,
+	"&LeftRightVector;":                 true,
+	"&LeftTee;":                         true,
+	"&LeftTeeArrow;":                    true,
+	"&LeftTeeVector;":                   true,
+	"&LeftTriangle;":                    true,
+	"&LeftTriangleBar;":                 true,
+	"&LeftTriangleEqual;":               true,
+	"&LeftUpDownVector;":                true,
+	"&LeftUpTeeVector;":                 true,
+	"&LeftUpVector;":                    true,
+	"&LeftUpVectorBar;":                 true,
+	"&LeftVector;":                      true,
+	"&LeftVectorBar;":                   true,
+	"&Leftarrow;":                       true,
+	"&Leftrightarrow;":                  true,
+	"&LessEqualGreater;":                true,
+	"&LessFullEqual;":                   true,
+	"&LessGreater;":                     true,
+	"&LessLess;":                        true,
+	"&LessSlantEqual;":                  true,
+	"&LessTilde;":                       true,
+	"&Lfr;":                             true,
+	"&Ll;":                              true,
+	"&Lleftarrow;":                      true,
+	"&Lmidot;":                          true,
+	"&LongLeftArrow;":                   true,
+	"&LongLeftRightArrow;":              true,
+	"&LongRightArrow;":                  true,
+	"&Longleftarrow;":                   true,
+	"&Longleftrightarrow;":              true,
+	"&Longrightarrow;":                  true,
+	"&Lopf;":                            true,
+	"&LowerLeftArrow;":                  true,
+	"&LowerRightArrow;":                 true,
+	"&Lscr;":                            true,
+	"&Lsh;":                             true,
+	"&Lstrok;":                          true,
+	"&Lt;":                              true,
+	"&Map;":                             true,
+	"&Mcy;":                             true,
+	"&MediumSpace;":                     true,
+	"&Mellintrf;":                       true,
+	"&Mfr;":                             true,
+	"&MinusPlus;":                       true,
+	"&Mopf;":                            true,
+	"&Mscr;":                            true,
+	"&Mu;":                              true,
+	"&NJcy;":                            true,
+	"&Nacute;":                          true,
+	"&Ncaron;":                          true,
+	"&Ncedil;":                          true,
+	"&Ncy;":                             true,
+	"&NegativeMediumSpace;":             true,
+	"&NegativeThickSpace;":              true,
+	"&NegativeThinSpace;":               true,
+	"&NegativeVeryThinSpace;":           true,
+	"&NestedGreaterGreater;":            true,
+	"&NestedLessLess;":                  true,
+	"&NewLine;":                         true,
+	"&Nfr;":                             true,
+	"&NoBreak;":                         true,
+	"&NonBreakingSpace;":                true,
+	"&Nopf;":                            true,
+	"&Not;":                             true,
+	"&NotCongruent;":                    true,
+	"&NotCupCap;":                       true,
+	"&NotDoubleVerticalBar;":            true,
+	"&NotElement;":                      true,
+	"&NotEqual;":                        true,
+	"&NotEqualTilde;":                   true,
+	"&NotExists;":                       true,
+	"&NotGreater;":                      true,
+	"&NotGreaterEqual;":                 true,
+	"&NotGreaterFullEqual;":             true,
+	"&NotGreaterGreater;":               true,
+	"&NotGreaterLess;":                  true,
+	"&NotGreaterSlantEqual;":            true,
+	"&NotGreaterTilde;":                 true,
+	"&NotHumpDownHump;":                 true,
+	"&NotHumpEqual;":                    true,
+	"&NotLeftTriangle;":                 true,
+	"&NotLeftTriangleBar;":              true,
+	"&NotLeftTriangleEqual;":            true,
+	"&NotLess;":                         true,
+	"&NotLessEqual;":                    true,
+	"&NotLessGreater;":                  true,
+	"&NotLessLess;":                     true,
+	"&NotLessSlantEqual;":               true,
+	"&NotLessTilde;":                    true,
+	"&NotNestedGreaterGreater;":         true,
+	"&NotNestedLessLess;":               true,
+	"&NotPrecedes;":                     true,
+	"&NotPrecedesEqual;":                true,
+	"&NotPrecedesSlantEqual;":           true,
+	"&NotReverseElement;":               true,
+	"&NotRightTriangle;":                true,
+	"&NotRightTriangleBar;":             true,
+	"&NotRightTriangleEqual;":           true,
+	"&NotSquareSubset;":                 true,
+	"&NotSquareSubsetEqual;":            true,
+	"&NotSquareSuperset;":               true,
+	"&NotSquareSupersetEqual;":          true,
+	"&NotSubset;":                       true,
+	"&NotSubsetEqual;":                  true,
+	"&NotSucceeds;":                     true,
+	"&NotSucceedsEqual;":                true,
+	"&NotSucceedsSlantEqual;":           true,
+	"&NotSucceedsTilde;":                true,
+	"&NotSuperset;":                     true,
+	"&NotSupersetEqual;":                true,
+	"&NotTilde;":                        true,
+	"&NotTildeEqual;":                   true,
+	"&NotTildeFullEqual;":               true,
+	"&NotTildeTilde;":                   true,
+	"&NotVerticalBar;":                  true,
+	"&Nscr;":                            true,
+	"&Ntilde":                           true,
+	"&Ntilde;":                          true,
+	"&Nu;":                              true,
+	"&OElig;":                           true,
+	"&Oacute":                           true,
+	"&Oacute;":                          true,
+	"&Ocirc":                            true,
+	"&Ocirc;":                           true,
+	"&Ocy;":                             true,
+	"&Odblac;":                          true,
+	"&Ofr;":                             true,
+	"&Ograve":                           true,
+	"&Ograve;":                          true,
+	"&Omacr;":                           true,
+	"&Omega;":                           true,
+	"&Omicron;":                         true,
+	"&Oopf;":                            true,
+	"&OpenCurlyDoubleQuote;":            true,
+	"&OpenCurlyQuote;":                  true,
+	"&Or;":                              true,
+	"&Oscr;":                            true,
+	"&Oslash":                           true,
+	"&Oslash;":                          true,
+	"&Otilde":                           true,
+	"&Otilde;":                          true,
+	"&Otimes;":                          true,
+	"&Ouml":                             true,
+	"&Ouml;":                            true,
+	"&OverBar;":                         true,
+	"&OverBrace;":                       true,
+	"&OverBracket;":                     true,
+	"&OverParenthesis;":                 true,
+	"&PartialD;":                        true,
+	"&Pcy;":                             true,
+	"&Pfr;":                             true,
+	"&Phi;":                             true,
+	"&Pi;":                              true,
+	"&PlusMinus;":                       true,
+	"&Poincareplane;":                   true,
+	"&Popf;":                            true,
+	"&Pr;":                              true,
+	"&Precedes;":                        true,
+	"&PrecedesEqual;":                   true,
+	"&PrecedesSlantEqual;":              true,
+	"&PrecedesTilde;":                   true,
+	"&Prime;":                           true,
+	"&Product;":                         true,
+	"&Proportion;":                      true,
+	"&Proportional;":                    true,
+	"&Pscr;":                            true,
+	"&Psi;":                             true,
+	"&QUOT":                             true,
+	"&QUOT;":                            true,
+	"&Qfr;":                             true,
+	"&Qopf;":                            true,
+	"&Qscr;":                            true,
+	"&RBarr;":                           true,
+	"&REG":                              true,
+	"&REG;":                             true,
+	"&Racute;":                          true,
+	"&Rang;":                            true,
+	"&Rarr;":                            true,
+	"&Rarrtl;":                          true,
+	"&Rcaron;":                          true,
+	"&Rcedil;":                          true,
+	"&Rcy;":                             true,
+	"&Re;":                              true,
+	"&ReverseElement;":                  true,
+	"&ReverseEquilibrium;":              true,
+	"&ReverseUpEquilibrium;":            true,
+	"&Rfr;":                             true,
+	"&Rho;":                             true,
+	"&RightAngleBracket;":               true,
+	"&RightArrow;":                      true,
+	"&RightArrowBar;":                   true,
+	"&RightArrowLeftArrow;":             true,
+	"&RightCeiling;":                    true,
+	"&RightDoubleBracket;":              true,
+	"&RightDownTeeVector;":              true,
+	"&RightDownVector;":                 true,
+	"&RightDownVectorBar;":              true,
+	"&RightFloor;":                      true,
+	"&RightTee;":                        true,
+	"&RightTeeArrow;":                   true,
+	"&RightTeeVector;":                  true,
+	"&RightTriangle;":                   true,
+	"&RightTriangleBar;":                true,
+	"&RightTriangleEqual;":              true,
+	"&RightUpDownVector;":               true,
+	"&RightUpTeeVector;":                true,
+	"&RightUpVector;":                   true,
+	"&RightUpVectorBar;":                true,
+	"&RightVector;":                     true,
+	"&RightVectorBar;":                  true,
+	"&Rightarrow;":                      true,
+	"&Ropf;":                            true,
+	"&RoundImplies;":                    true,
+	"&Rrightarrow;":                     true,
+	"&Rscr;":                            true,
+	"&Rsh;":                             true,
+	"&RuleDelayed;":                     true,
+	"&SHCHcy;":                          true,
+	"&SHcy;":                            true,
+	"&SOFTcy;":                          true,
+	"&Sacute;":                          true,
+	"&Sc;":                              true,
+	"&Scaron;":                          true,
+	"&Scedil;":                          true,
+	"&Scirc;":                           true,
+	"&Scy;":                             true,
+	"&Sfr;":                             true,
+	"&ShortDownArrow;":                  true,
+	"&ShortLeftArrow;":                  true,
+	"&ShortRightArrow;":                 true,
+	"&ShortUpArrow;":                    true,
+	"&Sigma;":                           true,
+	"&SmallCircle;":                     true,
+	"&Sopf;":                            true,
+	"&Sqrt;":                            true,
+	"&Square;":                          true,
+	"&SquareIntersection;":              true,
+	"&SquareSubset;":                    true,
+	"&SquareSubsetEqual;":               true,
+	"&SquareSuperset;":                  true,
+	"&SquareSupersetEqual;":             true,
+	"&SquareUnion;":                     true,
+	"&Sscr;":                            true,
+	"&Star;":                            true,
+	"&Sub;":                             true,
+	"&Subset;":                          true,
+	"&SubsetEqual;":                     true,
+	"&Succeeds;":                        true,
+	"&SucceedsEqual;":                   true,
+	"&SucceedsSlantEqual;":              true,
+	"&SucceedsTilde;":                   true,
+	"&SuchThat;":                        true,
+	"&Sum;":                             true,
+	"&Sup;":                             true,
+	"&Superset;":                        true,
+	"&SupersetEqual;":                   true,
+	"&Supset;":                          true,
+	"&THORN":                            true,
+	"&THORN;":                           true,
+	"&TRADE;":                           true,
+	"&TSHcy;":                           true,
+	"&TScy;":                            true,
+	"&Tab;":                             true,
+	"&Tau;":                             true,
+	"&Tcaron;":                          true,
+	"&Tcedil;":                          true,
+	"&Tcy;":                             true,
+	"&Tfr;":                             true,
+	"&Therefore;":                       true,
+	"&Theta;":                           true,
+	"&ThickSpace;":                      true,
+	"&ThinSpace;":                       true,
+	"&Tilde;":                           true,
+	"&TildeEqual;":                      true,
+	"&TildeFullEqual;":                  true,
+	"&TildeTilde;":                      true,
+	"&Topf;":                            true,
+	"&TripleDot;":                       true,
+	"&Tscr;":                            true,
+	"&Tstrok;":                          true,
+	"&Uacute":                           true,
+	"&Uacute;":                          true,
+	"&Uarr;":                            true,
+	"&Uarrocir;":                        true,
+	"&Ubrcy;":                           true,
+	"&Ubreve;":                          true,
+	"&Ucirc":                            true,
+	"&Ucirc;":                           true,
+	"&Ucy;":                             true,
+	"&Udblac;":                          true,
+	"&Ufr;":                             true,
+	"&Ugrave":                           true,
+	"&Ugrave;":                          true,
+	"&Umacr;":                           true,
+	"&UnderBar;":                        true,
+	"&UnderBrace;":                      true,
+	"&UnderBracket;":                    true,
+	"&UnderParenthesis;":                true,
+	"&Union;":                           true,
+	"&UnionPlus;":                       true,
+	"&Uogon;":                           true,
+	"&Uopf;":                            true,
+	"&UpArrow;":                         true,
+	"&UpArrowBar;":                      true,
+	"&UpArrowDownArrow;":                true,
+	"&UpDownArrow;":                     true,
+	"&UpEquilibrium;":                   true,
+	"&UpTee;":                           true,
+	"&UpTeeArrow;":                      true,
+	"&Uparrow;":                         true,
+	"&Updownarrow;":                     true,
+	"&UpperLeftArrow;":                  true,
+	"&UpperRightArrow;":                 true,
+	"&Upsi;":                            true,
+	"&Upsilon;":                         true,
+	"&Uring;":                           true,
+	"&Uscr;":                            true,
+	"&Utilde;":                          true,
+	"&Uuml":                             true,
+	"&Uuml;":                            true,
+	"&VDash;":                           true,
+	"&Vbar;":                            true,
+	"&Vcy;":                             true,
+	"&Vdash;":                           true,
+	"&Vdashl;":                          true,
+	"&Vee;":                             true,
+	"&Verbar;":                          true,
+	"&Vert;":                            true,
+	"&VerticalBar;":                     true,
+	"&VerticalLine;":                    true,
+	"&VerticalSeparator;":               true,
+	"&VerticalTilde;":                   true,
+	"&VeryThinSpace;":                   true,
+	"&Vfr;":                             true,
+	"&Vopf;":                            true,
+	"&Vscr;":                            true,
+	"&Vvdash;":                          true,
+	"&Wcirc;":                           true,
+	"&Wedge;":                           true,
+	"&Wfr;":                             true,
+	"&Wopf;":                            true,
+	"&Wscr;":                            true,
+	"&Xfr;":                             true,
+	"&Xi;":                              true,
+	"&Xopf;":                            true,
+	"&Xscr;":                            true,
+	"&YAcy;":                            true,
+	"&YIcy;":                            true,
+	"&YUcy;":                            true,
+	"&Yacute":                           true,
+	"&Yacute;":                          true,
+	"&Ycirc;":                           true,
+	"&Ycy;":                             true,
+	"&Yfr;":                             true,
+	"&Yopf;":                            true,
+	"&Yscr;":                            true,
+	"&Yuml;":                            true,
+	"&ZHcy;":                            true,
+	"&Zacute;":                          true,
+	"&Zcaron;":                          true,
+	"&Zcy;":                             true,
+	"&Zdot;":                            true,
+	"&ZeroWidthSpace;":                  true,
+	"&Zeta;":                            true,
+	"&Zfr;":                             true,
+	"&Zopf;":                            true,
+	"&Zscr;":                            true,
+	"&aacute":                           true,
+	"&aacute;":                          true,
+	"&abreve;":                          true,
+	"&ac;":                              true,
+	"&acE;":                             true,
+	"&acd;":                             true,
+	"&acirc":                            true,
+	"&acirc;":                           true,
+	"&acute":                            true,
+	"&acute;":                           true,
+	"&acy;":                             true,
+	"&aelig":                            true,
+	"&aelig;":                           true,
+	"&af;":                              true,
+	"&afr;":                             true,
+	"&agrave":                           true,
+	"&agrave;":                          true,
+	"&alefsym;":                         true,
+	"&aleph;":                           true,
+	"&alpha;":                           true,
+	"&amacr;":                           true,
+	"&amalg;":                           true,
+	"&amp":                              true,
+	"&amp;":                             true,
+	"&and;":                             true,
+	"&andand;":                          true,
+	"&andd;":                            true,
+	"&andslope;":                        true,
+	"&andv;":                            true,
+	"&ang;":                             true,
+	"&ange;":                            true,
+	"&angle;":                           true,
+	"&angmsd;":                          true,
+	"&angmsdaa;":                        true,
+	"&angmsdab;":                        true,
+	"&angmsdac;":                        true,
+	"&angmsdad;":                        true,
+	"&angmsdae;":                        true,
+	"&angmsdaf;":                        true,
+	"&angmsdag;":                        true,
+	"&angmsdah;":                        true,
+	"&angrt;":                           true,
+	"&angrtvb;":                         true,
+	"&angrtvbd;":                        true,
+	"&angsph;":                          true,
+	"&angst;":                           true,
+	"&angzarr;":                         true,
+	"&aogon;":                           true,
+	"&aopf;":                            true,
+	"&ap;":                              true,
+	"&apE;":                             true,
+	"&apacir;":                          true,
+	"&ape;":                             true,
+	"&apid;":                            true,
+	"&apos;":                            true,
+	"&approx;":                          true,
+	"&approxeq;":                        true,
+	"&aring":                            true,
+	"&aring;":                           true,
+	"&ascr;":                            true,
+	"&ast;":                             true,
+	"&asymp;":                           true,
+	"&asympeq;":                         true,
+	"&atilde":                           true,
+	"&atilde;":                          true,
+	"&auml":                             true,
+	"&auml;":                            true,
+	"&awconint;":                        true,
+	"&awint;":                           true,
+	"&bNot;":                            true,
+	"&backcong;":                        true,
+	"&backepsilon;":                     true,
+	"&backprime;":                       true,
+	"&backsim;":                         true,
+	"&backsimeq;":                       true,
+	"&barvee;":                          true,
+	"&barwed;":                          true,
+	"&barwedge;":                        true,
+	"&bbrk;":                            true,
+	"&bbrktbrk;":                        true,
+	"&bcong;":                           true,
+	"&bcy;":                             true,
+	"&bdquo;":                           true,
+	"&becaus;":                          true,
+	"&because;":                         true,
+	"&bemptyv;":                         true,
+	"&bepsi;":                           true,
+	"&bernou;":                          true,
+	"&beta;":                            true,
+	"&beth;":                            true,
+	"&between;":                         true,
+	"&bfr;":                             true,
+	"&bigcap;":                          true,
+	"&bigcirc;":                         true,
+	"&bigcup;":                          true,
+	"&bigodot;":                         true,
+	"&bigoplus;":                        true,
+	"&bigotimes;":                       true,
+	"&bigsqcup;":                        true,
+	"&bigstar;":                         true,
+	"&bigtriangledown;":                 true,
+	"&bigtriangleup;":                   true,
+	"&biguplus;":                        true,
+	"&bigvee;":                          true,
+	"&bigwedge;":                        true,
+	"&bkarow;":                          true,
+	"&blacklozenge;":                    true,
+	"&blacksquare;":                     true,
+	"&blacktriangle;":                   true,
+	"&blacktriangledown;":               true,
+	"&blacktriangleleft;":               true,
+	"&blacktriangleright;":              true,
+	"&blank;":                           true,
+	"&blk12;":                           true,
+	"&blk14;":                           true,
+	"&blk34;":                           true,
+	"&block;":                           true,
+	"&bne;":                             true,
+	"&bnequiv;":                         true,
+	"&bnot;":                            true,
+	"&bopf;":                            true,
+	"&bot;":                             true,
+	"&bottom;":                          true,
+	"&bowtie;":                          true,
+	"&boxDL;":                           true,
+	"&boxDR;":                           true,
+	"&boxDl;":                           true,
+	"&boxDr;":                           true,
+	"&boxH;":                            true,
+	"&boxHD;":                           true,
+	"&boxHU;":                           true,
+	"&boxHd;":                           true,
+	"&boxHu;":                           true,
+	"&boxUL;":                           true,
+	"&boxUR;":                           true,
+	"&boxUl;":                           true,
+	"&boxUr;":                           true,
+	"&boxV;":                            true,
+	"&boxVH;":                           true,
+	"&boxVL;":                           true,
+	"&boxVR;":                           true,
+	"&boxVh;":                           true,
+	"&boxVl;":                           true,
+	"&boxVr;":                           true,
+	"&boxbox;":                          true,
+	"&boxdL;":                           true,
+	"&boxdR;":                           true,
+	"&boxdl;":                           true,
+	"&boxdr;":                           true,
+	"&boxh;":                            true,
+	"&boxhD;":                           true,
+	"&boxhU;":                           true,
+	"&boxhd;":                           true,
+	"&boxhu;":                           true,
+	"&boxminus;":                        true,
+	"&boxplus;":                         true,
+	"&boxtimes;":                        true,
+	"&boxuL;":                           true,
+	"&boxuR;":                           true,
+	"&boxul;":                           true,
+	"&boxur;":                           true,
+	"&boxv;":                            true,
+	"&boxvH;":                           true,
+	"&boxvL;":                           true,
+	"&boxvR;":                           true,
+	"&boxvh;":                           true,
+	"&boxvl;":                           true,
+	"&boxvr;":                           true,
+	"&bprime;":                          true,
+	"&breve;":                           true,
+	"&brvbar":                           true,
+	"&brvbar;":                          true,
+	"&bscr;":                            true,
+	"&bsemi;":                           true,
+	"&bsim;":                            true,
+	"&bsime;":                           true,
+	"&bsol;":                            true,
+	"&bsolb;":                           true,
+	"&bsolhsub;":                        true,
+	"&bull;":                            true,
+	"&bullet;":                          true,
+	"&bump;":                            true,
+	"&bumpE;":                           true,
+	"&bumpe;":                           true,
+	"&bumpeq;":                          true,
+	"&cacute;":                          true,
+	"&cap;":                             true,
+	"&capand;":                          true,
+	"&capbrcup;":                        true,
+	"&capcap;":                          true,
+	"&capcup;":                          true,
+	"&capdot;":                          true,
+	"&caps;":                            true,
+	"&caret;":                           true,
+	"&caron;":                           true,
+	"&ccaps;":                           true,
+	"&ccaron;":                          true,
+	"&ccedil":                           true,
+	"&ccedil;":                          true,
+	"&ccirc;":                           true,
+	"&ccups;":                           true,
+	"&ccupssm;":                         true,
+	"&cdot;":                            true,
+	"&cedil":                            true,
+	"&cedil;":                           true,
+	"&cemptyv;":                         true,
+	"&cent":                             true,
+	"&cent;":                            true,
+	"&centerdot;":                       true,
+	"&cfr;":                             true,
+	"&chcy;":                            true,
+	"&check;":                           true,
+	"&checkmark;":                       true,
+	"&chi;":                             true,
+	"&cir;":                             true,
+	"&cirE;":                            true,
+	"&circ;":                            true,
+	"&circeq;":                          true,
+	"&circlearrowleft;":                 true,
+	"&circlearrowright;":                true,
+	"&circledR;":                        true,
+	"&circledS;":                        true,
+	"&circledast;":                      true,
+	"&circledcirc;":                     true,
+	"&circleddash;":                     true,
+	"&cire;":                            true,
+	"&cirfnint;":                        true,
+	"&cirmid;":                          true,
+	"&cirscir;":                         true,
+	"&clubs;":                           true,
+	"&clubsuit;":                        true,
+	"&colon;":                           true,
+	"&colone;":                          true,
+	"&coloneq;":                         true,
+	"&comma;":                           true,
+	"&commat;":                          true,
+	"&comp;":                            true,
+	"&compfn;":                          true,
+	"&complement;":                      true,
+	"&complexes;":                       true,
+	"&cong;":                            true,
+	"&congdot;":                         true,
+	"&conint;":                          true,
+	"&copf;":                            true,
+	"&coprod;":                          true,
+	"&copy":                             true,
+	"&copy;":                            true,
+	"&copysr;":                          true,
+	"&crarr;":                           true,
+	"&cross;":                           true,
+	"&cscr;":                            true,
+	"&csub;":                            true,
+	"&csube;":                           true,
+	"&csup;":                            true,
+	"&csupe;":                           true,
+	"&ctdot;":                           true,
+	"&cudarrl;":                         true,
+	"&cudarrr;":                         true,
+	"&cuepr;":                           true,
+	"&cuesc;":                           true,
+	"&cularr;":                          true,
+	"&cularrp;":                         true,
+	"&cup;":                             true,
+	"&cupbrcap;":                        true,
+	"&cupcap;":                          true,
+	"&cupcup;":                          true,
+	"&cupdot;":                          true,
+	"&cupor;":                           true,
+	"&cups;":                            true,
+	"&curarr;":                          true,
+	"&curarrm;":                         true,
+	"&curlyeqprec;":                     true,
+	"&curlyeqsucc;":                     true,
+	"&curlyvee;":                        true,
+	"&curlywedge;":                      true,
+	"&curren":                           true,
+	"&curren;":                          true,
+	"&curvearrowleft;":                  true,
+	"&curvearrowright;":                 true,
+	"&cuvee;":                           true,
+	"&cuwed;":                           true,
+	"&cwconint;":                        true,
+	"&cwint;":                           true,
+	"&cylcty;":                          true,
+	"&dArr;":                            true,
+	"&dHar;":                            true,
+	"&dagger;":                          true,
+	"&daleth;":                          true,
+	"&darr;":                            true,
+	"&dash;":                            true,
+	"&dashv;":                           true,
+	"&dbkarow;":                         true,
+	"&dblac;":                           true,
+	"&dcaron;":                          true,
+	"&dcy;":                             true,
+	"&dd;":                              true,
+	"&ddagger;":                         true,
+	"&ddarr;":                           true,
+	"&ddotseq;":                         true,
+	"&deg":                              true,
+	"&deg;":                             true,
+	"&delta;":                           true,
+	"&demptyv;":                         true,
+	"&dfisht;":                          true,
+	"&dfr;":                             true,
+	"&dharl;":                           true,
+	"&dharr;":                           true,
+	"&diam;":                            true,
+	"&diamond;":                         true,
+	"&diamondsuit;":                     true,
+	"&diams;":                           true,
+	"&die;":                             true,
+	"&digamma;":                         true,
+	"&disin;":                           true,
+	"&div;":                             true,
+	"&divide":                           true,
+	"&divide;":                          true,
+	"&divideontimes;":                   true,
+	"&divonx;":                          true,
+	"&djcy;":                            true,
+	"&dlcorn;":                          true,
+	"&dlcrop;":                          true,
+	"&dollar;":                          true,
+	"&dopf;":                            true,
+	"&dot;":                             true,
+	"&doteq;":                           true,
+	"&doteqdot;":                        true,
+	"&dotminus;":                        true,
+	"&dotplus;":                         true,
+	"&dotsquare;":                       true,
+	"&doublebarwedge;":                  true,
+	"&downarrow;":                       true,
+	"&downdownarrows;":                  true,
+	"&downharpoonleft;":                 true,
+	"&downharpoonright;":                true,
+	"&drbkarow;":                        true,
+	"&drcorn;":                          true,
+	"&drcrop;":                          true,
+	"&dscr;":                            true,
+	"&dscy;":                            true,
+	"&dsol;":                            true,
+	"&dstrok;":                          true,
+	"&dtdot;":                           true,
+	"&dtri;":                            true,
+	"&dtrif;":                           true,
+	"&duarr;":                           true,
+	"&duhar;":                           true,
+	"&dwangle;":                         true,
+	"&dzcy;":                            true,
+	"&dzigrarr;":                        true,
+	"&eDDot;":                           true,
+	"&eDot;":                            true,
+	"&eacute":                           true,
+	"&eacute;":                          true,
+	"&easter;":                          true,
+	"&ecaron;":                          true,
+	"&ecir;":                            true,
+	"&ecirc":                            true,
+	"&ecirc;":                           true,
+	"&ecolon;":                          true,
+	"&ecy;":                             true,
+	"&edot;":                            true,
+	"&ee;":                              true,
+	"&efDot;":                           true,
+	"&efr;":                             true,
+	"&eg;":                              true,
+	"&egrave":                           true,
+	"&egrave;":                          true,
+	"&egs;":                             true,
+	"&egsdot;":                          true,
+	"&el;":                              true,
+	"&elinters;":                        true,
+	"&ell;":                             true,
+	"&els;":                             true,
+	"&elsdot;":                          true,
+	"&emacr;":                           true,
+	"&empty;":                           true,
+	"&emptyset;":                        true,
+	"&emptyv;":                          true,
+	"&emsp13;":                          true,
+	"&emsp14;":                          true,
+	"&emsp;":                            true,
+	"&eng;":                             true,
+	"&ensp;":                            true,
+	"&eogon;":                           true,
+	"&eopf;":                            true,
+	"&epar;":                            true,
+	"&eparsl;":                          true,
+	"&eplus;":                           true,
+	"&epsi;":                            true,
+	"&epsilon;":                         true,
+	"&epsiv;":                           true,
+	"&eqcirc;":                          true,
+	"&eqcolon;":                         true,
+	"&eqsim;":                           true,
+	"&eqslantgtr;":                      true,
+	"&eqslantless;":                     true,
+	"&equals;":                          true,
+	"&equest;":                          true,
+	"&equiv;":                           true,
+	"&equivDD;":                         true,
+	"&eqvparsl;":                        true,
+	"&erDot;":                           true,
+	"&erarr;":                           true,
+	"&escr;":                            true,
+	"&esdot;":                           true,
+	"&esim;":                            true,
+	"&eta;":                             true,
+	"&eth":                              true,
+	"&eth;":                             true,
+	"&euml":                             true,
+	"&euml;":                            true,
+	"&euro;":                            true,
+	"&excl;":                            true,
+	"&exist;":                           true,
+	"&expectation;":                     true,
+	"&exponentiale;":                    true,
+	"&fallingdotseq;":                   true,
+	"&fcy;":                             true,
+	"&female;":                          true,
+	"&ffilig;":                          true,
+	"&fflig;":                           true,
+	"&ffllig;":                          true,
+	"&ffr;":                             true,
+	"&filig;":                           true,
+	"&fjlig;":                           true,
+	"&flat;":                            true,
+	"&fllig;":                           true,
+	"&fltns;":                           true,
+	"&fnof;":                            true,
+	"&fopf;":                            true,
+	"&forall;":                          true,
+	"&fork;":                            true,
+	"&forkv;":                           true,
+	"&fpartint;":                        true,
+	"&frac12":                           true,
+	"&frac12;":                          true,
+	"&frac13;":                          true,
+	"&frac14":                           true,
+	"&frac14;":                          true,
+	"&frac15;":                          true,
+	"&frac16;":                          true,
+	"&frac18;":                          true,
+	"&frac23;":                          true,
+	"&frac25;":                          true,
+	"&frac34":                           true,
+	"&frac34;":                          true,
+	"&frac35;":                          true,
+	"&frac38;":                          true,
+	"&frac45;":                          true,
+	"&frac56;":                          true,
+	"&frac58;":                          true,
+	"&frac78;":                          true,
+	"&frasl;":                           true,
+	"&frown;":                           true,
+	"&fscr;":                            true,
+	"&gE;":                              true,
+	"&gEl;":                             true,
+	"&gacute;":                          true,
+	"&gamma;":                           true,
+	"&gammad;":                          true,
+	"&gap;":                             true,
+	"&gbreve;":                          true,
+	"&gcirc;":                           true,
+	"&gcy;":                             true,
+	"&gdot;":                            true,
+	"&ge;":                              true,
+	"&gel;":                             true,
+	"&geq;":                             true,
+	"&geqq;":                            true,
+	"&geqslant;":                        true,
+	"&ges;":                             true,
+	"&gescc;":                           true,
+	"&gesdot;":                          true,
+	"&gesdoto;":                         true,
+	"&gesdotol;":                        true,
+	"&gesl;":                            true,
+	"&gesles;":                          true,
+	"&gfr;":                             true,
+	"&gg;":                              true,
+	"&ggg;":                             true,
+	"&gimel;":                           true,
+	"&gjcy;":                            true,
+	"&gl;":                              true,
+	"&glE;":                             true,
+	"&gla;":                             true,
+	"&glj;":                             true,
+	"&gnE;":                             true,
+	"&gnap;":                            true,
+	"&gnapprox;":                        true,
+	"&gne;":                             true,
+	"&gneq;":                            true,
+	"&gneqq;":                           true,
+	"&gnsim;":                           true,
+	"&gopf;":                            true,
+	"&grave;":                           true,
+	"&gscr;":                            true,
+	"&gsim;":                            true,
+	"&gsime;":                           true,
+	"&gsiml;":                           true,
+	"&gt":                               true,
+	"&gt;":                              true,
+	"&gtcc;":                            true,
+	"&gtcir;":                           true,
+	"&gtdot;":                           true,
+	"&gtlPar;":                          true,
+	"&gtquest;":                         true,
+	"&gtrapprox;":                       true,
+	"&gtrarr;":                          true,
+	"&gtrdot;":                          true,
+	"&gtreqless;":                       true,
+	"&gtreqqless;":                      true,
+	"&gtrless;":                         true,
+	"&gtrsim;":                          true,
+	"&gvertneqq;":                       true,
+	"&gvnE;":                            true,
+	"&hArr;":                            true,
+	"&hairsp;":                          true,
+	"&half;":                            true,
+	"&hamilt;":                          true,
+	"&hardcy;":                          true,
+	"&harr;":                            true,
+	"&harrcir;":                         true,
+	"&harrw;":                           true,
+	"&hbar;":                            true,
+	"&hcirc;":                           true,
+	"&hearts;":                          true,
+	"&heartsuit;":                       true,
+	"&hellip;":                          true,
+	"&hercon;":                          true,
+	"&hfr;":                             true,
+	"&hksearow;":                        true,
+	"&hkswarow;":                        true,
+	"&hoarr;":                           true,
+	"&homtht;":                          true,
+	"&hookleftarrow;":                   true,
+	"&hookrightarrow;":                  true,
+	"&hopf;":                            true,
+	"&horbar;":                          true,
+	"&hscr;":                            true,
+	"&hslash;":                          true,
+	"&hstrok;":                          true,
+	"&hybull;":                          true,
+	"&hyphen;":                          true,
+	"&iacute":                           true,
+	"&iacute;":                          true,
+	"&ic;":                              true,
+	"&icirc":                            true,
+	"&icirc;":                           true,
+	"&icy;":                             true,
+	"&iecy;":                            true,
+	"&iexcl":                            true,
+	"&iexcl;":                           true,
+	"&iff;":                             true,
+	"&ifr;":                             true,
+	"&igrave":                           true,
+	"&igrave;":                          true,
+	"&ii;":                              true,
+	"&iiiint;":                          true,
+	"&iiint;":                           true,
+	"&iinfin;":                          true,
+	"&iiota;":                           true,
+	"&ijlig;":                           true,
+	"&imacr;":                           true,
+	"&image;":                           true,
+	"&imagline;":                        true,
+	"&imagpart;":                        true,
+	"&imath;":                           true,
+	"&imof;":                            true,
+	"&imped;":                           true,
+	"&in;":                              true,
+	"&incare;":                          true,
+	"&infin;":                           true,
+	"&infintie;":                        true,
+	"&inodot;":                          true,
+	"&int;":                             true,
+	"&intcal;":                          true,
+	"&integers;":                        true,
+	"&intercal;":                        true,
+	"&intlarhk;":                        true,
+	"&intprod;":                         true,
+	"&iocy;":                            true,
+	"&iogon;":                           true,
+	"&iopf;":                            true,
+	"&iota;":                            true,
+	"&iprod;":                           true,
+	"&iquest":                           true,
+	"&iquest;":                          true,
+	"&iscr;":                            true,
+	"&isin;":                            true,
+	"&isinE;":                           true,
+	"&isindot;":                         true,
+	"&isins;":                           true,
+	"&isinsv;":                          true,
+	"&isinv;":                           true,
+	"&it;":                              true,
+	"&itilde;":                          true,
+	"&iukcy;":                           true,
+	"&iuml":                             true,
+	"&iuml;":                            true,
+	"&jcirc;":                           true,
+	"&jcy;":                             true,
+	"&jfr;":                             true,
+	"&jmath;":                           true,
+	"&jopf;":                            true,
+	"&jscr;":                            true,
+	"&jsercy;":                          true,
+	"&jukcy;":                           true,
+	"&kappa;":                           true,
+	"&kappav;":                          true,
+	"&kcedil;":                          true,
+	"&kcy;":                             true,
+	"&kfr;":                             true,
+	"&kgreen;":                          true,
+	"&khcy;":                            true,
+	"&kjcy;":                            true,
+	"&kopf;":                            true,
+	"&kscr;":                            true,
+	"&lAarr;":                           true,
+	"&lArr;":                            true,
+	"&lAtail;":                          true,
+	"&lBarr;":                           true,
+	"&lE;":                              true,
+	"&lEg;":                             true,
+	"&lHar;":                            true,
+	"&lacute;":                          true,
+	"&laemptyv;":                        true,
+	"&lagran;":                          true,
+	"&lambda;":                          true,
+	"&lang;":                            true,
+	"&langd;":                           true,
+	"&langle;":                          true,
+	"&lap;":                             true,
+	"&laquo":                            true,
+	"&laquo;":                           true,
+	"&larr;":                            true,
+	"&larrb;":                           true,
+	"&larrbfs;":                         true,
+	"&larrfs;":                          true,
+	"&larrhk;":                          true,
+	"&larrlp;":                          true,
+	"&larrpl;":                          true,
+	"&larrsim;":                         true,
+	"&larrtl;":                          true,
+	"&lat;":                             true,
+	"&latail;":                          true,
+	"&late;":                            true,
+	"&lates;":                           true,
+	"&lbarr;":                           true,
+	"&lbbrk;":                           true,
+	"&lbrace;":                          true,
+	"&lbrack;":                          true,
+	"&lbrke;":                           true,
+	"&lbrksld;":                         true,
+	"&lbrkslu;":                         true,
+	"&lcaron;":                          true,
+	"&lcedil;":                          true,
+	"&lceil;":                           true,
+	"&lcub;":                            true,
+	"&lcy;":                             true,
+	"&ldca;":                            true,
+	"&ldquo;":                           true,
+	"&ldquor;":                          true,
+	"&ldrdhar;":                         true,
+	"&ldrushar;":                        true,
+	"&ldsh;":                            true,
+	"&le;":                              true,
+	"&leftarrow;":                       true,
+	"&leftarrowtail;":                   true,
+	"&leftharpoondown;":                 true,
+	"&leftharpoonup;":                   true,
+	"&leftleftarrows;":                  true,
+	"&leftrightarrow;":                  true,
+	"&leftrightarrows;":                 true,
+	"&leftrightharpoons;":               true,
+	"&leftrightsquigarrow;":             true,
+	"&leftthreetimes;":                  true,
+	"&leg;":                             true,
+	"&leq;":                             true,
+	"&leqq;":                            true,
+	"&leqslant;":                        true,
+	"&les;":                             true,
+	"&lescc;":                           true,
+	"&lesdot;":                          true,
+	"&lesdoto;":                         true,
+	"&lesdotor;":                        true,
+	"&lesg;":                            true,
+	"&lesges;":                          true,
+	"&lessapprox;":                      true,
+	"&lessdot;":                         true,
+	"&lesseqgtr;":                       true,
+	"&lesseqqgtr;":                      true,
+	"&lessgtr;":                         true,
+	"&lesssim;":                         true,
+	"&lfisht;":                          true,
+	"&lfloor;":                          true,
+	"&lfr;":                             true,
+	"&lg;":                              true,
+	"&lgE;":                             true,
+	"&lhard;":                           true,
+	"&lharu;":                           true,
+	"&lharul;":                          true,
+	"&lhblk;":                           true,
+	"&ljcy;":                            true,
+	"&ll;":                              true,
+	"&llarr;":                           true,
+	"&llcorner;":                        true,
+	"&llhard;":                          true,
+	"&lltri;":                           true,
+	"&lmidot;":                          true,
+	"&lmoust;":                          true,
+	"&lmoustache;":                      true,
+	"&lnE;":                             true,
+	"&lnap;":                            true,
+	"&lnapprox;":                        true,
+	"&lne;":                             true,
+	"&lneq;":                            true,
+	"&lneqq;":                           true,
+	"&lnsim;":                           true,
+	"&loang;":                           true,
+	"&loarr;":                           true,
+	"&lobrk;":                           true,
+	"&longleftarrow;":                   true,
+	"&longleftrightarrow;":              true,
+	"&longmapsto;":                      true,
+	"&longrightarrow;":                  true,
+	"&looparrowleft;":                   true,
+	"&looparrowright;":                  true,
+	"&lopar;":                           true,
+	"&lopf;":                            true,
+	"&loplus;":                          true,
+	"&lotimes;":                         true,
+	"&lowast;":                          true,
+	"&lowbar;":                          true,
+	"&loz;":                             true,
+	"&lozenge;":                         true,
+	"&lozf;":                            true,
+	"&lpar;":                            true,
+	"&lparlt;":                          true,
+	"&lrarr;":                           true,
+	"&lrcorner;":                        true,
+	"&lrhar;":                           true,
+	"&lrhard;":                          true,
+	"&lrm;":                             true,
+	"&lrtri;":                           true,
+	"&lsaquo;":                          true,
+	"&lscr;":                            true,
+	"&lsh;":                             true,
+	"&lsim;":                            true,
+	"&lsime;":                           true,
+	"&lsimg;":                           true,
+	"&lsqb;":                            true,
+	"&lsquo;":                           true,
+	"&lsquor;":                          true,
+	"&lstrok;":                          true,
+	"&lt":                               true,
+	"&lt;":                              true,
+	"&ltcc;":                            true,
+	"&ltcir;":                           true,
+	"&ltdot;":                           true,
+	"&lthree;":                          true,
+	"&ltimes;":                          true,
+	"&ltlarr;":                          true,
+	"&ltquest;":                         true,
+	"&ltrPar;":                          true,
+	"&ltri;":                            true,
+	"&ltrie;":                           true,
+	"&ltrif;":                           true,
+	"&lurdshar;":                        true,
+	"&luruhar;":                         true,
+	"&lvertneqq;":                       true,
+	"&lvnE;":                            true,
+	"&mDDot;":                           true,
+	"&macr":                             true,
+	"&macr;":                            true,
+	"&male;":                            true,
+	"&malt;":                            true,
+	"&maltese;":                         true,
+	"&map;":                             true,
+	"&mapsto;":                          true,
+	"&mapstodown;":                      true,
+	"&mapstoleft;":                      true,
+	"&mapstoup;":                        true,
+	"&marker;":                          true,
+	"&mcomma;":                          true,
+	"&mcy;":                             true,
+	"&mdash;":                           true,
+	"&measuredangle;":                   true,
+	"&mfr;":                             true,
+	"&mho;":                             true,
+	"&micro":                            true,
+	"&micro;":                           true,
+	"&mid;":                             true,
+	"&midast;":                          true,
+	"&midcir;":                          true,
+	"&middot":                           true,
+	"&middot;":                          true,
+	"&minus;":                           true,
+	"&minusb;":                          true,
+	"&minusd;":                          true,
+	"&minusdu;":                         true,
+	"&mlcp;":                            true,
+	"&mldr;":                            true,
+	"&mnplus;":                          true,
+	"&models;":                          true,
+	"&mopf;":                            true,
+	"&mp;":                              true,
+	"&mscr;":                            true,
+	"&mstpos;":                          true,
+	"&mu;":                              true,
+	"&multimap;":                        true,
+	"&mumap;":                           true,
+	"&nGg;":                             true,
+	"&nGt;":                             true,
+	"&nGtv;":                            true,
+	"&nLeftarrow;":                      true,
+	"&nLeftrightarrow;":                 true,
+	"&nLl;":                             true,
+	"&nLt;":                             true,
+	"&nLtv;":                            true,
+	"&nRightarrow;":                     true,
+	"&nVDash;":                          true,
+	"&nVdash;":                          true,
+	"&nabla;":                           true,
+	"&nacute;":                          true,
+	"&nang;":                            true,
+	"&nap;":                             true,
+	"&napE;":                            true,
+	"&napid;":                           true,
+	"&napos;":                           true,
+	"&napprox;":                         true,
+	"&natur;":                           true,
+	"&natural;":                         true,
+	"&naturals;":                        true,
+	"&nbsp":                             true,
+	"&nbsp;":                            true,
+	"&nbump;":                           true,
+	"&nbumpe;":                          true,
+	"&ncap;":                            true,
+	"&ncaron;":                          true,
+	"&ncedil;":                          true,
+	"&ncong;":                           true,
+	"&ncongdot;":                        true,
+	"&ncup;":                            true,
+	"&ncy;":                             true,
+	"&ndash;":                           true,
+	"&ne;":                              true,
+	"&neArr;":                           true,
+	"&nearhk;":                          true,
+	"&nearr;":                           true,
+	"&nearrow;":                         true,
+	"&nedot;":                           true,
+	"&nequiv;":                          true,
+	"&nesear;":                          true,
+	"&nesim;":                           true,
+	"&nexist;":                          true,
+	"&nexists;":                         true,
+	"&nfr;":                             true,
+	"&ngE;":                             true,
+	"&nge;":                             true,
+	"&ngeq;":                            true,
+	"&ngeqq;":                           true,
+	"&ngeqslant;":                       true,
+	"&nges;":                            true,
+	"&ngsim;":                           true,
+	"&ngt;":                             true,
+	"&ngtr;":                            true,
+	"&nhArr;":                           true,
+	"&nharr;":                           true,
+	"&nhpar;":                           true,
+	"&ni;":                              true,
+	"&nis;":                             true,
+	"&nisd;":                            true,
+	"&niv;":                             true,
+	"&njcy;":                            true,
+	"&nlArr;":                           true,
+	"&nlE;":                             true,
+	"&nlarr;":                           true,
+	"&nldr;":                            true,
+	"&nle;":                             true,
+	"&nleftarrow;":                      true,
+	"&nleftrightarrow;":                 true,
+	"&nleq;":                            true,
+	"&nleqq;":                           true,
+	"&nleqslant;":                       true,
+	"&nles;":                            true,
+	"&nless;":                           true,
+	"&nlsim;":                           true,
+	"&nlt;":                             true,
+	"&nltri;":                           true,
+	"&nltrie;":                          true,
+	"&nmid;":                            true,
+	"&nopf;":                            true,
+	"&not":                              true,
+	"&not;":                             true,
+	"&notin;":                           true,
+	"&notinE;":                          true,
+	"&notindot;":                        true,
+	"&notinva;":                         true,
+	"&notinvb;":                         true,
+	"&notinvc;":                         true,
+	"&notni;":                           true,
+	"&notniva;":                         true,
+	"&notnivb;":                         true,
+	"&notnivc;":                         true,
+	"&npar;":                            true,
+	"&nparallel;":                       true,
+	"&nparsl;":                          true,
+	"&npart;":                           true,
+	"&npolint;":                         true,
+	"&npr;":                             true,
+	"&nprcue;":                          true,
+	"&npre;":                            true,
+	"&nprec;":                           true,
+	"&npreceq;":                         true,
+	"&nrArr;":                           true,
+	"&nrarr;":                           true,
+	"&nrarrc;":                          true,
+	"&nrarrw;":                          true,
+	"&nrightarrow;":                     true,
+	"&nrtri;":                           true,
+	"&nrtrie;":                          true,
+	"&nsc;":                             true,
+	"&nsccue;":                          true,
+	"&nsce;":                            true,
+	"&nscr;":                            true,
+	"&nshortmid;":                       true,
+	"&nshortparallel;":                  true,
+	"&nsim;":                            true,
+	"&nsime;":                           true,
+	"&nsimeq;":                          true,
+	"&nsmid;":                           true,
+	"&nspar;":                           true,
+	"&nsqsube;":                         true,
+	"&nsqsupe;":                         true,
+	"&nsub;":                            true,
+	"&nsubE;":                           true,
+	"&nsube;":                           true,
+	"&nsubset;":                         true,
+	"&nsubseteq;":                       true,
+	"&nsubseteqq;":                      true,
+	"&nsucc;":                           true,
+	"&nsucceq;":                         true,
+	"&nsup;":                            true,
+	"&nsupE;":                           true,
+	"&nsupe;":                           true,
+	"&nsupset;":                         true,
+	"&nsupseteq;":                       true,
+	"&nsupseteqq;":                      true,
+	"&ntgl;":                            true,
+	"&ntilde":                           true,
+	"&ntilde;":                          true,
+	"&ntlg;":                            true,
+	"&ntriangleleft;":                   true,
+	"&ntrianglelefteq;":                 true,
+	"&ntriangleright;":                  true,
+	"&ntrianglerighteq;":                true,
+	"&nu;":                              true,
+	"&num;":                             true,
+	"&numero;":                          true,
+	"&numsp;":                           true,
+	"&nvDash;":                          true,
+	"&nvHarr;":                          true,
+	"&nvap;":                            true,
+	"&nvdash;":                          true,
+	"&nvge;":                            true,
+	"&nvgt;":                            true,
+	"&nvinfin;":                         true,
+	"&nvlArr;":                          true,
+	"&nvle;":                            true,
+	"&nvlt;":                            true,
+	"&nvltrie;":                         true,
+	"&nvrArr;":                          true,
+	"&nvrtrie;":                         true,
+	"&nvsim;":                           true,
+	"&nwArr;":                           true,
+	"&nwarhk;":                          true,
+	"&nwarr;":                           true,
+	"&nwarrow;":                         true,
+	"&nwnear;":                          true,
+	"&oS;":                              true,
+	"&oacute":                           true,
+	"&oacute;":                          true,
+	"&oast;":                            true,
+	"&ocir;":                            true,
+	"&ocirc":                            true,
+	"&ocirc;":                           true,
+	"&ocy;":                             true,
+	"&odash;":                           true,
+	"&odblac;":                          true,
+	"&odiv;":                            true,
+	"&odot;":                            true,
+	"&odsold;":                          true,
+	"&oelig;":                           true,
+	"&ofcir;":                           true,
+	"&ofr;":                             true,
+	"&ogon;":                            true,
+	"&ograve":                           true,
+	"&ograve;":                          true,
+	"&ogt;":                             true,
+	"&ohbar;":                           true,
+	"&ohm;":                             true,
+	"&oint;":                            true,
+	"&olarr;":                           true,
+	"&olcir;":                           true,
+	"&olcross;":                         true,
+	"&oline;":                           true,
+	"&olt;":                             true,
+	"&omacr;":                           true,
+	"&omega;":                           true,
+	"&omicron;":                         true,
+	"&omid;":                            true,
+	"&ominus;":                          true,
+	"&oopf;":                            true,
+	"&opar;":                            true,
+	"&operp;":                           true,
+	"&oplus;":                           true,
+	"&or;":                              true,
+	"&orarr;":                           true,
+	"&ord;":                             true,
+	"&order;":                           true,
+	"&orderof;":                         true,
+	"&ordf":                             true,
+	"&ordf;":                            true,
+	"&ordm":                             true,
+	"&ordm;":                            true,
+	"&origof;":                          true,
+	"&oror;":                            true,
+	"&orslope;":                         true,
+	"&orv;":                             true,
+	"&oscr;":                            true,
+	"&oslash":                           true,
+	"&oslash;":                          true,
+	"&osol;":                            true,
+	"&otilde":                           true,
+	"&otilde;":                          true,
+	"&otimes;":                          true,
+	"&otimesas;":                        true,
+	"&ouml":                             true,
+	"&ouml;":                            true,
+	"&ovbar;":                           true,
+	"&par;":                             true,
+	"&para":                             true,
+	"&para;":                            true,
+	"&parallel;":                        true,
+	"&parsim;":                          true,
+	"&parsl;":                           true,
+	"&part;":                            true,
+	"&pcy;":                             true,
+	"&percnt;":                          true,
+	"&period;":                          true,
+	"&permil;":                          true,
+	"&perp;":                            true,
+	"&pertenk;":                         true,
+	"&pfr;":                             true,
+	"&phi;":                             true,
+	"&phiv;":                            true,
+	"&phmmat;":                          true,
+	"&phone;":                           true,
+	"&pi;":                              true,
+	"&pitchfork;":                       true,
+	"&piv;":                             true,
+	"&planck;":                          true,
+	"&planckh;":                         true,
+	"&plankv;":                          true,
+	"&plus;":                            true,
+	"&plusacir;":                        true,
+	"&plusb;":                           true,
+	"&pluscir;":                         true,
+	"&plusdo;":                          true,
+	"&plusdu;":                          true,
+	"&pluse;":                           true,
+	"&plusmn":                           true,
+	"&plusmn;":                          true,
+	"&plussim;":                         true,
+	"&plustwo;":                         true,
+	"&pm;":                              true,
+	"&pointint;":                        true,
+	"&popf;":                            true,
+	"&pound":                            true,
+	"&pound;":                           true,
+	"&pr;":                              true,
+	"&prE;":                             true,
+	"&prap;":                            true,
+	"&prcue;":                           true,
+	"&pre;":                             true,
+	"&prec;":                            true,
+	"&precapprox;":                      true,
+	"&preccurlyeq;":                     true,
+	"&preceq;":                          true,
+	"&precnapprox;":                     true,
+	"&precneqq;":                        true,
+	"&precnsim;":                        true,
+	"&precsim;":                         true,
+	"&prime;":                           true,
+	"&primes;":                          true,
+	"&prnE;":                            true,
+	"&prnap;":                           true,
+	"&prnsim;":                          true,
+	"&prod;":                            true,
+	"&profalar;":                        true,
+	"&profline;":                        true,
+	"&profsurf;":                        true,
+	"&prop;":                            true,
+	"&propto;":                          true,
+	"&prsim;":                           true,
+	"&prurel;":                          true,
+	"&pscr;":                            true,
+	"&psi;":                             true,
+	"&puncsp;":                          true,
+	"&qfr;":                             true,
+	"&qint;":                            true,
+	"&qopf;":                            true,
+	"&qprime;":                          true,
+	"&qscr;":                            true,
+	"&quaternions;":                     true,
+	"&quatint;":                         true,
+	"&quest;":                           true,
+	"&questeq;":                         true,
+	"&quot":                             true,
+	"&quot;":                            true,
+	"&rAarr;":                           true,
+	"&rArr;":                            true,
+	"&rAtail;":                          true,
+	"&rBarr;":                           true,
+	"&rHar;":                            true,
+	"&race;":                            true,
+	"&racute;":                          true,
+	"&radic;":                           true,
+	"&raemptyv;":                        true,
+	"&rang;":                            true,
+	"&rangd;":                           true,
+	"&range;":                           true,
+	"&rangle;":                          true,
+	"&raquo":                            true,
+	"&raquo;":                           true,
+	"&rarr;":                            true,
+	"&rarrap;":                          true,
+	"&rarrb;":                           true,
+	"&rarrbfs;":                         true,
+	"&rarrc;":                           true,
+	"&rarrfs;":                          true,
+	"&rarrhk;":                          true,
+	"&rarrlp;":                          true,
+	"&rarrpl;":                          true,
+	"&rarrsim;":                         true,
+	"&rarrtl;":                          true,
+	"&rarrw;":                           true,
+	"&ratail;":                          true,
+	"&ratio;":                           true,
+	"&rationals;":                       true,
+	"&rbarr;":                           true,
+	"&rbbrk;":                           true,
+	"&rbrace;":                          true,
+	"&rbrack;":                          true,
+	"&rbrke;":                           true,
+	"&rbrksld;":                         true,
+	"&rbrkslu;":                         true,
+	"&rcaron;":                          true,
+	"&rcedil;":                          true,
+	"&rceil;":                           true,
+	"&rcub;":                            true,
+	"&rcy;":                             true,
+	"&rdca;":                            true,
+	"&rdldhar;":                         true,
+	"&rdquo;":                           true,
+	"&rdquor;":                          true,
+	"&rdsh;":                            true,
+	"&real;":                            true,
+	"&realine;":                         true,
+	"&realpart;":                        true,
+	"&reals;":                           true,
+	"&rect;":                            true,
+	"&reg":                              true,
+	"&reg;":                             true,
+	"&rfisht;":                          true,
+	"&rfloor;":                          true,
+	"&rfr;":                             true,
+	"&rhard;":                           true,
+	"&rharu;":                           true,
+	"&rharul;":                          true,
+	"&rho;":                             true,
+	"&rhov;":                            true,
+	"&rightarrow;":                      true,
+	"&rightarrowtail;":                  true,
+	"&rightharpoondown;":                true,
+	"&rightharpoonup;":                  true,
+	"&rightleftarrows;":                 true,
+	"&rightleftharpoons;":               true,
+	"&rightrightarrows;":                true,
+	"&rightsquigarrow;":                 true,
+	"&rightthreetimes;":                 true,
+	"&ring;":                            true,
+	"&risingdotseq;":                    true,
+	"&rlarr;":                           true,
+	"&rlhar;":                           true,
+	"&rlm;":                             true,
+	"&rmoust;":                          true,
+	"&rmoustache;":                      true,
+	"&rnmid;":                           true,
+	"&roang;":                           true,
+	"&roarr;":                           true,
+	"&robrk;":                           true,
+	"&ropar;":                           true,
+	"&ropf;":                            true,
+	"&roplus;":                          true,
+	"&rotimes;":                         true,
+	"&rpar;":                            true,
+	"&rpargt;":                          true,
+	"&rppolint;":                        true,
+	"&rrarr;":                           true,
+	"&rsaquo;":                          true,
+	"&rscr;":                            true,
+	"&rsh;":                             true,
+	"&rsqb;":                            true,
+	"&rsquo;":                           true,
+	"&rsquor;":                          true,
+	"&rthree;":                          true,
+	"&rtimes;":                          true,
+	"&rtri;":                            true,
+	"&rtrie;":                           true,
+	"&rtrif;":                           true,
+	"&rtriltri;":                        true,
+	"&ruluhar;":                         true,
+	"&rx;":                              true,
+	"&sacute;":                          true,
+	"&sbquo;":                           true,
+	"&sc;":                              true,
+	"&scE;":                             true,
+	"&scap;":                            true,
+	"&scaron;":                          true,
+	"&sccue;":                           true,
+	"&sce;":                             true,
+	"&scedil;":                          true,
+	"&scirc;":                           true,
+	"&scnE;":                            true,
+	"&scnap;":                           true,
+	"&scnsim;":                          true,
+	"&scpolint;":                        true,
+	"&scsim;":                           true,
+	"&scy;":                             true,
+	"&sdot;":                            true,
+	"&sdotb;":                           true,
+	"&sdote;":                           true,
+	"&seArr;":                           true,
+	"&searhk;":                          true,
+	"&searr;":                           true,
+	"&searrow;":                         true,
+	"&sect":                             true,
+	"&sect;":                            true,
+	"&semi;":                            true,
+	"&seswar;":                          true,
+	"&setminus;":                        true,
+	"&setmn;":                           true,
+	"&sext;":                            true,
+	"&sfr;":                             true,
+	"&sfrown;":                          true,
+	"&sharp;":                           true,
+	"&shchcy;":                          true,
+	"&shcy;":                            true,
+	"&shortmid;":                        true,
+	"&shortparallel;":                   true,
+	"&shy":                              true,
+	"&shy;":                             true,
+	"&sigma;":                           true,
+	"&sigmaf;":                          true,
+	"&sigmav;":                          true,
+	"&sim;":                             true,
+	"&simdot;":                          true,
+	"&sime;":                            true,
+	"&simeq;":                           true,
+	"&simg;":                            true,
+	"&simgE;":                           true,
+	"&siml;":                            true,
+	"&simlE;":                           true,
+	"&simne;":                           true,
+	"&simplus;":                         true,
+	"&simrarr;":                         true,
+	"&slarr;":                           true,
+	"&smallsetminus;":                   true,
+	"&smashp;":                          true,
+	"&smeparsl;":                        true,
+	"&smid;":                            true,
+	"&smile;":                           true,
+	"&smt;":                             true,
+	"&smte;":                            true,
+	"&smtes;":                           true,
+	"&softcy;":                          true,
+	"&sol;":                             true,
+	"&solb;":                            true,
+	"&solbar;":                          true,
+	"&sopf;":                            true,
+	"&spades;":                          true,
+	"&spadesuit;":                       true,
+	"&spar;":                            true,
+	"&sqcap;":                           true,
+	"&sqcaps;":                          true,
+	"&sqcup;":                           true,
+	"&sqcups;":                          true,
+	"&sqsub;":                           true,
+	"&sqsube;":                          true,
+	"&sqsubset;":                        true,
+	"&sqsubseteq;":                      true,
+	"&sqsup;":                           true,
+	"&sqsupe;":                          true,
+	"&sqsupset;":                        true,
+	"&sqsupseteq;":                      true,
+	"&squ;":                             true,
+	"&square;":                          true,
+	"&squarf;":                          true,
+	"&squf;":                            true,
+	"&srarr;":                           true,
+	"&sscr;":                            true,
+	"&ssetmn;":                          true,
+	"&ssmile;":                          true,
+	"&sstarf;":                          true,
+	"&star;":                            true,
+	"&starf;":                           true,
+	"&straightepsilon;":                 true,
+	"&straightphi;":                     true,
+	"&strns;":                           true,
+	"&sub;":                             true,
+	"&subE;":                            true,
+	"&subdot;":                          true,
+	"&sube;":                            true,
+	"&subedot;":                         true,
+	"&submult;":                         true,
+	"&subnE;":                           true,
+	"&subne;":                           true,
+	"&subplus;":                         true,
+	"&subrarr;":                         true,
+	"&subset;":                          true,
+	"&subseteq;":                        true,
+	"&subseteqq;":                       true,
+	"&subsetneq;":                       true,
+	"&subsetneqq;":                      true,
+	"&subsim;":                          true,
+	"&subsub;":                          true,
+	"&subsup;":                          true,
+	"&succ;":                            true,
+	"&succapprox;":                      true,
+	"&succcurlyeq;":                     true,
+	"&succeq;":                          true,
+	"&succnapprox;":                     true,
+	"&succneqq;":                        true,
+	"&succnsim;":                        true,
+	"&succsim;":                         true,
+	"&sum;":                             true,
+	"&sung;":                            true,
+	"&sup1":                             true,
+	"&sup1;":                            true,
+	"&sup2":                             true,
+	"&sup2;":                            true,
+	"&sup3":                             true,
+	"&sup3;":                            true,
+	"&sup;":                             true,
+	"&supE;":                            true,
+	"&supdot;":                          true,
+	"&supdsub;":                         true,
+	"&supe;":                            true,
+	"&supedot;":                         true,
+	"&suphsol;":                         true,
+	"&suphsub;":                         true,
+	"&suplarr;":                         true,
+	"&supmult;":                         true,
+	"&supnE;":                           true,
+	"&supne;":                           true,
+	"&supplus;":                         true,
+	"&supset;":                          true,
+	"&supseteq;":                        true,
+	"&supseteqq;":                       true,
+	"&supsetneq;":                       true,
+	"&supsetneqq;":                      true,
+	"&supsim;":                          true,
+	"&supsub;":                          true,
+	"&supsup;":                          true,
+	"&swArr;":                           true,
+	"&swarhk;":                          true,
+	"&swarr;":                           true,
+	"&swarrow;":                         true,
+	"&swnwar;":                          true,
+	"&szlig":                            true,
+	"&szlig;":                           true,
+	"&target;":                          true,
+	"&tau;":                             true,
+	"&tbrk;":                            true,
+	"&tcaron;":                          true,
+	"&tcedil;":                          true,
+	"&tcy;":                             true,
+	"&tdot;":                            true,
+	"&telrec;":                          true,
+	"&tfr;":                             true,
+	"&there4;":                          true,
+	"&therefore;":                       true,
+	"&theta;":                           true,
+	"&thetasym;":                        true,
+	"&thetav;":                          true,
+	"&thickapprox;":                     true,
+	"&thicksim;":                        true,
+	"&thinsp;":                          true,
+	"&thkap;":                           true,
+	"&thksim;":                          true,
+	"&thorn":                            true,
+	"&thorn;":                           true,
+	"&tilde;":                           true,
+	"&times":                            true,
+	"&times;":                           true,
+	"&timesb;":                          true,
+	"&timesbar;":                        true,
+	"&timesd;":                          true,
+	"&tint;":                            true,
+	"&toea;":                            true,
+	"&top;":                             true,
+	"&topbot;":                          true,
+	"&topcir;":                          true,
+	"&topf;":                            true,
+	"&topfork;":                         true,
+	"&tosa;":                            true,
+	"&tprime;":                          true,
+	"&trade;":                           true,
+	"&triangle;":                        true,
+	"&triangledown;":                    true,
+	"&triangleleft;":                    true,
+	"&trianglelefteq;":                  true,
+	"&triangleq;":                       true,
+	"&triangleright;":                   true,
+	"&trianglerighteq;":                 true,
+	"&tridot;":                          true,
+	"&trie;":                            true,
+	"&triminus;":                        true,
+	"&triplus;":                         true,
+	"&trisb;":                           true,
+	"&tritime;":                         true,
+	"&trpezium;":                        true,
+	"&tscr;":                            true,
+	"&tscy;":                            true,
+	"&tshcy;":                           true,
+	"&tstrok;":                          true,
+	"&twixt;":                           true,
+	"&twoheadleftarrow;":                true,
+	"&twoheadrightarrow;":               true,
+	"&uArr;":                            true,
+	"&uHar;":                            true,
+	"&uacute":                           true,
+	"&uacute;":                          true,
+	"&uarr;":                            true,
+	"&ubrcy;":                           true,
+	"&ubreve;":                          true,
+	"&ucirc":                            true,
+	"&ucirc;":                           true,
+	"&ucy;":                             true,
+	"&udarr;":                           true,
+	"&udblac;":                          true,
+	"&udhar;":                           true,
+	"&ufisht;":                          true,
+	"&ufr;":                             true,
+	"&ugrave":                           true,
+	"&ugrave;":                          true,
+	"&uharl;":                           true,
+	"&uharr;":                           true,
+	"&uhblk;":                           true,
+	"&ulcorn;":                          true,
+	"&ulcorner;":                        true,
+	"&ulcrop;":                          true,
+	"&ultri;":                           true,
+	"&umacr;":                           true,
+	"&uml":                              true,
+	"&uml;":                             true,
+	"&uogon;":                           true,
+	"&uopf;":                            true,
+	"&uparrow;":                         true,
+	"&updownarrow;":                     true,
+	"&upharpoonleft;":                   true,
+	"&upharpoonright;":                  true,
+	"&uplus;":                           true,
+	"&upsi;":                            true,
+	"&upsih;":                           true,
+	"&upsilon;":                         true,
+	"&upuparrows;":                      true,
+	"&urcorn;":                          true,
+	"&urcorner;":                        true,
+	"&urcrop;":                          true,
+	"&uring;":                           true,
+	"&urtri;":                           true,
+	"&uscr;":                            true,
+	"&utdot;":                           true,
+	"&utilde;":                          true,
+	"&utri;":                            true,
+	"&utrif;":                           true,
+	"&uuarr;":                           true,
+	"&uuml":                             true,
+	"&uuml;":                            true,
+	"&uwangle;":                         true,
+	"&vArr;":                            true,
+	"&vBar;":                            true,
+	"&vBarv;":                           true,
+	"&vDash;":                           true,
+	"&vangrt;":                          true,
+	"&varepsilon;":                      true,
+	"&varkappa;":                        true,
+	"&varnothing;":                      true,
+	"&varphi;":                          true,
+	"&varpi;":                           true,
+	"&varpropto;":                       true,
+	"&varr;":                            true,
+	"&varrho;":                          true,
+	"&varsigma;":                        true,
+	"&varsubsetneq;":                    true,
+	"&varsubsetneqq;":                   true,
+	"&varsupsetneq;":                    true,
+	"&varsupsetneqq;":                   true,
+	"&vartheta;":                        true,
+	"&vartriangleleft;":                 true,
+	"&vartriangleright;":                true,
+	"&vcy;":                             true,
+	"&vdash;":                           true,
+	"&vee;":                             true,
+	"&veebar;":                          true,
+	"&veeeq;":                           true,
+	"&vellip;":                          true,
+	"&verbar;":                          true,
+	"&vert;":                            true,
+	"&vfr;":                             true,
+	"&vltri;":                           true,
+	"&vnsub;":                           true,
+	"&vnsup;":                           true,
+	"&vopf;":                            true,
+	"&vprop;":                           true,
+	"&vrtri;":                           true,
+	"&vscr;":                            true,
+	"&vsubnE;":                          true,
+	"&vsubne;":                          true,
+	"&vsupnE;":                          true,
+	"&vsupne;":                          true,
+	"&vzigzag;":                         true,
+	"&wcirc;":                           true,
+	"&wedbar;":                          true,
+	"&wedge;":                           true,
+	"&wedgeq;":                          true,
+	"&weierp;":                          true,
+	"&wfr;":                             true,
+	"&wopf;":                            true,
+	"&wp;":                              true,
+	"&wr;":                              true,
+	"&wreath;":                          true,
+	"&wscr;":                            true,
+	"&xcap;":                            true,
+	"&xcirc;":                           true,
+	"&xcup;":                            true,
+	"&xdtri;":                           true,
+	"&xfr;":                             true,
+	"&xhArr;":                           true,
+	"&xharr;":                           true,
+	"&xi;":                              true,
+	"&xlArr;":                           true,
+	"&xlarr;":                           true,
+	"&xmap;":                            true,
+	"&xnis;":                            true,
+	"&xodot;":                           true,
+	"&xopf;":                            true,
+	"&xoplus;":                          true,
+	"&xotime;":                          true,
+	"&xrArr;":                           true,
+	"&xrarr;":                           true,
+	"&xscr;":                            true,
+	"&xsqcup;":                          true,
+	"&xuplus;":                          true,
+	"&xutri;":                           true,
+	"&xvee;":                            true,
+	"&xwedge;":                          true,
+	"&yacute":                           true,
+	"&yacute;":                          true,
+	"&yacy;":                            true,
+	"&ycirc;":                           true,
+	"&ycy;":                             true,
+	"&yen":                              true,
+	"&yen;":                             true,
+	"&yfr;":                             true,
+	"&yicy;":                            true,
+	"&yopf;":                            true,
+	"&yscr;":                            true,
+	"&yucy;":                            true,
+	"&yuml":                             true,
+	"&yuml;":                            true,
+	"&zacute;":                          true,
+	"&zcaron;":                          true,
+	"&zcy;":                             true,
+	"&zdot;":                            true,
+	"&zeetrf;":                          true,
+	"&zeta;":                            true,
+	"&zfr;":                             true,
+	"&zhcy;":                            true,
+	"&zigrarr;":                         true,
+	"&zopf;":                            true,
+	"&zscr;":                            true,
+	"&zwj;":                             true,
+	"&zwnj;":                            true,
+}
diff --git a/vendor/github.com/russross/blackfriday/v2/esc.go b/vendor/github.com/russross/blackfriday/v2/esc.go
new file mode 100644
index 0000000000..6ab60102c9
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/esc.go
@@ -0,0 +1,70 @@
+package blackfriday
+
+import (
+	"html"
+	"io"
+)
+
+var htmlEscaper = [256][]byte{
+	'&': []byte("&amp;"),
+	'<': []byte("&lt;"),
+	'>': []byte("&gt;"),
+	'"': []byte("&quot;"),
+}
+
+func escapeHTML(w io.Writer, s []byte) {
+	escapeEntities(w, s, false)
+}
+
+func escapeAllHTML(w io.Writer, s []byte) {
+	escapeEntities(w, s, true)
+}
+
+func escapeEntities(w io.Writer, s []byte, escapeValidEntities bool) {
+	var start, end int
+	for end < len(s) {
+		escSeq := htmlEscaper[s[end]]
+		if escSeq != nil {
+			isEntity, entityEnd := nodeIsEntity(s, end)
+			if isEntity && !escapeValidEntities {
+				w.Write(s[start : entityEnd+1])
+				start = entityEnd + 1
+			} else {
+				w.Write(s[start:end])
+				w.Write(escSeq)
+				start = end + 1
+			}
+		}
+		end++
+	}
+	if start < len(s) && end <= len(s) {
+		w.Write(s[start:end])
+	}
+}
+
+func nodeIsEntity(s []byte, end int) (isEntity bool, endEntityPos int) {
+	isEntity = false
+	endEntityPos = end + 1
+
+	if s[end] == '&' {
+		for endEntityPos < len(s) {
+			if s[endEntityPos] == ';' {
+				if entities[string(s[end:endEntityPos+1])] {
+					isEntity = true
+					break
+				}
+			}
+			if !isalnum(s[endEntityPos]) && s[endEntityPos] != '&' && s[endEntityPos] != '#' {
+				break
+			}
+			endEntityPos++
+		}
+	}
+
+	return isEntity, endEntityPos
+}
+
+func escLink(w io.Writer, text []byte) {
+	unesc := html.UnescapeString(string(text))
+	escapeHTML(w, []byte(unesc))
+}
diff --git a/vendor/github.com/russross/blackfriday/v2/html.go b/vendor/github.com/russross/blackfriday/v2/html.go
new file mode 100644
index 0000000000..cb4f26e30f
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/html.go
@@ -0,0 +1,952 @@
+//
+// Blackfriday Markdown Processor
+// Available at http://github.com/russross/blackfriday
+//
+// Copyright © 2011 Russ Ross <russ@russross.com>.
+// Distributed under the Simplified BSD License.
+// See README.md for details.
+//
+
+//
+//
+// HTML rendering backend
+//
+//
+
+package blackfriday
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"regexp"
+	"strings"
+)
+
+// HTMLFlags control optional behavior of HTML renderer.
+type HTMLFlags int
+
+// HTML renderer configuration options.
+const (
+	HTMLFlagsNone           HTMLFlags = 0
+	SkipHTML                HTMLFlags = 1 << iota // Skip preformatted HTML blocks
+	SkipImages                                    // Skip embedded images
+	SkipLinks                                     // Skip all links
+	Safelink                                      // Only link to trusted protocols
+	NofollowLinks                                 // Only link with rel="nofollow"
+	NoreferrerLinks                               // Only link with rel="noreferrer"
+	NoopenerLinks                                 // Only link with rel="noopener"
+	HrefTargetBlank                               // Add a blank target
+	CompletePage                                  // Generate a complete HTML page
+	UseXHTML                                      // Generate XHTML output instead of HTML
+	FootnoteReturnLinks                           // Generate a link at the end of a footnote to return to the source
+	Smartypants                                   // Enable smart punctuation substitutions
+	SmartypantsFractions                          // Enable smart fractions (with Smartypants)
+	SmartypantsDashes                             // Enable smart dashes (with Smartypants)
+	SmartypantsLatexDashes                        // Enable LaTeX-style dashes (with Smartypants)
+	SmartypantsAngledQuotes                       // Enable angled double quotes (with Smartypants) for double quotes rendering
+	SmartypantsQuotesNBSP                         // Enable « French guillemets » (with Smartypants)
+	TOC                                           // Generate a table of contents
+)
+
+var (
+	htmlTagRe = regexp.MustCompile("(?i)^" + htmlTag)
+)
+
+const (
+	htmlTag = "(?:" + openTag + "|" + closeTag + "|" + htmlComment + "|" +
+		processingInstruction + "|" + declaration + "|" + cdata + ")"
+	closeTag              = "</" + tagName + "\\s*[>]"
+	openTag               = "<" + tagName + attribute + "*" + "\\s*/?>"
+	attribute             = "(?:" + "\\s+" + attributeName + attributeValueSpec + "?)"
+	attributeValue        = "(?:" + unquotedValue + "|" + singleQuotedValue + "|" + doubleQuotedValue + ")"
+	attributeValueSpec    = "(?:" + "\\s*=" + "\\s*" + attributeValue + ")"
+	attributeName         = "[a-zA-Z_:][a-zA-Z0-9:._-]*"
+	cdata                 = "<!\\[CDATA\\[[\\s\\S]*?\\]\\]>"
+	declaration           = "<![A-Z]+" + "\\s+[^>]*>"
+	doubleQuotedValue     = "\"[^\"]*\""
+	htmlComment           = "<!---->|<!--(?:-?[^>-])(?:-?[^-])*-->"
+	processingInstruction = "[<][?].*?[?][>]"
+	singleQuotedValue     = "'[^']*'"
+	tagName               = "[A-Za-z][A-Za-z0-9-]*"
+	unquotedValue         = "[^\"'=<>`\\x00-\\x20]+"
+)
+
+// HTMLRendererParameters is a collection of supplementary parameters tweaking
+// the behavior of various parts of HTML renderer.
+type HTMLRendererParameters struct {
+	// Prepend this text to each relative URL.
+	AbsolutePrefix string
+	// Add this text to each footnote anchor, to ensure uniqueness.
+	FootnoteAnchorPrefix string
+	// Show this text inside the <a> tag for a footnote return link, if the
+	// HTML_FOOTNOTE_RETURN_LINKS flag is enabled. If blank, the string
+	// <sup>[return]</sup> is used.
+	FootnoteReturnLinkContents string
+	// If set, add this text to the front of each Heading ID, to ensure
+	// uniqueness.
+	HeadingIDPrefix string
+	// If set, add this text to the back of each Heading ID, to ensure uniqueness.
+	HeadingIDSuffix string
+	// Increase heading levels: if the offset is 1, <h1> becomes <h2> etc.
+	// Negative offset is also valid.
+	// Resulting levels are clipped between 1 and 6.
+	HeadingLevelOffset int
+
+	Title string // Document title (used if CompletePage is set)
+	CSS   string // Optional CSS file URL (used if CompletePage is set)
+	Icon  string // Optional icon file URL (used if CompletePage is set)
+
+	Flags HTMLFlags // Flags allow customizing this renderer's behavior
+}
+
+// HTMLRenderer is a type that implements the Renderer interface for HTML output.
+//
+// Do not create this directly, instead use the NewHTMLRenderer function.
+type HTMLRenderer struct {
+	HTMLRendererParameters
+
+	closeTag string // how to end singleton tags: either " />" or ">"
+
+	// Track heading IDs to prevent ID collision in a single generation.
+	headingIDs map[string]int
+
+	lastOutputLen int
+	disableTags   int
+
+	sr *SPRenderer
+}
+
+const (
+	xhtmlClose = " />"
+	htmlClose  = ">"
+)
+
+// NewHTMLRenderer creates and configures an HTMLRenderer object, which
+// satisfies the Renderer interface.
+func NewHTMLRenderer(params HTMLRendererParameters) *HTMLRenderer {
+	// configure the rendering engine
+	closeTag := htmlClose
+	if params.Flags&UseXHTML != 0 {
+		closeTag = xhtmlClose
+	}
+
+	if params.FootnoteReturnLinkContents == "" {
+		// U+FE0E is VARIATION SELECTOR-15.
+		// It suppresses automatic emoji presentation of the preceding
+		// U+21A9 LEFTWARDS ARROW WITH HOOK on iOS and iPadOS.
+		params.FootnoteReturnLinkContents = "<span aria-label='Return'>↩\ufe0e</span>"
+	}
+
+	return &HTMLRenderer{
+		HTMLRendererParameters: params,
+
+		closeTag:   closeTag,
+		headingIDs: make(map[string]int),
+
+		sr: NewSmartypantsRenderer(params.Flags),
+	}
+}
+
+func isHTMLTag(tag []byte, tagname string) bool {
+	found, _ := findHTMLTagPos(tag, tagname)
+	return found
+}
+
+// Look for a character, but ignore it when it's in any kind of quotes, it
+// might be JavaScript
+func skipUntilCharIgnoreQuotes(html []byte, start int, char byte) int {
+	inSingleQuote := false
+	inDoubleQuote := false
+	inGraveQuote := false
+	i := start
+	for i < len(html) {
+		switch {
+		case html[i] == char && !inSingleQuote && !inDoubleQuote && !inGraveQuote:
+			return i
+		case html[i] == '\'':
+			inSingleQuote = !inSingleQuote
+		case html[i] == '"':
+			inDoubleQuote = !inDoubleQuote
+		case html[i] == '`':
+			inGraveQuote = !inGraveQuote
+		}
+		i++
+	}
+	return start
+}
+
+func findHTMLTagPos(tag []byte, tagname string) (bool, int) {
+	i := 0
+	if i < len(tag) && tag[0] != '<' {
+		return false, -1
+	}
+	i++
+	i = skipSpace(tag, i)
+
+	if i < len(tag) && tag[i] == '/' {
+		i++
+	}
+
+	i = skipSpace(tag, i)
+	j := 0
+	for ; i < len(tag); i, j = i+1, j+1 {
+		if j >= len(tagname) {
+			break
+		}
+
+		if strings.ToLower(string(tag[i]))[0] != tagname[j] {
+			return false, -1
+		}
+	}
+
+	if i == len(tag) {
+		return false, -1
+	}
+
+	rightAngle := skipUntilCharIgnoreQuotes(tag, i, '>')
+	if rightAngle >= i {
+		return true, rightAngle
+	}
+
+	return false, -1
+}
+
+func skipSpace(tag []byte, i int) int {
+	for i < len(tag) && isspace(tag[i]) {
+		i++
+	}
+	return i
+}
+
+func isRelativeLink(link []byte) (yes bool) {
+	// a tag begin with '#'
+	if link[0] == '#' {
+		return true
+	}
+
+	// link begin with '/' but not '//', the second maybe a protocol relative link
+	if len(link) >= 2 && link[0] == '/' && link[1] != '/' {
+		return true
+	}
+
+	// only the root '/'
+	if len(link) == 1 && link[0] == '/' {
+		return true
+	}
+
+	// current directory : begin with "./"
+	if bytes.HasPrefix(link, []byte("./")) {
+		return true
+	}
+
+	// parent directory : begin with "../"
+	if bytes.HasPrefix(link, []byte("../")) {
+		return true
+	}
+
+	return false
+}
+
+func (r *HTMLRenderer) ensureUniqueHeadingID(id string) string {
+	for count, found := r.headingIDs[id]; found; count, found = r.headingIDs[id] {
+		tmp := fmt.Sprintf("%s-%d", id, count+1)
+
+		if _, tmpFound := r.headingIDs[tmp]; !tmpFound {
+			r.headingIDs[id] = count + 1
+			id = tmp
+		} else {
+			id = id + "-1"
+		}
+	}
+
+	if _, found := r.headingIDs[id]; !found {
+		r.headingIDs[id] = 0
+	}
+
+	return id
+}
+
+func (r *HTMLRenderer) addAbsPrefix(link []byte) []byte {
+	if r.AbsolutePrefix != "" && isRelativeLink(link) && link[0] != '.' {
+		newDest := r.AbsolutePrefix
+		if link[0] != '/' {
+			newDest += "/"
+		}
+		newDest += string(link)
+		return []byte(newDest)
+	}
+	return link
+}
+
+func appendLinkAttrs(attrs []string, flags HTMLFlags, link []byte) []string {
+	if isRelativeLink(link) {
+		return attrs
+	}
+	val := []string{}
+	if flags&NofollowLinks != 0 {
+		val = append(val, "nofollow")
+	}
+	if flags&NoreferrerLinks != 0 {
+		val = append(val, "noreferrer")
+	}
+	if flags&NoopenerLinks != 0 {
+		val = append(val, "noopener")
+	}
+	if flags&HrefTargetBlank != 0 {
+		attrs = append(attrs, "target=\"_blank\"")
+	}
+	if len(val) == 0 {
+		return attrs
+	}
+	attr := fmt.Sprintf("rel=%q", strings.Join(val, " "))
+	return append(attrs, attr)
+}
+
+func isMailto(link []byte) bool {
+	return bytes.HasPrefix(link, []byte("mailto:"))
+}
+
+func needSkipLink(flags HTMLFlags, dest []byte) bool {
+	if flags&SkipLinks != 0 {
+		return true
+	}
+	return flags&Safelink != 0 && !isSafeLink(dest) && !isMailto(dest)
+}
+
+func isSmartypantable(node *Node) bool {
+	pt := node.Parent.Type
+	return pt != Link && pt != CodeBlock && pt != Code
+}
+
+func appendLanguageAttr(attrs []string, info []byte) []string {
+	if len(info) == 0 {
+		return attrs
+	}
+	endOfLang := bytes.IndexAny(info, "\t ")
+	if endOfLang < 0 {
+		endOfLang = len(info)
+	}
+	return append(attrs, fmt.Sprintf("class=\"language-%s\"", info[:endOfLang]))
+}
+
+func (r *HTMLRenderer) tag(w io.Writer, name []byte, attrs []string) {
+	w.Write(name)
+	if len(attrs) > 0 {
+		w.Write(spaceBytes)
+		w.Write([]byte(strings.Join(attrs, " ")))
+	}
+	w.Write(gtBytes)
+	r.lastOutputLen = 1
+}
+
+func footnoteRef(prefix string, node *Node) []byte {
+	urlFrag := prefix + string(slugify(node.Destination))
+	anchor := fmt.Sprintf(`<a href="#fn:%s">%d</a>`, urlFrag, node.NoteID)
+	return []byte(fmt.Sprintf(`<sup class="footnote-ref" id="fnref:%s">%s</sup>`, urlFrag, anchor))
+}
+
+func footnoteItem(prefix string, slug []byte) []byte {
+	return []byte(fmt.Sprintf(`<li id="fn:%s%s">`, prefix, slug))
+}
+
+func footnoteReturnLink(prefix, returnLink string, slug []byte) []byte {
+	const format = ` <a class="footnote-return" href="#fnref:%s%s">%s</a>`
+	return []byte(fmt.Sprintf(format, prefix, slug, returnLink))
+}
+
+func itemOpenCR(node *Node) bool {
+	if node.Prev == nil {
+		return false
+	}
+	ld := node.Parent.ListData
+	return !ld.Tight && ld.ListFlags&ListTypeDefinition == 0
+}
+
+func skipParagraphTags(node *Node) bool {
+	grandparent := node.Parent.Parent
+	if grandparent == nil || grandparent.Type != List {
+		return false
+	}
+	tightOrTerm := grandparent.Tight || node.Parent.ListFlags&ListTypeTerm != 0
+	return grandparent.Type == List && tightOrTerm
+}
+
+func cellAlignment(align CellAlignFlags) string {
+	switch align {
+	case TableAlignmentLeft:
+		return "left"
+	case TableAlignmentRight:
+		return "right"
+	case TableAlignmentCenter:
+		return "center"
+	default:
+		return ""
+	}
+}
+
+func (r *HTMLRenderer) out(w io.Writer, text []byte) {
+	if r.disableTags > 0 {
+		w.Write(htmlTagRe.ReplaceAll(text, []byte{}))
+	} else {
+		w.Write(text)
+	}
+	r.lastOutputLen = len(text)
+}
+
+func (r *HTMLRenderer) cr(w io.Writer) {
+	if r.lastOutputLen > 0 {
+		r.out(w, nlBytes)
+	}
+}
+
+var (
+	nlBytes    = []byte{'\n'}
+	gtBytes    = []byte{'>'}
+	spaceBytes = []byte{' '}
+)
+
+var (
+	brTag              = []byte("<br>")
+	brXHTMLTag         = []byte("<br />")
+	emTag              = []byte("<em>")
+	emCloseTag         = []byte("</em>")
+	strongTag          = []byte("<strong>")
+	strongCloseTag     = []byte("</strong>")
+	delTag             = []byte("<del>")
+	delCloseTag        = []byte("</del>")
+	ttTag              = []byte("<tt>")
+	ttCloseTag         = []byte("</tt>")
+	aTag               = []byte("<a")
+	aCloseTag          = []byte("</a>")
+	preTag             = []byte("<pre>")
+	preCloseTag        = []byte("</pre>")
+	codeTag            = []byte("<code>")
+	codeCloseTag       = []byte("</code>")
+	pTag               = []byte("<p>")
+	pCloseTag          = []byte("</p>")
+	blockquoteTag      = []byte("<blockquote>")
+	blockquoteCloseTag = []byte("</blockquote>")
+	hrTag              = []byte("<hr>")
+	hrXHTMLTag         = []byte("<hr />")
+	ulTag              = []byte("<ul>")
+	ulCloseTag         = []byte("</ul>")
+	olTag              = []byte("<ol>")
+	olCloseTag         = []byte("</ol>")
+	dlTag              = []byte("<dl>")
+	dlCloseTag         = []byte("</dl>")
+	liTag              = []byte("<li>")
+	liCloseTag         = []byte("</li>")
+	ddTag              = []byte("<dd>")
+	ddCloseTag         = []byte("</dd>")
+	dtTag              = []byte("<dt>")
+	dtCloseTag         = []byte("</dt>")
+	tableTag           = []byte("<table>")
+	tableCloseTag      = []byte("</table>")
+	tdTag              = []byte("<td")
+	tdCloseTag         = []byte("</td>")
+	thTag              = []byte("<th")
+	thCloseTag         = []byte("</th>")
+	theadTag           = []byte("<thead>")
+	theadCloseTag      = []byte("</thead>")
+	tbodyTag           = []byte("<tbody>")
+	tbodyCloseTag      = []byte("</tbody>")
+	trTag              = []byte("<tr>")
+	trCloseTag         = []byte("</tr>")
+	h1Tag              = []byte("<h1")
+	h1CloseTag         = []byte("</h1>")
+	h2Tag              = []byte("<h2")
+	h2CloseTag         = []byte("</h2>")
+	h3Tag              = []byte("<h3")
+	h3CloseTag         = []byte("</h3>")
+	h4Tag              = []byte("<h4")
+	h4CloseTag         = []byte("</h4>")
+	h5Tag              = []byte("<h5")
+	h5CloseTag         = []byte("</h5>")
+	h6Tag              = []byte("<h6")
+	h6CloseTag         = []byte("</h6>")
+
+	footnotesDivBytes      = []byte("\n<div class=\"footnotes\">\n\n")
+	footnotesCloseDivBytes = []byte("\n</div>\n")
+)
+
+func headingTagsFromLevel(level int) ([]byte, []byte) {
+	if level <= 1 {
+		return h1Tag, h1CloseTag
+	}
+	switch level {
+	case 2:
+		return h2Tag, h2CloseTag
+	case 3:
+		return h3Tag, h3CloseTag
+	case 4:
+		return h4Tag, h4CloseTag
+	case 5:
+		return h5Tag, h5CloseTag
+	}
+	return h6Tag, h6CloseTag
+}
+
+func (r *HTMLRenderer) outHRTag(w io.Writer) {
+	if r.Flags&UseXHTML == 0 {
+		r.out(w, hrTag)
+	} else {
+		r.out(w, hrXHTMLTag)
+	}
+}
+
+// RenderNode is a default renderer of a single node of a syntax tree. For
+// block nodes it will be called twice: first time with entering=true, second
+// time with entering=false, so that it could know when it's working on an open
+// tag and when on close. It writes the result to w.
+//
+// The return value is a way to tell the calling walker to adjust its walk
+// pattern: e.g. it can terminate the traversal by returning Terminate. Or it
+// can ask the walker to skip a subtree of this node by returning SkipChildren.
+// The typical behavior is to return GoToNext, which asks for the usual
+// traversal to the next node.
+func (r *HTMLRenderer) RenderNode(w io.Writer, node *Node, entering bool) WalkStatus {
+	attrs := []string{}
+	switch node.Type {
+	case Text:
+		if r.Flags&Smartypants != 0 {
+			var tmp bytes.Buffer
+			escapeHTML(&tmp, node.Literal)
+			r.sr.Process(w, tmp.Bytes())
+		} else {
+			if node.Parent.Type == Link {
+				escLink(w, node.Literal)
+			} else {
+				escapeHTML(w, node.Literal)
+			}
+		}
+	case Softbreak:
+		r.cr(w)
+		// TODO: make it configurable via out(renderer.softbreak)
+	case Hardbreak:
+		if r.Flags&UseXHTML == 0 {
+			r.out(w, brTag)
+		} else {
+			r.out(w, brXHTMLTag)
+		}
+		r.cr(w)
+	case Emph:
+		if entering {
+			r.out(w, emTag)
+		} else {
+			r.out(w, emCloseTag)
+		}
+	case Strong:
+		if entering {
+			r.out(w, strongTag)
+		} else {
+			r.out(w, strongCloseTag)
+		}
+	case Del:
+		if entering {
+			r.out(w, delTag)
+		} else {
+			r.out(w, delCloseTag)
+		}
+	case HTMLSpan:
+		if r.Flags&SkipHTML != 0 {
+			break
+		}
+		r.out(w, node.Literal)
+	case Link:
+		// mark it but don't link it if it is not a safe link: no smartypants
+		dest := node.LinkData.Destination
+		if needSkipLink(r.Flags, dest) {
+			if entering {
+				r.out(w, ttTag)
+			} else {
+				r.out(w, ttCloseTag)
+			}
+		} else {
+			if entering {
+				dest = r.addAbsPrefix(dest)
+				var hrefBuf bytes.Buffer
+				hrefBuf.WriteString("href=\"")
+				escLink(&hrefBuf, dest)
+				hrefBuf.WriteByte('"')
+				attrs = append(attrs, hrefBuf.String())
+				if node.NoteID != 0 {
+					r.out(w, footnoteRef(r.FootnoteAnchorPrefix, node))
+					break
+				}
+				attrs = appendLinkAttrs(attrs, r.Flags, dest)
+				if len(node.LinkData.Title) > 0 {
+					var titleBuff bytes.Buffer
+					titleBuff.WriteString("title=\"")
+					escapeHTML(&titleBuff, node.LinkData.Title)
+					titleBuff.WriteByte('"')
+					attrs = append(attrs, titleBuff.String())
+				}
+				r.tag(w, aTag, attrs)
+			} else {
+				if node.NoteID != 0 {
+					break
+				}
+				r.out(w, aCloseTag)
+			}
+		}
+	case Image:
+		if r.Flags&SkipImages != 0 {
+			return SkipChildren
+		}
+		if entering {
+			dest := node.LinkData.Destination
+			dest = r.addAbsPrefix(dest)
+			if r.disableTags == 0 {
+				//if options.safe && potentiallyUnsafe(dest) {
+				//out(w, `<img src="" alt="`)
+				//} else {
+				r.out(w, []byte(`<img src="`))
+				escLink(w, dest)
+				r.out(w, []byte(`" alt="`))
+				//}
+			}
+			r.disableTags++
+		} else {
+			r.disableTags--
+			if r.disableTags == 0 {
+				if node.LinkData.Title != nil {
+					r.out(w, []byte(`" title="`))
+					escapeHTML(w, node.LinkData.Title)
+				}
+				r.out(w, []byte(`" />`))
+			}
+		}
+	case Code:
+		r.out(w, codeTag)
+		escapeAllHTML(w, node.Literal)
+		r.out(w, codeCloseTag)
+	case Document:
+		break
+	case Paragraph:
+		if skipParagraphTags(node) {
+			break
+		}
+		if entering {
+			// TODO: untangle this clusterfuck about when the newlines need
+			// to be added and when not.
+			if node.Prev != nil {
+				switch node.Prev.Type {
+				case HTMLBlock, List, Paragraph, Heading, CodeBlock, BlockQuote, HorizontalRule:
+					r.cr(w)
+				}
+			}
+			if node.Parent.Type == BlockQuote && node.Prev == nil {
+				r.cr(w)
+			}
+			r.out(w, pTag)
+		} else {
+			r.out(w, pCloseTag)
+			if !(node.Parent.Type == Item && node.Next == nil) {
+				r.cr(w)
+			}
+		}
+	case BlockQuote:
+		if entering {
+			r.cr(w)
+			r.out(w, blockquoteTag)
+		} else {
+			r.out(w, blockquoteCloseTag)
+			r.cr(w)
+		}
+	case HTMLBlock:
+		if r.Flags&SkipHTML != 0 {
+			break
+		}
+		r.cr(w)
+		r.out(w, node.Literal)
+		r.cr(w)
+	case Heading:
+		headingLevel := r.HTMLRendererParameters.HeadingLevelOffset + node.Level
+		openTag, closeTag := headingTagsFromLevel(headingLevel)
+		if entering {
+			if node.IsTitleblock {
+				attrs = append(attrs, `class="title"`)
+			}
+			if node.HeadingID != "" {
+				id := r.ensureUniqueHeadingID(node.HeadingID)
+				if r.HeadingIDPrefix != "" {
+					id = r.HeadingIDPrefix + id
+				}
+				if r.HeadingIDSuffix != "" {
+					id = id + r.HeadingIDSuffix
+				}
+				attrs = append(attrs, fmt.Sprintf(`id="%s"`, id))
+			}
+			r.cr(w)
+			r.tag(w, openTag, attrs)
+		} else {
+			r.out(w, closeTag)
+			if !(node.Parent.Type == Item && node.Next == nil) {
+				r.cr(w)
+			}
+		}
+	case HorizontalRule:
+		r.cr(w)
+		r.outHRTag(w)
+		r.cr(w)
+	case List:
+		openTag := ulTag
+		closeTag := ulCloseTag
+		if node.ListFlags&ListTypeOrdered != 0 {
+			openTag = olTag
+			closeTag = olCloseTag
+		}
+		if node.ListFlags&ListTypeDefinition != 0 {
+			openTag = dlTag
+			closeTag = dlCloseTag
+		}
+		if entering {
+			if node.IsFootnotesList {
+				r.out(w, footnotesDivBytes)
+				r.outHRTag(w)
+				r.cr(w)
+			}
+			r.cr(w)
+			if node.Parent.Type == Item && node.Parent.Parent.Tight {
+				r.cr(w)
+			}
+			r.tag(w, openTag[:len(openTag)-1], attrs)
+			r.cr(w)
+		} else {
+			r.out(w, closeTag)
+			//cr(w)
+			//if node.parent.Type != Item {
+			//	cr(w)
+			//}
+			if node.Parent.Type == Item && node.Next != nil {
+				r.cr(w)
+			}
+			if node.Parent.Type == Document || node.Parent.Type == BlockQuote {
+				r.cr(w)
+			}
+			if node.IsFootnotesList {
+				r.out(w, footnotesCloseDivBytes)
+			}
+		}
+	case Item:
+		openTag := liTag
+		closeTag := liCloseTag
+		if node.ListFlags&ListTypeDefinition != 0 {
+			openTag = ddTag
+			closeTag = ddCloseTag
+		}
+		if node.ListFlags&ListTypeTerm != 0 {
+			openTag = dtTag
+			closeTag = dtCloseTag
+		}
+		if entering {
+			if itemOpenCR(node) {
+				r.cr(w)
+			}
+			if node.ListData.RefLink != nil {
+				slug := slugify(node.ListData.RefLink)
+				r.out(w, footnoteItem(r.FootnoteAnchorPrefix, slug))
+				break
+			}
+			r.out(w, openTag)
+		} else {
+			if node.ListData.RefLink != nil {
+				slug := slugify(node.ListData.RefLink)
+				if r.Flags&FootnoteReturnLinks != 0 {
+					r.out(w, footnoteReturnLink(r.FootnoteAnchorPrefix, r.FootnoteReturnLinkContents, slug))
+				}
+			}
+			r.out(w, closeTag)
+			r.cr(w)
+		}
+	case CodeBlock:
+		attrs = appendLanguageAttr(attrs, node.Info)
+		r.cr(w)
+		r.out(w, preTag)
+		r.tag(w, codeTag[:len(codeTag)-1], attrs)
+		escapeAllHTML(w, node.Literal)
+		r.out(w, codeCloseTag)
+		r.out(w, preCloseTag)
+		if node.Parent.Type != Item {
+			r.cr(w)
+		}
+	case Table:
+		if entering {
+			r.cr(w)
+			r.out(w, tableTag)
+		} else {
+			r.out(w, tableCloseTag)
+			r.cr(w)
+		}
+	case TableCell:
+		openTag := tdTag
+		closeTag := tdCloseTag
+		if node.IsHeader {
+			openTag = thTag
+			closeTag = thCloseTag
+		}
+		if entering {
+			align := cellAlignment(node.Align)
+			if align != "" {
+				attrs = append(attrs, fmt.Sprintf(`align="%s"`, align))
+			}
+			if node.Prev == nil {
+				r.cr(w)
+			}
+			r.tag(w, openTag, attrs)
+		} else {
+			r.out(w, closeTag)
+			r.cr(w)
+		}
+	case TableHead:
+		if entering {
+			r.cr(w)
+			r.out(w, theadTag)
+		} else {
+			r.out(w, theadCloseTag)
+			r.cr(w)
+		}
+	case TableBody:
+		if entering {
+			r.cr(w)
+			r.out(w, tbodyTag)
+			// XXX: this is to adhere to a rather silly test. Should fix test.
+			if node.FirstChild == nil {
+				r.cr(w)
+			}
+		} else {
+			r.out(w, tbodyCloseTag)
+			r.cr(w)
+		}
+	case TableRow:
+		if entering {
+			r.cr(w)
+			r.out(w, trTag)
+		} else {
+			r.out(w, trCloseTag)
+			r.cr(w)
+		}
+	default:
+		panic("Unknown node type " + node.Type.String())
+	}
+	return GoToNext
+}
+
+// RenderHeader writes HTML document preamble and TOC if requested.
+func (r *HTMLRenderer) RenderHeader(w io.Writer, ast *Node) {
+	r.writeDocumentHeader(w)
+	if r.Flags&TOC != 0 {
+		r.writeTOC(w, ast)
+	}
+}
+
+// RenderFooter writes HTML document footer.
+func (r *HTMLRenderer) RenderFooter(w io.Writer, ast *Node) {
+	if r.Flags&CompletePage == 0 {
+		return
+	}
+	io.WriteString(w, "\n</body>\n</html>\n")
+}
+
+func (r *HTMLRenderer) writeDocumentHeader(w io.Writer) {
+	if r.Flags&CompletePage == 0 {
+		return
+	}
+	ending := ""
+	if r.Flags&UseXHTML != 0 {
+		io.WriteString(w, "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" ")
+		io.WriteString(w, "\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n")
+		io.WriteString(w, "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n")
+		ending = " /"
+	} else {
+		io.WriteString(w, "<!DOCTYPE html>\n")
+		io.WriteString(w, "<html>\n")
+	}
+	io.WriteString(w, "<head>\n")
+	io.WriteString(w, "  <title>")
+	if r.Flags&Smartypants != 0 {
+		r.sr.Process(w, []byte(r.Title))
+	} else {
+		escapeHTML(w, []byte(r.Title))
+	}
+	io.WriteString(w, "</title>\n")
+	io.WriteString(w, "  <meta name=\"GENERATOR\" content=\"Blackfriday Markdown Processor v")
+	io.WriteString(w, Version)
+	io.WriteString(w, "\"")
+	io.WriteString(w, ending)
+	io.WriteString(w, ">\n")
+	io.WriteString(w, "  <meta charset=\"utf-8\"")
+	io.WriteString(w, ending)
+	io.WriteString(w, ">\n")
+	if r.CSS != "" {
+		io.WriteString(w, "  <link rel=\"stylesheet\" type=\"text/css\" href=\"")
+		escapeHTML(w, []byte(r.CSS))
+		io.WriteString(w, "\"")
+		io.WriteString(w, ending)
+		io.WriteString(w, ">\n")
+	}
+	if r.Icon != "" {
+		io.WriteString(w, "  <link rel=\"icon\" type=\"image/x-icon\" href=\"")
+		escapeHTML(w, []byte(r.Icon))
+		io.WriteString(w, "\"")
+		io.WriteString(w, ending)
+		io.WriteString(w, ">\n")
+	}
+	io.WriteString(w, "</head>\n")
+	io.WriteString(w, "<body>\n\n")
+}
+
+func (r *HTMLRenderer) writeTOC(w io.Writer, ast *Node) {
+	buf := bytes.Buffer{}
+
+	inHeading := false
+	tocLevel := 0
+	headingCount := 0
+
+	ast.Walk(func(node *Node, entering bool) WalkStatus {
+		if node.Type == Heading && !node.HeadingData.IsTitleblock {
+			inHeading = entering
+			if entering {
+				node.HeadingID = fmt.Sprintf("toc_%d", headingCount)
+				if node.Level == tocLevel {
+					buf.WriteString("</li>\n\n<li>")
+				} else if node.Level < tocLevel {
+					for node.Level < tocLevel {
+						tocLevel--
+						buf.WriteString("</li>\n</ul>")
+					}
+					buf.WriteString("</li>\n\n<li>")
+				} else {
+					for node.Level > tocLevel {
+						tocLevel++
+						buf.WriteString("\n<ul>\n<li>")
+					}
+				}
+
+				fmt.Fprintf(&buf, `<a href="#toc_%d">`, headingCount)
+				headingCount++
+			} else {
+				buf.WriteString("</a>")
+			}
+			return GoToNext
+		}
+
+		if inHeading {
+			return r.RenderNode(&buf, node, entering)
+		}
+
+		return GoToNext
+	})
+
+	for ; tocLevel > 0; tocLevel-- {
+		buf.WriteString("</li>\n</ul>")
+	}
+
+	if buf.Len() > 0 {
+		io.WriteString(w, "<nav>\n")
+		w.Write(buf.Bytes())
+		io.WriteString(w, "\n\n</nav>\n")
+	}
+	r.lastOutputLen = buf.Len()
+}
diff --git a/vendor/github.com/russross/blackfriday/v2/inline.go b/vendor/github.com/russross/blackfriday/v2/inline.go
new file mode 100644
index 0000000000..d45bd94172
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/inline.go
@@ -0,0 +1,1228 @@
+//
+// Blackfriday Markdown Processor
+// Available at http://github.com/russross/blackfriday
+//
+// Copyright © 2011 Russ Ross <russ@russross.com>.
+// Distributed under the Simplified BSD License.
+// See README.md for details.
+//
+
+//
+// Functions to parse inline elements.
+//
+
+package blackfriday
+
+import (
+	"bytes"
+	"regexp"
+	"strconv"
+)
+
+var (
+	urlRe    = `((https?|ftp):\/\/|\/)[-A-Za-z0-9+&@#\/%?=~_|!:,.;\(\)]+`
+	anchorRe = regexp.MustCompile(`^(<a\shref="` + urlRe + `"(\stitle="[^"<>]+")?\s?>` + urlRe + `<\/a>)`)
+
+	// https://www.w3.org/TR/html5/syntax.html#character-references
+	// highest unicode code point in 17 planes (2^20): 1,114,112d =
+	// 7 dec digits or 6 hex digits
+	// named entity references can be 2-31 characters with stuff like &lt;
+	// at one end and &CounterClockwiseContourIntegral; at the other. There
+	// are also sometimes numbers at the end, although this isn't inherent
+	// in the specification; there are never numbers anywhere else in
+	// current character references, though; see &frac34; and &blk12;, etc.
+	// https://www.w3.org/TR/html5/syntax.html#named-character-references
+	//
+	// entity := "&" (named group | number ref) ";"
+	// named group := [a-zA-Z]{2,31}[0-9]{0,2}
+	// number ref := "#" (dec ref | hex ref)
+	// dec ref := [0-9]{1,7}
+	// hex ref := ("x" | "X") [0-9a-fA-F]{1,6}
+	htmlEntityRe = regexp.MustCompile(`&([a-zA-Z]{2,31}[0-9]{0,2}|#([0-9]{1,7}|[xX][0-9a-fA-F]{1,6}));`)
+)
+
+// Functions to parse text within a block
+// Each function returns the number of chars taken care of
+// data is the complete block being rendered
+// offset is the number of valid chars before the current cursor
+
+func (p *Markdown) inline(currBlock *Node, data []byte) {
+	// handlers might call us recursively: enforce a maximum depth
+	if p.nesting >= p.maxNesting || len(data) == 0 {
+		return
+	}
+	p.nesting++
+	beg, end := 0, 0
+	for end < len(data) {
+		handler := p.inlineCallback[data[end]]
+		if handler != nil {
+			if consumed, node := handler(p, data, end); consumed == 0 {
+				// No action from the callback.
+				end++
+			} else {
+				// Copy inactive chars into the output.
+				currBlock.AppendChild(text(data[beg:end]))
+				if node != nil {
+					currBlock.AppendChild(node)
+				}
+				// Skip past whatever the callback used.
+				beg = end + consumed
+				end = beg
+			}
+		} else {
+			end++
+		}
+	}
+	if beg < len(data) {
+		if data[end-1] == '\n' {
+			end--
+		}
+		currBlock.AppendChild(text(data[beg:end]))
+	}
+	p.nesting--
+}
+
+// single and double emphasis parsing
+func emphasis(p *Markdown, data []byte, offset int) (int, *Node) {
+	data = data[offset:]
+	c := data[0]
+
+	if len(data) > 2 && data[1] != c {
+		// whitespace cannot follow an opening emphasis;
+		// strikethrough only takes two characters '~~'
+		if c == '~' || isspace(data[1]) {
+			return 0, nil
+		}
+		ret, node := helperEmphasis(p, data[1:], c)
+		if ret == 0 {
+			return 0, nil
+		}
+
+		return ret + 1, node
+	}
+
+	if len(data) > 3 && data[1] == c && data[2] != c {
+		if isspace(data[2]) {
+			return 0, nil
+		}
+		ret, node := helperDoubleEmphasis(p, data[2:], c)
+		if ret == 0 {
+			return 0, nil
+		}
+
+		return ret + 2, node
+	}
+
+	if len(data) > 4 && data[1] == c && data[2] == c && data[3] != c {
+		if c == '~' || isspace(data[3]) {
+			return 0, nil
+		}
+		ret, node := helperTripleEmphasis(p, data, 3, c)
+		if ret == 0 {
+			return 0, nil
+		}
+
+		return ret + 3, node
+	}
+
+	return 0, nil
+}
+
+func codeSpan(p *Markdown, data []byte, offset int) (int, *Node) {
+	data = data[offset:]
+
+	nb := 0
+
+	// count the number of backticks in the delimiter
+	for nb < len(data) && data[nb] == '`' {
+		nb++
+	}
+
+	// find the next delimiter
+	i, end := 0, 0
+	for end = nb; end < len(data) && i < nb; end++ {
+		if data[end] == '`' {
+			i++
+		} else {
+			i = 0
+		}
+	}
+
+	// no matching delimiter?
+	if i < nb && end >= len(data) {
+		return 0, nil
+	}
+
+	// trim outside whitespace
+	fBegin := nb
+	for fBegin < end && data[fBegin] == ' ' {
+		fBegin++
+	}
+
+	fEnd := end - nb
+	for fEnd > fBegin && data[fEnd-1] == ' ' {
+		fEnd--
+	}
+
+	// render the code span
+	if fBegin != fEnd {
+		code := NewNode(Code)
+		code.Literal = data[fBegin:fEnd]
+		return end, code
+	}
+
+	return end, nil
+}
+
+// newline preceded by two spaces becomes <br>
+func maybeLineBreak(p *Markdown, data []byte, offset int) (int, *Node) {
+	origOffset := offset
+	for offset < len(data) && data[offset] == ' ' {
+		offset++
+	}
+
+	if offset < len(data) && data[offset] == '\n' {
+		if offset-origOffset >= 2 {
+			return offset - origOffset + 1, NewNode(Hardbreak)
+		}
+		return offset - origOffset, nil
+	}
+	return 0, nil
+}
+
+// newline without two spaces works when HardLineBreak is enabled
+func lineBreak(p *Markdown, data []byte, offset int) (int, *Node) {
+	if p.extensions&HardLineBreak != 0 {
+		return 1, NewNode(Hardbreak)
+	}
+	return 0, nil
+}
+
+type linkType int
+
+const (
+	linkNormal linkType = iota
+	linkImg
+	linkDeferredFootnote
+	linkInlineFootnote
+)
+
+func isReferenceStyleLink(data []byte, pos int, t linkType) bool {
+	if t == linkDeferredFootnote {
+		return false
+	}
+	return pos < len(data)-1 && data[pos] == '[' && data[pos+1] != '^'
+}
+
+func maybeImage(p *Markdown, data []byte, offset int) (int, *Node) {
+	if offset < len(data)-1 && data[offset+1] == '[' {
+		return link(p, data, offset)
+	}
+	return 0, nil
+}
+
+func maybeInlineFootnote(p *Markdown, data []byte, offset int) (int, *Node) {
+	if offset < len(data)-1 && data[offset+1] == '[' {
+		return link(p, data, offset)
+	}
+	return 0, nil
+}
+
+// '[': parse a link or an image or a footnote
+func link(p *Markdown, data []byte, offset int) (int, *Node) {
+	// no links allowed inside regular links, footnote, and deferred footnotes
+	if p.insideLink && (offset > 0 && data[offset-1] == '[' || len(data)-1 > offset && data[offset+1] == '^') {
+		return 0, nil
+	}
+
+	var t linkType
+	switch {
+	// special case: ![^text] == deferred footnote (that follows something with
+	// an exclamation point)
+	case p.extensions&Footnotes != 0 && len(data)-1 > offset && data[offset+1] == '^':
+		t = linkDeferredFootnote
+	// ![alt] == image
+	case offset >= 0 && data[offset] == '!':
+		t = linkImg
+		offset++
+	// ^[text] == inline footnote
+	// [^refId] == deferred footnote
+	case p.extensions&Footnotes != 0:
+		if offset >= 0 && data[offset] == '^' {
+			t = linkInlineFootnote
+			offset++
+		} else if len(data)-1 > offset && data[offset+1] == '^' {
+			t = linkDeferredFootnote
+		}
+	// [text] == regular link
+	default:
+		t = linkNormal
+	}
+
+	data = data[offset:]
+
+	var (
+		i                       = 1
+		noteID                  int
+		title, link, altContent []byte
+		textHasNl               = false
+	)
+
+	if t == linkDeferredFootnote {
+		i++
+	}
+
+	// look for the matching closing bracket
+	for level := 1; level > 0 && i < len(data); i++ {
+		switch {
+		case data[i] == '\n':
+			textHasNl = true
+
+		case isBackslashEscaped(data, i):
+			continue
+
+		case data[i] == '[':
+			level++
+
+		case data[i] == ']':
+			level--
+			if level <= 0 {
+				i-- // compensate for extra i++ in for loop
+			}
+		}
+	}
+
+	if i >= len(data) {
+		return 0, nil
+	}
+
+	txtE := i
+	i++
+	var footnoteNode *Node
+
+	// skip any amount of whitespace or newline
+	// (this is much more lax than original markdown syntax)
+	for i < len(data) && isspace(data[i]) {
+		i++
+	}
+
+	// inline style link
+	switch {
+	case i < len(data) && data[i] == '(':
+		// skip initial whitespace
+		i++
+
+		for i < len(data) && isspace(data[i]) {
+			i++
+		}
+
+		linkB := i
+
+		// look for link end: ' " )
+	findlinkend:
+		for i < len(data) {
+			switch {
+			case data[i] == '\\':
+				i += 2
+
+			case data[i] == ')' || data[i] == '\'' || data[i] == '"':
+				break findlinkend
+
+			default:
+				i++
+			}
+		}
+
+		if i >= len(data) {
+			return 0, nil
+		}
+		linkE := i
+
+		// look for title end if present
+		titleB, titleE := 0, 0
+		if data[i] == '\'' || data[i] == '"' {
+			i++
+			titleB = i
+
+		findtitleend:
+			for i < len(data) {
+				switch {
+				case data[i] == '\\':
+					i += 2
+
+				case data[i] == ')':
+					break findtitleend
+
+				default:
+					i++
+				}
+			}
+
+			if i >= len(data) {
+				return 0, nil
+			}
+
+			// skip whitespace after title
+			titleE = i - 1
+			for titleE > titleB && isspace(data[titleE]) {
+				titleE--
+			}
+
+			// check for closing quote presence
+			if data[titleE] != '\'' && data[titleE] != '"' {
+				titleB, titleE = 0, 0
+				linkE = i
+			}
+		}
+
+		// remove whitespace at the end of the link
+		for linkE > linkB && isspace(data[linkE-1]) {
+			linkE--
+		}
+
+		// remove optional angle brackets around the link
+		if data[linkB] == '<' {
+			linkB++
+		}
+		if data[linkE-1] == '>' {
+			linkE--
+		}
+
+		// build escaped link and title
+		if linkE > linkB {
+			link = data[linkB:linkE]
+		}
+
+		if titleE > titleB {
+			title = data[titleB:titleE]
+		}
+
+		i++
+
+	// reference style link
+	case isReferenceStyleLink(data, i, t):
+		var id []byte
+		altContentConsidered := false
+
+		// look for the id
+		i++
+		linkB := i
+		for i < len(data) && data[i] != ']' {
+			i++
+		}
+		if i >= len(data) {
+			return 0, nil
+		}
+		linkE := i
+
+		// find the reference
+		if linkB == linkE {
+			if textHasNl {
+				var b bytes.Buffer
+
+				for j := 1; j < txtE; j++ {
+					switch {
+					case data[j] != '\n':
+						b.WriteByte(data[j])
+					case data[j-1] != ' ':
+						b.WriteByte(' ')
+					}
+				}
+
+				id = b.Bytes()
+			} else {
+				id = data[1:txtE]
+				altContentConsidered = true
+			}
+		} else {
+			id = data[linkB:linkE]
+		}
+
+		// find the reference with matching id
+		lr, ok := p.getRef(string(id))
+		if !ok {
+			return 0, nil
+		}
+
+		// keep link and title from reference
+		link = lr.link
+		title = lr.title
+		if altContentConsidered {
+			altContent = lr.text
+		}
+		i++
+
+	// shortcut reference style link or reference or inline footnote
+	default:
+		var id []byte
+
+		// craft the id
+		if textHasNl {
+			var b bytes.Buffer
+
+			for j := 1; j < txtE; j++ {
+				switch {
+				case data[j] != '\n':
+					b.WriteByte(data[j])
+				case data[j-1] != ' ':
+					b.WriteByte(' ')
+				}
+			}
+
+			id = b.Bytes()
+		} else {
+			if t == linkDeferredFootnote {
+				id = data[2:txtE] // get rid of the ^
+			} else {
+				id = data[1:txtE]
+			}
+		}
+
+		footnoteNode = NewNode(Item)
+		if t == linkInlineFootnote {
+			// create a new reference
+			noteID = len(p.notes) + 1
+
+			var fragment []byte
+			if len(id) > 0 {
+				if len(id) < 16 {
+					fragment = make([]byte, len(id))
+				} else {
+					fragment = make([]byte, 16)
+				}
+				copy(fragment, slugify(id))
+			} else {
+				fragment = append([]byte("footnote-"), []byte(strconv.Itoa(noteID))...)
+			}
+
+			ref := &reference{
+				noteID:   noteID,
+				hasBlock: false,
+				link:     fragment,
+				title:    id,
+				footnote: footnoteNode,
+			}
+
+			p.notes = append(p.notes, ref)
+
+			link = ref.link
+			title = ref.title
+		} else {
+			// find the reference with matching id
+			lr, ok := p.getRef(string(id))
+			if !ok {
+				return 0, nil
+			}
+
+			if t == linkDeferredFootnote {
+				lr.noteID = len(p.notes) + 1
+				lr.footnote = footnoteNode
+				p.notes = append(p.notes, lr)
+			}
+
+			// keep link and title from reference
+			link = lr.link
+			// if inline footnote, title == footnote contents
+			title = lr.title
+			noteID = lr.noteID
+		}
+
+		// rewind the whitespace
+		i = txtE + 1
+	}
+
+	var uLink []byte
+	if t == linkNormal || t == linkImg {
+		if len(link) > 0 {
+			var uLinkBuf bytes.Buffer
+			unescapeText(&uLinkBuf, link)
+			uLink = uLinkBuf.Bytes()
+		}
+
+		// links need something to click on and somewhere to go
+		if len(uLink) == 0 || (t == linkNormal && txtE <= 1) {
+			return 0, nil
+		}
+	}
+
+	// call the relevant rendering function
+	var linkNode *Node
+	switch t {
+	case linkNormal:
+		linkNode = NewNode(Link)
+		linkNode.Destination = normalizeURI(uLink)
+		linkNode.Title = title
+		if len(altContent) > 0 {
+			linkNode.AppendChild(text(altContent))
+		} else {
+			// links cannot contain other links, so turn off link parsing
+			// temporarily and recurse
+			insideLink := p.insideLink
+			p.insideLink = true
+			p.inline(linkNode, data[1:txtE])
+			p.insideLink = insideLink
+		}
+
+	case linkImg:
+		linkNode = NewNode(Image)
+		linkNode.Destination = uLink
+		linkNode.Title = title
+		linkNode.AppendChild(text(data[1:txtE]))
+		i++
+
+	case linkInlineFootnote, linkDeferredFootnote:
+		linkNode = NewNode(Link)
+		linkNode.Destination = link
+		linkNode.Title = title
+		linkNode.NoteID = noteID
+		linkNode.Footnote = footnoteNode
+		if t == linkInlineFootnote {
+			i++
+		}
+
+	default:
+		return 0, nil
+	}
+
+	return i, linkNode
+}
+
+func (p *Markdown) inlineHTMLComment(data []byte) int {
+	if len(data) < 5 {
+		return 0
+	}
+	if data[0] != '<' || data[1] != '!' || data[2] != '-' || data[3] != '-' {
+		return 0
+	}
+	i := 5
+	// scan for an end-of-comment marker, across lines if necessary
+	for i < len(data) && !(data[i-2] == '-' && data[i-1] == '-' && data[i] == '>') {
+		i++
+	}
+	// no end-of-comment marker
+	if i >= len(data) {
+		return 0
+	}
+	return i + 1
+}
+
+func stripMailto(link []byte) []byte {
+	if bytes.HasPrefix(link, []byte("mailto://")) {
+		return link[9:]
+	} else if bytes.HasPrefix(link, []byte("mailto:")) {
+		return link[7:]
+	} else {
+		return link
+	}
+}
+
+// autolinkType specifies a kind of autolink that gets detected.
+type autolinkType int
+
+// These are the possible flag values for the autolink renderer.
+const (
+	notAutolink autolinkType = iota
+	normalAutolink
+	emailAutolink
+)
+
+// '<' when tags or autolinks are allowed
+func leftAngle(p *Markdown, data []byte, offset int) (int, *Node) {
+	data = data[offset:]
+	altype, end := tagLength(data)
+	if size := p.inlineHTMLComment(data); size > 0 {
+		end = size
+	}
+	if end > 2 {
+		if altype != notAutolink {
+			var uLink bytes.Buffer
+			unescapeText(&uLink, data[1:end+1-2])
+			if uLink.Len() > 0 {
+				link := uLink.Bytes()
+				node := NewNode(Link)
+				node.Destination = link
+				if altype == emailAutolink {
+					node.Destination = append([]byte("mailto:"), link...)
+				}
+				node.AppendChild(text(stripMailto(link)))
+				return end, node
+			}
+		} else {
+			htmlTag := NewNode(HTMLSpan)
+			htmlTag.Literal = data[:end]
+			return end, htmlTag
+		}
+	}
+
+	return end, nil
+}
+
+// '\\' backslash escape
+var escapeChars = []byte("\\`*_{}[]()#+-.!:|&<>~")
+
+func escape(p *Markdown, data []byte, offset int) (int, *Node) {
+	data = data[offset:]
+
+	if len(data) > 1 {
+		if p.extensions&BackslashLineBreak != 0 && data[1] == '\n' {
+			return 2, NewNode(Hardbreak)
+		}
+		if bytes.IndexByte(escapeChars, data[1]) < 0 {
+			return 0, nil
+		}
+
+		return 2, text(data[1:2])
+	}
+
+	return 2, nil
+}
+
+func unescapeText(ob *bytes.Buffer, src []byte) {
+	i := 0
+	for i < len(src) {
+		org := i
+		for i < len(src) && src[i] != '\\' {
+			i++
+		}
+
+		if i > org {
+			ob.Write(src[org:i])
+		}
+
+		if i+1 >= len(src) {
+			break
+		}
+
+		ob.WriteByte(src[i+1])
+		i += 2
+	}
+}
+
+// '&' escaped when it doesn't belong to an entity
+// valid entities are assumed to be anything matching &#?[A-Za-z0-9]+;
+func entity(p *Markdown, data []byte, offset int) (int, *Node) {
+	data = data[offset:]
+
+	end := 1
+
+	if end < len(data) && data[end] == '#' {
+		end++
+	}
+
+	for end < len(data) && isalnum(data[end]) {
+		end++
+	}
+
+	if end < len(data) && data[end] == ';' {
+		end++ // real entity
+	} else {
+		return 0, nil // lone '&'
+	}
+
+	ent := data[:end]
+	// undo &amp; escaping or it will be converted to &amp;amp; by another
+	// escaper in the renderer
+	if bytes.Equal(ent, []byte("&amp;")) {
+		ent = []byte{'&'}
+	}
+
+	return end, text(ent)
+}
+
+func linkEndsWithEntity(data []byte, linkEnd int) bool {
+	entityRanges := htmlEntityRe.FindAllIndex(data[:linkEnd], -1)
+	return entityRanges != nil && entityRanges[len(entityRanges)-1][1] == linkEnd
+}
+
+// hasPrefixCaseInsensitive is a custom implementation of
+//     strings.HasPrefix(strings.ToLower(s), prefix)
+// we rolled our own because ToLower pulls in a huge machinery of lowercasing
+// anything from Unicode and that's very slow. Since this func will only be
+// used on ASCII protocol prefixes, we can take shortcuts.
+func hasPrefixCaseInsensitive(s, prefix []byte) bool {
+	if len(s) < len(prefix) {
+		return false
+	}
+	delta := byte('a' - 'A')
+	for i, b := range prefix {
+		if b != s[i] && b != s[i]+delta {
+			return false
+		}
+	}
+	return true
+}
+
+var protocolPrefixes = [][]byte{
+	[]byte("http://"),
+	[]byte("https://"),
+	[]byte("ftp://"),
+	[]byte("file://"),
+	[]byte("mailto:"),
+}
+
+const shortestPrefix = 6 // len("ftp://"), the shortest of the above
+
+func maybeAutoLink(p *Markdown, data []byte, offset int) (int, *Node) {
+	// quick check to rule out most false hits
+	if p.insideLink || len(data) < offset+shortestPrefix {
+		return 0, nil
+	}
+	for _, prefix := range protocolPrefixes {
+		endOfHead := offset + 8 // 8 is the len() of the longest prefix
+		if endOfHead > len(data) {
+			endOfHead = len(data)
+		}
+		if hasPrefixCaseInsensitive(data[offset:endOfHead], prefix) {
+			return autoLink(p, data, offset)
+		}
+	}
+	return 0, nil
+}
+
+func autoLink(p *Markdown, data []byte, offset int) (int, *Node) {
+	// Now a more expensive check to see if we're not inside an anchor element
+	anchorStart := offset
+	offsetFromAnchor := 0
+	for anchorStart > 0 && data[anchorStart] != '<' {
+		anchorStart--
+		offsetFromAnchor++
+	}
+
+	anchorStr := anchorRe.Find(data[anchorStart:])
+	if anchorStr != nil {
+		anchorClose := NewNode(HTMLSpan)
+		anchorClose.Literal = anchorStr[offsetFromAnchor:]
+		return len(anchorStr) - offsetFromAnchor, anchorClose
+	}
+
+	// scan backward for a word boundary
+	rewind := 0
+	for offset-rewind > 0 && rewind <= 7 && isletter(data[offset-rewind-1]) {
+		rewind++
+	}
+	if rewind > 6 { // longest supported protocol is "mailto" which has 6 letters
+		return 0, nil
+	}
+
+	origData := data
+	data = data[offset-rewind:]
+
+	if !isSafeLink(data) {
+		return 0, nil
+	}
+
+	linkEnd := 0
+	for linkEnd < len(data) && !isEndOfLink(data[linkEnd]) {
+		linkEnd++
+	}
+
+	// Skip punctuation at the end of the link
+	if (data[linkEnd-1] == '.' || data[linkEnd-1] == ',') && data[linkEnd-2] != '\\' {
+		linkEnd--
+	}
+
+	// But don't skip semicolon if it's a part of escaped entity:
+	if data[linkEnd-1] == ';' && data[linkEnd-2] != '\\' && !linkEndsWithEntity(data, linkEnd) {
+		linkEnd--
+	}
+
+	// See if the link finishes with a punctuation sign that can be closed.
+	var copen byte
+	switch data[linkEnd-1] {
+	case '"':
+		copen = '"'
+	case '\'':
+		copen = '\''
+	case ')':
+		copen = '('
+	case ']':
+		copen = '['
+	case '}':
+		copen = '{'
+	default:
+		copen = 0
+	}
+
+	if copen != 0 {
+		bufEnd := offset - rewind + linkEnd - 2
+
+		openDelim := 1
+
+		/* Try to close the final punctuation sign in this same line;
+		 * if we managed to close it outside of the URL, that means that it's
+		 * not part of the URL. If it closes inside the URL, that means it
+		 * is part of the URL.
+		 *
+		 * Examples:
+		 *
+		 *      foo http://www.pokemon.com/Pikachu_(Electric) bar
+		 *              => http://www.pokemon.com/Pikachu_(Electric)
+		 *
+		 *      foo (http://www.pokemon.com/Pikachu_(Electric)) bar
+		 *              => http://www.pokemon.com/Pikachu_(Electric)
+		 *
+		 *      foo http://www.pokemon.com/Pikachu_(Electric)) bar
+		 *              => http://www.pokemon.com/Pikachu_(Electric))
+		 *
+		 *      (foo http://www.pokemon.com/Pikachu_(Electric)) bar
+		 *              => foo http://www.pokemon.com/Pikachu_(Electric)
+		 */
+
+		for bufEnd >= 0 && origData[bufEnd] != '\n' && openDelim != 0 {
+			if origData[bufEnd] == data[linkEnd-1] {
+				openDelim++
+			}
+
+			if origData[bufEnd] == copen {
+				openDelim--
+			}
+
+			bufEnd--
+		}
+
+		if openDelim == 0 {
+			linkEnd--
+		}
+	}
+
+	var uLink bytes.Buffer
+	unescapeText(&uLink, data[:linkEnd])
+
+	if uLink.Len() > 0 {
+		node := NewNode(Link)
+		node.Destination = uLink.Bytes()
+		node.AppendChild(text(uLink.Bytes()))
+		return linkEnd, node
+	}
+
+	return linkEnd, nil
+}
+
+func isEndOfLink(char byte) bool {
+	return isspace(char) || char == '<'
+}
+
+var validUris = [][]byte{[]byte("http://"), []byte("https://"), []byte("ftp://"), []byte("mailto://")}
+var validPaths = [][]byte{[]byte("/"), []byte("./"), []byte("../")}
+
+func isSafeLink(link []byte) bool {
+	for _, path := range validPaths {
+		if len(link) >= len(path) && bytes.Equal(link[:len(path)], path) {
+			if len(link) == len(path) {
+				return true
+			} else if isalnum(link[len(path)]) {
+				return true
+			}
+		}
+	}
+
+	for _, prefix := range validUris {
+		// TODO: handle unicode here
+		// case-insensitive prefix test
+		if len(link) > len(prefix) && bytes.Equal(bytes.ToLower(link[:len(prefix)]), prefix) && isalnum(link[len(prefix)]) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// return the length of the given tag, or 0 is it's not valid
+func tagLength(data []byte) (autolink autolinkType, end int) {
+	var i, j int
+
+	// a valid tag can't be shorter than 3 chars
+	if len(data) < 3 {
+		return notAutolink, 0
+	}
+
+	// begins with a '<' optionally followed by '/', followed by letter or number
+	if data[0] != '<' {
+		return notAutolink, 0
+	}
+	if data[1] == '/' {
+		i = 2
+	} else {
+		i = 1
+	}
+
+	if !isalnum(data[i]) {
+		return notAutolink, 0
+	}
+
+	// scheme test
+	autolink = notAutolink
+
+	// try to find the beginning of an URI
+	for i < len(data) && (isalnum(data[i]) || data[i] == '.' || data[i] == '+' || data[i] == '-') {
+		i++
+	}
+
+	if i > 1 && i < len(data) && data[i] == '@' {
+		if j = isMailtoAutoLink(data[i:]); j != 0 {
+			return emailAutolink, i + j
+		}
+	}
+
+	if i > 2 && i < len(data) && data[i] == ':' {
+		autolink = normalAutolink
+		i++
+	}
+
+	// complete autolink test: no whitespace or ' or "
+	switch {
+	case i >= len(data):
+		autolink = notAutolink
+	case autolink != notAutolink:
+		j = i
+
+		for i < len(data) {
+			if data[i] == '\\' {
+				i += 2
+			} else if data[i] == '>' || data[i] == '\'' || data[i] == '"' || isspace(data[i]) {
+				break
+			} else {
+				i++
+			}
+
+		}
+
+		if i >= len(data) {
+			return autolink, 0
+		}
+		if i > j && data[i] == '>' {
+			return autolink, i + 1
+		}
+
+		// one of the forbidden chars has been found
+		autolink = notAutolink
+	}
+	i += bytes.IndexByte(data[i:], '>')
+	if i < 0 {
+		return autolink, 0
+	}
+	return autolink, i + 1
+}
+
+// look for the address part of a mail autolink and '>'
+// this is less strict than the original markdown e-mail address matching
+func isMailtoAutoLink(data []byte) int {
+	nb := 0
+
+	// address is assumed to be: [-@._a-zA-Z0-9]+ with exactly one '@'
+	for i := 0; i < len(data); i++ {
+		if isalnum(data[i]) {
+			continue
+		}
+
+		switch data[i] {
+		case '@':
+			nb++
+
+		case '-', '.', '_':
+			break
+
+		case '>':
+			if nb == 1 {
+				return i + 1
+			}
+			return 0
+		default:
+			return 0
+		}
+	}
+
+	return 0
+}
+
+// look for the next emph char, skipping other constructs
+func helperFindEmphChar(data []byte, c byte) int {
+	i := 0
+
+	for i < len(data) {
+		for i < len(data) && data[i] != c && data[i] != '`' && data[i] != '[' {
+			i++
+		}
+		if i >= len(data) {
+			return 0
+		}
+		// do not count escaped chars
+		if i != 0 && data[i-1] == '\\' {
+			i++
+			continue
+		}
+		if data[i] == c {
+			return i
+		}
+
+		if data[i] == '`' {
+			// skip a code span
+			tmpI := 0
+			i++
+			for i < len(data) && data[i] != '`' {
+				if tmpI == 0 && data[i] == c {
+					tmpI = i
+				}
+				i++
+			}
+			if i >= len(data) {
+				return tmpI
+			}
+			i++
+		} else if data[i] == '[' {
+			// skip a link
+			tmpI := 0
+			i++
+			for i < len(data) && data[i] != ']' {
+				if tmpI == 0 && data[i] == c {
+					tmpI = i
+				}
+				i++
+			}
+			i++
+			for i < len(data) && (data[i] == ' ' || data[i] == '\n') {
+				i++
+			}
+			if i >= len(data) {
+				return tmpI
+			}
+			if data[i] != '[' && data[i] != '(' { // not a link
+				if tmpI > 0 {
+					return tmpI
+				}
+				continue
+			}
+			cc := data[i]
+			i++
+			for i < len(data) && data[i] != cc {
+				if tmpI == 0 && data[i] == c {
+					return i
+				}
+				i++
+			}
+			if i >= len(data) {
+				return tmpI
+			}
+			i++
+		}
+	}
+	return 0
+}
+
+func helperEmphasis(p *Markdown, data []byte, c byte) (int, *Node) {
+	i := 0
+
+	// skip one symbol if coming from emph3
+	if len(data) > 1 && data[0] == c && data[1] == c {
+		i = 1
+	}
+
+	for i < len(data) {
+		length := helperFindEmphChar(data[i:], c)
+		if length == 0 {
+			return 0, nil
+		}
+		i += length
+		if i >= len(data) {
+			return 0, nil
+		}
+
+		if i+1 < len(data) && data[i+1] == c {
+			i++
+			continue
+		}
+
+		if data[i] == c && !isspace(data[i-1]) {
+
+			if p.extensions&NoIntraEmphasis != 0 {
+				if !(i+1 == len(data) || isspace(data[i+1]) || ispunct(data[i+1])) {
+					continue
+				}
+			}
+
+			emph := NewNode(Emph)
+			p.inline(emph, data[:i])
+			return i + 1, emph
+		}
+	}
+
+	return 0, nil
+}
+
+func helperDoubleEmphasis(p *Markdown, data []byte, c byte) (int, *Node) {
+	i := 0
+
+	for i < len(data) {
+		length := helperFindEmphChar(data[i:], c)
+		if length == 0 {
+			return 0, nil
+		}
+		i += length
+
+		if i+1 < len(data) && data[i] == c && data[i+1] == c && i > 0 && !isspace(data[i-1]) {
+			nodeType := Strong
+			if c == '~' {
+				nodeType = Del
+			}
+			node := NewNode(nodeType)
+			p.inline(node, data[:i])
+			return i + 2, node
+		}
+		i++
+	}
+	return 0, nil
+}
+
+func helperTripleEmphasis(p *Markdown, data []byte, offset int, c byte) (int, *Node) {
+	i := 0
+	origData := data
+	data = data[offset:]
+
+	for i < len(data) {
+		length := helperFindEmphChar(data[i:], c)
+		if length == 0 {
+			return 0, nil
+		}
+		i += length
+
+		// skip whitespace preceded symbols
+		if data[i] != c || isspace(data[i-1]) {
+			continue
+		}
+
+		switch {
+		case i+2 < len(data) && data[i+1] == c && data[i+2] == c:
+			// triple symbol found
+			strong := NewNode(Strong)
+			em := NewNode(Emph)
+			strong.AppendChild(em)
+			p.inline(em, data[:i])
+			return i + 3, strong
+		case (i+1 < len(data) && data[i+1] == c):
+			// double symbol found, hand over to emph1
+			length, node := helperEmphasis(p, origData[offset-2:], c)
+			if length == 0 {
+				return 0, nil
+			}
+			return length - 2, node
+		default:
+			// single symbol found, hand over to emph2
+			length, node := helperDoubleEmphasis(p, origData[offset-1:], c)
+			if length == 0 {
+				return 0, nil
+			}
+			return length - 1, node
+		}
+	}
+	return 0, nil
+}
+
+func text(s []byte) *Node {
+	node := NewNode(Text)
+	node.Literal = s
+	return node
+}
+
+func normalizeURI(s []byte) []byte {
+	return s // TODO: implement
+}
diff --git a/vendor/github.com/russross/blackfriday/v2/markdown.go b/vendor/github.com/russross/blackfriday/v2/markdown.go
new file mode 100644
index 0000000000..58d2e4538c
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/markdown.go
@@ -0,0 +1,950 @@
+// Blackfriday Markdown Processor
+// Available at http://github.com/russross/blackfriday
+//
+// Copyright © 2011 Russ Ross <russ@russross.com>.
+// Distributed under the Simplified BSD License.
+// See README.md for details.
+
+package blackfriday
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"strings"
+	"unicode/utf8"
+)
+
+//
+// Markdown parsing and processing
+//
+
+// Version string of the package. Appears in the rendered document when
+// CompletePage flag is on.
+const Version = "2.0"
+
+// Extensions is a bitwise or'ed collection of enabled Blackfriday's
+// extensions.
+type Extensions int
+
+// These are the supported markdown parsing extensions.
+// OR these values together to select multiple extensions.
+const (
+	NoExtensions           Extensions = 0
+	NoIntraEmphasis        Extensions = 1 << iota // Ignore emphasis markers inside words
+	Tables                                        // Render tables
+	FencedCode                                    // Render fenced code blocks
+	Autolink                                      // Detect embedded URLs that are not explicitly marked
+	Strikethrough                                 // Strikethrough text using ~~test~~
+	LaxHTMLBlocks                                 // Loosen up HTML block parsing rules
+	SpaceHeadings                                 // Be strict about prefix heading rules
+	HardLineBreak                                 // Translate newlines into line breaks
+	TabSizeEight                                  // Expand tabs to eight spaces instead of four
+	Footnotes                                     // Pandoc-style footnotes
+	NoEmptyLineBeforeBlock                        // No need to insert an empty line to start a (code, quote, ordered list, unordered list) block
+	HeadingIDs                                    // specify heading IDs  with {#id}
+	Titleblock                                    // Titleblock ala pandoc
+	AutoHeadingIDs                                // Create the heading ID from the text
+	BackslashLineBreak                            // Translate trailing backslashes into line breaks
+	DefinitionLists                               // Render definition lists
+
+	CommonHTMLFlags HTMLFlags = UseXHTML | Smartypants |
+		SmartypantsFractions | SmartypantsDashes | SmartypantsLatexDashes
+
+	CommonExtensions Extensions = NoIntraEmphasis | Tables | FencedCode |
+		Autolink | Strikethrough | SpaceHeadings | HeadingIDs |
+		BackslashLineBreak | DefinitionLists
+)
+
+// ListType contains bitwise or'ed flags for list and list item objects.
+type ListType int
+
+// These are the possible flag values for the ListItem renderer.
+// Multiple flag values may be ORed together.
+// These are mostly of interest if you are writing a new output format.
+const (
+	ListTypeOrdered ListType = 1 << iota
+	ListTypeDefinition
+	ListTypeTerm
+
+	ListItemContainsBlock
+	ListItemBeginningOfList // TODO: figure out if this is of any use now
+	ListItemEndOfList
+)
+
+// CellAlignFlags holds a type of alignment in a table cell.
+type CellAlignFlags int
+
+// These are the possible flag values for the table cell renderer.
+// Only a single one of these values will be used; they are not ORed together.
+// These are mostly of interest if you are writing a new output format.
+const (
+	TableAlignmentLeft CellAlignFlags = 1 << iota
+	TableAlignmentRight
+	TableAlignmentCenter = (TableAlignmentLeft | TableAlignmentRight)
+)
+
+// The size of a tab stop.
+const (
+	TabSizeDefault = 4
+	TabSizeDouble  = 8
+)
+
+// blockTags is a set of tags that are recognized as HTML block tags.
+// Any of these can be included in markdown text without special escaping.
+var blockTags = map[string]struct{}{
+	"blockquote": {},
+	"del":        {},
+	"div":        {},
+	"dl":         {},
+	"fieldset":   {},
+	"form":       {},
+	"h1":         {},
+	"h2":         {},
+	"h3":         {},
+	"h4":         {},
+	"h5":         {},
+	"h6":         {},
+	"iframe":     {},
+	"ins":        {},
+	"math":       {},
+	"noscript":   {},
+	"ol":         {},
+	"pre":        {},
+	"p":          {},
+	"script":     {},
+	"style":      {},
+	"table":      {},
+	"ul":         {},
+
+	// HTML5
+	"address":    {},
+	"article":    {},
+	"aside":      {},
+	"canvas":     {},
+	"figcaption": {},
+	"figure":     {},
+	"footer":     {},
+	"header":     {},
+	"hgroup":     {},
+	"main":       {},
+	"nav":        {},
+	"output":     {},
+	"progress":   {},
+	"section":    {},
+	"video":      {},
+}
+
+// Renderer is the rendering interface. This is mostly of interest if you are
+// implementing a new rendering format.
+//
+// Only an HTML implementation is provided in this repository, see the README
+// for external implementations.
+type Renderer interface {
+	// RenderNode is the main rendering method. It will be called once for
+	// every leaf node and twice for every non-leaf node (first with
+	// entering=true, then with entering=false). The method should write its
+	// rendition of the node to the supplied writer w.
+	RenderNode(w io.Writer, node *Node, entering bool) WalkStatus
+
+	// RenderHeader is a method that allows the renderer to produce some
+	// content preceding the main body of the output document. The header is
+	// understood in the broad sense here. For example, the default HTML
+	// renderer will write not only the HTML document preamble, but also the
+	// table of contents if it was requested.
+	//
+	// The method will be passed an entire document tree, in case a particular
+	// implementation needs to inspect it to produce output.
+	//
+	// The output should be written to the supplied writer w. If your
+	// implementation has no header to write, supply an empty implementation.
+	RenderHeader(w io.Writer, ast *Node)
+
+	// RenderFooter is a symmetric counterpart of RenderHeader.
+	RenderFooter(w io.Writer, ast *Node)
+}
+
+// Callback functions for inline parsing. One such function is defined
+// for each character that triggers a response when parsing inline data.
+type inlineParser func(p *Markdown, data []byte, offset int) (int, *Node)
+
+// Markdown is a type that holds extensions and the runtime state used by
+// Parse, and the renderer. You can not use it directly, construct it with New.
+type Markdown struct {
+	renderer          Renderer
+	referenceOverride ReferenceOverrideFunc
+	refs              map[string]*reference
+	inlineCallback    [256]inlineParser
+	extensions        Extensions
+	nesting           int
+	maxNesting        int
+	insideLink        bool
+
+	// Footnotes need to be ordered as well as available to quickly check for
+	// presence. If a ref is also a footnote, it's stored both in refs and here
+	// in notes. Slice is nil if footnotes not enabled.
+	notes []*reference
+
+	doc                  *Node
+	tip                  *Node // = doc
+	oldTip               *Node
+	lastMatchedContainer *Node // = doc
+	allClosed            bool
+}
+
+func (p *Markdown) getRef(refid string) (ref *reference, found bool) {
+	if p.referenceOverride != nil {
+		r, overridden := p.referenceOverride(refid)
+		if overridden {
+			if r == nil {
+				return nil, false
+			}
+			return &reference{
+				link:     []byte(r.Link),
+				title:    []byte(r.Title),
+				noteID:   0,
+				hasBlock: false,
+				text:     []byte(r.Text)}, true
+		}
+	}
+	// refs are case insensitive
+	ref, found = p.refs[strings.ToLower(refid)]
+	return ref, found
+}
+
+func (p *Markdown) finalize(block *Node) {
+	above := block.Parent
+	block.open = false
+	p.tip = above
+}
+
+func (p *Markdown) addChild(node NodeType, offset uint32) *Node {
+	return p.addExistingChild(NewNode(node), offset)
+}
+
+func (p *Markdown) addExistingChild(node *Node, offset uint32) *Node {
+	for !p.tip.canContain(node.Type) {
+		p.finalize(p.tip)
+	}
+	p.tip.AppendChild(node)
+	p.tip = node
+	return node
+}
+
+func (p *Markdown) closeUnmatchedBlocks() {
+	if !p.allClosed {
+		for p.oldTip != p.lastMatchedContainer {
+			parent := p.oldTip.Parent
+			p.finalize(p.oldTip)
+			p.oldTip = parent
+		}
+		p.allClosed = true
+	}
+}
+
+//
+//
+// Public interface
+//
+//
+
+// Reference represents the details of a link.
+// See the documentation in Options for more details on use-case.
+type Reference struct {
+	// Link is usually the URL the reference points to.
+	Link string
+	// Title is the alternate text describing the link in more detail.
+	Title string
+	// Text is the optional text to override the ref with if the syntax used was
+	// [refid][]
+	Text string
+}
+
+// ReferenceOverrideFunc is expected to be called with a reference string and
+// return either a valid Reference type that the reference string maps to or
+// nil. If overridden is false, the default reference logic will be executed.
+// See the documentation in Options for more details on use-case.
+type ReferenceOverrideFunc func(reference string) (ref *Reference, overridden bool)
+
+// New constructs a Markdown processor. You can use the same With* functions as
+// for Run() to customize parser's behavior and the renderer.
+func New(opts ...Option) *Markdown {
+	var p Markdown
+	for _, opt := range opts {
+		opt(&p)
+	}
+	p.refs = make(map[string]*reference)
+	p.maxNesting = 16
+	p.insideLink = false
+	docNode := NewNode(Document)
+	p.doc = docNode
+	p.tip = docNode
+	p.oldTip = docNode
+	p.lastMatchedContainer = docNode
+	p.allClosed = true
+	// register inline parsers
+	p.inlineCallback[' '] = maybeLineBreak
+	p.inlineCallback['*'] = emphasis
+	p.inlineCallback['_'] = emphasis
+	if p.extensions&Strikethrough != 0 {
+		p.inlineCallback['~'] = emphasis
+	}
+	p.inlineCallback['`'] = codeSpan
+	p.inlineCallback['\n'] = lineBreak
+	p.inlineCallback['['] = link
+	p.inlineCallback['<'] = leftAngle
+	p.inlineCallback['\\'] = escape
+	p.inlineCallback['&'] = entity
+	p.inlineCallback['!'] = maybeImage
+	p.inlineCallback['^'] = maybeInlineFootnote
+	if p.extensions&Autolink != 0 {
+		p.inlineCallback['h'] = maybeAutoLink
+		p.inlineCallback['m'] = maybeAutoLink
+		p.inlineCallback['f'] = maybeAutoLink
+		p.inlineCallback['H'] = maybeAutoLink
+		p.inlineCallback['M'] = maybeAutoLink
+		p.inlineCallback['F'] = maybeAutoLink
+	}
+	if p.extensions&Footnotes != 0 {
+		p.notes = make([]*reference, 0)
+	}
+	return &p
+}
+
+// Option customizes the Markdown processor's default behavior.
+type Option func(*Markdown)
+
+// WithRenderer allows you to override the default renderer.
+func WithRenderer(r Renderer) Option {
+	return func(p *Markdown) {
+		p.renderer = r
+	}
+}
+
+// WithExtensions allows you to pick some of the many extensions provided by
+// Blackfriday. You can bitwise OR them.
+func WithExtensions(e Extensions) Option {
+	return func(p *Markdown) {
+		p.extensions = e
+	}
+}
+
+// WithNoExtensions turns off all extensions and custom behavior.
+func WithNoExtensions() Option {
+	return func(p *Markdown) {
+		p.extensions = NoExtensions
+		p.renderer = NewHTMLRenderer(HTMLRendererParameters{
+			Flags: HTMLFlagsNone,
+		})
+	}
+}
+
+// WithRefOverride sets an optional function callback that is called every
+// time a reference is resolved.
+//
+// In Markdown, the link reference syntax can be made to resolve a link to
+// a reference instead of an inline URL, in one of the following ways:
+//
+//  * [link text][refid]
+//  * [refid][]
+//
+// Usually, the refid is defined at the bottom of the Markdown document. If
+// this override function is provided, the refid is passed to the override
+// function first, before consulting the defined refids at the bottom. If
+// the override function indicates an override did not occur, the refids at
+// the bottom will be used to fill in the link details.
+func WithRefOverride(o ReferenceOverrideFunc) Option {
+	return func(p *Markdown) {
+		p.referenceOverride = o
+	}
+}
+
+// Run is the main entry point to Blackfriday. It parses and renders a
+// block of markdown-encoded text.
+//
+// The simplest invocation of Run takes one argument, input:
+//     output := Run(input)
+// This will parse the input with CommonExtensions enabled and render it with
+// the default HTMLRenderer (with CommonHTMLFlags).
+//
+// Variadic arguments opts can customize the default behavior. Since Markdown
+// type does not contain exported fields, you can not use it directly. Instead,
+// use the With* functions. For example, this will call the most basic
+// functionality, with no extensions:
+//     output := Run(input, WithNoExtensions())
+//
+// You can use any number of With* arguments, even contradicting ones. They
+// will be applied in order of appearance and the latter will override the
+// former:
+//     output := Run(input, WithNoExtensions(), WithExtensions(exts),
+//         WithRenderer(yourRenderer))
+func Run(input []byte, opts ...Option) []byte {
+	r := NewHTMLRenderer(HTMLRendererParameters{
+		Flags: CommonHTMLFlags,
+	})
+	optList := []Option{WithRenderer(r), WithExtensions(CommonExtensions)}
+	optList = append(optList, opts...)
+	parser := New(optList...)
+	ast := parser.Parse(input)
+	var buf bytes.Buffer
+	parser.renderer.RenderHeader(&buf, ast)
+	ast.Walk(func(node *Node, entering bool) WalkStatus {
+		return parser.renderer.RenderNode(&buf, node, entering)
+	})
+	parser.renderer.RenderFooter(&buf, ast)
+	return buf.Bytes()
+}
+
+// Parse is an entry point to the parsing part of Blackfriday. It takes an
+// input markdown document and produces a syntax tree for its contents. This
+// tree can then be rendered with a default or custom renderer, or
+// analyzed/transformed by the caller to whatever non-standard needs they have.
+// The return value is the root node of the syntax tree.
+func (p *Markdown) Parse(input []byte) *Node {
+	p.block(input)
+	// Walk the tree and finish up some of unfinished blocks
+	for p.tip != nil {
+		p.finalize(p.tip)
+	}
+	// Walk the tree again and process inline markdown in each block
+	p.doc.Walk(func(node *Node, entering bool) WalkStatus {
+		if node.Type == Paragraph || node.Type == Heading || node.Type == TableCell {
+			p.inline(node, node.content)
+			node.content = nil
+		}
+		return GoToNext
+	})
+	p.parseRefsToAST()
+	return p.doc
+}
+
+func (p *Markdown) parseRefsToAST() {
+	if p.extensions&Footnotes == 0 || len(p.notes) == 0 {
+		return
+	}
+	p.tip = p.doc
+	block := p.addBlock(List, nil)
+	block.IsFootnotesList = true
+	block.ListFlags = ListTypeOrdered
+	flags := ListItemBeginningOfList
+	// Note: this loop is intentionally explicit, not range-form. This is
+	// because the body of the loop will append nested footnotes to p.notes and
+	// we need to process those late additions. Range form would only walk over
+	// the fixed initial set.
+	for i := 0; i < len(p.notes); i++ {
+		ref := p.notes[i]
+		p.addExistingChild(ref.footnote, 0)
+		block := ref.footnote
+		block.ListFlags = flags | ListTypeOrdered
+		block.RefLink = ref.link
+		if ref.hasBlock {
+			flags |= ListItemContainsBlock
+			p.block(ref.title)
+		} else {
+			p.inline(block, ref.title)
+		}
+		flags &^= ListItemBeginningOfList | ListItemContainsBlock
+	}
+	above := block.Parent
+	finalizeList(block)
+	p.tip = above
+	block.Walk(func(node *Node, entering bool) WalkStatus {
+		if node.Type == Paragraph || node.Type == Heading {
+			p.inline(node, node.content)
+			node.content = nil
+		}
+		return GoToNext
+	})
+}
+
+//
+// Link references
+//
+// This section implements support for references that (usually) appear
+// as footnotes in a document, and can be referenced anywhere in the document.
+// The basic format is:
+//
+//    [1]: http://www.google.com/ "Google"
+//    [2]: http://www.github.com/ "Github"
+//
+// Anywhere in the document, the reference can be linked by referring to its
+// label, i.e., 1 and 2 in this example, as in:
+//
+//    This library is hosted on [Github][2], a git hosting site.
+//
+// Actual footnotes as specified in Pandoc and supported by some other Markdown
+// libraries such as php-markdown are also taken care of. They look like this:
+//
+//    This sentence needs a bit of further explanation.[^note]
+//
+//    [^note]: This is the explanation.
+//
+// Footnotes should be placed at the end of the document in an ordered list.
+// Finally, there are inline footnotes such as:
+//
+//    Inline footnotes^[Also supported.] provide a quick inline explanation,
+//    but are rendered at the bottom of the document.
+//
+
+// reference holds all information necessary for a reference-style links or
+// footnotes.
+//
+// Consider this markdown with reference-style links:
+//
+//     [link][ref]
+//
+//     [ref]: /url/ "tooltip title"
+//
+// It will be ultimately converted to this HTML:
+//
+//     <p><a href=\"/url/\" title=\"title\">link</a></p>
+//
+// And a reference structure will be populated as follows:
+//
+//     p.refs["ref"] = &reference{
+//         link: "/url/",
+//         title: "tooltip title",
+//     }
+//
+// Alternatively, reference can contain information about a footnote. Consider
+// this markdown:
+//
+//     Text needing a footnote.[^a]
+//
+//     [^a]: This is the note
+//
+// A reference structure will be populated as follows:
+//
+//     p.refs["a"] = &reference{
+//         link: "a",
+//         title: "This is the note",
+//         noteID: <some positive int>,
+//     }
+//
+// TODO: As you can see, it begs for splitting into two dedicated structures
+// for refs and for footnotes.
+type reference struct {
+	link     []byte
+	title    []byte
+	noteID   int // 0 if not a footnote ref
+	hasBlock bool
+	footnote *Node // a link to the Item node within a list of footnotes
+
+	text []byte // only gets populated by refOverride feature with Reference.Text
+}
+
+func (r *reference) String() string {
+	return fmt.Sprintf("{link: %q, title: %q, text: %q, noteID: %d, hasBlock: %v}",
+		r.link, r.title, r.text, r.noteID, r.hasBlock)
+}
+
+// Check whether or not data starts with a reference link.
+// If so, it is parsed and stored in the list of references
+// (in the render struct).
+// Returns the number of bytes to skip to move past it,
+// or zero if the first line is not a reference.
+func isReference(p *Markdown, data []byte, tabSize int) int {
+	// up to 3 optional leading spaces
+	if len(data) < 4 {
+		return 0
+	}
+	i := 0
+	for i < 3 && data[i] == ' ' {
+		i++
+	}
+
+	noteID := 0
+
+	// id part: anything but a newline between brackets
+	if data[i] != '[' {
+		return 0
+	}
+	i++
+	if p.extensions&Footnotes != 0 {
+		if i < len(data) && data[i] == '^' {
+			// we can set it to anything here because the proper noteIds will
+			// be assigned later during the second pass. It just has to be != 0
+			noteID = 1
+			i++
+		}
+	}
+	idOffset := i
+	for i < len(data) && data[i] != '\n' && data[i] != '\r' && data[i] != ']' {
+		i++
+	}
+	if i >= len(data) || data[i] != ']' {
+		return 0
+	}
+	idEnd := i
+	// footnotes can have empty ID, like this: [^], but a reference can not be
+	// empty like this: []. Break early if it's not a footnote and there's no ID
+	if noteID == 0 && idOffset == idEnd {
+		return 0
+	}
+	// spacer: colon (space | tab)* newline? (space | tab)*
+	i++
+	if i >= len(data) || data[i] != ':' {
+		return 0
+	}
+	i++
+	for i < len(data) && (data[i] == ' ' || data[i] == '\t') {
+		i++
+	}
+	if i < len(data) && (data[i] == '\n' || data[i] == '\r') {
+		i++
+		if i < len(data) && data[i] == '\n' && data[i-1] == '\r' {
+			i++
+		}
+	}
+	for i < len(data) && (data[i] == ' ' || data[i] == '\t') {
+		i++
+	}
+	if i >= len(data) {
+		return 0
+	}
+
+	var (
+		linkOffset, linkEnd   int
+		titleOffset, titleEnd int
+		lineEnd               int
+		raw                   []byte
+		hasBlock              bool
+	)
+
+	if p.extensions&Footnotes != 0 && noteID != 0 {
+		linkOffset, linkEnd, raw, hasBlock = scanFootnote(p, data, i, tabSize)
+		lineEnd = linkEnd
+	} else {
+		linkOffset, linkEnd, titleOffset, titleEnd, lineEnd = scanLinkRef(p, data, i)
+	}
+	if lineEnd == 0 {
+		return 0
+	}
+
+	// a valid ref has been found
+
+	ref := &reference{
+		noteID:   noteID,
+		hasBlock: hasBlock,
+	}
+
+	if noteID > 0 {
+		// reusing the link field for the id since footnotes don't have links
+		ref.link = data[idOffset:idEnd]
+		// if footnote, it's not really a title, it's the contained text
+		ref.title = raw
+	} else {
+		ref.link = data[linkOffset:linkEnd]
+		ref.title = data[titleOffset:titleEnd]
+	}
+
+	// id matches are case-insensitive
+	id := string(bytes.ToLower(data[idOffset:idEnd]))
+
+	p.refs[id] = ref
+
+	return lineEnd
+}
+
+func scanLinkRef(p *Markdown, data []byte, i int) (linkOffset, linkEnd, titleOffset, titleEnd, lineEnd int) {
+	// link: whitespace-free sequence, optionally between angle brackets
+	if data[i] == '<' {
+		i++
+	}
+	linkOffset = i
+	for i < len(data) && data[i] != ' ' && data[i] != '\t' && data[i] != '\n' && data[i] != '\r' {
+		i++
+	}
+	linkEnd = i
+	if data[linkOffset] == '<' && data[linkEnd-1] == '>' {
+		linkOffset++
+		linkEnd--
+	}
+
+	// optional spacer: (space | tab)* (newline | '\'' | '"' | '(' )
+	for i < len(data) && (data[i] == ' ' || data[i] == '\t') {
+		i++
+	}
+	if i < len(data) && data[i] != '\n' && data[i] != '\r' && data[i] != '\'' && data[i] != '"' && data[i] != '(' {
+		return
+	}
+
+	// compute end-of-line
+	if i >= len(data) || data[i] == '\r' || data[i] == '\n' {
+		lineEnd = i
+	}
+	if i+1 < len(data) && data[i] == '\r' && data[i+1] == '\n' {
+		lineEnd++
+	}
+
+	// optional (space|tab)* spacer after a newline
+	if lineEnd > 0 {
+		i = lineEnd + 1
+		for i < len(data) && (data[i] == ' ' || data[i] == '\t') {
+			i++
+		}
+	}
+
+	// optional title: any non-newline sequence enclosed in '"() alone on its line
+	if i+1 < len(data) && (data[i] == '\'' || data[i] == '"' || data[i] == '(') {
+		i++
+		titleOffset = i
+
+		// look for EOL
+		for i < len(data) && data[i] != '\n' && data[i] != '\r' {
+			i++
+		}
+		if i+1 < len(data) && data[i] == '\n' && data[i+1] == '\r' {
+			titleEnd = i + 1
+		} else {
+			titleEnd = i
+		}
+
+		// step back
+		i--
+		for i > titleOffset && (data[i] == ' ' || data[i] == '\t') {
+			i--
+		}
+		if i > titleOffset && (data[i] == '\'' || data[i] == '"' || data[i] == ')') {
+			lineEnd = titleEnd
+			titleEnd = i
+		}
+	}
+
+	return
+}
+
+// The first bit of this logic is the same as Parser.listItem, but the rest
+// is much simpler. This function simply finds the entire block and shifts it
+// over by one tab if it is indeed a block (just returns the line if it's not).
+// blockEnd is the end of the section in the input buffer, and contents is the
+// extracted text that was shifted over one tab. It will need to be rendered at
+// the end of the document.
+func scanFootnote(p *Markdown, data []byte, i, indentSize int) (blockStart, blockEnd int, contents []byte, hasBlock bool) {
+	if i == 0 || len(data) == 0 {
+		return
+	}
+
+	// skip leading whitespace on first line
+	for i < len(data) && data[i] == ' ' {
+		i++
+	}
+
+	blockStart = i
+
+	// find the end of the line
+	blockEnd = i
+	for i < len(data) && data[i-1] != '\n' {
+		i++
+	}
+
+	// get working buffer
+	var raw bytes.Buffer
+
+	// put the first line into the working buffer
+	raw.Write(data[blockEnd:i])
+	blockEnd = i
+
+	// process the following lines
+	containsBlankLine := false
+
+gatherLines:
+	for blockEnd < len(data) {
+		i++
+
+		// find the end of this line
+		for i < len(data) && data[i-1] != '\n' {
+			i++
+		}
+
+		// if it is an empty line, guess that it is part of this item
+		// and move on to the next line
+		if p.isEmpty(data[blockEnd:i]) > 0 {
+			containsBlankLine = true
+			blockEnd = i
+			continue
+		}
+
+		n := 0
+		if n = isIndented(data[blockEnd:i], indentSize); n == 0 {
+			// this is the end of the block.
+			// we don't want to include this last line in the index.
+			break gatherLines
+		}
+
+		// if there were blank lines before this one, insert a new one now
+		if containsBlankLine {
+			raw.WriteByte('\n')
+			containsBlankLine = false
+		}
+
+		// get rid of that first tab, write to buffer
+		raw.Write(data[blockEnd+n : i])
+		hasBlock = true
+
+		blockEnd = i
+	}
+
+	if data[blockEnd-1] != '\n' {
+		raw.WriteByte('\n')
+	}
+
+	contents = raw.Bytes()
+
+	return
+}
+
+//
+//
+// Miscellaneous helper functions
+//
+//
+
+// Test if a character is a punctuation symbol.
+// Taken from a private function in regexp in the stdlib.
+func ispunct(c byte) bool {
+	for _, r := range []byte("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~") {
+		if c == r {
+			return true
+		}
+	}
+	return false
+}
+
+// Test if a character is a whitespace character.
+func isspace(c byte) bool {
+	return ishorizontalspace(c) || isverticalspace(c)
+}
+
+// Test if a character is a horizontal whitespace character.
+func ishorizontalspace(c byte) bool {
+	return c == ' ' || c == '\t'
+}
+
+// Test if a character is a vertical character.
+func isverticalspace(c byte) bool {
+	return c == '\n' || c == '\r' || c == '\f' || c == '\v'
+}
+
+// Test if a character is letter.
+func isletter(c byte) bool {
+	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
+}
+
+// Test if a character is a letter or a digit.
+// TODO: check when this is looking for ASCII alnum and when it should use unicode
+func isalnum(c byte) bool {
+	return (c >= '0' && c <= '9') || isletter(c)
+}
+
+// Replace tab characters with spaces, aligning to the next TAB_SIZE column.
+// always ends output with a newline
+func expandTabs(out *bytes.Buffer, line []byte, tabSize int) {
+	// first, check for common cases: no tabs, or only tabs at beginning of line
+	i, prefix := 0, 0
+	slowcase := false
+	for i = 0; i < len(line); i++ {
+		if line[i] == '\t' {
+			if prefix == i {
+				prefix++
+			} else {
+				slowcase = true
+				break
+			}
+		}
+	}
+
+	// no need to decode runes if all tabs are at the beginning of the line
+	if !slowcase {
+		for i = 0; i < prefix*tabSize; i++ {
+			out.WriteByte(' ')
+		}
+		out.Write(line[prefix:])
+		return
+	}
+
+	// the slow case: we need to count runes to figure out how
+	// many spaces to insert for each tab
+	column := 0
+	i = 0
+	for i < len(line) {
+		start := i
+		for i < len(line) && line[i] != '\t' {
+			_, size := utf8.DecodeRune(line[i:])
+			i += size
+			column++
+		}
+
+		if i > start {
+			out.Write(line[start:i])
+		}
+
+		if i >= len(line) {
+			break
+		}
+
+		for {
+			out.WriteByte(' ')
+			column++
+			if column%tabSize == 0 {
+				break
+			}
+		}
+
+		i++
+	}
+}
+
+// Find if a line counts as indented or not.
+// Returns number of characters the indent is (0 = not indented).
+func isIndented(data []byte, indentSize int) int {
+	if len(data) == 0 {
+		return 0
+	}
+	if data[0] == '\t' {
+		return 1
+	}
+	if len(data) < indentSize {
+		return 0
+	}
+	for i := 0; i < indentSize; i++ {
+		if data[i] != ' ' {
+			return 0
+		}
+	}
+	return indentSize
+}
+
+// Create a url-safe slug for fragments
+func slugify(in []byte) []byte {
+	if len(in) == 0 {
+		return in
+	}
+	out := make([]byte, 0, len(in))
+	sym := false
+
+	for _, ch := range in {
+		if isalnum(ch) {
+			sym = false
+			out = append(out, ch)
+		} else if sym {
+			continue
+		} else {
+			out = append(out, '-')
+			sym = true
+		}
+	}
+	var a, b int
+	var ch byte
+	for a, ch = range out {
+		if ch != '-' {
+			break
+		}
+	}
+	for b = len(out) - 1; b > 0; b-- {
+		if out[b] != '-' {
+			break
+		}
+	}
+	return out[a : b+1]
+}
diff --git a/vendor/github.com/russross/blackfriday/v2/node.go b/vendor/github.com/russross/blackfriday/v2/node.go
new file mode 100644
index 0000000000..04e6050cee
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/node.go
@@ -0,0 +1,360 @@
+package blackfriday
+
+import (
+	"bytes"
+	"fmt"
+)
+
+// NodeType specifies a type of a single node of a syntax tree. Usually one
+// node (and its type) corresponds to a single markdown feature, e.g. emphasis
+// or code block.
+type NodeType int
+
+// Constants for identifying different types of nodes. See NodeType.
+const (
+	Document NodeType = iota
+	BlockQuote
+	List
+	Item
+	Paragraph
+	Heading
+	HorizontalRule
+	Emph
+	Strong
+	Del
+	Link
+	Image
+	Text
+	HTMLBlock
+	CodeBlock
+	Softbreak
+	Hardbreak
+	Code
+	HTMLSpan
+	Table
+	TableCell
+	TableHead
+	TableBody
+	TableRow
+)
+
+var nodeTypeNames = []string{
+	Document:       "Document",
+	BlockQuote:     "BlockQuote",
+	List:           "List",
+	Item:           "Item",
+	Paragraph:      "Paragraph",
+	Heading:        "Heading",
+	HorizontalRule: "HorizontalRule",
+	Emph:           "Emph",
+	Strong:         "Strong",
+	Del:            "Del",
+	Link:           "Link",
+	Image:          "Image",
+	Text:           "Text",
+	HTMLBlock:      "HTMLBlock",
+	CodeBlock:      "CodeBlock",
+	Softbreak:      "Softbreak",
+	Hardbreak:      "Hardbreak",
+	Code:           "Code",
+	HTMLSpan:       "HTMLSpan",
+	Table:          "Table",
+	TableCell:      "TableCell",
+	TableHead:      "TableHead",
+	TableBody:      "TableBody",
+	TableRow:       "TableRow",
+}
+
+func (t NodeType) String() string {
+	return nodeTypeNames[t]
+}
+
+// ListData contains fields relevant to a List and Item node type.
+type ListData struct {
+	ListFlags       ListType
+	Tight           bool   // Skip <p>s around list item data if true
+	BulletChar      byte   // '*', '+' or '-' in bullet lists
+	Delimiter       byte   // '.' or ')' after the number in ordered lists
+	RefLink         []byte // If not nil, turns this list item into a footnote item and triggers different rendering
+	IsFootnotesList bool   // This is a list of footnotes
+}
+
+// LinkData contains fields relevant to a Link node type.
+type LinkData struct {
+	Destination []byte // Destination is what goes into a href
+	Title       []byte // Title is the tooltip thing that goes in a title attribute
+	NoteID      int    // NoteID contains a serial number of a footnote, zero if it's not a footnote
+	Footnote    *Node  // If it's a footnote, this is a direct link to the footnote Node. Otherwise nil.
+}
+
+// CodeBlockData contains fields relevant to a CodeBlock node type.
+type CodeBlockData struct {
+	IsFenced    bool   // Specifies whether it's a fenced code block or an indented one
+	Info        []byte // This holds the info string
+	FenceChar   byte
+	FenceLength int
+	FenceOffset int
+}
+
+// TableCellData contains fields relevant to a TableCell node type.
+type TableCellData struct {
+	IsHeader bool           // This tells if it's under the header row
+	Align    CellAlignFlags // This holds the value for align attribute
+}
+
+// HeadingData contains fields relevant to a Heading node type.
+type HeadingData struct {
+	Level        int    // This holds the heading level number
+	HeadingID    string // This might hold heading ID, if present
+	IsTitleblock bool   // Specifies whether it's a title block
+}
+
+// Node is a single element in the abstract syntax tree of the parsed document.
+// It holds connections to the structurally neighboring nodes and, for certain
+// types of nodes, additional information that might be needed when rendering.
+type Node struct {
+	Type       NodeType // Determines the type of the node
+	Parent     *Node    // Points to the parent
+	FirstChild *Node    // Points to the first child, if any
+	LastChild  *Node    // Points to the last child, if any
+	Prev       *Node    // Previous sibling; nil if it's the first child
+	Next       *Node    // Next sibling; nil if it's the last child
+
+	Literal []byte // Text contents of the leaf nodes
+
+	HeadingData   // Populated if Type is Heading
+	ListData      // Populated if Type is List
+	CodeBlockData // Populated if Type is CodeBlock
+	LinkData      // Populated if Type is Link
+	TableCellData // Populated if Type is TableCell
+
+	content []byte // Markdown content of the block nodes
+	open    bool   // Specifies an open block node that has not been finished to process yet
+}
+
+// NewNode allocates a node of a specified type.
+func NewNode(typ NodeType) *Node {
+	return &Node{
+		Type: typ,
+		open: true,
+	}
+}
+
+func (n *Node) String() string {
+	ellipsis := ""
+	snippet := n.Literal
+	if len(snippet) > 16 {
+		snippet = snippet[:16]
+		ellipsis = "..."
+	}
+	return fmt.Sprintf("%s: '%s%s'", n.Type, snippet, ellipsis)
+}
+
+// Unlink removes node 'n' from the tree.
+// It panics if the node is nil.
+func (n *Node) Unlink() {
+	if n.Prev != nil {
+		n.Prev.Next = n.Next
+	} else if n.Parent != nil {
+		n.Parent.FirstChild = n.Next
+	}
+	if n.Next != nil {
+		n.Next.Prev = n.Prev
+	} else if n.Parent != nil {
+		n.Parent.LastChild = n.Prev
+	}
+	n.Parent = nil
+	n.Next = nil
+	n.Prev = nil
+}
+
+// AppendChild adds a node 'child' as a child of 'n'.
+// It panics if either node is nil.
+func (n *Node) AppendChild(child *Node) {
+	child.Unlink()
+	child.Parent = n
+	if n.LastChild != nil {
+		n.LastChild.Next = child
+		child.Prev = n.LastChild
+		n.LastChild = child
+	} else {
+		n.FirstChild = child
+		n.LastChild = child
+	}
+}
+
+// InsertBefore inserts 'sibling' immediately before 'n'.
+// It panics if either node is nil.
+func (n *Node) InsertBefore(sibling *Node) {
+	sibling.Unlink()
+	sibling.Prev = n.Prev
+	if sibling.Prev != nil {
+		sibling.Prev.Next = sibling
+	}
+	sibling.Next = n
+	n.Prev = sibling
+	sibling.Parent = n.Parent
+	if sibling.Prev == nil {
+		sibling.Parent.FirstChild = sibling
+	}
+}
+
+// IsContainer returns true if 'n' can contain children.
+func (n *Node) IsContainer() bool {
+	switch n.Type {
+	case Document:
+		fallthrough
+	case BlockQuote:
+		fallthrough
+	case List:
+		fallthrough
+	case Item:
+		fallthrough
+	case Paragraph:
+		fallthrough
+	case Heading:
+		fallthrough
+	case Emph:
+		fallthrough
+	case Strong:
+		fallthrough
+	case Del:
+		fallthrough
+	case Link:
+		fallthrough
+	case Image:
+		fallthrough
+	case Table:
+		fallthrough
+	case TableHead:
+		fallthrough
+	case TableBody:
+		fallthrough
+	case TableRow:
+		fallthrough
+	case TableCell:
+		return true
+	default:
+		return false
+	}
+}
+
+// IsLeaf returns true if 'n' is a leaf node.
+func (n *Node) IsLeaf() bool {
+	return !n.IsContainer()
+}
+
+func (n *Node) canContain(t NodeType) bool {
+	if n.Type == List {
+		return t == Item
+	}
+	if n.Type == Document || n.Type == BlockQuote || n.Type == Item {
+		return t != Item
+	}
+	if n.Type == Table {
+		return t == TableHead || t == TableBody
+	}
+	if n.Type == TableHead || n.Type == TableBody {
+		return t == TableRow
+	}
+	if n.Type == TableRow {
+		return t == TableCell
+	}
+	return false
+}
+
+// WalkStatus allows NodeVisitor to have some control over the tree traversal.
+// It is returned from NodeVisitor and different values allow Node.Walk to
+// decide which node to go to next.
+type WalkStatus int
+
+const (
+	// GoToNext is the default traversal of every node.
+	GoToNext WalkStatus = iota
+	// SkipChildren tells walker to skip all children of current node.
+	SkipChildren
+	// Terminate tells walker to terminate the traversal.
+	Terminate
+)
+
+// NodeVisitor is a callback to be called when traversing the syntax tree.
+// Called twice for every node: once with entering=true when the branch is
+// first visited, then with entering=false after all the children are done.
+type NodeVisitor func(node *Node, entering bool) WalkStatus
+
+// Walk is a convenience method that instantiates a walker and starts a
+// traversal of subtree rooted at n.
+func (n *Node) Walk(visitor NodeVisitor) {
+	w := newNodeWalker(n)
+	for w.current != nil {
+		status := visitor(w.current, w.entering)
+		switch status {
+		case GoToNext:
+			w.next()
+		case SkipChildren:
+			w.entering = false
+			w.next()
+		case Terminate:
+			return
+		}
+	}
+}
+
+type nodeWalker struct {
+	current  *Node
+	root     *Node
+	entering bool
+}
+
+func newNodeWalker(root *Node) *nodeWalker {
+	return &nodeWalker{
+		current:  root,
+		root:     root,
+		entering: true,
+	}
+}
+
+func (nw *nodeWalker) next() {
+	if (!nw.current.IsContainer() || !nw.entering) && nw.current == nw.root {
+		nw.current = nil
+		return
+	}
+	if nw.entering && nw.current.IsContainer() {
+		if nw.current.FirstChild != nil {
+			nw.current = nw.current.FirstChild
+			nw.entering = true
+		} else {
+			nw.entering = false
+		}
+	} else if nw.current.Next == nil {
+		nw.current = nw.current.Parent
+		nw.entering = false
+	} else {
+		nw.current = nw.current.Next
+		nw.entering = true
+	}
+}
+
+func dump(ast *Node) {
+	fmt.Println(dumpString(ast))
+}
+
+func dumpR(ast *Node, depth int) string {
+	if ast == nil {
+		return ""
+	}
+	indent := bytes.Repeat([]byte("\t"), depth)
+	content := ast.Literal
+	if content == nil {
+		content = ast.content
+	}
+	result := fmt.Sprintf("%s%s(%q)\n", indent, ast.Type, content)
+	for n := ast.FirstChild; n != nil; n = n.Next {
+		result += dumpR(n, depth+1)
+	}
+	return result
+}
+
+func dumpString(ast *Node) string {
+	return dumpR(ast, 0)
+}
diff --git a/vendor/github.com/russross/blackfriday/v2/smartypants.go b/vendor/github.com/russross/blackfriday/v2/smartypants.go
new file mode 100644
index 0000000000..3a220e9424
--- /dev/null
+++ b/vendor/github.com/russross/blackfriday/v2/smartypants.go
@@ -0,0 +1,457 @@
+//
+// Blackfriday Markdown Processor
+// Available at http://github.com/russross/blackfriday
+//
+// Copyright © 2011 Russ Ross <russ@russross.com>.
+// Distributed under the Simplified BSD License.
+// See README.md for details.
+//
+
+//
+//
+// SmartyPants rendering
+//
+//
+
+package blackfriday
+
+import (
+	"bytes"
+	"io"
+)
+
+// SPRenderer is a struct containing state of a Smartypants renderer.
+type SPRenderer struct {
+	inSingleQuote bool
+	inDoubleQuote bool
+	callbacks     [256]smartCallback
+}
+
+func wordBoundary(c byte) bool {
+	return c == 0 || isspace(c) || ispunct(c)
+}
+
+func tolower(c byte) byte {
+	if c >= 'A' && c <= 'Z' {
+		return c - 'A' + 'a'
+	}
+	return c
+}
+
+func isdigit(c byte) bool {
+	return c >= '0' && c <= '9'
+}
+
+func smartQuoteHelper(out *bytes.Buffer, previousChar byte, nextChar byte, quote byte, isOpen *bool, addNBSP bool) bool {
+	// edge of the buffer is likely to be a tag that we don't get to see,
+	// so we treat it like text sometimes
+
+	// enumerate all sixteen possibilities for (previousChar, nextChar)
+	// each can be one of {0, space, punct, other}
+	switch {
+	case previousChar == 0 && nextChar == 0:
+		// context is not any help here, so toggle
+		*isOpen = !*isOpen
+	case isspace(previousChar) && nextChar == 0:
+		// [ "] might be [ "<code>foo...]
+		*isOpen = true
+	case ispunct(previousChar) && nextChar == 0:
+		// [!"] hmm... could be [Run!"] or [("<code>...]
+		*isOpen = false
+	case /* isnormal(previousChar) && */ nextChar == 0:
+		// [a"] is probably a close
+		*isOpen = false
+	case previousChar == 0 && isspace(nextChar):
+		// [" ] might be [...foo</code>" ]
+		*isOpen = false
+	case isspace(previousChar) && isspace(nextChar):
+		// [ " ] context is not any help here, so toggle
+		*isOpen = !*isOpen
+	case ispunct(previousChar) && isspace(nextChar):
+		// [!" ] is probably a close
+		*isOpen = false
+	case /* isnormal(previousChar) && */ isspace(nextChar):
+		// [a" ] this is one of the easy cases
+		*isOpen = false
+	case previousChar == 0 && ispunct(nextChar):
+		// ["!] hmm... could be ["$1.95] or [</code>"!...]
+		*isOpen = false
+	case isspace(previousChar) && ispunct(nextChar):
+		// [ "!] looks more like [ "$1.95]
+		*isOpen = true
+	case ispunct(previousChar) && ispunct(nextChar):
+		// [!"!] context is not any help here, so toggle
+		*isOpen = !*isOpen
+	case /* isnormal(previousChar) && */ ispunct(nextChar):
+		// [a"!] is probably a close
+		*isOpen = false
+	case previousChar == 0 /* && isnormal(nextChar) */ :
+		// ["a] is probably an open
+		*isOpen = true
+	case isspace(previousChar) /* && isnormal(nextChar) */ :
+		// [ "a] this is one of the easy cases
+		*isOpen = true
+	case ispunct(previousChar) /* && isnormal(nextChar) */ :
+		// [!"a] is probably an open
+		*isOpen = true
+	default:
+		// [a'b] maybe a contraction?
+		*isOpen = false
+	}
+
+	// Note that with the limited lookahead, this non-breaking
+	// space will also be appended to single double quotes.
+	if addNBSP && !*isOpen {
+		out.WriteString("&nbsp;")
+	}
+
+	out.WriteByte('&')
+	if *isOpen {
+		out.WriteByte('l')
+	} else {
+		out.WriteByte('r')
+	}
+	out.WriteByte(quote)
+	out.WriteString("quo;")
+
+	if addNBSP && *isOpen {
+		out.WriteString("&nbsp;")
+	}
+
+	return true
+}
+
+func (r *SPRenderer) smartSingleQuote(out *bytes.Buffer, previousChar byte, text []byte) int {
+	if len(text) >= 2 {
+		t1 := tolower(text[1])
+
+		if t1 == '\'' {
+			nextChar := byte(0)
+			if len(text) >= 3 {
+				nextChar = text[2]
+			}
+			if smartQuoteHelper(out, previousChar, nextChar, 'd', &r.inDoubleQuote, false) {
+				return 1
+			}
+		}
+
+		if (t1 == 's' || t1 == 't' || t1 == 'm' || t1 == 'd') && (len(text) < 3 || wordBoundary(text[2])) {
+			out.WriteString("&rsquo;")
+			return 0
+		}
+
+		if len(text) >= 3 {
+			t2 := tolower(text[2])
+
+			if ((t1 == 'r' && t2 == 'e') || (t1 == 'l' && t2 == 'l') || (t1 == 'v' && t2 == 'e')) &&
+				(len(text) < 4 || wordBoundary(text[3])) {
+				out.WriteString("&rsquo;")
+				return 0
+			}
+		}
+	}
+
+	nextChar := byte(0)
+	if len(text) > 1 {
+		nextChar = text[1]
+	}
+	if smartQuoteHelper(out, previousChar, nextChar, 's', &r.inSingleQuote, false) {
+		return 0
+	}
+
+	out.WriteByte(text[0])
+	return 0
+}
+
+func (r *SPRenderer) smartParens(out *bytes.Buffer, previousChar byte, text []byte) int {
+	if len(text) >= 3 {
+		t1 := tolower(text[1])
+		t2 := tolower(text[2])
+
+		if t1 == 'c' && t2 == ')' {
+			out.WriteString("&copy;")
+			return 2
+		}
+
+		if t1 == 'r' && t2 == ')' {
+			out.WriteString("&reg;")
+			return 2
+		}
+
+		if len(text) >= 4 && t1 == 't' && t2 == 'm' && text[3] == ')' {
+			out.WriteString("&trade;")
+			return 3
+		}
+	}
+
+	out.WriteByte(text[0])
+	return 0
+}
+
+func (r *SPRenderer) smartDash(out *bytes.Buffer, previousChar byte, text []byte) int {
+	if len(text) >= 2 {
+		if text[1] == '-' {
+			out.WriteString("&mdash;")
+			return 1
+		}
+
+		if wordBoundary(previousChar) && wordBoundary(text[1]) {
+			out.WriteString("&ndash;")
+			return 0
+		}
+	}
+
+	out.WriteByte(text[0])
+	return 0
+}
+
+func (r *SPRenderer) smartDashLatex(out *bytes.Buffer, previousChar byte, text []byte) int {
+	if len(text) >= 3 && text[1] == '-' && text[2] == '-' {
+		out.WriteString("&mdash;")
+		return 2
+	}
+	if len(text) >= 2 && text[1] == '-' {
+		out.WriteString("&ndash;")
+		return 1
+	}
+
+	out.WriteByte(text[0])
+	return 0
+}
+
+func (r *SPRenderer) smartAmpVariant(out *bytes.Buffer, previousChar byte, text []byte, quote byte, addNBSP bool) int {
+	if bytes.HasPrefix(text, []byte("&quot;")) {
+		nextChar := byte(0)
+		if len(text) >= 7 {
+			nextChar = text[6]
+		}
+		if smartQuoteHelper(out, previousChar, nextChar, quote, &r.inDoubleQuote, addNBSP) {
+			return 5
+		}
+	}
+
+	if bytes.HasPrefix(text, []byte("&#0;")) {
+		return 3
+	}
+
+	out.WriteByte('&')
+	return 0
+}
+
+func (r *SPRenderer) smartAmp(angledQuotes, addNBSP bool) func(*bytes.Buffer, byte, []byte) int {
+	var quote byte = 'd'
+	if angledQuotes {
+		quote = 'a'
+	}
+
+	return func(out *bytes.Buffer, previousChar byte, text []byte) int {
+		return r.smartAmpVariant(out, previousChar, text, quote, addNBSP)
+	}
+}
+
+func (r *SPRenderer) smartPeriod(out *bytes.Buffer, previousChar byte, text []byte) int {
+	if len(text) >= 3 && text[1] == '.' && text[2] == '.' {
+		out.WriteString("&hellip;")
+		return 2
+	}
+
+	if len(text) >= 5 && text[1] == ' ' && text[2] == '.' && text[3] == ' ' && text[4] == '.' {
+		out.WriteString("&hellip;")
+		return 4
+	}
+
+	out.WriteByte(text[0])
+	return 0
+}
+
+func (r *SPRenderer) smartBacktick(out *bytes.Buffer, previousChar byte, text []byte) int {
+	if len(text) >= 2 && text[1] == '`' {
+		nextChar := byte(0)
+		if len(text) >= 3 {
+			nextChar = text[2]
+		}
+		if smartQuoteHelper(out, previousChar, nextChar, 'd', &r.inDoubleQuote, false) {
+			return 1
+		}
+	}
+
+	out.WriteByte(text[0])
+	return 0
+}
+
+func (r *SPRenderer) smartNumberGeneric(out *bytes.Buffer, previousChar byte, text []byte) int {
+	if wordBoundary(previousChar) && previousChar != '/' && len(text) >= 3 {
+		// is it of the form digits/digits(word boundary)?, i.e., \d+/\d+\b
+		// note: check for regular slash (/) or fraction slash (�, 0x2044, or 0xe2 81 84 in utf-8)
+		//       and avoid changing dates like 1/23/2005 into fractions.
+		numEnd := 0
+		for len(text) > numEnd && isdigit(text[numEnd]) {
+			numEnd++
+		}
+		if numEnd == 0 {
+			out.WriteByte(text[0])
+			return 0
+		}
+		denStart := numEnd + 1
+		if len(text) > numEnd+3 && text[numEnd] == 0xe2 && text[numEnd+1] == 0x81 && text[numEnd+2] == 0x84 {
+			denStart = numEnd + 3
+		} else if len(text) < numEnd+2 || text[numEnd] != '/' {
+			out.WriteByte(text[0])
+			return 0
+		}
+		denEnd := denStart
+		for len(text) > denEnd && isdigit(text[denEnd]) {
+			denEnd++
+		}
+		if denEnd == denStart {
+			out.WriteByte(text[0])
+			return 0
+		}
+		if len(text) == denEnd || wordBoundary(text[denEnd]) && text[denEnd] != '/' {
+			out.WriteString("<sup>")
+			out.Write(text[:numEnd])
+			out.WriteString("</sup>&frasl;<sub>")
+			out.Write(text[denStart:denEnd])
+			out.WriteString("</sub>")
+			return denEnd - 1
+		}
+	}
+
+	out.WriteByte(text[0])
+	return 0
+}
+
+func (r *SPRenderer) smartNumber(out *bytes.Buffer, previousChar byte, text []byte) int {
+	if wordBoundary(previousChar) && previousChar != '/' && len(text) >= 3 {
+		if text[0] == '1' && text[1] == '/' && text[2] == '2' {
+			if len(text) < 4 || wordBoundary(text[3]) && text[3] != '/' {
+				out.WriteString("&frac12;")
+				return 2
+			}
+		}
+
+		if text[0] == '1' && text[1] == '/' && text[2] == '4' {
+			if len(text) < 4 || wordBoundary(text[3]) && text[3] != '/' || (len(text) >= 5 && tolower(text[3]) == 't' && tolower(text[4]) == 'h') {
+				out.WriteString("&frac14;")
+				return 2
+			}
+		}
+
+		if text[0] == '3' && text[1] == '/' && text[2] == '4' {
+			if len(text) < 4 || wordBoundary(text[3]) && text[3] != '/' || (len(text) >= 6 && tolower(text[3]) == 't' && tolower(text[4]) == 'h' && tolower(text[5]) == 's') {
+				out.WriteString("&frac34;")
+				return 2
+			}
+		}
+	}
+
+	out.WriteByte(text[0])
+	return 0
+}
+
+func (r *SPRenderer) smartDoubleQuoteVariant(out *bytes.Buffer, previousChar byte, text []byte, quote byte) int {
+	nextChar := byte(0)
+	if len(text) > 1 {
+		nextChar = text[1]
+	}
+	if !smartQuoteHelper(out, previousChar, nextChar, quote, &r.inDoubleQuote, false) {
+		out.WriteString("&quot;")
+	}
+
+	return 0
+}
+
+func (r *SPRenderer) smartDoubleQuote(out *bytes.Buffer, previousChar byte, text []byte) int {
+	return r.smartDoubleQuoteVariant(out, previousChar, text, 'd')
+}
+
+func (r *SPRenderer) smartAngledDoubleQuote(out *bytes.Buffer, previousChar byte, text []byte) int {
+	return r.smartDoubleQuoteVariant(out, previousChar, text, 'a')
+}
+
+func (r *SPRenderer) smartLeftAngle(out *bytes.Buffer, previousChar byte, text []byte) int {
+	i := 0
+
+	for i < len(text) && text[i] != '>' {
+		i++
+	}
+
+	out.Write(text[:i+1])
+	return i
+}
+
+type smartCallback func(out *bytes.Buffer, previousChar byte, text []byte) int
+
+// NewSmartypantsRenderer constructs a Smartypants renderer object.
+func NewSmartypantsRenderer(flags HTMLFlags) *SPRenderer {
+	var (
+		r SPRenderer
+
+		smartAmpAngled      = r.smartAmp(true, false)
+		smartAmpAngledNBSP  = r.smartAmp(true, true)
+		smartAmpRegular     = r.smartAmp(false, false)
+		smartAmpRegularNBSP = r.smartAmp(false, true)
+
+		addNBSP = flags&SmartypantsQuotesNBSP != 0
+	)
+
+	if flags&SmartypantsAngledQuotes == 0 {
+		r.callbacks['"'] = r.smartDoubleQuote
+		if !addNBSP {
+			r.callbacks['&'] = smartAmpRegular
+		} else {
+			r.callbacks['&'] = smartAmpRegularNBSP
+		}
+	} else {
+		r.callbacks['"'] = r.smartAngledDoubleQuote
+		if !addNBSP {
+			r.callbacks['&'] = smartAmpAngled
+		} else {
+			r.callbacks['&'] = smartAmpAngledNBSP
+		}
+	}
+	r.callbacks['\''] = r.smartSingleQuote
+	r.callbacks['('] = r.smartParens
+	if flags&SmartypantsDashes != 0 {
+		if flags&SmartypantsLatexDashes == 0 {
+			r.callbacks['-'] = r.smartDash
+		} else {
+			r.callbacks['-'] = r.smartDashLatex
+		}
+	}
+	r.callbacks['.'] = r.smartPeriod
+	if flags&SmartypantsFractions == 0 {
+		r.callbacks['1'] = r.smartNumber
+		r.callbacks['3'] = r.smartNumber
+	} else {
+		for ch := '1'; ch <= '9'; ch++ {
+			r.callbacks[ch] = r.smartNumberGeneric
+		}
+	}
+	r.callbacks['<'] = r.smartLeftAngle
+	r.callbacks['`'] = r.smartBacktick
+	return &r
+}
+
+// Process is the entry point of the Smartypants renderer.
+func (r *SPRenderer) Process(w io.Writer, text []byte) {
+	mark := 0
+	for i := 0; i < len(text); i++ {
+		if action := r.callbacks[text[i]]; action != nil {
+			if i > mark {
+				w.Write(text[mark:i])
+			}
+			previousChar := byte(0)
+			if i > 0 {
+				previousChar = text[i-1]
+			}
+			var tmp bytes.Buffer
+			i += action(&tmp, previousChar, text[i:])
+			w.Write(tmp.Bytes())
+			mark = i + 1
+		}
+	}
+	if mark < len(text) {
+		w.Write(text[mark:])
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/.gitmodules b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.gitmodules
new file mode 100644
index 0000000000..d14f5ea70f
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "testdata/JSON-Schema-Test-Suite"]
+	path = testdata/JSON-Schema-Test-Suite
+	url = https://github.com/json-schema-org/JSON-Schema-Test-Suite.git
+	branch = main
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/.golangci.yml b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.golangci.yml
new file mode 100644
index 0000000000..6534d53166
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.golangci.yml
@@ -0,0 +1,7 @@
+version: "2"
+linters:
+  enable:
+    - nakedret
+    - errname
+    - godot
+    - misspell
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/.pre-commit-hooks.yaml b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.pre-commit-hooks.yaml
new file mode 100644
index 0000000000..695b502ed9
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.pre-commit-hooks.yaml
@@ -0,0 +1,7 @@
+- id: jsonschema-validate
+  name: Validate JSON against JSON Schema
+  description: ensure json files follow specified JSON Schema
+  entry: jv
+  language: golang
+  additional_dependencies:
+  - ./cmd/jv
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/LICENSE b/vendor/github.com/santhosh-tekuri/jsonschema/v6/LICENSE
new file mode 100644
index 0000000000..19dc35b243
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/LICENSE
@@ -0,0 +1,175 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
\ No newline at end of file
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/README.md b/vendor/github.com/santhosh-tekuri/jsonschema/v6/README.md
new file mode 100644
index 0000000000..1243b66c5a
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/README.md
@@ -0,0 +1,88 @@
+# jsonschema v6.0.2
+
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![GoDoc](https://godoc.org/github.com/santhosh-tekuri/jsonschema?status.svg)](https://pkg.go.dev/github.com/santhosh-tekuri/jsonschema/v6)
+[![Go Report Card](https://goreportcard.com/badge/github.com/santhosh-tekuri/jsonschema/v6)](https://goreportcard.com/report/github.com/santhosh-tekuri/jsonschema/v6)
+[![Build Status](https://github.com/santhosh-tekuri/jsonschema/actions/workflows/go.yaml/badge.svg?branch=boon)](https://github.com/santhosh-tekuri/jsonschema/actions/workflows/go.yaml)
+[![codecov](https://codecov.io/gh/santhosh-tekuri/jsonschema/branch/boon/graph/badge.svg?token=JMVj1pFT2l)](https://codecov.io/gh/santhosh-tekuri/jsonschema/tree/boon)
+
+see [godoc](https://pkg.go.dev/github.com/santhosh-tekuri/jsonschema/v6) for examples
+
+## Library Features
+
+- [x] pass [JSON-Schema-Test-Suite](https://github.com/json-schema-org/JSON-Schema-Test-Suite) excluding optional(compare with other impls at [bowtie](https://bowtie-json-schema.github.io/bowtie/#))
+  - [x] [![draft-04](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft4.json)](https://bowtie.report/#/dialects/draft4)
+  - [x] [![draft-06](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft6.json)](https://bowtie.report/#/dialects/draft6)
+  - [x] [![draft-07](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft7.json)](https://bowtie.report/#/dialects/draft7)
+  - [x] [![draft/2019-09](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft2019-09.json)](https://bowtie.report/#/dialects/draft2019-09)
+  - [x] [![draft/2020-12](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft2020-12.json)](https://bowtie.report/#/dialects/draft2020-12)
+- [x] detect infinite loop traps
+  - [x] `$schema` cycle
+  - [x] validation cycle
+- [x] custom `$schema` url
+- [x] vocabulary based validation
+- [x] custom regex engine
+- [x] format assertions
+  - [x] flag to enable in draft >= 2019-09
+  - [x] custom format registration
+  - [x] built-in formats
+    - [x] regex, uuid
+    - [x] ipv4, ipv6
+    - [x] hostname, email
+    - [x] date, time, date-time, duration
+    - [x] json-pointer, relative-json-pointer
+    - [x] uri, uri-reference, uri-template
+    - [x] iri, iri-reference
+    - [x] period, semver
+- [x] content assertions
+  - [x] flag to enable in draft >= 7
+  - [x] contentEncoding
+    - [x] base64
+    - [x] custom
+  - [x] contentMediaType
+    - [x] application/json
+    - [x] custom
+  - [x] contentSchema
+- [x] errors
+  - [x] introspectable
+  - [x] hierarchy
+    - [x] alternative display with `#`
+  - [x] output
+    - [x] flag
+    - [x] basic
+    - [x] detailed
+- [x] custom vocabulary
+    - enable via `$vocabulary` for draft >=2019-19
+    - enable via flag for draft <= 7
+- [x] mixed dialect support
+
+## CLI v0.7.0
+
+to install: `go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest`
+
+Note that the cli is versioned independently. you can see it in git tags `cmd/jv/v0.7.0`
+
+```
+Usage: jv [OPTIONS] SCHEMA [INSTANCE...]
+
+Options:
+  -c, --assert-content    Enable content assertions with draft >= 7
+  -f, --assert-format     Enable format assertions with draft >= 2019
+      --cacert pem-file   Use the specified pem-file to verify the peer. The file may contain multiple CA certificates
+  -d, --draft version     Draft version used when '$schema' is missing. Valid values 4, 6, 7, 2019, 2020 (default 2020)
+  -h, --help              Print help information
+  -k, --insecure          Use insecure TLS connection
+  -o, --output format     Output format. Valid values simple, alt, flag, basic, detailed (default "simple")
+  -q, --quiet             Do not print errors
+  -v, --version           Print build information
+```
+
+- [x] exit code `1` for validation errors, `2` for usage errors
+- [x] validate both schema and multiple instances
+- [x] support both json and yaml files
+- [x] support standard input, use `-`
+- [x] quite mode with parsable output
+- [x] http(s) url support
+  - [x] custom certs for validation, use `--cacert`
+  - [x] flag to skip certificate verification, use `--insecure`
+
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/compiler.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/compiler.go
new file mode 100644
index 0000000000..4da7361038
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/compiler.go
@@ -0,0 +1,332 @@
+package jsonschema
+
+import (
+	"fmt"
+	"regexp"
+	"slices"
+)
+
+// Compiler compiles json schema into *Schema.
+type Compiler struct {
+	schemas       map[urlPtr]*Schema
+	roots         *roots
+	formats       map[string]*Format
+	decoders      map[string]*Decoder
+	mediaTypes    map[string]*MediaType
+	assertFormat  bool
+	assertContent bool
+}
+
+// NewCompiler create Compiler Object.
+func NewCompiler() *Compiler {
+	return &Compiler{
+		schemas:       map[urlPtr]*Schema{},
+		roots:         newRoots(),
+		formats:       map[string]*Format{},
+		decoders:      map[string]*Decoder{},
+		mediaTypes:    map[string]*MediaType{},
+		assertFormat:  false,
+		assertContent: false,
+	}
+}
+
+// DefaultDraft overrides the draft used to
+// compile schemas without `$schema` field.
+//
+// By default, this library uses the latest
+// draft supported.
+//
+// The use of this option is HIGHLY encouraged
+// to ensure continued correct operation of your
+// schema. The current default value will not stay
+// the same overtime.
+func (c *Compiler) DefaultDraft(d *Draft) {
+	c.roots.defaultDraft = d
+}
+
+// AssertFormat always enables format assertions.
+//
+// Default Behavior:
+// for draft-07: enabled.
+// for draft/2019-09: disabled unless metaschema says `format` vocabulary is required.
+// for draft/2020-12: disabled unless metaschema says `format-assertion` vocabulary is required.
+func (c *Compiler) AssertFormat() {
+	c.assertFormat = true
+}
+
+// AssertContent enables content assertions.
+//
+// Content assertions include keywords:
+//   - contentEncoding
+//   - contentMediaType
+//   - contentSchema
+//
+// Default behavior is always disabled.
+func (c *Compiler) AssertContent() {
+	c.assertContent = true
+}
+
+// RegisterFormat registers custom format.
+//
+// NOTE:
+//   - "regex" format can not be overridden
+//   - format assertions are disabled for draft >= 2019-09
+//     see [Compiler.AssertFormat]
+func (c *Compiler) RegisterFormat(f *Format) {
+	if f.Name != "regex" {
+		c.formats[f.Name] = f
+	}
+}
+
+// RegisterContentEncoding registers custom contentEncoding.
+//
+// NOTE: content assertions are disabled by default.
+// see [Compiler.AssertContent].
+func (c *Compiler) RegisterContentEncoding(d *Decoder) {
+	c.decoders[d.Name] = d
+}
+
+// RegisterContentMediaType registers custom contentMediaType.
+//
+// NOTE: content assertions are disabled by default.
+// see [Compiler.AssertContent].
+func (c *Compiler) RegisterContentMediaType(mt *MediaType) {
+	c.mediaTypes[mt.Name] = mt
+}
+
+// RegisterVocabulary registers custom vocabulary.
+//
+// NOTE:
+//   - vocabularies are disabled for draft >= 2019-09
+//     see [Compiler.AssertVocabs]
+func (c *Compiler) RegisterVocabulary(vocab *Vocabulary) {
+	c.roots.vocabularies[vocab.URL] = vocab
+}
+
+// AssertVocabs always enables user-defined vocabularies assertions.
+//
+// Default Behavior:
+// for draft-07: enabled.
+// for draft/2019-09: disabled unless metaschema enables a vocabulary.
+// for draft/2020-12: disabled unless metaschema enables a vocabulary.
+func (c *Compiler) AssertVocabs() {
+	c.roots.assertVocabs = true
+}
+
+// AddResource adds schema resource which gets used later in reference
+// resolution.
+//
+// The argument url can be file path or url. Any fragment in url is ignored.
+// The argument doc must be valid json value.
+func (c *Compiler) AddResource(url string, doc any) error {
+	uf, err := absolute(url)
+	if err != nil {
+		return err
+	}
+	if isMeta(string(uf.url)) {
+		return &ResourceExistsError{string(uf.url)}
+	}
+	if !c.roots.loader.add(uf.url, doc) {
+		return &ResourceExistsError{string(uf.url)}
+	}
+	return nil
+}
+
+// UseLoader overrides the default [URLLoader] used
+// to load schema resources.
+func (c *Compiler) UseLoader(loader URLLoader) {
+	c.roots.loader.loader = loader
+}
+
+// UseRegexpEngine changes the regexp-engine used.
+// By default it uses regexp package from go standard
+// library.
+//
+// NOTE: must be called before compiling any schemas.
+func (c *Compiler) UseRegexpEngine(engine RegexpEngine) {
+	if engine == nil {
+		engine = goRegexpCompile
+	}
+	c.roots.regexpEngine = engine
+}
+
+func (c *Compiler) enqueue(q *queue, up urlPtr) *Schema {
+	if sch, ok := c.schemas[up]; ok {
+		// already got compiled
+		return sch
+	}
+	if sch := q.get(up); sch != nil {
+		return sch
+	}
+	sch := newSchema(up)
+	q.append(sch)
+	return sch
+}
+
+// MustCompile is like [Compile] but panics if compilation fails.
+// It simplifies safe initialization of global variables holding
+// compiled schema.
+func (c *Compiler) MustCompile(loc string) *Schema {
+	sch, err := c.Compile(loc)
+	if err != nil {
+		panic(fmt.Sprintf("jsonschema: Compile(%q): %v", loc, err))
+	}
+	return sch
+}
+
+// Compile compiles json-schema at given loc.
+func (c *Compiler) Compile(loc string) (*Schema, error) {
+	uf, err := absolute(loc)
+	if err != nil {
+		return nil, err
+	}
+	up, err := c.roots.resolveFragment(*uf)
+	if err != nil {
+		return nil, err
+	}
+	return c.doCompile(up)
+}
+
+func (c *Compiler) doCompile(up urlPtr) (*Schema, error) {
+	q := &queue{}
+	compiled := 0
+
+	c.enqueue(q, up)
+	for q.len() > compiled {
+		sch := q.at(compiled)
+		if err := c.roots.ensureSubschema(sch.up); err != nil {
+			return nil, err
+		}
+		r := c.roots.roots[sch.up.url]
+		v, err := sch.up.lookup(r.doc)
+		if err != nil {
+			return nil, err
+		}
+		if err := c.compileValue(v, sch, r, q); err != nil {
+			return nil, err
+		}
+		compiled++
+	}
+	for _, sch := range *q {
+		c.schemas[sch.up] = sch
+	}
+	return c.schemas[up], nil
+}
+
+func (c *Compiler) compileValue(v any, sch *Schema, r *root, q *queue) error {
+	res := r.resource(sch.up.ptr)
+	sch.DraftVersion = res.dialect.draft.version
+
+	base := urlPtr{sch.up.url, res.ptr}
+	sch.resource = c.enqueue(q, base)
+
+	// if resource, enqueue dynamic anchors for compilation
+	if sch.DraftVersion >= 2020 && sch.up == sch.resource.up {
+		res := r.resource(sch.up.ptr)
+		for anchor, anchorPtr := range res.anchors {
+			if slices.Contains(res.dynamicAnchors, anchor) {
+				up := urlPtr{sch.up.url, anchorPtr}
+				danchorSch := c.enqueue(q, up)
+				if sch.dynamicAnchors == nil {
+					sch.dynamicAnchors = map[string]*Schema{}
+				}
+				sch.dynamicAnchors[string(anchor)] = danchorSch
+			}
+		}
+	}
+
+	switch v := v.(type) {
+	case bool:
+		sch.Bool = &v
+	case map[string]any:
+		if err := c.compileObject(v, sch, r, q); err != nil {
+			return err
+		}
+	}
+
+	sch.allPropsEvaluated = sch.AdditionalProperties != nil
+	if sch.DraftVersion < 2020 {
+		sch.allItemsEvaluated = sch.AdditionalItems != nil
+		switch items := sch.Items.(type) {
+		case *Schema:
+			sch.allItemsEvaluated = true
+		case []*Schema:
+			sch.numItemsEvaluated = len(items)
+		}
+	} else {
+		sch.allItemsEvaluated = sch.Items2020 != nil
+		sch.numItemsEvaluated = len(sch.PrefixItems)
+	}
+
+	return nil
+}
+
+func (c *Compiler) compileObject(obj map[string]any, sch *Schema, r *root, q *queue) error {
+	if len(obj) == 0 {
+		b := true
+		sch.Bool = &b
+		return nil
+	}
+	oc := objCompiler{
+		c:   c,
+		obj: obj,
+		up:  sch.up,
+		r:   r,
+		res: r.resource(sch.up.ptr),
+		q:   q,
+	}
+	return oc.compile(sch)
+}
+
+// queue --
+
+type queue []*Schema
+
+func (q *queue) append(sch *Schema) {
+	*q = append(*q, sch)
+}
+
+func (q *queue) at(i int) *Schema {
+	return (*q)[i]
+}
+
+func (q *queue) len() int {
+	return len(*q)
+}
+
+func (q *queue) get(up urlPtr) *Schema {
+	i := slices.IndexFunc(*q, func(sch *Schema) bool { return sch.up == up })
+	if i != -1 {
+		return (*q)[i]
+	}
+	return nil
+}
+
+// regexp --
+
+// Regexp is the representation of compiled regular expression.
+type Regexp interface {
+	fmt.Stringer
+
+	// MatchString reports whether the string s contains
+	// any match of the regular expression.
+	MatchString(string) bool
+}
+
+// RegexpEngine parses a regular expression and returns,
+// if successful, a Regexp object that can be used to
+// match against text.
+type RegexpEngine func(string) (Regexp, error)
+
+func (re RegexpEngine) validate(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	_, err := re(s)
+	return err
+}
+
+func goRegexpCompile(s string) (Regexp, error) {
+	return regexp.Compile(s)
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/content.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/content.go
new file mode 100644
index 0000000000..8d62e58b09
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/content.go
@@ -0,0 +1,51 @@
+package jsonschema
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+)
+
+// Decoder specifies how to decode specific contentEncoding.
+type Decoder struct {
+	// Name of contentEncoding.
+	Name string
+	// Decode given string to byte array.
+	Decode func(string) ([]byte, error)
+}
+
+var decoders = map[string]*Decoder{
+	"base64": {
+		Name: "base64",
+		Decode: func(s string) ([]byte, error) {
+			return base64.StdEncoding.DecodeString(s)
+		},
+	},
+}
+
+// MediaType specified how to validate bytes against specific contentMediaType.
+type MediaType struct {
+	// Name of contentMediaType.
+	Name string
+
+	// Validate checks whether bytes conform to this mediatype.
+	Validate func([]byte) error
+
+	// UnmarshalJSON unmarshals bytes into json value.
+	// This must be nil if this mediatype is not compatible
+	// with json.
+	UnmarshalJSON func([]byte) (any, error)
+}
+
+var mediaTypes = map[string]*MediaType{
+	"application/json": {
+		Name: "application/json",
+		Validate: func(b []byte) error {
+			var v any
+			return json.Unmarshal(b, &v)
+		},
+		UnmarshalJSON: func(b []byte) (any, error) {
+			return UnmarshalJSON(bytes.NewReader(b))
+		},
+	},
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/draft.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/draft.go
new file mode 100644
index 0000000000..fd09bae8d3
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/draft.go
@@ -0,0 +1,360 @@
+package jsonschema
+
+import (
+	"fmt"
+	"slices"
+	"strings"
+)
+
+// A Draft represents json-schema specification.
+type Draft struct {
+	version       int
+	url           string
+	sch           *Schema
+	id            string             // property name used to represent id
+	subschemas    []SchemaPath       // locations of subschemas
+	vocabPrefix   string             // prefix used for vocabulary
+	allVocabs     map[string]*Schema // names of supported vocabs with its schemas
+	defaultVocabs []string           // names of default vocabs
+}
+
+// String returns the specification url.
+func (d *Draft) String() string {
+	return d.url
+}
+
+var (
+	Draft4 = &Draft{
+		version: 4,
+		url:     "http://json-schema.org/draft-04/schema",
+		id:      "id",
+		subschemas: []SchemaPath{
+			// type agonistic
+			schemaPath("definitions/*"),
+			schemaPath("not"),
+			schemaPath("allOf/[]"),
+			schemaPath("anyOf/[]"),
+			schemaPath("oneOf/[]"),
+			// object
+			schemaPath("properties/*"),
+			schemaPath("additionalProperties"),
+			schemaPath("patternProperties/*"),
+			// array
+			schemaPath("items"),
+			schemaPath("items/[]"),
+			schemaPath("additionalItems"),
+			schemaPath("dependencies/*"),
+		},
+		vocabPrefix:   "",
+		allVocabs:     map[string]*Schema{},
+		defaultVocabs: []string{},
+	}
+
+	Draft6 = &Draft{
+		version: 6,
+		url:     "http://json-schema.org/draft-06/schema",
+		id:      "$id",
+		subschemas: joinSubschemas(Draft4.subschemas,
+			schemaPath("propertyNames"),
+			schemaPath("contains"),
+		),
+		vocabPrefix:   "",
+		allVocabs:     map[string]*Schema{},
+		defaultVocabs: []string{},
+	}
+
+	Draft7 = &Draft{
+		version: 7,
+		url:     "http://json-schema.org/draft-07/schema",
+		id:      "$id",
+		subschemas: joinSubschemas(Draft6.subschemas,
+			schemaPath("if"),
+			schemaPath("then"),
+			schemaPath("else"),
+		),
+		vocabPrefix:   "",
+		allVocabs:     map[string]*Schema{},
+		defaultVocabs: []string{},
+	}
+
+	Draft2019 = &Draft{
+		version: 2019,
+		url:     "https://json-schema.org/draft/2019-09/schema",
+		id:      "$id",
+		subschemas: joinSubschemas(Draft7.subschemas,
+			schemaPath("$defs/*"),
+			schemaPath("dependentSchemas/*"),
+			schemaPath("unevaluatedProperties"),
+			schemaPath("unevaluatedItems"),
+			schemaPath("contentSchema"),
+		),
+		vocabPrefix: "https://json-schema.org/draft/2019-09/vocab/",
+		allVocabs: map[string]*Schema{
+			"core":       nil,
+			"applicator": nil,
+			"validation": nil,
+			"meta-data":  nil,
+			"format":     nil,
+			"content":    nil,
+		},
+		defaultVocabs: []string{"core", "applicator", "validation"},
+	}
+
+	Draft2020 = &Draft{
+		version: 2020,
+		url:     "https://json-schema.org/draft/2020-12/schema",
+		id:      "$id",
+		subschemas: joinSubschemas(Draft2019.subschemas,
+			schemaPath("prefixItems/[]"),
+		),
+		vocabPrefix: "https://json-schema.org/draft/2020-12/vocab/",
+		allVocabs: map[string]*Schema{
+			"core":              nil,
+			"applicator":        nil,
+			"unevaluated":       nil,
+			"validation":        nil,
+			"meta-data":         nil,
+			"format-annotation": nil,
+			"format-assertion":  nil,
+			"content":           nil,
+		},
+		defaultVocabs: []string{"core", "applicator", "unevaluated", "validation"},
+	}
+
+	draftLatest = Draft2020
+)
+
+func init() {
+	c := NewCompiler()
+	c.AssertFormat()
+	for _, d := range []*Draft{Draft4, Draft6, Draft7, Draft2019, Draft2020} {
+		d.sch = c.MustCompile(d.url)
+		for name := range d.allVocabs {
+			d.allVocabs[name] = c.MustCompile(strings.TrimSuffix(d.url, "schema") + "meta/" + name)
+		}
+	}
+}
+
+func draftFromURL(url string) *Draft {
+	u, frag := split(url)
+	if frag != "" {
+		return nil
+	}
+	u, ok := strings.CutPrefix(u, "http://")
+	if !ok {
+		u, _ = strings.CutPrefix(u, "https://")
+	}
+	switch u {
+	case "json-schema.org/schema":
+		return draftLatest
+	case "json-schema.org/draft/2020-12/schema":
+		return Draft2020
+	case "json-schema.org/draft/2019-09/schema":
+		return Draft2019
+	case "json-schema.org/draft-07/schema":
+		return Draft7
+	case "json-schema.org/draft-06/schema":
+		return Draft6
+	case "json-schema.org/draft-04/schema":
+		return Draft4
+	default:
+		return nil
+	}
+}
+
+func (d *Draft) getID(obj map[string]any) string {
+	if d.version < 2019 {
+		if _, ok := obj["$ref"]; ok {
+			// All other properties in a "$ref" object MUST be ignored
+			return ""
+		}
+	}
+
+	id, ok := strVal(obj, d.id)
+	if !ok {
+		return ""
+	}
+	id, _ = split(id) // ignore fragment
+	return id
+}
+
+func (d *Draft) getVocabs(url url, doc any, vocabularies map[string]*Vocabulary) ([]string, error) {
+	if d.version < 2019 {
+		return nil, nil
+	}
+	obj, ok := doc.(map[string]any)
+	if !ok {
+		return nil, nil
+	}
+	v, ok := obj["$vocabulary"]
+	if !ok {
+		return nil, nil
+	}
+	obj, ok = v.(map[string]any)
+	if !ok {
+		return nil, nil
+	}
+
+	var vocabs []string
+	for vocab, reqd := range obj {
+		if reqd, ok := reqd.(bool); !ok || !reqd {
+			continue
+		}
+		name, ok := strings.CutPrefix(vocab, d.vocabPrefix)
+		if ok {
+			if _, ok := d.allVocabs[name]; ok {
+				if !slices.Contains(vocabs, name) {
+					vocabs = append(vocabs, name)
+					continue
+				}
+			}
+		}
+		if _, ok := vocabularies[vocab]; !ok {
+			return nil, &UnsupportedVocabularyError{url.String(), vocab}
+		}
+		if !slices.Contains(vocabs, vocab) {
+			vocabs = append(vocabs, vocab)
+		}
+	}
+	if !slices.Contains(vocabs, "core") {
+		vocabs = append(vocabs, "core")
+	}
+	return vocabs, nil
+}
+
+// --
+
+type dialect struct {
+	draft  *Draft
+	vocabs []string // nil means use draft.defaultVocabs
+}
+
+func (d *dialect) hasVocab(name string) bool {
+	if name == "core" || d.draft.version < 2019 {
+		return true
+	}
+	if d.vocabs != nil {
+		return slices.Contains(d.vocabs, name)
+	}
+	return slices.Contains(d.draft.defaultVocabs, name)
+}
+
+func (d *dialect) activeVocabs(assertVocabs bool, vocabularies map[string]*Vocabulary) []string {
+	if len(vocabularies) == 0 {
+		return d.vocabs
+	}
+	if d.draft.version < 2019 {
+		assertVocabs = true
+	}
+	if !assertVocabs {
+		return d.vocabs
+	}
+	var vocabs []string
+	if d.vocabs == nil {
+		vocabs = slices.Clone(d.draft.defaultVocabs)
+	} else {
+		vocabs = slices.Clone(d.vocabs)
+	}
+	for vocab := range vocabularies {
+		if !slices.Contains(vocabs, vocab) {
+			vocabs = append(vocabs, vocab)
+		}
+	}
+	return vocabs
+}
+
+func (d *dialect) getSchema(assertVocabs bool, vocabularies map[string]*Vocabulary) *Schema {
+	vocabs := d.activeVocabs(assertVocabs, vocabularies)
+	if vocabs == nil {
+		return d.draft.sch
+	}
+
+	var allOf []*Schema
+	for _, vocab := range vocabs {
+		sch := d.draft.allVocabs[vocab]
+		if sch == nil {
+			if v, ok := vocabularies[vocab]; ok {
+				sch = v.Schema
+			}
+		}
+		if sch != nil {
+			allOf = append(allOf, sch)
+		}
+	}
+	if !slices.Contains(vocabs, "core") {
+		sch := d.draft.allVocabs["core"]
+		if sch == nil {
+			sch = d.draft.sch
+		}
+		allOf = append(allOf, sch)
+	}
+	sch := &Schema{
+		Location:     "urn:mem:metaschema",
+		up:           urlPtr{url("urn:mem:metaschema"), ""},
+		DraftVersion: d.draft.version,
+		AllOf:        allOf,
+	}
+	sch.resource = sch
+	if sch.DraftVersion >= 2020 {
+		sch.DynamicAnchor = "meta"
+		sch.dynamicAnchors = map[string]*Schema{
+			"meta": sch,
+		}
+	}
+	return sch
+}
+
+// --
+
+type ParseIDError struct {
+	URL string
+}
+
+func (e *ParseIDError) Error() string {
+	return fmt.Sprintf("error in parsing id at %q", e.URL)
+}
+
+// --
+
+type ParseAnchorError struct {
+	URL string
+}
+
+func (e *ParseAnchorError) Error() string {
+	return fmt.Sprintf("error in parsing anchor at %q", e.URL)
+}
+
+// --
+
+type DuplicateIDError struct {
+	ID   string
+	URL  string
+	Ptr1 string
+	Ptr2 string
+}
+
+func (e *DuplicateIDError) Error() string {
+	return fmt.Sprintf("duplicate id %q in %q at %q and %q", e.ID, e.URL, e.Ptr1, e.Ptr2)
+}
+
+// --
+
+type DuplicateAnchorError struct {
+	Anchor string
+	URL    string
+	Ptr1   string
+	Ptr2   string
+}
+
+func (e *DuplicateAnchorError) Error() string {
+	return fmt.Sprintf("duplicate anchor %q in %q at %q and %q", e.Anchor, e.URL, e.Ptr1, e.Ptr2)
+}
+
+// --
+
+func joinSubschemas(a1 []SchemaPath, a2 ...SchemaPath) []SchemaPath {
+	var a []SchemaPath
+	a = append(a, a1...)
+	a = append(a, a2...)
+	return a
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/format.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/format.go
new file mode 100644
index 0000000000..b78b22e2a5
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/format.go
@@ -0,0 +1,708 @@
+package jsonschema
+
+import (
+	"net/netip"
+	gourl "net/url"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// Format defined specific format.
+type Format struct {
+	// Name of format.
+	Name string
+
+	// Validate checks if given value is of this format.
+	Validate func(v any) error
+}
+
+var formats = map[string]*Format{
+	"json-pointer":          {"json-pointer", validateJSONPointer},
+	"relative-json-pointer": {"relative-json-pointer", validateRelativeJSONPointer},
+	"uuid":                  {"uuid", validateUUID},
+	"duration":              {"duration", validateDuration},
+	"period":                {"period", validatePeriod},
+	"ipv4":                  {"ipv4", validateIPV4},
+	"ipv6":                  {"ipv6", validateIPV6},
+	"hostname":              {"hostname", validateHostname},
+	"email":                 {"email", validateEmail},
+	"date":                  {"date", validateDate},
+	"time":                  {"time", validateTime},
+	"date-time":             {"date-time", validateDateTime},
+	"uri":                   {"uri", validateURI},
+	"iri":                   {"iri", validateURI},
+	"uri-reference":         {"uri-reference", validateURIReference},
+	"iri-reference":         {"iri-reference", validateURIReference},
+	"uri-template":          {"uri-template", validateURITemplate},
+	"semver":                {"semver", validateSemver},
+}
+
+// see https://www.rfc-editor.org/rfc/rfc6901#section-3
+func validateJSONPointer(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	if s == "" {
+		return nil
+	}
+	if !strings.HasPrefix(s, "/") {
+		return LocalizableError("not starting with /")
+	}
+	for _, tok := range strings.Split(s, "/")[1:] {
+		escape := false
+		for _, ch := range tok {
+			if escape {
+				escape = false
+				if ch != '0' && ch != '1' {
+					return LocalizableError("~ must be followed by 0 or 1")
+				}
+				continue
+			}
+			if ch == '~' {
+				escape = true
+				continue
+			}
+			switch {
+			case ch >= '\x00' && ch <= '\x2E':
+			case ch >= '\x30' && ch <= '\x7D':
+			case ch >= '\x7F' && ch <= '\U0010FFFF':
+			default:
+				return LocalizableError("invalid character %q", ch)
+			}
+		}
+		if escape {
+			return LocalizableError("~ must be followed by 0 or 1")
+		}
+	}
+	return nil
+}
+
+// see https://tools.ietf.org/html/draft-handrews-relative-json-pointer-01#section-3
+func validateRelativeJSONPointer(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+
+	// start with non-negative-integer
+	numDigits := 0
+	for _, ch := range s {
+		if ch >= '0' && ch <= '9' {
+			numDigits++
+		} else {
+			break
+		}
+	}
+	if numDigits == 0 {
+		return LocalizableError("must start with non-negative integer")
+	}
+	if numDigits > 1 && strings.HasPrefix(s, "0") {
+		return LocalizableError("starts with zero")
+	}
+	s = s[numDigits:]
+
+	// followed by either json-pointer or '#'
+	if s == "#" {
+		return nil
+	}
+	return validateJSONPointer(s)
+}
+
+// see https://datatracker.ietf.org/doc/html/rfc4122#page-4
+func validateUUID(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+
+	hexGroups := []int{8, 4, 4, 4, 12}
+	groups := strings.Split(s, "-")
+	if len(groups) != len(hexGroups) {
+		return LocalizableError("must have %d elements", len(hexGroups))
+	}
+	for i, group := range groups {
+		if len(group) != hexGroups[i] {
+			return LocalizableError("element %d must be %d characters long", i+1, hexGroups[i])
+		}
+		for _, ch := range group {
+			switch {
+			case ch >= '0' && ch <= '9':
+			case ch >= 'a' && ch <= 'f':
+			case ch >= 'A' && ch <= 'F':
+			default:
+				return LocalizableError("non-hex character %q", ch)
+			}
+		}
+	}
+	return nil
+}
+
+// see https://datatracker.ietf.org/doc/html/rfc3339#appendix-A
+func validateDuration(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+
+	// must start with 'P'
+	s, ok = strings.CutPrefix(s, "P")
+	if !ok {
+		return LocalizableError("must start with P")
+	}
+	if s == "" {
+		return LocalizableError("nothing after P")
+	}
+
+	// dur-week
+	if s, ok := strings.CutSuffix(s, "W"); ok {
+		if s == "" {
+			return LocalizableError("no number in week")
+		}
+		for _, ch := range s {
+			if ch < '0' || ch > '9' {
+				return LocalizableError("invalid week")
+			}
+		}
+		return nil
+	}
+
+	allUnits := []string{"YMD", "HMS"}
+	for i, s := range strings.Split(s, "T") {
+		if i != 0 && s == "" {
+			return LocalizableError("no time elements")
+		}
+		if i >= len(allUnits) {
+			return LocalizableError("more than one T")
+		}
+		units := allUnits[i]
+		for s != "" {
+			digitCount := 0
+			for _, ch := range s {
+				if ch >= '0' && ch <= '9' {
+					digitCount++
+				} else {
+					break
+				}
+			}
+			if digitCount == 0 {
+				return LocalizableError("missing number")
+			}
+			s = s[digitCount:]
+			if s == "" {
+				return LocalizableError("missing unit")
+			}
+			unit := s[0]
+			j := strings.IndexByte(units, unit)
+			if j == -1 {
+				if strings.IndexByte(allUnits[i], unit) != -1 {
+					return LocalizableError("unit %q out of order", unit)
+				}
+				return LocalizableError("invalid unit %q", unit)
+			}
+			units = units[j+1:]
+			s = s[1:]
+		}
+	}
+
+	return nil
+}
+
+func validateIPV4(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	groups := strings.Split(s, ".")
+	if len(groups) != 4 {
+		return LocalizableError("expected four decimals")
+	}
+	for _, group := range groups {
+		if len(group) > 1 && group[0] == '0' {
+			return LocalizableError("leading zeros")
+		}
+		n, err := strconv.Atoi(group)
+		if err != nil {
+			return err
+		}
+		if n < 0 || n > 255 {
+			return LocalizableError("decimal must be between 0 and 255")
+		}
+	}
+	return nil
+}
+
+func validateIPV6(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	if !strings.Contains(s, ":") {
+		return LocalizableError("missing colon")
+	}
+	addr, err := netip.ParseAddr(s)
+	if err != nil {
+		return err
+	}
+	if addr.Zone() != "" {
+		return LocalizableError("zone id is not a part of ipv6 address")
+	}
+	return nil
+}
+
+// see https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names
+func validateHostname(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+
+	// entire hostname (including the delimiting dots but not a trailing dot) has a maximum of 253 ASCII characters
+	s = strings.TrimSuffix(s, ".")
+	if len(s) > 253 {
+		return LocalizableError("more than 253 characters long")
+	}
+
+	// Hostnames are composed of series of labels concatenated with dots, as are all domain names
+	for _, label := range strings.Split(s, ".") {
+		// Each label must be from 1 to 63 characters long
+		if len(label) < 1 || len(label) > 63 {
+			return LocalizableError("label must be 1 to 63 characters long")
+		}
+
+		// labels must not start or end with a hyphen
+		if strings.HasPrefix(label, "-") {
+			return LocalizableError("label starts with hyphen")
+		}
+		if strings.HasSuffix(label, "-") {
+			return LocalizableError("label ends with hyphen")
+		}
+
+		// labels may contain only the ASCII letters 'a' through 'z' (in a case-insensitive manner),
+		// the digits '0' through '9', and the hyphen ('-')
+		for _, ch := range label {
+			switch {
+			case ch >= 'a' && ch <= 'z':
+			case ch >= 'A' && ch <= 'Z':
+			case ch >= '0' && ch <= '9':
+			case ch == '-':
+			default:
+				return LocalizableError("invalid character %q", ch)
+			}
+		}
+	}
+	return nil
+}
+
+// see https://en.wikipedia.org/wiki/Email_address
+func validateEmail(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	// entire email address to be no more than 254 characters long
+	if len(s) > 254 {
+		return LocalizableError("more than 255 characters long")
+	}
+
+	// email address is generally recognized as having two parts joined with an at-sign
+	at := strings.LastIndexByte(s, '@')
+	if at == -1 {
+		return LocalizableError("missing @")
+	}
+	local, domain := s[:at], s[at+1:]
+
+	// local part may be up to 64 characters long
+	if len(local) > 64 {
+		return LocalizableError("local part more than 64 characters long")
+	}
+
+	if len(local) > 1 && strings.HasPrefix(local, `"`) && strings.HasPrefix(local, `"`) {
+		// quoted
+		local := local[1 : len(local)-1]
+		if strings.IndexByte(local, '\\') != -1 || strings.IndexByte(local, '"') != -1 {
+			return LocalizableError("backslash and quote are not allowed within quoted local part")
+		}
+	} else {
+		// unquoted
+		if strings.HasPrefix(local, ".") {
+			return LocalizableError("starts with dot")
+		}
+		if strings.HasSuffix(local, ".") {
+			return LocalizableError("ends with dot")
+		}
+
+		// consecutive dots not allowed
+		if strings.Contains(local, "..") {
+			return LocalizableError("consecutive dots")
+		}
+
+		// check allowed chars
+		for _, ch := range local {
+			switch {
+			case ch >= 'a' && ch <= 'z':
+			case ch >= 'A' && ch <= 'Z':
+			case ch >= '0' && ch <= '9':
+			case strings.ContainsRune(".!#$%&'*+-/=?^_`{|}~", ch):
+			default:
+				return LocalizableError("invalid character %q", ch)
+			}
+		}
+	}
+
+	// domain if enclosed in brackets, must match an IP address
+	if strings.HasPrefix(domain, "[") && strings.HasSuffix(domain, "]") {
+		domain = domain[1 : len(domain)-1]
+		if rem, ok := strings.CutPrefix(domain, "IPv6:"); ok {
+			if err := validateIPV6(rem); err != nil {
+				return LocalizableError("invalid ipv6 address: %v", err)
+			}
+			return nil
+		}
+		if err := validateIPV4(domain); err != nil {
+			return LocalizableError("invalid ipv4 address: %v", err)
+		}
+		return nil
+	}
+
+	// domain must match the requirements for a hostname
+	if err := validateHostname(domain); err != nil {
+		return LocalizableError("invalid domain: %v", err)
+	}
+
+	return nil
+}
+
+// see see https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
+func validateDate(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	_, err := time.Parse("2006-01-02", s)
+	return err
+}
+
+// see https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
+// NOTE: golang time package does not support leap seconds.
+func validateTime(v any) error {
+	str, ok := v.(string)
+	if !ok {
+		return nil
+	}
+
+	// min: hh:mm:ssZ
+	if len(str) < 9 {
+		return LocalizableError("less than 9 characters long")
+	}
+	if str[2] != ':' || str[5] != ':' {
+		return LocalizableError("missing colon in correct place")
+	}
+
+	// parse hh:mm:ss
+	var hms []int
+	for _, tok := range strings.SplitN(str[:8], ":", 3) {
+		i, err := strconv.Atoi(tok)
+		if err != nil {
+			return LocalizableError("invalid hour/min/sec")
+		}
+		if i < 0 {
+			return LocalizableError("non-positive hour/min/sec")
+		}
+		hms = append(hms, i)
+	}
+	if len(hms) != 3 {
+		return LocalizableError("missing hour/min/sec")
+	}
+	h, m, s := hms[0], hms[1], hms[2]
+	if h > 23 || m > 59 || s > 60 {
+		return LocalizableError("hour/min/sec out of range")
+	}
+	str = str[8:]
+
+	// parse sec-frac if present
+	if rem, ok := strings.CutPrefix(str, "."); ok {
+		numDigits := 0
+		for _, ch := range rem {
+			if ch >= '0' && ch <= '9' {
+				numDigits++
+			} else {
+				break
+			}
+		}
+		if numDigits == 0 {
+			return LocalizableError("no digits in second fraction")
+		}
+		str = rem[numDigits:]
+	}
+
+	if str != "z" && str != "Z" {
+		// parse time-numoffset
+		if len(str) != 6 {
+			return LocalizableError("offset must be 6 characters long")
+		}
+		var sign int
+		switch str[0] {
+		case '+':
+			sign = -1
+		case '-':
+			sign = +1
+		default:
+			return LocalizableError("offset must begin with plus/minus")
+		}
+		str = str[1:]
+		if str[2] != ':' {
+			return LocalizableError("missing colon in offset in correct place")
+		}
+
+		var zhm []int
+		for _, tok := range strings.SplitN(str, ":", 2) {
+			i, err := strconv.Atoi(tok)
+			if err != nil {
+				return LocalizableError("invalid hour/min in offset")
+			}
+			if i < 0 {
+				return LocalizableError("non-positive hour/min in offset")
+			}
+			zhm = append(zhm, i)
+		}
+		zh, zm := zhm[0], zhm[1]
+		if zh > 23 || zm > 59 {
+			return LocalizableError("hour/min in offset out of range")
+		}
+
+		// apply timezone
+		hm := (h*60 + m) + sign*(zh*60+zm)
+		if hm < 0 {
+			hm += 24 * 60
+		}
+		h, m = hm/60, hm%60
+	}
+
+	// check leap second
+	if s >= 60 && (h != 23 || m != 59) {
+		return LocalizableError("invalid leap second")
+	}
+
+	return nil
+}
+
+// see https://datatracker.ietf.org/doc/html/rfc3339#section-5.6
+func validateDateTime(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+
+	// min: yyyy-mm-ddThh:mm:ssZ
+	if len(s) < 20 {
+		return LocalizableError("less than 20 characters long")
+	}
+
+	if s[10] != 't' && s[10] != 'T' {
+		return LocalizableError("11th character must be t or T")
+	}
+	if err := validateDate(s[:10]); err != nil {
+		return LocalizableError("invalid date element: %v", err)
+	}
+	if err := validateTime(s[11:]); err != nil {
+		return LocalizableError("invalid time element: %v", err)
+	}
+	return nil
+}
+
+func parseURL(s string) (*gourl.URL, error) {
+	u, err := gourl.Parse(s)
+	if err != nil {
+		return nil, err
+	}
+
+	// gourl does not validate ipv6 host address
+	hostName := u.Hostname()
+	if strings.Contains(hostName, ":") {
+		if !strings.Contains(u.Host, "[") || !strings.Contains(u.Host, "]") {
+			return nil, LocalizableError("ipv6 address not enclosed in brackets")
+		}
+		if err := validateIPV6(hostName); err != nil {
+			return nil, LocalizableError("invalid ipv6 address: %v", err)
+		}
+	}
+
+	return u, nil
+}
+
+func validateURI(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	u, err := parseURL(s)
+	if err != nil {
+		return err
+	}
+	if !u.IsAbs() {
+		return LocalizableError("relative url")
+	}
+	return nil
+}
+
+func validateURIReference(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	if strings.Contains(s, `\`) {
+		return LocalizableError(`contains \`)
+	}
+	_, err := parseURL(s)
+	return err
+}
+
+func validateURITemplate(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	u, err := parseURL(s)
+	if err != nil {
+		return err
+	}
+	for _, tok := range strings.Split(u.RawPath, "/") {
+		tok, err = decode(tok)
+		if err != nil {
+			return LocalizableError("percent decode failed: %v", err)
+		}
+		want := true
+		for _, ch := range tok {
+			var got bool
+			switch ch {
+			case '{':
+				got = true
+			case '}':
+				got = false
+			default:
+				continue
+			}
+			if got != want {
+				return LocalizableError("nested curly braces")
+			}
+			want = !want
+		}
+		if !want {
+			return LocalizableError("no matching closing brace")
+		}
+	}
+	return nil
+}
+
+func validatePeriod(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+
+	slash := strings.IndexByte(s, '/')
+	if slash == -1 {
+		return LocalizableError("missing slash")
+	}
+
+	start, end := s[:slash], s[slash+1:]
+	if strings.HasPrefix(start, "P") {
+		if err := validateDuration(start); err != nil {
+			return LocalizableError("invalid start duration: %v", err)
+		}
+		if err := validateDateTime(end); err != nil {
+			return LocalizableError("invalid end date-time: %v", err)
+		}
+	} else {
+		if err := validateDateTime(start); err != nil {
+			return LocalizableError("invalid start date-time: %v", err)
+		}
+		if strings.HasPrefix(end, "P") {
+			if err := validateDuration(end); err != nil {
+				return LocalizableError("invalid end duration: %v", err)
+			}
+		} else if err := validateDateTime(end); err != nil {
+			return LocalizableError("invalid end date-time: %v", err)
+		}
+	}
+
+	return nil
+}
+
+// see https://semver.org/#backusnaur-form-grammar-for-valid-semver-versions
+func validateSemver(v any) error {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+
+	// build --
+	if i := strings.IndexByte(s, '+'); i != -1 {
+		build := s[i+1:]
+		if build == "" {
+			return LocalizableError("build is empty")
+		}
+		for _, buildID := range strings.Split(build, ".") {
+			if buildID == "" {
+				return LocalizableError("build identifier is empty")
+			}
+			for _, ch := range buildID {
+				switch {
+				case ch >= '0' && ch <= '9':
+				case (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || ch == '-':
+				default:
+					return LocalizableError("invalid character %q in build identifier", ch)
+				}
+			}
+		}
+		s = s[:i]
+	}
+
+	// pre-release --
+	if i := strings.IndexByte(s, '-'); i != -1 {
+		preRelease := s[i+1:]
+		for _, preReleaseID := range strings.Split(preRelease, ".") {
+			if preReleaseID == "" {
+				return LocalizableError("pre-release identifier is empty")
+			}
+			allDigits := true
+			for _, ch := range preReleaseID {
+				switch {
+				case ch >= '0' && ch <= '9':
+				case (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || ch == '-':
+					allDigits = false
+				default:
+					return LocalizableError("invalid character %q in pre-release identifier", ch)
+				}
+			}
+			if allDigits && len(preReleaseID) > 1 && preReleaseID[0] == '0' {
+				return LocalizableError("pre-release numeric identifier starts with zero")
+			}
+		}
+		s = s[:i]
+	}
+
+	// versionCore --
+	versions := strings.Split(s, ".")
+	if len(versions) != 3 {
+		return LocalizableError("versionCore must have 3 numbers separated by dot")
+	}
+	names := []string{"major", "minor", "patch"}
+	for i, version := range versions {
+		if version == "" {
+			return LocalizableError("%s is empty", names[i])
+		}
+		if len(version) > 1 && version[0] == '0' {
+			return LocalizableError("%s starts with zero", names[i])
+		}
+		for _, ch := range version {
+			if ch < '0' || ch > '9' {
+				return LocalizableError("%s contains non-digit", names[i])
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work b/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work
new file mode 100644
index 0000000000..e7f4d93de4
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work
@@ -0,0 +1,8 @@
+go 1.21.1
+
+use (
+	.
+	./cmd/jv
+)
+
+// replace github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 => ./
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work.sum b/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work.sum
new file mode 100644
index 0000000000..2b5b811d99
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work.sum
@@ -0,0 +1,4 @@
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/kind/kind.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/kind/kind.go
new file mode 100644
index 0000000000..a37fb0b978
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/kind/kind.go
@@ -0,0 +1,651 @@
+package kind
+
+import (
+	"fmt"
+	"math/big"
+	"strings"
+
+	"golang.org/x/text/message"
+)
+
+// --
+
+type InvalidJsonValue struct {
+	Value any
+}
+
+func (*InvalidJsonValue) KeywordPath() []string {
+	return nil
+}
+
+func (k *InvalidJsonValue) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("invalid jsonType %T", k.Value)
+}
+
+// --
+
+type Schema struct {
+	Location string
+}
+
+func (*Schema) KeywordPath() []string {
+	return nil
+}
+
+func (k *Schema) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("jsonschema validation failed with %s", quote(k.Location))
+}
+
+// --
+
+type Group struct{}
+
+func (*Group) KeywordPath() []string {
+	return nil
+}
+
+func (*Group) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("validation failed")
+}
+
+// --
+
+type Not struct{}
+
+func (*Not) KeywordPath() []string {
+	return nil
+}
+
+func (*Not) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("'not' failed")
+}
+
+// --
+
+type AllOf struct{}
+
+func (*AllOf) KeywordPath() []string {
+	return []string{"allOf"}
+}
+
+func (*AllOf) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("'allOf' failed")
+}
+
+// --
+
+type AnyOf struct{}
+
+func (*AnyOf) KeywordPath() []string {
+	return []string{"anyOf"}
+}
+
+func (*AnyOf) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("'anyOf' failed")
+}
+
+// --
+
+type OneOf struct {
+	// Subschemas gives indexes of Subschemas that have matched.
+	// Value nil, means none of the subschemas matched.
+	Subschemas []int
+}
+
+func (*OneOf) KeywordPath() []string {
+	return []string{"oneOf"}
+}
+
+func (k *OneOf) LocalizedString(p *message.Printer) string {
+	if len(k.Subschemas) == 0 {
+		return p.Sprintf("'oneOf' failed, none matched")
+	}
+	return p.Sprintf("'oneOf' failed, subschemas %d, %d matched", k.Subschemas[0], k.Subschemas[1])
+}
+
+//--
+
+type FalseSchema struct{}
+
+func (*FalseSchema) KeywordPath() []string {
+	return nil
+}
+
+func (*FalseSchema) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("false schema")
+}
+
+// --
+
+type RefCycle struct {
+	URL              string
+	KeywordLocation1 string
+	KeywordLocation2 string
+}
+
+func (*RefCycle) KeywordPath() []string {
+	return nil
+}
+
+func (k *RefCycle) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("both %s and %s resolve to %q causing reference cycle", k.KeywordLocation1, k.KeywordLocation2, k.URL)
+}
+
+// --
+
+type Type struct {
+	Got  string
+	Want []string
+}
+
+func (*Type) KeywordPath() []string {
+	return []string{"type"}
+}
+
+func (k *Type) LocalizedString(p *message.Printer) string {
+	want := strings.Join(k.Want, " or ")
+	return p.Sprintf("got %s, want %s", k.Got, want)
+}
+
+// --
+
+type Enum struct {
+	Got  any
+	Want []any
+}
+
+// KeywordPath implements jsonschema.ErrorKind.
+func (*Enum) KeywordPath() []string {
+	return []string{"enum"}
+}
+
+func (k *Enum) LocalizedString(p *message.Printer) string {
+	allPrimitive := true
+loop:
+	for _, item := range k.Want {
+		switch item.(type) {
+		case []any, map[string]any:
+			allPrimitive = false
+			break loop
+		}
+	}
+	if allPrimitive {
+		if len(k.Want) == 1 {
+			return p.Sprintf("value must be %s", display(k.Want[0]))
+		}
+		var want []string
+		for _, v := range k.Want {
+			want = append(want, display(v))
+		}
+		return p.Sprintf("value must be one of %s", strings.Join(want, ", "))
+	}
+	return p.Sprintf("'enum' failed")
+}
+
+// --
+
+type Const struct {
+	Got  any
+	Want any
+}
+
+func (*Const) KeywordPath() []string {
+	return []string{"const"}
+}
+
+func (k *Const) LocalizedString(p *message.Printer) string {
+	switch want := k.Want.(type) {
+	case []any, map[string]any:
+		return p.Sprintf("'const' failed")
+	default:
+		return p.Sprintf("value must be %s", display(want))
+	}
+}
+
+// --
+
+type Format struct {
+	Got  any
+	Want string
+	Err  error
+}
+
+func (*Format) KeywordPath() []string {
+	return []string{"format"}
+}
+
+func (k *Format) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("%s is not valid %s: %v", display(k.Got), k.Want, localizedError(k.Err, p))
+}
+
+// --
+
+type Reference struct {
+	Keyword string
+	URL     string
+}
+
+func (k *Reference) KeywordPath() []string {
+	return []string{k.Keyword}
+}
+
+func (*Reference) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("validation failed")
+}
+
+// --
+
+type MinProperties struct {
+	Got, Want int
+}
+
+func (*MinProperties) KeywordPath() []string {
+	return []string{"minProperties"}
+}
+
+func (k *MinProperties) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("minProperties: got %d, want %d", k.Got, k.Want)
+}
+
+// --
+
+type MaxProperties struct {
+	Got, Want int
+}
+
+func (*MaxProperties) KeywordPath() []string {
+	return []string{"maxProperties"}
+}
+
+func (k *MaxProperties) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("maxProperties: got %d, want %d", k.Got, k.Want)
+}
+
+// --
+
+type MinItems struct {
+	Got, Want int
+}
+
+func (*MinItems) KeywordPath() []string {
+	return []string{"minItems"}
+}
+
+func (k *MinItems) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("minItems: got %d, want %d", k.Got, k.Want)
+}
+
+// --
+
+type MaxItems struct {
+	Got, Want int
+}
+
+func (*MaxItems) KeywordPath() []string {
+	return []string{"maxItems"}
+}
+
+func (k *MaxItems) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("maxItems: got %d, want %d", k.Got, k.Want)
+}
+
+// --
+
+type AdditionalItems struct {
+	Count int
+}
+
+func (*AdditionalItems) KeywordPath() []string {
+	return []string{"additionalItems"}
+}
+
+func (k *AdditionalItems) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("last %d additionalItem(s) not allowed", k.Count)
+}
+
+// --
+
+type Required struct {
+	Missing []string
+}
+
+func (*Required) KeywordPath() []string {
+	return []string{"required"}
+}
+
+func (k *Required) LocalizedString(p *message.Printer) string {
+	if len(k.Missing) == 1 {
+		return p.Sprintf("missing property %s", quote(k.Missing[0]))
+	}
+	return p.Sprintf("missing properties %s", joinQuoted(k.Missing, ", "))
+}
+
+// --
+
+type Dependency struct {
+	Prop    string   // dependency of prop that failed
+	Missing []string // missing props
+}
+
+func (k *Dependency) KeywordPath() []string {
+	return []string{"dependency", k.Prop}
+}
+
+func (k *Dependency) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("properties %s required, if %s exists", joinQuoted(k.Missing, ", "), quote(k.Prop))
+}
+
+// --
+
+type DependentRequired struct {
+	Prop    string   // dependency of prop that failed
+	Missing []string // missing props
+}
+
+func (k *DependentRequired) KeywordPath() []string {
+	return []string{"dependentRequired", k.Prop}
+}
+
+func (k *DependentRequired) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("properties %s required, if %s exists", joinQuoted(k.Missing, ", "), quote(k.Prop))
+}
+
+// --
+
+type AdditionalProperties struct {
+	Properties []string
+}
+
+func (*AdditionalProperties) KeywordPath() []string {
+	return []string{"additionalProperties"}
+}
+
+func (k *AdditionalProperties) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("additional properties %s not allowed", joinQuoted(k.Properties, ", "))
+}
+
+// --
+
+type PropertyNames struct {
+	Property string
+}
+
+func (*PropertyNames) KeywordPath() []string {
+	return []string{"propertyNames"}
+}
+
+func (k *PropertyNames) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("invalid propertyName %s", quote(k.Property))
+}
+
+// --
+
+type UniqueItems struct {
+	Duplicates [2]int
+}
+
+func (*UniqueItems) KeywordPath() []string {
+	return []string{"uniqueItems"}
+}
+
+func (k *UniqueItems) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("items at %d and %d are equal", k.Duplicates[0], k.Duplicates[1])
+}
+
+// --
+
+type Contains struct{}
+
+func (*Contains) KeywordPath() []string {
+	return []string{"contains"}
+}
+
+func (*Contains) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("no items match contains schema")
+}
+
+// --
+
+type MinContains struct {
+	Got  []int
+	Want int
+}
+
+func (*MinContains) KeywordPath() []string {
+	return []string{"minContains"}
+}
+
+func (k *MinContains) LocalizedString(p *message.Printer) string {
+	if len(k.Got) == 0 {
+		return p.Sprintf("min %d items required to match contains schema, but none matched", k.Want)
+	} else {
+		got := fmt.Sprintf("%v", k.Got)
+		return p.Sprintf("min %d items required to match contains schema, but matched %d items at %v", k.Want, len(k.Got), got[1:len(got)-1])
+	}
+}
+
+// --
+
+type MaxContains struct {
+	Got  []int
+	Want int
+}
+
+func (*MaxContains) KeywordPath() []string {
+	return []string{"maxContains"}
+}
+
+func (k *MaxContains) LocalizedString(p *message.Printer) string {
+	got := fmt.Sprintf("%v", k.Got)
+	return p.Sprintf("max %d items required to match contains schema, but matched %d items at %v", k.Want, len(k.Got), got[1:len(got)-1])
+}
+
+// --
+
+type MinLength struct {
+	Got, Want int
+}
+
+func (*MinLength) KeywordPath() []string {
+	return []string{"minLength"}
+}
+
+func (k *MinLength) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("minLength: got %d, want %d", k.Got, k.Want)
+}
+
+// --
+
+type MaxLength struct {
+	Got, Want int
+}
+
+func (*MaxLength) KeywordPath() []string {
+	return []string{"maxLength"}
+}
+
+func (k *MaxLength) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("maxLength: got %d, want %d", k.Got, k.Want)
+}
+
+// --
+
+type Pattern struct {
+	Got  string
+	Want string
+}
+
+func (*Pattern) KeywordPath() []string {
+	return []string{"pattern"}
+}
+
+func (k *Pattern) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("%s does not match pattern %s", quote(k.Got), quote(k.Want))
+}
+
+// --
+
+type ContentEncoding struct {
+	Want string
+	Err  error
+}
+
+func (*ContentEncoding) KeywordPath() []string {
+	return []string{"contentEncoding"}
+}
+
+func (k *ContentEncoding) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("value is not %s encoded: %v", quote(k.Want), localizedError(k.Err, p))
+}
+
+// --
+
+type ContentMediaType struct {
+	Got  []byte
+	Want string
+	Err  error
+}
+
+func (*ContentMediaType) KeywordPath() []string {
+	return []string{"contentMediaType"}
+}
+
+func (k *ContentMediaType) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("value if not of mediatype %s: %v", quote(k.Want), k.Err)
+}
+
+// --
+
+type ContentSchema struct{}
+
+func (*ContentSchema) KeywordPath() []string {
+	return []string{"contentSchema"}
+}
+
+func (*ContentSchema) LocalizedString(p *message.Printer) string {
+	return p.Sprintf("'contentSchema' failed")
+}
+
+// --
+
+type Minimum struct {
+	Got  *big.Rat
+	Want *big.Rat
+}
+
+func (*Minimum) KeywordPath() []string {
+	return []string{"minimum"}
+}
+
+func (k *Minimum) LocalizedString(p *message.Printer) string {
+	got, _ := k.Got.Float64()
+	want, _ := k.Want.Float64()
+	return p.Sprintf("minimum: got %v, want %v", got, want)
+}
+
+// --
+
+type Maximum struct {
+	Got  *big.Rat
+	Want *big.Rat
+}
+
+func (*Maximum) KeywordPath() []string {
+	return []string{"maximum"}
+}
+
+func (k *Maximum) LocalizedString(p *message.Printer) string {
+	got, _ := k.Got.Float64()
+	want, _ := k.Want.Float64()
+	return p.Sprintf("maximum: got %v, want %v", got, want)
+}
+
+// --
+
+type ExclusiveMinimum struct {
+	Got  *big.Rat
+	Want *big.Rat
+}
+
+func (*ExclusiveMinimum) KeywordPath() []string {
+	return []string{"exclusiveMinimum"}
+}
+
+func (k *ExclusiveMinimum) LocalizedString(p *message.Printer) string {
+	got, _ := k.Got.Float64()
+	want, _ := k.Want.Float64()
+	return p.Sprintf("exclusiveMinimum: got %v, want %v", got, want)
+}
+
+// --
+
+type ExclusiveMaximum struct {
+	Got  *big.Rat
+	Want *big.Rat
+}
+
+func (*ExclusiveMaximum) KeywordPath() []string {
+	return []string{"exclusiveMaximum"}
+}
+
+func (k *ExclusiveMaximum) LocalizedString(p *message.Printer) string {
+	got, _ := k.Got.Float64()
+	want, _ := k.Want.Float64()
+	return p.Sprintf("exclusiveMaximum: got %v, want %v", got, want)
+}
+
+// --
+
+type MultipleOf struct {
+	Got  *big.Rat
+	Want *big.Rat
+}
+
+func (*MultipleOf) KeywordPath() []string {
+	return []string{"multipleOf"}
+}
+
+func (k *MultipleOf) LocalizedString(p *message.Printer) string {
+	got, _ := k.Got.Float64()
+	want, _ := k.Want.Float64()
+	return p.Sprintf("multipleOf: got %v, want %v", got, want)
+}
+
+// --
+
+func quote(s string) string {
+	s = fmt.Sprintf("%q", s)
+	s = strings.ReplaceAll(s, `\"`, `"`)
+	s = strings.ReplaceAll(s, `'`, `\'`)
+	return "'" + s[1:len(s)-1] + "'"
+}
+
+func joinQuoted(arr []string, sep string) string {
+	var sb strings.Builder
+	for _, s := range arr {
+		if sb.Len() > 0 {
+			sb.WriteString(sep)
+		}
+		sb.WriteString(quote(s))
+	}
+	return sb.String()
+}
+
+// to be used only for primitive.
+func display(v any) string {
+	switch v := v.(type) {
+	case string:
+		return quote(v)
+	case []any, map[string]any:
+		return "value"
+	default:
+		return fmt.Sprintf("%v", v)
+	}
+}
+
+func localizedError(err error, p *message.Printer) string {
+	if err, ok := err.(interface{ LocalizedError(*message.Printer) string }); ok {
+		return err.LocalizedError(p)
+	}
+	return err.Error()
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/loader.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/loader.go
new file mode 100644
index 0000000000..ce0170e20a
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/loader.go
@@ -0,0 +1,266 @@
+package jsonschema
+
+import (
+	"embed"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	gourl "net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+)
+
+// URLLoader knows how to load json from given url.
+type URLLoader interface {
+	// Load loads json from given absolute url.
+	Load(url string) (any, error)
+}
+
+// --
+
+// FileLoader loads json file url.
+type FileLoader struct{}
+
+func (l FileLoader) Load(url string) (any, error) {
+	path, err := l.ToFile(url)
+	if err != nil {
+		return nil, err
+	}
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	return UnmarshalJSON(f)
+}
+
+// ToFile is helper method to convert file url to file path.
+func (l FileLoader) ToFile(url string) (string, error) {
+	u, err := gourl.Parse(url)
+	if err != nil {
+		return "", err
+	}
+	if u.Scheme != "file" {
+		return "", fmt.Errorf("invalid file url: %s", u)
+	}
+	path := u.Path
+	if runtime.GOOS == "windows" {
+		path = strings.TrimPrefix(path, "/")
+		path = filepath.FromSlash(path)
+	}
+	return path, nil
+}
+
+// --
+
+// SchemeURLLoader delegates to other [URLLoaders]
+// based on url scheme.
+type SchemeURLLoader map[string]URLLoader
+
+func (l SchemeURLLoader) Load(url string) (any, error) {
+	u, err := gourl.Parse(url)
+	if err != nil {
+		return nil, err
+	}
+	ll, ok := l[u.Scheme]
+	if !ok {
+		return nil, &UnsupportedURLSchemeError{u.String()}
+	}
+	return ll.Load(url)
+}
+
+// --
+
+//go:embed metaschemas
+var metaFS embed.FS
+
+func openMeta(url string) (fs.File, error) {
+	u, meta := strings.CutPrefix(url, "http://json-schema.org/")
+	if !meta {
+		u, meta = strings.CutPrefix(url, "https://json-schema.org/")
+	}
+	if meta {
+		if u == "schema" {
+			return openMeta(draftLatest.url)
+		}
+		f, err := metaFS.Open("metaschemas/" + u)
+		if err != nil {
+			if errors.Is(err, fs.ErrNotExist) {
+				return nil, nil
+			}
+			return nil, err
+		}
+		return f, err
+	}
+	return nil, nil
+
+}
+
+func isMeta(url string) bool {
+	f, err := openMeta(url)
+	if err != nil {
+		return true
+	}
+	if f != nil {
+		f.Close()
+		return true
+	}
+	return false
+}
+
+func loadMeta(url string) (any, error) {
+	f, err := openMeta(url)
+	if err != nil {
+		return nil, err
+	}
+	if f == nil {
+		return nil, nil
+	}
+	defer f.Close()
+	return UnmarshalJSON(f)
+}
+
+// --
+
+type defaultLoader struct {
+	docs   map[url]any // docs loaded so far
+	loader URLLoader
+}
+
+func (l *defaultLoader) add(url url, doc any) bool {
+	if _, ok := l.docs[url]; ok {
+		return false
+	}
+	l.docs[url] = doc
+	return true
+}
+
+func (l *defaultLoader) load(url url) (any, error) {
+	if doc, ok := l.docs[url]; ok {
+		return doc, nil
+	}
+	doc, err := loadMeta(url.String())
+	if err != nil {
+		return nil, err
+	}
+	if doc != nil {
+		l.add(url, doc)
+		return doc, nil
+	}
+	if l.loader == nil {
+		return nil, &LoadURLError{url.String(), errors.New("no URLLoader set")}
+	}
+	doc, err = l.loader.Load(url.String())
+	if err != nil {
+		return nil, &LoadURLError{URL: url.String(), Err: err}
+	}
+	l.add(url, doc)
+	return doc, nil
+}
+
+func (l *defaultLoader) getDraft(up urlPtr, doc any, defaultDraft *Draft, cycle map[url]struct{}) (*Draft, error) {
+	obj, ok := doc.(map[string]any)
+	if !ok {
+		return defaultDraft, nil
+	}
+	sch, ok := strVal(obj, "$schema")
+	if !ok {
+		return defaultDraft, nil
+	}
+	if draft := draftFromURL(sch); draft != nil {
+		return draft, nil
+	}
+	sch, _ = split(sch)
+	if _, err := gourl.Parse(sch); err != nil {
+		return nil, &InvalidMetaSchemaURLError{up.String(), err}
+	}
+	schUrl := url(sch)
+	if up.ptr.isEmpty() && schUrl == up.url {
+		return nil, &UnsupportedDraftError{schUrl.String()}
+	}
+	if _, ok := cycle[schUrl]; ok {
+		return nil, &MetaSchemaCycleError{schUrl.String()}
+	}
+	cycle[schUrl] = struct{}{}
+	doc, err := l.load(schUrl)
+	if err != nil {
+		return nil, err
+	}
+	return l.getDraft(urlPtr{schUrl, ""}, doc, defaultDraft, cycle)
+}
+
+func (l *defaultLoader) getMetaVocabs(doc any, draft *Draft, vocabularies map[string]*Vocabulary) ([]string, error) {
+	obj, ok := doc.(map[string]any)
+	if !ok {
+		return nil, nil
+	}
+	sch, ok := strVal(obj, "$schema")
+	if !ok {
+		return nil, nil
+	}
+	if draft := draftFromURL(sch); draft != nil {
+		return nil, nil
+	}
+	sch, _ = split(sch)
+	if _, err := gourl.Parse(sch); err != nil {
+		return nil, &ParseURLError{sch, err}
+	}
+	schUrl := url(sch)
+	doc, err := l.load(schUrl)
+	if err != nil {
+		return nil, err
+	}
+	return draft.getVocabs(schUrl, doc, vocabularies)
+}
+
+// --
+
+type LoadURLError struct {
+	URL string
+	Err error
+}
+
+func (e *LoadURLError) Error() string {
+	return fmt.Sprintf("failing loading %q: %v", e.URL, e.Err)
+}
+
+// --
+
+type UnsupportedURLSchemeError struct {
+	url string
+}
+
+func (e *UnsupportedURLSchemeError) Error() string {
+	return fmt.Sprintf("no URLLoader registered for %q", e.url)
+}
+
+// --
+
+type ResourceExistsError struct {
+	url string
+}
+
+func (e *ResourceExistsError) Error() string {
+	return fmt.Sprintf("resource for %q already exists", e.url)
+}
+
+// --
+
+// UnmarshalJSON unmarshals into [any] without losing
+// number precision using [json.Number].
+func UnmarshalJSON(r io.Reader) (any, error) {
+	decoder := json.NewDecoder(r)
+	decoder.UseNumber()
+	var doc any
+	if err := decoder.Decode(&doc); err != nil {
+		return nil, err
+	}
+	if _, err := decoder.Token(); err == nil || err != io.EOF {
+		return nil, fmt.Errorf("invalid character after top-level value")
+	}
+	return doc, nil
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-04/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-04/schema
new file mode 100644
index 0000000000..b2a7ff0f54
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-04/schema
@@ -0,0 +1,151 @@
+{
+	"$schema": "http://json-schema.org/draft-04/schema#",
+	"description": "Core schema meta-schema",
+	"definitions": {
+		"schemaArray": {
+			"type": "array",
+			"minItems": 1,
+			"items": { "$ref": "#" }
+		},
+		"positiveInteger": {
+			"type": "integer",
+			"minimum": 0
+		},
+		"positiveIntegerDefault0": {
+			"allOf": [ { "$ref": "#/definitions/positiveInteger" }, { "default": 0 } ]
+		},
+		"simpleTypes": {
+			"enum": [ "array", "boolean", "integer", "null", "number", "object", "string" ]
+		},
+		"stringArray": {
+			"type": "array",
+			"items": { "type": "string" },
+			"minItems": 1,
+			"uniqueItems": true
+		}
+	},
+	"type": "object",
+	"properties": {
+		"id": {
+			"type": "string",
+			"format": "uriref"
+		},
+		"$schema": {
+			"type": "string",
+			"format": "uri"
+		},
+		"title": {
+			"type": "string"
+		},
+		"description": {
+			"type": "string"
+		},
+		"default": {},
+		"multipleOf": {
+			"type": "number",
+			"minimum": 0,
+			"exclusiveMinimum": true
+		},
+		"maximum": {
+			"type": "number"
+		},
+		"exclusiveMaximum": {
+			"type": "boolean",
+			"default": false
+		},
+		"minimum": {
+			"type": "number"
+		},
+		"exclusiveMinimum": {
+			"type": "boolean",
+			"default": false
+		},
+		"maxLength": { "$ref": "#/definitions/positiveInteger" },
+		"minLength": { "$ref": "#/definitions/positiveIntegerDefault0" },
+		"pattern": {
+			"type": "string",
+			"format": "regex"
+		},
+		"additionalItems": {
+			"anyOf": [
+				{ "type": "boolean" },
+				{ "$ref": "#" }
+			],
+			"default": {}
+		},
+		"items": {
+			"anyOf": [
+				{ "$ref": "#" },
+				{ "$ref": "#/definitions/schemaArray" }
+			],
+			"default": {}
+		},
+		"maxItems": { "$ref": "#/definitions/positiveInteger" },
+		"minItems": { "$ref": "#/definitions/positiveIntegerDefault0" },
+		"uniqueItems": {
+			"type": "boolean",
+			"default": false
+		},
+		"maxProperties": { "$ref": "#/definitions/positiveInteger" },
+		"minProperties": { "$ref": "#/definitions/positiveIntegerDefault0" },
+		"required": { "$ref": "#/definitions/stringArray" },
+		"additionalProperties": {
+			"anyOf": [
+				{ "type": "boolean" },
+				{ "$ref": "#" }
+			],
+			"default": {}
+		},
+		"definitions": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"default": {}
+		},
+		"properties": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"default": {}
+		},
+		"patternProperties": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"default": {}
+		},
+		"dependencies": {
+			"type": "object",
+			"additionalProperties": {
+				"anyOf": [
+					{ "$ref": "#" },
+					{ "$ref": "#/definitions/stringArray" }
+				]
+			}
+		},
+		"enum": {
+			"type": "array",
+			"minItems": 1,
+			"uniqueItems": true
+		},
+		"type": {
+			"anyOf": [
+				{ "$ref": "#/definitions/simpleTypes" },
+				{
+					"type": "array",
+					"items": { "$ref": "#/definitions/simpleTypes" },
+					"minItems": 1,
+					"uniqueItems": true
+				}
+			]
+		},
+		"allOf": { "$ref": "#/definitions/schemaArray" },
+		"anyOf": { "$ref": "#/definitions/schemaArray" },
+		"oneOf": { "$ref": "#/definitions/schemaArray" },
+		"not": { "$ref": "#" },
+		"format": { "type": "string" },
+		"$ref": { "type": "string" }
+	},
+	"dependencies": {
+		"exclusiveMaximum": [ "maximum" ],
+		"exclusiveMinimum": [ "minimum" ]
+	},
+	"default": {}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-06/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-06/schema
new file mode 100644
index 0000000000..fa22ad1b06
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-06/schema
@@ -0,0 +1,150 @@
+{
+	"$schema": "http://json-schema.org/draft-06/schema#",
+	"$id": "http://json-schema.org/draft-06/schema#",
+	"title": "Core schema meta-schema",
+	"definitions": {
+		"schemaArray": {
+			"type": "array",
+			"minItems": 1,
+			"items": { "$ref": "#" }
+		},
+		"nonNegativeInteger": {
+			"type": "integer",
+			"minimum": 0
+		},
+		"nonNegativeIntegerDefault0": {
+			"allOf": [
+				{ "$ref": "#/definitions/nonNegativeInteger" },
+				{ "default": 0 }
+			]
+		},
+		"simpleTypes": {
+			"enum": [
+				"array",
+				"boolean",
+				"integer",
+				"null",
+				"number",
+				"object",
+				"string"
+			]
+		},
+		"stringArray": {
+			"type": "array",
+			"items": { "type": "string" },
+			"uniqueItems": true,
+			"default": []
+		}
+	},
+	"type": ["object", "boolean"],
+	"properties": {
+		"$id": {
+			"type": "string",
+			"format": "uri-reference"
+		},
+		"$schema": {
+			"type": "string",
+			"format": "uri"
+		},
+		"$ref": {
+			"type": "string",
+			"format": "uri-reference"
+		},
+		"title": {
+			"type": "string"
+		},
+		"description": {
+			"type": "string"
+		},
+		"default": {},
+		"multipleOf": {
+			"type": "number",
+			"exclusiveMinimum": 0
+		},
+		"maximum": {
+			"type": "number"
+		},
+		"exclusiveMaximum": {
+			"type": "number"
+		},
+		"minimum": {
+			"type": "number"
+		},
+		"exclusiveMinimum": {
+			"type": "number"
+		},
+		"maxLength": { "$ref": "#/definitions/nonNegativeInteger" },
+		"minLength": { "$ref": "#/definitions/nonNegativeIntegerDefault0" },
+		"pattern": {
+			"type": "string",
+			"format": "regex"
+		},
+		"additionalItems": { "$ref": "#" },
+		"items": {
+			"anyOf": [
+				{ "$ref": "#" },
+				{ "$ref": "#/definitions/schemaArray" }
+			],
+			"default": {}
+		},
+		"maxItems": { "$ref": "#/definitions/nonNegativeInteger" },
+		"minItems": { "$ref": "#/definitions/nonNegativeIntegerDefault0" },
+		"uniqueItems": {
+			"type": "boolean",
+			"default": false
+		},
+		"contains": { "$ref": "#" },
+		"maxProperties": { "$ref": "#/definitions/nonNegativeInteger" },
+		"minProperties": { "$ref": "#/definitions/nonNegativeIntegerDefault0" },
+		"required": { "$ref": "#/definitions/stringArray" },
+		"additionalProperties": { "$ref": "#" },
+		"definitions": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"default": {}
+		},
+		"properties": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"default": {}
+		},
+		"patternProperties": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"default": {}
+		},
+		"dependencies": {
+			"type": "object",
+			"additionalProperties": {
+				"anyOf": [
+					{ "$ref": "#" },
+					{ "$ref": "#/definitions/stringArray" }
+				]
+			}
+		},
+		"propertyNames": { "$ref": "#" },
+		"const": {},
+		"enum": {
+			"type": "array",
+			"minItems": 1,
+			"uniqueItems": true
+		},
+		"type": {
+			"anyOf": [
+				{ "$ref": "#/definitions/simpleTypes" },
+				{
+					"type": "array",
+					"items": { "$ref": "#/definitions/simpleTypes" },
+					"minItems": 1,
+					"uniqueItems": true
+				}
+			]
+		},
+		"format": { "type": "string" },
+		"allOf": { "$ref": "#/definitions/schemaArray" },
+		"anyOf": { "$ref": "#/definitions/schemaArray" },
+		"oneOf": { "$ref": "#/definitions/schemaArray" },
+		"not": { "$ref": "#" }
+	},
+	"default": {}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-07/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-07/schema
new file mode 100644
index 0000000000..326759a622
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-07/schema
@@ -0,0 +1,172 @@
+{
+	"$schema": "http://json-schema.org/draft-07/schema#",
+	"$id": "http://json-schema.org/draft-07/schema#",
+	"title": "Core schema meta-schema",
+	"definitions": {
+		"schemaArray": {
+			"type": "array",
+			"minItems": 1,
+			"items": { "$ref": "#" }
+		},
+		"nonNegativeInteger": {
+			"type": "integer",
+			"minimum": 0
+		},
+		"nonNegativeIntegerDefault0": {
+			"allOf": [
+				{ "$ref": "#/definitions/nonNegativeInteger" },
+				{ "default": 0 }
+			]
+		},
+		"simpleTypes": {
+			"enum": [
+				"array",
+				"boolean",
+				"integer",
+				"null",
+				"number",
+				"object",
+				"string"
+			]
+		},
+		"stringArray": {
+			"type": "array",
+			"items": { "type": "string" },
+			"uniqueItems": true,
+			"default": []
+		}
+	},
+	"type": ["object", "boolean"],
+	"properties": {
+		"$id": {
+			"type": "string",
+			"format": "uri-reference"
+		},
+		"$schema": {
+			"type": "string",
+			"format": "uri"
+		},
+		"$ref": {
+			"type": "string",
+			"format": "uri-reference"
+		},
+		"$comment": {
+			"type": "string"
+		},
+		"title": {
+			"type": "string"
+		},
+		"description": {
+			"type": "string"
+		},
+		"default": true,
+		"readOnly": {
+			"type": "boolean",
+			"default": false
+		},
+		"writeOnly": {
+			"type": "boolean",
+			"default": false
+		},
+		"examples": {
+			"type": "array",
+			"items": true
+		},
+		"multipleOf": {
+			"type": "number",
+			"exclusiveMinimum": 0
+		},
+		"maximum": {
+			"type": "number"
+		},
+		"exclusiveMaximum": {
+			"type": "number"
+		},
+		"minimum": {
+			"type": "number"
+		},
+		"exclusiveMinimum": {
+			"type": "number"
+		},
+		"maxLength": { "$ref": "#/definitions/nonNegativeInteger" },
+		"minLength": { "$ref": "#/definitions/nonNegativeIntegerDefault0" },
+		"pattern": {
+			"type": "string",
+			"format": "regex"
+		},
+		"additionalItems": { "$ref": "#" },
+		"items": {
+			"anyOf": [
+				{ "$ref": "#" },
+				{ "$ref": "#/definitions/schemaArray" }
+			],
+			"default": true
+		},
+		"maxItems": { "$ref": "#/definitions/nonNegativeInteger" },
+		"minItems": { "$ref": "#/definitions/nonNegativeIntegerDefault0" },
+		"uniqueItems": {
+			"type": "boolean",
+			"default": false
+		},
+		"contains": { "$ref": "#" },
+		"maxProperties": { "$ref": "#/definitions/nonNegativeInteger" },
+		"minProperties": { "$ref": "#/definitions/nonNegativeIntegerDefault0" },
+		"required": { "$ref": "#/definitions/stringArray" },
+		"additionalProperties": { "$ref": "#" },
+		"definitions": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"default": {}
+		},
+		"properties": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"default": {}
+		},
+		"patternProperties": {
+			"type": "object",
+			"additionalProperties": { "$ref": "#" },
+			"propertyNames": { "format": "regex" },
+			"default": {}
+		},
+		"dependencies": {
+			"type": "object",
+			"additionalProperties": {
+				"anyOf": [
+					{ "$ref": "#" },
+					{ "$ref": "#/definitions/stringArray" }
+				]
+			}
+		},
+		"propertyNames": { "$ref": "#" },
+		"const": true,
+		"enum": {
+			"type": "array",
+			"items": true,
+			"minItems": 1,
+			"uniqueItems": true
+		},
+		"type": {
+			"anyOf": [
+				{ "$ref": "#/definitions/simpleTypes" },
+				{
+					"type": "array",
+					"items": { "$ref": "#/definitions/simpleTypes" },
+					"minItems": 1,
+					"uniqueItems": true
+				}
+			]
+		},
+		"format": { "type": "string" },
+		"contentMediaType": { "type": "string" },
+		"contentEncoding": { "type": "string" },
+		"if": { "$ref": "#" },
+		"then": { "$ref": "#" },
+		"else": { "$ref": "#" },
+		"allOf": { "$ref": "#/definitions/schemaArray" },
+		"anyOf": { "$ref": "#/definitions/schemaArray" },
+		"oneOf": { "$ref": "#/definitions/schemaArray" },
+		"not": { "$ref": "#" }
+	},
+	"default": true
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/applicator b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/applicator
new file mode 100644
index 0000000000..857d2d4955
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/applicator
@@ -0,0 +1,55 @@
+{
+	"$schema": "https://json-schema.org/draft/2019-09/schema",
+	"$id": "https://json-schema.org/draft/2019-09/meta/applicator",
+	"$vocabulary": {
+		"https://json-schema.org/draft/2019-09/vocab/applicator": true
+	},
+	"$recursiveAnchor": true,
+	"title": "Applicator vocabulary meta-schema",
+	"type": ["object", "boolean"],
+	"properties": {
+		"additionalItems": { "$recursiveRef": "#" },
+		"unevaluatedItems": { "$recursiveRef": "#" },
+		"items": {
+			"anyOf": [
+				{ "$recursiveRef": "#" },
+				{ "$ref": "#/$defs/schemaArray" }
+			]
+		},
+		"contains": { "$recursiveRef": "#" },
+		"additionalProperties": { "$recursiveRef": "#" },
+		"unevaluatedProperties": { "$recursiveRef": "#" },
+		"properties": {
+			"type": "object",
+			"additionalProperties": { "$recursiveRef": "#" },
+			"default": {}
+		},
+		"patternProperties": {
+			"type": "object",
+			"additionalProperties": { "$recursiveRef": "#" },
+			"propertyNames": { "format": "regex" },
+			"default": {}
+		},
+		"dependentSchemas": {
+			"type": "object",
+			"additionalProperties": {
+				"$recursiveRef": "#"
+			}
+		},
+		"propertyNames": { "$recursiveRef": "#" },
+		"if": { "$recursiveRef": "#" },
+		"then": { "$recursiveRef": "#" },
+		"else": { "$recursiveRef": "#" },
+		"allOf": { "$ref": "#/$defs/schemaArray" },
+		"anyOf": { "$ref": "#/$defs/schemaArray" },
+		"oneOf": { "$ref": "#/$defs/schemaArray" },
+		"not": { "$recursiveRef": "#" }
+	},
+	"$defs": {
+		"schemaArray": {
+			"type": "array",
+			"minItems": 1,
+			"items": { "$recursiveRef": "#" }
+		}
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/content b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/content
new file mode 100644
index 0000000000..fa5d20b8d6
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/content
@@ -0,0 +1,15 @@
+{
+	"$schema": "https://json-schema.org/draft/2019-09/schema",
+	"$id": "https://json-schema.org/draft/2019-09/meta/content",
+	"$vocabulary": {
+		"https://json-schema.org/draft/2019-09/vocab/content": true
+	},
+	"$recursiveAnchor": true,
+	"title": "Content vocabulary meta-schema",
+	"type": ["object", "boolean"],
+	"properties": {
+		"contentMediaType": { "type": "string" },
+		"contentEncoding": { "type": "string" },
+		"contentSchema": { "$recursiveRef": "#" }
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/core b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/core
new file mode 100644
index 0000000000..bf5731985d
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/core
@@ -0,0 +1,56 @@
+{
+	"$schema": "https://json-schema.org/draft/2019-09/schema",
+	"$id": "https://json-schema.org/draft/2019-09/meta/core",
+	"$vocabulary": {
+		"https://json-schema.org/draft/2019-09/vocab/core": true
+	},
+	"$recursiveAnchor": true,
+	"title": "Core vocabulary meta-schema",
+	"type": ["object", "boolean"],
+	"properties": {
+		"$id": {
+			"type": "string",
+			"format": "uri-reference",
+			"$comment": "Non-empty fragments not allowed.",
+			"pattern": "^[^#]*#?$"
+		},
+		"$schema": {
+			"type": "string",
+			"format": "uri"
+		},
+		"$anchor": {
+			"type": "string",
+			"pattern": "^[A-Za-z][-A-Za-z0-9.:_]*$"
+		},
+		"$ref": {
+			"type": "string",
+			"format": "uri-reference"
+		},
+		"$recursiveRef": {
+			"type": "string",
+			"format": "uri-reference"
+		},
+		"$recursiveAnchor": {
+			"type": "boolean",
+			"default": false
+		},
+		"$vocabulary": {
+			"type": "object",
+			"propertyNames": {
+				"type": "string",
+				"format": "uri"
+			},
+			"additionalProperties": {
+				"type": "boolean"
+			}
+		},
+		"$comment": {
+			"type": "string"
+		},
+		"$defs": {
+			"type": "object",
+			"additionalProperties": { "$recursiveRef": "#" },
+			"default": {}
+		}
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/format b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/format
new file mode 100644
index 0000000000..fe553c2397
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/format
@@ -0,0 +1,13 @@
+{
+	"$schema": "https://json-schema.org/draft/2019-09/schema",
+	"$id": "https://json-schema.org/draft/2019-09/meta/format",
+	"$vocabulary": {
+		"https://json-schema.org/draft/2019-09/vocab/format": true
+	},
+	"$recursiveAnchor": true,
+	"title": "Format vocabulary meta-schema",
+	"type": ["object", "boolean"],
+	"properties": {
+		"format": { "type": "string" }
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/meta-data b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/meta-data
new file mode 100644
index 0000000000..5c95715c4a
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/meta-data
@@ -0,0 +1,35 @@
+{
+	"$schema": "https://json-schema.org/draft/2019-09/schema",
+	"$id": "https://json-schema.org/draft/2019-09/meta/meta-data",
+	"$vocabulary": {
+		"https://json-schema.org/draft/2019-09/vocab/meta-data": true
+	},
+	"$recursiveAnchor": true,
+	"title": "Meta-data vocabulary meta-schema",
+	"type": ["object", "boolean"],
+	"properties": {
+		"title": {
+			"type": "string"
+		},
+		"description": {
+			"type": "string"
+		},
+		"default": true,
+		"deprecated": {
+			"type": "boolean",
+			"default": false
+		},
+		"readOnly": {
+			"type": "boolean",
+			"default": false
+		},
+		"writeOnly": {
+			"type": "boolean",
+			"default": false
+		},
+		"examples": {
+			"type": "array",
+			"items": true
+		}
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/validation b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/validation
new file mode 100644
index 0000000000..f3525e0760
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/validation
@@ -0,0 +1,97 @@
+{
+	"$schema": "https://json-schema.org/draft/2019-09/schema",
+	"$id": "https://json-schema.org/draft/2019-09/meta/validation",
+	"$vocabulary": {
+		"https://json-schema.org/draft/2019-09/vocab/validation": true
+	},
+	"$recursiveAnchor": true,
+	"title": "Validation vocabulary meta-schema",
+	"type": ["object", "boolean"],
+	"properties": {
+		"multipleOf": {
+			"type": "number",
+			"exclusiveMinimum": 0
+		},
+		"maximum": {
+			"type": "number"
+		},
+		"exclusiveMaximum": {
+			"type": "number"
+		},
+		"minimum": {
+			"type": "number"
+		},
+		"exclusiveMinimum": {
+			"type": "number"
+		},
+		"maxLength": { "$ref": "#/$defs/nonNegativeInteger" },
+		"minLength": { "$ref": "#/$defs/nonNegativeIntegerDefault0" },
+		"pattern": {
+			"type": "string",
+			"format": "regex"
+		},
+		"maxItems": { "$ref": "#/$defs/nonNegativeInteger" },
+		"minItems": { "$ref": "#/$defs/nonNegativeIntegerDefault0" },
+		"uniqueItems": {
+			"type": "boolean",
+			"default": false
+		},
+		"maxContains": { "$ref": "#/$defs/nonNegativeInteger" },
+		"minContains": {
+			"$ref": "#/$defs/nonNegativeInteger",
+			"default": 1
+		},
+		"maxProperties": { "$ref": "#/$defs/nonNegativeInteger" },
+		"minProperties": { "$ref": "#/$defs/nonNegativeIntegerDefault0" },
+		"required": { "$ref": "#/$defs/stringArray" },
+		"dependentRequired": {
+			"type": "object",
+			"additionalProperties": {
+				"$ref": "#/$defs/stringArray"
+			}
+		},
+		"const": true,
+		"enum": {
+			"type": "array",
+			"items": true
+		},
+		"type": {
+			"anyOf": [
+				{ "$ref": "#/$defs/simpleTypes" },
+				{
+					"type": "array",
+					"items": { "$ref": "#/$defs/simpleTypes" },
+					"minItems": 1,
+					"uniqueItems": true
+				}
+			]
+		}
+	},
+	"$defs": {
+		"nonNegativeInteger": {
+			"type": "integer",
+			"minimum": 0
+		},
+		"nonNegativeIntegerDefault0": {
+			"$ref": "#/$defs/nonNegativeInteger",
+			"default": 0
+		},
+		"simpleTypes": {
+			"enum": [
+				"array",
+				"boolean",
+				"integer",
+				"null",
+				"number",
+				"object",
+				"string"
+			]
+		},
+		"stringArray": {
+			"type": "array",
+			"items": { "type": "string" },
+			"uniqueItems": true,
+			"default": []
+		}
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/schema
new file mode 100644
index 0000000000..f433389be6
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/schema
@@ -0,0 +1,41 @@
+{
+	"$schema": "https://json-schema.org/draft/2019-09/schema",
+	"$id": "https://json-schema.org/draft/2019-09/schema",
+	"$vocabulary": {
+		"https://json-schema.org/draft/2019-09/vocab/core": true,
+		"https://json-schema.org/draft/2019-09/vocab/applicator": true,
+		"https://json-schema.org/draft/2019-09/vocab/validation": true,
+		"https://json-schema.org/draft/2019-09/vocab/meta-data": true,
+		"https://json-schema.org/draft/2019-09/vocab/format": false,
+		"https://json-schema.org/draft/2019-09/vocab/content": true
+	},
+	"$recursiveAnchor": true,
+	"title": "Core and Validation specifications meta-schema",
+	"allOf": [
+		{"$ref": "meta/core"},
+		{"$ref": "meta/applicator"},
+		{"$ref": "meta/validation"},
+		{"$ref": "meta/meta-data"},
+		{"$ref": "meta/format"},
+		{"$ref": "meta/content"}
+	],
+	"type": ["object", "boolean"],
+	"properties": {
+		"definitions": {
+			"$comment": "While no longer an official keyword as it is replaced by $defs, this keyword is retained in the meta-schema to prevent incompatible extensions as it remains in common use.",
+			"type": "object",
+			"additionalProperties": { "$recursiveRef": "#" },
+			"default": {}
+		},
+		"dependencies": {
+			"$comment": "\"dependencies\" is no longer a keyword, but schema authors should avoid redefining it to facilitate a smooth transition to \"dependentSchemas\" and \"dependentRequired\"",
+			"type": "object",
+			"additionalProperties": {
+				"anyOf": [
+					{ "$recursiveRef": "#" },
+					{ "$ref": "meta/validation#/$defs/stringArray" }
+				]
+			}
+		}
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/applicator b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/applicator
new file mode 100644
index 0000000000..0ef24edc81
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/applicator
@@ -0,0 +1,47 @@
+{
+		"$schema": "https://json-schema.org/draft/2020-12/schema",
+		"$id": "https://json-schema.org/draft/2020-12/meta/applicator",
+		"$vocabulary": {
+			"https://json-schema.org/draft/2020-12/vocab/applicator": true
+		},
+		"$dynamicAnchor": "meta",
+		"title": "Applicator vocabulary meta-schema",
+		"type": ["object", "boolean"],
+		"properties": {
+			"prefixItems": { "$ref": "#/$defs/schemaArray" },
+			"items": { "$dynamicRef": "#meta" },
+			"contains": { "$dynamicRef": "#meta" },
+			"additionalProperties": { "$dynamicRef": "#meta" },
+			"properties": {
+				"type": "object",
+				"additionalProperties": { "$dynamicRef": "#meta" },
+				"default": {}
+			},
+			"patternProperties": {
+				"type": "object",
+				"additionalProperties": { "$dynamicRef": "#meta" },
+				"propertyNames": { "format": "regex" },
+				"default": {}
+			},
+			"dependentSchemas": {
+				"type": "object",
+				"additionalProperties": { "$dynamicRef": "#meta" },
+				"default": {}
+			},
+			"propertyNames": { "$dynamicRef": "#meta" },
+			"if": { "$dynamicRef": "#meta" },
+			"then": { "$dynamicRef": "#meta" },
+			"else": { "$dynamicRef": "#meta" },
+			"allOf": { "$ref": "#/$defs/schemaArray" },
+			"anyOf": { "$ref": "#/$defs/schemaArray" },
+			"oneOf": { "$ref": "#/$defs/schemaArray" },
+			"not": { "$dynamicRef": "#meta" }
+		},
+		"$defs": {
+			"schemaArray": {
+				"type": "array",
+				"minItems": 1,
+				"items": { "$dynamicRef": "#meta" }
+			}
+		}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/content b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/content
new file mode 100644
index 0000000000..0330ff0a81
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/content
@@ -0,0 +1,15 @@
+{
+		"$schema": "https://json-schema.org/draft/2020-12/schema",
+		"$id": "https://json-schema.org/draft/2020-12/meta/content",
+		"$vocabulary": {
+			"https://json-schema.org/draft/2020-12/vocab/content": true
+		},
+		"$dynamicAnchor": "meta",
+		"title": "Content vocabulary meta-schema",
+		"type": ["object", "boolean"],
+		"properties": {
+			"contentEncoding": { "type": "string" },
+			"contentMediaType": { "type": "string" },
+			"contentSchema": { "$dynamicRef": "#meta" }
+		}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/core b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/core
new file mode 100644
index 0000000000..c4de7005ab
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/core
@@ -0,0 +1,50 @@
+{
+		"$schema": "https://json-schema.org/draft/2020-12/schema",
+		"$id": "https://json-schema.org/draft/2020-12/meta/core",
+		"$vocabulary": {
+			"https://json-schema.org/draft/2020-12/vocab/core": true
+		},
+		"$dynamicAnchor": "meta",
+		"title": "Core vocabulary meta-schema",
+		"type": ["object", "boolean"],
+		"properties": {
+			"$id": {
+				"$ref": "#/$defs/uriReferenceString",
+				"$comment": "Non-empty fragments not allowed.",
+				"pattern": "^[^#]*#?$"
+			},
+			"$schema": { "$ref": "#/$defs/uriString" },
+			"$ref": { "$ref": "#/$defs/uriReferenceString" },
+			"$anchor": { "$ref": "#/$defs/anchorString" },
+			"$dynamicRef": { "$ref": "#/$defs/uriReferenceString" },
+			"$dynamicAnchor": { "$ref": "#/$defs/anchorString" },
+			"$vocabulary": {
+				"type": "object",
+				"propertyNames": { "$ref": "#/$defs/uriString" },
+				"additionalProperties": {
+					"type": "boolean"
+				}
+			},
+			"$comment": {
+				"type": "string"
+			},
+			"$defs": {
+				"type": "object",
+				"additionalProperties": { "$dynamicRef": "#meta" }
+			}
+		},
+		"$defs": {
+			"anchorString": {
+				"type": "string",
+				"pattern": "^[A-Za-z_][-A-Za-z0-9._]*$"
+			},
+			"uriString": {
+				"type": "string",
+				"format": "uri"
+			},
+			"uriReferenceString": {
+				"type": "string",
+				"format": "uri-reference"
+			}
+		}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-annotation b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-annotation
new file mode 100644
index 0000000000..0aa07d1c15
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-annotation
@@ -0,0 +1,13 @@
+{
+		"$schema": "https://json-schema.org/draft/2020-12/schema",
+		"$id": "https://json-schema.org/draft/2020-12/meta/format-annotation",
+		"$vocabulary": {
+			"https://json-schema.org/draft/2020-12/vocab/format-annotation": true
+		},
+		"$dynamicAnchor": "meta",
+		"title": "Format vocabulary meta-schema for annotation results",
+		"type": ["object", "boolean"],
+		"properties": {
+			"format": { "type": "string" }
+		}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-assertion b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-assertion
new file mode 100644
index 0000000000..38613bff6e
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-assertion
@@ -0,0 +1,13 @@
+{
+		"$schema": "https://json-schema.org/draft/2020-12/schema",
+		"$id": "https://json-schema.org/draft/2020-12/meta/format-assertion",
+		"$vocabulary": {
+			"https://json-schema.org/draft/2020-12/vocab/format-assertion": true
+		},
+		"$dynamicAnchor": "meta",
+		"title": "Format vocabulary meta-schema for assertion results",
+		"type": ["object", "boolean"],
+		"properties": {
+			"format": { "type": "string" }
+		}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/meta-data b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/meta-data
new file mode 100644
index 0000000000..30e2837140
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/meta-data
@@ -0,0 +1,35 @@
+{
+		"$schema": "https://json-schema.org/draft/2020-12/schema",
+		"$id": "https://json-schema.org/draft/2020-12/meta/meta-data",
+		"$vocabulary": {
+			"https://json-schema.org/draft/2020-12/vocab/meta-data": true
+		},
+		"$dynamicAnchor": "meta",
+		"title": "Meta-data vocabulary meta-schema",
+		"type": ["object", "boolean"],
+		"properties": {
+			"title": {
+				"type": "string"
+			},
+			"description": {
+				"type": "string"
+			},
+			"default": true,
+			"deprecated": {
+				"type": "boolean",
+				"default": false
+			},
+			"readOnly": {
+				"type": "boolean",
+				"default": false
+			},
+			"writeOnly": {
+				"type": "boolean",
+				"default": false
+			},
+			"examples": {
+				"type": "array",
+				"items": true
+			}
+		}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/unevaluated b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/unevaluated
new file mode 100644
index 0000000000..e9e093d12a
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/unevaluated
@@ -0,0 +1,14 @@
+{
+		"$schema": "https://json-schema.org/draft/2020-12/schema",
+		"$id": "https://json-schema.org/draft/2020-12/meta/unevaluated",
+		"$vocabulary": {
+			"https://json-schema.org/draft/2020-12/vocab/unevaluated": true
+		},
+		"$dynamicAnchor": "meta",
+		"title": "Unevaluated applicator vocabulary meta-schema",
+		"type": ["object", "boolean"],
+		"properties": {
+			"unevaluatedItems": { "$dynamicRef": "#meta" },
+			"unevaluatedProperties": { "$dynamicRef": "#meta" }
+		}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/validation b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/validation
new file mode 100644
index 0000000000..4e016ed2b7
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/validation
@@ -0,0 +1,97 @@
+{
+		"$schema": "https://json-schema.org/draft/2020-12/schema",
+		"$id": "https://json-schema.org/draft/2020-12/meta/validation",
+		"$vocabulary": {
+			"https://json-schema.org/draft/2020-12/vocab/validation": true
+		},
+		"$dynamicAnchor": "meta",
+		"title": "Validation vocabulary meta-schema",
+		"type": ["object", "boolean"],
+		"properties": {
+			"type": {
+				"anyOf": [
+					{ "$ref": "#/$defs/simpleTypes" },
+					{
+						"type": "array",
+						"items": { "$ref": "#/$defs/simpleTypes" },
+						"minItems": 1,
+						"uniqueItems": true
+					}
+				]
+			},
+			"const": true,
+			"enum": {
+				"type": "array",
+				"items": true
+			},
+			"multipleOf": {
+				"type": "number",
+				"exclusiveMinimum": 0
+			},
+			"maximum": {
+				"type": "number"
+			},
+			"exclusiveMaximum": {
+				"type": "number"
+			},
+			"minimum": {
+				"type": "number"
+			},
+			"exclusiveMinimum": {
+				"type": "number"
+			},
+			"maxLength": { "$ref": "#/$defs/nonNegativeInteger" },
+			"minLength": { "$ref": "#/$defs/nonNegativeIntegerDefault0" },
+			"pattern": {
+				"type": "string",
+				"format": "regex"
+			},
+			"maxItems": { "$ref": "#/$defs/nonNegativeInteger" },
+			"minItems": { "$ref": "#/$defs/nonNegativeIntegerDefault0" },
+			"uniqueItems": {
+				"type": "boolean",
+				"default": false
+			},
+			"maxContains": { "$ref": "#/$defs/nonNegativeInteger" },
+			"minContains": {
+				"$ref": "#/$defs/nonNegativeInteger",
+				"default": 1
+			},
+			"maxProperties": { "$ref": "#/$defs/nonNegativeInteger" },
+			"minProperties": { "$ref": "#/$defs/nonNegativeIntegerDefault0" },
+			"required": { "$ref": "#/$defs/stringArray" },
+			"dependentRequired": {
+				"type": "object",
+				"additionalProperties": {
+					"$ref": "#/$defs/stringArray"
+				}
+			}
+		},
+		"$defs": {
+			"nonNegativeInteger": {
+				"type": "integer",
+				"minimum": 0
+			},
+			"nonNegativeIntegerDefault0": {
+				"$ref": "#/$defs/nonNegativeInteger",
+				"default": 0
+			},
+			"simpleTypes": {
+				"enum": [
+					"array",
+					"boolean",
+					"integer",
+					"null",
+					"number",
+					"object",
+					"string"
+				]
+			},
+			"stringArray": {
+				"type": "array",
+				"items": { "type": "string" },
+				"uniqueItems": true,
+				"default": []
+			}
+		}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/schema
new file mode 100644
index 0000000000..364f8ada6c
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/schema
@@ -0,0 +1,57 @@
+{
+	"$schema": "https://json-schema.org/draft/2020-12/schema",
+	"$id": "https://json-schema.org/draft/2020-12/schema",
+	"$vocabulary": {
+		"https://json-schema.org/draft/2020-12/vocab/core": true,
+		"https://json-schema.org/draft/2020-12/vocab/applicator": true,
+		"https://json-schema.org/draft/2020-12/vocab/unevaluated": true,
+		"https://json-schema.org/draft/2020-12/vocab/validation": true,
+		"https://json-schema.org/draft/2020-12/vocab/meta-data": true,
+		"https://json-schema.org/draft/2020-12/vocab/format-annotation": true,
+		"https://json-schema.org/draft/2020-12/vocab/content": true
+	},
+	"$dynamicAnchor": "meta",
+	"title": "Core and Validation specifications meta-schema",
+	"allOf": [
+		{"$ref": "meta/core"},
+		{"$ref": "meta/applicator"},
+		{"$ref": "meta/unevaluated"},
+		{"$ref": "meta/validation"},
+		{"$ref": "meta/meta-data"},
+		{"$ref": "meta/format-annotation"},
+		{"$ref": "meta/content"}
+	],
+	"type": ["object", "boolean"],
+	"$comment": "This meta-schema also defines keywords that have appeared in previous drafts in order to prevent incompatible extensions as they remain in common use.",
+	"properties": {
+		"definitions": {
+			"$comment": "\"definitions\" has been replaced by \"$defs\".",
+			"type": "object",
+			"additionalProperties": { "$dynamicRef": "#meta" },
+			"deprecated": true,
+			"default": {}
+		},
+		"dependencies": {
+			"$comment": "\"dependencies\" has been split and replaced by \"dependentSchemas\" and \"dependentRequired\" in order to serve their differing semantics.",
+			"type": "object",
+			"additionalProperties": {
+				"anyOf": [
+					{ "$dynamicRef": "#meta" },
+					{ "$ref": "meta/validation#/$defs/stringArray" }
+				]
+			},
+			"deprecated": true,
+			"default": {}
+		},
+		"$recursiveAnchor": {
+			"$comment": "\"$recursiveAnchor\" has been replaced by \"$dynamicAnchor\".",
+			"$ref": "meta/core#/$defs/anchorString",
+			"deprecated": true
+		},
+		"$recursiveRef": {
+			"$comment": "\"$recursiveRef\" has been replaced by \"$dynamicRef\".",
+			"$ref": "meta/core#/$defs/uriReferenceString",
+			"deprecated": true
+		}
+	}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/objcompiler.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/objcompiler.go
new file mode 100644
index 0000000000..f1494b13a8
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/objcompiler.go
@@ -0,0 +1,549 @@
+package jsonschema
+
+import (
+	"encoding/json"
+	"fmt"
+	"math/big"
+	"strconv"
+)
+
+type objCompiler struct {
+	c   *Compiler
+	obj map[string]any
+	up  urlPtr
+	r   *root
+	res *resource
+	q   *queue
+}
+
+func (c *objCompiler) compile(s *Schema) error {
+	// id --
+	if id := c.res.dialect.draft.getID(c.obj); id != "" {
+		s.ID = id
+	}
+
+	// anchor --
+	if s.DraftVersion < 2019 {
+		// anchor is specified in id
+		id := c.string(c.res.dialect.draft.id)
+		if id != "" {
+			_, f := split(id)
+			if f != "" {
+				var err error
+				s.Anchor, err = decode(f)
+				if err != nil {
+					return &ParseAnchorError{URL: s.Location}
+				}
+			}
+		}
+	} else {
+		s.Anchor = c.string("$anchor")
+	}
+
+	if err := c.compileDraft4(s); err != nil {
+		return err
+	}
+	if s.DraftVersion >= 6 {
+		if err := c.compileDraft6(s); err != nil {
+			return err
+		}
+	}
+	if s.DraftVersion >= 7 {
+		if err := c.compileDraft7(s); err != nil {
+			return err
+		}
+	}
+	if s.DraftVersion >= 2019 {
+		if err := c.compileDraft2019(s); err != nil {
+			return err
+		}
+	}
+	if s.DraftVersion >= 2020 {
+		if err := c.compileDraft2020(s); err != nil {
+			return err
+		}
+	}
+
+	// vocabularies
+	vocabs := c.res.dialect.activeVocabs(c.c.roots.assertVocabs, c.c.roots.vocabularies)
+	for _, vocab := range vocabs {
+		v := c.c.roots.vocabularies[vocab]
+		if v == nil {
+			continue
+		}
+		ext, err := v.Compile(&CompilerContext{c}, c.obj)
+		if err != nil {
+			return err
+		}
+		if ext != nil {
+			s.Extensions = append(s.Extensions, ext)
+		}
+	}
+
+	return nil
+}
+
+func (c *objCompiler) compileDraft4(s *Schema) error {
+	var err error
+
+	if c.hasVocab("core") {
+		if s.Ref, err = c.enqueueRef("$ref"); err != nil {
+			return err
+		}
+		if s.DraftVersion < 2019 && s.Ref != nil {
+			// All other properties in a "$ref" object MUST be ignored
+			return nil
+		}
+	}
+
+	if c.hasVocab("applicator") {
+		s.AllOf = c.enqueueArr("allOf")
+		s.AnyOf = c.enqueueArr("anyOf")
+		s.OneOf = c.enqueueArr("oneOf")
+		s.Not = c.enqueueProp("not")
+
+		if s.DraftVersion < 2020 {
+			if items, ok := c.obj["items"]; ok {
+				if _, ok := items.([]any); ok {
+					s.Items = c.enqueueArr("items")
+					s.AdditionalItems = c.enqueueAdditional("additionalItems")
+				} else {
+					s.Items = c.enqueueProp("items")
+				}
+			}
+		}
+
+		s.Properties = c.enqueueMap("properties")
+		if m := c.enqueueMap("patternProperties"); m != nil {
+			s.PatternProperties = map[Regexp]*Schema{}
+			for pname, sch := range m {
+				re, err := c.c.roots.regexpEngine(pname)
+				if err != nil {
+					return &InvalidRegexError{c.up.format("patternProperties"), pname, err}
+				}
+				s.PatternProperties[re] = sch
+			}
+		}
+		s.AdditionalProperties = c.enqueueAdditional("additionalProperties")
+
+		if m := c.objVal("dependencies"); m != nil {
+			s.Dependencies = map[string]any{}
+			for pname, pvalue := range m {
+				if arr, ok := pvalue.([]any); ok {
+					s.Dependencies[pname] = toStrings(arr)
+				} else {
+					ptr := c.up.ptr.append2("dependencies", pname)
+					s.Dependencies[pname] = c.enqueuePtr(ptr)
+				}
+			}
+		}
+	}
+
+	if c.hasVocab("validation") {
+		if t, ok := c.obj["type"]; ok {
+			s.Types = newTypes(t)
+		}
+		if arr := c.arrVal("enum"); arr != nil {
+			s.Enum = newEnum(arr)
+		}
+		s.MultipleOf = c.numVal("multipleOf")
+		s.Maximum = c.numVal("maximum")
+		if c.boolean("exclusiveMaximum") {
+			s.ExclusiveMaximum = s.Maximum
+			s.Maximum = nil
+		} else {
+			s.ExclusiveMaximum = c.numVal("exclusiveMaximum")
+		}
+		s.Minimum = c.numVal("minimum")
+		if c.boolean("exclusiveMinimum") {
+			s.ExclusiveMinimum = s.Minimum
+			s.Minimum = nil
+		} else {
+			s.ExclusiveMinimum = c.numVal("exclusiveMinimum")
+		}
+
+		s.MinLength = c.intVal("minLength")
+		s.MaxLength = c.intVal("maxLength")
+		if pat := c.strVal("pattern"); pat != nil {
+			s.Pattern, err = c.c.roots.regexpEngine(*pat)
+			if err != nil {
+				return &InvalidRegexError{c.up.format("pattern"), *pat, err}
+			}
+		}
+
+		s.MinItems = c.intVal("minItems")
+		s.MaxItems = c.intVal("maxItems")
+		s.UniqueItems = c.boolean("uniqueItems")
+
+		s.MaxProperties = c.intVal("maxProperties")
+		s.MinProperties = c.intVal("minProperties")
+		if arr := c.arrVal("required"); arr != nil {
+			s.Required = toStrings(arr)
+		}
+	}
+
+	// format --
+	if c.assertFormat(s.DraftVersion) {
+		if f := c.strVal("format"); f != nil {
+			if *f == "regex" {
+				s.Format = &Format{
+					Name:     "regex",
+					Validate: c.c.roots.regexpEngine.validate,
+				}
+			} else {
+				s.Format = c.c.formats[*f]
+				if s.Format == nil {
+					s.Format = formats[*f]
+				}
+			}
+		}
+	}
+
+	// annotations --
+	s.Title = c.string("title")
+	s.Description = c.string("description")
+	if v, ok := c.obj["default"]; ok {
+		s.Default = &v
+	}
+
+	return nil
+}
+
+func (c *objCompiler) compileDraft6(s *Schema) error {
+	if c.hasVocab("applicator") {
+		s.Contains = c.enqueueProp("contains")
+		s.PropertyNames = c.enqueueProp("propertyNames")
+	}
+	if c.hasVocab("validation") {
+		if v, ok := c.obj["const"]; ok {
+			s.Const = &v
+		}
+	}
+	return nil
+}
+
+func (c *objCompiler) compileDraft7(s *Schema) error {
+	if c.hasVocab("applicator") {
+		s.If = c.enqueueProp("if")
+		if s.If != nil {
+			b := c.boolVal("if")
+			if b == nil || *b {
+				s.Then = c.enqueueProp("then")
+			}
+			if b == nil || !*b {
+				s.Else = c.enqueueProp("else")
+			}
+		}
+	}
+
+	if c.c.assertContent {
+		if ce := c.strVal("contentEncoding"); ce != nil {
+			s.ContentEncoding = c.c.decoders[*ce]
+			if s.ContentEncoding == nil {
+				s.ContentEncoding = decoders[*ce]
+			}
+		}
+		if cm := c.strVal("contentMediaType"); cm != nil {
+			s.ContentMediaType = c.c.mediaTypes[*cm]
+			if s.ContentMediaType == nil {
+				s.ContentMediaType = mediaTypes[*cm]
+			}
+		}
+	}
+
+	// annotations --
+	s.Comment = c.string("$comment")
+	s.ReadOnly = c.boolean("readOnly")
+	s.WriteOnly = c.boolean("writeOnly")
+	if arr, ok := c.obj["examples"].([]any); ok {
+		s.Examples = arr
+	}
+
+	return nil
+}
+
+func (c *objCompiler) compileDraft2019(s *Schema) error {
+	var err error
+
+	if c.hasVocab("core") {
+		if s.RecursiveRef, err = c.enqueueRef("$recursiveRef"); err != nil {
+			return err
+		}
+		s.RecursiveAnchor = c.boolean("$recursiveAnchor")
+	}
+
+	if c.hasVocab("validation") {
+		if s.Contains != nil {
+			s.MinContains = c.intVal("minContains")
+			s.MaxContains = c.intVal("maxContains")
+		}
+		if m := c.objVal("dependentRequired"); m != nil {
+			s.DependentRequired = map[string][]string{}
+			for pname, pvalue := range m {
+				if arr, ok := pvalue.([]any); ok {
+					s.DependentRequired[pname] = toStrings(arr)
+				}
+			}
+		}
+	}
+
+	if c.hasVocab("applicator") {
+		s.DependentSchemas = c.enqueueMap("dependentSchemas")
+	}
+
+	var unevaluated bool
+	if s.DraftVersion == 2019 {
+		unevaluated = c.hasVocab("applicator")
+	} else {
+		unevaluated = c.hasVocab("unevaluated")
+	}
+	if unevaluated {
+		s.UnevaluatedItems = c.enqueueProp("unevaluatedItems")
+		s.UnevaluatedProperties = c.enqueueProp("unevaluatedProperties")
+	}
+
+	if c.c.assertContent {
+		if s.ContentMediaType != nil && s.ContentMediaType.UnmarshalJSON != nil {
+			s.ContentSchema = c.enqueueProp("contentSchema")
+		}
+	}
+
+	// annotations --
+	s.Deprecated = c.boolean("deprecated")
+
+	return nil
+}
+
+func (c *objCompiler) compileDraft2020(s *Schema) error {
+	if c.hasVocab("core") {
+		sch, err := c.enqueueRef("$dynamicRef")
+		if err != nil {
+			return err
+		}
+		if sch != nil {
+			dref := c.strVal("$dynamicRef")
+			_, frag, err := splitFragment(*dref)
+			if err != nil {
+				return err
+			}
+			var anch string
+			if anchor, ok := frag.convert().(anchor); ok {
+				anch = string(anchor)
+			}
+			s.DynamicRef = &DynamicRef{sch, anch}
+		}
+		s.DynamicAnchor = c.string("$dynamicAnchor")
+	}
+
+	if c.hasVocab("applicator") {
+		s.PrefixItems = c.enqueueArr("prefixItems")
+		s.Items2020 = c.enqueueProp("items")
+	}
+
+	return nil
+}
+
+// enqueue helpers --
+
+func (c *objCompiler) enqueuePtr(ptr jsonPointer) *Schema {
+	up := urlPtr{c.up.url, ptr}
+	return c.c.enqueue(c.q, up)
+}
+
+func (c *objCompiler) enqueueRef(pname string) (*Schema, error) {
+	ref := c.strVal(pname)
+	if ref == nil {
+		return nil, nil
+	}
+	baseURL := c.res.id
+	// baseURL := c.r.baseURL(c.up.ptr)
+	uf, err := baseURL.join(*ref)
+	if err != nil {
+		return nil, err
+	}
+
+	up, err := c.r.resolve(*uf)
+	if err != nil {
+		return nil, err
+	}
+	if up != nil {
+		// local ref
+		return c.enqueuePtr(up.ptr), nil
+	}
+
+	// remote ref
+	up_, err := c.c.roots.resolveFragment(*uf)
+	if err != nil {
+		return nil, err
+	}
+	return c.c.enqueue(c.q, up_), nil
+}
+
+func (c *objCompiler) enqueueProp(pname string) *Schema {
+	if _, ok := c.obj[pname]; !ok {
+		return nil
+	}
+	ptr := c.up.ptr.append(pname)
+	return c.enqueuePtr(ptr)
+}
+
+func (c *objCompiler) enqueueArr(pname string) []*Schema {
+	arr := c.arrVal(pname)
+	if arr == nil {
+		return nil
+	}
+	sch := make([]*Schema, len(arr))
+	for i := range arr {
+		ptr := c.up.ptr.append2(pname, strconv.Itoa(i))
+		sch[i] = c.enqueuePtr(ptr)
+	}
+	return sch
+}
+
+func (c *objCompiler) enqueueMap(pname string) map[string]*Schema {
+	obj := c.objVal(pname)
+	if obj == nil {
+		return nil
+	}
+	sch := make(map[string]*Schema)
+	for k := range obj {
+		ptr := c.up.ptr.append2(pname, k)
+		sch[k] = c.enqueuePtr(ptr)
+	}
+	return sch
+}
+
+func (c *objCompiler) enqueueAdditional(pname string) any {
+	if b := c.boolVal(pname); b != nil {
+		return *b
+	}
+	if sch := c.enqueueProp(pname); sch != nil {
+		return sch
+	}
+	return nil
+}
+
+// --
+
+func (c *objCompiler) hasVocab(name string) bool {
+	return c.res.dialect.hasVocab(name)
+}
+
+func (c *objCompiler) assertFormat(draftVersion int) bool {
+	if c.c.assertFormat || draftVersion < 2019 {
+		return true
+	}
+	if draftVersion == 2019 {
+		return c.hasVocab("format")
+	} else {
+		return c.hasVocab("format-assertion")
+	}
+}
+
+// value helpers --
+
+func (c *objCompiler) boolVal(pname string) *bool {
+	v, ok := c.obj[pname]
+	if !ok {
+		return nil
+	}
+	b, ok := v.(bool)
+	if !ok {
+		return nil
+	}
+	return &b
+}
+
+func (c *objCompiler) boolean(pname string) bool {
+	b := c.boolVal(pname)
+	return b != nil && *b
+}
+
+func (c *objCompiler) strVal(pname string) *string {
+	v, ok := c.obj[pname]
+	if !ok {
+		return nil
+	}
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	return &s
+}
+
+func (c *objCompiler) string(pname string) string {
+	if s := c.strVal(pname); s != nil {
+		return *s
+	}
+	return ""
+}
+
+func (c *objCompiler) numVal(pname string) *big.Rat {
+	v, ok := c.obj[pname]
+	if !ok {
+		return nil
+	}
+	switch v.(type) {
+	case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
+		if n, ok := new(big.Rat).SetString(fmt.Sprint(v)); ok {
+			return n
+		}
+	}
+	return nil
+}
+
+func (c *objCompiler) intVal(pname string) *int {
+	if n := c.numVal(pname); n != nil && n.IsInt() {
+		n := int(n.Num().Int64())
+		return &n
+	}
+	return nil
+}
+
+func (c *objCompiler) objVal(pname string) map[string]any {
+	v, ok := c.obj[pname]
+	if !ok {
+		return nil
+	}
+	obj, ok := v.(map[string]any)
+	if !ok {
+		return nil
+	}
+	return obj
+}
+
+func (c *objCompiler) arrVal(pname string) []any {
+	v, ok := c.obj[pname]
+	if !ok {
+		return nil
+	}
+	arr, ok := v.([]any)
+	if !ok {
+		return nil
+	}
+	return arr
+}
+
+// --
+
+type InvalidRegexError struct {
+	URL   string
+	Regex string
+	Err   error
+}
+
+func (e *InvalidRegexError) Error() string {
+	return fmt.Sprintf("invalid regex %q at %q: %v", e.Regex, e.URL, e.Err)
+}
+
+// --
+
+func toStrings(arr []any) []string {
+	var strings []string
+	for _, item := range arr {
+		if s, ok := item.(string); ok {
+			strings = append(strings, s)
+		}
+	}
+	return strings
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/output.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/output.go
new file mode 100644
index 0000000000..69d3f26de5
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/output.go
@@ -0,0 +1,216 @@
+package jsonschema
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/santhosh-tekuri/jsonschema/v6/kind"
+	"golang.org/x/text/language"
+	"golang.org/x/text/message"
+)
+
+var defaultPrinter = message.NewPrinter(language.English)
+
+// format ---
+
+func (e *ValidationError) schemaURL() string {
+	if ref, ok := e.ErrorKind.(*kind.Reference); ok {
+		return ref.URL
+	} else {
+		return e.SchemaURL
+	}
+}
+
+func (e *ValidationError) absoluteKeywordLocation() string {
+	var schemaURL string
+	var keywordPath []string
+	if ref, ok := e.ErrorKind.(*kind.Reference); ok {
+		schemaURL = ref.URL
+		keywordPath = nil
+	} else {
+		schemaURL = e.SchemaURL
+		keywordPath = e.ErrorKind.KeywordPath()
+	}
+	return fmt.Sprintf("%s%s", schemaURL, encode(jsonPtr(keywordPath)))
+}
+
+func (e *ValidationError) skip() bool {
+	if len(e.Causes) == 1 {
+		_, ok := e.ErrorKind.(*kind.Reference)
+		return ok
+	}
+	return false
+}
+
+func (e *ValidationError) display(sb *strings.Builder, verbose bool, indent int, absKwLoc string, p *message.Printer) {
+	if !e.skip() {
+		if indent > 0 {
+			sb.WriteByte('\n')
+			for i := 0; i < indent-1; i++ {
+				sb.WriteString("  ")
+			}
+			sb.WriteString("- ")
+		}
+		indent = indent + 1
+
+		prevAbsKwLoc := absKwLoc
+		absKwLoc = e.absoluteKeywordLocation()
+
+		if _, ok := e.ErrorKind.(*kind.Schema); ok {
+			sb.WriteString(e.ErrorKind.LocalizedString(p))
+		} else {
+			sb.WriteString(p.Sprintf("at %s", quote(jsonPtr(e.InstanceLocation))))
+			if verbose {
+				schLoc := absKwLoc
+				if prevAbsKwLoc != "" {
+					pu, _ := split(prevAbsKwLoc)
+					u, f := split(absKwLoc)
+					if u == pu {
+						schLoc = fmt.Sprintf("S#%s", f)
+					}
+				}
+				fmt.Fprintf(sb, " [%s]", schLoc)
+			}
+			fmt.Fprintf(sb, ": %s", e.ErrorKind.LocalizedString(p))
+		}
+	}
+	for _, cause := range e.Causes {
+		cause.display(sb, verbose, indent, absKwLoc, p)
+	}
+}
+
+func (e *ValidationError) Error() string {
+	return e.LocalizedError(defaultPrinter)
+}
+
+func (e *ValidationError) LocalizedError(p *message.Printer) string {
+	var sb strings.Builder
+	e.display(&sb, false, 0, "", p)
+	return sb.String()
+}
+
+func (e *ValidationError) GoString() string {
+	return e.LocalizedGoString(defaultPrinter)
+}
+
+func (e *ValidationError) LocalizedGoString(p *message.Printer) string {
+	var sb strings.Builder
+	e.display(&sb, true, 0, "", p)
+	return sb.String()
+}
+
+func jsonPtr(tokens []string) string {
+	var sb strings.Builder
+	for _, tok := range tokens {
+		sb.WriteByte('/')
+		sb.WriteString(escape(tok))
+	}
+	return sb.String()
+}
+
+// --
+
+// Flag is output format with simple boolean property valid.
+type FlagOutput struct {
+	Valid bool `json:"valid"`
+}
+
+// The `Flag` output format, merely the boolean result.
+func (e *ValidationError) FlagOutput() *FlagOutput {
+	return &FlagOutput{Valid: false}
+}
+
+// --
+
+type OutputUnit struct {
+	Valid                   bool         `json:"valid"`
+	KeywordLocation         string       `json:"keywordLocation"`
+	AbsoluteKeywordLocation string       `json:"AbsoluteKeywordLocation,omitempty"`
+	InstanceLocation        string       `json:"instanceLocation"`
+	Error                   *OutputError `json:"error,omitempty"`
+	Errors                  []OutputUnit `json:"errors,omitempty"`
+}
+
+type OutputError struct {
+	Kind ErrorKind
+	p    *message.Printer
+}
+
+func (k OutputError) String() string {
+	return k.Kind.LocalizedString(k.p)
+}
+
+func (k OutputError) MarshalJSON() ([]byte, error) {
+	return json.Marshal(k.Kind.LocalizedString(k.p))
+}
+
+// The `Basic` structure, a flat list of output units.
+func (e *ValidationError) BasicOutput() *OutputUnit {
+	return e.LocalizedBasicOutput(defaultPrinter)
+}
+
+func (e *ValidationError) LocalizedBasicOutput(p *message.Printer) *OutputUnit {
+	out := e.output(true, false, "", "", p)
+	return &out
+}
+
+// The `Detailed` structure, based on the schema.
+func (e *ValidationError) DetailedOutput() *OutputUnit {
+	return e.LocalizedDetailedOutput(defaultPrinter)
+}
+
+func (e *ValidationError) LocalizedDetailedOutput(p *message.Printer) *OutputUnit {
+	out := e.output(false, false, "", "", p)
+	return &out
+}
+
+func (e *ValidationError) output(flatten, inRef bool, schemaURL, kwLoc string, p *message.Printer) OutputUnit {
+	if !inRef {
+		if _, ok := e.ErrorKind.(*kind.Reference); ok {
+			inRef = true
+		}
+	}
+	if schemaURL != "" {
+		kwLoc += e.SchemaURL[len(schemaURL):]
+		if ref, ok := e.ErrorKind.(*kind.Reference); ok {
+			kwLoc += jsonPtr(ref.KeywordPath())
+		}
+	}
+	schemaURL = e.schemaURL()
+
+	keywordLocation := kwLoc
+	if _, ok := e.ErrorKind.(*kind.Reference); !ok {
+		keywordLocation += jsonPtr(e.ErrorKind.KeywordPath())
+	}
+
+	out := OutputUnit{
+		Valid:            false,
+		InstanceLocation: jsonPtr(e.InstanceLocation),
+		KeywordLocation:  keywordLocation,
+	}
+	if inRef {
+		out.AbsoluteKeywordLocation = e.absoluteKeywordLocation()
+	}
+	for _, cause := range e.Causes {
+		causeOut := cause.output(flatten, inRef, schemaURL, kwLoc, p)
+		if cause.skip() {
+			causeOut = causeOut.Errors[0]
+		}
+		if flatten {
+			errors := causeOut.Errors
+			causeOut.Errors = nil
+			causeOut.Error = &OutputError{cause.ErrorKind, p}
+			out.Errors = append(out.Errors, causeOut)
+			if len(errors) > 0 {
+				out.Errors = append(out.Errors, errors...)
+			}
+		} else {
+			out.Errors = append(out.Errors, causeOut)
+		}
+	}
+	if len(out.Errors) == 0 {
+		out.Error = &OutputError{e.ErrorKind, p}
+	}
+	return out
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/position.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/position.go
new file mode 100644
index 0000000000..576a2a47f7
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/position.go
@@ -0,0 +1,142 @@
+package jsonschema
+
+import (
+	"strconv"
+	"strings"
+)
+
+// Position tells possible tokens in json.
+type Position interface {
+	collect(v any, ptr jsonPointer) map[jsonPointer]any
+}
+
+// --
+
+type AllProp struct{}
+
+func (AllProp) collect(v any, ptr jsonPointer) map[jsonPointer]any {
+	obj, ok := v.(map[string]any)
+	if !ok {
+		return nil
+	}
+	m := map[jsonPointer]any{}
+	for pname, pvalue := range obj {
+		m[ptr.append(pname)] = pvalue
+	}
+	return m
+}
+
+// --
+
+type AllItem struct{}
+
+func (AllItem) collect(v any, ptr jsonPointer) map[jsonPointer]any {
+	arr, ok := v.([]any)
+	if !ok {
+		return nil
+	}
+	m := map[jsonPointer]any{}
+	for i, item := range arr {
+		m[ptr.append(strconv.Itoa(i))] = item
+	}
+	return m
+}
+
+// --
+
+type Prop string
+
+func (p Prop) collect(v any, ptr jsonPointer) map[jsonPointer]any {
+	obj, ok := v.(map[string]any)
+	if !ok {
+		return nil
+	}
+	pvalue, ok := obj[string(p)]
+	if !ok {
+		return nil
+	}
+	return map[jsonPointer]any{
+		ptr.append(string(p)): pvalue,
+	}
+}
+
+// --
+
+type Item int
+
+func (i Item) collect(v any, ptr jsonPointer) map[jsonPointer]any {
+	arr, ok := v.([]any)
+	if !ok {
+		return nil
+	}
+	if i < 0 || int(i) >= len(arr) {
+		return nil
+	}
+	return map[jsonPointer]any{
+		ptr.append(strconv.Itoa(int(i))): arr[int(i)],
+	}
+}
+
+// --
+
+// SchemaPath tells where to look for subschema inside keyword.
+type SchemaPath []Position
+
+func schemaPath(path string) SchemaPath {
+	var sp SchemaPath
+	for _, tok := range strings.Split(path, "/") {
+		var pos Position
+		switch tok {
+		case "*":
+			pos = AllProp{}
+		case "[]":
+			pos = AllItem{}
+		default:
+			if i, err := strconv.Atoi(tok); err == nil {
+				pos = Item(i)
+			} else {
+				pos = Prop(tok)
+			}
+		}
+		sp = append(sp, pos)
+	}
+	return sp
+}
+
+func (sp SchemaPath) collect(v any, ptr jsonPointer) map[jsonPointer]any {
+	if len(sp) == 0 {
+		return map[jsonPointer]any{
+			ptr: v,
+		}
+	}
+	p, sp := sp[0], sp[1:]
+	m := p.collect(v, ptr)
+	mm := map[jsonPointer]any{}
+	for ptr, v := range m {
+		m = sp.collect(v, ptr)
+		for k, v := range m {
+			mm[k] = v
+		}
+	}
+	return mm
+}
+
+func (sp SchemaPath) String() string {
+	var sb strings.Builder
+	for _, pos := range sp {
+		if sb.Len() != 0 {
+			sb.WriteByte('/')
+		}
+		switch pos := pos.(type) {
+		case AllProp:
+			sb.WriteString("*")
+		case AllItem:
+			sb.WriteString("[]")
+		case Prop:
+			sb.WriteString(string(pos))
+		case Item:
+			sb.WriteString(strconv.Itoa(int(pos)))
+		}
+	}
+	return sb.String()
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/root.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/root.go
new file mode 100644
index 0000000000..a8b819bab0
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/root.go
@@ -0,0 +1,202 @@
+package jsonschema
+
+import (
+	"fmt"
+	"slices"
+	"strings"
+)
+
+type root struct {
+	url                 url
+	doc                 any
+	resources           map[jsonPointer]*resource
+	subschemasProcessed map[jsonPointer]struct{}
+}
+
+func (r *root) rootResource() *resource {
+	return r.resources[""]
+}
+
+func (r *root) resource(ptr jsonPointer) *resource {
+	for {
+		if res, ok := r.resources[ptr]; ok {
+			return res
+		}
+		slash := strings.LastIndexByte(string(ptr), '/')
+		if slash == -1 {
+			break
+		}
+		ptr = ptr[:slash]
+	}
+	return r.rootResource()
+}
+
+func (r *root) resolveFragmentIn(frag fragment, res *resource) (urlPtr, error) {
+	var ptr jsonPointer
+	switch f := frag.convert().(type) {
+	case jsonPointer:
+		ptr = res.ptr.concat(f)
+	case anchor:
+		aptr, ok := res.anchors[f]
+		if !ok {
+			return urlPtr{}, &AnchorNotFoundError{
+				URL:       r.url.String(),
+				Reference: (&urlFrag{res.id, frag}).String(),
+			}
+		}
+		ptr = aptr
+	}
+	return urlPtr{r.url, ptr}, nil
+}
+
+func (r *root) resolveFragment(frag fragment) (urlPtr, error) {
+	return r.resolveFragmentIn(frag, r.rootResource())
+}
+
+// resolves urlFrag to urlPtr from root.
+// returns nil if it is external.
+func (r *root) resolve(uf urlFrag) (*urlPtr, error) {
+	var res *resource
+	if uf.url == r.url {
+		res = r.rootResource()
+	} else {
+		// look for resource with id==uf.url
+		for _, v := range r.resources {
+			if v.id == uf.url {
+				res = v
+				break
+			}
+		}
+		if res == nil {
+			return nil, nil // external url
+		}
+	}
+	up, err := r.resolveFragmentIn(uf.frag, res)
+	return &up, err
+}
+
+func (r *root) collectAnchors(sch any, schPtr jsonPointer, res *resource) error {
+	obj, ok := sch.(map[string]any)
+	if !ok {
+		return nil
+	}
+
+	addAnchor := func(anchor anchor) error {
+		ptr1, ok := res.anchors[anchor]
+		if ok {
+			if ptr1 == schPtr {
+				// anchor with same root_ptr already exists
+				return nil
+			}
+			return &DuplicateAnchorError{
+				string(anchor), r.url.String(), string(ptr1), string(schPtr),
+			}
+		}
+		res.anchors[anchor] = schPtr
+		return nil
+	}
+
+	if res.dialect.draft.version < 2019 {
+		if _, ok := obj["$ref"]; ok {
+			// All other properties in a "$ref" object MUST be ignored
+			return nil
+		}
+		// anchor is specified in id
+		if id, ok := strVal(obj, res.dialect.draft.id); ok {
+			_, frag, err := splitFragment(id)
+			if err != nil {
+				loc := urlPtr{r.url, schPtr}
+				return &ParseAnchorError{loc.String()}
+			}
+			if anchor, ok := frag.convert().(anchor); ok {
+				if err := addAnchor(anchor); err != nil {
+					return err
+				}
+			}
+		}
+	}
+	if res.dialect.draft.version >= 2019 {
+		if s, ok := strVal(obj, "$anchor"); ok {
+			if err := addAnchor(anchor(s)); err != nil {
+				return err
+			}
+		}
+	}
+	if res.dialect.draft.version >= 2020 {
+		if s, ok := strVal(obj, "$dynamicAnchor"); ok {
+			if err := addAnchor(anchor(s)); err != nil {
+				return err
+			}
+			res.dynamicAnchors = append(res.dynamicAnchors, anchor(s))
+		}
+	}
+
+	return nil
+}
+
+func (r *root) clone() *root {
+	processed := map[jsonPointer]struct{}{}
+	for k := range r.subschemasProcessed {
+		processed[k] = struct{}{}
+	}
+	resources := map[jsonPointer]*resource{}
+	for k, v := range r.resources {
+		resources[k] = v.clone()
+	}
+	return &root{
+		url:                 r.url,
+		doc:                 r.doc,
+		resources:           resources,
+		subschemasProcessed: processed,
+	}
+}
+
+// --
+
+type resource struct {
+	ptr            jsonPointer
+	id             url
+	dialect        dialect
+	anchors        map[anchor]jsonPointer
+	dynamicAnchors []anchor
+}
+
+func newResource(ptr jsonPointer, id url) *resource {
+	return &resource{ptr: ptr, id: id, anchors: make(map[anchor]jsonPointer)}
+}
+
+func (res *resource) clone() *resource {
+	anchors := map[anchor]jsonPointer{}
+	for k, v := range res.anchors {
+		anchors[k] = v
+	}
+	return &resource{
+		ptr:            res.ptr,
+		id:             res.id,
+		dialect:        res.dialect,
+		anchors:        anchors,
+		dynamicAnchors: slices.Clone(res.dynamicAnchors),
+	}
+}
+
+//--
+
+type UnsupportedVocabularyError struct {
+	URL        string
+	Vocabulary string
+}
+
+func (e *UnsupportedVocabularyError) Error() string {
+	return fmt.Sprintf("unsupported vocabulary %q in %q", e.Vocabulary, e.URL)
+}
+
+// --
+
+type AnchorNotFoundError struct {
+	URL       string
+	Reference string
+}
+
+func (e *AnchorNotFoundError) Error() string {
+	return fmt.Sprintf("anchor in %q not found in schema %q", e.Reference, e.URL)
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/roots.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/roots.go
new file mode 100644
index 0000000000..a8d0ef0ce2
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/roots.go
@@ -0,0 +1,286 @@
+package jsonschema
+
+import (
+	"fmt"
+	"strings"
+)
+
+type roots struct {
+	defaultDraft *Draft
+	roots        map[url]*root
+	loader       defaultLoader
+	regexpEngine RegexpEngine
+	vocabularies map[string]*Vocabulary
+	assertVocabs bool
+}
+
+func newRoots() *roots {
+	return &roots{
+		defaultDraft: draftLatest,
+		roots:        map[url]*root{},
+		loader: defaultLoader{
+			docs:   map[url]any{},
+			loader: FileLoader{},
+		},
+		regexpEngine: goRegexpCompile,
+		vocabularies: map[string]*Vocabulary{},
+	}
+}
+
+func (rr *roots) orLoad(u url) (*root, error) {
+	if r, ok := rr.roots[u]; ok {
+		return r, nil
+	}
+	doc, err := rr.loader.load(u)
+	if err != nil {
+		return nil, err
+	}
+	return rr.addRoot(u, doc)
+}
+
+func (rr *roots) addRoot(u url, doc any) (*root, error) {
+	r := &root{
+		url:                 u,
+		doc:                 doc,
+		resources:           map[jsonPointer]*resource{},
+		subschemasProcessed: map[jsonPointer]struct{}{},
+	}
+	if err := rr.collectResources(r, doc, u, "", dialect{rr.defaultDraft, nil}); err != nil {
+		return nil, err
+	}
+	if !strings.HasPrefix(u.String(), "http://json-schema.org/") &&
+		!strings.HasPrefix(u.String(), "https://json-schema.org/") {
+		if err := rr.validate(r, doc, ""); err != nil {
+			return nil, err
+		}
+	}
+
+	rr.roots[u] = r
+	return r, nil
+}
+
+func (rr *roots) resolveFragment(uf urlFrag) (urlPtr, error) {
+	r, err := rr.orLoad(uf.url)
+	if err != nil {
+		return urlPtr{}, err
+	}
+	return r.resolveFragment(uf.frag)
+}
+
+func (rr *roots) collectResources(r *root, sch any, base url, schPtr jsonPointer, fallback dialect) error {
+	if _, ok := r.subschemasProcessed[schPtr]; ok {
+		return nil
+	}
+	if err := rr._collectResources(r, sch, base, schPtr, fallback); err != nil {
+		return err
+	}
+	r.subschemasProcessed[schPtr] = struct{}{}
+	return nil
+}
+
+func (rr *roots) _collectResources(r *root, sch any, base url, schPtr jsonPointer, fallback dialect) error {
+	obj, ok := sch.(map[string]any)
+	if !ok {
+		if schPtr.isEmpty() {
+			// root resource
+			res := newResource(schPtr, base)
+			res.dialect = fallback
+			r.resources[schPtr] = res
+		}
+		return nil
+	}
+
+	hasSchema := false
+	if sch, ok := obj["$schema"]; ok {
+		if _, ok := sch.(string); ok {
+			hasSchema = true
+		}
+	}
+
+	draft, err := rr.loader.getDraft(urlPtr{r.url, schPtr}, sch, fallback.draft, map[url]struct{}{})
+	if err != nil {
+		return err
+	}
+	id := draft.getID(obj)
+	if id == "" && !schPtr.isEmpty() {
+		// ignore $schema
+		draft = fallback.draft
+		hasSchema = false
+		id = draft.getID(obj)
+	}
+
+	var res *resource
+	if id != "" {
+		uf, err := base.join(id)
+		if err != nil {
+			loc := urlPtr{r.url, schPtr}
+			return &ParseIDError{loc.String()}
+		}
+		base = uf.url
+		res = newResource(schPtr, base)
+	} else if schPtr.isEmpty() {
+		// root resource
+		res = newResource(schPtr, base)
+	}
+
+	if res != nil {
+		found := false
+		for _, res := range r.resources {
+			if res.id == base {
+				found = true
+				if res.ptr != schPtr {
+					return &DuplicateIDError{base.String(), r.url.String(), string(schPtr), string(res.ptr)}
+				}
+			}
+		}
+		if !found {
+			if hasSchema {
+				vocabs, err := rr.loader.getMetaVocabs(sch, draft, rr.vocabularies)
+				if err != nil {
+					return err
+				}
+				res.dialect = dialect{draft, vocabs}
+			} else {
+				res.dialect = fallback
+			}
+			r.resources[schPtr] = res
+		}
+	}
+
+	var baseRes *resource
+	for _, res := range r.resources {
+		if res.id == base {
+			baseRes = res
+			break
+		}
+	}
+	if baseRes == nil {
+		panic("baseres is nil")
+	}
+
+	// found base resource
+	if err := r.collectAnchors(sch, schPtr, baseRes); err != nil {
+		return err
+	}
+
+	// process subschemas
+	subschemas := map[jsonPointer]any{}
+	for _, sp := range draft.subschemas {
+		ss := sp.collect(obj, schPtr)
+		for k, v := range ss {
+			subschemas[k] = v
+		}
+	}
+	for _, vocab := range baseRes.dialect.activeVocabs(true, rr.vocabularies) {
+		if v := rr.vocabularies[vocab]; v != nil {
+			for _, sp := range v.Subschemas {
+				ss := sp.collect(obj, schPtr)
+				for k, v := range ss {
+					subschemas[k] = v
+				}
+			}
+		}
+	}
+	for ptr, v := range subschemas {
+		if err := rr.collectResources(r, v, base, ptr, baseRes.dialect); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (rr *roots) ensureSubschema(up urlPtr) error {
+	r, err := rr.orLoad(up.url)
+	if err != nil {
+		return err
+	}
+	if _, ok := r.subschemasProcessed[up.ptr]; ok {
+		return nil
+	}
+	v, err := up.lookup(r.doc)
+	if err != nil {
+		return err
+	}
+	rClone := r.clone()
+	if err := rr.addSubschema(rClone, up.ptr); err != nil {
+		return err
+	}
+	if err := rr.validate(rClone, v, up.ptr); err != nil {
+		return err
+	}
+	rr.roots[r.url] = rClone
+	return nil
+}
+
+func (rr *roots) addSubschema(r *root, ptr jsonPointer) error {
+	v, err := (&urlPtr{r.url, ptr}).lookup(r.doc)
+	if err != nil {
+		return err
+	}
+	base := r.resource(ptr)
+	baseURL := base.id
+	if err := rr.collectResources(r, v, baseURL, ptr, base.dialect); err != nil {
+		return err
+	}
+
+	// collect anchors
+	if _, ok := r.resources[ptr]; !ok {
+		res := r.resource(ptr)
+		if err := r.collectAnchors(v, ptr, res); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (rr *roots) validate(r *root, v any, ptr jsonPointer) error {
+	dialect := r.resource(ptr).dialect
+	meta := dialect.getSchema(rr.assertVocabs, rr.vocabularies)
+	if err := meta.validate(v, rr.regexpEngine, meta, r.resources, rr.assertVocabs, rr.vocabularies); err != nil {
+		up := urlPtr{r.url, ptr}
+		return &SchemaValidationError{URL: up.String(), Err: err}
+	}
+	return nil
+}
+
+// --
+
+type InvalidMetaSchemaURLError struct {
+	URL string
+	Err error
+}
+
+func (e *InvalidMetaSchemaURLError) Error() string {
+	return fmt.Sprintf("invalid $schema in %q: %v", e.URL, e.Err)
+}
+
+// --
+
+type UnsupportedDraftError struct {
+	URL string
+}
+
+func (e *UnsupportedDraftError) Error() string {
+	return fmt.Sprintf("draft %q is not supported", e.URL)
+}
+
+// --
+
+type MetaSchemaCycleError struct {
+	URL string
+}
+
+func (e *MetaSchemaCycleError) Error() string {
+	return fmt.Sprintf("cycle in resolving $schema in %q", e.URL)
+}
+
+// --
+
+type MetaSchemaMismatchError struct {
+	URL string
+}
+
+func (e *MetaSchemaMismatchError) Error() string {
+	return fmt.Sprintf("$schema in %q does not match with $schema in root", e.URL)
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/schema.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/schema.go
new file mode 100644
index 0000000000..b4c1f37afb
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/schema.go
@@ -0,0 +1,254 @@
+package jsonschema
+
+import (
+	"encoding/json"
+	"fmt"
+	"math/big"
+)
+
+// Schema is the representation of a compiled
+// jsonschema.
+type Schema struct {
+	up                urlPtr
+	resource          *Schema
+	dynamicAnchors    map[string]*Schema
+	allPropsEvaluated bool
+	allItemsEvaluated bool
+	numItemsEvaluated int
+
+	DraftVersion int
+	Location     string
+
+	// type agnostic --
+	Bool            *bool // boolean schema
+	ID              string
+	Ref             *Schema
+	Anchor          string
+	RecursiveRef    *Schema
+	RecursiveAnchor bool
+	DynamicRef      *DynamicRef
+	DynamicAnchor   string // "" if not specified
+	Types           *Types
+	Enum            *Enum
+	Const           *any
+	Not             *Schema
+	AllOf           []*Schema
+	AnyOf           []*Schema
+	OneOf           []*Schema
+	If              *Schema
+	Then            *Schema
+	Else            *Schema
+	Format          *Format
+
+	// object --
+	MaxProperties         *int
+	MinProperties         *int
+	Required              []string
+	PropertyNames         *Schema
+	Properties            map[string]*Schema
+	PatternProperties     map[Regexp]*Schema
+	AdditionalProperties  any            // nil or bool or *Schema
+	Dependencies          map[string]any // value is []string or *Schema
+	DependentRequired     map[string][]string
+	DependentSchemas      map[string]*Schema
+	UnevaluatedProperties *Schema
+
+	// array --
+	MinItems         *int
+	MaxItems         *int
+	UniqueItems      bool
+	Contains         *Schema
+	MinContains      *int
+	MaxContains      *int
+	Items            any // nil or []*Schema or *Schema
+	AdditionalItems  any // nil or bool or *Schema
+	PrefixItems      []*Schema
+	Items2020        *Schema
+	UnevaluatedItems *Schema
+
+	// string --
+	MinLength        *int
+	MaxLength        *int
+	Pattern          Regexp
+	ContentEncoding  *Decoder
+	ContentMediaType *MediaType
+	ContentSchema    *Schema
+
+	// number --
+	Maximum          *big.Rat
+	Minimum          *big.Rat
+	ExclusiveMaximum *big.Rat
+	ExclusiveMinimum *big.Rat
+	MultipleOf       *big.Rat
+
+	Extensions []SchemaExt
+
+	// annotations --
+	Title       string
+	Description string
+	Default     *any
+	Comment     string
+	ReadOnly    bool
+	WriteOnly   bool
+	Examples    []any
+	Deprecated  bool
+}
+
+// --
+
+type jsonType int
+
+const (
+	invalidType jsonType = 0
+	nullType    jsonType = 1 << iota
+	booleanType
+	numberType
+	integerType
+	stringType
+	arrayType
+	objectType
+)
+
+func typeOf(v any) jsonType {
+	switch v.(type) {
+	case nil:
+		return nullType
+	case bool:
+		return booleanType
+	case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
+		return numberType
+	case string:
+		return stringType
+	case []any:
+		return arrayType
+	case map[string]any:
+		return objectType
+	default:
+		return invalidType
+	}
+}
+
+func typeFromString(s string) jsonType {
+	switch s {
+	case "null":
+		return nullType
+	case "boolean":
+		return booleanType
+	case "number":
+		return numberType
+	case "integer":
+		return integerType
+	case "string":
+		return stringType
+	case "array":
+		return arrayType
+	case "object":
+		return objectType
+	}
+	return invalidType
+}
+
+func (jt jsonType) String() string {
+	switch jt {
+	case nullType:
+		return "null"
+	case booleanType:
+		return "boolean"
+	case numberType:
+		return "number"
+	case integerType:
+		return "integer"
+	case stringType:
+		return "string"
+	case arrayType:
+		return "array"
+	case objectType:
+		return "object"
+	}
+	return ""
+}
+
+// --
+
+// Types encapsulates list of json value types.
+type Types int
+
+func newTypes(v any) *Types {
+	var types Types
+	switch v := v.(type) {
+	case string:
+		types.Add(v)
+	case []any:
+		for _, item := range v {
+			if s, ok := item.(string); ok {
+				types.Add(s)
+			}
+		}
+	}
+	if types.IsEmpty() {
+		return nil
+	}
+	return &types
+}
+
+func (tt Types) IsEmpty() bool {
+	return tt == 0
+}
+
+// Add specified json type. If typ is
+// not valid json type it is ignored.
+func (tt *Types) Add(typ string) {
+	tt.add(typeFromString(typ))
+}
+
+func (tt *Types) add(t jsonType) {
+	*tt = Types(int(*tt) | int(t))
+}
+
+func (tt Types) contains(t jsonType) bool {
+	return int(tt)&int(t) != 0
+}
+
+func (tt Types) ToStrings() []string {
+	types := []jsonType{
+		nullType, booleanType, numberType, integerType,
+		stringType, arrayType, objectType,
+	}
+	var arr []string
+	for _, t := range types {
+		if tt.contains(t) {
+			arr = append(arr, t.String())
+		}
+	}
+	return arr
+}
+
+func (tt Types) String() string {
+	return fmt.Sprintf("%v", tt.ToStrings())
+}
+
+// --
+
+type Enum struct {
+	Values []any
+	types  Types
+}
+
+func newEnum(arr []any) *Enum {
+	var types Types
+	for _, item := range arr {
+		types.add(typeOf(item))
+	}
+	return &Enum{arr, types}
+}
+
+// --
+
+type DynamicRef struct {
+	Ref    *Schema
+	Anchor string // "" if not specified
+}
+
+func newSchema(up urlPtr) *Schema {
+	return &Schema{up: up, Location: up.String()}
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/util.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/util.go
new file mode 100644
index 0000000000..c6f8e77526
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/util.go
@@ -0,0 +1,464 @@
+package jsonschema
+
+import (
+	"encoding/json"
+	"fmt"
+	"hash/maphash"
+	"math/big"
+	gourl "net/url"
+	"path/filepath"
+	"runtime"
+	"slices"
+	"strconv"
+	"strings"
+
+	"github.com/santhosh-tekuri/jsonschema/v6/kind"
+	"golang.org/x/text/message"
+)
+
+// --
+
+type url (string)
+
+func (u url) String() string {
+	return string(u)
+}
+
+func (u url) join(ref string) (*urlFrag, error) {
+	base, err := gourl.Parse(string(u))
+	if err != nil {
+		return nil, &ParseURLError{URL: u.String(), Err: err}
+	}
+
+	ref, frag, err := splitFragment(ref)
+	if err != nil {
+		return nil, err
+	}
+	refURL, err := gourl.Parse(ref)
+	if err != nil {
+		return nil, &ParseURLError{URL: ref, Err: err}
+	}
+	resolved := base.ResolveReference(refURL)
+
+	// see https://github.com/golang/go/issues/66084 (net/url: ResolveReference ignores Opaque value)
+	if !refURL.IsAbs() && base.Opaque != "" {
+		resolved.Opaque = base.Opaque
+	}
+
+	return &urlFrag{url: url(resolved.String()), frag: frag}, nil
+}
+
+// --
+
+type jsonPointer string
+
+func escape(tok string) string {
+	tok = strings.ReplaceAll(tok, "~", "~0")
+	tok = strings.ReplaceAll(tok, "/", "~1")
+	return tok
+}
+
+func unescape(tok string) (string, bool) {
+	tilde := strings.IndexByte(tok, '~')
+	if tilde == -1 {
+		return tok, true
+	}
+	sb := new(strings.Builder)
+	for {
+		sb.WriteString(tok[:tilde])
+		tok = tok[tilde+1:]
+		if tok == "" {
+			return "", false
+		}
+		switch tok[0] {
+		case '0':
+			sb.WriteByte('~')
+		case '1':
+			sb.WriteByte('/')
+		default:
+			return "", false
+		}
+		tok = tok[1:]
+		tilde = strings.IndexByte(tok, '~')
+		if tilde == -1 {
+			sb.WriteString(tok)
+			break
+		}
+	}
+	return sb.String(), true
+}
+
+func (ptr jsonPointer) isEmpty() bool {
+	return string(ptr) == ""
+}
+
+func (ptr jsonPointer) concat(next jsonPointer) jsonPointer {
+	return jsonPointer(fmt.Sprintf("%s%s", ptr, next))
+}
+
+func (ptr jsonPointer) append(tok string) jsonPointer {
+	return jsonPointer(fmt.Sprintf("%s/%s", ptr, escape(tok)))
+}
+
+func (ptr jsonPointer) append2(tok1, tok2 string) jsonPointer {
+	return jsonPointer(fmt.Sprintf("%s/%s/%s", ptr, escape(tok1), escape(tok2)))
+}
+
+// --
+
+type anchor string
+
+// --
+
+type fragment string
+
+func decode(frag string) (string, error) {
+	return gourl.PathUnescape(frag)
+}
+
+// avoids escaping /.
+func encode(frag string) string {
+	var sb strings.Builder
+	for i, tok := range strings.Split(frag, "/") {
+		if i > 0 {
+			sb.WriteByte('/')
+		}
+		sb.WriteString(gourl.PathEscape(tok))
+	}
+	return sb.String()
+}
+
+func splitFragment(str string) (string, fragment, error) {
+	u, f := split(str)
+	f, err := decode(f)
+	if err != nil {
+		return "", fragment(""), &ParseURLError{URL: str, Err: err}
+	}
+	return u, fragment(f), nil
+}
+
+func split(str string) (string, string) {
+	hash := strings.IndexByte(str, '#')
+	if hash == -1 {
+		return str, ""
+	}
+	return str[:hash], str[hash+1:]
+}
+
+func (frag fragment) convert() any {
+	str := string(frag)
+	if str == "" || strings.HasPrefix(str, "/") {
+		return jsonPointer(str)
+	}
+	return anchor(str)
+}
+
+// --
+
+type urlFrag struct {
+	url  url
+	frag fragment
+}
+
+func startsWithWindowsDrive(s string) bool {
+	if s != "" && strings.HasPrefix(s[1:], `:\`) {
+		return (s[0] >= 'a' && s[0] <= 'z') || (s[0] >= 'A' && s[0] <= 'Z')
+	}
+	return false
+}
+
+func absolute(input string) (*urlFrag, error) {
+	u, frag, err := splitFragment(input)
+	if err != nil {
+		return nil, err
+	}
+
+	// if windows absolute file path, convert to file url
+	// because: net/url parses driver name as scheme
+	if runtime.GOOS == "windows" && startsWithWindowsDrive(u) {
+		u = "file:///" + filepath.ToSlash(u)
+	}
+
+	gourl, err := gourl.Parse(u)
+	if err != nil {
+		return nil, &ParseURLError{URL: input, Err: err}
+	}
+	if gourl.IsAbs() {
+		return &urlFrag{url(u), frag}, nil
+	}
+
+	// avoid filesystem api in wasm
+	if runtime.GOOS != "js" {
+		abs, err := filepath.Abs(u)
+		if err != nil {
+			return nil, &ParseURLError{URL: input, Err: err}
+		}
+		u = abs
+	}
+	if !strings.HasPrefix(u, "/") {
+		u = "/" + u
+	}
+	u = "file://" + filepath.ToSlash(u)
+
+	_, err = gourl.Parse(u)
+	if err != nil {
+		return nil, &ParseURLError{URL: input, Err: err}
+	}
+	return &urlFrag{url: url(u), frag: frag}, nil
+}
+
+func (uf *urlFrag) String() string {
+	return fmt.Sprintf("%s#%s", uf.url, encode(string(uf.frag)))
+}
+
+// --
+
+type urlPtr struct {
+	url url
+	ptr jsonPointer
+}
+
+func (up *urlPtr) lookup(v any) (any, error) {
+	for _, tok := range strings.Split(string(up.ptr), "/")[1:] {
+		tok, ok := unescape(tok)
+		if !ok {
+			return nil, &InvalidJsonPointerError{up.String()}
+		}
+		switch val := v.(type) {
+		case map[string]any:
+			if pvalue, ok := val[tok]; ok {
+				v = pvalue
+				continue
+			}
+		case []any:
+			if index, err := strconv.Atoi(tok); err == nil {
+				if index >= 0 && index < len(val) {
+					v = val[index]
+					continue
+				}
+			}
+		}
+		return nil, &JSONPointerNotFoundError{up.String()}
+	}
+	return v, nil
+}
+
+func (up *urlPtr) format(tok string) string {
+	return fmt.Sprintf("%s#%s/%s", up.url, encode(string(up.ptr)), encode(escape(tok)))
+}
+
+func (up *urlPtr) String() string {
+	return fmt.Sprintf("%s#%s", up.url, encode(string(up.ptr)))
+}
+
+// --
+
+func minInt(i, j int) int {
+	if i < j {
+		return i
+	}
+	return j
+}
+
+func strVal(obj map[string]any, prop string) (string, bool) {
+	v, ok := obj[prop]
+	if !ok {
+		return "", false
+	}
+	s, ok := v.(string)
+	return s, ok
+}
+
+func isInteger(num any) bool {
+	rat, ok := new(big.Rat).SetString(fmt.Sprint(num))
+	return ok && rat.IsInt()
+}
+
+// quote returns single-quoted string.
+// used for embedding quoted strings in json.
+func quote(s string) string {
+	s = fmt.Sprintf("%q", s)
+	s = strings.ReplaceAll(s, `\"`, `"`)
+	s = strings.ReplaceAll(s, `'`, `\'`)
+	return "'" + s[1:len(s)-1] + "'"
+}
+
+func equals(v1, v2 any) (bool, ErrorKind) {
+	switch v1 := v1.(type) {
+	case map[string]any:
+		v2, ok := v2.(map[string]any)
+		if !ok || len(v1) != len(v2) {
+			return false, nil
+		}
+		for k, val1 := range v1 {
+			val2, ok := v2[k]
+			if !ok {
+				return false, nil
+			}
+			if ok, k := equals(val1, val2); !ok || k != nil {
+				return ok, k
+			}
+		}
+		return true, nil
+	case []any:
+		v2, ok := v2.([]any)
+		if !ok || len(v1) != len(v2) {
+			return false, nil
+		}
+		for i := range v1 {
+			if ok, k := equals(v1[i], v2[i]); !ok || k != nil {
+				return ok, k
+			}
+		}
+		return true, nil
+	case nil:
+		return v2 == nil, nil
+	case bool:
+		v2, ok := v2.(bool)
+		return ok && v1 == v2, nil
+	case string:
+		v2, ok := v2.(string)
+		return ok && v1 == v2, nil
+	case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
+		num1, ok1 := new(big.Rat).SetString(fmt.Sprint(v1))
+		num2, ok2 := new(big.Rat).SetString(fmt.Sprint(v2))
+		return ok1 && ok2 && num1.Cmp(num2) == 0, nil
+	default:
+		return false, &kind.InvalidJsonValue{Value: v1}
+	}
+}
+
+func duplicates(arr []any) (int, int, ErrorKind) {
+	if len(arr) <= 20 {
+		for i := 1; i < len(arr); i++ {
+			for j := 0; j < i; j++ {
+				if ok, k := equals(arr[i], arr[j]); ok || k != nil {
+					return j, i, k
+				}
+			}
+		}
+		return -1, -1, nil
+	}
+
+	m := make(map[uint64][]int)
+	h := new(maphash.Hash)
+	for i, item := range arr {
+		h.Reset()
+		writeHash(item, h)
+		hash := h.Sum64()
+		indexes, ok := m[hash]
+		if ok {
+			for _, j := range indexes {
+				if ok, k := equals(item, arr[j]); ok || k != nil {
+					return j, i, k
+				}
+			}
+		}
+		indexes = append(indexes, i)
+		m[hash] = indexes
+	}
+	return -1, -1, nil
+}
+
+func writeHash(v any, h *maphash.Hash) ErrorKind {
+	switch v := v.(type) {
+	case map[string]any:
+		_ = h.WriteByte(0)
+		props := make([]string, 0, len(v))
+		for prop := range v {
+			props = append(props, prop)
+		}
+		slices.Sort(props)
+		for _, prop := range props {
+			writeHash(prop, h)
+			writeHash(v[prop], h)
+		}
+	case []any:
+		_ = h.WriteByte(1)
+		for _, item := range v {
+			writeHash(item, h)
+		}
+	case nil:
+		_ = h.WriteByte(2)
+	case bool:
+		_ = h.WriteByte(3)
+		if v {
+			_ = h.WriteByte(1)
+		} else {
+			_ = h.WriteByte(0)
+		}
+	case string:
+		_ = h.WriteByte(4)
+		_, _ = h.WriteString(v)
+	case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
+		_ = h.WriteByte(5)
+		num, _ := new(big.Rat).SetString(fmt.Sprint(v))
+		_, _ = h.Write(num.Num().Bytes())
+		_, _ = h.Write(num.Denom().Bytes())
+	default:
+		return &kind.InvalidJsonValue{Value: v}
+	}
+	return nil
+}
+
+// --
+
+type ParseURLError struct {
+	URL string
+	Err error
+}
+
+func (e *ParseURLError) Error() string {
+	return fmt.Sprintf("error in parsing %q: %v", e.URL, e.Err)
+}
+
+// --
+
+type InvalidJsonPointerError struct {
+	URL string
+}
+
+func (e *InvalidJsonPointerError) Error() string {
+	return fmt.Sprintf("invalid json-pointer %q", e.URL)
+}
+
+// --
+
+type JSONPointerNotFoundError struct {
+	URL string
+}
+
+func (e *JSONPointerNotFoundError) Error() string {
+	return fmt.Sprintf("json-pointer in %q not found", e.URL)
+}
+
+// --
+
+type SchemaValidationError struct {
+	URL string
+	Err error
+}
+
+func (e *SchemaValidationError) Error() string {
+	return fmt.Sprintf("%q is not valid against metaschema: %v", e.URL, e.Err)
+}
+
+// --
+
+// LocalizableError is an error whose message is localizable.
+func LocalizableError(format string, args ...any) error {
+	return &localizableError{format, args}
+}
+
+type localizableError struct {
+	msg  string
+	args []any
+}
+
+func (e *localizableError) Error() string {
+	return fmt.Sprintf(e.msg, e.args...)
+}
+
+func (e *localizableError) LocalizedError(p *message.Printer) string {
+	return p.Sprintf(e.msg, e.args...)
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/validator.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/validator.go
new file mode 100644
index 0000000000..e2ace37a9f
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/validator.go
@@ -0,0 +1,975 @@
+package jsonschema
+
+import (
+	"encoding/json"
+	"fmt"
+	"math/big"
+	"slices"
+	"strconv"
+	"unicode/utf8"
+
+	"github.com/santhosh-tekuri/jsonschema/v6/kind"
+	"golang.org/x/text/message"
+)
+
+func (sch *Schema) Validate(v any) error {
+	return sch.validate(v, nil, nil, nil, false, nil)
+}
+
+func (sch *Schema) validate(v any, regexpEngine RegexpEngine, meta *Schema, resources map[jsonPointer]*resource, assertVocabs bool, vocabularies map[string]*Vocabulary) error {
+	vd := validator{
+		v:            v,
+		vloc:         make([]string, 0, 8),
+		sch:          sch,
+		scp:          &scope{sch, "", 0, nil},
+		uneval:       unevalFrom(v, sch, false),
+		errors:       nil,
+		boolResult:   false,
+		regexpEngine: regexpEngine,
+		meta:         meta,
+		resources:    resources,
+		assertVocabs: assertVocabs,
+		vocabularies: vocabularies,
+	}
+	if _, err := vd.validate(); err != nil {
+		verr := err.(*ValidationError)
+		var causes []*ValidationError
+		if _, ok := verr.ErrorKind.(*kind.Group); ok {
+			causes = verr.Causes
+		} else {
+			causes = []*ValidationError{verr}
+		}
+		return &ValidationError{
+			SchemaURL:        sch.Location,
+			InstanceLocation: nil,
+			ErrorKind:        &kind.Schema{Location: sch.Location},
+			Causes:           causes,
+		}
+	}
+
+	return nil
+}
+
+type validator struct {
+	v            any
+	vloc         []string
+	sch          *Schema
+	scp          *scope
+	uneval       *uneval
+	errors       []*ValidationError
+	boolResult   bool // is interested to know valid or not (but not actuall error)
+	regexpEngine RegexpEngine
+
+	// meta validation
+	meta         *Schema                   // set only when validating with metaschema
+	resources    map[jsonPointer]*resource // resources which should be validated with their dialect
+	assertVocabs bool
+	vocabularies map[string]*Vocabulary
+}
+
+func (vd *validator) validate() (*uneval, error) {
+	s := vd.sch
+	v := vd.v
+
+	// boolean --
+	if s.Bool != nil {
+		if *s.Bool {
+			return vd.uneval, nil
+		} else {
+			return nil, vd.error(&kind.FalseSchema{})
+		}
+	}
+
+	// check cycle --
+	if scp := vd.scp.checkCycle(); scp != nil {
+		return nil, vd.error(&kind.RefCycle{
+			URL:              s.Location,
+			KeywordLocation1: vd.scp.kwLoc(),
+			KeywordLocation2: scp.kwLoc(),
+		})
+	}
+
+	t := typeOf(v)
+	if t == invalidType {
+		return nil, vd.error(&kind.InvalidJsonValue{Value: v})
+	}
+
+	// type --
+	if s.Types != nil && !s.Types.IsEmpty() {
+		matched := s.Types.contains(t) || (s.Types.contains(integerType) && t == numberType && isInteger(v))
+		if !matched {
+			return nil, vd.error(&kind.Type{Got: t.String(), Want: s.Types.ToStrings()})
+		}
+	}
+
+	// const --
+	if s.Const != nil {
+		ok, k := equals(v, *s.Const)
+		if k != nil {
+			return nil, vd.error(k)
+		} else if !ok {
+			return nil, vd.error(&kind.Const{Got: v, Want: *s.Const})
+		}
+	}
+
+	// enum --
+	if s.Enum != nil {
+		matched := s.Enum.types.contains(typeOf(v))
+		if matched {
+			matched = false
+			for _, item := range s.Enum.Values {
+				ok, k := equals(v, item)
+				if k != nil {
+					return nil, vd.error(k)
+				} else if ok {
+					matched = true
+					break
+				}
+			}
+		}
+		if !matched {
+			return nil, vd.error(&kind.Enum{Got: v, Want: s.Enum.Values})
+		}
+	}
+
+	// format --
+	if s.Format != nil {
+		var err error
+		if s.Format.Name == "regex" && vd.regexpEngine != nil {
+			err = vd.regexpEngine.validate(v)
+		} else {
+			err = s.Format.Validate(v)
+		}
+		if err != nil {
+			return nil, vd.error(&kind.Format{Got: v, Want: s.Format.Name, Err: err})
+		}
+	}
+
+	// $ref --
+	if s.Ref != nil {
+		err := vd.validateRef(s.Ref, "$ref")
+		if s.DraftVersion < 2019 {
+			return vd.uneval, err
+		}
+		if err != nil {
+			vd.addErr(err)
+		}
+	}
+
+	// type specific validations --
+	switch v := v.(type) {
+	case map[string]any:
+		vd.objValidate(v)
+	case []any:
+		vd.arrValidate(v)
+	case string:
+		vd.strValidate(v)
+	case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
+		vd.numValidate(v)
+	}
+
+	if len(vd.errors) == 0 || !vd.boolResult {
+		if s.DraftVersion >= 2019 {
+			vd.validateRefs()
+		}
+		vd.condValidate()
+
+		for _, ext := range s.Extensions {
+			ext.Validate(&ValidatorContext{vd}, v)
+		}
+
+		if s.DraftVersion >= 2019 {
+			vd.unevalValidate()
+		}
+	}
+
+	switch len(vd.errors) {
+	case 0:
+		return vd.uneval, nil
+	case 1:
+		return nil, vd.errors[0]
+	default:
+		verr := vd.error(&kind.Group{})
+		verr.Causes = vd.errors
+		return nil, verr
+	}
+}
+
+func (vd *validator) objValidate(obj map[string]any) {
+	s := vd.sch
+
+	// minProperties --
+	if s.MinProperties != nil {
+		if len(obj) < *s.MinProperties {
+			vd.addError(&kind.MinProperties{Got: len(obj), Want: *s.MinProperties})
+		}
+	}
+
+	// maxProperties --
+	if s.MaxProperties != nil {
+		if len(obj) > *s.MaxProperties {
+			vd.addError(&kind.MaxProperties{Got: len(obj), Want: *s.MaxProperties})
+		}
+	}
+
+	// required --
+	if len(s.Required) > 0 {
+		if missing := vd.findMissing(obj, s.Required); missing != nil {
+			vd.addError(&kind.Required{Missing: missing})
+		}
+	}
+
+	if vd.boolResult && len(vd.errors) > 0 {
+		return
+	}
+
+	// dependencies --
+	for pname, dep := range s.Dependencies {
+		if _, ok := obj[pname]; ok {
+			switch dep := dep.(type) {
+			case []string:
+				if missing := vd.findMissing(obj, dep); missing != nil {
+					vd.addError(&kind.Dependency{Prop: pname, Missing: missing})
+				}
+			case *Schema:
+				vd.addErr(vd.validateSelf(dep, "", false))
+			}
+		}
+	}
+
+	var additionalPros []string
+	for pname, pvalue := range obj {
+		if vd.boolResult && len(vd.errors) > 0 {
+			return
+		}
+		evaluated := false
+
+		// properties --
+		if sch, ok := s.Properties[pname]; ok {
+			evaluated = true
+			vd.addErr(vd.validateVal(sch, pvalue, pname))
+		}
+
+		// patternProperties --
+		for regex, sch := range s.PatternProperties {
+			if regex.MatchString(pname) {
+				evaluated = true
+				vd.addErr(vd.validateVal(sch, pvalue, pname))
+			}
+		}
+
+		if !evaluated && s.AdditionalProperties != nil {
+			evaluated = true
+			switch additional := s.AdditionalProperties.(type) {
+			case bool:
+				if !additional {
+					additionalPros = append(additionalPros, pname)
+				}
+			case *Schema:
+				vd.addErr(vd.validateVal(additional, pvalue, pname))
+			}
+		}
+
+		if evaluated {
+			delete(vd.uneval.props, pname)
+		}
+	}
+	if len(additionalPros) > 0 {
+		vd.addError(&kind.AdditionalProperties{Properties: additionalPros})
+	}
+
+	if s.DraftVersion == 4 {
+		return
+	}
+
+	// propertyNames --
+	if s.PropertyNames != nil {
+		for pname := range obj {
+			sch, meta, resources := s.PropertyNames, vd.meta, vd.resources
+			res := vd.metaResource(sch)
+			if res != nil {
+				meta = res.dialect.getSchema(vd.assertVocabs, vd.vocabularies)
+				sch = meta
+			}
+			if err := sch.validate(pname, vd.regexpEngine, meta, resources, vd.assertVocabs, vd.vocabularies); err != nil {
+				verr := err.(*ValidationError)
+				verr.SchemaURL = s.PropertyNames.Location
+				verr.ErrorKind = &kind.PropertyNames{Property: pname}
+				vd.addErr(verr)
+			}
+		}
+	}
+
+	if s.DraftVersion == 6 {
+		return
+	}
+
+	// dependentSchemas --
+	for pname, sch := range s.DependentSchemas {
+		if _, ok := obj[pname]; ok {
+			vd.addErr(vd.validateSelf(sch, "", false))
+		}
+	}
+
+	// dependentRequired --
+	for pname, reqd := range s.DependentRequired {
+		if _, ok := obj[pname]; ok {
+			if missing := vd.findMissing(obj, reqd); missing != nil {
+				vd.addError(&kind.DependentRequired{Prop: pname, Missing: missing})
+			}
+		}
+	}
+}
+
+func (vd *validator) arrValidate(arr []any) {
+	s := vd.sch
+
+	// minItems --
+	if s.MinItems != nil {
+		if len(arr) < *s.MinItems {
+			vd.addError(&kind.MinItems{Got: len(arr), Want: *s.MinItems})
+		}
+	}
+
+	// maxItems --
+	if s.MaxItems != nil {
+		if len(arr) > *s.MaxItems {
+			vd.addError(&kind.MaxItems{Got: len(arr), Want: *s.MaxItems})
+		}
+	}
+
+	// uniqueItems --
+	if s.UniqueItems && len(arr) > 1 {
+		i, j, k := duplicates(arr)
+		if k != nil {
+			vd.addError(k)
+		} else if i != -1 {
+			vd.addError(&kind.UniqueItems{Duplicates: [2]int{i, j}})
+		}
+	}
+
+	if s.DraftVersion < 2020 {
+		evaluated := 0
+
+		// items --
+		switch items := s.Items.(type) {
+		case *Schema:
+			for i, item := range arr {
+				vd.addErr(vd.validateVal(items, item, strconv.Itoa(i)))
+			}
+			evaluated = len(arr)
+		case []*Schema:
+			min := minInt(len(arr), len(items))
+			for i, item := range arr[:min] {
+				vd.addErr(vd.validateVal(items[i], item, strconv.Itoa(i)))
+			}
+			evaluated = min
+		}
+
+		// additionalItems --
+		if s.AdditionalItems != nil {
+			switch additional := s.AdditionalItems.(type) {
+			case bool:
+				if !additional && evaluated != len(arr) {
+					vd.addError(&kind.AdditionalItems{Count: len(arr) - evaluated})
+				}
+			case *Schema:
+				for i, item := range arr[evaluated:] {
+					vd.addErr(vd.validateVal(additional, item, strconv.Itoa(i)))
+				}
+			}
+		}
+	} else {
+		evaluated := minInt(len(s.PrefixItems), len(arr))
+
+		// prefixItems --
+		for i, item := range arr[:evaluated] {
+			vd.addErr(vd.validateVal(s.PrefixItems[i], item, strconv.Itoa(i)))
+		}
+
+		// items2020 --
+		if s.Items2020 != nil {
+			for i, item := range arr[evaluated:] {
+				vd.addErr(vd.validateVal(s.Items2020, item, strconv.Itoa(i)))
+			}
+		}
+	}
+
+	// contains --
+	if s.Contains != nil {
+		var errors []*ValidationError
+		var matched []int
+
+		for i, item := range arr {
+			if err := vd.validateVal(s.Contains, item, strconv.Itoa(i)); err != nil {
+				errors = append(errors, err.(*ValidationError))
+			} else {
+				matched = append(matched, i)
+				if s.DraftVersion >= 2020 {
+					delete(vd.uneval.items, i)
+				}
+			}
+		}
+
+		// minContains --
+		if s.MinContains != nil {
+			if len(matched) < *s.MinContains {
+				vd.addErrors(errors, &kind.MinContains{Got: matched, Want: *s.MinContains})
+			}
+		} else if len(matched) == 0 {
+			vd.addErrors(errors, &kind.Contains{})
+		}
+
+		// maxContains --
+		if s.MaxContains != nil {
+			if len(matched) > *s.MaxContains {
+				vd.addError(&kind.MaxContains{Got: matched, Want: *s.MaxContains})
+			}
+		}
+	}
+}
+
+func (vd *validator) strValidate(str string) {
+	s := vd.sch
+
+	strLen := -1
+	if s.MinLength != nil || s.MaxLength != nil {
+		strLen = utf8.RuneCount([]byte(str))
+	}
+
+	// minLength --
+	if s.MinLength != nil {
+		if strLen < *s.MinLength {
+			vd.addError(&kind.MinLength{Got: strLen, Want: *s.MinLength})
+		}
+	}
+
+	// maxLength --
+	if s.MaxLength != nil {
+		if strLen > *s.MaxLength {
+			vd.addError(&kind.MaxLength{Got: strLen, Want: *s.MaxLength})
+		}
+	}
+
+	// pattern --
+	if s.Pattern != nil {
+		if !s.Pattern.MatchString(str) {
+			vd.addError(&kind.Pattern{Got: str, Want: s.Pattern.String()})
+		}
+	}
+
+	if s.DraftVersion == 6 {
+		return
+	}
+
+	var err error
+
+	// contentEncoding --
+	decoded := []byte(str)
+	if s.ContentEncoding != nil {
+		decoded, err = s.ContentEncoding.Decode(str)
+		if err != nil {
+			decoded = nil
+			vd.addError(&kind.ContentEncoding{Want: s.ContentEncoding.Name, Err: err})
+		}
+	}
+
+	var deserialized *any
+	if decoded != nil && s.ContentMediaType != nil {
+		if s.ContentSchema == nil {
+			err = s.ContentMediaType.Validate(decoded)
+		} else {
+			var value any
+			value, err = s.ContentMediaType.UnmarshalJSON(decoded)
+			if err == nil {
+				deserialized = &value
+			}
+		}
+		if err != nil {
+			vd.addError(&kind.ContentMediaType{
+				Got:  decoded,
+				Want: s.ContentMediaType.Name,
+				Err:  err,
+			})
+		}
+	}
+
+	if deserialized != nil && s.ContentSchema != nil {
+		sch, meta, resources := s.ContentSchema, vd.meta, vd.resources
+		res := vd.metaResource(sch)
+		if res != nil {
+			meta = res.dialect.getSchema(vd.assertVocabs, vd.vocabularies)
+			sch = meta
+		}
+		if err = sch.validate(*deserialized, vd.regexpEngine, meta, resources, vd.assertVocabs, vd.vocabularies); err != nil {
+			verr := err.(*ValidationError)
+			verr.SchemaURL = s.Location
+			verr.ErrorKind = &kind.ContentSchema{}
+			vd.addErr(verr)
+		}
+	}
+}
+
+func (vd *validator) numValidate(v any) {
+	s := vd.sch
+
+	var numVal *big.Rat
+	num := func() *big.Rat {
+		if numVal == nil {
+			numVal, _ = new(big.Rat).SetString(fmt.Sprintf("%v", v))
+		}
+		return numVal
+	}
+
+	// minimum --
+	if s.Minimum != nil && num().Cmp(s.Minimum) < 0 {
+		vd.addError(&kind.Minimum{Got: num(), Want: s.Minimum})
+	}
+
+	// maximum --
+	if s.Maximum != nil && num().Cmp(s.Maximum) > 0 {
+		vd.addError(&kind.Maximum{Got: num(), Want: s.Maximum})
+	}
+
+	// exclusiveMinimum
+	if s.ExclusiveMinimum != nil && num().Cmp(s.ExclusiveMinimum) <= 0 {
+		vd.addError(&kind.ExclusiveMinimum{Got: num(), Want: s.ExclusiveMinimum})
+	}
+
+	// exclusiveMaximum
+	if s.ExclusiveMaximum != nil && num().Cmp(s.ExclusiveMaximum) >= 0 {
+		vd.addError(&kind.ExclusiveMaximum{Got: num(), Want: s.ExclusiveMaximum})
+	}
+
+	// multipleOf
+	if s.MultipleOf != nil {
+		if q := new(big.Rat).Quo(num(), s.MultipleOf); !q.IsInt() {
+			vd.addError(&kind.MultipleOf{Got: num(), Want: s.MultipleOf})
+		}
+	}
+}
+
+func (vd *validator) condValidate() {
+	s := vd.sch
+
+	// not --
+	if s.Not != nil {
+		if vd.validateSelf(s.Not, "", true) == nil {
+			vd.addError(&kind.Not{})
+		}
+	}
+
+	// allOf --
+	if len(s.AllOf) > 0 {
+		var errors []*ValidationError
+		for _, sch := range s.AllOf {
+			if err := vd.validateSelf(sch, "", false); err != nil {
+				errors = append(errors, err.(*ValidationError))
+				if vd.boolResult {
+					break
+				}
+			}
+		}
+		if len(errors) != 0 {
+			vd.addErrors(errors, &kind.AllOf{})
+		}
+	}
+
+	// anyOf
+	if len(s.AnyOf) > 0 {
+		var matched bool
+		var errors []*ValidationError
+		for _, sch := range s.AnyOf {
+			if err := vd.validateSelf(sch, "", false); err != nil {
+				errors = append(errors, err.(*ValidationError))
+			} else {
+				matched = true
+				// for uneval, all schemas must be evaluated
+				if vd.uneval.isEmpty() {
+					break
+				}
+			}
+		}
+		if !matched {
+			vd.addErrors(errors, &kind.AnyOf{})
+		}
+	}
+
+	// oneOf
+	if len(s.OneOf) > 0 {
+		var matched = -1
+		var errors []*ValidationError
+		for i, sch := range s.OneOf {
+			if err := vd.validateSelf(sch, "", matched != -1); err != nil {
+				if matched == -1 {
+					errors = append(errors, err.(*ValidationError))
+				}
+			} else {
+				if matched == -1 {
+					matched = i
+				} else {
+					vd.addError(&kind.OneOf{Subschemas: []int{matched, i}})
+					break
+				}
+			}
+		}
+		if matched == -1 {
+			vd.addErrors(errors, &kind.OneOf{Subschemas: nil})
+		}
+	}
+
+	// if, then, else --
+	if s.If != nil {
+		if vd.validateSelf(s.If, "", true) == nil {
+			if s.Then != nil {
+				vd.addErr(vd.validateSelf(s.Then, "", false))
+			}
+		} else if s.Else != nil {
+			vd.addErr(vd.validateSelf(s.Else, "", false))
+		}
+	}
+}
+
+func (vd *validator) unevalValidate() {
+	s := vd.sch
+
+	// unevaluatedProperties
+	if obj, ok := vd.v.(map[string]any); ok && s.UnevaluatedProperties != nil {
+		for pname := range vd.uneval.props {
+			if pvalue, ok := obj[pname]; ok {
+				vd.addErr(vd.validateVal(s.UnevaluatedProperties, pvalue, pname))
+			}
+		}
+		vd.uneval.props = nil
+	}
+
+	// unevaluatedItems
+	if arr, ok := vd.v.([]any); ok && s.UnevaluatedItems != nil {
+		for i := range vd.uneval.items {
+			vd.addErr(vd.validateVal(s.UnevaluatedItems, arr[i], strconv.Itoa(i)))
+		}
+		vd.uneval.items = nil
+	}
+}
+
+// validation helpers --
+
+func (vd *validator) validateSelf(sch *Schema, refKw string, boolResult bool) error {
+	scp := vd.scp.child(sch, refKw, vd.scp.vid)
+	uneval := unevalFrom(vd.v, sch, !vd.uneval.isEmpty())
+	subvd := validator{
+		v:            vd.v,
+		vloc:         vd.vloc,
+		sch:          sch,
+		scp:          scp,
+		uneval:       uneval,
+		errors:       nil,
+		boolResult:   vd.boolResult || boolResult,
+		regexpEngine: vd.regexpEngine,
+		meta:         vd.meta,
+		resources:    vd.resources,
+		assertVocabs: vd.assertVocabs,
+		vocabularies: vd.vocabularies,
+	}
+	subvd.handleMeta()
+	uneval, err := subvd.validate()
+	if err == nil {
+		vd.uneval.merge(uneval)
+	}
+	return err
+}
+
+func (vd *validator) validateVal(sch *Schema, v any, vtok string) error {
+	vloc := append(vd.vloc, vtok)
+	scp := vd.scp.child(sch, "", vd.scp.vid+1)
+	uneval := unevalFrom(v, sch, false)
+	subvd := validator{
+		v:            v,
+		vloc:         vloc,
+		sch:          sch,
+		scp:          scp,
+		uneval:       uneval,
+		errors:       nil,
+		boolResult:   vd.boolResult,
+		regexpEngine: vd.regexpEngine,
+		meta:         vd.meta,
+		resources:    vd.resources,
+		assertVocabs: vd.assertVocabs,
+		vocabularies: vd.vocabularies,
+	}
+	subvd.handleMeta()
+	_, err := subvd.validate()
+	return err
+}
+
+func (vd *validator) validateValue(sch *Schema, v any, vpath []string) error {
+	vloc := append(vd.vloc, vpath...)
+	scp := vd.scp.child(sch, "", vd.scp.vid+1)
+	uneval := unevalFrom(v, sch, false)
+	subvd := validator{
+		v:            v,
+		vloc:         vloc,
+		sch:          sch,
+		scp:          scp,
+		uneval:       uneval,
+		errors:       nil,
+		boolResult:   vd.boolResult,
+		regexpEngine: vd.regexpEngine,
+		meta:         vd.meta,
+		resources:    vd.resources,
+		assertVocabs: vd.assertVocabs,
+		vocabularies: vd.vocabularies,
+	}
+	subvd.handleMeta()
+	_, err := subvd.validate()
+	return err
+}
+
+func (vd *validator) metaResource(sch *Schema) *resource {
+	if sch != vd.meta {
+		return nil
+	}
+	ptr := ""
+	for _, tok := range vd.instanceLocation() {
+		ptr += "/"
+		ptr += escape(tok)
+	}
+	return vd.resources[jsonPointer(ptr)]
+}
+
+func (vd *validator) handleMeta() {
+	res := vd.metaResource(vd.sch)
+	if res == nil {
+		return
+	}
+	sch := res.dialect.getSchema(vd.assertVocabs, vd.vocabularies)
+	vd.meta = sch
+	vd.sch = sch
+}
+
+// reference validation --
+
+func (vd *validator) validateRef(sch *Schema, kw string) error {
+	err := vd.validateSelf(sch, kw, false)
+	if err != nil {
+		refErr := vd.error(&kind.Reference{Keyword: kw, URL: sch.Location})
+		verr := err.(*ValidationError)
+		if _, ok := verr.ErrorKind.(*kind.Group); ok {
+			refErr.Causes = verr.Causes
+		} else {
+			refErr.Causes = append(refErr.Causes, verr)
+		}
+		return refErr
+	}
+	return nil
+}
+
+func (vd *validator) resolveRecursiveAnchor(fallback *Schema) *Schema {
+	sch := fallback
+	scp := vd.scp
+	for scp != nil {
+		if scp.sch.resource.RecursiveAnchor {
+			sch = scp.sch
+		}
+		scp = scp.parent
+	}
+	return sch
+}
+
+func (vd *validator) resolveDynamicAnchor(name string, fallback *Schema) *Schema {
+	sch := fallback
+	scp := vd.scp
+	for scp != nil {
+		if dsch, ok := scp.sch.resource.dynamicAnchors[name]; ok {
+			sch = dsch
+		}
+		scp = scp.parent
+	}
+	return sch
+}
+
+func (vd *validator) validateRefs() {
+	// $recursiveRef --
+	if sch := vd.sch.RecursiveRef; sch != nil {
+		if sch.RecursiveAnchor {
+			sch = vd.resolveRecursiveAnchor(sch)
+		}
+		vd.addErr(vd.validateRef(sch, "$recursiveRef"))
+	}
+
+	// $dynamicRef --
+	if dref := vd.sch.DynamicRef; dref != nil {
+		sch := dref.Ref // initial target
+		if dref.Anchor != "" {
+			// $dynamicRef includes anchor
+			if sch.DynamicAnchor == dref.Anchor {
+				// initial target has matching $dynamicAnchor
+				sch = vd.resolveDynamicAnchor(dref.Anchor, sch)
+			}
+		}
+		vd.addErr(vd.validateRef(sch, "$dynamicRef"))
+	}
+}
+
+// error helpers --
+
+func (vd *validator) instanceLocation() []string {
+	return slices.Clone(vd.vloc)
+}
+
+func (vd *validator) error(kind ErrorKind) *ValidationError {
+	if vd.boolResult {
+		return &ValidationError{}
+	}
+	return &ValidationError{
+		SchemaURL:        vd.sch.Location,
+		InstanceLocation: vd.instanceLocation(),
+		ErrorKind:        kind,
+		Causes:           nil,
+	}
+}
+
+func (vd *validator) addErr(err error) {
+	if err != nil {
+		vd.errors = append(vd.errors, err.(*ValidationError))
+	}
+}
+
+func (vd *validator) addError(kind ErrorKind) {
+	vd.errors = append(vd.errors, vd.error(kind))
+}
+
+func (vd *validator) addErrors(errors []*ValidationError, kind ErrorKind) {
+	err := vd.error(kind)
+	err.Causes = errors
+	vd.errors = append(vd.errors, err)
+}
+
+func (vd *validator) findMissing(obj map[string]any, reqd []string) []string {
+	var missing []string
+	for _, pname := range reqd {
+		if _, ok := obj[pname]; !ok {
+			if vd.boolResult {
+				return []string{} // non-nil
+			}
+			missing = append(missing, pname)
+		}
+	}
+	return missing
+}
+
+// --
+
+type scope struct {
+	sch *Schema
+
+	// if empty, compute from self.sch and self.parent.sch.
+	// not empty, only when there is a jump i.e, $ref, $XXXRef
+	refKeyword string
+
+	// unique id of value being validated
+	// if two scopes validate same value, they will have
+	// same vid
+	vid int
+
+	parent *scope
+}
+
+func (sc *scope) child(sch *Schema, refKeyword string, vid int) *scope {
+	return &scope{sch, refKeyword, vid, sc}
+}
+
+func (sc *scope) checkCycle() *scope {
+	scp := sc.parent
+	for scp != nil {
+		if scp.vid != sc.vid {
+			break
+		}
+		if scp.sch == sc.sch {
+			return scp
+		}
+		scp = scp.parent
+	}
+	return nil
+}
+
+func (sc *scope) kwLoc() string {
+	var loc string
+	for sc.parent != nil {
+		if sc.refKeyword != "" {
+			loc = fmt.Sprintf("/%s%s", escape(sc.refKeyword), loc)
+		} else {
+			cur := sc.sch.Location
+			parent := sc.parent.sch.Location
+			loc = fmt.Sprintf("%s%s", cur[len(parent):], loc)
+		}
+		sc = sc.parent
+	}
+	return loc
+}
+
+// --
+
+type uneval struct {
+	props map[string]struct{}
+	items map[int]struct{}
+}
+
+func unevalFrom(v any, sch *Schema, callerNeeds bool) *uneval {
+	uneval := &uneval{}
+	switch v := v.(type) {
+	case map[string]any:
+		if !sch.allPropsEvaluated && (callerNeeds || sch.UnevaluatedProperties != nil) {
+			uneval.props = map[string]struct{}{}
+			for k := range v {
+				uneval.props[k] = struct{}{}
+			}
+		}
+	case []any:
+		if !sch.allItemsEvaluated && (callerNeeds || sch.UnevaluatedItems != nil) && sch.numItemsEvaluated < len(v) {
+			uneval.items = map[int]struct{}{}
+			for i := sch.numItemsEvaluated; i < len(v); i++ {
+				uneval.items[i] = struct{}{}
+			}
+		}
+	}
+	return uneval
+}
+
+func (ue *uneval) merge(other *uneval) {
+	for k := range ue.props {
+		if _, ok := other.props[k]; !ok {
+			delete(ue.props, k)
+		}
+	}
+	for i := range ue.items {
+		if _, ok := other.items[i]; !ok {
+			delete(ue.items, i)
+		}
+	}
+}
+
+func (ue *uneval) isEmpty() bool {
+	return len(ue.props) == 0 && len(ue.items) == 0
+}
+
+// --
+
+type ValidationError struct {
+	// absolute, dereferenced schema location.
+	SchemaURL string
+
+	// location of the JSON value within the instance being validated.
+	InstanceLocation []string
+
+	// kind of error
+	ErrorKind ErrorKind
+
+	// holds nested errors
+	Causes []*ValidationError
+}
+
+type ErrorKind interface {
+	KeywordPath() []string
+	LocalizedString(*message.Printer) string
+}
diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/vocab.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/vocab.go
new file mode 100644
index 0000000000..c81cb700f1
--- /dev/null
+++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/vocab.go
@@ -0,0 +1,111 @@
+package jsonschema
+
+// CompilerContext provides helpers for
+// compiling a [Vocabulary].
+type CompilerContext struct {
+	c *objCompiler
+}
+
+func (ctx *CompilerContext) Enqueue(schPath []string) *Schema {
+	ptr := ctx.c.up.ptr
+	for _, tok := range schPath {
+		ptr = ptr.append(tok)
+	}
+	return ctx.c.enqueuePtr(ptr)
+}
+
+// Vocabulary defines a set of keywords, their syntax and
+// their semantics.
+type Vocabulary struct {
+	// URL identifier for this Vocabulary.
+	URL string
+
+	// Schema that is used to validate the keywords that is introduced by this
+	// vocabulary.
+	Schema *Schema
+
+	// Subschemas lists the possible locations of subschemas introduced by
+	// this vocabulary.
+	Subschemas []SchemaPath
+
+	// Compile compiles the keywords(introduced by this vocabulary) in obj into [SchemaExt].
+	// If obj does not contain any keywords introduced by this vocabulary, nil SchemaExt must
+	// be returned.
+	Compile func(ctx *CompilerContext, obj map[string]any) (SchemaExt, error)
+}
+
+// --
+
+// SchemaExt is compled form of vocabulary.
+type SchemaExt interface {
+	// Validate validates v against and errors if any are reported
+	// to ctx.
+	Validate(ctx *ValidatorContext, v any)
+}
+
+// ValidatorContext provides helpers for
+// validating with [SchemaExt].
+type ValidatorContext struct {
+	vd *validator
+}
+
+// ValueLocation returns location of value as jsonpath token array.
+func (ctx *ValidatorContext) ValueLocation() []string {
+	return ctx.vd.vloc
+}
+
+// Validate validates v with sch. vpath gives path of v from current context value.
+func (ctx *ValidatorContext) Validate(sch *Schema, v any, vpath []string) error {
+	switch len(vpath) {
+	case 0:
+		return ctx.vd.validateSelf(sch, "", false)
+	case 1:
+		return ctx.vd.validateVal(sch, v, vpath[0])
+	default:
+		return ctx.vd.validateValue(sch, v, vpath)
+	}
+}
+
+// EvaluatedProp marks given property of current object as evaluated.
+func (ctx *ValidatorContext) EvaluatedProp(pname string) {
+	delete(ctx.vd.uneval.props, pname)
+}
+
+// EvaluatedItem marks items at given index of current array as evaluated.
+func (ctx *ValidatorContext) EvaluatedItem(index int) {
+	delete(ctx.vd.uneval.items, index)
+}
+
+// AddError reports validation-error of given kind.
+func (ctx *ValidatorContext) AddError(k ErrorKind) {
+	ctx.vd.addError(k)
+}
+
+// AddErrors reports validation-errors of given kind.
+func (ctx *ValidatorContext) AddErrors(errors []*ValidationError, k ErrorKind) {
+	ctx.vd.addErrors(errors, k)
+}
+
+// AddErr reports the given err. This is typically used to report
+// the error created by subschema validation.
+//
+// NOTE that err must be of type *ValidationError.
+func (ctx *ValidatorContext) AddErr(err error) {
+	ctx.vd.addErr(err)
+}
+
+func (ctx *ValidatorContext) Equals(v1, v2 any) (bool, error) {
+	b, k := equals(v1, v2)
+	if k != nil {
+		return false, ctx.vd.error(k)
+	}
+	return b, nil
+}
+
+func (ctx *ValidatorContext) Duplicates(arr []any) (int, int, error) {
+	i, j, k := duplicates(arr)
+	if k != nil {
+		return -1, -1, ctx.vd.error(k)
+	}
+	return i, j, nil
+}
diff --git a/vendor/github.com/shopspring/decimal/.gitignore b/vendor/github.com/shopspring/decimal/.gitignore
new file mode 100644
index 0000000000..ff36b987f0
--- /dev/null
+++ b/vendor/github.com/shopspring/decimal/.gitignore
@@ -0,0 +1,9 @@
+.git
+*.swp
+
+# IntelliJ
+.idea/
+*.iml
+
+# VS code
+*.code-workspace
diff --git a/vendor/github.com/shopspring/decimal/CHANGELOG.md b/vendor/github.com/shopspring/decimal/CHANGELOG.md
new file mode 100644
index 0000000000..432d0fd4ea
--- /dev/null
+++ b/vendor/github.com/shopspring/decimal/CHANGELOG.md
@@ -0,0 +1,76 @@
+## Decimal v1.4.0
+#### BREAKING
+- Drop support for Go version older than 1.10 [#361](https://github.com/shopspring/decimal/pull/361)
+
+#### FEATURES
+- Add implementation of natural logarithm [#339](https://github.com/shopspring/decimal/pull/339) [#357](https://github.com/shopspring/decimal/pull/357)
+- Add improved implementation of power operation [#358](https://github.com/shopspring/decimal/pull/358)
+- Add Compare method which forwards calls to Cmp [#346](https://github.com/shopspring/decimal/pull/346)
+- Add NewFromBigRat constructor [#288](https://github.com/shopspring/decimal/pull/288)
+- Add NewFromUint64 constructor [#352](https://github.com/shopspring/decimal/pull/352)
+
+#### ENHANCEMENTS
+- Migrate to Github Actions [#245](https://github.com/shopspring/decimal/pull/245) [#340](https://github.com/shopspring/decimal/pull/340)
+- Fix examples for RoundDown, RoundFloor, RoundUp, and RoundCeil [#285](https://github.com/shopspring/decimal/pull/285) [#328](https://github.com/shopspring/decimal/pull/328) [#341](https://github.com/shopspring/decimal/pull/341)
+- Use Godoc standard to mark deprecated Equals and StringScaled methods [#342](https://github.com/shopspring/decimal/pull/342)
+- Removed unnecessary min function for RescalePair method [#265](https://github.com/shopspring/decimal/pull/265)
+- Avoid reallocation of initial slice in MarshalBinary (GobEncode) [#355](https://github.com/shopspring/decimal/pull/355)
+- Optimize NumDigits method [#301](https://github.com/shopspring/decimal/pull/301) [#356](https://github.com/shopspring/decimal/pull/356)
+- Optimize BigInt method [#359](https://github.com/shopspring/decimal/pull/359)
+- Support scanning uint64 [#131](https://github.com/shopspring/decimal/pull/131) [#364](https://github.com/shopspring/decimal/pull/364)
+- Add docs section with alternative libraries [#363](https://github.com/shopspring/decimal/pull/363)
+
+#### BUGFIXES
+- Fix incorrect calculation of decimal modulo [#258](https://github.com/shopspring/decimal/pull/258) [#317](https://github.com/shopspring/decimal/pull/317)
+- Allocate new(big.Int) in Copy method to deeply clone it [#278](https://github.com/shopspring/decimal/pull/278)
+- Fix overflow edge case in QuoRem method [#322](https://github.com/shopspring/decimal/pull/322)
+
+## Decimal v1.3.1
+
+#### ENHANCEMENTS
+- Reduce memory allocation in case of initialization from big.Int [#252](https://github.com/shopspring/decimal/pull/252)
+
+#### BUGFIXES
+- Fix binary marshalling of decimal zero value  [#253](https://github.com/shopspring/decimal/pull/253)
+
+## Decimal v1.3.0
+
+#### FEATURES
+- Add NewFromFormattedString initializer [#184](https://github.com/shopspring/decimal/pull/184)
+- Add NewNullDecimal initializer [#234](https://github.com/shopspring/decimal/pull/234)
+- Add implementation of natural exponent function (Taylor, Hull-Abraham) [#229](https://github.com/shopspring/decimal/pull/229)
+- Add RoundUp, RoundDown, RoundCeil, RoundFloor methods [#196](https://github.com/shopspring/decimal/pull/196) [#202](https://github.com/shopspring/decimal/pull/202) [#220](https://github.com/shopspring/decimal/pull/220)
+- Add XML support for NullDecimal [#192](https://github.com/shopspring/decimal/pull/192)
+- Add IsInteger method [#179](https://github.com/shopspring/decimal/pull/179)
+- Add Copy helper method [#123](https://github.com/shopspring/decimal/pull/123)
+- Add InexactFloat64 helper method [#205](https://github.com/shopspring/decimal/pull/205)
+- Add CoefficientInt64 helper method [#244](https://github.com/shopspring/decimal/pull/244)
+
+#### ENHANCEMENTS
+- Performance optimization of NewFromString init method [#198](https://github.com/shopspring/decimal/pull/198)
+- Performance optimization of Abs and Round methods [#240](https://github.com/shopspring/decimal/pull/240)
+- Additional tests (CI) for ppc64le architecture [#188](https://github.com/shopspring/decimal/pull/188)
+
+#### BUGFIXES
+- Fix rounding in FormatFloat fallback path (roundShortest method, fix taken from Go main repository) [#161](https://github.com/shopspring/decimal/pull/161)
+- Add slice range checks to UnmarshalBinary method [#232](https://github.com/shopspring/decimal/pull/232)
+
+## Decimal v1.2.0
+
+#### BREAKING
+- Drop support for Go version older than 1.7 [#172](https://github.com/shopspring/decimal/pull/172)
+
+#### FEATURES
+- Add NewFromInt and NewFromInt32 initializers [#72](https://github.com/shopspring/decimal/pull/72)
+- Add support for Go modules [#157](https://github.com/shopspring/decimal/pull/157)
+- Add BigInt, BigFloat helper methods [#171](https://github.com/shopspring/decimal/pull/171)
+
+#### ENHANCEMENTS
+- Memory usage optimization [#160](https://github.com/shopspring/decimal/pull/160)
+- Updated travis CI golang versions [#156](https://github.com/shopspring/decimal/pull/156)
+- Update documentation [#173](https://github.com/shopspring/decimal/pull/173)
+- Improve code quality [#174](https://github.com/shopspring/decimal/pull/174)
+
+#### BUGFIXES
+- Revert remove insignificant digits [#159](https://github.com/shopspring/decimal/pull/159)
+- Remove 15 interval for RoundCash [#166](https://github.com/shopspring/decimal/pull/166)
diff --git a/vendor/github.com/shopspring/decimal/LICENSE b/vendor/github.com/shopspring/decimal/LICENSE
new file mode 100644
index 0000000000..ad2148aaf9
--- /dev/null
+++ b/vendor/github.com/shopspring/decimal/LICENSE
@@ -0,0 +1,45 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Spring, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+- Based on https://github.com/oguzbilgic/fpd, which has the following license:
+"""
+The MIT License (MIT)
+
+Copyright (c) 2013 Oguz Bilgic
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+"""
diff --git a/vendor/github.com/shopspring/decimal/README.md b/vendor/github.com/shopspring/decimal/README.md
new file mode 100644
index 0000000000..318c9df581
--- /dev/null
+++ b/vendor/github.com/shopspring/decimal/README.md
@@ -0,0 +1,139 @@
+# decimal
+
+[![ci](https://github.com/shopspring/decimal/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/shopspring/decimal/actions/workflows/ci.yml)
+[![GoDoc](https://godoc.org/github.com/shopspring/decimal?status.svg)](https://godoc.org/github.com/shopspring/decimal) 
+[![Go Report Card](https://goreportcard.com/badge/github.com/shopspring/decimal)](https://goreportcard.com/report/github.com/shopspring/decimal)
+
+Arbitrary-precision fixed-point decimal numbers in go.
+
+_Note:_ Decimal library can "only" represent numbers with a maximum of 2^31 digits after the decimal point.
+
+## Features
+
+ * The zero-value is 0, and is safe to use without initialization
+ * Addition, subtraction, multiplication with no loss of precision
+ * Division with specified precision
+ * Database/sql serialization/deserialization
+ * JSON and XML serialization/deserialization
+
+## Install
+
+Run `go get github.com/shopspring/decimal`
+
+## Requirements 
+
+Decimal library requires Go version `>=1.10`
+
+## Documentation
+
+http://godoc.org/github.com/shopspring/decimal
+
+
+## Usage
+
+```go
+package main
+
+import (
+	"fmt"
+	"github.com/shopspring/decimal"
+)
+
+func main() {
+	price, err := decimal.NewFromString("136.02")
+	if err != nil {
+		panic(err)
+	}
+
+	quantity := decimal.NewFromInt(3)
+
+	fee, _ := decimal.NewFromString(".035")
+	taxRate, _ := decimal.NewFromString(".08875")
+
+	subtotal := price.Mul(quantity)
+
+	preTax := subtotal.Mul(fee.Add(decimal.NewFromFloat(1)))
+
+	total := preTax.Mul(taxRate.Add(decimal.NewFromFloat(1)))
+
+	fmt.Println("Subtotal:", subtotal)                      // Subtotal: 408.06
+	fmt.Println("Pre-tax:", preTax)                         // Pre-tax: 422.3421
+	fmt.Println("Taxes:", total.Sub(preTax))                // Taxes: 37.482861375
+	fmt.Println("Total:", total)                            // Total: 459.824961375
+	fmt.Println("Tax rate:", total.Sub(preTax).Div(preTax)) // Tax rate: 0.08875
+}
+```
+
+## Alternative libraries
+
+When working with decimal numbers, you might face problems this library is not perfectly suited for. 
+Fortunately, thanks to the wonderful community we have a dozen other libraries that you can choose from.  
+Explore other alternatives to find the one that best fits your needs :)  
+
+* [cockroachdb/apd](https://github.com/cockroachdb/apd) - arbitrary precision, mutable and rich API similar to `big.Int`, more performant than this library 
+* [alpacahq/alpacadecimal](https://github.com/alpacahq/alpacadecimal) - high performance, low precision (12 digits), fully compatible API with this library 
+* [govalues/decimal](https://github.com/govalues/decimal) - high performance, zero-allocation, low precision (19 digits)
+* [greatcloak/decimal](https://github.com/greatcloak/decimal) - fork focusing on billing and e-commerce web application related use cases, includes out-of-the-box BSON marshaling support
+
+## FAQ
+
+#### Why don't you just use float64?
+
+Because float64 (or any binary floating point type, actually) can't represent
+numbers such as `0.1` exactly.
+
+Consider this code: http://play.golang.org/p/TQBd4yJe6B You might expect that
+it prints out `10`, but it actually prints `9.999999999999831`. Over time,
+these small errors can really add up!
+
+#### Why don't you just use big.Rat?
+
+big.Rat is fine for representing rational numbers, but Decimal is better for
+representing money. Why? Here's a (contrived) example:
+
+Let's say you use big.Rat, and you have two numbers, x and y, both
+representing 1/3, and you have `z = 1 - x - y = 1/3`. If you print each one
+out, the string output has to stop somewhere (let's say it stops at 3 decimal
+digits, for simplicity), so you'll get 0.333, 0.333, and 0.333. But where did
+the other 0.001 go?
+
+Here's the above example as code: http://play.golang.org/p/lCZZs0w9KE
+
+With Decimal, the strings being printed out represent the number exactly. So,
+if you have `x = y = 1/3` (with precision 3), they will actually be equal to
+0.333, and when you do `z = 1 - x - y`, `z` will be equal to .334. No money is
+unaccounted for!
+
+You still have to be careful. If you want to split a number `N` 3 ways, you
+can't just send `N/3` to three different people. You have to pick one to send
+`N - (2/3*N)` to. That person will receive the fraction of a penny remainder.
+
+But, it is much easier to be careful with Decimal than with big.Rat.
+
+#### Why isn't the API similar to big.Int's?
+
+big.Int's API is built to reduce the number of memory allocations for maximal
+performance. This makes sense for its use-case, but the trade-off is that the
+API is awkward and easy to misuse.
+
+For example, to add two big.Ints, you do: `z := new(big.Int).Add(x, y)`. A
+developer unfamiliar with this API might try to do `z := a.Add(a, b)`. This
+modifies `a` and sets `z` as an alias for `a`, which they might not expect. It
+also modifies any other aliases to `a`.
+
+Here's an example of the subtle bugs you can introduce with big.Int's API:
+https://play.golang.org/p/x2R_78pa8r
+
+In contrast, it's difficult to make such mistakes with decimal. Decimals
+behave like other go numbers types: even though `a = b` will not deep copy
+`b` into `a`, it is impossible to modify a Decimal, since all Decimal methods
+return new Decimals and do not modify the originals. The downside is that
+this causes extra allocations, so Decimal is less performant.  My assumption
+is that if you're using Decimals, you probably care more about correctness
+than performance.
+
+## License
+
+The MIT License (MIT)
+
+This is a heavily modified fork of [fpd.Decimal](https://github.com/oguzbilgic/fpd), which was also released under the MIT License.
diff --git a/vendor/github.com/shopspring/decimal/const.go b/vendor/github.com/shopspring/decimal/const.go
new file mode 100644
index 0000000000..e5d6fa87e8
--- /dev/null
+++ b/vendor/github.com/shopspring/decimal/const.go
@@ -0,0 +1,63 @@
+package decimal
+
+import (
+	"strings"
+)
+
+const (
+	strLn10 = "2.302585092994045684017991454684364207601101488628772976033327900967572609677352480235997205089598298341967784042286248633409525465082806756666287369098781689482907208325554680843799894826233198528393505308965377732628846163366222287698219886746543667474404243274365155048934314939391479619404400222105101714174800368808401264708068556774321622835522011480466371565912137345074785694768346361679210180644507064800027750268491674655058685693567342067058113642922455440575892572420824131469568901675894025677631135691929203337658714166023010570308963457207544037084746994016826928280848118428931484852494864487192780967627127577539702766860595249671667418348570442250719796500471495105049221477656763693866297697952211071826454973477266242570942932258279850258550978526538320760672631716430950599508780752371033310119785754733154142180842754386359177811705430982748238504564801909561029929182431823752535770975053956518769751037497088869218020518933950723853920514463419726528728696511086257149219884997874887377134568620916705849807828059751193854445009978131146915934666241071846692310107598438319191292230792503747298650929009880391941702654416816335727555703151596113564846546190897042819763365836983716328982174407366009162177850541779276367731145041782137660111010731042397832521894898817597921798666394319523936855916447118246753245630912528778330963604262982153040874560927760726641354787576616262926568298704957954913954918049209069438580790032763017941503117866862092408537949861264933479354871737451675809537088281067452440105892444976479686075120275724181874989395971643105518848195288330746699317814634930000321200327765654130472621883970596794457943468343218395304414844803701305753674262153675579814770458031413637793236291560128185336498466942261465206459942072917119370602444929358037007718981097362533224548366988505528285966192805098447175198503666680874970496982273220244823343097169111136813588418696549323714996941979687803008850408979618598756579894836445212043698216415292987811742973332588607915912510967187510929248475023930572665446276200923068791518135803477701295593646298412366497023355174586195564772461857717369368404676577047874319780573853271810933883496338813069945569399346101090745616033312247949360455361849123333063704751724871276379140924398331810164737823379692265637682071706935846394531616949411701841938119405416449466111274712819705817783293841742231409930022911502362192186723337268385688273533371925103412930705632544426611429765388301822384091026198582888433587455960453004548370789052578473166283701953392231047527564998119228742789713715713228319641003422124210082180679525276689858180956119208391760721080919923461516952599099473782780648128058792731993893453415320185969711021407542282796298237068941764740642225757212455392526179373652434440560595336591539160312524480149313234572453879524389036839236450507881731359711238145323701508413491122324390927681724749607955799151363982881058285740538000653371655553014196332241918087621018204919492651483892"
+)
+
+var (
+	ln10 = newConstApproximation(strLn10)
+)
+
+type constApproximation struct {
+	exact          Decimal
+	approximations []Decimal
+}
+
+func newConstApproximation(value string) constApproximation {
+	parts := strings.Split(value, ".")
+	coeff, fractional := parts[0], parts[1]
+
+	coeffLen := len(coeff)
+	maxPrecision := len(fractional)
+
+	var approximations []Decimal
+	for p := 1; p < maxPrecision; p *= 2 {
+		r := RequireFromString(value[:coeffLen+p])
+		approximations = append(approximations, r)
+	}
+
+	return constApproximation{
+		RequireFromString(value),
+		approximations,
+	}
+}
+
+// Returns the smallest approximation available that's at least as precise
+// as the passed precision (places after decimal point), i.e. Floor[ log2(precision) ] + 1
+func (c constApproximation) withPrecision(precision int32) Decimal {
+	i := 0
+
+	if precision >= 1 {
+		i++
+	}
+
+	for precision >= 16 {
+		precision /= 16
+		i += 4
+	}
+
+	for precision >= 2 {
+		precision /= 2
+		i++
+	}
+
+	if i >= len(c.approximations) {
+		return c.exact
+	}
+
+	return c.approximations[i]
+}
diff --git a/vendor/github.com/shopspring/decimal/decimal-go.go b/vendor/github.com/shopspring/decimal/decimal-go.go
new file mode 100644
index 0000000000..9958d69020
--- /dev/null
+++ b/vendor/github.com/shopspring/decimal/decimal-go.go
@@ -0,0 +1,415 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Multiprecision decimal numbers.
+// For floating-point formatting only; not general purpose.
+// Only operations are assign and (binary) left/right shift.
+// Can do binary floating point in multiprecision decimal precisely
+// because 2 divides 10; cannot do decimal floating point
+// in multiprecision binary precisely.
+
+package decimal
+
+type decimal struct {
+	d     [800]byte // digits, big-endian representation
+	nd    int       // number of digits used
+	dp    int       // decimal point
+	neg   bool      // negative flag
+	trunc bool      // discarded nonzero digits beyond d[:nd]
+}
+
+func (a *decimal) String() string {
+	n := 10 + a.nd
+	if a.dp > 0 {
+		n += a.dp
+	}
+	if a.dp < 0 {
+		n += -a.dp
+	}
+
+	buf := make([]byte, n)
+	w := 0
+	switch {
+	case a.nd == 0:
+		return "0"
+
+	case a.dp <= 0:
+		// zeros fill space between decimal point and digits
+		buf[w] = '0'
+		w++
+		buf[w] = '.'
+		w++
+		w += digitZero(buf[w : w+-a.dp])
+		w += copy(buf[w:], a.d[0:a.nd])
+
+	case a.dp < a.nd:
+		// decimal point in middle of digits
+		w += copy(buf[w:], a.d[0:a.dp])
+		buf[w] = '.'
+		w++
+		w += copy(buf[w:], a.d[a.dp:a.nd])
+
+	default:
+		// zeros fill space between digits and decimal point
+		w += copy(buf[w:], a.d[0:a.nd])
+		w += digitZero(buf[w : w+a.dp-a.nd])
+	}
+	return string(buf[0:w])
+}
+
+func digitZero(dst []byte) int {
+	for i := range dst {
+		dst[i] = '0'
+	}
+	return len(dst)
+}
+
+// trim trailing zeros from number.
+// (They are meaningless; the decimal point is tracked
+// independent of the number of digits.)
+func trim(a *decimal) {
+	for a.nd > 0 && a.d[a.nd-1] == '0' {
+		a.nd--
+	}
+	if a.nd == 0 {
+		a.dp = 0
+	}
+}
+
+// Assign v to a.
+func (a *decimal) Assign(v uint64) {
+	var buf [24]byte
+
+	// Write reversed decimal in buf.
+	n := 0
+	for v > 0 {
+		v1 := v / 10
+		v -= 10 * v1
+		buf[n] = byte(v + '0')
+		n++
+		v = v1
+	}
+
+	// Reverse again to produce forward decimal in a.d.
+	a.nd = 0
+	for n--; n >= 0; n-- {
+		a.d[a.nd] = buf[n]
+		a.nd++
+	}
+	a.dp = a.nd
+	trim(a)
+}
+
+// Maximum shift that we can do in one pass without overflow.
+// A uint has 32 or 64 bits, and we have to be able to accommodate 9<<k.
+const uintSize = 32 << (^uint(0) >> 63)
+const maxShift = uintSize - 4
+
+// Binary shift right (/ 2) by k bits.  k <= maxShift to avoid overflow.
+func rightShift(a *decimal, k uint) {
+	r := 0 // read pointer
+	w := 0 // write pointer
+
+	// Pick up enough leading digits to cover first shift.
+	var n uint
+	for ; n>>k == 0; r++ {
+		if r >= a.nd {
+			if n == 0 {
+				// a == 0; shouldn't get here, but handle anyway.
+				a.nd = 0
+				return
+			}
+			for n>>k == 0 {
+				n = n * 10
+				r++
+			}
+			break
+		}
+		c := uint(a.d[r])
+		n = n*10 + c - '0'
+	}
+	a.dp -= r - 1
+
+	var mask uint = (1 << k) - 1
+
+	// Pick up a digit, put down a digit.
+	for ; r < a.nd; r++ {
+		c := uint(a.d[r])
+		dig := n >> k
+		n &= mask
+		a.d[w] = byte(dig + '0')
+		w++
+		n = n*10 + c - '0'
+	}
+
+	// Put down extra digits.
+	for n > 0 {
+		dig := n >> k
+		n &= mask
+		if w < len(a.d) {
+			a.d[w] = byte(dig + '0')
+			w++
+		} else if dig > 0 {
+			a.trunc = true
+		}
+		n = n * 10
+	}
+
+	a.nd = w
+	trim(a)
+}
+
+// Cheat sheet for left shift: table indexed by shift count giving
+// number of new digits that will be introduced by that shift.
+//
+// For example, leftcheats[4] = {2, "625"}.  That means that
+// if we are shifting by 4 (multiplying by 16), it will add 2 digits
+// when the string prefix is "625" through "999", and one fewer digit
+// if the string prefix is "000" through "624".
+//
+// Credit for this trick goes to Ken.
+
+type leftCheat struct {
+	delta  int    // number of new digits
+	cutoff string // minus one digit if original < a.
+}
+
+var leftcheats = []leftCheat{
+	// Leading digits of 1/2^i = 5^i.
+	// 5^23 is not an exact 64-bit floating point number,
+	// so have to use bc for the math.
+	// Go up to 60 to be large enough for 32bit and 64bit platforms.
+	/*
+		seq 60 | sed 's/^/5^/' | bc |
+		awk 'BEGIN{ print "\t{ 0, \"\" }," }
+		{
+			log2 = log(2)/log(10)
+			printf("\t{ %d, \"%s\" },\t// * %d\n",
+				int(log2*NR+1), $0, 2**NR)
+		}'
+	*/
+	{0, ""},
+	{1, "5"},                                           // * 2
+	{1, "25"},                                          // * 4
+	{1, "125"},                                         // * 8
+	{2, "625"},                                         // * 16
+	{2, "3125"},                                        // * 32
+	{2, "15625"},                                       // * 64
+	{3, "78125"},                                       // * 128
+	{3, "390625"},                                      // * 256
+	{3, "1953125"},                                     // * 512
+	{4, "9765625"},                                     // * 1024
+	{4, "48828125"},                                    // * 2048
+	{4, "244140625"},                                   // * 4096
+	{4, "1220703125"},                                  // * 8192
+	{5, "6103515625"},                                  // * 16384
+	{5, "30517578125"},                                 // * 32768
+	{5, "152587890625"},                                // * 65536
+	{6, "762939453125"},                                // * 131072
+	{6, "3814697265625"},                               // * 262144
+	{6, "19073486328125"},                              // * 524288
+	{7, "95367431640625"},                              // * 1048576
+	{7, "476837158203125"},                             // * 2097152
+	{7, "2384185791015625"},                            // * 4194304
+	{7, "11920928955078125"},                           // * 8388608
+	{8, "59604644775390625"},                           // * 16777216
+	{8, "298023223876953125"},                          // * 33554432
+	{8, "1490116119384765625"},                         // * 67108864
+	{9, "7450580596923828125"},                         // * 134217728
+	{9, "37252902984619140625"},                        // * 268435456
+	{9, "186264514923095703125"},                       // * 536870912
+	{10, "931322574615478515625"},                      // * 1073741824
+	{10, "4656612873077392578125"},                     // * 2147483648
+	{10, "23283064365386962890625"},                    // * 4294967296
+	{10, "116415321826934814453125"},                   // * 8589934592
+	{11, "582076609134674072265625"},                   // * 17179869184
+	{11, "2910383045673370361328125"},                  // * 34359738368
+	{11, "14551915228366851806640625"},                 // * 68719476736
+	{12, "72759576141834259033203125"},                 // * 137438953472
+	{12, "363797880709171295166015625"},                // * 274877906944
+	{12, "1818989403545856475830078125"},               // * 549755813888
+	{13, "9094947017729282379150390625"},               // * 1099511627776
+	{13, "45474735088646411895751953125"},              // * 2199023255552
+	{13, "227373675443232059478759765625"},             // * 4398046511104
+	{13, "1136868377216160297393798828125"},            // * 8796093022208
+	{14, "5684341886080801486968994140625"},            // * 17592186044416
+	{14, "28421709430404007434844970703125"},           // * 35184372088832
+	{14, "142108547152020037174224853515625"},          // * 70368744177664
+	{15, "710542735760100185871124267578125"},          // * 140737488355328
+	{15, "3552713678800500929355621337890625"},         // * 281474976710656
+	{15, "17763568394002504646778106689453125"},        // * 562949953421312
+	{16, "88817841970012523233890533447265625"},        // * 1125899906842624
+	{16, "444089209850062616169452667236328125"},       // * 2251799813685248
+	{16, "2220446049250313080847263336181640625"},      // * 4503599627370496
+	{16, "11102230246251565404236316680908203125"},     // * 9007199254740992
+	{17, "55511151231257827021181583404541015625"},     // * 18014398509481984
+	{17, "277555756156289135105907917022705078125"},    // * 36028797018963968
+	{17, "1387778780781445675529539585113525390625"},   // * 72057594037927936
+	{18, "6938893903907228377647697925567626953125"},   // * 144115188075855872
+	{18, "34694469519536141888238489627838134765625"},  // * 288230376151711744
+	{18, "173472347597680709441192448139190673828125"}, // * 576460752303423488
+	{19, "867361737988403547205962240695953369140625"}, // * 1152921504606846976
+}
+
+// Is the leading prefix of b lexicographically less than s?
+func prefixIsLessThan(b []byte, s string) bool {
+	for i := 0; i < len(s); i++ {
+		if i >= len(b) {
+			return true
+		}
+		if b[i] != s[i] {
+			return b[i] < s[i]
+		}
+	}
+	return false
+}
+
+// Binary shift left (* 2) by k bits.  k <= maxShift to avoid overflow.
+func leftShift(a *decimal, k uint) {
+	delta := leftcheats[k].delta
+	if prefixIsLessThan(a.d[0:a.nd], leftcheats[k].cutoff) {
+		delta--
+	}
+
+	r := a.nd         // read index
+	w := a.nd + delta // write index
+
+	// Pick up a digit, put down a digit.
+	var n uint
+	for r--; r >= 0; r-- {
+		n += (uint(a.d[r]) - '0') << k
+		quo := n / 10
+		rem := n - 10*quo
+		w--
+		if w < len(a.d) {
+			a.d[w] = byte(rem + '0')
+		} else if rem != 0 {
+			a.trunc = true
+		}
+		n = quo
+	}
+
+	// Put down extra digits.
+	for n > 0 {
+		quo := n / 10
+		rem := n - 10*quo
+		w--
+		if w < len(a.d) {
+			a.d[w] = byte(rem + '0')
+		} else if rem != 0 {
+			a.trunc = true
+		}
+		n = quo
+	}
+
+	a.nd += delta
+	if a.nd >= len(a.d) {
+		a.nd = len(a.d)
+	}
+	a.dp += delta
+	trim(a)
+}
+
+// Binary shift left (k > 0) or right (k < 0).
+func (a *decimal) Shift(k int) {
+	switch {
+	case a.nd == 0:
+		// nothing to do: a == 0
+	case k > 0:
+		for k > maxShift {
+			leftShift(a, maxShift)
+			k -= maxShift
+		}
+		leftShift(a, uint(k))
+	case k < 0:
+		for k < -maxShift {
+			rightShift(a, maxShift)
+			k += maxShift
+		}
+		rightShift(a, uint(-k))
+	}
+}
+
+// If we chop a at nd digits, should we round up?
+func shouldRoundUp(a *decimal, nd int) bool {
+	if nd < 0 || nd >= a.nd {
+		return false
+	}
+	if a.d[nd] == '5' && nd+1 == a.nd { // exactly halfway - round to even
+		// if we truncated, a little higher than what's recorded - always round up
+		if a.trunc {
+			return true
+		}
+		return nd > 0 && (a.d[nd-1]-'0')%2 != 0
+	}
+	// not halfway - digit tells all
+	return a.d[nd] >= '5'
+}
+
+// Round a to nd digits (or fewer).
+// If nd is zero, it means we're rounding
+// just to the left of the digits, as in
+// 0.09 -> 0.1.
+func (a *decimal) Round(nd int) {
+	if nd < 0 || nd >= a.nd {
+		return
+	}
+	if shouldRoundUp(a, nd) {
+		a.RoundUp(nd)
+	} else {
+		a.RoundDown(nd)
+	}
+}
+
+// Round a down to nd digits (or fewer).
+func (a *decimal) RoundDown(nd int) {
+	if nd < 0 || nd >= a.nd {
+		return
+	}
+	a.nd = nd
+	trim(a)
+}
+
+// Round a up to nd digits (or fewer).
+func (a *decimal) RoundUp(nd int) {
+	if nd < 0 || nd >= a.nd {
+		return
+	}
+
+	// round up
+	for i := nd - 1; i >= 0; i-- {
+		c := a.d[i]
+		if c < '9' { // can stop after this digit
+			a.d[i]++
+			a.nd = i + 1
+			return
+		}
+	}
+
+	// Number is all 9s.
+	// Change to single 1 with adjusted decimal point.
+	a.d[0] = '1'
+	a.nd = 1
+	a.dp++
+}
+
+// Extract integer part, rounded appropriately.
+// No guarantees about overflow.
+func (a *decimal) RoundedInteger() uint64 {
+	if a.dp > 20 {
+		return 0xFFFFFFFFFFFFFFFF
+	}
+	var i int
+	n := uint64(0)
+	for i = 0; i < a.dp && i < a.nd; i++ {
+		n = n*10 + uint64(a.d[i]-'0')
+	}
+	for ; i < a.dp; i++ {
+		n *= 10
+	}
+	if shouldRoundUp(a, a.dp) {
+		n++
+	}
+	return n
+}
diff --git a/vendor/github.com/shopspring/decimal/decimal.go b/vendor/github.com/shopspring/decimal/decimal.go
new file mode 100644
index 0000000000..a37a2301ef
--- /dev/null
+++ b/vendor/github.com/shopspring/decimal/decimal.go
@@ -0,0 +1,2339 @@
+// Package decimal implements an arbitrary precision fixed-point decimal.
+//
+// The zero-value of a Decimal is 0, as you would expect.
+//
+// The best way to create a new Decimal is to use decimal.NewFromString, ex:
+//
+//	n, err := decimal.NewFromString("-123.4567")
+//	n.String() // output: "-123.4567"
+//
+// To use Decimal as part of a struct:
+//
+//	type StructName struct {
+//	    Number Decimal
+//	}
+//
+// Note: This can "only" represent numbers with a maximum of 2^31 digits after the decimal point.
+package decimal
+
+import (
+	"database/sql/driver"
+	"encoding/binary"
+	"fmt"
+	"math"
+	"math/big"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+// DivisionPrecision is the number of decimal places in the result when it
+// doesn't divide exactly.
+//
+// Example:
+//
+//	d1 := decimal.NewFromFloat(2).Div(decimal.NewFromFloat(3))
+//	d1.String() // output: "0.6666666666666667"
+//	d2 := decimal.NewFromFloat(2).Div(decimal.NewFromFloat(30000))
+//	d2.String() // output: "0.0000666666666667"
+//	d3 := decimal.NewFromFloat(20000).Div(decimal.NewFromFloat(3))
+//	d3.String() // output: "6666.6666666666666667"
+//	decimal.DivisionPrecision = 3
+//	d4 := decimal.NewFromFloat(2).Div(decimal.NewFromFloat(3))
+//	d4.String() // output: "0.667"
+var DivisionPrecision = 16
+
+// PowPrecisionNegativeExponent specifies the maximum precision of the result (digits after decimal point)
+// when calculating decimal power. Only used for cases where the exponent is a negative number.
+// This constant applies to Pow, PowInt32 and PowBigInt methods, PowWithPrecision method is not constrained by it.
+//
+// Example:
+//
+//	d1, err := decimal.NewFromFloat(15.2).PowInt32(-2)
+//	d1.String() // output: "0.0043282548476454"
+//
+//	decimal.PowPrecisionNegativeExponent = 24
+//	d2, err := decimal.NewFromFloat(15.2).PowInt32(-2)
+//	d2.String() // output: "0.004328254847645429362881"
+var PowPrecisionNegativeExponent = 16
+
+// MarshalJSONWithoutQuotes should be set to true if you want the decimal to
+// be JSON marshaled as a number, instead of as a string.
+// WARNING: this is dangerous for decimals with many digits, since many JSON
+// unmarshallers (ex: Javascript's) will unmarshal JSON numbers to IEEE 754
+// double-precision floating point numbers, which means you can potentially
+// silently lose precision.
+var MarshalJSONWithoutQuotes = false
+
+// ExpMaxIterations specifies the maximum number of iterations needed to calculate
+// precise natural exponent value using ExpHullAbrham method.
+var ExpMaxIterations = 1000
+
+// Zero constant, to make computations faster.
+// Zero should never be compared with == or != directly, please use decimal.Equal or decimal.Cmp instead.
+var Zero = New(0, 1)
+
+var zeroInt = big.NewInt(0)
+var oneInt = big.NewInt(1)
+var twoInt = big.NewInt(2)
+var fourInt = big.NewInt(4)
+var fiveInt = big.NewInt(5)
+var tenInt = big.NewInt(10)
+var twentyInt = big.NewInt(20)
+
+var factorials = []Decimal{New(1, 0)}
+
+// Decimal represents a fixed-point decimal. It is immutable.
+// number = value * 10 ^ exp
+type Decimal struct {
+	value *big.Int
+
+	// NOTE(vadim): this must be an int32, because we cast it to float64 during
+	// calculations. If exp is 64 bit, we might lose precision.
+	// If we cared about being able to represent every possible decimal, we
+	// could make exp a *big.Int but it would hurt performance and numbers
+	// like that are unrealistic.
+	exp int32
+}
+
+// New returns a new fixed-point decimal, value * 10 ^ exp.
+func New(value int64, exp int32) Decimal {
+	return Decimal{
+		value: big.NewInt(value),
+		exp:   exp,
+	}
+}
+
+// NewFromInt converts an int64 to Decimal.
+//
+// Example:
+//
+//	NewFromInt(123).String() // output: "123"
+//	NewFromInt(-10).String() // output: "-10"
+func NewFromInt(value int64) Decimal {
+	return Decimal{
+		value: big.NewInt(value),
+		exp:   0,
+	}
+}
+
+// NewFromInt32 converts an int32 to Decimal.
+//
+// Example:
+//
+//	NewFromInt(123).String() // output: "123"
+//	NewFromInt(-10).String() // output: "-10"
+func NewFromInt32(value int32) Decimal {
+	return Decimal{
+		value: big.NewInt(int64(value)),
+		exp:   0,
+	}
+}
+
+// NewFromUint64 converts an uint64 to Decimal.
+//
+// Example:
+//
+//	NewFromUint64(123).String() // output: "123"
+func NewFromUint64(value uint64) Decimal {
+	return Decimal{
+		value: new(big.Int).SetUint64(value),
+		exp:   0,
+	}
+}
+
+// NewFromBigInt returns a new Decimal from a big.Int, value * 10 ^ exp
+func NewFromBigInt(value *big.Int, exp int32) Decimal {
+	return Decimal{
+		value: new(big.Int).Set(value),
+		exp:   exp,
+	}
+}
+
+// NewFromBigRat returns a new Decimal from a big.Rat. The numerator and
+// denominator are divided and rounded to the given precision.
+//
+// Example:
+//
+//	d1 := NewFromBigRat(big.NewRat(0, 1), 0)    // output: "0"
+//	d2 := NewFromBigRat(big.NewRat(4, 5), 1)    // output: "0.8"
+//	d3 := NewFromBigRat(big.NewRat(1000, 3), 3) // output: "333.333"
+//	d4 := NewFromBigRat(big.NewRat(2, 7), 4)    // output: "0.2857"
+func NewFromBigRat(value *big.Rat, precision int32) Decimal {
+	return Decimal{
+		value: new(big.Int).Set(value.Num()),
+		exp:   0,
+	}.DivRound(Decimal{
+		value: new(big.Int).Set(value.Denom()),
+		exp:   0,
+	}, precision)
+}
+
+// NewFromString returns a new Decimal from a string representation.
+// Trailing zeroes are not trimmed.
+//
+// Example:
+//
+//	d, err := NewFromString("-123.45")
+//	d2, err := NewFromString(".0001")
+//	d3, err := NewFromString("1.47000")
+func NewFromString(value string) (Decimal, error) {
+	originalInput := value
+	var intString string
+	var exp int64
+
+	// Check if number is using scientific notation
+	eIndex := strings.IndexAny(value, "Ee")
+	if eIndex != -1 {
+		expInt, err := strconv.ParseInt(value[eIndex+1:], 10, 32)
+		if err != nil {
+			if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange {
+				return Decimal{}, fmt.Errorf("can't convert %s to decimal: fractional part too long", value)
+			}
+			return Decimal{}, fmt.Errorf("can't convert %s to decimal: exponent is not numeric", value)
+		}
+		value = value[:eIndex]
+		exp = expInt
+	}
+
+	pIndex := -1
+	vLen := len(value)
+	for i := 0; i < vLen; i++ {
+		if value[i] == '.' {
+			if pIndex > -1 {
+				return Decimal{}, fmt.Errorf("can't convert %s to decimal: too many .s", value)
+			}
+			pIndex = i
+		}
+	}
+
+	if pIndex == -1 {
+		// There is no decimal point, we can just parse the original string as
+		// an int
+		intString = value
+	} else {
+		if pIndex+1 < vLen {
+			intString = value[:pIndex] + value[pIndex+1:]
+		} else {
+			intString = value[:pIndex]
+		}
+		expInt := -len(value[pIndex+1:])
+		exp += int64(expInt)
+	}
+
+	var dValue *big.Int
+	// strconv.ParseInt is faster than new(big.Int).SetString so this is just a shortcut for strings we know won't overflow
+	if len(intString) <= 18 {
+		parsed64, err := strconv.ParseInt(intString, 10, 64)
+		if err != nil {
+			return Decimal{}, fmt.Errorf("can't convert %s to decimal", value)
+		}
+		dValue = big.NewInt(parsed64)
+	} else {
+		dValue = new(big.Int)
+		_, ok := dValue.SetString(intString, 10)
+		if !ok {
+			return Decimal{}, fmt.Errorf("can't convert %s to decimal", value)
+		}
+	}
+
+	if exp < math.MinInt32 || exp > math.MaxInt32 {
+		// NOTE(vadim): I doubt a string could realistically be this long
+		return Decimal{}, fmt.Errorf("can't convert %s to decimal: fractional part too long", originalInput)
+	}
+
+	return Decimal{
+		value: dValue,
+		exp:   int32(exp),
+	}, nil
+}
+
+// NewFromFormattedString returns a new Decimal from a formatted string representation.
+// The second argument - replRegexp, is a regular expression that is used to find characters that should be
+// removed from given decimal string representation. All matched characters will be replaced with an empty string.
+//
+// Example:
+//
+//	r := regexp.MustCompile("[$,]")
+//	d1, err := NewFromFormattedString("$5,125.99", r)
+//
+//	r2 := regexp.MustCompile("[_]")
+//	d2, err := NewFromFormattedString("1_000_000", r2)
+//
+//	r3 := regexp.MustCompile("[USD\\s]")
+//	d3, err := NewFromFormattedString("5000 USD", r3)
+func NewFromFormattedString(value string, replRegexp *regexp.Regexp) (Decimal, error) {
+	parsedValue := replRegexp.ReplaceAllString(value, "")
+	d, err := NewFromString(parsedValue)
+	if err != nil {
+		return Decimal{}, err
+	}
+	return d, nil
+}
+
+// RequireFromString returns a new Decimal from a string representation
+// or panics if NewFromString had returned an error.
+//
+// Example:
+//
+//	d := RequireFromString("-123.45")
+//	d2 := RequireFromString(".0001")
+func RequireFromString(value string) Decimal {
+	dec, err := NewFromString(value)
+	if err != nil {
+		panic(err)
+	}
+	return dec
+}
+
+// NewFromFloat converts a float64 to Decimal.
+//
+// The converted number will contain the number of significant digits that can be
+// represented in a float with reliable roundtrip.
+// This is typically 15 digits, but may be more in some cases.
+// See https://www.exploringbinary.com/decimal-precision-of-binary-floating-point-numbers/ for more information.
+//
+// For slightly faster conversion, use NewFromFloatWithExponent where you can specify the precision in absolute terms.
+//
+// NOTE: this will panic on NaN, +/-inf
+func NewFromFloat(value float64) Decimal {
+	if value == 0 {
+		return New(0, 0)
+	}
+	return newFromFloat(value, math.Float64bits(value), &float64info)
+}
+
+// NewFromFloat32 converts a float32 to Decimal.
+//
+// The converted number will contain the number of significant digits that can be
+// represented in a float with reliable roundtrip.
+// This is typically 6-8 digits depending on the input.
+// See https://www.exploringbinary.com/decimal-precision-of-binary-floating-point-numbers/ for more information.
+//
+// For slightly faster conversion, use NewFromFloatWithExponent where you can specify the precision in absolute terms.
+//
+// NOTE: this will panic on NaN, +/-inf
+func NewFromFloat32(value float32) Decimal {
+	if value == 0 {
+		return New(0, 0)
+	}
+	// XOR is workaround for https://github.com/golang/go/issues/26285
+	a := math.Float32bits(value) ^ 0x80808080
+	return newFromFloat(float64(value), uint64(a)^0x80808080, &float32info)
+}
+
+func newFromFloat(val float64, bits uint64, flt *floatInfo) Decimal {
+	if math.IsNaN(val) || math.IsInf(val, 0) {
+		panic(fmt.Sprintf("Cannot create a Decimal from %v", val))
+	}
+	exp := int(bits>>flt.mantbits) & (1<<flt.expbits - 1)
+	mant := bits & (uint64(1)<<flt.mantbits - 1)
+
+	switch exp {
+	case 0:
+		// denormalized
+		exp++
+
+	default:
+		// add implicit top bit
+		mant |= uint64(1) << flt.mantbits
+	}
+	exp += flt.bias
+
+	var d decimal
+	d.Assign(mant)
+	d.Shift(exp - int(flt.mantbits))
+	d.neg = bits>>(flt.expbits+flt.mantbits) != 0
+
+	roundShortest(&d, mant, exp, flt)
+	// If less than 19 digits, we can do calculation in an int64.
+	if d.nd < 19 {
+		tmp := int64(0)
+		m := int64(1)
+		for i := d.nd - 1; i >= 0; i-- {
+			tmp += m * int64(d.d[i]-'0')
+			m *= 10
+		}
+		if d.neg {
+			tmp *= -1
+		}
+		return Decimal{value: big.NewInt(tmp), exp: int32(d.dp) - int32(d.nd)}
+	}
+	dValue := new(big.Int)
+	dValue, ok := dValue.SetString(string(d.d[:d.nd]), 10)
+	if ok {
+		return Decimal{value: dValue, exp: int32(d.dp) - int32(d.nd)}
+	}
+
+	return NewFromFloatWithExponent(val, int32(d.dp)-int32(d.nd))
+}
+
+// NewFromFloatWithExponent converts a float64 to Decimal, with an arbitrary
+// number of fractional digits.
+//
+// Example:
+//
+//	NewFromFloatWithExponent(123.456, -2).String() // output: "123.46"
+func NewFromFloatWithExponent(value float64, exp int32) Decimal {
+	if math.IsNaN(value) || math.IsInf(value, 0) {
+		panic(fmt.Sprintf("Cannot create a Decimal from %v", value))
+	}
+
+	bits := math.Float64bits(value)
+	mant := bits & (1<<52 - 1)
+	exp2 := int32((bits >> 52) & (1<<11 - 1))
+	sign := bits >> 63
+
+	if exp2 == 0 {
+		// specials
+		if mant == 0 {
+			return Decimal{}
+		}
+		// subnormal
+		exp2++
+	} else {
+		// normal
+		mant |= 1 << 52
+	}
+
+	exp2 -= 1023 + 52
+
+	// normalizing base-2 values
+	for mant&1 == 0 {
+		mant = mant >> 1
+		exp2++
+	}
+
+	// maximum number of fractional base-10 digits to represent 2^N exactly cannot be more than -N if N<0
+	if exp < 0 && exp < exp2 {
+		if exp2 < 0 {
+			exp = exp2
+		} else {
+			exp = 0
+		}
+	}
+
+	// representing 10^M * 2^N as 5^M * 2^(M+N)
+	exp2 -= exp
+
+	temp := big.NewInt(1)
+	dMant := big.NewInt(int64(mant))
+
+	// applying 5^M
+	if exp > 0 {
+		temp = temp.SetInt64(int64(exp))
+		temp = temp.Exp(fiveInt, temp, nil)
+	} else if exp < 0 {
+		temp = temp.SetInt64(-int64(exp))
+		temp = temp.Exp(fiveInt, temp, nil)
+		dMant = dMant.Mul(dMant, temp)
+		temp = temp.SetUint64(1)
+	}
+
+	// applying 2^(M+N)
+	if exp2 > 0 {
+		dMant = dMant.Lsh(dMant, uint(exp2))
+	} else if exp2 < 0 {
+		temp = temp.Lsh(temp, uint(-exp2))
+	}
+
+	// rounding and downscaling
+	if exp > 0 || exp2 < 0 {
+		halfDown := new(big.Int).Rsh(temp, 1)
+		dMant = dMant.Add(dMant, halfDown)
+		dMant = dMant.Quo(dMant, temp)
+	}
+
+	if sign == 1 {
+		dMant = dMant.Neg(dMant)
+	}
+
+	return Decimal{
+		value: dMant,
+		exp:   exp,
+	}
+}
+
+// Copy returns a copy of decimal with the same value and exponent, but a different pointer to value.
+func (d Decimal) Copy() Decimal {
+	d.ensureInitialized()
+	return Decimal{
+		value: new(big.Int).Set(d.value),
+		exp:   d.exp,
+	}
+}
+
+// rescale returns a rescaled version of the decimal. Returned
+// decimal may be less precise if the given exponent is bigger
+// than the initial exponent of the Decimal.
+// NOTE: this will truncate, NOT round
+//
+// Example:
+//
+//	d := New(12345, -4)
+//	d2 := d.rescale(-1)
+//	d3 := d2.rescale(-4)
+//	println(d1)
+//	println(d2)
+//	println(d3)
+//
+// Output:
+//
+//	1.2345
+//	1.2
+//	1.2000
+func (d Decimal) rescale(exp int32) Decimal {
+	d.ensureInitialized()
+
+	if d.exp == exp {
+		return Decimal{
+			new(big.Int).Set(d.value),
+			d.exp,
+		}
+	}
+
+	// NOTE(vadim): must convert exps to float64 before - to prevent overflow
+	diff := math.Abs(float64(exp) - float64(d.exp))
+	value := new(big.Int).Set(d.value)
+
+	expScale := new(big.Int).Exp(tenInt, big.NewInt(int64(diff)), nil)
+	if exp > d.exp {
+		value = value.Quo(value, expScale)
+	} else if exp < d.exp {
+		value = value.Mul(value, expScale)
+	}
+
+	return Decimal{
+		value: value,
+		exp:   exp,
+	}
+}
+
+// Abs returns the absolute value of the decimal.
+func (d Decimal) Abs() Decimal {
+	if !d.IsNegative() {
+		return d
+	}
+	d.ensureInitialized()
+	d2Value := new(big.Int).Abs(d.value)
+	return Decimal{
+		value: d2Value,
+		exp:   d.exp,
+	}
+}
+
+// Add returns d + d2.
+func (d Decimal) Add(d2 Decimal) Decimal {
+	rd, rd2 := RescalePair(d, d2)
+
+	d3Value := new(big.Int).Add(rd.value, rd2.value)
+	return Decimal{
+		value: d3Value,
+		exp:   rd.exp,
+	}
+}
+
+// Sub returns d - d2.
+func (d Decimal) Sub(d2 Decimal) Decimal {
+	rd, rd2 := RescalePair(d, d2)
+
+	d3Value := new(big.Int).Sub(rd.value, rd2.value)
+	return Decimal{
+		value: d3Value,
+		exp:   rd.exp,
+	}
+}
+
+// Neg returns -d.
+func (d Decimal) Neg() Decimal {
+	d.ensureInitialized()
+	val := new(big.Int).Neg(d.value)
+	return Decimal{
+		value: val,
+		exp:   d.exp,
+	}
+}
+
+// Mul returns d * d2.
+func (d Decimal) Mul(d2 Decimal) Decimal {
+	d.ensureInitialized()
+	d2.ensureInitialized()
+
+	expInt64 := int64(d.exp) + int64(d2.exp)
+	if expInt64 > math.MaxInt32 || expInt64 < math.MinInt32 {
+		// NOTE(vadim): better to panic than give incorrect results, as
+		// Decimals are usually used for money
+		panic(fmt.Sprintf("exponent %v overflows an int32!", expInt64))
+	}
+
+	d3Value := new(big.Int).Mul(d.value, d2.value)
+	return Decimal{
+		value: d3Value,
+		exp:   int32(expInt64),
+	}
+}
+
+// Shift shifts the decimal in base 10.
+// It shifts left when shift is positive and right if shift is negative.
+// In simpler terms, the given value for shift is added to the exponent
+// of the decimal.
+func (d Decimal) Shift(shift int32) Decimal {
+	d.ensureInitialized()
+	return Decimal{
+		value: new(big.Int).Set(d.value),
+		exp:   d.exp + shift,
+	}
+}
+
+// Div returns d / d2. If it doesn't divide exactly, the result will have
+// DivisionPrecision digits after the decimal point.
+func (d Decimal) Div(d2 Decimal) Decimal {
+	return d.DivRound(d2, int32(DivisionPrecision))
+}
+
+// QuoRem does division with remainder
+// d.QuoRem(d2,precision) returns quotient q and remainder r such that
+//
+//	d = d2 * q + r, q an integer multiple of 10^(-precision)
+//	0 <= r < abs(d2) * 10 ^(-precision) if d>=0
+//	0 >= r > -abs(d2) * 10 ^(-precision) if d<0
+//
+// Note that precision<0 is allowed as input.
+func (d Decimal) QuoRem(d2 Decimal, precision int32) (Decimal, Decimal) {
+	d.ensureInitialized()
+	d2.ensureInitialized()
+	if d2.value.Sign() == 0 {
+		panic("decimal division by 0")
+	}
+	scale := -precision
+	e := int64(d.exp) - int64(d2.exp) - int64(scale)
+	if e > math.MaxInt32 || e < math.MinInt32 {
+		panic("overflow in decimal QuoRem")
+	}
+	var aa, bb, expo big.Int
+	var scalerest int32
+	// d = a 10^ea
+	// d2 = b 10^eb
+	if e < 0 {
+		aa = *d.value
+		expo.SetInt64(-e)
+		bb.Exp(tenInt, &expo, nil)
+		bb.Mul(d2.value, &bb)
+		scalerest = d.exp
+		// now aa = a
+		//     bb = b 10^(scale + eb - ea)
+	} else {
+		expo.SetInt64(e)
+		aa.Exp(tenInt, &expo, nil)
+		aa.Mul(d.value, &aa)
+		bb = *d2.value
+		scalerest = scale + d2.exp
+		// now aa = a ^ (ea - eb - scale)
+		//     bb = b
+	}
+	var q, r big.Int
+	q.QuoRem(&aa, &bb, &r)
+	dq := Decimal{value: &q, exp: scale}
+	dr := Decimal{value: &r, exp: scalerest}
+	return dq, dr
+}
+
+// DivRound divides and rounds to a given precision
+// i.e. to an integer multiple of 10^(-precision)
+//
+//	for a positive quotient digit 5 is rounded up, away from 0
+//	if the quotient is negative then digit 5 is rounded down, away from 0
+//
+// Note that precision<0 is allowed as input.
+func (d Decimal) DivRound(d2 Decimal, precision int32) Decimal {
+	// QuoRem already checks initialization
+	q, r := d.QuoRem(d2, precision)
+	// the actual rounding decision is based on comparing r*10^precision and d2/2
+	// instead compare 2 r 10 ^precision and d2
+	var rv2 big.Int
+	rv2.Abs(r.value)
+	rv2.Lsh(&rv2, 1)
+	// now rv2 = abs(r.value) * 2
+	r2 := Decimal{value: &rv2, exp: r.exp + precision}
+	// r2 is now 2 * r * 10 ^ precision
+	var c = r2.Cmp(d2.Abs())
+
+	if c < 0 {
+		return q
+	}
+
+	if d.value.Sign()*d2.value.Sign() < 0 {
+		return q.Sub(New(1, -precision))
+	}
+
+	return q.Add(New(1, -precision))
+}
+
+// Mod returns d % d2.
+func (d Decimal) Mod(d2 Decimal) Decimal {
+	_, r := d.QuoRem(d2, 0)
+	return r
+}
+
+// Pow returns d to the power of d2.
+// When exponent is negative the returned decimal will have maximum precision of PowPrecisionNegativeExponent places after decimal point.
+//
+// Pow returns 0 (zero-value of Decimal) instead of error for power operation edge cases, to handle those edge cases use PowWithPrecision
+// Edge cases not handled by Pow:
+//   - 0 ** 0 => undefined value
+//   - 0 ** y, where y < 0 => infinity
+//   - x ** y, where x < 0 and y is non-integer decimal => imaginary value
+//
+// Example:
+//
+//	d1 := decimal.NewFromFloat(4.0)
+//	d2 := decimal.NewFromFloat(4.0)
+//	res1 := d1.Pow(d2)
+//	res1.String() // output: "256"
+//
+//	d3 := decimal.NewFromFloat(5.0)
+//	d4 := decimal.NewFromFloat(5.73)
+//	res2 := d3.Pow(d4)
+//	res2.String() // output: "10118.08037125"
+func (d Decimal) Pow(d2 Decimal) Decimal {
+	baseSign := d.Sign()
+	expSign := d2.Sign()
+
+	if baseSign == 0 {
+		if expSign == 0 {
+			return Decimal{}
+		}
+		if expSign == 1 {
+			return Decimal{zeroInt, 0}
+		}
+		if expSign == -1 {
+			return Decimal{}
+		}
+	}
+
+	if expSign == 0 {
+		return Decimal{oneInt, 0}
+	}
+
+	// TODO: optimize extraction of fractional part
+	one := Decimal{oneInt, 0}
+	expIntPart, expFracPart := d2.QuoRem(one, 0)
+
+	if baseSign == -1 && !expFracPart.IsZero() {
+		return Decimal{}
+	}
+
+	intPartPow, _ := d.PowBigInt(expIntPart.value)
+
+	// if exponent is an integer we don't need to calculate d1**frac(d2)
+	if expFracPart.value.Sign() == 0 {
+		return intPartPow
+	}
+
+	// TODO: optimize NumDigits for more performant precision adjustment
+	digitsBase := d.NumDigits()
+	digitsExponent := d2.NumDigits()
+
+	precision := digitsBase
+
+	if digitsExponent > precision {
+		precision += digitsExponent
+	}
+
+	precision += 6
+
+	// Calculate x ** frac(y), where
+	// x ** frac(y) = exp(ln(x ** frac(y)) = exp(ln(x) * frac(y))
+	fracPartPow, err := d.Abs().Ln(-d.exp + int32(precision))
+	if err != nil {
+		return Decimal{}
+	}
+
+	fracPartPow = fracPartPow.Mul(expFracPart)
+
+	fracPartPow, err = fracPartPow.ExpTaylor(-d.exp + int32(precision))
+	if err != nil {
+		return Decimal{}
+	}
+
+	// Join integer and fractional part,
+	// base ** (expBase + expFrac) = base ** expBase * base ** expFrac
+	res := intPartPow.Mul(fracPartPow)
+
+	return res
+}
+
+// PowWithPrecision returns d to the power of d2.
+// Precision parameter specifies minimum precision of the result (digits after decimal point).
+// Returned decimal is not rounded to 'precision' places after decimal point.
+//
+// PowWithPrecision returns error when:
+//   - 0 ** 0 => undefined value
+//   - 0 ** y, where y < 0 => infinity
+//   - x ** y, where x < 0 and y is non-integer decimal => imaginary value
+//
+// Example:
+//
+//	d1 := decimal.NewFromFloat(4.0)
+//	d2 := decimal.NewFromFloat(4.0)
+//	res1, err := d1.PowWithPrecision(d2, 2)
+//	res1.String() // output: "256"
+//
+//	d3 := decimal.NewFromFloat(5.0)
+//	d4 := decimal.NewFromFloat(5.73)
+//	res2, err := d3.PowWithPrecision(d4, 5)
+//	res2.String() // output: "10118.080371595015625"
+//
+//	d5 := decimal.NewFromFloat(-3.0)
+//	d6 := decimal.NewFromFloat(-6.0)
+//	res3, err := d5.PowWithPrecision(d6, 10)
+//	res3.String() // output: "0.0013717421"
+func (d Decimal) PowWithPrecision(d2 Decimal, precision int32) (Decimal, error) {
+	baseSign := d.Sign()
+	expSign := d2.Sign()
+
+	if baseSign == 0 {
+		if expSign == 0 {
+			return Decimal{}, fmt.Errorf("cannot represent undefined value of 0**0")
+		}
+		if expSign == 1 {
+			return Decimal{zeroInt, 0}, nil
+		}
+		if expSign == -1 {
+			return Decimal{}, fmt.Errorf("cannot represent infinity value of 0 ** y, where y < 0")
+		}
+	}
+
+	if expSign == 0 {
+		return Decimal{oneInt, 0}, nil
+	}
+
+	// TODO: optimize extraction of fractional part
+	one := Decimal{oneInt, 0}
+	expIntPart, expFracPart := d2.QuoRem(one, 0)
+
+	if baseSign == -1 && !expFracPart.IsZero() {
+		return Decimal{}, fmt.Errorf("cannot represent imaginary value of x ** y, where x < 0 and y is non-integer decimal")
+	}
+
+	intPartPow, _ := d.powBigIntWithPrecision(expIntPart.value, precision)
+
+	// if exponent is an integer we don't need to calculate d1**frac(d2)
+	if expFracPart.value.Sign() == 0 {
+		return intPartPow, nil
+	}
+
+	// TODO: optimize NumDigits for more performant precision adjustment
+	digitsBase := d.NumDigits()
+	digitsExponent := d2.NumDigits()
+
+	if int32(digitsBase) > precision {
+		precision = int32(digitsBase)
+	}
+	if int32(digitsExponent) > precision {
+		precision += int32(digitsExponent)
+	}
+	// increase precision by 10 to compensate for errors in further calculations
+	precision += 10
+
+	// Calculate x ** frac(y), where
+	// x ** frac(y) = exp(ln(x ** frac(y)) = exp(ln(x) * frac(y))
+	fracPartPow, err := d.Abs().Ln(precision)
+	if err != nil {
+		return Decimal{}, err
+	}
+
+	fracPartPow = fracPartPow.Mul(expFracPart)
+
+	fracPartPow, err = fracPartPow.ExpTaylor(precision)
+	if err != nil {
+		return Decimal{}, err
+	}
+
+	// Join integer and fractional part,
+	// base ** (expBase + expFrac) = base ** expBase * base ** expFrac
+	res := intPartPow.Mul(fracPartPow)
+
+	return res, nil
+}
+
+// PowInt32 returns d to the power of exp, where exp is int32.
+// Only returns error when d and exp is 0, thus result is undefined.
+//
+// When exponent is negative the returned decimal will have maximum precision of PowPrecisionNegativeExponent places after decimal point.
+//
+// Example:
+//
+//	d1, err := decimal.NewFromFloat(4.0).PowInt32(4)
+//	d1.String() // output: "256"
+//
+//	d2, err := decimal.NewFromFloat(3.13).PowInt32(5)
+//	d2.String() // output: "300.4150512793"
+func (d Decimal) PowInt32(exp int32) (Decimal, error) {
+	if d.IsZero() && exp == 0 {
+		return Decimal{}, fmt.Errorf("cannot represent undefined value of 0**0")
+	}
+
+	isExpNeg := exp < 0
+	exp = abs(exp)
+
+	n, result := d, New(1, 0)
+
+	for exp > 0 {
+		if exp%2 == 1 {
+			result = result.Mul(n)
+		}
+		exp /= 2
+
+		if exp > 0 {
+			n = n.Mul(n)
+		}
+	}
+
+	if isExpNeg {
+		return New(1, 0).DivRound(result, int32(PowPrecisionNegativeExponent)), nil
+	}
+
+	return result, nil
+}
+
+// PowBigInt returns d to the power of exp, where exp is big.Int.
+// Only returns error when d and exp is 0, thus result is undefined.
+//
+// When exponent is negative the returned decimal will have maximum precision of PowPrecisionNegativeExponent places after decimal point.
+//
+// Example:
+//
+//	d1, err := decimal.NewFromFloat(3.0).PowBigInt(big.NewInt(3))
+//	d1.String() // output: "27"
+//
+//	d2, err := decimal.NewFromFloat(629.25).PowBigInt(big.NewInt(5))
+//	d2.String() // output: "98654323103449.5673828125"
+func (d Decimal) PowBigInt(exp *big.Int) (Decimal, error) {
+	return d.powBigIntWithPrecision(exp, int32(PowPrecisionNegativeExponent))
+}
+
+func (d Decimal) powBigIntWithPrecision(exp *big.Int, precision int32) (Decimal, error) {
+	if d.IsZero() && exp.Sign() == 0 {
+		return Decimal{}, fmt.Errorf("cannot represent undefined value of 0**0")
+	}
+
+	tmpExp := new(big.Int).Set(exp)
+	isExpNeg := exp.Sign() < 0
+
+	if isExpNeg {
+		tmpExp.Abs(tmpExp)
+	}
+
+	n, result := d, New(1, 0)
+
+	for tmpExp.Sign() > 0 {
+		if tmpExp.Bit(0) == 1 {
+			result = result.Mul(n)
+		}
+		tmpExp.Rsh(tmpExp, 1)
+
+		if tmpExp.Sign() > 0 {
+			n = n.Mul(n)
+		}
+	}
+
+	if isExpNeg {
+		return New(1, 0).DivRound(result, precision), nil
+	}
+
+	return result, nil
+}
+
+// ExpHullAbrham calculates the natural exponent of decimal (e to the power of d) using Hull-Abraham algorithm.
+// OverallPrecision argument specifies the overall precision of the result (integer part + decimal part).
+//
+// ExpHullAbrham is faster than ExpTaylor for small precision values, but it is much slower for large precision values.
+//
+// Example:
+//
+//	NewFromFloat(26.1).ExpHullAbrham(2).String()    // output: "220000000000"
+//	NewFromFloat(26.1).ExpHullAbrham(20).String()   // output: "216314672147.05767284"
+func (d Decimal) ExpHullAbrham(overallPrecision uint32) (Decimal, error) {
+	// Algorithm based on Variable precision exponential function.
+	// ACM Transactions on Mathematical Software by T. E. Hull & A. Abrham.
+	if d.IsZero() {
+		return Decimal{oneInt, 0}, nil
+	}
+
+	currentPrecision := overallPrecision
+
+	// Algorithm does not work if currentPrecision * 23 < |x|.
+	// Precision is automatically increased in such cases, so the value can be calculated precisely.
+	// If newly calculated precision is higher than ExpMaxIterations the currentPrecision will not be changed.
+	f := d.Abs().InexactFloat64()
+	if ncp := f / 23; ncp > float64(currentPrecision) && ncp < float64(ExpMaxIterations) {
+		currentPrecision = uint32(math.Ceil(ncp))
+	}
+
+	// fail if abs(d) beyond an over/underflow threshold
+	overflowThreshold := New(23*int64(currentPrecision), 0)
+	if d.Abs().Cmp(overflowThreshold) > 0 {
+		return Decimal{}, fmt.Errorf("over/underflow threshold, exp(x) cannot be calculated precisely")
+	}
+
+	// Return 1 if abs(d) small enough; this also avoids later over/underflow
+	overflowThreshold2 := New(9, -int32(currentPrecision)-1)
+	if d.Abs().Cmp(overflowThreshold2) <= 0 {
+		return Decimal{oneInt, d.exp}, nil
+	}
+
+	// t is the smallest integer >= 0 such that the corresponding abs(d/k) < 1
+	t := d.exp + int32(d.NumDigits()) // Add d.NumDigits because the paper assumes that d.value [0.1, 1)
+
+	if t < 0 {
+		t = 0
+	}
+
+	k := New(1, t)                                     // reduction factor
+	r := Decimal{new(big.Int).Set(d.value), d.exp - t} // reduced argument
+	p := int32(currentPrecision) + t + 2               // precision for calculating the sum
+
+	// Determine n, the number of therms for calculating sum
+	// use first Newton step (1.435p - 1.182) / log10(p/abs(r))
+	// for solving appropriate equation, along with directed
+	// roundings and simple rational bound for log10(p/abs(r))
+	rf := r.Abs().InexactFloat64()
+	pf := float64(p)
+	nf := math.Ceil((1.453*pf - 1.182) / math.Log10(pf/rf))
+	if nf > float64(ExpMaxIterations) || math.IsNaN(nf) {
+		return Decimal{}, fmt.Errorf("exact value cannot be calculated in <=ExpMaxIterations iterations")
+	}
+	n := int64(nf)
+
+	tmp := New(0, 0)
+	sum := New(1, 0)
+	one := New(1, 0)
+	for i := n - 1; i > 0; i-- {
+		tmp.value.SetInt64(i)
+		sum = sum.Mul(r.DivRound(tmp, p))
+		sum = sum.Add(one)
+	}
+
+	ki := k.IntPart()
+	res := New(1, 0)
+	for i := ki; i > 0; i-- {
+		res = res.Mul(sum)
+	}
+
+	resNumDigits := int32(res.NumDigits())
+
+	var roundDigits int32
+	if resNumDigits > abs(res.exp) {
+		roundDigits = int32(currentPrecision) - resNumDigits - res.exp
+	} else {
+		roundDigits = int32(currentPrecision)
+	}
+
+	res = res.Round(roundDigits)
+
+	return res, nil
+}
+
+// ExpTaylor calculates the natural exponent of decimal (e to the power of d) using Taylor series expansion.
+// Precision argument specifies how precise the result must be (number of digits after decimal point).
+// Negative precision is allowed.
+//
+// ExpTaylor is much faster for large precision values than ExpHullAbrham.
+//
+// Example:
+//
+//	d, err := NewFromFloat(26.1).ExpTaylor(2).String()
+//	d.String()  // output: "216314672147.06"
+//
+//	NewFromFloat(26.1).ExpTaylor(20).String()
+//	d.String()  // output: "216314672147.05767284062928674083"
+//
+//	NewFromFloat(26.1).ExpTaylor(-10).String()
+//	d.String()  // output: "220000000000"
+func (d Decimal) ExpTaylor(precision int32) (Decimal, error) {
+	// Note(mwoss): Implementation can be optimized by exclusively using big.Int API only
+	if d.IsZero() {
+		return Decimal{oneInt, 0}.Round(precision), nil
+	}
+
+	var epsilon Decimal
+	var divPrecision int32
+	if precision < 0 {
+		epsilon = New(1, -1)
+		divPrecision = 8
+	} else {
+		epsilon = New(1, -precision-1)
+		divPrecision = precision + 1
+	}
+
+	decAbs := d.Abs()
+	pow := d.Abs()
+	factorial := New(1, 0)
+
+	result := New(1, 0)
+
+	for i := int64(1); ; {
+		step := pow.DivRound(factorial, divPrecision)
+		result = result.Add(step)
+
+		// Stop Taylor series when current step is smaller than epsilon
+		if step.Cmp(epsilon) < 0 {
+			break
+		}
+
+		pow = pow.Mul(decAbs)
+
+		i++
+
+		// Calculate next factorial number or retrieve cached value
+		if len(factorials) >= int(i) && !factorials[i-1].IsZero() {
+			factorial = factorials[i-1]
+		} else {
+			// To avoid any race conditions, firstly the zero value is appended to a slice to create
+			// a spot for newly calculated factorial. After that, the zero value is replaced by calculated
+			// factorial using the index notation.
+			factorial = factorials[i-2].Mul(New(i, 0))
+			factorials = append(factorials, Zero)
+			factorials[i-1] = factorial
+		}
+	}
+
+	if d.Sign() < 0 {
+		result = New(1, 0).DivRound(result, precision+1)
+	}
+
+	result = result.Round(precision)
+	return result, nil
+}
+
+// Ln calculates natural logarithm of d.
+// Precision argument specifies how precise the result must be (number of digits after decimal point).
+// Negative precision is allowed.
+//
+// Example:
+//
+//	d1, err := NewFromFloat(13.3).Ln(2)
+//	d1.String()  // output: "2.59"
+//
+//	d2, err := NewFromFloat(579.161).Ln(10)
+//	d2.String()  // output: "6.3615805046"
+func (d Decimal) Ln(precision int32) (Decimal, error) {
+	// Algorithm based on The Use of Iteration Methods for Approximating the Natural Logarithm,
+	// James F. Epperson, The American Mathematical Monthly, Vol. 96, No. 9, November 1989, pp. 831-835.
+	if d.IsNegative() {
+		return Decimal{}, fmt.Errorf("cannot calculate natural logarithm for negative decimals")
+	}
+
+	if d.IsZero() {
+		return Decimal{}, fmt.Errorf("cannot represent natural logarithm of 0, result: -infinity")
+	}
+
+	calcPrecision := precision + 2
+	z := d.Copy()
+
+	var comp1, comp3, comp2, comp4, reduceAdjust Decimal
+	comp1 = z.Sub(Decimal{oneInt, 0})
+	comp3 = Decimal{oneInt, -1}
+
+	// for decimal in range [0.9, 1.1] where ln(d) is close to 0
+	usePowerSeries := false
+
+	if comp1.Abs().Cmp(comp3) <= 0 {
+		usePowerSeries = true
+	} else {
+		// reduce input decimal to range [0.1, 1)
+		expDelta := int32(z.NumDigits()) + z.exp
+		z.exp -= expDelta
+
+		// Input decimal was reduced by factor of 10^expDelta, thus we will need to add
+		// ln(10^expDelta) = expDelta * ln(10)
+		// to the result to compensate that
+		ln10 := ln10.withPrecision(calcPrecision)
+		reduceAdjust = NewFromInt32(expDelta)
+		reduceAdjust = reduceAdjust.Mul(ln10)
+
+		comp1 = z.Sub(Decimal{oneInt, 0})
+
+		if comp1.Abs().Cmp(comp3) <= 0 {
+			usePowerSeries = true
+		} else {
+			// initial estimate using floats
+			zFloat := z.InexactFloat64()
+			comp1 = NewFromFloat(math.Log(zFloat))
+		}
+	}
+
+	epsilon := Decimal{oneInt, -calcPrecision}
+
+	if usePowerSeries {
+		// Power Series - https://en.wikipedia.org/wiki/Logarithm#Power_series
+		// Calculating n-th term of formula: ln(z+1) = 2 sum [ 1 / (2n+1) * (z / (z+2))^(2n+1) ]
+		// until the difference between current and next term is smaller than epsilon.
+		// Coverage quite fast for decimals close to 1.0
+
+		// z + 2
+		comp2 = comp1.Add(Decimal{twoInt, 0})
+		// z / (z + 2)
+		comp3 = comp1.DivRound(comp2, calcPrecision)
+		// 2 * (z / (z + 2))
+		comp1 = comp3.Add(comp3)
+		comp2 = comp1.Copy()
+
+		for n := 1; ; n++ {
+			// 2 * (z / (z+2))^(2n+1)
+			comp2 = comp2.Mul(comp3).Mul(comp3)
+
+			// 1 / (2n+1) * 2 * (z / (z+2))^(2n+1)
+			comp4 = NewFromInt(int64(2*n + 1))
+			comp4 = comp2.DivRound(comp4, calcPrecision)
+
+			// comp1 = 2 sum [ 1 / (2n+1) * (z / (z+2))^(2n+1) ]
+			comp1 = comp1.Add(comp4)
+
+			if comp4.Abs().Cmp(epsilon) <= 0 {
+				break
+			}
+		}
+	} else {
+		// Halley's Iteration.
+		// Calculating n-th term of formula: a_(n+1) = a_n - 2 * (exp(a_n) - z) / (exp(a_n) + z),
+		// until the difference between current and next term is smaller than epsilon
+		var prevStep Decimal
+		maxIters := calcPrecision*2 + 10
+
+		for i := int32(0); i < maxIters; i++ {
+			// exp(a_n)
+			comp3, _ = comp1.ExpTaylor(calcPrecision)
+			// exp(a_n) - z
+			comp2 = comp3.Sub(z)
+			// 2 * (exp(a_n) - z)
+			comp2 = comp2.Add(comp2)
+			// exp(a_n) + z
+			comp4 = comp3.Add(z)
+			// 2 * (exp(a_n) - z) / (exp(a_n) + z)
+			comp3 = comp2.DivRound(comp4, calcPrecision)
+			// comp1 = a_(n+1) = a_n - 2 * (exp(a_n) - z) / (exp(a_n) + z)
+			comp1 = comp1.Sub(comp3)
+
+			if prevStep.Add(comp3).IsZero() {
+				// If iteration steps oscillate we should return early and prevent an infinity loop
+				// NOTE(mwoss): This should be quite a rare case, returning error is not necessary
+				break
+			}
+
+			if comp3.Abs().Cmp(epsilon) <= 0 {
+				break
+			}
+
+			prevStep = comp3
+		}
+	}
+
+	comp1 = comp1.Add(reduceAdjust)
+
+	return comp1.Round(precision), nil
+}
+
+// NumDigits returns the number of digits of the decimal coefficient (d.Value)
+func (d Decimal) NumDigits() int {
+	if d.value == nil {
+		return 1
+	}
+
+	if d.value.IsInt64() {
+		i64 := d.value.Int64()
+		// restrict fast path to integers with exact conversion to float64
+		if i64 <= (1<<53) && i64 >= -(1<<53) {
+			if i64 == 0 {
+				return 1
+			}
+			return int(math.Log10(math.Abs(float64(i64)))) + 1
+		}
+	}
+
+	estimatedNumDigits := int(float64(d.value.BitLen()) / math.Log2(10))
+
+	// estimatedNumDigits (lg10) may be off by 1, need to verify
+	digitsBigInt := big.NewInt(int64(estimatedNumDigits))
+	errorCorrectionUnit := digitsBigInt.Exp(tenInt, digitsBigInt, nil)
+
+	if d.value.CmpAbs(errorCorrectionUnit) >= 0 {
+		return estimatedNumDigits + 1
+	}
+
+	return estimatedNumDigits
+}
+
+// IsInteger returns true when decimal can be represented as an integer value, otherwise, it returns false.
+func (d Decimal) IsInteger() bool {
+	// The most typical case, all decimal with exponent higher or equal 0 can be represented as integer
+	if d.exp >= 0 {
+		return true
+	}
+	// When the exponent is negative we have to check every number after the decimal place
+	// If all of them are zeroes, we are sure that given decimal can be represented as an integer
+	var r big.Int
+	q := new(big.Int).Set(d.value)
+	for z := abs(d.exp); z > 0; z-- {
+		q.QuoRem(q, tenInt, &r)
+		if r.Cmp(zeroInt) != 0 {
+			return false
+		}
+	}
+	return true
+}
+
+// Abs calculates absolute value of any int32. Used for calculating absolute value of decimal's exponent.
+func abs(n int32) int32 {
+	if n < 0 {
+		return -n
+	}
+	return n
+}
+
+// Cmp compares the numbers represented by d and d2 and returns:
+//
+//	-1 if d <  d2
+//	 0 if d == d2
+//	+1 if d >  d2
+func (d Decimal) Cmp(d2 Decimal) int {
+	d.ensureInitialized()
+	d2.ensureInitialized()
+
+	if d.exp == d2.exp {
+		return d.value.Cmp(d2.value)
+	}
+
+	rd, rd2 := RescalePair(d, d2)
+
+	return rd.value.Cmp(rd2.value)
+}
+
+// Compare compares the numbers represented by d and d2 and returns:
+//
+//	-1 if d <  d2
+//	 0 if d == d2
+//	+1 if d >  d2
+func (d Decimal) Compare(d2 Decimal) int {
+	return d.Cmp(d2)
+}
+
+// Equal returns whether the numbers represented by d and d2 are equal.
+func (d Decimal) Equal(d2 Decimal) bool {
+	return d.Cmp(d2) == 0
+}
+
+// Deprecated: Equals is deprecated, please use Equal method instead.
+func (d Decimal) Equals(d2 Decimal) bool {
+	return d.Equal(d2)
+}
+
+// GreaterThan (GT) returns true when d is greater than d2.
+func (d Decimal) GreaterThan(d2 Decimal) bool {
+	return d.Cmp(d2) == 1
+}
+
+// GreaterThanOrEqual (GTE) returns true when d is greater than or equal to d2.
+func (d Decimal) GreaterThanOrEqual(d2 Decimal) bool {
+	cmp := d.Cmp(d2)
+	return cmp == 1 || cmp == 0
+}
+
+// LessThan (LT) returns true when d is less than d2.
+func (d Decimal) LessThan(d2 Decimal) bool {
+	return d.Cmp(d2) == -1
+}
+
+// LessThanOrEqual (LTE) returns true when d is less than or equal to d2.
+func (d Decimal) LessThanOrEqual(d2 Decimal) bool {
+	cmp := d.Cmp(d2)
+	return cmp == -1 || cmp == 0
+}
+
+// Sign returns:
+//
+//	-1 if d <  0
+//	 0 if d == 0
+//	+1 if d >  0
+func (d Decimal) Sign() int {
+	if d.value == nil {
+		return 0
+	}
+	return d.value.Sign()
+}
+
+// IsPositive return
+//
+//	true if d > 0
+//	false if d == 0
+//	false if d < 0
+func (d Decimal) IsPositive() bool {
+	return d.Sign() == 1
+}
+
+// IsNegative return
+//
+//	true if d < 0
+//	false if d == 0
+//	false if d > 0
+func (d Decimal) IsNegative() bool {
+	return d.Sign() == -1
+}
+
+// IsZero return
+//
+//	true if d == 0
+//	false if d > 0
+//	false if d < 0
+func (d Decimal) IsZero() bool {
+	return d.Sign() == 0
+}
+
+// Exponent returns the exponent, or scale component of the decimal.
+func (d Decimal) Exponent() int32 {
+	return d.exp
+}
+
+// Coefficient returns the coefficient of the decimal. It is scaled by 10^Exponent()
+func (d Decimal) Coefficient() *big.Int {
+	d.ensureInitialized()
+	// we copy the coefficient so that mutating the result does not mutate the Decimal.
+	return new(big.Int).Set(d.value)
+}
+
+// CoefficientInt64 returns the coefficient of the decimal as int64. It is scaled by 10^Exponent()
+// If coefficient cannot be represented in an int64, the result will be undefined.
+func (d Decimal) CoefficientInt64() int64 {
+	d.ensureInitialized()
+	return d.value.Int64()
+}
+
+// IntPart returns the integer component of the decimal.
+func (d Decimal) IntPart() int64 {
+	scaledD := d.rescale(0)
+	return scaledD.value.Int64()
+}
+
+// BigInt returns integer component of the decimal as a BigInt.
+func (d Decimal) BigInt() *big.Int {
+	scaledD := d.rescale(0)
+	return scaledD.value
+}
+
+// BigFloat returns decimal as BigFloat.
+// Be aware that casting decimal to BigFloat might cause a loss of precision.
+func (d Decimal) BigFloat() *big.Float {
+	f := &big.Float{}
+	f.SetString(d.String())
+	return f
+}
+
+// Rat returns a rational number representation of the decimal.
+func (d Decimal) Rat() *big.Rat {
+	d.ensureInitialized()
+	if d.exp <= 0 {
+		// NOTE(vadim): must negate after casting to prevent int32 overflow
+		denom := new(big.Int).Exp(tenInt, big.NewInt(-int64(d.exp)), nil)
+		return new(big.Rat).SetFrac(d.value, denom)
+	}
+
+	mul := new(big.Int).Exp(tenInt, big.NewInt(int64(d.exp)), nil)
+	num := new(big.Int).Mul(d.value, mul)
+	return new(big.Rat).SetFrac(num, oneInt)
+}
+
+// Float64 returns the nearest float64 value for d and a bool indicating
+// whether f represents d exactly.
+// For more details, see the documentation for big.Rat.Float64
+func (d Decimal) Float64() (f float64, exact bool) {
+	return d.Rat().Float64()
+}
+
+// InexactFloat64 returns the nearest float64 value for d.
+// It doesn't indicate if the returned value represents d exactly.
+func (d Decimal) InexactFloat64() float64 {
+	f, _ := d.Float64()
+	return f
+}
+
+// String returns the string representation of the decimal
+// with the fixed point.
+//
+// Example:
+//
+//	d := New(-12345, -3)
+//	println(d.String())
+//
+// Output:
+//
+//	-12.345
+func (d Decimal) String() string {
+	return d.string(true)
+}
+
+// StringFixed returns a rounded fixed-point string with places digits after
+// the decimal point.
+//
+// Example:
+//
+//	NewFromFloat(0).StringFixed(2) // output: "0.00"
+//	NewFromFloat(0).StringFixed(0) // output: "0"
+//	NewFromFloat(5.45).StringFixed(0) // output: "5"
+//	NewFromFloat(5.45).StringFixed(1) // output: "5.5"
+//	NewFromFloat(5.45).StringFixed(2) // output: "5.45"
+//	NewFromFloat(5.45).StringFixed(3) // output: "5.450"
+//	NewFromFloat(545).StringFixed(-1) // output: "550"
+func (d Decimal) StringFixed(places int32) string {
+	rounded := d.Round(places)
+	return rounded.string(false)
+}
+
+// StringFixedBank returns a banker rounded fixed-point string with places digits
+// after the decimal point.
+//
+// Example:
+//
+//	NewFromFloat(0).StringFixedBank(2) // output: "0.00"
+//	NewFromFloat(0).StringFixedBank(0) // output: "0"
+//	NewFromFloat(5.45).StringFixedBank(0) // output: "5"
+//	NewFromFloat(5.45).StringFixedBank(1) // output: "5.4"
+//	NewFromFloat(5.45).StringFixedBank(2) // output: "5.45"
+//	NewFromFloat(5.45).StringFixedBank(3) // output: "5.450"
+//	NewFromFloat(545).StringFixedBank(-1) // output: "540"
+func (d Decimal) StringFixedBank(places int32) string {
+	rounded := d.RoundBank(places)
+	return rounded.string(false)
+}
+
+// StringFixedCash returns a Swedish/Cash rounded fixed-point string. For
+// more details see the documentation at function RoundCash.
+func (d Decimal) StringFixedCash(interval uint8) string {
+	rounded := d.RoundCash(interval)
+	return rounded.string(false)
+}
+
+// Round rounds the decimal to places decimal places.
+// If places < 0, it will round the integer part to the nearest 10^(-places).
+//
+// Example:
+//
+//	NewFromFloat(5.45).Round(1).String() // output: "5.5"
+//	NewFromFloat(545).Round(-1).String() // output: "550"
+func (d Decimal) Round(places int32) Decimal {
+	if d.exp == -places {
+		return d
+	}
+	// truncate to places + 1
+	ret := d.rescale(-places - 1)
+
+	// add sign(d) * 0.5
+	if ret.value.Sign() < 0 {
+		ret.value.Sub(ret.value, fiveInt)
+	} else {
+		ret.value.Add(ret.value, fiveInt)
+	}
+
+	// floor for positive numbers, ceil for negative numbers
+	_, m := ret.value.DivMod(ret.value, tenInt, new(big.Int))
+	ret.exp++
+	if ret.value.Sign() < 0 && m.Cmp(zeroInt) != 0 {
+		ret.value.Add(ret.value, oneInt)
+	}
+
+	return ret
+}
+
+// RoundCeil rounds the decimal towards +infinity.
+//
+// Example:
+//
+//	NewFromFloat(545).RoundCeil(-2).String()   // output: "600"
+//	NewFromFloat(500).RoundCeil(-2).String()   // output: "500"
+//	NewFromFloat(1.1001).RoundCeil(2).String() // output: "1.11"
+//	NewFromFloat(-1.454).RoundCeil(1).String() // output: "-1.4"
+func (d Decimal) RoundCeil(places int32) Decimal {
+	if d.exp >= -places {
+		return d
+	}
+
+	rescaled := d.rescale(-places)
+	if d.Equal(rescaled) {
+		return d
+	}
+
+	if d.value.Sign() > 0 {
+		rescaled.value.Add(rescaled.value, oneInt)
+	}
+
+	return rescaled
+}
+
+// RoundFloor rounds the decimal towards -infinity.
+//
+// Example:
+//
+//	NewFromFloat(545).RoundFloor(-2).String()   // output: "500"
+//	NewFromFloat(-500).RoundFloor(-2).String()   // output: "-500"
+//	NewFromFloat(1.1001).RoundFloor(2).String() // output: "1.1"
+//	NewFromFloat(-1.454).RoundFloor(1).String() // output: "-1.5"
+func (d Decimal) RoundFloor(places int32) Decimal {
+	if d.exp >= -places {
+		return d
+	}
+
+	rescaled := d.rescale(-places)
+	if d.Equal(rescaled) {
+		return d
+	}
+
+	if d.value.Sign() < 0 {
+		rescaled.value.Sub(rescaled.value, oneInt)
+	}
+
+	return rescaled
+}
+
+// RoundUp rounds the decimal away from zero.
+//
+// Example:
+//
+//	NewFromFloat(545).RoundUp(-2).String()   // output: "600"
+//	NewFromFloat(500).RoundUp(-2).String()   // output: "500"
+//	NewFromFloat(1.1001).RoundUp(2).String() // output: "1.11"
+//	NewFromFloat(-1.454).RoundUp(1).String() // output: "-1.5"
+func (d Decimal) RoundUp(places int32) Decimal {
+	if d.exp >= -places {
+		return d
+	}
+
+	rescaled := d.rescale(-places)
+	if d.Equal(rescaled) {
+		return d
+	}
+
+	if d.value.Sign() > 0 {
+		rescaled.value.Add(rescaled.value, oneInt)
+	} else if d.value.Sign() < 0 {
+		rescaled.value.Sub(rescaled.value, oneInt)
+	}
+
+	return rescaled
+}
+
+// RoundDown rounds the decimal towards zero.
+//
+// Example:
+//
+//	NewFromFloat(545).RoundDown(-2).String()   // output: "500"
+//	NewFromFloat(-500).RoundDown(-2).String()   // output: "-500"
+//	NewFromFloat(1.1001).RoundDown(2).String() // output: "1.1"
+//	NewFromFloat(-1.454).RoundDown(1).String() // output: "-1.4"
+func (d Decimal) RoundDown(places int32) Decimal {
+	if d.exp >= -places {
+		return d
+	}
+
+	rescaled := d.rescale(-places)
+	if d.Equal(rescaled) {
+		return d
+	}
+	return rescaled
+}
+
+// RoundBank rounds the decimal to places decimal places.
+// If the final digit to round is equidistant from the nearest two integers the
+// rounded value is taken as the even number
+//
+// If places < 0, it will round the integer part to the nearest 10^(-places).
+//
+// Examples:
+//
+//	NewFromFloat(5.45).RoundBank(1).String() // output: "5.4"
+//	NewFromFloat(545).RoundBank(-1).String() // output: "540"
+//	NewFromFloat(5.46).RoundBank(1).String() // output: "5.5"
+//	NewFromFloat(546).RoundBank(-1).String() // output: "550"
+//	NewFromFloat(5.55).RoundBank(1).String() // output: "5.6"
+//	NewFromFloat(555).RoundBank(-1).String() // output: "560"
+func (d Decimal) RoundBank(places int32) Decimal {
+
+	round := d.Round(places)
+	remainder := d.Sub(round).Abs()
+
+	half := New(5, -places-1)
+	if remainder.Cmp(half) == 0 && round.value.Bit(0) != 0 {
+		if round.value.Sign() < 0 {
+			round.value.Add(round.value, oneInt)
+		} else {
+			round.value.Sub(round.value, oneInt)
+		}
+	}
+
+	return round
+}
+
+// RoundCash aka Cash/Penny/öre rounding rounds decimal to a specific
+// interval. The amount payable for a cash transaction is rounded to the nearest
+// multiple of the minimum currency unit available. The following intervals are
+// available: 5, 10, 25, 50 and 100; any other number throws a panic.
+//
+//	  5:   5 cent rounding 3.43 => 3.45
+//	 10:  10 cent rounding 3.45 => 3.50 (5 gets rounded up)
+//	 25:  25 cent rounding 3.41 => 3.50
+//	 50:  50 cent rounding 3.75 => 4.00
+//	100: 100 cent rounding 3.50 => 4.00
+//
+// For more details: https://en.wikipedia.org/wiki/Cash_rounding
+func (d Decimal) RoundCash(interval uint8) Decimal {
+	var iVal *big.Int
+	switch interval {
+	case 5:
+		iVal = twentyInt
+	case 10:
+		iVal = tenInt
+	case 25:
+		iVal = fourInt
+	case 50:
+		iVal = twoInt
+	case 100:
+		iVal = oneInt
+	default:
+		panic(fmt.Sprintf("Decimal does not support this Cash rounding interval `%d`. Supported: 5, 10, 25, 50, 100", interval))
+	}
+	dVal := Decimal{
+		value: iVal,
+	}
+
+	// TODO: optimize those calculations to reduce the high allocations (~29 allocs).
+	return d.Mul(dVal).Round(0).Div(dVal).Truncate(2)
+}
+
+// Floor returns the nearest integer value less than or equal to d.
+func (d Decimal) Floor() Decimal {
+	d.ensureInitialized()
+
+	if d.exp >= 0 {
+		return d
+	}
+
+	exp := big.NewInt(10)
+
+	// NOTE(vadim): must negate after casting to prevent int32 overflow
+	exp.Exp(exp, big.NewInt(-int64(d.exp)), nil)
+
+	z := new(big.Int).Div(d.value, exp)
+	return Decimal{value: z, exp: 0}
+}
+
+// Ceil returns the nearest integer value greater than or equal to d.
+func (d Decimal) Ceil() Decimal {
+	d.ensureInitialized()
+
+	if d.exp >= 0 {
+		return d
+	}
+
+	exp := big.NewInt(10)
+
+	// NOTE(vadim): must negate after casting to prevent int32 overflow
+	exp.Exp(exp, big.NewInt(-int64(d.exp)), nil)
+
+	z, m := new(big.Int).DivMod(d.value, exp, new(big.Int))
+	if m.Cmp(zeroInt) != 0 {
+		z.Add(z, oneInt)
+	}
+	return Decimal{value: z, exp: 0}
+}
+
+// Truncate truncates off digits from the number, without rounding.
+//
+// NOTE: precision is the last digit that will not be truncated (must be >= 0).
+//
+// Example:
+//
+//	decimal.NewFromString("123.456").Truncate(2).String() // "123.45"
+func (d Decimal) Truncate(precision int32) Decimal {
+	d.ensureInitialized()
+	if precision >= 0 && -precision > d.exp {
+		return d.rescale(-precision)
+	}
+	return d
+}
+
+// UnmarshalJSON implements the json.Unmarshaler interface.
+func (d *Decimal) UnmarshalJSON(decimalBytes []byte) error {
+	if string(decimalBytes) == "null" {
+		return nil
+	}
+
+	str, err := unquoteIfQuoted(decimalBytes)
+	if err != nil {
+		return fmt.Errorf("error decoding string '%s': %s", decimalBytes, err)
+	}
+
+	decimal, err := NewFromString(str)
+	*d = decimal
+	if err != nil {
+		return fmt.Errorf("error decoding string '%s': %s", str, err)
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaler interface.
+func (d Decimal) MarshalJSON() ([]byte, error) {
+	var str string
+	if MarshalJSONWithoutQuotes {
+		str = d.String()
+	} else {
+		str = "\"" + d.String() + "\""
+	}
+	return []byte(str), nil
+}
+
+// UnmarshalBinary implements the encoding.BinaryUnmarshaler interface. As a string representation
+// is already used when encoding to text, this method stores that string as []byte
+func (d *Decimal) UnmarshalBinary(data []byte) error {
+	// Verify we have at least 4 bytes for the exponent. The GOB encoded value
+	// may be empty.
+	if len(data) < 4 {
+		return fmt.Errorf("error decoding binary %v: expected at least 4 bytes, got %d", data, len(data))
+	}
+
+	// Extract the exponent
+	d.exp = int32(binary.BigEndian.Uint32(data[:4]))
+
+	// Extract the value
+	d.value = new(big.Int)
+	if err := d.value.GobDecode(data[4:]); err != nil {
+		return fmt.Errorf("error decoding binary %v: %s", data, err)
+	}
+
+	return nil
+}
+
+// MarshalBinary implements the encoding.BinaryMarshaler interface.
+func (d Decimal) MarshalBinary() (data []byte, err error) {
+	// exp is written first, but encode value first to know output size
+	var valueData []byte
+	if valueData, err = d.value.GobEncode(); err != nil {
+		return nil, err
+	}
+
+	// Write the exponent in front, since it's a fixed size
+	expData := make([]byte, 4, len(valueData)+4)
+	binary.BigEndian.PutUint32(expData, uint32(d.exp))
+
+	// Return the byte array
+	return append(expData, valueData...), nil
+}
+
+// Scan implements the sql.Scanner interface for database deserialization.
+func (d *Decimal) Scan(value interface{}) error {
+	// first try to see if the data is stored in database as a Numeric datatype
+	switch v := value.(type) {
+
+	case float32:
+		*d = NewFromFloat(float64(v))
+		return nil
+
+	case float64:
+		// numeric in sqlite3 sends us float64
+		*d = NewFromFloat(v)
+		return nil
+
+	case int64:
+		// at least in sqlite3 when the value is 0 in db, the data is sent
+		// to us as an int64 instead of a float64 ...
+		*d = New(v, 0)
+		return nil
+
+	case uint64:
+		// while clickhouse may send 0 in db as uint64
+		*d = NewFromUint64(v)
+		return nil
+
+	default:
+		// default is trying to interpret value stored as string
+		str, err := unquoteIfQuoted(v)
+		if err != nil {
+			return err
+		}
+		*d, err = NewFromString(str)
+		return err
+	}
+}
+
+// Value implements the driver.Valuer interface for database serialization.
+func (d Decimal) Value() (driver.Value, error) {
+	return d.String(), nil
+}
+
+// UnmarshalText implements the encoding.TextUnmarshaler interface for XML
+// deserialization.
+func (d *Decimal) UnmarshalText(text []byte) error {
+	str := string(text)
+
+	dec, err := NewFromString(str)
+	*d = dec
+	if err != nil {
+		return fmt.Errorf("error decoding string '%s': %s", str, err)
+	}
+
+	return nil
+}
+
+// MarshalText implements the encoding.TextMarshaler interface for XML
+// serialization.
+func (d Decimal) MarshalText() (text []byte, err error) {
+	return []byte(d.String()), nil
+}
+
+// GobEncode implements the gob.GobEncoder interface for gob serialization.
+func (d Decimal) GobEncode() ([]byte, error) {
+	return d.MarshalBinary()
+}
+
+// GobDecode implements the gob.GobDecoder interface for gob serialization.
+func (d *Decimal) GobDecode(data []byte) error {
+	return d.UnmarshalBinary(data)
+}
+
+// StringScaled first scales the decimal then calls .String() on it.
+//
+// Deprecated: buggy and unintuitive. Use StringFixed instead.
+func (d Decimal) StringScaled(exp int32) string {
+	return d.rescale(exp).String()
+}
+
+func (d Decimal) string(trimTrailingZeros bool) string {
+	if d.exp >= 0 {
+		return d.rescale(0).value.String()
+	}
+
+	abs := new(big.Int).Abs(d.value)
+	str := abs.String()
+
+	var intPart, fractionalPart string
+
+	// NOTE(vadim): this cast to int will cause bugs if d.exp == INT_MIN
+	// and you are on a 32-bit machine. Won't fix this super-edge case.
+	dExpInt := int(d.exp)
+	if len(str) > -dExpInt {
+		intPart = str[:len(str)+dExpInt]
+		fractionalPart = str[len(str)+dExpInt:]
+	} else {
+		intPart = "0"
+
+		num0s := -dExpInt - len(str)
+		fractionalPart = strings.Repeat("0", num0s) + str
+	}
+
+	if trimTrailingZeros {
+		i := len(fractionalPart) - 1
+		for ; i >= 0; i-- {
+			if fractionalPart[i] != '0' {
+				break
+			}
+		}
+		fractionalPart = fractionalPart[:i+1]
+	}
+
+	number := intPart
+	if len(fractionalPart) > 0 {
+		number += "." + fractionalPart
+	}
+
+	if d.value.Sign() < 0 {
+		return "-" + number
+	}
+
+	return number
+}
+
+func (d *Decimal) ensureInitialized() {
+	if d.value == nil {
+		d.value = new(big.Int)
+	}
+}
+
+// Min returns the smallest Decimal that was passed in the arguments.
+//
+// To call this function with an array, you must do:
+//
+//	Min(arr[0], arr[1:]...)
+//
+// This makes it harder to accidentally call Min with 0 arguments.
+func Min(first Decimal, rest ...Decimal) Decimal {
+	ans := first
+	for _, item := range rest {
+		if item.Cmp(ans) < 0 {
+			ans = item
+		}
+	}
+	return ans
+}
+
+// Max returns the largest Decimal that was passed in the arguments.
+//
+// To call this function with an array, you must do:
+//
+//	Max(arr[0], arr[1:]...)
+//
+// This makes it harder to accidentally call Max with 0 arguments.
+func Max(first Decimal, rest ...Decimal) Decimal {
+	ans := first
+	for _, item := range rest {
+		if item.Cmp(ans) > 0 {
+			ans = item
+		}
+	}
+	return ans
+}
+
+// Sum returns the combined total of the provided first and rest Decimals
+func Sum(first Decimal, rest ...Decimal) Decimal {
+	total := first
+	for _, item := range rest {
+		total = total.Add(item)
+	}
+
+	return total
+}
+
+// Avg returns the average value of the provided first and rest Decimals
+func Avg(first Decimal, rest ...Decimal) Decimal {
+	count := New(int64(len(rest)+1), 0)
+	sum := Sum(first, rest...)
+	return sum.Div(count)
+}
+
+// RescalePair rescales two decimals to common exponential value (minimal exp of both decimals)
+func RescalePair(d1 Decimal, d2 Decimal) (Decimal, Decimal) {
+	d1.ensureInitialized()
+	d2.ensureInitialized()
+
+	if d1.exp < d2.exp {
+		return d1, d2.rescale(d1.exp)
+	} else if d1.exp > d2.exp {
+		return d1.rescale(d2.exp), d2
+	}
+
+	return d1, d2
+}
+
+func unquoteIfQuoted(value interface{}) (string, error) {
+	var bytes []byte
+
+	switch v := value.(type) {
+	case string:
+		bytes = []byte(v)
+	case []byte:
+		bytes = v
+	default:
+		return "", fmt.Errorf("could not convert value '%+v' to byte array of type '%T'", value, value)
+	}
+
+	// If the amount is quoted, strip the quotes
+	if len(bytes) > 2 && bytes[0] == '"' && bytes[len(bytes)-1] == '"' {
+		bytes = bytes[1 : len(bytes)-1]
+	}
+	return string(bytes), nil
+}
+
+// NullDecimal represents a nullable decimal with compatibility for
+// scanning null values from the database.
+type NullDecimal struct {
+	Decimal Decimal
+	Valid   bool
+}
+
+func NewNullDecimal(d Decimal) NullDecimal {
+	return NullDecimal{
+		Decimal: d,
+		Valid:   true,
+	}
+}
+
+// Scan implements the sql.Scanner interface for database deserialization.
+func (d *NullDecimal) Scan(value interface{}) error {
+	if value == nil {
+		d.Valid = false
+		return nil
+	}
+	d.Valid = true
+	return d.Decimal.Scan(value)
+}
+
+// Value implements the driver.Valuer interface for database serialization.
+func (d NullDecimal) Value() (driver.Value, error) {
+	if !d.Valid {
+		return nil, nil
+	}
+	return d.Decimal.Value()
+}
+
+// UnmarshalJSON implements the json.Unmarshaler interface.
+func (d *NullDecimal) UnmarshalJSON(decimalBytes []byte) error {
+	if string(decimalBytes) == "null" {
+		d.Valid = false
+		return nil
+	}
+	d.Valid = true
+	return d.Decimal.UnmarshalJSON(decimalBytes)
+}
+
+// MarshalJSON implements the json.Marshaler interface.
+func (d NullDecimal) MarshalJSON() ([]byte, error) {
+	if !d.Valid {
+		return []byte("null"), nil
+	}
+	return d.Decimal.MarshalJSON()
+}
+
+// UnmarshalText implements the encoding.TextUnmarshaler interface for XML
+// deserialization
+func (d *NullDecimal) UnmarshalText(text []byte) error {
+	str := string(text)
+
+	// check for empty XML or XML without body e.g., <tag></tag>
+	if str == "" {
+		d.Valid = false
+		return nil
+	}
+	if err := d.Decimal.UnmarshalText(text); err != nil {
+		d.Valid = false
+		return err
+	}
+	d.Valid = true
+	return nil
+}
+
+// MarshalText implements the encoding.TextMarshaler interface for XML
+// serialization.
+func (d NullDecimal) MarshalText() (text []byte, err error) {
+	if !d.Valid {
+		return []byte{}, nil
+	}
+	return d.Decimal.MarshalText()
+}
+
+// Trig functions
+
+// Atan returns the arctangent, in radians, of x.
+func (d Decimal) Atan() Decimal {
+	if d.Equal(NewFromFloat(0.0)) {
+		return d
+	}
+	if d.GreaterThan(NewFromFloat(0.0)) {
+		return d.satan()
+	}
+	return d.Neg().satan().Neg()
+}
+
+func (d Decimal) xatan() Decimal {
+	P0 := NewFromFloat(-8.750608600031904122785e-01)
+	P1 := NewFromFloat(-1.615753718733365076637e+01)
+	P2 := NewFromFloat(-7.500855792314704667340e+01)
+	P3 := NewFromFloat(-1.228866684490136173410e+02)
+	P4 := NewFromFloat(-6.485021904942025371773e+01)
+	Q0 := NewFromFloat(2.485846490142306297962e+01)
+	Q1 := NewFromFloat(1.650270098316988542046e+02)
+	Q2 := NewFromFloat(4.328810604912902668951e+02)
+	Q3 := NewFromFloat(4.853903996359136964868e+02)
+	Q4 := NewFromFloat(1.945506571482613964425e+02)
+	z := d.Mul(d)
+	b1 := P0.Mul(z).Add(P1).Mul(z).Add(P2).Mul(z).Add(P3).Mul(z).Add(P4).Mul(z)
+	b2 := z.Add(Q0).Mul(z).Add(Q1).Mul(z).Add(Q2).Mul(z).Add(Q3).Mul(z).Add(Q4)
+	z = b1.Div(b2)
+	z = d.Mul(z).Add(d)
+	return z
+}
+
+// satan reduces its argument (known to be positive)
+// to the range [0, 0.66] and calls xatan.
+func (d Decimal) satan() Decimal {
+	Morebits := NewFromFloat(6.123233995736765886130e-17) // pi/2 = PIO2 + Morebits
+	Tan3pio8 := NewFromFloat(2.41421356237309504880)      // tan(3*pi/8)
+	pi := NewFromFloat(3.14159265358979323846264338327950288419716939937510582097494459)
+
+	if d.LessThanOrEqual(NewFromFloat(0.66)) {
+		return d.xatan()
+	}
+	if d.GreaterThan(Tan3pio8) {
+		return pi.Div(NewFromFloat(2.0)).Sub(NewFromFloat(1.0).Div(d).xatan()).Add(Morebits)
+	}
+	return pi.Div(NewFromFloat(4.0)).Add((d.Sub(NewFromFloat(1.0)).Div(d.Add(NewFromFloat(1.0)))).xatan()).Add(NewFromFloat(0.5).Mul(Morebits))
+}
+
+// sin coefficients
+var _sin = [...]Decimal{
+	NewFromFloat(1.58962301576546568060e-10), // 0x3de5d8fd1fd19ccd
+	NewFromFloat(-2.50507477628578072866e-8), // 0xbe5ae5e5a9291f5d
+	NewFromFloat(2.75573136213857245213e-6),  // 0x3ec71de3567d48a1
+	NewFromFloat(-1.98412698295895385996e-4), // 0xbf2a01a019bfdf03
+	NewFromFloat(8.33333333332211858878e-3),  // 0x3f8111111110f7d0
+	NewFromFloat(-1.66666666666666307295e-1), // 0xbfc5555555555548
+}
+
+// Sin returns the sine of the radian argument x.
+func (d Decimal) Sin() Decimal {
+	PI4A := NewFromFloat(7.85398125648498535156e-1)                             // 0x3fe921fb40000000, Pi/4 split into three parts
+	PI4B := NewFromFloat(3.77489470793079817668e-8)                             // 0x3e64442d00000000,
+	PI4C := NewFromFloat(2.69515142907905952645e-15)                            // 0x3ce8469898cc5170,
+	M4PI := NewFromFloat(1.273239544735162542821171882678754627704620361328125) // 4/pi
+
+	if d.Equal(NewFromFloat(0.0)) {
+		return d
+	}
+	// make argument positive but save the sign
+	sign := false
+	if d.LessThan(NewFromFloat(0.0)) {
+		d = d.Neg()
+		sign = true
+	}
+
+	j := d.Mul(M4PI).IntPart()    // integer part of x/(Pi/4), as integer for tests on the phase angle
+	y := NewFromFloat(float64(j)) // integer part of x/(Pi/4), as float
+
+	// map zeros to origin
+	if j&1 == 1 {
+		j++
+		y = y.Add(NewFromFloat(1.0))
+	}
+	j &= 7 // octant modulo 2Pi radians (360 degrees)
+	// reflect in x axis
+	if j > 3 {
+		sign = !sign
+		j -= 4
+	}
+	z := d.Sub(y.Mul(PI4A)).Sub(y.Mul(PI4B)).Sub(y.Mul(PI4C)) // Extended precision modular arithmetic
+	zz := z.Mul(z)
+
+	if j == 1 || j == 2 {
+		w := zz.Mul(zz).Mul(_cos[0].Mul(zz).Add(_cos[1]).Mul(zz).Add(_cos[2]).Mul(zz).Add(_cos[3]).Mul(zz).Add(_cos[4]).Mul(zz).Add(_cos[5]))
+		y = NewFromFloat(1.0).Sub(NewFromFloat(0.5).Mul(zz)).Add(w)
+	} else {
+		y = z.Add(z.Mul(zz).Mul(_sin[0].Mul(zz).Add(_sin[1]).Mul(zz).Add(_sin[2]).Mul(zz).Add(_sin[3]).Mul(zz).Add(_sin[4]).Mul(zz).Add(_sin[5])))
+	}
+	if sign {
+		y = y.Neg()
+	}
+	return y
+}
+
+// cos coefficients
+var _cos = [...]Decimal{
+	NewFromFloat(-1.13585365213876817300e-11), // 0xbda8fa49a0861a9b
+	NewFromFloat(2.08757008419747316778e-9),   // 0x3e21ee9d7b4e3f05
+	NewFromFloat(-2.75573141792967388112e-7),  // 0xbe927e4f7eac4bc6
+	NewFromFloat(2.48015872888517045348e-5),   // 0x3efa01a019c844f5
+	NewFromFloat(-1.38888888888730564116e-3),  // 0xbf56c16c16c14f91
+	NewFromFloat(4.16666666666665929218e-2),   // 0x3fa555555555554b
+}
+
+// Cos returns the cosine of the radian argument x.
+func (d Decimal) Cos() Decimal {
+
+	PI4A := NewFromFloat(7.85398125648498535156e-1)                             // 0x3fe921fb40000000, Pi/4 split into three parts
+	PI4B := NewFromFloat(3.77489470793079817668e-8)                             // 0x3e64442d00000000,
+	PI4C := NewFromFloat(2.69515142907905952645e-15)                            // 0x3ce8469898cc5170,
+	M4PI := NewFromFloat(1.273239544735162542821171882678754627704620361328125) // 4/pi
+
+	// make argument positive
+	sign := false
+	if d.LessThan(NewFromFloat(0.0)) {
+		d = d.Neg()
+	}
+
+	j := d.Mul(M4PI).IntPart()    // integer part of x/(Pi/4), as integer for tests on the phase angle
+	y := NewFromFloat(float64(j)) // integer part of x/(Pi/4), as float
+
+	// map zeros to origin
+	if j&1 == 1 {
+		j++
+		y = y.Add(NewFromFloat(1.0))
+	}
+	j &= 7 // octant modulo 2Pi radians (360 degrees)
+	// reflect in x axis
+	if j > 3 {
+		sign = !sign
+		j -= 4
+	}
+	if j > 1 {
+		sign = !sign
+	}
+
+	z := d.Sub(y.Mul(PI4A)).Sub(y.Mul(PI4B)).Sub(y.Mul(PI4C)) // Extended precision modular arithmetic
+	zz := z.Mul(z)
+
+	if j == 1 || j == 2 {
+		y = z.Add(z.Mul(zz).Mul(_sin[0].Mul(zz).Add(_sin[1]).Mul(zz).Add(_sin[2]).Mul(zz).Add(_sin[3]).Mul(zz).Add(_sin[4]).Mul(zz).Add(_sin[5])))
+	} else {
+		w := zz.Mul(zz).Mul(_cos[0].Mul(zz).Add(_cos[1]).Mul(zz).Add(_cos[2]).Mul(zz).Add(_cos[3]).Mul(zz).Add(_cos[4]).Mul(zz).Add(_cos[5]))
+		y = NewFromFloat(1.0).Sub(NewFromFloat(0.5).Mul(zz)).Add(w)
+	}
+	if sign {
+		y = y.Neg()
+	}
+	return y
+}
+
+var _tanP = [...]Decimal{
+	NewFromFloat(-1.30936939181383777646e+4), // 0xc0c992d8d24f3f38
+	NewFromFloat(1.15351664838587416140e+6),  // 0x413199eca5fc9ddd
+	NewFromFloat(-1.79565251976484877988e+7), // 0xc1711fead3299176
+}
+var _tanQ = [...]Decimal{
+	NewFromFloat(1.00000000000000000000e+0),
+	NewFromFloat(1.36812963470692954678e+4),  //0x40cab8a5eeb36572
+	NewFromFloat(-1.32089234440210967447e+6), //0xc13427bc582abc96
+	NewFromFloat(2.50083801823357915839e+7),  //0x4177d98fc2ead8ef
+	NewFromFloat(-5.38695755929454629881e+7), //0xc189afe03cbe5a31
+}
+
+// Tan returns the tangent of the radian argument x.
+func (d Decimal) Tan() Decimal {
+
+	PI4A := NewFromFloat(7.85398125648498535156e-1)                             // 0x3fe921fb40000000, Pi/4 split into three parts
+	PI4B := NewFromFloat(3.77489470793079817668e-8)                             // 0x3e64442d00000000,
+	PI4C := NewFromFloat(2.69515142907905952645e-15)                            // 0x3ce8469898cc5170,
+	M4PI := NewFromFloat(1.273239544735162542821171882678754627704620361328125) // 4/pi
+
+	if d.Equal(NewFromFloat(0.0)) {
+		return d
+	}
+
+	// make argument positive but save the sign
+	sign := false
+	if d.LessThan(NewFromFloat(0.0)) {
+		d = d.Neg()
+		sign = true
+	}
+
+	j := d.Mul(M4PI).IntPart()    // integer part of x/(Pi/4), as integer for tests on the phase angle
+	y := NewFromFloat(float64(j)) // integer part of x/(Pi/4), as float
+
+	// map zeros to origin
+	if j&1 == 1 {
+		j++
+		y = y.Add(NewFromFloat(1.0))
+	}
+
+	z := d.Sub(y.Mul(PI4A)).Sub(y.Mul(PI4B)).Sub(y.Mul(PI4C)) // Extended precision modular arithmetic
+	zz := z.Mul(z)
+
+	if zz.GreaterThan(NewFromFloat(1e-14)) {
+		w := zz.Mul(_tanP[0].Mul(zz).Add(_tanP[1]).Mul(zz).Add(_tanP[2]))
+		x := zz.Add(_tanQ[1]).Mul(zz).Add(_tanQ[2]).Mul(zz).Add(_tanQ[3]).Mul(zz).Add(_tanQ[4])
+		y = z.Add(z.Mul(w.Div(x)))
+	} else {
+		y = z
+	}
+	if j&2 == 2 {
+		y = NewFromFloat(-1.0).Div(y)
+	}
+	if sign {
+		y = y.Neg()
+	}
+	return y
+}
diff --git a/vendor/github.com/shopspring/decimal/rounding.go b/vendor/github.com/shopspring/decimal/rounding.go
new file mode 100644
index 0000000000..d4b0cd0079
--- /dev/null
+++ b/vendor/github.com/shopspring/decimal/rounding.go
@@ -0,0 +1,160 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Multiprecision decimal numbers.
+// For floating-point formatting only; not general purpose.
+// Only operations are assign and (binary) left/right shift.
+// Can do binary floating point in multiprecision decimal precisely
+// because 2 divides 10; cannot do decimal floating point
+// in multiprecision binary precisely.
+
+package decimal
+
+type floatInfo struct {
+	mantbits uint
+	expbits  uint
+	bias     int
+}
+
+var float32info = floatInfo{23, 8, -127}
+var float64info = floatInfo{52, 11, -1023}
+
+// roundShortest rounds d (= mant * 2^exp) to the shortest number of digits
+// that will let the original floating point value be precisely reconstructed.
+func roundShortest(d *decimal, mant uint64, exp int, flt *floatInfo) {
+	// If mantissa is zero, the number is zero; stop now.
+	if mant == 0 {
+		d.nd = 0
+		return
+	}
+
+	// Compute upper and lower such that any decimal number
+	// between upper and lower (possibly inclusive)
+	// will round to the original floating point number.
+
+	// We may see at once that the number is already shortest.
+	//
+	// Suppose d is not denormal, so that 2^exp <= d < 10^dp.
+	// The closest shorter number is at least 10^(dp-nd) away.
+	// The lower/upper bounds computed below are at distance
+	// at most 2^(exp-mantbits).
+	//
+	// So the number is already shortest if 10^(dp-nd) > 2^(exp-mantbits),
+	// or equivalently log2(10)*(dp-nd) > exp-mantbits.
+	// It is true if 332/100*(dp-nd) >= exp-mantbits (log2(10) > 3.32).
+	minexp := flt.bias + 1 // minimum possible exponent
+	if exp > minexp && 332*(d.dp-d.nd) >= 100*(exp-int(flt.mantbits)) {
+		// The number is already shortest.
+		return
+	}
+
+	// d = mant << (exp - mantbits)
+	// Next highest floating point number is mant+1 << exp-mantbits.
+	// Our upper bound is halfway between, mant*2+1 << exp-mantbits-1.
+	upper := new(decimal)
+	upper.Assign(mant*2 + 1)
+	upper.Shift(exp - int(flt.mantbits) - 1)
+
+	// d = mant << (exp - mantbits)
+	// Next lowest floating point number is mant-1 << exp-mantbits,
+	// unless mant-1 drops the significant bit and exp is not the minimum exp,
+	// in which case the next lowest is mant*2-1 << exp-mantbits-1.
+	// Either way, call it mantlo << explo-mantbits.
+	// Our lower bound is halfway between, mantlo*2+1 << explo-mantbits-1.
+	var mantlo uint64
+	var explo int
+	if mant > 1<<flt.mantbits || exp == minexp {
+		mantlo = mant - 1
+		explo = exp
+	} else {
+		mantlo = mant*2 - 1
+		explo = exp - 1
+	}
+	lower := new(decimal)
+	lower.Assign(mantlo*2 + 1)
+	lower.Shift(explo - int(flt.mantbits) - 1)
+
+	// The upper and lower bounds are possible outputs only if
+	// the original mantissa is even, so that IEEE round-to-even
+	// would round to the original mantissa and not the neighbors.
+	inclusive := mant%2 == 0
+
+	// As we walk the digits we want to know whether rounding up would fall
+	// within the upper bound. This is tracked by upperdelta:
+	//
+	// If upperdelta == 0, the digits of d and upper are the same so far.
+	//
+	// If upperdelta == 1, we saw a difference of 1 between d and upper on a
+	// previous digit and subsequently only 9s for d and 0s for upper.
+	// (Thus rounding up may fall outside the bound, if it is exclusive.)
+	//
+	// If upperdelta == 2, then the difference is greater than 1
+	// and we know that rounding up falls within the bound.
+	var upperdelta uint8
+
+	// Now we can figure out the minimum number of digits required.
+	// Walk along until d has distinguished itself from upper and lower.
+	for ui := 0; ; ui++ {
+		// lower, d, and upper may have the decimal points at different
+		// places. In this case upper is the longest, so we iterate from
+		// ui==0 and start li and mi at (possibly) -1.
+		mi := ui - upper.dp + d.dp
+		if mi >= d.nd {
+			break
+		}
+		li := ui - upper.dp + lower.dp
+		l := byte('0') // lower digit
+		if li >= 0 && li < lower.nd {
+			l = lower.d[li]
+		}
+		m := byte('0') // middle digit
+		if mi >= 0 {
+			m = d.d[mi]
+		}
+		u := byte('0') // upper digit
+		if ui < upper.nd {
+			u = upper.d[ui]
+		}
+
+		// Okay to round down (truncate) if lower has a different digit
+		// or if lower is inclusive and is exactly the result of rounding
+		// down (i.e., and we have reached the final digit of lower).
+		okdown := l != m || inclusive && li+1 == lower.nd
+
+		switch {
+		case upperdelta == 0 && m+1 < u:
+			// Example:
+			// m = 12345xxx
+			// u = 12347xxx
+			upperdelta = 2
+		case upperdelta == 0 && m != u:
+			// Example:
+			// m = 12345xxx
+			// u = 12346xxx
+			upperdelta = 1
+		case upperdelta == 1 && (m != '9' || u != '0'):
+			// Example:
+			// m = 1234598x
+			// u = 1234600x
+			upperdelta = 2
+		}
+		// Okay to round up if upper has a different digit and either upper
+		// is inclusive or upper is bigger than the result of rounding up.
+		okup := upperdelta > 0 && (inclusive || upperdelta > 1 || ui+1 < upper.nd)
+
+		// If it's okay to do either, then round to the nearest one.
+		// If it's okay to do only one, do it.
+		switch {
+		case okdown && okup:
+			d.Round(mi + 1)
+			return
+		case okdown:
+			d.RoundDown(mi + 1)
+			return
+		case okup:
+			d.RoundUp(mi + 1)
+			return
+		}
+	}
+}
diff --git a/vendor/github.com/spf13/cast/.editorconfig b/vendor/github.com/spf13/cast/.editorconfig
new file mode 100644
index 0000000000..a85749f190
--- /dev/null
+++ b/vendor/github.com/spf13/cast/.editorconfig
@@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.go]
+indent_style = tab
+
+[{*.yml,*.yaml}]
+indent_size = 2
diff --git a/vendor/github.com/spf13/cast/.gitignore b/vendor/github.com/spf13/cast/.gitignore
new file mode 100644
index 0000000000..53053a8ac5
--- /dev/null
+++ b/vendor/github.com/spf13/cast/.gitignore
@@ -0,0 +1,25 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+
+*.bench
diff --git a/vendor/github.com/spf13/cast/.golangci.yaml b/vendor/github.com/spf13/cast/.golangci.yaml
new file mode 100644
index 0000000000..e00fd47aa2
--- /dev/null
+++ b/vendor/github.com/spf13/cast/.golangci.yaml
@@ -0,0 +1,39 @@
+version: "2"
+
+run:
+  timeout: 10m
+
+linters:
+  enable:
+    - errcheck
+    - govet
+    - ineffassign
+    - misspell
+    - nolintlint
+    # - revive
+    - unused
+
+  disable:
+    - staticcheck
+
+  settings:
+    misspell:
+      locale: US
+    nolintlint:
+      allow-unused: false # report any unused nolint directives
+      require-specific: false # don't require nolint directives to be specific about which linter is being skipped
+
+formatters:
+  enable:
+    - gci
+    - gofmt
+    # - gofumpt
+    - goimports
+    # - golines
+
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - localmodule
diff --git a/vendor/github.com/spf13/cast/LICENSE b/vendor/github.com/spf13/cast/LICENSE
new file mode 100644
index 0000000000..4527efb9c0
--- /dev/null
+++ b/vendor/github.com/spf13/cast/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Steve Francia
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/vendor/github.com/spf13/cast/Makefile b/vendor/github.com/spf13/cast/Makefile
new file mode 100644
index 0000000000..f01a5dbb6e
--- /dev/null
+++ b/vendor/github.com/spf13/cast/Makefile
@@ -0,0 +1,40 @@
+GOVERSION := $(shell go version | cut -d ' ' -f 3 | cut -d '.' -f 2)
+
+.PHONY: check fmt lint test test-race vet test-cover-html help
+.DEFAULT_GOAL := help
+
+check: test-race fmt vet lint ## Run tests and linters
+
+test: ## Run tests
+	go test ./...
+
+test-race: ## Run tests with race detector
+	go test -race ./...
+
+fmt: ## Run gofmt linter
+ifeq "$(GOVERSION)" "12"
+	@for d in `go list` ; do \
+		if [ "`gofmt -l -s $$GOPATH/src/$$d | tee /dev/stderr`" ]; then \
+			echo "^ improperly formatted go files" && echo && exit 1; \
+		fi \
+	done
+endif
+
+lint: ## Run golint linter
+	@for d in `go list` ; do \
+		if [ "`golint $$d | tee /dev/stderr`" ]; then \
+			echo "^ golint errors!" && echo && exit 1; \
+		fi \
+	done
+
+vet: ## Run go vet linter
+	@if [ "`go vet | tee /dev/stderr`" ]; then \
+		echo "^ go vet errors!" && echo && exit 1; \
+	fi
+
+test-cover-html: ## Generate test coverage report
+	go test -coverprofile=coverage.out -covermode=count
+	go tool cover -func=coverage.out
+
+help:
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/vendor/github.com/spf13/cast/README.md b/vendor/github.com/spf13/cast/README.md
new file mode 100644
index 0000000000..c58eccb3fd
--- /dev/null
+++ b/vendor/github.com/spf13/cast/README.md
@@ -0,0 +1,79 @@
+# cast
+
+[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/spf13/cast/ci.yaml?style=flat-square)](https://github.com/spf13/cast/actions/workflows/ci.yaml)
+[![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/mod/github.com/spf13/cast)
+![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/spf13/cast?style=flat-square&color=61CFDD)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/spf13/cast/badge?style=flat-square)](https://deps.dev/go/github.com%252Fspf13%252Fcast)
+
+Easy and safe casting from one type to another in Go
+
+Don’t Panic! ... Cast
+
+## What is Cast?
+
+Cast is a library to convert between different go types in a consistent and easy way.
+
+Cast provides simple functions to easily convert a number to a string, an
+interface into a bool, etc. Cast does this intelligently when an obvious
+conversion is possible. It doesn’t make any attempts to guess what you meant,
+for example you can only convert a string to an int when it is a string
+representation of an int such as “8�. Cast was developed for use in
+[Hugo](https://gohugo.io), a website engine which uses YAML, TOML or JSON
+for meta data.
+
+## Why use Cast?
+
+When working with dynamic data in Go you often need to cast or convert the data
+from one type into another. Cast goes beyond just using type assertion (though
+it uses that when possible) to provide a very straightforward and convenient
+library.
+
+If you are working with interfaces to handle things like dynamic content
+you’ll need an easy way to convert an interface into a given type. This
+is the library for you.
+
+If you are taking in data from YAML, TOML or JSON or other formats which lack
+full types, then Cast is the library for you.
+
+## Usage
+
+Cast provides a handful of To_____ methods. These methods will always return
+the desired type. **If input is provided that will not convert to that type, the
+0 or nil value for that type will be returned**.
+
+Cast also provides identical methods To_____E. These return the same result as
+the To_____ methods, plus an additional error which tells you if it successfully
+converted. Using these methods you can tell the difference between when the
+input matched the zero value or when the conversion failed and the zero value
+was returned.
+
+The following examples are merely a sample of what is available. Please review
+the code for a complete set.
+
+### Example ‘ToString’:
+
+    cast.ToString("mayonegg")         // "mayonegg"
+    cast.ToString(8)                  // "8"
+    cast.ToString(8.31)               // "8.31"
+    cast.ToString([]byte("one time")) // "one time"
+    cast.ToString(nil)                // ""
+
+	var foo interface{} = "one more time"
+    cast.ToString(foo)                // "one more time"
+
+
+### Example ‘ToInt’:
+
+    cast.ToInt(8)                  // 8
+    cast.ToInt(8.31)               // 8
+    cast.ToInt("8")                // 8
+    cast.ToInt(true)               // 1
+    cast.ToInt(false)              // 0
+
+	var eight interface{} = 8
+    cast.ToInt(eight)              // 8
+    cast.ToInt(nil)                // 0
+
+## License
+
+The project is licensed under the [MIT License](LICENSE).
diff --git a/vendor/github.com/spf13/cast/cast.go b/vendor/github.com/spf13/cast/cast.go
new file mode 100644
index 0000000000..386ba80a99
--- /dev/null
+++ b/vendor/github.com/spf13/cast/cast.go
@@ -0,0 +1,194 @@
+// Copyright © 2014 Steve Francia <spf@spf13.com>.
+//
+// Use of this source code is governed by an MIT-style
+// license that can be found in the LICENSE file.
+
+// Package cast provides easy and safe casting in Go.
+package cast
+
+import "time"
+
+// ToBool casts an interface to a bool type.
+func ToBool(i interface{}) bool {
+	v, _ := ToBoolE(i)
+	return v
+}
+
+// ToTime casts an interface to a time.Time type.
+func ToTime(i interface{}) time.Time {
+	v, _ := ToTimeE(i)
+	return v
+}
+
+func ToTimeInDefaultLocation(i interface{}, location *time.Location) time.Time {
+	v, _ := ToTimeInDefaultLocationE(i, location)
+	return v
+}
+
+// ToDuration casts an interface to a time.Duration type.
+func ToDuration(i interface{}) time.Duration {
+	v, _ := ToDurationE(i)
+	return v
+}
+
+// ToFloat64 casts an interface to a float64 type.
+func ToFloat64(i interface{}) float64 {
+	v, _ := ToFloat64E(i)
+	return v
+}
+
+// ToFloat32 casts an interface to a float32 type.
+func ToFloat32(i interface{}) float32 {
+	v, _ := ToFloat32E(i)
+	return v
+}
+
+// ToInt64 casts an interface to an int64 type.
+func ToInt64(i interface{}) int64 {
+	v, _ := ToInt64E(i)
+	return v
+}
+
+// ToInt32 casts an interface to an int32 type.
+func ToInt32(i interface{}) int32 {
+	v, _ := ToInt32E(i)
+	return v
+}
+
+// ToInt16 casts an interface to an int16 type.
+func ToInt16(i interface{}) int16 {
+	v, _ := ToInt16E(i)
+	return v
+}
+
+// ToInt8 casts an interface to an int8 type.
+func ToInt8(i interface{}) int8 {
+	v, _ := ToInt8E(i)
+	return v
+}
+
+// ToInt casts an interface to an int type.
+func ToInt(i interface{}) int {
+	v, _ := ToIntE(i)
+	return v
+}
+
+// ToUint casts an interface to a uint type.
+func ToUint(i interface{}) uint {
+	v, _ := ToUintE(i)
+	return v
+}
+
+// ToUint64 casts an interface to a uint64 type.
+func ToUint64(i interface{}) uint64 {
+	v, _ := ToUint64E(i)
+	return v
+}
+
+// ToUint32 casts an interface to a uint32 type.
+func ToUint32(i interface{}) uint32 {
+	v, _ := ToUint32E(i)
+	return v
+}
+
+// ToUint16 casts an interface to a uint16 type.
+func ToUint16(i interface{}) uint16 {
+	v, _ := ToUint16E(i)
+	return v
+}
+
+// ToUint8 casts an interface to a uint8 type.
+func ToUint8(i interface{}) uint8 {
+	v, _ := ToUint8E(i)
+	return v
+}
+
+// ToString casts an interface to a string type.
+func ToString(i interface{}) string {
+	v, _ := ToStringE(i)
+	return v
+}
+
+// ToStringMapString casts an interface to a map[string]string type.
+func ToStringMapString(i interface{}) map[string]string {
+	v, _ := ToStringMapStringE(i)
+	return v
+}
+
+// ToStringMapStringSlice casts an interface to a map[string][]string type.
+func ToStringMapStringSlice(i interface{}) map[string][]string {
+	v, _ := ToStringMapStringSliceE(i)
+	return v
+}
+
+// ToStringMapBool casts an interface to a map[string]bool type.
+func ToStringMapBool(i interface{}) map[string]bool {
+	v, _ := ToStringMapBoolE(i)
+	return v
+}
+
+// ToStringMapInt casts an interface to a map[string]int type.
+func ToStringMapInt(i interface{}) map[string]int {
+	v, _ := ToStringMapIntE(i)
+	return v
+}
+
+// ToStringMapInt64 casts an interface to a map[string]int64 type.
+func ToStringMapInt64(i interface{}) map[string]int64 {
+	v, _ := ToStringMapInt64E(i)
+	return v
+}
+
+// ToStringMap casts an interface to a map[string]interface{} type.
+func ToStringMap(i interface{}) map[string]interface{} {
+	v, _ := ToStringMapE(i)
+	return v
+}
+
+// ToSlice casts an interface to a []interface{} type.
+func ToSlice(i interface{}) []interface{} {
+	v, _ := ToSliceE(i)
+	return v
+}
+
+// ToBoolSlice casts an interface to a []bool type.
+func ToBoolSlice(i interface{}) []bool {
+	v, _ := ToBoolSliceE(i)
+	return v
+}
+
+// ToStringSlice casts an interface to a []string type.
+func ToStringSlice(i interface{}) []string {
+	v, _ := ToStringSliceE(i)
+	return v
+}
+
+// ToIntSlice casts an interface to a []int type.
+func ToIntSlice(i interface{}) []int {
+	v, _ := ToIntSliceE(i)
+	return v
+}
+
+// ToInt64Slice casts an interface to a []int64 type.
+func ToInt64Slice(i interface{}) []int64 {
+	v, _ := ToInt64SliceE(i)
+	return v
+}
+
+// ToUintSlice casts an interface to a []uint type.
+func ToUintSlice(i interface{}) []uint {
+	v, _ := ToUintSliceE(i)
+	return v
+}
+
+// ToFloat64Slice casts an interface to a []float64 type.
+func ToFloat64Slice(i interface{}) []float64 {
+	v, _ := ToFloat64SliceE(i)
+	return v
+}
+
+// ToDurationSlice casts an interface to a []time.Duration type.
+func ToDurationSlice(i interface{}) []time.Duration {
+	v, _ := ToDurationSliceE(i)
+	return v
+}
diff --git a/vendor/github.com/spf13/cast/caste.go b/vendor/github.com/spf13/cast/caste.go
new file mode 100644
index 0000000000..4d4ca8db15
--- /dev/null
+++ b/vendor/github.com/spf13/cast/caste.go
@@ -0,0 +1,1472 @@
+// Copyright © 2014 Steve Francia <spf@spf13.com>.
+//
+// Use of this source code is governed by an MIT-style
+// license that can be found in the LICENSE file.
+
+package cast
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"html/template"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+)
+
+var errNegativeNotAllowed = errors.New("unable to cast negative value")
+
+type float64EProvider interface {
+	Float64() (float64, error)
+}
+
+type float64Provider interface {
+	Float64() float64
+}
+
+// ToTimeE casts an interface to a time.Time type.
+func ToTimeE(i interface{}) (tim time.Time, err error) {
+	return ToTimeInDefaultLocationE(i, time.UTC)
+}
+
+// ToTimeInDefaultLocationE casts an empty interface to time.Time,
+// interpreting inputs without a timezone to be in the given location,
+// or the local timezone if nil.
+func ToTimeInDefaultLocationE(i interface{}, location *time.Location) (tim time.Time, err error) {
+	i = indirect(i)
+
+	switch v := i.(type) {
+	case time.Time:
+		return v, nil
+	case string:
+		return StringToDateInDefaultLocation(v, location)
+	case json.Number:
+		s, err1 := ToInt64E(v)
+		if err1 != nil {
+			return time.Time{}, fmt.Errorf("unable to cast %#v of type %T to Time", i, i)
+		}
+		return time.Unix(s, 0), nil
+	case int:
+		return time.Unix(int64(v), 0), nil
+	case int64:
+		return time.Unix(v, 0), nil
+	case int32:
+		return time.Unix(int64(v), 0), nil
+	case uint:
+		return time.Unix(int64(v), 0), nil
+	case uint64:
+		return time.Unix(int64(v), 0), nil
+	case uint32:
+		return time.Unix(int64(v), 0), nil
+	default:
+		return time.Time{}, fmt.Errorf("unable to cast %#v of type %T to Time", i, i)
+	}
+}
+
+// ToDurationE casts an interface to a time.Duration type.
+func ToDurationE(i interface{}) (d time.Duration, err error) {
+	i = indirect(i)
+
+	switch s := i.(type) {
+	case time.Duration:
+		return s, nil
+	case int, int64, int32, int16, int8, uint, uint64, uint32, uint16, uint8:
+		d = time.Duration(ToInt64(s))
+		return
+	case float32, float64:
+		d = time.Duration(ToFloat64(s))
+		return
+	case string:
+		if strings.ContainsAny(s, "nsuµmh") {
+			d, err = time.ParseDuration(s)
+		} else {
+			d, err = time.ParseDuration(s + "ns")
+		}
+		return
+	case float64EProvider:
+		var v float64
+		v, err = s.Float64()
+		d = time.Duration(v)
+		return
+	case float64Provider:
+		d = time.Duration(s.Float64())
+		return
+	default:
+		err = fmt.Errorf("unable to cast %#v of type %T to Duration", i, i)
+		return
+	}
+}
+
+// ToBoolE casts an interface to a bool type.
+func ToBoolE(i interface{}) (bool, error) {
+	i = indirect(i)
+
+	switch b := i.(type) {
+	case bool:
+		return b, nil
+	case nil:
+		return false, nil
+	case int:
+		return b != 0, nil
+	case int64:
+		return b != 0, nil
+	case int32:
+		return b != 0, nil
+	case int16:
+		return b != 0, nil
+	case int8:
+		return b != 0, nil
+	case uint:
+		return b != 0, nil
+	case uint64:
+		return b != 0, nil
+	case uint32:
+		return b != 0, nil
+	case uint16:
+		return b != 0, nil
+	case uint8:
+		return b != 0, nil
+	case float64:
+		return b != 0, nil
+	case float32:
+		return b != 0, nil
+	case time.Duration:
+		return b != 0, nil
+	case string:
+		return strconv.ParseBool(i.(string))
+	case json.Number:
+		v, err := ToInt64E(b)
+		if err == nil {
+			return v != 0, nil
+		}
+		return false, fmt.Errorf("unable to cast %#v of type %T to bool", i, i)
+	default:
+		return false, fmt.Errorf("unable to cast %#v of type %T to bool", i, i)
+	}
+}
+
+// ToFloat64E casts an interface to a float64 type.
+func ToFloat64E(i interface{}) (float64, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		return float64(intv), nil
+	}
+
+	switch s := i.(type) {
+	case float64:
+		return s, nil
+	case float32:
+		return float64(s), nil
+	case int64:
+		return float64(s), nil
+	case int32:
+		return float64(s), nil
+	case int16:
+		return float64(s), nil
+	case int8:
+		return float64(s), nil
+	case uint:
+		return float64(s), nil
+	case uint64:
+		return float64(s), nil
+	case uint32:
+		return float64(s), nil
+	case uint16:
+		return float64(s), nil
+	case uint8:
+		return float64(s), nil
+	case string:
+		v, err := strconv.ParseFloat(s, 64)
+		if err == nil {
+			return v, nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to float64", i, i)
+	case float64EProvider:
+		v, err := s.Float64()
+		if err == nil {
+			return v, nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to float64", i, i)
+	case float64Provider:
+		return s.Float64(), nil
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to float64", i, i)
+	}
+}
+
+// ToFloat32E casts an interface to a float32 type.
+func ToFloat32E(i interface{}) (float32, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		return float32(intv), nil
+	}
+
+	switch s := i.(type) {
+	case float64:
+		return float32(s), nil
+	case float32:
+		return s, nil
+	case int64:
+		return float32(s), nil
+	case int32:
+		return float32(s), nil
+	case int16:
+		return float32(s), nil
+	case int8:
+		return float32(s), nil
+	case uint:
+		return float32(s), nil
+	case uint64:
+		return float32(s), nil
+	case uint32:
+		return float32(s), nil
+	case uint16:
+		return float32(s), nil
+	case uint8:
+		return float32(s), nil
+	case string:
+		v, err := strconv.ParseFloat(s, 32)
+		if err == nil {
+			return float32(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to float32", i, i)
+	case float64EProvider:
+		v, err := s.Float64()
+		if err == nil {
+			return float32(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to float32", i, i)
+	case float64Provider:
+		return float32(s.Float64()), nil
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to float32", i, i)
+	}
+}
+
+// ToInt64E casts an interface to an int64 type.
+func ToInt64E(i interface{}) (int64, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		return int64(intv), nil
+	}
+
+	switch s := i.(type) {
+	case int64:
+		return s, nil
+	case int32:
+		return int64(s), nil
+	case int16:
+		return int64(s), nil
+	case int8:
+		return int64(s), nil
+	case uint:
+		return int64(s), nil
+	case uint64:
+		return int64(s), nil
+	case uint32:
+		return int64(s), nil
+	case uint16:
+		return int64(s), nil
+	case uint8:
+		return int64(s), nil
+	case float64:
+		return int64(s), nil
+	case float32:
+		return int64(s), nil
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			return v, nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int64", i, i)
+	case json.Number:
+		return ToInt64E(string(s))
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int64", i, i)
+	}
+}
+
+// ToInt32E casts an interface to an int32 type.
+func ToInt32E(i interface{}) (int32, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		return int32(intv), nil
+	}
+
+	switch s := i.(type) {
+	case int64:
+		return int32(s), nil
+	case int32:
+		return s, nil
+	case int16:
+		return int32(s), nil
+	case int8:
+		return int32(s), nil
+	case uint:
+		return int32(s), nil
+	case uint64:
+		return int32(s), nil
+	case uint32:
+		return int32(s), nil
+	case uint16:
+		return int32(s), nil
+	case uint8:
+		return int32(s), nil
+	case float64:
+		return int32(s), nil
+	case float32:
+		return int32(s), nil
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			return int32(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int32", i, i)
+	case json.Number:
+		return ToInt32E(string(s))
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int32", i, i)
+	}
+}
+
+// ToInt16E casts an interface to an int16 type.
+func ToInt16E(i interface{}) (int16, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		return int16(intv), nil
+	}
+
+	switch s := i.(type) {
+	case int64:
+		return int16(s), nil
+	case int32:
+		return int16(s), nil
+	case int16:
+		return s, nil
+	case int8:
+		return int16(s), nil
+	case uint:
+		return int16(s), nil
+	case uint64:
+		return int16(s), nil
+	case uint32:
+		return int16(s), nil
+	case uint16:
+		return int16(s), nil
+	case uint8:
+		return int16(s), nil
+	case float64:
+		return int16(s), nil
+	case float32:
+		return int16(s), nil
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			return int16(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int16", i, i)
+	case json.Number:
+		return ToInt16E(string(s))
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int16", i, i)
+	}
+}
+
+// ToInt8E casts an interface to an int8 type.
+func ToInt8E(i interface{}) (int8, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		return int8(intv), nil
+	}
+
+	switch s := i.(type) {
+	case int64:
+		return int8(s), nil
+	case int32:
+		return int8(s), nil
+	case int16:
+		return int8(s), nil
+	case int8:
+		return s, nil
+	case uint:
+		return int8(s), nil
+	case uint64:
+		return int8(s), nil
+	case uint32:
+		return int8(s), nil
+	case uint16:
+		return int8(s), nil
+	case uint8:
+		return int8(s), nil
+	case float64:
+		return int8(s), nil
+	case float32:
+		return int8(s), nil
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			return int8(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int8", i, i)
+	case json.Number:
+		return ToInt8E(string(s))
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int8", i, i)
+	}
+}
+
+// ToIntE casts an interface to an int type.
+func ToIntE(i interface{}) (int, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		return intv, nil
+	}
+
+	switch s := i.(type) {
+	case int64:
+		return int(s), nil
+	case int32:
+		return int(s), nil
+	case int16:
+		return int(s), nil
+	case int8:
+		return int(s), nil
+	case uint:
+		return int(s), nil
+	case uint64:
+		return int(s), nil
+	case uint32:
+		return int(s), nil
+	case uint16:
+		return int(s), nil
+	case uint8:
+		return int(s), nil
+	case float64:
+		return int(s), nil
+	case float32:
+		return int(s), nil
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			return int(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int64", i, i)
+	case json.Number:
+		return ToIntE(string(s))
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to int", i, i)
+	}
+}
+
+// ToUintE casts an interface to a uint type.
+func ToUintE(i interface{}) (uint, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		if intv < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint(intv), nil
+	}
+
+	switch s := i.(type) {
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			if v < 0 {
+				return 0, errNegativeNotAllowed
+			}
+			return uint(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint", i, i)
+	case json.Number:
+		return ToUintE(string(s))
+	case int64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint(s), nil
+	case int32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint(s), nil
+	case int16:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint(s), nil
+	case int8:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint(s), nil
+	case uint:
+		return s, nil
+	case uint64:
+		return uint(s), nil
+	case uint32:
+		return uint(s), nil
+	case uint16:
+		return uint(s), nil
+	case uint8:
+		return uint(s), nil
+	case float64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint(s), nil
+	case float32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint(s), nil
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint", i, i)
+	}
+}
+
+// ToUint64E casts an interface to a uint64 type.
+func ToUint64E(i interface{}) (uint64, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		if intv < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint64(intv), nil
+	}
+
+	switch s := i.(type) {
+	case string:
+		v, err := strconv.ParseUint(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			return v, nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint64", i, i)
+	case json.Number:
+		return ToUint64E(string(s))
+	case int64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint64(s), nil
+	case int32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint64(s), nil
+	case int16:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint64(s), nil
+	case int8:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint64(s), nil
+	case uint:
+		return uint64(s), nil
+	case uint64:
+		return s, nil
+	case uint32:
+		return uint64(s), nil
+	case uint16:
+		return uint64(s), nil
+	case uint8:
+		return uint64(s), nil
+	case float32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint64(s), nil
+	case float64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint64(s), nil
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint64", i, i)
+	}
+}
+
+// ToUint32E casts an interface to a uint32 type.
+func ToUint32E(i interface{}) (uint32, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		if intv < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint32(intv), nil
+	}
+
+	switch s := i.(type) {
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			if v < 0 {
+				return 0, errNegativeNotAllowed
+			}
+			return uint32(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint32", i, i)
+	case json.Number:
+		return ToUint32E(string(s))
+	case int64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint32(s), nil
+	case int32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint32(s), nil
+	case int16:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint32(s), nil
+	case int8:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint32(s), nil
+	case uint:
+		return uint32(s), nil
+	case uint64:
+		return uint32(s), nil
+	case uint32:
+		return s, nil
+	case uint16:
+		return uint32(s), nil
+	case uint8:
+		return uint32(s), nil
+	case float64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint32(s), nil
+	case float32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint32(s), nil
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint32", i, i)
+	}
+}
+
+// ToUint16E casts an interface to a uint16 type.
+func ToUint16E(i interface{}) (uint16, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		if intv < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint16(intv), nil
+	}
+
+	switch s := i.(type) {
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			if v < 0 {
+				return 0, errNegativeNotAllowed
+			}
+			return uint16(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint16", i, i)
+	case json.Number:
+		return ToUint16E(string(s))
+	case int64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint16(s), nil
+	case int32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint16(s), nil
+	case int16:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint16(s), nil
+	case int8:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint16(s), nil
+	case uint:
+		return uint16(s), nil
+	case uint64:
+		return uint16(s), nil
+	case uint32:
+		return uint16(s), nil
+	case uint16:
+		return s, nil
+	case uint8:
+		return uint16(s), nil
+	case float64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint16(s), nil
+	case float32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint16(s), nil
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint16", i, i)
+	}
+}
+
+// ToUint8E casts an interface to a uint type.
+func ToUint8E(i interface{}) (uint8, error) {
+	i = indirect(i)
+
+	intv, ok := toInt(i)
+	if ok {
+		if intv < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint8(intv), nil
+	}
+
+	switch s := i.(type) {
+	case string:
+		v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0)
+		if err == nil {
+			if v < 0 {
+				return 0, errNegativeNotAllowed
+			}
+			return uint8(v), nil
+		}
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint8", i, i)
+	case json.Number:
+		return ToUint8E(string(s))
+	case int64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint8(s), nil
+	case int32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint8(s), nil
+	case int16:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint8(s), nil
+	case int8:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint8(s), nil
+	case uint:
+		return uint8(s), nil
+	case uint64:
+		return uint8(s), nil
+	case uint32:
+		return uint8(s), nil
+	case uint16:
+		return uint8(s), nil
+	case uint8:
+		return s, nil
+	case float64:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint8(s), nil
+	case float32:
+		if s < 0 {
+			return 0, errNegativeNotAllowed
+		}
+		return uint8(s), nil
+	case bool:
+		if s {
+			return 1, nil
+		}
+		return 0, nil
+	case nil:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unable to cast %#v of type %T to uint8", i, i)
+	}
+}
+
+// From html/template/content.go
+// Copyright 2011 The Go Authors. All rights reserved.
+// indirect returns the value, after dereferencing as many times
+// as necessary to reach the base type (or nil).
+func indirect(a interface{}) interface{} {
+	if a == nil {
+		return nil
+	}
+	if t := reflect.TypeOf(a); t.Kind() != reflect.Ptr {
+		// Avoid creating a reflect.Value if it's not a pointer.
+		return a
+	}
+	v := reflect.ValueOf(a)
+	for v.Kind() == reflect.Ptr && !v.IsNil() {
+		v = v.Elem()
+	}
+	return v.Interface()
+}
+
+// From html/template/content.go
+// Copyright 2011 The Go Authors. All rights reserved.
+// indirectToStringerOrError returns the value, after dereferencing as many times
+// as necessary to reach the base type (or nil) or an implementation of fmt.Stringer
+// or error,
+func indirectToStringerOrError(a interface{}) interface{} {
+	if a == nil {
+		return nil
+	}
+
+	errorType := reflect.TypeOf((*error)(nil)).Elem()
+	fmtStringerType := reflect.TypeOf((*fmt.Stringer)(nil)).Elem()
+
+	v := reflect.ValueOf(a)
+	for !v.Type().Implements(fmtStringerType) && !v.Type().Implements(errorType) && v.Kind() == reflect.Ptr && !v.IsNil() {
+		v = v.Elem()
+	}
+	return v.Interface()
+}
+
+// ToStringE casts an interface to a string type.
+func ToStringE(i interface{}) (string, error) {
+	i = indirectToStringerOrError(i)
+
+	switch s := i.(type) {
+	case string:
+		return s, nil
+	case bool:
+		return strconv.FormatBool(s), nil
+	case float64:
+		return strconv.FormatFloat(s, 'f', -1, 64), nil
+	case float32:
+		return strconv.FormatFloat(float64(s), 'f', -1, 32), nil
+	case int:
+		return strconv.Itoa(s), nil
+	case int64:
+		return strconv.FormatInt(s, 10), nil
+	case int32:
+		return strconv.Itoa(int(s)), nil
+	case int16:
+		return strconv.FormatInt(int64(s), 10), nil
+	case int8:
+		return strconv.FormatInt(int64(s), 10), nil
+	case uint:
+		return strconv.FormatUint(uint64(s), 10), nil
+	case uint64:
+		return strconv.FormatUint(uint64(s), 10), nil
+	case uint32:
+		return strconv.FormatUint(uint64(s), 10), nil
+	case uint16:
+		return strconv.FormatUint(uint64(s), 10), nil
+	case uint8:
+		return strconv.FormatUint(uint64(s), 10), nil
+	case json.Number:
+		return s.String(), nil
+	case []byte:
+		return string(s), nil
+	case template.HTML:
+		return string(s), nil
+	case template.URL:
+		return string(s), nil
+	case template.JS:
+		return string(s), nil
+	case template.CSS:
+		return string(s), nil
+	case template.HTMLAttr:
+		return string(s), nil
+	case nil:
+		return "", nil
+	case fmt.Stringer:
+		return s.String(), nil
+	case error:
+		return s.Error(), nil
+	default:
+		return "", fmt.Errorf("unable to cast %#v of type %T to string", i, i)
+	}
+}
+
+func toMapE[K comparable, V any](i any, keyFn func(any) K, valFn func(any) V) (map[K]V, error) {
+	m := map[K]V{}
+
+	if i == nil {
+		return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m)
+	}
+
+	switch v := i.(type) {
+	case map[K]V:
+		return v, nil
+
+	case map[K]any:
+		for k, val := range v {
+			m[k] = valFn(val)
+		}
+
+		return m, nil
+
+	case map[any]V:
+		for k, val := range v {
+			m[keyFn(k)] = val
+		}
+
+		return m, nil
+
+	case map[any]any:
+		for k, val := range v {
+			m[keyFn(k)] = valFn(val)
+		}
+
+		return m, nil
+
+	case string:
+		err := jsonStringToObject(v, &m)
+
+		return m, err
+
+	default:
+		return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m)
+	}
+}
+
+func toStringMapE[T any](i any, fn func(any) T) (map[string]T, error) {
+	return toMapE(i, ToString, fn)
+}
+
+// ToStringMapStringE casts an interface to a map[string]string type.
+func ToStringMapStringE(i any) (map[string]string, error) {
+	return toStringMapE(i, ToString)
+}
+
+// ToStringMapStringSliceE casts an interface to a map[string][]string type.
+func ToStringMapStringSliceE(i interface{}) (map[string][]string, error) {
+	m := map[string][]string{}
+
+	switch v := i.(type) {
+	case map[string][]string:
+		return v, nil
+	case map[string][]interface{}:
+		for k, val := range v {
+			m[ToString(k)] = ToStringSlice(val)
+		}
+		return m, nil
+	case map[string]string:
+		for k, val := range v {
+			m[ToString(k)] = []string{val}
+		}
+	case map[string]interface{}:
+		for k, val := range v {
+			switch vt := val.(type) {
+			case []interface{}:
+				m[ToString(k)] = ToStringSlice(vt)
+			case []string:
+				m[ToString(k)] = vt
+			default:
+				m[ToString(k)] = []string{ToString(val)}
+			}
+		}
+		return m, nil
+	case map[interface{}][]string:
+		for k, val := range v {
+			m[ToString(k)] = ToStringSlice(val)
+		}
+		return m, nil
+	case map[interface{}]string:
+		for k, val := range v {
+			m[ToString(k)] = ToStringSlice(val)
+		}
+		return m, nil
+	case map[interface{}][]interface{}:
+		for k, val := range v {
+			m[ToString(k)] = ToStringSlice(val)
+		}
+		return m, nil
+	case map[interface{}]interface{}:
+		for k, val := range v {
+			key, err := ToStringE(k)
+			if err != nil {
+				return m, fmt.Errorf("unable to cast %#v of type %T to map[string][]string", i, i)
+			}
+			value, err := ToStringSliceE(val)
+			if err != nil {
+				return m, fmt.Errorf("unable to cast %#v of type %T to map[string][]string", i, i)
+			}
+			m[key] = value
+		}
+	case string:
+		err := jsonStringToObject(v, &m)
+		return m, err
+	default:
+		return m, fmt.Errorf("unable to cast %#v of type %T to map[string][]string", i, i)
+	}
+	return m, nil
+}
+
+// ToStringMapBoolE casts an interface to a map[string]bool type.
+func ToStringMapBoolE(i interface{}) (map[string]bool, error) {
+	return toStringMapE(i, ToBool)
+}
+
+// ToStringMapE casts an interface to a map[string]interface{} type.
+func ToStringMapE(i interface{}) (map[string]interface{}, error) {
+	fn := func(i any) any { return i }
+
+	return toStringMapE(i, fn)
+}
+
+func toStringMapIntE[T int | int64](i any, fn func(any) T, fnE func(any) (T, error)) (map[string]T, error) {
+	m := map[string]T{}
+
+	if i == nil {
+		return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m)
+	}
+
+	switch v := i.(type) {
+	case map[string]T:
+		return v, nil
+
+	case map[string]any:
+		for k, val := range v {
+			m[k] = fn(val)
+		}
+
+		return m, nil
+
+	case map[any]T:
+		for k, val := range v {
+			m[ToString(k)] = val
+		}
+
+		return m, nil
+
+	case map[any]any:
+		for k, val := range v {
+			m[ToString(k)] = fn(val)
+		}
+
+		return m, nil
+
+	case string:
+		err := jsonStringToObject(v, &m)
+
+		return m, err
+	}
+
+	if reflect.TypeOf(i).Kind() != reflect.Map {
+		return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m)
+	}
+
+	mVal := reflect.ValueOf(m)
+	v := reflect.ValueOf(i)
+
+	for _, keyVal := range v.MapKeys() {
+		val, err := fnE(v.MapIndex(keyVal).Interface())
+		if err != nil {
+			return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m)
+		}
+
+		mVal.SetMapIndex(keyVal, reflect.ValueOf(val))
+	}
+
+	return m, nil
+}
+
+// ToStringMapIntE casts an interface to a map[string]int{} type.
+func ToStringMapIntE(i any) (map[string]int, error) {
+	return toStringMapIntE(i, ToInt, ToIntE)
+}
+
+// ToStringMapInt64E casts an interface to a map[string]int64{} type.
+func ToStringMapInt64E(i interface{}) (map[string]int64, error) {
+	return toStringMapIntE(i, ToInt64, ToInt64E)
+}
+
+// ToSliceE casts an interface to a []interface{} type.
+func ToSliceE(i interface{}) ([]interface{}, error) {
+	var s []interface{}
+
+	switch v := i.(type) {
+	case []interface{}:
+		return append(s, v...), nil
+	case []map[string]interface{}:
+		for _, u := range v {
+			s = append(s, u)
+		}
+		return s, nil
+	default:
+		return s, fmt.Errorf("unable to cast %#v of type %T to []interface{}", i, i)
+	}
+}
+
+func toSliceE[T any](i any, fn func(any) (T, error)) ([]T, error) {
+	if i == nil {
+		return []T{}, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, []T{})
+	}
+
+	switch v := i.(type) {
+	case []T:
+		return v, nil
+	}
+
+	kind := reflect.TypeOf(i).Kind()
+	switch kind {
+	case reflect.Slice, reflect.Array:
+		s := reflect.ValueOf(i)
+		a := make([]T, s.Len())
+		for j := 0; j < s.Len(); j++ {
+			val, err := fn(s.Index(j).Interface())
+			if err != nil {
+				return []T{}, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, []T{})
+			}
+			a[j] = val
+		}
+		return a, nil
+	default:
+		return []T{}, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, []T{})
+	}
+}
+
+// ToBoolSliceE casts an interface to a []bool type.
+func ToBoolSliceE(i interface{}) ([]bool, error) {
+	return toSliceE(i, ToBoolE)
+}
+
+// ToStringSliceE casts an interface to a []string type.
+func ToStringSliceE(i interface{}) ([]string, error) {
+	var a []string
+
+	switch v := i.(type) {
+	case []interface{}:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []string:
+		return v, nil
+	case []int8:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []int:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []int32:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []int64:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []uint8:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []uint:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []uint32:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []uint64:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []float32:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case []float64:
+		for _, u := range v {
+			a = append(a, ToString(u))
+		}
+		return a, nil
+	case string:
+		return strings.Fields(v), nil
+	case []error:
+		for _, err := range i.([]error) {
+			a = append(a, err.Error())
+		}
+		return a, nil
+	case interface{}:
+		str, err := ToStringE(v)
+		if err != nil {
+			return a, fmt.Errorf("unable to cast %#v of type %T to []string", i, i)
+		}
+		return []string{str}, nil
+	default:
+		return a, fmt.Errorf("unable to cast %#v of type %T to []string", i, i)
+	}
+}
+
+// ToIntSliceE casts an interface to a []int type.
+func ToIntSliceE(i interface{}) ([]int, error) {
+	return toSliceE(i, ToIntE)
+}
+
+// ToUintSliceE casts an interface to a []uint type.
+func ToUintSliceE(i interface{}) ([]uint, error) {
+	return toSliceE(i, ToUintE)
+}
+
+// ToFloat64SliceE casts an interface to a []float64 type.
+func ToFloat64SliceE(i interface{}) ([]float64, error) {
+	return toSliceE(i, ToFloat64E)
+}
+
+// ToInt64SliceE casts an interface to a []int64 type.
+func ToInt64SliceE(i interface{}) ([]int64, error) {
+	return toSliceE(i, ToInt64E)
+}
+
+// ToDurationSliceE casts an interface to a []time.Duration type.
+func ToDurationSliceE(i interface{}) ([]time.Duration, error) {
+	return toSliceE(i, ToDurationE)
+}
+
+// StringToDate attempts to parse a string into a time.Time type using a
+// predefined list of formats.  If no suitable format is found, an error is
+// returned.
+func StringToDate(s string) (time.Time, error) {
+	return parseDateWith(s, time.UTC, timeFormats)
+}
+
+// StringToDateInDefaultLocation casts an empty interface to a time.Time,
+// interpreting inputs without a timezone to be in the given location,
+// or the local timezone if nil.
+func StringToDateInDefaultLocation(s string, location *time.Location) (time.Time, error) {
+	return parseDateWith(s, location, timeFormats)
+}
+
+type timeFormatType int
+
+const (
+	timeFormatNoTimezone timeFormatType = iota
+	timeFormatNamedTimezone
+	timeFormatNumericTimezone
+	timeFormatNumericAndNamedTimezone
+	timeFormatTimeOnly
+)
+
+type timeFormat struct {
+	format string
+	typ    timeFormatType
+}
+
+func (f timeFormat) hasTimezone() bool {
+	// We don't include the formats with only named timezones, see
+	// https://github.com/golang/go/issues/19694#issuecomment-289103522
+	return f.typ >= timeFormatNumericTimezone && f.typ <= timeFormatNumericAndNamedTimezone
+}
+
+var timeFormats = []timeFormat{
+	// Keep common formats at the top.
+	{"2006-01-02", timeFormatNoTimezone},
+	{time.RFC3339, timeFormatNumericTimezone},
+	{"2006-01-02T15:04:05", timeFormatNoTimezone}, // iso8601 without timezone
+	{time.RFC1123Z, timeFormatNumericTimezone},
+	{time.RFC1123, timeFormatNamedTimezone},
+	{time.RFC822Z, timeFormatNumericTimezone},
+	{time.RFC822, timeFormatNamedTimezone},
+	{time.RFC850, timeFormatNamedTimezone},
+	{"2006-01-02 15:04:05.999999999 -0700 MST", timeFormatNumericAndNamedTimezone}, // Time.String()
+	{"2006-01-02T15:04:05-0700", timeFormatNumericTimezone},                        // RFC3339 without timezone hh:mm colon
+	{"2006-01-02 15:04:05Z0700", timeFormatNumericTimezone},                        // RFC3339 without T or timezone hh:mm colon
+	{"2006-01-02 15:04:05", timeFormatNoTimezone},
+	{time.ANSIC, timeFormatNoTimezone},
+	{time.UnixDate, timeFormatNamedTimezone},
+	{time.RubyDate, timeFormatNumericTimezone},
+	{"2006-01-02 15:04:05Z07:00", timeFormatNumericTimezone},
+	{"02 Jan 2006", timeFormatNoTimezone},
+	{"2006-01-02 15:04:05 -07:00", timeFormatNumericTimezone},
+	{"2006-01-02 15:04:05 -0700", timeFormatNumericTimezone},
+	{time.Kitchen, timeFormatTimeOnly},
+	{time.Stamp, timeFormatTimeOnly},
+	{time.StampMilli, timeFormatTimeOnly},
+	{time.StampMicro, timeFormatTimeOnly},
+	{time.StampNano, timeFormatTimeOnly},
+}
+
+func parseDateWith(s string, location *time.Location, formats []timeFormat) (d time.Time, e error) {
+	for _, format := range formats {
+		if d, e = time.Parse(format.format, s); e == nil {
+
+			// Some time formats have a zone name, but no offset, so it gets
+			// put in that zone name (not the default one passed in to us), but
+			// without that zone's offset. So set the location manually.
+			if format.typ <= timeFormatNamedTimezone {
+				if location == nil {
+					location = time.Local
+				}
+				year, month, day := d.Date()
+				hour, min, sec := d.Clock()
+				d = time.Date(year, month, day, hour, min, sec, d.Nanosecond(), location)
+			}
+
+			return
+		}
+	}
+	return d, fmt.Errorf("unable to parse date: %s", s)
+}
+
+// jsonStringToObject attempts to unmarshall a string as JSON into
+// the object passed as pointer.
+func jsonStringToObject(s string, v interface{}) error {
+	data := []byte(s)
+	return json.Unmarshal(data, v)
+}
+
+// toInt returns the int value of v if v or v's underlying type
+// is an int.
+// Note that this will return false for int64 etc. types.
+func toInt(v interface{}) (int, bool) {
+	switch v := v.(type) {
+	case int:
+		return v, true
+	case time.Weekday:
+		return int(v), true
+	case time.Month:
+		return int(v), true
+	default:
+		return 0, false
+	}
+}
+
+func trimZeroDecimal(s string) string {
+	var foundZero bool
+	for i := len(s); i > 0; i-- {
+		switch s[i-1] {
+		case '.':
+			if foundZero {
+				return s[:i-1]
+			}
+		case '0':
+			foundZero = true
+		default:
+			return s
+		}
+	}
+	return s
+}
diff --git a/vendor/github.com/spf13/cast/timeformattype_string.go b/vendor/github.com/spf13/cast/timeformattype_string.go
new file mode 100644
index 0000000000..1524fc82ce
--- /dev/null
+++ b/vendor/github.com/spf13/cast/timeformattype_string.go
@@ -0,0 +1,27 @@
+// Code generated by "stringer -type timeFormatType"; DO NOT EDIT.
+
+package cast
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[timeFormatNoTimezone-0]
+	_ = x[timeFormatNamedTimezone-1]
+	_ = x[timeFormatNumericTimezone-2]
+	_ = x[timeFormatNumericAndNamedTimezone-3]
+	_ = x[timeFormatTimeOnly-4]
+}
+
+const _timeFormatType_name = "timeFormatNoTimezonetimeFormatNamedTimezonetimeFormatNumericTimezonetimeFormatNumericAndNamedTimezonetimeFormatTimeOnly"
+
+var _timeFormatType_index = [...]uint8{0, 20, 43, 68, 101, 119}
+
+func (i timeFormatType) String() string {
+	if i < 0 || i >= timeFormatType(len(_timeFormatType_index)-1) {
+		return "timeFormatType(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _timeFormatType_name[_timeFormatType_index[i]:_timeFormatType_index[i+1]]
+}
diff --git a/vendor/github.com/spf13/pflag/flag.go b/vendor/github.com/spf13/pflag/flag.go
index eeed1e92b0..2fd3c57597 100644
--- a/vendor/github.com/spf13/pflag/flag.go
+++ b/vendor/github.com/spf13/pflag/flag.go
@@ -143,8 +143,9 @@ type ParseErrorsAllowlist struct {
 	UnknownFlags bool
 }
 
-// DEPRECATED: please use ParseErrorsAllowlist instead
-// This type will be removed in a future release
+// ParseErrorsWhitelist defines the parsing errors that can be ignored.
+//
+// Deprecated: use [ParseErrorsAllowlist] instead. This type will be removed in a future release.
 type ParseErrorsWhitelist = ParseErrorsAllowlist
 
 // NormalizedName is a flag name that has been normalized according to rules
@@ -165,8 +166,9 @@ type FlagSet struct {
 	// ParseErrorsAllowlist is used to configure an allowlist of errors
 	ParseErrorsAllowlist ParseErrorsAllowlist
 
-	// DEPRECATED: please use ParseErrorsAllowlist instead
-	// This field will be removed in a future release
+	// ParseErrorsAllowlist is used to configure an allowlist of errors.
+	//
+	// Deprecated: use [FlagSet.ParseErrorsAllowlist] instead. This field will be removed in a future release.
 	ParseErrorsWhitelist ParseErrorsAllowlist
 
 	name              string
@@ -1185,7 +1187,7 @@ func (f *FlagSet) Parse(arguments []string) error {
 		case ContinueOnError:
 			return err
 		case ExitOnError:
-			if errors.Is(err, ErrHelp) {
+			if err == ErrHelp {
 				os.Exit(0)
 			}
 			fmt.Fprintln(f.Output(), err)
@@ -1214,7 +1216,7 @@ func (f *FlagSet) ParseAll(arguments []string, fn func(flag *Flag, value string)
 		case ContinueOnError:
 			return err
 		case ExitOnError:
-			if errors.Is(err, ErrHelp) {
+			if err == ErrHelp {
 				os.Exit(0)
 			}
 			fmt.Fprintln(f.Output(), err)
diff --git a/vendor/github.com/stretchr/testify/require/doc.go b/vendor/github.com/stretchr/testify/require/doc.go
new file mode 100644
index 0000000000..c8e3f94a80
--- /dev/null
+++ b/vendor/github.com/stretchr/testify/require/doc.go
@@ -0,0 +1,31 @@
+// Package require implements the same assertions as the `assert` package but
+// stops test execution when a test fails.
+//
+// # Example Usage
+//
+// The following is a complete example using require in a standard test function:
+//
+//	import (
+//	  "testing"
+//	  "github.com/stretchr/testify/require"
+//	)
+//
+//	func TestSomething(t *testing.T) {
+//
+//	  var a string = "Hello"
+//	  var b string = "Hello"
+//
+//	  require.Equal(t, a, b, "The two words should be the same.")
+//
+//	}
+//
+// # Assertions
+//
+// The `require` package have same global functions as in the `assert` package,
+// but instead of returning a boolean result they call `t.FailNow()`.
+// A consequence of this is that it must be called from the goroutine running
+// the test function, not from other goroutines created during the test.
+//
+// Every assertion function also takes an optional string message as the final argument,
+// allowing custom error messages to be appended to the message the assertion method outputs.
+package require
diff --git a/vendor/github.com/stretchr/testify/require/forward_requirements.go b/vendor/github.com/stretchr/testify/require/forward_requirements.go
new file mode 100644
index 0000000000..1dcb2338c4
--- /dev/null
+++ b/vendor/github.com/stretchr/testify/require/forward_requirements.go
@@ -0,0 +1,16 @@
+package require
+
+// Assertions provides assertion methods around the
+// TestingT interface.
+type Assertions struct {
+	t TestingT
+}
+
+// New makes a new Assertions object for the specified TestingT.
+func New(t TestingT) *Assertions {
+	return &Assertions{
+		t: t,
+	}
+}
+
+//go:generate sh -c "cd ../_codegen && go build && cd - && ../_codegen/_codegen -output-package=require -template=require_forward.go.tmpl -include-format-funcs"
diff --git a/vendor/github.com/stretchr/testify/require/require.go b/vendor/github.com/stretchr/testify/require/require.go
new file mode 100644
index 0000000000..2d02f9bcef
--- /dev/null
+++ b/vendor/github.com/stretchr/testify/require/require.go
@@ -0,0 +1,2180 @@
+// Code generated with github.com/stretchr/testify/_codegen; DO NOT EDIT.
+
+package require
+
+import (
+	assert "github.com/stretchr/testify/assert"
+	http "net/http"
+	url "net/url"
+	time "time"
+)
+
+// Condition uses a Comparison to assert a complex condition.
+func Condition(t TestingT, comp assert.Comparison, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Condition(t, comp, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Conditionf uses a Comparison to assert a complex condition.
+func Conditionf(t TestingT, comp assert.Comparison, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Conditionf(t, comp, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Contains asserts that the specified string, list(array, slice...) or map contains the
+// specified substring or element.
+//
+//	require.Contains(t, "Hello World", "World")
+//	require.Contains(t, ["Hello", "World"], "World")
+//	require.Contains(t, {"Hello": "World"}, "Hello")
+func Contains(t TestingT, s interface{}, contains interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Contains(t, s, contains, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Containsf asserts that the specified string, list(array, slice...) or map contains the
+// specified substring or element.
+//
+//	require.Containsf(t, "Hello World", "World", "error message %s", "formatted")
+//	require.Containsf(t, ["Hello", "World"], "World", "error message %s", "formatted")
+//	require.Containsf(t, {"Hello": "World"}, "Hello", "error message %s", "formatted")
+func Containsf(t TestingT, s interface{}, contains interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Containsf(t, s, contains, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// DirExists checks whether a directory exists in the given path. It also fails
+// if the path is a file rather a directory or there is an error checking whether it exists.
+func DirExists(t TestingT, path string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.DirExists(t, path, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// DirExistsf checks whether a directory exists in the given path. It also fails
+// if the path is a file rather a directory or there is an error checking whether it exists.
+func DirExistsf(t TestingT, path string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.DirExistsf(t, path, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// ElementsMatch asserts that the specified listA(array, slice...) is equal to specified
+// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements,
+// the number of appearances of each of them in both lists should match.
+//
+// require.ElementsMatch(t, [1, 3, 2, 3], [1, 3, 3, 2])
+func ElementsMatch(t TestingT, listA interface{}, listB interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.ElementsMatch(t, listA, listB, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// ElementsMatchf asserts that the specified listA(array, slice...) is equal to specified
+// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements,
+// the number of appearances of each of them in both lists should match.
+//
+// require.ElementsMatchf(t, [1, 3, 2, 3], [1, 3, 3, 2], "error message %s", "formatted")
+func ElementsMatchf(t TestingT, listA interface{}, listB interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.ElementsMatchf(t, listA, listB, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Empty asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
+//
+//	require.Empty(t, obj)
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
+func Empty(t TestingT, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Empty(t, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Emptyf asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
+//
+//	require.Emptyf(t, obj, "error message %s", "formatted")
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
+func Emptyf(t TestingT, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Emptyf(t, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Equal asserts that two objects are equal.
+//
+//	require.Equal(t, 123, 123)
+//
+// Pointer variable equality is determined based on the equality of the
+// referenced values (as opposed to the memory addresses). Function equality
+// cannot be determined and will always fail.
+func Equal(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Equal(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// EqualError asserts that a function returned an error (i.e. not `nil`)
+// and that it is equal to the provided error.
+//
+//	actualObj, err := SomeFunction()
+//	require.EqualError(t, err,  expectedErrorString)
+func EqualError(t TestingT, theError error, errString string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.EqualError(t, theError, errString, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// EqualErrorf asserts that a function returned an error (i.e. not `nil`)
+// and that it is equal to the provided error.
+//
+//	actualObj, err := SomeFunction()
+//	require.EqualErrorf(t, err,  expectedErrorString, "error message %s", "formatted")
+func EqualErrorf(t TestingT, theError error, errString string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.EqualErrorf(t, theError, errString, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// EqualExportedValues asserts that the types of two objects are equal and their public
+// fields are also equal. This is useful for comparing structs that have private fields
+// that could potentially differ.
+//
+//	 type S struct {
+//		Exported     	int
+//		notExported   	int
+//	 }
+//	 require.EqualExportedValues(t, S{1, 2}, S{1, 3}) => true
+//	 require.EqualExportedValues(t, S{1, 2}, S{2, 3}) => false
+func EqualExportedValues(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.EqualExportedValues(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// EqualExportedValuesf asserts that the types of two objects are equal and their public
+// fields are also equal. This is useful for comparing structs that have private fields
+// that could potentially differ.
+//
+//	 type S struct {
+//		Exported     	int
+//		notExported   	int
+//	 }
+//	 require.EqualExportedValuesf(t, S{1, 2}, S{1, 3}, "error message %s", "formatted") => true
+//	 require.EqualExportedValuesf(t, S{1, 2}, S{2, 3}, "error message %s", "formatted") => false
+func EqualExportedValuesf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.EqualExportedValuesf(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// EqualValues asserts that two objects are equal or convertible to the larger
+// type and equal.
+//
+//	require.EqualValues(t, uint32(123), int32(123))
+func EqualValues(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.EqualValues(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// EqualValuesf asserts that two objects are equal or convertible to the larger
+// type and equal.
+//
+//	require.EqualValuesf(t, uint32(123), int32(123), "error message %s", "formatted")
+func EqualValuesf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.EqualValuesf(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Equalf asserts that two objects are equal.
+//
+//	require.Equalf(t, 123, 123, "error message %s", "formatted")
+//
+// Pointer variable equality is determined based on the equality of the
+// referenced values (as opposed to the memory addresses). Function equality
+// cannot be determined and will always fail.
+func Equalf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Equalf(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Error asserts that a function returned an error (i.e. not `nil`).
+//
+//	actualObj, err := SomeFunction()
+//	require.Error(t, err)
+func Error(t TestingT, err error, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Error(t, err, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// ErrorAs asserts that at least one of the errors in err's chain matches target, and if so, sets target to that error value.
+// This is a wrapper for errors.As.
+func ErrorAs(t TestingT, err error, target interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.ErrorAs(t, err, target, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// ErrorAsf asserts that at least one of the errors in err's chain matches target, and if so, sets target to that error value.
+// This is a wrapper for errors.As.
+func ErrorAsf(t TestingT, err error, target interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.ErrorAsf(t, err, target, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// ErrorContains asserts that a function returned an error (i.e. not `nil`)
+// and that the error contains the specified substring.
+//
+//	actualObj, err := SomeFunction()
+//	require.ErrorContains(t, err,  expectedErrorSubString)
+func ErrorContains(t TestingT, theError error, contains string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.ErrorContains(t, theError, contains, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// ErrorContainsf asserts that a function returned an error (i.e. not `nil`)
+// and that the error contains the specified substring.
+//
+//	actualObj, err := SomeFunction()
+//	require.ErrorContainsf(t, err,  expectedErrorSubString, "error message %s", "formatted")
+func ErrorContainsf(t TestingT, theError error, contains string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.ErrorContainsf(t, theError, contains, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// ErrorIs asserts that at least one of the errors in err's chain matches target.
+// This is a wrapper for errors.Is.
+func ErrorIs(t TestingT, err error, target error, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.ErrorIs(t, err, target, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// ErrorIsf asserts that at least one of the errors in err's chain matches target.
+// This is a wrapper for errors.Is.
+func ErrorIsf(t TestingT, err error, target error, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.ErrorIsf(t, err, target, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Errorf asserts that a function returned an error (i.e. not `nil`).
+//
+//	actualObj, err := SomeFunction()
+//	require.Errorf(t, err, "error message %s", "formatted")
+func Errorf(t TestingT, err error, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Errorf(t, err, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Eventually asserts that given condition will be met in waitFor time,
+// periodically checking target function each tick.
+//
+//	require.Eventually(t, func() bool { return true; }, time.Second, 10*time.Millisecond)
+func Eventually(t TestingT, condition func() bool, waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Eventually(t, condition, waitFor, tick, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// EventuallyWithT asserts that given condition will be met in waitFor time,
+// periodically checking target function each tick. In contrast to Eventually,
+// it supplies a CollectT to the condition function, so that the condition
+// function can use the CollectT to call other assertions.
+// The condition is considered "met" if no errors are raised in a tick.
+// The supplied CollectT collects all errors from one tick (if there are any).
+// If the condition is not met before waitFor, the collected errors of
+// the last tick are copied to t.
+//
+//	externalValue := false
+//	go func() {
+//		time.Sleep(8*time.Second)
+//		externalValue = true
+//	}()
+//	require.EventuallyWithT(t, func(c *require.CollectT) {
+//		// add assertions as needed; any assertion failure will fail the current tick
+//		require.True(c, externalValue, "expected 'externalValue' to be true")
+//	}, 10*time.Second, 1*time.Second, "external state has not changed to 'true'; still false")
+func EventuallyWithT(t TestingT, condition func(collect *assert.CollectT), waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.EventuallyWithT(t, condition, waitFor, tick, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// EventuallyWithTf asserts that given condition will be met in waitFor time,
+// periodically checking target function each tick. In contrast to Eventually,
+// it supplies a CollectT to the condition function, so that the condition
+// function can use the CollectT to call other assertions.
+// The condition is considered "met" if no errors are raised in a tick.
+// The supplied CollectT collects all errors from one tick (if there are any).
+// If the condition is not met before waitFor, the collected errors of
+// the last tick are copied to t.
+//
+//	externalValue := false
+//	go func() {
+//		time.Sleep(8*time.Second)
+//		externalValue = true
+//	}()
+//	require.EventuallyWithTf(t, func(c *require.CollectT, "error message %s", "formatted") {
+//		// add assertions as needed; any assertion failure will fail the current tick
+//		require.True(c, externalValue, "expected 'externalValue' to be true")
+//	}, 10*time.Second, 1*time.Second, "external state has not changed to 'true'; still false")
+func EventuallyWithTf(t TestingT, condition func(collect *assert.CollectT), waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.EventuallyWithTf(t, condition, waitFor, tick, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Eventuallyf asserts that given condition will be met in waitFor time,
+// periodically checking target function each tick.
+//
+//	require.Eventuallyf(t, func() bool { return true; }, time.Second, 10*time.Millisecond, "error message %s", "formatted")
+func Eventuallyf(t TestingT, condition func() bool, waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Eventuallyf(t, condition, waitFor, tick, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Exactly asserts that two objects are equal in value and type.
+//
+//	require.Exactly(t, int32(123), int64(123))
+func Exactly(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Exactly(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Exactlyf asserts that two objects are equal in value and type.
+//
+//	require.Exactlyf(t, int32(123), int64(123), "error message %s", "formatted")
+func Exactlyf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Exactlyf(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Fail reports a failure through
+func Fail(t TestingT, failureMessage string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Fail(t, failureMessage, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// FailNow fails test
+func FailNow(t TestingT, failureMessage string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.FailNow(t, failureMessage, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// FailNowf fails test
+func FailNowf(t TestingT, failureMessage string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.FailNowf(t, failureMessage, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Failf reports a failure through
+func Failf(t TestingT, failureMessage string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Failf(t, failureMessage, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// False asserts that the specified value is false.
+//
+//	require.False(t, myBool)
+func False(t TestingT, value bool, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.False(t, value, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Falsef asserts that the specified value is false.
+//
+//	require.Falsef(t, myBool, "error message %s", "formatted")
+func Falsef(t TestingT, value bool, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Falsef(t, value, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// FileExists checks whether a file exists in the given path. It also fails if
+// the path points to a directory or there is an error when trying to check the file.
+func FileExists(t TestingT, path string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.FileExists(t, path, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// FileExistsf checks whether a file exists in the given path. It also fails if
+// the path points to a directory or there is an error when trying to check the file.
+func FileExistsf(t TestingT, path string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.FileExistsf(t, path, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Greater asserts that the first element is greater than the second
+//
+//	require.Greater(t, 2, 1)
+//	require.Greater(t, float64(2), float64(1))
+//	require.Greater(t, "b", "a")
+func Greater(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Greater(t, e1, e2, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// GreaterOrEqual asserts that the first element is greater than or equal to the second
+//
+//	require.GreaterOrEqual(t, 2, 1)
+//	require.GreaterOrEqual(t, 2, 2)
+//	require.GreaterOrEqual(t, "b", "a")
+//	require.GreaterOrEqual(t, "b", "b")
+func GreaterOrEqual(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.GreaterOrEqual(t, e1, e2, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// GreaterOrEqualf asserts that the first element is greater than or equal to the second
+//
+//	require.GreaterOrEqualf(t, 2, 1, "error message %s", "formatted")
+//	require.GreaterOrEqualf(t, 2, 2, "error message %s", "formatted")
+//	require.GreaterOrEqualf(t, "b", "a", "error message %s", "formatted")
+//	require.GreaterOrEqualf(t, "b", "b", "error message %s", "formatted")
+func GreaterOrEqualf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.GreaterOrEqualf(t, e1, e2, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Greaterf asserts that the first element is greater than the second
+//
+//	require.Greaterf(t, 2, 1, "error message %s", "formatted")
+//	require.Greaterf(t, float64(2), float64(1), "error message %s", "formatted")
+//	require.Greaterf(t, "b", "a", "error message %s", "formatted")
+func Greaterf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Greaterf(t, e1, e2, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPBodyContains asserts that a specified handler returns a
+// body that contains a string.
+//
+//	require.HTTPBodyContains(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPBodyContains(t, handler, method, url, values, str, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPBodyContainsf asserts that a specified handler returns a
+// body that contains a string.
+//
+//	require.HTTPBodyContainsf(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPBodyContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPBodyContainsf(t, handler, method, url, values, str, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPBodyNotContains asserts that a specified handler returns a
+// body that does not contain a string.
+//
+//	require.HTTPBodyNotContains(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPBodyNotContains(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPBodyNotContains(t, handler, method, url, values, str, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPBodyNotContainsf asserts that a specified handler returns a
+// body that does not contain a string.
+//
+//	require.HTTPBodyNotContainsf(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPBodyNotContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPBodyNotContainsf(t, handler, method, url, values, str, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPError asserts that a specified handler returns an error status code.
+//
+//	require.HTTPError(t, myHandler, "POST", "/a/b/c", url.Values{"a": []string{"b", "c"}}
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPError(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPError(t, handler, method, url, values, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPErrorf asserts that a specified handler returns an error status code.
+//
+//	require.HTTPErrorf(t, myHandler, "POST", "/a/b/c", url.Values{"a": []string{"b", "c"}}
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPErrorf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPErrorf(t, handler, method, url, values, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPRedirect asserts that a specified handler returns a redirect status code.
+//
+//	require.HTTPRedirect(t, myHandler, "GET", "/a/b/c", url.Values{"a": []string{"b", "c"}}
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPRedirect(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPRedirect(t, handler, method, url, values, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPRedirectf asserts that a specified handler returns a redirect status code.
+//
+//	require.HTTPRedirectf(t, myHandler, "GET", "/a/b/c", url.Values{"a": []string{"b", "c"}}
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPRedirectf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPRedirectf(t, handler, method, url, values, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPStatusCode asserts that a specified handler returns a specified status code.
+//
+//	require.HTTPStatusCode(t, myHandler, "GET", "/notImplemented", nil, 501)
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPStatusCode(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, statuscode int, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPStatusCode(t, handler, method, url, values, statuscode, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPStatusCodef asserts that a specified handler returns a specified status code.
+//
+//	require.HTTPStatusCodef(t, myHandler, "GET", "/notImplemented", nil, 501, "error message %s", "formatted")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPStatusCodef(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, statuscode int, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPStatusCodef(t, handler, method, url, values, statuscode, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPSuccess asserts that a specified handler returns a success status code.
+//
+//	require.HTTPSuccess(t, myHandler, "POST", "http://www.google.com", nil)
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPSuccess(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPSuccess(t, handler, method, url, values, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// HTTPSuccessf asserts that a specified handler returns a success status code.
+//
+//	require.HTTPSuccessf(t, myHandler, "POST", "http://www.google.com", nil, "error message %s", "formatted")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func HTTPSuccessf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.HTTPSuccessf(t, handler, method, url, values, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Implements asserts that an object is implemented by the specified interface.
+//
+//	require.Implements(t, (*MyInterface)(nil), new(MyObject))
+func Implements(t TestingT, interfaceObject interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Implements(t, interfaceObject, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Implementsf asserts that an object is implemented by the specified interface.
+//
+//	require.Implementsf(t, (*MyInterface)(nil), new(MyObject), "error message %s", "formatted")
+func Implementsf(t TestingT, interfaceObject interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Implementsf(t, interfaceObject, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InDelta asserts that the two numerals are within delta of each other.
+//
+//	require.InDelta(t, math.Pi, 22/7.0, 0.01)
+func InDelta(t TestingT, expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InDelta(t, expected, actual, delta, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InDeltaMapValues is the same as InDelta, but it compares all values between two maps. Both maps must have exactly the same keys.
+func InDeltaMapValues(t TestingT, expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InDeltaMapValues(t, expected, actual, delta, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InDeltaMapValuesf is the same as InDelta, but it compares all values between two maps. Both maps must have exactly the same keys.
+func InDeltaMapValuesf(t TestingT, expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InDeltaMapValuesf(t, expected, actual, delta, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InDeltaSlice is the same as InDelta, except it compares two slices.
+func InDeltaSlice(t TestingT, expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InDeltaSlice(t, expected, actual, delta, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InDeltaSlicef is the same as InDelta, except it compares two slices.
+func InDeltaSlicef(t TestingT, expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InDeltaSlicef(t, expected, actual, delta, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InDeltaf asserts that the two numerals are within delta of each other.
+//
+//	require.InDeltaf(t, math.Pi, 22/7.0, 0.01, "error message %s", "formatted")
+func InDeltaf(t TestingT, expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InDeltaf(t, expected, actual, delta, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InEpsilon asserts that expected and actual have a relative error less than epsilon
+func InEpsilon(t TestingT, expected interface{}, actual interface{}, epsilon float64, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InEpsilon(t, expected, actual, epsilon, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InEpsilonSlice is the same as InEpsilon, except it compares each value from two slices.
+func InEpsilonSlice(t TestingT, expected interface{}, actual interface{}, epsilon float64, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InEpsilonSlice(t, expected, actual, epsilon, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InEpsilonSlicef is the same as InEpsilon, except it compares each value from two slices.
+func InEpsilonSlicef(t TestingT, expected interface{}, actual interface{}, epsilon float64, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InEpsilonSlicef(t, expected, actual, epsilon, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// InEpsilonf asserts that expected and actual have a relative error less than epsilon
+func InEpsilonf(t TestingT, expected interface{}, actual interface{}, epsilon float64, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.InEpsilonf(t, expected, actual, epsilon, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsDecreasing asserts that the collection is decreasing
+//
+//	require.IsDecreasing(t, []int{2, 1, 0})
+//	require.IsDecreasing(t, []float{2, 1})
+//	require.IsDecreasing(t, []string{"b", "a"})
+func IsDecreasing(t TestingT, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsDecreasing(t, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsDecreasingf asserts that the collection is decreasing
+//
+//	require.IsDecreasingf(t, []int{2, 1, 0}, "error message %s", "formatted")
+//	require.IsDecreasingf(t, []float{2, 1}, "error message %s", "formatted")
+//	require.IsDecreasingf(t, []string{"b", "a"}, "error message %s", "formatted")
+func IsDecreasingf(t TestingT, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsDecreasingf(t, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsIncreasing asserts that the collection is increasing
+//
+//	require.IsIncreasing(t, []int{1, 2, 3})
+//	require.IsIncreasing(t, []float{1, 2})
+//	require.IsIncreasing(t, []string{"a", "b"})
+func IsIncreasing(t TestingT, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsIncreasing(t, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsIncreasingf asserts that the collection is increasing
+//
+//	require.IsIncreasingf(t, []int{1, 2, 3}, "error message %s", "formatted")
+//	require.IsIncreasingf(t, []float{1, 2}, "error message %s", "formatted")
+//	require.IsIncreasingf(t, []string{"a", "b"}, "error message %s", "formatted")
+func IsIncreasingf(t TestingT, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsIncreasingf(t, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsNonDecreasing asserts that the collection is not decreasing
+//
+//	require.IsNonDecreasing(t, []int{1, 1, 2})
+//	require.IsNonDecreasing(t, []float{1, 2})
+//	require.IsNonDecreasing(t, []string{"a", "b"})
+func IsNonDecreasing(t TestingT, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsNonDecreasing(t, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsNonDecreasingf asserts that the collection is not decreasing
+//
+//	require.IsNonDecreasingf(t, []int{1, 1, 2}, "error message %s", "formatted")
+//	require.IsNonDecreasingf(t, []float{1, 2}, "error message %s", "formatted")
+//	require.IsNonDecreasingf(t, []string{"a", "b"}, "error message %s", "formatted")
+func IsNonDecreasingf(t TestingT, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsNonDecreasingf(t, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsNonIncreasing asserts that the collection is not increasing
+//
+//	require.IsNonIncreasing(t, []int{2, 1, 1})
+//	require.IsNonIncreasing(t, []float{2, 1})
+//	require.IsNonIncreasing(t, []string{"b", "a"})
+func IsNonIncreasing(t TestingT, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsNonIncreasing(t, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsNonIncreasingf asserts that the collection is not increasing
+//
+//	require.IsNonIncreasingf(t, []int{2, 1, 1}, "error message %s", "formatted")
+//	require.IsNonIncreasingf(t, []float{2, 1}, "error message %s", "formatted")
+//	require.IsNonIncreasingf(t, []string{"b", "a"}, "error message %s", "formatted")
+func IsNonIncreasingf(t TestingT, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsNonIncreasingf(t, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsNotType asserts that the specified objects are not of the same type.
+//
+//	require.IsNotType(t, &NotMyStruct{}, &MyStruct{})
+func IsNotType(t TestingT, theType interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsNotType(t, theType, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsNotTypef asserts that the specified objects are not of the same type.
+//
+//	require.IsNotTypef(t, &NotMyStruct{}, &MyStruct{}, "error message %s", "formatted")
+func IsNotTypef(t TestingT, theType interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsNotTypef(t, theType, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsType asserts that the specified objects are of the same type.
+//
+//	require.IsType(t, &MyStruct{}, &MyStruct{})
+func IsType(t TestingT, expectedType interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsType(t, expectedType, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsTypef asserts that the specified objects are of the same type.
+//
+//	require.IsTypef(t, &MyStruct{}, &MyStruct{}, "error message %s", "formatted")
+func IsTypef(t TestingT, expectedType interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsTypef(t, expectedType, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// JSONEq asserts that two JSON strings are equivalent.
+//
+//	require.JSONEq(t, `{"hello": "world", "foo": "bar"}`, `{"foo": "bar", "hello": "world"}`)
+func JSONEq(t TestingT, expected string, actual string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.JSONEq(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// JSONEqf asserts that two JSON strings are equivalent.
+//
+//	require.JSONEqf(t, `{"hello": "world", "foo": "bar"}`, `{"foo": "bar", "hello": "world"}`, "error message %s", "formatted")
+func JSONEqf(t TestingT, expected string, actual string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.JSONEqf(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Len asserts that the specified object has specific length.
+// Len also fails if the object has a type that len() not accept.
+//
+//	require.Len(t, mySlice, 3)
+func Len(t TestingT, object interface{}, length int, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Len(t, object, length, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Lenf asserts that the specified object has specific length.
+// Lenf also fails if the object has a type that len() not accept.
+//
+//	require.Lenf(t, mySlice, 3, "error message %s", "formatted")
+func Lenf(t TestingT, object interface{}, length int, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Lenf(t, object, length, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Less asserts that the first element is less than the second
+//
+//	require.Less(t, 1, 2)
+//	require.Less(t, float64(1), float64(2))
+//	require.Less(t, "a", "b")
+func Less(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Less(t, e1, e2, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// LessOrEqual asserts that the first element is less than or equal to the second
+//
+//	require.LessOrEqual(t, 1, 2)
+//	require.LessOrEqual(t, 2, 2)
+//	require.LessOrEqual(t, "a", "b")
+//	require.LessOrEqual(t, "b", "b")
+func LessOrEqual(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.LessOrEqual(t, e1, e2, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// LessOrEqualf asserts that the first element is less than or equal to the second
+//
+//	require.LessOrEqualf(t, 1, 2, "error message %s", "formatted")
+//	require.LessOrEqualf(t, 2, 2, "error message %s", "formatted")
+//	require.LessOrEqualf(t, "a", "b", "error message %s", "formatted")
+//	require.LessOrEqualf(t, "b", "b", "error message %s", "formatted")
+func LessOrEqualf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.LessOrEqualf(t, e1, e2, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Lessf asserts that the first element is less than the second
+//
+//	require.Lessf(t, 1, 2, "error message %s", "formatted")
+//	require.Lessf(t, float64(1), float64(2), "error message %s", "formatted")
+//	require.Lessf(t, "a", "b", "error message %s", "formatted")
+func Lessf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Lessf(t, e1, e2, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Negative asserts that the specified element is negative
+//
+//	require.Negative(t, -1)
+//	require.Negative(t, -1.23)
+func Negative(t TestingT, e interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Negative(t, e, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Negativef asserts that the specified element is negative
+//
+//	require.Negativef(t, -1, "error message %s", "formatted")
+//	require.Negativef(t, -1.23, "error message %s", "formatted")
+func Negativef(t TestingT, e interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Negativef(t, e, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Never asserts that the given condition doesn't satisfy in waitFor time,
+// periodically checking the target function each tick.
+//
+//	require.Never(t, func() bool { return false; }, time.Second, 10*time.Millisecond)
+func Never(t TestingT, condition func() bool, waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Never(t, condition, waitFor, tick, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Neverf asserts that the given condition doesn't satisfy in waitFor time,
+// periodically checking the target function each tick.
+//
+//	require.Neverf(t, func() bool { return false; }, time.Second, 10*time.Millisecond, "error message %s", "formatted")
+func Neverf(t TestingT, condition func() bool, waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Neverf(t, condition, waitFor, tick, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Nil asserts that the specified object is nil.
+//
+//	require.Nil(t, err)
+func Nil(t TestingT, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Nil(t, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Nilf asserts that the specified object is nil.
+//
+//	require.Nilf(t, err, "error message %s", "formatted")
+func Nilf(t TestingT, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Nilf(t, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NoDirExists checks whether a directory does not exist in the given path.
+// It fails if the path points to an existing _directory_ only.
+func NoDirExists(t TestingT, path string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NoDirExists(t, path, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NoDirExistsf checks whether a directory does not exist in the given path.
+// It fails if the path points to an existing _directory_ only.
+func NoDirExistsf(t TestingT, path string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NoDirExistsf(t, path, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NoError asserts that a function returned no error (i.e. `nil`).
+//
+//	  actualObj, err := SomeFunction()
+//	  if require.NoError(t, err) {
+//		   require.Equal(t, expectedObj, actualObj)
+//	  }
+func NoError(t TestingT, err error, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NoError(t, err, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NoErrorf asserts that a function returned no error (i.e. `nil`).
+//
+//	  actualObj, err := SomeFunction()
+//	  if require.NoErrorf(t, err, "error message %s", "formatted") {
+//		   require.Equal(t, expectedObj, actualObj)
+//	  }
+func NoErrorf(t TestingT, err error, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NoErrorf(t, err, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NoFileExists checks whether a file does not exist in a given path. It fails
+// if the path points to an existing _file_ only.
+func NoFileExists(t TestingT, path string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NoFileExists(t, path, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NoFileExistsf checks whether a file does not exist in a given path. It fails
+// if the path points to an existing _file_ only.
+func NoFileExistsf(t TestingT, path string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NoFileExistsf(t, path, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotContains asserts that the specified string, list(array, slice...) or map does NOT contain the
+// specified substring or element.
+//
+//	require.NotContains(t, "Hello World", "Earth")
+//	require.NotContains(t, ["Hello", "World"], "Earth")
+//	require.NotContains(t, {"Hello": "World"}, "Earth")
+func NotContains(t TestingT, s interface{}, contains interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotContains(t, s, contains, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotContainsf asserts that the specified string, list(array, slice...) or map does NOT contain the
+// specified substring or element.
+//
+//	require.NotContainsf(t, "Hello World", "Earth", "error message %s", "formatted")
+//	require.NotContainsf(t, ["Hello", "World"], "Earth", "error message %s", "formatted")
+//	require.NotContainsf(t, {"Hello": "World"}, "Earth", "error message %s", "formatted")
+func NotContainsf(t TestingT, s interface{}, contains interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotContainsf(t, s, contains, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotElementsMatch asserts that the specified listA(array, slice...) is NOT equal to specified
+// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements,
+// the number of appearances of each of them in both lists should not match.
+// This is an inverse of ElementsMatch.
+//
+// require.NotElementsMatch(t, [1, 1, 2, 3], [1, 1, 2, 3]) -> false
+//
+// require.NotElementsMatch(t, [1, 1, 2, 3], [1, 2, 3]) -> true
+//
+// require.NotElementsMatch(t, [1, 2, 3], [1, 2, 4]) -> true
+func NotElementsMatch(t TestingT, listA interface{}, listB interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotElementsMatch(t, listA, listB, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotElementsMatchf asserts that the specified listA(array, slice...) is NOT equal to specified
+// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements,
+// the number of appearances of each of them in both lists should not match.
+// This is an inverse of ElementsMatch.
+//
+// require.NotElementsMatchf(t, [1, 1, 2, 3], [1, 1, 2, 3], "error message %s", "formatted") -> false
+//
+// require.NotElementsMatchf(t, [1, 1, 2, 3], [1, 2, 3], "error message %s", "formatted") -> true
+//
+// require.NotElementsMatchf(t, [1, 2, 3], [1, 2, 4], "error message %s", "formatted") -> true
+func NotElementsMatchf(t TestingT, listA interface{}, listB interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotElementsMatchf(t, listA, listB, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotEmpty asserts that the specified object is NOT [Empty].
+//
+//	if require.NotEmpty(t, obj) {
+//	  require.Equal(t, "two", obj[1])
+//	}
+func NotEmpty(t TestingT, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotEmpty(t, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotEmptyf asserts that the specified object is NOT [Empty].
+//
+//	if require.NotEmptyf(t, obj, "error message %s", "formatted") {
+//	  require.Equal(t, "two", obj[1])
+//	}
+func NotEmptyf(t TestingT, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotEmptyf(t, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotEqual asserts that the specified values are NOT equal.
+//
+//	require.NotEqual(t, obj1, obj2)
+//
+// Pointer variable equality is determined based on the equality of the
+// referenced values (as opposed to the memory addresses).
+func NotEqual(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotEqual(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotEqualValues asserts that two objects are not equal even when converted to the same type
+//
+//	require.NotEqualValues(t, obj1, obj2)
+func NotEqualValues(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotEqualValues(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotEqualValuesf asserts that two objects are not equal even when converted to the same type
+//
+//	require.NotEqualValuesf(t, obj1, obj2, "error message %s", "formatted")
+func NotEqualValuesf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotEqualValuesf(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotEqualf asserts that the specified values are NOT equal.
+//
+//	require.NotEqualf(t, obj1, obj2, "error message %s", "formatted")
+//
+// Pointer variable equality is determined based on the equality of the
+// referenced values (as opposed to the memory addresses).
+func NotEqualf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotEqualf(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotErrorAs asserts that none of the errors in err's chain matches target,
+// but if so, sets target to that error value.
+func NotErrorAs(t TestingT, err error, target interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotErrorAs(t, err, target, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotErrorAsf asserts that none of the errors in err's chain matches target,
+// but if so, sets target to that error value.
+func NotErrorAsf(t TestingT, err error, target interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotErrorAsf(t, err, target, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotErrorIs asserts that none of the errors in err's chain matches target.
+// This is a wrapper for errors.Is.
+func NotErrorIs(t TestingT, err error, target error, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotErrorIs(t, err, target, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotErrorIsf asserts that none of the errors in err's chain matches target.
+// This is a wrapper for errors.Is.
+func NotErrorIsf(t TestingT, err error, target error, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotErrorIsf(t, err, target, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotImplements asserts that an object does not implement the specified interface.
+//
+//	require.NotImplements(t, (*MyInterface)(nil), new(MyObject))
+func NotImplements(t TestingT, interfaceObject interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotImplements(t, interfaceObject, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotImplementsf asserts that an object does not implement the specified interface.
+//
+//	require.NotImplementsf(t, (*MyInterface)(nil), new(MyObject), "error message %s", "formatted")
+func NotImplementsf(t TestingT, interfaceObject interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotImplementsf(t, interfaceObject, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotNil asserts that the specified object is not nil.
+//
+//	require.NotNil(t, err)
+func NotNil(t TestingT, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotNil(t, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotNilf asserts that the specified object is not nil.
+//
+//	require.NotNilf(t, err, "error message %s", "formatted")
+func NotNilf(t TestingT, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotNilf(t, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotPanics asserts that the code inside the specified PanicTestFunc does NOT panic.
+//
+//	require.NotPanics(t, func(){ RemainCalm() })
+func NotPanics(t TestingT, f assert.PanicTestFunc, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotPanics(t, f, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotPanicsf asserts that the code inside the specified PanicTestFunc does NOT panic.
+//
+//	require.NotPanicsf(t, func(){ RemainCalm() }, "error message %s", "formatted")
+func NotPanicsf(t TestingT, f assert.PanicTestFunc, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotPanicsf(t, f, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotRegexp asserts that a specified regexp does not match a string.
+//
+//	require.NotRegexp(t, regexp.MustCompile("starts"), "it's starting")
+//	require.NotRegexp(t, "^start", "it's not starting")
+func NotRegexp(t TestingT, rx interface{}, str interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotRegexp(t, rx, str, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotRegexpf asserts that a specified regexp does not match a string.
+//
+//	require.NotRegexpf(t, regexp.MustCompile("starts"), "it's starting", "error message %s", "formatted")
+//	require.NotRegexpf(t, "^start", "it's not starting", "error message %s", "formatted")
+func NotRegexpf(t TestingT, rx interface{}, str interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotRegexpf(t, rx, str, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotSame asserts that two pointers do not reference the same object.
+//
+//	require.NotSame(t, ptr1, ptr2)
+//
+// Both arguments must be pointer variables. Pointer variable sameness is
+// determined based on the equality of both type and value.
+func NotSame(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotSame(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotSamef asserts that two pointers do not reference the same object.
+//
+//	require.NotSamef(t, ptr1, ptr2, "error message %s", "formatted")
+//
+// Both arguments must be pointer variables. Pointer variable sameness is
+// determined based on the equality of both type and value.
+func NotSamef(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotSamef(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotSubset asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
+//
+//	require.NotSubset(t, [1, 3, 4], [1, 2])
+//	require.NotSubset(t, {"x": 1, "y": 2}, {"z": 3})
+//	require.NotSubset(t, [1, 3, 4], {1: "one", 2: "two"})
+//	require.NotSubset(t, {"x": 1, "y": 2}, ["z"])
+func NotSubset(t TestingT, list interface{}, subset interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotSubset(t, list, subset, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotSubsetf asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
+//
+//	require.NotSubsetf(t, [1, 3, 4], [1, 2], "error message %s", "formatted")
+//	require.NotSubsetf(t, {"x": 1, "y": 2}, {"z": 3}, "error message %s", "formatted")
+//	require.NotSubsetf(t, [1, 3, 4], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	require.NotSubsetf(t, {"x": 1, "y": 2}, ["z"], "error message %s", "formatted")
+func NotSubsetf(t TestingT, list interface{}, subset interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotSubsetf(t, list, subset, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotZero asserts that i is not the zero value for its type.
+func NotZero(t TestingT, i interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotZero(t, i, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// NotZerof asserts that i is not the zero value for its type.
+func NotZerof(t TestingT, i interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.NotZerof(t, i, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Panics asserts that the code inside the specified PanicTestFunc panics.
+//
+//	require.Panics(t, func(){ GoCrazy() })
+func Panics(t TestingT, f assert.PanicTestFunc, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Panics(t, f, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// PanicsWithError asserts that the code inside the specified PanicTestFunc
+// panics, and that the recovered panic value is an error that satisfies the
+// EqualError comparison.
+//
+//	require.PanicsWithError(t, "crazy error", func(){ GoCrazy() })
+func PanicsWithError(t TestingT, errString string, f assert.PanicTestFunc, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.PanicsWithError(t, errString, f, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// PanicsWithErrorf asserts that the code inside the specified PanicTestFunc
+// panics, and that the recovered panic value is an error that satisfies the
+// EqualError comparison.
+//
+//	require.PanicsWithErrorf(t, "crazy error", func(){ GoCrazy() }, "error message %s", "formatted")
+func PanicsWithErrorf(t TestingT, errString string, f assert.PanicTestFunc, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.PanicsWithErrorf(t, errString, f, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// PanicsWithValue asserts that the code inside the specified PanicTestFunc panics, and that
+// the recovered panic value equals the expected panic value.
+//
+//	require.PanicsWithValue(t, "crazy error", func(){ GoCrazy() })
+func PanicsWithValue(t TestingT, expected interface{}, f assert.PanicTestFunc, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.PanicsWithValue(t, expected, f, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// PanicsWithValuef asserts that the code inside the specified PanicTestFunc panics, and that
+// the recovered panic value equals the expected panic value.
+//
+//	require.PanicsWithValuef(t, "crazy error", func(){ GoCrazy() }, "error message %s", "formatted")
+func PanicsWithValuef(t TestingT, expected interface{}, f assert.PanicTestFunc, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.PanicsWithValuef(t, expected, f, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Panicsf asserts that the code inside the specified PanicTestFunc panics.
+//
+//	require.Panicsf(t, func(){ GoCrazy() }, "error message %s", "formatted")
+func Panicsf(t TestingT, f assert.PanicTestFunc, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Panicsf(t, f, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Positive asserts that the specified element is positive
+//
+//	require.Positive(t, 1)
+//	require.Positive(t, 1.23)
+func Positive(t TestingT, e interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Positive(t, e, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Positivef asserts that the specified element is positive
+//
+//	require.Positivef(t, 1, "error message %s", "formatted")
+//	require.Positivef(t, 1.23, "error message %s", "formatted")
+func Positivef(t TestingT, e interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Positivef(t, e, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Regexp asserts that a specified regexp matches a string.
+//
+//	require.Regexp(t, regexp.MustCompile("start"), "it's starting")
+//	require.Regexp(t, "start...$", "it's not starting")
+func Regexp(t TestingT, rx interface{}, str interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Regexp(t, rx, str, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Regexpf asserts that a specified regexp matches a string.
+//
+//	require.Regexpf(t, regexp.MustCompile("start"), "it's starting", "error message %s", "formatted")
+//	require.Regexpf(t, "start...$", "it's not starting", "error message %s", "formatted")
+func Regexpf(t TestingT, rx interface{}, str interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Regexpf(t, rx, str, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Same asserts that two pointers reference the same object.
+//
+//	require.Same(t, ptr1, ptr2)
+//
+// Both arguments must be pointer variables. Pointer variable sameness is
+// determined based on the equality of both type and value.
+func Same(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Same(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Samef asserts that two pointers reference the same object.
+//
+//	require.Samef(t, ptr1, ptr2, "error message %s", "formatted")
+//
+// Both arguments must be pointer variables. Pointer variable sameness is
+// determined based on the equality of both type and value.
+func Samef(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Samef(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Subset asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
+//
+//	require.Subset(t, [1, 2, 3], [1, 2])
+//	require.Subset(t, {"x": 1, "y": 2}, {"x": 1})
+//	require.Subset(t, [1, 2, 3], {1: "one", 2: "two"})
+//	require.Subset(t, {"x": 1, "y": 2}, ["x"])
+func Subset(t TestingT, list interface{}, subset interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Subset(t, list, subset, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Subsetf asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
+//
+//	require.Subsetf(t, [1, 2, 3], [1, 2], "error message %s", "formatted")
+//	require.Subsetf(t, {"x": 1, "y": 2}, {"x": 1}, "error message %s", "formatted")
+//	require.Subsetf(t, [1, 2, 3], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	require.Subsetf(t, {"x": 1, "y": 2}, ["x"], "error message %s", "formatted")
+func Subsetf(t TestingT, list interface{}, subset interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Subsetf(t, list, subset, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// True asserts that the specified value is true.
+//
+//	require.True(t, myBool)
+func True(t TestingT, value bool, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.True(t, value, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Truef asserts that the specified value is true.
+//
+//	require.Truef(t, myBool, "error message %s", "formatted")
+func Truef(t TestingT, value bool, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Truef(t, value, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// WithinDuration asserts that the two times are within duration delta of each other.
+//
+//	require.WithinDuration(t, time.Now(), time.Now(), 10*time.Second)
+func WithinDuration(t TestingT, expected time.Time, actual time.Time, delta time.Duration, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.WithinDuration(t, expected, actual, delta, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// WithinDurationf asserts that the two times are within duration delta of each other.
+//
+//	require.WithinDurationf(t, time.Now(), time.Now(), 10*time.Second, "error message %s", "formatted")
+func WithinDurationf(t TestingT, expected time.Time, actual time.Time, delta time.Duration, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.WithinDurationf(t, expected, actual, delta, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// WithinRange asserts that a time is within a time range (inclusive).
+//
+//	require.WithinRange(t, time.Now(), time.Now().Add(-time.Second), time.Now().Add(time.Second))
+func WithinRange(t TestingT, actual time.Time, start time.Time, end time.Time, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.WithinRange(t, actual, start, end, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// WithinRangef asserts that a time is within a time range (inclusive).
+//
+//	require.WithinRangef(t, time.Now(), time.Now().Add(-time.Second), time.Now().Add(time.Second), "error message %s", "formatted")
+func WithinRangef(t TestingT, actual time.Time, start time.Time, end time.Time, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.WithinRangef(t, actual, start, end, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// YAMLEq asserts that two YAML strings are equivalent.
+func YAMLEq(t TestingT, expected string, actual string, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.YAMLEq(t, expected, actual, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// YAMLEqf asserts that two YAML strings are equivalent.
+func YAMLEqf(t TestingT, expected string, actual string, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.YAMLEqf(t, expected, actual, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Zero asserts that i is the zero value for its type.
+func Zero(t TestingT, i interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Zero(t, i, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// Zerof asserts that i is the zero value for its type.
+func Zerof(t TestingT, i interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.Zerof(t, i, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
diff --git a/vendor/github.com/stretchr/testify/require/require.go.tmpl b/vendor/github.com/stretchr/testify/require/require.go.tmpl
new file mode 100644
index 0000000000..8b32836850
--- /dev/null
+++ b/vendor/github.com/stretchr/testify/require/require.go.tmpl
@@ -0,0 +1,6 @@
+{{ replace .Comment "assert." "require."}}
+func {{.DocInfo.Name}}(t TestingT, {{.Params}}) {
+	if h, ok := t.(tHelper); ok { h.Helper() }
+	if assert.{{.DocInfo.Name}}(t, {{.ForwardedParams}}) { return }
+	t.FailNow()
+}
diff --git a/vendor/github.com/stretchr/testify/require/require_forward.go b/vendor/github.com/stretchr/testify/require/require_forward.go
new file mode 100644
index 0000000000..e6f7e94468
--- /dev/null
+++ b/vendor/github.com/stretchr/testify/require/require_forward.go
@@ -0,0 +1,1724 @@
+// Code generated with github.com/stretchr/testify/_codegen; DO NOT EDIT.
+
+package require
+
+import (
+	assert "github.com/stretchr/testify/assert"
+	http "net/http"
+	url "net/url"
+	time "time"
+)
+
+// Condition uses a Comparison to assert a complex condition.
+func (a *Assertions) Condition(comp assert.Comparison, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Condition(a.t, comp, msgAndArgs...)
+}
+
+// Conditionf uses a Comparison to assert a complex condition.
+func (a *Assertions) Conditionf(comp assert.Comparison, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Conditionf(a.t, comp, msg, args...)
+}
+
+// Contains asserts that the specified string, list(array, slice...) or map contains the
+// specified substring or element.
+//
+//	a.Contains("Hello World", "World")
+//	a.Contains(["Hello", "World"], "World")
+//	a.Contains({"Hello": "World"}, "Hello")
+func (a *Assertions) Contains(s interface{}, contains interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Contains(a.t, s, contains, msgAndArgs...)
+}
+
+// Containsf asserts that the specified string, list(array, slice...) or map contains the
+// specified substring or element.
+//
+//	a.Containsf("Hello World", "World", "error message %s", "formatted")
+//	a.Containsf(["Hello", "World"], "World", "error message %s", "formatted")
+//	a.Containsf({"Hello": "World"}, "Hello", "error message %s", "formatted")
+func (a *Assertions) Containsf(s interface{}, contains interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Containsf(a.t, s, contains, msg, args...)
+}
+
+// DirExists checks whether a directory exists in the given path. It also fails
+// if the path is a file rather a directory or there is an error checking whether it exists.
+func (a *Assertions) DirExists(path string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	DirExists(a.t, path, msgAndArgs...)
+}
+
+// DirExistsf checks whether a directory exists in the given path. It also fails
+// if the path is a file rather a directory or there is an error checking whether it exists.
+func (a *Assertions) DirExistsf(path string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	DirExistsf(a.t, path, msg, args...)
+}
+
+// ElementsMatch asserts that the specified listA(array, slice...) is equal to specified
+// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements,
+// the number of appearances of each of them in both lists should match.
+//
+// a.ElementsMatch([1, 3, 2, 3], [1, 3, 3, 2])
+func (a *Assertions) ElementsMatch(listA interface{}, listB interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	ElementsMatch(a.t, listA, listB, msgAndArgs...)
+}
+
+// ElementsMatchf asserts that the specified listA(array, slice...) is equal to specified
+// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements,
+// the number of appearances of each of them in both lists should match.
+//
+// a.ElementsMatchf([1, 3, 2, 3], [1, 3, 3, 2], "error message %s", "formatted")
+func (a *Assertions) ElementsMatchf(listA interface{}, listB interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	ElementsMatchf(a.t, listA, listB, msg, args...)
+}
+
+// Empty asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
+//
+//	a.Empty(obj)
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
+func (a *Assertions) Empty(object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Empty(a.t, object, msgAndArgs...)
+}
+
+// Emptyf asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
+//
+//	a.Emptyf(obj, "error message %s", "formatted")
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
+func (a *Assertions) Emptyf(object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Emptyf(a.t, object, msg, args...)
+}
+
+// Equal asserts that two objects are equal.
+//
+//	a.Equal(123, 123)
+//
+// Pointer variable equality is determined based on the equality of the
+// referenced values (as opposed to the memory addresses). Function equality
+// cannot be determined and will always fail.
+func (a *Assertions) Equal(expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Equal(a.t, expected, actual, msgAndArgs...)
+}
+
+// EqualError asserts that a function returned an error (i.e. not `nil`)
+// and that it is equal to the provided error.
+//
+//	actualObj, err := SomeFunction()
+//	a.EqualError(err,  expectedErrorString)
+func (a *Assertions) EqualError(theError error, errString string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	EqualError(a.t, theError, errString, msgAndArgs...)
+}
+
+// EqualErrorf asserts that a function returned an error (i.e. not `nil`)
+// and that it is equal to the provided error.
+//
+//	actualObj, err := SomeFunction()
+//	a.EqualErrorf(err,  expectedErrorString, "error message %s", "formatted")
+func (a *Assertions) EqualErrorf(theError error, errString string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	EqualErrorf(a.t, theError, errString, msg, args...)
+}
+
+// EqualExportedValues asserts that the types of two objects are equal and their public
+// fields are also equal. This is useful for comparing structs that have private fields
+// that could potentially differ.
+//
+//	 type S struct {
+//		Exported     	int
+//		notExported   	int
+//	 }
+//	 a.EqualExportedValues(S{1, 2}, S{1, 3}) => true
+//	 a.EqualExportedValues(S{1, 2}, S{2, 3}) => false
+func (a *Assertions) EqualExportedValues(expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	EqualExportedValues(a.t, expected, actual, msgAndArgs...)
+}
+
+// EqualExportedValuesf asserts that the types of two objects are equal and their public
+// fields are also equal. This is useful for comparing structs that have private fields
+// that could potentially differ.
+//
+//	 type S struct {
+//		Exported     	int
+//		notExported   	int
+//	 }
+//	 a.EqualExportedValuesf(S{1, 2}, S{1, 3}, "error message %s", "formatted") => true
+//	 a.EqualExportedValuesf(S{1, 2}, S{2, 3}, "error message %s", "formatted") => false
+func (a *Assertions) EqualExportedValuesf(expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	EqualExportedValuesf(a.t, expected, actual, msg, args...)
+}
+
+// EqualValues asserts that two objects are equal or convertible to the larger
+// type and equal.
+//
+//	a.EqualValues(uint32(123), int32(123))
+func (a *Assertions) EqualValues(expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	EqualValues(a.t, expected, actual, msgAndArgs...)
+}
+
+// EqualValuesf asserts that two objects are equal or convertible to the larger
+// type and equal.
+//
+//	a.EqualValuesf(uint32(123), int32(123), "error message %s", "formatted")
+func (a *Assertions) EqualValuesf(expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	EqualValuesf(a.t, expected, actual, msg, args...)
+}
+
+// Equalf asserts that two objects are equal.
+//
+//	a.Equalf(123, 123, "error message %s", "formatted")
+//
+// Pointer variable equality is determined based on the equality of the
+// referenced values (as opposed to the memory addresses). Function equality
+// cannot be determined and will always fail.
+func (a *Assertions) Equalf(expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Equalf(a.t, expected, actual, msg, args...)
+}
+
+// Error asserts that a function returned an error (i.e. not `nil`).
+//
+//	actualObj, err := SomeFunction()
+//	a.Error(err)
+func (a *Assertions) Error(err error, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Error(a.t, err, msgAndArgs...)
+}
+
+// ErrorAs asserts that at least one of the errors in err's chain matches target, and if so, sets target to that error value.
+// This is a wrapper for errors.As.
+func (a *Assertions) ErrorAs(err error, target interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	ErrorAs(a.t, err, target, msgAndArgs...)
+}
+
+// ErrorAsf asserts that at least one of the errors in err's chain matches target, and if so, sets target to that error value.
+// This is a wrapper for errors.As.
+func (a *Assertions) ErrorAsf(err error, target interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	ErrorAsf(a.t, err, target, msg, args...)
+}
+
+// ErrorContains asserts that a function returned an error (i.e. not `nil`)
+// and that the error contains the specified substring.
+//
+//	actualObj, err := SomeFunction()
+//	a.ErrorContains(err,  expectedErrorSubString)
+func (a *Assertions) ErrorContains(theError error, contains string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	ErrorContains(a.t, theError, contains, msgAndArgs...)
+}
+
+// ErrorContainsf asserts that a function returned an error (i.e. not `nil`)
+// and that the error contains the specified substring.
+//
+//	actualObj, err := SomeFunction()
+//	a.ErrorContainsf(err,  expectedErrorSubString, "error message %s", "formatted")
+func (a *Assertions) ErrorContainsf(theError error, contains string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	ErrorContainsf(a.t, theError, contains, msg, args...)
+}
+
+// ErrorIs asserts that at least one of the errors in err's chain matches target.
+// This is a wrapper for errors.Is.
+func (a *Assertions) ErrorIs(err error, target error, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	ErrorIs(a.t, err, target, msgAndArgs...)
+}
+
+// ErrorIsf asserts that at least one of the errors in err's chain matches target.
+// This is a wrapper for errors.Is.
+func (a *Assertions) ErrorIsf(err error, target error, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	ErrorIsf(a.t, err, target, msg, args...)
+}
+
+// Errorf asserts that a function returned an error (i.e. not `nil`).
+//
+//	actualObj, err := SomeFunction()
+//	a.Errorf(err, "error message %s", "formatted")
+func (a *Assertions) Errorf(err error, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Errorf(a.t, err, msg, args...)
+}
+
+// Eventually asserts that given condition will be met in waitFor time,
+// periodically checking target function each tick.
+//
+//	a.Eventually(func() bool { return true; }, time.Second, 10*time.Millisecond)
+func (a *Assertions) Eventually(condition func() bool, waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Eventually(a.t, condition, waitFor, tick, msgAndArgs...)
+}
+
+// EventuallyWithT asserts that given condition will be met in waitFor time,
+// periodically checking target function each tick. In contrast to Eventually,
+// it supplies a CollectT to the condition function, so that the condition
+// function can use the CollectT to call other assertions.
+// The condition is considered "met" if no errors are raised in a tick.
+// The supplied CollectT collects all errors from one tick (if there are any).
+// If the condition is not met before waitFor, the collected errors of
+// the last tick are copied to t.
+//
+//	externalValue := false
+//	go func() {
+//		time.Sleep(8*time.Second)
+//		externalValue = true
+//	}()
+//	a.EventuallyWithT(func(c *assert.CollectT) {
+//		// add assertions as needed; any assertion failure will fail the current tick
+//		assert.True(c, externalValue, "expected 'externalValue' to be true")
+//	}, 10*time.Second, 1*time.Second, "external state has not changed to 'true'; still false")
+func (a *Assertions) EventuallyWithT(condition func(collect *assert.CollectT), waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	EventuallyWithT(a.t, condition, waitFor, tick, msgAndArgs...)
+}
+
+// EventuallyWithTf asserts that given condition will be met in waitFor time,
+// periodically checking target function each tick. In contrast to Eventually,
+// it supplies a CollectT to the condition function, so that the condition
+// function can use the CollectT to call other assertions.
+// The condition is considered "met" if no errors are raised in a tick.
+// The supplied CollectT collects all errors from one tick (if there are any).
+// If the condition is not met before waitFor, the collected errors of
+// the last tick are copied to t.
+//
+//	externalValue := false
+//	go func() {
+//		time.Sleep(8*time.Second)
+//		externalValue = true
+//	}()
+//	a.EventuallyWithTf(func(c *assert.CollectT, "error message %s", "formatted") {
+//		// add assertions as needed; any assertion failure will fail the current tick
+//		assert.True(c, externalValue, "expected 'externalValue' to be true")
+//	}, 10*time.Second, 1*time.Second, "external state has not changed to 'true'; still false")
+func (a *Assertions) EventuallyWithTf(condition func(collect *assert.CollectT), waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	EventuallyWithTf(a.t, condition, waitFor, tick, msg, args...)
+}
+
+// Eventuallyf asserts that given condition will be met in waitFor time,
+// periodically checking target function each tick.
+//
+//	a.Eventuallyf(func() bool { return true; }, time.Second, 10*time.Millisecond, "error message %s", "formatted")
+func (a *Assertions) Eventuallyf(condition func() bool, waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Eventuallyf(a.t, condition, waitFor, tick, msg, args...)
+}
+
+// Exactly asserts that two objects are equal in value and type.
+//
+//	a.Exactly(int32(123), int64(123))
+func (a *Assertions) Exactly(expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Exactly(a.t, expected, actual, msgAndArgs...)
+}
+
+// Exactlyf asserts that two objects are equal in value and type.
+//
+//	a.Exactlyf(int32(123), int64(123), "error message %s", "formatted")
+func (a *Assertions) Exactlyf(expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Exactlyf(a.t, expected, actual, msg, args...)
+}
+
+// Fail reports a failure through
+func (a *Assertions) Fail(failureMessage string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Fail(a.t, failureMessage, msgAndArgs...)
+}
+
+// FailNow fails test
+func (a *Assertions) FailNow(failureMessage string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	FailNow(a.t, failureMessage, msgAndArgs...)
+}
+
+// FailNowf fails test
+func (a *Assertions) FailNowf(failureMessage string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	FailNowf(a.t, failureMessage, msg, args...)
+}
+
+// Failf reports a failure through
+func (a *Assertions) Failf(failureMessage string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Failf(a.t, failureMessage, msg, args...)
+}
+
+// False asserts that the specified value is false.
+//
+//	a.False(myBool)
+func (a *Assertions) False(value bool, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	False(a.t, value, msgAndArgs...)
+}
+
+// Falsef asserts that the specified value is false.
+//
+//	a.Falsef(myBool, "error message %s", "formatted")
+func (a *Assertions) Falsef(value bool, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Falsef(a.t, value, msg, args...)
+}
+
+// FileExists checks whether a file exists in the given path. It also fails if
+// the path points to a directory or there is an error when trying to check the file.
+func (a *Assertions) FileExists(path string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	FileExists(a.t, path, msgAndArgs...)
+}
+
+// FileExistsf checks whether a file exists in the given path. It also fails if
+// the path points to a directory or there is an error when trying to check the file.
+func (a *Assertions) FileExistsf(path string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	FileExistsf(a.t, path, msg, args...)
+}
+
+// Greater asserts that the first element is greater than the second
+//
+//	a.Greater(2, 1)
+//	a.Greater(float64(2), float64(1))
+//	a.Greater("b", "a")
+func (a *Assertions) Greater(e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Greater(a.t, e1, e2, msgAndArgs...)
+}
+
+// GreaterOrEqual asserts that the first element is greater than or equal to the second
+//
+//	a.GreaterOrEqual(2, 1)
+//	a.GreaterOrEqual(2, 2)
+//	a.GreaterOrEqual("b", "a")
+//	a.GreaterOrEqual("b", "b")
+func (a *Assertions) GreaterOrEqual(e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	GreaterOrEqual(a.t, e1, e2, msgAndArgs...)
+}
+
+// GreaterOrEqualf asserts that the first element is greater than or equal to the second
+//
+//	a.GreaterOrEqualf(2, 1, "error message %s", "formatted")
+//	a.GreaterOrEqualf(2, 2, "error message %s", "formatted")
+//	a.GreaterOrEqualf("b", "a", "error message %s", "formatted")
+//	a.GreaterOrEqualf("b", "b", "error message %s", "formatted")
+func (a *Assertions) GreaterOrEqualf(e1 interface{}, e2 interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	GreaterOrEqualf(a.t, e1, e2, msg, args...)
+}
+
+// Greaterf asserts that the first element is greater than the second
+//
+//	a.Greaterf(2, 1, "error message %s", "formatted")
+//	a.Greaterf(float64(2), float64(1), "error message %s", "formatted")
+//	a.Greaterf("b", "a", "error message %s", "formatted")
+func (a *Assertions) Greaterf(e1 interface{}, e2 interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Greaterf(a.t, e1, e2, msg, args...)
+}
+
+// HTTPBodyContains asserts that a specified handler returns a
+// body that contains a string.
+//
+//	a.HTTPBodyContains(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPBodyContains(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPBodyContains(a.t, handler, method, url, values, str, msgAndArgs...)
+}
+
+// HTTPBodyContainsf asserts that a specified handler returns a
+// body that contains a string.
+//
+//	a.HTTPBodyContainsf(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPBodyContainsf(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPBodyContainsf(a.t, handler, method, url, values, str, msg, args...)
+}
+
+// HTTPBodyNotContains asserts that a specified handler returns a
+// body that does not contain a string.
+//
+//	a.HTTPBodyNotContains(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPBodyNotContains(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPBodyNotContains(a.t, handler, method, url, values, str, msgAndArgs...)
+}
+
+// HTTPBodyNotContainsf asserts that a specified handler returns a
+// body that does not contain a string.
+//
+//	a.HTTPBodyNotContainsf(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPBodyNotContainsf(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPBodyNotContainsf(a.t, handler, method, url, values, str, msg, args...)
+}
+
+// HTTPError asserts that a specified handler returns an error status code.
+//
+//	a.HTTPError(myHandler, "POST", "/a/b/c", url.Values{"a": []string{"b", "c"}}
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPError(handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPError(a.t, handler, method, url, values, msgAndArgs...)
+}
+
+// HTTPErrorf asserts that a specified handler returns an error status code.
+//
+//	a.HTTPErrorf(myHandler, "POST", "/a/b/c", url.Values{"a": []string{"b", "c"}}
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPErrorf(handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPErrorf(a.t, handler, method, url, values, msg, args...)
+}
+
+// HTTPRedirect asserts that a specified handler returns a redirect status code.
+//
+//	a.HTTPRedirect(myHandler, "GET", "/a/b/c", url.Values{"a": []string{"b", "c"}}
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPRedirect(handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPRedirect(a.t, handler, method, url, values, msgAndArgs...)
+}
+
+// HTTPRedirectf asserts that a specified handler returns a redirect status code.
+//
+//	a.HTTPRedirectf(myHandler, "GET", "/a/b/c", url.Values{"a": []string{"b", "c"}}
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPRedirectf(handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPRedirectf(a.t, handler, method, url, values, msg, args...)
+}
+
+// HTTPStatusCode asserts that a specified handler returns a specified status code.
+//
+//	a.HTTPStatusCode(myHandler, "GET", "/notImplemented", nil, 501)
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPStatusCode(handler http.HandlerFunc, method string, url string, values url.Values, statuscode int, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPStatusCode(a.t, handler, method, url, values, statuscode, msgAndArgs...)
+}
+
+// HTTPStatusCodef asserts that a specified handler returns a specified status code.
+//
+//	a.HTTPStatusCodef(myHandler, "GET", "/notImplemented", nil, 501, "error message %s", "formatted")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPStatusCodef(handler http.HandlerFunc, method string, url string, values url.Values, statuscode int, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPStatusCodef(a.t, handler, method, url, values, statuscode, msg, args...)
+}
+
+// HTTPSuccess asserts that a specified handler returns a success status code.
+//
+//	a.HTTPSuccess(myHandler, "POST", "http://www.google.com", nil)
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPSuccess(handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPSuccess(a.t, handler, method, url, values, msgAndArgs...)
+}
+
+// HTTPSuccessf asserts that a specified handler returns a success status code.
+//
+//	a.HTTPSuccessf(myHandler, "POST", "http://www.google.com", nil, "error message %s", "formatted")
+//
+// Returns whether the assertion was successful (true) or not (false).
+func (a *Assertions) HTTPSuccessf(handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	HTTPSuccessf(a.t, handler, method, url, values, msg, args...)
+}
+
+// Implements asserts that an object is implemented by the specified interface.
+//
+//	a.Implements((*MyInterface)(nil), new(MyObject))
+func (a *Assertions) Implements(interfaceObject interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Implements(a.t, interfaceObject, object, msgAndArgs...)
+}
+
+// Implementsf asserts that an object is implemented by the specified interface.
+//
+//	a.Implementsf((*MyInterface)(nil), new(MyObject), "error message %s", "formatted")
+func (a *Assertions) Implementsf(interfaceObject interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Implementsf(a.t, interfaceObject, object, msg, args...)
+}
+
+// InDelta asserts that the two numerals are within delta of each other.
+//
+//	a.InDelta(math.Pi, 22/7.0, 0.01)
+func (a *Assertions) InDelta(expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InDelta(a.t, expected, actual, delta, msgAndArgs...)
+}
+
+// InDeltaMapValues is the same as InDelta, but it compares all values between two maps. Both maps must have exactly the same keys.
+func (a *Assertions) InDeltaMapValues(expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InDeltaMapValues(a.t, expected, actual, delta, msgAndArgs...)
+}
+
+// InDeltaMapValuesf is the same as InDelta, but it compares all values between two maps. Both maps must have exactly the same keys.
+func (a *Assertions) InDeltaMapValuesf(expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InDeltaMapValuesf(a.t, expected, actual, delta, msg, args...)
+}
+
+// InDeltaSlice is the same as InDelta, except it compares two slices.
+func (a *Assertions) InDeltaSlice(expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InDeltaSlice(a.t, expected, actual, delta, msgAndArgs...)
+}
+
+// InDeltaSlicef is the same as InDelta, except it compares two slices.
+func (a *Assertions) InDeltaSlicef(expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InDeltaSlicef(a.t, expected, actual, delta, msg, args...)
+}
+
+// InDeltaf asserts that the two numerals are within delta of each other.
+//
+//	a.InDeltaf(math.Pi, 22/7.0, 0.01, "error message %s", "formatted")
+func (a *Assertions) InDeltaf(expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InDeltaf(a.t, expected, actual, delta, msg, args...)
+}
+
+// InEpsilon asserts that expected and actual have a relative error less than epsilon
+func (a *Assertions) InEpsilon(expected interface{}, actual interface{}, epsilon float64, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InEpsilon(a.t, expected, actual, epsilon, msgAndArgs...)
+}
+
+// InEpsilonSlice is the same as InEpsilon, except it compares each value from two slices.
+func (a *Assertions) InEpsilonSlice(expected interface{}, actual interface{}, epsilon float64, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InEpsilonSlice(a.t, expected, actual, epsilon, msgAndArgs...)
+}
+
+// InEpsilonSlicef is the same as InEpsilon, except it compares each value from two slices.
+func (a *Assertions) InEpsilonSlicef(expected interface{}, actual interface{}, epsilon float64, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InEpsilonSlicef(a.t, expected, actual, epsilon, msg, args...)
+}
+
+// InEpsilonf asserts that expected and actual have a relative error less than epsilon
+func (a *Assertions) InEpsilonf(expected interface{}, actual interface{}, epsilon float64, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	InEpsilonf(a.t, expected, actual, epsilon, msg, args...)
+}
+
+// IsDecreasing asserts that the collection is decreasing
+//
+//	a.IsDecreasing([]int{2, 1, 0})
+//	a.IsDecreasing([]float{2, 1})
+//	a.IsDecreasing([]string{"b", "a"})
+func (a *Assertions) IsDecreasing(object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsDecreasing(a.t, object, msgAndArgs...)
+}
+
+// IsDecreasingf asserts that the collection is decreasing
+//
+//	a.IsDecreasingf([]int{2, 1, 0}, "error message %s", "formatted")
+//	a.IsDecreasingf([]float{2, 1}, "error message %s", "formatted")
+//	a.IsDecreasingf([]string{"b", "a"}, "error message %s", "formatted")
+func (a *Assertions) IsDecreasingf(object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsDecreasingf(a.t, object, msg, args...)
+}
+
+// IsIncreasing asserts that the collection is increasing
+//
+//	a.IsIncreasing([]int{1, 2, 3})
+//	a.IsIncreasing([]float{1, 2})
+//	a.IsIncreasing([]string{"a", "b"})
+func (a *Assertions) IsIncreasing(object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsIncreasing(a.t, object, msgAndArgs...)
+}
+
+// IsIncreasingf asserts that the collection is increasing
+//
+//	a.IsIncreasingf([]int{1, 2, 3}, "error message %s", "formatted")
+//	a.IsIncreasingf([]float{1, 2}, "error message %s", "formatted")
+//	a.IsIncreasingf([]string{"a", "b"}, "error message %s", "formatted")
+func (a *Assertions) IsIncreasingf(object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsIncreasingf(a.t, object, msg, args...)
+}
+
+// IsNonDecreasing asserts that the collection is not decreasing
+//
+//	a.IsNonDecreasing([]int{1, 1, 2})
+//	a.IsNonDecreasing([]float{1, 2})
+//	a.IsNonDecreasing([]string{"a", "b"})
+func (a *Assertions) IsNonDecreasing(object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsNonDecreasing(a.t, object, msgAndArgs...)
+}
+
+// IsNonDecreasingf asserts that the collection is not decreasing
+//
+//	a.IsNonDecreasingf([]int{1, 1, 2}, "error message %s", "formatted")
+//	a.IsNonDecreasingf([]float{1, 2}, "error message %s", "formatted")
+//	a.IsNonDecreasingf([]string{"a", "b"}, "error message %s", "formatted")
+func (a *Assertions) IsNonDecreasingf(object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsNonDecreasingf(a.t, object, msg, args...)
+}
+
+// IsNonIncreasing asserts that the collection is not increasing
+//
+//	a.IsNonIncreasing([]int{2, 1, 1})
+//	a.IsNonIncreasing([]float{2, 1})
+//	a.IsNonIncreasing([]string{"b", "a"})
+func (a *Assertions) IsNonIncreasing(object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsNonIncreasing(a.t, object, msgAndArgs...)
+}
+
+// IsNonIncreasingf asserts that the collection is not increasing
+//
+//	a.IsNonIncreasingf([]int{2, 1, 1}, "error message %s", "formatted")
+//	a.IsNonIncreasingf([]float{2, 1}, "error message %s", "formatted")
+//	a.IsNonIncreasingf([]string{"b", "a"}, "error message %s", "formatted")
+func (a *Assertions) IsNonIncreasingf(object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsNonIncreasingf(a.t, object, msg, args...)
+}
+
+// IsNotType asserts that the specified objects are not of the same type.
+//
+//	a.IsNotType(&NotMyStruct{}, &MyStruct{})
+func (a *Assertions) IsNotType(theType interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsNotType(a.t, theType, object, msgAndArgs...)
+}
+
+// IsNotTypef asserts that the specified objects are not of the same type.
+//
+//	a.IsNotTypef(&NotMyStruct{}, &MyStruct{}, "error message %s", "formatted")
+func (a *Assertions) IsNotTypef(theType interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsNotTypef(a.t, theType, object, msg, args...)
+}
+
+// IsType asserts that the specified objects are of the same type.
+//
+//	a.IsType(&MyStruct{}, &MyStruct{})
+func (a *Assertions) IsType(expectedType interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsType(a.t, expectedType, object, msgAndArgs...)
+}
+
+// IsTypef asserts that the specified objects are of the same type.
+//
+//	a.IsTypef(&MyStruct{}, &MyStruct{}, "error message %s", "formatted")
+func (a *Assertions) IsTypef(expectedType interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsTypef(a.t, expectedType, object, msg, args...)
+}
+
+// JSONEq asserts that two JSON strings are equivalent.
+//
+//	a.JSONEq(`{"hello": "world", "foo": "bar"}`, `{"foo": "bar", "hello": "world"}`)
+func (a *Assertions) JSONEq(expected string, actual string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	JSONEq(a.t, expected, actual, msgAndArgs...)
+}
+
+// JSONEqf asserts that two JSON strings are equivalent.
+//
+//	a.JSONEqf(`{"hello": "world", "foo": "bar"}`, `{"foo": "bar", "hello": "world"}`, "error message %s", "formatted")
+func (a *Assertions) JSONEqf(expected string, actual string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	JSONEqf(a.t, expected, actual, msg, args...)
+}
+
+// Len asserts that the specified object has specific length.
+// Len also fails if the object has a type that len() not accept.
+//
+//	a.Len(mySlice, 3)
+func (a *Assertions) Len(object interface{}, length int, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Len(a.t, object, length, msgAndArgs...)
+}
+
+// Lenf asserts that the specified object has specific length.
+// Lenf also fails if the object has a type that len() not accept.
+//
+//	a.Lenf(mySlice, 3, "error message %s", "formatted")
+func (a *Assertions) Lenf(object interface{}, length int, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Lenf(a.t, object, length, msg, args...)
+}
+
+// Less asserts that the first element is less than the second
+//
+//	a.Less(1, 2)
+//	a.Less(float64(1), float64(2))
+//	a.Less("a", "b")
+func (a *Assertions) Less(e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Less(a.t, e1, e2, msgAndArgs...)
+}
+
+// LessOrEqual asserts that the first element is less than or equal to the second
+//
+//	a.LessOrEqual(1, 2)
+//	a.LessOrEqual(2, 2)
+//	a.LessOrEqual("a", "b")
+//	a.LessOrEqual("b", "b")
+func (a *Assertions) LessOrEqual(e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	LessOrEqual(a.t, e1, e2, msgAndArgs...)
+}
+
+// LessOrEqualf asserts that the first element is less than or equal to the second
+//
+//	a.LessOrEqualf(1, 2, "error message %s", "formatted")
+//	a.LessOrEqualf(2, 2, "error message %s", "formatted")
+//	a.LessOrEqualf("a", "b", "error message %s", "formatted")
+//	a.LessOrEqualf("b", "b", "error message %s", "formatted")
+func (a *Assertions) LessOrEqualf(e1 interface{}, e2 interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	LessOrEqualf(a.t, e1, e2, msg, args...)
+}
+
+// Lessf asserts that the first element is less than the second
+//
+//	a.Lessf(1, 2, "error message %s", "formatted")
+//	a.Lessf(float64(1), float64(2), "error message %s", "formatted")
+//	a.Lessf("a", "b", "error message %s", "formatted")
+func (a *Assertions) Lessf(e1 interface{}, e2 interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Lessf(a.t, e1, e2, msg, args...)
+}
+
+// Negative asserts that the specified element is negative
+//
+//	a.Negative(-1)
+//	a.Negative(-1.23)
+func (a *Assertions) Negative(e interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Negative(a.t, e, msgAndArgs...)
+}
+
+// Negativef asserts that the specified element is negative
+//
+//	a.Negativef(-1, "error message %s", "formatted")
+//	a.Negativef(-1.23, "error message %s", "formatted")
+func (a *Assertions) Negativef(e interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Negativef(a.t, e, msg, args...)
+}
+
+// Never asserts that the given condition doesn't satisfy in waitFor time,
+// periodically checking the target function each tick.
+//
+//	a.Never(func() bool { return false; }, time.Second, 10*time.Millisecond)
+func (a *Assertions) Never(condition func() bool, waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Never(a.t, condition, waitFor, tick, msgAndArgs...)
+}
+
+// Neverf asserts that the given condition doesn't satisfy in waitFor time,
+// periodically checking the target function each tick.
+//
+//	a.Neverf(func() bool { return false; }, time.Second, 10*time.Millisecond, "error message %s", "formatted")
+func (a *Assertions) Neverf(condition func() bool, waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Neverf(a.t, condition, waitFor, tick, msg, args...)
+}
+
+// Nil asserts that the specified object is nil.
+//
+//	a.Nil(err)
+func (a *Assertions) Nil(object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Nil(a.t, object, msgAndArgs...)
+}
+
+// Nilf asserts that the specified object is nil.
+//
+//	a.Nilf(err, "error message %s", "formatted")
+func (a *Assertions) Nilf(object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Nilf(a.t, object, msg, args...)
+}
+
+// NoDirExists checks whether a directory does not exist in the given path.
+// It fails if the path points to an existing _directory_ only.
+func (a *Assertions) NoDirExists(path string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NoDirExists(a.t, path, msgAndArgs...)
+}
+
+// NoDirExistsf checks whether a directory does not exist in the given path.
+// It fails if the path points to an existing _directory_ only.
+func (a *Assertions) NoDirExistsf(path string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NoDirExistsf(a.t, path, msg, args...)
+}
+
+// NoError asserts that a function returned no error (i.e. `nil`).
+//
+//	  actualObj, err := SomeFunction()
+//	  if a.NoError(err) {
+//		   assert.Equal(t, expectedObj, actualObj)
+//	  }
+func (a *Assertions) NoError(err error, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NoError(a.t, err, msgAndArgs...)
+}
+
+// NoErrorf asserts that a function returned no error (i.e. `nil`).
+//
+//	  actualObj, err := SomeFunction()
+//	  if a.NoErrorf(err, "error message %s", "formatted") {
+//		   assert.Equal(t, expectedObj, actualObj)
+//	  }
+func (a *Assertions) NoErrorf(err error, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NoErrorf(a.t, err, msg, args...)
+}
+
+// NoFileExists checks whether a file does not exist in a given path. It fails
+// if the path points to an existing _file_ only.
+func (a *Assertions) NoFileExists(path string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NoFileExists(a.t, path, msgAndArgs...)
+}
+
+// NoFileExistsf checks whether a file does not exist in a given path. It fails
+// if the path points to an existing _file_ only.
+func (a *Assertions) NoFileExistsf(path string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NoFileExistsf(a.t, path, msg, args...)
+}
+
+// NotContains asserts that the specified string, list(array, slice...) or map does NOT contain the
+// specified substring or element.
+//
+//	a.NotContains("Hello World", "Earth")
+//	a.NotContains(["Hello", "World"], "Earth")
+//	a.NotContains({"Hello": "World"}, "Earth")
+func (a *Assertions) NotContains(s interface{}, contains interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotContains(a.t, s, contains, msgAndArgs...)
+}
+
+// NotContainsf asserts that the specified string, list(array, slice...) or map does NOT contain the
+// specified substring or element.
+//
+//	a.NotContainsf("Hello World", "Earth", "error message %s", "formatted")
+//	a.NotContainsf(["Hello", "World"], "Earth", "error message %s", "formatted")
+//	a.NotContainsf({"Hello": "World"}, "Earth", "error message %s", "formatted")
+func (a *Assertions) NotContainsf(s interface{}, contains interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotContainsf(a.t, s, contains, msg, args...)
+}
+
+// NotElementsMatch asserts that the specified listA(array, slice...) is NOT equal to specified
+// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements,
+// the number of appearances of each of them in both lists should not match.
+// This is an inverse of ElementsMatch.
+//
+// a.NotElementsMatch([1, 1, 2, 3], [1, 1, 2, 3]) -> false
+//
+// a.NotElementsMatch([1, 1, 2, 3], [1, 2, 3]) -> true
+//
+// a.NotElementsMatch([1, 2, 3], [1, 2, 4]) -> true
+func (a *Assertions) NotElementsMatch(listA interface{}, listB interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotElementsMatch(a.t, listA, listB, msgAndArgs...)
+}
+
+// NotElementsMatchf asserts that the specified listA(array, slice...) is NOT equal to specified
+// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements,
+// the number of appearances of each of them in both lists should not match.
+// This is an inverse of ElementsMatch.
+//
+// a.NotElementsMatchf([1, 1, 2, 3], [1, 1, 2, 3], "error message %s", "formatted") -> false
+//
+// a.NotElementsMatchf([1, 1, 2, 3], [1, 2, 3], "error message %s", "formatted") -> true
+//
+// a.NotElementsMatchf([1, 2, 3], [1, 2, 4], "error message %s", "formatted") -> true
+func (a *Assertions) NotElementsMatchf(listA interface{}, listB interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotElementsMatchf(a.t, listA, listB, msg, args...)
+}
+
+// NotEmpty asserts that the specified object is NOT [Empty].
+//
+//	if a.NotEmpty(obj) {
+//	  assert.Equal(t, "two", obj[1])
+//	}
+func (a *Assertions) NotEmpty(object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotEmpty(a.t, object, msgAndArgs...)
+}
+
+// NotEmptyf asserts that the specified object is NOT [Empty].
+//
+//	if a.NotEmptyf(obj, "error message %s", "formatted") {
+//	  assert.Equal(t, "two", obj[1])
+//	}
+func (a *Assertions) NotEmptyf(object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotEmptyf(a.t, object, msg, args...)
+}
+
+// NotEqual asserts that the specified values are NOT equal.
+//
+//	a.NotEqual(obj1, obj2)
+//
+// Pointer variable equality is determined based on the equality of the
+// referenced values (as opposed to the memory addresses).
+func (a *Assertions) NotEqual(expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotEqual(a.t, expected, actual, msgAndArgs...)
+}
+
+// NotEqualValues asserts that two objects are not equal even when converted to the same type
+//
+//	a.NotEqualValues(obj1, obj2)
+func (a *Assertions) NotEqualValues(expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotEqualValues(a.t, expected, actual, msgAndArgs...)
+}
+
+// NotEqualValuesf asserts that two objects are not equal even when converted to the same type
+//
+//	a.NotEqualValuesf(obj1, obj2, "error message %s", "formatted")
+func (a *Assertions) NotEqualValuesf(expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotEqualValuesf(a.t, expected, actual, msg, args...)
+}
+
+// NotEqualf asserts that the specified values are NOT equal.
+//
+//	a.NotEqualf(obj1, obj2, "error message %s", "formatted")
+//
+// Pointer variable equality is determined based on the equality of the
+// referenced values (as opposed to the memory addresses).
+func (a *Assertions) NotEqualf(expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotEqualf(a.t, expected, actual, msg, args...)
+}
+
+// NotErrorAs asserts that none of the errors in err's chain matches target,
+// but if so, sets target to that error value.
+func (a *Assertions) NotErrorAs(err error, target interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotErrorAs(a.t, err, target, msgAndArgs...)
+}
+
+// NotErrorAsf asserts that none of the errors in err's chain matches target,
+// but if so, sets target to that error value.
+func (a *Assertions) NotErrorAsf(err error, target interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotErrorAsf(a.t, err, target, msg, args...)
+}
+
+// NotErrorIs asserts that none of the errors in err's chain matches target.
+// This is a wrapper for errors.Is.
+func (a *Assertions) NotErrorIs(err error, target error, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotErrorIs(a.t, err, target, msgAndArgs...)
+}
+
+// NotErrorIsf asserts that none of the errors in err's chain matches target.
+// This is a wrapper for errors.Is.
+func (a *Assertions) NotErrorIsf(err error, target error, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotErrorIsf(a.t, err, target, msg, args...)
+}
+
+// NotImplements asserts that an object does not implement the specified interface.
+//
+//	a.NotImplements((*MyInterface)(nil), new(MyObject))
+func (a *Assertions) NotImplements(interfaceObject interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotImplements(a.t, interfaceObject, object, msgAndArgs...)
+}
+
+// NotImplementsf asserts that an object does not implement the specified interface.
+//
+//	a.NotImplementsf((*MyInterface)(nil), new(MyObject), "error message %s", "formatted")
+func (a *Assertions) NotImplementsf(interfaceObject interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotImplementsf(a.t, interfaceObject, object, msg, args...)
+}
+
+// NotNil asserts that the specified object is not nil.
+//
+//	a.NotNil(err)
+func (a *Assertions) NotNil(object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotNil(a.t, object, msgAndArgs...)
+}
+
+// NotNilf asserts that the specified object is not nil.
+//
+//	a.NotNilf(err, "error message %s", "formatted")
+func (a *Assertions) NotNilf(object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotNilf(a.t, object, msg, args...)
+}
+
+// NotPanics asserts that the code inside the specified PanicTestFunc does NOT panic.
+//
+//	a.NotPanics(func(){ RemainCalm() })
+func (a *Assertions) NotPanics(f assert.PanicTestFunc, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotPanics(a.t, f, msgAndArgs...)
+}
+
+// NotPanicsf asserts that the code inside the specified PanicTestFunc does NOT panic.
+//
+//	a.NotPanicsf(func(){ RemainCalm() }, "error message %s", "formatted")
+func (a *Assertions) NotPanicsf(f assert.PanicTestFunc, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotPanicsf(a.t, f, msg, args...)
+}
+
+// NotRegexp asserts that a specified regexp does not match a string.
+//
+//	a.NotRegexp(regexp.MustCompile("starts"), "it's starting")
+//	a.NotRegexp("^start", "it's not starting")
+func (a *Assertions) NotRegexp(rx interface{}, str interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotRegexp(a.t, rx, str, msgAndArgs...)
+}
+
+// NotRegexpf asserts that a specified regexp does not match a string.
+//
+//	a.NotRegexpf(regexp.MustCompile("starts"), "it's starting", "error message %s", "formatted")
+//	a.NotRegexpf("^start", "it's not starting", "error message %s", "formatted")
+func (a *Assertions) NotRegexpf(rx interface{}, str interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotRegexpf(a.t, rx, str, msg, args...)
+}
+
+// NotSame asserts that two pointers do not reference the same object.
+//
+//	a.NotSame(ptr1, ptr2)
+//
+// Both arguments must be pointer variables. Pointer variable sameness is
+// determined based on the equality of both type and value.
+func (a *Assertions) NotSame(expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotSame(a.t, expected, actual, msgAndArgs...)
+}
+
+// NotSamef asserts that two pointers do not reference the same object.
+//
+//	a.NotSamef(ptr1, ptr2, "error message %s", "formatted")
+//
+// Both arguments must be pointer variables. Pointer variable sameness is
+// determined based on the equality of both type and value.
+func (a *Assertions) NotSamef(expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotSamef(a.t, expected, actual, msg, args...)
+}
+
+// NotSubset asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
+//
+//	a.NotSubset([1, 3, 4], [1, 2])
+//	a.NotSubset({"x": 1, "y": 2}, {"z": 3})
+//	a.NotSubset([1, 3, 4], {1: "one", 2: "two"})
+//	a.NotSubset({"x": 1, "y": 2}, ["z"])
+func (a *Assertions) NotSubset(list interface{}, subset interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotSubset(a.t, list, subset, msgAndArgs...)
+}
+
+// NotSubsetf asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
+//
+//	a.NotSubsetf([1, 3, 4], [1, 2], "error message %s", "formatted")
+//	a.NotSubsetf({"x": 1, "y": 2}, {"z": 3}, "error message %s", "formatted")
+//	a.NotSubsetf([1, 3, 4], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	a.NotSubsetf({"x": 1, "y": 2}, ["z"], "error message %s", "formatted")
+func (a *Assertions) NotSubsetf(list interface{}, subset interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotSubsetf(a.t, list, subset, msg, args...)
+}
+
+// NotZero asserts that i is not the zero value for its type.
+func (a *Assertions) NotZero(i interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotZero(a.t, i, msgAndArgs...)
+}
+
+// NotZerof asserts that i is not the zero value for its type.
+func (a *Assertions) NotZerof(i interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	NotZerof(a.t, i, msg, args...)
+}
+
+// Panics asserts that the code inside the specified PanicTestFunc panics.
+//
+//	a.Panics(func(){ GoCrazy() })
+func (a *Assertions) Panics(f assert.PanicTestFunc, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Panics(a.t, f, msgAndArgs...)
+}
+
+// PanicsWithError asserts that the code inside the specified PanicTestFunc
+// panics, and that the recovered panic value is an error that satisfies the
+// EqualError comparison.
+//
+//	a.PanicsWithError("crazy error", func(){ GoCrazy() })
+func (a *Assertions) PanicsWithError(errString string, f assert.PanicTestFunc, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	PanicsWithError(a.t, errString, f, msgAndArgs...)
+}
+
+// PanicsWithErrorf asserts that the code inside the specified PanicTestFunc
+// panics, and that the recovered panic value is an error that satisfies the
+// EqualError comparison.
+//
+//	a.PanicsWithErrorf("crazy error", func(){ GoCrazy() }, "error message %s", "formatted")
+func (a *Assertions) PanicsWithErrorf(errString string, f assert.PanicTestFunc, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	PanicsWithErrorf(a.t, errString, f, msg, args...)
+}
+
+// PanicsWithValue asserts that the code inside the specified PanicTestFunc panics, and that
+// the recovered panic value equals the expected panic value.
+//
+//	a.PanicsWithValue("crazy error", func(){ GoCrazy() })
+func (a *Assertions) PanicsWithValue(expected interface{}, f assert.PanicTestFunc, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	PanicsWithValue(a.t, expected, f, msgAndArgs...)
+}
+
+// PanicsWithValuef asserts that the code inside the specified PanicTestFunc panics, and that
+// the recovered panic value equals the expected panic value.
+//
+//	a.PanicsWithValuef("crazy error", func(){ GoCrazy() }, "error message %s", "formatted")
+func (a *Assertions) PanicsWithValuef(expected interface{}, f assert.PanicTestFunc, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	PanicsWithValuef(a.t, expected, f, msg, args...)
+}
+
+// Panicsf asserts that the code inside the specified PanicTestFunc panics.
+//
+//	a.Panicsf(func(){ GoCrazy() }, "error message %s", "formatted")
+func (a *Assertions) Panicsf(f assert.PanicTestFunc, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Panicsf(a.t, f, msg, args...)
+}
+
+// Positive asserts that the specified element is positive
+//
+//	a.Positive(1)
+//	a.Positive(1.23)
+func (a *Assertions) Positive(e interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Positive(a.t, e, msgAndArgs...)
+}
+
+// Positivef asserts that the specified element is positive
+//
+//	a.Positivef(1, "error message %s", "formatted")
+//	a.Positivef(1.23, "error message %s", "formatted")
+func (a *Assertions) Positivef(e interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Positivef(a.t, e, msg, args...)
+}
+
+// Regexp asserts that a specified regexp matches a string.
+//
+//	a.Regexp(regexp.MustCompile("start"), "it's starting")
+//	a.Regexp("start...$", "it's not starting")
+func (a *Assertions) Regexp(rx interface{}, str interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Regexp(a.t, rx, str, msgAndArgs...)
+}
+
+// Regexpf asserts that a specified regexp matches a string.
+//
+//	a.Regexpf(regexp.MustCompile("start"), "it's starting", "error message %s", "formatted")
+//	a.Regexpf("start...$", "it's not starting", "error message %s", "formatted")
+func (a *Assertions) Regexpf(rx interface{}, str interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Regexpf(a.t, rx, str, msg, args...)
+}
+
+// Same asserts that two pointers reference the same object.
+//
+//	a.Same(ptr1, ptr2)
+//
+// Both arguments must be pointer variables. Pointer variable sameness is
+// determined based on the equality of both type and value.
+func (a *Assertions) Same(expected interface{}, actual interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Same(a.t, expected, actual, msgAndArgs...)
+}
+
+// Samef asserts that two pointers reference the same object.
+//
+//	a.Samef(ptr1, ptr2, "error message %s", "formatted")
+//
+// Both arguments must be pointer variables. Pointer variable sameness is
+// determined based on the equality of both type and value.
+func (a *Assertions) Samef(expected interface{}, actual interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Samef(a.t, expected, actual, msg, args...)
+}
+
+// Subset asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
+//
+//	a.Subset([1, 2, 3], [1, 2])
+//	a.Subset({"x": 1, "y": 2}, {"x": 1})
+//	a.Subset([1, 2, 3], {1: "one", 2: "two"})
+//	a.Subset({"x": 1, "y": 2}, ["x"])
+func (a *Assertions) Subset(list interface{}, subset interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Subset(a.t, list, subset, msgAndArgs...)
+}
+
+// Subsetf asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
+//
+//	a.Subsetf([1, 2, 3], [1, 2], "error message %s", "formatted")
+//	a.Subsetf({"x": 1, "y": 2}, {"x": 1}, "error message %s", "formatted")
+//	a.Subsetf([1, 2, 3], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	a.Subsetf({"x": 1, "y": 2}, ["x"], "error message %s", "formatted")
+func (a *Assertions) Subsetf(list interface{}, subset interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Subsetf(a.t, list, subset, msg, args...)
+}
+
+// True asserts that the specified value is true.
+//
+//	a.True(myBool)
+func (a *Assertions) True(value bool, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	True(a.t, value, msgAndArgs...)
+}
+
+// Truef asserts that the specified value is true.
+//
+//	a.Truef(myBool, "error message %s", "formatted")
+func (a *Assertions) Truef(value bool, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Truef(a.t, value, msg, args...)
+}
+
+// WithinDuration asserts that the two times are within duration delta of each other.
+//
+//	a.WithinDuration(time.Now(), time.Now(), 10*time.Second)
+func (a *Assertions) WithinDuration(expected time.Time, actual time.Time, delta time.Duration, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	WithinDuration(a.t, expected, actual, delta, msgAndArgs...)
+}
+
+// WithinDurationf asserts that the two times are within duration delta of each other.
+//
+//	a.WithinDurationf(time.Now(), time.Now(), 10*time.Second, "error message %s", "formatted")
+func (a *Assertions) WithinDurationf(expected time.Time, actual time.Time, delta time.Duration, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	WithinDurationf(a.t, expected, actual, delta, msg, args...)
+}
+
+// WithinRange asserts that a time is within a time range (inclusive).
+//
+//	a.WithinRange(time.Now(), time.Now().Add(-time.Second), time.Now().Add(time.Second))
+func (a *Assertions) WithinRange(actual time.Time, start time.Time, end time.Time, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	WithinRange(a.t, actual, start, end, msgAndArgs...)
+}
+
+// WithinRangef asserts that a time is within a time range (inclusive).
+//
+//	a.WithinRangef(time.Now(), time.Now().Add(-time.Second), time.Now().Add(time.Second), "error message %s", "formatted")
+func (a *Assertions) WithinRangef(actual time.Time, start time.Time, end time.Time, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	WithinRangef(a.t, actual, start, end, msg, args...)
+}
+
+// YAMLEq asserts that two YAML strings are equivalent.
+func (a *Assertions) YAMLEq(expected string, actual string, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	YAMLEq(a.t, expected, actual, msgAndArgs...)
+}
+
+// YAMLEqf asserts that two YAML strings are equivalent.
+func (a *Assertions) YAMLEqf(expected string, actual string, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	YAMLEqf(a.t, expected, actual, msg, args...)
+}
+
+// Zero asserts that i is the zero value for its type.
+func (a *Assertions) Zero(i interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Zero(a.t, i, msgAndArgs...)
+}
+
+// Zerof asserts that i is the zero value for its type.
+func (a *Assertions) Zerof(i interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	Zerof(a.t, i, msg, args...)
+}
diff --git a/vendor/github.com/stretchr/testify/require/require_forward.go.tmpl b/vendor/github.com/stretchr/testify/require/require_forward.go.tmpl
new file mode 100644
index 0000000000..54124df1d3
--- /dev/null
+++ b/vendor/github.com/stretchr/testify/require/require_forward.go.tmpl
@@ -0,0 +1,5 @@
+{{.CommentWithoutT "a"}}
+func (a *Assertions) {{.DocInfo.Name}}({{.Params}}) {
+	if h, ok := a.t.(tHelper); ok { h.Helper() }
+	{{.DocInfo.Name}}(a.t, {{.ForwardedParams}})
+}
diff --git a/vendor/github.com/stretchr/testify/require/requirements.go b/vendor/github.com/stretchr/testify/require/requirements.go
new file mode 100644
index 0000000000..6b7ce929eb
--- /dev/null
+++ b/vendor/github.com/stretchr/testify/require/requirements.go
@@ -0,0 +1,29 @@
+package require
+
+// TestingT is an interface wrapper around *testing.T
+type TestingT interface {
+	Errorf(format string, args ...interface{})
+	FailNow()
+}
+
+type tHelper = interface {
+	Helper()
+}
+
+// ComparisonAssertionFunc is a common function prototype when comparing two values.  Can be useful
+// for table driven tests.
+type ComparisonAssertionFunc func(TestingT, interface{}, interface{}, ...interface{})
+
+// ValueAssertionFunc is a common function prototype when validating a single value.  Can be useful
+// for table driven tests.
+type ValueAssertionFunc func(TestingT, interface{}, ...interface{})
+
+// BoolAssertionFunc is a common function prototype when validating a bool value.  Can be useful
+// for table driven tests.
+type BoolAssertionFunc func(TestingT, bool, ...interface{})
+
+// ErrorAssertionFunc is a common function prototype when validating an error value.  Can be useful
+// for table driven tests.
+type ErrorAssertionFunc func(TestingT, error, ...interface{})
+
+//go:generate sh -c "cd ../_codegen && go build && cd - && ../_codegen/_codegen -output-package=require -template=require.go.tmpl -include-format-funcs"
diff --git a/vendor/github.com/xlab/treeprint/.gitignore b/vendor/github.com/xlab/treeprint/.gitignore
new file mode 100644
index 0000000000..7c9305d664
--- /dev/null
+++ b/vendor/github.com/xlab/treeprint/.gitignore
@@ -0,0 +1,3 @@
+vendor/**
+.idea
+**/**.iml
diff --git a/vendor/github.com/xlab/treeprint/LICENSE b/vendor/github.com/xlab/treeprint/LICENSE
new file mode 100644
index 0000000000..5ab533ad2f
--- /dev/null
+++ b/vendor/github.com/xlab/treeprint/LICENSE
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+Copyright © 2016 Maxim Kupriianov <max@kc.vc>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the “Software�), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS�, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/xlab/treeprint/README.md b/vendor/github.com/xlab/treeprint/README.md
new file mode 100644
index 0000000000..59fb121fcf
--- /dev/null
+++ b/vendor/github.com/xlab/treeprint/README.md
@@ -0,0 +1,154 @@
+treeprint [![GoDoc](https://godoc.org/github.com/xlab/treeprint?status.svg)](https://godoc.org/github.com/xlab/treeprint) ![test coverage](https://img.shields.io/badge/coverage-68.6%25-green.svg)
+=========
+
+Package `treeprint` provides a simple ASCII tree composing tool.
+
+<a href="https://upload.wikimedia.org/wikipedia/commons/5/58/ENC_SYSTEME_FIGURE.jpeg"><img alt="SYSTEME FIGURE" src="https://upload.wikimedia.org/wikipedia/commons/thumb/5/58/ENC_SYSTEME_FIGURE.jpeg/896px-ENC_SYSTEME_FIGURE.jpeg" align="left" width="300"></a>
+
+If you are familiar with the [tree](http://mama.indstate.edu/users/ice/tree/) utility that is a recursive directory listing command that produces a depth indented listing of files, then you have the idea of what it would look like.
+
+On my system the command yields the following
+
+```
+ $ tree
+.
+├── LICENSE
+├── README.md
+├── treeprint.go
+└── treeprint_test.go
+
+0 directories, 4 files
+```
+
+and I'd like to have the same format for my Go data structures when I print them.
+
+## Installation
+
+```
+$ go get github.com/xlab/treeprint
+```
+
+## Concept of work
+
+The general idea is that you initialise a new tree with `treeprint.New()` and then add nodes and
+branches into it. Use `AddNode()` when you want add a node on the same level as the target or
+use `AddBranch()` when you want to go a level deeper. So `tree.AddBranch().AddNode().AddNode()` would
+create a new level with two distinct nodes on it. So `tree.AddNode().AddNode()` is a flat thing and
+`tree.AddBranch().AddBranch().AddBranch()` is a high thing. Use `String()` or `Bytes()` on a branch
+to render a subtree, or use it on the root to print the whole tree.
+
+The utility will yield Unicode-friendly trees. The output is predictable and there is no platform-dependent exceptions, so if you have issues with displaying the tree in the console, all platform-related transformations can be done after the tree has been rendered: [an example](https://github.com/xlab/treeprint/issues/2#issuecomment-324944141) for Asian locales.
+
+## Use cases
+
+### When you want to render a complex data structure:
+
+```go
+func main() {
+    // to add a custom root name use `treeprint.NewWithRoot()` instead
+    tree := treeprint.New()
+
+    // create a new branch in the root
+    one := tree.AddBranch("one")
+
+    // add some nodes
+    one.AddNode("subnode1").AddNode("subnode2")
+
+    // create a new sub-branch
+    one.AddBranch("two").
+        AddNode("subnode1").AddNode("subnode2"). // add some nodes
+        AddBranch("three"). // add a new sub-branch
+        AddNode("subnode1").AddNode("subnode2") // add some nodes too
+
+    // add one more node that should surround the inner branch
+    one.AddNode("subnode3")
+
+    // add a new node to the root
+    tree.AddNode("outernode")
+
+    fmt.Println(tree.String())
+}
+```
+
+Will give you:
+
+```
+.
+├── one
+│   ├── subnode1
+│   ├── subnode2
+│   ├── two
+│   │   ├── subnode1
+│   │   ├── subnode2
+│   │   └── three
+│   │       ├── subnode1
+│   │       └── subnode2
+│   └── subnode3
+└── outernode
+```
+
+### Another case, when you have to make a tree where any leaf may have some meta-data (as `tree` is capable of it):
+
+```go
+func main {
+    // to add a custom root name use `treeprint.NewWithRoot()` instead
+    tree := treeprint.New()
+
+    tree.AddNode("Dockerfile")
+    tree.AddNode("Makefile")
+    tree.AddNode("aws.sh")
+    tree.AddMetaBranch(" 204", "bin").
+        AddNode("dbmaker").AddNode("someserver").AddNode("testtool")
+    tree.AddMetaBranch(" 374", "deploy").
+        AddNode("Makefile").AddNode("bootstrap.sh")
+    tree.AddMetaNode("122K", "testtool.a")
+
+    fmt.Println(tree.String())
+}
+```
+
+Output:
+
+```
+.
+├── Dockerfile
+├── Makefile
+├── aws.sh
+├── [ 204]  bin
+│   ├── dbmaker
+│   ├── someserver
+│   └── testtool
+├── [ 374]  deploy
+│   ├── Makefile
+│   └── bootstrap.sh
+└── [122K]  testtool.a
+```
+
+### Iterating over the tree nodes
+
+```go
+tree := New()
+
+one := tree.AddBranch("one")
+one.AddNode("one-subnode1").AddNode("one-subnode2")
+one.AddBranch("two").AddNode("two-subnode1").AddNode("two-subnode2").
+    AddBranch("three").AddNode("three-subnode1").AddNode("three-subnode2")
+tree.AddNode("outernode")
+
+// if you need to iterate over the whole tree
+// call `VisitAll` from your top root node.
+tree.VisitAll(func(item *node) {
+    if len(item.Nodes) > 0 {
+        // branch nodes
+        fmt.Println(item.Value) // will output one, two, three
+    } else {
+        // leaf nodes
+        fmt.Println(item.Value) // will output one-*, two-*, three-* and outernode
+    }
+})
+
+```
+Yay! So it works.
+
+## License
+MIT
diff --git a/vendor/github.com/xlab/treeprint/helpers.go b/vendor/github.com/xlab/treeprint/helpers.go
new file mode 100644
index 0000000000..a091a5a0f0
--- /dev/null
+++ b/vendor/github.com/xlab/treeprint/helpers.go
@@ -0,0 +1,47 @@
+package treeprint
+
+import (
+	"reflect"
+	"strings"
+)
+
+func isEmpty(v *reflect.Value) bool {
+	switch v.Kind() {
+	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
+		return v.Len() == 0
+	case reflect.Bool:
+		return !v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return v.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() == 0
+	case reflect.Interface, reflect.Ptr:
+		return v.IsNil()
+	}
+	return false
+}
+
+func tagSpec(tag string) (name string, omit bool) {
+	parts := strings.Split(tag, ",")
+	if len(parts) < 2 {
+		return tag, false
+	}
+	if parts[1] == "omitempty" {
+		return parts[0], true
+	}
+	return parts[0], false
+}
+
+func filterTags(tag reflect.StructTag) string {
+	tags := strings.Split(string(tag), " ")
+	filtered := make([]string, 0, len(tags))
+	for i := range tags {
+		if strings.HasPrefix(tags[i], "tree:") {
+			continue
+		}
+		filtered = append(filtered, tags[i])
+	}
+	return strings.Join(filtered, " ")
+}
diff --git a/vendor/github.com/xlab/treeprint/struct.go b/vendor/github.com/xlab/treeprint/struct.go
new file mode 100644
index 0000000000..4d5cc82540
--- /dev/null
+++ b/vendor/github.com/xlab/treeprint/struct.go
@@ -0,0 +1,322 @@
+package treeprint
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+)
+
+type StructTreeOption int
+
+const (
+	StructNameTree StructTreeOption = iota
+	StructValueTree
+	StructTagTree
+	StructTypeTree
+	StructTypeSizeTree
+)
+
+func FromStruct(v interface{}, opt ...StructTreeOption) (Tree, error) {
+	var treeOpt StructTreeOption
+	if len(opt) > 0 {
+		treeOpt = opt[0]
+	}
+	switch treeOpt {
+	case StructNameTree:
+		tree := New()
+		err := nameTree(tree, v)
+		return tree, err
+	case StructValueTree:
+		tree := New()
+		err := valueTree(tree, v)
+		return tree, err
+	case StructTagTree:
+		tree := New()
+		err := tagTree(tree, v)
+		return tree, err
+	case StructTypeTree:
+		tree := New()
+		err := typeTree(tree, v)
+		return tree, err
+	case StructTypeSizeTree:
+		tree := New()
+		err := typeSizeTree(tree, v)
+		return tree, err
+	default:
+		err := fmt.Errorf("treeprint: invalid StructTreeOption %v", treeOpt)
+		return nil, err
+	}
+}
+
+type FmtFunc func(name string, v interface{}) (string, bool)
+
+func FromStructWithMeta(v interface{}, fmtFunc FmtFunc) (Tree, error) {
+	if fmtFunc == nil {
+		tree := New()
+		err := nameTree(tree, v)
+		return tree, err
+	}
+	tree := New()
+	err := metaTree(tree, v, fmtFunc)
+	return tree, err
+}
+
+func Repr(v interface{}) string {
+	tree := New()
+	vType := reflect.TypeOf(v)
+	vValue := reflect.ValueOf(v)
+	_, val, isStruct := getValue(vType, &vValue)
+	if !isStruct {
+		return fmt.Sprintf("%+v", val.Interface())
+	}
+	err := valueTree(tree, val.Interface())
+	if err != nil {
+		return err.Error()
+	}
+	return tree.String()
+}
+
+func nameTree(tree Tree, v interface{}) error {
+	typ, val, err := checkType(v)
+	if err != nil {
+		return err
+	}
+	fields := typ.NumField()
+	for i := 0; i < fields; i++ {
+		field := typ.Field(i)
+		fieldValue := val.Field(i)
+		name, skip, omit := getMeta(field.Name, field.Tag)
+		if skip || omit && isEmpty(&fieldValue) {
+			continue
+		}
+		typ, val, isStruct := getValue(field.Type, &fieldValue)
+		if !isStruct {
+			tree.AddNode(name)
+			continue
+		} else if subNum := typ.NumField(); subNum == 0 {
+			tree.AddNode(name)
+			continue
+		}
+		branch := tree.AddBranch(name)
+		if err := nameTree(branch, val.Interface()); err != nil {
+			err := fmt.Errorf("%v on struct branch %s", err, name)
+			return err
+		}
+	}
+	return nil
+}
+
+func getMeta(fieldName string, tag reflect.StructTag) (name string, skip, omit bool) {
+	if tagStr := tag.Get("tree"); len(tagStr) > 0 {
+		name, omit = tagSpec(tagStr)
+	}
+	if name == "-" {
+		return fieldName, true, omit
+	}
+	if len(name) == 0 {
+		name = fieldName
+	} else if trimmed := strings.TrimSpace(name); len(trimmed) == 0 {
+		name = fieldName
+	}
+	return
+}
+
+func valueTree(tree Tree, v interface{}) error {
+	typ, val, err := checkType(v)
+	if err != nil {
+		return err
+	}
+	fields := typ.NumField()
+	for i := 0; i < fields; i++ {
+		field := typ.Field(i)
+		fieldValue := val.Field(i)
+		name, skip, omit := getMeta(field.Name, field.Tag)
+		if skip || omit && isEmpty(&fieldValue) {
+			continue
+		}
+		typ, val, isStruct := getValue(field.Type, &fieldValue)
+		if !isStruct {
+			tree.AddMetaNode(val.Interface(), name)
+			continue
+		} else if subNum := typ.NumField(); subNum == 0 {
+			tree.AddMetaNode(val.Interface(), name)
+			continue
+		}
+		branch := tree.AddBranch(name)
+		if err := valueTree(branch, val.Interface()); err != nil {
+			err := fmt.Errorf("%v on struct branch %s", err, name)
+			return err
+		}
+	}
+	return nil
+}
+
+func tagTree(tree Tree, v interface{}) error {
+	typ, val, err := checkType(v)
+	if err != nil {
+		return err
+	}
+	fields := typ.NumField()
+	for i := 0; i < fields; i++ {
+		field := typ.Field(i)
+		fieldValue := val.Field(i)
+		name, skip, omit := getMeta(field.Name, field.Tag)
+		if skip || omit && isEmpty(&fieldValue) {
+			continue
+		}
+		filteredTag := filterTags(field.Tag)
+		typ, val, isStruct := getValue(field.Type, &fieldValue)
+		if !isStruct {
+			tree.AddMetaNode(filteredTag, name)
+			continue
+		} else if subNum := typ.NumField(); subNum == 0 {
+			tree.AddMetaNode(filteredTag, name)
+			continue
+		}
+		branch := tree.AddMetaBranch(filteredTag, name)
+		if err := tagTree(branch, val.Interface()); err != nil {
+			err := fmt.Errorf("%v on struct branch %s", err, name)
+			return err
+		}
+	}
+	return nil
+}
+
+func typeTree(tree Tree, v interface{}) error {
+	typ, val, err := checkType(v)
+	if err != nil {
+		return err
+	}
+	fields := typ.NumField()
+	for i := 0; i < fields; i++ {
+		field := typ.Field(i)
+		fieldValue := val.Field(i)
+		name, skip, omit := getMeta(field.Name, field.Tag)
+		if skip || omit && isEmpty(&fieldValue) {
+			continue
+		}
+		typ, val, isStruct := getValue(field.Type, &fieldValue)
+		typename := fmt.Sprintf("%T", val.Interface())
+		if !isStruct {
+			tree.AddMetaNode(typename, name)
+			continue
+		} else if subNum := typ.NumField(); subNum == 0 {
+			tree.AddMetaNode(typename, name)
+			continue
+		}
+		branch := tree.AddMetaBranch(typename, name)
+		if err := typeTree(branch, val.Interface()); err != nil {
+			err := fmt.Errorf("%v on struct branch %s", err, name)
+			return err
+		}
+	}
+	return nil
+}
+
+func typeSizeTree(tree Tree, v interface{}) error {
+	typ, val, err := checkType(v)
+	if err != nil {
+		return err
+	}
+	fields := typ.NumField()
+	for i := 0; i < fields; i++ {
+		field := typ.Field(i)
+		fieldValue := val.Field(i)
+		name, skip, omit := getMeta(field.Name, field.Tag)
+		if skip || omit && isEmpty(&fieldValue) {
+			continue
+		}
+		typ, val, isStruct := getValue(field.Type, &fieldValue)
+		typesize := typ.Size()
+		if !isStruct {
+			tree.AddMetaNode(typesize, name)
+			continue
+		} else if subNum := typ.NumField(); subNum == 0 {
+			tree.AddMetaNode(typesize, name)
+			continue
+		}
+		branch := tree.AddMetaBranch(typesize, name)
+		if err := typeSizeTree(branch, val.Interface()); err != nil {
+			err := fmt.Errorf("%v on struct branch %s", err, name)
+			return err
+		}
+	}
+	return nil
+}
+
+func metaTree(tree Tree, v interface{}, fmtFunc FmtFunc) error {
+	typ, val, err := checkType(v)
+	if err != nil {
+		return err
+	}
+	fields := typ.NumField()
+	for i := 0; i < fields; i++ {
+		field := typ.Field(i)
+		fieldValue := val.Field(i)
+		name, skip, omit := getMeta(field.Name, field.Tag)
+		if skip || omit && isEmpty(&fieldValue) {
+			continue
+		}
+		typ, val, isStruct := getValue(field.Type, &fieldValue)
+		formatted, show := fmtFunc(name, val.Interface())
+		if !isStruct {
+			if show {
+				tree.AddMetaNode(formatted, name)
+				continue
+			}
+			tree.AddNode(name)
+			continue
+		} else if subNum := typ.NumField(); subNum == 0 {
+			if show {
+				tree.AddMetaNode(formatted, name)
+				continue
+			}
+			tree.AddNode(name)
+			continue
+		}
+		var branch Tree
+		if show {
+			branch = tree.AddMetaBranch(formatted, name)
+		} else {
+			branch = tree.AddBranch(name)
+		}
+		if err := metaTree(branch, val.Interface(), fmtFunc); err != nil {
+			err := fmt.Errorf("%v on struct branch %s", err, name)
+			return err
+		}
+	}
+	return nil
+}
+
+func getValue(typ reflect.Type, val *reflect.Value) (reflect.Type, *reflect.Value, bool) {
+	switch typ.Kind() {
+	case reflect.Ptr:
+		typ = typ.Elem()
+		if typ.Kind() == reflect.Struct {
+			elem := val.Elem()
+			return typ, &elem, true
+		}
+	case reflect.Struct:
+		return typ, val, true
+	}
+	return typ, val, false
+}
+
+func checkType(v interface{}) (reflect.Type, *reflect.Value, error) {
+	typ := reflect.TypeOf(v)
+	val := reflect.ValueOf(v)
+	switch typ.Kind() {
+	case reflect.Ptr:
+		typ = typ.Elem()
+		if typ.Kind() != reflect.Struct {
+			err := fmt.Errorf("treeprint: %T is not a struct we could work with", v)
+			return nil, nil, err
+		}
+		val = val.Elem()
+	case reflect.Struct:
+	default:
+		err := fmt.Errorf("treeprint: %T is not a struct we could work with", v)
+		return nil, nil, err
+	}
+	return typ, &val, nil
+}
diff --git a/vendor/github.com/xlab/treeprint/treeprint.go b/vendor/github.com/xlab/treeprint/treeprint.go
new file mode 100644
index 0000000000..fc8204b710
--- /dev/null
+++ b/vendor/github.com/xlab/treeprint/treeprint.go
@@ -0,0 +1,294 @@
+// Package treeprint provides a simple ASCII tree composing tool.
+package treeprint
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"reflect"
+	"strings"
+)
+
+// Value defines any value
+type Value interface{}
+
+// MetaValue defines any meta value
+type MetaValue interface{}
+
+// NodeVisitor function type for iterating over nodes
+type NodeVisitor func(item *Node)
+
+// Tree represents a tree structure with leaf-nodes and branch-nodes.
+type Tree interface {
+	// AddNode adds a new Node to a branch.
+	AddNode(v Value) Tree
+	// AddMetaNode adds a new Node with meta value provided to a branch.
+	AddMetaNode(meta MetaValue, v Value) Tree
+	// AddBranch adds a new branch Node (a level deeper).
+	AddBranch(v Value) Tree
+	// AddMetaBranch adds a new branch Node (a level deeper) with meta value provided.
+	AddMetaBranch(meta MetaValue, v Value) Tree
+	// Branch converts a leaf-Node to a branch-Node,
+	// applying this on a branch-Node does no effect.
+	Branch() Tree
+	// FindByMeta finds a Node whose meta value matches the provided one by reflect.DeepEqual,
+	// returns nil if not found.
+	FindByMeta(meta MetaValue) Tree
+	// FindByValue finds a Node whose value matches the provided one by reflect.DeepEqual,
+	// returns nil if not found.
+	FindByValue(value Value) Tree
+	//  returns the last Node of a tree
+	FindLastNode() Tree
+	// String renders the tree or subtree as a string.
+	String() string
+	// Bytes renders the tree or subtree as byteslice.
+	Bytes() []byte
+
+	SetValue(value Value)
+	SetMetaValue(meta MetaValue)
+
+	// VisitAll iterates over the tree, branches and nodes.
+	// If need to iterate over the whole tree, use the root Node.
+	// Note this method uses a breadth-first approach.
+	VisitAll(fn NodeVisitor)
+}
+
+type Node struct {
+	Root  *Node
+	Meta  MetaValue
+	Value Value
+	Nodes []*Node
+}
+
+func (n *Node) FindLastNode() Tree {
+	ns := n.Nodes
+	if len(ns) == 0 {
+		return nil
+	}
+	return ns[len(ns)-1]
+}
+
+func (n *Node) AddNode(v Value) Tree {
+	n.Nodes = append(n.Nodes, &Node{
+		Root:  n,
+		Value: v,
+	})
+	return n
+}
+
+func (n *Node) AddMetaNode(meta MetaValue, v Value) Tree {
+	n.Nodes = append(n.Nodes, &Node{
+		Root:  n,
+		Meta:  meta,
+		Value: v,
+	})
+	return n
+}
+
+func (n *Node) AddBranch(v Value) Tree {
+	branch := &Node{
+		Root:  n,
+		Value: v,
+	}
+	n.Nodes = append(n.Nodes, branch)
+	return branch
+}
+
+func (n *Node) AddMetaBranch(meta MetaValue, v Value) Tree {
+	branch := &Node{
+		Root:  n,
+		Meta:  meta,
+		Value: v,
+	}
+	n.Nodes = append(n.Nodes, branch)
+	return branch
+}
+
+func (n *Node) Branch() Tree {
+	n.Root = nil
+	return n
+}
+
+func (n *Node) FindByMeta(meta MetaValue) Tree {
+	for _, node := range n.Nodes {
+		if reflect.DeepEqual(node.Meta, meta) {
+			return node
+		}
+		if v := node.FindByMeta(meta); v != nil {
+			return v
+		}
+	}
+	return nil
+}
+
+func (n *Node) FindByValue(value Value) Tree {
+	for _, node := range n.Nodes {
+		if reflect.DeepEqual(node.Value, value) {
+			return node
+		}
+		if v := node.FindByMeta(value); v != nil {
+			return v
+		}
+	}
+	return nil
+}
+
+func (n *Node) Bytes() []byte {
+	buf := new(bytes.Buffer)
+	level := 0
+	var levelsEnded []int
+	if n.Root == nil {
+		if n.Meta != nil {
+			buf.WriteString(fmt.Sprintf("[%v]  %v", n.Meta, n.Value))
+		} else {
+			buf.WriteString(fmt.Sprintf("%v", n.Value))
+		}
+		buf.WriteByte('\n')
+	} else {
+		edge := EdgeTypeMid
+		if len(n.Nodes) == 0 {
+			edge = EdgeTypeEnd
+			levelsEnded = append(levelsEnded, level)
+		}
+		printValues(buf, 0, levelsEnded, edge, n)
+	}
+	if len(n.Nodes) > 0 {
+		printNodes(buf, level, levelsEnded, n.Nodes)
+	}
+	return buf.Bytes()
+}
+
+func (n *Node) String() string {
+	return string(n.Bytes())
+}
+
+func (n *Node) SetValue(value Value) {
+	n.Value = value
+}
+
+func (n *Node) SetMetaValue(meta MetaValue) {
+	n.Meta = meta
+}
+
+func (n *Node) VisitAll(fn NodeVisitor) {
+	for _, node := range n.Nodes {
+		fn(node)
+
+		if len(node.Nodes) > 0 {
+			node.VisitAll(fn)
+			continue
+		}
+	}
+}
+
+func printNodes(wr io.Writer,
+	level int, levelsEnded []int, nodes []*Node) {
+
+	for i, node := range nodes {
+		edge := EdgeTypeMid
+		if i == len(nodes)-1 {
+			levelsEnded = append(levelsEnded, level)
+			edge = EdgeTypeEnd
+		}
+		printValues(wr, level, levelsEnded, edge, node)
+		if len(node.Nodes) > 0 {
+			printNodes(wr, level+1, levelsEnded, node.Nodes)
+		}
+	}
+}
+
+func printValues(wr io.Writer,
+	level int, levelsEnded []int, edge EdgeType, node *Node) {
+
+	for i := 0; i < level; i++ {
+		if isEnded(levelsEnded, i) {
+			fmt.Fprint(wr, strings.Repeat(" ", IndentSize+1))
+			continue
+		}
+		fmt.Fprintf(wr, "%s%s", EdgeTypeLink, strings.Repeat(" ", IndentSize))
+	}
+
+	val := renderValue(level, node)
+	meta := node.Meta
+
+	if meta != nil {
+		fmt.Fprintf(wr, "%s [%v]  %v\n", edge, meta, val)
+		return
+	}
+	fmt.Fprintf(wr, "%s %v\n", edge, val)
+}
+
+func isEnded(levelsEnded []int, level int) bool {
+	for _, l := range levelsEnded {
+		if l == level {
+			return true
+		}
+	}
+	return false
+}
+
+func renderValue(level int, node *Node) Value {
+	lines := strings.Split(fmt.Sprintf("%v", node.Value), "\n")
+
+	// If value does not contain multiple lines, return itself.
+	if len(lines) < 2 {
+		return node.Value
+	}
+
+	// If value contains multiple lines,
+	// generate a padding and prefix each line with it.
+	pad := padding(level, node)
+
+	for i := 1; i < len(lines); i++ {
+		lines[i] = fmt.Sprintf("%s%s", pad, lines[i])
+	}
+
+	return strings.Join(lines, "\n")
+}
+
+// padding returns a padding for the multiline values with correctly placed link edges.
+// It is generated by traversing the tree upwards (from leaf to the root of the tree)
+// and, on each level, checking if the Node the last one of its siblings.
+// If a Node is the last one, the padding on that level should be empty (there's nothing to link to below it).
+// If a Node is not the last one, the padding on that level should be the link edge so the sibling below is correctly connected.
+func padding(level int, node *Node) string {
+	links := make([]string, level+1)
+
+	for node.Root != nil {
+		if isLast(node) {
+			links[level] = strings.Repeat(" ", IndentSize+1)
+		} else {
+			links[level] = fmt.Sprintf("%s%s", EdgeTypeLink, strings.Repeat(" ", IndentSize))
+		}
+		level--
+		node = node.Root
+	}
+
+	return strings.Join(links, "")
+}
+
+// isLast checks if the Node is the last one in the slice of its parent children
+func isLast(n *Node) bool {
+	return n == n.Root.FindLastNode()
+}
+
+type EdgeType string
+
+var (
+	EdgeTypeLink EdgeType = "│"
+	EdgeTypeMid  EdgeType = "├──"
+	EdgeTypeEnd  EdgeType = "└──"
+)
+
+// IndentSize is the number of spaces per tree level.
+var IndentSize = 3
+
+// New Generates new tree
+func New() Tree {
+	return &Node{Value: "."}
+}
+
+// NewWithRoot Generates new tree with the given root value
+func NewWithRoot(root Value) Tree {
+	return &Node{Value: root}
+}
diff --git a/vendor/go.opentelemetry.io/otel/LICENSE b/vendor/go.opentelemetry.io/otel/LICENSE
index 261eeb9e9f..f1aee0f110 100644
--- a/vendor/go.opentelemetry.io/otel/LICENSE
+++ b/vendor/go.opentelemetry.io/otel/LICENSE
@@ -199,3 +199,33 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+--------------------------------------------------------------------------------
+
+Copyright 2009 The Go Authors.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google LLC nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/vendor/go.opentelemetry.io/otel/attribute/encoder.go b/vendor/go.opentelemetry.io/otel/attribute/encoder.go
index 318e42fcab..6333d34b31 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/encoder.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/encoder.go
@@ -78,7 +78,7 @@ func DefaultEncoder() Encoder {
 	defaultEncoderOnce.Do(func() {
 		defaultEncoderInstance = &defaultAttrEncoder{
 			pool: sync.Pool{
-				New: func() interface{} {
+				New: func() any {
 					return &bytes.Buffer{}
 				},
 			},
@@ -96,11 +96,11 @@ func (d *defaultAttrEncoder) Encode(iter Iterator) string {
 	for iter.Next() {
 		i, keyValue := iter.IndexedAttribute()
 		if i > 0 {
-			_, _ = buf.WriteRune(',')
+			_ = buf.WriteByte(',')
 		}
 		copyAndEscape(buf, string(keyValue.Key))
 
-		_, _ = buf.WriteRune('=')
+		_ = buf.WriteByte('=')
 
 		if keyValue.Value.Type() == STRING {
 			copyAndEscape(buf, keyValue.Value.AsString())
@@ -122,14 +122,14 @@ func copyAndEscape(buf *bytes.Buffer, val string) {
 	for _, ch := range val {
 		switch ch {
 		case '=', ',', escapeChar:
-			_, _ = buf.WriteRune(escapeChar)
+			_ = buf.WriteByte(escapeChar)
 		}
 		_, _ = buf.WriteRune(ch)
 	}
 }
 
-// Valid returns true if this encoder ID was allocated by
-// `NewEncoderID`.  Invalid encoder IDs will not be cached.
+// Valid reports whether this encoder ID was allocated by
+// [NewEncoderID]. Invalid encoder IDs will not be cached.
 func (id EncoderID) Valid() bool {
 	return id.value != 0
 }
diff --git a/vendor/go.opentelemetry.io/otel/attribute/filter.go b/vendor/go.opentelemetry.io/otel/attribute/filter.go
index 3eeaa5d442..624ebbe381 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/filter.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/filter.go
@@ -15,8 +15,8 @@ type Filter func(KeyValue) bool
 //
 // If keys is empty a deny-all filter is returned.
 func NewAllowKeysFilter(keys ...Key) Filter {
-	if len(keys) <= 0 {
-		return func(kv KeyValue) bool { return false }
+	if len(keys) == 0 {
+		return func(KeyValue) bool { return false }
 	}
 
 	allowed := make(map[Key]struct{}, len(keys))
@@ -34,8 +34,8 @@ func NewAllowKeysFilter(keys ...Key) Filter {
 //
 // If keys is empty an allow-all filter is returned.
 func NewDenyKeysFilter(keys ...Key) Filter {
-	if len(keys) <= 0 {
-		return func(kv KeyValue) bool { return true }
+	if len(keys) == 0 {
+		return func(KeyValue) bool { return true }
 	}
 
 	forbid := make(map[Key]struct{}, len(keys))
diff --git a/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go b/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
index b76d2bbfdb..0875504302 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
@@ -12,7 +12,7 @@ import (
 )
 
 // BoolSliceValue converts a bool slice into an array with same elements as slice.
-func BoolSliceValue(v []bool) interface{} {
+func BoolSliceValue(v []bool) any {
 	var zero bool
 	cp := reflect.New(reflect.ArrayOf(len(v), reflect.TypeOf(zero))).Elem()
 	reflect.Copy(cp, reflect.ValueOf(v))
@@ -20,7 +20,7 @@ func BoolSliceValue(v []bool) interface{} {
 }
 
 // Int64SliceValue converts an int64 slice into an array with same elements as slice.
-func Int64SliceValue(v []int64) interface{} {
+func Int64SliceValue(v []int64) any {
 	var zero int64
 	cp := reflect.New(reflect.ArrayOf(len(v), reflect.TypeOf(zero))).Elem()
 	reflect.Copy(cp, reflect.ValueOf(v))
@@ -28,7 +28,7 @@ func Int64SliceValue(v []int64) interface{} {
 }
 
 // Float64SliceValue converts a float64 slice into an array with same elements as slice.
-func Float64SliceValue(v []float64) interface{} {
+func Float64SliceValue(v []float64) any {
 	var zero float64
 	cp := reflect.New(reflect.ArrayOf(len(v), reflect.TypeOf(zero))).Elem()
 	reflect.Copy(cp, reflect.ValueOf(v))
@@ -36,7 +36,7 @@ func Float64SliceValue(v []float64) interface{} {
 }
 
 // StringSliceValue converts a string slice into an array with same elements as slice.
-func StringSliceValue(v []string) interface{} {
+func StringSliceValue(v []string) any {
 	var zero string
 	cp := reflect.New(reflect.ArrayOf(len(v), reflect.TypeOf(zero))).Elem()
 	reflect.Copy(cp, reflect.ValueOf(v))
@@ -44,7 +44,7 @@ func StringSliceValue(v []string) interface{} {
 }
 
 // AsBoolSlice converts a bool array into a slice into with same elements as array.
-func AsBoolSlice(v interface{}) []bool {
+func AsBoolSlice(v any) []bool {
 	rv := reflect.ValueOf(v)
 	if rv.Type().Kind() != reflect.Array {
 		return nil
@@ -57,7 +57,7 @@ func AsBoolSlice(v interface{}) []bool {
 }
 
 // AsInt64Slice converts an int64 array into a slice into with same elements as array.
-func AsInt64Slice(v interface{}) []int64 {
+func AsInt64Slice(v any) []int64 {
 	rv := reflect.ValueOf(v)
 	if rv.Type().Kind() != reflect.Array {
 		return nil
@@ -70,7 +70,7 @@ func AsInt64Slice(v interface{}) []int64 {
 }
 
 // AsFloat64Slice converts a float64 array into a slice into with same elements as array.
-func AsFloat64Slice(v interface{}) []float64 {
+func AsFloat64Slice(v any) []float64 {
 	rv := reflect.ValueOf(v)
 	if rv.Type().Kind() != reflect.Array {
 		return nil
@@ -83,7 +83,7 @@ func AsFloat64Slice(v interface{}) []float64 {
 }
 
 // AsStringSlice converts a string array into a slice into with same elements as array.
-func AsStringSlice(v interface{}) []string {
+func AsStringSlice(v any) []string {
 	rv := reflect.ValueOf(v)
 	if rv.Type().Kind() != reflect.Array {
 		return nil
diff --git a/vendor/go.opentelemetry.io/otel/attribute/iterator.go b/vendor/go.opentelemetry.io/otel/attribute/iterator.go
index f2ba89ce4b..8df6249f02 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/iterator.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/iterator.go
@@ -25,8 +25,8 @@ type oneIterator struct {
 	attr KeyValue
 }
 
-// Next moves the iterator to the next position. Returns false if there are no
-// more attributes.
+// Next moves the iterator to the next position.
+// Next reports whether there are more attributes.
 func (i *Iterator) Next() bool {
 	i.idx++
 	return i.idx < i.Len()
@@ -106,7 +106,8 @@ func (oi *oneIterator) advance() {
 	}
 }
 
-// Next returns true if there is another attribute available.
+// Next moves the iterator to the next position.
+// Next reports whether there is another attribute available.
 func (m *MergeIterator) Next() bool {
 	if m.one.done && m.two.done {
 		return false
diff --git a/vendor/go.opentelemetry.io/otel/attribute/key.go b/vendor/go.opentelemetry.io/otel/attribute/key.go
index d9a22c6502..80a9e5643f 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/key.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/key.go
@@ -117,7 +117,7 @@ func (k Key) StringSlice(v []string) KeyValue {
 	}
 }
 
-// Defined returns true for non-empty keys.
+// Defined reports whether the key is not empty.
 func (k Key) Defined() bool {
 	return len(k) != 0
 }
diff --git a/vendor/go.opentelemetry.io/otel/attribute/kv.go b/vendor/go.opentelemetry.io/otel/attribute/kv.go
index 3028f9a40f..8c6928ca79 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/kv.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/kv.go
@@ -13,7 +13,7 @@ type KeyValue struct {
 	Value Value
 }
 
-// Valid returns if kv is a valid OpenTelemetry attribute.
+// Valid reports whether kv is a valid OpenTelemetry attribute.
 func (kv KeyValue) Valid() bool {
 	return kv.Key.Defined() && kv.Value.Type() != INVALID
 }
diff --git a/vendor/go.opentelemetry.io/otel/attribute/set.go b/vendor/go.opentelemetry.io/otel/attribute/set.go
index 6cbefceadf..64735d382e 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/set.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/set.go
@@ -31,11 +31,11 @@ type (
 
 	// Distinct is a unique identifier of a Set.
 	//
-	// Distinct is designed to be ensures equivalence stability: comparisons
-	// will return the save value across versions. For this reason, Distinct
-	// should always be used as a map key instead of a Set.
+	// Distinct is designed to ensure equivalence stability: comparisons will
+	// return the same value across versions. For this reason, Distinct should
+	// always be used as a map key instead of a Set.
 	Distinct struct {
-		iface interface{}
+		iface any
 	}
 
 	// Sortable implements sort.Interface, used for sorting KeyValue.
@@ -70,7 +70,7 @@ func (d Distinct) reflectValue() reflect.Value {
 	return reflect.ValueOf(d.iface)
 }
 
-// Valid returns true if this value refers to a valid Set.
+// Valid reports whether this value refers to a valid Set.
 func (d Distinct) Valid() bool {
 	return d.iface != nil
 }
@@ -120,7 +120,7 @@ func (l *Set) Value(k Key) (Value, bool) {
 	return Value{}, false
 }
 
-// HasValue tests whether a key is defined in this set.
+// HasValue reports whether a key is defined in this set.
 func (l *Set) HasValue(k Key) bool {
 	if l == nil {
 		return false
@@ -155,7 +155,7 @@ func (l *Set) Equivalent() Distinct {
 	return l.equivalent
 }
 
-// Equals returns true if the argument set is equivalent to this set.
+// Equals reports whether the argument set is equivalent to this set.
 func (l *Set) Equals(o *Set) bool {
 	return l.Equivalent() == o.Equivalent()
 }
@@ -344,7 +344,7 @@ func computeDistinct(kvs []KeyValue) Distinct {
 
 // computeDistinctFixed computes a Distinct for small slices. It returns nil
 // if the input is too large for this code path.
-func computeDistinctFixed(kvs []KeyValue) interface{} {
+func computeDistinctFixed(kvs []KeyValue) any {
 	switch len(kvs) {
 	case 1:
 		return [1]KeyValue(kvs)
@@ -373,7 +373,7 @@ func computeDistinctFixed(kvs []KeyValue) interface{} {
 
 // computeDistinctReflect computes a Distinct using reflection, works for any
 // size input.
-func computeDistinctReflect(kvs []KeyValue) interface{} {
+func computeDistinctReflect(kvs []KeyValue) any {
 	at := reflect.New(reflect.ArrayOf(len(kvs), keyValueType)).Elem()
 	for i, keyValue := range kvs {
 		*(at.Index(i).Addr().Interface().(*KeyValue)) = keyValue
@@ -387,7 +387,7 @@ func (l *Set) MarshalJSON() ([]byte, error) {
 }
 
 // MarshalLog is the marshaling function used by the logging system to represent this Set.
-func (l Set) MarshalLog() interface{} {
+func (l Set) MarshalLog() any {
 	kvs := make(map[string]string)
 	for _, kv := range l.ToSlice() {
 		kvs[string(kv.Key)] = kv.Value.Emit()
diff --git a/vendor/go.opentelemetry.io/otel/attribute/value.go b/vendor/go.opentelemetry.io/otel/attribute/value.go
index 817eecacf1..653c33a861 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/value.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/value.go
@@ -22,7 +22,7 @@ type Value struct {
 	vtype    Type
 	numeric  uint64
 	stringly string
-	slice    interface{}
+	slice    any
 }
 
 const (
@@ -199,8 +199,8 @@ func (v Value) asStringSlice() []string {
 
 type unknownValueType struct{}
 
-// AsInterface returns Value's data as interface{}.
-func (v Value) AsInterface() interface{} {
+// AsInterface returns Value's data as any.
+func (v Value) AsInterface() any {
 	switch v.Type() {
 	case BOOL:
 		return v.AsBool()
@@ -262,7 +262,7 @@ func (v Value) Emit() string {
 func (v Value) MarshalJSON() ([]byte, error) {
 	var jsonVal struct {
 		Type  string
-		Value interface{}
+		Value any
 	}
 	jsonVal.Type = v.Type().String()
 	jsonVal.Value = v.AsInterface()
diff --git a/vendor/go.opentelemetry.io/otel/codes/codes.go b/vendor/go.opentelemetry.io/otel/codes/codes.go
index 49a35b1225..d48847ed86 100644
--- a/vendor/go.opentelemetry.io/otel/codes/codes.go
+++ b/vendor/go.opentelemetry.io/otel/codes/codes.go
@@ -67,7 +67,7 @@ func (c *Code) UnmarshalJSON(b []byte) error {
 		return errors.New("nil receiver passed to UnmarshalJSON")
 	}
 
-	var x interface{}
+	var x any
 	if err := json.Unmarshal(b, &x); err != nil {
 		return err
 	}
@@ -102,5 +102,5 @@ func (c *Code) MarshalJSON() ([]byte, error) {
 	if !ok {
 		return nil, fmt.Errorf("invalid code: %d", *c)
 	}
-	return []byte(fmt.Sprintf("%q", str)), nil
+	return fmt.Appendf(nil, "%q", str), nil
 }
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md
deleted file mode 100644
index 02b56115e3..0000000000
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/MIGRATION.md
+++ /dev/null
@@ -1,4 +0,0 @@
-<!-- Generated. DO NOT MODIFY. -->
-# Migration from v1.33.0 to v1.34.0
-
-The `go.opentelemetry.io/otel/semconv/v1.34.0` package should be a drop-in replacement for `go.opentelemetry.io/otel/semconv/v1.33.0`.
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md b/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md
deleted file mode 100644
index fab06c9752..0000000000
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Semconv v1.34.0
-
-[![PkgGoDev](https://pkg.go.dev/badge/go.opentelemetry.io/otel/semconv/v1.34.0)](https://pkg.go.dev/go.opentelemetry.io/otel/semconv/v1.34.0)
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md
new file mode 100644
index 0000000000..2480547895
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/MIGRATION.md
@@ -0,0 +1,41 @@
+<!-- Generated. DO NOT MODIFY. -->
+# Migration from v1.36.0 to v1.37.0
+
+The `go.opentelemetry.io/otel/semconv/v1.37.0` package should be a drop-in replacement for `go.opentelemetry.io/otel/semconv/v1.36.0` with the following exceptions.
+
+## Removed
+
+The following declarations have been removed.
+Refer to the [OpenTelemetry Semantic Conventions documentation] for deprecation instructions.
+
+If the type is not listed in the documentation as deprecated, it has been removed in this version due to lack of applicability or use.
+If you use any of these non-deprecated declarations in your Go application, please [open an issue] describing your use-case.
+
+- `ContainerRuntime`
+- `ContainerRuntimeKey`
+- `GenAIOpenAIRequestServiceTierAuto`
+- `GenAIOpenAIRequestServiceTierDefault`
+- `GenAIOpenAIRequestServiceTierKey`
+- `GenAIOpenAIResponseServiceTier`
+- `GenAIOpenAIResponseServiceTierKey`
+- `GenAIOpenAIResponseSystemFingerprint`
+- `GenAIOpenAIResponseSystemFingerprintKey`
+- `GenAISystemAWSBedrock`
+- `GenAISystemAnthropic`
+- `GenAISystemAzureAIInference`
+- `GenAISystemAzureAIOpenAI`
+- `GenAISystemCohere`
+- `GenAISystemDeepseek`
+- `GenAISystemGCPGemini`
+- `GenAISystemGCPGenAI`
+- `GenAISystemGCPVertexAI`
+- `GenAISystemGroq`
+- `GenAISystemIBMWatsonxAI`
+- `GenAISystemKey`
+- `GenAISystemMistralAI`
+- `GenAISystemOpenAI`
+- `GenAISystemPerplexity`
+- `GenAISystemXai`
+
+[OpenTelemetry Semantic Conventions documentation]: https://github.com/open-telemetry/semantic-conventions
+[open an issue]: https://github.com/open-telemetry/opentelemetry-go/issues/new?template=Blank+issue
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md
new file mode 100644
index 0000000000..d795247f32
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/README.md
@@ -0,0 +1,3 @@
+# Semconv v1.37.0
+
+[![PkgGoDev](https://pkg.go.dev/badge/go.opentelemetry.io/otel/semconv/v1.37.0)](https://pkg.go.dev/go.opentelemetry.io/otel/semconv/v1.37.0)
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go
similarity index 89%
rename from vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go
rename to vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go
index 5b56662573..b6b27498f2 100644
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/attribute_group.go
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/attribute_group.go
@@ -3,7 +3,7 @@
 
 // Code generated from semantic convention specification. DO NOT EDIT.
 
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.34.0"
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.37.0"
 
 import "go.opentelemetry.io/otel/attribute"
 
@@ -28,7 +28,8 @@ const (
 	// AndroidOSAPILevelKey is the attribute Key conforming to the
 	// "android.os.api_level" semantic conventions. It represents the uniquely
 	// identifies the framework API revision offered by a version (`os.version`) of
-	// the android operating system. More information can be found [here].
+	// the android operating system. More information can be found in the
+	// [Android API levels documentation].
 	//
 	// Type: string
 	// RequirementLevel: Recommended
@@ -36,16 +37,17 @@ const (
 	//
 	// Examples: "33", "32"
 	//
-	// [here]: https://developer.android.com/guide/topics/manifest/uses-sdk-element#ApiLevels
+	// [Android API levels documentation]: https://developer.android.com/guide/topics/manifest/uses-sdk-element#ApiLevels
 	AndroidOSAPILevelKey = attribute.Key("android.os.api_level")
 )
 
 // AndroidOSAPILevel returns an attribute KeyValue conforming to the
 // "android.os.api_level" semantic conventions. It represents the uniquely
 // identifies the framework API revision offered by a version (`os.version`) of
-// the android operating system. More information can be found [here].
+// the android operating system. More information can be found in the
+// [Android API levels documentation].
 //
-// [here]: https://developer.android.com/guide/topics/manifest/uses-sdk-element#ApiLevels
+// [Android API levels documentation]: https://developer.android.com/guide/topics/manifest/uses-sdk-element#ApiLevels
 func AndroidOSAPILevel(val string) attribute.KeyValue {
 	return AndroidOSAPILevelKey.String(val)
 }
@@ -73,6 +75,18 @@ var (
 
 // Namespace: app
 const (
+	// AppBuildIDKey is the attribute Key conforming to the "app.build_id" semantic
+	// conventions. It represents the unique identifier for a particular build or
+	// compilation of the application.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "6cff0a7e-cefc-4668-96f5-1273d8b334d0",
+	// "9f2b833506aa6973a92fde9733e6271f", "my-app-1.0.0-code-123"
+	AppBuildIDKey = attribute.Key("app.build_id")
+
 	// AppInstallationIDKey is the attribute Key conforming to the
 	// "app.installation.id" semantic conventions. It represents a unique identifier
 	// representing the installation of an application on a specific device.
@@ -106,16 +120,51 @@ const (
 	//   - [App set ID].
 	//   - [`Settings.getString(Settings.Secure.ANDROID_ID)`].
 	//
-	// More information about Android identifier best practices can be found [here]
-	// .
+	// More information about Android identifier best practices can be found in the
+	// [Android user data IDs guide].
 	//
 	// [vendor identifier]: https://developer.apple.com/documentation/uikit/uidevice/identifierforvendor
 	// [Firebase Installation ID]: https://firebase.google.com/docs/projects/manage-installations
 	// [App set ID]: https://developer.android.com/identity/app-set-id
 	// [`Settings.getString(Settings.Secure.ANDROID_ID)`]: https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID
-	// [here]: https://developer.android.com/training/articles/user-data-ids
+	// [Android user data IDs guide]: https://developer.android.com/training/articles/user-data-ids
 	AppInstallationIDKey = attribute.Key("app.installation.id")
 
+	// AppJankFrameCountKey is the attribute Key conforming to the
+	// "app.jank.frame_count" semantic conventions. It represents a number of frame
+	// renders that experienced jank.
+	//
+	// Type: int
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 9, 42
+	// Note: Depending on platform limitations, the value provided MAY be
+	// approximation.
+	AppJankFrameCountKey = attribute.Key("app.jank.frame_count")
+
+	// AppJankPeriodKey is the attribute Key conforming to the "app.jank.period"
+	// semantic conventions. It represents the time period, in seconds, for which
+	// this jank is being reported.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1.0, 5.0, 10.24
+	AppJankPeriodKey = attribute.Key("app.jank.period")
+
+	// AppJankThresholdKey is the attribute Key conforming to the
+	// "app.jank.threshold" semantic conventions. It represents the minimum
+	// rendering threshold for this jank, in seconds.
+	//
+	// Type: double
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 0.016, 0.7, 1.024
+	AppJankThresholdKey = attribute.Key("app.jank.threshold")
+
 	// AppScreenCoordinateXKey is the attribute Key conforming to the
 	// "app.screen.coordinate.x" semantic conventions. It represents the x
 	// (horizontal) coordinate of a screen coordinate, in screen pixels.
@@ -164,6 +213,13 @@ const (
 	AppWidgetNameKey = attribute.Key("app.widget.name")
 )
 
+// AppBuildID returns an attribute KeyValue conforming to the "app.build_id"
+// semantic conventions. It represents the unique identifier for a particular
+// build or compilation of the application.
+func AppBuildID(val string) attribute.KeyValue {
+	return AppBuildIDKey.String(val)
+}
+
 // AppInstallationID returns an attribute KeyValue conforming to the
 // "app.installation.id" semantic conventions. It represents a unique identifier
 // representing the installation of an application on a specific device.
@@ -171,6 +227,27 @@ func AppInstallationID(val string) attribute.KeyValue {
 	return AppInstallationIDKey.String(val)
 }
 
+// AppJankFrameCount returns an attribute KeyValue conforming to the
+// "app.jank.frame_count" semantic conventions. It represents a number of frame
+// renders that experienced jank.
+func AppJankFrameCount(val int) attribute.KeyValue {
+	return AppJankFrameCountKey.Int(val)
+}
+
+// AppJankPeriod returns an attribute KeyValue conforming to the
+// "app.jank.period" semantic conventions. It represents the time period, in
+// seconds, for which this jank is being reported.
+func AppJankPeriod(val float64) attribute.KeyValue {
+	return AppJankPeriodKey.Float64(val)
+}
+
+// AppJankThreshold returns an attribute KeyValue conforming to the
+// "app.jank.threshold" semantic conventions. It represents the minimum rendering
+// threshold for this jank, in seconds.
+func AppJankThreshold(val float64) attribute.KeyValue {
+	return AppJankThresholdKey.Float64(val)
+}
+
 // AppScreenCoordinateX returns an attribute KeyValue conforming to the
 // "app.screen.coordinate.x" semantic conventions. It represents the x
 // (horizontal) coordinate of a screen coordinate, in screen pixels.
@@ -1525,59 +1602,14 @@ func AWSStepFunctionsStateMachineARN(val string) attribute.KeyValue {
 
 // Enum values for aws.ecs.launchtype
 var (
-	// ec2
+	// Amazon EC2
 	// Stability: development
 	AWSECSLaunchtypeEC2 = AWSECSLaunchtypeKey.String("ec2")
-	// fargate
+	// Amazon Fargate
 	// Stability: development
 	AWSECSLaunchtypeFargate = AWSECSLaunchtypeKey.String("fargate")
 )
 
-// Namespace: az
-const (
-	// AzNamespaceKey is the attribute Key conforming to the "az.namespace" semantic
-	// conventions. It represents the [Azure Resource Provider Namespace] as
-	// recognized by the client.
-	//
-	// Type: string
-	// RequirementLevel: Recommended
-	// Stability: Development
-	//
-	// Examples: "Microsoft.Storage", "Microsoft.KeyVault", "Microsoft.ServiceBus"
-	//
-	// [Azure Resource Provider Namespace]: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers
-	AzNamespaceKey = attribute.Key("az.namespace")
-
-	// AzServiceRequestIDKey is the attribute Key conforming to the
-	// "az.service_request_id" semantic conventions. It represents the unique
-	// identifier of the service request. It's generated by the Azure service and
-	// returned with the response.
-	//
-	// Type: string
-	// RequirementLevel: Recommended
-	// Stability: Development
-	//
-	// Examples: "00000000-0000-0000-0000-000000000000"
-	AzServiceRequestIDKey = attribute.Key("az.service_request_id")
-)
-
-// AzNamespace returns an attribute KeyValue conforming to the "az.namespace"
-// semantic conventions. It represents the [Azure Resource Provider Namespace] as
-// recognized by the client.
-//
-// [Azure Resource Provider Namespace]: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers
-func AzNamespace(val string) attribute.KeyValue {
-	return AzNamespaceKey.String(val)
-}
-
-// AzServiceRequestID returns an attribute KeyValue conforming to the
-// "az.service_request_id" semantic conventions. It represents the unique
-// identifier of the service request. It's generated by the Azure service and
-// returned with the response.
-func AzServiceRequestID(val string) attribute.KeyValue {
-	return AzServiceRequestIDKey.String(val)
-}
-
 // Namespace: azure
 const (
 	// AzureClientIDKey is the attribute Key conforming to the "azure.client.id"
@@ -1665,6 +1697,31 @@ const (
 	//
 	// Examples: 1000, 1002
 	AzureCosmosDBResponseSubStatusCodeKey = attribute.Key("azure.cosmosdb.response.sub_status_code")
+
+	// AzureResourceProviderNamespaceKey is the attribute Key conforming to the
+	// "azure.resource_provider.namespace" semantic conventions. It represents the
+	// [Azure Resource Provider Namespace] as recognized by the client.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Microsoft.Storage", "Microsoft.KeyVault", "Microsoft.ServiceBus"
+	//
+	// [Azure Resource Provider Namespace]: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers
+	AzureResourceProviderNamespaceKey = attribute.Key("azure.resource_provider.namespace")
+
+	// AzureServiceRequestIDKey is the attribute Key conforming to the
+	// "azure.service.request.id" semantic conventions. It represents the unique
+	// identifier of the service request. It's generated by the Azure service and
+	// returned with the response.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "00000000-0000-0000-0000-000000000000"
+	AzureServiceRequestIDKey = attribute.Key("azure.service.request.id")
 )
 
 // AzureClientID returns an attribute KeyValue conforming to the
@@ -1705,6 +1762,23 @@ func AzureCosmosDBResponseSubStatusCode(val int) attribute.KeyValue {
 	return AzureCosmosDBResponseSubStatusCodeKey.Int(val)
 }
 
+// AzureResourceProviderNamespace returns an attribute KeyValue conforming to the
+// "azure.resource_provider.namespace" semantic conventions. It represents the
+// [Azure Resource Provider Namespace] as recognized by the client.
+//
+// [Azure Resource Provider Namespace]: https://learn.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers
+func AzureResourceProviderNamespace(val string) attribute.KeyValue {
+	return AzureResourceProviderNamespaceKey.String(val)
+}
+
+// AzureServiceRequestID returns an attribute KeyValue conforming to the
+// "azure.service.request.id" semantic conventions. It represents the unique
+// identifier of the service request. It's generated by the Azure service and
+// returned with the response.
+func AzureServiceRequestID(val string) attribute.KeyValue {
+	return AzureServiceRequestIDKey.String(val)
+}
+
 // Enum values for azure.cosmosdb.connection.mode
 var (
 	// Gateway (HTTP) connection.
@@ -1717,19 +1791,19 @@ var (
 
 // Enum values for azure.cosmosdb.consistency.level
 var (
-	// strong
+	// Strong
 	// Stability: development
 	AzureCosmosDBConsistencyLevelStrong = AzureCosmosDBConsistencyLevelKey.String("Strong")
-	// bounded_staleness
+	// Bounded Staleness
 	// Stability: development
 	AzureCosmosDBConsistencyLevelBoundedStaleness = AzureCosmosDBConsistencyLevelKey.String("BoundedStaleness")
-	// session
+	// Session
 	// Stability: development
 	AzureCosmosDBConsistencyLevelSession = AzureCosmosDBConsistencyLevelKey.String("Session")
-	// eventual
+	// Eventual
 	// Stability: development
 	AzureCosmosDBConsistencyLevelEventual = AzureCosmosDBConsistencyLevelKey.String("Eventual")
-	// consistent_prefix
+	// Consistent Prefix
 	// Stability: development
 	AzureCosmosDBConsistencyLevelConsistentPrefix = AzureCosmosDBConsistencyLevelKey.String("ConsistentPrefix")
 )
@@ -1944,37 +2018,37 @@ func CassandraSpeculativeExecutionCount(val int) attribute.KeyValue {
 
 // Enum values for cassandra.consistency.level
 var (
-	// all
+	// All
 	// Stability: development
 	CassandraConsistencyLevelAll = CassandraConsistencyLevelKey.String("all")
-	// each_quorum
+	// Each Quorum
 	// Stability: development
 	CassandraConsistencyLevelEachQuorum = CassandraConsistencyLevelKey.String("each_quorum")
-	// quorum
+	// Quorum
 	// Stability: development
 	CassandraConsistencyLevelQuorum = CassandraConsistencyLevelKey.String("quorum")
-	// local_quorum
+	// Local Quorum
 	// Stability: development
 	CassandraConsistencyLevelLocalQuorum = CassandraConsistencyLevelKey.String("local_quorum")
-	// one
+	// One
 	// Stability: development
 	CassandraConsistencyLevelOne = CassandraConsistencyLevelKey.String("one")
-	// two
+	// Two
 	// Stability: development
 	CassandraConsistencyLevelTwo = CassandraConsistencyLevelKey.String("two")
-	// three
+	// Three
 	// Stability: development
 	CassandraConsistencyLevelThree = CassandraConsistencyLevelKey.String("three")
-	// local_one
+	// Local One
 	// Stability: development
 	CassandraConsistencyLevelLocalOne = CassandraConsistencyLevelKey.String("local_one")
-	// any
+	// Any
 	// Stability: development
 	CassandraConsistencyLevelAny = CassandraConsistencyLevelKey.String("any")
-	// serial
+	// Serial
 	// Stability: development
 	CassandraConsistencyLevelSerial = CassandraConsistencyLevelKey.String("serial")
-	// local_serial
+	// Local Serial
 	// Stability: development
 	CassandraConsistencyLevelLocalSerial = CassandraConsistencyLevelKey.String("local_serial")
 )
@@ -2527,7 +2601,7 @@ const (
 	// [ARN]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	// [alias suffix]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html
 	// [URI of the resource]: https://cloud.google.com/iam/docs/full-resource-names
-	// [Fully Qualified Resource ID]: https://docs.microsoft.com/rest/api/resources/resources/get-by-id
+	// [Fully Qualified Resource ID]: https://learn.microsoft.com/rest/api/resources/resources/get-by-id
 	CloudResourceIDKey = attribute.Key("cloud.resource_id")
 )
 
@@ -2604,25 +2678,25 @@ var (
 	CloudPlatformAWSOpenShift = CloudPlatformKey.String("aws_openshift")
 	// Azure Virtual Machines
 	// Stability: development
-	CloudPlatformAzureVM = CloudPlatformKey.String("azure_vm")
+	CloudPlatformAzureVM = CloudPlatformKey.String("azure.vm")
 	// Azure Container Apps
 	// Stability: development
-	CloudPlatformAzureContainerApps = CloudPlatformKey.String("azure_container_apps")
+	CloudPlatformAzureContainerApps = CloudPlatformKey.String("azure.container_apps")
 	// Azure Container Instances
 	// Stability: development
-	CloudPlatformAzureContainerInstances = CloudPlatformKey.String("azure_container_instances")
+	CloudPlatformAzureContainerInstances = CloudPlatformKey.String("azure.container_instances")
 	// Azure Kubernetes Service
 	// Stability: development
-	CloudPlatformAzureAKS = CloudPlatformKey.String("azure_aks")
+	CloudPlatformAzureAKS = CloudPlatformKey.String("azure.aks")
 	// Azure Functions
 	// Stability: development
-	CloudPlatformAzureFunctions = CloudPlatformKey.String("azure_functions")
+	CloudPlatformAzureFunctions = CloudPlatformKey.String("azure.functions")
 	// Azure App Service
 	// Stability: development
-	CloudPlatformAzureAppService = CloudPlatformKey.String("azure_app_service")
+	CloudPlatformAzureAppService = CloudPlatformKey.String("azure.app_service")
 	// Azure Red Hat OpenShift
 	// Stability: development
-	CloudPlatformAzureOpenShift = CloudPlatformKey.String("azure_openshift")
+	CloudPlatformAzureOpenShift = CloudPlatformKey.String("azure.openshift")
 	// Google Bare Metal Solution (BMS)
 	// Stability: development
 	CloudPlatformGCPBareMetalSolution = CloudPlatformKey.String("gcp_bare_metal_solution")
@@ -3374,16 +3448,40 @@ const (
 	// Examples: "opentelemetry-autoconf"
 	ContainerNameKey = attribute.Key("container.name")
 
-	// ContainerRuntimeKey is the attribute Key conforming to the
-	// "container.runtime" semantic conventions. It represents the container runtime
-	// managing this container.
+	// ContainerRuntimeDescriptionKey is the attribute Key conforming to the
+	// "container.runtime.description" semantic conventions. It represents a
+	// description about the runtime which could include, for example details about
+	// the CRI/API version being used or other customisations.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "docker://19.3.1 - CRI: 1.22.0"
+	ContainerRuntimeDescriptionKey = attribute.Key("container.runtime.description")
+
+	// ContainerRuntimeNameKey is the attribute Key conforming to the
+	// "container.runtime.name" semantic conventions. It represents the container
+	// runtime managing this container.
 	//
 	// Type: string
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
 	// Examples: "docker", "containerd", "rkt"
-	ContainerRuntimeKey = attribute.Key("container.runtime")
+	ContainerRuntimeNameKey = attribute.Key("container.runtime.name")
+
+	// ContainerRuntimeVersionKey is the attribute Key conforming to the
+	// "container.runtime.version" semantic conventions. It represents the version
+	// of the runtime of this process, as returned by the runtime without
+	// modification.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: 1.0.0
+	ContainerRuntimeVersionKey = attribute.Key("container.runtime.version")
 )
 
 // ContainerCommand returns an attribute KeyValue conforming to the
@@ -3467,6 +3565,13 @@ func ContainerImageTags(val ...string) attribute.KeyValue {
 	return ContainerImageTagsKey.StringSlice(val)
 }
 
+// ContainerLabel returns an attribute KeyValue conforming to the
+// "container.label" semantic conventions. It represents the container labels,
+// `<key>` being the label name, the value being the label value.
+func ContainerLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("container.label."+key, val)
+}
+
 // ContainerName returns an attribute KeyValue conforming to the "container.name"
 // semantic conventions. It represents the container name used by container
 // runtime.
@@ -3474,11 +3579,26 @@ func ContainerName(val string) attribute.KeyValue {
 	return ContainerNameKey.String(val)
 }
 
-// ContainerRuntime returns an attribute KeyValue conforming to the
-// "container.runtime" semantic conventions. It represents the container runtime
-// managing this container.
-func ContainerRuntime(val string) attribute.KeyValue {
-	return ContainerRuntimeKey.String(val)
+// ContainerRuntimeDescription returns an attribute KeyValue conforming to the
+// "container.runtime.description" semantic conventions. It represents a
+// description about the runtime which could include, for example details about
+// the CRI/API version being used or other customisations.
+func ContainerRuntimeDescription(val string) attribute.KeyValue {
+	return ContainerRuntimeDescriptionKey.String(val)
+}
+
+// ContainerRuntimeName returns an attribute KeyValue conforming to the
+// "container.runtime.name" semantic conventions. It represents the container
+// runtime managing this container.
+func ContainerRuntimeName(val string) attribute.KeyValue {
+	return ContainerRuntimeNameKey.String(val)
+}
+
+// ContainerRuntimeVersion returns an attribute KeyValue conforming to the
+// "container.runtime.version" semantic conventions. It represents the version of
+// the runtime of this process, as returned by the runtime without modification.
+func ContainerRuntimeVersion(val string) attribute.KeyValue {
+	return ContainerRuntimeVersionKey.String(val)
 }
 
 // Namespace: cpu
@@ -3514,28 +3634,28 @@ func CPULogicalNumber(val int) attribute.KeyValue {
 
 // Enum values for cpu.mode
 var (
-	// user
+	// User
 	// Stability: development
 	CPUModeUser = CPUModeKey.String("user")
-	// system
+	// System
 	// Stability: development
 	CPUModeSystem = CPUModeKey.String("system")
-	// nice
+	// Nice
 	// Stability: development
 	CPUModeNice = CPUModeKey.String("nice")
-	// idle
+	// Idle
 	// Stability: development
 	CPUModeIdle = CPUModeKey.String("idle")
-	// iowait
+	// IO Wait
 	// Stability: development
 	CPUModeIOWait = CPUModeKey.String("iowait")
-	// interrupt
+	// Interrupt
 	// Stability: development
 	CPUModeInterrupt = CPUModeKey.String("interrupt")
-	// steal
+	// Steal
 	// Stability: development
 	CPUModeSteal = CPUModeKey.String("steal")
-	// kernel
+	// Kernel
 	// Stability: development
 	CPUModeKernel = CPUModeKey.String("kernel")
 )
@@ -3794,6 +3914,22 @@ func DBOperationName(val string) attribute.KeyValue {
 	return DBOperationNameKey.String(val)
 }
 
+// DBOperationParameter returns an attribute KeyValue conforming to the
+// "db.operation.parameter" semantic conventions. It represents a database
+// operation parameter, with `<key>` being the parameter name, and the attribute
+// value being a string representation of the parameter value.
+func DBOperationParameter(key string, val string) attribute.KeyValue {
+	return attribute.String("db.operation.parameter."+key, val)
+}
+
+// DBQueryParameter returns an attribute KeyValue conforming to the
+// "db.query.parameter" semantic conventions. It represents a database query
+// parameter, with `<key>` being the parameter name, and the attribute value
+// being a string representation of the parameter value.
+func DBQueryParameter(key string, val string) attribute.KeyValue {
+	return attribute.String("db.query.parameter."+key, val)
+}
+
 // DBQuerySummary returns an attribute KeyValue conforming to the
 // "db.query.summary" semantic conventions. It represents the low cardinality
 // summary of a database query.
@@ -4194,8 +4330,8 @@ const (
 	// Hardware IDs (e.g. vendor-specific serial number, IMEI or MAC address) MAY be
 	// used as values.
 	//
-	// More information about Android identifier best practices can be found [here]
-	// .
+	// More information about Android identifier best practices can be found in the
+	// [Android user data IDs guide].
 	//
 	// > [!WARNING]> This attribute may contain sensitive (PII) information. Caution
 	// > should be taken when storing personal data or anything which can identify a
@@ -4210,7 +4346,7 @@ const (
 	// > opt-in feature.> See [`app.installation.id`]>  for a more
 	// > privacy-preserving alternative.
 	//
-	// [here]: https://developer.android.com/training/articles/user-data-ids
+	// [Android user data IDs guide]: https://developer.android.com/training/articles/user-data-ids
 	// [`app.installation.id`]: /docs/registry/attributes/app.md#app-installation-id
 	DeviceIDKey = attribute.Key("device.id")
 
@@ -4308,6 +4444,17 @@ var (
 
 // Namespace: dns
 const (
+	// DNSAnswersKey is the attribute Key conforming to the "dns.answers" semantic
+	// conventions. It represents the list of IPv4 or IPv6 addresses resolved during
+	// DNS lookup.
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "10.0.0.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
+	DNSAnswersKey = attribute.Key("dns.answers")
+
 	// DNSQuestionNameKey is the attribute Key conforming to the "dns.question.name"
 	// semantic conventions. It represents the name being queried.
 	//
@@ -4323,6 +4470,13 @@ const (
 	DNSQuestionNameKey = attribute.Key("dns.question.name")
 )
 
+// DNSAnswers returns an attribute KeyValue conforming to the "dns.answers"
+// semantic conventions. It represents the list of IPv4 or IPv6 addresses
+// resolved during DNS lookup.
+func DNSAnswers(val ...string) attribute.KeyValue {
+	return DNSAnswersKey.StringSlice(val)
+}
+
 // DNSQuestionName returns an attribute KeyValue conforming to the
 // "dns.question.name" semantic conventions. It represents the name being
 // queried.
@@ -4941,7 +5095,7 @@ const (
 	//
 	// Type: string
 	// RequirementLevel: Recommended
-	// Stability: Development
+	// Stability: Release_Candidate
 	//
 	// Examples: "5157782b-2203-4c80-a857-dbbd5e7761db"
 	FeatureFlagContextIDKey = attribute.Key("feature_flag.context.id")
@@ -4951,7 +5105,7 @@ const (
 	//
 	// Type: string
 	// RequirementLevel: Recommended
-	// Stability: Development
+	// Stability: Release_Candidate
 	//
 	// Examples: "logo-color"
 	FeatureFlagKeyKey = attribute.Key("feature_flag.key")
@@ -4962,7 +5116,7 @@ const (
 	//
 	// Type: string
 	// RequirementLevel: Recommended
-	// Stability: Development
+	// Stability: Release_Candidate
 	//
 	// Examples: "Flag Manager"
 	FeatureFlagProviderNameKey = attribute.Key("feature_flag.provider.name")
@@ -4973,7 +5127,7 @@ const (
 	//
 	// Type: Enum
 	// RequirementLevel: Recommended
-	// Stability: Development
+	// Stability: Release_Candidate
 	//
 	// Examples: "static", "targeting_match", "error", "default"
 	FeatureFlagResultReasonKey = attribute.Key("feature_flag.result.reason")
@@ -4984,7 +5138,7 @@ const (
 	//
 	// Type: any
 	// RequirementLevel: Recommended
-	// Stability: Development
+	// Stability: Release_Candidate
 	//
 	// Examples: "#ff0000", true, 3
 	// Note: With some feature flag providers, feature flag results can be quite
@@ -5004,7 +5158,7 @@ const (
 	//
 	// Type: string
 	// RequirementLevel: Recommended
-	// Stability: Development
+	// Stability: Release_Candidate
 	//
 	// Examples: "red", "true", "on"
 	// Note: A semantic identifier, commonly referred to as a variant, provides a
@@ -5020,7 +5174,7 @@ const (
 	//
 	// Type: string
 	// RequirementLevel: Recommended
-	// Stability: Development
+	// Stability: Release_Candidate
 	//
 	// Examples: "proj-1", "ab98sgs", "service1/dev"
 	//
@@ -5034,7 +5188,7 @@ const (
 	//
 	// Type: string
 	// RequirementLevel: Recommended
-	// Stability: Development
+	// Stability: Release_Candidate
 	//
 	// Examples: "1", "01ABCDEF"
 	FeatureFlagVersionKey = attribute.Key("feature_flag.version")
@@ -5088,34 +5242,34 @@ func FeatureFlagVersion(val string) attribute.KeyValue {
 // Enum values for feature_flag.result.reason
 var (
 	// The resolved value is static (no dynamic evaluation).
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonStatic = FeatureFlagResultReasonKey.String("static")
 	// The resolved value fell back to a pre-configured value (no dynamic evaluation
 	// occurred or dynamic evaluation yielded no result).
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonDefault = FeatureFlagResultReasonKey.String("default")
 	// The resolved value was the result of a dynamic evaluation, such as a rule or
 	// specific user-targeting.
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonTargetingMatch = FeatureFlagResultReasonKey.String("targeting_match")
 	// The resolved value was the result of pseudorandom assignment.
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonSplit = FeatureFlagResultReasonKey.String("split")
 	// The resolved value was retrieved from cache.
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonCached = FeatureFlagResultReasonKey.String("cached")
 	// The resolved value was the result of the flag being disabled in the
 	// management system.
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonDisabled = FeatureFlagResultReasonKey.String("disabled")
 	// The reason for the resolved value could not be determined.
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonUnknown = FeatureFlagResultReasonKey.String("unknown")
 	// The resolved value is non-authoritative or possibly out of date
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonStale = FeatureFlagResultReasonKey.String("stale")
 	// The resolved value was the result of an error.
-	// Stability: development
+	// Stability: release_candidate
 	FeatureFlagResultReasonError = FeatureFlagResultReasonKey.String("error")
 )
 
@@ -5208,7 +5362,7 @@ const (
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
-	// Examples: "Zone.Identifer"
+	// Examples: "Zone.Identifier"
 	// Note: On Linux, a resource fork is used to store additional data with a
 	// filesystem object. A file always has at least one fork for the data portion,
 	// and additional forks may exist.
@@ -5863,39 +6017,41 @@ const (
 	// `db.*`, to further identify and describe the data source.
 	GenAIDataSourceIDKey = attribute.Key("gen_ai.data_source.id")
 
-	// GenAIOpenAIRequestServiceTierKey is the attribute Key conforming to the
-	// "gen_ai.openai.request.service_tier" semantic conventions. It represents the
-	// service tier requested. May be a specific tier, default, or auto.
+	// GenAIInputMessagesKey is the attribute Key conforming to the
+	// "gen_ai.input.messages" semantic conventions. It represents the chat history
+	// provided to the model as an input.
 	//
-	// Type: Enum
+	// Type: any
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
-	// Examples: "auto", "default"
-	GenAIOpenAIRequestServiceTierKey = attribute.Key("gen_ai.openai.request.service_tier")
-
-	// GenAIOpenAIResponseServiceTierKey is the attribute Key conforming to the
-	// "gen_ai.openai.response.service_tier" semantic conventions. It represents the
-	// service tier used for the response.
+	// Examples: "[\n {\n "role": "user",\n "parts": [\n {\n "type": "text",\n
+	// "content": "Weather in Paris?"\n }\n ]\n },\n {\n "role": "assistant",\n
+	// "parts": [\n {\n "type": "tool_call",\n "id":
+	// "call_VSPygqKTWdrhaFErNvMV18Yl",\n "name": "get_weather",\n "arguments": {\n
+	// "location": "Paris"\n }\n }\n ]\n },\n {\n "role": "tool",\n "parts": [\n {\n
+	// "type": "tool_call_response",\n "id": " call_VSPygqKTWdrhaFErNvMV18Yl",\n
+	// "result": "rainy, 57°F"\n }\n ]\n }\n]\n"
+	// Note: Instrumentations MUST follow [Input messages JSON schema].
+	// When the attribute is recorded on events, it MUST be recorded in structured
+	// form. When recorded on spans, it MAY be recorded as a JSON string if
+	// structured
+	// format is not supported and SHOULD be recorded in structured form otherwise.
 	//
-	// Type: string
-	// RequirementLevel: Recommended
-	// Stability: Development
+	// Messages MUST be provided in the order they were sent to the model.
+	// Instrumentations MAY provide a way for users to filter or truncate
+	// input messages.
 	//
-	// Examples: "scale", "default"
-	GenAIOpenAIResponseServiceTierKey = attribute.Key("gen_ai.openai.response.service_tier")
-
-	// GenAIOpenAIResponseSystemFingerprintKey is the attribute Key conforming to
-	// the "gen_ai.openai.response.system_fingerprint" semantic conventions. It
-	// represents a fingerprint to track any eventual change in the Generative AI
-	// environment.
+	// > [!Warning]
+	// > This attribute is likely to contain sensitive information including
+	// > user/PII data.
 	//
-	// Type: string
-	// RequirementLevel: Recommended
-	// Stability: Development
+	// See [Recording content on attributes]
+	// section for more details.
 	//
-	// Examples: "fp_44709d6fcb"
-	GenAIOpenAIResponseSystemFingerprintKey = attribute.Key("gen_ai.openai.response.system_fingerprint")
+	// [Input messages JSON schema]: /docs/gen-ai/gen-ai-input-messages.json
+	// [Recording content on attributes]: /docs/gen-ai/gen-ai-spans.md#recording-content-on-attributes
+	GenAIInputMessagesKey = attribute.Key("gen_ai.input.messages")
 
 	// GenAIOperationNameKey is the attribute Key conforming to the
 	// "gen_ai.operation.name" semantic conventions. It represents the name of the
@@ -5913,6 +6069,44 @@ const (
 	// libraries SHOULD use applicable predefined value.
 	GenAIOperationNameKey = attribute.Key("gen_ai.operation.name")
 
+	// GenAIOutputMessagesKey is the attribute Key conforming to the
+	// "gen_ai.output.messages" semantic conventions. It represents the messages
+	// returned by the model where each message represents a specific model response
+	// (choice, candidate).
+	//
+	// Type: any
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "[\n {\n "role": "assistant",\n "parts": [\n {\n "type": "text",\n
+	// "content": "The weather in Paris is currently rainy with a temperature of
+	// 57°F."\n }\n ],\n "finish_reason": "stop"\n }\n]\n"
+	// Note: Instrumentations MUST follow [Output messages JSON schema]
+	//
+	// Each message represents a single output choice/candidate generated by
+	// the model. Each message corresponds to exactly one generation
+	// (choice/candidate) and vice versa - one choice cannot be split across
+	// multiple messages or one message cannot contain parts from multiple choices.
+	//
+	// When the attribute is recorded on events, it MUST be recorded in structured
+	// form. When recorded on spans, it MAY be recorded as a JSON string if
+	// structured
+	// format is not supported and SHOULD be recorded in structured form otherwise.
+	//
+	// Instrumentations MAY provide a way for users to filter or truncate
+	// output messages.
+	//
+	// > [!Warning]
+	// > This attribute is likely to contain sensitive information including
+	// > user/PII data.
+	//
+	// See [Recording content on attributes]
+	// section for more details.
+	//
+	// [Output messages JSON schema]: /docs/gen-ai/gen-ai-output-messages.json
+	// [Recording content on attributes]: /docs/gen-ai/gen-ai-spans.md#recording-content-on-attributes
+	GenAIOutputMessagesKey = attribute.Key("gen_ai.output.messages")
+
 	// GenAIOutputTypeKey is the attribute Key conforming to the
 	// "gen_ai.output.type" semantic conventions. It represents the represents the
 	// content type requested by the client.
@@ -5931,6 +6125,35 @@ const (
 	// `gen_ai.output.{type}.*` attributes.
 	GenAIOutputTypeKey = attribute.Key("gen_ai.output.type")
 
+	// GenAIProviderNameKey is the attribute Key conforming to the
+	// "gen_ai.provider.name" semantic conventions. It represents the Generative AI
+	// provider as identified by the client or server instrumentation.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: The attribute SHOULD be set based on the instrumentation's best
+	// knowledge and may differ from the actual model provider.
+	//
+	// Multiple providers, including Azure OpenAI, Gemini, and AI hosting platforms
+	// are accessible using the OpenAI REST API and corresponding client libraries,
+	// but may proxy or host models from different providers.
+	//
+	// The `gen_ai.request.model`, `gen_ai.response.model`, and `server.address`
+	// attributes may help identify the actual system in use.
+	//
+	// The `gen_ai.provider.name` attribute acts as a discriminator that
+	// identifies the GenAI telemetry format flavor specific to that provider
+	// within GenAI semantic conventions.
+	// It SHOULD be set consistently with provider-specific attributes and signals.
+	// For example, GenAI spans, metrics, and events related to AWS Bedrock
+	// should have the `gen_ai.provider.name` set to `aws.bedrock` and include
+	// applicable `aws.bedrock.*` attributes and are not expected to include
+	// `openai.*` attributes.
+	GenAIProviderNameKey = attribute.Key("gen_ai.provider.name")
+
 	// GenAIRequestChoiceCountKey is the attribute Key conforming to the
 	// "gen_ai.request.choice.count" semantic conventions. It represents the target
 	// number of candidate completions to return.
@@ -6088,31 +6311,44 @@ const (
 	// Examples: "gpt-4-0613"
 	GenAIResponseModelKey = attribute.Key("gen_ai.response.model")
 
-	// GenAISystemKey is the attribute Key conforming to the "gen_ai.system"
-	// semantic conventions. It represents the Generative AI product as identified
-	// by the client or server instrumentation.
+	// GenAISystemInstructionsKey is the attribute Key conforming to the
+	// "gen_ai.system_instructions" semantic conventions. It represents the system
+	// message or instructions provided to the GenAI model separately from the chat
+	// history.
 	//
-	// Type: Enum
+	// Type: any
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
-	// Examples: openai
-	// Note: The `gen_ai.system` describes a family of GenAI models with specific
-	// model identified
-	// by `gen_ai.request.model` and `gen_ai.response.model` attributes.
+	// Examples: "[\n {\n "type": "text",\n "content": "You are an Agent that greet
+	// users, always use greetings tool to respond"\n }\n]\n", "[\n {\n "type":
+	// "text",\n "content": "You are a language translator."\n },\n {\n "type":
+	// "text",\n "content": "Your mission is to translate text in English to
+	// French."\n }\n]\n"
+	// Note: This attribute SHOULD be used when the corresponding provider or API
+	// allows to provide system instructions or messages separately from the
+	// chat history.
 	//
-	// The actual GenAI product may differ from the one identified by the client.
-	// Multiple systems, including Azure OpenAI and Gemini, are accessible by OpenAI
-	// client
-	// libraries. In such cases, the `gen_ai.system` is set to `openai` based on the
-	// instrumentation's best knowledge, instead of the actual system. The
-	// `server.address`
-	// attribute may help identify the actual system in use for `openai`.
+	// Instructions that are part of the chat history SHOULD be recorded in
+	// `gen_ai.input.messages` attribute instead.
 	//
-	// For custom model, a custom friendly name SHOULD be used.
-	// If none of these options apply, the `gen_ai.system` SHOULD be set to `_OTHER`
-	// .
-	GenAISystemKey = attribute.Key("gen_ai.system")
+	// Instrumentations MUST follow [System instructions JSON schema].
+	//
+	// When recorded on spans, it MAY be recorded as a JSON string if structured
+	// format is not supported and SHOULD be recorded in structured form otherwise.
+	//
+	// Instrumentations MAY provide a way for users to filter or truncate
+	// system instructions.
+	//
+	// > [!Warning]
+	// > This attribute may contain sensitive information.
+	//
+	// See [Recording content on attributes]
+	// section for more details.
+	//
+	// [System instructions JSON schema]: /docs/gen-ai/gen-ai-system-instructions.json
+	// [Recording content on attributes]: /docs/gen-ai/gen-ai-spans.md#recording-content-on-attributes
+	GenAISystemInstructionsKey = attribute.Key("gen_ai.system_instructions")
 
 	// GenAITokenTypeKey is the attribute Key conforming to the "gen_ai.token.type"
 	// semantic conventions. It represents the type of token being counted.
@@ -6237,21 +6473,6 @@ func GenAIDataSourceID(val string) attribute.KeyValue {
 	return GenAIDataSourceIDKey.String(val)
 }
 
-// GenAIOpenAIResponseServiceTier returns an attribute KeyValue conforming to the
-// "gen_ai.openai.response.service_tier" semantic conventions. It represents the
-// service tier used for the response.
-func GenAIOpenAIResponseServiceTier(val string) attribute.KeyValue {
-	return GenAIOpenAIResponseServiceTierKey.String(val)
-}
-
-// GenAIOpenAIResponseSystemFingerprint returns an attribute KeyValue conforming
-// to the "gen_ai.openai.response.system_fingerprint" semantic conventions. It
-// represents a fingerprint to track any eventual change in the Generative AI
-// environment.
-func GenAIOpenAIResponseSystemFingerprint(val string) attribute.KeyValue {
-	return GenAIOpenAIResponseSystemFingerprintKey.String(val)
-}
-
 // GenAIRequestChoiceCount returns an attribute KeyValue conforming to the
 // "gen_ai.request.choice.count" semantic conventions. It represents the target
 // number of candidate completions to return.
@@ -6393,16 +6614,6 @@ func GenAIUsageOutputTokens(val int) attribute.KeyValue {
 	return GenAIUsageOutputTokensKey.Int(val)
 }
 
-// Enum values for gen_ai.openai.request.service_tier
-var (
-	// The system will utilize scale tier credits until they are exhausted.
-	// Stability: development
-	GenAIOpenAIRequestServiceTierAuto = GenAIOpenAIRequestServiceTierKey.String("auto")
-	// The system will utilize the default scale tier.
-	// Stability: development
-	GenAIOpenAIRequestServiceTierDefault = GenAIOpenAIRequestServiceTierKey.String("default")
-)
-
 // Enum values for gen_ai.operation.name
 var (
 	// Chat completion operation such as [OpenAI Chat API]
@@ -6452,57 +6663,79 @@ var (
 	GenAIOutputTypeSpeech = GenAIOutputTypeKey.String("speech")
 )
 
-// Enum values for gen_ai.system
+// Enum values for gen_ai.provider.name
 var (
-	// OpenAI
+	// [OpenAI]
 	// Stability: development
-	GenAISystemOpenAI = GenAISystemKey.String("openai")
+	//
+	// [OpenAI]: https://openai.com/
+	GenAIProviderNameOpenAI = GenAIProviderNameKey.String("openai")
 	// Any Google generative AI endpoint
 	// Stability: development
-	GenAISystemGCPGenAI = GenAISystemKey.String("gcp.gen_ai")
-	// Vertex AI
+	GenAIProviderNameGCPGenAI = GenAIProviderNameKey.String("gcp.gen_ai")
+	// [Vertex AI]
 	// Stability: development
-	GenAISystemGCPVertexAI = GenAISystemKey.String("gcp.vertex_ai")
-	// Gemini
+	//
+	// [Vertex AI]: https://cloud.google.com/vertex-ai
+	GenAIProviderNameGCPVertexAI = GenAIProviderNameKey.String("gcp.vertex_ai")
+	// [Gemini]
 	// Stability: development
-	GenAISystemGCPGemini = GenAISystemKey.String("gcp.gemini")
-	// Deprecated: Use 'gcp.vertex_ai' instead.
-	GenAISystemVertexAI = GenAISystemKey.String("vertex_ai")
-	// Deprecated: Use 'gcp.gemini' instead.
-	GenAISystemGemini = GenAISystemKey.String("gemini")
-	// Anthropic
+	//
+	// [Gemini]: https://cloud.google.com/products/gemini
+	GenAIProviderNameGCPGemini = GenAIProviderNameKey.String("gcp.gemini")
+	// [Anthropic]
 	// Stability: development
-	GenAISystemAnthropic = GenAISystemKey.String("anthropic")
-	// Cohere
+	//
+	// [Anthropic]: https://www.anthropic.com/
+	GenAIProviderNameAnthropic = GenAIProviderNameKey.String("anthropic")
+	// [Cohere]
 	// Stability: development
-	GenAISystemCohere = GenAISystemKey.String("cohere")
+	//
+	// [Cohere]: https://cohere.com/
+	GenAIProviderNameCohere = GenAIProviderNameKey.String("cohere")
 	// Azure AI Inference
 	// Stability: development
-	GenAISystemAzAIInference = GenAISystemKey.String("az.ai.inference")
-	// Azure OpenAI
+	GenAIProviderNameAzureAIInference = GenAIProviderNameKey.String("azure.ai.inference")
+	// [Azure OpenAI]
 	// Stability: development
-	GenAISystemAzAIOpenAI = GenAISystemKey.String("az.ai.openai")
-	// IBM Watsonx AI
+	//
+	// [Azure OpenAI]: https://azure.microsoft.com/products/ai-services/openai-service/
+	GenAIProviderNameAzureAIOpenAI = GenAIProviderNameKey.String("azure.ai.openai")
+	// [IBM Watsonx AI]
 	// Stability: development
-	GenAISystemIBMWatsonxAI = GenAISystemKey.String("ibm.watsonx.ai")
-	// AWS Bedrock
+	//
+	// [IBM Watsonx AI]: https://www.ibm.com/products/watsonx-ai
+	GenAIProviderNameIBMWatsonxAI = GenAIProviderNameKey.String("ibm.watsonx.ai")
+	// [AWS Bedrock]
 	// Stability: development
-	GenAISystemAWSBedrock = GenAISystemKey.String("aws.bedrock")
-	// Perplexity
+	//
+	// [AWS Bedrock]: https://aws.amazon.com/bedrock
+	GenAIProviderNameAWSBedrock = GenAIProviderNameKey.String("aws.bedrock")
+	// [Perplexity]
 	// Stability: development
-	GenAISystemPerplexity = GenAISystemKey.String("perplexity")
-	// xAI
+	//
+	// [Perplexity]: https://www.perplexity.ai/
+	GenAIProviderNamePerplexity = GenAIProviderNameKey.String("perplexity")
+	// [xAI]
 	// Stability: development
-	GenAISystemXai = GenAISystemKey.String("xai")
-	// DeepSeek
+	//
+	// [xAI]: https://x.ai/
+	GenAIProviderNameXAI = GenAIProviderNameKey.String("x_ai")
+	// [DeepSeek]
 	// Stability: development
-	GenAISystemDeepseek = GenAISystemKey.String("deepseek")
-	// Groq
+	//
+	// [DeepSeek]: https://www.deepseek.com/
+	GenAIProviderNameDeepseek = GenAIProviderNameKey.String("deepseek")
+	// [Groq]
 	// Stability: development
-	GenAISystemGroq = GenAISystemKey.String("groq")
-	// Mistral AI
+	//
+	// [Groq]: https://groq.com/
+	GenAIProviderNameGroq = GenAIProviderNameKey.String("groq")
+	// [Mistral AI]
 	// Stability: development
-	GenAISystemMistralAI = GenAISystemKey.String("mistral_ai")
+	//
+	// [Mistral AI]: https://mistral.ai/
+	GenAIProviderNameMistralAI = GenAIProviderNameKey.String("mistral_ai")
 )
 
 // Enum values for gen_ai.token.type
@@ -6510,8 +6743,6 @@ var (
 	// Input tokens (prompt, input, etc.)
 	// Stability: development
 	GenAITokenTypeInput = GenAITokenTypeKey.String("input")
-	// Deprecated: Replaced by `output`.
-	GenAITokenTypeCompletion = GenAITokenTypeKey.String("output")
 	// Output tokens (completion, response, etc.)
 	// Stability: development
 	GenAITokenTypeOutput = GenAITokenTypeKey.String("output")
@@ -7312,6 +7543,14 @@ func HTTPRequestBodySize(val int) attribute.KeyValue {
 	return HTTPRequestBodySizeKey.Int(val)
 }
 
+// HTTPRequestHeader returns an attribute KeyValue conforming to the
+// "http.request.header" semantic conventions. It represents the HTTP request
+// headers, `<key>` being the normalized HTTP Header name (lowercase), the value
+// being the header values.
+func HTTPRequestHeader(key string, val ...string) attribute.KeyValue {
+	return attribute.StringSlice("http.request.header."+key, val)
+}
+
 // HTTPRequestMethodOriginal returns an attribute KeyValue conforming to the
 // "http.request.method_original" semantic conventions. It represents the
 // original HTTP method sent by the client in the request line.
@@ -7347,6 +7586,14 @@ func HTTPResponseBodySize(val int) attribute.KeyValue {
 	return HTTPResponseBodySizeKey.Int(val)
 }
 
+// HTTPResponseHeader returns an attribute KeyValue conforming to the
+// "http.response.header" semantic conventions. It represents the HTTP response
+// headers, `<key>` being the normalized HTTP Header name (lowercase), the value
+// being the header values.
+func HTTPResponseHeader(key string, val ...string) attribute.KeyValue {
+	return attribute.StringSlice("http.response.header."+key, val)
+}
+
 // HTTPResponseSize returns an attribute KeyValue conforming to the
 // "http.response.size" semantic conventions. It represents the total size of the
 // response in bytes. This should be the total number of bytes sent over the
@@ -7418,64 +7665,352 @@ var (
 
 // Namespace: hw
 const (
-	// HwIDKey is the attribute Key conforming to the "hw.id" semantic conventions.
-	// It represents an identifier for the hardware component, unique within the
-	// monitored host.
+	// HwBatteryCapacityKey is the attribute Key conforming to the
+	// "hw.battery.capacity" semantic conventions. It represents the design capacity
+	// in Watts-hours or Amper-hours.
 	//
 	// Type: string
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
-	// Examples: "win32battery_battery_testsysa33_1"
-	HwIDKey = attribute.Key("hw.id")
+	// Examples: "9.3Ah", "50Wh"
+	HwBatteryCapacityKey = attribute.Key("hw.battery.capacity")
 
-	// HwNameKey is the attribute Key conforming to the "hw.name" semantic
-	// conventions. It represents an easily-recognizable name for the hardware
+	// HwBatteryChemistryKey is the attribute Key conforming to the
+	// "hw.battery.chemistry" semantic conventions. It represents the battery
+	// [chemistry], e.g. Lithium-Ion, Nickel-Cadmium, etc.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Li-ion", "NiMH"
+	//
+	// [chemistry]: https://schemas.dmtf.org/wbem/cim-html/2.31.0/CIM_Battery.html
+	HwBatteryChemistryKey = attribute.Key("hw.battery.chemistry")
+
+	// HwBatteryStateKey is the attribute Key conforming to the "hw.battery.state"
+	// semantic conventions. It represents the current state of the battery.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	HwBatteryStateKey = attribute.Key("hw.battery.state")
+
+	// HwBiosVersionKey is the attribute Key conforming to the "hw.bios_version"
+	// semantic conventions. It represents the BIOS version of the hardware
 	// component.
 	//
 	// Type: string
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
-	// Examples: "eth0"
-	HwNameKey = attribute.Key("hw.name")
+	// Examples: "1.2.3"
+	HwBiosVersionKey = attribute.Key("hw.bios_version")
 
-	// HwParentKey is the attribute Key conforming to the "hw.parent" semantic
-	// conventions. It represents the unique identifier of the parent component
-	// (typically the `hw.id` attribute of the enclosure, or disk controller).
+	// HwDriverVersionKey is the attribute Key conforming to the "hw.driver_version"
+	// semantic conventions. It represents the driver version for the hardware
+	// component.
 	//
 	// Type: string
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
-	// Examples: "dellStorage_perc_0"
-	HwParentKey = attribute.Key("hw.parent")
+	// Examples: "10.2.1-3"
+	HwDriverVersionKey = attribute.Key("hw.driver_version")
 
-	// HwStateKey is the attribute Key conforming to the "hw.state" semantic
-	// conventions. It represents the current state of the component.
+	// HwEnclosureTypeKey is the attribute Key conforming to the "hw.enclosure.type"
+	// semantic conventions. It represents the type of the enclosure (useful for
+	// modular systems).
 	//
-	// Type: Enum
+	// Type: string
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
-	// Examples:
-	HwStateKey = attribute.Key("hw.state")
+	// Examples: "Computer", "Storage", "Switch"
+	HwEnclosureTypeKey = attribute.Key("hw.enclosure.type")
 
-	// HwTypeKey is the attribute Key conforming to the "hw.type" semantic
-	// conventions. It represents the type of the component.
+	// HwFirmwareVersionKey is the attribute Key conforming to the
+	// "hw.firmware_version" semantic conventions. It represents the firmware
+	// version of the hardware component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2.0.1"
+	HwFirmwareVersionKey = attribute.Key("hw.firmware_version")
+
+	// HwGpuTaskKey is the attribute Key conforming to the "hw.gpu.task" semantic
+	// conventions. It represents the type of task the GPU is performing.
 	//
 	// Type: Enum
 	// RequirementLevel: Recommended
 	// Stability: Development
 	//
 	// Examples:
-	// Note: Describes the category of the hardware component for which `hw.state`
+	HwGpuTaskKey = attribute.Key("hw.gpu.task")
+
+	// HwIDKey is the attribute Key conforming to the "hw.id" semantic conventions.
+	// It represents an identifier for the hardware component, unique within the
+	// monitored host.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "win32battery_battery_testsysa33_1"
+	HwIDKey = attribute.Key("hw.id")
+
+	// HwLimitTypeKey is the attribute Key conforming to the "hw.limit_type"
+	// semantic conventions. It represents the type of limit for hardware
+	// components.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	HwLimitTypeKey = attribute.Key("hw.limit_type")
+
+	// HwLogicalDiskRaidLevelKey is the attribute Key conforming to the
+	// "hw.logical_disk.raid_level" semantic conventions. It represents the RAID
+	// Level of the logical disk.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "RAID0+1", "RAID5", "RAID10"
+	HwLogicalDiskRaidLevelKey = attribute.Key("hw.logical_disk.raid_level")
+
+	// HwLogicalDiskStateKey is the attribute Key conforming to the
+	// "hw.logical_disk.state" semantic conventions. It represents the state of the
+	// logical disk space usage.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	HwLogicalDiskStateKey = attribute.Key("hw.logical_disk.state")
+
+	// HwMemoryTypeKey is the attribute Key conforming to the "hw.memory.type"
+	// semantic conventions. It represents the type of the memory module.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "DDR4", "DDR5", "LPDDR5"
+	HwMemoryTypeKey = attribute.Key("hw.memory.type")
+
+	// HwModelKey is the attribute Key conforming to the "hw.model" semantic
+	// conventions. It represents the descriptive model name of the hardware
+	// component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "PERC H740P", "Intel(R) Core(TM) i7-10700K", "Dell XPS 15 Battery"
+	HwModelKey = attribute.Key("hw.model")
+
+	// HwNameKey is the attribute Key conforming to the "hw.name" semantic
+	// conventions. It represents an easily-recognizable name for the hardware
+	// component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "eth0"
+	HwNameKey = attribute.Key("hw.name")
+
+	// HwNetworkLogicalAddressesKey is the attribute Key conforming to the
+	// "hw.network.logical_addresses" semantic conventions. It represents the
+	// logical addresses of the adapter (e.g. IP address, or WWPN).
+	//
+	// Type: string[]
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "172.16.8.21", "57.11.193.42"
+	HwNetworkLogicalAddressesKey = attribute.Key("hw.network.logical_addresses")
+
+	// HwNetworkPhysicalAddressKey is the attribute Key conforming to the
+	// "hw.network.physical_address" semantic conventions. It represents the
+	// physical address of the adapter (e.g. MAC address, or WWNN).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "00-90-F5-E9-7B-36"
+	HwNetworkPhysicalAddressKey = attribute.Key("hw.network.physical_address")
+
+	// HwParentKey is the attribute Key conforming to the "hw.parent" semantic
+	// conventions. It represents the unique identifier of the parent component
+	// (typically the `hw.id` attribute of the enclosure, or disk controller).
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "dellStorage_perc_0"
+	HwParentKey = attribute.Key("hw.parent")
+
+	// HwPhysicalDiskSmartAttributeKey is the attribute Key conforming to the
+	// "hw.physical_disk.smart_attribute" semantic conventions. It represents the
+	// [S.M.A.R.T.] (Self-Monitoring, Analysis, and Reporting Technology) attribute
+	// of the physical disk.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Spin Retry Count", "Seek Error Rate", "Raw Read Error Rate"
+	//
+	// [S.M.A.R.T.]: https://wikipedia.org/wiki/S.M.A.R.T.
+	HwPhysicalDiskSmartAttributeKey = attribute.Key("hw.physical_disk.smart_attribute")
+
+	// HwPhysicalDiskStateKey is the attribute Key conforming to the
+	// "hw.physical_disk.state" semantic conventions. It represents the state of the
+	// physical disk endurance utilization.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	HwPhysicalDiskStateKey = attribute.Key("hw.physical_disk.state")
+
+	// HwPhysicalDiskTypeKey is the attribute Key conforming to the
+	// "hw.physical_disk.type" semantic conventions. It represents the type of the
+	// physical disk.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "HDD", "SSD", "10K"
+	HwPhysicalDiskTypeKey = attribute.Key("hw.physical_disk.type")
+
+	// HwSensorLocationKey is the attribute Key conforming to the
+	// "hw.sensor_location" semantic conventions. It represents the location of the
+	// sensor.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "cpu0", "ps1", "INLET", "CPU0_DIE", "AMBIENT", "MOTHERBOARD", "PS0
+	// V3_3", "MAIN_12V", "CPU_VCORE"
+	HwSensorLocationKey = attribute.Key("hw.sensor_location")
+
+	// HwSerialNumberKey is the attribute Key conforming to the "hw.serial_number"
+	// semantic conventions. It represents the serial number of the hardware
+	// component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "CNFCP0123456789"
+	HwSerialNumberKey = attribute.Key("hw.serial_number")
+
+	// HwStateKey is the attribute Key conforming to the "hw.state" semantic
+	// conventions. It represents the current state of the component.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	HwStateKey = attribute.Key("hw.state")
+
+	// HwTapeDriveOperationTypeKey is the attribute Key conforming to the
+	// "hw.tape_drive.operation_type" semantic conventions. It represents the type
+	// of tape drive operation.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	HwTapeDriveOperationTypeKey = attribute.Key("hw.tape_drive.operation_type")
+
+	// HwTypeKey is the attribute Key conforming to the "hw.type" semantic
+	// conventions. It represents the type of the component.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	// Note: Describes the category of the hardware component for which `hw.state`
 	// is being reported. For example, `hw.type=temperature` along with
 	// `hw.state=degraded` would indicate that the temperature of the hardware
 	// component has been reported as `degraded`.
 	HwTypeKey = attribute.Key("hw.type")
+
+	// HwVendorKey is the attribute Key conforming to the "hw.vendor" semantic
+	// conventions. It represents the vendor name of the hardware component.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Dell", "HP", "Intel", "AMD", "LSI", "Lenovo"
+	HwVendorKey = attribute.Key("hw.vendor")
 )
 
+// HwBatteryCapacity returns an attribute KeyValue conforming to the
+// "hw.battery.capacity" semantic conventions. It represents the design capacity
+// in Watts-hours or Amper-hours.
+func HwBatteryCapacity(val string) attribute.KeyValue {
+	return HwBatteryCapacityKey.String(val)
+}
+
+// HwBatteryChemistry returns an attribute KeyValue conforming to the
+// "hw.battery.chemistry" semantic conventions. It represents the battery
+// [chemistry], e.g. Lithium-Ion, Nickel-Cadmium, etc.
+//
+// [chemistry]: https://schemas.dmtf.org/wbem/cim-html/2.31.0/CIM_Battery.html
+func HwBatteryChemistry(val string) attribute.KeyValue {
+	return HwBatteryChemistryKey.String(val)
+}
+
+// HwBiosVersion returns an attribute KeyValue conforming to the
+// "hw.bios_version" semantic conventions. It represents the BIOS version of the
+// hardware component.
+func HwBiosVersion(val string) attribute.KeyValue {
+	return HwBiosVersionKey.String(val)
+}
+
+// HwDriverVersion returns an attribute KeyValue conforming to the
+// "hw.driver_version" semantic conventions. It represents the driver version for
+// the hardware component.
+func HwDriverVersion(val string) attribute.KeyValue {
+	return HwDriverVersionKey.String(val)
+}
+
+// HwEnclosureType returns an attribute KeyValue conforming to the
+// "hw.enclosure.type" semantic conventions. It represents the type of the
+// enclosure (useful for modular systems).
+func HwEnclosureType(val string) attribute.KeyValue {
+	return HwEnclosureTypeKey.String(val)
+}
+
+// HwFirmwareVersion returns an attribute KeyValue conforming to the
+// "hw.firmware_version" semantic conventions. It represents the firmware version
+// of the hardware component.
+func HwFirmwareVersion(val string) attribute.KeyValue {
+	return HwFirmwareVersionKey.String(val)
+}
+
 // HwID returns an attribute KeyValue conforming to the "hw.id" semantic
 // conventions. It represents an identifier for the hardware component, unique
 // within the monitored host.
@@ -7483,6 +8018,26 @@ func HwID(val string) attribute.KeyValue {
 	return HwIDKey.String(val)
 }
 
+// HwLogicalDiskRaidLevel returns an attribute KeyValue conforming to the
+// "hw.logical_disk.raid_level" semantic conventions. It represents the RAID
+// Level of the logical disk.
+func HwLogicalDiskRaidLevel(val string) attribute.KeyValue {
+	return HwLogicalDiskRaidLevelKey.String(val)
+}
+
+// HwMemoryType returns an attribute KeyValue conforming to the "hw.memory.type"
+// semantic conventions. It represents the type of the memory module.
+func HwMemoryType(val string) attribute.KeyValue {
+	return HwMemoryTypeKey.String(val)
+}
+
+// HwModel returns an attribute KeyValue conforming to the "hw.model" semantic
+// conventions. It represents the descriptive model name of the hardware
+// component.
+func HwModel(val string) attribute.KeyValue {
+	return HwModelKey.String(val)
+}
+
 // HwName returns an attribute KeyValue conforming to the "hw.name" semantic
 // conventions. It represents an easily-recognizable name for the hardware
 // component.
@@ -7490,6 +8045,20 @@ func HwName(val string) attribute.KeyValue {
 	return HwNameKey.String(val)
 }
 
+// HwNetworkLogicalAddresses returns an attribute KeyValue conforming to the
+// "hw.network.logical_addresses" semantic conventions. It represents the logical
+// addresses of the adapter (e.g. IP address, or WWPN).
+func HwNetworkLogicalAddresses(val ...string) attribute.KeyValue {
+	return HwNetworkLogicalAddressesKey.StringSlice(val)
+}
+
+// HwNetworkPhysicalAddress returns an attribute KeyValue conforming to the
+// "hw.network.physical_address" semantic conventions. It represents the physical
+// address of the adapter (e.g. MAC address, or WWNN).
+func HwNetworkPhysicalAddress(val string) attribute.KeyValue {
+	return HwNetworkPhysicalAddressKey.String(val)
+}
+
 // HwParent returns an attribute KeyValue conforming to the "hw.parent" semantic
 // conventions. It represents the unique identifier of the parent component
 // (typically the `hw.id` attribute of the enclosure, or disk controller).
@@ -7497,17 +8066,144 @@ func HwParent(val string) attribute.KeyValue {
 	return HwParentKey.String(val)
 }
 
-// Enum values for hw.state
+// HwPhysicalDiskSmartAttribute returns an attribute KeyValue conforming to the
+// "hw.physical_disk.smart_attribute" semantic conventions. It represents the
+// [S.M.A.R.T.] (Self-Monitoring, Analysis, and Reporting Technology) attribute
+// of the physical disk.
+//
+// [S.M.A.R.T.]: https://wikipedia.org/wiki/S.M.A.R.T.
+func HwPhysicalDiskSmartAttribute(val string) attribute.KeyValue {
+	return HwPhysicalDiskSmartAttributeKey.String(val)
+}
+
+// HwPhysicalDiskType returns an attribute KeyValue conforming to the
+// "hw.physical_disk.type" semantic conventions. It represents the type of the
+// physical disk.
+func HwPhysicalDiskType(val string) attribute.KeyValue {
+	return HwPhysicalDiskTypeKey.String(val)
+}
+
+// HwSensorLocation returns an attribute KeyValue conforming to the
+// "hw.sensor_location" semantic conventions. It represents the location of the
+// sensor.
+func HwSensorLocation(val string) attribute.KeyValue {
+	return HwSensorLocationKey.String(val)
+}
+
+// HwSerialNumber returns an attribute KeyValue conforming to the
+// "hw.serial_number" semantic conventions. It represents the serial number of
+// the hardware component.
+func HwSerialNumber(val string) attribute.KeyValue {
+	return HwSerialNumberKey.String(val)
+}
+
+// HwVendor returns an attribute KeyValue conforming to the "hw.vendor" semantic
+// conventions. It represents the vendor name of the hardware component.
+func HwVendor(val string) attribute.KeyValue {
+	return HwVendorKey.String(val)
+}
+
+// Enum values for hw.battery.state
 var (
-	// Ok
+	// Charging
 	// Stability: development
-	HwStateOk = HwStateKey.String("ok")
+	HwBatteryStateCharging = HwBatteryStateKey.String("charging")
+	// Discharging
+	// Stability: development
+	HwBatteryStateDischarging = HwBatteryStateKey.String("discharging")
+)
+
+// Enum values for hw.gpu.task
+var (
+	// Decoder
+	// Stability: development
+	HwGpuTaskDecoder = HwGpuTaskKey.String("decoder")
+	// Encoder
+	// Stability: development
+	HwGpuTaskEncoder = HwGpuTaskKey.String("encoder")
+	// General
+	// Stability: development
+	HwGpuTaskGeneral = HwGpuTaskKey.String("general")
+)
+
+// Enum values for hw.limit_type
+var (
+	// Critical
+	// Stability: development
+	HwLimitTypeCritical = HwLimitTypeKey.String("critical")
+	// Degraded
+	// Stability: development
+	HwLimitTypeDegraded = HwLimitTypeKey.String("degraded")
+	// High Critical
+	// Stability: development
+	HwLimitTypeHighCritical = HwLimitTypeKey.String("high.critical")
+	// High Degraded
+	// Stability: development
+	HwLimitTypeHighDegraded = HwLimitTypeKey.String("high.degraded")
+	// Low Critical
+	// Stability: development
+	HwLimitTypeLowCritical = HwLimitTypeKey.String("low.critical")
+	// Low Degraded
+	// Stability: development
+	HwLimitTypeLowDegraded = HwLimitTypeKey.String("low.degraded")
+	// Maximum
+	// Stability: development
+	HwLimitTypeMax = HwLimitTypeKey.String("max")
+	// Throttled
+	// Stability: development
+	HwLimitTypeThrottled = HwLimitTypeKey.String("throttled")
+	// Turbo
+	// Stability: development
+	HwLimitTypeTurbo = HwLimitTypeKey.String("turbo")
+)
+
+// Enum values for hw.logical_disk.state
+var (
+	// Used
+	// Stability: development
+	HwLogicalDiskStateUsed = HwLogicalDiskStateKey.String("used")
+	// Free
+	// Stability: development
+	HwLogicalDiskStateFree = HwLogicalDiskStateKey.String("free")
+)
+
+// Enum values for hw.physical_disk.state
+var (
+	// Remaining
+	// Stability: development
+	HwPhysicalDiskStateRemaining = HwPhysicalDiskStateKey.String("remaining")
+)
+
+// Enum values for hw.state
+var (
 	// Degraded
 	// Stability: development
 	HwStateDegraded = HwStateKey.String("degraded")
 	// Failed
 	// Stability: development
 	HwStateFailed = HwStateKey.String("failed")
+	// Needs Cleaning
+	// Stability: development
+	HwStateNeedsCleaning = HwStateKey.String("needs_cleaning")
+	// OK
+	// Stability: development
+	HwStateOk = HwStateKey.String("ok")
+	// Predicted Failure
+	// Stability: development
+	HwStatePredictedFailure = HwStateKey.String("predicted_failure")
+)
+
+// Enum values for hw.tape_drive.operation_type
+var (
+	// Mount
+	// Stability: development
+	HwTapeDriveOperationTypeMount = HwTapeDriveOperationTypeKey.String("mount")
+	// Unmount
+	// Stability: development
+	HwTapeDriveOperationTypeUnmount = HwTapeDriveOperationTypeKey.String("unmount")
+	// Clean
+	// Stability: development
+	HwTapeDriveOperationTypeClean = HwTapeDriveOperationTypeKey.String("clean")
 )
 
 // Enum values for hw.type
@@ -7686,6 +8382,36 @@ const (
 	// Examples: "Evicted", "Error"
 	K8SContainerStatusLastTerminatedReasonKey = attribute.Key("k8s.container.status.last_terminated_reason")
 
+	// K8SContainerStatusReasonKey is the attribute Key conforming to the
+	// "k8s.container.status.reason" semantic conventions. It represents the reason
+	// for the container state. Corresponds to the `reason` field of the:
+	// [K8s ContainerStateWaiting] or [K8s ContainerStateTerminated].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "ContainerCreating", "CrashLoopBackOff",
+	// "CreateContainerConfigError", "ErrImagePull", "ImagePullBackOff",
+	// "OOMKilled", "Completed", "Error", "ContainerCannotRun"
+	//
+	// [K8s ContainerStateWaiting]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#containerstatewaiting-v1-core
+	// [K8s ContainerStateTerminated]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#containerstateterminated-v1-core
+	K8SContainerStatusReasonKey = attribute.Key("k8s.container.status.reason")
+
+	// K8SContainerStatusStateKey is the attribute Key conforming to the
+	// "k8s.container.status.state" semantic conventions. It represents the state of
+	// the container. [K8s ContainerState].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "terminated", "running", "waiting"
+	//
+	// [K8s ContainerState]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#containerstate-v1-core
+	K8SContainerStatusStateKey = attribute.Key("k8s.container.status.state")
+
 	// K8SCronJobNameKey is the attribute Key conforming to the "k8s.cronjob.name"
 	// semantic conventions. It represents the name of the CronJob.
 	//
@@ -7749,6 +8475,18 @@ const (
 	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
 	K8SDeploymentUIDKey = attribute.Key("k8s.deployment.uid")
 
+	// K8SHPAMetricTypeKey is the attribute Key conforming to the
+	// "k8s.hpa.metric.type" semantic conventions. It represents the type of metric
+	// source for the horizontal pod autoscaler.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Resource", "ContainerResource"
+	// Note: This attribute reflects the `type` field of spec.metrics[] in the HPA.
+	K8SHPAMetricTypeKey = attribute.Key("k8s.hpa.metric.type")
+
 	// K8SHPANameKey is the attribute Key conforming to the "k8s.hpa.name" semantic
 	// conventions. It represents the name of the horizontal pod autoscaler.
 	//
@@ -7759,6 +8497,43 @@ const (
 	// Examples: "opentelemetry"
 	K8SHPANameKey = attribute.Key("k8s.hpa.name")
 
+	// K8SHPAScaletargetrefAPIVersionKey is the attribute Key conforming to the
+	// "k8s.hpa.scaletargetref.api_version" semantic conventions. It represents the
+	// API version of the target resource to scale for the HorizontalPodAutoscaler.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "apps/v1", "autoscaling/v2"
+	// Note: This maps to the `apiVersion` field in the `scaleTargetRef` of the HPA
+	// spec.
+	K8SHPAScaletargetrefAPIVersionKey = attribute.Key("k8s.hpa.scaletargetref.api_version")
+
+	// K8SHPAScaletargetrefKindKey is the attribute Key conforming to the
+	// "k8s.hpa.scaletargetref.kind" semantic conventions. It represents the kind of
+	// the target resource to scale for the HorizontalPodAutoscaler.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Deployment", "StatefulSet"
+	// Note: This maps to the `kind` field in the `scaleTargetRef` of the HPA spec.
+	K8SHPAScaletargetrefKindKey = attribute.Key("k8s.hpa.scaletargetref.kind")
+
+	// K8SHPAScaletargetrefNameKey is the attribute Key conforming to the
+	// "k8s.hpa.scaletargetref.name" semantic conventions. It represents the name of
+	// the target resource to scale for the HorizontalPodAutoscaler.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "my-deployment", "my-statefulset"
+	// Note: This maps to the `name` field in the `scaleTargetRef` of the HPA spec.
+	K8SHPAScaletargetrefNameKey = attribute.Key("k8s.hpa.scaletargetref.name")
+
 	// K8SHPAUIDKey is the attribute Key conforming to the "k8s.hpa.uid" semantic
 	// conventions. It represents the UID of the horizontal pod autoscaler.
 	//
@@ -7769,6 +8544,17 @@ const (
 	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
 	K8SHPAUIDKey = attribute.Key("k8s.hpa.uid")
 
+	// K8SHugepageSizeKey is the attribute Key conforming to the "k8s.hugepage.size"
+	// semantic conventions. It represents the size (identifier) of the K8s huge
+	// page.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "2Mi"
+	K8SHugepageSizeKey = attribute.Key("k8s.hugepage.size")
+
 	// K8SJobNameKey is the attribute Key conforming to the "k8s.job.name" semantic
 	// conventions. It represents the name of the Job.
 	//
@@ -7815,6 +8601,46 @@ const (
 	// [K8s NamespaceStatus]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#namespacestatus-v1-core
 	K8SNamespacePhaseKey = attribute.Key("k8s.namespace.phase")
 
+	// K8SNodeConditionStatusKey is the attribute Key conforming to the
+	// "k8s.node.condition.status" semantic conventions. It represents the status of
+	// the condition, one of True, False, Unknown.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "true", "false", "unknown"
+	// Note: This attribute aligns with the `status` field of the
+	// [NodeCondition]
+	//
+	// [NodeCondition]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#nodecondition-v1-core
+	K8SNodeConditionStatusKey = attribute.Key("k8s.node.condition.status")
+
+	// K8SNodeConditionTypeKey is the attribute Key conforming to the
+	// "k8s.node.condition.type" semantic conventions. It represents the condition
+	// type of a K8s Node.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "Ready", "DiskPressure"
+	// Note: K8s Node conditions as described
+	// by [K8s documentation].
+	//
+	// This attribute aligns with the `type` field of the
+	// [NodeCondition]
+	//
+	// The set of possible values is not limited to those listed here. Managed
+	// Kubernetes environments,
+	// or custom controllers MAY introduce additional node condition types.
+	// When this occurs, the exact value as reported by the Kubernetes API SHOULD be
+	// used.
+	//
+	// [K8s documentation]: https://v1-32.docs.kubernetes.io/docs/reference/node/node-status/#condition
+	// [NodeCondition]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#nodecondition-v1-core
+	K8SNodeConditionTypeKey = attribute.Key("k8s.node.condition.type")
+
 	// K8SNodeNameKey is the attribute Key conforming to the "k8s.node.name"
 	// semantic conventions. It represents the name of the Node.
 	//
@@ -7910,6 +8736,25 @@ const (
 	// Examples: "opentelemetry"
 	K8SResourceQuotaNameKey = attribute.Key("k8s.resourcequota.name")
 
+	// K8SResourceQuotaResourceNameKey is the attribute Key conforming to the
+	// "k8s.resourcequota.resource_name" semantic conventions. It represents the
+	// name of the K8s resource a resource quota defines.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "count/replicationcontrollers"
+	// Note: The value for this attribute can be either the full
+	// `count/<resource>[.<group>]` string (e.g., count/deployments.apps,
+	// count/pods), or, for certain core Kubernetes resources, just the resource
+	// name (e.g., pods, services, configmaps). Both forms are supported by
+	// Kubernetes for object count quotas. See
+	// [Kubernetes Resource Quotas documentation] for more details.
+	//
+	// [Kubernetes Resource Quotas documentation]: https://kubernetes.io/docs/concepts/policy/resource-quotas/#object-count-quota
+	K8SResourceQuotaResourceNameKey = attribute.Key("k8s.resourcequota.resource_name")
+
 	// K8SResourceQuotaUIDKey is the attribute Key conforming to the
 	// "k8s.resourcequota.uid" semantic conventions. It represents the UID of the
 	// resource quota.
@@ -7943,6 +8788,19 @@ const (
 	// Examples: "275ecb36-5aa8-4c2a-9c47-d8bb681b9aff"
 	K8SStatefulSetUIDKey = attribute.Key("k8s.statefulset.uid")
 
+	// K8SStorageclassNameKey is the attribute Key conforming to the
+	// "k8s.storageclass.name" semantic conventions. It represents the name of K8s
+	// [StorageClass] object.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "gold.storageclass.storage.k8s.io"
+	//
+	// [StorageClass]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#storageclass-v1-storage-k8s-io
+	K8SStorageclassNameKey = attribute.Key("k8s.storageclass.name")
+
 	// K8SVolumeNameKey is the attribute Key conforming to the "k8s.volume.name"
 	// semantic conventions. It represents the name of the K8s volume.
 	//
@@ -8001,6 +8859,22 @@ func K8SContainerStatusLastTerminatedReason(val string) attribute.KeyValue {
 	return K8SContainerStatusLastTerminatedReasonKey.String(val)
 }
 
+// K8SCronJobAnnotation returns an attribute KeyValue conforming to the
+// "k8s.cronjob.annotation" semantic conventions. It represents the cronjob
+// annotation placed on the CronJob, the `<key>` being the annotation name, the
+// value being the annotation value.
+func K8SCronJobAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.cronjob.annotation."+key, val)
+}
+
+// K8SCronJobLabel returns an attribute KeyValue conforming to the
+// "k8s.cronjob.label" semantic conventions. It represents the label placed on
+// the CronJob, the `<key>` being the label name, the value being the label
+// value.
+func K8SCronJobLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.cronjob.label."+key, val)
+}
+
 // K8SCronJobName returns an attribute KeyValue conforming to the
 // "k8s.cronjob.name" semantic conventions. It represents the name of the
 // CronJob.
@@ -8014,6 +8888,22 @@ func K8SCronJobUID(val string) attribute.KeyValue {
 	return K8SCronJobUIDKey.String(val)
 }
 
+// K8SDaemonSetAnnotation returns an attribute KeyValue conforming to the
+// "k8s.daemonset.annotation" semantic conventions. It represents the annotation
+// placed on the DaemonSet, the `<key>` being the annotation name, the value
+// being the annotation value, even if the value is empty.
+func K8SDaemonSetAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.daemonset.annotation."+key, val)
+}
+
+// K8SDaemonSetLabel returns an attribute KeyValue conforming to the
+// "k8s.daemonset.label" semantic conventions. It represents the label placed on
+// the DaemonSet, the `<key>` being the label name, the value being the label
+// value, even if the value is empty.
+func K8SDaemonSetLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.daemonset.label."+key, val)
+}
+
 // K8SDaemonSetName returns an attribute KeyValue conforming to the
 // "k8s.daemonset.name" semantic conventions. It represents the name of the
 // DaemonSet.
@@ -8028,6 +8918,22 @@ func K8SDaemonSetUID(val string) attribute.KeyValue {
 	return K8SDaemonSetUIDKey.String(val)
 }
 
+// K8SDeploymentAnnotation returns an attribute KeyValue conforming to the
+// "k8s.deployment.annotation" semantic conventions. It represents the annotation
+// placed on the Deployment, the `<key>` being the annotation name, the value
+// being the annotation value, even if the value is empty.
+func K8SDeploymentAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.deployment.annotation."+key, val)
+}
+
+// K8SDeploymentLabel returns an attribute KeyValue conforming to the
+// "k8s.deployment.label" semantic conventions. It represents the label placed on
+// the Deployment, the `<key>` being the label name, the value being the label
+// value, even if the value is empty.
+func K8SDeploymentLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.deployment.label."+key, val)
+}
+
 // K8SDeploymentName returns an attribute KeyValue conforming to the
 // "k8s.deployment.name" semantic conventions. It represents the name of the
 // Deployment.
@@ -8042,18 +8948,69 @@ func K8SDeploymentUID(val string) attribute.KeyValue {
 	return K8SDeploymentUIDKey.String(val)
 }
 
+// K8SHPAMetricType returns an attribute KeyValue conforming to the
+// "k8s.hpa.metric.type" semantic conventions. It represents the type of metric
+// source for the horizontal pod autoscaler.
+func K8SHPAMetricType(val string) attribute.KeyValue {
+	return K8SHPAMetricTypeKey.String(val)
+}
+
 // K8SHPAName returns an attribute KeyValue conforming to the "k8s.hpa.name"
 // semantic conventions. It represents the name of the horizontal pod autoscaler.
 func K8SHPAName(val string) attribute.KeyValue {
 	return K8SHPANameKey.String(val)
 }
 
+// K8SHPAScaletargetrefAPIVersion returns an attribute KeyValue conforming to the
+// "k8s.hpa.scaletargetref.api_version" semantic conventions. It represents the
+// API version of the target resource to scale for the HorizontalPodAutoscaler.
+func K8SHPAScaletargetrefAPIVersion(val string) attribute.KeyValue {
+	return K8SHPAScaletargetrefAPIVersionKey.String(val)
+}
+
+// K8SHPAScaletargetrefKind returns an attribute KeyValue conforming to the
+// "k8s.hpa.scaletargetref.kind" semantic conventions. It represents the kind of
+// the target resource to scale for the HorizontalPodAutoscaler.
+func K8SHPAScaletargetrefKind(val string) attribute.KeyValue {
+	return K8SHPAScaletargetrefKindKey.String(val)
+}
+
+// K8SHPAScaletargetrefName returns an attribute KeyValue conforming to the
+// "k8s.hpa.scaletargetref.name" semantic conventions. It represents the name of
+// the target resource to scale for the HorizontalPodAutoscaler.
+func K8SHPAScaletargetrefName(val string) attribute.KeyValue {
+	return K8SHPAScaletargetrefNameKey.String(val)
+}
+
 // K8SHPAUID returns an attribute KeyValue conforming to the "k8s.hpa.uid"
 // semantic conventions. It represents the UID of the horizontal pod autoscaler.
 func K8SHPAUID(val string) attribute.KeyValue {
 	return K8SHPAUIDKey.String(val)
 }
 
+// K8SHugepageSize returns an attribute KeyValue conforming to the
+// "k8s.hugepage.size" semantic conventions. It represents the size (identifier)
+// of the K8s huge page.
+func K8SHugepageSize(val string) attribute.KeyValue {
+	return K8SHugepageSizeKey.String(val)
+}
+
+// K8SJobAnnotation returns an attribute KeyValue conforming to the
+// "k8s.job.annotation" semantic conventions. It represents the annotation placed
+// on the Job, the `<key>` being the annotation name, the value being the
+// annotation value, even if the value is empty.
+func K8SJobAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.job.annotation."+key, val)
+}
+
+// K8SJobLabel returns an attribute KeyValue conforming to the "k8s.job.label"
+// semantic conventions. It represents the label placed on the Job, the `<key>`
+// being the label name, the value being the label value, even if the value is
+// empty.
+func K8SJobLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.job.label."+key, val)
+}
+
 // K8SJobName returns an attribute KeyValue conforming to the "k8s.job.name"
 // semantic conventions. It represents the name of the Job.
 func K8SJobName(val string) attribute.KeyValue {
@@ -8066,6 +9023,22 @@ func K8SJobUID(val string) attribute.KeyValue {
 	return K8SJobUIDKey.String(val)
 }
 
+// K8SNamespaceAnnotation returns an attribute KeyValue conforming to the
+// "k8s.namespace.annotation" semantic conventions. It represents the annotation
+// placed on the Namespace, the `<key>` being the annotation name, the value
+// being the annotation value, even if the value is empty.
+func K8SNamespaceAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.namespace.annotation."+key, val)
+}
+
+// K8SNamespaceLabel returns an attribute KeyValue conforming to the
+// "k8s.namespace.label" semantic conventions. It represents the label placed on
+// the Namespace, the `<key>` being the label name, the value being the label
+// value, even if the value is empty.
+func K8SNamespaceLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.namespace.label."+key, val)
+}
+
 // K8SNamespaceName returns an attribute KeyValue conforming to the
 // "k8s.namespace.name" semantic conventions. It represents the name of the
 // namespace that the pod is running in.
@@ -8073,6 +9046,22 @@ func K8SNamespaceName(val string) attribute.KeyValue {
 	return K8SNamespaceNameKey.String(val)
 }
 
+// K8SNodeAnnotation returns an attribute KeyValue conforming to the
+// "k8s.node.annotation" semantic conventions. It represents the annotation
+// placed on the Node, the `<key>` being the annotation name, the value being the
+// annotation value, even if the value is empty.
+func K8SNodeAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.node.annotation."+key, val)
+}
+
+// K8SNodeLabel returns an attribute KeyValue conforming to the "k8s.node.label"
+// semantic conventions. It represents the label placed on the Node, the `<key>`
+// being the label name, the value being the label value, even if the value is
+// empty.
+func K8SNodeLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.node.label."+key, val)
+}
+
 // K8SNodeName returns an attribute KeyValue conforming to the "k8s.node.name"
 // semantic conventions. It represents the name of the Node.
 func K8SNodeName(val string) attribute.KeyValue {
@@ -8085,6 +9074,21 @@ func K8SNodeUID(val string) attribute.KeyValue {
 	return K8SNodeUIDKey.String(val)
 }
 
+// K8SPodAnnotation returns an attribute KeyValue conforming to the
+// "k8s.pod.annotation" semantic conventions. It represents the annotation placed
+// on the Pod, the `<key>` being the annotation name, the value being the
+// annotation value.
+func K8SPodAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.pod.annotation."+key, val)
+}
+
+// K8SPodLabel returns an attribute KeyValue conforming to the "k8s.pod.label"
+// semantic conventions. It represents the label placed on the Pod, the `<key>`
+// being the label name, the value being the label value.
+func K8SPodLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.pod.label."+key, val)
+}
+
 // K8SPodName returns an attribute KeyValue conforming to the "k8s.pod.name"
 // semantic conventions. It represents the name of the Pod.
 func K8SPodName(val string) attribute.KeyValue {
@@ -8097,6 +9101,22 @@ func K8SPodUID(val string) attribute.KeyValue {
 	return K8SPodUIDKey.String(val)
 }
 
+// K8SReplicaSetAnnotation returns an attribute KeyValue conforming to the
+// "k8s.replicaset.annotation" semantic conventions. It represents the annotation
+// placed on the ReplicaSet, the `<key>` being the annotation name, the value
+// being the annotation value, even if the value is empty.
+func K8SReplicaSetAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.replicaset.annotation."+key, val)
+}
+
+// K8SReplicaSetLabel returns an attribute KeyValue conforming to the
+// "k8s.replicaset.label" semantic conventions. It represents the label placed on
+// the ReplicaSet, the `<key>` being the label name, the value being the label
+// value, even if the value is empty.
+func K8SReplicaSetLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.replicaset.label."+key, val)
+}
+
 // K8SReplicaSetName returns an attribute KeyValue conforming to the
 // "k8s.replicaset.name" semantic conventions. It represents the name of the
 // ReplicaSet.
@@ -8132,6 +9152,13 @@ func K8SResourceQuotaName(val string) attribute.KeyValue {
 	return K8SResourceQuotaNameKey.String(val)
 }
 
+// K8SResourceQuotaResourceName returns an attribute KeyValue conforming to the
+// "k8s.resourcequota.resource_name" semantic conventions. It represents the name
+// of the K8s resource a resource quota defines.
+func K8SResourceQuotaResourceName(val string) attribute.KeyValue {
+	return K8SResourceQuotaResourceNameKey.String(val)
+}
+
 // K8SResourceQuotaUID returns an attribute KeyValue conforming to the
 // "k8s.resourcequota.uid" semantic conventions. It represents the UID of the
 // resource quota.
@@ -8139,6 +9166,22 @@ func K8SResourceQuotaUID(val string) attribute.KeyValue {
 	return K8SResourceQuotaUIDKey.String(val)
 }
 
+// K8SStatefulSetAnnotation returns an attribute KeyValue conforming to the
+// "k8s.statefulset.annotation" semantic conventions. It represents the
+// annotation placed on the StatefulSet, the `<key>` being the annotation name,
+// the value being the annotation value, even if the value is empty.
+func K8SStatefulSetAnnotation(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.statefulset.annotation."+key, val)
+}
+
+// K8SStatefulSetLabel returns an attribute KeyValue conforming to the
+// "k8s.statefulset.label" semantic conventions. It represents the label placed
+// on the StatefulSet, the `<key>` being the label name, the value being the
+// label value, even if the value is empty.
+func K8SStatefulSetLabel(key string, val string) attribute.KeyValue {
+	return attribute.String("k8s.statefulset.label."+key, val)
+}
+
 // K8SStatefulSetName returns an attribute KeyValue conforming to the
 // "k8s.statefulset.name" semantic conventions. It represents the name of the
 // StatefulSet.
@@ -8153,6 +9196,15 @@ func K8SStatefulSetUID(val string) attribute.KeyValue {
 	return K8SStatefulSetUIDKey.String(val)
 }
 
+// K8SStorageclassName returns an attribute KeyValue conforming to the
+// "k8s.storageclass.name" semantic conventions. It represents the name of K8s
+// [StorageClass] object.
+//
+// [StorageClass]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#storageclass-v1-storage-k8s-io
+func K8SStorageclassName(val string) attribute.KeyValue {
+	return K8SStorageclassNameKey.String(val)
+}
+
 // K8SVolumeName returns an attribute KeyValue conforming to the
 // "k8s.volume.name" semantic conventions. It represents the name of the K8s
 // volume.
@@ -8160,6 +9212,50 @@ func K8SVolumeName(val string) attribute.KeyValue {
 	return K8SVolumeNameKey.String(val)
 }
 
+// Enum values for k8s.container.status.reason
+var (
+	// The container is being created.
+	// Stability: development
+	K8SContainerStatusReasonContainerCreating = K8SContainerStatusReasonKey.String("ContainerCreating")
+	// The container is in a crash loop back off state.
+	// Stability: development
+	K8SContainerStatusReasonCrashLoopBackOff = K8SContainerStatusReasonKey.String("CrashLoopBackOff")
+	// There was an error creating the container configuration.
+	// Stability: development
+	K8SContainerStatusReasonCreateContainerConfigError = K8SContainerStatusReasonKey.String("CreateContainerConfigError")
+	// There was an error pulling the container image.
+	// Stability: development
+	K8SContainerStatusReasonErrImagePull = K8SContainerStatusReasonKey.String("ErrImagePull")
+	// The container image pull is in back off state.
+	// Stability: development
+	K8SContainerStatusReasonImagePullBackOff = K8SContainerStatusReasonKey.String("ImagePullBackOff")
+	// The container was killed due to out of memory.
+	// Stability: development
+	K8SContainerStatusReasonOomKilled = K8SContainerStatusReasonKey.String("OOMKilled")
+	// The container has completed execution.
+	// Stability: development
+	K8SContainerStatusReasonCompleted = K8SContainerStatusReasonKey.String("Completed")
+	// There was an error with the container.
+	// Stability: development
+	K8SContainerStatusReasonError = K8SContainerStatusReasonKey.String("Error")
+	// The container cannot run.
+	// Stability: development
+	K8SContainerStatusReasonContainerCannotRun = K8SContainerStatusReasonKey.String("ContainerCannotRun")
+)
+
+// Enum values for k8s.container.status.state
+var (
+	// The container has terminated.
+	// Stability: development
+	K8SContainerStatusStateTerminated = K8SContainerStatusStateKey.String("terminated")
+	// The container is running.
+	// Stability: development
+	K8SContainerStatusStateRunning = K8SContainerStatusStateKey.String("running")
+	// The container is waiting.
+	// Stability: development
+	K8SContainerStatusStateWaiting = K8SContainerStatusStateKey.String("waiting")
+)
+
 // Enum values for k8s.namespace.phase
 var (
 	// Active namespace phase as described by [K8s API]
@@ -8174,6 +9270,39 @@ var (
 	K8SNamespacePhaseTerminating = K8SNamespacePhaseKey.String("terminating")
 )
 
+// Enum values for k8s.node.condition.status
+var (
+	// condition_true
+	// Stability: development
+	K8SNodeConditionStatusConditionTrue = K8SNodeConditionStatusKey.String("true")
+	// condition_false
+	// Stability: development
+	K8SNodeConditionStatusConditionFalse = K8SNodeConditionStatusKey.String("false")
+	// condition_unknown
+	// Stability: development
+	K8SNodeConditionStatusConditionUnknown = K8SNodeConditionStatusKey.String("unknown")
+)
+
+// Enum values for k8s.node.condition.type
+var (
+	// The node is healthy and ready to accept pods
+	// Stability: development
+	K8SNodeConditionTypeReady = K8SNodeConditionTypeKey.String("Ready")
+	// Pressure exists on the disk size—that is, if the disk capacity is low
+	// Stability: development
+	K8SNodeConditionTypeDiskPressure = K8SNodeConditionTypeKey.String("DiskPressure")
+	// Pressure exists on the node memory—that is, if the node memory is low
+	// Stability: development
+	K8SNodeConditionTypeMemoryPressure = K8SNodeConditionTypeKey.String("MemoryPressure")
+	// Pressure exists on the processes—that is, if there are too many processes
+	// on the node
+	// Stability: development
+	K8SNodeConditionTypePIDPressure = K8SNodeConditionTypeKey.String("PIDPressure")
+	// The network for the node is not correctly configured
+	// Stability: development
+	K8SNodeConditionTypeNetworkUnavailable = K8SNodeConditionTypeKey.String("NetworkUnavailable")
+)
+
 // Enum values for k8s.volume.type
 var (
 	// A [persistentVolumeClaim] volume
@@ -8371,6 +9500,27 @@ var (
 	LogIostreamStderr = LogIostreamKey.String("stderr")
 )
 
+// Namespace: mainframe
+const (
+	// MainframeLparNameKey is the attribute Key conforming to the
+	// "mainframe.lpar.name" semantic conventions. It represents the name of the
+	// logical partition that hosts a systems with a mainframe operating system.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "LPAR01"
+	MainframeLparNameKey = attribute.Key("mainframe.lpar.name")
+)
+
+// MainframeLparName returns an attribute KeyValue conforming to the
+// "mainframe.lpar.name" semantic conventions. It represents the name of the
+// logical partition that hosts a systems with a mainframe operating system.
+func MainframeLparName(val string) attribute.KeyValue {
+	return MainframeLparNameKey.String(val)
+}
+
 // Namespace: messaging
 const (
 	// MessagingBatchMessageCountKey is the attribute Key conforming to the
@@ -9084,10 +10234,6 @@ var (
 	//
 	// Stability: development
 	MessagingOperationTypeSettle = MessagingOperationTypeKey.String("settle")
-	// Deprecated: Replaced by `process`.
-	MessagingOperationTypeDeliver = MessagingOperationTypeKey.String("deliver")
-	// Deprecated: Replaced by `send`.
-	MessagingOperationTypePublish = MessagingOperationTypeKey.String("publish")
 )
 
 // Enum values for messaging.rocketmq.consumption_model
@@ -9137,6 +10283,9 @@ var (
 	// Apache ActiveMQ
 	// Stability: development
 	MessagingSystemActiveMQ = MessagingSystemKey.String("activemq")
+	// Amazon Simple Notification Service (SNS)
+	// Stability: development
+	MessagingSystemAWSSNS = MessagingSystemKey.String("aws.sns")
 	// Amazon Simple Queue Service (SQS)
 	// Stability: development
 	MessagingSystemAWSSQS = MessagingSystemKey.String("aws_sqs")
@@ -9654,6 +10803,66 @@ func OCIManifestDigest(val string) attribute.KeyValue {
 	return OCIManifestDigestKey.String(val)
 }
 
+// Namespace: openai
+const (
+	// OpenAIRequestServiceTierKey is the attribute Key conforming to the
+	// "openai.request.service_tier" semantic conventions. It represents the service
+	// tier requested. May be a specific tier, default, or auto.
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "auto", "default"
+	OpenAIRequestServiceTierKey = attribute.Key("openai.request.service_tier")
+
+	// OpenAIResponseServiceTierKey is the attribute Key conforming to the
+	// "openai.response.service_tier" semantic conventions. It represents the
+	// service tier used for the response.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "scale", "default"
+	OpenAIResponseServiceTierKey = attribute.Key("openai.response.service_tier")
+
+	// OpenAIResponseSystemFingerprintKey is the attribute Key conforming to the
+	// "openai.response.system_fingerprint" semantic conventions. It represents a
+	// fingerprint to track any eventual change in the Generative AI environment.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "fp_44709d6fcb"
+	OpenAIResponseSystemFingerprintKey = attribute.Key("openai.response.system_fingerprint")
+)
+
+// OpenAIResponseServiceTier returns an attribute KeyValue conforming to the
+// "openai.response.service_tier" semantic conventions. It represents the service
+// tier used for the response.
+func OpenAIResponseServiceTier(val string) attribute.KeyValue {
+	return OpenAIResponseServiceTierKey.String(val)
+}
+
+// OpenAIResponseSystemFingerprint returns an attribute KeyValue conforming to
+// the "openai.response.system_fingerprint" semantic conventions. It represents a
+// fingerprint to track any eventual change in the Generative AI environment.
+func OpenAIResponseSystemFingerprint(val string) attribute.KeyValue {
+	return OpenAIResponseSystemFingerprintKey.String(val)
+}
+
+// Enum values for openai.request.service_tier
+var (
+	// The system will utilize scale tier credits until they are exhausted.
+	// Stability: development
+	OpenAIRequestServiceTierAuto = OpenAIRequestServiceTierKey.String("auto")
+	// The system will utilize the default scale tier.
+	// Stability: development
+	OpenAIRequestServiceTierDefault = OpenAIRequestServiceTierKey.String("default")
+)
+
 // Namespace: opentracing
 const (
 	// OpenTracingRefTypeKey is the attribute Key conforming to the
@@ -9802,7 +11011,7 @@ var (
 	OSTypeSolaris = OSTypeKey.String("solaris")
 	// IBM z/OS
 	// Stability: development
-	OSTypeZOS = OSTypeKey.String("z_os")
+	OSTypeZOS = OSTypeKey.String("zos")
 )
 
 // Namespace: otel
@@ -9866,6 +11075,17 @@ const (
 	// Examples: "io.opentelemetry.contrib.mongodb"
 	OTelScopeNameKey = attribute.Key("otel.scope.name")
 
+	// OTelScopeSchemaURLKey is the attribute Key conforming to the
+	// "otel.scope.schema_url" semantic conventions. It represents the schema URL of
+	// the instrumentation scope.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "https://opentelemetry.io/schemas/1.31.0"
+	OTelScopeSchemaURLKey = attribute.Key("otel.scope.schema_url")
+
 	// OTelScopeVersionKey is the attribute Key conforming to the
 	// "otel.scope.version" semantic conventions. It represents the version of the
 	// instrumentation scope - (`InstrumentationScope.Version` in OTLP).
@@ -9877,6 +11097,20 @@ const (
 	// Examples: "1.0.0"
 	OTelScopeVersionKey = attribute.Key("otel.scope.version")
 
+	// OTelSpanParentOriginKey is the attribute Key conforming to the
+	// "otel.span.parent.origin" semantic conventions. It represents the determines
+	// whether the span has a parent span, and if so,
+	// [whether it is a remote parent].
+	//
+	// Type: Enum
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples:
+	//
+	// [whether it is a remote parent]: https://opentelemetry.io/docs/specs/otel/trace/api/#isremote
+	OTelSpanParentOriginKey = attribute.Key("otel.span.parent.origin")
+
 	// OTelSpanSamplingResultKey is the attribute Key conforming to the
 	// "otel.span.sampling_result" semantic conventions. It represents the result
 	// value of the sampler for this span.
@@ -9926,6 +11160,13 @@ func OTelScopeName(val string) attribute.KeyValue {
 	return OTelScopeNameKey.String(val)
 }
 
+// OTelScopeSchemaURL returns an attribute KeyValue conforming to the
+// "otel.scope.schema_url" semantic conventions. It represents the schema URL of
+// the instrumentation scope.
+func OTelScopeSchemaURL(val string) attribute.KeyValue {
+	return OTelScopeSchemaURLKey.String(val)
+}
+
 // OTelScopeVersion returns an attribute KeyValue conforming to the
 // "otel.scope.version" semantic conventions. It represents the version of the
 // instrumentation scope - (`InstrumentationScope.Version` in OTLP).
@@ -9970,6 +11211,10 @@ var (
 	//
 	// Stability: development
 	OTelComponentTypeOtlpHTTPJSONSpanExporter = OTelComponentTypeKey.String("otlp_http_json_span_exporter")
+	// Zipkin span exporter over HTTP
+	//
+	// Stability: development
+	OTelComponentTypeZipkinHTTPSpanExporter = OTelComponentTypeKey.String("zipkin_http_span_exporter")
 	// OTLP log record exporter over gRPC with protobuf serialization
 	//
 	// Stability: development
@@ -9998,6 +11243,27 @@ var (
 	//
 	// Stability: development
 	OTelComponentTypeOtlpHTTPJSONMetricExporter = OTelComponentTypeKey.String("otlp_http_json_metric_exporter")
+	// Prometheus metric exporter over HTTP with the default text-based format
+	//
+	// Stability: development
+	OTelComponentTypePrometheusHTTPTextMetricExporter = OTelComponentTypeKey.String("prometheus_http_text_metric_exporter")
+)
+
+// Enum values for otel.span.parent.origin
+var (
+	// The span does not have a parent, it is a root span
+	// Stability: development
+	OTelSpanParentOriginNone = OTelSpanParentOriginKey.String("none")
+	// The span has a parent and the parent's span context [isRemote()] is false
+	// Stability: development
+	//
+	// [isRemote()]: https://opentelemetry.io/docs/specs/otel/trace/api/#isremote
+	OTelSpanParentOriginLocal = OTelSpanParentOriginKey.String("local")
+	// The span has a parent and the parent's span context [isRemote()] is true
+	// Stability: development
+	//
+	// [isRemote()]: https://opentelemetry.io/docs/specs/otel/trace/api/#isremote
+	OTelSpanParentOriginRemote = OTelSpanParentOriginKey.String("remote")
 )
 
 // Enum values for otel.span.sampling_result
@@ -10497,6 +11763,14 @@ func ProcessCreationTime(val string) attribute.KeyValue {
 	return ProcessCreationTimeKey.String(val)
 }
 
+// ProcessEnvironmentVariable returns an attribute KeyValue conforming to the
+// "process.environment_variable" semantic conventions. It represents the process
+// environment variables, `<key>` being the environment variable name, the value
+// being the environment variable value.
+func ProcessEnvironmentVariable(key string, val string) attribute.KeyValue {
+	return attribute.String("process.environment_variable."+key, val)
+}
+
 // ProcessExecutableBuildIDGNU returns an attribute KeyValue conforming to the
 // "process.executable.build_id.gnu" semantic conventions. It represents the GNU
 // build ID as found in the `.note.gnu.build-id` ELF section (hex string).
@@ -10965,6 +12239,38 @@ const (
 	RPCSystemKey = attribute.Key("rpc.system")
 )
 
+// RPCConnectRPCRequestMetadata returns an attribute KeyValue conforming to the
+// "rpc.connect_rpc.request.metadata" semantic conventions. It represents the
+// connect request metadata, `<key>` being the normalized Connect Metadata key
+// (lowercase), the value being the metadata values.
+func RPCConnectRPCRequestMetadata(key string, val ...string) attribute.KeyValue {
+	return attribute.StringSlice("rpc.connect_rpc.request.metadata."+key, val)
+}
+
+// RPCConnectRPCResponseMetadata returns an attribute KeyValue conforming to the
+// "rpc.connect_rpc.response.metadata" semantic conventions. It represents the
+// connect response metadata, `<key>` being the normalized Connect Metadata key
+// (lowercase), the value being the metadata values.
+func RPCConnectRPCResponseMetadata(key string, val ...string) attribute.KeyValue {
+	return attribute.StringSlice("rpc.connect_rpc.response.metadata."+key, val)
+}
+
+// RPCGRPCRequestMetadata returns an attribute KeyValue conforming to the
+// "rpc.grpc.request.metadata" semantic conventions. It represents the gRPC
+// request metadata, `<key>` being the normalized gRPC Metadata key (lowercase),
+// the value being the metadata values.
+func RPCGRPCRequestMetadata(key string, val ...string) attribute.KeyValue {
+	return attribute.StringSlice("rpc.grpc.request.metadata."+key, val)
+}
+
+// RPCGRPCResponseMetadata returns an attribute KeyValue conforming to the
+// "rpc.grpc.response.metadata" semantic conventions. It represents the gRPC
+// response metadata, `<key>` being the normalized gRPC Metadata key (lowercase),
+// the value being the metadata values.
+func RPCGRPCResponseMetadata(key string, val ...string) attribute.KeyValue {
+	return attribute.StringSlice("rpc.grpc.response.metadata."+key, val)
+}
+
 // RPCJSONRPCErrorCode returns an attribute KeyValue conforming to the
 // "rpc.jsonrpc.error_code" semantic conventions. It represents the `error.code`
 // property of response if it is an error response.
@@ -11820,15 +13126,12 @@ var (
 
 // Enum values for system.memory.state
 var (
-	// used
+	// Actual used virtual memory in bytes.
 	// Stability: development
 	SystemMemoryStateUsed = SystemMemoryStateKey.String("used")
 	// free
 	// Stability: development
 	SystemMemoryStateFree = SystemMemoryStateKey.String("free")
-	// Deprecated: Removed, report shared memory usage with
-	// `metric.system.memory.shared` metric.
-	SystemMemoryStateShared = SystemMemoryStateKey.String("shared")
 	// buffers
 	// Stability: development
 	SystemMemoryStateBuffers = SystemMemoryStateKey.String("buffers")
@@ -13727,8 +15030,6 @@ var (
 	//
 	// [GitLab]: https://gitlab.com
 	VCSProviderNameGitlab = VCSProviderNameKey.String("gitlab")
-	// Deprecated: Replaced by `gitea`.
-	VCSProviderNameGittea = VCSProviderNameKey.String("gittea")
 	// [Gitea]
 	// Stability: development
 	//
@@ -13848,4 +15149,45 @@ func WebEngineName(val string) attribute.KeyValue {
 // engine.
 func WebEngineVersion(val string) attribute.KeyValue {
 	return WebEngineVersionKey.String(val)
+}
+
+// Namespace: zos
+const (
+	// ZOSSmfIDKey is the attribute Key conforming to the "zos.smf.id" semantic
+	// conventions. It represents the System Management Facility (SMF) Identifier
+	// uniquely identified a z/OS system within a SYSPLEX or mainframe environment
+	// and is used for system and performance analysis.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "SYS1"
+	ZOSSmfIDKey = attribute.Key("zos.smf.id")
+
+	// ZOSSysplexNameKey is the attribute Key conforming to the "zos.sysplex.name"
+	// semantic conventions. It represents the name of the SYSPLEX to which the z/OS
+	// system belongs too.
+	//
+	// Type: string
+	// RequirementLevel: Recommended
+	// Stability: Development
+	//
+	// Examples: "SYSPLEX1"
+	ZOSSysplexNameKey = attribute.Key("zos.sysplex.name")
+)
+
+// ZOSSmfID returns an attribute KeyValue conforming to the "zos.smf.id" semantic
+// conventions. It represents the System Management Facility (SMF) Identifier
+// uniquely identified a z/OS system within a SYSPLEX or mainframe environment
+// and is used for system and performance analysis.
+func ZOSSmfID(val string) attribute.KeyValue {
+	return ZOSSmfIDKey.String(val)
+}
+
+// ZOSSysplexName returns an attribute KeyValue conforming to the
+// "zos.sysplex.name" semantic conventions. It represents the name of the SYSPLEX
+// to which the z/OS system belongs too.
+func ZOSSysplexName(val string) attribute.KeyValue {
+	return ZOSSysplexNameKey.String(val)
 }
\ No newline at end of file
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go
similarity index 96%
rename from vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go
rename to vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go
index 2c5c7ebd04..1110103210 100644
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/doc.go
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/doc.go
@@ -4,6 +4,6 @@
 // Package semconv implements OpenTelemetry semantic conventions.
 //
 // OpenTelemetry semantic conventions are agreed standardized naming
-// patterns for OpenTelemetry things. This package represents the v1.34.0
+// patterns for OpenTelemetry things. This package represents the v1.37.0
 // version of the OpenTelemetry semantic conventions.
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.34.0"
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.37.0"
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go
new file mode 100644
index 0000000000..666bded4ba
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/error_type.go
@@ -0,0 +1,31 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.37.0"
+
+import (
+	"fmt"
+	"reflect"
+
+	"go.opentelemetry.io/otel/attribute"
+)
+
+// ErrorType returns an [attribute.KeyValue] identifying the error type of err.
+func ErrorType(err error) attribute.KeyValue {
+	if err == nil {
+		return ErrorTypeOther
+	}
+	t := reflect.TypeOf(err)
+	var value string
+	if t.PkgPath() == "" && t.Name() == "" {
+		// Likely a builtin type.
+		value = t.String()
+	} else {
+		value = fmt.Sprintf("%s.%s", t.PkgPath(), t.Name())
+	}
+
+	if value == "" {
+		return ErrorTypeOther
+	}
+	return ErrorTypeKey.String(value)
+}
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go
similarity index 98%
rename from vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go
rename to vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go
index 88a998f1e5..e67469a4f6 100644
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/exception.go
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/exception.go
@@ -1,7 +1,7 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.34.0"
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.37.0"
 
 const (
 	// ExceptionEventName is the name of the Span event representing an exception.
diff --git a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go
similarity index 85%
rename from vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go
rename to vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go
index 3c23d45925..f8a0b70441 100644
--- a/vendor/go.opentelemetry.io/otel/semconv/v1.34.0/schema.go
+++ b/vendor/go.opentelemetry.io/otel/semconv/v1.37.0/schema.go
@@ -1,9 +1,9 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
-package semconv // import "go.opentelemetry.io/otel/semconv/v1.34.0"
+package semconv // import "go.opentelemetry.io/otel/semconv/v1.37.0"
 
 // SchemaURL is the schema URL that matches the version of the semantic conventions
 // that this package defines. Semconv packages starting from v1.4.0 must declare
 // non-empty schema URL in the form https://opentelemetry.io/schemas/<version>
-const SchemaURL = "https://opentelemetry.io/schemas/1.34.0"
+const SchemaURL = "https://opentelemetry.io/schemas/1.37.0"
diff --git a/vendor/go.opentelemetry.io/otel/trace/LICENSE b/vendor/go.opentelemetry.io/otel/trace/LICENSE
index 261eeb9e9f..f1aee0f110 100644
--- a/vendor/go.opentelemetry.io/otel/trace/LICENSE
+++ b/vendor/go.opentelemetry.io/otel/trace/LICENSE
@@ -199,3 +199,33 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+--------------------------------------------------------------------------------
+
+Copyright 2009 The Go Authors.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google LLC nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/vendor/go.opentelemetry.io/otel/trace/auto.go b/vendor/go.opentelemetry.io/otel/trace/auto.go
index f3aa398138..8763936a84 100644
--- a/vendor/go.opentelemetry.io/otel/trace/auto.go
+++ b/vendor/go.opentelemetry.io/otel/trace/auto.go
@@ -20,7 +20,7 @@ import (
 
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
-	semconv "go.opentelemetry.io/otel/semconv/v1.34.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.37.0"
 	"go.opentelemetry.io/otel/trace/embedded"
 	"go.opentelemetry.io/otel/trace/internal/telemetry"
 )
@@ -39,7 +39,7 @@ type autoTracerProvider struct{ embedded.TracerProvider }
 
 var _ TracerProvider = autoTracerProvider{}
 
-func (p autoTracerProvider) Tracer(name string, opts ...TracerOption) Tracer {
+func (autoTracerProvider) Tracer(name string, opts ...TracerOption) Tracer {
 	cfg := NewTracerConfig(opts...)
 	return autoTracer{
 		name:      name,
@@ -81,7 +81,7 @@ func (t autoTracer) Start(ctx context.Context, name string, opts ...SpanStartOpt
 // Expected to be implemented in eBPF.
 //
 //go:noinline
-func (t *autoTracer) start(
+func (*autoTracer) start(
 	ctx context.Context,
 	spanPtr *autoSpan,
 	psc *SpanContext,
diff --git a/vendor/go.opentelemetry.io/otel/trace/config.go b/vendor/go.opentelemetry.io/otel/trace/config.go
index 9c0b720a4d..aea11a2b52 100644
--- a/vendor/go.opentelemetry.io/otel/trace/config.go
+++ b/vendor/go.opentelemetry.io/otel/trace/config.go
@@ -73,7 +73,7 @@ func (cfg *SpanConfig) Timestamp() time.Time {
 	return cfg.timestamp
 }
 
-// StackTrace checks whether stack trace capturing is enabled.
+// StackTrace reports whether stack trace capturing is enabled.
 func (cfg *SpanConfig) StackTrace() bool {
 	return cfg.stackTrace
 }
@@ -154,7 +154,7 @@ func (cfg *EventConfig) Timestamp() time.Time {
 	return cfg.timestamp
 }
 
-// StackTrace checks whether stack trace capturing is enabled.
+// StackTrace reports whether stack trace capturing is enabled.
 func (cfg *EventConfig) StackTrace() bool {
 	return cfg.stackTrace
 }
diff --git a/vendor/go.opentelemetry.io/otel/trace/hex.go b/vendor/go.opentelemetry.io/otel/trace/hex.go
new file mode 100644
index 0000000000..1cbef1d4b9
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/trace/hex.go
@@ -0,0 +1,38 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package trace // import "go.opentelemetry.io/otel/trace"
+
+const (
+	// hexLU is a hex lookup table of the 16 lowercase hex digits.
+	// The character values of the string are indexed at the equivalent
+	// hexadecimal value they represent. This table efficiently encodes byte data
+	// into a string representation of hexadecimal.
+	hexLU = "0123456789abcdef"
+
+	// hexRev is a reverse hex lookup table for lowercase hex digits.
+	// The table is efficiently decodes a hexadecimal string into bytes.
+	// Valid hexadecimal characters are indexed at their respective values. All
+	// other invalid ASCII characters are represented with '\xff'.
+	//
+	// The '\xff' character is used as invalid because no valid character has
+	// the upper 4 bits set. Meaning, an efficient validation can be performed
+	// over multiple character parsing by checking these bits remain zero.
+	hexRev = "" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\x0a\x0b\x0c\x0d\x0e\x0f\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +
+		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+)
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go
index f663547b4e..ff0f6eac62 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go
@@ -52,7 +52,7 @@ func Map(key string, value ...Attr) Attr {
 	return Attr{key, MapValue(value...)}
 }
 
-// Equal returns if a is equal to b.
+// Equal reports whether a is equal to b.
 func (a Attr) Equal(b Attr) bool {
 	return a.Key == b.Key && a.Value.Equal(b.Value)
 }
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go
index 7b1ae3c4ea..bea56f2e7d 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go
@@ -22,7 +22,7 @@ func (tid TraceID) String() string {
 	return hex.EncodeToString(tid[:])
 }
 
-// IsEmpty returns false if id contains at least one non-zero byte.
+// IsEmpty reports whether the TraceID contains only zero bytes.
 func (tid TraceID) IsEmpty() bool {
 	return tid == [traceIDSize]byte{}
 }
@@ -50,7 +50,7 @@ func (sid SpanID) String() string {
 	return hex.EncodeToString(sid[:])
 }
 
-// IsEmpty returns true if the span ID contains at least one non-zero byte.
+// IsEmpty reports whether the SpanID contains only zero bytes.
 func (sid SpanID) IsEmpty() bool {
 	return sid == [spanIDSize]byte{}
 }
@@ -82,7 +82,7 @@ func marshalJSON(id []byte) ([]byte, error) {
 }
 
 // unmarshalJSON inflates trace id from hex string, possibly enclosed in quotes.
-func unmarshalJSON(dst []byte, src []byte) error {
+func unmarshalJSON(dst, src []byte) error {
 	if l := len(src); l >= 2 && src[0] == '"' && src[l-1] == '"' {
 		src = src[1 : l-1]
 	}
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
index ae9ce102a9..cb7927b816 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
@@ -257,10 +257,10 @@ func (v Value) Kind() ValueKind {
 	}
 }
 
-// Empty returns if v does not hold any value.
+// Empty reports whether v does not hold any value.
 func (v Value) Empty() bool { return v.Kind() == ValueKindEmpty }
 
-// Equal returns if v is equal to w.
+// Equal reports whether v is equal to w.
 func (v Value) Equal(w Value) bool {
 	k1 := v.Kind()
 	k2 := w.Kind()
diff --git a/vendor/go.opentelemetry.io/otel/trace/noop.go b/vendor/go.opentelemetry.io/otel/trace/noop.go
index 0f56e4dbb3..400fab1238 100644
--- a/vendor/go.opentelemetry.io/otel/trace/noop.go
+++ b/vendor/go.opentelemetry.io/otel/trace/noop.go
@@ -26,7 +26,7 @@ type noopTracerProvider struct{ embedded.TracerProvider }
 var _ TracerProvider = noopTracerProvider{}
 
 // Tracer returns noop implementation of Tracer.
-func (p noopTracerProvider) Tracer(string, ...TracerOption) Tracer {
+func (noopTracerProvider) Tracer(string, ...TracerOption) Tracer {
 	return noopTracer{}
 }
 
@@ -37,7 +37,7 @@ var _ Tracer = noopTracer{}
 
 // Start carries forward a non-recording Span, if one is present in the context, otherwise it
 // creates a no-op Span.
-func (t noopTracer) Start(ctx context.Context, name string, _ ...SpanStartOption) (context.Context, Span) {
+func (noopTracer) Start(ctx context.Context, _ string, _ ...SpanStartOption) (context.Context, Span) {
 	span := SpanFromContext(ctx)
 	if _, ok := span.(nonRecordingSpan); !ok {
 		// span is likely already a noopSpan, but let's be sure
diff --git a/vendor/go.opentelemetry.io/otel/trace/trace.go b/vendor/go.opentelemetry.io/otel/trace/trace.go
index d49adf671b..ee6f4bcb2a 100644
--- a/vendor/go.opentelemetry.io/otel/trace/trace.go
+++ b/vendor/go.opentelemetry.io/otel/trace/trace.go
@@ -4,8 +4,6 @@
 package trace // import "go.opentelemetry.io/otel/trace"
 
 import (
-	"bytes"
-	"encoding/hex"
 	"encoding/json"
 )
 
@@ -38,21 +36,47 @@ var (
 	_          json.Marshaler = nilTraceID
 )
 
-// IsValid checks whether the trace TraceID is valid. A valid trace ID does
+// IsValid reports whether the trace TraceID is valid. A valid trace ID does
 // not consist of zeros only.
 func (t TraceID) IsValid() bool {
-	return !bytes.Equal(t[:], nilTraceID[:])
+	return t != nilTraceID
 }
 
 // MarshalJSON implements a custom marshal function to encode TraceID
 // as a hex string.
 func (t TraceID) MarshalJSON() ([]byte, error) {
-	return json.Marshal(t.String())
+	b := [32 + 2]byte{0: '"', 33: '"'}
+	h := t.hexBytes()
+	copy(b[1:], h[:])
+	return b[:], nil
 }
 
 // String returns the hex string representation form of a TraceID.
 func (t TraceID) String() string {
-	return hex.EncodeToString(t[:])
+	h := t.hexBytes()
+	return string(h[:])
+}
+
+// hexBytes returns the hex string representation form of a TraceID.
+func (t TraceID) hexBytes() [32]byte {
+	return [32]byte{
+		hexLU[t[0x0]>>4], hexLU[t[0x0]&0xf],
+		hexLU[t[0x1]>>4], hexLU[t[0x1]&0xf],
+		hexLU[t[0x2]>>4], hexLU[t[0x2]&0xf],
+		hexLU[t[0x3]>>4], hexLU[t[0x3]&0xf],
+		hexLU[t[0x4]>>4], hexLU[t[0x4]&0xf],
+		hexLU[t[0x5]>>4], hexLU[t[0x5]&0xf],
+		hexLU[t[0x6]>>4], hexLU[t[0x6]&0xf],
+		hexLU[t[0x7]>>4], hexLU[t[0x7]&0xf],
+		hexLU[t[0x8]>>4], hexLU[t[0x8]&0xf],
+		hexLU[t[0x9]>>4], hexLU[t[0x9]&0xf],
+		hexLU[t[0xa]>>4], hexLU[t[0xa]&0xf],
+		hexLU[t[0xb]>>4], hexLU[t[0xb]&0xf],
+		hexLU[t[0xc]>>4], hexLU[t[0xc]&0xf],
+		hexLU[t[0xd]>>4], hexLU[t[0xd]&0xf],
+		hexLU[t[0xe]>>4], hexLU[t[0xe]&0xf],
+		hexLU[t[0xf]>>4], hexLU[t[0xf]&0xf],
+	}
 }
 
 // SpanID is a unique identity of a span in a trace.
@@ -63,21 +87,38 @@ var (
 	_         json.Marshaler = nilSpanID
 )
 
-// IsValid checks whether the SpanID is valid. A valid SpanID does not consist
+// IsValid reports whether the SpanID is valid. A valid SpanID does not consist
 // of zeros only.
 func (s SpanID) IsValid() bool {
-	return !bytes.Equal(s[:], nilSpanID[:])
+	return s != nilSpanID
 }
 
 // MarshalJSON implements a custom marshal function to encode SpanID
 // as a hex string.
 func (s SpanID) MarshalJSON() ([]byte, error) {
-	return json.Marshal(s.String())
+	b := [16 + 2]byte{0: '"', 17: '"'}
+	h := s.hexBytes()
+	copy(b[1:], h[:])
+	return b[:], nil
 }
 
 // String returns the hex string representation form of a SpanID.
 func (s SpanID) String() string {
-	return hex.EncodeToString(s[:])
+	b := s.hexBytes()
+	return string(b[:])
+}
+
+func (s SpanID) hexBytes() [16]byte {
+	return [16]byte{
+		hexLU[s[0]>>4], hexLU[s[0]&0xf],
+		hexLU[s[1]>>4], hexLU[s[1]&0xf],
+		hexLU[s[2]>>4], hexLU[s[2]&0xf],
+		hexLU[s[3]>>4], hexLU[s[3]&0xf],
+		hexLU[s[4]>>4], hexLU[s[4]&0xf],
+		hexLU[s[5]>>4], hexLU[s[5]&0xf],
+		hexLU[s[6]>>4], hexLU[s[6]&0xf],
+		hexLU[s[7]>>4], hexLU[s[7]&0xf],
+	}
 }
 
 // TraceIDFromHex returns a TraceID from a hex string if it is compliant with
@@ -85,65 +126,58 @@ func (s SpanID) String() string {
 // https://www.w3.org/TR/trace-context/#trace-id
 // nolint:revive // revive complains about stutter of `trace.TraceIDFromHex`.
 func TraceIDFromHex(h string) (TraceID, error) {
-	t := TraceID{}
 	if len(h) != 32 {
-		return t, errInvalidTraceIDLength
+		return [16]byte{}, errInvalidTraceIDLength
 	}
-
-	if err := decodeHex(h, t[:]); err != nil {
-		return t, err
+	var b [16]byte
+	invalidMark := byte(0)
+	for i := 0; i < len(h); i += 4 {
+		b[i/2] = (hexRev[h[i]] << 4) | hexRev[h[i+1]]
+		b[i/2+1] = (hexRev[h[i+2]] << 4) | hexRev[h[i+3]]
+		invalidMark |= hexRev[h[i]] | hexRev[h[i+1]] | hexRev[h[i+2]] | hexRev[h[i+3]]
 	}
-
-	if !t.IsValid() {
-		return t, errNilTraceID
+	// If the upper 4 bits of any byte are not zero, there was an invalid hex
+	// character since invalid hex characters are 0xff in hexRev.
+	if invalidMark&0xf0 != 0 {
+		return [16]byte{}, errInvalidHexID
+	}
+	// If we didn't set any bits, then h was all zeros.
+	if invalidMark == 0 {
+		return [16]byte{}, errNilTraceID
 	}
-	return t, nil
+	return b, nil
 }
 
 // SpanIDFromHex returns a SpanID from a hex string if it is compliant
 // with the w3c trace-context specification.
 // See more at https://www.w3.org/TR/trace-context/#parent-id
 func SpanIDFromHex(h string) (SpanID, error) {
-	s := SpanID{}
 	if len(h) != 16 {
-		return s, errInvalidSpanIDLength
-	}
-
-	if err := decodeHex(h, s[:]); err != nil {
-		return s, err
+		return [8]byte{}, errInvalidSpanIDLength
 	}
-
-	if !s.IsValid() {
-		return s, errNilSpanID
+	var b [8]byte
+	invalidMark := byte(0)
+	for i := 0; i < len(h); i += 4 {
+		b[i/2] = (hexRev[h[i]] << 4) | hexRev[h[i+1]]
+		b[i/2+1] = (hexRev[h[i+2]] << 4) | hexRev[h[i+3]]
+		invalidMark |= hexRev[h[i]] | hexRev[h[i+1]] | hexRev[h[i+2]] | hexRev[h[i+3]]
 	}
-	return s, nil
-}
-
-func decodeHex(h string, b []byte) error {
-	for _, r := range h {
-		switch {
-		case 'a' <= r && r <= 'f':
-			continue
-		case '0' <= r && r <= '9':
-			continue
-		default:
-			return errInvalidHexID
-		}
+	// If the upper 4 bits of any byte are not zero, there was an invalid hex
+	// character since invalid hex characters are 0xff in hexRev.
+	if invalidMark&0xf0 != 0 {
+		return [8]byte{}, errInvalidHexID
 	}
-
-	decoded, err := hex.DecodeString(h)
-	if err != nil {
-		return err
+	// If we didn't set any bits, then h was all zeros.
+	if invalidMark == 0 {
+		return [8]byte{}, errNilSpanID
 	}
-
-	copy(b, decoded)
-	return nil
+	return b, nil
 }
 
 // TraceFlags contains flags that can be set on a SpanContext.
 type TraceFlags byte //nolint:revive // revive complains about stutter of `trace.TraceFlags`.
 
-// IsSampled returns if the sampling bit is set in the TraceFlags.
+// IsSampled reports whether the sampling bit is set in the TraceFlags.
 func (tf TraceFlags) IsSampled() bool {
 	return tf&FlagsSampled == FlagsSampled
 }
@@ -160,12 +194,20 @@ func (tf TraceFlags) WithSampled(sampled bool) TraceFlags { // nolint:revive  //
 // MarshalJSON implements a custom marshal function to encode TraceFlags
 // as a hex string.
 func (tf TraceFlags) MarshalJSON() ([]byte, error) {
-	return json.Marshal(tf.String())
+	b := [2 + 2]byte{0: '"', 3: '"'}
+	h := tf.hexBytes()
+	copy(b[1:], h[:])
+	return b[:], nil
 }
 
 // String returns the hex string representation form of TraceFlags.
 func (tf TraceFlags) String() string {
-	return hex.EncodeToString([]byte{byte(tf)}[:])
+	h := tf.hexBytes()
+	return string(h[:])
+}
+
+func (tf TraceFlags) hexBytes() [2]byte {
+	return [2]byte{hexLU[tf>>4], hexLU[tf&0xf]}
 }
 
 // SpanContextConfig contains mutable fields usable for constructing
@@ -201,13 +243,13 @@ type SpanContext struct {
 
 var _ json.Marshaler = SpanContext{}
 
-// IsValid returns if the SpanContext is valid. A valid span context has a
+// IsValid reports whether the SpanContext is valid. A valid span context has a
 // valid TraceID and SpanID.
 func (sc SpanContext) IsValid() bool {
 	return sc.HasTraceID() && sc.HasSpanID()
 }
 
-// IsRemote indicates whether the SpanContext represents a remotely-created Span.
+// IsRemote reports whether the SpanContext represents a remotely-created Span.
 func (sc SpanContext) IsRemote() bool {
 	return sc.remote
 }
@@ -228,7 +270,7 @@ func (sc SpanContext) TraceID() TraceID {
 	return sc.traceID
 }
 
-// HasTraceID checks if the SpanContext has a valid TraceID.
+// HasTraceID reports whether the SpanContext has a valid TraceID.
 func (sc SpanContext) HasTraceID() bool {
 	return sc.traceID.IsValid()
 }
@@ -249,7 +291,7 @@ func (sc SpanContext) SpanID() SpanID {
 	return sc.spanID
 }
 
-// HasSpanID checks if the SpanContext has a valid SpanID.
+// HasSpanID reports whether the SpanContext has a valid SpanID.
 func (sc SpanContext) HasSpanID() bool {
 	return sc.spanID.IsValid()
 }
@@ -270,7 +312,7 @@ func (sc SpanContext) TraceFlags() TraceFlags {
 	return sc.traceFlags
 }
 
-// IsSampled returns if the sampling bit is set in the SpanContext's TraceFlags.
+// IsSampled reports whether the sampling bit is set in the SpanContext's TraceFlags.
 func (sc SpanContext) IsSampled() bool {
 	return sc.traceFlags.IsSampled()
 }
@@ -302,7 +344,7 @@ func (sc SpanContext) WithTraceState(state TraceState) SpanContext {
 	}
 }
 
-// Equal is a predicate that determines whether two SpanContext values are equal.
+// Equal reports whether two SpanContext values are equal.
 func (sc SpanContext) Equal(other SpanContext) bool {
 	return sc.traceID == other.traceID &&
 		sc.spanID == other.spanID &&
diff --git a/vendor/go.opentelemetry.io/otel/trace/tracestate.go b/vendor/go.opentelemetry.io/otel/trace/tracestate.go
index dc5e34cad0..073adae2fa 100644
--- a/vendor/go.opentelemetry.io/otel/trace/tracestate.go
+++ b/vendor/go.opentelemetry.io/otel/trace/tracestate.go
@@ -80,7 +80,7 @@ func checkKeyRemain(key string) bool {
 //
 // param n is remain part length, should be 255 in simple-key or 13 in system-id.
 func checkKeyPart(key string, n int) bool {
-	if len(key) == 0 {
+	if key == "" {
 		return false
 	}
 	first := key[0] // key's first char
@@ -102,7 +102,7 @@ func isAlphaNum(c byte) bool {
 //
 // param n is remain part length, should be 240 exactly.
 func checkKeyTenant(key string, n int) bool {
-	if len(key) == 0 {
+	if key == "" {
 		return false
 	}
 	return isAlphaNum(key[0]) && len(key[1:]) <= n && checkKeyRemain(key[1:])
@@ -191,7 +191,7 @@ func ParseTraceState(ts string) (TraceState, error) {
 	for ts != "" {
 		var memberStr string
 		memberStr, ts, _ = strings.Cut(ts, listDelimiters)
-		if len(memberStr) == 0 {
+		if memberStr == "" {
 			continue
 		}
 
diff --git a/vendor/go.uber.org/zap/zapgrpc/zapgrpc.go b/vendor/go.uber.org/zap/zapgrpc/zapgrpc.go
new file mode 100644
index 0000000000..682de254de
--- /dev/null
+++ b/vendor/go.uber.org/zap/zapgrpc/zapgrpc.go
@@ -0,0 +1,243 @@
+// Copyright (c) 2016 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+// Package zapgrpc provides a logger that is compatible with grpclog.
+package zapgrpc // import "go.uber.org/zap/zapgrpc"
+
+import (
+	"fmt"
+
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+// See https://github.com/grpc/grpc-go/blob/v1.35.0/grpclog/loggerv2.go#L77-L86
+const (
+	grpcLvlInfo int = iota
+	grpcLvlWarn
+	grpcLvlError
+	grpcLvlFatal
+)
+
+// _grpcToZapLevel maps gRPC log levels to zap log levels.
+// See https://pkg.go.dev/go.uber.org/zap@v1.16.0/zapcore#Level
+var _grpcToZapLevel = map[int]zapcore.Level{
+	grpcLvlInfo:  zapcore.InfoLevel,
+	grpcLvlWarn:  zapcore.WarnLevel,
+	grpcLvlError: zapcore.ErrorLevel,
+	grpcLvlFatal: zapcore.FatalLevel,
+}
+
+// An Option overrides a Logger's default configuration.
+type Option interface {
+	apply(*Logger)
+}
+
+type optionFunc func(*Logger)
+
+func (f optionFunc) apply(log *Logger) {
+	f(log)
+}
+
+// WithDebug configures a Logger to print at zap's DebugLevel instead of
+// InfoLevel.
+// It only affects the Printf, Println and Print methods, which are only used in the gRPC v1 grpclog.Logger API.
+//
+// Deprecated: use grpclog.SetLoggerV2() for v2 API.
+func WithDebug() Option {
+	return optionFunc(func(logger *Logger) {
+		logger.print = &printer{
+			enab:   logger.levelEnabler,
+			level:  zapcore.DebugLevel,
+			print:  logger.delegate.Debug,
+			printf: logger.delegate.Debugf,
+		}
+	})
+}
+
+// withWarn redirects the fatal level to the warn level, which makes testing
+// easier. This is intentionally unexported.
+func withWarn() Option {
+	return optionFunc(func(logger *Logger) {
+		logger.fatal = &printer{
+			enab:   logger.levelEnabler,
+			level:  zapcore.WarnLevel,
+			print:  logger.delegate.Warn,
+			printf: logger.delegate.Warnf,
+		}
+	})
+}
+
+// NewLogger returns a new Logger.
+func NewLogger(l *zap.Logger, options ...Option) *Logger {
+	logger := &Logger{
+		delegate:     l.Sugar(),
+		levelEnabler: l.Core(),
+	}
+	logger.print = &printer{
+		enab:   logger.levelEnabler,
+		level:  zapcore.InfoLevel,
+		print:  logger.delegate.Info,
+		printf: logger.delegate.Infof,
+	}
+	logger.fatal = &printer{
+		enab:   logger.levelEnabler,
+		level:  zapcore.FatalLevel,
+		print:  logger.delegate.Fatal,
+		printf: logger.delegate.Fatalf,
+	}
+	for _, option := range options {
+		option.apply(logger)
+	}
+	return logger
+}
+
+// printer implements Print, Printf, and Println operations for a Zap level.
+//
+// We use it to customize Debug vs Info, and Warn vs Fatal for Print and Fatal
+// respectively.
+type printer struct {
+	enab   zapcore.LevelEnabler
+	level  zapcore.Level
+	print  func(...interface{})
+	printf func(string, ...interface{})
+}
+
+func (v *printer) Print(args ...interface{}) {
+	v.print(args...)
+}
+
+func (v *printer) Printf(format string, args ...interface{}) {
+	v.printf(format, args...)
+}
+
+func (v *printer) Println(args ...interface{}) {
+	if v.enab.Enabled(v.level) {
+		v.print(sprintln(args))
+	}
+}
+
+// Logger adapts zap's Logger to be compatible with grpclog.LoggerV2 and the deprecated grpclog.Logger.
+type Logger struct {
+	delegate     *zap.SugaredLogger
+	levelEnabler zapcore.LevelEnabler
+	print        *printer
+	fatal        *printer
+	// printToDebug bool
+	// fatalToWarn  bool
+}
+
+// Print implements grpclog.Logger.
+//
+// Deprecated: use [Logger.Info].
+func (l *Logger) Print(args ...interface{}) {
+	l.print.Print(args...)
+}
+
+// Printf implements grpclog.Logger.
+//
+// Deprecated: use [Logger.Infof].
+func (l *Logger) Printf(format string, args ...interface{}) {
+	l.print.Printf(format, args...)
+}
+
+// Println implements grpclog.Logger.
+//
+// Deprecated: use [Logger.Info].
+func (l *Logger) Println(args ...interface{}) {
+	l.print.Println(args...)
+}
+
+// Info implements grpclog.LoggerV2.
+func (l *Logger) Info(args ...interface{}) {
+	l.delegate.Info(args...)
+}
+
+// Infoln implements grpclog.LoggerV2.
+func (l *Logger) Infoln(args ...interface{}) {
+	if l.levelEnabler.Enabled(zapcore.InfoLevel) {
+		l.delegate.Info(sprintln(args))
+	}
+}
+
+// Infof implements grpclog.LoggerV2.
+func (l *Logger) Infof(format string, args ...interface{}) {
+	l.delegate.Infof(format, args...)
+}
+
+// Warning implements grpclog.LoggerV2.
+func (l *Logger) Warning(args ...interface{}) {
+	l.delegate.Warn(args...)
+}
+
+// Warningln implements grpclog.LoggerV2.
+func (l *Logger) Warningln(args ...interface{}) {
+	if l.levelEnabler.Enabled(zapcore.WarnLevel) {
+		l.delegate.Warn(sprintln(args))
+	}
+}
+
+// Warningf implements grpclog.LoggerV2.
+func (l *Logger) Warningf(format string, args ...interface{}) {
+	l.delegate.Warnf(format, args...)
+}
+
+// Error implements grpclog.LoggerV2.
+func (l *Logger) Error(args ...interface{}) {
+	l.delegate.Error(args...)
+}
+
+// Errorln implements grpclog.LoggerV2.
+func (l *Logger) Errorln(args ...interface{}) {
+	if l.levelEnabler.Enabled(zapcore.ErrorLevel) {
+		l.delegate.Error(sprintln(args))
+	}
+}
+
+// Errorf implements grpclog.LoggerV2.
+func (l *Logger) Errorf(format string, args ...interface{}) {
+	l.delegate.Errorf(format, args...)
+}
+
+// Fatal implements grpclog.LoggerV2.
+func (l *Logger) Fatal(args ...interface{}) {
+	l.fatal.Print(args...)
+}
+
+// Fatalln implements grpclog.LoggerV2.
+func (l *Logger) Fatalln(args ...interface{}) {
+	l.fatal.Println(args...)
+}
+
+// Fatalf implements grpclog.LoggerV2.
+func (l *Logger) Fatalf(format string, args ...interface{}) {
+	l.fatal.Printf(format, args...)
+}
+
+// V implements grpclog.LoggerV2.
+func (l *Logger) V(level int) bool {
+	return l.levelEnabler.Enabled(_grpcToZapLevel[level])
+}
+
+func sprintln(args []interface{}) string {
+	s := fmt.Sprintln(args...)
+	// Drop the new line character added by Sprintln
+	return s[:len(s)-1]
+}
diff --git a/vendor/golang.org/x/crypto/bcrypt/base64.go b/vendor/golang.org/x/crypto/bcrypt/base64.go
new file mode 100644
index 0000000000..fc31160908
--- /dev/null
+++ b/vendor/golang.org/x/crypto/bcrypt/base64.go
@@ -0,0 +1,35 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package bcrypt
+
+import "encoding/base64"
+
+const alphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+
+var bcEncoding = base64.NewEncoding(alphabet)
+
+func base64Encode(src []byte) []byte {
+	n := bcEncoding.EncodedLen(len(src))
+	dst := make([]byte, n)
+	bcEncoding.Encode(dst, src)
+	for dst[n-1] == '=' {
+		n--
+	}
+	return dst[:n]
+}
+
+func base64Decode(src []byte) ([]byte, error) {
+	numOfEquals := 4 - (len(src) % 4)
+	for i := 0; i < numOfEquals; i++ {
+		src = append(src, '=')
+	}
+
+	dst := make([]byte, bcEncoding.DecodedLen(len(src)))
+	n, err := bcEncoding.Decode(dst, src)
+	if err != nil {
+		return nil, err
+	}
+	return dst[:n], nil
+}
diff --git a/vendor/golang.org/x/crypto/bcrypt/bcrypt.go b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go
new file mode 100644
index 0000000000..3e7f8df871
--- /dev/null
+++ b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go
@@ -0,0 +1,304 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
+// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
+package bcrypt
+
+// The code is a port of Provos and Mazières's C implementation.
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"errors"
+	"fmt"
+	"io"
+	"strconv"
+
+	"golang.org/x/crypto/blowfish"
+)
+
+const (
+	MinCost     int = 4  // the minimum allowable cost as passed in to GenerateFromPassword
+	MaxCost     int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
+	DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
+)
+
+// The error returned from CompareHashAndPassword when a password and hash do
+// not match.
+var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
+
+// The error returned from CompareHashAndPassword when a hash is too short to
+// be a bcrypt hash.
+var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
+
+// The error returned from CompareHashAndPassword when a hash was created with
+// a bcrypt algorithm newer than this implementation.
+type HashVersionTooNewError byte
+
+func (hv HashVersionTooNewError) Error() string {
+	return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
+}
+
+// The error returned from CompareHashAndPassword when a hash starts with something other than '$'
+type InvalidHashPrefixError byte
+
+func (ih InvalidHashPrefixError) Error() string {
+	return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
+}
+
+type InvalidCostError int
+
+func (ic InvalidCostError) Error() string {
+	return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed inclusive range %d..%d", int(ic), MinCost, MaxCost)
+}
+
+const (
+	majorVersion       = '2'
+	minorVersion       = 'a'
+	maxSaltSize        = 16
+	maxCryptedHashSize = 23
+	encodedSaltSize    = 22
+	encodedHashSize    = 31
+	minHashSize        = 59
+)
+
+// magicCipherData is an IV for the 64 Blowfish encryption calls in
+// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
+var magicCipherData = []byte{
+	0x4f, 0x72, 0x70, 0x68,
+	0x65, 0x61, 0x6e, 0x42,
+	0x65, 0x68, 0x6f, 0x6c,
+	0x64, 0x65, 0x72, 0x53,
+	0x63, 0x72, 0x79, 0x44,
+	0x6f, 0x75, 0x62, 0x74,
+}
+
+type hashed struct {
+	hash  []byte
+	salt  []byte
+	cost  int // allowed range is MinCost to MaxCost
+	major byte
+	minor byte
+}
+
+// ErrPasswordTooLong is returned when the password passed to
+// GenerateFromPassword is too long (i.e. > 72 bytes).
+var ErrPasswordTooLong = errors.New("bcrypt: password length exceeds 72 bytes")
+
+// GenerateFromPassword returns the bcrypt hash of the password at the given
+// cost. If the cost given is less than MinCost, the cost will be set to
+// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
+// to compare the returned hashed password with its cleartext version.
+// GenerateFromPassword does not accept passwords longer than 72 bytes, which
+// is the longest password bcrypt will operate on.
+func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
+	if len(password) > 72 {
+		return nil, ErrPasswordTooLong
+	}
+	p, err := newFromPassword(password, cost)
+	if err != nil {
+		return nil, err
+	}
+	return p.Hash(), nil
+}
+
+// CompareHashAndPassword compares a bcrypt hashed password with its possible
+// plaintext equivalent. Returns nil on success, or an error on failure.
+func CompareHashAndPassword(hashedPassword, password []byte) error {
+	p, err := newFromHash(hashedPassword)
+	if err != nil {
+		return err
+	}
+
+	otherHash, err := bcrypt(password, p.cost, p.salt)
+	if err != nil {
+		return err
+	}
+
+	otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
+	if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
+		return nil
+	}
+
+	return ErrMismatchedHashAndPassword
+}
+
+// Cost returns the hashing cost used to create the given hashed
+// password. When, in the future, the hashing cost of a password system needs
+// to be increased in order to adjust for greater computational power, this
+// function allows one to establish which passwords need to be updated.
+func Cost(hashedPassword []byte) (int, error) {
+	p, err := newFromHash(hashedPassword)
+	if err != nil {
+		return 0, err
+	}
+	return p.cost, nil
+}
+
+func newFromPassword(password []byte, cost int) (*hashed, error) {
+	if cost < MinCost {
+		cost = DefaultCost
+	}
+	p := new(hashed)
+	p.major = majorVersion
+	p.minor = minorVersion
+
+	err := checkCost(cost)
+	if err != nil {
+		return nil, err
+	}
+	p.cost = cost
+
+	unencodedSalt := make([]byte, maxSaltSize)
+	_, err = io.ReadFull(rand.Reader, unencodedSalt)
+	if err != nil {
+		return nil, err
+	}
+
+	p.salt = base64Encode(unencodedSalt)
+	hash, err := bcrypt(password, p.cost, p.salt)
+	if err != nil {
+		return nil, err
+	}
+	p.hash = hash
+	return p, err
+}
+
+func newFromHash(hashedSecret []byte) (*hashed, error) {
+	if len(hashedSecret) < minHashSize {
+		return nil, ErrHashTooShort
+	}
+	p := new(hashed)
+	n, err := p.decodeVersion(hashedSecret)
+	if err != nil {
+		return nil, err
+	}
+	hashedSecret = hashedSecret[n:]
+	n, err = p.decodeCost(hashedSecret)
+	if err != nil {
+		return nil, err
+	}
+	hashedSecret = hashedSecret[n:]
+
+	// The "+2" is here because we'll have to append at most 2 '=' to the salt
+	// when base64 decoding it in expensiveBlowfishSetup().
+	p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
+	copy(p.salt, hashedSecret[:encodedSaltSize])
+
+	hashedSecret = hashedSecret[encodedSaltSize:]
+	p.hash = make([]byte, len(hashedSecret))
+	copy(p.hash, hashedSecret)
+
+	return p, nil
+}
+
+func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
+	cipherData := make([]byte, len(magicCipherData))
+	copy(cipherData, magicCipherData)
+
+	c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := 0; i < 24; i += 8 {
+		for j := 0; j < 64; j++ {
+			c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
+		}
+	}
+
+	// Bug compatibility with C bcrypt implementations. We only encode 23 of
+	// the 24 bytes encrypted.
+	hsh := base64Encode(cipherData[:maxCryptedHashSize])
+	return hsh, nil
+}
+
+func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
+	csalt, err := base64Decode(salt)
+	if err != nil {
+		return nil, err
+	}
+
+	// Bug compatibility with C bcrypt implementations. They use the trailing
+	// NULL in the key string during expansion.
+	// We copy the key to prevent changing the underlying array.
+	ckey := append(key[:len(key):len(key)], 0)
+
+	c, err := blowfish.NewSaltedCipher(ckey, csalt)
+	if err != nil {
+		return nil, err
+	}
+
+	var i, rounds uint64
+	rounds = 1 << cost
+	for i = 0; i < rounds; i++ {
+		blowfish.ExpandKey(ckey, c)
+		blowfish.ExpandKey(csalt, c)
+	}
+
+	return c, nil
+}
+
+func (p *hashed) Hash() []byte {
+	arr := make([]byte, 60)
+	arr[0] = '$'
+	arr[1] = p.major
+	n := 2
+	if p.minor != 0 {
+		arr[2] = p.minor
+		n = 3
+	}
+	arr[n] = '$'
+	n++
+	copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
+	n += 2
+	arr[n] = '$'
+	n++
+	copy(arr[n:], p.salt)
+	n += encodedSaltSize
+	copy(arr[n:], p.hash)
+	n += encodedHashSize
+	return arr[:n]
+}
+
+func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
+	if sbytes[0] != '$' {
+		return -1, InvalidHashPrefixError(sbytes[0])
+	}
+	if sbytes[1] > majorVersion {
+		return -1, HashVersionTooNewError(sbytes[1])
+	}
+	p.major = sbytes[1]
+	n := 3
+	if sbytes[2] != '$' {
+		p.minor = sbytes[2]
+		n++
+	}
+	return n, nil
+}
+
+// sbytes should begin where decodeVersion left off.
+func (p *hashed) decodeCost(sbytes []byte) (int, error) {
+	cost, err := strconv.Atoi(string(sbytes[0:2]))
+	if err != nil {
+		return -1, err
+	}
+	err = checkCost(cost)
+	if err != nil {
+		return -1, err
+	}
+	p.cost = cost
+	return 3, nil
+}
+
+func (p *hashed) String() string {
+	return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
+}
+
+func checkCost(cost int) error {
+	if cost < MinCost || cost > MaxCost {
+		return InvalidCostError(cost)
+	}
+	return nil
+}
diff --git a/vendor/golang.org/x/crypto/blowfish/block.go b/vendor/golang.org/x/crypto/blowfish/block.go
new file mode 100644
index 0000000000..9d80f19521
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/block.go
@@ -0,0 +1,159 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package blowfish
+
+// getNextWord returns the next big-endian uint32 value from the byte slice
+// at the given position in a circular manner, updating the position.
+func getNextWord(b []byte, pos *int) uint32 {
+	var w uint32
+	j := *pos
+	for i := 0; i < 4; i++ {
+		w = w<<8 | uint32(b[j])
+		j++
+		if j >= len(b) {
+			j = 0
+		}
+	}
+	*pos = j
+	return w
+}
+
+// ExpandKey performs a key expansion on the given *Cipher. Specifically, it
+// performs the Blowfish algorithm's key schedule which sets up the *Cipher's
+// pi and substitution tables for calls to Encrypt. This is used, primarily,
+// by the bcrypt package to reuse the Blowfish key schedule during its
+// set up. It's unlikely that you need to use this directly.
+func ExpandKey(key []byte, c *Cipher) {
+	j := 0
+	for i := 0; i < 18; i++ {
+		// Using inlined getNextWord for performance.
+		var d uint32
+		for k := 0; k < 4; k++ {
+			d = d<<8 | uint32(key[j])
+			j++
+			if j >= len(key) {
+				j = 0
+			}
+		}
+		c.p[i] ^= d
+	}
+
+	var l, r uint32
+	for i := 0; i < 18; i += 2 {
+		l, r = encryptBlock(l, r, c)
+		c.p[i], c.p[i+1] = l, r
+	}
+
+	for i := 0; i < 256; i += 2 {
+		l, r = encryptBlock(l, r, c)
+		c.s0[i], c.s0[i+1] = l, r
+	}
+	for i := 0; i < 256; i += 2 {
+		l, r = encryptBlock(l, r, c)
+		c.s1[i], c.s1[i+1] = l, r
+	}
+	for i := 0; i < 256; i += 2 {
+		l, r = encryptBlock(l, r, c)
+		c.s2[i], c.s2[i+1] = l, r
+	}
+	for i := 0; i < 256; i += 2 {
+		l, r = encryptBlock(l, r, c)
+		c.s3[i], c.s3[i+1] = l, r
+	}
+}
+
+// This is similar to ExpandKey, but folds the salt during the key
+// schedule. While ExpandKey is essentially expandKeyWithSalt with an all-zero
+// salt passed in, reusing ExpandKey turns out to be a place of inefficiency
+// and specializing it here is useful.
+func expandKeyWithSalt(key []byte, salt []byte, c *Cipher) {
+	j := 0
+	for i := 0; i < 18; i++ {
+		c.p[i] ^= getNextWord(key, &j)
+	}
+
+	j = 0
+	var l, r uint32
+	for i := 0; i < 18; i += 2 {
+		l ^= getNextWord(salt, &j)
+		r ^= getNextWord(salt, &j)
+		l, r = encryptBlock(l, r, c)
+		c.p[i], c.p[i+1] = l, r
+	}
+
+	for i := 0; i < 256; i += 2 {
+		l ^= getNextWord(salt, &j)
+		r ^= getNextWord(salt, &j)
+		l, r = encryptBlock(l, r, c)
+		c.s0[i], c.s0[i+1] = l, r
+	}
+
+	for i := 0; i < 256; i += 2 {
+		l ^= getNextWord(salt, &j)
+		r ^= getNextWord(salt, &j)
+		l, r = encryptBlock(l, r, c)
+		c.s1[i], c.s1[i+1] = l, r
+	}
+
+	for i := 0; i < 256; i += 2 {
+		l ^= getNextWord(salt, &j)
+		r ^= getNextWord(salt, &j)
+		l, r = encryptBlock(l, r, c)
+		c.s2[i], c.s2[i+1] = l, r
+	}
+
+	for i := 0; i < 256; i += 2 {
+		l ^= getNextWord(salt, &j)
+		r ^= getNextWord(salt, &j)
+		l, r = encryptBlock(l, r, c)
+		c.s3[i], c.s3[i+1] = l, r
+	}
+}
+
+func encryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
+	xl, xr := l, r
+	xl ^= c.p[0]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[1]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[2]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[3]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[4]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[5]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[6]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[7]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[8]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[9]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[10]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[11]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[12]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[13]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[14]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[15]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[16]
+	xr ^= c.p[17]
+	return xr, xl
+}
+
+func decryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
+	xl, xr := l, r
+	xl ^= c.p[17]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[16]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[15]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[14]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[13]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[12]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[11]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[10]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[9]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[8]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[7]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[6]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[5]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[4]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[3]
+	xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[2]
+	xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[1]
+	xr ^= c.p[0]
+	return xr, xl
+}
diff --git a/vendor/golang.org/x/crypto/blowfish/cipher.go b/vendor/golang.org/x/crypto/blowfish/cipher.go
new file mode 100644
index 0000000000..0898956807
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/cipher.go
@@ -0,0 +1,99 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package blowfish implements Bruce Schneier's Blowfish encryption algorithm.
+//
+// Blowfish is a legacy cipher and its short block size makes it vulnerable to
+// birthday bound attacks (see https://sweet32.info). It should only be used
+// where compatibility with legacy systems, not security, is the goal.
+//
+// Deprecated: any new system should use AES (from crypto/aes, if necessary in
+// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
+// golang.org/x/crypto/chacha20poly1305).
+package blowfish
+
+// The code is a port of Bruce Schneier's C implementation.
+// See https://www.schneier.com/blowfish.html.
+
+import "strconv"
+
+// The Blowfish block size in bytes.
+const BlockSize = 8
+
+// A Cipher is an instance of Blowfish encryption using a particular key.
+type Cipher struct {
+	p              [18]uint32
+	s0, s1, s2, s3 [256]uint32
+}
+
+type KeySizeError int
+
+func (k KeySizeError) Error() string {
+	return "crypto/blowfish: invalid key size " + strconv.Itoa(int(k))
+}
+
+// NewCipher creates and returns a Cipher.
+// The key argument should be the Blowfish key, from 1 to 56 bytes.
+func NewCipher(key []byte) (*Cipher, error) {
+	var result Cipher
+	if k := len(key); k < 1 || k > 56 {
+		return nil, KeySizeError(k)
+	}
+	initCipher(&result)
+	ExpandKey(key, &result)
+	return &result, nil
+}
+
+// NewSaltedCipher creates a returns a Cipher that folds a salt into its key
+// schedule. For most purposes, NewCipher, instead of NewSaltedCipher, is
+// sufficient and desirable. For bcrypt compatibility, the key can be over 56
+// bytes.
+func NewSaltedCipher(key, salt []byte) (*Cipher, error) {
+	if len(salt) == 0 {
+		return NewCipher(key)
+	}
+	var result Cipher
+	if k := len(key); k < 1 {
+		return nil, KeySizeError(k)
+	}
+	initCipher(&result)
+	expandKeyWithSalt(key, salt, &result)
+	return &result, nil
+}
+
+// BlockSize returns the Blowfish block size, 8 bytes.
+// It is necessary to satisfy the Block interface in the
+// package "crypto/cipher".
+func (c *Cipher) BlockSize() int { return BlockSize }
+
+// Encrypt encrypts the 8-byte buffer src using the key k
+// and stores the result in dst.
+// Note that for amounts of data larger than a block,
+// it is not safe to just call Encrypt on successive blocks;
+// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
+func (c *Cipher) Encrypt(dst, src []byte) {
+	l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
+	r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
+	l, r = encryptBlock(l, r, c)
+	dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l)
+	dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
+}
+
+// Decrypt decrypts the 8-byte buffer src using the key k
+// and stores the result in dst.
+func (c *Cipher) Decrypt(dst, src []byte) {
+	l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
+	r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
+	l, r = decryptBlock(l, r, c)
+	dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l)
+	dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
+}
+
+func initCipher(c *Cipher) {
+	copy(c.p[0:], p[0:])
+	copy(c.s0[0:], s0[0:])
+	copy(c.s1[0:], s1[0:])
+	copy(c.s2[0:], s2[0:])
+	copy(c.s3[0:], s3[0:])
+}
diff --git a/vendor/golang.org/x/crypto/blowfish/const.go b/vendor/golang.org/x/crypto/blowfish/const.go
new file mode 100644
index 0000000000..d04077595a
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/const.go
@@ -0,0 +1,199 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The startup permutation array and substitution boxes.
+// They are the hexadecimal digits of PI; see:
+// https://www.schneier.com/code/constants.txt.
+
+package blowfish
+
+var s0 = [256]uint32{
+	0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, 0xb8e1afed, 0x6a267e96,
+	0xba7c9045, 0xf12c7f99, 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
+	0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, 0x0d95748f, 0x728eb658,
+	0x718bcd58, 0x82154aee, 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
+	0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, 0x8e79dcb0, 0x603a180e,
+	0x6c9e0e8b, 0xb01e8a3e, 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
+	0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, 0x55ca396a, 0x2aab10b6,
+	0xb4cc5c34, 0x1141e8ce, 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
+	0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, 0xafd6ba33, 0x6c24cf5c,
+	0x7a325381, 0x28958677, 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
+	0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, 0xef845d5d, 0xe98575b1,
+	0xdc262302, 0xeb651b88, 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
+	0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, 0x21c66842, 0xf6e96c9a,
+	0x670c9c61, 0xabd388f0, 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
+	0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, 0xa1f1651d, 0x39af0176,
+	0x66ca593e, 0x82430e88, 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
+	0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, 0x4ed3aa62, 0x363f7706,
+	0x1bfedf72, 0x429b023d, 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
+	0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, 0xe3fe501a, 0xb6794c3b,
+	0x976ce0bd, 0x04c006ba, 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
+	0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, 0x6dfc511f, 0x9b30952c,
+	0xcc814544, 0xaf5ebd09, 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
+	0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, 0x5579c0bd, 0x1a60320a,
+	0xd6a100c6, 0x402c7279, 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
+	0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, 0x323db5fa, 0xfd238760,
+	0x53317b48, 0x3e00df82, 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
+	0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, 0x695b27b0, 0xbbca58c8,
+	0xe1ffa35d, 0xb8f011a0, 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
+	0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, 0xe1ddf2da, 0xa4cb7e33,
+	0x62fb1341, 0xcee4c6e8, 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
+	0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, 0xd08ed1d0, 0xafc725e0,
+	0x8e3c5b2f, 0x8e7594b7, 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
+	0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, 0x2f2f2218, 0xbe0e1777,
+	0xea752dfe, 0x8b021fa1, 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
+	0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, 0x165fa266, 0x80957705,
+	0x93cc7314, 0x211a1477, 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
+	0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, 0x00250e2d, 0x2071b35e,
+	0x226800bb, 0x57b8e0af, 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
+	0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, 0x83260376, 0x6295cfa9,
+	0x11c81968, 0x4e734a41, 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
+	0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, 0x08ba6fb5, 0x571be91f,
+	0xf296ec6b, 0x2a0dd915, 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
+	0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a,
+}
+
+var s1 = [256]uint32{
+	0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, 0xad6ea6b0, 0x49a7df7d,
+	0x9cee60b8, 0x8fedb266, 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
+	0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, 0x3f54989a, 0x5b429d65,
+	0x6b8fe4d6, 0x99f73fd6, 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
+	0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, 0x09686b3f, 0x3ebaefc9,
+	0x3c971814, 0x6b6a70a1, 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
+	0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, 0xb03ada37, 0xf0500c0d,
+	0xf01c1f04, 0x0200b3ff, 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
+	0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, 0x3ae5e581, 0x37c2dadc,
+	0xc8b57634, 0x9af3dda7, 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
+	0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, 0x4e548b38, 0x4f6db908,
+	0x6f420d03, 0xf60a04bf, 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
+	0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, 0x5512721f, 0x2e6b7124,
+	0x501adde6, 0x9f84cd87, 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
+	0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, 0xef1c1847, 0x3215d908,
+	0xdd433b37, 0x24c2ba16, 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
+	0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, 0x043556f1, 0xd7a3c76b,
+	0x3c11183b, 0x5924a509, 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
+	0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, 0x771fe71c, 0x4e3d06fa,
+	0x2965dcb9, 0x99e71d0f, 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
+	0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, 0xf2f74ea7, 0x361d2b3d,
+	0x1939260f, 0x19c27960, 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
+	0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, 0xc332ddef, 0xbe6c5aa5,
+	0x65582185, 0x68ab9802, 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
+	0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, 0x13cca830, 0xeb61bd96,
+	0x0334fe1e, 0xaa0363cf, 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
+	0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, 0x648b1eaf, 0x19bdf0ca,
+	0xa02369b9, 0x655abb50, 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
+	0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, 0xf837889a, 0x97e32d77,
+	0x11ed935f, 0x16681281, 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
+	0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, 0xcdb30aeb, 0x532e3054,
+	0x8fd948e4, 0x6dbc3128, 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
+	0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, 0x45eee2b6, 0xa3aaabea,
+	0xdb6c4f15, 0xfacb4fd0, 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
+	0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, 0xcf62a1f2, 0x5b8d2646,
+	0xfc8883a0, 0xc1c7b6a3, 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
+	0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, 0x58428d2a, 0x0c55f5ea,
+	0x1dadf43e, 0x233f7061, 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
+	0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, 0xa6078084, 0x19f8509e,
+	0xe8efd855, 0x61d99735, 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
+	0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, 0xdb73dbd3, 0x105588cd,
+	0x675fda79, 0xe3674340, 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
+	0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7,
+}
+
+var s2 = [256]uint32{
+	0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, 0x411520f7, 0x7602d4f7,
+	0xbcf46b2e, 0xd4a20068, 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
+	0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, 0x4d95fc1d, 0x96b591af,
+	0x70f4ddd3, 0x66a02f45, 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
+	0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, 0x28507825, 0x530429f4,
+	0x0a2c86da, 0xe9b66dfb, 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
+	0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, 0xaace1e7c, 0xd3375fec,
+	0xce78a399, 0x406b2a42, 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
+	0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, 0x3a6efa74, 0xdd5b4332,
+	0x6841e7f7, 0xca7820fb, 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
+	0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, 0x55a867bc, 0xa1159a58,
+	0xcca92963, 0x99e1db33, 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
+	0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, 0x95c11548, 0xe4c66d22,
+	0x48c1133f, 0xc70f86dc, 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
+	0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, 0x257b7834, 0x602a9c60,
+	0xdff8e8a3, 0x1f636c1b, 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
+	0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, 0x85b2a20e, 0xe6ba0d99,
+	0xde720c8c, 0x2da2f728, 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
+	0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, 0x0a476341, 0x992eff74,
+	0x3a6f6eab, 0xf4f8fd37, 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
+	0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, 0xf1290dc7, 0xcc00ffa3,
+	0xb5390f92, 0x690fed0b, 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
+	0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, 0x37392eb3, 0xcc115979,
+	0x8026e297, 0xf42e312d, 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
+	0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, 0x1a6b1018, 0x11caedfa,
+	0x3d25bdd8, 0xe2e1c3c9, 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
+	0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, 0x9dbc8057, 0xf0f7c086,
+	0x60787bf8, 0x6003604d, 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
+	0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, 0x77a057be, 0xbde8ae24,
+	0x55464299, 0xbf582e61, 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
+	0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, 0x7aeb2661, 0x8b1ddf84,
+	0x846a0e79, 0x915f95e2, 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
+	0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, 0xb77f19b6, 0xe0a9dc09,
+	0x662d09a1, 0xc4324633, 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
+	0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, 0xdcb7da83, 0x573906fe,
+	0xa1e2ce9b, 0x4fcd7f52, 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
+	0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, 0xf0177a28, 0xc0f586e0,
+	0x006058aa, 0x30dc7d62, 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
+	0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, 0x6f05e409, 0x4b7c0188,
+	0x39720a3d, 0x7c927c24, 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
+	0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, 0x1e50ef5e, 0xb161e6f8,
+	0xa28514d9, 0x6c51133c, 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
+	0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0,
+}
+
+var s3 = [256]uint32{
+	0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, 0x5cb0679e, 0x4fa33742,
+	0xd3822740, 0x99bc9bbe, 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
+	0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, 0x5748ab2f, 0xbc946e79,
+	0xc6a376d2, 0x6549c2c8, 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
+	0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, 0xa1fad5f0, 0x6a2d519a,
+	0x63ef8ce2, 0x9a86ee22, 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
+	0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, 0x2826a2f9, 0xa73a3ae1,
+	0x4ba99586, 0xef5562e9, 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
+	0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, 0xe990fd5a, 0x9e34d797,
+	0x2cf0b7d9, 0x022b8b51, 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
+	0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, 0xe029ac71, 0xe019a5e6,
+	0x47b0acfd, 0xed93fa9b, 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
+	0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, 0x15056dd4, 0x88f46dba,
+	0x03a16125, 0x0564f0bd, 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
+	0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, 0x7533d928, 0xb155fdf5,
+	0x03563482, 0x8aba3cbb, 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
+	0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, 0xea7a90c2, 0xfb3e7bce,
+	0x5121ce64, 0x774fbe32, 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
+	0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, 0xb39a460a, 0x6445c0dd,
+	0x586cdecf, 0x1c20c8ae, 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
+	0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, 0x72eacea8, 0xfa6484bb,
+	0x8d6612ae, 0xbf3c6f47, 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
+	0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, 0x4040cb08, 0x4eb4e2cc,
+	0x34d2466a, 0x0115af84, 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
+	0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, 0x611560b1, 0xe7933fdc,
+	0xbb3a792b, 0x344525bd, 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
+	0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, 0x1a908749, 0xd44fbd9a,
+	0xd0dadecb, 0xd50ada38, 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
+	0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, 0xbf97222c, 0x15e6fc2a,
+	0x0f91fc71, 0x9b941525, 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
+	0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, 0xe0ec6e0e, 0x1698db3b,
+	0x4c98a0be, 0x3278e964, 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
+	0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, 0xdf359f8d, 0x9b992f2e,
+	0xe60b6f47, 0x0fe3f11d, 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
+	0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, 0xf523f357, 0xa6327623,
+	0x93a83531, 0x56cccd02, 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
+	0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, 0xe6c6c7bd, 0x327a140a,
+	0x45e1d006, 0xc3f27b9a, 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
+	0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, 0x53113ec0, 0x1640e3d3,
+	0x38abbd60, 0x2547adf0, 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
+	0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, 0x1948c25c, 0x02fb8a8c,
+	0x01c36ae4, 0xd6ebe1f9, 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
+	0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6,
+}
+
+var p = [18]uint32{
+	0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 0xa4093822, 0x299f31d0,
+	0x082efa98, 0xec4e6c89, 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
+	0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b,
+}
diff --git a/vendor/golang.org/x/crypto/cast5/cast5.go b/vendor/golang.org/x/crypto/cast5/cast5.go
new file mode 100644
index 0000000000..016e90215c
--- /dev/null
+++ b/vendor/golang.org/x/crypto/cast5/cast5.go
@@ -0,0 +1,536 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package cast5 implements CAST5, as defined in RFC 2144.
+//
+// CAST5 is a legacy cipher and its short block size makes it vulnerable to
+// birthday bound attacks (see https://sweet32.info). It should only be used
+// where compatibility with legacy systems, not security, is the goal.
+//
+// Deprecated: any new system should use AES (from crypto/aes, if necessary in
+// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
+// golang.org/x/crypto/chacha20poly1305).
+package cast5
+
+import (
+	"errors"
+	"math/bits"
+)
+
+const BlockSize = 8
+const KeySize = 16
+
+type Cipher struct {
+	masking [16]uint32
+	rotate  [16]uint8
+}
+
+func NewCipher(key []byte) (c *Cipher, err error) {
+	if len(key) != KeySize {
+		return nil, errors.New("CAST5: keys must be 16 bytes")
+	}
+
+	c = new(Cipher)
+	c.keySchedule(key)
+	return
+}
+
+func (c *Cipher) BlockSize() int {
+	return BlockSize
+}
+
+func (c *Cipher) Encrypt(dst, src []byte) {
+	l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
+	r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
+
+	l, r = r, l^f1(r, c.masking[0], c.rotate[0])
+	l, r = r, l^f2(r, c.masking[1], c.rotate[1])
+	l, r = r, l^f3(r, c.masking[2], c.rotate[2])
+	l, r = r, l^f1(r, c.masking[3], c.rotate[3])
+
+	l, r = r, l^f2(r, c.masking[4], c.rotate[4])
+	l, r = r, l^f3(r, c.masking[5], c.rotate[5])
+	l, r = r, l^f1(r, c.masking[6], c.rotate[6])
+	l, r = r, l^f2(r, c.masking[7], c.rotate[7])
+
+	l, r = r, l^f3(r, c.masking[8], c.rotate[8])
+	l, r = r, l^f1(r, c.masking[9], c.rotate[9])
+	l, r = r, l^f2(r, c.masking[10], c.rotate[10])
+	l, r = r, l^f3(r, c.masking[11], c.rotate[11])
+
+	l, r = r, l^f1(r, c.masking[12], c.rotate[12])
+	l, r = r, l^f2(r, c.masking[13], c.rotate[13])
+	l, r = r, l^f3(r, c.masking[14], c.rotate[14])
+	l, r = r, l^f1(r, c.masking[15], c.rotate[15])
+
+	dst[0] = uint8(r >> 24)
+	dst[1] = uint8(r >> 16)
+	dst[2] = uint8(r >> 8)
+	dst[3] = uint8(r)
+	dst[4] = uint8(l >> 24)
+	dst[5] = uint8(l >> 16)
+	dst[6] = uint8(l >> 8)
+	dst[7] = uint8(l)
+}
+
+func (c *Cipher) Decrypt(dst, src []byte) {
+	l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
+	r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
+
+	l, r = r, l^f1(r, c.masking[15], c.rotate[15])
+	l, r = r, l^f3(r, c.masking[14], c.rotate[14])
+	l, r = r, l^f2(r, c.masking[13], c.rotate[13])
+	l, r = r, l^f1(r, c.masking[12], c.rotate[12])
+
+	l, r = r, l^f3(r, c.masking[11], c.rotate[11])
+	l, r = r, l^f2(r, c.masking[10], c.rotate[10])
+	l, r = r, l^f1(r, c.masking[9], c.rotate[9])
+	l, r = r, l^f3(r, c.masking[8], c.rotate[8])
+
+	l, r = r, l^f2(r, c.masking[7], c.rotate[7])
+	l, r = r, l^f1(r, c.masking[6], c.rotate[6])
+	l, r = r, l^f3(r, c.masking[5], c.rotate[5])
+	l, r = r, l^f2(r, c.masking[4], c.rotate[4])
+
+	l, r = r, l^f1(r, c.masking[3], c.rotate[3])
+	l, r = r, l^f3(r, c.masking[2], c.rotate[2])
+	l, r = r, l^f2(r, c.masking[1], c.rotate[1])
+	l, r = r, l^f1(r, c.masking[0], c.rotate[0])
+
+	dst[0] = uint8(r >> 24)
+	dst[1] = uint8(r >> 16)
+	dst[2] = uint8(r >> 8)
+	dst[3] = uint8(r)
+	dst[4] = uint8(l >> 24)
+	dst[5] = uint8(l >> 16)
+	dst[6] = uint8(l >> 8)
+	dst[7] = uint8(l)
+}
+
+type keyScheduleA [4][7]uint8
+type keyScheduleB [4][5]uint8
+
+// keyScheduleRound contains the magic values for a round of the key schedule.
+// The keyScheduleA deals with the lines like:
+//   z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
+// Conceptually, both x and z are in the same array, x first. The first
+// element describes which word of this array gets written to and the
+// second, which word gets read. So, for the line above, it's "4, 0", because
+// it's writing to the first word of z, which, being after x, is word 4, and
+// reading from the first word of x: word 0.
+//
+// Next are the indexes into the S-boxes. Now the array is treated as bytes. So
+// "xD" is 0xd. The first byte of z is written as "16 + 0", just to be clear
+// that it's z that we're indexing.
+//
+// keyScheduleB deals with lines like:
+//   K1 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
+// "K1" is ignored because key words are always written in order. So the five
+// elements are the S-box indexes. They use the same form as in keyScheduleA,
+// above.
+
+type keyScheduleRound struct{}
+type keySchedule []keyScheduleRound
+
+var schedule = []struct {
+	a keyScheduleA
+	b keyScheduleB
+}{
+	{
+		keyScheduleA{
+			{4, 0, 0xd, 0xf, 0xc, 0xe, 0x8},
+			{5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa},
+			{6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9},
+			{7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb},
+		},
+		keyScheduleB{
+			{16 + 8, 16 + 9, 16 + 7, 16 + 6, 16 + 2},
+			{16 + 0xa, 16 + 0xb, 16 + 5, 16 + 4, 16 + 6},
+			{16 + 0xc, 16 + 0xd, 16 + 3, 16 + 2, 16 + 9},
+			{16 + 0xe, 16 + 0xf, 16 + 1, 16 + 0, 16 + 0xc},
+		},
+	},
+	{
+		keyScheduleA{
+			{0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0},
+			{1, 4, 0, 2, 1, 3, 16 + 2},
+			{2, 5, 7, 6, 5, 4, 16 + 1},
+			{3, 7, 0xa, 9, 0xb, 8, 16 + 3},
+		},
+		keyScheduleB{
+			{3, 2, 0xc, 0xd, 8},
+			{1, 0, 0xe, 0xf, 0xd},
+			{7, 6, 8, 9, 3},
+			{5, 4, 0xa, 0xb, 7},
+		},
+	},
+	{
+		keyScheduleA{
+			{4, 0, 0xd, 0xf, 0xc, 0xe, 8},
+			{5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa},
+			{6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9},
+			{7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb},
+		},
+		keyScheduleB{
+			{16 + 3, 16 + 2, 16 + 0xc, 16 + 0xd, 16 + 9},
+			{16 + 1, 16 + 0, 16 + 0xe, 16 + 0xf, 16 + 0xc},
+			{16 + 7, 16 + 6, 16 + 8, 16 + 9, 16 + 2},
+			{16 + 5, 16 + 4, 16 + 0xa, 16 + 0xb, 16 + 6},
+		},
+	},
+	{
+		keyScheduleA{
+			{0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0},
+			{1, 4, 0, 2, 1, 3, 16 + 2},
+			{2, 5, 7, 6, 5, 4, 16 + 1},
+			{3, 7, 0xa, 9, 0xb, 8, 16 + 3},
+		},
+		keyScheduleB{
+			{8, 9, 7, 6, 3},
+			{0xa, 0xb, 5, 4, 7},
+			{0xc, 0xd, 3, 2, 8},
+			{0xe, 0xf, 1, 0, 0xd},
+		},
+	},
+}
+
+func (c *Cipher) keySchedule(in []byte) {
+	var t [8]uint32
+	var k [32]uint32
+
+	for i := 0; i < 4; i++ {
+		j := i * 4
+		t[i] = uint32(in[j])<<24 | uint32(in[j+1])<<16 | uint32(in[j+2])<<8 | uint32(in[j+3])
+	}
+
+	x := []byte{6, 7, 4, 5}
+	ki := 0
+
+	for half := 0; half < 2; half++ {
+		for _, round := range schedule {
+			for j := 0; j < 4; j++ {
+				var a [7]uint8
+				copy(a[:], round.a[j][:])
+				w := t[a[1]]
+				w ^= sBox[4][(t[a[2]>>2]>>(24-8*(a[2]&3)))&0xff]
+				w ^= sBox[5][(t[a[3]>>2]>>(24-8*(a[3]&3)))&0xff]
+				w ^= sBox[6][(t[a[4]>>2]>>(24-8*(a[4]&3)))&0xff]
+				w ^= sBox[7][(t[a[5]>>2]>>(24-8*(a[5]&3)))&0xff]
+				w ^= sBox[x[j]][(t[a[6]>>2]>>(24-8*(a[6]&3)))&0xff]
+				t[a[0]] = w
+			}
+
+			for j := 0; j < 4; j++ {
+				var b [5]uint8
+				copy(b[:], round.b[j][:])
+				w := sBox[4][(t[b[0]>>2]>>(24-8*(b[0]&3)))&0xff]
+				w ^= sBox[5][(t[b[1]>>2]>>(24-8*(b[1]&3)))&0xff]
+				w ^= sBox[6][(t[b[2]>>2]>>(24-8*(b[2]&3)))&0xff]
+				w ^= sBox[7][(t[b[3]>>2]>>(24-8*(b[3]&3)))&0xff]
+				w ^= sBox[4+j][(t[b[4]>>2]>>(24-8*(b[4]&3)))&0xff]
+				k[ki] = w
+				ki++
+			}
+		}
+	}
+
+	for i := 0; i < 16; i++ {
+		c.masking[i] = k[i]
+		c.rotate[i] = uint8(k[16+i] & 0x1f)
+	}
+}
+
+// These are the three 'f' functions. See RFC 2144, section 2.2.
+func f1(d, m uint32, r uint8) uint32 {
+	t := m + d
+	I := bits.RotateLeft32(t, int(r))
+	return ((sBox[0][I>>24] ^ sBox[1][(I>>16)&0xff]) - sBox[2][(I>>8)&0xff]) + sBox[3][I&0xff]
+}
+
+func f2(d, m uint32, r uint8) uint32 {
+	t := m ^ d
+	I := bits.RotateLeft32(t, int(r))
+	return ((sBox[0][I>>24] - sBox[1][(I>>16)&0xff]) + sBox[2][(I>>8)&0xff]) ^ sBox[3][I&0xff]
+}
+
+func f3(d, m uint32, r uint8) uint32 {
+	t := m - d
+	I := bits.RotateLeft32(t, int(r))
+	return ((sBox[0][I>>24] + sBox[1][(I>>16)&0xff]) ^ sBox[2][(I>>8)&0xff]) - sBox[3][I&0xff]
+}
+
+var sBox = [8][256]uint32{
+	{
+		0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3, 0x6003e540, 0xcf9fc949,
+		0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675, 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e,
+		0x28683b6f, 0xc07fd059, 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d,
+		0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b, 0x22568e3a, 0xa2d341d0,
+		0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de, 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7,
+		0xb82cbaef, 0xd751d159, 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935,
+		0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f, 0xb48ee411, 0x4bff345d,
+		0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165, 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50,
+		0x882240f2, 0x0c6e4f38, 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe,
+		0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493, 0xe63d37e0, 0x2a54f6b3,
+		0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a, 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167,
+		0x38901091, 0xc6b505eb, 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291,
+		0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14, 0xa0bebc3c, 0x54623779,
+		0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6, 0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2,
+		0x81383f05, 0x6963c5c8, 0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511,
+		0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495, 0xaa573b04, 0x4a805d8d,
+		0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e, 0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5,
+		0x6b54bfab, 0x2b0b1426, 0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324,
+		0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98, 0xe31231b2, 0x2ad5ad6c,
+		0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f, 0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc,
+		0x7b5a41f0, 0xd37cfbad, 0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d,
+		0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464, 0x5ad328d8, 0xb347cc96,
+		0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a, 0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a,
+		0x3f04442f, 0x6188b153, 0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d,
+		0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274, 0xdd24cb9e, 0x7e1c54bd,
+		0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755, 0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6,
+		0x580304f0, 0xca042cf1, 0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9,
+		0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1, 0xd5ea50f1, 0x85a92872,
+		0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79, 0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c,
+		0x474d6ad7, 0x7c0c5e5c, 0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e,
+		0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff, 0xb141ab08, 0x7cca89b9,
+		0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d, 0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf,
+	},
+	{
+		0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a, 0x55889c94, 0x72fc0651,
+		0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba, 0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3,
+		0xa0b52f7b, 0x59e83605, 0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb,
+		0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b, 0x25a1ff41, 0xe180f806,
+		0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4, 0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b,
+		0xe113c85b, 0xacc40083, 0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359,
+		0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f, 0x361e3084, 0xe4eb573b,
+		0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d, 0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c,
+		0x10843094, 0x2537a95e, 0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34,
+		0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366, 0x721d9bfd, 0xa58684bb,
+		0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4, 0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd,
+		0xc5d655dd, 0xeb667064, 0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860,
+		0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6, 0x83ca6b94, 0x2d6ed23b,
+		0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709, 0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304,
+		0x81ed6f61, 0x20e74364, 0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b,
+		0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b, 0xa4b09f6b, 0x1ca815cf,
+		0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9, 0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c,
+		0xee41e729, 0x6e1d2d7c, 0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13,
+		0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741, 0x7cbad9a2, 0x2180036f,
+		0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab, 0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6,
+		0xcdf0b680, 0x17844d3b, 0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6,
+		0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa, 0xef8579cc, 0xd152de58,
+		0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8, 0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906,
+		0xb8da230c, 0x80823028, 0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d,
+		0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6, 0x273be979, 0xb0ffeaa6,
+		0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b, 0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4,
+		0xdc8637a0, 0x16a7d3b1, 0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6,
+		0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb, 0x145892f5, 0x91584f7f,
+		0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea, 0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249,
+		0xb284600c, 0xd835731d, 0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa,
+		0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e, 0x5c038323, 0x3e5d3bb9,
+		0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef, 0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1,
+	},
+	{
+		0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b, 0x8c1fc644, 0xaececa90,
+		0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae, 0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5,
+		0x11107d9f, 0x07647db9, 0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e,
+		0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd, 0x9255c5ed, 0x1257a240,
+		0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e, 0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5,
+		0xa8c01db7, 0x579fc264, 0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b,
+		0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e, 0xc5884a28, 0xccc36f71,
+		0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f, 0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04,
+		0xa747d2d0, 0x1651192e, 0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82,
+		0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790, 0x796fb449, 0x8252dc15,
+		0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504, 0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2,
+		0x23efe941, 0xa903f12e, 0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176,
+		0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8, 0x96bbb682, 0x93b4b148,
+		0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d, 0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc,
+		0x8b907cee, 0xb51fd240, 0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341,
+		0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c, 0x127dadaa, 0x438a074e,
+		0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15, 0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51,
+		0x68cc7bfb, 0xd90f2788, 0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f,
+		0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa, 0x27627545, 0x825cf47a,
+		0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392, 0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b,
+		0x285ba1c8, 0x3c62f44f, 0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b,
+		0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae, 0x12deca4d, 0x2c3f8cc5,
+		0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67, 0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45,
+		0x3a609437, 0xec00c9a9, 0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536,
+		0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888, 0xa2e53f55, 0xb9e6d4bc,
+		0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d, 0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0,
+		0x947b0001, 0x570075d2, 0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69,
+		0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2, 0xf1ac2571, 0xcc8239c2,
+		0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce, 0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49,
+		0x5727c148, 0x2be98a1d, 0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d,
+		0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00, 0x52bce688, 0x1b03588a,
+		0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5, 0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783,
+	},
+	{
+		0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57, 0x85510443, 0xfa020ed1,
+		0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120, 0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf,
+		0x28147f5f, 0x4fa2b8cd, 0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15,
+		0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe, 0x081b08ca, 0x05170121,
+		0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701, 0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25,
+		0xce84ffdf, 0xf5718801, 0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5,
+		0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1, 0x72500e03, 0xf80eb2bb,
+		0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746, 0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5,
+		0x4d351805, 0x7f3d5ce3, 0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d,
+		0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c, 0x18f8931e, 0x281658e6,
+		0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c, 0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23,
+		0x69dead38, 0x1574ca16, 0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003,
+		0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7, 0x0ce5c2ec, 0x4db4bba6,
+		0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327, 0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119,
+		0x6e85cb75, 0xbe07c002, 0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24,
+		0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7, 0x041afa32, 0x1d16625a,
+		0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031, 0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79,
+		0x026a4ceb, 0x52437eff, 0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df,
+		0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035, 0x213d42f6, 0x2c1c7c26,
+		0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69, 0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab,
+		0x63315c21, 0x5e0a72ec, 0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7,
+		0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e, 0xcfcbd12f, 0xc1de8417,
+		0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3, 0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2,
+		0x6f7de532, 0x58fd7eb6, 0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2,
+		0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f, 0xaf9eb3db, 0x29c9ed2a,
+		0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091, 0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919,
+		0x77079103, 0xdea03af6, 0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef,
+		0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2, 0xf3e0eb5b, 0xd6cc9876,
+		0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367, 0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab,
+		0xb5676e69, 0x9bd3ddda, 0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04,
+		0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6, 0xb657c34d, 0x4edfd282,
+		0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e, 0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2,
+	},
+	{
+		0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5, 0x44dd9d44, 0x1731167f,
+		0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00, 0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a,
+		0xe6a2e77f, 0xf0c720cd, 0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff,
+		0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb, 0x8dba1cfe, 0x41a99b02,
+		0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725, 0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a,
+		0xf2f3f763, 0x68af8040, 0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7,
+		0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2, 0x2261be02, 0xd642a0c9,
+		0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec, 0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981,
+		0x5c1ff900, 0xfe38d399, 0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774,
+		0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966, 0xdfdd55bc, 0x29de0655,
+		0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468, 0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2,
+		0xbcf3f0aa, 0x87ac36e9, 0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910,
+		0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616, 0xf24766e3, 0x8eca36c1,
+		0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4, 0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da,
+		0x26e46695, 0xb7566419, 0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049,
+		0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9, 0x68cb3e47, 0x086c010f,
+		0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6, 0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba,
+		0x0ab378d5, 0xd951fb0c, 0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be,
+		0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715, 0x646c6bd7, 0x44904db3,
+		0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6, 0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840,
+		0x76f0ae02, 0x083be84d, 0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4,
+		0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba, 0x9cad9010, 0xaf462ba2,
+		0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487, 0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7,
+		0x445f7382, 0x175683f4, 0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5,
+		0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c, 0x1ad2fff3, 0x8c25404e,
+		0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78, 0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e,
+		0x44094f85, 0x3f481d87, 0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801,
+		0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110, 0x1b5ad7a8, 0xf61ed5ad,
+		0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58, 0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0,
+		0x5ce96c28, 0xe176eda3, 0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20,
+		0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d, 0x34010718, 0xbb30cab8,
+		0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55, 0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4,
+	},
+	{
+		0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4, 0xeced5cbc, 0x325553ac,
+		0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9, 0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138,
+		0x33f14961, 0xc01937bd, 0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367,
+		0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f, 0xa888614a, 0x2900af98,
+		0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c, 0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072,
+		0xfd41197e, 0x9305a6b0, 0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3,
+		0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941, 0x2c0e636a, 0xba7dd9cd,
+		0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d, 0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8,
+		0x284caf89, 0xaa928223, 0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9,
+		0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6, 0x9a69a02f, 0x68818a54,
+		0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a, 0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387,
+		0x53bddb65, 0xe76ffbe7, 0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc,
+		0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89, 0xfd339fed, 0xb87834bf,
+		0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be, 0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf,
+		0x4ec75b95, 0x24f2c3c0, 0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f,
+		0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4, 0xe9a9d848, 0xf3160289,
+		0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853, 0x20951063, 0x4576698d, 0xb6fad407, 0x592af950,
+		0x36f73523, 0x4cfb6e87, 0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f,
+		0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585, 0xdc049441, 0xc8098f9b,
+		0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751, 0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be,
+		0xbf32679d, 0xd45b5b75, 0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13,
+		0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283, 0x3cc2acfb, 0x3fc06976,
+		0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459, 0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0,
+		0x3007cd3e, 0x74719eef, 0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891,
+		0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0, 0xbc60b42a, 0x953498da,
+		0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb, 0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc,
+		0xe8816f4a, 0x3814f200, 0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084,
+		0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf, 0x3a479c3a, 0x5302da25,
+		0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b, 0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121,
+		0xb81a928a, 0x60ed5869, 0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5,
+		0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb, 0xb0e93524, 0xbebb8fbd,
+		0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454, 0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f,
+	},
+	{
+		0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912, 0xde6008a1, 0x2028da1f,
+		0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82, 0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de,
+		0xa05fbcf6, 0xcd4181e9, 0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43,
+		0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4, 0x1286becf, 0xb6eacb19,
+		0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9, 0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2,
+		0x107789be, 0xb3b2e9ce, 0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516,
+		0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7, 0xd0d854c0, 0xcb3a6c88,
+		0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e, 0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816,
+		0x0a961288, 0xe1a5c06e, 0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756,
+		0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9, 0xc6e6fa14, 0xbae8584a,
+		0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b, 0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264,
+		0x92544a8b, 0x009b4fc3, 0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688,
+		0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c, 0x16746233, 0x3c034c28,
+		0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802, 0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3,
+		0x0c4fb99a, 0xbb325778, 0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7,
+		0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be, 0xbe8b9d2d, 0x7979fb06,
+		0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858, 0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033,
+		0xf28ebfb0, 0xf5b9c310, 0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a,
+		0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476, 0x488dcf25, 0x36c9d566,
+		0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df, 0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509,
+		0xf22b017d, 0xa4173f70, 0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962,
+		0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a, 0x058745b9, 0x3453dc1e,
+		0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07, 0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c,
+		0x66626c1c, 0x7154c24c, 0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c,
+		0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e, 0xe4f2dfa6, 0x693ed285,
+		0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378, 0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301,
+		0xc79f022f, 0x3c997e7e, 0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be,
+		0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301, 0xcfd2a87f, 0x60aeb767,
+		0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2, 0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647,
+		0x97fd61a9, 0xea7759f4, 0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914,
+		0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021, 0xc3c0bdae, 0x4958c24c,
+		0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada, 0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3,
+	},
+	{
+		0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b, 0x0e241600, 0x052ce8b5,
+		0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174, 0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc,
+		0xde9adeb1, 0x0a0cc32c, 0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd,
+		0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7, 0x72df191b, 0x7580330d,
+		0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164, 0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2,
+		0x12a8ddec, 0xfdaa335d, 0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862,
+		0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8, 0x57e8726e, 0x647a78fc,
+		0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6, 0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c,
+		0xbbd35049, 0x2998df04, 0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e,
+		0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38, 0x424f7618, 0x35856039,
+		0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8, 0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8,
+		0x7170c608, 0x2d5e3354, 0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42,
+		0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160, 0x7895cda5, 0x859c15a5,
+		0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab, 0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472,
+		0x835ffcb8, 0x6df4c1f2, 0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225,
+		0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98, 0x7cd16efc, 0x1436876c,
+		0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441, 0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb,
+		0xa842eedf, 0xfdba60b4, 0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054,
+		0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5, 0xbae7dfdc, 0x42cbda70,
+		0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c, 0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc,
+		0x77853b53, 0x37effcb5, 0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c,
+		0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b, 0xc4248289, 0xacf3ebc3,
+		0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4, 0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4,
+		0xe87b40e4, 0xe98ea084, 0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101,
+		0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a, 0xe0779695, 0xf9c17a8f,
+		0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf, 0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e,
+		0x11403092, 0x00da6d77, 0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a,
+		0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f, 0xdf09822b, 0xbd691a6c,
+		0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819, 0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384,
+		0x5938fa0f, 0x42399ef3, 0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c,
+		0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1, 0xa466bb1e, 0xf8da0a82,
+		0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d, 0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e,
+	},
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/armor/armor.go b/vendor/golang.org/x/crypto/openpgp/armor/armor.go
new file mode 100644
index 0000000000..e664d127cb
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/armor/armor.go
@@ -0,0 +1,233 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package armor implements OpenPGP ASCII Armor, see RFC 4880. OpenPGP Armor is
+// very similar to PEM except that it has an additional CRC checksum.
+//
+// Deprecated: this package is unmaintained except for security fixes. New
+// applications should consider a more focused, modern alternative to OpenPGP
+// for their specific task. If you are required to interoperate with OpenPGP
+// systems and need a maintained package, consider a community fork.
+// See https://golang.org/issue/44226.
+package armor
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/base64"
+	"io"
+
+	"golang.org/x/crypto/openpgp/errors"
+)
+
+// A Block represents an OpenPGP armored structure.
+//
+// The encoded form is:
+//
+//	-----BEGIN Type-----
+//	Headers
+//
+//	base64-encoded Bytes
+//	'=' base64 encoded checksum
+//	-----END Type-----
+//
+// where Headers is a possibly empty sequence of Key: Value lines.
+//
+// Since the armored data can be very large, this package presents a streaming
+// interface.
+type Block struct {
+	Type    string            // The type, taken from the preamble (i.e. "PGP SIGNATURE").
+	Header  map[string]string // Optional headers.
+	Body    io.Reader         // A Reader from which the contents can be read
+	lReader lineReader
+	oReader openpgpReader
+}
+
+var ArmorCorrupt error = errors.StructuralError("armor invalid")
+
+const crc24Init = 0xb704ce
+const crc24Poly = 0x1864cfb
+const crc24Mask = 0xffffff
+
+// crc24 calculates the OpenPGP checksum as specified in RFC 4880, section 6.1
+func crc24(crc uint32, d []byte) uint32 {
+	for _, b := range d {
+		crc ^= uint32(b) << 16
+		for i := 0; i < 8; i++ {
+			crc <<= 1
+			if crc&0x1000000 != 0 {
+				crc ^= crc24Poly
+			}
+		}
+	}
+	return crc
+}
+
+var armorStart = []byte("-----BEGIN ")
+var armorEnd = []byte("-----END ")
+var armorEndOfLine = []byte("-----")
+
+// lineReader wraps a line based reader. It watches for the end of an armor
+// block and records the expected CRC value.
+type lineReader struct {
+	in     *bufio.Reader
+	buf    []byte
+	eof    bool
+	crc    uint32
+	crcSet bool
+}
+
+func (l *lineReader) Read(p []byte) (n int, err error) {
+	if l.eof {
+		return 0, io.EOF
+	}
+
+	if len(l.buf) > 0 {
+		n = copy(p, l.buf)
+		l.buf = l.buf[n:]
+		return
+	}
+
+	line, isPrefix, err := l.in.ReadLine()
+	if err != nil {
+		return
+	}
+	if isPrefix {
+		return 0, ArmorCorrupt
+	}
+
+	if bytes.HasPrefix(line, armorEnd) {
+		l.eof = true
+		return 0, io.EOF
+	}
+
+	if len(line) == 5 && line[0] == '=' {
+		// This is the checksum line
+		var expectedBytes [3]byte
+		var m int
+		m, err = base64.StdEncoding.Decode(expectedBytes[0:], line[1:])
+		if m != 3 || err != nil {
+			return
+		}
+		l.crc = uint32(expectedBytes[0])<<16 |
+			uint32(expectedBytes[1])<<8 |
+			uint32(expectedBytes[2])
+
+		line, _, err = l.in.ReadLine()
+		if err != nil && err != io.EOF {
+			return
+		}
+		if !bytes.HasPrefix(line, armorEnd) {
+			return 0, ArmorCorrupt
+		}
+
+		l.eof = true
+		l.crcSet = true
+		return 0, io.EOF
+	}
+
+	if len(line) > 96 {
+		return 0, ArmorCorrupt
+	}
+
+	n = copy(p, line)
+	bytesToSave := len(line) - n
+	if bytesToSave > 0 {
+		if cap(l.buf) < bytesToSave {
+			l.buf = make([]byte, 0, bytesToSave)
+		}
+		l.buf = l.buf[0:bytesToSave]
+		copy(l.buf, line[n:])
+	}
+
+	return
+}
+
+// openpgpReader passes Read calls to the underlying base64 decoder, but keeps
+// a running CRC of the resulting data and checks the CRC against the value
+// found by the lineReader at EOF.
+type openpgpReader struct {
+	lReader    *lineReader
+	b64Reader  io.Reader
+	currentCRC uint32
+}
+
+func (r *openpgpReader) Read(p []byte) (n int, err error) {
+	n, err = r.b64Reader.Read(p)
+	r.currentCRC = crc24(r.currentCRC, p[:n])
+
+	if err == io.EOF && r.lReader.crcSet && r.lReader.crc != r.currentCRC&crc24Mask {
+		return 0, ArmorCorrupt
+	}
+
+	return
+}
+
+// Decode reads a PGP armored block from the given Reader. It will ignore
+// leading garbage. If it doesn't find a block, it will return nil, io.EOF. The
+// given Reader is not usable after calling this function: an arbitrary amount
+// of data may have been read past the end of the block.
+func Decode(in io.Reader) (p *Block, err error) {
+	r := bufio.NewReaderSize(in, 100)
+	var line []byte
+	ignoreNext := false
+
+TryNextBlock:
+	p = nil
+
+	// Skip leading garbage
+	for {
+		ignoreThis := ignoreNext
+		line, ignoreNext, err = r.ReadLine()
+		if err != nil {
+			return
+		}
+		if ignoreNext || ignoreThis {
+			continue
+		}
+		line = bytes.TrimSpace(line)
+		if len(line) > len(armorStart)+len(armorEndOfLine) && bytes.HasPrefix(line, armorStart) {
+			break
+		}
+	}
+
+	p = new(Block)
+	p.Type = string(line[len(armorStart) : len(line)-len(armorEndOfLine)])
+	p.Header = make(map[string]string)
+	nextIsContinuation := false
+	var lastKey string
+
+	// Read headers
+	for {
+		isContinuation := nextIsContinuation
+		line, nextIsContinuation, err = r.ReadLine()
+		if err != nil {
+			p = nil
+			return
+		}
+		if isContinuation {
+			p.Header[lastKey] += string(line)
+			continue
+		}
+		line = bytes.TrimSpace(line)
+		if len(line) == 0 {
+			break
+		}
+
+		i := bytes.Index(line, []byte(": "))
+		if i == -1 {
+			goto TryNextBlock
+		}
+		lastKey = string(line[:i])
+		p.Header[lastKey] = string(line[i+2:])
+	}
+
+	p.lReader.in = r
+	p.oReader.currentCRC = crc24Init
+	p.oReader.lReader = &p.lReader
+	p.oReader.b64Reader = base64.NewDecoder(base64.StdEncoding, &p.lReader)
+	p.Body = &p.oReader
+
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/armor/encode.go b/vendor/golang.org/x/crypto/openpgp/armor/encode.go
new file mode 100644
index 0000000000..5b6e16c19d
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/armor/encode.go
@@ -0,0 +1,161 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package armor
+
+import (
+	"encoding/base64"
+	"io"
+)
+
+var armorHeaderSep = []byte(": ")
+var blockEnd = []byte("\n=")
+var newline = []byte("\n")
+var armorEndOfLineOut = []byte("-----\n")
+
+// writeSlices writes its arguments to the given Writer.
+func writeSlices(out io.Writer, slices ...[]byte) (err error) {
+	for _, s := range slices {
+		_, err = out.Write(s)
+		if err != nil {
+			return err
+		}
+	}
+	return
+}
+
+// lineBreaker breaks data across several lines, all of the same byte length
+// (except possibly the last). Lines are broken with a single '\n'.
+type lineBreaker struct {
+	lineLength  int
+	line        []byte
+	used        int
+	out         io.Writer
+	haveWritten bool
+}
+
+func newLineBreaker(out io.Writer, lineLength int) *lineBreaker {
+	return &lineBreaker{
+		lineLength: lineLength,
+		line:       make([]byte, lineLength),
+		used:       0,
+		out:        out,
+	}
+}
+
+func (l *lineBreaker) Write(b []byte) (n int, err error) {
+	n = len(b)
+
+	if n == 0 {
+		return
+	}
+
+	if l.used == 0 && l.haveWritten {
+		_, err = l.out.Write([]byte{'\n'})
+		if err != nil {
+			return
+		}
+	}
+
+	if l.used+len(b) < l.lineLength {
+		l.used += copy(l.line[l.used:], b)
+		return
+	}
+
+	l.haveWritten = true
+	_, err = l.out.Write(l.line[0:l.used])
+	if err != nil {
+		return
+	}
+	excess := l.lineLength - l.used
+	l.used = 0
+
+	_, err = l.out.Write(b[0:excess])
+	if err != nil {
+		return
+	}
+
+	_, err = l.Write(b[excess:])
+	return
+}
+
+func (l *lineBreaker) Close() (err error) {
+	if l.used > 0 {
+		_, err = l.out.Write(l.line[0:l.used])
+		if err != nil {
+			return
+		}
+	}
+
+	return
+}
+
+// encoding keeps track of a running CRC24 over the data which has been written
+// to it and outputs a OpenPGP checksum when closed, followed by an armor
+// trailer.
+//
+// It's built into a stack of io.Writers:
+//
+//	encoding -> base64 encoder -> lineBreaker -> out
+type encoding struct {
+	out       io.Writer
+	breaker   *lineBreaker
+	b64       io.WriteCloser
+	crc       uint32
+	blockType []byte
+}
+
+func (e *encoding) Write(data []byte) (n int, err error) {
+	e.crc = crc24(e.crc, data)
+	return e.b64.Write(data)
+}
+
+func (e *encoding) Close() (err error) {
+	err = e.b64.Close()
+	if err != nil {
+		return
+	}
+	e.breaker.Close()
+
+	var checksumBytes [3]byte
+	checksumBytes[0] = byte(e.crc >> 16)
+	checksumBytes[1] = byte(e.crc >> 8)
+	checksumBytes[2] = byte(e.crc)
+
+	var b64ChecksumBytes [4]byte
+	base64.StdEncoding.Encode(b64ChecksumBytes[:], checksumBytes[:])
+
+	return writeSlices(e.out, blockEnd, b64ChecksumBytes[:], newline, armorEnd, e.blockType, armorEndOfLine)
+}
+
+// Encode returns a WriteCloser which will encode the data written to it in
+// OpenPGP armor.
+func Encode(out io.Writer, blockType string, headers map[string]string) (w io.WriteCloser, err error) {
+	bType := []byte(blockType)
+	err = writeSlices(out, armorStart, bType, armorEndOfLineOut)
+	if err != nil {
+		return
+	}
+
+	for k, v := range headers {
+		err = writeSlices(out, []byte(k), armorHeaderSep, []byte(v), newline)
+		if err != nil {
+			return
+		}
+	}
+
+	_, err = out.Write(newline)
+	if err != nil {
+		return
+	}
+
+	e := &encoding{
+		out:       out,
+		breaker:   newLineBreaker(out, 64),
+		crc:       crc24Init,
+		blockType: bType,
+	}
+	e.b64 = base64.NewEncoder(base64.StdEncoding, e.breaker)
+	return e, nil
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/canonical_text.go b/vendor/golang.org/x/crypto/openpgp/canonical_text.go
new file mode 100644
index 0000000000..e601e389f1
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/canonical_text.go
@@ -0,0 +1,59 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package openpgp
+
+import "hash"
+
+// NewCanonicalTextHash reformats text written to it into the canonical
+// form and then applies the hash h.  See RFC 4880, section 5.2.1.
+func NewCanonicalTextHash(h hash.Hash) hash.Hash {
+	return &canonicalTextHash{h, 0}
+}
+
+type canonicalTextHash struct {
+	h hash.Hash
+	s int
+}
+
+var newline = []byte{'\r', '\n'}
+
+func (cth *canonicalTextHash) Write(buf []byte) (int, error) {
+	start := 0
+
+	for i, c := range buf {
+		switch cth.s {
+		case 0:
+			if c == '\r' {
+				cth.s = 1
+			} else if c == '\n' {
+				cth.h.Write(buf[start:i])
+				cth.h.Write(newline)
+				start = i + 1
+			}
+		case 1:
+			cth.s = 0
+		}
+	}
+
+	cth.h.Write(buf[start:])
+	return len(buf), nil
+}
+
+func (cth *canonicalTextHash) Sum(in []byte) []byte {
+	return cth.h.Sum(in)
+}
+
+func (cth *canonicalTextHash) Reset() {
+	cth.h.Reset()
+	cth.s = 0
+}
+
+func (cth *canonicalTextHash) Size() int {
+	return cth.h.Size()
+}
+
+func (cth *canonicalTextHash) BlockSize() int {
+	return cth.h.BlockSize()
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go b/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go
new file mode 100644
index 0000000000..cea48efdcd
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go
@@ -0,0 +1,424 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package clearsign generates and processes OpenPGP, clear-signed data. See
+// RFC 4880, section 7.
+//
+// Clearsigned messages are cryptographically signed, but the contents of the
+// message are kept in plaintext so that it can be read without special tools.
+//
+// Deprecated: this package is unmaintained except for security fixes. New
+// applications should consider a more focused, modern alternative to OpenPGP
+// for their specific task. If you are required to interoperate with OpenPGP
+// systems and need a maintained package, consider a community fork.
+// See https://golang.org/issue/44226.
+package clearsign
+
+import (
+	"bufio"
+	"bytes"
+	"crypto"
+	"fmt"
+	"hash"
+	"io"
+	"net/textproto"
+	"strconv"
+	"strings"
+
+	"golang.org/x/crypto/openpgp/armor"
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/packet"
+)
+
+// A Block represents a clearsigned message. A signature on a Block can
+// be checked by passing Bytes into openpgp.CheckDetachedSignature.
+type Block struct {
+	Headers          textproto.MIMEHeader // Optional unverified Hash headers
+	Plaintext        []byte               // The original message text
+	Bytes            []byte               // The signed message
+	ArmoredSignature *armor.Block         // The signature block
+}
+
+// start is the marker which denotes the beginning of a clearsigned message.
+var start = []byte("\n-----BEGIN PGP SIGNED MESSAGE-----")
+
+// dashEscape is prefixed to any lines that begin with a hyphen so that they
+// can't be confused with endText.
+var dashEscape = []byte("- ")
+
+// endText is a marker which denotes the end of the message and the start of
+// an armored signature.
+var endText = []byte("-----BEGIN PGP SIGNATURE-----")
+
+// end is a marker which denotes the end of the armored signature.
+var end = []byte("\n-----END PGP SIGNATURE-----")
+
+var crlf = []byte("\r\n")
+var lf = byte('\n')
+
+// getLine returns the first \r\n or \n delineated line from the given byte
+// array. The line does not include the \r\n or \n. The remainder of the byte
+// array (also not including the new line bytes) is also returned and this will
+// always be smaller than the original argument.
+func getLine(data []byte) (line, rest []byte) {
+	i := bytes.Index(data, []byte{'\n'})
+	var j int
+	if i < 0 {
+		i = len(data)
+		j = i
+	} else {
+		j = i + 1
+		if i > 0 && data[i-1] == '\r' {
+			i--
+		}
+	}
+	return data[0:i], data[j:]
+}
+
+// Decode finds the first clearsigned message in data and returns it, as well as
+// the suffix of data which remains after the message. Any prefix data is
+// discarded.
+//
+// If no message is found, or if the message is invalid, Decode returns nil and
+// the whole data slice. The only allowed header type is Hash, and it is not
+// verified against the signature hash.
+func Decode(data []byte) (b *Block, rest []byte) {
+	// start begins with a newline. However, at the very beginning of
+	// the byte array, we'll accept the start string without it.
+	rest = data
+	if bytes.HasPrefix(data, start[1:]) {
+		rest = rest[len(start)-1:]
+	} else if i := bytes.Index(data, start); i >= 0 {
+		rest = rest[i+len(start):]
+	} else {
+		return nil, data
+	}
+
+	// Consume the start line and check it does not have a suffix.
+	suffix, rest := getLine(rest)
+	if len(suffix) != 0 {
+		return nil, data
+	}
+
+	var line []byte
+	b = &Block{
+		Headers: make(textproto.MIMEHeader),
+	}
+
+	// Next come a series of header lines.
+	for {
+		// This loop terminates because getLine's second result is
+		// always smaller than its argument.
+		if len(rest) == 0 {
+			return nil, data
+		}
+		// An empty line marks the end of the headers.
+		if line, rest = getLine(rest); len(line) == 0 {
+			break
+		}
+
+		// Reject headers with control or Unicode characters.
+		if i := bytes.IndexFunc(line, func(r rune) bool {
+			return r < 0x20 || r > 0x7e
+		}); i != -1 {
+			return nil, data
+		}
+
+		i := bytes.Index(line, []byte{':'})
+		if i == -1 {
+			return nil, data
+		}
+
+		key, val := string(line[0:i]), string(line[i+1:])
+		key = strings.TrimSpace(key)
+		if key != "Hash" {
+			return nil, data
+		}
+		val = strings.TrimSpace(val)
+		b.Headers.Add(key, val)
+	}
+
+	firstLine := true
+	for {
+		start := rest
+
+		line, rest = getLine(rest)
+		if len(line) == 0 && len(rest) == 0 {
+			// No armored data was found, so this isn't a complete message.
+			return nil, data
+		}
+		if bytes.Equal(line, endText) {
+			// Back up to the start of the line because armor expects to see the
+			// header line.
+			rest = start
+			break
+		}
+
+		// The final CRLF isn't included in the hash so we don't write it until
+		// we've seen the next line.
+		if firstLine {
+			firstLine = false
+		} else {
+			b.Bytes = append(b.Bytes, crlf...)
+		}
+
+		if bytes.HasPrefix(line, dashEscape) {
+			line = line[2:]
+		}
+		line = bytes.TrimRight(line, " \t")
+		b.Bytes = append(b.Bytes, line...)
+
+		b.Plaintext = append(b.Plaintext, line...)
+		b.Plaintext = append(b.Plaintext, lf)
+	}
+
+	// We want to find the extent of the armored data (including any newlines at
+	// the end).
+	i := bytes.Index(rest, end)
+	if i == -1 {
+		return nil, data
+	}
+	i += len(end)
+	for i < len(rest) && (rest[i] == '\r' || rest[i] == '\n') {
+		i++
+	}
+	armored := rest[:i]
+	rest = rest[i:]
+
+	var err error
+	b.ArmoredSignature, err = armor.Decode(bytes.NewBuffer(armored))
+	if err != nil {
+		return nil, data
+	}
+
+	return b, rest
+}
+
+// A dashEscaper is an io.WriteCloser which processes the body of a clear-signed
+// message. The clear-signed message is written to buffered and a hash, suitable
+// for signing, is maintained in h.
+//
+// When closed, an armored signature is created and written to complete the
+// message.
+type dashEscaper struct {
+	buffered *bufio.Writer
+	hashers  []hash.Hash // one per key in privateKeys
+	hashType crypto.Hash
+	toHash   io.Writer // writes to all the hashes in hashers
+
+	atBeginningOfLine bool
+	isFirstLine       bool
+
+	whitespace []byte
+	byteBuf    []byte // a one byte buffer to save allocations
+
+	privateKeys []*packet.PrivateKey
+	config      *packet.Config
+}
+
+func (d *dashEscaper) Write(data []byte) (n int, err error) {
+	for _, b := range data {
+		d.byteBuf[0] = b
+
+		if d.atBeginningOfLine {
+			// The final CRLF isn't included in the hash so we have to wait
+			// until this point (the start of the next line) before writing it.
+			if !d.isFirstLine {
+				d.toHash.Write(crlf)
+			}
+			d.isFirstLine = false
+		}
+
+		// Any whitespace at the end of the line has to be removed so we
+		// buffer it until we find out whether there's more on this line.
+		if b == ' ' || b == '\t' || b == '\r' {
+			d.whitespace = append(d.whitespace, b)
+			d.atBeginningOfLine = false
+			continue
+		}
+
+		if d.atBeginningOfLine {
+			// At the beginning of a line, hyphens have to be escaped.
+			if b == '-' {
+				// The signature isn't calculated over the dash-escaped text so
+				// the escape is only written to buffered.
+				if _, err = d.buffered.Write(dashEscape); err != nil {
+					return
+				}
+				d.toHash.Write(d.byteBuf)
+				d.atBeginningOfLine = false
+			} else if b == '\n' {
+				// Nothing to do because we delay writing CRLF to the hash.
+			} else {
+				d.toHash.Write(d.byteBuf)
+				d.atBeginningOfLine = false
+			}
+			if err = d.buffered.WriteByte(b); err != nil {
+				return
+			}
+		} else {
+			if b == '\n' {
+				// We got a raw \n. Drop any trailing whitespace and write a
+				// CRLF.
+				d.whitespace = d.whitespace[:0]
+				// We delay writing CRLF to the hash until the start of the
+				// next line.
+				if err = d.buffered.WriteByte(b); err != nil {
+					return
+				}
+				d.atBeginningOfLine = true
+			} else {
+				// Any buffered whitespace wasn't at the end of the line so
+				// we need to write it out.
+				if len(d.whitespace) > 0 {
+					d.toHash.Write(d.whitespace)
+					if _, err = d.buffered.Write(d.whitespace); err != nil {
+						return
+					}
+					d.whitespace = d.whitespace[:0]
+				}
+				d.toHash.Write(d.byteBuf)
+				if err = d.buffered.WriteByte(b); err != nil {
+					return
+				}
+			}
+		}
+	}
+
+	n = len(data)
+	return
+}
+
+func (d *dashEscaper) Close() (err error) {
+	if !d.atBeginningOfLine {
+		if err = d.buffered.WriteByte(lf); err != nil {
+			return
+		}
+	}
+
+	out, err := armor.Encode(d.buffered, "PGP SIGNATURE", nil)
+	if err != nil {
+		return
+	}
+
+	t := d.config.Now()
+	for i, k := range d.privateKeys {
+		sig := new(packet.Signature)
+		sig.SigType = packet.SigTypeText
+		sig.PubKeyAlgo = k.PubKeyAlgo
+		sig.Hash = d.hashType
+		sig.CreationTime = t
+		sig.IssuerKeyId = &k.KeyId
+
+		if err = sig.Sign(d.hashers[i], k, d.config); err != nil {
+			return
+		}
+		if err = sig.Serialize(out); err != nil {
+			return
+		}
+	}
+
+	if err = out.Close(); err != nil {
+		return
+	}
+	if err = d.buffered.Flush(); err != nil {
+		return
+	}
+	return
+}
+
+// Encode returns a WriteCloser which will clear-sign a message with privateKey
+// and write it to w. If config is nil, sensible defaults are used.
+func Encode(w io.Writer, privateKey *packet.PrivateKey, config *packet.Config) (plaintext io.WriteCloser, err error) {
+	return EncodeMulti(w, []*packet.PrivateKey{privateKey}, config)
+}
+
+// EncodeMulti returns a WriteCloser which will clear-sign a message with all the
+// private keys indicated and write it to w. If config is nil, sensible defaults
+// are used.
+func EncodeMulti(w io.Writer, privateKeys []*packet.PrivateKey, config *packet.Config) (plaintext io.WriteCloser, err error) {
+	for _, k := range privateKeys {
+		if k.Encrypted {
+			return nil, errors.InvalidArgumentError(fmt.Sprintf("signing key %s is encrypted", k.KeyIdString()))
+		}
+	}
+
+	hashType := config.Hash()
+	name := nameOfHash(hashType)
+	if len(name) == 0 {
+		return nil, errors.UnsupportedError("unknown hash type: " + strconv.Itoa(int(hashType)))
+	}
+
+	if !hashType.Available() {
+		return nil, errors.UnsupportedError("unsupported hash type: " + strconv.Itoa(int(hashType)))
+	}
+	var hashers []hash.Hash
+	var ws []io.Writer
+	for range privateKeys {
+		h := hashType.New()
+		hashers = append(hashers, h)
+		ws = append(ws, h)
+	}
+	toHash := io.MultiWriter(ws...)
+
+	buffered := bufio.NewWriter(w)
+	// start has a \n at the beginning that we don't want here.
+	if _, err = buffered.Write(start[1:]); err != nil {
+		return
+	}
+	if err = buffered.WriteByte(lf); err != nil {
+		return
+	}
+	if _, err = buffered.WriteString("Hash: "); err != nil {
+		return
+	}
+	if _, err = buffered.WriteString(name); err != nil {
+		return
+	}
+	if err = buffered.WriteByte(lf); err != nil {
+		return
+	}
+	if err = buffered.WriteByte(lf); err != nil {
+		return
+	}
+
+	plaintext = &dashEscaper{
+		buffered: buffered,
+		hashers:  hashers,
+		hashType: hashType,
+		toHash:   toHash,
+
+		atBeginningOfLine: true,
+		isFirstLine:       true,
+
+		byteBuf: make([]byte, 1),
+
+		privateKeys: privateKeys,
+		config:      config,
+	}
+
+	return
+}
+
+// nameOfHash returns the OpenPGP name for the given hash, or the empty string
+// if the name isn't known. See RFC 4880, section 9.4.
+func nameOfHash(h crypto.Hash) string {
+	switch h {
+	case crypto.MD5:
+		return "MD5"
+	case crypto.SHA1:
+		return "SHA1"
+	case crypto.RIPEMD160:
+		return "RIPEMD160"
+	case crypto.SHA224:
+		return "SHA224"
+	case crypto.SHA256:
+		return "SHA256"
+	case crypto.SHA384:
+		return "SHA384"
+	case crypto.SHA512:
+		return "SHA512"
+	}
+	return ""
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
new file mode 100644
index 0000000000..f922bdbcaa
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
@@ -0,0 +1,130 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package elgamal implements ElGamal encryption, suitable for OpenPGP,
+// as specified in "A Public-Key Cryptosystem and a Signature Scheme Based on
+// Discrete Logarithms," IEEE Transactions on Information Theory, v. IT-31,
+// n. 4, 1985, pp. 469-472.
+//
+// This form of ElGamal embeds PKCS#1 v1.5 padding, which may make it
+// unsuitable for other protocols. RSA should be used in preference in any
+// case.
+//
+// Deprecated: this package was only provided to support ElGamal encryption in
+// OpenPGP. The golang.org/x/crypto/openpgp package is now deprecated (see
+// https://golang.org/issue/44226), and ElGamal in the OpenPGP ecosystem has
+// compatibility and security issues (see https://eprint.iacr.org/2021/923).
+// Moreover, this package doesn't protect against side-channel attacks.
+package elgamal
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"errors"
+	"io"
+	"math/big"
+)
+
+// PublicKey represents an ElGamal public key.
+type PublicKey struct {
+	G, P, Y *big.Int
+}
+
+// PrivateKey represents an ElGamal private key.
+type PrivateKey struct {
+	PublicKey
+	X *big.Int
+}
+
+// Encrypt encrypts the given message to the given public key. The result is a
+// pair of integers. Errors can result from reading random, or because msg is
+// too large to be encrypted to the public key.
+func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) {
+	pLen := (pub.P.BitLen() + 7) / 8
+	if len(msg) > pLen-11 {
+		err = errors.New("elgamal: message too long")
+		return
+	}
+
+	// EM = 0x02 || PS || 0x00 || M
+	em := make([]byte, pLen-1)
+	em[0] = 2
+	ps, mm := em[1:len(em)-len(msg)-1], em[len(em)-len(msg):]
+	err = nonZeroRandomBytes(ps, random)
+	if err != nil {
+		return
+	}
+	em[len(em)-len(msg)-1] = 0
+	copy(mm, msg)
+
+	m := new(big.Int).SetBytes(em)
+
+	k, err := rand.Int(random, pub.P)
+	if err != nil {
+		return
+	}
+
+	c1 = new(big.Int).Exp(pub.G, k, pub.P)
+	s := new(big.Int).Exp(pub.Y, k, pub.P)
+	c2 = s.Mul(s, m)
+	c2.Mod(c2, pub.P)
+
+	return
+}
+
+// Decrypt takes two integers, resulting from an ElGamal encryption, and
+// returns the plaintext of the message. An error can result only if the
+// ciphertext is invalid. Users should keep in mind that this is a padding
+// oracle and thus, if exposed to an adaptive chosen ciphertext attack, can
+// be used to break the cryptosystem.  See “Chosen Ciphertext Attacks
+// Against Protocols Based on the RSA Encryption Standard PKCS #1�, Daniel
+// Bleichenbacher, Advances in Cryptology (Crypto '98),
+func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
+	s := new(big.Int).Exp(c1, priv.X, priv.P)
+	if s.ModInverse(s, priv.P) == nil {
+		return nil, errors.New("elgamal: invalid private key")
+	}
+	s.Mul(s, c2)
+	s.Mod(s, priv.P)
+	em := s.Bytes()
+
+	firstByteIsTwo := subtle.ConstantTimeByteEq(em[0], 2)
+
+	// The remainder of the plaintext must be a string of non-zero random
+	// octets, followed by a 0, followed by the message.
+	//   lookingForIndex: 1 iff we are still looking for the zero.
+	//   index: the offset of the first zero byte.
+	var lookingForIndex, index int
+	lookingForIndex = 1
+
+	for i := 1; i < len(em); i++ {
+		equals0 := subtle.ConstantTimeByteEq(em[i], 0)
+		index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
+		lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
+	}
+
+	if firstByteIsTwo != 1 || lookingForIndex != 0 || index < 9 {
+		return nil, errors.New("elgamal: decryption error")
+	}
+	return em[index+1:], nil
+}
+
+// nonZeroRandomBytes fills the given slice with non-zero random octets.
+func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) {
+	_, err = io.ReadFull(rand, s)
+	if err != nil {
+		return
+	}
+
+	for i := 0; i < len(s); i++ {
+		for s[i] == 0 {
+			_, err = io.ReadFull(rand, s[i:i+1])
+			if err != nil {
+				return
+			}
+		}
+	}
+
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/errors/errors.go b/vendor/golang.org/x/crypto/openpgp/errors/errors.go
new file mode 100644
index 0000000000..a328749471
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/errors/errors.go
@@ -0,0 +1,78 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package errors contains common error types for the OpenPGP packages.
+//
+// Deprecated: this package is unmaintained except for security fixes. New
+// applications should consider a more focused, modern alternative to OpenPGP
+// for their specific task. If you are required to interoperate with OpenPGP
+// systems and need a maintained package, consider a community fork.
+// See https://golang.org/issue/44226.
+package errors
+
+import (
+	"strconv"
+)
+
+// A StructuralError is returned when OpenPGP data is found to be syntactically
+// invalid.
+type StructuralError string
+
+func (s StructuralError) Error() string {
+	return "openpgp: invalid data: " + string(s)
+}
+
+// UnsupportedError indicates that, although the OpenPGP data is valid, it
+// makes use of currently unimplemented features.
+type UnsupportedError string
+
+func (s UnsupportedError) Error() string {
+	return "openpgp: unsupported feature: " + string(s)
+}
+
+// InvalidArgumentError indicates that the caller is in error and passed an
+// incorrect value.
+type InvalidArgumentError string
+
+func (i InvalidArgumentError) Error() string {
+	return "openpgp: invalid argument: " + string(i)
+}
+
+// SignatureError indicates that a syntactically valid signature failed to
+// validate.
+type SignatureError string
+
+func (b SignatureError) Error() string {
+	return "openpgp: invalid signature: " + string(b)
+}
+
+type keyIncorrectError int
+
+func (ki keyIncorrectError) Error() string {
+	return "openpgp: incorrect key"
+}
+
+var ErrKeyIncorrect error = keyIncorrectError(0)
+
+type unknownIssuerError int
+
+func (unknownIssuerError) Error() string {
+	return "openpgp: signature made by unknown entity"
+}
+
+var ErrUnknownIssuer error = unknownIssuerError(0)
+
+type keyRevokedError int
+
+func (keyRevokedError) Error() string {
+	return "openpgp: signature made by revoked key"
+}
+
+var ErrKeyRevoked error = keyRevokedError(0)
+
+type UnknownPacketTypeError uint8
+
+func (upte UnknownPacketTypeError) Error() string {
+	return "openpgp: unknown packet type: " + strconv.Itoa(int(upte))
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go
new file mode 100644
index 0000000000..d62f787e9d
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/keys.go
@@ -0,0 +1,693 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package openpgp
+
+import (
+	"crypto/rsa"
+	"io"
+	"time"
+
+	"golang.org/x/crypto/openpgp/armor"
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/packet"
+)
+
+// PublicKeyType is the armor type for a PGP public key.
+var PublicKeyType = "PGP PUBLIC KEY BLOCK"
+
+// PrivateKeyType is the armor type for a PGP private key.
+var PrivateKeyType = "PGP PRIVATE KEY BLOCK"
+
+// An Entity represents the components of an OpenPGP key: a primary public key
+// (which must be a signing key), one or more identities claimed by that key,
+// and zero or more subkeys, which may be encryption keys.
+type Entity struct {
+	PrimaryKey  *packet.PublicKey
+	PrivateKey  *packet.PrivateKey
+	Identities  map[string]*Identity // indexed by Identity.Name
+	Revocations []*packet.Signature
+	Subkeys     []Subkey
+}
+
+// An Identity represents an identity claimed by an Entity and zero or more
+// assertions by other entities about that claim.
+type Identity struct {
+	Name          string // by convention, has the form "Full Name (comment) <email@example.com>"
+	UserId        *packet.UserId
+	SelfSignature *packet.Signature
+	Signatures    []*packet.Signature
+}
+
+// A Subkey is an additional public key in an Entity. Subkeys can be used for
+// encryption.
+type Subkey struct {
+	PublicKey  *packet.PublicKey
+	PrivateKey *packet.PrivateKey
+	Sig        *packet.Signature
+}
+
+// A Key identifies a specific public key in an Entity. This is either the
+// Entity's primary key or a subkey.
+type Key struct {
+	Entity        *Entity
+	PublicKey     *packet.PublicKey
+	PrivateKey    *packet.PrivateKey
+	SelfSignature *packet.Signature
+}
+
+// A KeyRing provides access to public and private keys.
+type KeyRing interface {
+	// KeysById returns the set of keys that have the given key id.
+	KeysById(id uint64) []Key
+	// KeysByIdUsage returns the set of keys with the given id
+	// that also meet the key usage given by requiredUsage.
+	// The requiredUsage is expressed as the bitwise-OR of
+	// packet.KeyFlag* values.
+	KeysByIdUsage(id uint64, requiredUsage byte) []Key
+	// DecryptionKeys returns all private keys that are valid for
+	// decryption.
+	DecryptionKeys() []Key
+}
+
+// primaryIdentity returns the Identity marked as primary or the first identity
+// if none are so marked.
+func (e *Entity) primaryIdentity() *Identity {
+	var firstIdentity *Identity
+	for _, ident := range e.Identities {
+		if firstIdentity == nil {
+			firstIdentity = ident
+		}
+		if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
+			return ident
+		}
+	}
+	return firstIdentity
+}
+
+// encryptionKey returns the best candidate Key for encrypting a message to the
+// given Entity.
+func (e *Entity) encryptionKey(now time.Time) (Key, bool) {
+	candidateSubkey := -1
+
+	// Iterate the keys to find the newest key
+	var maxTime time.Time
+	for i, subkey := range e.Subkeys {
+		if subkey.Sig.FlagsValid &&
+			subkey.Sig.FlagEncryptCommunications &&
+			subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
+			!subkey.Sig.KeyExpired(now) &&
+			(maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
+			candidateSubkey = i
+			maxTime = subkey.Sig.CreationTime
+		}
+	}
+
+	if candidateSubkey != -1 {
+		subkey := e.Subkeys[candidateSubkey]
+		return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true
+	}
+
+	// If we don't have any candidate subkeys for encryption and
+	// the primary key doesn't have any usage metadata then we
+	// assume that the primary key is ok. Or, if the primary key is
+	// marked as ok to encrypt to, then we can obviously use it.
+	i := e.primaryIdentity()
+	if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications &&
+		e.PrimaryKey.PubKeyAlgo.CanEncrypt() &&
+		!i.SelfSignature.KeyExpired(now) {
+		return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true
+	}
+
+	// This Entity appears to be signing only.
+	return Key{}, false
+}
+
+// signingKey return the best candidate Key for signing a message with this
+// Entity.
+func (e *Entity) signingKey(now time.Time) (Key, bool) {
+	candidateSubkey := -1
+
+	for i, subkey := range e.Subkeys {
+		if subkey.Sig.FlagsValid &&
+			subkey.Sig.FlagSign &&
+			subkey.PublicKey.PubKeyAlgo.CanSign() &&
+			!subkey.Sig.KeyExpired(now) {
+			candidateSubkey = i
+			break
+		}
+	}
+
+	if candidateSubkey != -1 {
+		subkey := e.Subkeys[candidateSubkey]
+		return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true
+	}
+
+	// If we have no candidate subkey then we assume that it's ok to sign
+	// with the primary key.
+	i := e.primaryIdentity()
+	if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagSign &&
+		!i.SelfSignature.KeyExpired(now) {
+		return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true
+	}
+
+	return Key{}, false
+}
+
+// An EntityList contains one or more Entities.
+type EntityList []*Entity
+
+// KeysById returns the set of keys that have the given key id.
+func (el EntityList) KeysById(id uint64) (keys []Key) {
+	for _, e := range el {
+		if e.PrimaryKey.KeyId == id {
+			var selfSig *packet.Signature
+			for _, ident := range e.Identities {
+				if selfSig == nil {
+					selfSig = ident.SelfSignature
+				} else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
+					selfSig = ident.SelfSignature
+					break
+				}
+			}
+			keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig})
+		}
+
+		for _, subKey := range e.Subkeys {
+			if subKey.PublicKey.KeyId == id {
+				keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig})
+			}
+		}
+	}
+	return
+}
+
+// KeysByIdUsage returns the set of keys with the given id that also meet
+// the key usage given by requiredUsage.  The requiredUsage is expressed as
+// the bitwise-OR of packet.KeyFlag* values.
+func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) {
+	for _, key := range el.KeysById(id) {
+		if len(key.Entity.Revocations) > 0 {
+			continue
+		}
+
+		if key.SelfSignature.RevocationReason != nil {
+			continue
+		}
+
+		if key.SelfSignature.FlagsValid && requiredUsage != 0 {
+			var usage byte
+			if key.SelfSignature.FlagCertify {
+				usage |= packet.KeyFlagCertify
+			}
+			if key.SelfSignature.FlagSign {
+				usage |= packet.KeyFlagSign
+			}
+			if key.SelfSignature.FlagEncryptCommunications {
+				usage |= packet.KeyFlagEncryptCommunications
+			}
+			if key.SelfSignature.FlagEncryptStorage {
+				usage |= packet.KeyFlagEncryptStorage
+			}
+			if usage&requiredUsage != requiredUsage {
+				continue
+			}
+		}
+
+		keys = append(keys, key)
+	}
+	return
+}
+
+// DecryptionKeys returns all private keys that are valid for decryption.
+func (el EntityList) DecryptionKeys() (keys []Key) {
+	for _, e := range el {
+		for _, subKey := range e.Subkeys {
+			if subKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
+				keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig})
+			}
+		}
+	}
+	return
+}
+
+// ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file.
+func ReadArmoredKeyRing(r io.Reader) (EntityList, error) {
+	block, err := armor.Decode(r)
+	if err == io.EOF {
+		return nil, errors.InvalidArgumentError("no armored data found")
+	}
+	if err != nil {
+		return nil, err
+	}
+	if block.Type != PublicKeyType && block.Type != PrivateKeyType {
+		return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type)
+	}
+
+	return ReadKeyRing(block.Body)
+}
+
+// ReadKeyRing reads one or more public/private keys. Unsupported keys are
+// ignored as long as at least a single valid key is found.
+func ReadKeyRing(r io.Reader) (el EntityList, err error) {
+	packets := packet.NewReader(r)
+	var lastUnsupportedError error
+
+	for {
+		var e *Entity
+		e, err = ReadEntity(packets)
+		if err != nil {
+			// TODO: warn about skipped unsupported/unreadable keys
+			if _, ok := err.(errors.UnsupportedError); ok {
+				lastUnsupportedError = err
+				err = readToNextPublicKey(packets)
+			} else if _, ok := err.(errors.StructuralError); ok {
+				// Skip unreadable, badly-formatted keys
+				lastUnsupportedError = err
+				err = readToNextPublicKey(packets)
+			}
+			if err == io.EOF {
+				err = nil
+				break
+			}
+			if err != nil {
+				el = nil
+				break
+			}
+		} else {
+			el = append(el, e)
+		}
+	}
+
+	if len(el) == 0 && err == nil {
+		err = lastUnsupportedError
+	}
+	return
+}
+
+// readToNextPublicKey reads packets until the start of the entity and leaves
+// the first packet of the new entity in the Reader.
+func readToNextPublicKey(packets *packet.Reader) (err error) {
+	var p packet.Packet
+	for {
+		p, err = packets.Next()
+		if err == io.EOF {
+			return
+		} else if err != nil {
+			if _, ok := err.(errors.UnsupportedError); ok {
+				err = nil
+				continue
+			}
+			return
+		}
+
+		if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey {
+			packets.Unread(p)
+			return
+		}
+	}
+}
+
+// ReadEntity reads an entity (public key, identities, subkeys etc) from the
+// given Reader.
+func ReadEntity(packets *packet.Reader) (*Entity, error) {
+	e := new(Entity)
+	e.Identities = make(map[string]*Identity)
+
+	p, err := packets.Next()
+	if err != nil {
+		return nil, err
+	}
+
+	var ok bool
+	if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok {
+		if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok {
+			packets.Unread(p)
+			return nil, errors.StructuralError("first packet was not a public/private key")
+		}
+		e.PrimaryKey = &e.PrivateKey.PublicKey
+	}
+
+	if !e.PrimaryKey.PubKeyAlgo.CanSign() {
+		return nil, errors.StructuralError("primary key cannot be used for signatures")
+	}
+
+	var revocations []*packet.Signature
+EachPacket:
+	for {
+		p, err := packets.Next()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+
+		switch pkt := p.(type) {
+		case *packet.UserId:
+			if err := addUserID(e, packets, pkt); err != nil {
+				return nil, err
+			}
+		case *packet.Signature:
+			if pkt.SigType == packet.SigTypeKeyRevocation {
+				revocations = append(revocations, pkt)
+			} else if pkt.SigType == packet.SigTypeDirectSignature {
+				// TODO: RFC4880 5.2.1 permits signatures
+				// directly on keys (eg. to bind additional
+				// revocation keys).
+			}
+			// Else, ignoring the signature as it does not follow anything
+			// we would know to attach it to.
+		case *packet.PrivateKey:
+			if pkt.IsSubkey == false {
+				packets.Unread(p)
+				break EachPacket
+			}
+			err = addSubkey(e, packets, &pkt.PublicKey, pkt)
+			if err != nil {
+				return nil, err
+			}
+		case *packet.PublicKey:
+			if pkt.IsSubkey == false {
+				packets.Unread(p)
+				break EachPacket
+			}
+			err = addSubkey(e, packets, pkt, nil)
+			if err != nil {
+				return nil, err
+			}
+		default:
+			// we ignore unknown packets
+		}
+	}
+
+	if len(e.Identities) == 0 {
+		return nil, errors.StructuralError("entity without any identities")
+	}
+
+	for _, revocation := range revocations {
+		err = e.PrimaryKey.VerifyRevocationSignature(revocation)
+		if err == nil {
+			e.Revocations = append(e.Revocations, revocation)
+		} else {
+			// TODO: RFC 4880 5.2.3.15 defines revocation keys.
+			return nil, errors.StructuralError("revocation signature signed by alternate key")
+		}
+	}
+
+	return e, nil
+}
+
+func addUserID(e *Entity, packets *packet.Reader, pkt *packet.UserId) error {
+	// Make a new Identity object, that we might wind up throwing away.
+	// We'll only add it if we get a valid self-signature over this
+	// userID.
+	identity := new(Identity)
+	identity.Name = pkt.Id
+	identity.UserId = pkt
+
+	for {
+		p, err := packets.Next()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return err
+		}
+
+		sig, ok := p.(*packet.Signature)
+		if !ok {
+			packets.Unread(p)
+			break
+		}
+
+		if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
+			if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
+				return errors.StructuralError("user ID self-signature invalid: " + err.Error())
+			}
+			identity.SelfSignature = sig
+			e.Identities[pkt.Id] = identity
+		} else {
+			identity.Signatures = append(identity.Signatures, sig)
+		}
+	}
+
+	return nil
+}
+
+func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
+	var subKey Subkey
+	subKey.PublicKey = pub
+	subKey.PrivateKey = priv
+
+	for {
+		p, err := packets.Next()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return errors.StructuralError("subkey signature invalid: " + err.Error())
+		}
+
+		sig, ok := p.(*packet.Signature)
+		if !ok {
+			packets.Unread(p)
+			break
+		}
+
+		if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation {
+			return errors.StructuralError("subkey signature with wrong type")
+		}
+
+		if err := e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig); err != nil {
+			return errors.StructuralError("subkey signature invalid: " + err.Error())
+		}
+
+		switch sig.SigType {
+		case packet.SigTypeSubkeyRevocation:
+			subKey.Sig = sig
+		case packet.SigTypeSubkeyBinding:
+
+			if shouldReplaceSubkeySig(subKey.Sig, sig) {
+				subKey.Sig = sig
+			}
+		}
+	}
+
+	if subKey.Sig == nil {
+		return errors.StructuralError("subkey packet not followed by signature")
+	}
+
+	e.Subkeys = append(e.Subkeys, subKey)
+
+	return nil
+}
+
+func shouldReplaceSubkeySig(existingSig, potentialNewSig *packet.Signature) bool {
+	if potentialNewSig == nil {
+		return false
+	}
+
+	if existingSig == nil {
+		return true
+	}
+
+	if existingSig.SigType == packet.SigTypeSubkeyRevocation {
+		return false // never override a revocation signature
+	}
+
+	return potentialNewSig.CreationTime.After(existingSig.CreationTime)
+}
+
+const defaultRSAKeyBits = 2048
+
+// NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
+// single identity composed of the given full name, comment and email, any of
+// which may be empty but must not contain any of "()<>\x00".
+// If config is nil, sensible defaults will be used.
+func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) {
+	creationTime := config.Now()
+
+	bits := defaultRSAKeyBits
+	if config != nil && config.RSABits != 0 {
+		bits = config.RSABits
+	}
+
+	uid := packet.NewUserId(name, comment, email)
+	if uid == nil {
+		return nil, errors.InvalidArgumentError("user id field contained invalid characters")
+	}
+	signingPriv, err := rsa.GenerateKey(config.Random(), bits)
+	if err != nil {
+		return nil, err
+	}
+	encryptingPriv, err := rsa.GenerateKey(config.Random(), bits)
+	if err != nil {
+		return nil, err
+	}
+
+	e := &Entity{
+		PrimaryKey: packet.NewRSAPublicKey(creationTime, &signingPriv.PublicKey),
+		PrivateKey: packet.NewRSAPrivateKey(creationTime, signingPriv),
+		Identities: make(map[string]*Identity),
+	}
+	isPrimaryId := true
+	e.Identities[uid.Id] = &Identity{
+		Name:   uid.Id,
+		UserId: uid,
+		SelfSignature: &packet.Signature{
+			CreationTime: creationTime,
+			SigType:      packet.SigTypePositiveCert,
+			PubKeyAlgo:   packet.PubKeyAlgoRSA,
+			Hash:         config.Hash(),
+			IsPrimaryId:  &isPrimaryId,
+			FlagsValid:   true,
+			FlagSign:     true,
+			FlagCertify:  true,
+			IssuerKeyId:  &e.PrimaryKey.KeyId,
+		},
+	}
+	err = e.Identities[uid.Id].SelfSignature.SignUserId(uid.Id, e.PrimaryKey, e.PrivateKey, config)
+	if err != nil {
+		return nil, err
+	}
+
+	// If the user passes in a DefaultHash via packet.Config,
+	// set the PreferredHash for the SelfSignature.
+	if config != nil && config.DefaultHash != 0 {
+		e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)}
+	}
+
+	// Likewise for DefaultCipher.
+	if config != nil && config.DefaultCipher != 0 {
+		e.Identities[uid.Id].SelfSignature.PreferredSymmetric = []uint8{uint8(config.DefaultCipher)}
+	}
+
+	e.Subkeys = make([]Subkey, 1)
+	e.Subkeys[0] = Subkey{
+		PublicKey:  packet.NewRSAPublicKey(creationTime, &encryptingPriv.PublicKey),
+		PrivateKey: packet.NewRSAPrivateKey(creationTime, encryptingPriv),
+		Sig: &packet.Signature{
+			CreationTime:              creationTime,
+			SigType:                   packet.SigTypeSubkeyBinding,
+			PubKeyAlgo:                packet.PubKeyAlgoRSA,
+			Hash:                      config.Hash(),
+			FlagsValid:                true,
+			FlagEncryptStorage:        true,
+			FlagEncryptCommunications: true,
+			IssuerKeyId:               &e.PrimaryKey.KeyId,
+		},
+	}
+	e.Subkeys[0].PublicKey.IsSubkey = true
+	e.Subkeys[0].PrivateKey.IsSubkey = true
+	err = e.Subkeys[0].Sig.SignKey(e.Subkeys[0].PublicKey, e.PrivateKey, config)
+	if err != nil {
+		return nil, err
+	}
+	return e, nil
+}
+
+// SerializePrivate serializes an Entity, including private key material, but
+// excluding signatures from other entities, to the given Writer.
+// Identities and subkeys are re-signed in case they changed since NewEntry.
+// If config is nil, sensible defaults will be used.
+func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
+	err = e.PrivateKey.Serialize(w)
+	if err != nil {
+		return
+	}
+	for _, ident := range e.Identities {
+		err = ident.UserId.Serialize(w)
+		if err != nil {
+			return
+		}
+		err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config)
+		if err != nil {
+			return
+		}
+		err = ident.SelfSignature.Serialize(w)
+		if err != nil {
+			return
+		}
+	}
+	for _, subkey := range e.Subkeys {
+		err = subkey.PrivateKey.Serialize(w)
+		if err != nil {
+			return
+		}
+		err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
+		if err != nil {
+			return
+		}
+		err = subkey.Sig.Serialize(w)
+		if err != nil {
+			return
+		}
+	}
+	return nil
+}
+
+// Serialize writes the public part of the given Entity to w, including
+// signatures from other entities. No private key material will be output.
+func (e *Entity) Serialize(w io.Writer) error {
+	err := e.PrimaryKey.Serialize(w)
+	if err != nil {
+		return err
+	}
+	for _, ident := range e.Identities {
+		err = ident.UserId.Serialize(w)
+		if err != nil {
+			return err
+		}
+		err = ident.SelfSignature.Serialize(w)
+		if err != nil {
+			return err
+		}
+		for _, sig := range ident.Signatures {
+			err = sig.Serialize(w)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	for _, subkey := range e.Subkeys {
+		err = subkey.PublicKey.Serialize(w)
+		if err != nil {
+			return err
+		}
+		err = subkey.Sig.Serialize(w)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// SignIdentity adds a signature to e, from signer, attesting that identity is
+// associated with e. The provided identity must already be an element of
+// e.Identities and the private key of signer must have been decrypted if
+// necessary.
+// If config is nil, sensible defaults will be used.
+func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error {
+	if signer.PrivateKey == nil {
+		return errors.InvalidArgumentError("signing Entity must have a private key")
+	}
+	if signer.PrivateKey.Encrypted {
+		return errors.InvalidArgumentError("signing Entity's private key must be decrypted")
+	}
+	ident, ok := e.Identities[identity]
+	if !ok {
+		return errors.InvalidArgumentError("given identity string not found in Entity")
+	}
+
+	sig := &packet.Signature{
+		SigType:      packet.SigTypeGenericCert,
+		PubKeyAlgo:   signer.PrivateKey.PubKeyAlgo,
+		Hash:         config.Hash(),
+		CreationTime: config.Now(),
+		IssuerKeyId:  &signer.PrivateKey.KeyId,
+	}
+	if err := sig.SignUserId(identity, e.PrimaryKey, signer.PrivateKey, config); err != nil {
+		return err
+	}
+	ident.Signatures = append(ident.Signatures, sig)
+	return nil
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/compressed.go b/vendor/golang.org/x/crypto/openpgp/packet/compressed.go
new file mode 100644
index 0000000000..353f945247
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/compressed.go
@@ -0,0 +1,123 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"compress/bzip2"
+	"compress/flate"
+	"compress/zlib"
+	"golang.org/x/crypto/openpgp/errors"
+	"io"
+	"strconv"
+)
+
+// Compressed represents a compressed OpenPGP packet. The decompressed contents
+// will contain more OpenPGP packets. See RFC 4880, section 5.6.
+type Compressed struct {
+	Body io.Reader
+}
+
+const (
+	NoCompression      = flate.NoCompression
+	BestSpeed          = flate.BestSpeed
+	BestCompression    = flate.BestCompression
+	DefaultCompression = flate.DefaultCompression
+)
+
+// CompressionConfig contains compressor configuration settings.
+type CompressionConfig struct {
+	// Level is the compression level to use. It must be set to
+	// between -1 and 9, with -1 causing the compressor to use the
+	// default compression level, 0 causing the compressor to use
+	// no compression and 1 to 9 representing increasing (better,
+	// slower) compression levels. If Level is less than -1 or
+	// more then 9, a non-nil error will be returned during
+	// encryption. See the constants above for convenient common
+	// settings for Level.
+	Level int
+}
+
+func (c *Compressed) parse(r io.Reader) error {
+	var buf [1]byte
+	_, err := readFull(r, buf[:])
+	if err != nil {
+		return err
+	}
+
+	switch buf[0] {
+	case 1:
+		c.Body = flate.NewReader(r)
+	case 2:
+		c.Body, err = zlib.NewReader(r)
+	case 3:
+		c.Body = bzip2.NewReader(r)
+	default:
+		err = errors.UnsupportedError("unknown compression algorithm: " + strconv.Itoa(int(buf[0])))
+	}
+
+	return err
+}
+
+// compressedWriteCloser represents the serialized compression stream
+// header and the compressor. Its Close() method ensures that both the
+// compressor and serialized stream header are closed. Its Write()
+// method writes to the compressor.
+type compressedWriteCloser struct {
+	sh io.Closer      // Stream Header
+	c  io.WriteCloser // Compressor
+}
+
+func (cwc compressedWriteCloser) Write(p []byte) (int, error) {
+	return cwc.c.Write(p)
+}
+
+func (cwc compressedWriteCloser) Close() (err error) {
+	err = cwc.c.Close()
+	if err != nil {
+		return err
+	}
+
+	return cwc.sh.Close()
+}
+
+// SerializeCompressed serializes a compressed data packet to w and
+// returns a WriteCloser to which the literal data packets themselves
+// can be written and which MUST be closed on completion. If cc is
+// nil, sensible defaults will be used to configure the compression
+// algorithm.
+func SerializeCompressed(w io.WriteCloser, algo CompressionAlgo, cc *CompressionConfig) (literaldata io.WriteCloser, err error) {
+	compressed, err := serializeStreamHeader(w, packetTypeCompressed)
+	if err != nil {
+		return
+	}
+
+	_, err = compressed.Write([]byte{uint8(algo)})
+	if err != nil {
+		return
+	}
+
+	level := DefaultCompression
+	if cc != nil {
+		level = cc.Level
+	}
+
+	var compressor io.WriteCloser
+	switch algo {
+	case CompressionZIP:
+		compressor, err = flate.NewWriter(compressed, level)
+	case CompressionZLIB:
+		compressor, err = zlib.NewWriterLevel(compressed, level)
+	default:
+		s := strconv.Itoa(int(algo))
+		err = errors.UnsupportedError("Unsupported compression algorithm: " + s)
+	}
+	if err != nil {
+		return
+	}
+
+	literaldata = compressedWriteCloser{compressed, compressor}
+
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/config.go b/vendor/golang.org/x/crypto/openpgp/packet/config.go
new file mode 100644
index 0000000000..c76eecc963
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/config.go
@@ -0,0 +1,91 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"crypto"
+	"crypto/rand"
+	"io"
+	"time"
+)
+
+// Config collects a number of parameters along with sensible defaults.
+// A nil *Config is valid and results in all default values.
+type Config struct {
+	// Rand provides the source of entropy.
+	// If nil, the crypto/rand Reader is used.
+	Rand io.Reader
+	// DefaultHash is the default hash function to be used.
+	// If zero, SHA-256 is used.
+	DefaultHash crypto.Hash
+	// DefaultCipher is the cipher to be used.
+	// If zero, AES-128 is used.
+	DefaultCipher CipherFunction
+	// Time returns the current time as the number of seconds since the
+	// epoch. If Time is nil, time.Now is used.
+	Time func() time.Time
+	// DefaultCompressionAlgo is the compression algorithm to be
+	// applied to the plaintext before encryption. If zero, no
+	// compression is done.
+	DefaultCompressionAlgo CompressionAlgo
+	// CompressionConfig configures the compression settings.
+	CompressionConfig *CompressionConfig
+	// S2KCount is only used for symmetric encryption. It
+	// determines the strength of the passphrase stretching when
+	// the said passphrase is hashed to produce a key. S2KCount
+	// should be between 1024 and 65011712, inclusive. If Config
+	// is nil or S2KCount is 0, the value 65536 used. Not all
+	// values in the above range can be represented. S2KCount will
+	// be rounded up to the next representable value if it cannot
+	// be encoded exactly. When set, it is strongly encrouraged to
+	// use a value that is at least 65536. See RFC 4880 Section
+	// 3.7.1.3.
+	S2KCount int
+	// RSABits is the number of bits in new RSA keys made with NewEntity.
+	// If zero, then 2048 bit keys are created.
+	RSABits int
+}
+
+func (c *Config) Random() io.Reader {
+	if c == nil || c.Rand == nil {
+		return rand.Reader
+	}
+	return c.Rand
+}
+
+func (c *Config) Hash() crypto.Hash {
+	if c == nil || uint(c.DefaultHash) == 0 {
+		return crypto.SHA256
+	}
+	return c.DefaultHash
+}
+
+func (c *Config) Cipher() CipherFunction {
+	if c == nil || uint8(c.DefaultCipher) == 0 {
+		return CipherAES128
+	}
+	return c.DefaultCipher
+}
+
+func (c *Config) Now() time.Time {
+	if c == nil || c.Time == nil {
+		return time.Now()
+	}
+	return c.Time()
+}
+
+func (c *Config) Compression() CompressionAlgo {
+	if c == nil {
+		return CompressionNone
+	}
+	return c.DefaultCompressionAlgo
+}
+
+func (c *Config) PasswordHashIterations() int {
+	if c == nil || c.S2KCount == 0 {
+		return 0
+	}
+	return c.S2KCount
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go
new file mode 100644
index 0000000000..6d7639722c
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go
@@ -0,0 +1,208 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"crypto"
+	"crypto/rsa"
+	"encoding/binary"
+	"io"
+	"math/big"
+	"strconv"
+
+	"golang.org/x/crypto/openpgp/elgamal"
+	"golang.org/x/crypto/openpgp/errors"
+)
+
+const encryptedKeyVersion = 3
+
+// EncryptedKey represents a public-key encrypted session key. See RFC 4880,
+// section 5.1.
+type EncryptedKey struct {
+	KeyId      uint64
+	Algo       PublicKeyAlgorithm
+	CipherFunc CipherFunction // only valid after a successful Decrypt
+	Key        []byte         // only valid after a successful Decrypt
+
+	encryptedMPI1, encryptedMPI2 parsedMPI
+}
+
+func (e *EncryptedKey) parse(r io.Reader) (err error) {
+	var buf [10]byte
+	_, err = readFull(r, buf[:])
+	if err != nil {
+		return
+	}
+	if buf[0] != encryptedKeyVersion {
+		return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0])))
+	}
+	e.KeyId = binary.BigEndian.Uint64(buf[1:9])
+	e.Algo = PublicKeyAlgorithm(buf[9])
+	switch e.Algo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
+		e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
+		if err != nil {
+			return
+		}
+	case PubKeyAlgoElGamal:
+		e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
+		if err != nil {
+			return
+		}
+		e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r)
+		if err != nil {
+			return
+		}
+	}
+	_, err = consumeAll(r)
+	return
+}
+
+func checksumKeyMaterial(key []byte) uint16 {
+	var checksum uint16
+	for _, v := range key {
+		checksum += uint16(v)
+	}
+	return checksum
+}
+
+// Decrypt decrypts an encrypted session key with the given private key. The
+// private key must have been decrypted first.
+// If config is nil, sensible defaults will be used.
+func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error {
+	var err error
+	var b []byte
+
+	// TODO(agl): use session key decryption routines here to avoid
+	// padding oracle attacks.
+	switch priv.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
+		// Supports both *rsa.PrivateKey and crypto.Decrypter
+		k := priv.PrivateKey.(crypto.Decrypter)
+		b, err = k.Decrypt(config.Random(), padToKeySize(k.Public().(*rsa.PublicKey), e.encryptedMPI1.bytes), nil)
+	case PubKeyAlgoElGamal:
+		c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes)
+		c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes)
+		b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2)
+	default:
+		err = errors.InvalidArgumentError("cannot decrypted encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo)))
+	}
+
+	if err != nil {
+		return err
+	}
+
+	e.CipherFunc = CipherFunction(b[0])
+	e.Key = b[1 : len(b)-2]
+	expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1])
+	checksum := checksumKeyMaterial(e.Key)
+	if checksum != expectedChecksum {
+		return errors.StructuralError("EncryptedKey checksum incorrect")
+	}
+
+	return nil
+}
+
+// Serialize writes the encrypted key packet, e, to w.
+func (e *EncryptedKey) Serialize(w io.Writer) error {
+	var mpiLen int
+	switch e.Algo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
+		mpiLen = 2 + len(e.encryptedMPI1.bytes)
+	case PubKeyAlgoElGamal:
+		mpiLen = 2 + len(e.encryptedMPI1.bytes) + 2 + len(e.encryptedMPI2.bytes)
+	default:
+		return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo)))
+	}
+
+	serializeHeader(w, packetTypeEncryptedKey, 1 /* version */ +8 /* key id */ +1 /* algo */ +mpiLen)
+
+	w.Write([]byte{encryptedKeyVersion})
+	binary.Write(w, binary.BigEndian, e.KeyId)
+	w.Write([]byte{byte(e.Algo)})
+
+	switch e.Algo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
+		writeMPIs(w, e.encryptedMPI1)
+	case PubKeyAlgoElGamal:
+		writeMPIs(w, e.encryptedMPI1, e.encryptedMPI2)
+	default:
+		panic("internal error")
+	}
+
+	return nil
+}
+
+// SerializeEncryptedKey serializes an encrypted key packet to w that contains
+// key, encrypted to pub.
+// If config is nil, sensible defaults will be used.
+func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error {
+	var buf [10]byte
+	buf[0] = encryptedKeyVersion
+	binary.BigEndian.PutUint64(buf[1:9], pub.KeyId)
+	buf[9] = byte(pub.PubKeyAlgo)
+
+	keyBlock := make([]byte, 1 /* cipher type */ +len(key)+2 /* checksum */)
+	keyBlock[0] = byte(cipherFunc)
+	copy(keyBlock[1:], key)
+	checksum := checksumKeyMaterial(key)
+	keyBlock[1+len(key)] = byte(checksum >> 8)
+	keyBlock[1+len(key)+1] = byte(checksum)
+
+	switch pub.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
+		return serializeEncryptedKeyRSA(w, config.Random(), buf, pub.PublicKey.(*rsa.PublicKey), keyBlock)
+	case PubKeyAlgoElGamal:
+		return serializeEncryptedKeyElGamal(w, config.Random(), buf, pub.PublicKey.(*elgamal.PublicKey), keyBlock)
+	case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly:
+		return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
+	}
+
+	return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
+}
+
+func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header [10]byte, pub *rsa.PublicKey, keyBlock []byte) error {
+	cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock)
+	if err != nil {
+		return errors.InvalidArgumentError("RSA encryption failed: " + err.Error())
+	}
+
+	packetLen := 10 /* header length */ + 2 /* mpi size */ + len(cipherText)
+
+	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(header[:])
+	if err != nil {
+		return err
+	}
+	return writeMPI(w, 8*uint16(len(cipherText)), cipherText)
+}
+
+func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header [10]byte, pub *elgamal.PublicKey, keyBlock []byte) error {
+	c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock)
+	if err != nil {
+		return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error())
+	}
+
+	packetLen := 10 /* header length */
+	packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8
+	packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8
+
+	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(header[:])
+	if err != nil {
+		return err
+	}
+	err = writeBig(w, c1)
+	if err != nil {
+		return err
+	}
+	return writeBig(w, c2)
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/literal.go b/vendor/golang.org/x/crypto/openpgp/packet/literal.go
new file mode 100644
index 0000000000..1a9ec6e51e
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/literal.go
@@ -0,0 +1,89 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"encoding/binary"
+	"io"
+)
+
+// LiteralData represents an encrypted file. See RFC 4880, section 5.9.
+type LiteralData struct {
+	IsBinary bool
+	FileName string
+	Time     uint32 // Unix epoch time. Either creation time or modification time. 0 means undefined.
+	Body     io.Reader
+}
+
+// ForEyesOnly returns whether the contents of the LiteralData have been marked
+// as especially sensitive.
+func (l *LiteralData) ForEyesOnly() bool {
+	return l.FileName == "_CONSOLE"
+}
+
+func (l *LiteralData) parse(r io.Reader) (err error) {
+	var buf [256]byte
+
+	_, err = readFull(r, buf[:2])
+	if err != nil {
+		return
+	}
+
+	l.IsBinary = buf[0] == 'b'
+	fileNameLen := int(buf[1])
+
+	_, err = readFull(r, buf[:fileNameLen])
+	if err != nil {
+		return
+	}
+
+	l.FileName = string(buf[:fileNameLen])
+
+	_, err = readFull(r, buf[:4])
+	if err != nil {
+		return
+	}
+
+	l.Time = binary.BigEndian.Uint32(buf[:4])
+	l.Body = r
+	return
+}
+
+// SerializeLiteral serializes a literal data packet to w and returns a
+// WriteCloser to which the data itself can be written and which MUST be closed
+// on completion. The fileName is truncated to 255 bytes.
+func SerializeLiteral(w io.WriteCloser, isBinary bool, fileName string, time uint32) (plaintext io.WriteCloser, err error) {
+	var buf [4]byte
+	buf[0] = 't'
+	if isBinary {
+		buf[0] = 'b'
+	}
+	if len(fileName) > 255 {
+		fileName = fileName[:255]
+	}
+	buf[1] = byte(len(fileName))
+
+	inner, err := serializeStreamHeader(w, packetTypeLiteralData)
+	if err != nil {
+		return
+	}
+
+	_, err = inner.Write(buf[:2])
+	if err != nil {
+		return
+	}
+	_, err = inner.Write([]byte(fileName))
+	if err != nil {
+		return
+	}
+	binary.BigEndian.PutUint32(buf[:], time)
+	_, err = inner.Write(buf[:])
+	if err != nil {
+		return
+	}
+
+	plaintext = inner
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go b/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
new file mode 100644
index 0000000000..ce2a33a547
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
@@ -0,0 +1,143 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// OpenPGP CFB Mode. http://tools.ietf.org/html/rfc4880#section-13.9
+
+package packet
+
+import (
+	"crypto/cipher"
+)
+
+type ocfbEncrypter struct {
+	b       cipher.Block
+	fre     []byte
+	outUsed int
+}
+
+// An OCFBResyncOption determines if the "resynchronization step" of OCFB is
+// performed.
+type OCFBResyncOption bool
+
+const (
+	OCFBResync   OCFBResyncOption = true
+	OCFBNoResync OCFBResyncOption = false
+)
+
+// NewOCFBEncrypter returns a cipher.Stream which encrypts data with OpenPGP's
+// cipher feedback mode using the given cipher.Block, and an initial amount of
+// ciphertext.  randData must be random bytes and be the same length as the
+// cipher.Block's block size. Resync determines if the "resynchronization step"
+// from RFC 4880, 13.9 step 7 is performed. Different parts of OpenPGP vary on
+// this point.
+func NewOCFBEncrypter(block cipher.Block, randData []byte, resync OCFBResyncOption) (cipher.Stream, []byte) {
+	blockSize := block.BlockSize()
+	if len(randData) != blockSize {
+		return nil, nil
+	}
+
+	x := &ocfbEncrypter{
+		b:       block,
+		fre:     make([]byte, blockSize),
+		outUsed: 0,
+	}
+	prefix := make([]byte, blockSize+2)
+
+	block.Encrypt(x.fre, x.fre)
+	for i := 0; i < blockSize; i++ {
+		prefix[i] = randData[i] ^ x.fre[i]
+	}
+
+	block.Encrypt(x.fre, prefix[:blockSize])
+	prefix[blockSize] = x.fre[0] ^ randData[blockSize-2]
+	prefix[blockSize+1] = x.fre[1] ^ randData[blockSize-1]
+
+	if resync {
+		block.Encrypt(x.fre, prefix[2:])
+	} else {
+		x.fre[0] = prefix[blockSize]
+		x.fre[1] = prefix[blockSize+1]
+		x.outUsed = 2
+	}
+	return x, prefix
+}
+
+func (x *ocfbEncrypter) XORKeyStream(dst, src []byte) {
+	for i := 0; i < len(src); i++ {
+		if x.outUsed == len(x.fre) {
+			x.b.Encrypt(x.fre, x.fre)
+			x.outUsed = 0
+		}
+
+		x.fre[x.outUsed] ^= src[i]
+		dst[i] = x.fre[x.outUsed]
+		x.outUsed++
+	}
+}
+
+type ocfbDecrypter struct {
+	b       cipher.Block
+	fre     []byte
+	outUsed int
+}
+
+// NewOCFBDecrypter returns a cipher.Stream which decrypts data with OpenPGP's
+// cipher feedback mode using the given cipher.Block. Prefix must be the first
+// blockSize + 2 bytes of the ciphertext, where blockSize is the cipher.Block's
+// block size. If an incorrect key is detected then nil is returned. On
+// successful exit, blockSize+2 bytes of decrypted data are written into
+// prefix. Resync determines if the "resynchronization step" from RFC 4880,
+// 13.9 step 7 is performed. Different parts of OpenPGP vary on this point.
+func NewOCFBDecrypter(block cipher.Block, prefix []byte, resync OCFBResyncOption) cipher.Stream {
+	blockSize := block.BlockSize()
+	if len(prefix) != blockSize+2 {
+		return nil
+	}
+
+	x := &ocfbDecrypter{
+		b:       block,
+		fre:     make([]byte, blockSize),
+		outUsed: 0,
+	}
+	prefixCopy := make([]byte, len(prefix))
+	copy(prefixCopy, prefix)
+
+	block.Encrypt(x.fre, x.fre)
+	for i := 0; i < blockSize; i++ {
+		prefixCopy[i] ^= x.fre[i]
+	}
+
+	block.Encrypt(x.fre, prefix[:blockSize])
+	prefixCopy[blockSize] ^= x.fre[0]
+	prefixCopy[blockSize+1] ^= x.fre[1]
+
+	if prefixCopy[blockSize-2] != prefixCopy[blockSize] ||
+		prefixCopy[blockSize-1] != prefixCopy[blockSize+1] {
+		return nil
+	}
+
+	if resync {
+		block.Encrypt(x.fre, prefix[2:])
+	} else {
+		x.fre[0] = prefix[blockSize]
+		x.fre[1] = prefix[blockSize+1]
+		x.outUsed = 2
+	}
+	copy(prefix, prefixCopy)
+	return x
+}
+
+func (x *ocfbDecrypter) XORKeyStream(dst, src []byte) {
+	for i := 0; i < len(src); i++ {
+		if x.outUsed == len(x.fre) {
+			x.b.Encrypt(x.fre, x.fre)
+			x.outUsed = 0
+		}
+
+		c := src[i]
+		dst[i] = x.fre[x.outUsed] ^ src[i]
+		x.fre[x.outUsed] = c
+		x.outUsed++
+	}
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go b/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go
new file mode 100644
index 0000000000..1713503395
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go
@@ -0,0 +1,73 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"crypto"
+	"encoding/binary"
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/s2k"
+	"io"
+	"strconv"
+)
+
+// OnePassSignature represents a one-pass signature packet. See RFC 4880,
+// section 5.4.
+type OnePassSignature struct {
+	SigType    SignatureType
+	Hash       crypto.Hash
+	PubKeyAlgo PublicKeyAlgorithm
+	KeyId      uint64
+	IsLast     bool
+}
+
+const onePassSignatureVersion = 3
+
+func (ops *OnePassSignature) parse(r io.Reader) (err error) {
+	var buf [13]byte
+
+	_, err = readFull(r, buf[:])
+	if err != nil {
+		return
+	}
+	if buf[0] != onePassSignatureVersion {
+		err = errors.UnsupportedError("one-pass-signature packet version " + strconv.Itoa(int(buf[0])))
+	}
+
+	var ok bool
+	ops.Hash, ok = s2k.HashIdToHash(buf[2])
+	if !ok {
+		return errors.UnsupportedError("hash function: " + strconv.Itoa(int(buf[2])))
+	}
+
+	ops.SigType = SignatureType(buf[1])
+	ops.PubKeyAlgo = PublicKeyAlgorithm(buf[3])
+	ops.KeyId = binary.BigEndian.Uint64(buf[4:12])
+	ops.IsLast = buf[12] != 0
+	return
+}
+
+// Serialize marshals the given OnePassSignature to w.
+func (ops *OnePassSignature) Serialize(w io.Writer) error {
+	var buf [13]byte
+	buf[0] = onePassSignatureVersion
+	buf[1] = uint8(ops.SigType)
+	var ok bool
+	buf[2], ok = s2k.HashToHashId(ops.Hash)
+	if !ok {
+		return errors.UnsupportedError("hash type: " + strconv.Itoa(int(ops.Hash)))
+	}
+	buf[3] = uint8(ops.PubKeyAlgo)
+	binary.BigEndian.PutUint64(buf[4:12], ops.KeyId)
+	if ops.IsLast {
+		buf[12] = 1
+	}
+
+	if err := serializeHeader(w, packetTypeOnePassSignature, len(buf)); err != nil {
+		return err
+	}
+	_, err := w.Write(buf[:])
+	return err
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/opaque.go b/vendor/golang.org/x/crypto/openpgp/packet/opaque.go
new file mode 100644
index 0000000000..3984477310
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/opaque.go
@@ -0,0 +1,161 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"bytes"
+	"io"
+
+	"golang.org/x/crypto/openpgp/errors"
+)
+
+// OpaquePacket represents an OpenPGP packet as raw, unparsed data. This is
+// useful for splitting and storing the original packet contents separately,
+// handling unsupported packet types or accessing parts of the packet not yet
+// implemented by this package.
+type OpaquePacket struct {
+	// Packet type
+	Tag uint8
+	// Reason why the packet was parsed opaquely
+	Reason error
+	// Binary contents of the packet data
+	Contents []byte
+}
+
+func (op *OpaquePacket) parse(r io.Reader) (err error) {
+	op.Contents, err = io.ReadAll(r)
+	return
+}
+
+// Serialize marshals the packet to a writer in its original form, including
+// the packet header.
+func (op *OpaquePacket) Serialize(w io.Writer) (err error) {
+	err = serializeHeader(w, packetType(op.Tag), len(op.Contents))
+	if err == nil {
+		_, err = w.Write(op.Contents)
+	}
+	return
+}
+
+// Parse attempts to parse the opaque contents into a structure supported by
+// this package. If the packet is not known then the result will be another
+// OpaquePacket.
+func (op *OpaquePacket) Parse() (p Packet, err error) {
+	hdr := bytes.NewBuffer(nil)
+	err = serializeHeader(hdr, packetType(op.Tag), len(op.Contents))
+	if err != nil {
+		op.Reason = err
+		return op, err
+	}
+	p, err = Read(io.MultiReader(hdr, bytes.NewBuffer(op.Contents)))
+	if err != nil {
+		op.Reason = err
+		p = op
+	}
+	return
+}
+
+// OpaqueReader reads OpaquePackets from an io.Reader.
+type OpaqueReader struct {
+	r io.Reader
+}
+
+func NewOpaqueReader(r io.Reader) *OpaqueReader {
+	return &OpaqueReader{r: r}
+}
+
+// Read the next OpaquePacket.
+func (or *OpaqueReader) Next() (op *OpaquePacket, err error) {
+	tag, _, contents, err := readHeader(or.r)
+	if err != nil {
+		return
+	}
+	op = &OpaquePacket{Tag: uint8(tag), Reason: err}
+	err = op.parse(contents)
+	if err != nil {
+		consumeAll(contents)
+	}
+	return
+}
+
+// OpaqueSubpacket represents an unparsed OpenPGP subpacket,
+// as found in signature and user attribute packets.
+type OpaqueSubpacket struct {
+	SubType  uint8
+	Contents []byte
+}
+
+// OpaqueSubpackets extracts opaque, unparsed OpenPGP subpackets from
+// their byte representation.
+func OpaqueSubpackets(contents []byte) (result []*OpaqueSubpacket, err error) {
+	var (
+		subHeaderLen int
+		subPacket    *OpaqueSubpacket
+	)
+	for len(contents) > 0 {
+		subHeaderLen, subPacket, err = nextSubpacket(contents)
+		if err != nil {
+			break
+		}
+		result = append(result, subPacket)
+		contents = contents[subHeaderLen+len(subPacket.Contents):]
+	}
+	return
+}
+
+func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacket, err error) {
+	// RFC 4880, section 5.2.3.1
+	var subLen uint32
+	if len(contents) < 1 {
+		goto Truncated
+	}
+	subPacket = &OpaqueSubpacket{}
+	switch {
+	case contents[0] < 192:
+		subHeaderLen = 2 // 1 length byte, 1 subtype byte
+		if len(contents) < subHeaderLen {
+			goto Truncated
+		}
+		subLen = uint32(contents[0])
+		contents = contents[1:]
+	case contents[0] < 255:
+		subHeaderLen = 3 // 2 length bytes, 1 subtype
+		if len(contents) < subHeaderLen {
+			goto Truncated
+		}
+		subLen = uint32(contents[0]-192)<<8 + uint32(contents[1]) + 192
+		contents = contents[2:]
+	default:
+		subHeaderLen = 6 // 5 length bytes, 1 subtype
+		if len(contents) < subHeaderLen {
+			goto Truncated
+		}
+		subLen = uint32(contents[1])<<24 |
+			uint32(contents[2])<<16 |
+			uint32(contents[3])<<8 |
+			uint32(contents[4])
+		contents = contents[5:]
+	}
+	if subLen > uint32(len(contents)) || subLen == 0 {
+		goto Truncated
+	}
+	subPacket.SubType = contents[0]
+	subPacket.Contents = contents[1:subLen]
+	return
+Truncated:
+	err = errors.StructuralError("subpacket truncated")
+	return
+}
+
+func (osp *OpaqueSubpacket) Serialize(w io.Writer) (err error) {
+	buf := make([]byte, 6)
+	n := serializeSubpacketLength(buf, len(osp.Contents)+1)
+	buf[n] = osp.SubType
+	if _, err = w.Write(buf[:n+1]); err != nil {
+		return
+	}
+	_, err = w.Write(osp.Contents)
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
new file mode 100644
index 0000000000..a84a1a214e
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
@@ -0,0 +1,590 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package packet implements parsing and serialization of OpenPGP packets, as
+// specified in RFC 4880.
+//
+// Deprecated: this package is unmaintained except for security fixes. New
+// applications should consider a more focused, modern alternative to OpenPGP
+// for their specific task. If you are required to interoperate with OpenPGP
+// systems and need a maintained package, consider a community fork.
+// See https://golang.org/issue/44226.
+package packet
+
+import (
+	"bufio"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/des"
+	"crypto/rsa"
+	"io"
+	"math/big"
+	"math/bits"
+
+	"golang.org/x/crypto/cast5"
+	"golang.org/x/crypto/openpgp/errors"
+)
+
+// readFull is the same as io.ReadFull except that reading zero bytes returns
+// ErrUnexpectedEOF rather than EOF.
+func readFull(r io.Reader, buf []byte) (n int, err error) {
+	n, err = io.ReadFull(r, buf)
+	if err == io.EOF {
+		err = io.ErrUnexpectedEOF
+	}
+	return
+}
+
+// readLength reads an OpenPGP length from r. See RFC 4880, section 4.2.2.
+func readLength(r io.Reader) (length int64, isPartial bool, err error) {
+	var buf [4]byte
+	_, err = readFull(r, buf[:1])
+	if err != nil {
+		return
+	}
+	switch {
+	case buf[0] < 192:
+		length = int64(buf[0])
+	case buf[0] < 224:
+		length = int64(buf[0]-192) << 8
+		_, err = readFull(r, buf[0:1])
+		if err != nil {
+			return
+		}
+		length += int64(buf[0]) + 192
+	case buf[0] < 255:
+		length = int64(1) << (buf[0] & 0x1f)
+		isPartial = true
+	default:
+		_, err = readFull(r, buf[0:4])
+		if err != nil {
+			return
+		}
+		length = int64(buf[0])<<24 |
+			int64(buf[1])<<16 |
+			int64(buf[2])<<8 |
+			int64(buf[3])
+	}
+	return
+}
+
+// partialLengthReader wraps an io.Reader and handles OpenPGP partial lengths.
+// The continuation lengths are parsed and removed from the stream and EOF is
+// returned at the end of the packet. See RFC 4880, section 4.2.2.4.
+type partialLengthReader struct {
+	r         io.Reader
+	remaining int64
+	isPartial bool
+}
+
+func (r *partialLengthReader) Read(p []byte) (n int, err error) {
+	for r.remaining == 0 {
+		if !r.isPartial {
+			return 0, io.EOF
+		}
+		r.remaining, r.isPartial, err = readLength(r.r)
+		if err != nil {
+			return 0, err
+		}
+	}
+
+	toRead := int64(len(p))
+	if toRead > r.remaining {
+		toRead = r.remaining
+	}
+
+	n, err = r.r.Read(p[:int(toRead)])
+	r.remaining -= int64(n)
+	if n < int(toRead) && err == io.EOF {
+		err = io.ErrUnexpectedEOF
+	}
+	return
+}
+
+// partialLengthWriter writes a stream of data using OpenPGP partial lengths.
+// See RFC 4880, section 4.2.2.4.
+type partialLengthWriter struct {
+	w          io.WriteCloser
+	lengthByte [1]byte
+	sentFirst  bool
+	buf        []byte
+}
+
+// RFC 4880 4.2.2.4: the first partial length MUST be at least 512 octets long.
+const minFirstPartialWrite = 512
+
+func (w *partialLengthWriter) Write(p []byte) (n int, err error) {
+	off := 0
+	if !w.sentFirst {
+		if len(w.buf) > 0 || len(p) < minFirstPartialWrite {
+			off = len(w.buf)
+			w.buf = append(w.buf, p...)
+			if len(w.buf) < minFirstPartialWrite {
+				return len(p), nil
+			}
+			p = w.buf
+			w.buf = nil
+		}
+		w.sentFirst = true
+	}
+
+	power := uint8(30)
+	for len(p) > 0 {
+		l := 1 << power
+		if len(p) < l {
+			power = uint8(bits.Len32(uint32(len(p)))) - 1
+			l = 1 << power
+		}
+		w.lengthByte[0] = 224 + power
+		_, err = w.w.Write(w.lengthByte[:])
+		if err == nil {
+			var m int
+			m, err = w.w.Write(p[:l])
+			n += m
+		}
+		if err != nil {
+			if n < off {
+				return 0, err
+			}
+			return n - off, err
+		}
+		p = p[l:]
+	}
+	return n - off, nil
+}
+
+func (w *partialLengthWriter) Close() error {
+	if len(w.buf) > 0 {
+		// In this case we can't send a 512 byte packet.
+		// Just send what we have.
+		p := w.buf
+		w.sentFirst = true
+		w.buf = nil
+		if _, err := w.Write(p); err != nil {
+			return err
+		}
+	}
+
+	w.lengthByte[0] = 0
+	_, err := w.w.Write(w.lengthByte[:])
+	if err != nil {
+		return err
+	}
+	return w.w.Close()
+}
+
+// A spanReader is an io.LimitReader, but it returns ErrUnexpectedEOF if the
+// underlying Reader returns EOF before the limit has been reached.
+type spanReader struct {
+	r io.Reader
+	n int64
+}
+
+func (l *spanReader) Read(p []byte) (n int, err error) {
+	if l.n <= 0 {
+		return 0, io.EOF
+	}
+	if int64(len(p)) > l.n {
+		p = p[0:l.n]
+	}
+	n, err = l.r.Read(p)
+	l.n -= int64(n)
+	if l.n > 0 && err == io.EOF {
+		err = io.ErrUnexpectedEOF
+	}
+	return
+}
+
+// readHeader parses a packet header and returns an io.Reader which will return
+// the contents of the packet. See RFC 4880, section 4.2.
+func readHeader(r io.Reader) (tag packetType, length int64, contents io.Reader, err error) {
+	var buf [4]byte
+	_, err = io.ReadFull(r, buf[:1])
+	if err != nil {
+		return
+	}
+	if buf[0]&0x80 == 0 {
+		err = errors.StructuralError("tag byte does not have MSB set")
+		return
+	}
+	if buf[0]&0x40 == 0 {
+		// Old format packet
+		tag = packetType((buf[0] & 0x3f) >> 2)
+		lengthType := buf[0] & 3
+		if lengthType == 3 {
+			length = -1
+			contents = r
+			return
+		}
+		lengthBytes := 1 << lengthType
+		_, err = readFull(r, buf[0:lengthBytes])
+		if err != nil {
+			return
+		}
+		for i := 0; i < lengthBytes; i++ {
+			length <<= 8
+			length |= int64(buf[i])
+		}
+		contents = &spanReader{r, length}
+		return
+	}
+
+	// New format packet
+	tag = packetType(buf[0] & 0x3f)
+	length, isPartial, err := readLength(r)
+	if err != nil {
+		return
+	}
+	if isPartial {
+		contents = &partialLengthReader{
+			remaining: length,
+			isPartial: true,
+			r:         r,
+		}
+		length = -1
+	} else {
+		contents = &spanReader{r, length}
+	}
+	return
+}
+
+// serializeHeader writes an OpenPGP packet header to w. See RFC 4880, section
+// 4.2.
+func serializeHeader(w io.Writer, ptype packetType, length int) (err error) {
+	var buf [6]byte
+	var n int
+
+	buf[0] = 0x80 | 0x40 | byte(ptype)
+	if length < 192 {
+		buf[1] = byte(length)
+		n = 2
+	} else if length < 8384 {
+		length -= 192
+		buf[1] = 192 + byte(length>>8)
+		buf[2] = byte(length)
+		n = 3
+	} else {
+		buf[1] = 255
+		buf[2] = byte(length >> 24)
+		buf[3] = byte(length >> 16)
+		buf[4] = byte(length >> 8)
+		buf[5] = byte(length)
+		n = 6
+	}
+
+	_, err = w.Write(buf[:n])
+	return
+}
+
+// serializeStreamHeader writes an OpenPGP packet header to w where the
+// length of the packet is unknown. It returns a io.WriteCloser which can be
+// used to write the contents of the packet. See RFC 4880, section 4.2.
+func serializeStreamHeader(w io.WriteCloser, ptype packetType) (out io.WriteCloser, err error) {
+	var buf [1]byte
+	buf[0] = 0x80 | 0x40 | byte(ptype)
+	_, err = w.Write(buf[:])
+	if err != nil {
+		return
+	}
+	out = &partialLengthWriter{w: w}
+	return
+}
+
+// Packet represents an OpenPGP packet. Users are expected to try casting
+// instances of this interface to specific packet types.
+type Packet interface {
+	parse(io.Reader) error
+}
+
+// consumeAll reads from the given Reader until error, returning the number of
+// bytes read.
+func consumeAll(r io.Reader) (n int64, err error) {
+	var m int
+	var buf [1024]byte
+
+	for {
+		m, err = r.Read(buf[:])
+		n += int64(m)
+		if err == io.EOF {
+			err = nil
+			return
+		}
+		if err != nil {
+			return
+		}
+	}
+}
+
+// packetType represents the numeric ids of the different OpenPGP packet types. See
+// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-2
+type packetType uint8
+
+const (
+	packetTypeEncryptedKey              packetType = 1
+	packetTypeSignature                 packetType = 2
+	packetTypeSymmetricKeyEncrypted     packetType = 3
+	packetTypeOnePassSignature          packetType = 4
+	packetTypePrivateKey                packetType = 5
+	packetTypePublicKey                 packetType = 6
+	packetTypePrivateSubkey             packetType = 7
+	packetTypeCompressed                packetType = 8
+	packetTypeSymmetricallyEncrypted    packetType = 9
+	packetTypeLiteralData               packetType = 11
+	packetTypeUserId                    packetType = 13
+	packetTypePublicSubkey              packetType = 14
+	packetTypeUserAttribute             packetType = 17
+	packetTypeSymmetricallyEncryptedMDC packetType = 18
+)
+
+// peekVersion detects the version of a public key packet about to
+// be read. A bufio.Reader at the original position of the io.Reader
+// is returned.
+func peekVersion(r io.Reader) (bufr *bufio.Reader, ver byte, err error) {
+	bufr = bufio.NewReader(r)
+	var verBuf []byte
+	if verBuf, err = bufr.Peek(1); err != nil {
+		return
+	}
+	ver = verBuf[0]
+	return
+}
+
+// Read reads a single OpenPGP packet from the given io.Reader. If there is an
+// error parsing a packet, the whole packet is consumed from the input.
+func Read(r io.Reader) (p Packet, err error) {
+	tag, _, contents, err := readHeader(r)
+	if err != nil {
+		return
+	}
+
+	switch tag {
+	case packetTypeEncryptedKey:
+		p = new(EncryptedKey)
+	case packetTypeSignature:
+		var version byte
+		// Detect signature version
+		if contents, version, err = peekVersion(contents); err != nil {
+			return
+		}
+		if version < 4 {
+			p = new(SignatureV3)
+		} else {
+			p = new(Signature)
+		}
+	case packetTypeSymmetricKeyEncrypted:
+		p = new(SymmetricKeyEncrypted)
+	case packetTypeOnePassSignature:
+		p = new(OnePassSignature)
+	case packetTypePrivateKey, packetTypePrivateSubkey:
+		pk := new(PrivateKey)
+		if tag == packetTypePrivateSubkey {
+			pk.IsSubkey = true
+		}
+		p = pk
+	case packetTypePublicKey, packetTypePublicSubkey:
+		var version byte
+		if contents, version, err = peekVersion(contents); err != nil {
+			return
+		}
+		isSubkey := tag == packetTypePublicSubkey
+		if version < 4 {
+			p = &PublicKeyV3{IsSubkey: isSubkey}
+		} else {
+			p = &PublicKey{IsSubkey: isSubkey}
+		}
+	case packetTypeCompressed:
+		p = new(Compressed)
+	case packetTypeSymmetricallyEncrypted:
+		p = new(SymmetricallyEncrypted)
+	case packetTypeLiteralData:
+		p = new(LiteralData)
+	case packetTypeUserId:
+		p = new(UserId)
+	case packetTypeUserAttribute:
+		p = new(UserAttribute)
+	case packetTypeSymmetricallyEncryptedMDC:
+		se := new(SymmetricallyEncrypted)
+		se.MDC = true
+		p = se
+	default:
+		err = errors.UnknownPacketTypeError(tag)
+	}
+	if p != nil {
+		err = p.parse(contents)
+	}
+	if err != nil {
+		consumeAll(contents)
+	}
+	return
+}
+
+// SignatureType represents the different semantic meanings of an OpenPGP
+// signature. See RFC 4880, section 5.2.1.
+type SignatureType uint8
+
+const (
+	SigTypeBinary            SignatureType = 0
+	SigTypeText                            = 1
+	SigTypeGenericCert                     = 0x10
+	SigTypePersonaCert                     = 0x11
+	SigTypeCasualCert                      = 0x12
+	SigTypePositiveCert                    = 0x13
+	SigTypeSubkeyBinding                   = 0x18
+	SigTypePrimaryKeyBinding               = 0x19
+	SigTypeDirectSignature                 = 0x1F
+	SigTypeKeyRevocation                   = 0x20
+	SigTypeSubkeyRevocation                = 0x28
+)
+
+// PublicKeyAlgorithm represents the different public key system specified for
+// OpenPGP. See
+// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-12
+type PublicKeyAlgorithm uint8
+
+const (
+	PubKeyAlgoRSA     PublicKeyAlgorithm = 1
+	PubKeyAlgoElGamal PublicKeyAlgorithm = 16
+	PubKeyAlgoDSA     PublicKeyAlgorithm = 17
+	// RFC 6637, Section 5.
+	PubKeyAlgoECDH  PublicKeyAlgorithm = 18
+	PubKeyAlgoECDSA PublicKeyAlgorithm = 19
+
+	// Deprecated in RFC 4880, Section 13.5. Use key flags instead.
+	PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2
+	PubKeyAlgoRSASignOnly    PublicKeyAlgorithm = 3
+)
+
+// CanEncrypt returns true if it's possible to encrypt a message to a public
+// key of the given type.
+func (pka PublicKeyAlgorithm) CanEncrypt() bool {
+	switch pka {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal:
+		return true
+	}
+	return false
+}
+
+// CanSign returns true if it's possible for a public key of the given type to
+// sign a message.
+func (pka PublicKeyAlgorithm) CanSign() bool {
+	switch pka {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA:
+		return true
+	}
+	return false
+}
+
+// CipherFunction represents the different block ciphers specified for OpenPGP. See
+// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13
+type CipherFunction uint8
+
+const (
+	Cipher3DES   CipherFunction = 2
+	CipherCAST5  CipherFunction = 3
+	CipherAES128 CipherFunction = 7
+	CipherAES192 CipherFunction = 8
+	CipherAES256 CipherFunction = 9
+)
+
+// KeySize returns the key size, in bytes, of cipher.
+func (cipher CipherFunction) KeySize() int {
+	switch cipher {
+	case Cipher3DES:
+		return 24
+	case CipherCAST5:
+		return cast5.KeySize
+	case CipherAES128:
+		return 16
+	case CipherAES192:
+		return 24
+	case CipherAES256:
+		return 32
+	}
+	return 0
+}
+
+// blockSize returns the block size, in bytes, of cipher.
+func (cipher CipherFunction) blockSize() int {
+	switch cipher {
+	case Cipher3DES:
+		return des.BlockSize
+	case CipherCAST5:
+		return 8
+	case CipherAES128, CipherAES192, CipherAES256:
+		return 16
+	}
+	return 0
+}
+
+// new returns a fresh instance of the given cipher.
+func (cipher CipherFunction) new(key []byte) (block cipher.Block) {
+	switch cipher {
+	case Cipher3DES:
+		block, _ = des.NewTripleDESCipher(key)
+	case CipherCAST5:
+		block, _ = cast5.NewCipher(key)
+	case CipherAES128, CipherAES192, CipherAES256:
+		block, _ = aes.NewCipher(key)
+	}
+	return
+}
+
+// readMPI reads a big integer from r. The bit length returned is the bit
+// length that was specified in r. This is preserved so that the integer can be
+// reserialized exactly.
+func readMPI(r io.Reader) (mpi []byte, bitLength uint16, err error) {
+	var buf [2]byte
+	_, err = readFull(r, buf[0:])
+	if err != nil {
+		return
+	}
+	bitLength = uint16(buf[0])<<8 | uint16(buf[1])
+	numBytes := (int(bitLength) + 7) / 8
+	mpi = make([]byte, numBytes)
+	_, err = readFull(r, mpi)
+	// According to RFC 4880 3.2. we should check that the MPI has no leading
+	// zeroes (at least when not an encrypted MPI?), but this implementation
+	// does generate leading zeroes, so we keep accepting them.
+	return
+}
+
+// writeMPI serializes a big integer to w.
+func writeMPI(w io.Writer, bitLength uint16, mpiBytes []byte) (err error) {
+	// Note that we can produce leading zeroes, in violation of RFC 4880 3.2.
+	// Implementations seem to be tolerant of them, and stripping them would
+	// make it complex to guarantee matching re-serialization.
+	_, err = w.Write([]byte{byte(bitLength >> 8), byte(bitLength)})
+	if err == nil {
+		_, err = w.Write(mpiBytes)
+	}
+	return
+}
+
+// writeBig serializes a *big.Int to w.
+func writeBig(w io.Writer, i *big.Int) error {
+	return writeMPI(w, uint16(i.BitLen()), i.Bytes())
+}
+
+// padToKeySize left-pads a MPI with zeroes to match the length of the
+// specified RSA public.
+func padToKeySize(pub *rsa.PublicKey, b []byte) []byte {
+	k := (pub.N.BitLen() + 7) / 8
+	if len(b) >= k {
+		return b
+	}
+	bb := make([]byte, k)
+	copy(bb[len(bb)-len(b):], b)
+	return bb
+}
+
+// CompressionAlgo Represents the different compression algorithms
+// supported by OpenPGP (except for BZIP2, which is not currently
+// supported). See Section 9.3 of RFC 4880.
+type CompressionAlgo uint8
+
+const (
+	CompressionNone CompressionAlgo = 0
+	CompressionZIP  CompressionAlgo = 1
+	CompressionZLIB CompressionAlgo = 2
+)
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
new file mode 100644
index 0000000000..192aac376d
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
@@ -0,0 +1,384 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/cipher"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/sha1"
+	"io"
+	"math/big"
+	"strconv"
+	"time"
+
+	"golang.org/x/crypto/openpgp/elgamal"
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/s2k"
+)
+
+// PrivateKey represents a possibly encrypted private key. See RFC 4880,
+// section 5.5.3.
+type PrivateKey struct {
+	PublicKey
+	Encrypted     bool // if true then the private key is unavailable until Decrypt has been called.
+	encryptedData []byte
+	cipher        CipherFunction
+	s2k           func(out, in []byte)
+	PrivateKey    interface{} // An *{rsa|dsa|ecdsa}.PrivateKey or crypto.Signer/crypto.Decrypter (Decryptor RSA only).
+	sha1Checksum  bool
+	iv            []byte
+}
+
+func NewRSAPrivateKey(creationTime time.Time, priv *rsa.PrivateKey) *PrivateKey {
+	pk := new(PrivateKey)
+	pk.PublicKey = *NewRSAPublicKey(creationTime, &priv.PublicKey)
+	pk.PrivateKey = priv
+	return pk
+}
+
+func NewDSAPrivateKey(creationTime time.Time, priv *dsa.PrivateKey) *PrivateKey {
+	pk := new(PrivateKey)
+	pk.PublicKey = *NewDSAPublicKey(creationTime, &priv.PublicKey)
+	pk.PrivateKey = priv
+	return pk
+}
+
+func NewElGamalPrivateKey(creationTime time.Time, priv *elgamal.PrivateKey) *PrivateKey {
+	pk := new(PrivateKey)
+	pk.PublicKey = *NewElGamalPublicKey(creationTime, &priv.PublicKey)
+	pk.PrivateKey = priv
+	return pk
+}
+
+func NewECDSAPrivateKey(creationTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey {
+	pk := new(PrivateKey)
+	pk.PublicKey = *NewECDSAPublicKey(creationTime, &priv.PublicKey)
+	pk.PrivateKey = priv
+	return pk
+}
+
+// NewSignerPrivateKey creates a PrivateKey from a crypto.Signer that
+// implements RSA or ECDSA.
+func NewSignerPrivateKey(creationTime time.Time, signer crypto.Signer) *PrivateKey {
+	pk := new(PrivateKey)
+	// In general, the public Keys should be used as pointers. We still
+	// type-switch on the values, for backwards-compatibility.
+	switch pubkey := signer.Public().(type) {
+	case *rsa.PublicKey:
+		pk.PublicKey = *NewRSAPublicKey(creationTime, pubkey)
+	case rsa.PublicKey:
+		pk.PublicKey = *NewRSAPublicKey(creationTime, &pubkey)
+	case *ecdsa.PublicKey:
+		pk.PublicKey = *NewECDSAPublicKey(creationTime, pubkey)
+	case ecdsa.PublicKey:
+		pk.PublicKey = *NewECDSAPublicKey(creationTime, &pubkey)
+	default:
+		panic("openpgp: unknown crypto.Signer type in NewSignerPrivateKey")
+	}
+	pk.PrivateKey = signer
+	return pk
+}
+
+func (pk *PrivateKey) parse(r io.Reader) (err error) {
+	err = (&pk.PublicKey).parse(r)
+	if err != nil {
+		return
+	}
+	var buf [1]byte
+	_, err = readFull(r, buf[:])
+	if err != nil {
+		return
+	}
+
+	s2kType := buf[0]
+
+	switch s2kType {
+	case 0:
+		pk.s2k = nil
+		pk.Encrypted = false
+	case 254, 255:
+		_, err = readFull(r, buf[:])
+		if err != nil {
+			return
+		}
+		pk.cipher = CipherFunction(buf[0])
+		pk.Encrypted = true
+		pk.s2k, err = s2k.Parse(r)
+		if err != nil {
+			return
+		}
+		if s2kType == 254 {
+			pk.sha1Checksum = true
+		}
+	default:
+		return errors.UnsupportedError("deprecated s2k function in private key")
+	}
+
+	if pk.Encrypted {
+		blockSize := pk.cipher.blockSize()
+		if blockSize == 0 {
+			return errors.UnsupportedError("unsupported cipher in private key: " + strconv.Itoa(int(pk.cipher)))
+		}
+		pk.iv = make([]byte, blockSize)
+		_, err = readFull(r, pk.iv)
+		if err != nil {
+			return
+		}
+	}
+
+	pk.encryptedData, err = io.ReadAll(r)
+	if err != nil {
+		return
+	}
+
+	if !pk.Encrypted {
+		return pk.parsePrivateKey(pk.encryptedData)
+	}
+
+	return
+}
+
+func mod64kHash(d []byte) uint16 {
+	var h uint16
+	for _, b := range d {
+		h += uint16(b)
+	}
+	return h
+}
+
+func (pk *PrivateKey) Serialize(w io.Writer) (err error) {
+	// TODO(agl): support encrypted private keys
+	buf := bytes.NewBuffer(nil)
+	err = pk.PublicKey.serializeWithoutHeaders(buf)
+	if err != nil {
+		return
+	}
+	buf.WriteByte(0 /* no encryption */)
+
+	privateKeyBuf := bytes.NewBuffer(nil)
+
+	switch priv := pk.PrivateKey.(type) {
+	case *rsa.PrivateKey:
+		err = serializeRSAPrivateKey(privateKeyBuf, priv)
+	case *dsa.PrivateKey:
+		err = serializeDSAPrivateKey(privateKeyBuf, priv)
+	case *elgamal.PrivateKey:
+		err = serializeElGamalPrivateKey(privateKeyBuf, priv)
+	case *ecdsa.PrivateKey:
+		err = serializeECDSAPrivateKey(privateKeyBuf, priv)
+	default:
+		err = errors.InvalidArgumentError("unknown private key type")
+	}
+	if err != nil {
+		return
+	}
+
+	ptype := packetTypePrivateKey
+	contents := buf.Bytes()
+	privateKeyBytes := privateKeyBuf.Bytes()
+	if pk.IsSubkey {
+		ptype = packetTypePrivateSubkey
+	}
+	err = serializeHeader(w, ptype, len(contents)+len(privateKeyBytes)+2)
+	if err != nil {
+		return
+	}
+	_, err = w.Write(contents)
+	if err != nil {
+		return
+	}
+	_, err = w.Write(privateKeyBytes)
+	if err != nil {
+		return
+	}
+
+	checksum := mod64kHash(privateKeyBytes)
+	var checksumBytes [2]byte
+	checksumBytes[0] = byte(checksum >> 8)
+	checksumBytes[1] = byte(checksum)
+	_, err = w.Write(checksumBytes[:])
+
+	return
+}
+
+func serializeRSAPrivateKey(w io.Writer, priv *rsa.PrivateKey) error {
+	err := writeBig(w, priv.D)
+	if err != nil {
+		return err
+	}
+	err = writeBig(w, priv.Primes[1])
+	if err != nil {
+		return err
+	}
+	err = writeBig(w, priv.Primes[0])
+	if err != nil {
+		return err
+	}
+	return writeBig(w, priv.Precomputed.Qinv)
+}
+
+func serializeDSAPrivateKey(w io.Writer, priv *dsa.PrivateKey) error {
+	return writeBig(w, priv.X)
+}
+
+func serializeElGamalPrivateKey(w io.Writer, priv *elgamal.PrivateKey) error {
+	return writeBig(w, priv.X)
+}
+
+func serializeECDSAPrivateKey(w io.Writer, priv *ecdsa.PrivateKey) error {
+	return writeBig(w, priv.D)
+}
+
+// Decrypt decrypts an encrypted private key using a passphrase.
+func (pk *PrivateKey) Decrypt(passphrase []byte) error {
+	if !pk.Encrypted {
+		return nil
+	}
+
+	key := make([]byte, pk.cipher.KeySize())
+	pk.s2k(key, passphrase)
+	block := pk.cipher.new(key)
+	cfb := cipher.NewCFBDecrypter(block, pk.iv)
+
+	data := make([]byte, len(pk.encryptedData))
+	cfb.XORKeyStream(data, pk.encryptedData)
+
+	if pk.sha1Checksum {
+		if len(data) < sha1.Size {
+			return errors.StructuralError("truncated private key data")
+		}
+		h := sha1.New()
+		h.Write(data[:len(data)-sha1.Size])
+		sum := h.Sum(nil)
+		if !bytes.Equal(sum, data[len(data)-sha1.Size:]) {
+			return errors.StructuralError("private key checksum failure")
+		}
+		data = data[:len(data)-sha1.Size]
+	} else {
+		if len(data) < 2 {
+			return errors.StructuralError("truncated private key data")
+		}
+		var sum uint16
+		for i := 0; i < len(data)-2; i++ {
+			sum += uint16(data[i])
+		}
+		if data[len(data)-2] != uint8(sum>>8) ||
+			data[len(data)-1] != uint8(sum) {
+			return errors.StructuralError("private key checksum failure")
+		}
+		data = data[:len(data)-2]
+	}
+
+	return pk.parsePrivateKey(data)
+}
+
+func (pk *PrivateKey) parsePrivateKey(data []byte) (err error) {
+	switch pk.PublicKey.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoRSAEncryptOnly:
+		return pk.parseRSAPrivateKey(data)
+	case PubKeyAlgoDSA:
+		return pk.parseDSAPrivateKey(data)
+	case PubKeyAlgoElGamal:
+		return pk.parseElGamalPrivateKey(data)
+	case PubKeyAlgoECDSA:
+		return pk.parseECDSAPrivateKey(data)
+	}
+	panic("impossible")
+}
+
+func (pk *PrivateKey) parseRSAPrivateKey(data []byte) (err error) {
+	rsaPub := pk.PublicKey.PublicKey.(*rsa.PublicKey)
+	rsaPriv := new(rsa.PrivateKey)
+	rsaPriv.PublicKey = *rsaPub
+
+	buf := bytes.NewBuffer(data)
+	d, _, err := readMPI(buf)
+	if err != nil {
+		return
+	}
+	p, _, err := readMPI(buf)
+	if err != nil {
+		return
+	}
+	q, _, err := readMPI(buf)
+	if err != nil {
+		return
+	}
+
+	rsaPriv.D = new(big.Int).SetBytes(d)
+	rsaPriv.Primes = make([]*big.Int, 2)
+	rsaPriv.Primes[0] = new(big.Int).SetBytes(p)
+	rsaPriv.Primes[1] = new(big.Int).SetBytes(q)
+	if err := rsaPriv.Validate(); err != nil {
+		return err
+	}
+	rsaPriv.Precompute()
+	pk.PrivateKey = rsaPriv
+	pk.Encrypted = false
+	pk.encryptedData = nil
+
+	return nil
+}
+
+func (pk *PrivateKey) parseDSAPrivateKey(data []byte) (err error) {
+	dsaPub := pk.PublicKey.PublicKey.(*dsa.PublicKey)
+	dsaPriv := new(dsa.PrivateKey)
+	dsaPriv.PublicKey = *dsaPub
+
+	buf := bytes.NewBuffer(data)
+	x, _, err := readMPI(buf)
+	if err != nil {
+		return
+	}
+
+	dsaPriv.X = new(big.Int).SetBytes(x)
+	pk.PrivateKey = dsaPriv
+	pk.Encrypted = false
+	pk.encryptedData = nil
+
+	return nil
+}
+
+func (pk *PrivateKey) parseElGamalPrivateKey(data []byte) (err error) {
+	pub := pk.PublicKey.PublicKey.(*elgamal.PublicKey)
+	priv := new(elgamal.PrivateKey)
+	priv.PublicKey = *pub
+
+	buf := bytes.NewBuffer(data)
+	x, _, err := readMPI(buf)
+	if err != nil {
+		return
+	}
+
+	priv.X = new(big.Int).SetBytes(x)
+	pk.PrivateKey = priv
+	pk.Encrypted = false
+	pk.encryptedData = nil
+
+	return nil
+}
+
+func (pk *PrivateKey) parseECDSAPrivateKey(data []byte) (err error) {
+	ecdsaPub := pk.PublicKey.PublicKey.(*ecdsa.PublicKey)
+
+	buf := bytes.NewBuffer(data)
+	d, _, err := readMPI(buf)
+	if err != nil {
+		return
+	}
+
+	pk.PrivateKey = &ecdsa.PrivateKey{
+		PublicKey: *ecdsaPub,
+		D:         new(big.Int).SetBytes(d),
+	}
+	pk.Encrypted = false
+	pk.encryptedData = nil
+
+	return nil
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go
new file mode 100644
index 0000000000..fcd5f52519
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go
@@ -0,0 +1,753 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/sha1"
+	_ "crypto/sha256"
+	_ "crypto/sha512"
+	"encoding/binary"
+	"fmt"
+	"hash"
+	"io"
+	"math/big"
+	"strconv"
+	"time"
+
+	"golang.org/x/crypto/openpgp/elgamal"
+	"golang.org/x/crypto/openpgp/errors"
+)
+
+var (
+	// NIST curve P-256
+	oidCurveP256 []byte = []byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}
+	// NIST curve P-384
+	oidCurveP384 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x22}
+	// NIST curve P-521
+	oidCurveP521 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x23}
+)
+
+const maxOIDLength = 8
+
+// ecdsaKey stores the algorithm-specific fields for ECDSA keys.
+// as defined in RFC 6637, Section 9.
+type ecdsaKey struct {
+	// oid contains the OID byte sequence identifying the elliptic curve used
+	oid []byte
+	// p contains the elliptic curve point that represents the public key
+	p parsedMPI
+}
+
+// parseOID reads the OID for the curve as defined in RFC 6637, Section 9.
+func parseOID(r io.Reader) (oid []byte, err error) {
+	buf := make([]byte, maxOIDLength)
+	if _, err = readFull(r, buf[:1]); err != nil {
+		return
+	}
+	oidLen := buf[0]
+	if int(oidLen) > len(buf) {
+		err = errors.UnsupportedError("invalid oid length: " + strconv.Itoa(int(oidLen)))
+		return
+	}
+	oid = buf[:oidLen]
+	_, err = readFull(r, oid)
+	return
+}
+
+func (f *ecdsaKey) parse(r io.Reader) (err error) {
+	if f.oid, err = parseOID(r); err != nil {
+		return err
+	}
+	f.p.bytes, f.p.bitLength, err = readMPI(r)
+	return
+}
+
+func (f *ecdsaKey) serialize(w io.Writer) (err error) {
+	buf := make([]byte, maxOIDLength+1)
+	buf[0] = byte(len(f.oid))
+	copy(buf[1:], f.oid)
+	if _, err = w.Write(buf[:len(f.oid)+1]); err != nil {
+		return
+	}
+	return writeMPIs(w, f.p)
+}
+
+func (f *ecdsaKey) newECDSA() (*ecdsa.PublicKey, error) {
+	var c elliptic.Curve
+	if bytes.Equal(f.oid, oidCurveP256) {
+		c = elliptic.P256()
+	} else if bytes.Equal(f.oid, oidCurveP384) {
+		c = elliptic.P384()
+	} else if bytes.Equal(f.oid, oidCurveP521) {
+		c = elliptic.P521()
+	} else {
+		return nil, errors.UnsupportedError(fmt.Sprintf("unsupported oid: %x", f.oid))
+	}
+	x, y := elliptic.Unmarshal(c, f.p.bytes)
+	if x == nil {
+		return nil, errors.UnsupportedError("failed to parse EC point")
+	}
+	return &ecdsa.PublicKey{Curve: c, X: x, Y: y}, nil
+}
+
+func (f *ecdsaKey) byteLen() int {
+	return 1 + len(f.oid) + 2 + len(f.p.bytes)
+}
+
+type kdfHashFunction byte
+type kdfAlgorithm byte
+
+// ecdhKdf stores key derivation function parameters
+// used for ECDH encryption. See RFC 6637, Section 9.
+type ecdhKdf struct {
+	KdfHash kdfHashFunction
+	KdfAlgo kdfAlgorithm
+}
+
+func (f *ecdhKdf) parse(r io.Reader) (err error) {
+	buf := make([]byte, 1)
+	if _, err = readFull(r, buf); err != nil {
+		return
+	}
+	kdfLen := int(buf[0])
+	if kdfLen < 3 {
+		return errors.UnsupportedError("Unsupported ECDH KDF length: " + strconv.Itoa(kdfLen))
+	}
+	buf = make([]byte, kdfLen)
+	if _, err = readFull(r, buf); err != nil {
+		return
+	}
+	reserved := int(buf[0])
+	f.KdfHash = kdfHashFunction(buf[1])
+	f.KdfAlgo = kdfAlgorithm(buf[2])
+	if reserved != 0x01 {
+		return errors.UnsupportedError("Unsupported KDF reserved field: " + strconv.Itoa(reserved))
+	}
+	return
+}
+
+func (f *ecdhKdf) serialize(w io.Writer) (err error) {
+	buf := make([]byte, 4)
+	// See RFC 6637, Section 9, Algorithm-Specific Fields for ECDH keys.
+	buf[0] = byte(0x03) // Length of the following fields
+	buf[1] = byte(0x01) // Reserved for future extensions, must be 1 for now
+	buf[2] = byte(f.KdfHash)
+	buf[3] = byte(f.KdfAlgo)
+	_, err = w.Write(buf[:])
+	return
+}
+
+func (f *ecdhKdf) byteLen() int {
+	return 4
+}
+
+// PublicKey represents an OpenPGP public key. See RFC 4880, section 5.5.2.
+type PublicKey struct {
+	CreationTime time.Time
+	PubKeyAlgo   PublicKeyAlgorithm
+	PublicKey    interface{} // *rsa.PublicKey, *dsa.PublicKey or *ecdsa.PublicKey
+	Fingerprint  [20]byte
+	KeyId        uint64
+	IsSubkey     bool
+
+	n, e, p, q, g, y parsedMPI
+
+	// RFC 6637 fields
+	ec   *ecdsaKey
+	ecdh *ecdhKdf
+}
+
+// signingKey provides a convenient abstraction over signature verification
+// for v3 and v4 public keys.
+type signingKey interface {
+	SerializeSignaturePrefix(io.Writer)
+	serializeWithoutHeaders(io.Writer) error
+}
+
+func fromBig(n *big.Int) parsedMPI {
+	return parsedMPI{
+		bytes:     n.Bytes(),
+		bitLength: uint16(n.BitLen()),
+	}
+}
+
+// NewRSAPublicKey returns a PublicKey that wraps the given rsa.PublicKey.
+func NewRSAPublicKey(creationTime time.Time, pub *rsa.PublicKey) *PublicKey {
+	pk := &PublicKey{
+		CreationTime: creationTime,
+		PubKeyAlgo:   PubKeyAlgoRSA,
+		PublicKey:    pub,
+		n:            fromBig(pub.N),
+		e:            fromBig(big.NewInt(int64(pub.E))),
+	}
+
+	pk.setFingerPrintAndKeyId()
+	return pk
+}
+
+// NewDSAPublicKey returns a PublicKey that wraps the given dsa.PublicKey.
+func NewDSAPublicKey(creationTime time.Time, pub *dsa.PublicKey) *PublicKey {
+	pk := &PublicKey{
+		CreationTime: creationTime,
+		PubKeyAlgo:   PubKeyAlgoDSA,
+		PublicKey:    pub,
+		p:            fromBig(pub.P),
+		q:            fromBig(pub.Q),
+		g:            fromBig(pub.G),
+		y:            fromBig(pub.Y),
+	}
+
+	pk.setFingerPrintAndKeyId()
+	return pk
+}
+
+// NewElGamalPublicKey returns a PublicKey that wraps the given elgamal.PublicKey.
+func NewElGamalPublicKey(creationTime time.Time, pub *elgamal.PublicKey) *PublicKey {
+	pk := &PublicKey{
+		CreationTime: creationTime,
+		PubKeyAlgo:   PubKeyAlgoElGamal,
+		PublicKey:    pub,
+		p:            fromBig(pub.P),
+		g:            fromBig(pub.G),
+		y:            fromBig(pub.Y),
+	}
+
+	pk.setFingerPrintAndKeyId()
+	return pk
+}
+
+func NewECDSAPublicKey(creationTime time.Time, pub *ecdsa.PublicKey) *PublicKey {
+	pk := &PublicKey{
+		CreationTime: creationTime,
+		PubKeyAlgo:   PubKeyAlgoECDSA,
+		PublicKey:    pub,
+		ec:           new(ecdsaKey),
+	}
+
+	switch pub.Curve {
+	case elliptic.P256():
+		pk.ec.oid = oidCurveP256
+	case elliptic.P384():
+		pk.ec.oid = oidCurveP384
+	case elliptic.P521():
+		pk.ec.oid = oidCurveP521
+	default:
+		panic("unknown elliptic curve")
+	}
+
+	pk.ec.p.bytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
+
+	// The bit length is 3 (for the 0x04 specifying an uncompressed key)
+	// plus two field elements (for x and y), which are rounded up to the
+	// nearest byte. See https://tools.ietf.org/html/rfc6637#section-6
+	fieldBytes := (pub.Curve.Params().BitSize + 7) & ^7
+	pk.ec.p.bitLength = uint16(3 + fieldBytes + fieldBytes)
+
+	pk.setFingerPrintAndKeyId()
+	return pk
+}
+
+func (pk *PublicKey) parse(r io.Reader) (err error) {
+	// RFC 4880, section 5.5.2
+	var buf [6]byte
+	_, err = readFull(r, buf[:])
+	if err != nil {
+		return
+	}
+	if buf[0] != 4 {
+		return errors.UnsupportedError("public key version")
+	}
+	pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0)
+	pk.PubKeyAlgo = PublicKeyAlgorithm(buf[5])
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		err = pk.parseRSA(r)
+	case PubKeyAlgoDSA:
+		err = pk.parseDSA(r)
+	case PubKeyAlgoElGamal:
+		err = pk.parseElGamal(r)
+	case PubKeyAlgoECDSA:
+		pk.ec = new(ecdsaKey)
+		if err = pk.ec.parse(r); err != nil {
+			return err
+		}
+		pk.PublicKey, err = pk.ec.newECDSA()
+	case PubKeyAlgoECDH:
+		pk.ec = new(ecdsaKey)
+		if err = pk.ec.parse(r); err != nil {
+			return
+		}
+		pk.ecdh = new(ecdhKdf)
+		if err = pk.ecdh.parse(r); err != nil {
+			return
+		}
+		// The ECDH key is stored in an ecdsa.PublicKey for convenience.
+		pk.PublicKey, err = pk.ec.newECDSA()
+	default:
+		err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo)))
+	}
+	if err != nil {
+		return
+	}
+
+	pk.setFingerPrintAndKeyId()
+	return
+}
+
+func (pk *PublicKey) setFingerPrintAndKeyId() {
+	// RFC 4880, section 12.2
+	fingerPrint := sha1.New()
+	pk.SerializeSignaturePrefix(fingerPrint)
+	pk.serializeWithoutHeaders(fingerPrint)
+	copy(pk.Fingerprint[:], fingerPrint.Sum(nil))
+	pk.KeyId = binary.BigEndian.Uint64(pk.Fingerprint[12:20])
+}
+
+// parseRSA parses RSA public key material from the given Reader. See RFC 4880,
+// section 5.5.2.
+func (pk *PublicKey) parseRSA(r io.Reader) (err error) {
+	pk.n.bytes, pk.n.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+	pk.e.bytes, pk.e.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+
+	if len(pk.e.bytes) > 3 {
+		err = errors.UnsupportedError("large public exponent")
+		return
+	}
+	rsa := &rsa.PublicKey{
+		N: new(big.Int).SetBytes(pk.n.bytes),
+		E: 0,
+	}
+	for i := 0; i < len(pk.e.bytes); i++ {
+		rsa.E <<= 8
+		rsa.E |= int(pk.e.bytes[i])
+	}
+	pk.PublicKey = rsa
+	return
+}
+
+// parseDSA parses DSA public key material from the given Reader. See RFC 4880,
+// section 5.5.2.
+func (pk *PublicKey) parseDSA(r io.Reader) (err error) {
+	pk.p.bytes, pk.p.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+	pk.q.bytes, pk.q.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+	pk.g.bytes, pk.g.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+	pk.y.bytes, pk.y.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+
+	dsa := new(dsa.PublicKey)
+	dsa.P = new(big.Int).SetBytes(pk.p.bytes)
+	dsa.Q = new(big.Int).SetBytes(pk.q.bytes)
+	dsa.G = new(big.Int).SetBytes(pk.g.bytes)
+	dsa.Y = new(big.Int).SetBytes(pk.y.bytes)
+	pk.PublicKey = dsa
+	return
+}
+
+// parseElGamal parses ElGamal public key material from the given Reader. See
+// RFC 4880, section 5.5.2.
+func (pk *PublicKey) parseElGamal(r io.Reader) (err error) {
+	pk.p.bytes, pk.p.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+	pk.g.bytes, pk.g.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+	pk.y.bytes, pk.y.bitLength, err = readMPI(r)
+	if err != nil {
+		return
+	}
+
+	elgamal := new(elgamal.PublicKey)
+	elgamal.P = new(big.Int).SetBytes(pk.p.bytes)
+	elgamal.G = new(big.Int).SetBytes(pk.g.bytes)
+	elgamal.Y = new(big.Int).SetBytes(pk.y.bytes)
+	pk.PublicKey = elgamal
+	return
+}
+
+// SerializeSignaturePrefix writes the prefix for this public key to the given Writer.
+// The prefix is used when calculating a signature over this public key. See
+// RFC 4880, section 5.2.4.
+func (pk *PublicKey) SerializeSignaturePrefix(h io.Writer) {
+	var pLength uint16
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		pLength += 2 + uint16(len(pk.n.bytes))
+		pLength += 2 + uint16(len(pk.e.bytes))
+	case PubKeyAlgoDSA:
+		pLength += 2 + uint16(len(pk.p.bytes))
+		pLength += 2 + uint16(len(pk.q.bytes))
+		pLength += 2 + uint16(len(pk.g.bytes))
+		pLength += 2 + uint16(len(pk.y.bytes))
+	case PubKeyAlgoElGamal:
+		pLength += 2 + uint16(len(pk.p.bytes))
+		pLength += 2 + uint16(len(pk.g.bytes))
+		pLength += 2 + uint16(len(pk.y.bytes))
+	case PubKeyAlgoECDSA:
+		pLength += uint16(pk.ec.byteLen())
+	case PubKeyAlgoECDH:
+		pLength += uint16(pk.ec.byteLen())
+		pLength += uint16(pk.ecdh.byteLen())
+	default:
+		panic("unknown public key algorithm")
+	}
+	pLength += 6
+	h.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)})
+	return
+}
+
+func (pk *PublicKey) Serialize(w io.Writer) (err error) {
+	length := 6 // 6 byte header
+
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		length += 2 + len(pk.n.bytes)
+		length += 2 + len(pk.e.bytes)
+	case PubKeyAlgoDSA:
+		length += 2 + len(pk.p.bytes)
+		length += 2 + len(pk.q.bytes)
+		length += 2 + len(pk.g.bytes)
+		length += 2 + len(pk.y.bytes)
+	case PubKeyAlgoElGamal:
+		length += 2 + len(pk.p.bytes)
+		length += 2 + len(pk.g.bytes)
+		length += 2 + len(pk.y.bytes)
+	case PubKeyAlgoECDSA:
+		length += pk.ec.byteLen()
+	case PubKeyAlgoECDH:
+		length += pk.ec.byteLen()
+		length += pk.ecdh.byteLen()
+	default:
+		panic("unknown public key algorithm")
+	}
+
+	packetType := packetTypePublicKey
+	if pk.IsSubkey {
+		packetType = packetTypePublicSubkey
+	}
+	err = serializeHeader(w, packetType, length)
+	if err != nil {
+		return
+	}
+	return pk.serializeWithoutHeaders(w)
+}
+
+// serializeWithoutHeaders marshals the PublicKey to w in the form of an
+// OpenPGP public key packet, not including the packet header.
+func (pk *PublicKey) serializeWithoutHeaders(w io.Writer) (err error) {
+	var buf [6]byte
+	buf[0] = 4
+	t := uint32(pk.CreationTime.Unix())
+	buf[1] = byte(t >> 24)
+	buf[2] = byte(t >> 16)
+	buf[3] = byte(t >> 8)
+	buf[4] = byte(t)
+	buf[5] = byte(pk.PubKeyAlgo)
+
+	_, err = w.Write(buf[:])
+	if err != nil {
+		return
+	}
+
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		return writeMPIs(w, pk.n, pk.e)
+	case PubKeyAlgoDSA:
+		return writeMPIs(w, pk.p, pk.q, pk.g, pk.y)
+	case PubKeyAlgoElGamal:
+		return writeMPIs(w, pk.p, pk.g, pk.y)
+	case PubKeyAlgoECDSA:
+		return pk.ec.serialize(w)
+	case PubKeyAlgoECDH:
+		if err = pk.ec.serialize(w); err != nil {
+			return
+		}
+		return pk.ecdh.serialize(w)
+	}
+	return errors.InvalidArgumentError("bad public-key algorithm")
+}
+
+// CanSign returns true iff this public key can generate signatures
+func (pk *PublicKey) CanSign() bool {
+	return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly && pk.PubKeyAlgo != PubKeyAlgoElGamal
+}
+
+// VerifySignature returns nil iff sig is a valid signature, made by this
+// public key, of the data hashed into signed. signed is mutated by this call.
+func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err error) {
+	if !pk.CanSign() {
+		return errors.InvalidArgumentError("public key cannot generate signatures")
+	}
+
+	signed.Write(sig.HashSuffix)
+	hashBytes := signed.Sum(nil)
+
+	if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
+		return errors.SignatureError("hash tag doesn't match")
+	}
+
+	if pk.PubKeyAlgo != sig.PubKeyAlgo {
+		return errors.InvalidArgumentError("public key and signature use different algorithms")
+	}
+
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		rsaPublicKey, _ := pk.PublicKey.(*rsa.PublicKey)
+		err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, padToKeySize(rsaPublicKey, sig.RSASignature.bytes))
+		if err != nil {
+			return errors.SignatureError("RSA verification failure")
+		}
+		return nil
+	case PubKeyAlgoDSA:
+		dsaPublicKey, _ := pk.PublicKey.(*dsa.PublicKey)
+		// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
+		subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8
+		if len(hashBytes) > subgroupSize {
+			hashBytes = hashBytes[:subgroupSize]
+		}
+		if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) {
+			return errors.SignatureError("DSA verification failure")
+		}
+		return nil
+	case PubKeyAlgoECDSA:
+		ecdsaPublicKey := pk.PublicKey.(*ecdsa.PublicKey)
+		if !ecdsa.Verify(ecdsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.ECDSASigR.bytes), new(big.Int).SetBytes(sig.ECDSASigS.bytes)) {
+			return errors.SignatureError("ECDSA verification failure")
+		}
+		return nil
+	default:
+		return errors.SignatureError("Unsupported public key algorithm used in signature")
+	}
+}
+
+// VerifySignatureV3 returns nil iff sig is a valid signature, made by this
+// public key, of the data hashed into signed. signed is mutated by this call.
+func (pk *PublicKey) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) {
+	if !pk.CanSign() {
+		return errors.InvalidArgumentError("public key cannot generate signatures")
+	}
+
+	suffix := make([]byte, 5)
+	suffix[0] = byte(sig.SigType)
+	binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix()))
+	signed.Write(suffix)
+	hashBytes := signed.Sum(nil)
+
+	if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
+		return errors.SignatureError("hash tag doesn't match")
+	}
+
+	if pk.PubKeyAlgo != sig.PubKeyAlgo {
+		return errors.InvalidArgumentError("public key and signature use different algorithms")
+	}
+
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		rsaPublicKey := pk.PublicKey.(*rsa.PublicKey)
+		if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, padToKeySize(rsaPublicKey, sig.RSASignature.bytes)); err != nil {
+			return errors.SignatureError("RSA verification failure")
+		}
+		return
+	case PubKeyAlgoDSA:
+		dsaPublicKey := pk.PublicKey.(*dsa.PublicKey)
+		// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
+		subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8
+		if len(hashBytes) > subgroupSize {
+			hashBytes = hashBytes[:subgroupSize]
+		}
+		if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) {
+			return errors.SignatureError("DSA verification failure")
+		}
+		return nil
+	default:
+		panic("shouldn't happen")
+	}
+}
+
+// keySignatureHash returns a Hash of the message that needs to be signed for
+// pk to assert a subkey relationship to signed.
+func keySignatureHash(pk, signed signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
+	if !hashFunc.Available() {
+		return nil, errors.UnsupportedError("hash function")
+	}
+	h = hashFunc.New()
+
+	// RFC 4880, section 5.2.4
+	pk.SerializeSignaturePrefix(h)
+	pk.serializeWithoutHeaders(h)
+	signed.SerializeSignaturePrefix(h)
+	signed.serializeWithoutHeaders(h)
+	return
+}
+
+// VerifyKeySignature returns nil iff sig is a valid signature, made by this
+// public key, of signed.
+func (pk *PublicKey) VerifyKeySignature(signed *PublicKey, sig *Signature) error {
+	h, err := keySignatureHash(pk, signed, sig.Hash)
+	if err != nil {
+		return err
+	}
+	if err = pk.VerifySignature(h, sig); err != nil {
+		return err
+	}
+
+	if sig.FlagSign {
+		// Signing subkeys must be cross-signed. See
+		// https://www.gnupg.org/faq/subkey-cross-certify.html.
+		if sig.EmbeddedSignature == nil {
+			return errors.StructuralError("signing subkey is missing cross-signature")
+		}
+		// Verify the cross-signature. This is calculated over the same
+		// data as the main signature, so we cannot just recursively
+		// call signed.VerifyKeySignature(...)
+		if h, err = keySignatureHash(pk, signed, sig.EmbeddedSignature.Hash); err != nil {
+			return errors.StructuralError("error while hashing for cross-signature: " + err.Error())
+		}
+		if err := signed.VerifySignature(h, sig.EmbeddedSignature); err != nil {
+			return errors.StructuralError("error while verifying cross-signature: " + err.Error())
+		}
+	}
+
+	return nil
+}
+
+func keyRevocationHash(pk signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
+	if !hashFunc.Available() {
+		return nil, errors.UnsupportedError("hash function")
+	}
+	h = hashFunc.New()
+
+	// RFC 4880, section 5.2.4
+	pk.SerializeSignaturePrefix(h)
+	pk.serializeWithoutHeaders(h)
+
+	return
+}
+
+// VerifyRevocationSignature returns nil iff sig is a valid signature, made by this
+// public key.
+func (pk *PublicKey) VerifyRevocationSignature(sig *Signature) (err error) {
+	h, err := keyRevocationHash(pk, sig.Hash)
+	if err != nil {
+		return err
+	}
+	return pk.VerifySignature(h, sig)
+}
+
+// userIdSignatureHash returns a Hash of the message that needs to be signed
+// to assert that pk is a valid key for id.
+func userIdSignatureHash(id string, pk *PublicKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
+	if !hashFunc.Available() {
+		return nil, errors.UnsupportedError("hash function")
+	}
+	h = hashFunc.New()
+
+	// RFC 4880, section 5.2.4
+	pk.SerializeSignaturePrefix(h)
+	pk.serializeWithoutHeaders(h)
+
+	var buf [5]byte
+	buf[0] = 0xb4
+	buf[1] = byte(len(id) >> 24)
+	buf[2] = byte(len(id) >> 16)
+	buf[3] = byte(len(id) >> 8)
+	buf[4] = byte(len(id))
+	h.Write(buf[:])
+	h.Write([]byte(id))
+
+	return
+}
+
+// VerifyUserIdSignature returns nil iff sig is a valid signature, made by this
+// public key, that id is the identity of pub.
+func (pk *PublicKey) VerifyUserIdSignature(id string, pub *PublicKey, sig *Signature) (err error) {
+	h, err := userIdSignatureHash(id, pub, sig.Hash)
+	if err != nil {
+		return err
+	}
+	return pk.VerifySignature(h, sig)
+}
+
+// VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this
+// public key, that id is the identity of pub.
+func (pk *PublicKey) VerifyUserIdSignatureV3(id string, pub *PublicKey, sig *SignatureV3) (err error) {
+	h, err := userIdSignatureV3Hash(id, pub, sig.Hash)
+	if err != nil {
+		return err
+	}
+	return pk.VerifySignatureV3(h, sig)
+}
+
+// KeyIdString returns the public key's fingerprint in capital hex
+// (e.g. "6C7EE1B8621CC013").
+func (pk *PublicKey) KeyIdString() string {
+	return fmt.Sprintf("%X", pk.Fingerprint[12:20])
+}
+
+// KeyIdShortString returns the short form of public key's fingerprint
+// in capital hex, as shown by gpg --list-keys (e.g. "621CC013").
+func (pk *PublicKey) KeyIdShortString() string {
+	return fmt.Sprintf("%X", pk.Fingerprint[16:20])
+}
+
+// A parsedMPI is used to store the contents of a big integer, along with the
+// bit length that was specified in the original input. This allows the MPI to
+// be reserialized exactly.
+type parsedMPI struct {
+	bytes     []byte
+	bitLength uint16
+}
+
+// writeMPIs is a utility function for serializing several big integers to the
+// given Writer.
+func writeMPIs(w io.Writer, mpis ...parsedMPI) (err error) {
+	for _, mpi := range mpis {
+		err = writeMPI(w, mpi.bitLength, mpi.bytes)
+		if err != nil {
+			return
+		}
+	}
+	return
+}
+
+// BitLength returns the bit length for the given public key.
+func (pk *PublicKey) BitLength() (bitLength uint16, err error) {
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		bitLength = pk.n.bitLength
+	case PubKeyAlgoDSA:
+		bitLength = pk.p.bitLength
+	case PubKeyAlgoElGamal:
+		bitLength = pk.p.bitLength
+	default:
+		err = errors.InvalidArgumentError("bad public-key algorithm")
+	}
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go
new file mode 100644
index 0000000000..5daf7b6cfd
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go
@@ -0,0 +1,279 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"crypto"
+	"crypto/md5"
+	"crypto/rsa"
+	"encoding/binary"
+	"fmt"
+	"hash"
+	"io"
+	"math/big"
+	"strconv"
+	"time"
+
+	"golang.org/x/crypto/openpgp/errors"
+)
+
+// PublicKeyV3 represents older, version 3 public keys. These keys are less secure and
+// should not be used for signing or encrypting. They are supported here only for
+// parsing version 3 key material and validating signatures.
+// See RFC 4880, section 5.5.2.
+type PublicKeyV3 struct {
+	CreationTime time.Time
+	DaysToExpire uint16
+	PubKeyAlgo   PublicKeyAlgorithm
+	PublicKey    *rsa.PublicKey
+	Fingerprint  [16]byte
+	KeyId        uint64
+	IsSubkey     bool
+
+	n, e parsedMPI
+}
+
+// newRSAPublicKeyV3 returns a PublicKey that wraps the given rsa.PublicKey.
+// Included here for testing purposes only. RFC 4880, section 5.5.2:
+// "an implementation MUST NOT generate a V3 key, but MAY accept it."
+func newRSAPublicKeyV3(creationTime time.Time, pub *rsa.PublicKey) *PublicKeyV3 {
+	pk := &PublicKeyV3{
+		CreationTime: creationTime,
+		PublicKey:    pub,
+		n:            fromBig(pub.N),
+		e:            fromBig(big.NewInt(int64(pub.E))),
+	}
+
+	pk.setFingerPrintAndKeyId()
+	return pk
+}
+
+func (pk *PublicKeyV3) parse(r io.Reader) (err error) {
+	// RFC 4880, section 5.5.2
+	var buf [8]byte
+	if _, err = readFull(r, buf[:]); err != nil {
+		return
+	}
+	if buf[0] < 2 || buf[0] > 3 {
+		return errors.UnsupportedError("public key version")
+	}
+	pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0)
+	pk.DaysToExpire = binary.BigEndian.Uint16(buf[5:7])
+	pk.PubKeyAlgo = PublicKeyAlgorithm(buf[7])
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		err = pk.parseRSA(r)
+	default:
+		err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo)))
+	}
+	if err != nil {
+		return
+	}
+
+	pk.setFingerPrintAndKeyId()
+	return
+}
+
+func (pk *PublicKeyV3) setFingerPrintAndKeyId() {
+	// RFC 4880, section 12.2
+	fingerPrint := md5.New()
+	fingerPrint.Write(pk.n.bytes)
+	fingerPrint.Write(pk.e.bytes)
+	fingerPrint.Sum(pk.Fingerprint[:0])
+	pk.KeyId = binary.BigEndian.Uint64(pk.n.bytes[len(pk.n.bytes)-8:])
+}
+
+// parseRSA parses RSA public key material from the given Reader. See RFC 4880,
+// section 5.5.2.
+func (pk *PublicKeyV3) parseRSA(r io.Reader) (err error) {
+	if pk.n.bytes, pk.n.bitLength, err = readMPI(r); err != nil {
+		return
+	}
+	if pk.e.bytes, pk.e.bitLength, err = readMPI(r); err != nil {
+		return
+	}
+
+	// RFC 4880 Section 12.2 requires the low 8 bytes of the
+	// modulus to form the key id.
+	if len(pk.n.bytes) < 8 {
+		return errors.StructuralError("v3 public key modulus is too short")
+	}
+	if len(pk.e.bytes) > 3 {
+		err = errors.UnsupportedError("large public exponent")
+		return
+	}
+	rsa := &rsa.PublicKey{N: new(big.Int).SetBytes(pk.n.bytes)}
+	for i := 0; i < len(pk.e.bytes); i++ {
+		rsa.E <<= 8
+		rsa.E |= int(pk.e.bytes[i])
+	}
+	pk.PublicKey = rsa
+	return
+}
+
+// SerializeSignaturePrefix writes the prefix for this public key to the given Writer.
+// The prefix is used when calculating a signature over this public key. See
+// RFC 4880, section 5.2.4.
+func (pk *PublicKeyV3) SerializeSignaturePrefix(w io.Writer) {
+	var pLength uint16
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		pLength += 2 + uint16(len(pk.n.bytes))
+		pLength += 2 + uint16(len(pk.e.bytes))
+	default:
+		panic("unknown public key algorithm")
+	}
+	pLength += 6
+	w.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)})
+	return
+}
+
+func (pk *PublicKeyV3) Serialize(w io.Writer) (err error) {
+	length := 8 // 8 byte header
+
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		length += 2 + len(pk.n.bytes)
+		length += 2 + len(pk.e.bytes)
+	default:
+		panic("unknown public key algorithm")
+	}
+
+	packetType := packetTypePublicKey
+	if pk.IsSubkey {
+		packetType = packetTypePublicSubkey
+	}
+	if err = serializeHeader(w, packetType, length); err != nil {
+		return
+	}
+	return pk.serializeWithoutHeaders(w)
+}
+
+// serializeWithoutHeaders marshals the PublicKey to w in the form of an
+// OpenPGP public key packet, not including the packet header.
+func (pk *PublicKeyV3) serializeWithoutHeaders(w io.Writer) (err error) {
+	var buf [8]byte
+	// Version 3
+	buf[0] = 3
+	// Creation time
+	t := uint32(pk.CreationTime.Unix())
+	buf[1] = byte(t >> 24)
+	buf[2] = byte(t >> 16)
+	buf[3] = byte(t >> 8)
+	buf[4] = byte(t)
+	// Days to expire
+	buf[5] = byte(pk.DaysToExpire >> 8)
+	buf[6] = byte(pk.DaysToExpire)
+	// Public key algorithm
+	buf[7] = byte(pk.PubKeyAlgo)
+
+	if _, err = w.Write(buf[:]); err != nil {
+		return
+	}
+
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		return writeMPIs(w, pk.n, pk.e)
+	}
+	return errors.InvalidArgumentError("bad public-key algorithm")
+}
+
+// CanSign returns true iff this public key can generate signatures
+func (pk *PublicKeyV3) CanSign() bool {
+	return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly
+}
+
+// VerifySignatureV3 returns nil iff sig is a valid signature, made by this
+// public key, of the data hashed into signed. signed is mutated by this call.
+func (pk *PublicKeyV3) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) {
+	if !pk.CanSign() {
+		return errors.InvalidArgumentError("public key cannot generate signatures")
+	}
+
+	suffix := make([]byte, 5)
+	suffix[0] = byte(sig.SigType)
+	binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix()))
+	signed.Write(suffix)
+	hashBytes := signed.Sum(nil)
+
+	if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
+		return errors.SignatureError("hash tag doesn't match")
+	}
+
+	if pk.PubKeyAlgo != sig.PubKeyAlgo {
+		return errors.InvalidArgumentError("public key and signature use different algorithms")
+	}
+
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		if err = rsa.VerifyPKCS1v15(pk.PublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil {
+			return errors.SignatureError("RSA verification failure")
+		}
+		return
+	default:
+		// V3 public keys only support RSA.
+		panic("shouldn't happen")
+	}
+}
+
+// VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this
+// public key, that id is the identity of pub.
+func (pk *PublicKeyV3) VerifyUserIdSignatureV3(id string, pub *PublicKeyV3, sig *SignatureV3) (err error) {
+	h, err := userIdSignatureV3Hash(id, pk, sig.Hash)
+	if err != nil {
+		return err
+	}
+	return pk.VerifySignatureV3(h, sig)
+}
+
+// VerifyKeySignatureV3 returns nil iff sig is a valid signature, made by this
+// public key, of signed.
+func (pk *PublicKeyV3) VerifyKeySignatureV3(signed *PublicKeyV3, sig *SignatureV3) (err error) {
+	h, err := keySignatureHash(pk, signed, sig.Hash)
+	if err != nil {
+		return err
+	}
+	return pk.VerifySignatureV3(h, sig)
+}
+
+// userIdSignatureV3Hash returns a Hash of the message that needs to be signed
+// to assert that pk is a valid key for id.
+func userIdSignatureV3Hash(id string, pk signingKey, hfn crypto.Hash) (h hash.Hash, err error) {
+	if !hfn.Available() {
+		return nil, errors.UnsupportedError("hash function")
+	}
+	h = hfn.New()
+
+	// RFC 4880, section 5.2.4
+	pk.SerializeSignaturePrefix(h)
+	pk.serializeWithoutHeaders(h)
+
+	h.Write([]byte(id))
+
+	return
+}
+
+// KeyIdString returns the public key's fingerprint in capital hex
+// (e.g. "6C7EE1B8621CC013").
+func (pk *PublicKeyV3) KeyIdString() string {
+	return fmt.Sprintf("%X", pk.KeyId)
+}
+
+// KeyIdShortString returns the short form of public key's fingerprint
+// in capital hex, as shown by gpg --list-keys (e.g. "621CC013").
+func (pk *PublicKeyV3) KeyIdShortString() string {
+	return fmt.Sprintf("%X", pk.KeyId&0xFFFFFFFF)
+}
+
+// BitLength returns the bit length for the given public key.
+func (pk *PublicKeyV3) BitLength() (bitLength uint16, err error) {
+	switch pk.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
+		bitLength = pk.n.bitLength
+	default:
+		err = errors.InvalidArgumentError("bad public-key algorithm")
+	}
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/reader.go b/vendor/golang.org/x/crypto/openpgp/packet/reader.go
new file mode 100644
index 0000000000..34bc7c613e
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/reader.go
@@ -0,0 +1,76 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"golang.org/x/crypto/openpgp/errors"
+	"io"
+)
+
+// Reader reads packets from an io.Reader and allows packets to be 'unread' so
+// that they result from the next call to Next.
+type Reader struct {
+	q       []Packet
+	readers []io.Reader
+}
+
+// New io.Readers are pushed when a compressed or encrypted packet is processed
+// and recursively treated as a new source of packets. However, a carefully
+// crafted packet can trigger an infinite recursive sequence of packets. See
+// http://mumble.net/~campbell/misc/pgp-quine
+// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4402
+// This constant limits the number of recursive packets that may be pushed.
+const maxReaders = 32
+
+// Next returns the most recently unread Packet, or reads another packet from
+// the top-most io.Reader. Unknown packet types are skipped.
+func (r *Reader) Next() (p Packet, err error) {
+	if len(r.q) > 0 {
+		p = r.q[len(r.q)-1]
+		r.q = r.q[:len(r.q)-1]
+		return
+	}
+
+	for len(r.readers) > 0 {
+		p, err = Read(r.readers[len(r.readers)-1])
+		if err == nil {
+			return
+		}
+		if err == io.EOF {
+			r.readers = r.readers[:len(r.readers)-1]
+			continue
+		}
+		if _, ok := err.(errors.UnknownPacketTypeError); !ok {
+			return nil, err
+		}
+	}
+
+	return nil, io.EOF
+}
+
+// Push causes the Reader to start reading from a new io.Reader. When an EOF
+// error is seen from the new io.Reader, it is popped and the Reader continues
+// to read from the next most recent io.Reader. Push returns a StructuralError
+// if pushing the reader would exceed the maximum recursion level, otherwise it
+// returns nil.
+func (r *Reader) Push(reader io.Reader) (err error) {
+	if len(r.readers) >= maxReaders {
+		return errors.StructuralError("too many layers of packets")
+	}
+	r.readers = append(r.readers, reader)
+	return nil
+}
+
+// Unread causes the given Packet to be returned from the next call to Next.
+func (r *Reader) Unread(p Packet) {
+	r.q = append(r.q, p)
+}
+
+func NewReader(r io.Reader) *Reader {
+	return &Reader{
+		q:       nil,
+		readers: []io.Reader{r},
+	}
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature.go b/vendor/golang.org/x/crypto/openpgp/packet/signature.go
new file mode 100644
index 0000000000..b2a24a5323
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/signature.go
@@ -0,0 +1,731 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"encoding/asn1"
+	"encoding/binary"
+	"hash"
+	"io"
+	"math/big"
+	"strconv"
+	"time"
+
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/s2k"
+)
+
+const (
+	// See RFC 4880, section 5.2.3.21 for details.
+	KeyFlagCertify = 1 << iota
+	KeyFlagSign
+	KeyFlagEncryptCommunications
+	KeyFlagEncryptStorage
+)
+
+// Signature represents a signature. See RFC 4880, section 5.2.
+type Signature struct {
+	SigType    SignatureType
+	PubKeyAlgo PublicKeyAlgorithm
+	Hash       crypto.Hash
+
+	// HashSuffix is extra data that is hashed in after the signed data.
+	HashSuffix []byte
+	// HashTag contains the first two bytes of the hash for fast rejection
+	// of bad signed data.
+	HashTag      [2]byte
+	CreationTime time.Time
+
+	RSASignature         parsedMPI
+	DSASigR, DSASigS     parsedMPI
+	ECDSASigR, ECDSASigS parsedMPI
+
+	// rawSubpackets contains the unparsed subpackets, in order.
+	rawSubpackets []outputSubpacket
+
+	// The following are optional so are nil when not included in the
+	// signature.
+
+	SigLifetimeSecs, KeyLifetimeSecs                        *uint32
+	PreferredSymmetric, PreferredHash, PreferredCompression []uint8
+	IssuerKeyId                                             *uint64
+	IsPrimaryId                                             *bool
+
+	// FlagsValid is set if any flags were given. See RFC 4880, section
+	// 5.2.3.21 for details.
+	FlagsValid                                                           bool
+	FlagCertify, FlagSign, FlagEncryptCommunications, FlagEncryptStorage bool
+
+	// RevocationReason is set if this signature has been revoked.
+	// See RFC 4880, section 5.2.3.23 for details.
+	RevocationReason     *uint8
+	RevocationReasonText string
+
+	// MDC is set if this signature has a feature packet that indicates
+	// support for MDC subpackets.
+	MDC bool
+
+	// EmbeddedSignature, if non-nil, is a signature of the parent key, by
+	// this key. This prevents an attacker from claiming another's signing
+	// subkey as their own.
+	EmbeddedSignature *Signature
+
+	outSubpackets []outputSubpacket
+}
+
+func (sig *Signature) parse(r io.Reader) (err error) {
+	// RFC 4880, section 5.2.3
+	var buf [5]byte
+	_, err = readFull(r, buf[:1])
+	if err != nil {
+		return
+	}
+	if buf[0] != 4 {
+		err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0])))
+		return
+	}
+
+	_, err = readFull(r, buf[:5])
+	if err != nil {
+		return
+	}
+	sig.SigType = SignatureType(buf[0])
+	sig.PubKeyAlgo = PublicKeyAlgorithm(buf[1])
+	switch sig.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA:
+	default:
+		err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo)))
+		return
+	}
+
+	var ok bool
+	sig.Hash, ok = s2k.HashIdToHash(buf[2])
+	if !ok {
+		return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2])))
+	}
+
+	hashedSubpacketsLength := int(buf[3])<<8 | int(buf[4])
+	l := 6 + hashedSubpacketsLength
+	sig.HashSuffix = make([]byte, l+6)
+	sig.HashSuffix[0] = 4
+	copy(sig.HashSuffix[1:], buf[:5])
+	hashedSubpackets := sig.HashSuffix[6:l]
+	_, err = readFull(r, hashedSubpackets)
+	if err != nil {
+		return
+	}
+	// See RFC 4880, section 5.2.4
+	trailer := sig.HashSuffix[l:]
+	trailer[0] = 4
+	trailer[1] = 0xff
+	trailer[2] = uint8(l >> 24)
+	trailer[3] = uint8(l >> 16)
+	trailer[4] = uint8(l >> 8)
+	trailer[5] = uint8(l)
+
+	err = parseSignatureSubpackets(sig, hashedSubpackets, true)
+	if err != nil {
+		return
+	}
+
+	_, err = readFull(r, buf[:2])
+	if err != nil {
+		return
+	}
+	unhashedSubpacketsLength := int(buf[0])<<8 | int(buf[1])
+	unhashedSubpackets := make([]byte, unhashedSubpacketsLength)
+	_, err = readFull(r, unhashedSubpackets)
+	if err != nil {
+		return
+	}
+	err = parseSignatureSubpackets(sig, unhashedSubpackets, false)
+	if err != nil {
+		return
+	}
+
+	_, err = readFull(r, sig.HashTag[:2])
+	if err != nil {
+		return
+	}
+
+	switch sig.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r)
+	case PubKeyAlgoDSA:
+		sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r)
+		if err == nil {
+			sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r)
+		}
+	case PubKeyAlgoECDSA:
+		sig.ECDSASigR.bytes, sig.ECDSASigR.bitLength, err = readMPI(r)
+		if err == nil {
+			sig.ECDSASigS.bytes, sig.ECDSASigS.bitLength, err = readMPI(r)
+		}
+	default:
+		panic("unreachable")
+	}
+	return
+}
+
+// parseSignatureSubpackets parses subpackets of the main signature packet. See
+// RFC 4880, section 5.2.3.1.
+func parseSignatureSubpackets(sig *Signature, subpackets []byte, isHashed bool) (err error) {
+	for len(subpackets) > 0 {
+		subpackets, err = parseSignatureSubpacket(sig, subpackets, isHashed)
+		if err != nil {
+			return
+		}
+	}
+
+	if sig.CreationTime.IsZero() {
+		err = errors.StructuralError("no creation time in signature")
+	}
+
+	return
+}
+
+type signatureSubpacketType uint8
+
+const (
+	creationTimeSubpacket        signatureSubpacketType = 2
+	signatureExpirationSubpacket signatureSubpacketType = 3
+	keyExpirationSubpacket       signatureSubpacketType = 9
+	prefSymmetricAlgosSubpacket  signatureSubpacketType = 11
+	issuerSubpacket              signatureSubpacketType = 16
+	prefHashAlgosSubpacket       signatureSubpacketType = 21
+	prefCompressionSubpacket     signatureSubpacketType = 22
+	primaryUserIdSubpacket       signatureSubpacketType = 25
+	keyFlagsSubpacket            signatureSubpacketType = 27
+	reasonForRevocationSubpacket signatureSubpacketType = 29
+	featuresSubpacket            signatureSubpacketType = 30
+	embeddedSignatureSubpacket   signatureSubpacketType = 32
+)
+
+// parseSignatureSubpacket parses a single subpacket. len(subpacket) is >= 1.
+func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (rest []byte, err error) {
+	// RFC 4880, section 5.2.3.1
+	var (
+		length     uint32
+		packetType signatureSubpacketType
+		isCritical bool
+	)
+	switch {
+	case subpacket[0] < 192:
+		length = uint32(subpacket[0])
+		subpacket = subpacket[1:]
+	case subpacket[0] < 255:
+		if len(subpacket) < 2 {
+			goto Truncated
+		}
+		length = uint32(subpacket[0]-192)<<8 + uint32(subpacket[1]) + 192
+		subpacket = subpacket[2:]
+	default:
+		if len(subpacket) < 5 {
+			goto Truncated
+		}
+		length = uint32(subpacket[1])<<24 |
+			uint32(subpacket[2])<<16 |
+			uint32(subpacket[3])<<8 |
+			uint32(subpacket[4])
+		subpacket = subpacket[5:]
+	}
+	if length > uint32(len(subpacket)) {
+		goto Truncated
+	}
+	rest = subpacket[length:]
+	subpacket = subpacket[:length]
+	if len(subpacket) == 0 {
+		err = errors.StructuralError("zero length signature subpacket")
+		return
+	}
+	packetType = signatureSubpacketType(subpacket[0] & 0x7f)
+	isCritical = subpacket[0]&0x80 == 0x80
+	subpacket = subpacket[1:]
+	sig.rawSubpackets = append(sig.rawSubpackets, outputSubpacket{isHashed, packetType, isCritical, subpacket})
+	switch packetType {
+	case creationTimeSubpacket:
+		if !isHashed {
+			err = errors.StructuralError("signature creation time in non-hashed area")
+			return
+		}
+		if len(subpacket) != 4 {
+			err = errors.StructuralError("signature creation time not four bytes")
+			return
+		}
+		t := binary.BigEndian.Uint32(subpacket)
+		sig.CreationTime = time.Unix(int64(t), 0)
+	case signatureExpirationSubpacket:
+		// Signature expiration time, section 5.2.3.10
+		if !isHashed {
+			return
+		}
+		if len(subpacket) != 4 {
+			err = errors.StructuralError("expiration subpacket with bad length")
+			return
+		}
+		sig.SigLifetimeSecs = new(uint32)
+		*sig.SigLifetimeSecs = binary.BigEndian.Uint32(subpacket)
+	case keyExpirationSubpacket:
+		// Key expiration time, section 5.2.3.6
+		if !isHashed {
+			return
+		}
+		if len(subpacket) != 4 {
+			err = errors.StructuralError("key expiration subpacket with bad length")
+			return
+		}
+		sig.KeyLifetimeSecs = new(uint32)
+		*sig.KeyLifetimeSecs = binary.BigEndian.Uint32(subpacket)
+	case prefSymmetricAlgosSubpacket:
+		// Preferred symmetric algorithms, section 5.2.3.7
+		if !isHashed {
+			return
+		}
+		sig.PreferredSymmetric = make([]byte, len(subpacket))
+		copy(sig.PreferredSymmetric, subpacket)
+	case issuerSubpacket:
+		// Issuer, section 5.2.3.5
+		if len(subpacket) != 8 {
+			err = errors.StructuralError("issuer subpacket with bad length")
+			return
+		}
+		sig.IssuerKeyId = new(uint64)
+		*sig.IssuerKeyId = binary.BigEndian.Uint64(subpacket)
+	case prefHashAlgosSubpacket:
+		// Preferred hash algorithms, section 5.2.3.8
+		if !isHashed {
+			return
+		}
+		sig.PreferredHash = make([]byte, len(subpacket))
+		copy(sig.PreferredHash, subpacket)
+	case prefCompressionSubpacket:
+		// Preferred compression algorithms, section 5.2.3.9
+		if !isHashed {
+			return
+		}
+		sig.PreferredCompression = make([]byte, len(subpacket))
+		copy(sig.PreferredCompression, subpacket)
+	case primaryUserIdSubpacket:
+		// Primary User ID, section 5.2.3.19
+		if !isHashed {
+			return
+		}
+		if len(subpacket) != 1 {
+			err = errors.StructuralError("primary user id subpacket with bad length")
+			return
+		}
+		sig.IsPrimaryId = new(bool)
+		if subpacket[0] > 0 {
+			*sig.IsPrimaryId = true
+		}
+	case keyFlagsSubpacket:
+		// Key flags, section 5.2.3.21
+		if !isHashed {
+			return
+		}
+		if len(subpacket) == 0 {
+			err = errors.StructuralError("empty key flags subpacket")
+			return
+		}
+		sig.FlagsValid = true
+		if subpacket[0]&KeyFlagCertify != 0 {
+			sig.FlagCertify = true
+		}
+		if subpacket[0]&KeyFlagSign != 0 {
+			sig.FlagSign = true
+		}
+		if subpacket[0]&KeyFlagEncryptCommunications != 0 {
+			sig.FlagEncryptCommunications = true
+		}
+		if subpacket[0]&KeyFlagEncryptStorage != 0 {
+			sig.FlagEncryptStorage = true
+		}
+	case reasonForRevocationSubpacket:
+		// Reason For Revocation, section 5.2.3.23
+		if !isHashed {
+			return
+		}
+		if len(subpacket) == 0 {
+			err = errors.StructuralError("empty revocation reason subpacket")
+			return
+		}
+		sig.RevocationReason = new(uint8)
+		*sig.RevocationReason = subpacket[0]
+		sig.RevocationReasonText = string(subpacket[1:])
+	case featuresSubpacket:
+		// Features subpacket, section 5.2.3.24 specifies a very general
+		// mechanism for OpenPGP implementations to signal support for new
+		// features. In practice, the subpacket is used exclusively to
+		// indicate support for MDC-protected encryption.
+		sig.MDC = len(subpacket) >= 1 && subpacket[0]&1 == 1
+	case embeddedSignatureSubpacket:
+		// Only usage is in signatures that cross-certify
+		// signing subkeys. section 5.2.3.26 describes the
+		// format, with its usage described in section 11.1
+		if sig.EmbeddedSignature != nil {
+			err = errors.StructuralError("Cannot have multiple embedded signatures")
+			return
+		}
+		sig.EmbeddedSignature = new(Signature)
+		// Embedded signatures are required to be v4 signatures see
+		// section 12.1. However, we only parse v4 signatures in this
+		// file anyway.
+		if err := sig.EmbeddedSignature.parse(bytes.NewBuffer(subpacket)); err != nil {
+			return nil, err
+		}
+		if sigType := sig.EmbeddedSignature.SigType; sigType != SigTypePrimaryKeyBinding {
+			return nil, errors.StructuralError("cross-signature has unexpected type " + strconv.Itoa(int(sigType)))
+		}
+	default:
+		if isCritical {
+			err = errors.UnsupportedError("unknown critical signature subpacket type " + strconv.Itoa(int(packetType)))
+			return
+		}
+	}
+	return
+
+Truncated:
+	err = errors.StructuralError("signature subpacket truncated")
+	return
+}
+
+// subpacketLengthLength returns the length, in bytes, of an encoded length value.
+func subpacketLengthLength(length int) int {
+	if length < 192 {
+		return 1
+	}
+	if length < 16320 {
+		return 2
+	}
+	return 5
+}
+
+// serializeSubpacketLength marshals the given length into to.
+func serializeSubpacketLength(to []byte, length int) int {
+	// RFC 4880, Section 4.2.2.
+	if length < 192 {
+		to[0] = byte(length)
+		return 1
+	}
+	if length < 16320 {
+		length -= 192
+		to[0] = byte((length >> 8) + 192)
+		to[1] = byte(length)
+		return 2
+	}
+	to[0] = 255
+	to[1] = byte(length >> 24)
+	to[2] = byte(length >> 16)
+	to[3] = byte(length >> 8)
+	to[4] = byte(length)
+	return 5
+}
+
+// subpacketsLength returns the serialized length, in bytes, of the given
+// subpackets.
+func subpacketsLength(subpackets []outputSubpacket, hashed bool) (length int) {
+	for _, subpacket := range subpackets {
+		if subpacket.hashed == hashed {
+			length += subpacketLengthLength(len(subpacket.contents) + 1)
+			length += 1 // type byte
+			length += len(subpacket.contents)
+		}
+	}
+	return
+}
+
+// serializeSubpackets marshals the given subpackets into to.
+func serializeSubpackets(to []byte, subpackets []outputSubpacket, hashed bool) {
+	for _, subpacket := range subpackets {
+		if subpacket.hashed == hashed {
+			n := serializeSubpacketLength(to, len(subpacket.contents)+1)
+			to[n] = byte(subpacket.subpacketType)
+			to = to[1+n:]
+			n = copy(to, subpacket.contents)
+			to = to[n:]
+		}
+	}
+	return
+}
+
+// KeyExpired returns whether sig is a self-signature of a key that has
+// expired.
+func (sig *Signature) KeyExpired(currentTime time.Time) bool {
+	if sig.KeyLifetimeSecs == nil {
+		return false
+	}
+	expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
+	return currentTime.After(expiry)
+}
+
+// buildHashSuffix constructs the HashSuffix member of sig in preparation for signing.
+func (sig *Signature) buildHashSuffix() (err error) {
+	hashedSubpacketsLen := subpacketsLength(sig.outSubpackets, true)
+
+	var ok bool
+	l := 6 + hashedSubpacketsLen
+	sig.HashSuffix = make([]byte, l+6)
+	sig.HashSuffix[0] = 4
+	sig.HashSuffix[1] = uint8(sig.SigType)
+	sig.HashSuffix[2] = uint8(sig.PubKeyAlgo)
+	sig.HashSuffix[3], ok = s2k.HashToHashId(sig.Hash)
+	if !ok {
+		sig.HashSuffix = nil
+		return errors.InvalidArgumentError("hash cannot be represented in OpenPGP: " + strconv.Itoa(int(sig.Hash)))
+	}
+	sig.HashSuffix[4] = byte(hashedSubpacketsLen >> 8)
+	sig.HashSuffix[5] = byte(hashedSubpacketsLen)
+	serializeSubpackets(sig.HashSuffix[6:l], sig.outSubpackets, true)
+	trailer := sig.HashSuffix[l:]
+	trailer[0] = 4
+	trailer[1] = 0xff
+	trailer[2] = byte(l >> 24)
+	trailer[3] = byte(l >> 16)
+	trailer[4] = byte(l >> 8)
+	trailer[5] = byte(l)
+	return
+}
+
+func (sig *Signature) signPrepareHash(h hash.Hash) (digest []byte, err error) {
+	err = sig.buildHashSuffix()
+	if err != nil {
+		return
+	}
+
+	h.Write(sig.HashSuffix)
+	digest = h.Sum(nil)
+	copy(sig.HashTag[:], digest)
+	return
+}
+
+// Sign signs a message with a private key. The hash, h, must contain
+// the hash of the message to be signed and will be mutated by this function.
+// On success, the signature is stored in sig. Call Serialize to write it out.
+// If config is nil, sensible defaults will be used.
+func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err error) {
+	sig.outSubpackets = sig.buildSubpackets()
+	digest, err := sig.signPrepareHash(h)
+	if err != nil {
+		return
+	}
+
+	switch priv.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		// supports both *rsa.PrivateKey and crypto.Signer
+		sig.RSASignature.bytes, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, sig.Hash)
+		sig.RSASignature.bitLength = uint16(8 * len(sig.RSASignature.bytes))
+	case PubKeyAlgoDSA:
+		dsaPriv := priv.PrivateKey.(*dsa.PrivateKey)
+
+		// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
+		subgroupSize := (dsaPriv.Q.BitLen() + 7) / 8
+		if len(digest) > subgroupSize {
+			digest = digest[:subgroupSize]
+		}
+		r, s, err := dsa.Sign(config.Random(), dsaPriv, digest)
+		if err == nil {
+			sig.DSASigR.bytes = r.Bytes()
+			sig.DSASigR.bitLength = uint16(8 * len(sig.DSASigR.bytes))
+			sig.DSASigS.bytes = s.Bytes()
+			sig.DSASigS.bitLength = uint16(8 * len(sig.DSASigS.bytes))
+		}
+	case PubKeyAlgoECDSA:
+		var r, s *big.Int
+		if pk, ok := priv.PrivateKey.(*ecdsa.PrivateKey); ok {
+			// direct support, avoid asn1 wrapping/unwrapping
+			r, s, err = ecdsa.Sign(config.Random(), pk, digest)
+		} else {
+			var b []byte
+			b, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, sig.Hash)
+			if err == nil {
+				r, s, err = unwrapECDSASig(b)
+			}
+		}
+		if err == nil {
+			sig.ECDSASigR = fromBig(r)
+			sig.ECDSASigS = fromBig(s)
+		}
+	default:
+		err = errors.UnsupportedError("public key algorithm: " + strconv.Itoa(int(sig.PubKeyAlgo)))
+	}
+
+	return
+}
+
+// unwrapECDSASig parses the two integer components of an ASN.1-encoded ECDSA
+// signature.
+func unwrapECDSASig(b []byte) (r, s *big.Int, err error) {
+	var ecsdaSig struct {
+		R, S *big.Int
+	}
+	_, err = asn1.Unmarshal(b, &ecsdaSig)
+	if err != nil {
+		return
+	}
+	return ecsdaSig.R, ecsdaSig.S, nil
+}
+
+// SignUserId computes a signature from priv, asserting that pub is a valid
+// key for the identity id.  On success, the signature is stored in sig. Call
+// Serialize to write it out.
+// If config is nil, sensible defaults will be used.
+func (sig *Signature) SignUserId(id string, pub *PublicKey, priv *PrivateKey, config *Config) error {
+	h, err := userIdSignatureHash(id, pub, sig.Hash)
+	if err != nil {
+		return err
+	}
+	return sig.Sign(h, priv, config)
+}
+
+// SignKey computes a signature from priv, asserting that pub is a subkey. On
+// success, the signature is stored in sig. Call Serialize to write it out.
+// If config is nil, sensible defaults will be used.
+func (sig *Signature) SignKey(pub *PublicKey, priv *PrivateKey, config *Config) error {
+	h, err := keySignatureHash(&priv.PublicKey, pub, sig.Hash)
+	if err != nil {
+		return err
+	}
+	return sig.Sign(h, priv, config)
+}
+
+// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been
+// called first.
+func (sig *Signature) Serialize(w io.Writer) (err error) {
+	if len(sig.outSubpackets) == 0 {
+		sig.outSubpackets = sig.rawSubpackets
+	}
+	if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil && sig.ECDSASigR.bytes == nil {
+		return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize")
+	}
+
+	sigLength := 0
+	switch sig.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		sigLength = 2 + len(sig.RSASignature.bytes)
+	case PubKeyAlgoDSA:
+		sigLength = 2 + len(sig.DSASigR.bytes)
+		sigLength += 2 + len(sig.DSASigS.bytes)
+	case PubKeyAlgoECDSA:
+		sigLength = 2 + len(sig.ECDSASigR.bytes)
+		sigLength += 2 + len(sig.ECDSASigS.bytes)
+	default:
+		panic("impossible")
+	}
+
+	unhashedSubpacketsLen := subpacketsLength(sig.outSubpackets, false)
+	length := len(sig.HashSuffix) - 6 /* trailer not included */ +
+		2 /* length of unhashed subpackets */ + unhashedSubpacketsLen +
+		2 /* hash tag */ + sigLength
+	err = serializeHeader(w, packetTypeSignature, length)
+	if err != nil {
+		return
+	}
+
+	_, err = w.Write(sig.HashSuffix[:len(sig.HashSuffix)-6])
+	if err != nil {
+		return
+	}
+
+	unhashedSubpackets := make([]byte, 2+unhashedSubpacketsLen)
+	unhashedSubpackets[0] = byte(unhashedSubpacketsLen >> 8)
+	unhashedSubpackets[1] = byte(unhashedSubpacketsLen)
+	serializeSubpackets(unhashedSubpackets[2:], sig.outSubpackets, false)
+
+	_, err = w.Write(unhashedSubpackets)
+	if err != nil {
+		return
+	}
+	_, err = w.Write(sig.HashTag[:])
+	if err != nil {
+		return
+	}
+
+	switch sig.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		err = writeMPIs(w, sig.RSASignature)
+	case PubKeyAlgoDSA:
+		err = writeMPIs(w, sig.DSASigR, sig.DSASigS)
+	case PubKeyAlgoECDSA:
+		err = writeMPIs(w, sig.ECDSASigR, sig.ECDSASigS)
+	default:
+		panic("impossible")
+	}
+	return
+}
+
+// outputSubpacket represents a subpacket to be marshaled.
+type outputSubpacket struct {
+	hashed        bool // true if this subpacket is in the hashed area.
+	subpacketType signatureSubpacketType
+	isCritical    bool
+	contents      []byte
+}
+
+func (sig *Signature) buildSubpackets() (subpackets []outputSubpacket) {
+	creationTime := make([]byte, 4)
+	binary.BigEndian.PutUint32(creationTime, uint32(sig.CreationTime.Unix()))
+	subpackets = append(subpackets, outputSubpacket{true, creationTimeSubpacket, false, creationTime})
+
+	if sig.IssuerKeyId != nil {
+		keyId := make([]byte, 8)
+		binary.BigEndian.PutUint64(keyId, *sig.IssuerKeyId)
+		subpackets = append(subpackets, outputSubpacket{true, issuerSubpacket, false, keyId})
+	}
+
+	if sig.SigLifetimeSecs != nil && *sig.SigLifetimeSecs != 0 {
+		sigLifetime := make([]byte, 4)
+		binary.BigEndian.PutUint32(sigLifetime, *sig.SigLifetimeSecs)
+		subpackets = append(subpackets, outputSubpacket{true, signatureExpirationSubpacket, true, sigLifetime})
+	}
+
+	// Key flags may only appear in self-signatures or certification signatures.
+
+	if sig.FlagsValid {
+		var flags byte
+		if sig.FlagCertify {
+			flags |= KeyFlagCertify
+		}
+		if sig.FlagSign {
+			flags |= KeyFlagSign
+		}
+		if sig.FlagEncryptCommunications {
+			flags |= KeyFlagEncryptCommunications
+		}
+		if sig.FlagEncryptStorage {
+			flags |= KeyFlagEncryptStorage
+		}
+		subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, false, []byte{flags}})
+	}
+
+	// The following subpackets may only appear in self-signatures
+
+	if sig.KeyLifetimeSecs != nil && *sig.KeyLifetimeSecs != 0 {
+		keyLifetime := make([]byte, 4)
+		binary.BigEndian.PutUint32(keyLifetime, *sig.KeyLifetimeSecs)
+		subpackets = append(subpackets, outputSubpacket{true, keyExpirationSubpacket, true, keyLifetime})
+	}
+
+	if sig.IsPrimaryId != nil && *sig.IsPrimaryId {
+		subpackets = append(subpackets, outputSubpacket{true, primaryUserIdSubpacket, false, []byte{1}})
+	}
+
+	if len(sig.PreferredSymmetric) > 0 {
+		subpackets = append(subpackets, outputSubpacket{true, prefSymmetricAlgosSubpacket, false, sig.PreferredSymmetric})
+	}
+
+	if len(sig.PreferredHash) > 0 {
+		subpackets = append(subpackets, outputSubpacket{true, prefHashAlgosSubpacket, false, sig.PreferredHash})
+	}
+
+	if len(sig.PreferredCompression) > 0 {
+		subpackets = append(subpackets, outputSubpacket{true, prefCompressionSubpacket, false, sig.PreferredCompression})
+	}
+
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go b/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go
new file mode 100644
index 0000000000..6edff88934
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go
@@ -0,0 +1,146 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"crypto"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"strconv"
+	"time"
+
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/s2k"
+)
+
+// SignatureV3 represents older version 3 signatures. These signatures are less secure
+// than version 4 and should not be used to create new signatures. They are included
+// here for backwards compatibility to read and validate with older key material.
+// See RFC 4880, section 5.2.2.
+type SignatureV3 struct {
+	SigType      SignatureType
+	CreationTime time.Time
+	IssuerKeyId  uint64
+	PubKeyAlgo   PublicKeyAlgorithm
+	Hash         crypto.Hash
+	HashTag      [2]byte
+
+	RSASignature     parsedMPI
+	DSASigR, DSASigS parsedMPI
+}
+
+func (sig *SignatureV3) parse(r io.Reader) (err error) {
+	// RFC 4880, section 5.2.2
+	var buf [8]byte
+	if _, err = readFull(r, buf[:1]); err != nil {
+		return
+	}
+	if buf[0] < 2 || buf[0] > 3 {
+		err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0])))
+		return
+	}
+	if _, err = readFull(r, buf[:1]); err != nil {
+		return
+	}
+	if buf[0] != 5 {
+		err = errors.UnsupportedError(
+			"invalid hashed material length " + strconv.Itoa(int(buf[0])))
+		return
+	}
+
+	// Read hashed material: signature type + creation time
+	if _, err = readFull(r, buf[:5]); err != nil {
+		return
+	}
+	sig.SigType = SignatureType(buf[0])
+	t := binary.BigEndian.Uint32(buf[1:5])
+	sig.CreationTime = time.Unix(int64(t), 0)
+
+	// Eight-octet Key ID of signer.
+	if _, err = readFull(r, buf[:8]); err != nil {
+		return
+	}
+	sig.IssuerKeyId = binary.BigEndian.Uint64(buf[:])
+
+	// Public-key and hash algorithm
+	if _, err = readFull(r, buf[:2]); err != nil {
+		return
+	}
+	sig.PubKeyAlgo = PublicKeyAlgorithm(buf[0])
+	switch sig.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA:
+	default:
+		err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo)))
+		return
+	}
+	var ok bool
+	if sig.Hash, ok = s2k.HashIdToHash(buf[1]); !ok {
+		return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2])))
+	}
+
+	// Two-octet field holding left 16 bits of signed hash value.
+	if _, err = readFull(r, sig.HashTag[:2]); err != nil {
+		return
+	}
+
+	switch sig.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r)
+	case PubKeyAlgoDSA:
+		if sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r); err != nil {
+			return
+		}
+		sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r)
+	default:
+		panic("unreachable")
+	}
+	return
+}
+
+// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been
+// called first.
+func (sig *SignatureV3) Serialize(w io.Writer) (err error) {
+	buf := make([]byte, 8)
+
+	// Write the sig type and creation time
+	buf[0] = byte(sig.SigType)
+	binary.BigEndian.PutUint32(buf[1:5], uint32(sig.CreationTime.Unix()))
+	if _, err = w.Write(buf[:5]); err != nil {
+		return
+	}
+
+	// Write the issuer long key ID
+	binary.BigEndian.PutUint64(buf[:8], sig.IssuerKeyId)
+	if _, err = w.Write(buf[:8]); err != nil {
+		return
+	}
+
+	// Write public key algorithm, hash ID, and hash value
+	buf[0] = byte(sig.PubKeyAlgo)
+	hashId, ok := s2k.HashToHashId(sig.Hash)
+	if !ok {
+		return errors.UnsupportedError(fmt.Sprintf("hash function %v", sig.Hash))
+	}
+	buf[1] = hashId
+	copy(buf[2:4], sig.HashTag[:])
+	if _, err = w.Write(buf[:4]); err != nil {
+		return
+	}
+
+	if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil {
+		return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize")
+	}
+
+	switch sig.PubKeyAlgo {
+	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
+		err = writeMPIs(w, sig.RSASignature)
+	case PubKeyAlgoDSA:
+		err = writeMPIs(w, sig.DSASigR, sig.DSASigS)
+	default:
+		panic("impossible")
+	}
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go
new file mode 100644
index 0000000000..744c2d2c42
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go
@@ -0,0 +1,155 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"io"
+	"strconv"
+
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/s2k"
+)
+
+// This is the largest session key that we'll support. Since no 512-bit cipher
+// has even been seriously used, this is comfortably large.
+const maxSessionKeySizeInBytes = 64
+
+// SymmetricKeyEncrypted represents a passphrase protected session key. See RFC
+// 4880, section 5.3.
+type SymmetricKeyEncrypted struct {
+	CipherFunc   CipherFunction
+	s2k          func(out, in []byte)
+	encryptedKey []byte
+}
+
+const symmetricKeyEncryptedVersion = 4
+
+func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error {
+	// RFC 4880, section 5.3.
+	var buf [2]byte
+	if _, err := readFull(r, buf[:]); err != nil {
+		return err
+	}
+	if buf[0] != symmetricKeyEncryptedVersion {
+		return errors.UnsupportedError("SymmetricKeyEncrypted version")
+	}
+	ske.CipherFunc = CipherFunction(buf[1])
+
+	if ske.CipherFunc.KeySize() == 0 {
+		return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[1])))
+	}
+
+	var err error
+	ske.s2k, err = s2k.Parse(r)
+	if err != nil {
+		return err
+	}
+
+	encryptedKey := make([]byte, maxSessionKeySizeInBytes)
+	// The session key may follow. We just have to try and read to find
+	// out. If it exists then we limit it to maxSessionKeySizeInBytes.
+	n, err := readFull(r, encryptedKey)
+	if err != nil && err != io.ErrUnexpectedEOF {
+		return err
+	}
+
+	if n != 0 {
+		if n == maxSessionKeySizeInBytes {
+			return errors.UnsupportedError("oversized encrypted session key")
+		}
+		ske.encryptedKey = encryptedKey[:n]
+	}
+
+	return nil
+}
+
+// Decrypt attempts to decrypt an encrypted session key and returns the key and
+// the cipher to use when decrypting a subsequent Symmetrically Encrypted Data
+// packet.
+func (ske *SymmetricKeyEncrypted) Decrypt(passphrase []byte) ([]byte, CipherFunction, error) {
+	key := make([]byte, ske.CipherFunc.KeySize())
+	ske.s2k(key, passphrase)
+
+	if len(ske.encryptedKey) == 0 {
+		return key, ske.CipherFunc, nil
+	}
+
+	// the IV is all zeros
+	iv := make([]byte, ske.CipherFunc.blockSize())
+	c := cipher.NewCFBDecrypter(ske.CipherFunc.new(key), iv)
+	plaintextKey := make([]byte, len(ske.encryptedKey))
+	c.XORKeyStream(plaintextKey, ske.encryptedKey)
+	cipherFunc := CipherFunction(plaintextKey[0])
+	if cipherFunc.blockSize() == 0 {
+		return nil, ske.CipherFunc, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc)))
+	}
+	plaintextKey = plaintextKey[1:]
+	if l, cipherKeySize := len(plaintextKey), cipherFunc.KeySize(); l != cipherFunc.KeySize() {
+		return nil, cipherFunc, errors.StructuralError("length of decrypted key (" + strconv.Itoa(l) + ") " +
+			"not equal to cipher keysize (" + strconv.Itoa(cipherKeySize) + ")")
+	}
+	return plaintextKey, cipherFunc, nil
+}
+
+// SerializeSymmetricKeyEncrypted serializes a symmetric key packet to w. The
+// packet contains a random session key, encrypted by a key derived from the
+// given passphrase. The session key is returned and must be passed to
+// SerializeSymmetricallyEncrypted.
+// If config is nil, sensible defaults will be used.
+func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Config) (key []byte, err error) {
+	cipherFunc := config.Cipher()
+	keySize := cipherFunc.KeySize()
+	if keySize == 0 {
+		return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc)))
+	}
+
+	s2kBuf := new(bytes.Buffer)
+	keyEncryptingKey := make([]byte, keySize)
+	// s2k.Serialize salts and stretches the passphrase, and writes the
+	// resulting key to keyEncryptingKey and the s2k descriptor to s2kBuf.
+	err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, &s2k.Config{Hash: config.Hash(), S2KCount: config.PasswordHashIterations()})
+	if err != nil {
+		return
+	}
+	s2kBytes := s2kBuf.Bytes()
+
+	packetLength := 2 /* header */ + len(s2kBytes) + 1 /* cipher type */ + keySize
+	err = serializeHeader(w, packetTypeSymmetricKeyEncrypted, packetLength)
+	if err != nil {
+		return
+	}
+
+	var buf [2]byte
+	buf[0] = symmetricKeyEncryptedVersion
+	buf[1] = byte(cipherFunc)
+	_, err = w.Write(buf[:])
+	if err != nil {
+		return
+	}
+	_, err = w.Write(s2kBytes)
+	if err != nil {
+		return
+	}
+
+	sessionKey := make([]byte, keySize)
+	_, err = io.ReadFull(config.Random(), sessionKey)
+	if err != nil {
+		return
+	}
+	iv := make([]byte, cipherFunc.blockSize())
+	c := cipher.NewCFBEncrypter(cipherFunc.new(keyEncryptingKey), iv)
+	encryptedCipherAndKey := make([]byte, keySize+1)
+	c.XORKeyStream(encryptedCipherAndKey, buf[1:])
+	c.XORKeyStream(encryptedCipherAndKey[1:], sessionKey)
+	_, err = w.Write(encryptedCipherAndKey)
+	if err != nil {
+		return
+	}
+
+	key = sessionKey
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
new file mode 100644
index 0000000000..1a1a62964f
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
@@ -0,0 +1,290 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"crypto/cipher"
+	"crypto/sha1"
+	"crypto/subtle"
+	"golang.org/x/crypto/openpgp/errors"
+	"hash"
+	"io"
+	"strconv"
+)
+
+// SymmetricallyEncrypted represents a symmetrically encrypted byte string. The
+// encrypted contents will consist of more OpenPGP packets. See RFC 4880,
+// sections 5.7 and 5.13.
+type SymmetricallyEncrypted struct {
+	MDC      bool // true iff this is a type 18 packet and thus has an embedded MAC.
+	contents io.Reader
+	prefix   []byte
+}
+
+const symmetricallyEncryptedVersion = 1
+
+func (se *SymmetricallyEncrypted) parse(r io.Reader) error {
+	if se.MDC {
+		// See RFC 4880, section 5.13.
+		var buf [1]byte
+		_, err := readFull(r, buf[:])
+		if err != nil {
+			return err
+		}
+		if buf[0] != symmetricallyEncryptedVersion {
+			return errors.UnsupportedError("unknown SymmetricallyEncrypted version")
+		}
+	}
+	se.contents = r
+	return nil
+}
+
+// Decrypt returns a ReadCloser, from which the decrypted contents of the
+// packet can be read. An incorrect key can, with high probability, be detected
+// immediately and this will result in a KeyIncorrect error being returned.
+func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) {
+	keySize := c.KeySize()
+	if keySize == 0 {
+		return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c)))
+	}
+	if len(key) != keySize {
+		return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length")
+	}
+
+	if se.prefix == nil {
+		se.prefix = make([]byte, c.blockSize()+2)
+		_, err := readFull(se.contents, se.prefix)
+		if err != nil {
+			return nil, err
+		}
+	} else if len(se.prefix) != c.blockSize()+2 {
+		return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths")
+	}
+
+	ocfbResync := OCFBResync
+	if se.MDC {
+		// MDC packets use a different form of OCFB mode.
+		ocfbResync = OCFBNoResync
+	}
+
+	s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync)
+	if s == nil {
+		return nil, errors.ErrKeyIncorrect
+	}
+
+	plaintext := cipher.StreamReader{S: s, R: se.contents}
+
+	if se.MDC {
+		// MDC packets have an embedded hash that we need to check.
+		h := sha1.New()
+		h.Write(se.prefix)
+		return &seMDCReader{in: plaintext, h: h}, nil
+	}
+
+	// Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser.
+	return seReader{plaintext}, nil
+}
+
+// seReader wraps an io.Reader with a no-op Close method.
+type seReader struct {
+	in io.Reader
+}
+
+func (ser seReader) Read(buf []byte) (int, error) {
+	return ser.in.Read(buf)
+}
+
+func (ser seReader) Close() error {
+	return nil
+}
+
+const mdcTrailerSize = 1 /* tag byte */ + 1 /* length byte */ + sha1.Size
+
+// An seMDCReader wraps an io.Reader, maintains a running hash and keeps hold
+// of the most recent 22 bytes (mdcTrailerSize). Upon EOF, those bytes form an
+// MDC packet containing a hash of the previous contents which is checked
+// against the running hash. See RFC 4880, section 5.13.
+type seMDCReader struct {
+	in          io.Reader
+	h           hash.Hash
+	trailer     [mdcTrailerSize]byte
+	scratch     [mdcTrailerSize]byte
+	trailerUsed int
+	error       bool
+	eof         bool
+}
+
+func (ser *seMDCReader) Read(buf []byte) (n int, err error) {
+	if ser.error {
+		err = io.ErrUnexpectedEOF
+		return
+	}
+	if ser.eof {
+		err = io.EOF
+		return
+	}
+
+	// If we haven't yet filled the trailer buffer then we must do that
+	// first.
+	for ser.trailerUsed < mdcTrailerSize {
+		n, err = ser.in.Read(ser.trailer[ser.trailerUsed:])
+		ser.trailerUsed += n
+		if err == io.EOF {
+			if ser.trailerUsed != mdcTrailerSize {
+				n = 0
+				err = io.ErrUnexpectedEOF
+				ser.error = true
+				return
+			}
+			ser.eof = true
+			n = 0
+			return
+		}
+
+		if err != nil {
+			n = 0
+			return
+		}
+	}
+
+	// If it's a short read then we read into a temporary buffer and shift
+	// the data into the caller's buffer.
+	if len(buf) <= mdcTrailerSize {
+		n, err = readFull(ser.in, ser.scratch[:len(buf)])
+		copy(buf, ser.trailer[:n])
+		ser.h.Write(buf[:n])
+		copy(ser.trailer[:], ser.trailer[n:])
+		copy(ser.trailer[mdcTrailerSize-n:], ser.scratch[:])
+		if n < len(buf) {
+			ser.eof = true
+			err = io.EOF
+		}
+		return
+	}
+
+	n, err = ser.in.Read(buf[mdcTrailerSize:])
+	copy(buf, ser.trailer[:])
+	ser.h.Write(buf[:n])
+	copy(ser.trailer[:], buf[n:])
+
+	if err == io.EOF {
+		ser.eof = true
+	}
+	return
+}
+
+// This is a new-format packet tag byte for a type 19 (MDC) packet.
+const mdcPacketTagByte = byte(0x80) | 0x40 | 19
+
+func (ser *seMDCReader) Close() error {
+	if ser.error {
+		return errors.SignatureError("error during reading")
+	}
+
+	for !ser.eof {
+		// We haven't seen EOF so we need to read to the end
+		var buf [1024]byte
+		_, err := ser.Read(buf[:])
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return errors.SignatureError("error during reading")
+		}
+	}
+
+	if ser.trailer[0] != mdcPacketTagByte || ser.trailer[1] != sha1.Size {
+		return errors.SignatureError("MDC packet not found")
+	}
+	ser.h.Write(ser.trailer[:2])
+
+	final := ser.h.Sum(nil)
+	if subtle.ConstantTimeCompare(final, ser.trailer[2:]) != 1 {
+		return errors.SignatureError("hash mismatch")
+	}
+	return nil
+}
+
+// An seMDCWriter writes through to an io.WriteCloser while maintains a running
+// hash of the data written. On close, it emits an MDC packet containing the
+// running hash.
+type seMDCWriter struct {
+	w io.WriteCloser
+	h hash.Hash
+}
+
+func (w *seMDCWriter) Write(buf []byte) (n int, err error) {
+	w.h.Write(buf)
+	return w.w.Write(buf)
+}
+
+func (w *seMDCWriter) Close() (err error) {
+	var buf [mdcTrailerSize]byte
+
+	buf[0] = mdcPacketTagByte
+	buf[1] = sha1.Size
+	w.h.Write(buf[:2])
+	digest := w.h.Sum(nil)
+	copy(buf[2:], digest)
+
+	_, err = w.w.Write(buf[:])
+	if err != nil {
+		return
+	}
+	return w.w.Close()
+}
+
+// noOpCloser is like an io.NopCloser, but for an io.Writer.
+type noOpCloser struct {
+	w io.Writer
+}
+
+func (c noOpCloser) Write(data []byte) (n int, err error) {
+	return c.w.Write(data)
+}
+
+func (c noOpCloser) Close() error {
+	return nil
+}
+
+// SerializeSymmetricallyEncrypted serializes a symmetrically encrypted packet
+// to w and returns a WriteCloser to which the to-be-encrypted packets can be
+// written.
+// If config is nil, sensible defaults will be used.
+func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) {
+	if c.KeySize() != len(key) {
+		return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length")
+	}
+	writeCloser := noOpCloser{w}
+	ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC)
+	if err != nil {
+		return
+	}
+
+	_, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion})
+	if err != nil {
+		return
+	}
+
+	block := c.new(key)
+	blockSize := block.BlockSize()
+	iv := make([]byte, blockSize)
+	_, err = config.Random().Read(iv)
+	if err != nil {
+		return
+	}
+	s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync)
+	_, err = ciphertext.Write(prefix)
+	if err != nil {
+		return
+	}
+	plaintext := cipher.StreamWriter{S: s, W: ciphertext}
+
+	h := sha1.New()
+	h.Write(iv)
+	h.Write(iv[blockSize-2:])
+	contents = &seMDCWriter{w: plaintext, h: h}
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go
new file mode 100644
index 0000000000..ff7ef53075
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go
@@ -0,0 +1,90 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"bytes"
+	"image"
+	"image/jpeg"
+	"io"
+)
+
+const UserAttrImageSubpacket = 1
+
+// UserAttribute is capable of storing other types of data about a user
+// beyond name, email and a text comment. In practice, user attributes are typically used
+// to store a signed thumbnail photo JPEG image of the user.
+// See RFC 4880, section 5.12.
+type UserAttribute struct {
+	Contents []*OpaqueSubpacket
+}
+
+// NewUserAttributePhoto creates a user attribute packet
+// containing the given images.
+func NewUserAttributePhoto(photos ...image.Image) (uat *UserAttribute, err error) {
+	uat = new(UserAttribute)
+	for _, photo := range photos {
+		var buf bytes.Buffer
+		// RFC 4880, Section 5.12.1.
+		data := []byte{
+			0x10, 0x00, // Little-endian image header length (16 bytes)
+			0x01,       // Image header version 1
+			0x01,       // JPEG
+			0, 0, 0, 0, // 12 reserved octets, must be all zero.
+			0, 0, 0, 0,
+			0, 0, 0, 0}
+		if _, err = buf.Write(data); err != nil {
+			return
+		}
+		if err = jpeg.Encode(&buf, photo, nil); err != nil {
+			return
+		}
+		uat.Contents = append(uat.Contents, &OpaqueSubpacket{
+			SubType:  UserAttrImageSubpacket,
+			Contents: buf.Bytes()})
+	}
+	return
+}
+
+// NewUserAttribute creates a new user attribute packet containing the given subpackets.
+func NewUserAttribute(contents ...*OpaqueSubpacket) *UserAttribute {
+	return &UserAttribute{Contents: contents}
+}
+
+func (uat *UserAttribute) parse(r io.Reader) (err error) {
+	// RFC 4880, section 5.13
+	b, err := io.ReadAll(r)
+	if err != nil {
+		return
+	}
+	uat.Contents, err = OpaqueSubpackets(b)
+	return
+}
+
+// Serialize marshals the user attribute to w in the form of an OpenPGP packet, including
+// header.
+func (uat *UserAttribute) Serialize(w io.Writer) (err error) {
+	var buf bytes.Buffer
+	for _, sp := range uat.Contents {
+		sp.Serialize(&buf)
+	}
+	if err = serializeHeader(w, packetTypeUserAttribute, buf.Len()); err != nil {
+		return err
+	}
+	_, err = w.Write(buf.Bytes())
+	return
+}
+
+// ImageData returns zero or more byte slices, each containing
+// JPEG File Interchange Format (JFIF), for each photo in the
+// user attribute packet.
+func (uat *UserAttribute) ImageData() (imageData [][]byte) {
+	for _, sp := range uat.Contents {
+		if sp.SubType == UserAttrImageSubpacket && len(sp.Contents) > 16 {
+			imageData = append(imageData, sp.Contents[16:])
+		}
+	}
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userid.go b/vendor/golang.org/x/crypto/openpgp/packet/userid.go
new file mode 100644
index 0000000000..359a462eb8
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/packet/userid.go
@@ -0,0 +1,159 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	"io"
+	"strings"
+)
+
+// UserId contains text that is intended to represent the name and email
+// address of the key holder. See RFC 4880, section 5.11. By convention, this
+// takes the form "Full Name (Comment) <email@example.com>"
+type UserId struct {
+	Id string // By convention, this takes the form "Full Name (Comment) <email@example.com>" which is split out in the fields below.
+
+	Name, Comment, Email string
+}
+
+func hasInvalidCharacters(s string) bool {
+	for _, c := range s {
+		switch c {
+		case '(', ')', '<', '>', 0:
+			return true
+		}
+	}
+	return false
+}
+
+// NewUserId returns a UserId or nil if any of the arguments contain invalid
+// characters. The invalid characters are '\x00', '(', ')', '<' and '>'
+func NewUserId(name, comment, email string) *UserId {
+	// RFC 4880 doesn't deal with the structure of userid strings; the
+	// name, comment and email form is just a convention. However, there's
+	// no convention about escaping the metacharacters and GPG just refuses
+	// to create user ids where, say, the name contains a '('. We mirror
+	// this behaviour.
+
+	if hasInvalidCharacters(name) || hasInvalidCharacters(comment) || hasInvalidCharacters(email) {
+		return nil
+	}
+
+	uid := new(UserId)
+	uid.Name, uid.Comment, uid.Email = name, comment, email
+	uid.Id = name
+	if len(comment) > 0 {
+		if len(uid.Id) > 0 {
+			uid.Id += " "
+		}
+		uid.Id += "("
+		uid.Id += comment
+		uid.Id += ")"
+	}
+	if len(email) > 0 {
+		if len(uid.Id) > 0 {
+			uid.Id += " "
+		}
+		uid.Id += "<"
+		uid.Id += email
+		uid.Id += ">"
+	}
+	return uid
+}
+
+func (uid *UserId) parse(r io.Reader) (err error) {
+	// RFC 4880, section 5.11
+	b, err := io.ReadAll(r)
+	if err != nil {
+		return
+	}
+	uid.Id = string(b)
+	uid.Name, uid.Comment, uid.Email = parseUserId(uid.Id)
+	return
+}
+
+// Serialize marshals uid to w in the form of an OpenPGP packet, including
+// header.
+func (uid *UserId) Serialize(w io.Writer) error {
+	err := serializeHeader(w, packetTypeUserId, len(uid.Id))
+	if err != nil {
+		return err
+	}
+	_, err = w.Write([]byte(uid.Id))
+	return err
+}
+
+// parseUserId extracts the name, comment and email from a user id string that
+// is formatted as "Full Name (Comment) <email@example.com>".
+func parseUserId(id string) (name, comment, email string) {
+	var n, c, e struct {
+		start, end int
+	}
+	var state int
+
+	for offset, rune := range id {
+		switch state {
+		case 0:
+			// Entering name
+			n.start = offset
+			state = 1
+			fallthrough
+		case 1:
+			// In name
+			if rune == '(' {
+				state = 2
+				n.end = offset
+			} else if rune == '<' {
+				state = 5
+				n.end = offset
+			}
+		case 2:
+			// Entering comment
+			c.start = offset
+			state = 3
+			fallthrough
+		case 3:
+			// In comment
+			if rune == ')' {
+				state = 4
+				c.end = offset
+			}
+		case 4:
+			// Between comment and email
+			if rune == '<' {
+				state = 5
+			}
+		case 5:
+			// Entering email
+			e.start = offset
+			state = 6
+			fallthrough
+		case 6:
+			// In email
+			if rune == '>' {
+				state = 7
+				e.end = offset
+			}
+		default:
+			// After email
+		}
+	}
+	switch state {
+	case 1:
+		// ended in the name
+		n.end = len(id)
+	case 3:
+		// ended in comment
+		c.end = len(id)
+	case 6:
+		// ended in email
+		e.end = len(id)
+	}
+
+	name = strings.TrimSpace(id[n.start:n.end])
+	comment = strings.TrimSpace(id[c.start:c.end])
+	email = strings.TrimSpace(id[e.start:e.end])
+	return
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/read.go b/vendor/golang.org/x/crypto/openpgp/read.go
new file mode 100644
index 0000000000..cff3db9196
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/read.go
@@ -0,0 +1,448 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package openpgp implements high level operations on OpenPGP messages.
+//
+// Deprecated: this package is unmaintained except for security fixes. New
+// applications should consider a more focused, modern alternative to OpenPGP
+// for their specific task. If you are required to interoperate with OpenPGP
+// systems and need a maintained package, consider a community fork.
+// See https://golang.org/issue/44226.
+package openpgp
+
+import (
+	"crypto"
+	_ "crypto/sha256"
+	"hash"
+	"io"
+	"strconv"
+
+	"golang.org/x/crypto/openpgp/armor"
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/packet"
+)
+
+// SignatureType is the armor type for a PGP signature.
+var SignatureType = "PGP SIGNATURE"
+
+// readArmored reads an armored block with the given type.
+func readArmored(r io.Reader, expectedType string) (body io.Reader, err error) {
+	block, err := armor.Decode(r)
+	if err != nil {
+		return
+	}
+
+	if block.Type != expectedType {
+		return nil, errors.InvalidArgumentError("expected '" + expectedType + "', got: " + block.Type)
+	}
+
+	return block.Body, nil
+}
+
+// MessageDetails contains the result of parsing an OpenPGP encrypted and/or
+// signed message.
+type MessageDetails struct {
+	IsEncrypted              bool                // true if the message was encrypted.
+	EncryptedToKeyIds        []uint64            // the list of recipient key ids.
+	IsSymmetricallyEncrypted bool                // true if a passphrase could have decrypted the message.
+	DecryptedWith            Key                 // the private key used to decrypt the message, if any.
+	IsSigned                 bool                // true if the message is signed.
+	SignedByKeyId            uint64              // the key id of the signer, if any.
+	SignedBy                 *Key                // the key of the signer, if available.
+	LiteralData              *packet.LiteralData // the metadata of the contents
+	UnverifiedBody           io.Reader           // the contents of the message.
+
+	// If IsSigned is true and SignedBy is non-zero then the signature will
+	// be verified as UnverifiedBody is read. The signature cannot be
+	// checked until the whole of UnverifiedBody is read so UnverifiedBody
+	// must be consumed until EOF before the data can be trusted. Even if a
+	// message isn't signed (or the signer is unknown) the data may contain
+	// an authentication code that is only checked once UnverifiedBody has
+	// been consumed. Once EOF has been seen, the following fields are
+	// valid. (An authentication code failure is reported as a
+	// SignatureError error when reading from UnverifiedBody.)
+	SignatureError error               // nil if the signature is good.
+	Signature      *packet.Signature   // the signature packet itself, if v4 (default)
+	SignatureV3    *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature
+
+	decrypted io.ReadCloser
+}
+
+// A PromptFunction is used as a callback by functions that may need to decrypt
+// a private key, or prompt for a passphrase. It is called with a list of
+// acceptable, encrypted private keys and a boolean that indicates whether a
+// passphrase is usable. It should either decrypt a private key or return a
+// passphrase to try. If the decrypted private key or given passphrase isn't
+// correct, the function will be called again, forever. Any error returned will
+// be passed up.
+type PromptFunction func(keys []Key, symmetric bool) ([]byte, error)
+
+// A keyEnvelopePair is used to store a private key with the envelope that
+// contains a symmetric key, encrypted with that key.
+type keyEnvelopePair struct {
+	key          Key
+	encryptedKey *packet.EncryptedKey
+}
+
+// ReadMessage parses an OpenPGP message that may be signed and/or encrypted.
+// The given KeyRing should contain both public keys (for signature
+// verification) and, possibly encrypted, private keys for decrypting.
+// If config is nil, sensible defaults will be used.
+func ReadMessage(r io.Reader, keyring KeyRing, prompt PromptFunction, config *packet.Config) (md *MessageDetails, err error) {
+	var p packet.Packet
+
+	var symKeys []*packet.SymmetricKeyEncrypted
+	var pubKeys []keyEnvelopePair
+	var se *packet.SymmetricallyEncrypted
+
+	packets := packet.NewReader(r)
+	md = new(MessageDetails)
+	md.IsEncrypted = true
+
+	// The message, if encrypted, starts with a number of packets
+	// containing an encrypted decryption key. The decryption key is either
+	// encrypted to a public key, or with a passphrase. This loop
+	// collects these packets.
+ParsePackets:
+	for {
+		p, err = packets.Next()
+		if err != nil {
+			return nil, err
+		}
+		switch p := p.(type) {
+		case *packet.SymmetricKeyEncrypted:
+			// This packet contains the decryption key encrypted with a passphrase.
+			md.IsSymmetricallyEncrypted = true
+			symKeys = append(symKeys, p)
+		case *packet.EncryptedKey:
+			// This packet contains the decryption key encrypted to a public key.
+			md.EncryptedToKeyIds = append(md.EncryptedToKeyIds, p.KeyId)
+			switch p.Algo {
+			case packet.PubKeyAlgoRSA, packet.PubKeyAlgoRSAEncryptOnly, packet.PubKeyAlgoElGamal:
+				break
+			default:
+				continue
+			}
+			var keys []Key
+			if p.KeyId == 0 {
+				keys = keyring.DecryptionKeys()
+			} else {
+				keys = keyring.KeysById(p.KeyId)
+			}
+			for _, k := range keys {
+				pubKeys = append(pubKeys, keyEnvelopePair{k, p})
+			}
+		case *packet.SymmetricallyEncrypted:
+			se = p
+			break ParsePackets
+		case *packet.Compressed, *packet.LiteralData, *packet.OnePassSignature:
+			// This message isn't encrypted.
+			if len(symKeys) != 0 || len(pubKeys) != 0 {
+				return nil, errors.StructuralError("key material not followed by encrypted message")
+			}
+			packets.Unread(p)
+			return readSignedMessage(packets, nil, keyring)
+		}
+	}
+
+	var candidates []Key
+	var decrypted io.ReadCloser
+
+	// Now that we have the list of encrypted keys we need to decrypt at
+	// least one of them or, if we cannot, we need to call the prompt
+	// function so that it can decrypt a key or give us a passphrase.
+FindKey:
+	for {
+		// See if any of the keys already have a private key available
+		candidates = candidates[:0]
+		candidateFingerprints := make(map[string]bool)
+
+		for _, pk := range pubKeys {
+			if pk.key.PrivateKey == nil {
+				continue
+			}
+			if !pk.key.PrivateKey.Encrypted {
+				if len(pk.encryptedKey.Key) == 0 {
+					pk.encryptedKey.Decrypt(pk.key.PrivateKey, config)
+				}
+				if len(pk.encryptedKey.Key) == 0 {
+					continue
+				}
+				decrypted, err = se.Decrypt(pk.encryptedKey.CipherFunc, pk.encryptedKey.Key)
+				if err != nil && err != errors.ErrKeyIncorrect {
+					return nil, err
+				}
+				if decrypted != nil {
+					md.DecryptedWith = pk.key
+					break FindKey
+				}
+			} else {
+				fpr := string(pk.key.PublicKey.Fingerprint[:])
+				if v := candidateFingerprints[fpr]; v {
+					continue
+				}
+				candidates = append(candidates, pk.key)
+				candidateFingerprints[fpr] = true
+			}
+		}
+
+		if len(candidates) == 0 && len(symKeys) == 0 {
+			return nil, errors.ErrKeyIncorrect
+		}
+
+		if prompt == nil {
+			return nil, errors.ErrKeyIncorrect
+		}
+
+		passphrase, err := prompt(candidates, len(symKeys) != 0)
+		if err != nil {
+			return nil, err
+		}
+
+		// Try the symmetric passphrase first
+		if len(symKeys) != 0 && passphrase != nil {
+			for _, s := range symKeys {
+				key, cipherFunc, err := s.Decrypt(passphrase)
+				if err == nil {
+					decrypted, err = se.Decrypt(cipherFunc, key)
+					if err != nil && err != errors.ErrKeyIncorrect {
+						return nil, err
+					}
+					if decrypted != nil {
+						break FindKey
+					}
+				}
+
+			}
+		}
+	}
+
+	md.decrypted = decrypted
+	if err := packets.Push(decrypted); err != nil {
+		return nil, err
+	}
+	return readSignedMessage(packets, md, keyring)
+}
+
+// readSignedMessage reads a possibly signed message if mdin is non-zero then
+// that structure is updated and returned. Otherwise a fresh MessageDetails is
+// used.
+func readSignedMessage(packets *packet.Reader, mdin *MessageDetails, keyring KeyRing) (md *MessageDetails, err error) {
+	if mdin == nil {
+		mdin = new(MessageDetails)
+	}
+	md = mdin
+
+	var p packet.Packet
+	var h hash.Hash
+	var wrappedHash hash.Hash
+FindLiteralData:
+	for {
+		p, err = packets.Next()
+		if err != nil {
+			return nil, err
+		}
+		switch p := p.(type) {
+		case *packet.Compressed:
+			if err := packets.Push(p.Body); err != nil {
+				return nil, err
+			}
+		case *packet.OnePassSignature:
+			if !p.IsLast {
+				return nil, errors.UnsupportedError("nested signatures")
+			}
+
+			h, wrappedHash, err = hashForSignature(p.Hash, p.SigType)
+			if err != nil {
+				md = nil
+				return
+			}
+
+			md.IsSigned = true
+			md.SignedByKeyId = p.KeyId
+			keys := keyring.KeysByIdUsage(p.KeyId, packet.KeyFlagSign)
+			if len(keys) > 0 {
+				md.SignedBy = &keys[0]
+			}
+		case *packet.LiteralData:
+			md.LiteralData = p
+			break FindLiteralData
+		}
+	}
+
+	if md.SignedBy != nil {
+		md.UnverifiedBody = &signatureCheckReader{packets, h, wrappedHash, md}
+	} else if md.decrypted != nil {
+		md.UnverifiedBody = checkReader{md}
+	} else {
+		md.UnverifiedBody = md.LiteralData.Body
+	}
+
+	return md, nil
+}
+
+// hashForSignature returns a pair of hashes that can be used to verify a
+// signature. The signature may specify that the contents of the signed message
+// should be preprocessed (i.e. to normalize line endings). Thus this function
+// returns two hashes. The second should be used to hash the message itself and
+// performs any needed preprocessing.
+func hashForSignature(hashId crypto.Hash, sigType packet.SignatureType) (hash.Hash, hash.Hash, error) {
+	if !hashId.Available() {
+		return nil, nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashId)))
+	}
+	h := hashId.New()
+
+	switch sigType {
+	case packet.SigTypeBinary:
+		return h, h, nil
+	case packet.SigTypeText:
+		return h, NewCanonicalTextHash(h), nil
+	}
+
+	return nil, nil, errors.UnsupportedError("unsupported signature type: " + strconv.Itoa(int(sigType)))
+}
+
+// checkReader wraps an io.Reader from a LiteralData packet. When it sees EOF
+// it closes the ReadCloser from any SymmetricallyEncrypted packet to trigger
+// MDC checks.
+type checkReader struct {
+	md *MessageDetails
+}
+
+func (cr checkReader) Read(buf []byte) (n int, err error) {
+	n, err = cr.md.LiteralData.Body.Read(buf)
+	if err == io.EOF {
+		mdcErr := cr.md.decrypted.Close()
+		if mdcErr != nil {
+			err = mdcErr
+		}
+	}
+	return
+}
+
+// signatureCheckReader wraps an io.Reader from a LiteralData packet and hashes
+// the data as it is read. When it sees an EOF from the underlying io.Reader
+// it parses and checks a trailing Signature packet and triggers any MDC checks.
+type signatureCheckReader struct {
+	packets        *packet.Reader
+	h, wrappedHash hash.Hash
+	md             *MessageDetails
+}
+
+func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) {
+	n, err = scr.md.LiteralData.Body.Read(buf)
+	scr.wrappedHash.Write(buf[:n])
+	if err == io.EOF {
+		var p packet.Packet
+		p, scr.md.SignatureError = scr.packets.Next()
+		if scr.md.SignatureError != nil {
+			return
+		}
+
+		var ok bool
+		if scr.md.Signature, ok = p.(*packet.Signature); ok {
+			scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
+		} else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok {
+			scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3)
+		} else {
+			scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature")
+			return
+		}
+
+		// The SymmetricallyEncrypted packet, if any, might have an
+		// unsigned hash of its own. In order to check this we need to
+		// close that Reader.
+		if scr.md.decrypted != nil {
+			mdcErr := scr.md.decrypted.Close()
+			if mdcErr != nil {
+				err = mdcErr
+			}
+		}
+	}
+	return
+}
+
+// CheckDetachedSignature takes a signed file and a detached signature and
+// returns the signer if the signature is valid. If the signer isn't known,
+// ErrUnknownIssuer is returned.
+func CheckDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) {
+	var issuerKeyId uint64
+	var hashFunc crypto.Hash
+	var sigType packet.SignatureType
+	var keys []Key
+	var p packet.Packet
+
+	packets := packet.NewReader(signature)
+	for {
+		p, err = packets.Next()
+		if err == io.EOF {
+			return nil, errors.ErrUnknownIssuer
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		switch sig := p.(type) {
+		case *packet.Signature:
+			if sig.IssuerKeyId == nil {
+				return nil, errors.StructuralError("signature doesn't have an issuer")
+			}
+			issuerKeyId = *sig.IssuerKeyId
+			hashFunc = sig.Hash
+			sigType = sig.SigType
+		case *packet.SignatureV3:
+			issuerKeyId = sig.IssuerKeyId
+			hashFunc = sig.Hash
+			sigType = sig.SigType
+		default:
+			return nil, errors.StructuralError("non signature packet found")
+		}
+
+		keys = keyring.KeysByIdUsage(issuerKeyId, packet.KeyFlagSign)
+		if len(keys) > 0 {
+			break
+		}
+	}
+
+	if len(keys) == 0 {
+		panic("unreachable")
+	}
+
+	h, wrappedHash, err := hashForSignature(hashFunc, sigType)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err := io.Copy(wrappedHash, signed); err != nil && err != io.EOF {
+		return nil, err
+	}
+
+	for _, key := range keys {
+		switch sig := p.(type) {
+		case *packet.Signature:
+			err = key.PublicKey.VerifySignature(h, sig)
+		case *packet.SignatureV3:
+			err = key.PublicKey.VerifySignatureV3(h, sig)
+		default:
+			panic("unreachable")
+		}
+
+		if err == nil {
+			return key.Entity, nil
+		}
+	}
+
+	return nil, err
+}
+
+// CheckArmoredDetachedSignature performs the same actions as
+// CheckDetachedSignature but expects the signature to be armored.
+func CheckArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) {
+	body, err := readArmored(signature, SignatureType)
+	if err != nil {
+		return
+	}
+
+	return CheckDetachedSignature(keyring, signed, body)
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go
new file mode 100644
index 0000000000..490cb633ce
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go
@@ -0,0 +1,279 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package s2k implements the various OpenPGP string-to-key transforms as
+// specified in RFC 4800 section 3.7.1.
+//
+// Deprecated: this package is unmaintained except for security fixes. New
+// applications should consider a more focused, modern alternative to OpenPGP
+// for their specific task. If you are required to interoperate with OpenPGP
+// systems and need a maintained package, consider a community fork.
+// See https://golang.org/issue/44226.
+package s2k
+
+import (
+	"crypto"
+	"hash"
+	"io"
+	"strconv"
+
+	"golang.org/x/crypto/openpgp/errors"
+)
+
+// Config collects configuration parameters for s2k key-stretching
+// transformatioms. A nil *Config is valid and results in all default
+// values. Currently, Config is used only by the Serialize function in
+// this package.
+type Config struct {
+	// Hash is the default hash function to be used. If
+	// nil, SHA1 is used.
+	Hash crypto.Hash
+	// S2KCount is only used for symmetric encryption. It
+	// determines the strength of the passphrase stretching when
+	// the said passphrase is hashed to produce a key. S2KCount
+	// should be between 1024 and 65011712, inclusive. If Config
+	// is nil or S2KCount is 0, the value 65536 used. Not all
+	// values in the above range can be represented. S2KCount will
+	// be rounded up to the next representable value if it cannot
+	// be encoded exactly. When set, it is strongly encrouraged to
+	// use a value that is at least 65536. See RFC 4880 Section
+	// 3.7.1.3.
+	S2KCount int
+}
+
+func (c *Config) hash() crypto.Hash {
+	if c == nil || uint(c.Hash) == 0 {
+		// SHA1 is the historical default in this package.
+		return crypto.SHA1
+	}
+
+	return c.Hash
+}
+
+func (c *Config) encodedCount() uint8 {
+	if c == nil || c.S2KCount == 0 {
+		return 96 // The common case. Corresponding to 65536
+	}
+
+	i := c.S2KCount
+	switch {
+	// Behave like GPG. Should we make 65536 the lowest value used?
+	case i < 1024:
+		i = 1024
+	case i > 65011712:
+		i = 65011712
+	}
+
+	return encodeCount(i)
+}
+
+// encodeCount converts an iterative "count" in the range 1024 to
+// 65011712, inclusive, to an encoded count. The return value is the
+// octet that is actually stored in the GPG file. encodeCount panics
+// if i is not in the above range (encodedCount above takes care to
+// pass i in the correct range). See RFC 4880 Section 3.7.7.1.
+func encodeCount(i int) uint8 {
+	if i < 1024 || i > 65011712 {
+		panic("count arg i outside the required range")
+	}
+
+	for encoded := 0; encoded < 256; encoded++ {
+		count := decodeCount(uint8(encoded))
+		if count >= i {
+			return uint8(encoded)
+		}
+	}
+
+	return 255
+}
+
+// decodeCount returns the s2k mode 3 iterative "count" corresponding to
+// the encoded octet c.
+func decodeCount(c uint8) int {
+	return (16 + int(c&15)) << (uint32(c>>4) + 6)
+}
+
+// Simple writes to out the result of computing the Simple S2K function (RFC
+// 4880, section 3.7.1.1) using the given hash and input passphrase.
+func Simple(out []byte, h hash.Hash, in []byte) {
+	Salted(out, h, in, nil)
+}
+
+var zero [1]byte
+
+// Salted writes to out the result of computing the Salted S2K function (RFC
+// 4880, section 3.7.1.2) using the given hash, input passphrase and salt.
+func Salted(out []byte, h hash.Hash, in []byte, salt []byte) {
+	done := 0
+	var digest []byte
+
+	for i := 0; done < len(out); i++ {
+		h.Reset()
+		for j := 0; j < i; j++ {
+			h.Write(zero[:])
+		}
+		h.Write(salt)
+		h.Write(in)
+		digest = h.Sum(digest[:0])
+		n := copy(out[done:], digest)
+		done += n
+	}
+}
+
+// Iterated writes to out the result of computing the Iterated and Salted S2K
+// function (RFC 4880, section 3.7.1.3) using the given hash, input passphrase,
+// salt and iteration count.
+func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) {
+	combined := make([]byte, len(in)+len(salt))
+	copy(combined, salt)
+	copy(combined[len(salt):], in)
+
+	if count < len(combined) {
+		count = len(combined)
+	}
+
+	done := 0
+	var digest []byte
+	for i := 0; done < len(out); i++ {
+		h.Reset()
+		for j := 0; j < i; j++ {
+			h.Write(zero[:])
+		}
+		written := 0
+		for written < count {
+			if written+len(combined) > count {
+				todo := count - written
+				h.Write(combined[:todo])
+				written = count
+			} else {
+				h.Write(combined)
+				written += len(combined)
+			}
+		}
+		digest = h.Sum(digest[:0])
+		n := copy(out[done:], digest)
+		done += n
+	}
+}
+
+// Parse reads a binary specification for a string-to-key transformation from r
+// and returns a function which performs that transform.
+func Parse(r io.Reader) (f func(out, in []byte), err error) {
+	var buf [9]byte
+
+	_, err = io.ReadFull(r, buf[:2])
+	if err != nil {
+		return
+	}
+
+	hash, ok := HashIdToHash(buf[1])
+	if !ok {
+		return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(buf[1])))
+	}
+	if !hash.Available() {
+		return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hash)))
+	}
+	h := hash.New()
+
+	switch buf[0] {
+	case 0:
+		f := func(out, in []byte) {
+			Simple(out, h, in)
+		}
+		return f, nil
+	case 1:
+		_, err = io.ReadFull(r, buf[:8])
+		if err != nil {
+			return
+		}
+		f := func(out, in []byte) {
+			Salted(out, h, in, buf[:8])
+		}
+		return f, nil
+	case 3:
+		_, err = io.ReadFull(r, buf[:9])
+		if err != nil {
+			return
+		}
+		count := decodeCount(buf[8])
+		f := func(out, in []byte) {
+			Iterated(out, h, in, buf[:8], count)
+		}
+		return f, nil
+	}
+
+	return nil, errors.UnsupportedError("S2K function")
+}
+
+// Serialize salts and stretches the given passphrase and writes the
+// resulting key into key. It also serializes an S2K descriptor to
+// w. The key stretching can be configured with c, which may be
+// nil. In that case, sensible defaults will be used.
+func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte, c *Config) error {
+	var buf [11]byte
+	buf[0] = 3 /* iterated and salted */
+	buf[1], _ = HashToHashId(c.hash())
+	salt := buf[2:10]
+	if _, err := io.ReadFull(rand, salt); err != nil {
+		return err
+	}
+	encodedCount := c.encodedCount()
+	count := decodeCount(encodedCount)
+	buf[10] = encodedCount
+	if _, err := w.Write(buf[:]); err != nil {
+		return err
+	}
+
+	Iterated(key, c.hash().New(), passphrase, salt, count)
+	return nil
+}
+
+// hashToHashIdMapping contains pairs relating OpenPGP's hash identifier with
+// Go's crypto.Hash type. See RFC 4880, section 9.4.
+var hashToHashIdMapping = []struct {
+	id   byte
+	hash crypto.Hash
+	name string
+}{
+	{1, crypto.MD5, "MD5"},
+	{2, crypto.SHA1, "SHA1"},
+	{3, crypto.RIPEMD160, "RIPEMD160"},
+	{8, crypto.SHA256, "SHA256"},
+	{9, crypto.SHA384, "SHA384"},
+	{10, crypto.SHA512, "SHA512"},
+	{11, crypto.SHA224, "SHA224"},
+}
+
+// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id.
+func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
+	for _, m := range hashToHashIdMapping {
+		if m.id == id {
+			return m.hash, true
+		}
+	}
+	return 0, false
+}
+
+// HashIdToString returns the name of the hash function corresponding to the
+// given OpenPGP hash id.
+func HashIdToString(id byte) (name string, ok bool) {
+	for _, m := range hashToHashIdMapping {
+		if m.id == id {
+			return m.name, true
+		}
+	}
+
+	return "", false
+}
+
+// HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
+func HashToHashId(h crypto.Hash) (id byte, ok bool) {
+	for _, m := range hashToHashIdMapping {
+		if m.hash == h {
+			return m.id, true
+		}
+	}
+	return 0, false
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/write.go b/vendor/golang.org/x/crypto/openpgp/write.go
new file mode 100644
index 0000000000..b89d48b81d
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/write.go
@@ -0,0 +1,418 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package openpgp
+
+import (
+	"crypto"
+	"hash"
+	"io"
+	"strconv"
+	"time"
+
+	"golang.org/x/crypto/openpgp/armor"
+	"golang.org/x/crypto/openpgp/errors"
+	"golang.org/x/crypto/openpgp/packet"
+	"golang.org/x/crypto/openpgp/s2k"
+)
+
+// DetachSign signs message with the private key from signer (which must
+// already have been decrypted) and writes the signature to w.
+// If config is nil, sensible defaults will be used.
+func DetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
+	return detachSign(w, signer, message, packet.SigTypeBinary, config)
+}
+
+// ArmoredDetachSign signs message with the private key from signer (which
+// must already have been decrypted) and writes an armored signature to w.
+// If config is nil, sensible defaults will be used.
+func ArmoredDetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) (err error) {
+	return armoredDetachSign(w, signer, message, packet.SigTypeBinary, config)
+}
+
+// DetachSignText signs message (after canonicalising the line endings) with
+// the private key from signer (which must already have been decrypted) and
+// writes the signature to w.
+// If config is nil, sensible defaults will be used.
+func DetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
+	return detachSign(w, signer, message, packet.SigTypeText, config)
+}
+
+// ArmoredDetachSignText signs message (after canonicalising the line endings)
+// with the private key from signer (which must already have been decrypted)
+// and writes an armored signature to w.
+// If config is nil, sensible defaults will be used.
+func ArmoredDetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
+	return armoredDetachSign(w, signer, message, packet.SigTypeText, config)
+}
+
+func armoredDetachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
+	out, err := armor.Encode(w, SignatureType, nil)
+	if err != nil {
+		return
+	}
+	err = detachSign(out, signer, message, sigType, config)
+	if err != nil {
+		return
+	}
+	return out.Close()
+}
+
+func detachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
+	if signer.PrivateKey == nil {
+		return errors.InvalidArgumentError("signing key doesn't have a private key")
+	}
+	if signer.PrivateKey.Encrypted {
+		return errors.InvalidArgumentError("signing key is encrypted")
+	}
+
+	sig := new(packet.Signature)
+	sig.SigType = sigType
+	sig.PubKeyAlgo = signer.PrivateKey.PubKeyAlgo
+	sig.Hash = config.Hash()
+	sig.CreationTime = config.Now()
+	sig.IssuerKeyId = &signer.PrivateKey.KeyId
+
+	h, wrappedHash, err := hashForSignature(sig.Hash, sig.SigType)
+	if err != nil {
+		return
+	}
+	io.Copy(wrappedHash, message)
+
+	err = sig.Sign(h, signer.PrivateKey, config)
+	if err != nil {
+		return
+	}
+
+	return sig.Serialize(w)
+}
+
+// FileHints contains metadata about encrypted files. This metadata is, itself,
+// encrypted.
+type FileHints struct {
+	// IsBinary can be set to hint that the contents are binary data.
+	IsBinary bool
+	// FileName hints at the name of the file that should be written. It's
+	// truncated to 255 bytes if longer. It may be empty to suggest that the
+	// file should not be written to disk. It may be equal to "_CONSOLE" to
+	// suggest the data should not be written to disk.
+	FileName string
+	// ModTime contains the modification time of the file, or the zero time if not applicable.
+	ModTime time.Time
+}
+
+// SymmetricallyEncrypt acts like gpg -c: it encrypts a file with a passphrase.
+// The resulting WriteCloser must be closed after the contents of the file have
+// been written.
+// If config is nil, sensible defaults will be used.
+func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
+	if hints == nil {
+		hints = &FileHints{}
+	}
+
+	key, err := packet.SerializeSymmetricKeyEncrypted(ciphertext, passphrase, config)
+	if err != nil {
+		return
+	}
+	w, err := packet.SerializeSymmetricallyEncrypted(ciphertext, config.Cipher(), key, config)
+	if err != nil {
+		return
+	}
+
+	literaldata := w
+	if algo := config.Compression(); algo != packet.CompressionNone {
+		var compConfig *packet.CompressionConfig
+		if config != nil {
+			compConfig = config.CompressionConfig
+		}
+		literaldata, err = packet.SerializeCompressed(w, algo, compConfig)
+		if err != nil {
+			return
+		}
+	}
+
+	var epochSeconds uint32
+	if !hints.ModTime.IsZero() {
+		epochSeconds = uint32(hints.ModTime.Unix())
+	}
+	return packet.SerializeLiteral(literaldata, hints.IsBinary, hints.FileName, epochSeconds)
+}
+
+// intersectPreferences mutates and returns a prefix of a that contains only
+// the values in the intersection of a and b. The order of a is preserved.
+func intersectPreferences(a []uint8, b []uint8) (intersection []uint8) {
+	var j int
+	for _, v := range a {
+		for _, v2 := range b {
+			if v == v2 {
+				a[j] = v
+				j++
+				break
+			}
+		}
+	}
+
+	return a[:j]
+}
+
+func hashToHashId(h crypto.Hash) uint8 {
+	v, ok := s2k.HashToHashId(h)
+	if !ok {
+		panic("tried to convert unknown hash")
+	}
+	return v
+}
+
+// writeAndSign writes the data as a payload package and, optionally, signs
+// it. hints contains optional information, that is also encrypted,
+// that aids the recipients in processing the message. The resulting
+// WriteCloser must be closed after the contents of the file have been
+// written. If config is nil, sensible defaults will be used.
+func writeAndSign(payload io.WriteCloser, candidateHashes []uint8, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
+	var signer *packet.PrivateKey
+	if signed != nil {
+		signKey, ok := signed.signingKey(config.Now())
+		if !ok {
+			return nil, errors.InvalidArgumentError("no valid signing keys")
+		}
+		signer = signKey.PrivateKey
+		if signer == nil {
+			return nil, errors.InvalidArgumentError("no private key in signing key")
+		}
+		if signer.Encrypted {
+			return nil, errors.InvalidArgumentError("signing key must be decrypted")
+		}
+	}
+
+	var hash crypto.Hash
+	for _, hashId := range candidateHashes {
+		if h, ok := s2k.HashIdToHash(hashId); ok && h.Available() {
+			hash = h
+			break
+		}
+	}
+
+	// If the hash specified by config is a candidate, we'll use that.
+	if configuredHash := config.Hash(); configuredHash.Available() {
+		for _, hashId := range candidateHashes {
+			if h, ok := s2k.HashIdToHash(hashId); ok && h == configuredHash {
+				hash = h
+				break
+			}
+		}
+	}
+
+	if hash == 0 {
+		hashId := candidateHashes[0]
+		name, ok := s2k.HashIdToString(hashId)
+		if !ok {
+			name = "#" + strconv.Itoa(int(hashId))
+		}
+		return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)")
+	}
+
+	if signer != nil {
+		ops := &packet.OnePassSignature{
+			SigType:    packet.SigTypeBinary,
+			Hash:       hash,
+			PubKeyAlgo: signer.PubKeyAlgo,
+			KeyId:      signer.KeyId,
+			IsLast:     true,
+		}
+		if err := ops.Serialize(payload); err != nil {
+			return nil, err
+		}
+	}
+
+	if hints == nil {
+		hints = &FileHints{}
+	}
+
+	w := payload
+	if signer != nil {
+		// If we need to write a signature packet after the literal
+		// data then we need to stop literalData from closing
+		// encryptedData.
+		w = noOpCloser{w}
+
+	}
+	var epochSeconds uint32
+	if !hints.ModTime.IsZero() {
+		epochSeconds = uint32(hints.ModTime.Unix())
+	}
+	literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds)
+	if err != nil {
+		return nil, err
+	}
+
+	if signer != nil {
+		return signatureWriter{payload, literalData, hash, hash.New(), signer, config}, nil
+	}
+	return literalData, nil
+}
+
+// Encrypt encrypts a message to a number of recipients and, optionally, signs
+// it. hints contains optional information, that is also encrypted, that aids
+// the recipients in processing the message. The resulting WriteCloser must
+// be closed after the contents of the file have been written.
+// If config is nil, sensible defaults will be used.
+func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
+	if len(to) == 0 {
+		return nil, errors.InvalidArgumentError("no encryption recipient provided")
+	}
+
+	// These are the possible ciphers that we'll use for the message.
+	candidateCiphers := []uint8{
+		uint8(packet.CipherAES128),
+		uint8(packet.CipherAES256),
+		uint8(packet.CipherCAST5),
+	}
+	// These are the possible hash functions that we'll use for the signature.
+	candidateHashes := []uint8{
+		hashToHashId(crypto.SHA256),
+		hashToHashId(crypto.SHA384),
+		hashToHashId(crypto.SHA512),
+		hashToHashId(crypto.SHA1),
+		hashToHashId(crypto.RIPEMD160),
+	}
+	// In the event that a recipient doesn't specify any supported ciphers
+	// or hash functions, these are the ones that we assume that every
+	// implementation supports.
+	defaultCiphers := candidateCiphers[len(candidateCiphers)-1:]
+	defaultHashes := candidateHashes[len(candidateHashes)-1:]
+
+	encryptKeys := make([]Key, len(to))
+	for i := range to {
+		var ok bool
+		encryptKeys[i], ok = to[i].encryptionKey(config.Now())
+		if !ok {
+			return nil, errors.InvalidArgumentError("cannot encrypt a message to key id " + strconv.FormatUint(to[i].PrimaryKey.KeyId, 16) + " because it has no encryption keys")
+		}
+
+		sig := to[i].primaryIdentity().SelfSignature
+
+		preferredSymmetric := sig.PreferredSymmetric
+		if len(preferredSymmetric) == 0 {
+			preferredSymmetric = defaultCiphers
+		}
+		preferredHashes := sig.PreferredHash
+		if len(preferredHashes) == 0 {
+			preferredHashes = defaultHashes
+		}
+		candidateCiphers = intersectPreferences(candidateCiphers, preferredSymmetric)
+		candidateHashes = intersectPreferences(candidateHashes, preferredHashes)
+	}
+
+	if len(candidateCiphers) == 0 || len(candidateHashes) == 0 {
+		return nil, errors.InvalidArgumentError("cannot encrypt because recipient set shares no common algorithms")
+	}
+
+	cipher := packet.CipherFunction(candidateCiphers[0])
+	// If the cipher specified by config is a candidate, we'll use that.
+	configuredCipher := config.Cipher()
+	for _, c := range candidateCiphers {
+		cipherFunc := packet.CipherFunction(c)
+		if cipherFunc == configuredCipher {
+			cipher = cipherFunc
+			break
+		}
+	}
+
+	symKey := make([]byte, cipher.KeySize())
+	if _, err := io.ReadFull(config.Random(), symKey); err != nil {
+		return nil, err
+	}
+
+	for _, key := range encryptKeys {
+		if err := packet.SerializeEncryptedKey(ciphertext, key.PublicKey, cipher, symKey, config); err != nil {
+			return nil, err
+		}
+	}
+
+	payload, err := packet.SerializeSymmetricallyEncrypted(ciphertext, cipher, symKey, config)
+	if err != nil {
+		return
+	}
+
+	return writeAndSign(payload, candidateHashes, signed, hints, config)
+}
+
+// Sign signs a message. The resulting WriteCloser must be closed after the
+// contents of the file have been written.  hints contains optional information
+// that aids the recipients in processing the message.
+// If config is nil, sensible defaults will be used.
+func Sign(output io.Writer, signed *Entity, hints *FileHints, config *packet.Config) (input io.WriteCloser, err error) {
+	if signed == nil {
+		return nil, errors.InvalidArgumentError("no signer provided")
+	}
+
+	// These are the possible hash functions that we'll use for the signature.
+	candidateHashes := []uint8{
+		hashToHashId(crypto.SHA256),
+		hashToHashId(crypto.SHA384),
+		hashToHashId(crypto.SHA512),
+		hashToHashId(crypto.SHA1),
+		hashToHashId(crypto.RIPEMD160),
+	}
+	defaultHashes := candidateHashes[len(candidateHashes)-1:]
+	preferredHashes := signed.primaryIdentity().SelfSignature.PreferredHash
+	if len(preferredHashes) == 0 {
+		preferredHashes = defaultHashes
+	}
+	candidateHashes = intersectPreferences(candidateHashes, preferredHashes)
+	return writeAndSign(noOpCloser{output}, candidateHashes, signed, hints, config)
+}
+
+// signatureWriter hashes the contents of a message while passing it along to
+// literalData. When closed, it closes literalData, writes a signature packet
+// to encryptedData and then also closes encryptedData.
+type signatureWriter struct {
+	encryptedData io.WriteCloser
+	literalData   io.WriteCloser
+	hashType      crypto.Hash
+	h             hash.Hash
+	signer        *packet.PrivateKey
+	config        *packet.Config
+}
+
+func (s signatureWriter) Write(data []byte) (int, error) {
+	s.h.Write(data)
+	return s.literalData.Write(data)
+}
+
+func (s signatureWriter) Close() error {
+	sig := &packet.Signature{
+		SigType:      packet.SigTypeBinary,
+		PubKeyAlgo:   s.signer.PubKeyAlgo,
+		Hash:         s.hashType,
+		CreationTime: s.config.Now(),
+		IssuerKeyId:  &s.signer.KeyId,
+	}
+
+	if err := sig.Sign(s.h, s.signer, s.config); err != nil {
+		return err
+	}
+	if err := s.literalData.Close(); err != nil {
+		return err
+	}
+	if err := sig.Serialize(s.encryptedData); err != nil {
+		return err
+	}
+	return s.encryptedData.Close()
+}
+
+// noOpCloser is like an io.NopCloser, but for an io.Writer.
+// TODO: we have two of these in OpenPGP packages alone. This probably needs
+// to be promoted somewhere more common.
+type noOpCloser struct {
+	w io.Writer
+}
+
+func (c noOpCloser) Write(data []byte) (n int, err error) {
+	return c.w.Write(data)
+}
+
+func (c noOpCloser) Close() error {
+	return nil
+}
diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
new file mode 100644
index 0000000000..28cd99c7f3
--- /dev/null
+++ b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
@@ -0,0 +1,77 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+/*
+Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
+2898 / PKCS #5 v2.0.
+
+A key derivation function is useful when encrypting data based on a password
+or any other not-fully-random data. It uses a pseudorandom function to derive
+a secure encryption key based on the password.
+
+While v2.0 of the standard defines only one pseudorandom function to use,
+HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
+Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
+choose, you can pass the `New` functions from the different SHA packages to
+pbkdf2.Key.
+*/
+package pbkdf2
+
+import (
+	"crypto/hmac"
+	"hash"
+)
+
+// Key derives a key from the password, salt and iteration count, returning a
+// []byte of length keylen that can be used as cryptographic key. The key is
+// derived based on the method described as PBKDF2 with the HMAC variant using
+// the supplied hash function.
+//
+// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
+// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
+// doing:
+//
+//	dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
+//
+// Remember to get a good random salt. At least 8 bytes is recommended by the
+// RFC.
+//
+// Using a higher iteration count will increase the cost of an exhaustive
+// search but will also make derivation proportionally slower.
+func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
+	prf := hmac.New(h, password)
+	hashLen := prf.Size()
+	numBlocks := (keyLen + hashLen - 1) / hashLen
+
+	var buf [4]byte
+	dk := make([]byte, 0, numBlocks*hashLen)
+	U := make([]byte, hashLen)
+	for block := 1; block <= numBlocks; block++ {
+		// N.B.: || means concatenation, ^ means XOR
+		// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
+		// U_1 = PRF(password, salt || uint(i))
+		prf.Reset()
+		prf.Write(salt)
+		buf[0] = byte(block >> 24)
+		buf[1] = byte(block >> 16)
+		buf[2] = byte(block >> 8)
+		buf[3] = byte(block)
+		prf.Write(buf[:4])
+		dk = prf.Sum(dk)
+		T := dk[len(dk)-hashLen:]
+		copy(U, T)
+
+		// U_n = PRF(password, U_(n-1))
+		for n := 2; n <= iter; n++ {
+			prf.Reset()
+			prf.Write(U)
+			U = U[:0]
+			U = prf.Sum(U)
+			for x := range U {
+				T[x] ^= U[x]
+			}
+		}
+	}
+	return dk[:keyLen]
+}
diff --git a/vendor/golang.org/x/crypto/scrypt/scrypt.go b/vendor/golang.org/x/crypto/scrypt/scrypt.go
new file mode 100644
index 0000000000..76fa40fb20
--- /dev/null
+++ b/vendor/golang.org/x/crypto/scrypt/scrypt.go
@@ -0,0 +1,212 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package scrypt implements the scrypt key derivation function as defined in
+// Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard
+// Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf).
+package scrypt
+
+import (
+	"crypto/sha256"
+	"encoding/binary"
+	"errors"
+	"math/bits"
+
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const maxInt = int(^uint(0) >> 1)
+
+// blockCopy copies n numbers from src into dst.
+func blockCopy(dst, src []uint32, n int) {
+	copy(dst, src[:n])
+}
+
+// blockXOR XORs numbers from dst with n numbers from src.
+func blockXOR(dst, src []uint32, n int) {
+	for i, v := range src[:n] {
+		dst[i] ^= v
+	}
+}
+
+// salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in,
+// and puts the result into both tmp and out.
+func salsaXOR(tmp *[16]uint32, in, out []uint32) {
+	w0 := tmp[0] ^ in[0]
+	w1 := tmp[1] ^ in[1]
+	w2 := tmp[2] ^ in[2]
+	w3 := tmp[3] ^ in[3]
+	w4 := tmp[4] ^ in[4]
+	w5 := tmp[5] ^ in[5]
+	w6 := tmp[6] ^ in[6]
+	w7 := tmp[7] ^ in[7]
+	w8 := tmp[8] ^ in[8]
+	w9 := tmp[9] ^ in[9]
+	w10 := tmp[10] ^ in[10]
+	w11 := tmp[11] ^ in[11]
+	w12 := tmp[12] ^ in[12]
+	w13 := tmp[13] ^ in[13]
+	w14 := tmp[14] ^ in[14]
+	w15 := tmp[15] ^ in[15]
+
+	x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8
+	x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15
+
+	for i := 0; i < 8; i += 2 {
+		x4 ^= bits.RotateLeft32(x0+x12, 7)
+		x8 ^= bits.RotateLeft32(x4+x0, 9)
+		x12 ^= bits.RotateLeft32(x8+x4, 13)
+		x0 ^= bits.RotateLeft32(x12+x8, 18)
+
+		x9 ^= bits.RotateLeft32(x5+x1, 7)
+		x13 ^= bits.RotateLeft32(x9+x5, 9)
+		x1 ^= bits.RotateLeft32(x13+x9, 13)
+		x5 ^= bits.RotateLeft32(x1+x13, 18)
+
+		x14 ^= bits.RotateLeft32(x10+x6, 7)
+		x2 ^= bits.RotateLeft32(x14+x10, 9)
+		x6 ^= bits.RotateLeft32(x2+x14, 13)
+		x10 ^= bits.RotateLeft32(x6+x2, 18)
+
+		x3 ^= bits.RotateLeft32(x15+x11, 7)
+		x7 ^= bits.RotateLeft32(x3+x15, 9)
+		x11 ^= bits.RotateLeft32(x7+x3, 13)
+		x15 ^= bits.RotateLeft32(x11+x7, 18)
+
+		x1 ^= bits.RotateLeft32(x0+x3, 7)
+		x2 ^= bits.RotateLeft32(x1+x0, 9)
+		x3 ^= bits.RotateLeft32(x2+x1, 13)
+		x0 ^= bits.RotateLeft32(x3+x2, 18)
+
+		x6 ^= bits.RotateLeft32(x5+x4, 7)
+		x7 ^= bits.RotateLeft32(x6+x5, 9)
+		x4 ^= bits.RotateLeft32(x7+x6, 13)
+		x5 ^= bits.RotateLeft32(x4+x7, 18)
+
+		x11 ^= bits.RotateLeft32(x10+x9, 7)
+		x8 ^= bits.RotateLeft32(x11+x10, 9)
+		x9 ^= bits.RotateLeft32(x8+x11, 13)
+		x10 ^= bits.RotateLeft32(x9+x8, 18)
+
+		x12 ^= bits.RotateLeft32(x15+x14, 7)
+		x13 ^= bits.RotateLeft32(x12+x15, 9)
+		x14 ^= bits.RotateLeft32(x13+x12, 13)
+		x15 ^= bits.RotateLeft32(x14+x13, 18)
+	}
+	x0 += w0
+	x1 += w1
+	x2 += w2
+	x3 += w3
+	x4 += w4
+	x5 += w5
+	x6 += w6
+	x7 += w7
+	x8 += w8
+	x9 += w9
+	x10 += w10
+	x11 += w11
+	x12 += w12
+	x13 += w13
+	x14 += w14
+	x15 += w15
+
+	out[0], tmp[0] = x0, x0
+	out[1], tmp[1] = x1, x1
+	out[2], tmp[2] = x2, x2
+	out[3], tmp[3] = x3, x3
+	out[4], tmp[4] = x4, x4
+	out[5], tmp[5] = x5, x5
+	out[6], tmp[6] = x6, x6
+	out[7], tmp[7] = x7, x7
+	out[8], tmp[8] = x8, x8
+	out[9], tmp[9] = x9, x9
+	out[10], tmp[10] = x10, x10
+	out[11], tmp[11] = x11, x11
+	out[12], tmp[12] = x12, x12
+	out[13], tmp[13] = x13, x13
+	out[14], tmp[14] = x14, x14
+	out[15], tmp[15] = x15, x15
+}
+
+func blockMix(tmp *[16]uint32, in, out []uint32, r int) {
+	blockCopy(tmp[:], in[(2*r-1)*16:], 16)
+	for i := 0; i < 2*r; i += 2 {
+		salsaXOR(tmp, in[i*16:], out[i*8:])
+		salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:])
+	}
+}
+
+func integer(b []uint32, r int) uint64 {
+	j := (2*r - 1) * 16
+	return uint64(b[j]) | uint64(b[j+1])<<32
+}
+
+func smix(b []byte, r, N int, v, xy []uint32) {
+	var tmp [16]uint32
+	R := 32 * r
+	x := xy
+	y := xy[R:]
+
+	j := 0
+	for i := 0; i < R; i++ {
+		x[i] = binary.LittleEndian.Uint32(b[j:])
+		j += 4
+	}
+	for i := 0; i < N; i += 2 {
+		blockCopy(v[i*R:], x, R)
+		blockMix(&tmp, x, y, r)
+
+		blockCopy(v[(i+1)*R:], y, R)
+		blockMix(&tmp, y, x, r)
+	}
+	for i := 0; i < N; i += 2 {
+		j := int(integer(x, r) & uint64(N-1))
+		blockXOR(x, v[j*R:], R)
+		blockMix(&tmp, x, y, r)
+
+		j = int(integer(y, r) & uint64(N-1))
+		blockXOR(y, v[j*R:], R)
+		blockMix(&tmp, y, x, r)
+	}
+	j = 0
+	for _, v := range x[:R] {
+		binary.LittleEndian.PutUint32(b[j:], v)
+		j += 4
+	}
+}
+
+// Key derives a key from the password, salt, and cost parameters, returning
+// a byte slice of length keyLen that can be used as cryptographic key.
+//
+// N is a CPU/memory cost parameter, which must be a power of two greater than 1.
+// r and p must satisfy r * p < 2³�. If the parameters do not satisfy the
+// limits, the function returns a nil byte slice and an error.
+//
+// For example, you can get a derived key for e.g. AES-256 (which needs a
+// 32-byte key) by doing:
+//
+//	dk, err := scrypt.Key([]byte("some password"), salt, 32768, 8, 1, 32)
+//
+// The recommended parameters for interactive logins as of 2017 are N=32768, r=8
+// and p=1. The parameters N, r, and p should be increased as memory latency and
+// CPU parallelism increases; consider setting N to the highest power of 2 you
+// can derive within 100 milliseconds. Remember to get a good random salt.
+func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) {
+	if N <= 1 || N&(N-1) != 0 {
+		return nil, errors.New("scrypt: N must be > 1 and a power of 2")
+	}
+	if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r {
+		return nil, errors.New("scrypt: parameters are too large")
+	}
+
+	xy := make([]uint32, 64*r)
+	v := make([]uint32, 32*N*r)
+	b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New)
+
+	for i := 0; i < p; i++ {
+		smix(b[i*128*r:], r, N, v, xy)
+	}
+
+	return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil
+}
diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
index 1965913e54..ccb87e6da3 100644
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -376,11 +376,24 @@ type ClientConn struct {
 	// completely unresponsive connection.
 	pendingResets int
 
+	// readBeforeStreamID is the smallest stream ID that has not been followed by
+	// a frame read from the peer. We use this to determine when a request may
+	// have been sent to a completely unresponsive connection:
+	// If the request ID is less than readBeforeStreamID, then we have had some
+	// indication of life on the connection since sending the request.
+	readBeforeStreamID uint32
+
 	// reqHeaderMu is a 1-element semaphore channel controlling access to sending new requests.
 	// Write to reqHeaderMu to lock it, read from it to unlock.
 	// Lock reqmu BEFORE mu or wmu.
 	reqHeaderMu chan struct{}
 
+	// internalStateHook reports state changes back to the net/http.ClientConn.
+	// Note that this is different from the user state hook registered by
+	// net/http.ClientConn.SetStateHook: The internal hook calls ClientConn,
+	// which calls the user hook.
+	internalStateHook func()
+
 	// wmu is held while writing.
 	// Acquire BEFORE mu when holding both, to avoid blocking mu on network writes.
 	// Only acquire both at the same time when changing peer settings.
@@ -710,7 +723,7 @@ func canRetryError(err error) bool {
 
 func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse bool) (*ClientConn, error) {
 	if t.transportTestHooks != nil {
-		return t.newClientConn(nil, singleUse)
+		return t.newClientConn(nil, singleUse, nil)
 	}
 	host, _, err := net.SplitHostPort(addr)
 	if err != nil {
@@ -720,7 +733,7 @@ func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse b
 	if err != nil {
 		return nil, err
 	}
-	return t.newClientConn(tconn, singleUse)
+	return t.newClientConn(tconn, singleUse, nil)
 }
 
 func (t *Transport) newTLSConfig(host string) *tls.Config {
@@ -772,10 +785,10 @@ func (t *Transport) expectContinueTimeout() time.Duration {
 }
 
 func (t *Transport) NewClientConn(c net.Conn) (*ClientConn, error) {
-	return t.newClientConn(c, t.disableKeepAlives())
+	return t.newClientConn(c, t.disableKeepAlives(), nil)
 }
 
-func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, error) {
+func (t *Transport) newClientConn(c net.Conn, singleUse bool, internalStateHook func()) (*ClientConn, error) {
 	conf := configFromTransport(t)
 	cc := &ClientConn{
 		t:                           t,
@@ -797,6 +810,7 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 		pings:                       make(map[[8]byte]chan struct{}),
 		reqHeaderMu:                 make(chan struct{}, 1),
 		lastActive:                  time.Now(),
+		internalStateHook:           internalStateHook,
 	}
 	if t.transportTestHooks != nil {
 		t.transportTestHooks.newclientconn(cc)
@@ -1037,10 +1051,7 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 		maxConcurrentOkay = cc.currentRequestCountLocked() < int(cc.maxConcurrentStreams)
 	}
 
-	st.canTakeNewRequest = cc.goAway == nil && !cc.closed && !cc.closing && maxConcurrentOkay &&
-		!cc.doNotReuse &&
-		int64(cc.nextStreamID)+2*int64(cc.pendingRequests) < math.MaxInt32 &&
-		!cc.tooIdleLocked()
+	st.canTakeNewRequest = maxConcurrentOkay && cc.isUsableLocked()
 
 	// If this connection has never been used for a request and is closed,
 	// then let it take a request (which will fail).
@@ -1056,6 +1067,31 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 	return
 }
 
+func (cc *ClientConn) isUsableLocked() bool {
+	return cc.goAway == nil &&
+		!cc.closed &&
+		!cc.closing &&
+		!cc.doNotReuse &&
+		int64(cc.nextStreamID)+2*int64(cc.pendingRequests) < math.MaxInt32 &&
+		!cc.tooIdleLocked()
+}
+
+// canReserveLocked reports whether a net/http.ClientConn can reserve a slot on this conn.
+//
+// This follows slightly different rules than clientConnIdleState.canTakeNewRequest.
+// We only permit reservations up to the conn's concurrency limit.
+// This differs from ClientConn.ReserveNewRequest, which permits reservations
+// past the limit when StrictMaxConcurrentStreams is set.
+func (cc *ClientConn) canReserveLocked() bool {
+	if cc.currentRequestCountLocked() >= int(cc.maxConcurrentStreams) {
+		return false
+	}
+	if !cc.isUsableLocked() {
+		return false
+	}
+	return true
+}
+
 // currentRequestCountLocked reports the number of concurrency slots currently in use,
 // including active streams, reserved slots, and reset streams waiting for acknowledgement.
 func (cc *ClientConn) currentRequestCountLocked() int {
@@ -1067,6 +1103,14 @@ func (cc *ClientConn) canTakeNewRequestLocked() bool {
 	return st.canTakeNewRequest
 }
 
+// availableLocked reports the number of concurrency slots available.
+func (cc *ClientConn) availableLocked() int {
+	if !cc.canTakeNewRequestLocked() {
+		return 0
+	}
+	return max(0, int(cc.maxConcurrentStreams)-cc.currentRequestCountLocked())
+}
+
 // tooIdleLocked reports whether this connection has been been sitting idle
 // for too much wall time.
 func (cc *ClientConn) tooIdleLocked() bool {
@@ -1091,6 +1135,7 @@ func (cc *ClientConn) closeConn() {
 	t := time.AfterFunc(250*time.Millisecond, cc.forceCloseConn)
 	defer t.Stop()
 	cc.tconn.Close()
+	cc.maybeCallStateHook()
 }
 
 // A tls.Conn.Close can hang for a long time if the peer is unresponsive.
@@ -1616,6 +1661,8 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 	}
 	bodyClosed := cs.reqBodyClosed
 	closeOnIdle := cc.singleUse || cc.doNotReuse || cc.t.disableKeepAlives() || cc.goAway != nil
+	// Have we read any frames from the connection since sending this request?
+	readSinceStream := cc.readBeforeStreamID > cs.ID
 	cc.mu.Unlock()
 	if mustCloseBody {
 		cs.reqBody.Close()
@@ -1647,8 +1694,10 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 				//
 				// This could be due to the server becoming unresponsive.
 				// To avoid sending too many requests on a dead connection,
-				// we let the request continue to consume a concurrency slot
-				// until we can confirm the server is still responding.
+				// if we haven't read any frames from the connection since
+				// sending this request, we let it continue to consume
+				// a concurrency slot until we can confirm the server is
+				// still responding.
 				// We do this by sending a PING frame along with the RST_STREAM
 				// (unless a ping is already in flight).
 				//
@@ -1659,7 +1708,7 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 				// because it's short lived and will probably be closed before
 				// we get the ping response.
 				ping := false
-				if !closeOnIdle {
+				if !closeOnIdle && !readSinceStream {
 					cc.mu.Lock()
 					// rstStreamPingsBlocked works around a gRPC behavior:
 					// see comment on the field for details.
@@ -1693,6 +1742,7 @@ func (cs *clientStream) cleanupWriteRequest(err error) {
 	}
 
 	close(cs.donec)
+	cc.maybeCallStateHook()
 }
 
 // awaitOpenSlotForStreamLocked waits until len(streams) < maxConcurrentStreams.
@@ -2745,6 +2795,7 @@ func (rl *clientConnReadLoop) streamByID(id uint32, headerOrData bool) *clientSt
 		// See comment on ClientConn.rstStreamPingsBlocked for details.
 		rl.cc.rstStreamPingsBlocked = false
 	}
+	rl.cc.readBeforeStreamID = rl.cc.nextStreamID
 	cs := rl.cc.streams[id]
 	if cs != nil && !cs.readAborted {
 		return cs
@@ -2795,6 +2846,7 @@ func (rl *clientConnReadLoop) processSettings(f *SettingsFrame) error {
 
 func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
 	cc := rl.cc
+	defer cc.maybeCallStateHook()
 	cc.mu.Lock()
 	defer cc.mu.Unlock()
 
@@ -2975,6 +3027,7 @@ func (cc *ClientConn) Ping(ctx context.Context) error {
 func (rl *clientConnReadLoop) processPing(f *PingFrame) error {
 	if f.IsAck() {
 		cc := rl.cc
+		defer cc.maybeCallStateHook()
 		cc.mu.Lock()
 		defer cc.mu.Unlock()
 		// If ack, notify listener if any
@@ -3198,9 +3251,13 @@ func registerHTTPSProtocol(t *http.Transport, rt noDialH2RoundTripper) (err erro
 }
 
 // noDialH2RoundTripper is a RoundTripper which only tries to complete the request
-// if there's already has a cached connection to the host.
+// if there's already a cached connection to the host.
 // (The field is exported so it can be accessed via reflect from net/http; tested
 // by TestNoDialH2RoundTripperType)
+//
+// A noDialH2RoundTripper is registered with http1.Transport.RegisterProtocol,
+// and the http1.Transport can use type assertions to call non-RoundTrip methods on it.
+// This lets us expose, for example, NewClientConn to net/http.
 type noDialH2RoundTripper struct{ *Transport }
 
 func (rt noDialH2RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -3211,6 +3268,85 @@ func (rt noDialH2RoundTripper) RoundTrip(req *http.Request) (*http.Response, err
 	return res, err
 }
 
+func (rt noDialH2RoundTripper) NewClientConn(conn net.Conn, internalStateHook func()) (http.RoundTripper, error) {
+	tr := rt.Transport
+	cc, err := tr.newClientConn(conn, tr.disableKeepAlives(), internalStateHook)
+	if err != nil {
+		return nil, err
+	}
+
+	// RoundTrip should block when the conn is at its concurrency limit,
+	// not return an error. Setting strictMaxConcurrentStreams enables this.
+	cc.strictMaxConcurrentStreams = true
+
+	return netHTTPClientConn{cc}, nil
+}
+
+// netHTTPClientConn wraps ClientConn and implements the interface net/http expects from
+// the RoundTripper returned by NewClientConn.
+type netHTTPClientConn struct {
+	cc *ClientConn
+}
+
+func (cc netHTTPClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
+	return cc.cc.RoundTrip(req)
+}
+
+func (cc netHTTPClientConn) Close() error {
+	return cc.cc.Close()
+}
+
+func (cc netHTTPClientConn) Err() error {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	if cc.cc.closed {
+		return errors.New("connection closed")
+	}
+	return nil
+}
+
+func (cc netHTTPClientConn) Reserve() error {
+	defer cc.cc.maybeCallStateHook()
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	if !cc.cc.canReserveLocked() {
+		return errors.New("connection is unavailable")
+	}
+	cc.cc.streamsReserved++
+	return nil
+}
+
+func (cc netHTTPClientConn) Release() {
+	defer cc.cc.maybeCallStateHook()
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	// We don't complain if streamsReserved is 0.
+	//
+	// This is consistent with RoundTrip: both Release and RoundTrip will
+	// consume a reservation iff one exists.
+	if cc.cc.streamsReserved > 0 {
+		cc.cc.streamsReserved--
+	}
+}
+
+func (cc netHTTPClientConn) Available() int {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	return cc.cc.availableLocked()
+}
+
+func (cc netHTTPClientConn) InFlight() int {
+	cc.cc.mu.Lock()
+	defer cc.cc.mu.Unlock()
+	return cc.cc.currentRequestCountLocked()
+}
+
+func (cc *ClientConn) maybeCallStateHook() {
+	if cc.internalStateHook != nil {
+		cc.internalStateHook()
+	}
+}
+
 func (t *Transport) idleConnTimeout() time.Duration {
 	// to keep things backwards compatible, we use non-zero values of
 	// IdleConnTimeout, followed by using the IdleConnTimeout on the underlying
diff --git a/vendor/golang.org/x/net/trace/events.go b/vendor/golang.org/x/net/trace/events.go
index 3aaffdd1f7..c2b3c00980 100644
--- a/vendor/golang.org/x/net/trace/events.go
+++ b/vendor/golang.org/x/net/trace/events.go
@@ -58,8 +58,8 @@ func RenderEvents(w http.ResponseWriter, req *http.Request, sensitive bool) {
 		Buckets: buckets,
 	}
 
-	data.Families = make([]string, 0, len(families))
 	famMu.RLock()
+	data.Families = make([]string, 0, len(families))
 	for name := range families {
 		data.Families = append(data.Families, name)
 	}
diff --git a/vendor/golang.org/x/oauth2/deviceauth.go b/vendor/golang.org/x/oauth2/deviceauth.go
index e99c92f39c..e783a94374 100644
--- a/vendor/golang.org/x/oauth2/deviceauth.go
+++ b/vendor/golang.org/x/oauth2/deviceauth.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"mime"
 	"net/http"
 	"net/url"
 	"strings"
@@ -116,10 +117,38 @@ func retrieveDeviceAuth(ctx context.Context, c *Config, v url.Values) (*DeviceAu
 		return nil, fmt.Errorf("oauth2: cannot auth device: %v", err)
 	}
 	if code := r.StatusCode; code < 200 || code > 299 {
-		return nil, &RetrieveError{
+		retrieveError := &RetrieveError{
 			Response: r,
 			Body:     body,
 		}
+
+		content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
+		switch content {
+		case "application/x-www-form-urlencoded", "text/plain":
+			// some endpoints return a query string
+			vals, err := url.ParseQuery(string(body))
+			if err != nil {
+				return nil, retrieveError
+			}
+			retrieveError.ErrorCode = vals.Get("error")
+			retrieveError.ErrorDescription = vals.Get("error_description")
+			retrieveError.ErrorURI = vals.Get("error_uri")
+		default:
+			var tj struct {
+				// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+				ErrorCode        string `json:"error"`
+				ErrorDescription string `json:"error_description"`
+				ErrorURI         string `json:"error_uri"`
+			}
+			if json.Unmarshal(body, &tj) != nil {
+				return nil, retrieveError
+			}
+			retrieveError.ErrorCode = tj.ErrorCode
+			retrieveError.ErrorDescription = tj.ErrorDescription
+			retrieveError.ErrorURI = tj.ErrorURI
+		}
+
+		return nil, retrieveError
 	}
 
 	da := &DeviceAuthResponse{}
diff --git a/vendor/golang.org/x/oauth2/google/externalaccount/aws.go b/vendor/golang.org/x/oauth2/google/externalaccount/aws.go
index e1a735e01b..f62ec99a5f 100644
--- a/vendor/golang.org/x/oauth2/google/externalaccount/aws.go
+++ b/vendor/golang.org/x/oauth2/google/externalaccount/aws.go
@@ -5,7 +5,6 @@
 package externalaccount
 
 import (
-	"bytes"
 	"context"
 	"crypto/hmac"
 	"crypto/sha256"
@@ -148,13 +147,13 @@ func canonicalHeaders(req *http.Request) (string, string) {
 	}
 	sort.Strings(headers)
 
-	var fullHeaders bytes.Buffer
+	var fullHeaders strings.Builder
 	for _, header := range headers {
 		headerValue := strings.Join(lowerCaseHeaders[header], ",")
 		fullHeaders.WriteString(header)
-		fullHeaders.WriteRune(':')
+		fullHeaders.WriteByte(':')
 		fullHeaders.WriteString(headerValue)
-		fullHeaders.WriteRune('\n')
+		fullHeaders.WriteByte('\n')
 	}
 
 	return strings.Join(headers, ";"), fullHeaders.String()
diff --git a/vendor/golang.org/x/oauth2/google/google.go b/vendor/golang.org/x/oauth2/google/google.go
index e2eb9c9272..7d1fdd31d3 100644
--- a/vendor/golang.org/x/oauth2/google/google.go
+++ b/vendor/golang.org/x/oauth2/google/google.go
@@ -252,7 +252,7 @@ func (f *credentialsFile) tokenSource(ctx context.Context, params CredentialsPar
 // Further information about retrieving access tokens from the GCE metadata
 // server can be found at https://cloud.google.com/compute/docs/authentication.
 func ComputeTokenSource(account string, scope ...string) oauth2.TokenSource {
-	// refresh 3 minutes and 45 seconds early. The shortest MDS cache is currently 4 minutes, so any
+	// Refresh 3 minutes and 45 seconds early. The shortest MDS cache is currently 4 minutes, so any
 	// refreshes earlier are a waste of compute.
 	earlyExpirySecs := 225 * time.Second
 	return computeTokenSource(account, earlyExpirySecs, scope...)
diff --git a/vendor/golang.org/x/oauth2/oauth2.go b/vendor/golang.org/x/oauth2/oauth2.go
index de34feb844..5c527d31fd 100644
--- a/vendor/golang.org/x/oauth2/oauth2.go
+++ b/vendor/golang.org/x/oauth2/oauth2.go
@@ -9,7 +9,6 @@
 package oauth2 // import "golang.org/x/oauth2"
 
 import (
-	"bytes"
 	"context"
 	"errors"
 	"net/http"
@@ -99,7 +98,7 @@ const (
 	// in the POST body as application/x-www-form-urlencoded parameters.
 	AuthStyleInParams AuthStyle = 1
 
-	// AuthStyleInHeader sends the client_id and client_password
+	// AuthStyleInHeader sends the client_id and client_secret
 	// using HTTP Basic Authorization. This is an optional style
 	// described in the OAuth2 RFC 6749 section 2.3.1.
 	AuthStyleInHeader AuthStyle = 2
@@ -158,7 +157,7 @@ func SetAuthURLParam(key, value string) AuthCodeOption {
 // PKCE), https://www.oauth.com/oauth2-servers/pkce/ and
 // https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html#name-cross-site-request-forgery (describing both approaches)
 func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string {
-	var buf bytes.Buffer
+	var buf strings.Builder
 	buf.WriteString(c.Endpoint.AuthURL)
 	v := url.Values{
 		"response_type": {"code"},
diff --git a/vendor/golang.org/x/oauth2/pkce.go b/vendor/golang.org/x/oauth2/pkce.go
index cea8374d51..f99384f0f5 100644
--- a/vendor/golang.org/x/oauth2/pkce.go
+++ b/vendor/golang.org/x/oauth2/pkce.go
@@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string {
 	return base64.RawURLEncoding.EncodeToString(sha[:])
 }
 
-// S256ChallengeOption derives a PKCE code challenge derived from verifier with
+// S256ChallengeOption derives a PKCE code challenge from the verifier with
 // method S256. It should be passed to [Config.AuthCodeURL] or [Config.DeviceAuth]
 // only.
 func S256ChallengeOption(verifier string) AuthCodeOption {
diff --git a/vendor/golang.org/x/oauth2/token.go b/vendor/golang.org/x/oauth2/token.go
index 239ec32962..e995eebb5e 100644
--- a/vendor/golang.org/x/oauth2/token.go
+++ b/vendor/golang.org/x/oauth2/token.go
@@ -103,7 +103,7 @@ func (t *Token) WithExtra(extra any) *Token {
 }
 
 // Extra returns an extra field.
-// Extra fields are key-value pairs returned by the server as a
+// Extra fields are key-value pairs returned by the server as
 // part of the token retrieval response.
 func (t *Token) Extra(key string) any {
 	if raw, ok := t.raw.(map[string]any); ok {
diff --git a/vendor/golang.org/x/oauth2/transport.go b/vendor/golang.org/x/oauth2/transport.go
index 8bbebbac9e..9922ec3316 100644
--- a/vendor/golang.org/x/oauth2/transport.go
+++ b/vendor/golang.org/x/oauth2/transport.go
@@ -58,7 +58,7 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 var cancelOnce sync.Once
 
 // CancelRequest does nothing. It used to be a legacy cancellation mechanism
-// but now only it only logs on first use to warn that it's deprecated.
+// but now only logs on first use to warn that it's deprecated.
 //
 // Deprecated: use contexts for cancellation instead.
 func (t *Transport) CancelRequest(req *http.Request) {
diff --git a/vendor/golang.org/x/sync/errgroup/errgroup.go b/vendor/golang.org/x/sync/errgroup/errgroup.go
index 2f45dbc86e..f69fd75468 100644
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -144,8 +144,8 @@ func (g *Group) SetLimit(n int) {
 		g.sem = nil
 		return
 	}
-	if len(g.sem) != 0 {
-		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", len(g.sem)))
+	if active := len(g.sem); active != 0 {
+		panic(fmt.Errorf("errgroup: modify limit while %v goroutines in the group are still active", active))
 	}
 	g.sem = make(chan token, n)
 }
diff --git a/vendor/golang.org/x/sync/semaphore/semaphore.go b/vendor/golang.org/x/sync/semaphore/semaphore.go
new file mode 100644
index 0000000000..b618162aab
--- /dev/null
+++ b/vendor/golang.org/x/sync/semaphore/semaphore.go
@@ -0,0 +1,160 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package semaphore provides a weighted semaphore implementation.
+package semaphore // import "golang.org/x/sync/semaphore"
+
+import (
+	"container/list"
+	"context"
+	"sync"
+)
+
+type waiter struct {
+	n     int64
+	ready chan<- struct{} // Closed when semaphore acquired.
+}
+
+// NewWeighted creates a new weighted semaphore with the given
+// maximum combined weight for concurrent access.
+func NewWeighted(n int64) *Weighted {
+	w := &Weighted{size: n}
+	return w
+}
+
+// Weighted provides a way to bound concurrent access to a resource.
+// The callers can request access with a given weight.
+type Weighted struct {
+	size    int64
+	cur     int64
+	mu      sync.Mutex
+	waiters list.List
+}
+
+// Acquire acquires the semaphore with a weight of n, blocking until resources
+// are available or ctx is done. On success, returns nil. On failure, returns
+// ctx.Err() and leaves the semaphore unchanged.
+func (s *Weighted) Acquire(ctx context.Context, n int64) error {
+	done := ctx.Done()
+
+	s.mu.Lock()
+	select {
+	case <-done:
+		// ctx becoming done has "happened before" acquiring the semaphore,
+		// whether it became done before the call began or while we were
+		// waiting for the mutex. We prefer to fail even if we could acquire
+		// the mutex without blocking.
+		s.mu.Unlock()
+		return ctx.Err()
+	default:
+	}
+	if s.size-s.cur >= n && s.waiters.Len() == 0 {
+		// Since we hold s.mu and haven't synchronized since checking done, if
+		// ctx becomes done before we return here, it becoming done must have
+		// "happened concurrently" with this call - it cannot "happen before"
+		// we return in this branch. So, we're ok to always acquire here.
+		s.cur += n
+		s.mu.Unlock()
+		return nil
+	}
+
+	if n > s.size {
+		// Don't make other Acquire calls block on one that's doomed to fail.
+		s.mu.Unlock()
+		<-done
+		return ctx.Err()
+	}
+
+	ready := make(chan struct{})
+	w := waiter{n: n, ready: ready}
+	elem := s.waiters.PushBack(w)
+	s.mu.Unlock()
+
+	select {
+	case <-done:
+		s.mu.Lock()
+		select {
+		case <-ready:
+			// Acquired the semaphore after we were canceled.
+			// Pretend we didn't and put the tokens back.
+			s.cur -= n
+			s.notifyWaiters()
+		default:
+			isFront := s.waiters.Front() == elem
+			s.waiters.Remove(elem)
+			// If we're at the front and there're extra tokens left, notify other waiters.
+			if isFront && s.size > s.cur {
+				s.notifyWaiters()
+			}
+		}
+		s.mu.Unlock()
+		return ctx.Err()
+
+	case <-ready:
+		// Acquired the semaphore. Check that ctx isn't already done.
+		// We check the done channel instead of calling ctx.Err because we
+		// already have the channel, and ctx.Err is O(n) with the nesting
+		// depth of ctx.
+		select {
+		case <-done:
+			s.Release(n)
+			return ctx.Err()
+		default:
+		}
+		return nil
+	}
+}
+
+// TryAcquire acquires the semaphore with a weight of n without blocking.
+// On success, returns true. On failure, returns false and leaves the semaphore unchanged.
+func (s *Weighted) TryAcquire(n int64) bool {
+	s.mu.Lock()
+	success := s.size-s.cur >= n && s.waiters.Len() == 0
+	if success {
+		s.cur += n
+	}
+	s.mu.Unlock()
+	return success
+}
+
+// Release releases the semaphore with a weight of n.
+func (s *Weighted) Release(n int64) {
+	s.mu.Lock()
+	s.cur -= n
+	if s.cur < 0 {
+		s.mu.Unlock()
+		panic("semaphore: released more than held")
+	}
+	s.notifyWaiters()
+	s.mu.Unlock()
+}
+
+func (s *Weighted) notifyWaiters() {
+	for {
+		next := s.waiters.Front()
+		if next == nil {
+			break // No more waiters blocked.
+		}
+
+		w := next.Value.(waiter)
+		if s.size-s.cur < w.n {
+			// Not enough tokens for the next waiter.  We could keep going (to try to
+			// find a waiter with a smaller request), but under load that could cause
+			// starvation for large requests; instead, we leave all remaining waiters
+			// blocked.
+			//
+			// Consider a semaphore used as a read-write lock, with N tokens, N
+			// readers, and one writer.  Each reader can Acquire(1) to obtain a read
+			// lock.  The writer can Acquire(N) to obtain a write lock, excluding all
+			// of the readers.  If we allow the readers to jump ahead in the queue,
+			// the writer will starve — there is always one token available for every
+			// reader.
+			break
+		}
+
+		s.cur += w.n
+		s.waiters.Remove(next)
+		close(w.ready)
+	}
+}
diff --git a/vendor/golang.org/x/sys/cpu/cpu.go b/vendor/golang.org/x/sys/cpu/cpu.go
index 34c9ae76ef..63541994ef 100644
--- a/vendor/golang.org/x/sys/cpu/cpu.go
+++ b/vendor/golang.org/x/sys/cpu/cpu.go
@@ -92,9 +92,6 @@ var ARM64 struct {
 	HasSHA2     bool // SHA2 hardware implementation
 	HasCRC32    bool // CRC32 hardware implementation
 	HasATOMICS  bool // Atomic memory operation instruction set
-	HasHPDS     bool // Hierarchical permission disables in translations tables
-	HasLOR      bool // Limited ordering regions
-	HasPAN      bool // Privileged access never
 	HasFPHP     bool // Half precision floating-point instruction set
 	HasASIMDHP  bool // Advanced SIMD half precision instruction set
 	HasCPUID    bool // CPUID identification scheme registers
diff --git a/vendor/golang.org/x/sys/cpu/cpu_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_arm64.go
index f449c679fe..af2aa99f9f 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_arm64.go
@@ -65,10 +65,10 @@ func setMinimalFeatures() {
 func readARM64Registers() {
 	Initialized = true
 
-	parseARM64SystemRegisters(getisar0(), getisar1(), getmmfr1(), getpfr0())
+	parseARM64SystemRegisters(getisar0(), getisar1(), getpfr0())
 }
 
-func parseARM64SystemRegisters(isar0, isar1, mmfr1, pfr0 uint64) {
+func parseARM64SystemRegisters(isar0, isar1, pfr0 uint64) {
 	// ID_AA64ISAR0_EL1
 	switch extractBits(isar0, 4, 7) {
 	case 1:
@@ -152,22 +152,6 @@ func parseARM64SystemRegisters(isar0, isar1, mmfr1, pfr0 uint64) {
 		ARM64.HasI8MM = true
 	}
 
-	// ID_AA64MMFR1_EL1
-	switch extractBits(mmfr1, 12, 15) {
-	case 1, 2:
-		ARM64.HasHPDS = true
-	}
-
-	switch extractBits(mmfr1, 16, 19) {
-	case 1:
-		ARM64.HasLOR = true
-	}
-
-	switch extractBits(mmfr1, 20, 23) {
-	case 1, 2, 3:
-		ARM64.HasPAN = true
-	}
-
 	// ID_AA64PFR0_EL1
 	switch extractBits(pfr0, 16, 19) {
 	case 0:
diff --git a/vendor/golang.org/x/sys/cpu/cpu_arm64.s b/vendor/golang.org/x/sys/cpu/cpu_arm64.s
index a4f24b3b0c..3b0450a06a 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_arm64.s
+++ b/vendor/golang.org/x/sys/cpu/cpu_arm64.s
@@ -20,13 +20,6 @@ TEXT ·getisar1(SB),NOSPLIT,$0-8
 	MOVD	R0, ret+0(FP)
 	RET
 
-// func getmmfr1() uint64
-TEXT ·getmmfr1(SB),NOSPLIT,$0-8
-	// get Memory Model Feature Register 1 into x0
-	MRS	ID_AA64MMFR1_EL1, R0
-	MOVD	R0, ret+0(FP)
-	RET
-
 // func getpfr0() uint64
 TEXT ·getpfr0(SB),NOSPLIT,$0-8
 	// get Processor Feature Register 0 into x0
diff --git a/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
index e3fc5a8d31..6ac6e1efb2 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
@@ -8,6 +8,5 @@ package cpu
 
 func getisar0() uint64
 func getisar1() uint64
-func getmmfr1() uint64
 func getpfr0() uint64
 func getzfr0() uint64
diff --git a/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
index 8df2079e15..7f1946780b 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
@@ -8,5 +8,4 @@ package cpu
 
 func getisar0() uint64 { return 0 }
 func getisar1() uint64 { return 0 }
-func getmmfr1() uint64 { return 0 }
 func getpfr0() uint64  { return 0 }
diff --git a/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
index 19aea0633e..ebfb3fc8e7 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
@@ -167,7 +167,7 @@ func doinit() {
 		setMinimalFeatures()
 		return
 	}
-	parseARM64SystemRegisters(cpuid.aa64isar0, cpuid.aa64isar1, cpuid.aa64mmfr1, cpuid.aa64pfr0)
+	parseARM64SystemRegisters(cpuid.aa64isar0, cpuid.aa64isar1, cpuid.aa64pfr0)
 
 	Initialized = true
 }
diff --git a/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
index 87fd3a7780..85b64d5ccb 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
@@ -59,7 +59,7 @@ func doinit() {
 	if !ok {
 		return
 	}
-	parseARM64SystemRegisters(isar0, isar1, 0, 0)
+	parseARM64SystemRegisters(isar0, isar1, 0)
 
 	Initialized = true
 }
diff --git a/vendor/golang.org/x/sys/unix/mkerrors.sh b/vendor/golang.org/x/sys/unix/mkerrors.sh
index 42517077c4..fd39be4efd 100644
--- a/vendor/golang.org/x/sys/unix/mkerrors.sh
+++ b/vendor/golang.org/x/sys/unix/mkerrors.sh
@@ -256,6 +256,7 @@ struct ltchars {
 #include <linux/loop.h>
 #include <linux/lwtunnel.h>
 #include <linux/magic.h>
+#include <linux/mei.h>
 #include <linux/memfd.h>
 #include <linux/module.h>
 #include <linux/mount.h>
@@ -613,7 +614,7 @@ ccflags="$@"
 		$2 !~ /IOC_MAGIC/ &&
 		$2 ~ /^[A-Z][A-Z0-9_]+_MAGIC2?$/ ||
 		$2 ~ /^(VM|VMADDR)_/ ||
-		$2 ~ /^IOCTL_VM_SOCKETS_/ ||
+		$2 ~ /^(IOCTL_VM_SOCKETS_|IOCTL_MEI_)/ ||
 		$2 ~ /^(TASKSTATS|TS)_/ ||
 		$2 ~ /^CGROUPSTATS_/ ||
 		$2 ~ /^GENL_/ ||
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go
index d0a75da572..120a7b35d1 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@@ -1615,6 +1615,8 @@ const (
 	IN_OPEN                                     = 0x20
 	IN_Q_OVERFLOW                               = 0x4000
 	IN_UNMOUNT                                  = 0x2000
+	IOCTL_MEI_CONNECT_CLIENT                    = 0xc0104801
+	IOCTL_MEI_CONNECT_CLIENT_VTAG               = 0xc0144804
 	IPPROTO_AH                                  = 0x33
 	IPPROTO_BEETPH                              = 0x5e
 	IPPROTO_COMP                                = 0x6c
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
index 1c37f9fbc4..97a61fc5b8 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
@@ -116,6 +116,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
index 6f54d34aef..a0d6d498c4 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
@@ -116,6 +116,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
index 783ec5c126..dd9c903f9a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
index ca83d3ba16..384c61ca3a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
@@ -120,6 +120,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
index 607e611c0c..6384c9831f 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
@@ -116,6 +116,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
index b9cb5bd3c0..553c1c6f15 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
index 65b078a638..b3339f2099 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
index 5298a3033d..177091d2bc 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
index 7bc557c876..c5abf156d0 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x100
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x80
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
index 152399bb04..f1f3fadf57 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x400
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
index 1a1ce2409c..203ad9c54a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x400
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
index 4231a1fb57..4b9abcb21a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x400
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
index 21c0e95266..f87983037d 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xffffff0f
 	IPV6_FLOWLABEL_MASK              = 0xffff0f00
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
index f00d1cd7cf..64347eb354 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
@@ -115,6 +115,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x80000
 	IN_NONBLOCK                      = 0x800
+	IOCTL_MEI_NOTIFY_GET             = 0x80044803
+	IOCTL_MEI_NOTIFY_SET             = 0x40044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x7b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
index bc8d539e6a..7d71911718 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
@@ -119,6 +119,8 @@ const (
 	IEXTEN                           = 0x8000
 	IN_CLOEXEC                       = 0x400000
 	IN_NONBLOCK                      = 0x4000
+	IOCTL_MEI_NOTIFY_GET             = 0x40044803
+	IOCTL_MEI_NOTIFY_SET             = 0x80044802
 	IOCTL_VM_SOCKETS_GET_LOCAL_CID   = 0x200007b9
 	IPV6_FLOWINFO_MASK               = 0xfffffff
 	IPV6_FLOWLABEL_MASK              = 0xfffff
diff --git a/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go b/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
index 439548ec9a..50e8e64497 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go
@@ -104,7 +104,7 @@ type Statvfs_t struct {
 	Fsid        uint32
 	Namemax     uint32
 	Owner       uint32
-	Spare       [4]uint32
+	Spare       [4]uint64
 	Fstypename  [32]byte
 	Mntonname   [1024]byte
 	Mntfromname [1024]byte
diff --git a/vendor/golang.org/x/text/encoding/encoding.go b/vendor/golang.org/x/text/encoding/encoding.go
new file mode 100644
index 0000000000..a0bd7cd4d0
--- /dev/null
+++ b/vendor/golang.org/x/text/encoding/encoding.go
@@ -0,0 +1,335 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package encoding defines an interface for character encodings, such as Shift
+// JIS and Windows 1252, that can convert to and from UTF-8.
+//
+// Encoding implementations are provided in other packages, such as
+// golang.org/x/text/encoding/charmap and
+// golang.org/x/text/encoding/japanese.
+package encoding // import "golang.org/x/text/encoding"
+
+import (
+	"errors"
+	"io"
+	"strconv"
+	"unicode/utf8"
+
+	"golang.org/x/text/encoding/internal/identifier"
+	"golang.org/x/text/transform"
+)
+
+// TODO:
+// - There seems to be some inconsistency in when decoders return errors
+//   and when not. Also documentation seems to suggest they shouldn't return
+//   errors at all (except for UTF-16).
+// - Encoders seem to rely on or at least benefit from the input being in NFC
+//   normal form. Perhaps add an example how users could prepare their output.
+
+// Encoding is a character set encoding that can be transformed to and from
+// UTF-8.
+type Encoding interface {
+	// NewDecoder returns a Decoder.
+	NewDecoder() *Decoder
+
+	// NewEncoder returns an Encoder.
+	NewEncoder() *Encoder
+}
+
+// A Decoder converts bytes to UTF-8. It implements transform.Transformer.
+//
+// Transforming source bytes that are not of that encoding will not result in an
+// error per se. Each byte that cannot be transcoded will be represented in the
+// output by the UTF-8 encoding of '\uFFFD', the replacement rune.
+type Decoder struct {
+	transform.Transformer
+
+	// This forces external creators of Decoders to use names in struct
+	// initializers, allowing for future extendibility without having to break
+	// code.
+	_ struct{}
+}
+
+// Bytes converts the given encoded bytes to UTF-8. It returns the converted
+// bytes or nil, err if any error occurred.
+func (d *Decoder) Bytes(b []byte) ([]byte, error) {
+	b, _, err := transform.Bytes(d, b)
+	if err != nil {
+		return nil, err
+	}
+	return b, nil
+}
+
+// String converts the given encoded string to UTF-8. It returns the converted
+// string or "", err if any error occurred.
+func (d *Decoder) String(s string) (string, error) {
+	s, _, err := transform.String(d, s)
+	if err != nil {
+		return "", err
+	}
+	return s, nil
+}
+
+// Reader wraps another Reader to decode its bytes.
+//
+// The Decoder may not be used for any other operation as long as the returned
+// Reader is in use.
+func (d *Decoder) Reader(r io.Reader) io.Reader {
+	return transform.NewReader(r, d)
+}
+
+// An Encoder converts bytes from UTF-8. It implements transform.Transformer.
+//
+// Each rune that cannot be transcoded will result in an error. In this case,
+// the transform will consume all source byte up to, not including the offending
+// rune. Transforming source bytes that are not valid UTF-8 will be replaced by
+// `\uFFFD`. To return early with an error instead, use transform.Chain to
+// preprocess the data with a UTF8Validator.
+type Encoder struct {
+	transform.Transformer
+
+	// This forces external creators of Encoders to use names in struct
+	// initializers, allowing for future extendibility without having to break
+	// code.
+	_ struct{}
+}
+
+// Bytes converts bytes from UTF-8. It returns the converted bytes or nil, err if
+// any error occurred.
+func (e *Encoder) Bytes(b []byte) ([]byte, error) {
+	b, _, err := transform.Bytes(e, b)
+	if err != nil {
+		return nil, err
+	}
+	return b, nil
+}
+
+// String converts a string from UTF-8. It returns the converted string or
+// "", err if any error occurred.
+func (e *Encoder) String(s string) (string, error) {
+	s, _, err := transform.String(e, s)
+	if err != nil {
+		return "", err
+	}
+	return s, nil
+}
+
+// Writer wraps another Writer to encode its UTF-8 output.
+//
+// The Encoder may not be used for any other operation as long as the returned
+// Writer is in use.
+func (e *Encoder) Writer(w io.Writer) io.Writer {
+	return transform.NewWriter(w, e)
+}
+
+// ASCIISub is the ASCII substitute character, as recommended by
+// https://unicode.org/reports/tr36/#Text_Comparison
+const ASCIISub = '\x1a'
+
+// Nop is the nop encoding. Its transformed bytes are the same as the source
+// bytes; it does not replace invalid UTF-8 sequences.
+var Nop Encoding = nop{}
+
+type nop struct{}
+
+func (nop) NewDecoder() *Decoder {
+	return &Decoder{Transformer: transform.Nop}
+}
+func (nop) NewEncoder() *Encoder {
+	return &Encoder{Transformer: transform.Nop}
+}
+
+// Replacement is the replacement encoding. Decoding from the replacement
+// encoding yields a single '\uFFFD' replacement rune. Encoding from UTF-8 to
+// the replacement encoding yields the same as the source bytes except that
+// invalid UTF-8 is converted to '\uFFFD'.
+//
+// It is defined at http://encoding.spec.whatwg.org/#replacement
+var Replacement Encoding = replacement{}
+
+type replacement struct{}
+
+func (replacement) NewDecoder() *Decoder {
+	return &Decoder{Transformer: replacementDecoder{}}
+}
+
+func (replacement) NewEncoder() *Encoder {
+	return &Encoder{Transformer: replacementEncoder{}}
+}
+
+func (replacement) ID() (mib identifier.MIB, other string) {
+	return identifier.Replacement, ""
+}
+
+type replacementDecoder struct{ transform.NopResetter }
+
+func (replacementDecoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	if len(dst) < 3 {
+		return 0, 0, transform.ErrShortDst
+	}
+	if atEOF {
+		const fffd = "\ufffd"
+		dst[0] = fffd[0]
+		dst[1] = fffd[1]
+		dst[2] = fffd[2]
+		nDst = 3
+	}
+	return nDst, len(src), nil
+}
+
+type replacementEncoder struct{ transform.NopResetter }
+
+func (replacementEncoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	r, size := rune(0), 0
+
+	for ; nSrc < len(src); nSrc += size {
+		r = rune(src[nSrc])
+
+		// Decode a 1-byte rune.
+		if r < utf8.RuneSelf {
+			size = 1
+
+		} else {
+			// Decode a multi-byte rune.
+			r, size = utf8.DecodeRune(src[nSrc:])
+			if size == 1 {
+				// All valid runes of size 1 (those below utf8.RuneSelf) were
+				// handled above. We have invalid UTF-8 or we haven't seen the
+				// full character yet.
+				if !atEOF && !utf8.FullRune(src[nSrc:]) {
+					err = transform.ErrShortSrc
+					break
+				}
+				r = '\ufffd'
+			}
+		}
+
+		if nDst+utf8.RuneLen(r) > len(dst) {
+			err = transform.ErrShortDst
+			break
+		}
+		nDst += utf8.EncodeRune(dst[nDst:], r)
+	}
+	return nDst, nSrc, err
+}
+
+// HTMLEscapeUnsupported wraps encoders to replace source runes outside the
+// repertoire of the destination encoding with HTML escape sequences.
+//
+// This wrapper exists to comply to URL and HTML forms requiring a
+// non-terminating legacy encoder. The produced sequences may lead to data
+// loss as they are indistinguishable from legitimate input. To avoid this
+// issue, use UTF-8 encodings whenever possible.
+func HTMLEscapeUnsupported(e *Encoder) *Encoder {
+	return &Encoder{Transformer: &errorHandler{e, errorToHTML}}
+}
+
+// ReplaceUnsupported wraps encoders to replace source runes outside the
+// repertoire of the destination encoding with an encoding-specific
+// replacement.
+//
+// This wrapper is only provided for backwards compatibility and legacy
+// handling. Its use is strongly discouraged. Use UTF-8 whenever possible.
+func ReplaceUnsupported(e *Encoder) *Encoder {
+	return &Encoder{Transformer: &errorHandler{e, errorToReplacement}}
+}
+
+type errorHandler struct {
+	*Encoder
+	handler func(dst []byte, r rune, err repertoireError) (n int, ok bool)
+}
+
+// TODO: consider making this error public in some form.
+type repertoireError interface {
+	Replacement() byte
+}
+
+func (h errorHandler) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	nDst, nSrc, err = h.Transformer.Transform(dst, src, atEOF)
+	for err != nil {
+		rerr, ok := err.(repertoireError)
+		if !ok {
+			return nDst, nSrc, err
+		}
+		r, sz := utf8.DecodeRune(src[nSrc:])
+		n, ok := h.handler(dst[nDst:], r, rerr)
+		if !ok {
+			return nDst, nSrc, transform.ErrShortDst
+		}
+		err = nil
+		nDst += n
+		if nSrc += sz; nSrc < len(src) {
+			var dn, sn int
+			dn, sn, err = h.Transformer.Transform(dst[nDst:], src[nSrc:], atEOF)
+			nDst += dn
+			nSrc += sn
+		}
+	}
+	return nDst, nSrc, err
+}
+
+func errorToHTML(dst []byte, r rune, err repertoireError) (n int, ok bool) {
+	buf := [8]byte{}
+	b := strconv.AppendUint(buf[:0], uint64(r), 10)
+	if n = len(b) + len("&#;"); n >= len(dst) {
+		return 0, false
+	}
+	dst[0] = '&'
+	dst[1] = '#'
+	dst[copy(dst[2:], b)+2] = ';'
+	return n, true
+}
+
+func errorToReplacement(dst []byte, r rune, err repertoireError) (n int, ok bool) {
+	if len(dst) == 0 {
+		return 0, false
+	}
+	dst[0] = err.Replacement()
+	return 1, true
+}
+
+// ErrInvalidUTF8 means that a transformer encountered invalid UTF-8.
+var ErrInvalidUTF8 = errors.New("encoding: invalid UTF-8")
+
+// UTF8Validator is a transformer that returns ErrInvalidUTF8 on the first
+// input byte that is not valid UTF-8.
+var UTF8Validator transform.Transformer = utf8Validator{}
+
+type utf8Validator struct{ transform.NopResetter }
+
+func (utf8Validator) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	n := len(src)
+	if n > len(dst) {
+		n = len(dst)
+	}
+	for i := 0; i < n; {
+		if c := src[i]; c < utf8.RuneSelf {
+			dst[i] = c
+			i++
+			continue
+		}
+		_, size := utf8.DecodeRune(src[i:])
+		if size == 1 {
+			// All valid runes of size 1 (those below utf8.RuneSelf) were
+			// handled above. We have invalid UTF-8 or we haven't seen the
+			// full character yet.
+			err = ErrInvalidUTF8
+			if !atEOF && !utf8.FullRune(src[i:]) {
+				err = transform.ErrShortSrc
+			}
+			return i, i, err
+		}
+		if i+size > len(dst) {
+			return i, i, transform.ErrShortDst
+		}
+		for ; size > 0; size-- {
+			dst[i] = src[i]
+			i++
+		}
+	}
+	if len(src) > len(dst) {
+		err = transform.ErrShortDst
+	}
+	return n, n, err
+}
diff --git a/vendor/golang.org/x/text/encoding/internal/identifier/identifier.go b/vendor/golang.org/x/text/encoding/internal/identifier/identifier.go
new file mode 100644
index 0000000000..5c9b85c280
--- /dev/null
+++ b/vendor/golang.org/x/text/encoding/internal/identifier/identifier.go
@@ -0,0 +1,81 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:generate go run gen.go
+
+// Package identifier defines the contract between implementations of Encoding
+// and Index by defining identifiers that uniquely identify standardized coded
+// character sets (CCS) and character encoding schemes (CES), which we will
+// together refer to as encodings, for which Encoding implementations provide
+// converters to and from UTF-8. This package is typically only of concern to
+// implementers of Indexes and Encodings.
+//
+// One part of the identifier is the MIB code, which is defined by IANA and
+// uniquely identifies a CCS or CES. Each code is associated with data that
+// references authorities, official documentation as well as aliases and MIME
+// names.
+//
+// Not all CESs are covered by the IANA registry. The "other" string that is
+// returned by ID can be used to identify other character sets or versions of
+// existing ones.
+//
+// It is recommended that each package that provides a set of Encodings provide
+// the All and Common variables to reference all supported encodings and
+// commonly used subset. This allows Index implementations to include all
+// available encodings without explicitly referencing or knowing about them.
+package identifier
+
+// Note: this package is internal, but could be made public if there is a need
+// for writing third-party Indexes and Encodings.
+
+// References:
+// - http://source.icu-project.org/repos/icu/icu/trunk/source/data/mappings/convrtrs.txt
+// - http://www.iana.org/assignments/character-sets/character-sets.xhtml
+// - http://www.iana.org/assignments/ianacharset-mib/ianacharset-mib
+// - http://www.ietf.org/rfc/rfc2978.txt
+// - https://www.unicode.org/reports/tr22/
+// - http://www.w3.org/TR/encoding/
+// - https://encoding.spec.whatwg.org/
+// - https://encoding.spec.whatwg.org/encodings.json
+// - https://tools.ietf.org/html/rfc6657#section-5
+
+// Interface can be implemented by Encodings to define the CCS or CES for which
+// it implements conversions.
+type Interface interface {
+	// ID returns an encoding identifier. Exactly one of the mib and other
+	// values should be non-zero.
+	//
+	// In the usual case it is only necessary to indicate the MIB code. The
+	// other string can be used to specify encodings for which there is no MIB,
+	// such as "x-mac-dingbat".
+	//
+	// The other string may only contain the characters a-z, A-Z, 0-9, - and _.
+	ID() (mib MIB, other string)
+
+	// NOTE: the restrictions on the encoding are to allow extending the syntax
+	// with additional information such as versions, vendors and other variants.
+}
+
+// A MIB identifies an encoding. It is derived from the IANA MIB codes and adds
+// some identifiers for some encodings that are not covered by the IANA
+// standard.
+//
+// See http://www.iana.org/assignments/ianacharset-mib.
+type MIB uint16
+
+// These additional MIB types are not defined in IANA. They are added because
+// they are common and defined within the text repo.
+const (
+	// Unofficial marks the start of encodings not registered by IANA.
+	Unofficial MIB = 10000 + iota
+
+	// Replacement is the WhatWG replacement encoding.
+	Replacement
+
+	// XUserDefined is the code for x-user-defined.
+	XUserDefined
+
+	// MacintoshCyrillic is the code for x-mac-cyrillic.
+	MacintoshCyrillic
+)
diff --git a/vendor/golang.org/x/text/encoding/internal/identifier/mib.go b/vendor/golang.org/x/text/encoding/internal/identifier/mib.go
new file mode 100644
index 0000000000..351fb86e29
--- /dev/null
+++ b/vendor/golang.org/x/text/encoding/internal/identifier/mib.go
@@ -0,0 +1,1627 @@
+// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
+
+package identifier
+
+const (
+	// ASCII is the MIB identifier with IANA name US-ASCII (MIME: US-ASCII).
+	//
+	// ANSI X3.4-1986
+	// Reference: RFC2046
+	ASCII MIB = 3
+
+	// ISOLatin1 is the MIB identifier with IANA name ISO_8859-1:1987 (MIME: ISO-8859-1).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatin1 MIB = 4
+
+	// ISOLatin2 is the MIB identifier with IANA name ISO_8859-2:1987 (MIME: ISO-8859-2).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatin2 MIB = 5
+
+	// ISOLatin3 is the MIB identifier with IANA name ISO_8859-3:1988 (MIME: ISO-8859-3).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatin3 MIB = 6
+
+	// ISOLatin4 is the MIB identifier with IANA name ISO_8859-4:1988 (MIME: ISO-8859-4).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatin4 MIB = 7
+
+	// ISOLatinCyrillic is the MIB identifier with IANA name ISO_8859-5:1988 (MIME: ISO-8859-5).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatinCyrillic MIB = 8
+
+	// ISOLatinArabic is the MIB identifier with IANA name ISO_8859-6:1987 (MIME: ISO-8859-6).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatinArabic MIB = 9
+
+	// ISOLatinGreek is the MIB identifier with IANA name ISO_8859-7:1987 (MIME: ISO-8859-7).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1947
+	// Reference: RFC1345
+	ISOLatinGreek MIB = 10
+
+	// ISOLatinHebrew is the MIB identifier with IANA name ISO_8859-8:1988 (MIME: ISO-8859-8).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatinHebrew MIB = 11
+
+	// ISOLatin5 is the MIB identifier with IANA name ISO_8859-9:1989 (MIME: ISO-8859-9).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatin5 MIB = 12
+
+	// ISOLatin6 is the MIB identifier with IANA name ISO-8859-10 (MIME: ISO-8859-10).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOLatin6 MIB = 13
+
+	// ISOTextComm is the MIB identifier with IANA name ISO_6937-2-add.
+	//
+	// ISO-IR: International Register of Escape Sequences and ISO 6937-2:1983
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISOTextComm MIB = 14
+
+	// HalfWidthKatakana is the MIB identifier with IANA name JIS_X0201.
+	//
+	// JIS X 0201-1976.   One byte only, this is equivalent to
+	// JIS/Roman (similar to ASCII) plus eight-bit half-width
+	// Katakana
+	// Reference: RFC1345
+	HalfWidthKatakana MIB = 15
+
+	// JISEncoding is the MIB identifier with IANA name JIS_Encoding.
+	//
+	// JIS X 0202-1991.  Uses ISO 2022 escape sequences to
+	// shift code sets as documented in JIS X 0202-1991.
+	JISEncoding MIB = 16
+
+	// ShiftJIS is the MIB identifier with IANA name Shift_JIS (MIME: Shift_JIS).
+	//
+	// This charset is an extension of csHalfWidthKatakana by
+	// adding graphic characters in JIS X 0208.  The CCS's are
+	// JIS X0201:1997 and JIS X0208:1997.  The
+	// complete definition is shown in Appendix 1 of JIS
+	// X0208:1997.
+	// This charset can be used for the top-level media type "text".
+	ShiftJIS MIB = 17
+
+	// EUCPkdFmtJapanese is the MIB identifier with IANA name Extended_UNIX_Code_Packed_Format_for_Japanese (MIME: EUC-JP).
+	//
+	// Standardized by OSF, UNIX International, and UNIX Systems
+	// Laboratories Pacific.  Uses ISO 2022 rules to select
+	// code set 0: US-ASCII (a single 7-bit byte set)
+	// code set 1: JIS X0208-1990 (a double 8-bit byte set)
+	// restricted to A0-FF in both bytes
+	// code set 2: Half Width Katakana (a single 7-bit byte set)
+	// requiring SS2 as the character prefix
+	// code set 3: JIS X0212-1990 (a double 7-bit byte set)
+	// restricted to A0-FF in both bytes
+	// requiring SS3 as the character prefix
+	EUCPkdFmtJapanese MIB = 18
+
+	// EUCFixWidJapanese is the MIB identifier with IANA name Extended_UNIX_Code_Fixed_Width_for_Japanese.
+	//
+	// Used in Japan.  Each character is 2 octets.
+	// code set 0: US-ASCII (a single 7-bit byte set)
+	// 1st byte = 00
+	// 2nd byte = 20-7E
+	// code set 1: JIS X0208-1990 (a double 7-bit byte set)
+	// restricted  to A0-FF in both bytes
+	// code set 2: Half Width Katakana (a single 7-bit byte set)
+	// 1st byte = 00
+	// 2nd byte = A0-FF
+	// code set 3: JIS X0212-1990 (a double 7-bit byte set)
+	// restricted to A0-FF in
+	// the first byte
+	// and 21-7E in the second byte
+	EUCFixWidJapanese MIB = 19
+
+	// ISO4UnitedKingdom is the MIB identifier with IANA name BS_4730.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO4UnitedKingdom MIB = 20
+
+	// ISO11SwedishForNames is the MIB identifier with IANA name SEN_850200_C.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO11SwedishForNames MIB = 21
+
+	// ISO15Italian is the MIB identifier with IANA name IT.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO15Italian MIB = 22
+
+	// ISO17Spanish is the MIB identifier with IANA name ES.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO17Spanish MIB = 23
+
+	// ISO21German is the MIB identifier with IANA name DIN_66003.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO21German MIB = 24
+
+	// ISO60Norwegian1 is the MIB identifier with IANA name NS_4551-1.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO60Norwegian1 MIB = 25
+
+	// ISO69French is the MIB identifier with IANA name NF_Z_62-010.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO69French MIB = 26
+
+	// ISO10646UTF1 is the MIB identifier with IANA name ISO-10646-UTF-1.
+	//
+	// Universal Transfer Format (1), this is the multibyte
+	// encoding, that subsets ASCII-7. It does not have byte
+	// ordering issues.
+	ISO10646UTF1 MIB = 27
+
+	// ISO646basic1983 is the MIB identifier with IANA name ISO_646.basic:1983.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO646basic1983 MIB = 28
+
+	// INVARIANT is the MIB identifier with IANA name INVARIANT.
+	//
+	// Reference: RFC1345
+	INVARIANT MIB = 29
+
+	// ISO2IntlRefVersion is the MIB identifier with IANA name ISO_646.irv:1983.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO2IntlRefVersion MIB = 30
+
+	// NATSSEFI is the MIB identifier with IANA name NATS-SEFI.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	NATSSEFI MIB = 31
+
+	// NATSSEFIADD is the MIB identifier with IANA name NATS-SEFI-ADD.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	NATSSEFIADD MIB = 32
+
+	// NATSDANO is the MIB identifier with IANA name NATS-DANO.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	NATSDANO MIB = 33
+
+	// NATSDANOADD is the MIB identifier with IANA name NATS-DANO-ADD.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	NATSDANOADD MIB = 34
+
+	// ISO10Swedish is the MIB identifier with IANA name SEN_850200_B.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO10Swedish MIB = 35
+
+	// KSC56011987 is the MIB identifier with IANA name KS_C_5601-1987.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	KSC56011987 MIB = 36
+
+	// ISO2022KR is the MIB identifier with IANA name ISO-2022-KR (MIME: ISO-2022-KR).
+	//
+	// rfc1557 (see also KS_C_5601-1987)
+	// Reference: RFC1557
+	ISO2022KR MIB = 37
+
+	// EUCKR is the MIB identifier with IANA name EUC-KR (MIME: EUC-KR).
+	//
+	// rfc1557 (see also KS_C_5861-1992)
+	// Reference: RFC1557
+	EUCKR MIB = 38
+
+	// ISO2022JP is the MIB identifier with IANA name ISO-2022-JP (MIME: ISO-2022-JP).
+	//
+	// rfc1468 (see also rfc2237 )
+	// Reference: RFC1468
+	ISO2022JP MIB = 39
+
+	// ISO2022JP2 is the MIB identifier with IANA name ISO-2022-JP-2 (MIME: ISO-2022-JP-2).
+	//
+	// rfc1554
+	// Reference: RFC1554
+	ISO2022JP2 MIB = 40
+
+	// ISO13JISC6220jp is the MIB identifier with IANA name JIS_C6220-1969-jp.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO13JISC6220jp MIB = 41
+
+	// ISO14JISC6220ro is the MIB identifier with IANA name JIS_C6220-1969-ro.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO14JISC6220ro MIB = 42
+
+	// ISO16Portuguese is the MIB identifier with IANA name PT.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO16Portuguese MIB = 43
+
+	// ISO18Greek7Old is the MIB identifier with IANA name greek7-old.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO18Greek7Old MIB = 44
+
+	// ISO19LatinGreek is the MIB identifier with IANA name latin-greek.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO19LatinGreek MIB = 45
+
+	// ISO25French is the MIB identifier with IANA name NF_Z_62-010_(1973).
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO25French MIB = 46
+
+	// ISO27LatinGreek1 is the MIB identifier with IANA name Latin-greek-1.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO27LatinGreek1 MIB = 47
+
+	// ISO5427Cyrillic is the MIB identifier with IANA name ISO_5427.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO5427Cyrillic MIB = 48
+
+	// ISO42JISC62261978 is the MIB identifier with IANA name JIS_C6226-1978.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO42JISC62261978 MIB = 49
+
+	// ISO47BSViewdata is the MIB identifier with IANA name BS_viewdata.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO47BSViewdata MIB = 50
+
+	// ISO49INIS is the MIB identifier with IANA name INIS.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO49INIS MIB = 51
+
+	// ISO50INIS8 is the MIB identifier with IANA name INIS-8.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO50INIS8 MIB = 52
+
+	// ISO51INISCyrillic is the MIB identifier with IANA name INIS-cyrillic.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO51INISCyrillic MIB = 53
+
+	// ISO54271981 is the MIB identifier with IANA name ISO_5427:1981.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO54271981 MIB = 54
+
+	// ISO5428Greek is the MIB identifier with IANA name ISO_5428:1980.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO5428Greek MIB = 55
+
+	// ISO57GB1988 is the MIB identifier with IANA name GB_1988-80.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO57GB1988 MIB = 56
+
+	// ISO58GB231280 is the MIB identifier with IANA name GB_2312-80.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO58GB231280 MIB = 57
+
+	// ISO61Norwegian2 is the MIB identifier with IANA name NS_4551-2.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO61Norwegian2 MIB = 58
+
+	// ISO70VideotexSupp1 is the MIB identifier with IANA name videotex-suppl.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO70VideotexSupp1 MIB = 59
+
+	// ISO84Portuguese2 is the MIB identifier with IANA name PT2.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO84Portuguese2 MIB = 60
+
+	// ISO85Spanish2 is the MIB identifier with IANA name ES2.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO85Spanish2 MIB = 61
+
+	// ISO86Hungarian is the MIB identifier with IANA name MSZ_7795.3.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO86Hungarian MIB = 62
+
+	// ISO87JISX0208 is the MIB identifier with IANA name JIS_C6226-1983.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO87JISX0208 MIB = 63
+
+	// ISO88Greek7 is the MIB identifier with IANA name greek7.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO88Greek7 MIB = 64
+
+	// ISO89ASMO449 is the MIB identifier with IANA name ASMO_449.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO89ASMO449 MIB = 65
+
+	// ISO90 is the MIB identifier with IANA name iso-ir-90.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO90 MIB = 66
+
+	// ISO91JISC62291984a is the MIB identifier with IANA name JIS_C6229-1984-a.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO91JISC62291984a MIB = 67
+
+	// ISO92JISC62991984b is the MIB identifier with IANA name JIS_C6229-1984-b.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO92JISC62991984b MIB = 68
+
+	// ISO93JIS62291984badd is the MIB identifier with IANA name JIS_C6229-1984-b-add.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO93JIS62291984badd MIB = 69
+
+	// ISO94JIS62291984hand is the MIB identifier with IANA name JIS_C6229-1984-hand.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO94JIS62291984hand MIB = 70
+
+	// ISO95JIS62291984handadd is the MIB identifier with IANA name JIS_C6229-1984-hand-add.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO95JIS62291984handadd MIB = 71
+
+	// ISO96JISC62291984kana is the MIB identifier with IANA name JIS_C6229-1984-kana.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO96JISC62291984kana MIB = 72
+
+	// ISO2033 is the MIB identifier with IANA name ISO_2033-1983.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO2033 MIB = 73
+
+	// ISO99NAPLPS is the MIB identifier with IANA name ANSI_X3.110-1983.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO99NAPLPS MIB = 74
+
+	// ISO102T617bit is the MIB identifier with IANA name T.61-7bit.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO102T617bit MIB = 75
+
+	// ISO103T618bit is the MIB identifier with IANA name T.61-8bit.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO103T618bit MIB = 76
+
+	// ISO111ECMACyrillic is the MIB identifier with IANA name ECMA-cyrillic.
+	//
+	// ISO registry
+	ISO111ECMACyrillic MIB = 77
+
+	// ISO121Canadian1 is the MIB identifier with IANA name CSA_Z243.4-1985-1.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO121Canadian1 MIB = 78
+
+	// ISO122Canadian2 is the MIB identifier with IANA name CSA_Z243.4-1985-2.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO122Canadian2 MIB = 79
+
+	// ISO123CSAZ24341985gr is the MIB identifier with IANA name CSA_Z243.4-1985-gr.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO123CSAZ24341985gr MIB = 80
+
+	// ISO88596E is the MIB identifier with IANA name ISO_8859-6-E (MIME: ISO-8859-6-E).
+	//
+	// rfc1556
+	// Reference: RFC1556
+	ISO88596E MIB = 81
+
+	// ISO88596I is the MIB identifier with IANA name ISO_8859-6-I (MIME: ISO-8859-6-I).
+	//
+	// rfc1556
+	// Reference: RFC1556
+	ISO88596I MIB = 82
+
+	// ISO128T101G2 is the MIB identifier with IANA name T.101-G2.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO128T101G2 MIB = 83
+
+	// ISO88598E is the MIB identifier with IANA name ISO_8859-8-E (MIME: ISO-8859-8-E).
+	//
+	// rfc1556
+	// Reference: RFC1556
+	ISO88598E MIB = 84
+
+	// ISO88598I is the MIB identifier with IANA name ISO_8859-8-I (MIME: ISO-8859-8-I).
+	//
+	// rfc1556
+	// Reference: RFC1556
+	ISO88598I MIB = 85
+
+	// ISO139CSN369103 is the MIB identifier with IANA name CSN_369103.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO139CSN369103 MIB = 86
+
+	// ISO141JUSIB1002 is the MIB identifier with IANA name JUS_I.B1.002.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO141JUSIB1002 MIB = 87
+
+	// ISO143IECP271 is the MIB identifier with IANA name IEC_P27-1.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO143IECP271 MIB = 88
+
+	// ISO146Serbian is the MIB identifier with IANA name JUS_I.B1.003-serb.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO146Serbian MIB = 89
+
+	// ISO147Macedonian is the MIB identifier with IANA name JUS_I.B1.003-mac.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO147Macedonian MIB = 90
+
+	// ISO150GreekCCITT is the MIB identifier with IANA name greek-ccitt.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO150GreekCCITT MIB = 91
+
+	// ISO151Cuba is the MIB identifier with IANA name NC_NC00-10:81.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO151Cuba MIB = 92
+
+	// ISO6937Add is the MIB identifier with IANA name ISO_6937-2-25.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO6937Add MIB = 93
+
+	// ISO153GOST1976874 is the MIB identifier with IANA name GOST_19768-74.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO153GOST1976874 MIB = 94
+
+	// ISO8859Supp is the MIB identifier with IANA name ISO_8859-supp.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO8859Supp MIB = 95
+
+	// ISO10367Box is the MIB identifier with IANA name ISO_10367-box.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO10367Box MIB = 96
+
+	// ISO158Lap is the MIB identifier with IANA name latin-lap.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO158Lap MIB = 97
+
+	// ISO159JISX02121990 is the MIB identifier with IANA name JIS_X0212-1990.
+	//
+	// ISO-IR: International Register of Escape Sequences
+	// Note: The current registration authority is IPSJ/ITSCJ, Japan.
+	// Reference: RFC1345
+	ISO159JISX02121990 MIB = 98
+
+	// ISO646Danish is the MIB identifier with IANA name DS_2089.
+	//
+	// Danish Standard, DS 2089, February 1974
+	// Reference: RFC1345
+	ISO646Danish MIB = 99
+
+	// USDK is the MIB identifier with IANA name us-dk.
+	//
+	// Reference: RFC1345
+	USDK MIB = 100
+
+	// DKUS is the MIB identifier with IANA name dk-us.
+	//
+	// Reference: RFC1345
+	DKUS MIB = 101
+
+	// KSC5636 is the MIB identifier with IANA name KSC5636.
+	//
+	// Reference: RFC1345
+	KSC5636 MIB = 102
+
+	// Unicode11UTF7 is the MIB identifier with IANA name UNICODE-1-1-UTF-7.
+	//
+	// rfc1642
+	// Reference: RFC1642
+	Unicode11UTF7 MIB = 103
+
+	// ISO2022CN is the MIB identifier with IANA name ISO-2022-CN.
+	//
+	// rfc1922
+	// Reference: RFC1922
+	ISO2022CN MIB = 104
+
+	// ISO2022CNEXT is the MIB identifier with IANA name ISO-2022-CN-EXT.
+	//
+	// rfc1922
+	// Reference: RFC1922
+	ISO2022CNEXT MIB = 105
+
+	// UTF8 is the MIB identifier with IANA name UTF-8.
+	//
+	// rfc3629
+	// Reference: RFC3629
+	UTF8 MIB = 106
+
+	// ISO885913 is the MIB identifier with IANA name ISO-8859-13.
+	//
+	// ISO See https://www.iana.org/assignments/charset-reg/ISO-8859-13 https://www.iana.org/assignments/charset-reg/ISO-8859-13
+	ISO885913 MIB = 109
+
+	// ISO885914 is the MIB identifier with IANA name ISO-8859-14.
+	//
+	// ISO See https://www.iana.org/assignments/charset-reg/ISO-8859-14
+	ISO885914 MIB = 110
+
+	// ISO885915 is the MIB identifier with IANA name ISO-8859-15.
+	//
+	// ISO
+	// Please see: https://www.iana.org/assignments/charset-reg/ISO-8859-15
+	ISO885915 MIB = 111
+
+	// ISO885916 is the MIB identifier with IANA name ISO-8859-16.
+	//
+	// ISO
+	ISO885916 MIB = 112
+
+	// GBK is the MIB identifier with IANA name GBK.
+	//
+	// Chinese IT Standardization Technical Committee
+	// Please see: https://www.iana.org/assignments/charset-reg/GBK
+	GBK MIB = 113
+
+	// GB18030 is the MIB identifier with IANA name GB18030.
+	//
+	// Chinese IT Standardization Technical Committee
+	// Please see: https://www.iana.org/assignments/charset-reg/GB18030
+	GB18030 MIB = 114
+
+	// OSDEBCDICDF0415 is the MIB identifier with IANA name OSD_EBCDIC_DF04_15.
+	//
+	// Fujitsu-Siemens standard mainframe EBCDIC encoding
+	// Please see: https://www.iana.org/assignments/charset-reg/OSD-EBCDIC-DF04-15
+	OSDEBCDICDF0415 MIB = 115
+
+	// OSDEBCDICDF03IRV is the MIB identifier with IANA name OSD_EBCDIC_DF03_IRV.
+	//
+	// Fujitsu-Siemens standard mainframe EBCDIC encoding
+	// Please see: https://www.iana.org/assignments/charset-reg/OSD-EBCDIC-DF03-IRV
+	OSDEBCDICDF03IRV MIB = 116
+
+	// OSDEBCDICDF041 is the MIB identifier with IANA name OSD_EBCDIC_DF04_1.
+	//
+	// Fujitsu-Siemens standard mainframe EBCDIC encoding
+	// Please see: https://www.iana.org/assignments/charset-reg/OSD-EBCDIC-DF04-1
+	OSDEBCDICDF041 MIB = 117
+
+	// ISO115481 is the MIB identifier with IANA name ISO-11548-1.
+	//
+	// See https://www.iana.org/assignments/charset-reg/ISO-11548-1
+	ISO115481 MIB = 118
+
+	// KZ1048 is the MIB identifier with IANA name KZ-1048.
+	//
+	// See https://www.iana.org/assignments/charset-reg/KZ-1048
+	KZ1048 MIB = 119
+
+	// Unicode is the MIB identifier with IANA name ISO-10646-UCS-2.
+	//
+	// the 2-octet Basic Multilingual Plane, aka Unicode
+	// this needs to specify network byte order: the standard
+	// does not specify (it is a 16-bit integer space)
+	Unicode MIB = 1000
+
+	// UCS4 is the MIB identifier with IANA name ISO-10646-UCS-4.
+	//
+	// the full code space. (same comment about byte order,
+	// these are 31-bit numbers.
+	UCS4 MIB = 1001
+
+	// UnicodeASCII is the MIB identifier with IANA name ISO-10646-UCS-Basic.
+	//
+	// ASCII subset of Unicode.  Basic Latin = collection 1
+	// See ISO 10646, Appendix A
+	UnicodeASCII MIB = 1002
+
+	// UnicodeLatin1 is the MIB identifier with IANA name ISO-10646-Unicode-Latin1.
+	//
+	// ISO Latin-1 subset of Unicode. Basic Latin and Latin-1
+	// Supplement  = collections 1 and 2.  See ISO 10646,
+	// Appendix A.  See rfc1815 .
+	UnicodeLatin1 MIB = 1003
+
+	// UnicodeJapanese is the MIB identifier with IANA name ISO-10646-J-1.
+	//
+	// ISO 10646 Japanese, see rfc1815 .
+	UnicodeJapanese MIB = 1004
+
+	// UnicodeIBM1261 is the MIB identifier with IANA name ISO-Unicode-IBM-1261.
+	//
+	// IBM Latin-2, -3, -5, Extended Presentation Set, GCSGID: 1261
+	UnicodeIBM1261 MIB = 1005
+
+	// UnicodeIBM1268 is the MIB identifier with IANA name ISO-Unicode-IBM-1268.
+	//
+	// IBM Latin-4 Extended Presentation Set, GCSGID: 1268
+	UnicodeIBM1268 MIB = 1006
+
+	// UnicodeIBM1276 is the MIB identifier with IANA name ISO-Unicode-IBM-1276.
+	//
+	// IBM Cyrillic Greek Extended Presentation Set, GCSGID: 1276
+	UnicodeIBM1276 MIB = 1007
+
+	// UnicodeIBM1264 is the MIB identifier with IANA name ISO-Unicode-IBM-1264.
+	//
+	// IBM Arabic Presentation Set, GCSGID: 1264
+	UnicodeIBM1264 MIB = 1008
+
+	// UnicodeIBM1265 is the MIB identifier with IANA name ISO-Unicode-IBM-1265.
+	//
+	// IBM Hebrew Presentation Set, GCSGID: 1265
+	UnicodeIBM1265 MIB = 1009
+
+	// Unicode11 is the MIB identifier with IANA name UNICODE-1-1.
+	//
+	// rfc1641
+	// Reference: RFC1641
+	Unicode11 MIB = 1010
+
+	// SCSU is the MIB identifier with IANA name SCSU.
+	//
+	// SCSU See https://www.iana.org/assignments/charset-reg/SCSU
+	SCSU MIB = 1011
+
+	// UTF7 is the MIB identifier with IANA name UTF-7.
+	//
+	// rfc2152
+	// Reference: RFC2152
+	UTF7 MIB = 1012
+
+	// UTF16BE is the MIB identifier with IANA name UTF-16BE.
+	//
+	// rfc2781
+	// Reference: RFC2781
+	UTF16BE MIB = 1013
+
+	// UTF16LE is the MIB identifier with IANA name UTF-16LE.
+	//
+	// rfc2781
+	// Reference: RFC2781
+	UTF16LE MIB = 1014
+
+	// UTF16 is the MIB identifier with IANA name UTF-16.
+	//
+	// rfc2781
+	// Reference: RFC2781
+	UTF16 MIB = 1015
+
+	// CESU8 is the MIB identifier with IANA name CESU-8.
+	//
+	// https://www.unicode.org/reports/tr26
+	CESU8 MIB = 1016
+
+	// UTF32 is the MIB identifier with IANA name UTF-32.
+	//
+	// https://www.unicode.org/reports/tr19/
+	UTF32 MIB = 1017
+
+	// UTF32BE is the MIB identifier with IANA name UTF-32BE.
+	//
+	// https://www.unicode.org/reports/tr19/
+	UTF32BE MIB = 1018
+
+	// UTF32LE is the MIB identifier with IANA name UTF-32LE.
+	//
+	// https://www.unicode.org/reports/tr19/
+	UTF32LE MIB = 1019
+
+	// BOCU1 is the MIB identifier with IANA name BOCU-1.
+	//
+	// https://www.unicode.org/notes/tn6/
+	BOCU1 MIB = 1020
+
+	// UTF7IMAP is the MIB identifier with IANA name UTF-7-IMAP.
+	//
+	// Note: This charset is used to encode Unicode in IMAP mailbox names;
+	// see section 5.1.3 of rfc3501 . It should never be used
+	// outside this context. A name has been assigned so that charset processing
+	// implementations can refer to it in a consistent way.
+	UTF7IMAP MIB = 1021
+
+	// Windows30Latin1 is the MIB identifier with IANA name ISO-8859-1-Windows-3.0-Latin-1.
+	//
+	// Extended ISO 8859-1 Latin-1 for Windows 3.0.
+	// PCL Symbol Set id: 9U
+	Windows30Latin1 MIB = 2000
+
+	// Windows31Latin1 is the MIB identifier with IANA name ISO-8859-1-Windows-3.1-Latin-1.
+	//
+	// Extended ISO 8859-1 Latin-1 for Windows 3.1.
+	// PCL Symbol Set id: 19U
+	Windows31Latin1 MIB = 2001
+
+	// Windows31Latin2 is the MIB identifier with IANA name ISO-8859-2-Windows-Latin-2.
+	//
+	// Extended ISO 8859-2.  Latin-2 for Windows 3.1.
+	// PCL Symbol Set id: 9E
+	Windows31Latin2 MIB = 2002
+
+	// Windows31Latin5 is the MIB identifier with IANA name ISO-8859-9-Windows-Latin-5.
+	//
+	// Extended ISO 8859-9.  Latin-5 for Windows 3.1
+	// PCL Symbol Set id: 5T
+	Windows31Latin5 MIB = 2003
+
+	// HPRoman8 is the MIB identifier with IANA name hp-roman8.
+	//
+	// LaserJet IIP Printer User's Manual,
+	// HP part no 33471-90901, Hewlet-Packard, June 1989.
+	// Reference: RFC1345
+	HPRoman8 MIB = 2004
+
+	// AdobeStandardEncoding is the MIB identifier with IANA name Adobe-Standard-Encoding.
+	//
+	// PostScript Language Reference Manual
+	// PCL Symbol Set id: 10J
+	AdobeStandardEncoding MIB = 2005
+
+	// VenturaUS is the MIB identifier with IANA name Ventura-US.
+	//
+	// Ventura US.  ASCII plus characters typically used in
+	// publishing, like pilcrow, copyright, registered, trade mark,
+	// section, dagger, and double dagger in the range A0 (hex)
+	// to FF (hex).
+	// PCL Symbol Set id: 14J
+	VenturaUS MIB = 2006
+
+	// VenturaInternational is the MIB identifier with IANA name Ventura-International.
+	//
+	// Ventura International.  ASCII plus coded characters similar
+	// to Roman8.
+	// PCL Symbol Set id: 13J
+	VenturaInternational MIB = 2007
+
+	// DECMCS is the MIB identifier with IANA name DEC-MCS.
+	//
+	// VAX/VMS User's Manual,
+	// Order Number: AI-Y517A-TE, April 1986.
+	// Reference: RFC1345
+	DECMCS MIB = 2008
+
+	// PC850Multilingual is the MIB identifier with IANA name IBM850.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	PC850Multilingual MIB = 2009
+
+	// PC8DanishNorwegian is the MIB identifier with IANA name PC8-Danish-Norwegian.
+	//
+	// PC Danish Norwegian
+	// 8-bit PC set for Danish Norwegian
+	// PCL Symbol Set id: 11U
+	PC8DanishNorwegian MIB = 2012
+
+	// PC862LatinHebrew is the MIB identifier with IANA name IBM862.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	PC862LatinHebrew MIB = 2013
+
+	// PC8Turkish is the MIB identifier with IANA name PC8-Turkish.
+	//
+	// PC Latin Turkish.  PCL Symbol Set id: 9T
+	PC8Turkish MIB = 2014
+
+	// IBMSymbols is the MIB identifier with IANA name IBM-Symbols.
+	//
+	// Presentation Set, CPGID: 259
+	IBMSymbols MIB = 2015
+
+	// IBMThai is the MIB identifier with IANA name IBM-Thai.
+	//
+	// Presentation Set, CPGID: 838
+	IBMThai MIB = 2016
+
+	// HPLegal is the MIB identifier with IANA name HP-Legal.
+	//
+	// PCL 5 Comparison Guide, Hewlett-Packard,
+	// HP part number 5961-0510, October 1992
+	// PCL Symbol Set id: 1U
+	HPLegal MIB = 2017
+
+	// HPPiFont is the MIB identifier with IANA name HP-Pi-font.
+	//
+	// PCL 5 Comparison Guide, Hewlett-Packard,
+	// HP part number 5961-0510, October 1992
+	// PCL Symbol Set id: 15U
+	HPPiFont MIB = 2018
+
+	// HPMath8 is the MIB identifier with IANA name HP-Math8.
+	//
+	// PCL 5 Comparison Guide, Hewlett-Packard,
+	// HP part number 5961-0510, October 1992
+	// PCL Symbol Set id: 8M
+	HPMath8 MIB = 2019
+
+	// HPPSMath is the MIB identifier with IANA name Adobe-Symbol-Encoding.
+	//
+	// PostScript Language Reference Manual
+	// PCL Symbol Set id: 5M
+	HPPSMath MIB = 2020
+
+	// HPDesktop is the MIB identifier with IANA name HP-DeskTop.
+	//
+	// PCL 5 Comparison Guide, Hewlett-Packard,
+	// HP part number 5961-0510, October 1992
+	// PCL Symbol Set id: 7J
+	HPDesktop MIB = 2021
+
+	// VenturaMath is the MIB identifier with IANA name Ventura-Math.
+	//
+	// PCL 5 Comparison Guide, Hewlett-Packard,
+	// HP part number 5961-0510, October 1992
+	// PCL Symbol Set id: 6M
+	VenturaMath MIB = 2022
+
+	// MicrosoftPublishing is the MIB identifier with IANA name Microsoft-Publishing.
+	//
+	// PCL 5 Comparison Guide, Hewlett-Packard,
+	// HP part number 5961-0510, October 1992
+	// PCL Symbol Set id: 6J
+	MicrosoftPublishing MIB = 2023
+
+	// Windows31J is the MIB identifier with IANA name Windows-31J.
+	//
+	// Windows Japanese.  A further extension of Shift_JIS
+	// to include NEC special characters (Row 13), NEC
+	// selection of IBM extensions (Rows 89 to 92), and IBM
+	// extensions (Rows 115 to 119).  The CCS's are
+	// JIS X0201:1997, JIS X0208:1997, and these extensions.
+	// This charset can be used for the top-level media type "text",
+	// but it is of limited or specialized use (see rfc2278 ).
+	// PCL Symbol Set id: 19K
+	Windows31J MIB = 2024
+
+	// GB2312 is the MIB identifier with IANA name GB2312 (MIME: GB2312).
+	//
+	// Chinese for People's Republic of China (PRC) mixed one byte,
+	// two byte set:
+	// 20-7E = one byte ASCII
+	// A1-FE = two byte PRC Kanji
+	// See GB 2312-80
+	// PCL Symbol Set Id: 18C
+	GB2312 MIB = 2025
+
+	// Big5 is the MIB identifier with IANA name Big5 (MIME: Big5).
+	//
+	// Chinese for Taiwan Multi-byte set.
+	// PCL Symbol Set Id: 18T
+	Big5 MIB = 2026
+
+	// Macintosh is the MIB identifier with IANA name macintosh.
+	//
+	// The Unicode Standard ver1.0, ISBN 0-201-56788-1, Oct 1991
+	// Reference: RFC1345
+	Macintosh MIB = 2027
+
+	// IBM037 is the MIB identifier with IANA name IBM037.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM037 MIB = 2028
+
+	// IBM038 is the MIB identifier with IANA name IBM038.
+	//
+	// IBM 3174 Character Set Ref, GA27-3831-02, March 1990
+	// Reference: RFC1345
+	IBM038 MIB = 2029
+
+	// IBM273 is the MIB identifier with IANA name IBM273.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM273 MIB = 2030
+
+	// IBM274 is the MIB identifier with IANA name IBM274.
+	//
+	// IBM 3174 Character Set Ref, GA27-3831-02, March 1990
+	// Reference: RFC1345
+	IBM274 MIB = 2031
+
+	// IBM275 is the MIB identifier with IANA name IBM275.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM275 MIB = 2032
+
+	// IBM277 is the MIB identifier with IANA name IBM277.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM277 MIB = 2033
+
+	// IBM278 is the MIB identifier with IANA name IBM278.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM278 MIB = 2034
+
+	// IBM280 is the MIB identifier with IANA name IBM280.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM280 MIB = 2035
+
+	// IBM281 is the MIB identifier with IANA name IBM281.
+	//
+	// IBM 3174 Character Set Ref, GA27-3831-02, March 1990
+	// Reference: RFC1345
+	IBM281 MIB = 2036
+
+	// IBM284 is the MIB identifier with IANA name IBM284.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM284 MIB = 2037
+
+	// IBM285 is the MIB identifier with IANA name IBM285.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM285 MIB = 2038
+
+	// IBM290 is the MIB identifier with IANA name IBM290.
+	//
+	// IBM 3174 Character Set Ref, GA27-3831-02, March 1990
+	// Reference: RFC1345
+	IBM290 MIB = 2039
+
+	// IBM297 is the MIB identifier with IANA name IBM297.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM297 MIB = 2040
+
+	// IBM420 is the MIB identifier with IANA name IBM420.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990,
+	// IBM NLS RM p 11-11
+	// Reference: RFC1345
+	IBM420 MIB = 2041
+
+	// IBM423 is the MIB identifier with IANA name IBM423.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM423 MIB = 2042
+
+	// IBM424 is the MIB identifier with IANA name IBM424.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM424 MIB = 2043
+
+	// PC8CodePage437 is the MIB identifier with IANA name IBM437.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	PC8CodePage437 MIB = 2011
+
+	// IBM500 is the MIB identifier with IANA name IBM500.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM500 MIB = 2044
+
+	// IBM851 is the MIB identifier with IANA name IBM851.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM851 MIB = 2045
+
+	// PCp852 is the MIB identifier with IANA name IBM852.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	PCp852 MIB = 2010
+
+	// IBM855 is the MIB identifier with IANA name IBM855.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM855 MIB = 2046
+
+	// IBM857 is the MIB identifier with IANA name IBM857.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM857 MIB = 2047
+
+	// IBM860 is the MIB identifier with IANA name IBM860.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM860 MIB = 2048
+
+	// IBM861 is the MIB identifier with IANA name IBM861.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM861 MIB = 2049
+
+	// IBM863 is the MIB identifier with IANA name IBM863.
+	//
+	// IBM Keyboard layouts and code pages, PN 07G4586 June 1991
+	// Reference: RFC1345
+	IBM863 MIB = 2050
+
+	// IBM864 is the MIB identifier with IANA name IBM864.
+	//
+	// IBM Keyboard layouts and code pages, PN 07G4586 June 1991
+	// Reference: RFC1345
+	IBM864 MIB = 2051
+
+	// IBM865 is the MIB identifier with IANA name IBM865.
+	//
+	// IBM DOS 3.3 Ref (Abridged), 94X9575 (Feb 1987)
+	// Reference: RFC1345
+	IBM865 MIB = 2052
+
+	// IBM868 is the MIB identifier with IANA name IBM868.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM868 MIB = 2053
+
+	// IBM869 is the MIB identifier with IANA name IBM869.
+	//
+	// IBM Keyboard layouts and code pages, PN 07G4586 June 1991
+	// Reference: RFC1345
+	IBM869 MIB = 2054
+
+	// IBM870 is the MIB identifier with IANA name IBM870.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM870 MIB = 2055
+
+	// IBM871 is the MIB identifier with IANA name IBM871.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM871 MIB = 2056
+
+	// IBM880 is the MIB identifier with IANA name IBM880.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM880 MIB = 2057
+
+	// IBM891 is the MIB identifier with IANA name IBM891.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM891 MIB = 2058
+
+	// IBM903 is the MIB identifier with IANA name IBM903.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM903 MIB = 2059
+
+	// IBBM904 is the MIB identifier with IANA name IBM904.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBBM904 MIB = 2060
+
+	// IBM905 is the MIB identifier with IANA name IBM905.
+	//
+	// IBM 3174 Character Set Ref, GA27-3831-02, March 1990
+	// Reference: RFC1345
+	IBM905 MIB = 2061
+
+	// IBM918 is the MIB identifier with IANA name IBM918.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM918 MIB = 2062
+
+	// IBM1026 is the MIB identifier with IANA name IBM1026.
+	//
+	// IBM NLS RM Vol2 SE09-8002-01, March 1990
+	// Reference: RFC1345
+	IBM1026 MIB = 2063
+
+	// IBMEBCDICATDE is the MIB identifier with IANA name EBCDIC-AT-DE.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	IBMEBCDICATDE MIB = 2064
+
+	// EBCDICATDEA is the MIB identifier with IANA name EBCDIC-AT-DE-A.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICATDEA MIB = 2065
+
+	// EBCDICCAFR is the MIB identifier with IANA name EBCDIC-CA-FR.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICCAFR MIB = 2066
+
+	// EBCDICDKNO is the MIB identifier with IANA name EBCDIC-DK-NO.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICDKNO MIB = 2067
+
+	// EBCDICDKNOA is the MIB identifier with IANA name EBCDIC-DK-NO-A.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICDKNOA MIB = 2068
+
+	// EBCDICFISE is the MIB identifier with IANA name EBCDIC-FI-SE.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICFISE MIB = 2069
+
+	// EBCDICFISEA is the MIB identifier with IANA name EBCDIC-FI-SE-A.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICFISEA MIB = 2070
+
+	// EBCDICFR is the MIB identifier with IANA name EBCDIC-FR.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICFR MIB = 2071
+
+	// EBCDICIT is the MIB identifier with IANA name EBCDIC-IT.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICIT MIB = 2072
+
+	// EBCDICPT is the MIB identifier with IANA name EBCDIC-PT.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICPT MIB = 2073
+
+	// EBCDICES is the MIB identifier with IANA name EBCDIC-ES.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICES MIB = 2074
+
+	// EBCDICESA is the MIB identifier with IANA name EBCDIC-ES-A.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICESA MIB = 2075
+
+	// EBCDICESS is the MIB identifier with IANA name EBCDIC-ES-S.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICESS MIB = 2076
+
+	// EBCDICUK is the MIB identifier with IANA name EBCDIC-UK.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICUK MIB = 2077
+
+	// EBCDICUS is the MIB identifier with IANA name EBCDIC-US.
+	//
+	// IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987
+	// Reference: RFC1345
+	EBCDICUS MIB = 2078
+
+	// Unknown8BiT is the MIB identifier with IANA name UNKNOWN-8BIT.
+	//
+	// Reference: RFC1428
+	Unknown8BiT MIB = 2079
+
+	// Mnemonic is the MIB identifier with IANA name MNEMONIC.
+	//
+	// rfc1345 , also known as "mnemonic+ascii+38"
+	// Reference: RFC1345
+	Mnemonic MIB = 2080
+
+	// Mnem is the MIB identifier with IANA name MNEM.
+	//
+	// rfc1345 , also known as "mnemonic+ascii+8200"
+	// Reference: RFC1345
+	Mnem MIB = 2081
+
+	// VISCII is the MIB identifier with IANA name VISCII.
+	//
+	// rfc1456
+	// Reference: RFC1456
+	VISCII MIB = 2082
+
+	// VIQR is the MIB identifier with IANA name VIQR.
+	//
+	// rfc1456
+	// Reference: RFC1456
+	VIQR MIB = 2083
+
+	// KOI8R is the MIB identifier with IANA name KOI8-R (MIME: KOI8-R).
+	//
+	// rfc1489 , based on GOST-19768-74, ISO-6937/8,
+	// INIS-Cyrillic, ISO-5427.
+	// Reference: RFC1489
+	KOI8R MIB = 2084
+
+	// HZGB2312 is the MIB identifier with IANA name HZ-GB-2312.
+	//
+	// rfc1842 , rfc1843 rfc1843 rfc1842
+	HZGB2312 MIB = 2085
+
+	// IBM866 is the MIB identifier with IANA name IBM866.
+	//
+	// IBM NLDG Volume 2 (SE09-8002-03) August 1994
+	IBM866 MIB = 2086
+
+	// PC775Baltic is the MIB identifier with IANA name IBM775.
+	//
+	// HP PCL 5 Comparison Guide (P/N 5021-0329) pp B-13, 1996
+	PC775Baltic MIB = 2087
+
+	// KOI8U is the MIB identifier with IANA name KOI8-U.
+	//
+	// rfc2319
+	// Reference: RFC2319
+	KOI8U MIB = 2088
+
+	// IBM00858 is the MIB identifier with IANA name IBM00858.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM00858
+	IBM00858 MIB = 2089
+
+	// IBM00924 is the MIB identifier with IANA name IBM00924.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM00924
+	IBM00924 MIB = 2090
+
+	// IBM01140 is the MIB identifier with IANA name IBM01140.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01140
+	IBM01140 MIB = 2091
+
+	// IBM01141 is the MIB identifier with IANA name IBM01141.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01141
+	IBM01141 MIB = 2092
+
+	// IBM01142 is the MIB identifier with IANA name IBM01142.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01142
+	IBM01142 MIB = 2093
+
+	// IBM01143 is the MIB identifier with IANA name IBM01143.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01143
+	IBM01143 MIB = 2094
+
+	// IBM01144 is the MIB identifier with IANA name IBM01144.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01144
+	IBM01144 MIB = 2095
+
+	// IBM01145 is the MIB identifier with IANA name IBM01145.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01145
+	IBM01145 MIB = 2096
+
+	// IBM01146 is the MIB identifier with IANA name IBM01146.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01146
+	IBM01146 MIB = 2097
+
+	// IBM01147 is the MIB identifier with IANA name IBM01147.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01147
+	IBM01147 MIB = 2098
+
+	// IBM01148 is the MIB identifier with IANA name IBM01148.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01148
+	IBM01148 MIB = 2099
+
+	// IBM01149 is the MIB identifier with IANA name IBM01149.
+	//
+	// IBM See https://www.iana.org/assignments/charset-reg/IBM01149
+	IBM01149 MIB = 2100
+
+	// Big5HKSCS is the MIB identifier with IANA name Big5-HKSCS.
+	//
+	// See https://www.iana.org/assignments/charset-reg/Big5-HKSCS
+	Big5HKSCS MIB = 2101
+
+	// IBM1047 is the MIB identifier with IANA name IBM1047.
+	//
+	// IBM1047 (EBCDIC Latin 1/Open Systems) https://www-1.ibm.com/servers/eserver/iseries/software/globalization/pdf/cp01047z.pdf
+	IBM1047 MIB = 2102
+
+	// PTCP154 is the MIB identifier with IANA name PTCP154.
+	//
+	// See https://www.iana.org/assignments/charset-reg/PTCP154
+	PTCP154 MIB = 2103
+
+	// Amiga1251 is the MIB identifier with IANA name Amiga-1251.
+	//
+	// See https://www.amiga.ultranet.ru/Amiga-1251.html
+	Amiga1251 MIB = 2104
+
+	// KOI7switched is the MIB identifier with IANA name KOI7-switched.
+	//
+	// See https://www.iana.org/assignments/charset-reg/KOI7-switched
+	KOI7switched MIB = 2105
+
+	// BRF is the MIB identifier with IANA name BRF.
+	//
+	// See https://www.iana.org/assignments/charset-reg/BRF
+	BRF MIB = 2106
+
+	// TSCII is the MIB identifier with IANA name TSCII.
+	//
+	// See https://www.iana.org/assignments/charset-reg/TSCII
+	TSCII MIB = 2107
+
+	// CP51932 is the MIB identifier with IANA name CP51932.
+	//
+	// See https://www.iana.org/assignments/charset-reg/CP51932
+	CP51932 MIB = 2108
+
+	// Windows874 is the MIB identifier with IANA name windows-874.
+	//
+	// See https://www.iana.org/assignments/charset-reg/windows-874
+	Windows874 MIB = 2109
+
+	// Windows1250 is the MIB identifier with IANA name windows-1250.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1250
+	Windows1250 MIB = 2250
+
+	// Windows1251 is the MIB identifier with IANA name windows-1251.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1251
+	Windows1251 MIB = 2251
+
+	// Windows1252 is the MIB identifier with IANA name windows-1252.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1252
+	Windows1252 MIB = 2252
+
+	// Windows1253 is the MIB identifier with IANA name windows-1253.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1253
+	Windows1253 MIB = 2253
+
+	// Windows1254 is the MIB identifier with IANA name windows-1254.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1254
+	Windows1254 MIB = 2254
+
+	// Windows1255 is the MIB identifier with IANA name windows-1255.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1255
+	Windows1255 MIB = 2255
+
+	// Windows1256 is the MIB identifier with IANA name windows-1256.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1256
+	Windows1256 MIB = 2256
+
+	// Windows1257 is the MIB identifier with IANA name windows-1257.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1257
+	Windows1257 MIB = 2257
+
+	// Windows1258 is the MIB identifier with IANA name windows-1258.
+	//
+	// Microsoft https://www.iana.org/assignments/charset-reg/windows-1258
+	Windows1258 MIB = 2258
+
+	// TIS620 is the MIB identifier with IANA name TIS-620.
+	//
+	// Thai Industrial Standards Institute (TISI)
+	TIS620 MIB = 2259
+
+	// CP50220 is the MIB identifier with IANA name CP50220.
+	//
+	// See https://www.iana.org/assignments/charset-reg/CP50220
+	CP50220 MIB = 2260
+)
diff --git a/vendor/golang.org/x/text/encoding/internal/internal.go b/vendor/golang.org/x/text/encoding/internal/internal.go
new file mode 100644
index 0000000000..413e6fc6d7
--- /dev/null
+++ b/vendor/golang.org/x/text/encoding/internal/internal.go
@@ -0,0 +1,75 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package internal contains code that is shared among encoding implementations.
+package internal
+
+import (
+	"golang.org/x/text/encoding"
+	"golang.org/x/text/encoding/internal/identifier"
+	"golang.org/x/text/transform"
+)
+
+// Encoding is an implementation of the Encoding interface that adds the String
+// and ID methods to an existing encoding.
+type Encoding struct {
+	encoding.Encoding
+	Name string
+	MIB  identifier.MIB
+}
+
+// _ verifies that Encoding implements identifier.Interface.
+var _ identifier.Interface = (*Encoding)(nil)
+
+func (e *Encoding) String() string {
+	return e.Name
+}
+
+func (e *Encoding) ID() (mib identifier.MIB, other string) {
+	return e.MIB, ""
+}
+
+// SimpleEncoding is an Encoding that combines two Transformers.
+type SimpleEncoding struct {
+	Decoder transform.Transformer
+	Encoder transform.Transformer
+}
+
+func (e *SimpleEncoding) NewDecoder() *encoding.Decoder {
+	return &encoding.Decoder{Transformer: e.Decoder}
+}
+
+func (e *SimpleEncoding) NewEncoder() *encoding.Encoder {
+	return &encoding.Encoder{Transformer: e.Encoder}
+}
+
+// FuncEncoding is an Encoding that combines two functions returning a new
+// Transformer.
+type FuncEncoding struct {
+	Decoder func() transform.Transformer
+	Encoder func() transform.Transformer
+}
+
+func (e FuncEncoding) NewDecoder() *encoding.Decoder {
+	return &encoding.Decoder{Transformer: e.Decoder()}
+}
+
+func (e FuncEncoding) NewEncoder() *encoding.Encoder {
+	return &encoding.Encoder{Transformer: e.Encoder()}
+}
+
+// A RepertoireError indicates a rune is not in the repertoire of a destination
+// encoding. It is associated with an encoding-specific suggested replacement
+// byte.
+type RepertoireError byte
+
+// Error implements the error interface.
+func (r RepertoireError) Error() string {
+	return "encoding: rune not supported by encoding."
+}
+
+// Replacement returns the replacement string associated with this error.
+func (r RepertoireError) Replacement() byte { return byte(r) }
+
+var ErrASCIIReplacement = RepertoireError(encoding.ASCIISub)
diff --git a/vendor/golang.org/x/text/encoding/unicode/override.go b/vendor/golang.org/x/text/encoding/unicode/override.go
new file mode 100644
index 0000000000..35d62fcc99
--- /dev/null
+++ b/vendor/golang.org/x/text/encoding/unicode/override.go
@@ -0,0 +1,82 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package unicode
+
+import (
+	"golang.org/x/text/transform"
+)
+
+// BOMOverride returns a new decoder transformer that is identical to fallback,
+// except that the presence of a Byte Order Mark at the start of the input
+// causes it to switch to the corresponding Unicode decoding. It will only
+// consider BOMs for UTF-8, UTF-16BE, and UTF-16LE.
+//
+// This differs from using ExpectBOM by allowing a BOM to switch to UTF-8, not
+// just UTF-16 variants, and allowing falling back to any encoding scheme.
+//
+// This technique is recommended by the W3C for use in HTML 5: "For
+// compatibility with deployed content, the byte order mark (also known as BOM)
+// is considered more authoritative than anything else."
+// http://www.w3.org/TR/encoding/#specification-hooks
+//
+// Using BOMOverride is mostly intended for use cases where the first characters
+// of a fallback encoding are known to not be a BOM, for example, for valid HTML
+// and most encodings.
+func BOMOverride(fallback transform.Transformer) transform.Transformer {
+	// TODO: possibly allow a variadic argument of unicode encodings to allow
+	// specifying details of which fallbacks are supported as well as
+	// specifying the details of the implementations. This would also allow for
+	// support for UTF-32, which should not be supported by default.
+	return &bomOverride{fallback: fallback}
+}
+
+type bomOverride struct {
+	fallback transform.Transformer
+	current  transform.Transformer
+}
+
+func (d *bomOverride) Reset() {
+	d.current = nil
+	d.fallback.Reset()
+}
+
+var (
+	// TODO: we could use decode functions here, instead of allocating a new
+	// decoder on every NewDecoder as IgnoreBOM decoders can be stateless.
+	utf16le = UTF16(LittleEndian, IgnoreBOM)
+	utf16be = UTF16(BigEndian, IgnoreBOM)
+)
+
+const utf8BOM = "\ufeff"
+
+func (d *bomOverride) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	if d.current != nil {
+		return d.current.Transform(dst, src, atEOF)
+	}
+	if len(src) < 3 && !atEOF {
+		return 0, 0, transform.ErrShortSrc
+	}
+	d.current = d.fallback
+	bomSize := 0
+	if len(src) >= 2 {
+		if src[0] == 0xFF && src[1] == 0xFE {
+			d.current = utf16le.NewDecoder()
+			bomSize = 2
+		} else if src[0] == 0xFE && src[1] == 0xFF {
+			d.current = utf16be.NewDecoder()
+			bomSize = 2
+		} else if len(src) >= 3 &&
+			src[0] == utf8BOM[0] &&
+			src[1] == utf8BOM[1] &&
+			src[2] == utf8BOM[2] {
+			d.current = transform.Nop
+			bomSize = 3
+		}
+	}
+	if bomSize < len(src) {
+		nDst, nSrc, err = d.current.Transform(dst, src[bomSize:], atEOF)
+	}
+	return nDst, nSrc + bomSize, err
+}
diff --git a/vendor/golang.org/x/text/encoding/unicode/unicode.go b/vendor/golang.org/x/text/encoding/unicode/unicode.go
new file mode 100644
index 0000000000..ce28c90628
--- /dev/null
+++ b/vendor/golang.org/x/text/encoding/unicode/unicode.go
@@ -0,0 +1,512 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package unicode provides Unicode encodings such as UTF-16.
+package unicode // import "golang.org/x/text/encoding/unicode"
+
+import (
+	"bytes"
+	"errors"
+	"unicode/utf16"
+	"unicode/utf8"
+
+	"golang.org/x/text/encoding"
+	"golang.org/x/text/encoding/internal"
+	"golang.org/x/text/encoding/internal/identifier"
+	"golang.org/x/text/internal/utf8internal"
+	"golang.org/x/text/runes"
+	"golang.org/x/text/transform"
+)
+
+// TODO: I think the Transformers really should return errors on unmatched
+// surrogate pairs and odd numbers of bytes. This is not required by RFC 2781,
+// which leaves it open, but is suggested by WhatWG. It will allow for all error
+// modes as defined by WhatWG: fatal, HTML and Replacement. This would require
+// the introduction of some kind of error type for conveying the erroneous code
+// point.
+
+// UTF8 is the UTF-8 encoding. It neither removes nor adds byte order marks.
+var UTF8 encoding.Encoding = utf8enc
+
+// UTF8BOM is an UTF-8 encoding where the decoder strips a leading byte order
+// mark while the encoder adds one.
+//
+// Some editors add a byte order mark as a signature to UTF-8 files. Although
+// the byte order mark is not useful for detecting byte order in UTF-8, it is
+// sometimes used as a convention to mark UTF-8-encoded files. This relies on
+// the observation that the UTF-8 byte order mark is either an illegal or at
+// least very unlikely sequence in any other character encoding.
+var UTF8BOM encoding.Encoding = utf8bomEncoding{}
+
+type utf8bomEncoding struct{}
+
+func (utf8bomEncoding) String() string {
+	return "UTF-8-BOM"
+}
+
+func (utf8bomEncoding) ID() (identifier.MIB, string) {
+	return identifier.Unofficial, "x-utf8bom"
+}
+
+func (utf8bomEncoding) NewEncoder() *encoding.Encoder {
+	return &encoding.Encoder{
+		Transformer: &utf8bomEncoder{t: runes.ReplaceIllFormed()},
+	}
+}
+
+func (utf8bomEncoding) NewDecoder() *encoding.Decoder {
+	return &encoding.Decoder{Transformer: &utf8bomDecoder{}}
+}
+
+var utf8enc = &internal.Encoding{
+	Encoding: &internal.SimpleEncoding{Decoder: utf8Decoder{}, Encoder: runes.ReplaceIllFormed()},
+	Name:     "UTF-8",
+	MIB:      identifier.UTF8,
+}
+
+type utf8bomDecoder struct {
+	checked bool
+}
+
+func (t *utf8bomDecoder) Reset() {
+	t.checked = false
+}
+
+func (t *utf8bomDecoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	if !t.checked {
+		if !atEOF && len(src) < len(utf8BOM) {
+			if len(src) == 0 {
+				return 0, 0, nil
+			}
+			return 0, 0, transform.ErrShortSrc
+		}
+		if bytes.HasPrefix(src, []byte(utf8BOM)) {
+			nSrc += len(utf8BOM)
+			src = src[len(utf8BOM):]
+		}
+		t.checked = true
+	}
+	nDst, n, err := utf8Decoder.Transform(utf8Decoder{}, dst[nDst:], src, atEOF)
+	nSrc += n
+	return nDst, nSrc, err
+}
+
+type utf8bomEncoder struct {
+	written bool
+	t       transform.Transformer
+}
+
+func (t *utf8bomEncoder) Reset() {
+	t.written = false
+	t.t.Reset()
+}
+
+func (t *utf8bomEncoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	if !t.written {
+		if len(dst) < len(utf8BOM) {
+			return nDst, 0, transform.ErrShortDst
+		}
+		nDst = copy(dst, utf8BOM)
+		t.written = true
+	}
+	n, nSrc, err := utf8Decoder.Transform(utf8Decoder{}, dst[nDst:], src, atEOF)
+	nDst += n
+	return nDst, nSrc, err
+}
+
+type utf8Decoder struct{ transform.NopResetter }
+
+func (utf8Decoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	var pSrc int // point from which to start copy in src
+	var accept utf8internal.AcceptRange
+
+	// The decoder can only make the input larger, not smaller.
+	n := len(src)
+	if len(dst) < n {
+		err = transform.ErrShortDst
+		n = len(dst)
+		atEOF = false
+	}
+	for nSrc < n {
+		c := src[nSrc]
+		if c < utf8.RuneSelf {
+			nSrc++
+			continue
+		}
+		first := utf8internal.First[c]
+		size := int(first & utf8internal.SizeMask)
+		if first == utf8internal.FirstInvalid {
+			goto handleInvalid // invalid starter byte
+		}
+		accept = utf8internal.AcceptRanges[first>>utf8internal.AcceptShift]
+		if nSrc+size > n {
+			if !atEOF {
+				// We may stop earlier than necessary here if the short sequence
+				// has invalid bytes. Not checking for this simplifies the code
+				// and may avoid duplicate computations in certain conditions.
+				if err == nil {
+					err = transform.ErrShortSrc
+				}
+				break
+			}
+			// Determine the maximal subpart of an ill-formed subsequence.
+			switch {
+			case nSrc+1 >= n || src[nSrc+1] < accept.Lo || accept.Hi < src[nSrc+1]:
+				size = 1
+			case nSrc+2 >= n || src[nSrc+2] < utf8internal.LoCB || utf8internal.HiCB < src[nSrc+2]:
+				size = 2
+			default:
+				size = 3 // As we are short, the maximum is 3.
+			}
+			goto handleInvalid
+		}
+		if c = src[nSrc+1]; c < accept.Lo || accept.Hi < c {
+			size = 1
+			goto handleInvalid // invalid continuation byte
+		} else if size == 2 {
+		} else if c = src[nSrc+2]; c < utf8internal.LoCB || utf8internal.HiCB < c {
+			size = 2
+			goto handleInvalid // invalid continuation byte
+		} else if size == 3 {
+		} else if c = src[nSrc+3]; c < utf8internal.LoCB || utf8internal.HiCB < c {
+			size = 3
+			goto handleInvalid // invalid continuation byte
+		}
+		nSrc += size
+		continue
+
+	handleInvalid:
+		// Copy the scanned input so far.
+		nDst += copy(dst[nDst:], src[pSrc:nSrc])
+
+		// Append RuneError to the destination.
+		const runeError = "\ufffd"
+		if nDst+len(runeError) > len(dst) {
+			return nDst, nSrc, transform.ErrShortDst
+		}
+		nDst += copy(dst[nDst:], runeError)
+
+		// Skip the maximal subpart of an ill-formed subsequence according to
+		// the W3C standard way instead of the Go way. This Transform is
+		// probably the only place in the text repo where it is warranted.
+		nSrc += size
+		pSrc = nSrc
+
+		// Recompute the maximum source length.
+		if sz := len(dst) - nDst; sz < len(src)-nSrc {
+			err = transform.ErrShortDst
+			n = nSrc + sz
+			atEOF = false
+		}
+	}
+	return nDst + copy(dst[nDst:], src[pSrc:nSrc]), nSrc, err
+}
+
+// UTF16 returns a UTF-16 Encoding for the given default endianness and byte
+// order mark (BOM) policy.
+//
+// When decoding from UTF-16 to UTF-8, if the BOMPolicy is IgnoreBOM then
+// neither BOMs U+FEFF nor noncharacters U+FFFE in the input stream will affect
+// the endianness used for decoding, and will instead be output as their
+// standard UTF-8 encodings: "\xef\xbb\xbf" and "\xef\xbf\xbe". If the BOMPolicy
+// is UseBOM or ExpectBOM a staring BOM is not written to the UTF-8 output.
+// Instead, it overrides the default endianness e for the remainder of the
+// transformation. Any subsequent BOMs U+FEFF or noncharacters U+FFFE will not
+// affect the endianness used, and will instead be output as their standard
+// UTF-8 encodings. For UseBOM, if there is no starting BOM, it will proceed
+// with the default Endianness. For ExpectBOM, in that case, the transformation
+// will return early with an ErrMissingBOM error.
+//
+// When encoding from UTF-8 to UTF-16, a BOM will be inserted at the start of
+// the output if the BOMPolicy is UseBOM or ExpectBOM. Otherwise, a BOM will not
+// be inserted. The UTF-8 input does not need to contain a BOM.
+//
+// There is no concept of a 'native' endianness. If the UTF-16 data is produced
+// and consumed in a greater context that implies a certain endianness, use
+// IgnoreBOM. Otherwise, use ExpectBOM and always produce and consume a BOM.
+//
+// In the language of https://www.unicode.org/faq/utf_bom.html#bom10, IgnoreBOM
+// corresponds to "Where the precise type of the data stream is known... the
+// BOM should not be used" and ExpectBOM corresponds to "A particular
+// protocol... may require use of the BOM".
+func UTF16(e Endianness, b BOMPolicy) encoding.Encoding {
+	return utf16Encoding{config{e, b}, mibValue[e][b&bomMask]}
+}
+
+// mibValue maps Endianness and BOMPolicy settings to MIB constants. Note that
+// some configurations map to the same MIB identifier. RFC 2781 has requirements
+// and recommendations. Some of the "configurations" are merely recommendations,
+// so multiple configurations could match.
+var mibValue = map[Endianness][numBOMValues]identifier.MIB{
+	BigEndian: [numBOMValues]identifier.MIB{
+		IgnoreBOM: identifier.UTF16BE,
+		UseBOM:    identifier.UTF16, // BigEnding default is preferred by RFC 2781.
+		// TODO: acceptBOM | strictBOM would map to UTF16BE as well.
+	},
+	LittleEndian: [numBOMValues]identifier.MIB{
+		IgnoreBOM: identifier.UTF16LE,
+		UseBOM:    identifier.UTF16, // LittleEndian default is allowed and preferred on Windows.
+		// TODO: acceptBOM | strictBOM would map to UTF16LE as well.
+	},
+	// ExpectBOM is not widely used and has no valid MIB identifier.
+}
+
+// All lists a configuration for each IANA-defined UTF-16 variant.
+var All = []encoding.Encoding{
+	UTF8,
+	UTF16(BigEndian, UseBOM),
+	UTF16(BigEndian, IgnoreBOM),
+	UTF16(LittleEndian, IgnoreBOM),
+}
+
+// BOMPolicy is a UTF-16 encoding's byte order mark policy.
+type BOMPolicy uint8
+
+const (
+	writeBOM   BOMPolicy = 0x01
+	acceptBOM  BOMPolicy = 0x02
+	requireBOM BOMPolicy = 0x04
+	bomMask    BOMPolicy = 0x07
+
+	// HACK: numBOMValues == 8 triggers a bug in the 1.4 compiler (cannot have a
+	// map of an array of length 8 of a type that is also used as a key or value
+	// in another map). See golang.org/issue/11354.
+	// TODO: consider changing this value back to 8 if the use of 1.4.* has
+	// been minimized.
+	numBOMValues = 8 + 1
+
+	// IgnoreBOM means to ignore any byte order marks.
+	IgnoreBOM BOMPolicy = 0
+	// Common and RFC 2781-compliant interpretation for UTF-16BE/LE.
+
+	// UseBOM means that the UTF-16 form may start with a byte order mark, which
+	// will be used to override the default encoding.
+	UseBOM BOMPolicy = writeBOM | acceptBOM
+	// Common and RFC 2781-compliant interpretation for UTF-16.
+
+	// ExpectBOM means that the UTF-16 form must start with a byte order mark,
+	// which will be used to override the default encoding.
+	ExpectBOM BOMPolicy = writeBOM | acceptBOM | requireBOM
+	// Used in Java as Unicode (not to be confused with Java's UTF-16) and
+	// ICU's UTF-16,version=1. Not compliant with RFC 2781.
+
+	// TODO (maybe): strictBOM: BOM must match Endianness. This would allow:
+	// - UTF-16(B|L)E,version=1: writeBOM | acceptBOM | requireBOM | strictBOM
+	//    (UnicodeBig and UnicodeLittle in Java)
+	// - RFC 2781-compliant, but less common interpretation for UTF-16(B|L)E:
+	//    acceptBOM | strictBOM (e.g. assigned to CheckBOM).
+	// This addition would be consistent with supporting ExpectBOM.
+)
+
+// Endianness is a UTF-16 encoding's default endianness.
+type Endianness bool
+
+const (
+	// BigEndian is UTF-16BE.
+	BigEndian Endianness = false
+	// LittleEndian is UTF-16LE.
+	LittleEndian Endianness = true
+)
+
+// ErrMissingBOM means that decoding UTF-16 input with ExpectBOM did not find a
+// starting byte order mark.
+var ErrMissingBOM = errors.New("encoding: missing byte order mark")
+
+type utf16Encoding struct {
+	config
+	mib identifier.MIB
+}
+
+type config struct {
+	endianness Endianness
+	bomPolicy  BOMPolicy
+}
+
+func (u utf16Encoding) NewDecoder() *encoding.Decoder {
+	return &encoding.Decoder{Transformer: &utf16Decoder{
+		initial: u.config,
+		current: u.config,
+	}}
+}
+
+func (u utf16Encoding) NewEncoder() *encoding.Encoder {
+	return &encoding.Encoder{Transformer: &utf16Encoder{
+		endianness:       u.endianness,
+		initialBOMPolicy: u.bomPolicy,
+		currentBOMPolicy: u.bomPolicy,
+	}}
+}
+
+func (u utf16Encoding) ID() (mib identifier.MIB, other string) {
+	return u.mib, ""
+}
+
+func (u utf16Encoding) String() string {
+	e, b := "B", ""
+	if u.endianness == LittleEndian {
+		e = "L"
+	}
+	switch u.bomPolicy {
+	case ExpectBOM:
+		b = "Expect"
+	case UseBOM:
+		b = "Use"
+	case IgnoreBOM:
+		b = "Ignore"
+	}
+	return "UTF-16" + e + "E (" + b + " BOM)"
+}
+
+type utf16Decoder struct {
+	initial config
+	current config
+}
+
+func (u *utf16Decoder) Reset() {
+	u.current = u.initial
+}
+
+func (u *utf16Decoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	if len(src) < 2 && atEOF && u.current.bomPolicy&requireBOM != 0 {
+		return 0, 0, ErrMissingBOM
+	}
+	if len(src) == 0 {
+		return 0, 0, nil
+	}
+	if len(src) >= 2 && u.current.bomPolicy&acceptBOM != 0 {
+		switch {
+		case src[0] == 0xfe && src[1] == 0xff:
+			u.current.endianness = BigEndian
+			nSrc = 2
+		case src[0] == 0xff && src[1] == 0xfe:
+			u.current.endianness = LittleEndian
+			nSrc = 2
+		default:
+			if u.current.bomPolicy&requireBOM != 0 {
+				return 0, 0, ErrMissingBOM
+			}
+		}
+		u.current.bomPolicy = IgnoreBOM
+	}
+
+	var r rune
+	var dSize, sSize int
+	for nSrc < len(src) {
+		if nSrc+1 < len(src) {
+			x := uint16(src[nSrc+0])<<8 | uint16(src[nSrc+1])
+			if u.current.endianness == LittleEndian {
+				x = x>>8 | x<<8
+			}
+			r, sSize = rune(x), 2
+			if utf16.IsSurrogate(r) {
+				if nSrc+3 < len(src) {
+					x = uint16(src[nSrc+2])<<8 | uint16(src[nSrc+3])
+					if u.current.endianness == LittleEndian {
+						x = x>>8 | x<<8
+					}
+					// Save for next iteration if it is not a high surrogate.
+					if isHighSurrogate(rune(x)) {
+						r, sSize = utf16.DecodeRune(r, rune(x)), 4
+					}
+				} else if !atEOF {
+					err = transform.ErrShortSrc
+					break
+				}
+			}
+			if dSize = utf8.RuneLen(r); dSize < 0 {
+				r, dSize = utf8.RuneError, 3
+			}
+		} else if atEOF {
+			// Single trailing byte.
+			r, dSize, sSize = utf8.RuneError, 3, 1
+		} else {
+			err = transform.ErrShortSrc
+			break
+		}
+		if nDst+dSize > len(dst) {
+			err = transform.ErrShortDst
+			break
+		}
+		nDst += utf8.EncodeRune(dst[nDst:], r)
+		nSrc += sSize
+	}
+	return nDst, nSrc, err
+}
+
+func isHighSurrogate(r rune) bool {
+	return 0xDC00 <= r && r <= 0xDFFF
+}
+
+type utf16Encoder struct {
+	endianness       Endianness
+	initialBOMPolicy BOMPolicy
+	currentBOMPolicy BOMPolicy
+}
+
+func (u *utf16Encoder) Reset() {
+	u.currentBOMPolicy = u.initialBOMPolicy
+}
+
+func (u *utf16Encoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	if u.currentBOMPolicy&writeBOM != 0 {
+		if len(dst) < 2 {
+			return 0, 0, transform.ErrShortDst
+		}
+		dst[0], dst[1] = 0xfe, 0xff
+		u.currentBOMPolicy = IgnoreBOM
+		nDst = 2
+	}
+
+	r, size := rune(0), 0
+	for nSrc < len(src) {
+		r = rune(src[nSrc])
+
+		// Decode a 1-byte rune.
+		if r < utf8.RuneSelf {
+			size = 1
+
+		} else {
+			// Decode a multi-byte rune.
+			r, size = utf8.DecodeRune(src[nSrc:])
+			if size == 1 {
+				// All valid runes of size 1 (those below utf8.RuneSelf) were
+				// handled above. We have invalid UTF-8 or we haven't seen the
+				// full character yet.
+				if !atEOF && !utf8.FullRune(src[nSrc:]) {
+					err = transform.ErrShortSrc
+					break
+				}
+			}
+		}
+
+		if r <= 0xffff {
+			if nDst+2 > len(dst) {
+				err = transform.ErrShortDst
+				break
+			}
+			dst[nDst+0] = uint8(r >> 8)
+			dst[nDst+1] = uint8(r)
+			nDst += 2
+		} else {
+			if nDst+4 > len(dst) {
+				err = transform.ErrShortDst
+				break
+			}
+			r1, r2 := utf16.EncodeRune(r)
+			dst[nDst+0] = uint8(r1 >> 8)
+			dst[nDst+1] = uint8(r1)
+			dst[nDst+2] = uint8(r2 >> 8)
+			dst[nDst+3] = uint8(r2)
+			nDst += 4
+		}
+		nSrc += size
+	}
+
+	if u.endianness == LittleEndian {
+		for i := 0; i < nDst; i += 2 {
+			dst[i], dst[i+1] = dst[i+1], dst[i]
+		}
+	}
+	return nDst, nSrc, err
+}
diff --git a/vendor/golang.org/x/text/feature/plural/common.go b/vendor/golang.org/x/text/feature/plural/common.go
new file mode 100644
index 0000000000..fdcb373fdf
--- /dev/null
+++ b/vendor/golang.org/x/text/feature/plural/common.go
@@ -0,0 +1,70 @@
+// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
+
+package plural
+
+// Form defines a plural form.
+//
+// Not all languages support all forms. Also, the meaning of each form varies
+// per language. It is important to note that the name of a form does not
+// necessarily correspond one-to-one with the set of numbers. For instance,
+// for Croation, One matches not only 1, but also 11, 21, etc.
+//
+// Each language must at least support the form "other".
+type Form byte
+
+const (
+	Other Form = iota
+	Zero
+	One
+	Two
+	Few
+	Many
+)
+
+var countMap = map[string]Form{
+	"other": Other,
+	"zero":  Zero,
+	"one":   One,
+	"two":   Two,
+	"few":   Few,
+	"many":  Many,
+}
+
+type pluralCheck struct {
+	// category:
+	// 3..7: opID
+	// 0..2: category
+	cat   byte
+	setID byte
+}
+
+// opID identifies the type of operand in the plural rule, being i, n or f.
+// (v, w, and t are treated as filters in our implementation.)
+type opID byte
+
+const (
+	opMod           opID = 0x1    // is '%' used?
+	opNotEqual      opID = 0x2    // using "!=" to compare
+	opI             opID = 0 << 2 // integers after taking the absolute value
+	opN             opID = 1 << 2 // full number (must be integer)
+	opF             opID = 2 << 2 // fraction
+	opV             opID = 3 << 2 // number of visible digits
+	opW             opID = 4 << 2 // number of visible digits without trailing zeros
+	opBretonM       opID = 5 << 2 // hard-wired rule for Breton
+	opItalian800    opID = 6 << 2 // hard-wired rule for Italian
+	opAzerbaijan00s opID = 7 << 2 // hard-wired rule for Azerbaijan
+)
+const (
+	// Use this plural form to indicate the next rule needs to match as well.
+	// The last condition in the list will have the correct plural form.
+	andNext  = 0x7
+	formMask = 0x7
+
+	opShift = 3
+
+	// numN indicates the maximum integer, or maximum mod value, for which we
+	// have inclusion masks.
+	numN = 100
+	// The common denominator of the modulo that is taken.
+	maxMod = 100
+)
diff --git a/vendor/golang.org/x/text/feature/plural/message.go b/vendor/golang.org/x/text/feature/plural/message.go
new file mode 100644
index 0000000000..56d518cc34
--- /dev/null
+++ b/vendor/golang.org/x/text/feature/plural/message.go
@@ -0,0 +1,244 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package plural
+
+import (
+	"fmt"
+	"io"
+	"reflect"
+	"strconv"
+
+	"golang.org/x/text/internal/catmsg"
+	"golang.org/x/text/internal/number"
+	"golang.org/x/text/language"
+	"golang.org/x/text/message/catalog"
+)
+
+// TODO: consider deleting this interface. Maybe VisibleDigits is always
+// sufficient and practical.
+
+// Interface is used for types that can determine their own plural form.
+type Interface interface {
+	// PluralForm reports the plural form for the given language of the
+	// underlying value. It also returns the integer value. If the integer value
+	// is larger than fits in n, PluralForm may return a value modulo
+	// 10,000,000.
+	PluralForm(t language.Tag, scale int) (f Form, n int)
+}
+
+// Selectf returns the first case for which its selector is a match for the
+// arg-th substitution argument to a formatting call, formatting it as indicated
+// by format.
+//
+// The cases argument are pairs of selectors and messages. Selectors are of type
+// string or Form. Messages are of type string or catalog.Message. A selector
+// matches an argument if:
+//   - it is "other" or Other
+//   - it matches the plural form of the argument: "zero", "one", "two", "few",
+//     or "many", or the equivalent Form
+//   - it is of the form "=x" where x is an integer that matches the value of
+//     the argument.
+//   - it is of the form "<x" where x is an integer that is larger than the
+//     argument.
+//
+// The format argument determines the formatting parameters for which to
+// determine the plural form. This is especially relevant for non-integer
+// values.
+//
+// The format string may be "", in which case a best-effort attempt is made to
+// find a reasonable representation on which to base the plural form. Examples
+// of format strings are:
+//   - %.2f   decimal with scale 2
+//   - %.2e   scientific notation with precision 3 (scale + 1)
+//   - %d     integer
+func Selectf(arg int, format string, cases ...interface{}) catalog.Message {
+	var p parser
+	// Intercept the formatting parameters of format by doing a dummy print.
+	fmt.Fprintf(io.Discard, format, &p)
+	m := &message{arg, kindDefault, 0, cases}
+	switch p.verb {
+	case 'g':
+		m.kind = kindPrecision
+		m.scale = p.scale
+	case 'f':
+		m.kind = kindScale
+		m.scale = p.scale
+	case 'e':
+		m.kind = kindScientific
+		m.scale = p.scale
+	case 'd':
+		m.kind = kindScale
+		m.scale = 0
+	default:
+		// TODO: do we need to handle errors?
+	}
+	return m
+}
+
+type parser struct {
+	verb  rune
+	scale int
+}
+
+func (p *parser) Format(s fmt.State, verb rune) {
+	p.verb = verb
+	p.scale = -1
+	if prec, ok := s.Precision(); ok {
+		p.scale = prec
+	}
+}
+
+type message struct {
+	arg   int
+	kind  int
+	scale int
+	cases []interface{}
+}
+
+const (
+	// Start with non-ASCII to allow skipping values.
+	kindDefault    = 0x80 + iota
+	kindScale      // verb f, number of fraction digits follows
+	kindScientific // verb e, number of fraction digits follows
+	kindPrecision  // verb g, number of significant digits follows
+)
+
+var handle = catmsg.Register("golang.org/x/text/feature/plural:plural", execute)
+
+func (m *message) Compile(e *catmsg.Encoder) error {
+	e.EncodeMessageType(handle)
+
+	e.EncodeUint(uint64(m.arg))
+
+	e.EncodeUint(uint64(m.kind))
+	if m.kind > kindDefault {
+		e.EncodeUint(uint64(m.scale))
+	}
+
+	forms := validForms(cardinal, e.Language())
+
+	for i := 0; i < len(m.cases); {
+		if err := compileSelector(e, forms, m.cases[i]); err != nil {
+			return err
+		}
+		if i++; i >= len(m.cases) {
+			return fmt.Errorf("plural: no message defined for selector %v", m.cases[i-1])
+		}
+		var msg catalog.Message
+		switch x := m.cases[i].(type) {
+		case string:
+			msg = catalog.String(x)
+		case catalog.Message:
+			msg = x
+		default:
+			return fmt.Errorf("plural: message of type %T; must be string or catalog.Message", x)
+		}
+		if err := e.EncodeMessage(msg); err != nil {
+			return err
+		}
+		i++
+	}
+	return nil
+}
+
+func compileSelector(e *catmsg.Encoder, valid []Form, selector interface{}) error {
+	form := Other
+	switch x := selector.(type) {
+	case string:
+		if x == "" {
+			return fmt.Errorf("plural: empty selector")
+		}
+		if c := x[0]; c == '=' || c == '<' {
+			val, err := strconv.ParseUint(x[1:], 10, 16)
+			if err != nil {
+				return fmt.Errorf("plural: invalid number in selector %q: %v", selector, err)
+			}
+			e.EncodeUint(uint64(c))
+			e.EncodeUint(val)
+			return nil
+		}
+		var ok bool
+		form, ok = countMap[x]
+		if !ok {
+			return fmt.Errorf("plural: invalid plural form %q", selector)
+		}
+	case Form:
+		form = x
+	default:
+		return fmt.Errorf("plural: selector of type %T; want string or Form", selector)
+	}
+
+	ok := false
+	for _, f := range valid {
+		if f == form {
+			ok = true
+			break
+		}
+	}
+	if !ok {
+		return fmt.Errorf("plural: form %q not supported for language %q", selector, e.Language())
+	}
+	e.EncodeUint(uint64(form))
+	return nil
+}
+
+func execute(d *catmsg.Decoder) bool {
+	lang := d.Language()
+	argN := int(d.DecodeUint())
+	kind := int(d.DecodeUint())
+	scale := -1 // default
+	if kind > kindDefault {
+		scale = int(d.DecodeUint())
+	}
+	form := Other
+	n := -1
+	if arg := d.Arg(argN); arg == nil {
+		// Default to Other.
+	} else if x, ok := arg.(number.VisibleDigits); ok {
+		d := x.Digits(nil, lang, scale)
+		form, n = cardinal.matchDisplayDigits(lang, &d)
+	} else if x, ok := arg.(Interface); ok {
+		// This covers lists and formatters from the number package.
+		form, n = x.PluralForm(lang, scale)
+	} else {
+		var f number.Formatter
+		switch kind {
+		case kindScale:
+			f.InitDecimal(lang)
+			f.SetScale(scale)
+		case kindScientific:
+			f.InitScientific(lang)
+			f.SetScale(scale)
+		case kindPrecision:
+			f.InitDecimal(lang)
+			f.SetPrecision(scale)
+		case kindDefault:
+			// sensible default
+			f.InitDecimal(lang)
+			if k := reflect.TypeOf(arg).Kind(); reflect.Int <= k && k <= reflect.Uintptr {
+				f.SetScale(0)
+			} else {
+				f.SetScale(2)
+			}
+		}
+		var dec number.Decimal // TODO: buffer in Printer
+		dec.Convert(f.RoundingContext, arg)
+		v := number.FormatDigits(&dec, f.RoundingContext)
+		if !v.NaN && !v.Inf {
+			form, n = cardinal.matchDisplayDigits(d.Language(), &v)
+		}
+	}
+	for !d.Done() {
+		f := d.DecodeUint()
+		if (f == '=' && n == int(d.DecodeUint())) ||
+			(f == '<' && 0 <= n && n < int(d.DecodeUint())) ||
+			form == Form(f) ||
+			Other == Form(f) {
+			return d.ExecuteMessage()
+		}
+		d.SkipMessage()
+	}
+	return false
+}
diff --git a/vendor/golang.org/x/text/feature/plural/plural.go b/vendor/golang.org/x/text/feature/plural/plural.go
new file mode 100644
index 0000000000..e9f2d42e04
--- /dev/null
+++ b/vendor/golang.org/x/text/feature/plural/plural.go
@@ -0,0 +1,262 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:generate go run gen.go gen_common.go
+
+// Package plural provides utilities for handling linguistic plurals in text.
+//
+// The definitions in this package are based on the plural rule handling defined
+// in CLDR. See
+// https://unicode.org/reports/tr35/tr35-numbers.html#Language_Plural_Rules for
+// details.
+package plural
+
+import (
+	"golang.org/x/text/internal/language/compact"
+	"golang.org/x/text/internal/number"
+	"golang.org/x/text/language"
+)
+
+// Rules defines the plural rules for all languages for a certain plural type.
+//
+// This package is UNDER CONSTRUCTION and its API may change.
+type Rules struct {
+	rules          []pluralCheck
+	index          []byte
+	langToIndex    []byte
+	inclusionMasks []uint64
+}
+
+var (
+	// Cardinal defines the plural rules for numbers indicating quantities.
+	Cardinal *Rules = cardinal
+
+	// Ordinal defines the plural rules for numbers indicating position
+	// (first, second, etc.).
+	Ordinal *Rules = ordinal
+
+	ordinal = &Rules{
+		ordinalRules,
+		ordinalIndex,
+		ordinalLangToIndex,
+		ordinalInclusionMasks[:],
+	}
+
+	cardinal = &Rules{
+		cardinalRules,
+		cardinalIndex,
+		cardinalLangToIndex,
+		cardinalInclusionMasks[:],
+	}
+)
+
+// getIntApprox converts the digits in slice digits[start:end] to an integer
+// according to the following rules:
+//   - Let i be asInt(digits[start:end]), where out-of-range digits are assumed
+//     to be zero.
+//   - Result n is big if i / 10^nMod > 1.
+//   - Otherwise the result is i % 10^nMod.
+//
+// For example, if digits is {1, 2, 3} and start:end is 0:5, then the result
+// for various values of nMod is:
+//   - when nMod == 2, n == big
+//   - when nMod == 3, n == big
+//   - when nMod == 4, n == big
+//   - when nMod == 5, n == 12300
+//   - when nMod == 6, n == 12300
+//   - when nMod == 7, n == 12300
+func getIntApprox(digits []byte, start, end, nMod, big int) (n int) {
+	// Leading 0 digits just result in 0.
+	p := start
+	if p < 0 {
+		p = 0
+	}
+	// Range only over the part for which we have digits.
+	mid := end
+	if mid >= len(digits) {
+		mid = len(digits)
+	}
+	// Check digits more significant that nMod.
+	if q := end - nMod; q > 0 {
+		if q > mid {
+			q = mid
+		}
+		for ; p < q; p++ {
+			if digits[p] != 0 {
+				return big
+			}
+		}
+	}
+	for ; p < mid; p++ {
+		n = 10*n + int(digits[p])
+	}
+	// Multiply for trailing zeros.
+	for ; p < end; p++ {
+		n *= 10
+	}
+	return n
+}
+
+// MatchDigits computes the plural form for the given language and the given
+// decimal floating point digits. The digits are stored in big-endian order and
+// are of value byte(0) - byte(9). The floating point position is indicated by
+// exp and the number of visible decimals is scale. All leading and trailing
+// zeros may be omitted from digits.
+//
+// The following table contains examples of possible arguments to represent
+// the given numbers.
+//
+//	decimal    digits              exp    scale
+//	123        []byte{1, 2, 3}     3      0
+//	123.4      []byte{1, 2, 3, 4}  3      1
+//	123.40     []byte{1, 2, 3, 4}  3      2
+//	100000     []byte{1}           6      0
+//	100000.00  []byte{1}           6      3
+func (p *Rules) MatchDigits(t language.Tag, digits []byte, exp, scale int) Form {
+	index := tagToID(t)
+
+	// Differentiate up to including mod 1000000 for the integer part.
+	n := getIntApprox(digits, 0, exp, 6, 1000000)
+
+	// Differentiate up to including mod 100 for the fractional part.
+	f := getIntApprox(digits, exp, exp+scale, 2, 100)
+
+	return matchPlural(p, index, n, f, scale)
+}
+
+func (p *Rules) matchDisplayDigits(t language.Tag, d *number.Digits) (Form, int) {
+	n := getIntApprox(d.Digits, 0, int(d.Exp), 6, 1000000)
+	return p.MatchDigits(t, d.Digits, int(d.Exp), d.NumFracDigits()), n
+}
+
+func validForms(p *Rules, t language.Tag) (forms []Form) {
+	offset := p.langToIndex[tagToID(t)]
+	rules := p.rules[p.index[offset]:p.index[offset+1]]
+
+	forms = append(forms, Other)
+	last := Other
+	for _, r := range rules {
+		if cat := Form(r.cat & formMask); cat != andNext && last != cat {
+			forms = append(forms, cat)
+			last = cat
+		}
+	}
+	return forms
+}
+
+func (p *Rules) matchComponents(t language.Tag, n, f, scale int) Form {
+	return matchPlural(p, tagToID(t), n, f, scale)
+}
+
+// MatchPlural returns the plural form for the given language and plural
+// operands (as defined in
+// https://unicode.org/reports/tr35/tr35-numbers.html#Language_Plural_Rules):
+//
+//	where
+//		n  absolute value of the source number (integer and decimals)
+//	input
+//		i  integer digits of n.
+//		v  number of visible fraction digits in n, with trailing zeros.
+//		w  number of visible fraction digits in n, without trailing zeros.
+//		f  visible fractional digits in n, with trailing zeros (f = t * 10^(v-w))
+//		t  visible fractional digits in n, without trailing zeros.
+//
+// If any of the operand values is too large to fit in an int, it is okay to
+// pass the value modulo 10,000,000.
+func (p *Rules) MatchPlural(lang language.Tag, i, v, w, f, t int) Form {
+	return matchPlural(p, tagToID(lang), i, f, v)
+}
+
+func matchPlural(p *Rules, index compact.ID, n, f, v int) Form {
+	nMask := p.inclusionMasks[n%maxMod]
+	// Compute the fMask inline in the rules below, as it is relatively rare.
+	// fMask := p.inclusionMasks[f%maxMod]
+	vMask := p.inclusionMasks[v%maxMod]
+
+	// Do the matching
+	offset := p.langToIndex[index]
+	rules := p.rules[p.index[offset]:p.index[offset+1]]
+	for i := 0; i < len(rules); i++ {
+		rule := rules[i]
+		setBit := uint64(1 << rule.setID)
+		var skip bool
+		switch op := opID(rule.cat >> opShift); op {
+		case opI: // i = x
+			skip = n >= numN || nMask&setBit == 0
+
+		case opI | opNotEqual: // i != x
+			skip = n < numN && nMask&setBit != 0
+
+		case opI | opMod: // i % m = x
+			skip = nMask&setBit == 0
+
+		case opI | opMod | opNotEqual: // i % m != x
+			skip = nMask&setBit != 0
+
+		case opN: // n = x
+			skip = f != 0 || n >= numN || nMask&setBit == 0
+
+		case opN | opNotEqual: // n != x
+			skip = f == 0 && n < numN && nMask&setBit != 0
+
+		case opN | opMod: // n % m = x
+			skip = f != 0 || nMask&setBit == 0
+
+		case opN | opMod | opNotEqual: // n % m != x
+			skip = f == 0 && nMask&setBit != 0
+
+		case opF: // f = x
+			skip = f >= numN || p.inclusionMasks[f%maxMod]&setBit == 0
+
+		case opF | opNotEqual: // f != x
+			skip = f < numN && p.inclusionMasks[f%maxMod]&setBit != 0
+
+		case opF | opMod: // f % m = x
+			skip = p.inclusionMasks[f%maxMod]&setBit == 0
+
+		case opF | opMod | opNotEqual: // f % m != x
+			skip = p.inclusionMasks[f%maxMod]&setBit != 0
+
+		case opV: // v = x
+			skip = v < numN && vMask&setBit == 0
+
+		case opV | opNotEqual: // v != x
+			skip = v < numN && vMask&setBit != 0
+
+		case opW: // w == 0
+			skip = f != 0
+
+		case opW | opNotEqual: // w != 0
+			skip = f == 0
+
+		// Hard-wired rules that cannot be handled by our algorithm.
+
+		case opBretonM:
+			skip = f != 0 || n == 0 || n%1000000 != 0
+
+		case opAzerbaijan00s:
+			// 100,200,300,400,500,600,700,800,900
+			skip = n == 0 || n >= 1000 || n%100 != 0
+
+		case opItalian800:
+			skip = (f != 0 || n >= numN || nMask&setBit == 0) && n != 800
+		}
+		if skip {
+			// advance over AND entries.
+			for ; i < len(rules) && rules[i].cat&formMask == andNext; i++ {
+			}
+			continue
+		}
+		// return if we have a final entry.
+		if cat := rule.cat & formMask; cat != andNext {
+			return Form(cat)
+		}
+	}
+	return Other
+}
+
+func tagToID(t language.Tag) compact.ID {
+	id, _ := compact.RegionalID(compact.Tag(t))
+	return id
+}
diff --git a/vendor/golang.org/x/text/feature/plural/tables.go b/vendor/golang.org/x/text/feature/plural/tables.go
new file mode 100644
index 0000000000..b06b9cb4ea
--- /dev/null
+++ b/vendor/golang.org/x/text/feature/plural/tables.go
@@ -0,0 +1,552 @@
+// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
+
+package plural
+
+// CLDRVersion is the CLDR version from which the tables in this package are derived.
+const CLDRVersion = "32"
+
+var ordinalRules = []pluralCheck{ // 64 elements
+	0:  {cat: 0x2f, setID: 0x4},
+	1:  {cat: 0x3a, setID: 0x5},
+	2:  {cat: 0x22, setID: 0x1},
+	3:  {cat: 0x22, setID: 0x6},
+	4:  {cat: 0x22, setID: 0x7},
+	5:  {cat: 0x2f, setID: 0x8},
+	6:  {cat: 0x3c, setID: 0x9},
+	7:  {cat: 0x2f, setID: 0xa},
+	8:  {cat: 0x3c, setID: 0xb},
+	9:  {cat: 0x2c, setID: 0xc},
+	10: {cat: 0x24, setID: 0xd},
+	11: {cat: 0x2d, setID: 0xe},
+	12: {cat: 0x2d, setID: 0xf},
+	13: {cat: 0x2f, setID: 0x10},
+	14: {cat: 0x35, setID: 0x3},
+	15: {cat: 0xc5, setID: 0x11},
+	16: {cat: 0x2, setID: 0x1},
+	17: {cat: 0x5, setID: 0x3},
+	18: {cat: 0xd, setID: 0x12},
+	19: {cat: 0x22, setID: 0x1},
+	20: {cat: 0x2f, setID: 0x13},
+	21: {cat: 0x3d, setID: 0x14},
+	22: {cat: 0x2f, setID: 0x15},
+	23: {cat: 0x3a, setID: 0x16},
+	24: {cat: 0x2f, setID: 0x17},
+	25: {cat: 0x3b, setID: 0x18},
+	26: {cat: 0x2f, setID: 0xa},
+	27: {cat: 0x3c, setID: 0xb},
+	28: {cat: 0x22, setID: 0x1},
+	29: {cat: 0x23, setID: 0x19},
+	30: {cat: 0x24, setID: 0x1a},
+	31: {cat: 0x22, setID: 0x1b},
+	32: {cat: 0x23, setID: 0x2},
+	33: {cat: 0x24, setID: 0x1a},
+	34: {cat: 0xf, setID: 0x15},
+	35: {cat: 0x1a, setID: 0x16},
+	36: {cat: 0xf, setID: 0x17},
+	37: {cat: 0x1b, setID: 0x18},
+	38: {cat: 0xf, setID: 0x1c},
+	39: {cat: 0x1d, setID: 0x1d},
+	40: {cat: 0xa, setID: 0x1e},
+	41: {cat: 0xa, setID: 0x1f},
+	42: {cat: 0xc, setID: 0x20},
+	43: {cat: 0xe4, setID: 0x0},
+	44: {cat: 0x5, setID: 0x3},
+	45: {cat: 0xd, setID: 0xe},
+	46: {cat: 0xd, setID: 0x21},
+	47: {cat: 0x22, setID: 0x1},
+	48: {cat: 0x23, setID: 0x19},
+	49: {cat: 0x24, setID: 0x1a},
+	50: {cat: 0x25, setID: 0x22},
+	51: {cat: 0x22, setID: 0x23},
+	52: {cat: 0x23, setID: 0x19},
+	53: {cat: 0x24, setID: 0x1a},
+	54: {cat: 0x25, setID: 0x22},
+	55: {cat: 0x22, setID: 0x24},
+	56: {cat: 0x23, setID: 0x19},
+	57: {cat: 0x24, setID: 0x1a},
+	58: {cat: 0x25, setID: 0x22},
+	59: {cat: 0x21, setID: 0x25},
+	60: {cat: 0x22, setID: 0x1},
+	61: {cat: 0x23, setID: 0x2},
+	62: {cat: 0x24, setID: 0x26},
+	63: {cat: 0x25, setID: 0x27},
+} // Size: 152 bytes
+
+var ordinalIndex = []uint8{ // 22 elements
+	0x00, 0x00, 0x02, 0x03, 0x04, 0x05, 0x07, 0x09,
+	0x0b, 0x0f, 0x10, 0x13, 0x16, 0x1c, 0x1f, 0x22,
+	0x28, 0x2f, 0x33, 0x37, 0x3b, 0x40,
+} // Size: 46 bytes
+
+var ordinalLangToIndex = []uint8{ // 775 elements
+	// Entry 0 - 3F
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x10, 0x10,
+	0x10, 0x10, 0x10, 0x00, 0x00, 0x05, 0x05, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 40 - 7F
+	0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e,
+	0x0e, 0x0e, 0x0e, 0x0e, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x14, 0x14, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 80 - BF
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	// Entry C0 - FF
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+	0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 100 - 13F
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02,
+	0x00, 0x00, 0x00, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 140 - 17F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x11, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11,
+	0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x03,
+	0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 180 - 1BF
+	0x00, 0x00, 0x00, 0x00, 0x09, 0x09, 0x09, 0x09,
+	0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x0a, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 1C0 - 1FF
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x0f, 0x0f, 0x00, 0x00,
+	0x00, 0x00, 0x02, 0x0d, 0x0d, 0x02, 0x02, 0x02,
+	0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 200 - 23F
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x13, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 240 - 27F
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+	0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 280 - 2BF
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x0b, 0x0b, 0x0b, 0x0b, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x07, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00,
+	// Entry 2C0 - 2FF
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x06, 0x06, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 300 - 33F
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x0c,
+} // Size: 799 bytes
+
+var ordinalInclusionMasks = []uint64{ // 100 elements
+	// Entry 0 - 1F
+	0x0000002000010009, 0x00000018482000d3, 0x0000000042840195, 0x000000410a040581,
+	0x00000041040c0081, 0x0000009840040041, 0x0000008400045001, 0x0000003850040001,
+	0x0000003850060001, 0x0000003800049001, 0x0000000800052001, 0x0000000040660031,
+	0x0000000041840331, 0x0000000100040f01, 0x00000001001c0001, 0x0000000040040001,
+	0x0000000000045001, 0x0000000070040001, 0x0000000070040001, 0x0000000000049001,
+	0x0000000080050001, 0x0000000040200011, 0x0000000040800111, 0x0000000100000501,
+	0x0000000100080001, 0x0000000040000001, 0x0000000000005001, 0x0000000050000001,
+	0x0000000050000001, 0x0000000000009001, 0x0000000000010001, 0x0000000040200011,
+	// Entry 20 - 3F
+	0x0000000040800111, 0x0000000100000501, 0x0000000100080001, 0x0000000040000001,
+	0x0000000000005001, 0x0000000050000001, 0x0000000050000001, 0x0000000000009001,
+	0x0000000200050001, 0x0000000040200011, 0x0000000040800111, 0x0000000100000501,
+	0x0000000100080001, 0x0000000040000001, 0x0000000000005001, 0x0000000050000001,
+	0x0000000050000001, 0x0000000000009001, 0x0000000080010001, 0x0000000040200011,
+	0x0000000040800111, 0x0000000100000501, 0x0000000100080001, 0x0000000040000001,
+	0x0000000000005001, 0x0000000050000001, 0x0000000050000001, 0x0000000000009001,
+	0x0000000200050001, 0x0000000040200011, 0x0000000040800111, 0x0000000100000501,
+	// Entry 40 - 5F
+	0x0000000100080001, 0x0000000040000001, 0x0000000000005001, 0x0000000050000001,
+	0x0000000050000001, 0x0000000000009001, 0x0000000080010001, 0x0000000040200011,
+	0x0000000040800111, 0x0000000100000501, 0x0000000100080001, 0x0000000040000001,
+	0x0000000000005001, 0x0000000050000001, 0x0000000050000001, 0x0000000000009001,
+	0x0000000080070001, 0x0000000040200011, 0x0000000040800111, 0x0000000100000501,
+	0x0000000100080001, 0x0000000040000001, 0x0000000000005001, 0x0000000050000001,
+	0x0000000050000001, 0x0000000000009001, 0x0000000200010001, 0x0000000040200011,
+	0x0000000040800111, 0x0000000100000501, 0x0000000100080001, 0x0000000040000001,
+	// Entry 60 - 7F
+	0x0000000000005001, 0x0000000050000001, 0x0000000050000001, 0x0000000000009001,
+} // Size: 824 bytes
+
+// Slots used for ordinal: 40 of 0xFF rules; 16 of 0xFF indexes; 40 of 64 sets
+
+var cardinalRules = []pluralCheck{ // 166 elements
+	0:   {cat: 0x2, setID: 0x3},
+	1:   {cat: 0x22, setID: 0x1},
+	2:   {cat: 0x2, setID: 0x4},
+	3:   {cat: 0x2, setID: 0x4},
+	4:   {cat: 0x7, setID: 0x1},
+	5:   {cat: 0x62, setID: 0x3},
+	6:   {cat: 0x22, setID: 0x4},
+	7:   {cat: 0x7, setID: 0x3},
+	8:   {cat: 0x42, setID: 0x1},
+	9:   {cat: 0x22, setID: 0x4},
+	10:  {cat: 0x22, setID: 0x4},
+	11:  {cat: 0x22, setID: 0x5},
+	12:  {cat: 0x22, setID: 0x1},
+	13:  {cat: 0x22, setID: 0x1},
+	14:  {cat: 0x7, setID: 0x4},
+	15:  {cat: 0x92, setID: 0x3},
+	16:  {cat: 0xf, setID: 0x6},
+	17:  {cat: 0x1f, setID: 0x7},
+	18:  {cat: 0x82, setID: 0x3},
+	19:  {cat: 0x92, setID: 0x3},
+	20:  {cat: 0xf, setID: 0x6},
+	21:  {cat: 0x62, setID: 0x3},
+	22:  {cat: 0x4a, setID: 0x6},
+	23:  {cat: 0x7, setID: 0x8},
+	24:  {cat: 0x62, setID: 0x3},
+	25:  {cat: 0x1f, setID: 0x9},
+	26:  {cat: 0x62, setID: 0x3},
+	27:  {cat: 0x5f, setID: 0x9},
+	28:  {cat: 0x72, setID: 0x3},
+	29:  {cat: 0x29, setID: 0xa},
+	30:  {cat: 0x29, setID: 0xb},
+	31:  {cat: 0x4f, setID: 0xb},
+	32:  {cat: 0x61, setID: 0x2},
+	33:  {cat: 0x2f, setID: 0x6},
+	34:  {cat: 0x3a, setID: 0x7},
+	35:  {cat: 0x4f, setID: 0x6},
+	36:  {cat: 0x5f, setID: 0x7},
+	37:  {cat: 0x62, setID: 0x2},
+	38:  {cat: 0x4f, setID: 0x6},
+	39:  {cat: 0x72, setID: 0x2},
+	40:  {cat: 0x21, setID: 0x3},
+	41:  {cat: 0x7, setID: 0x4},
+	42:  {cat: 0x32, setID: 0x3},
+	43:  {cat: 0x21, setID: 0x3},
+	44:  {cat: 0x22, setID: 0x1},
+	45:  {cat: 0x22, setID: 0x1},
+	46:  {cat: 0x23, setID: 0x2},
+	47:  {cat: 0x2, setID: 0x3},
+	48:  {cat: 0x22, setID: 0x1},
+	49:  {cat: 0x24, setID: 0xc},
+	50:  {cat: 0x7, setID: 0x1},
+	51:  {cat: 0x62, setID: 0x3},
+	52:  {cat: 0x74, setID: 0x3},
+	53:  {cat: 0x24, setID: 0x3},
+	54:  {cat: 0x2f, setID: 0xd},
+	55:  {cat: 0x34, setID: 0x1},
+	56:  {cat: 0xf, setID: 0x6},
+	57:  {cat: 0x1f, setID: 0x7},
+	58:  {cat: 0x62, setID: 0x3},
+	59:  {cat: 0x4f, setID: 0x6},
+	60:  {cat: 0x5a, setID: 0x7},
+	61:  {cat: 0xf, setID: 0xe},
+	62:  {cat: 0x1f, setID: 0xf},
+	63:  {cat: 0x64, setID: 0x3},
+	64:  {cat: 0x4f, setID: 0xe},
+	65:  {cat: 0x5c, setID: 0xf},
+	66:  {cat: 0x22, setID: 0x10},
+	67:  {cat: 0x23, setID: 0x11},
+	68:  {cat: 0x24, setID: 0x12},
+	69:  {cat: 0xf, setID: 0x1},
+	70:  {cat: 0x62, setID: 0x3},
+	71:  {cat: 0xf, setID: 0x2},
+	72:  {cat: 0x63, setID: 0x3},
+	73:  {cat: 0xf, setID: 0x13},
+	74:  {cat: 0x64, setID: 0x3},
+	75:  {cat: 0x74, setID: 0x3},
+	76:  {cat: 0xf, setID: 0x1},
+	77:  {cat: 0x62, setID: 0x3},
+	78:  {cat: 0x4a, setID: 0x1},
+	79:  {cat: 0xf, setID: 0x2},
+	80:  {cat: 0x63, setID: 0x3},
+	81:  {cat: 0x4b, setID: 0x2},
+	82:  {cat: 0xf, setID: 0x13},
+	83:  {cat: 0x64, setID: 0x3},
+	84:  {cat: 0x4c, setID: 0x13},
+	85:  {cat: 0x7, setID: 0x1},
+	86:  {cat: 0x62, setID: 0x3},
+	87:  {cat: 0x7, setID: 0x2},
+	88:  {cat: 0x63, setID: 0x3},
+	89:  {cat: 0x2f, setID: 0xa},
+	90:  {cat: 0x37, setID: 0x14},
+	91:  {cat: 0x65, setID: 0x3},
+	92:  {cat: 0x7, setID: 0x1},
+	93:  {cat: 0x62, setID: 0x3},
+	94:  {cat: 0x7, setID: 0x15},
+	95:  {cat: 0x64, setID: 0x3},
+	96:  {cat: 0x75, setID: 0x3},
+	97:  {cat: 0x7, setID: 0x1},
+	98:  {cat: 0x62, setID: 0x3},
+	99:  {cat: 0xf, setID: 0xe},
+	100: {cat: 0x1f, setID: 0xf},
+	101: {cat: 0x64, setID: 0x3},
+	102: {cat: 0xf, setID: 0x16},
+	103: {cat: 0x17, setID: 0x1},
+	104: {cat: 0x65, setID: 0x3},
+	105: {cat: 0xf, setID: 0x17},
+	106: {cat: 0x65, setID: 0x3},
+	107: {cat: 0xf, setID: 0xf},
+	108: {cat: 0x65, setID: 0x3},
+	109: {cat: 0x2f, setID: 0x6},
+	110: {cat: 0x3a, setID: 0x7},
+	111: {cat: 0x2f, setID: 0xe},
+	112: {cat: 0x3c, setID: 0xf},
+	113: {cat: 0x2d, setID: 0xa},
+	114: {cat: 0x2d, setID: 0x17},
+	115: {cat: 0x2d, setID: 0x18},
+	116: {cat: 0x2f, setID: 0x6},
+	117: {cat: 0x3a, setID: 0xb},
+	118: {cat: 0x2f, setID: 0x19},
+	119: {cat: 0x3c, setID: 0xb},
+	120: {cat: 0x55, setID: 0x3},
+	121: {cat: 0x22, setID: 0x1},
+	122: {cat: 0x24, setID: 0x3},
+	123: {cat: 0x2c, setID: 0xc},
+	124: {cat: 0x2d, setID: 0xb},
+	125: {cat: 0xf, setID: 0x6},
+	126: {cat: 0x1f, setID: 0x7},
+	127: {cat: 0x62, setID: 0x3},
+	128: {cat: 0xf, setID: 0xe},
+	129: {cat: 0x1f, setID: 0xf},
+	130: {cat: 0x64, setID: 0x3},
+	131: {cat: 0xf, setID: 0xa},
+	132: {cat: 0x65, setID: 0x3},
+	133: {cat: 0xf, setID: 0x17},
+	134: {cat: 0x65, setID: 0x3},
+	135: {cat: 0xf, setID: 0x18},
+	136: {cat: 0x65, setID: 0x3},
+	137: {cat: 0x2f, setID: 0x6},
+	138: {cat: 0x3a, setID: 0x1a},
+	139: {cat: 0x2f, setID: 0x1b},
+	140: {cat: 0x3b, setID: 0x1c},
+	141: {cat: 0x2f, setID: 0x1d},
+	142: {cat: 0x3c, setID: 0x1e},
+	143: {cat: 0x37, setID: 0x3},
+	144: {cat: 0xa5, setID: 0x0},
+	145: {cat: 0x22, setID: 0x1},
+	146: {cat: 0x23, setID: 0x2},
+	147: {cat: 0x24, setID: 0x1f},
+	148: {cat: 0x25, setID: 0x20},
+	149: {cat: 0xf, setID: 0x6},
+	150: {cat: 0x62, setID: 0x3},
+	151: {cat: 0xf, setID: 0x1b},
+	152: {cat: 0x63, setID: 0x3},
+	153: {cat: 0xf, setID: 0x21},
+	154: {cat: 0x64, setID: 0x3},
+	155: {cat: 0x75, setID: 0x3},
+	156: {cat: 0x21, setID: 0x3},
+	157: {cat: 0x22, setID: 0x1},
+	158: {cat: 0x23, setID: 0x2},
+	159: {cat: 0x2c, setID: 0x22},
+	160: {cat: 0x2d, setID: 0x5},
+	161: {cat: 0x21, setID: 0x3},
+	162: {cat: 0x22, setID: 0x1},
+	163: {cat: 0x23, setID: 0x2},
+	164: {cat: 0x24, setID: 0x23},
+	165: {cat: 0x25, setID: 0x24},
+} // Size: 356 bytes
+
+var cardinalIndex = []uint8{ // 36 elements
+	0x00, 0x00, 0x02, 0x03, 0x04, 0x06, 0x09, 0x0a,
+	0x0c, 0x0d, 0x10, 0x14, 0x17, 0x1d, 0x28, 0x2b,
+	0x2d, 0x2f, 0x32, 0x38, 0x42, 0x45, 0x4c, 0x55,
+	0x5c, 0x61, 0x6d, 0x74, 0x79, 0x7d, 0x89, 0x91,
+	0x95, 0x9c, 0xa1, 0xa6,
+} // Size: 60 bytes
+
+var cardinalLangToIndex = []uint8{ // 775 elements
+	// Entry 0 - 3F
+	0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x06, 0x06,
+	0x01, 0x01, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
+	0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
+	0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
+	0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
+	0x01, 0x01, 0x08, 0x08, 0x04, 0x04, 0x08, 0x08,
+	0x08, 0x08, 0x08, 0x00, 0x00, 0x1a, 0x1a, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x06, 0x00, 0x00,
+	// Entry 40 - 7F
+	0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x1e, 0x1e,
+	0x08, 0x08, 0x13, 0x13, 0x13, 0x13, 0x13, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08,
+	0x18, 0x18, 0x00, 0x00, 0x22, 0x22, 0x09, 0x09,
+	0x09, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x00, 0x00, 0x16, 0x16, 0x00,
+	0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 80 - BF
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	// Entry C0 - FF
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08,
+	// Entry 100 - 13F
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x04, 0x04,
+	0x08, 0x08, 0x00, 0x00, 0x01, 0x01, 0x01, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x04, 0x04, 0x0c, 0x0c,
+	0x08, 0x08, 0x08, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 140 - 17F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x08, 0x08, 0x04, 0x04, 0x1f, 0x1f,
+	0x14, 0x14, 0x04, 0x04, 0x08, 0x08, 0x08, 0x08,
+	0x01, 0x01, 0x06, 0x00, 0x00, 0x20, 0x20, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x17, 0x17, 0x01,
+	0x01, 0x13, 0x13, 0x13, 0x16, 0x16, 0x08, 0x08,
+	0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 180 - 1BF
+	0x00, 0x04, 0x0a, 0x0a, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x10, 0x17, 0x00, 0x00, 0x00, 0x08, 0x08,
+	0x04, 0x08, 0x08, 0x00, 0x00, 0x08, 0x08, 0x02,
+	0x02, 0x08, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08, 0x08,
+	0x08, 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08,
+	0x08, 0x08, 0x00, 0x00, 0x0f, 0x0f, 0x08, 0x10,
+	// Entry 1C0 - 1FF
+	0x10, 0x08, 0x08, 0x0e, 0x0e, 0x08, 0x08, 0x08,
+	0x08, 0x00, 0x00, 0x06, 0x06, 0x06, 0x06, 0x06,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x1b, 0x1b, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x0d, 0x08,
+	0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x06, 0x06,
+	0x00, 0x00, 0x08, 0x08, 0x0b, 0x0b, 0x08, 0x08,
+	0x08, 0x08, 0x12, 0x01, 0x01, 0x00, 0x00, 0x00,
+	0x00, 0x1c, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 200 - 23F
+	0x00, 0x08, 0x10, 0x10, 0x08, 0x08, 0x08, 0x08,
+	0x08, 0x00, 0x00, 0x00, 0x08, 0x08, 0x08, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00,
+	0x00, 0x08, 0x08, 0x08, 0x08, 0x08, 0x00, 0x08,
+	0x06, 0x00, 0x00, 0x08, 0x08, 0x08, 0x08, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x06, 0x06,
+	0x06, 0x06, 0x06, 0x08, 0x19, 0x19, 0x0d, 0x0d,
+	0x08, 0x08, 0x03, 0x04, 0x03, 0x04, 0x04, 0x04,
+	// Entry 240 - 27F
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00,
+	0x00, 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x12,
+	0x12, 0x12, 0x08, 0x08, 0x1d, 0x1d, 0x1d, 0x1d,
+	0x1d, 0x1d, 0x1d, 0x00, 0x00, 0x08, 0x08, 0x00,
+	0x00, 0x08, 0x08, 0x00, 0x00, 0x08, 0x08, 0x08,
+	0x10, 0x10, 0x10, 0x10, 0x08, 0x08, 0x00, 0x00,
+	0x00, 0x00, 0x13, 0x11, 0x11, 0x11, 0x11, 0x11,
+	0x05, 0x05, 0x18, 0x18, 0x15, 0x15, 0x10, 0x10,
+	// Entry 280 - 2BF
+	0x10, 0x10, 0x10, 0x10, 0x08, 0x08, 0x08, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x13,
+	0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13,
+	0x13, 0x13, 0x08, 0x08, 0x08, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x08, 0x08,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08,
+	0x08, 0x00, 0x00, 0x00, 0x00, 0x06, 0x06, 0x06,
+	0x08, 0x08, 0x08, 0x0c, 0x08, 0x00, 0x00, 0x08,
+	// Entry 2C0 - 2FF
+	0x08, 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x07,
+	0x07, 0x08, 0x08, 0x1d, 0x1d, 0x04, 0x04, 0x04,
+	0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x08,
+	0x08, 0x08, 0x08, 0x06, 0x08, 0x08, 0x00, 0x00,
+	0x08, 0x08, 0x08, 0x00, 0x00, 0x04, 0x04, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	// Entry 300 - 33F
+	0x00, 0x00, 0x00, 0x01, 0x01, 0x04, 0x04,
+} // Size: 799 bytes
+
+var cardinalInclusionMasks = []uint64{ // 100 elements
+	// Entry 0 - 1F
+	0x0000000200500419, 0x0000000000512153, 0x000000000a327105, 0x0000000ca23c7101,
+	0x00000004a23c7201, 0x0000000482943001, 0x0000001482943201, 0x0000000502943001,
+	0x0000000502943001, 0x0000000522943201, 0x0000000540543401, 0x00000000454128e1,
+	0x000000005b02e821, 0x000000006304e821, 0x000000006304ea21, 0x0000000042842821,
+	0x0000000042842a21, 0x0000000042842821, 0x0000000042842821, 0x0000000062842a21,
+	0x0000000200400421, 0x0000000000400061, 0x000000000a004021, 0x0000000022004021,
+	0x0000000022004221, 0x0000000002800021, 0x0000000002800221, 0x0000000002800021,
+	0x0000000002800021, 0x0000000022800221, 0x0000000000400421, 0x0000000000400061,
+	// Entry 20 - 3F
+	0x000000000a004021, 0x0000000022004021, 0x0000000022004221, 0x0000000002800021,
+	0x0000000002800221, 0x0000000002800021, 0x0000000002800021, 0x0000000022800221,
+	0x0000000200400421, 0x0000000000400061, 0x000000000a004021, 0x0000000022004021,
+	0x0000000022004221, 0x0000000002800021, 0x0000000002800221, 0x0000000002800021,
+	0x0000000002800021, 0x0000000022800221, 0x0000000000400421, 0x0000000000400061,
+	0x000000000a004021, 0x0000000022004021, 0x0000000022004221, 0x0000000002800021,
+	0x0000000002800221, 0x0000000002800021, 0x0000000002800021, 0x0000000022800221,
+	0x0000000200400421, 0x0000000000400061, 0x000000000a004021, 0x0000000022004021,
+	// Entry 40 - 5F
+	0x0000000022004221, 0x0000000002800021, 0x0000000002800221, 0x0000000002800021,
+	0x0000000002800021, 0x0000000022800221, 0x0000000040400421, 0x0000000044400061,
+	0x000000005a004021, 0x0000000062004021, 0x0000000062004221, 0x0000000042800021,
+	0x0000000042800221, 0x0000000042800021, 0x0000000042800021, 0x0000000062800221,
+	0x0000000200400421, 0x0000000000400061, 0x000000000a004021, 0x0000000022004021,
+	0x0000000022004221, 0x0000000002800021, 0x0000000002800221, 0x0000000002800021,
+	0x0000000002800021, 0x0000000022800221, 0x0000000040400421, 0x0000000044400061,
+	0x000000005a004021, 0x0000000062004021, 0x0000000062004221, 0x0000000042800021,
+	// Entry 60 - 7F
+	0x0000000042800221, 0x0000000042800021, 0x0000000042800021, 0x0000000062800221,
+} // Size: 824 bytes
+
+// Slots used for cardinal: A6 of 0xFF rules; 24 of 0xFF indexes; 37 of 64 sets
+
+// Total table size 3860 bytes (3KiB); checksum: AAFBF21
diff --git a/vendor/golang.org/x/text/internal/catmsg/catmsg.go b/vendor/golang.org/x/text/internal/catmsg/catmsg.go
new file mode 100644
index 0000000000..1b257a7b4d
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/catmsg/catmsg.go
@@ -0,0 +1,417 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package catmsg contains support types for package x/text/message/catalog.
+//
+// This package contains the low-level implementations of Message used by the
+// catalog package and provides primitives for other packages to implement their
+// own. For instance, the plural package provides functionality for selecting
+// translation strings based on the plural category of substitution arguments.
+//
+// # Encoding and Decoding
+//
+// Catalogs store Messages encoded as a single string. Compiling a message into
+// a string both results in compacter representation and speeds up evaluation.
+//
+// A Message must implement a Compile method to convert its arbitrary
+// representation to a string. The Compile method takes an Encoder which
+// facilitates serializing the message. Encoders also provide more context of
+// the messages's creation (such as for which language the message is intended),
+// which may not be known at the time of the creation of the message.
+//
+// Each message type must also have an accompanying decoder registered to decode
+// the message. This decoder takes a Decoder argument which provides the
+// counterparts for the decoding.
+//
+// # Renderers
+//
+// A Decoder must be initialized with a Renderer implementation. These
+// implementations must be provided by packages that use Catalogs, typically
+// formatting packages such as x/text/message. A typical user will not need to
+// worry about this type; it is only relevant to packages that do string
+// formatting and want to use the catalog package to handle localized strings.
+//
+// A package that uses catalogs for selecting strings receives selection results
+// as sequence of substrings passed to the Renderer. The following snippet shows
+// how to express the above example using the message package.
+//
+//	message.Set(language.English, "You are %d minute(s) late.",
+//		catalog.Var("minutes", plural.Select(1, "one", "minute")),
+//		catalog.String("You are %[1]d ${minutes} late."))
+//
+//	p := message.NewPrinter(language.English)
+//	p.Printf("You are %d minute(s) late.", 5) // always 5 minutes late.
+//
+// To evaluate the Printf, package message wraps the arguments in a Renderer
+// that is passed to the catalog for message decoding. The call sequence that
+// results from evaluating the above message, assuming the person is rather
+// tardy, is:
+//
+//	Render("You are %[1]d ")
+//	Arg(1)
+//	Render("minutes")
+//	Render(" late.")
+//
+// The calls to Arg is caused by the plural.Select execution, which evaluates
+// the argument to determine whether the singular or plural message form should
+// be selected. The calls to Render reports the partial results to the message
+// package for further evaluation.
+package catmsg
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"sync"
+
+	"golang.org/x/text/language"
+)
+
+// A Handle refers to a registered message type.
+type Handle int
+
+// A Handler decodes and evaluates data compiled by a Message and sends the
+// result to the Decoder. The output may depend on the value of the substitution
+// arguments, accessible by the Decoder's Arg method. The Handler returns false
+// if there is no translation for the given substitution arguments.
+type Handler func(d *Decoder) bool
+
+// Register records the existence of a message type and returns a Handle that
+// can be used in the Encoder's EncodeMessageType method to create such
+// messages. The prefix of the name should be the package path followed by
+// an optional disambiguating string.
+// Register will panic if a handle for the same name was already registered.
+func Register(name string, handler Handler) Handle {
+	mutex.Lock()
+	defer mutex.Unlock()
+
+	if _, ok := names[name]; ok {
+		panic(fmt.Errorf("catmsg: handler for %q already exists", name))
+	}
+	h := Handle(len(handlers))
+	names[name] = h
+	handlers = append(handlers, handler)
+	return h
+}
+
+// These handlers require fixed positions in the handlers slice.
+const (
+	msgVars Handle = iota
+	msgFirst
+	msgRaw
+	msgString
+	msgAffix
+	// Leave some arbitrary room for future expansion: 20 should suffice.
+	numInternal = 20
+)
+
+const prefix = "golang.org/x/text/internal/catmsg."
+
+var (
+	// TODO: find a more stable way to link handles to message types.
+	mutex sync.Mutex
+	names = map[string]Handle{
+		prefix + "Vars":   msgVars,
+		prefix + "First":  msgFirst,
+		prefix + "Raw":    msgRaw,
+		prefix + "String": msgString,
+		prefix + "Affix":  msgAffix,
+	}
+	handlers = make([]Handler, numInternal)
+)
+
+func init() {
+	// This handler is a message type wrapper that initializes a decoder
+	// with a variable block. This message type, if present, is always at the
+	// start of an encoded message.
+	handlers[msgVars] = func(d *Decoder) bool {
+		blockSize := int(d.DecodeUint())
+		d.vars = d.data[:blockSize]
+		d.data = d.data[blockSize:]
+		return d.executeMessage()
+	}
+
+	// First takes the first message in a sequence that results in a match for
+	// the given substitution arguments.
+	handlers[msgFirst] = func(d *Decoder) bool {
+		for !d.Done() {
+			if d.ExecuteMessage() {
+				return true
+			}
+		}
+		return false
+	}
+
+	handlers[msgRaw] = func(d *Decoder) bool {
+		d.Render(d.data)
+		return true
+	}
+
+	// A String message alternates between a string constant and a variable
+	// substitution.
+	handlers[msgString] = func(d *Decoder) bool {
+		for !d.Done() {
+			if str := d.DecodeString(); str != "" {
+				d.Render(str)
+			}
+			if d.Done() {
+				break
+			}
+			d.ExecuteSubstitution()
+		}
+		return true
+	}
+
+	handlers[msgAffix] = func(d *Decoder) bool {
+		// TODO: use an alternative method for common cases.
+		prefix := d.DecodeString()
+		suffix := d.DecodeString()
+		if prefix != "" {
+			d.Render(prefix)
+		}
+		ret := d.ExecuteMessage()
+		if suffix != "" {
+			d.Render(suffix)
+		}
+		return ret
+	}
+}
+
+var (
+	// ErrIncomplete indicates a compiled message does not define translations
+	// for all possible argument values. If this message is returned, evaluating
+	// a message may result in the ErrNoMatch error.
+	ErrIncomplete = errors.New("catmsg: incomplete message; may not give result for all inputs")
+
+	// ErrNoMatch indicates no translation message matched the given input
+	// parameters when evaluating a message.
+	ErrNoMatch = errors.New("catmsg: no translation for inputs")
+)
+
+// A Message holds a collection of translations for the same phrase that may
+// vary based on the values of substitution arguments.
+type Message interface {
+	// Compile encodes the format string(s) of the message as a string for later
+	// evaluation.
+	//
+	// The first call Compile makes on the encoder must be EncodeMessageType.
+	// The handle passed to this call may either be a handle returned by
+	// Register to encode a single custom message, or HandleFirst followed by
+	// a sequence of calls to EncodeMessage.
+	//
+	// Compile must return ErrIncomplete if it is possible for evaluation to
+	// not match any translation for a given set of formatting parameters.
+	// For example, selecting a translation based on plural form may not yield
+	// a match if the form "Other" is not one of the selectors.
+	//
+	// Compile may return any other application-specific error. For backwards
+	// compatibility with package like fmt, which often do not do sanity
+	// checking of format strings ahead of time, Compile should still make an
+	// effort to have some sensible fallback in case of an error.
+	Compile(e *Encoder) error
+}
+
+// Compile converts a Message to a data string that can be stored in a Catalog.
+// The resulting string can subsequently be decoded by passing to the Execute
+// method of a Decoder.
+func Compile(tag language.Tag, macros Dictionary, m Message) (data string, err error) {
+	// TODO: pass macros so they can be used for validation.
+	v := &Encoder{inBody: true} // encoder for variables
+	v.root = v
+	e := &Encoder{root: v, parent: v, tag: tag} // encoder for messages
+	err = m.Compile(e)
+	// This package serves te message package, which in turn is meant to be a
+	// drop-in replacement for fmt.  With the fmt package, format strings are
+	// evaluated lazily and errors are handled by substituting strings in the
+	// result, rather then returning an error. Dealing with multiple languages
+	// makes it more important to check errors ahead of time. We chose to be
+	// consistent and compatible and allow graceful degradation in case of
+	// errors.
+	buf := e.buf[stripPrefix(e.buf):]
+	if len(v.buf) > 0 {
+		// Prepend variable block.
+		b := make([]byte, 1+maxVarintBytes+len(v.buf)+len(buf))
+		b[0] = byte(msgVars)
+		b = b[:1+encodeUint(b[1:], uint64(len(v.buf)))]
+		b = append(b, v.buf...)
+		b = append(b, buf...)
+		buf = b
+	}
+	if err == nil {
+		err = v.err
+	}
+	return string(buf), err
+}
+
+// FirstOf is a message type that prints the first message in the sequence that
+// resolves to a match for the given substitution arguments.
+type FirstOf []Message
+
+// Compile implements Message.
+func (s FirstOf) Compile(e *Encoder) error {
+	e.EncodeMessageType(msgFirst)
+	err := ErrIncomplete
+	for i, m := range s {
+		if err == nil {
+			return fmt.Errorf("catalog: message argument %d is complete and blocks subsequent messages", i-1)
+		}
+		err = e.EncodeMessage(m)
+	}
+	return err
+}
+
+// Var defines a message that can be substituted for a placeholder of the same
+// name. If an expression does not result in a string after evaluation, Name is
+// used as the substitution. For example:
+//
+//	Var{
+//	  Name:    "minutes",
+//	  Message: plural.Select(1, "one", "minute"),
+//	}
+//
+// will resolve to minute for singular and minutes for plural forms.
+type Var struct {
+	Name    string
+	Message Message
+}
+
+var errIsVar = errors.New("catmsg: variable used as message")
+
+// Compile implements Message.
+//
+// Note that this method merely registers a variable; it does not create an
+// encoded message.
+func (v *Var) Compile(e *Encoder) error {
+	if err := e.addVar(v.Name, v.Message); err != nil {
+		return err
+	}
+	// Using a Var by itself is an error. If it is in a sequence followed by
+	// other messages referring to it, this error will be ignored.
+	return errIsVar
+}
+
+// Raw is a message consisting of a single format string that is passed as is
+// to the Renderer.
+//
+// Note that a Renderer may still do its own variable substitution.
+type Raw string
+
+// Compile implements Message.
+func (r Raw) Compile(e *Encoder) (err error) {
+	e.EncodeMessageType(msgRaw)
+	// Special case: raw strings don't have a size encoding and so don't use
+	// EncodeString.
+	e.buf = append(e.buf, r...)
+	return nil
+}
+
+// String is a message consisting of a single format string which contains
+// placeholders that may be substituted with variables.
+//
+// Variable substitutions are marked with placeholders and a variable name of
+// the form ${name}. Any other substitutions such as Go templates or
+// printf-style substitutions are left to be done by the Renderer.
+//
+// When evaluation a string interpolation, a Renderer will receive separate
+// calls for each placeholder and interstitial string. For example, for the
+// message: "%[1]v ${invites} %[2]v to ${their} party." The sequence of calls
+// is:
+//
+//	d.Render("%[1]v ")
+//	d.Arg(1)
+//	d.Render(resultOfInvites)
+//	d.Render(" %[2]v to ")
+//	d.Arg(2)
+//	d.Render(resultOfTheir)
+//	d.Render(" party.")
+//
+// where the messages for "invites" and "their" both use a plural.Select
+// referring to the first argument.
+//
+// Strings may also invoke macros. Macros are essentially variables that can be
+// reused. Macros may, for instance, be used to make selections between
+// different conjugations of a verb. See the catalog package description for an
+// overview of macros.
+type String string
+
+// Compile implements Message. It parses the placeholder formats and returns
+// any error.
+func (s String) Compile(e *Encoder) (err error) {
+	msg := string(s)
+	const subStart = "${"
+	hasHeader := false
+	p := 0
+	b := []byte{}
+	for {
+		i := strings.Index(msg[p:], subStart)
+		if i == -1 {
+			break
+		}
+		b = append(b, msg[p:p+i]...)
+		p += i + len(subStart)
+		if i = strings.IndexByte(msg[p:], '}'); i == -1 {
+			b = append(b, "$!(MISSINGBRACE)"...)
+			err = fmt.Errorf("catmsg: missing '}'")
+			p = len(msg)
+			break
+		}
+		name := strings.TrimSpace(msg[p : p+i])
+		if q := strings.IndexByte(name, '('); q == -1 {
+			if !hasHeader {
+				hasHeader = true
+				e.EncodeMessageType(msgString)
+			}
+			e.EncodeString(string(b))
+			e.EncodeSubstitution(name)
+			b = b[:0]
+		} else if j := strings.IndexByte(name[q:], ')'); j == -1 {
+			// TODO: what should the error be?
+			b = append(b, "$!(MISSINGPAREN)"...)
+			err = fmt.Errorf("catmsg: missing ')'")
+		} else if x, sErr := strconv.ParseUint(strings.TrimSpace(name[q+1:q+j]), 10, 32); sErr != nil {
+			// TODO: handle more than one argument
+			b = append(b, "$!(BADNUM)"...)
+			err = fmt.Errorf("catmsg: invalid number %q", strings.TrimSpace(name[q+1:q+j]))
+		} else {
+			if !hasHeader {
+				hasHeader = true
+				e.EncodeMessageType(msgString)
+			}
+			e.EncodeString(string(b))
+			e.EncodeSubstitution(name[:q], int(x))
+			b = b[:0]
+		}
+		p += i + 1
+	}
+	b = append(b, msg[p:]...)
+	if !hasHeader {
+		// Simplify string to a raw string.
+		Raw(string(b)).Compile(e)
+	} else if len(b) > 0 {
+		e.EncodeString(string(b))
+	}
+	return err
+}
+
+// Affix is a message that adds a prefix and suffix to another message.
+// This is mostly used add back whitespace to a translation that was stripped
+// before sending it out.
+type Affix struct {
+	Message Message
+	Prefix  string
+	Suffix  string
+}
+
+// Compile implements Message.
+func (a Affix) Compile(e *Encoder) (err error) {
+	// TODO: consider adding a special message type that just adds a single
+	// return. This is probably common enough to handle the majority of cases.
+	// Get some stats first, though.
+	e.EncodeMessageType(msgAffix)
+	e.EncodeString(a.Prefix)
+	e.EncodeString(a.Suffix)
+	e.EncodeMessage(a.Message)
+	return nil
+}
diff --git a/vendor/golang.org/x/text/internal/catmsg/codec.go b/vendor/golang.org/x/text/internal/catmsg/codec.go
new file mode 100644
index 0000000000..547802b0f3
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/catmsg/codec.go
@@ -0,0 +1,407 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package catmsg
+
+import (
+	"errors"
+	"fmt"
+
+	"golang.org/x/text/language"
+)
+
+// A Renderer renders a Message.
+type Renderer interface {
+	// Render renders the given string. The given string may be interpreted as a
+	// format string, such as the one used by the fmt package or a template.
+	Render(s string)
+
+	// Arg returns the i-th argument passed to format a message. This method
+	// should return nil if there is no such argument. Messages need access to
+	// arguments to allow selecting a message based on linguistic features of
+	// those arguments.
+	Arg(i int) interface{}
+}
+
+// A Dictionary specifies a source of messages, including variables or macros.
+type Dictionary interface {
+	// Lookup returns the message for the given key. It returns false for ok if
+	// such a message could not be found.
+	Lookup(key string) (data string, ok bool)
+
+	// TODO: consider returning an interface, instead of a string. This will
+	// allow implementations to do their own message type decoding.
+}
+
+// An Encoder serializes a Message to a string.
+type Encoder struct {
+	// The root encoder is used for storing encoded variables.
+	root *Encoder
+	// The parent encoder provides the surrounding scopes for resolving variable
+	// names.
+	parent *Encoder
+
+	tag language.Tag
+
+	// buf holds the encoded message so far. After a message completes encoding,
+	// the contents of buf, prefixed by the encoded length, are flushed to the
+	// parent buffer.
+	buf []byte
+
+	// vars is the lookup table of variables in the current scope.
+	vars []keyVal
+
+	err    error
+	inBody bool // if false next call must be EncodeMessageType
+}
+
+type keyVal struct {
+	key    string
+	offset int
+}
+
+// Language reports the language for which the encoded message will be stored
+// in the Catalog.
+func (e *Encoder) Language() language.Tag { return e.tag }
+
+func (e *Encoder) setError(err error) {
+	if e.root.err == nil {
+		e.root.err = err
+	}
+}
+
+// EncodeUint encodes x.
+func (e *Encoder) EncodeUint(x uint64) {
+	e.checkInBody()
+	var buf [maxVarintBytes]byte
+	n := encodeUint(buf[:], x)
+	e.buf = append(e.buf, buf[:n]...)
+}
+
+// EncodeString encodes s.
+func (e *Encoder) EncodeString(s string) {
+	e.checkInBody()
+	e.EncodeUint(uint64(len(s)))
+	e.buf = append(e.buf, s...)
+}
+
+// EncodeMessageType marks the current message to be of type h.
+//
+// It must be the first call of a Message's Compile method.
+func (e *Encoder) EncodeMessageType(h Handle) {
+	if e.inBody {
+		panic("catmsg: EncodeMessageType not the first method called")
+	}
+	e.inBody = true
+	e.EncodeUint(uint64(h))
+}
+
+// EncodeMessage serializes the given message inline at the current position.
+func (e *Encoder) EncodeMessage(m Message) error {
+	e = &Encoder{root: e.root, parent: e, tag: e.tag}
+	err := m.Compile(e)
+	if _, ok := m.(*Var); !ok {
+		e.flushTo(e.parent)
+	}
+	return err
+}
+
+func (e *Encoder) checkInBody() {
+	if !e.inBody {
+		panic("catmsg: expected prior call to EncodeMessageType")
+	}
+}
+
+// stripPrefix indicates the number of prefix bytes that must be stripped to
+// turn a single-element sequence into a message that is just this single member
+// without its size prefix. If the message can be stripped, b[1:n] contains the
+// size prefix.
+func stripPrefix(b []byte) (n int) {
+	if len(b) > 0 && Handle(b[0]) == msgFirst {
+		x, n, _ := decodeUint(b[1:])
+		if 1+n+int(x) == len(b) {
+			return 1 + n
+		}
+	}
+	return 0
+}
+
+func (e *Encoder) flushTo(dst *Encoder) {
+	data := e.buf
+	p := stripPrefix(data)
+	if p > 0 {
+		data = data[1:]
+	} else {
+		// Prefix the size.
+		dst.EncodeUint(uint64(len(data)))
+	}
+	dst.buf = append(dst.buf, data...)
+}
+
+func (e *Encoder) addVar(key string, m Message) error {
+	for _, v := range e.parent.vars {
+		if v.key == key {
+			err := fmt.Errorf("catmsg: duplicate variable %q", key)
+			e.setError(err)
+			return err
+		}
+	}
+	scope := e.parent
+	// If a variable message is Incomplete, and does not evaluate to a message
+	// during execution, we fall back to the variable name. We encode this by
+	// appending the variable name if the message reports it's incomplete.
+
+	err := m.Compile(e)
+	if err != ErrIncomplete {
+		e.setError(err)
+	}
+	switch {
+	case len(e.buf) == 1 && Handle(e.buf[0]) == msgFirst: // empty sequence
+		e.buf = e.buf[:0]
+		e.inBody = false
+		fallthrough
+	case len(e.buf) == 0:
+		// Empty message.
+		if err := String(key).Compile(e); err != nil {
+			e.setError(err)
+		}
+	case err == ErrIncomplete:
+		if Handle(e.buf[0]) != msgFirst {
+			seq := &Encoder{root: e.root, parent: e}
+			seq.EncodeMessageType(msgFirst)
+			e.flushTo(seq)
+			e = seq
+		}
+		// e contains a sequence; append the fallback string.
+		e.EncodeMessage(String(key))
+	}
+
+	// Flush result to variable heap.
+	offset := len(e.root.buf)
+	e.flushTo(e.root)
+	e.buf = e.buf[:0]
+
+	// Record variable offset in current scope.
+	scope.vars = append(scope.vars, keyVal{key: key, offset: offset})
+	return err
+}
+
+const (
+	substituteVar = iota
+	substituteMacro
+	substituteError
+)
+
+// EncodeSubstitution inserts a resolved reference to a variable or macro.
+//
+// This call must be matched with a call to ExecuteSubstitution at decoding
+// time.
+func (e *Encoder) EncodeSubstitution(name string, arguments ...int) {
+	if arity := len(arguments); arity > 0 {
+		// TODO: also resolve macros.
+		e.EncodeUint(substituteMacro)
+		e.EncodeString(name)
+		for _, a := range arguments {
+			e.EncodeUint(uint64(a))
+		}
+		return
+	}
+	for scope := e; scope != nil; scope = scope.parent {
+		for _, v := range scope.vars {
+			if v.key != name {
+				continue
+			}
+			e.EncodeUint(substituteVar) // TODO: support arity > 0
+			e.EncodeUint(uint64(v.offset))
+			return
+		}
+	}
+	// TODO: refer to dictionary-wide scoped variables.
+	e.EncodeUint(substituteError)
+	e.EncodeString(name)
+	e.setError(fmt.Errorf("catmsg: unknown var %q", name))
+}
+
+// A Decoder deserializes and evaluates messages that are encoded by an encoder.
+type Decoder struct {
+	tag    language.Tag
+	dst    Renderer
+	macros Dictionary
+
+	err  error
+	vars string
+	data string
+
+	macroArg int // TODO: allow more than one argument
+}
+
+// NewDecoder returns a new Decoder.
+//
+// Decoders are designed to be reused for multiple invocations of Execute.
+// Only one goroutine may call Execute concurrently.
+func NewDecoder(tag language.Tag, r Renderer, macros Dictionary) *Decoder {
+	return &Decoder{
+		tag:    tag,
+		dst:    r,
+		macros: macros,
+	}
+}
+
+func (d *Decoder) setError(err error) {
+	if d.err == nil {
+		d.err = err
+	}
+}
+
+// Language returns the language in which the message is being rendered.
+//
+// The destination language may be a child language of the language used for
+// encoding. For instance, a decoding language of "pt-PT" is consistent with an
+// encoding language of "pt".
+func (d *Decoder) Language() language.Tag { return d.tag }
+
+// Done reports whether there are more bytes to process in this message.
+func (d *Decoder) Done() bool { return len(d.data) == 0 }
+
+// Render implements Renderer.
+func (d *Decoder) Render(s string) { d.dst.Render(s) }
+
+// Arg implements Renderer.
+//
+// During evaluation of macros, the argument positions may be mapped to
+// arguments that differ from the original call.
+func (d *Decoder) Arg(i int) interface{} {
+	if d.macroArg != 0 {
+		if i != 1 {
+			panic("catmsg: only macros with single argument supported")
+		}
+		i = d.macroArg
+	}
+	return d.dst.Arg(i)
+}
+
+// DecodeUint decodes a number that was encoded with EncodeUint and advances the
+// position.
+func (d *Decoder) DecodeUint() uint64 {
+	x, n, err := decodeUintString(d.data)
+	d.data = d.data[n:]
+	if err != nil {
+		d.setError(err)
+	}
+	return x
+}
+
+// DecodeString decodes a string that was encoded with EncodeString and advances
+// the position.
+func (d *Decoder) DecodeString() string {
+	size := d.DecodeUint()
+	s := d.data[:size]
+	d.data = d.data[size:]
+	return s
+}
+
+// SkipMessage skips the message at the current location and advances the
+// position.
+func (d *Decoder) SkipMessage() {
+	n := int(d.DecodeUint())
+	d.data = d.data[n:]
+}
+
+// Execute decodes and evaluates msg.
+//
+// Only one goroutine may call execute.
+func (d *Decoder) Execute(msg string) error {
+	d.err = nil
+	if !d.execute(msg) {
+		return ErrNoMatch
+	}
+	return d.err
+}
+
+func (d *Decoder) execute(msg string) bool {
+	saved := d.data
+	d.data = msg
+	ok := d.executeMessage()
+	d.data = saved
+	return ok
+}
+
+// executeMessageFromData is like execute, but also decodes a leading message
+// size and clips the given string accordingly.
+//
+// It reports the number of bytes consumed and whether a message was selected.
+func (d *Decoder) executeMessageFromData(s string) (n int, ok bool) {
+	saved := d.data
+	d.data = s
+	size := int(d.DecodeUint())
+	n = len(s) - len(d.data)
+	// Sanitize the setting. This allows skipping a size argument for
+	// RawString and method Done.
+	d.data = d.data[:size]
+	ok = d.executeMessage()
+	n += size - len(d.data)
+	d.data = saved
+	return n, ok
+}
+
+var errUnknownHandler = errors.New("catmsg: string contains unsupported handler")
+
+// executeMessage reads the handle id, initializes the decoder and executes the
+// message. It is assumed that all of d.data[d.p:] is the single message.
+func (d *Decoder) executeMessage() bool {
+	if d.Done() {
+		// We interpret no data as a valid empty message.
+		return true
+	}
+	handle := d.DecodeUint()
+
+	var fn Handler
+	mutex.Lock()
+	if int(handle) < len(handlers) {
+		fn = handlers[handle]
+	}
+	mutex.Unlock()
+	if fn == nil {
+		d.setError(errUnknownHandler)
+		d.execute(fmt.Sprintf("\x02$!(UNKNOWNMSGHANDLER=%#x)", handle))
+		return true
+	}
+	return fn(d)
+}
+
+// ExecuteMessage decodes and executes the message at the current position.
+func (d *Decoder) ExecuteMessage() bool {
+	n, ok := d.executeMessageFromData(d.data)
+	d.data = d.data[n:]
+	return ok
+}
+
+// ExecuteSubstitution executes the message corresponding to the substitution
+// as encoded by EncodeSubstitution.
+func (d *Decoder) ExecuteSubstitution() {
+	switch x := d.DecodeUint(); x {
+	case substituteVar:
+		offset := d.DecodeUint()
+		d.executeMessageFromData(d.vars[offset:])
+	case substituteMacro:
+		name := d.DecodeString()
+		data, ok := d.macros.Lookup(name)
+		old := d.macroArg
+		// TODO: support macros of arity other than 1.
+		d.macroArg = int(d.DecodeUint())
+		switch {
+		case !ok:
+			// TODO: detect this at creation time.
+			d.setError(fmt.Errorf("catmsg: undefined macro %q", name))
+			fallthrough
+		case !d.execute(data):
+			d.dst.Render(name) // fall back to macro name.
+		}
+		d.macroArg = old
+	case substituteError:
+		d.dst.Render(d.DecodeString())
+	default:
+		panic("catmsg: unreachable")
+	}
+}
diff --git a/vendor/golang.org/x/text/internal/catmsg/varint.go b/vendor/golang.org/x/text/internal/catmsg/varint.go
new file mode 100644
index 0000000000..a2cee2cf5b
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/catmsg/varint.go
@@ -0,0 +1,62 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package catmsg
+
+// This file implements varint encoding analogous to the one in encoding/binary.
+// We need a string version of this function, so we add that here and then add
+// the rest for consistency.
+
+import "errors"
+
+var (
+	errIllegalVarint  = errors.New("catmsg: illegal varint")
+	errVarintTooLarge = errors.New("catmsg: varint too large for uint64")
+)
+
+const maxVarintBytes = 10 // maximum length of a varint
+
+// encodeUint encodes x as a variable-sized integer into buf and returns the
+// number of bytes written. buf must be at least maxVarintBytes long
+func encodeUint(buf []byte, x uint64) (n int) {
+	for ; x > 127; n++ {
+		buf[n] = 0x80 | uint8(x&0x7F)
+		x >>= 7
+	}
+	buf[n] = uint8(x)
+	n++
+	return n
+}
+
+func decodeUintString(s string) (x uint64, size int, err error) {
+	i := 0
+	for shift := uint(0); shift < 64; shift += 7 {
+		if i >= len(s) {
+			return 0, i, errIllegalVarint
+		}
+		b := uint64(s[i])
+		i++
+		x |= (b & 0x7F) << shift
+		if b&0x80 == 0 {
+			return x, i, nil
+		}
+	}
+	return 0, i, errVarintTooLarge
+}
+
+func decodeUint(b []byte) (x uint64, size int, err error) {
+	i := 0
+	for shift := uint(0); shift < 64; shift += 7 {
+		if i >= len(b) {
+			return 0, i, errIllegalVarint
+		}
+		c := uint64(b[i])
+		i++
+		x |= (c & 0x7F) << shift
+		if c&0x80 == 0 {
+			return x, i, nil
+		}
+	}
+	return 0, i, errVarintTooLarge
+}
diff --git a/vendor/golang.org/x/text/internal/format/format.go b/vendor/golang.org/x/text/internal/format/format.go
new file mode 100644
index 0000000000..ee1c57a3c5
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/format/format.go
@@ -0,0 +1,41 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package format contains types for defining language-specific formatting of
+// values.
+//
+// This package is internal now, but will eventually be exposed after the API
+// settles.
+package format // import "golang.org/x/text/internal/format"
+
+import (
+	"fmt"
+
+	"golang.org/x/text/language"
+)
+
+// State represents the printer state passed to custom formatters. It provides
+// access to the fmt.State interface and the sentence and language-related
+// context.
+type State interface {
+	fmt.State
+
+	// Language reports the requested language in which to render a message.
+	Language() language.Tag
+
+	// TODO: consider this and removing rune from the Format method in the
+	// Formatter interface.
+	//
+	// Verb returns the format variant to render, analogous to the types used
+	// in fmt. Use 'v' for the default or only variant.
+	// Verb() rune
+
+	// TODO: more info:
+	// - sentence context such as linguistic features passed by the translator.
+}
+
+// Formatter is analogous to fmt.Formatter.
+type Formatter interface {
+	Format(state State, verb rune)
+}
diff --git a/vendor/golang.org/x/text/internal/format/parser.go b/vendor/golang.org/x/text/internal/format/parser.go
new file mode 100644
index 0000000000..855aed71db
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/format/parser.go
@@ -0,0 +1,358 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package format
+
+import (
+	"reflect"
+	"unicode/utf8"
+)
+
+// A Parser parses a format string. The result from the parse are set in the
+// struct fields.
+type Parser struct {
+	Verb rune
+
+	WidthPresent bool
+	PrecPresent  bool
+	Minus        bool
+	Plus         bool
+	Sharp        bool
+	Space        bool
+	Zero         bool
+
+	// For the formats %+v %#v, we set the plusV/sharpV flags
+	// and clear the plus/sharp flags since %+v and %#v are in effect
+	// different, flagless formats set at the top level.
+	PlusV  bool
+	SharpV bool
+
+	HasIndex bool
+
+	Width int
+	Prec  int // precision
+
+	// retain arguments across calls.
+	Args []interface{}
+	// retain current argument number across calls
+	ArgNum int
+
+	// reordered records whether the format string used argument reordering.
+	Reordered bool
+	// goodArgNum records whether the most recent reordering directive was valid.
+	goodArgNum bool
+
+	// position info
+	format   string
+	startPos int
+	endPos   int
+	Status   Status
+}
+
+// Reset initializes a parser to scan format strings for the given args.
+func (p *Parser) Reset(args []interface{}) {
+	p.Args = args
+	p.ArgNum = 0
+	p.startPos = 0
+	p.Reordered = false
+}
+
+// Text returns the part of the format string that was parsed by the last call
+// to Scan. It returns the original substitution clause if the current scan
+// parsed a substitution.
+func (p *Parser) Text() string { return p.format[p.startPos:p.endPos] }
+
+// SetFormat sets a new format string to parse. It does not reset the argument
+// count.
+func (p *Parser) SetFormat(format string) {
+	p.format = format
+	p.startPos = 0
+	p.endPos = 0
+}
+
+// Status indicates the result type of a call to Scan.
+type Status int
+
+const (
+	StatusText Status = iota
+	StatusSubstitution
+	StatusBadWidthSubstitution
+	StatusBadPrecSubstitution
+	StatusNoVerb
+	StatusBadArgNum
+	StatusMissingArg
+)
+
+// ClearFlags reset the parser to default behavior.
+func (p *Parser) ClearFlags() {
+	p.WidthPresent = false
+	p.PrecPresent = false
+	p.Minus = false
+	p.Plus = false
+	p.Sharp = false
+	p.Space = false
+	p.Zero = false
+
+	p.PlusV = false
+	p.SharpV = false
+
+	p.HasIndex = false
+}
+
+// Scan scans the next part of the format string and sets the status to
+// indicate whether it scanned a string literal, substitution or error.
+func (p *Parser) Scan() bool {
+	p.Status = StatusText
+	format := p.format
+	end := len(format)
+	if p.endPos >= end {
+		return false
+	}
+	afterIndex := false // previous item in format was an index like [3].
+
+	p.startPos = p.endPos
+	p.goodArgNum = true
+	i := p.startPos
+	for i < end && format[i] != '%' {
+		i++
+	}
+	if i > p.startPos {
+		p.endPos = i
+		return true
+	}
+	// Process one verb
+	i++
+
+	p.Status = StatusSubstitution
+
+	// Do we have flags?
+	p.ClearFlags()
+
+simpleFormat:
+	for ; i < end; i++ {
+		c := p.format[i]
+		switch c {
+		case '#':
+			p.Sharp = true
+		case '0':
+			p.Zero = !p.Minus // Only allow zero padding to the left.
+		case '+':
+			p.Plus = true
+		case '-':
+			p.Minus = true
+			p.Zero = false // Do not pad with zeros to the right.
+		case ' ':
+			p.Space = true
+		default:
+			// Fast path for common case of ascii lower case simple verbs
+			// without precision or width or argument indices.
+			if 'a' <= c && c <= 'z' && p.ArgNum < len(p.Args) {
+				if c == 'v' {
+					// Go syntax
+					p.SharpV = p.Sharp
+					p.Sharp = false
+					// Struct-field syntax
+					p.PlusV = p.Plus
+					p.Plus = false
+				}
+				p.Verb = rune(c)
+				p.ArgNum++
+				p.endPos = i + 1
+				return true
+			}
+			// Format is more complex than simple flags and a verb or is malformed.
+			break simpleFormat
+		}
+	}
+
+	// Do we have an explicit argument index?
+	i, afterIndex = p.updateArgNumber(format, i)
+
+	// Do we have width?
+	if i < end && format[i] == '*' {
+		i++
+		p.Width, p.WidthPresent = p.intFromArg()
+
+		if !p.WidthPresent {
+			p.Status = StatusBadWidthSubstitution
+		}
+
+		// We have a negative width, so take its value and ensure
+		// that the minus flag is set
+		if p.Width < 0 {
+			p.Width = -p.Width
+			p.Minus = true
+			p.Zero = false // Do not pad with zeros to the right.
+		}
+		afterIndex = false
+	} else {
+		p.Width, p.WidthPresent, i = parsenum(format, i, end)
+		if afterIndex && p.WidthPresent { // "%[3]2d"
+			p.goodArgNum = false
+		}
+	}
+
+	// Do we have precision?
+	if i+1 < end && format[i] == '.' {
+		i++
+		if afterIndex { // "%[3].2d"
+			p.goodArgNum = false
+		}
+		i, afterIndex = p.updateArgNumber(format, i)
+		if i < end && format[i] == '*' {
+			i++
+			p.Prec, p.PrecPresent = p.intFromArg()
+			// Negative precision arguments don't make sense
+			if p.Prec < 0 {
+				p.Prec = 0
+				p.PrecPresent = false
+			}
+			if !p.PrecPresent {
+				p.Status = StatusBadPrecSubstitution
+			}
+			afterIndex = false
+		} else {
+			p.Prec, p.PrecPresent, i = parsenum(format, i, end)
+			if !p.PrecPresent {
+				p.Prec = 0
+				p.PrecPresent = true
+			}
+		}
+	}
+
+	if !afterIndex {
+		i, afterIndex = p.updateArgNumber(format, i)
+	}
+	p.HasIndex = afterIndex
+
+	if i >= end {
+		p.endPos = i
+		p.Status = StatusNoVerb
+		return true
+	}
+
+	verb, w := utf8.DecodeRuneInString(format[i:])
+	p.endPos = i + w
+	p.Verb = verb
+
+	switch {
+	case verb == '%': // Percent does not absorb operands and ignores f.wid and f.prec.
+		p.startPos = p.endPos - 1
+		p.Status = StatusText
+	case !p.goodArgNum:
+		p.Status = StatusBadArgNum
+	case p.ArgNum >= len(p.Args): // No argument left over to print for the current verb.
+		p.Status = StatusMissingArg
+		p.ArgNum++
+	case verb == 'v':
+		// Go syntax
+		p.SharpV = p.Sharp
+		p.Sharp = false
+		// Struct-field syntax
+		p.PlusV = p.Plus
+		p.Plus = false
+		fallthrough
+	default:
+		p.ArgNum++
+	}
+	return true
+}
+
+// intFromArg gets the ArgNumth element of Args. On return, isInt reports
+// whether the argument has integer type.
+func (p *Parser) intFromArg() (num int, isInt bool) {
+	if p.ArgNum < len(p.Args) {
+		arg := p.Args[p.ArgNum]
+		num, isInt = arg.(int) // Almost always OK.
+		if !isInt {
+			// Work harder.
+			switch v := reflect.ValueOf(arg); v.Kind() {
+			case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+				n := v.Int()
+				if int64(int(n)) == n {
+					num = int(n)
+					isInt = true
+				}
+			case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+				n := v.Uint()
+				if int64(n) >= 0 && uint64(int(n)) == n {
+					num = int(n)
+					isInt = true
+				}
+			default:
+				// Already 0, false.
+			}
+		}
+		p.ArgNum++
+		if tooLarge(num) {
+			num = 0
+			isInt = false
+		}
+	}
+	return
+}
+
+// parseArgNumber returns the value of the bracketed number, minus 1
+// (explicit argument numbers are one-indexed but we want zero-indexed).
+// The opening bracket is known to be present at format[0].
+// The returned values are the index, the number of bytes to consume
+// up to the closing paren, if present, and whether the number parsed
+// ok. The bytes to consume will be 1 if no closing paren is present.
+func parseArgNumber(format string) (index int, wid int, ok bool) {
+	// There must be at least 3 bytes: [n].
+	if len(format) < 3 {
+		return 0, 1, false
+	}
+
+	// Find closing bracket.
+	for i := 1; i < len(format); i++ {
+		if format[i] == ']' {
+			width, ok, newi := parsenum(format, 1, i)
+			if !ok || newi != i {
+				return 0, i + 1, false
+			}
+			return width - 1, i + 1, true // arg numbers are one-indexed and skip paren.
+		}
+	}
+	return 0, 1, false
+}
+
+// updateArgNumber returns the next argument to evaluate, which is either the value of the passed-in
+// argNum or the value of the bracketed integer that begins format[i:]. It also returns
+// the new value of i, that is, the index of the next byte of the format to process.
+func (p *Parser) updateArgNumber(format string, i int) (newi int, found bool) {
+	if len(format) <= i || format[i] != '[' {
+		return i, false
+	}
+	p.Reordered = true
+	index, wid, ok := parseArgNumber(format[i:])
+	if ok && 0 <= index && index < len(p.Args) {
+		p.ArgNum = index
+		return i + wid, true
+	}
+	p.goodArgNum = false
+	return i + wid, ok
+}
+
+// tooLarge reports whether the magnitude of the integer is
+// too large to be used as a formatting width or precision.
+func tooLarge(x int) bool {
+	const max int = 1e6
+	return x > max || x < -max
+}
+
+// parsenum converts ASCII to integer.  num is 0 (and isnum is false) if no number present.
+func parsenum(s string, start, end int) (num int, isnum bool, newi int) {
+	if start >= end {
+		return 0, false, end
+	}
+	for newi = start; newi < end && '0' <= s[newi] && s[newi] <= '9'; newi++ {
+		if tooLarge(num) {
+			return 0, false, end // Overflow; crazy long number most likely.
+		}
+		num = num*10 + int(s[newi]-'0')
+		isnum = true
+	}
+	return
+}
diff --git a/vendor/golang.org/x/text/internal/internal.go b/vendor/golang.org/x/text/internal/internal.go
new file mode 100644
index 0000000000..3cddbbdda8
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/internal.go
@@ -0,0 +1,49 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package internal contains non-exported functionality that are used by
+// packages in the text repository.
+package internal // import "golang.org/x/text/internal"
+
+import (
+	"sort"
+
+	"golang.org/x/text/language"
+)
+
+// SortTags sorts tags in place.
+func SortTags(tags []language.Tag) {
+	sort.Sort(sorter(tags))
+}
+
+type sorter []language.Tag
+
+func (s sorter) Len() int {
+	return len(s)
+}
+
+func (s sorter) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+func (s sorter) Less(i, j int) bool {
+	return s[i].String() < s[j].String()
+}
+
+// UniqueTags sorts and filters duplicate tags in place and returns a slice with
+// only unique tags.
+func UniqueTags(tags []language.Tag) []language.Tag {
+	if len(tags) <= 1 {
+		return tags
+	}
+	SortTags(tags)
+	k := 0
+	for i := 1; i < len(tags); i++ {
+		if tags[k].String() < tags[i].String() {
+			k++
+			tags[k] = tags[i]
+		}
+	}
+	return tags[:k+1]
+}
diff --git a/vendor/golang.org/x/text/internal/match.go b/vendor/golang.org/x/text/internal/match.go
new file mode 100644
index 0000000000..1cc004a6d5
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/match.go
@@ -0,0 +1,67 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package internal
+
+// This file contains matchers that implement CLDR inheritance.
+//
+//     See https://unicode.org/reports/tr35/#Locale_Inheritance.
+//
+// Some of the inheritance described in this document is already handled by
+// the cldr package.
+
+import (
+	"golang.org/x/text/language"
+)
+
+// TODO: consider if (some of the) matching algorithm needs to be public after
+// getting some feel about what is generic and what is specific.
+
+// NewInheritanceMatcher returns a matcher that matches based on the inheritance
+// chain.
+//
+// The matcher uses canonicalization and the parent relationship to find a
+// match. The resulting match will always be either Und or a language with the
+// same language and script as the requested language. It will not match
+// languages for which there is understood to be mutual or one-directional
+// intelligibility.
+//
+// A Match will indicate an Exact match if the language matches after
+// canonicalization and High if the matched tag is a parent.
+func NewInheritanceMatcher(t []language.Tag) *InheritanceMatcher {
+	tags := &InheritanceMatcher{make(map[language.Tag]int)}
+	for i, tag := range t {
+		ct, err := language.All.Canonicalize(tag)
+		if err != nil {
+			ct = tag
+		}
+		tags.index[ct] = i
+	}
+	return tags
+}
+
+type InheritanceMatcher struct {
+	index map[language.Tag]int
+}
+
+func (m InheritanceMatcher) Match(want ...language.Tag) (language.Tag, int, language.Confidence) {
+	for _, t := range want {
+		ct, err := language.All.Canonicalize(t)
+		if err != nil {
+			ct = t
+		}
+		conf := language.Exact
+		for {
+			if index, ok := m.index[ct]; ok {
+				return ct, index, conf
+			}
+			if ct == language.Und {
+				break
+			}
+			ct = ct.Parent()
+			conf = language.High
+		}
+	}
+	return language.Und, 0, language.No
+}
diff --git a/vendor/golang.org/x/text/internal/number/common.go b/vendor/golang.org/x/text/internal/number/common.go
new file mode 100644
index 0000000000..a6e9c8e0d5
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/number/common.go
@@ -0,0 +1,55 @@
+// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
+
+package number
+
+import (
+	"unicode/utf8"
+
+	"golang.org/x/text/internal/language/compact"
+)
+
+// A system identifies a CLDR numbering system.
+type system byte
+
+type systemData struct {
+	id        system
+	digitSize byte              // number of UTF-8 bytes per digit
+	zero      [utf8.UTFMax]byte // UTF-8 sequence of zero digit.
+}
+
+// A SymbolType identifies a symbol of a specific kind.
+type SymbolType int
+
+const (
+	SymDecimal SymbolType = iota
+	SymGroup
+	SymList
+	SymPercentSign
+	SymPlusSign
+	SymMinusSign
+	SymExponential
+	SymSuperscriptingExponent
+	SymPerMille
+	SymInfinity
+	SymNan
+	SymTimeSeparator
+
+	NumSymbolTypes
+)
+
+const hasNonLatnMask = 0x8000
+
+// symOffset is an offset into altSymData if the bit indicated by hasNonLatnMask
+// is not 0 (with this bit masked out), and an offset into symIndex otherwise.
+//
+// TODO: this type can be a byte again if we use an indirection into altsymData
+// and introduce an alt -> offset slice (the length of this will be number of
+// alternatives plus 1). This also allows getting rid of the compactTag field
+// in altSymData. In total this will save about 1K.
+type symOffset uint16
+
+type altSymData struct {
+	compactTag compact.ID
+	symIndex   symOffset
+	system     system
+}
diff --git a/vendor/golang.org/x/text/internal/number/decimal.go b/vendor/golang.org/x/text/internal/number/decimal.go
new file mode 100644
index 0000000000..e128cf3437
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/number/decimal.go
@@ -0,0 +1,500 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:generate stringer -type RoundingMode
+
+package number
+
+import (
+	"math"
+	"strconv"
+)
+
+// RoundingMode determines how a number is rounded to the desired precision.
+type RoundingMode byte
+
+const (
+	ToNearestEven RoundingMode = iota // towards the nearest integer, or towards an even number if equidistant.
+	ToNearestZero                     // towards the nearest integer, or towards zero if equidistant.
+	ToNearestAway                     // towards the nearest integer, or away from zero if equidistant.
+	ToPositiveInf                     // towards infinity
+	ToNegativeInf                     // towards negative infinity
+	ToZero                            // towards zero
+	AwayFromZero                      // away from zero
+	numModes
+)
+
+const maxIntDigits = 20
+
+// A Decimal represents a floating point number in decimal format.
+// Digits represents a number [0, 1.0), and the absolute value represented by
+// Decimal is Digits * 10^Exp. Leading and trailing zeros may be omitted and Exp
+// may point outside a valid position in Digits.
+//
+// Examples:
+//
+//	Number     Decimal
+//	12345      Digits: [1, 2, 3, 4, 5], Exp: 5
+//	12.345     Digits: [1, 2, 3, 4, 5], Exp: 2
+//	12000      Digits: [1, 2],          Exp: 5
+//	12000.00   Digits: [1, 2],          Exp: 5
+//	0.00123    Digits: [1, 2, 3],       Exp: -2
+//	0          Digits: [],              Exp: 0
+type Decimal struct {
+	digits
+
+	buf [maxIntDigits]byte
+}
+
+type digits struct {
+	Digits []byte // mantissa digits, big-endian
+	Exp    int32  // exponent
+	Neg    bool
+	Inf    bool // Takes precedence over Digits and Exp.
+	NaN    bool // Takes precedence over Inf.
+}
+
+// Digits represents a floating point number represented in digits of the
+// base in which a number is to be displayed. It is similar to Decimal, but
+// keeps track of trailing fraction zeros and the comma placement for
+// engineering notation. Digits must have at least one digit.
+//
+// Examples:
+//
+//	  Number     Decimal
+//	decimal
+//	  12345      Digits: [1, 2, 3, 4, 5], Exp: 5  End: 5
+//	  12.345     Digits: [1, 2, 3, 4, 5], Exp: 2  End: 5
+//	  12000      Digits: [1, 2],          Exp: 5  End: 5
+//	  12000.00   Digits: [1, 2],          Exp: 5  End: 7
+//	  0.00123    Digits: [1, 2, 3],       Exp: -2 End: 3
+//	  0          Digits: [],              Exp: 0  End: 1
+//	scientific (actual exp is Exp - Comma)
+//	  0e0        Digits: [0],             Exp: 1, End: 1, Comma: 1
+//	  .0e0       Digits: [0],             Exp: 0, End: 1, Comma: 0
+//	  0.0e0      Digits: [0],             Exp: 1, End: 2, Comma: 1
+//	  1.23e4     Digits: [1, 2, 3],       Exp: 5, End: 3, Comma: 1
+//	  .123e5     Digits: [1, 2, 3],       Exp: 5, End: 3, Comma: 0
+//	engineering
+//	  12.3e3     Digits: [1, 2, 3],       Exp: 5, End: 3, Comma: 2
+type Digits struct {
+	digits
+	// End indicates the end position of the number.
+	End int32 // For decimals Exp <= End. For scientific len(Digits) <= End.
+	// Comma is used for the comma position for scientific (always 0 or 1) and
+	// engineering notation (always 0, 1, 2, or 3).
+	Comma uint8
+	// IsScientific indicates whether this number is to be rendered as a
+	// scientific number.
+	IsScientific bool
+}
+
+func (d *Digits) NumFracDigits() int {
+	if d.Exp >= d.End {
+		return 0
+	}
+	return int(d.End - d.Exp)
+}
+
+// normalize returns a new Decimal with leading and trailing zeros removed.
+func (d *Decimal) normalize() (n Decimal) {
+	n = *d
+	b := n.Digits
+	// Strip leading zeros. Resulting number of digits is significant digits.
+	for len(b) > 0 && b[0] == 0 {
+		b = b[1:]
+		n.Exp--
+	}
+	// Strip trailing zeros
+	for len(b) > 0 && b[len(b)-1] == 0 {
+		b = b[:len(b)-1]
+	}
+	if len(b) == 0 {
+		n.Exp = 0
+	}
+	n.Digits = b
+	return n
+}
+
+func (d *Decimal) clear() {
+	b := d.Digits
+	if b == nil {
+		b = d.buf[:0]
+	}
+	*d = Decimal{}
+	d.Digits = b[:0]
+}
+
+func (x *Decimal) String() string {
+	if x.NaN {
+		return "NaN"
+	}
+	var buf []byte
+	if x.Neg {
+		buf = append(buf, '-')
+	}
+	if x.Inf {
+		buf = append(buf, "Inf"...)
+		return string(buf)
+	}
+	switch {
+	case len(x.Digits) == 0:
+		buf = append(buf, '0')
+	case x.Exp <= 0:
+		// 0.00ddd
+		buf = append(buf, "0."...)
+		buf = appendZeros(buf, -int(x.Exp))
+		buf = appendDigits(buf, x.Digits)
+
+	case /* 0 < */ int(x.Exp) < len(x.Digits):
+		// dd.ddd
+		buf = appendDigits(buf, x.Digits[:x.Exp])
+		buf = append(buf, '.')
+		buf = appendDigits(buf, x.Digits[x.Exp:])
+
+	default: // len(x.Digits) <= x.Exp
+		// ddd00
+		buf = appendDigits(buf, x.Digits)
+		buf = appendZeros(buf, int(x.Exp)-len(x.Digits))
+	}
+	return string(buf)
+}
+
+func appendDigits(buf []byte, digits []byte) []byte {
+	for _, c := range digits {
+		buf = append(buf, c+'0')
+	}
+	return buf
+}
+
+// appendZeros appends n 0 digits to buf and returns buf.
+func appendZeros(buf []byte, n int) []byte {
+	for ; n > 0; n-- {
+		buf = append(buf, '0')
+	}
+	return buf
+}
+
+func (d *digits) round(mode RoundingMode, n int) {
+	if n >= len(d.Digits) {
+		return
+	}
+	// Make rounding decision: The result mantissa is truncated ("rounded down")
+	// by default. Decide if we need to increment, or "round up", the (unsigned)
+	// mantissa.
+	inc := false
+	switch mode {
+	case ToNegativeInf:
+		inc = d.Neg
+	case ToPositiveInf:
+		inc = !d.Neg
+	case ToZero:
+		// nothing to do
+	case AwayFromZero:
+		inc = true
+	case ToNearestEven:
+		inc = d.Digits[n] > 5 || d.Digits[n] == 5 &&
+			(len(d.Digits) > n+1 || n == 0 || d.Digits[n-1]&1 != 0)
+	case ToNearestAway:
+		inc = d.Digits[n] >= 5
+	case ToNearestZero:
+		inc = d.Digits[n] > 5 || d.Digits[n] == 5 && len(d.Digits) > n+1
+	default:
+		panic("unreachable")
+	}
+	if inc {
+		d.roundUp(n)
+	} else {
+		d.roundDown(n)
+	}
+}
+
+// roundFloat rounds a floating point number.
+func (r RoundingMode) roundFloat(x float64) float64 {
+	// Make rounding decision: The result mantissa is truncated ("rounded down")
+	// by default. Decide if we need to increment, or "round up", the (unsigned)
+	// mantissa.
+	abs := x
+	if x < 0 {
+		abs = -x
+	}
+	i, f := math.Modf(abs)
+	if f == 0.0 {
+		return x
+	}
+	inc := false
+	switch r {
+	case ToNegativeInf:
+		inc = x < 0
+	case ToPositiveInf:
+		inc = x >= 0
+	case ToZero:
+		// nothing to do
+	case AwayFromZero:
+		inc = true
+	case ToNearestEven:
+		// TODO: check overflow
+		inc = f > 0.5 || f == 0.5 && int64(i)&1 != 0
+	case ToNearestAway:
+		inc = f >= 0.5
+	case ToNearestZero:
+		inc = f > 0.5
+	default:
+		panic("unreachable")
+	}
+	if inc {
+		i += 1
+	}
+	if abs != x {
+		i = -i
+	}
+	return i
+}
+
+func (x *digits) roundUp(n int) {
+	if n < 0 || n >= len(x.Digits) {
+		return // nothing to do
+	}
+	// find first digit < 9
+	for n > 0 && x.Digits[n-1] >= 9 {
+		n--
+	}
+
+	if n == 0 {
+		// all digits are 9s => round up to 1 and update exponent
+		x.Digits[0] = 1 // ok since len(x.Digits) > n
+		x.Digits = x.Digits[:1]
+		x.Exp++
+		return
+	}
+	x.Digits[n-1]++
+	x.Digits = x.Digits[:n]
+	// x already trimmed
+}
+
+func (x *digits) roundDown(n int) {
+	if n < 0 || n >= len(x.Digits) {
+		return // nothing to do
+	}
+	x.Digits = x.Digits[:n]
+	trim(x)
+}
+
+// trim cuts off any trailing zeros from x's mantissa;
+// they are meaningless for the value of x.
+func trim(x *digits) {
+	i := len(x.Digits)
+	for i > 0 && x.Digits[i-1] == 0 {
+		i--
+	}
+	x.Digits = x.Digits[:i]
+	if i == 0 {
+		x.Exp = 0
+	}
+}
+
+// A Converter converts a number into decimals according to the given rounding
+// criteria.
+type Converter interface {
+	Convert(d *Decimal, r RoundingContext)
+}
+
+const (
+	signed   = true
+	unsigned = false
+)
+
+// Convert converts the given number to the decimal representation using the
+// supplied RoundingContext.
+func (d *Decimal) Convert(r RoundingContext, number interface{}) {
+	switch f := number.(type) {
+	case Converter:
+		d.clear()
+		f.Convert(d, r)
+	case float32:
+		d.ConvertFloat(r, float64(f), 32)
+	case float64:
+		d.ConvertFloat(r, f, 64)
+	case int:
+		d.ConvertInt(r, signed, uint64(f))
+	case int8:
+		d.ConvertInt(r, signed, uint64(f))
+	case int16:
+		d.ConvertInt(r, signed, uint64(f))
+	case int32:
+		d.ConvertInt(r, signed, uint64(f))
+	case int64:
+		d.ConvertInt(r, signed, uint64(f))
+	case uint:
+		d.ConvertInt(r, unsigned, uint64(f))
+	case uint8:
+		d.ConvertInt(r, unsigned, uint64(f))
+	case uint16:
+		d.ConvertInt(r, unsigned, uint64(f))
+	case uint32:
+		d.ConvertInt(r, unsigned, uint64(f))
+	case uint64:
+		d.ConvertInt(r, unsigned, f)
+
+	default:
+		d.NaN = true
+		// TODO:
+		// case string: if produced by strconv, allows for easy arbitrary pos.
+		// case reflect.Value:
+		// case big.Float
+		// case big.Int
+		// case big.Rat?
+		// catch underlyings using reflect or will this already be done by the
+		//    message package?
+	}
+}
+
+// ConvertInt converts an integer to decimals.
+func (d *Decimal) ConvertInt(r RoundingContext, signed bool, x uint64) {
+	if r.Increment > 0 {
+		// TODO: if uint64 is too large, fall back to float64
+		if signed {
+			d.ConvertFloat(r, float64(int64(x)), 64)
+		} else {
+			d.ConvertFloat(r, float64(x), 64)
+		}
+		return
+	}
+	d.clear()
+	if signed && int64(x) < 0 {
+		x = uint64(-int64(x))
+		d.Neg = true
+	}
+	d.fillIntDigits(x)
+	d.Exp = int32(len(d.Digits))
+}
+
+// ConvertFloat converts a floating point number to decimals.
+func (d *Decimal) ConvertFloat(r RoundingContext, x float64, size int) {
+	d.clear()
+	if math.IsNaN(x) {
+		d.NaN = true
+		return
+	}
+	// Simple case: decimal notation
+	if r.Increment > 0 {
+		scale := int(r.IncrementScale)
+		mult := 1.0
+		if scale >= len(scales) {
+			mult = math.Pow(10, float64(scale))
+		} else {
+			mult = scales[scale]
+		}
+		// We multiply x instead of dividing inc as it gives less rounding
+		// issues.
+		x *= mult
+		x /= float64(r.Increment)
+		x = r.Mode.roundFloat(x)
+		x *= float64(r.Increment)
+		x /= mult
+	}
+
+	abs := x
+	if x < 0 {
+		d.Neg = true
+		abs = -x
+	}
+	if math.IsInf(abs, 1) {
+		d.Inf = true
+		return
+	}
+
+	// By default we get the exact decimal representation.
+	verb := byte('g')
+	prec := -1
+	// As the strconv API does not return the rounding accuracy, we can only
+	// round using ToNearestEven.
+	if r.Mode == ToNearestEven {
+		if n := r.RoundSignificantDigits(); n >= 0 {
+			prec = n
+		} else if n = r.RoundFractionDigits(); n >= 0 {
+			prec = n
+			verb = 'f'
+		}
+	} else {
+		// TODO: At this point strconv's rounding is imprecise to the point that
+		// it is not usable for this purpose.
+		// See https://github.com/golang/go/issues/21714
+		// If rounding is requested, we ask for a large number of digits and
+		// round from there to simulate rounding only once.
+		// Ideally we would have strconv export an AppendDigits that would take
+		// a rounding mode and/or return an accuracy. Something like this would
+		// work:
+		// AppendDigits(dst []byte, x float64, base, size, prec int) (digits []byte, exp, accuracy int)
+		hasPrec := r.RoundSignificantDigits() >= 0
+		hasScale := r.RoundFractionDigits() >= 0
+		if hasPrec || hasScale {
+			// prec is the number of mantissa bits plus some extra for safety.
+			// We need at least the number of mantissa bits as decimals to
+			// accurately represent the floating point without rounding, as each
+			// bit requires one more decimal to represent: 0.5, 0.25, 0.125, ...
+			prec = 60
+		}
+	}
+
+	b := strconv.AppendFloat(d.Digits[:0], abs, verb, prec, size)
+	i := 0
+	k := 0
+	beforeDot := 1
+	for i < len(b) {
+		if c := b[i]; '0' <= c && c <= '9' {
+			b[k] = c - '0'
+			k++
+			d.Exp += int32(beforeDot)
+		} else if c == '.' {
+			beforeDot = 0
+			d.Exp = int32(k)
+		} else {
+			break
+		}
+		i++
+	}
+	d.Digits = b[:k]
+	if i != len(b) {
+		i += len("e")
+		pSign := i
+		exp := 0
+		for i++; i < len(b); i++ {
+			exp *= 10
+			exp += int(b[i] - '0')
+		}
+		if b[pSign] == '-' {
+			exp = -exp
+		}
+		d.Exp = int32(exp) + 1
+	}
+}
+
+func (d *Decimal) fillIntDigits(x uint64) {
+	if cap(d.Digits) < maxIntDigits {
+		d.Digits = d.buf[:]
+	} else {
+		d.Digits = d.buf[:maxIntDigits]
+	}
+	i := 0
+	for ; x > 0; x /= 10 {
+		d.Digits[i] = byte(x % 10)
+		i++
+	}
+	d.Digits = d.Digits[:i]
+	for p := 0; p < i; p++ {
+		i--
+		d.Digits[p], d.Digits[i] = d.Digits[i], d.Digits[p]
+	}
+}
+
+var scales [70]float64
+
+func init() {
+	x := 1.0
+	for i := range scales {
+		scales[i] = x
+		x *= 10
+	}
+}
diff --git a/vendor/golang.org/x/text/internal/number/format.go b/vendor/golang.org/x/text/internal/number/format.go
new file mode 100644
index 0000000000..1aadcf4077
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/number/format.go
@@ -0,0 +1,533 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package number
+
+import (
+	"strconv"
+	"unicode/utf8"
+
+	"golang.org/x/text/language"
+)
+
+// TODO:
+// - grouping of fractions
+// - allow user-defined superscript notation (such as <sup>4</sup>)
+// - same for non-breaking spaces, like &nbsp;
+
+// A VisibleDigits computes digits, comma placement and trailing zeros as they
+// will be shown to the user.
+type VisibleDigits interface {
+	Digits(buf []byte, t language.Tag, scale int) Digits
+	// TODO: Do we also need to add the verb or pass a format.State?
+}
+
+// Formatting proceeds along the following lines:
+// 0) Compose rounding information from format and context.
+// 1) Convert a number into a Decimal.
+// 2) Sanitize Decimal by adding trailing zeros, removing leading digits, and
+//    (non-increment) rounding. The Decimal that results from this is suitable
+//    for determining the plural form.
+// 3) Render the Decimal in the localized form.
+
+// Formatter contains all the information needed to render a number.
+type Formatter struct {
+	Pattern
+	Info
+}
+
+func (f *Formatter) init(t language.Tag, index []uint8) {
+	f.Info = InfoFromTag(t)
+	f.Pattern = formats[index[tagToID(t)]]
+}
+
+// InitPattern initializes a Formatter for the given Pattern.
+func (f *Formatter) InitPattern(t language.Tag, pat *Pattern) {
+	f.Info = InfoFromTag(t)
+	f.Pattern = *pat
+}
+
+// InitDecimal initializes a Formatter using the default Pattern for the given
+// language.
+func (f *Formatter) InitDecimal(t language.Tag) {
+	f.init(t, tagToDecimal)
+}
+
+// InitScientific initializes a Formatter using the default Pattern for the
+// given language.
+func (f *Formatter) InitScientific(t language.Tag) {
+	f.init(t, tagToScientific)
+	f.Pattern.MinFractionDigits = 0
+	f.Pattern.MaxFractionDigits = -1
+}
+
+// InitEngineering initializes a Formatter using the default Pattern for the
+// given language.
+func (f *Formatter) InitEngineering(t language.Tag) {
+	f.init(t, tagToScientific)
+	f.Pattern.MinFractionDigits = 0
+	f.Pattern.MaxFractionDigits = -1
+	f.Pattern.MaxIntegerDigits = 3
+	f.Pattern.MinIntegerDigits = 1
+}
+
+// InitPercent initializes a Formatter using the default Pattern for the given
+// language.
+func (f *Formatter) InitPercent(t language.Tag) {
+	f.init(t, tagToPercent)
+}
+
+// InitPerMille initializes a Formatter using the default Pattern for the given
+// language.
+func (f *Formatter) InitPerMille(t language.Tag) {
+	f.init(t, tagToPercent)
+	f.Pattern.DigitShift = 3
+}
+
+func (f *Formatter) Append(dst []byte, x interface{}) []byte {
+	var d Decimal
+	r := f.RoundingContext
+	d.Convert(r, x)
+	return f.Render(dst, FormatDigits(&d, r))
+}
+
+func FormatDigits(d *Decimal, r RoundingContext) Digits {
+	if r.isScientific() {
+		return scientificVisibleDigits(r, d)
+	}
+	return decimalVisibleDigits(r, d)
+}
+
+func (f *Formatter) Format(dst []byte, d *Decimal) []byte {
+	return f.Render(dst, FormatDigits(d, f.RoundingContext))
+}
+
+func (f *Formatter) Render(dst []byte, d Digits) []byte {
+	var result []byte
+	var postPrefix, preSuffix int
+	if d.IsScientific {
+		result, postPrefix, preSuffix = appendScientific(dst, f, &d)
+	} else {
+		result, postPrefix, preSuffix = appendDecimal(dst, f, &d)
+	}
+	if f.PadRune == 0 {
+		return result
+	}
+	width := int(f.FormatWidth)
+	if count := utf8.RuneCount(result); count < width {
+		insertPos := 0
+		switch f.Flags & PadMask {
+		case PadAfterPrefix:
+			insertPos = postPrefix
+		case PadBeforeSuffix:
+			insertPos = preSuffix
+		case PadAfterSuffix:
+			insertPos = len(result)
+		}
+		num := width - count
+		pad := [utf8.UTFMax]byte{' '}
+		sz := 1
+		if r := f.PadRune; r != 0 {
+			sz = utf8.EncodeRune(pad[:], r)
+		}
+		extra := sz * num
+		if n := len(result) + extra; n < cap(result) {
+			result = result[:n]
+			copy(result[insertPos+extra:], result[insertPos:])
+		} else {
+			buf := make([]byte, n)
+			copy(buf, result[:insertPos])
+			copy(buf[insertPos+extra:], result[insertPos:])
+			result = buf
+		}
+		for ; num > 0; num-- {
+			insertPos += copy(result[insertPos:], pad[:sz])
+		}
+	}
+	return result
+}
+
+// decimalVisibleDigits converts d according to the RoundingContext. Note that
+// the exponent may change as a result of this operation.
+func decimalVisibleDigits(r RoundingContext, d *Decimal) Digits {
+	if d.NaN || d.Inf {
+		return Digits{digits: digits{Neg: d.Neg, NaN: d.NaN, Inf: d.Inf}}
+	}
+	n := Digits{digits: d.normalize().digits}
+
+	exp := n.Exp
+	exp += int32(r.DigitShift)
+
+	// Cap integer digits. Remove *most-significant* digits.
+	if r.MaxIntegerDigits > 0 {
+		if p := int(exp) - int(r.MaxIntegerDigits); p > 0 {
+			if p > len(n.Digits) {
+				p = len(n.Digits)
+			}
+			if n.Digits = n.Digits[p:]; len(n.Digits) == 0 {
+				exp = 0
+			} else {
+				exp -= int32(p)
+			}
+			// Strip leading zeros.
+			for len(n.Digits) > 0 && n.Digits[0] == 0 {
+				n.Digits = n.Digits[1:]
+				exp--
+			}
+		}
+	}
+
+	// Rounding if not already done by Convert.
+	p := len(n.Digits)
+	if maxSig := int(r.MaxSignificantDigits); maxSig > 0 {
+		p = maxSig
+	}
+	if maxFrac := int(r.MaxFractionDigits); maxFrac >= 0 {
+		if cap := int(exp) + maxFrac; cap < p {
+			p = int(exp) + maxFrac
+		}
+		if p < 0 {
+			p = 0
+		}
+	}
+	n.round(r.Mode, p)
+
+	// set End (trailing zeros)
+	n.End = int32(len(n.Digits))
+	if n.End == 0 {
+		exp = 0
+		if r.MinFractionDigits > 0 {
+			n.End = int32(r.MinFractionDigits)
+		}
+		if p := int32(r.MinSignificantDigits) - 1; p > n.End {
+			n.End = p
+		}
+	} else {
+		if end := exp + int32(r.MinFractionDigits); end > n.End {
+			n.End = end
+		}
+		if n.End < int32(r.MinSignificantDigits) {
+			n.End = int32(r.MinSignificantDigits)
+		}
+	}
+	n.Exp = exp
+	return n
+}
+
+// appendDecimal appends a formatted number to dst. It returns two possible
+// insertion points for padding.
+func appendDecimal(dst []byte, f *Formatter, n *Digits) (b []byte, postPre, preSuf int) {
+	if dst, ok := f.renderSpecial(dst, n); ok {
+		return dst, 0, len(dst)
+	}
+	digits := n.Digits
+	exp := n.Exp
+
+	// Split in integer and fraction part.
+	var intDigits, fracDigits []byte
+	numInt := 0
+	numFrac := int(n.End - n.Exp)
+	if exp > 0 {
+		numInt = int(exp)
+		if int(exp) >= len(digits) { // ddddd | ddddd00
+			intDigits = digits
+		} else { // ddd.dd
+			intDigits = digits[:exp]
+			fracDigits = digits[exp:]
+		}
+	} else {
+		fracDigits = digits
+	}
+
+	neg := n.Neg
+	affix, suffix := f.getAffixes(neg)
+	dst = appendAffix(dst, f, affix, neg)
+	savedLen := len(dst)
+
+	minInt := int(f.MinIntegerDigits)
+	if minInt == 0 && f.MinSignificantDigits > 0 {
+		minInt = 1
+	}
+	// add leading zeros
+	for i := minInt; i > numInt; i-- {
+		dst = f.AppendDigit(dst, 0)
+		if f.needsSep(i) {
+			dst = append(dst, f.Symbol(SymGroup)...)
+		}
+	}
+	i := 0
+	for ; i < len(intDigits); i++ {
+		dst = f.AppendDigit(dst, intDigits[i])
+		if f.needsSep(numInt - i) {
+			dst = append(dst, f.Symbol(SymGroup)...)
+		}
+	}
+	for ; i < numInt; i++ {
+		dst = f.AppendDigit(dst, 0)
+		if f.needsSep(numInt - i) {
+			dst = append(dst, f.Symbol(SymGroup)...)
+		}
+	}
+
+	if numFrac > 0 || f.Flags&AlwaysDecimalSeparator != 0 {
+		dst = append(dst, f.Symbol(SymDecimal)...)
+	}
+	// Add trailing zeros
+	i = 0
+	for n := -int(n.Exp); i < n; i++ {
+		dst = f.AppendDigit(dst, 0)
+	}
+	for _, d := range fracDigits {
+		i++
+		dst = f.AppendDigit(dst, d)
+	}
+	for ; i < numFrac; i++ {
+		dst = f.AppendDigit(dst, 0)
+	}
+	return appendAffix(dst, f, suffix, neg), savedLen, len(dst)
+}
+
+func scientificVisibleDigits(r RoundingContext, d *Decimal) Digits {
+	if d.NaN || d.Inf {
+		return Digits{digits: digits{Neg: d.Neg, NaN: d.NaN, Inf: d.Inf}}
+	}
+	n := Digits{digits: d.normalize().digits, IsScientific: true}
+
+	// Normalize to have at least one digit. This simplifies engineering
+	// notation.
+	if len(n.Digits) == 0 {
+		n.Digits = append(n.Digits, 0)
+		n.Exp = 1
+	}
+
+	// Significant digits are transformed by the parser for scientific notation
+	// and do not need to be handled here.
+	maxInt, numInt := int(r.MaxIntegerDigits), int(r.MinIntegerDigits)
+	if numInt == 0 {
+		numInt = 1
+	}
+
+	// If a maximum number of integers is specified, the minimum must be 1
+	// and the exponent is grouped by this number (e.g. for engineering)
+	if maxInt > numInt {
+		// Correct the exponent to reflect a single integer digit.
+		numInt = 1
+		// engineering
+		// 0.01234 ([12345]e-1) -> 1.2345e-2  12.345e-3
+		// 12345   ([12345]e+5) -> 1.2345e4  12.345e3
+		d := int(n.Exp-1) % maxInt
+		if d < 0 {
+			d += maxInt
+		}
+		numInt += d
+	}
+
+	p := len(n.Digits)
+	if maxSig := int(r.MaxSignificantDigits); maxSig > 0 {
+		p = maxSig
+	}
+	if maxFrac := int(r.MaxFractionDigits); maxFrac >= 0 && numInt+maxFrac < p {
+		p = numInt + maxFrac
+	}
+	n.round(r.Mode, p)
+
+	n.Comma = uint8(numInt)
+	n.End = int32(len(n.Digits))
+	if minSig := int32(r.MinFractionDigits) + int32(numInt); n.End < minSig {
+		n.End = minSig
+	}
+	return n
+}
+
+// appendScientific appends a formatted number to dst. It returns two possible
+// insertion points for padding.
+func appendScientific(dst []byte, f *Formatter, n *Digits) (b []byte, postPre, preSuf int) {
+	if dst, ok := f.renderSpecial(dst, n); ok {
+		return dst, 0, 0
+	}
+	digits := n.Digits
+	numInt := int(n.Comma)
+	numFrac := int(n.End) - int(n.Comma)
+
+	var intDigits, fracDigits []byte
+	if numInt <= len(digits) {
+		intDigits = digits[:numInt]
+		fracDigits = digits[numInt:]
+	} else {
+		intDigits = digits
+	}
+	neg := n.Neg
+	affix, suffix := f.getAffixes(neg)
+	dst = appendAffix(dst, f, affix, neg)
+	savedLen := len(dst)
+
+	i := 0
+	for ; i < len(intDigits); i++ {
+		dst = f.AppendDigit(dst, intDigits[i])
+		if f.needsSep(numInt - i) {
+			dst = append(dst, f.Symbol(SymGroup)...)
+		}
+	}
+	for ; i < numInt; i++ {
+		dst = f.AppendDigit(dst, 0)
+		if f.needsSep(numInt - i) {
+			dst = append(dst, f.Symbol(SymGroup)...)
+		}
+	}
+
+	if numFrac > 0 || f.Flags&AlwaysDecimalSeparator != 0 {
+		dst = append(dst, f.Symbol(SymDecimal)...)
+	}
+	i = 0
+	for ; i < len(fracDigits); i++ {
+		dst = f.AppendDigit(dst, fracDigits[i])
+	}
+	for ; i < numFrac; i++ {
+		dst = f.AppendDigit(dst, 0)
+	}
+
+	// exp
+	buf := [12]byte{}
+	// TODO: use exponential if superscripting is not available (no Latin
+	// numbers or no tags) and use exponential in all other cases.
+	exp := n.Exp - int32(n.Comma)
+	exponential := f.Symbol(SymExponential)
+	if exponential == "E" {
+		dst = append(dst, f.Symbol(SymSuperscriptingExponent)...)
+		dst = f.AppendDigit(dst, 1)
+		dst = f.AppendDigit(dst, 0)
+		switch {
+		case exp < 0:
+			dst = append(dst, superMinus...)
+			exp = -exp
+		case f.Flags&AlwaysExpSign != 0:
+			dst = append(dst, superPlus...)
+		}
+		b = strconv.AppendUint(buf[:0], uint64(exp), 10)
+		for i := len(b); i < int(f.MinExponentDigits); i++ {
+			dst = append(dst, superDigits[0]...)
+		}
+		for _, c := range b {
+			dst = append(dst, superDigits[c-'0']...)
+		}
+	} else {
+		dst = append(dst, exponential...)
+		switch {
+		case exp < 0:
+			dst = append(dst, f.Symbol(SymMinusSign)...)
+			exp = -exp
+		case f.Flags&AlwaysExpSign != 0:
+			dst = append(dst, f.Symbol(SymPlusSign)...)
+		}
+		b = strconv.AppendUint(buf[:0], uint64(exp), 10)
+		for i := len(b); i < int(f.MinExponentDigits); i++ {
+			dst = f.AppendDigit(dst, 0)
+		}
+		for _, c := range b {
+			dst = f.AppendDigit(dst, c-'0')
+		}
+	}
+	return appendAffix(dst, f, suffix, neg), savedLen, len(dst)
+}
+
+const (
+	superMinus = "\u207B" // SUPERSCRIPT HYPHEN-MINUS
+	superPlus  = "\u207A" // SUPERSCRIPT PLUS SIGN
+)
+
+var (
+	// Note: the digits are not sequential!!!
+	superDigits = []string{
+		"\u2070", // SUPERSCRIPT DIGIT ZERO
+		"\u00B9", // SUPERSCRIPT DIGIT ONE
+		"\u00B2", // SUPERSCRIPT DIGIT TWO
+		"\u00B3", // SUPERSCRIPT DIGIT THREE
+		"\u2074", // SUPERSCRIPT DIGIT FOUR
+		"\u2075", // SUPERSCRIPT DIGIT FIVE
+		"\u2076", // SUPERSCRIPT DIGIT SIX
+		"\u2077", // SUPERSCRIPT DIGIT SEVEN
+		"\u2078", // SUPERSCRIPT DIGIT EIGHT
+		"\u2079", // SUPERSCRIPT DIGIT NINE
+	}
+)
+
+func (f *Formatter) getAffixes(neg bool) (affix, suffix string) {
+	str := f.Affix
+	if str != "" {
+		if f.NegOffset > 0 {
+			if neg {
+				str = str[f.NegOffset:]
+			} else {
+				str = str[:f.NegOffset]
+			}
+		}
+		sufStart := 1 + str[0]
+		affix = str[1:sufStart]
+		suffix = str[sufStart+1:]
+	}
+	// TODO: introduce a NeedNeg sign to indicate if the left pattern already
+	// has a sign marked?
+	if f.NegOffset == 0 && (neg || f.Flags&AlwaysSign != 0) {
+		affix = "-" + affix
+	}
+	return affix, suffix
+}
+
+func (f *Formatter) renderSpecial(dst []byte, d *Digits) (b []byte, ok bool) {
+	if d.NaN {
+		return fmtNaN(dst, f), true
+	}
+	if d.Inf {
+		return fmtInfinite(dst, f, d), true
+	}
+	return dst, false
+}
+
+func fmtNaN(dst []byte, f *Formatter) []byte {
+	return append(dst, f.Symbol(SymNan)...)
+}
+
+func fmtInfinite(dst []byte, f *Formatter, d *Digits) []byte {
+	affix, suffix := f.getAffixes(d.Neg)
+	dst = appendAffix(dst, f, affix, d.Neg)
+	dst = append(dst, f.Symbol(SymInfinity)...)
+	dst = appendAffix(dst, f, suffix, d.Neg)
+	return dst
+}
+
+func appendAffix(dst []byte, f *Formatter, affix string, neg bool) []byte {
+	quoting := false
+	escaping := false
+	for _, r := range affix {
+		switch {
+		case escaping:
+			// escaping occurs both inside and outside of quotes
+			dst = append(dst, string(r)...)
+			escaping = false
+		case r == '\\':
+			escaping = true
+		case r == '\'':
+			quoting = !quoting
+		case quoting:
+			dst = append(dst, string(r)...)
+		case r == '%':
+			if f.DigitShift == 3 {
+				dst = append(dst, f.Symbol(SymPerMille)...)
+			} else {
+				dst = append(dst, f.Symbol(SymPercentSign)...)
+			}
+		case r == '-' || r == '+':
+			if neg {
+				dst = append(dst, f.Symbol(SymMinusSign)...)
+			} else if f.Flags&ElideSign == 0 {
+				dst = append(dst, f.Symbol(SymPlusSign)...)
+			} else {
+				dst = append(dst, ' ')
+			}
+		default:
+			dst = append(dst, string(r)...)
+		}
+	}
+	return dst
+}
diff --git a/vendor/golang.org/x/text/internal/number/number.go b/vendor/golang.org/x/text/internal/number/number.go
new file mode 100644
index 0000000000..e1d933c3f7
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/number/number.go
@@ -0,0 +1,152 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:generate go run gen.go gen_common.go
+
+// Package number contains tools and data for formatting numbers.
+package number
+
+import (
+	"unicode/utf8"
+
+	"golang.org/x/text/internal/language/compact"
+	"golang.org/x/text/language"
+)
+
+// Info holds number formatting configuration data.
+type Info struct {
+	system   systemData // numbering system information
+	symIndex symOffset  // index to symbols
+}
+
+// InfoFromLangID returns a Info for the given compact language identifier and
+// numbering system identifier. If system is the empty string, the default
+// numbering system will be taken for that language.
+func InfoFromLangID(compactIndex compact.ID, numberSystem string) Info {
+	p := langToDefaults[compactIndex]
+	// Lookup the entry for the language.
+	pSymIndex := symOffset(0) // Default: Latin, default symbols
+	system, ok := systemMap[numberSystem]
+	if !ok {
+		// Take the value for the default numbering system. This is by far the
+		// most common case as an alternative numbering system is hardly used.
+		if p&hasNonLatnMask == 0 { // Latn digits.
+			pSymIndex = p
+		} else { // Non-Latn or multiple numbering systems.
+			// Take the first entry from the alternatives list.
+			data := langToAlt[p&^hasNonLatnMask]
+			pSymIndex = data.symIndex
+			system = data.system
+		}
+	} else {
+		langIndex := compactIndex
+		ns := system
+	outerLoop:
+		for ; ; p = langToDefaults[langIndex] {
+			if p&hasNonLatnMask == 0 {
+				if ns == 0 {
+					// The index directly points to the symbol data.
+					pSymIndex = p
+					break
+				}
+				// Move to the parent and retry.
+				langIndex = langIndex.Parent()
+			} else {
+				// The index points to a list of symbol data indexes.
+				for _, e := range langToAlt[p&^hasNonLatnMask:] {
+					if e.compactTag != langIndex {
+						if langIndex == 0 {
+							// The CLDR root defines full symbol information for
+							// all numbering systems (even though mostly by
+							// means of aliases). Fall back to the default entry
+							// for Latn if there is no data for the numbering
+							// system of this language.
+							if ns == 0 {
+								break
+							}
+							// Fall back to Latin and start from the original
+							// language. See
+							// https://unicode.org/reports/tr35/#Locale_Inheritance.
+							ns = numLatn
+							langIndex = compactIndex
+							continue outerLoop
+						}
+						// Fall back to parent.
+						langIndex = langIndex.Parent()
+					} else if e.system == ns {
+						pSymIndex = e.symIndex
+						break outerLoop
+					}
+				}
+			}
+		}
+	}
+	if int(system) >= len(numSysData) { // algorithmic
+		// Will generate ASCII digits in case the user inadvertently calls
+		// WriteDigit or Digit on it.
+		d := numSysData[0]
+		d.id = system
+		return Info{
+			system:   d,
+			symIndex: pSymIndex,
+		}
+	}
+	return Info{
+		system:   numSysData[system],
+		symIndex: pSymIndex,
+	}
+}
+
+// InfoFromTag returns a Info for the given language tag.
+func InfoFromTag(t language.Tag) Info {
+	return InfoFromLangID(tagToID(t), t.TypeForKey("nu"))
+}
+
+// IsDecimal reports if the numbering system can convert decimal to native
+// symbols one-to-one.
+func (n Info) IsDecimal() bool {
+	return int(n.system.id) < len(numSysData)
+}
+
+// WriteDigit writes the UTF-8 sequence for n corresponding to the given ASCII
+// digit to dst and reports the number of bytes written. dst must be large
+// enough to hold the rune (can be up to utf8.UTFMax bytes).
+func (n Info) WriteDigit(dst []byte, asciiDigit rune) int {
+	copy(dst, n.system.zero[:n.system.digitSize])
+	dst[n.system.digitSize-1] += byte(asciiDigit - '0')
+	return int(n.system.digitSize)
+}
+
+// AppendDigit appends the UTF-8 sequence for n corresponding to the given digit
+// to dst and reports the number of bytes written. dst must be large enough to
+// hold the rune (can be up to utf8.UTFMax bytes).
+func (n Info) AppendDigit(dst []byte, digit byte) []byte {
+	dst = append(dst, n.system.zero[:n.system.digitSize]...)
+	dst[len(dst)-1] += digit
+	return dst
+}
+
+// Digit returns the digit for the numbering system for the corresponding ASCII
+// value. For example, ni.Digit('3') could return '三'. Note that the argument
+// is the rune constant '3', which equals 51, not the integer constant 3.
+func (n Info) Digit(asciiDigit rune) rune {
+	var x [utf8.UTFMax]byte
+	n.WriteDigit(x[:], asciiDigit)
+	r, _ := utf8.DecodeRune(x[:])
+	return r
+}
+
+// Symbol returns the string for the given symbol type.
+func (n Info) Symbol(t SymbolType) string {
+	return symData.Elem(int(symIndex[n.symIndex][t]))
+}
+
+func formatForLang(t language.Tag, index []byte) *Pattern {
+	return &formats[index[tagToID(t)]]
+}
+
+func tagToID(t language.Tag) compact.ID {
+	id, _ := compact.RegionalID(compact.Tag(t))
+	return id
+}
diff --git a/vendor/golang.org/x/text/internal/number/pattern.go b/vendor/golang.org/x/text/internal/number/pattern.go
new file mode 100644
index 0000000000..06e59559a9
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/number/pattern.go
@@ -0,0 +1,485 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package number
+
+import (
+	"errors"
+	"unicode/utf8"
+)
+
+// This file contains a parser for the CLDR number patterns as described in
+// https://unicode.org/reports/tr35/tr35-numbers.html#Number_Format_Patterns.
+//
+// The following BNF is derived from this standard.
+//
+// pattern    := subpattern (';' subpattern)?
+// subpattern := affix? number exponent? affix?
+// number     := decimal | sigDigits
+// decimal    := '#'* '0'* ('.' fraction)? | '#' | '0'
+// fraction   := '0'* '#'*
+// sigDigits  := '#'* '@' '@'* '#'*
+// exponent   := 'E' '+'? '0'* '0'
+// padSpec    := '*' \L
+//
+// Notes:
+// - An affix pattern may contain any runes, but runes with special meaning
+//   should be escaped.
+// - Sequences of digits, '#', and '@' in decimal and sigDigits may have
+//   interstitial commas.
+
+// TODO: replace special characters in affixes (-, +, ¤) with control codes.
+
+// Pattern holds information for formatting numbers. It is designed to hold
+// information from CLDR number patterns.
+//
+// This pattern is precompiled  for all patterns for all languages. Even though
+// the number of patterns is not very large, we want to keep this small.
+//
+// This type is only intended for internal use.
+type Pattern struct {
+	RoundingContext
+
+	Affix       string // includes prefix and suffix. First byte is prefix length.
+	Offset      uint16 // Offset into Affix for prefix and suffix
+	NegOffset   uint16 // Offset into Affix for negative prefix and suffix or 0.
+	PadRune     rune
+	FormatWidth uint16
+
+	GroupingSize [2]uint8
+	Flags        PatternFlag
+}
+
+// A RoundingContext indicates how a number should be converted to digits.
+// It contains all information needed to determine the "visible digits" as
+// required by the pluralization rules.
+type RoundingContext struct {
+	// TODO: unify these two fields so that there is a more unambiguous meaning
+	// of how precision is handled.
+	MaxSignificantDigits int16 // -1 is unlimited
+	MaxFractionDigits    int16 // -1 is unlimited
+
+	Increment      uint32
+	IncrementScale uint8 // May differ from printed scale.
+
+	Mode RoundingMode
+
+	DigitShift uint8 // Number of decimals to shift. Used for % and ‰.
+
+	// Number of digits.
+	MinIntegerDigits uint8
+
+	MaxIntegerDigits     uint8
+	MinFractionDigits    uint8
+	MinSignificantDigits uint8
+
+	MinExponentDigits uint8
+}
+
+// RoundSignificantDigits returns the number of significant digits an
+// implementation of Convert may round to or n < 0 if there is no maximum or
+// a maximum is not recommended.
+func (r *RoundingContext) RoundSignificantDigits() (n int) {
+	if r.MaxFractionDigits == 0 && r.MaxSignificantDigits > 0 {
+		return int(r.MaxSignificantDigits)
+	} else if r.isScientific() && r.MaxIntegerDigits == 1 {
+		if r.MaxSignificantDigits == 0 ||
+			int(r.MaxFractionDigits+1) == int(r.MaxSignificantDigits) {
+			// Note: don't add DigitShift: it is only used for decimals.
+			return int(r.MaxFractionDigits) + 1
+		}
+	}
+	return -1
+}
+
+// RoundFractionDigits returns the number of fraction digits an implementation
+// of Convert may round to or n < 0 if there is no maximum or a maximum is not
+// recommended.
+func (r *RoundingContext) RoundFractionDigits() (n int) {
+	if r.MinExponentDigits == 0 &&
+		r.MaxSignificantDigits == 0 &&
+		r.MaxFractionDigits >= 0 {
+		return int(r.MaxFractionDigits) + int(r.DigitShift)
+	}
+	return -1
+}
+
+// SetScale fixes the RoundingContext to a fixed number of fraction digits.
+func (r *RoundingContext) SetScale(scale int) {
+	r.MinFractionDigits = uint8(scale)
+	r.MaxFractionDigits = int16(scale)
+}
+
+func (r *RoundingContext) SetPrecision(prec int) {
+	r.MaxSignificantDigits = int16(prec)
+}
+
+func (r *RoundingContext) isScientific() bool {
+	return r.MinExponentDigits > 0
+}
+
+func (f *Pattern) needsSep(pos int) bool {
+	p := pos - 1
+	size := int(f.GroupingSize[0])
+	if size == 0 || p == 0 {
+		return false
+	}
+	if p == size {
+		return true
+	}
+	if p -= size; p < 0 {
+		return false
+	}
+	// TODO: make second groupingsize the same as first if 0 so that we can
+	// avoid this check.
+	if x := int(f.GroupingSize[1]); x != 0 {
+		size = x
+	}
+	return p%size == 0
+}
+
+// A PatternFlag is a bit mask for the flag field of a Pattern.
+type PatternFlag uint8
+
+const (
+	AlwaysSign PatternFlag = 1 << iota
+	ElideSign              // Use space instead of plus sign. AlwaysSign must be true.
+	AlwaysExpSign
+	AlwaysDecimalSeparator
+	ParenthesisForNegative // Common pattern. Saves space.
+
+	PadAfterNumber
+	PadAfterAffix
+
+	PadBeforePrefix = 0 // Default
+	PadAfterPrefix  = PadAfterAffix
+	PadBeforeSuffix = PadAfterNumber
+	PadAfterSuffix  = PadAfterNumber | PadAfterAffix
+	PadMask         = PadAfterNumber | PadAfterAffix
+)
+
+type parser struct {
+	*Pattern
+
+	leadingSharps int
+
+	pos            int
+	err            error
+	doNotTerminate bool
+	groupingCount  uint
+	hasGroup       bool
+	buf            []byte
+}
+
+func (p *parser) setError(err error) {
+	if p.err == nil {
+		p.err = err
+	}
+}
+
+func (p *parser) updateGrouping() {
+	if p.hasGroup &&
+		0 < p.groupingCount && p.groupingCount < 255 {
+		p.GroupingSize[1] = p.GroupingSize[0]
+		p.GroupingSize[0] = uint8(p.groupingCount)
+	}
+	p.groupingCount = 0
+	p.hasGroup = true
+}
+
+var (
+	// TODO: more sensible and localizeable error messages.
+	errMultiplePadSpecifiers = errors.New("format: pattern has multiple pad specifiers")
+	errInvalidPadSpecifier   = errors.New("format: invalid pad specifier")
+	errInvalidQuote          = errors.New("format: invalid quote")
+	errAffixTooLarge         = errors.New("format: prefix or suffix exceeds maximum UTF-8 length of 256 bytes")
+	errDuplicatePercentSign  = errors.New("format: duplicate percent sign")
+	errDuplicatePermilleSign = errors.New("format: duplicate permille sign")
+	errUnexpectedEnd         = errors.New("format: unexpected end of pattern")
+)
+
+// ParsePattern extracts formatting information from a CLDR number pattern.
+//
+// See https://unicode.org/reports/tr35/tr35-numbers.html#Number_Format_Patterns.
+func ParsePattern(s string) (f *Pattern, err error) {
+	p := parser{Pattern: &Pattern{}}
+
+	s = p.parseSubPattern(s)
+
+	if s != "" {
+		// Parse negative sub pattern.
+		if s[0] != ';' {
+			p.setError(errors.New("format: error parsing first sub pattern"))
+			return nil, p.err
+		}
+		neg := parser{Pattern: &Pattern{}} // just for extracting the affixes.
+		s = neg.parseSubPattern(s[len(";"):])
+		p.NegOffset = uint16(len(p.buf))
+		p.buf = append(p.buf, neg.buf...)
+	}
+	if s != "" {
+		p.setError(errors.New("format: spurious characters at end of pattern"))
+	}
+	if p.err != nil {
+		return nil, p.err
+	}
+	if affix := string(p.buf); affix == "\x00\x00" || affix == "\x00\x00\x00\x00" {
+		// No prefix or suffixes.
+		p.NegOffset = 0
+	} else {
+		p.Affix = affix
+	}
+	if p.Increment == 0 {
+		p.IncrementScale = 0
+	}
+	return p.Pattern, nil
+}
+
+func (p *parser) parseSubPattern(s string) string {
+	s = p.parsePad(s, PadBeforePrefix)
+	s = p.parseAffix(s)
+	s = p.parsePad(s, PadAfterPrefix)
+
+	s = p.parse(p.number, s)
+	p.updateGrouping()
+
+	s = p.parsePad(s, PadBeforeSuffix)
+	s = p.parseAffix(s)
+	s = p.parsePad(s, PadAfterSuffix)
+	return s
+}
+
+func (p *parser) parsePad(s string, f PatternFlag) (tail string) {
+	if len(s) >= 2 && s[0] == '*' {
+		r, sz := utf8.DecodeRuneInString(s[1:])
+		if p.PadRune != 0 {
+			p.err = errMultiplePadSpecifiers
+		} else {
+			p.Flags |= f
+			p.PadRune = r
+		}
+		return s[1+sz:]
+	}
+	return s
+}
+
+func (p *parser) parseAffix(s string) string {
+	x := len(p.buf)
+	p.buf = append(p.buf, 0) // placeholder for affix length
+
+	s = p.parse(p.affix, s)
+
+	n := len(p.buf) - x - 1
+	if n > 0xFF {
+		p.setError(errAffixTooLarge)
+	}
+	p.buf[x] = uint8(n)
+	return s
+}
+
+// state implements a state transition. It returns the new state. A state
+// function may set an error on the parser or may simply return on an incorrect
+// token and let the next phase fail.
+type state func(r rune) state
+
+// parse repeatedly applies a state function on the given string until a
+// termination condition is reached.
+func (p *parser) parse(fn state, s string) (tail string) {
+	for i, r := range s {
+		p.doNotTerminate = false
+		if fn = fn(r); fn == nil || p.err != nil {
+			return s[i:]
+		}
+		p.FormatWidth++
+	}
+	if p.doNotTerminate {
+		p.setError(errUnexpectedEnd)
+	}
+	return ""
+}
+
+func (p *parser) affix(r rune) state {
+	switch r {
+	case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
+		'#', '@', '.', '*', ',', ';':
+		return nil
+	case '\'':
+		p.FormatWidth--
+		return p.escapeFirst
+	case '%':
+		if p.DigitShift != 0 {
+			p.setError(errDuplicatePercentSign)
+		}
+		p.DigitShift = 2
+	case '\u2030': // ‰ Per mille
+		if p.DigitShift != 0 {
+			p.setError(errDuplicatePermilleSign)
+		}
+		p.DigitShift = 3
+		// TODO: handle currency somehow: ¤, ¤¤, ¤¤¤, ¤¤¤¤
+	}
+	p.buf = append(p.buf, string(r)...)
+	return p.affix
+}
+
+func (p *parser) escapeFirst(r rune) state {
+	switch r {
+	case '\'':
+		p.buf = append(p.buf, "\\'"...)
+		return p.affix
+	default:
+		p.buf = append(p.buf, '\'')
+		p.buf = append(p.buf, string(r)...)
+	}
+	return p.escape
+}
+
+func (p *parser) escape(r rune) state {
+	switch r {
+	case '\'':
+		p.FormatWidth--
+		p.buf = append(p.buf, '\'')
+		return p.affix
+	default:
+		p.buf = append(p.buf, string(r)...)
+	}
+	return p.escape
+}
+
+// number parses a number. The BNF says the integer part should always have
+// a '0', but that does not appear to be the case according to the rest of the
+// documentation. We will allow having only '#' numbers.
+func (p *parser) number(r rune) state {
+	switch r {
+	case '#':
+		p.groupingCount++
+		p.leadingSharps++
+	case '@':
+		p.groupingCount++
+		p.leadingSharps = 0
+		p.MaxFractionDigits = -1
+		return p.sigDigits(r)
+	case ',':
+		if p.leadingSharps == 0 { // no leading commas
+			return nil
+		}
+		p.updateGrouping()
+	case 'E':
+		p.MaxIntegerDigits = uint8(p.leadingSharps)
+		return p.exponent
+	case '.': // allow ".##" etc.
+		p.updateGrouping()
+		return p.fraction
+	case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9':
+		return p.integer(r)
+	default:
+		return nil
+	}
+	return p.number
+}
+
+func (p *parser) integer(r rune) state {
+	if !('0' <= r && r <= '9') {
+		var next state
+		switch r {
+		case 'E':
+			if p.leadingSharps > 0 {
+				p.MaxIntegerDigits = uint8(p.leadingSharps) + p.MinIntegerDigits
+			}
+			next = p.exponent
+		case '.':
+			next = p.fraction
+		case ',':
+			next = p.integer
+		}
+		p.updateGrouping()
+		return next
+	}
+	p.Increment = p.Increment*10 + uint32(r-'0')
+	p.groupingCount++
+	p.MinIntegerDigits++
+	return p.integer
+}
+
+func (p *parser) sigDigits(r rune) state {
+	switch r {
+	case '@':
+		p.groupingCount++
+		p.MaxSignificantDigits++
+		p.MinSignificantDigits++
+	case '#':
+		return p.sigDigitsFinal(r)
+	case 'E':
+		p.updateGrouping()
+		return p.normalizeSigDigitsWithExponent()
+	default:
+		p.updateGrouping()
+		return nil
+	}
+	return p.sigDigits
+}
+
+func (p *parser) sigDigitsFinal(r rune) state {
+	switch r {
+	case '#':
+		p.groupingCount++
+		p.MaxSignificantDigits++
+	case 'E':
+		p.updateGrouping()
+		return p.normalizeSigDigitsWithExponent()
+	default:
+		p.updateGrouping()
+		return nil
+	}
+	return p.sigDigitsFinal
+}
+
+func (p *parser) normalizeSigDigitsWithExponent() state {
+	p.MinIntegerDigits, p.MaxIntegerDigits = 1, 1
+	p.MinFractionDigits = p.MinSignificantDigits - 1
+	p.MaxFractionDigits = p.MaxSignificantDigits - 1
+	p.MinSignificantDigits, p.MaxSignificantDigits = 0, 0
+	return p.exponent
+}
+
+func (p *parser) fraction(r rune) state {
+	switch r {
+	case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9':
+		p.Increment = p.Increment*10 + uint32(r-'0')
+		p.IncrementScale++
+		p.MinFractionDigits++
+		p.MaxFractionDigits++
+	case '#':
+		p.MaxFractionDigits++
+	case 'E':
+		if p.leadingSharps > 0 {
+			p.MaxIntegerDigits = uint8(p.leadingSharps) + p.MinIntegerDigits
+		}
+		return p.exponent
+	default:
+		return nil
+	}
+	return p.fraction
+}
+
+func (p *parser) exponent(r rune) state {
+	switch r {
+	case '+':
+		// Set mode and check it wasn't already set.
+		if p.Flags&AlwaysExpSign != 0 || p.MinExponentDigits > 0 {
+			break
+		}
+		p.Flags |= AlwaysExpSign
+		p.doNotTerminate = true
+		return p.exponent
+	case '0':
+		p.MinExponentDigits++
+		return p.exponent
+	}
+	// termination condition
+	if p.MinExponentDigits == 0 {
+		p.setError(errors.New("format: need at least one digit"))
+	}
+	return nil
+}
diff --git a/vendor/golang.org/x/text/internal/number/roundingmode_string.go b/vendor/golang.org/x/text/internal/number/roundingmode_string.go
new file mode 100644
index 0000000000..bcc22471db
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/number/roundingmode_string.go
@@ -0,0 +1,30 @@
+// Code generated by "stringer -type RoundingMode"; DO NOT EDIT.
+
+package number
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[ToNearestEven-0]
+	_ = x[ToNearestZero-1]
+	_ = x[ToNearestAway-2]
+	_ = x[ToPositiveInf-3]
+	_ = x[ToNegativeInf-4]
+	_ = x[ToZero-5]
+	_ = x[AwayFromZero-6]
+	_ = x[numModes-7]
+}
+
+const _RoundingMode_name = "ToNearestEvenToNearestZeroToNearestAwayToPositiveInfToNegativeInfToZeroAwayFromZeronumModes"
+
+var _RoundingMode_index = [...]uint8{0, 13, 26, 39, 52, 65, 71, 83, 91}
+
+func (i RoundingMode) String() string {
+	if i >= RoundingMode(len(_RoundingMode_index)-1) {
+		return "RoundingMode(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _RoundingMode_name[_RoundingMode_index[i]:_RoundingMode_index[i+1]]
+}
diff --git a/vendor/golang.org/x/text/internal/number/tables.go b/vendor/golang.org/x/text/internal/number/tables.go
new file mode 100644
index 0000000000..8efce81b56
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/number/tables.go
@@ -0,0 +1,1219 @@
+// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
+
+package number
+
+import "golang.org/x/text/internal/stringset"
+
+// CLDRVersion is the CLDR version from which the tables in this package are derived.
+const CLDRVersion = "32"
+
+var numSysData = []systemData{ // 59 elements
+	0:  {id: 0x0, digitSize: 0x1, zero: [4]uint8{0x30, 0x0, 0x0, 0x0}},
+	1:  {id: 0x1, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9e, 0xa5, 0x90}},
+	2:  {id: 0x2, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x9c, 0xb0}},
+	3:  {id: 0x3, digitSize: 0x2, zero: [4]uint8{0xd9, 0xa0, 0x0, 0x0}},
+	4:  {id: 0x4, digitSize: 0x2, zero: [4]uint8{0xdb, 0xb0, 0x0, 0x0}},
+	5:  {id: 0x5, digitSize: 0x3, zero: [4]uint8{0xe1, 0xad, 0x90, 0x0}},
+	6:  {id: 0x6, digitSize: 0x3, zero: [4]uint8{0xe0, 0xa7, 0xa6, 0x0}},
+	7:  {id: 0x7, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0xb1, 0x90}},
+	8:  {id: 0x8, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x81, 0xa6}},
+	9:  {id: 0x9, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x84, 0xb6}},
+	10: {id: 0xa, digitSize: 0x3, zero: [4]uint8{0xea, 0xa9, 0x90, 0x0}},
+	11: {id: 0xb, digitSize: 0x3, zero: [4]uint8{0xe0, 0xa5, 0xa6, 0x0}},
+	12: {id: 0xc, digitSize: 0x3, zero: [4]uint8{0xef, 0xbc, 0x90, 0x0}},
+	13: {id: 0xd, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0xb5, 0x90}},
+	14: {id: 0xe, digitSize: 0x3, zero: [4]uint8{0xe0, 0xab, 0xa6, 0x0}},
+	15: {id: 0xf, digitSize: 0x3, zero: [4]uint8{0xe0, 0xa9, 0xa6, 0x0}},
+	16: {id: 0x10, digitSize: 0x4, zero: [4]uint8{0xf0, 0x96, 0xad, 0x90}},
+	17: {id: 0x11, digitSize: 0x3, zero: [4]uint8{0xea, 0xa7, 0x90, 0x0}},
+	18: {id: 0x12, digitSize: 0x3, zero: [4]uint8{0xea, 0xa4, 0x80, 0x0}},
+	19: {id: 0x13, digitSize: 0x3, zero: [4]uint8{0xe1, 0x9f, 0xa0, 0x0}},
+	20: {id: 0x14, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb3, 0xa6, 0x0}},
+	21: {id: 0x15, digitSize: 0x3, zero: [4]uint8{0xe1, 0xaa, 0x80, 0x0}},
+	22: {id: 0x16, digitSize: 0x3, zero: [4]uint8{0xe1, 0xaa, 0x90, 0x0}},
+	23: {id: 0x17, digitSize: 0x3, zero: [4]uint8{0xe0, 0xbb, 0x90, 0x0}},
+	24: {id: 0x18, digitSize: 0x3, zero: [4]uint8{0xe1, 0xb1, 0x80, 0x0}},
+	25: {id: 0x19, digitSize: 0x3, zero: [4]uint8{0xe1, 0xa5, 0x86, 0x0}},
+	26: {id: 0x1a, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0x8e}},
+	27: {id: 0x1b, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0x98}},
+	28: {id: 0x1c, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0xb6}},
+	29: {id: 0x1d, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0xac}},
+	30: {id: 0x1e, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0xa2}},
+	31: {id: 0x1f, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb5, 0xa6, 0x0}},
+	32: {id: 0x20, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x99, 0x90}},
+	33: {id: 0x21, digitSize: 0x3, zero: [4]uint8{0xe1, 0xa0, 0x90, 0x0}},
+	34: {id: 0x22, digitSize: 0x4, zero: [4]uint8{0xf0, 0x96, 0xa9, 0xa0}},
+	35: {id: 0x23, digitSize: 0x3, zero: [4]uint8{0xea, 0xaf, 0xb0, 0x0}},
+	36: {id: 0x24, digitSize: 0x3, zero: [4]uint8{0xe1, 0x81, 0x80, 0x0}},
+	37: {id: 0x25, digitSize: 0x3, zero: [4]uint8{0xe1, 0x82, 0x90, 0x0}},
+	38: {id: 0x26, digitSize: 0x3, zero: [4]uint8{0xea, 0xa7, 0xb0, 0x0}},
+	39: {id: 0x27, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x91, 0x90}},
+	40: {id: 0x28, digitSize: 0x2, zero: [4]uint8{0xdf, 0x80, 0x0, 0x0}},
+	41: {id: 0x29, digitSize: 0x3, zero: [4]uint8{0xe1, 0xb1, 0x90, 0x0}},
+	42: {id: 0x2a, digitSize: 0x3, zero: [4]uint8{0xe0, 0xad, 0xa6, 0x0}},
+	43: {id: 0x2b, digitSize: 0x4, zero: [4]uint8{0xf0, 0x90, 0x92, 0xa0}},
+	44: {id: 0x2c, digitSize: 0x3, zero: [4]uint8{0xea, 0xa3, 0x90, 0x0}},
+	45: {id: 0x2d, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x87, 0x90}},
+	46: {id: 0x2e, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x8b, 0xb0}},
+	47: {id: 0x2f, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb7, 0xa6, 0x0}},
+	48: {id: 0x30, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x83, 0xb0}},
+	49: {id: 0x31, digitSize: 0x3, zero: [4]uint8{0xe1, 0xae, 0xb0, 0x0}},
+	50: {id: 0x32, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x9b, 0x80}},
+	51: {id: 0x33, digitSize: 0x3, zero: [4]uint8{0xe1, 0xa7, 0x90, 0x0}},
+	52: {id: 0x34, digitSize: 0x3, zero: [4]uint8{0xe0, 0xaf, 0xa6, 0x0}},
+	53: {id: 0x35, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb1, 0xa6, 0x0}},
+	54: {id: 0x36, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb9, 0x90, 0x0}},
+	55: {id: 0x37, digitSize: 0x3, zero: [4]uint8{0xe0, 0xbc, 0xa0, 0x0}},
+	56: {id: 0x38, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x93, 0x90}},
+	57: {id: 0x39, digitSize: 0x3, zero: [4]uint8{0xea, 0x98, 0xa0, 0x0}},
+	58: {id: 0x3a, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0xa3, 0xa0}},
+} // Size: 378 bytes
+
+const (
+	numAdlm     = 0x1
+	numAhom     = 0x2
+	numArab     = 0x3
+	numArabext  = 0x4
+	numArmn     = 0x3b
+	numArmnlow  = 0x3c
+	numBali     = 0x5
+	numBeng     = 0x6
+	numBhks     = 0x7
+	numBrah     = 0x8
+	numCakm     = 0x9
+	numCham     = 0xa
+	numCyrl     = 0x3d
+	numDeva     = 0xb
+	numEthi     = 0x3e
+	numFullwide = 0xc
+	numGeor     = 0x3f
+	numGonm     = 0xd
+	numGrek     = 0x40
+	numGreklow  = 0x41
+	numGujr     = 0xe
+	numGuru     = 0xf
+	numHanidays = 0x42
+	numHanidec  = 0x43
+	numHans     = 0x44
+	numHansfin  = 0x45
+	numHant     = 0x46
+	numHantfin  = 0x47
+	numHebr     = 0x48
+	numHmng     = 0x10
+	numJava     = 0x11
+	numJpan     = 0x49
+	numJpanfin  = 0x4a
+	numKali     = 0x12
+	numKhmr     = 0x13
+	numKnda     = 0x14
+	numLana     = 0x15
+	numLanatham = 0x16
+	numLaoo     = 0x17
+	numLatn     = 0x0
+	numLepc     = 0x18
+	numLimb     = 0x19
+	numMathbold = 0x1a
+	numMathdbl  = 0x1b
+	numMathmono = 0x1c
+	numMathsanb = 0x1d
+	numMathsans = 0x1e
+	numMlym     = 0x1f
+	numModi     = 0x20
+	numMong     = 0x21
+	numMroo     = 0x22
+	numMtei     = 0x23
+	numMymr     = 0x24
+	numMymrshan = 0x25
+	numMymrtlng = 0x26
+	numNewa     = 0x27
+	numNkoo     = 0x28
+	numOlck     = 0x29
+	numOrya     = 0x2a
+	numOsma     = 0x2b
+	numRoman    = 0x4b
+	numRomanlow = 0x4c
+	numSaur     = 0x2c
+	numShrd     = 0x2d
+	numSind     = 0x2e
+	numSinh     = 0x2f
+	numSora     = 0x30
+	numSund     = 0x31
+	numTakr     = 0x32
+	numTalu     = 0x33
+	numTaml     = 0x4d
+	numTamldec  = 0x34
+	numTelu     = 0x35
+	numThai     = 0x36
+	numTibt     = 0x37
+	numTirh     = 0x38
+	numVaii     = 0x39
+	numWara     = 0x3a
+	numNumberSystems
+)
+
+var systemMap = map[string]system{
+	"adlm":     numAdlm,
+	"ahom":     numAhom,
+	"arab":     numArab,
+	"arabext":  numArabext,
+	"armn":     numArmn,
+	"armnlow":  numArmnlow,
+	"bali":     numBali,
+	"beng":     numBeng,
+	"bhks":     numBhks,
+	"brah":     numBrah,
+	"cakm":     numCakm,
+	"cham":     numCham,
+	"cyrl":     numCyrl,
+	"deva":     numDeva,
+	"ethi":     numEthi,
+	"fullwide": numFullwide,
+	"geor":     numGeor,
+	"gonm":     numGonm,
+	"grek":     numGrek,
+	"greklow":  numGreklow,
+	"gujr":     numGujr,
+	"guru":     numGuru,
+	"hanidays": numHanidays,
+	"hanidec":  numHanidec,
+	"hans":     numHans,
+	"hansfin":  numHansfin,
+	"hant":     numHant,
+	"hantfin":  numHantfin,
+	"hebr":     numHebr,
+	"hmng":     numHmng,
+	"java":     numJava,
+	"jpan":     numJpan,
+	"jpanfin":  numJpanfin,
+	"kali":     numKali,
+	"khmr":     numKhmr,
+	"knda":     numKnda,
+	"lana":     numLana,
+	"lanatham": numLanatham,
+	"laoo":     numLaoo,
+	"latn":     numLatn,
+	"lepc":     numLepc,
+	"limb":     numLimb,
+	"mathbold": numMathbold,
+	"mathdbl":  numMathdbl,
+	"mathmono": numMathmono,
+	"mathsanb": numMathsanb,
+	"mathsans": numMathsans,
+	"mlym":     numMlym,
+	"modi":     numModi,
+	"mong":     numMong,
+	"mroo":     numMroo,
+	"mtei":     numMtei,
+	"mymr":     numMymr,
+	"mymrshan": numMymrshan,
+	"mymrtlng": numMymrtlng,
+	"newa":     numNewa,
+	"nkoo":     numNkoo,
+	"olck":     numOlck,
+	"orya":     numOrya,
+	"osma":     numOsma,
+	"roman":    numRoman,
+	"romanlow": numRomanlow,
+	"saur":     numSaur,
+	"shrd":     numShrd,
+	"sind":     numSind,
+	"sinh":     numSinh,
+	"sora":     numSora,
+	"sund":     numSund,
+	"takr":     numTakr,
+	"talu":     numTalu,
+	"taml":     numTaml,
+	"tamldec":  numTamldec,
+	"telu":     numTelu,
+	"thai":     numThai,
+	"tibt":     numTibt,
+	"tirh":     numTirh,
+	"vaii":     numVaii,
+	"wara":     numWara,
+}
+
+var symIndex = [][12]uint8{ // 81 elements
+	0:  [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	1:  [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	2:  [12]uint8{0x0, 0x1, 0x2, 0xd, 0xe, 0xf, 0x6, 0x7, 0x8, 0x9, 0x10, 0xb},
+	3:  [12]uint8{0x1, 0x0, 0x2, 0xd, 0xe, 0xf, 0x6, 0x7, 0x8, 0x9, 0x10, 0xb},
+	4:  [12]uint8{0x0, 0x1, 0x2, 0x11, 0xe, 0xf, 0x6, 0x7, 0x8, 0x9, 0x10, 0xb},
+	5:  [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x12, 0xb},
+	6:  [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	7:  [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x13, 0xb},
+	8:  [12]uint8{0x0, 0x1, 0x2, 0x3, 0xe, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	9:  [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x0},
+	10: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x14, 0x8, 0x9, 0xa, 0xb},
+	11: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x14, 0x8, 0x9, 0xa, 0xb},
+	12: [12]uint8{0x0, 0x15, 0x2, 0x3, 0x4, 0x5, 0x6, 0x14, 0x8, 0x9, 0xa, 0xb},
+	13: [12]uint8{0x0, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	14: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x16, 0xb},
+	15: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x17, 0x7, 0x8, 0x9, 0xa, 0xb},
+	16: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x17, 0x7, 0x8, 0x9, 0xa, 0x0},
+	17: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x17, 0x7, 0x8, 0x9, 0xa, 0xb},
+	18: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x0},
+	19: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x18, 0x7, 0x8, 0x9, 0xa, 0xb},
+	20: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x19, 0x1a, 0xa, 0xb},
+	21: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	22: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x18, 0x7, 0x8, 0x9, 0xa, 0xb},
+	23: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x1b, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	24: [12]uint8{0x0, 0x1, 0x2, 0x3, 0xe, 0x1c, 0x6, 0x7, 0x8, 0x9, 0x1d, 0xb},
+	25: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x6, 0x7, 0x8, 0x9, 0x1e, 0x0},
+	26: [12]uint8{0x0, 0x15, 0x2, 0x3, 0x4, 0x1b, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	27: [12]uint8{0x0, 0x1, 0x2, 0x3, 0xe, 0xf, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	28: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x1f, 0xb},
+	29: [12]uint8{0x0, 0x15, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	30: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x20, 0xb},
+	31: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x21, 0x7, 0x8, 0x9, 0x22, 0xb},
+	32: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x23, 0xb},
+	33: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x1b, 0x18, 0x14, 0x8, 0x9, 0x24, 0xb},
+	34: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x18, 0x7, 0x8, 0x9, 0x24, 0xb},
+	35: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x25, 0xb},
+	36: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x26, 0xb},
+	37: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x27, 0xb},
+	38: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x28, 0xb},
+	39: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x29, 0xb},
+	40: [12]uint8{0x1, 0x0, 0x2, 0x3, 0xe, 0x1c, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	41: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2a, 0xb},
+	42: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2b, 0xb},
+	43: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x2c, 0x14, 0x8, 0x9, 0x24, 0xb},
+	44: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x0},
+	45: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x17, 0x7, 0x8, 0x9, 0xa, 0xb},
+	46: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x1b, 0x17, 0x7, 0x8, 0x9, 0xa, 0xb},
+	47: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2d, 0x0},
+	48: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2e, 0xb},
+	49: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2f, 0xb},
+	50: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x30, 0x7, 0x8, 0x9, 0xa, 0xb},
+	51: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x31, 0xb},
+	52: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x32, 0xb},
+	53: [12]uint8{0x1, 0x15, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb},
+	54: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x33, 0xb},
+	55: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x34, 0xb},
+	56: [12]uint8{0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb},
+	57: [12]uint8{0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x7, 0x3c, 0x9, 0x3d, 0xb},
+	58: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x3e, 0x3f, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb},
+	59: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x39, 0x3a, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb},
+	60: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x39, 0x40, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb},
+	61: [12]uint8{0x35, 0x36, 0x37, 0x41, 0x3e, 0x3f, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb},
+	62: [12]uint8{0x35, 0x36, 0x37, 0x38, 0x3e, 0x3f, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb},
+	63: [12]uint8{0x35, 0xc, 0x37, 0x38, 0x39, 0x42, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0x0},
+	64: [12]uint8{0x35, 0xc, 0x37, 0x38, 0x39, 0x42, 0x43, 0x7, 0x44, 0x9, 0x24, 0xb},
+	65: [12]uint8{0x35, 0x36, 0x37, 0x38, 0x39, 0x5, 0x3b, 0x7, 0x3c, 0x9, 0x33, 0xb},
+	66: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x45, 0x46, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x35},
+	67: [12]uint8{0x35, 0x36, 0x37, 0x11, 0xe, 0x1c, 0x43, 0x7, 0x3c, 0x9, 0x1d, 0xb},
+	68: [12]uint8{0x35, 0x36, 0x37, 0x11, 0xe, 0x1c, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x35},
+	69: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x45, 0x5, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x35},
+	70: [12]uint8{0x1, 0xc, 0x37, 0x11, 0x45, 0x47, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x0},
+	71: [12]uint8{0x35, 0x1, 0x37, 0x11, 0x4, 0x5, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x35},
+	72: [12]uint8{0x1, 0xc, 0x37, 0x11, 0x45, 0x47, 0x43, 0x7, 0x3c, 0x9, 0x24, 0xb},
+	73: [12]uint8{0x35, 0x36, 0x2, 0x3, 0x45, 0x46, 0x43, 0x7, 0x8, 0x9, 0xa, 0x35},
+	74: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x4, 0x5, 0x43, 0x7, 0x3c, 0x9, 0x31, 0x35},
+	75: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x4, 0x5, 0x43, 0x7, 0x3c, 0x9, 0x32, 0x35},
+	76: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x48, 0x46, 0x43, 0x7, 0x3c, 0x9, 0x33, 0x35},
+	77: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x49},
+	78: [12]uint8{0x0, 0x1, 0x4a, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x28, 0xb},
+	79: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x4b, 0xb},
+	80: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x4c, 0x4d, 0xb},
+} // Size: 996 bytes
+
+var symData = stringset.Set{
+	Data: "" + // Size: 599 bytes
+		".,;%+-E׉∞NaN:\u00a0\u200e%\u200e\u200e+\u200e-ليس\u00a0رقمًا٪NDТерхьаш" +
+		"\u00a0дац·’mnne×10^0/00INF−\u200e−ناعددepälukuՈչԹ�რ\u00a0�რის\u00a0რიცხვ" +
+		"იZMdM�ан\u00a0еме�¤¤¤�ан\u00a0�ме�ບ�່\u200b�ມ່ນ\u200bໂຕ\u200bເລ�NSဂ�န်" +
+		"းမဟု�်သော��не\u00a0чи�лочыыһыла\u00a0буотах·10^epilohosan\u00a0dälTFЕs" +
+		"on\u00a0emasҳақиқий\u00a0�он\u00a0�ма��數值�数值٫٬؛٪\u061c\u061c+\u061c-اس؉ل" +
+		"يس\u00a0رقم\u200f+\u200f-\u200f−٪\u200f\u061c−×۱۰^؉\u200f\u200e+\u200e" +
+		"\u200e-\u200e\u200e−\u200e+\u200e：�ཨང་མེན་གྲངས་མེདཨང་མད",
+	Index: []uint16{ // 79 elements
+		// Entry 0 - 3F
+		0x0000, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0007,
+		0x0009, 0x000c, 0x000f, 0x0012, 0x0013, 0x0015, 0x001c, 0x0020,
+		0x0024, 0x0036, 0x0038, 0x003a, 0x0050, 0x0052, 0x0055, 0x0058,
+		0x0059, 0x005e, 0x0062, 0x0065, 0x0068, 0x006e, 0x0078, 0x0080,
+		0x0086, 0x00ae, 0x00af, 0x00b2, 0x00c2, 0x00c8, 0x00d8, 0x0105,
+		0x0107, 0x012e, 0x0132, 0x0142, 0x015e, 0x0163, 0x016a, 0x0173,
+		0x0175, 0x0177, 0x0180, 0x01a0, 0x01a9, 0x01b2, 0x01b4, 0x01b6,
+		0x01b8, 0x01bc, 0x01bf, 0x01c2, 0x01c6, 0x01c8, 0x01d6, 0x01da,
+		// Entry 40 - 7F
+		0x01de, 0x01e4, 0x01e9, 0x01ee, 0x01f5, 0x01fa, 0x0201, 0x0208,
+		0x0211, 0x0215, 0x0218, 0x021b, 0x0230, 0x0248, 0x0257,
+	},
+} // Size: 797 bytes
+
+// langToDefaults maps a compact language index to the default numbering system
+// and default symbol set
+var langToDefaults = [775]symOffset{
+	// Entry 0 - 3F
+	0x8000, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x8003, 0x0002, 0x0002, 0x0002, 0x0002, 0x0003,
+	0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002,
+	0x0003, 0x0003, 0x0003, 0x0003, 0x0002, 0x0002, 0x0002, 0x0004,
+	0x0002, 0x0004, 0x0002, 0x0002, 0x0002, 0x0003, 0x0002, 0x0000,
+	0x8005, 0x0000, 0x0000, 0x0000, 0x8006, 0x0005, 0x0006, 0x0006,
+	0x0006, 0x0006, 0x0006, 0x0001, 0x0001, 0x0001, 0x0001, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0001, 0x0001, 0x0000, 0x0000, 0x0000,
+	// Entry 40 - 7F
+	0x8009, 0x0000, 0x0000, 0x800a, 0x0000, 0x0000, 0x800c, 0x0001,
+	0x0000, 0x0000, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006,
+	0x0006, 0x0006, 0x0006, 0x0006, 0x800e, 0x0000, 0x0000, 0x0007,
+	0x0007, 0x0000, 0x0000, 0x0000, 0x0000, 0x800f, 0x0008, 0x0008,
+	0x8011, 0x0001, 0x0001, 0x0001, 0x803c, 0x0000, 0x0009, 0x0009,
+	0x0009, 0x0000, 0x0000, 0x000a, 0x000b, 0x000a, 0x000c, 0x000a,
+	0x000a, 0x000c, 0x000a, 0x000d, 0x000d, 0x000a, 0x000a, 0x0001,
+	0x0001, 0x0000, 0x0001, 0x0001, 0x803f, 0x0000, 0x0000, 0x0000,
+	// Entry 80 - BF
+	0x000e, 0x000e, 0x000e, 0x000f, 0x000f, 0x000f, 0x0000, 0x0000,
+	0x0006, 0x0000, 0x0000, 0x0000, 0x000a, 0x0010, 0x0000, 0x0006,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0011, 0x0000, 0x000a,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x000a, 0x0000, 0x0009, 0x0000,
+	0x0000, 0x0012, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	// Entry C0 - FF
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0013, 0x0000,
+	0x0000, 0x000f, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0001, 0x0000, 0x0000, 0x0015,
+	0x0015, 0x0006, 0x0000, 0x0006, 0x0006, 0x0000, 0x0000, 0x0006,
+	0x0006, 0x0001, 0x0000, 0x0000, 0x0006, 0x0006, 0x0006, 0x0006,
+	// Entry 100 - 13F
+	0x0000, 0x0000, 0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0006,
+	0x0000, 0x0006, 0x0000, 0x0000, 0x0006, 0x0006, 0x0016, 0x0016,
+	0x0017, 0x0017, 0x0001, 0x0001, 0x8041, 0x0018, 0x0018, 0x0001,
+	0x0001, 0x0001, 0x0001, 0x0001, 0x0019, 0x0019, 0x0000, 0x0000,
+	0x0017, 0x0017, 0x0017, 0x8044, 0x0001, 0x0001, 0x0001, 0x0001,
+	0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
+	0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
+	0x0001, 0x0001, 0x0006, 0x0006, 0x0001, 0x0001, 0x0001, 0x0001,
+	// Entry 140 - 17F
+	0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
+	0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
+	0x0001, 0x0001, 0x0006, 0x0006, 0x0006, 0x0006, 0x0000, 0x0000,
+	0x8047, 0x0000, 0x0006, 0x0006, 0x001a, 0x001a, 0x001a, 0x001a,
+	0x804a, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x804c, 0x001b, 0x0000,
+	0x0000, 0x0006, 0x0006, 0x0006, 0x000a, 0x000a, 0x0001, 0x0001,
+	0x001c, 0x001c, 0x0009, 0x0009, 0x804f, 0x0000, 0x0000, 0x0000,
+	// Entry 180 - 1BF
+	0x0000, 0x0000, 0x8052, 0x0006, 0x0006, 0x001d, 0x0006, 0x0006,
+	0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0006, 0x0006,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x001e, 0x001e, 0x001f,
+	0x001f, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0001,
+	0x0001, 0x000d, 0x000d, 0x0000, 0x0000, 0x0020, 0x0020, 0x0006,
+	0x0006, 0x0021, 0x0021, 0x0000, 0x0000, 0x0006, 0x0006, 0x0000,
+	0x0000, 0x8054, 0x0000, 0x0000, 0x0000, 0x0000, 0x8056, 0x001b,
+	0x0000, 0x0000, 0x0001, 0x0001, 0x0022, 0x0022, 0x0000, 0x0000,
+	// Entry 1C0 - 1FF
+	0x0000, 0x0023, 0x0023, 0x0000, 0x0000, 0x0006, 0x0006, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006,
+	0x0024, 0x0024, 0x8058, 0x0000, 0x0000, 0x0016, 0x0016, 0x0006,
+	0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0025, 0x0025, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x000d, 0x000d, 0x0000, 0x0000,
+	0x0006, 0x0006, 0x0000, 0x0000, 0x0006, 0x0006, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x805a, 0x0000, 0x0000, 0x0006, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0006, 0x0006, 0x805b, 0x0026, 0x805d,
+	// Entry 200 - 23F
+	0x0000, 0x0000, 0x0000, 0x0000, 0x805e, 0x0015, 0x0015, 0x0000,
+	0x0000, 0x0006, 0x0006, 0x0006, 0x8061, 0x0000, 0x0000, 0x8062,
+	0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0001,
+	0x0001, 0x0015, 0x0015, 0x0006, 0x0006, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0027, 0x0027, 0x0027, 0x8065, 0x8067,
+	0x001b, 0x0000, 0x0000, 0x0000, 0x0001, 0x0001, 0x0001, 0x0001,
+	0x8069, 0x0028, 0x0006, 0x0001, 0x0006, 0x0001, 0x0001, 0x0001,
+	// Entry 240 - 27F
+	0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0000,
+	0x0006, 0x0000, 0x0000, 0x001a, 0x001a, 0x0006, 0x0006, 0x0006,
+	0x0006, 0x0006, 0x0000, 0x0000, 0x0029, 0x0029, 0x0029, 0x0029,
+	0x0029, 0x0029, 0x0029, 0x0006, 0x0006, 0x0000, 0x0000, 0x002a,
+	0x002a, 0x0000, 0x0000, 0x0000, 0x0000, 0x806b, 0x0000, 0x0000,
+	0x002b, 0x002b, 0x002b, 0x002b, 0x0006, 0x0006, 0x000d, 0x000d,
+	0x0006, 0x0006, 0x0000, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
+	0x002c, 0x002c, 0x002d, 0x002d, 0x002e, 0x002e, 0x0000, 0x0000,
+	// Entry 280 - 2BF
+	0x0000, 0x002f, 0x002f, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0001, 0x0001, 0x0001, 0x0001, 0x0006,
+	0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006,
+	0x0006, 0x0006, 0x0000, 0x0000, 0x0000, 0x806d, 0x0022, 0x0022,
+	0x0022, 0x0000, 0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0001, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0030, 0x0030, 0x0000, 0x0000, 0x8071, 0x0031, 0x0006,
+	// Entry 2C0 - 2FF
+	0x0006, 0x0006, 0x0000, 0x0001, 0x0001, 0x000d, 0x000d, 0x0001,
+	0x0001, 0x0000, 0x0000, 0x0032, 0x0032, 0x8074, 0x8076, 0x001b,
+	0x8077, 0x8079, 0x0028, 0x807b, 0x0034, 0x0033, 0x0033, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0006, 0x0006, 0x0000,
+	0x0000, 0x0000, 0x0000, 0x0000, 0x0035, 0x0035, 0x0006, 0x0006,
+	0x0000, 0x0000, 0x0000, 0x0001, 0x0001, 0x0000, 0x0000, 0x0000,
+	0x0000, 0x0000, 0x0036, 0x0037, 0x0037, 0x0036, 0x0036, 0x0001,
+	0x0001, 0x807d, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x8080,
+	// Entry 300 - 33F
+	0x0036, 0x0036, 0x0036, 0x0000, 0x0000, 0x0006, 0x0014,
+} // Size: 1550 bytes
+
+// langToAlt is a list of numbering system and symbol set pairs, sorted and
+// marked by compact language index.
+var langToAlt = []altSymData{ // 131 elements
+	1:   {compactTag: 0x0, symIndex: 0x38, system: 0x3},
+	2:   {compactTag: 0x0, symIndex: 0x42, system: 0x4},
+	3:   {compactTag: 0xa, symIndex: 0x39, system: 0x3},
+	4:   {compactTag: 0xa, symIndex: 0x2, system: 0x0},
+	5:   {compactTag: 0x28, symIndex: 0x0, system: 0x6},
+	6:   {compactTag: 0x2c, symIndex: 0x5, system: 0x0},
+	7:   {compactTag: 0x2c, symIndex: 0x3a, system: 0x3},
+	8:   {compactTag: 0x2c, symIndex: 0x42, system: 0x4},
+	9:   {compactTag: 0x40, symIndex: 0x0, system: 0x6},
+	10:  {compactTag: 0x43, symIndex: 0x0, system: 0x0},
+	11:  {compactTag: 0x43, symIndex: 0x4f, system: 0x37},
+	12:  {compactTag: 0x46, symIndex: 0x1, system: 0x0},
+	13:  {compactTag: 0x46, symIndex: 0x38, system: 0x3},
+	14:  {compactTag: 0x54, symIndex: 0x0, system: 0x9},
+	15:  {compactTag: 0x5d, symIndex: 0x3a, system: 0x3},
+	16:  {compactTag: 0x5d, symIndex: 0x8, system: 0x0},
+	17:  {compactTag: 0x60, symIndex: 0x1, system: 0x0},
+	18:  {compactTag: 0x60, symIndex: 0x38, system: 0x3},
+	19:  {compactTag: 0x60, symIndex: 0x42, system: 0x4},
+	20:  {compactTag: 0x60, symIndex: 0x0, system: 0x5},
+	21:  {compactTag: 0x60, symIndex: 0x0, system: 0x6},
+	22:  {compactTag: 0x60, symIndex: 0x0, system: 0x8},
+	23:  {compactTag: 0x60, symIndex: 0x0, system: 0x9},
+	24:  {compactTag: 0x60, symIndex: 0x0, system: 0xa},
+	25:  {compactTag: 0x60, symIndex: 0x0, system: 0xb},
+	26:  {compactTag: 0x60, symIndex: 0x0, system: 0xc},
+	27:  {compactTag: 0x60, symIndex: 0x0, system: 0xd},
+	28:  {compactTag: 0x60, symIndex: 0x0, system: 0xe},
+	29:  {compactTag: 0x60, symIndex: 0x0, system: 0xf},
+	30:  {compactTag: 0x60, symIndex: 0x0, system: 0x11},
+	31:  {compactTag: 0x60, symIndex: 0x0, system: 0x12},
+	32:  {compactTag: 0x60, symIndex: 0x0, system: 0x13},
+	33:  {compactTag: 0x60, symIndex: 0x0, system: 0x14},
+	34:  {compactTag: 0x60, symIndex: 0x0, system: 0x15},
+	35:  {compactTag: 0x60, symIndex: 0x0, system: 0x16},
+	36:  {compactTag: 0x60, symIndex: 0x0, system: 0x17},
+	37:  {compactTag: 0x60, symIndex: 0x0, system: 0x18},
+	38:  {compactTag: 0x60, symIndex: 0x0, system: 0x19},
+	39:  {compactTag: 0x60, symIndex: 0x0, system: 0x1f},
+	40:  {compactTag: 0x60, symIndex: 0x0, system: 0x21},
+	41:  {compactTag: 0x60, symIndex: 0x0, system: 0x23},
+	42:  {compactTag: 0x60, symIndex: 0x0, system: 0x24},
+	43:  {compactTag: 0x60, symIndex: 0x0, system: 0x25},
+	44:  {compactTag: 0x60, symIndex: 0x0, system: 0x28},
+	45:  {compactTag: 0x60, symIndex: 0x0, system: 0x29},
+	46:  {compactTag: 0x60, symIndex: 0x0, system: 0x2a},
+	47:  {compactTag: 0x60, symIndex: 0x0, system: 0x2b},
+	48:  {compactTag: 0x60, symIndex: 0x0, system: 0x2c},
+	49:  {compactTag: 0x60, symIndex: 0x0, system: 0x2d},
+	50:  {compactTag: 0x60, symIndex: 0x0, system: 0x30},
+	51:  {compactTag: 0x60, symIndex: 0x0, system: 0x31},
+	52:  {compactTag: 0x60, symIndex: 0x0, system: 0x32},
+	53:  {compactTag: 0x60, symIndex: 0x0, system: 0x33},
+	54:  {compactTag: 0x60, symIndex: 0x0, system: 0x34},
+	55:  {compactTag: 0x60, symIndex: 0x0, system: 0x35},
+	56:  {compactTag: 0x60, symIndex: 0x0, system: 0x36},
+	57:  {compactTag: 0x60, symIndex: 0x0, system: 0x37},
+	58:  {compactTag: 0x60, symIndex: 0x0, system: 0x39},
+	59:  {compactTag: 0x60, symIndex: 0x0, system: 0x43},
+	60:  {compactTag: 0x64, symIndex: 0x0, system: 0x0},
+	61:  {compactTag: 0x64, symIndex: 0x38, system: 0x3},
+	62:  {compactTag: 0x64, symIndex: 0x42, system: 0x4},
+	63:  {compactTag: 0x7c, symIndex: 0x50, system: 0x37},
+	64:  {compactTag: 0x7c, symIndex: 0x0, system: 0x0},
+	65:  {compactTag: 0x114, symIndex: 0x43, system: 0x4},
+	66:  {compactTag: 0x114, symIndex: 0x18, system: 0x0},
+	67:  {compactTag: 0x114, symIndex: 0x3b, system: 0x3},
+	68:  {compactTag: 0x123, symIndex: 0x1, system: 0x0},
+	69:  {compactTag: 0x123, symIndex: 0x3c, system: 0x3},
+	70:  {compactTag: 0x123, symIndex: 0x44, system: 0x4},
+	71:  {compactTag: 0x158, symIndex: 0x0, system: 0x0},
+	72:  {compactTag: 0x158, symIndex: 0x3b, system: 0x3},
+	73:  {compactTag: 0x158, symIndex: 0x45, system: 0x4},
+	74:  {compactTag: 0x160, symIndex: 0x0, system: 0x0},
+	75:  {compactTag: 0x160, symIndex: 0x38, system: 0x3},
+	76:  {compactTag: 0x16d, symIndex: 0x1b, system: 0x0},
+	77:  {compactTag: 0x16d, symIndex: 0x0, system: 0x9},
+	78:  {compactTag: 0x16d, symIndex: 0x0, system: 0xa},
+	79:  {compactTag: 0x17c, symIndex: 0x0, system: 0x0},
+	80:  {compactTag: 0x17c, symIndex: 0x3d, system: 0x3},
+	81:  {compactTag: 0x17c, symIndex: 0x42, system: 0x4},
+	82:  {compactTag: 0x182, symIndex: 0x6, system: 0x0},
+	83:  {compactTag: 0x182, symIndex: 0x38, system: 0x3},
+	84:  {compactTag: 0x1b1, symIndex: 0x0, system: 0x0},
+	85:  {compactTag: 0x1b1, symIndex: 0x3e, system: 0x3},
+	86:  {compactTag: 0x1b6, symIndex: 0x42, system: 0x4},
+	87:  {compactTag: 0x1b6, symIndex: 0x1b, system: 0x0},
+	88:  {compactTag: 0x1d2, symIndex: 0x42, system: 0x4},
+	89:  {compactTag: 0x1d2, symIndex: 0x0, system: 0x0},
+	90:  {compactTag: 0x1f3, symIndex: 0x0, system: 0xb},
+	91:  {compactTag: 0x1fd, symIndex: 0x4e, system: 0x24},
+	92:  {compactTag: 0x1fd, symIndex: 0x26, system: 0x0},
+	93:  {compactTag: 0x1ff, symIndex: 0x42, system: 0x4},
+	94:  {compactTag: 0x204, symIndex: 0x15, system: 0x0},
+	95:  {compactTag: 0x204, symIndex: 0x3f, system: 0x3},
+	96:  {compactTag: 0x204, symIndex: 0x46, system: 0x4},
+	97:  {compactTag: 0x20c, symIndex: 0x0, system: 0xb},
+	98:  {compactTag: 0x20f, symIndex: 0x6, system: 0x0},
+	99:  {compactTag: 0x20f, symIndex: 0x38, system: 0x3},
+	100: {compactTag: 0x20f, symIndex: 0x42, system: 0x4},
+	101: {compactTag: 0x22e, symIndex: 0x0, system: 0x0},
+	102: {compactTag: 0x22e, symIndex: 0x47, system: 0x4},
+	103: {compactTag: 0x22f, symIndex: 0x42, system: 0x4},
+	104: {compactTag: 0x22f, symIndex: 0x1b, system: 0x0},
+	105: {compactTag: 0x238, symIndex: 0x42, system: 0x4},
+	106: {compactTag: 0x238, symIndex: 0x28, system: 0x0},
+	107: {compactTag: 0x265, symIndex: 0x38, system: 0x3},
+	108: {compactTag: 0x265, symIndex: 0x0, system: 0x0},
+	109: {compactTag: 0x29d, symIndex: 0x22, system: 0x0},
+	110: {compactTag: 0x29d, symIndex: 0x40, system: 0x3},
+	111: {compactTag: 0x29d, symIndex: 0x48, system: 0x4},
+	112: {compactTag: 0x29d, symIndex: 0x4d, system: 0xc},
+	113: {compactTag: 0x2bd, symIndex: 0x31, system: 0x0},
+	114: {compactTag: 0x2bd, symIndex: 0x3e, system: 0x3},
+	115: {compactTag: 0x2bd, symIndex: 0x42, system: 0x4},
+	116: {compactTag: 0x2cd, symIndex: 0x1b, system: 0x0},
+	117: {compactTag: 0x2cd, symIndex: 0x49, system: 0x4},
+	118: {compactTag: 0x2ce, symIndex: 0x49, system: 0x4},
+	119: {compactTag: 0x2d0, symIndex: 0x33, system: 0x0},
+	120: {compactTag: 0x2d0, symIndex: 0x4a, system: 0x4},
+	121: {compactTag: 0x2d1, symIndex: 0x42, system: 0x4},
+	122: {compactTag: 0x2d1, symIndex: 0x28, system: 0x0},
+	123: {compactTag: 0x2d3, symIndex: 0x34, system: 0x0},
+	124: {compactTag: 0x2d3, symIndex: 0x4b, system: 0x4},
+	125: {compactTag: 0x2f9, symIndex: 0x0, system: 0x0},
+	126: {compactTag: 0x2f9, symIndex: 0x38, system: 0x3},
+	127: {compactTag: 0x2f9, symIndex: 0x42, system: 0x4},
+	128: {compactTag: 0x2ff, symIndex: 0x36, system: 0x0},
+	129: {compactTag: 0x2ff, symIndex: 0x41, system: 0x3},
+	130: {compactTag: 0x2ff, symIndex: 0x4c, system: 0x4},
+} // Size: 810 bytes
+
+var tagToDecimal = []uint8{ // 775 elements
+	// Entry 0 - 3F
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 40 - 7F
+	0x05, 0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x05, 0x05, 0x05, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x05, 0x05, 0x01, 0x01,
+	// Entry 80 - BF
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry C0 - FF
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 100 - 13F
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 140 - 17F
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x05,
+	0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 180 - 1BF
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x05, 0x05, 0x05, 0x05,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 1C0 - 1FF
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x05, 0x05,
+	0x01, 0x01, 0x01, 0x05, 0x05, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 200 - 23F
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x05, 0x05, 0x01, 0x01, 0x01, 0x05, 0x01,
+	0x01, 0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 240 - 27F
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 280 - 2BF
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x05,
+	0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 2C0 - 2FF
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+	// Entry 300 - 33F
+	0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x08,
+} // Size: 799 bytes
+
+var tagToScientific = []uint8{ // 775 elements
+	// Entry 0 - 3F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 40 - 7F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 80 - BF
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry C0 - FF
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 100 - 13F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 140 - 17F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x0c, 0x0c, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x0c,
+	0x0c, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 180 - 1BF
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 1C0 - 1FF
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x0d, 0x0d, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x0c, 0x0c, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 200 - 23F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x0c, 0x02,
+	0x02, 0x0c, 0x0c, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 240 - 27F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x0d, 0x0d, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 280 - 2BF
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 2C0 - 2FF
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+	// Entry 300 - 33F
+	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x09,
+} // Size: 799 bytes
+
+var tagToPercent = []uint8{ // 775 elements
+	// Entry 0 - 3F
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x06, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x03, 0x03, 0x03, 0x03, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	// Entry 40 - 7F
+	0x06, 0x06, 0x06, 0x04, 0x04, 0x04, 0x03, 0x03,
+	0x06, 0x06, 0x03, 0x04, 0x04, 0x03, 0x03, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x06, 0x06, 0x06, 0x03,
+	0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x03, 0x03,
+	0x03, 0x04, 0x04, 0x03, 0x03, 0x03, 0x04, 0x03,
+	0x03, 0x04, 0x03, 0x04, 0x04, 0x03, 0x03, 0x03,
+	0x03, 0x04, 0x04, 0x04, 0x07, 0x07, 0x04, 0x04,
+	// Entry 80 - BF
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x03, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x03, 0x04, 0x03, 0x04,
+	0x04, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	// Entry C0 - FF
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x03, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	// Entry 100 - 13F
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x04, 0x04,
+	0x0b, 0x0b, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04, 0x04,
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x04, 0x03, 0x03,
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	// Entry 140 - 17F
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	0x06, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x06,
+	0x06, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	// Entry 180 - 1BF
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x06, 0x06, 0x06, 0x06,
+	0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04, 0x04,
+	// Entry 1C0 - 1FF
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	// Entry 200 - 23F
+	0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x03, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x06, 0x06, 0x04, 0x04, 0x04, 0x06, 0x04,
+	0x04, 0x06, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	// Entry 240 - 27F
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x03,
+	0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+	0x03, 0x03, 0x04, 0x04, 0x03, 0x03, 0x03, 0x03,
+	0x03, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x03, 0x03, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x03, 0x03, 0x03, 0x03, 0x04, 0x04,
+	// Entry 280 - 2BF
+	0x04, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x03,
+	0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x06,
+	0x06, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x0e,
+	// Entry 2C0 - 2FF
+	0x0e, 0x0e, 0x04, 0x03, 0x03, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x03,
+	0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+	// Entry 300 - 33F
+	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x0a,
+} // Size: 799 bytes
+
+var formats = []Pattern{Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+	MaxFractionDigits:    0,
+	Increment:            0x0,
+	IncrementScale:       0x0,
+	Mode:                 0x0,
+	DigitShift:           0x0,
+	MinIntegerDigits:     0x0,
+	MaxIntegerDigits:     0x0,
+	MinFractionDigits:    0x0,
+	MinSignificantDigits: 0x0,
+	MinExponentDigits:    0x0},
+	Affix:       "",
+	Offset:      0x0,
+	NegOffset:   0x0,
+	PadRune:     0,
+	FormatWidth: 0x0,
+	GroupingSize: [2]uint8{0x0,
+		0x0},
+	Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    3,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x0,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x9,
+		GroupingSize: [2]uint8{0x3,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x0,
+		MinIntegerDigits:     0x0,
+		MaxIntegerDigits:     0x1,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x1},
+		Affix:       "",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x3,
+		GroupingSize: [2]uint8{0x0,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x2,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "\x00\x03\u00a0%",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x7,
+		GroupingSize: [2]uint8{0x3,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x2,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "\x00\x01%",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x6,
+		GroupingSize: [2]uint8{0x3,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    3,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x0,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0xc,
+		GroupingSize: [2]uint8{0x3,
+			0x2},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x2,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "\x00\x01%",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x9,
+		GroupingSize: [2]uint8{0x3,
+			0x2},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x2,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "\x00\x03\u00a0%",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0xa,
+		GroupingSize: [2]uint8{0x3,
+			0x2},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    6,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x0,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x8,
+		GroupingSize: [2]uint8{0x0,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    6,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x0,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x6,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x3},
+		Affix:       "",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0xd,
+		GroupingSize: [2]uint8{0x0,
+			0x0},
+		Flags: 0x4},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x2,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "\x00\x01%",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x2,
+		GroupingSize: [2]uint8{0x0,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x2,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "\x03%\u00a0\x00",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x7,
+		GroupingSize: [2]uint8{0x3,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x0,
+		MinIntegerDigits:     0x0,
+		MaxIntegerDigits:     0x1,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x1},
+		Affix:       "\x01[\x01]",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x5,
+		GroupingSize: [2]uint8{0x0,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x0,
+		MinIntegerDigits:     0x0,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x1,
+		GroupingSize: [2]uint8{0x0,
+			0x0},
+		Flags: 0x0},
+	Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0,
+		MaxFractionDigits:    0,
+		Increment:            0x0,
+		IncrementScale:       0x0,
+		Mode:                 0x0,
+		DigitShift:           0x2,
+		MinIntegerDigits:     0x1,
+		MaxIntegerDigits:     0x0,
+		MinFractionDigits:    0x0,
+		MinSignificantDigits: 0x0,
+		MinExponentDigits:    0x0},
+		Affix:       "\x01%\x00",
+		Offset:      0x0,
+		NegOffset:   0x0,
+		PadRune:     0,
+		FormatWidth: 0x6,
+		GroupingSize: [2]uint8{0x3,
+			0x0},
+		Flags: 0x0}}
+
+// Total table size 8634 bytes (8KiB); checksum: 8F23386D
diff --git a/vendor/golang.org/x/text/internal/stringset/set.go b/vendor/golang.org/x/text/internal/stringset/set.go
new file mode 100644
index 0000000000..bb2fffbc75
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/stringset/set.go
@@ -0,0 +1,86 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package stringset provides a way to represent a collection of strings
+// compactly.
+package stringset
+
+import "sort"
+
+// A Set holds a collection of strings that can be looked up by an index number.
+type Set struct {
+	// These fields are exported to allow for code generation.
+
+	Data  string
+	Index []uint16
+}
+
+// Elem returns the string with index i. It panics if i is out of range.
+func (s *Set) Elem(i int) string {
+	return s.Data[s.Index[i]:s.Index[i+1]]
+}
+
+// Len returns the number of strings in the set.
+func (s *Set) Len() int {
+	return len(s.Index) - 1
+}
+
+// Search returns the index of the given string or -1 if it is not in the set.
+// The Set must have been created with strings in sorted order.
+func Search(s *Set, str string) int {
+	// TODO: optimize this if it gets used a lot.
+	n := len(s.Index) - 1
+	p := sort.Search(n, func(i int) bool {
+		return s.Elem(i) >= str
+	})
+	if p == n || str != s.Elem(p) {
+		return -1
+	}
+	return p
+}
+
+// A Builder constructs Sets.
+type Builder struct {
+	set   Set
+	index map[string]int
+}
+
+// NewBuilder returns a new and initialized Builder.
+func NewBuilder() *Builder {
+	return &Builder{
+		set: Set{
+			Index: []uint16{0},
+		},
+		index: map[string]int{},
+	}
+}
+
+// Set creates the set created so far.
+func (b *Builder) Set() Set {
+	return b.set
+}
+
+// Index returns the index for the given string, which must have been added
+// before.
+func (b *Builder) Index(s string) int {
+	return b.index[s]
+}
+
+// Add adds a string to the index. Strings that are added by a single Add will
+// be stored together, unless they match an existing string.
+func (b *Builder) Add(ss ...string) {
+	// First check if the string already exists.
+	for _, s := range ss {
+		if _, ok := b.index[s]; ok {
+			continue
+		}
+		b.index[s] = len(b.set.Index) - 1
+		b.set.Data += s
+		x := len(b.set.Data)
+		if x > 0xFFFF {
+			panic("Index too > 0xFFFF")
+		}
+		b.set.Index = append(b.set.Index, uint16(x))
+	}
+}
diff --git a/vendor/golang.org/x/text/internal/utf8internal/utf8internal.go b/vendor/golang.org/x/text/internal/utf8internal/utf8internal.go
new file mode 100644
index 0000000000..e5c53b1b3e
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/utf8internal/utf8internal.go
@@ -0,0 +1,87 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package utf8internal contains low-level utf8-related constants, tables, etc.
+// that are used internally by the text package.
+package utf8internal
+
+// The default lowest and highest continuation byte.
+const (
+	LoCB = 0x80 // 1000 0000
+	HiCB = 0xBF // 1011 1111
+)
+
+// Constants related to getting information of first bytes of UTF-8 sequences.
+const (
+	// ASCII identifies a UTF-8 byte as ASCII.
+	ASCII = as
+
+	// FirstInvalid indicates a byte is invalid as a first byte of a UTF-8
+	// sequence.
+	FirstInvalid = xx
+
+	// SizeMask is a mask for the size bits. Use use x&SizeMask to get the size.
+	SizeMask = 7
+
+	// AcceptShift is the right-shift count for the first byte info byte to get
+	// the index into the AcceptRanges table. See AcceptRanges.
+	AcceptShift = 4
+
+	// The names of these constants are chosen to give nice alignment in the
+	// table below. The first nibble is an index into acceptRanges or F for
+	// special one-byte cases. The second nibble is the Rune length or the
+	// Status for the special one-byte case.
+	xx = 0xF1 // invalid: size 1
+	as = 0xF0 // ASCII: size 1
+	s1 = 0x02 // accept 0, size 2
+	s2 = 0x13 // accept 1, size 3
+	s3 = 0x03 // accept 0, size 3
+	s4 = 0x23 // accept 2, size 3
+	s5 = 0x34 // accept 3, size 4
+	s6 = 0x04 // accept 0, size 4
+	s7 = 0x44 // accept 4, size 4
+)
+
+// First is information about the first byte in a UTF-8 sequence.
+var First = [256]uint8{
+	//   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
+	as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x00-0x0F
+	as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x10-0x1F
+	as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x20-0x2F
+	as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x30-0x3F
+	as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x40-0x4F
+	as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x50-0x5F
+	as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x60-0x6F
+	as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x70-0x7F
+	//   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
+	xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0x80-0x8F
+	xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0x90-0x9F
+	xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0xA0-0xAF
+	xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0xB0-0xBF
+	xx, xx, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, // 0xC0-0xCF
+	s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, // 0xD0-0xDF
+	s2, s3, s3, s3, s3, s3, s3, s3, s3, s3, s3, s3, s3, s4, s3, s3, // 0xE0-0xEF
+	s5, s6, s6, s6, s7, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0xF0-0xFF
+}
+
+// AcceptRange gives the range of valid values for the second byte in a UTF-8
+// sequence for any value for First that is not ASCII or FirstInvalid.
+type AcceptRange struct {
+	Lo uint8 // lowest value for second byte.
+	Hi uint8 // highest value for second byte.
+}
+
+// AcceptRanges is a slice of AcceptRange values. For a given byte sequence b
+//
+//	AcceptRanges[First[b[0]]>>AcceptShift]
+//
+// will give the value of AcceptRange for the multi-byte UTF-8 sequence starting
+// at b[0].
+var AcceptRanges = [...]AcceptRange{
+	0: {LoCB, HiCB},
+	1: {0xA0, HiCB},
+	2: {LoCB, 0x9F},
+	3: {0x90, HiCB},
+	4: {LoCB, 0x8F},
+}
diff --git a/vendor/golang.org/x/text/message/catalog.go b/vendor/golang.org/x/text/message/catalog.go
new file mode 100644
index 0000000000..068271def4
--- /dev/null
+++ b/vendor/golang.org/x/text/message/catalog.go
@@ -0,0 +1,36 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package message
+
+// TODO: some types in this file will need to be made public at some time.
+// Documentation and method names will reflect this by using the exported name.
+
+import (
+	"golang.org/x/text/language"
+	"golang.org/x/text/message/catalog"
+)
+
+// MatchLanguage reports the matched tag obtained from language.MatchStrings for
+// the Matcher of the DefaultCatalog.
+func MatchLanguage(preferred ...string) language.Tag {
+	c := DefaultCatalog
+	tag, _ := language.MatchStrings(c.Matcher(), preferred...)
+	return tag
+}
+
+// DefaultCatalog is used by SetString.
+var DefaultCatalog catalog.Catalog = defaultCatalog
+
+var defaultCatalog = catalog.NewBuilder()
+
+// SetString calls SetString on the initial default Catalog.
+func SetString(tag language.Tag, key string, msg string) error {
+	return defaultCatalog.SetString(tag, key, msg)
+}
+
+// Set calls Set on the initial default Catalog.
+func Set(tag language.Tag, key string, msg ...catalog.Message) error {
+	return defaultCatalog.Set(tag, key, msg...)
+}
diff --git a/vendor/golang.org/x/text/message/catalog/catalog.go b/vendor/golang.org/x/text/message/catalog/catalog.go
new file mode 100644
index 0000000000..96955d0752
--- /dev/null
+++ b/vendor/golang.org/x/text/message/catalog/catalog.go
@@ -0,0 +1,365 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package catalog defines collections of translated format strings.
+//
+// This package mostly defines types for populating catalogs with messages. The
+// catmsg package contains further definitions for creating custom message and
+// dictionary types as well as packages that use Catalogs.
+//
+// Package catalog defines various interfaces: Dictionary, Loader, and Message.
+// A Dictionary maintains a set of translations of format strings for a single
+// language. The Loader interface defines a source of dictionaries. A
+// translation of a format string is represented by a Message.
+//
+// # Catalogs
+//
+// A Catalog defines a programmatic interface for setting message translations.
+// It maintains a set of per-language dictionaries with translations for a set
+// of keys. For message translation to function properly, a translation should
+// be defined for each key for each supported language. A dictionary may be
+// underspecified, though, if there is a parent language that already defines
+// the key. For example, a Dictionary for "en-GB" could leave out entries that
+// are identical to those in a dictionary for "en".
+//
+// # Messages
+//
+// A Message is a format string which varies on the value of substitution
+// variables. For instance, to indicate the number of results one could want "no
+// results" if there are none, "1 result" if there is 1, and "%d results" for
+// any other number. Catalog is agnostic to the kind of format strings that are
+// used: for instance, messages can follow either the printf-style substitution
+// from package fmt or use templates.
+//
+// A Message does not substitute arguments in the format string. This job is
+// reserved for packages that render strings, such as message, that use Catalogs
+// to selected string. This separation of concerns allows Catalog to be used to
+// store any kind of formatting strings.
+//
+// # Selecting messages based on linguistic features of substitution arguments
+//
+// Messages may vary based on any linguistic features of the argument values.
+// The most common one is plural form, but others exist.
+//
+// Selection messages are provided in packages that provide support for a
+// specific linguistic feature. The following snippet uses plural.Selectf:
+//
+//	catalog.Set(language.English, "You are %d minute(s) late.",
+//		plural.Selectf(1, "",
+//			plural.One, "You are 1 minute late.",
+//			plural.Other, "You are %d minutes late."))
+//
+// In this example, a message is stored in the Catalog where one of two messages
+// is selected based on the first argument, a number. The first message is
+// selected if the argument is singular (identified by the selector "one") and
+// the second message is selected in all other cases. The selectors are defined
+// by the plural rules defined in CLDR. The selector "other" is special and will
+// always match. Each language always defines one of the linguistic categories
+// to be "other." For English, singular is "one" and plural is "other".
+//
+// Selects can be nested. This allows selecting sentences based on features of
+// multiple arguments or multiple linguistic properties of a single argument.
+//
+// # String interpolation
+//
+// There is often a lot of commonality between the possible variants of a
+// message. For instance, in the example above the word "minute" varies based on
+// the plural catogory of the argument, but the rest of the sentence is
+// identical. Using interpolation the above message can be rewritten as:
+//
+//	catalog.Set(language.English, "You are %d minute(s) late.",
+//		catalog.Var("minutes",
+//			plural.Selectf(1, "", plural.One, "minute", plural.Other, "minutes")),
+//		catalog.String("You are %[1]d ${minutes} late."))
+//
+// Var is defined to return the variable name if the message does not yield a
+// match. This allows us to further simplify this snippet to
+//
+//	catalog.Set(language.English, "You are %d minute(s) late.",
+//		catalog.Var("minutes", plural.Selectf(1, "", plural.One, "minute")),
+//		catalog.String("You are %d ${minutes} late."))
+//
+// Overall this is still only a minor improvement, but things can get a lot more
+// unwieldy if more than one linguistic feature is used to determine a message
+// variant. Consider the following example:
+//
+//	// argument 1: list of hosts, argument 2: list of guests
+//	catalog.Set(language.English, "%[1]v invite(s) %[2]v to their party.",
+//		catalog.Var("their",
+//			plural.Selectf(1, ""
+//				plural.One, gender.Select(1, "female", "her", "other", "his"))),
+//		catalog.Var("invites", plural.Selectf(1, "", plural.One, "invite"))
+//		catalog.String("%[1]v ${invites} %[2]v to ${their} party.")),
+//
+// Without variable substitution, this would have to be written as
+//
+//	// argument 1: list of hosts, argument 2: list of guests
+//	catalog.Set(language.English, "%[1]v invite(s) %[2]v to their party.",
+//		plural.Selectf(1, "",
+//			plural.One, gender.Select(1,
+//				"female", "%[1]v invites %[2]v to her party."
+//				"other", "%[1]v invites %[2]v to his party."),
+//			plural.Other, "%[1]v invites %[2]v to their party."))
+//
+// Not necessarily shorter, but using variables there is less duplication and
+// the messages are more maintenance friendly. Moreover, languages may have up
+// to six plural forms. This makes the use of variables more welcome.
+//
+// Different messages using the same inflections can reuse variables by moving
+// them to macros. Using macros we can rewrite the message as:
+//
+//	// argument 1: list of hosts, argument 2: list of guests
+//	catalog.SetString(language.English, "%[1]v invite(s) %[2]v to their party.",
+//		"%[1]v ${invites(1)} %[2]v to ${their(1)} party.")
+//
+// Where the following macros were defined separately.
+//
+//	catalog.SetMacro(language.English, "invites", plural.Selectf(1, "",
+//		plural.One, "invite"))
+//	catalog.SetMacro(language.English, "their", plural.Selectf(1, "",
+//		plural.One, gender.Select(1, "female", "her", "other", "his"))),
+//
+// Placeholders use parentheses and the arguments to invoke a macro.
+//
+// # Looking up messages
+//
+// Message lookup using Catalogs is typically only done by specialized packages
+// and is not something the user should be concerned with. For instance, to
+// express the tardiness of a user using the related message we defined earlier,
+// the user may use the package message like so:
+//
+//	p := message.NewPrinter(language.English)
+//	p.Printf("You are %d minute(s) late.", 5)
+//
+// Which would print:
+//
+//	You are 5 minutes late.
+//
+// This package is UNDER CONSTRUCTION and its API may change.
+package catalog // import "golang.org/x/text/message/catalog"
+
+// TODO:
+// Some way to freeze a catalog.
+// - Locking on each lockup turns out to be about 50% of the total running time
+//   for some of the benchmarks in the message package.
+// Consider these:
+// - Sequence type to support sequences in user-defined messages.
+// - Garbage collection: Remove dictionaries that can no longer be reached
+//   as other dictionaries have been added that cover all possible keys.
+
+import (
+	"errors"
+	"fmt"
+
+	"golang.org/x/text/internal"
+
+	"golang.org/x/text/internal/catmsg"
+	"golang.org/x/text/language"
+)
+
+// A Catalog allows lookup of translated messages.
+type Catalog interface {
+	// Languages returns all languages for which the Catalog contains variants.
+	Languages() []language.Tag
+
+	// Matcher returns a Matcher for languages from this Catalog.
+	Matcher() language.Matcher
+
+	// A Context is used for evaluating Messages.
+	Context(tag language.Tag, r catmsg.Renderer) *Context
+
+	// This method also makes Catalog a private interface.
+	lookup(tag language.Tag, key string) (data string, ok bool)
+}
+
+// NewFromMap creates a Catalog from the given map. If a Dictionary is
+// underspecified the entry is retrieved from a parent language.
+func NewFromMap(dictionaries map[string]Dictionary, opts ...Option) (Catalog, error) {
+	options := options{}
+	for _, o := range opts {
+		o(&options)
+	}
+	c := &catalog{
+		dicts: map[language.Tag]Dictionary{},
+	}
+	_, hasFallback := dictionaries[options.fallback.String()]
+	if hasFallback {
+		// TODO: Should it be okay to not have a fallback language?
+		// Catalog generators could enforce there is always a fallback.
+		c.langs = append(c.langs, options.fallback)
+	}
+	for lang, dict := range dictionaries {
+		tag, err := language.Parse(lang)
+		if err != nil {
+			return nil, fmt.Errorf("catalog: invalid language tag %q", lang)
+		}
+		if _, ok := c.dicts[tag]; ok {
+			return nil, fmt.Errorf("catalog: duplicate entry for tag %q after normalization", tag)
+		}
+		c.dicts[tag] = dict
+		if !hasFallback || tag != options.fallback {
+			c.langs = append(c.langs, tag)
+		}
+	}
+	if hasFallback {
+		internal.SortTags(c.langs[1:])
+	} else {
+		internal.SortTags(c.langs)
+	}
+	c.matcher = language.NewMatcher(c.langs)
+	return c, nil
+}
+
+// A Dictionary is a source of translations for a single language.
+type Dictionary interface {
+	// Lookup returns a message compiled with catmsg.Compile for the given key.
+	// It returns false for ok if such a message could not be found.
+	Lookup(key string) (data string, ok bool)
+}
+
+type catalog struct {
+	langs   []language.Tag
+	dicts   map[language.Tag]Dictionary
+	macros  store
+	matcher language.Matcher
+}
+
+func (c *catalog) Languages() []language.Tag { return c.langs }
+func (c *catalog) Matcher() language.Matcher { return c.matcher }
+
+func (c *catalog) lookup(tag language.Tag, key string) (data string, ok bool) {
+	for ; ; tag = tag.Parent() {
+		if dict, ok := c.dicts[tag]; ok {
+			if data, ok := dict.Lookup(key); ok {
+				return data, true
+			}
+		}
+		if tag == language.Und {
+			break
+		}
+	}
+	return "", false
+}
+
+// Context returns a Context for formatting messages.
+// Only one Message may be formatted per context at any given time.
+func (c *catalog) Context(tag language.Tag, r catmsg.Renderer) *Context {
+	return &Context{
+		cat: c,
+		tag: tag,
+		dec: catmsg.NewDecoder(tag, r, &dict{&c.macros, tag}),
+	}
+}
+
+// A Builder allows building a Catalog programmatically.
+type Builder struct {
+	options
+	matcher language.Matcher
+
+	index  store
+	macros store
+}
+
+type options struct {
+	fallback language.Tag
+}
+
+// An Option configures Catalog behavior.
+type Option func(*options)
+
+// Fallback specifies the default fallback language. The default is Und.
+func Fallback(tag language.Tag) Option {
+	return func(o *options) { o.fallback = tag }
+}
+
+// TODO:
+// // Catalogs specifies one or more sources for a Catalog.
+// // Lookups are in order.
+// // This can be changed inserting a Catalog used for setting, which implements
+// // Loader, used for setting in the chain.
+// func Catalogs(d ...Loader) Option {
+// 	return nil
+// }
+//
+// func Delims(start, end string) Option {}
+//
+// func Dict(tag language.Tag, d ...Dictionary) Option
+
+// NewBuilder returns an empty mutable Catalog.
+func NewBuilder(opts ...Option) *Builder {
+	c := &Builder{}
+	for _, o := range opts {
+		o(&c.options)
+	}
+	return c
+}
+
+// SetString is shorthand for Set(tag, key, String(msg)).
+func (c *Builder) SetString(tag language.Tag, key string, msg string) error {
+	return c.set(tag, key, &c.index, String(msg))
+}
+
+// Set sets the translation for the given language and key.
+//
+// When evaluation this message, the first Message in the sequence to msgs to
+// evaluate to a string will be the message returned.
+func (c *Builder) Set(tag language.Tag, key string, msg ...Message) error {
+	return c.set(tag, key, &c.index, msg...)
+}
+
+// SetMacro defines a Message that may be substituted in another message.
+// The arguments to a macro Message are passed as arguments in the
+// placeholder the form "${foo(arg1, arg2)}".
+func (c *Builder) SetMacro(tag language.Tag, name string, msg ...Message) error {
+	return c.set(tag, name, &c.macros, msg...)
+}
+
+// ErrNotFound indicates there was no message for the given key.
+var ErrNotFound = errors.New("catalog: message not found")
+
+// String specifies a plain message string. It can be used as fallback if no
+// other strings match or as a simple standalone message.
+//
+// It is an error to pass more than one String in a message sequence.
+func String(name string) Message {
+	return catmsg.String(name)
+}
+
+// Var sets a variable that may be substituted in formatting patterns using
+// named substitution of the form "${name}". The name argument is used as a
+// fallback if the statements do not produce a match. The statement sequence may
+// not contain any Var calls.
+//
+// The name passed to a Var must be unique within message sequence.
+func Var(name string, msg ...Message) Message {
+	return &catmsg.Var{Name: name, Message: firstInSequence(msg)}
+}
+
+// Context returns a Context for formatting messages.
+// Only one Message may be formatted per context at any given time.
+func (b *Builder) Context(tag language.Tag, r catmsg.Renderer) *Context {
+	return &Context{
+		cat: b,
+		tag: tag,
+		dec: catmsg.NewDecoder(tag, r, &dict{&b.macros, tag}),
+	}
+}
+
+// A Context is used for evaluating Messages.
+// Only one Message may be formatted per context at any given time.
+type Context struct {
+	cat Catalog
+	tag language.Tag // TODO: use compact index.
+	dec *catmsg.Decoder
+}
+
+// Execute looks up and executes the message with the given key.
+// It returns ErrNotFound if no message could be found in the index.
+func (c *Context) Execute(key string) error {
+	data, ok := c.cat.lookup(c.tag, key)
+	if !ok {
+		return ErrNotFound
+	}
+	return c.dec.Execute(data)
+}
diff --git a/vendor/golang.org/x/text/message/catalog/dict.go b/vendor/golang.org/x/text/message/catalog/dict.go
new file mode 100644
index 0000000000..a0eb81810b
--- /dev/null
+++ b/vendor/golang.org/x/text/message/catalog/dict.go
@@ -0,0 +1,129 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package catalog
+
+import (
+	"sync"
+
+	"golang.org/x/text/internal"
+	"golang.org/x/text/internal/catmsg"
+	"golang.org/x/text/language"
+)
+
+// TODO:
+// Dictionary returns a Dictionary that returns the first Message, using the
+// given language tag, that matches:
+//   1. the last one registered by one of the Set methods
+//   2. returned by one of the Loaders
+//   3. repeat from 1. using the parent language
+// This approach allows messages to be underspecified.
+// func (c *Catalog) Dictionary(tag language.Tag) (Dictionary, error) {
+// 	// TODO: verify dictionary exists.
+// 	return &dict{&c.index, tag}, nil
+// }
+
+type dict struct {
+	s   *store
+	tag language.Tag // TODO: make compact tag.
+}
+
+func (d *dict) Lookup(key string) (data string, ok bool) {
+	return d.s.lookup(d.tag, key)
+}
+
+func (b *Builder) lookup(tag language.Tag, key string) (data string, ok bool) {
+	return b.index.lookup(tag, key)
+}
+
+func (c *Builder) set(tag language.Tag, key string, s *store, msg ...Message) error {
+	data, err := catmsg.Compile(tag, &dict{&c.macros, tag}, firstInSequence(msg))
+
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	m := s.index[tag]
+	if m == nil {
+		m = msgMap{}
+		if s.index == nil {
+			s.index = map[language.Tag]msgMap{}
+		}
+		c.matcher = nil
+		s.index[tag] = m
+	}
+
+	m[key] = data
+	return err
+}
+
+func (c *Builder) Matcher() language.Matcher {
+	c.index.mutex.RLock()
+	m := c.matcher
+	c.index.mutex.RUnlock()
+	if m != nil {
+		return m
+	}
+
+	c.index.mutex.Lock()
+	if c.matcher == nil {
+		c.matcher = language.NewMatcher(c.unlockedLanguages())
+	}
+	m = c.matcher
+	c.index.mutex.Unlock()
+	return m
+}
+
+type store struct {
+	mutex sync.RWMutex
+	index map[language.Tag]msgMap
+}
+
+type msgMap map[string]string
+
+func (s *store) lookup(tag language.Tag, key string) (data string, ok bool) {
+	s.mutex.RLock()
+	defer s.mutex.RUnlock()
+
+	for ; ; tag = tag.Parent() {
+		if msgs, ok := s.index[tag]; ok {
+			if msg, ok := msgs[key]; ok {
+				return msg, true
+			}
+		}
+		if tag == language.Und {
+			break
+		}
+	}
+	return "", false
+}
+
+// Languages returns all languages for which the Catalog contains variants.
+func (b *Builder) Languages() []language.Tag {
+	s := &b.index
+	s.mutex.RLock()
+	defer s.mutex.RUnlock()
+
+	return b.unlockedLanguages()
+}
+
+func (b *Builder) unlockedLanguages() []language.Tag {
+	s := &b.index
+	if len(s.index) == 0 {
+		return nil
+	}
+	tags := make([]language.Tag, 0, len(s.index))
+	_, hasFallback := s.index[b.options.fallback]
+	offset := 0
+	if hasFallback {
+		tags = append(tags, b.options.fallback)
+		offset = 1
+	}
+	for t := range s.index {
+		if t != b.options.fallback {
+			tags = append(tags, t)
+		}
+	}
+	internal.SortTags(tags[offset:])
+	return tags
+}
diff --git a/vendor/golang.org/x/text/message/catalog/go19.go b/vendor/golang.org/x/text/message/catalog/go19.go
new file mode 100644
index 0000000000..291a4df949
--- /dev/null
+++ b/vendor/golang.org/x/text/message/catalog/go19.go
@@ -0,0 +1,15 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.9
+
+package catalog
+
+import "golang.org/x/text/internal/catmsg"
+
+// A Message holds a collection of translations for the same phrase that may
+// vary based on the values of substitution arguments.
+type Message = catmsg.Message
+
+type firstInSequence = catmsg.FirstOf
diff --git a/vendor/golang.org/x/text/message/catalog/gopre19.go b/vendor/golang.org/x/text/message/catalog/gopre19.go
new file mode 100644
index 0000000000..da44ebb8be
--- /dev/null
+++ b/vendor/golang.org/x/text/message/catalog/gopre19.go
@@ -0,0 +1,23 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.9
+
+package catalog
+
+import "golang.org/x/text/internal/catmsg"
+
+// A Message holds a collection of translations for the same phrase that may
+// vary based on the values of substitution arguments.
+type Message interface {
+	catmsg.Message
+}
+
+func firstInSequence(m []Message) catmsg.Message {
+	a := []catmsg.Message{}
+	for _, m := range m {
+		a = append(a, m)
+	}
+	return catmsg.FirstOf(a)
+}
diff --git a/vendor/golang.org/x/text/message/doc.go b/vendor/golang.org/x/text/message/doc.go
new file mode 100644
index 0000000000..4bf7bdcac3
--- /dev/null
+++ b/vendor/golang.org/x/text/message/doc.go
@@ -0,0 +1,99 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package message implements formatted I/O for localized strings with functions
+// analogous to the fmt's print functions. It is a drop-in replacement for fmt.
+//
+// # Localized Formatting
+//
+// A format string can be localized by replacing any of the print functions of
+// fmt with an equivalent call to a Printer.
+//
+//	p := message.NewPrinter(message.MatchLanguage("en"))
+//	p.Println(123456.78) // Prints 123,456.78
+//
+//	p.Printf("%d ducks in a row", 4331) // Prints 4,331 ducks in a row
+//
+//	p := message.NewPrinter(message.MatchLanguage("nl"))
+//	p.Printf("Hoogte: %.1f meter", 1244.9) // Prints Hoogte: 1,244.9 meter
+//
+//	p := message.NewPrinter(message.MatchLanguage("bn"))
+//	p.Println(123456.78) // Prints ১,২৩,৪৫৬.৭৮
+//
+// Printer currently supports numbers and specialized types for which packages
+// exist in x/text. Other builtin types such as time.Time and slices are
+// planned.
+//
+// Format strings largely have the same meaning as with fmt with the following
+// notable exceptions:
+//   - flag # always resorts to fmt for printing
+//   - verb 'f', 'e', 'g', 'd' use localized formatting unless the '#' flag is
+//     specified.
+//   - verb 'm' inserts a translation of a string argument.
+//
+// See package fmt for more options.
+//
+// # Translation
+//
+// The format strings that are passed to Printf, Sprintf, Fprintf, or Errorf
+// are used as keys to look up translations for the specified languages.
+// More on how these need to be specified below.
+//
+// One can use arbitrary keys to distinguish between otherwise ambiguous
+// strings:
+//
+//	p := message.NewPrinter(language.English)
+//	p.Printf("archive(noun)")  // Prints "archive"
+//	p.Printf("archive(verb)")  // Prints "archive"
+//
+//	p := message.NewPrinter(language.German)
+//	p.Printf("archive(noun)")  // Prints "Archiv"
+//	p.Printf("archive(verb)")  // Prints "archivieren"
+//
+// To retain the fallback functionality, use Key:
+//
+//	p.Printf(message.Key("archive(noun)", "archive"))
+//	p.Printf(message.Key("archive(verb)", "archive"))
+//
+// # Translation Pipeline
+//
+// Format strings that contain text need to be translated to support different
+// locales. The first step is to extract strings that need to be translated.
+//
+// 1. Install gotext
+//
+//	go get -u golang.org/x/text/cmd/gotext
+//	gotext -help
+//
+// 2. Mark strings in your source to be translated by using message.Printer,
+// instead of the functions of the fmt package.
+//
+// 3. Extract the strings from your source
+//
+//	gotext extract
+//
+// The output will be written to the textdata directory.
+//
+// 4. Send the files for translation
+//
+// It is planned to support multiple formats, but for now one will have to
+// rewrite the JSON output to the desired format.
+//
+// 5. Inject translations into program
+//
+// 6. Repeat from 2
+//
+// Right now this has to be done programmatically with calls to Set or
+// SetString. These functions as well as the methods defined in
+// see also package golang.org/x/text/message/catalog can be used to implement
+// either dynamic or static loading of messages.
+//
+// # Plural and Gender Forms
+//
+// Translated messages can vary based on the plural and gender forms of
+// substitution values. In general, it is up to the translators to provide
+// alternative translations for such forms. See the packages in
+// golang.org/x/text/feature and golang.org/x/text/message/catalog for more
+// information.
+package message
diff --git a/vendor/golang.org/x/text/message/format.go b/vendor/golang.org/x/text/message/format.go
new file mode 100644
index 0000000000..a47d17dd4d
--- /dev/null
+++ b/vendor/golang.org/x/text/message/format.go
@@ -0,0 +1,510 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package message
+
+import (
+	"bytes"
+	"strconv"
+	"unicode/utf8"
+
+	"golang.org/x/text/internal/format"
+)
+
+const (
+	ldigits = "0123456789abcdefx"
+	udigits = "0123456789ABCDEFX"
+)
+
+const (
+	signed   = true
+	unsigned = false
+)
+
+// A formatInfo is the raw formatter used by Printf etc.
+// It prints into a buffer that must be set up separately.
+type formatInfo struct {
+	buf *bytes.Buffer
+
+	format.Parser
+
+	// intbuf is large enough to store %b of an int64 with a sign and
+	// avoids padding at the end of the struct on 32 bit architectures.
+	intbuf [68]byte
+}
+
+func (f *formatInfo) init(buf *bytes.Buffer) {
+	f.ClearFlags()
+	f.buf = buf
+}
+
+// writePadding generates n bytes of padding.
+func (f *formatInfo) writePadding(n int) {
+	if n <= 0 { // No padding bytes needed.
+		return
+	}
+	f.buf.Grow(n)
+	// Decide which byte the padding should be filled with.
+	padByte := byte(' ')
+	if f.Zero {
+		padByte = byte('0')
+	}
+	// Fill padding with padByte.
+	for i := 0; i < n; i++ {
+		f.buf.WriteByte(padByte) // TODO: make more efficient.
+	}
+}
+
+// pad appends b to f.buf, padded on left (!f.minus) or right (f.minus).
+func (f *formatInfo) pad(b []byte) {
+	if !f.WidthPresent || f.Width == 0 {
+		f.buf.Write(b)
+		return
+	}
+	width := f.Width - utf8.RuneCount(b)
+	if !f.Minus {
+		// left padding
+		f.writePadding(width)
+		f.buf.Write(b)
+	} else {
+		// right padding
+		f.buf.Write(b)
+		f.writePadding(width)
+	}
+}
+
+// padString appends s to f.buf, padded on left (!f.minus) or right (f.minus).
+func (f *formatInfo) padString(s string) {
+	if !f.WidthPresent || f.Width == 0 {
+		f.buf.WriteString(s)
+		return
+	}
+	width := f.Width - utf8.RuneCountInString(s)
+	if !f.Minus {
+		// left padding
+		f.writePadding(width)
+		f.buf.WriteString(s)
+	} else {
+		// right padding
+		f.buf.WriteString(s)
+		f.writePadding(width)
+	}
+}
+
+// fmt_boolean formats a boolean.
+func (f *formatInfo) fmt_boolean(v bool) {
+	if v {
+		f.padString("true")
+	} else {
+		f.padString("false")
+	}
+}
+
+// fmt_unicode formats a uint64 as "U+0078" or with f.sharp set as "U+0078 'x'".
+func (f *formatInfo) fmt_unicode(u uint64) {
+	buf := f.intbuf[0:]
+
+	// With default precision set the maximum needed buf length is 18
+	// for formatting -1 with %#U ("U+FFFFFFFFFFFFFFFF") which fits
+	// into the already allocated intbuf with a capacity of 68 bytes.
+	prec := 4
+	if f.PrecPresent && f.Prec > 4 {
+		prec = f.Prec
+		// Compute space needed for "U+" , number, " '", character, "'".
+		width := 2 + prec + 2 + utf8.UTFMax + 1
+		if width > len(buf) {
+			buf = make([]byte, width)
+		}
+	}
+
+	// Format into buf, ending at buf[i]. Formatting numbers is easier right-to-left.
+	i := len(buf)
+
+	// For %#U we want to add a space and a quoted character at the end of the buffer.
+	if f.Sharp && u <= utf8.MaxRune && strconv.IsPrint(rune(u)) {
+		i--
+		buf[i] = '\''
+		i -= utf8.RuneLen(rune(u))
+		utf8.EncodeRune(buf[i:], rune(u))
+		i--
+		buf[i] = '\''
+		i--
+		buf[i] = ' '
+	}
+	// Format the Unicode code point u as a hexadecimal number.
+	for u >= 16 {
+		i--
+		buf[i] = udigits[u&0xF]
+		prec--
+		u >>= 4
+	}
+	i--
+	buf[i] = udigits[u]
+	prec--
+	// Add zeros in front of the number until requested precision is reached.
+	for prec > 0 {
+		i--
+		buf[i] = '0'
+		prec--
+	}
+	// Add a leading "U+".
+	i--
+	buf[i] = '+'
+	i--
+	buf[i] = 'U'
+
+	oldZero := f.Zero
+	f.Zero = false
+	f.pad(buf[i:])
+	f.Zero = oldZero
+}
+
+// fmt_integer formats signed and unsigned integers.
+func (f *formatInfo) fmt_integer(u uint64, base int, isSigned bool, digits string) {
+	negative := isSigned && int64(u) < 0
+	if negative {
+		u = -u
+	}
+
+	buf := f.intbuf[0:]
+	// The already allocated f.intbuf with a capacity of 68 bytes
+	// is large enough for integer formatting when no precision or width is set.
+	if f.WidthPresent || f.PrecPresent {
+		// Account 3 extra bytes for possible addition of a sign and "0x".
+		width := 3 + f.Width + f.Prec // wid and prec are always positive.
+		if width > len(buf) {
+			// We're going to need a bigger boat.
+			buf = make([]byte, width)
+		}
+	}
+
+	// Two ways to ask for extra leading zero digits: %.3d or %03d.
+	// If both are specified the f.zero flag is ignored and
+	// padding with spaces is used instead.
+	prec := 0
+	if f.PrecPresent {
+		prec = f.Prec
+		// Precision of 0 and value of 0 means "print nothing" but padding.
+		if prec == 0 && u == 0 {
+			oldZero := f.Zero
+			f.Zero = false
+			f.writePadding(f.Width)
+			f.Zero = oldZero
+			return
+		}
+	} else if f.Zero && f.WidthPresent {
+		prec = f.Width
+		if negative || f.Plus || f.Space {
+			prec-- // leave room for sign
+		}
+	}
+
+	// Because printing is easier right-to-left: format u into buf, ending at buf[i].
+	// We could make things marginally faster by splitting the 32-bit case out
+	// into a separate block but it's not worth the duplication, so u has 64 bits.
+	i := len(buf)
+	// Use constants for the division and modulo for more efficient code.
+	// Switch cases ordered by popularity.
+	switch base {
+	case 10:
+		for u >= 10 {
+			i--
+			next := u / 10
+			buf[i] = byte('0' + u - next*10)
+			u = next
+		}
+	case 16:
+		for u >= 16 {
+			i--
+			buf[i] = digits[u&0xF]
+			u >>= 4
+		}
+	case 8:
+		for u >= 8 {
+			i--
+			buf[i] = byte('0' + u&7)
+			u >>= 3
+		}
+	case 2:
+		for u >= 2 {
+			i--
+			buf[i] = byte('0' + u&1)
+			u >>= 1
+		}
+	default:
+		panic("fmt: unknown base; can't happen")
+	}
+	i--
+	buf[i] = digits[u]
+	for i > 0 && prec > len(buf)-i {
+		i--
+		buf[i] = '0'
+	}
+
+	// Various prefixes: 0x, -, etc.
+	if f.Sharp {
+		switch base {
+		case 8:
+			if buf[i] != '0' {
+				i--
+				buf[i] = '0'
+			}
+		case 16:
+			// Add a leading 0x or 0X.
+			i--
+			buf[i] = digits[16]
+			i--
+			buf[i] = '0'
+		}
+	}
+
+	if negative {
+		i--
+		buf[i] = '-'
+	} else if f.Plus {
+		i--
+		buf[i] = '+'
+	} else if f.Space {
+		i--
+		buf[i] = ' '
+	}
+
+	// Left padding with zeros has already been handled like precision earlier
+	// or the f.zero flag is ignored due to an explicitly set precision.
+	oldZero := f.Zero
+	f.Zero = false
+	f.pad(buf[i:])
+	f.Zero = oldZero
+}
+
+// truncate truncates the string to the specified precision, if present.
+func (f *formatInfo) truncate(s string) string {
+	if f.PrecPresent {
+		n := f.Prec
+		for i := range s {
+			n--
+			if n < 0 {
+				return s[:i]
+			}
+		}
+	}
+	return s
+}
+
+// fmt_s formats a string.
+func (f *formatInfo) fmt_s(s string) {
+	s = f.truncate(s)
+	f.padString(s)
+}
+
+// fmt_sbx formats a string or byte slice as a hexadecimal encoding of its bytes.
+func (f *formatInfo) fmt_sbx(s string, b []byte, digits string) {
+	length := len(b)
+	if b == nil {
+		// No byte slice present. Assume string s should be encoded.
+		length = len(s)
+	}
+	// Set length to not process more bytes than the precision demands.
+	if f.PrecPresent && f.Prec < length {
+		length = f.Prec
+	}
+	// Compute width of the encoding taking into account the f.sharp and f.space flag.
+	width := 2 * length
+	if width > 0 {
+		if f.Space {
+			// Each element encoded by two hexadecimals will get a leading 0x or 0X.
+			if f.Sharp {
+				width *= 2
+			}
+			// Elements will be separated by a space.
+			width += length - 1
+		} else if f.Sharp {
+			// Only a leading 0x or 0X will be added for the whole string.
+			width += 2
+		}
+	} else { // The byte slice or string that should be encoded is empty.
+		if f.WidthPresent {
+			f.writePadding(f.Width)
+		}
+		return
+	}
+	// Handle padding to the left.
+	if f.WidthPresent && f.Width > width && !f.Minus {
+		f.writePadding(f.Width - width)
+	}
+	// Write the encoding directly into the output buffer.
+	buf := f.buf
+	if f.Sharp {
+		// Add leading 0x or 0X.
+		buf.WriteByte('0')
+		buf.WriteByte(digits[16])
+	}
+	var c byte
+	for i := 0; i < length; i++ {
+		if f.Space && i > 0 {
+			// Separate elements with a space.
+			buf.WriteByte(' ')
+			if f.Sharp {
+				// Add leading 0x or 0X for each element.
+				buf.WriteByte('0')
+				buf.WriteByte(digits[16])
+			}
+		}
+		if b != nil {
+			c = b[i] // Take a byte from the input byte slice.
+		} else {
+			c = s[i] // Take a byte from the input string.
+		}
+		// Encode each byte as two hexadecimal digits.
+		buf.WriteByte(digits[c>>4])
+		buf.WriteByte(digits[c&0xF])
+	}
+	// Handle padding to the right.
+	if f.WidthPresent && f.Width > width && f.Minus {
+		f.writePadding(f.Width - width)
+	}
+}
+
+// fmt_sx formats a string as a hexadecimal encoding of its bytes.
+func (f *formatInfo) fmt_sx(s, digits string) {
+	f.fmt_sbx(s, nil, digits)
+}
+
+// fmt_bx formats a byte slice as a hexadecimal encoding of its bytes.
+func (f *formatInfo) fmt_bx(b []byte, digits string) {
+	f.fmt_sbx("", b, digits)
+}
+
+// fmt_q formats a string as a double-quoted, escaped Go string constant.
+// If f.sharp is set a raw (backquoted) string may be returned instead
+// if the string does not contain any control characters other than tab.
+func (f *formatInfo) fmt_q(s string) {
+	s = f.truncate(s)
+	if f.Sharp && strconv.CanBackquote(s) {
+		f.padString("`" + s + "`")
+		return
+	}
+	buf := f.intbuf[:0]
+	if f.Plus {
+		f.pad(strconv.AppendQuoteToASCII(buf, s))
+	} else {
+		f.pad(strconv.AppendQuote(buf, s))
+	}
+}
+
+// fmt_c formats an integer as a Unicode character.
+// If the character is not valid Unicode, it will print '\ufffd'.
+func (f *formatInfo) fmt_c(c uint64) {
+	r := rune(c)
+	if c > utf8.MaxRune {
+		r = utf8.RuneError
+	}
+	buf := f.intbuf[:0]
+	w := utf8.EncodeRune(buf[:utf8.UTFMax], r)
+	f.pad(buf[:w])
+}
+
+// fmt_qc formats an integer as a single-quoted, escaped Go character constant.
+// If the character is not valid Unicode, it will print '\ufffd'.
+func (f *formatInfo) fmt_qc(c uint64) {
+	r := rune(c)
+	if c > utf8.MaxRune {
+		r = utf8.RuneError
+	}
+	buf := f.intbuf[:0]
+	if f.Plus {
+		f.pad(strconv.AppendQuoteRuneToASCII(buf, r))
+	} else {
+		f.pad(strconv.AppendQuoteRune(buf, r))
+	}
+}
+
+// fmt_float formats a float64. It assumes that verb is a valid format specifier
+// for strconv.AppendFloat and therefore fits into a byte.
+func (f *formatInfo) fmt_float(v float64, size int, verb rune, prec int) {
+	// Explicit precision in format specifier overrules default precision.
+	if f.PrecPresent {
+		prec = f.Prec
+	}
+	// Format number, reserving space for leading + sign if needed.
+	num := strconv.AppendFloat(f.intbuf[:1], v, byte(verb), prec, size)
+	if num[1] == '-' || num[1] == '+' {
+		num = num[1:]
+	} else {
+		num[0] = '+'
+	}
+	// f.space means to add a leading space instead of a "+" sign unless
+	// the sign is explicitly asked for by f.plus.
+	if f.Space && num[0] == '+' && !f.Plus {
+		num[0] = ' '
+	}
+	// Special handling for infinities and NaN,
+	// which don't look like a number so shouldn't be padded with zeros.
+	if num[1] == 'I' || num[1] == 'N' {
+		oldZero := f.Zero
+		f.Zero = false
+		// Remove sign before NaN if not asked for.
+		if num[1] == 'N' && !f.Space && !f.Plus {
+			num = num[1:]
+		}
+		f.pad(num)
+		f.Zero = oldZero
+		return
+	}
+	// The sharp flag forces printing a decimal point for non-binary formats
+	// and retains trailing zeros, which we may need to restore.
+	if f.Sharp && verb != 'b' {
+		digits := 0
+		switch verb {
+		case 'v', 'g', 'G':
+			digits = prec
+			// If no precision is set explicitly use a precision of 6.
+			if digits == -1 {
+				digits = 6
+			}
+		}
+
+		// Buffer pre-allocated with enough room for
+		// exponent notations of the form "e+123".
+		var tailBuf [5]byte
+		tail := tailBuf[:0]
+
+		hasDecimalPoint := false
+		// Starting from i = 1 to skip sign at num[0].
+		for i := 1; i < len(num); i++ {
+			switch num[i] {
+			case '.':
+				hasDecimalPoint = true
+			case 'e', 'E':
+				tail = append(tail, num[i:]...)
+				num = num[:i]
+			default:
+				digits--
+			}
+		}
+		if !hasDecimalPoint {
+			num = append(num, '.')
+		}
+		for digits > 0 {
+			num = append(num, '0')
+			digits--
+		}
+		num = append(num, tail...)
+	}
+	// We want a sign if asked for and if the sign is not positive.
+	if f.Plus || num[0] != '+' {
+		// If we're zero padding to the left we want the sign before the leading zeros.
+		// Achieve this by writing the sign out and then padding the unsigned number.
+		if f.Zero && f.WidthPresent && f.Width > len(num) {
+			f.buf.WriteByte(num[0])
+			f.writePadding(f.Width - len(num))
+			f.buf.Write(num[1:])
+			return
+		}
+		f.pad(num)
+		return
+	}
+	// No sign to show and the number is positive; just print the unsigned number.
+	f.pad(num[1:])
+}
diff --git a/vendor/golang.org/x/text/message/message.go b/vendor/golang.org/x/text/message/message.go
new file mode 100644
index 0000000000..91a9726421
--- /dev/null
+++ b/vendor/golang.org/x/text/message/message.go
@@ -0,0 +1,192 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package message // import "golang.org/x/text/message"
+
+import (
+	"io"
+	"os"
+
+	// Include features to facilitate generated catalogs.
+	_ "golang.org/x/text/feature/plural"
+
+	"golang.org/x/text/internal/number"
+	"golang.org/x/text/language"
+	"golang.org/x/text/message/catalog"
+)
+
+// A Printer implements language-specific formatted I/O analogous to the fmt
+// package.
+type Printer struct {
+	// the language
+	tag language.Tag
+
+	toDecimal    number.Formatter
+	toScientific number.Formatter
+
+	cat catalog.Catalog
+}
+
+type options struct {
+	cat catalog.Catalog
+	// TODO:
+	// - allow %s to print integers in written form (tables are likely too large
+	//   to enable this by default).
+	// - list behavior
+	//
+}
+
+// An Option defines an option of a Printer.
+type Option func(o *options)
+
+// Catalog defines the catalog to be used.
+func Catalog(c catalog.Catalog) Option {
+	return func(o *options) { o.cat = c }
+}
+
+// NewPrinter returns a Printer that formats messages tailored to language t.
+func NewPrinter(t language.Tag, opts ...Option) *Printer {
+	options := &options{
+		cat: DefaultCatalog,
+	}
+	for _, o := range opts {
+		o(options)
+	}
+	p := &Printer{
+		tag: t,
+		cat: options.cat,
+	}
+	p.toDecimal.InitDecimal(t)
+	p.toScientific.InitScientific(t)
+	return p
+}
+
+// Sprint is like fmt.Sprint, but using language-specific formatting.
+func (p *Printer) Sprint(a ...interface{}) string {
+	pp := newPrinter(p)
+	pp.doPrint(a)
+	s := pp.String()
+	pp.free()
+	return s
+}
+
+// Fprint is like fmt.Fprint, but using language-specific formatting.
+func (p *Printer) Fprint(w io.Writer, a ...interface{}) (n int, err error) {
+	pp := newPrinter(p)
+	pp.doPrint(a)
+	n64, err := io.Copy(w, &pp.Buffer)
+	pp.free()
+	return int(n64), err
+}
+
+// Print is like fmt.Print, but using language-specific formatting.
+func (p *Printer) Print(a ...interface{}) (n int, err error) {
+	return p.Fprint(os.Stdout, a...)
+}
+
+// Sprintln is like fmt.Sprintln, but using language-specific formatting.
+func (p *Printer) Sprintln(a ...interface{}) string {
+	pp := newPrinter(p)
+	pp.doPrintln(a)
+	s := pp.String()
+	pp.free()
+	return s
+}
+
+// Fprintln is like fmt.Fprintln, but using language-specific formatting.
+func (p *Printer) Fprintln(w io.Writer, a ...interface{}) (n int, err error) {
+	pp := newPrinter(p)
+	pp.doPrintln(a)
+	n64, err := io.Copy(w, &pp.Buffer)
+	pp.free()
+	return int(n64), err
+}
+
+// Println is like fmt.Println, but using language-specific formatting.
+func (p *Printer) Println(a ...interface{}) (n int, err error) {
+	return p.Fprintln(os.Stdout, a...)
+}
+
+// Sprintf is like fmt.Sprintf, but using language-specific formatting.
+func (p *Printer) Sprintf(key Reference, a ...interface{}) string {
+	pp := newPrinter(p)
+	lookupAndFormat(pp, key, a)
+	s := pp.String()
+	pp.free()
+	return s
+}
+
+// Fprintf is like fmt.Fprintf, but using language-specific formatting.
+func (p *Printer) Fprintf(w io.Writer, key Reference, a ...interface{}) (n int, err error) {
+	pp := newPrinter(p)
+	lookupAndFormat(pp, key, a)
+	n, err = w.Write(pp.Bytes())
+	pp.free()
+	return n, err
+
+}
+
+// Printf is like fmt.Printf, but using language-specific formatting.
+func (p *Printer) Printf(key Reference, a ...interface{}) (n int, err error) {
+	pp := newPrinter(p)
+	lookupAndFormat(pp, key, a)
+	n, err = os.Stdout.Write(pp.Bytes())
+	pp.free()
+	return n, err
+}
+
+func lookupAndFormat(p *printer, r Reference, a []interface{}) {
+	p.fmt.Reset(a)
+	switch v := r.(type) {
+	case string:
+		if p.catContext.Execute(v) == catalog.ErrNotFound {
+			p.Render(v)
+			return
+		}
+	case key:
+		if p.catContext.Execute(v.id) == catalog.ErrNotFound &&
+			p.catContext.Execute(v.fallback) == catalog.ErrNotFound {
+			p.Render(v.fallback)
+			return
+		}
+	default:
+		panic("key argument is not a Reference")
+	}
+}
+
+type rawPrinter struct {
+	p *printer
+}
+
+func (p rawPrinter) Render(msg string)     { p.p.WriteString(msg) }
+func (p rawPrinter) Arg(i int) interface{} { return nil }
+
+// Arg implements catmsg.Renderer.
+func (p *printer) Arg(i int) interface{} { // TODO, also return "ok" bool
+	i--
+	if uint(i) < uint(len(p.fmt.Args)) {
+		return p.fmt.Args[i]
+	}
+	return nil
+}
+
+// Render implements catmsg.Renderer.
+func (p *printer) Render(msg string) {
+	p.doPrintf(msg)
+}
+
+// A Reference is a string or a message reference.
+type Reference interface {
+	// TODO: also allow []string
+}
+
+// Key creates a message Reference for a message where the given id is used for
+// message lookup and the fallback is returned when no matches are found.
+func Key(id string, fallback string) Reference {
+	return key{id, fallback}
+}
+
+type key struct {
+	id, fallback string
+}
diff --git a/vendor/golang.org/x/text/message/print.go b/vendor/golang.org/x/text/message/print.go
new file mode 100644
index 0000000000..da304cc0ed
--- /dev/null
+++ b/vendor/golang.org/x/text/message/print.go
@@ -0,0 +1,984 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package message
+
+import (
+	"bytes"
+	"fmt" // TODO: consider copying interfaces from package fmt to avoid dependency.
+	"math"
+	"reflect"
+	"sync"
+	"unicode/utf8"
+
+	"golang.org/x/text/internal/format"
+	"golang.org/x/text/internal/number"
+	"golang.org/x/text/language"
+	"golang.org/x/text/message/catalog"
+)
+
+// Strings for use with buffer.WriteString.
+// This is less overhead than using buffer.Write with byte arrays.
+const (
+	commaSpaceString  = ", "
+	nilAngleString    = "<nil>"
+	nilParenString    = "(nil)"
+	nilString         = "nil"
+	mapString         = "map["
+	percentBangString = "%!"
+	missingString     = "(MISSING)"
+	badIndexString    = "(BADINDEX)"
+	panicString       = "(PANIC="
+	extraString       = "%!(EXTRA "
+	badWidthString    = "%!(BADWIDTH)"
+	badPrecString     = "%!(BADPREC)"
+	noVerbString      = "%!(NOVERB)"
+
+	invReflectString = "<invalid reflect.Value>"
+)
+
+var printerPool = sync.Pool{
+	New: func() interface{} { return new(printer) },
+}
+
+// newPrinter allocates a new printer struct or grabs a cached one.
+func newPrinter(pp *Printer) *printer {
+	p := printerPool.Get().(*printer)
+	p.Printer = *pp
+	// TODO: cache most of the following call.
+	p.catContext = pp.cat.Context(pp.tag, p)
+
+	p.panicking = false
+	p.erroring = false
+	p.fmt.init(&p.Buffer)
+	return p
+}
+
+// free saves used printer structs in printerFree; avoids an allocation per invocation.
+func (p *printer) free() {
+	p.Buffer.Reset()
+	p.arg = nil
+	p.value = reflect.Value{}
+	printerPool.Put(p)
+}
+
+// printer is used to store a printer's state.
+// It implements "golang.org/x/text/internal/format".State.
+type printer struct {
+	Printer
+
+	// the context for looking up message translations
+	catContext *catalog.Context
+
+	// buffer for accumulating output.
+	bytes.Buffer
+
+	// arg holds the current item, as an interface{}.
+	arg interface{}
+	// value is used instead of arg for reflect values.
+	value reflect.Value
+
+	// fmt is used to format basic items such as integers or strings.
+	fmt formatInfo
+
+	// panicking is set by catchPanic to avoid infinite panic, recover, panic, ... recursion.
+	panicking bool
+	// erroring is set when printing an error string to guard against calling handleMethods.
+	erroring bool
+}
+
+// Language implements "golang.org/x/text/internal/format".State.
+func (p *printer) Language() language.Tag { return p.tag }
+
+func (p *printer) Width() (wid int, ok bool) { return p.fmt.Width, p.fmt.WidthPresent }
+
+func (p *printer) Precision() (prec int, ok bool) { return p.fmt.Prec, p.fmt.PrecPresent }
+
+func (p *printer) Flag(b int) bool {
+	switch b {
+	case '-':
+		return p.fmt.Minus
+	case '+':
+		return p.fmt.Plus || p.fmt.PlusV
+	case '#':
+		return p.fmt.Sharp || p.fmt.SharpV
+	case ' ':
+		return p.fmt.Space
+	case '0':
+		return p.fmt.Zero
+	}
+	return false
+}
+
+// getField gets the i'th field of the struct value.
+// If the field is itself is an interface, return a value for
+// the thing inside the interface, not the interface itself.
+func getField(v reflect.Value, i int) reflect.Value {
+	val := v.Field(i)
+	if val.Kind() == reflect.Interface && !val.IsNil() {
+		val = val.Elem()
+	}
+	return val
+}
+
+func (p *printer) unknownType(v reflect.Value) {
+	if !v.IsValid() {
+		p.WriteString(nilAngleString)
+		return
+	}
+	p.WriteByte('?')
+	p.WriteString(v.Type().String())
+	p.WriteByte('?')
+}
+
+func (p *printer) badVerb(verb rune) {
+	p.erroring = true
+	p.WriteString(percentBangString)
+	p.WriteRune(verb)
+	p.WriteByte('(')
+	switch {
+	case p.arg != nil:
+		p.WriteString(reflect.TypeOf(p.arg).String())
+		p.WriteByte('=')
+		p.printArg(p.arg, 'v')
+	case p.value.IsValid():
+		p.WriteString(p.value.Type().String())
+		p.WriteByte('=')
+		p.printValue(p.value, 'v', 0)
+	default:
+		p.WriteString(nilAngleString)
+	}
+	p.WriteByte(')')
+	p.erroring = false
+}
+
+func (p *printer) fmtBool(v bool, verb rune) {
+	switch verb {
+	case 't', 'v':
+		p.fmt.fmt_boolean(v)
+	default:
+		p.badVerb(verb)
+	}
+}
+
+// fmt0x64 formats a uint64 in hexadecimal and prefixes it with 0x or
+// not, as requested, by temporarily setting the sharp flag.
+func (p *printer) fmt0x64(v uint64, leading0x bool) {
+	sharp := p.fmt.Sharp
+	p.fmt.Sharp = leading0x
+	p.fmt.fmt_integer(v, 16, unsigned, ldigits)
+	p.fmt.Sharp = sharp
+}
+
+// fmtInteger formats a signed or unsigned integer.
+func (p *printer) fmtInteger(v uint64, isSigned bool, verb rune) {
+	switch verb {
+	case 'v':
+		if p.fmt.SharpV && !isSigned {
+			p.fmt0x64(v, true)
+			return
+		}
+		fallthrough
+	case 'd':
+		if p.fmt.Sharp || p.fmt.SharpV {
+			p.fmt.fmt_integer(v, 10, isSigned, ldigits)
+		} else {
+			p.fmtDecimalInt(v, isSigned)
+		}
+	case 'b':
+		p.fmt.fmt_integer(v, 2, isSigned, ldigits)
+	case 'o':
+		p.fmt.fmt_integer(v, 8, isSigned, ldigits)
+	case 'x':
+		p.fmt.fmt_integer(v, 16, isSigned, ldigits)
+	case 'X':
+		p.fmt.fmt_integer(v, 16, isSigned, udigits)
+	case 'c':
+		p.fmt.fmt_c(v)
+	case 'q':
+		if v <= utf8.MaxRune {
+			p.fmt.fmt_qc(v)
+		} else {
+			p.badVerb(verb)
+		}
+	case 'U':
+		p.fmt.fmt_unicode(v)
+	default:
+		p.badVerb(verb)
+	}
+}
+
+// fmtFloat formats a float. The default precision for each verb
+// is specified as last argument in the call to fmt_float.
+func (p *printer) fmtFloat(v float64, size int, verb rune) {
+	switch verb {
+	case 'b':
+		p.fmt.fmt_float(v, size, verb, -1)
+	case 'v':
+		verb = 'g'
+		fallthrough
+	case 'g', 'G':
+		if p.fmt.Sharp || p.fmt.SharpV {
+			p.fmt.fmt_float(v, size, verb, -1)
+		} else {
+			p.fmtVariableFloat(v, size)
+		}
+	case 'e', 'E':
+		if p.fmt.Sharp || p.fmt.SharpV {
+			p.fmt.fmt_float(v, size, verb, 6)
+		} else {
+			p.fmtScientific(v, size, 6)
+		}
+	case 'f', 'F':
+		if p.fmt.Sharp || p.fmt.SharpV {
+			p.fmt.fmt_float(v, size, verb, 6)
+		} else {
+			p.fmtDecimalFloat(v, size, 6)
+		}
+	default:
+		p.badVerb(verb)
+	}
+}
+
+func (p *printer) setFlags(f *number.Formatter) {
+	f.Flags &^= number.ElideSign
+	if p.fmt.Plus || p.fmt.Space {
+		f.Flags |= number.AlwaysSign
+		if !p.fmt.Plus {
+			f.Flags |= number.ElideSign
+		}
+	} else {
+		f.Flags &^= number.AlwaysSign
+	}
+}
+
+func (p *printer) updatePadding(f *number.Formatter) {
+	f.Flags &^= number.PadMask
+	if p.fmt.Minus {
+		f.Flags |= number.PadAfterSuffix
+	} else {
+		f.Flags |= number.PadBeforePrefix
+	}
+	f.PadRune = ' '
+	f.FormatWidth = uint16(p.fmt.Width)
+}
+
+func (p *printer) initDecimal(minFrac, maxFrac int) {
+	f := &p.toDecimal
+	f.MinIntegerDigits = 1
+	f.MaxIntegerDigits = 0
+	f.MinFractionDigits = uint8(minFrac)
+	f.MaxFractionDigits = int16(maxFrac)
+	p.setFlags(f)
+	f.PadRune = 0
+	if p.fmt.WidthPresent {
+		if p.fmt.Zero {
+			wid := p.fmt.Width
+			// Use significant integers for this.
+			// TODO: this is not the same as width, but so be it.
+			if f.MinFractionDigits > 0 {
+				wid -= 1 + int(f.MinFractionDigits)
+			}
+			if p.fmt.Plus || p.fmt.Space {
+				wid--
+			}
+			if wid > 0 && wid > int(f.MinIntegerDigits) {
+				f.MinIntegerDigits = uint8(wid)
+			}
+		}
+		p.updatePadding(f)
+	}
+}
+
+func (p *printer) initScientific(minFrac, maxFrac int) {
+	f := &p.toScientific
+	if maxFrac < 0 {
+		f.SetPrecision(maxFrac)
+	} else {
+		f.SetPrecision(maxFrac + 1)
+		f.MinFractionDigits = uint8(minFrac)
+		f.MaxFractionDigits = int16(maxFrac)
+	}
+	f.MinExponentDigits = 2
+	p.setFlags(f)
+	f.PadRune = 0
+	if p.fmt.WidthPresent {
+		f.Flags &^= number.PadMask
+		if p.fmt.Zero {
+			f.PadRune = f.Digit(0)
+			f.Flags |= number.PadAfterPrefix
+		} else {
+			f.PadRune = ' '
+			f.Flags |= number.PadBeforePrefix
+		}
+		p.updatePadding(f)
+	}
+}
+
+func (p *printer) fmtDecimalInt(v uint64, isSigned bool) {
+	var d number.Decimal
+
+	f := &p.toDecimal
+	if p.fmt.PrecPresent {
+		p.setFlags(f)
+		f.MinIntegerDigits = uint8(p.fmt.Prec)
+		f.MaxIntegerDigits = 0
+		f.MinFractionDigits = 0
+		f.MaxFractionDigits = 0
+		if p.fmt.WidthPresent {
+			p.updatePadding(f)
+		}
+	} else {
+		p.initDecimal(0, 0)
+	}
+	d.ConvertInt(p.toDecimal.RoundingContext, isSigned, v)
+
+	out := p.toDecimal.Format([]byte(nil), &d)
+	p.Buffer.Write(out)
+}
+
+func (p *printer) fmtDecimalFloat(v float64, size, prec int) {
+	var d number.Decimal
+	if p.fmt.PrecPresent {
+		prec = p.fmt.Prec
+	}
+	p.initDecimal(prec, prec)
+	d.ConvertFloat(p.toDecimal.RoundingContext, v, size)
+
+	out := p.toDecimal.Format([]byte(nil), &d)
+	p.Buffer.Write(out)
+}
+
+func (p *printer) fmtVariableFloat(v float64, size int) {
+	prec := -1
+	if p.fmt.PrecPresent {
+		prec = p.fmt.Prec
+	}
+	var d number.Decimal
+	p.initScientific(0, prec)
+	d.ConvertFloat(p.toScientific.RoundingContext, v, size)
+
+	// Copy logic of 'g' formatting from strconv. It is simplified a bit as
+	// we don't have to mind having prec > len(d.Digits).
+	shortest := prec < 0
+	ePrec := prec
+	if shortest {
+		prec = len(d.Digits)
+		ePrec = 6
+	} else if prec == 0 {
+		prec = 1
+		ePrec = 1
+	}
+	exp := int(d.Exp) - 1
+	if exp < -4 || exp >= ePrec {
+		p.initScientific(0, prec)
+
+		out := p.toScientific.Format([]byte(nil), &d)
+		p.Buffer.Write(out)
+	} else {
+		if prec > int(d.Exp) {
+			prec = len(d.Digits)
+		}
+		if prec -= int(d.Exp); prec < 0 {
+			prec = 0
+		}
+		p.initDecimal(0, prec)
+
+		out := p.toDecimal.Format([]byte(nil), &d)
+		p.Buffer.Write(out)
+	}
+}
+
+func (p *printer) fmtScientific(v float64, size, prec int) {
+	var d number.Decimal
+	if p.fmt.PrecPresent {
+		prec = p.fmt.Prec
+	}
+	p.initScientific(prec, prec)
+	rc := p.toScientific.RoundingContext
+	d.ConvertFloat(rc, v, size)
+
+	out := p.toScientific.Format([]byte(nil), &d)
+	p.Buffer.Write(out)
+
+}
+
+// fmtComplex formats a complex number v with
+// r = real(v) and j = imag(v) as (r+ji) using
+// fmtFloat for r and j formatting.
+func (p *printer) fmtComplex(v complex128, size int, verb rune) {
+	// Make sure any unsupported verbs are found before the
+	// calls to fmtFloat to not generate an incorrect error string.
+	switch verb {
+	case 'v', 'b', 'g', 'G', 'f', 'F', 'e', 'E':
+		p.WriteByte('(')
+		p.fmtFloat(real(v), size/2, verb)
+		// Imaginary part always has a sign.
+		if math.IsNaN(imag(v)) {
+			// By CLDR's rules, NaNs do not use patterns or signs. As this code
+			// relies on AlwaysSign working for imaginary parts, we need to
+			// manually handle NaNs.
+			f := &p.toScientific
+			p.setFlags(f)
+			p.updatePadding(f)
+			p.setFlags(f)
+			nan := f.Symbol(number.SymNan)
+			extra := 0
+			if w, ok := p.Width(); ok {
+				extra = w - utf8.RuneCountInString(nan) - 1
+			}
+			if f.Flags&number.PadAfterNumber == 0 {
+				for ; extra > 0; extra-- {
+					p.WriteRune(f.PadRune)
+				}
+			}
+			p.WriteString(f.Symbol(number.SymPlusSign))
+			p.WriteString(nan)
+			for ; extra > 0; extra-- {
+				p.WriteRune(f.PadRune)
+			}
+			p.WriteString("i)")
+			return
+		}
+		oldPlus := p.fmt.Plus
+		p.fmt.Plus = true
+		p.fmtFloat(imag(v), size/2, verb)
+		p.WriteString("i)") // TODO: use symbol?
+		p.fmt.Plus = oldPlus
+	default:
+		p.badVerb(verb)
+	}
+}
+
+func (p *printer) fmtString(v string, verb rune) {
+	switch verb {
+	case 'v':
+		if p.fmt.SharpV {
+			p.fmt.fmt_q(v)
+		} else {
+			p.fmt.fmt_s(v)
+		}
+	case 's':
+		p.fmt.fmt_s(v)
+	case 'x':
+		p.fmt.fmt_sx(v, ldigits)
+	case 'X':
+		p.fmt.fmt_sx(v, udigits)
+	case 'q':
+		p.fmt.fmt_q(v)
+	case 'm':
+		ctx := p.cat.Context(p.tag, rawPrinter{p})
+		if ctx.Execute(v) == catalog.ErrNotFound {
+			p.WriteString(v)
+		}
+	default:
+		p.badVerb(verb)
+	}
+}
+
+func (p *printer) fmtBytes(v []byte, verb rune, typeString string) {
+	switch verb {
+	case 'v', 'd':
+		if p.fmt.SharpV {
+			p.WriteString(typeString)
+			if v == nil {
+				p.WriteString(nilParenString)
+				return
+			}
+			p.WriteByte('{')
+			for i, c := range v {
+				if i > 0 {
+					p.WriteString(commaSpaceString)
+				}
+				p.fmt0x64(uint64(c), true)
+			}
+			p.WriteByte('}')
+		} else {
+			p.WriteByte('[')
+			for i, c := range v {
+				if i > 0 {
+					p.WriteByte(' ')
+				}
+				p.fmt.fmt_integer(uint64(c), 10, unsigned, ldigits)
+			}
+			p.WriteByte(']')
+		}
+	case 's':
+		p.fmt.fmt_s(string(v))
+	case 'x':
+		p.fmt.fmt_bx(v, ldigits)
+	case 'X':
+		p.fmt.fmt_bx(v, udigits)
+	case 'q':
+		p.fmt.fmt_q(string(v))
+	default:
+		p.printValue(reflect.ValueOf(v), verb, 0)
+	}
+}
+
+func (p *printer) fmtPointer(value reflect.Value, verb rune) {
+	var u uintptr
+	switch value.Kind() {
+	case reflect.Chan, reflect.Func, reflect.Map, reflect.Ptr, reflect.Slice, reflect.UnsafePointer:
+		u = value.Pointer()
+	default:
+		p.badVerb(verb)
+		return
+	}
+
+	switch verb {
+	case 'v':
+		if p.fmt.SharpV {
+			p.WriteByte('(')
+			p.WriteString(value.Type().String())
+			p.WriteString(")(")
+			if u == 0 {
+				p.WriteString(nilString)
+			} else {
+				p.fmt0x64(uint64(u), true)
+			}
+			p.WriteByte(')')
+		} else {
+			if u == 0 {
+				p.fmt.padString(nilAngleString)
+			} else {
+				p.fmt0x64(uint64(u), !p.fmt.Sharp)
+			}
+		}
+	case 'p':
+		p.fmt0x64(uint64(u), !p.fmt.Sharp)
+	case 'b', 'o', 'd', 'x', 'X':
+		if verb == 'd' {
+			p.fmt.Sharp = true // Print as standard go. TODO: does this make sense?
+		}
+		p.fmtInteger(uint64(u), unsigned, verb)
+	default:
+		p.badVerb(verb)
+	}
+}
+
+func (p *printer) catchPanic(arg interface{}, verb rune) {
+	if err := recover(); err != nil {
+		// If it's a nil pointer, just say "<nil>". The likeliest causes are a
+		// Stringer that fails to guard against nil or a nil pointer for a
+		// value receiver, and in either case, "<nil>" is a nice result.
+		if v := reflect.ValueOf(arg); v.Kind() == reflect.Ptr && v.IsNil() {
+			p.WriteString(nilAngleString)
+			return
+		}
+		// Otherwise print a concise panic message. Most of the time the panic
+		// value will print itself nicely.
+		if p.panicking {
+			// Nested panics; the recursion in printArg cannot succeed.
+			panic(err)
+		}
+
+		oldFlags := p.fmt.Parser
+		// For this output we want default behavior.
+		p.fmt.ClearFlags()
+
+		p.WriteString(percentBangString)
+		p.WriteRune(verb)
+		p.WriteString(panicString)
+		p.panicking = true
+		p.printArg(err, 'v')
+		p.panicking = false
+		p.WriteByte(')')
+
+		p.fmt.Parser = oldFlags
+	}
+}
+
+func (p *printer) handleMethods(verb rune) (handled bool) {
+	if p.erroring {
+		return
+	}
+	// Is it a Formatter?
+	if formatter, ok := p.arg.(format.Formatter); ok {
+		handled = true
+		defer p.catchPanic(p.arg, verb)
+		formatter.Format(p, verb)
+		return
+	}
+	if formatter, ok := p.arg.(fmt.Formatter); ok {
+		handled = true
+		defer p.catchPanic(p.arg, verb)
+		formatter.Format(p, verb)
+		return
+	}
+
+	// If we're doing Go syntax and the argument knows how to supply it, take care of it now.
+	if p.fmt.SharpV {
+		if stringer, ok := p.arg.(fmt.GoStringer); ok {
+			handled = true
+			defer p.catchPanic(p.arg, verb)
+			// Print the result of GoString unadorned.
+			p.fmt.fmt_s(stringer.GoString())
+			return
+		}
+	} else {
+		// If a string is acceptable according to the format, see if
+		// the value satisfies one of the string-valued interfaces.
+		// Println etc. set verb to %v, which is "stringable".
+		switch verb {
+		case 'v', 's', 'x', 'X', 'q':
+			// Is it an error or Stringer?
+			// The duplication in the bodies is necessary:
+			// setting handled and deferring catchPanic
+			// must happen before calling the method.
+			switch v := p.arg.(type) {
+			case error:
+				handled = true
+				defer p.catchPanic(p.arg, verb)
+				p.fmtString(v.Error(), verb)
+				return
+
+			case fmt.Stringer:
+				handled = true
+				defer p.catchPanic(p.arg, verb)
+				p.fmtString(v.String(), verb)
+				return
+			}
+		}
+	}
+	return false
+}
+
+func (p *printer) printArg(arg interface{}, verb rune) {
+	p.arg = arg
+	p.value = reflect.Value{}
+
+	if arg == nil {
+		switch verb {
+		case 'T', 'v':
+			p.fmt.padString(nilAngleString)
+		default:
+			p.badVerb(verb)
+		}
+		return
+	}
+
+	// Special processing considerations.
+	// %T (the value's type) and %p (its address) are special; we always do them first.
+	switch verb {
+	case 'T':
+		p.fmt.fmt_s(reflect.TypeOf(arg).String())
+		return
+	case 'p':
+		p.fmtPointer(reflect.ValueOf(arg), 'p')
+		return
+	}
+
+	// Some types can be done without reflection.
+	switch f := arg.(type) {
+	case bool:
+		p.fmtBool(f, verb)
+	case float32:
+		p.fmtFloat(float64(f), 32, verb)
+	case float64:
+		p.fmtFloat(f, 64, verb)
+	case complex64:
+		p.fmtComplex(complex128(f), 64, verb)
+	case complex128:
+		p.fmtComplex(f, 128, verb)
+	case int:
+		p.fmtInteger(uint64(f), signed, verb)
+	case int8:
+		p.fmtInteger(uint64(f), signed, verb)
+	case int16:
+		p.fmtInteger(uint64(f), signed, verb)
+	case int32:
+		p.fmtInteger(uint64(f), signed, verb)
+	case int64:
+		p.fmtInteger(uint64(f), signed, verb)
+	case uint:
+		p.fmtInteger(uint64(f), unsigned, verb)
+	case uint8:
+		p.fmtInteger(uint64(f), unsigned, verb)
+	case uint16:
+		p.fmtInteger(uint64(f), unsigned, verb)
+	case uint32:
+		p.fmtInteger(uint64(f), unsigned, verb)
+	case uint64:
+		p.fmtInteger(f, unsigned, verb)
+	case uintptr:
+		p.fmtInteger(uint64(f), unsigned, verb)
+	case string:
+		p.fmtString(f, verb)
+	case []byte:
+		p.fmtBytes(f, verb, "[]byte")
+	case reflect.Value:
+		// Handle extractable values with special methods
+		// since printValue does not handle them at depth 0.
+		if f.IsValid() && f.CanInterface() {
+			p.arg = f.Interface()
+			if p.handleMethods(verb) {
+				return
+			}
+		}
+		p.printValue(f, verb, 0)
+	default:
+		// If the type is not simple, it might have methods.
+		if !p.handleMethods(verb) {
+			// Need to use reflection, since the type had no
+			// interface methods that could be used for formatting.
+			p.printValue(reflect.ValueOf(f), verb, 0)
+		}
+	}
+}
+
+// printValue is similar to printArg but starts with a reflect value, not an interface{} value.
+// It does not handle 'p' and 'T' verbs because these should have been already handled by printArg.
+func (p *printer) printValue(value reflect.Value, verb rune, depth int) {
+	// Handle values with special methods if not already handled by printArg (depth == 0).
+	if depth > 0 && value.IsValid() && value.CanInterface() {
+		p.arg = value.Interface()
+		if p.handleMethods(verb) {
+			return
+		}
+	}
+	p.arg = nil
+	p.value = value
+
+	switch f := value; value.Kind() {
+	case reflect.Invalid:
+		if depth == 0 {
+			p.WriteString(invReflectString)
+		} else {
+			switch verb {
+			case 'v':
+				p.WriteString(nilAngleString)
+			default:
+				p.badVerb(verb)
+			}
+		}
+	case reflect.Bool:
+		p.fmtBool(f.Bool(), verb)
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		p.fmtInteger(uint64(f.Int()), signed, verb)
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		p.fmtInteger(f.Uint(), unsigned, verb)
+	case reflect.Float32:
+		p.fmtFloat(f.Float(), 32, verb)
+	case reflect.Float64:
+		p.fmtFloat(f.Float(), 64, verb)
+	case reflect.Complex64:
+		p.fmtComplex(f.Complex(), 64, verb)
+	case reflect.Complex128:
+		p.fmtComplex(f.Complex(), 128, verb)
+	case reflect.String:
+		p.fmtString(f.String(), verb)
+	case reflect.Map:
+		if p.fmt.SharpV {
+			p.WriteString(f.Type().String())
+			if f.IsNil() {
+				p.WriteString(nilParenString)
+				return
+			}
+			p.WriteByte('{')
+		} else {
+			p.WriteString(mapString)
+		}
+		keys := f.MapKeys()
+		for i, key := range keys {
+			if i > 0 {
+				if p.fmt.SharpV {
+					p.WriteString(commaSpaceString)
+				} else {
+					p.WriteByte(' ')
+				}
+			}
+			p.printValue(key, verb, depth+1)
+			p.WriteByte(':')
+			p.printValue(f.MapIndex(key), verb, depth+1)
+		}
+		if p.fmt.SharpV {
+			p.WriteByte('}')
+		} else {
+			p.WriteByte(']')
+		}
+	case reflect.Struct:
+		if p.fmt.SharpV {
+			p.WriteString(f.Type().String())
+		}
+		p.WriteByte('{')
+		for i := 0; i < f.NumField(); i++ {
+			if i > 0 {
+				if p.fmt.SharpV {
+					p.WriteString(commaSpaceString)
+				} else {
+					p.WriteByte(' ')
+				}
+			}
+			if p.fmt.PlusV || p.fmt.SharpV {
+				if name := f.Type().Field(i).Name; name != "" {
+					p.WriteString(name)
+					p.WriteByte(':')
+				}
+			}
+			p.printValue(getField(f, i), verb, depth+1)
+		}
+		p.WriteByte('}')
+	case reflect.Interface:
+		value := f.Elem()
+		if !value.IsValid() {
+			if p.fmt.SharpV {
+				p.WriteString(f.Type().String())
+				p.WriteString(nilParenString)
+			} else {
+				p.WriteString(nilAngleString)
+			}
+		} else {
+			p.printValue(value, verb, depth+1)
+		}
+	case reflect.Array, reflect.Slice:
+		switch verb {
+		case 's', 'q', 'x', 'X':
+			// Handle byte and uint8 slices and arrays special for the above verbs.
+			t := f.Type()
+			if t.Elem().Kind() == reflect.Uint8 {
+				var bytes []byte
+				if f.Kind() == reflect.Slice {
+					bytes = f.Bytes()
+				} else if f.CanAddr() {
+					bytes = f.Slice(0, f.Len()).Bytes()
+				} else {
+					// We have an array, but we cannot Slice() a non-addressable array,
+					// so we build a slice by hand. This is a rare case but it would be nice
+					// if reflection could help a little more.
+					bytes = make([]byte, f.Len())
+					for i := range bytes {
+						bytes[i] = byte(f.Index(i).Uint())
+					}
+				}
+				p.fmtBytes(bytes, verb, t.String())
+				return
+			}
+		}
+		if p.fmt.SharpV {
+			p.WriteString(f.Type().String())
+			if f.Kind() == reflect.Slice && f.IsNil() {
+				p.WriteString(nilParenString)
+				return
+			}
+			p.WriteByte('{')
+			for i := 0; i < f.Len(); i++ {
+				if i > 0 {
+					p.WriteString(commaSpaceString)
+				}
+				p.printValue(f.Index(i), verb, depth+1)
+			}
+			p.WriteByte('}')
+		} else {
+			p.WriteByte('[')
+			for i := 0; i < f.Len(); i++ {
+				if i > 0 {
+					p.WriteByte(' ')
+				}
+				p.printValue(f.Index(i), verb, depth+1)
+			}
+			p.WriteByte(']')
+		}
+	case reflect.Ptr:
+		// pointer to array or slice or struct?  ok at top level
+		// but not embedded (avoid loops)
+		if depth == 0 && f.Pointer() != 0 {
+			switch a := f.Elem(); a.Kind() {
+			case reflect.Array, reflect.Slice, reflect.Struct, reflect.Map:
+				p.WriteByte('&')
+				p.printValue(a, verb, depth+1)
+				return
+			}
+		}
+		fallthrough
+	case reflect.Chan, reflect.Func, reflect.UnsafePointer:
+		p.fmtPointer(f, verb)
+	default:
+		p.unknownType(f)
+	}
+}
+
+func (p *printer) badArgNum(verb rune) {
+	p.WriteString(percentBangString)
+	p.WriteRune(verb)
+	p.WriteString(badIndexString)
+}
+
+func (p *printer) missingArg(verb rune) {
+	p.WriteString(percentBangString)
+	p.WriteRune(verb)
+	p.WriteString(missingString)
+}
+
+func (p *printer) doPrintf(fmt string) {
+	for p.fmt.Parser.SetFormat(fmt); p.fmt.Scan(); {
+		switch p.fmt.Status {
+		case format.StatusText:
+			p.WriteString(p.fmt.Text())
+		case format.StatusSubstitution:
+			p.printArg(p.Arg(p.fmt.ArgNum), p.fmt.Verb)
+		case format.StatusBadWidthSubstitution:
+			p.WriteString(badWidthString)
+			p.printArg(p.Arg(p.fmt.ArgNum), p.fmt.Verb)
+		case format.StatusBadPrecSubstitution:
+			p.WriteString(badPrecString)
+			p.printArg(p.Arg(p.fmt.ArgNum), p.fmt.Verb)
+		case format.StatusNoVerb:
+			p.WriteString(noVerbString)
+		case format.StatusBadArgNum:
+			p.badArgNum(p.fmt.Verb)
+		case format.StatusMissingArg:
+			p.missingArg(p.fmt.Verb)
+		default:
+			panic("unreachable")
+		}
+	}
+
+	// Check for extra arguments, but only if there was at least one ordered
+	// argument. Note that this behavior is necessarily different from fmt:
+	// different variants of messages may opt to drop some or all of the
+	// arguments.
+	if !p.fmt.Reordered && p.fmt.ArgNum < len(p.fmt.Args) && p.fmt.ArgNum != 0 {
+		p.fmt.ClearFlags()
+		p.WriteString(extraString)
+		for i, arg := range p.fmt.Args[p.fmt.ArgNum:] {
+			if i > 0 {
+				p.WriteString(commaSpaceString)
+			}
+			if arg == nil {
+				p.WriteString(nilAngleString)
+			} else {
+				p.WriteString(reflect.TypeOf(arg).String())
+				p.WriteString("=")
+				p.printArg(arg, 'v')
+			}
+		}
+		p.WriteByte(')')
+	}
+}
+
+func (p *printer) doPrint(a []interface{}) {
+	prevString := false
+	for argNum, arg := range a {
+		isString := arg != nil && reflect.TypeOf(arg).Kind() == reflect.String
+		// Add a space between two non-string arguments.
+		if argNum > 0 && !isString && !prevString {
+			p.WriteByte(' ')
+		}
+		p.printArg(arg, 'v')
+		prevString = isString
+	}
+}
+
+// doPrintln is like doPrint but always adds a space between arguments
+// and a newline after the last argument.
+func (p *printer) doPrintln(a []interface{}) {
+	for argNum, arg := range a {
+		if argNum > 0 {
+			p.WriteByte(' ')
+		}
+		p.printArg(arg, 'v')
+	}
+	p.WriteByte('\n')
+}
diff --git a/vendor/golang.org/x/text/runes/cond.go b/vendor/golang.org/x/text/runes/cond.go
new file mode 100644
index 0000000000..df7aa02db6
--- /dev/null
+++ b/vendor/golang.org/x/text/runes/cond.go
@@ -0,0 +1,187 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package runes
+
+import (
+	"unicode/utf8"
+
+	"golang.org/x/text/transform"
+)
+
+// Note: below we pass invalid UTF-8 to the tIn and tNotIn transformers as is.
+// This is done for various reasons:
+// - To retain the semantics of the Nop transformer: if input is passed to a Nop
+//   one would expect it to be unchanged.
+// - It would be very expensive to pass a converted RuneError to a transformer:
+//   a transformer might need more source bytes after RuneError, meaning that
+//   the only way to pass it safely is to create a new buffer and manage the
+//   intermingling of RuneErrors and normal input.
+// - Many transformers leave ill-formed UTF-8 as is, so this is not
+//   inconsistent. Generally ill-formed UTF-8 is only replaced if it is a
+//   logical consequence of the operation (as for Map) or if it otherwise would
+//   pose security concerns (as for Remove).
+// - An alternative would be to return an error on ill-formed UTF-8, but this
+//   would be inconsistent with other operations.
+
+// If returns a transformer that applies tIn to consecutive runes for which
+// s.Contains(r) and tNotIn to consecutive runes for which !s.Contains(r). Reset
+// is called on tIn and tNotIn at the start of each run. A Nop transformer will
+// substitute a nil value passed to tIn or tNotIn. Invalid UTF-8 is translated
+// to RuneError to determine which transformer to apply, but is passed as is to
+// the respective transformer.
+func If(s Set, tIn, tNotIn transform.Transformer) Transformer {
+	if tIn == nil && tNotIn == nil {
+		return Transformer{transform.Nop}
+	}
+	if tIn == nil {
+		tIn = transform.Nop
+	}
+	if tNotIn == nil {
+		tNotIn = transform.Nop
+	}
+	sIn, ok := tIn.(transform.SpanningTransformer)
+	if !ok {
+		sIn = dummySpan{tIn}
+	}
+	sNotIn, ok := tNotIn.(transform.SpanningTransformer)
+	if !ok {
+		sNotIn = dummySpan{tNotIn}
+	}
+
+	a := &cond{
+		tIn:    sIn,
+		tNotIn: sNotIn,
+		f:      s.Contains,
+	}
+	a.Reset()
+	return Transformer{a}
+}
+
+type dummySpan struct{ transform.Transformer }
+
+func (d dummySpan) Span(src []byte, atEOF bool) (n int, err error) {
+	return 0, transform.ErrEndOfSpan
+}
+
+type cond struct {
+	tIn, tNotIn transform.SpanningTransformer
+	f           func(rune) bool
+	check       func(rune) bool               // current check to perform
+	t           transform.SpanningTransformer // current transformer to use
+}
+
+// Reset implements transform.Transformer.
+func (t *cond) Reset() {
+	t.check = t.is
+	t.t = t.tIn
+	t.t.Reset() // notIn will be reset on first usage.
+}
+
+func (t *cond) is(r rune) bool {
+	if t.f(r) {
+		return true
+	}
+	t.check = t.isNot
+	t.t = t.tNotIn
+	t.tNotIn.Reset()
+	return false
+}
+
+func (t *cond) isNot(r rune) bool {
+	if !t.f(r) {
+		return true
+	}
+	t.check = t.is
+	t.t = t.tIn
+	t.tIn.Reset()
+	return false
+}
+
+// This implementation of Span doesn't help all too much, but it needs to be
+// there to satisfy this package's Transformer interface.
+// TODO: there are certainly room for improvements, though. For example, if
+// t.t == transform.Nop (which will a common occurrence) it will save a bundle
+// to special-case that loop.
+func (t *cond) Span(src []byte, atEOF bool) (n int, err error) {
+	p := 0
+	for n < len(src) && err == nil {
+		// Don't process too much at a time as the Spanner that will be
+		// called on this block may terminate early.
+		const maxChunk = 4096
+		max := len(src)
+		if v := n + maxChunk; v < max {
+			max = v
+		}
+		atEnd := false
+		size := 0
+		current := t.t
+		for ; p < max; p += size {
+			r := rune(src[p])
+			if r < utf8.RuneSelf {
+				size = 1
+			} else if r, size = utf8.DecodeRune(src[p:]); size == 1 {
+				if !atEOF && !utf8.FullRune(src[p:]) {
+					err = transform.ErrShortSrc
+					break
+				}
+			}
+			if !t.check(r) {
+				// The next rune will be the start of a new run.
+				atEnd = true
+				break
+			}
+		}
+		n2, err2 := current.Span(src[n:p], atEnd || (atEOF && p == len(src)))
+		n += n2
+		if err2 != nil {
+			return n, err2
+		}
+		// At this point either err != nil or t.check will pass for the rune at p.
+		p = n + size
+	}
+	return n, err
+}
+
+func (t *cond) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	p := 0
+	for nSrc < len(src) && err == nil {
+		// Don't process too much at a time, as the work might be wasted if the
+		// destination buffer isn't large enough to hold the result or a
+		// transform returns an error early.
+		const maxChunk = 4096
+		max := len(src)
+		if n := nSrc + maxChunk; n < len(src) {
+			max = n
+		}
+		atEnd := false
+		size := 0
+		current := t.t
+		for ; p < max; p += size {
+			r := rune(src[p])
+			if r < utf8.RuneSelf {
+				size = 1
+			} else if r, size = utf8.DecodeRune(src[p:]); size == 1 {
+				if !atEOF && !utf8.FullRune(src[p:]) {
+					err = transform.ErrShortSrc
+					break
+				}
+			}
+			if !t.check(r) {
+				// The next rune will be the start of a new run.
+				atEnd = true
+				break
+			}
+		}
+		nDst2, nSrc2, err2 := current.Transform(dst[nDst:], src[nSrc:p], atEnd || (atEOF && p == len(src)))
+		nDst += nDst2
+		nSrc += nSrc2
+		if err2 != nil {
+			return nDst, nSrc, err2
+		}
+		// At this point either err != nil or t.check will pass for the rune at p.
+		p = nSrc + size
+	}
+	return nDst, nSrc, err
+}
diff --git a/vendor/golang.org/x/text/runes/runes.go b/vendor/golang.org/x/text/runes/runes.go
new file mode 100644
index 0000000000..930e87fedb
--- /dev/null
+++ b/vendor/golang.org/x/text/runes/runes.go
@@ -0,0 +1,355 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package runes provide transforms for UTF-8 encoded text.
+package runes // import "golang.org/x/text/runes"
+
+import (
+	"unicode"
+	"unicode/utf8"
+
+	"golang.org/x/text/transform"
+)
+
+// A Set is a collection of runes.
+type Set interface {
+	// Contains returns true if r is contained in the set.
+	Contains(r rune) bool
+}
+
+type setFunc func(rune) bool
+
+func (s setFunc) Contains(r rune) bool {
+	return s(r)
+}
+
+// Note: using funcs here instead of wrapping types result in cleaner
+// documentation and a smaller API.
+
+// In creates a Set with a Contains method that returns true for all runes in
+// the given RangeTable.
+func In(rt *unicode.RangeTable) Set {
+	return setFunc(func(r rune) bool { return unicode.Is(rt, r) })
+}
+
+// NotIn creates a Set with a Contains method that returns true for all runes not
+// in the given RangeTable.
+func NotIn(rt *unicode.RangeTable) Set {
+	return setFunc(func(r rune) bool { return !unicode.Is(rt, r) })
+}
+
+// Predicate creates a Set with a Contains method that returns f(r).
+func Predicate(f func(rune) bool) Set {
+	return setFunc(f)
+}
+
+// Transformer implements the transform.Transformer interface.
+type Transformer struct {
+	t transform.SpanningTransformer
+}
+
+func (t Transformer) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	return t.t.Transform(dst, src, atEOF)
+}
+
+func (t Transformer) Span(b []byte, atEOF bool) (n int, err error) {
+	return t.t.Span(b, atEOF)
+}
+
+func (t Transformer) Reset() { t.t.Reset() }
+
+// Bytes returns a new byte slice with the result of converting b using t.  It
+// calls Reset on t. It returns nil if any error was found. This can only happen
+// if an error-producing Transformer is passed to If.
+func (t Transformer) Bytes(b []byte) []byte {
+	b, _, err := transform.Bytes(t, b)
+	if err != nil {
+		return nil
+	}
+	return b
+}
+
+// String returns a string with the result of converting s using t. It calls
+// Reset on t. It returns the empty string if any error was found. This can only
+// happen if an error-producing Transformer is passed to If.
+func (t Transformer) String(s string) string {
+	s, _, err := transform.String(t, s)
+	if err != nil {
+		return ""
+	}
+	return s
+}
+
+// TODO:
+// - Copy: copying strings and bytes in whole-rune units.
+// - Validation (maybe)
+// - Well-formed-ness (maybe)
+
+const runeErrorString = string(utf8.RuneError)
+
+// Remove returns a Transformer that removes runes r for which s.Contains(r).
+// Illegal input bytes are replaced by RuneError before being passed to f.
+func Remove(s Set) Transformer {
+	if f, ok := s.(setFunc); ok {
+		// This little trick cuts the running time of BenchmarkRemove for sets
+		// created by Predicate roughly in half.
+		// TODO: special-case RangeTables as well.
+		return Transformer{remove(f)}
+	}
+	return Transformer{remove(s.Contains)}
+}
+
+// TODO: remove transform.RemoveFunc.
+
+type remove func(r rune) bool
+
+func (remove) Reset() {}
+
+// Span implements transform.Spanner.
+func (t remove) Span(src []byte, atEOF bool) (n int, err error) {
+	for r, size := rune(0), 0; n < len(src); {
+		if r = rune(src[n]); r < utf8.RuneSelf {
+			size = 1
+		} else if r, size = utf8.DecodeRune(src[n:]); size == 1 {
+			// Invalid rune.
+			if !atEOF && !utf8.FullRune(src[n:]) {
+				err = transform.ErrShortSrc
+			} else {
+				err = transform.ErrEndOfSpan
+			}
+			break
+		}
+		if t(r) {
+			err = transform.ErrEndOfSpan
+			break
+		}
+		n += size
+	}
+	return
+}
+
+// Transform implements transform.Transformer.
+func (t remove) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	for r, size := rune(0), 0; nSrc < len(src); {
+		if r = rune(src[nSrc]); r < utf8.RuneSelf {
+			size = 1
+		} else if r, size = utf8.DecodeRune(src[nSrc:]); size == 1 {
+			// Invalid rune.
+			if !atEOF && !utf8.FullRune(src[nSrc:]) {
+				err = transform.ErrShortSrc
+				break
+			}
+			// We replace illegal bytes with RuneError. Not doing so might
+			// otherwise turn a sequence of invalid UTF-8 into valid UTF-8.
+			// The resulting byte sequence may subsequently contain runes
+			// for which t(r) is true that were passed unnoticed.
+			if !t(utf8.RuneError) {
+				if nDst+3 > len(dst) {
+					err = transform.ErrShortDst
+					break
+				}
+				dst[nDst+0] = runeErrorString[0]
+				dst[nDst+1] = runeErrorString[1]
+				dst[nDst+2] = runeErrorString[2]
+				nDst += 3
+			}
+			nSrc++
+			continue
+		}
+		if t(r) {
+			nSrc += size
+			continue
+		}
+		if nDst+size > len(dst) {
+			err = transform.ErrShortDst
+			break
+		}
+		for i := 0; i < size; i++ {
+			dst[nDst] = src[nSrc]
+			nDst++
+			nSrc++
+		}
+	}
+	return
+}
+
+// Map returns a Transformer that maps the runes in the input using the given
+// mapping. Illegal bytes in the input are converted to utf8.RuneError before
+// being passed to the mapping func.
+func Map(mapping func(rune) rune) Transformer {
+	return Transformer{mapper(mapping)}
+}
+
+type mapper func(rune) rune
+
+func (mapper) Reset() {}
+
+// Span implements transform.Spanner.
+func (t mapper) Span(src []byte, atEOF bool) (n int, err error) {
+	for r, size := rune(0), 0; n < len(src); n += size {
+		if r = rune(src[n]); r < utf8.RuneSelf {
+			size = 1
+		} else if r, size = utf8.DecodeRune(src[n:]); size == 1 {
+			// Invalid rune.
+			if !atEOF && !utf8.FullRune(src[n:]) {
+				err = transform.ErrShortSrc
+			} else {
+				err = transform.ErrEndOfSpan
+			}
+			break
+		}
+		if t(r) != r {
+			err = transform.ErrEndOfSpan
+			break
+		}
+	}
+	return n, err
+}
+
+// Transform implements transform.Transformer.
+func (t mapper) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	var replacement rune
+	var b [utf8.UTFMax]byte
+
+	for r, size := rune(0), 0; nSrc < len(src); {
+		if r = rune(src[nSrc]); r < utf8.RuneSelf {
+			if replacement = t(r); replacement < utf8.RuneSelf {
+				if nDst == len(dst) {
+					err = transform.ErrShortDst
+					break
+				}
+				dst[nDst] = byte(replacement)
+				nDst++
+				nSrc++
+				continue
+			}
+			size = 1
+		} else if r, size = utf8.DecodeRune(src[nSrc:]); size == 1 {
+			// Invalid rune.
+			if !atEOF && !utf8.FullRune(src[nSrc:]) {
+				err = transform.ErrShortSrc
+				break
+			}
+
+			if replacement = t(utf8.RuneError); replacement == utf8.RuneError {
+				if nDst+3 > len(dst) {
+					err = transform.ErrShortDst
+					break
+				}
+				dst[nDst+0] = runeErrorString[0]
+				dst[nDst+1] = runeErrorString[1]
+				dst[nDst+2] = runeErrorString[2]
+				nDst += 3
+				nSrc++
+				continue
+			}
+		} else if replacement = t(r); replacement == r {
+			if nDst+size > len(dst) {
+				err = transform.ErrShortDst
+				break
+			}
+			for i := 0; i < size; i++ {
+				dst[nDst] = src[nSrc]
+				nDst++
+				nSrc++
+			}
+			continue
+		}
+
+		n := utf8.EncodeRune(b[:], replacement)
+
+		if nDst+n > len(dst) {
+			err = transform.ErrShortDst
+			break
+		}
+		for i := 0; i < n; i++ {
+			dst[nDst] = b[i]
+			nDst++
+		}
+		nSrc += size
+	}
+	return
+}
+
+// ReplaceIllFormed returns a transformer that replaces all input bytes that are
+// not part of a well-formed UTF-8 code sequence with utf8.RuneError.
+func ReplaceIllFormed() Transformer {
+	return Transformer{&replaceIllFormed{}}
+}
+
+type replaceIllFormed struct{ transform.NopResetter }
+
+func (t replaceIllFormed) Span(src []byte, atEOF bool) (n int, err error) {
+	for n < len(src) {
+		// ASCII fast path.
+		if src[n] < utf8.RuneSelf {
+			n++
+			continue
+		}
+
+		r, size := utf8.DecodeRune(src[n:])
+
+		// Look for a valid non-ASCII rune.
+		if r != utf8.RuneError || size != 1 {
+			n += size
+			continue
+		}
+
+		// Look for short source data.
+		if !atEOF && !utf8.FullRune(src[n:]) {
+			err = transform.ErrShortSrc
+			break
+		}
+
+		// We have an invalid rune.
+		err = transform.ErrEndOfSpan
+		break
+	}
+	return n, err
+}
+
+func (t replaceIllFormed) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) {
+	for nSrc < len(src) {
+		// ASCII fast path.
+		if r := src[nSrc]; r < utf8.RuneSelf {
+			if nDst == len(dst) {
+				err = transform.ErrShortDst
+				break
+			}
+			dst[nDst] = r
+			nDst++
+			nSrc++
+			continue
+		}
+
+		// Look for a valid non-ASCII rune.
+		if _, size := utf8.DecodeRune(src[nSrc:]); size != 1 {
+			if size != copy(dst[nDst:], src[nSrc:nSrc+size]) {
+				err = transform.ErrShortDst
+				break
+			}
+			nDst += size
+			nSrc += size
+			continue
+		}
+
+		// Look for short source data.
+		if !atEOF && !utf8.FullRune(src[nSrc:]) {
+			err = transform.ErrShortSrc
+			break
+		}
+
+		// We have an invalid rune.
+		if nDst+3 > len(dst) {
+			err = transform.ErrShortDst
+			break
+		}
+		dst[nDst+0] = runeErrorString[0]
+		dst[nDst+1] = runeErrorString[1]
+		dst[nDst+2] = runeErrorString[2]
+		nDst += 3
+		nSrc++
+	}
+	return nDst, nSrc, err
+}
diff --git a/vendor/golang.org/x/time/rate/rate.go b/vendor/golang.org/x/time/rate/rate.go
index 794b2e32bf..563270c154 100644
--- a/vendor/golang.org/x/time/rate/rate.go
+++ b/vendor/golang.org/x/time/rate/rate.go
@@ -195,7 +195,7 @@ func (r *Reservation) CancelAt(t time.Time) {
 	// update state
 	r.lim.last = t
 	r.lim.tokens = tokens
-	if r.timeToAct == r.lim.lastEvent {
+	if r.timeToAct.Equal(r.lim.lastEvent) {
 		prevEvent := r.timeToAct.Add(r.limit.durationFromTokens(float64(-r.tokens)))
 		if !prevEvent.Before(t) {
 			r.lim.lastEvent = prevEvent
diff --git a/vendor/google.golang.org/grpc/CONTRIBUTING.md b/vendor/google.golang.org/grpc/CONTRIBUTING.md
index 1de0ce6669..2079de7b0e 100644
--- a/vendor/google.golang.org/grpc/CONTRIBUTING.md
+++ b/vendor/google.golang.org/grpc/CONTRIBUTING.md
@@ -33,17 +33,21 @@ guidelines, there may be valid reasons to do so, but it should be rare.
 
 ## Guidelines for Pull Requests
 
-How to get your contributions merged smoothly and quickly:
+Please read the following carefully to ensure your contributions can be merged
+smoothly and quickly.
+
+### PR Contents
 
 - Create **small PRs** that are narrowly focused on **addressing a single
   concern**. We often receive PRs that attempt to fix several things at the same
   time, and if one part of the PR has a problem, that will hold up the entire
   PR.
 
-- For **speculative changes**, consider opening an issue and discussing it
-  first. If you are suggesting a behavioral or API change, consider starting
-  with a [gRFC proposal](https://github.com/grpc/proposal). Many new features
-  that are not bug fixes will require cross-language agreement.
+- If your change does not address an **open issue** with an **agreed
+  resolution**, consider opening an issue and discussing it first. If you are
+  suggesting a behavioral or API change, consider starting with a [gRFC
+  proposal](https://github.com/grpc/proposal). Many new features that are not
+  bug fixes will require cross-language agreement.
 
 - If you want to fix **formatting or style**, consider whether your changes are
   an obvious improvement or might be considered a personal preference. If a
@@ -56,16 +60,6 @@ How to get your contributions merged smoothly and quickly:
   often written as "iff". Please do not make spelling correction changes unless
   you are certain they are misspellings.
 
-- Provide a good **PR description** as a record of **what** change is being made
-  and **why** it was made. Link to a GitHub issue if it exists.
-
-- Maintain a **clean commit history** and use **meaningful commit messages**.
-  PRs with messy commit histories are difficult to review and won't be merged.
-  Before sending your PR, ensure your changes are based on top of the latest
-  `upstream/master` commits, and avoid rebasing in the middle of a code review.
-  You should **never use `git push -f`** unless absolutely necessary during a
-  review, as it can interfere with GitHub's tracking of comments.
-
 - **All tests need to be passing** before your change can be merged. We
   recommend you run tests locally before creating your PR to catch breakages
   early on:
@@ -81,15 +75,80 @@ How to get your contributions merged smoothly and quickly:
   GitHub, which will trigger a GitHub Actions run that you can use to verify
   everything is passing.
 
-- If you are adding a new file, make sure it has the **copyright message**
+- Note that there are two GitHub actions checks that need not be green:
+
+  1. We test the freshness of the generated proto code we maintain via the
+     `vet-proto` check. If the source proto files are updated, but our repo is
+     not updated, an optional checker will fail. This will be fixed by our team
+     in a separate PR and will not prevent the merge of your PR.
+
+  2. We run a checker that will fail if there is any change in dependencies of
+     an exported package via the `dependencies` check. If new dependencies are
+     added that are not appropriate, we may not accept your PR (see below).
+
+- If you are adding a **new file**, make sure it has the **copyright message**
   template at the top as a comment. You can copy the message from an existing
   file and update the year.
 
 - The grpc package should only depend on standard Go packages and a small number
   of exceptions. **If your contribution introduces new dependencies**, you will
-  need a discussion with gRPC-Go maintainers. A GitHub action check will run on
-  every PR, and will flag any transitive dependency changes from any public
-  package.
+  need a discussion with gRPC-Go maintainers.
+
+### PR Descriptions
+
+- **PR titles** should start with the name of the component being addressed, or
+  the type of change. Examples: transport, client, server, round_robin, xds,
+  cleanup, deps.
+
+- Read and follow the **guidelines for PR titles and descriptions** here:
+  https://google.github.io/eng-practices/review/developer/cl-descriptions.html
+
+  *particularly* the sections "First Line" and "Body is Informative".
+
+  Note: your PR description will be used as the git commit message in a
+  squash-and-merge if your PR is approved. We may make changes to this as
+  necessary.
+
+- **Does this PR relate to an open issue?** On the first line, please use the
+  tag `Fixes #<issue>` to ensure the issue is closed when the PR is merged. Or
+  use `Updates #<issue>` if the PR is related to an open issue, but does not fix
+  it. Consider filing an issue if one does not already exist.
+
+- PR descriptions *must* conclude with **release notes** as follows:
+
+  ```
+  RELEASE NOTES:
+  * <component>: <summary>
+  ```
+
+  This need not match the PR title.
+
+  The summary must:
+
+  * be something that gRPC users will understand.
+
+  * clearly explain the feature being added, the issue being fixed, or the
+    behavior being changed, etc. If fixing a bug, be clear about how the bug
+    can be triggered by an end-user.
+
+  * begin with a capital letter and use complete sentences.
+
+  * be as short as possible to describe the change being made.
+
+  If a PR is *not* end-user visible -- e.g. a cleanup, testing change, or
+  GitHub-related, use `RELEASE NOTES: n/a`.
+
+### PR Process
+
+- Please **self-review** your code changes before sending your PR. This will
+  prevent simple, obvious errors from causing delays.
+
+- Maintain a **clean commit history** and use **meaningful commit messages**.
+  PRs with messy commit histories are difficult to review and won't be merged.
+  Before sending your PR, ensure your changes are based on top of the latest
+  `upstream/master` commits, and avoid rebasing in the middle of a code review.
+  You should **never use `git push -f`** unless absolutely necessary during a
+  review, as it can interfere with GitHub's tracking of comments.
 
 - Unless your PR is trivial, you should **expect reviewer comments** that you
   will need to address before merging. We'll label the PR as `Status: Requires
@@ -98,5 +157,3 @@ How to get your contributions merged smoothly and quickly:
   `stale`, and we will automatically close it after 7 days if we don't hear back
   from you. Please feel free to ping issues or bugs if you do not get a response
   within a week.
-
-- Exceptions to the rules can be made if there's a compelling reason to do so.
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
index ea8899818c..b4bc3a2bf3 100644
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
+++ b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go
@@ -16,55 +16,124 @@
  *
  */
 
-// Package pickfirst contains the pick_first load balancing policy.
+// Package pickfirst contains the pick_first load balancing policy which
+// is the universal leaf policy.
 package pickfirst
 
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	rand "math/rand/v2"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
 
 	"google.golang.org/grpc/balancer"
 	"google.golang.org/grpc/balancer/pickfirst/internal"
 	"google.golang.org/grpc/connectivity"
+	expstats "google.golang.org/grpc/experimental/stats"
 	"google.golang.org/grpc/grpclog"
-	"google.golang.org/grpc/internal/envconfig"
 	internalgrpclog "google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/pretty"
 	"google.golang.org/grpc/resolver"
 	"google.golang.org/grpc/serviceconfig"
-
-	_ "google.golang.org/grpc/balancer/pickfirst/pickfirstleaf" // For automatically registering the new pickfirst if required.
 )
 
 func init() {
-	if envconfig.NewPickFirstEnabled {
-		return
-	}
 	balancer.Register(pickfirstBuilder{})
 }
 
-var logger = grpclog.Component("pick-first-lb")
+// Name is the name of the pick_first balancer.
+const Name = "pick_first"
+
+// enableHealthListenerKeyType is a unique key type used in resolver
+// attributes to indicate whether the health listener usage is enabled.
+type enableHealthListenerKeyType struct{}
+
+var (
+	logger               = grpclog.Component("pick-first-leaf-lb")
+	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.disconnections",
+		Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
+		Unit:        "{disconnection}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.connection_attempts_succeeded",
+		Description: "EXPERIMENTAL. Number of successful connection attempts.",
+		Unit:        "{attempt}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:        "grpc.lb.pick_first.connection_attempts_failed",
+		Description: "EXPERIMENTAL. Number of failed connection attempts.",
+		Unit:        "{attempt}",
+		Labels:      []string{"grpc.target"},
+		Default:     false,
+	})
+)
 
 const (
-	// Name is the name of the pick_first balancer.
-	Name      = "pick_first"
-	logPrefix = "[pick-first-lb %p] "
+	// TODO: change to pick-first when this becomes the default pick_first policy.
+	logPrefix = "[pick-first-leaf-lb %p] "
+	// connectionDelayInterval is the time to wait for during the happy eyeballs
+	// pass before starting the next connection attempt.
+	connectionDelayInterval = 250 * time.Millisecond
+)
+
+type ipAddrFamily int
+
+const (
+	// ipAddrFamilyUnknown represents strings that can't be parsed as an IP
+	// address.
+	ipAddrFamilyUnknown ipAddrFamily = iota
+	ipAddrFamilyV4
+	ipAddrFamilyV6
 )
 
 type pickfirstBuilder struct{}
 
-func (pickfirstBuilder) Build(cc balancer.ClientConn, _ balancer.BuildOptions) balancer.Balancer {
-	b := &pickfirstBalancer{cc: cc}
+func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions) balancer.Balancer {
+	b := &pickfirstBalancer{
+		cc:              cc,
+		target:          bo.Target.String(),
+		metricsRecorder: cc.MetricsRecorder(),
+
+		subConns:              resolver.NewAddressMapV2[*scData](),
+		state:                 connectivity.Connecting,
+		cancelConnectionTimer: func() {},
+	}
 	b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf(logPrefix, b))
 	return b
 }
 
-func (pickfirstBuilder) Name() string {
+func (b pickfirstBuilder) Name() string {
 	return Name
 }
 
+func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
+	var cfg pfConfig
+	if err := json.Unmarshal(js, &cfg); err != nil {
+		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
+	}
+	return cfg, nil
+}
+
+// EnableHealthListener updates the state to configure pickfirst for using a
+// generic health listener.
+//
+// # Experimental
+//
+// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
+// release.
+func EnableHealthListener(state resolver.State) resolver.State {
+	state.Attributes = state.Attributes.WithValue(enableHealthListenerKeyType{}, true)
+	return state
+}
+
 type pfConfig struct {
 	serviceconfig.LoadBalancingConfig `json:"-"`
 
@@ -74,90 +143,129 @@ type pfConfig struct {
 	ShuffleAddressList bool `json:"shuffleAddressList"`
 }
 
-func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
-	var cfg pfConfig
-	if err := json.Unmarshal(js, &cfg); err != nil {
-		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
+// scData keeps track of the current state of the subConn.
+// It is not safe for concurrent access.
+type scData struct {
+	// The following fields are initialized at build time and read-only after
+	// that.
+	subConn balancer.SubConn
+	addr    resolver.Address
+
+	rawConnectivityState connectivity.State
+	// The effective connectivity state based on raw connectivity, health state
+	// and after following sticky TransientFailure behaviour defined in A62.
+	effectiveState              connectivity.State
+	lastErr                     error
+	connectionFailedInFirstPass bool
+}
+
+func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
+	sd := &scData{
+		rawConnectivityState: connectivity.Idle,
+		effectiveState:       connectivity.Idle,
+		addr:                 addr,
 	}
-	return cfg, nil
+	sc, err := b.cc.NewSubConn([]resolver.Address{addr}, balancer.NewSubConnOptions{
+		StateListener: func(state balancer.SubConnState) {
+			b.updateSubConnState(sd, state)
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	sd.subConn = sc
+	return sd, nil
 }
 
 type pickfirstBalancer struct {
-	logger  *internalgrpclog.PrefixLogger
-	state   connectivity.State
-	cc      balancer.ClientConn
-	subConn balancer.SubConn
+	// The following fields are initialized at build time and read-only after
+	// that and therefore do not need to be guarded by a mutex.
+	logger          *internalgrpclog.PrefixLogger
+	cc              balancer.ClientConn
+	target          string
+	metricsRecorder expstats.MetricsRecorder // guaranteed to be non nil
+
+	// The mutex is used to ensure synchronization of updates triggered
+	// from the idle picker and the already serialized resolver,
+	// SubConn state updates.
+	mu sync.Mutex
+	// State reported to the channel based on SubConn states and resolver
+	// updates.
+	state connectivity.State
+	// scData for active subonns mapped by address.
+	subConns              *resolver.AddressMapV2[*scData]
+	addressList           addressList
+	firstPass             bool
+	numTF                 int
+	cancelConnectionTimer func()
+	healthCheckingEnabled bool
 }
 
+// ResolverError is called by the ClientConn when the name resolver produces
+// an error or when pickfirst determined the resolver update to be invalid.
 func (b *pickfirstBalancer) ResolverError(err error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.resolverErrorLocked(err)
+}
+
+func (b *pickfirstBalancer) resolverErrorLocked(err error) {
 	if b.logger.V(2) {
 		b.logger.Infof("Received error from the name resolver: %v", err)
 	}
-	if b.subConn == nil {
-		b.state = connectivity.TransientFailure
-	}
 
-	if b.state != connectivity.TransientFailure {
-		// The picker will not change since the balancer does not currently
-		// report an error.
+	// The picker will not change since the balancer does not currently
+	// report an error. If the balancer hasn't received a single good resolver
+	// update yet, transition to TRANSIENT_FAILURE.
+	if b.state != connectivity.TransientFailure && b.addressList.size() > 0 {
+		if b.logger.V(2) {
+			b.logger.Infof("Ignoring resolver error because balancer is using a previous good update.")
+		}
 		return
 	}
-	b.cc.UpdateState(balancer.State{
+
+	b.updateBalancerState(balancer.State{
 		ConnectivityState: connectivity.TransientFailure,
 		Picker:            &picker{err: fmt.Errorf("name resolver error: %v", err)},
 	})
 }
 
-// Shuffler is an interface for shuffling an address list.
-type Shuffler interface {
-	ShuffleAddressListForTesting(n int, swap func(i, j int))
-}
-
-// ShuffleAddressListForTesting pseudo-randomizes the order of addresses.  n
-// is the number of elements.  swap swaps the elements with indexes i and j.
-func ShuffleAddressListForTesting(n int, swap func(i, j int)) { rand.Shuffle(n, swap) }
-
 func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState) error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.cancelConnectionTimer()
 	if len(state.ResolverState.Addresses) == 0 && len(state.ResolverState.Endpoints) == 0 {
-		// The resolver reported an empty address list. Treat it like an error by
-		// calling b.ResolverError.
-		if b.subConn != nil {
-			// Shut down the old subConn. All addresses were removed, so it is
-			// no longer valid.
-			b.subConn.Shutdown()
-			b.subConn = nil
-		}
-		b.ResolverError(errors.New("produced zero addresses"))
+		// Cleanup state pertaining to the previous resolver state.
+		// Treat an empty address list like an error by calling b.ResolverError.
+		b.closeSubConnsLocked()
+		b.addressList.updateAddrs(nil)
+		b.resolverErrorLocked(errors.New("produced zero addresses"))
 		return balancer.ErrBadResolverState
 	}
-	// We don't have to guard this block with the env var because ParseConfig
-	// already does so.
+	b.healthCheckingEnabled = state.ResolverState.Attributes.Value(enableHealthListenerKeyType{}) != nil
 	cfg, ok := state.BalancerConfig.(pfConfig)
 	if state.BalancerConfig != nil && !ok {
-		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v", state.BalancerConfig, state.BalancerConfig)
+		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v: %w", state.BalancerConfig, state.BalancerConfig, balancer.ErrBadResolverState)
 	}
 
 	if b.logger.V(2) {
 		b.logger.Infof("Received new config %s, resolver state %s", pretty.ToJSON(cfg), pretty.ToJSON(state.ResolverState))
 	}
 
-	var addrs []resolver.Address
+	var newAddrs []resolver.Address
 	if endpoints := state.ResolverState.Endpoints; len(endpoints) != 0 {
-		// Perform the optional shuffling described in gRFC A62. The shuffling will
-		// change the order of endpoints but not touch the order of the addresses
-		// within each endpoint. - A61
+		// Perform the optional shuffling described in gRFC A62. The shuffling
+		// will change the order of endpoints but not touch the order of the
+		// addresses within each endpoint. - A61
 		if cfg.ShuffleAddressList {
 			endpoints = append([]resolver.Endpoint{}, endpoints...)
 			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
 		}
 
-		// "Flatten the list by concatenating the ordered list of addresses for each
-		// of the endpoints, in order." - A61
+		// "Flatten the list by concatenating the ordered list of addresses for
+		// each of the endpoints, in order." - A61
 		for _, endpoint := range endpoints {
-			// "In the flattened list, interleave addresses from the two address
-			// families, as per RFC-8304 section 4." - A61
-			// TODO: support the above language.
-			addrs = append(addrs, endpoint.Addresses...)
+			newAddrs = append(newAddrs, endpoint.Addresses...)
 		}
 	} else {
 		// Endpoints not set, process addresses until we migrate resolver
@@ -166,42 +274,53 @@ func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState
 		// target do not forward the corresponding correct endpoints down/split
 		// endpoints properly. Once all balancers correctly forward endpoints
 		// down, can delete this else conditional.
-		addrs = state.ResolverState.Addresses
+		newAddrs = state.ResolverState.Addresses
 		if cfg.ShuffleAddressList {
-			addrs = append([]resolver.Address{}, addrs...)
-			rand.Shuffle(len(addrs), func(i, j int) { addrs[i], addrs[j] = addrs[j], addrs[i] })
+			newAddrs = append([]resolver.Address{}, newAddrs...)
+			internal.RandShuffle(len(newAddrs), func(i, j int) { newAddrs[i], newAddrs[j] = newAddrs[j], newAddrs[i] })
 		}
 	}
 
-	if b.subConn != nil {
-		b.cc.UpdateAddresses(b.subConn, addrs)
+	// If an address appears in multiple endpoints or in the same endpoint
+	// multiple times, we keep it only once. We will create only one SubConn
+	// for the address because an AddressMap is used to store SubConns.
+	// Not de-duplicating would result in attempting to connect to the same
+	// SubConn multiple times in the same pass. We don't want this.
+	newAddrs = deDupAddresses(newAddrs)
+	newAddrs = interleaveAddresses(newAddrs)
+
+	prevAddr := b.addressList.currentAddress()
+	prevSCData, found := b.subConns.Get(prevAddr)
+	prevAddrsCount := b.addressList.size()
+	isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
+	b.addressList.updateAddrs(newAddrs)
+
+	// If the previous ready SubConn exists in new address list,
+	// keep this connection and don't create new SubConns.
+	if isPrevRawConnectivityStateReady && b.addressList.seekTo(prevAddr) {
 		return nil
 	}
 
-	var subConn balancer.SubConn
-	subConn, err := b.cc.NewSubConn(addrs, balancer.NewSubConnOptions{
-		StateListener: func(state balancer.SubConnState) {
-			b.updateSubConnState(subConn, state)
-		},
-	})
-	if err != nil {
-		if b.logger.V(2) {
-			b.logger.Infof("Failed to create new SubConn: %v", err)
-		}
-		b.state = connectivity.TransientFailure
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: connectivity.TransientFailure,
-			Picker:            &picker{err: fmt.Errorf("error creating connection: %v", err)},
+	b.reconcileSubConnsLocked(newAddrs)
+	// If it's the first resolver update or the balancer was already READY
+	// (but the new address list does not contain the ready SubConn) or
+	// CONNECTING, enter CONNECTING.
+	// We may be in TRANSIENT_FAILURE due to a previous empty address list,
+	// we should still enter CONNECTING because the sticky TF behaviour
+	//  mentioned in A62 applies only when the TRANSIENT_FAILURE is reported
+	// due to connectivity failures.
+	if isPrevRawConnectivityStateReady || b.state == connectivity.Connecting || prevAddrsCount == 0 {
+		// Start connection attempt at first address.
+		b.forceUpdateConcludedStateLocked(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
-		return balancer.ErrBadResolverState
+		b.startFirstPassLocked()
+	} else if b.state == connectivity.TransientFailure {
+		// If we're in TRANSIENT_FAILURE, we stay in TRANSIENT_FAILURE until
+		// we're READY. See A62.
+		b.startFirstPassLocked()
 	}
-	b.subConn = subConn
-	b.state = connectivity.Idle
-	b.cc.UpdateState(balancer.State{
-		ConnectivityState: connectivity.Connecting,
-		Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-	})
-	b.subConn.Connect()
 	return nil
 }
 
@@ -211,63 +330,484 @@ func (b *pickfirstBalancer) UpdateSubConnState(subConn balancer.SubConn, state b
 	b.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", subConn, state)
 }
 
-func (b *pickfirstBalancer) updateSubConnState(subConn balancer.SubConn, state balancer.SubConnState) {
-	if b.logger.V(2) {
-		b.logger.Infof("Received SubConn state update: %p, %+v", subConn, state)
+func (b *pickfirstBalancer) Close() {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.closeSubConnsLocked()
+	b.cancelConnectionTimer()
+	b.state = connectivity.Shutdown
+}
+
+// ExitIdle moves the balancer out of idle state. It can be called concurrently
+// by the idlePicker and clientConn so access to variables should be
+// synchronized.
+func (b *pickfirstBalancer) ExitIdle() {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.state == connectivity.Idle {
+		// Move the balancer into CONNECTING state immediately. This is done to
+		// avoid staying in IDLE if a resolver update arrives before the first
+		// SubConn reports CONNECTING.
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
+		})
+		b.startFirstPassLocked()
+	}
+}
+
+func (b *pickfirstBalancer) startFirstPassLocked() {
+	b.firstPass = true
+	b.numTF = 0
+	// Reset the connection attempt record for existing SubConns.
+	for _, sd := range b.subConns.Values() {
+		sd.connectionFailedInFirstPass = false
+	}
+	b.requestConnectionLocked()
+}
+
+func (b *pickfirstBalancer) closeSubConnsLocked() {
+	for _, sd := range b.subConns.Values() {
+		sd.subConn.Shutdown()
+	}
+	b.subConns = resolver.NewAddressMapV2[*scData]()
+}
+
+// deDupAddresses ensures that each address appears only once in the slice.
+func deDupAddresses(addrs []resolver.Address) []resolver.Address {
+	seenAddrs := resolver.NewAddressMapV2[bool]()
+	retAddrs := []resolver.Address{}
+
+	for _, addr := range addrs {
+		if _, ok := seenAddrs.Get(addr); ok {
+			continue
+		}
+		seenAddrs.Set(addr, true)
+		retAddrs = append(retAddrs, addr)
+	}
+	return retAddrs
+}
+
+// interleaveAddresses interleaves addresses of both families (IPv4 and IPv6)
+// as per RFC-8305 section 4.
+// Whichever address family is first in the list is followed by an address of
+// the other address family; that is, if the first address in the list is IPv6,
+// then the first IPv4 address should be moved up in the list to be second in
+// the list. It doesn't support configuring "First Address Family Count", i.e.
+// there will always be a single member of the first address family at the
+// beginning of the interleaved list.
+// Addresses that are neither IPv4 nor IPv6 are treated as part of a third
+// "unknown" family for interleaving.
+// See: https://datatracker.ietf.org/doc/html/rfc8305#autoid-6
+func interleaveAddresses(addrs []resolver.Address) []resolver.Address {
+	familyAddrsMap := map[ipAddrFamily][]resolver.Address{}
+	interleavingOrder := []ipAddrFamily{}
+	for _, addr := range addrs {
+		family := addressFamily(addr.Addr)
+		if _, found := familyAddrsMap[family]; !found {
+			interleavingOrder = append(interleavingOrder, family)
+		}
+		familyAddrsMap[family] = append(familyAddrsMap[family], addr)
+	}
+
+	interleavedAddrs := make([]resolver.Address, 0, len(addrs))
+
+	for curFamilyIdx := 0; len(interleavedAddrs) < len(addrs); curFamilyIdx = (curFamilyIdx + 1) % len(interleavingOrder) {
+		// Some IP types may have fewer addresses than others, so we look for
+		// the next type that has a remaining member to add to the interleaved
+		// list.
+		family := interleavingOrder[curFamilyIdx]
+		remainingMembers := familyAddrsMap[family]
+		if len(remainingMembers) > 0 {
+			interleavedAddrs = append(interleavedAddrs, remainingMembers[0])
+			familyAddrsMap[family] = remainingMembers[1:]
+		}
+	}
+
+	return interleavedAddrs
+}
+
+// addressFamily returns the ipAddrFamily after parsing the address string.
+// If the address isn't of the format "ip-address:port", it returns
+// ipAddrFamilyUnknown. The address may be valid even if it's not an IP when
+// using a resolver like passthrough where the address may be a hostname in
+// some format that the dialer can resolve.
+func addressFamily(address string) ipAddrFamily {
+	// Parse the IP after removing the port.
+	host, _, err := net.SplitHostPort(address)
+	if err != nil {
+		return ipAddrFamilyUnknown
+	}
+	ip, err := netip.ParseAddr(host)
+	if err != nil {
+		return ipAddrFamilyUnknown
+	}
+	switch {
+	case ip.Is4() || ip.Is4In6():
+		return ipAddrFamilyV4
+	case ip.Is6():
+		return ipAddrFamilyV6
+	default:
+		return ipAddrFamilyUnknown
+	}
+}
+
+// reconcileSubConnsLocked updates the active subchannels based on a new address
+// list from the resolver. It does this by:
+//   - closing subchannels: any existing subchannels associated with addresses
+//     that are no longer in the updated list are shut down.
+//   - removing subchannels: entries for these closed subchannels are removed
+//     from the subchannel map.
+//
+// This ensures that the subchannel map accurately reflects the current set of
+// addresses received from the name resolver.
+func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
+	newAddrsMap := resolver.NewAddressMapV2[bool]()
+	for _, addr := range newAddrs {
+		newAddrsMap.Set(addr, true)
+	}
+
+	for _, oldAddr := range b.subConns.Keys() {
+		if _, ok := newAddrsMap.Get(oldAddr); ok {
+			continue
+		}
+		val, _ := b.subConns.Get(oldAddr)
+		val.subConn.Shutdown()
+		b.subConns.Delete(oldAddr)
+	}
+}
+
+// shutdownRemainingLocked shuts down remaining subConns. Called when a subConn
+// becomes ready, which means that all other subConn must be shutdown.
+func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
+	b.cancelConnectionTimer()
+	for _, sd := range b.subConns.Values() {
+		if sd.subConn != selected.subConn {
+			sd.subConn.Shutdown()
+		}
+	}
+	b.subConns = resolver.NewAddressMapV2[*scData]()
+	b.subConns.Set(selected.addr, selected)
+}
+
+// requestConnectionLocked starts connecting on the subchannel corresponding to
+// the current address. If no subchannel exists, one is created. If the current
+// subchannel is in TransientFailure, a connection to the next address is
+// attempted until a subchannel is found.
+func (b *pickfirstBalancer) requestConnectionLocked() {
+	if !b.addressList.isValid() {
+		return
+	}
+	var lastErr error
+	for valid := true; valid; valid = b.addressList.increment() {
+		curAddr := b.addressList.currentAddress()
+		sd, ok := b.subConns.Get(curAddr)
+		if !ok {
+			var err error
+			// We want to assign the new scData to sd from the outer scope,
+			// hence we can't use := below.
+			sd, err = b.newSCData(curAddr)
+			if err != nil {
+				// This should never happen, unless the clientConn is being shut
+				// down.
+				if b.logger.V(2) {
+					b.logger.Infof("Failed to create a subConn for address %v: %v", curAddr.String(), err)
+				}
+				// Do nothing, the LB policy will be closed soon.
+				return
+			}
+			b.subConns.Set(curAddr, sd)
+		}
+
+		switch sd.rawConnectivityState {
+		case connectivity.Idle:
+			sd.subConn.Connect()
+			b.scheduleNextConnectionLocked()
+			return
+		case connectivity.TransientFailure:
+			// The SubConn is being re-used and failed during a previous pass
+			// over the addressList. It has not completed backoff yet.
+			// Mark it as having failed and try the next address.
+			sd.connectionFailedInFirstPass = true
+			lastErr = sd.lastErr
+			continue
+		case connectivity.Connecting:
+			// Wait for the connection attempt to complete or the timer to fire
+			// before attempting the next address.
+			b.scheduleNextConnectionLocked()
+			return
+		default:
+			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
+			return
+
+		}
+	}
+
+	// All the remaining addresses in the list are in TRANSIENT_FAILURE, end the
+	// first pass if possible.
+	b.endFirstPassIfPossibleLocked(lastErr)
+}
+
+func (b *pickfirstBalancer) scheduleNextConnectionLocked() {
+	b.cancelConnectionTimer()
+	if !b.addressList.hasNext() {
+		return
 	}
-	if b.subConn != subConn {
+	curAddr := b.addressList.currentAddress()
+	cancelled := false // Access to this is protected by the balancer's mutex.
+	closeFn := internal.TimeAfterFunc(connectionDelayInterval, func() {
+		b.mu.Lock()
+		defer b.mu.Unlock()
+		// If the scheduled task is cancelled while acquiring the mutex, return.
+		if cancelled {
+			return
+		}
 		if b.logger.V(2) {
-			b.logger.Infof("Ignored state change because subConn is not recognized")
+			b.logger.Infof("Happy Eyeballs timer expired while waiting for connection to %q.", curAddr.Addr)
+		}
+		if b.addressList.increment() {
+			b.requestConnectionLocked()
 		}
+	})
+	// Access to the cancellation callback held by the balancer is guarded by
+	// the balancer's mutex, so it's safe to set the boolean from the callback.
+	b.cancelConnectionTimer = sync.OnceFunc(func() {
+		cancelled = true
+		closeFn()
+	})
+}
+
+func (b *pickfirstBalancer) updateSubConnState(sd *scData, newState balancer.SubConnState) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	oldState := sd.rawConnectivityState
+	sd.rawConnectivityState = newState.ConnectivityState
+	// Previously relevant SubConns can still callback with state updates.
+	// To prevent pickers from returning these obsolete SubConns, this logic
+	// is included to check if the current list of active SubConns includes this
+	// SubConn.
+	if !b.isActiveSCData(sd) {
 		return
 	}
-	if state.ConnectivityState == connectivity.Shutdown {
-		b.subConn = nil
+	if newState.ConnectivityState == connectivity.Shutdown {
+		sd.effectiveState = connectivity.Shutdown
 		return
 	}
 
-	switch state.ConnectivityState {
-	case connectivity.Ready:
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &picker{result: balancer.PickResult{SubConn: subConn}},
-		})
-	case connectivity.Connecting:
-		if b.state == connectivity.TransientFailure {
-			// We stay in TransientFailure until we are Ready. See A62.
+	// Record a connection attempt when exiting CONNECTING.
+	if newState.ConnectivityState == connectivity.TransientFailure {
+		sd.connectionFailedInFirstPass = true
+		connectionAttemptsFailedMetric.Record(b.metricsRecorder, 1, b.target)
+	}
+
+	if newState.ConnectivityState == connectivity.Ready {
+		connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
+		b.shutdownRemainingLocked(sd)
+		if !b.addressList.seekTo(sd.addr) {
+			// This should not fail as we should have only one SubConn after
+			// entering READY. The SubConn should be present in the addressList.
+			b.logger.Errorf("Address %q not found address list in %v", sd.addr, b.addressList.addresses)
 			return
 		}
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
+		if !b.healthCheckingEnabled {
+			if b.logger.V(2) {
+				b.logger.Infof("SubConn %p reported connectivity state READY and the health listener is disabled. Transitioning SubConn to READY.", sd.subConn)
+			}
+
+			sd.effectiveState = connectivity.Ready
+			b.updateBalancerState(balancer.State{
+				ConnectivityState: connectivity.Ready,
+				Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
+			})
+			return
+		}
+		if b.logger.V(2) {
+			b.logger.Infof("SubConn %p reported connectivity state READY. Registering health listener.", sd.subConn)
+		}
+		// Send a CONNECTING update to take the SubConn out of sticky-TF if
+		// required.
+		sd.effectiveState = connectivity.Connecting
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
 			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
+		sd.subConn.RegisterHealthListener(func(scs balancer.SubConnState) {
+			b.updateSubConnHealthState(sd, scs)
+		})
+		return
+	}
+
+	// If the LB policy is READY, and it receives a subchannel state change,
+	// it means that the READY subchannel has failed.
+	// A SubConn can also transition from CONNECTING directly to IDLE when
+	// a transport is successfully created, but the connection fails
+	// before the SubConn can send the notification for READY. We treat
+	// this as a successful connection and transition to IDLE.
+	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
+	// part of the if condition below once the issue is fixed.
+	if oldState == connectivity.Ready || (oldState == connectivity.Connecting && newState.ConnectivityState == connectivity.Idle) {
+		// Once a transport fails, the balancer enters IDLE and starts from
+		// the first address when the picker is used.
+		b.shutdownRemainingLocked(sd)
+		sd.effectiveState = newState.ConnectivityState
+		// READY SubConn interspliced in between CONNECTING and IDLE, need to
+		// account for that.
+		if oldState == connectivity.Connecting {
+			// A known issue (https://github.com/grpc/grpc-go/issues/7862)
+			// causes a race that prevents the READY state change notification.
+			// This works around it.
+			connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
+		}
+		disconnectionsMetric.Record(b.metricsRecorder, 1, b.target)
+		b.addressList.reset()
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Idle,
+			Picker:            &idlePicker{exitIdle: sync.OnceFunc(b.ExitIdle)},
+		})
+		return
+	}
+
+	if b.firstPass {
+		switch newState.ConnectivityState {
+		case connectivity.Connecting:
+			// The effective state can be in either IDLE, CONNECTING or
+			// TRANSIENT_FAILURE. If it's  TRANSIENT_FAILURE, stay in
+			// TRANSIENT_FAILURE until it's READY. See A62.
+			if sd.effectiveState != connectivity.TransientFailure {
+				sd.effectiveState = connectivity.Connecting
+				b.updateBalancerState(balancer.State{
+					ConnectivityState: connectivity.Connecting,
+					Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
+				})
+			}
+		case connectivity.TransientFailure:
+			sd.lastErr = newState.ConnectionError
+			sd.effectiveState = connectivity.TransientFailure
+			// Since we're re-using common SubConns while handling resolver
+			// updates, we could receive an out of turn TRANSIENT_FAILURE from
+			// a pass over the previous address list. Happy Eyeballs will also
+			// cause out of order updates to arrive.
+
+			if curAddr := b.addressList.currentAddress(); equalAddressIgnoringBalAttributes(&curAddr, &sd.addr) {
+				b.cancelConnectionTimer()
+				if b.addressList.increment() {
+					b.requestConnectionLocked()
+					return
+				}
+			}
+
+			// End the first pass if we've seen a TRANSIENT_FAILURE from all
+			// SubConns once.
+			b.endFirstPassIfPossibleLocked(newState.ConnectionError)
+		}
+		return
+	}
+
+	// We have finished the first pass, keep re-connecting failing SubConns.
+	switch newState.ConnectivityState {
+	case connectivity.TransientFailure:
+		b.numTF = (b.numTF + 1) % b.subConns.Len()
+		sd.lastErr = newState.ConnectionError
+		if b.numTF%b.subConns.Len() == 0 {
+			b.updateBalancerState(balancer.State{
+				ConnectivityState: connectivity.TransientFailure,
+				Picker:            &picker{err: newState.ConnectionError},
+			})
+		}
+		// We don't need to request re-resolution since the SubConn already
+		// does that before reporting TRANSIENT_FAILURE.
+		// TODO: #7534 - Move re-resolution requests from SubConn into
+		// pick_first.
 	case connectivity.Idle:
-		if b.state == connectivity.TransientFailure {
-			// We stay in TransientFailure until we are Ready. Also kick the
-			// subConn out of Idle into Connecting. See A62.
-			b.subConn.Connect()
+		sd.subConn.Connect()
+	}
+}
+
+// endFirstPassIfPossibleLocked ends the first happy-eyeballs pass if all the
+// addresses are tried and their SubConns have reported a failure.
+func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
+	// An optimization to avoid iterating over the entire SubConn map.
+	if b.addressList.isValid() {
+		return
+	}
+	// Connect() has been called on all the SubConns. The first pass can be
+	// ended if all the SubConns have reported a failure.
+	for _, sd := range b.subConns.Values() {
+		if !sd.connectionFailedInFirstPass {
 			return
 		}
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &idlePicker{subConn: subConn},
+	}
+	b.firstPass = false
+	b.updateBalancerState(balancer.State{
+		ConnectivityState: connectivity.TransientFailure,
+		Picker:            &picker{err: lastErr},
+	})
+	// Start re-connecting all the SubConns that are already in IDLE.
+	for _, sd := range b.subConns.Values() {
+		if sd.rawConnectivityState == connectivity.Idle {
+			sd.subConn.Connect()
+		}
+	}
+}
+
+func (b *pickfirstBalancer) isActiveSCData(sd *scData) bool {
+	activeSD, found := b.subConns.Get(sd.addr)
+	return found && activeSD == sd
+}
+
+func (b *pickfirstBalancer) updateSubConnHealthState(sd *scData, state balancer.SubConnState) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	// Previously relevant SubConns can still callback with state updates.
+	// To prevent pickers from returning these obsolete SubConns, this logic
+	// is included to check if the current list of active SubConns includes
+	// this SubConn.
+	if !b.isActiveSCData(sd) {
+		return
+	}
+	sd.effectiveState = state.ConnectivityState
+	switch state.ConnectivityState {
+	case connectivity.Ready:
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Ready,
+			Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
 		})
 	case connectivity.TransientFailure:
-		b.cc.UpdateState(balancer.State{
-			ConnectivityState: state.ConnectivityState,
-			Picker:            &picker{err: state.ConnectionError},
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.TransientFailure,
+			Picker:            &picker{err: fmt.Errorf("pickfirst: health check failure: %v", state.ConnectionError)},
+		})
+	case connectivity.Connecting:
+		b.updateBalancerState(balancer.State{
+			ConnectivityState: connectivity.Connecting,
+			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
 		})
+	default:
+		b.logger.Errorf("Got unexpected health update for SubConn %p: %v", state)
 	}
-	b.state = state.ConnectivityState
 }
 
-func (b *pickfirstBalancer) Close() {
+// updateBalancerState stores the state reported to the channel and calls
+// ClientConn.UpdateState(). As an optimization, it avoids sending duplicate
+// updates to the channel.
+func (b *pickfirstBalancer) updateBalancerState(newState balancer.State) {
+	// In case of TransientFailures allow the picker to be updated to update
+	// the connectivity error, in all other cases don't send duplicate state
+	// updates.
+	if newState.ConnectivityState == b.state && b.state != connectivity.TransientFailure {
+		return
+	}
+	b.forceUpdateConcludedStateLocked(newState)
 }
 
-func (b *pickfirstBalancer) ExitIdle() {
-	if b.subConn != nil && b.state == connectivity.Idle {
-		b.subConn.Connect()
-	}
+// forceUpdateConcludedStateLocked stores the state reported to the channel and
+// calls ClientConn.UpdateState().
+// A separate function is defined to force update the ClientConn state since the
+// channel doesn't correctly assume that LB policies start in CONNECTING and
+// relies on LB policy to send an initial CONNECTING update.
+func (b *pickfirstBalancer) forceUpdateConcludedStateLocked(newState balancer.State) {
+	b.state = newState.ConnectivityState
+	b.cc.UpdateState(newState)
 }
 
 type picker struct {
@@ -282,10 +822,87 @@ func (p *picker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
 // idlePicker is used when the SubConn is IDLE and kicks the SubConn into
 // CONNECTING when Pick is called.
 type idlePicker struct {
-	subConn balancer.SubConn
+	exitIdle func()
 }
 
 func (i *idlePicker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	i.subConn.Connect()
+	i.exitIdle()
 	return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
 }
+
+// addressList manages sequentially iterating over addresses present in a list
+// of endpoints. It provides a 1 dimensional view of the addresses present in
+// the endpoints.
+// This type is not safe for concurrent access.
+type addressList struct {
+	addresses []resolver.Address
+	idx       int
+}
+
+func (al *addressList) isValid() bool {
+	return al.idx < len(al.addresses)
+}
+
+func (al *addressList) size() int {
+	return len(al.addresses)
+}
+
+// increment moves to the next index in the address list.
+// This method returns false if it went off the list, true otherwise.
+func (al *addressList) increment() bool {
+	if !al.isValid() {
+		return false
+	}
+	al.idx++
+	return al.idx < len(al.addresses)
+}
+
+// currentAddress returns the current address pointed to in the addressList.
+// If the list is in an invalid state, it returns an empty address instead.
+func (al *addressList) currentAddress() resolver.Address {
+	if !al.isValid() {
+		return resolver.Address{}
+	}
+	return al.addresses[al.idx]
+}
+
+func (al *addressList) reset() {
+	al.idx = 0
+}
+
+func (al *addressList) updateAddrs(addrs []resolver.Address) {
+	al.addresses = addrs
+	al.reset()
+}
+
+// seekTo returns false if the needle was not found and the current index was
+// left unchanged.
+func (al *addressList) seekTo(needle resolver.Address) bool {
+	for ai, addr := range al.addresses {
+		if !equalAddressIgnoringBalAttributes(&addr, &needle) {
+			continue
+		}
+		al.idx = ai
+		return true
+	}
+	return false
+}
+
+// hasNext returns whether incrementing the addressList will result in moving
+// past the end of the list. If the list has already moved past the end, it
+// returns false.
+func (al *addressList) hasNext() bool {
+	if !al.isValid() {
+		return false
+	}
+	return al.idx+1 < len(al.addresses)
+}
+
+// equalAddressIgnoringBalAttributes returns true is a and b are considered
+// equal. This is different from the Equal method on the resolver.Address type
+// which considers all fields to determine equality. Here, we only consider
+// fields that are meaningful to the SubConn.
+func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
+	return a.Addr == b.Addr && a.ServerName == b.ServerName &&
+		a.Attributes.Equal(b.Attributes)
+}
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
deleted file mode 100644
index 67f315a0db..0000000000
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
+++ /dev/null
@@ -1,906 +0,0 @@
-/*
- *
- * Copyright 2024 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-// Package pickfirstleaf contains the pick_first load balancing policy which
-// will be the universal leaf policy after dualstack changes are implemented.
-//
-// # Experimental
-//
-// Notice: This package is EXPERIMENTAL and may be changed or removed in a
-// later release.
-package pickfirstleaf
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"time"
-
-	"google.golang.org/grpc/balancer"
-	"google.golang.org/grpc/balancer/pickfirst/internal"
-	"google.golang.org/grpc/connectivity"
-	expstats "google.golang.org/grpc/experimental/stats"
-	"google.golang.org/grpc/grpclog"
-	"google.golang.org/grpc/internal/envconfig"
-	internalgrpclog "google.golang.org/grpc/internal/grpclog"
-	"google.golang.org/grpc/internal/pretty"
-	"google.golang.org/grpc/resolver"
-	"google.golang.org/grpc/serviceconfig"
-)
-
-func init() {
-	if envconfig.NewPickFirstEnabled {
-		// Register as the default pick_first balancer.
-		Name = "pick_first"
-	}
-	balancer.Register(pickfirstBuilder{})
-}
-
-// enableHealthListenerKeyType is a unique key type used in resolver
-// attributes to indicate whether the health listener usage is enabled.
-type enableHealthListenerKeyType struct{}
-
-var (
-	logger = grpclog.Component("pick-first-leaf-lb")
-	// Name is the name of the pick_first_leaf balancer.
-	// It is changed to "pick_first" in init() if this balancer is to be
-	// registered as the default pickfirst.
-	Name                 = "pick_first_leaf"
-	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.disconnections",
-		Description: "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
-		Unit:        "{disconnection}",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.connection_attempts_succeeded",
-		Description: "EXPERIMENTAL. Number of successful connection attempts.",
-		Unit:        "{attempt}",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
-		Name:        "grpc.lb.pick_first.connection_attempts_failed",
-		Description: "EXPERIMENTAL. Number of failed connection attempts.",
-		Unit:        "{attempt}",
-		Labels:      []string{"grpc.target"},
-		Default:     false,
-	})
-)
-
-const (
-	// TODO: change to pick-first when this becomes the default pick_first policy.
-	logPrefix = "[pick-first-leaf-lb %p] "
-	// connectionDelayInterval is the time to wait for during the happy eyeballs
-	// pass before starting the next connection attempt.
-	connectionDelayInterval = 250 * time.Millisecond
-)
-
-type ipAddrFamily int
-
-const (
-	// ipAddrFamilyUnknown represents strings that can't be parsed as an IP
-	// address.
-	ipAddrFamilyUnknown ipAddrFamily = iota
-	ipAddrFamilyV4
-	ipAddrFamilyV6
-)
-
-type pickfirstBuilder struct{}
-
-func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions) balancer.Balancer {
-	b := &pickfirstBalancer{
-		cc:              cc,
-		target:          bo.Target.String(),
-		metricsRecorder: cc.MetricsRecorder(),
-
-		subConns:              resolver.NewAddressMapV2[*scData](),
-		state:                 connectivity.Connecting,
-		cancelConnectionTimer: func() {},
-	}
-	b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf(logPrefix, b))
-	return b
-}
-
-func (b pickfirstBuilder) Name() string {
-	return Name
-}
-
-func (pickfirstBuilder) ParseConfig(js json.RawMessage) (serviceconfig.LoadBalancingConfig, error) {
-	var cfg pfConfig
-	if err := json.Unmarshal(js, &cfg); err != nil {
-		return nil, fmt.Errorf("pickfirst: unable to unmarshal LB policy config: %s, error: %v", string(js), err)
-	}
-	return cfg, nil
-}
-
-// EnableHealthListener updates the state to configure pickfirst for using a
-// generic health listener.
-func EnableHealthListener(state resolver.State) resolver.State {
-	state.Attributes = state.Attributes.WithValue(enableHealthListenerKeyType{}, true)
-	return state
-}
-
-type pfConfig struct {
-	serviceconfig.LoadBalancingConfig `json:"-"`
-
-	// If set to true, instructs the LB policy to shuffle the order of the list
-	// of endpoints received from the name resolver before attempting to
-	// connect to them.
-	ShuffleAddressList bool `json:"shuffleAddressList"`
-}
-
-// scData keeps track of the current state of the subConn.
-// It is not safe for concurrent access.
-type scData struct {
-	// The following fields are initialized at build time and read-only after
-	// that.
-	subConn balancer.SubConn
-	addr    resolver.Address
-
-	rawConnectivityState connectivity.State
-	// The effective connectivity state based on raw connectivity, health state
-	// and after following sticky TransientFailure behaviour defined in A62.
-	effectiveState              connectivity.State
-	lastErr                     error
-	connectionFailedInFirstPass bool
-}
-
-func (b *pickfirstBalancer) newSCData(addr resolver.Address) (*scData, error) {
-	sd := &scData{
-		rawConnectivityState: connectivity.Idle,
-		effectiveState:       connectivity.Idle,
-		addr:                 addr,
-	}
-	sc, err := b.cc.NewSubConn([]resolver.Address{addr}, balancer.NewSubConnOptions{
-		StateListener: func(state balancer.SubConnState) {
-			b.updateSubConnState(sd, state)
-		},
-	})
-	if err != nil {
-		return nil, err
-	}
-	sd.subConn = sc
-	return sd, nil
-}
-
-type pickfirstBalancer struct {
-	// The following fields are initialized at build time and read-only after
-	// that and therefore do not need to be guarded by a mutex.
-	logger          *internalgrpclog.PrefixLogger
-	cc              balancer.ClientConn
-	target          string
-	metricsRecorder expstats.MetricsRecorder // guaranteed to be non nil
-
-	// The mutex is used to ensure synchronization of updates triggered
-	// from the idle picker and the already serialized resolver,
-	// SubConn state updates.
-	mu sync.Mutex
-	// State reported to the channel based on SubConn states and resolver
-	// updates.
-	state connectivity.State
-	// scData for active subonns mapped by address.
-	subConns              *resolver.AddressMapV2[*scData]
-	addressList           addressList
-	firstPass             bool
-	numTF                 int
-	cancelConnectionTimer func()
-	healthCheckingEnabled bool
-}
-
-// ResolverError is called by the ClientConn when the name resolver produces
-// an error or when pickfirst determined the resolver update to be invalid.
-func (b *pickfirstBalancer) ResolverError(err error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.resolverErrorLocked(err)
-}
-
-func (b *pickfirstBalancer) resolverErrorLocked(err error) {
-	if b.logger.V(2) {
-		b.logger.Infof("Received error from the name resolver: %v", err)
-	}
-
-	// The picker will not change since the balancer does not currently
-	// report an error. If the balancer hasn't received a single good resolver
-	// update yet, transition to TRANSIENT_FAILURE.
-	if b.state != connectivity.TransientFailure && b.addressList.size() > 0 {
-		if b.logger.V(2) {
-			b.logger.Infof("Ignoring resolver error because balancer is using a previous good update.")
-		}
-		return
-	}
-
-	b.updateBalancerState(balancer.State{
-		ConnectivityState: connectivity.TransientFailure,
-		Picker:            &picker{err: fmt.Errorf("name resolver error: %v", err)},
-	})
-}
-
-func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.cancelConnectionTimer()
-	if len(state.ResolverState.Addresses) == 0 && len(state.ResolverState.Endpoints) == 0 {
-		// Cleanup state pertaining to the previous resolver state.
-		// Treat an empty address list like an error by calling b.ResolverError.
-		b.closeSubConnsLocked()
-		b.addressList.updateAddrs(nil)
-		b.resolverErrorLocked(errors.New("produced zero addresses"))
-		return balancer.ErrBadResolverState
-	}
-	b.healthCheckingEnabled = state.ResolverState.Attributes.Value(enableHealthListenerKeyType{}) != nil
-	cfg, ok := state.BalancerConfig.(pfConfig)
-	if state.BalancerConfig != nil && !ok {
-		return fmt.Errorf("pickfirst: received illegal BalancerConfig (type %T): %v: %w", state.BalancerConfig, state.BalancerConfig, balancer.ErrBadResolverState)
-	}
-
-	if b.logger.V(2) {
-		b.logger.Infof("Received new config %s, resolver state %s", pretty.ToJSON(cfg), pretty.ToJSON(state.ResolverState))
-	}
-
-	var newAddrs []resolver.Address
-	if endpoints := state.ResolverState.Endpoints; len(endpoints) != 0 {
-		// Perform the optional shuffling described in gRFC A62. The shuffling
-		// will change the order of endpoints but not touch the order of the
-		// addresses within each endpoint. - A61
-		if cfg.ShuffleAddressList {
-			endpoints = append([]resolver.Endpoint{}, endpoints...)
-			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
-		}
-
-		// "Flatten the list by concatenating the ordered list of addresses for
-		// each of the endpoints, in order." - A61
-		for _, endpoint := range endpoints {
-			newAddrs = append(newAddrs, endpoint.Addresses...)
-		}
-	} else {
-		// Endpoints not set, process addresses until we migrate resolver
-		// emissions fully to Endpoints. The top channel does wrap emitted
-		// addresses with endpoints, however some balancers such as weighted
-		// target do not forward the corresponding correct endpoints down/split
-		// endpoints properly. Once all balancers correctly forward endpoints
-		// down, can delete this else conditional.
-		newAddrs = state.ResolverState.Addresses
-		if cfg.ShuffleAddressList {
-			newAddrs = append([]resolver.Address{}, newAddrs...)
-			internal.RandShuffle(len(endpoints), func(i, j int) { endpoints[i], endpoints[j] = endpoints[j], endpoints[i] })
-		}
-	}
-
-	// If an address appears in multiple endpoints or in the same endpoint
-	// multiple times, we keep it only once. We will create only one SubConn
-	// for the address because an AddressMap is used to store SubConns.
-	// Not de-duplicating would result in attempting to connect to the same
-	// SubConn multiple times in the same pass. We don't want this.
-	newAddrs = deDupAddresses(newAddrs)
-	newAddrs = interleaveAddresses(newAddrs)
-
-	prevAddr := b.addressList.currentAddress()
-	prevSCData, found := b.subConns.Get(prevAddr)
-	prevAddrsCount := b.addressList.size()
-	isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
-	b.addressList.updateAddrs(newAddrs)
-
-	// If the previous ready SubConn exists in new address list,
-	// keep this connection and don't create new SubConns.
-	if isPrevRawConnectivityStateReady && b.addressList.seekTo(prevAddr) {
-		return nil
-	}
-
-	b.reconcileSubConnsLocked(newAddrs)
-	// If it's the first resolver update or the balancer was already READY
-	// (but the new address list does not contain the ready SubConn) or
-	// CONNECTING, enter CONNECTING.
-	// We may be in TRANSIENT_FAILURE due to a previous empty address list,
-	// we should still enter CONNECTING because the sticky TF behaviour
-	//  mentioned in A62 applies only when the TRANSIENT_FAILURE is reported
-	// due to connectivity failures.
-	if isPrevRawConnectivityStateReady || b.state == connectivity.Connecting || prevAddrsCount == 0 {
-		// Start connection attempt at first address.
-		b.forceUpdateConcludedStateLocked(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-		b.startFirstPassLocked()
-	} else if b.state == connectivity.TransientFailure {
-		// If we're in TRANSIENT_FAILURE, we stay in TRANSIENT_FAILURE until
-		// we're READY. See A62.
-		b.startFirstPassLocked()
-	}
-	return nil
-}
-
-// UpdateSubConnState is unused as a StateListener is always registered when
-// creating SubConns.
-func (b *pickfirstBalancer) UpdateSubConnState(subConn balancer.SubConn, state balancer.SubConnState) {
-	b.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", subConn, state)
-}
-
-func (b *pickfirstBalancer) Close() {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	b.closeSubConnsLocked()
-	b.cancelConnectionTimer()
-	b.state = connectivity.Shutdown
-}
-
-// ExitIdle moves the balancer out of idle state. It can be called concurrently
-// by the idlePicker and clientConn so access to variables should be
-// synchronized.
-func (b *pickfirstBalancer) ExitIdle() {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.state == connectivity.Idle {
-		b.startFirstPassLocked()
-	}
-}
-
-func (b *pickfirstBalancer) startFirstPassLocked() {
-	b.firstPass = true
-	b.numTF = 0
-	// Reset the connection attempt record for existing SubConns.
-	for _, sd := range b.subConns.Values() {
-		sd.connectionFailedInFirstPass = false
-	}
-	b.requestConnectionLocked()
-}
-
-func (b *pickfirstBalancer) closeSubConnsLocked() {
-	for _, sd := range b.subConns.Values() {
-		sd.subConn.Shutdown()
-	}
-	b.subConns = resolver.NewAddressMapV2[*scData]()
-}
-
-// deDupAddresses ensures that each address appears only once in the slice.
-func deDupAddresses(addrs []resolver.Address) []resolver.Address {
-	seenAddrs := resolver.NewAddressMapV2[*scData]()
-	retAddrs := []resolver.Address{}
-
-	for _, addr := range addrs {
-		if _, ok := seenAddrs.Get(addr); ok {
-			continue
-		}
-		retAddrs = append(retAddrs, addr)
-	}
-	return retAddrs
-}
-
-// interleaveAddresses interleaves addresses of both families (IPv4 and IPv6)
-// as per RFC-8305 section 4.
-// Whichever address family is first in the list is followed by an address of
-// the other address family; that is, if the first address in the list is IPv6,
-// then the first IPv4 address should be moved up in the list to be second in
-// the list. It doesn't support configuring "First Address Family Count", i.e.
-// there will always be a single member of the first address family at the
-// beginning of the interleaved list.
-// Addresses that are neither IPv4 nor IPv6 are treated as part of a third
-// "unknown" family for interleaving.
-// See: https://datatracker.ietf.org/doc/html/rfc8305#autoid-6
-func interleaveAddresses(addrs []resolver.Address) []resolver.Address {
-	familyAddrsMap := map[ipAddrFamily][]resolver.Address{}
-	interleavingOrder := []ipAddrFamily{}
-	for _, addr := range addrs {
-		family := addressFamily(addr.Addr)
-		if _, found := familyAddrsMap[family]; !found {
-			interleavingOrder = append(interleavingOrder, family)
-		}
-		familyAddrsMap[family] = append(familyAddrsMap[family], addr)
-	}
-
-	interleavedAddrs := make([]resolver.Address, 0, len(addrs))
-
-	for curFamilyIdx := 0; len(interleavedAddrs) < len(addrs); curFamilyIdx = (curFamilyIdx + 1) % len(interleavingOrder) {
-		// Some IP types may have fewer addresses than others, so we look for
-		// the next type that has a remaining member to add to the interleaved
-		// list.
-		family := interleavingOrder[curFamilyIdx]
-		remainingMembers := familyAddrsMap[family]
-		if len(remainingMembers) > 0 {
-			interleavedAddrs = append(interleavedAddrs, remainingMembers[0])
-			familyAddrsMap[family] = remainingMembers[1:]
-		}
-	}
-
-	return interleavedAddrs
-}
-
-// addressFamily returns the ipAddrFamily after parsing the address string.
-// If the address isn't of the format "ip-address:port", it returns
-// ipAddrFamilyUnknown. The address may be valid even if it's not an IP when
-// using a resolver like passthrough where the address may be a hostname in
-// some format that the dialer can resolve.
-func addressFamily(address string) ipAddrFamily {
-	// Parse the IP after removing the port.
-	host, _, err := net.SplitHostPort(address)
-	if err != nil {
-		return ipAddrFamilyUnknown
-	}
-	ip, err := netip.ParseAddr(host)
-	if err != nil {
-		return ipAddrFamilyUnknown
-	}
-	switch {
-	case ip.Is4() || ip.Is4In6():
-		return ipAddrFamilyV4
-	case ip.Is6():
-		return ipAddrFamilyV6
-	default:
-		return ipAddrFamilyUnknown
-	}
-}
-
-// reconcileSubConnsLocked updates the active subchannels based on a new address
-// list from the resolver. It does this by:
-//   - closing subchannels: any existing subchannels associated with addresses
-//     that are no longer in the updated list are shut down.
-//   - removing subchannels: entries for these closed subchannels are removed
-//     from the subchannel map.
-//
-// This ensures that the subchannel map accurately reflects the current set of
-// addresses received from the name resolver.
-func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
-	newAddrsMap := resolver.NewAddressMapV2[bool]()
-	for _, addr := range newAddrs {
-		newAddrsMap.Set(addr, true)
-	}
-
-	for _, oldAddr := range b.subConns.Keys() {
-		if _, ok := newAddrsMap.Get(oldAddr); ok {
-			continue
-		}
-		val, _ := b.subConns.Get(oldAddr)
-		val.subConn.Shutdown()
-		b.subConns.Delete(oldAddr)
-	}
-}
-
-// shutdownRemainingLocked shuts down remaining subConns. Called when a subConn
-// becomes ready, which means that all other subConn must be shutdown.
-func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
-	b.cancelConnectionTimer()
-	for _, sd := range b.subConns.Values() {
-		if sd.subConn != selected.subConn {
-			sd.subConn.Shutdown()
-		}
-	}
-	b.subConns = resolver.NewAddressMapV2[*scData]()
-	b.subConns.Set(selected.addr, selected)
-}
-
-// requestConnectionLocked starts connecting on the subchannel corresponding to
-// the current address. If no subchannel exists, one is created. If the current
-// subchannel is in TransientFailure, a connection to the next address is
-// attempted until a subchannel is found.
-func (b *pickfirstBalancer) requestConnectionLocked() {
-	if !b.addressList.isValid() {
-		return
-	}
-	var lastErr error
-	for valid := true; valid; valid = b.addressList.increment() {
-		curAddr := b.addressList.currentAddress()
-		sd, ok := b.subConns.Get(curAddr)
-		if !ok {
-			var err error
-			// We want to assign the new scData to sd from the outer scope,
-			// hence we can't use := below.
-			sd, err = b.newSCData(curAddr)
-			if err != nil {
-				// This should never happen, unless the clientConn is being shut
-				// down.
-				if b.logger.V(2) {
-					b.logger.Infof("Failed to create a subConn for address %v: %v", curAddr.String(), err)
-				}
-				// Do nothing, the LB policy will be closed soon.
-				return
-			}
-			b.subConns.Set(curAddr, sd)
-		}
-
-		switch sd.rawConnectivityState {
-		case connectivity.Idle:
-			sd.subConn.Connect()
-			b.scheduleNextConnectionLocked()
-			return
-		case connectivity.TransientFailure:
-			// The SubConn is being re-used and failed during a previous pass
-			// over the addressList. It has not completed backoff yet.
-			// Mark it as having failed and try the next address.
-			sd.connectionFailedInFirstPass = true
-			lastErr = sd.lastErr
-			continue
-		case connectivity.Connecting:
-			// Wait for the connection attempt to complete or the timer to fire
-			// before attempting the next address.
-			b.scheduleNextConnectionLocked()
-			return
-		default:
-			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
-			return
-
-		}
-	}
-
-	// All the remaining addresses in the list are in TRANSIENT_FAILURE, end the
-	// first pass if possible.
-	b.endFirstPassIfPossibleLocked(lastErr)
-}
-
-func (b *pickfirstBalancer) scheduleNextConnectionLocked() {
-	b.cancelConnectionTimer()
-	if !b.addressList.hasNext() {
-		return
-	}
-	curAddr := b.addressList.currentAddress()
-	cancelled := false // Access to this is protected by the balancer's mutex.
-	closeFn := internal.TimeAfterFunc(connectionDelayInterval, func() {
-		b.mu.Lock()
-		defer b.mu.Unlock()
-		// If the scheduled task is cancelled while acquiring the mutex, return.
-		if cancelled {
-			return
-		}
-		if b.logger.V(2) {
-			b.logger.Infof("Happy Eyeballs timer expired while waiting for connection to %q.", curAddr.Addr)
-		}
-		if b.addressList.increment() {
-			b.requestConnectionLocked()
-		}
-	})
-	// Access to the cancellation callback held by the balancer is guarded by
-	// the balancer's mutex, so it's safe to set the boolean from the callback.
-	b.cancelConnectionTimer = sync.OnceFunc(func() {
-		cancelled = true
-		closeFn()
-	})
-}
-
-func (b *pickfirstBalancer) updateSubConnState(sd *scData, newState balancer.SubConnState) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	oldState := sd.rawConnectivityState
-	sd.rawConnectivityState = newState.ConnectivityState
-	// Previously relevant SubConns can still callback with state updates.
-	// To prevent pickers from returning these obsolete SubConns, this logic
-	// is included to check if the current list of active SubConns includes this
-	// SubConn.
-	if !b.isActiveSCData(sd) {
-		return
-	}
-	if newState.ConnectivityState == connectivity.Shutdown {
-		sd.effectiveState = connectivity.Shutdown
-		return
-	}
-
-	// Record a connection attempt when exiting CONNECTING.
-	if newState.ConnectivityState == connectivity.TransientFailure {
-		sd.connectionFailedInFirstPass = true
-		connectionAttemptsFailedMetric.Record(b.metricsRecorder, 1, b.target)
-	}
-
-	if newState.ConnectivityState == connectivity.Ready {
-		connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
-		b.shutdownRemainingLocked(sd)
-		if !b.addressList.seekTo(sd.addr) {
-			// This should not fail as we should have only one SubConn after
-			// entering READY. The SubConn should be present in the addressList.
-			b.logger.Errorf("Address %q not found address list in  %v", sd.addr, b.addressList.addresses)
-			return
-		}
-		if !b.healthCheckingEnabled {
-			if b.logger.V(2) {
-				b.logger.Infof("SubConn %p reported connectivity state READY and the health listener is disabled. Transitioning SubConn to READY.", sd.subConn)
-			}
-
-			sd.effectiveState = connectivity.Ready
-			b.updateBalancerState(balancer.State{
-				ConnectivityState: connectivity.Ready,
-				Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
-			})
-			return
-		}
-		if b.logger.V(2) {
-			b.logger.Infof("SubConn %p reported connectivity state READY. Registering health listener.", sd.subConn)
-		}
-		// Send a CONNECTING update to take the SubConn out of sticky-TF if
-		// required.
-		sd.effectiveState = connectivity.Connecting
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-		sd.subConn.RegisterHealthListener(func(scs balancer.SubConnState) {
-			b.updateSubConnHealthState(sd, scs)
-		})
-		return
-	}
-
-	// If the LB policy is READY, and it receives a subchannel state change,
-	// it means that the READY subchannel has failed.
-	// A SubConn can also transition from CONNECTING directly to IDLE when
-	// a transport is successfully created, but the connection fails
-	// before the SubConn can send the notification for READY. We treat
-	// this as a successful connection and transition to IDLE.
-	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
-	// part of the if condition below once the issue is fixed.
-	if oldState == connectivity.Ready || (oldState == connectivity.Connecting && newState.ConnectivityState == connectivity.Idle) {
-		// Once a transport fails, the balancer enters IDLE and starts from
-		// the first address when the picker is used.
-		b.shutdownRemainingLocked(sd)
-		sd.effectiveState = newState.ConnectivityState
-		// READY SubConn interspliced in between CONNECTING and IDLE, need to
-		// account for that.
-		if oldState == connectivity.Connecting {
-			// A known issue (https://github.com/grpc/grpc-go/issues/7862)
-			// causes a race that prevents the READY state change notification.
-			// This works around it.
-			connectionAttemptsSucceededMetric.Record(b.metricsRecorder, 1, b.target)
-		}
-		disconnectionsMetric.Record(b.metricsRecorder, 1, b.target)
-		b.addressList.reset()
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Idle,
-			Picker:            &idlePicker{exitIdle: sync.OnceFunc(b.ExitIdle)},
-		})
-		return
-	}
-
-	if b.firstPass {
-		switch newState.ConnectivityState {
-		case connectivity.Connecting:
-			// The effective state can be in either IDLE, CONNECTING or
-			// TRANSIENT_FAILURE. If it's  TRANSIENT_FAILURE, stay in
-			// TRANSIENT_FAILURE until it's READY. See A62.
-			if sd.effectiveState != connectivity.TransientFailure {
-				sd.effectiveState = connectivity.Connecting
-				b.updateBalancerState(balancer.State{
-					ConnectivityState: connectivity.Connecting,
-					Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-				})
-			}
-		case connectivity.TransientFailure:
-			sd.lastErr = newState.ConnectionError
-			sd.effectiveState = connectivity.TransientFailure
-			// Since we're re-using common SubConns while handling resolver
-			// updates, we could receive an out of turn TRANSIENT_FAILURE from
-			// a pass over the previous address list. Happy Eyeballs will also
-			// cause out of order updates to arrive.
-
-			if curAddr := b.addressList.currentAddress(); equalAddressIgnoringBalAttributes(&curAddr, &sd.addr) {
-				b.cancelConnectionTimer()
-				if b.addressList.increment() {
-					b.requestConnectionLocked()
-					return
-				}
-			}
-
-			// End the first pass if we've seen a TRANSIENT_FAILURE from all
-			// SubConns once.
-			b.endFirstPassIfPossibleLocked(newState.ConnectionError)
-		}
-		return
-	}
-
-	// We have finished the first pass, keep re-connecting failing SubConns.
-	switch newState.ConnectivityState {
-	case connectivity.TransientFailure:
-		b.numTF = (b.numTF + 1) % b.subConns.Len()
-		sd.lastErr = newState.ConnectionError
-		if b.numTF%b.subConns.Len() == 0 {
-			b.updateBalancerState(balancer.State{
-				ConnectivityState: connectivity.TransientFailure,
-				Picker:            &picker{err: newState.ConnectionError},
-			})
-		}
-		// We don't need to request re-resolution since the SubConn already
-		// does that before reporting TRANSIENT_FAILURE.
-		// TODO: #7534 - Move re-resolution requests from SubConn into
-		// pick_first.
-	case connectivity.Idle:
-		sd.subConn.Connect()
-	}
-}
-
-// endFirstPassIfPossibleLocked ends the first happy-eyeballs pass if all the
-// addresses are tried and their SubConns have reported a failure.
-func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
-	// An optimization to avoid iterating over the entire SubConn map.
-	if b.addressList.isValid() {
-		return
-	}
-	// Connect() has been called on all the SubConns. The first pass can be
-	// ended if all the SubConns have reported a failure.
-	for _, sd := range b.subConns.Values() {
-		if !sd.connectionFailedInFirstPass {
-			return
-		}
-	}
-	b.firstPass = false
-	b.updateBalancerState(balancer.State{
-		ConnectivityState: connectivity.TransientFailure,
-		Picker:            &picker{err: lastErr},
-	})
-	// Start re-connecting all the SubConns that are already in IDLE.
-	for _, sd := range b.subConns.Values() {
-		if sd.rawConnectivityState == connectivity.Idle {
-			sd.subConn.Connect()
-		}
-	}
-}
-
-func (b *pickfirstBalancer) isActiveSCData(sd *scData) bool {
-	activeSD, found := b.subConns.Get(sd.addr)
-	return found && activeSD == sd
-}
-
-func (b *pickfirstBalancer) updateSubConnHealthState(sd *scData, state balancer.SubConnState) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	// Previously relevant SubConns can still callback with state updates.
-	// To prevent pickers from returning these obsolete SubConns, this logic
-	// is included to check if the current list of active SubConns includes
-	// this SubConn.
-	if !b.isActiveSCData(sd) {
-		return
-	}
-	sd.effectiveState = state.ConnectivityState
-	switch state.ConnectivityState {
-	case connectivity.Ready:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Ready,
-			Picker:            &picker{result: balancer.PickResult{SubConn: sd.subConn}},
-		})
-	case connectivity.TransientFailure:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.TransientFailure,
-			Picker:            &picker{err: fmt.Errorf("pickfirst: health check failure: %v", state.ConnectionError)},
-		})
-	case connectivity.Connecting:
-		b.updateBalancerState(balancer.State{
-			ConnectivityState: connectivity.Connecting,
-			Picker:            &picker{err: balancer.ErrNoSubConnAvailable},
-		})
-	default:
-		b.logger.Errorf("Got unexpected health update for SubConn %p: %v", state)
-	}
-}
-
-// updateBalancerState stores the state reported to the channel and calls
-// ClientConn.UpdateState(). As an optimization, it avoids sending duplicate
-// updates to the channel.
-func (b *pickfirstBalancer) updateBalancerState(newState balancer.State) {
-	// In case of TransientFailures allow the picker to be updated to update
-	// the connectivity error, in all other cases don't send duplicate state
-	// updates.
-	if newState.ConnectivityState == b.state && b.state != connectivity.TransientFailure {
-		return
-	}
-	b.forceUpdateConcludedStateLocked(newState)
-}
-
-// forceUpdateConcludedStateLocked stores the state reported to the channel and
-// calls ClientConn.UpdateState().
-// A separate function is defined to force update the ClientConn state since the
-// channel doesn't correctly assume that LB policies start in CONNECTING and
-// relies on LB policy to send an initial CONNECTING update.
-func (b *pickfirstBalancer) forceUpdateConcludedStateLocked(newState balancer.State) {
-	b.state = newState.ConnectivityState
-	b.cc.UpdateState(newState)
-}
-
-type picker struct {
-	result balancer.PickResult
-	err    error
-}
-
-func (p *picker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	return p.result, p.err
-}
-
-// idlePicker is used when the SubConn is IDLE and kicks the SubConn into
-// CONNECTING when Pick is called.
-type idlePicker struct {
-	exitIdle func()
-}
-
-func (i *idlePicker) Pick(balancer.PickInfo) (balancer.PickResult, error) {
-	i.exitIdle()
-	return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
-}
-
-// addressList manages sequentially iterating over addresses present in a list
-// of endpoints. It provides a 1 dimensional view of the addresses present in
-// the endpoints.
-// This type is not safe for concurrent access.
-type addressList struct {
-	addresses []resolver.Address
-	idx       int
-}
-
-func (al *addressList) isValid() bool {
-	return al.idx < len(al.addresses)
-}
-
-func (al *addressList) size() int {
-	return len(al.addresses)
-}
-
-// increment moves to the next index in the address list.
-// This method returns false if it went off the list, true otherwise.
-func (al *addressList) increment() bool {
-	if !al.isValid() {
-		return false
-	}
-	al.idx++
-	return al.idx < len(al.addresses)
-}
-
-// currentAddress returns the current address pointed to in the addressList.
-// If the list is in an invalid state, it returns an empty address instead.
-func (al *addressList) currentAddress() resolver.Address {
-	if !al.isValid() {
-		return resolver.Address{}
-	}
-	return al.addresses[al.idx]
-}
-
-func (al *addressList) reset() {
-	al.idx = 0
-}
-
-func (al *addressList) updateAddrs(addrs []resolver.Address) {
-	al.addresses = addrs
-	al.reset()
-}
-
-// seekTo returns false if the needle was not found and the current index was
-// left unchanged.
-func (al *addressList) seekTo(needle resolver.Address) bool {
-	for ai, addr := range al.addresses {
-		if !equalAddressIgnoringBalAttributes(&addr, &needle) {
-			continue
-		}
-		al.idx = ai
-		return true
-	}
-	return false
-}
-
-// hasNext returns whether incrementing the addressList will result in moving
-// past the end of the list. If the list has already moved past the end, it
-// returns false.
-func (al *addressList) hasNext() bool {
-	if !al.isValid() {
-		return false
-	}
-	return al.idx+1 < len(al.addresses)
-}
-
-// equalAddressIgnoringBalAttributes returns true is a and b are considered
-// equal. This is different from the Equal method on the resolver.Address type
-// which considers all fields to determine equality. Here, we only consider
-// fields that are meaningful to the SubConn.
-func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
-	return a.Addr == b.Addr && a.ServerName == b.ServerName &&
-		a.Attributes.Equal(b.Attributes)
-}
diff --git a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
index 22045bf394..22e6e32679 100644
--- a/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
+++ b/vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go
@@ -26,7 +26,7 @@ import (
 
 	"google.golang.org/grpc/balancer"
 	"google.golang.org/grpc/balancer/endpointsharding"
-	"google.golang.org/grpc/balancer/pickfirst/pickfirstleaf"
+	"google.golang.org/grpc/balancer/pickfirst"
 	"google.golang.org/grpc/grpclog"
 	internalgrpclog "google.golang.org/grpc/internal/grpclog"
 )
@@ -47,7 +47,7 @@ func (bb builder) Name() string {
 }
 
 func (bb builder) Build(cc balancer.ClientConn, opts balancer.BuildOptions) balancer.Balancer {
-	childBuilder := balancer.Get(pickfirstleaf.Name).Build
+	childBuilder := balancer.Get(pickfirst.Name).Build
 	bal := &rrBalancer{
 		cc:       cc,
 		Balancer: endpointsharding.NewBalancer(cc, opts, childBuilder, endpointsharding.Options{}),
@@ -67,6 +67,6 @@ func (b *rrBalancer) UpdateClientConnState(ccs balancer.ClientConnState) error {
 	return b.Balancer.UpdateClientConnState(balancer.ClientConnState{
 		// Enable the health listener in pickfirst children for client side health
 		// checks and outlier detection, if configured.
-		ResolverState: pickfirstleaf.EnableHealthListener(ccs.ResolverState),
+		ResolverState: pickfirst.EnableHealthListener(ccs.ResolverState),
 	})
 }
diff --git a/vendor/google.golang.org/grpc/balancer_wrapper.go b/vendor/google.golang.org/grpc/balancer_wrapper.go
index 948a21ef68..2c760e623f 100644
--- a/vendor/google.golang.org/grpc/balancer_wrapper.go
+++ b/vendor/google.golang.org/grpc/balancer_wrapper.go
@@ -450,13 +450,14 @@ func (acbw *acBalancerWrapper) healthListenerRegFn() func(context.Context, func(
 	if acbw.ccb.cc.dopts.disableHealthCheck {
 		return noOpRegisterHealthListenerFn
 	}
+	cfg := acbw.ac.cc.healthCheckConfig()
+	if cfg == nil {
+		return noOpRegisterHealthListenerFn
+	}
 	regHealthLisFn := internal.RegisterClientHealthCheckListener
 	if regHealthLisFn == nil {
 		// The health package is not imported.
-		return noOpRegisterHealthListenerFn
-	}
-	cfg := acbw.ac.cc.healthCheckConfig()
-	if cfg == nil {
+		channelz.Error(logger, acbw.ac.channelz, "Health check is requested but health package is not imported.")
 		return noOpRegisterHealthListenerFn
 	}
 	return func(ctx context.Context, listener func(balancer.SubConnState)) func() {
diff --git a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
index b1364a0325..42c61cf9fe 100644
--- a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
+++ b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
@@ -18,7 +18,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/binlog/v1/binarylog.proto
 
diff --git a/vendor/google.golang.org/grpc/clientconn.go b/vendor/google.golang.org/grpc/clientconn.go
index 3f762285db..b767d3e33e 100644
--- a/vendor/google.golang.org/grpc/clientconn.go
+++ b/vendor/google.golang.org/grpc/clientconn.go
@@ -35,16 +35,19 @@ import (
 	"google.golang.org/grpc/balancer/pickfirst"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/credentials"
+	expstats "google.golang.org/grpc/experimental/stats"
 	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/channelz"
 	"google.golang.org/grpc/internal/grpcsync"
 	"google.golang.org/grpc/internal/idle"
 	iresolver "google.golang.org/grpc/internal/resolver"
-	"google.golang.org/grpc/internal/stats"
+	istats "google.golang.org/grpc/internal/stats"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/resolver"
 	"google.golang.org/grpc/serviceconfig"
+	"google.golang.org/grpc/stats"
 	"google.golang.org/grpc/status"
 
 	_ "google.golang.org/grpc/balancer/roundrobin"           // To register roundrobin.
@@ -97,6 +100,41 @@ var (
 	errTransportCredentialsMissing = errors.New("grpc: the credentials require transport level security (use grpc.WithTransportCredentials() to set)")
 )
 
+var (
+	disconnectionsMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.disconnections",
+		Description:    "EXPERIMENTAL. Number of times the selected subchannel becomes disconnected.",
+		Unit:           "{disconnection}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality", "grpc.disconnect_error"},
+		Default:        false,
+	})
+	connectionAttemptsSucceededMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.connection_attempts_succeeded",
+		Description:    "EXPERIMENTAL. Number of successful connection attempts.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality"},
+		Default:        false,
+	})
+	connectionAttemptsFailedMetric = expstats.RegisterInt64Count(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.connection_attempts_failed",
+		Description:    "EXPERIMENTAL. Number of failed connection attempts.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.lb.locality"},
+		Default:        false,
+	})
+	openConnectionsMetric = expstats.RegisterInt64UpDownCount(expstats.MetricDescriptor{
+		Name:           "grpc.subchannel.open_connections",
+		Description:    "EXPERIMENTAL. Number of open connections.",
+		Unit:           "{attempt}",
+		Labels:         []string{"grpc.target"},
+		OptionalLabels: []string{"grpc.lb.backend_service", "grpc.security_level", "grpc.lb.locality"},
+		Default:        false,
+	})
+)
+
 const (
 	defaultClientMaxReceiveMessageSize = 1024 * 1024 * 4
 	defaultClientMaxSendMessageSize    = math.MaxInt32
@@ -210,7 +248,8 @@ func NewClient(target string, opts ...DialOption) (conn *ClientConn, err error)
 	cc.csMgr = newConnectivityStateManager(cc.ctx, cc.channelz)
 	cc.pickerWrapper = newPickerWrapper()
 
-	cc.metricsRecorderList = stats.NewMetricsRecorderList(cc.dopts.copts.StatsHandlers)
+	cc.metricsRecorderList = istats.NewMetricsRecorderList(cc.dopts.copts.StatsHandlers)
+	cc.statsHandler = istats.NewCombinedHandler(cc.dopts.copts.StatsHandlers...)
 
 	cc.initIdleStateLocked() // Safe to call without the lock, since nothing else has a reference to cc.
 	cc.idlenessMgr = idle.NewManager((*idler)(cc), cc.dopts.idleTimeout)
@@ -260,9 +299,10 @@ func DialContext(ctx context.Context, target string, opts ...DialOption) (conn *
 	}()
 
 	// This creates the name resolver, load balancer, etc.
-	if err := cc.idlenessMgr.ExitIdleMode(); err != nil {
-		return nil, err
+	if err := cc.exitIdleMode(); err != nil {
+		return nil, fmt.Errorf("failed to exit idle mode: %w", err)
 	}
+	cc.idlenessMgr.UnsafeSetNotIdle()
 
 	// Return now for non-blocking dials.
 	if !cc.dopts.block {
@@ -330,7 +370,7 @@ func (cc *ClientConn) addTraceEvent(msg string) {
 			Severity: channelz.CtInfo,
 		}
 	}
-	channelz.AddTraceEvent(logger, cc.channelz, 0, ted)
+	channelz.AddTraceEvent(logger, cc.channelz, 1, ted)
 }
 
 type idler ClientConn
@@ -339,14 +379,17 @@ func (i *idler) EnterIdleMode() {
 	(*ClientConn)(i).enterIdleMode()
 }
 
-func (i *idler) ExitIdleMode() error {
-	return (*ClientConn)(i).exitIdleMode()
+func (i *idler) ExitIdleMode() {
+	// Ignore the error returned from this method, because from the perspective
+	// of the caller (idleness manager), the channel would have always moved out
+	// of IDLE by the time this method returns.
+	(*ClientConn)(i).exitIdleMode()
 }
 
 // exitIdleMode moves the channel out of idle mode by recreating the name
 // resolver and load balancer.  This should never be called directly; use
 // cc.idlenessMgr.ExitIdleMode instead.
-func (cc *ClientConn) exitIdleMode() (err error) {
+func (cc *ClientConn) exitIdleMode() error {
 	cc.mu.Lock()
 	if cc.conns == nil {
 		cc.mu.Unlock()
@@ -354,11 +397,23 @@ func (cc *ClientConn) exitIdleMode() (err error) {
 	}
 	cc.mu.Unlock()
 
+	// Set state to CONNECTING before building the name resolver
+	// so the channel does not remain in IDLE.
+	cc.csMgr.updateState(connectivity.Connecting)
+
 	// This needs to be called without cc.mu because this builds a new resolver
 	// which might update state or report error inline, which would then need to
 	// acquire cc.mu.
 	if err := cc.resolverWrapper.start(); err != nil {
-		return err
+		// If resolver creation fails, treat it like an error reported by the
+		// resolver before any valid updates. Set channel's state to
+		// TransientFailure, and set an erroring picker with the resolver build
+		// error, which will returned as part of any subsequent RPCs.
+		logger.Warningf("Failed to start resolver: %v", err)
+		cc.csMgr.updateState(connectivity.TransientFailure)
+		cc.mu.Lock()
+		cc.updateResolverStateAndUnlock(resolver.State{}, err)
+		return fmt.Errorf("failed to start resolver: %w", err)
 	}
 
 	cc.addTraceEvent("exiting idle mode")
@@ -456,7 +511,7 @@ func (cc *ClientConn) validateTransportCredentials() error {
 func (cc *ClientConn) channelzRegistration(target string) {
 	parentChannel, _ := cc.dopts.channelzParent.(*channelz.Channel)
 	cc.channelz = channelz.RegisterChannel(parentChannel, target)
-	cc.addTraceEvent("created")
+	cc.addTraceEvent(fmt.Sprintf("created for target %q", target))
 }
 
 // chainUnaryClientInterceptors chains all unary client interceptors into one.
@@ -621,7 +676,8 @@ type ClientConn struct {
 	channelz            *channelz.Channel // Channelz object.
 	resolverBuilder     resolver.Builder  // See initParsedTargetAndResolverBuilder().
 	idlenessMgr         *idle.Manager
-	metricsRecorderList *stats.MetricsRecorderList
+	metricsRecorderList *istats.MetricsRecorderList
+	statsHandler        stats.Handler
 
 	// The following provide their own synchronization, and therefore don't
 	// require cc.mu to be held to access them.
@@ -678,10 +734,8 @@ func (cc *ClientConn) GetState() connectivity.State {
 // Notice: This API is EXPERIMENTAL and may be changed or removed in a later
 // release.
 func (cc *ClientConn) Connect() {
-	if err := cc.idlenessMgr.ExitIdleMode(); err != nil {
-		cc.addTraceEvent(err.Error())
-		return
-	}
+	cc.idlenessMgr.ExitIdleMode()
+
 	// If the ClientConn was not in idle mode, we need to call ExitIdle on the
 	// LB policy so that connections can be created.
 	cc.mu.Lock()
@@ -732,8 +786,8 @@ func init() {
 	internal.EnterIdleModeForTesting = func(cc *ClientConn) {
 		cc.idlenessMgr.EnterIdleModeForTesting()
 	}
-	internal.ExitIdleModeForTesting = func(cc *ClientConn) error {
-		return cc.idlenessMgr.ExitIdleMode()
+	internal.ExitIdleModeForTesting = func(cc *ClientConn) {
+		cc.idlenessMgr.ExitIdleMode()
 	}
 }
 
@@ -858,6 +912,7 @@ func (cc *ClientConn) newAddrConnLocked(addrs []resolver.Address, opts balancer.
 		channelz:     channelz.RegisterSubChannel(cc.channelz, ""),
 		resetBackoff: make(chan struct{}),
 	}
+	ac.updateTelemetryLabelsLocked()
 	ac.ctx, ac.cancel = context.WithCancel(cc.ctx)
 	// Start with our address set to the first address; this may be updated if
 	// we connect to different addresses.
@@ -974,7 +1029,7 @@ func (ac *addrConn) updateAddrs(addrs []resolver.Address) {
 	}
 
 	ac.addrs = addrs
-
+	ac.updateTelemetryLabelsLocked()
 	if ac.state == connectivity.Shutdown ||
 		ac.state == connectivity.TransientFailure ||
 		ac.state == connectivity.Idle {
@@ -1213,6 +1268,9 @@ type addrConn struct {
 	resetBackoff chan struct{}
 
 	channelz *channelz.SubChannel
+
+	localityLabel       string
+	backendServiceLabel string
 }
 
 // Note: this requires a lock on ac.mu.
@@ -1220,6 +1278,18 @@ func (ac *addrConn) updateConnectivityState(s connectivity.State, lastErr error)
 	if ac.state == s {
 		return
 	}
+
+	// If we are transitioning out of Ready, it means there is a disconnection.
+	// A SubConn can also transition from CONNECTING directly to IDLE when
+	// a transport is successfully created, but the connection fails
+	// before the SubConn can send the notification for READY. We treat
+	// this as a successful connection and transition to IDLE.
+	// TODO: https://github.com/grpc/grpc-go/issues/7862 - Remove the second
+	// part of the if condition below once the issue is fixed.
+	if ac.state == connectivity.Ready || (ac.state == connectivity.Connecting && s == connectivity.Idle) {
+		disconnectionsMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel, "unknown")
+		openConnectionsMetric.Record(ac.cc.metricsRecorderList, -1, ac.cc.target, ac.backendServiceLabel, ac.securityLevelLocked(), ac.localityLabel)
+	}
 	ac.state = s
 	ac.channelz.ChannelMetrics.State.Store(&s)
 	if lastErr == nil {
@@ -1277,6 +1347,15 @@ func (ac *addrConn) resetTransportAndUnlock() {
 	ac.mu.Unlock()
 
 	if err := ac.tryAllAddrs(acCtx, addrs, connectDeadline); err != nil {
+		if !errors.Is(err, context.Canceled) {
+			connectionAttemptsFailedMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel)
+		} else {
+			if logger.V(2) {
+				// This records cancelled connection attempts which can be later
+				// replaced by a metric.
+				logger.Infof("Context cancellation detected; not recording this as a failed connection attempt.")
+			}
+		}
 		// TODO: #7534 - Move re-resolution requests into the pick_first LB policy
 		// to ensure one resolution request per pass instead of per subconn failure.
 		ac.cc.resolveNow(resolver.ResolveNowOptions{})
@@ -1316,10 +1395,50 @@ func (ac *addrConn) resetTransportAndUnlock() {
 	}
 	// Success; reset backoff.
 	ac.mu.Lock()
+	connectionAttemptsSucceededMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.localityLabel)
+	openConnectionsMetric.Record(ac.cc.metricsRecorderList, 1, ac.cc.target, ac.backendServiceLabel, ac.securityLevelLocked(), ac.localityLabel)
 	ac.backoffIdx = 0
 	ac.mu.Unlock()
 }
 
+// updateTelemetryLabelsLocked calculates and caches the telemetry labels based on the
+// first address in addrConn.
+func (ac *addrConn) updateTelemetryLabelsLocked() {
+	labelsFunc, ok := internal.AddressToTelemetryLabels.(func(resolver.Address) map[string]string)
+	if !ok || len(ac.addrs) == 0 {
+		// Reset defaults
+		ac.localityLabel = ""
+		ac.backendServiceLabel = ""
+		return
+	}
+	labels := labelsFunc(ac.addrs[0])
+	ac.localityLabel = labels["grpc.lb.locality"]
+	ac.backendServiceLabel = labels["grpc.lb.backend_service"]
+}
+
+type securityLevelKey struct{}
+
+func (ac *addrConn) securityLevelLocked() string {
+	var secLevel string
+	// During disconnection, ac.transport is nil. Fall back to the security level
+	// stored in the current address during connection.
+	if ac.transport == nil {
+		secLevel, _ = ac.curAddr.Attributes.Value(securityLevelKey{}).(string)
+		return secLevel
+	}
+	authInfo := ac.transport.Peer().AuthInfo
+	if ci, ok := authInfo.(interface {
+		GetCommonAuthInfo() credentials.CommonAuthInfo
+	}); ok {
+		secLevel = ci.GetCommonAuthInfo().SecurityLevel.String()
+		// Store the security level in the current address' attributes so
+		// that it remains available for disconnection metrics after the
+		// transport is closed.
+		ac.curAddr.Attributes = ac.curAddr.Attributes.WithValue(securityLevelKey{}, secLevel)
+	}
+	return secLevel
+}
+
 // tryAllAddrs tries to create a connection to the addresses, and stop when at
 // the first successful one. It returns an error if no address was successfully
 // connected, or updates ac appropriately with the new transport.
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go
index c8e337cdda..06f6c6c70a 100644
--- a/vendor/google.golang.org/grpc/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -44,8 +44,7 @@ type PerRPCCredentials interface {
 	// A54). uri is the URI of the entry point for the request.  When supported
 	// by the underlying implementation, ctx can be used for timeout and
 	// cancellation. Additionally, RequestInfo data will be available via ctx
-	// to this call.  TODO(zhaoq): Define the set of the qualified keys instead
-	// of leaving it as an arbitrary string.
+	// to this call.
 	GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error)
 	// RequireTransportSecurity indicates whether the credentials requires
 	// transport security.
diff --git a/vendor/google.golang.org/grpc/encoding/encoding.go b/vendor/google.golang.org/grpc/encoding/encoding.go
index 11d0ae142c..dadd21e40f 100644
--- a/vendor/google.golang.org/grpc/encoding/encoding.go
+++ b/vendor/google.golang.org/grpc/encoding/encoding.go
@@ -27,8 +27,10 @@ package encoding
 
 import (
 	"io"
+	"slices"
 	"strings"
 
+	"google.golang.org/grpc/encoding/internal"
 	"google.golang.org/grpc/internal/grpcutil"
 )
 
@@ -36,6 +38,24 @@ import (
 // It is intended for grpc internal use only.
 const Identity = "identity"
 
+func init() {
+	internal.RegisterCompressorForTesting = func(c Compressor) func() {
+		name := c.Name()
+		curCompressor, found := registeredCompressor[name]
+		RegisterCompressor(c)
+		return func() {
+			if found {
+				registeredCompressor[name] = curCompressor
+				return
+			}
+			delete(registeredCompressor, name)
+			grpcutil.RegisteredCompressorNames = slices.DeleteFunc(grpcutil.RegisteredCompressorNames, func(s string) bool {
+				return s == name
+			})
+		}
+	}
+}
+
 // Compressor is used for compressing and decompressing when sending or
 // receiving messages.
 //
diff --git a/vendor/google.golang.org/grpc/encoding/internal/internal.go b/vendor/google.golang.org/grpc/encoding/internal/internal.go
new file mode 100644
index 0000000000..ee9acb4377
--- /dev/null
+++ b/vendor/google.golang.org/grpc/encoding/internal/internal.go
@@ -0,0 +1,28 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package internal contains code internal to the encoding package.
+package internal
+
+// RegisterCompressorForTesting registers a compressor in the global compressor
+// registry. It returns a cleanup function that should be called at the end
+// of the test to unregister the compressor.
+//
+// This prevents compressors registered in one test from appearing in the
+// encoding headers of subsequent tests.
+var RegisterCompressorForTesting any // func RegisterCompressor(c Compressor) func()
diff --git a/vendor/google.golang.org/grpc/encoding/proto/proto.go b/vendor/google.golang.org/grpc/encoding/proto/proto.go
index ceec319dd2..1ab874c7ad 100644
--- a/vendor/google.golang.org/grpc/encoding/proto/proto.go
+++ b/vendor/google.golang.org/grpc/encoding/proto/proto.go
@@ -46,9 +46,25 @@ func (c *codecV2) Marshal(v any) (data mem.BufferSlice, err error) {
 		return nil, fmt.Errorf("proto: failed to marshal, message is %T, want proto.Message", v)
 	}
 
+	// Important: if we remove this Size call then we cannot use
+	// UseCachedSize in MarshalOptions below.
 	size := proto.Size(vv)
+
+	// MarshalOptions with UseCachedSize allows reusing the result from the
+	// previous Size call. This is safe here because:
+	//
+	// 1. We just computed the size.
+	// 2. We assume the message is not being mutated concurrently.
+	//
+	// Important: If the proto.Size call above is removed, using UseCachedSize
+	// becomes unsafe and may lead to incorrect marshaling.
+	//
+	// For more details, see the doc of UseCachedSize:
+	// https://pkg.go.dev/google.golang.org/protobuf/proto#MarshalOptions
+	marshalOptions := proto.MarshalOptions{UseCachedSize: true}
+
 	if mem.IsBelowBufferPoolingThreshold(size) {
-		buf, err := proto.Marshal(vv)
+		buf, err := marshalOptions.Marshal(vv)
 		if err != nil {
 			return nil, err
 		}
@@ -56,7 +72,7 @@ func (c *codecV2) Marshal(v any) (data mem.BufferSlice, err error) {
 	} else {
 		pool := mem.DefaultBufferPool()
 		buf := pool.Get(size)
-		if _, err := (proto.MarshalOptions{}).MarshalAppend((*buf)[:0], vv); err != nil {
+		if _, err := marshalOptions.MarshalAppend((*buf)[:0], vv); err != nil {
 			pool.Put(buf)
 			return nil, err
 		}
diff --git a/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go b/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
index ad75313a18..472813f58f 100644
--- a/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
+++ b/vendor/google.golang.org/grpc/experimental/stats/metricregistry.go
@@ -75,6 +75,8 @@ const (
 	MetricTypeIntHisto
 	MetricTypeFloatHisto
 	MetricTypeIntGauge
+	MetricTypeIntUpDownCount
+	MetricTypeIntAsyncGauge
 )
 
 // Int64CountHandle is a typed handle for a int count metric. This handle
@@ -93,6 +95,23 @@ func (h *Int64CountHandle) Record(recorder MetricsRecorder, incr int64, labels .
 	recorder.RecordInt64Count(h, incr, labels...)
 }
 
+// Int64UpDownCountHandle is a typed handle for an int up-down counter metric.
+// This handle is passed at the recording point in order to know which metric
+// to record on.
+type Int64UpDownCountHandle MetricDescriptor
+
+// Descriptor returns the int64 up-down counter handle typecast to a pointer to a
+// MetricDescriptor.
+func (h *Int64UpDownCountHandle) Descriptor() *MetricDescriptor {
+	return (*MetricDescriptor)(h)
+}
+
+// Record records the int64 up-down counter value on the metrics recorder provided.
+// The value 'v' can be positive to increment or negative to decrement.
+func (h *Int64UpDownCountHandle) Record(recorder MetricsRecorder, v int64, labels ...string) {
+	recorder.RecordInt64UpDownCount(h, v, labels...)
+}
+
 // Float64CountHandle is a typed handle for a float count metric. This handle is
 // passed at the recording point in order to know which metric to record on.
 type Float64CountHandle MetricDescriptor
@@ -154,6 +173,30 @@ func (h *Int64GaugeHandle) Record(recorder MetricsRecorder, incr int64, labels .
 	recorder.RecordInt64Gauge(h, incr, labels...)
 }
 
+// AsyncMetric is a marker interface for asynchronous metric types.
+type AsyncMetric interface {
+	isAsync()
+	Descriptor() *MetricDescriptor
+}
+
+// Int64AsyncGaugeHandle is a typed handle for an int gauge metric. This handle is
+// passed at the recording point in order to know which metric to record on.
+type Int64AsyncGaugeHandle MetricDescriptor
+
+// isAsync implements the AsyncMetric interface.
+func (h *Int64AsyncGaugeHandle) isAsync() {}
+
+// Descriptor returns the int64 gauge handle typecast to a pointer to a
+// MetricDescriptor.
+func (h *Int64AsyncGaugeHandle) Descriptor() *MetricDescriptor {
+	return (*MetricDescriptor)(h)
+}
+
+// Record records the int64 gauge value on the metrics recorder provided.
+func (h *Int64AsyncGaugeHandle) Record(recorder AsyncMetricsRecorder, value int64, labels ...string) {
+	recorder.RecordInt64AsyncGauge(h, value, labels...)
+}
+
 // registeredMetrics are the registered metric descriptor names.
 var registeredMetrics = make(map[string]bool)
 
@@ -249,6 +292,35 @@ func RegisterInt64Gauge(descriptor MetricDescriptor) *Int64GaugeHandle {
 	return (*Int64GaugeHandle)(descPtr)
 }
 
+// RegisterInt64UpDownCount registers the metric description onto the global registry.
+// It returns a typed handle to use for recording data.
+//
+// NOTE: this function must only be called during initialization time (i.e. in
+// an init() function), and is not thread-safe. If multiple metrics are
+// registered with the same name, this function will panic.
+func RegisterInt64UpDownCount(descriptor MetricDescriptor) *Int64UpDownCountHandle {
+	registerMetric(descriptor.Name, descriptor.Default)
+	// Set the specific metric type for the up-down counter
+	descriptor.Type = MetricTypeIntUpDownCount
+	descPtr := &descriptor
+	metricsRegistry[descriptor.Name] = descPtr
+	return (*Int64UpDownCountHandle)(descPtr)
+}
+
+// RegisterInt64AsyncGauge registers the metric description onto the global registry.
+// It returns a typed handle to use for recording data.
+//
+// NOTE: this function must only be called during initialization time (i.e. in
+// an init() function), and is not thread-safe. If multiple metrics are
+// registered with the same name, this function will panic.
+func RegisterInt64AsyncGauge(descriptor MetricDescriptor) *Int64AsyncGaugeHandle {
+	registerMetric(descriptor.Name, descriptor.Default)
+	descriptor.Type = MetricTypeIntAsyncGauge
+	descPtr := &descriptor
+	metricsRegistry[descriptor.Name] = descPtr
+	return (*Int64AsyncGaugeHandle)(descPtr)
+}
+
 // snapshotMetricsRegistryForTesting snapshots the global data of the metrics
 // registry. Returns a cleanup function that sets the metrics registry to its
 // original state.
diff --git a/vendor/google.golang.org/grpc/experimental/stats/metrics.go b/vendor/google.golang.org/grpc/experimental/stats/metrics.go
index ee1423605a..d7d404cbe4 100644
--- a/vendor/google.golang.org/grpc/experimental/stats/metrics.go
+++ b/vendor/google.golang.org/grpc/experimental/stats/metrics.go
@@ -38,6 +38,16 @@ type MetricsRecorder interface {
 	// RecordInt64Gauge records the measurement alongside labels on the int
 	// gauge associated with the provided handle.
 	RecordInt64Gauge(handle *Int64GaugeHandle, incr int64, labels ...string)
+	// RecordInt64UpDownCounter records the measurement alongside labels on the int
+	// count associated with the provided handle.
+	RecordInt64UpDownCount(handle *Int64UpDownCountHandle, incr int64, labels ...string)
+}
+
+// AsyncMetricsRecorder records on asynchronous metrics derived from metric registry.
+type AsyncMetricsRecorder interface {
+	// RecordInt64AsyncGauge records the measurement alongside labels on the int
+	// count associated with the provided handle asynchronously
+	RecordInt64AsyncGauge(handle *Int64AsyncGaugeHandle, incr int64, labels ...string)
 }
 
 // Metrics is an experimental legacy alias of the now-stable stats.MetricSet.
diff --git a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
index ba25b89887..f38de74a49 100644
--- a/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
+++ b/vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go
@@ -67,6 +67,10 @@ type Balancer struct {
 	// balancerCurrent before the UpdateSubConnState is called on the
 	// balancerCurrent.
 	currentMu sync.Mutex
+
+	// activeGoroutines tracks all the goroutines that this balancer has started
+	// and that should be waited on when the balancer closes.
+	activeGoroutines sync.WaitGroup
 }
 
 // swap swaps out the current lb with the pending lb and updates the ClientConn.
@@ -76,7 +80,9 @@ func (gsb *Balancer) swap() {
 	cur := gsb.balancerCurrent
 	gsb.balancerCurrent = gsb.balancerPending
 	gsb.balancerPending = nil
+	gsb.activeGoroutines.Add(1)
 	go func() {
+		defer gsb.activeGoroutines.Done()
 		gsb.currentMu.Lock()
 		defer gsb.currentMu.Unlock()
 		cur.Close()
@@ -274,6 +280,7 @@ func (gsb *Balancer) Close() {
 
 	currentBalancerToClose.Close()
 	pendingBalancerToClose.Close()
+	gsb.activeGoroutines.Wait()
 }
 
 // balancerWrapper wraps a balancer.Balancer, and overrides some Balancer
@@ -324,7 +331,12 @@ func (bw *balancerWrapper) UpdateState(state balancer.State) {
 	defer bw.gsb.mu.Unlock()
 	bw.lastState = state
 
+	// If Close() acquires the mutex before UpdateState(), the balancer
+	// will already have been removed from the current or pending state when
+	// reaching this point.
 	if !bw.gsb.balancerCurrentOrPending(bw) {
+		// Returning here ensures that (*Balancer).swap() is not invoked after
+		// (*Balancer).Close() and therefore prevents "use after close".
 		return
 	}
 
diff --git a/vendor/google.golang.org/grpc/internal/buffer/unbounded.go b/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
index 11f91668ac..467392b8d4 100644
--- a/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
+++ b/vendor/google.golang.org/grpc/internal/buffer/unbounded.go
@@ -83,6 +83,7 @@ func (b *Unbounded) Load() {
 		default:
 		}
 	} else if b.closing && !b.closed {
+		b.closed = true
 		close(b.c)
 	}
 }
diff --git a/vendor/google.golang.org/grpc/internal/channelz/trace.go b/vendor/google.golang.org/grpc/internal/channelz/trace.go
index 2bffe47776..3b7ba59662 100644
--- a/vendor/google.golang.org/grpc/internal/channelz/trace.go
+++ b/vendor/google.golang.org/grpc/internal/channelz/trace.go
@@ -194,7 +194,7 @@ func (r RefChannelType) String() string {
 // If channelz is not turned ON, this will simply log the event descriptions.
 func AddTraceEvent(l grpclog.DepthLoggerV2, e Entity, depth int, desc *TraceEvent) {
 	// Log only the trace description associated with the bottom most entity.
-	d := fmt.Sprintf("[%s]%s", e, desc.Desc)
+	d := fmt.Sprintf("[%s] %s", e, desc.Desc)
 	switch desc.Severity {
 	case CtUnknown, CtInfo:
 		l.InfoDepth(depth+1, d)
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
index 7e060f5ed1..6414ee4bbe 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
@@ -52,12 +52,6 @@ var (
 	// or "false".
 	EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", true)
 
-	// NewPickFirstEnabled is set if the new pickfirst leaf policy is to be used
-	// instead of the exiting pickfirst implementation. This can be disabled by
-	// setting the environment variable "GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST"
-	// to "false".
-	NewPickFirstEnabled = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST", true)
-
 	// XDSEndpointHashKeyBackwardCompat controls the parsing of the endpoint hash
 	// key from EDS LbEndpoint metadata. Endpoint hash keys can be disabled by
 	// setting "GRPC_XDS_ENDPOINT_HASH_KEY_BACKWARD_COMPAT" to "true". When the
@@ -75,6 +69,19 @@ var (
 	// ALTSHandshakerKeepaliveParams is set if we should add the
 	// KeepaliveParams when dial the ALTS handshaker service.
 	ALTSHandshakerKeepaliveParams = boolFromEnv("GRPC_EXPERIMENTAL_ALTS_HANDSHAKER_KEEPALIVE_PARAMS", false)
+
+	// EnableDefaultPortForProxyTarget controls whether the resolver adds a default port 443
+	// to a target address that lacks one. This flag only has an effect when all of
+	// the following conditions are met:
+	//   - A connect proxy is being used.
+	//   - Target resolution is disabled.
+	//   - The DNS resolver is being used.
+	EnableDefaultPortForProxyTarget = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_DEFAULT_PORT_FOR_PROXY_TARGET", true)
+
+	// XDSAuthorityRewrite indicates whether xDS authority rewriting is enabled.
+	// This feature is defined in gRFC A81 and is enabled by setting the
+	// environment variable GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE to "true".
+	XDSAuthorityRewrite = boolFromEnv("GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE", false)
 )
 
 func boolFromEnv(envVar string, def bool) bool {
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/xds.go b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
index e87551552a..7685d08b54 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/xds.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
@@ -68,4 +68,15 @@ var (
 	// trust.  For more details, see:
 	// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
 	XDSSPIFFEEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_MTLS_SPIFFE", false)
+
+	// XDSHTTPConnectEnabled is true if gRPC should parse custom Metadata
+	// configuring use of an HTTP CONNECT proxy via xDS from cluster resources.
+	// For more details, see:
+	// https://github.com/grpc/proposal/blob/master/A86-xds-http-connect.md
+	XDSHTTPConnectEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_HTTP_CONNECT", false)
+
+	// XDSBootstrapCallCredsEnabled controls if call credentials can be used in
+	// xDS bootstrap configuration via the `call_creds` field. For more details,
+	// see: https://github.com/grpc/proposal/blob/master/A97-xds-jwt-call-creds.md
+	XDSBootstrapCallCredsEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS", false)
 )
diff --git a/vendor/google.golang.org/grpc/internal/experimental.go b/vendor/google.golang.org/grpc/internal/experimental.go
index 7617be2158..c90cc51bdd 100644
--- a/vendor/google.golang.org/grpc/internal/experimental.go
+++ b/vendor/google.golang.org/grpc/internal/experimental.go
@@ -25,4 +25,8 @@ var (
 	// BufferPool is implemented by the grpc package and returns a server
 	// option to configure a shared buffer pool for a grpc.Server.
 	BufferPool any // func (grpc.SharedBufferPool) grpc.ServerOption
+
+	// AcceptCompressors is implemented by the grpc package and returns
+	// a call option that restricts the grpc-accept-encoding header for a call.
+	AcceptCompressors any // func(...string) grpc.CallOption
 )
diff --git a/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go b/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
index 8e8e861280..9b6d8a1fa3 100644
--- a/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
+++ b/vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go
@@ -80,25 +80,11 @@ func (cs *CallbackSerializer) ScheduleOr(f func(ctx context.Context), onFailure
 func (cs *CallbackSerializer) run(ctx context.Context) {
 	defer close(cs.done)
 
-	// TODO: when Go 1.21 is the oldest supported version, this loop and Close
-	// can be replaced with:
-	//
-	// context.AfterFunc(ctx, cs.callbacks.Close)
-	for ctx.Err() == nil {
-		select {
-		case <-ctx.Done():
-			// Do nothing here. Next iteration of the for loop will not happen,
-			// since ctx.Err() would be non-nil.
-		case cb := <-cs.callbacks.Get():
-			cs.callbacks.Load()
-			cb.(func(context.Context))(ctx)
-		}
-	}
-
-	// Close the buffer to prevent new callbacks from being added.
-	cs.callbacks.Close()
+	// Close the buffer when the context is canceled
+	// to prevent new callbacks from being added.
+	context.AfterFunc(ctx, cs.callbacks.Close)
 
-	// Run all pending callbacks.
+	// Run all callbacks.
 	for cb := range cs.callbacks.Get() {
 		cs.callbacks.Load()
 		cb.(func(context.Context))(ctx)
diff --git a/vendor/google.golang.org/grpc/internal/idle/idle.go b/vendor/google.golang.org/grpc/internal/idle/idle.go
index 2c13ee9dac..d3cd24f80b 100644
--- a/vendor/google.golang.org/grpc/internal/idle/idle.go
+++ b/vendor/google.golang.org/grpc/internal/idle/idle.go
@@ -21,7 +21,6 @@
 package idle
 
 import (
-	"fmt"
 	"math"
 	"sync"
 	"sync/atomic"
@@ -33,15 +32,15 @@ var timeAfterFunc = func(d time.Duration, f func()) *time.Timer {
 	return time.AfterFunc(d, f)
 }
 
-// Enforcer is the functionality provided by grpc.ClientConn to enter
-// and exit from idle mode.
-type Enforcer interface {
-	ExitIdleMode() error
+// ClientConn is the functionality provided by grpc.ClientConn to enter and exit
+// from idle mode.
+type ClientConn interface {
+	ExitIdleMode()
 	EnterIdleMode()
 }
 
-// Manager implements idleness detection and calls the configured Enforcer to
-// enter/exit idle mode when appropriate.  Must be created by NewManager.
+// Manager implements idleness detection and calls the ClientConn to enter/exit
+// idle mode when appropriate. Must be created by NewManager.
 type Manager struct {
 	// State accessed atomically.
 	lastCallEndTime           int64 // Unix timestamp in nanos; time when the most recent RPC completed.
@@ -51,8 +50,8 @@ type Manager struct {
 
 	// Can be accessed without atomics or mutex since these are set at creation
 	// time and read-only after that.
-	enforcer Enforcer // Functionality provided by grpc.ClientConn.
-	timeout  time.Duration
+	cc      ClientConn // Functionality provided by grpc.ClientConn.
+	timeout time.Duration
 
 	// idleMu is used to guarantee mutual exclusion in two scenarios:
 	// - Opposing intentions:
@@ -72,9 +71,9 @@ type Manager struct {
 
 // NewManager creates a new idleness manager implementation for the
 // given idle timeout.  It begins in idle mode.
-func NewManager(enforcer Enforcer, timeout time.Duration) *Manager {
+func NewManager(cc ClientConn, timeout time.Duration) *Manager {
 	return &Manager{
-		enforcer:         enforcer,
+		cc:               cc,
 		timeout:          timeout,
 		actuallyIdle:     true,
 		activeCallsCount: -math.MaxInt32,
@@ -127,7 +126,7 @@ func (m *Manager) handleIdleTimeout() {
 
 	// Now that we've checked that there has been no activity, attempt to enter
 	// idle mode, which is very likely to succeed.
-	if m.tryEnterIdleMode() {
+	if m.tryEnterIdleMode(true) {
 		// Successfully entered idle mode. No timer needed until we exit idle.
 		return
 	}
@@ -142,10 +141,13 @@ func (m *Manager) handleIdleTimeout() {
 // that, it performs a last minute check to ensure that no new RPC has come in,
 // making the channel active.
 //
+// checkActivity controls if a check for RPC activity, since the last time the
+// idle_timeout fired, is made.
+
 // Return value indicates whether or not the channel moved to idle mode.
 //
 // Holds idleMu which ensures mutual exclusion with exitIdleMode.
-func (m *Manager) tryEnterIdleMode() bool {
+func (m *Manager) tryEnterIdleMode(checkActivity bool) bool {
 	// Setting the activeCallsCount to -math.MaxInt32 indicates to OnCallBegin()
 	// that the channel is either in idle mode or is trying to get there.
 	if !atomic.CompareAndSwapInt32(&m.activeCallsCount, 0, -math.MaxInt32) {
@@ -166,7 +168,7 @@ func (m *Manager) tryEnterIdleMode() bool {
 		atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
 		return false
 	}
-	if atomic.LoadInt32(&m.activeSinceLastTimerCheck) == 1 {
+	if checkActivity && atomic.LoadInt32(&m.activeSinceLastTimerCheck) == 1 {
 		// A very short RPC could have come in (and also finished) after we
 		// checked for calls count and activity in handleIdleTimeout(), but
 		// before the CAS operation. So, we need to check for activity again.
@@ -177,44 +179,37 @@ func (m *Manager) tryEnterIdleMode() bool {
 	// No new RPCs have come in since we set the active calls count value to
 	// -math.MaxInt32. And since we have the lock, it is safe to enter idle mode
 	// unconditionally now.
-	m.enforcer.EnterIdleMode()
+	m.cc.EnterIdleMode()
 	m.actuallyIdle = true
 	return true
 }
 
 // EnterIdleModeForTesting instructs the channel to enter idle mode.
 func (m *Manager) EnterIdleModeForTesting() {
-	m.tryEnterIdleMode()
+	m.tryEnterIdleMode(false)
 }
 
 // OnCallBegin is invoked at the start of every RPC.
-func (m *Manager) OnCallBegin() error {
+func (m *Manager) OnCallBegin() {
 	if m.isClosed() {
-		return nil
+		return
 	}
 
 	if atomic.AddInt32(&m.activeCallsCount, 1) > 0 {
 		// Channel is not idle now. Set the activity bit and allow the call.
 		atomic.StoreInt32(&m.activeSinceLastTimerCheck, 1)
-		return nil
+		return
 	}
 
 	// Channel is either in idle mode or is in the process of moving to idle
 	// mode. Attempt to exit idle mode to allow this RPC.
-	if err := m.ExitIdleMode(); err != nil {
-		// Undo the increment to calls count, and return an error causing the
-		// RPC to fail.
-		atomic.AddInt32(&m.activeCallsCount, -1)
-		return err
-	}
-
+	m.ExitIdleMode()
 	atomic.StoreInt32(&m.activeSinceLastTimerCheck, 1)
-	return nil
 }
 
-// ExitIdleMode instructs m to call the enforcer's ExitIdleMode and update m's
+// ExitIdleMode instructs m to call the ClientConn's ExitIdleMode and update its
 // internal state.
-func (m *Manager) ExitIdleMode() error {
+func (m *Manager) ExitIdleMode() {
 	// Holds idleMu which ensures mutual exclusion with tryEnterIdleMode.
 	m.idleMu.Lock()
 	defer m.idleMu.Unlock()
@@ -231,12 +226,10 @@ func (m *Manager) ExitIdleMode() error {
 		//   m.ExitIdleMode.
 		//
 		// In any case, there is nothing to do here.
-		return nil
+		return
 	}
 
-	if err := m.enforcer.ExitIdleMode(); err != nil {
-		return fmt.Errorf("failed to exit idle mode: %w", err)
-	}
+	m.cc.ExitIdleMode()
 
 	// Undo the idle entry process. This also respects any new RPC attempts.
 	atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
@@ -244,7 +237,23 @@ func (m *Manager) ExitIdleMode() error {
 
 	// Start a new timer to fire after the configured idle timeout.
 	m.resetIdleTimerLocked(m.timeout)
-	return nil
+}
+
+// UnsafeSetNotIdle instructs the Manager to update its internal state to
+// reflect the reality that the channel is no longer in IDLE mode.
+//
+// N.B. This method is intended only for internal use by the gRPC client
+// when it exits IDLE mode **manually** from `Dial`. The callsite must ensure:
+//   - The channel was **actually in IDLE mode** immediately prior to the call.
+//   - There is **no concurrent activity** that could cause the channel to exit
+//     IDLE mode *naturally* at the same time.
+func (m *Manager) UnsafeSetNotIdle() {
+	m.idleMu.Lock()
+	defer m.idleMu.Unlock()
+
+	atomic.AddInt32(&m.activeCallsCount, math.MaxInt32)
+	m.actuallyIdle = false
+	m.resetIdleTimerLocked(m.timeout)
 }
 
 // OnCallEnd is invoked at the end of every RPC.
diff --git a/vendor/google.golang.org/grpc/internal/internal.go b/vendor/google.golang.org/grpc/internal/internal.go
index 2699223a27..27bef83d97 100644
--- a/vendor/google.golang.org/grpc/internal/internal.go
+++ b/vendor/google.golang.org/grpc/internal/internal.go
@@ -244,6 +244,10 @@ var (
 	// When set, the function will be called before the stream enters
 	// the blocking state.
 	NewStreamWaitingForResolver = func() {}
+
+	// AddressToTelemetryLabels is an xDS-provided function to extract telemetry
+	// labels from a resolver.Address. Callers must assert its type before calling.
+	AddressToTelemetryLabels any // func(addr resolver.Address) map[string]string
 )
 
 // HealthChecker defines the signature of the client-side LB channel health
diff --git a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
index 20b8fb098a..5bfa67b726 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
@@ -22,11 +22,13 @@ package delegatingresolver
 
 import (
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"sync"
 
 	"google.golang.org/grpc/grpclog"
+	"google.golang.org/grpc/internal/envconfig"
 	"google.golang.org/grpc/internal/proxyattributes"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/internal/transport/networktype"
@@ -40,6 +42,8 @@ var (
 	HTTPSProxyFromEnvironment = http.ProxyFromEnvironment
 )
 
+const defaultPort = "443"
+
 // delegatingResolver manages both target URI and proxy address resolution by
 // delegating these tasks to separate child resolvers. Essentially, it acts as
 // an intermediary between the gRPC ClientConn and the child resolvers.
@@ -107,10 +111,18 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
 		targetResolver: nopResolver{},
 	}
 
+	addr := target.Endpoint()
 	var err error
-	r.proxyURL, err = proxyURLForTarget(target.Endpoint())
+	if target.URL.Scheme == "dns" && !targetResolutionEnabled && envconfig.EnableDefaultPortForProxyTarget {
+		addr, err = parseTarget(addr)
+		if err != nil {
+			return nil, fmt.Errorf("delegating_resolver: invalid target address %q: %v", target.Endpoint(), err)
+		}
+	}
+
+	r.proxyURL, err = proxyURLForTarget(addr)
 	if err != nil {
-		return nil, fmt.Errorf("delegating_resolver: failed to determine proxy URL for target %s: %v", target, err)
+		return nil, fmt.Errorf("delegating_resolver: failed to determine proxy URL for target %q: %v", target, err)
 	}
 
 	// proxy is not configured or proxy address excluded using `NO_PROXY` env
@@ -132,8 +144,8 @@ func New(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOpti
 	// bypass the target resolver and store the unresolved target address.
 	if target.URL.Scheme == "dns" && !targetResolutionEnabled {
 		r.targetResolverState = &resolver.State{
-			Addresses: []resolver.Address{{Addr: target.Endpoint()}},
-			Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: target.Endpoint()}}}},
+			Addresses: []resolver.Address{{Addr: addr}},
+			Endpoints: []resolver.Endpoint{{Addresses: []resolver.Address{{Addr: addr}}}},
 		}
 		r.updateTargetResolverState(*r.targetResolverState)
 		return r, nil
@@ -202,6 +214,44 @@ func needsProxyResolver(state *resolver.State) bool {
 	return false
 }
 
+// parseTarget takes a target string and ensures it is a valid "host:port" target.
+//
+// It does the following:
+//  1. If the target already has a port (e.g., "host:port", "[ipv6]:port"),
+//     it is returned as is.
+//  2. If the host part is empty (e.g., ":80"), it defaults to "localhost",
+//     returning "localhost:80".
+//  3. If the target is missing a port (e.g., "host", "ipv6"), the defaultPort
+//     is added.
+//
+// An error is returned for empty targets or targets with a trailing colon
+// but no port (e.g., "host:").
+func parseTarget(target string) (string, error) {
+	if target == "" {
+		return "", fmt.Errorf("missing address")
+	}
+
+	host, port, err := net.SplitHostPort(target)
+	if err != nil {
+		// If SplitHostPort fails, it's likely because the port is missing.
+		// We append the default port and return the result.
+		return net.JoinHostPort(target, defaultPort), nil
+	}
+
+	// If SplitHostPort succeeds, we check for edge cases.
+	if port == "" {
+		// A success with an empty port means the target had a trailing colon,
+		// e.g., "host:", which is an error.
+		return "", fmt.Errorf("missing port after port-separator colon")
+	}
+	if host == "" {
+		// A success with an empty host means the target was like ":80".
+		// We default the host to "localhost".
+		host = "localhost"
+	}
+	return net.JoinHostPort(host, port), nil
+}
+
 func skipProxy(address resolver.Address) bool {
 	// Avoid proxy when network is not tcp.
 	networkType, ok := networktype.Get(address)
diff --git a/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go b/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
index 79044657be..d5f7e4d62d 100644
--- a/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
+++ b/vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go
@@ -64,6 +64,16 @@ func (l *MetricsRecorderList) RecordInt64Count(handle *estats.Int64CountHandle,
 	}
 }
 
+// RecordInt64UpDownCount records the measurement alongside labels on the int
+// count associated with the provided handle.
+func (l *MetricsRecorderList) RecordInt64UpDownCount(handle *estats.Int64UpDownCountHandle, incr int64, labels ...string) {
+	verifyLabels(handle.Descriptor(), labels...)
+
+	for _, metricRecorder := range l.metricsRecorders {
+		metricRecorder.RecordInt64UpDownCount(handle, incr, labels...)
+	}
+}
+
 // RecordFloat64Count records the measurement alongside labels on the float
 // count associated with the provided handle.
 func (l *MetricsRecorderList) RecordFloat64Count(handle *estats.Float64CountHandle, incr float64, labels ...string) {
diff --git a/vendor/google.golang.org/grpc/internal/stats/stats.go b/vendor/google.golang.org/grpc/internal/stats/stats.go
new file mode 100644
index 0000000000..49019b80d1
--- /dev/null
+++ b/vendor/google.golang.org/grpc/internal/stats/stats.go
@@ -0,0 +1,70 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package stats
+
+import (
+	"context"
+
+	"google.golang.org/grpc/stats"
+)
+
+type combinedHandler struct {
+	handlers []stats.Handler
+}
+
+// NewCombinedHandler combines multiple stats.Handlers into a single handler.
+//
+// It returns nil if no handlers are provided. If only one handler is
+// provided, it is returned directly without wrapping.
+func NewCombinedHandler(handlers ...stats.Handler) stats.Handler {
+	switch len(handlers) {
+	case 0:
+		return nil
+	case 1:
+		return handlers[0]
+	default:
+		return &combinedHandler{handlers: handlers}
+	}
+}
+
+func (ch *combinedHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
+	for _, h := range ch.handlers {
+		ctx = h.TagRPC(ctx, info)
+	}
+	return ctx
+}
+
+func (ch *combinedHandler) HandleRPC(ctx context.Context, stats stats.RPCStats) {
+	for _, h := range ch.handlers {
+		h.HandleRPC(ctx, stats)
+	}
+}
+
+func (ch *combinedHandler) TagConn(ctx context.Context, info *stats.ConnTagInfo) context.Context {
+	for _, h := range ch.handlers {
+		ctx = h.TagConn(ctx, info)
+	}
+	return ctx
+}
+
+func (ch *combinedHandler) HandleConn(ctx context.Context, stats stats.ConnStats) {
+	for _, h := range ch.handlers {
+		h.HandleConn(ctx, stats)
+	}
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/client_stream.go b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
index ccc0e017e5..980452519e 100644
--- a/vendor/google.golang.org/grpc/internal/transport/client_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
@@ -29,25 +29,27 @@ import (
 
 // ClientStream implements streaming functionality for a gRPC client.
 type ClientStream struct {
-	*Stream // Embed for common stream functionality.
+	Stream // Embed for common stream functionality.
 
 	ct       *http2Client
 	done     chan struct{} // closed at the end of stream to unblock writers.
 	doneFunc func()        // invoked at the end of stream.
 
-	headerChan       chan struct{} // closed to indicate the end of header metadata.
-	headerChanClosed uint32        // set when headerChan is closed. Used to avoid closing headerChan multiple times.
+	headerChan chan struct{} // closed to indicate the end of header metadata.
+	header     metadata.MD   // the received header metadata
+
+	status *status.Status // the status error received from the server
+
+	// Non-pointer fields are at the end to optimize GC allocations.
+
 	// headerValid indicates whether a valid header was received.  Only
 	// meaningful after headerChan is closed (always call waitOnHeader() before
 	// reading its value).
-	headerValid bool
-	header      metadata.MD // the received header metadata
-	noHeaders   bool        // set if the client never received headers (set only after the stream is done).
-
-	bytesReceived atomic.Bool // indicates whether any bytes have been received on this stream
-	unprocessed   atomic.Bool // set if the server sends a refused stream or GOAWAY including this stream
-
-	status *status.Status // the status error received from the server
+	headerValid      bool
+	noHeaders        bool        // set if the client never received headers (set only after the stream is done).
+	headerChanClosed uint32      // set when headerChan is closed. Used to avoid closing headerChan multiple times.
+	bytesReceived    atomic.Bool // indicates whether any bytes have been received on this stream
+	unprocessed      atomic.Bool // set if the server sends a refused stream or GOAWAY including this stream
 }
 
 // Read reads an n byte message from the input stream.
@@ -142,3 +144,11 @@ func (s *ClientStream) TrailersOnly() bool {
 func (s *ClientStream) Status() *status.Status {
 	return s.status
 }
+
+func (s *ClientStream) requestRead(n int) {
+	s.ct.adjustWindow(s, uint32(n))
+}
+
+func (s *ClientStream) updateWindow(n int) {
+	s.ct.updateWindow(s, uint32(n))
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
index a2831e5d01..2dcd1e63bd 100644
--- a/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
+++ b/vendor/google.golang.org/grpc/internal/transport/controlbuf.go
@@ -496,6 +496,16 @@ const (
 	serverSide
 )
 
+// maxWriteBufSize is the maximum length (number of elements) the cached
+// writeBuf can grow to. The length depends on the number of buffers
+// contained within the BufferSlice produced by the codec, which is
+// generally small.
+//
+// If a writeBuf larger than this limit is required, it will be allocated
+// and freed after use, rather than being cached. This avoids holding
+// on to large amounts of memory.
+const maxWriteBufSize = 64
+
 // Loopy receives frames from the control buffer.
 // Each frame is handled individually; most of the work done by loopy goes
 // into handling data frames. Loopy maintains a queue of active streams, and each
@@ -530,6 +540,8 @@ type loopyWriter struct {
 
 	// Side-specific handlers
 	ssGoAwayHandler func(*goAway) (bool, error)
+
+	writeBuf [][]byte // cached slice to avoid heap allocations for calls to mem.Reader.Peek.
 }
 
 func newLoopyWriter(s side, fr *framer, cbuf *controlBuffer, bdpEst *bdpEstimator, conn net.Conn, logger *grpclog.PrefixLogger, goAwayHandler func(*goAway) (bool, error), bufferPool mem.BufferPool) *loopyWriter {
@@ -665,11 +677,10 @@ func (l *loopyWriter) incomingSettingsHandler(s *incomingSettings) error {
 
 func (l *loopyWriter) registerStreamHandler(h *registerStream) {
 	str := &outStream{
-		id:     h.streamID,
-		state:  empty,
-		itl:    &itemList{},
-		wq:     h.wq,
-		reader: mem.BufferSlice{}.Reader(),
+		id:    h.streamID,
+		state: empty,
+		itl:   &itemList{},
+		wq:    h.wq,
 	}
 	l.estdStreams[h.streamID] = str
 }
@@ -701,11 +712,10 @@ func (l *loopyWriter) headerHandler(h *headerFrame) error {
 	}
 	// Case 2: Client wants to originate stream.
 	str := &outStream{
-		id:     h.streamID,
-		state:  empty,
-		itl:    &itemList{},
-		wq:     h.wq,
-		reader: mem.BufferSlice{}.Reader(),
+		id:    h.streamID,
+		state: empty,
+		itl:   &itemList{},
+		wq:    h.wq,
 	}
 	return l.originateStream(str, h)
 }
@@ -948,11 +958,11 @@ func (l *loopyWriter) processData() (bool, error) {
 	if str == nil {
 		return true, nil
 	}
-	reader := str.reader
+	reader := &str.reader
 	dataItem := str.itl.peek().(*dataFrame) // Peek at the first data item this stream.
 	if !dataItem.processing {
 		dataItem.processing = true
-		str.reader.Reset(dataItem.data)
+		reader.Reset(dataItem.data)
 		dataItem.data.Free()
 	}
 	// A data item is represented by a dataFrame, since it later translates into
@@ -964,11 +974,11 @@ func (l *loopyWriter) processData() (bool, error) {
 
 	if len(dataItem.h) == 0 && reader.Remaining() == 0 { // Empty data frame
 		// Client sends out empty data frame with endStream = true
-		if err := l.framer.fr.WriteData(dataItem.streamID, dataItem.endStream, nil); err != nil {
+		if err := l.framer.writeData(dataItem.streamID, dataItem.endStream, nil); err != nil {
 			return false, err
 		}
 		str.itl.dequeue() // remove the empty data item from stream
-		_ = reader.Close()
+		reader.Close()
 		if str.itl.isEmpty() {
 			str.state = empty
 		} else if trailer, ok := str.itl.peek().(*headerFrame); ok { // the next item is trailers.
@@ -1001,25 +1011,20 @@ func (l *loopyWriter) processData() (bool, error) {
 	remainingBytes := len(dataItem.h) + reader.Remaining() - hSize - dSize
 	size := hSize + dSize
 
-	var buf *[]byte
-
-	if hSize != 0 && dSize == 0 {
-		buf = &dataItem.h
-	} else {
-		// Note: this is only necessary because the http2.Framer does not support
-		// partially writing a frame, so the sequence must be materialized into a buffer.
-		// TODO: Revisit once https://github.com/golang/go/issues/66655 is addressed.
-		pool := l.bufferPool
-		if pool == nil {
-			// Note that this is only supposed to be nil in tests. Otherwise, stream is
-			// always initialized with a BufferPool.
-			pool = mem.DefaultBufferPool()
+	l.writeBuf = l.writeBuf[:0]
+	if hSize > 0 {
+		l.writeBuf = append(l.writeBuf, dataItem.h[:hSize])
+	}
+	if dSize > 0 {
+		var err error
+		l.writeBuf, err = reader.Peek(dSize, l.writeBuf)
+		if err != nil {
+			// This must never happen since the reader must have at least dSize
+			// bytes.
+			// Log an error to fail tests.
+			l.logger.Errorf("unexpected error while reading Data frame payload: %v", err)
+			return false, err
 		}
-		buf = pool.Get(size)
-		defer pool.Put(buf)
-
-		copy((*buf)[:hSize], dataItem.h)
-		_, _ = reader.Read((*buf)[hSize:])
 	}
 
 	// Now that outgoing flow controls are checked we can replenish str's write quota
@@ -1032,7 +1037,14 @@ func (l *loopyWriter) processData() (bool, error) {
 	if dataItem.onEachWrite != nil {
 		dataItem.onEachWrite()
 	}
-	if err := l.framer.fr.WriteData(dataItem.streamID, endStream, (*buf)[:size]); err != nil {
+	err := l.framer.writeData(dataItem.streamID, endStream, l.writeBuf)
+	reader.Discard(dSize)
+	if cap(l.writeBuf) > maxWriteBufSize {
+		l.writeBuf = nil
+	} else {
+		clear(l.writeBuf)
+	}
+	if err != nil {
 		return false, err
 	}
 	str.bytesOutStanding += size
@@ -1040,7 +1052,7 @@ func (l *loopyWriter) processData() (bool, error) {
 	dataItem.h = dataItem.h[hSize:]
 
 	if remainingBytes == 0 { // All the data from that message was written out.
-		_ = reader.Close()
+		reader.Close()
 		str.itl.dequeue()
 	}
 	if str.itl.isEmpty() {
diff --git a/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go b/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
index dfc0f224ec..7cfbc9637b 100644
--- a/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
+++ b/vendor/google.golang.org/grpc/internal/transport/flowcontrol.go
@@ -28,7 +28,7 @@ import (
 // writeQuota is a soft limit on the amount of data a stream can
 // schedule before some of it is written out.
 type writeQuota struct {
-	quota int32
+	_ noCopy
 	// get waits on read from when quota goes less than or equal to zero.
 	// replenish writes on it when quota goes positive again.
 	ch chan struct{}
@@ -38,16 +38,17 @@ type writeQuota struct {
 	// It is implemented as a field so that it can be updated
 	// by tests.
 	replenish func(n int)
+	quota     int32
 }
 
-func newWriteQuota(sz int32, done <-chan struct{}) *writeQuota {
-	w := &writeQuota{
-		quota: sz,
-		ch:    make(chan struct{}, 1),
-		done:  done,
-	}
+// init allows a writeQuota to be initialized in-place, which is useful for
+// resetting a buffer or for avoiding a heap allocation when the buffer is
+// embedded in another struct.
+func (w *writeQuota) init(sz int32, done <-chan struct{}) {
+	w.quota = sz
+	w.ch = make(chan struct{}, 1)
+	w.done = done
 	w.replenish = w.realReplenish
-	return w
 }
 
 func (w *writeQuota) get(sz int32) error {
@@ -67,9 +68,9 @@ func (w *writeQuota) get(sz int32) error {
 
 func (w *writeQuota) realReplenish(n int) {
 	sz := int32(n)
-	a := atomic.AddInt32(&w.quota, sz)
-	b := a - sz
-	if b <= 0 && a > 0 {
+	newQuota := atomic.AddInt32(&w.quota, sz)
+	previousQuota := newQuota - sz
+	if previousQuota <= 0 && newQuota > 0 {
 		select {
 		case w.ch <- struct{}{}:
 		default:
diff --git a/vendor/google.golang.org/grpc/internal/transport/handler_server.go b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
index d954a64c38..7ab3422b8a 100644
--- a/vendor/google.golang.org/grpc/internal/transport/handler_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/handler_server.go
@@ -50,7 +50,7 @@ import (
 // NewServerHandlerTransport returns a ServerTransport handling gRPC from
 // inside an http.Handler, or writes an HTTP error to w and returns an error.
 // It requires that the http Server supports HTTP/2.
-func NewServerHandlerTransport(w http.ResponseWriter, r *http.Request, stats []stats.Handler, bufferPool mem.BufferPool) (ServerTransport, error) {
+func NewServerHandlerTransport(w http.ResponseWriter, r *http.Request, stats stats.Handler, bufferPool mem.BufferPool) (ServerTransport, error) {
 	if r.Method != http.MethodPost {
 		w.Header().Set("Allow", http.MethodPost)
 		msg := fmt.Sprintf("invalid gRPC request method %q", r.Method)
@@ -170,7 +170,7 @@ type serverHandlerTransport struct {
 	// TODO make sure this is consistent across handler_server and http2_server
 	contentSubtype string
 
-	stats  []stats.Handler
+	stats  stats.Handler
 	logger *grpclog.PrefixLogger
 
 	bufferPool mem.BufferPool
@@ -274,15 +274,13 @@ func (ht *serverHandlerTransport) writeStatus(s *ServerStream, st *status.Status
 		}
 	})
 
-	if err == nil { // transport has not been closed
+	if err == nil && ht.stats != nil { // transport has not been closed
 		// Note: The trailer fields are compressed with hpack after this call returns.
 		// No WireLength field is set here.
 		s.hdrMu.Lock()
-		for _, sh := range ht.stats {
-			sh.HandleRPC(s.Context(), &stats.OutTrailer{
-				Trailer: s.trailer.Copy(),
-			})
-		}
+		ht.stats.HandleRPC(s.Context(), &stats.OutTrailer{
+			Trailer: s.trailer.Copy(),
+		})
 		s.hdrMu.Unlock()
 	}
 	ht.Close(errors.New("finished writing status"))
@@ -374,19 +372,23 @@ func (ht *serverHandlerTransport) writeHeader(s *ServerStream, md metadata.MD) e
 		ht.rw.(http.Flusher).Flush()
 	})
 
-	if err == nil {
-		for _, sh := range ht.stats {
-			// Note: The header fields are compressed with hpack after this call returns.
-			// No WireLength field is set here.
-			sh.HandleRPC(s.Context(), &stats.OutHeader{
-				Header:      md.Copy(),
-				Compression: s.sendCompress,
-			})
-		}
+	if err == nil && ht.stats != nil {
+		// Note: The header fields are compressed with hpack after this call returns.
+		// No WireLength field is set here.
+		ht.stats.HandleRPC(s.Context(), &stats.OutHeader{
+			Header:      md.Copy(),
+			Compression: s.sendCompress,
+		})
 	}
 	return err
 }
 
+func (ht *serverHandlerTransport) adjustWindow(*ServerStream, uint32) {
+}
+
+func (ht *serverHandlerTransport) updateWindow(*ServerStream, uint32) {
+}
+
 func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream func(*ServerStream)) {
 	// With this transport type there will be exactly 1 stream: this HTTP request.
 	var cancel context.CancelFunc
@@ -411,11 +413,9 @@ func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream
 	ctx = metadata.NewIncomingContext(ctx, ht.headerMD)
 	req := ht.req
 	s := &ServerStream{
-		Stream: &Stream{
+		Stream: Stream{
 			id:             0, // irrelevant
 			ctx:            ctx,
-			requestRead:    func(int) {},
-			buf:            newRecvBuffer(),
 			method:         req.URL.Path,
 			recvCompress:   req.Header.Get("grpc-encoding"),
 			contentSubtype: ht.contentSubtype,
@@ -424,9 +424,11 @@ func (ht *serverHandlerTransport) HandleStreams(ctx context.Context, startStream
 		st:               ht,
 		headerWireLength: 0, // won't have access to header wire length until golang/go#18997.
 	}
-	s.trReader = &transportReader{
-		reader:        &recvBufferReader{ctx: s.ctx, ctxDone: s.ctx.Done(), recv: s.buf},
-		windowHandler: func(int) {},
+	s.Stream.buf.init()
+	s.readRequester = s
+	s.trReader = transportReader{
+		reader:        recvBufferReader{ctx: s.ctx, ctxDone: s.ctx.Done(), recv: &s.buf},
+		windowHandler: s,
 	}
 
 	// readerDone is closed when the Body.Read-ing goroutine exits.
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_client.go b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
index 5467fe9715..38ca031af6 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_client.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
@@ -44,6 +44,7 @@ import (
 	"google.golang.org/grpc/internal/grpcutil"
 	imetadata "google.golang.org/grpc/internal/metadata"
 	"google.golang.org/grpc/internal/proxyattributes"
+	istats "google.golang.org/grpc/internal/stats"
 	istatus "google.golang.org/grpc/internal/status"
 	isyscall "google.golang.org/grpc/internal/syscall"
 	"google.golang.org/grpc/internal/transport/networktype"
@@ -105,7 +106,7 @@ type http2Client struct {
 	kp               keepalive.ClientParameters
 	keepaliveEnabled bool
 
-	statsHandlers []stats.Handler
+	statsHandler stats.Handler
 
 	initialWindowSize int32
 
@@ -335,14 +336,14 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 		writerDone:            make(chan struct{}),
 		goAway:                make(chan struct{}),
 		keepaliveDone:         make(chan struct{}),
-		framer:                newFramer(conn, writeBufSize, readBufSize, opts.SharedWriteBuffer, maxHeaderListSize),
+		framer:                newFramer(conn, writeBufSize, readBufSize, opts.SharedWriteBuffer, maxHeaderListSize, opts.BufferPool),
 		fc:                    &trInFlow{limit: uint32(icwz)},
 		scheme:                scheme,
 		activeStreams:         make(map[uint32]*ClientStream),
 		isSecure:              isSecure,
 		perRPCCreds:           perRPCCreds,
 		kp:                    kp,
-		statsHandlers:         opts.StatsHandlers,
+		statsHandler:          istats.NewCombinedHandler(opts.StatsHandlers...),
 		initialWindowSize:     initialWindowSize,
 		nextID:                1,
 		maxConcurrentStreams:  defaultMaxStreamsClient,
@@ -369,7 +370,7 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 		})
 	t.logger = prefixLoggerForClientTransport(t)
 	// Add peer information to the http2client context.
-	t.ctx = peer.NewContext(t.ctx, t.getPeer())
+	t.ctx = peer.NewContext(t.ctx, t.Peer())
 
 	if md, ok := addr.Metadata.(*metadata.MD); ok {
 		t.md = *md
@@ -386,15 +387,14 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 			updateFlowControl: t.updateFlowControl,
 		}
 	}
-	for _, sh := range t.statsHandlers {
-		t.ctx = sh.TagConn(t.ctx, &stats.ConnTagInfo{
+	if t.statsHandler != nil {
+		t.ctx = t.statsHandler.TagConn(t.ctx, &stats.ConnTagInfo{
 			RemoteAddr: t.remoteAddr,
 			LocalAddr:  t.localAddr,
 		})
-		connBegin := &stats.ConnBegin{
+		t.statsHandler.HandleConn(t.ctx, &stats.ConnBegin{
 			Client: true,
-		}
-		sh.HandleConn(t.ctx, connBegin)
+		})
 	}
 	if t.keepaliveEnabled {
 		t.kpDormancyCond = sync.NewCond(&t.mu)
@@ -481,10 +481,9 @@ func NewHTTP2Client(connectCtx, ctx context.Context, addr resolver.Address, opts
 func (t *http2Client) newStream(ctx context.Context, callHdr *CallHdr) *ClientStream {
 	// TODO(zhaoq): Handle uint32 overflow of Stream.id.
 	s := &ClientStream{
-		Stream: &Stream{
+		Stream: Stream{
 			method:         callHdr.Method,
 			sendCompress:   callHdr.SendCompress,
-			buf:            newRecvBuffer(),
 			contentSubtype: callHdr.ContentSubtype,
 		},
 		ct:         t,
@@ -492,31 +491,26 @@ func (t *http2Client) newStream(ctx context.Context, callHdr *CallHdr) *ClientSt
 		headerChan: make(chan struct{}),
 		doneFunc:   callHdr.DoneFunc,
 	}
-	s.wq = newWriteQuota(defaultWriteQuota, s.done)
-	s.requestRead = func(n int) {
-		t.adjustWindow(s, uint32(n))
-	}
+	s.Stream.buf.init()
+	s.Stream.wq.init(defaultWriteQuota, s.done)
+	s.readRequester = s
 	// The client side stream context should have exactly the same life cycle with the user provided context.
 	// That means, s.ctx should be read-only. And s.ctx is done iff ctx is done.
 	// So we use the original context here instead of creating a copy.
 	s.ctx = ctx
-	s.trReader = &transportReader{
-		reader: &recvBufferReader{
-			ctx:     s.ctx,
-			ctxDone: s.ctx.Done(),
-			recv:    s.buf,
-			closeStream: func(err error) {
-				s.Close(err)
-			},
-		},
-		windowHandler: func(n int) {
-			t.updateWindow(s, uint32(n))
+	s.trReader = transportReader{
+		reader: recvBufferReader{
+			ctx:          s.ctx,
+			ctxDone:      s.ctx.Done(),
+			recv:         &s.buf,
+			clientStream: s,
 		},
+		windowHandler: s,
 	}
 	return s
 }
 
-func (t *http2Client) getPeer() *peer.Peer {
+func (t *http2Client) Peer() *peer.Peer {
 	return &peer.Peer{
 		Addr:      t.remoteAddr,
 		AuthInfo:  t.authInfo, // Can be nil
@@ -556,6 +550,22 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 	// Make the slice of certain predictable size to reduce allocations made by append.
 	hfLen := 7 // :method, :scheme, :path, :authority, content-type, user-agent, te
 	hfLen += len(authData) + len(callAuthData)
+	registeredCompressors := t.registeredCompressors
+	if callHdr.AcceptedCompressors != nil {
+		registeredCompressors = *callHdr.AcceptedCompressors
+	}
+	if callHdr.PreviousAttempts > 0 {
+		hfLen++
+	}
+	if callHdr.SendCompress != "" {
+		hfLen++
+	}
+	if registeredCompressors != "" {
+		hfLen++
+	}
+	if _, ok := ctx.Deadline(); ok {
+		hfLen++
+	}
 	headerFields := make([]hpack.HeaderField, 0, hfLen)
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":method", Value: "POST"})
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":scheme", Value: t.scheme})
@@ -568,7 +578,6 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-previous-rpc-attempts", Value: strconv.Itoa(callHdr.PreviousAttempts)})
 	}
 
-	registeredCompressors := t.registeredCompressors
 	if callHdr.SendCompress != "" {
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-encoding", Value: callHdr.SendCompress})
 		// Include the outgoing compressor name when compressor is not registered
@@ -736,7 +745,7 @@ func (e NewStreamError) Error() string {
 // NewStream creates a stream and registers it into the transport as "active"
 // streams.  All non-nil errors returned will be *NewStreamError.
 func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientStream, error) {
-	ctx = peer.NewContext(ctx, t.getPeer())
+	ctx = peer.NewContext(ctx, t.Peer())
 
 	// ServerName field of the resolver returned address takes precedence over
 	// Host field of CallHdr to determine the :authority header. This is because,
@@ -811,7 +820,7 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 			return nil
 		},
 		onOrphaned: cleanup,
-		wq:         s.wq,
+		wq:         &s.wq,
 	}
 	firstTry := true
 	var ch chan struct{}
@@ -842,7 +851,7 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 		transportDrainRequired = t.nextID > MaxStreamID
 
 		s.id = hdr.streamID
-		s.fc = &inFlow{limit: uint32(t.initialWindowSize)}
+		s.fc = inFlow{limit: uint32(t.initialWindowSize)}
 		t.activeStreams[s.id] = s
 		t.mu.Unlock()
 
@@ -893,27 +902,23 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 			return nil, &NewStreamError{Err: ErrConnClosing, AllowTransparentRetry: true}
 		}
 	}
-	if len(t.statsHandlers) != 0 {
+	if t.statsHandler != nil {
 		header, ok := metadata.FromOutgoingContext(ctx)
 		if ok {
 			header.Set("user-agent", t.userAgent)
 		} else {
 			header = metadata.Pairs("user-agent", t.userAgent)
 		}
-		for _, sh := range t.statsHandlers {
-			// Note: The header fields are compressed with hpack after this call returns.
-			// No WireLength field is set here.
-			// Note: Creating a new stats object to prevent pollution.
-			outHeader := &stats.OutHeader{
-				Client:      true,
-				FullMethod:  callHdr.Method,
-				RemoteAddr:  t.remoteAddr,
-				LocalAddr:   t.localAddr,
-				Compression: callHdr.SendCompress,
-				Header:      header,
-			}
-			sh.HandleRPC(s.ctx, outHeader)
-		}
+		// Note: The header fields are compressed with hpack after this call returns.
+		// No WireLength field is set here.
+		t.statsHandler.HandleRPC(s.ctx, &stats.OutHeader{
+			Client:      true,
+			FullMethod:  callHdr.Method,
+			RemoteAddr:  t.remoteAddr,
+			LocalAddr:   t.localAddr,
+			Compression: callHdr.SendCompress,
+			Header:      header,
+		})
 	}
 	if transportDrainRequired {
 		if t.logger.V(logLevel) {
@@ -990,6 +995,9 @@ func (t *http2Client) closeStream(s *ClientStream, err error, rst bool, rstCode
 // accessed anymore.
 func (t *http2Client) Close(err error) {
 	t.conn.SetWriteDeadline(time.Now().Add(time.Second * 10))
+	// For background on the deadline value chosen here, see
+	// https://github.com/grpc/grpc-go/issues/8425#issuecomment-3057938248 .
+	t.conn.SetReadDeadline(time.Now().Add(time.Second))
 	t.mu.Lock()
 	// Make sure we only close once.
 	if t.state == closing {
@@ -1051,11 +1059,10 @@ func (t *http2Client) Close(err error) {
 	for _, s := range streams {
 		t.closeStream(s, err, false, http2.ErrCodeNo, st, nil, false)
 	}
-	for _, sh := range t.statsHandlers {
-		connEnd := &stats.ConnEnd{
+	if t.statsHandler != nil {
+		t.statsHandler.HandleConn(t.ctx, &stats.ConnEnd{
 			Client: true,
-		}
-		sh.HandleConn(t.ctx, connEnd)
+		})
 	}
 }
 
@@ -1166,7 +1173,7 @@ func (t *http2Client) updateFlowControl(n uint32) {
 	})
 }
 
-func (t *http2Client) handleData(f *http2.DataFrame) {
+func (t *http2Client) handleData(f *parsedDataFrame) {
 	size := f.Header().Length
 	var sendBDPPing bool
 	if t.bdpEst != nil {
@@ -1210,22 +1217,15 @@ func (t *http2Client) handleData(f *http2.DataFrame) {
 			t.closeStream(s, io.EOF, true, http2.ErrCodeFlowControl, status.New(codes.Internal, err.Error()), nil, false)
 			return
 		}
+		dataLen := f.data.Len()
 		if f.Header().Flags.Has(http2.FlagDataPadded) {
-			if w := s.fc.onRead(size - uint32(len(f.Data()))); w > 0 {
+			if w := s.fc.onRead(size - uint32(dataLen)); w > 0 {
 				t.controlBuf.put(&outgoingWindowUpdate{s.id, w})
 			}
 		}
-		// TODO(bradfitz, zhaoq): A copy is required here because there is no
-		// guarantee f.Data() is consumed before the arrival of next frame.
-		// Can this copy be eliminated?
-		if len(f.Data()) > 0 {
-			pool := t.bufferPool
-			if pool == nil {
-				// Note that this is only supposed to be nil in tests. Otherwise, stream is
-				// always initialized with a BufferPool.
-				pool = mem.DefaultBufferPool()
-			}
-			s.write(recvMsg{buffer: mem.Copy(f.Data(), pool)})
+		if dataLen > 0 {
+			f.data.Ref()
+			s.write(recvMsg{buffer: f.data})
 		}
 	}
 	// The server has closed the stream without sending trailers.  Record that
@@ -1465,17 +1465,14 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		contentTypeErr = "malformed header: missing HTTP content-type"
 		grpcMessage    string
 		recvCompress   string
-		httpStatusCode *int
 		httpStatusErr  string
-		rawStatusCode  = codes.Unknown
+		// the code from the grpc-status header, if present
+		grpcStatusCode = codes.Unknown
 		// headerError is set if an error is encountered while parsing the headers
 		headerError string
+		httpStatus  string
 	)
 
-	if initialHeader {
-		httpStatusErr = "malformed header: missing HTTP status"
-	}
-
 	for _, hf := range frame.Fields {
 		switch hf.Name {
 		case "content-type":
@@ -1491,35 +1488,15 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		case "grpc-status":
 			code, err := strconv.ParseInt(hf.Value, 10, 32)
 			if err != nil {
-				se := status.New(codes.Internal, fmt.Sprintf("transport: malformed grpc-status: %v", err))
+				se := status.New(codes.Unknown, fmt.Sprintf("transport: malformed grpc-status: %v", err))
 				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
 				return
 			}
-			rawStatusCode = codes.Code(uint32(code))
+			grpcStatusCode = codes.Code(uint32(code))
 		case "grpc-message":
 			grpcMessage = decodeGrpcMessage(hf.Value)
 		case ":status":
-			if hf.Value == "200" {
-				httpStatusErr = ""
-				statusCode := 200
-				httpStatusCode = &statusCode
-				break
-			}
-
-			c, err := strconv.ParseInt(hf.Value, 10, 32)
-			if err != nil {
-				se := status.New(codes.Internal, fmt.Sprintf("transport: malformed http-status: %v", err))
-				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
-				return
-			}
-			statusCode := int(c)
-			httpStatusCode = &statusCode
-
-			httpStatusErr = fmt.Sprintf(
-				"unexpected HTTP status code received from server: %d (%s)",
-				statusCode,
-				http.StatusText(statusCode),
-			)
+			httpStatus = hf.Value
 		default:
 			if isReservedHeader(hf.Name) && !isWhitelistedHeader(hf.Name) {
 				break
@@ -1534,25 +1511,52 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		}
 	}
 
-	if !isGRPC || httpStatusErr != "" {
-		var code = codes.Internal // when header does not include HTTP status, return INTERNAL
-
-		if httpStatusCode != nil {
+	// If a non-gRPC response is received, then evaluate the HTTP status to
+	// process the response and close the stream.
+	// In case http status doesn't provide any error information (status : 200),
+	// then evalute response code to be Unknown.
+	if !isGRPC {
+		var grpcErrorCode = codes.Internal
+		if httpStatus == "" {
+			httpStatusErr = "malformed header: missing HTTP status"
+		} else {
+			// Parse the status codes (e.g. "200", 404").
+			statusCode, err := strconv.Atoi(httpStatus)
+			if err != nil {
+				se := status.New(grpcErrorCode, fmt.Sprintf("transport: malformed http-status: %v", err))
+				t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
+				return
+			}
+			if statusCode >= 100 && statusCode < 200 {
+				if endStream {
+					se := status.New(codes.Internal, fmt.Sprintf(
+						"protocol error: informational header with status code %d must not have END_STREAM set", statusCode))
+					t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
+				}
+				// In case of informational headers, return.
+				return
+			}
+			httpStatusErr = fmt.Sprintf(
+				"unexpected HTTP status code received from server: %d (%s)",
+				statusCode,
+				http.StatusText(statusCode),
+			)
 			var ok bool
-			code, ok = HTTPStatusConvTab[*httpStatusCode]
+			grpcErrorCode, ok = HTTPStatusConvTab[statusCode]
 			if !ok {
-				code = codes.Unknown
+				grpcErrorCode = codes.Unknown
 			}
 		}
 		var errs []string
 		if httpStatusErr != "" {
 			errs = append(errs, httpStatusErr)
 		}
+
 		if contentTypeErr != "" {
 			errs = append(errs, contentTypeErr)
 		}
-		// Verify the HTTP response is a 200.
-		se := status.New(code, strings.Join(errs, "; "))
+
+		se := status.New(grpcErrorCode, strings.Join(errs, "; "))
 		t.closeStream(s, se.Err(), true, http2.ErrCodeProtocol, se, nil, endStream)
 		return
 	}
@@ -1583,22 +1587,20 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		}
 	}
 
-	for _, sh := range t.statsHandlers {
+	if t.statsHandler != nil {
 		if !endStream {
-			inHeader := &stats.InHeader{
+			t.statsHandler.HandleRPC(s.ctx, &stats.InHeader{
 				Client:      true,
 				WireLength:  int(frame.Header().Length),
 				Header:      metadata.MD(mdata).Copy(),
 				Compression: s.recvCompress,
-			}
-			sh.HandleRPC(s.ctx, inHeader)
+			})
 		} else {
-			inTrailer := &stats.InTrailer{
+			t.statsHandler.HandleRPC(s.ctx, &stats.InTrailer{
 				Client:     true,
 				WireLength: int(frame.Header().Length),
 				Trailer:    metadata.MD(mdata).Copy(),
-			}
-			sh.HandleRPC(s.ctx, inTrailer)
+			})
 		}
 	}
 
@@ -1606,7 +1608,7 @@ func (t *http2Client) operateHeaders(frame *http2.MetaHeadersFrame) {
 		return
 	}
 
-	status := istatus.NewWithProto(rawStatusCode, grpcMessage, mdata[grpcStatusDetailsBinHeader])
+	status := istatus.NewWithProto(grpcStatusCode, grpcMessage, mdata[grpcStatusDetailsBinHeader])
 
 	// If client received END_STREAM from server while stream was still active,
 	// send RST_STREAM.
@@ -1653,7 +1655,7 @@ func (t *http2Client) reader(errCh chan<- error) {
 	// loop to keep reading incoming messages on this transport.
 	for {
 		t.controlBuf.throttle()
-		frame, err := t.framer.fr.ReadFrame()
+		frame, err := t.framer.readFrame()
 		if t.keepaliveEnabled {
 			atomic.StoreInt64(&t.lastRead, time.Now().UnixNano())
 		}
@@ -1668,7 +1670,7 @@ func (t *http2Client) reader(errCh chan<- error) {
 				if s != nil {
 					// use error detail to provide better err message
 					code := http2ErrConvTab[se.Code]
-					errorDetail := t.framer.fr.ErrorDetail()
+					errorDetail := t.framer.errorDetail()
 					var msg string
 					if errorDetail != nil {
 						msg = errorDetail.Error()
@@ -1686,8 +1688,9 @@ func (t *http2Client) reader(errCh chan<- error) {
 		switch frame := frame.(type) {
 		case *http2.MetaHeadersFrame:
 			t.operateHeaders(frame)
-		case *http2.DataFrame:
+		case *parsedDataFrame:
 			t.handleData(frame)
+			frame.data.Free()
 		case *http2.RSTStreamFrame:
 			t.handleRSTStream(frame)
 		case *http2.SettingsFrame:
@@ -1807,8 +1810,6 @@ func (t *http2Client) socketMetrics() *channelz.EphemeralSocketMetrics {
 	}
 }
 
-func (t *http2Client) RemoteAddr() net.Addr { return t.remoteAddr }
-
 func (t *http2Client) incrMsgSent() {
 	if channelz.IsOn() {
 		t.channelz.SocketMetrics.MessagesSent.Add(1)
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index 83cee314c8..6f78a6b0c8 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@@ -35,6 +35,8 @@ import (
 
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
+	"google.golang.org/protobuf/proto"
+
 	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/grpcutil"
@@ -42,7 +44,6 @@ import (
 	istatus "google.golang.org/grpc/internal/status"
 	"google.golang.org/grpc/internal/syscall"
 	"google.golang.org/grpc/mem"
-	"google.golang.org/protobuf/proto"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
@@ -86,7 +87,7 @@ type http2Server struct {
 	// updates, reset streams, and various settings) to the controller.
 	controlBuf *controlBuffer
 	fc         *trInFlow
-	stats      []stats.Handler
+	stats      stats.Handler
 	// Keepalive and max-age parameters for the server.
 	kp keepalive.ServerParameters
 	// Keepalive enforcement policy.
@@ -168,7 +169,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 	if config.MaxHeaderListSize != nil {
 		maxHeaderListSize = *config.MaxHeaderListSize
 	}
-	framer := newFramer(conn, writeBufSize, readBufSize, config.SharedWriteBuffer, maxHeaderListSize)
+	framer := newFramer(conn, writeBufSize, readBufSize, config.SharedWriteBuffer, maxHeaderListSize, config.BufferPool)
 	// Send initial settings as connection preface to client.
 	isettings := []http2.Setting{{
 		ID:  http2.SettingMaxFrameSize,
@@ -260,7 +261,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
 		fc:                &trInFlow{limit: uint32(icwz)},
 		state:             reachable,
 		activeStreams:     make(map[uint32]*ServerStream),
-		stats:             config.StatsHandlers,
+		stats:             config.StatsHandler,
 		kp:                kp,
 		idle:              time.Now(),
 		kep:               kep,
@@ -390,16 +391,15 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 	}
 	t.maxStreamID = streamID
 
-	buf := newRecvBuffer()
 	s := &ServerStream{
-		Stream: &Stream{
-			id:  streamID,
-			buf: buf,
-			fc:  &inFlow{limit: uint32(t.initialWindowSize)},
+		Stream: Stream{
+			id: streamID,
+			fc: inFlow{limit: uint32(t.initialWindowSize)},
 		},
 		st:               t,
 		headerWireLength: int(frame.Header().Length),
 	}
+	s.Stream.buf.init()
 	var (
 		// if false, content-type was missing or invalid
 		isGRPC      = false
@@ -640,25 +640,21 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 		t.channelz.SocketMetrics.StreamsStarted.Add(1)
 		t.channelz.SocketMetrics.LastRemoteStreamCreatedTimestamp.Store(time.Now().UnixNano())
 	}
-	s.requestRead = func(n int) {
-		t.adjustWindow(s, uint32(n))
-	}
+	s.readRequester = s
 	s.ctxDone = s.ctx.Done()
-	s.wq = newWriteQuota(defaultWriteQuota, s.ctxDone)
-	s.trReader = &transportReader{
-		reader: &recvBufferReader{
+	s.Stream.wq.init(defaultWriteQuota, s.ctxDone)
+	s.trReader = transportReader{
+		reader: recvBufferReader{
 			ctx:     s.ctx,
 			ctxDone: s.ctxDone,
-			recv:    s.buf,
-		},
-		windowHandler: func(n int) {
-			t.updateWindow(s, uint32(n))
+			recv:    &s.buf,
 		},
+		windowHandler: s,
 	}
 	// Register the stream with loopy.
 	t.controlBuf.put(&registerStream{
 		streamID: s.id,
-		wq:       s.wq,
+		wq:       &s.wq,
 	})
 	handle(s)
 	return nil
@@ -674,7 +670,7 @@ func (t *http2Server) HandleStreams(ctx context.Context, handle func(*ServerStre
 	}()
 	for {
 		t.controlBuf.throttle()
-		frame, err := t.framer.fr.ReadFrame()
+		frame, err := t.framer.readFrame()
 		atomic.StoreInt64(&t.lastRead, time.Now().UnixNano())
 		if err != nil {
 			if se, ok := err.(http2.StreamError); ok {
@@ -711,8 +707,9 @@ func (t *http2Server) HandleStreams(ctx context.Context, handle func(*ServerStre
 				})
 				continue
 			}
-		case *http2.DataFrame:
+		case *parsedDataFrame:
 			t.handleData(frame)
+			frame.data.Free()
 		case *http2.RSTStreamFrame:
 			t.handleRSTStream(frame)
 		case *http2.SettingsFrame:
@@ -792,7 +789,7 @@ func (t *http2Server) updateFlowControl(n uint32) {
 
 }
 
-func (t *http2Server) handleData(f *http2.DataFrame) {
+func (t *http2Server) handleData(f *parsedDataFrame) {
 	size := f.Header().Length
 	var sendBDPPing bool
 	if t.bdpEst != nil {
@@ -837,22 +834,15 @@ func (t *http2Server) handleData(f *http2.DataFrame) {
 			t.closeStream(s, true, http2.ErrCodeFlowControl, false)
 			return
 		}
+		dataLen := f.data.Len()
 		if f.Header().Flags.Has(http2.FlagDataPadded) {
-			if w := s.fc.onRead(size - uint32(len(f.Data()))); w > 0 {
+			if w := s.fc.onRead(size - uint32(dataLen)); w > 0 {
 				t.controlBuf.put(&outgoingWindowUpdate{s.id, w})
 			}
 		}
-		// TODO(bradfitz, zhaoq): A copy is required here because there is no
-		// guarantee f.Data() is consumed before the arrival of next frame.
-		// Can this copy be eliminated?
-		if len(f.Data()) > 0 {
-			pool := t.bufferPool
-			if pool == nil {
-				// Note that this is only supposed to be nil in tests. Otherwise, stream is
-				// always initialized with a BufferPool.
-				pool = mem.DefaultBufferPool()
-			}
-			s.write(recvMsg{buffer: mem.Copy(f.Data(), pool)})
+		if dataLen > 0 {
+			f.data.Ref()
+			s.write(recvMsg{buffer: f.data})
 		}
 	}
 	if f.StreamEnded() {
@@ -1059,14 +1049,13 @@ func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
 		t.closeStream(s, true, http2.ErrCodeInternal, false)
 		return ErrHeaderListSizeLimitViolation
 	}
-	for _, sh := range t.stats {
+	if t.stats != nil {
 		// Note: Headers are compressed with hpack after this call returns.
 		// No WireLength field is set here.
-		outHeader := &stats.OutHeader{
+		t.stats.HandleRPC(s.Context(), &stats.OutHeader{
 			Header:      s.header.Copy(),
 			Compression: s.sendCompress,
-		}
-		sh.HandleRPC(s.Context(), outHeader)
+		})
 	}
 	return nil
 }
@@ -1134,10 +1123,10 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
 	// Send a RST_STREAM after the trailers if the client has not already half-closed.
 	rst := s.getState() == streamActive
 	t.finishStream(s, rst, http2.ErrCodeNo, trailingHeader, true)
-	for _, sh := range t.stats {
+	if t.stats != nil {
 		// Note: The trailer fields are compressed with hpack after this call returns.
 		// No WireLength field is set here.
-		sh.HandleRPC(s.Context(), &stats.OutTrailer{
+		t.stats.HandleRPC(s.Context(), &stats.OutTrailer{
 			Trailer: s.trailer.Copy(),
 		})
 	}
@@ -1305,7 +1294,8 @@ func (t *http2Server) Close(err error) {
 // deleteStream deletes the stream s from transport's active streams.
 func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
 	t.mu.Lock()
-	if _, ok := t.activeStreams[s.id]; ok {
+	_, isActive := t.activeStreams[s.id]
+	if isActive {
 		delete(t.activeStreams, s.id)
 		if len(t.activeStreams) == 0 {
 			t.idle = time.Now()
@@ -1313,7 +1303,7 @@ func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
 	}
 	t.mu.Unlock()
 
-	if channelz.IsOn() {
+	if isActive && channelz.IsOn() {
 		if eosReceived {
 			t.channelz.SocketMetrics.StreamsSucceeded.Add(1)
 		} else {
diff --git a/vendor/google.golang.org/grpc/internal/transport/http_util.go b/vendor/google.golang.org/grpc/internal/transport/http_util.go
index e3663f87f3..5bbb641ad9 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http_util.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http_util.go
@@ -25,7 +25,6 @@ import (
 	"fmt"
 	"io"
 	"math"
-	"net"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -37,6 +36,7 @@ import (
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/mem"
 )
 
 const (
@@ -300,11 +300,11 @@ type bufWriter struct {
 	buf       []byte
 	offset    int
 	batchSize int
-	conn      net.Conn
+	conn      io.Writer
 	err       error
 }
 
-func newBufWriter(conn net.Conn, batchSize int, pool *sync.Pool) *bufWriter {
+func newBufWriter(conn io.Writer, batchSize int, pool *sync.Pool) *bufWriter {
 	w := &bufWriter{
 		batchSize: batchSize,
 		conn:      conn,
@@ -388,15 +388,29 @@ func toIOError(err error) error {
 	return ioError{error: err}
 }
 
+type parsedDataFrame struct {
+	http2.FrameHeader
+	data mem.Buffer
+}
+
+func (df *parsedDataFrame) StreamEnded() bool {
+	return df.FrameHeader.Flags.Has(http2.FlagDataEndStream)
+}
+
 type framer struct {
-	writer *bufWriter
-	fr     *http2.Framer
+	writer    *bufWriter
+	fr        *http2.Framer
+	headerBuf []byte // cached slice for framer headers to reduce heap allocs.
+	reader    io.Reader
+	dataFrame parsedDataFrame // Cached data frame to avoid heap allocations.
+	pool      mem.BufferPool
+	errDetail error
 }
 
 var writeBufferPoolMap = make(map[int]*sync.Pool)
 var writeBufferMutex sync.Mutex
 
-func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBuffer bool, maxHeaderListSize uint32) *framer {
+func newFramer(conn io.ReadWriter, writeBufferSize, readBufferSize int, sharedWriteBuffer bool, maxHeaderListSize uint32, memPool mem.BufferPool) *framer {
 	if writeBufferSize < 0 {
 		writeBufferSize = 0
 	}
@@ -412,6 +426,8 @@ func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBu
 	f := &framer{
 		writer: w,
 		fr:     http2.NewFramer(w, r),
+		reader: r,
+		pool:   memPool,
 	}
 	f.fr.SetMaxReadFrameSize(http2MaxFrameLen)
 	// Opt-in to Frame reuse API on framer to reduce garbage.
@@ -422,6 +438,146 @@ func newFramer(conn net.Conn, writeBufferSize, readBufferSize int, sharedWriteBu
 	return f
 }
 
+// writeData writes a DATA frame.
+//
+// It is the caller's responsibility not to violate the maximum frame size.
+func (f *framer) writeData(streamID uint32, endStream bool, data [][]byte) error {
+	var flags http2.Flags
+	if endStream {
+		flags = http2.FlagDataEndStream
+	}
+	length := uint32(0)
+	for _, d := range data {
+		length += uint32(len(d))
+	}
+	// TODO: Replace the header write with the framer API being added in
+	// https://github.com/golang/go/issues/66655.
+	f.headerBuf = append(f.headerBuf[:0],
+		byte(length>>16),
+		byte(length>>8),
+		byte(length),
+		byte(http2.FrameData),
+		byte(flags),
+		byte(streamID>>24),
+		byte(streamID>>16),
+		byte(streamID>>8),
+		byte(streamID))
+	if _, err := f.writer.Write(f.headerBuf); err != nil {
+		return err
+	}
+	for _, d := range data {
+		if _, err := f.writer.Write(d); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// readFrame reads a single frame. The returned Frame is only valid
+// until the next call to readFrame.
+func (f *framer) readFrame() (any, error) {
+	f.errDetail = nil
+	fh, err := f.fr.ReadFrameHeader()
+	if err != nil {
+		f.errDetail = f.fr.ErrorDetail()
+		return nil, err
+	}
+	// Read the data frame directly from the underlying io.Reader to avoid
+	// copies.
+	if fh.Type == http2.FrameData {
+		err = f.readDataFrame(fh)
+		return &f.dataFrame, err
+	}
+	fr, err := f.fr.ReadFrameForHeader(fh)
+	if err != nil {
+		f.errDetail = f.fr.ErrorDetail()
+		return nil, err
+	}
+	return fr, err
+}
+
+// errorDetail returns a more detailed error of the last error
+// returned by framer.readFrame. For instance, if readFrame
+// returns a StreamError with code PROTOCOL_ERROR, errorDetail
+// will say exactly what was invalid. errorDetail is not guaranteed
+// to return a non-nil value.
+// errorDetail is reset after the next call to readFrame.
+func (f *framer) errorDetail() error {
+	return f.errDetail
+}
+
+func (f *framer) readDataFrame(fh http2.FrameHeader) (err error) {
+	if fh.StreamID == 0 {
+		// DATA frames MUST be associated with a stream. If a
+		// DATA frame is received whose stream identifier
+		// field is 0x0, the recipient MUST respond with a
+		// connection error (Section 5.4.1) of type
+		// PROTOCOL_ERROR.
+		f.errDetail = errors.New("DATA frame with stream ID 0")
+		return http2.ConnectionError(http2.ErrCodeProtocol)
+	}
+	// Converting a *[]byte to a mem.SliceBuffer incurs a heap allocation. This
+	// conversion is performed by mem.NewBuffer. To avoid the extra allocation
+	// a []byte is allocated directly if required and cast to a mem.SliceBuffer.
+	var buf []byte
+	// poolHandle is the pointer returned by the buffer pool (if it's used.).
+	var poolHandle *[]byte
+	useBufferPool := !mem.IsBelowBufferPoolingThreshold(int(fh.Length))
+	if useBufferPool {
+		poolHandle = f.pool.Get(int(fh.Length))
+		buf = *poolHandle
+		defer func() {
+			if err != nil {
+				f.pool.Put(poolHandle)
+			}
+		}()
+	} else {
+		buf = make([]byte, int(fh.Length))
+	}
+	if fh.Flags.Has(http2.FlagDataPadded) {
+		if fh.Length == 0 {
+			return io.ErrUnexpectedEOF
+		}
+		// This initial 1-byte read can be inefficient for unbuffered readers,
+		// but it allows the rest of the payload to be read directly to the
+		// start of the destination slice. This makes it easy to return the
+		// original slice back to the buffer pool.
+		if _, err := io.ReadFull(f.reader, buf[:1]); err != nil {
+			return err
+		}
+		padSize := buf[0]
+		buf = buf[:len(buf)-1]
+		if int(padSize) > len(buf) {
+			// If the length of the padding is greater than the
+			// length of the frame payload, the recipient MUST
+			// treat this as a connection error.
+			// Filed: https://github.com/http2/http2-spec/issues/610
+			f.errDetail = errors.New("pad size larger than data payload")
+			return http2.ConnectionError(http2.ErrCodeProtocol)
+		}
+		if _, err := io.ReadFull(f.reader, buf); err != nil {
+			return err
+		}
+		buf = buf[:len(buf)-int(padSize)]
+	} else if _, err := io.ReadFull(f.reader, buf); err != nil {
+		return err
+	}
+
+	f.dataFrame.FrameHeader = fh
+	if useBufferPool {
+		// Update the handle to point to the (potentially re-sliced) buf.
+		*poolHandle = buf
+		f.dataFrame.data = mem.NewBuffer(poolHandle, f.pool)
+	} else {
+		f.dataFrame.data = mem.SliceBuffer(buf)
+	}
+	return nil
+}
+
+func (df *parsedDataFrame) Header() http2.FrameHeader {
+	return df.FrameHeader
+}
+
 func getWriteBufferPool(size int) *sync.Pool {
 	writeBufferMutex.Lock()
 	defer writeBufferMutex.Unlock()
diff --git a/vendor/google.golang.org/grpc/internal/transport/server_stream.go b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
index cf8da0b52d..ed6a13b750 100644
--- a/vendor/google.golang.org/grpc/internal/transport/server_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
@@ -32,7 +32,7 @@ import (
 
 // ServerStream implements streaming functionality for a gRPC server.
 type ServerStream struct {
-	*Stream // Embed for common stream functionality.
+	Stream // Embed for common stream functionality.
 
 	st      internalServerTransport
 	ctxDone <-chan struct{} // closed at the end of stream.  Cache of ctx.Done() (for performance)
@@ -43,12 +43,13 @@ type ServerStream struct {
 	// Holds compressor names passed in grpc-accept-encoding metadata from the
 	// client.
 	clientAdvertisedCompressors string
-	headerWireLength            int
 
 	// hdrMu protects outgoing header and trailer metadata.
 	hdrMu      sync.Mutex
 	header     metadata.MD // the outgoing header metadata.  Updated by WriteHeader.
 	headerSent atomic.Bool // atomically set when the headers are sent out.
+
+	headerWireLength int
 }
 
 // Read reads an n byte message from the input stream.
@@ -178,3 +179,11 @@ func (s *ServerStream) SetTrailer(md metadata.MD) error {
 	s.hdrMu.Unlock()
 	return nil
 }
+
+func (s *ServerStream) requestRead(n int) {
+	s.st.adjustWindow(s, uint32(n))
+}
+
+func (s *ServerStream) updateWindow(n int) {
+	s.st.updateWindow(s, uint32(n))
+}
diff --git a/vendor/google.golang.org/grpc/internal/transport/transport.go b/vendor/google.golang.org/grpc/internal/transport/transport.go
index 7dd53e80a7..6daf1e002d 100644
--- a/vendor/google.golang.org/grpc/internal/transport/transport.go
+++ b/vendor/google.golang.org/grpc/internal/transport/transport.go
@@ -68,11 +68,11 @@ type recvBuffer struct {
 	err     error
 }
 
-func newRecvBuffer() *recvBuffer {
-	b := &recvBuffer{
-		c: make(chan recvMsg, 1),
-	}
-	return b
+// init allows a recvBuffer to be initialized in-place, which is useful
+// for resetting a buffer or for avoiding a heap allocation when the buffer
+// is embedded in another struct.
+func (b *recvBuffer) init() {
+	b.c = make(chan recvMsg, 1)
 }
 
 func (b *recvBuffer) put(r recvMsg) {
@@ -123,12 +123,13 @@ func (b *recvBuffer) get() <-chan recvMsg {
 // recvBufferReader implements io.Reader interface to read the data from
 // recvBuffer.
 type recvBufferReader struct {
-	closeStream func(error) // Closes the client transport stream with the given error and nil trailer metadata.
-	ctx         context.Context
-	ctxDone     <-chan struct{} // cache of ctx.Done() (for performance).
-	recv        *recvBuffer
-	last        mem.Buffer // Stores the remaining data in the previous calls.
-	err         error
+	_            noCopy
+	clientStream *ClientStream // The client transport stream is closed with a status representing ctx.Err() and nil trailer metadata.
+	ctx          context.Context
+	ctxDone      <-chan struct{} // cache of ctx.Done() (for performance).
+	recv         *recvBuffer
+	last         mem.Buffer // Stores the remaining data in the previous calls.
+	err          error
 }
 
 func (r *recvBufferReader) ReadMessageHeader(header []byte) (n int, err error) {
@@ -139,7 +140,7 @@ func (r *recvBufferReader) ReadMessageHeader(header []byte) (n int, err error) {
 		n, r.last = mem.ReadUnsafe(header, r.last)
 		return n, nil
 	}
-	if r.closeStream != nil {
+	if r.clientStream != nil {
 		n, r.err = r.readMessageHeaderClient(header)
 	} else {
 		n, r.err = r.readMessageHeader(header)
@@ -164,7 +165,7 @@ func (r *recvBufferReader) Read(n int) (buf mem.Buffer, err error) {
 		}
 		return buf, nil
 	}
-	if r.closeStream != nil {
+	if r.clientStream != nil {
 		buf, r.err = r.readClient(n)
 	} else {
 		buf, r.err = r.read(n)
@@ -209,7 +210,7 @@ func (r *recvBufferReader) readMessageHeaderClient(header []byte) (n int, err er
 		// TODO: delaying ctx error seems like a unnecessary side effect. What
 		// we really want is to mark the stream as done, and return ctx error
 		// faster.
-		r.closeStream(ContextErr(r.ctx.Err()))
+		r.clientStream.Close(ContextErr(r.ctx.Err()))
 		m := <-r.recv.get()
 		return r.readMessageHeaderAdditional(m, header)
 	case m := <-r.recv.get():
@@ -236,7 +237,7 @@ func (r *recvBufferReader) readClient(n int) (buf mem.Buffer, err error) {
 		// TODO: delaying ctx error seems like a unnecessary side effect. What
 		// we really want is to mark the stream as done, and return ctx error
 		// faster.
-		r.closeStream(ContextErr(r.ctx.Err()))
+		r.clientStream.Close(ContextErr(r.ctx.Err()))
 		m := <-r.recv.get()
 		return r.readAdditional(m, n)
 	case m := <-r.recv.get():
@@ -285,27 +286,32 @@ const (
 
 // Stream represents an RPC in the transport layer.
 type Stream struct {
-	id           uint32
 	ctx          context.Context // the associated context of the stream
 	method       string          // the associated RPC method of the stream
 	recvCompress string
 	sendCompress string
-	buf          *recvBuffer
-	trReader     *transportReader
-	fc           *inFlow
-	wq           *writeQuota
-
-	// Callback to state application's intentions to read data. This
-	// is used to adjust flow control, if needed.
-	requestRead func(int)
 
-	state streamState
+	readRequester readRequester
 
 	// contentSubtype is the content-subtype for requests.
 	// this must be lowercase or the behavior is undefined.
 	contentSubtype string
 
 	trailer metadata.MD // the key-value map of trailer metadata.
+
+	// Non-pointer fields are at the end to optimize GC performance.
+	state    streamState
+	id       uint32
+	buf      recvBuffer
+	trReader transportReader
+	fc       inFlow
+	wq       writeQuota
+}
+
+// readRequester is used to state application's intentions to read data. This
+// is used to adjust flow control, if needed.
+type readRequester interface {
+	requestRead(int)
 }
 
 func (s *Stream) swapState(st streamState) streamState {
@@ -355,7 +361,7 @@ func (s *Stream) ReadMessageHeader(header []byte) (err error) {
 	if er := s.trReader.er; er != nil {
 		return er
 	}
-	s.requestRead(len(header))
+	s.readRequester.requestRead(len(header))
 	for len(header) != 0 {
 		n, err := s.trReader.ReadMessageHeader(header)
 		header = header[n:]
@@ -378,7 +384,7 @@ func (s *Stream) read(n int) (data mem.BufferSlice, err error) {
 	if er := s.trReader.er; er != nil {
 		return nil, er
 	}
-	s.requestRead(n)
+	s.readRequester.requestRead(n)
 	for n != 0 {
 		buf, err := s.trReader.Read(n)
 		var bufLen int
@@ -401,16 +407,34 @@ func (s *Stream) read(n int) (data mem.BufferSlice, err error) {
 	return data, nil
 }
 
+// noCopy may be embedded into structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+type noCopy struct {
+}
+
+func (*noCopy) Lock()   {}
+func (*noCopy) Unlock() {}
+
 // transportReader reads all the data available for this Stream from the transport and
 // passes them into the decoder, which converts them into a gRPC message stream.
 // The error is io.EOF when the stream is done or another non-nil error if
 // the stream broke.
 type transportReader struct {
-	reader *recvBufferReader
+	_ noCopy
 	// The handler to control the window update procedure for both this
 	// particular stream and the associated transport.
-	windowHandler func(int)
+	windowHandler windowHandler
 	er            error
+	reader        recvBufferReader
+}
+
+// The handler to control the window update procedure for both this
+// particular stream and the associated transport.
+type windowHandler interface {
+	updateWindow(int)
 }
 
 func (t *transportReader) ReadMessageHeader(header []byte) (int, error) {
@@ -419,7 +443,7 @@ func (t *transportReader) ReadMessageHeader(header []byte) (int, error) {
 		t.er = err
 		return 0, err
 	}
-	t.windowHandler(n)
+	t.windowHandler.updateWindow(n)
 	return n, nil
 }
 
@@ -429,7 +453,7 @@ func (t *transportReader) Read(n int) (mem.Buffer, error) {
 		t.er = err
 		return buf, err
 	}
-	t.windowHandler(buf.Len())
+	t.windowHandler.updateWindow(buf.Len())
 	return buf, nil
 }
 
@@ -454,7 +478,7 @@ type ServerConfig struct {
 	ConnectionTimeout     time.Duration
 	Credentials           credentials.TransportCredentials
 	InTapHandle           tap.ServerInHandle
-	StatsHandlers         []stats.Handler
+	StatsHandler          stats.Handler
 	KeepaliveParams       keepalive.ServerParameters
 	KeepalivePolicy       keepalive.EnforcementPolicy
 	InitialWindowSize     int32
@@ -529,6 +553,12 @@ type CallHdr struct {
 	// outbound message.
 	SendCompress string
 
+	// AcceptedCompressors overrides the grpc-accept-encoding header for this
+	// call. When nil, the transport advertises the default set of registered
+	// compressors. A non-nil pointer overrides that value (including the empty
+	// string to advertise none).
+	AcceptedCompressors *string
+
 	// Creds specifies credentials.PerRPCCredentials for a call.
 	Creds credentials.PerRPCCredentials
 
@@ -584,8 +614,9 @@ type ClientTransport interface {
 	// with a human readable string with debug info.
 	GetGoAwayReason() (GoAwayReason, string)
 
-	// RemoteAddr returns the remote network address.
-	RemoteAddr() net.Addr
+	// Peer returns information about the peer associated with the Transport.
+	// The returned information includes authentication and network address details.
+	Peer() *peer.Peer
 }
 
 // ServerTransport is the common interface for all gRPC server-side transport
@@ -615,6 +646,8 @@ type internalServerTransport interface {
 	write(s *ServerStream, hdr []byte, data mem.BufferSlice, opts *WriteOptions) error
 	writeStatus(s *ServerStream, st *status.Status) error
 	incrMsgRecv()
+	adjustWindow(s *ServerStream, n uint32)
+	updateWindow(s *ServerStream, n uint32)
 }
 
 // connectionErrorf creates an ConnectionError with the specified error description.
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/benchmark_service.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/benchmark_service.pb.go
index aba544968f..bcefec69b7 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/benchmark_service.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/benchmark_service.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/benchmark_service.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/benchmark_service_grpc.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/benchmark_service_grpc.pb.go
index f6424a57e4..2b1b78cf81 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/benchmark_service_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/benchmark_service_grpc.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v5.27.1
 // source: grpc/testing/benchmark_service.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/control.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/control.pb.go
index 7be6870d9d..fbe5632f7b 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/control.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/control.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/control.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/core/stats.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/core/stats.pb.go
index f1859cc459..9bbdf3c2b2 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/core/stats.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/core/stats.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/core/stats.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/empty.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/empty.pb.go
index 4f0398766c..621ce27630 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/empty.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/empty.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/empty.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/messages.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/messages.pb.go
index 1fa224d018..fd1cf8d578 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/messages.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/messages.pb.go
@@ -16,7 +16,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/messages.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/payloads.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/payloads.pb.go
index 69fc874033..8dc7bddbbe 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/payloads.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/payloads.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/payloads.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/report_qps_scenario_service.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/report_qps_scenario_service.pb.go
index c518b69f9e..1dbdecd2be 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/report_qps_scenario_service.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/report_qps_scenario_service.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/report_qps_scenario_service.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/report_qps_scenario_service_grpc.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/report_qps_scenario_service_grpc.pb.go
index 864762a3b9..7f10b0ec0a 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/report_qps_scenario_service_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/report_qps_scenario_service_grpc.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v5.27.1
 // source: grpc/testing/report_qps_scenario_service.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/stats.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/stats.pb.go
index b21404eeec..23564bfff4 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/stats.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/stats.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/stats.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/test.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/test.pb.go
index 03e824d9a6..629601cf69 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/test.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/test.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/test.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/test_grpc.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/test_grpc.pb.go
index 32d683433d..6dc85dd27c 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/test_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/test_grpc.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v5.27.1
 // source: grpc/testing/test.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/worker_service.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/worker_service.pb.go
index 8b5d482829..d9cc8b376e 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/worker_service.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/worker_service.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.10
 // 	protoc        v5.27.1
 // source: grpc/testing/worker_service.proto
 
diff --git a/vendor/google.golang.org/grpc/interop/grpc_testing/worker_service_grpc.pb.go b/vendor/google.golang.org/grpc/interop/grpc_testing/worker_service_grpc.pb.go
index dca4069d5b..32a8216366 100644
--- a/vendor/google.golang.org/grpc/interop/grpc_testing/worker_service_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/interop/grpc_testing/worker_service_grpc.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.5.1
+// - protoc-gen-go-grpc v1.6.0
 // - protoc             v5.27.1
 // source: grpc/testing/worker_service.proto
 
diff --git a/vendor/google.golang.org/grpc/mem/buffer_pool.go b/vendor/google.golang.org/grpc/mem/buffer_pool.go
index c37c58c023..e37afdd198 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_pool.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_pool.go
@@ -32,12 +32,17 @@ type BufferPool interface {
 	Get(length int) *[]byte
 
 	// Put returns a buffer to the pool.
+	//
+	// The provided pointer must hold a prefix of the buffer obtained via
+	// BufferPool.Get to ensure the buffer's entire capacity can be re-used.
 	Put(*[]byte)
 }
 
+const goPageSize = 4 << 10 // 4KiB. N.B. this must be a power of 2.
+
 var defaultBufferPoolSizes = []int{
 	256,
-	4 << 10,  // 4KB (go page size)
+	goPageSize,
 	16 << 10, // 16KB (max HTTP/2 frame size used by gRPC)
 	32 << 10, // 32KB (default buffer size for io.Copy)
 	1 << 20,  // 1MB
@@ -118,7 +123,11 @@ type sizedBufferPool struct {
 }
 
 func (p *sizedBufferPool) Get(size int) *[]byte {
-	buf := p.pool.Get().(*[]byte)
+	buf, ok := p.pool.Get().(*[]byte)
+	if !ok {
+		buf := make([]byte, size, p.defaultSize)
+		return &buf
+	}
 	b := *buf
 	clear(b[:cap(b)])
 	*buf = b[:size]
@@ -137,12 +146,6 @@ func (p *sizedBufferPool) Put(buf *[]byte) {
 
 func newSizedBufferPool(size int) *sizedBufferPool {
 	return &sizedBufferPool{
-		pool: sync.Pool{
-			New: func() any {
-				buf := make([]byte, size)
-				return &buf
-			},
-		},
 		defaultSize: size,
 	}
 }
@@ -160,6 +163,7 @@ type simpleBufferPool struct {
 func (p *simpleBufferPool) Get(size int) *[]byte {
 	bs, ok := p.pool.Get().(*[]byte)
 	if ok && cap(*bs) >= size {
+		clear((*bs)[:cap(*bs)])
 		*bs = (*bs)[:size]
 		return bs
 	}
@@ -170,7 +174,14 @@ func (p *simpleBufferPool) Get(size int) *[]byte {
 		p.pool.Put(bs)
 	}
 
-	b := make([]byte, size)
+	// If we're going to allocate, round up to the nearest page. This way if
+	// requests frequently arrive with small variation we don't allocate
+	// repeatedly if we get unlucky and they increase over time. By default we
+	// only allocate here if size > 1MiB. Because goPageSize is a power of 2, we
+	// can round up efficiently.
+	allocSize := (size + goPageSize - 1) & ^(goPageSize - 1)
+
+	b := make([]byte, size, allocSize)
 	return &b
 }
 
diff --git a/vendor/google.golang.org/grpc/mem/buffer_slice.go b/vendor/google.golang.org/grpc/mem/buffer_slice.go
index af510d20c5..084fb19c6d 100644
--- a/vendor/google.golang.org/grpc/mem/buffer_slice.go
+++ b/vendor/google.golang.org/grpc/mem/buffer_slice.go
@@ -19,6 +19,7 @@
 package mem
 
 import (
+	"fmt"
 	"io"
 )
 
@@ -117,43 +118,36 @@ func (s BufferSlice) MaterializeToBuffer(pool BufferPool) Buffer {
 
 // Reader returns a new Reader for the input slice after taking references to
 // each underlying buffer.
-func (s BufferSlice) Reader() Reader {
+func (s BufferSlice) Reader() *Reader {
 	s.Ref()
-	return &sliceReader{
+	return &Reader{
 		data: s,
 		len:  s.Len(),
 	}
 }
 
 // Reader exposes a BufferSlice's data as an io.Reader, allowing it to interface
-// with other parts systems. It also provides an additional convenience method
-// Remaining(), which returns the number of unread bytes remaining in the slice.
+// with other systems.
+//
 // Buffers will be freed as they are read.
-type Reader interface {
-	io.Reader
-	io.ByteReader
-	// Close frees the underlying BufferSlice and never returns an error. Subsequent
-	// calls to Read will return (0, io.EOF).
-	Close() error
-	// Remaining returns the number of unread bytes remaining in the slice.
-	Remaining() int
-	// Reset frees the currently held buffer slice and starts reading from the
-	// provided slice. This allows reusing the reader object.
-	Reset(s BufferSlice)
-}
-
-type sliceReader struct {
+//
+// A Reader can be constructed from a BufferSlice; alternatively the zero value
+// of a Reader may be used after calling Reset on it.
+type Reader struct {
 	data BufferSlice
 	len  int
 	// The index into data[0].ReadOnlyData().
 	bufferIdx int
 }
 
-func (r *sliceReader) Remaining() int {
+// Remaining returns the number of unread bytes remaining in the slice.
+func (r *Reader) Remaining() int {
 	return r.len
 }
 
-func (r *sliceReader) Reset(s BufferSlice) {
+// Reset frees the currently held buffer slice and starts reading from the
+// provided slice. This allows reusing the reader object.
+func (r *Reader) Reset(s BufferSlice) {
 	r.data.Free()
 	s.Ref()
 	r.data = s
@@ -161,14 +155,16 @@ func (r *sliceReader) Reset(s BufferSlice) {
 	r.bufferIdx = 0
 }
 
-func (r *sliceReader) Close() error {
+// Close frees the underlying BufferSlice and never returns an error. Subsequent
+// calls to Read will return (0, io.EOF).
+func (r *Reader) Close() error {
 	r.data.Free()
 	r.data = nil
 	r.len = 0
 	return nil
 }
 
-func (r *sliceReader) freeFirstBufferIfEmpty() bool {
+func (r *Reader) freeFirstBufferIfEmpty() bool {
 	if len(r.data) == 0 || r.bufferIdx != len(r.data[0].ReadOnlyData()) {
 		return false
 	}
@@ -179,7 +175,7 @@ func (r *sliceReader) freeFirstBufferIfEmpty() bool {
 	return true
 }
 
-func (r *sliceReader) Read(buf []byte) (n int, _ error) {
+func (r *Reader) Read(buf []byte) (n int, _ error) {
 	if r.len == 0 {
 		return 0, io.EOF
 	}
@@ -202,7 +198,8 @@ func (r *sliceReader) Read(buf []byte) (n int, _ error) {
 	return n, nil
 }
 
-func (r *sliceReader) ReadByte() (byte, error) {
+// ReadByte reads a single byte.
+func (r *Reader) ReadByte() (byte, error) {
 	if r.len == 0 {
 		return 0, io.EOF
 	}
@@ -290,3 +287,59 @@ nextBuffer:
 		}
 	}
 }
+
+// Discard skips the next n bytes, returning the number of bytes discarded.
+//
+// It frees buffers as they are fully consumed.
+//
+// If Discard skips fewer than n bytes, it also returns an error.
+func (r *Reader) Discard(n int) (discarded int, err error) {
+	total := n
+	for n > 0 && r.len > 0 {
+		curData := r.data[0].ReadOnlyData()
+		curSize := min(n, len(curData)-r.bufferIdx)
+		n -= curSize
+		r.len -= curSize
+		r.bufferIdx += curSize
+		if r.bufferIdx >= len(curData) {
+			r.data[0].Free()
+			r.data = r.data[1:]
+			r.bufferIdx = 0
+		}
+	}
+	discarded = total - n
+	if n > 0 {
+		return discarded, fmt.Errorf("insufficient bytes in reader")
+	}
+	return discarded, nil
+}
+
+// Peek returns the next n bytes without advancing the reader.
+//
+// Peek appends results to the provided res slice and returns the updated slice.
+// This pattern allows re-using the storage of res if it has sufficient
+// capacity.
+//
+// The returned subslices are views into the underlying buffers and are only
+// valid until the reader is advanced past the corresponding buffer.
+//
+// If Peek returns fewer than n bytes, it also returns an error.
+func (r *Reader) Peek(n int, res [][]byte) ([][]byte, error) {
+	for i := 0; n > 0 && i < len(r.data); i++ {
+		curData := r.data[i].ReadOnlyData()
+		start := 0
+		if i == 0 {
+			start = r.bufferIdx
+		}
+		curSize := min(n, len(curData)-start)
+		if curSize == 0 {
+			continue
+		}
+		res = append(res, curData[start:start+curSize])
+		n -= curSize
+	}
+	if n > 0 {
+		return nil, fmt.Errorf("insufficient bytes in reader")
+	}
+	return res, nil
+}
diff --git a/vendor/google.golang.org/grpc/preloader.go b/vendor/google.golang.org/grpc/preloader.go
index ee0ff969af..1e783febf9 100644
--- a/vendor/google.golang.org/grpc/preloader.go
+++ b/vendor/google.golang.org/grpc/preloader.go
@@ -47,9 +47,6 @@ func (p *PreparedMsg) Encode(s Stream, msg any) error {
 	}
 
 	// check if the context has the relevant information to prepareMsg
-	if rpcInfo.preloaderInfo == nil {
-		return status.Errorf(codes.Internal, "grpc: rpcInfo.preloaderInfo is nil")
-	}
 	if rpcInfo.preloaderInfo.codec == nil {
 		return status.Errorf(codes.Internal, "grpc: rpcInfo.preloaderInfo.codec is nil")
 	}
diff --git a/vendor/google.golang.org/grpc/resolver_wrapper.go b/vendor/google.golang.org/grpc/resolver_wrapper.go
index 80e16a327c..6e61376437 100644
--- a/vendor/google.golang.org/grpc/resolver_wrapper.go
+++ b/vendor/google.golang.org/grpc/resolver_wrapper.go
@@ -69,6 +69,7 @@ func (ccr *ccResolverWrapper) start() error {
 	errCh := make(chan error)
 	ccr.serializer.TrySchedule(func(ctx context.Context) {
 		if ctx.Err() != nil {
+			errCh <- ctx.Err()
 			return
 		}
 		opts := resolver.BuildOptions{
diff --git a/vendor/google.golang.org/grpc/rpc_util.go b/vendor/google.golang.org/grpc/rpc_util.go
index 47ea09f5c9..8160f94304 100644
--- a/vendor/google.golang.org/grpc/rpc_util.go
+++ b/vendor/google.golang.org/grpc/rpc_util.go
@@ -33,6 +33,8 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/encoding"
 	"google.golang.org/grpc/encoding/proto"
+	"google.golang.org/grpc/internal"
+	"google.golang.org/grpc/internal/grpcutil"
 	"google.golang.org/grpc/internal/transport"
 	"google.golang.org/grpc/mem"
 	"google.golang.org/grpc/metadata"
@@ -41,6 +43,10 @@ import (
 	"google.golang.org/grpc/status"
 )
 
+func init() {
+	internal.AcceptCompressors = acceptCompressors
+}
+
 // Compressor defines the interface gRPC uses to compress a message.
 //
 // Deprecated: use package encoding.
@@ -151,16 +157,32 @@ func (d *gzipDecompressor) Type() string {
 
 // callInfo contains all related configuration and information about an RPC.
 type callInfo struct {
-	compressorName        string
-	failFast              bool
-	maxReceiveMessageSize *int
-	maxSendMessageSize    *int
-	creds                 credentials.PerRPCCredentials
-	contentSubtype        string
-	codec                 baseCodec
-	maxRetryRPCBufferSize int
-	onFinish              []func(err error)
-	authority             string
+	compressorName              string
+	failFast                    bool
+	maxReceiveMessageSize       *int
+	maxSendMessageSize          *int
+	creds                       credentials.PerRPCCredentials
+	contentSubtype              string
+	codec                       baseCodec
+	maxRetryRPCBufferSize       int
+	onFinish                    []func(err error)
+	authority                   string
+	acceptedResponseCompressors []string
+}
+
+func acceptedCompressorAllows(allowed []string, name string) bool {
+	if allowed == nil {
+		return true
+	}
+	if name == "" || name == encoding.Identity {
+		return true
+	}
+	for _, a := range allowed {
+		if a == name {
+			return true
+		}
+	}
+	return false
 }
 
 func defaultCallInfo() *callInfo {
@@ -170,6 +192,29 @@ func defaultCallInfo() *callInfo {
 	}
 }
 
+func newAcceptedCompressionConfig(names []string) ([]string, error) {
+	if len(names) == 0 {
+		return nil, nil
+	}
+	var allowed []string
+	seen := make(map[string]struct{}, len(names))
+	for _, name := range names {
+		name = strings.TrimSpace(name)
+		if name == "" || name == encoding.Identity {
+			continue
+		}
+		if !grpcutil.IsCompressorNameRegistered(name) {
+			return nil, status.Errorf(codes.InvalidArgument, "grpc: compressor %q is not registered", name)
+		}
+		if _, dup := seen[name]; dup {
+			continue
+		}
+		seen[name] = struct{}{}
+		allowed = append(allowed, name)
+	}
+	return allowed, nil
+}
+
 // CallOption configures a Call before it starts or extracts information from
 // a Call after it completes.
 type CallOption interface {
@@ -471,6 +516,31 @@ func (o CompressorCallOption) before(c *callInfo) error {
 }
 func (o CompressorCallOption) after(*callInfo, *csAttempt) {}
 
+// acceptCompressors returns a CallOption that limits the compression algorithms
+// advertised in the grpc-accept-encoding header for response messages.
+// Compression algorithms not in the provided list will not be advertised, and
+// responses compressed with non-listed algorithms will be rejected.
+func acceptCompressors(names ...string) CallOption {
+	cp := append([]string(nil), names...)
+	return acceptCompressorsCallOption{names: cp}
+}
+
+// acceptCompressorsCallOption is a CallOption that limits response compression.
+type acceptCompressorsCallOption struct {
+	names []string
+}
+
+func (o acceptCompressorsCallOption) before(c *callInfo) error {
+	allowed, err := newAcceptedCompressionConfig(o.names)
+	if err != nil {
+		return err
+	}
+	c.acceptedResponseCompressors = allowed
+	return nil
+}
+
+func (acceptCompressorsCallOption) after(*callInfo, *csAttempt) {}
+
 // CallContentSubtype returns a CallOption that will set the content-subtype
 // for a call. For example, if content-subtype is "json", the Content-Type over
 // the wire will be "application/grpc+json". The content-subtype is converted
@@ -657,8 +727,20 @@ type streamReader interface {
 	Read(n int) (mem.BufferSlice, error)
 }
 
+// noCopy may be embedded into structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+type noCopy struct {
+}
+
+func (*noCopy) Lock()   {}
+func (*noCopy) Unlock() {}
+
 // parser reads complete gRPC messages from the underlying reader.
 type parser struct {
+	_ noCopy
 	// r is the underlying reader.
 	// See the comment on recvMsg for the permissible
 	// error types.
@@ -845,8 +927,7 @@ func (p *payloadInfo) free() {
 // the buffer is no longer needed.
 // TODO: Refactor this function to reduce the number of arguments.
 // See: https://google.github.io/styleguide/go/best-practices.html#function-argument-lists
-func recvAndDecompress(p *parser, s recvCompressor, dc Decompressor, maxReceiveMessageSize int, payInfo *payloadInfo, compressor encoding.Compressor, isServer bool,
-) (out mem.BufferSlice, err error) {
+func recvAndDecompress(p *parser, s recvCompressor, dc Decompressor, maxReceiveMessageSize int, payInfo *payloadInfo, compressor encoding.Compressor, isServer bool) (out mem.BufferSlice, err error) {
 	pf, compressed, err := p.recvMsg(maxReceiveMessageSize)
 	if err != nil {
 		return nil, err
@@ -949,7 +1030,7 @@ func recv(p *parser, c baseCodec, s recvCompressor, dc Decompressor, m any, maxR
 // Information about RPC
 type rpcInfo struct {
 	failfast      bool
-	preloaderInfo *compressorInfo
+	preloaderInfo compressorInfo
 }
 
 // Information about Preloader
@@ -968,7 +1049,7 @@ type rpcInfoContextKey struct{}
 func newContextWithRPCInfo(ctx context.Context, failfast bool, codec baseCodec, cp Compressor, comp encoding.Compressor) context.Context {
 	return context.WithValue(ctx, rpcInfoContextKey{}, &rpcInfo{
 		failfast: failfast,
-		preloaderInfo: &compressorInfo{
+		preloaderInfo: compressorInfo{
 			codec: codec,
 			cp:    cp,
 			comp:  comp,
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 1da2a542ac..ddd3773411 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -124,7 +124,8 @@ type serviceInfo struct {
 
 // Server is a gRPC server to serve RPC requests.
 type Server struct {
-	opts serverOptions
+	opts         serverOptions
+	statsHandler stats.Handler
 
 	mu  sync.Mutex // guards following
 	lis map[net.Listener]bool
@@ -692,13 +693,14 @@ func NewServer(opt ...ServerOption) *Server {
 		o.apply(&opts)
 	}
 	s := &Server{
-		lis:      make(map[net.Listener]bool),
-		opts:     opts,
-		conns:    make(map[string]map[transport.ServerTransport]bool),
-		services: make(map[string]*serviceInfo),
-		quit:     grpcsync.NewEvent(),
-		done:     grpcsync.NewEvent(),
-		channelz: channelz.RegisterServer(""),
+		lis:          make(map[net.Listener]bool),
+		opts:         opts,
+		statsHandler: istats.NewCombinedHandler(opts.statsHandlers...),
+		conns:        make(map[string]map[transport.ServerTransport]bool),
+		services:     make(map[string]*serviceInfo),
+		quit:         grpcsync.NewEvent(),
+		done:         grpcsync.NewEvent(),
+		channelz:     channelz.RegisterServer(""),
 	}
 	chainUnaryServerInterceptors(s)
 	chainStreamServerInterceptors(s)
@@ -999,7 +1001,7 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
 		ConnectionTimeout:     s.opts.connectionTimeout,
 		Credentials:           s.opts.creds,
 		InTapHandle:           s.opts.inTapHandle,
-		StatsHandlers:         s.opts.statsHandlers,
+		StatsHandler:          s.statsHandler,
 		KeepaliveParams:       s.opts.keepaliveParams,
 		KeepalivePolicy:       s.opts.keepalivePolicy,
 		InitialWindowSize:     s.opts.initialWindowSize,
@@ -1036,18 +1038,18 @@ func (s *Server) newHTTP2Transport(c net.Conn) transport.ServerTransport {
 func (s *Server) serveStreams(ctx context.Context, st transport.ServerTransport, rawConn net.Conn) {
 	ctx = transport.SetConnection(ctx, rawConn)
 	ctx = peer.NewContext(ctx, st.Peer())
-	for _, sh := range s.opts.statsHandlers {
-		ctx = sh.TagConn(ctx, &stats.ConnTagInfo{
+	if s.statsHandler != nil {
+		ctx = s.statsHandler.TagConn(ctx, &stats.ConnTagInfo{
 			RemoteAddr: st.Peer().Addr,
 			LocalAddr:  st.Peer().LocalAddr,
 		})
-		sh.HandleConn(ctx, &stats.ConnBegin{})
+		s.statsHandler.HandleConn(ctx, &stats.ConnBegin{})
 	}
 
 	defer func() {
 		st.Close(errors.New("finished serving streams for the server transport"))
-		for _, sh := range s.opts.statsHandlers {
-			sh.HandleConn(ctx, &stats.ConnEnd{})
+		if s.statsHandler != nil {
+			s.statsHandler.HandleConn(ctx, &stats.ConnEnd{})
 		}
 	}()
 
@@ -1104,7 +1106,7 @@ var _ http.Handler = (*Server)(nil)
 // Notice: This API is EXPERIMENTAL and may be changed or removed in a
 // later release.
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	st, err := transport.NewServerHandlerTransport(w, r, s.opts.statsHandlers, s.opts.bufferPool)
+	st, err := transport.NewServerHandlerTransport(w, r, s.statsHandler, s.opts.bufferPool)
 	if err != nil {
 		// Errors returned from transport.NewServerHandlerTransport have
 		// already been written to w.
@@ -1198,12 +1200,8 @@ func (s *Server) sendResponse(ctx context.Context, stream *transport.ServerStrea
 		return status.Errorf(codes.ResourceExhausted, "grpc: trying to send message larger than max (%d vs. %d)", payloadLen, s.opts.maxSendMessageSize)
 	}
 	err = stream.Write(hdr, payload, opts)
-	if err == nil {
-		if len(s.opts.statsHandlers) != 0 {
-			for _, sh := range s.opts.statsHandlers {
-				sh.HandleRPC(ctx, outPayload(false, msg, dataLen, payloadLen, time.Now()))
-			}
-		}
+	if err == nil && s.statsHandler != nil {
+		s.statsHandler.HandleRPC(ctx, outPayload(false, msg, dataLen, payloadLen, time.Now()))
 	}
 	return err
 }
@@ -1245,16 +1243,15 @@ func getChainUnaryHandler(interceptors []UnaryServerInterceptor, curr int, info
 }
 
 func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerStream, info *serviceInfo, md *MethodDesc, trInfo *traceInfo) (err error) {
-	shs := s.opts.statsHandlers
-	if len(shs) != 0 || trInfo != nil || channelz.IsOn() {
+	sh := s.statsHandler
+	if sh != nil || trInfo != nil || channelz.IsOn() {
 		if channelz.IsOn() {
 			s.incrCallsStarted()
 		}
 		var statsBegin *stats.Begin
-		for _, sh := range shs {
-			beginTime := time.Now()
+		if sh != nil {
 			statsBegin = &stats.Begin{
-				BeginTime:      beginTime,
+				BeginTime:      time.Now(),
 				IsClientStream: false,
 				IsServerStream: false,
 			}
@@ -1282,7 +1279,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 				trInfo.tr.Finish()
 			}
 
-			for _, sh := range shs {
+			if sh != nil {
 				end := &stats.End{
 					BeginTime: statsBegin.BeginTime,
 					EndTime:   time.Now(),
@@ -1379,7 +1376,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 	}
 
 	var payInfo *payloadInfo
-	if len(shs) != 0 || len(binlogs) != 0 {
+	if sh != nil || len(binlogs) != 0 {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
@@ -1405,7 +1402,7 @@ func (s *Server) processUnaryRPC(ctx context.Context, stream *transport.ServerSt
 			return status.Errorf(codes.Internal, "grpc: error unmarshalling request: %v", err)
 		}
 
-		for _, sh := range shs {
+		if sh != nil {
 			sh.HandleRPC(ctx, &stats.InPayload{
 				RecvTime:         time.Now(),
 				Payload:          v,
@@ -1579,33 +1576,30 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 	if channelz.IsOn() {
 		s.incrCallsStarted()
 	}
-	shs := s.opts.statsHandlers
+	sh := s.statsHandler
 	var statsBegin *stats.Begin
-	if len(shs) != 0 {
-		beginTime := time.Now()
+	if sh != nil {
 		statsBegin = &stats.Begin{
-			BeginTime:      beginTime,
+			BeginTime:      time.Now(),
 			IsClientStream: sd.ClientStreams,
 			IsServerStream: sd.ServerStreams,
 		}
-		for _, sh := range shs {
-			sh.HandleRPC(ctx, statsBegin)
-		}
+		sh.HandleRPC(ctx, statsBegin)
 	}
 	ctx = NewContextWithServerTransportStream(ctx, stream)
 	ss := &serverStream{
 		ctx:                   ctx,
 		s:                     stream,
-		p:                     &parser{r: stream, bufferPool: s.opts.bufferPool},
+		p:                     parser{r: stream, bufferPool: s.opts.bufferPool},
 		codec:                 s.getCodec(stream.ContentSubtype()),
 		desc:                  sd,
 		maxReceiveMessageSize: s.opts.maxReceiveMessageSize,
 		maxSendMessageSize:    s.opts.maxSendMessageSize,
 		trInfo:                trInfo,
-		statsHandler:          shs,
+		statsHandler:          sh,
 	}
 
-	if len(shs) != 0 || trInfo != nil || channelz.IsOn() {
+	if sh != nil || trInfo != nil || channelz.IsOn() {
 		// See comment in processUnaryRPC on defers.
 		defer func() {
 			if trInfo != nil {
@@ -1619,7 +1613,7 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 				ss.mu.Unlock()
 			}
 
-			if len(shs) != 0 {
+			if sh != nil {
 				end := &stats.End{
 					BeginTime: statsBegin.BeginTime,
 					EndTime:   time.Now(),
@@ -1627,9 +1621,7 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 				if err != nil && err != io.EOF {
 					end.Error = toRPCErr(err)
 				}
-				for _, sh := range shs {
-					sh.HandleRPC(ctx, end)
-				}
+				sh.HandleRPC(ctx, end)
 			}
 
 			if channelz.IsOn() {
@@ -1818,19 +1810,17 @@ func (s *Server) handleStream(t transport.ServerTransport, stream *transport.Ser
 	method := sm[pos+1:]
 
 	// FromIncomingContext is expensive: skip if there are no statsHandlers
-	if len(s.opts.statsHandlers) > 0 {
+	if s.statsHandler != nil {
 		md, _ := metadata.FromIncomingContext(ctx)
-		for _, sh := range s.opts.statsHandlers {
-			ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: stream.Method()})
-			sh.HandleRPC(ctx, &stats.InHeader{
-				FullMethod:  stream.Method(),
-				RemoteAddr:  t.Peer().Addr,
-				LocalAddr:   t.Peer().LocalAddr,
-				Compression: stream.RecvCompress(),
-				WireLength:  stream.HeaderWireLength(),
-				Header:      md,
-			})
-		}
+		ctx = s.statsHandler.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: stream.Method()})
+		s.statsHandler.HandleRPC(ctx, &stats.InHeader{
+			FullMethod:  stream.Method(),
+			RemoteAddr:  t.Peer().Addr,
+			LocalAddr:   t.Peer().LocalAddr,
+			Compression: stream.RecvCompress(),
+			WireLength:  stream.HeaderWireLength(),
+			Header:      md,
+		})
 	}
 	// To have calls in stream callouts work. Will delete once all stats handler
 	// calls come from the gRPC layer.
diff --git a/vendor/google.golang.org/grpc/stream.go b/vendor/google.golang.org/grpc/stream.go
index d9bbd4c57c..ec9577b278 100644
--- a/vendor/google.golang.org/grpc/stream.go
+++ b/vendor/google.golang.org/grpc/stream.go
@@ -25,6 +25,7 @@ import (
 	"math"
 	rand "math/rand/v2"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -177,13 +178,43 @@ func NewClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	return cc.NewStream(ctx, desc, method, opts...)
 }
 
+var emptyMethodConfig = serviceconfig.MethodConfig{}
+
+// endOfClientStream performs cleanup actions required for both successful and
+// failed streams. This includes incrementing channelz stats and invoking all
+// registered OnFinish call options.
+func endOfClientStream(cc *ClientConn, err error, opts ...CallOption) {
+	if channelz.IsOn() {
+		if err != nil {
+			cc.incrCallsFailed()
+		} else {
+			cc.incrCallsSucceeded()
+		}
+	}
+
+	for _, o := range opts {
+		if o, ok := o.(OnFinishCallOption); ok {
+			o.OnFinish(err)
+		}
+	}
+}
+
 func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, opts ...CallOption) (_ ClientStream, err error) {
+	if channelz.IsOn() {
+		cc.incrCallsStarted()
+	}
+	defer func() {
+		if err != nil {
+			// Ensure cleanup when stream creation fails.
+			endOfClientStream(cc, err, opts...)
+		}
+	}()
+
 	// Start tracking the RPC for idleness purposes. This is where a stream is
 	// created for both streaming and unary RPCs, and hence is a good place to
 	// track active RPC count.
-	if err := cc.idlenessMgr.OnCallBegin(); err != nil {
-		return nil, err
-	}
+	cc.idlenessMgr.OnCallBegin()
+
 	// Add a calloption, to decrement the active call count, that gets executed
 	// when the RPC completes.
 	opts = append([]CallOption{OnFinish(func(error) { cc.idlenessMgr.OnCallEnd() })}, opts...)
@@ -202,14 +233,6 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 			}
 		}
 	}
-	if channelz.IsOn() {
-		cc.incrCallsStarted()
-		defer func() {
-			if err != nil {
-				cc.incrCallsFailed()
-			}
-		}()
-	}
 	// Provide an opportunity for the first RPC to see the first service config
 	// provided by the resolver.
 	nameResolutionDelayed, err := cc.waitForResolvedAddrs(ctx)
@@ -217,7 +240,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 		return nil, err
 	}
 
-	var mc serviceconfig.MethodConfig
+	mc := &emptyMethodConfig
 	var onCommit func()
 	newStream := func(ctx context.Context, done func()) (iresolver.ClientStream, error) {
 		return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, nameResolutionDelayed, opts...)
@@ -240,7 +263,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 		if rpcConfig.Context != nil {
 			ctx = rpcConfig.Context
 		}
-		mc = rpcConfig.MethodConfig
+		mc = &rpcConfig.MethodConfig
 		onCommit = rpcConfig.OnCommitted
 		if rpcConfig.Interceptor != nil {
 			rpcInfo.Context = nil
@@ -258,7 +281,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	return newStream(ctx, func() {})
 }
 
-func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc serviceconfig.MethodConfig, onCommit, doneFunc func(), nameResolutionDelayed bool, opts ...CallOption) (_ iresolver.ClientStream, err error) {
+func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc *serviceconfig.MethodConfig, onCommit, doneFunc func(), nameResolutionDelayed bool, opts ...CallOption) (_ iresolver.ClientStream, err error) {
 	callInfo := defaultCallInfo()
 	if mc.WaitForReady != nil {
 		callInfo.failFast = !*mc.WaitForReady
@@ -299,6 +322,10 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 		DoneFunc:       doneFunc,
 		Authority:      callInfo.authority,
 	}
+	if allowed := callInfo.acceptedResponseCompressors; len(allowed) > 0 {
+		headerValue := strings.Join(allowed, ",")
+		callHdr.AcceptedCompressors = &headerValue
+	}
 
 	// Set our outgoing compression according to the UseCompressor CallOption, if
 	// set.  In that case, also find the compressor from the encoding package.
@@ -325,7 +352,7 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 	cs := &clientStream{
 		callHdr:             callHdr,
 		ctx:                 ctx,
-		methodConfig:        &mc,
+		methodConfig:        mc,
 		opts:                opts,
 		callInfo:            callInfo,
 		cc:                  cc,
@@ -418,19 +445,21 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 	ctx := newContextWithRPCInfo(cs.ctx, cs.callInfo.failFast, cs.callInfo.codec, cs.compressorV0, cs.compressorV1)
 	method := cs.callHdr.Method
 	var beginTime time.Time
-	shs := cs.cc.dopts.copts.StatsHandlers
-	for _, sh := range shs {
-		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: method, FailFast: cs.callInfo.failFast, NameResolutionDelay: cs.nameResolutionDelay})
+	sh := cs.cc.statsHandler
+	if sh != nil {
 		beginTime = time.Now()
-		begin := &stats.Begin{
+		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{
+			FullMethodName: method, FailFast: cs.callInfo.failFast,
+			NameResolutionDelay: cs.nameResolutionDelay,
+		})
+		sh.HandleRPC(ctx, &stats.Begin{
 			Client:                    true,
 			BeginTime:                 beginTime,
 			FailFast:                  cs.callInfo.failFast,
 			IsClientStream:            cs.desc.ClientStreams,
 			IsServerStream:            cs.desc.ServerStreams,
 			IsTransparentRetryAttempt: isTransparent,
-		}
-		sh.HandleRPC(ctx, begin)
+		})
 	}
 
 	var trInfo *traceInfo
@@ -461,7 +490,7 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 		beginTime:      beginTime,
 		cs:             cs,
 		decompressorV0: cs.cc.dopts.dc,
-		statsHandlers:  shs,
+		statsHandler:   sh,
 		trInfo:         trInfo,
 	}, nil
 }
@@ -480,12 +509,10 @@ func (a *csAttempt) getTransport() error {
 		return err
 	}
 	if a.trInfo != nil {
-		a.trInfo.firstLine.SetRemoteAddr(a.transport.RemoteAddr())
+		a.trInfo.firstLine.SetRemoteAddr(a.transport.Peer().Addr)
 	}
-	if pick.blocked {
-		for _, sh := range a.statsHandlers {
-			sh.HandleRPC(a.ctx, &stats.DelayedPickComplete{})
-		}
+	if pick.blocked && a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.DelayedPickComplete{})
 	}
 	return nil
 }
@@ -529,7 +556,7 @@ func (a *csAttempt) newStream() error {
 	}
 	a.transportStream = s
 	a.ctx = s.Context()
-	a.parser = &parser{r: s, bufferPool: a.cs.cc.dopts.copts.BufferPool}
+	a.parser = parser{r: s, bufferPool: a.cs.cc.dopts.copts.BufferPool}
 	return nil
 }
 
@@ -549,6 +576,8 @@ type clientStream struct {
 
 	sentLast bool // sent an end stream
 
+	receivedFirstMsg bool // set after the first message is received
+
 	methodConfig *MethodConfig
 
 	ctx context.Context // the application's context, wrapped by stats/tracing
@@ -599,7 +628,7 @@ type csAttempt struct {
 	cs              *clientStream
 	transport       transport.ClientTransport
 	transportStream *transport.ClientStream
-	parser          *parser
+	parser          parser
 	pickResult      balancer.PickResult
 
 	finished        bool
@@ -613,8 +642,8 @@ type csAttempt struct {
 	// and cleared when the finish method is called.
 	trInfo *traceInfo
 
-	statsHandlers []stats.Handler
-	beginTime     time.Time
+	statsHandler stats.Handler
+	beginTime    time.Time
 
 	// set for newStream errors that may be transparently retried
 	allowTransparentRetry bool
@@ -1038,9 +1067,6 @@ func (cs *clientStream) finish(err error) {
 		return
 	}
 	cs.finished = true
-	for _, onFinish := range cs.callInfo.onFinish {
-		onFinish(err)
-	}
 	cs.commitAttemptLocked()
 	if cs.attempt != nil {
 		cs.attempt.finish(err)
@@ -1080,13 +1106,7 @@ func (cs *clientStream) finish(err error) {
 	if err == nil {
 		cs.retryThrottler.successfulRPC()
 	}
-	if channelz.IsOn() {
-		if err != nil {
-			cs.cc.incrCallsFailed()
-		} else {
-			cs.cc.incrCallsSucceeded()
-		}
-	}
+	endOfClientStream(cs.cc, err, cs.opts...)
 	cs.cancel()
 }
 
@@ -1108,17 +1128,15 @@ func (a *csAttempt) sendMsg(m any, hdr []byte, payld mem.BufferSlice, dataLength
 		}
 		return io.EOF
 	}
-	if len(a.statsHandlers) != 0 {
-		for _, sh := range a.statsHandlers {
-			sh.HandleRPC(a.ctx, outPayload(true, m, dataLength, payloadLength, time.Now()))
-		}
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, outPayload(true, m, dataLength, payloadLength, time.Now()))
 	}
 	return nil
 }
 
 func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 	cs := a.cs
-	if len(a.statsHandlers) != 0 && payInfo == nil {
+	if a.statsHandler != nil && payInfo == nil {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
@@ -1132,6 +1150,10 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 				a.decompressorV0 = nil
 				a.decompressorV1 = encoding.GetCompressor(ct)
 			}
+			// Validate that the compression method is acceptable for this call.
+			if !acceptedCompressorAllows(cs.callInfo.acceptedResponseCompressors, ct) {
+				return status.Errorf(codes.Internal, "grpc: peer compressed the response with %q which is not allowed by AcceptCompressors", ct)
+			}
 		} else {
 			// No compression is used; disable our decompressor.
 			a.decompressorV0 = nil
@@ -1139,16 +1161,21 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 		// Only initialize this state once per stream.
 		a.decompressorSet = true
 	}
-	if err := recv(a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, payInfo, a.decompressorV1, false); err != nil {
+	if err := recv(&a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, payInfo, a.decompressorV1, false); err != nil {
 		if err == io.EOF {
 			if statusErr := a.transportStream.Status().Err(); statusErr != nil {
 				return statusErr
 			}
+			// Received no msg and status OK for non-server streaming rpcs.
+			if !cs.desc.ServerStreams && !cs.receivedFirstMsg {
+				return status.Error(codes.Internal, "cardinality violation: received no response message from non-server-streaming RPC")
+			}
 			return io.EOF // indicates successful end of stream.
 		}
 
 		return toRPCErr(err)
 	}
+	cs.receivedFirstMsg = true
 	if a.trInfo != nil {
 		a.mu.Lock()
 		if a.trInfo.tr != nil {
@@ -1156,8 +1183,8 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 		}
 		a.mu.Unlock()
 	}
-	for _, sh := range a.statsHandlers {
-		sh.HandleRPC(a.ctx, &stats.InPayload{
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.InPayload{
 			Client:           true,
 			RecvTime:         time.Now(),
 			Payload:          m,
@@ -1172,12 +1199,12 @@ func (a *csAttempt) recvMsg(m any, payInfo *payloadInfo) (err error) {
 	}
 	// Special handling for non-server-stream rpcs.
 	// This recv expects EOF or errors, so we don't collect inPayload.
-	if err := recv(a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, nil, a.decompressorV1, false); err == io.EOF {
+	if err := recv(&a.parser, cs.codec, a.transportStream, a.decompressorV0, m, *cs.callInfo.maxReceiveMessageSize, nil, a.decompressorV1, false); err == io.EOF {
 		return a.transportStream.Status().Err() // non-server streaming Recv returns nil on success
 	} else if err != nil {
 		return toRPCErr(err)
 	}
-	return status.Errorf(codes.Internal, "cardinality violation: expected <EOF> for non server-streaming RPCs, but received another message")
+	return status.Error(codes.Internal, "cardinality violation: expected <EOF> for non server-streaming RPCs, but received another message")
 }
 
 func (a *csAttempt) finish(err error) {
@@ -1210,15 +1237,14 @@ func (a *csAttempt) finish(err error) {
 			ServerLoad:    balancerload.Parse(tr),
 		})
 	}
-	for _, sh := range a.statsHandlers {
-		end := &stats.End{
+	if a.statsHandler != nil {
+		a.statsHandler.HandleRPC(a.ctx, &stats.End{
 			Client:    true,
 			BeginTime: a.beginTime,
 			EndTime:   time.Now(),
 			Trailer:   tr,
 			Error:     err,
-		}
-		sh.HandleRPC(a.ctx, end)
+		})
 	}
 	if a.trInfo != nil && a.trInfo.tr != nil {
 		if err == nil {
@@ -1324,7 +1350,7 @@ func newNonRetryClientStream(ctx context.Context, desc *StreamDesc, method strin
 		return nil, err
 	}
 	as.transportStream = s
-	as.parser = &parser{r: s, bufferPool: ac.dopts.copts.BufferPool}
+	as.parser = parser{r: s, bufferPool: ac.dopts.copts.BufferPool}
 	ac.incrCallsStarted()
 	if desc != unaryStreamDesc {
 		// Listen on stream context to cleanup when the stream context is
@@ -1359,6 +1385,7 @@ type addrConnStream struct {
 	transport        transport.ClientTransport
 	ctx              context.Context
 	sentLast         bool
+	receivedFirstMsg bool
 	desc             *StreamDesc
 	codec            baseCodec
 	sendCompressorV0 Compressor
@@ -1366,7 +1393,7 @@ type addrConnStream struct {
 	decompressorSet  bool
 	decompressorV0   Decompressor
 	decompressorV1   encoding.Compressor
-	parser           *parser
+	parser           parser
 
 	// mu guards finished and is held for the entire finish method.
 	mu       sync.Mutex
@@ -1472,6 +1499,10 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 				as.decompressorV0 = nil
 				as.decompressorV1 = encoding.GetCompressor(ct)
 			}
+			// Validate that the compression method is acceptable for this call.
+			if !acceptedCompressorAllows(as.callInfo.acceptedResponseCompressors, ct) {
+				return status.Errorf(codes.Internal, "grpc: peer compressed the response with %q which is not allowed by AcceptCompressors", ct)
+			}
 		} else {
 			// No compression is used; disable our decompressor.
 			as.decompressorV0 = nil
@@ -1479,15 +1510,20 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 		// Only initialize this state once per stream.
 		as.decompressorSet = true
 	}
-	if err := recv(as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err != nil {
+	if err := recv(&as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err != nil {
 		if err == io.EOF {
 			if statusErr := as.transportStream.Status().Err(); statusErr != nil {
 				return statusErr
 			}
+			// Received no msg and status OK for non-server streaming rpcs.
+			if !as.desc.ServerStreams && !as.receivedFirstMsg {
+				return status.Error(codes.Internal, "cardinality violation: received no response message from non-server-streaming RPC")
+			}
 			return io.EOF // indicates successful end of stream.
 		}
 		return toRPCErr(err)
 	}
+	as.receivedFirstMsg = true
 
 	if as.desc.ServerStreams {
 		// Subsequent messages should be received by subsequent RecvMsg calls.
@@ -1496,12 +1532,12 @@ func (as *addrConnStream) RecvMsg(m any) (err error) {
 
 	// Special handling for non-server-stream rpcs.
 	// This recv expects EOF or errors, so we don't collect inPayload.
-	if err := recv(as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err == io.EOF {
+	if err := recv(&as.parser, as.codec, as.transportStream, as.decompressorV0, m, *as.callInfo.maxReceiveMessageSize, nil, as.decompressorV1, false); err == io.EOF {
 		return as.transportStream.Status().Err() // non-server streaming Recv returns nil on success
 	} else if err != nil {
 		return toRPCErr(err)
 	}
-	return status.Errorf(codes.Internal, "cardinality violation: expected <EOF> for non server-streaming RPCs, but received another message")
+	return status.Error(codes.Internal, "cardinality violation: expected <EOF> for non server-streaming RPCs, but received another message")
 }
 
 func (as *addrConnStream) finish(err error) {
@@ -1584,7 +1620,7 @@ type ServerStream interface {
 type serverStream struct {
 	ctx   context.Context
 	s     *transport.ServerStream
-	p     *parser
+	p     parser
 	codec baseCodec
 	desc  *StreamDesc
 
@@ -1601,7 +1637,7 @@ type serverStream struct {
 	maxSendMessageSize    int
 	trInfo                *traceInfo
 
-	statsHandler []stats.Handler
+	statsHandler stats.Handler
 
 	binlogs []binarylog.MethodLogger
 	// serverHeaderBinlogged indicates whether server header has been logged. It
@@ -1737,10 +1773,8 @@ func (ss *serverStream) SendMsg(m any) (err error) {
 			binlog.Log(ss.ctx, sm)
 		}
 	}
-	if len(ss.statsHandler) != 0 {
-		for _, sh := range ss.statsHandler {
-			sh.HandleRPC(ss.s.Context(), outPayload(false, m, dataLen, payloadLen, time.Now()))
-		}
+	if ss.statsHandler != nil {
+		ss.statsHandler.HandleRPC(ss.s.Context(), outPayload(false, m, dataLen, payloadLen, time.Now()))
 	}
 	return nil
 }
@@ -1771,11 +1805,11 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 		}
 	}()
 	var payInfo *payloadInfo
-	if len(ss.statsHandler) != 0 || len(ss.binlogs) != 0 {
+	if ss.statsHandler != nil || len(ss.binlogs) != 0 {
 		payInfo = &payloadInfo{}
 		defer payInfo.free()
 	}
-	if err := recv(ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, payInfo, ss.decompressorV1, true); err != nil {
+	if err := recv(&ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, payInfo, ss.decompressorV1, true); err != nil {
 		if err == io.EOF {
 			if len(ss.binlogs) != 0 {
 				chc := &binarylog.ClientHalfClose{}
@@ -1795,16 +1829,14 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 		return toRPCErr(err)
 	}
 	ss.recvFirstMsg = true
-	if len(ss.statsHandler) != 0 {
-		for _, sh := range ss.statsHandler {
-			sh.HandleRPC(ss.s.Context(), &stats.InPayload{
-				RecvTime:         time.Now(),
-				Payload:          m,
-				Length:           payInfo.uncompressedBytes.Len(),
-				WireLength:       payInfo.compressedLength + headerLen,
-				CompressedLength: payInfo.compressedLength,
-			})
-		}
+	if ss.statsHandler != nil {
+		ss.statsHandler.HandleRPC(ss.s.Context(), &stats.InPayload{
+			RecvTime:         time.Now(),
+			Payload:          m,
+			Length:           payInfo.uncompressedBytes.Len(),
+			WireLength:       payInfo.compressedLength + headerLen,
+			CompressedLength: payInfo.compressedLength,
+		})
 	}
 	if len(ss.binlogs) != 0 {
 		cm := &binarylog.ClientMessage{
@@ -1821,7 +1853,7 @@ func (ss *serverStream) RecvMsg(m any) (err error) {
 	}
 	// Special handling for non-client-stream rpcs.
 	// This recv expects EOF or errors, so we don't collect inPayload.
-	if err := recv(ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, nil, ss.decompressorV1, true); err == io.EOF {
+	if err := recv(&ss.p, ss.codec, ss.s, ss.decompressorV0, m, ss.maxReceiveMessageSize, nil, ss.decompressorV1, true); err == io.EOF {
 		return nil
 	} else if err != nil {
 		return err
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index 468f110658..ff7840fd8e 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
 package grpc
 
 // Version is the current grpc version.
-const Version = "1.75.1"
+const Version = "1.78.0"
diff --git a/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go b/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go
index bf1aba0e85..7b9f01afb0 100644
--- a/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go
+++ b/vendor/google.golang.org/protobuf/internal/editionssupport/editions.go
@@ -9,7 +9,7 @@ import "google.golang.org/protobuf/types/descriptorpb"
 
 const (
 	Minimum = descriptorpb.Edition_EDITION_PROTO2
-	Maximum = descriptorpb.Edition_EDITION_2023
+	Maximum = descriptorpb.Edition_EDITION_2024
 
 	// MaximumKnown is the maximum edition that is known to Go Protobuf, but not
 	// declared as supported. In other words: end users cannot use it, but
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
index 669133d04d..c96e448346 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go
@@ -32,7 +32,7 @@ var byteType = reflect.TypeOf(byte(0))
 func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescriptors) protoreflect.FieldDescriptor {
 	f := new(filedesc.Field)
 	f.L0.ParentFile = filedesc.SurrogateProto2
-	f.L1.EditionFeatures = f.L0.ParentFile.L1.EditionFeatures
+	packed := false
 	for len(tag) > 0 {
 		i := strings.IndexByte(tag, ',')
 		if i < 0 {
@@ -108,7 +108,7 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri
 				f.L1.StringName.InitJSON(jsonName)
 			}
 		case s == "packed":
-			f.L1.EditionFeatures.IsPacked = true
+			packed = true
 		case strings.HasPrefix(s, "def="):
 			// The default tag is special in that everything afterwards is the
 			// default regardless of the presence of commas.
@@ -121,6 +121,13 @@ func Unmarshal(tag string, goType reflect.Type, evs protoreflect.EnumValueDescri
 		tag = strings.TrimPrefix(tag[i:], ",")
 	}
 
+	// Update EditionFeatures after the loop and after we know whether this is
+	// a proto2 or proto3 field.
+	f.L1.EditionFeatures = f.L0.ParentFile.L1.EditionFeatures
+	if packed {
+		f.L1.EditionFeatures.IsPacked = true
+	}
+
 	// The generator uses the group message name instead of the field name.
 	// We obtain the real field name by lowercasing the group name.
 	if f.L1.Kind == protoreflect.GroupKind {
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
index 099b2bf451..9aa7a9bb77 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/text/decode.go
@@ -424,27 +424,34 @@ func (d *Decoder) parseFieldName() (tok Token, err error) {
 	return Token{}, d.newSyntaxError("invalid field name: %s", errId(d.in))
 }
 
-// parseTypeName parses Any type URL or extension field name. The name is
-// enclosed in [ and ] characters. The C++ parser does not handle many legal URL
-// strings. This implementation is more liberal and allows for the pattern
-// ^[-_a-zA-Z0-9]+([./][-_a-zA-Z0-9]+)*`). Whitespaces and comments are allowed
-// in between [ ], '.', '/' and the sub names.
+// parseTypeName parses an Any type URL or an extension field name. The name is
+// enclosed in [ and ] characters. We allow almost arbitrary type URL prefixes,
+// closely following the text-format spec [1,2]. We implement "ExtensionName |
+// AnyName" as follows (with some exceptions for backwards compatibility):
+//
+// char      = [-_a-zA-Z0-9]
+// url_char  = char | [.~!$&'()*+,;=] | "%", hex, hex
+//
+// Ident         = char, { char }
+// TypeName      = Ident, { ".", Ident } ;
+// UrlPrefix     = url_char, { url_char | "/" } ;
+// ExtensionName = "[", TypeName, "]" ;
+// AnyName       = "[", UrlPrefix, "/", TypeName, "]" ;
+//
+// Additionally, we allow arbitrary whitespace and comments between [ and ].
+//
+// [1] https://protobuf.dev/reference/protobuf/textformat-spec/#characters
+// [2] https://protobuf.dev/reference/protobuf/textformat-spec/#field-names
 func (d *Decoder) parseTypeName() (Token, error) {
-	startPos := len(d.orig) - len(d.in)
 	// Use alias s to advance first in order to use d.in for error handling.
-	// Caller already checks for [ as first character.
+	// Caller already checks for [ as first character (d.in[0] == '[').
 	s := consume(d.in[1:], 0)
 	if len(s) == 0 {
 		return Token{}, ErrUnexpectedEOF
 	}
 
+	// Collect everything between [ and ] in name.
 	var name []byte
-	for len(s) > 0 && isTypeNameChar(s[0]) {
-		name = append(name, s[0])
-		s = s[1:]
-	}
-	s = consume(s, 0)
-
 	var closed bool
 	for len(s) > 0 && !closed {
 		switch {
@@ -452,23 +459,20 @@ func (d *Decoder) parseTypeName() (Token, error) {
 			s = s[1:]
 			closed = true
 
-		case s[0] == '/', s[0] == '.':
-			if len(name) > 0 && (name[len(name)-1] == '/' || name[len(name)-1] == '.') {
-				return Token{}, d.newSyntaxError("invalid type URL/extension field name: %s",
-					d.orig[startPos:len(d.orig)-len(s)+1])
-			}
+		case s[0] == '/' || isTypeNameChar(s[0]) || isUrlExtraChar(s[0]):
 			name = append(name, s[0])
-			s = s[1:]
-			s = consume(s, 0)
-			for len(s) > 0 && isTypeNameChar(s[0]) {
-				name = append(name, s[0])
-				s = s[1:]
+			s = consume(s[1:], 0)
+
+		// URL percent-encoded chars
+		case s[0] == '%':
+			if len(s) < 3 || !isHexChar(s[1]) || !isHexChar(s[2]) {
+				return Token{}, d.parseTypeNameError(s, 3)
 			}
-			s = consume(s, 0)
+			name = append(name, s[0], s[1], s[2])
+			s = consume(s[3:], 0)
 
 		default:
-			return Token{}, d.newSyntaxError(
-				"invalid type URL/extension field name: %s", d.orig[startPos:len(d.orig)-len(s)+1])
+			return Token{}, d.parseTypeNameError(s, 1)
 		}
 	}
 
@@ -476,15 +480,38 @@ func (d *Decoder) parseTypeName() (Token, error) {
 		return Token{}, ErrUnexpectedEOF
 	}
 
-	// First character cannot be '.'. Last character cannot be '.' or '/'.
-	size := len(name)
-	if size == 0 || name[0] == '.' || name[size-1] == '.' || name[size-1] == '/' {
-		return Token{}, d.newSyntaxError("invalid type URL/extension field name: %s",
-			d.orig[startPos:len(d.orig)-len(s)])
+	// Split collected name on last '/' into urlPrefix and typeName (if '/' is
+	// present).
+	typeName := name
+	if i := bytes.LastIndexByte(name, '/'); i != -1 {
+		urlPrefix := name[:i]
+		typeName = name[i+1:]
+
+		// urlPrefix may be empty (for backwards compatibility).
+		// If non-empty, it must not start with '/'.
+		if len(urlPrefix) > 0 && urlPrefix[0] == '/' {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
 	}
 
+	// typeName must not be empty (note: "" splits to [""]) and all identifier
+	// parts must not be empty.
+	for _, ident := range bytes.Split(typeName, []byte{'.'}) {
+		if len(ident) == 0 {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
+	}
+
+	// typeName must not contain any percent-encoded or special URL chars.
+	for _, b := range typeName {
+		if b == '%' || (b != '.' && isUrlExtraChar(b)) {
+			return Token{}, d.parseTypeNameError(s, 0)
+		}
+	}
+
+	startPos := len(d.orig) - len(d.in)
+	endPos := len(d.orig) - len(s)
 	d.in = s
-	endPos := len(d.orig) - len(d.in)
 	d.consume(0)
 
 	return Token{
@@ -496,16 +523,32 @@ func (d *Decoder) parseTypeName() (Token, error) {
 	}, nil
 }
 
+func (d *Decoder) parseTypeNameError(s []byte, numUnconsumedChars int) error {
+	return d.newSyntaxError(
+		"invalid type URL/extension field name: %s",
+		d.in[:len(d.in)-len(s)+min(numUnconsumedChars, len(s))],
+	)
+}
+
+func isHexChar(b byte) bool {
+	return ('0' <= b && b <= '9') ||
+		('a' <= b && b <= 'f') ||
+		('A' <= b && b <= 'F')
+}
+
 func isTypeNameChar(b byte) bool {
-	return (b == '-' || b == '_' ||
+	return b == '-' || b == '_' ||
 		('0' <= b && b <= '9') ||
 		('a' <= b && b <= 'z') ||
-		('A' <= b && b <= 'Z'))
+		('A' <= b && b <= 'Z')
 }
 
-func isWhiteSpace(b byte) bool {
+// isUrlExtraChar complements isTypeNameChar with extra characters that we allow
+// in URLs but not in type names. Note that '/' is not included so that it can
+// be treated specially.
+func isUrlExtraChar(b byte) bool {
 	switch b {
-	case ' ', '\n', '\r', '\t':
+	case '.', '~', '!', '$', '&', '(', ')', '*', '+', ',', ';', '=':
 		return true
 	default:
 		return false
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
index 688aabe434..c775e5832f 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc.go
@@ -32,6 +32,7 @@ const (
 	EditionProto3      Edition = 999
 	Edition2023        Edition = 1000
 	Edition2024        Edition = 1001
+	EditionUnstable    Edition = 9999
 	EditionUnsupported Edition = 100000
 )
 
@@ -72,9 +73,10 @@ type (
 		EditionFeatures EditionFeatures
 	}
 	FileL2 struct {
-		Options   func() protoreflect.ProtoMessage
-		Imports   FileImports
-		Locations SourceLocations
+		Options       func() protoreflect.ProtoMessage
+		Imports       FileImports
+		OptionImports func() protoreflect.FileImports
+		Locations     SourceLocations
 	}
 
 	// EditionFeatures is a frequently-instantiated struct, so please take care
@@ -126,12 +128,9 @@ func (fd *File) ParentFile() protoreflect.FileDescriptor { return fd }
 func (fd *File) Parent() protoreflect.Descriptor         { return nil }
 func (fd *File) Index() int                              { return 0 }
 func (fd *File) Syntax() protoreflect.Syntax             { return fd.L1.Syntax }
-
-// Not exported and just used to reconstruct the original FileDescriptor proto
-func (fd *File) Edition() int32                  { return int32(fd.L1.Edition) }
-func (fd *File) Name() protoreflect.Name         { return fd.L1.Package.Name() }
-func (fd *File) FullName() protoreflect.FullName { return fd.L1.Package }
-func (fd *File) IsPlaceholder() bool             { return false }
+func (fd *File) Name() protoreflect.Name                 { return fd.L1.Package.Name() }
+func (fd *File) FullName() protoreflect.FullName         { return fd.L1.Package }
+func (fd *File) IsPlaceholder() bool                     { return false }
 func (fd *File) Options() protoreflect.ProtoMessage {
 	if f := fd.lazyInit().Options; f != nil {
 		return f()
@@ -150,6 +149,16 @@ func (fd *File) Format(s fmt.State, r rune)                    { descfmt.FormatD
 func (fd *File) ProtoType(protoreflect.FileDescriptor)         {}
 func (fd *File) ProtoInternal(pragma.DoNotImplement)           {}
 
+// The next two are not part of the FileDescriptor interface. They are just used to reconstruct
+// the original FileDescriptor proto.
+func (fd *File) Edition() int32 { return int32(fd.L1.Edition) }
+func (fd *File) OptionImports() protoreflect.FileImports {
+	if f := fd.lazyInit().OptionImports; f != nil {
+		return f()
+	}
+	return emptyFiles
+}
+
 func (fd *File) lazyInit() *FileL2 {
 	if atomic.LoadUint32(&fd.once) == 0 {
 		fd.lazyInitOnce()
@@ -182,9 +191,9 @@ type (
 		L2 *EnumL2 // protected by fileDesc.once
 	}
 	EnumL1 struct {
-		eagerValues bool // controls whether EnumL2.Values is already populated
-
 		EditionFeatures EditionFeatures
+		Visibility      int32
+		eagerValues     bool // controls whether EnumL2.Values is already populated
 	}
 	EnumL2 struct {
 		Options        func() protoreflect.ProtoMessage
@@ -219,6 +228,11 @@ func (ed *Enum) ReservedNames() protoreflect.Names       { return &ed.lazyInit()
 func (ed *Enum) ReservedRanges() protoreflect.EnumRanges { return &ed.lazyInit().ReservedRanges }
 func (ed *Enum) Format(s fmt.State, r rune)              { descfmt.FormatDesc(s, r, ed) }
 func (ed *Enum) ProtoType(protoreflect.EnumDescriptor)   {}
+
+// This is not part of the EnumDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (ed *Enum) Visibility() int32 { return ed.L1.Visibility }
+
 func (ed *Enum) lazyInit() *EnumL2 {
 	ed.L0.ParentFile.lazyInit() // implicitly initializes L2
 	return ed.L2
@@ -244,13 +258,13 @@ type (
 		L2 *MessageL2 // protected by fileDesc.once
 	}
 	MessageL1 struct {
-		Enums        Enums
-		Messages     Messages
-		Extensions   Extensions
-		IsMapEntry   bool // promoted from google.protobuf.MessageOptions
-		IsMessageSet bool // promoted from google.protobuf.MessageOptions
-
+		Enums           Enums
+		Messages        Messages
+		Extensions      Extensions
 		EditionFeatures EditionFeatures
+		Visibility      int32
+		IsMapEntry      bool // promoted from google.protobuf.MessageOptions
+		IsMessageSet    bool // promoted from google.protobuf.MessageOptions
 	}
 	MessageL2 struct {
 		Options               func() protoreflect.ProtoMessage
@@ -319,6 +333,11 @@ func (md *Message) Messages() protoreflect.MessageDescriptors     { return &md.L
 func (md *Message) Extensions() protoreflect.ExtensionDescriptors { return &md.L1.Extensions }
 func (md *Message) ProtoType(protoreflect.MessageDescriptor)      {}
 func (md *Message) Format(s fmt.State, r rune)                    { descfmt.FormatDesc(s, r, md) }
+
+// This is not part of the MessageDescriptor interface. It is just used to reconstruct
+// the original FileDescriptor proto.
+func (md *Message) Visibility() int32 { return md.L1.Visibility }
+
 func (md *Message) lazyInit() *MessageL2 {
 	md.L0.ParentFile.lazyInit() // implicitly initializes L2
 	return md.L2
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
index d2f549497e..e91860f5a2 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go
@@ -284,6 +284,13 @@ func (ed *Enum) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protorefl
 			case genid.EnumDescriptorProto_Value_field_number:
 				numValues++
 			}
+		case protowire.VarintType:
+			v, m := protowire.ConsumeVarint(b)
+			b = b[m:]
+			switch num {
+			case genid.EnumDescriptorProto_Visibility_field_number:
+				ed.L1.Visibility = int32(v)
+			}
 		default:
 			m := protowire.ConsumeFieldValue(num, typ, b)
 			b = b[m:]
@@ -365,6 +372,13 @@ func (md *Message) unmarshalSeed(b []byte, sb *strs.Builder, pf *File, pd protor
 				md.unmarshalSeedOptions(v)
 			}
 			prevField = num
+		case protowire.VarintType:
+			v, m := protowire.ConsumeVarint(b)
+			b = b[m:]
+			switch num {
+			case genid.DescriptorProto_Visibility_field_number:
+				md.L1.Visibility = int32(v)
+			}
 		default:
 			m := protowire.ConsumeFieldValue(num, typ, b)
 			b = b[m:]
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
index d4c94458bd..78f02b1b49 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go
@@ -134,6 +134,7 @@ func (fd *File) unmarshalFull(b []byte) {
 
 	var enumIdx, messageIdx, extensionIdx, serviceIdx int
 	var rawOptions []byte
+	var optionImports []string
 	fd.L2 = new(FileL2)
 	for len(b) > 0 {
 		num, typ, n := protowire.ConsumeTag(b)
@@ -157,6 +158,8 @@ func (fd *File) unmarshalFull(b []byte) {
 					imp = PlaceholderFile(path)
 				}
 				fd.L2.Imports = append(fd.L2.Imports, protoreflect.FileImport{FileDescriptor: imp})
+			case genid.FileDescriptorProto_OptionDependency_field_number:
+				optionImports = append(optionImports, sb.MakeString(v))
 			case genid.FileDescriptorProto_EnumType_field_number:
 				fd.L1.Enums.List[enumIdx].unmarshalFull(v, sb)
 				enumIdx++
@@ -178,6 +181,23 @@ func (fd *File) unmarshalFull(b []byte) {
 		}
 	}
 	fd.L2.Options = fd.builder.optionsUnmarshaler(&descopts.File, rawOptions)
+	if len(optionImports) > 0 {
+		var imps FileImports
+		var once sync.Once
+		fd.L2.OptionImports = func() protoreflect.FileImports {
+			once.Do(func() {
+				imps = make(FileImports, len(optionImports))
+				for i, path := range optionImports {
+					imp, _ := fd.builder.FileRegistry.FindFileByPath(path)
+					if imp == nil {
+						imp = PlaceholderFile(path)
+					}
+					imps[i] = protoreflect.FileImport{FileDescriptor: imp}
+				}
+			})
+			return &imps
+		}
+	}
 }
 
 func (ed *Enum) unmarshalFull(b []byte, sb *strs.Builder) {
@@ -310,7 +330,6 @@ func (md *Message) unmarshalFull(b []byte, sb *strs.Builder) {
 				md.L1.Extensions.List[extensionIdx].unmarshalFull(v, sb)
 				extensionIdx++
 			case genid.DescriptorProto_Options_field_number:
-				md.unmarshalOptions(v)
 				rawOptions = appendOptions(rawOptions, v)
 			}
 		default:
@@ -336,27 +355,6 @@ func (md *Message) unmarshalFull(b []byte, sb *strs.Builder) {
 	md.L2.Options = md.L0.ParentFile.builder.optionsUnmarshaler(&descopts.Message, rawOptions)
 }
 
-func (md *Message) unmarshalOptions(b []byte) {
-	for len(b) > 0 {
-		num, typ, n := protowire.ConsumeTag(b)
-		b = b[n:]
-		switch typ {
-		case protowire.VarintType:
-			v, m := protowire.ConsumeVarint(b)
-			b = b[m:]
-			switch num {
-			case genid.MessageOptions_MapEntry_field_number:
-				md.L1.IsMapEntry = protowire.DecodeBool(v)
-			case genid.MessageOptions_MessageSetWireFormat_field_number:
-				md.L1.IsMessageSet = protowire.DecodeBool(v)
-			}
-		default:
-			m := protowire.ConsumeFieldValue(num, typ, b)
-			b = b[m:]
-		}
-	}
-}
-
 func unmarshalMessageReservedRange(b []byte) (r [2]protoreflect.FieldNumber) {
 	for len(b) > 0 {
 		num, typ, n := protowire.ConsumeTag(b)
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/editions.go b/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
index a0aad2777f..66ba906806 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
@@ -13,8 +13,10 @@ import (
 	"google.golang.org/protobuf/reflect/protoreflect"
 )
 
-var defaultsCache = make(map[Edition]EditionFeatures)
-var defaultsKeys = []Edition{}
+var (
+	defaultsCache = make(map[Edition]EditionFeatures)
+	defaultsKeys  = []Edition{}
+)
 
 func init() {
 	unmarshalEditionDefaults(editiondefaults.Defaults)
@@ -41,7 +43,7 @@ func unmarshalGoFeature(b []byte, parent EditionFeatures) EditionFeatures {
 			b = b[m:]
 			parent.StripEnumPrefix = int(v)
 		default:
-			panic(fmt.Sprintf("unkown field number %d while unmarshalling GoFeatures", num))
+			panic(fmt.Sprintf("unknown field number %d while unmarshalling GoFeatures", num))
 		}
 	}
 	return parent
@@ -76,7 +78,7 @@ func unmarshalFeatureSet(b []byte, parent EditionFeatures) EditionFeatures {
 				// DefaultSymbolVisibility is enforced in protoc, runtimes should not
 				// inspect this value.
 			default:
-				panic(fmt.Sprintf("unkown field number %d while unmarshalling FeatureSet", num))
+				panic(fmt.Sprintf("unknown field number %d while unmarshalling FeatureSet", num))
 			}
 		case protowire.BytesType:
 			v, m := protowire.ConsumeBytes(b)
@@ -150,7 +152,7 @@ func unmarshalEditionDefaults(b []byte) {
 			_, m := protowire.ConsumeVarint(b)
 			b = b[m:]
 		default:
-			panic(fmt.Sprintf("unkown field number %d while unmarshalling EditionDefault", num))
+			panic(fmt.Sprintf("unknown field number %d while unmarshalling EditionDefault", num))
 		}
 	}
 }
diff --git a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
index 950a6a325a..65aaf4d210 100644
--- a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
+++ b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
@@ -26,6 +26,7 @@ const (
 	Edition_EDITION_PROTO3_enum_value          = 999
 	Edition_EDITION_2023_enum_value            = 1000
 	Edition_EDITION_2024_enum_value            = 1001
+	Edition_EDITION_UNSTABLE_enum_value        = 9999
 	Edition_EDITION_1_TEST_ONLY_enum_value     = 1
 	Edition_EDITION_2_TEST_ONLY_enum_value     = 2
 	Edition_EDITION_99997_TEST_ONLY_enum_value = 99997
diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_map.go b/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
index 229c698013..4a3bf393ef 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/codec_map.go
@@ -113,6 +113,9 @@ func sizeMap(mapv reflect.Value, mapi *mapInfo, f *coderFieldInfo, opts marshalO
 }
 
 func consumeMap(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo, f *coderFieldInfo, opts unmarshalOptions) (out unmarshalOutput, err error) {
+	if opts.depth--; opts.depth < 0 {
+		return out, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return out, errUnknown
 	}
@@ -170,6 +173,9 @@ func consumeMap(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo
 }
 
 func consumeMapOfMessage(b []byte, mapv reflect.Value, wtyp protowire.Type, mapi *mapInfo, f *coderFieldInfo, opts unmarshalOptions) (out unmarshalOutput, err error) {
+	if opts.depth--; opts.depth < 0 {
+		return out, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return out, errUnknown
 	}
diff --git a/vendor/google.golang.org/protobuf/internal/impl/decode.go b/vendor/google.golang.org/protobuf/internal/impl/decode.go
index e0dd21fa5f..1228b5c8c2 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/decode.go
@@ -102,8 +102,7 @@ var errUnknown = errors.New("unknown")
 
 func (mi *MessageInfo) unmarshalPointer(b []byte, p pointer, groupTag protowire.Number, opts unmarshalOptions) (out unmarshalOutput, err error) {
 	mi.init()
-	opts.depth--
-	if opts.depth < 0 {
+	if opts.depth--; opts.depth < 0 {
 		return out, errRecursionDepth
 	}
 	if flags.ProtoLegacy && mi.isMessageSet {
diff --git a/vendor/google.golang.org/protobuf/internal/impl/validate.go b/vendor/google.golang.org/protobuf/internal/impl/validate.go
index 7b2995dde5..99a1eb95f7 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/validate.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/validate.go
@@ -68,9 +68,13 @@ func Validate(mt protoreflect.MessageType, in protoiface.UnmarshalInput) (out pr
 	if in.Resolver == nil {
 		in.Resolver = protoregistry.GlobalTypes
 	}
+	if in.Depth == 0 {
+		in.Depth = protowire.DefaultRecursionLimit
+	}
 	o, st := mi.validate(in.Buf, 0, unmarshalOptions{
 		flags:    in.Flags,
 		resolver: in.Resolver,
+		depth:    in.Depth,
 	})
 	if o.initialized {
 		out.Flags |= protoiface.UnmarshalInitialized
@@ -257,6 +261,9 @@ func (mi *MessageInfo) validate(b []byte, groupTag protowire.Number, opts unmars
 		states[0].typ = validationTypeGroup
 		states[0].endGroup = groupTag
 	}
+	if opts.depth--; opts.depth < 0 {
+		return out, ValidationInvalid
+	}
 	initialized := true
 	start := len(b)
 State:
@@ -451,6 +458,13 @@ State:
 						mi:      vi.mi,
 						tail:    b,
 					})
+					if vi.typ == validationTypeMessage ||
+						vi.typ == validationTypeGroup ||
+						vi.typ == validationTypeMap {
+						if opts.depth--; opts.depth < 0 {
+							return out, ValidationInvalid
+						}
+					}
 					b = v
 					continue State
 				case validationTypeRepeatedVarint:
@@ -499,6 +513,9 @@ State:
 						mi:       vi.mi,
 						endGroup: num,
 					})
+					if opts.depth--; opts.depth < 0 {
+						return out, ValidationInvalid
+					}
 					continue State
 				case flags.ProtoLegacy && vi.typ == validationTypeMessageSetItem:
 					typeid, v, n, err := messageset.ConsumeFieldValue(b, false)
@@ -521,6 +538,13 @@ State:
 							mi:   xvi.mi,
 							tail: b[n:],
 						})
+						if xvi.typ == validationTypeMessage ||
+							xvi.typ == validationTypeGroup ||
+							xvi.typ == validationTypeMap {
+							if opts.depth--; opts.depth < 0 {
+								return out, ValidationInvalid
+							}
+						}
 						b = v
 						continue State
 					}
@@ -547,12 +571,14 @@ State:
 		switch st.typ {
 		case validationTypeMessage, validationTypeGroup:
 			numRequiredFields = int(st.mi.numRequiredFields)
+			opts.depth++
 		case validationTypeMap:
 			// If this is a map field with a message value that contains
 			// required fields, require that the value be present.
 			if st.mi != nil && st.mi.numRequiredFields > 0 {
 				numRequiredFields = 1
 			}
+			opts.depth++
 		}
 		// If there are more than 64 required fields, this check will
 		// always fail and we will report that the message is potentially
diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go
index 697d1c14f3..763fd82841 100644
--- a/vendor/google.golang.org/protobuf/internal/version/version.go
+++ b/vendor/google.golang.org/protobuf/internal/version/version.go
@@ -52,7 +52,7 @@ import (
 const (
 	Major      = 1
 	Minor      = 36
-	Patch      = 8
+	Patch      = 11
 	PreRelease = ""
 )
 
diff --git a/vendor/google.golang.org/protobuf/proto/decode.go b/vendor/google.golang.org/protobuf/proto/decode.go
index 4cbf1aeaf7..889d8511d2 100644
--- a/vendor/google.golang.org/protobuf/proto/decode.go
+++ b/vendor/google.golang.org/protobuf/proto/decode.go
@@ -121,9 +121,8 @@ func (o UnmarshalOptions) unmarshal(b []byte, m protoreflect.Message) (out proto
 
 		out, err = methods.Unmarshal(in)
 	} else {
-		o.RecursionLimit--
-		if o.RecursionLimit < 0 {
-			return out, errors.New("exceeded max recursion depth")
+		if o.RecursionLimit--; o.RecursionLimit < 0 {
+			return out, errRecursionDepth
 		}
 		err = o.unmarshalMessageSlow(b, m)
 	}
@@ -220,6 +219,9 @@ func (o UnmarshalOptions) unmarshalSingular(b []byte, wtyp protowire.Type, m pro
 }
 
 func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp protowire.Type, mapv protoreflect.Map, fd protoreflect.FieldDescriptor) (n int, err error) {
+	if o.RecursionLimit--; o.RecursionLimit < 0 {
+		return 0, errRecursionDepth
+	}
 	if wtyp != protowire.BytesType {
 		return 0, errUnknown
 	}
@@ -305,3 +307,5 @@ func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp protowire.Type, mapv proto
 var errUnknown = errors.New("BUG: internal error (unknown)")
 
 var errDecode = errors.New("cannot parse invalid wire-format data")
+
+var errRecursionDepth = errors.New("exceeded maximum recursion depth")
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
index 823dbf3ba6..40f17af4e3 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc.go
@@ -108,7 +108,9 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
 	if f.L1.Path == "" {
 		return nil, errors.New("file path must be populated")
 	}
-	if f.L1.Syntax == protoreflect.Editions && (fd.GetEdition() < editionssupport.Minimum || fd.GetEdition() > editionssupport.Maximum) {
+	if f.L1.Syntax == protoreflect.Editions &&
+		(fd.GetEdition() < editionssupport.Minimum || fd.GetEdition() > editionssupport.Maximum) &&
+		fd.GetEdition() != descriptorpb.Edition_EDITION_UNSTABLE {
 		// Allow cmd/protoc-gen-go/testdata to use any edition for easier
 		// testing of upcoming edition features.
 		if !strings.HasPrefix(fd.GetName(), "cmd/protoc-gen-go/testdata/") {
@@ -152,6 +154,31 @@ func (o FileOptions) New(fd *descriptorpb.FileDescriptorProto, r Resolver) (prot
 		imp := &f.L2.Imports[i]
 		imps.importPublic(imp.Imports())
 	}
+	optionImps := importSet{f.Path(): true}
+	if len(fd.GetOptionDependency()) > 0 {
+		optionImports := make(filedesc.FileImports, len(fd.GetOptionDependency()))
+		for i, path := range fd.GetOptionDependency() {
+			imp := &optionImports[i]
+			f, err := r.FindFileByPath(path)
+			if err == protoregistry.NotFound {
+				// We always allow option imports to be unresolvable.
+				f = filedesc.PlaceholderFile(path)
+			} else if err != nil {
+				return nil, errors.New("could not resolve import %q: %v", path, err)
+			}
+			imp.FileDescriptor = f
+
+			if imps[imp.Path()] || optionImps[imp.Path()] {
+				return nil, errors.New("already imported %q", path)
+			}
+			// This needs to be a separate map so that we don't recognize non-options
+			// symbols coming from option imports.
+			optionImps[imp.Path()] = true
+		}
+		f.L2.OptionImports = func() protoreflect.FileImports {
+			return &optionImports
+		}
+	}
 
 	// Handle source locations.
 	f.L2.Locations.File = f
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
index 9da34998b1..c826ad0430 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go
@@ -29,6 +29,7 @@ func (r descsByName) initEnumDeclarations(eds []*descriptorpb.EnumDescriptorProt
 			e.L2.Options = func() protoreflect.ProtoMessage { return opts }
 		}
 		e.L1.EditionFeatures = mergeEditionFeatures(parent, ed.GetOptions().GetFeatures())
+		e.L1.Visibility = int32(ed.GetVisibility())
 		for _, s := range ed.GetReservedName() {
 			e.L2.ReservedNames.List = append(e.L2.ReservedNames.List, protoreflect.Name(s))
 		}
@@ -70,6 +71,7 @@ func (r descsByName) initMessagesDeclarations(mds []*descriptorpb.DescriptorProt
 			return nil, err
 		}
 		m.L1.EditionFeatures = mergeEditionFeatures(parent, md.GetOptions().GetFeatures())
+		m.L1.Visibility = int32(md.GetVisibility())
 		if opts := md.GetOptions(); opts != nil {
 			opts = proto.Clone(opts).(*descriptorpb.MessageOptions)
 			m.L2.Options = func() protoreflect.ProtoMessage { return opts }
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
index 697a61b290..147b8c7398 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/editions.go
@@ -46,6 +46,8 @@ func toEditionProto(ed filedesc.Edition) descriptorpb.Edition {
 		return descriptorpb.Edition_EDITION_2023
 	case filedesc.Edition2024:
 		return descriptorpb.Edition_EDITION_2024
+	case filedesc.EditionUnstable:
+		return descriptorpb.Edition_EDITION_UNSTABLE
 	default:
 		panic(fmt.Sprintf("unknown value for edition: %v", ed))
 	}
@@ -58,7 +60,7 @@ func getFeatureSetFor(ed filedesc.Edition) *descriptorpb.FeatureSet {
 		return def
 	}
 	edpb := toEditionProto(ed)
-	if defaults.GetMinimumEdition() > edpb || defaults.GetMaximumEdition() < edpb {
+	if (defaults.GetMinimumEdition() > edpb || defaults.GetMaximumEdition() < edpb) && edpb != descriptorpb.Edition_EDITION_UNSTABLE {
 		// This should never happen protodesc.(FileOptions).New would fail when
 		// initializing the file descriptor.
 		// This most likely means the embedded defaults were not updated.
diff --git a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
index 9b880aa8c9..6f91074e36 100644
--- a/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
+++ b/vendor/google.golang.org/protobuf/reflect/protodesc/proto.go
@@ -70,16 +70,27 @@ func ToFileDescriptorProto(file protoreflect.FileDescriptor) *descriptorpb.FileD
 	if syntax := file.Syntax(); syntax != protoreflect.Proto2 && syntax.IsValid() {
 		p.Syntax = proto.String(file.Syntax().String())
 	}
+	desc := file
+	if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
+		desc = fileImportDesc.FileDescriptor
+	}
 	if file.Syntax() == protoreflect.Editions {
-		desc := file
-		if fileImportDesc, ok := file.(protoreflect.FileImport); ok {
-			desc = fileImportDesc.FileDescriptor
-		}
-
 		if editionsInterface, ok := desc.(interface{ Edition() int32 }); ok {
 			p.Edition = descriptorpb.Edition(editionsInterface.Edition()).Enum()
 		}
 	}
+	type hasOptionImports interface {
+		OptionImports() protoreflect.FileImports
+	}
+	if opts, ok := desc.(hasOptionImports); ok {
+		if optionImports := opts.OptionImports(); optionImports.Len() > 0 {
+			optionDeps := make([]string, optionImports.Len())
+			for i := range optionImports.Len() {
+				optionDeps[i] = optionImports.Get(i).Path()
+			}
+			p.OptionDependency = optionDeps
+		}
+	}
 	return p
 }
 
@@ -123,6 +134,14 @@ func ToDescriptorProto(message protoreflect.MessageDescriptor) *descriptorpb.Des
 	for i, names := 0, message.ReservedNames(); i < names.Len(); i++ {
 		p.ReservedName = append(p.ReservedName, string(names.Get(i)))
 	}
+	type hasVisibility interface {
+		Visibility() int32
+	}
+	if vis, ok := message.(hasVisibility); ok {
+		if visibility := vis.Visibility(); visibility > 0 {
+			p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+		}
+	}
 	return p
 }
 
@@ -216,6 +235,14 @@ func ToEnumDescriptorProto(enum protoreflect.EnumDescriptor) *descriptorpb.EnumD
 	for i, names := 0, enum.ReservedNames(); i < names.Len(); i++ {
 		p.ReservedName = append(p.ReservedName, string(names.Get(i)))
 	}
+	type hasVisibility interface {
+		Visibility() int32
+	}
+	if vis, ok := enum.(hasVisibility); ok {
+		if visibility := vis.Visibility(); visibility > 0 {
+			p.Visibility = descriptorpb.SymbolVisibility(visibility).Enum()
+		}
+	}
 	return p
 }
 
diff --git a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
index 4eacb523c3..0b23faa957 100644
--- a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
+++ b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
@@ -69,6 +69,8 @@ const (
 	// comparison.
 	Edition_EDITION_2023 Edition = 1000
 	Edition_EDITION_2024 Edition = 1001
+	// A placeholder edition for developing and testing unscheduled features.
+	Edition_EDITION_UNSTABLE Edition = 9999
 	// Placeholder editions for testing feature resolution.  These should not be
 	// used or relied on outside of tests.
 	Edition_EDITION_1_TEST_ONLY     Edition = 1
@@ -91,6 +93,7 @@ var (
 		999:        "EDITION_PROTO3",
 		1000:       "EDITION_2023",
 		1001:       "EDITION_2024",
+		9999:       "EDITION_UNSTABLE",
 		1:          "EDITION_1_TEST_ONLY",
 		2:          "EDITION_2_TEST_ONLY",
 		99997:      "EDITION_99997_TEST_ONLY",
@@ -105,6 +108,7 @@ var (
 		"EDITION_PROTO3":          999,
 		"EDITION_2023":            1000,
 		"EDITION_2024":            1001,
+		"EDITION_UNSTABLE":        9999,
 		"EDITION_1_TEST_ONLY":     1,
 		"EDITION_2_TEST_ONLY":     2,
 		"EDITION_99997_TEST_ONLY": 99997,
@@ -4793,11 +4797,11 @@ const file_google_protobuf_descriptor_proto_rawDesc = "" +
 	"\x18EnumValueDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x16\n" +
 	"\x06number\x18\x02 \x01(\x05R\x06number\x12;\n" +
-	"\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xa7\x01\n" +
+	"\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xb5\x01\n" +
 	"\x16ServiceDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12>\n" +
 	"\x06method\x18\x02 \x03(\v2&.google.protobuf.MethodDescriptorProtoR\x06method\x129\n" +
-	"\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptions\"\x89\x02\n" +
+	"\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptionsJ\x04\b\x04\x10\x05R\x06stream\"\x89\x02\n" +
 	"\x15MethodDescriptorProto\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x1d\n" +
 	"\n" +
@@ -5033,14 +5037,15 @@ const file_google_protobuf_descriptor_proto_rawDesc = "" +
 	"\bSemantic\x12\b\n" +
 	"\x04NONE\x10\x00\x12\a\n" +
 	"\x03SET\x10\x01\x12\t\n" +
-	"\x05ALIAS\x10\x02*\xa7\x02\n" +
+	"\x05ALIAS\x10\x02*\xbe\x02\n" +
 	"\aEdition\x12\x13\n" +
 	"\x0fEDITION_UNKNOWN\x10\x00\x12\x13\n" +
 	"\x0eEDITION_LEGACY\x10\x84\a\x12\x13\n" +
 	"\x0eEDITION_PROTO2\x10\xe6\a\x12\x13\n" +
 	"\x0eEDITION_PROTO3\x10\xe7\a\x12\x11\n" +
 	"\fEDITION_2023\x10\xe8\a\x12\x11\n" +
-	"\fEDITION_2024\x10\xe9\a\x12\x17\n" +
+	"\fEDITION_2024\x10\xe9\a\x12\x15\n" +
+	"\x10EDITION_UNSTABLE\x10\x8fN\x12\x17\n" +
 	"\x13EDITION_1_TEST_ONLY\x10\x01\x12\x17\n" +
 	"\x13EDITION_2_TEST_ONLY\x10\x02\x12\x1d\n" +
 	"\x17EDITION_99997_TEST_ONLY\x10\x9d\x8d\x06\x12\x1d\n" +
diff --git a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
index 06d584c14b..484c21fd53 100644
--- a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
@@ -172,13 +172,14 @@ import (
 // ) to obtain a formatter capable of generating timestamps in this format.
 type Timestamp struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
-	// Represents seconds of UTC time since Unix epoch
-	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
-	// 9999-12-31T23:59:59Z inclusive.
+	// Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must
+	// be between -315576000000 and 315576000000 inclusive (which corresponds to
+	// 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
 	Seconds int64 `protobuf:"varint,1,opt,name=seconds,proto3" json:"seconds,omitempty"`
-	// Non-negative fractions of a second at nanosecond resolution. Negative
-	// second values with fractions must still have non-negative nanos values
-	// that count forward in time. Must be from 0 to 999,999,999
+	// Non-negative fractions of a second at nanosecond resolution. This field is
+	// the nanosecond portion of the duration, not an alternative to seconds.
+	// Negative second values with fractions must still have non-negative nanos
+	// values that count forward in time. Must be between 0 and 999,999,999
 	// inclusive.
 	Nanos         int32 `protobuf:"varint,2,opt,name=nanos,proto3" json:"nanos,omitempty"`
 	unknownFields protoimpl.UnknownFields
diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/.gitignore b/vendor/gopkg.in/natefinch/lumberjack.v2/.gitignore
new file mode 100644
index 0000000000..836562412f
--- /dev/null
+++ b/vendor/gopkg.in/natefinch/lumberjack.v2/.gitignore
@@ -0,0 +1,23 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/.travis.yml b/vendor/gopkg.in/natefinch/lumberjack.v2/.travis.yml
new file mode 100644
index 0000000000..21166f5c7d
--- /dev/null
+++ b/vendor/gopkg.in/natefinch/lumberjack.v2/.travis.yml
@@ -0,0 +1,11 @@
+language: go
+
+go:
+  - tip
+  - 1.15.x
+  - 1.14.x
+  - 1.13.x
+  - 1.12.x
+  
+env:
+  - GO111MODULE=on
diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/LICENSE b/vendor/gopkg.in/natefinch/lumberjack.v2/LICENSE
new file mode 100644
index 0000000000..c3d4cc307d
--- /dev/null
+++ b/vendor/gopkg.in/natefinch/lumberjack.v2/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Nate Finch 
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/README.md b/vendor/gopkg.in/natefinch/lumberjack.v2/README.md
new file mode 100644
index 0000000000..060eae52a2
--- /dev/null
+++ b/vendor/gopkg.in/natefinch/lumberjack.v2/README.md
@@ -0,0 +1,179 @@
+# lumberjack  [![GoDoc](https://godoc.org/gopkg.in/natefinch/lumberjack.v2?status.png)](https://godoc.org/gopkg.in/natefinch/lumberjack.v2) [![Build Status](https://travis-ci.org/natefinch/lumberjack.svg?branch=v2.0)](https://travis-ci.org/natefinch/lumberjack) [![Build status](https://ci.appveyor.com/api/projects/status/00gchpxtg4gkrt5d)](https://ci.appveyor.com/project/natefinch/lumberjack) [![Coverage Status](https://coveralls.io/repos/natefinch/lumberjack/badge.svg?branch=v2.0)](https://coveralls.io/r/natefinch/lumberjack?branch=v2.0)
+
+### Lumberjack is a Go package for writing logs to rolling files.
+
+Package lumberjack provides a rolling logger.
+
+Note that this is v2.0 of lumberjack, and should be imported using gopkg.in
+thusly:
+
+    import "gopkg.in/natefinch/lumberjack.v2"
+
+The package name remains simply lumberjack, and the code resides at
+https://github.com/natefinch/lumberjack under the v2.0 branch.
+
+Lumberjack is intended to be one part of a logging infrastructure.
+It is not an all-in-one solution, but instead is a pluggable
+component at the bottom of the logging stack that simply controls the files
+to which logs are written.
+
+Lumberjack plays well with any logging package that can write to an
+io.Writer, including the standard library's log package.
+
+Lumberjack assumes that only one process is writing to the output files.
+Using the same lumberjack configuration from multiple processes on the same
+machine will result in improper behavior.
+
+
+**Example**
+
+To use lumberjack with the standard library's log package, just pass it into the SetOutput function when your application starts.
+
+Code:
+
+```go
+log.SetOutput(&lumberjack.Logger{
+    Filename:   "/var/log/myapp/foo.log",
+    MaxSize:    500, // megabytes
+    MaxBackups: 3,
+    MaxAge:     28, //days
+    Compress:   true, // disabled by default
+})
+```
+
+
+
+## type Logger
+``` go
+type Logger struct {
+    // Filename is the file to write logs to.  Backup log files will be retained
+    // in the same directory.  It uses <processname>-lumberjack.log in
+    // os.TempDir() if empty.
+    Filename string `json:"filename" yaml:"filename"`
+
+    // MaxSize is the maximum size in megabytes of the log file before it gets
+    // rotated. It defaults to 100 megabytes.
+    MaxSize int `json:"maxsize" yaml:"maxsize"`
+
+    // MaxAge is the maximum number of days to retain old log files based on the
+    // timestamp encoded in their filename.  Note that a day is defined as 24
+    // hours and may not exactly correspond to calendar days due to daylight
+    // savings, leap seconds, etc. The default is not to remove old log files
+    // based on age.
+    MaxAge int `json:"maxage" yaml:"maxage"`
+
+    // MaxBackups is the maximum number of old log files to retain.  The default
+    // is to retain all old log files (though MaxAge may still cause them to get
+    // deleted.)
+    MaxBackups int `json:"maxbackups" yaml:"maxbackups"`
+
+    // LocalTime determines if the time used for formatting the timestamps in
+    // backup files is the computer's local time.  The default is to use UTC
+    // time.
+    LocalTime bool `json:"localtime" yaml:"localtime"`
+
+    // Compress determines if the rotated log files should be compressed
+    // using gzip. The default is not to perform compression.
+    Compress bool `json:"compress" yaml:"compress"`
+    // contains filtered or unexported fields
+}
+```
+Logger is an io.WriteCloser that writes to the specified filename.
+
+Logger opens or creates the logfile on first Write.  If the file exists and
+is less than MaxSize megabytes, lumberjack will open and append to that file.
+If the file exists and its size is >= MaxSize megabytes, the file is renamed
+by putting the current time in a timestamp in the name immediately before the
+file's extension (or the end of the filename if there's no extension). A new
+log file is then created using original filename.
+
+Whenever a write would cause the current log file exceed MaxSize megabytes,
+the current file is closed, renamed, and a new log file created with the
+original name. Thus, the filename you give Logger is always the "current" log
+file.
+
+Backups use the log file name given to Logger, in the form `name-timestamp.ext`
+where name is the filename without the extension, timestamp is the time at which
+the log was rotated formatted with the time.Time format of
+`2006-01-02T15-04-05.000` and the extension is the original extension.  For
+example, if your Logger.Filename is `/var/log/foo/server.log`, a backup created
+at 6:30pm on Nov 11 2016 would use the filename
+`/var/log/foo/server-2016-11-04T18-30-00.000.log`
+
+### Cleaning Up Old Log Files
+Whenever a new logfile gets created, old log files may be deleted.  The most
+recent files according to the encoded timestamp will be retained, up to a
+number equal to MaxBackups (or all of them if MaxBackups is 0).  Any files
+with an encoded timestamp older than MaxAge days are deleted, regardless of
+MaxBackups.  Note that the time encoded in the timestamp is the rotation
+time, which may differ from the last time that file was written to.
+
+If MaxBackups and MaxAge are both 0, no old log files will be deleted.
+
+
+
+
+
+
+
+
+
+
+
+### func (\*Logger) Close
+``` go
+func (l *Logger) Close() error
+```
+Close implements io.Closer, and closes the current logfile.
+
+
+
+### func (\*Logger) Rotate
+``` go
+func (l *Logger) Rotate() error
+```
+Rotate causes Logger to close the existing log file and immediately create a
+new one.  This is a helper function for applications that want to initiate
+rotations outside of the normal rotation rules, such as in response to
+SIGHUP.  After rotating, this initiates a cleanup of old log files according
+to the normal rules.
+
+**Example**
+
+Example of how to rotate in response to SIGHUP.
+
+Code:
+
+```go
+l := &lumberjack.Logger{}
+log.SetOutput(l)
+c := make(chan os.Signal, 1)
+signal.Notify(c, syscall.SIGHUP)
+
+go func() {
+    for {
+        <-c
+        l.Rotate()
+    }
+}()
+```
+
+### func (\*Logger) Write
+``` go
+func (l *Logger) Write(p []byte) (n int, err error)
+```
+Write implements io.Writer.  If a write would cause the log file to be larger
+than MaxSize, the file is closed, renamed to include a timestamp of the
+current time, and a new log file is created using the original log file name.
+If the length of the write is greater than MaxSize, an error is returned.
+
+
+
+
+
+
+
+
+
+- - -
+Generated by [godoc2md](http://godoc.org/github.com/davecheney/godoc2md)
diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/chown.go b/vendor/gopkg.in/natefinch/lumberjack.v2/chown.go
new file mode 100644
index 0000000000..11d0669723
--- /dev/null
+++ b/vendor/gopkg.in/natefinch/lumberjack.v2/chown.go
@@ -0,0 +1,11 @@
+// +build !linux
+
+package lumberjack
+
+import (
+	"os"
+)
+
+func chown(_ string, _ os.FileInfo) error {
+	return nil
+}
diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/chown_linux.go b/vendor/gopkg.in/natefinch/lumberjack.v2/chown_linux.go
new file mode 100644
index 0000000000..465f569270
--- /dev/null
+++ b/vendor/gopkg.in/natefinch/lumberjack.v2/chown_linux.go
@@ -0,0 +1,19 @@
+package lumberjack
+
+import (
+	"os"
+	"syscall"
+)
+
+// osChown is a var so we can mock it out during tests.
+var osChown = os.Chown
+
+func chown(name string, info os.FileInfo) error {
+	f, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, info.Mode())
+	if err != nil {
+		return err
+	}
+	f.Close()
+	stat := info.Sys().(*syscall.Stat_t)
+	return osChown(name, int(stat.Uid), int(stat.Gid))
+}
diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/lumberjack.go b/vendor/gopkg.in/natefinch/lumberjack.v2/lumberjack.go
new file mode 100644
index 0000000000..3447cdc056
--- /dev/null
+++ b/vendor/gopkg.in/natefinch/lumberjack.v2/lumberjack.go
@@ -0,0 +1,541 @@
+// Package lumberjack provides a rolling logger.
+//
+// Note that this is v2.0 of lumberjack, and should be imported using gopkg.in
+// thusly:
+//
+//   import "gopkg.in/natefinch/lumberjack.v2"
+//
+// The package name remains simply lumberjack, and the code resides at
+// https://github.com/natefinch/lumberjack under the v2.0 branch.
+//
+// Lumberjack is intended to be one part of a logging infrastructure.
+// It is not an all-in-one solution, but instead is a pluggable
+// component at the bottom of the logging stack that simply controls the files
+// to which logs are written.
+//
+// Lumberjack plays well with any logging package that can write to an
+// io.Writer, including the standard library's log package.
+//
+// Lumberjack assumes that only one process is writing to the output files.
+// Using the same lumberjack configuration from multiple processes on the same
+// machine will result in improper behavior.
+package lumberjack
+
+import (
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	backupTimeFormat = "2006-01-02T15-04-05.000"
+	compressSuffix   = ".gz"
+	defaultMaxSize   = 100
+)
+
+// ensure we always implement io.WriteCloser
+var _ io.WriteCloser = (*Logger)(nil)
+
+// Logger is an io.WriteCloser that writes to the specified filename.
+//
+// Logger opens or creates the logfile on first Write.  If the file exists and
+// is less than MaxSize megabytes, lumberjack will open and append to that file.
+// If the file exists and its size is >= MaxSize megabytes, the file is renamed
+// by putting the current time in a timestamp in the name immediately before the
+// file's extension (or the end of the filename if there's no extension). A new
+// log file is then created using original filename.
+//
+// Whenever a write would cause the current log file exceed MaxSize megabytes,
+// the current file is closed, renamed, and a new log file created with the
+// original name. Thus, the filename you give Logger is always the "current" log
+// file.
+//
+// Backups use the log file name given to Logger, in the form
+// `name-timestamp.ext` where name is the filename without the extension,
+// timestamp is the time at which the log was rotated formatted with the
+// time.Time format of `2006-01-02T15-04-05.000` and the extension is the
+// original extension.  For example, if your Logger.Filename is
+// `/var/log/foo/server.log`, a backup created at 6:30pm on Nov 11 2016 would
+// use the filename `/var/log/foo/server-2016-11-04T18-30-00.000.log`
+//
+// Cleaning Up Old Log Files
+//
+// Whenever a new logfile gets created, old log files may be deleted.  The most
+// recent files according to the encoded timestamp will be retained, up to a
+// number equal to MaxBackups (or all of them if MaxBackups is 0).  Any files
+// with an encoded timestamp older than MaxAge days are deleted, regardless of
+// MaxBackups.  Note that the time encoded in the timestamp is the rotation
+// time, which may differ from the last time that file was written to.
+//
+// If MaxBackups and MaxAge are both 0, no old log files will be deleted.
+type Logger struct {
+	// Filename is the file to write logs to.  Backup log files will be retained
+	// in the same directory.  It uses <processname>-lumberjack.log in
+	// os.TempDir() if empty.
+	Filename string `json:"filename" yaml:"filename"`
+
+	// MaxSize is the maximum size in megabytes of the log file before it gets
+	// rotated. It defaults to 100 megabytes.
+	MaxSize int `json:"maxsize" yaml:"maxsize"`
+
+	// MaxAge is the maximum number of days to retain old log files based on the
+	// timestamp encoded in their filename.  Note that a day is defined as 24
+	// hours and may not exactly correspond to calendar days due to daylight
+	// savings, leap seconds, etc. The default is not to remove old log files
+	// based on age.
+	MaxAge int `json:"maxage" yaml:"maxage"`
+
+	// MaxBackups is the maximum number of old log files to retain.  The default
+	// is to retain all old log files (though MaxAge may still cause them to get
+	// deleted.)
+	MaxBackups int `json:"maxbackups" yaml:"maxbackups"`
+
+	// LocalTime determines if the time used for formatting the timestamps in
+	// backup files is the computer's local time.  The default is to use UTC
+	// time.
+	LocalTime bool `json:"localtime" yaml:"localtime"`
+
+	// Compress determines if the rotated log files should be compressed
+	// using gzip. The default is not to perform compression.
+	Compress bool `json:"compress" yaml:"compress"`
+
+	size int64
+	file *os.File
+	mu   sync.Mutex
+
+	millCh    chan bool
+	startMill sync.Once
+}
+
+var (
+	// currentTime exists so it can be mocked out by tests.
+	currentTime = time.Now
+
+	// os_Stat exists so it can be mocked out by tests.
+	osStat = os.Stat
+
+	// megabyte is the conversion factor between MaxSize and bytes.  It is a
+	// variable so tests can mock it out and not need to write megabytes of data
+	// to disk.
+	megabyte = 1024 * 1024
+)
+
+// Write implements io.Writer.  If a write would cause the log file to be larger
+// than MaxSize, the file is closed, renamed to include a timestamp of the
+// current time, and a new log file is created using the original log file name.
+// If the length of the write is greater than MaxSize, an error is returned.
+func (l *Logger) Write(p []byte) (n int, err error) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	writeLen := int64(len(p))
+	if writeLen > l.max() {
+		return 0, fmt.Errorf(
+			"write length %d exceeds maximum file size %d", writeLen, l.max(),
+		)
+	}
+
+	if l.file == nil {
+		if err = l.openExistingOrNew(len(p)); err != nil {
+			return 0, err
+		}
+	}
+
+	if l.size+writeLen > l.max() {
+		if err := l.rotate(); err != nil {
+			return 0, err
+		}
+	}
+
+	n, err = l.file.Write(p)
+	l.size += int64(n)
+
+	return n, err
+}
+
+// Close implements io.Closer, and closes the current logfile.
+func (l *Logger) Close() error {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	return l.close()
+}
+
+// close closes the file if it is open.
+func (l *Logger) close() error {
+	if l.file == nil {
+		return nil
+	}
+	err := l.file.Close()
+	l.file = nil
+	return err
+}
+
+// Rotate causes Logger to close the existing log file and immediately create a
+// new one.  This is a helper function for applications that want to initiate
+// rotations outside of the normal rotation rules, such as in response to
+// SIGHUP.  After rotating, this initiates compression and removal of old log
+// files according to the configuration.
+func (l *Logger) Rotate() error {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	return l.rotate()
+}
+
+// rotate closes the current file, moves it aside with a timestamp in the name,
+// (if it exists), opens a new file with the original filename, and then runs
+// post-rotation processing and removal.
+func (l *Logger) rotate() error {
+	if err := l.close(); err != nil {
+		return err
+	}
+	if err := l.openNew(); err != nil {
+		return err
+	}
+	l.mill()
+	return nil
+}
+
+// openNew opens a new log file for writing, moving any old log file out of the
+// way.  This methods assumes the file has already been closed.
+func (l *Logger) openNew() error {
+	err := os.MkdirAll(l.dir(), 0755)
+	if err != nil {
+		return fmt.Errorf("can't make directories for new logfile: %s", err)
+	}
+
+	name := l.filename()
+	mode := os.FileMode(0600)
+	info, err := osStat(name)
+	if err == nil {
+		// Copy the mode off the old logfile.
+		mode = info.Mode()
+		// move the existing file
+		newname := backupName(name, l.LocalTime)
+		if err := os.Rename(name, newname); err != nil {
+			return fmt.Errorf("can't rename log file: %s", err)
+		}
+
+		// this is a no-op anywhere but linux
+		if err := chown(name, info); err != nil {
+			return err
+		}
+	}
+
+	// we use truncate here because this should only get called when we've moved
+	// the file ourselves. if someone else creates the file in the meantime,
+	// just wipe out the contents.
+	f, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode)
+	if err != nil {
+		return fmt.Errorf("can't open new logfile: %s", err)
+	}
+	l.file = f
+	l.size = 0
+	return nil
+}
+
+// backupName creates a new filename from the given name, inserting a timestamp
+// between the filename and the extension, using the local time if requested
+// (otherwise UTC).
+func backupName(name string, local bool) string {
+	dir := filepath.Dir(name)
+	filename := filepath.Base(name)
+	ext := filepath.Ext(filename)
+	prefix := filename[:len(filename)-len(ext)]
+	t := currentTime()
+	if !local {
+		t = t.UTC()
+	}
+
+	timestamp := t.Format(backupTimeFormat)
+	return filepath.Join(dir, fmt.Sprintf("%s-%s%s", prefix, timestamp, ext))
+}
+
+// openExistingOrNew opens the logfile if it exists and if the current write
+// would not put it over MaxSize.  If there is no such file or the write would
+// put it over the MaxSize, a new file is created.
+func (l *Logger) openExistingOrNew(writeLen int) error {
+	l.mill()
+
+	filename := l.filename()
+	info, err := osStat(filename)
+	if os.IsNotExist(err) {
+		return l.openNew()
+	}
+	if err != nil {
+		return fmt.Errorf("error getting log file info: %s", err)
+	}
+
+	if info.Size()+int64(writeLen) >= l.max() {
+		return l.rotate()
+	}
+
+	file, err := os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, 0644)
+	if err != nil {
+		// if we fail to open the old log file for some reason, just ignore
+		// it and open a new log file.
+		return l.openNew()
+	}
+	l.file = file
+	l.size = info.Size()
+	return nil
+}
+
+// filename generates the name of the logfile from the current time.
+func (l *Logger) filename() string {
+	if l.Filename != "" {
+		return l.Filename
+	}
+	name := filepath.Base(os.Args[0]) + "-lumberjack.log"
+	return filepath.Join(os.TempDir(), name)
+}
+
+// millRunOnce performs compression and removal of stale log files.
+// Log files are compressed if enabled via configuration and old log
+// files are removed, keeping at most l.MaxBackups files, as long as
+// none of them are older than MaxAge.
+func (l *Logger) millRunOnce() error {
+	if l.MaxBackups == 0 && l.MaxAge == 0 && !l.Compress {
+		return nil
+	}
+
+	files, err := l.oldLogFiles()
+	if err != nil {
+		return err
+	}
+
+	var compress, remove []logInfo
+
+	if l.MaxBackups > 0 && l.MaxBackups < len(files) {
+		preserved := make(map[string]bool)
+		var remaining []logInfo
+		for _, f := range files {
+			// Only count the uncompressed log file or the
+			// compressed log file, not both.
+			fn := f.Name()
+			if strings.HasSuffix(fn, compressSuffix) {
+				fn = fn[:len(fn)-len(compressSuffix)]
+			}
+			preserved[fn] = true
+
+			if len(preserved) > l.MaxBackups {
+				remove = append(remove, f)
+			} else {
+				remaining = append(remaining, f)
+			}
+		}
+		files = remaining
+	}
+	if l.MaxAge > 0 {
+		diff := time.Duration(int64(24*time.Hour) * int64(l.MaxAge))
+		cutoff := currentTime().Add(-1 * diff)
+
+		var remaining []logInfo
+		for _, f := range files {
+			if f.timestamp.Before(cutoff) {
+				remove = append(remove, f)
+			} else {
+				remaining = append(remaining, f)
+			}
+		}
+		files = remaining
+	}
+
+	if l.Compress {
+		for _, f := range files {
+			if !strings.HasSuffix(f.Name(), compressSuffix) {
+				compress = append(compress, f)
+			}
+		}
+	}
+
+	for _, f := range remove {
+		errRemove := os.Remove(filepath.Join(l.dir(), f.Name()))
+		if err == nil && errRemove != nil {
+			err = errRemove
+		}
+	}
+	for _, f := range compress {
+		fn := filepath.Join(l.dir(), f.Name())
+		errCompress := compressLogFile(fn, fn+compressSuffix)
+		if err == nil && errCompress != nil {
+			err = errCompress
+		}
+	}
+
+	return err
+}
+
+// millRun runs in a goroutine to manage post-rotation compression and removal
+// of old log files.
+func (l *Logger) millRun() {
+	for range l.millCh {
+		// what am I going to do, log this?
+		_ = l.millRunOnce()
+	}
+}
+
+// mill performs post-rotation compression and removal of stale log files,
+// starting the mill goroutine if necessary.
+func (l *Logger) mill() {
+	l.startMill.Do(func() {
+		l.millCh = make(chan bool, 1)
+		go l.millRun()
+	})
+	select {
+	case l.millCh <- true:
+	default:
+	}
+}
+
+// oldLogFiles returns the list of backup log files stored in the same
+// directory as the current log file, sorted by ModTime
+func (l *Logger) oldLogFiles() ([]logInfo, error) {
+	files, err := ioutil.ReadDir(l.dir())
+	if err != nil {
+		return nil, fmt.Errorf("can't read log file directory: %s", err)
+	}
+	logFiles := []logInfo{}
+
+	prefix, ext := l.prefixAndExt()
+
+	for _, f := range files {
+		if f.IsDir() {
+			continue
+		}
+		if t, err := l.timeFromName(f.Name(), prefix, ext); err == nil {
+			logFiles = append(logFiles, logInfo{t, f})
+			continue
+		}
+		if t, err := l.timeFromName(f.Name(), prefix, ext+compressSuffix); err == nil {
+			logFiles = append(logFiles, logInfo{t, f})
+			continue
+		}
+		// error parsing means that the suffix at the end was not generated
+		// by lumberjack, and therefore it's not a backup file.
+	}
+
+	sort.Sort(byFormatTime(logFiles))
+
+	return logFiles, nil
+}
+
+// timeFromName extracts the formatted time from the filename by stripping off
+// the filename's prefix and extension. This prevents someone's filename from
+// confusing time.parse.
+func (l *Logger) timeFromName(filename, prefix, ext string) (time.Time, error) {
+	if !strings.HasPrefix(filename, prefix) {
+		return time.Time{}, errors.New("mismatched prefix")
+	}
+	if !strings.HasSuffix(filename, ext) {
+		return time.Time{}, errors.New("mismatched extension")
+	}
+	ts := filename[len(prefix) : len(filename)-len(ext)]
+	return time.Parse(backupTimeFormat, ts)
+}
+
+// max returns the maximum size in bytes of log files before rolling.
+func (l *Logger) max() int64 {
+	if l.MaxSize == 0 {
+		return int64(defaultMaxSize * megabyte)
+	}
+	return int64(l.MaxSize) * int64(megabyte)
+}
+
+// dir returns the directory for the current filename.
+func (l *Logger) dir() string {
+	return filepath.Dir(l.filename())
+}
+
+// prefixAndExt returns the filename part and extension part from the Logger's
+// filename.
+func (l *Logger) prefixAndExt() (prefix, ext string) {
+	filename := filepath.Base(l.filename())
+	ext = filepath.Ext(filename)
+	prefix = filename[:len(filename)-len(ext)] + "-"
+	return prefix, ext
+}
+
+// compressLogFile compresses the given log file, removing the
+// uncompressed log file if successful.
+func compressLogFile(src, dst string) (err error) {
+	f, err := os.Open(src)
+	if err != nil {
+		return fmt.Errorf("failed to open log file: %v", err)
+	}
+	defer f.Close()
+
+	fi, err := osStat(src)
+	if err != nil {
+		return fmt.Errorf("failed to stat log file: %v", err)
+	}
+
+	if err := chown(dst, fi); err != nil {
+		return fmt.Errorf("failed to chown compressed log file: %v", err)
+	}
+
+	// If this file already exists, we presume it was created by
+	// a previous attempt to compress the log file.
+	gzf, err := os.OpenFile(dst, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, fi.Mode())
+	if err != nil {
+		return fmt.Errorf("failed to open compressed log file: %v", err)
+	}
+	defer gzf.Close()
+
+	gz := gzip.NewWriter(gzf)
+
+	defer func() {
+		if err != nil {
+			os.Remove(dst)
+			err = fmt.Errorf("failed to compress log file: %v", err)
+		}
+	}()
+
+	if _, err := io.Copy(gz, f); err != nil {
+		return err
+	}
+	if err := gz.Close(); err != nil {
+		return err
+	}
+	if err := gzf.Close(); err != nil {
+		return err
+	}
+
+	if err := f.Close(); err != nil {
+		return err
+	}
+	if err := os.Remove(src); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// logInfo is a convenience struct to return the filename and its embedded
+// timestamp.
+type logInfo struct {
+	timestamp time.Time
+	os.FileInfo
+}
+
+// byFormatTime sorts by newest time formatted in the name.
+type byFormatTime []logInfo
+
+func (b byFormatTime) Less(i, j int) bool {
+	return b[i].timestamp.After(b[j].timestamp)
+}
+
+func (b byFormatTime) Swap(i, j int) {
+	b[i], b[j] = b[j], b[i]
+}
+
+func (b byFormatTime) Len() int {
+	return len(b)
+}
diff --git a/vendor/helm.sh/helm/v3/LICENSE b/vendor/helm.sh/helm/v3/LICENSE
new file mode 100644
index 0000000000..21c57fae21
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2016 The Kubernetes Authors All Rights Reserved
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/helm.sh/helm/v3/internal/fileutil/fileutil.go b/vendor/helm.sh/helm/v3/internal/fileutil/fileutil.go
new file mode 100644
index 0000000000..4ea09cca48
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/fileutil/fileutil.go
@@ -0,0 +1,50 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fileutil
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+
+	"helm.sh/helm/v3/internal/third_party/dep/fs"
+)
+
+// AtomicWriteFile atomically (as atomic as os.Rename allows) writes a file to a
+// disk.
+func AtomicWriteFile(filename string, reader io.Reader, mode os.FileMode) error {
+	tempFile, err := os.CreateTemp(filepath.Split(filename))
+	if err != nil {
+		return err
+	}
+	tempName := tempFile.Name()
+
+	if _, err := io.Copy(tempFile, reader); err != nil {
+		tempFile.Close() // return value is ignored as we are already on error path
+		return err
+	}
+
+	if err := tempFile.Close(); err != nil {
+		return err
+	}
+
+	if err := os.Chmod(tempName, mode); err != nil {
+		return err
+	}
+
+	return fs.RenameWithFallback(tempName, filename)
+}
diff --git a/vendor/helm.sh/helm/v3/internal/resolver/resolver.go b/vendor/helm.sh/helm/v3/internal/resolver/resolver.go
new file mode 100644
index 0000000000..b6f45da9e2
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/resolver/resolver.go
@@ -0,0 +1,262 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/helmpath"
+	"helm.sh/helm/v3/pkg/provenance"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/repo"
+)
+
+// Resolver resolves dependencies from semantic version ranges to a particular version.
+type Resolver struct {
+	chartpath      string
+	cachepath      string
+	registryClient *registry.Client
+}
+
+// New creates a new resolver for a given chart, helm home and registry client.
+func New(chartpath, cachepath string, registryClient *registry.Client) *Resolver {
+	return &Resolver{
+		chartpath:      chartpath,
+		cachepath:      cachepath,
+		registryClient: registryClient,
+	}
+}
+
+// Resolve resolves dependencies and returns a lock file with the resolution.
+func (r *Resolver) Resolve(reqs []*chart.Dependency, repoNames map[string]string) (*chart.Lock, error) {
+
+	// Now we clone the dependencies, locking as we go.
+	locked := make([]*chart.Dependency, len(reqs))
+	missing := []string{}
+	for i, d := range reqs {
+		constraint, err := semver.NewConstraint(d.Version)
+		if err != nil {
+			return nil, errors.Wrapf(err, "dependency %q has an invalid version/constraint format", d.Name)
+		}
+
+		if d.Repository == "" {
+			// Local chart subfolder
+			if _, err := GetLocalPath(filepath.Join("charts", d.Name), r.chartpath); err != nil {
+				return nil, err
+			}
+
+			locked[i] = &chart.Dependency{
+				Name:       d.Name,
+				Repository: "",
+				Version:    d.Version,
+			}
+			continue
+		}
+		if strings.HasPrefix(d.Repository, "file://") {
+			chartpath, err := GetLocalPath(d.Repository, r.chartpath)
+			if err != nil {
+				return nil, err
+			}
+
+			ch, err := loader.LoadDir(chartpath)
+			if err != nil {
+				return nil, err
+			}
+
+			v, err := semver.NewVersion(ch.Metadata.Version)
+			if err != nil {
+				// Not a legit entry.
+				continue
+			}
+
+			if !constraint.Check(v) {
+				missing = append(missing, fmt.Sprintf("%q (repository %q, version %q)", d.Name, d.Repository, d.Version))
+				continue
+			}
+
+			locked[i] = &chart.Dependency{
+				Name:       d.Name,
+				Repository: d.Repository,
+				Version:    ch.Metadata.Version,
+			}
+			continue
+		}
+
+		repoName := repoNames[d.Name]
+		// if the repository was not defined, but the dependency defines a repository url, bypass the cache
+		if repoName == "" && d.Repository != "" {
+			locked[i] = &chart.Dependency{
+				Name:       d.Name,
+				Repository: d.Repository,
+				Version:    d.Version,
+			}
+			continue
+		}
+
+		var vs repo.ChartVersions
+		var version string
+		var ok bool
+		found := true
+		if !registry.IsOCI(d.Repository) {
+			repoIndex, err := repo.LoadIndexFile(filepath.Join(r.cachepath, helmpath.CacheIndexFile(repoName)))
+			if err != nil {
+				return nil, errors.Wrapf(err, "no cached repository for %s found. (try 'helm repo update')", repoName)
+			}
+
+			vs, ok = repoIndex.Entries[d.Name]
+			if !ok {
+				return nil, errors.Errorf("%s chart not found in repo %s", d.Name, d.Repository)
+			}
+			found = false
+		} else {
+			version = d.Version
+
+			// Check to see if an explicit version has been provided
+			_, err := semver.NewVersion(version)
+
+			// Use an explicit version, otherwise search for tags
+			if err == nil {
+				vs = []*repo.ChartVersion{{
+					Metadata: &chart.Metadata{
+						Version: version,
+					},
+				}}
+
+			} else {
+				// Retrieve list of tags for repository
+				ref := fmt.Sprintf("%s/%s", strings.TrimPrefix(d.Repository, fmt.Sprintf("%s://", registry.OCIScheme)), d.Name)
+				tags, err := r.registryClient.Tags(ref)
+				if err != nil {
+					return nil, errors.Wrapf(err, "could not retrieve list of tags for repository %s", d.Repository)
+				}
+
+				vs = make(repo.ChartVersions, len(tags))
+				for ti, t := range tags {
+					// Mock chart version objects
+					version := &repo.ChartVersion{
+						Metadata: &chart.Metadata{
+							Version: t,
+						},
+					}
+					vs[ti] = version
+				}
+			}
+		}
+
+		locked[i] = &chart.Dependency{
+			Name:       d.Name,
+			Repository: d.Repository,
+			Version:    version,
+		}
+		// The versions are already sorted and hence the first one to satisfy the constraint is used
+		for _, ver := range vs {
+			v, err := semver.NewVersion(ver.Version)
+			// OCI does not need URLs
+			if err != nil || (!registry.IsOCI(d.Repository) && len(ver.URLs) == 0) {
+				// Not a legit entry.
+				continue
+			}
+			if constraint.Check(v) {
+				found = true
+				locked[i].Version = v.Original()
+				break
+			}
+		}
+
+		if !found {
+			missing = append(missing, fmt.Sprintf("%q (repository %q, version %q)", d.Name, d.Repository, d.Version))
+		}
+	}
+	if len(missing) > 0 {
+		return nil, errors.Errorf("can't get a valid version for %d subchart(s): %s. Make sure a matching chart version exists in the repo, or change the version constraint in Chart.yaml", len(missing), strings.Join(missing, ", "))
+	}
+
+	digest, err := HashReq(reqs, locked)
+	if err != nil {
+		return nil, err
+	}
+
+	return &chart.Lock{
+		Generated:    time.Now(),
+		Digest:       digest,
+		Dependencies: locked,
+	}, nil
+}
+
+// HashReq generates a hash of the dependencies.
+//
+// This should be used only to compare against another hash generated by this
+// function.
+func HashReq(req, lock []*chart.Dependency) (string, error) {
+	data, err := json.Marshal([2][]*chart.Dependency{req, lock})
+	if err != nil {
+		return "", err
+	}
+	s, err := provenance.Digest(bytes.NewBuffer(data))
+	return "sha256:" + s, err
+}
+
+// HashV2Req generates a hash of requirements generated in Helm v2.
+//
+// This should be used only to compare against another hash generated by the
+// Helm v2 hash function. It is to handle issue:
+// https://github.com/helm/helm/issues/7233
+func HashV2Req(req []*chart.Dependency) (string, error) {
+	dep := make(map[string][]*chart.Dependency)
+	dep["dependencies"] = req
+	data, err := json.Marshal(dep)
+	if err != nil {
+		return "", err
+	}
+	s, err := provenance.Digest(bytes.NewBuffer(data))
+	return "sha256:" + s, err
+}
+
+// GetLocalPath generates absolute local path when use
+// "file://" in repository of dependencies
+func GetLocalPath(repo, chartpath string) (string, error) {
+	var depPath string
+	var err error
+	p := strings.TrimPrefix(repo, "file://")
+
+	// root path is absolute
+	if strings.HasPrefix(p, "/") {
+		if depPath, err = filepath.Abs(p); err != nil {
+			return "", err
+		}
+	} else {
+		depPath = filepath.Join(chartpath, p)
+	}
+
+	if _, err = os.Stat(depPath); os.IsNotExist(err) {
+		return "", errors.Errorf("directory %s not found", depPath)
+	} else if err != nil {
+		return "", err
+	}
+
+	return depPath, nil
+}
diff --git a/vendor/helm.sh/helm/v3/internal/sympath/walk.go b/vendor/helm.sh/helm/v3/internal/sympath/walk.go
new file mode 100644
index 0000000000..6b221fb6cc
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/sympath/walk.go
@@ -0,0 +1,120 @@
+/*
+Copyright (c) for portions of walk.go are held by The Go Authors, 2009 and are
+provided under the BSD license.
+
+https://github.com/golang/go/blob/master/LICENSE
+
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sympath
+
+import (
+	"log"
+	"os"
+	"path/filepath"
+	"sort"
+
+	"github.com/pkg/errors"
+)
+
+// Walk walks the file tree rooted at root, calling walkFn for each file or directory
+// in the tree, including root. All errors that arise visiting files and directories
+// are filtered by walkFn. The files are walked in lexical order, which makes the
+// output deterministic but means that for very large directories Walk can be
+// inefficient. Walk follows symbolic links.
+func Walk(root string, walkFn filepath.WalkFunc) error {
+	info, err := os.Lstat(root)
+	if err != nil {
+		err = walkFn(root, nil, err)
+	} else {
+		err = symwalk(root, info, walkFn)
+	}
+	if err == filepath.SkipDir {
+		return nil
+	}
+	return err
+}
+
+// readDirNames reads the directory named by dirname and returns
+// a sorted list of directory entries.
+func readDirNames(dirname string) ([]string, error) {
+	f, err := os.Open(dirname)
+	if err != nil {
+		return nil, err
+	}
+	names, err := f.Readdirnames(-1)
+	f.Close()
+	if err != nil {
+		return nil, err
+	}
+	sort.Strings(names)
+	return names, nil
+}
+
+// symwalk recursively descends path, calling walkFn.
+func symwalk(path string, info os.FileInfo, walkFn filepath.WalkFunc) error {
+	// Recursively walk symlinked directories.
+	if IsSymlink(info) {
+		resolved, err := filepath.EvalSymlinks(path)
+		if err != nil {
+			return errors.Wrapf(err, "error evaluating symlink %s", path)
+		}
+		//This log message is to highlight a symlink that is being used within a chart, symlinks can be used for nefarious reasons.
+		log.Printf("found symbolic link in path: %s resolves to %s. Contents of linked file included and used", path, resolved)
+		if info, err = os.Lstat(resolved); err != nil {
+			return err
+		}
+		if err := symwalk(path, info, walkFn); err != nil && err != filepath.SkipDir {
+			return err
+		}
+		return nil
+	}
+
+	if err := walkFn(path, info, nil); err != nil {
+		return err
+	}
+
+	if !info.IsDir() {
+		return nil
+	}
+
+	names, err := readDirNames(path)
+	if err != nil {
+		return walkFn(path, info, err)
+	}
+
+	for _, name := range names {
+		filename := filepath.Join(path, name)
+		fileInfo, err := os.Lstat(filename)
+		if err != nil {
+			if err := walkFn(filename, fileInfo, err); err != nil && err != filepath.SkipDir {
+				return err
+			}
+		} else {
+			err = symwalk(filename, fileInfo, walkFn)
+			if err != nil {
+				if (!fileInfo.IsDir() && !IsSymlink(fileInfo)) || err != filepath.SkipDir {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// IsSymlink is used to determine if the fileinfo is a symbolic link.
+func IsSymlink(fi os.FileInfo) bool {
+	return fi.Mode()&os.ModeSymlink != 0
+}
diff --git a/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/fs.go b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/fs.go
new file mode 100644
index 0000000000..d29bb5f871
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/fs.go
@@ -0,0 +1,372 @@
+/*
+Copyright (c) for portions of fs.go are held by The Go Authors, 2016 and are provided under
+the BSD license.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package fs
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+	"syscall"
+
+	"github.com/pkg/errors"
+)
+
+// fs contains a copy of a few functions from dep tool code to avoid a dependency on golang/dep.
+// This code is copied from https://github.com/golang/dep/blob/37d6c560cdf407be7b6cd035b23dba89df9275cf/internal/fs/fs.go
+// No changes to the code were made other than removing some unused functions
+
+// RenameWithFallback attempts to rename a file or directory, but falls back to
+// copying in the event of a cross-device link error. If the fallback copy
+// succeeds, src is still removed, emulating normal rename behavior.
+func RenameWithFallback(src, dst string) error {
+	_, err := os.Stat(src)
+	if err != nil {
+		return errors.Wrapf(err, "cannot stat %s", src)
+	}
+
+	err = os.Rename(src, dst)
+	if err == nil {
+		return nil
+	}
+
+	return renameFallback(err, src, dst)
+}
+
+// renameByCopy attempts to rename a file or directory by copying it to the
+// destination and then removing the src thus emulating the rename behavior.
+func renameByCopy(src, dst string) error {
+	var cerr error
+	if dir, _ := IsDir(src); dir {
+		cerr = CopyDir(src, dst)
+		if cerr != nil {
+			cerr = errors.Wrap(cerr, "copying directory failed")
+		}
+	} else {
+		cerr = copyFile(src, dst)
+		if cerr != nil {
+			cerr = errors.Wrap(cerr, "copying file failed")
+		}
+	}
+
+	if cerr != nil {
+		return errors.Wrapf(cerr, "rename fallback failed: cannot rename %s to %s", src, dst)
+	}
+
+	return errors.Wrapf(os.RemoveAll(src), "cannot delete %s", src)
+}
+
+var (
+	errSrcNotDir = errors.New("source is not a directory")
+	errDstExist  = errors.New("destination already exists")
+)
+
+// CopyDir recursively copies a directory tree, attempting to preserve permissions.
+// Source directory must exist, destination directory must *not* exist.
+func CopyDir(src, dst string) error {
+	src = filepath.Clean(src)
+	dst = filepath.Clean(dst)
+
+	// We use os.Lstat() here to ensure we don't fall in a loop where a symlink
+	// actually links to a one of its parent directories.
+	fi, err := os.Lstat(src)
+	if err != nil {
+		return err
+	}
+	if !fi.IsDir() {
+		return errSrcNotDir
+	}
+
+	_, err = os.Stat(dst)
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+	if err == nil {
+		return errDstExist
+	}
+
+	if err = os.MkdirAll(dst, fi.Mode()); err != nil {
+		return errors.Wrapf(err, "cannot mkdir %s", dst)
+	}
+
+	entries, err := os.ReadDir(src)
+	if err != nil {
+		return errors.Wrapf(err, "cannot read directory %s", dst)
+	}
+
+	for _, entry := range entries {
+		srcPath := filepath.Join(src, entry.Name())
+		dstPath := filepath.Join(dst, entry.Name())
+
+		if entry.IsDir() {
+			if err = CopyDir(srcPath, dstPath); err != nil {
+				return errors.Wrap(err, "copying directory failed")
+			}
+		} else {
+			// This will include symlinks, which is what we want when
+			// copying things.
+			if err = copyFile(srcPath, dstPath); err != nil {
+				return errors.Wrap(err, "copying file failed")
+			}
+		}
+	}
+
+	return nil
+}
+
+// copyFile copies the contents of the file named src to the file named
+// by dst. The file will be created if it does not already exist. If the
+// destination file exists, all its contents will be replaced by the contents
+// of the source file. The file mode will be copied from the source.
+func copyFile(src, dst string) (err error) {
+	if sym, err := IsSymlink(src); err != nil {
+		return errors.Wrap(err, "symlink check failed")
+	} else if sym {
+		if err := cloneSymlink(src, dst); err != nil {
+			if runtime.GOOS == "windows" {
+				// If cloning the symlink fails on Windows because the user
+				// does not have the required privileges, ignore the error and
+				// fall back to copying the file contents.
+				//
+				// ERROR_PRIVILEGE_NOT_HELD is 1314 (0x522):
+				// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx
+				if lerr, ok := err.(*os.LinkError); ok && lerr.Err != syscall.Errno(1314) {
+					return err
+				}
+			} else {
+				return err
+			}
+		} else {
+			return nil
+		}
+	}
+
+	in, err := os.Open(src)
+	if err != nil {
+		return
+	}
+	defer in.Close()
+
+	out, err := os.Create(dst)
+	if err != nil {
+		return
+	}
+
+	if _, err = io.Copy(out, in); err != nil {
+		out.Close()
+		return
+	}
+
+	// Check for write errors on Close
+	if err = out.Close(); err != nil {
+		return
+	}
+
+	si, err := os.Stat(src)
+	if err != nil {
+		return
+	}
+
+	// Temporary fix for Go < 1.9
+	//
+	// See: https://github.com/golang/dep/issues/774
+	// and https://github.com/golang/go/issues/20829
+	if runtime.GOOS == "windows" {
+		dst = fixLongPath(dst)
+	}
+	err = os.Chmod(dst, si.Mode())
+
+	return
+}
+
+// cloneSymlink will create a new symlink that points to the resolved path of sl.
+// If sl is a relative symlink, dst will also be a relative symlink.
+func cloneSymlink(sl, dst string) error {
+	resolved, err := os.Readlink(sl)
+	if err != nil {
+		return err
+	}
+
+	return os.Symlink(resolved, dst)
+}
+
+// IsDir determines is the path given is a directory or not.
+func IsDir(name string) (bool, error) {
+	fi, err := os.Stat(name)
+	if err != nil {
+		return false, err
+	}
+	if !fi.IsDir() {
+		return false, errors.Errorf("%q is not a directory", name)
+	}
+	return true, nil
+}
+
+// IsSymlink determines if the given path is a symbolic link.
+func IsSymlink(path string) (bool, error) {
+	l, err := os.Lstat(path)
+	if err != nil {
+		return false, err
+	}
+
+	return l.Mode()&os.ModeSymlink == os.ModeSymlink, nil
+}
+
+// fixLongPath returns the extended-length (\\?\-prefixed) form of
+// path when needed, in order to avoid the default 260 character file
+// path limit imposed by Windows. If path is not easily converted to
+// the extended-length form (for example, if path is a relative path
+// or contains .. elements), or is short enough, fixLongPath returns
+// path unmodified.
+//
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx#maxpath
+func fixLongPath(path string) string {
+	// Do nothing (and don't allocate) if the path is "short".
+	// Empirically (at least on the Windows Server 2013 builder),
+	// the kernel is arbitrarily okay with < 248 bytes. That
+	// matches what the docs above say:
+	// "When using an API to create a directory, the specified
+	// path cannot be so long that you cannot append an 8.3 file
+	// name (that is, the directory name cannot exceed MAX_PATH
+	// minus 12)." Since MAX_PATH is 260, 260 - 12 = 248.
+	//
+	// The MSDN docs appear to say that a normal path that is 248 bytes long
+	// will work; empirically the path must be less than 248 bytes long.
+	if len(path) < 248 {
+		// Don't fix. (This is how Go 1.7 and earlier worked,
+		// not automatically generating the \\?\ form)
+		return path
+	}
+
+	// The extended form begins with \\?\, as in
+	// \\?\c:\windows\foo.txt or \\?\UNC\server\share\foo.txt.
+	// The extended form disables evaluation of . and .. path
+	// elements and disables the interpretation of / as equivalent
+	// to \. The conversion here rewrites / to \ and elides
+	// . elements as well as trailing or duplicate separators. For
+	// simplicity it avoids the conversion entirely for relative
+	// paths or paths containing .. elements. For now,
+	// \\server\share paths are not converted to
+	// \\?\UNC\server\share paths because the rules for doing so
+	// are less well-specified.
+	if len(path) >= 2 && path[:2] == `\\` {
+		// Don't canonicalize UNC paths.
+		return path
+	}
+	if !isAbs(path) {
+		// Relative path
+		return path
+	}
+
+	const prefix = `\\?`
+
+	pathbuf := make([]byte, len(prefix)+len(path)+len(`\`))
+	copy(pathbuf, prefix)
+	n := len(path)
+	r, w := 0, len(prefix)
+	for r < n {
+		switch {
+		case os.IsPathSeparator(path[r]):
+			// empty block
+			r++
+		case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+			// /./
+			r++
+		case r+1 < n && path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+			// /../ is currently unhandled
+			return path
+		default:
+			pathbuf[w] = '\\'
+			w++
+			for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+				pathbuf[w] = path[r]
+				w++
+			}
+		}
+	}
+	// A drive's root directory needs a trailing \
+	if w == len(`\\?\c:`) {
+		pathbuf[w] = '\\'
+		w++
+	}
+	return string(pathbuf[:w])
+}
+
+func isAbs(path string) (b bool) {
+	v := volumeName(path)
+	if v == "" {
+		return false
+	}
+	path = path[len(v):]
+	if path == "" {
+		return false
+	}
+	return os.IsPathSeparator(path[0])
+}
+
+func volumeName(path string) (v string) {
+	if len(path) < 2 {
+		return ""
+	}
+	// with drive letter
+	c := path[0]
+	if path[1] == ':' &&
+		('0' <= c && c <= '9' || 'a' <= c && c <= 'z' ||
+			'A' <= c && c <= 'Z') {
+		return path[:2]
+	}
+	// is it UNC
+	if l := len(path); l >= 5 && os.IsPathSeparator(path[0]) && os.IsPathSeparator(path[1]) &&
+		!os.IsPathSeparator(path[2]) && path[2] != '.' {
+		// first, leading `\\` and next shouldn't be `\`. its server name.
+		for n := 3; n < l-1; n++ {
+			// second, next '\' shouldn't be repeated.
+			if os.IsPathSeparator(path[n]) {
+				n++
+				// third, following something characters. its share name.
+				if !os.IsPathSeparator(path[n]) {
+					if path[n] == '.' {
+						break
+					}
+					for ; n < l; n++ {
+						if os.IsPathSeparator(path[n]) {
+							break
+						}
+					}
+					return path[:n]
+				}
+				break
+			}
+		}
+	}
+	return ""
+}
diff --git a/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename.go b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename.go
new file mode 100644
index 0000000000..a3e5e56a61
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename.go
@@ -0,0 +1,58 @@
+//go:build !windows
+
+/*
+Copyright (c) for portions of rename.go are held by The Go Authors, 2016 and are provided under
+the BSD license.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package fs
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/pkg/errors"
+)
+
+// renameFallback attempts to determine the appropriate fallback to failed rename
+// operation depending on the resulting error.
+func renameFallback(err error, src, dst string) error {
+	// Rename may fail if src and dst are on different devices; fall back to
+	// copy if we detect that case. syscall.EXDEV is the common name for the
+	// cross device link error which has varying output text across different
+	// operating systems.
+	terr, ok := err.(*os.LinkError)
+	if !ok {
+		return err
+	} else if terr.Err != syscall.EXDEV {
+		return errors.Wrapf(terr, "link error: cannot rename %s to %s", src, dst)
+	}
+
+	return renameByCopy(src, dst)
+}
diff --git a/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename_windows.go b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename_windows.go
new file mode 100644
index 0000000000..a377720a6f
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename_windows.go
@@ -0,0 +1,69 @@
+//go:build windows
+
+/*
+Copyright (c) for portions of rename_windows.go are held by The Go Authors, 2016 and are provided under
+the BSD license.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package fs
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/pkg/errors"
+)
+
+// renameFallback attempts to determine the appropriate fallback to failed rename
+// operation depending on the resulting error.
+func renameFallback(err error, src, dst string) error {
+	// Rename may fail if src and dst are on different devices; fall back to
+	// copy if we detect that case. syscall.EXDEV is the common name for the
+	// cross device link error which has varying output text across different
+	// operating systems.
+	terr, ok := err.(*os.LinkError)
+	if !ok {
+		return err
+	}
+
+	if terr.Err != syscall.EXDEV {
+		// In windows it can drop down to an operating system call that
+		// returns an operating system error with a different number and
+		// message. Checking for that as a fall back.
+		noerr, ok := terr.Err.(syscall.Errno)
+
+		// 0x11 (ERROR_NOT_SAME_DEVICE) is the windows error.
+		// See https://msdn.microsoft.com/en-us/library/cc231199.aspx
+		if ok && noerr != 0x11 {
+			return errors.Wrapf(terr, "link error: cannot rename %s to %s", src, dst)
+		}
+	}
+
+	return renameByCopy(src, dst)
+}
diff --git a/vendor/helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util/deploymentutil.go b/vendor/helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util/deploymentutil.go
new file mode 100644
index 0000000000..ae62d0e6f8
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util/deploymentutil.go
@@ -0,0 +1,178 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"context"
+	"sort"
+
+	apps "k8s.io/api/apps/v1"
+	v1 "k8s.io/api/core/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	intstrutil "k8s.io/apimachinery/pkg/util/intstr"
+	appsclient "k8s.io/client-go/kubernetes/typed/apps/v1"
+)
+
+// deploymentutil contains a copy of a few functions from Kubernetes controller code to avoid a dependency on k8s.io/kubernetes.
+// This code is copied from https://github.com/kubernetes/kubernetes/blob/e856613dd5bb00bcfaca6974431151b5c06cbed5/pkg/controller/deployment/util/deployment_util.go
+// No changes to the code were made other than removing some unused functions
+
+// RsListFunc returns the ReplicaSet from the ReplicaSet namespace and the List metav1.ListOptions.
+type RsListFunc func(string, metav1.ListOptions) ([]*apps.ReplicaSet, error)
+
+// ListReplicaSets returns a slice of RSes the given deployment targets.
+// Note that this does NOT attempt to reconcile ControllerRef (adopt/orphan),
+// because only the controller itself should do that.
+// However, it does filter out anything whose ControllerRef doesn't match.
+func ListReplicaSets(deployment *apps.Deployment, getRSList RsListFunc) ([]*apps.ReplicaSet, error) {
+	// TODO: Right now we list replica sets by their labels. We should list them by selector, i.e. the replica set's selector
+	//       should be a superset of the deployment's selector, see https://github.com/kubernetes/kubernetes/issues/19830.
+	namespace := deployment.Namespace
+	selector, err := metav1.LabelSelectorAsSelector(deployment.Spec.Selector)
+	if err != nil {
+		return nil, err
+	}
+	options := metav1.ListOptions{LabelSelector: selector.String()}
+	all, err := getRSList(namespace, options)
+	if err != nil {
+		return nil, err
+	}
+	// Only include those whose ControllerRef matches the Deployment.
+	owned := make([]*apps.ReplicaSet, 0, len(all))
+	for _, rs := range all {
+		if metav1.IsControlledBy(rs, deployment) {
+			owned = append(owned, rs)
+		}
+	}
+	return owned, nil
+}
+
+// ReplicaSetsByCreationTimestamp sorts a list of ReplicaSet by creation timestamp, using their names as a tie breaker.
+type ReplicaSetsByCreationTimestamp []*apps.ReplicaSet
+
+func (o ReplicaSetsByCreationTimestamp) Len() int      { return len(o) }
+func (o ReplicaSetsByCreationTimestamp) Swap(i, j int) { o[i], o[j] = o[j], o[i] }
+func (o ReplicaSetsByCreationTimestamp) Less(i, j int) bool {
+	if o[i].CreationTimestamp.Equal(&o[j].CreationTimestamp) {
+		return o[i].Name < o[j].Name
+	}
+	return o[i].CreationTimestamp.Before(&o[j].CreationTimestamp)
+}
+
+// FindNewReplicaSet returns the new RS this given deployment targets (the one with the same pod template).
+func FindNewReplicaSet(deployment *apps.Deployment, rsList []*apps.ReplicaSet) *apps.ReplicaSet {
+	sort.Sort(ReplicaSetsByCreationTimestamp(rsList))
+	for i := range rsList {
+		if EqualIgnoreHash(&rsList[i].Spec.Template, &deployment.Spec.Template) {
+			// In rare cases, such as after cluster upgrades, Deployment may end up with
+			// having more than one new ReplicaSets that have the same template as its template,
+			// see https://github.com/kubernetes/kubernetes/issues/40415
+			// We deterministically choose the oldest new ReplicaSet.
+			return rsList[i]
+		}
+	}
+	// new ReplicaSet does not exist.
+	return nil
+}
+
+// EqualIgnoreHash returns true if two given podTemplateSpec are equal, ignoring the diff in value of Labels[pod-template-hash]
+// We ignore pod-template-hash because:
+//  1. The hash result would be different upon podTemplateSpec API changes
+//     (e.g. the addition of a new field will cause the hash code to change)
+//  2. The deployment template won't have hash labels
+func EqualIgnoreHash(template1, template2 *v1.PodTemplateSpec) bool {
+	t1Copy := template1.DeepCopy()
+	t2Copy := template2.DeepCopy()
+	// Remove hash labels from template.Labels before comparing
+	delete(t1Copy.Labels, apps.DefaultDeploymentUniqueLabelKey)
+	delete(t2Copy.Labels, apps.DefaultDeploymentUniqueLabelKey)
+	return apiequality.Semantic.DeepEqual(t1Copy, t2Copy)
+}
+
+// GetNewReplicaSet returns a replica set that matches the intent of the given deployment; get ReplicaSetList from client interface.
+// Returns nil if the new replica set doesn't exist yet.
+func GetNewReplicaSet(deployment *apps.Deployment, c appsclient.AppsV1Interface) (*apps.ReplicaSet, error) {
+	rsList, err := ListReplicaSets(deployment, RsListFromClient(c))
+	if err != nil {
+		return nil, err
+	}
+	return FindNewReplicaSet(deployment, rsList), nil
+}
+
+// RsListFromClient returns an rsListFunc that wraps the given client.
+func RsListFromClient(c appsclient.AppsV1Interface) RsListFunc {
+	return func(namespace string, options metav1.ListOptions) ([]*apps.ReplicaSet, error) {
+		rsList, err := c.ReplicaSets(namespace).List(context.Background(), options)
+		if err != nil {
+			return nil, err
+		}
+		var ret []*apps.ReplicaSet
+		for i := range rsList.Items {
+			ret = append(ret, &rsList.Items[i])
+		}
+		return ret, err
+	}
+}
+
+// IsRollingUpdate returns true if the strategy type is a rolling update.
+func IsRollingUpdate(deployment *apps.Deployment) bool {
+	return deployment.Spec.Strategy.Type == apps.RollingUpdateDeploymentStrategyType
+}
+
+// MaxUnavailable returns the maximum unavailable pods a rolling deployment can take.
+func MaxUnavailable(deployment apps.Deployment) int32 {
+	if !IsRollingUpdate(&deployment) || *(deployment.Spec.Replicas) == 0 {
+		return int32(0)
+	}
+	// Error caught by validation
+	_, maxUnavailable, _ := ResolveFenceposts(deployment.Spec.Strategy.RollingUpdate.MaxSurge, deployment.Spec.Strategy.RollingUpdate.MaxUnavailable, *(deployment.Spec.Replicas))
+	if maxUnavailable > *deployment.Spec.Replicas {
+		return *deployment.Spec.Replicas
+	}
+	return maxUnavailable
+}
+
+// ResolveFenceposts resolves both maxSurge and maxUnavailable. This needs to happen in one
+// step. For example:
+//
+// 2 desired, max unavailable 1%, surge 0% - should scale old(-1), then new(+1), then old(-1), then new(+1)
+// 1 desired, max unavailable 1%, surge 0% - should scale old(-1), then new(+1)
+// 2 desired, max unavailable 25%, surge 1% - should scale new(+1), then old(-1), then new(+1), then old(-1)
+// 1 desired, max unavailable 25%, surge 1% - should scale new(+1), then old(-1)
+// 2 desired, max unavailable 0%, surge 1% - should scale new(+1), then old(-1), then new(+1), then old(-1)
+// 1 desired, max unavailable 0%, surge 1% - should scale new(+1), then old(-1)
+func ResolveFenceposts(maxSurge, maxUnavailable *intstrutil.IntOrString, desired int32) (int32, int32, error) {
+	surge, err := intstrutil.GetValueFromIntOrPercent(intstrutil.ValueOrDefault(maxSurge, intstrutil.FromInt(0)), int(desired), true)
+	if err != nil {
+		return 0, 0, err
+	}
+	unavailable, err := intstrutil.GetValueFromIntOrPercent(intstrutil.ValueOrDefault(maxUnavailable, intstrutil.FromInt(0)), int(desired), false)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	if surge == 0 && unavailable == 0 {
+		// Validation should never allow the user to explicitly use zero values for both maxSurge
+		// maxUnavailable. Due to rounding down maxUnavailable though, it may resolve to zero.
+		// If both fenceposts resolve to zero, then we should set maxUnavailable to 1 on the
+		// theory that surge might not work due to quota.
+		unavailable = 1
+	}
+
+	return int32(surge), int32(unavailable), nil
+}
diff --git a/vendor/helm.sh/helm/v3/internal/tlsutil/cfg.go b/vendor/helm.sh/helm/v3/internal/tlsutil/cfg.go
new file mode 100644
index 0000000000..8b9d4329fe
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/tlsutil/cfg.go
@@ -0,0 +1,58 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tlsutil
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+// Options represents configurable options used to create client and server TLS configurations.
+type Options struct {
+	CaCertFile string
+	// If either the KeyFile or CertFile is empty, ClientConfig() will not load them.
+	KeyFile  string
+	CertFile string
+	// Client-only options
+	InsecureSkipVerify bool
+}
+
+// ClientConfig returns a TLS configuration for use by a Helm client.
+func ClientConfig(opts Options) (cfg *tls.Config, err error) {
+	var cert *tls.Certificate
+	var pool *x509.CertPool
+
+	if opts.CertFile != "" || opts.KeyFile != "" {
+		if cert, err = CertFromFilePair(opts.CertFile, opts.KeyFile); err != nil {
+			if os.IsNotExist(err) {
+				return nil, errors.Wrapf(err, "could not load x509 key pair (cert: %q, key: %q)", opts.CertFile, opts.KeyFile)
+			}
+			return nil, errors.Wrapf(err, "could not read x509 key pair (cert: %q, key: %q)", opts.CertFile, opts.KeyFile)
+		}
+	}
+	if !opts.InsecureSkipVerify && opts.CaCertFile != "" {
+		if pool, err = CertPoolFromFile(opts.CaCertFile); err != nil {
+			return nil, err
+		}
+	}
+
+	cfg = &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify, Certificates: []tls.Certificate{*cert}, RootCAs: pool}
+	return cfg, nil
+}
diff --git a/vendor/helm.sh/helm/v3/internal/tlsutil/tls.go b/vendor/helm.sh/helm/v3/internal/tlsutil/tls.go
new file mode 100644
index 0000000000..7cd1dace96
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/tlsutil/tls.go
@@ -0,0 +1,78 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tlsutil
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+// NewClientTLS returns tls.Config appropriate for client auth.
+func NewClientTLS(certFile, keyFile, caFile string, insecureSkipTLSverify bool) (*tls.Config, error) {
+	config := tls.Config{
+		InsecureSkipVerify: insecureSkipTLSverify,
+	}
+
+	if certFile != "" && keyFile != "" {
+		cert, err := CertFromFilePair(certFile, keyFile)
+		if err != nil {
+			return nil, err
+		}
+		config.Certificates = []tls.Certificate{*cert}
+	}
+
+	if caFile != "" {
+		cp, err := CertPoolFromFile(caFile)
+		if err != nil {
+			return nil, err
+		}
+		config.RootCAs = cp
+	}
+
+	return &config, nil
+}
+
+// CertPoolFromFile returns an x509.CertPool containing the certificates
+// in the given PEM-encoded file.
+// Returns an error if the file could not be read, a certificate could not
+// be parsed, or if the file does not contain any certificates
+func CertPoolFromFile(filename string) (*x509.CertPool, error) {
+	b, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, errors.Errorf("can't read CA file: %v", filename)
+	}
+	cp := x509.NewCertPool()
+	if !cp.AppendCertsFromPEM(b) {
+		return nil, errors.Errorf("failed to append certificates from file: %s", filename)
+	}
+	return cp, nil
+}
+
+// CertFromFilePair returns a tls.Certificate containing the
+// certificates public/private key pair from a pair of given PEM-encoded files.
+// Returns an error if the file could not be read, a certificate could not
+// be parsed, or if the file does not contain any certificates
+func CertFromFilePair(certFile, keyFile string) (*tls.Certificate, error) {
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return nil, errors.Wrapf(err, "can't load key pair from cert %s and key %s", certFile, keyFile)
+	}
+	return &cert, err
+}
diff --git a/vendor/helm.sh/helm/v3/internal/urlutil/urlutil.go b/vendor/helm.sh/helm/v3/internal/urlutil/urlutil.go
new file mode 100644
index 0000000000..a8cf7398c0
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/urlutil/urlutil.go
@@ -0,0 +1,73 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package urlutil
+
+import (
+	"net/url"
+	"path"
+	"path/filepath"
+)
+
+// URLJoin joins a base URL to one or more path components.
+//
+// It's like filepath.Join for URLs. If the baseURL is pathish, this will still
+// perform a join.
+//
+// If the URL is unparsable, this returns an error.
+func URLJoin(baseURL string, paths ...string) (string, error) {
+	u, err := url.Parse(baseURL)
+	if err != nil {
+		return "", err
+	}
+	// We want path instead of filepath because path always uses /.
+	all := []string{u.Path}
+	all = append(all, paths...)
+	u.Path = path.Join(all...)
+	return u.String(), nil
+}
+
+// Equal normalizes two URLs and then compares for equality.
+func Equal(a, b string) bool {
+	au, err := url.Parse(a)
+	if err != nil {
+		a = filepath.Clean(a)
+		b = filepath.Clean(b)
+		// If urls are paths, return true only if they are an exact match
+		return a == b
+	}
+	bu, err := url.Parse(b)
+	if err != nil {
+		return false
+	}
+
+	for _, u := range []*url.URL{au, bu} {
+		if u.Path == "" {
+			u.Path = "/"
+		}
+		u.Path = filepath.Clean(u.Path)
+	}
+	return au.String() == bu.String()
+}
+
+// ExtractHostname returns hostname from URL
+func ExtractHostname(addr string) (string, error) {
+	u, err := url.Parse(addr)
+	if err != nil {
+		return "", err
+	}
+	return u.Hostname(), nil
+}
diff --git a/vendor/helm.sh/helm/v3/internal/version/version.go b/vendor/helm.sh/helm/v3/internal/version/version.go
new file mode 100644
index 0000000000..6f6f319b01
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/internal/version/version.go
@@ -0,0 +1,81 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package version // import "helm.sh/helm/v3/internal/version"
+
+import (
+	"flag"
+	"runtime"
+	"strings"
+)
+
+var (
+	// version is the current version of Helm.
+	// Update this whenever making a new release.
+	// The version is of the format Major.Minor.Patch[-Prerelease][+BuildMetadata]
+	//
+	// Increment major number for new feature additions and behavioral changes.
+	// Increment minor number for bug fixes and performance enhancements.
+	version = "v3.18"
+
+	// metadata is extra build time data
+	metadata = ""
+	// gitCommit is the git sha1
+	gitCommit = ""
+	// gitTreeState is the state of the git tree
+	gitTreeState = ""
+)
+
+// BuildInfo describes the compile time information.
+type BuildInfo struct {
+	// Version is the current semver.
+	Version string `json:"version,omitempty"`
+	// GitCommit is the git sha1.
+	GitCommit string `json:"git_commit,omitempty"`
+	// GitTreeState is the state of the git tree.
+	GitTreeState string `json:"git_tree_state,omitempty"`
+	// GoVersion is the version of the Go compiler used.
+	GoVersion string `json:"go_version,omitempty"`
+}
+
+// GetVersion returns the semver string of the version
+func GetVersion() string {
+	if metadata == "" {
+		return version
+	}
+	return version + "+" + metadata
+}
+
+// GetUserAgent returns a user agent for user with an HTTP client
+func GetUserAgent() string {
+	return "Helm/" + strings.TrimPrefix(GetVersion(), "v")
+}
+
+// Get returns build info
+func Get() BuildInfo {
+	v := BuildInfo{
+		Version:      GetVersion(),
+		GitCommit:    gitCommit,
+		GitTreeState: gitTreeState,
+		GoVersion:    runtime.Version(),
+	}
+
+	// HACK(bacongobbler): strip out GoVersion during a test run for consistent test output
+	if flag.Lookup("test.v") != nil {
+		v.GoVersion = ""
+	}
+	return v
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/action.go b/vendor/helm.sh/helm/v3/pkg/action/action.go
new file mode 100644
index 0000000000..9aaf64ca46
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/action.go
@@ -0,0 +1,437 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/pkg/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/engine"
+	"helm.sh/helm/v3/pkg/kube"
+	"helm.sh/helm/v3/pkg/postrender"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/releaseutil"
+	"helm.sh/helm/v3/pkg/storage"
+	"helm.sh/helm/v3/pkg/storage/driver"
+	"helm.sh/helm/v3/pkg/time"
+)
+
+// Timestamper is a function capable of producing a timestamp.Timestamper.
+//
+// By default, this is a time.Time function from the Helm time package. This can
+// be overridden for testing though, so that timestamps are predictable.
+var Timestamper = time.Now
+
+var (
+	// errMissingChart indicates that a chart was not provided.
+	errMissingChart = errors.New("no chart provided")
+	// errMissingRelease indicates that a release (name) was not provided.
+	errMissingRelease = errors.New("no release provided")
+	// errInvalidRevision indicates that an invalid release revision number was provided.
+	errInvalidRevision = errors.New("invalid release revision")
+	// errPending indicates that another instance of Helm is already applying an operation on a release.
+	errPending = errors.New("another operation (install/upgrade/rollback) is in progress")
+)
+
+// ValidName is a regular expression for resource names.
+//
+// DEPRECATED: This will be removed in Helm 4, and is no longer used here. See
+// pkg/lint/rules.validateMetadataNameFunc for the replacement.
+//
+// According to the Kubernetes help text, the regular expression it uses is:
+//
+//	[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*
+//
+// This follows the above regular expression (but requires a full string match, not partial).
+//
+// The Kubernetes documentation is here, though it is not entirely correct:
+// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+var ValidName = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
+
+// Configuration injects the dependencies that all actions share.
+type Configuration struct {
+	// RESTClientGetter is an interface that loads Kubernetes clients.
+	RESTClientGetter RESTClientGetter
+
+	// Releases stores records of releases.
+	Releases *storage.Storage
+
+	// KubeClient is a Kubernetes API client.
+	KubeClient kube.Interface
+
+	// RegistryClient is a client for working with registries
+	RegistryClient *registry.Client
+
+	// Capabilities describes the capabilities of the Kubernetes cluster.
+	Capabilities *chartutil.Capabilities
+
+	Log func(string, ...interface{})
+
+	// HookOutputFunc called with container name and returns and expects writer that will receive the log output.
+	HookOutputFunc func(namespace, pod, container string) io.Writer
+}
+
+// renderResources renders the templates in a chart
+//
+// TODO: This function is badly in need of a refactor.
+// TODO: As part of the refactor the duplicate code in cmd/helm/template.go should be removed
+//
+//	This code has to do with writing files to disk.
+func (cfg *Configuration) renderResources(ch *chart.Chart, values chartutil.Values, releaseName, outputDir string, subNotes, useReleaseName, includeCrds bool, pr postrender.PostRenderer, interactWithRemote, enableDNS, hideSecret bool) ([]*release.Hook, *bytes.Buffer, string, error) {
+	hs := []*release.Hook{}
+	b := bytes.NewBuffer(nil)
+
+	caps, err := cfg.getCapabilities()
+	if err != nil {
+		return hs, b, "", err
+	}
+
+	if ch.Metadata.KubeVersion != "" {
+		if !chartutil.IsCompatibleRange(ch.Metadata.KubeVersion, caps.KubeVersion.String()) {
+			return hs, b, "", errors.Errorf("chart requires kubeVersion: %s which is incompatible with Kubernetes %s", ch.Metadata.KubeVersion, caps.KubeVersion.String())
+		}
+	}
+
+	var files map[string]string
+	var err2 error
+
+	// A `helm template` should not talk to the remote cluster. However, commands with the flag
+	// `--dry-run` with the value of `false`, `none`, or `server` should try to interact with the cluster.
+	// It may break in interesting and exotic ways because other data (e.g. discovery) is mocked.
+	if interactWithRemote && cfg.RESTClientGetter != nil {
+		restConfig, err := cfg.RESTClientGetter.ToRESTConfig()
+		if err != nil {
+			return hs, b, "", err
+		}
+		e := engine.New(restConfig)
+		e.EnableDNS = enableDNS
+		files, err2 = e.Render(ch, values)
+	} else {
+		var e engine.Engine
+		e.EnableDNS = enableDNS
+		files, err2 = e.Render(ch, values)
+	}
+
+	if err2 != nil {
+		return hs, b, "", err2
+	}
+
+	// NOTES.txt gets rendered like all the other files, but because it's not a hook nor a resource,
+	// pull it out of here into a separate file so that we can actually use the output of the rendered
+	// text file. We have to spin through this map because the file contains path information, so we
+	// look for terminating NOTES.txt. We also remove it from the files so that we don't have to skip
+	// it in the sortHooks.
+	var notesBuffer bytes.Buffer
+	for k, v := range files {
+		if strings.HasSuffix(k, notesFileSuffix) {
+			if subNotes || (k == path.Join(ch.Name(), "templates", notesFileSuffix)) {
+				// If buffer contains data, add newline before adding more
+				if notesBuffer.Len() > 0 {
+					notesBuffer.WriteString("\n")
+				}
+				notesBuffer.WriteString(v)
+			}
+			delete(files, k)
+		}
+	}
+	notes := notesBuffer.String()
+
+	// Sort hooks, manifests, and partials. Only hooks and manifests are returned,
+	// as partials are not used after renderer.Render. Empty manifests are also
+	// removed here.
+	hs, manifests, err := releaseutil.SortManifests(files, nil, releaseutil.InstallOrder)
+	if err != nil {
+		// By catching parse errors here, we can prevent bogus releases from going
+		// to Kubernetes.
+		//
+		// We return the files as a big blob of data to help the user debug parser
+		// errors.
+		for name, content := range files {
+			if strings.TrimSpace(content) == "" {
+				continue
+			}
+			fmt.Fprintf(b, "---\n# Source: %s\n%s\n", name, content)
+		}
+		return hs, b, "", err
+	}
+
+	// Aggregate all valid manifests into one big doc.
+	fileWritten := make(map[string]bool)
+
+	if includeCrds {
+		for _, crd := range ch.CRDObjects() {
+			if outputDir == "" {
+				fmt.Fprintf(b, "---\n# Source: %s\n%s\n", crd.Filename, string(crd.File.Data[:]))
+			} else {
+				err = writeToFile(outputDir, crd.Filename, string(crd.File.Data[:]), fileWritten[crd.Filename])
+				if err != nil {
+					return hs, b, "", err
+				}
+				fileWritten[crd.Filename] = true
+			}
+		}
+	}
+
+	for _, m := range manifests {
+		if outputDir == "" {
+			if hideSecret && m.Head.Kind == "Secret" && m.Head.Version == "v1" {
+				fmt.Fprintf(b, "---\n# Source: %s\n# HIDDEN: The Secret output has been suppressed\n", m.Name)
+			} else {
+				fmt.Fprintf(b, "---\n# Source: %s\n%s\n", m.Name, m.Content)
+			}
+		} else {
+			newDir := outputDir
+			if useReleaseName {
+				newDir = filepath.Join(outputDir, releaseName)
+			}
+			// NOTE: We do not have to worry about the post-renderer because
+			// output dir is only used by `helm template`. In the next major
+			// release, we should move this logic to template only as it is not
+			// used by install or upgrade
+			err = writeToFile(newDir, m.Name, m.Content, fileWritten[m.Name])
+			if err != nil {
+				return hs, b, "", err
+			}
+			fileWritten[m.Name] = true
+		}
+	}
+
+	if pr != nil {
+		b, err = pr.Run(b)
+		if err != nil {
+			return hs, b, notes, errors.Wrap(err, "error while running post render on files")
+		}
+	}
+
+	return hs, b, notes, nil
+}
+
+// RESTClientGetter gets the rest client
+type RESTClientGetter interface {
+	ToRESTConfig() (*rest.Config, error)
+	ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error)
+	ToRESTMapper() (meta.RESTMapper, error)
+}
+
+// DebugLog sets the logger that writes debug strings
+type DebugLog func(format string, v ...interface{})
+
+// capabilities builds a Capabilities from discovery information.
+func (cfg *Configuration) getCapabilities() (*chartutil.Capabilities, error) {
+	if cfg.Capabilities != nil {
+		return cfg.Capabilities, nil
+	}
+	dc, err := cfg.RESTClientGetter.ToDiscoveryClient()
+	if err != nil {
+		return nil, errors.Wrap(err, "could not get Kubernetes discovery client")
+	}
+	// force a discovery cache invalidation to always fetch the latest server version/capabilities.
+	dc.Invalidate()
+	kubeVersion, err := dc.ServerVersion()
+	if err != nil {
+		return nil, errors.Wrap(err, "could not get server version from Kubernetes")
+	}
+	// Issue #6361:
+	// Client-Go emits an error when an API service is registered but unimplemented.
+	// We trap that error here and print a warning. But since the discovery client continues
+	// building the API object, it is correctly populated with all valid APIs.
+	// See https://github.com/kubernetes/kubernetes/issues/72051#issuecomment-521157642
+	apiVersions, err := GetVersionSet(dc)
+	if err != nil {
+		if discovery.IsGroupDiscoveryFailedError(err) {
+			cfg.Log("WARNING: The Kubernetes server has an orphaned API service. Server reports: %s", err)
+			cfg.Log("WARNING: To fix this, kubectl delete apiservice <service-name>")
+		} else {
+			return nil, errors.Wrap(err, "could not get apiVersions from Kubernetes")
+		}
+	}
+
+	cfg.Capabilities = &chartutil.Capabilities{
+		APIVersions: apiVersions,
+		KubeVersion: chartutil.KubeVersion{
+			Version: kubeVersion.GitVersion,
+			Major:   kubeVersion.Major,
+			Minor:   kubeVersion.Minor,
+		},
+		HelmVersion: chartutil.DefaultCapabilities.HelmVersion,
+	}
+	return cfg.Capabilities, nil
+}
+
+// KubernetesClientSet creates a new kubernetes ClientSet based on the configuration
+func (cfg *Configuration) KubernetesClientSet() (kubernetes.Interface, error) {
+	conf, err := cfg.RESTClientGetter.ToRESTConfig()
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to generate config for kubernetes client")
+	}
+
+	return kubernetes.NewForConfig(conf)
+}
+
+// Now generates a timestamp
+//
+// If the configuration has a Timestamper on it, that will be used.
+// Otherwise, this will use time.Now().
+func (cfg *Configuration) Now() time.Time {
+	return Timestamper()
+}
+
+func (cfg *Configuration) releaseContent(name string, version int) (*release.Release, error) {
+	if err := chartutil.ValidateReleaseName(name); err != nil {
+		return nil, errors.Errorf("releaseContent: Release name is invalid: %s", name)
+	}
+
+	if version <= 0 {
+		return cfg.Releases.Last(name)
+	}
+
+	return cfg.Releases.Get(name, version)
+}
+
+// GetVersionSet retrieves a set of available k8s API versions
+func GetVersionSet(client discovery.ServerResourcesInterface) (chartutil.VersionSet, error) {
+	groups, resources, err := client.ServerGroupsAndResources()
+	if err != nil && !discovery.IsGroupDiscoveryFailedError(err) {
+		return chartutil.DefaultVersionSet, errors.Wrap(err, "could not get apiVersions from Kubernetes")
+	}
+
+	// FIXME: The Kubernetes test fixture for cli appears to always return nil
+	// for calls to Discovery().ServerGroupsAndResources(). So in this case, we
+	// return the default API list. This is also a safe value to return in any
+	// other odd-ball case.
+	if len(groups) == 0 && len(resources) == 0 {
+		return chartutil.DefaultVersionSet, nil
+	}
+
+	versionMap := make(map[string]interface{})
+	var versions []string
+
+	// Extract the groups
+	for _, g := range groups {
+		for _, gv := range g.Versions {
+			versionMap[gv.GroupVersion] = struct{}{}
+		}
+	}
+
+	// Extract the resources
+	var id string
+	var ok bool
+	for _, r := range resources {
+		for _, rl := range r.APIResources {
+
+			// A Kind at a GroupVersion can show up more than once. We only want
+			// it displayed once in the final output.
+			id = path.Join(r.GroupVersion, rl.Kind)
+			if _, ok = versionMap[id]; !ok {
+				versionMap[id] = struct{}{}
+			}
+		}
+	}
+
+	// Convert to a form that NewVersionSet can use
+	for k := range versionMap {
+		versions = append(versions, k)
+	}
+
+	return chartutil.VersionSet(versions), nil
+}
+
+// recordRelease with an update operation in case reuse has been set.
+func (cfg *Configuration) recordRelease(r *release.Release) {
+	if err := cfg.Releases.Update(r); err != nil {
+		cfg.Log("warning: Failed to update release %s: %s", r.Name, err)
+	}
+}
+
+// Init initializes the action configuration
+func (cfg *Configuration) Init(getter genericclioptions.RESTClientGetter, namespace, helmDriver string, log DebugLog) error {
+	kc := kube.New(getter)
+	kc.Log = log
+
+	lazyClient := &lazyClient{
+		namespace: namespace,
+		clientFn:  kc.Factory.KubernetesClientSet,
+	}
+
+	var store *storage.Storage
+	switch helmDriver {
+	case "secret", "secrets", "":
+		d := driver.NewSecrets(newSecretClient(lazyClient))
+		d.Log = log
+		store = storage.Init(d)
+	case "configmap", "configmaps":
+		d := driver.NewConfigMaps(newConfigMapClient(lazyClient))
+		d.Log = log
+		store = storage.Init(d)
+	case "memory":
+		var d *driver.Memory
+		if cfg.Releases != nil {
+			if mem, ok := cfg.Releases.Driver.(*driver.Memory); ok {
+				// This function can be called more than once (e.g., helm list --all-namespaces).
+				// If a memory driver was already initialized, re-use it but set the possibly new namespace.
+				// We re-use it in case some releases where already created in the existing memory driver.
+				d = mem
+			}
+		}
+		if d == nil {
+			d = driver.NewMemory()
+		}
+		d.SetNamespace(namespace)
+		store = storage.Init(d)
+	case "sql":
+		d, err := driver.NewSQL(
+			os.Getenv("HELM_DRIVER_SQL_CONNECTION_STRING"),
+			log,
+			namespace,
+		)
+		if err != nil {
+			return errors.Wrap(err, "unable to instantiate SQL driver")
+		}
+		store = storage.Init(d)
+	default:
+		return errors.Errorf("unknown driver %q", helmDriver)
+	}
+
+	cfg.RESTClientGetter = getter
+	cfg.KubeClient = kc
+	cfg.Releases = store
+	cfg.Log = log
+	cfg.HookOutputFunc = func(_, _, _ string) io.Writer { return io.Discard }
+
+	return nil
+}
+
+// SetHookOutputFunc sets the HookOutputFunc on the Configuration.
+func (cfg *Configuration) SetHookOutputFunc(hookOutputFunc func(_, _, _ string) io.Writer) {
+	cfg.HookOutputFunc = hookOutputFunc
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/dependency.go b/vendor/helm.sh/helm/v3/pkg/action/dependency.go
new file mode 100644
index 0000000000..19305fee88
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/dependency.go
@@ -0,0 +1,237 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/gosuri/uitable"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+)
+
+// Dependency is the action for building a given chart's dependency tree.
+//
+// It provides the implementation of 'helm dependency' and its respective subcommands.
+type Dependency struct {
+	Verify                bool
+	Keyring               string
+	SkipRefresh           bool
+	ColumnWidth           uint
+	Username              string
+	Password              string
+	CertFile              string
+	KeyFile               string
+	CaFile                string
+	InsecureSkipTLSverify bool
+	PlainHTTP             bool
+}
+
+// NewDependency creates a new Dependency object with the given configuration.
+func NewDependency() *Dependency {
+	return &Dependency{
+		ColumnWidth: 80,
+	}
+}
+
+// List executes 'helm dependency list'.
+func (d *Dependency) List(chartpath string, out io.Writer) error {
+	c, err := loader.Load(chartpath)
+	if err != nil {
+		return err
+	}
+
+	if c.Metadata.Dependencies == nil {
+		fmt.Fprintf(out, "WARNING: no dependencies at %s\n", filepath.Join(chartpath, "charts"))
+		return nil
+	}
+
+	d.printDependencies(chartpath, out, c)
+	fmt.Fprintln(out)
+	d.printMissing(chartpath, out, c.Metadata.Dependencies)
+	return nil
+}
+
+// dependencyStatus returns a string describing the status of a dependency viz a viz the parent chart.
+func (d *Dependency) dependencyStatus(chartpath string, dep *chart.Dependency, parent *chart.Chart) string {
+	filename := fmt.Sprintf("%s-%s.tgz", dep.Name, "*")
+
+	// If a chart is unpacked, this will check the unpacked chart's `charts/` directory for tarballs.
+	// Technically, this is COMPLETELY unnecessary, and should be removed in Helm 4. It is here
+	// to preserved backward compatibility. In Helm 2/3, there is a "difference" between
+	// the tgz version (which outputs "ok" if it unpacks) and the loaded version (which outputs
+	// "unpacked"). Early in Helm 2's history, this would have made a difference. But it no
+	// longer does. However, since this code shipped with Helm 3, the output must remain stable
+	// until Helm 4.
+	switch archives, err := filepath.Glob(filepath.Join(chartpath, "charts", filename)); {
+	case err != nil:
+		return "bad pattern"
+	case len(archives) > 1:
+		// See if the second part is a SemVer
+		found := []string{}
+		for _, arc := range archives {
+			// we need to trip the prefix dirs and the extension off.
+			filename = strings.TrimSuffix(filepath.Base(arc), ".tgz")
+			maybeVersion := strings.TrimPrefix(filename, fmt.Sprintf("%s-", dep.Name))
+
+			if _, err := semver.StrictNewVersion(maybeVersion); err == nil {
+				// If the version parsed without an error, it is possibly a valid
+				// version.
+				found = append(found, arc)
+			}
+		}
+
+		if l := len(found); l == 1 {
+			// If we get here, we do the same thing as in len(archives) == 1.
+			if r := statArchiveForStatus(found[0], dep); r != "" {
+				return r
+			}
+
+			// Fall through and look for directories
+		} else if l > 1 {
+			return "too many matches"
+		}
+
+		// The sanest thing to do here is to fall through and see if we have any directory
+		// matches.
+
+	case len(archives) == 1:
+		archive := archives[0]
+		if r := statArchiveForStatus(archive, dep); r != "" {
+			return r
+		}
+
+	}
+	// End unnecessary code.
+
+	var depChart *chart.Chart
+	for _, item := range parent.Dependencies() {
+		if item.Name() == dep.Name {
+			depChart = item
+		}
+	}
+
+	if depChart == nil {
+		return "missing"
+	}
+
+	if depChart.Metadata.Version != dep.Version {
+		constraint, err := semver.NewConstraint(dep.Version)
+		if err != nil {
+			return "invalid version"
+		}
+
+		v, err := semver.NewVersion(depChart.Metadata.Version)
+		if err != nil {
+			return "invalid version"
+		}
+
+		if !constraint.Check(v) {
+			return "wrong version"
+		}
+	}
+
+	return "unpacked"
+}
+
+// stat an archive and return a message if the stat is successful
+//
+// This is a refactor of the code originally in dependencyStatus. It is here to
+// support legacy behavior, and should be removed in Helm 4.
+func statArchiveForStatus(archive string, dep *chart.Dependency) string {
+	if _, err := os.Stat(archive); err == nil {
+		c, err := loader.Load(archive)
+		if err != nil {
+			return "corrupt"
+		}
+		if c.Name() != dep.Name {
+			return "misnamed"
+		}
+
+		if c.Metadata.Version != dep.Version {
+			constraint, err := semver.NewConstraint(dep.Version)
+			if err != nil {
+				return "invalid version"
+			}
+
+			v, err := semver.NewVersion(c.Metadata.Version)
+			if err != nil {
+				return "invalid version"
+			}
+
+			if !constraint.Check(v) {
+				return "wrong version"
+			}
+		}
+		return "ok"
+	}
+	return ""
+}
+
+// printDependencies prints all of the dependencies in the yaml file.
+func (d *Dependency) printDependencies(chartpath string, out io.Writer, c *chart.Chart) {
+	table := uitable.New()
+	table.MaxColWidth = d.ColumnWidth
+	table.AddRow("NAME", "VERSION", "REPOSITORY", "STATUS")
+	for _, row := range c.Metadata.Dependencies {
+		table.AddRow(row.Name, row.Version, row.Repository, d.dependencyStatus(chartpath, row, c))
+	}
+	fmt.Fprintln(out, table)
+}
+
+// printMissing prints warnings about charts that are present on disk, but are
+// not in Chart.yaml.
+func (d *Dependency) printMissing(chartpath string, out io.Writer, reqs []*chart.Dependency) {
+	folder := filepath.Join(chartpath, "charts/*")
+	files, err := filepath.Glob(folder)
+	if err != nil {
+		fmt.Fprintln(out, err)
+		return
+	}
+
+	for _, f := range files {
+		fi, err := os.Stat(f)
+		if err != nil {
+			fmt.Fprintf(out, "Warning: %s\n", err)
+		}
+		// Skip anything that is not a directory and not a tgz file.
+		if !fi.IsDir() && filepath.Ext(f) != ".tgz" {
+			continue
+		}
+		c, err := loader.Load(f)
+		if err != nil {
+			fmt.Fprintf(out, "WARNING: %q is not a chart.\n", f)
+			continue
+		}
+		found := false
+		for _, d := range reqs {
+			if d.Name == c.Name() {
+				found = true
+				break
+			}
+		}
+		if !found {
+			fmt.Fprintf(out, "WARNING: %q is not in Chart.yaml.\n", f)
+		}
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/doc.go b/vendor/helm.sh/helm/v3/pkg/action/doc.go
new file mode 100644
index 0000000000..3c91bd6184
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/doc.go
@@ -0,0 +1,22 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package action contains the logic for each action that Helm can perform.
+//
+// This is a library for calling top-level Helm actions like 'install',
+// 'upgrade', or 'list'. Actions approximately match the command line
+// invocations that the Helm client uses.
+package action
diff --git a/vendor/helm.sh/helm/v3/pkg/action/get.go b/vendor/helm.sh/helm/v3/pkg/action/get.go
new file mode 100644
index 0000000000..f44b53307f
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/get.go
@@ -0,0 +1,47 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"helm.sh/helm/v3/pkg/release"
+)
+
+// Get is the action for checking a given release's information.
+//
+// It provides the implementation of 'helm get' and its respective subcommands (except `helm get values`).
+type Get struct {
+	cfg *Configuration
+
+	// Initializing Version to 0 will get the latest revision of the release.
+	Version int
+}
+
+// NewGet creates a new Get object with the given configuration.
+func NewGet(cfg *Configuration) *Get {
+	return &Get{
+		cfg: cfg,
+	}
+}
+
+// Run executes 'helm get' against the given release.
+func (g *Get) Run(name string) (*release.Release, error) {
+	if err := g.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	return g.cfg.releaseContent(name, g.Version)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/get_metadata.go b/vendor/helm.sh/helm/v3/pkg/action/get_metadata.go
new file mode 100644
index 0000000000..f79788c3bb
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/get_metadata.go
@@ -0,0 +1,90 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"sort"
+	"strings"
+	"time"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+// GetMetadata is the action for checking a given release's metadata.
+//
+// It provides the implementation of 'helm get metadata'.
+type GetMetadata struct {
+	cfg *Configuration
+
+	Version int
+}
+
+type Metadata struct {
+	Name         string              `json:"name" yaml:"name"`
+	Chart        string              `json:"chart" yaml:"chart"`
+	Version      string              `json:"version" yaml:"version"`
+	AppVersion   string              `json:"appVersion" yaml:"appVersion"`
+	Annotations  map[string]string   `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+	Dependencies []*chart.Dependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"`
+	Namespace    string              `json:"namespace" yaml:"namespace"`
+	Revision     int                 `json:"revision" yaml:"revision"`
+	Status       string              `json:"status" yaml:"status"`
+	DeployedAt   string              `json:"deployedAt" yaml:"deployedAt"`
+}
+
+// NewGetMetadata creates a new GetMetadata object with the given configuration.
+func NewGetMetadata(cfg *Configuration) *GetMetadata {
+	return &GetMetadata{
+		cfg: cfg,
+	}
+}
+
+// Run executes 'helm get metadata' against the given release.
+func (g *GetMetadata) Run(name string) (*Metadata, error) {
+	if err := g.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	rel, err := g.cfg.releaseContent(name, g.Version)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Metadata{
+		Name:         rel.Name,
+		Chart:        rel.Chart.Metadata.Name,
+		Version:      rel.Chart.Metadata.Version,
+		AppVersion:   rel.Chart.Metadata.AppVersion,
+		Dependencies: rel.Chart.Metadata.Dependencies,
+		Annotations:  rel.Chart.Metadata.Annotations,
+		Namespace:    rel.Namespace,
+		Revision:     rel.Version,
+		Status:       rel.Info.Status.String(),
+		DeployedAt:   rel.Info.LastDeployed.Format(time.RFC3339),
+	}, nil
+}
+
+// FormattedDepNames formats metadata.dependencies names into a comma-separated list.
+func (m *Metadata) FormattedDepNames() string {
+	depsNames := make([]string, 0, len(m.Dependencies))
+	for _, dep := range m.Dependencies {
+		depsNames = append(depsNames, dep.Name)
+	}
+	sort.StringSlice(depsNames).Sort()
+
+	return strings.Join(depsNames, ",")
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/get_values.go b/vendor/helm.sh/helm/v3/pkg/action/get_values.go
new file mode 100644
index 0000000000..9c32db2132
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/get_values.go
@@ -0,0 +1,60 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"helm.sh/helm/v3/pkg/chartutil"
+)
+
+// GetValues is the action for checking a given release's values.
+//
+// It provides the implementation of 'helm get values'.
+type GetValues struct {
+	cfg *Configuration
+
+	Version   int
+	AllValues bool
+}
+
+// NewGetValues creates a new GetValues object with the given configuration.
+func NewGetValues(cfg *Configuration) *GetValues {
+	return &GetValues{
+		cfg: cfg,
+	}
+}
+
+// Run executes 'helm get values' against the given release.
+func (g *GetValues) Run(name string) (map[string]interface{}, error) {
+	if err := g.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	rel, err := g.cfg.releaseContent(name, g.Version)
+	if err != nil {
+		return nil, err
+	}
+
+	// If the user wants all values, compute the values and return.
+	if g.AllValues {
+		cfg, err := chartutil.CoalesceValues(rel.Chart, rel.Config)
+		if err != nil {
+			return nil, err
+		}
+		return cfg, nil
+	}
+	return rel.Config, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/history.go b/vendor/helm.sh/helm/v3/pkg/action/history.go
new file mode 100644
index 0000000000..0430aaf7a5
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/history.go
@@ -0,0 +1,58 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/release"
+)
+
+// History is the action for checking the release's ledger.
+//
+// It provides the implementation of 'helm history'.
+// It returns all the revisions for a specific release.
+// To list up to one revision of every release in one specific, or in all,
+// namespaces, see the List action.
+type History struct {
+	cfg *Configuration
+
+	Max     int
+	Version int
+}
+
+// NewHistory creates a new History object with the given configuration.
+func NewHistory(cfg *Configuration) *History {
+	return &History{
+		cfg: cfg,
+	}
+}
+
+// Run executes 'helm history' against the given release.
+func (h *History) Run(name string) ([]*release.Release, error) {
+	if err := h.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	if err := chartutil.ValidateReleaseName(name); err != nil {
+		return nil, errors.Errorf("release name is invalid: %s", name)
+	}
+
+	h.cfg.Log("getting history for release %s", name)
+	return h.cfg.Releases.History(name)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/hooks.go b/vendor/helm.sh/helm/v3/pkg/action/hooks.go
new file mode 100644
index 0000000000..16cc13bdd5
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/hooks.go
@@ -0,0 +1,230 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"slices"
+	"sort"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v3"
+
+	"helm.sh/helm/v3/pkg/kube"
+	"helm.sh/helm/v3/pkg/release"
+	helmtime "helm.sh/helm/v3/pkg/time"
+)
+
+// execHook executes all of the hooks for the given hook event.
+func (cfg *Configuration) execHook(rl *release.Release, hook release.HookEvent, timeout time.Duration) error {
+	executingHooks := []*release.Hook{}
+
+	for _, h := range rl.Hooks {
+		for _, e := range h.Events {
+			if e == hook {
+				executingHooks = append(executingHooks, h)
+			}
+		}
+	}
+
+	// hooke are pre-ordered by kind, so keep order stable
+	sort.Stable(hookByWeight(executingHooks))
+
+	for _, h := range executingHooks {
+		// Set default delete policy to before-hook-creation
+		if len(h.DeletePolicies) == 0 {
+			// TODO(jlegrone): Only apply before-hook-creation delete policy to run to completion
+			//                 resources. For all other resource types update in place if a
+			//                 resource with the same name already exists and is owned by the
+			//                 current release.
+			h.DeletePolicies = []release.HookDeletePolicy{release.HookBeforeHookCreation}
+		}
+
+		if err := cfg.deleteHookByPolicy(h, release.HookBeforeHookCreation, timeout); err != nil {
+			return err
+		}
+
+		resources, err := cfg.KubeClient.Build(bytes.NewBufferString(h.Manifest), true)
+		if err != nil {
+			return errors.Wrapf(err, "unable to build kubernetes object for %s hook %s", hook, h.Path)
+		}
+
+		// Record the time at which the hook was applied to the cluster
+		h.LastRun = release.HookExecution{
+			StartedAt: helmtime.Now(),
+			Phase:     release.HookPhaseRunning,
+		}
+		cfg.recordRelease(rl)
+
+		// As long as the implementation of WatchUntilReady does not panic, HookPhaseFailed or HookPhaseSucceeded
+		// should always be set by this function. If we fail to do that for any reason, then HookPhaseUnknown is
+		// the most appropriate value to surface.
+		h.LastRun.Phase = release.HookPhaseUnknown
+
+		// Create hook resources
+		if _, err := cfg.KubeClient.Create(resources); err != nil {
+			h.LastRun.CompletedAt = helmtime.Now()
+			h.LastRun.Phase = release.HookPhaseFailed
+			return errors.Wrapf(err, "warning: Hook %s %s failed", hook, h.Path)
+		}
+
+		// Watch hook resources until they have completed
+		err = cfg.KubeClient.WatchUntilReady(resources, timeout)
+		// Note the time of success/failure
+		h.LastRun.CompletedAt = helmtime.Now()
+		// Mark hook as succeeded or failed
+		if err != nil {
+			h.LastRun.Phase = release.HookPhaseFailed
+			// If a hook is failed, check the annotation of the hook to determine if we should copy the logs client side
+			if errOutputting := cfg.outputLogsByPolicy(h, rl.Namespace, release.HookOutputOnFailed); errOutputting != nil {
+				// We log the error here as we want to propagate the hook failure upwards to the release object.
+				log.Printf("error outputting logs for hook failure: %v", errOutputting)
+			}
+			// If a hook is failed, check the annotation of the hook to determine whether the hook should be deleted
+			// under failed condition. If so, then clear the corresponding resource object in the hook
+			if errDeleting := cfg.deleteHookByPolicy(h, release.HookFailed, timeout); errDeleting != nil {
+				// We log the error here as we want to propagate the hook failure upwards to the release object.
+				log.Printf("error deleting the hook resource on hook failure: %v", errDeleting)
+			}
+			return err
+		}
+		h.LastRun.Phase = release.HookPhaseSucceeded
+	}
+
+	// If all hooks are successful, check the annotation of each hook to determine whether the hook should be deleted
+	// or output should be logged under succeeded condition. If so, then clear the corresponding resource object in each hook
+	for i := len(executingHooks) - 1; i >= 0; i-- {
+		h := executingHooks[i]
+		if err := cfg.outputLogsByPolicy(h, rl.Namespace, release.HookOutputOnSucceeded); err != nil {
+			// We log here as we still want to attempt hook resource deletion even if output logging fails.
+			log.Printf("error outputting logs for hook failure: %v", err)
+		}
+		if err := cfg.deleteHookByPolicy(h, release.HookSucceeded, timeout); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// hookByWeight is a sorter for hooks
+type hookByWeight []*release.Hook
+
+func (x hookByWeight) Len() int      { return len(x) }
+func (x hookByWeight) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+func (x hookByWeight) Less(i, j int) bool {
+	if x[i].Weight == x[j].Weight {
+		return x[i].Name < x[j].Name
+	}
+	return x[i].Weight < x[j].Weight
+}
+
+// deleteHookByPolicy deletes a hook if the hook policy instructs it to
+func (cfg *Configuration) deleteHookByPolicy(h *release.Hook, policy release.HookDeletePolicy, timeout time.Duration) error {
+	// Never delete CustomResourceDefinitions; this could cause lots of
+	// cascading garbage collection.
+	if h.Kind == "CustomResourceDefinition" {
+		return nil
+	}
+	if hookHasDeletePolicy(h, policy) {
+		resources, err := cfg.KubeClient.Build(bytes.NewBufferString(h.Manifest), false)
+		if err != nil {
+			return errors.Wrapf(err, "unable to build kubernetes object for deleting hook %s", h.Path)
+		}
+		_, errs := cfg.KubeClient.Delete(resources)
+		if len(errs) > 0 {
+			return errors.New(joinErrors(errs))
+		}
+
+		// wait for resources until they are deleted to avoid conflicts
+		if kubeClient, ok := cfg.KubeClient.(kube.InterfaceExt); ok {
+			if err := kubeClient.WaitForDelete(resources, timeout); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// hookHasDeletePolicy determines whether the defined hook deletion policy matches the hook deletion polices
+// supported by helm. If so, mark the hook as one should be deleted.
+func hookHasDeletePolicy(h *release.Hook, policy release.HookDeletePolicy) bool {
+	for _, v := range h.DeletePolicies {
+		if policy == v {
+			return true
+		}
+	}
+	return false
+}
+
+// outputLogsByPolicy outputs a pods logs if the hook policy instructs it to
+func (cfg *Configuration) outputLogsByPolicy(h *release.Hook, releaseNamespace string, policy release.HookOutputLogPolicy) error {
+	if !hookHasOutputLogPolicy(h, policy) {
+		return nil
+	}
+	namespace, err := cfg.deriveNamespace(h, releaseNamespace)
+	if err != nil {
+		return err
+	}
+	switch h.Kind {
+	case "Job":
+		return cfg.outputContainerLogsForListOptions(namespace, metav1.ListOptions{LabelSelector: fmt.Sprintf("job-name=%s", h.Name)})
+	case "Pod":
+		return cfg.outputContainerLogsForListOptions(namespace, metav1.ListOptions{FieldSelector: fmt.Sprintf("metadata.name=%s", h.Name)})
+	default:
+		return nil
+	}
+}
+
+func (cfg *Configuration) outputContainerLogsForListOptions(namespace string, listOptions metav1.ListOptions) error {
+	// TODO Helm 4: Remove this check when GetPodList and OutputContainerLogsForPodList are moved from InterfaceLogs to Interface
+	if kubeClient, ok := cfg.KubeClient.(kube.InterfaceLogs); ok {
+		podList, err := kubeClient.GetPodList(namespace, listOptions)
+		if err != nil {
+			return err
+		}
+		err = kubeClient.OutputContainerLogsForPodList(podList, namespace, cfg.HookOutputFunc)
+		return err
+	}
+	return nil
+}
+
+func (cfg *Configuration) deriveNamespace(h *release.Hook, namespace string) (string, error) {
+	tmp := struct {
+		Metadata struct {
+			Namespace string
+		}
+	}{}
+	err := yaml.Unmarshal([]byte(h.Manifest), &tmp)
+	if err != nil {
+		return "", errors.Wrapf(err, "unable to parse metadata.namespace from kubernetes manifest for output logs hook %s", h.Path)
+	}
+	if tmp.Metadata.Namespace == "" {
+		return namespace, nil
+	}
+	return tmp.Metadata.Namespace, nil
+}
+
+// hookHasOutputLogPolicy determines whether the defined hook output log policy matches the hook output log policies
+// supported by helm.
+func hookHasOutputLogPolicy(h *release.Hook, policy release.HookOutputLogPolicy) bool {
+	return slices.Contains(h.OutputLogPolicies, policy)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/install.go b/vendor/helm.sh/helm/v3/pkg/action/install.go
new file mode 100644
index 0000000000..7bdfc2ab52
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/install.go
@@ -0,0 +1,836 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"sync"
+	"text/template"
+	"time"
+
+	"github.com/Masterminds/sprig/v3"
+	"github.com/pkg/errors"
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/resource"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/downloader"
+	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/kube"
+	kubefake "helm.sh/helm/v3/pkg/kube/fake"
+	"helm.sh/helm/v3/pkg/postrender"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/releaseutil"
+	"helm.sh/helm/v3/pkg/repo"
+	"helm.sh/helm/v3/pkg/storage"
+	"helm.sh/helm/v3/pkg/storage/driver"
+)
+
+// notesFileSuffix that we want to treat special. It goes through the templating engine
+// but it's not a yaml file (resource) hence can't have hooks, etc. And the user actually
+// wants to see this file after rendering in the status command. However, it must be a suffix
+// since there can be filepath in front of it.
+const notesFileSuffix = "NOTES.txt"
+
+const defaultDirectoryPermission = 0755
+
+// Install performs an installation operation.
+type Install struct {
+	cfg *Configuration
+
+	ChartPathOptions
+
+	ClientOnly      bool
+	Force           bool
+	CreateNamespace bool
+	DryRun          bool
+	DryRunOption    string
+	// HideSecret can be set to true when DryRun is enabled in order to hide
+	// Kubernetes Secrets in the output. It cannot be used outside of DryRun.
+	HideSecret               bool
+	DisableHooks             bool
+	Replace                  bool
+	Wait                     bool
+	WaitForJobs              bool
+	Devel                    bool
+	DependencyUpdate         bool
+	Timeout                  time.Duration
+	Namespace                string
+	ReleaseName              string
+	GenerateName             bool
+	NameTemplate             string
+	Description              string
+	OutputDir                string
+	Atomic                   bool
+	SkipCRDs                 bool
+	SubNotes                 bool
+	HideNotes                bool
+	SkipSchemaValidation     bool
+	DisableOpenAPIValidation bool
+	IncludeCRDs              bool
+	Labels                   map[string]string
+	// KubeVersion allows specifying a custom kubernetes version to use and
+	// APIVersions allows a manual set of supported API Versions to be passed
+	// (for things like templating). These are ignored if ClientOnly is false
+	KubeVersion *chartutil.KubeVersion
+	APIVersions chartutil.VersionSet
+	// Used by helm template to render charts with .Release.IsUpgrade. Ignored if Dry-Run is false
+	IsUpgrade bool
+	// Enable DNS lookups when rendering templates
+	EnableDNS bool
+	// Used by helm template to add the release as part of OutputDir path
+	// OutputDir/<ReleaseName>
+	UseReleaseName bool
+	// TakeOwnership will ignore the check for helm annotations and take ownership of the resources.
+	TakeOwnership bool
+	PostRenderer  postrender.PostRenderer
+	// Lock to control raceconditions when the process receives a SIGTERM
+	Lock sync.Mutex
+}
+
+// ChartPathOptions captures common options used for controlling chart paths
+type ChartPathOptions struct {
+	CaFile                string // --ca-file
+	CertFile              string // --cert-file
+	KeyFile               string // --key-file
+	InsecureSkipTLSverify bool   // --insecure-skip-verify
+	PlainHTTP             bool   // --plain-http
+	Keyring               string // --keyring
+	Password              string // --password
+	PassCredentialsAll    bool   // --pass-credentials
+	RepoURL               string // --repo
+	Username              string // --username
+	Verify                bool   // --verify
+	Version               string // --version
+
+	// registryClient provides a registry client but is not added with
+	// options from a flag
+	registryClient *registry.Client
+}
+
+// NewInstall creates a new Install object with the given configuration.
+func NewInstall(cfg *Configuration) *Install {
+	in := &Install{
+		cfg: cfg,
+	}
+	in.ChartPathOptions.registryClient = cfg.RegistryClient
+
+	return in
+}
+
+// SetRegistryClient sets the registry client for the install action
+func (i *Install) SetRegistryClient(registryClient *registry.Client) {
+	i.ChartPathOptions.registryClient = registryClient
+}
+
+// GetRegistryClient get the registry client.
+func (i *Install) GetRegistryClient() *registry.Client {
+	return i.ChartPathOptions.registryClient
+}
+
+func (i *Install) installCRDs(crds []chart.CRD) error {
+	// We do these one file at a time in the order they were read.
+	totalItems := []*resource.Info{}
+	for _, obj := range crds {
+		// Read in the resources
+		res, err := i.cfg.KubeClient.Build(bytes.NewBuffer(obj.File.Data), false)
+		if err != nil {
+			return errors.Wrapf(err, "failed to install CRD %s", obj.Name)
+		}
+
+		// Send them to Kube
+		if _, err := i.cfg.KubeClient.Create(res); err != nil {
+			// If the error is CRD already exists, continue.
+			if apierrors.IsAlreadyExists(err) {
+				crdName := res[0].Name
+				i.cfg.Log("CRD %s is already present. Skipping.", crdName)
+				continue
+			}
+			return errors.Wrapf(err, "failed to install CRD %s", obj.Name)
+		}
+		totalItems = append(totalItems, res...)
+	}
+	if len(totalItems) > 0 {
+		// Give time for the CRD to be recognized.
+		if err := i.cfg.KubeClient.Wait(totalItems, 60*time.Second); err != nil {
+			return err
+		}
+
+		// If we have already gathered the capabilities, we need to invalidate
+		// the cache so that the new CRDs are recognized. This should only be
+		// the case when an action configuration is reused for multiple actions,
+		// as otherwise it is later loaded by ourselves when getCapabilities
+		// is called later on in the installation process.
+		if i.cfg.Capabilities != nil {
+			discoveryClient, err := i.cfg.RESTClientGetter.ToDiscoveryClient()
+			if err != nil {
+				return err
+			}
+
+			i.cfg.Log("Clearing discovery cache")
+			discoveryClient.Invalidate()
+
+			_, _ = discoveryClient.ServerGroups()
+		}
+
+		// Invalidate the REST mapper, since it will not have the new CRDs
+		// present.
+		restMapper, err := i.cfg.RESTClientGetter.ToRESTMapper()
+		if err != nil {
+			return err
+		}
+		if resettable, ok := restMapper.(meta.ResettableRESTMapper); ok {
+			i.cfg.Log("Clearing REST mapper cache")
+			resettable.Reset()
+		}
+	}
+	return nil
+}
+
+// Run executes the installation
+//
+// If DryRun is set to true, this will prepare the release, but not install it
+
+func (i *Install) Run(chrt *chart.Chart, vals map[string]interface{}) (*release.Release, error) {
+	ctx := context.Background()
+	return i.RunWithContext(ctx, chrt, vals)
+}
+
+// Run executes the installation with Context
+//
+// When the task is cancelled through ctx, the function returns and the install
+// proceeds in the background.
+func (i *Install) RunWithContext(ctx context.Context, chrt *chart.Chart, vals map[string]interface{}) (*release.Release, error) {
+	// Check reachability of cluster unless in client-only mode (e.g. `helm template` without `--validate`)
+	if !i.ClientOnly {
+		if err := i.cfg.KubeClient.IsReachable(); err != nil {
+			return nil, err
+		}
+	}
+
+	// HideSecret must be used with dry run. Otherwise, return an error.
+	if !i.isDryRun() && i.HideSecret {
+		return nil, errors.New("Hiding Kubernetes secrets requires a dry-run mode")
+	}
+
+	if err := i.availableName(); err != nil {
+		return nil, err
+	}
+
+	if err := chartutil.ProcessDependenciesWithMerge(chrt, vals); err != nil {
+		return nil, err
+	}
+
+	var interactWithRemote bool
+	if !i.isDryRun() || i.DryRunOption == "server" || i.DryRunOption == "none" || i.DryRunOption == "false" {
+		interactWithRemote = true
+	}
+
+	// Pre-install anything in the crd/ directory. We do this before Helm
+	// contacts the upstream server and builds the capabilities object.
+	if crds := chrt.CRDObjects(); !i.ClientOnly && !i.SkipCRDs && len(crds) > 0 {
+		// On dry run, bail here
+		if i.isDryRun() {
+			i.cfg.Log("WARNING: This chart or one of its subcharts contains CRDs. Rendering may fail or contain inaccuracies.")
+		} else if err := i.installCRDs(crds); err != nil {
+			return nil, err
+		}
+	}
+
+	if i.ClientOnly {
+		// Add mock objects in here so it doesn't use Kube API server
+		// NOTE(bacongobbler): used for `helm template`
+		i.cfg.Capabilities = chartutil.DefaultCapabilities.Copy()
+		if i.KubeVersion != nil {
+			i.cfg.Capabilities.KubeVersion = *i.KubeVersion
+		}
+		i.cfg.Capabilities.APIVersions = append(i.cfg.Capabilities.APIVersions, i.APIVersions...)
+		i.cfg.KubeClient = &kubefake.PrintingKubeClient{Out: io.Discard}
+
+		mem := driver.NewMemory()
+		mem.SetNamespace(i.Namespace)
+		i.cfg.Releases = storage.Init(mem)
+	} else if !i.ClientOnly && len(i.APIVersions) > 0 {
+		i.cfg.Log("API Version list given outside of client only mode, this list will be ignored")
+	}
+
+	// Make sure if Atomic is set, that wait is set as well. This makes it so
+	// the user doesn't have to specify both
+	i.Wait = i.Wait || i.Atomic
+
+	caps, err := i.cfg.getCapabilities()
+	if err != nil {
+		return nil, err
+	}
+
+	// special case for helm template --is-upgrade
+	isUpgrade := i.IsUpgrade && i.isDryRun()
+	options := chartutil.ReleaseOptions{
+		Name:      i.ReleaseName,
+		Namespace: i.Namespace,
+		Revision:  1,
+		IsInstall: !isUpgrade,
+		IsUpgrade: isUpgrade,
+	}
+	valuesToRender, err := chartutil.ToRenderValuesWithSchemaValidation(chrt, vals, options, caps, i.SkipSchemaValidation)
+	if err != nil {
+		return nil, err
+	}
+
+	if driver.ContainsSystemLabels(i.Labels) {
+		return nil, fmt.Errorf("user supplied labels contains system reserved label name. System labels: %+v", driver.GetSystemLabels())
+	}
+
+	rel := i.createRelease(chrt, vals, i.Labels)
+
+	var manifestDoc *bytes.Buffer
+	rel.Hooks, manifestDoc, rel.Info.Notes, err = i.cfg.renderResources(chrt, valuesToRender, i.ReleaseName, i.OutputDir, i.SubNotes, i.UseReleaseName, i.IncludeCRDs, i.PostRenderer, interactWithRemote, i.EnableDNS, i.HideSecret)
+	// Even for errors, attach this if available
+	if manifestDoc != nil {
+		rel.Manifest = manifestDoc.String()
+	}
+	// Check error from render
+	if err != nil {
+		rel.SetStatus(release.StatusFailed, fmt.Sprintf("failed to render resource: %s", err.Error()))
+		// Return a release with partial data so that the client can show debugging information.
+		return rel, err
+	}
+
+	// Mark this release as in-progress
+	rel.SetStatus(release.StatusPendingInstall, "Initial install underway")
+
+	var toBeAdopted kube.ResourceList
+	resources, err := i.cfg.KubeClient.Build(bytes.NewBufferString(rel.Manifest), !i.DisableOpenAPIValidation)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to build kubernetes objects from release manifest")
+	}
+
+	// It is safe to use "force" here because these are resources currently rendered by the chart.
+	err = resources.Visit(setMetadataVisitor(rel.Name, rel.Namespace, true))
+	if err != nil {
+		return nil, err
+	}
+
+	// Install requires an extra validation step of checking that resources
+	// don't already exist before we actually create resources. If we continue
+	// forward and create the release object with resources that already exist,
+	// we'll end up in a state where we will delete those resources upon
+	// deleting the release because the manifest will be pointing at that
+	// resource
+	if !i.ClientOnly && !isUpgrade && len(resources) > 0 {
+		if i.TakeOwnership {
+			toBeAdopted, err = requireAdoption(resources)
+		} else {
+			toBeAdopted, err = existingResourceConflict(resources, rel.Name, rel.Namespace)
+		}
+		if err != nil {
+			return nil, errors.Wrap(err, "Unable to continue with install")
+		}
+	}
+
+	// Bail out here if it is a dry run
+	if i.isDryRun() {
+		rel.Info.Description = "Dry run complete"
+		return rel, nil
+	}
+
+	if i.CreateNamespace {
+		ns := &v1.Namespace{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "v1",
+				Kind:       "Namespace",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: i.Namespace,
+				Labels: map[string]string{
+					"name": i.Namespace,
+				},
+			},
+		}
+		buf, err := yaml.Marshal(ns)
+		if err != nil {
+			return nil, err
+		}
+		resourceList, err := i.cfg.KubeClient.Build(bytes.NewBuffer(buf), true)
+		if err != nil {
+			return nil, err
+		}
+		if _, err := i.cfg.KubeClient.Create(resourceList); err != nil && !apierrors.IsAlreadyExists(err) {
+			return nil, err
+		}
+	}
+
+	// If Replace is true, we need to supersede the last release.
+	if i.Replace {
+		if err := i.replaceRelease(rel); err != nil {
+			return nil, err
+		}
+	}
+
+	// Store the release in history before continuing (new in Helm 3). We always know
+	// that this is a create operation.
+	if err := i.cfg.Releases.Create(rel); err != nil {
+		// We could try to recover gracefully here, but since nothing has been installed
+		// yet, this is probably safer than trying to continue when we know storage is
+		// not working.
+		return rel, err
+	}
+
+	rel, err = i.performInstallCtx(ctx, rel, toBeAdopted, resources)
+	if err != nil {
+		rel, err = i.failRelease(rel, err)
+	}
+	return rel, err
+}
+
+func (i *Install) performInstallCtx(ctx context.Context, rel *release.Release, toBeAdopted kube.ResourceList, resources kube.ResourceList) (*release.Release, error) {
+	type Msg struct {
+		r *release.Release
+		e error
+	}
+	resultChan := make(chan Msg, 1)
+
+	go func() {
+		rel, err := i.performInstall(rel, toBeAdopted, resources)
+		resultChan <- Msg{rel, err}
+	}()
+	select {
+	case <-ctx.Done():
+		err := ctx.Err()
+		return rel, err
+	case msg := <-resultChan:
+		return msg.r, msg.e
+	}
+}
+
+// isDryRun returns true if Upgrade is set to run as a DryRun
+func (i *Install) isDryRun() bool {
+	if i.DryRun || i.DryRunOption == "client" || i.DryRunOption == "server" || i.DryRunOption == "true" {
+		return true
+	}
+	return false
+}
+
+func (i *Install) performInstall(rel *release.Release, toBeAdopted kube.ResourceList, resources kube.ResourceList) (*release.Release, error) {
+	var err error
+	// pre-install hooks
+	if !i.DisableHooks {
+		if err := i.cfg.execHook(rel, release.HookPreInstall, i.Timeout); err != nil {
+			return rel, fmt.Errorf("failed pre-install: %s", err)
+		}
+	}
+
+	// At this point, we can do the install. Note that before we were detecting whether to
+	// do an update, but it's not clear whether we WANT to do an update if the re-use is set
+	// to true, since that is basically an upgrade operation.
+	if len(toBeAdopted) == 0 && len(resources) > 0 {
+		_, err = i.cfg.KubeClient.Create(resources)
+	} else if len(resources) > 0 {
+		if i.TakeOwnership {
+			_, err = i.cfg.KubeClient.(kube.InterfaceThreeWayMerge).UpdateThreeWayMerge(toBeAdopted, resources, i.Force)
+		} else {
+			_, err = i.cfg.KubeClient.Update(toBeAdopted, resources, i.Force)
+		}
+	}
+	if err != nil {
+		return rel, err
+	}
+
+	if i.Wait {
+		if i.WaitForJobs {
+			err = i.cfg.KubeClient.WaitWithJobs(resources, i.Timeout)
+		} else {
+			err = i.cfg.KubeClient.Wait(resources, i.Timeout)
+		}
+		if err != nil {
+			return rel, err
+		}
+	}
+
+	if !i.DisableHooks {
+		if err := i.cfg.execHook(rel, release.HookPostInstall, i.Timeout); err != nil {
+			return rel, fmt.Errorf("failed post-install: %s", err)
+		}
+	}
+
+	if len(i.Description) > 0 {
+		rel.SetStatus(release.StatusDeployed, i.Description)
+	} else {
+		rel.SetStatus(release.StatusDeployed, "Install complete")
+	}
+
+	// This is a tricky case. The release has been created, but the result
+	// cannot be recorded. The truest thing to tell the user is that the
+	// release was created. However, the user will not be able to do anything
+	// further with this release.
+	//
+	// One possible strategy would be to do a timed retry to see if we can get
+	// this stored in the future.
+	if err := i.recordRelease(rel); err != nil {
+		i.cfg.Log("failed to record the release: %s", err)
+	}
+
+	return rel, nil
+}
+
+func (i *Install) failRelease(rel *release.Release, err error) (*release.Release, error) {
+	rel.SetStatus(release.StatusFailed, fmt.Sprintf("Release %q failed: %s", i.ReleaseName, err.Error()))
+	if i.Atomic {
+		i.cfg.Log("Install failed and atomic is set, uninstalling release")
+		uninstall := NewUninstall(i.cfg)
+		uninstall.DisableHooks = i.DisableHooks
+		uninstall.KeepHistory = false
+		uninstall.Timeout = i.Timeout
+		if _, uninstallErr := uninstall.Run(i.ReleaseName); uninstallErr != nil {
+			return rel, errors.Wrapf(uninstallErr, "an error occurred while uninstalling the release. original install error: %s", err)
+		}
+		return rel, errors.Wrapf(err, "release %s failed, and has been uninstalled due to atomic being set", i.ReleaseName)
+	}
+	i.recordRelease(rel) // Ignore the error, since we have another error to deal with.
+	return rel, err
+}
+
+// availableName tests whether a name is available
+//
+// Roughly, this will return an error if name is
+//
+//   - empty
+//   - too long
+//   - already in use, and not deleted
+//   - used by a deleted release, and i.Replace is false
+func (i *Install) availableName() error {
+	start := i.ReleaseName
+
+	if err := chartutil.ValidateReleaseName(start); err != nil {
+		return errors.Wrapf(err, "release name %q", start)
+	}
+	// On dry run, bail here
+	if i.isDryRun() {
+		return nil
+	}
+
+	h, err := i.cfg.Releases.History(start)
+	if err != nil || len(h) < 1 {
+		return nil
+	}
+	releaseutil.Reverse(h, releaseutil.SortByRevision)
+	rel := h[0]
+
+	if st := rel.Info.Status; i.Replace && (st == release.StatusUninstalled || st == release.StatusFailed) {
+		return nil
+	}
+	return errors.New("cannot re-use a name that is still in use")
+}
+
+// createRelease creates a new release object
+func (i *Install) createRelease(chrt *chart.Chart, rawVals map[string]interface{}, labels map[string]string) *release.Release {
+	ts := i.cfg.Now()
+	return &release.Release{
+		Name:      i.ReleaseName,
+		Namespace: i.Namespace,
+		Chart:     chrt,
+		Config:    rawVals,
+		Info: &release.Info{
+			FirstDeployed: ts,
+			LastDeployed:  ts,
+			Status:        release.StatusUnknown,
+		},
+		Version: 1,
+		Labels:  labels,
+	}
+}
+
+// recordRelease with an update operation in case reuse has been set.
+func (i *Install) recordRelease(r *release.Release) error {
+	// This is a legacy function which has been reduced to a oneliner. Could probably
+	// refactor it out.
+	return i.cfg.Releases.Update(r)
+}
+
+// replaceRelease replaces an older release with this one
+//
+// This allows us to re-use names by superseding an existing release with a new one
+func (i *Install) replaceRelease(rel *release.Release) error {
+	hist, err := i.cfg.Releases.History(rel.Name)
+	if err != nil || len(hist) == 0 {
+		// No releases exist for this name, so we can return early
+		return nil
+	}
+
+	releaseutil.Reverse(hist, releaseutil.SortByRevision)
+	last := hist[0]
+
+	// Update version to the next available
+	rel.Version = last.Version + 1
+
+	// Do not change the status of a failed release.
+	if last.Info.Status == release.StatusFailed {
+		return nil
+	}
+
+	// For any other status, mark it as superseded and store the old record
+	last.SetStatus(release.StatusSuperseded, "superseded by new release")
+	return i.recordRelease(last)
+}
+
+// write the <data> to <output-dir>/<name>. <append> controls if the file is created or content will be appended
+func writeToFile(outputDir string, name string, data string, append bool) error {
+	outfileName := strings.Join([]string{outputDir, name}, string(filepath.Separator))
+
+	err := ensureDirectoryForFile(outfileName)
+	if err != nil {
+		return err
+	}
+
+	f, err := createOrOpenFile(outfileName, append)
+	if err != nil {
+		return err
+	}
+
+	defer f.Close()
+
+	_, err = f.WriteString(fmt.Sprintf("---\n# Source: %s\n%s\n", name, data))
+
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("wrote %s\n", outfileName)
+	return nil
+}
+
+func createOrOpenFile(filename string, append bool) (*os.File, error) {
+	if append {
+		return os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, 0600)
+	}
+	return os.Create(filename)
+}
+
+// check if the directory exists to create file. creates if doesn't exist
+func ensureDirectoryForFile(file string) error {
+	baseDir := path.Dir(file)
+	_, err := os.Stat(baseDir)
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	return os.MkdirAll(baseDir, defaultDirectoryPermission)
+}
+
+// NameAndChart returns the name and chart that should be used.
+//
+// This will read the flags and handle name generation if necessary.
+func (i *Install) NameAndChart(args []string) (string, string, error) {
+	flagsNotSet := func() error {
+		if i.GenerateName {
+			return errors.New("cannot set --generate-name and also specify a name")
+		}
+		if i.NameTemplate != "" {
+			return errors.New("cannot set --name-template and also specify a name")
+		}
+		return nil
+	}
+
+	if len(args) > 2 {
+		return args[0], args[1], errors.Errorf("expected at most two arguments, unexpected arguments: %v", strings.Join(args[2:], ", "))
+	}
+
+	if len(args) == 2 {
+		return args[0], args[1], flagsNotSet()
+	}
+
+	if i.NameTemplate != "" {
+		name, err := TemplateName(i.NameTemplate)
+		return name, args[0], err
+	}
+
+	if i.ReleaseName != "" {
+		return i.ReleaseName, args[0], nil
+	}
+
+	if !i.GenerateName {
+		return "", args[0], errors.New("must either provide a name or specify --generate-name")
+	}
+
+	base := filepath.Base(args[0])
+	if base == "." || base == "" {
+		base = "chart"
+	}
+	// if present, strip out the file extension from the name
+	if idx := strings.Index(base, "."); idx != -1 {
+		base = base[0:idx]
+	}
+
+	return fmt.Sprintf("%s-%d", base, time.Now().Unix()), args[0], nil
+}
+
+// TemplateName renders a name template, returning the name or an error.
+func TemplateName(nameTemplate string) (string, error) {
+	if nameTemplate == "" {
+		return "", nil
+	}
+
+	t, err := template.New("name-template").Funcs(sprig.TxtFuncMap()).Parse(nameTemplate)
+	if err != nil {
+		return "", err
+	}
+	var b bytes.Buffer
+	if err := t.Execute(&b, nil); err != nil {
+		return "", err
+	}
+
+	return b.String(), nil
+}
+
+// CheckDependencies checks the dependencies for a chart.
+func CheckDependencies(ch *chart.Chart, reqs []*chart.Dependency) error {
+	var missing []string
+
+OUTER:
+	for _, r := range reqs {
+		for _, d := range ch.Dependencies() {
+			if d.Name() == r.Name {
+				continue OUTER
+			}
+		}
+		missing = append(missing, r.Name)
+	}
+
+	if len(missing) > 0 {
+		return errors.Errorf("found in Chart.yaml, but missing in charts/ directory: %s", strings.Join(missing, ", "))
+	}
+	return nil
+}
+
+// LocateChart looks for a chart directory in known places, and returns either the full path or an error.
+//
+// This does not ensure that the chart is well-formed; only that the requested filename exists.
+//
+// Order of resolution:
+// - relative to current working directory
+// - if path is absolute or begins with '.', error out here
+// - URL
+//
+// If 'verify' was set on ChartPathOptions, this will attempt to also verify the chart.
+func (c *ChartPathOptions) LocateChart(name string, settings *cli.EnvSettings) (string, error) {
+	if registry.IsOCI(name) && c.registryClient == nil {
+		return "", fmt.Errorf("unable to lookup chart %q, missing registry client", name)
+	}
+
+	name = strings.TrimSpace(name)
+	version := strings.TrimSpace(c.Version)
+
+	if _, err := os.Stat(name); err == nil {
+		abs, err := filepath.Abs(name)
+		if err != nil {
+			return abs, err
+		}
+		if c.Verify {
+			if _, err := downloader.VerifyChart(abs, c.Keyring); err != nil {
+				return "", err
+			}
+		}
+		return abs, nil
+	}
+	if filepath.IsAbs(name) || strings.HasPrefix(name, ".") {
+		return name, errors.Errorf("path %q not found", name)
+	}
+
+	dl := downloader.ChartDownloader{
+		Out:     os.Stdout,
+		Keyring: c.Keyring,
+		Getters: getter.All(settings),
+		Options: []getter.Option{
+			getter.WithPassCredentialsAll(c.PassCredentialsAll),
+			getter.WithTLSClientConfig(c.CertFile, c.KeyFile, c.CaFile),
+			getter.WithInsecureSkipVerifyTLS(c.InsecureSkipTLSverify),
+			getter.WithPlainHTTP(c.PlainHTTP),
+			getter.WithBasicAuth(c.Username, c.Password),
+		},
+		RepositoryConfig: settings.RepositoryConfig,
+		RepositoryCache:  settings.RepositoryCache,
+		RegistryClient:   c.registryClient,
+	}
+
+	if registry.IsOCI(name) {
+		dl.Options = append(dl.Options, getter.WithRegistryClient(c.registryClient))
+	}
+
+	if c.Verify {
+		dl.Verify = downloader.VerifyAlways
+	}
+	if c.RepoURL != "" {
+		chartURL, err := repo.FindChartInAuthAndTLSAndPassRepoURL(c.RepoURL, c.Username, c.Password, name, version,
+			c.CertFile, c.KeyFile, c.CaFile, c.InsecureSkipTLSverify, c.PassCredentialsAll, getter.All(settings))
+		if err != nil {
+			return "", err
+		}
+		name = chartURL
+
+		// Only pass the user/pass on when the user has said to or when the
+		// location of the chart repo and the chart are the same domain.
+		u1, err := url.Parse(c.RepoURL)
+		if err != nil {
+			return "", err
+		}
+		u2, err := url.Parse(chartURL)
+		if err != nil {
+			return "", err
+		}
+
+		// Host on URL (returned from url.Parse) contains the port if present.
+		// This check ensures credentials are not passed between different
+		// services on different ports.
+		if c.PassCredentialsAll || (u1.Scheme == u2.Scheme && u1.Host == u2.Host) {
+			dl.Options = append(dl.Options, getter.WithBasicAuth(c.Username, c.Password))
+		} else {
+			dl.Options = append(dl.Options, getter.WithBasicAuth("", ""))
+		}
+	} else {
+		dl.Options = append(dl.Options, getter.WithBasicAuth(c.Username, c.Password))
+	}
+
+	if err := os.MkdirAll(settings.RepositoryCache, 0755); err != nil {
+		return "", err
+	}
+
+	filename, _, err := dl.DownloadTo(name, version, settings.RepositoryCache)
+	if err != nil {
+		return "", err
+	}
+
+	lname, err := filepath.Abs(filename)
+	if err != nil {
+		return filename, err
+	}
+	return lname, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/lazyclient.go b/vendor/helm.sh/helm/v3/pkg/action/lazyclient.go
new file mode 100644
index 0000000000..9037782bb5
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/lazyclient.go
@@ -0,0 +1,197 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"context"
+	"sync"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/watch"
+	applycorev1 "k8s.io/client-go/applyconfigurations/core/v1"
+	"k8s.io/client-go/kubernetes"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+)
+
+// lazyClient is a workaround to deal with Kubernetes having an unstable client API.
+// In Kubernetes v1.18 the defaults where removed which broke creating a
+// client without an explicit configuration. ಠ_ಠ
+type lazyClient struct {
+	// client caches an initialized kubernetes client
+	initClient sync.Once
+	client     kubernetes.Interface
+	clientErr  error
+
+	// clientFn loads a kubernetes client
+	clientFn func() (*kubernetes.Clientset, error)
+
+	// namespace passed to each client request
+	namespace string
+}
+
+func (s *lazyClient) init() error {
+	s.initClient.Do(func() {
+		s.client, s.clientErr = s.clientFn()
+	})
+	return s.clientErr
+}
+
+// secretClient implements a corev1.SecretsInterface
+type secretClient struct{ *lazyClient }
+
+var _ corev1.SecretInterface = (*secretClient)(nil)
+
+func newSecretClient(lc *lazyClient) *secretClient {
+	return &secretClient{lazyClient: lc}
+}
+
+func (s *secretClient) Create(ctx context.Context, secret *v1.Secret, opts metav1.CreateOptions) (result *v1.Secret, err error) {
+	if err := s.init(); err != nil {
+		return nil, err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).Create(ctx, secret, opts)
+}
+
+func (s *secretClient) Update(ctx context.Context, secret *v1.Secret, opts metav1.UpdateOptions) (*v1.Secret, error) {
+	if err := s.init(); err != nil {
+		return nil, err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).Update(ctx, secret, opts)
+}
+
+func (s *secretClient) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error {
+	if err := s.init(); err != nil {
+		return err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).Delete(ctx, name, opts)
+}
+
+func (s *secretClient) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
+	if err := s.init(); err != nil {
+		return err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).DeleteCollection(ctx, opts, listOpts)
+}
+
+func (s *secretClient) Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Secret, error) {
+	if err := s.init(); err != nil {
+		return nil, err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).Get(ctx, name, opts)
+}
+
+func (s *secretClient) List(ctx context.Context, opts metav1.ListOptions) (*v1.SecretList, error) {
+	if err := s.init(); err != nil {
+		return nil, err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).List(ctx, opts)
+}
+
+func (s *secretClient) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) {
+	if err := s.init(); err != nil {
+		return nil, err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).Watch(ctx, opts)
+}
+
+func (s *secretClient) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (*v1.Secret, error) {
+	if err := s.init(); err != nil {
+		return nil, err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).Patch(ctx, name, pt, data, opts, subresources...)
+}
+
+func (s *secretClient) Apply(ctx context.Context, secretConfiguration *applycorev1.SecretApplyConfiguration, opts metav1.ApplyOptions) (*v1.Secret, error) {
+	if err := s.init(); err != nil {
+		return nil, err
+	}
+	return s.client.CoreV1().Secrets(s.namespace).Apply(ctx, secretConfiguration, opts)
+}
+
+// configMapClient implements a corev1.ConfigMapInterface
+type configMapClient struct{ *lazyClient }
+
+var _ corev1.ConfigMapInterface = (*configMapClient)(nil)
+
+func newConfigMapClient(lc *lazyClient) *configMapClient {
+	return &configMapClient{lazyClient: lc}
+}
+
+func (c *configMapClient) Create(ctx context.Context, configMap *v1.ConfigMap, opts metav1.CreateOptions) (*v1.ConfigMap, error) {
+	if err := c.init(); err != nil {
+		return nil, err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).Create(ctx, configMap, opts)
+}
+
+func (c *configMapClient) Update(ctx context.Context, configMap *v1.ConfigMap, opts metav1.UpdateOptions) (*v1.ConfigMap, error) {
+	if err := c.init(); err != nil {
+		return nil, err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).Update(ctx, configMap, opts)
+}
+
+func (c *configMapClient) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error {
+	if err := c.init(); err != nil {
+		return err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).Delete(ctx, name, opts)
+}
+
+func (c *configMapClient) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
+	if err := c.init(); err != nil {
+		return err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).DeleteCollection(ctx, opts, listOpts)
+}
+
+func (c *configMapClient) Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.ConfigMap, error) {
+	if err := c.init(); err != nil {
+		return nil, err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).Get(ctx, name, opts)
+}
+
+func (c *configMapClient) List(ctx context.Context, opts metav1.ListOptions) (*v1.ConfigMapList, error) {
+	if err := c.init(); err != nil {
+		return nil, err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).List(ctx, opts)
+}
+
+func (c *configMapClient) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) {
+	if err := c.init(); err != nil {
+		return nil, err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).Watch(ctx, opts)
+}
+
+func (c *configMapClient) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (*v1.ConfigMap, error) {
+	if err := c.init(); err != nil {
+		return nil, err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).Patch(ctx, name, pt, data, opts, subresources...)
+}
+
+func (c *configMapClient) Apply(ctx context.Context, configMap *applycorev1.ConfigMapApplyConfiguration, opts metav1.ApplyOptions) (*v1.ConfigMap, error) {
+	if err := c.init(); err != nil {
+		return nil, err
+	}
+	return c.client.CoreV1().ConfigMaps(c.namespace).Apply(ctx, configMap, opts)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/lint.go b/vendor/helm.sh/helm/v3/pkg/action/lint.go
new file mode 100644
index 0000000000..63a1bf354e
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/lint.go
@@ -0,0 +1,130 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/lint"
+	"helm.sh/helm/v3/pkg/lint/support"
+)
+
+// Lint is the action for checking that the semantics of a chart are well-formed.
+//
+// It provides the implementation of 'helm lint'.
+type Lint struct {
+	Strict               bool
+	Namespace            string
+	WithSubcharts        bool
+	Quiet                bool
+	SkipSchemaValidation bool
+	KubeVersion          *chartutil.KubeVersion
+}
+
+// LintResult is the result of Lint
+type LintResult struct {
+	TotalChartsLinted int
+	Messages          []support.Message
+	Errors            []error
+}
+
+// NewLint creates a new Lint object with the given configuration.
+func NewLint() *Lint {
+	return &Lint{}
+}
+
+// Run executes 'helm Lint' against the given chart.
+func (l *Lint) Run(paths []string, vals map[string]interface{}) *LintResult {
+	lowestTolerance := support.ErrorSev
+	if l.Strict {
+		lowestTolerance = support.WarningSev
+	}
+	result := &LintResult{}
+	for _, path := range paths {
+		linter, err := lintChart(path, vals, l.Namespace, l.KubeVersion, l.SkipSchemaValidation)
+		if err != nil {
+			result.Errors = append(result.Errors, err)
+			continue
+		}
+
+		result.Messages = append(result.Messages, linter.Messages...)
+		result.TotalChartsLinted++
+		for _, msg := range linter.Messages {
+			if msg.Severity >= lowestTolerance {
+				result.Errors = append(result.Errors, msg.Err)
+			}
+		}
+	}
+	return result
+}
+
+// HasWarningsOrErrors checks is LintResult has any warnings or errors
+func HasWarningsOrErrors(result *LintResult) bool {
+	for _, msg := range result.Messages {
+		if msg.Severity > support.InfoSev {
+			return true
+		}
+	}
+	return len(result.Errors) > 0
+}
+
+func lintChart(path string, vals map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion, skipSchemaValidation bool) (support.Linter, error) {
+	var chartPath string
+	linter := support.Linter{}
+
+	if strings.HasSuffix(path, ".tgz") || strings.HasSuffix(path, ".tar.gz") {
+		tempDir, err := os.MkdirTemp("", "helm-lint")
+		if err != nil {
+			return linter, errors.Wrap(err, "unable to create temp dir to extract tarball")
+		}
+		defer os.RemoveAll(tempDir)
+
+		file, err := os.Open(path)
+		if err != nil {
+			return linter, errors.Wrap(err, "unable to open tarball")
+		}
+		defer file.Close()
+
+		if err = chartutil.Expand(tempDir, file); err != nil {
+			return linter, errors.Wrap(err, "unable to extract tarball")
+		}
+
+		files, err := os.ReadDir(tempDir)
+		if err != nil {
+			return linter, errors.Wrapf(err, "unable to read temporary output directory %s", tempDir)
+		}
+		if !files[0].IsDir() {
+			return linter, errors.Errorf("unexpected file %s in temporary output directory %s", files[0].Name(), tempDir)
+		}
+
+		chartPath = filepath.Join(tempDir, files[0].Name())
+	} else {
+		chartPath = path
+	}
+
+	// Guard: Error out if this is not a chart.
+	if _, err := os.Stat(filepath.Join(chartPath, "Chart.yaml")); err != nil {
+		return linter, errors.Wrap(err, "unable to check Chart.yaml file in chart")
+	}
+
+	return lint.AllWithKubeVersionAndSchemaValidation(chartPath, vals, namespace, kubeVersion, skipSchemaValidation), nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/list.go b/vendor/helm.sh/helm/v3/pkg/action/list.go
new file mode 100644
index 0000000000..af0725c4a9
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/list.go
@@ -0,0 +1,324 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"path"
+	"regexp"
+
+	"k8s.io/apimachinery/pkg/labels"
+
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/releaseutil"
+)
+
+// ListStates represents zero or more status codes that a list item may have set
+//
+// Because this is used as a bitmask filter, more than one bit can be flipped
+// in the ListStates.
+type ListStates uint
+
+const (
+	// ListDeployed filters on status "deployed"
+	ListDeployed ListStates = 1 << iota
+	// ListUninstalled filters on status "uninstalled"
+	ListUninstalled
+	// ListUninstalling filters on status "uninstalling" (uninstall in progress)
+	ListUninstalling
+	// ListPendingInstall filters on status "pending" (deployment in progress)
+	ListPendingInstall
+	// ListPendingUpgrade filters on status "pending_upgrade" (upgrade in progress)
+	ListPendingUpgrade
+	// ListPendingRollback filters on status "pending_rollback" (rollback in progress)
+	ListPendingRollback
+	// ListSuperseded filters on status "superseded" (historical release version that is no longer deployed)
+	ListSuperseded
+	// ListFailed filters on status "failed" (release version not deployed because of error)
+	ListFailed
+	// ListUnknown filters on an unknown status
+	ListUnknown
+)
+
+// FromName takes a state name and returns a ListStates representation.
+//
+// Currently, there are only names for individual flipped bits, so the returned
+// ListStates will only match one of the constants. However, it is possible that
+// this behavior could change in the future.
+func (s ListStates) FromName(str string) ListStates {
+	switch str {
+	case "deployed":
+		return ListDeployed
+	case "uninstalled":
+		return ListUninstalled
+	case "superseded":
+		return ListSuperseded
+	case "failed":
+		return ListFailed
+	case "uninstalling":
+		return ListUninstalling
+	case "pending-install":
+		return ListPendingInstall
+	case "pending-upgrade":
+		return ListPendingUpgrade
+	case "pending-rollback":
+		return ListPendingRollback
+	}
+	return ListUnknown
+}
+
+// ListAll is a convenience for enabling all list filters
+const ListAll = ListDeployed | ListUninstalled | ListUninstalling | ListPendingInstall | ListPendingRollback | ListPendingUpgrade | ListSuperseded | ListFailed
+
+// Sorter is a top-level sort
+type Sorter uint
+
+const (
+	// ByNameDesc sorts by descending lexicographic order
+	ByNameDesc Sorter = iota + 1
+	// ByDateAsc sorts by ascending dates (oldest updated release first)
+	ByDateAsc
+	// ByDateDesc sorts by descending dates (latest updated release first)
+	ByDateDesc
+)
+
+// List is the action for listing releases.
+//
+// It provides, for example, the implementation of 'helm list'.
+// It returns no more than one revision of every release in one specific, or in
+// all, namespaces.
+// To list all the revisions of a specific release, see the History action.
+type List struct {
+	cfg *Configuration
+
+	// All ignores the limit/offset
+	All bool
+	// AllNamespaces searches across namespaces
+	AllNamespaces bool
+	// Sort indicates the sort to use
+	//
+	// see pkg/releaseutil for several useful sorters
+	Sort Sorter
+	// Overrides the default lexicographic sorting
+	ByDate      bool
+	SortReverse bool
+	// StateMask accepts a bitmask of states for items to show.
+	// The default is ListDeployed
+	StateMask ListStates
+	// Limit is the number of items to return per Run()
+	Limit int
+	// Offset is the starting index for the Run() call
+	Offset int
+	// Filter is a filter that is applied to the results
+	Filter       string
+	Short        bool
+	NoHeaders    bool
+	TimeFormat   string
+	Uninstalled  bool
+	Superseded   bool
+	Uninstalling bool
+	Deployed     bool
+	Failed       bool
+	Pending      bool
+	Selector     string
+}
+
+// NewList constructs a new *List
+func NewList(cfg *Configuration) *List {
+	return &List{
+		StateMask: ListDeployed | ListFailed,
+		cfg:       cfg,
+	}
+}
+
+// Run executes the list command, returning a set of matches.
+func (l *List) Run() ([]*release.Release, error) {
+	if err := l.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	var filter *regexp.Regexp
+	if l.Filter != "" {
+		var err error
+		filter, err = regexp.Compile(l.Filter)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	results, err := l.cfg.Releases.List(func(rel *release.Release) bool {
+		// Skip anything that doesn't match the filter.
+		if filter != nil && !filter.MatchString(rel.Name) {
+			return false
+		}
+
+		return true
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	if results == nil {
+		return results, nil
+	}
+
+	// by definition, superseded releases are never shown if
+	// only the latest releases are returned. so if requested statemask
+	// is _only_ ListSuperseded, skip the latest release filter
+	if l.StateMask != ListSuperseded {
+		results = filterLatestReleases(results)
+	}
+
+	// State mask application must occur after filtering to
+	// latest releases, otherwise outdated entries can be returned
+	results = l.filterStateMask(results)
+
+	// Skip anything that doesn't match the selector
+	selectorObj, err := labels.Parse(l.Selector)
+	if err != nil {
+		return nil, err
+	}
+	results = l.filterSelector(results, selectorObj)
+
+	// Unfortunately, we have to sort before truncating, which can incur substantial overhead
+	l.sort(results)
+
+	// Guard on offset
+	if l.Offset >= len(results) {
+		return []*release.Release{}, nil
+	}
+
+	// Calculate the limit and offset, and then truncate results if necessary.
+	limit := len(results)
+	if l.Limit > 0 && l.Limit < limit {
+		limit = l.Limit
+	}
+	last := l.Offset + limit
+	if l := len(results); l < last {
+		last = l
+	}
+	results = results[l.Offset:last]
+
+	return results, err
+}
+
+// sort is an in-place sort where order is based on the value of a.Sort
+func (l *List) sort(rels []*release.Release) {
+	if l.SortReverse {
+		l.Sort = ByNameDesc
+	}
+
+	if l.ByDate {
+		l.Sort = ByDateDesc
+		if l.SortReverse {
+			l.Sort = ByDateAsc
+		}
+	}
+
+	switch l.Sort {
+	case ByDateDesc:
+		releaseutil.SortByDate(rels)
+	case ByDateAsc:
+		releaseutil.Reverse(rels, releaseutil.SortByDate)
+	case ByNameDesc:
+		releaseutil.Reverse(rels, releaseutil.SortByName)
+	default:
+		releaseutil.SortByName(rels)
+	}
+}
+
+// filterLatestReleases returns a list scrubbed of old releases.
+func filterLatestReleases(releases []*release.Release) []*release.Release {
+	latestReleases := make(map[string]*release.Release)
+
+	for _, rls := range releases {
+		name, namespace := rls.Name, rls.Namespace
+		key := path.Join(namespace, name)
+		if latestRelease, exists := latestReleases[key]; exists && latestRelease.Version > rls.Version {
+			continue
+		}
+		latestReleases[key] = rls
+	}
+
+	var list = make([]*release.Release, 0, len(latestReleases))
+	for _, rls := range latestReleases {
+		list = append(list, rls)
+	}
+	return list
+}
+
+func (l *List) filterStateMask(releases []*release.Release) []*release.Release {
+	desiredStateReleases := make([]*release.Release, 0)
+
+	for _, rls := range releases {
+		currentStatus := l.StateMask.FromName(rls.Info.Status.String())
+		mask := l.StateMask & currentStatus
+		if mask == 0 {
+			continue
+		}
+		desiredStateReleases = append(desiredStateReleases, rls)
+	}
+
+	return desiredStateReleases
+}
+
+func (l *List) filterSelector(releases []*release.Release, selector labels.Selector) []*release.Release {
+	desiredStateReleases := make([]*release.Release, 0)
+
+	for _, rls := range releases {
+		if selector.Matches(labels.Set(rls.Labels)) {
+			desiredStateReleases = append(desiredStateReleases, rls)
+		}
+	}
+
+	return desiredStateReleases
+}
+
+// SetStateMask calculates the state mask based on parameters.
+func (l *List) SetStateMask() {
+	if l.All {
+		l.StateMask = ListAll
+		return
+	}
+
+	state := ListStates(0)
+	if l.Deployed {
+		state |= ListDeployed
+	}
+	if l.Uninstalled {
+		state |= ListUninstalled
+	}
+	if l.Uninstalling {
+		state |= ListUninstalling
+	}
+	if l.Pending {
+		state |= ListPendingInstall | ListPendingRollback | ListPendingUpgrade
+	}
+	if l.Failed {
+		state |= ListFailed
+	}
+	if l.Superseded {
+		state |= ListSuperseded
+	}
+
+	// Apply a default
+	if state == 0 {
+		state = ListDeployed | ListFailed
+	}
+
+	l.StateMask = state
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/package.go b/vendor/helm.sh/helm/v3/pkg/action/package.go
new file mode 100644
index 0000000000..2357e3882a
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/package.go
@@ -0,0 +1,188 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"syscall"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/pkg/errors"
+	"golang.org/x/term"
+
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/provenance"
+)
+
+// Package is the action for packaging a chart.
+//
+// It provides the implementation of 'helm package'.
+type Package struct {
+	Sign             bool
+	Key              string
+	Keyring          string
+	PassphraseFile   string
+	Version          string
+	AppVersion       string
+	Destination      string
+	DependencyUpdate bool
+
+	RepositoryConfig      string
+	RepositoryCache       string
+	PlainHTTP             bool
+	Username              string
+	Password              string
+	CertFile              string
+	KeyFile               string
+	CaFile                string
+	InsecureSkipTLSverify bool
+}
+
+// NewPackage creates a new Package object with the given configuration.
+func NewPackage() *Package {
+	return &Package{}
+}
+
+// Run executes 'helm package' against the given chart and returns the path to the packaged chart.
+func (p *Package) Run(path string, _ map[string]interface{}) (string, error) {
+	ch, err := loader.LoadDir(path)
+	if err != nil {
+		return "", err
+	}
+
+	// If version is set, modify the version.
+	if p.Version != "" {
+		ch.Metadata.Version = p.Version
+	}
+
+	if err := validateVersion(ch.Metadata.Version); err != nil {
+		return "", err
+	}
+
+	if p.AppVersion != "" {
+		ch.Metadata.AppVersion = p.AppVersion
+	}
+
+	if reqs := ch.Metadata.Dependencies; reqs != nil {
+		if err := CheckDependencies(ch, reqs); err != nil {
+			return "", err
+		}
+	}
+
+	var dest string
+	if p.Destination == "." {
+		// Save to the current working directory.
+		dest, err = os.Getwd()
+		if err != nil {
+			return "", err
+		}
+	} else {
+		// Otherwise save to set destination
+		dest = p.Destination
+	}
+
+	name, err := chartutil.Save(ch, dest)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to save")
+	}
+
+	if p.Sign {
+		err = p.Clearsign(name)
+	}
+
+	return name, err
+}
+
+// validateVersion Verify that version is a Version, and error out if it is not.
+func validateVersion(ver string) error {
+	if _, err := semver.NewVersion(ver); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Clearsign signs a chart
+func (p *Package) Clearsign(filename string) error {
+	// Load keyring
+	signer, err := provenance.NewFromKeyring(p.Keyring, p.Key)
+	if err != nil {
+		return err
+	}
+
+	passphraseFetcher := promptUser
+	if p.PassphraseFile != "" {
+		passphraseFetcher, err = passphraseFileFetcher(p.PassphraseFile, os.Stdin)
+		if err != nil {
+			return err
+		}
+	}
+
+	if err := signer.DecryptKey(passphraseFetcher); err != nil {
+		return err
+	}
+
+	sig, err := signer.ClearSign(filename)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(filename+".prov", []byte(sig), 0644)
+}
+
+// promptUser implements provenance.PassphraseFetcher
+func promptUser(name string) ([]byte, error) {
+	fmt.Printf("Password for key %q >  ", name)
+	// syscall.Stdin is not an int in all environments and needs to be coerced
+	// into one there (e.g., Windows)
+	pw, err := term.ReadPassword(int(syscall.Stdin))
+	fmt.Println()
+	return pw, err
+}
+
+func passphraseFileFetcher(passphraseFile string, stdin *os.File) (provenance.PassphraseFetcher, error) {
+	file, err := openPassphraseFile(passphraseFile, stdin)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	reader := bufio.NewReader(file)
+	passphrase, _, err := reader.ReadLine()
+	if err != nil {
+		return nil, err
+	}
+	return func(_ string) ([]byte, error) {
+		return passphrase, nil
+	}, nil
+}
+
+func openPassphraseFile(passphraseFile string, stdin *os.File) (*os.File, error) {
+	if passphraseFile == "-" {
+		stat, err := stdin.Stat()
+		if err != nil {
+			return nil, err
+		}
+		if (stat.Mode() & os.ModeNamedPipe) == 0 {
+			return nil, errors.New("specified reading passphrase from stdin, without input on stdin")
+		}
+		return stdin, nil
+	}
+	return os.Open(passphraseFile)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/pull.go b/vendor/helm.sh/helm/v3/pkg/action/pull.go
new file mode 100644
index 0000000000..7875531255
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/pull.go
@@ -0,0 +1,172 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/downloader"
+	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/repo"
+)
+
+// Pull is the action for checking a given release's information.
+//
+// It provides the implementation of 'helm pull'.
+type Pull struct {
+	ChartPathOptions
+
+	Settings *cli.EnvSettings // TODO: refactor this out of pkg/action
+
+	Devel       bool
+	Untar       bool
+	VerifyLater bool
+	UntarDir    string
+	DestDir     string
+	cfg         *Configuration
+}
+
+type PullOpt func(*Pull)
+
+func WithConfig(cfg *Configuration) PullOpt {
+	return func(p *Pull) {
+		p.cfg = cfg
+	}
+}
+
+// NewPull creates a new Pull object.
+func NewPull() *Pull {
+	return NewPullWithOpts()
+}
+
+// NewPullWithOpts creates a new pull, with configuration options.
+func NewPullWithOpts(opts ...PullOpt) *Pull {
+	p := &Pull{}
+	for _, fn := range opts {
+		fn(p)
+	}
+
+	return p
+}
+
+// SetRegistryClient sets the registry client on the pull configuration object.
+func (p *Pull) SetRegistryClient(client *registry.Client) {
+	p.cfg.RegistryClient = client
+}
+
+// Run executes 'helm pull' against the given release.
+func (p *Pull) Run(chartRef string) (string, error) {
+	var out strings.Builder
+
+	c := downloader.ChartDownloader{
+		Out:     &out,
+		Keyring: p.Keyring,
+		Verify:  downloader.VerifyNever,
+		Getters: getter.All(p.Settings),
+		Options: []getter.Option{
+			getter.WithBasicAuth(p.Username, p.Password),
+			getter.WithPassCredentialsAll(p.PassCredentialsAll),
+			getter.WithTLSClientConfig(p.CertFile, p.KeyFile, p.CaFile),
+			getter.WithInsecureSkipVerifyTLS(p.InsecureSkipTLSverify),
+			getter.WithPlainHTTP(p.PlainHTTP),
+		},
+		RegistryClient:   p.cfg.RegistryClient,
+		RepositoryConfig: p.Settings.RepositoryConfig,
+		RepositoryCache:  p.Settings.RepositoryCache,
+	}
+
+	if registry.IsOCI(chartRef) {
+		c.Options = append(c.Options,
+			getter.WithRegistryClient(p.cfg.RegistryClient))
+		c.RegistryClient = p.cfg.RegistryClient
+	}
+
+	if p.Verify {
+		c.Verify = downloader.VerifyAlways
+	} else if p.VerifyLater {
+		c.Verify = downloader.VerifyLater
+	}
+
+	// If untar is set, we fetch to a tempdir, then untar and copy after
+	// verification.
+	dest := p.DestDir
+	if p.Untar {
+		var err error
+		dest, err = os.MkdirTemp("", "helm-")
+		if err != nil {
+			return out.String(), errors.Wrap(err, "failed to untar")
+		}
+		defer os.RemoveAll(dest)
+	}
+
+	if p.RepoURL != "" {
+		chartURL, err := repo.FindChartInAuthAndTLSAndPassRepoURL(p.RepoURL, p.Username, p.Password, chartRef, p.Version, p.CertFile, p.KeyFile, p.CaFile, p.InsecureSkipTLSverify, p.PassCredentialsAll, getter.All(p.Settings))
+		if err != nil {
+			return out.String(), err
+		}
+		chartRef = chartURL
+	}
+
+	saved, v, err := c.DownloadTo(chartRef, p.Version, dest)
+	if err != nil {
+		return out.String(), err
+	}
+
+	if p.Verify {
+		for name := range v.SignedBy.Identities {
+			fmt.Fprintf(&out, "Signed by: %v\n", name)
+		}
+		fmt.Fprintf(&out, "Using Key With Fingerprint: %X\n", v.SignedBy.PrimaryKey.Fingerprint)
+		fmt.Fprintf(&out, "Chart Hash Verified: %s\n", v.FileHash)
+	}
+
+	// After verification, untar the chart into the requested directory.
+	if p.Untar {
+		ud := p.UntarDir
+		if !filepath.IsAbs(ud) {
+			ud = filepath.Join(p.DestDir, ud)
+		}
+		// Let udCheck to check conflict file/dir without replacing ud when untarDir is the current directory(.).
+		udCheck := ud
+		if udCheck == "." {
+			_, udCheck = filepath.Split(chartRef)
+		} else {
+			_, chartName := filepath.Split(chartRef)
+			udCheck = filepath.Join(udCheck, chartName)
+		}
+
+		if _, err := os.Stat(udCheck); err != nil {
+			if err := os.MkdirAll(udCheck, 0755); err != nil {
+				return out.String(), errors.Wrap(err, "failed to untar (mkdir)")
+			}
+
+		} else {
+			return out.String(), errors.Errorf("failed to untar: a file or directory with the name %s already exists", udCheck)
+		}
+
+		return out.String(), chartutil.ExpandFile(ud, saved)
+	}
+	return out.String(), nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/push.go b/vendor/helm.sh/helm/v3/pkg/action/push.go
new file mode 100644
index 0000000000..70e5c15823
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/push.go
@@ -0,0 +1,112 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"io"
+	"strings"
+
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/pusher"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/uploader"
+)
+
+// Push is the action for uploading a chart.
+//
+// It provides the implementation of 'helm push'.
+type Push struct {
+	Settings              *cli.EnvSettings
+	cfg                   *Configuration
+	certFile              string
+	keyFile               string
+	caFile                string
+	insecureSkipTLSverify bool
+	plainHTTP             bool
+	out                   io.Writer
+}
+
+// PushOpt is a type of function that sets options for a push action.
+type PushOpt func(*Push)
+
+// WithPushConfig sets the cfg field on the push configuration object.
+func WithPushConfig(cfg *Configuration) PushOpt {
+	return func(p *Push) {
+		p.cfg = cfg
+	}
+}
+
+// WithTLSClientConfig sets the certFile, keyFile, and caFile fields on the push configuration object.
+func WithTLSClientConfig(certFile, keyFile, caFile string) PushOpt {
+	return func(p *Push) {
+		p.certFile = certFile
+		p.keyFile = keyFile
+		p.caFile = caFile
+	}
+}
+
+// WithInsecureSkipTLSVerify determines if a TLS Certificate will be checked
+func WithInsecureSkipTLSVerify(insecureSkipTLSVerify bool) PushOpt {
+	return func(p *Push) {
+		p.insecureSkipTLSverify = insecureSkipTLSVerify
+	}
+}
+
+// WithPlainHTTP configures the use of plain HTTP connections.
+func WithPlainHTTP(plainHTTP bool) PushOpt {
+	return func(p *Push) {
+		p.plainHTTP = plainHTTP
+	}
+}
+
+// WithPushOptWriter sets the registryOut field on the push configuration object.
+func WithPushOptWriter(out io.Writer) PushOpt {
+	return func(p *Push) {
+		p.out = out
+	}
+}
+
+// NewPushWithOpts creates a new push, with configuration options.
+func NewPushWithOpts(opts ...PushOpt) *Push {
+	p := &Push{}
+	for _, fn := range opts {
+		fn(p)
+	}
+	return p
+}
+
+// Run executes 'helm push' against the given chart archive.
+func (p *Push) Run(chartRef string, remote string) (string, error) {
+	var out strings.Builder
+
+	c := uploader.ChartUploader{
+		Out:     &out,
+		Pushers: pusher.All(p.Settings),
+		Options: []pusher.Option{
+			pusher.WithTLSClientConfig(p.certFile, p.keyFile, p.caFile),
+			pusher.WithInsecureSkipTLSVerify(p.insecureSkipTLSverify),
+			pusher.WithPlainHTTP(p.plainHTTP),
+		},
+	}
+
+	if registry.IsOCI(remote) {
+		// Don't use the default registry client if tls options are set.
+		c.Options = append(c.Options, pusher.WithRegistryClient(p.cfg.RegistryClient))
+	}
+
+	return out.String(), c.UploadTo(chartRef, remote)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/registry_login.go b/vendor/helm.sh/helm/v3/pkg/action/registry_login.go
new file mode 100644
index 0000000000..b4e038123a
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/registry_login.go
@@ -0,0 +1,99 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"io"
+
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+// RegistryLogin performs a registry login operation.
+type RegistryLogin struct {
+	cfg       *Configuration
+	certFile  string
+	keyFile   string
+	caFile    string
+	insecure  bool
+	plainHTTP bool
+}
+
+type RegistryLoginOpt func(*RegistryLogin) error
+
+// WithCertFile specifies the path to the certificate file to use for TLS.
+func WithCertFile(certFile string) RegistryLoginOpt {
+	return func(r *RegistryLogin) error {
+		r.certFile = certFile
+		return nil
+	}
+}
+
+// WithInsecure specifies whether to verify certificates.
+func WithInsecure(insecure bool) RegistryLoginOpt {
+	return func(r *RegistryLogin) error {
+		r.insecure = insecure
+		return nil
+	}
+}
+
+// WithKeyFile specifies the path to the key file to use for TLS.
+func WithKeyFile(keyFile string) RegistryLoginOpt {
+	return func(r *RegistryLogin) error {
+		r.keyFile = keyFile
+		return nil
+	}
+}
+
+// WithCAFile specifies the path to the CA file to use for TLS.
+func WithCAFile(caFile string) RegistryLoginOpt {
+	return func(r *RegistryLogin) error {
+		r.caFile = caFile
+		return nil
+	}
+}
+
+// WithPlainHTTPLogin use http rather than https for login.
+func WithPlainHTTPLogin(isPlain bool) RegistryLoginOpt {
+	return func(r *RegistryLogin) error {
+		r.plainHTTP = isPlain
+		return nil
+	}
+}
+
+// NewRegistryLogin creates a new RegistryLogin object with the given configuration.
+func NewRegistryLogin(cfg *Configuration) *RegistryLogin {
+	return &RegistryLogin{
+		cfg: cfg,
+	}
+}
+
+// Run executes the registry login operation
+func (a *RegistryLogin) Run(_ io.Writer, hostname string, username string, password string, opts ...RegistryLoginOpt) error {
+	for _, opt := range opts {
+		if err := opt(a); err != nil {
+			return err
+		}
+	}
+
+	return a.cfg.RegistryClient.Login(
+		hostname,
+		registry.LoginOptBasicAuth(username, password),
+		registry.LoginOptInsecure(a.insecure),
+		registry.LoginOptTLSClientConfig(a.certFile, a.keyFile, a.caFile),
+		registry.LoginOptPlainText(a.plainHTTP),
+	)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/registry_logout.go b/vendor/helm.sh/helm/v3/pkg/action/registry_logout.go
new file mode 100644
index 0000000000..7ce92defcf
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/registry_logout.go
@@ -0,0 +1,38 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"io"
+)
+
+// RegistryLogout performs a registry login operation.
+type RegistryLogout struct {
+	cfg *Configuration
+}
+
+// NewRegistryLogout creates a new RegistryLogout object with the given configuration.
+func NewRegistryLogout(cfg *Configuration) *RegistryLogout {
+	return &RegistryLogout{
+		cfg: cfg,
+	}
+}
+
+// Run executes the registry logout operation
+func (a *RegistryLogout) Run(_ io.Writer, hostname string) error {
+	return a.cfg.RegistryClient.Logout(hostname)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/release_testing.go b/vendor/helm.sh/helm/v3/pkg/action/release_testing.go
new file mode 100644
index 0000000000..aaffe47cae
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/release_testing.go
@@ -0,0 +1,153 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"sort"
+	"time"
+
+	"github.com/pkg/errors"
+	v1 "k8s.io/api/core/v1"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/release"
+)
+
+const (
+	ExcludeNameFilter = "!name"
+	IncludeNameFilter = "name"
+)
+
+// ReleaseTesting is the action for testing a release.
+//
+// It provides the implementation of 'helm test'.
+type ReleaseTesting struct {
+	cfg     *Configuration
+	Timeout time.Duration
+	// Used for fetching logs from test pods
+	Namespace string
+	Filters   map[string][]string
+	HideNotes bool
+}
+
+// NewReleaseTesting creates a new ReleaseTesting object with the given configuration.
+func NewReleaseTesting(cfg *Configuration) *ReleaseTesting {
+	return &ReleaseTesting{
+		cfg:     cfg,
+		Filters: map[string][]string{},
+	}
+}
+
+// Run executes 'helm test' against the given release.
+func (r *ReleaseTesting) Run(name string) (*release.Release, error) {
+	if err := r.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	if err := chartutil.ValidateReleaseName(name); err != nil {
+		return nil, errors.Errorf("releaseTest: Release name is invalid: %s", name)
+	}
+
+	// finds the non-deleted release with the given name
+	rel, err := r.cfg.Releases.Last(name)
+	if err != nil {
+		return rel, err
+	}
+
+	skippedHooks := []*release.Hook{}
+	executingHooks := []*release.Hook{}
+	if len(r.Filters[ExcludeNameFilter]) != 0 {
+		for _, h := range rel.Hooks {
+			if contains(r.Filters[ExcludeNameFilter], h.Name) {
+				skippedHooks = append(skippedHooks, h)
+			} else {
+				executingHooks = append(executingHooks, h)
+			}
+		}
+		rel.Hooks = executingHooks
+	}
+	if len(r.Filters[IncludeNameFilter]) != 0 {
+		executingHooks = nil
+		for _, h := range rel.Hooks {
+			if contains(r.Filters[IncludeNameFilter], h.Name) {
+				executingHooks = append(executingHooks, h)
+			} else {
+				skippedHooks = append(skippedHooks, h)
+			}
+		}
+		rel.Hooks = executingHooks
+	}
+
+	if err := r.cfg.execHook(rel, release.HookTest, r.Timeout); err != nil {
+		rel.Hooks = append(skippedHooks, rel.Hooks...)
+		r.cfg.Releases.Update(rel)
+		return rel, err
+	}
+
+	rel.Hooks = append(skippedHooks, rel.Hooks...)
+	return rel, r.cfg.Releases.Update(rel)
+}
+
+// GetPodLogs will write the logs for all test pods in the given release into
+// the given writer. These can be immediately output to the user or captured for
+// other uses
+func (r *ReleaseTesting) GetPodLogs(out io.Writer, rel *release.Release) error {
+	client, err := r.cfg.KubernetesClientSet()
+	if err != nil {
+		return errors.Wrap(err, "unable to get kubernetes client to fetch pod logs")
+	}
+
+	hooksByWight := append([]*release.Hook{}, rel.Hooks...)
+	sort.Stable(hookByWeight(hooksByWight))
+	for _, h := range hooksByWight {
+		for _, e := range h.Events {
+			if e == release.HookTest {
+				if contains(r.Filters[ExcludeNameFilter], h.Name) {
+					continue
+				}
+				if len(r.Filters[IncludeNameFilter]) > 0 && !contains(r.Filters[IncludeNameFilter], h.Name) {
+					continue
+				}
+				req := client.CoreV1().Pods(r.Namespace).GetLogs(h.Name, &v1.PodLogOptions{})
+				logReader, err := req.Stream(context.Background())
+				if err != nil {
+					return errors.Wrapf(err, "unable to get pod logs for %s", h.Name)
+				}
+
+				fmt.Fprintf(out, "POD LOGS: %s\n", h.Name)
+				_, err = io.Copy(out, logReader)
+				fmt.Fprintln(out)
+				if err != nil {
+					return errors.Wrapf(err, "unable to write pod logs for %s", h.Name)
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func contains(arr []string, value string) bool {
+	for _, item := range arr {
+		if item == value {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/resource_policy.go b/vendor/helm.sh/helm/v3/pkg/action/resource_policy.go
new file mode 100644
index 0000000000..63e83f3d94
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/resource_policy.go
@@ -0,0 +1,46 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"strings"
+
+	"helm.sh/helm/v3/pkg/kube"
+	"helm.sh/helm/v3/pkg/releaseutil"
+)
+
+func filterManifestsToKeep(manifests []releaseutil.Manifest) (keep, remaining []releaseutil.Manifest) {
+	for _, m := range manifests {
+		if m.Head.Metadata == nil || m.Head.Metadata.Annotations == nil || len(m.Head.Metadata.Annotations) == 0 {
+			remaining = append(remaining, m)
+			continue
+		}
+
+		resourcePolicyType, ok := m.Head.Metadata.Annotations[kube.ResourcePolicyAnno]
+		if !ok {
+			remaining = append(remaining, m)
+			continue
+		}
+
+		resourcePolicyType = strings.ToLower(strings.TrimSpace(resourcePolicyType))
+		if resourcePolicyType == kube.KeepPolicy {
+			keep = append(keep, m)
+		}
+
+	}
+	return keep, remaining
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/rollback.go b/vendor/helm.sh/helm/v3/pkg/action/rollback.go
new file mode 100644
index 0000000000..b0be17d130
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/rollback.go
@@ -0,0 +1,265 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/release"
+	helmtime "helm.sh/helm/v3/pkg/time"
+)
+
+// Rollback is the action for rolling back to a given release.
+//
+// It provides the implementation of 'helm rollback'.
+type Rollback struct {
+	cfg *Configuration
+
+	Version       int
+	Timeout       time.Duration
+	Wait          bool
+	WaitForJobs   bool
+	DisableHooks  bool
+	DryRun        bool
+	Recreate      bool // will (if true) recreate pods after a rollback.
+	Force         bool // will (if true) force resource upgrade through uninstall/recreate if needed
+	CleanupOnFail bool
+	MaxHistory    int // MaxHistory limits the maximum number of revisions saved per release
+}
+
+// NewRollback creates a new Rollback object with the given configuration.
+func NewRollback(cfg *Configuration) *Rollback {
+	return &Rollback{
+		cfg: cfg,
+	}
+}
+
+// Run executes 'helm rollback' against the given release.
+func (r *Rollback) Run(name string) error {
+	if err := r.cfg.KubeClient.IsReachable(); err != nil {
+		return err
+	}
+
+	r.cfg.Releases.MaxHistory = r.MaxHistory
+
+	r.cfg.Log("preparing rollback of %s", name)
+	currentRelease, targetRelease, err := r.prepareRollback(name)
+	if err != nil {
+		return err
+	}
+
+	if !r.DryRun {
+		r.cfg.Log("creating rolled back release for %s", name)
+		if err := r.cfg.Releases.Create(targetRelease); err != nil {
+			return err
+		}
+	}
+
+	r.cfg.Log("performing rollback of %s", name)
+	if _, err := r.performRollback(currentRelease, targetRelease); err != nil {
+		return err
+	}
+
+	if !r.DryRun {
+		r.cfg.Log("updating status for rolled back release for %s", name)
+		if err := r.cfg.Releases.Update(targetRelease); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// prepareRollback finds the previous release and prepares a new release object with
+// the previous release's configuration
+func (r *Rollback) prepareRollback(name string) (*release.Release, *release.Release, error) {
+	if err := chartutil.ValidateReleaseName(name); err != nil {
+		return nil, nil, errors.Errorf("prepareRollback: Release name is invalid: %s", name)
+	}
+
+	if r.Version < 0 {
+		return nil, nil, errInvalidRevision
+	}
+
+	currentRelease, err := r.cfg.Releases.Last(name)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	previousVersion := r.Version
+	if r.Version == 0 {
+		previousVersion = currentRelease.Version - 1
+	}
+
+	historyReleases, err := r.cfg.Releases.History(name)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Check if the history version to be rolled back exists
+	previousVersionExist := false
+	for _, historyRelease := range historyReleases {
+		version := historyRelease.Version
+		if previousVersion == version {
+			previousVersionExist = true
+			break
+		}
+	}
+	if !previousVersionExist {
+		return nil, nil, errors.Errorf("release has no %d version", previousVersion)
+	}
+
+	r.cfg.Log("rolling back %s (current: v%d, target: v%d)", name, currentRelease.Version, previousVersion)
+
+	previousRelease, err := r.cfg.Releases.Get(name, previousVersion)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Store a new release object with previous release's configuration
+	targetRelease := &release.Release{
+		Name:      name,
+		Namespace: currentRelease.Namespace,
+		Chart:     previousRelease.Chart,
+		Config:    previousRelease.Config,
+		Info: &release.Info{
+			FirstDeployed: currentRelease.Info.FirstDeployed,
+			LastDeployed:  helmtime.Now(),
+			Status:        release.StatusPendingRollback,
+			Notes:         previousRelease.Info.Notes,
+			// Because we lose the reference to previous version elsewhere, we set the
+			// message here, and only override it later if we experience failure.
+			Description: fmt.Sprintf("Rollback to %d", previousVersion),
+		},
+		Version:  currentRelease.Version + 1,
+		Labels:   previousRelease.Labels,
+		Manifest: previousRelease.Manifest,
+		Hooks:    previousRelease.Hooks,
+	}
+
+	return currentRelease, targetRelease, nil
+}
+
+func (r *Rollback) performRollback(currentRelease, targetRelease *release.Release) (*release.Release, error) {
+	if r.DryRun {
+		r.cfg.Log("dry run for %s", targetRelease.Name)
+		return targetRelease, nil
+	}
+
+	current, err := r.cfg.KubeClient.Build(bytes.NewBufferString(currentRelease.Manifest), false)
+	if err != nil {
+		return targetRelease, errors.Wrap(err, "unable to build kubernetes objects from current release manifest")
+	}
+	target, err := r.cfg.KubeClient.Build(bytes.NewBufferString(targetRelease.Manifest), false)
+	if err != nil {
+		return targetRelease, errors.Wrap(err, "unable to build kubernetes objects from new release manifest")
+	}
+
+	// pre-rollback hooks
+	if !r.DisableHooks {
+		if err := r.cfg.execHook(targetRelease, release.HookPreRollback, r.Timeout); err != nil {
+			return targetRelease, err
+		}
+	} else {
+		r.cfg.Log("rollback hooks disabled for %s", targetRelease.Name)
+	}
+
+	// It is safe to use "force" here because these are resources currently rendered by the chart.
+	err = target.Visit(setMetadataVisitor(targetRelease.Name, targetRelease.Namespace, true))
+	if err != nil {
+		return targetRelease, errors.Wrap(err, "unable to set metadata visitor from target release")
+	}
+	results, err := r.cfg.KubeClient.Update(current, target, r.Force)
+
+	if err != nil {
+		msg := fmt.Sprintf("Rollback %q failed: %s", targetRelease.Name, err)
+		r.cfg.Log("warning: %s", msg)
+		currentRelease.Info.Status = release.StatusSuperseded
+		targetRelease.Info.Status = release.StatusFailed
+		targetRelease.Info.Description = msg
+		r.cfg.recordRelease(currentRelease)
+		r.cfg.recordRelease(targetRelease)
+		if r.CleanupOnFail {
+			r.cfg.Log("Cleanup on fail set, cleaning up %d resources", len(results.Created))
+			_, errs := r.cfg.KubeClient.Delete(results.Created)
+			if errs != nil {
+				var errorList []string
+				for _, e := range errs {
+					errorList = append(errorList, e.Error())
+				}
+				return targetRelease, errors.Wrapf(fmt.Errorf("unable to cleanup resources: %s", strings.Join(errorList, ", ")), "an error occurred while cleaning up resources. original rollback error: %s", err)
+			}
+			r.cfg.Log("Resource cleanup complete")
+		}
+		return targetRelease, err
+	}
+
+	if r.Recreate {
+		// NOTE: Because this is not critical for a release to succeed, we just
+		// log if an error occurs and continue onward. If we ever introduce log
+		// levels, we should make these error level logs so users are notified
+		// that they'll need to go do the cleanup on their own
+		if err := recreate(r.cfg, results.Updated); err != nil {
+			r.cfg.Log(err.Error())
+		}
+	}
+
+	if r.Wait {
+		if r.WaitForJobs {
+			if err := r.cfg.KubeClient.WaitWithJobs(target, r.Timeout); err != nil {
+				targetRelease.SetStatus(release.StatusFailed, fmt.Sprintf("Release %q failed: %s", targetRelease.Name, err.Error()))
+				r.cfg.recordRelease(currentRelease)
+				r.cfg.recordRelease(targetRelease)
+				return targetRelease, errors.Wrapf(err, "release %s failed", targetRelease.Name)
+			}
+		} else {
+			if err := r.cfg.KubeClient.Wait(target, r.Timeout); err != nil {
+				targetRelease.SetStatus(release.StatusFailed, fmt.Sprintf("Release %q failed: %s", targetRelease.Name, err.Error()))
+				r.cfg.recordRelease(currentRelease)
+				r.cfg.recordRelease(targetRelease)
+				return targetRelease, errors.Wrapf(err, "release %s failed", targetRelease.Name)
+			}
+		}
+	}
+
+	// post-rollback hooks
+	if !r.DisableHooks {
+		if err := r.cfg.execHook(targetRelease, release.HookPostRollback, r.Timeout); err != nil {
+			return targetRelease, err
+		}
+	}
+
+	deployed, err := r.cfg.Releases.DeployedAll(currentRelease.Name)
+	if err != nil && !strings.Contains(err.Error(), "has no deployed releases") {
+		return nil, err
+	}
+	// Supersede all previous deployments, see issue #2941.
+	for _, rel := range deployed {
+		r.cfg.Log("superseding previous deployment %d", rel.Version)
+		rel.Info.Status = release.StatusSuperseded
+		r.cfg.recordRelease(rel)
+	}
+
+	targetRelease.Info.Status = release.StatusDeployed
+
+	return targetRelease, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/show.go b/vendor/helm.sh/helm/v3/pkg/action/show.go
new file mode 100644
index 0000000000..6ed855b83f
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/show.go
@@ -0,0 +1,165 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+
+	"github.com/pkg/errors"
+	"k8s.io/cli-runtime/pkg/printers"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+// ShowOutputFormat is the format of the output of `helm show`
+type ShowOutputFormat string
+
+const (
+	// ShowAll is the format which shows all the information of a chart
+	ShowAll ShowOutputFormat = "all"
+	// ShowChart is the format which only shows the chart's definition
+	ShowChart ShowOutputFormat = "chart"
+	// ShowValues is the format which only shows the chart's values
+	ShowValues ShowOutputFormat = "values"
+	// ShowReadme is the format which only shows the chart's README
+	ShowReadme ShowOutputFormat = "readme"
+	// ShowCRDs is the format which only shows the chart's CRDs
+	ShowCRDs ShowOutputFormat = "crds"
+)
+
+var readmeFileNames = []string{"readme.md", "readme.txt", "readme"}
+
+func (o ShowOutputFormat) String() string {
+	return string(o)
+}
+
+// Show is the action for checking a given release's information.
+//
+// It provides the implementation of 'helm show' and its respective subcommands.
+type Show struct {
+	ChartPathOptions
+	Devel            bool
+	OutputFormat     ShowOutputFormat
+	JSONPathTemplate string
+	chart            *chart.Chart // for testing
+}
+
+// NewShow creates a new Show object with the given configuration.
+// Deprecated: Use NewShowWithConfig
+// TODO Helm 4: Fold NewShowWithConfig back into NewShow
+func NewShow(output ShowOutputFormat) *Show {
+	return &Show{
+		OutputFormat: output,
+	}
+}
+
+// NewShowWithConfig creates a new Show object with the given configuration.
+func NewShowWithConfig(output ShowOutputFormat, cfg *Configuration) *Show {
+	sh := &Show{
+		OutputFormat: output,
+	}
+	sh.ChartPathOptions.registryClient = cfg.RegistryClient
+
+	return sh
+}
+
+// SetRegistryClient sets the registry client to use when pulling a chart from a registry.
+func (s *Show) SetRegistryClient(client *registry.Client) {
+	s.ChartPathOptions.registryClient = client
+}
+
+// Run executes 'helm show' against the given release.
+func (s *Show) Run(chartpath string) (string, error) {
+	if s.chart == nil {
+		chrt, err := loader.Load(chartpath)
+		if err != nil {
+			return "", err
+		}
+		s.chart = chrt
+	}
+	cf, err := yaml.Marshal(s.chart.Metadata)
+	if err != nil {
+		return "", err
+	}
+
+	var out strings.Builder
+	if s.OutputFormat == ShowChart || s.OutputFormat == ShowAll {
+		fmt.Fprintf(&out, "%s\n", cf)
+	}
+
+	if (s.OutputFormat == ShowValues || s.OutputFormat == ShowAll) && s.chart.Values != nil {
+		if s.OutputFormat == ShowAll {
+			fmt.Fprintln(&out, "---")
+		}
+		if s.JSONPathTemplate != "" {
+			printer, err := printers.NewJSONPathPrinter(s.JSONPathTemplate)
+			if err != nil {
+				return "", errors.Wrapf(err, "error parsing jsonpath %s", s.JSONPathTemplate)
+			}
+			printer.Execute(&out, s.chart.Values)
+		} else {
+			for _, f := range s.chart.Raw {
+				if f.Name == chartutil.ValuesfileName {
+					fmt.Fprintln(&out, string(f.Data))
+				}
+			}
+		}
+	}
+
+	if s.OutputFormat == ShowReadme || s.OutputFormat == ShowAll {
+		readme := findReadme(s.chart.Files)
+		if readme != nil {
+			if s.OutputFormat == ShowAll {
+				fmt.Fprintln(&out, "---")
+			}
+			fmt.Fprintf(&out, "%s\n", readme.Data)
+		}
+	}
+
+	if s.OutputFormat == ShowCRDs || s.OutputFormat == ShowAll {
+		crds := s.chart.CRDObjects()
+		if len(crds) > 0 {
+			if s.OutputFormat == ShowAll && !bytes.HasPrefix(crds[0].File.Data, []byte("---")) {
+				fmt.Fprintln(&out, "---")
+			}
+			for _, crd := range crds {
+				fmt.Fprintf(&out, "%s\n", string(crd.File.Data))
+			}
+		}
+	}
+	return out.String(), nil
+}
+
+func findReadme(files []*chart.File) (file *chart.File) {
+	for _, file := range files {
+		for _, n := range readmeFileNames {
+			if file == nil {
+				continue
+			}
+			if strings.EqualFold(file.Name, n) {
+				return file
+			}
+		}
+	}
+	return nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/status.go b/vendor/helm.sh/helm/v3/pkg/action/status.go
new file mode 100644
index 0000000000..ee1c9d6138
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/status.go
@@ -0,0 +1,95 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"bytes"
+	"errors"
+
+	"helm.sh/helm/v3/pkg/kube"
+	"helm.sh/helm/v3/pkg/release"
+)
+
+// Status is the action for checking the deployment status of releases.
+//
+// It provides the implementation of 'helm status'.
+type Status struct {
+	cfg *Configuration
+
+	Version int
+
+	// If true, display description to output format,
+	// only affect print type table.
+	// TODO Helm 4: Remove this flag and output the description by default.
+	ShowDescription bool
+
+	// ShowResources sets if the resources should be retrieved with the status.
+	// TODO Helm 4: Remove this flag and output the resources by default.
+	ShowResources bool
+
+	// ShowResourcesTable is used with ShowResources. When true this will cause
+	// the resulting objects to be retrieved as a kind=table.
+	ShowResourcesTable bool
+}
+
+// NewStatus creates a new Status object with the given configuration.
+func NewStatus(cfg *Configuration) *Status {
+	return &Status{
+		cfg: cfg,
+	}
+}
+
+// Run executes 'helm status' against the given release.
+func (s *Status) Run(name string) (*release.Release, error) {
+	if err := s.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	if !s.ShowResources {
+		return s.cfg.releaseContent(name, s.Version)
+	}
+
+	rel, err := s.cfg.releaseContent(name, s.Version)
+	if err != nil {
+		return nil, err
+	}
+
+	if kubeClient, ok := s.cfg.KubeClient.(kube.InterfaceResources); ok {
+		var resources kube.ResourceList
+		if s.ShowResourcesTable {
+			resources, err = kubeClient.BuildTable(bytes.NewBufferString(rel.Manifest), false)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			resources, err = s.cfg.KubeClient.Build(bytes.NewBufferString(rel.Manifest), false)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		resp, err := kubeClient.Get(resources, true)
+		if err != nil {
+			return nil, err
+		}
+
+		rel.Info.Resources = resp
+
+		return rel, nil
+	}
+	return nil, errors.New("unable to get kubeClient with interface InterfaceResources")
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/uninstall.go b/vendor/helm.sh/helm/v3/pkg/action/uninstall.go
new file mode 100644
index 0000000000..ac0c4fee8c
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/uninstall.go
@@ -0,0 +1,247 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/kube"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/releaseutil"
+	helmtime "helm.sh/helm/v3/pkg/time"
+)
+
+// Uninstall is the action for uninstalling releases.
+//
+// It provides the implementation of 'helm uninstall'.
+type Uninstall struct {
+	cfg *Configuration
+
+	DisableHooks        bool
+	DryRun              bool
+	IgnoreNotFound      bool
+	KeepHistory         bool
+	Wait                bool
+	DeletionPropagation string
+	Timeout             time.Duration
+	Description         string
+}
+
+// NewUninstall creates a new Uninstall object with the given configuration.
+func NewUninstall(cfg *Configuration) *Uninstall {
+	return &Uninstall{
+		cfg: cfg,
+	}
+}
+
+// Run uninstalls the given release.
+func (u *Uninstall) Run(name string) (*release.UninstallReleaseResponse, error) {
+	if err := u.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	if u.DryRun {
+		// In the dry run case, just see if the release exists
+		r, err := u.cfg.releaseContent(name, 0)
+		if err != nil {
+			return &release.UninstallReleaseResponse{}, err
+		}
+		return &release.UninstallReleaseResponse{Release: r}, nil
+	}
+
+	if err := chartutil.ValidateReleaseName(name); err != nil {
+		return nil, errors.Errorf("uninstall: Release name is invalid: %s", name)
+	}
+
+	rels, err := u.cfg.Releases.History(name)
+	if err != nil {
+		if u.IgnoreNotFound {
+			return nil, nil
+		}
+		return nil, errors.Wrapf(err, "uninstall: Release not loaded: %s", name)
+	}
+	if len(rels) < 1 {
+		return nil, errMissingRelease
+	}
+
+	releaseutil.SortByRevision(rels)
+	rel := rels[len(rels)-1]
+
+	// TODO: Are there any cases where we want to force a delete even if it's
+	// already marked deleted?
+	if rel.Info.Status == release.StatusUninstalled {
+		if !u.KeepHistory {
+			if err := u.purgeReleases(rels...); err != nil {
+				return nil, errors.Wrap(err, "uninstall: Failed to purge the release")
+			}
+			return &release.UninstallReleaseResponse{Release: rel}, nil
+		}
+		return nil, errors.Errorf("the release named %q is already deleted", name)
+	}
+
+	u.cfg.Log("uninstall: Deleting %s", name)
+	rel.Info.Status = release.StatusUninstalling
+	rel.Info.Deleted = helmtime.Now()
+	rel.Info.Description = "Deletion in progress (or silently failed)"
+	res := &release.UninstallReleaseResponse{Release: rel}
+
+	if !u.DisableHooks {
+		if err := u.cfg.execHook(rel, release.HookPreDelete, u.Timeout); err != nil {
+			return res, err
+		}
+	} else {
+		u.cfg.Log("delete hooks disabled for %s", name)
+	}
+
+	// From here on out, the release is currently considered to be in StatusUninstalling
+	// state.
+	if err := u.cfg.Releases.Update(rel); err != nil {
+		u.cfg.Log("uninstall: Failed to store updated release: %s", err)
+	}
+
+	deletedResources, kept, errs := u.deleteRelease(rel)
+	if errs != nil {
+		u.cfg.Log("uninstall: Failed to delete release: %s", errs)
+		return nil, errors.Errorf("failed to delete release: %s", name)
+	}
+
+	if kept != "" {
+		kept = "These resources were kept due to the resource policy:\n" + kept
+	}
+	res.Info = kept
+
+	if u.Wait {
+		if kubeClient, ok := u.cfg.KubeClient.(kube.InterfaceExt); ok {
+			if err := kubeClient.WaitForDelete(deletedResources, u.Timeout); err != nil {
+				errs = append(errs, err)
+			}
+		}
+	}
+
+	if !u.DisableHooks {
+		if err := u.cfg.execHook(rel, release.HookPostDelete, u.Timeout); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	rel.Info.Status = release.StatusUninstalled
+	if len(u.Description) > 0 {
+		rel.Info.Description = u.Description
+	} else {
+		rel.Info.Description = "Uninstallation complete"
+	}
+
+	if !u.KeepHistory {
+		u.cfg.Log("purge requested for %s", name)
+		err := u.purgeReleases(rels...)
+		if err != nil {
+			errs = append(errs, errors.Wrap(err, "uninstall: Failed to purge the release"))
+		}
+
+		// Return the errors that occurred while deleting the release, if any
+		if len(errs) > 0 {
+			return res, errors.Errorf("uninstallation completed with %d error(s): %s", len(errs), joinErrors(errs))
+		}
+
+		return res, nil
+	}
+
+	if err := u.cfg.Releases.Update(rel); err != nil {
+		u.cfg.Log("uninstall: Failed to store updated release: %s", err)
+	}
+
+	if len(errs) > 0 {
+		return res, errors.Errorf("uninstallation completed with %d error(s): %s", len(errs), joinErrors(errs))
+	}
+	return res, nil
+}
+
+func (u *Uninstall) purgeReleases(rels ...*release.Release) error {
+	for _, rel := range rels {
+		if _, err := u.cfg.Releases.Delete(rel.Name, rel.Version); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func joinErrors(errs []error) string {
+	es := make([]string, 0, len(errs))
+	for _, e := range errs {
+		es = append(es, e.Error())
+	}
+	return strings.Join(es, "; ")
+}
+
+// deleteRelease deletes the release and returns list of delete resources and manifests that were kept in the deletion process
+func (u *Uninstall) deleteRelease(rel *release.Release) (kube.ResourceList, string, []error) {
+	var errs []error
+
+	manifests := releaseutil.SplitManifests(rel.Manifest)
+	_, files, err := releaseutil.SortManifests(manifests, nil, releaseutil.UninstallOrder)
+	if err != nil {
+		// We could instead just delete everything in no particular order.
+		// FIXME: One way to delete at this point would be to try a label-based
+		// deletion. The problem with this is that we could get a false positive
+		// and delete something that was not legitimately part of this release.
+		return nil, rel.Manifest, []error{errors.Wrap(err, "corrupted release record. You must manually delete the resources")}
+	}
+
+	filesToKeep, filesToDelete := filterManifestsToKeep(files)
+	var kept string
+	for _, f := range filesToKeep {
+		kept += "[" + f.Head.Kind + "] " + f.Head.Metadata.Name + "\n"
+	}
+
+	var builder strings.Builder
+	for _, file := range filesToDelete {
+		builder.WriteString("\n---\n" + file.Content)
+	}
+
+	resources, err := u.cfg.KubeClient.Build(strings.NewReader(builder.String()), false)
+	if err != nil {
+		return nil, "", []error{errors.Wrap(err, "unable to build kubernetes objects for delete")}
+	}
+	if len(resources) > 0 {
+		if kubeClient, ok := u.cfg.KubeClient.(kube.InterfaceDeletionPropagation); ok {
+			_, errs = kubeClient.DeleteWithPropagationPolicy(resources, parseCascadingFlag(u.cfg, u.DeletionPropagation))
+			return resources, kept, errs
+		}
+		_, errs = u.cfg.KubeClient.Delete(resources)
+	}
+	return resources, kept, errs
+}
+
+func parseCascadingFlag(cfg *Configuration, cascadingFlag string) v1.DeletionPropagation {
+	switch cascadingFlag {
+	case "orphan":
+		return v1.DeletePropagationOrphan
+	case "foreground":
+		return v1.DeletePropagationForeground
+	case "background":
+		return v1.DeletePropagationBackground
+	default:
+		cfg.Log("uninstall: given cascade value: %s, defaulting to delete propagation background", cascadingFlag)
+		return v1.DeletePropagationBackground
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/upgrade.go b/vendor/helm.sh/helm/v3/pkg/action/upgrade.go
new file mode 100644
index 0000000000..a08d68495f
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/upgrade.go
@@ -0,0 +1,646 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/pkg/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/resource"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/kube"
+	"helm.sh/helm/v3/pkg/postrender"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/releaseutil"
+	"helm.sh/helm/v3/pkg/storage/driver"
+)
+
+// Upgrade is the action for upgrading releases.
+//
+// It provides the implementation of 'helm upgrade'.
+type Upgrade struct {
+	cfg *Configuration
+
+	ChartPathOptions
+
+	// Install is a purely informative flag that indicates whether this upgrade was done in "install" mode.
+	//
+	// Applications may use this to determine whether this Upgrade operation was done as part of a
+	// pure upgrade (Upgrade.Install == false) or as part of an install-or-upgrade operation
+	// (Upgrade.Install == true).
+	//
+	// Setting this to `true` will NOT cause `Upgrade` to perform an install if the release does not exist.
+	// That process must be handled by creating an Install action directly. See cmd/upgrade.go for an
+	// example of how this flag is used.
+	Install bool
+	// Devel indicates that the operation is done in devel mode.
+	Devel bool
+	// Namespace is the namespace in which this operation should be performed.
+	Namespace string
+	// SkipCRDs skips installing CRDs when install flag is enabled during upgrade
+	SkipCRDs bool
+	// Timeout is the timeout for this operation
+	Timeout time.Duration
+	// Wait determines whether the wait operation should be performed after the upgrade is requested.
+	Wait bool
+	// WaitForJobs determines whether the wait operation for the Jobs should be performed after the upgrade is requested.
+	WaitForJobs bool
+	// DisableHooks disables hook processing if set to true.
+	DisableHooks bool
+	// DryRun controls whether the operation is prepared, but not executed.
+	DryRun bool
+	// DryRunOption controls whether the operation is prepared, but not executed with options on whether or not to interact with the remote cluster.
+	DryRunOption string
+	// HideSecret can be set to true when DryRun is enabled in order to hide
+	// Kubernetes Secrets in the output. It cannot be used outside of DryRun.
+	HideSecret bool
+	// Force will, if set to `true`, ignore certain warnings and perform the upgrade anyway.
+	//
+	// This should be used with caution.
+	Force bool
+	// ResetValues will reset the values to the chart's built-ins rather than merging with existing.
+	ResetValues bool
+	// ReuseValues will re-use the user's last supplied values.
+	ReuseValues bool
+	// ResetThenReuseValues will reset the values to the chart's built-ins then merge with user's last supplied values.
+	ResetThenReuseValues bool
+	// Recreate will (if true) recreate pods after a rollback.
+	Recreate bool
+	// MaxHistory limits the maximum number of revisions saved per release
+	MaxHistory int
+	// Atomic, if true, will roll back on failure.
+	Atomic bool
+	// CleanupOnFail will, if true, cause the upgrade to delete newly-created resources on a failed update.
+	CleanupOnFail bool
+	// SubNotes determines whether sub-notes are rendered in the chart.
+	SubNotes bool
+	// HideNotes determines whether notes are output during upgrade
+	HideNotes bool
+	// SkipSchemaValidation determines if JSON schema validation is disabled.
+	SkipSchemaValidation bool
+	// Description is the description of this operation
+	Description string
+	Labels      map[string]string
+	// PostRender is an optional post-renderer
+	//
+	// If this is non-nil, then after templates are rendered, they will be sent to the
+	// post renderer before sending to the Kubernetes API server.
+	PostRenderer postrender.PostRenderer
+	// DisableOpenAPIValidation controls whether OpenAPI validation is enforced.
+	DisableOpenAPIValidation bool
+	// Get missing dependencies
+	DependencyUpdate bool
+	// Lock to control raceconditions when the process receives a SIGTERM
+	Lock sync.Mutex
+	// Enable DNS lookups when rendering templates
+	EnableDNS bool
+	// TakeOwnership will skip the check for helm annotations and adopt all existing resources.
+	TakeOwnership bool
+}
+
+type resultMessage struct {
+	r *release.Release
+	e error
+}
+
+// NewUpgrade creates a new Upgrade object with the given configuration.
+func NewUpgrade(cfg *Configuration) *Upgrade {
+	up := &Upgrade{
+		cfg: cfg,
+	}
+	up.ChartPathOptions.registryClient = cfg.RegistryClient
+
+	return up
+}
+
+// SetRegistryClient sets the registry client to use when fetching charts.
+func (u *Upgrade) SetRegistryClient(client *registry.Client) {
+	u.ChartPathOptions.registryClient = client
+}
+
+// Run executes the upgrade on the given release.
+func (u *Upgrade) Run(name string, chart *chart.Chart, vals map[string]interface{}) (*release.Release, error) {
+	ctx := context.Background()
+	return u.RunWithContext(ctx, name, chart, vals)
+}
+
+// RunWithContext executes the upgrade on the given release with context.
+func (u *Upgrade) RunWithContext(ctx context.Context, name string, chart *chart.Chart, vals map[string]interface{}) (*release.Release, error) {
+	if err := u.cfg.KubeClient.IsReachable(); err != nil {
+		return nil, err
+	}
+
+	// Make sure if Atomic is set, that wait is set as well. This makes it so
+	// the user doesn't have to specify both
+	u.Wait = u.Wait || u.Atomic
+
+	if err := chartutil.ValidateReleaseName(name); err != nil {
+		return nil, errors.Errorf("release name is invalid: %s", name)
+	}
+
+	u.cfg.Log("preparing upgrade for %s", name)
+	currentRelease, upgradedRelease, err := u.prepareUpgrade(name, chart, vals)
+	if err != nil {
+		return nil, err
+	}
+
+	u.cfg.Releases.MaxHistory = u.MaxHistory
+
+	u.cfg.Log("performing update for %s", name)
+	res, err := u.performUpgrade(ctx, currentRelease, upgradedRelease)
+	if err != nil {
+		return res, err
+	}
+
+	// Do not update for dry runs
+	if !u.isDryRun() {
+		u.cfg.Log("updating status for upgraded release for %s", name)
+		if err := u.cfg.Releases.Update(upgradedRelease); err != nil {
+			return res, err
+		}
+	}
+
+	return res, nil
+}
+
+// isDryRun returns true if Upgrade is set to run as a DryRun
+func (u *Upgrade) isDryRun() bool {
+	if u.DryRun || u.DryRunOption == "client" || u.DryRunOption == "server" || u.DryRunOption == "true" {
+		return true
+	}
+	return false
+}
+
+// prepareUpgrade builds an upgraded release for an upgrade operation.
+func (u *Upgrade) prepareUpgrade(name string, chart *chart.Chart, vals map[string]interface{}) (*release.Release, *release.Release, error) {
+	if chart == nil {
+		return nil, nil, errMissingChart
+	}
+
+	// HideSecret must be used with dry run. Otherwise, return an error.
+	if !u.isDryRun() && u.HideSecret {
+		return nil, nil, errors.New("Hiding Kubernetes secrets requires a dry-run mode")
+	}
+
+	// finds the last non-deleted release with the given name
+	lastRelease, err := u.cfg.Releases.Last(name)
+	if err != nil {
+		// to keep existing behavior of returning the "%q has no deployed releases" error when an existing release does not exist
+		if errors.Is(err, driver.ErrReleaseNotFound) {
+			return nil, nil, driver.NewErrNoDeployedReleases(name)
+		}
+		return nil, nil, err
+	}
+
+	// Concurrent `helm upgrade`s will either fail here with `errPending` or when creating the release with "already exists". This should act as a pessimistic lock.
+	if lastRelease.Info.Status.IsPending() {
+		return nil, nil, errPending
+	}
+
+	var currentRelease *release.Release
+	if lastRelease.Info.Status == release.StatusDeployed {
+		// no need to retrieve the last deployed release from storage as the last release is deployed
+		currentRelease = lastRelease
+	} else {
+		// finds the deployed release with the given name
+		currentRelease, err = u.cfg.Releases.Deployed(name)
+		if err != nil {
+			if errors.Is(err, driver.ErrNoDeployedReleases) &&
+				(lastRelease.Info.Status == release.StatusFailed || lastRelease.Info.Status == release.StatusSuperseded) {
+				currentRelease = lastRelease
+			} else {
+				return nil, nil, err
+			}
+		}
+	}
+
+	// determine if values will be reused
+	vals, err = u.reuseValues(chart, currentRelease, vals)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if err := chartutil.ProcessDependenciesWithMerge(chart, vals); err != nil {
+		return nil, nil, err
+	}
+
+	// Increment revision count. This is passed to templates, and also stored on
+	// the release object.
+	revision := lastRelease.Version + 1
+
+	options := chartutil.ReleaseOptions{
+		Name:      name,
+		Namespace: currentRelease.Namespace,
+		Revision:  revision,
+		IsUpgrade: true,
+	}
+
+	caps, err := u.cfg.getCapabilities()
+	if err != nil {
+		return nil, nil, err
+	}
+	valuesToRender, err := chartutil.ToRenderValuesWithSchemaValidation(chart, vals, options, caps, u.SkipSchemaValidation)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Determine whether or not to interact with remote
+	var interactWithRemote bool
+	if !u.isDryRun() || u.DryRunOption == "server" || u.DryRunOption == "none" || u.DryRunOption == "false" {
+		interactWithRemote = true
+	}
+
+	hooks, manifestDoc, notesTxt, err := u.cfg.renderResources(chart, valuesToRender, "", "", u.SubNotes, false, false, u.PostRenderer, interactWithRemote, u.EnableDNS, u.HideSecret)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if driver.ContainsSystemLabels(u.Labels) {
+		return nil, nil, fmt.Errorf("user supplied labels contains system reserved label name. System labels: %+v", driver.GetSystemLabels())
+	}
+
+	// Store an upgraded release.
+	upgradedRelease := &release.Release{
+		Name:      name,
+		Namespace: currentRelease.Namespace,
+		Chart:     chart,
+		Config:    vals,
+		Info: &release.Info{
+			FirstDeployed: currentRelease.Info.FirstDeployed,
+			LastDeployed:  Timestamper(),
+			Status:        release.StatusPendingUpgrade,
+			Description:   "Preparing upgrade", // This should be overwritten later.
+		},
+		Version:  revision,
+		Manifest: manifestDoc.String(),
+		Hooks:    hooks,
+		Labels:   mergeCustomLabels(lastRelease.Labels, u.Labels),
+	}
+
+	if len(notesTxt) > 0 {
+		upgradedRelease.Info.Notes = notesTxt
+	}
+	err = validateManifest(u.cfg.KubeClient, manifestDoc.Bytes(), !u.DisableOpenAPIValidation)
+	return currentRelease, upgradedRelease, err
+}
+
+func (u *Upgrade) performUpgrade(ctx context.Context, originalRelease, upgradedRelease *release.Release) (*release.Release, error) {
+	current, err := u.cfg.KubeClient.Build(bytes.NewBufferString(originalRelease.Manifest), false)
+	if err != nil {
+		// Checking for removed Kubernetes API error so can provide a more informative error message to the user
+		// Ref: https://github.com/helm/helm/issues/7219
+		if strings.Contains(err.Error(), "unable to recognize \"\": no matches for kind") {
+			return upgradedRelease, errors.Wrap(err, "current release manifest contains removed kubernetes api(s) for this "+
+				"kubernetes version and it is therefore unable to build the kubernetes "+
+				"objects for performing the diff. error from kubernetes")
+		}
+		return upgradedRelease, errors.Wrap(err, "unable to build kubernetes objects from current release manifest")
+	}
+	target, err := u.cfg.KubeClient.Build(bytes.NewBufferString(upgradedRelease.Manifest), !u.DisableOpenAPIValidation)
+	if err != nil {
+		return upgradedRelease, errors.Wrap(err, "unable to build kubernetes objects from new release manifest")
+	}
+
+	// It is safe to use force only on target because these are resources currently rendered by the chart.
+	err = target.Visit(setMetadataVisitor(upgradedRelease.Name, upgradedRelease.Namespace, true))
+	if err != nil {
+		return upgradedRelease, err
+	}
+
+	// Do a basic diff using gvk + name to figure out what new resources are being created so we can validate they don't already exist
+	existingResources := make(map[string]bool)
+	for _, r := range current {
+		existingResources[objectKey(r)] = true
+	}
+
+	var toBeCreated kube.ResourceList
+	for _, r := range target {
+		if !existingResources[objectKey(r)] {
+			toBeCreated = append(toBeCreated, r)
+		}
+	}
+
+	var toBeUpdated kube.ResourceList
+	if u.TakeOwnership {
+		toBeUpdated, err = requireAdoption(toBeCreated)
+	} else {
+		toBeUpdated, err = existingResourceConflict(toBeCreated, upgradedRelease.Name, upgradedRelease.Namespace)
+	}
+	if err != nil {
+		return nil, errors.Wrap(err, "Unable to continue with update")
+	}
+
+	toBeUpdated.Visit(func(r *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+		current.Append(r)
+		return nil
+	})
+
+	// Run if it is a dry run
+	if u.isDryRun() {
+		u.cfg.Log("dry run for %s", upgradedRelease.Name)
+		if len(u.Description) > 0 {
+			upgradedRelease.Info.Description = u.Description
+		} else {
+			upgradedRelease.Info.Description = "Dry run complete"
+		}
+		return upgradedRelease, nil
+	}
+
+	u.cfg.Log("creating upgraded release for %s", upgradedRelease.Name)
+	if err := u.cfg.Releases.Create(upgradedRelease); err != nil {
+		return nil, err
+	}
+	rChan := make(chan resultMessage)
+	ctxChan := make(chan resultMessage)
+	doneChan := make(chan interface{})
+	defer close(doneChan)
+	go u.releasingUpgrade(rChan, upgradedRelease, current, target, originalRelease)
+	go u.handleContext(ctx, doneChan, ctxChan, upgradedRelease)
+	select {
+	case result := <-rChan:
+		return result.r, result.e
+	case result := <-ctxChan:
+		return result.r, result.e
+	}
+}
+
+// Function used to lock the Mutex, this is important for the case when the atomic flag is set.
+// In that case the upgrade will finish before the rollback is finished so it is necessary to wait for the rollback to finish.
+// The rollback will be trigger by the function failRelease
+func (u *Upgrade) reportToPerformUpgrade(c chan<- resultMessage, rel *release.Release, created kube.ResourceList, err error) {
+	u.Lock.Lock()
+	if err != nil {
+		rel, err = u.failRelease(rel, created, err)
+	}
+	c <- resultMessage{r: rel, e: err}
+	u.Lock.Unlock()
+}
+
+// Setup listener for SIGINT and SIGTERM
+func (u *Upgrade) handleContext(ctx context.Context, done chan interface{}, c chan<- resultMessage, upgradedRelease *release.Release) {
+	select {
+	case <-ctx.Done():
+		err := ctx.Err()
+
+		// when the atomic flag is set the ongoing release finish first and doesn't give time for the rollback happens.
+		u.reportToPerformUpgrade(c, upgradedRelease, kube.ResourceList{}, err)
+	case <-done:
+		return
+	}
+}
+func (u *Upgrade) releasingUpgrade(c chan<- resultMessage, upgradedRelease *release.Release, current kube.ResourceList, target kube.ResourceList, originalRelease *release.Release) {
+	// pre-upgrade hooks
+
+	if !u.DisableHooks {
+		if err := u.cfg.execHook(upgradedRelease, release.HookPreUpgrade, u.Timeout); err != nil {
+			u.reportToPerformUpgrade(c, upgradedRelease, kube.ResourceList{}, fmt.Errorf("pre-upgrade hooks failed: %s", err))
+			return
+		}
+	} else {
+		u.cfg.Log("upgrade hooks disabled for %s", upgradedRelease.Name)
+	}
+
+	results, err := u.cfg.KubeClient.Update(current, target, u.Force)
+	if err != nil {
+		u.cfg.recordRelease(originalRelease)
+		u.reportToPerformUpgrade(c, upgradedRelease, results.Created, err)
+		return
+	}
+
+	if u.Recreate {
+		// NOTE: Because this is not critical for a release to succeed, we just
+		// log if an error occurs and continue onward. If we ever introduce log
+		// levels, we should make these error level logs so users are notified
+		// that they'll need to go do the cleanup on their own
+		if err := recreate(u.cfg, results.Updated); err != nil {
+			u.cfg.Log(err.Error())
+		}
+	}
+
+	if u.Wait {
+		u.cfg.Log(
+			"waiting for release %s resources (created: %d updated: %d  deleted: %d)",
+			upgradedRelease.Name, len(results.Created), len(results.Updated), len(results.Deleted))
+		if u.WaitForJobs {
+			if err := u.cfg.KubeClient.WaitWithJobs(target, u.Timeout); err != nil {
+				u.cfg.recordRelease(originalRelease)
+				u.reportToPerformUpgrade(c, upgradedRelease, results.Created, err)
+				return
+			}
+		} else {
+			if err := u.cfg.KubeClient.Wait(target, u.Timeout); err != nil {
+				u.cfg.recordRelease(originalRelease)
+				u.reportToPerformUpgrade(c, upgradedRelease, results.Created, err)
+				return
+			}
+		}
+	}
+
+	// post-upgrade hooks
+	if !u.DisableHooks {
+		if err := u.cfg.execHook(upgradedRelease, release.HookPostUpgrade, u.Timeout); err != nil {
+			u.reportToPerformUpgrade(c, upgradedRelease, results.Created, fmt.Errorf("post-upgrade hooks failed: %s", err))
+			return
+		}
+	}
+
+	originalRelease.Info.Status = release.StatusSuperseded
+	u.cfg.recordRelease(originalRelease)
+
+	upgradedRelease.Info.Status = release.StatusDeployed
+	if len(u.Description) > 0 {
+		upgradedRelease.Info.Description = u.Description
+	} else {
+		upgradedRelease.Info.Description = "Upgrade complete"
+	}
+	u.reportToPerformUpgrade(c, upgradedRelease, nil, nil)
+}
+
+func (u *Upgrade) failRelease(rel *release.Release, created kube.ResourceList, err error) (*release.Release, error) {
+	msg := fmt.Sprintf("Upgrade %q failed: %s", rel.Name, err)
+	u.cfg.Log("warning: %s", msg)
+
+	rel.Info.Status = release.StatusFailed
+	rel.Info.Description = msg
+	u.cfg.recordRelease(rel)
+	if u.CleanupOnFail && len(created) > 0 {
+		u.cfg.Log("Cleanup on fail set, cleaning up %d resources", len(created))
+		_, errs := u.cfg.KubeClient.Delete(created)
+		if errs != nil {
+			var errorList []string
+			for _, e := range errs {
+				errorList = append(errorList, e.Error())
+			}
+			return rel, errors.Wrapf(fmt.Errorf("unable to cleanup resources: %s", strings.Join(errorList, ", ")), "an error occurred while cleaning up resources. original upgrade error: %s", err)
+		}
+		u.cfg.Log("Resource cleanup complete")
+	}
+	if u.Atomic {
+		u.cfg.Log("Upgrade failed and atomic is set, rolling back to last successful release")
+
+		// As a protection, get the last successful release before rollback.
+		// If there are no successful releases, bail out
+		hist := NewHistory(u.cfg)
+		fullHistory, herr := hist.Run(rel.Name)
+		if herr != nil {
+			return rel, errors.Wrapf(herr, "an error occurred while finding last successful release. original upgrade error: %s", err)
+		}
+
+		// There isn't a way to tell if a previous release was successful, but
+		// generally failed releases do not get superseded unless the next
+		// release is successful, so this should be relatively safe
+		filteredHistory := releaseutil.FilterFunc(func(r *release.Release) bool {
+			return r.Info.Status == release.StatusSuperseded || r.Info.Status == release.StatusDeployed
+		}).Filter(fullHistory)
+		if len(filteredHistory) == 0 {
+			return rel, errors.Wrap(err, "unable to find a previously successful release when attempting to rollback. original upgrade error")
+		}
+
+		releaseutil.Reverse(filteredHistory, releaseutil.SortByRevision)
+
+		rollin := NewRollback(u.cfg)
+		rollin.Version = filteredHistory[0].Version
+		rollin.Wait = true
+		rollin.WaitForJobs = u.WaitForJobs
+		rollin.DisableHooks = u.DisableHooks
+		rollin.Recreate = u.Recreate
+		rollin.Force = u.Force
+		rollin.Timeout = u.Timeout
+		if rollErr := rollin.Run(rel.Name); rollErr != nil {
+			return rel, errors.Wrapf(rollErr, "an error occurred while rolling back the release. original upgrade error: %s", err)
+		}
+		return rel, errors.Wrapf(err, "release %s failed, and has been rolled back due to atomic being set", rel.Name)
+	}
+
+	return rel, err
+}
+
+// reuseValues copies values from the current release to a new release if the
+// new release does not have any values.
+//
+// If the request already has values, or if there are no values in the current
+// release, this does nothing.
+//
+// This is skipped if the u.ResetValues flag is set, in which case the
+// request values are not altered.
+func (u *Upgrade) reuseValues(chart *chart.Chart, current *release.Release, newVals map[string]interface{}) (map[string]interface{}, error) {
+	if u.ResetValues {
+		// If ResetValues is set, we completely ignore current.Config.
+		u.cfg.Log("resetting values to the chart's original version")
+		return newVals, nil
+	}
+
+	// If the ReuseValues flag is set, we always copy the old values over the new config's values.
+	if u.ReuseValues {
+		u.cfg.Log("reusing the old release's values")
+
+		// We have to regenerate the old coalesced values:
+		oldVals, err := chartutil.CoalesceValues(current.Chart, current.Config)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to rebuild old values")
+		}
+
+		newVals = chartutil.CoalesceTables(newVals, current.Config)
+
+		chart.Values = oldVals
+
+		return newVals, nil
+	}
+
+	// If the ResetThenReuseValues flag is set, we use the new chart's values, but we copy the old config's values over the new config's values.
+	if u.ResetThenReuseValues {
+		u.cfg.Log("merging values from old release to new values")
+
+		newVals = chartutil.CoalesceTables(newVals, current.Config)
+
+		return newVals, nil
+	}
+
+	if len(newVals) == 0 && len(current.Config) > 0 {
+		u.cfg.Log("copying values from %s (v%d) to new release.", current.Name, current.Version)
+		newVals = current.Config
+	}
+	return newVals, nil
+}
+
+func validateManifest(c kube.Interface, manifest []byte, openAPIValidation bool) error {
+	_, err := c.Build(bytes.NewReader(manifest), openAPIValidation)
+	return err
+}
+
+// recreate captures all the logic for recreating pods for both upgrade and
+// rollback. If we end up refactoring rollback to use upgrade, this can just be
+// made an unexported method on the upgrade action.
+func recreate(cfg *Configuration, resources kube.ResourceList) error {
+	for _, res := range resources {
+		versioned := kube.AsVersioned(res)
+		selector, err := kube.SelectorsForObject(versioned)
+		if err != nil {
+			// If no selector is returned, it means this object is
+			// definitely not a pod, so continue onward
+			continue
+		}
+
+		client, err := cfg.KubernetesClientSet()
+		if err != nil {
+			return errors.Wrapf(err, "unable to recreate pods for object %s/%s because an error occurred", res.Namespace, res.Name)
+		}
+
+		pods, err := client.CoreV1().Pods(res.Namespace).List(context.Background(), metav1.ListOptions{
+			LabelSelector: selector.String(),
+		})
+		if err != nil {
+			return errors.Wrapf(err, "unable to recreate pods for object %s/%s because an error occurred", res.Namespace, res.Name)
+		}
+
+		// Restart pods
+		for _, pod := range pods.Items {
+			// Delete each pod for get them restarted with changed spec.
+			if err := client.CoreV1().Pods(pod.Namespace).Delete(context.Background(), pod.Name, *metav1.NewPreconditionDeleteOptions(string(pod.UID))); err != nil {
+				return errors.Wrapf(err, "unable to recreate pods for object %s/%s because an error occurred", res.Namespace, res.Name)
+			}
+		}
+	}
+	return nil
+}
+
+func objectKey(r *resource.Info) string {
+	gvk := r.Object.GetObjectKind().GroupVersionKind()
+	return fmt.Sprintf("%s/%s/%s/%s", gvk.GroupVersion().String(), gvk.Kind, r.Namespace, r.Name)
+}
+
+func mergeCustomLabels(current, desired map[string]string) map[string]string {
+	labels := mergeStrStrMaps(current, desired)
+	for k, v := range labels {
+		if v == "null" {
+			delete(labels, k)
+		}
+	}
+	return labels
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/validate.go b/vendor/helm.sh/helm/v3/pkg/action/validate.go
new file mode 100644
index 0000000000..127e9bf962
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/validate.go
@@ -0,0 +1,209 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"fmt"
+
+	"github.com/pkg/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/resource"
+
+	"helm.sh/helm/v3/pkg/kube"
+)
+
+var accessor = meta.NewAccessor()
+
+const (
+	appManagedByLabel              = "app.kubernetes.io/managed-by"
+	appManagedByHelm               = "Helm"
+	helmReleaseNameAnnotation      = "meta.helm.sh/release-name"
+	helmReleaseNamespaceAnnotation = "meta.helm.sh/release-namespace"
+)
+
+// requireAdoption returns the subset of resources that already exist in the cluster.
+func requireAdoption(resources kube.ResourceList) (kube.ResourceList, error) {
+	var requireUpdate kube.ResourceList
+
+	err := resources.Visit(func(info *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+
+		helper := resource.NewHelper(info.Client, info.Mapping)
+		_, err = helper.Get(info.Namespace, info.Name)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				return nil
+			}
+			return errors.Wrapf(err, "could not get information about the resource %s", resourceString(info))
+		}
+
+		requireUpdate.Append(info)
+		return nil
+	})
+
+	return requireUpdate, err
+}
+
+func existingResourceConflict(resources kube.ResourceList, releaseName, releaseNamespace string) (kube.ResourceList, error) {
+	var requireUpdate kube.ResourceList
+
+	err := resources.Visit(func(info *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+
+		helper := resource.NewHelper(info.Client, info.Mapping)
+		existing, err := helper.Get(info.Namespace, info.Name)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				return nil
+			}
+			return errors.Wrapf(err, "could not get information about the resource %s", resourceString(info))
+		}
+
+		// Allow adoption of the resource if it is managed by Helm and is annotated with correct release name and namespace.
+		if err := checkOwnership(existing, releaseName, releaseNamespace); err != nil {
+			return fmt.Errorf("%s exists and cannot be imported into the current release: %s", resourceString(info), err)
+		}
+
+		requireUpdate.Append(info)
+		return nil
+	})
+
+	return requireUpdate, err
+}
+
+func checkOwnership(obj runtime.Object, releaseName, releaseNamespace string) error {
+	lbls, err := accessor.Labels(obj)
+	if err != nil {
+		return err
+	}
+	annos, err := accessor.Annotations(obj)
+	if err != nil {
+		return err
+	}
+
+	var errs []error
+	if err := requireValue(lbls, appManagedByLabel, appManagedByHelm); err != nil {
+		errs = append(errs, fmt.Errorf("label validation error: %s", err))
+	}
+	if err := requireValue(annos, helmReleaseNameAnnotation, releaseName); err != nil {
+		errs = append(errs, fmt.Errorf("annotation validation error: %s", err))
+	}
+	if err := requireValue(annos, helmReleaseNamespaceAnnotation, releaseNamespace); err != nil {
+		errs = append(errs, fmt.Errorf("annotation validation error: %s", err))
+	}
+
+	if len(errs) > 0 {
+		err := errors.New("invalid ownership metadata")
+		for _, e := range errs {
+			err = fmt.Errorf("%w; %s", err, e)
+		}
+		return err
+	}
+
+	return nil
+}
+
+func requireValue(meta map[string]string, k, v string) error {
+	actual, ok := meta[k]
+	if !ok {
+		return fmt.Errorf("missing key %q: must be set to %q", k, v)
+	}
+	if actual != v {
+		return fmt.Errorf("key %q must equal %q: current value is %q", k, v, actual)
+	}
+	return nil
+}
+
+// setMetadataVisitor adds release tracking metadata to all resources. If force is enabled, existing
+// ownership metadata will be overwritten. Otherwise an error will be returned if any resource has an
+// existing and conflicting value for the managed by label or Helm release/namespace annotations.
+func setMetadataVisitor(releaseName, releaseNamespace string, force bool) resource.VisitorFunc {
+	return func(info *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if !force {
+			if err := checkOwnership(info.Object, releaseName, releaseNamespace); err != nil {
+				return fmt.Errorf("%s cannot be owned: %s", resourceString(info), err)
+			}
+		}
+
+		if err := mergeLabels(info.Object, map[string]string{
+			appManagedByLabel: appManagedByHelm,
+		}); err != nil {
+			return fmt.Errorf(
+				"%s labels could not be updated: %s",
+				resourceString(info), err,
+			)
+		}
+
+		if err := mergeAnnotations(info.Object, map[string]string{
+			helmReleaseNameAnnotation:      releaseName,
+			helmReleaseNamespaceAnnotation: releaseNamespace,
+		}); err != nil {
+			return fmt.Errorf(
+				"%s annotations could not be updated: %s",
+				resourceString(info), err,
+			)
+		}
+
+		return nil
+	}
+}
+
+func resourceString(info *resource.Info) string {
+	_, k := info.Mapping.GroupVersionKind.ToAPIVersionAndKind()
+	return fmt.Sprintf(
+		"%s %q in namespace %q",
+		k, info.Name, info.Namespace,
+	)
+}
+
+func mergeLabels(obj runtime.Object, labels map[string]string) error {
+	current, err := accessor.Labels(obj)
+	if err != nil {
+		return err
+	}
+	return accessor.SetLabels(obj, mergeStrStrMaps(current, labels))
+}
+
+func mergeAnnotations(obj runtime.Object, annotations map[string]string) error {
+	current, err := accessor.Annotations(obj)
+	if err != nil {
+		return err
+	}
+	return accessor.SetAnnotations(obj, mergeStrStrMaps(current, annotations))
+}
+
+// merge two maps, always taking the value on the right
+func mergeStrStrMaps(current, desired map[string]string) map[string]string {
+	result := make(map[string]string)
+	for k, v := range current {
+		result[k] = v
+	}
+	for k, desiredVal := range desired {
+		result[k] = desiredVal
+	}
+	return result
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/action/verify.go b/vendor/helm.sh/helm/v3/pkg/action/verify.go
new file mode 100644
index 0000000000..f362394962
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/action/verify.go
@@ -0,0 +1,59 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"fmt"
+	"strings"
+
+	"helm.sh/helm/v3/pkg/downloader"
+)
+
+// Verify is the action for building a given chart's Verify tree.
+//
+// It provides the implementation of 'helm verify'.
+type Verify struct {
+	Keyring string
+	Out     string
+}
+
+// NewVerify creates a new Verify object with the given configuration.
+func NewVerify() *Verify {
+	return &Verify{}
+}
+
+// Run executes 'helm verify'.
+func (v *Verify) Run(chartfile string) error {
+	var out strings.Builder
+	p, err := downloader.VerifyChart(chartfile, v.Keyring)
+	if err != nil {
+		return err
+	}
+
+	for name := range p.SignedBy.Identities {
+		fmt.Fprintf(&out, "Signed by: %v\n", name)
+	}
+	fmt.Fprintf(&out, "Using Key With Fingerprint: %X\n", p.SignedBy.PrimaryKey.Fingerprint)
+	fmt.Fprintf(&out, "Chart Hash Verified: %s\n", p.FileHash)
+
+	// TODO(mattfarina): The output is set as a property rather than returned
+	// to maintain the Go API. In Helm v4 this function should return the out
+	// and the property on the struct can be removed.
+	v.Out = out.String()
+
+	return nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/chart.go b/vendor/helm.sh/helm/v3/pkg/chart/chart.go
new file mode 100644
index 0000000000..a3bed63a38
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chart/chart.go
@@ -0,0 +1,173 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chart
+
+import (
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+// APIVersionV1 is the API version number for version 1.
+const APIVersionV1 = "v1"
+
+// APIVersionV2 is the API version number for version 2.
+const APIVersionV2 = "v2"
+
+// aliasNameFormat defines the characters that are legal in an alias name.
+var aliasNameFormat = regexp.MustCompile("^[a-zA-Z0-9_-]+$")
+
+// Chart is a helm package that contains metadata, a default config, zero or more
+// optionally parameterizable templates, and zero or more charts (dependencies).
+type Chart struct {
+	// Raw contains the raw contents of the files originally contained in the chart archive.
+	//
+	// This should not be used except in special cases like `helm show values`,
+	// where we want to display the raw values, comments and all.
+	Raw []*File `json:"-"`
+	// Metadata is the contents of the Chartfile.
+	Metadata *Metadata `json:"metadata"`
+	// Lock is the contents of Chart.lock.
+	Lock *Lock `json:"lock"`
+	// Templates for this chart.
+	Templates []*File `json:"templates"`
+	// Values are default config for this chart.
+	Values map[string]interface{} `json:"values"`
+	// Schema is an optional JSON schema for imposing structure on Values
+	Schema []byte `json:"schema"`
+	// Files are miscellaneous files in a chart archive,
+	// e.g. README, LICENSE, etc.
+	Files []*File `json:"files"`
+
+	parent       *Chart
+	dependencies []*Chart
+}
+
+type CRD struct {
+	// Name is the File.Name for the crd file
+	Name string
+	// Filename is the File obj Name including (sub-)chart.ChartFullPath
+	Filename string
+	// File is the File obj for the crd
+	File *File
+}
+
+// SetDependencies replaces the chart dependencies.
+func (ch *Chart) SetDependencies(charts ...*Chart) {
+	ch.dependencies = nil
+	ch.AddDependency(charts...)
+}
+
+// Name returns the name of the chart.
+func (ch *Chart) Name() string {
+	if ch.Metadata == nil {
+		return ""
+	}
+	return ch.Metadata.Name
+}
+
+// AddDependency determines if the chart is a subchart.
+func (ch *Chart) AddDependency(charts ...*Chart) {
+	for i, x := range charts {
+		charts[i].parent = ch
+		ch.dependencies = append(ch.dependencies, x)
+	}
+}
+
+// Root finds the root chart.
+func (ch *Chart) Root() *Chart {
+	if ch.IsRoot() {
+		return ch
+	}
+	return ch.Parent().Root()
+}
+
+// Dependencies are the charts that this chart depends on.
+func (ch *Chart) Dependencies() []*Chart { return ch.dependencies }
+
+// IsRoot determines if the chart is the root chart.
+func (ch *Chart) IsRoot() bool { return ch.parent == nil }
+
+// Parent returns a subchart's parent chart.
+func (ch *Chart) Parent() *Chart { return ch.parent }
+
+// ChartPath returns the full path to this chart in dot notation.
+func (ch *Chart) ChartPath() string {
+	if !ch.IsRoot() {
+		return ch.Parent().ChartPath() + "." + ch.Name()
+	}
+	return ch.Name()
+}
+
+// ChartFullPath returns the full path to this chart.
+func (ch *Chart) ChartFullPath() string {
+	if !ch.IsRoot() {
+		return ch.Parent().ChartFullPath() + "/charts/" + ch.Name()
+	}
+	return ch.Name()
+}
+
+// Validate validates the metadata.
+func (ch *Chart) Validate() error {
+	return ch.Metadata.Validate()
+}
+
+// AppVersion returns the appversion of the chart.
+func (ch *Chart) AppVersion() string {
+	if ch.Metadata == nil {
+		return ""
+	}
+	return ch.Metadata.AppVersion
+}
+
+// CRDs returns a list of File objects in the 'crds/' directory of a Helm chart.
+// Deprecated: use CRDObjects()
+func (ch *Chart) CRDs() []*File {
+	files := []*File{}
+	// Find all resources in the crds/ directory
+	for _, f := range ch.Files {
+		if strings.HasPrefix(f.Name, "crds/") && hasManifestExtension(f.Name) {
+			files = append(files, f)
+		}
+	}
+	// Get CRDs from dependencies, too.
+	for _, dep := range ch.Dependencies() {
+		files = append(files, dep.CRDs()...)
+	}
+	return files
+}
+
+// CRDObjects returns a list of CRD objects in the 'crds/' directory of a Helm chart & subcharts
+func (ch *Chart) CRDObjects() []CRD {
+	crds := []CRD{}
+	// Find all resources in the crds/ directory
+	for _, f := range ch.Files {
+		if strings.HasPrefix(f.Name, "crds/") && hasManifestExtension(f.Name) {
+			mycrd := CRD{Name: f.Name, Filename: filepath.Join(ch.ChartFullPath(), f.Name), File: f}
+			crds = append(crds, mycrd)
+		}
+	}
+	// Get CRDs from dependencies, too.
+	for _, dep := range ch.Dependencies() {
+		crds = append(crds, dep.CRDObjects()...)
+	}
+	return crds
+}
+
+func hasManifestExtension(fname string) bool {
+	ext := filepath.Ext(fname)
+	return strings.EqualFold(ext, ".yaml") || strings.EqualFold(ext, ".yml") || strings.EqualFold(ext, ".json")
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/dependency.go b/vendor/helm.sh/helm/v3/pkg/chart/dependency.go
new file mode 100644
index 0000000000..eda0f5a89d
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chart/dependency.go
@@ -0,0 +1,82 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chart
+
+import "time"
+
+// Dependency describes a chart upon which another chart depends.
+//
+// Dependencies can be used to express developer intent, or to capture the state
+// of a chart.
+type Dependency struct {
+	// Name is the name of the dependency.
+	//
+	// This must mach the name in the dependency's Chart.yaml.
+	Name string `json:"name" yaml:"name"`
+	// Version is the version (range) of this chart.
+	//
+	// A lock file will always produce a single version, while a dependency
+	// may contain a semantic version range.
+	Version string `json:"version,omitempty" yaml:"version,omitempty"`
+	// The URL to the repository.
+	//
+	// Appending `index.yaml` to this string should result in a URL that can be
+	// used to fetch the repository index.
+	Repository string `json:"repository" yaml:"repository"`
+	// A yaml path that resolves to a boolean, used for enabling/disabling charts (e.g. subchart1.enabled )
+	Condition string `json:"condition,omitempty" yaml:"condition,omitempty"`
+	// Tags can be used to group charts for enabling/disabling together
+	Tags []string `json:"tags,omitempty" yaml:"tags,omitempty"`
+	// Enabled bool determines if chart should be loaded
+	Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty"`
+	// ImportValues holds the mapping of source values to parent key to be imported. Each item can be a
+	// string or pair of child/parent sublist items.
+	ImportValues []interface{} `json:"import-values,omitempty" yaml:"import-values,omitempty"`
+	// Alias usable alias to be used for the chart
+	Alias string `json:"alias,omitempty" yaml:"alias,omitempty"`
+}
+
+// Validate checks for common problems with the dependency datastructure in
+// the chart. This check must be done at load time before the dependency's charts are
+// loaded.
+func (d *Dependency) Validate() error {
+	if d == nil {
+		return ValidationError("dependencies must not contain empty or null nodes")
+	}
+	d.Name = sanitizeString(d.Name)
+	d.Version = sanitizeString(d.Version)
+	d.Repository = sanitizeString(d.Repository)
+	d.Condition = sanitizeString(d.Condition)
+	for i := range d.Tags {
+		d.Tags[i] = sanitizeString(d.Tags[i])
+	}
+	if d.Alias != "" && !aliasNameFormat.MatchString(d.Alias) {
+		return ValidationErrorf("dependency %q has disallowed characters in the alias", d.Name)
+	}
+	return nil
+}
+
+// Lock is a lock file for dependencies.
+//
+// It represents the state that the dependencies should be in.
+type Lock struct {
+	// Generated is the date the lock file was last generated.
+	Generated time.Time `json:"generated"`
+	// Digest is a hash of the dependencies in Chart.yaml.
+	Digest string `json:"digest"`
+	// Dependencies is the list of dependencies that this lock file has locked.
+	Dependencies []*Dependency `json:"dependencies"`
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/errors.go b/vendor/helm.sh/helm/v3/pkg/chart/errors.go
new file mode 100644
index 0000000000..2fad5f3708
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chart/errors.go
@@ -0,0 +1,30 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chart
+
+import "fmt"
+
+// ValidationError represents a data validation error.
+type ValidationError string
+
+func (v ValidationError) Error() string {
+	return "validation: " + string(v)
+}
+
+// ValidationErrorf takes a message and formatting options and creates a ValidationError
+func ValidationErrorf(msg string, args ...interface{}) ValidationError {
+	return ValidationError(fmt.Sprintf(msg, args...))
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/file.go b/vendor/helm.sh/helm/v3/pkg/chart/file.go
new file mode 100644
index 0000000000..9dd7c08d52
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chart/file.go
@@ -0,0 +1,27 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chart
+
+// File represents a file as a name/value pair.
+//
+// By convention, name is a relative path within the scope of the chart's
+// base directory.
+type File struct {
+	// Name is the path-like name of the template.
+	Name string `json:"name"`
+	// Data is the template as byte data.
+	Data []byte `json:"data"`
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go b/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
new file mode 100644
index 0000000000..6272a564f8
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
@@ -0,0 +1,235 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package loader
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"regexp"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+// MaxDecompressedChartSize is the maximum size of a chart archive that will be
+// decompressed. This is the decompressed size of all the files.
+// The default value is 100 MiB.
+var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB
+
+// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load.
+// The size of the file is the decompressed version of it when it is stored in an archive.
+var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB
+
+var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`)
+
+// FileLoader loads a chart from a file
+type FileLoader string
+
+// Load loads a chart
+func (l FileLoader) Load() (*chart.Chart, error) {
+	return LoadFile(string(l))
+}
+
+// LoadFile loads from an archive file.
+func LoadFile(name string) (*chart.Chart, error) {
+	if fi, err := os.Stat(name); err != nil {
+		return nil, err
+	} else if fi.IsDir() {
+		return nil, errors.New("cannot load a directory")
+	}
+
+	raw, err := os.Open(name)
+	if err != nil {
+		return nil, err
+	}
+	defer raw.Close()
+
+	err = ensureArchive(name, raw)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := LoadArchive(raw)
+	if err != nil {
+		if err == gzip.ErrHeader {
+			return nil, fmt.Errorf("file '%s' does not appear to be a valid chart file (details: %s)", name, err)
+		}
+	}
+	return c, err
+}
+
+// ensureArchive's job is to return an informative error if the file does not appear to be a gzipped archive.
+//
+// Sometimes users will provide a values.yaml for an argument where a chart is expected. One common occurrence
+// of this is invoking `helm template values.yaml mychart` which would otherwise produce a confusing error
+// if we didn't check for this.
+func ensureArchive(name string, raw *os.File) error {
+	defer raw.Seek(0, 0) // reset read offset to allow archive loading to proceed.
+
+	// Check the file format to give us a chance to provide the user with more actionable feedback.
+	buffer := make([]byte, 512)
+	_, err := raw.Read(buffer)
+	if err != nil && err != io.EOF {
+		return fmt.Errorf("file '%s' cannot be read: %s", name, err)
+	}
+
+	// Helm may identify achieve of the application/x-gzip as application/vnd.ms-fontobject.
+	// Fix for: https://github.com/helm/helm/issues/12261
+	if contentType := http.DetectContentType(buffer); contentType != "application/x-gzip" && !isGZipApplication(buffer) {
+		// TODO: Is there a way to reliably test if a file content is YAML? ghodss/yaml accepts a wide
+		//       variety of content (Makefile, .zshrc) as valid YAML without errors.
+
+		// Wrong content type. Let's check if it's yaml and give an extra hint?
+		if strings.HasSuffix(name, ".yml") || strings.HasSuffix(name, ".yaml") {
+			return fmt.Errorf("file '%s' seems to be a YAML file, but expected a gzipped archive", name)
+		}
+		return fmt.Errorf("file '%s' does not appear to be a gzipped archive; got '%s'", name, contentType)
+	}
+	return nil
+}
+
+// isGZipApplication checks whether the archive is of the application/x-gzip type.
+func isGZipApplication(data []byte) bool {
+	sig := []byte("\x1F\x8B\x08")
+	return bytes.HasPrefix(data, sig)
+}
+
+// LoadArchiveFiles reads in files out of an archive into memory. This function
+// performs important path security checks and should always be used before
+// expanding a tarball
+func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
+	unzipped, err := gzip.NewReader(in)
+	if err != nil {
+		return nil, err
+	}
+	defer unzipped.Close()
+
+	files := []*BufferedFile{}
+	tr := tar.NewReader(unzipped)
+	remainingSize := MaxDecompressedChartSize
+	for {
+		b := bytes.NewBuffer(nil)
+		hd, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		if hd.FileInfo().IsDir() {
+			// Use this instead of hd.Typeflag because we don't have to do any
+			// inference chasing.
+			continue
+		}
+
+		switch hd.Typeflag {
+		// We don't want to process these extension header files.
+		case tar.TypeXGlobalHeader, tar.TypeXHeader:
+			continue
+		}
+
+		// Archive could contain \ if generated on Windows
+		delimiter := "/"
+		if strings.ContainsRune(hd.Name, '\\') {
+			delimiter = "\\"
+		}
+
+		parts := strings.Split(hd.Name, delimiter)
+		n := strings.Join(parts[1:], delimiter)
+
+		// Normalize the path to the / delimiter
+		n = strings.ReplaceAll(n, delimiter, "/")
+
+		if path.IsAbs(n) {
+			return nil, errors.New("chart illegally contains absolute paths")
+		}
+
+		n = path.Clean(n)
+		if n == "." {
+			// In this case, the original path was relative when it should have been absolute.
+			return nil, errors.Errorf("chart illegally contains content outside the base directory: %q", hd.Name)
+		}
+		if strings.HasPrefix(n, "..") {
+			return nil, errors.New("chart illegally references parent directory")
+		}
+
+		// In some particularly arcane acts of path creativity, it is possible to intermix
+		// UNIX and Windows style paths in such a way that you produce a result of the form
+		// c:/foo even after all the built-in absolute path checks. So we explicitly check
+		// for this condition.
+		if drivePathPattern.MatchString(n) {
+			return nil, errors.New("chart contains illegally named files")
+		}
+
+		if parts[0] == "Chart.yaml" {
+			return nil, errors.New("chart yaml not in base directory")
+		}
+
+		if hd.Size > remainingSize {
+			return nil, fmt.Errorf("decompressed chart is larger than the maximum file size %d", MaxDecompressedChartSize)
+		}
+
+		if hd.Size > MaxDecompressedFileSize {
+			return nil, fmt.Errorf("decompressed chart file %q is larger than the maximum file size %d", hd.Name, MaxDecompressedFileSize)
+		}
+
+		limitedReader := io.LimitReader(tr, remainingSize)
+
+		bytesWritten, err := io.Copy(b, limitedReader)
+		if err != nil {
+			return nil, err
+		}
+
+		remainingSize -= bytesWritten
+		// When the bytesWritten are less than the file size it means the limit reader ended
+		// copying early. Here we report that error. This is important if the last file extracted
+		// is the one that goes over the limit. It assumes the Size stored in the tar header
+		// is correct, something many applications do.
+		if bytesWritten < hd.Size || remainingSize <= 0 {
+			return nil, fmt.Errorf("decompressed chart is larger than the maximum file size %d", MaxDecompressedChartSize)
+		}
+
+		data := bytes.TrimPrefix(b.Bytes(), utf8bom)
+
+		files = append(files, &BufferedFile{Name: n, Data: data})
+		b.Reset()
+	}
+
+	if len(files) == 0 {
+		return nil, errors.New("no files in chart archive")
+	}
+	return files, nil
+}
+
+// LoadArchive loads from a reader containing a compressed tar archive.
+func LoadArchive(in io.Reader) (*chart.Chart, error) {
+	files, err := LoadArchiveFiles(in)
+	if err != nil {
+		return nil, err
+	}
+
+	return LoadFiles(files)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go b/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
new file mode 100644
index 0000000000..fd8e02e1ac
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
@@ -0,0 +1,123 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package loader
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/internal/sympath"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/ignore"
+)
+
+var utf8bom = []byte{0xEF, 0xBB, 0xBF}
+
+// DirLoader loads a chart from a directory
+type DirLoader string
+
+// Load loads the chart
+func (l DirLoader) Load() (*chart.Chart, error) {
+	return LoadDir(string(l))
+}
+
+// LoadDir loads from a directory.
+//
+// This loads charts only from directories.
+func LoadDir(dir string) (*chart.Chart, error) {
+	topdir, err := filepath.Abs(dir)
+	if err != nil {
+		return nil, err
+	}
+
+	// Just used for errors.
+	c := &chart.Chart{}
+
+	rules := ignore.Empty()
+	ifile := filepath.Join(topdir, ignore.HelmIgnore)
+	if _, err := os.Stat(ifile); err == nil {
+		r, err := ignore.ParseFile(ifile)
+		if err != nil {
+			return c, err
+		}
+		rules = r
+	}
+	rules.AddDefaults()
+
+	files := []*BufferedFile{}
+	topdir += string(filepath.Separator)
+
+	walk := func(name string, fi os.FileInfo, err error) error {
+		n := strings.TrimPrefix(name, topdir)
+		if n == "" {
+			// No need to process top level. Avoid bug with helmignore .* matching
+			// empty names. See issue 1779.
+			return nil
+		}
+
+		// Normalize to / since it will also work on Windows
+		n = filepath.ToSlash(n)
+
+		if err != nil {
+			return err
+		}
+		if fi.IsDir() {
+			// Directory-based ignore rules should involve skipping the entire
+			// contents of that directory.
+			if rules.Ignore(n, fi) {
+				return filepath.SkipDir
+			}
+			return nil
+		}
+
+		// If a .helmignore file matches, skip this file.
+		if rules.Ignore(n, fi) {
+			return nil
+		}
+
+		// Irregular files include devices, sockets, and other uses of files that
+		// are not regular files. In Go they have a file mode type bit set.
+		// See https://golang.org/pkg/os/#FileMode for examples.
+		if !fi.Mode().IsRegular() {
+			return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name)
+		}
+
+		if fi.Size() > MaxDecompressedFileSize {
+			return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), MaxDecompressedFileSize)
+		}
+
+		data, err := os.ReadFile(name)
+		if err != nil {
+			return errors.Wrapf(err, "error reading %s", n)
+		}
+
+		data = bytes.TrimPrefix(data, utf8bom)
+
+		files = append(files, &BufferedFile{Name: n, Data: data})
+		return nil
+	}
+	if err = sympath.Walk(topdir, walk); err != nil {
+		return c, err
+	}
+
+	return LoadFiles(files)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/loader/load.go b/vendor/helm.sh/helm/v3/pkg/chart/loader/load.go
new file mode 100644
index 0000000000..a68a05aa9a
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chart/loader/load.go
@@ -0,0 +1,203 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package loader
+
+import (
+	"bytes"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+// ChartLoader loads a chart.
+type ChartLoader interface {
+	Load() (*chart.Chart, error)
+}
+
+// Loader returns a new ChartLoader appropriate for the given chart name
+func Loader(name string) (ChartLoader, error) {
+	fi, err := os.Stat(name)
+	if err != nil {
+		return nil, err
+	}
+	if fi.IsDir() {
+		return DirLoader(name), nil
+	}
+	return FileLoader(name), nil
+
+}
+
+// Load takes a string name, tries to resolve it to a file or directory, and then loads it.
+//
+// This is the preferred way to load a chart. It will discover the chart encoding
+// and hand off to the appropriate chart reader.
+//
+// If a .helmignore file is present, the directory loader will skip loading any files
+// matching it. But .helmignore is not evaluated when reading out of an archive.
+func Load(name string) (*chart.Chart, error) {
+	l, err := Loader(name)
+	if err != nil {
+		return nil, err
+	}
+	return l.Load()
+}
+
+// BufferedFile represents an archive file buffered for later processing.
+type BufferedFile struct {
+	Name string
+	Data []byte
+}
+
+// LoadFiles loads from in-memory files.
+func LoadFiles(files []*BufferedFile) (*chart.Chart, error) {
+	c := new(chart.Chart)
+	subcharts := make(map[string][]*BufferedFile)
+
+	// do not rely on assumed ordering of files in the chart and crash
+	// if Chart.yaml was not coming early enough to initialize metadata
+	for _, f := range files {
+		c.Raw = append(c.Raw, &chart.File{Name: f.Name, Data: f.Data})
+		if f.Name == "Chart.yaml" {
+			if c.Metadata == nil {
+				c.Metadata = new(chart.Metadata)
+			}
+			if err := yaml.Unmarshal(f.Data, c.Metadata); err != nil {
+				return c, errors.Wrap(err, "cannot load Chart.yaml")
+			}
+			// NOTE(bacongobbler): while the chart specification says that APIVersion must be set,
+			// Helm 2 accepted charts that did not provide an APIVersion in their chart metadata.
+			// Because of that, if APIVersion is unset, we should assume we're loading a v1 chart.
+			if c.Metadata.APIVersion == "" {
+				c.Metadata.APIVersion = chart.APIVersionV1
+			}
+		}
+	}
+	for _, f := range files {
+		switch {
+		case f.Name == "Chart.yaml":
+			// already processed
+			continue
+		case f.Name == "Chart.lock":
+			c.Lock = new(chart.Lock)
+			if err := yaml.Unmarshal(f.Data, &c.Lock); err != nil {
+				return c, errors.Wrap(err, "cannot load Chart.lock")
+			}
+		case f.Name == "values.yaml":
+			c.Values = make(map[string]interface{})
+			if err := yaml.Unmarshal(f.Data, &c.Values); err != nil {
+				return c, errors.Wrap(err, "cannot load values.yaml")
+			}
+		case f.Name == "values.schema.json":
+			c.Schema = f.Data
+
+		// Deprecated: requirements.yaml is deprecated use Chart.yaml.
+		// We will handle it for you because we are nice people
+		case f.Name == "requirements.yaml":
+			if c.Metadata == nil {
+				c.Metadata = new(chart.Metadata)
+			}
+			if c.Metadata.APIVersion != chart.APIVersionV1 {
+				log.Printf("Warning: Dependencies are handled in Chart.yaml since apiVersion \"v2\". We recommend migrating dependencies to Chart.yaml.")
+			}
+			if err := yaml.Unmarshal(f.Data, c.Metadata); err != nil {
+				return c, errors.Wrap(err, "cannot load requirements.yaml")
+			}
+			if c.Metadata.APIVersion == chart.APIVersionV1 {
+				c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data})
+			}
+		// Deprecated: requirements.lock is deprecated use Chart.lock.
+		case f.Name == "requirements.lock":
+			c.Lock = new(chart.Lock)
+			if err := yaml.Unmarshal(f.Data, &c.Lock); err != nil {
+				return c, errors.Wrap(err, "cannot load requirements.lock")
+			}
+			if c.Metadata == nil {
+				c.Metadata = new(chart.Metadata)
+			}
+			if c.Metadata.APIVersion != chart.APIVersionV1 {
+				log.Printf("Warning: Dependency locking is handled in Chart.lock since apiVersion \"v2\". We recommend migrating to Chart.lock.")
+			}
+			if c.Metadata.APIVersion == chart.APIVersionV1 {
+				c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data})
+			}
+
+		case strings.HasPrefix(f.Name, "templates/"):
+			c.Templates = append(c.Templates, &chart.File{Name: f.Name, Data: f.Data})
+		case strings.HasPrefix(f.Name, "charts/"):
+			if filepath.Ext(f.Name) == ".prov" {
+				c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data})
+				continue
+			}
+
+			fname := strings.TrimPrefix(f.Name, "charts/")
+			cname := strings.SplitN(fname, "/", 2)[0]
+			subcharts[cname] = append(subcharts[cname], &BufferedFile{Name: fname, Data: f.Data})
+		default:
+			c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data})
+		}
+	}
+
+	if c.Metadata == nil {
+		return c, errors.New("Chart.yaml file is missing")
+	}
+
+	if err := c.Validate(); err != nil {
+		return c, err
+	}
+
+	for n, files := range subcharts {
+		var sc *chart.Chart
+		var err error
+		switch {
+		case strings.IndexAny(n, "_.") == 0:
+			continue
+		case filepath.Ext(n) == ".tgz":
+			file := files[0]
+			if file.Name != n {
+				return c, errors.Errorf("error unpacking subchart tar in %s: expected %s, got %s", c.Name(), n, file.Name)
+			}
+			// Untar the chart and add to c.Dependencies
+			sc, err = LoadArchive(bytes.NewBuffer(file.Data))
+		default:
+			// We have to trim the prefix off of every file, and ignore any file
+			// that is in charts/, but isn't actually a chart.
+			buff := make([]*BufferedFile, 0, len(files))
+			for _, f := range files {
+				parts := strings.SplitN(f.Name, "/", 2)
+				if len(parts) < 2 {
+					continue
+				}
+				f.Name = parts[1]
+				buff = append(buff, f)
+			}
+			sc, err = LoadFiles(buff)
+		}
+
+		if err != nil {
+			return c, errors.Wrapf(err, "error unpacking subchart %s in %s", n, c.Name())
+		}
+		c.AddDependency(sc)
+	}
+
+	return c, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
new file mode 100644
index 0000000000..a08a97cd1d
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
@@ -0,0 +1,178 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chart
+
+import (
+	"path/filepath"
+	"strings"
+	"unicode"
+
+	"github.com/Masterminds/semver/v3"
+)
+
+// Maintainer describes a Chart maintainer.
+type Maintainer struct {
+	// Name is a user name or organization name
+	Name string `json:"name,omitempty"`
+	// Email is an optional email address to contact the named maintainer
+	Email string `json:"email,omitempty"`
+	// URL is an optional URL to an address for the named maintainer
+	URL string `json:"url,omitempty"`
+}
+
+// Validate checks valid data and sanitizes string characters.
+func (m *Maintainer) Validate() error {
+	if m == nil {
+		return ValidationError("maintainers must not contain empty or null nodes")
+	}
+	m.Name = sanitizeString(m.Name)
+	m.Email = sanitizeString(m.Email)
+	m.URL = sanitizeString(m.URL)
+	return nil
+}
+
+// Metadata for a Chart file. This models the structure of a Chart.yaml file.
+type Metadata struct {
+	// The name of the chart. Required.
+	Name string `json:"name,omitempty"`
+	// The URL to a relevant project page, git repo, or contact person
+	Home string `json:"home,omitempty"`
+	// Source is the URL to the source code of this chart
+	Sources []string `json:"sources,omitempty"`
+	// A SemVer 2 conformant version string of the chart. Required.
+	Version string `json:"version,omitempty"`
+	// A one-sentence description of the chart
+	Description string `json:"description,omitempty"`
+	// A list of string keywords
+	Keywords []string `json:"keywords,omitempty"`
+	// A list of name and URL/email address combinations for the maintainer(s)
+	Maintainers []*Maintainer `json:"maintainers,omitempty"`
+	// The URL to an icon file.
+	Icon string `json:"icon,omitempty"`
+	// The API Version of this chart. Required.
+	APIVersion string `json:"apiVersion,omitempty"`
+	// The condition to check to enable chart
+	Condition string `json:"condition,omitempty"`
+	// The tags to check to enable chart
+	Tags string `json:"tags,omitempty"`
+	// The version of the application enclosed inside of this chart.
+	AppVersion string `json:"appVersion,omitempty"`
+	// Whether or not this chart is deprecated
+	Deprecated bool `json:"deprecated,omitempty"`
+	// Annotations are additional mappings uninterpreted by Helm,
+	// made available for inspection by other applications.
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// KubeVersion is a SemVer constraint specifying the version of Kubernetes required.
+	KubeVersion string `json:"kubeVersion,omitempty"`
+	// Dependencies are a list of dependencies for a chart.
+	Dependencies []*Dependency `json:"dependencies,omitempty"`
+	// Specifies the chart type: application or library
+	Type string `json:"type,omitempty"`
+}
+
+// Validate checks the metadata for known issues and sanitizes string
+// characters.
+func (md *Metadata) Validate() error {
+	if md == nil {
+		return ValidationError("chart.metadata is required")
+	}
+
+	md.Name = sanitizeString(md.Name)
+	md.Description = sanitizeString(md.Description)
+	md.Home = sanitizeString(md.Home)
+	md.Icon = sanitizeString(md.Icon)
+	md.Condition = sanitizeString(md.Condition)
+	md.Tags = sanitizeString(md.Tags)
+	md.AppVersion = sanitizeString(md.AppVersion)
+	md.KubeVersion = sanitizeString(md.KubeVersion)
+	for i := range md.Sources {
+		md.Sources[i] = sanitizeString(md.Sources[i])
+	}
+	for i := range md.Keywords {
+		md.Keywords[i] = sanitizeString(md.Keywords[i])
+	}
+
+	if md.APIVersion == "" {
+		return ValidationError("chart.metadata.apiVersion is required")
+	}
+	if md.Name == "" {
+		return ValidationError("chart.metadata.name is required")
+	}
+
+	if md.Name != filepath.Base(md.Name) {
+		return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
+	}
+
+	if md.Version == "" {
+		return ValidationError("chart.metadata.version is required")
+	}
+	if !isValidSemver(md.Version) {
+		return ValidationErrorf("chart.metadata.version %q is invalid", md.Version)
+	}
+	if !isValidChartType(md.Type) {
+		return ValidationError("chart.metadata.type must be application or library")
+	}
+
+	for _, m := range md.Maintainers {
+		if err := m.Validate(); err != nil {
+			return err
+		}
+	}
+
+	// Aliases need to be validated here to make sure that the alias name does
+	// not contain any illegal characters.
+	dependencies := map[string]*Dependency{}
+	for _, dependency := range md.Dependencies {
+		if err := dependency.Validate(); err != nil {
+			return err
+		}
+		key := dependency.Name
+		if dependency.Alias != "" {
+			key = dependency.Alias
+		}
+		if dependencies[key] != nil {
+			return ValidationErrorf("more than one dependency with name or alias %q", key)
+		}
+		dependencies[key] = dependency
+	}
+	return nil
+}
+
+func isValidChartType(in string) bool {
+	switch in {
+	case "", "application", "library":
+		return true
+	}
+	return false
+}
+
+func isValidSemver(v string) bool {
+	_, err := semver.NewVersion(v)
+	return err == nil
+}
+
+// sanitizeString normalize spaces and removes non-printable characters.
+func sanitizeString(str string) string {
+	return strings.Map(func(r rune) rune {
+		if unicode.IsSpace(r) {
+			return ' '
+		}
+		if unicode.IsPrint(r) {
+			return r
+		}
+		return -1
+	}, str)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/capabilities.go b/vendor/helm.sh/helm/v3/pkg/chartutil/capabilities.go
new file mode 100644
index 0000000000..48fab0ea40
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/capabilities.go
@@ -0,0 +1,126 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/Masterminds/semver/v3"
+	"k8s.io/client-go/kubernetes/scheme"
+
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+
+	helmversion "helm.sh/helm/v3/internal/version"
+)
+
+var (
+	// The Kubernetes version can be set by LDFLAGS. In order to do that the value
+	// must be a string.
+	k8sVersionMajor = "1"
+	k8sVersionMinor = "20"
+
+	// DefaultVersionSet is the default version set, which includes only Core V1 ("v1").
+	DefaultVersionSet = allKnownVersions()
+
+	// DefaultCapabilities is the default set of capabilities.
+	DefaultCapabilities = &Capabilities{
+		KubeVersion: KubeVersion{
+			Version: fmt.Sprintf("v%s.%s.0", k8sVersionMajor, k8sVersionMinor),
+			Major:   k8sVersionMajor,
+			Minor:   k8sVersionMinor,
+		},
+		APIVersions: DefaultVersionSet,
+		HelmVersion: helmversion.Get(),
+	}
+)
+
+// Capabilities describes the capabilities of the Kubernetes cluster.
+type Capabilities struct {
+	// KubeVersion is the Kubernetes version.
+	KubeVersion KubeVersion
+	// APIVersions are supported Kubernetes API versions.
+	APIVersions VersionSet
+	// HelmVersion is the build information for this helm version
+	HelmVersion helmversion.BuildInfo
+}
+
+func (capabilities *Capabilities) Copy() *Capabilities {
+	return &Capabilities{
+		KubeVersion: capabilities.KubeVersion,
+		APIVersions: capabilities.APIVersions,
+		HelmVersion: capabilities.HelmVersion,
+	}
+}
+
+// KubeVersion is the Kubernetes version.
+type KubeVersion struct {
+	Version string // Kubernetes version
+	Major   string // Kubernetes major version
+	Minor   string // Kubernetes minor version
+}
+
+// String implements fmt.Stringer
+func (kv *KubeVersion) String() string { return kv.Version }
+
+// GitVersion returns the Kubernetes version string.
+//
+// Deprecated: use KubeVersion.Version.
+func (kv *KubeVersion) GitVersion() string { return kv.Version }
+
+// ParseKubeVersion parses kubernetes version from string
+func ParseKubeVersion(version string) (*KubeVersion, error) {
+	sv, err := semver.NewVersion(version)
+	if err != nil {
+		return nil, err
+	}
+	return &KubeVersion{
+		Version: "v" + sv.String(),
+		Major:   strconv.FormatUint(sv.Major(), 10),
+		Minor:   strconv.FormatUint(sv.Minor(), 10),
+	}, nil
+}
+
+// VersionSet is a set of Kubernetes API versions.
+type VersionSet []string
+
+// Has returns true if the version string is in the set.
+//
+//	vs.Has("apps/v1")
+func (v VersionSet) Has(apiVersion string) bool {
+	for _, x := range v {
+		if x == apiVersion {
+			return true
+		}
+	}
+	return false
+}
+
+func allKnownVersions() VersionSet {
+	// We should register the built in extension APIs as well so CRDs are
+	// supported in the default version set. This has caused problems with `helm
+	// template` in the past, so let's be safe
+	apiextensionsv1beta1.AddToScheme(scheme.Scheme)
+	apiextensionsv1.AddToScheme(scheme.Scheme)
+
+	groups := scheme.Scheme.PrioritizedVersionsAllGroups()
+	vs := make(VersionSet, 0, len(groups))
+	for _, gv := range groups {
+		vs = append(vs, gv.String())
+	}
+	return vs
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/chartfile.go b/vendor/helm.sh/helm/v3/pkg/chartutil/chartfile.go
new file mode 100644
index 0000000000..4f537a6e76
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/chartfile.go
@@ -0,0 +1,92 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+// LoadChartfile loads a Chart.yaml file into a *chart.Metadata.
+func LoadChartfile(filename string) (*chart.Metadata, error) {
+	b, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	y := new(chart.Metadata)
+	err = yaml.Unmarshal(b, y)
+	return y, err
+}
+
+// SaveChartfile saves the given metadata as a Chart.yaml file at the given path.
+//
+// 'filename' should be the complete path and filename ('foo/Chart.yaml')
+func SaveChartfile(filename string, cf *chart.Metadata) error {
+	// Pull out the dependencies of a v1 Chart, since there's no way
+	// to tell the serializer to skip a field for just this use case
+	savedDependencies := cf.Dependencies
+	if cf.APIVersion == chart.APIVersionV1 {
+		cf.Dependencies = nil
+	}
+	out, err := yaml.Marshal(cf)
+	if cf.APIVersion == chart.APIVersionV1 {
+		cf.Dependencies = savedDependencies
+	}
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(filename, out, 0644)
+}
+
+// IsChartDir validate a chart directory.
+//
+// Checks for a valid Chart.yaml.
+func IsChartDir(dirName string) (bool, error) {
+	if fi, err := os.Stat(dirName); err != nil {
+		return false, err
+	} else if !fi.IsDir() {
+		return false, errors.Errorf("%q is not a directory", dirName)
+	}
+
+	chartYaml := filepath.Join(dirName, ChartfileName)
+	if _, err := os.Stat(chartYaml); os.IsNotExist(err) {
+		return false, errors.Errorf("no %s exists in directory %q", ChartfileName, dirName)
+	}
+
+	chartYamlContent, err := os.ReadFile(chartYaml)
+	if err != nil {
+		return false, errors.Errorf("cannot read %s in directory %q", ChartfileName, dirName)
+	}
+
+	chartContent := new(chart.Metadata)
+	if err := yaml.Unmarshal(chartYamlContent, &chartContent); err != nil {
+		return false, err
+	}
+	if chartContent == nil {
+		return false, errors.Errorf("chart metadata (%s) missing", ChartfileName)
+	}
+	if chartContent.Name == "" {
+		return false, errors.Errorf("invalid chart (%s): name must not be empty", ChartfileName)
+	}
+
+	return true, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/coalesce.go b/vendor/helm.sh/helm/v3/pkg/chartutil/coalesce.go
new file mode 100644
index 0000000000..40bce2a68e
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/coalesce.go
@@ -0,0 +1,305 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/mitchellh/copystructure"
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+func concatPrefix(a, b string) string {
+	if a == "" {
+		return b
+	}
+	return fmt.Sprintf("%s.%s", a, b)
+}
+
+// CoalesceValues coalesces all of the values in a chart (and its subcharts).
+//
+// Values are coalesced together using the following rules:
+//
+//   - Values in a higher level chart always override values in a lower-level
+//     dependency chart
+//   - Scalar values and arrays are replaced, maps are merged
+//   - A chart has access to all of the variables for it, as well as all of
+//     the values destined for its dependencies.
+func CoalesceValues(chrt *chart.Chart, vals map[string]interface{}) (Values, error) {
+	valsCopy, err := copyValues(vals)
+	if err != nil {
+		return vals, err
+	}
+	return coalesce(log.Printf, chrt, valsCopy, "", false)
+}
+
+// MergeValues is used to merge the values in a chart and its subcharts. This
+// is different from Coalescing as nil/null values are preserved.
+//
+// Values are coalesced together using the following rules:
+//
+//   - Values in a higher level chart always override values in a lower-level
+//     dependency chart
+//   - Scalar values and arrays are replaced, maps are merged
+//   - A chart has access to all of the variables for it, as well as all of
+//     the values destined for its dependencies.
+//
+// Retaining Nils is useful when processes early in a Helm action or business
+// logic need to retain them for when Coalescing will happen again later in the
+// business logic.
+func MergeValues(chrt *chart.Chart, vals map[string]interface{}) (Values, error) {
+	valsCopy, err := copyValues(vals)
+	if err != nil {
+		return vals, err
+	}
+	return coalesce(log.Printf, chrt, valsCopy, "", true)
+}
+
+func copyValues(vals map[string]interface{}) (Values, error) {
+	v, err := copystructure.Copy(vals)
+	if err != nil {
+		return vals, err
+	}
+
+	valsCopy := v.(map[string]interface{})
+	// if we have an empty map, make sure it is initialized
+	if valsCopy == nil {
+		valsCopy = make(map[string]interface{})
+	}
+
+	return valsCopy, nil
+}
+
+type printFn func(format string, v ...interface{})
+
+// coalesce coalesces the dest values and the chart values, giving priority to the dest values.
+//
+// This is a helper function for CoalesceValues and MergeValues.
+//
+// Note, the merge argument specifies whether this is being used by MergeValues
+// or CoalesceValues. Coalescing removes null values and their keys in some
+// situations while merging keeps the null values.
+func coalesce(printf printFn, ch *chart.Chart, dest map[string]interface{}, prefix string, merge bool) (map[string]interface{}, error) {
+	coalesceValues(printf, ch, dest, prefix, merge)
+	return coalesceDeps(printf, ch, dest, prefix, merge)
+}
+
+// coalesceDeps coalesces the dependencies of the given chart.
+func coalesceDeps(printf printFn, chrt *chart.Chart, dest map[string]interface{}, prefix string, merge bool) (map[string]interface{}, error) {
+	for _, subchart := range chrt.Dependencies() {
+		if c, ok := dest[subchart.Name()]; !ok {
+			// If dest doesn't already have the key, create it.
+			dest[subchart.Name()] = make(map[string]interface{})
+		} else if !istable(c) {
+			return dest, errors.Errorf("type mismatch on %s: %t", subchart.Name(), c)
+		}
+		if dv, ok := dest[subchart.Name()]; ok {
+			dvmap := dv.(map[string]interface{})
+			subPrefix := concatPrefix(prefix, chrt.Metadata.Name)
+			// Get globals out of dest and merge them into dvmap.
+			coalesceGlobals(printf, dvmap, dest, subPrefix, merge)
+			// Now coalesce the rest of the values.
+			var err error
+			dest[subchart.Name()], err = coalesce(printf, subchart, dvmap, subPrefix, merge)
+			if err != nil {
+				return dest, err
+			}
+		}
+	}
+	return dest, nil
+}
+
+// coalesceGlobals copies the globals out of src and merges them into dest.
+//
+// For convenience, returns dest.
+func coalesceGlobals(printf printFn, dest, src map[string]interface{}, prefix string, _ bool) {
+	var dg, sg map[string]interface{}
+
+	if destglob, ok := dest[GlobalKey]; !ok {
+		dg = make(map[string]interface{})
+	} else if dg, ok = destglob.(map[string]interface{}); !ok {
+		printf("warning: skipping globals because destination %s is not a table.", GlobalKey)
+		return
+	}
+
+	if srcglob, ok := src[GlobalKey]; !ok {
+		sg = make(map[string]interface{})
+	} else if sg, ok = srcglob.(map[string]interface{}); !ok {
+		printf("warning: skipping globals because source %s is not a table.", GlobalKey)
+		return
+	}
+
+	// EXPERIMENTAL: In the past, we have disallowed globals to test tables. This
+	// reverses that decision. It may somehow be possible to introduce a loop
+	// here, but I haven't found a way. So for the time being, let's allow
+	// tables in globals.
+	for key, val := range sg {
+		if istable(val) {
+			vv := copyMap(val.(map[string]interface{}))
+			if destv, ok := dg[key]; !ok {
+				// Here there is no merge. We're just adding.
+				dg[key] = vv
+			} else {
+				if destvmap, ok := destv.(map[string]interface{}); !ok {
+					printf("Conflict: cannot merge map onto non-map for %q. Skipping.", key)
+				} else {
+					// Basically, we reverse order of coalesce here to merge
+					// top-down.
+					subPrefix := concatPrefix(prefix, key)
+					// In this location coalesceTablesFullKey should always have
+					// merge set to true. The output of coalesceGlobals is run
+					// through coalesce where any nils will be removed.
+					coalesceTablesFullKey(printf, vv, destvmap, subPrefix, true)
+					dg[key] = vv
+				}
+			}
+		} else if dv, ok := dg[key]; ok && istable(dv) {
+			// It's not clear if this condition can actually ever trigger.
+			printf("key %s is table. Skipping", key)
+		} else {
+			// TODO: Do we need to do any additional checking on the value?
+			dg[key] = val
+		}
+	}
+	dest[GlobalKey] = dg
+}
+
+func copyMap(src map[string]interface{}) map[string]interface{} {
+	m := make(map[string]interface{}, len(src))
+	for k, v := range src {
+		m[k] = v
+	}
+	return m
+}
+
+// coalesceValues builds up a values map for a particular chart.
+//
+// Values in v will override the values in the chart.
+func coalesceValues(printf printFn, c *chart.Chart, v map[string]interface{}, prefix string, merge bool) {
+	subPrefix := concatPrefix(prefix, c.Metadata.Name)
+
+	// Using c.Values directly when coalescing a table can cause problems where
+	// the original c.Values is altered. Creating a deep copy stops the problem.
+	// This section is fault-tolerant as there is no ability to return an error.
+	valuesCopy, err := copystructure.Copy(c.Values)
+	var vc map[string]interface{}
+	var ok bool
+	if err != nil {
+		// If there is an error something is wrong with copying c.Values it
+		// means there is a problem in the deep copying package or something
+		// wrong with c.Values. In this case we will use c.Values and report
+		// an error.
+		printf("warning: unable to copy values, err: %s", err)
+		vc = c.Values
+	} else {
+		vc, ok = valuesCopy.(map[string]interface{})
+		if !ok {
+			// c.Values has a map[string]interface{} structure. If the copy of
+			// it cannot be treated as map[string]interface{} there is something
+			// strangely wrong. Log it and use c.Values
+			printf("warning: unable to convert values copy to values type")
+			vc = c.Values
+		}
+	}
+
+	for key, val := range vc {
+		if value, ok := v[key]; ok {
+			if value == nil && !merge {
+				// When the YAML value is null and we are coalescing instead of
+				// merging, we remove the value's key.
+				// This allows Helm's various sources of values (value files or --set) to
+				// remove incompatible keys from any previous chart, file, or set values.
+				delete(v, key)
+			} else if dest, ok := value.(map[string]interface{}); ok {
+				// if v[key] is a table, merge nv's val table into v[key].
+				src, ok := val.(map[string]interface{})
+				if !ok {
+					// If the original value is nil, there is nothing to coalesce, so we don't print
+					// the warning
+					if val != nil {
+						printf("warning: skipped value for %s.%s: Not a table.", subPrefix, key)
+					}
+				} else {
+					// If the key is a child chart, coalesce tables with Merge set to true
+					merge := childChartMergeTrue(c, key, merge)
+
+					// Because v has higher precedence than nv, dest values override src
+					// values.
+					coalesceTablesFullKey(printf, dest, src, concatPrefix(subPrefix, key), merge)
+				}
+			}
+		} else {
+			// If the key is not in v, copy it from nv.
+			v[key] = val
+		}
+	}
+}
+
+func childChartMergeTrue(chrt *chart.Chart, key string, merge bool) bool {
+	for _, subchart := range chrt.Dependencies() {
+		if subchart.Name() == key {
+			return true
+		}
+	}
+	return merge
+}
+
+// CoalesceTables merges a source map into a destination map.
+//
+// dest is considered authoritative.
+func CoalesceTables(dst, src map[string]interface{}) map[string]interface{} {
+	return coalesceTablesFullKey(log.Printf, dst, src, "", false)
+}
+
+func MergeTables(dst, src map[string]interface{}) map[string]interface{} {
+	return coalesceTablesFullKey(log.Printf, dst, src, "", true)
+}
+
+// coalesceTablesFullKey merges a source map into a destination map.
+//
+// dest is considered authoritative.
+func coalesceTablesFullKey(printf printFn, dst, src map[string]interface{}, prefix string, merge bool) map[string]interface{} {
+	// When --reuse-values is set but there are no modifications yet, return new values
+	if src == nil {
+		return dst
+	}
+	if dst == nil {
+		return src
+	}
+	// Because dest has higher precedence than src, dest values override src
+	// values.
+	for key, val := range src {
+		fullkey := concatPrefix(prefix, key)
+		if dv, ok := dst[key]; ok && !merge && dv == nil {
+			delete(dst, key)
+		} else if !ok {
+			dst[key] = val
+		} else if istable(val) {
+			if istable(dv) {
+				coalesceTablesFullKey(printf, dv.(map[string]interface{}), val.(map[string]interface{}), fullkey, merge)
+			} else {
+				printf("warning: cannot overwrite table with non table for %s (%v)", fullkey, val)
+			}
+		} else if istable(dv) && val != nil {
+			printf("warning: destination for %s is a table. Ignoring non-table value (%v)", fullkey, val)
+		}
+	}
+	return dst
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/compatible.go b/vendor/helm.sh/helm/v3/pkg/chartutil/compatible.go
new file mode 100644
index 0000000000..f4656c9135
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/compatible.go
@@ -0,0 +1,34 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import "github.com/Masterminds/semver/v3"
+
+// IsCompatibleRange compares a version to a constraint.
+// It returns true if the version matches the constraint, and false in all other cases.
+func IsCompatibleRange(constraint, ver string) bool {
+	sv, err := semver.NewVersion(ver)
+	if err != nil {
+		return false
+	}
+
+	c, err := semver.NewConstraint(constraint)
+	if err != nil {
+		return false
+	}
+	return c.Check(sv)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/create.go b/vendor/helm.sh/helm/v3/pkg/chartutil/create.go
new file mode 100644
index 0000000000..321d3d2c04
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/create.go
@@ -0,0 +1,735 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+)
+
+// chartName is a regular expression for testing the supplied name of a chart.
+// This regular expression is probably stricter than it needs to be. We can relax it
+// somewhat. Newline characters, as well as $, quotes, +, parens, and % are known to be
+// problematic.
+var chartName = regexp.MustCompile("^[a-zA-Z0-9._-]+$")
+
+const (
+	// ChartfileName is the default Chart file name.
+	ChartfileName = "Chart.yaml"
+	// ValuesfileName is the default values file name.
+	ValuesfileName = "values.yaml"
+	// SchemafileName is the default values schema file name.
+	SchemafileName = "values.schema.json"
+	// TemplatesDir is the relative directory name for templates.
+	TemplatesDir = "templates"
+	// ChartsDir is the relative directory name for charts dependencies.
+	ChartsDir = "charts"
+	// TemplatesTestsDir is the relative directory name for tests.
+	TemplatesTestsDir = TemplatesDir + sep + "tests"
+	// IgnorefileName is the name of the Helm ignore file.
+	IgnorefileName = ".helmignore"
+	// IngressFileName is the name of the example ingress file.
+	IngressFileName = TemplatesDir + sep + "ingress.yaml"
+	// DeploymentName is the name of the example deployment file.
+	DeploymentName = TemplatesDir + sep + "deployment.yaml"
+	// ServiceName is the name of the example service file.
+	ServiceName = TemplatesDir + sep + "service.yaml"
+	// ServiceAccountName is the name of the example serviceaccount file.
+	ServiceAccountName = TemplatesDir + sep + "serviceaccount.yaml"
+	// HorizontalPodAutoscalerName is the name of the example hpa file.
+	HorizontalPodAutoscalerName = TemplatesDir + sep + "hpa.yaml"
+	// NotesName is the name of the example NOTES.txt file.
+	NotesName = TemplatesDir + sep + "NOTES.txt"
+	// HelpersName is the name of the example helpers file.
+	HelpersName = TemplatesDir + sep + "_helpers.tpl"
+	// TestConnectionName is the name of the example test file.
+	TestConnectionName = TemplatesTestsDir + sep + "test-connection.yaml"
+)
+
+// maxChartNameLength is lower than the limits we know of with certain file systems,
+// and with certain Kubernetes fields.
+const maxChartNameLength = 250
+
+const sep = string(filepath.Separator)
+
+const defaultChartfile = `apiVersion: v2
+name: %s
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+`
+
+const defaultValues = `# Default values for %s.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+replicaCount: 1
+
+# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
+image:
+  repository: nginx
+  # This sets the pull policy for images.
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+# This is for setting Kubernetes Annotations to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+podAnnotations: {}
+# This is for setting Kubernetes Labels to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+service:
+  # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+  type: ClusterIP
+  # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+  port: 80
+
+# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+livenessProbe:
+  httpGet:
+    path: /
+    port: http
+readinessProbe:
+  httpGet:
+    path: /
+    port: http
+
+# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+`
+
+const defaultIgnore = `# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+`
+
+const defaultIngress = `{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "<CHARTNAME>.fullname" . }}
+  labels:
+    {{- include "<CHARTNAME>.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- with .pathType }}
+            pathType: {{ . }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ include "<CHARTNAME>.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}
+`
+
+const defaultDeployment = `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "<CHARTNAME>.fullname" . }}
+  labels:
+    {{- include "<CHARTNAME>.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "<CHARTNAME>.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "<CHARTNAME>.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "<CHARTNAME>.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          {{- with .Values.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+`
+
+const defaultService = `apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "<CHARTNAME>.fullname" . }}
+  labels:
+    {{- include "<CHARTNAME>.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "<CHARTNAME>.selectorLabels" . | nindent 4 }}
+`
+
+const defaultServiceAccount = `{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "<CHARTNAME>.serviceAccountName" . }}
+  labels:
+    {{- include "<CHARTNAME>.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
+`
+
+const defaultHorizontalPodAutoscaler = `{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "<CHARTNAME>.fullname" . }}
+  labels:
+    {{- include "<CHARTNAME>.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "<CHARTNAME>.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
+`
+
+const defaultNotes = `1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "<CHARTNAME>.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "<CHARTNAME>.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "<CHARTNAME>.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "<CHARTNAME>.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
+`
+
+const defaultHelpers = `{{/*
+Expand the name of the chart.
+*/}}
+{{- define "<CHARTNAME>.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "<CHARTNAME>.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "<CHARTNAME>.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "<CHARTNAME>.labels" -}}
+helm.sh/chart: {{ include "<CHARTNAME>.chart" . }}
+{{ include "<CHARTNAME>.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "<CHARTNAME>.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "<CHARTNAME>.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "<CHARTNAME>.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "<CHARTNAME>.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+`
+
+const defaultTestConnection = `apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "<CHARTNAME>.fullname" . }}-test-connection"
+  labels:
+    {{- include "<CHARTNAME>.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "<CHARTNAME>.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never
+`
+
+// Stderr is an io.Writer to which error messages can be written
+//
+// In Helm 4, this will be replaced. It is needed in Helm 3 to preserve API backward
+// compatibility.
+var Stderr io.Writer = os.Stderr
+
+// CreateFrom creates a new chart, but scaffolds it from the src chart.
+func CreateFrom(chartfile *chart.Metadata, dest, src string) error {
+	schart, err := loader.Load(src)
+	if err != nil {
+		return errors.Wrapf(err, "could not load %s", src)
+	}
+
+	schart.Metadata = chartfile
+
+	var updatedTemplates []*chart.File
+
+	for _, template := range schart.Templates {
+		newData := transform(string(template.Data), schart.Name())
+		updatedTemplates = append(updatedTemplates, &chart.File{Name: template.Name, Data: newData})
+	}
+
+	schart.Templates = updatedTemplates
+	b, err := yaml.Marshal(schart.Values)
+	if err != nil {
+		return errors.Wrap(err, "reading values file")
+	}
+
+	var m map[string]interface{}
+	if err := yaml.Unmarshal(transform(string(b), schart.Name()), &m); err != nil {
+		return errors.Wrap(err, "transforming values file")
+	}
+	schart.Values = m
+
+	// SaveDir looks for the file values.yaml when saving rather than the values
+	// key in order to preserve the comments in the YAML. The name placeholder
+	// needs to be replaced on that file.
+	for _, f := range schart.Raw {
+		if f.Name == ValuesfileName {
+			f.Data = transform(string(f.Data), schart.Name())
+		}
+	}
+
+	return SaveDir(schart, dest)
+}
+
+// Create creates a new chart in a directory.
+//
+// Inside of dir, this will create a directory based on the name of
+// chartfile.Name. It will then write the Chart.yaml into this directory and
+// create the (empty) appropriate directories.
+//
+// The returned string will point to the newly created directory. It will be
+// an absolute path, even if the provided base directory was relative.
+//
+// If dir does not exist, this will return an error.
+// If Chart.yaml or any directories cannot be created, this will return an
+// error. In such a case, this will attempt to clean up by removing the
+// new chart directory.
+func Create(name, dir string) (string, error) {
+
+	// Sanity-check the name of a chart so user doesn't create one that causes problems.
+	if err := validateChartName(name); err != nil {
+		return "", err
+	}
+
+	path, err := filepath.Abs(dir)
+	if err != nil {
+		return path, err
+	}
+
+	if fi, err := os.Stat(path); err != nil {
+		return path, err
+	} else if !fi.IsDir() {
+		return path, errors.Errorf("no such directory %s", path)
+	}
+
+	cdir := filepath.Join(path, name)
+	if fi, err := os.Stat(cdir); err == nil && !fi.IsDir() {
+		return cdir, errors.Errorf("file %s already exists and is not a directory", cdir)
+	}
+
+	// Note: If adding a new template below (i.e., to `helm create`) which is disabled by default (similar to hpa and
+	// ingress below); or making an existing template disabled by default, add the enabling condition in
+	// `TestHelmCreateChart_CheckDeprecatedWarnings` in `pkg/lint/lint_test.go` to make it run through deprecation checks
+	// with latest Kubernetes version.
+	files := []struct {
+		path    string
+		content []byte
+	}{
+		{
+			// Chart.yaml
+			path:    filepath.Join(cdir, ChartfileName),
+			content: []byte(fmt.Sprintf(defaultChartfile, name)),
+		},
+		{
+			// values.yaml
+			path:    filepath.Join(cdir, ValuesfileName),
+			content: []byte(fmt.Sprintf(defaultValues, name)),
+		},
+		{
+			// .helmignore
+			path:    filepath.Join(cdir, IgnorefileName),
+			content: []byte(defaultIgnore),
+		},
+		{
+			// ingress.yaml
+			path:    filepath.Join(cdir, IngressFileName),
+			content: transform(defaultIngress, name),
+		},
+		{
+			// deployment.yaml
+			path:    filepath.Join(cdir, DeploymentName),
+			content: transform(defaultDeployment, name),
+		},
+		{
+			// service.yaml
+			path:    filepath.Join(cdir, ServiceName),
+			content: transform(defaultService, name),
+		},
+		{
+			// serviceaccount.yaml
+			path:    filepath.Join(cdir, ServiceAccountName),
+			content: transform(defaultServiceAccount, name),
+		},
+		{
+			// hpa.yaml
+			path:    filepath.Join(cdir, HorizontalPodAutoscalerName),
+			content: transform(defaultHorizontalPodAutoscaler, name),
+		},
+		{
+			// NOTES.txt
+			path:    filepath.Join(cdir, NotesName),
+			content: transform(defaultNotes, name),
+		},
+		{
+			// _helpers.tpl
+			path:    filepath.Join(cdir, HelpersName),
+			content: transform(defaultHelpers, name),
+		},
+		{
+			// test-connection.yaml
+			path:    filepath.Join(cdir, TestConnectionName),
+			content: transform(defaultTestConnection, name),
+		},
+	}
+
+	for _, file := range files {
+		if _, err := os.Stat(file.path); err == nil {
+			// There is no handle to a preferred output stream here.
+			fmt.Fprintf(Stderr, "WARNING: File %q already exists. Overwriting.\n", file.path)
+		}
+		if err := writeFile(file.path, file.content); err != nil {
+			return cdir, err
+		}
+	}
+	// Need to add the ChartsDir explicitly as it does not contain any file OOTB
+	if err := os.MkdirAll(filepath.Join(cdir, ChartsDir), 0755); err != nil {
+		return cdir, err
+	}
+	return cdir, nil
+}
+
+// transform performs a string replacement of the specified source for
+// a given key with the replacement string
+func transform(src, replacement string) []byte {
+	return []byte(strings.ReplaceAll(src, "<CHARTNAME>", replacement))
+}
+
+func writeFile(name string, content []byte) error {
+	if err := os.MkdirAll(filepath.Dir(name), 0755); err != nil {
+		return err
+	}
+	return os.WriteFile(name, content, 0644)
+}
+
+func validateChartName(name string) error {
+	if name == "" || len(name) > maxChartNameLength {
+		return fmt.Errorf("chart name must be between 1 and %d characters", maxChartNameLength)
+	}
+	if !chartName.MatchString(name) {
+		return fmt.Errorf("chart name must match the regular expression %q", chartName.String())
+	}
+	return nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/dependencies.go b/vendor/helm.sh/helm/v3/pkg/chartutil/dependencies.go
new file mode 100644
index 0000000000..37452cec7a
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/dependencies.go
@@ -0,0 +1,357 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/mitchellh/copystructure"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+// ProcessDependencies checks through this chart's dependencies, processing accordingly.
+//
+// TODO: For Helm v4 this can be combined with or turned into ProcessDependenciesWithMerge
+func ProcessDependencies(c *chart.Chart, v Values) error {
+	if err := processDependencyEnabled(c, v, ""); err != nil {
+		return err
+	}
+	return processDependencyImportValues(c, false)
+}
+
+// ProcessDependenciesWithMerge checks through this chart's dependencies, processing accordingly.
+// It is similar to ProcessDependencies but it does not remove nil values during
+// the import/export handling process.
+func ProcessDependenciesWithMerge(c *chart.Chart, v Values) error {
+	if err := processDependencyEnabled(c, v, ""); err != nil {
+		return err
+	}
+	return processDependencyImportValues(c, true)
+}
+
+// processDependencyConditions disables charts based on condition path value in values
+func processDependencyConditions(reqs []*chart.Dependency, cvals Values, cpath string) {
+	if reqs == nil {
+		return
+	}
+	for _, r := range reqs {
+		for _, c := range strings.Split(strings.TrimSpace(r.Condition), ",") {
+			if len(c) > 0 {
+				// retrieve value
+				vv, err := cvals.PathValue(cpath + c)
+				if err == nil {
+					// if not bool, warn
+					if bv, ok := vv.(bool); ok {
+						r.Enabled = bv
+						break
+					}
+					log.Printf("Warning: Condition path '%s' for chart %s returned non-bool value", c, r.Name)
+				} else if _, ok := err.(ErrNoValue); !ok {
+					// this is a real error
+					log.Printf("Warning: PathValue returned error %v", err)
+				}
+			}
+		}
+	}
+}
+
+// processDependencyTags disables charts based on tags in values
+func processDependencyTags(reqs []*chart.Dependency, cvals Values) {
+	if reqs == nil {
+		return
+	}
+	vt, err := cvals.Table("tags")
+	if err != nil {
+		return
+	}
+	for _, r := range reqs {
+		var hasTrue, hasFalse bool
+		for _, k := range r.Tags {
+			if b, ok := vt[k]; ok {
+				// if not bool, warn
+				if bv, ok := b.(bool); ok {
+					if bv {
+						hasTrue = true
+					} else {
+						hasFalse = true
+					}
+				} else {
+					log.Printf("Warning: Tag '%s' for chart %s returned non-bool value", k, r.Name)
+				}
+			}
+		}
+		if !hasTrue && hasFalse {
+			r.Enabled = false
+		} else if hasTrue || !hasTrue && !hasFalse {
+			r.Enabled = true
+		}
+	}
+}
+
+func getAliasDependency(charts []*chart.Chart, dep *chart.Dependency) *chart.Chart {
+	for _, c := range charts {
+		if c == nil {
+			continue
+		}
+		if c.Name() != dep.Name {
+			continue
+		}
+		if !IsCompatibleRange(dep.Version, c.Metadata.Version) {
+			continue
+		}
+
+		out := *c
+		md := *c.Metadata
+		out.Metadata = &md
+
+		if dep.Alias != "" {
+			md.Name = dep.Alias
+		}
+		return &out
+	}
+	return nil
+}
+
+// processDependencyEnabled removes disabled charts from dependencies
+func processDependencyEnabled(c *chart.Chart, v map[string]interface{}, path string) error {
+	if c.Metadata.Dependencies == nil {
+		return nil
+	}
+
+	var chartDependencies []*chart.Chart
+	// If any dependency is not a part of Chart.yaml
+	// then this should be added to chartDependencies.
+	// However, if the dependency is already specified in Chart.yaml
+	// we should not add it, as it would be processed from Chart.yaml anyway.
+
+Loop:
+	for _, existing := range c.Dependencies() {
+		for _, req := range c.Metadata.Dependencies {
+			if existing.Name() == req.Name && IsCompatibleRange(req.Version, existing.Metadata.Version) {
+				continue Loop
+			}
+		}
+		chartDependencies = append(chartDependencies, existing)
+	}
+
+	for _, req := range c.Metadata.Dependencies {
+		if req == nil {
+			continue
+		}
+		if chartDependency := getAliasDependency(c.Dependencies(), req); chartDependency != nil {
+			chartDependencies = append(chartDependencies, chartDependency)
+		}
+		if req.Alias != "" {
+			req.Name = req.Alias
+		}
+	}
+	c.SetDependencies(chartDependencies...)
+
+	// set all to true
+	for _, lr := range c.Metadata.Dependencies {
+		lr.Enabled = true
+	}
+	cvals, err := CoalesceValues(c, v)
+	if err != nil {
+		return err
+	}
+	// flag dependencies as enabled/disabled
+	processDependencyTags(c.Metadata.Dependencies, cvals)
+	processDependencyConditions(c.Metadata.Dependencies, cvals, path)
+	// make a map of charts to remove
+	rm := map[string]struct{}{}
+	for _, r := range c.Metadata.Dependencies {
+		if !r.Enabled {
+			// remove disabled chart
+			rm[r.Name] = struct{}{}
+		}
+	}
+	// don't keep disabled charts in new slice
+	cd := []*chart.Chart{}
+	copy(cd, c.Dependencies()[:0])
+	for _, n := range c.Dependencies() {
+		if _, ok := rm[n.Metadata.Name]; !ok {
+			cd = append(cd, n)
+		}
+	}
+	// don't keep disabled charts in metadata
+	cdMetadata := []*chart.Dependency{}
+	copy(cdMetadata, c.Metadata.Dependencies[:0])
+	for _, n := range c.Metadata.Dependencies {
+		if _, ok := rm[n.Name]; !ok {
+			cdMetadata = append(cdMetadata, n)
+		}
+	}
+
+	// recursively call self to process sub dependencies
+	for _, t := range cd {
+		subpath := path + t.Metadata.Name + "."
+		if err := processDependencyEnabled(t, cvals, subpath); err != nil {
+			return err
+		}
+	}
+	// set the correct dependencies in metadata
+	c.Metadata.Dependencies = nil
+	c.Metadata.Dependencies = append(c.Metadata.Dependencies, cdMetadata...)
+	c.SetDependencies(cd...)
+
+	return nil
+}
+
+// pathToMap creates a nested map given a YAML path in dot notation.
+func pathToMap(path string, data map[string]interface{}) map[string]interface{} {
+	if path == "." {
+		return data
+	}
+	return set(parsePath(path), data)
+}
+
+func set(path []string, data map[string]interface{}) map[string]interface{} {
+	if len(path) == 0 {
+		return nil
+	}
+	cur := data
+	for i := len(path) - 1; i >= 0; i-- {
+		cur = map[string]interface{}{path[i]: cur}
+	}
+	return cur
+}
+
+// processImportValues merges values from child to parent based on the chart's dependencies' ImportValues field.
+func processImportValues(c *chart.Chart, merge bool) error {
+	if c.Metadata.Dependencies == nil {
+		return nil
+	}
+	// combine chart values and empty config to get Values
+	var cvals Values
+	var err error
+	if merge {
+		cvals, err = MergeValues(c, nil)
+	} else {
+		cvals, err = CoalesceValues(c, nil)
+	}
+	if err != nil {
+		return err
+	}
+	b := make(map[string]interface{})
+	// import values from each dependency if specified in import-values
+	for _, r := range c.Metadata.Dependencies {
+		var outiv []interface{}
+		for _, riv := range r.ImportValues {
+			switch iv := riv.(type) {
+			case map[string]interface{}:
+				child := fmt.Sprintf("%v", iv["child"])
+				parent := fmt.Sprintf("%v", iv["parent"])
+
+				outiv = append(outiv, map[string]string{
+					"child":  child,
+					"parent": parent,
+				})
+
+				// get child table
+				vv, err := cvals.Table(r.Name + "." + child)
+				if err != nil {
+					log.Printf("Warning: ImportValues missing table from chart %s: %v", r.Name, err)
+					continue
+				}
+				// create value map from child to be merged into parent
+				if merge {
+					b = MergeTables(b, pathToMap(parent, vv.AsMap()))
+				} else {
+					b = CoalesceTables(b, pathToMap(parent, vv.AsMap()))
+				}
+			case string:
+				child := "exports." + iv
+				outiv = append(outiv, map[string]string{
+					"child":  child,
+					"parent": ".",
+				})
+				vm, err := cvals.Table(r.Name + "." + child)
+				if err != nil {
+					log.Printf("Warning: ImportValues missing table: %v", err)
+					continue
+				}
+				if merge {
+					b = MergeTables(b, vm.AsMap())
+				} else {
+					b = CoalesceTables(b, vm.AsMap())
+				}
+			}
+		}
+		r.ImportValues = outiv
+	}
+
+	// Imported values from a child to a parent chart have a lower priority than
+	// the parents values. This enables parent charts to import a large section
+	// from a child and then override select parts. This is why b is merged into
+	// cvals in the code below and not the other way around.
+	if merge {
+		// deep copying the cvals as there are cases where pointers can end
+		// up in the cvals when they are copied onto b in ways that break things.
+		cvals = deepCopyMap(cvals)
+		c.Values = MergeTables(cvals, b)
+	} else {
+		// Trimming the nil values from cvals is needed for backwards compatibility.
+		// Previously, the b value had been populated with cvals along with some
+		// overrides. This caused the coalescing functionality to remove the
+		// nil/null values. This trimming is for backwards compat.
+		cvals = trimNilValues(cvals)
+		c.Values = CoalesceTables(cvals, b)
+	}
+
+	return nil
+}
+
+func deepCopyMap(vals map[string]interface{}) map[string]interface{} {
+	valsCopy, err := copystructure.Copy(vals)
+	if err != nil {
+		return vals
+	}
+	return valsCopy.(map[string]interface{})
+}
+
+func trimNilValues(vals map[string]interface{}) map[string]interface{} {
+	valsCopy, err := copystructure.Copy(vals)
+	if err != nil {
+		return vals
+	}
+	valsCopyMap := valsCopy.(map[string]interface{})
+	for key, val := range valsCopyMap {
+		if val == nil {
+			// Iterate over the values and remove nil keys
+			delete(valsCopyMap, key)
+		} else if istable(val) {
+			// Recursively call into ourselves to remove keys from inner tables
+			valsCopyMap[key] = trimNilValues(val.(map[string]interface{}))
+		}
+	}
+
+	return valsCopyMap
+}
+
+// processDependencyImportValues imports specified chart values from child to parent.
+func processDependencyImportValues(c *chart.Chart, merge bool) error {
+	for _, d := range c.Dependencies() {
+		// recurse
+		if err := processDependencyImportValues(d, merge); err != nil {
+			return err
+		}
+	}
+	return processImportValues(c, merge)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/doc.go b/vendor/helm.sh/helm/v3/pkg/chartutil/doc.go
new file mode 100644
index 0000000000..49c55ac521
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/doc.go
@@ -0,0 +1,45 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package chartutil contains tools for working with charts.
+
+Charts are described in the chart package (pkg/chart).
+This package provides utilities for serializing and deserializing charts.
+
+A chart can be represented on the file system in one of two ways:
+
+  - As a directory that contains a Chart.yaml file and other chart things.
+  - As a tarred gzipped file containing a directory that then contains a
+    Chart.yaml file.
+
+This package provides utilities for working with those file formats.
+
+The preferred way of loading a chart is using 'loader.Load`:
+
+	chart, err := loader.Load(filename)
+
+This will attempt to discover whether the file at 'filename' is a directory or
+a chart archive. It will then load accordingly.
+
+For accepting raw compressed tar file data from an io.Reader, the
+'loader.LoadArchive()' will read in the data, uncompress it, and unpack it
+into a Chart.
+
+When creating charts in memory, use the 'helm.sh/helm/pkg/chart'
+package directly.
+*/
+package chartutil // import "helm.sh/helm/v3/pkg/chartutil"
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
new file mode 100644
index 0000000000..0a4046d2e2
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
@@ -0,0 +1,43 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"fmt"
+)
+
+// ErrNoTable indicates that a chart does not have a matching table.
+type ErrNoTable struct {
+	Key string
+}
+
+func (e ErrNoTable) Error() string { return fmt.Sprintf("%q is not a table", e.Key) }
+
+// ErrNoValue indicates that Values does not contain a key with a value
+type ErrNoValue struct {
+	Key string
+}
+
+func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) }
+
+type ErrInvalidChartName struct {
+	Name string
+}
+
+func (e ErrInvalidChartName) Error() string {
+	return fmt.Sprintf("%q is not a valid chart name", e.Name)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/expand.go b/vendor/helm.sh/helm/v3/pkg/chartutil/expand.go
new file mode 100644
index 0000000000..ac59f25753
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/expand.go
@@ -0,0 +1,93 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+
+	securejoin "github.com/cyphar/filepath-securejoin"
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+)
+
+// Expand uncompresses and extracts a chart into the specified directory.
+func Expand(dir string, r io.Reader) error {
+	files, err := loader.LoadArchiveFiles(r)
+	if err != nil {
+		return err
+	}
+
+	// Get the name of the chart
+	var chartName string
+	for _, file := range files {
+		if file.Name == "Chart.yaml" {
+			ch := &chart.Metadata{}
+			if err := yaml.Unmarshal(file.Data, ch); err != nil {
+				return errors.Wrap(err, "cannot load Chart.yaml")
+			}
+			chartName = ch.Name
+		}
+	}
+	if chartName == "" {
+		return errors.New("chart name not specified")
+	}
+
+	// Find the base directory
+	// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+	// being wrong or returning an error. This was introduced in v0.4.0.
+	dir = filepath.Clean(dir)
+	chartdir, err := securejoin.SecureJoin(dir, chartName)
+	if err != nil {
+		return err
+	}
+
+	// Copy all files verbatim. We don't parse these files because parsing can remove
+	// comments.
+	for _, file := range files {
+		outpath, err := securejoin.SecureJoin(chartdir, file.Name)
+		if err != nil {
+			return err
+		}
+
+		// Make sure the necessary subdirs get created.
+		basedir := filepath.Dir(outpath)
+		if err := os.MkdirAll(basedir, 0755); err != nil {
+			return err
+		}
+
+		if err := os.WriteFile(outpath, file.Data, 0644); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ExpandFile expands the src file into the dest directory.
+func ExpandFile(dest, src string) error {
+	h, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer h.Close()
+	return Expand(dest, h)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/jsonschema.go b/vendor/helm.sh/helm/v3/pkg/chartutil/jsonschema.go
new file mode 100644
index 0000000000..d712316c59
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/jsonschema.go
@@ -0,0 +1,150 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"bytes"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/santhosh-tekuri/jsonschema/v6"
+
+	"net/http"
+
+	"helm.sh/helm/v3/internal/version"
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+// HTTPURLLoader implements a loader for HTTP/HTTPS URLs
+type HTTPURLLoader http.Client
+
+func (l *HTTPURLLoader) Load(urlStr string) (any, error) {
+	client := (*http.Client)(l)
+
+	req, err := http.NewRequest(http.MethodGet, urlStr, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create HTTP request for %s: %w", urlStr, err)
+	}
+	req.Header.Set("User-Agent", version.GetUserAgent())
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("HTTP request failed for %s: %w", urlStr, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("HTTP request to %s returned status %d (%s)", urlStr, resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	return jsonschema.UnmarshalJSON(resp.Body)
+}
+
+// newHTTPURLLoader creates a HTTP URL loader with proxy support.
+func newHTTPURLLoader() *HTTPURLLoader {
+	httpLoader := HTTPURLLoader(http.Client{
+		Timeout: 15 * time.Second,
+		Transport: &http.Transport{
+			Proxy:           http.ProxyFromEnvironment,
+			TLSClientConfig: &tls.Config{},
+		},
+	})
+	return &httpLoader
+}
+
+// ValidateAgainstSchema checks that values does not violate the structure laid out in schema
+func ValidateAgainstSchema(chrt *chart.Chart, values map[string]interface{}) error {
+	var sb strings.Builder
+	if chrt.Schema != nil {
+
+		err := ValidateAgainstSingleSchema(values, chrt.Schema)
+		if err != nil {
+			sb.WriteString(fmt.Sprintf("%s:\n", chrt.Name()))
+			sb.WriteString(err.Error())
+		}
+	}
+
+	for _, subchart := range chrt.Dependencies() {
+		subchartValues := values[subchart.Name()].(map[string]interface{})
+		if err := ValidateAgainstSchema(subchart, subchartValues); err != nil {
+			sb.WriteString(err.Error())
+		}
+	}
+
+	if sb.Len() > 0 {
+		return errors.New(sb.String())
+	}
+
+	return nil
+}
+
+// ValidateAgainstSingleSchema checks that values does not violate the structure laid out in this schema
+func ValidateAgainstSingleSchema(values Values, schemaJSON []byte) (reterr error) {
+	defer func() {
+		if r := recover(); r != nil {
+			reterr = fmt.Errorf("unable to validate schema: %s", r)
+		}
+	}()
+
+	// This unmarshal function leverages UseNumber() for number precision. The parser
+	// used for values does this as well.
+	schema, err := jsonschema.UnmarshalJSON(bytes.NewReader(schemaJSON))
+	if err != nil {
+		return err
+	}
+
+	// Configure compiler with loaders for different URL schemes
+	loader := jsonschema.SchemeURLLoader{
+		"file":  jsonschema.FileLoader{},
+		"http":  newHTTPURLLoader(),
+		"https": newHTTPURLLoader(),
+	}
+
+	compiler := jsonschema.NewCompiler()
+	compiler.UseLoader(loader)
+	err = compiler.AddResource("file:///values.schema.json", schema)
+	if err != nil {
+		return err
+	}
+
+	validator, err := compiler.Compile("file:///values.schema.json")
+	if err != nil {
+		return err
+	}
+
+	err = validator.Validate(values.AsMap())
+	if err != nil {
+		return JSONSchemaValidationError{err}
+	}
+
+	return nil
+}
+
+type JSONSchemaValidationError struct {
+	embeddedErr error
+}
+
+func (e JSONSchemaValidationError) Error() string {
+	errStr := e.embeddedErr.Error()
+
+	errStr = strings.TrimPrefix(errStr, "jsonschema validation failed with 'file:///values.schema.json#'\n")
+
+	return errStr + "\n"
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
new file mode 100644
index 0000000000..4ee90709c9
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
@@ -0,0 +1,264 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
+
+// SaveDir saves a chart as files in a directory.
+//
+// This takes the chart name, and creates a new subdirectory inside of the given dest
+// directory, writing the chart's contents to that subdirectory.
+func SaveDir(c *chart.Chart, dest string) error {
+	// Create the chart directory
+	err := validateName(c.Name())
+	if err != nil {
+		return err
+	}
+	outdir := filepath.Join(dest, c.Name())
+	if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() {
+		return errors.Errorf("file %s already exists and is not a directory", outdir)
+	}
+	if err := os.MkdirAll(outdir, 0755); err != nil {
+		return err
+	}
+
+	// Save the chart file.
+	if err := SaveChartfile(filepath.Join(outdir, ChartfileName), c.Metadata); err != nil {
+		return err
+	}
+
+	// Save values.yaml
+	for _, f := range c.Raw {
+		if f.Name == ValuesfileName {
+			vf := filepath.Join(outdir, ValuesfileName)
+			if err := writeFile(vf, f.Data); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Save values.schema.json if it exists
+	if c.Schema != nil {
+		filename := filepath.Join(outdir, SchemafileName)
+		if err := writeFile(filename, c.Schema); err != nil {
+			return err
+		}
+	}
+
+	// Save templates and files
+	for _, o := range [][]*chart.File{c.Templates, c.Files} {
+		for _, f := range o {
+			n := filepath.Join(outdir, f.Name)
+			if err := writeFile(n, f.Data); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Save dependencies
+	base := filepath.Join(outdir, ChartsDir)
+	for _, dep := range c.Dependencies() {
+		// Here, we write each dependency as a tar file.
+		if _, err := Save(dep, base); err != nil {
+			return errors.Wrapf(err, "saving %s", dep.ChartFullPath())
+		}
+	}
+	return nil
+}
+
+// Save creates an archived chart to the given directory.
+//
+// This takes an existing chart and a destination directory.
+//
+// If the directory is /foo, and the chart is named bar, with version 1.0.0, this
+// will generate /foo/bar-1.0.0.tgz.
+//
+// This returns the absolute path to the chart archive file.
+func Save(c *chart.Chart, outDir string) (string, error) {
+	if err := c.Validate(); err != nil {
+		return "", errors.Wrap(err, "chart validation")
+	}
+
+	filename := fmt.Sprintf("%s-%s.tgz", c.Name(), c.Metadata.Version)
+	filename = filepath.Join(outDir, filename)
+	dir := filepath.Dir(filename)
+	if stat, err := os.Stat(dir); err != nil {
+		if os.IsNotExist(err) {
+			if err2 := os.MkdirAll(dir, 0755); err2 != nil {
+				return "", err2
+			}
+		} else {
+			return "", errors.Wrapf(err, "stat %s", dir)
+		}
+	} else if !stat.IsDir() {
+		return "", errors.Errorf("is not a directory: %s", dir)
+	}
+
+	f, err := os.Create(filename)
+	if err != nil {
+		return "", err
+	}
+
+	// Wrap in gzip writer
+	zipper := gzip.NewWriter(f)
+	zipper.Header.Extra = headerBytes
+	zipper.Header.Comment = "Helm"
+
+	// Wrap in tar writer
+	twriter := tar.NewWriter(zipper)
+	rollback := false
+	defer func() {
+		twriter.Close()
+		zipper.Close()
+		f.Close()
+		if rollback {
+			os.Remove(filename)
+		}
+	}()
+
+	if err := writeTarContents(twriter, c, ""); err != nil {
+		rollback = true
+		return filename, err
+	}
+	return filename, nil
+}
+
+func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error {
+	err := validateName(c.Name())
+	if err != nil {
+		return err
+	}
+	base := filepath.Join(prefix, c.Name())
+
+	// Pull out the dependencies of a v1 Chart, since there's no way
+	// to tell the serializer to skip a field for just this use case
+	savedDependencies := c.Metadata.Dependencies
+	if c.Metadata.APIVersion == chart.APIVersionV1 {
+		c.Metadata.Dependencies = nil
+	}
+	// Save Chart.yaml
+	cdata, err := yaml.Marshal(c.Metadata)
+	if c.Metadata.APIVersion == chart.APIVersionV1 {
+		c.Metadata.Dependencies = savedDependencies
+	}
+	if err != nil {
+		return err
+	}
+	if err := writeToTar(out, filepath.Join(base, ChartfileName), cdata); err != nil {
+		return err
+	}
+
+	// Save Chart.lock
+	// TODO: remove the APIVersion check when APIVersionV1 is not used anymore
+	if c.Metadata.APIVersion == chart.APIVersionV2 {
+		if c.Lock != nil {
+			ldata, err := yaml.Marshal(c.Lock)
+			if err != nil {
+				return err
+			}
+			if err := writeToTar(out, filepath.Join(base, "Chart.lock"), ldata); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Save values.yaml
+	for _, f := range c.Raw {
+		if f.Name == ValuesfileName {
+			if err := writeToTar(out, filepath.Join(base, ValuesfileName), f.Data); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Save values.schema.json if it exists
+	if c.Schema != nil {
+		if !json.Valid(c.Schema) {
+			return errors.New("Invalid JSON in " + SchemafileName)
+		}
+		if err := writeToTar(out, filepath.Join(base, SchemafileName), c.Schema); err != nil {
+			return err
+		}
+	}
+
+	// Save templates
+	for _, f := range c.Templates {
+		n := filepath.Join(base, f.Name)
+		if err := writeToTar(out, n, f.Data); err != nil {
+			return err
+		}
+	}
+
+	// Save files
+	for _, f := range c.Files {
+		n := filepath.Join(base, f.Name)
+		if err := writeToTar(out, n, f.Data); err != nil {
+			return err
+		}
+	}
+
+	// Save dependencies
+	for _, dep := range c.Dependencies() {
+		if err := writeTarContents(out, dep, filepath.Join(base, ChartsDir)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// writeToTar writes a single file to a tar archive.
+func writeToTar(out *tar.Writer, name string, body []byte) error {
+	// TODO: Do we need to create dummy parent directory names if none exist?
+	h := &tar.Header{
+		Name:    filepath.ToSlash(name),
+		Mode:    0644,
+		Size:    int64(len(body)),
+		ModTime: time.Now(),
+	}
+	if err := out.WriteHeader(h); err != nil {
+		return err
+	}
+	_, err := out.Write(body)
+	return err
+}
+
+// If the name has directory name has characters which would change the location
+// they need to be removed.
+func validateName(name string) error {
+	nname := filepath.Base(name)
+
+	if nname != name {
+		return ErrInvalidChartName{name}
+	}
+
+	return nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/validate_name.go b/vendor/helm.sh/helm/v3/pkg/chartutil/validate_name.go
new file mode 100644
index 0000000000..05c090cb66
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/validate_name.go
@@ -0,0 +1,112 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/pkg/errors"
+)
+
+// validName is a regular expression for resource names.
+//
+// According to the Kubernetes help text, the regular expression it uses is:
+//
+//	[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*
+//
+// This follows the above regular expression (but requires a full string match, not partial).
+//
+// The Kubernetes documentation is here, though it is not entirely correct:
+// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+var validName = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
+
+var (
+	// errMissingName indicates that a release (name) was not provided.
+	errMissingName = errors.New("no name provided")
+
+	// errInvalidName indicates that an invalid release name was provided
+	errInvalidName = fmt.Errorf(
+		"invalid release name, must match regex %s and the length must not be longer than 53",
+		validName.String())
+
+	// errInvalidKubernetesName indicates that the name does not meet the Kubernetes
+	// restrictions on metadata names.
+	errInvalidKubernetesName = fmt.Errorf(
+		"invalid metadata name, must match regex %s and the length must not be longer than 253",
+		validName.String())
+)
+
+const (
+	// According to the Kubernetes docs (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#rfc-1035-label-names)
+	// some resource names have a max length of 63 characters while others have a max
+	// length of 253 characters. As we cannot be sure the resources used in a chart, we
+	// therefore need to limit it to 63 chars and reserve 10 chars for additional part to name
+	// of the resource. The reason is that chart maintainers can use release name as part of
+	// the resource name (and some additional chars).
+	maxReleaseNameLen = 53
+	// maxMetadataNameLen is the maximum length Kubernetes allows for any name.
+	maxMetadataNameLen = 253
+)
+
+// ValidateReleaseName performs checks for an entry for a Helm release name
+//
+// For Helm to allow a name, it must be below a certain character count (53) and also match
+// a regular expression.
+//
+// According to the Kubernetes help text, the regular expression it uses is:
+//
+//	[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*
+//
+// This follows the above regular expression (but requires a full string match, not partial).
+//
+// The Kubernetes documentation is here, though it is not entirely correct:
+// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+func ValidateReleaseName(name string) error {
+	// This case is preserved for backwards compatibility
+	if name == "" {
+		return errMissingName
+
+	}
+	if len(name) > maxReleaseNameLen || !validName.MatchString(name) {
+		return errInvalidName
+	}
+	return nil
+}
+
+// ValidateMetadataName validates the name field of a Kubernetes metadata object.
+//
+// Empty strings, strings longer than 253 chars, or strings that don't match the regexp
+// will fail.
+//
+// According to the Kubernetes help text, the regular expression it uses is:
+//
+//	[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*
+//
+// This follows the above regular expression (but requires a full string match, not partial).
+//
+// The Kubernetes documentation is here, though it is not entirely correct:
+// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+//
+// Deprecated: remove in Helm 4.  Name validation now uses rules defined in
+// pkg/lint/rules.validateMetadataNameFunc()
+func ValidateMetadataName(name string) error {
+	if name == "" || len(name) > maxMetadataNameLen || !validName.MatchString(name) {
+		return errInvalidKubernetesName
+	}
+	return nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/values.go b/vendor/helm.sh/helm/v3/pkg/chartutil/values.go
new file mode 100644
index 0000000000..61c633a6d5
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/values.go
@@ -0,0 +1,221 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package chartutil
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+// GlobalKey is the name of the Values key that is used for storing global vars.
+const GlobalKey = "global"
+
+// Values represents a collection of chart values.
+type Values map[string]interface{}
+
+// YAML encodes the Values into a YAML string.
+func (v Values) YAML() (string, error) {
+	b, err := yaml.Marshal(v)
+	return string(b), err
+}
+
+// Table gets a table (YAML subsection) from a Values object.
+//
+// The table is returned as a Values.
+//
+// Compound table names may be specified with dots:
+//
+//	foo.bar
+//
+// The above will be evaluated as "The table bar inside the table
+// foo".
+//
+// An ErrNoTable is returned if the table does not exist.
+func (v Values) Table(name string) (Values, error) {
+	table := v
+	var err error
+
+	for _, n := range parsePath(name) {
+		if table, err = tableLookup(table, n); err != nil {
+			break
+		}
+	}
+	return table, err
+}
+
+// AsMap is a utility function for converting Values to a map[string]interface{}.
+//
+// It protects against nil map panics.
+func (v Values) AsMap() map[string]interface{} {
+	if len(v) == 0 {
+		return map[string]interface{}{}
+	}
+	return v
+}
+
+// Encode writes serialized Values information to the given io.Writer.
+func (v Values) Encode(w io.Writer) error {
+	out, err := yaml.Marshal(v)
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(out)
+	return err
+}
+
+func tableLookup(v Values, simple string) (Values, error) {
+	v2, ok := v[simple]
+	if !ok {
+		return v, ErrNoTable{simple}
+	}
+	if vv, ok := v2.(map[string]interface{}); ok {
+		return vv, nil
+	}
+
+	// This catches a case where a value is of type Values, but doesn't (for some
+	// reason) match the map[string]interface{}. This has been observed in the
+	// wild, and might be a result of a nil map of type Values.
+	if vv, ok := v2.(Values); ok {
+		return vv, nil
+	}
+
+	return Values{}, ErrNoTable{simple}
+}
+
+// ReadValues will parse YAML byte data into a Values.
+func ReadValues(data []byte) (vals Values, err error) {
+	err = yaml.Unmarshal(data, &vals)
+	if len(vals) == 0 {
+		vals = Values{}
+	}
+	return vals, err
+}
+
+// ReadValuesFile will parse a YAML file into a map of values.
+func ReadValuesFile(filename string) (Values, error) {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return map[string]interface{}{}, err
+	}
+	return ReadValues(data)
+}
+
+// ReleaseOptions represents the additional release options needed
+// for the composition of the final values struct
+type ReleaseOptions struct {
+	Name      string
+	Namespace string
+	Revision  int
+	IsUpgrade bool
+	IsInstall bool
+}
+
+// ToRenderValues composes the struct from the data coming from the Releases, Charts and Values files
+//
+// This takes both ReleaseOptions and Capabilities to merge into the render values.
+func ToRenderValues(chrt *chart.Chart, chrtVals map[string]interface{}, options ReleaseOptions, caps *Capabilities) (Values, error) {
+	return ToRenderValuesWithSchemaValidation(chrt, chrtVals, options, caps, false)
+}
+
+// ToRenderValuesWithSchemaValidation composes the struct from the data coming from the Releases, Charts and Values files
+//
+// This takes both ReleaseOptions and Capabilities to merge into the render values.
+func ToRenderValuesWithSchemaValidation(chrt *chart.Chart, chrtVals map[string]interface{}, options ReleaseOptions, caps *Capabilities, skipSchemaValidation bool) (Values, error) {
+	if caps == nil {
+		caps = DefaultCapabilities
+	}
+	top := map[string]interface{}{
+		"Chart":        chrt.Metadata,
+		"Capabilities": caps,
+		"Release": map[string]interface{}{
+			"Name":      options.Name,
+			"Namespace": options.Namespace,
+			"IsUpgrade": options.IsUpgrade,
+			"IsInstall": options.IsInstall,
+			"Revision":  options.Revision,
+			"Service":   "Helm",
+		},
+	}
+
+	vals, err := CoalesceValues(chrt, chrtVals)
+	if err != nil {
+		return top, err
+	}
+
+	if !skipSchemaValidation {
+		if err := ValidateAgainstSchema(chrt, vals); err != nil {
+			errFmt := "values don't meet the specifications of the schema(s) in the following chart(s):\n%s"
+			return top, fmt.Errorf(errFmt, err.Error())
+		}
+	}
+
+	top["Values"] = vals
+	return top, nil
+}
+
+// istable is a special-purpose function to see if the present thing matches the definition of a YAML table.
+func istable(v interface{}) bool {
+	_, ok := v.(map[string]interface{})
+	return ok
+}
+
+// PathValue takes a path that traverses a YAML structure and returns the value at the end of that path.
+// The path starts at the root of the YAML structure and is comprised of YAML keys separated by periods.
+// Given the following YAML data the value at path "chapter.one.title" is "Loomings".
+//
+//	chapter:
+//	  one:
+//	    title: "Loomings"
+func (v Values) PathValue(path string) (interface{}, error) {
+	if path == "" {
+		return nil, errors.New("YAML path cannot be empty")
+	}
+	return v.pathValue(parsePath(path))
+}
+
+func (v Values) pathValue(path []string) (interface{}, error) {
+	if len(path) == 1 {
+		// if exists must be root key not table
+		if _, ok := v[path[0]]; ok && !istable(v[path[0]]) {
+			return v[path[0]], nil
+		}
+		return nil, ErrNoValue{path[0]}
+	}
+
+	key, path := path[len(path)-1], path[:len(path)-1]
+	// get our table for table path
+	t, err := v.Table(joinPath(path...))
+	if err != nil {
+		return nil, ErrNoValue{key}
+	}
+	// check table for key and ensure value is not a table
+	if k, ok := t[key]; ok && !istable(k) {
+		return k, nil
+	}
+	return nil, ErrNoValue{key}
+}
+
+func parsePath(key string) []string { return strings.Split(key, ".") }
+
+func joinPath(path ...string) string { return strings.Join(path, ".") }
diff --git a/vendor/helm.sh/helm/v3/pkg/cli/environment.go b/vendor/helm.sh/helm/v3/pkg/cli/environment.go
new file mode 100644
index 0000000000..6358063442
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/cli/environment.go
@@ -0,0 +1,267 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package cli describes the operating environment for the Helm CLI.
+
+Helm's environment encapsulates all of the service dependencies Helm has.
+These dependencies are expressed as interfaces so that alternate implementations
+(mocks, etc.) can be easily generated.
+*/
+package cli
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/spf13/pflag"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/rest"
+
+	"helm.sh/helm/v3/internal/version"
+	"helm.sh/helm/v3/pkg/helmpath"
+	"helm.sh/helm/v3/pkg/kube"
+)
+
+// defaultMaxHistory sets the maximum number of releases to 0: unlimited
+const defaultMaxHistory = 10
+
+// defaultBurstLimit sets the default client-side throttling limit
+const defaultBurstLimit = 100
+
+// defaultQPS sets the default QPS value to 0 to use library defaults unless specified
+const defaultQPS = float32(0)
+
+// EnvSettings describes all of the environment settings.
+type EnvSettings struct {
+	namespace string
+	config    *genericclioptions.ConfigFlags
+
+	// KubeConfig is the path to the kubeconfig file
+	KubeConfig string
+	// KubeContext is the name of the kubeconfig context.
+	KubeContext string
+	// Bearer KubeToken used for authentication
+	KubeToken string
+	// Username to impersonate for the operation
+	KubeAsUser string
+	// Groups to impersonate for the operation, multiple groups parsed from a comma delimited list
+	KubeAsGroups []string
+	// Kubernetes API Server Endpoint for authentication
+	KubeAPIServer string
+	// Custom certificate authority file.
+	KubeCaFile string
+	// KubeInsecureSkipTLSVerify indicates if server's certificate will not be checked for validity.
+	// This makes the HTTPS connections insecure
+	KubeInsecureSkipTLSVerify bool
+	// KubeTLSServerName overrides the name to use for server certificate validation.
+	// If it is not provided, the hostname used to contact the server is used
+	KubeTLSServerName string
+	// Debug indicates whether or not Helm is running in Debug mode.
+	Debug bool
+	// RegistryConfig is the path to the registry config file.
+	RegistryConfig string
+	// RepositoryConfig is the path to the repositories file.
+	RepositoryConfig string
+	// RepositoryCache is the path to the repository cache directory.
+	RepositoryCache string
+	// PluginsDirectory is the path to the plugins directory.
+	PluginsDirectory string
+	// MaxHistory is the max release history maintained.
+	MaxHistory int
+	// BurstLimit is the default client-side throttling limit.
+	BurstLimit int
+	// QPS is queries per second which may be used to avoid throttling.
+	QPS float32
+}
+
+func New() *EnvSettings {
+	env := &EnvSettings{
+		namespace:                 os.Getenv("HELM_NAMESPACE"),
+		MaxHistory:                envIntOr("HELM_MAX_HISTORY", defaultMaxHistory),
+		KubeContext:               os.Getenv("HELM_KUBECONTEXT"),
+		KubeToken:                 os.Getenv("HELM_KUBETOKEN"),
+		KubeAsUser:                os.Getenv("HELM_KUBEASUSER"),
+		KubeAsGroups:              envCSV("HELM_KUBEASGROUPS"),
+		KubeAPIServer:             os.Getenv("HELM_KUBEAPISERVER"),
+		KubeCaFile:                os.Getenv("HELM_KUBECAFILE"),
+		KubeTLSServerName:         os.Getenv("HELM_KUBETLS_SERVER_NAME"),
+		KubeInsecureSkipTLSVerify: envBoolOr("HELM_KUBEINSECURE_SKIP_TLS_VERIFY", false),
+		PluginsDirectory:          envOr("HELM_PLUGINS", helmpath.DataPath("plugins")),
+		RegistryConfig:            envOr("HELM_REGISTRY_CONFIG", helmpath.ConfigPath("registry/config.json")),
+		RepositoryConfig:          envOr("HELM_REPOSITORY_CONFIG", helmpath.ConfigPath("repositories.yaml")),
+		RepositoryCache:           envOr("HELM_REPOSITORY_CACHE", helmpath.CachePath("repository")),
+		BurstLimit:                envIntOr("HELM_BURST_LIMIT", defaultBurstLimit),
+		QPS:                       envFloat32Or("HELM_QPS", defaultQPS),
+	}
+	env.Debug, _ = strconv.ParseBool(os.Getenv("HELM_DEBUG"))
+
+	// bind to kubernetes config flags
+	config := &genericclioptions.ConfigFlags{
+		Namespace:        &env.namespace,
+		Context:          &env.KubeContext,
+		BearerToken:      &env.KubeToken,
+		APIServer:        &env.KubeAPIServer,
+		CAFile:           &env.KubeCaFile,
+		KubeConfig:       &env.KubeConfig,
+		Impersonate:      &env.KubeAsUser,
+		Insecure:         &env.KubeInsecureSkipTLSVerify,
+		TLSServerName:    &env.KubeTLSServerName,
+		ImpersonateGroup: &env.KubeAsGroups,
+		WrapConfigFn: func(config *rest.Config) *rest.Config {
+			config.Burst = env.BurstLimit
+			config.QPS = env.QPS
+			config.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+				return &kube.RetryingRoundTripper{Wrapped: rt}
+			})
+			config.UserAgent = version.GetUserAgent()
+			return config
+		},
+	}
+	if env.BurstLimit != defaultBurstLimit {
+		config = config.WithDiscoveryBurst(env.BurstLimit)
+	}
+	env.config = config
+
+	return env
+}
+
+// AddFlags binds flags to the given flagset.
+func (s *EnvSettings) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVarP(&s.namespace, "namespace", "n", s.namespace, "namespace scope for this request")
+	fs.StringVar(&s.KubeConfig, "kubeconfig", "", "path to the kubeconfig file")
+	fs.StringVar(&s.KubeContext, "kube-context", s.KubeContext, "name of the kubeconfig context to use")
+	fs.StringVar(&s.KubeToken, "kube-token", s.KubeToken, "bearer token used for authentication")
+	fs.StringVar(&s.KubeAsUser, "kube-as-user", s.KubeAsUser, "username to impersonate for the operation")
+	fs.StringArrayVar(&s.KubeAsGroups, "kube-as-group", s.KubeAsGroups, "group to impersonate for the operation, this flag can be repeated to specify multiple groups.")
+	fs.StringVar(&s.KubeAPIServer, "kube-apiserver", s.KubeAPIServer, "the address and the port for the Kubernetes API server")
+	fs.StringVar(&s.KubeCaFile, "kube-ca-file", s.KubeCaFile, "the certificate authority file for the Kubernetes API server connection")
+	fs.StringVar(&s.KubeTLSServerName, "kube-tls-server-name", s.KubeTLSServerName, "server name to use for Kubernetes API server certificate validation. If it is not provided, the hostname used to contact the server is used")
+	fs.BoolVar(&s.KubeInsecureSkipTLSVerify, "kube-insecure-skip-tls-verify", s.KubeInsecureSkipTLSVerify, "if true, the Kubernetes API server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	fs.BoolVar(&s.Debug, "debug", s.Debug, "enable verbose output")
+	fs.StringVar(&s.RegistryConfig, "registry-config", s.RegistryConfig, "path to the registry config file")
+	fs.StringVar(&s.RepositoryConfig, "repository-config", s.RepositoryConfig, "path to the file containing repository names and URLs")
+	fs.StringVar(&s.RepositoryCache, "repository-cache", s.RepositoryCache, "path to the directory containing cached repository indexes")
+	fs.IntVar(&s.BurstLimit, "burst-limit", s.BurstLimit, "client-side default throttling limit")
+	fs.Float32Var(&s.QPS, "qps", s.QPS, "queries per second used when communicating with the Kubernetes API, not including bursting")
+}
+
+func envOr(name, def string) string {
+	if v, ok := os.LookupEnv(name); ok {
+		return v
+	}
+	return def
+}
+
+func envBoolOr(name string, def bool) bool {
+	if name == "" {
+		return def
+	}
+	envVal := envOr(name, strconv.FormatBool(def))
+	ret, err := strconv.ParseBool(envVal)
+	if err != nil {
+		return def
+	}
+	return ret
+}
+
+func envIntOr(name string, def int) int {
+	if name == "" {
+		return def
+	}
+	envVal := envOr(name, strconv.Itoa(def))
+	ret, err := strconv.Atoi(envVal)
+	if err != nil {
+		return def
+	}
+	return ret
+}
+
+func envFloat32Or(name string, def float32) float32 {
+	if name == "" {
+		return def
+	}
+	envVal := envOr(name, strconv.FormatFloat(float64(def), 'f', 2, 32))
+	ret, err := strconv.ParseFloat(envVal, 32)
+	if err != nil {
+		return def
+	}
+	return float32(ret)
+}
+
+func envCSV(name string) (ls []string) {
+	trimmed := strings.Trim(os.Getenv(name), ", ")
+	if trimmed != "" {
+		ls = strings.Split(trimmed, ",")
+	}
+	return
+}
+
+func (s *EnvSettings) EnvVars() map[string]string {
+	envvars := map[string]string{
+		"HELM_BIN":               os.Args[0],
+		"HELM_CACHE_HOME":        helmpath.CachePath(""),
+		"HELM_CONFIG_HOME":       helmpath.ConfigPath(""),
+		"HELM_DATA_HOME":         helmpath.DataPath(""),
+		"HELM_DEBUG":             fmt.Sprint(s.Debug),
+		"HELM_PLUGINS":           s.PluginsDirectory,
+		"HELM_REGISTRY_CONFIG":   s.RegistryConfig,
+		"HELM_REPOSITORY_CACHE":  s.RepositoryCache,
+		"HELM_REPOSITORY_CONFIG": s.RepositoryConfig,
+		"HELM_NAMESPACE":         s.Namespace(),
+		"HELM_MAX_HISTORY":       strconv.Itoa(s.MaxHistory),
+		"HELM_BURST_LIMIT":       strconv.Itoa(s.BurstLimit),
+		"HELM_QPS":               strconv.FormatFloat(float64(s.QPS), 'f', 2, 32),
+
+		// broken, these are populated from helm flags and not kubeconfig.
+		"HELM_KUBECONTEXT":                  s.KubeContext,
+		"HELM_KUBETOKEN":                    s.KubeToken,
+		"HELM_KUBEASUSER":                   s.KubeAsUser,
+		"HELM_KUBEASGROUPS":                 strings.Join(s.KubeAsGroups, ","),
+		"HELM_KUBEAPISERVER":                s.KubeAPIServer,
+		"HELM_KUBECAFILE":                   s.KubeCaFile,
+		"HELM_KUBEINSECURE_SKIP_TLS_VERIFY": strconv.FormatBool(s.KubeInsecureSkipTLSVerify),
+		"HELM_KUBETLS_SERVER_NAME":          s.KubeTLSServerName,
+	}
+	if s.KubeConfig != "" {
+		envvars["KUBECONFIG"] = s.KubeConfig
+	}
+	return envvars
+}
+
+// Namespace gets the namespace from the configuration
+func (s *EnvSettings) Namespace() string {
+	if ns, _, err := s.config.ToRawKubeConfigLoader().Namespace(); err == nil {
+		return ns
+	}
+	if s.namespace != "" {
+		return s.namespace
+	}
+	return "default"
+}
+
+// SetNamespace sets the namespace in the configuration
+func (s *EnvSettings) SetNamespace(namespace string) {
+	s.namespace = namespace
+}
+
+// RESTClientGetter gets the kubeconfig from EnvSettings
+func (s *EnvSettings) RESTClientGetter() genericclioptions.RESTClientGetter {
+	return s.config
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/downloader/chart_downloader.go b/vendor/helm.sh/helm/v3/pkg/downloader/chart_downloader.go
new file mode 100644
index 0000000000..9e8e243b8c
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/downloader/chart_downloader.go
@@ -0,0 +1,374 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package downloader
+
+import (
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/internal/fileutil"
+	"helm.sh/helm/v3/internal/urlutil"
+	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/helmpath"
+	"helm.sh/helm/v3/pkg/provenance"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/repo"
+)
+
+// VerificationStrategy describes a strategy for determining whether to verify a chart.
+type VerificationStrategy int
+
+const (
+	// VerifyNever will skip all verification of a chart.
+	VerifyNever VerificationStrategy = iota
+	// VerifyIfPossible will attempt a verification, it will not error if verification
+	// data is missing. But it will not stop processing if verification fails.
+	VerifyIfPossible
+	// VerifyAlways will always attempt a verification, and will fail if the
+	// verification fails.
+	VerifyAlways
+	// VerifyLater will fetch verification data, but not do any verification.
+	// This is to accommodate the case where another step of the process will
+	// perform verification.
+	VerifyLater
+)
+
+// ErrNoOwnerRepo indicates that a given chart URL can't be found in any repos.
+var ErrNoOwnerRepo = errors.New("could not find a repo containing the given URL")
+
+// ChartDownloader handles downloading a chart.
+//
+// It is capable of performing verifications on charts as well.
+type ChartDownloader struct {
+	// Out is the location to write warning and info messages.
+	Out io.Writer
+	// Verify indicates what verification strategy to use.
+	Verify VerificationStrategy
+	// Keyring is the keyring file used for verification.
+	Keyring string
+	// Getter collection for the operation
+	Getters getter.Providers
+	// Options provide parameters to be passed along to the Getter being initialized.
+	Options          []getter.Option
+	RegistryClient   *registry.Client
+	RepositoryConfig string
+	RepositoryCache  string
+}
+
+// DownloadTo retrieves a chart. Depending on the settings, it may also download a provenance file.
+//
+// If Verify is set to VerifyNever, the verification will be nil.
+// If Verify is set to VerifyIfPossible, this will return a verification (or nil on failure), and print a warning on failure.
+// If Verify is set to VerifyAlways, this will return a verification or an error if the verification fails.
+// If Verify is set to VerifyLater, this will download the prov file (if it exists), but not verify it.
+//
+// For VerifyNever and VerifyIfPossible, the Verification may be empty.
+//
+// Returns a string path to the location where the file was downloaded and a verification
+// (if provenance was verified), or an error if something bad happened.
+func (c *ChartDownloader) DownloadTo(ref, version, dest string) (string, *provenance.Verification, error) {
+	u, err := c.ResolveChartVersion(ref, version)
+	if err != nil {
+		return "", nil, err
+	}
+
+	g, err := c.Getters.ByScheme(u.Scheme)
+	if err != nil {
+		return "", nil, err
+	}
+
+	c.Options = append(c.Options, getter.WithAcceptHeader("application/gzip,application/octet-stream"))
+
+	data, err := g.Get(u.String(), c.Options...)
+	if err != nil {
+		return "", nil, err
+	}
+
+	name := filepath.Base(u.Path)
+	if u.Scheme == registry.OCIScheme {
+		idx := strings.LastIndexByte(name, ':')
+		name = fmt.Sprintf("%s-%s.tgz", name[:idx], name[idx+1:])
+	}
+
+	destfile := filepath.Join(dest, name)
+	if err := fileutil.AtomicWriteFile(destfile, data, 0644); err != nil {
+		return destfile, nil, err
+	}
+
+	// If provenance is requested, verify it.
+	ver := &provenance.Verification{}
+	if c.Verify > VerifyNever {
+		body, err := g.Get(u.String() + ".prov")
+		if err != nil {
+			if c.Verify == VerifyAlways {
+				return destfile, ver, errors.Errorf("failed to fetch provenance %q", u.String()+".prov")
+			}
+			fmt.Fprintf(c.Out, "WARNING: Verification not found for %s: %s\n", ref, err)
+			return destfile, ver, nil
+		}
+		provfile := destfile + ".prov"
+		if err := fileutil.AtomicWriteFile(provfile, body, 0644); err != nil {
+			return destfile, nil, err
+		}
+
+		if c.Verify != VerifyLater {
+			ver, err = VerifyChart(destfile, c.Keyring)
+			if err != nil {
+				// Fail always in this case, since it means the verification step
+				// failed.
+				return destfile, ver, err
+			}
+		}
+	}
+	return destfile, ver, nil
+}
+
+// ResolveChartVersion resolves a chart reference to a URL.
+//
+// It returns the URL and sets the ChartDownloader's Options that can fetch
+// the URL using the appropriate Getter.
+//
+// A reference may be an HTTP URL, an oci reference URL, a 'reponame/chartname'
+// reference, or a local path.
+//
+// A version is a SemVer string (1.2.3-beta.1+f334a6789).
+//
+//   - For fully qualified URLs, the version will be ignored (since URLs aren't versioned)
+//   - For a chart reference
+//   - If version is non-empty, this will return the URL for that version
+//   - If version is empty, this will return the URL for the latest version
+//   - If no version can be found, an error is returned
+func (c *ChartDownloader) ResolveChartVersion(ref, version string) (*url.URL, error) {
+	u, err := url.Parse(ref)
+	if err != nil {
+		return nil, errors.Errorf("invalid chart URL format: %s", ref)
+	}
+
+	if registry.IsOCI(u.String()) {
+		return c.RegistryClient.ValidateReference(ref, version, u)
+	}
+
+	rf, err := loadRepoConfig(c.RepositoryConfig)
+	if err != nil {
+		return u, err
+	}
+
+	if u.IsAbs() && len(u.Host) > 0 && len(u.Path) > 0 {
+		// In this case, we have to find the parent repo that contains this chart
+		// URL. And this is an unfortunate problem, as it requires actually going
+		// through each repo cache file and finding a matching URL. But basically
+		// we want to find the repo in case we have special SSL cert config
+		// for that repo.
+
+		rc, err := c.scanReposForURL(ref, rf)
+		if err != nil {
+			// If there is no special config, return the default HTTP client and
+			// swallow the error.
+			if err == ErrNoOwnerRepo {
+				// Make sure to add the ref URL as the URL for the getter
+				c.Options = append(c.Options, getter.WithURL(ref))
+				return u, nil
+			}
+			return u, err
+		}
+
+		// If we get here, we don't need to go through the next phase of looking
+		// up the URL. We have it already. So we just set the parameters and return.
+		c.Options = append(
+			c.Options,
+			getter.WithURL(rc.URL),
+		)
+		if rc.CertFile != "" || rc.KeyFile != "" || rc.CAFile != "" {
+			c.Options = append(c.Options, getter.WithTLSClientConfig(rc.CertFile, rc.KeyFile, rc.CAFile))
+		}
+		if rc.Username != "" && rc.Password != "" {
+			c.Options = append(
+				c.Options,
+				getter.WithBasicAuth(rc.Username, rc.Password),
+				getter.WithPassCredentialsAll(rc.PassCredentialsAll),
+			)
+		}
+		return u, nil
+	}
+
+	// See if it's of the form: repo/path_to_chart
+	p := strings.SplitN(u.Path, "/", 2)
+	if len(p) < 2 {
+		return u, errors.Errorf("non-absolute URLs should be in form of repo_name/path_to_chart, got: %s", u)
+	}
+
+	repoName := p[0]
+	chartName := p[1]
+	rc, err := pickChartRepositoryConfigByName(repoName, rf.Repositories)
+
+	if err != nil {
+		return u, err
+	}
+
+	// Now that we have the chart repository information we can use that URL
+	// to set the URL for the getter.
+	c.Options = append(c.Options, getter.WithURL(rc.URL))
+
+	r, err := repo.NewChartRepository(rc, c.Getters)
+	if err != nil {
+		return u, err
+	}
+
+	if r != nil && r.Config != nil {
+		if r.Config.CertFile != "" || r.Config.KeyFile != "" || r.Config.CAFile != "" {
+			c.Options = append(c.Options, getter.WithTLSClientConfig(r.Config.CertFile, r.Config.KeyFile, r.Config.CAFile))
+		}
+		if r.Config.Username != "" && r.Config.Password != "" {
+			c.Options = append(c.Options,
+				getter.WithBasicAuth(r.Config.Username, r.Config.Password),
+				getter.WithPassCredentialsAll(r.Config.PassCredentialsAll),
+			)
+		}
+	}
+
+	// Next, we need to load the index, and actually look up the chart.
+	idxFile := filepath.Join(c.RepositoryCache, helmpath.CacheIndexFile(r.Config.Name))
+	i, err := repo.LoadIndexFile(idxFile)
+	if err != nil {
+		return u, errors.Wrap(err, "no cached repo found. (try 'helm repo update')")
+	}
+
+	cv, err := i.Get(chartName, version)
+	if err != nil {
+		return u, errors.Wrapf(err, "chart %q matching %s not found in %s index. (try 'helm repo update')", chartName, version, r.Config.Name)
+	}
+
+	if len(cv.URLs) == 0 {
+		return u, errors.Errorf("chart %q has no downloadable URLs", ref)
+	}
+
+	// TODO: Seems that picking first URL is not fully correct
+	resolvedURL, err := repo.ResolveReferenceURL(rc.URL, cv.URLs[0])
+
+	if err != nil {
+		return u, errors.Errorf("invalid chart URL format: %s", ref)
+	}
+
+	return url.Parse(resolvedURL)
+}
+
+// VerifyChart takes a path to a chart archive and a keyring, and verifies the chart.
+//
+// It assumes that a chart archive file is accompanied by a provenance file whose
+// name is the archive file name plus the ".prov" extension.
+func VerifyChart(path, keyring string) (*provenance.Verification, error) {
+	// For now, error out if it's not a tar file.
+	switch fi, err := os.Stat(path); {
+	case err != nil:
+		return nil, err
+	case fi.IsDir():
+		return nil, errors.New("unpacked charts cannot be verified")
+	case !isTar(path):
+		return nil, errors.New("chart must be a tgz file")
+	}
+
+	provfile := path + ".prov"
+	if _, err := os.Stat(provfile); err != nil {
+		return nil, errors.Wrapf(err, "could not load provenance file %s", provfile)
+	}
+
+	sig, err := provenance.NewFromKeyring(keyring, "")
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to load keyring")
+	}
+	return sig.Verify(path, provfile)
+}
+
+// isTar tests whether the given file is a tar file.
+//
+// Currently, this simply checks extension, since a subsequent function will
+// untar the file and validate its binary format.
+func isTar(filename string) bool {
+	return strings.EqualFold(filepath.Ext(filename), ".tgz")
+}
+
+func pickChartRepositoryConfigByName(name string, cfgs []*repo.Entry) (*repo.Entry, error) {
+	for _, rc := range cfgs {
+		if rc.Name == name {
+			if rc.URL == "" {
+				return nil, errors.Errorf("no URL found for repository %s", name)
+			}
+			return rc, nil
+		}
+	}
+	return nil, errors.Errorf("repo %s not found", name)
+}
+
+// scanReposForURL scans all repos to find which repo contains the given URL.
+//
+// This will attempt to find the given URL in all of the known repositories files.
+//
+// If the URL is found, this will return the repo entry that contained that URL.
+//
+// If all of the repos are checked, but the URL is not found, an ErrNoOwnerRepo
+// error is returned.
+//
+// Other errors may be returned when repositories cannot be loaded or searched.
+//
+// Technically, the fact that a URL is not found in a repo is not a failure indication.
+// Charts are not required to be included in an index before they are valid. So
+// be mindful of this case.
+//
+// The same URL can technically exist in two or more repositories. This algorithm
+// will return the first one it finds. Order is determined by the order of repositories
+// in the repositories.yaml file.
+func (c *ChartDownloader) scanReposForURL(u string, rf *repo.File) (*repo.Entry, error) {
+	// FIXME: This is far from optimal. Larger installations and index files will
+	// incur a performance hit for this type of scanning.
+	for _, rc := range rf.Repositories {
+		r, err := repo.NewChartRepository(rc, c.Getters)
+		if err != nil {
+			return nil, err
+		}
+
+		idxFile := filepath.Join(c.RepositoryCache, helmpath.CacheIndexFile(r.Config.Name))
+		i, err := repo.LoadIndexFile(idxFile)
+		if err != nil {
+			return nil, errors.Wrap(err, "no cached repo found. (try 'helm repo update')")
+		}
+
+		for _, entry := range i.Entries {
+			for _, ver := range entry {
+				for _, dl := range ver.URLs {
+					if urlutil.Equal(u, dl) {
+						return rc, nil
+					}
+				}
+			}
+		}
+	}
+	// This means that there is no repo file for the given URL.
+	return nil, ErrNoOwnerRepo
+}
+
+func loadRepoConfig(file string) (*repo.File, error) {
+	r, err := repo.LoadFile(file)
+	if err != nil && !os.IsNotExist(errors.Cause(err)) {
+		return nil, err
+	}
+	return r, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/downloader/doc.go b/vendor/helm.sh/helm/v3/pkg/downloader/doc.go
new file mode 100644
index 0000000000..8484680907
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/downloader/doc.go
@@ -0,0 +1,24 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package downloader provides a library for downloading charts.
+
+This package contains various tools for downloading charts from repository
+servers, and then storing them in Helm-specific directory structures. This
+library contains many functions that depend on a specific
+filesystem layout.
+*/
+package downloader
diff --git a/vendor/helm.sh/helm/v3/pkg/downloader/manager.go b/vendor/helm.sh/helm/v3/pkg/downloader/manager.go
new file mode 100644
index 0000000000..cc7850aae4
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/downloader/manager.go
@@ -0,0 +1,919 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package downloader
+
+import (
+	"crypto"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"log"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"sync"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/internal/resolver"
+	"helm.sh/helm/v3/internal/third_party/dep/fs"
+	"helm.sh/helm/v3/internal/urlutil"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/helmpath"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/repo"
+)
+
+// ErrRepoNotFound indicates that chart repositories can't be found in local repo cache.
+// The value of Repos is missing repos.
+type ErrRepoNotFound struct {
+	Repos []string
+}
+
+// Error implements the error interface.
+func (e ErrRepoNotFound) Error() string {
+	return fmt.Sprintf("no repository definition for %s", strings.Join(e.Repos, ", "))
+}
+
+// Manager handles the lifecycle of fetching, resolving, and storing dependencies.
+type Manager struct {
+	// Out is used to print warnings and notifications.
+	Out io.Writer
+	// ChartPath is the path to the unpacked base chart upon which this operates.
+	ChartPath string
+	// Verification indicates whether the chart should be verified.
+	Verify VerificationStrategy
+	// Debug is the global "--debug" flag
+	Debug bool
+	// Keyring is the key ring file.
+	Keyring string
+	// SkipUpdate indicates that the repository should not be updated first.
+	SkipUpdate bool
+	// Getter collection for the operation
+	Getters          []getter.Provider
+	RegistryClient   *registry.Client
+	RepositoryConfig string
+	RepositoryCache  string
+}
+
+// Build rebuilds a local charts directory from a lockfile.
+//
+// If the lockfile is not present, this will run a Manager.Update()
+//
+// If SkipUpdate is set, this will not update the repository.
+func (m *Manager) Build() error {
+	c, err := m.loadChartDir()
+	if err != nil {
+		return err
+	}
+
+	// If a lock file is found, run a build from that. Otherwise, just do
+	// an update.
+	lock := c.Lock
+	if lock == nil {
+		return m.Update()
+	}
+
+	// Check that all of the repos we're dependent on actually exist.
+	req := c.Metadata.Dependencies
+
+	// If using apiVersion v1, calculate the hash before resolve repo names
+	// because resolveRepoNames will change req if req uses repo alias
+	// and Helm 2 calculate the digest from the original req
+	// Fix for: https://github.com/helm/helm/issues/7619
+	var v2Sum string
+	if c.Metadata.APIVersion == chart.APIVersionV1 {
+		v2Sum, err = resolver.HashV2Req(req)
+		if err != nil {
+			return errors.New("the lock file (requirements.lock) is out of sync with the dependencies file (requirements.yaml). Please update the dependencies")
+		}
+	}
+
+	if _, err := m.resolveRepoNames(req); err != nil {
+		return err
+	}
+
+	if sum, err := resolver.HashReq(req, lock.Dependencies); err != nil || sum != lock.Digest {
+		// If lock digest differs and chart is apiVersion v1, it maybe because the lock was built
+		// with Helm 2 and therefore should be checked with Helm v2 hash
+		// Fix for: https://github.com/helm/helm/issues/7233
+		if c.Metadata.APIVersion == chart.APIVersionV1 {
+			log.Println("warning: a valid Helm v3 hash was not found. Checking against Helm v2 hash...")
+			if v2Sum != lock.Digest {
+				return errors.New("the lock file (requirements.lock) is out of sync with the dependencies file (requirements.yaml). Please update the dependencies")
+			}
+		} else {
+			return errors.New("the lock file (Chart.lock) is out of sync with the dependencies file (Chart.yaml). Please update the dependencies")
+		}
+	}
+
+	// Check that all of the repos we're dependent on actually exist.
+	if err := m.hasAllRepos(lock.Dependencies); err != nil {
+		return err
+	}
+
+	if !m.SkipUpdate {
+		// For each repo in the file, update the cached copy of that repo
+		if err := m.UpdateRepositories(); err != nil {
+			return err
+		}
+	}
+
+	// Now we need to fetch every package here into charts/
+	return m.downloadAll(lock.Dependencies)
+}
+
+// Update updates a local charts directory.
+//
+// It first reads the Chart.yaml file, and then attempts to
+// negotiate versions based on that. It will download the versions
+// from remote chart repositories unless SkipUpdate is true.
+func (m *Manager) Update() error {
+	c, err := m.loadChartDir()
+	if err != nil {
+		return err
+	}
+
+	// If no dependencies are found, we consider this a successful
+	// completion.
+	req := c.Metadata.Dependencies
+	if req == nil {
+		return nil
+	}
+
+	// Get the names of the repositories the dependencies need that Helm is
+	// configured to know about.
+	repoNames, err := m.resolveRepoNames(req)
+	if err != nil {
+		return err
+	}
+
+	// For the repositories Helm is not configured to know about, ensure Helm
+	// has some information about them and, when possible, the index files
+	// locally.
+	// TODO(mattfarina): Repositories should be explicitly added by end users
+	// rather than automatic. In Helm v4 require users to add repositories. They
+	// should have to add them in order to make sure they are aware of the
+	// repositories and opt-in to any locations, for security.
+	repoNames, err = m.ensureMissingRepos(repoNames, req)
+	if err != nil {
+		return err
+	}
+
+	// For each of the repositories Helm is configured to know about, update
+	// the index information locally.
+	if !m.SkipUpdate {
+		if err := m.UpdateRepositories(); err != nil {
+			return err
+		}
+	}
+
+	// Now we need to find out which version of a chart best satisfies the
+	// dependencies in the Chart.yaml
+	lock, err := m.resolve(req, repoNames)
+	if err != nil {
+		return err
+	}
+
+	// Now we need to fetch every package here into charts/
+	if err := m.downloadAll(lock.Dependencies); err != nil {
+		return err
+	}
+
+	// downloadAll might overwrite dependency version, recalculate lock digest
+	newDigest, err := resolver.HashReq(req, lock.Dependencies)
+	if err != nil {
+		return err
+	}
+	lock.Digest = newDigest
+
+	// If the lock file hasn't changed, don't write a new one.
+	oldLock := c.Lock
+	if oldLock != nil && oldLock.Digest == lock.Digest {
+		return nil
+	}
+
+	// Finally, we need to write the lockfile.
+	return writeLock(m.ChartPath, lock, c.Metadata.APIVersion == chart.APIVersionV1)
+}
+
+func (m *Manager) loadChartDir() (*chart.Chart, error) {
+	if fi, err := os.Stat(m.ChartPath); err != nil {
+		return nil, errors.Wrapf(err, "could not find %s", m.ChartPath)
+	} else if !fi.IsDir() {
+		return nil, errors.New("only unpacked charts can be updated")
+	}
+	return loader.LoadDir(m.ChartPath)
+}
+
+// resolve takes a list of dependencies and translates them into an exact version to download.
+//
+// This returns a lock file, which has all of the dependencies normalized to a specific version.
+func (m *Manager) resolve(req []*chart.Dependency, repoNames map[string]string) (*chart.Lock, error) {
+	res := resolver.New(m.ChartPath, m.RepositoryCache, m.RegistryClient)
+	return res.Resolve(req, repoNames)
+}
+
+// downloadAll takes a list of dependencies and downloads them into charts/
+//
+// It will delete versions of the chart that exist on disk and might cause
+// a conflict.
+func (m *Manager) downloadAll(deps []*chart.Dependency) error {
+	repos, err := m.loadChartRepositories()
+	if err != nil {
+		return err
+	}
+
+	destPath := filepath.Join(m.ChartPath, "charts")
+	tmpPath := filepath.Join(m.ChartPath, fmt.Sprintf("tmpcharts-%d", os.Getpid()))
+
+	// Check if 'charts' directory is not actually a directory. If it does not exist, create it.
+	if fi, err := os.Stat(destPath); err == nil {
+		if !fi.IsDir() {
+			return errors.Errorf("%q is not a directory", destPath)
+		}
+	} else if os.IsNotExist(err) {
+		if err := os.MkdirAll(destPath, 0755); err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("unable to retrieve file info for '%s': %v", destPath, err)
+	}
+
+	// Prepare tmpPath
+	if err := os.MkdirAll(tmpPath, 0755); err != nil {
+		return err
+	}
+	defer os.RemoveAll(tmpPath)
+
+	fmt.Fprintf(m.Out, "Saving %d charts\n", len(deps))
+	var saveError error
+	churls := make(map[string]struct{})
+	for _, dep := range deps {
+		// No repository means the chart is in charts directory
+		if dep.Repository == "" {
+			fmt.Fprintf(m.Out, "Dependency %s did not declare a repository. Assuming it exists in the charts directory\n", dep.Name)
+			// NOTE: we are only validating the local dependency conforms to the constraints. No copying to tmpPath is necessary.
+			chartPath := filepath.Join(destPath, dep.Name)
+			ch, err := loader.LoadDir(chartPath)
+			if err != nil {
+				return fmt.Errorf("unable to load chart '%s': %v", chartPath, err)
+			}
+
+			constraint, err := semver.NewConstraint(dep.Version)
+			if err != nil {
+				return fmt.Errorf("dependency %s has an invalid version/constraint format: %s", dep.Name, err)
+			}
+
+			v, err := semver.NewVersion(ch.Metadata.Version)
+			if err != nil {
+				return fmt.Errorf("invalid version %s for dependency %s: %s", dep.Version, dep.Name, err)
+			}
+
+			if !constraint.Check(v) {
+				saveError = fmt.Errorf("dependency %s at version %s does not satisfy the constraint %s", dep.Name, ch.Metadata.Version, dep.Version)
+				break
+			}
+			continue
+		}
+		if strings.HasPrefix(dep.Repository, "file://") {
+			if m.Debug {
+				fmt.Fprintf(m.Out, "Archiving %s from repo %s\n", dep.Name, dep.Repository)
+			}
+			ver, err := tarFromLocalDir(m.ChartPath, dep.Name, dep.Repository, dep.Version, tmpPath)
+			if err != nil {
+				saveError = err
+				break
+			}
+			dep.Version = ver
+			continue
+		}
+
+		// Any failure to resolve/download a chart should fail:
+		// https://github.com/helm/helm/issues/1439
+		churl, username, password, insecureskiptlsverify, passcredentialsall, caFile, certFile, keyFile, err := m.findChartURL(dep.Name, dep.Version, dep.Repository, repos)
+		if err != nil {
+			saveError = errors.Wrapf(err, "could not find %s", churl)
+			break
+		}
+
+		if _, ok := churls[churl]; ok {
+			fmt.Fprintf(m.Out, "Already downloaded %s from repo %s\n", dep.Name, dep.Repository)
+			continue
+		}
+
+		fmt.Fprintf(m.Out, "Downloading %s from repo %s\n", dep.Name, dep.Repository)
+
+		dl := ChartDownloader{
+			Out:              m.Out,
+			Verify:           m.Verify,
+			Keyring:          m.Keyring,
+			RepositoryConfig: m.RepositoryConfig,
+			RepositoryCache:  m.RepositoryCache,
+			RegistryClient:   m.RegistryClient,
+			Getters:          m.Getters,
+			Options: []getter.Option{
+				getter.WithBasicAuth(username, password),
+				getter.WithPassCredentialsAll(passcredentialsall),
+				getter.WithInsecureSkipVerifyTLS(insecureskiptlsverify),
+				getter.WithTLSClientConfig(certFile, keyFile, caFile),
+			},
+		}
+
+		version := ""
+		if registry.IsOCI(churl) {
+			churl, version, err = parseOCIRef(churl)
+			if err != nil {
+				return errors.Wrapf(err, "could not parse OCI reference")
+			}
+			dl.Options = append(dl.Options,
+				getter.WithRegistryClient(m.RegistryClient),
+				getter.WithTagName(version))
+		}
+
+		if _, _, err = dl.DownloadTo(churl, version, tmpPath); err != nil {
+			saveError = errors.Wrapf(err, "could not download %s", churl)
+			break
+		}
+
+		churls[churl] = struct{}{}
+	}
+
+	// TODO: this should probably be refactored to be a []error, so we can capture and provide more information rather than "last error wins".
+	if saveError == nil {
+		// now we can move all downloaded charts to destPath and delete outdated dependencies
+		if err := m.safeMoveDeps(deps, tmpPath, destPath); err != nil {
+			return err
+		}
+	} else {
+		fmt.Fprintln(m.Out, "Save error occurred: ", saveError)
+		return saveError
+	}
+	return nil
+}
+
+func parseOCIRef(chartRef string) (string, string, error) {
+	refTagRegexp := regexp.MustCompile(`^(oci://[^:]+(:[0-9]{1,5})?[^:]+):(.*)$`)
+	caps := refTagRegexp.FindStringSubmatch(chartRef)
+	if len(caps) != 4 {
+		return "", "", errors.Errorf("improperly formatted oci chart reference: %s", chartRef)
+	}
+	chartRef = caps[1]
+	tag := caps[3]
+
+	return chartRef, tag, nil
+}
+
+// safeMoveDep moves all dependencies in the source and moves them into dest.
+//
+// It does this by first matching the file name to an expected pattern, then loading
+// the file to verify that it is a chart.
+//
+// Any charts in dest that do not exist in source are removed (barring local dependencies)
+//
+// Because it requires tar file introspection, it is more intensive than a basic move.
+//
+// This will only return errors that should stop processing entirely. Other errors
+// will emit log messages or be ignored.
+func (m *Manager) safeMoveDeps(deps []*chart.Dependency, source, dest string) error {
+	existsInSourceDirectory := map[string]bool{}
+	isLocalDependency := map[string]bool{}
+	sourceFiles, err := os.ReadDir(source)
+	if err != nil {
+		return err
+	}
+	// attempt to read destFiles; fail fast if we can't
+	destFiles, err := os.ReadDir(dest)
+	if err != nil {
+		return err
+	}
+
+	for _, dep := range deps {
+		if dep.Repository == "" {
+			isLocalDependency[dep.Name] = true
+		}
+	}
+
+	for _, file := range sourceFiles {
+		if file.IsDir() {
+			continue
+		}
+		filename := file.Name()
+		sourcefile := filepath.Join(source, filename)
+		destfile := filepath.Join(dest, filename)
+		existsInSourceDirectory[filename] = true
+		if _, err := loader.LoadFile(sourcefile); err != nil {
+			fmt.Fprintf(m.Out, "Could not verify %s for moving: %s (Skipping)", sourcefile, err)
+			continue
+		}
+		// NOTE: no need to delete the dest; os.Rename replaces it.
+		if err := fs.RenameWithFallback(sourcefile, destfile); err != nil {
+			fmt.Fprintf(m.Out, "Unable to move %s to charts dir %s (Skipping)", sourcefile, err)
+			continue
+		}
+	}
+
+	fmt.Fprintln(m.Out, "Deleting outdated charts")
+	// find all files that exist in dest that do not exist in source; delete them (outdated dependencies)
+	for _, file := range destFiles {
+		if !file.IsDir() && !existsInSourceDirectory[file.Name()] {
+			fname := filepath.Join(dest, file.Name())
+			ch, err := loader.LoadFile(fname)
+			if err != nil {
+				fmt.Fprintf(m.Out, "Could not verify %s for deletion: %s (Skipping)\n", fname, err)
+				continue
+			}
+			// local dependency - skip
+			if isLocalDependency[ch.Name()] {
+				continue
+			}
+			if err := os.Remove(fname); err != nil {
+				fmt.Fprintf(m.Out, "Could not delete %s: %s (Skipping)", fname, err)
+				continue
+			}
+		}
+	}
+
+	return nil
+}
+
+// hasAllRepos ensures that all of the referenced deps are in the local repo cache.
+func (m *Manager) hasAllRepos(deps []*chart.Dependency) error {
+	rf, err := loadRepoConfig(m.RepositoryConfig)
+	if err != nil {
+		return err
+	}
+	repos := rf.Repositories
+
+	// Verify that all repositories referenced in the deps are actually known
+	// by Helm.
+	missing := []string{}
+Loop:
+	for _, dd := range deps {
+		// If repo is from local path or OCI, continue
+		if strings.HasPrefix(dd.Repository, "file://") || registry.IsOCI(dd.Repository) {
+			continue
+		}
+
+		if dd.Repository == "" {
+			continue
+		}
+		for _, repo := range repos {
+			if urlutil.Equal(repo.URL, strings.TrimSuffix(dd.Repository, "/")) {
+				continue Loop
+			}
+		}
+		missing = append(missing, dd.Repository)
+	}
+	if len(missing) > 0 {
+		return ErrRepoNotFound{missing}
+	}
+	return nil
+}
+
+// ensureMissingRepos attempts to ensure the repository information for repos
+// not managed by Helm is present. This takes in the repoNames Helm is configured
+// to work with along with the chart dependencies. It will find the deps not
+// in a known repo and attempt to ensure the data is present for steps like
+// version resolution.
+func (m *Manager) ensureMissingRepos(repoNames map[string]string, deps []*chart.Dependency) (map[string]string, error) {
+
+	var ru []*repo.Entry
+
+	for _, dd := range deps {
+
+		// If the chart is in the local charts directory no repository needs
+		// to be specified.
+		if dd.Repository == "" {
+			continue
+		}
+
+		// When the repoName for a dependency is known we can skip ensuring
+		if _, ok := repoNames[dd.Name]; ok {
+			continue
+		}
+
+		// The generated repository name, which will result in an index being
+		// locally cached, has a name pattern of "helm-manager-" followed by a
+		// sha256 of the repo name. This assumes end users will never create
+		// repositories with these names pointing to other repositories. Using
+		// this method of naming allows the existing repository pulling and
+		// resolution code to do most of the work.
+		rn, err := key(dd.Repository)
+		if err != nil {
+			return repoNames, err
+		}
+		rn = managerKeyPrefix + rn
+
+		repoNames[dd.Name] = rn
+
+		// Assuming the repository is generally available. For Helm managed
+		// access controls the repository needs to be added through the user
+		// managed system. This path will work for public charts, like those
+		// supplied by Bitnami, but not for protected charts, like corp ones
+		// behind a username and pass.
+		ri := &repo.Entry{
+			Name: rn,
+			URL:  dd.Repository,
+		}
+		ru = append(ru, ri)
+	}
+
+	// Calls to UpdateRepositories (a public function) will only update
+	// repositories configured by the user. Here we update repos found in
+	// the dependencies that are not known to the user if update skipping
+	// is not configured.
+	if !m.SkipUpdate && len(ru) > 0 {
+		fmt.Fprintln(m.Out, "Getting updates for unmanaged Helm repositories...")
+		if err := m.parallelRepoUpdate(ru); err != nil {
+			return repoNames, err
+		}
+	}
+
+	return repoNames, nil
+}
+
+// resolveRepoNames returns the repo names of the referenced deps which can be used to fetch the cached index file
+// and replaces aliased repository URLs into resolved URLs in dependencies.
+func (m *Manager) resolveRepoNames(deps []*chart.Dependency) (map[string]string, error) {
+	rf, err := loadRepoConfig(m.RepositoryConfig)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return make(map[string]string), nil
+		}
+		return nil, err
+	}
+	repos := rf.Repositories
+
+	reposMap := make(map[string]string)
+
+	// Verify that all repositories referenced in the deps are actually known
+	// by Helm.
+	missing := []string{}
+	for _, dd := range deps {
+		// Don't map the repository, we don't need to download chart from charts directory
+		if dd.Repository == "" {
+			continue
+		}
+		// if dep chart is from local path, verify the path is valid
+		if strings.HasPrefix(dd.Repository, "file://") {
+			if _, err := resolver.GetLocalPath(dd.Repository, m.ChartPath); err != nil {
+				return nil, err
+			}
+
+			if m.Debug {
+				fmt.Fprintf(m.Out, "Repository from local path: %s\n", dd.Repository)
+			}
+			reposMap[dd.Name] = dd.Repository
+			continue
+		}
+
+		if registry.IsOCI(dd.Repository) {
+			reposMap[dd.Name] = dd.Repository
+			continue
+		}
+
+		found := false
+
+		for _, repo := range repos {
+			if (strings.HasPrefix(dd.Repository, "@") && strings.TrimPrefix(dd.Repository, "@") == repo.Name) ||
+				(strings.HasPrefix(dd.Repository, "alias:") && strings.TrimPrefix(dd.Repository, "alias:") == repo.Name) {
+				found = true
+				dd.Repository = repo.URL
+				reposMap[dd.Name] = repo.Name
+				break
+			} else if urlutil.Equal(repo.URL, dd.Repository) {
+				found = true
+				reposMap[dd.Name] = repo.Name
+				break
+			}
+		}
+		if !found {
+			repository := dd.Repository
+			// Add if URL
+			_, err := url.ParseRequestURI(repository)
+			if err == nil {
+				reposMap[repository] = repository
+				continue
+			}
+			missing = append(missing, repository)
+		}
+	}
+	if len(missing) > 0 {
+		errorMessage := fmt.Sprintf("no repository definition for %s. Please add them via 'helm repo add'", strings.Join(missing, ", "))
+		// It is common for people to try to enter "stable" as a repository instead of the actual URL.
+		// For this case, let's give them a suggestion.
+		containsNonURL := false
+		for _, repo := range missing {
+			if !strings.Contains(repo, "//") && !strings.HasPrefix(repo, "@") && !strings.HasPrefix(repo, "alias:") {
+				containsNonURL = true
+			}
+		}
+		if containsNonURL {
+			errorMessage += `
+Note that repositories must be URLs or aliases. For example, to refer to the "example"
+repository, use "https://charts.example.com/" or "@example" instead of
+"example". Don't forget to add the repo, too ('helm repo add').`
+		}
+		return nil, errors.New(errorMessage)
+	}
+	return reposMap, nil
+}
+
+// UpdateRepositories updates all of the local repos to the latest.
+func (m *Manager) UpdateRepositories() error {
+	rf, err := loadRepoConfig(m.RepositoryConfig)
+	if err != nil {
+		return err
+	}
+	repos := rf.Repositories
+	if len(repos) > 0 {
+		fmt.Fprintln(m.Out, "Hang tight while we grab the latest from your chart repositories...")
+		// This prints warnings straight to out.
+		if err := m.parallelRepoUpdate(repos); err != nil {
+			return err
+		}
+		fmt.Fprintln(m.Out, "Update Complete. ⎈Happy Helming!⎈")
+	}
+	return nil
+}
+
+func (m *Manager) parallelRepoUpdate(repos []*repo.Entry) error {
+
+	var wg sync.WaitGroup
+	for _, c := range repos {
+		r, err := repo.NewChartRepository(c, m.Getters)
+		if err != nil {
+			return err
+		}
+		r.CachePath = m.RepositoryCache
+		wg.Add(1)
+		go func(r *repo.ChartRepository) {
+			if _, err := r.DownloadIndexFile(); err != nil {
+				// For those dependencies that are not known to helm and using a
+				// generated key name we display the repo url.
+				if strings.HasPrefix(r.Config.Name, managerKeyPrefix) {
+					fmt.Fprintf(m.Out, "...Unable to get an update from the %q chart repository:\n\t%s\n", r.Config.URL, err)
+				} else {
+					fmt.Fprintf(m.Out, "...Unable to get an update from the %q chart repository (%s):\n\t%s\n", r.Config.Name, r.Config.URL, err)
+				}
+			} else {
+				// For those dependencies that are not known to helm and using a
+				// generated key name we display the repo url.
+				if strings.HasPrefix(r.Config.Name, managerKeyPrefix) {
+					fmt.Fprintf(m.Out, "...Successfully got an update from the %q chart repository\n", r.Config.URL)
+				} else {
+					fmt.Fprintf(m.Out, "...Successfully got an update from the %q chart repository\n", r.Config.Name)
+				}
+			}
+			wg.Done()
+		}(r)
+	}
+	wg.Wait()
+
+	return nil
+}
+
+// findChartURL searches the cache of repo data for a chart that has the name and the repoURL specified.
+//
+// 'name' is the name of the chart. Version is an exact semver, or an empty string. If empty, the
+// newest version will be returned.
+//
+// repoURL is the repository to search
+//
+// If it finds a URL that is "relative", it will prepend the repoURL.
+func (m *Manager) findChartURL(name, version, repoURL string, repos map[string]*repo.ChartRepository) (url, username, password string, insecureskiptlsverify, passcredentialsall bool, caFile, certFile, keyFile string, err error) {
+	if registry.IsOCI(repoURL) {
+		return fmt.Sprintf("%s/%s:%s", repoURL, name, version), "", "", false, false, "", "", "", nil
+	}
+
+	for _, cr := range repos {
+
+		if urlutil.Equal(repoURL, cr.Config.URL) {
+			var entry repo.ChartVersions
+			entry, err = findEntryByName(name, cr)
+			if err != nil {
+				// TODO: Where linting is skipped in this function we should
+				// refactor to remove naked returns while ensuring the same
+				// behavior
+				//nolint:nakedret
+				return
+			}
+			var ve *repo.ChartVersion
+			ve, err = findVersionedEntry(version, entry)
+			if err != nil {
+				//nolint:nakedret
+				return
+			}
+			url, err = normalizeURL(repoURL, ve.URLs[0])
+			if err != nil {
+				//nolint:nakedret
+				return
+			}
+			username = cr.Config.Username
+			password = cr.Config.Password
+			passcredentialsall = cr.Config.PassCredentialsAll
+			insecureskiptlsverify = cr.Config.InsecureSkipTLSverify
+			caFile = cr.Config.CAFile
+			certFile = cr.Config.CertFile
+			keyFile = cr.Config.KeyFile
+			//nolint:nakedret
+			return
+		}
+	}
+	url, err = repo.FindChartInRepoURL(repoURL, name, version, certFile, keyFile, caFile, m.Getters)
+	if err == nil {
+		return url, username, password, false, false, "", "", "", err
+	}
+	err = errors.Errorf("chart %s not found in %s: %s", name, repoURL, err)
+	return url, username, password, false, false, "", "", "", err
+}
+
+// findEntryByName finds an entry in the chart repository whose name matches the given name.
+//
+// It returns the ChartVersions for that entry.
+func findEntryByName(name string, cr *repo.ChartRepository) (repo.ChartVersions, error) {
+	for ename, entry := range cr.IndexFile.Entries {
+		if ename == name {
+			return entry, nil
+		}
+	}
+	return nil, errors.New("entry not found")
+}
+
+// findVersionedEntry takes a ChartVersions list and returns a single chart version that satisfies the version constraints.
+//
+// If version is empty, the first chart found is returned.
+func findVersionedEntry(version string, vers repo.ChartVersions) (*repo.ChartVersion, error) {
+	for _, verEntry := range vers {
+		if len(verEntry.URLs) == 0 {
+			// Not a legit entry.
+			continue
+		}
+
+		if version == "" || versionEquals(version, verEntry.Version) {
+			return verEntry, nil
+		}
+	}
+	return nil, errors.New("no matching version")
+}
+
+func versionEquals(v1, v2 string) bool {
+	sv1, err := semver.NewVersion(v1)
+	if err != nil {
+		// Fallback to string comparison.
+		return v1 == v2
+	}
+	sv2, err := semver.NewVersion(v2)
+	if err != nil {
+		return false
+	}
+	return sv1.Equal(sv2)
+}
+
+func normalizeURL(baseURL, urlOrPath string) (string, error) {
+	u, err := url.Parse(urlOrPath)
+	if err != nil {
+		return urlOrPath, err
+	}
+	if u.IsAbs() {
+		return u.String(), nil
+	}
+	u2, err := url.Parse(baseURL)
+	if err != nil {
+		return urlOrPath, errors.Wrap(err, "base URL failed to parse")
+	}
+
+	u2.RawPath = path.Join(u2.RawPath, urlOrPath)
+	u2.Path = path.Join(u2.Path, urlOrPath)
+	return u2.String(), nil
+}
+
+// loadChartRepositories reads the repositories.yaml, and then builds a map of
+// ChartRepositories.
+//
+// The key is the local name (which is only present in the repositories.yaml).
+func (m *Manager) loadChartRepositories() (map[string]*repo.ChartRepository, error) {
+	indices := map[string]*repo.ChartRepository{}
+
+	// Load repositories.yaml file
+	rf, err := loadRepoConfig(m.RepositoryConfig)
+	if err != nil {
+		return indices, errors.Wrapf(err, "failed to load %s", m.RepositoryConfig)
+	}
+
+	for _, re := range rf.Repositories {
+		lname := re.Name
+		idxFile := filepath.Join(m.RepositoryCache, helmpath.CacheIndexFile(lname))
+		index, err := repo.LoadIndexFile(idxFile)
+		if err != nil {
+			return indices, err
+		}
+
+		// TODO: use constructor
+		cr := &repo.ChartRepository{
+			Config:    re,
+			IndexFile: index,
+		}
+		indices[lname] = cr
+	}
+	return indices, nil
+}
+
+// writeLock writes a lockfile to disk
+func writeLock(chartpath string, lock *chart.Lock, legacyLockfile bool) error {
+	data, err := yaml.Marshal(lock)
+	if err != nil {
+		return err
+	}
+	lockfileName := "Chart.lock"
+	if legacyLockfile {
+		lockfileName = "requirements.lock"
+	}
+	dest := filepath.Join(chartpath, lockfileName)
+
+	info, err := os.Lstat(dest)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("error getting info for %q: %w", dest, err)
+	} else if err == nil {
+		if info.Mode()&os.ModeSymlink != 0 {
+			link, err := os.Readlink(dest)
+			if err != nil {
+				return fmt.Errorf("error reading symlink for %q: %w", dest, err)
+			}
+			return fmt.Errorf("the %s file is a symlink to %q", lockfileName, link)
+		}
+	}
+
+	return os.WriteFile(dest, data, 0644)
+}
+
+// archive a dep chart from local directory and save it into destPath
+func tarFromLocalDir(chartpath, name, repo, version, destPath string) (string, error) {
+	if !strings.HasPrefix(repo, "file://") {
+		return "", errors.Errorf("wrong format: chart %s repository %s", name, repo)
+	}
+
+	origPath, err := resolver.GetLocalPath(repo, chartpath)
+	if err != nil {
+		return "", err
+	}
+
+	ch, err := loader.LoadDir(origPath)
+	if err != nil {
+		return "", err
+	}
+
+	constraint, err := semver.NewConstraint(version)
+	if err != nil {
+		return "", errors.Wrapf(err, "dependency %s has an invalid version/constraint format", name)
+	}
+
+	v, err := semver.NewVersion(ch.Metadata.Version)
+	if err != nil {
+		return "", err
+	}
+
+	if constraint.Check(v) {
+		_, err = chartutil.Save(ch, destPath)
+		return ch.Metadata.Version, err
+	}
+
+	return "", errors.Errorf("can't get a valid version for dependency %s", name)
+}
+
+// The prefix to use for cache keys created by the manager for repo names
+const managerKeyPrefix = "helm-manager-"
+
+// key is used to turn a name, such as a repository url, into a filesystem
+// safe name that is unique for querying. To accomplish this a unique hash of
+// the string is used.
+func key(name string) (string, error) {
+	in := strings.NewReader(name)
+	hash := crypto.SHA256.New()
+	if _, err := io.Copy(hash, in); err != nil {
+		return "", nil
+	}
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/engine/doc.go b/vendor/helm.sh/helm/v3/pkg/engine/doc.go
new file mode 100644
index 0000000000..6b3443aaf0
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/engine/doc.go
@@ -0,0 +1,24 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package engine implements the Go text template engine as needed for Helm.
+
+When Helm renders templates it does so with additional functions and different
+modes (e.g., strict, lint mode). This package handles the helm specific
+implementation.
+*/
+package engine // import "helm.sh/helm/v3/pkg/engine"
diff --git a/vendor/helm.sh/helm/v3/pkg/engine/engine.go b/vendor/helm.sh/helm/v3/pkg/engine/engine.go
new file mode 100644
index 0000000000..d8ee313e1e
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/engine/engine.go
@@ -0,0 +1,441 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package engine
+
+import (
+	"fmt"
+	"log"
+	"path"
+	"path/filepath"
+	"regexp"
+	"sort"
+	"strings"
+	"text/template"
+
+	"github.com/pkg/errors"
+	"k8s.io/client-go/rest"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chartutil"
+)
+
+// Engine is an implementation of the Helm rendering implementation for templates.
+type Engine struct {
+	// If strict is enabled, template rendering will fail if a template references
+	// a value that was not passed in.
+	Strict bool
+	// In LintMode, some 'required' template values may be missing, so don't fail
+	LintMode bool
+	// optional provider of clients to talk to the Kubernetes API
+	clientProvider *ClientProvider
+	// EnableDNS tells the engine to allow DNS lookups when rendering templates
+	EnableDNS bool
+}
+
+// New creates a new instance of Engine using the passed in rest config.
+func New(config *rest.Config) Engine {
+	var clientProvider ClientProvider = clientProviderFromConfig{config}
+	return Engine{
+		clientProvider: &clientProvider,
+	}
+}
+
+// Render takes a chart, optional values, and value overrides, and attempts to render the Go templates.
+//
+// Render can be called repeatedly on the same engine.
+//
+// This will look in the chart's 'templates' data (e.g. the 'templates/' directory)
+// and attempt to render the templates there using the values passed in.
+//
+// Values are scoped to their templates. A dependency template will not have
+// access to the values set for its parent. If chart "foo" includes chart "bar",
+// "bar" will not have access to the values for "foo".
+//
+// Values should be prepared with something like `chartutils.ReadValues`.
+//
+// Values are passed through the templates according to scope. If the top layer
+// chart includes the chart foo, which includes the chart bar, the values map
+// will be examined for a table called "foo". If "foo" is found in vals,
+// that section of the values will be passed into the "foo" chart. And if that
+// section contains a value named "bar", that value will be passed on to the
+// bar chart during render time.
+func (e Engine) Render(chrt *chart.Chart, values chartutil.Values) (map[string]string, error) {
+	tmap := allTemplates(chrt, values)
+	return e.render(tmap)
+}
+
+// Render takes a chart, optional values, and value overrides, and attempts to
+// render the Go templates using the default options.
+func Render(chrt *chart.Chart, values chartutil.Values) (map[string]string, error) {
+	return new(Engine).Render(chrt, values)
+}
+
+// RenderWithClient takes a chart, optional values, and value overrides, and attempts to
+// render the Go templates using the default options. This engine is client aware and so can have template
+// functions that interact with the client.
+func RenderWithClient(chrt *chart.Chart, values chartutil.Values, config *rest.Config) (map[string]string, error) {
+	var clientProvider ClientProvider = clientProviderFromConfig{config}
+	return Engine{
+		clientProvider: &clientProvider,
+	}.Render(chrt, values)
+}
+
+// RenderWithClientProvider takes a chart, optional values, and value overrides, and attempts to
+// render the Go templates using the default options. This engine is client aware and so can have template
+// functions that interact with the client.
+// This function differs from RenderWithClient in that it lets you customize the way a dynamic client is constructed.
+func RenderWithClientProvider(chrt *chart.Chart, values chartutil.Values, clientProvider ClientProvider) (map[string]string, error) {
+	return Engine{
+		clientProvider: &clientProvider,
+	}.Render(chrt, values)
+}
+
+// renderable is an object that can be rendered.
+type renderable struct {
+	// tpl is the current template.
+	tpl string
+	// vals are the values to be supplied to the template.
+	vals chartutil.Values
+	// namespace prefix to the templates of the current chart
+	basePath string
+}
+
+const warnStartDelim = "HELM_ERR_START"
+const warnEndDelim = "HELM_ERR_END"
+const recursionMaxNums = 1000
+
+var warnRegex = regexp.MustCompile(warnStartDelim + `((?s).*)` + warnEndDelim)
+
+func warnWrap(warn string) string {
+	return warnStartDelim + warn + warnEndDelim
+}
+
+// 'include' needs to be defined in the scope of a 'tpl' template as
+// well as regular file-loaded templates.
+func includeFun(t *template.Template, includedNames map[string]int) func(string, interface{}) (string, error) {
+	return func(name string, data interface{}) (string, error) {
+		var buf strings.Builder
+		if v, ok := includedNames[name]; ok {
+			if v > recursionMaxNums {
+				return "", errors.Wrapf(fmt.Errorf("unable to execute template"), "rendering template has a nested reference name: %s", name)
+			}
+			includedNames[name]++
+		} else {
+			includedNames[name] = 1
+		}
+		err := t.ExecuteTemplate(&buf, name, data)
+		includedNames[name]--
+		return buf.String(), err
+	}
+}
+
+// As does 'tpl', so that nested calls to 'tpl' see the templates
+// defined by their enclosing contexts.
+func tplFun(parent *template.Template, includedNames map[string]int, strict bool) func(string, interface{}) (string, error) {
+	return func(tpl string, vals interface{}) (string, error) {
+		t, err := parent.Clone()
+		if err != nil {
+			return "", errors.Wrapf(err, "cannot clone template")
+		}
+
+		// Re-inject the missingkey option, see text/template issue https://github.com/golang/go/issues/43022
+		// We have to go by strict from our engine configuration, as the option fields are private in Template.
+		// TODO: Remove workaround (and the strict parameter) once we build only with golang versions with a fix.
+		if strict {
+			t.Option("missingkey=error")
+		} else {
+			t.Option("missingkey=zero")
+		}
+
+		// Re-inject 'include' so that it can close over our clone of t;
+		// this lets any 'define's inside tpl be 'include'd.
+		t.Funcs(template.FuncMap{
+			"include": includeFun(t, includedNames),
+			"tpl":     tplFun(t, includedNames, strict),
+		})
+
+		// We need a .New template, as template text which is just blanks
+		// or comments after parsing out defines just adds new named
+		// template definitions without changing the main template.
+		// https://pkg.go.dev/text/template#Template.Parse
+		// Use the parent's name for lack of a better way to identify the tpl
+		// text string. (Maybe we could use a hash appended to the name?)
+		t, err = t.New(parent.Name()).Parse(tpl)
+		if err != nil {
+			return "", errors.Wrapf(err, "cannot parse template %q", tpl)
+		}
+
+		var buf strings.Builder
+		if err := t.Execute(&buf, vals); err != nil {
+			return "", errors.Wrapf(err, "error during tpl function execution for %q", tpl)
+		}
+
+		// See comment in renderWithReferences explaining the <no value> hack.
+		return strings.ReplaceAll(buf.String(), "<no value>", ""), nil
+	}
+}
+
+// initFunMap creates the Engine's FuncMap and adds context-specific functions.
+func (e Engine) initFunMap(t *template.Template) {
+	funcMap := funcMap()
+	includedNames := make(map[string]int)
+
+	// Add the template-rendering functions here so we can close over t.
+	funcMap["include"] = includeFun(t, includedNames)
+	funcMap["tpl"] = tplFun(t, includedNames, e.Strict)
+
+	// Add the `required` function here so we can use lintMode
+	funcMap["required"] = func(warn string, val interface{}) (interface{}, error) {
+		if val == nil {
+			if e.LintMode {
+				// Don't fail on missing required values when linting
+				log.Printf("[INFO] Missing required value: %s", warn)
+				return "", nil
+			}
+			return val, errors.New(warnWrap(warn))
+		} else if _, ok := val.(string); ok {
+			if val == "" {
+				if e.LintMode {
+					// Don't fail on missing required values when linting
+					log.Printf("[INFO] Missing required value: %s", warn)
+					return "", nil
+				}
+				return val, errors.New(warnWrap(warn))
+			}
+		}
+		return val, nil
+	}
+
+	// Override sprig fail function for linting and wrapping message
+	funcMap["fail"] = func(msg string) (string, error) {
+		if e.LintMode {
+			// Don't fail when linting
+			log.Printf("[INFO] Fail: %s", msg)
+			return "", nil
+		}
+		return "", errors.New(warnWrap(msg))
+	}
+
+	// If we are not linting and have a cluster connection, provide a Kubernetes-backed
+	// implementation.
+	if !e.LintMode && e.clientProvider != nil {
+		funcMap["lookup"] = newLookupFunction(*e.clientProvider)
+	}
+
+	// When DNS lookups are not enabled override the sprig function and return
+	// an empty string.
+	if !e.EnableDNS {
+		funcMap["getHostByName"] = func(_ string) string {
+			return ""
+		}
+	}
+
+	t.Funcs(funcMap)
+}
+
+// render takes a map of templates/values and renders them.
+func (e Engine) render(tpls map[string]renderable) (rendered map[string]string, err error) {
+	// Basically, what we do here is start with an empty parent template and then
+	// build up a list of templates -- one for each file. Once all of the templates
+	// have been parsed, we loop through again and execute every template.
+	//
+	// The idea with this process is to make it possible for more complex templates
+	// to share common blocks, but to make the entire thing feel like a file-based
+	// template engine.
+	defer func() {
+		if r := recover(); r != nil {
+			err = errors.Errorf("rendering template failed: %v", r)
+		}
+	}()
+	t := template.New("gotpl")
+	if e.Strict {
+		t.Option("missingkey=error")
+	} else {
+		// Not that zero will attempt to add default values for types it knows,
+		// but will still emit <no value> for others. We mitigate that later.
+		t.Option("missingkey=zero")
+	}
+
+	e.initFunMap(t)
+
+	// We want to parse the templates in a predictable order. The order favors
+	// higher-level (in file system) templates over deeply nested templates.
+	keys := sortTemplates(tpls)
+
+	for _, filename := range keys {
+		r := tpls[filename]
+		if _, err := t.New(filename).Parse(r.tpl); err != nil {
+			return map[string]string{}, cleanupParseError(filename, err)
+		}
+	}
+
+	rendered = make(map[string]string, len(keys))
+	for _, filename := range keys {
+		// Don't render partials. We don't care out the direct output of partials.
+		// They are only included from other templates.
+		if strings.HasPrefix(path.Base(filename), "_") {
+			continue
+		}
+		// At render time, add information about the template that is being rendered.
+		vals := tpls[filename].vals
+		vals["Template"] = chartutil.Values{"Name": filename, "BasePath": tpls[filename].basePath}
+		var buf strings.Builder
+		if err := t.ExecuteTemplate(&buf, filename, vals); err != nil {
+			return map[string]string{}, cleanupExecError(filename, err)
+		}
+
+		// Work around the issue where Go will emit "<no value>" even if Options(missing=zero)
+		// is set. Since missing=error will never get here, we do not need to handle
+		// the Strict case.
+		rendered[filename] = strings.ReplaceAll(buf.String(), "<no value>", "")
+	}
+
+	return rendered, nil
+}
+
+func cleanupParseError(filename string, err error) error {
+	tokens := strings.Split(err.Error(), ": ")
+	if len(tokens) == 1 {
+		// This might happen if a non-templating error occurs
+		return fmt.Errorf("parse error in (%s): %s", filename, err)
+	}
+	// The first token is "template"
+	// The second token is either "filename:lineno" or "filename:lineNo:columnNo"
+	location := tokens[1]
+	// The remaining tokens make up a stacktrace-like chain, ending with the relevant error
+	errMsg := tokens[len(tokens)-1]
+	return fmt.Errorf("parse error at (%s): %s", string(location), errMsg)
+}
+
+func cleanupExecError(filename string, err error) error {
+	if _, isExecError := err.(template.ExecError); !isExecError {
+		return err
+	}
+
+	tokens := strings.SplitN(err.Error(), ": ", 3)
+	if len(tokens) != 3 {
+		// This might happen if a non-templating error occurs
+		return fmt.Errorf("execution error in (%s): %s", filename, err)
+	}
+
+	// The first token is "template"
+	// The second token is either "filename:lineno" or "filename:lineNo:columnNo"
+	location := tokens[1]
+
+	parts := warnRegex.FindStringSubmatch(tokens[2])
+	if len(parts) >= 2 {
+		return fmt.Errorf("execution error at (%s): %s", string(location), parts[1])
+	}
+
+	return err
+}
+
+func sortTemplates(tpls map[string]renderable) []string {
+	keys := make([]string, len(tpls))
+	i := 0
+	for key := range tpls {
+		keys[i] = key
+		i++
+	}
+	sort.Sort(sort.Reverse(byPathLen(keys)))
+	return keys
+}
+
+type byPathLen []string
+
+func (p byPathLen) Len() int      { return len(p) }
+func (p byPathLen) Swap(i, j int) { p[j], p[i] = p[i], p[j] }
+func (p byPathLen) Less(i, j int) bool {
+	a, b := p[i], p[j]
+	ca, cb := strings.Count(a, "/"), strings.Count(b, "/")
+	if ca == cb {
+		return strings.Compare(a, b) == -1
+	}
+	return ca < cb
+}
+
+// allTemplates returns all templates for a chart and its dependencies.
+//
+// As it goes, it also prepares the values in a scope-sensitive manner.
+func allTemplates(c *chart.Chart, vals chartutil.Values) map[string]renderable {
+	templates := make(map[string]renderable)
+	recAllTpls(c, templates, vals)
+	return templates
+}
+
+// recAllTpls recurses through the templates in a chart.
+//
+// As it recurses, it also sets the values to be appropriate for the template
+// scope.
+func recAllTpls(c *chart.Chart, templates map[string]renderable, vals chartutil.Values) map[string]interface{} {
+	subCharts := make(map[string]interface{})
+	chartMetaData := struct {
+		chart.Metadata
+		IsRoot bool
+	}{*c.Metadata, c.IsRoot()}
+
+	next := map[string]interface{}{
+		"Chart":        chartMetaData,
+		"Files":        newFiles(c.Files),
+		"Release":      vals["Release"],
+		"Capabilities": vals["Capabilities"],
+		"Values":       make(chartutil.Values),
+		"Subcharts":    subCharts,
+	}
+
+	// If there is a {{.Values.ThisChart}} in the parent metadata,
+	// copy that into the {{.Values}} for this template.
+	if c.IsRoot() {
+		next["Values"] = vals["Values"]
+	} else if vs, err := vals.Table("Values." + c.Name()); err == nil {
+		next["Values"] = vs
+	}
+
+	for _, child := range c.Dependencies() {
+		subCharts[child.Name()] = recAllTpls(child, templates, next)
+	}
+
+	newParentID := c.ChartFullPath()
+	for _, t := range c.Templates {
+		if t == nil {
+			continue
+		}
+		if !isTemplateValid(c, t.Name) {
+			continue
+		}
+		templates[path.Join(newParentID, t.Name)] = renderable{
+			tpl:      string(t.Data),
+			vals:     next,
+			basePath: path.Join(newParentID, "templates"),
+		}
+	}
+
+	return next
+}
+
+// isTemplateValid returns true if the template is valid for the chart type
+func isTemplateValid(ch *chart.Chart, templateName string) bool {
+	if isLibraryChart(ch) {
+		return strings.HasPrefix(filepath.Base(templateName), "_")
+	}
+	return true
+}
+
+// isLibraryChart returns true if the chart is a library chart
+func isLibraryChart(c *chart.Chart) bool {
+	return strings.EqualFold(c.Metadata.Type, "library")
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/engine/files.go b/vendor/helm.sh/helm/v3/pkg/engine/files.go
new file mode 100644
index 0000000000..f2cfdb3f38
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/engine/files.go
@@ -0,0 +1,165 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package engine
+
+import (
+	"encoding/base64"
+	"path"
+	"strings"
+
+	"github.com/gobwas/glob"
+
+	"helm.sh/helm/v3/pkg/chart"
+)
+
+// files is a map of files in a chart that can be accessed from a template.
+type files map[string][]byte
+
+// NewFiles creates a new files from chart files.
+// Given an []*chart.File (the format for files in a chart.Chart), extract a map of files.
+func newFiles(from []*chart.File) files {
+	files := make(map[string][]byte)
+	for _, f := range from {
+		files[f.Name] = f.Data
+	}
+	return files
+}
+
+// GetBytes gets a file by path.
+//
+// The returned data is raw. In a template context, this is identical to calling
+// {{index .Files $path}}.
+//
+// This is intended to be accessed from within a template, so a missed key returns
+// an empty []byte.
+func (f files) GetBytes(name string) []byte {
+	if v, ok := f[name]; ok {
+		return v
+	}
+	return []byte{}
+}
+
+// Get returns a string representation of the given file.
+//
+// Fetch the contents of a file as a string. It is designed to be called in a
+// template.
+//
+//	{{.Files.Get "foo"}}
+func (f files) Get(name string) string {
+	return string(f.GetBytes(name))
+}
+
+// Glob takes a glob pattern and returns another files object only containing
+// matched  files.
+//
+// This is designed to be called from a template.
+//
+// {{ range $name, $content := .Files.Glob("foo/**") }}
+// {{ $name }}: |
+// {{ .Files.Get($name) | indent 4 }}{{ end }}
+func (f files) Glob(pattern string) files {
+	g, err := glob.Compile(pattern, '/')
+	if err != nil {
+		g, _ = glob.Compile("**")
+	}
+
+	nf := newFiles(nil)
+	for name, contents := range f {
+		if g.Match(name) {
+			nf[name] = contents
+		}
+	}
+
+	return nf
+}
+
+// AsConfig turns a Files group and flattens it to a YAML map suitable for
+// including in the 'data' section of a Kubernetes ConfigMap definition.
+// Duplicate keys will be overwritten, so be aware that your file names
+// (regardless of path) should be unique.
+//
+// This is designed to be called from a template, and will return empty string
+// (via toYAML function) if it cannot be serialized to YAML, or if the Files
+// object is nil.
+//
+// The output will not be indented, so you will want to pipe this to the
+// 'indent' template function.
+//
+//	data:
+//
+// {{ .Files.Glob("config/**").AsConfig() | indent 4 }}
+func (f files) AsConfig() string {
+	if f == nil {
+		return ""
+	}
+
+	m := make(map[string]string)
+
+	// Explicitly convert to strings, and file names
+	for k, v := range f {
+		m[path.Base(k)] = string(v)
+	}
+
+	return toYAML(m)
+}
+
+// AsSecrets returns the base64-encoded value of a Files object suitable for
+// including in the 'data' section of a Kubernetes Secret definition.
+// Duplicate keys will be overwritten, so be aware that your file names
+// (regardless of path) should be unique.
+//
+// This is designed to be called from a template, and will return empty string
+// (via toYAML function) if it cannot be serialized to YAML, or if the Files
+// object is nil.
+//
+// The output will not be indented, so you will want to pipe this to the
+// 'indent' template function.
+//
+//	data:
+//
+// {{ .Files.Glob("secrets/*").AsSecrets() | indent 4 }}
+func (f files) AsSecrets() string {
+	if f == nil {
+		return ""
+	}
+
+	m := make(map[string]string)
+
+	for k, v := range f {
+		m[path.Base(k)] = base64.StdEncoding.EncodeToString(v)
+	}
+
+	return toYAML(m)
+}
+
+// Lines returns each line of a named file (split by "\n") as a slice, so it can
+// be ranged over in your templates.
+//
+// This is designed to be called from a template.
+//
+// {{ range .Files.Lines "foo/bar.html" }}
+// {{ . }}{{ end }}
+func (f files) Lines(path string) []string {
+	if f == nil || f[path] == nil {
+		return []string{}
+	}
+	s := string(f[path])
+	if s[len(s)-1] == '\n' {
+		s = s[:len(s)-1]
+	}
+	return strings.Split(s, "\n")
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/engine/funcs.go b/vendor/helm.sh/helm/v3/pkg/engine/funcs.go
new file mode 100644
index 0000000000..d03a818c28
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/engine/funcs.go
@@ -0,0 +1,207 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package engine
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"text/template"
+
+	"github.com/BurntSushi/toml"
+	"github.com/Masterminds/sprig/v3"
+	"sigs.k8s.io/yaml"
+	goYaml "sigs.k8s.io/yaml/goyaml.v3"
+)
+
+// funcMap returns a mapping of all of the functions that Engine has.
+//
+// Because some functions are late-bound (e.g. contain context-sensitive
+// data), the functions may not all perform identically outside of an Engine
+// as they will inside of an Engine.
+//
+// Known late-bound functions:
+//
+//   - "include"
+//   - "tpl"
+//
+// These are late-bound in Engine.Render().  The
+// version included in the FuncMap is a placeholder.
+func funcMap() template.FuncMap {
+	f := sprig.TxtFuncMap()
+	delete(f, "env")
+	delete(f, "expandenv")
+
+	// Add some extra functionality
+	extra := template.FuncMap{
+		"toToml":        toTOML,
+		"fromToml":      fromTOML,
+		"toYaml":        toYAML,
+		"toYamlPretty":  toYAMLPretty,
+		"fromYaml":      fromYAML,
+		"fromYamlArray": fromYAMLArray,
+		"toJson":        toJSON,
+		"fromJson":      fromJSON,
+		"fromJsonArray": fromJSONArray,
+
+		// This is a placeholder for the "include" function, which is
+		// late-bound to a template. By declaring it here, we preserve the
+		// integrity of the linter.
+		"include":  func(string, interface{}) string { return "not implemented" },
+		"tpl":      func(string, interface{}) interface{} { return "not implemented" },
+		"required": func(string, interface{}) (interface{}, error) { return "not implemented", nil },
+		// Provide a placeholder for the "lookup" function, which requires a kubernetes
+		// connection.
+		"lookup": func(string, string, string, string) (map[string]interface{}, error) {
+			return map[string]interface{}{}, nil
+		},
+	}
+
+	for k, v := range extra {
+		f[k] = v
+	}
+
+	return f
+}
+
+// toYAML takes an interface, marshals it to yaml, and returns a string. It will
+// always return a string, even on marshal error (empty string).
+//
+// This is designed to be called from a template.
+func toYAML(v interface{}) string {
+	data, err := yaml.Marshal(v)
+	if err != nil {
+		// Swallow errors inside of a template.
+		return ""
+	}
+	return strings.TrimSuffix(string(data), "\n")
+}
+
+func toYAMLPretty(v interface{}) string {
+	var data bytes.Buffer
+	encoder := goYaml.NewEncoder(&data)
+	encoder.SetIndent(2)
+	err := encoder.Encode(v)
+
+	if err != nil {
+		// Swallow errors inside of a template.
+		return ""
+	}
+	return strings.TrimSuffix(data.String(), "\n")
+}
+
+// fromYAML converts a YAML document into a map[string]interface{}.
+//
+// This is not a general-purpose YAML parser, and will not parse all valid
+// YAML documents. Additionally, because its intended use is within templates
+// it tolerates errors. It will insert the returned error message string into
+// m["Error"] in the returned map.
+func fromYAML(str string) map[string]interface{} {
+	m := map[string]interface{}{}
+
+	if err := yaml.Unmarshal([]byte(str), &m); err != nil {
+		m["Error"] = err.Error()
+	}
+	return m
+}
+
+// fromYAMLArray converts a YAML array into a []interface{}.
+//
+// This is not a general-purpose YAML parser, and will not parse all valid
+// YAML documents. Additionally, because its intended use is within templates
+// it tolerates errors. It will insert the returned error message string as
+// the first and only item in the returned array.
+func fromYAMLArray(str string) []interface{} {
+	a := []interface{}{}
+
+	if err := yaml.Unmarshal([]byte(str), &a); err != nil {
+		a = []interface{}{err.Error()}
+	}
+	return a
+}
+
+// toTOML takes an interface, marshals it to toml, and returns a string. It will
+// always return a string, even on marshal error (empty string).
+//
+// This is designed to be called from a template.
+func toTOML(v interface{}) string {
+	b := bytes.NewBuffer(nil)
+	e := toml.NewEncoder(b)
+	err := e.Encode(v)
+	if err != nil {
+		return err.Error()
+	}
+	return b.String()
+}
+
+// fromTOML converts a TOML document into a map[string]interface{}.
+//
+// This is not a general-purpose TOML parser, and will not parse all valid
+// TOML documents. Additionally, because its intended use is within templates
+// it tolerates errors. It will insert the returned error message string into
+// m["Error"] in the returned map.
+func fromTOML(str string) map[string]interface{} {
+	m := make(map[string]interface{})
+
+	if err := toml.Unmarshal([]byte(str), &m); err != nil {
+		m["Error"] = err.Error()
+	}
+	return m
+}
+
+// toJSON takes an interface, marshals it to json, and returns a string. It will
+// always return a string, even on marshal error (empty string).
+//
+// This is designed to be called from a template.
+func toJSON(v interface{}) string {
+	data, err := json.Marshal(v)
+	if err != nil {
+		// Swallow errors inside of a template.
+		return ""
+	}
+	return string(data)
+}
+
+// fromJSON converts a JSON document into a map[string]interface{}.
+//
+// This is not a general-purpose JSON parser, and will not parse all valid
+// JSON documents. Additionally, because its intended use is within templates
+// it tolerates errors. It will insert the returned error message string into
+// m["Error"] in the returned map.
+func fromJSON(str string) map[string]interface{} {
+	m := make(map[string]interface{})
+
+	if err := json.Unmarshal([]byte(str), &m); err != nil {
+		m["Error"] = err.Error()
+	}
+	return m
+}
+
+// fromJSONArray converts a JSON array into a []interface{}.
+//
+// This is not a general-purpose JSON parser, and will not parse all valid
+// JSON documents. Additionally, because its intended use is within templates
+// it tolerates errors. It will insert the returned error message string as
+// the first and only item in the returned array.
+func fromJSONArray(str string) []interface{} {
+	a := []interface{}{}
+
+	if err := json.Unmarshal([]byte(str), &a); err != nil {
+		a = []interface{}{err.Error()}
+	}
+	return a
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/engine/lookup_func.go b/vendor/helm.sh/helm/v3/pkg/engine/lookup_func.go
new file mode 100644
index 0000000000..75e85098d1
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/engine/lookup_func.go
@@ -0,0 +1,143 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package engine
+
+import (
+	"context"
+	"log"
+	"strings"
+
+	"github.com/pkg/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/rest"
+)
+
+type lookupFunc = func(apiversion string, resource string, namespace string, name string) (map[string]interface{}, error)
+
+// NewLookupFunction returns a function for looking up objects in the cluster.
+//
+// If the resource does not exist, no error is raised.
+//
+// This function is considered deprecated, and will be renamed in Helm 4. It will no
+// longer be a public function.
+func NewLookupFunction(config *rest.Config) lookupFunc {
+	return newLookupFunction(clientProviderFromConfig{config: config})
+}
+
+type ClientProvider interface {
+	// GetClientFor returns a dynamic.NamespaceableResourceInterface suitable for interacting with resources
+	// corresponding to the provided apiVersion and kind, as well as a boolean indicating whether the resources
+	// are namespaced.
+	GetClientFor(apiVersion, kind string) (dynamic.NamespaceableResourceInterface, bool, error)
+}
+
+type clientProviderFromConfig struct {
+	config *rest.Config
+}
+
+func (c clientProviderFromConfig) GetClientFor(apiVersion, kind string) (dynamic.NamespaceableResourceInterface, bool, error) {
+	return getDynamicClientOnKind(apiVersion, kind, c.config)
+}
+
+func newLookupFunction(clientProvider ClientProvider) lookupFunc {
+	return func(apiversion string, kind string, namespace string, name string) (map[string]interface{}, error) {
+		var client dynamic.ResourceInterface
+		c, namespaced, err := clientProvider.GetClientFor(apiversion, kind)
+		if err != nil {
+			return map[string]interface{}{}, err
+		}
+		if namespaced && namespace != "" {
+			client = c.Namespace(namespace)
+		} else {
+			client = c
+		}
+		if name != "" {
+			// this will return a single object
+			obj, err := client.Get(context.Background(), name, metav1.GetOptions{})
+			if err != nil {
+				if apierrors.IsNotFound(err) {
+					// Just return an empty interface when the object was not found.
+					// That way, users can use `if not (lookup ...)` in their templates.
+					return map[string]interface{}{}, nil
+				}
+				return map[string]interface{}{}, err
+			}
+			return obj.UnstructuredContent(), nil
+		}
+		// this will return a list
+		obj, err := client.List(context.Background(), metav1.ListOptions{})
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				// Just return an empty interface when the object was not found.
+				// That way, users can use `if not (lookup ...)` in their templates.
+				return map[string]interface{}{}, nil
+			}
+			return map[string]interface{}{}, err
+		}
+		return obj.UnstructuredContent(), nil
+	}
+}
+
+// getDynamicClientOnKind returns a dynamic client on an Unstructured type. This client can be further namespaced.
+func getDynamicClientOnKind(apiversion string, kind string, config *rest.Config) (dynamic.NamespaceableResourceInterface, bool, error) {
+	gvk := schema.FromAPIVersionAndKind(apiversion, kind)
+	apiRes, err := getAPIResourceForGVK(gvk, config)
+	if err != nil {
+		log.Printf("[ERROR] unable to get apiresource from unstructured: %s , error %s", gvk.String(), err)
+		return nil, false, errors.Wrapf(err, "unable to get apiresource from unstructured: %s", gvk.String())
+	}
+	gvr := schema.GroupVersionResource{
+		Group:    apiRes.Group,
+		Version:  apiRes.Version,
+		Resource: apiRes.Name,
+	}
+	intf, err := dynamic.NewForConfig(config)
+	if err != nil {
+		log.Printf("[ERROR] unable to get dynamic client %s", err)
+		return nil, false, err
+	}
+	res := intf.Resource(gvr)
+	return res, apiRes.Namespaced, nil
+}
+
+func getAPIResourceForGVK(gvk schema.GroupVersionKind, config *rest.Config) (metav1.APIResource, error) {
+	res := metav1.APIResource{}
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
+	if err != nil {
+		log.Printf("[ERROR] unable to create discovery client %s", err)
+		return res, err
+	}
+	resList, err := discoveryClient.ServerResourcesForGroupVersion(gvk.GroupVersion().String())
+	if err != nil {
+		log.Printf("[ERROR] unable to retrieve resource list for: %s , error: %s", gvk.GroupVersion().String(), err)
+		return res, err
+	}
+	for _, resource := range resList.APIResources {
+		// if a resource contains a "/" it's referencing a subresource. we don't support subresource for now.
+		if resource.Kind == gvk.Kind && !strings.Contains(resource.Name, "/") {
+			res = resource
+			res.Group = gvk.Group
+			res.Version = gvk.Version
+			break
+		}
+	}
+	return res, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/getter/doc.go b/vendor/helm.sh/helm/v3/pkg/getter/doc.go
new file mode 100644
index 0000000000..11cf6153eb
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/getter/doc.go
@@ -0,0 +1,22 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package getter provides a generalize tool for fetching data by scheme.
+
+This provides a method by which the plugin system can load arbitrary protocol
+handlers based upon a URL scheme.
+*/
+package getter
diff --git a/vendor/helm.sh/helm/v3/pkg/getter/getter.go b/vendor/helm.sh/helm/v3/pkg/getter/getter.go
new file mode 100644
index 0000000000..1acb2093dc
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/getter/getter.go
@@ -0,0 +1,220 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package getter
+
+import (
+	"bytes"
+	"net/http"
+	"time"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+// options are generic parameters to be provided to the getter during instantiation.
+//
+// Getters may or may not ignore these parameters as they are passed in.
+type options struct {
+	url                   string
+	certFile              string
+	keyFile               string
+	caFile                string
+	unTar                 bool
+	insecureSkipVerifyTLS bool
+	plainHTTP             bool
+	acceptHeader          string
+	username              string
+	password              string
+	passCredentialsAll    bool
+	userAgent             string
+	version               string
+	registryClient        *registry.Client
+	timeout               time.Duration
+	transport             *http.Transport
+}
+
+// Option allows specifying various settings configurable by the user for overriding the defaults
+// used when performing Get operations with the Getter.
+type Option func(*options)
+
+// WithURL informs the getter the server name that will be used when fetching objects. Used in conjunction with
+// WithTLSClientConfig to set the TLSClientConfig's server name.
+func WithURL(url string) Option {
+	return func(opts *options) {
+		opts.url = url
+	}
+}
+
+// WithAcceptHeader sets the request's Accept header as some REST APIs serve multiple content types
+func WithAcceptHeader(header string) Option {
+	return func(opts *options) {
+		opts.acceptHeader = header
+	}
+}
+
+// WithBasicAuth sets the request's Authorization header to use the provided credentials
+func WithBasicAuth(username, password string) Option {
+	return func(opts *options) {
+		opts.username = username
+		opts.password = password
+	}
+}
+
+func WithPassCredentialsAll(pass bool) Option {
+	return func(opts *options) {
+		opts.passCredentialsAll = pass
+	}
+}
+
+// WithUserAgent sets the request's User-Agent header to use the provided agent name.
+func WithUserAgent(userAgent string) Option {
+	return func(opts *options) {
+		opts.userAgent = userAgent
+	}
+}
+
+// WithInsecureSkipVerifyTLS determines if a TLS Certificate will be checked
+func WithInsecureSkipVerifyTLS(insecureSkipVerifyTLS bool) Option {
+	return func(opts *options) {
+		opts.insecureSkipVerifyTLS = insecureSkipVerifyTLS
+	}
+}
+
+// WithTLSClientConfig sets the client auth with the provided credentials.
+func WithTLSClientConfig(certFile, keyFile, caFile string) Option {
+	return func(opts *options) {
+		opts.certFile = certFile
+		opts.keyFile = keyFile
+		opts.caFile = caFile
+	}
+}
+
+func WithPlainHTTP(plainHTTP bool) Option {
+	return func(opts *options) {
+		opts.plainHTTP = plainHTTP
+	}
+}
+
+// WithTimeout sets the timeout for requests
+func WithTimeout(timeout time.Duration) Option {
+	return func(opts *options) {
+		opts.timeout = timeout
+	}
+}
+
+func WithTagName(tagname string) Option {
+	return func(opts *options) {
+		opts.version = tagname
+	}
+}
+
+func WithRegistryClient(client *registry.Client) Option {
+	return func(opts *options) {
+		opts.registryClient = client
+	}
+}
+
+func WithUntar() Option {
+	return func(opts *options) {
+		opts.unTar = true
+	}
+}
+
+// WithTransport sets the http.Transport to allow overwriting the HTTPGetter default.
+func WithTransport(transport *http.Transport) Option {
+	return func(opts *options) {
+		opts.transport = transport
+	}
+}
+
+// Getter is an interface to support GET to the specified URL.
+type Getter interface {
+	// Get file content by url string
+	Get(url string, options ...Option) (*bytes.Buffer, error)
+}
+
+// Constructor is the function for every getter which creates a specific instance
+// according to the configuration
+type Constructor func(options ...Option) (Getter, error)
+
+// Provider represents any getter and the schemes that it supports.
+//
+// For example, an HTTP provider may provide one getter that handles both
+// 'http' and 'https' schemes.
+type Provider struct {
+	Schemes []string
+	New     Constructor
+}
+
+// Provides returns true if the given scheme is supported by this Provider.
+func (p Provider) Provides(scheme string) bool {
+	for _, i := range p.Schemes {
+		if i == scheme {
+			return true
+		}
+	}
+	return false
+}
+
+// Providers is a collection of Provider objects.
+type Providers []Provider
+
+// ByScheme returns a Provider that handles the given scheme.
+//
+// If no provider handles this scheme, this will return an error.
+func (p Providers) ByScheme(scheme string) (Getter, error) {
+	for _, pp := range p {
+		if pp.Provides(scheme) {
+			return pp.New()
+		}
+	}
+	return nil, errors.Errorf("scheme %q not supported", scheme)
+}
+
+const (
+	// The cost timeout references curl's default connection timeout.
+	// https://github.com/curl/curl/blob/master/lib/connect.h#L40C21-L40C21
+	// The helm commands are usually executed manually. Considering the acceptable waiting time, we reduced the entire request time to 120s.
+	DefaultHTTPTimeout = 120
+)
+
+var defaultOptions = []Option{WithTimeout(time.Second * DefaultHTTPTimeout)}
+
+var httpProvider = Provider{
+	Schemes: []string{"http", "https"},
+	New: func(options ...Option) (Getter, error) {
+		options = append(options, defaultOptions...)
+		return NewHTTPGetter(options...)
+	},
+}
+
+var ociProvider = Provider{
+	Schemes: []string{registry.OCIScheme},
+	New:     NewOCIGetter,
+}
+
+// All finds all of the registered getters as a list of Provider instances.
+// Currently, the built-in getters and the discovered plugins with downloader
+// notations are collected.
+func All(settings *cli.EnvSettings) Providers {
+	result := Providers{httpProvider, ociProvider}
+	pluginDownloaders, _ := collectPlugins(settings)
+	result = append(result, pluginDownloaders...)
+	return result
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/getter/httpgetter.go b/vendor/helm.sh/helm/v3/pkg/getter/httpgetter.go
new file mode 100644
index 0000000000..df3dcd9109
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/getter/httpgetter.go
@@ -0,0 +1,161 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package getter
+
+import (
+	"bytes"
+	"crypto/tls"
+	"io"
+	"net/http"
+	"net/url"
+	"sync"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/internal/tlsutil"
+	"helm.sh/helm/v3/internal/urlutil"
+	"helm.sh/helm/v3/internal/version"
+)
+
+// HTTPGetter is the default HTTP(/S) backend handler
+type HTTPGetter struct {
+	opts      options
+	transport *http.Transport
+	once      sync.Once
+}
+
+// Get performs a Get from repo.Getter and returns the body.
+func (g *HTTPGetter) Get(href string, options ...Option) (*bytes.Buffer, error) {
+	for _, opt := range options {
+		opt(&g.opts)
+	}
+	return g.get(href)
+}
+
+func (g *HTTPGetter) get(href string) (*bytes.Buffer, error) {
+	// Set a helm specific user agent so that a repo server and metrics can
+	// separate helm calls from other tools interacting with repos.
+	req, err := http.NewRequest(http.MethodGet, href, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if g.opts.acceptHeader != "" {
+		req.Header.Set("Accept", g.opts.acceptHeader)
+	}
+
+	req.Header.Set("User-Agent", version.GetUserAgent())
+	if g.opts.userAgent != "" {
+		req.Header.Set("User-Agent", g.opts.userAgent)
+	}
+
+	// Before setting the basic auth credentials, make sure the URL associated
+	// with the basic auth is the one being fetched.
+	u1, err := url.Parse(g.opts.url)
+	if err != nil {
+		return nil, errors.Wrap(err, "Unable to parse getter URL")
+	}
+	u2, err := url.Parse(href)
+	if err != nil {
+		return nil, errors.Wrap(err, "Unable to parse URL getting from")
+	}
+
+	// Host on URL (returned from url.Parse) contains the port if present.
+	// This check ensures credentials are not passed between different
+	// services on different ports.
+	if g.opts.passCredentialsAll || (u1.Scheme == u2.Scheme && u1.Host == u2.Host) {
+		if g.opts.username != "" && g.opts.password != "" {
+			req.SetBasicAuth(g.opts.username, g.opts.password)
+		}
+	}
+
+	client, err := g.httpClient()
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.Errorf("failed to fetch %s : %s", href, resp.Status)
+	}
+
+	buf := bytes.NewBuffer(nil)
+	_, err = io.Copy(buf, resp.Body)
+	return buf, err
+}
+
+// NewHTTPGetter constructs a valid http/https client as a Getter
+func NewHTTPGetter(options ...Option) (Getter, error) {
+	var client HTTPGetter
+
+	for _, opt := range options {
+		opt(&client.opts)
+	}
+
+	return &client, nil
+}
+
+func (g *HTTPGetter) httpClient() (*http.Client, error) {
+	if g.opts.transport != nil {
+		return &http.Client{
+			Transport: g.opts.transport,
+			Timeout:   g.opts.timeout,
+		}, nil
+	}
+
+	g.once.Do(func() {
+		g.transport = &http.Transport{
+			DisableCompression: true,
+			Proxy:              http.ProxyFromEnvironment,
+		}
+	})
+
+	if (g.opts.certFile != "" && g.opts.keyFile != "") || g.opts.caFile != "" || g.opts.insecureSkipVerifyTLS {
+		tlsConf, err := tlsutil.NewClientTLS(g.opts.certFile, g.opts.keyFile, g.opts.caFile, g.opts.insecureSkipVerifyTLS)
+		if err != nil {
+			return nil, errors.Wrap(err, "can't create TLS config for client")
+		}
+
+		sni, err := urlutil.ExtractHostname(g.opts.url)
+		if err != nil {
+			return nil, err
+		}
+		tlsConf.ServerName = sni
+
+		g.transport.TLSClientConfig = tlsConf
+	}
+
+	if g.opts.insecureSkipVerifyTLS {
+		if g.transport.TLSClientConfig == nil {
+			g.transport.TLSClientConfig = &tls.Config{
+				InsecureSkipVerify: true,
+			}
+		} else {
+			g.transport.TLSClientConfig.InsecureSkipVerify = true
+		}
+	}
+
+	client := &http.Client{
+		Transport: g.transport,
+		Timeout:   g.opts.timeout,
+	}
+
+	return client, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/getter/ocigetter.go b/vendor/helm.sh/helm/v3/pkg/getter/ocigetter.go
new file mode 100644
index 0000000000..5b0522395c
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/getter/ocigetter.go
@@ -0,0 +1,160 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package getter
+
+import (
+	"bytes"
+	"fmt"
+	"net"
+	"net/http"
+	"path"
+	"strings"
+	"sync"
+	"time"
+
+	"helm.sh/helm/v3/internal/tlsutil"
+	"helm.sh/helm/v3/internal/urlutil"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+// OCIGetter is the default HTTP(/S) backend handler
+type OCIGetter struct {
+	opts      options
+	transport *http.Transport
+	once      sync.Once
+}
+
+// Get performs a Get from repo.Getter and returns the body.
+func (g *OCIGetter) Get(href string, options ...Option) (*bytes.Buffer, error) {
+	for _, opt := range options {
+		opt(&g.opts)
+	}
+	return g.get(href)
+}
+
+func (g *OCIGetter) get(href string) (*bytes.Buffer, error) {
+	client := g.opts.registryClient
+	// if the user has already provided a configured registry client, use it,
+	// this is particularly true when user has his own way of handling the client credentials.
+	if client == nil {
+		c, err := g.newRegistryClient()
+		if err != nil {
+			return nil, err
+		}
+		client = c
+	}
+
+	ref := strings.TrimPrefix(href, fmt.Sprintf("%s://", registry.OCIScheme))
+
+	if version := g.opts.version; version != "" && !strings.Contains(path.Base(ref), ":") {
+		ref = fmt.Sprintf("%s:%s", ref, version)
+	}
+	var pullOpts []registry.PullOption
+	requestingProv := strings.HasSuffix(ref, ".prov")
+	if requestingProv {
+		ref = strings.TrimSuffix(ref, ".prov")
+		pullOpts = append(pullOpts,
+			registry.PullOptWithChart(false),
+			registry.PullOptWithProv(true))
+	}
+
+	result, err := client.Pull(ref, pullOpts...)
+	if err != nil {
+		return nil, err
+	}
+
+	if requestingProv {
+		return bytes.NewBuffer(result.Prov.Data), nil
+	}
+	return bytes.NewBuffer(result.Chart.Data), nil
+}
+
+// NewOCIGetter constructs a valid http/https client as a Getter
+func NewOCIGetter(ops ...Option) (Getter, error) {
+	var client OCIGetter
+
+	for _, opt := range ops {
+		opt(&client.opts)
+	}
+
+	return &client, nil
+}
+
+func (g *OCIGetter) newRegistryClient() (*registry.Client, error) {
+	if g.opts.transport != nil {
+		client, err := registry.NewClient(
+			registry.ClientOptHTTPClient(&http.Client{
+				Transport: g.opts.transport,
+				Timeout:   g.opts.timeout,
+			}),
+		)
+		if err != nil {
+			return nil, err
+		}
+		return client, nil
+	}
+
+	g.once.Do(func() {
+		g.transport = &http.Transport{
+			// From https://github.com/google/go-containerregistry/blob/31786c6cbb82d6ec4fb8eb79cd9387905130534e/pkg/v1/remote/options.go#L87
+			DisableCompression: true,
+			DialContext: (&net.Dialer{
+				// By default we wrap the transport in retries, so reduce the
+				// default dial timeout to 5s to avoid 5x 30s of connection
+				// timeouts when doing the "ping" on certain http registries.
+				Timeout:   5 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			ForceAttemptHTTP2:     true,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+			Proxy:                 http.ProxyFromEnvironment,
+		}
+	})
+
+	if (g.opts.certFile != "" && g.opts.keyFile != "") || g.opts.caFile != "" || g.opts.insecureSkipVerifyTLS {
+		tlsConf, err := tlsutil.NewClientTLS(g.opts.certFile, g.opts.keyFile, g.opts.caFile, g.opts.insecureSkipVerifyTLS)
+		if err != nil {
+			return nil, fmt.Errorf("can't create TLS config for client: %w", err)
+		}
+
+		sni, err := urlutil.ExtractHostname(g.opts.url)
+		if err != nil {
+			return nil, err
+		}
+		tlsConf.ServerName = sni
+
+		g.transport.TLSClientConfig = tlsConf
+	}
+
+	opts := []registry.ClientOption{registry.ClientOptHTTPClient(&http.Client{
+		Transport: g.transport,
+		Timeout:   g.opts.timeout,
+	})}
+	if g.opts.plainHTTP {
+		opts = append(opts, registry.ClientOptPlainHTTP())
+	}
+
+	client, err := registry.NewClient(opts...)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/getter/plugingetter.go b/vendor/helm.sh/helm/v3/pkg/getter/plugingetter.go
new file mode 100644
index 0000000000..a371b52eb8
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/getter/plugingetter.go
@@ -0,0 +1,110 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package getter
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/plugin"
+)
+
+// collectPlugins scans for getter plugins.
+// This will load plugins according to the cli.
+func collectPlugins(settings *cli.EnvSettings) (Providers, error) {
+	plugins, err := plugin.FindPlugins(settings.PluginsDirectory)
+	if err != nil {
+		return nil, err
+	}
+	var result Providers
+	for _, plugin := range plugins {
+		for _, downloader := range plugin.Metadata.Downloaders {
+			result = append(result, Provider{
+				Schemes: downloader.Protocols,
+				New: NewPluginGetter(
+					downloader.Command,
+					settings,
+					plugin.Metadata.Name,
+					plugin.Dir,
+				),
+			})
+		}
+	}
+	return result, nil
+}
+
+// pluginGetter is a generic type to invoke custom downloaders,
+// implemented in plugins.
+type pluginGetter struct {
+	command  string
+	settings *cli.EnvSettings
+	name     string
+	base     string
+	opts     options
+}
+
+func (p *pluginGetter) setupOptionsEnv(env []string) []string {
+	env = append(env, fmt.Sprintf("HELM_PLUGIN_USERNAME=%s", p.opts.username))
+	env = append(env, fmt.Sprintf("HELM_PLUGIN_PASSWORD=%s", p.opts.password))
+	env = append(env, fmt.Sprintf("HELM_PLUGIN_PASS_CREDENTIALS_ALL=%t", p.opts.passCredentialsAll))
+	return env
+}
+
+// Get runs downloader plugin command
+func (p *pluginGetter) Get(href string, options ...Option) (*bytes.Buffer, error) {
+	for _, opt := range options {
+		opt(&p.opts)
+	}
+	commands := strings.Split(p.command, " ")
+	argv := append(commands[1:], p.opts.certFile, p.opts.keyFile, p.opts.caFile, href)
+	prog := exec.Command(filepath.Join(p.base, commands[0]), argv...)
+	plugin.SetupPluginEnv(p.settings, p.name, p.base)
+	prog.Env = p.setupOptionsEnv(os.Environ())
+	buf := bytes.NewBuffer(nil)
+	prog.Stdout = buf
+	prog.Stderr = os.Stderr
+	if err := prog.Run(); err != nil {
+		if eerr, ok := err.(*exec.ExitError); ok {
+			os.Stderr.Write(eerr.Stderr)
+			return nil, errors.Errorf("plugin %q exited with error", p.command)
+		}
+		return nil, err
+	}
+	return buf, nil
+}
+
+// NewPluginGetter constructs a valid plugin getter
+func NewPluginGetter(command string, settings *cli.EnvSettings, name, base string) Constructor {
+	return func(options ...Option) (Getter, error) {
+		result := &pluginGetter{
+			command:  command,
+			settings: settings,
+			name:     name,
+			base:     base,
+		}
+		for _, opt := range options {
+			opt(&result.opts)
+		}
+		return result, nil
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/home.go b/vendor/helm.sh/helm/v3/pkg/helmpath/home.go
new file mode 100644
index 0000000000..bd43e8890c
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/helmpath/home.go
@@ -0,0 +1,44 @@
+// Copyright The Helm Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package helmpath calculates filesystem paths to Helm's configuration, cache and data.
+package helmpath
+
+// This helper builds paths to Helm's configuration, cache and data paths.
+const lp = lazypath("helm")
+
+// ConfigPath returns the path where Helm stores configuration.
+func ConfigPath(elem ...string) string { return lp.configPath(elem...) }
+
+// CachePath returns the path where Helm stores cached objects.
+func CachePath(elem ...string) string { return lp.cachePath(elem...) }
+
+// DataPath returns the path where Helm stores data.
+func DataPath(elem ...string) string { return lp.dataPath(elem...) }
+
+// CacheIndexFile returns the path to an index for the given named repository.
+func CacheIndexFile(name string) string {
+	if name != "" {
+		name += "-"
+	}
+	return name + "index.yaml"
+}
+
+// CacheChartsFile returns the path to a text file listing all the charts
+// within the given named repository.
+func CacheChartsFile(name string) string {
+	if name != "" {
+		name += "-"
+	}
+	return name + "charts.txt"
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath.go b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath.go
new file mode 100644
index 0000000000..6b4f1fc770
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath.go
@@ -0,0 +1,72 @@
+// Copyright The Helm Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package helmpath
+
+import (
+	"os"
+	"path/filepath"
+
+	"helm.sh/helm/v3/pkg/helmpath/xdg"
+)
+
+const (
+	// CacheHomeEnvVar is the environment variable used by Helm
+	// for the cache directory. When no value is set a default is used.
+	CacheHomeEnvVar = "HELM_CACHE_HOME"
+
+	// ConfigHomeEnvVar is the environment variable used by Helm
+	// for the config directory. When no value is set a default is used.
+	ConfigHomeEnvVar = "HELM_CONFIG_HOME"
+
+	// DataHomeEnvVar is the environment variable used by Helm
+	// for the data directory. When no value is set a default is used.
+	DataHomeEnvVar = "HELM_DATA_HOME"
+)
+
+// lazypath is a lazy-loaded path buffer for the XDG base directory specification.
+type lazypath string
+
+func (l lazypath) path(helmEnvVar, xdgEnvVar string, defaultFn func() string, elem ...string) string {
+
+	// There is an order to checking for a path.
+	// 1. See if a Helm specific environment variable has been set.
+	// 2. Check if an XDG environment variable is set
+	// 3. Fall back to a default
+	base := os.Getenv(helmEnvVar)
+	if base != "" {
+		return filepath.Join(base, filepath.Join(elem...))
+	}
+	base = os.Getenv(xdgEnvVar)
+	if base == "" {
+		base = defaultFn()
+	}
+	return filepath.Join(base, string(l), filepath.Join(elem...))
+}
+
+// cachePath defines the base directory relative to which user specific non-essential data files
+// should be stored.
+func (l lazypath) cachePath(elem ...string) string {
+	return l.path(CacheHomeEnvVar, xdg.CacheHomeEnvVar, cacheHome, filepath.Join(elem...))
+}
+
+// configPath defines the base directory relative to which user specific configuration files should
+// be stored.
+func (l lazypath) configPath(elem ...string) string {
+	return l.path(ConfigHomeEnvVar, xdg.ConfigHomeEnvVar, configHome, filepath.Join(elem...))
+}
+
+// dataPath defines the base directory relative to which user specific data files should be stored.
+func (l lazypath) dataPath(elem ...string) string {
+	return l.path(DataHomeEnvVar, xdg.DataHomeEnvVar, dataHome, filepath.Join(elem...))
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_darwin.go b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_darwin.go
new file mode 100644
index 0000000000..eba6dde151
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_darwin.go
@@ -0,0 +1,34 @@
+// Copyright The Helm Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build darwin
+
+package helmpath
+
+import (
+	"path/filepath"
+
+	"k8s.io/client-go/util/homedir"
+)
+
+func dataHome() string {
+	return filepath.Join(homedir.HomeDir(), "Library")
+}
+
+func configHome() string {
+	return filepath.Join(homedir.HomeDir(), "Library", "Preferences")
+}
+
+func cacheHome() string {
+	return filepath.Join(homedir.HomeDir(), "Library", "Caches")
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_unix.go b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_unix.go
new file mode 100644
index 0000000000..82fb4b6f1f
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_unix.go
@@ -0,0 +1,45 @@
+// Copyright The Helm Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !windows && !darwin
+
+package helmpath
+
+import (
+	"path/filepath"
+
+	"k8s.io/client-go/util/homedir"
+)
+
+// dataHome defines the base directory relative to which user specific data files should be stored.
+//
+// If $XDG_DATA_HOME is either not set or empty, a default equal to $HOME/.local/share is used.
+func dataHome() string {
+	return filepath.Join(homedir.HomeDir(), ".local", "share")
+}
+
+// configHome defines the base directory relative to which user specific configuration files should
+// be stored.
+//
+// If $XDG_CONFIG_HOME is either not set or empty, a default equal to $HOME/.config is used.
+func configHome() string {
+	return filepath.Join(homedir.HomeDir(), ".config")
+}
+
+// cacheHome defines the base directory relative to which user specific non-essential data files
+// should be stored.
+//
+// If $XDG_CACHE_HOME is either not set or empty, a default equal to $HOME/.cache is used.
+func cacheHome() string {
+	return filepath.Join(homedir.HomeDir(), ".cache")
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_windows.go b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_windows.go
new file mode 100644
index 0000000000..230aee2a93
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_windows.go
@@ -0,0 +1,24 @@
+// Copyright The Helm Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build windows
+
+package helmpath
+
+import "os"
+
+func dataHome() string { return configHome() }
+
+func configHome() string { return os.Getenv("APPDATA") }
+
+func cacheHome() string { return os.Getenv("TEMP") }
diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/xdg/xdg.go b/vendor/helm.sh/helm/v3/pkg/helmpath/xdg/xdg.go
new file mode 100644
index 0000000000..eaa3e68643
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/helmpath/xdg/xdg.go
@@ -0,0 +1,34 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package xdg holds constants pertaining to XDG Base Directory Specification.
+//
+// The XDG Base Directory Specification https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+// specifies the environment variables that define user-specific base directories for various categories of files.
+package xdg
+
+const (
+	// CacheHomeEnvVar is the environment variable used by the
+	// XDG base directory specification for the cache directory.
+	CacheHomeEnvVar = "XDG_CACHE_HOME"
+
+	// ConfigHomeEnvVar is the environment variable used by the
+	// XDG base directory specification for the config directory.
+	ConfigHomeEnvVar = "XDG_CONFIG_HOME"
+
+	// DataHomeEnvVar is the environment variable used by the
+	// XDG base directory specification for the data directory.
+	DataHomeEnvVar = "XDG_DATA_HOME"
+)
diff --git a/vendor/helm.sh/helm/v3/pkg/ignore/doc.go b/vendor/helm.sh/helm/v3/pkg/ignore/doc.go
new file mode 100644
index 0000000000..1f5e918477
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/ignore/doc.go
@@ -0,0 +1,68 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package ignore provides tools for writing ignore files (a la .gitignore).
+
+This provides both an ignore parser and a file-aware processor.
+
+The format of ignore files closely follows, but does not exactly match, the
+format for .gitignore files (https://git-scm.com/docs/gitignore).
+
+The formatting rules are as follows:
+
+  - Parsing is line-by-line
+  - Empty lines are ignored
+  - Lines that begin with # (comments) will be ignored
+  - Leading and trailing spaces are always ignored
+  - Inline comments are NOT supported ('foo* # Any foo' does not contain a comment)
+  - There is no support for multi-line patterns
+  - Shell glob patterns are supported. See Go's "path/filepath".Match
+  - If a pattern begins with a leading !, the match will be negated.
+  - If a pattern begins with a leading /, only paths relatively rooted will match.
+  - If the pattern ends with a trailing /, only directories will match
+  - If a pattern contains no slashes, file basenames are tested (not paths)
+  - The pattern sequence "**", while legal in a glob, will cause an error here
+    (to indicate incompatibility with .gitignore).
+
+Example:
+
+	# Match any file named foo.txt
+	foo.txt
+
+	# Match any text file
+	*.txt
+
+	# Match only directories named mydir
+	mydir/
+
+	# Match only text files in the top-level directory
+	/*.txt
+
+	# Match only the file foo.txt in the top-level directory
+	/foo.txt
+
+	# Match any file named ab.txt, ac.txt, or ad.txt
+	a[b-d].txt
+
+Notable differences from .gitignore:
+  - The '**' syntax is not supported.
+  - The globbing library is Go's 'filepath.Match', not fnmatch(3)
+  - Trailing spaces are always ignored (there is no supported escape sequence)
+  - The evaluation of escape sequences has not been tested for compatibility
+  - There is no support for '\!' as a special leading sequence.
+*/
+package ignore // import "helm.sh/helm/v3/pkg/ignore"
diff --git a/vendor/helm.sh/helm/v3/pkg/ignore/rules.go b/vendor/helm.sh/helm/v3/pkg/ignore/rules.go
new file mode 100644
index 0000000000..88de407ad8
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/ignore/rules.go
@@ -0,0 +1,228 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ignore
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+// HelmIgnore default name of an ignorefile.
+const HelmIgnore = ".helmignore"
+
+// Rules is a collection of path matching rules.
+//
+// Parse() and ParseFile() will construct and populate new Rules.
+// Empty() will create an immutable empty ruleset.
+type Rules struct {
+	patterns []*pattern
+}
+
+// Empty builds an empty ruleset.
+func Empty() *Rules {
+	return &Rules{patterns: []*pattern{}}
+}
+
+// AddDefaults adds default ignore patterns.
+//
+// Ignore all dotfiles in "templates/"
+func (r *Rules) AddDefaults() {
+	r.parseRule(`templates/.?*`)
+}
+
+// ParseFile parses a helmignore file and returns the *Rules.
+func ParseFile(file string) (*Rules, error) {
+	f, err := os.Open(file)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	return Parse(f)
+}
+
+// Parse parses a rules file
+func Parse(file io.Reader) (*Rules, error) {
+	r := &Rules{patterns: []*pattern{}}
+
+	s := bufio.NewScanner(file)
+	currentLine := 0
+	utf8bom := []byte{0xEF, 0xBB, 0xBF}
+	for s.Scan() {
+		scannedBytes := s.Bytes()
+		// We trim UTF8 BOM
+		if currentLine == 0 {
+			scannedBytes = bytes.TrimPrefix(scannedBytes, utf8bom)
+		}
+		line := string(scannedBytes)
+		currentLine++
+
+		if err := r.parseRule(line); err != nil {
+			return r, err
+		}
+	}
+	return r, s.Err()
+}
+
+// Ignore evaluates the file at the given path, and returns true if it should be ignored.
+//
+// Ignore evaluates path against the rules in order. Evaluation stops when a match
+// is found. Matching a negative rule will stop evaluation.
+func (r *Rules) Ignore(path string, fi os.FileInfo) bool {
+	// Don't match on empty dirs.
+	if path == "" {
+		return false
+	}
+
+	// Disallow ignoring the current working directory.
+	// See issue:
+	// 1776 (New York City) Hamilton: "Pardon me, are you Aaron Burr, sir?"
+	if path == "." || path == "./" {
+		return false
+	}
+	for _, p := range r.patterns {
+		if p.match == nil {
+			log.Printf("ignore: no matcher supplied for %q", p.raw)
+			return false
+		}
+
+		// For negative rules, we need to capture and return non-matches,
+		// and continue for matches.
+		if p.negate {
+			if p.mustDir && !fi.IsDir() {
+				return true
+			}
+			if !p.match(path, fi) {
+				return true
+			}
+			continue
+		}
+
+		// If the rule is looking for directories, and this is not a directory,
+		// skip it.
+		if p.mustDir && !fi.IsDir() {
+			continue
+		}
+		if p.match(path, fi) {
+			return true
+		}
+	}
+	return false
+}
+
+// parseRule parses a rule string and creates a pattern, which is then stored in the Rules object.
+func (r *Rules) parseRule(rule string) error {
+	rule = strings.TrimSpace(rule)
+
+	// Ignore blank lines
+	if rule == "" {
+		return nil
+	}
+	// Comment
+	if strings.HasPrefix(rule, "#") {
+		return nil
+	}
+
+	// Fail any rules that contain **
+	if strings.Contains(rule, "**") {
+		return errors.New("double-star (**) syntax is not supported")
+	}
+
+	// Fail any patterns that can't compile. A non-empty string must be
+	// given to Match() to avoid optimization that skips rule evaluation.
+	if _, err := filepath.Match(rule, "abc"); err != nil {
+		return err
+	}
+
+	p := &pattern{raw: rule}
+
+	// Negation is handled at a higher level, so strip the leading ! from the
+	// string.
+	if strings.HasPrefix(rule, "!") {
+		p.negate = true
+		rule = rule[1:]
+	}
+
+	// Directory verification is handled by a higher level, so the trailing /
+	// is removed from the rule. That way, a directory named "foo" matches,
+	// even if the supplied string does not contain a literal slash character.
+	if strings.HasSuffix(rule, "/") {
+		p.mustDir = true
+		rule = strings.TrimSuffix(rule, "/")
+	}
+
+	if strings.HasPrefix(rule, "/") {
+		// Require path matches the root path.
+		p.match = func(n string, _ os.FileInfo) bool {
+			rule = strings.TrimPrefix(rule, "/")
+			ok, err := filepath.Match(rule, n)
+			if err != nil {
+				log.Printf("Failed to compile %q: %s", rule, err)
+				return false
+			}
+			return ok
+		}
+	} else if strings.Contains(rule, "/") {
+		// require structural match.
+		p.match = func(n string, _ os.FileInfo) bool {
+			ok, err := filepath.Match(rule, n)
+			if err != nil {
+				log.Printf("Failed to compile %q: %s", rule, err)
+				return false
+			}
+			return ok
+		}
+	} else {
+		p.match = func(n string, _ os.FileInfo) bool {
+			// When there is no slash in the pattern, we evaluate ONLY the
+			// filename.
+			n = filepath.Base(n)
+			ok, err := filepath.Match(rule, n)
+			if err != nil {
+				log.Printf("Failed to compile %q: %s", rule, err)
+				return false
+			}
+			return ok
+		}
+	}
+
+	r.patterns = append(r.patterns, p)
+	return nil
+}
+
+// matcher is a function capable of computing a match.
+//
+// It returns true if the rule matches.
+type matcher func(name string, fi os.FileInfo) bool
+
+// pattern describes a pattern to be matched in a rule set.
+type pattern struct {
+	// raw is the unparsed string, with nothing stripped.
+	raw string
+	// match is the matcher function.
+	match matcher
+	// negate indicates that the rule's outcome should be negated.
+	negate bool
+	// mustDir indicates that the matched file must be a directory.
+	mustDir bool
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/client.go b/vendor/helm.sh/helm/v3/pkg/kube/client.go
new file mode 100644
index 0000000000..6e71421199
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/client.go
@@ -0,0 +1,933 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube // import "helm.sh/helm/v3/pkg/kube"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"sync"
+	"time"
+
+	jsonpatch "github.com/evanphx/json-patch"
+	"github.com/pkg/errors"
+	batch "k8s.io/api/batch/v1"
+	v1 "k8s.io/api/core/v1"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiextv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+
+	multierror "github.com/hashicorp/go-multierror"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/jsonmergepatch"
+	"k8s.io/apimachinery/pkg/util/mergepatch"
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	cachetools "k8s.io/client-go/tools/cache"
+	watchtools "k8s.io/client-go/tools/watch"
+	"k8s.io/client-go/util/retry"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+)
+
+// ErrNoObjectsVisited indicates that during a visit operation, no matching objects were found.
+var ErrNoObjectsVisited = errors.New("no objects visited")
+
+var metadataAccessor = meta.NewAccessor()
+
+// ManagedFieldsManager is the name of the manager of Kubernetes managedFields
+// first introduced in Kubernetes 1.18
+var ManagedFieldsManager string
+
+// Client represents a client capable of communicating with the Kubernetes API.
+type Client struct {
+	// Factory provides a minimal version of the kubectl Factory interface. If
+	// you need the full Factory you can type switch to the full interface.
+	// Since Kubernetes Go API does not provide backwards compatibility across
+	// minor versions, this API does not follow Helm backwards compatibility.
+	// Helm is exposing Kubernetes in this property and cannot guarantee this
+	// will not change. The minimal interface only has the functions that Helm
+	// needs. The smaller surface area of the interface means there is a lower
+	// chance of it changing.
+	Factory Factory
+	Log     func(string, ...interface{})
+	// Namespace allows to bypass the kubeconfig file for the choice of the namespace
+	Namespace string
+
+	kubeClient kubernetes.Interface
+}
+
+func init() {
+	// Add CRDs to the scheme. They are missing by default.
+	if err := apiextv1.AddToScheme(scheme.Scheme); err != nil {
+		// This should never happen.
+		panic(err)
+	}
+	if err := apiextv1beta1.AddToScheme(scheme.Scheme); err != nil {
+		panic(err)
+	}
+}
+
+// New creates a new Client.
+func New(getter genericclioptions.RESTClientGetter) *Client {
+	if getter == nil {
+		getter = genericclioptions.NewConfigFlags(true)
+	}
+	return &Client{
+		Factory: cmdutil.NewFactory(getter),
+		Log:     nopLogger,
+	}
+}
+
+var nopLogger = func(_ string, _ ...interface{}) {}
+
+// getKubeClient get or create a new KubernetesClientSet
+func (c *Client) getKubeClient() (kubernetes.Interface, error) {
+	var err error
+	if c.kubeClient == nil {
+		c.kubeClient, err = c.Factory.KubernetesClientSet()
+	}
+
+	return c.kubeClient, err
+}
+
+// IsReachable tests connectivity to the cluster.
+func (c *Client) IsReachable() error {
+	client, err := c.getKubeClient()
+	if err == genericclioptions.ErrEmptyConfig {
+		// re-replace kubernetes ErrEmptyConfig error with a friendly error
+		// moar workarounds for Kubernetes API breaking.
+		return errors.New("Kubernetes cluster unreachable")
+	}
+	if err != nil {
+		return errors.Wrap(err, "Kubernetes cluster unreachable")
+	}
+	if _, err := client.Discovery().ServerVersion(); err != nil {
+		return errors.Wrap(err, "Kubernetes cluster unreachable")
+	}
+	return nil
+}
+
+// Create creates Kubernetes resources specified in the resource list.
+func (c *Client) Create(resources ResourceList) (*Result, error) {
+	c.Log("creating %d resource(s)", len(resources))
+	if err := perform(resources, createResource); err != nil {
+		return nil, err
+	}
+	return &Result{Created: resources}, nil
+}
+
+func transformRequests(req *rest.Request) {
+	tableParam := strings.Join([]string{
+		fmt.Sprintf("application/json;as=Table;v=%s;g=%s", metav1.SchemeGroupVersion.Version, metav1.GroupName),
+		fmt.Sprintf("application/json;as=Table;v=%s;g=%s", metav1beta1.SchemeGroupVersion.Version, metav1beta1.GroupName),
+		"application/json",
+	}, ",")
+	req.SetHeader("Accept", tableParam)
+
+	// if sorting, ensure we receive the full object in order to introspect its fields via jsonpath
+	req.Param("includeObject", "Object")
+}
+
+// Get retrieves the resource objects supplied. If related is set to true the
+// related pods are fetched as well. If the passed in resources are a table kind
+// the related resources will also be fetched as kind=table.
+func (c *Client) Get(resources ResourceList, related bool) (map[string][]runtime.Object, error) {
+	buf := new(bytes.Buffer)
+	objs := make(map[string][]runtime.Object)
+
+	podSelectors := []map[string]string{}
+	err := resources.Visit(func(info *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+
+		gvk := info.ResourceMapping().GroupVersionKind
+		vk := gvk.Version + "/" + gvk.Kind
+		obj, err := getResource(info)
+		if err != nil {
+			fmt.Fprintf(buf, "Get resource %s failed, err:%v\n", info.Name, err)
+		} else {
+			objs[vk] = append(objs[vk], obj)
+
+			// Only fetch related pods if they are requested
+			if related {
+				// Discover if the existing object is a table. If it is, request
+				// the pods as Tables. Otherwise request them normally.
+				objGVK := obj.GetObjectKind().GroupVersionKind()
+				var isTable bool
+				if objGVK.Kind == "Table" {
+					isTable = true
+				}
+
+				objs, err = c.getSelectRelationPod(info, objs, isTable, &podSelectors)
+				if err != nil {
+					c.Log("Warning: get the relation pod is failed, err:%s", err.Error())
+				}
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return objs, nil
+}
+
+func (c *Client) getSelectRelationPod(info *resource.Info, objs map[string][]runtime.Object, table bool, podSelectors *[]map[string]string) (map[string][]runtime.Object, error) {
+	if info == nil {
+		return objs, nil
+	}
+	c.Log("get relation pod of object: %s/%s/%s", info.Namespace, info.Mapping.GroupVersionKind.Kind, info.Name)
+	selector, ok, _ := getSelectorFromObject(info.Object)
+	if !ok {
+		return objs, nil
+	}
+
+	for index := range *podSelectors {
+		if reflect.DeepEqual((*podSelectors)[index], selector) {
+			// check if pods for selectors are already added. This avoids duplicate printing of pods
+			return objs, nil
+		}
+	}
+
+	*podSelectors = append(*podSelectors, selector)
+
+	var infos []*resource.Info
+	var err error
+	if table {
+		infos, err = c.Factory.NewBuilder().
+			Unstructured().
+			ContinueOnError().
+			NamespaceParam(info.Namespace).
+			DefaultNamespace().
+			ResourceTypes("pods").
+			LabelSelector(labels.Set(selector).AsSelector().String()).
+			TransformRequests(transformRequests).
+			Do().Infos()
+		if err != nil {
+			return objs, err
+		}
+	} else {
+		infos, err = c.Factory.NewBuilder().
+			Unstructured().
+			ContinueOnError().
+			NamespaceParam(info.Namespace).
+			DefaultNamespace().
+			ResourceTypes("pods").
+			LabelSelector(labels.Set(selector).AsSelector().String()).
+			Do().Infos()
+		if err != nil {
+			return objs, err
+		}
+	}
+	vk := "v1/Pod(related)"
+
+	for _, info := range infos {
+		objs[vk] = append(objs[vk], info.Object)
+	}
+	return objs, nil
+}
+
+func getSelectorFromObject(obj runtime.Object) (map[string]string, bool, error) {
+	typed := obj.(*unstructured.Unstructured)
+	kind := typed.Object["kind"]
+	switch kind {
+	case "ReplicaSet", "Deployment", "StatefulSet", "DaemonSet", "Job":
+		return unstructured.NestedStringMap(typed.Object, "spec", "selector", "matchLabels")
+	case "ReplicationController":
+		return unstructured.NestedStringMap(typed.Object, "spec", "selector")
+	default:
+		return nil, false, nil
+	}
+}
+
+func getResource(info *resource.Info) (runtime.Object, error) {
+	obj, err := resource.NewHelper(info.Client, info.Mapping).Get(info.Namespace, info.Name)
+	if err != nil {
+		return nil, err
+	}
+	return obj, nil
+}
+
+// Wait waits up to the given timeout for the specified resources to be ready.
+func (c *Client) Wait(resources ResourceList, timeout time.Duration) error {
+	cs, err := c.getKubeClient()
+	if err != nil {
+		return err
+	}
+	checker := NewReadyChecker(cs, c.Log, PausedAsReady(true))
+	w := waiter{
+		c:       checker,
+		log:     c.Log,
+		timeout: timeout,
+	}
+	return w.waitForResources(resources)
+}
+
+// WaitWithJobs wait up to the given timeout for the specified resources to be ready, including jobs.
+func (c *Client) WaitWithJobs(resources ResourceList, timeout time.Duration) error {
+	cs, err := c.getKubeClient()
+	if err != nil {
+		return err
+	}
+	checker := NewReadyChecker(cs, c.Log, PausedAsReady(true), CheckJobs(true))
+	w := waiter{
+		c:       checker,
+		log:     c.Log,
+		timeout: timeout,
+	}
+	return w.waitForResources(resources)
+}
+
+// WaitForDelete wait up to the given timeout for the specified resources to be deleted.
+func (c *Client) WaitForDelete(resources ResourceList, timeout time.Duration) error {
+	w := waiter{
+		log:     c.Log,
+		timeout: timeout,
+	}
+	return w.waitForDeletedResources(resources)
+}
+
+func (c *Client) namespace() string {
+	if c.Namespace != "" {
+		return c.Namespace
+	}
+	if ns, _, err := c.Factory.ToRawKubeConfigLoader().Namespace(); err == nil {
+		return ns
+	}
+	return v1.NamespaceDefault
+}
+
+// newBuilder returns a new resource builder for structured api objects.
+func (c *Client) newBuilder() *resource.Builder {
+	return c.Factory.NewBuilder().
+		ContinueOnError().
+		NamespaceParam(c.namespace()).
+		DefaultNamespace().
+		Flatten()
+}
+
+// Build validates for Kubernetes objects and returns unstructured infos.
+func (c *Client) Build(reader io.Reader, validate bool) (ResourceList, error) {
+	validationDirective := metav1.FieldValidationIgnore
+	if validate {
+		validationDirective = metav1.FieldValidationStrict
+	}
+
+	schema, err := c.Factory.Validator(validationDirective)
+	if err != nil {
+		return nil, err
+	}
+	result, err := c.newBuilder().
+		Unstructured().
+		Schema(schema).
+		Stream(reader, "").
+		Do().Infos()
+	return result, scrubValidationError(err)
+}
+
+// BuildTable validates for Kubernetes objects and returns unstructured infos.
+// The returned kind is a Table.
+func (c *Client) BuildTable(reader io.Reader, validate bool) (ResourceList, error) {
+	validationDirective := metav1.FieldValidationIgnore
+	if validate {
+		validationDirective = metav1.FieldValidationStrict
+	}
+
+	schema, err := c.Factory.Validator(validationDirective)
+	if err != nil {
+		return nil, err
+	}
+	result, err := c.newBuilder().
+		Unstructured().
+		Schema(schema).
+		Stream(reader, "").
+		TransformRequests(transformRequests).
+		Do().Infos()
+	return result, scrubValidationError(err)
+}
+
+func (c *Client) update(original, target ResourceList, force, threeWayMerge bool) (*Result, error) {
+	updateErrors := []string{}
+	res := &Result{}
+
+	c.Log("checking %d resources for changes", len(target))
+	err := target.Visit(func(info *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+
+		helper := resource.NewHelper(info.Client, info.Mapping).WithFieldManager(getManagedFieldsManager())
+		if _, err := helper.Get(info.Namespace, info.Name); err != nil {
+			if !apierrors.IsNotFound(err) {
+				return errors.Wrap(err, "could not get information about the resource")
+			}
+
+			// Append the created resource to the results, even if something fails
+			res.Created = append(res.Created, info)
+
+			// Since the resource does not exist, create it.
+			if err := createResource(info); err != nil {
+				return errors.Wrap(err, "failed to create resource")
+			}
+
+			kind := info.Mapping.GroupVersionKind.Kind
+			c.Log("Created a new %s called %q in %s\n", kind, info.Name, info.Namespace)
+			return nil
+		}
+
+		originalInfo := original.Get(info)
+		if originalInfo == nil {
+			kind := info.Mapping.GroupVersionKind.Kind
+			return errors.Errorf("no %s with the name %q found", kind, info.Name)
+		}
+
+		if err := updateResource(c, info, originalInfo.Object, force, threeWayMerge); err != nil {
+			c.Log("error updating the resource %q:\n\t %v", info.Name, err)
+			updateErrors = append(updateErrors, err.Error())
+		}
+		// Because we check for errors later, append the info regardless
+		res.Updated = append(res.Updated, info)
+
+		return nil
+	})
+
+	switch {
+	case err != nil:
+		return res, err
+	case len(updateErrors) != 0:
+		return res, errors.New(strings.Join(updateErrors, " && "))
+	}
+
+	for _, info := range original.Difference(target) {
+		c.Log("Deleting %s %q in namespace %s...", info.Mapping.GroupVersionKind.Kind, info.Name, info.Namespace)
+
+		if err := info.Get(); err != nil {
+			c.Log("Unable to get obj %q, err: %s", info.Name, err)
+			continue
+		}
+		annotations, err := metadataAccessor.Annotations(info.Object)
+		if err != nil {
+			c.Log("Unable to get annotations on %q, err: %s", info.Name, err)
+		}
+		if annotations != nil && annotations[ResourcePolicyAnno] == KeepPolicy {
+			c.Log("Skipping delete of %q due to annotation [%s=%s]", info.Name, ResourcePolicyAnno, KeepPolicy)
+			continue
+		}
+		if err := deleteResource(info, metav1.DeletePropagationBackground); err != nil {
+			c.Log("Failed to delete %q, err: %s", info.ObjectName(), err)
+			continue
+		}
+		res.Deleted = append(res.Deleted, info)
+	}
+	return res, nil
+}
+
+// Update takes the current list of objects and target list of objects and
+// creates resources that don't already exist, updates resources that have been
+// modified in the target configuration, and deletes resources from the current
+// configuration that are not present in the target configuration. If an error
+// occurs, a Result will still be returned with the error, containing all
+// resource updates, creations, and deletions that were attempted. These can be
+// used for cleanup or other logging purposes.
+//
+// The difference to Update is that UpdateThreeWayMerge does a three-way-merge
+// for unstructured objects.
+func (c *Client) UpdateThreeWayMerge(original, target ResourceList, force bool) (*Result, error) {
+	return c.update(original, target, force, true)
+}
+
+// Update takes the current list of objects and target list of objects and
+// creates resources that don't already exist, updates resources that have been
+// modified in the target configuration, and deletes resources from the current
+// configuration that are not present in the target configuration. If an error
+// occurs, a Result will still be returned with the error, containing all
+// resource updates, creations, and deletions that were attempted. These can be
+// used for cleanup or other logging purposes.
+func (c *Client) Update(original, target ResourceList, force bool) (*Result, error) {
+	return c.update(original, target, force, false)
+}
+
+// Delete deletes Kubernetes resources specified in the resources list with
+// background cascade deletion. It will attempt to delete all resources even
+// if one or more fail and collect any errors. All successfully deleted items
+// will be returned in the `Deleted` ResourceList that is part of the result.
+func (c *Client) Delete(resources ResourceList) (*Result, []error) {
+	return rdelete(c, resources, metav1.DeletePropagationBackground)
+}
+
+// Delete deletes Kubernetes resources specified in the resources list with
+// given deletion propagation policy. It will attempt to delete all resources even
+// if one or more fail and collect any errors. All successfully deleted items
+// will be returned in the `Deleted` ResourceList that is part of the result.
+func (c *Client) DeleteWithPropagationPolicy(resources ResourceList, policy metav1.DeletionPropagation) (*Result, []error) {
+	return rdelete(c, resources, policy)
+}
+
+func rdelete(c *Client, resources ResourceList, propagation metav1.DeletionPropagation) (*Result, []error) {
+	var errs []error
+	res := &Result{}
+	mtx := sync.Mutex{}
+	err := perform(resources, func(info *resource.Info) error {
+		c.Log("Starting delete for %q %s", info.Name, info.Mapping.GroupVersionKind.Kind)
+		err := deleteResource(info, propagation)
+		if err == nil || apierrors.IsNotFound(err) {
+			if err != nil {
+				c.Log("Ignoring delete failure for %q %s: %v", info.Name, info.Mapping.GroupVersionKind, err)
+			}
+			mtx.Lock()
+			defer mtx.Unlock()
+			res.Deleted = append(res.Deleted, info)
+			return nil
+		}
+		mtx.Lock()
+		defer mtx.Unlock()
+		// Collect the error and continue on
+		errs = append(errs, err)
+		return nil
+	})
+	if err != nil {
+		if errors.Is(err, ErrNoObjectsVisited) {
+			err = fmt.Errorf("object not found, skipping delete: %w", err)
+		}
+		errs = append(errs, err)
+	}
+	if errs != nil {
+		return nil, errs
+	}
+	return res, nil
+}
+
+func (c *Client) watchTimeout(t time.Duration) func(*resource.Info) error {
+	return func(info *resource.Info) error {
+		return c.watchUntilReady(t, info)
+	}
+}
+
+// WatchUntilReady watches the resources given and waits until it is ready.
+//
+// This method is mainly for hook implementations. It watches for a resource to
+// hit a particular milestone. The milestone depends on the Kind.
+//
+// For most kinds, it checks to see if the resource is marked as Added or Modified
+// by the Kubernetes event stream. For some kinds, it does more:
+//
+//   - Jobs: A job is marked "Ready" when it has successfully completed. This is
+//     ascertained by watching the Status fields in a job's output.
+//   - Pods: A pod is marked "Ready" when it has successfully completed. This is
+//     ascertained by watching the status.phase field in a pod's output.
+//
+// Handling for other kinds will be added as necessary.
+func (c *Client) WatchUntilReady(resources ResourceList, timeout time.Duration) error {
+	// For jobs, there's also the option to do poll c.Jobs(namespace).Get():
+	// https://github.com/adamreese/kubernetes/blob/master/test/e2e/job.go#L291-L300
+	return perform(resources, c.watchTimeout(timeout))
+}
+
+func perform(infos ResourceList, fn func(*resource.Info) error) error {
+	var result error
+
+	if len(infos) == 0 {
+		return ErrNoObjectsVisited
+	}
+
+	errs := make(chan error)
+	go batchPerform(infos, fn, errs)
+
+	for range infos {
+		err := <-errs
+		if err != nil {
+			result = multierror.Append(result, err)
+		}
+	}
+
+	return result
+}
+
+// getManagedFieldsManager returns the manager string. If one was set it will be returned.
+// Otherwise, one is calculated based on the name of the binary.
+func getManagedFieldsManager() string {
+
+	// When a manager is explicitly set use it
+	if ManagedFieldsManager != "" {
+		return ManagedFieldsManager
+	}
+
+	// When no manager is set and no calling application can be found it is unknown
+	if len(os.Args[0]) == 0 {
+		return "unknown"
+	}
+
+	// When there is an application that can be determined and no set manager
+	// use the base name. This is one of the ways Kubernetes libs handle figuring
+	// names out.
+	return filepath.Base(os.Args[0])
+}
+
+func batchPerform(infos ResourceList, fn func(*resource.Info) error, errs chan<- error) {
+	var kind string
+	var wg sync.WaitGroup
+	for _, info := range infos {
+		currentKind := info.Object.GetObjectKind().GroupVersionKind().Kind
+		if kind != currentKind {
+			wg.Wait()
+			kind = currentKind
+		}
+		wg.Add(1)
+		go func(i *resource.Info) {
+			errs <- fn(i)
+			wg.Done()
+		}(info)
+	}
+}
+
+func createResource(info *resource.Info) error {
+	return retry.RetryOnConflict(
+		retry.DefaultRetry,
+		func() error {
+			obj, err := resource.NewHelper(info.Client, info.Mapping).WithFieldManager(getManagedFieldsManager()).Create(info.Namespace, true, info.Object)
+			if err != nil {
+				return err
+			}
+			return info.Refresh(obj, true)
+		})
+}
+
+func deleteResource(info *resource.Info, policy metav1.DeletionPropagation) error {
+	return retry.RetryOnConflict(
+		retry.DefaultRetry,
+		func() error {
+			opts := &metav1.DeleteOptions{PropagationPolicy: &policy}
+			_, err := resource.NewHelper(info.Client, info.Mapping).WithFieldManager(getManagedFieldsManager()).DeleteWithOptions(info.Namespace, info.Name, opts)
+			return err
+		})
+}
+
+func createPatch(target *resource.Info, current runtime.Object, threeWayMergeForUnstructured bool) ([]byte, types.PatchType, error) {
+	oldData, err := json.Marshal(current)
+	if err != nil {
+		return nil, types.StrategicMergePatchType, errors.Wrap(err, "serializing current configuration")
+	}
+	newData, err := json.Marshal(target.Object)
+	if err != nil {
+		return nil, types.StrategicMergePatchType, errors.Wrap(err, "serializing target configuration")
+	}
+
+	// Fetch the current object for the three way merge
+	helper := resource.NewHelper(target.Client, target.Mapping).WithFieldManager(getManagedFieldsManager())
+	currentObj, err := helper.Get(target.Namespace, target.Name)
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, types.StrategicMergePatchType, errors.Wrapf(err, "unable to get data for current object %s/%s", target.Namespace, target.Name)
+	}
+
+	// Even if currentObj is nil (because it was not found), it will marshal just fine
+	currentData, err := json.Marshal(currentObj)
+	if err != nil {
+		return nil, types.StrategicMergePatchType, errors.Wrap(err, "serializing live configuration")
+	}
+
+	// Get a versioned object
+	versionedObject := AsVersioned(target)
+
+	// Unstructured objects, such as CRDs, may not have a not registered error
+	// returned from ConvertToVersion. Anything that's unstructured should
+	// use generic JSON merge patch. Strategic Merge Patch is not supported
+	// on objects like CRDs.
+	_, isUnstructured := versionedObject.(runtime.Unstructured)
+
+	// On newer K8s versions, CRDs aren't unstructured but has this dedicated type
+	_, isCRD := versionedObject.(*apiextv1beta1.CustomResourceDefinition)
+
+	if isUnstructured || isCRD {
+		if threeWayMergeForUnstructured {
+			// from https://github.com/kubernetes/kubectl/blob/b83b2ec7d15f286720bccf7872b5c72372cb8e80/pkg/cmd/apply/patcher.go#L129
+			preconditions := []mergepatch.PreconditionFunc{
+				mergepatch.RequireKeyUnchanged("apiVersion"),
+				mergepatch.RequireKeyUnchanged("kind"),
+				mergepatch.RequireMetadataKeyUnchanged("name"),
+			}
+			patch, err := jsonmergepatch.CreateThreeWayJSONMergePatch(oldData, newData, currentData, preconditions...)
+			if err != nil && mergepatch.IsPreconditionFailed(err) {
+				err = fmt.Errorf("%w: at least one field was changed: apiVersion, kind or name", err)
+			}
+			return patch, types.MergePatchType, err
+		}
+		// fall back to generic JSON merge patch
+		patch, err := jsonpatch.CreateMergePatch(oldData, newData)
+		return patch, types.MergePatchType, err
+	}
+
+	patchMeta, err := strategicpatch.NewPatchMetaFromStruct(versionedObject)
+	if err != nil {
+		return nil, types.StrategicMergePatchType, errors.Wrap(err, "unable to create patch metadata from object")
+	}
+
+	patch, err := strategicpatch.CreateThreeWayMergePatch(oldData, newData, currentData, patchMeta, true)
+	return patch, types.StrategicMergePatchType, err
+}
+
+func updateResource(c *Client, target *resource.Info, currentObj runtime.Object, force, threeWayMergeForUnstructured bool) error {
+	var (
+		obj    runtime.Object
+		helper = resource.NewHelper(target.Client, target.Mapping).WithFieldManager(getManagedFieldsManager())
+		kind   = target.Mapping.GroupVersionKind.Kind
+	)
+
+	// if --force is applied, attempt to replace the existing resource with the new object.
+	if force {
+		var err error
+		obj, err = helper.Replace(target.Namespace, target.Name, true, target.Object)
+		if err != nil {
+			return errors.Wrap(err, "failed to replace object")
+		}
+		c.Log("Replaced %q with kind %s for kind %s", target.Name, currentObj.GetObjectKind().GroupVersionKind().Kind, kind)
+	} else {
+		patch, patchType, err := createPatch(target, currentObj, threeWayMergeForUnstructured)
+		if err != nil {
+			return errors.Wrap(err, "failed to create patch")
+		}
+
+		if patch == nil || string(patch) == "{}" {
+			c.Log("Looks like there are no changes for %s %q", kind, target.Name)
+			// This needs to happen to make sure that Helm has the latest info from the API
+			// Otherwise there will be no labels and other functions that use labels will panic
+			if err := target.Get(); err != nil {
+				return errors.Wrap(err, "failed to refresh resource information")
+			}
+			return nil
+		}
+		// send patch to server
+		c.Log("Patch %s %q in namespace %s", kind, target.Name, target.Namespace)
+		obj, err = helper.Patch(target.Namespace, target.Name, patchType, patch, nil)
+		if err != nil {
+			return errors.Wrapf(err, "cannot patch %q with kind %s", target.Name, kind)
+		}
+	}
+
+	target.Refresh(obj, true)
+	return nil
+}
+
+func (c *Client) watchUntilReady(timeout time.Duration, info *resource.Info) error {
+	kind := info.Mapping.GroupVersionKind.Kind
+	switch kind {
+	case "Job", "Pod":
+	default:
+		return nil
+	}
+
+	c.Log("Watching for changes to %s %s with timeout of %v", kind, info.Name, timeout)
+
+	// Use a selector on the name of the resource. This should be unique for the
+	// given version and kind
+	selector, err := fields.ParseSelector(fmt.Sprintf("metadata.name=%s", info.Name))
+	if err != nil {
+		return err
+	}
+	lw := cachetools.NewListWatchFromClient(info.Client, info.Mapping.Resource.Resource, info.Namespace, selector)
+
+	// What we watch for depends on the Kind.
+	// - For a Job, we watch for completion.
+	// - For all else, we watch until Ready.
+	// In the future, we might want to add some special logic for types
+	// like Ingress, Volume, etc.
+
+	ctx, cancel := watchtools.ContextWithOptionalTimeout(context.Background(), timeout)
+	defer cancel()
+	_, err = watchtools.UntilWithSync(ctx, lw, &unstructured.Unstructured{}, nil, func(e watch.Event) (bool, error) {
+		// Make sure the incoming object is versioned as we use unstructured
+		// objects when we build manifests
+		obj := convertWithMapper(e.Object, info.Mapping)
+		switch e.Type {
+		case watch.Added, watch.Modified:
+			// For things like a secret or a config map, this is the best indicator
+			// we get. We care mostly about jobs, where what we want to see is
+			// the status go into a good state. For other types, like ReplicaSet
+			// we don't really do anything to support these as hooks.
+			c.Log("Add/Modify event for %s: %v", info.Name, e.Type)
+			switch kind {
+			case "Job":
+				return c.waitForJob(obj, info.Name)
+			case "Pod":
+				return c.waitForPodSuccess(obj, info.Name)
+			}
+			return true, nil
+		case watch.Deleted:
+			c.Log("Deleted event for %s", info.Name)
+			return true, nil
+		case watch.Error:
+			// Handle error and return with an error.
+			c.Log("Error event for %s", info.Name)
+			return true, errors.Errorf("failed to deploy %s", info.Name)
+		default:
+			return false, nil
+		}
+	})
+	return err
+}
+
+// waitForJob is a helper that waits for a job to complete.
+//
+// This operates on an event returned from a watcher.
+func (c *Client) waitForJob(obj runtime.Object, name string) (bool, error) {
+	o, ok := obj.(*batch.Job)
+	if !ok {
+		return true, errors.Errorf("expected %s to be a *batch.Job, got %T", name, obj)
+	}
+
+	for _, c := range o.Status.Conditions {
+		if c.Type == batch.JobComplete && c.Status == "True" {
+			return true, nil
+		} else if c.Type == batch.JobFailed && c.Status == "True" {
+			return true, errors.Errorf("job %s failed: %s", name, c.Reason)
+		}
+	}
+
+	c.Log("%s: Jobs active: %d, jobs failed: %d, jobs succeeded: %d", name, o.Status.Active, o.Status.Failed, o.Status.Succeeded)
+	return false, nil
+}
+
+// waitForPodSuccess is a helper that waits for a pod to complete.
+//
+// This operates on an event returned from a watcher.
+func (c *Client) waitForPodSuccess(obj runtime.Object, name string) (bool, error) {
+	o, ok := obj.(*v1.Pod)
+	if !ok {
+		return true, errors.Errorf("expected %s to be a *v1.Pod, got %T", name, obj)
+	}
+
+	switch o.Status.Phase {
+	case v1.PodSucceeded:
+		c.Log("Pod %s succeeded", o.Name)
+		return true, nil
+	case v1.PodFailed:
+		return true, errors.Errorf("pod %s failed", o.Name)
+	case v1.PodPending:
+		c.Log("Pod %s pending", o.Name)
+	case v1.PodRunning:
+		c.Log("Pod %s running", o.Name)
+	}
+
+	return false, nil
+}
+
+// GetPodList uses the kubernetes interface to get the list of pods filtered by listOptions
+func (c *Client) GetPodList(namespace string, listOptions metav1.ListOptions) (*v1.PodList, error) {
+	podList, err := c.kubeClient.CoreV1().Pods(namespace).List(context.Background(), listOptions)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get pod list with options: %+v with error: %v", listOptions, err)
+	}
+	return podList, nil
+}
+
+// OutputContainerLogsForPodList is a helper that outputs logs for a list of pods
+func (c *Client) OutputContainerLogsForPodList(podList *v1.PodList, namespace string, writerFunc func(namespace, pod, container string) io.Writer) error {
+	for _, pod := range podList.Items {
+		for _, container := range pod.Spec.Containers {
+			options := &v1.PodLogOptions{
+				Container: container.Name,
+			}
+			request := c.kubeClient.CoreV1().Pods(namespace).GetLogs(pod.Name, options)
+			err2 := copyRequestStreamToWriter(request, pod.Name, container.Name, writerFunc(namespace, pod.Name, container.Name))
+			if err2 != nil {
+				return err2
+			}
+		}
+	}
+	return nil
+}
+
+func copyRequestStreamToWriter(request *rest.Request, podName, containerName string, writer io.Writer) error {
+	readCloser, err := request.Stream(context.Background())
+	if err != nil {
+		return errors.Errorf("Failed to stream pod logs for pod: %s, container: %s", podName, containerName)
+	}
+	defer readCloser.Close()
+	_, err = io.Copy(writer, readCloser)
+	if err != nil {
+		return errors.Errorf("Failed to copy IO from logs for pod: %s, container: %s", podName, containerName)
+	}
+	if err != nil {
+		return errors.Errorf("Failed to close reader for pod: %s, container: %s", podName, containerName)
+	}
+	return nil
+}
+
+// scrubValidationError removes kubectl info from the message.
+func scrubValidationError(err error) error {
+	if err == nil {
+		return nil
+	}
+	const stopValidateMessage = "if you choose to ignore these errors, turn validation off with --validate=false"
+
+	if strings.Contains(err.Error(), stopValidateMessage) {
+		return errors.New(strings.ReplaceAll(err.Error(), "; "+stopValidateMessage, ""))
+	}
+	return err
+}
+
+// WaitAndGetCompletedPodPhase waits up to a timeout until a pod enters a completed phase
+// and returns said phase (PodSucceeded or PodFailed qualify).
+func (c *Client) WaitAndGetCompletedPodPhase(name string, timeout time.Duration) (v1.PodPhase, error) {
+	client, err := c.getKubeClient()
+	if err != nil {
+		return v1.PodUnknown, err
+	}
+	to := int64(timeout)
+	watcher, err := client.CoreV1().Pods(c.namespace()).Watch(context.Background(), metav1.ListOptions{
+		FieldSelector:  fmt.Sprintf("metadata.name=%s", name),
+		TimeoutSeconds: &to,
+	})
+	if err != nil {
+		return v1.PodUnknown, err
+	}
+
+	for event := range watcher.ResultChan() {
+		p, ok := event.Object.(*v1.Pod)
+		if !ok {
+			return v1.PodUnknown, fmt.Errorf("%s not a pod", name)
+		}
+		switch p.Status.Phase {
+		case v1.PodFailed:
+			return v1.PodFailed, nil
+		case v1.PodSucceeded:
+			return v1.PodSucceeded, nil
+		}
+	}
+
+	return v1.PodUnknown, err
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/config.go b/vendor/helm.sh/helm/v3/pkg/kube/config.go
new file mode 100644
index 0000000000..e00c9acb15
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/config.go
@@ -0,0 +1,30 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube // import "helm.sh/helm/v3/pkg/kube"
+
+import "k8s.io/cli-runtime/pkg/genericclioptions"
+
+// GetConfig returns a Kubernetes client config.
+//
+// Deprecated
+func GetConfig(kubeconfig, context, namespace string) *genericclioptions.ConfigFlags {
+	cf := genericclioptions.NewConfigFlags(true)
+	cf.Namespace = &namespace
+	cf.Context = &context
+	cf.KubeConfig = &kubeconfig
+	return cf
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/converter.go b/vendor/helm.sh/helm/v3/pkg/kube/converter.go
new file mode 100644
index 0000000000..3bf0e358c3
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/converter.go
@@ -0,0 +1,69 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube // import "helm.sh/helm/v3/pkg/kube"
+
+import (
+	"sync"
+
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/client-go/kubernetes/scheme"
+)
+
+var k8sNativeScheme *runtime.Scheme
+var k8sNativeSchemeOnce sync.Once
+
+// AsVersioned converts the given info into a runtime.Object with the correct
+// group and version set
+func AsVersioned(info *resource.Info) runtime.Object {
+	return convertWithMapper(info.Object, info.Mapping)
+}
+
+// convertWithMapper converts the given object with the optional provided
+// RESTMapping. If no mapping is provided, the default schema versioner is used
+func convertWithMapper(obj runtime.Object, mapping *meta.RESTMapping) runtime.Object {
+	s := kubernetesNativeScheme()
+	var gv = runtime.GroupVersioner(schema.GroupVersions(s.PrioritizedVersionsAllGroups()))
+	if mapping != nil {
+		gv = mapping.GroupVersionKind.GroupVersion()
+	}
+	if obj, err := runtime.ObjectConvertor(s).ConvertToVersion(obj, gv); err == nil {
+		return obj
+	}
+	return obj
+}
+
+// kubernetesNativeScheme returns a clean *runtime.Scheme with _only_ Kubernetes
+// native resources added to it. This is required to break free of custom resources
+// that may have been added to scheme.Scheme due to Helm being used as a package in
+// combination with e.g. a versioned kube client. If we would not do this, the client
+// may attempt to perform e.g. a 3-way-merge strategy patch for custom resources.
+func kubernetesNativeScheme() *runtime.Scheme {
+	k8sNativeSchemeOnce.Do(func() {
+		k8sNativeScheme = runtime.NewScheme()
+		scheme.AddToScheme(k8sNativeScheme)
+		// API extensions are not in the above scheme set,
+		// and must thus be added separately.
+		apiextensionsv1beta1.AddToScheme(k8sNativeScheme)
+		apiextensionsv1.AddToScheme(k8sNativeScheme)
+	})
+	return k8sNativeScheme
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/factory.go b/vendor/helm.sh/helm/v3/pkg/kube/factory.go
new file mode 100644
index 0000000000..f19d62dc3c
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/factory.go
@@ -0,0 +1,51 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube // import "helm.sh/helm/v3/pkg/kube"
+
+import (
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/kubectl/pkg/validation"
+)
+
+// Factory provides abstractions that allow the Kubectl command to be extended across multiple types
+// of resources and different API sets.
+// This interface is a minimal copy of the kubectl Factory interface containing only the functions
+// needed by Helm. Since Kubernetes Go APIs, including interfaces, can change in any minor release
+// this interface is not covered by the Helm backwards compatibility guarantee. The reasons for the
+// minimal copy is that it does not include the full interface. Changes or additions to functions
+// Helm does not need are not impacted or exposed. This minimizes the impact of Kubernetes changes
+// being exposed.
+type Factory interface {
+	// ToRawKubeConfigLoader return kubeconfig loader as-is
+	ToRawKubeConfigLoader() clientcmd.ClientConfig
+
+	// DynamicClient returns a dynamic client ready for use
+	DynamicClient() (dynamic.Interface, error)
+
+	// KubernetesClientSet gives you back an external clientset
+	KubernetesClientSet() (*kubernetes.Clientset, error)
+
+	// NewBuilder returns an object that assists in loading objects from both disk and the server
+	// and which implements the common patterns for CLI interactions with generic resources.
+	NewBuilder() *resource.Builder
+
+	// Returns a schema that can validate objects stored on disk.
+	Validator(validationDirective string) (validation.Schema, error)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/fake/fake.go b/vendor/helm.sh/helm/v3/pkg/kube/fake/fake.go
new file mode 100644
index 0000000000..852a3e015d
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/fake/fake.go
@@ -0,0 +1,172 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package fake implements various fake KubeClients for use in testing
+package fake
+
+import (
+	"io"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/resource"
+
+	"helm.sh/helm/v3/pkg/kube"
+)
+
+// FailingKubeClient implements KubeClient for testing purposes. It also has
+// additional errors you can set to fail different functions, otherwise it
+// delegates all its calls to `PrintingKubeClient`
+type FailingKubeClient struct {
+	PrintingKubeClient
+	CreateError                      error
+	GetError                         error
+	WaitError                        error
+	DeleteError                      error
+	DeleteWithPropagationError       error
+	WatchUntilReadyError             error
+	UpdateError                      error
+	BuildError                       error
+	BuildTableError                  error
+	BuildDummy                       bool
+	DummyResources                   kube.ResourceList
+	BuildUnstructuredError           error
+	WaitAndGetCompletedPodPhaseError error
+	WaitDuration                     time.Duration
+}
+
+// Create returns the configured error if set or prints
+func (f *FailingKubeClient) Create(resources kube.ResourceList) (*kube.Result, error) {
+	if f.CreateError != nil {
+		return nil, f.CreateError
+	}
+	return f.PrintingKubeClient.Create(resources)
+}
+
+// Get returns the configured error if set or prints
+func (f *FailingKubeClient) Get(resources kube.ResourceList, related bool) (map[string][]runtime.Object, error) {
+	if f.GetError != nil {
+		return nil, f.GetError
+	}
+	return f.PrintingKubeClient.Get(resources, related)
+}
+
+// Waits the amount of time defined on f.WaitDuration, then returns the configured error if set or prints.
+func (f *FailingKubeClient) Wait(resources kube.ResourceList, d time.Duration) error {
+	time.Sleep(f.WaitDuration)
+	if f.WaitError != nil {
+		return f.WaitError
+	}
+	return f.PrintingKubeClient.Wait(resources, d)
+}
+
+// WaitWithJobs returns the configured error if set or prints
+func (f *FailingKubeClient) WaitWithJobs(resources kube.ResourceList, d time.Duration) error {
+	if f.WaitError != nil {
+		return f.WaitError
+	}
+	return f.PrintingKubeClient.WaitWithJobs(resources, d)
+}
+
+// WaitForDelete returns the configured error if set or prints
+func (f *FailingKubeClient) WaitForDelete(resources kube.ResourceList, d time.Duration) error {
+	if f.WaitError != nil {
+		return f.WaitError
+	}
+	return f.PrintingKubeClient.WaitForDelete(resources, d)
+}
+
+// Delete returns the configured error if set or prints
+func (f *FailingKubeClient) Delete(resources kube.ResourceList) (*kube.Result, []error) {
+	if f.DeleteError != nil {
+		return nil, []error{f.DeleteError}
+	}
+	return f.PrintingKubeClient.Delete(resources)
+}
+
+// WatchUntilReady returns the configured error if set or prints
+func (f *FailingKubeClient) WatchUntilReady(resources kube.ResourceList, d time.Duration) error {
+	if f.WatchUntilReadyError != nil {
+		return f.WatchUntilReadyError
+	}
+	return f.PrintingKubeClient.WatchUntilReady(resources, d)
+}
+
+// Update returns the configured error if set or prints
+func (f *FailingKubeClient) Update(r, modified kube.ResourceList, ignoreMe bool) (*kube.Result, error) {
+	if f.UpdateError != nil {
+		return &kube.Result{}, f.UpdateError
+	}
+	return f.PrintingKubeClient.Update(r, modified, ignoreMe)
+}
+
+// Update returns the configured error if set or prints
+func (f *FailingKubeClient) UpdateThreeWayMerge(r, modified kube.ResourceList, ignoreMe bool) (*kube.Result, error) {
+	if f.UpdateError != nil {
+		return &kube.Result{}, f.UpdateError
+	}
+	return f.PrintingKubeClient.Update(r, modified, ignoreMe)
+}
+
+// Build returns the configured error if set or prints
+func (f *FailingKubeClient) Build(r io.Reader, _ bool) (kube.ResourceList, error) {
+	if f.BuildError != nil {
+		return []*resource.Info{}, f.BuildError
+	}
+	if f.DummyResources != nil {
+		return f.DummyResources, nil
+	}
+	if f.BuildDummy {
+		return createDummyResourceList(), nil
+	}
+	return f.PrintingKubeClient.Build(r, false)
+}
+
+// BuildTable returns the configured error if set or prints
+func (f *FailingKubeClient) BuildTable(r io.Reader, _ bool) (kube.ResourceList, error) {
+	if f.BuildTableError != nil {
+		return []*resource.Info{}, f.BuildTableError
+	}
+	return f.PrintingKubeClient.BuildTable(r, false)
+}
+
+// WaitAndGetCompletedPodPhase returns the configured error if set or prints
+func (f *FailingKubeClient) WaitAndGetCompletedPodPhase(s string, d time.Duration) (v1.PodPhase, error) {
+	if f.WaitAndGetCompletedPodPhaseError != nil {
+		return v1.PodSucceeded, f.WaitAndGetCompletedPodPhaseError
+	}
+	return f.PrintingKubeClient.WaitAndGetCompletedPodPhase(s, d)
+}
+
+// DeleteWithPropagationPolicy returns the configured error if set or prints
+func (f *FailingKubeClient) DeleteWithPropagationPolicy(resources kube.ResourceList, policy metav1.DeletionPropagation) (*kube.Result, []error) {
+	if f.DeleteWithPropagationError != nil {
+		return nil, []error{f.DeleteWithPropagationError}
+	}
+	return f.PrintingKubeClient.DeleteWithPropagationPolicy(resources, policy)
+}
+
+func createDummyResourceList() kube.ResourceList {
+	var resInfo resource.Info
+	resInfo.Name = "dummyName"
+	resInfo.Namespace = "dummyNamespace"
+	var resourceList kube.ResourceList
+	resourceList.Append(&resInfo)
+	return resourceList
+
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/fake/printer.go b/vendor/helm.sh/helm/v3/pkg/kube/fake/printer.go
new file mode 100644
index 0000000000..95c89e0fd5
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/fake/printer.go
@@ -0,0 +1,149 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fake
+
+import (
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/resource"
+
+	"helm.sh/helm/v3/pkg/kube"
+)
+
+// PrintingKubeClient implements KubeClient, but simply prints the reader to
+// the given output.
+type PrintingKubeClient struct {
+	Out       io.Writer
+	LogOutput io.Writer
+}
+
+// IsReachable checks if the cluster is reachable
+func (p *PrintingKubeClient) IsReachable() error {
+	return nil
+}
+
+// Create prints the values of what would be created with a real KubeClient.
+func (p *PrintingKubeClient) Create(resources kube.ResourceList) (*kube.Result, error) {
+	_, err := io.Copy(p.Out, bufferize(resources))
+	if err != nil {
+		return nil, err
+	}
+	return &kube.Result{Created: resources}, nil
+}
+
+func (p *PrintingKubeClient) Get(resources kube.ResourceList, _ bool) (map[string][]runtime.Object, error) {
+	_, err := io.Copy(p.Out, bufferize(resources))
+	if err != nil {
+		return nil, err
+	}
+	return make(map[string][]runtime.Object), nil
+}
+
+func (p *PrintingKubeClient) Wait(resources kube.ResourceList, _ time.Duration) error {
+	_, err := io.Copy(p.Out, bufferize(resources))
+	return err
+}
+
+func (p *PrintingKubeClient) WaitWithJobs(resources kube.ResourceList, _ time.Duration) error {
+	_, err := io.Copy(p.Out, bufferize(resources))
+	return err
+}
+
+func (p *PrintingKubeClient) WaitForDelete(resources kube.ResourceList, _ time.Duration) error {
+	_, err := io.Copy(p.Out, bufferize(resources))
+	return err
+}
+
+// Delete implements KubeClient delete.
+//
+// It only prints out the content to be deleted.
+func (p *PrintingKubeClient) Delete(resources kube.ResourceList) (*kube.Result, []error) {
+	_, err := io.Copy(p.Out, bufferize(resources))
+	if err != nil {
+		return nil, []error{err}
+	}
+	return &kube.Result{Deleted: resources}, nil
+}
+
+// WatchUntilReady implements KubeClient WatchUntilReady.
+func (p *PrintingKubeClient) WatchUntilReady(resources kube.ResourceList, _ time.Duration) error {
+	_, err := io.Copy(p.Out, bufferize(resources))
+	return err
+}
+
+// Update implements KubeClient Update.
+func (p *PrintingKubeClient) Update(_, modified kube.ResourceList, _ bool) (*kube.Result, error) {
+	_, err := io.Copy(p.Out, bufferize(modified))
+	if err != nil {
+		return nil, err
+	}
+	// TODO: This doesn't completely mock out have some that get created,
+	// updated, and deleted. I don't think these are used in any unit tests, but
+	// we may want to refactor a way to handle future tests
+	return &kube.Result{Updated: modified}, nil
+}
+
+// Build implements KubeClient Build.
+func (p *PrintingKubeClient) Build(_ io.Reader, _ bool) (kube.ResourceList, error) {
+	return []*resource.Info{}, nil
+}
+
+// BuildTable implements KubeClient BuildTable.
+func (p *PrintingKubeClient) BuildTable(_ io.Reader, _ bool) (kube.ResourceList, error) {
+	return []*resource.Info{}, nil
+}
+
+// WaitAndGetCompletedPodPhase implements KubeClient WaitAndGetCompletedPodPhase.
+func (p *PrintingKubeClient) WaitAndGetCompletedPodPhase(_ string, _ time.Duration) (v1.PodPhase, error) {
+	return v1.PodSucceeded, nil
+}
+
+// GetPodList implements KubeClient GetPodList.
+func (p *PrintingKubeClient) GetPodList(_ string, _ metav1.ListOptions) (*v1.PodList, error) {
+	return &v1.PodList{}, nil
+}
+
+// OutputContainerLogsForPodList implements KubeClient OutputContainerLogsForPodList.
+func (p *PrintingKubeClient) OutputContainerLogsForPodList(_ *v1.PodList, someNamespace string, _ func(namespace, pod, container string) io.Writer) error {
+	_, err := io.Copy(p.LogOutput, strings.NewReader(fmt.Sprintf("attempted to output logs for namespace: %s", someNamespace)))
+	return err
+}
+
+// DeleteWithPropagationPolicy implements KubeClient delete.
+//
+// It only prints out the content to be deleted.
+func (p *PrintingKubeClient) DeleteWithPropagationPolicy(resources kube.ResourceList, _ metav1.DeletionPropagation) (*kube.Result, []error) {
+	_, err := io.Copy(p.Out, bufferize(resources))
+	if err != nil {
+		return nil, []error{err}
+	}
+	return &kube.Result{Deleted: resources}, nil
+}
+
+func bufferize(resources kube.ResourceList) io.Reader {
+	var builder strings.Builder
+	for _, info := range resources {
+		builder.WriteString(info.String() + "\n")
+	}
+	return strings.NewReader(builder.String())
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/interface.go b/vendor/helm.sh/helm/v3/pkg/kube/interface.go
new file mode 100644
index 0000000000..db7591f650
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/interface.go
@@ -0,0 +1,136 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube
+
+import (
+	"io"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// Interface represents a client capable of communicating with the Kubernetes API.
+//
+// A KubernetesClient must be concurrency safe.
+type Interface interface {
+	// Create creates one or more resources.
+	Create(resources ResourceList) (*Result, error)
+
+	// Wait waits up to the given timeout for the specified resources to be ready.
+	Wait(resources ResourceList, timeout time.Duration) error
+
+	// WaitWithJobs wait up to the given timeout for the specified resources to be ready, including jobs.
+	WaitWithJobs(resources ResourceList, timeout time.Duration) error
+
+	// Delete destroys one or more resources.
+	Delete(resources ResourceList) (*Result, []error)
+
+	// WatchUntilReady watches the resources given and waits until it is ready.
+	//
+	// This method is mainly for hook implementations. It watches for a resource to
+	// hit a particular milestone. The milestone depends on the Kind.
+	//
+	// For Jobs, "ready" means the Job ran to completion (exited without error).
+	// For Pods, "ready" means the Pod phase is marked "succeeded".
+	// For all other kinds, it means the kind was created or modified without
+	// error.
+	WatchUntilReady(resources ResourceList, timeout time.Duration) error
+
+	// Update updates one or more resources or creates the resource
+	// if it doesn't exist.
+	Update(original, target ResourceList, force bool) (*Result, error)
+
+	// Build creates a resource list from a Reader.
+	//
+	// Reader must contain a YAML stream (one or more YAML documents separated
+	// by "\n---\n")
+	//
+	// Validates against OpenAPI schema if validate is true.
+	Build(reader io.Reader, validate bool) (ResourceList, error)
+
+	// WaitAndGetCompletedPodPhase waits up to a timeout until a pod enters a completed phase
+	// and returns said phase (PodSucceeded or PodFailed qualify).
+	WaitAndGetCompletedPodPhase(name string, timeout time.Duration) (v1.PodPhase, error)
+
+	// IsReachable checks whether the client is able to connect to the cluster.
+	IsReachable() error
+}
+
+// InterfaceExt was introduced to avoid breaking backwards compatibility for Interface implementers.
+//
+// TODO Helm 4: Remove InterfaceExt and integrate its method(s) into the Interface.
+type InterfaceExt interface {
+	// WaitForDelete wait up to the given timeout for the specified resources to be deleted.
+	WaitForDelete(resources ResourceList, timeout time.Duration) error
+}
+
+// InterfaceThreeWayMerge was introduced to avoid breaking backwards compatibility for Interface implementers.
+//
+// TODO Helm 4: Remove InterfaceThreeWayMerge and integrate its method(s) into the Interface.
+type InterfaceThreeWayMerge interface {
+	UpdateThreeWayMerge(original, target ResourceList, force bool) (*Result, error)
+}
+
+// InterfaceLogs was introduced to avoid breaking backwards compatibility for Interface implementers.
+//
+// TODO Helm 4: Remove InterfaceLogs and integrate its method(s) into the Interface.
+type InterfaceLogs interface {
+	// GetPodList list all pods that match the specified listOptions
+	GetPodList(namespace string, listOptions metav1.ListOptions) (*v1.PodList, error)
+
+	// OutputContainerLogsForPodList output the logs for a pod list
+	OutputContainerLogsForPodList(podList *v1.PodList, namespace string, writerFunc func(namespace, pod, container string) io.Writer) error
+}
+
+// InterfaceDeletionPropagation is introduced to avoid breaking backwards compatibility for Interface implementers.
+//
+// TODO Helm 4: Remove InterfaceDeletionPropagation and integrate its method(s) into the Interface.
+type InterfaceDeletionPropagation interface {
+	// DeleteWithPropagationPolicy destroys one or more resources. The deletion propagation is handled as per the given deletion propagation value.
+	DeleteWithPropagationPolicy(resources ResourceList, policy metav1.DeletionPropagation) (*Result, []error)
+}
+
+// InterfaceResources is introduced to avoid breaking backwards compatibility for Interface implementers.
+//
+// TODO Helm 4: Remove InterfaceResources and integrate its method(s) into the Interface.
+type InterfaceResources interface {
+	// Get details of deployed resources.
+	// The first argument is a list of resources to get. The second argument
+	// specifies if related pods should be fetched. For example, the pods being
+	// managed by a deployment.
+	Get(resources ResourceList, related bool) (map[string][]runtime.Object, error)
+
+	// BuildTable creates a resource list from a Reader. This differs from
+	// Interface.Build() in that a table kind is returned. A table is useful
+	// if you want to use a printer to display the information.
+	//
+	// Reader must contain a YAML stream (one or more YAML documents separated
+	// by "\n---\n")
+	//
+	// Validates against OpenAPI schema if validate is true.
+	// TODO Helm 4: Integrate into Build with an argument
+	BuildTable(reader io.Reader, validate bool) (ResourceList, error)
+}
+
+var _ Interface = (*Client)(nil)
+var _ InterfaceExt = (*Client)(nil)
+var _ InterfaceThreeWayMerge = (*Client)(nil)
+var _ InterfaceLogs = (*Client)(nil)
+var _ InterfaceDeletionPropagation = (*Client)(nil)
+var _ InterfaceResources = (*Client)(nil)
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/ready.go b/vendor/helm.sh/helm/v3/pkg/kube/ready.go
new file mode 100644
index 0000000000..55c4a39bf1
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/ready.go
@@ -0,0 +1,463 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube // import "helm.sh/helm/v3/pkg/kube"
+
+import (
+	"context"
+	"fmt"
+
+	appsv1 "k8s.io/api/apps/v1"
+	appsv1beta1 "k8s.io/api/apps/v1beta1"
+	appsv1beta2 "k8s.io/api/apps/v1beta2"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiextv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+
+	deploymentutil "helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util"
+)
+
+// ReadyCheckerOption is a function that configures a ReadyChecker.
+type ReadyCheckerOption func(*ReadyChecker)
+
+// PausedAsReady returns a ReadyCheckerOption that configures a ReadyChecker
+// to consider paused resources to be ready. For example a Deployment
+// with spec.paused equal to true would be considered ready.
+func PausedAsReady(pausedAsReady bool) ReadyCheckerOption {
+	return func(c *ReadyChecker) {
+		c.pausedAsReady = pausedAsReady
+	}
+}
+
+// CheckJobs returns a ReadyCheckerOption that configures a ReadyChecker
+// to consider readiness of Job resources.
+func CheckJobs(checkJobs bool) ReadyCheckerOption {
+	return func(c *ReadyChecker) {
+		c.checkJobs = checkJobs
+	}
+}
+
+// NewReadyChecker creates a new checker. Passed ReadyCheckerOptions can
+// be used to override defaults.
+func NewReadyChecker(cl kubernetes.Interface, log func(string, ...interface{}), opts ...ReadyCheckerOption) ReadyChecker {
+	c := ReadyChecker{
+		client: cl,
+		log:    log,
+	}
+	if c.log == nil {
+		c.log = nopLogger
+	}
+	for _, opt := range opts {
+		opt(&c)
+	}
+	return c
+}
+
+// ReadyChecker is a type that can check core Kubernetes types for readiness.
+type ReadyChecker struct {
+	client        kubernetes.Interface
+	log           func(string, ...interface{})
+	checkJobs     bool
+	pausedAsReady bool
+}
+
+// IsReady checks if v is ready. It supports checking readiness for pods,
+// deployments, persistent volume claims, services, daemon sets, custom
+// resource definitions, stateful sets, replication controllers, jobs (optional),
+// and replica sets. All other resource kinds are always considered ready.
+//
+// IsReady will fetch the latest state of the object from the server prior to
+// performing readiness checks, and it will return any error encountered.
+func (c *ReadyChecker) IsReady(ctx context.Context, v *resource.Info) (bool, error) {
+	switch value := AsVersioned(v).(type) {
+	case *corev1.Pod:
+		pod, err := c.client.CoreV1().Pods(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+		if err != nil || !c.isPodReady(pod) {
+			return false, err
+		}
+	case *batchv1.Job:
+		if c.checkJobs {
+			job, err := c.client.BatchV1().Jobs(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+			if err != nil {
+				return false, err
+			}
+			ready, err := c.jobReady(job)
+			return ready, err
+		}
+	case *appsv1.Deployment, *appsv1beta1.Deployment, *appsv1beta2.Deployment, *extensionsv1beta1.Deployment:
+		currentDeployment, err := c.client.AppsV1().Deployments(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		// If paused deployment will never be ready
+		if currentDeployment.Spec.Paused {
+			return c.pausedAsReady, nil
+		}
+		// Find RS associated with deployment
+		newReplicaSet, err := deploymentutil.GetNewReplicaSet(currentDeployment, c.client.AppsV1())
+		if err != nil || newReplicaSet == nil {
+			return false, err
+		}
+		if !c.deploymentReady(newReplicaSet, currentDeployment) {
+			return false, nil
+		}
+	case *corev1.PersistentVolumeClaim:
+		claim, err := c.client.CoreV1().PersistentVolumeClaims(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		if !c.volumeReady(claim) {
+			return false, nil
+		}
+	case *corev1.Service:
+		svc, err := c.client.CoreV1().Services(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		if !c.serviceReady(svc) {
+			return false, nil
+		}
+	case *extensionsv1beta1.DaemonSet, *appsv1.DaemonSet, *appsv1beta2.DaemonSet:
+		ds, err := c.client.AppsV1().DaemonSets(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		if !c.daemonSetReady(ds) {
+			return false, nil
+		}
+	case *apiextv1beta1.CustomResourceDefinition:
+		if err := v.Get(); err != nil {
+			return false, err
+		}
+		crd := &apiextv1beta1.CustomResourceDefinition{}
+		if err := scheme.Scheme.Convert(v.Object, crd, nil); err != nil {
+			return false, err
+		}
+		if !c.crdBetaReady(*crd) {
+			return false, nil
+		}
+	case *apiextv1.CustomResourceDefinition:
+		if err := v.Get(); err != nil {
+			return false, err
+		}
+		crd := &apiextv1.CustomResourceDefinition{}
+		if err := scheme.Scheme.Convert(v.Object, crd, nil); err != nil {
+			return false, err
+		}
+		if !c.crdReady(*crd) {
+			return false, nil
+		}
+	case *appsv1.StatefulSet, *appsv1beta1.StatefulSet, *appsv1beta2.StatefulSet:
+		sts, err := c.client.AppsV1().StatefulSets(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		if !c.statefulSetReady(sts) {
+			return false, nil
+		}
+	case *corev1.ReplicationController:
+		rc, err := c.client.CoreV1().ReplicationControllers(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		if !c.replicationControllerReady(rc) {
+			return false, nil
+		}
+		ready, err := c.podsReadyForObject(ctx, v.Namespace, value)
+		if !ready || err != nil {
+			return false, err
+		}
+	case *extensionsv1beta1.ReplicaSet, *appsv1beta2.ReplicaSet, *appsv1.ReplicaSet:
+		rs, err := c.client.AppsV1().ReplicaSets(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		if !c.replicaSetReady(rs) {
+			return false, nil
+		}
+		ready, err := c.podsReadyForObject(ctx, v.Namespace, value)
+		if !ready || err != nil {
+			return false, err
+		}
+	}
+	return true, nil
+}
+
+func (c *ReadyChecker) podsReadyForObject(ctx context.Context, namespace string, obj runtime.Object) (bool, error) {
+	pods, err := c.podsforObject(ctx, namespace, obj)
+	if err != nil {
+		return false, err
+	}
+	for _, pod := range pods {
+		if !c.isPodReady(&pod) {
+			return false, nil
+		}
+	}
+	return true, nil
+}
+
+func (c *ReadyChecker) podsforObject(ctx context.Context, namespace string, obj runtime.Object) ([]corev1.Pod, error) {
+	selector, err := SelectorsForObject(obj)
+	if err != nil {
+		return nil, err
+	}
+	list, err := getPods(ctx, c.client, namespace, selector.String())
+	return list, err
+}
+
+// isPodReady returns true if a pod is ready; false otherwise.
+func (c *ReadyChecker) isPodReady(pod *corev1.Pod) bool {
+	for _, c := range pod.Status.Conditions {
+		if c.Type == corev1.PodReady && c.Status == corev1.ConditionTrue {
+			return true
+		}
+	}
+	c.log("Pod is not ready: %s/%s", pod.GetNamespace(), pod.GetName())
+	return false
+}
+
+func (c *ReadyChecker) jobReady(job *batchv1.Job) (bool, error) {
+	if job.Status.Failed > *job.Spec.BackoffLimit {
+		c.log("Job is failed: %s/%s", job.GetNamespace(), job.GetName())
+		// If a job is failed, it can't recover, so throw an error
+		return false, fmt.Errorf("job is failed: %s/%s", job.GetNamespace(), job.GetName())
+	}
+	if job.Spec.Completions != nil && job.Status.Succeeded < *job.Spec.Completions {
+		c.log("Job is not completed: %s/%s", job.GetNamespace(), job.GetName())
+		return false, nil
+	}
+	return true, nil
+}
+
+func (c *ReadyChecker) serviceReady(s *corev1.Service) bool {
+	// ExternalName Services are external to cluster so helm shouldn't be checking to see if they're 'ready' (i.e. have an IP Set)
+	if s.Spec.Type == corev1.ServiceTypeExternalName {
+		return true
+	}
+
+	// Ensure that the service cluster IP is not empty
+	if s.Spec.ClusterIP == "" {
+		c.log("Service does not have cluster IP address: %s/%s", s.GetNamespace(), s.GetName())
+		return false
+	}
+
+	// This checks if the service has a LoadBalancer and that balancer has an Ingress defined
+	if s.Spec.Type == corev1.ServiceTypeLoadBalancer {
+		// do not wait when at least 1 external IP is set
+		if len(s.Spec.ExternalIPs) > 0 {
+			c.log("Service %s/%s has external IP addresses (%v), marking as ready", s.GetNamespace(), s.GetName(), s.Spec.ExternalIPs)
+			return true
+		}
+
+		if s.Status.LoadBalancer.Ingress == nil {
+			c.log("Service does not have load balancer ingress IP address: %s/%s", s.GetNamespace(), s.GetName())
+			return false
+		}
+	}
+
+	return true
+}
+
+func (c *ReadyChecker) volumeReady(v *corev1.PersistentVolumeClaim) bool {
+	if v.Status.Phase != corev1.ClaimBound {
+		c.log("PersistentVolumeClaim is not bound: %s/%s", v.GetNamespace(), v.GetName())
+		return false
+	}
+	return true
+}
+
+func (c *ReadyChecker) deploymentReady(rs *appsv1.ReplicaSet, dep *appsv1.Deployment) bool {
+	// Verify the replicaset readiness
+	if !c.replicaSetReady(rs) {
+		return false
+	}
+	// Verify the generation observed by the deployment controller matches the spec generation
+	if dep.Status.ObservedGeneration != dep.ObjectMeta.Generation {
+		c.log("Deployment is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", dep.Namespace, dep.Name, dep.Status.ObservedGeneration, dep.ObjectMeta.Generation)
+		return false
+	}
+
+	expectedReady := *dep.Spec.Replicas - deploymentutil.MaxUnavailable(*dep)
+	if !(rs.Status.ReadyReplicas >= expectedReady) {
+		c.log("Deployment is not ready: %s/%s. %d out of %d expected pods are ready", dep.Namespace, dep.Name, rs.Status.ReadyReplicas, expectedReady)
+		return false
+	}
+	return true
+}
+
+func (c *ReadyChecker) daemonSetReady(ds *appsv1.DaemonSet) bool {
+	// Verify the generation observed by the daemonSet controller matches the spec generation
+	if ds.Status.ObservedGeneration != ds.ObjectMeta.Generation {
+		c.log("DaemonSet is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", ds.Namespace, ds.Name, ds.Status.ObservedGeneration, ds.ObjectMeta.Generation)
+		return false
+	}
+
+	// If the update strategy is not a rolling update, there will be nothing to wait for
+	if ds.Spec.UpdateStrategy.Type != appsv1.RollingUpdateDaemonSetStrategyType {
+		return true
+	}
+
+	// Make sure all the updated pods have been scheduled
+	if ds.Status.UpdatedNumberScheduled != ds.Status.DesiredNumberScheduled {
+		c.log("DaemonSet is not ready: %s/%s. %d out of %d expected pods have been scheduled", ds.Namespace, ds.Name, ds.Status.UpdatedNumberScheduled, ds.Status.DesiredNumberScheduled)
+		return false
+	}
+	maxUnavailable, err := intstr.GetScaledValueFromIntOrPercent(ds.Spec.UpdateStrategy.RollingUpdate.MaxUnavailable, int(ds.Status.DesiredNumberScheduled), true)
+	if err != nil {
+		// If for some reason the value is invalid, set max unavailable to the
+		// number of desired replicas. This is the same behavior as the
+		// `MaxUnavailable` function in deploymentutil
+		maxUnavailable = int(ds.Status.DesiredNumberScheduled)
+	}
+
+	expectedReady := int(ds.Status.DesiredNumberScheduled) - maxUnavailable
+	if !(int(ds.Status.NumberReady) >= expectedReady) {
+		c.log("DaemonSet is not ready: %s/%s. %d out of %d expected pods are ready", ds.Namespace, ds.Name, ds.Status.NumberReady, expectedReady)
+		return false
+	}
+	return true
+}
+
+// Because the v1 extensions API is not available on all supported k8s versions
+// yet and because Go doesn't support generics, we need to have a duplicate
+// function to support the v1beta1 types
+func (c *ReadyChecker) crdBetaReady(crd apiextv1beta1.CustomResourceDefinition) bool {
+	for _, cond := range crd.Status.Conditions {
+		switch cond.Type {
+		case apiextv1beta1.Established:
+			if cond.Status == apiextv1beta1.ConditionTrue {
+				return true
+			}
+		case apiextv1beta1.NamesAccepted:
+			if cond.Status == apiextv1beta1.ConditionFalse {
+				// This indicates a naming conflict, but it's probably not the
+				// job of this function to fail because of that. Instead,
+				// we treat it as a success, since the process should be able to
+				// continue.
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (c *ReadyChecker) crdReady(crd apiextv1.CustomResourceDefinition) bool {
+	for _, cond := range crd.Status.Conditions {
+		switch cond.Type {
+		case apiextv1.Established:
+			if cond.Status == apiextv1.ConditionTrue {
+				return true
+			}
+		case apiextv1.NamesAccepted:
+			if cond.Status == apiextv1.ConditionFalse {
+				// This indicates a naming conflict, but it's probably not the
+				// job of this function to fail because of that. Instead,
+				// we treat it as a success, since the process should be able to
+				// continue.
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (c *ReadyChecker) statefulSetReady(sts *appsv1.StatefulSet) bool {
+	// Verify the generation observed by the statefulSet controller matches the spec generation
+	if sts.Status.ObservedGeneration != sts.ObjectMeta.Generation {
+		c.log("StatefulSet is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", sts.Namespace, sts.Name, sts.Status.ObservedGeneration, sts.ObjectMeta.Generation)
+		return false
+	}
+
+	// If the update strategy is not a rolling update, there will be nothing to wait for
+	if sts.Spec.UpdateStrategy.Type != appsv1.RollingUpdateStatefulSetStrategyType {
+		c.log("StatefulSet skipped ready check: %s/%s. updateStrategy is %v", sts.Namespace, sts.Name, sts.Spec.UpdateStrategy.Type)
+		return true
+	}
+
+	// Dereference all the pointers because StatefulSets like them
+	var partition int
+	// 1 is the default for replicas if not set
+	replicas := 1
+	// For some reason, even if the update strategy is a rolling update, the
+	// actual rollingUpdate field can be nil. If it is, we can safely assume
+	// there is no partition value
+	if sts.Spec.UpdateStrategy.RollingUpdate != nil && sts.Spec.UpdateStrategy.RollingUpdate.Partition != nil {
+		partition = int(*sts.Spec.UpdateStrategy.RollingUpdate.Partition)
+	}
+	if sts.Spec.Replicas != nil {
+		replicas = int(*sts.Spec.Replicas)
+	}
+
+	// Because an update strategy can use partitioning, we need to calculate the
+	// number of updated replicas we should have. For example, if the replicas
+	// is set to 3 and the partition is 2, we'd expect only one pod to be
+	// updated
+	expectedReplicas := replicas - partition
+
+	// Make sure all the updated pods have been scheduled
+	if int(sts.Status.UpdatedReplicas) < expectedReplicas {
+		c.log("StatefulSet is not ready: %s/%s. %d out of %d expected pods have been scheduled", sts.Namespace, sts.Name, sts.Status.UpdatedReplicas, expectedReplicas)
+		return false
+	}
+
+	if int(sts.Status.ReadyReplicas) != replicas {
+		c.log("StatefulSet is not ready: %s/%s. %d out of %d expected pods are ready", sts.Namespace, sts.Name, sts.Status.ReadyReplicas, replicas)
+		return false
+	}
+	// This check only makes sense when all partitions are being upgraded otherwise during a
+	// partitioned rolling upgrade, this condition will never evaluate to true, leading to
+	// error.
+	if partition == 0 && sts.Status.CurrentRevision != sts.Status.UpdateRevision {
+		c.log("StatefulSet is not ready: %s/%s. currentRevision %s does not yet match updateRevision %s", sts.Namespace, sts.Name, sts.Status.CurrentRevision, sts.Status.UpdateRevision)
+		return false
+	}
+
+	c.log("StatefulSet is ready: %s/%s. %d out of %d expected pods are ready", sts.Namespace, sts.Name, sts.Status.ReadyReplicas, replicas)
+	return true
+}
+
+func (c *ReadyChecker) replicationControllerReady(rc *corev1.ReplicationController) bool {
+	// Verify the generation observed by the replicationController controller matches the spec generation
+	if rc.Status.ObservedGeneration != rc.ObjectMeta.Generation {
+		c.log("ReplicationController is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", rc.Namespace, rc.Name, rc.Status.ObservedGeneration, rc.ObjectMeta.Generation)
+		return false
+	}
+	return true
+}
+
+func (c *ReadyChecker) replicaSetReady(rs *appsv1.ReplicaSet) bool {
+	// Verify the generation observed by the replicaSet controller matches the spec generation
+	if rs.Status.ObservedGeneration != rs.ObjectMeta.Generation {
+		c.log("ReplicaSet is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", rs.Namespace, rs.Name, rs.Status.ObservedGeneration, rs.ObjectMeta.Generation)
+		return false
+	}
+	return true
+}
+
+func getPods(ctx context.Context, client kubernetes.Interface, namespace, selector string) ([]corev1.Pod, error) {
+	list, err := client.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{
+		LabelSelector: selector,
+	})
+	return list.Items, err
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/resource.go b/vendor/helm.sh/helm/v3/pkg/kube/resource.go
new file mode 100644
index 0000000000..db8e9178e7
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/resource.go
@@ -0,0 +1,85 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube // import "helm.sh/helm/v3/pkg/kube"
+
+import "k8s.io/cli-runtime/pkg/resource"
+
+// ResourceList provides convenience methods for comparing collections of Infos.
+type ResourceList []*resource.Info
+
+// Append adds an Info to the Result.
+func (r *ResourceList) Append(val *resource.Info) {
+	*r = append(*r, val)
+}
+
+// Visit implements resource.Visitor. The visitor stops if fn returns an error.
+func (r ResourceList) Visit(fn resource.VisitorFunc) error {
+	for _, i := range r {
+		if err := fn(i, nil); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Filter returns a new Result with Infos that satisfy the predicate fn.
+func (r ResourceList) Filter(fn func(*resource.Info) bool) ResourceList {
+	var result ResourceList
+	for _, i := range r {
+		if fn(i) {
+			result.Append(i)
+		}
+	}
+	return result
+}
+
+// Get returns the Info from the result that matches the name and kind.
+func (r ResourceList) Get(info *resource.Info) *resource.Info {
+	for _, i := range r {
+		if isMatchingInfo(i, info) {
+			return i
+		}
+	}
+	return nil
+}
+
+// Contains checks to see if an object exists.
+func (r ResourceList) Contains(info *resource.Info) bool {
+	for _, i := range r {
+		if isMatchingInfo(i, info) {
+			return true
+		}
+	}
+	return false
+}
+
+// Difference will return a new Result with objects not contained in rs.
+func (r ResourceList) Difference(rs ResourceList) ResourceList {
+	return r.Filter(func(info *resource.Info) bool {
+		return !rs.Contains(info)
+	})
+}
+
+// Intersect will return a new Result with objects contained in both Results.
+func (r ResourceList) Intersect(rs ResourceList) ResourceList {
+	return r.Filter(rs.Contains)
+}
+
+// isMatchingInfo returns true if infos match on Name and GroupVersionKind.
+func isMatchingInfo(a, b *resource.Info) bool {
+	return a.Name == b.Name && a.Namespace == b.Namespace && a.Mapping.GroupVersionKind.Kind == b.Mapping.GroupVersionKind.Kind && a.Mapping.GroupVersionKind.Group == b.Mapping.GroupVersionKind.Group
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/resource_policy.go b/vendor/helm.sh/helm/v3/pkg/kube/resource_policy.go
new file mode 100644
index 0000000000..46b8680dd2
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/resource_policy.go
@@ -0,0 +1,27 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube // import "helm.sh/helm/v3/pkg/kube"
+
+// ResourcePolicyAnno is the annotation name for a resource policy
+const ResourcePolicyAnno = "helm.sh/resource-policy"
+
+// KeepPolicy is the resource policy type for keep
+//
+// This resource policy type allows resources to skip being deleted
+//
+//	during an uninstallRelease action.
+const KeepPolicy = "keep"
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/result.go b/vendor/helm.sh/helm/v3/pkg/kube/result.go
new file mode 100644
index 0000000000..c3e171c2e4
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/result.go
@@ -0,0 +1,28 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube
+
+// Result contains the information of created, updated, and deleted resources
+// for various kube API calls along with helper methods for using those
+// resources
+type Result struct {
+	Created ResourceList
+	Updated ResourceList
+	Deleted ResourceList
+}
+
+// If needed, we can add methods to the Result type for things like diffing
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/roundtripper.go b/vendor/helm.sh/helm/v3/pkg/kube/roundtripper.go
new file mode 100644
index 0000000000..fdb1035291
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/roundtripper.go
@@ -0,0 +1,80 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+	"strings"
+)
+
+type RetryingRoundTripper struct {
+	Wrapped http.RoundTripper
+}
+
+func (rt *RetryingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return rt.roundTrip(req, 1, nil)
+}
+
+func (rt *RetryingRoundTripper) roundTrip(req *http.Request, retry int, prevResp *http.Response) (*http.Response, error) {
+	if retry < 0 {
+		return prevResp, nil
+	}
+	resp, rtErr := rt.Wrapped.RoundTrip(req)
+	if rtErr != nil {
+		return resp, rtErr
+	}
+	if resp.StatusCode < 500 {
+		return resp, rtErr
+	}
+	if resp.Header.Get("content-type") != "application/json" {
+		return resp, rtErr
+	}
+	b, err := io.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		return resp, rtErr
+	}
+
+	var ke kubernetesError
+	r := bytes.NewReader(b)
+	err = json.NewDecoder(r).Decode(&ke)
+	r.Seek(0, io.SeekStart)
+	resp.Body = io.NopCloser(r)
+	if err != nil {
+		return resp, rtErr
+	}
+	if ke.Code < 500 {
+		return resp, rtErr
+	}
+	// Matches messages like "etcdserver: leader changed"
+	if strings.HasSuffix(ke.Message, "etcdserver: leader changed") {
+		return rt.roundTrip(req, retry-1, resp)
+	}
+	// Matches messages like "rpc error: code = Unknown desc = raft proposal dropped"
+	if strings.HasSuffix(ke.Message, "raft proposal dropped") {
+		return rt.roundTrip(req, retry-1, resp)
+	}
+	return resp, rtErr
+}
+
+type kubernetesError struct {
+	Message string `json:"message"`
+	Code    int    `json:"code"`
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/kube/wait.go b/vendor/helm.sh/helm/v3/pkg/kube/wait.go
new file mode 100644
index 0000000000..c602004ad4
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/kube/wait.go
@@ -0,0 +1,176 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kube // import "helm.sh/helm/v3/pkg/kube"
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/pkg/errors"
+	appsv1 "k8s.io/api/apps/v1"
+	appsv1beta1 "k8s.io/api/apps/v1beta1"
+	appsv1beta2 "k8s.io/api/apps/v1beta2"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/resource"
+
+	"k8s.io/apimachinery/pkg/util/wait"
+)
+
+type waiter struct {
+	c       ReadyChecker
+	timeout time.Duration
+	log     func(string, ...interface{})
+}
+
+// waitForResources polls to get the current status of all pods, PVCs, Services and
+// Jobs(optional) until all are ready or a timeout is reached
+func (w *waiter) waitForResources(created ResourceList) error {
+	w.log("beginning wait for %d resources with timeout of %v", len(created), w.timeout)
+
+	startTime := time.Now()
+	ctx, cancel := context.WithTimeout(context.Background(), w.timeout)
+	defer cancel()
+
+	numberOfErrors := make([]int, len(created))
+	for i := range numberOfErrors {
+		numberOfErrors[i] = 0
+	}
+
+	err := wait.PollUntilContextCancel(ctx, 2*time.Second, true, func(ctx context.Context) (bool, error) {
+		waitRetries := 30
+		for i, v := range created {
+			ready, err := w.c.IsReady(ctx, v)
+
+			if waitRetries > 0 && w.isRetryableError(err, v) {
+				numberOfErrors[i]++
+				if numberOfErrors[i] > waitRetries {
+					w.log("Max number of retries reached")
+					return false, err
+				}
+				w.log("Retrying as current number of retries %d less than max number of retries %d", numberOfErrors[i]-1, waitRetries)
+				return false, nil
+			}
+			numberOfErrors[i] = 0
+			if !ready {
+				return false, err
+			}
+		}
+		return true, nil
+	})
+
+	elapsed := time.Since(startTime).Round(time.Second)
+	if err != nil {
+		w.log("wait for resources failed after %v: %v", elapsed, err)
+	} else {
+		w.log("wait for resources succeeded within %v", elapsed)
+	}
+
+	return err
+}
+
+func (w *waiter) isRetryableError(err error, resource *resource.Info) bool {
+	if err == nil {
+		return false
+	}
+	w.log("Error received when checking status of resource %s. Error: '%s', Resource details: '%s'", resource.Name, err, resource)
+	if ev, ok := err.(*apierrors.StatusError); ok {
+		statusCode := ev.Status().Code
+		retryable := w.isRetryableHTTPStatusCode(statusCode)
+		w.log("Status code received: %d. Retryable error? %t", statusCode, retryable)
+		return retryable
+	}
+	w.log("Retryable error? %t", true)
+	return true
+}
+
+func (w *waiter) isRetryableHTTPStatusCode(httpStatusCode int32) bool {
+	return httpStatusCode == 0 || httpStatusCode == http.StatusTooManyRequests || (httpStatusCode >= 500 && httpStatusCode != http.StatusNotImplemented)
+}
+
+// waitForDeletedResources polls to check if all the resources are deleted or a timeout is reached
+func (w *waiter) waitForDeletedResources(deleted ResourceList) error {
+	w.log("beginning wait for %d resources to be deleted with timeout of %v", len(deleted), w.timeout)
+
+	ctx, cancel := context.WithTimeout(context.Background(), w.timeout)
+	defer cancel()
+
+	return wait.PollUntilContextCancel(ctx, 2*time.Second, true, func(_ context.Context) (bool, error) {
+		for _, v := range deleted {
+			err := v.Get()
+			if err == nil || !apierrors.IsNotFound(err) {
+				return false, err
+			}
+		}
+		return true, nil
+	})
+}
+
+// SelectorsForObject returns the pod label selector for a given object
+//
+// Modified version of https://github.com/kubernetes/kubernetes/blob/v1.14.1/pkg/kubectl/polymorphichelpers/helpers.go#L84
+func SelectorsForObject(object runtime.Object) (selector labels.Selector, err error) {
+	switch t := object.(type) {
+	case *extensionsv1beta1.ReplicaSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1.ReplicaSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1beta2.ReplicaSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *corev1.ReplicationController:
+		selector = labels.SelectorFromSet(t.Spec.Selector)
+	case *appsv1.StatefulSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1beta1.StatefulSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1beta2.StatefulSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *extensionsv1beta1.DaemonSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1.DaemonSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1beta2.DaemonSet:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *extensionsv1beta1.Deployment:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1.Deployment:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1beta1.Deployment:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *appsv1beta2.Deployment:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *batchv1.Job:
+		selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector)
+	case *corev1.Service:
+		if len(t.Spec.Selector) == 0 {
+			return nil, fmt.Errorf("invalid service '%s': Service is defined without a selector", t.Name)
+		}
+		selector = labels.SelectorFromSet(t.Spec.Selector)
+
+	default:
+		return nil, fmt.Errorf("selector for %T not implemented", object)
+	}
+
+	return selector, errors.Wrap(err, "invalid label selector")
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/lint.go b/vendor/helm.sh/helm/v3/pkg/lint/lint.go
new file mode 100644
index 0000000000..ef23ee7c89
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/lint/lint.go
@@ -0,0 +1,48 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lint // import "helm.sh/helm/v3/pkg/lint"
+
+import (
+	"path/filepath"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/lint/rules"
+	"helm.sh/helm/v3/pkg/lint/support"
+)
+
+// All runs all the available linters on the given base directory.
+func All(basedir string, values map[string]interface{}, namespace string, _ bool) support.Linter {
+	return AllWithKubeVersion(basedir, values, namespace, nil)
+}
+
+// AllWithKubeVersion runs all the available linters on the given base directory, allowing to specify the kubernetes version.
+func AllWithKubeVersion(basedir string, values map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion) support.Linter {
+	return AllWithKubeVersionAndSchemaValidation(basedir, values, namespace, kubeVersion, false)
+}
+
+// AllWithKubeVersionAndSchemaValidation runs all the available linters on the given base directory, allowing to specify the kubernetes version and if schema validation is enabled or not.
+func AllWithKubeVersionAndSchemaValidation(basedir string, values map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion, skipSchemaValidation bool) support.Linter {
+	// Using abs path to get directory context
+	chartDir, _ := filepath.Abs(basedir)
+
+	linter := support.Linter{ChartDir: chartDir}
+	rules.Chartfile(&linter)
+	rules.ValuesWithOverrides(&linter, values)
+	rules.TemplatesWithSkipSchemaValidation(&linter, values, namespace, kubeVersion, skipSchemaValidation)
+	rules.Dependencies(&linter)
+	return linter
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
new file mode 100644
index 0000000000..555ec71baf
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
@@ -0,0 +1,216 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules // import "helm.sh/helm/v3/pkg/lint/rules"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/asaskevich/govalidator"
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/lint/support"
+)
+
+// Chartfile runs a set of linter rules related to Chart.yaml file
+func Chartfile(linter *support.Linter) {
+	chartFileName := "Chart.yaml"
+	chartPath := filepath.Join(linter.ChartDir, chartFileName)
+
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartYamlNotDirectory(chartPath))
+
+	chartFile, err := chartutil.LoadChartfile(chartPath)
+	validChartFile := linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartYamlFormat(err))
+
+	// Guard clause. Following linter rules require a parsable ChartFile
+	if !validChartFile {
+		return
+	}
+
+	// type check for Chart.yaml . ignoring error as any parse
+	// errors would already be caught in the above load function
+	chartFileForTypeCheck, _ := loadChartFileForTypeCheck(chartPath)
+
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartName(chartFile))
+
+	// Chart metadata
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartAPIVersion(chartFile))
+
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartVersionType(chartFileForTypeCheck))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartVersion(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartAppVersionType(chartFileForTypeCheck))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartMaintainer(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartSources(chartFile))
+	linter.RunLinterRule(support.InfoSev, chartFileName, validateChartIconPresence(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartIconURL(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartType(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartDependencies(chartFile))
+}
+
+func validateChartVersionType(data map[string]interface{}) error {
+	return isStringValue(data, "version")
+}
+
+func validateChartAppVersionType(data map[string]interface{}) error {
+	return isStringValue(data, "appVersion")
+}
+
+func isStringValue(data map[string]interface{}, key string) error {
+	value, ok := data[key]
+	if !ok {
+		return nil
+	}
+	valueType := fmt.Sprintf("%T", value)
+	if valueType != "string" {
+		return errors.Errorf("%s should be of type string but it's of type %s", key, valueType)
+	}
+	return nil
+}
+
+func validateChartYamlNotDirectory(chartPath string) error {
+	fi, err := os.Stat(chartPath)
+
+	if err == nil && fi.IsDir() {
+		return errors.New("should be a file, not a directory")
+	}
+	return nil
+}
+
+func validateChartYamlFormat(chartFileError error) error {
+	if chartFileError != nil {
+		return errors.Errorf("unable to parse YAML\n\t%s", chartFileError.Error())
+	}
+	return nil
+}
+
+func validateChartName(cf *chart.Metadata) error {
+	if cf.Name == "" {
+		return errors.New("name is required")
+	}
+	name := filepath.Base(cf.Name)
+	if name != cf.Name {
+		return fmt.Errorf("chart name %q is invalid", cf.Name)
+	}
+	return nil
+}
+
+func validateChartAPIVersion(cf *chart.Metadata) error {
+	if cf.APIVersion == "" {
+		return errors.New("apiVersion is required. The value must be either \"v1\" or \"v2\"")
+	}
+
+	if cf.APIVersion != chart.APIVersionV1 && cf.APIVersion != chart.APIVersionV2 {
+		return fmt.Errorf("apiVersion '%s' is not valid. The value must be either \"v1\" or \"v2\"", cf.APIVersion)
+	}
+
+	return nil
+}
+
+func validateChartVersion(cf *chart.Metadata) error {
+	if cf.Version == "" {
+		return errors.New("version is required")
+	}
+
+	version, err := semver.NewVersion(cf.Version)
+
+	if err != nil {
+		return errors.Errorf("version '%s' is not a valid SemVer", cf.Version)
+	}
+
+	c, err := semver.NewConstraint(">0.0.0-0")
+	if err != nil {
+		return err
+	}
+	valid, msg := c.Validate(version)
+
+	if !valid && len(msg) > 0 {
+		return errors.Errorf("version %v", msg[0])
+	}
+
+	return nil
+}
+
+func validateChartMaintainer(cf *chart.Metadata) error {
+	for _, maintainer := range cf.Maintainers {
+		if maintainer == nil {
+			return errors.New("a maintainer entry is empty")
+		}
+		if maintainer.Name == "" {
+			return errors.New("each maintainer requires a name")
+		} else if maintainer.Email != "" && !govalidator.IsEmail(maintainer.Email) {
+			return errors.Errorf("invalid email '%s' for maintainer '%s'", maintainer.Email, maintainer.Name)
+		} else if maintainer.URL != "" && !govalidator.IsURL(maintainer.URL) {
+			return errors.Errorf("invalid url '%s' for maintainer '%s'", maintainer.URL, maintainer.Name)
+		}
+	}
+	return nil
+}
+
+func validateChartSources(cf *chart.Metadata) error {
+	for _, source := range cf.Sources {
+		if source == "" || !govalidator.IsRequestURL(source) {
+			return errors.Errorf("invalid source URL '%s'", source)
+		}
+	}
+	return nil
+}
+
+func validateChartIconPresence(cf *chart.Metadata) error {
+	if cf.Icon == "" {
+		return errors.New("icon is recommended")
+	}
+	return nil
+}
+
+func validateChartIconURL(cf *chart.Metadata) error {
+	if cf.Icon != "" && !govalidator.IsRequestURL(cf.Icon) {
+		return errors.Errorf("invalid icon URL '%s'", cf.Icon)
+	}
+	return nil
+}
+
+func validateChartDependencies(cf *chart.Metadata) error {
+	if len(cf.Dependencies) > 0 && cf.APIVersion != chart.APIVersionV2 {
+		return fmt.Errorf("dependencies are not valid in the Chart file with apiVersion '%s'. They are valid in apiVersion '%s'", cf.APIVersion, chart.APIVersionV2)
+	}
+	return nil
+}
+
+func validateChartType(cf *chart.Metadata) error {
+	if len(cf.Type) > 0 && cf.APIVersion != chart.APIVersionV2 {
+		return fmt.Errorf("chart type is not valid in apiVersion '%s'. It is valid in apiVersion '%s'", cf.APIVersion, chart.APIVersionV2)
+	}
+	return nil
+}
+
+// loadChartFileForTypeCheck loads the Chart.yaml
+// in a generic form of a map[string]interface{}, so that the type
+// of the values can be checked
+func loadChartFileForTypeCheck(filename string) (map[string]interface{}, error) {
+	b, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	y := make(map[string]interface{})
+	err = yaml.Unmarshal(b, &y)
+	return y, err
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/dependencies.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/dependencies.go
new file mode 100644
index 0000000000..f1ab1dcadc
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/dependencies.go
@@ -0,0 +1,103 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules // import "helm.sh/helm/v3/pkg/lint/rules"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/lint/support"
+)
+
+// Dependencies runs lints against a chart's dependencies
+//
+// See https://github.com/helm/helm/issues/7910
+func Dependencies(linter *support.Linter) {
+	c, err := loader.LoadDir(linter.ChartDir)
+	if !linter.RunLinterRule(support.ErrorSev, "", validateChartFormat(err)) {
+		return
+	}
+
+	linter.RunLinterRule(support.ErrorSev, linter.ChartDir, validateDependencyInMetadata(c))
+	linter.RunLinterRule(support.ErrorSev, linter.ChartDir, validateDependenciesUnique(c))
+	linter.RunLinterRule(support.WarningSev, linter.ChartDir, validateDependencyInChartsDir(c))
+}
+
+func validateChartFormat(chartError error) error {
+	if chartError != nil {
+		return errors.Errorf("unable to load chart\n\t%s", chartError)
+	}
+	return nil
+}
+
+func validateDependencyInChartsDir(c *chart.Chart) (err error) {
+	dependencies := map[string]struct{}{}
+	missing := []string{}
+	for _, dep := range c.Dependencies() {
+		dependencies[dep.Metadata.Name] = struct{}{}
+	}
+	for _, dep := range c.Metadata.Dependencies {
+		if _, ok := dependencies[dep.Name]; !ok {
+			missing = append(missing, dep.Name)
+		}
+	}
+	if len(missing) > 0 {
+		err = fmt.Errorf("chart directory is missing these dependencies: %s", strings.Join(missing, ","))
+	}
+	return err
+}
+
+func validateDependencyInMetadata(c *chart.Chart) (err error) {
+	dependencies := map[string]struct{}{}
+	missing := []string{}
+	for _, dep := range c.Metadata.Dependencies {
+		dependencies[dep.Name] = struct{}{}
+	}
+	for _, dep := range c.Dependencies() {
+		if _, ok := dependencies[dep.Metadata.Name]; !ok {
+			missing = append(missing, dep.Metadata.Name)
+		}
+	}
+	if len(missing) > 0 {
+		err = fmt.Errorf("chart metadata is missing these dependencies: %s", strings.Join(missing, ","))
+	}
+	return err
+}
+
+func validateDependenciesUnique(c *chart.Chart) (err error) {
+	dependencies := map[string]*chart.Dependency{}
+	shadowing := []string{}
+
+	for _, dep := range c.Metadata.Dependencies {
+		key := dep.Name
+		if dep.Alias != "" {
+			key = dep.Alias
+		}
+		if dependencies[key] != nil {
+			shadowing = append(shadowing, key)
+		}
+		dependencies[key] = dep
+	}
+	if len(shadowing) > 0 {
+		err = fmt.Errorf("multiple dependencies with name or alias: %s", strings.Join(shadowing, ","))
+	}
+	return err
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/deprecations.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/deprecations.go
new file mode 100644
index 0000000000..90e7748a42
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/deprecations.go
@@ -0,0 +1,106 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules // import "helm.sh/helm/v3/pkg/lint/rules"
+
+import (
+	"fmt"
+	"strconv"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/endpoints/deprecation"
+	kscheme "k8s.io/client-go/kubernetes/scheme"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+)
+
+var (
+	// This should be set in the Makefile based on the version of client-go being imported.
+	// These constants will be overwritten with LDFLAGS. The version components must be
+	// strings in order for LDFLAGS to set them.
+	k8sVersionMajor = "1"
+	k8sVersionMinor = "20"
+)
+
+// deprecatedAPIError indicates than an API is deprecated in Kubernetes
+type deprecatedAPIError struct {
+	Deprecated string
+	Message    string
+}
+
+func (e deprecatedAPIError) Error() string {
+	msg := e.Message
+	return msg
+}
+
+func validateNoDeprecations(resource *K8sYamlStruct, kubeVersion *chartutil.KubeVersion) error {
+	// if `resource` does not have an APIVersion or Kind, we cannot test it for deprecation
+	if resource.APIVersion == "" {
+		return nil
+	}
+	if resource.Kind == "" {
+		return nil
+	}
+
+	majorVersion := k8sVersionMajor
+	minorVersion := k8sVersionMinor
+
+	if kubeVersion != nil {
+		majorVersion = kubeVersion.Major
+		minorVersion = kubeVersion.Minor
+	}
+
+	runtimeObject, err := resourceToRuntimeObject(resource)
+	if err != nil {
+		// do not error for non-kubernetes resources
+		if runtime.IsNotRegisteredError(err) {
+			return nil
+		}
+		return err
+	}
+
+	maj, err := strconv.Atoi(majorVersion)
+	if err != nil {
+		return err
+	}
+	min, err := strconv.Atoi(minorVersion)
+	if err != nil {
+		return err
+	}
+
+	if !deprecation.IsDeprecated(runtimeObject, maj, min) {
+		return nil
+	}
+	gvk := fmt.Sprintf("%s %s", resource.APIVersion, resource.Kind)
+	return deprecatedAPIError{
+		Deprecated: gvk,
+		Message:    deprecation.WarningMessage(runtimeObject),
+	}
+}
+
+func resourceToRuntimeObject(resource *K8sYamlStruct) (runtime.Object, error) {
+	scheme := runtime.NewScheme()
+	kscheme.AddToScheme(scheme)
+
+	gvk := schema.FromAPIVersionAndKind(resource.APIVersion, resource.Kind)
+	out, err := scheme.New(gvk)
+	if err != nil {
+		return nil, err
+	}
+	out.GetObjectKind().SetGroupVersionKind(gvk)
+	return out, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/template.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/template.go
new file mode 100644
index 0000000000..41d1a1bab2
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/template.go
@@ -0,0 +1,356 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/pkg/errors"
+	"k8s.io/apimachinery/pkg/api/validation"
+	apipath "k8s.io/apimachinery/pkg/api/validation/path"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apimachinery/pkg/util/yaml"
+
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/engine"
+	"helm.sh/helm/v3/pkg/lint/support"
+)
+
+var (
+	crdHookSearch     = regexp.MustCompile(`"?helm\.sh/hook"?:\s+crd-install`)
+	releaseTimeSearch = regexp.MustCompile(`\.Release\.Time`)
+)
+
+// Templates lints the templates in the Linter.
+func Templates(linter *support.Linter, values map[string]interface{}, namespace string, _ bool) {
+	TemplatesWithKubeVersion(linter, values, namespace, nil)
+}
+
+// TemplatesWithKubeVersion lints the templates in the Linter, allowing to specify the kubernetes version.
+func TemplatesWithKubeVersion(linter *support.Linter, values map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion) {
+	TemplatesWithSkipSchemaValidation(linter, values, namespace, kubeVersion, false)
+}
+
+// TemplatesWithSkipSchemaValidation lints the templates in the Linter, allowing to specify the kubernetes version and if schema validation is enabled or not.
+func TemplatesWithSkipSchemaValidation(linter *support.Linter, values map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion, skipSchemaValidation bool) {
+	fpath := "templates/"
+	templatesPath := filepath.Join(linter.ChartDir, fpath)
+
+	templatesDirExist := linter.RunLinterRule(support.WarningSev, fpath, validateTemplatesDir(templatesPath))
+
+	// Templates directory is optional for now
+	if !templatesDirExist {
+		return
+	}
+
+	// Load chart and parse templates
+	chart, err := loader.Load(linter.ChartDir)
+
+	chartLoaded := linter.RunLinterRule(support.ErrorSev, fpath, err)
+
+	if !chartLoaded {
+		return
+	}
+
+	options := chartutil.ReleaseOptions{
+		Name:      "test-release",
+		Namespace: namespace,
+	}
+
+	caps := chartutil.DefaultCapabilities.Copy()
+	if kubeVersion != nil {
+		caps.KubeVersion = *kubeVersion
+	}
+
+	// lint ignores import-values
+	// See https://github.com/helm/helm/issues/9658
+	if err := chartutil.ProcessDependenciesWithMerge(chart, values); err != nil {
+		return
+	}
+
+	cvals, err := chartutil.CoalesceValues(chart, values)
+	if err != nil {
+		return
+	}
+
+	valuesToRender, err := chartutil.ToRenderValuesWithSchemaValidation(chart, cvals, options, caps, skipSchemaValidation)
+	if err != nil {
+		linter.RunLinterRule(support.ErrorSev, fpath, err)
+		return
+	}
+	var e engine.Engine
+	e.LintMode = true
+	renderedContentMap, err := e.Render(chart, valuesToRender)
+
+	renderOk := linter.RunLinterRule(support.ErrorSev, fpath, err)
+
+	if !renderOk {
+		return
+	}
+
+	/* Iterate over all the templates to check:
+	- It is a .yaml file
+	- All the values in the template file is defined
+	- {{}} include | quote
+	- Generated content is a valid Yaml file
+	- Metadata.Namespace is not set
+	*/
+	for _, template := range chart.Templates {
+		fileName, data := template.Name, template.Data
+		fpath = fileName
+
+		linter.RunLinterRule(support.ErrorSev, fpath, validateAllowedExtension(fileName))
+		// These are v3 specific checks to make sure and warn people if their
+		// chart is not compatible with v3
+		linter.RunLinterRule(support.WarningSev, fpath, validateNoCRDHooks(data))
+		linter.RunLinterRule(support.ErrorSev, fpath, validateNoReleaseTime(data))
+
+		// We only apply the following lint rules to yaml files
+		if filepath.Ext(fileName) != ".yaml" || filepath.Ext(fileName) == ".yml" {
+			continue
+		}
+
+		// NOTE: disabled for now, Refs https://github.com/helm/helm/issues/1463
+		// Check that all the templates have a matching value
+		// linter.RunLinterRule(support.WarningSev, fpath, validateNoMissingValues(templatesPath, valuesToRender, preExecutedTemplate))
+
+		// NOTE: disabled for now, Refs https://github.com/helm/helm/issues/1037
+		// linter.RunLinterRule(support.WarningSev, fpath, validateQuotes(string(preExecutedTemplate)))
+
+		renderedContent := renderedContentMap[path.Join(chart.Name(), fileName)]
+		if strings.TrimSpace(renderedContent) != "" {
+			linter.RunLinterRule(support.WarningSev, fpath, validateTopIndentLevel(renderedContent))
+
+			decoder := yaml.NewYAMLOrJSONDecoder(strings.NewReader(renderedContent), 4096)
+
+			// Lint all resources if the file contains multiple documents separated by ---
+			for {
+				// Even though K8sYamlStruct only defines a few fields, an error in any other
+				// key will be raised as well
+				var yamlStruct *K8sYamlStruct
+
+				err := decoder.Decode(&yamlStruct)
+				if err == io.EOF {
+					break
+				}
+
+				//  If YAML linting fails here, it will always fail in the next block as well, so we should return here.
+				// fix https://github.com/helm/helm/issues/11391
+				if !linter.RunLinterRule(support.ErrorSev, fpath, validateYamlContent(err)) {
+					return
+				}
+				if yamlStruct != nil {
+					// NOTE: set to warnings to allow users to support out-of-date kubernetes
+					// Refs https://github.com/helm/helm/issues/8596
+					linter.RunLinterRule(support.WarningSev, fpath, validateMetadataName(yamlStruct))
+					linter.RunLinterRule(support.WarningSev, fpath, validateNoDeprecations(yamlStruct, kubeVersion))
+
+					linter.RunLinterRule(support.ErrorSev, fpath, validateMatchSelector(yamlStruct, renderedContent))
+					linter.RunLinterRule(support.ErrorSev, fpath, validateListAnnotations(yamlStruct, renderedContent))
+				}
+			}
+		}
+	}
+}
+
+// validateTopIndentLevel checks that the content does not start with an indent level > 0.
+//
+// This error can occur when a template accidentally inserts space. It can cause
+// unpredictable errors depending on whether the text is normalized before being passed
+// into the YAML parser. So we trap it here.
+//
+// See https://github.com/helm/helm/issues/8467
+func validateTopIndentLevel(content string) error {
+	// Read lines until we get to a non-empty one
+	scanner := bufio.NewScanner(bytes.NewBufferString(content))
+	for scanner.Scan() {
+		line := scanner.Text()
+		// If line is empty, skip
+		if strings.TrimSpace(line) == "" {
+			continue
+		}
+		// If it starts with one or more spaces, this is an error
+		if strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") {
+			return fmt.Errorf("document starts with an illegal indent: %q, which may cause parsing problems", line)
+		}
+		// Any other condition passes.
+		return nil
+	}
+	return scanner.Err()
+}
+
+// Validation functions
+func validateTemplatesDir(templatesPath string) error {
+	if fi, err := os.Stat(templatesPath); err == nil {
+		if !fi.IsDir() {
+			return errors.New("not a directory")
+		}
+	}
+	return nil
+}
+
+func validateAllowedExtension(fileName string) error {
+	ext := filepath.Ext(fileName)
+	validExtensions := []string{".yaml", ".yml", ".tpl", ".txt"}
+
+	for _, b := range validExtensions {
+		if b == ext {
+			return nil
+		}
+	}
+
+	return errors.Errorf("file extension '%s' not valid. Valid extensions are .yaml, .yml, .tpl, or .txt", ext)
+}
+
+func validateYamlContent(err error) error {
+	return errors.Wrap(err, "unable to parse YAML")
+}
+
+// validateMetadataName uses the correct validation function for the object
+// Kind, or if not set, defaults to the standard definition of a subdomain in
+// DNS (RFC 1123), used by most resources.
+func validateMetadataName(obj *K8sYamlStruct) error {
+	fn := validateMetadataNameFunc(obj)
+	allErrs := field.ErrorList{}
+	for _, msg := range fn(obj.Metadata.Name, false) {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("metadata").Child("name"), obj.Metadata.Name, msg))
+	}
+	if len(allErrs) > 0 {
+		return errors.Wrapf(allErrs.ToAggregate(), "object name does not conform to Kubernetes naming requirements: %q", obj.Metadata.Name)
+	}
+	return nil
+}
+
+// validateMetadataNameFunc will return a name validation function for the
+// object kind, if defined below.
+//
+// Rules should match those set in the various api validations:
+// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/core/validation/validation.go#L205-L274
+// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/apps/validation/validation.go#L39
+// ...
+//
+// Implementing here to avoid importing k/k.
+//
+// If no mapping is defined, returns NameIsDNSSubdomain.  This is used by object
+// kinds that don't have special requirements, so is the most likely to work if
+// new kinds are added.
+func validateMetadataNameFunc(obj *K8sYamlStruct) validation.ValidateNameFunc {
+	switch strings.ToLower(obj.Kind) {
+	case "pod", "node", "secret", "endpoints", "resourcequota", // core
+		"controllerrevision", "daemonset", "deployment", "replicaset", "statefulset", // apps
+		"autoscaler",     // autoscaler
+		"cronjob", "job", // batch
+		"lease",                    // coordination
+		"endpointslice",            // discovery
+		"networkpolicy", "ingress", // networking
+		"podsecuritypolicy",                           // policy
+		"priorityclass",                               // scheduling
+		"podpreset",                                   // settings
+		"storageclass", "volumeattachment", "csinode": // storage
+		return validation.NameIsDNSSubdomain
+	case "service":
+		return validation.NameIsDNS1035Label
+	case "namespace":
+		return validation.ValidateNamespaceName
+	case "serviceaccount":
+		return validation.ValidateServiceAccountName
+	case "certificatesigningrequest":
+		// No validation.
+		// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/certificates/validation/validation.go#L137-L140
+		return func(_ string, _ bool) []string { return nil }
+	case "role", "clusterrole", "rolebinding", "clusterrolebinding":
+		// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/rbac/validation/validation.go#L32-L34
+		return func(name string, _ bool) []string {
+			return apipath.IsValidPathSegmentName(name)
+		}
+	default:
+		return validation.NameIsDNSSubdomain
+	}
+}
+
+func validateNoCRDHooks(manifest []byte) error {
+	if crdHookSearch.Match(manifest) {
+		return errors.New("manifest is a crd-install hook. This hook is no longer supported in v3 and all CRDs should also exist the crds/ directory at the top level of the chart")
+	}
+	return nil
+}
+
+func validateNoReleaseTime(manifest []byte) error {
+	if releaseTimeSearch.Match(manifest) {
+		return errors.New(".Release.Time has been removed in v3, please replace with the `now` function in your templates")
+	}
+	return nil
+}
+
+// validateMatchSelector ensures that template specs have a selector declared.
+// See https://github.com/helm/helm/issues/1990
+func validateMatchSelector(yamlStruct *K8sYamlStruct, manifest string) error {
+	switch yamlStruct.Kind {
+	case "Deployment", "ReplicaSet", "DaemonSet", "StatefulSet":
+		// verify that matchLabels or matchExpressions is present
+		if !(strings.Contains(manifest, "matchLabels") || strings.Contains(manifest, "matchExpressions")) {
+			return fmt.Errorf("a %s must contain matchLabels or matchExpressions, and %q does not", yamlStruct.Kind, yamlStruct.Metadata.Name)
+		}
+	}
+	return nil
+}
+func validateListAnnotations(yamlStruct *K8sYamlStruct, manifest string) error {
+	if yamlStruct.Kind == "List" {
+		m := struct {
+			Items []struct {
+				Metadata struct {
+					Annotations map[string]string
+				}
+			}
+		}{}
+
+		if err := yaml.Unmarshal([]byte(manifest), &m); err != nil {
+			return validateYamlContent(err)
+		}
+
+		for _, i := range m.Items {
+			if _, ok := i.Metadata.Annotations["helm.sh/resource-policy"]; ok {
+				return errors.New("Annotation 'helm.sh/resource-policy' within List objects are ignored")
+			}
+		}
+	}
+	return nil
+}
+
+// K8sYamlStruct stubs a Kubernetes YAML file.
+//
+// DEPRECATED: In Helm 4, this will be made a private type, as it is for use only within
+// the rules package.
+type K8sYamlStruct struct {
+	APIVersion string `json:"apiVersion"`
+	Kind       string
+	Metadata   k8sYamlMetadata
+}
+
+type k8sYamlMetadata struct {
+	Namespace string
+	Name      string
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/values.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/values.go
new file mode 100644
index 0000000000..538d8381b6
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/values.go
@@ -0,0 +1,86 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/lint/support"
+)
+
+// Values lints a chart's values.yaml file.
+//
+// This function is deprecated and will be removed in Helm 4.
+func Values(linter *support.Linter) {
+	ValuesWithOverrides(linter, map[string]interface{}{})
+}
+
+// ValuesWithOverrides tests the values.yaml file.
+//
+// If a schema is present in the chart, values are tested against that. Otherwise,
+// they are only tested for well-formedness.
+//
+// If additional values are supplied, they are coalesced into the values in values.yaml.
+func ValuesWithOverrides(linter *support.Linter, values map[string]interface{}) {
+	file := "values.yaml"
+	vf := filepath.Join(linter.ChartDir, file)
+	fileExists := linter.RunLinterRule(support.InfoSev, file, validateValuesFileExistence(vf))
+
+	if !fileExists {
+		return
+	}
+
+	linter.RunLinterRule(support.ErrorSev, file, validateValuesFile(vf, values))
+}
+
+func validateValuesFileExistence(valuesPath string) error {
+	_, err := os.Stat(valuesPath)
+	if err != nil {
+		return errors.Errorf("file does not exist")
+	}
+	return nil
+}
+
+func validateValuesFile(valuesPath string, overrides map[string]interface{}) error {
+	values, err := chartutil.ReadValuesFile(valuesPath)
+	if err != nil {
+		return errors.Wrap(err, "unable to parse YAML")
+	}
+
+	// Helm 3.0.0 carried over the values linting from Helm 2.x, which only tests the top
+	// level values against the top-level expectations. Subchart values are not linted.
+	// We could change that. For now, though, we retain that strategy, and thus can
+	// coalesce tables (like reuse-values does) instead of doing the full chart
+	// CoalesceValues
+	coalescedValues := chartutil.CoalesceTables(make(map[string]interface{}, len(overrides)), overrides)
+	coalescedValues = chartutil.CoalesceTables(coalescedValues, values)
+
+	ext := filepath.Ext(valuesPath)
+	schemaPath := valuesPath[:len(valuesPath)-len(ext)] + ".schema.json"
+	schema, err := os.ReadFile(schemaPath)
+	if len(schema) == 0 {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+	return chartutil.ValidateAgainstSingleSchema(coalescedValues, schema)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/support/doc.go b/vendor/helm.sh/helm/v3/pkg/lint/support/doc.go
new file mode 100644
index 0000000000..bffefe8ffd
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/lint/support/doc.go
@@ -0,0 +1,23 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package support contains tools for linting charts.
+
+Linting is the process of testing charts for errors or warnings regarding
+formatting, compilation, or standards compliance.
+*/
+package support // import "helm.sh/helm/v3/pkg/lint/support"
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/support/message.go b/vendor/helm.sh/helm/v3/pkg/lint/support/message.go
new file mode 100644
index 0000000000..5efbc7a61c
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/lint/support/message.go
@@ -0,0 +1,76 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package support
+
+import "fmt"
+
+// Severity indicates the severity of a Message.
+const (
+	// UnknownSev indicates that the severity of the error is unknown, and should not stop processing.
+	UnknownSev = iota
+	// InfoSev indicates information, for example missing values.yaml file
+	InfoSev
+	// WarningSev indicates that something does not meet code standards, but will likely function.
+	WarningSev
+	// ErrorSev indicates that something will not likely function.
+	ErrorSev
+)
+
+// sev matches the *Sev states.
+var sev = []string{"UNKNOWN", "INFO", "WARNING", "ERROR"}
+
+// Linter encapsulates a linting run of a particular chart.
+type Linter struct {
+	Messages []Message
+	// The highest severity of all the failing lint rules
+	HighestSeverity int
+	ChartDir        string
+}
+
+// Message describes an error encountered while linting.
+type Message struct {
+	// Severity is one of the *Sev constants
+	Severity int
+	Path     string
+	Err      error
+}
+
+func (m Message) Error() string {
+	return fmt.Sprintf("[%s] %s: %s", sev[m.Severity], m.Path, m.Err.Error())
+}
+
+// NewMessage creates a new Message struct
+func NewMessage(severity int, path string, err error) Message {
+	return Message{Severity: severity, Path: path, Err: err}
+}
+
+// RunLinterRule returns true if the validation passed
+func (l *Linter) RunLinterRule(severity int, path string, err error) bool {
+	// severity is out of bound
+	if severity < 0 || severity >= len(sev) {
+		return false
+	}
+
+	if err != nil {
+		l.Messages = append(l.Messages, NewMessage(severity, path, err))
+
+		if severity > l.HighestSeverity {
+			l.HighestSeverity = severity
+		}
+	}
+	return err == nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/plugin/hooks.go b/vendor/helm.sh/helm/v3/pkg/plugin/hooks.go
new file mode 100644
index 0000000000..34d3163a40
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/plugin/hooks.go
@@ -0,0 +1,32 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package plugin // import "helm.sh/helm/v3/pkg/plugin"
+
+// Types of hooks
+const (
+	// Install is executed after the plugin is added.
+	Install = "install"
+	// Delete is executed after the plugin is removed.
+	Delete = "delete"
+	// Update is executed after the plugin is updated.
+	Update = "update"
+)
+
+// PlatformHooks is a map of events to a command for a particular operating system and architecture.
+type PlatformHooks map[string][]PlatformCommand
+
+// Hooks is a map of events to commands.
+type Hooks map[string]string
diff --git a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go
new file mode 100644
index 0000000000..e2fb78672e
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go
@@ -0,0 +1,377 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package plugin // import "helm.sh/helm/v3/pkg/plugin"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strings"
+	"unicode"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/cli"
+)
+
+const PluginFileName = "plugin.yaml"
+
+// Downloaders represents the plugins capability if it can retrieve
+// charts from special sources
+type Downloaders struct {
+	// Protocols are the list of schemes from the charts URL.
+	Protocols []string `json:"protocols"`
+	// Command is the executable path with which the plugin performs
+	// the actual download for the corresponding Protocols
+	Command string `json:"command"`
+}
+
+// PlatformCommand represents a command for a particular operating system and architecture
+type PlatformCommand struct {
+	OperatingSystem string   `json:"os"`
+	Architecture    string   `json:"arch"`
+	Command         string   `json:"command"`
+	Args            []string `json:"args"`
+}
+
+// Metadata describes a plugin.
+//
+// This is the plugin equivalent of a chart.Metadata.
+type Metadata struct {
+	// Name is the name of the plugin
+	Name string `json:"name"`
+
+	// Version is a SemVer 2 version of the plugin.
+	Version string `json:"version"`
+
+	// Usage is the single-line usage text shown in help
+	Usage string `json:"usage"`
+
+	// Description is a long description shown in places like `helm help`
+	Description string `json:"description"`
+
+	// PlatformCommand is the plugin command, with a platform selector and support for args.
+	//
+	// The command and args will be passed through environment expansion, so env vars can
+	// be present in this command. Unless IgnoreFlags is set, this will
+	// also merge the flags passed from Helm.
+	//
+	// Note that the command is not executed in a shell. To do so, we suggest
+	// pointing the command to a shell script.
+	//
+	// The following rules will apply to processing platform commands:
+	// - If PlatformCommand is present, it will be used
+	// - If both OS and Arch match the current platform, search will stop and the command will be executed
+	// - If OS matches and Arch is empty, the command will be executed
+	// - If no OS/Arch match is found, the default command will be executed
+	// - If no matches are found in platformCommand, Helm will exit with an error
+	PlatformCommand []PlatformCommand `json:"platformCommand"`
+
+	// Command is the plugin command, as a single string.
+	// Providing a command will result in an deprecation warning if PlatformCommand is also set.
+	//
+	// The command will be passed through environment expansion, so env vars can
+	// be present in this command. Unless IgnoreFlags is set, this will
+	// also merge the flags passed from Helm.
+	//
+	// Note that command is not executed in a shell. To do so, we suggest
+	// pointing the command to a shell script.
+	//
+	// DEPRECATED: Use PlatformCommand instead. Remove in Helm 4.
+	Command string `json:"command"`
+
+	// IgnoreFlags ignores any flags passed in from Helm
+	//
+	// For example, if the plugin is invoked as `helm --debug myplugin`, if this
+	// is false, `--debug` will be appended to `--command`. If this is true,
+	// the `--debug` flag will be discarded.
+	IgnoreFlags bool `json:"ignoreFlags"`
+
+	// PlatformHooks are commands that will run on plugin events, with a platform selector and support for args.
+	//
+	// The command and args will be passed through environment expansion, so env vars can
+	// be present in the command.
+	//
+	// Note that the command is not executed in a shell. To do so, we suggest
+	// pointing the command to a shell script.
+	//
+	// The following rules will apply to processing platform hooks:
+	// - If PlatformHooks is present, it will be used
+	// - If both OS and Arch match the current platform, search will stop and the command will be executed
+	// - If OS matches and Arch is empty, the command will be executed
+	// - If no OS/Arch match is found, the default command will be executed
+	// - If no matches are found in platformHooks, Helm will skip the event
+	PlatformHooks PlatformHooks `json:"platformHooks"`
+
+	// Hooks are commands that will run on plugin events, as a single string.
+	// Providing a hooks will result in an error if PlatformHooks is also set.
+	//
+	// The command will be passed through environment expansion, so env vars can
+	// be present in this command.
+	//
+	// Note that the command is executed in the sh shell.
+	//
+	// DEPRECATED: Use PlatformHooks instead. Remove in Helm 4.
+	Hooks Hooks
+
+	// Downloaders field is used if the plugin supply downloader mechanism
+	// for special protocols.
+	Downloaders []Downloaders `json:"downloaders"`
+
+	// UseTunnelDeprecated indicates that this command needs a tunnel.
+	// Setting this will cause a number of side effects, such as the
+	// automatic setting of HELM_HOST.
+	// DEPRECATED and unused, but retained for backwards compatibility with Helm 2 plugins. Remove in Helm 4
+	UseTunnelDeprecated bool `json:"useTunnel,omitempty"`
+}
+
+// Plugin represents a plugin.
+type Plugin struct {
+	// Metadata is a parsed representation of a plugin.yaml
+	Metadata *Metadata
+	// Dir is the string path to the directory that holds the plugin.
+	Dir string
+}
+
+// Returns command and args strings based on the following rules in priority order:
+// - From the PlatformCommand where OS and Arch match the current platform
+// - From the PlatformCommand where OS matches the current platform and Arch is empty/unspecified
+// - From the PlatformCommand where OS is empty/unspecified and Arch matches the current platform
+// - From the PlatformCommand where OS and Arch are both empty/unspecified
+// - Return nil, nil
+func getPlatformCommand(cmds []PlatformCommand) ([]string, []string) {
+	var command, args []string
+	found := false
+	foundOs := false
+
+	eq := strings.EqualFold
+	for _, c := range cmds {
+		if eq(c.OperatingSystem, runtime.GOOS) && eq(c.Architecture, runtime.GOARCH) {
+			// Return early for an exact match
+			return strings.Split(c.Command, " "), c.Args
+		}
+
+		if (len(c.OperatingSystem) > 0 && !eq(c.OperatingSystem, runtime.GOOS)) || len(c.Architecture) > 0 {
+			// Skip if OS is not empty and doesn't match or if arch is set as a set arch requires an OS match
+			continue
+		}
+
+		if !foundOs && len(c.OperatingSystem) > 0 && eq(c.OperatingSystem, runtime.GOOS) {
+			// First OS match with empty arch, can only be overridden by a direct match
+			command = strings.Split(c.Command, " ")
+			args = c.Args
+			found = true
+			foundOs = true
+		} else if !found {
+			// First empty match, can be overridden by a direct match or an OS match
+			command = strings.Split(c.Command, " ")
+			args = c.Args
+			found = true
+		}
+	}
+
+	return command, args
+}
+
+// PrepareCommands takes a []Plugin.PlatformCommand
+// and prepares the command and arguments for execution.
+//
+// It merges extraArgs into any arguments supplied in the plugin. It
+// returns the main command and an args array.
+//
+// The result is suitable to pass to exec.Command.
+func PrepareCommands(cmds []PlatformCommand, expandArgs bool, extraArgs []string) (string, []string, error) {
+	cmdParts, args := getPlatformCommand(cmds)
+	if len(cmdParts) == 0 || cmdParts[0] == "" {
+		return "", nil, fmt.Errorf("no plugin command is applicable")
+	}
+
+	main := os.ExpandEnv(cmdParts[0])
+	baseArgs := []string{}
+	if len(cmdParts) > 1 {
+		for _, cmdPart := range cmdParts[1:] {
+			if expandArgs {
+				baseArgs = append(baseArgs, os.ExpandEnv(cmdPart))
+			} else {
+				baseArgs = append(baseArgs, cmdPart)
+			}
+		}
+	}
+
+	for _, arg := range args {
+		if expandArgs {
+			baseArgs = append(baseArgs, os.ExpandEnv(arg))
+		} else {
+			baseArgs = append(baseArgs, arg)
+		}
+	}
+
+	if len(extraArgs) > 0 {
+		baseArgs = append(baseArgs, extraArgs...)
+	}
+
+	return main, baseArgs, nil
+}
+
+// PrepareCommand gets the correct command and arguments for a plugin.
+//
+// It merges extraArgs into any arguments supplied in the plugin. It returns the name of the command and an args array.
+//
+// The result is suitable to pass to exec.Command.
+func (p *Plugin) PrepareCommand(extraArgs []string) (string, []string, error) {
+	var extraArgsIn []string
+
+	if !p.Metadata.IgnoreFlags {
+		extraArgsIn = extraArgs
+	}
+
+	cmds := p.Metadata.PlatformCommand
+	if len(cmds) == 0 && len(p.Metadata.Command) > 0 {
+		cmds = []PlatformCommand{{Command: p.Metadata.Command}}
+	}
+
+	return PrepareCommands(cmds, true, extraArgsIn)
+}
+
+// validPluginName is a regular expression that validates plugin names.
+//
+// Plugin names can only contain the ASCII characters a-z, A-Z, 0-9, ​_​ and ​-.
+var validPluginName = regexp.MustCompile("^[A-Za-z0-9_-]+$")
+
+// validatePluginData validates a plugin's YAML data.
+func validatePluginData(plug *Plugin, filepath string) error {
+	// When metadata section missing, initialize with no data
+	if plug.Metadata == nil {
+		plug.Metadata = &Metadata{}
+	}
+	if !validPluginName.MatchString(plug.Metadata.Name) {
+		return fmt.Errorf("invalid plugin name at %q", filepath)
+	}
+	plug.Metadata.Usage = sanitizeString(plug.Metadata.Usage)
+
+	if len(plug.Metadata.PlatformCommand) > 0 && len(plug.Metadata.Command) > 0 {
+		fmt.Printf("WARNING: both 'platformCommand' and 'command' are set in %q (this will become an error in a future Helm version)\n", filepath)
+	}
+
+	if len(plug.Metadata.PlatformHooks) > 0 && len(plug.Metadata.Hooks) > 0 {
+		fmt.Printf("WARNING: both 'platformHooks' and 'hooks' are set in %q (this will become an error in a future Helm version)\n", filepath)
+	}
+
+	// We could also validate SemVer, executable, and other fields should we so choose.
+	return nil
+}
+
+// sanitizeString normalize spaces and removes non-printable characters.
+func sanitizeString(str string) string {
+	return strings.Map(func(r rune) rune {
+		if unicode.IsSpace(r) {
+			return ' '
+		}
+		if unicode.IsPrint(r) {
+			return r
+		}
+		return -1
+	}, str)
+}
+
+func detectDuplicates(plugs []*Plugin) error {
+	names := map[string]string{}
+
+	for _, plug := range plugs {
+		if oldpath, ok := names[plug.Metadata.Name]; ok {
+			return fmt.Errorf(
+				"two plugins claim the name %q at %q and %q",
+				plug.Metadata.Name,
+				oldpath,
+				plug.Dir,
+			)
+		}
+		names[plug.Metadata.Name] = plug.Dir
+	}
+
+	return nil
+}
+
+// LoadDir loads a plugin from the given directory.
+func LoadDir(dirname string) (*Plugin, error) {
+	pluginfile := filepath.Join(dirname, PluginFileName)
+	data, err := os.ReadFile(pluginfile)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to read plugin at %q", pluginfile)
+	}
+
+	plug := &Plugin{Dir: dirname}
+	if err := yaml.UnmarshalStrict(data, &plug.Metadata); err != nil {
+		return nil, errors.Wrapf(err, "failed to load plugin at %q", pluginfile)
+	}
+	return plug, validatePluginData(plug, pluginfile)
+}
+
+// LoadAll loads all plugins found beneath the base directory.
+//
+// This scans only one directory level.
+func LoadAll(basedir string) ([]*Plugin, error) {
+	plugins := []*Plugin{}
+	// We want basedir/*/plugin.yaml
+	scanpath := filepath.Join(basedir, "*", PluginFileName)
+	matches, err := filepath.Glob(scanpath)
+	if err != nil {
+		return plugins, errors.Wrapf(err, "failed to find plugins in %q", scanpath)
+	}
+
+	if matches == nil {
+		return plugins, nil
+	}
+
+	for _, yaml := range matches {
+		dir := filepath.Dir(yaml)
+		p, err := LoadDir(dir)
+		if err != nil {
+			return plugins, err
+		}
+		plugins = append(plugins, p)
+	}
+	return plugins, detectDuplicates(plugins)
+}
+
+// FindPlugins returns a list of YAML files that describe plugins.
+func FindPlugins(plugdirs string) ([]*Plugin, error) {
+	found := []*Plugin{}
+	// Let's get all UNIXy and allow path separators
+	for _, p := range filepath.SplitList(plugdirs) {
+		matches, err := LoadAll(p)
+		if err != nil {
+			return matches, err
+		}
+		found = append(found, matches...)
+	}
+	return found, nil
+}
+
+// SetupPluginEnv prepares os.Env for plugins. It operates on os.Env because
+// the plugin subsystem itself needs access to the environment variables
+// created here.
+func SetupPluginEnv(settings *cli.EnvSettings, name, base string) {
+	env := settings.EnvVars()
+	env["HELM_PLUGIN_NAME"] = name
+	env["HELM_PLUGIN_DIR"] = base
+	for key, val := range env {
+		os.Setenv(key, val)
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/postrender/exec.go b/vendor/helm.sh/helm/v3/pkg/postrender/exec.go
new file mode 100644
index 0000000000..167e737d65
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/postrender/exec.go
@@ -0,0 +1,109 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package postrender
+
+import (
+	"bytes"
+	"io"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+)
+
+type execRender struct {
+	binaryPath string
+	args       []string
+}
+
+// NewExec returns a PostRenderer implementation that calls the provided binary.
+// It returns an error if the binary cannot be found. If the path does not
+// contain any separators, it will search in $PATH, otherwise it will resolve
+// any relative paths to a fully qualified path
+func NewExec(binaryPath string, args ...string) (PostRenderer, error) {
+	fullPath, err := getFullPath(binaryPath)
+	if err != nil {
+		return nil, err
+	}
+	return &execRender{fullPath, args}, nil
+}
+
+// Run the configured binary for the post render
+func (p *execRender) Run(renderedManifests *bytes.Buffer) (*bytes.Buffer, error) {
+	cmd := exec.Command(p.binaryPath, p.args...)
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return nil, err
+	}
+
+	var postRendered = &bytes.Buffer{}
+	var stderr = &bytes.Buffer{}
+	cmd.Stdout = postRendered
+	cmd.Stderr = stderr
+
+	go func() {
+		defer stdin.Close()
+		io.Copy(stdin, renderedManifests)
+	}()
+	err = cmd.Run()
+	if err != nil {
+		return nil, errors.Wrapf(err, "error while running command %s. error output:\n%s", p.binaryPath, stderr.String())
+	}
+
+	return postRendered, nil
+}
+
+// getFullPath returns the full filepath to the binary to execute. If the path
+// does not contain any separators, it will search in $PATH, otherwise it will
+// resolve any relative paths to a fully qualified path
+func getFullPath(binaryPath string) (string, error) {
+	// NOTE(thomastaylor312): I am leaving this code commented out here. During
+	// the implementation of post-render, it was brought up that if we are
+	// relying on plugins, we should actually use the plugin system so it can
+	// properly handle multiple OSs. This will be a feature add in the future,
+	// so I left this code for reference. It can be deleted or reused once the
+	// feature is implemented
+
+	// Manually check the plugin dir first
+	// if !strings.Contains(binaryPath, string(filepath.Separator)) {
+	// 	// First check the plugin dir
+	// 	pluginDir := helmpath.DataPath("plugins") // Default location
+	// 	// If location for plugins is explicitly set, check there
+	// 	if v, ok := os.LookupEnv("HELM_PLUGINS"); ok {
+	// 		pluginDir = v
+	// 	}
+	// 	// The plugins variable can actually contain multiple paths, so loop through those
+	// 	for _, p := range filepath.SplitList(pluginDir) {
+	// 		_, err := os.Stat(filepath.Join(p, binaryPath))
+	// 		if err != nil && !os.IsNotExist(err) {
+	// 			return "", err
+	// 		} else if err == nil {
+	// 			binaryPath = filepath.Join(p, binaryPath)
+	// 			break
+	// 		}
+	// 	}
+	// }
+
+	// Now check for the binary using the given path or check if it exists in
+	// the path and is executable
+	checkedPath, err := exec.LookPath(binaryPath)
+	if err != nil {
+		return "", errors.Wrapf(err, "unable to find binary at %s", binaryPath)
+	}
+
+	return filepath.Abs(checkedPath)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/postrender/postrender.go b/vendor/helm.sh/helm/v3/pkg/postrender/postrender.go
new file mode 100644
index 0000000000..3af3842907
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/postrender/postrender.go
@@ -0,0 +1,29 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package postrender contains an interface that can be implemented for custom
+// post-renderers and an exec implementation that can be used for arbitrary
+// binaries and scripts
+package postrender
+
+import "bytes"
+
+type PostRenderer interface {
+	// Run expects a single buffer filled with Helm rendered manifests. It
+	// expects the modified results to be returned on a separate buffer or an
+	// error if there was an issue or failure while running the post render step
+	Run(renderedManifests *bytes.Buffer) (modifiedManifests *bytes.Buffer, err error)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/provenance/doc.go b/vendor/helm.sh/helm/v3/pkg/provenance/doc.go
new file mode 100644
index 0000000000..0c7ae06180
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/provenance/doc.go
@@ -0,0 +1,38 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package provenance provides tools for establishing the authenticity of a chart.
+
+In Helm, provenance is established via several factors. The primary factor is the
+cryptographic signature of a chart. Chart authors may sign charts, which in turn
+provide the necessary metadata to ensure the integrity of the chart file, the
+Chart.yaml, and the referenced Docker images.
+
+A provenance file is clear-signed. This provides cryptographic verification that
+a particular block of information (Chart.yaml, archive file, images) have not
+been tampered with or altered. To learn more, read the GnuPG documentation on
+clear signatures:
+https://www.gnupg.org/gph/en/manual/x135.html
+
+The cryptography used by Helm should be compatible with OpenGPG. For example,
+you should be able to verify a signature by importing the desired public key
+and using `gpg --verify`, `keybase pgp verify`, or similar:
+
+	$  gpg --verify some.sig
+	gpg: Signature made Mon Jul 25 17:23:44 2016 MDT using RSA key ID 1FC18762
+	gpg: Good signature from "Helm Testing (This key should only be used for testing. DO NOT TRUST.) <helm-testing@helm.sh>" [ultimate]
+*/
+package provenance // import "helm.sh/helm/v3/pkg/provenance"
diff --git a/vendor/helm.sh/helm/v3/pkg/provenance/sign.go b/vendor/helm.sh/helm/v3/pkg/provenance/sign.go
new file mode 100644
index 0000000000..7f89ef3f53
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/provenance/sign.go
@@ -0,0 +1,427 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package provenance
+
+import (
+	"bytes"
+	"crypto"
+	"encoding/hex"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/openpgp"           //nolint
+	"golang.org/x/crypto/openpgp/clearsign" //nolint
+	"golang.org/x/crypto/openpgp/packet"    //nolint
+	"sigs.k8s.io/yaml"
+
+	hapi "helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+)
+
+var defaultPGPConfig = packet.Config{
+	DefaultHash: crypto.SHA512,
+}
+
+// SumCollection represents a collection of file and image checksums.
+//
+// Files are of the form:
+//
+//	FILENAME: "sha256:SUM"
+//
+// Images are of the form:
+//
+//	"IMAGE:TAG": "sha256:SUM"
+//
+// Docker optionally supports sha512, and if this is the case, the hash marker
+// will be 'sha512' instead of 'sha256'.
+type SumCollection struct {
+	Files  map[string]string `json:"files"`
+	Images map[string]string `json:"images,omitempty"`
+}
+
+// Verification contains information about a verification operation.
+type Verification struct {
+	// SignedBy contains the entity that signed a chart.
+	SignedBy *openpgp.Entity
+	// FileHash is the hash, prepended with the scheme, for the file that was verified.
+	FileHash string
+	// FileName is the name of the file that FileHash verifies.
+	FileName string
+}
+
+// Signatory signs things.
+//
+// Signatories can be constructed from a PGP private key file using NewFromFiles
+// or they can be constructed manually by setting the Entity to a valid
+// PGP entity.
+//
+// The same Signatory can be used to sign or validate multiple charts.
+type Signatory struct {
+	// The signatory for this instance of Helm. This is used for signing.
+	Entity *openpgp.Entity
+	// The keyring for this instance of Helm. This is used for verification.
+	KeyRing openpgp.EntityList
+}
+
+// NewFromFiles constructs a new Signatory from the PGP key in the given filename.
+//
+// This will emit an error if it cannot find a valid GPG keyfile (entity) at the
+// given location.
+//
+// Note that the keyfile may have just a public key, just a private key, or
+// both. The Signatory methods may have different requirements of the keys. For
+// example, ClearSign must have a valid `openpgp.Entity.PrivateKey` before it
+// can sign something.
+func NewFromFiles(keyfile, keyringfile string) (*Signatory, error) {
+	e, err := loadKey(keyfile)
+	if err != nil {
+		return nil, err
+	}
+
+	ring, err := loadKeyRing(keyringfile)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Signatory{
+		Entity:  e,
+		KeyRing: ring,
+	}, nil
+}
+
+// NewFromKeyring reads a keyring file and creates a Signatory.
+//
+// If id is not the empty string, this will also try to find an Entity in the
+// keyring whose name matches, and set that as the signing entity. It will return
+// an error if the id is not empty and also not found.
+func NewFromKeyring(keyringfile, id string) (*Signatory, error) {
+	ring, err := loadKeyRing(keyringfile)
+	if err != nil {
+		return nil, err
+	}
+
+	s := &Signatory{KeyRing: ring}
+
+	// If the ID is empty, we can return now.
+	if id == "" {
+		return s, nil
+	}
+
+	// We're gonna go all GnuPG on this and look for a string that _contains_. If
+	// two or more keys contain the string and none are a direct match, we error
+	// out.
+	var candidate *openpgp.Entity
+	vague := false
+	for _, e := range ring {
+		for n := range e.Identities {
+			if n == id {
+				s.Entity = e
+				return s, nil
+			}
+			if strings.Contains(n, id) {
+				if candidate != nil {
+					vague = true
+				}
+				candidate = e
+			}
+		}
+	}
+	if vague {
+		return s, errors.Errorf("more than one key contain the id %q", id)
+	}
+
+	s.Entity = candidate
+	return s, nil
+}
+
+// PassphraseFetcher returns a passphrase for decrypting keys.
+//
+// This is used as a callback to read a passphrase from some other location. The
+// given name is the Name field on the key, typically of the form:
+//
+//	USER_NAME (COMMENT) <EMAIL>
+type PassphraseFetcher func(name string) ([]byte, error)
+
+// DecryptKey decrypts a private key in the Signatory.
+//
+// If the key is not encrypted, this will return without error.
+//
+// If the key does not exist, this will return an error.
+//
+// If the key exists, but cannot be unlocked with the passphrase returned by
+// the PassphraseFetcher, this will return an error.
+//
+// If the key is successfully unlocked, it will return nil.
+func (s *Signatory) DecryptKey(fn PassphraseFetcher) error {
+	if s.Entity == nil {
+		return errors.New("private key not found")
+	} else if s.Entity.PrivateKey == nil {
+		return errors.New("provided key is not a private key. Try providing a keyring with secret keys")
+	}
+
+	// Nothing else to do if key is not encrypted.
+	if !s.Entity.PrivateKey.Encrypted {
+		return nil
+	}
+
+	fname := "Unknown"
+	for i := range s.Entity.Identities {
+		if i != "" {
+			fname = i
+			break
+		}
+	}
+
+	p, err := fn(fname)
+	if err != nil {
+		return err
+	}
+
+	return s.Entity.PrivateKey.Decrypt(p)
+}
+
+// ClearSign signs a chart with the given key.
+//
+// This takes the path to a chart archive file and a key, and it returns a clear signature.
+//
+// The Signatory must have a valid Entity.PrivateKey for this to work. If it does
+// not, an error will be returned.
+func (s *Signatory) ClearSign(chartpath string) (string, error) {
+	if s.Entity == nil {
+		return "", errors.New("private key not found")
+	} else if s.Entity.PrivateKey == nil {
+		return "", errors.New("provided key is not a private key. Try providing a keyring with secret keys")
+	}
+
+	if fi, err := os.Stat(chartpath); err != nil {
+		return "", err
+	} else if fi.IsDir() {
+		return "", errors.New("cannot sign a directory")
+	}
+
+	out := bytes.NewBuffer(nil)
+
+	b, err := messageBlock(chartpath)
+	if err != nil {
+		return "", err
+	}
+
+	// Sign the buffer
+	w, err := clearsign.Encode(out, s.Entity.PrivateKey, &defaultPGPConfig)
+	if err != nil {
+		return "", err
+	}
+
+	_, err = io.Copy(w, b)
+
+	if err != nil {
+		// NB: We intentionally don't call `w.Close()` here! `w.Close()` is the method which
+		// actually does the PGP signing, and therefore is the part which uses the private key.
+		// In other words, if we call Close here, there's a risk that there's an attempt to use the
+		// private key to sign garbage data (since we know that io.Copy failed, `w` won't contain
+		// anything useful).
+		return "", errors.Wrap(err, "failed to write to clearsign encoder")
+	}
+
+	err = w.Close()
+	if err != nil {
+		return "", errors.Wrap(err, "failed to either sign or armor message block")
+	}
+
+	return out.String(), nil
+}
+
+// Verify checks a signature and verifies that it is legit for a chart.
+func (s *Signatory) Verify(chartpath, sigpath string) (*Verification, error) {
+	ver := &Verification{}
+	for _, fname := range []string{chartpath, sigpath} {
+		if fi, err := os.Stat(fname); err != nil {
+			return ver, err
+		} else if fi.IsDir() {
+			return ver, errors.Errorf("%s cannot be a directory", fname)
+		}
+	}
+
+	// First verify the signature
+	sig, err := s.decodeSignature(sigpath)
+	if err != nil {
+		return ver, errors.Wrap(err, "failed to decode signature")
+	}
+
+	by, err := s.verifySignature(sig)
+	if err != nil {
+		return ver, err
+	}
+	ver.SignedBy = by
+
+	// Second, verify the hash of the tarball.
+	sum, err := DigestFile(chartpath)
+	if err != nil {
+		return ver, err
+	}
+	_, sums, err := parseMessageBlock(sig.Plaintext)
+	if err != nil {
+		return ver, err
+	}
+
+	sum = "sha256:" + sum
+	basename := filepath.Base(chartpath)
+	if sha, ok := sums.Files[basename]; !ok {
+		return ver, errors.Errorf("provenance does not contain a SHA for a file named %q", basename)
+	} else if sha != sum {
+		return ver, errors.Errorf("sha256 sum does not match for %s: %q != %q", basename, sha, sum)
+	}
+	ver.FileHash = sum
+	ver.FileName = basename
+
+	// TODO: when image signing is added, verify that here.
+
+	return ver, nil
+}
+
+func (s *Signatory) decodeSignature(filename string) (*clearsign.Block, error) {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := clearsign.Decode(data)
+	if block == nil {
+		// There was no sig in the file.
+		return nil, errors.New("signature block not found")
+	}
+
+	return block, nil
+}
+
+// verifySignature verifies that the given block is validly signed, and returns the signer.
+func (s *Signatory) verifySignature(block *clearsign.Block) (*openpgp.Entity, error) {
+	return openpgp.CheckDetachedSignature(
+		s.KeyRing,
+		bytes.NewBuffer(block.Bytes),
+		block.ArmoredSignature.Body,
+	)
+}
+
+func messageBlock(chartpath string) (*bytes.Buffer, error) {
+	var b *bytes.Buffer
+	// Checksum the archive
+	chash, err := DigestFile(chartpath)
+	if err != nil {
+		return b, err
+	}
+
+	base := filepath.Base(chartpath)
+	sums := &SumCollection{
+		Files: map[string]string{
+			base: "sha256:" + chash,
+		},
+	}
+
+	// Load the archive into memory.
+	chart, err := loader.LoadFile(chartpath)
+	if err != nil {
+		return b, err
+	}
+
+	// Buffer a hash + checksums YAML file
+	data, err := yaml.Marshal(chart.Metadata)
+	if err != nil {
+		return b, err
+	}
+
+	// FIXME: YAML uses ---\n as a file start indicator, but this is not legal in a PGP
+	// clearsign block. So we use ...\n, which is the YAML document end marker.
+	// http://yaml.org/spec/1.2/spec.html#id2800168
+	b = bytes.NewBuffer(data)
+	b.WriteString("\n...\n")
+
+	data, err = yaml.Marshal(sums)
+	if err != nil {
+		return b, err
+	}
+	b.Write(data)
+
+	return b, nil
+}
+
+// parseMessageBlock
+func parseMessageBlock(data []byte) (*hapi.Metadata, *SumCollection, error) {
+	// This sucks.
+	parts := bytes.Split(data, []byte("\n...\n"))
+	if len(parts) < 2 {
+		return nil, nil, errors.New("message block must have at least two parts")
+	}
+
+	md := &hapi.Metadata{}
+	sc := &SumCollection{}
+
+	if err := yaml.Unmarshal(parts[0], md); err != nil {
+		return md, sc, err
+	}
+	err := yaml.Unmarshal(parts[1], sc)
+	return md, sc, err
+}
+
+// loadKey loads a GPG key found at a particular path.
+func loadKey(keypath string) (*openpgp.Entity, error) {
+	f, err := os.Open(keypath)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	pr := packet.NewReader(f)
+	return openpgp.ReadEntity(pr)
+}
+
+func loadKeyRing(ringpath string) (openpgp.EntityList, error) {
+	f, err := os.Open(ringpath)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	return openpgp.ReadKeyRing(f)
+}
+
+// DigestFile calculates a SHA256 hash (like Docker) for a given file.
+//
+// It takes the path to the archive file, and returns a string representation of
+// the SHA256 sum.
+//
+// The intended use of this function is to generate a sum of a chart TGZ file.
+func DigestFile(filename string) (string, error) {
+	f, err := os.Open(filename)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	return Digest(f)
+}
+
+// Digest hashes a reader and returns a SHA256 digest.
+//
+// Helm uses SHA256 as its default hash for all non-cryptographic applications.
+func Digest(in io.Reader) (string, error) {
+	hash := crypto.SHA256.New()
+	if _, err := io.Copy(hash, in); err != nil {
+		return "", nil
+	}
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/pusher/doc.go b/vendor/helm.sh/helm/v3/pkg/pusher/doc.go
new file mode 100644
index 0000000000..df89ab112b
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/pusher/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package pusher provides a generalized tool for uploading data by scheme.
+This provides a method by which the plugin system can load arbitrary protocol
+handlers based upon a URL scheme.
+*/
+package pusher
diff --git a/vendor/helm.sh/helm/v3/pkg/pusher/ocipusher.go b/vendor/helm.sh/helm/v3/pkg/pusher/ocipusher.go
new file mode 100644
index 0000000000..33296aaddc
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/pusher/ocipusher.go
@@ -0,0 +1,157 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pusher
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/internal/tlsutil"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/time/ctime"
+)
+
+// OCIPusher is the default OCI backend handler
+type OCIPusher struct {
+	opts options
+}
+
+// Push performs a Push from repo.Pusher.
+func (pusher *OCIPusher) Push(chartRef, href string, options ...Option) error {
+	for _, opt := range options {
+		opt(&pusher.opts)
+	}
+	return pusher.push(chartRef, href)
+}
+
+func (pusher *OCIPusher) push(chartRef, href string) error {
+	stat, err := os.Stat(chartRef)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return errors.Errorf("%s: no such file", chartRef)
+		}
+		return err
+	}
+	if stat.IsDir() {
+		return errors.New("cannot push directory, must provide chart archive (.tgz)")
+	}
+
+	meta, err := loader.Load(chartRef)
+	if err != nil {
+		return err
+	}
+
+	client := pusher.opts.registryClient
+	if client == nil {
+		c, err := pusher.newRegistryClient()
+		if err != nil {
+			return err
+		}
+		client = c
+	}
+
+	chartBytes, err := os.ReadFile(chartRef)
+	if err != nil {
+		return err
+	}
+
+	var pushOpts []registry.PushOption
+	provRef := fmt.Sprintf("%s.prov", chartRef)
+	if _, err := os.Stat(provRef); err == nil {
+		provBytes, err := os.ReadFile(provRef)
+		if err != nil {
+			return err
+		}
+		pushOpts = append(pushOpts, registry.PushOptProvData(provBytes))
+	}
+
+	ref := fmt.Sprintf("%s:%s",
+		path.Join(strings.TrimPrefix(href, fmt.Sprintf("%s://", registry.OCIScheme)), meta.Metadata.Name),
+		meta.Metadata.Version)
+
+	// The time the chart was "created" is semantically the time the chart archive file was last written(modified)
+	chartArchiveFileCreatedTime := ctime.Modified(stat)
+	pushOpts = append(pushOpts, registry.PushOptCreationTime(chartArchiveFileCreatedTime.Format(time.RFC3339)))
+
+	_, err = client.Push(chartBytes, ref, pushOpts...)
+	return err
+}
+
+// NewOCIPusher constructs a valid OCI client as a Pusher
+func NewOCIPusher(ops ...Option) (Pusher, error) {
+	var client OCIPusher
+
+	for _, opt := range ops {
+		opt(&client.opts)
+	}
+
+	return &client, nil
+}
+
+func (pusher *OCIPusher) newRegistryClient() (*registry.Client, error) {
+	if (pusher.opts.certFile != "" && pusher.opts.keyFile != "") || pusher.opts.caFile != "" || pusher.opts.insecureSkipTLSverify {
+		tlsConf, err := tlsutil.NewClientTLS(pusher.opts.certFile, pusher.opts.keyFile, pusher.opts.caFile, pusher.opts.insecureSkipTLSverify)
+		if err != nil {
+			return nil, errors.Wrap(err, "can't create TLS config for client")
+		}
+
+		registryClient, err := registry.NewClient(
+			registry.ClientOptHTTPClient(&http.Client{
+				// From https://github.com/google/go-containerregistry/blob/31786c6cbb82d6ec4fb8eb79cd9387905130534e/pkg/v1/remote/options.go#L87
+				Transport: &http.Transport{
+					Proxy: http.ProxyFromEnvironment,
+					DialContext: (&net.Dialer{
+						// By default we wrap the transport in retries, so reduce the
+						// default dial timeout to 5s to avoid 5x 30s of connection
+						// timeouts when doing the "ping" on certain http registries.
+						Timeout:   5 * time.Second,
+						KeepAlive: 30 * time.Second,
+					}).DialContext,
+					ForceAttemptHTTP2:     true,
+					MaxIdleConns:          100,
+					IdleConnTimeout:       90 * time.Second,
+					TLSHandshakeTimeout:   10 * time.Second,
+					ExpectContinueTimeout: 1 * time.Second,
+					TLSClientConfig:       tlsConf,
+				},
+			}),
+			registry.ClientOptEnableCache(true),
+		)
+		if err != nil {
+			return nil, err
+		}
+		return registryClient, nil
+	}
+
+	opts := []registry.ClientOption{registry.ClientOptEnableCache(true)}
+	if pusher.opts.plainHTTP {
+		opts = append(opts, registry.ClientOptPlainHTTP())
+	}
+
+	registryClient, err := registry.NewClient(opts...)
+	if err != nil {
+		return nil, err
+	}
+	return registryClient, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/pusher/pusher.go b/vendor/helm.sh/helm/v3/pkg/pusher/pusher.go
new file mode 100644
index 0000000000..5b8a9160f0
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/pusher/pusher.go
@@ -0,0 +1,122 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pusher
+
+import (
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+// options are generic parameters to be provided to the pusher during instantiation.
+//
+// Pushers may or may not ignore these parameters as they are passed in.
+type options struct {
+	registryClient        *registry.Client
+	certFile              string
+	keyFile               string
+	caFile                string
+	insecureSkipTLSverify bool
+	plainHTTP             bool
+}
+
+// Option allows specifying various settings configurable by the user for overriding the defaults
+// used when performing Push operations with the Pusher.
+type Option func(*options)
+
+// WithRegistryClient sets the registryClient option.
+func WithRegistryClient(client *registry.Client) Option {
+	return func(opts *options) {
+		opts.registryClient = client
+	}
+}
+
+// WithTLSClientConfig sets the client auth with the provided credentials.
+func WithTLSClientConfig(certFile, keyFile, caFile string) Option {
+	return func(opts *options) {
+		opts.certFile = certFile
+		opts.keyFile = keyFile
+		opts.caFile = caFile
+	}
+}
+
+// WithInsecureSkipTLSVerify determines if a TLS Certificate will be checked
+func WithInsecureSkipTLSVerify(insecureSkipTLSVerify bool) Option {
+	return func(opts *options) {
+		opts.insecureSkipTLSverify = insecureSkipTLSVerify
+	}
+}
+
+func WithPlainHTTP(plainHTTP bool) Option {
+	return func(opts *options) {
+		opts.plainHTTP = plainHTTP
+	}
+}
+
+// Pusher is an interface to support upload to the specified URL.
+type Pusher interface {
+	// Push file content by url string
+	Push(chartRef, url string, options ...Option) error
+}
+
+// Constructor is the function for every pusher which creates a specific instance
+// according to the configuration
+type Constructor func(options ...Option) (Pusher, error)
+
+// Provider represents any pusher and the schemes that it supports.
+type Provider struct {
+	Schemes []string
+	New     Constructor
+}
+
+// Provides returns true if the given scheme is supported by this Provider.
+func (p Provider) Provides(scheme string) bool {
+	for _, i := range p.Schemes {
+		if i == scheme {
+			return true
+		}
+	}
+	return false
+}
+
+// Providers is a collection of Provider objects.
+type Providers []Provider
+
+// ByScheme returns a Provider that handles the given scheme.
+//
+// If no provider handles this scheme, this will return an error.
+func (p Providers) ByScheme(scheme string) (Pusher, error) {
+	for _, pp := range p {
+		if pp.Provides(scheme) {
+			return pp.New()
+		}
+	}
+	return nil, errors.Errorf("scheme %q not supported", scheme)
+}
+
+var ociProvider = Provider{
+	Schemes: []string{registry.OCIScheme},
+	New:     NewOCIPusher,
+}
+
+// All finds all of the registered pushers as a list of Provider instances.
+// Currently, just the built-in pushers are collected.
+func All(_ *cli.EnvSettings) Providers {
+	result := Providers{ociProvider}
+	return result
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/registry/client.go b/vendor/helm.sh/helm/v3/pkg/registry/client.go
new file mode 100644
index 0000000000..8818f5763b
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/registry/client.go
@@ -0,0 +1,985 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry // import "helm.sh/helm/v3/pkg/registry"
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"sort"
+	"strings"
+	"sync"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/containerd/containerd/remotes"
+	"github.com/opencontainers/image-spec/specs-go"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"oras.land/oras-go/v2"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/content/memory"
+	"oras.land/oras-go/v2/registry"
+	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/credentials"
+	"oras.land/oras-go/v2/registry/remote/retry"
+
+	"helm.sh/helm/v3/internal/version"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/helmpath"
+)
+
+// See https://github.com/helm/helm/issues/10166
+const registryUnderscoreMessage = `
+OCI artifact references (e.g. tags) do not support the plus sign (+). To support
+storing semantic versions, Helm adopts the convention of changing plus (+) to
+an underscore (_) in chart version tags when pushing to a registry and back to
+a plus (+) when pulling from a registry.`
+
+var errDeprecatedRemote = errors.New("providing github.com/containerd/containerd/remotes.Resolver via ClientOptResolver is no longer suported")
+
+type (
+	// RemoteClient shadows the ORAS remote.Client interface
+	// (hiding the ORAS type from Helm client visibility)
+	// https://pkg.go.dev/oras.land/oras-go/pkg/registry/remote#Client
+	RemoteClient interface {
+		Do(req *http.Request) (*http.Response, error)
+	}
+
+	// Client works with OCI-compliant registries
+	Client struct {
+		debug       bool
+		enableCache bool
+		// path to repository config file e.g. ~/.docker/config.json
+		credentialsFile    string
+		username           string
+		password           string
+		out                io.Writer
+		authorizer         *auth.Client
+		registryAuthorizer RemoteClient
+		credentialsStore   credentials.Store
+		httpClient         *http.Client
+		plainHTTP          bool
+		err                error // pass any errors from the ClientOption functions
+
+		// credentialsFileTemp captures if the empty file / EOF work around is being used.
+		credentialsFileTemp bool
+	}
+
+	// ClientOption allows specifying various settings configurable by the user for overriding the defaults
+	// used when creating a new default client
+	ClientOption func(*Client)
+)
+
+// NewClient returns a new registry client with config
+func NewClient(options ...ClientOption) (*Client, error) {
+	client := &Client{
+		out: io.Discard,
+	}
+	for _, option := range options {
+		option(client)
+		if client.err != nil {
+			return nil, client.err
+		}
+	}
+	if client.credentialsFile == "" {
+		client.credentialsFile = helmpath.ConfigPath(CredentialsFileBasename)
+	}
+	if client.httpClient == nil {
+		transport := newTransport(client.debug)
+		client.httpClient = &http.Client{
+			Transport: transport,
+		}
+	}
+
+	storeOptions := credentials.StoreOptions{
+		AllowPlaintextPut:        true,
+		DetectDefaultNativeStore: true,
+	}
+	store, err := credentials.NewStore(client.credentialsFile, storeOptions)
+	if err != nil {
+		// If the file exists and is empty there will be an EOF error. This error is not wrapped so
+		// a check with errors.Is will not work. The only way to capture it is an EOF error is
+		// with string parsing.
+		// This handling passes no file location which will cause NewStore to invoke its
+		// fault tolerance for a file not existing. A bool records this bypass so that if the
+		// credential store needs to be written to it this work around can be handled. See the
+		// Login method for more details.
+		if strings.Contains(err.Error(), "invalid config format: EOF") {
+			var err2 error
+			store, err2 = credentials.NewStore("", storeOptions)
+			if err2 != nil {
+				return nil, err
+			}
+			client.credentialsFileTemp = true
+		} else {
+			return nil, err
+		}
+	}
+	dockerStore, err := credentials.NewStoreFromDocker(storeOptions)
+	if err != nil {
+		client.credentialsStore = store
+	} else {
+		// use Helm credentials with fallback to Docker
+		client.credentialsStore = credentials.NewStoreWithFallbacks(store, dockerStore)
+	}
+
+	if client.authorizer == nil {
+		authorizer := auth.Client{
+			Client: client.httpClient,
+		}
+		authorizer.SetUserAgent(version.GetUserAgent())
+
+		authorizer.Credential = credentials.Credential(client.credentialsStore)
+
+		if client.enableCache {
+			authorizer.Cache = auth.NewCache()
+		}
+
+		client.authorizer = &authorizer
+	}
+
+	return client, nil
+}
+
+// ClientOptDebug returns a function that sets the debug setting on client options set
+func ClientOptDebug(debug bool) ClientOption {
+	return func(client *Client) {
+		client.debug = debug
+	}
+}
+
+// ClientOptEnableCache returns a function that sets the enableCache setting on a client options set
+func ClientOptEnableCache(enableCache bool) ClientOption {
+	return func(client *Client) {
+		client.enableCache = enableCache
+	}
+}
+
+// ClientOptBasicAuth returns a function that sets the username and password setting on client options set
+func ClientOptBasicAuth(username, password string) ClientOption {
+	return func(client *Client) {
+		client.username = username
+		client.password = password
+	}
+}
+
+// ClientOptWriter returns a function that sets the writer setting on client options set
+func ClientOptWriter(out io.Writer) ClientOption {
+	return func(client *Client) {
+		client.out = out
+	}
+}
+
+// ClientOptAuthorizer returns a function that sets the authorizer setting on a client options set. This
+// can be used to override the default authorization mechanism.
+//
+// Depending on the use-case you may need to set both ClientOptAuthorizer and ClientOptRegistryAuthorizer.
+func ClientOptAuthorizer(authorizer auth.Client) ClientOption {
+	return func(client *Client) {
+		client.authorizer = &authorizer
+	}
+}
+
+// ClientOptRegistryAuthorizer returns a function that sets the registry authorizer setting on a client options set. This
+// can be used to override the default authorization mechanism.
+//
+// Depending on the use-case you may need to set both ClientOptAuthorizer and ClientOptRegistryAuthorizer.
+func ClientOptRegistryAuthorizer(registryAuthorizer RemoteClient) ClientOption {
+	return func(client *Client) {
+		client.registryAuthorizer = registryAuthorizer
+	}
+}
+
+// ClientOptCredentialsFile returns a function that sets the credentialsFile setting on a client options set
+func ClientOptCredentialsFile(credentialsFile string) ClientOption {
+	return func(client *Client) {
+		client.credentialsFile = credentialsFile
+	}
+}
+
+// ClientOptHTTPClient returns a function that sets the httpClient setting on a client options set
+func ClientOptHTTPClient(httpClient *http.Client) ClientOption {
+	return func(client *Client) {
+		client.httpClient = httpClient
+	}
+}
+
+func ClientOptPlainHTTP() ClientOption {
+	return func(c *Client) {
+		c.plainHTTP = true
+	}
+}
+
+func ClientOptResolver(_ remotes.Resolver) ClientOption {
+	return func(c *Client) {
+		c.err = errDeprecatedRemote
+	}
+}
+
+type (
+	// LoginOption allows specifying various settings on login
+	LoginOption func(*loginOperation)
+
+	loginOperation struct {
+		host   string
+		client *Client
+	}
+)
+
+// Deprecated: will be removed in Helm 4
+// Added for backwards compatibility for Helm < 3.18.0 after moving to ORAS v2
+// ref: https://github.com/helm/helm/issues/30873
+// TODO: document that Helm 4 `registry login` does accept full URLs
+func (c *Client) stripURL(host string) string {
+	// strip scheme from host in URL
+	for _, s := range []string{"oci://", "http://", "https://"} {
+		if strings.HasPrefix(host, s) {
+			plain := strings.TrimPrefix(host, s)
+			if c.debug {
+				fmt.Fprintf(c.out, "[WARNING] Invalid registry passed: registries should NOT be prefixed with a URL scheme. Use %q instead\n", plain)
+			}
+			host = plain
+			break
+		}
+	}
+	// strip repo from registry in URL
+	if idx := strings.Index(host, "/"); idx != -1 {
+		host = host[:idx]
+		if c.debug {
+			fmt.Fprintf(c.out, "[WARNING] Invalid registry passed: registries should NOT include a repository. Use %q instead\n", host)
+		}
+		return host
+	}
+
+	return host
+}
+
+// Login logs into a registry
+func (c *Client) Login(host string, options ...LoginOption) error {
+	// This is the lowest available point to strip incorrect URL parts
+	host = c.stripURL(host)
+
+	for _, option := range options {
+		option(&loginOperation{host, c})
+	}
+
+	reg, err := remote.NewRegistry(host)
+	if err != nil {
+		return err
+	}
+	reg.PlainHTTP = c.plainHTTP
+	cred := auth.Credential{Username: c.username, Password: c.password}
+	c.authorizer.ForceAttemptOAuth2 = true
+	reg.Client = c.authorizer
+
+	ctx := context.Background()
+	if err := reg.Ping(ctx); err != nil {
+		c.authorizer.ForceAttemptOAuth2 = false
+		if err := reg.Ping(ctx); err != nil {
+			return fmt.Errorf("authenticating to %q: %w", host, err)
+		}
+	}
+
+	// The credentialsStore loader does not handle empty files. So, there is a workaround.
+	// This can be removed when the credentials loader can handle empty files.
+	// When Helm catches an empty file error it causes the loader to trigger its fault
+	// tolerance for a file not existing and records it with a bool. If that bool is set and the
+	// file needs to be written, the file needs to be put into a usable state and loaded
+	// properly.
+	// See the NewClient function for the bypass setup.
+	if c.credentialsFileTemp {
+		err = os.WriteFile(c.credentialsFile, []byte("{}"), 0600)
+		if err != nil {
+			return err
+		}
+		storeOptions := credentials.StoreOptions{
+			AllowPlaintextPut:        true,
+			DetectDefaultNativeStore: true,
+		}
+		store, err := credentials.NewStore(c.credentialsFile, storeOptions)
+		if err != nil {
+			return err
+		}
+		c.credentialsStore = store
+		c.credentialsFileTemp = false
+	}
+
+	key := credentials.ServerAddressFromRegistry(host)
+	key = credentials.ServerAddressFromHostname(key)
+	if err := c.credentialsStore.Put(ctx, key, cred); err != nil {
+		return err
+	}
+
+	fmt.Fprintln(c.out, "Login Succeeded")
+	return nil
+}
+
+// LoginOptBasicAuth returns a function that sets the username/password settings on login
+func LoginOptBasicAuth(username string, password string) LoginOption {
+	return func(o *loginOperation) {
+		o.client.username = username
+		o.client.password = password
+		o.client.authorizer.Credential = auth.StaticCredential(o.host, auth.Credential{Username: username, Password: password})
+	}
+}
+
+// LoginOptPlainText returns a function that allows plaintext (HTTP) login
+func LoginOptPlainText(isPlainText bool) LoginOption {
+	return func(o *loginOperation) {
+		o.client.plainHTTP = isPlainText
+	}
+}
+
+func ensureTLSConfig(client *auth.Client) (*tls.Config, error) {
+	var transport *http.Transport
+
+	switch t := client.Client.Transport.(type) {
+	case *http.Transport:
+		transport = t
+	case *fallbackTransport:
+		switch t := t.Base.(type) {
+		case *http.Transport:
+			transport = t
+		case *retry.Transport:
+			switch t := t.Base.(type) {
+			case *http.Transport:
+				transport = t
+			case *LoggingTransport:
+				switch t := t.RoundTripper.(type) {
+				case *http.Transport:
+					transport = t
+				}
+			}
+		}
+	}
+
+	if transport == nil {
+		// we don't know how to access the http.Transport, most likely the
+		// auth.Client.Client was provided by API user
+		return nil, fmt.Errorf("unable to access TLS client configuration, the provided HTTP Transport is not supported, given: %T", client.Client.Transport)
+	}
+
+	if transport.TLSClientConfig == nil {
+		transport.TLSClientConfig = &tls.Config{}
+	}
+
+	return transport.TLSClientConfig, nil
+}
+
+// LoginOptInsecure returns a function that sets the insecure setting on login
+func LoginOptInsecure(insecure bool) LoginOption {
+	return func(o *loginOperation) {
+		tlsConfig, err := ensureTLSConfig(o.client.authorizer)
+
+		if err != nil {
+			panic(err)
+		}
+
+		tlsConfig.InsecureSkipVerify = insecure
+	}
+}
+
+// LoginOptTLSClientConfig returns a function that sets the TLS settings on login.
+func LoginOptTLSClientConfig(certFile, keyFile, caFile string) LoginOption {
+	return func(o *loginOperation) {
+		if (certFile == "" || keyFile == "") && caFile == "" {
+			return
+		}
+		tlsConfig, err := ensureTLSConfig(o.client.authorizer)
+		if err != nil {
+			panic(err)
+		}
+
+		if certFile != "" && keyFile != "" {
+			authCert, err := tls.LoadX509KeyPair(certFile, keyFile)
+			if err != nil {
+				panic(err)
+			}
+			tlsConfig.Certificates = []tls.Certificate{authCert}
+		}
+
+		if caFile != "" {
+			certPool := x509.NewCertPool()
+			ca, err := os.ReadFile(caFile)
+			if err != nil {
+				panic(err)
+			}
+			if !certPool.AppendCertsFromPEM(ca) {
+				panic(fmt.Errorf("unable to parse CA file: %q", caFile))
+			}
+			tlsConfig.RootCAs = certPool
+		}
+	}
+}
+
+type (
+	// LogoutOption allows specifying various settings on logout
+	LogoutOption func(*logoutOperation)
+
+	logoutOperation struct{}
+)
+
+// Logout logs out of a registry
+func (c *Client) Logout(host string, opts ...LogoutOption) error {
+	operation := &logoutOperation{}
+	for _, opt := range opts {
+		opt(operation)
+	}
+
+	if err := credentials.Logout(context.Background(), c.credentialsStore, host); err != nil {
+		return err
+	}
+	fmt.Fprintf(c.out, "Removing login credentials for %s\n", host)
+	return nil
+}
+
+type (
+	// PullOption allows specifying various settings on pull
+	PullOption func(*pullOperation)
+
+	// PullResult is the result returned upon successful pull.
+	PullResult struct {
+		Manifest *DescriptorPullSummary         `json:"manifest"`
+		Config   *DescriptorPullSummary         `json:"config"`
+		Chart    *DescriptorPullSummaryWithMeta `json:"chart"`
+		Prov     *DescriptorPullSummary         `json:"prov"`
+		Ref      string                         `json:"ref"`
+	}
+
+	DescriptorPullSummary struct {
+		Data   []byte `json:"-"`
+		Digest string `json:"digest"`
+		Size   int64  `json:"size"`
+	}
+
+	DescriptorPullSummaryWithMeta struct {
+		DescriptorPullSummary
+		Meta *chart.Metadata `json:"meta"`
+	}
+
+	pullOperation struct {
+		withChart         bool
+		withProv          bool
+		ignoreMissingProv bool
+	}
+)
+
+// Pull downloads a chart from a registry
+func (c *Client) Pull(ref string, options ...PullOption) (*PullResult, error) {
+	parsedRef, err := newReference(ref)
+	if err != nil {
+		return nil, err
+	}
+
+	operation := &pullOperation{
+		withChart: true, // By default, always download the chart layer
+	}
+	for _, option := range options {
+		option(operation)
+	}
+	if !operation.withChart && !operation.withProv {
+		return nil, errors.New(
+			"must specify at least one layer to pull (chart/prov)")
+	}
+	memoryStore := memory.New()
+	allowedMediaTypes := []string{
+		ocispec.MediaTypeImageManifest,
+		ConfigMediaType,
+	}
+	minNumDescriptors := 1 // 1 for the config
+	if operation.withChart {
+		minNumDescriptors++
+		allowedMediaTypes = append(allowedMediaTypes, ChartLayerMediaType, LegacyChartLayerMediaType)
+	}
+	if operation.withProv {
+		if !operation.ignoreMissingProv {
+			minNumDescriptors++
+		}
+		allowedMediaTypes = append(allowedMediaTypes, ProvLayerMediaType)
+	}
+
+	var descriptors, layers []ocispec.Descriptor
+
+	repository, err := remote.NewRepository(parsedRef.String())
+	if err != nil {
+		return nil, err
+	}
+	repository.PlainHTTP = c.plainHTTP
+	repository.Client = c.authorizer
+
+	ctx := context.Background()
+
+	sort.Strings(allowedMediaTypes)
+
+	var mu sync.Mutex
+	manifest, err := oras.Copy(ctx, repository, parsedRef.String(), memoryStore, "", oras.CopyOptions{
+		CopyGraphOptions: oras.CopyGraphOptions{
+			PreCopy: func(_ context.Context, desc ocispec.Descriptor) error {
+				mediaType := desc.MediaType
+				if i := sort.SearchStrings(allowedMediaTypes, mediaType); i >= len(allowedMediaTypes) || allowedMediaTypes[i] != mediaType {
+					return oras.SkipNode
+				}
+
+				mu.Lock()
+				layers = append(layers, desc)
+				mu.Unlock()
+				return nil
+			},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	descriptors = append(descriptors, layers...)
+
+	numDescriptors := len(descriptors)
+	if numDescriptors < minNumDescriptors {
+		return nil, fmt.Errorf("manifest does not contain minimum number of descriptors (%d), descriptors found: %d",
+			minNumDescriptors, numDescriptors)
+	}
+	var configDescriptor *ocispec.Descriptor
+	var chartDescriptor *ocispec.Descriptor
+	var provDescriptor *ocispec.Descriptor
+	for _, descriptor := range descriptors {
+		d := descriptor
+		switch d.MediaType {
+		case ConfigMediaType:
+			configDescriptor = &d
+		case ChartLayerMediaType:
+			chartDescriptor = &d
+		case ProvLayerMediaType:
+			provDescriptor = &d
+		case LegacyChartLayerMediaType:
+			chartDescriptor = &d
+			fmt.Fprintf(c.out, "Warning: chart media type %s is deprecated\n", LegacyChartLayerMediaType)
+		}
+	}
+	if configDescriptor == nil {
+		return nil, fmt.Errorf("could not load config with mediatype %s", ConfigMediaType)
+	}
+	if operation.withChart && chartDescriptor == nil {
+		return nil, fmt.Errorf("manifest does not contain a layer with mediatype %s",
+			ChartLayerMediaType)
+	}
+	var provMissing bool
+	if operation.withProv && provDescriptor == nil {
+		if operation.ignoreMissingProv {
+			provMissing = true
+		} else {
+			return nil, fmt.Errorf("manifest does not contain a layer with mediatype %s",
+				ProvLayerMediaType)
+		}
+	}
+	result := &PullResult{
+		Manifest: &DescriptorPullSummary{
+			Digest: manifest.Digest.String(),
+			Size:   manifest.Size,
+		},
+		Config: &DescriptorPullSummary{
+			Digest: configDescriptor.Digest.String(),
+			Size:   configDescriptor.Size,
+		},
+		Chart: &DescriptorPullSummaryWithMeta{},
+		Prov:  &DescriptorPullSummary{},
+		Ref:   parsedRef.String(),
+	}
+
+	result.Manifest.Data, err = content.FetchAll(ctx, memoryStore, manifest)
+	if err != nil {
+		return nil, fmt.Errorf("unable to retrieve blob with digest %s: %w", manifest.Digest, err)
+	}
+
+	result.Config.Data, err = content.FetchAll(ctx, memoryStore, *configDescriptor)
+	if err != nil {
+		return nil, fmt.Errorf("unable to retrieve blob with digest %s: %w", configDescriptor.Digest, err)
+	}
+
+	if err := json.Unmarshal(result.Config.Data, &result.Chart.Meta); err != nil {
+		return nil, err
+	}
+
+	if operation.withChart {
+		result.Chart.Data, err = content.FetchAll(ctx, memoryStore, *chartDescriptor)
+		if err != nil {
+			return nil, fmt.Errorf("unable to retrieve blob with digest %s: %w", chartDescriptor.Digest, err)
+		}
+		result.Chart.Digest = chartDescriptor.Digest.String()
+		result.Chart.Size = chartDescriptor.Size
+	}
+
+	if operation.withProv && !provMissing {
+		result.Prov.Data, err = content.FetchAll(ctx, memoryStore, *provDescriptor)
+		if err != nil {
+			return nil, fmt.Errorf("unable to retrieve blob with digest %s: %w", provDescriptor.Digest, err)
+		}
+		result.Prov.Digest = provDescriptor.Digest.String()
+		result.Prov.Size = provDescriptor.Size
+	}
+
+	fmt.Fprintf(c.out, "Pulled: %s\n", result.Ref)
+	fmt.Fprintf(c.out, "Digest: %s\n", result.Manifest.Digest)
+
+	if strings.Contains(result.Ref, "_") {
+		fmt.Fprintf(c.out, "%s contains an underscore.\n", result.Ref)
+		fmt.Fprint(c.out, registryUnderscoreMessage+"\n")
+	}
+
+	return result, nil
+}
+
+// PullOptWithChart returns a function that sets the withChart setting on pull
+func PullOptWithChart(withChart bool) PullOption {
+	return func(operation *pullOperation) {
+		operation.withChart = withChart
+	}
+}
+
+// PullOptWithProv returns a function that sets the withProv setting on pull
+func PullOptWithProv(withProv bool) PullOption {
+	return func(operation *pullOperation) {
+		operation.withProv = withProv
+	}
+}
+
+// PullOptIgnoreMissingProv returns a function that sets the ignoreMissingProv setting on pull
+func PullOptIgnoreMissingProv(ignoreMissingProv bool) PullOption {
+	return func(operation *pullOperation) {
+		operation.ignoreMissingProv = ignoreMissingProv
+	}
+}
+
+type (
+	// PushOption allows specifying various settings on push
+	PushOption func(*pushOperation)
+
+	// PushResult is the result returned upon successful push.
+	PushResult struct {
+		Manifest *descriptorPushSummary         `json:"manifest"`
+		Config   *descriptorPushSummary         `json:"config"`
+		Chart    *descriptorPushSummaryWithMeta `json:"chart"`
+		Prov     *descriptorPushSummary         `json:"prov"`
+		Ref      string                         `json:"ref"`
+	}
+
+	descriptorPushSummary struct {
+		Digest string `json:"digest"`
+		Size   int64  `json:"size"`
+	}
+
+	descriptorPushSummaryWithMeta struct {
+		descriptorPushSummary
+		Meta *chart.Metadata `json:"meta"`
+	}
+
+	pushOperation struct {
+		provData     []byte
+		strictMode   bool
+		creationTime string
+	}
+)
+
+// Push uploads a chart to a registry.
+func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResult, error) {
+	parsedRef, err := newReference(ref)
+	if err != nil {
+		return nil, err
+	}
+
+	operation := &pushOperation{
+		strictMode: true, // By default, enable strict mode
+	}
+	for _, option := range options {
+		option(operation)
+	}
+	meta, err := extractChartMeta(data)
+	if err != nil {
+		return nil, err
+	}
+	if operation.strictMode {
+		if !strings.HasSuffix(ref, fmt.Sprintf("/%s:%s", meta.Name, meta.Version)) {
+			return nil, errors.New(
+				"strict mode enabled, ref basename and tag must match the chart name and version")
+		}
+	}
+
+	ctx := context.Background()
+
+	memoryStore := memory.New()
+	chartDescriptor, err := oras.PushBytes(ctx, memoryStore, ChartLayerMediaType, data)
+	if err != nil {
+		return nil, err
+	}
+
+	configData, err := json.Marshal(meta)
+	if err != nil {
+		return nil, err
+	}
+
+	configDescriptor, err := oras.PushBytes(ctx, memoryStore, ConfigMediaType, configData)
+	if err != nil {
+		return nil, err
+	}
+
+	layers := []ocispec.Descriptor{chartDescriptor}
+	var provDescriptor ocispec.Descriptor
+	if operation.provData != nil {
+		provDescriptor, err = oras.PushBytes(ctx, memoryStore, ProvLayerMediaType, operation.provData)
+		if err != nil {
+			return nil, err
+		}
+
+		layers = append(layers, provDescriptor)
+	}
+
+	// sort layers for determinism, similar to how ORAS v1 does it
+	sort.Slice(layers, func(i, j int) bool {
+		return layers[i].Digest < layers[j].Digest
+	})
+
+	ociAnnotations := generateOCIAnnotations(meta, operation.creationTime)
+
+	manifestDescriptor, err := c.tagManifest(ctx, memoryStore, configDescriptor,
+		layers, ociAnnotations, parsedRef)
+	if err != nil {
+		return nil, err
+	}
+
+	repository, err := remote.NewRepository(parsedRef.String())
+	if err != nil {
+		return nil, err
+	}
+	repository.PlainHTTP = c.plainHTTP
+	repository.Client = c.authorizer
+
+	manifestDescriptor, err = oras.ExtendedCopy(ctx, memoryStore, parsedRef.String(), repository, parsedRef.String(), oras.DefaultExtendedCopyOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	chartSummary := &descriptorPushSummaryWithMeta{
+		Meta: meta,
+	}
+	chartSummary.Digest = chartDescriptor.Digest.String()
+	chartSummary.Size = chartDescriptor.Size
+	result := &PushResult{
+		Manifest: &descriptorPushSummary{
+			Digest: manifestDescriptor.Digest.String(),
+			Size:   manifestDescriptor.Size,
+		},
+		Config: &descriptorPushSummary{
+			Digest: configDescriptor.Digest.String(),
+			Size:   configDescriptor.Size,
+		},
+		Chart: chartSummary,
+		Prov:  &descriptorPushSummary{}, // prevent nil references
+		Ref:   parsedRef.String(),
+	}
+	if operation.provData != nil {
+		result.Prov = &descriptorPushSummary{
+			Digest: provDescriptor.Digest.String(),
+			Size:   provDescriptor.Size,
+		}
+	}
+	fmt.Fprintf(c.out, "Pushed: %s\n", result.Ref)
+	fmt.Fprintf(c.out, "Digest: %s\n", result.Manifest.Digest)
+	if strings.Contains(parsedRef.orasReference.Reference, "_") {
+		fmt.Fprintf(c.out, "%s contains an underscore.\n", result.Ref)
+		fmt.Fprint(c.out, registryUnderscoreMessage+"\n")
+	}
+
+	return result, err
+}
+
+// PushOptProvData returns a function that sets the prov bytes setting on push
+func PushOptProvData(provData []byte) PushOption {
+	return func(operation *pushOperation) {
+		operation.provData = provData
+	}
+}
+
+// PushOptStrictMode returns a function that sets the strictMode setting on push
+func PushOptStrictMode(strictMode bool) PushOption {
+	return func(operation *pushOperation) {
+		operation.strictMode = strictMode
+	}
+}
+
+// PushOptCreationDate returns a function that sets the creation time
+func PushOptCreationTime(creationTime string) PushOption {
+	return func(operation *pushOperation) {
+		operation.creationTime = creationTime
+	}
+}
+
+// Tags provides a sorted list all semver compliant tags for a given repository
+func (c *Client) Tags(ref string) ([]string, error) {
+	parsedReference, err := registry.ParseReference(ref)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	repository, err := remote.NewRepository(parsedReference.String())
+	if err != nil {
+		return nil, err
+	}
+	repository.PlainHTTP = c.plainHTTP
+	repository.Client = c.authorizer
+
+	var tagVersions []*semver.Version
+	err = repository.Tags(ctx, "", func(tags []string) error {
+		for _, tag := range tags {
+			// Change underscore (_) back to plus (+) for Helm
+			// See https://github.com/helm/helm/issues/10166
+			tagVersion, err := semver.StrictNewVersion(strings.ReplaceAll(tag, "_", "+"))
+			if err == nil {
+				tagVersions = append(tagVersions, tagVersion)
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Sort the collection
+	sort.Sort(sort.Reverse(semver.Collection(tagVersions)))
+
+	tags := make([]string, len(tagVersions))
+
+	for iTv, tv := range tagVersions {
+		tags[iTv] = tv.String()
+	}
+
+	return tags, nil
+
+}
+
+// Resolve a reference to a descriptor.
+func (c *Client) Resolve(ref string) (desc ocispec.Descriptor, err error) {
+	remoteRepository, err := remote.NewRepository(ref)
+	if err != nil {
+		return desc, err
+	}
+	remoteRepository.PlainHTTP = c.plainHTTP
+
+	parsedReference, err := newReference(ref)
+	if err != nil {
+		return desc, err
+	}
+
+	ctx := context.Background()
+	parsedString := parsedReference.String()
+	return remoteRepository.Resolve(ctx, parsedString)
+}
+
+// ValidateReference for path and version
+func (c *Client) ValidateReference(ref, version string, u *url.URL) (*url.URL, error) {
+	var tag string
+
+	registryReference, err := newReference(u.Host + u.Path)
+	if err != nil {
+		return nil, err
+	}
+
+	if version == "" {
+		// Use OCI URI tag as default
+		version = registryReference.Tag
+	} else {
+		if registryReference.Tag != "" && registryReference.Tag != version {
+			return nil, errors.Errorf("chart reference and version mismatch: %s is not %s", version, registryReference.Tag)
+		}
+	}
+
+	if registryReference.Digest != "" {
+		if version == "" {
+			// Install by digest only
+			return u, nil
+		}
+		u.Path = fmt.Sprintf("%s@%s", registryReference.Repository, registryReference.Digest)
+
+		// Validate the tag if it was specified
+		path := registryReference.Registry + "/" + registryReference.Repository + ":" + version
+		desc, err := c.Resolve(path)
+		if err != nil {
+			// The resource does not have to be tagged when digest is specified
+			return u, nil
+		}
+		if desc.Digest.String() != registryReference.Digest {
+			return nil, errors.Errorf("chart reference digest mismatch: %s is not %s", desc.Digest.String(), registryReference.Digest)
+		}
+		return u, nil
+	}
+
+	// Evaluate whether an explicit version has been provided. Otherwise, determine version to use
+	_, errSemVer := semver.NewVersion(version)
+	if errSemVer == nil {
+		tag = version
+	} else {
+		// Retrieve list of repository tags
+		tags, err := c.Tags(strings.TrimPrefix(ref, fmt.Sprintf("%s://", OCIScheme)))
+		if err != nil {
+			return nil, err
+		}
+		if len(tags) == 0 {
+			return nil, errors.Errorf("Unable to locate any tags in provided repository: %s", ref)
+		}
+
+		// Determine if version provided
+		// If empty, try to get the highest available tag
+		// If exact version, try to find it
+		// If semver constraint string, try to find a match
+		tag, err = GetTagMatchingVersionOrConstraint(tags, version)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	u.Path = fmt.Sprintf("%s:%s", registryReference.Repository, tag)
+
+	return u, err
+}
+
+// tagManifest prepares and tags a manifest in memory storage
+func (c *Client) tagManifest(ctx context.Context, memoryStore *memory.Store,
+	configDescriptor ocispec.Descriptor, layers []ocispec.Descriptor,
+	ociAnnotations map[string]string, parsedRef reference) (ocispec.Descriptor, error) {
+
+	manifest := ocispec.Manifest{
+		Versioned:   specs.Versioned{SchemaVersion: 2},
+		Config:      configDescriptor,
+		Layers:      layers,
+		Annotations: ociAnnotations,
+	}
+
+	manifestData, err := json.Marshal(manifest)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+
+	return oras.TagBytes(ctx, memoryStore, ocispec.MediaTypeImageManifest,
+		manifestData, parsedRef.String())
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/registry/constants.go b/vendor/helm.sh/helm/v3/pkg/registry/constants.go
new file mode 100644
index 0000000000..570b6f0d3f
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/registry/constants.go
@@ -0,0 +1,37 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry // import "helm.sh/helm/v3/pkg/registry"
+
+const (
+	// OCIScheme is the URL scheme for OCI-based requests
+	OCIScheme = "oci"
+
+	// CredentialsFileBasename is the filename for auth credentials file
+	CredentialsFileBasename = "registry/config.json"
+
+	// ConfigMediaType is the reserved media type for the Helm chart manifest config
+	ConfigMediaType = "application/vnd.cncf.helm.config.v1+json"
+
+	// ChartLayerMediaType is the reserved media type for Helm chart package content
+	ChartLayerMediaType = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
+
+	// ProvLayerMediaType is the reserved media type for Helm chart provenance files
+	ProvLayerMediaType = "application/vnd.cncf.helm.chart.provenance.v1.prov"
+
+	// LegacyChartLayerMediaType is the legacy reserved media type for Helm chart package content.
+	LegacyChartLayerMediaType = "application/tar+gzip"
+)
diff --git a/vendor/helm.sh/helm/v3/pkg/registry/fallback.go b/vendor/helm.sh/helm/v3/pkg/registry/fallback.go
new file mode 100644
index 0000000000..1db7295764
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/registry/fallback.go
@@ -0,0 +1,60 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"crypto/tls"
+	"net/http"
+	"sync/atomic"
+)
+
+// NOTE(terryhowe): This fallback feature is only provided in v3 for backward
+// compatibility. ORAS v1 had this feature and this code was added when helm
+// updated to ORAS v2. This will not be supported in helm v4.
+
+type fallbackTransport struct {
+	Base      http.RoundTripper
+	forceHTTP atomic.Bool
+}
+
+func newTransport(debug bool) *fallbackTransport {
+	baseTransport := NewTransport(debug)
+	return &fallbackTransport{
+		Base: baseTransport,
+	}
+}
+
+// RoundTrip wraps base round trip with conditional insecure retry.
+func (t *fallbackTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if ok := t.forceHTTP.Load(); ok {
+		req.URL.Scheme = "http"
+		return t.Base.RoundTrip(req)
+	}
+	resp, err := t.Base.RoundTrip(req)
+	// We are falling back to http here for backward compatibility with Helm v3.
+	// ORAS v1 provided fallback automatically, but ORAS v2 does not.
+	if err != nil && req.URL.Scheme == "https" {
+		if tlsErr, ok := err.(tls.RecordHeaderError); ok {
+			if string(tlsErr.RecordHeader[:]) == "HTTP/" {
+				t.forceHTTP.Store(true)
+				req.URL.Scheme = "http"
+				return t.Base.RoundTrip(req)
+			}
+		}
+	}
+	return resp, err
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/registry/reference.go b/vendor/helm.sh/helm/v3/pkg/registry/reference.go
new file mode 100644
index 0000000000..b5677761da
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/registry/reference.go
@@ -0,0 +1,78 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"strings"
+
+	"oras.land/oras-go/v2/registry"
+)
+
+type reference struct {
+	orasReference registry.Reference
+	Registry      string
+	Repository    string
+	Tag           string
+	Digest        string
+}
+
+// newReference will parse and validate the reference, and clean tags when
+// applicable tags are only cleaned when plus (+) signs are present, and are
+// converted to underscores (_) before pushing
+// See https://github.com/helm/helm/issues/10166
+func newReference(raw string) (result reference, err error) {
+	// Remove oci:// prefix if it is there
+	raw = strings.TrimPrefix(raw, OCIScheme+"://")
+
+	// The sole possible reference modification is replacing plus (+) signs
+	// present in tags with underscores (_). To do this properly, we first
+	// need to identify a tag, and then pass it on to the reference parser
+	// NOTE: Passing immediately to the reference parser will fail since (+)
+	// signs are an invalid tag character, and simply replacing all plus (+)
+	// occurrences could invalidate other portions of the URI
+	lastIndex := strings.LastIndex(raw, "@")
+	if lastIndex >= 0 {
+		result.Digest = raw[(lastIndex + 1):]
+		raw = raw[:lastIndex]
+	}
+	parts := strings.Split(raw, ":")
+	if len(parts) > 1 && !strings.Contains(parts[len(parts)-1], "/") {
+		tag := parts[len(parts)-1]
+
+		if tag != "" {
+			// Replace any plus (+) signs with known underscore (_) conversion
+			newTag := strings.ReplaceAll(tag, "+", "_")
+			raw = strings.ReplaceAll(raw, tag, newTag)
+		}
+	}
+
+	result.orasReference, err = registry.ParseReference(raw)
+	if err != nil {
+		return result, err
+	}
+	result.Registry = result.orasReference.Registry
+	result.Repository = result.orasReference.Repository
+	result.Tag = result.orasReference.Reference
+	return result, nil
+}
+
+func (r *reference) String() string {
+	if r.Tag == "" {
+		return r.orasReference.String() + "@" + r.Digest
+	}
+	return r.orasReference.String()
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/registry/transport.go b/vendor/helm.sh/helm/v3/pkg/registry/transport.go
new file mode 100644
index 0000000000..4d8a59ac65
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/registry/transport.go
@@ -0,0 +1,187 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"log/slog"
+	"mime"
+	"net/http"
+	"os"
+	"strings"
+	"sync/atomic"
+
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+var (
+	// requestCount records the number of logged request-response pairs and will
+	// be used as the unique id for the next pair.
+	requestCount uint64
+
+	// toScrub is a set of headers that should be scrubbed from the log.
+	toScrub = []string{
+		"Authorization",
+		"Set-Cookie",
+	}
+)
+
+// payloadSizeLimit limits the maximum size of the response body to be printed.
+const payloadSizeLimit int64 = 16 * 1024 // 16 KiB
+
+// LoggingTransport is an http.RoundTripper that keeps track of the in-flight
+// request and add hooks to report HTTP tracing events.
+type LoggingTransport struct {
+	http.RoundTripper
+	logger *slog.Logger
+}
+
+// NewTransport creates and returns a new instance of LoggingTransport
+func NewTransport(debug bool) *retry.Transport {
+	type cloner[T any] interface {
+		Clone() T
+	}
+
+	// try to copy (clone) the http.DefaultTransport so any mutations we
+	// perform on it (e.g. TLS config) are not reflected globally
+	// follow https://github.com/golang/go/issues/39299 for a more elegant
+	// solution in the future
+	transport := http.DefaultTransport
+	if t, ok := transport.(cloner[*http.Transport]); ok {
+		transport = t.Clone()
+	} else if t, ok := transport.(cloner[http.RoundTripper]); ok {
+		// this branch will not be used with go 1.20, it was added
+		// optimistically to try to clone if the http.DefaultTransport
+		// implementation changes, still the Clone method in that case
+		// might not return http.RoundTripper...
+		transport = t.Clone()
+	}
+	if debug {
+		replace := func(groups []string, a slog.Attr) slog.Attr {
+			// Remove time.
+			if a.Key == slog.TimeKey && len(groups) == 0 {
+				return slog.Attr{}
+			}
+			return a
+		}
+		logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+			ReplaceAttr: replace,
+			Level:       slog.LevelDebug}))
+		transport = &LoggingTransport{RoundTripper: transport, logger: logger}
+	}
+
+	return retry.NewTransport(transport)
+}
+
+// RoundTrip calls base round trip while keeping track of the current request.
+func (t *LoggingTransport) RoundTrip(req *http.Request) (resp *http.Response, err error) {
+	id := atomic.AddUint64(&requestCount, 1) - 1
+
+	t.logger.Debug("Request", "id", id, "url", req.URL, "method", req.Method, "header", logHeader(req.Header))
+	resp, err = t.RoundTripper.RoundTrip(req)
+	if err != nil {
+		t.logger.Debug("Response", "id", id, "error", err)
+	} else if resp != nil {
+		t.logger.Debug("Response", "id", id, "status", resp.Status, "header", logHeader(resp.Header), "body", logResponseBody(resp))
+	} else {
+		t.logger.Debug("Response", "id", id, "response", "nil")
+	}
+
+	return resp, err
+}
+
+// logHeader prints out the provided header keys and values, with auth header scrubbed.
+func logHeader(header http.Header) string {
+	if len(header) > 0 {
+		headers := []string{}
+		for k, v := range header {
+			for _, h := range toScrub {
+				if strings.EqualFold(k, h) {
+					v = []string{"*****"}
+				}
+			}
+			headers = append(headers, fmt.Sprintf("   %q: %q", k, strings.Join(v, ", ")))
+		}
+		return strings.Join(headers, "\n")
+	}
+	return "   Empty header"
+}
+
+// logResponseBody prints out the response body if it is printable and within size limit.
+func logResponseBody(resp *http.Response) string {
+	if resp.Body == nil || resp.Body == http.NoBody {
+		return "   No response body to print"
+	}
+
+	// non-applicable body is not printed and remains untouched for subsequent processing
+	contentType := resp.Header.Get("Content-Type")
+	if contentType == "" {
+		return "   Response body without a content type is not printed"
+	}
+	if !isPrintableContentType(contentType) {
+		return fmt.Sprintf("   Response body of content type %q is not printed", contentType)
+	}
+
+	buf := bytes.NewBuffer(nil)
+	body := resp.Body
+	// restore the body by concatenating the read body with the remaining body
+	resp.Body = struct {
+		io.Reader
+		io.Closer
+	}{
+		Reader: io.MultiReader(buf, body),
+		Closer: body,
+	}
+	// read the body up to limit+1 to check if the body exceeds the limit
+	if _, err := io.CopyN(buf, body, payloadSizeLimit+1); err != nil && err != io.EOF {
+		return fmt.Sprintf("   Error reading response body: %v", err)
+	}
+
+	readBody := buf.String()
+	if len(readBody) == 0 {
+		return "   Response body is empty"
+	}
+	if containsCredentials(readBody) {
+		return "   Response body redacted due to potential credentials"
+	}
+	if len(readBody) > int(payloadSizeLimit) {
+		return readBody[:payloadSizeLimit] + "\n...(truncated)"
+	}
+	return readBody
+}
+
+// isPrintableContentType returns true if the contentType is printable.
+func isPrintableContentType(contentType string) bool {
+	mediaType, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		return false
+	}
+
+	switch mediaType {
+	case "application/json", // JSON types
+		"text/plain", "text/html": // text types
+		return true
+	}
+	return strings.HasSuffix(mediaType, "+json")
+}
+
+// containsCredentials returns true if the body contains potential credentials.
+func containsCredentials(body string) bool {
+	return strings.Contains(body, `"token"`) || strings.Contains(body, `"access_token"`)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/registry/util.go b/vendor/helm.sh/helm/v3/pkg/registry/util.go
new file mode 100644
index 0000000000..84ee698072
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/registry/util.go
@@ -0,0 +1,208 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry // import "helm.sh/helm/v3/pkg/registry"
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"helm.sh/helm/v3/internal/tlsutil"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	helmtime "helm.sh/helm/v3/pkg/time"
+
+	"github.com/Masterminds/semver/v3"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+var immutableOciAnnotations = []string{
+	ocispec.AnnotationVersion,
+	ocispec.AnnotationTitle,
+}
+
+// IsOCI determines whether a URL is to be treated as an OCI URL
+func IsOCI(url string) bool {
+	return strings.HasPrefix(url, fmt.Sprintf("%s://", OCIScheme))
+}
+
+// ContainsTag determines whether a tag is found in a provided list of tags
+func ContainsTag(tags []string, tag string) bool {
+	for _, t := range tags {
+		if tag == t {
+			return true
+		}
+	}
+	return false
+}
+
+func GetTagMatchingVersionOrConstraint(tags []string, versionString string) (string, error) {
+	var constraint *semver.Constraints
+	if versionString == "" {
+		// If string is empty, set wildcard constraint
+		constraint, _ = semver.NewConstraint("*")
+	} else {
+		// when customer inputs specific version, check whether there's an exact match first
+		for _, v := range tags {
+			if versionString == v {
+				return v, nil
+			}
+		}
+
+		// Otherwise set constraint to the string given
+		var err error
+		constraint, err = semver.NewConstraint(versionString)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	// Otherwise try to find the first available version matching the string,
+	// in case it is a constraint
+	for _, v := range tags {
+		test, err := semver.NewVersion(v)
+		if err != nil {
+			continue
+		}
+		if constraint.Check(test) {
+			return v, nil
+		}
+	}
+
+	return "", errors.Errorf("Could not locate a version matching provided version string %s", versionString)
+}
+
+// extractChartMeta is used to extract a chart metadata from a byte array
+func extractChartMeta(chartData []byte) (*chart.Metadata, error) {
+	ch, err := loader.LoadArchive(bytes.NewReader(chartData))
+	if err != nil {
+		return nil, err
+	}
+	return ch.Metadata, nil
+}
+
+// NewRegistryClientWithTLS is a helper function to create a new registry client with TLS enabled.
+func NewRegistryClientWithTLS(out io.Writer, certFile, keyFile, caFile string, insecureSkipTLSverify bool, registryConfig string, debug bool) (*Client, error) {
+	tlsConf, err := tlsutil.NewClientTLS(certFile, keyFile, caFile, insecureSkipTLSverify)
+	if err != nil {
+		return nil, fmt.Errorf("can't create TLS config for client: %s", err)
+	}
+	// Create a new registry client
+	registryClient, err := NewClient(
+		ClientOptDebug(debug),
+		ClientOptEnableCache(true),
+		ClientOptWriter(out),
+		ClientOptCredentialsFile(registryConfig),
+		ClientOptHTTPClient(&http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConf,
+				Proxy:           http.ProxyFromEnvironment,
+			},
+		}),
+	)
+	if err != nil {
+		return nil, err
+	}
+	return registryClient, nil
+}
+
+// generateOCIAnnotations will generate OCI annotations to include within the OCI manifest
+func generateOCIAnnotations(meta *chart.Metadata, creationTime string) map[string]string {
+
+	// Get annotations from Chart attributes
+	ociAnnotations := generateChartOCIAnnotations(meta, creationTime)
+
+	// Copy Chart annotations
+annotations:
+	for chartAnnotationKey, chartAnnotationValue := range meta.Annotations {
+
+		// Avoid overriding key properties
+		for _, immutableOciKey := range immutableOciAnnotations {
+			if immutableOciKey == chartAnnotationKey {
+				continue annotations
+			}
+		}
+
+		// Add chart annotation
+		ociAnnotations[chartAnnotationKey] = chartAnnotationValue
+	}
+
+	return ociAnnotations
+}
+
+// getChartOCIAnnotations will generate OCI annotations from the provided chart
+func generateChartOCIAnnotations(meta *chart.Metadata, creationTime string) map[string]string {
+	chartOCIAnnotations := map[string]string{}
+
+	chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationDescription, meta.Description)
+	chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationTitle, meta.Name)
+	chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationVersion, meta.Version)
+	chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationURL, meta.Home)
+
+	if len(creationTime) == 0 {
+		creationTime = helmtime.Now().UTC().Format(time.RFC3339)
+	}
+
+	chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationCreated, creationTime)
+
+	if len(meta.Sources) > 0 {
+		chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationSource, meta.Sources[0])
+	}
+
+	if len(meta.Maintainers) > 0 {
+		var maintainerSb strings.Builder
+
+		for maintainerIdx, maintainer := range meta.Maintainers {
+
+			if len(maintainer.Name) > 0 {
+				maintainerSb.WriteString(maintainer.Name)
+			}
+
+			if len(maintainer.Email) > 0 {
+				maintainerSb.WriteString(" (")
+				maintainerSb.WriteString(maintainer.Email)
+				maintainerSb.WriteString(")")
+			}
+
+			if maintainerIdx < len(meta.Maintainers)-1 {
+				maintainerSb.WriteString(", ")
+			}
+
+		}
+
+		chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationAuthors, maintainerSb.String())
+
+	}
+
+	return chartOCIAnnotations
+}
+
+// addToMap takes an existing map and adds an item if the value is not empty
+func addToMap(inputMap map[string]string, newKey string, newValue string) map[string]string {
+
+	// Add item to map if its
+	if len(strings.TrimSpace(newValue)) > 0 {
+		inputMap[newKey] = newValue
+	}
+
+	return inputMap
+
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/release/hook.go b/vendor/helm.sh/helm/v3/pkg/release/hook.go
new file mode 100644
index 0000000000..425074ac1d
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/release/hook.go
@@ -0,0 +1,122 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package release
+
+import (
+	"helm.sh/helm/v3/pkg/time"
+)
+
+// HookEvent specifies the hook event
+type HookEvent string
+
+// Hook event types
+const (
+	HookPreInstall   HookEvent = "pre-install"
+	HookPostInstall  HookEvent = "post-install"
+	HookPreDelete    HookEvent = "pre-delete"
+	HookPostDelete   HookEvent = "post-delete"
+	HookPreUpgrade   HookEvent = "pre-upgrade"
+	HookPostUpgrade  HookEvent = "post-upgrade"
+	HookPreRollback  HookEvent = "pre-rollback"
+	HookPostRollback HookEvent = "post-rollback"
+	HookTest         HookEvent = "test"
+)
+
+func (x HookEvent) String() string { return string(x) }
+
+// HookDeletePolicy specifies the hook delete policy
+type HookDeletePolicy string
+
+// Hook delete policy types
+const (
+	HookSucceeded          HookDeletePolicy = "hook-succeeded"
+	HookFailed             HookDeletePolicy = "hook-failed"
+	HookBeforeHookCreation HookDeletePolicy = "before-hook-creation"
+)
+
+func (x HookDeletePolicy) String() string { return string(x) }
+
+// HookOutputLogPolicy specifies the hook output log policy
+type HookOutputLogPolicy string
+
+// Hook output log policy types
+const (
+	HookOutputOnSucceeded HookOutputLogPolicy = "hook-succeeded"
+	HookOutputOnFailed    HookOutputLogPolicy = "hook-failed"
+)
+
+func (x HookOutputLogPolicy) String() string { return string(x) }
+
+// HookAnnotation is the label name for a hook
+const HookAnnotation = "helm.sh/hook"
+
+// HookWeightAnnotation is the label name for a hook weight
+const HookWeightAnnotation = "helm.sh/hook-weight"
+
+// HookDeleteAnnotation is the label name for the delete policy for a hook
+const HookDeleteAnnotation = "helm.sh/hook-delete-policy"
+
+// HookOutputLogAnnotation is the label name for the output log policy for a hook
+const HookOutputLogAnnotation = "helm.sh/hook-output-log-policy"
+
+// Hook defines a hook object.
+type Hook struct {
+	Name string `json:"name,omitempty"`
+	// Kind is the Kubernetes kind.
+	Kind string `json:"kind,omitempty"`
+	// Path is the chart-relative path to the template.
+	Path string `json:"path,omitempty"`
+	// Manifest is the manifest contents.
+	Manifest string `json:"manifest,omitempty"`
+	// Events are the events that this hook fires on.
+	Events []HookEvent `json:"events,omitempty"`
+	// LastRun indicates the date/time this was last run.
+	LastRun HookExecution `json:"last_run,omitempty"`
+	// Weight indicates the sort order for execution among similar Hook type
+	Weight int `json:"weight,omitempty"`
+	// DeletePolicies are the policies that indicate when to delete the hook
+	DeletePolicies []HookDeletePolicy `json:"delete_policies,omitempty"`
+	// OutputLogPolicies defines whether we should copy hook logs back to main process
+	OutputLogPolicies []HookOutputLogPolicy `json:"output_log_policies,omitempty"`
+}
+
+// A HookExecution records the result for the last execution of a hook for a given release.
+type HookExecution struct {
+	// StartedAt indicates the date/time this hook was started
+	StartedAt time.Time `json:"started_at,omitempty"`
+	// CompletedAt indicates the date/time this hook was completed.
+	CompletedAt time.Time `json:"completed_at,omitempty"`
+	// Phase indicates whether the hook completed successfully
+	Phase HookPhase `json:"phase"`
+}
+
+// A HookPhase indicates the state of a hook execution
+type HookPhase string
+
+const (
+	// HookPhaseUnknown indicates that a hook is in an unknown state
+	HookPhaseUnknown HookPhase = "Unknown"
+	// HookPhaseRunning indicates that a hook is currently executing
+	HookPhaseRunning HookPhase = "Running"
+	// HookPhaseSucceeded indicates that hook execution succeeded
+	HookPhaseSucceeded HookPhase = "Succeeded"
+	// HookPhaseFailed indicates that hook execution failed
+	HookPhaseFailed HookPhase = "Failed"
+)
+
+// String converts a hook phase to a printable string
+func (x HookPhase) String() string { return string(x) }
diff --git a/vendor/helm.sh/helm/v3/pkg/release/info.go b/vendor/helm.sh/helm/v3/pkg/release/info.go
new file mode 100644
index 0000000000..b030a8a545
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/release/info.go
@@ -0,0 +1,40 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package release
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"helm.sh/helm/v3/pkg/time"
+)
+
+// Info describes release information.
+type Info struct {
+	// FirstDeployed is when the release was first deployed.
+	FirstDeployed time.Time `json:"first_deployed,omitempty"`
+	// LastDeployed is when the release was last deployed.
+	LastDeployed time.Time `json:"last_deployed,omitempty"`
+	// Deleted tracks when this object was deleted.
+	Deleted time.Time `json:"deleted"`
+	// Description is human-friendly "log entry" about this release.
+	Description string `json:"description,omitempty"`
+	// Status is the current state of the release
+	Status Status `json:"status,omitempty"`
+	// Contains the rendered templates/NOTES.txt if available
+	Notes string `json:"notes,omitempty"`
+	// Contains the deployed resources information
+	Resources map[string][]runtime.Object `json:"resources,omitempty"`
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/release/mock.go b/vendor/helm.sh/helm/v3/pkg/release/mock.go
new file mode 100644
index 0000000000..eb0b5157df
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/release/mock.go
@@ -0,0 +1,134 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package release
+
+import (
+	"fmt"
+	"math/rand"
+
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/time"
+)
+
+// MockHookTemplate is the hook template used for all mock release objects.
+var MockHookTemplate = `apiVersion: v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install
+`
+
+// MockManifest is the manifest used for all mock release objects.
+var MockManifest = `apiVersion: v1
+kind: Secret
+metadata:
+  name: fixture
+`
+
+// MockReleaseOptions allows for user-configurable options on mock release objects.
+type MockReleaseOptions struct {
+	Name      string
+	Version   int
+	Chart     *chart.Chart
+	Status    Status
+	Namespace string
+}
+
+// Mock creates a mock release object based on options set by MockReleaseOptions. This function should typically not be used outside of testing.
+func Mock(opts *MockReleaseOptions) *Release {
+	date := time.Unix(242085845, 0).UTC()
+
+	name := opts.Name
+	if name == "" {
+		name = "testrelease-" + fmt.Sprint(rand.Intn(100))
+	}
+
+	version := 1
+	if opts.Version != 0 {
+		version = opts.Version
+	}
+
+	namespace := opts.Namespace
+	if namespace == "" {
+		namespace = "default"
+	}
+
+	ch := opts.Chart
+	if opts.Chart == nil {
+		ch = &chart.Chart{
+			Metadata: &chart.Metadata{
+				Name:       "foo",
+				Version:    "0.1.0-beta.1",
+				AppVersion: "1.0",
+				Annotations: map[string]string{
+					"category":  "web-apps",
+					"supported": "true",
+				},
+				Dependencies: []*chart.Dependency{
+					{
+						Name:       "cool-plugin",
+						Version:    "1.0.0",
+						Repository: "https://coolplugin.io/charts",
+						Condition:  "coolPlugin.enabled",
+						Enabled:    true,
+					},
+					{
+						Name:      "crds",
+						Version:   "2.7.1",
+						Condition: "crds.enabled",
+					},
+				},
+			},
+			Templates: []*chart.File{
+				{Name: "templates/foo.tpl", Data: []byte(MockManifest)},
+			},
+		}
+	}
+
+	scode := StatusDeployed
+	if len(opts.Status) > 0 {
+		scode = opts.Status
+	}
+
+	info := &Info{
+		FirstDeployed: date,
+		LastDeployed:  date,
+		Status:        scode,
+		Description:   "Release mock",
+		Notes:         "Some mock release notes!",
+	}
+
+	return &Release{
+		Name:      name,
+		Info:      info,
+		Chart:     ch,
+		Config:    map[string]interface{}{"name": "value"},
+		Version:   version,
+		Namespace: namespace,
+		Hooks: []*Hook{
+			{
+				Name:     "pre-install-hook",
+				Kind:     "Job",
+				Path:     "pre-install-hook.yaml",
+				Manifest: MockHookTemplate,
+				LastRun:  HookExecution{},
+				Events:   []HookEvent{HookPreInstall},
+			},
+		},
+		Manifest: MockManifest,
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/release/release.go b/vendor/helm.sh/helm/v3/pkg/release/release.go
new file mode 100644
index 0000000000..b906128736
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/release/release.go
@@ -0,0 +1,49 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package release
+
+import "helm.sh/helm/v3/pkg/chart"
+
+// Release describes a deployment of a chart, together with the chart
+// and the variables used to deploy that chart.
+type Release struct {
+	// Name is the name of the release
+	Name string `json:"name,omitempty"`
+	// Info provides information about a release
+	Info *Info `json:"info,omitempty"`
+	// Chart is the chart that was released.
+	Chart *chart.Chart `json:"chart,omitempty"`
+	// Config is the set of extra Values added to the chart.
+	// These values override the default values inside of the chart.
+	Config map[string]interface{} `json:"config,omitempty"`
+	// Manifest is the string representation of the rendered template.
+	Manifest string `json:"manifest,omitempty"`
+	// Hooks are all of the hooks declared for this release.
+	Hooks []*Hook `json:"hooks,omitempty"`
+	// Version is an int which represents the revision of the release.
+	Version int `json:"version,omitempty"`
+	// Namespace is the kubernetes namespace of the release.
+	Namespace string `json:"namespace,omitempty"`
+	// Labels of the release.
+	// Disabled encoding into Json cause labels are stored in storage driver metadata field.
+	Labels map[string]string `json:"-"`
+}
+
+// SetStatus is a helper for setting the status on a release.
+func (r *Release) SetStatus(status Status, msg string) {
+	r.Info.Status = status
+	r.Info.Description = msg
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/release/responses.go b/vendor/helm.sh/helm/v3/pkg/release/responses.go
new file mode 100644
index 0000000000..7ee1fc2eee
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/release/responses.go
@@ -0,0 +1,24 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package release
+
+// UninstallReleaseResponse represents a successful response to an uninstall request.
+type UninstallReleaseResponse struct {
+	// Release is the release that was marked deleted.
+	Release *Release `json:"release,omitempty"`
+	// Info is an uninstall message
+	Info string `json:"info,omitempty"`
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/release/status.go b/vendor/helm.sh/helm/v3/pkg/release/status.go
new file mode 100644
index 0000000000..edd27a5f14
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/release/status.go
@@ -0,0 +1,49 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package release
+
+// Status is the status of a release
+type Status string
+
+// Describe the status of a release
+// NOTE: Make sure to update cmd/helm/status.go when adding or modifying any of these statuses.
+const (
+	// StatusUnknown indicates that a release is in an uncertain state.
+	StatusUnknown Status = "unknown"
+	// StatusDeployed indicates that the release has been pushed to Kubernetes.
+	StatusDeployed Status = "deployed"
+	// StatusUninstalled indicates that a release has been uninstalled from Kubernetes.
+	StatusUninstalled Status = "uninstalled"
+	// StatusSuperseded indicates that this release object is outdated and a newer one exists.
+	StatusSuperseded Status = "superseded"
+	// StatusFailed indicates that the release was not successfully deployed.
+	StatusFailed Status = "failed"
+	// StatusUninstalling indicates that an uninstall operation is underway.
+	StatusUninstalling Status = "uninstalling"
+	// StatusPendingInstall indicates that an install operation is underway.
+	StatusPendingInstall Status = "pending-install"
+	// StatusPendingUpgrade indicates that an upgrade operation is underway.
+	StatusPendingUpgrade Status = "pending-upgrade"
+	// StatusPendingRollback indicates that a rollback operation is underway.
+	StatusPendingRollback Status = "pending-rollback"
+)
+
+func (x Status) String() string { return string(x) }
+
+// IsPending determines if this status is a state or a transition.
+func (x Status) IsPending() bool {
+	return x == StatusPendingInstall || x == StatusPendingUpgrade || x == StatusPendingRollback
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/filter.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/filter.go
new file mode 100644
index 0000000000..dbd0df8e2d
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/filter.go
@@ -0,0 +1,78 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package releaseutil // import "helm.sh/helm/v3/pkg/releaseutil"
+
+import rspb "helm.sh/helm/v3/pkg/release"
+
+// FilterFunc returns true if the release object satisfies
+// the predicate of the underlying filter func.
+type FilterFunc func(*rspb.Release) bool
+
+// Check applies the FilterFunc to the release object.
+func (fn FilterFunc) Check(rls *rspb.Release) bool {
+	if rls == nil {
+		return false
+	}
+	return fn(rls)
+}
+
+// Filter applies the filter(s) to the list of provided releases
+// returning the list that satisfies the filtering predicate.
+func (fn FilterFunc) Filter(rels []*rspb.Release) (rets []*rspb.Release) {
+	for _, rel := range rels {
+		if fn.Check(rel) {
+			rets = append(rets, rel)
+		}
+	}
+	return
+}
+
+// Any returns a FilterFunc that filters a list of releases
+// determined by the predicate 'f0 || f1 || ... || fn'.
+func Any(filters ...FilterFunc) FilterFunc {
+	return func(rls *rspb.Release) bool {
+		for _, filter := range filters {
+			if filter(rls) {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+// All returns a FilterFunc that filters a list of releases
+// determined by the predicate 'f0 && f1 && ... && fn'.
+func All(filters ...FilterFunc) FilterFunc {
+	return func(rls *rspb.Release) bool {
+		for _, filter := range filters {
+			if !filter(rls) {
+				return false
+			}
+		}
+		return true
+	}
+}
+
+// StatusFilter filters a set of releases by status code.
+func StatusFilter(status rspb.Status) FilterFunc {
+	return FilterFunc(func(rls *rspb.Release) bool {
+		if rls == nil {
+			return true
+		}
+		return rls.Info.Status == status
+	})
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/kind_sorter.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/kind_sorter.go
new file mode 100644
index 0000000000..bb8e84dda8
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/kind_sorter.go
@@ -0,0 +1,160 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package releaseutil
+
+import (
+	"sort"
+
+	"helm.sh/helm/v3/pkg/release"
+)
+
+// KindSortOrder is an ordering of Kinds.
+type KindSortOrder []string
+
+// InstallOrder is the order in which manifests should be installed (by Kind).
+//
+// Those occurring earlier in the list get installed before those occurring later in the list.
+var InstallOrder KindSortOrder = []string{
+	"PriorityClass",
+	"Namespace",
+	"NetworkPolicy",
+	"ResourceQuota",
+	"LimitRange",
+	"PodSecurityPolicy",
+	"PodDisruptionBudget",
+	"ServiceAccount",
+	"Secret",
+	"SecretList",
+	"ConfigMap",
+	"StorageClass",
+	"PersistentVolume",
+	"PersistentVolumeClaim",
+	"CustomResourceDefinition",
+	"ClusterRole",
+	"ClusterRoleList",
+	"ClusterRoleBinding",
+	"ClusterRoleBindingList",
+	"Role",
+	"RoleList",
+	"RoleBinding",
+	"RoleBindingList",
+	"Service",
+	"DaemonSet",
+	"Pod",
+	"ReplicationController",
+	"ReplicaSet",
+	"Deployment",
+	"HorizontalPodAutoscaler",
+	"StatefulSet",
+	"Job",
+	"CronJob",
+	"IngressClass",
+	"Ingress",
+	"APIService",
+}
+
+// UninstallOrder is the order in which manifests should be uninstalled (by Kind).
+//
+// Those occurring earlier in the list get uninstalled before those occurring later in the list.
+var UninstallOrder KindSortOrder = []string{
+	"APIService",
+	"Ingress",
+	"IngressClass",
+	"Service",
+	"CronJob",
+	"Job",
+	"StatefulSet",
+	"HorizontalPodAutoscaler",
+	"Deployment",
+	"ReplicaSet",
+	"ReplicationController",
+	"Pod",
+	"DaemonSet",
+	"RoleBindingList",
+	"RoleBinding",
+	"RoleList",
+	"Role",
+	"ClusterRoleBindingList",
+	"ClusterRoleBinding",
+	"ClusterRoleList",
+	"ClusterRole",
+	"CustomResourceDefinition",
+	"PersistentVolumeClaim",
+	"PersistentVolume",
+	"StorageClass",
+	"ConfigMap",
+	"SecretList",
+	"Secret",
+	"ServiceAccount",
+	"PodDisruptionBudget",
+	"PodSecurityPolicy",
+	"LimitRange",
+	"ResourceQuota",
+	"NetworkPolicy",
+	"Namespace",
+	"PriorityClass",
+}
+
+// sort manifests by kind.
+//
+// Results are sorted by 'ordering', keeping order of items with equal kind/priority
+func sortManifestsByKind(manifests []Manifest, ordering KindSortOrder) []Manifest {
+	sort.SliceStable(manifests, func(i, j int) bool {
+		return lessByKind(manifests[i], manifests[j], manifests[i].Head.Kind, manifests[j].Head.Kind, ordering)
+	})
+
+	return manifests
+}
+
+// sort hooks by kind, using an out-of-place sort to preserve the input parameters.
+//
+// Results are sorted by 'ordering', keeping order of items with equal kind/priority
+func sortHooksByKind(hooks []*release.Hook, ordering KindSortOrder) []*release.Hook {
+	h := hooks
+	sort.SliceStable(h, func(i, j int) bool {
+		return lessByKind(h[i], h[j], h[i].Kind, h[j].Kind, ordering)
+	})
+
+	return h
+}
+
+func lessByKind(_ interface{}, _ interface{}, kindA string, kindB string, o KindSortOrder) bool {
+	ordering := make(map[string]int, len(o))
+	for v, k := range o {
+		ordering[k] = v
+	}
+
+	first, aok := ordering[kindA]
+	second, bok := ordering[kindB]
+
+	if !aok && !bok {
+		// if both are unknown then sort alphabetically by kind, keep original order if same kind
+		if kindA != kindB {
+			return kindA < kindB
+		}
+		return first < second
+	}
+	// unknown kind is last
+	if !aok {
+		return false
+	}
+	if !bok {
+		return true
+	}
+	// sort different kinds, keep original order if same priority
+	return first < second
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest.go
new file mode 100644
index 0000000000..0b04a4599b
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest.go
@@ -0,0 +1,72 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package releaseutil
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+// SimpleHead defines what the structure of the head of a manifest file
+type SimpleHead struct {
+	Version  string `json:"apiVersion"`
+	Kind     string `json:"kind,omitempty"`
+	Metadata *struct {
+		Name        string            `json:"name"`
+		Annotations map[string]string `json:"annotations"`
+	} `json:"metadata,omitempty"`
+}
+
+var sep = regexp.MustCompile("(?:^|\\s*\n)---\\s*")
+
+// SplitManifests takes a string of manifest and returns a map contains individual manifests
+func SplitManifests(bigFile string) map[string]string {
+	// Basically, we're quickly splitting a stream of YAML documents into an
+	// array of YAML docs. The file name is just a place holder, but should be
+	// integer-sortable so that manifests get output in the same order as the
+	// input (see `BySplitManifestsOrder`).
+	tpl := "manifest-%d"
+	res := map[string]string{}
+	// Making sure that any extra whitespace in YAML stream doesn't interfere in splitting documents correctly.
+	bigFileTmp := strings.TrimSpace(bigFile)
+	docs := sep.Split(bigFileTmp, -1)
+	var count int
+	for _, d := range docs {
+		if d == "" {
+			continue
+		}
+
+		d = strings.TrimSpace(d)
+		res[fmt.Sprintf(tpl, count)] = d
+		count = count + 1
+	}
+	return res
+}
+
+// BySplitManifestsOrder sorts by in-file manifest order, as provided in function `SplitManifests`
+type BySplitManifestsOrder []string
+
+func (a BySplitManifestsOrder) Len() int { return len(a) }
+func (a BySplitManifestsOrder) Less(i, j int) bool {
+	// Split `manifest-%d`
+	anum, _ := strconv.ParseInt(a[i][len("manifest-"):], 10, 0)
+	bnum, _ := strconv.ParseInt(a[j][len("manifest-"):], 10, 0)
+	return anum < bnum
+}
+func (a BySplitManifestsOrder) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go
new file mode 100644
index 0000000000..cf851baa81
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go
@@ -0,0 +1,244 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package releaseutil
+
+import (
+	"log"
+	"path"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/release"
+)
+
+// Manifest represents a manifest file, which has a name and some content.
+type Manifest struct {
+	Name    string
+	Content string
+	Head    *SimpleHead
+}
+
+// manifestFile represents a file that contains a manifest.
+type manifestFile struct {
+	entries map[string]string
+	path    string
+}
+
+// result is an intermediate structure used during sorting.
+type result struct {
+	hooks   []*release.Hook
+	generic []Manifest
+}
+
+// TODO: Refactor this out. It's here because naming conventions were not followed through.
+// So fix the Test hook names and then remove this.
+var events = map[string]release.HookEvent{
+	release.HookPreInstall.String():   release.HookPreInstall,
+	release.HookPostInstall.String():  release.HookPostInstall,
+	release.HookPreDelete.String():    release.HookPreDelete,
+	release.HookPostDelete.String():   release.HookPostDelete,
+	release.HookPreUpgrade.String():   release.HookPreUpgrade,
+	release.HookPostUpgrade.String():  release.HookPostUpgrade,
+	release.HookPreRollback.String():  release.HookPreRollback,
+	release.HookPostRollback.String(): release.HookPostRollback,
+	release.HookTest.String():         release.HookTest,
+	// Support test-success for backward compatibility with Helm 2 tests
+	"test-success": release.HookTest,
+}
+
+// SortManifests takes a map of filename/YAML contents, splits the file
+// by manifest entries, and sorts the entries into hook types.
+//
+// The resulting hooks struct will be populated with all of the generated hooks.
+// Any file that does not declare one of the hook types will be placed in the
+// 'generic' bucket.
+//
+// Files that do not parse into the expected format are simply placed into a map and
+// returned.
+func SortManifests(files map[string]string, _ chartutil.VersionSet, ordering KindSortOrder) ([]*release.Hook, []Manifest, error) {
+	result := &result{}
+
+	var sortedFilePaths []string
+	for filePath := range files {
+		sortedFilePaths = append(sortedFilePaths, filePath)
+	}
+	sort.Strings(sortedFilePaths)
+
+	for _, filePath := range sortedFilePaths {
+		content := files[filePath]
+
+		// Skip partials. We could return these as a separate map, but there doesn't
+		// seem to be any need for that at this time.
+		if strings.HasPrefix(path.Base(filePath), "_") {
+			continue
+		}
+		// Skip empty files and log this.
+		if strings.TrimSpace(content) == "" {
+			continue
+		}
+
+		manifestFile := &manifestFile{
+			entries: SplitManifests(content),
+			path:    filePath,
+		}
+
+		if err := manifestFile.sort(result); err != nil {
+			return result.hooks, result.generic, err
+		}
+	}
+
+	return sortHooksByKind(result.hooks, ordering), sortManifestsByKind(result.generic, ordering), nil
+}
+
+// sort takes a manifestFile object which may contain multiple resource definition
+// entries and sorts each entry by hook types, and saves the resulting hooks and
+// generic manifests (or non-hooks) to the result struct.
+//
+// To determine hook type, it looks for a YAML structure like this:
+//
+//	 kind: SomeKind
+//	 apiVersion: v1
+//		metadata:
+//			annotations:
+//				helm.sh/hook: pre-install
+//
+// To determine the policy to delete the hook, it looks for a YAML structure like this:
+//
+//	 kind: SomeKind
+//	 apiVersion: v1
+//	 metadata:
+//			annotations:
+//				helm.sh/hook-delete-policy: hook-succeeded
+//
+// To determine the policy to output logs of the hook (for Pod and Job only), it looks for a YAML structure like this:
+//
+//	 kind: Pod
+//	 apiVersion: v1
+//	 metadata:
+//			annotations:
+//				helm.sh/hook-output-log-policy: hook-succeeded,hook-failed
+func (file *manifestFile) sort(result *result) error {
+	// Go through manifests in order found in file (function `SplitManifests` creates integer-sortable keys)
+	var sortedEntryKeys []string
+	for entryKey := range file.entries {
+		sortedEntryKeys = append(sortedEntryKeys, entryKey)
+	}
+	sort.Sort(BySplitManifestsOrder(sortedEntryKeys))
+
+	for _, entryKey := range sortedEntryKeys {
+		m := file.entries[entryKey]
+
+		var entry SimpleHead
+		if err := yaml.Unmarshal([]byte(m), &entry); err != nil {
+			return errors.Wrapf(err, "YAML parse error on %s", file.path)
+		}
+
+		if !hasAnyAnnotation(entry) {
+			result.generic = append(result.generic, Manifest{
+				Name:    file.path,
+				Content: m,
+				Head:    &entry,
+			})
+			continue
+		}
+
+		hookTypes, ok := entry.Metadata.Annotations[release.HookAnnotation]
+		if !ok {
+			result.generic = append(result.generic, Manifest{
+				Name:    file.path,
+				Content: m,
+				Head:    &entry,
+			})
+			continue
+		}
+
+		hw := calculateHookWeight(entry)
+
+		h := &release.Hook{
+			Name:              entry.Metadata.Name,
+			Kind:              entry.Kind,
+			Path:              file.path,
+			Manifest:          m,
+			Events:            []release.HookEvent{},
+			Weight:            hw,
+			DeletePolicies:    []release.HookDeletePolicy{},
+			OutputLogPolicies: []release.HookOutputLogPolicy{},
+		}
+
+		isUnknownHook := false
+		for _, hookType := range strings.Split(hookTypes, ",") {
+			hookType = strings.ToLower(strings.TrimSpace(hookType))
+			e, ok := events[hookType]
+			if !ok {
+				isUnknownHook = true
+				break
+			}
+			h.Events = append(h.Events, e)
+		}
+
+		if isUnknownHook {
+			log.Printf("info: skipping unknown hook: %q", hookTypes)
+			continue
+		}
+
+		result.hooks = append(result.hooks, h)
+
+		operateAnnotationValues(entry, release.HookDeleteAnnotation, func(value string) {
+			h.DeletePolicies = append(h.DeletePolicies, release.HookDeletePolicy(value))
+		})
+
+		operateAnnotationValues(entry, release.HookOutputLogAnnotation, func(value string) {
+			h.OutputLogPolicies = append(h.OutputLogPolicies, release.HookOutputLogPolicy(value))
+		})
+	}
+
+	return nil
+}
+
+// hasAnyAnnotation returns true if the given entry has any annotations at all.
+func hasAnyAnnotation(entry SimpleHead) bool {
+	return entry.Metadata != nil &&
+		entry.Metadata.Annotations != nil &&
+		len(entry.Metadata.Annotations) != 0
+}
+
+// calculateHookWeight finds the weight in the hook weight annotation.
+//
+// If no weight is found, the assigned weight is 0
+func calculateHookWeight(entry SimpleHead) int {
+	hws := entry.Metadata.Annotations[release.HookWeightAnnotation]
+	hw, err := strconv.Atoi(hws)
+	if err != nil {
+		hw = 0
+	}
+	return hw
+}
+
+// operateAnnotationValues finds the given annotation and runs the operate function with the value of that annotation
+func operateAnnotationValues(entry SimpleHead, annotation string, operate func(p string)) {
+	if dps, ok := entry.Metadata.Annotations[annotation]; ok {
+		for _, dp := range strings.Split(dps, ",") {
+			dp = strings.ToLower(strings.TrimSpace(dp))
+			operate(dp)
+		}
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/sorter.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/sorter.go
new file mode 100644
index 0000000000..1a8aa78a62
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/sorter.go
@@ -0,0 +1,78 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package releaseutil // import "helm.sh/helm/v3/pkg/releaseutil"
+
+import (
+	"sort"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+)
+
+type list []*rspb.Release
+
+func (s list) Len() int      { return len(s) }
+func (s list) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
+
+// ByName sorts releases by name
+type ByName struct{ list }
+
+// Less compares to releases
+func (s ByName) Less(i, j int) bool { return s.list[i].Name < s.list[j].Name }
+
+// ByDate sorts releases by date
+type ByDate struct{ list }
+
+// Less compares to releases
+func (s ByDate) Less(i, j int) bool {
+	ti := s.list[i].Info.LastDeployed.Unix()
+	tj := s.list[j].Info.LastDeployed.Unix()
+	return ti < tj
+}
+
+// ByRevision sorts releases by revision number
+type ByRevision struct{ list }
+
+// Less compares to releases
+func (s ByRevision) Less(i, j int) bool {
+	return s.list[i].Version < s.list[j].Version
+}
+
+// Reverse reverses the list of releases sorted by the sort func.
+func Reverse(list []*rspb.Release, sortFn func([]*rspb.Release)) {
+	sortFn(list)
+	for i, j := 0, len(list)-1; i < j; i, j = i+1, j-1 {
+		list[i], list[j] = list[j], list[i]
+	}
+}
+
+// SortByName returns the list of releases sorted
+// in lexicographical order.
+func SortByName(list []*rspb.Release) {
+	sort.Sort(ByName{list})
+}
+
+// SortByDate returns the list of releases sorted by a
+// release's last deployed time (in seconds).
+func SortByDate(list []*rspb.Release) {
+	sort.Sort(ByDate{list})
+}
+
+// SortByRevision returns the list of releases sorted by a
+// release's revision number (release.Version).
+func SortByRevision(list []*rspb.Release) {
+	sort.Sort(ByRevision{list})
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/repo/chartrepo.go b/vendor/helm.sh/helm/v3/pkg/repo/chartrepo.go
new file mode 100644
index 0000000000..970e96da2d
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/repo/chartrepo.go
@@ -0,0 +1,317 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package repo // import "helm.sh/helm/v3/pkg/repo"
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/helmpath"
+	"helm.sh/helm/v3/pkg/provenance"
+)
+
+// Entry represents a collection of parameters for chart repository
+type Entry struct {
+	Name                  string `json:"name"`
+	URL                   string `json:"url"`
+	Username              string `json:"username"`
+	Password              string `json:"password"`
+	CertFile              string `json:"certFile"`
+	KeyFile               string `json:"keyFile"`
+	CAFile                string `json:"caFile"`
+	InsecureSkipTLSverify bool   `json:"insecure_skip_tls_verify"`
+	PassCredentialsAll    bool   `json:"pass_credentials_all"`
+}
+
+// ChartRepository represents a chart repository
+type ChartRepository struct {
+	Config     *Entry
+	ChartPaths []string
+	IndexFile  *IndexFile
+	Client     getter.Getter
+	CachePath  string
+}
+
+// NewChartRepository constructs ChartRepository
+func NewChartRepository(cfg *Entry, getters getter.Providers) (*ChartRepository, error) {
+	u, err := url.Parse(cfg.URL)
+	if err != nil {
+		return nil, errors.Errorf("invalid chart URL format: %s", cfg.URL)
+	}
+
+	client, err := getters.ByScheme(u.Scheme)
+	if err != nil {
+		return nil, errors.Errorf("could not find protocol handler for: %s", u.Scheme)
+	}
+
+	return &ChartRepository{
+		Config:    cfg,
+		IndexFile: NewIndexFile(),
+		Client:    client,
+		CachePath: helmpath.CachePath("repository"),
+	}, nil
+}
+
+// Load loads a directory of charts as if it were a repository.
+//
+// It requires the presence of an index.yaml file in the directory.
+//
+// Deprecated: remove in Helm 4.
+func (r *ChartRepository) Load() error {
+	dirInfo, err := os.Stat(r.Config.Name)
+	if err != nil {
+		return err
+	}
+	if !dirInfo.IsDir() {
+		return errors.Errorf("%q is not a directory", r.Config.Name)
+	}
+
+	// FIXME: Why are we recursively walking directories?
+	// FIXME: Why are we not reading the repositories.yaml to figure out
+	// what repos to use?
+	filepath.Walk(r.Config.Name, func(path string, f os.FileInfo, _ error) error {
+		if !f.IsDir() {
+			if strings.Contains(f.Name(), "-index.yaml") {
+				i, err := LoadIndexFile(path)
+				if err != nil {
+					return err
+				}
+				r.IndexFile = i
+			} else if strings.HasSuffix(f.Name(), ".tgz") {
+				r.ChartPaths = append(r.ChartPaths, path)
+			}
+		}
+		return nil
+	})
+	return nil
+}
+
+// DownloadIndexFile fetches the index from a repository.
+func (r *ChartRepository) DownloadIndexFile() (string, error) {
+	indexURL, err := ResolveReferenceURL(r.Config.URL, "index.yaml")
+	if err != nil {
+		return "", err
+	}
+
+	resp, err := r.Client.Get(indexURL,
+		getter.WithURL(r.Config.URL),
+		getter.WithInsecureSkipVerifyTLS(r.Config.InsecureSkipTLSverify),
+		getter.WithTLSClientConfig(r.Config.CertFile, r.Config.KeyFile, r.Config.CAFile),
+		getter.WithBasicAuth(r.Config.Username, r.Config.Password),
+		getter.WithPassCredentialsAll(r.Config.PassCredentialsAll),
+	)
+	if err != nil {
+		return "", err
+	}
+
+	index, err := io.ReadAll(resp)
+	if err != nil {
+		return "", err
+	}
+
+	indexFile, err := loadIndex(index, r.Config.URL)
+	if err != nil {
+		return "", err
+	}
+
+	// Create the chart list file in the cache directory
+	var charts strings.Builder
+	for name := range indexFile.Entries {
+		fmt.Fprintln(&charts, name)
+	}
+	chartsFile := filepath.Join(r.CachePath, helmpath.CacheChartsFile(r.Config.Name))
+	os.MkdirAll(filepath.Dir(chartsFile), 0755)
+	os.WriteFile(chartsFile, []byte(charts.String()), 0644)
+
+	// Create the index file in the cache directory
+	fname := filepath.Join(r.CachePath, helmpath.CacheIndexFile(r.Config.Name))
+	os.MkdirAll(filepath.Dir(fname), 0755)
+	return fname, os.WriteFile(fname, index, 0644)
+}
+
+// Index generates an index for the chart repository and writes an index.yaml file.
+func (r *ChartRepository) Index() error {
+	err := r.generateIndex()
+	if err != nil {
+		return err
+	}
+	return r.saveIndexFile()
+}
+
+func (r *ChartRepository) saveIndexFile() error {
+	index, err := yaml.Marshal(r.IndexFile)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(filepath.Join(r.Config.Name, indexPath), index, 0644)
+}
+
+func (r *ChartRepository) generateIndex() error {
+	for _, path := range r.ChartPaths {
+		ch, err := loader.Load(path)
+		if err != nil {
+			return err
+		}
+
+		digest, err := provenance.DigestFile(path)
+		if err != nil {
+			return err
+		}
+
+		if !r.IndexFile.Has(ch.Name(), ch.Metadata.Version) {
+			if err := r.IndexFile.MustAdd(ch.Metadata, path, r.Config.URL, digest); err != nil {
+				return errors.Wrapf(err, "failed adding to %s to index", path)
+			}
+		}
+		// TODO: If a chart exists, but has a different Digest, should we error?
+	}
+	r.IndexFile.SortEntries()
+	return nil
+}
+
+// FindChartInRepoURL finds chart in chart repository pointed by repoURL
+// without adding repo to repositories
+func FindChartInRepoURL(repoURL, chartName, chartVersion, certFile, keyFile, caFile string, getters getter.Providers) (string, error) {
+	return FindChartInAuthRepoURL(repoURL, "", "", chartName, chartVersion, certFile, keyFile, caFile, getters)
+}
+
+// FindChartInAuthRepoURL finds chart in chart repository pointed by repoURL
+// without adding repo to repositories, like FindChartInRepoURL,
+// but it also receives credentials for the chart repository.
+func FindChartInAuthRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile string, getters getter.Providers) (string, error) {
+	return FindChartInAuthAndTLSRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile, false, getters)
+}
+
+// FindChartInAuthAndTLSRepoURL finds chart in chart repository pointed by repoURL
+// without adding repo to repositories, like FindChartInRepoURL,
+// but it also receives credentials and TLS verify flag for the chart repository.
+// TODO Helm 4, FindChartInAuthAndTLSRepoURL should be integrated into FindChartInAuthRepoURL.
+func FindChartInAuthAndTLSRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile string, insecureSkipTLSverify bool, getters getter.Providers) (string, error) {
+	return FindChartInAuthAndTLSAndPassRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile, insecureSkipTLSverify, false, getters)
+}
+
+// FindChartInAuthAndTLSAndPassRepoURL finds chart in chart repository pointed by repoURL
+// without adding repo to repositories, like FindChartInRepoURL,
+// but it also receives credentials, TLS verify flag, and if credentials should
+// be passed on to other domains.
+// TODO Helm 4, FindChartInAuthAndTLSAndPassRepoURL should be integrated into FindChartInAuthRepoURL.
+func FindChartInAuthAndTLSAndPassRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile string, insecureSkipTLSverify, passCredentialsAll bool, getters getter.Providers) (string, error) {
+
+	// Download and write the index file to a temporary location
+	buf := make([]byte, 20)
+	rand.Read(buf)
+	name := strings.ReplaceAll(base64.StdEncoding.EncodeToString(buf), "/", "-")
+
+	c := Entry{
+		URL:                   repoURL,
+		Username:              username,
+		Password:              password,
+		PassCredentialsAll:    passCredentialsAll,
+		CertFile:              certFile,
+		KeyFile:               keyFile,
+		CAFile:                caFile,
+		Name:                  name,
+		InsecureSkipTLSverify: insecureSkipTLSverify,
+	}
+	r, err := NewChartRepository(&c, getters)
+	if err != nil {
+		return "", err
+	}
+	idx, err := r.DownloadIndexFile()
+	if err != nil {
+		return "", errors.Wrapf(err, "looks like %q is not a valid chart repository or cannot be reached", repoURL)
+	}
+	defer func() {
+		os.RemoveAll(filepath.Join(r.CachePath, helmpath.CacheChartsFile(r.Config.Name)))
+		os.RemoveAll(filepath.Join(r.CachePath, helmpath.CacheIndexFile(r.Config.Name)))
+	}()
+
+	// Read the index file for the repository to get chart information and return chart URL
+	repoIndex, err := LoadIndexFile(idx)
+	if err != nil {
+		return "", err
+	}
+
+	errMsg := fmt.Sprintf("chart %q", chartName)
+	if chartVersion != "" {
+		errMsg = fmt.Sprintf("%s version %q", errMsg, chartVersion)
+	}
+	cv, err := repoIndex.Get(chartName, chartVersion)
+	if err != nil {
+		return "", errors.Errorf("%s not found in %s repository", errMsg, repoURL)
+	}
+
+	if len(cv.URLs) == 0 {
+		return "", errors.Errorf("%s has no downloadable URLs", errMsg)
+	}
+
+	chartURL := cv.URLs[0]
+
+	absoluteChartURL, err := ResolveReferenceURL(repoURL, chartURL)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to make chart URL absolute")
+	}
+
+	return absoluteChartURL, nil
+}
+
+// ResolveReferenceURL resolves refURL relative to baseURL.
+// If refURL is absolute, it simply returns refURL.
+func ResolveReferenceURL(baseURL, refURL string) (string, error) {
+	parsedRefURL, err := url.Parse(refURL)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse %s as URL", refURL)
+	}
+
+	if parsedRefURL.IsAbs() {
+		return refURL, nil
+	}
+
+	parsedBaseURL, err := url.Parse(baseURL)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse %s as URL", baseURL)
+	}
+
+	// We need a trailing slash for ResolveReference to work, but make sure there isn't already one
+	parsedBaseURL.RawPath = strings.TrimSuffix(parsedBaseURL.RawPath, "/") + "/"
+	parsedBaseURL.Path = strings.TrimSuffix(parsedBaseURL.Path, "/") + "/"
+
+	resolvedURL := parsedBaseURL.ResolveReference(parsedRefURL)
+	resolvedURL.RawQuery = parsedBaseURL.RawQuery
+	return resolvedURL.String(), nil
+}
+
+func (e *Entry) String() string {
+	buf, err := json.Marshal(e)
+	if err != nil {
+		log.Panic(err)
+	}
+	return string(buf)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/repo/doc.go b/vendor/helm.sh/helm/v3/pkg/repo/doc.go
new file mode 100644
index 0000000000..fc54bbf7af
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/repo/doc.go
@@ -0,0 +1,94 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package repo implements the Helm Chart Repository.
+
+A chart repository is an HTTP server that provides information on charts. A local
+repository cache is an on-disk representation of a chart repository.
+
+There are two important file formats for chart repositories.
+
+The first is the 'index.yaml' format, which is expressed like this:
+
+	apiVersion: v1
+	entries:
+	  frobnitz:
+	  - created: 2016-09-29T12:14:34.830161306-06:00
+		description: This is a frobnitz.
+		digest: 587bd19a9bd9d2bc4a6d25ab91c8c8e7042c47b4ac246e37bf8e1e74386190f4
+		home: http://example.com
+		keywords:
+		- frobnitz
+		- sprocket
+		- dodad
+		maintainers:
+		- email: helm@example.com
+		  name: The Helm Team
+		- email: nobody@example.com
+		  name: Someone Else
+		name: frobnitz
+		urls:
+		- http://example-charts.com/testdata/repository/frobnitz-1.2.3.tgz
+		version: 1.2.3
+	  sprocket:
+	  - created: 2016-09-29T12:14:34.830507606-06:00
+		description: This is a sprocket"
+		digest: 8505ff813c39502cc849a38e1e4a8ac24b8e6e1dcea88f4c34ad9b7439685ae6
+		home: http://example.com
+		keywords:
+		- frobnitz
+		- sprocket
+		- dodad
+		maintainers:
+		- email: helm@example.com
+		  name: The Helm Team
+		- email: nobody@example.com
+		  name: Someone Else
+		name: sprocket
+		urls:
+		- http://example-charts.com/testdata/repository/sprocket-1.2.0.tgz
+		version: 1.2.0
+	generated: 2016-09-29T12:14:34.829721375-06:00
+
+An index.yaml file contains the necessary descriptive information about what
+charts are available in a repository, and how to get them.
+
+The second file format is the repositories.yaml file format. This file is for
+facilitating local cached copies of one or more chart repositories.
+
+The format of a repository.yaml file is:
+
+	apiVersion: v1
+	generated: TIMESTAMP
+	repositories:
+	  - name: stable
+	    url: http://example.com/charts
+		cache: stable-index.yaml
+	  - name: incubator
+	    url: http://example.com/incubator
+		cache: incubator-index.yaml
+
+This file maps three bits of information about a repository:
+
+  - The name the user uses to refer to it
+  - The fully qualified URL to the repository (index.yaml will be appended)
+  - The name of the local cachefile
+
+The format for both files was changed after Helm v2.0.0-Alpha.4. Helm is not
+backwards compatible with those earlier versions.
+*/
+package repo
diff --git a/vendor/helm.sh/helm/v3/pkg/repo/index.go b/vendor/helm.sh/helm/v3/pkg/repo/index.go
new file mode 100644
index 0000000000..a93314ab8b
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/repo/index.go
@@ -0,0 +1,417 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package repo
+
+import (
+	"bytes"
+	"encoding/json"
+	"log"
+	"os"
+	"path"
+	"path/filepath"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+
+	"helm.sh/helm/v3/internal/fileutil"
+	"helm.sh/helm/v3/internal/urlutil"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/provenance"
+)
+
+var indexPath = "index.yaml"
+
+// APIVersionV1 is the v1 API version for index and repository files.
+const APIVersionV1 = "v1"
+
+var (
+	// ErrNoAPIVersion indicates that an API version was not specified.
+	ErrNoAPIVersion = errors.New("no API version specified")
+	// ErrNoChartVersion indicates that a chart with the given version is not found.
+	ErrNoChartVersion = errors.New("no chart version found")
+	// ErrNoChartName indicates that a chart with the given name is not found.
+	ErrNoChartName = errors.New("no chart name found")
+	// ErrEmptyIndexYaml indicates that the content of index.yaml is empty.
+	ErrEmptyIndexYaml = errors.New("empty index.yaml file")
+)
+
+// ChartVersions is a list of versioned chart references.
+// Implements a sorter on Version.
+type ChartVersions []*ChartVersion
+
+// Len returns the length.
+func (c ChartVersions) Len() int { return len(c) }
+
+// Swap swaps the position of two items in the versions slice.
+func (c ChartVersions) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
+
+// Less returns true if the version of entry a is less than the version of entry b.
+func (c ChartVersions) Less(a, b int) bool {
+	// Failed parse pushes to the back.
+	i, err := semver.NewVersion(c[a].Version)
+	if err != nil {
+		return true
+	}
+	j, err := semver.NewVersion(c[b].Version)
+	if err != nil {
+		return false
+	}
+	return i.LessThan(j)
+}
+
+// IndexFile represents the index file in a chart repository
+type IndexFile struct {
+	// This is used ONLY for validation against chartmuseum's index files and is discarded after validation.
+	ServerInfo map[string]interface{}   `json:"serverInfo,omitempty"`
+	APIVersion string                   `json:"apiVersion"`
+	Generated  time.Time                `json:"generated"`
+	Entries    map[string]ChartVersions `json:"entries"`
+	PublicKeys []string                 `json:"publicKeys,omitempty"`
+
+	// Annotations are additional mappings uninterpreted by Helm. They are made available for
+	// other applications to add information to the index file.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// NewIndexFile initializes an index.
+func NewIndexFile() *IndexFile {
+	return &IndexFile{
+		APIVersion: APIVersionV1,
+		Generated:  time.Now(),
+		Entries:    map[string]ChartVersions{},
+		PublicKeys: []string{},
+	}
+}
+
+// LoadIndexFile takes a file at the given path and returns an IndexFile object
+func LoadIndexFile(path string) (*IndexFile, error) {
+	b, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	i, err := loadIndex(b, path)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error loading %s", path)
+	}
+	return i, nil
+}
+
+// MustAdd adds a file to the index
+// This can leave the index in an unsorted state
+func (i IndexFile) MustAdd(md *chart.Metadata, filename, baseURL, digest string) error {
+	if i.Entries == nil {
+		return errors.New("entries not initialized")
+	}
+
+	if md.APIVersion == "" {
+		md.APIVersion = chart.APIVersionV1
+	}
+	if err := md.Validate(); err != nil {
+		return errors.Wrapf(err, "validate failed for %s", filename)
+	}
+
+	u := filename
+	if baseURL != "" {
+		_, file := filepath.Split(filename)
+		var err error
+		u, err = urlutil.URLJoin(baseURL, file)
+		if err != nil {
+			u = path.Join(baseURL, file)
+		}
+	}
+	cr := &ChartVersion{
+		URLs:     []string{u},
+		Metadata: md,
+		Digest:   digest,
+		Created:  time.Now(),
+	}
+	ee := i.Entries[md.Name]
+	i.Entries[md.Name] = append(ee, cr)
+	return nil
+}
+
+// Add adds a file to the index and logs an error.
+//
+// Deprecated: Use index.MustAdd instead.
+func (i IndexFile) Add(md *chart.Metadata, filename, baseURL, digest string) {
+	if err := i.MustAdd(md, filename, baseURL, digest); err != nil {
+		log.Printf("skipping loading invalid entry for chart %q %q from %s: %s", md.Name, md.Version, filename, err)
+	}
+}
+
+// Has returns true if the index has an entry for a chart with the given name and exact version.
+func (i IndexFile) Has(name, version string) bool {
+	_, err := i.Get(name, version)
+	return err == nil
+}
+
+// SortEntries sorts the entries by version in descending order.
+//
+// In canonical form, the individual version records should be sorted so that
+// the most recent release for every version is in the 0th slot in the
+// Entries.ChartVersions array. That way, tooling can predict the newest
+// version without needing to parse SemVers.
+func (i IndexFile) SortEntries() {
+	for _, versions := range i.Entries {
+		sort.Sort(sort.Reverse(versions))
+	}
+}
+
+// Get returns the ChartVersion for the given name.
+//
+// If version is empty, this will return the chart with the latest stable version,
+// prerelease versions will be skipped.
+func (i IndexFile) Get(name, version string) (*ChartVersion, error) {
+	vs, ok := i.Entries[name]
+	if !ok {
+		return nil, ErrNoChartName
+	}
+	if len(vs) == 0 {
+		return nil, ErrNoChartVersion
+	}
+
+	var constraint *semver.Constraints
+	if version == "" {
+		constraint, _ = semver.NewConstraint("*")
+	} else {
+		var err error
+		constraint, err = semver.NewConstraint(version)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// when customer inputs specific version, check whether there's an exact match first
+	if len(version) != 0 {
+		for _, ver := range vs {
+			if version == ver.Version {
+				return ver, nil
+			}
+		}
+	}
+
+	for _, ver := range vs {
+		test, err := semver.NewVersion(ver.Version)
+		if err != nil {
+			continue
+		}
+
+		if constraint.Check(test) {
+			return ver, nil
+		}
+	}
+	return nil, errors.Errorf("no chart version found for %s-%s", name, version)
+}
+
+// WriteFile writes an index file to the given destination path.
+//
+// The mode on the file is set to 'mode'.
+func (i IndexFile) WriteFile(dest string, mode os.FileMode) error {
+	b, err := yaml.Marshal(i)
+	if err != nil {
+		return err
+	}
+	return fileutil.AtomicWriteFile(dest, bytes.NewReader(b), mode)
+}
+
+// WriteJSONFile writes an index file in JSON format to the given destination
+// path.
+//
+// The mode on the file is set to 'mode'.
+func (i IndexFile) WriteJSONFile(dest string, mode os.FileMode) error {
+	b, err := json.MarshalIndent(i, "", "  ")
+	if err != nil {
+		return err
+	}
+	return fileutil.AtomicWriteFile(dest, bytes.NewReader(b), mode)
+}
+
+// Merge merges the given index file into this index.
+//
+// This merges by name and version.
+//
+// If one of the entries in the given index does _not_ already exist, it is added.
+// In all other cases, the existing record is preserved.
+//
+// This can leave the index in an unsorted state
+func (i *IndexFile) Merge(f *IndexFile) {
+	for _, cvs := range f.Entries {
+		for _, cv := range cvs {
+			if !i.Has(cv.Name, cv.Version) {
+				e := i.Entries[cv.Name]
+				i.Entries[cv.Name] = append(e, cv)
+			}
+		}
+	}
+}
+
+// ChartVersion represents a chart entry in the IndexFile
+type ChartVersion struct {
+	*chart.Metadata
+	URLs    []string  `json:"urls"`
+	Created time.Time `json:"created,omitempty"`
+	Removed bool      `json:"removed,omitempty"`
+	Digest  string    `json:"digest,omitempty"`
+
+	// ChecksumDeprecated is deprecated in Helm 3, and therefore ignored. Helm 3 replaced
+	// this with Digest. However, with a strict YAML parser enabled, a field must be
+	// present on the struct for backwards compatibility.
+	ChecksumDeprecated string `json:"checksum,omitempty"`
+
+	// EngineDeprecated is deprecated in Helm 3, and therefore ignored. However, with a strict
+	// YAML parser enabled, this field must be present.
+	EngineDeprecated string `json:"engine,omitempty"`
+
+	// TillerVersionDeprecated is deprecated in Helm 3, and therefore ignored. However, with a strict
+	// YAML parser enabled, this field must be present.
+	TillerVersionDeprecated string `json:"tillerVersion,omitempty"`
+
+	// URLDeprecated is deprecated in Helm 3, superseded by URLs. It is ignored. However,
+	// with a strict YAML parser enabled, this must be present on the struct.
+	URLDeprecated string `json:"url,omitempty"`
+}
+
+// IndexDirectory reads a (flat) directory and generates an index.
+//
+// It indexes only charts that have been packaged (*.tgz).
+//
+// The index returned will be in an unsorted state
+func IndexDirectory(dir, baseURL string) (*IndexFile, error) {
+	archives, err := filepath.Glob(filepath.Join(dir, "*.tgz"))
+	if err != nil {
+		return nil, err
+	}
+	moreArchives, err := filepath.Glob(filepath.Join(dir, "**/*.tgz"))
+	if err != nil {
+		return nil, err
+	}
+	archives = append(archives, moreArchives...)
+
+	index := NewIndexFile()
+	for _, arch := range archives {
+		fname, err := filepath.Rel(dir, arch)
+		if err != nil {
+			return index, err
+		}
+
+		var parentDir string
+		parentDir, fname = filepath.Split(fname)
+		// filepath.Split appends an extra slash to the end of parentDir. We want to strip that out.
+		parentDir = strings.TrimSuffix(parentDir, string(os.PathSeparator))
+		parentURL, err := urlutil.URLJoin(baseURL, parentDir)
+		if err != nil {
+			parentURL = path.Join(baseURL, parentDir)
+		}
+
+		c, err := loader.Load(arch)
+		if err != nil {
+			// Assume this is not a chart.
+			continue
+		}
+		hash, err := provenance.DigestFile(arch)
+		if err != nil {
+			return index, err
+		}
+		if err := index.MustAdd(c.Metadata, fname, parentURL, hash); err != nil {
+			return index, errors.Wrapf(err, "failed adding to %s to index", fname)
+		}
+	}
+	return index, nil
+}
+
+// loadIndex loads an index file and does minimal validity checking.
+//
+// The source parameter is only used for logging.
+// This will fail if API Version is not set (ErrNoAPIVersion) or if the unmarshal fails.
+func loadIndex(data []byte, source string) (*IndexFile, error) {
+	i := &IndexFile{}
+
+	if len(data) == 0 {
+		return i, ErrEmptyIndexYaml
+	}
+
+	if err := jsonOrYamlUnmarshal(data, i); err != nil {
+		return i, err
+	}
+
+	for name, cvs := range i.Entries {
+		for idx := len(cvs) - 1; idx >= 0; idx-- {
+			if cvs[idx] == nil {
+				log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source)
+				cvs = append(cvs[:idx], cvs[idx+1:]...)
+				continue
+			}
+			// When metadata section missing, initialize with no data
+			if cvs[idx].Metadata == nil {
+				cvs[idx].Metadata = &chart.Metadata{}
+			}
+			if cvs[idx].APIVersion == "" {
+				cvs[idx].APIVersion = chart.APIVersionV1
+			}
+			if err := cvs[idx].Validate(); ignoreSkippableChartValidationError(err) != nil {
+				log.Printf("skipping loading invalid entry for chart %q %q from %s: %s", name, cvs[idx].Version, source, err)
+				cvs = append(cvs[:idx], cvs[idx+1:]...)
+			}
+		}
+		// adjust slice to only contain a set of valid versions
+		i.Entries[name] = cvs
+	}
+	i.SortEntries()
+	if i.APIVersion == "" {
+		return i, ErrNoAPIVersion
+	}
+	return i, nil
+}
+
+// jsonOrYamlUnmarshal unmarshals the given byte slice containing JSON or YAML
+// into the provided interface.
+//
+// It automatically detects whether the data is in JSON or YAML format by
+// checking its validity as JSON. If the data is valid JSON, it will use the
+// `encoding/json` package to unmarshal it. Otherwise, it will use the
+// `sigs.k8s.io/yaml` package to unmarshal the YAML data.
+func jsonOrYamlUnmarshal(b []byte, i interface{}) error {
+	if json.Valid(b) {
+		return json.Unmarshal(b, i)
+	}
+	return yaml.UnmarshalStrict(b, i)
+}
+
+// ignoreSkippableChartValidationError inspect the given error and returns nil if
+// the error isn't important for index loading
+//
+// In particular, charts may introduce validations that don't impact repository indexes
+// And repository indexes may be generated by older/non-compliant software, which doesn't
+// conform to all validations.
+func ignoreSkippableChartValidationError(err error) error {
+	verr, ok := err.(chart.ValidationError)
+	if !ok {
+		return err
+	}
+
+	// https://github.com/helm/helm/issues/12748 (JFrog repository strips alias field)
+	if strings.HasPrefix(verr.Error(), "validation: more than one dependency with name or alias") {
+		return nil
+	}
+
+	return err
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/repo/repo.go b/vendor/helm.sh/helm/v3/pkg/repo/repo.go
new file mode 100644
index 0000000000..834d554bd9
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/repo/repo.go
@@ -0,0 +1,125 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package repo // import "helm.sh/helm/v3/pkg/repo"
+
+import (
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/pkg/errors"
+	"sigs.k8s.io/yaml"
+)
+
+// File represents the repositories.yaml file
+type File struct {
+	APIVersion   string    `json:"apiVersion"`
+	Generated    time.Time `json:"generated"`
+	Repositories []*Entry  `json:"repositories"`
+}
+
+// NewFile generates an empty repositories file.
+//
+// Generated and APIVersion are automatically set.
+func NewFile() *File {
+	return &File{
+		APIVersion:   APIVersionV1,
+		Generated:    time.Now(),
+		Repositories: []*Entry{},
+	}
+}
+
+// LoadFile takes a file at the given path and returns a File object
+func LoadFile(path string) (*File, error) {
+	r := new(File)
+	b, err := os.ReadFile(path)
+	if err != nil {
+		return r, errors.Wrapf(err, "couldn't load repositories file (%s)", path)
+	}
+
+	err = yaml.Unmarshal(b, r)
+	return r, err
+}
+
+// Add adds one or more repo entries to a repo file.
+func (r *File) Add(re ...*Entry) {
+	r.Repositories = append(r.Repositories, re...)
+}
+
+// Update attempts to replace one or more repo entries in a repo file. If an
+// entry with the same name doesn't exist in the repo file it will add it.
+func (r *File) Update(re ...*Entry) {
+	for _, target := range re {
+		r.update(target)
+	}
+}
+
+func (r *File) update(e *Entry) {
+	for j, repo := range r.Repositories {
+		if repo.Name == e.Name {
+			r.Repositories[j] = e
+			return
+		}
+	}
+	r.Add(e)
+}
+
+// Has returns true if the given name is already a repository name.
+func (r *File) Has(name string) bool {
+	entry := r.Get(name)
+	return entry != nil
+}
+
+// Get returns an entry with the given name if it exists, otherwise returns nil
+func (r *File) Get(name string) *Entry {
+	for _, entry := range r.Repositories {
+		if entry.Name == name {
+			return entry
+		}
+	}
+	return nil
+}
+
+// Remove removes the entry from the list of repositories.
+func (r *File) Remove(name string) bool {
+	cp := []*Entry{}
+	found := false
+	for _, rf := range r.Repositories {
+		if rf == nil {
+			continue
+		}
+		if rf.Name == name {
+			found = true
+			continue
+		}
+		cp = append(cp, rf)
+	}
+	r.Repositories = cp
+	return found
+}
+
+// WriteFile writes a repositories file to the given path.
+func (r *File) WriteFile(path string, perm os.FileMode) error {
+	data, err := yaml.Marshal(r)
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+		return err
+	}
+	return os.WriteFile(path, data, perm)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/cfgmaps.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/cfgmaps.go
new file mode 100644
index 0000000000..ce88c662b0
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/cfgmaps.go
@@ -0,0 +1,264 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package driver // import "helm.sh/helm/v3/pkg/storage/driver"
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kblabels "k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/validation"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+)
+
+var _ Driver = (*ConfigMaps)(nil)
+
+// ConfigMapsDriverName is the string name of the driver.
+const ConfigMapsDriverName = "ConfigMap"
+
+// ConfigMaps is a wrapper around an implementation of a kubernetes
+// ConfigMapsInterface.
+type ConfigMaps struct {
+	impl corev1.ConfigMapInterface
+	Log  func(string, ...interface{})
+}
+
+// NewConfigMaps initializes a new ConfigMaps wrapping an implementation of
+// the kubernetes ConfigMapsInterface.
+func NewConfigMaps(impl corev1.ConfigMapInterface) *ConfigMaps {
+	return &ConfigMaps{
+		impl: impl,
+		Log:  func(_ string, _ ...interface{}) {},
+	}
+}
+
+// Name returns the name of the driver.
+func (cfgmaps *ConfigMaps) Name() string {
+	return ConfigMapsDriverName
+}
+
+// Get fetches the release named by key. The corresponding release is returned
+// or error if not found.
+func (cfgmaps *ConfigMaps) Get(key string) (*rspb.Release, error) {
+	// fetch the configmap holding the release named by key
+	obj, err := cfgmaps.impl.Get(context.Background(), key, metav1.GetOptions{})
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil, ErrReleaseNotFound
+		}
+
+		cfgmaps.Log("get: failed to get %q: %s", key, err)
+		return nil, err
+	}
+	// found the configmap, decode the base64 data string
+	r, err := decodeRelease(obj.Data["release"])
+	if err != nil {
+		cfgmaps.Log("get: failed to decode data %q: %s", key, err)
+		return nil, err
+	}
+	r.Labels = filterSystemLabels(obj.ObjectMeta.Labels)
+	// return the release object
+	return r, nil
+}
+
+// List fetches all releases and returns the list releases such
+// that filter(release) == true. An error is returned if the
+// configmap fails to retrieve the releases.
+func (cfgmaps *ConfigMaps) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) {
+	lsel := kblabels.Set{"owner": "helm"}.AsSelector()
+	opts := metav1.ListOptions{LabelSelector: lsel.String()}
+
+	list, err := cfgmaps.impl.List(context.Background(), opts)
+	if err != nil {
+		cfgmaps.Log("list: failed to list: %s", err)
+		return nil, err
+	}
+
+	var results []*rspb.Release
+
+	// iterate over the configmaps object list
+	// and decode each release
+	for _, item := range list.Items {
+		rls, err := decodeRelease(item.Data["release"])
+		if err != nil {
+			cfgmaps.Log("list: failed to decode release: %v: %s", item, err)
+			continue
+		}
+
+		rls.Labels = item.ObjectMeta.Labels
+
+		if filter(rls) {
+			results = append(results, rls)
+		}
+	}
+	return results, nil
+}
+
+// Query fetches all releases that match the provided map of labels.
+// An error is returned if the configmap fails to retrieve the releases.
+func (cfgmaps *ConfigMaps) Query(labels map[string]string) ([]*rspb.Release, error) {
+	ls := kblabels.Set{}
+	for k, v := range labels {
+		if errs := validation.IsValidLabelValue(v); len(errs) != 0 {
+			return nil, errors.Errorf("invalid label value: %q: %s", v, strings.Join(errs, "; "))
+		}
+		ls[k] = v
+	}
+
+	opts := metav1.ListOptions{LabelSelector: ls.AsSelector().String()}
+
+	list, err := cfgmaps.impl.List(context.Background(), opts)
+	if err != nil {
+		cfgmaps.Log("query: failed to query with labels: %s", err)
+		return nil, err
+	}
+
+	if len(list.Items) == 0 {
+		return nil, ErrReleaseNotFound
+	}
+
+	var results []*rspb.Release
+	for _, item := range list.Items {
+		rls, err := decodeRelease(item.Data["release"])
+		if err != nil {
+			cfgmaps.Log("query: failed to decode release: %s", err)
+			continue
+		}
+		rls.Labels = item.ObjectMeta.Labels
+		results = append(results, rls)
+	}
+	return results, nil
+}
+
+// Create creates a new ConfigMap holding the release. If the
+// ConfigMap already exists, ErrReleaseExists is returned.
+func (cfgmaps *ConfigMaps) Create(key string, rls *rspb.Release) error {
+	// set labels for configmaps object meta data
+	var lbs labels
+
+	lbs.init()
+	lbs.fromMap(rls.Labels)
+	lbs.set("createdAt", fmt.Sprintf("%v", time.Now().Unix()))
+
+	// create a new configmap to hold the release
+	obj, err := newConfigMapsObject(key, rls, lbs)
+	if err != nil {
+		cfgmaps.Log("create: failed to encode release %q: %s", rls.Name, err)
+		return err
+	}
+	// push the configmap object out into the kubiverse
+	if _, err := cfgmaps.impl.Create(context.Background(), obj, metav1.CreateOptions{}); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			return ErrReleaseExists
+		}
+
+		cfgmaps.Log("create: failed to create: %s", err)
+		return err
+	}
+	return nil
+}
+
+// Update updates the ConfigMap holding the release. If not found
+// the ConfigMap is created to hold the release.
+func (cfgmaps *ConfigMaps) Update(key string, rls *rspb.Release) error {
+	// set labels for configmaps object meta data
+	var lbs labels
+
+	lbs.init()
+	lbs.fromMap(rls.Labels)
+	lbs.set("modifiedAt", fmt.Sprintf("%v", time.Now().Unix()))
+
+	// create a new configmap object to hold the release
+	obj, err := newConfigMapsObject(key, rls, lbs)
+	if err != nil {
+		cfgmaps.Log("update: failed to encode release %q: %s", rls.Name, err)
+		return err
+	}
+	// push the configmap object out into the kubiverse
+	_, err = cfgmaps.impl.Update(context.Background(), obj, metav1.UpdateOptions{})
+	if err != nil {
+		cfgmaps.Log("update: failed to update: %s", err)
+		return err
+	}
+	return nil
+}
+
+// Delete deletes the ConfigMap holding the release named by key.
+func (cfgmaps *ConfigMaps) Delete(key string) (rls *rspb.Release, err error) {
+	// fetch the release to check existence
+	if rls, err = cfgmaps.Get(key); err != nil {
+		return nil, err
+	}
+	// delete the release
+	if err = cfgmaps.impl.Delete(context.Background(), key, metav1.DeleteOptions{}); err != nil {
+		return rls, err
+	}
+	return rls, nil
+}
+
+// newConfigMapsObject constructs a kubernetes ConfigMap object
+// to store a release. Each configmap data entry is the base64
+// encoded gzipped string of a release.
+//
+// The following labels are used within each configmap:
+//
+//	"modifiedAt"     - timestamp indicating when this configmap was last modified. (set in Update)
+//	"createdAt"      - timestamp indicating when this configmap was created. (set in Create)
+//	"version"        - version of the release.
+//	"status"         - status of the release (see pkg/release/status.go for variants)
+//	"owner"          - owner of the configmap, currently "helm".
+//	"name"           - name of the release.
+func newConfigMapsObject(key string, rls *rspb.Release, lbs labels) (*v1.ConfigMap, error) {
+	const owner = "helm"
+
+	// encode the release
+	s, err := encodeRelease(rls)
+	if err != nil {
+		return nil, err
+	}
+
+	if lbs == nil {
+		lbs.init()
+	}
+
+	// apply custom labels
+	lbs.fromMap(rls.Labels)
+
+	// apply labels
+	lbs.set("name", rls.Name)
+	lbs.set("owner", owner)
+	lbs.set("status", rls.Info.Status.String())
+	lbs.set("version", strconv.Itoa(rls.Version))
+
+	// create and return configmap object
+	return &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   key,
+			Labels: lbs.toMap(),
+		},
+		Data: map[string]string{"release": s},
+	}, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/driver.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/driver.go
new file mode 100644
index 0000000000..9c01f37660
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/driver.go
@@ -0,0 +1,105 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package driver // import "helm.sh/helm/v3/pkg/storage/driver"
+
+import (
+	"fmt"
+
+	"github.com/pkg/errors"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+)
+
+var (
+	// ErrReleaseNotFound indicates that a release is not found.
+	ErrReleaseNotFound = errors.New("release: not found")
+	// ErrReleaseExists indicates that a release already exists.
+	ErrReleaseExists = errors.New("release: already exists")
+	// ErrInvalidKey indicates that a release key could not be parsed.
+	ErrInvalidKey = errors.New("release: invalid key")
+	// ErrNoDeployedReleases indicates that there are no releases with the given key in the deployed state
+	ErrNoDeployedReleases = errors.New("has no deployed releases")
+)
+
+// StorageDriverError records an error and the release name that caused it
+type StorageDriverError struct {
+	ReleaseName string
+	Err         error
+}
+
+func (e *StorageDriverError) Error() string {
+	return fmt.Sprintf("%q %s", e.ReleaseName, e.Err.Error())
+}
+
+func (e *StorageDriverError) Unwrap() error { return e.Err }
+
+func NewErrNoDeployedReleases(releaseName string) error {
+	return &StorageDriverError{
+		ReleaseName: releaseName,
+		Err:         ErrNoDeployedReleases,
+	}
+}
+
+// Creator is the interface that wraps the Create method.
+//
+// Create stores the release or returns ErrReleaseExists
+// if an identical release already exists.
+type Creator interface {
+	Create(key string, rls *rspb.Release) error
+}
+
+// Updator is the interface that wraps the Update method.
+//
+// Update updates an existing release or returns
+// ErrReleaseNotFound if the release does not exist.
+type Updator interface {
+	Update(key string, rls *rspb.Release) error
+}
+
+// Deletor is the interface that wraps the Delete method.
+//
+// Delete deletes the release named by key or returns
+// ErrReleaseNotFound if the release does not exist.
+type Deletor interface {
+	Delete(key string) (*rspb.Release, error)
+}
+
+// Queryor is the interface that wraps the Get and List methods.
+//
+// Get returns the release named by key or returns ErrReleaseNotFound
+// if the release does not exist.
+//
+// List returns the set of all releases that satisfy the filter predicate.
+//
+// Query returns the set of all releases that match the provided label set.
+type Queryor interface {
+	Get(key string) (*rspb.Release, error)
+	List(filter func(*rspb.Release) bool) ([]*rspb.Release, error)
+	Query(labels map[string]string) ([]*rspb.Release, error)
+}
+
+// Driver is the interface composed of Creator, Updator, Deletor, and Queryor
+// interfaces. It defines the behavior for storing, updating, deleted,
+// and retrieving Helm releases from some underlying storage mechanism,
+// e.g. memory, configmaps.
+type Driver interface {
+	Creator
+	Updator
+	Deletor
+	Queryor
+	Name() string
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/labels.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/labels.go
new file mode 100644
index 0000000000..eb7118fe5f
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/labels.go
@@ -0,0 +1,48 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package driver
+
+// labels is a map of key value pairs to be included as metadata in a configmap object.
+type labels map[string]string
+
+func (lbs *labels) init()                { *lbs = labels(make(map[string]string)) }
+func (lbs labels) get(key string) string { return lbs[key] }
+func (lbs labels) set(key, val string)   { lbs[key] = val }
+
+func (lbs labels) keys() (ls []string) {
+	for key := range lbs {
+		ls = append(ls, key)
+	}
+	return
+}
+
+func (lbs labels) match(set labels) bool {
+	for _, key := range set.keys() {
+		if lbs.get(key) != set.get(key) {
+			return false
+		}
+	}
+	return true
+}
+
+func (lbs labels) toMap() map[string]string { return lbs }
+
+func (lbs *labels) fromMap(kvs map[string]string) {
+	for k, v := range kvs {
+		lbs.set(k, v)
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/memory.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/memory.go
new file mode 100644
index 0000000000..91378f5885
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/memory.go
@@ -0,0 +1,240 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package driver
+
+import (
+	"strconv"
+	"strings"
+	"sync"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+)
+
+var _ Driver = (*Memory)(nil)
+
+const (
+	// MemoryDriverName is the string name of this driver.
+	MemoryDriverName = "Memory"
+
+	defaultNamespace = "default"
+)
+
+// A map of release names to list of release records
+type memReleases map[string]records
+
+// Memory is the in-memory storage driver implementation.
+type Memory struct {
+	sync.RWMutex
+	namespace string
+	// A map of namespaces to releases
+	cache map[string]memReleases
+}
+
+// NewMemory initializes a new memory driver.
+func NewMemory() *Memory {
+	return &Memory{cache: map[string]memReleases{}, namespace: "default"}
+}
+
+// SetNamespace sets a specific namespace in which releases will be accessed.
+// An empty string indicates all namespaces (for the list operation)
+func (mem *Memory) SetNamespace(ns string) {
+	mem.namespace = ns
+}
+
+// Name returns the name of the driver.
+func (mem *Memory) Name() string {
+	return MemoryDriverName
+}
+
+// Get returns the release named by key or returns ErrReleaseNotFound.
+func (mem *Memory) Get(key string) (*rspb.Release, error) {
+	defer unlock(mem.rlock())
+
+	keyWithoutPrefix := strings.TrimPrefix(key, "sh.helm.release.v1.")
+	switch elems := strings.Split(keyWithoutPrefix, ".v"); len(elems) {
+	case 2:
+		name, ver := elems[0], elems[1]
+		if _, err := strconv.Atoi(ver); err != nil {
+			return nil, ErrInvalidKey
+		}
+		if recs, ok := mem.cache[mem.namespace][name]; ok {
+			if r := recs.Get(key); r != nil {
+				return r.rls, nil
+			}
+		}
+		return nil, ErrReleaseNotFound
+	default:
+		return nil, ErrInvalidKey
+	}
+}
+
+// List returns the list of all releases such that filter(release) == true
+func (mem *Memory) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) {
+	defer unlock(mem.rlock())
+
+	var ls []*rspb.Release
+	for namespace := range mem.cache {
+		if mem.namespace != "" {
+			// Should only list releases of this namespace
+			namespace = mem.namespace
+		}
+		for _, recs := range mem.cache[namespace] {
+			recs.Iter(func(_ int, rec *record) bool {
+				if filter(rec.rls) {
+					ls = append(ls, rec.rls)
+				}
+				return true
+			})
+		}
+		if mem.namespace != "" {
+			// Should only list releases of this namespace
+			break
+		}
+	}
+	return ls, nil
+}
+
+// Query returns the set of releases that match the provided set of labels
+func (mem *Memory) Query(keyvals map[string]string) ([]*rspb.Release, error) {
+	defer unlock(mem.rlock())
+
+	var lbs labels
+
+	lbs.init()
+	lbs.fromMap(keyvals)
+
+	var ls []*rspb.Release
+	for namespace := range mem.cache {
+		if mem.namespace != "" {
+			// Should only query releases of this namespace
+			namespace = mem.namespace
+		}
+		for _, recs := range mem.cache[namespace] {
+			recs.Iter(func(_ int, rec *record) bool {
+				// A query for a release name that doesn't exist (has been deleted)
+				// can cause rec to be nil.
+				if rec == nil {
+					return false
+				}
+				if rec.lbs.match(lbs) {
+					ls = append(ls, rec.rls)
+				}
+				return true
+			})
+		}
+		if mem.namespace != "" {
+			// Should only query releases of this namespace
+			break
+		}
+	}
+
+	if len(ls) == 0 {
+		return nil, ErrReleaseNotFound
+	}
+
+	return ls, nil
+}
+
+// Create creates a new release or returns ErrReleaseExists.
+func (mem *Memory) Create(key string, rls *rspb.Release) error {
+	defer unlock(mem.wlock())
+
+	// For backwards compatibility, we protect against an unset namespace
+	namespace := rls.Namespace
+	if namespace == "" {
+		namespace = defaultNamespace
+	}
+	mem.SetNamespace(namespace)
+
+	if _, ok := mem.cache[namespace]; !ok {
+		mem.cache[namespace] = memReleases{}
+	}
+
+	if recs, ok := mem.cache[namespace][rls.Name]; ok {
+		if err := recs.Add(newRecord(key, rls)); err != nil {
+			return err
+		}
+		mem.cache[namespace][rls.Name] = recs
+		return nil
+	}
+	mem.cache[namespace][rls.Name] = records{newRecord(key, rls)}
+	return nil
+}
+
+// Update updates a release or returns ErrReleaseNotFound.
+func (mem *Memory) Update(key string, rls *rspb.Release) error {
+	defer unlock(mem.wlock())
+
+	// For backwards compatibility, we protect against an unset namespace
+	namespace := rls.Namespace
+	if namespace == "" {
+		namespace = defaultNamespace
+	}
+	mem.SetNamespace(namespace)
+
+	if _, ok := mem.cache[namespace]; ok {
+		if rs, ok := mem.cache[namespace][rls.Name]; ok && rs.Exists(key) {
+			rs.Replace(key, newRecord(key, rls))
+			return nil
+		}
+	}
+	return ErrReleaseNotFound
+}
+
+// Delete deletes a release or returns ErrReleaseNotFound.
+func (mem *Memory) Delete(key string) (*rspb.Release, error) {
+	defer unlock(mem.wlock())
+
+	keyWithoutPrefix := strings.TrimPrefix(key, "sh.helm.release.v1.")
+	elems := strings.Split(keyWithoutPrefix, ".v")
+
+	if len(elems) != 2 {
+		return nil, ErrInvalidKey
+	}
+
+	name, ver := elems[0], elems[1]
+	if _, err := strconv.Atoi(ver); err != nil {
+		return nil, ErrInvalidKey
+	}
+	if _, ok := mem.cache[mem.namespace]; ok {
+		if recs, ok := mem.cache[mem.namespace][name]; ok {
+			if r := recs.Remove(key); r != nil {
+				// recs.Remove changes the slice reference, so we have to re-assign it.
+				mem.cache[mem.namespace][name] = recs
+				return r.rls, nil
+			}
+		}
+	}
+	return nil, ErrReleaseNotFound
+}
+
+// wlock locks mem for writing
+func (mem *Memory) wlock() func() {
+	mem.Lock()
+	return func() { mem.Unlock() }
+}
+
+// rlock locks mem for reading
+func (mem *Memory) rlock() func() {
+	mem.RLock()
+	return func() { mem.RUnlock() }
+}
+
+// unlock calls fn which reverses a mem.rlock or mem.wlock. e.g:
+// ```defer unlock(mem.rlock())```, locks mem for reading at the
+// call point of defer and unlocks upon exiting the block.
+func unlock(fn func()) { fn() }
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/records.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/records.go
new file mode 100644
index 0000000000..9df173384c
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/records.go
@@ -0,0 +1,124 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package driver // import "helm.sh/helm/v3/pkg/storage/driver"
+
+import (
+	"sort"
+	"strconv"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+)
+
+// records holds a list of in-memory release records
+type records []*record
+
+func (rs records) Len() int           { return len(rs) }
+func (rs records) Swap(i, j int)      { rs[i], rs[j] = rs[j], rs[i] }
+func (rs records) Less(i, j int) bool { return rs[i].rls.Version < rs[j].rls.Version }
+
+func (rs *records) Add(r *record) error {
+	if r == nil {
+		return nil
+	}
+
+	if rs.Exists(r.key) {
+		return ErrReleaseExists
+	}
+
+	*rs = append(*rs, r)
+	sort.Sort(*rs)
+
+	return nil
+}
+
+func (rs records) Get(key string) *record {
+	if i, ok := rs.Index(key); ok {
+		return rs[i]
+	}
+	return nil
+}
+
+func (rs *records) Iter(fn func(int, *record) bool) {
+	cp := make([]*record, len(*rs))
+	copy(cp, *rs)
+
+	for i, r := range cp {
+		if !fn(i, r) {
+			return
+		}
+	}
+}
+
+func (rs *records) Index(key string) (int, bool) {
+	for i, r := range *rs {
+		if r.key == key {
+			return i, true
+		}
+	}
+	return -1, false
+}
+
+func (rs records) Exists(key string) bool {
+	_, ok := rs.Index(key)
+	return ok
+}
+
+func (rs *records) Remove(key string) (r *record) {
+	if i, ok := rs.Index(key); ok {
+		return rs.removeAt(i)
+	}
+	return nil
+}
+
+func (rs *records) Replace(key string, rec *record) *record {
+	if i, ok := rs.Index(key); ok {
+		old := (*rs)[i]
+		(*rs)[i] = rec
+		return old
+	}
+	return nil
+}
+
+func (rs *records) removeAt(index int) *record {
+	r := (*rs)[index]
+	(*rs)[index] = nil
+	copy((*rs)[index:], (*rs)[index+1:])
+	*rs = (*rs)[:len(*rs)-1]
+	return r
+}
+
+// record is the data structure used to cache releases
+// for the in-memory storage driver
+type record struct {
+	key string
+	lbs labels
+	rls *rspb.Release
+}
+
+// newRecord creates a new in-memory release record
+func newRecord(key string, rls *rspb.Release) *record {
+	var lbs labels
+
+	lbs.init()
+	lbs.set("name", rls.Name)
+	lbs.set("owner", "helm")
+	lbs.set("status", rls.Info.Status.String())
+	lbs.set("version", strconv.Itoa(rls.Version))
+
+	// return &record{key: key, lbs: lbs, rls: proto.Clone(rls).(*rspb.Release)}
+	return &record{key: key, lbs: lbs, rls: rls}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/secrets.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/secrets.go
new file mode 100644
index 0000000000..95a7e90324
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/secrets.go
@@ -0,0 +1,257 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package driver // import "helm.sh/helm/v3/pkg/storage/driver"
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kblabels "k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/validation"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+)
+
+var _ Driver = (*Secrets)(nil)
+
+// SecretsDriverName is the string name of the driver.
+const SecretsDriverName = "Secret"
+
+// Secrets is a wrapper around an implementation of a kubernetes
+// SecretsInterface.
+type Secrets struct {
+	impl corev1.SecretInterface
+	Log  func(string, ...interface{})
+}
+
+// NewSecrets initializes a new Secrets wrapping an implementation of
+// the kubernetes SecretsInterface.
+func NewSecrets(impl corev1.SecretInterface) *Secrets {
+	return &Secrets{
+		impl: impl,
+		Log:  func(_ string, _ ...interface{}) {},
+	}
+}
+
+// Name returns the name of the driver.
+func (secrets *Secrets) Name() string {
+	return SecretsDriverName
+}
+
+// Get fetches the release named by key. The corresponding release is returned
+// or error if not found.
+func (secrets *Secrets) Get(key string) (*rspb.Release, error) {
+	// fetch the secret holding the release named by key
+	obj, err := secrets.impl.Get(context.Background(), key, metav1.GetOptions{})
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil, ErrReleaseNotFound
+		}
+		return nil, errors.Wrapf(err, "get: failed to get %q", key)
+	}
+	// found the secret, decode the base64 data string
+	r, err := decodeRelease(string(obj.Data["release"]))
+	r.Labels = filterSystemLabels(obj.ObjectMeta.Labels)
+	return r, errors.Wrapf(err, "get: failed to decode data %q", key)
+}
+
+// List fetches all releases and returns the list releases such
+// that filter(release) == true. An error is returned if the
+// secret fails to retrieve the releases.
+func (secrets *Secrets) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) {
+	lsel := kblabels.Set{"owner": "helm"}.AsSelector()
+	opts := metav1.ListOptions{LabelSelector: lsel.String()}
+
+	list, err := secrets.impl.List(context.Background(), opts)
+	if err != nil {
+		return nil, errors.Wrap(err, "list: failed to list")
+	}
+
+	var results []*rspb.Release
+
+	// iterate over the secrets object list
+	// and decode each release
+	for _, item := range list.Items {
+		rls, err := decodeRelease(string(item.Data["release"]))
+		if err != nil {
+			secrets.Log("list: failed to decode release: %v: %s", item, err)
+			continue
+		}
+
+		rls.Labels = item.ObjectMeta.Labels
+
+		if filter(rls) {
+			results = append(results, rls)
+		}
+	}
+	return results, nil
+}
+
+// Query fetches all releases that match the provided map of labels.
+// An error is returned if the secret fails to retrieve the releases.
+func (secrets *Secrets) Query(labels map[string]string) ([]*rspb.Release, error) {
+	ls := kblabels.Set{}
+	for k, v := range labels {
+		if errs := validation.IsValidLabelValue(v); len(errs) != 0 {
+			return nil, errors.Errorf("invalid label value: %q: %s", v, strings.Join(errs, "; "))
+		}
+		ls[k] = v
+	}
+
+	opts := metav1.ListOptions{LabelSelector: ls.AsSelector().String()}
+
+	list, err := secrets.impl.List(context.Background(), opts)
+	if err != nil {
+		return nil, errors.Wrap(err, "query: failed to query with labels")
+	}
+
+	if len(list.Items) == 0 {
+		return nil, ErrReleaseNotFound
+	}
+
+	var results []*rspb.Release
+	for _, item := range list.Items {
+		rls, err := decodeRelease(string(item.Data["release"]))
+		if err != nil {
+			secrets.Log("query: failed to decode release: %s", err)
+			continue
+		}
+		rls.Labels = item.ObjectMeta.Labels
+		results = append(results, rls)
+	}
+	return results, nil
+}
+
+// Create creates a new Secret holding the release. If the
+// Secret already exists, ErrReleaseExists is returned.
+func (secrets *Secrets) Create(key string, rls *rspb.Release) error {
+	// set labels for secrets object meta data
+	var lbs labels
+
+	lbs.init()
+	lbs.fromMap(rls.Labels)
+	lbs.set("createdAt", fmt.Sprintf("%v", time.Now().Unix()))
+
+	// create a new secret to hold the release
+	obj, err := newSecretsObject(key, rls, lbs)
+	if err != nil {
+		return errors.Wrapf(err, "create: failed to encode release %q", rls.Name)
+	}
+	// push the secret object out into the kubiverse
+	if _, err := secrets.impl.Create(context.Background(), obj, metav1.CreateOptions{}); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			return ErrReleaseExists
+		}
+
+		return errors.Wrap(err, "create: failed to create")
+	}
+	return nil
+}
+
+// Update updates the Secret holding the release. If not found
+// the Secret is created to hold the release.
+func (secrets *Secrets) Update(key string, rls *rspb.Release) error {
+	// set labels for secrets object meta data
+	var lbs labels
+
+	lbs.init()
+	lbs.fromMap(rls.Labels)
+	lbs.set("modifiedAt", fmt.Sprintf("%v", time.Now().Unix()))
+
+	// create a new secret object to hold the release
+	obj, err := newSecretsObject(key, rls, lbs)
+	if err != nil {
+		return errors.Wrapf(err, "update: failed to encode release %q", rls.Name)
+	}
+	// push the secret object out into the kubiverse
+	_, err = secrets.impl.Update(context.Background(), obj, metav1.UpdateOptions{})
+	return errors.Wrap(err, "update: failed to update")
+}
+
+// Delete deletes the Secret holding the release named by key.
+func (secrets *Secrets) Delete(key string) (rls *rspb.Release, err error) {
+	// fetch the release to check existence
+	if rls, err = secrets.Get(key); err != nil {
+		return nil, err
+	}
+	// delete the release
+	err = secrets.impl.Delete(context.Background(), key, metav1.DeleteOptions{})
+	return rls, err
+}
+
+// newSecretsObject constructs a kubernetes Secret object
+// to store a release. Each secret data entry is the base64
+// encoded gzipped string of a release.
+//
+// The following labels are used within each secret:
+//
+//	"modifiedAt"    - timestamp indicating when this secret was last modified. (set in Update)
+//	"createdAt"     - timestamp indicating when this secret was created. (set in Create)
+//	"version"        - version of the release.
+//	"status"         - status of the release (see pkg/release/status.go for variants)
+//	"owner"          - owner of the secret, currently "helm".
+//	"name"           - name of the release.
+func newSecretsObject(key string, rls *rspb.Release, lbs labels) (*v1.Secret, error) {
+	const owner = "helm"
+
+	// encode the release
+	s, err := encodeRelease(rls)
+	if err != nil {
+		return nil, err
+	}
+
+	if lbs == nil {
+		lbs.init()
+	}
+
+	// apply custom labels
+	lbs.fromMap(rls.Labels)
+
+	// apply labels
+	lbs.set("name", rls.Name)
+	lbs.set("owner", owner)
+	lbs.set("status", rls.Info.Status.String())
+	lbs.set("version", strconv.Itoa(rls.Version))
+
+	// create and return secret object.
+	// Helm 3 introduced setting the 'Type' field
+	// in the Kubernetes storage object.
+	// Helm defines the field content as follows:
+	// <helm_domain>/<helm_object>.v<helm_object_version>
+	// Type field for Helm 3: helm.sh/release.v1
+	// Note: Version starts at 'v1' for Helm 3 and
+	// should be incremented if the release object
+	// metadata is modified.
+	// This would potentially be a breaking change
+	// and should only happen between major versions.
+	return &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   key,
+			Labels: lbs.toMap(),
+		},
+		Type: "helm.sh/release.v1",
+		Data: map[string][]byte{"release": []byte(s)},
+	}, nil
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/sql.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/sql.go
new file mode 100644
index 0000000000..33bde9b6a4
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/sql.go
@@ -0,0 +1,697 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package driver // import "helm.sh/helm/v3/pkg/storage/driver"
+
+import (
+	"fmt"
+	"sort"
+	"strconv"
+	"time"
+
+	"github.com/jmoiron/sqlx"
+	migrate "github.com/rubenv/sql-migrate"
+
+	sq "github.com/Masterminds/squirrel"
+
+	// Import pq for postgres dialect
+	_ "github.com/lib/pq"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+)
+
+var _ Driver = (*SQL)(nil)
+
+var labelMap = map[string]struct{}{
+	"modifiedAt": {},
+	"createdAt":  {},
+	"version":    {},
+	"status":     {},
+	"owner":      {},
+	"name":       {},
+}
+
+const postgreSQLDialect = "postgres"
+
+// SQLDriverName is the string name of this driver.
+const SQLDriverName = "SQL"
+
+const sqlReleaseTableName = "releases_v1"
+const sqlCustomLabelsTableName = "custom_labels_v1"
+
+const (
+	sqlReleaseTableKeyColumn        = "key"
+	sqlReleaseTableTypeColumn       = "type"
+	sqlReleaseTableBodyColumn       = "body"
+	sqlReleaseTableNameColumn       = "name"
+	sqlReleaseTableNamespaceColumn  = "namespace"
+	sqlReleaseTableVersionColumn    = "version"
+	sqlReleaseTableStatusColumn     = "status"
+	sqlReleaseTableOwnerColumn      = "owner"
+	sqlReleaseTableCreatedAtColumn  = "createdAt"
+	sqlReleaseTableModifiedAtColumn = "modifiedAt"
+
+	sqlCustomLabelsTableReleaseKeyColumn       = "releaseKey"
+	sqlCustomLabelsTableReleaseNamespaceColumn = "releaseNamespace"
+	sqlCustomLabelsTableKeyColumn              = "key"
+	sqlCustomLabelsTableValueColumn            = "value"
+)
+
+// Following limits based on k8s labels limits - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
+const (
+	sqlCustomLabelsTableKeyMaxLength   = 253 + 1 + 63
+	sqlCustomLabelsTableValueMaxLength = 63
+)
+
+const (
+	sqlReleaseDefaultOwner = "helm"
+	sqlReleaseDefaultType  = "helm.sh/release.v1"
+)
+
+// SQL is the sql storage driver implementation.
+type SQL struct {
+	db               *sqlx.DB
+	namespace        string
+	statementBuilder sq.StatementBuilderType
+
+	Log func(string, ...interface{})
+}
+
+// Name returns the name of the driver.
+func (s *SQL) Name() string {
+	return SQLDriverName
+}
+
+// Check if all migrations al
+func (s *SQL) checkAlreadyApplied(migrations []*migrate.Migration) bool {
+	// make map (set) of ids for fast search
+	migrationsIDs := make(map[string]struct{})
+	for _, migration := range migrations {
+		migrationsIDs[migration.Id] = struct{}{}
+	}
+
+	// get list of applied migrations
+	migrate.SetDisableCreateTable(true)
+	records, err := migrate.GetMigrationRecords(s.db.DB, postgreSQLDialect)
+	migrate.SetDisableCreateTable(false)
+	if err != nil {
+		s.Log("checkAlreadyApplied: failed to get migration records: %v", err)
+		return false
+	}
+
+	for _, record := range records {
+		if _, ok := migrationsIDs[record.Id]; ok {
+			s.Log("checkAlreadyApplied: found previous migration (Id: %v) applied at %v", record.Id, record.AppliedAt)
+			delete(migrationsIDs, record.Id)
+		}
+	}
+
+	// check if all migrations applied
+	if len(migrationsIDs) != 0 {
+		for id := range migrationsIDs {
+			s.Log("checkAlreadyApplied: find unapplied migration (id: %v)", id)
+		}
+		return false
+	}
+	return true
+}
+
+func (s *SQL) ensureDBSetup() error {
+
+	migrations := &migrate.MemoryMigrationSource{
+		Migrations: []*migrate.Migration{
+			{
+				Id: "init",
+				Up: []string{
+					fmt.Sprintf(`
+						CREATE TABLE %s (
+							%s VARCHAR(90),
+							%s VARCHAR(64) NOT NULL,
+							%s TEXT NOT NULL,
+							%s VARCHAR(64) NOT NULL,
+							%s VARCHAR(64) NOT NULL,
+							%s INTEGER NOT NULL,
+							%s TEXT NOT NULL,
+							%s TEXT NOT NULL,
+							%s INTEGER NOT NULL,
+							%s INTEGER NOT NULL DEFAULT 0,
+							PRIMARY KEY(%s, %s)
+						);
+						CREATE INDEX ON %s (%s, %s);
+						CREATE INDEX ON %s (%s);
+						CREATE INDEX ON %s (%s);
+						CREATE INDEX ON %s (%s);
+						CREATE INDEX ON %s (%s);
+						CREATE INDEX ON %s (%s);
+	
+						GRANT ALL ON %s TO PUBLIC;
+	
+						ALTER TABLE %s ENABLE ROW LEVEL SECURITY;
+					`,
+						sqlReleaseTableName,
+						sqlReleaseTableKeyColumn,
+						sqlReleaseTableTypeColumn,
+						sqlReleaseTableBodyColumn,
+						sqlReleaseTableNameColumn,
+						sqlReleaseTableNamespaceColumn,
+						sqlReleaseTableVersionColumn,
+						sqlReleaseTableStatusColumn,
+						sqlReleaseTableOwnerColumn,
+						sqlReleaseTableCreatedAtColumn,
+						sqlReleaseTableModifiedAtColumn,
+						sqlReleaseTableKeyColumn,
+						sqlReleaseTableNamespaceColumn,
+						sqlReleaseTableName,
+						sqlReleaseTableKeyColumn,
+						sqlReleaseTableNamespaceColumn,
+						sqlReleaseTableName,
+						sqlReleaseTableVersionColumn,
+						sqlReleaseTableName,
+						sqlReleaseTableStatusColumn,
+						sqlReleaseTableName,
+						sqlReleaseTableOwnerColumn,
+						sqlReleaseTableName,
+						sqlReleaseTableCreatedAtColumn,
+						sqlReleaseTableName,
+						sqlReleaseTableModifiedAtColumn,
+						sqlReleaseTableName,
+						sqlReleaseTableName,
+					),
+				},
+				Down: []string{
+					fmt.Sprintf(`
+						DROP TABLE %s;
+					`, sqlReleaseTableName),
+				},
+			},
+			{
+				Id: "custom_labels",
+				Up: []string{
+					fmt.Sprintf(`
+						CREATE TABLE %s (
+							%s VARCHAR(64),
+							%s VARCHAR(67),
+							%s VARCHAR(%d),
+							%s VARCHAR(%d)
+						);
+						CREATE INDEX ON %s (%s, %s);
+						
+						GRANT ALL ON %s TO PUBLIC;
+						ALTER TABLE %s ENABLE ROW LEVEL SECURITY;
+					`,
+						sqlCustomLabelsTableName,
+						sqlCustomLabelsTableReleaseKeyColumn,
+						sqlCustomLabelsTableReleaseNamespaceColumn,
+						sqlCustomLabelsTableKeyColumn,
+						sqlCustomLabelsTableKeyMaxLength,
+						sqlCustomLabelsTableValueColumn,
+						sqlCustomLabelsTableValueMaxLength,
+						sqlCustomLabelsTableName,
+						sqlCustomLabelsTableReleaseKeyColumn,
+						sqlCustomLabelsTableReleaseNamespaceColumn,
+						sqlCustomLabelsTableName,
+						sqlCustomLabelsTableName,
+					),
+				},
+				Down: []string{
+					fmt.Sprintf(`
+						DELETE TABLE %s;
+					`, sqlCustomLabelsTableName),
+				},
+			},
+		},
+	}
+
+	// Check that init migration already applied
+	if s.checkAlreadyApplied(migrations.Migrations) {
+		return nil
+	}
+
+	// Populate the database with the relations we need if they don't exist yet
+	_, err := migrate.Exec(s.db.DB, postgreSQLDialect, migrations, migrate.Up)
+	return err
+}
+
+// SQLReleaseWrapper describes how Helm releases are stored in an SQL database
+type SQLReleaseWrapper struct {
+	// The primary key, made of {release-name}.{release-version}
+	Key string `db:"key"`
+
+	// See https://github.com/helm/helm/blob/c9fe3d118caec699eb2565df9838673af379ce12/pkg/storage/driver/secrets.go#L231
+	Type string `db:"type"`
+
+	// The rspb.Release body, as a base64-encoded string
+	Body string `db:"body"`
+
+	// Release "labels" that can be used as filters in the storage.Query(labels map[string]string)
+	// we implemented. Note that allowing Helm users to filter against new dimensions will require a
+	// new migration to be added, and the Create and/or update functions to be updated accordingly.
+	Name       string `db:"name"`
+	Namespace  string `db:"namespace"`
+	Version    int    `db:"version"`
+	Status     string `db:"status"`
+	Owner      string `db:"owner"`
+	CreatedAt  int    `db:"createdAt"`
+	ModifiedAt int    `db:"modifiedAt"`
+}
+
+type SQLReleaseCustomLabelWrapper struct {
+	ReleaseKey       string `db:"release_key"`
+	ReleaseNamespace string `db:"release_namespace"`
+	Key              string `db:"key"`
+	Value            string `db:"value"`
+}
+
+// NewSQL initializes a new sql driver.
+func NewSQL(connectionString string, logger func(string, ...interface{}), namespace string) (*SQL, error) {
+	db, err := sqlx.Connect(postgreSQLDialect, connectionString)
+	if err != nil {
+		return nil, err
+	}
+
+	driver := &SQL{
+		db:               db,
+		Log:              logger,
+		statementBuilder: sq.StatementBuilder.PlaceholderFormat(sq.Dollar),
+	}
+
+	if err := driver.ensureDBSetup(); err != nil {
+		return nil, err
+	}
+
+	driver.namespace = namespace
+
+	return driver, nil
+}
+
+// Get returns the release named by key.
+func (s *SQL) Get(key string) (*rspb.Release, error) {
+	var record SQLReleaseWrapper
+
+	qb := s.statementBuilder.
+		Select(sqlReleaseTableBodyColumn).
+		From(sqlReleaseTableName).
+		Where(sq.Eq{sqlReleaseTableKeyColumn: key}).
+		Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace})
+
+	query, args, err := qb.ToSql()
+	if err != nil {
+		s.Log("failed to build query: %v", err)
+		return nil, err
+	}
+
+	// Get will return an error if the result is empty
+	if err := s.db.Get(&record, query, args...); err != nil {
+		s.Log("got SQL error when getting release %s: %v", key, err)
+		return nil, ErrReleaseNotFound
+	}
+
+	release, err := decodeRelease(record.Body)
+	if err != nil {
+		s.Log("get: failed to decode data %q: %v", key, err)
+		return nil, err
+	}
+
+	if release.Labels, err = s.getReleaseCustomLabels(key, s.namespace); err != nil {
+		s.Log("failed to get release %s/%s custom labels: %v", s.namespace, key, err)
+		return nil, err
+	}
+
+	return release, nil
+}
+
+// List returns the list of all releases such that filter(release) == true
+func (s *SQL) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) {
+	sb := s.statementBuilder.
+		Select(sqlReleaseTableKeyColumn, sqlReleaseTableNamespaceColumn, sqlReleaseTableBodyColumn).
+		From(sqlReleaseTableName).
+		Where(sq.Eq{sqlReleaseTableOwnerColumn: sqlReleaseDefaultOwner})
+
+	// If a namespace was specified, we only list releases from that namespace
+	if s.namespace != "" {
+		sb = sb.Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace})
+	}
+
+	query, args, err := sb.ToSql()
+	if err != nil {
+		s.Log("failed to build query: %v", err)
+		return nil, err
+	}
+
+	var records = []SQLReleaseWrapper{}
+	if err := s.db.Select(&records, query, args...); err != nil {
+		s.Log("list: failed to list: %v", err)
+		return nil, err
+	}
+
+	var releases []*rspb.Release
+	for _, record := range records {
+		release, err := decodeRelease(record.Body)
+		if err != nil {
+			s.Log("list: failed to decode release: %v: %v", record, err)
+			continue
+		}
+
+		if release.Labels, err = s.getReleaseCustomLabels(record.Key, record.Namespace); err != nil {
+			s.Log("failed to get release %s/%s custom labels: %v", record.Namespace, record.Key, err)
+			return nil, err
+		}
+		for k, v := range getReleaseSystemLabels(release) {
+			release.Labels[k] = v
+		}
+
+		if filter(release) {
+			releases = append(releases, release)
+		}
+	}
+
+	return releases, nil
+}
+
+// Query returns the set of releases that match the provided set of labels.
+func (s *SQL) Query(labels map[string]string) ([]*rspb.Release, error) {
+	sb := s.statementBuilder.
+		Select(sqlReleaseTableKeyColumn, sqlReleaseTableNamespaceColumn, sqlReleaseTableBodyColumn).
+		From(sqlReleaseTableName)
+
+	keys := make([]string, 0, len(labels))
+	for key := range labels {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+	for _, key := range keys {
+		if _, ok := labelMap[key]; ok {
+			sb = sb.Where(sq.Eq{key: labels[key]})
+		} else {
+			s.Log("unknown label %s", key)
+			return nil, fmt.Errorf("unknown label %s", key)
+		}
+	}
+
+	// If a namespace was specified, we only list releases from that namespace
+	if s.namespace != "" {
+		sb = sb.Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace})
+	}
+
+	// Build our query
+	query, args, err := sb.ToSql()
+	if err != nil {
+		s.Log("failed to build query: %v", err)
+		return nil, err
+	}
+
+	var records = []SQLReleaseWrapper{}
+	if err := s.db.Select(&records, query, args...); err != nil {
+		s.Log("list: failed to query with labels: %v", err)
+		return nil, err
+	}
+
+	if len(records) == 0 {
+		return nil, ErrReleaseNotFound
+	}
+
+	var releases []*rspb.Release
+	for _, record := range records {
+		release, err := decodeRelease(record.Body)
+		if err != nil {
+			s.Log("list: failed to decode release: %v: %v", record, err)
+			continue
+		}
+
+		if release.Labels, err = s.getReleaseCustomLabels(record.Key, record.Namespace); err != nil {
+			s.Log("failed to get release %s/%s custom labels: %v", record.Namespace, record.Key, err)
+			return nil, err
+		}
+
+		releases = append(releases, release)
+	}
+
+	if len(releases) == 0 {
+		return nil, ErrReleaseNotFound
+	}
+
+	return releases, nil
+}
+
+// Create creates a new release.
+func (s *SQL) Create(key string, rls *rspb.Release) error {
+	namespace := rls.Namespace
+	if namespace == "" {
+		namespace = defaultNamespace
+	}
+	s.namespace = namespace
+
+	body, err := encodeRelease(rls)
+	if err != nil {
+		s.Log("failed to encode release: %v", err)
+		return err
+	}
+
+	transaction, err := s.db.Beginx()
+	if err != nil {
+		s.Log("failed to start SQL transaction: %v", err)
+		return fmt.Errorf("error beginning transaction: %v", err)
+	}
+
+	insertQuery, args, err := s.statementBuilder.
+		Insert(sqlReleaseTableName).
+		Columns(
+			sqlReleaseTableKeyColumn,
+			sqlReleaseTableTypeColumn,
+			sqlReleaseTableBodyColumn,
+			sqlReleaseTableNameColumn,
+			sqlReleaseTableNamespaceColumn,
+			sqlReleaseTableVersionColumn,
+			sqlReleaseTableStatusColumn,
+			sqlReleaseTableOwnerColumn,
+			sqlReleaseTableCreatedAtColumn,
+		).
+		Values(
+			key,
+			sqlReleaseDefaultType,
+			body,
+			rls.Name,
+			namespace,
+			int(rls.Version),
+			rls.Info.Status.String(),
+			sqlReleaseDefaultOwner,
+			int(time.Now().Unix()),
+		).ToSql()
+	if err != nil {
+		s.Log("failed to build insert query: %v", err)
+		return err
+	}
+
+	if _, err := transaction.Exec(insertQuery, args...); err != nil {
+		defer transaction.Rollback()
+
+		selectQuery, args, buildErr := s.statementBuilder.
+			Select(sqlReleaseTableKeyColumn).
+			From(sqlReleaseTableName).
+			Where(sq.Eq{sqlReleaseTableKeyColumn: key}).
+			Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}).
+			ToSql()
+		if buildErr != nil {
+			s.Log("failed to build select query: %v", buildErr)
+			return err
+		}
+
+		var record SQLReleaseWrapper
+		if err := transaction.Get(&record, selectQuery, args...); err == nil {
+			s.Log("release %s already exists", key)
+			return ErrReleaseExists
+		}
+
+		s.Log("failed to store release %s in SQL database: %v", key, err)
+		return err
+	}
+
+	// Filtering labels before insert cause in SQL storage driver system releases are stored in separate columns of release table
+	for k, v := range filterSystemLabels(rls.Labels) {
+		insertLabelsQuery, args, err := s.statementBuilder.
+			Insert(sqlCustomLabelsTableName).
+			Columns(
+				sqlCustomLabelsTableReleaseKeyColumn,
+				sqlCustomLabelsTableReleaseNamespaceColumn,
+				sqlCustomLabelsTableKeyColumn,
+				sqlCustomLabelsTableValueColumn,
+			).
+			Values(
+				key,
+				namespace,
+				k,
+				v,
+			).ToSql()
+
+		if err != nil {
+			defer transaction.Rollback()
+			s.Log("failed to build insert query: %v", err)
+			return err
+		}
+
+		if _, err := transaction.Exec(insertLabelsQuery, args...); err != nil {
+			defer transaction.Rollback()
+			s.Log("failed to write Labels: %v", err)
+			return err
+		}
+	}
+	defer transaction.Commit()
+
+	return nil
+}
+
+// Update updates a release.
+func (s *SQL) Update(key string, rls *rspb.Release) error {
+	namespace := rls.Namespace
+	if namespace == "" {
+		namespace = defaultNamespace
+	}
+	s.namespace = namespace
+
+	body, err := encodeRelease(rls)
+	if err != nil {
+		s.Log("failed to encode release: %v", err)
+		return err
+	}
+
+	query, args, err := s.statementBuilder.
+		Update(sqlReleaseTableName).
+		Set(sqlReleaseTableBodyColumn, body).
+		Set(sqlReleaseTableNameColumn, rls.Name).
+		Set(sqlReleaseTableVersionColumn, int(rls.Version)).
+		Set(sqlReleaseTableStatusColumn, rls.Info.Status.String()).
+		Set(sqlReleaseTableOwnerColumn, sqlReleaseDefaultOwner).
+		Set(sqlReleaseTableModifiedAtColumn, int(time.Now().Unix())).
+		Where(sq.Eq{sqlReleaseTableKeyColumn: key}).
+		Where(sq.Eq{sqlReleaseTableNamespaceColumn: namespace}).
+		ToSql()
+
+	if err != nil {
+		s.Log("failed to build update query: %v", err)
+		return err
+	}
+
+	if _, err := s.db.Exec(query, args...); err != nil {
+		s.Log("failed to update release %s in SQL database: %v", key, err)
+		return err
+	}
+
+	return nil
+}
+
+// Delete deletes a release or returns ErrReleaseNotFound.
+func (s *SQL) Delete(key string) (*rspb.Release, error) {
+	transaction, err := s.db.Beginx()
+	if err != nil {
+		s.Log("failed to start SQL transaction: %v", err)
+		return nil, fmt.Errorf("error beginning transaction: %v", err)
+	}
+
+	selectQuery, args, err := s.statementBuilder.
+		Select(sqlReleaseTableBodyColumn).
+		From(sqlReleaseTableName).
+		Where(sq.Eq{sqlReleaseTableKeyColumn: key}).
+		Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}).
+		ToSql()
+	if err != nil {
+		s.Log("failed to build select query: %v", err)
+		return nil, err
+	}
+
+	var record SQLReleaseWrapper
+	err = transaction.Get(&record, selectQuery, args...)
+	if err != nil {
+		s.Log("release %s not found: %v", key, err)
+		return nil, ErrReleaseNotFound
+	}
+
+	release, err := decodeRelease(record.Body)
+	if err != nil {
+		s.Log("failed to decode release %s: %v", key, err)
+		transaction.Rollback()
+		return nil, err
+	}
+	defer transaction.Commit()
+
+	deleteQuery, args, err := s.statementBuilder.
+		Delete(sqlReleaseTableName).
+		Where(sq.Eq{sqlReleaseTableKeyColumn: key}).
+		Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}).
+		ToSql()
+	if err != nil {
+		s.Log("failed to build delete query: %v", err)
+		return nil, err
+	}
+
+	_, err = transaction.Exec(deleteQuery, args...)
+	if err != nil {
+		s.Log("failed perform delete query: %v", err)
+		return release, err
+	}
+
+	if release.Labels, err = s.getReleaseCustomLabels(key, s.namespace); err != nil {
+		s.Log("failed to get release %s/%s custom labels: %v", s.namespace, key, err)
+		return nil, err
+	}
+
+	deleteCustomLabelsQuery, args, err := s.statementBuilder.
+		Delete(sqlCustomLabelsTableName).
+		Where(sq.Eq{sqlCustomLabelsTableReleaseKeyColumn: key}).
+		Where(sq.Eq{sqlCustomLabelsTableReleaseNamespaceColumn: s.namespace}).
+		ToSql()
+
+	if err != nil {
+		s.Log("failed to build delete Labels query: %v", err)
+		return nil, err
+	}
+	_, err = transaction.Exec(deleteCustomLabelsQuery, args...)
+	return release, err
+}
+
+// Get release custom labels from database
+func (s *SQL) getReleaseCustomLabels(key string, _ string) (map[string]string, error) {
+	query, args, err := s.statementBuilder.
+		Select(sqlCustomLabelsTableKeyColumn, sqlCustomLabelsTableValueColumn).
+		From(sqlCustomLabelsTableName).
+		Where(sq.Eq{sqlCustomLabelsTableReleaseKeyColumn: key,
+			sqlCustomLabelsTableReleaseNamespaceColumn: s.namespace}).
+		ToSql()
+	if err != nil {
+		return nil, err
+	}
+
+	var labelsList = []SQLReleaseCustomLabelWrapper{}
+	if err := s.db.Select(&labelsList, query, args...); err != nil {
+		return nil, err
+	}
+
+	labelsMap := make(map[string]string)
+	for _, i := range labelsList {
+		labelsMap[i.Key] = i.Value
+	}
+
+	return filterSystemLabels(labelsMap), nil
+}
+
+// Rebuild system labels from release object
+func getReleaseSystemLabels(rls *rspb.Release) map[string]string {
+	return map[string]string{
+		"name":    rls.Name,
+		"owner":   sqlReleaseDefaultOwner,
+		"status":  rls.Info.Status.String(),
+		"version": strconv.Itoa(rls.Version),
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/util.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/util.go
new file mode 100644
index 0000000000..7bda5ec966
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/util.go
@@ -0,0 +1,122 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package driver // import "helm.sh/helm/v3/pkg/storage/driver"
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+)
+
+var b64 = base64.StdEncoding
+
+var magicGzip = []byte{0x1f, 0x8b, 0x08}
+
+var systemLabels = []string{"name", "owner", "status", "version", "createdAt", "modifiedAt"}
+
+// encodeRelease encodes a release returning a base64 encoded
+// gzipped string representation, or error.
+func encodeRelease(rls *rspb.Release) (string, error) {
+	b, err := json.Marshal(rls)
+	if err != nil {
+		return "", err
+	}
+	var buf bytes.Buffer
+	w, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
+	if err != nil {
+		return "", err
+	}
+	if _, err = w.Write(b); err != nil {
+		return "", err
+	}
+	w.Close()
+
+	return b64.EncodeToString(buf.Bytes()), nil
+}
+
+// decodeRelease decodes the bytes of data into a release
+// type. Data must contain a base64 encoded gzipped string of a
+// valid release, otherwise an error is returned.
+func decodeRelease(data string) (*rspb.Release, error) {
+	// base64 decode string
+	b, err := b64.DecodeString(data)
+	if err != nil {
+		return nil, err
+	}
+
+	// For backwards compatibility with releases that were stored before
+	// compression was introduced we skip decompression if the
+	// gzip magic header is not found
+	if len(b) > 3 && bytes.Equal(b[0:3], magicGzip) {
+		r, err := gzip.NewReader(bytes.NewReader(b))
+		if err != nil {
+			return nil, err
+		}
+		defer r.Close()
+		b2, err := io.ReadAll(r)
+		if err != nil {
+			return nil, err
+		}
+		b = b2
+	}
+
+	var rls rspb.Release
+	// unmarshal release object bytes
+	if err := json.Unmarshal(b, &rls); err != nil {
+		return nil, err
+	}
+	return &rls, nil
+}
+
+// Checks if label is system
+func isSystemLabel(key string) bool {
+	for _, v := range GetSystemLabels() {
+		if key == v {
+			return true
+		}
+	}
+	return false
+}
+
+// Removes system labels from labels map
+func filterSystemLabels(lbs map[string]string) map[string]string {
+	result := make(map[string]string)
+	for k, v := range lbs {
+		if !isSystemLabel(k) {
+			result[k] = v
+		}
+	}
+	return result
+}
+
+// Checks if labels array contains system labels
+func ContainsSystemLabels(lbs map[string]string) bool {
+	for k := range lbs {
+		if isSystemLabel(k) {
+			return true
+		}
+	}
+	return false
+}
+
+func GetSystemLabels() []string {
+	return systemLabels
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/storage/storage.go b/vendor/helm.sh/helm/v3/pkg/storage/storage.go
new file mode 100644
index 0000000000..0da0688fd6
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/storage/storage.go
@@ -0,0 +1,266 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storage // import "helm.sh/helm/v3/pkg/storage"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	rspb "helm.sh/helm/v3/pkg/release"
+	relutil "helm.sh/helm/v3/pkg/releaseutil"
+	"helm.sh/helm/v3/pkg/storage/driver"
+)
+
+// HelmStorageType is the type field of the Kubernetes storage object which stores the Helm release
+// version. It is modified slightly replacing the '/': sh.helm/release.v1
+// Note: The version 'v1' is incremented if the release object metadata is
+// modified between major releases.
+// This constant is used as a prefix for the Kubernetes storage object name.
+const HelmStorageType = "sh.helm.release.v1"
+
+// Storage represents a storage engine for a Release.
+type Storage struct {
+	driver.Driver
+
+	// MaxHistory specifies the maximum number of historical releases that will
+	// be retained, including the most recent release. Values of 0 or less are
+	// ignored (meaning no limits are imposed).
+	MaxHistory int
+
+	Log func(string, ...interface{})
+}
+
+// Get retrieves the release from storage. An error is returned
+// if the storage driver failed to fetch the release, or the
+// release identified by the key, version pair does not exist.
+func (s *Storage) Get(name string, version int) (*rspb.Release, error) {
+	s.Log("getting release %q", makeKey(name, version))
+	return s.Driver.Get(makeKey(name, version))
+}
+
+// Create creates a new storage entry holding the release. An
+// error is returned if the storage driver fails to store the
+// release, or a release with an identical key already exists.
+func (s *Storage) Create(rls *rspb.Release) error {
+	s.Log("creating release %q", makeKey(rls.Name, rls.Version))
+	if s.MaxHistory > 0 {
+		// Want to make space for one more release.
+		if err := s.removeLeastRecent(rls.Name, s.MaxHistory-1); err != nil &&
+			!errors.Is(err, driver.ErrReleaseNotFound) {
+			return err
+		}
+	}
+	return s.Driver.Create(makeKey(rls.Name, rls.Version), rls)
+}
+
+// Update updates the release in storage. An error is returned if the
+// storage backend fails to update the release or if the release
+// does not exist.
+func (s *Storage) Update(rls *rspb.Release) error {
+	s.Log("updating release %q", makeKey(rls.Name, rls.Version))
+	return s.Driver.Update(makeKey(rls.Name, rls.Version), rls)
+}
+
+// Delete deletes the release from storage. An error is returned if
+// the storage backend fails to delete the release or if the release
+// does not exist.
+func (s *Storage) Delete(name string, version int) (*rspb.Release, error) {
+	s.Log("deleting release %q", makeKey(name, version))
+	return s.Driver.Delete(makeKey(name, version))
+}
+
+// ListReleases returns all releases from storage. An error is returned if the
+// storage backend fails to retrieve the releases.
+func (s *Storage) ListReleases() ([]*rspb.Release, error) {
+	s.Log("listing all releases in storage")
+	return s.Driver.List(func(_ *rspb.Release) bool { return true })
+}
+
+// ListUninstalled returns all releases with Status == UNINSTALLED. An error is returned
+// if the storage backend fails to retrieve the releases.
+func (s *Storage) ListUninstalled() ([]*rspb.Release, error) {
+	s.Log("listing uninstalled releases in storage")
+	return s.Driver.List(func(rls *rspb.Release) bool {
+		return relutil.StatusFilter(rspb.StatusUninstalled).Check(rls)
+	})
+}
+
+// ListDeployed returns all releases with Status == DEPLOYED. An error is returned
+// if the storage backend fails to retrieve the releases.
+func (s *Storage) ListDeployed() ([]*rspb.Release, error) {
+	s.Log("listing all deployed releases in storage")
+	return s.Driver.List(func(rls *rspb.Release) bool {
+		return relutil.StatusFilter(rspb.StatusDeployed).Check(rls)
+	})
+}
+
+// Deployed returns the last deployed release with the provided release name, or
+// returns driver.NewErrNoDeployedReleases if not found.
+func (s *Storage) Deployed(name string) (*rspb.Release, error) {
+	ls, err := s.DeployedAll(name)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(ls) == 0 {
+		return nil, driver.NewErrNoDeployedReleases(name)
+	}
+
+	// If executed concurrently, Helm's database gets corrupted
+	// and multiple releases are DEPLOYED. Take the latest.
+	relutil.Reverse(ls, relutil.SortByRevision)
+
+	return ls[0], nil
+}
+
+// DeployedAll returns all deployed releases with the provided name, or
+// returns driver.NewErrNoDeployedReleases if not found.
+func (s *Storage) DeployedAll(name string) ([]*rspb.Release, error) {
+	s.Log("getting deployed releases from %q history", name)
+
+	ls, err := s.Driver.Query(map[string]string{
+		"name":   name,
+		"owner":  "helm",
+		"status": "deployed",
+	})
+	if err == nil {
+		return ls, nil
+	}
+	if strings.Contains(err.Error(), "not found") {
+		return nil, driver.NewErrNoDeployedReleases(name)
+	}
+	return nil, err
+}
+
+// History returns the revision history for the release with the provided name, or
+// returns driver.ErrReleaseNotFound if no such release name exists.
+func (s *Storage) History(name string) ([]*rspb.Release, error) {
+	s.Log("getting release history for %q", name)
+
+	return s.Driver.Query(map[string]string{"name": name, "owner": "helm"})
+}
+
+// removeLeastRecent removes items from history until the length number of releases
+// does not exceed max.
+//
+// We allow max to be set explicitly so that calling functions can "make space"
+// for the new records they are going to write.
+func (s *Storage) removeLeastRecent(name string, max int) error {
+	if max < 0 {
+		return nil
+	}
+	h, err := s.History(name)
+	if err != nil {
+		return err
+	}
+	if len(h) <= max {
+		return nil
+	}
+
+	// We want oldest to newest
+	relutil.SortByRevision(h)
+
+	lastDeployed, err := s.Deployed(name)
+	if err != nil && !errors.Is(err, driver.ErrNoDeployedReleases) {
+		return err
+	}
+
+	var toDelete []*rspb.Release
+	for _, rel := range h {
+		// once we have enough releases to delete to reach the max, stop
+		if len(h)-len(toDelete) == max {
+			break
+		}
+		if lastDeployed != nil {
+			if rel.Version != lastDeployed.Version {
+				toDelete = append(toDelete, rel)
+			}
+		} else {
+			toDelete = append(toDelete, rel)
+		}
+	}
+
+	// Delete as many as possible. In the case of API throughput limitations,
+	// multiple invocations of this function will eventually delete them all.
+	errs := []error{}
+	for _, rel := range toDelete {
+		err = s.deleteReleaseVersion(name, rel.Version)
+		if err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	s.Log("Pruned %d record(s) from %s with %d error(s)", len(toDelete), name, len(errs))
+	switch c := len(errs); c {
+	case 0:
+		return nil
+	case 1:
+		return errs[0]
+	default:
+		return errors.Errorf("encountered %d deletion errors. First is: %s", c, errs[0])
+	}
+}
+
+func (s *Storage) deleteReleaseVersion(name string, version int) error {
+	key := makeKey(name, version)
+	_, err := s.Delete(name, version)
+	if err != nil {
+		s.Log("error pruning %s from release history: %s", key, err)
+		return err
+	}
+	return nil
+}
+
+// Last fetches the last revision of the named release.
+func (s *Storage) Last(name string) (*rspb.Release, error) {
+	s.Log("getting last revision of %q", name)
+	h, err := s.History(name)
+	if err != nil {
+		return nil, err
+	}
+	if len(h) == 0 {
+		return nil, errors.Errorf("no revision for release %q", name)
+	}
+
+	relutil.Reverse(h, relutil.SortByRevision)
+	return h[0], nil
+}
+
+// makeKey concatenates the Kubernetes storage object type, a release name and version
+// into a string with format:```<helm_storage_type>.<release_name>.v<release_version>```.
+// The storage type is prepended to keep name uniqueness between different
+// release storage types. An example of clash when not using the type:
+// https://github.com/helm/helm/issues/6435.
+// This key is used to uniquely identify storage objects.
+func makeKey(rlsname string, version int) string {
+	return fmt.Sprintf("%s.%s.v%d", HelmStorageType, rlsname, version)
+}
+
+// Init initializes a new storage backend with the driver d.
+// If d is nil, the default in-memory driver is used.
+func Init(d driver.Driver) *Storage {
+	// default driver is in memory
+	if d == nil {
+		d = driver.NewMemory()
+	}
+	return &Storage{
+		Driver: d,
+		Log:    func(_ string, _ ...interface{}) {},
+	}
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime.go b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime.go
new file mode 100644
index 0000000000..63a41c0bf4
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime.go
@@ -0,0 +1,29 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package ctime
+
+import (
+	"os"
+	"time"
+)
+
+func Created(fi os.FileInfo) time.Time {
+	return modified(fi)
+}
+
+func Modified(fi os.FileInfo) time.Time {
+	return modified(fi)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_linux.go b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_linux.go
new file mode 100644
index 0000000000..d8a6ea1a17
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_linux.go
@@ -0,0 +1,30 @@
+//go:build linux
+
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package ctime
+
+import (
+	"os"
+	"syscall"
+	"time"
+)
+
+func modified(fi os.FileInfo) time.Time {
+	st := fi.Sys().(*syscall.Stat_t)
+	//nolint
+	return time.Unix(int64(st.Mtim.Sec), int64(st.Mtim.Nsec))
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_other.go b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_other.go
new file mode 100644
index 0000000000..12afc6df2e
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_other.go
@@ -0,0 +1,27 @@
+//go:build !linux
+
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package ctime
+
+import (
+	"os"
+	"time"
+)
+
+func modified(fi os.FileInfo) time.Time {
+	return fi.ModTime()
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/time/time.go b/vendor/helm.sh/helm/v3/pkg/time/time.go
new file mode 100644
index 0000000000..1abe8ae3d8
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/time/time.go
@@ -0,0 +1,91 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package time contains a wrapper for time.Time in the standard library and
+// associated methods. This package mainly exists to work around an issue in Go
+// where the serializer doesn't omit an empty value for time:
+// https://github.com/golang/go/issues/11939. As such, this can be removed if a
+// proposal is ever accepted for Go
+package time
+
+import (
+	"bytes"
+	"time"
+)
+
+// emptyString contains an empty JSON string value to be used as output
+var emptyString = `""`
+
+// Time is a convenience wrapper around stdlib time, but with different
+// marshalling and unmarshaling for zero values
+type Time struct {
+	time.Time
+}
+
+// Now returns the current time. It is a convenience wrapper around time.Now()
+func Now() Time {
+	return Time{time.Now()}
+}
+
+func (t Time) MarshalJSON() ([]byte, error) {
+	if t.Time.IsZero() {
+		return []byte(emptyString), nil
+	}
+
+	return t.Time.MarshalJSON()
+}
+
+func (t *Time) UnmarshalJSON(b []byte) error {
+	if bytes.Equal(b, []byte("null")) {
+		return nil
+	}
+	// If it is empty, we don't have to set anything since time.Time is not a
+	// pointer and will be set to the zero value
+	if bytes.Equal([]byte(emptyString), b) {
+		return nil
+	}
+
+	return t.Time.UnmarshalJSON(b)
+}
+
+func Parse(layout, value string) (Time, error) {
+	t, err := time.Parse(layout, value)
+	return Time{Time: t}, err
+}
+func ParseInLocation(layout, value string, loc *time.Location) (Time, error) {
+	t, err := time.ParseInLocation(layout, value, loc)
+	return Time{Time: t}, err
+}
+
+func Date(year int, month time.Month, day, hour, min, sec, nsec int, loc *time.Location) Time {
+	return Time{Time: time.Date(year, month, day, hour, min, sec, nsec, loc)}
+}
+
+func Unix(sec int64, nsec int64) Time { return Time{Time: time.Unix(sec, nsec)} }
+
+func (t Time) Add(d time.Duration) Time { return Time{Time: t.Time.Add(d)} }
+func (t Time) AddDate(years int, months int, days int) Time {
+	return Time{Time: t.Time.AddDate(years, months, days)}
+}
+func (t Time) After(u Time) bool             { return t.Time.After(u.Time) }
+func (t Time) Before(u Time) bool            { return t.Time.Before(u.Time) }
+func (t Time) Equal(u Time) bool             { return t.Time.Equal(u.Time) }
+func (t Time) In(loc *time.Location) Time    { return Time{Time: t.Time.In(loc)} }
+func (t Time) Local() Time                   { return Time{Time: t.Time.Local()} }
+func (t Time) Round(d time.Duration) Time    { return Time{Time: t.Time.Round(d)} }
+func (t Time) Sub(u Time) time.Duration      { return t.Time.Sub(u.Time) }
+func (t Time) Truncate(d time.Duration) Time { return Time{Time: t.Time.Truncate(d)} }
+func (t Time) UTC() Time                     { return Time{Time: t.Time.UTC()} }
diff --git a/vendor/helm.sh/helm/v3/pkg/uploader/chart_uploader.go b/vendor/helm.sh/helm/v3/pkg/uploader/chart_uploader.go
new file mode 100644
index 0000000000..d7e9404066
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/uploader/chart_uploader.go
@@ -0,0 +1,58 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package uploader
+
+import (
+	"fmt"
+	"io"
+	"net/url"
+
+	"github.com/pkg/errors"
+
+	"helm.sh/helm/v3/pkg/pusher"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+// ChartUploader handles uploading a chart.
+type ChartUploader struct {
+	// Out is the location to write warning and info messages.
+	Out io.Writer
+	// Pusher collection for the operation
+	Pushers pusher.Providers
+	// Options provide parameters to be passed along to the Pusher being initialized.
+	Options []pusher.Option
+	// RegistryClient is a client for interacting with registries.
+	RegistryClient *registry.Client
+}
+
+// UploadTo uploads a chart. Depending on the settings, it may also upload a provenance file.
+func (c *ChartUploader) UploadTo(ref, remote string) error {
+	u, err := url.Parse(remote)
+	if err != nil {
+		return errors.Errorf("invalid chart URL format: %s", remote)
+	}
+
+	if u.Scheme == "" {
+		return fmt.Errorf("scheme prefix missing from remote (e.g. \"%s://\")", registry.OCIScheme)
+	}
+
+	p, err := c.Pushers.ByScheme(u.Scheme)
+	if err != nil {
+		return err
+	}
+
+	return p.Push(ref, u.String(), c.Options...)
+}
diff --git a/vendor/helm.sh/helm/v3/pkg/uploader/doc.go b/vendor/helm.sh/helm/v3/pkg/uploader/doc.go
new file mode 100644
index 0000000000..112ddbf2ce
--- /dev/null
+++ b/vendor/helm.sh/helm/v3/pkg/uploader/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package uploader provides a library for uploading charts.
+
+This package contains tools for uploading charts to registries.
+*/
+package uploader
diff --git a/vendor/istio.io/istio/LICENSE b/vendor/istio.io/istio/LICENSE
new file mode 100644
index 0000000000..75bfd113b3
--- /dev/null
+++ b/vendor/istio.io/istio/LICENSE
@@ -0,0 +1,202 @@
+
+                                Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/istio.io/istio/pkg/log/config.go b/vendor/istio.io/istio/pkg/log/config.go
new file mode 100644
index 0000000000..43b5bec76f
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/log/config.go
@@ -0,0 +1,420 @@
+// Copyright 2017 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package log provides the canonical logging functionality used by Go-based
+// Istio components.
+//
+// Istio's logging subsystem is built on top of the [Zap](https://godoc.org/go.uber.org/zap) package.
+// High performance scenarios should use the Error, Warn, Info, and Debug methods. Lower perf
+// scenarios can use the more expensive convenience methods such as Debugf and Warnw.
+//
+// The package provides direct integration with the Cobra command-line processor which makes it
+// easy to build programs that use a consistent interface for logging. Here's an example
+// of a simple Cobra-based program using this log package:
+//
+//			func main() {
+//				// get the default logging options
+//				options := log.DefaultOptions()
+//
+//				rootCmd := &cobra.Command{
+//					Run: func(cmd *cobra.Command, args []string) {
+//
+//						// configure the logging system
+//						if err := log.Configure(options); err != nil {
+//	                     // print an error and quit
+//	                 }
+//
+//						// output some logs
+//						log.Info("Hello")
+//						log.Sync()
+//					},
+//				}
+//
+//				// add logging-specific flags to the cobra command
+//				options.AttachCobraFlags(rootCmd)
+//				rootCmd.SetArgs(os.Args[1:])
+//				rootCmd.Execute()
+//			}
+//
+// Once configured, this package intercepts the output of the standard golang "log" package as well as anything
+// sent to the global zap logger (zap.L()).
+package log
+
+import (
+	"os"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+	"go.uber.org/zap/zapgrpc"
+	"google.golang.org/grpc/grpclog"
+	"k8s.io/klog/v2"
+)
+
+const (
+	// none is used to disable logging output as well as to disable stack tracing.
+	none          zapcore.Level = 100
+	GrpcScopeName string        = "grpc"
+)
+
+var levelToZap = map[Level]zapcore.Level{
+	DebugLevel: zapcore.DebugLevel,
+	InfoLevel:  zapcore.InfoLevel,
+	WarnLevel:  zapcore.WarnLevel,
+	ErrorLevel: zapcore.ErrorLevel,
+	FatalLevel: zapcore.FatalLevel,
+	NoneLevel:  none,
+}
+
+var defaultEncoderConfig = zapcore.EncoderConfig{
+	TimeKey:        "time",
+	LevelKey:       "level",
+	NameKey:        "scope",
+	CallerKey:      "caller",
+	MessageKey:     "msg",
+	StacktraceKey:  "stack",
+	LineEnding:     zapcore.DefaultLineEnding,
+	EncodeLevel:    zapcore.LowercaseLevelEncoder,
+	EncodeCaller:   zapcore.ShortCallerEncoder,
+	EncodeDuration: zapcore.StringDurationEncoder,
+	EncodeTime:     formatDate,
+}
+
+// functions that can be replaced in a test setting
+type patchTable struct {
+	write       func(ent zapcore.Entry, fields []zapcore.Field) error
+	sync        func() error
+	exitProcess func(code int)
+	errorSink   zapcore.WriteSyncer
+	close       func() error
+}
+
+var (
+	// function table that can be replaced by tests
+	funcs = &atomic.Value{}
+	// controls whether all output is JSON or CLI style. This makes it easier to query how the zap encoder is configured
+	// vs. reading it's internal state.
+	useJSON atomic.Value
+)
+
+func init() {
+	// use our defaults for starters so that logging works even before everything is fully configured
+	_ = Configure(DefaultOptions())
+}
+
+// See: https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#LogSeverity
+var stackdriverSeverityMapping = map[zapcore.Level]string{
+	zapcore.DebugLevel:  "Debug",
+	zapcore.InfoLevel:   "Info",
+	zapcore.WarnLevel:   "Warning",
+	zapcore.ErrorLevel:  "Error",
+	zapcore.DPanicLevel: "Critical",
+	zapcore.FatalLevel:  "Critical",
+	zapcore.PanicLevel:  "Critical",
+}
+
+func encodeStackdriverLevel(l zapcore.Level, enc zapcore.PrimitiveArrayEncoder) {
+	enc.AppendString(stackdriverSeverityMapping[l])
+}
+
+// prepZap sets up the core Zap loggers
+func prepZap(options *Options) (zapcore.Core, func(string) zapcore.Core, zapcore.WriteSyncer, error) {
+	var enc zapcore.Encoder
+	if options.useStackdriverFormat {
+		// See also: https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
+		encCfg := zapcore.EncoderConfig{
+			TimeKey:        "timestamp",
+			LevelKey:       "severity",
+			NameKey:        "logger",
+			CallerKey:      "caller",
+			MessageKey:     "message",
+			StacktraceKey:  "stacktrace",
+			LineEnding:     zapcore.DefaultLineEnding,
+			EncodeLevel:    encodeStackdriverLevel,
+			EncodeTime:     zapcore.RFC3339NanoTimeEncoder,
+			EncodeDuration: zapcore.SecondsDurationEncoder,
+			EncodeCaller:   zapcore.ShortCallerEncoder,
+		}
+		enc = zapcore.NewJSONEncoder(encCfg)
+		useJSON.Store(true)
+	} else {
+		encCfg := defaultEncoderConfig
+
+		if options.JSONEncoding {
+			enc = zapcore.NewJSONEncoder(encCfg)
+			useJSON.Store(true)
+		} else {
+			enc = zapcore.NewConsoleEncoder(encCfg)
+			useJSON.Store(false)
+		}
+	}
+
+	errSink, closeErrorSink, err := zap.Open(options.ErrorOutputPaths...)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	var outputSink zapcore.WriteSyncer
+	if len(options.OutputPaths) > 0 {
+		outputSink, _, err = zap.Open(options.OutputPaths...)
+		if err != nil {
+			closeErrorSink()
+			return nil, nil, nil, err
+		}
+	}
+
+	alwaysOn := zapcore.NewCore(enc, outputSink, zap.NewAtomicLevelAt(zapcore.DebugLevel))
+	conditionallyOn := func(scopeName string) zapcore.Core {
+		scope := FindScope(scopeName)
+		enabler := func(lvl zapcore.Level) bool {
+			switch lvl {
+			case zapcore.ErrorLevel:
+				return scope.ErrorEnabled()
+			case zapcore.WarnLevel:
+				return scope.WarnEnabled()
+			case zapcore.InfoLevel:
+				return scope.InfoEnabled()
+			}
+			return scope.DebugEnabled()
+		}
+		return zapcore.NewCore(enc, outputSink, zap.LevelEnablerFunc(enabler))
+	}
+	return alwaysOn,
+		conditionallyOn,
+		errSink, nil
+}
+
+func formatDate(t time.Time, enc zapcore.PrimitiveArrayEncoder) {
+	t = t.UTC()
+	year, month, day := t.Date()
+	hour, minute, second := t.Clock()
+	micros := t.Nanosecond() / 1000
+
+	buf := make([]byte, 27)
+
+	buf[0] = byte((year/1000)%10) + '0'
+	buf[1] = byte((year/100)%10) + '0'
+	buf[2] = byte((year/10)%10) + '0'
+	buf[3] = byte(year%10) + '0'
+	buf[4] = '-'
+	buf[5] = byte((month)/10) + '0'
+	buf[6] = byte((month)%10) + '0'
+	buf[7] = '-'
+	buf[8] = byte((day)/10) + '0'
+	buf[9] = byte((day)%10) + '0'
+	buf[10] = 'T'
+	buf[11] = byte((hour)/10) + '0'
+	buf[12] = byte((hour)%10) + '0'
+	buf[13] = ':'
+	buf[14] = byte((minute)/10) + '0'
+	buf[15] = byte((minute)%10) + '0'
+	buf[16] = ':'
+	buf[17] = byte((second)/10) + '0'
+	buf[18] = byte((second)%10) + '0'
+	buf[19] = '.'
+	buf[20] = byte((micros/100000)%10) + '0'
+	buf[21] = byte((micros/10000)%10) + '0'
+	buf[22] = byte((micros/1000)%10) + '0'
+	buf[23] = byte((micros/100)%10) + '0'
+	buf[24] = byte((micros/10)%10) + '0'
+	buf[25] = byte((micros)%10) + '0'
+	buf[26] = 'Z'
+
+	enc.AppendString(string(buf))
+}
+
+func updateScopes(options *Options) error {
+	// snapshot what's there
+	allScopes := Scopes()
+
+	// Join defaultOutputLevels and outputLevels
+	levels := options.defaultOutputLevels
+	if levels == "" {
+		levels = options.outputLevels
+	} else if options.outputLevels != "" {
+		levels = levels + "," + options.outputLevels
+	}
+
+	// update the output levels of all listed scopes
+	if err := processLevels(allScopes, levels, func(s *Scope, l Level) { s.SetOutputLevel(l) }); err != nil {
+		return err
+	}
+
+	// update the stack tracing levels of all listed scopes
+	if err := processLevels(allScopes, options.stackTraceLevels, func(s *Scope, l Level) { s.SetStackTraceLevel(l) }); err != nil {
+		return err
+	}
+
+	// update the caller location setting of all listed scopes
+	sc := strings.Split(options.logCallers, ",")
+	for _, s := range sc {
+		if s == "" {
+			continue
+		}
+
+		if s == OverrideScopeName {
+			// ignore everything else and just apply the override value
+			for _, scope := range allScopes {
+				scope.SetLogCallers(true)
+			}
+		}
+
+		if scope, ok := allScopes[s]; ok {
+			scope.SetLogCallers(true)
+		}
+	}
+
+	// If gRPC logging is enabled, turn on gRPC logging automatically
+	if grpcScope.GetOutputLevel() != NoneLevel {
+		options.logGRPC = true
+	}
+
+	return nil
+}
+
+// processLevels breaks down an argument string into a set of scope & levels and then
+// tries to apply the result to the scopes. It supports the use of a global override.
+func processLevels(allScopes map[string]*Scope, arg string, setter func(*Scope, Level)) error {
+	levels := strings.Split(arg, ",")
+	for _, sl := range levels {
+		s, l, err := convertScopedLevel(sl)
+		if err != nil {
+			return err
+		}
+
+		if scope, ok := allScopes[s]; ok {
+			setter(scope, l)
+		} else if s == OverrideScopeName {
+			// override replaces everything
+			for _, scope := range allScopes {
+				setter(scope, l)
+			}
+		}
+	}
+
+	return nil
+}
+
+// Configure initializes Istio's logging subsystem.
+//
+// You typically call this once at process startup.
+// Once this call returns, the logging system is ready to accept data.
+// nolint: staticcheck
+func Configure(options *Options) error {
+	if err := updateScopes(options); err != nil {
+		return err
+	}
+	baseLogger, logBuilder, errSink, err := prepZap(options)
+	if err != nil {
+		return err
+	}
+	defaultLogger := logBuilder(DefaultScopeName)
+	allLoggers := []*zapcore.Core{&baseLogger, &defaultLogger}
+
+	var grpcLogger zapcore.Core
+	if options.logGRPC {
+		grpcLogger = logBuilder(GrpcScopeName)
+		allLoggers = append(allLoggers, &grpcLogger)
+	}
+
+	closeFns := make([]func() error, 0)
+
+	for _, ext := range options.extensions {
+		for _, logger := range allLoggers {
+			newLogger, closeFn, err := ext(*logger)
+			if err != nil {
+				return err
+			}
+			*logger = newLogger
+			closeFns = append(closeFns, closeFn)
+		}
+	}
+
+	pt := patchTable{
+		write: func(ent zapcore.Entry, fields []zapcore.Field) error {
+			err := baseLogger.Write(ent, fields)
+			if ent.Level == zapcore.FatalLevel {
+				funcs.Load().(patchTable).exitProcess(1)
+			}
+
+			return err
+		},
+		sync:        baseLogger.Sync,
+		exitProcess: os.Exit,
+		errorSink:   errSink,
+		close: func() error {
+			// best-effort to sync
+			baseLogger.Sync() // nolint: errcheck
+			for _, f := range closeFns {
+				if err := f(); err != nil {
+					return err
+				}
+			}
+			return nil
+		},
+	}
+	funcs.Store(pt)
+
+	opts := []zap.Option{
+		zap.ErrorOutput(errSink),
+		zap.AddCallerSkip(1),
+	}
+
+	if defaultScope.GetLogCallers() {
+		opts = append(opts, zap.AddCaller())
+	}
+
+	l := defaultScope.GetStackTraceLevel()
+	if l != NoneLevel {
+		opts = append(opts, zap.AddStacktrace(levelToZap[l]))
+	}
+
+	defaultZapLogger := zap.New(defaultLogger, opts...)
+
+	// capture global zap logging and force it through our logger
+	_ = zap.ReplaceGlobals(defaultZapLogger)
+
+	// capture standard golang "log" package output and force it through our logger
+	_ = zap.RedirectStdLog(defaultZapLogger)
+
+	// capture gRPC logging
+	if options.logGRPC {
+		grpclog.SetLoggerV2(zapgrpc.NewLogger(zap.New(grpcLogger, opts...).WithOptions(zap.AddCallerSkip(3))))
+	}
+
+	// capture klog (Kubernetes logging) through our logging
+	configureKlog.Do(func() {
+		klog.SetLogger(NewLogrAdapter(KlogScope))
+	})
+	// --vklog is non zero then KlogScope should be increased.
+	// klog is a special case.
+	if klogVerbose() {
+		KlogScope.SetOutputLevel(DebugLevel)
+	}
+
+	return nil
+}
+
+// Sync flushes any buffered log entries.
+// Processes should normally take care to call Sync before exiting.
+func Sync() error {
+	return funcs.Load().(patchTable).sync()
+}
+
+// Close implements io.Closer.
+func Close() error {
+	return funcs.Load().(patchTable).close()
+}
diff --git a/vendor/istio.io/istio/pkg/log/default.go b/vendor/istio.io/istio/pkg/log/default.go
new file mode 100644
index 0000000000..d8debf8d7e
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/log/default.go
@@ -0,0 +1,105 @@
+// Copyright 2017 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package log
+
+// These functions enable logging using a global Scope. See scope.go for usage information.
+
+func registerDefaultScopes() (defaults *Scope, grpc *Scope) {
+	return registerScope(DefaultScopeName, "Unscoped logging messages.", 1),
+		registerScope(GrpcScopeName, "logs from gRPC", 3)
+}
+
+var defaultScope, grpcScope = registerDefaultScopes()
+
+// Fatal outputs a message at fatal level.
+func Fatal(fields any) {
+	defaultScope.Fatal(fields)
+}
+
+// Fatalf uses fmt.Sprintf to construct and log a message at fatal level.
+func Fatalf(format string, args ...any) {
+	defaultScope.Fatalf(format, args...)
+}
+
+// FatalEnabled returns whether output of messages using this scope is currently enabled for fatal-level output.
+func FatalEnabled() bool {
+	return defaultScope.FatalEnabled()
+}
+
+// Error outputs a message at error level.
+func Error(fields any) {
+	defaultScope.Error(fields)
+}
+
+// Errorf uses fmt.Sprintf to construct and log a message at error level.
+func Errorf(format string, args ...any) {
+	defaultScope.Errorf(format, args...)
+}
+
+// ErrorEnabled returns whether output of messages using this scope is currently enabled for error-level output.
+func ErrorEnabled() bool {
+	return defaultScope.ErrorEnabled()
+}
+
+// Warn outputs a message at warn level.
+func Warn(fields any) {
+	defaultScope.Warn(fields)
+}
+
+// Warnf uses fmt.Sprintf to construct and log a message at warn level.
+func Warnf(format string, args ...any) {
+	defaultScope.Warnf(format, args...)
+}
+
+// WarnEnabled returns whether output of messages using this scope is currently enabled for warn-level output.
+func WarnEnabled() bool {
+	return defaultScope.WarnEnabled()
+}
+
+// Info outputs a message at info level.
+func Info(fields any) {
+	defaultScope.Info(fields)
+}
+
+// Infof uses fmt.Sprintf to construct and log a message at info level.
+func Infof(format string, args ...any) {
+	defaultScope.Infof(format, args...)
+}
+
+// InfoEnabled returns whether output of messages using this scope is currently enabled for info-level output.
+func InfoEnabled() bool {
+	return defaultScope.InfoEnabled()
+}
+
+// Debug outputs a message at debug level.
+func Debug(fields any) {
+	defaultScope.Debug(fields)
+}
+
+// Debugf uses fmt.Sprintf to construct and log a message at debug level.
+func Debugf(format string, args ...any) {
+	defaultScope.Debugf(format, args...)
+}
+
+// DebugEnabled returns whether output of messages using this scope is currently enabled for debug-level output.
+func DebugEnabled() bool {
+	return defaultScope.DebugEnabled()
+}
+
+// WithLabels adds a key-value pairs to the labels in s. The key must be a string, while the value may be any type.
+// It returns a copy of the default scope, with the labels added.
+func WithLabels(kvlist ...any) *Scope {
+	return defaultScope.WithLabels(kvlist...)
+}
diff --git a/vendor/istio.io/istio/pkg/log/klog.go b/vendor/istio.io/istio/pkg/log/klog.go
new file mode 100644
index 0000000000..f2b502d111
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/log/klog.go
@@ -0,0 +1,76 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package log
+
+import (
+	goflag "flag"
+	"fmt"
+	"sync"
+
+	"github.com/spf13/pflag"
+	"k8s.io/klog/v2"
+)
+
+var (
+	KlogScope     = RegisterScope("klog", "")
+	configureKlog = sync.Once{}
+)
+
+// EnableKlogWithCobra enables klog to work with cobra / pflags.
+// k8s libraries like client-go use klog.
+func EnableKlogWithCobra() {
+	gf := klogVerboseFlag()
+	pflag.CommandLine.AddFlag(pflag.PFlagFromGoFlag(
+		&goflag.Flag{
+			Name:     "vklog",
+			Value:    gf.Value,
+			DefValue: gf.DefValue,
+			Usage:    gf.Usage + ". Like -v flag. ex: --vklog=9",
+		}))
+}
+
+// EnableKlogWithCobra enables klog to work with go flags.
+// k8s libraries like client-go use klog.
+func EnableKlogWithGoFlag() {
+	gf := klogVerboseFlag()
+	goflag.CommandLine.Var(gf.Value, "vklog", gf.Usage+". Like -v flag. ex: --vklog=9")
+}
+
+// isKlogVerbose returns true if klog verbosity is non-zero.
+func klogVerbose() bool {
+	gf := klogVerboseFlag()
+	return gf.Value.String() != "0"
+}
+
+var (
+	klogFlagSet     = &goflag.FlagSet{}
+	klogFlagSetOnce = sync.Once{}
+)
+
+// KlogVerboseFlag returns verbose flag from the klog library.
+// After parsing it contains the parsed verbosity value.
+func klogVerboseFlag() *goflag.Flag {
+	klogFlagSetOnce.Do(func() {
+		klog.InitFlags(klogFlagSet)
+	})
+	// --v= flag of klog.
+	return klogFlagSet.Lookup("v")
+}
+
+// EnableKlogWithVerbosity sets the klog verbosity directly.
+// When using in an application, EnableKlogWithCobra is preferred to expose a --vklog flag.
+func EnableKlogWithVerbosity(v int) {
+	_ = klogFlagSet.Set("v", fmt.Sprint(v))
+}
diff --git a/vendor/istio.io/istio/pkg/log/logr.go b/vendor/istio.io/istio/pkg/log/logr.go
new file mode 100644
index 0000000000..b63edcacbf
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/log/logr.go
@@ -0,0 +1,103 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package log
+
+import (
+	"fmt"
+
+	"github.com/go-logr/logr"
+)
+
+// zapLogger is a logr.Logger that uses Zap to log. This is needed to get
+// libraries, namely Kubernetes/klog, that use logr, to use our standard logging.
+// This enables standard formatting, scope filtering, and options. The logr
+// interface does not have a concept of Debug/Info/Warn/Error as we do. Instead,
+// logging is based on Verbosity levels, where 0 is the most important. We treat
+// levels 0-3 as info level and 4+ as debug; there are no warnings. This
+// threshold is fairly arbitrary based on inspection of Kubernetes usage and
+// https://kubernetes.io/docs/reference/kubectl/cheatsheet/#kubectl-output-verbosity-and-debugging.
+// Errors are passed through as errors.
+// Zap does come with its own logr implementation, but we have chosen to re-implement to allow usage of
+// our Scope - in particular, this allows changing the logging level of kubernetes logs by users.
+type zapLogger struct {
+	l *Scope
+}
+
+const debugLevelThreshold = 3
+
+func (zl *zapLogger) Enabled(level int) bool {
+	if level > debugLevelThreshold {
+		return zl.l.DebugEnabled()
+	}
+	return zl.l.InfoEnabled()
+}
+
+// Logs will come in with newlines, but our logger auto appends newline
+func trimNewline(msg string) string {
+	if len(msg) == 0 {
+		return msg
+	}
+	lc := len(msg) - 1
+	if msg[lc] == '\n' {
+		return msg[:lc]
+	}
+	return msg
+}
+
+func (zl *zapLogger) Init(logr.RuntimeInfo) {
+}
+
+func (zl *zapLogger) Info(level int, msg string, keysAndVals ...any) {
+	if level > debugLevelThreshold {
+		zl.l.WithLabels(keysAndVals...).Debug(trimNewline(msg))
+	} else {
+		zl.l.WithLabels(keysAndVals...).Info(trimNewline(msg))
+	}
+}
+
+func (zl *zapLogger) Error(err error, msg string, keysAndVals ...any) {
+	if zl.l.ErrorEnabled() {
+		if err == nil {
+			zl.l.WithLabels(keysAndVals...).Error(trimNewline(msg))
+		} else {
+			zl.l.WithLabels(keysAndVals...).Error(fmt.Sprintf("%v: %s", err.Error(), msg))
+		}
+	}
+}
+
+func (zl *zapLogger) V(int) logr.Logger {
+	zlog := &zapLogger{
+		l: zl.l,
+	}
+
+	return logr.New(zlog)
+}
+
+func (zl *zapLogger) WithValues(keysAndValues ...any) logr.LogSink {
+	return NewLogrAdapter(zl.l.WithLabels(keysAndValues...)).GetSink()
+}
+
+func (zl *zapLogger) WithName(string) logr.LogSink {
+	return zl
+}
+
+// NewLogrAdapter creates a new logr.Logger using the given Zap Logger to log.
+func NewLogrAdapter(l *Scope) logr.Logger {
+	zlog := &zapLogger{
+		l: l,
+	}
+
+	return logr.New(zlog)
+}
diff --git a/vendor/istio.io/istio/pkg/log/options.go b/vendor/istio.io/istio/pkg/log/options.go
new file mode 100644
index 0000000000..d3958fb0c3
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/log/options.go
@@ -0,0 +1,276 @@
+// Copyright 2017 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package log
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"go.uber.org/zap/zapcore"
+)
+
+const (
+	DefaultScopeName       = "default"
+	OverrideScopeName      = "all"
+	defaultOutputLevel     = InfoLevel
+	defaultStackTraceLevel = NoneLevel
+	defaultOutputPath      = "stdout"
+	defaultErrorOutputPath = "stderr"
+)
+
+// Level is an enumeration of all supported log levels.
+type Level int
+
+const (
+	// NoneLevel disables logging
+	NoneLevel Level = iota
+	// FatalLevel enables fatal level logging
+	FatalLevel
+	// ErrorLevel enables error level logging
+	ErrorLevel
+	// WarnLevel enables warn level logging
+	WarnLevel
+	// InfoLevel enables info level logging
+	InfoLevel
+	// DebugLevel enables debug level logging
+	DebugLevel
+)
+
+var levelToString = map[Level]string{
+	DebugLevel: "debug",
+	InfoLevel:  "info",
+	WarnLevel:  "warn",
+	ErrorLevel: "error",
+	FatalLevel: "fatal",
+	NoneLevel:  "none",
+}
+
+var stringToLevel = map[string]Level{
+	"debug": DebugLevel,
+	"info":  InfoLevel,
+	"warn":  WarnLevel,
+	"error": ErrorLevel,
+	"fatal": FatalLevel,
+	"none":  NoneLevel,
+}
+
+func StringToLevel(level string) Level {
+	return stringToLevel[level]
+}
+
+func LevelToString(level Level) string {
+	return levelToString[level]
+}
+
+// Options defines the set of options supported by Istio's component logging package.
+type Options struct {
+	// OutputPaths is a list of file system paths to write the log data to.
+	// The special values stdout and stderr can be used to output to the
+	// standard I/O streams. This defaults to stdout.
+	OutputPaths []string
+
+	// ErrorOutputPaths is a list of file system paths to write logger errors to.
+	// The special values stdout and stderr can be used to output to the
+	// standard I/O streams. This defaults to stderr.
+	ErrorOutputPaths []string
+
+	// JSONEncoding controls whether the log is formatted as JSON.
+	JSONEncoding bool
+
+	// logGRPC indicates that Grpc logs should be captured.
+	// This is enabled by a --log_output_level=grpc:<level> typically
+	logGRPC bool
+
+	outputLevels        string
+	defaultOutputLevels string
+	logCallers          string
+	stackTraceLevels    string
+
+	useStackdriverFormat bool
+	extensions           []Extension
+}
+
+// DefaultOptions returns a new set of options, initialized to the defaults
+func DefaultOptions() *Options {
+	return &Options{
+		OutputPaths:          []string{defaultOutputPath},
+		ErrorOutputPaths:     []string{defaultErrorOutputPath},
+		defaultOutputLevels:  "default:info,grpc:none",
+		stackTraceLevels:     DefaultScopeName + ":" + levelToString[defaultStackTraceLevel],
+		logGRPC:              false,
+		useStackdriverFormat: false,
+	}
+}
+
+// WithStackdriverLoggingFormat configures logging output to match Stackdriver structured logging conventions.
+func (o *Options) WithStackdriverLoggingFormat() *Options {
+	o.useStackdriverFormat = true
+	return o
+}
+
+// WithTeeToUDS configures a parallel logging pipeline that writes logs to a server over UDS.
+// addr is the socket that the server listens on, and path is the HTTP path that process the log message.
+func (o *Options) WithTeeToUDS(addr, path string) *Options {
+	return o.WithExtension(func(c zapcore.Core) (zapcore.Core, func() error, error) {
+		return teeToUDSServer(c, addr, path), func() error { return nil }, nil
+	})
+}
+
+// WithTeeToRolling configures a parallel logging pipeline that writes logs to a local rolling log of fixed size.
+// This is mainly used by the CNI plugin, and so the size and rollover is intentionally kept small.
+// rollingPath is the path the rolling log(s) will be written to.
+func (o *Options) WithTeeToRollingLocal(rollingPath string, maxSizeInMB int) *Options {
+	return o.WithExtension(func(c zapcore.Core) (zapcore.Core, func() error, error) {
+		return teeToRollingLocal(c, rollingPath, maxSizeInMB), func() error { return nil }, nil
+	})
+}
+
+// Extension provides an extension mechanism for logs.
+// This is essentially like https://pkg.go.dev/golang.org/x/exp/slog#Handler.
+// This interface should be considered unstable; we will likely swap it for slog in the future and not expose zap internals.
+// Returns a modified Core interface, and a Close() function.
+type Extension func(c zapcore.Core) (zapcore.Core, func() error, error)
+
+func (o *Options) WithExtension(e Extension) *Options {
+	o.extensions = append(o.extensions, e)
+	return o
+}
+
+// SetDefaultOutputLevel sets the minimum log output level for a given scope.
+// This can be overwritten by flags
+func (o *Options) SetDefaultOutputLevel(scope string, level Level) {
+	sl := scope + ":" + levelToString[level]
+	levels := strings.Split(o.defaultOutputLevels, ",")
+	if scope == DefaultScopeName {
+		// see if we have an entry without a scope prefix (which represents the default scope)
+		for i, ol := range levels {
+			if !strings.Contains(ol, ":") {
+				levels[i] = sl
+				o.defaultOutputLevels = strings.Join(levels, ",")
+				return
+			}
+		}
+	}
+
+	prefix := scope + ":"
+	for i, ol := range levels {
+		if strings.HasPrefix(ol, prefix) {
+			levels[i] = sl
+			o.defaultOutputLevels = strings.Join(levels, ",")
+			return
+		}
+	}
+
+	levels = append(levels, sl)
+	o.defaultOutputLevels = strings.Join(levels, ",")
+}
+
+func convertScopedLevel(sl string) (string, Level, error) {
+	var s string
+	var l string
+
+	pieces := strings.Split(sl, ":")
+	if len(pieces) == 1 {
+		s = DefaultScopeName
+		l = pieces[0]
+	} else if len(pieces) == 2 {
+		s = pieces[0]
+		l = pieces[1]
+	} else {
+		return "", NoneLevel, fmt.Errorf("invalid output level format '%s'", sl)
+	}
+
+	level, ok := stringToLevel[l]
+	if !ok {
+		return "", NoneLevel, fmt.Errorf("invalid output level '%s'", l)
+	}
+
+	return s, level, nil
+}
+
+// AttachCobraFlags attaches a set of Cobra flags to the given Cobra command.
+//
+// Cobra is the command-line processor that Istio uses. This command attaches
+// the necessary set of flags to expose a CLI to let the user control all
+// logging options.
+func (o *Options) AttachCobraFlags(cmd *cobra.Command) {
+	o.AttachFlags(
+		cmd.PersistentFlags().StringArrayVar,
+		cmd.PersistentFlags().StringVar,
+		cmd.PersistentFlags().IntVar,
+		cmd.PersistentFlags().BoolVar)
+}
+
+// AttachFlags allows attaching of flags through a set of lambda functions.
+func (o *Options) AttachFlags(
+	stringArrayVar func(p *[]string, name string, value []string, usage string),
+	stringVar func(p *string, name string, value string, usage string),
+	_ func(p *int, name string, value int, usage string),
+	boolVar func(p *bool, name string, value bool, usage string),
+) {
+	stringArrayVar(&o.OutputPaths, "log_target", o.OutputPaths,
+		"The set of paths where to output the log. This can be any path as well as the special values stdout and stderr")
+
+	boolVar(&o.JSONEncoding, "log_as_json", o.JSONEncoding,
+		"Whether to format output as JSON or in plain console-friendly format")
+
+	levelListString := fmt.Sprintf("[%s, %s, %s, %s, %s, %s]",
+		levelToString[DebugLevel],
+		levelToString[InfoLevel],
+		levelToString[WarnLevel],
+		levelToString[ErrorLevel],
+		levelToString[FatalLevel],
+		levelToString[NoneLevel])
+
+	allScopes := Scopes()
+	if len(allScopes) > 1 {
+		keys := make([]string, 0, len(allScopes))
+		for name := range allScopes {
+			keys = append(keys, name)
+		}
+		keys = append(keys, OverrideScopeName)
+		sort.Strings(keys)
+		s := strings.Join(keys, ", ")
+
+		stringVar(&o.outputLevels, "log_output_level", o.outputLevels,
+			fmt.Sprintf("Comma-separated minimum per-scope logging level of messages to output, in the form of "+
+				"<scope>:<level>,<scope>:<level>,... where scope can be one of [%s] and level can be one of %s",
+				s, levelListString))
+
+		stringVar(&o.stackTraceLevels, "log_stacktrace_level", o.stackTraceLevels,
+			fmt.Sprintf("Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of "+
+				"<scope>:<level>,<scope:level>,... where scope can be one of [%s] and level can be one of %s",
+				s, levelListString))
+
+		stringVar(&o.logCallers, "log_caller", o.logCallers,
+			fmt.Sprintf("Comma-separated list of scopes for which to include caller information, scopes can be any of [%s]", s))
+	} else {
+		stringVar(&o.outputLevels, "log_output_level", o.outputLevels,
+			fmt.Sprintf("The minimum logging level of messages to output,  can be one of %s",
+				levelListString))
+
+		stringVar(&o.stackTraceLevels, "log_stacktrace_level", o.stackTraceLevels,
+			fmt.Sprintf("The minimum logging level at which stack traces are captured, can be one of %s",
+				levelListString))
+
+		stringVar(&o.logCallers, "log_caller", o.logCallers,
+			"Comma-separated list of scopes for which to include called information, scopes can be any of [default]")
+	}
+
+	// NOTE: we don't currently expose a command-line option to control ErrorOutputPaths since it
+	// seems too esoteric.
+}
diff --git a/vendor/istio.io/istio/pkg/log/scope.go b/vendor/istio.io/istio/pkg/log/scope.go
new file mode 100644
index 0000000000..e1c9eca866
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/log/scope.go
@@ -0,0 +1,404 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package log
+
+import (
+	"fmt"
+	"runtime"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+// Scope constrains logging control to a named scope level. It gives users a fine grained control over output severity
+// threshold and stack traces.
+//
+// Scope supports structured logging using WithLabels:
+//
+//	s := RegisterScope("MyScope", "Description", 0)
+//	s = s.WithLabels("foo", "bar", "baz", 123, "qux", 0.123)
+//	s.Info("Hello")                      // <time>   info   MyScope   Hello  foo=bar baz=123 qux=0.123
+//
+// The output format can be globally configured to be JSON instead, using Options in this package.
+//
+//	e.g. <time>   info   MyScope   { "message":"Hello","foo":"bar","baz":123 }
+//
+// Scope also supports an error dictionary. The caller can pass a *structured.Error object as the first parameter
+// to any of the output functions (Fatal*, Error* etc.) and this will append the fields in the object to the output:
+//
+//	e := &structured.Error{MoreInfo:"See the documentation in istio.io/helpful_link"}
+//	s.WithLabels("foo", "bar").Error(e, "Hello")
+//	  <time>   info   MyScope   Hello  moreInfo=See the documentation in istio.io/helpful_link foo=bar
+//
+// See structured.Error for additional guidance on defining errors in a dictionary.
+type Scope struct {
+	// immutable, set at creation
+	name        string
+	nameToEmit  string
+	description string
+	callerSkip  int
+
+	// set by the Configure method and adjustable dynamically
+	outputLevel     *atomic.Value
+	stackTraceLevel *atomic.Value
+	logCallers      *atomic.Value
+
+	// labels data - key slice to preserve ordering
+	labelKeys []string
+	labels    map[string]any
+}
+
+var (
+	scopes = make(map[string]*Scope)
+	lock   sync.RWMutex
+)
+
+// RegisterScope registers a new logging scope. If the same name is used multiple times
+// for a single process, the same Scope struct is returned.
+//
+// Scope names cannot include colons, commas, or periods.
+func RegisterScope(name string, description string) *Scope {
+	// We only allow internal callers to set callerSkip
+	return registerScope(name, description, 0)
+}
+
+func registerScope(name string, description string, callerSkip int) *Scope {
+	if strings.ContainsAny(name, ":,.") {
+		panic(fmt.Sprintf("scope name %s is invalid, it cannot contain colons, commas, or periods", name))
+	}
+
+	lock.Lock()
+	defer lock.Unlock()
+
+	s, ok := scopes[name]
+	if !ok {
+		s = &Scope{
+			name:            name,
+			description:     description,
+			callerSkip:      callerSkip,
+			outputLevel:     &atomic.Value{},
+			stackTraceLevel: &atomic.Value{},
+			logCallers:      &atomic.Value{},
+		}
+		s.SetOutputLevel(InfoLevel)
+		s.SetStackTraceLevel(NoneLevel)
+		s.SetLogCallers(false)
+
+		if name != DefaultScopeName {
+			s.nameToEmit = name
+		}
+
+		scopes[name] = s
+	}
+
+	s.labels = make(map[string]any)
+
+	return s
+}
+
+// FindScope returns a previously registered scope, or nil if the named scope wasn't previously registered
+func FindScope(scope string) *Scope {
+	lock.RLock()
+	defer lock.RUnlock()
+
+	s := scopes[scope]
+	return s
+}
+
+// Scopes returns a snapshot of the currently defined set of scopes
+func Scopes() map[string]*Scope {
+	lock.RLock()
+	defer lock.RUnlock()
+
+	s := make(map[string]*Scope, len(scopes))
+	for k, v := range scopes {
+		s[k] = v
+	}
+
+	return s
+}
+
+// Fatal uses fmt.Sprint to construct and log a message at fatal level.
+func (s *Scope) Fatal(msg any) {
+	if s.GetOutputLevel() >= FatalLevel {
+		s.emit(zapcore.FatalLevel, fmt.Sprint(msg))
+	}
+}
+
+// Fatalf uses fmt.Sprintf to construct and log a message at fatal level.
+func (s *Scope) Fatalf(format string, args ...any) {
+	if s.GetOutputLevel() >= FatalLevel {
+		msg := maybeSprintf(format, args)
+		s.emit(zapcore.FatalLevel, msg)
+	}
+}
+
+// FatalEnabled returns whether output of messages using this scope is currently enabled for fatal-level output.
+func (s *Scope) FatalEnabled() bool {
+	return s.GetOutputLevel() >= FatalLevel
+}
+
+// Error outputs a message at error level.
+func (s *Scope) Error(msg any) {
+	if s.GetOutputLevel() >= ErrorLevel {
+		s.emit(zapcore.ErrorLevel, fmt.Sprint(msg))
+	}
+}
+
+// Errorf uses fmt.Sprintf to construct and log a message at error level.
+func (s *Scope) Errorf(format string, args ...any) {
+	if s.GetOutputLevel() >= ErrorLevel {
+		msg := maybeSprintf(format, args)
+		s.emit(zapcore.ErrorLevel, msg)
+	}
+}
+
+// ErrorEnabled returns whether output of messages using this scope is currently enabled for error-level output.
+func (s *Scope) ErrorEnabled() bool {
+	return s.GetOutputLevel() >= ErrorLevel
+}
+
+// Warn outputs a message at warn level.
+func (s *Scope) Warn(msg any) {
+	if s.GetOutputLevel() >= WarnLevel {
+		s.emit(zapcore.WarnLevel, fmt.Sprint(msg))
+	}
+}
+
+// Warnf uses fmt.Sprintf to construct and log a message at warn level.
+func (s *Scope) Warnf(format string, args ...any) {
+	if s.GetOutputLevel() >= WarnLevel {
+		msg := maybeSprintf(format, args)
+		s.emit(zapcore.WarnLevel, msg)
+	}
+}
+
+// WarnEnabled returns whether output of messages using this scope is currently enabled for warn-level output.
+func (s *Scope) WarnEnabled() bool {
+	return s.GetOutputLevel() >= WarnLevel
+}
+
+// Info outputs a message at info level.
+func (s *Scope) Info(msg any) {
+	if s.GetOutputLevel() >= InfoLevel {
+		s.emit(zapcore.InfoLevel, fmt.Sprint(msg))
+	}
+}
+
+// Infof uses fmt.Sprintf to construct and log a message at info level.
+func (s *Scope) Infof(format string, args ...any) {
+	if s.GetOutputLevel() >= InfoLevel {
+		msg := maybeSprintf(format, args)
+		s.emit(zapcore.InfoLevel, msg)
+	}
+}
+
+// InfoEnabled returns whether output of messages using this scope is currently enabled for info-level output.
+func (s *Scope) InfoEnabled() bool {
+	return s.GetOutputLevel() >= InfoLevel
+}
+
+// Debug outputs a message at debug level.
+func (s *Scope) Debug(msg any) {
+	if s.GetOutputLevel() >= DebugLevel {
+		s.emit(zapcore.DebugLevel, fmt.Sprint(msg))
+	}
+}
+
+// LogWithTime outputs a message with a given timestamp.
+func (s *Scope) LogWithTime(level Level, msg string, t time.Time) {
+	if s.GetOutputLevel() >= level {
+		s.emitWithTime(levelToZap[level], msg, t)
+	}
+}
+
+// Debugf uses fmt.Sprintf to construct and log a message at debug level.
+func (s *Scope) Debugf(format string, args ...any) {
+	if s.GetOutputLevel() >= DebugLevel {
+		msg := maybeSprintf(format, args)
+		s.emit(zapcore.DebugLevel, msg)
+	}
+}
+
+// DebugEnabled returns whether output of messages using this scope is currently enabled for debug-level output.
+func (s *Scope) DebugEnabled() bool {
+	return s.GetOutputLevel() >= DebugLevel
+}
+
+// Name returns this scope's name.
+func (s *Scope) Name() string {
+	return s.name
+}
+
+// Description returns this scope's description
+func (s *Scope) Description() string {
+	return s.description
+}
+
+// SetOutputLevel adjusts the output level associated with the scope.
+func (s *Scope) SetOutputLevel(l Level) {
+	s.outputLevel.Store(l)
+}
+
+// GetOutputLevel returns the output level associated with the scope.
+func (s *Scope) GetOutputLevel() Level {
+	return s.outputLevel.Load().(Level)
+}
+
+// SetStackTraceLevel adjusts the stack tracing level associated with the scope.
+func (s *Scope) SetStackTraceLevel(l Level) {
+	s.stackTraceLevel.Store(l)
+}
+
+// GetStackTraceLevel returns the stack tracing level associated with the scope.
+func (s *Scope) GetStackTraceLevel() Level {
+	return s.stackTraceLevel.Load().(Level)
+}
+
+// SetLogCallers adjusts the output level associated with the scope.
+func (s *Scope) SetLogCallers(logCallers bool) {
+	s.logCallers.Store(logCallers)
+}
+
+// GetLogCallers returns the output level associated with the scope.
+func (s *Scope) GetLogCallers() bool {
+	return s.logCallers.Load().(bool)
+}
+
+// copy makes a copy of s and returns a pointer to it.
+func (s *Scope) copy() *Scope {
+	out := *s
+	out.labels = copyStringInterfaceMap(s.labels)
+	return &out
+}
+
+// WithLabels adds a key-value pairs to the labels in s. The key must be a string, while the value may be any type.
+// It returns a copy of s, with the labels added.
+// e.g. newScope := oldScope.WithLabels("foo", "bar", "baz", 123, "qux", 0.123)
+func (s *Scope) WithLabels(kvlist ...any) *Scope {
+	out := s.copy()
+	if len(kvlist)%2 != 0 {
+		out.labels["WithLabels error"] = fmt.Sprintf("even number of parameters required, got %d", len(kvlist))
+		return out
+	}
+
+	for i := 0; i < len(kvlist); i += 2 {
+		keyi := kvlist[i]
+		key, ok := keyi.(string)
+		if !ok {
+			out.labels["WithLabels error"] = fmt.Sprintf("label name %v must be a string, got %T ", keyi, keyi)
+			return out
+		}
+		_, override := out.labels[key]
+		out.labels[key] = kvlist[i+1]
+		if override {
+			// Key already set, just modify the value
+			continue
+		}
+		out.labelKeys = append(out.labelKeys, key)
+	}
+	return out
+}
+
+func (s *Scope) emit(level zapcore.Level, msg string) {
+	s.emitWithTime(level, msg, time.Now())
+}
+
+func (s *Scope) emitWithTime(level zapcore.Level, msg string, t time.Time) {
+	if t.IsZero() {
+		t = time.Now()
+	}
+
+	e := zapcore.Entry{
+		Message:    msg,
+		Level:      level,
+		Time:       t,
+		LoggerName: s.nameToEmit,
+	}
+
+	if s.GetLogCallers() {
+		e.Caller = zapcore.NewEntryCaller(runtime.Caller(s.callerSkip + callerSkipOffset))
+	}
+
+	if dumpStack(level, s) {
+		e.Stack = zap.Stack("").String
+	}
+
+	var fields []zapcore.Field
+	if useJSON.Load().(bool) {
+		fields = make([]zapcore.Field, 0, len(s.labelKeys))
+		for _, k := range s.labelKeys {
+			v := s.labels[k]
+			if d, ok := v.(time.Duration); ok {
+				fields = append(fields, zap.Field{
+					Key:     k,
+					Integer: int64(d),
+					Type:    zapcore.DurationType,
+				})
+			} else {
+				fields = append(fields, zap.Field{
+					Key:       k,
+					Interface: v,
+					Type:      zapcore.ReflectType,
+				})
+			}
+		}
+	} else if len(s.labelKeys) > 0 {
+		sb := &strings.Builder{}
+		// Assume roughly 15 chars per kv pair. Its fine to be off, this is just an optimization
+		sb.Grow(len(msg) + 15*len(s.labelKeys))
+		sb.WriteString(msg)
+		sb.WriteString("\t")
+		space := false
+		for _, k := range s.labelKeys {
+			if space {
+				sb.WriteString(" ")
+			}
+			sb.WriteString(k)
+			sb.WriteString("=")
+			sb.WriteString(fmt.Sprint(s.labels[k]))
+			space = true
+		}
+		e.Message = sb.String()
+	}
+
+	pt := funcs.Load().(patchTable)
+	if pt.write != nil {
+		if err := pt.write(e, fields); err != nil {
+			_, _ = fmt.Fprintf(pt.errorSink, "%v log write error: %v\n", time.Now(), err)
+			_ = pt.errorSink.Sync()
+		}
+	}
+}
+
+func copyStringInterfaceMap(m map[string]any) map[string]any {
+	out := make(map[string]any, len(m))
+	for k, v := range m {
+		out[k] = v
+	}
+	return out
+}
+
+func maybeSprintf(format string, args []any) string {
+	msg := format
+	if len(args) > 0 {
+		msg = fmt.Sprintf(format, args...)
+	}
+	return msg
+}
diff --git a/vendor/istio.io/istio/pkg/log/uds.go b/vendor/istio.io/istio/pkg/log/uds.go
new file mode 100644
index 0000000000..b985879d00
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/log/uds.go
@@ -0,0 +1,150 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package log
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"sync"
+	"time"
+
+	"go.uber.org/zap"
+	"go.uber.org/zap/buffer"
+	"go.uber.org/zap/zapcore"
+	lj "gopkg.in/natefinch/lumberjack.v2"
+)
+
+// An udsCore write entries to an UDS server with HTTP Post. Log messages will be encoded into a JSON array.
+type udsCore struct {
+	client       http.Client
+	minimumLevel zapcore.Level
+	url          string
+	enc          zapcore.Encoder
+	buffers      []*buffer.Buffer
+	mu           sync.Mutex
+}
+
+// teeToUDSServer returns a zapcore.Core that writes entries to both the provided core and to an uds server.
+func teeToUDSServer(baseCore zapcore.Core, address, path string) zapcore.Core {
+	c := http.Client{
+		Transport: &http.Transport{
+			DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
+				return net.Dial("unix", address)
+			},
+		},
+		Timeout: time.Second,
+	}
+	uc := &udsCore{
+		client:  c,
+		url:     "http://unix" + path,
+		enc:     zapcore.NewJSONEncoder(defaultEncoderConfig),
+		buffers: make([]*buffer.Buffer, 0),
+	}
+	for l := zapcore.DebugLevel; l <= zapcore.FatalLevel; l++ {
+		if baseCore.Enabled(l) {
+			uc.minimumLevel = l
+			break
+		}
+	}
+
+	return zapcore.NewTee(baseCore, uc)
+}
+
+// Creates a small/fixed rolling log on the node's local FS.
+// This can be useful as a backup/fallback in case the node agent is down
+// and the UDS logging consequently fails (losing logs).
+func teeToRollingLocal(baseCore zapcore.Core, path string, maxSizeMB int) zapcore.Core {
+	w := zapcore.AddSync(&lj.Logger{
+		Filename:   path,
+		MaxSize:    maxSizeMB,
+		MaxBackups: 1,
+		MaxAge:     2, // days
+	})
+
+	core := zapcore.NewCore(
+		zapcore.NewJSONEncoder(defaultEncoderConfig),
+		w,
+		zap.InfoLevel,
+	)
+
+	return zapcore.NewTee(baseCore, core)
+}
+
+// Enabled implements zapcore.Core.
+func (u *udsCore) Enabled(l zapcore.Level) bool {
+	return l >= u.minimumLevel
+}
+
+// With implements zapcore.Core.
+func (u *udsCore) With(fields []zapcore.Field) zapcore.Core {
+	return &udsCore{
+		client:       u.client,
+		minimumLevel: u.minimumLevel,
+	}
+}
+
+// Check implements zapcore.Core.
+func (u *udsCore) Check(e zapcore.Entry, ce *zapcore.CheckedEntry) *zapcore.CheckedEntry {
+	if u.Enabled(e.Level) {
+		return ce.AddCore(e, u)
+	}
+	return ce
+}
+
+// Sync implements zapcore.Core. It sends log messages with HTTP POST.
+func (u *udsCore) Sync() error {
+	logs := u.logsFromBuffer()
+	msg, err := json.Marshal(logs)
+	if err != nil {
+		return fmt.Errorf("failed to sync uds log: %v", err)
+	}
+	resp, err := u.client.Post(u.url, "application/json", bytes.NewReader(msg))
+	if err != nil {
+		return fmt.Errorf("failed to send logs to uds server %v: %v", u.url, err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("uds server returns non-ok status %v: %v", u.url, resp.Status)
+	}
+	return nil
+}
+
+// Write implements zapcore.Core. Log messages will be temporarily buffered and sent to
+// UDS server asyncrhonously.
+func (u *udsCore) Write(entry zapcore.Entry, fields []zapcore.Field) error {
+	buffer, err := u.enc.EncodeEntry(entry, fields)
+	if err != nil {
+		return fmt.Errorf("failed to write log to uds logger: %v", err)
+	}
+	u.mu.Lock()
+	u.buffers = append(u.buffers, buffer)
+	u.mu.Unlock()
+	return nil
+}
+
+func (u *udsCore) logsFromBuffer() []string {
+	u.mu.Lock()
+	defer u.mu.Unlock()
+	logs := make([]string, 0, len(u.buffers))
+	for _, b := range u.buffers {
+		logs = append(logs, b.String())
+		b.Free()
+	}
+	u.buffers = make([]*buffer.Buffer, 0)
+	return logs
+}
diff --git a/vendor/istio.io/istio/pkg/log/zapcore_handler.go b/vendor/istio.io/istio/pkg/log/zapcore_handler.go
new file mode 100644
index 0000000000..5670e87286
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/log/zapcore_handler.go
@@ -0,0 +1,43 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package log
+
+import (
+	"go.uber.org/zap/zapcore"
+)
+
+var toLevel = map[zapcore.Level]Level{
+	zapcore.FatalLevel: FatalLevel,
+	zapcore.ErrorLevel: ErrorLevel,
+	zapcore.WarnLevel:  WarnLevel,
+	zapcore.InfoLevel:  InfoLevel,
+	zapcore.DebugLevel: DebugLevel,
+}
+
+// callerSkipOffset is how many callers to pop off the stack to determine the caller function locality, used for
+// adding file/line number to log output.
+const callerSkipOffset = 3
+
+func dumpStack(level zapcore.Level, scope *Scope) bool {
+	thresh := toLevel[level]
+	if scope != defaultScope {
+		thresh = ErrorLevel
+		switch level {
+		case zapcore.FatalLevel:
+			thresh = FatalLevel
+		}
+	}
+	return scope.GetStackTraceLevel() >= thresh
+}
diff --git a/vendor/istio.io/istio/pkg/ptr/pointer.go b/vendor/istio.io/istio/pkg/ptr/pointer.go
new file mode 100644
index 0000000000..7c4543eff5
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/ptr/pointer.go
@@ -0,0 +1,89 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ptr
+
+import (
+	"fmt"
+)
+
+// Of returns a pointer to the input. In most cases, callers should just do &t. However, in some cases
+// Go cannot take a pointer. For example, `ptr.Of(f())`.
+func Of[T any](t T) *T {
+	return &t
+}
+
+// OrEmpty returns *t if its non-nil, or else an empty T
+func OrEmpty[T any](t *T) T {
+	if t != nil {
+		return *t
+	}
+	var empty T
+	return empty
+}
+
+// OrDefault returns *t if its non-nil, or else def.
+func OrDefault[T any](t *T, def T) T {
+	if t != nil {
+		return *t
+	}
+	return def
+}
+
+// NonEmptyOrDefault returns t if its non-empty, or else def.
+func NonEmptyOrDefault[T comparable](t T, def T) T {
+	var empty T
+	if t != empty {
+		return t
+	}
+	return def
+}
+
+// Empty returns an empty T type
+func Empty[T any]() T {
+	var empty T
+	return empty
+}
+
+// ToList returns an empty list if t is nil, or a list with a single element
+func ToList[T any](t *T) []T {
+	if t == nil {
+		return nil
+	}
+	return []T{*t}
+}
+
+// TypeName returns the name of the type
+func TypeName[T any]() string {
+	var empty T
+	return fmt.Sprintf("%T", empty)
+}
+
+// Flatten converts a double pointer to a single pointer by referencing if its non-nil
+func Flatten[T any](t **T) *T {
+	if t == nil {
+		return nil
+	}
+	return *t
+}
+
+func Equal[T comparable](a, b *T) bool {
+	if (a == nil) != (b == nil) {
+		return false
+	}
+	if a == nil {
+		return true
+	}
+	return *a == *b
+}
diff --git a/vendor/istio.io/istio/pkg/slices/slices.go b/vendor/istio.io/istio/pkg/slices/slices.go
new file mode 100644
index 0000000000..b6b13253c2
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/slices/slices.go
@@ -0,0 +1,361 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package slices defines various functions useful with slices of any type.
+package slices
+
+import (
+	"cmp"
+	"slices" // nolint: depguard
+	"strings"
+)
+
+// Equal reports whether two slices are equal: the same length and all
+// elements equal. If the lengths are different, Equal returns false.
+// Otherwise, the elements are compared in increasing index order, and the
+// comparison stops at the first unequal pair.
+// Floating point NaNs are not considered equal.
+func Equal[E comparable](s1, s2 []E) bool {
+	return slices.Equal(s1, s2)
+}
+
+// EqualUnordered reports whether two slices are equal, ignoring order
+func EqualUnordered[E comparable](s1, s2 []E) bool {
+	if len(s1) != len(s2) {
+		return false
+	}
+	first := make(map[E]struct{}, len(s1))
+	for _, c := range s1 {
+		first[c] = struct{}{}
+	}
+	for _, c := range s2 {
+		if _, f := first[c]; !f {
+			return false
+		}
+	}
+	return true
+}
+
+// EqualFunc reports whether two slices are equal using a comparison
+// function on each pair of elements. If the lengths are different,
+// EqualFunc returns false. Otherwise, the elements are compared in
+// increasing index order, and the comparison stops at the first index
+// for which eq returns false.
+func EqualFunc[E1, E2 comparable](s1 []E1, s2 []E2, eq func(E1, E2) bool) bool {
+	return slices.EqualFunc(s1, s2, eq)
+}
+
+// SortFunc sorts the slice x in ascending order as determined by the less function.
+// This sort is not guaranteed to be stable.
+// The slice is modified in place but returned.
+func SortFunc[E any](x []E, less func(a, b E) int) []E {
+	if len(x) <= 1 {
+		return x
+	}
+	slices.SortFunc(x, less)
+	return x
+}
+
+// SortStableFunc sorts the slice x while keeping the original order of equal element.
+// The slice is modified in place but returned.
+// Please refer to SortFunc for usage instructions.
+func SortStableFunc[E any](x []E, less func(a, b E) int) []E {
+	if len(x) <= 1 {
+		return x
+	}
+	slices.SortStableFunc(x, less)
+	return x
+}
+
+// SortBy is a helper to sort a slice by some value. Typically, this would be sorting a struct
+// by a single field. If you need to have multiple fields, see the ExampleSort.
+func SortBy[E any, A cmp.Ordered](x []E, extract func(a E) A) []E {
+	if len(x) <= 1 {
+		return x
+	}
+	SortFunc(x, func(a, b E) int {
+		return cmp.Compare(extract(a), extract(b))
+	})
+	return x
+}
+
+// Sort sorts a slice of any ordered type in ascending order.
+// The slice is modified in place but returned.
+func Sort[E cmp.Ordered](x []E) []E {
+	if len(x) <= 1 {
+		return x
+	}
+	slices.Sort(x)
+	return x
+}
+
+// Clone returns a copy of the slice.
+// The elements are copied using assignment, so this is a shallow clone.
+func Clone[S ~[]E, E any](s S) S {
+	return slices.Clone(s)
+}
+
+// Delete removes the element i from s, returning the modified slice.
+func Delete[S ~[]E, E any](s S, i int) S {
+	// Since Go 1.22, "slices.Delete zeroes the elements s[len(s)-(j-i):len(s)]"
+	// (no memory leak)
+	return slices.Delete(s, i, i+1)
+}
+
+// Contains reports whether v is present in s.
+func Contains[E comparable](s []E, v E) bool {
+	return slices.Contains(s, v)
+}
+
+// Max returns the maximal value in x. It panics if x is empty.
+// For floating-point E, Max propagates NaNs (any NaN value in x
+// forces the output to be NaN).
+func Max[S ~[]E, E cmp.Ordered](x S) E {
+	return slices.Max(x)
+}
+
+// MaxFunc returns the maximal value in x, using cmp to compare elements.
+// It panics if x is empty. If there is more than one maximal element
+// according to the cmp function, MaxFunc returns the first one.
+func MaxFunc[S ~[]E, E any](x S, cmp func(a, b E) int) E {
+	return slices.MaxFunc(x, cmp)
+}
+
+// Min returns the minimal value in x. It panics if x is empty.
+// For floating-point numbers, Min propagates NaNs (any NaN value in x
+// forces the output to be NaN).
+func Min[S ~[]E, E cmp.Ordered](x S) E {
+	return slices.Min(x)
+}
+
+// MinFunc returns the minimal value in x, using cmp to compare elements.
+// It panics if x is empty. If there is more than one minimal element
+// according to the cmp function, MinFunc returns the first one.
+func MinFunc[S ~[]E, E any](x S, cmp func(a, b E) int) E {
+	return slices.MinFunc(x, cmp)
+}
+
+// Index returns the index of the first occurrence of v in s,
+// or -1 if not present.
+func Index[S ~[]E, E comparable](s S, v E) int {
+	return slices.Index(s, v)
+}
+
+// IndexFunc returns the first index i satisfying f(s[i]),
+// or -1 if none do.
+func IndexFunc[S ~[]E, E any](s S, f func(E) bool) int {
+	return slices.IndexFunc(s, f)
+}
+
+// FindFunc finds the first element matching the function, or nil if none do
+func FindFunc[E any](s []E, f func(E) bool) *E {
+	idx := slices.IndexFunc(s, f)
+	if idx == -1 {
+		return nil
+	}
+	return &s[idx]
+}
+
+// First returns the first item in the slice, if there is one
+func First[E any](s []E) *E {
+	if len(s) == 0 {
+		return nil
+	}
+	return &s[0]
+}
+
+// Reverse returns its argument array reversed
+func Reverse[E any](r []E) []E {
+	for i, j := 0, len(r)-1; i < len(r)/2; i, j = i+1, j-1 {
+		r[i], r[j] = r[j], r[i]
+	}
+	return r
+}
+
+func BinarySearch[S ~[]E, E cmp.Ordered](x S, target E) (int, bool) {
+	return slices.BinarySearch(x, target)
+}
+
+// FilterInPlace retains all elements in []E that keep(E) returns true for.
+// The array is *mutated in place* and returned.
+// Use Filter to avoid mutation
+func FilterInPlace[E any](s []E, keep func(E) bool) []E {
+	// find the first to filter index
+	i := slices.IndexFunc(s, func(e E) bool {
+		return !keep(e)
+	})
+	if i == -1 {
+		return s
+	}
+
+	// don't start copying elements until we find one to filter
+	for j := i + 1; j < len(s); j++ {
+		if v := s[j]; keep(v) {
+			s[i] = v
+			i++
+		}
+	}
+
+	clear(s[i:]) // zero/nil out the obsolete elements, for GC
+	return s[:i]
+}
+
+func FilterDuplicates[E comparable](s []E) []E {
+	seen := make(map[E]struct{})
+	result := make([]E, 0)
+	for _, item := range s {
+		if _, ok := seen[item]; !ok {
+			result = append(result, item)
+			seen[item] = struct{}{}
+		}
+	}
+	return result
+}
+
+// FilterDuplicatesPresorted retains all unique elements in []E.
+// The slices MUST be pre-sorted.
+func FilterDuplicatesPresorted[E comparable](s []E) []E {
+	if len(s) <= 1 {
+		return s
+	}
+	n := 1
+	for i := 1; i < len(s); i++ {
+		val := s[i]
+		if val != s[i-1] {
+			s[n] = val
+			n++
+		}
+	}
+
+	// If those elements contain pointers you might consider zeroing those elements
+	// so that objects they reference can be garbage collected."
+	var empty E
+	for i := n; i < len(s); i++ {
+		s[i] = empty
+	}
+
+	s = s[:n]
+	return s
+}
+
+// Filter retains all elements in []E that f(E) returns true for.
+// A new slice is created and returned. Use FilterInPlace to perform in-place
+func Filter[E any](s []E, f func(E) bool) []E {
+	matched := []E{}
+	for _, v := range s {
+		if f(v) {
+			matched = append(matched, v)
+		}
+	}
+	return matched
+}
+
+// Map runs f() over all elements in s and returns the result
+func Map[E any, O any](s []E, f func(E) O) []O {
+	n := make([]O, 0, len(s))
+	for _, e := range s {
+		n = append(n, f(e))
+	}
+	return n
+}
+
+// MapErr runs f() over all elements in s and returns the result, short circuiting if there is an error.
+func MapErr[E any, O any](s []E, f func(E) (O, error)) ([]O, error) {
+	n := make([]O, 0, len(s))
+	for _, e := range s {
+		res, err := f(e)
+		if err != nil {
+			return nil, err
+		}
+		n = append(n, res)
+	}
+	return n, nil
+}
+
+// MapFilter runs f() over all elements in s and returns any non-nil results
+func MapFilter[E any, O any](s []E, f func(E) *O) []O {
+	n := make([]O, 0, len(s))
+	for _, e := range s {
+		if res := f(e); res != nil {
+			n = append(n, *res)
+		}
+	}
+	return n
+}
+
+// Reference takes a pointer to all elements in the slice
+func Reference[E any](s []E) []*E {
+	res := make([]*E, 0, len(s))
+	for _, v := range s {
+		res = append(res, &v)
+	}
+	return res
+}
+
+// Dereference returns all non-nil references, dereferenced
+func Dereference[E any](s []*E) []E {
+	res := make([]E, 0, len(s))
+	for _, v := range s {
+		if v != nil {
+			res = append(res, *v)
+		}
+	}
+	return res
+}
+
+// Flatten merges a slice of slices into a single slice.
+func Flatten[E any](s [][]E) []E {
+	if s == nil {
+		return nil
+	}
+	res := make([]E, 0)
+	for _, v := range s {
+		res = append(res, v...)
+	}
+	return res
+}
+
+// Group groups a slice by a key.
+func Group[T any, K comparable](data []T, f func(T) K) map[K][]T {
+	res := make(map[K][]T, len(data))
+	for _, e := range data {
+		k := f(e)
+		res[k] = append(res[k], e)
+	}
+	return res
+}
+
+// GroupUnique groups a slice by a key. Each key must be unique or data will be lost. To allow multiple use Group.
+func GroupUnique[T any, K comparable](data []T, f func(T) K) map[K]T {
+	res := make(map[K]T, len(data))
+	for _, e := range data {
+		res[f(e)] = e
+	}
+	return res
+}
+
+func Join(sep string, fields ...string) string {
+	return strings.Join(fields, sep)
+}
+
+// Insert inserts the values v... into s at index i,
+// returning the modified slice.
+// The elements at s[i:] are shifted up to make room.
+// In the returned slice r, r[i] == v[0],
+// and r[i+len(v)] == value originally at r[i].
+// Insert panics if i is out of range.
+// This function is O(len(s) + len(v)).
+func Insert[S ~[]E, E any](s S, i int, v ...E) S {
+	return slices.Insert(s, i, v...)
+}
diff --git a/vendor/istio.io/istio/pkg/util/sets/set.go b/vendor/istio.io/istio/pkg/util/sets/set.go
new file mode 100644
index 0000000000..a6936caf94
--- /dev/null
+++ b/vendor/istio.io/istio/pkg/util/sets/set.go
@@ -0,0 +1,312 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sets
+
+import (
+	"cmp"
+	"fmt"
+
+	"istio.io/istio/pkg/slices"
+)
+
+type Set[T comparable] map[T]struct{}
+
+type String = Set[string]
+
+// NewWithLength returns an empty Set with the given capacity.
+// It's only a hint, not a limitation.
+func NewWithLength[T comparable](l int) Set[T] {
+	return make(Set[T], l)
+}
+
+// New creates a new Set with the given items.
+func New[T comparable](items ...T) Set[T] {
+	s := NewWithLength[T](len(items))
+	return s.InsertAll(items...)
+}
+
+// Insert a single item to this Set.
+func (s Set[T]) Insert(item T) Set[T] {
+	s[item] = struct{}{}
+	return s
+}
+
+// InsertAll adds the items to this Set.
+func (s Set[T]) InsertAll(items ...T) Set[T] {
+	for _, item := range items {
+		s[item] = struct{}{}
+	}
+	return s
+}
+
+// Delete removes an item from the set.
+func (s Set[T]) Delete(item T) Set[T] {
+	delete(s, item)
+	return s
+}
+
+// DeleteAll removes items from the set.
+func (s Set[T]) DeleteAll(items ...T) Set[T] {
+	for _, item := range items {
+		delete(s, item)
+	}
+	return s
+}
+
+// DeleteAllSet removes items from the set.
+// Note: this differs from Difference() as this is in-place
+func (s Set[T]) DeleteAllSet(other Set[T]) Set[T] {
+	for item := range other {
+		delete(s, item)
+	}
+	return s
+}
+
+// Merge a set of objects that are in s2 into s
+// For example:
+// s = {a1, a2, a3}
+// s2 = {a3, a4, a5}
+// s.Merge(s2) = {a1, a2, a3, a4, a5}
+func (s Set[T]) Merge(s2 Set[T]) Set[T] {
+	for item := range s2 {
+		s[item] = struct{}{}
+	}
+
+	return s
+}
+
+// Copy this set.
+func (s Set[T]) Copy() Set[T] {
+	result := NewWithLength[T](s.Len())
+	for key := range s {
+		result.Insert(key)
+	}
+	return result
+}
+
+// Union returns a set of objects that are in s or s2
+// For example:
+// s = {a1, a2, a3}
+// s2 = {a1, a2, a4, a5}
+// s.Union(s2) = s2.Union(s) = {a1, a2, a3, a4, a5}
+func (s Set[T]) Union(s2 Set[T]) Set[T] {
+	result := s.Copy()
+	for key := range s2 {
+		result.Insert(key)
+	}
+	return result
+}
+
+// Difference returns a set of objects that are not in s2
+// For example:
+// s = {a1, a2, a3}
+// s2 = {a1, a2, a4, a5}
+// s.Difference(s2) = {a3}
+// s2.Difference(s) = {a4, a5}
+func (s Set[T]) Difference(s2 Set[T]) Set[T] {
+	result := New[T]()
+	for key := range s {
+		if !s2.Contains(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// DifferenceInPlace similar to Difference, but has better performance.
+// Note: This function modifies s in place.
+func (s Set[T]) DifferenceInPlace(s2 Set[T]) Set[T] {
+	for key := range s {
+		if s2.Contains(key) {
+			delete(s, key)
+		}
+	}
+	return s
+}
+
+// Diff takes a pair of Sets, and returns the elements that occur only on the left and right set.
+func (s Set[T]) Diff(other Set[T]) (left []T, right []T) {
+	for k := range s {
+		if _, f := other[k]; !f {
+			left = append(left, k)
+		}
+	}
+	for k := range other {
+		if _, f := s[k]; !f {
+			right = append(right, k)
+		}
+	}
+	return left, right
+}
+
+// Intersection returns a set of objects that are common between s and s2
+// For example:
+// s = {a1, a2, a3}
+// s2 = {a1, a2, a4, a5}
+// s.Intersection(s2) = {a1, a2}
+func (s Set[T]) Intersection(s2 Set[T]) Set[T] {
+	result := New[T]()
+	for key := range s {
+		if s2.Contains(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// IntersectInPlace similar to Intersection, but has better performance.
+// Note: This function modifies s in place.
+func (s Set[T]) IntersectInPlace(s2 Set[T]) Set[T] {
+	for key := range s {
+		if !s2.Contains(key) {
+			delete(s, key)
+		}
+	}
+	return s
+}
+
+// SupersetOf returns true if s contains all elements of s2
+// For example:
+// s = {a1, a2, a3}
+// s2 = {a1, a2, a3, a4, a5}
+// s.SupersetOf(s2) = false
+// s2.SupersetOf(s) = true
+func (s Set[T]) SupersetOf(s2 Set[T]) bool {
+	if s2 == nil {
+		return true
+	}
+	if len(s2) > len(s) {
+		return false
+	}
+	for key := range s2 {
+		if !s.Contains(key) {
+			return false
+		}
+	}
+	return true
+}
+
+// UnsortedList returns the slice with contents in random order.
+func (s Set[T]) UnsortedList() []T {
+	res := make([]T, 0, s.Len())
+	for key := range s {
+		res = append(res, key)
+	}
+	return res
+}
+
+// SortedList returns the slice with contents sorted.
+func SortedList[T cmp.Ordered](s Set[T]) []T {
+	res := s.UnsortedList()
+	slices.Sort(res)
+	return res
+}
+
+// InsertContains inserts the item into the set and returns if it was already present.
+// Example:
+//
+//		if !set.InsertContains(item) {
+//			fmt.Println("Added item for the first time", item)
+//	  }
+func (s Set[T]) InsertContains(item T) bool {
+	if s.Contains(item) {
+		return true
+	}
+	s[item] = struct{}{}
+	return false
+}
+
+// DeleteContains deletes the item from the set and returns if it was already present.
+// Example:
+//
+//	if set.DeleteContains(item) {
+//		fmt.Println("item was delete", item)
+//	}
+func (s Set[T]) DeleteContains(item T) bool {
+	if !s.Contains(item) {
+		return false
+	}
+	delete(s, item)
+	return true
+}
+
+// Contains returns whether the given item is in the set.
+func (s Set[T]) Contains(item T) bool {
+	_, ok := s[item]
+	return ok
+}
+
+// ContainsAll is alias of SupersetOf
+// returns true if s contains all elements of s2
+func (s Set[T]) ContainsAll(s2 Set[T]) bool {
+	return s.SupersetOf(s2)
+}
+
+// Equals checks whether the given set is equal to the current set.
+func (s Set[T]) Equals(other Set[T]) bool {
+	if s.Len() != other.Len() {
+		return false
+	}
+
+	for key := range s {
+		if !other.Contains(key) {
+			return false
+		}
+	}
+
+	return true
+}
+
+// Len returns the number of elements in this Set.
+func (s Set[T]) Len() int {
+	return len(s)
+}
+
+// IsEmpty indicates whether the set is the empty set.
+func (s Set[T]) IsEmpty() bool {
+	return len(s) == 0
+}
+
+// String returns a string representation of the set.
+// Be aware that the order of elements is random so the string representation may vary.
+// Use it only for debugging and logging.
+func (s Set[T]) String() string {
+	return fmt.Sprintf("%v", s.UnsortedList())
+}
+
+// InsertOrNew inserts t into the set if the set exists, or returns a new set with t if not.
+// Works well with DeleteCleanupLast.
+// Example:
+//
+//	InsertOrNew(m, key, value)
+func InsertOrNew[K comparable, T comparable](m map[K]Set[T], k K, v T) {
+	s, f := m[k]
+	if !f {
+		m[k] = New(v)
+	} else {
+		s.Insert(v)
+	}
+}
+
+// DeleteCleanupLast removes an element from a set in a map of sets, deleting the key from the map if there are no keys left.
+// Works well with InsertOrNew.
+// Example:
+//
+//	sets.DeleteCleanupLast(m, key, value)
+func DeleteCleanupLast[K comparable, T comparable](m map[K]Set[T], k K, v T) {
+	if m[k].Delete(v).IsEmpty() {
+		delete(m, k)
+	}
+}
diff --git a/vendor/k8s.io/apimachinery/pkg/api/validation/path/name.go b/vendor/k8s.io/apimachinery/pkg/api/validation/path/name.go
new file mode 100644
index 0000000000..ffb9f56d80
--- /dev/null
+++ b/vendor/k8s.io/apimachinery/pkg/api/validation/path/name.go
@@ -0,0 +1,68 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package path
+
+import (
+	"fmt"
+	"strings"
+)
+
+// NameMayNotBe specifies strings that cannot be used as names specified as path segments (like the REST API or etcd store)
+var NameMayNotBe = []string{".", ".."}
+
+// NameMayNotContain specifies substrings that cannot be used in names specified as path segments (like the REST API or etcd store)
+var NameMayNotContain = []string{"/", "%"}
+
+// IsValidPathSegmentName validates the name can be safely encoded as a path segment
+func IsValidPathSegmentName(name string) []string {
+	for _, illegalName := range NameMayNotBe {
+		if name == illegalName {
+			return []string{fmt.Sprintf(`may not be '%s'`, illegalName)}
+		}
+	}
+
+	var errors []string
+	for _, illegalContent := range NameMayNotContain {
+		if strings.Contains(name, illegalContent) {
+			errors = append(errors, fmt.Sprintf(`may not contain '%s'`, illegalContent))
+		}
+	}
+
+	return errors
+}
+
+// IsValidPathSegmentPrefix validates the name can be used as a prefix for a name which will be encoded as a path segment
+// It does not check for exact matches with disallowed names, since an arbitrary suffix might make the name valid
+func IsValidPathSegmentPrefix(name string) []string {
+	var errors []string
+	for _, illegalContent := range NameMayNotContain {
+		if strings.Contains(name, illegalContent) {
+			errors = append(errors, fmt.Sprintf(`may not contain '%s'`, illegalContent))
+		}
+	}
+
+	return errors
+}
+
+// ValidatePathSegmentName validates the name can be safely encoded as a path segment
+func ValidatePathSegmentName(name string, prefix bool) []string {
+	if prefix {
+		return IsValidPathSegmentPrefix(name)
+	}
+
+	return IsValidPathSegmentName(name)
+}
diff --git a/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme/scheme.go b/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme/scheme.go
new file mode 100644
index 0000000000..f8f5ec8560
--- /dev/null
+++ b/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme/scheme.go
@@ -0,0 +1,129 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package unstructuredscheme
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
+	"k8s.io/apimachinery/pkg/runtime/serializer/versioning"
+)
+
+var scheme = runtime.NewScheme()
+
+// NewUnstructuredNegotiatedSerializer returns a simple, negotiated serializer
+func NewUnstructuredNegotiatedSerializer() runtime.NegotiatedSerializer {
+	return unstructuredNegotiatedSerializer{
+		scheme:  scheme,
+		typer:   NewUnstructuredObjectTyper(),
+		creator: NewUnstructuredCreator(),
+	}
+}
+
+type unstructuredNegotiatedSerializer struct {
+	scheme  *runtime.Scheme
+	typer   runtime.ObjectTyper
+	creator runtime.ObjectCreater
+}
+
+func (s unstructuredNegotiatedSerializer) SupportedMediaTypes() []runtime.SerializerInfo {
+	return []runtime.SerializerInfo{
+		{
+			MediaType:        "application/json",
+			MediaTypeType:    "application",
+			MediaTypeSubType: "json",
+			EncodesAsText:    true,
+			Serializer:       json.NewSerializerWithOptions(json.DefaultMetaFactory, s.creator, s.typer, json.SerializerOptions{}),
+			PrettySerializer: json.NewSerializerWithOptions(json.DefaultMetaFactory, s.creator, s.typer, json.SerializerOptions{Pretty: true}),
+			StreamSerializer: &runtime.StreamSerializerInfo{
+				EncodesAsText: true,
+				Serializer:    json.NewSerializerWithOptions(json.DefaultMetaFactory, s.creator, s.typer, json.SerializerOptions{}),
+				Framer:        json.Framer,
+			},
+		},
+		{
+			MediaType:        "application/yaml",
+			MediaTypeType:    "application",
+			MediaTypeSubType: "yaml",
+			EncodesAsText:    true,
+			Serializer:       json.NewSerializerWithOptions(json.DefaultMetaFactory, s.creator, s.typer, json.SerializerOptions{Yaml: true}),
+		},
+	}
+}
+
+func (s unstructuredNegotiatedSerializer) EncoderForVersion(encoder runtime.Encoder, gv runtime.GroupVersioner) runtime.Encoder {
+	return versioning.NewDefaultingCodecForScheme(s.scheme, encoder, nil, gv, nil)
+}
+
+func (s unstructuredNegotiatedSerializer) DecoderToVersion(decoder runtime.Decoder, gv runtime.GroupVersioner) runtime.Decoder {
+	return versioning.NewDefaultingCodecForScheme(s.scheme, nil, decoder, nil, gv)
+}
+
+type unstructuredObjectTyper struct {
+}
+
+// NewUnstructuredObjectTyper returns an object typer that can deal with unstructured things
+func NewUnstructuredObjectTyper() runtime.ObjectTyper {
+	return unstructuredObjectTyper{}
+}
+
+func (t unstructuredObjectTyper) ObjectKinds(obj runtime.Object) ([]schema.GroupVersionKind, bool, error) {
+	// Delegate for things other than Unstructured.
+	if _, ok := obj.(runtime.Unstructured); !ok {
+		return nil, false, fmt.Errorf("cannot type %T", obj)
+	}
+	gvk := obj.GetObjectKind().GroupVersionKind()
+	if len(gvk.Kind) == 0 {
+		return nil, false, runtime.NewMissingKindErr("object has no kind field ")
+	}
+	if len(gvk.Version) == 0 {
+		return nil, false, runtime.NewMissingVersionErr("object has no apiVersion field")
+	}
+
+	return []schema.GroupVersionKind{obj.GetObjectKind().GroupVersionKind()}, false, nil
+}
+
+func (t unstructuredObjectTyper) Recognizes(gvk schema.GroupVersionKind) bool {
+	return true
+}
+
+type unstructuredCreator struct{}
+
+// NewUnstructuredCreator returns a simple object creator that always returns an unstructured
+func NewUnstructuredCreator() runtime.ObjectCreater {
+	return unstructuredCreator{}
+}
+
+func (c unstructuredCreator) New(kind schema.GroupVersionKind) (runtime.Object, error) {
+	ret := &unstructured.Unstructured{}
+	ret.SetGroupVersionKind(kind)
+	return ret, nil
+}
+
+type unstructuredDefaulter struct {
+}
+
+// NewUnstructuredDefaulter returns defaulter suitable for unstructured types that doesn't default anything
+func NewUnstructuredDefaulter() runtime.ObjectDefaulter {
+	return unstructuredDefaulter{}
+}
+
+func (d unstructuredDefaulter) Default(in runtime.Object) {
+}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/duration/duration.go b/vendor/k8s.io/apimachinery/pkg/util/duration/duration.go
new file mode 100644
index 0000000000..a20136a4e5
--- /dev/null
+++ b/vendor/k8s.io/apimachinery/pkg/util/duration/duration.go
@@ -0,0 +1,93 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package duration
+
+import (
+	"fmt"
+	"time"
+)
+
+// ShortHumanDuration returns a succinct representation of the provided duration
+// with limited precision for consumption by humans.
+func ShortHumanDuration(d time.Duration) string {
+	// Allow deviation no more than 2 seconds(excluded) to tolerate machine time
+	// inconsistence, it can be considered as almost now.
+	if seconds := int(d.Seconds()); seconds < -1 {
+		return "<invalid>"
+	} else if seconds < 0 {
+		return "0s"
+	} else if seconds < 60 {
+		return fmt.Sprintf("%ds", seconds)
+	} else if minutes := int(d.Minutes()); minutes < 60 {
+		return fmt.Sprintf("%dm", minutes)
+	} else if hours := int(d.Hours()); hours < 24 {
+		return fmt.Sprintf("%dh", hours)
+	} else if hours < 24*365 {
+		return fmt.Sprintf("%dd", hours/24)
+	}
+	return fmt.Sprintf("%dy", int(d.Hours()/24/365))
+}
+
+// HumanDuration returns a succinct representation of the provided duration
+// with limited precision for consumption by humans. It provides ~2-3 significant
+// figures of duration.
+func HumanDuration(d time.Duration) string {
+	// Allow deviation no more than 2 seconds(excluded) to tolerate machine time
+	// inconsistence, it can be considered as almost now.
+	if seconds := int(d.Seconds()); seconds < -1 {
+		return "<invalid>"
+	} else if seconds < 0 {
+		return "0s"
+	} else if seconds < 60*2 {
+		return fmt.Sprintf("%ds", seconds)
+	}
+	minutes := int(d / time.Minute)
+	if minutes < 10 {
+		s := int(d/time.Second) % 60
+		if s == 0 {
+			return fmt.Sprintf("%dm", minutes)
+		}
+		return fmt.Sprintf("%dm%ds", minutes, s)
+	} else if minutes < 60*3 {
+		return fmt.Sprintf("%dm", minutes)
+	}
+	hours := int(d / time.Hour)
+	if hours < 8 {
+		m := int(d/time.Minute) % 60
+		if m == 0 {
+			return fmt.Sprintf("%dh", hours)
+		}
+		return fmt.Sprintf("%dh%dm", hours, m)
+	} else if hours < 48 {
+		return fmt.Sprintf("%dh", hours)
+	} else if hours < 24*8 {
+		h := hours % 24
+		if h == 0 {
+			return fmt.Sprintf("%dd", hours/24)
+		}
+		return fmt.Sprintf("%dd%dh", hours/24, h)
+	} else if hours < 24*365*2 {
+		return fmt.Sprintf("%dd", hours/24)
+	} else if hours < 24*365*8 {
+		dy := int(hours/24) % 365
+		if dy == 0 {
+			return fmt.Sprintf("%dy", hours/24/365)
+		}
+		return fmt.Sprintf("%dy%dd", hours/24/365, dy)
+	}
+	return fmt.Sprintf("%dy", int(hours/24/365))
+}
diff --git a/vendor/k8s.io/apimachinery/pkg/util/jsonmergepatch/patch.go b/vendor/k8s.io/apimachinery/pkg/util/jsonmergepatch/patch.go
new file mode 100644
index 0000000000..786c16e27a
--- /dev/null
+++ b/vendor/k8s.io/apimachinery/pkg/util/jsonmergepatch/patch.go
@@ -0,0 +1,160 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package jsonmergepatch
+
+import (
+	"fmt"
+	"reflect"
+
+	"gopkg.in/evanphx/json-patch.v4"
+	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/apimachinery/pkg/util/mergepatch"
+)
+
+// Create a 3-way merge patch based-on JSON merge patch.
+// Calculate addition-and-change patch between current and modified.
+// Calculate deletion patch between original and modified.
+func CreateThreeWayJSONMergePatch(original, modified, current []byte, fns ...mergepatch.PreconditionFunc) ([]byte, error) {
+	if len(original) == 0 {
+		original = []byte(`{}`)
+	}
+	if len(modified) == 0 {
+		modified = []byte(`{}`)
+	}
+	if len(current) == 0 {
+		current = []byte(`{}`)
+	}
+
+	addAndChangePatch, err := jsonpatch.CreateMergePatch(current, modified)
+	if err != nil {
+		return nil, err
+	}
+	// Only keep addition and changes
+	addAndChangePatch, addAndChangePatchObj, err := keepOrDeleteNullInJsonPatch(addAndChangePatch, false)
+	if err != nil {
+		return nil, err
+	}
+
+	deletePatch, err := jsonpatch.CreateMergePatch(original, modified)
+	if err != nil {
+		return nil, err
+	}
+	// Only keep deletion
+	deletePatch, deletePatchObj, err := keepOrDeleteNullInJsonPatch(deletePatch, true)
+	if err != nil {
+		return nil, err
+	}
+
+	hasConflicts, err := mergepatch.HasConflicts(addAndChangePatchObj, deletePatchObj)
+	if err != nil {
+		return nil, err
+	}
+	if hasConflicts {
+		return nil, mergepatch.NewErrConflict(mergepatch.ToYAMLOrError(addAndChangePatchObj), mergepatch.ToYAMLOrError(deletePatchObj))
+	}
+	patch, err := jsonpatch.MergePatch(deletePatch, addAndChangePatch)
+	if err != nil {
+		return nil, err
+	}
+
+	var patchMap map[string]interface{}
+	err = json.Unmarshal(patch, &patchMap)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal patch for precondition check: %s", patch)
+	}
+	meetPreconditions, err := meetPreconditions(patchMap, fns...)
+	if err != nil {
+		return nil, err
+	}
+	if !meetPreconditions {
+		return nil, mergepatch.NewErrPreconditionFailed(patchMap)
+	}
+
+	return patch, nil
+}
+
+// keepOrDeleteNullInJsonPatch takes a json-encoded byte array and a boolean.
+// It returns a filtered object and its corresponding json-encoded byte array.
+// It is a wrapper of func keepOrDeleteNullInObj
+func keepOrDeleteNullInJsonPatch(patch []byte, keepNull bool) ([]byte, map[string]interface{}, error) {
+	var patchMap map[string]interface{}
+	err := json.Unmarshal(patch, &patchMap)
+	if err != nil {
+		return nil, nil, err
+	}
+	filteredMap, err := keepOrDeleteNullInObj(patchMap, keepNull)
+	if err != nil {
+		return nil, nil, err
+	}
+	o, err := json.Marshal(filteredMap)
+	return o, filteredMap, err
+}
+
+// keepOrDeleteNullInObj will keep only the null value and delete all the others,
+// if keepNull is true. Otherwise, it will delete all the null value and keep the others.
+func keepOrDeleteNullInObj(m map[string]interface{}, keepNull bool) (map[string]interface{}, error) {
+	filteredMap := make(map[string]interface{})
+	var err error
+	for key, val := range m {
+		switch {
+		case keepNull && val == nil:
+			filteredMap[key] = nil
+		case val != nil:
+			switch typedVal := val.(type) {
+			case map[string]interface{}:
+				// Explicitly-set empty maps are treated as values instead of empty patches
+				if len(typedVal) == 0 {
+					if !keepNull {
+						filteredMap[key] = typedVal
+					}
+					continue
+				}
+
+				var filteredSubMap map[string]interface{}
+				filteredSubMap, err = keepOrDeleteNullInObj(typedVal, keepNull)
+				if err != nil {
+					return nil, err
+				}
+
+				// If the returned filtered submap was empty, this is an empty patch for the entire subdict, so the key
+				// should not be set
+				if len(filteredSubMap) != 0 {
+					filteredMap[key] = filteredSubMap
+				}
+
+			case []interface{}, string, float64, bool, int64, nil:
+				// Lists are always replaced in Json, no need to check each entry in the list.
+				if !keepNull {
+					filteredMap[key] = val
+				}
+			default:
+				return nil, fmt.Errorf("unknown type: %v", reflect.TypeOf(typedVal))
+			}
+		}
+	}
+	return filteredMap, nil
+}
+
+func meetPreconditions(patchObj map[string]interface{}, fns ...mergepatch.PreconditionFunc) (bool, error) {
+	// Apply the preconditions to the patch, and return an error if any of them fail.
+	for _, fn := range fns {
+		if !fn(patchObj) {
+			return false, fmt.Errorf("precondition failed for: %v", patchObj)
+		}
+	}
+	return true, nil
+}
diff --git a/vendor/k8s.io/apiserver/pkg/endpoints/deprecation/deprecation.go b/vendor/k8s.io/apiserver/pkg/endpoints/deprecation/deprecation.go
new file mode 100644
index 0000000000..7f8986faea
--- /dev/null
+++ b/vendor/k8s.io/apiserver/pkg/endpoints/deprecation/deprecation.go
@@ -0,0 +1,134 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package deprecation
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/version"
+)
+
+type apiLifecycleDeprecated interface {
+	APILifecycleDeprecated() (major, minor int)
+}
+
+type apiLifecycleRemoved interface {
+	APILifecycleRemoved() (major, minor int)
+}
+
+type apiLifecycleReplacement interface {
+	APILifecycleReplacement() schema.GroupVersionKind
+}
+
+// extract all digits at the beginning of the string
+var leadingDigits = regexp.MustCompile(`^(\d+)`)
+
+// MajorMinor parses a numeric major/minor version from the provided version info.
+// The minor version drops all characters after the first non-digit character:
+//
+//	version.Info{Major:"1", Minor:"2+"} -> 1,2
+//	version.Info{Major:"1", Minor:"2.3-build4"} -> 1,2
+func MajorMinor(v version.Info) (int, int, error) {
+	major, err := strconv.Atoi(v.Major)
+	if err != nil {
+		return 0, 0, err
+	}
+	minor, err := strconv.Atoi(leadingDigits.FindString(v.Minor))
+	if err != nil {
+		return 0, 0, err
+	}
+	return major, minor, nil
+}
+
+// IsDeprecated returns true if obj implements APILifecycleDeprecated() and returns
+// a major/minor version that is non-zero and is <= the specified current major/minor version.
+func IsDeprecated(obj runtime.Object, currentMajor, currentMinor int) bool {
+	deprecated, isDeprecated := obj.(apiLifecycleDeprecated)
+	if !isDeprecated {
+		return false
+	}
+
+	deprecatedMajor, deprecatedMinor := deprecated.APILifecycleDeprecated()
+	// no deprecation version expressed
+	if deprecatedMajor == 0 && deprecatedMinor == 0 {
+		return false
+	}
+	// no current version info available
+	if currentMajor == 0 && currentMinor == 0 {
+		return true
+	}
+	// compare deprecation version to current version
+	if deprecatedMajor > currentMajor {
+		return false
+	}
+	if deprecatedMajor == currentMajor && deprecatedMinor > currentMinor {
+		return false
+	}
+	return true
+}
+
+// RemovedRelease returns the major/minor version in which the given object is unavailable (in the form "<major>.<minor>")
+// if the object implements APILifecycleRemoved() to indicate a non-zero removal version, and returns an empty string otherwise.
+func RemovedRelease(obj runtime.Object) string {
+	if removed, hasRemovalInfo := obj.(apiLifecycleRemoved); hasRemovalInfo {
+		removedMajor, removedMinor := removed.APILifecycleRemoved()
+		if removedMajor != 0 || removedMinor != 0 {
+			return fmt.Sprintf("%d.%d", removedMajor, removedMinor)
+		}
+	}
+	return ""
+}
+
+// WarningMessage returns a human-readable deprecation warning if the object implements APILifecycleDeprecated()
+// to indicate a non-zero deprecated major/minor version and has a populated GetObjectKind().GroupVersionKind().
+func WarningMessage(obj runtime.Object) string {
+	deprecated, isDeprecated := obj.(apiLifecycleDeprecated)
+	if !isDeprecated {
+		return ""
+	}
+
+	deprecatedMajor, deprecatedMinor := deprecated.APILifecycleDeprecated()
+	if deprecatedMajor == 0 && deprecatedMinor == 0 {
+		return ""
+	}
+
+	gvk := obj.GetObjectKind().GroupVersionKind()
+	if gvk.Empty() {
+		return ""
+	}
+	deprecationWarning := fmt.Sprintf("%s %s is deprecated in v%d.%d+", gvk.GroupVersion().String(), gvk.Kind, deprecatedMajor, deprecatedMinor)
+
+	if removed, hasRemovalInfo := obj.(apiLifecycleRemoved); hasRemovalInfo {
+		removedMajor, removedMinor := removed.APILifecycleRemoved()
+		if removedMajor != 0 || removedMinor != 0 {
+			deprecationWarning = deprecationWarning + fmt.Sprintf(", unavailable in v%d.%d+", removedMajor, removedMinor)
+		}
+	}
+
+	if replaced, hasReplacement := obj.(apiLifecycleReplacement); hasReplacement {
+		replacement := replaced.APILifecycleReplacement()
+		if !replacement.Empty() {
+			deprecationWarning = deprecationWarning + fmt.Sprintf("; use %s %s", replacement.GroupVersion().String(), replacement.Kind)
+		}
+	}
+
+	return deprecationWarning
+}
diff --git a/vendor/k8s.io/cli-runtime/LICENSE b/vendor/k8s.io/cli-runtime/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/builder_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/builder_flags.go
new file mode 100644
index 0000000000..8adb1d97d4
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/builder_flags.go
@@ -0,0 +1,228 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"github.com/spf13/pflag"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/utils/ptr"
+)
+
+// ResourceBuilderFlags are flags for finding resources
+// TODO(juanvallejo): wire --local flag from commands through
+type ResourceBuilderFlags struct {
+	FileNameFlags *FileNameFlags
+
+	LabelSelector *string
+	FieldSelector *string
+	AllNamespaces *bool
+	All           *bool
+	Local         *bool
+
+	Scheme           *runtime.Scheme
+	Latest           bool
+	StopOnFirstError bool
+}
+
+// NewResourceBuilderFlags returns a default ResourceBuilderFlags
+func NewResourceBuilderFlags() *ResourceBuilderFlags {
+	filenames := []string{}
+
+	return &ResourceBuilderFlags{
+		FileNameFlags: &FileNameFlags{
+			Usage:     "identifying the resource.",
+			Filenames: &filenames,
+			Recursive: ptr.To(true),
+		},
+	}
+}
+
+// WithFile sets the FileNameFlags.
+// If recurse is set, it will process directory recursively. Useful when you want to manage related manifests
+// organized within the same directory.
+func (o *ResourceBuilderFlags) WithFile(recurse bool, files ...string) *ResourceBuilderFlags {
+	o.FileNameFlags = &FileNameFlags{
+		Usage:     "identifying the resource.",
+		Filenames: &files,
+		Recursive: ptr.To(recurse),
+	}
+
+	return o
+}
+
+// WithLabelSelector sets the LabelSelector flag
+func (o *ResourceBuilderFlags) WithLabelSelector(selector string) *ResourceBuilderFlags {
+	o.LabelSelector = &selector
+	return o
+}
+
+// WithFieldSelector sets the FieldSelector flag
+func (o *ResourceBuilderFlags) WithFieldSelector(selector string) *ResourceBuilderFlags {
+	o.FieldSelector = &selector
+	return o
+}
+
+// WithAllNamespaces sets the AllNamespaces flag
+func (o *ResourceBuilderFlags) WithAllNamespaces(defaultVal bool) *ResourceBuilderFlags {
+	o.AllNamespaces = &defaultVal
+	return o
+}
+
+// WithAll sets the All flag
+func (o *ResourceBuilderFlags) WithAll(defaultVal bool) *ResourceBuilderFlags {
+	o.All = &defaultVal
+	return o
+}
+
+// WithLocal sets the Local flag
+func (o *ResourceBuilderFlags) WithLocal(defaultVal bool) *ResourceBuilderFlags {
+	o.Local = &defaultVal
+	return o
+}
+
+// WithScheme sets the Scheme flag
+func (o *ResourceBuilderFlags) WithScheme(scheme *runtime.Scheme) *ResourceBuilderFlags {
+	o.Scheme = scheme
+	return o
+}
+
+// WithLatest sets the Latest flag
+func (o *ResourceBuilderFlags) WithLatest() *ResourceBuilderFlags {
+	o.Latest = true
+	return o
+}
+
+// StopOnError sets the StopOnFirstError flag
+func (o *ResourceBuilderFlags) StopOnError() *ResourceBuilderFlags {
+	o.StopOnFirstError = true
+	return o
+}
+
+// AddFlags registers flags for finding resources
+func (o *ResourceBuilderFlags) AddFlags(flagset *pflag.FlagSet) {
+	o.FileNameFlags.AddFlags(flagset)
+
+	if o.LabelSelector != nil {
+		flagset.StringVarP(o.LabelSelector, "selector", "l", *o.LabelSelector, "Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)")
+	}
+	if o.FieldSelector != nil {
+		flagset.StringVar(o.FieldSelector, "field-selector", *o.FieldSelector, "Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type.")
+	}
+	if o.AllNamespaces != nil {
+		flagset.BoolVarP(o.AllNamespaces, "all-namespaces", "A", *o.AllNamespaces, "If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace.")
+	}
+	if o.All != nil {
+		flagset.BoolVar(o.All, "all", *o.All, "Select all resources in the namespace of the specified resource types")
+	}
+	if o.Local != nil {
+		flagset.BoolVar(o.Local, "local", *o.Local, "If true, annotation will NOT contact api-server but run locally.")
+	}
+}
+
+// ToBuilder gives you back a resource finder to visit resources that are located
+func (o *ResourceBuilderFlags) ToBuilder(restClientGetter RESTClientGetter, resources []string) ResourceFinder {
+	namespace, enforceNamespace, namespaceErr := restClientGetter.ToRawKubeConfigLoader().Namespace()
+
+	builder := resource.NewBuilder(restClientGetter).
+		NamespaceParam(namespace).DefaultNamespace()
+
+	if o.AllNamespaces != nil {
+		builder.AllNamespaces(*o.AllNamespaces)
+	}
+
+	if o.Scheme != nil {
+		builder.WithScheme(o.Scheme, o.Scheme.PrioritizedVersionsAllGroups()...)
+	} else {
+		builder.Unstructured()
+	}
+
+	if o.FileNameFlags != nil {
+		opts := o.FileNameFlags.ToOptions()
+		builder.FilenameParam(enforceNamespace, &opts)
+	}
+
+	if o.Local == nil || !*o.Local {
+		// resource type/name tuples only work non-local
+		if o.All != nil {
+			builder.ResourceTypeOrNameArgs(*o.All, resources...)
+		} else {
+			builder.ResourceTypeOrNameArgs(false, resources...)
+		}
+		// label selectors only work non-local (for now)
+		if o.LabelSelector != nil {
+			builder.LabelSelectorParam(*o.LabelSelector)
+		}
+		// field selectors only work non-local (forever)
+		if o.FieldSelector != nil {
+			builder.FieldSelectorParam(*o.FieldSelector)
+		}
+		// latest only works non-local (forever)
+		if o.Latest {
+			builder.Latest()
+		}
+
+	} else {
+		builder.Local()
+
+		if len(resources) > 0 {
+			builder.AddError(resource.LocalResourceError)
+		}
+	}
+
+	if !o.StopOnFirstError {
+		builder.ContinueOnError()
+	}
+
+	return &ResourceFindBuilderWrapper{
+		builder: builder.
+			Flatten(). // I think we're going to recommend this everywhere
+			AddError(namespaceErr),
+	}
+}
+
+// ResourceFindBuilderWrapper wraps a builder in an interface
+type ResourceFindBuilderWrapper struct {
+	builder *resource.Builder
+}
+
+// Do finds you resources to check
+func (b *ResourceFindBuilderWrapper) Do() resource.Visitor {
+	return b.builder.Do()
+}
+
+// ResourceFinder allows mocking the resource builder
+// TODO resource builders needs to become more interfacey
+type ResourceFinder interface {
+	Do() resource.Visitor
+}
+
+// ResourceFinderFunc is a handy way to make a  ResourceFinder
+type ResourceFinderFunc func() resource.Visitor
+
+// Do implements ResourceFinder
+func (fn ResourceFinderFunc) Do() resource.Visitor {
+	return fn()
+}
+
+// ResourceFinderForResult skins a visitor for re-use as a ResourceFinder
+func ResourceFinderForResult(result resource.Visitor) ResourceFinder {
+	return ResourceFinderFunc(func() resource.Visitor {
+		return result
+	})
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/builder_flags_fake.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/builder_flags_fake.go
new file mode 100644
index 0000000000..adc496feb8
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/builder_flags_fake.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"k8s.io/cli-runtime/pkg/resource"
+)
+
+// NewSimpleFakeResourceFinder builds a super simple ResourceFinder that just iterates over the objects you provided
+func NewSimpleFakeResourceFinder(infos ...*resource.Info) *FakeResourceFinder {
+	return &FakeResourceFinder{
+		Infos: infos,
+	}
+}
+
+func (f *FakeResourceFinder) WithError(err error) *FakeResourceFinder {
+	f.err = err
+	return f
+}
+
+type FakeResourceFinder struct {
+	Infos []*resource.Info
+	err   error
+}
+
+// Do implements the interface
+func (f *FakeResourceFinder) Do() resource.Visitor {
+	return &fakeResourceResult{
+		Infos: f.Infos,
+		err:   f.err,
+	}
+}
+
+type fakeResourceResult struct {
+	Infos []*resource.Info
+	err   error
+}
+
+// Visit just iterates over info
+func (r *fakeResourceResult) Visit(fn resource.VisitorFunc) error {
+	if r.err != nil {
+		return r.err
+	}
+	for _, info := range r.Infos {
+		err := fn(info, nil)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/client_config.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/client_config.go
new file mode 100644
index 0000000000..0e22d71407
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/client_config.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+var (
+	// ErrEmptyConfig is the error message to be displayed if the configuration info is missing or incomplete
+	ErrEmptyConfig = clientcmd.NewEmptyConfigError(`Missing or incomplete configuration info.  Please point to an existing, complete config file:
+
+
+  1. Via the command-line flag --kubeconfig
+  2. Via the KUBECONFIG environment variable
+  3. In your home directory as ~/.kube/config
+
+To view or setup config directly use the 'config' command.`)
+)
+
+var _ = clientcmd.ClientConfig(&clientConfig{})
+
+type clientConfig struct {
+	defaultClientConfig clientcmd.ClientConfig
+}
+
+func (c *clientConfig) RawConfig() (clientcmdapi.Config, error) {
+	config, err := c.defaultClientConfig.RawConfig()
+	// replace client-go's ErrEmptyConfig error with our custom, more verbose version
+	if clientcmd.IsEmptyConfig(err) {
+		return config, ErrEmptyConfig
+	}
+	return config, err
+}
+
+func (c *clientConfig) ClientConfig() (*restclient.Config, error) {
+	config, err := c.defaultClientConfig.ClientConfig()
+	// replace client-go's ErrEmptyConfig error with our custom, more verbose version
+	if clientcmd.IsEmptyConfig(err) {
+		return config, ErrEmptyConfig
+	}
+	return config, err
+}
+
+func (c *clientConfig) Namespace() (string, bool, error) {
+	namespace, ok, err := c.defaultClientConfig.Namespace()
+	// replace client-go's ErrEmptyConfig error with our custom, more verbose version
+	if clientcmd.IsEmptyConfig(err) {
+		return namespace, ok, ErrEmptyConfig
+	}
+	return namespace, ok, err
+}
+
+func (c *clientConfig) ConfigAccess() clientcmd.ConfigAccess {
+	return c.defaultClientConfig.ConfigAccess()
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/command_headers.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/command_headers.go
new file mode 100644
index 0000000000..04712fb497
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/command_headers.go
@@ -0,0 +1,109 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"net/http"
+	"strings"
+	"sync/atomic"
+
+	"github.com/google/uuid"
+	"github.com/spf13/cobra"
+)
+
+const (
+	kubectlCommandHeader = "Kubectl-Command"
+	kubectlSessionHeader = "Kubectl-Session"
+)
+
+// CommandHeaderRoundTripper adds a layer around the standard
+// round tripper to add Request headers before delegation. Implements
+// the go standard library "http.RoundTripper" interface.
+type CommandHeaderRoundTripper struct {
+	Delegate    http.RoundTripper
+	Headers     map[string]string
+	SkipHeaders *atomic.Bool
+}
+
+// CommandHeaderRoundTripper adds Request headers before delegating to standard
+// round tripper. These headers are kubectl command headers which
+// detail the kubectl command. See SIG CLI KEP 859:
+//
+//	https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/859-kubectl-headers
+func (c *CommandHeaderRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if c.shouldSkipHeaders() {
+		return c.Delegate.RoundTrip(req)
+	}
+
+	for header, value := range c.Headers {
+		req.Header.Set(header, value)
+	}
+
+	return c.Delegate.RoundTrip(req)
+}
+
+// ParseCommandHeaders fills in a map of custom headers into the CommandHeaderRoundTripper. These
+// headers are then filled into each request. For details on the custom headers see:
+//
+//	https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/859-kubectl-headers
+//
+// Each call overwrites the previously parsed command headers (not additive).
+// TODO(seans3): Parse/add flags removing PII from flag values.
+func (c *CommandHeaderRoundTripper) ParseCommandHeaders(cmd *cobra.Command, args []string) {
+	if cmd == nil {
+		return
+	}
+	// Overwrites previously parsed command headers (headers not additive).
+	c.Headers = map[string]string{}
+	// Session identifier to aggregate multiple Requests from single kubectl command.
+	uid := uuid.New().String()
+	c.Headers[kubectlSessionHeader] = uid
+	// Iterate up the hierarchy of commands from the leaf command to create
+	// the full command string. Example: kubectl create secret generic
+	cmdStrs := []string{}
+	for cmd.HasParent() {
+		parent := cmd.Parent()
+		currName := strings.TrimSpace(cmd.Name())
+		cmdStrs = append([]string{currName}, cmdStrs...)
+		cmd = parent
+	}
+	currName := strings.TrimSpace(cmd.Name())
+	cmdStrs = append([]string{currName}, cmdStrs...)
+	if len(cmdStrs) > 0 {
+		c.Headers[kubectlCommandHeader] = strings.Join(cmdStrs, " ")
+	}
+}
+
+// CancelRequest is propagated to the Delegate RoundTripper within
+// if the wrapped RoundTripper implements this function.
+func (c *CommandHeaderRoundTripper) CancelRequest(req *http.Request) {
+	type canceler interface {
+		CancelRequest(*http.Request)
+	}
+	// If possible, call "CancelRequest" on the wrapped Delegate RoundTripper.
+	if cr, ok := c.Delegate.(canceler); ok {
+		cr.CancelRequest(req)
+	}
+}
+
+func (c *CommandHeaderRoundTripper) shouldSkipHeaders() bool {
+	if c.SkipHeaders == nil {
+		return false
+	}
+
+	return c.SkipHeaders.Load()
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/config_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/config_flags.go
new file mode 100644
index 0000000000..350c7beedc
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/config_flags.go
@@ -0,0 +1,514 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+	"k8s.io/cli-runtime/pkg/printers"
+	"k8s.io/client-go/discovery"
+	diskcached "k8s.io/client-go/discovery/cached/disk"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/util/homedir"
+	"k8s.io/utils/ptr"
+)
+
+const (
+	flagClusterName          = "cluster"
+	flagAuthInfoName         = "user"
+	flagContext              = "context"
+	flagNamespace            = "namespace"
+	flagAPIServer            = "server"
+	flagTLSServerName        = "tls-server-name"
+	flagInsecure             = "insecure-skip-tls-verify"
+	flagCertFile             = "client-certificate"
+	flagKeyFile              = "client-key"
+	flagCAFile               = "certificate-authority"
+	flagBearerToken          = "token"
+	flagImpersonate          = "as"
+	flagImpersonateUID       = "as-uid"
+	flagImpersonateGroup     = "as-group"
+	flagImpersonateUserExtra = "as-user-extra"
+	flagUsername             = "username"
+	flagPassword             = "password"
+	flagTimeout              = "request-timeout"
+	flagCacheDir             = "cache-dir"
+	flagDisableCompression   = "disable-compression"
+)
+
+// RESTClientGetter is an interface that the ConfigFlags describe to provide an easier way to mock for commands
+// and eliminate the direct coupling to a struct type.  Users may wish to duplicate this type in their own packages
+// as per the golang type overlapping.
+type RESTClientGetter interface {
+	// ToRESTConfig returns restconfig
+	ToRESTConfig() (*rest.Config, error)
+	// ToDiscoveryClient returns discovery client
+	ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error)
+	// ToRESTMapper returns a restmapper
+	ToRESTMapper() (meta.RESTMapper, error)
+	// ToRawKubeConfigLoader return kubeconfig loader as-is
+	ToRawKubeConfigLoader() clientcmd.ClientConfig
+}
+
+var _ RESTClientGetter = &ConfigFlags{}
+
+// ConfigFlags composes the set of values necessary
+// for obtaining a REST client config
+type ConfigFlags struct {
+	CacheDir   *string
+	KubeConfig *string
+
+	// config flags
+	ClusterName          *string
+	AuthInfoName         *string
+	Context              *string
+	Namespace            *string
+	APIServer            *string
+	TLSServerName        *string
+	Insecure             *bool
+	CertFile             *string
+	KeyFile              *string
+	CAFile               *string
+	BearerToken          *string
+	Impersonate          *string
+	ImpersonateUID       *string
+	ImpersonateGroup     *[]string
+	ImpersonateUserExtra *[]string
+	Username             *string
+	Password             *string
+	Timeout              *string
+	DisableCompression   *bool
+	// If non-nil, wrap config function can transform the Config
+	// before it is returned in ToRESTConfig function.
+	WrapConfigFn func(*rest.Config) *rest.Config
+
+	clientConfig     clientcmd.ClientConfig
+	clientConfigLock sync.Mutex
+
+	restMapper     meta.RESTMapper
+	restMapperLock sync.Mutex
+
+	discoveryClient     discovery.CachedDiscoveryInterface
+	discoveryClientLock sync.Mutex
+
+	// If set to true, will use persistent client config, rest mapper, discovery client, and
+	// propagate them to the places that need them, rather than
+	// instantiating them multiple times.
+	usePersistentConfig bool
+	// Allows increasing burst used for discovery, this is useful
+	// in clusters with many registered resources
+	discoveryBurst int
+	// Allows increasing qps used for discovery, this is useful
+	// in clusters with many registered resources
+	discoveryQPS float32
+	// Allows all possible warnings are printed in a standardized
+	// format.
+	warningPrinter *printers.WarningPrinter
+}
+
+// ToRESTConfig implements RESTClientGetter.
+// Returns a REST client configuration based on a provided path
+// to a .kubeconfig file, loading rules, and config flag overrides.
+// Expects the AddFlags method to have been called. If WrapConfigFn
+// is non-nil this function can transform config before return.
+func (f *ConfigFlags) ToRESTConfig() (*rest.Config, error) {
+	c, err := f.ToRawKubeConfigLoader().ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+	if f.WrapConfigFn != nil {
+		return f.WrapConfigFn(c), nil
+	}
+	return c, nil
+}
+
+// ToRawKubeConfigLoader binds config flag values to config overrides
+// Returns an interactive clientConfig if the password flag is enabled,
+// or a non-interactive clientConfig otherwise.
+func (f *ConfigFlags) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	if f.usePersistentConfig {
+		return f.toRawKubePersistentConfigLoader()
+	}
+	return f.toRawKubeConfigLoader()
+}
+
+func (f *ConfigFlags) toRawKubeConfigLoader() clientcmd.ClientConfig {
+	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+	// use the standard defaults for this client command
+	// DEPRECATED: remove and replace with something more accurate
+	loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig
+
+	if f.KubeConfig != nil {
+		loadingRules.ExplicitPath = *f.KubeConfig
+	}
+
+	overrides := &clientcmd.ConfigOverrides{ClusterDefaults: clientcmd.ClusterDefaults}
+
+	// bind auth info flag values to overrides
+	if f.CertFile != nil {
+		overrides.AuthInfo.ClientCertificate = *f.CertFile
+		overrides.AuthInfo.ClientCertificateData = nil
+	}
+	if f.KeyFile != nil {
+		overrides.AuthInfo.ClientKey = *f.KeyFile
+		overrides.AuthInfo.ClientKeyData = nil
+	}
+	if f.BearerToken != nil {
+		overrides.AuthInfo.Token = *f.BearerToken
+		overrides.AuthInfo.TokenFile = ""
+	}
+	if f.Impersonate != nil {
+		overrides.AuthInfo.Impersonate = *f.Impersonate
+	}
+	if f.ImpersonateUserExtra != nil && len(*f.ImpersonateUserExtra) > 0 {
+		userExtras := make(map[string][]string)
+		for _, extra := range *f.ImpersonateUserExtra {
+			parts := strings.SplitN(extra, "=", 2)
+			if len(parts) != 2 {
+				continue
+			}
+			key := parts[0]
+			value := parts[1]
+			userExtras[key] = append(userExtras[key], value)
+		}
+		overrides.AuthInfo.ImpersonateUserExtra = userExtras
+	}
+	if f.ImpersonateUID != nil {
+		overrides.AuthInfo.ImpersonateUID = *f.ImpersonateUID
+	}
+	if f.ImpersonateGroup != nil {
+		overrides.AuthInfo.ImpersonateGroups = *f.ImpersonateGroup
+	}
+	if f.Username != nil {
+		overrides.AuthInfo.Username = *f.Username
+	}
+	if f.Password != nil {
+		overrides.AuthInfo.Password = *f.Password
+	}
+
+	// bind cluster flags
+	if f.APIServer != nil {
+		overrides.ClusterInfo.Server = *f.APIServer
+	}
+	if f.TLSServerName != nil {
+		overrides.ClusterInfo.TLSServerName = *f.TLSServerName
+	}
+	if f.CAFile != nil {
+		overrides.ClusterInfo.CertificateAuthority = *f.CAFile
+	}
+	if f.Insecure != nil {
+		overrides.ClusterInfo.InsecureSkipTLSVerify = *f.Insecure
+	}
+	if f.DisableCompression != nil {
+		overrides.ClusterInfo.DisableCompression = *f.DisableCompression
+	}
+
+	// bind context flags
+	if f.Context != nil {
+		overrides.CurrentContext = *f.Context
+	}
+	if f.ClusterName != nil {
+		overrides.Context.Cluster = *f.ClusterName
+	}
+	if f.AuthInfoName != nil {
+		overrides.Context.AuthInfo = *f.AuthInfoName
+	}
+	if f.Namespace != nil {
+		overrides.Context.Namespace = *f.Namespace
+	}
+
+	if f.Timeout != nil {
+		overrides.Timeout = *f.Timeout
+	}
+
+	// we only have an interactive prompt when a password is allowed
+	if f.Password == nil {
+		return &clientConfig{clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, overrides)}
+	}
+	return &clientConfig{clientcmd.NewInteractiveDeferredLoadingClientConfig(loadingRules, overrides, os.Stdin)}
+}
+
+// toRawKubePersistentConfigLoader binds config flag values to config overrides
+// Returns a persistent clientConfig for propagation.
+func (f *ConfigFlags) toRawKubePersistentConfigLoader() clientcmd.ClientConfig {
+	f.clientConfigLock.Lock()
+	defer f.clientConfigLock.Unlock()
+
+	if f.clientConfig == nil {
+		f.clientConfig = f.toRawKubeConfigLoader()
+	}
+
+	return f.clientConfig
+}
+
+// ToDiscoveryClient implements RESTClientGetter.
+// Expects the AddFlags method to have been called.
+// Returns a CachedDiscoveryInterface using a computed RESTConfig.
+func (f *ConfigFlags) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	if f.usePersistentConfig {
+		return f.toPersistentDiscoveryClient()
+	}
+	return f.toDiscoveryClient()
+}
+
+func (f *ConfigFlags) toPersistentDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	f.discoveryClientLock.Lock()
+	defer f.discoveryClientLock.Unlock()
+
+	if f.discoveryClient == nil {
+		discoveryClient, err := f.toDiscoveryClient()
+		if err != nil {
+			return nil, err
+		}
+		f.discoveryClient = discoveryClient
+	}
+	return f.discoveryClient, nil
+}
+
+func (f *ConfigFlags) toDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	config, err := f.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	config.Burst = f.discoveryBurst
+	config.QPS = f.discoveryQPS
+
+	cacheDir := getDefaultCacheDir()
+
+	// retrieve a user-provided value for the "cache-dir"
+	// override httpCacheDir and discoveryCacheDir if user-value is given.
+	// user-provided value has higher precedence than default
+	// and KUBECACHEDIR environment variable.
+	if f.CacheDir != nil && *f.CacheDir != "" && *f.CacheDir != getDefaultCacheDir() {
+		cacheDir = *f.CacheDir
+	}
+
+	httpCacheDir := filepath.Join(cacheDir, "http")
+	discoveryCacheDir := computeDiscoverCacheDir(filepath.Join(cacheDir, "discovery"), config.Host)
+
+	return diskcached.NewCachedDiscoveryClientForConfig(config, discoveryCacheDir, httpCacheDir, time.Duration(6*time.Hour))
+}
+
+// getDefaultCacheDir returns default caching directory path.
+// it first looks at KUBECACHEDIR env var if it is set, otherwise
+// it returns standard kube cache dir.
+func getDefaultCacheDir() string {
+	if kcd := os.Getenv("KUBECACHEDIR"); kcd != "" {
+		return kcd
+	}
+
+	return filepath.Join(homedir.HomeDir(), ".kube", "cache")
+}
+
+// ToRESTMapper returns a mapper.
+func (f *ConfigFlags) ToRESTMapper() (meta.RESTMapper, error) {
+	if f.usePersistentConfig {
+		return f.toPersistentRESTMapper()
+	}
+	return f.toRESTMapper()
+}
+
+func (f *ConfigFlags) toPersistentRESTMapper() (meta.RESTMapper, error) {
+	f.restMapperLock.Lock()
+	defer f.restMapperLock.Unlock()
+
+	if f.restMapper == nil {
+		restMapper, err := f.toRESTMapper()
+		if err != nil {
+			return nil, err
+		}
+		f.restMapper = restMapper
+	}
+	return f.restMapper, nil
+}
+
+func (f *ConfigFlags) toRESTMapper() (meta.RESTMapper, error) {
+	discoveryClient, err := f.ToDiscoveryClient()
+	if err != nil {
+		return nil, err
+	}
+
+	mapper := restmapper.NewDeferredDiscoveryRESTMapper(discoveryClient)
+	expander := restmapper.NewShortcutExpander(mapper, discoveryClient, func(a string) {
+		if f.warningPrinter != nil {
+			f.warningPrinter.Print(a)
+		}
+	})
+	return expander, nil
+}
+
+// AddFlags binds client configuration flags to a given flagset
+func (f *ConfigFlags) AddFlags(flags *pflag.FlagSet) {
+	if f.KubeConfig != nil {
+		flags.StringVar(f.KubeConfig, "kubeconfig", *f.KubeConfig, "Path to the kubeconfig file to use for CLI requests.")
+	}
+	if f.CacheDir != nil {
+		flags.StringVar(f.CacheDir, flagCacheDir, *f.CacheDir, "Default cache directory")
+	}
+
+	// add config options
+	if f.CertFile != nil {
+		flags.StringVar(f.CertFile, flagCertFile, *f.CertFile, "Path to a client certificate file for TLS")
+	}
+	if f.KeyFile != nil {
+		flags.StringVar(f.KeyFile, flagKeyFile, *f.KeyFile, "Path to a client key file for TLS")
+	}
+	if f.BearerToken != nil {
+		flags.StringVar(f.BearerToken, flagBearerToken, *f.BearerToken, "Bearer token for authentication to the API server")
+	}
+	if f.Impersonate != nil {
+		flags.StringVar(f.Impersonate, flagImpersonate, *f.Impersonate, "Username to impersonate for the operation. User could be a regular user or a service account in a namespace.")
+	}
+	if f.ImpersonateUID != nil {
+		flags.StringVar(f.ImpersonateUID, flagImpersonateUID, *f.ImpersonateUID, "UID to impersonate for the operation.")
+	}
+	if f.ImpersonateGroup != nil {
+		flags.StringArrayVar(f.ImpersonateGroup, flagImpersonateGroup, *f.ImpersonateGroup, "Group to impersonate for the operation, this flag can be repeated to specify multiple groups.")
+	}
+	if f.ImpersonateUserExtra != nil {
+		flags.StringArrayVar(f.ImpersonateUserExtra, flagImpersonateUserExtra, *f.ImpersonateUserExtra, "User extras to impersonate for the operation, this flag can be repeated to specify multiple values for the same key.")
+	}
+	if f.Username != nil {
+		flags.StringVar(f.Username, flagUsername, *f.Username, "Username for basic authentication to the API server")
+	}
+	if f.Password != nil {
+		flags.StringVar(f.Password, flagPassword, *f.Password, "Password for basic authentication to the API server")
+	}
+	if f.ClusterName != nil {
+		flags.StringVar(f.ClusterName, flagClusterName, *f.ClusterName, "The name of the kubeconfig cluster to use")
+	}
+	if f.AuthInfoName != nil {
+		flags.StringVar(f.AuthInfoName, flagAuthInfoName, *f.AuthInfoName, "The name of the kubeconfig user to use")
+	}
+	if f.Namespace != nil {
+		flags.StringVarP(f.Namespace, flagNamespace, "n", *f.Namespace, "If present, the namespace scope for this CLI request")
+	}
+	if f.Context != nil {
+		flags.StringVar(f.Context, flagContext, *f.Context, "The name of the kubeconfig context to use")
+	}
+
+	if f.APIServer != nil {
+		flags.StringVarP(f.APIServer, flagAPIServer, "s", *f.APIServer, "The address and port of the Kubernetes API server")
+	}
+	if f.TLSServerName != nil {
+		flags.StringVar(f.TLSServerName, flagTLSServerName, *f.TLSServerName, "Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used")
+	}
+	if f.Insecure != nil {
+		flags.BoolVar(f.Insecure, flagInsecure, *f.Insecure, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	}
+	if f.CAFile != nil {
+		flags.StringVar(f.CAFile, flagCAFile, *f.CAFile, "Path to a cert file for the certificate authority")
+	}
+	if f.Timeout != nil {
+		flags.StringVar(f.Timeout, flagTimeout, *f.Timeout, "The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.")
+	}
+	if f.DisableCompression != nil {
+		flags.BoolVar(f.DisableCompression, flagDisableCompression, *f.DisableCompression, "If true, opt-out of response compression for all requests to the server")
+	}
+}
+
+// WithDeprecatedPasswordFlag enables the username and password config flags
+func (f *ConfigFlags) WithDeprecatedPasswordFlag() *ConfigFlags {
+	f.Username = ptr.To("")
+	f.Password = ptr.To("")
+	return f
+}
+
+// WithDiscoveryBurst sets the RESTClient burst for discovery.
+func (f *ConfigFlags) WithDiscoveryBurst(discoveryBurst int) *ConfigFlags {
+	f.discoveryBurst = discoveryBurst
+	return f
+}
+
+// WithDiscoveryQPS sets the RESTClient QPS for discovery.
+func (f *ConfigFlags) WithDiscoveryQPS(discoveryQPS float32) *ConfigFlags {
+	f.discoveryQPS = discoveryQPS
+	return f
+}
+
+// WithWrapConfigFn allows providing a wrapper function for the client Config.
+func (f *ConfigFlags) WithWrapConfigFn(wrapConfigFn func(*rest.Config) *rest.Config) *ConfigFlags {
+	f.WrapConfigFn = wrapConfigFn
+	return f
+}
+
+// WithWarningPrinter initializes WarningPrinter with the given IOStreams
+func (f *ConfigFlags) WithWarningPrinter(ioStreams genericiooptions.IOStreams) *ConfigFlags {
+	f.warningPrinter = printers.NewWarningPrinter(ioStreams.ErrOut, printers.WarningPrinterOptions{Color: printers.AllowsColorOutput(ioStreams.ErrOut)})
+	return f
+}
+
+// NewConfigFlags returns ConfigFlags with default values set
+func NewConfigFlags(usePersistentConfig bool) *ConfigFlags {
+	impersonateGroup := []string{}
+	impersonateUserExtra := []string{}
+	insecure := false
+	disableCompression := false
+
+	return &ConfigFlags{
+		Insecure:   &insecure,
+		Timeout:    ptr.To("0"),
+		KubeConfig: ptr.To(""),
+
+		CacheDir:             ptr.To(getDefaultCacheDir()),
+		ClusterName:          ptr.To(""),
+		AuthInfoName:         ptr.To(""),
+		Context:              ptr.To(""),
+		Namespace:            ptr.To(""),
+		APIServer:            ptr.To(""),
+		TLSServerName:        ptr.To(""),
+		CertFile:             ptr.To(""),
+		KeyFile:              ptr.To(""),
+		CAFile:               ptr.To(""),
+		BearerToken:          ptr.To(""),
+		Impersonate:          ptr.To(""),
+		ImpersonateUID:       ptr.To(""),
+		ImpersonateGroup:     &impersonateGroup,
+		ImpersonateUserExtra: &impersonateUserExtra,
+		DisableCompression:   &disableCompression,
+
+		usePersistentConfig: usePersistentConfig,
+		// The more groups you have, the more discovery requests you need to make.
+		// with a burst of 300, we will not be rate-limiting for most clusters but
+		// the safeguard will still be here. This config is only used for discovery.
+		discoveryBurst: 300,
+	}
+}
+
+// overlyCautiousIllegalFileCharacters matches characters that *might* not be supported.  Windows is really restrictive, so this is really restrictive
+var overlyCautiousIllegalFileCharacters = regexp.MustCompile(`[^(\w/.)]`)
+
+// computeDiscoverCacheDir takes the parentDir and the host and comes up with a "usually non-colliding" name.
+func computeDiscoverCacheDir(parentDir, host string) string {
+	// strip the optional scheme from host if its there:
+	schemelessHost := strings.Replace(strings.Replace(host, "https://", "", 1), "http://", "", 1)
+	// now do a simple collapse of non-AZ09 characters.  Collisions are possible but unlikely.  Even if we do collide the problem is short lived
+	safeHost := overlyCautiousIllegalFileCharacters.ReplaceAllString(schemelessHost, "_")
+	return filepath.Join(parentDir, safeHost)
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/config_flags_fake.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/config_flags_fake.go
new file mode 100644
index 0000000000..9bb5e28c94
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/config_flags_fake.go
@@ -0,0 +1,127 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+// TestConfigFlags contains clientConfig struct
+// and interfaces that implements RESTClientGetter
+type TestConfigFlags struct {
+	clientConfig    clientcmd.ClientConfig
+	discoveryClient discovery.CachedDiscoveryInterface
+	restMapper      meta.RESTMapper
+}
+
+// ToRawKubeConfigLoader implements RESTClientGetter
+// Returns a clientconfig if it's set
+func (f *TestConfigFlags) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	if f.clientConfig == nil {
+		panic("attempt to obtain a test RawKubeConfigLoader with no clientConfig specified")
+	}
+	return f.clientConfig
+}
+
+// ToRESTConfig implements RESTClientGetter.
+// Returns a REST client configuration based on a provided path
+// to a .kubeconfig file, loading rules, and config flag overrides.
+// Expects the AddFlags method to have been called.
+func (f *TestConfigFlags) ToRESTConfig() (*rest.Config, error) {
+	return f.ToRawKubeConfigLoader().ClientConfig()
+}
+
+// ToDiscoveryClient implements RESTClientGetter.
+// Returns a CachedDiscoveryInterface
+func (f *TestConfigFlags) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	return f.discoveryClient, nil
+}
+
+// ToRESTMapper implements RESTClientGetter.
+// Returns a mapper.
+func (f *TestConfigFlags) ToRESTMapper() (meta.RESTMapper, error) {
+	if f.restMapper != nil {
+		return f.restMapper, nil
+	}
+	if f.discoveryClient != nil {
+		mapper := restmapper.NewDeferredDiscoveryRESTMapper(f.discoveryClient)
+		expander := restmapper.NewShortcutExpander(mapper, f.discoveryClient, nil)
+		return expander, nil
+	}
+	return nil, fmt.Errorf("no restmapper")
+}
+
+// WithClientConfig sets the clientConfig flag
+func (f *TestConfigFlags) WithClientConfig(clientConfig clientcmd.ClientConfig) *TestConfigFlags {
+	f.clientConfig = clientConfig
+	return f
+}
+
+// WithRESTMapper sets the restMapper flag
+func (f *TestConfigFlags) WithRESTMapper(mapper meta.RESTMapper) *TestConfigFlags {
+	f.restMapper = mapper
+	return f
+}
+
+// WithDiscoveryClient sets the discoveryClient flag
+func (f *TestConfigFlags) WithDiscoveryClient(c discovery.CachedDiscoveryInterface) *TestConfigFlags {
+	f.discoveryClient = c
+	return f
+}
+
+// WithNamespace sets the clientConfig flag by modifying delagate and namespace
+func (f *TestConfigFlags) WithNamespace(ns string) *TestConfigFlags {
+	if f.clientConfig == nil {
+		panic("attempt to obtain a test RawKubeConfigLoader with no clientConfig specified")
+	}
+	f.clientConfig = &namespacedClientConfig{
+		delegate:  f.clientConfig,
+		namespace: ns,
+	}
+	return f
+}
+
+// NewTestConfigFlags builds a TestConfigFlags struct to test ConfigFlags
+func NewTestConfigFlags() *TestConfigFlags {
+	return &TestConfigFlags{}
+}
+
+type namespacedClientConfig struct {
+	delegate  clientcmd.ClientConfig
+	namespace string
+}
+
+func (c *namespacedClientConfig) Namespace() (string, bool, error) {
+	return c.namespace, len(c.namespace) > 0, nil
+}
+
+func (c *namespacedClientConfig) RawConfig() (clientcmdapi.Config, error) {
+	return c.delegate.RawConfig()
+}
+func (c *namespacedClientConfig) ClientConfig() (*rest.Config, error) {
+	return c.delegate.ClientConfig()
+}
+func (c *namespacedClientConfig) ConfigAccess() clientcmd.ConfigAccess {
+	return c.delegate.ConfigAccess()
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/doc.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/doc.go
new file mode 100644
index 0000000000..82c0783924
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package genericclioptions contains flags which can be added to your command, bound, completed, and produce
+// useful helper functions.  Nothing in this package can depend on kube/kube
+package genericclioptions
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/filename_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/filename_flags.go
new file mode 100644
index 0000000000..74259e4170
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/filename_flags.go
@@ -0,0 +1,82 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
+	"k8s.io/cli-runtime/pkg/resource"
+)
+
+// FileNameFlags are flags for processing files.
+// Usage of this struct by itself is discouraged.
+// These flags are composed by ResourceBuilderFlags
+// which should be used instead.
+type FileNameFlags struct {
+	Usage string
+
+	Filenames *[]string
+	Kustomize *string
+	Recursive *bool
+}
+
+// ToOptions creates a new FileNameOptions struct and sets FilenameOptions based on FileNameflags
+func (o *FileNameFlags) ToOptions() resource.FilenameOptions {
+	options := resource.FilenameOptions{}
+
+	if o == nil {
+		return options
+	}
+
+	if o.Recursive != nil {
+		options.Recursive = *o.Recursive
+	}
+	if o.Filenames != nil {
+		options.Filenames = *o.Filenames
+	}
+	if o.Kustomize != nil {
+		options.Kustomize = *o.Kustomize
+	}
+
+	return options
+}
+
+// AddFlags binds file name flags to a given flagset
+func (o *FileNameFlags) AddFlags(flags *pflag.FlagSet) {
+	if o == nil {
+		return
+	}
+
+	if o.Recursive != nil {
+		flags.BoolVarP(o.Recursive, "recursive", "R", *o.Recursive, "Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.")
+	}
+	if o.Filenames != nil {
+		flags.StringSliceVarP(o.Filenames, "filename", "f", *o.Filenames, o.Usage)
+		annotations := make([]string, 0, len(resource.FileExtensions))
+		for _, ext := range resource.FileExtensions {
+			annotations = append(annotations, strings.TrimLeft(ext, "."))
+		}
+		flags.SetAnnotation("filename", cobra.BashCompFilenameExt, annotations)
+	}
+	if o.Kustomize != nil {
+		flags.StringVarP(o.Kustomize, "kustomize", "k", *o.Kustomize,
+			"Process a kustomization directory. This flag can't be used together with -f or -R.")
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/io_options.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/io_options.go
new file mode 100644
index 0000000000..b831351398
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/io_options.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"bytes"
+	"io"
+
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+)
+
+// IOStreams provides the standard names for iostreams.  This is useful for embedding and for unit testing.
+// Inconsistent and different names make it hard to read and review code
+// DEPRECATED: use genericiooptions.IOStreams
+type IOStreams = genericiooptions.IOStreams
+
+// NewTestIOStreams returns a valid IOStreams and in, out, errout buffers for unit tests
+// DEPRECATED: use genericiooptions.NewTestIOStreams
+func NewTestIOStreams() (genericiooptions.IOStreams, *bytes.Buffer, *bytes.Buffer, *bytes.Buffer) {
+	in := &bytes.Buffer{}
+	out := &bytes.Buffer{}
+	errOut := &bytes.Buffer{}
+
+	return IOStreams{
+		In:     in,
+		Out:    out,
+		ErrOut: errOut,
+	}, in, out, errOut
+}
+
+// NewTestIOStreamsDiscard returns a valid IOStreams that just discards
+// DEPRECATED: use genericiooptions.NewTestIOStreamsDiscard
+func NewTestIOStreamsDiscard() genericiooptions.IOStreams {
+	in := &bytes.Buffer{}
+	return IOStreams{
+		In:     in,
+		Out:    io.Discard,
+		ErrOut: io.Discard,
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/json_yaml_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/json_yaml_flags.go
new file mode 100644
index 0000000000..9828450967
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/json_yaml_flags.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"os"
+	"slices"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// AllowedFormats returns slice of string of allowed JSONYaml printing format
+func (f *JSONYamlPrintFlags) AllowedFormats() []string {
+	if f == nil {
+		return []string{}
+	}
+	formats := []string{"json", "yaml"}
+	// We can't use the cmdutil pkg directly because of import cycle.
+	if strings.ToLower(os.Getenv("KUBECTL_KYAML")) != "false" {
+		formats = append(formats, "kyaml")
+	}
+	return formats
+}
+
+// JSONYamlPrintFlags provides default flags necessary for json/yaml printing.
+// Given the following flag values, a printer can be requested that knows
+// how to handle printing based on these values.
+type JSONYamlPrintFlags struct {
+	ShowManagedFields bool
+}
+
+// ToPrinter receives an outputFormat and returns a printer capable of
+// handling --output=(yaml|json) printing.
+// Returns false if the specified outputFormat does not match a supported format.
+// Supported Format types can be found in pkg/printers/printers.go
+func (f *JSONYamlPrintFlags) ToPrinter(outputFormat string) (printers.ResourcePrinter, error) {
+	var printer printers.ResourcePrinter
+
+	outputFormat = strings.ToLower(outputFormat)
+
+	valid := f.AllowedFormats()
+	if !slices.Contains(valid, outputFormat) {
+		return nil, NoCompatiblePrinterError{OutputFormat: &outputFormat, AllowedFormats: valid}
+	}
+
+	switch outputFormat {
+	case "json":
+		printer = &printers.JSONPrinter{}
+	case "yaml":
+		printer = &printers.YAMLPrinter{}
+	case "kyaml":
+		printer = &printers.KYAMLPrinter{}
+	default:
+		return nil, NoCompatiblePrinterError{OutputFormat: &outputFormat, AllowedFormats: f.AllowedFormats()}
+	}
+
+	if !f.ShowManagedFields {
+		printer = &printers.OmitManagedFieldsPrinter{Delegate: printer}
+	}
+	return printer, nil
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to JSON or Yaml printing to it
+func (f *JSONYamlPrintFlags) AddFlags(c *cobra.Command) {
+	if f == nil {
+		return
+	}
+
+	c.Flags().BoolVar(&f.ShowManagedFields, "show-managed-fields", f.ShowManagedFields, "If true, keep the managedFields when printing objects in JSON or YAML format.")
+}
+
+// NewJSONYamlPrintFlags returns flags associated with
+// yaml or json printing, with default values set.
+func NewJSONYamlPrintFlags() *JSONYamlPrintFlags {
+	return &JSONYamlPrintFlags{}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/jsonpath_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/jsonpath_flags.go
new file mode 100644
index 0000000000..a3d86d7619
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/jsonpath_flags.go
@@ -0,0 +1,137 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// templates are logically optional for specifying a format.
+// this allows a user to specify a template format value
+// as --output=jsonpath=
+var jsonFormats = map[string]bool{
+	"jsonpath":         true,
+	"jsonpath-file":    true,
+	"jsonpath-as-json": true,
+}
+
+// JSONPathPrintFlags provides default flags necessary for template printing.
+// Given the following flag values, a printer can be requested that knows
+// how to handle printing based on these values.
+type JSONPathPrintFlags struct {
+	// indicates if it is OK to ignore missing keys for rendering
+	// an output template.
+	AllowMissingKeys *bool
+	TemplateArgument *string
+}
+
+// AllowedFormats returns slice of string of allowed JSONPath printing format
+func (f *JSONPathPrintFlags) AllowedFormats() []string {
+	formats := make([]string, 0, len(jsonFormats))
+	for format := range jsonFormats {
+		formats = append(formats, format)
+	}
+	sort.Strings(formats)
+	return formats
+}
+
+// ToPrinter receives an templateFormat and returns a printer capable of
+// handling --template format printing.
+// Returns false if the specified templateFormat does not match a template format.
+func (f *JSONPathPrintFlags) ToPrinter(templateFormat string) (printers.ResourcePrinter, error) {
+	if (f.TemplateArgument == nil || len(*f.TemplateArgument) == 0) && len(templateFormat) == 0 {
+		return nil, NoCompatiblePrinterError{Options: f, OutputFormat: &templateFormat}
+	}
+
+	templateValue := ""
+
+	if f.TemplateArgument == nil || len(*f.TemplateArgument) == 0 {
+		for format := range jsonFormats {
+			format = format + "="
+			if strings.HasPrefix(templateFormat, format) {
+				templateValue = templateFormat[len(format):]
+				templateFormat = format[:len(format)-1]
+				break
+			}
+		}
+	} else {
+		templateValue = *f.TemplateArgument
+	}
+
+	if _, supportedFormat := jsonFormats[templateFormat]; !supportedFormat {
+		return nil, NoCompatiblePrinterError{OutputFormat: &templateFormat, AllowedFormats: f.AllowedFormats()}
+	}
+
+	if len(templateValue) == 0 {
+		return nil, fmt.Errorf("template format specified but no template given")
+	}
+
+	if templateFormat == "jsonpath-file" {
+		data, err := os.ReadFile(templateValue)
+		if err != nil {
+			return nil, fmt.Errorf("error reading --template %s, %v", templateValue, err)
+		}
+
+		templateValue = string(data)
+	}
+
+	p, err := printers.NewJSONPathPrinter(templateValue)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing jsonpath %s, %v", templateValue, err)
+	}
+
+	allowMissingKeys := true
+	if f.AllowMissingKeys != nil {
+		allowMissingKeys = *f.AllowMissingKeys
+	}
+
+	p.AllowMissingKeys(allowMissingKeys)
+
+	if templateFormat == "jsonpath-as-json" {
+		p.EnableJSONOutput(true)
+	}
+
+	return p, nil
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to template printing to it
+func (f *JSONPathPrintFlags) AddFlags(c *cobra.Command) {
+	if f.TemplateArgument != nil {
+		c.Flags().StringVar(f.TemplateArgument, "template", *f.TemplateArgument, "Template string or path to template file to use when --output=jsonpath, --output=jsonpath-file.")
+		c.MarkFlagFilename("template")
+	}
+	if f.AllowMissingKeys != nil {
+		c.Flags().BoolVar(f.AllowMissingKeys, "allow-missing-template-keys", *f.AllowMissingKeys, "If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.")
+	}
+}
+
+// NewJSONPathPrintFlags returns flags associated with
+// --template printing, with default values set.
+func NewJSONPathPrintFlags(templateValue string, allowMissingKeys bool) *JSONPathPrintFlags {
+	return &JSONPathPrintFlags{
+		TemplateArgument: &templateValue,
+		AllowMissingKeys: &allowMissingKeys,
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/kube_template_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/kube_template_flags.go
new file mode 100644
index 0000000000..518a20ac6b
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/kube_template_flags.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// KubeTemplatePrintFlags composes print flags that provide both a JSONPath and a go-template printer.
+// This is necessary if dealing with cases that require support both both printers, since both sets of flags
+// require overlapping flags.
+type KubeTemplatePrintFlags struct {
+	GoTemplatePrintFlags *GoTemplatePrintFlags
+	JSONPathPrintFlags   *JSONPathPrintFlags
+
+	AllowMissingKeys *bool
+	TemplateArgument *string
+}
+
+// AllowedFormats returns slice of string of allowed GoTemplete and JSONPathPrint printing formats
+func (f *KubeTemplatePrintFlags) AllowedFormats() []string {
+	if f == nil {
+		return []string{}
+	}
+	return append(f.GoTemplatePrintFlags.AllowedFormats(), f.JSONPathPrintFlags.AllowedFormats()...)
+}
+
+// ToPrinter receives an outputFormat and returns a printer capable of
+// handling --template printing.
+// Returns false if the specified outputFormat does not match a supported format.
+// Supported Format types can be found in pkg/printers/printers.go
+func (f *KubeTemplatePrintFlags) ToPrinter(outputFormat string) (printers.ResourcePrinter, error) {
+	if f == nil {
+		return nil, NoCompatiblePrinterError{}
+	}
+
+	if p, err := f.JSONPathPrintFlags.ToPrinter(outputFormat); !IsNoCompatiblePrinterError(err) {
+		return p, err
+	}
+	return f.GoTemplatePrintFlags.ToPrinter(outputFormat)
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to template printing to it
+func (f *KubeTemplatePrintFlags) AddFlags(c *cobra.Command) {
+	if f == nil {
+		return
+	}
+
+	if f.TemplateArgument != nil {
+		c.Flags().StringVar(f.TemplateArgument, "template", *f.TemplateArgument, "Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].")
+		c.MarkFlagFilename("template")
+	}
+	if f.AllowMissingKeys != nil {
+		c.Flags().BoolVar(f.AllowMissingKeys, "allow-missing-template-keys", *f.AllowMissingKeys, "If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.")
+	}
+}
+
+// NewKubeTemplatePrintFlags returns flags associated with
+// --template printing, with default values set.
+func NewKubeTemplatePrintFlags() *KubeTemplatePrintFlags {
+	allowMissingKeysPtr := true
+	templateArgPtr := ""
+
+	return &KubeTemplatePrintFlags{
+		GoTemplatePrintFlags: &GoTemplatePrintFlags{
+			TemplateArgument: &templateArgPtr,
+			AllowMissingKeys: &allowMissingKeysPtr,
+		},
+		JSONPathPrintFlags: &JSONPathPrintFlags{
+			TemplateArgument: &templateArgPtr,
+			AllowMissingKeys: &allowMissingKeysPtr,
+		},
+
+		TemplateArgument: &templateArgPtr,
+		AllowMissingKeys: &allowMissingKeysPtr,
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/name_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/name_flags.go
new file mode 100644
index 0000000000..16bf422656
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/name_flags.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// NamePrintFlags provides default flags necessary for printing
+// a resource's fully-qualified Kind.group/name, or a successful
+// message about that resource if an Operation is provided.
+type NamePrintFlags struct {
+	// Operation describes the name of the action that
+	// took place on an object, to be included in the
+	// finalized "successful" message.
+	Operation string
+}
+
+// Complete sets NamePrintFlags operation flag from successTemplate
+func (f *NamePrintFlags) Complete(successTemplate string) error {
+	f.Operation = fmt.Sprintf(successTemplate, f.Operation)
+	return nil
+}
+
+// AllowedFormats returns slice of string of allowed Name printing format
+func (f *NamePrintFlags) AllowedFormats() []string {
+	if f == nil {
+		return []string{}
+	}
+	return []string{"name"}
+}
+
+// ToPrinter receives an outputFormat and returns a printer capable of
+// handling --output=name printing.
+// Returns false if the specified outputFormat does not match a supported format.
+// Supported format types can be found in pkg/printers/printers.go
+func (f *NamePrintFlags) ToPrinter(outputFormat string) (printers.ResourcePrinter, error) {
+	namePrinter := &printers.NamePrinter{
+		Operation: f.Operation,
+	}
+
+	outputFormat = strings.ToLower(outputFormat)
+	switch outputFormat {
+	case "name":
+		namePrinter.ShortOutput = true
+		fallthrough
+	case "":
+		return namePrinter, nil
+	default:
+		return nil, NoCompatiblePrinterError{OutputFormat: &outputFormat, AllowedFormats: f.AllowedFormats()}
+	}
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to name printing to it
+func (f *NamePrintFlags) AddFlags(c *cobra.Command) {}
+
+// NewNamePrintFlags returns flags associated with
+// --name printing, with default values set.
+func NewNamePrintFlags(operation string) *NamePrintFlags {
+	return &NamePrintFlags{
+		Operation: operation,
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/print_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/print_flags.go
new file mode 100644
index 0000000000..815f19bbda
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/print_flags.go
@@ -0,0 +1,171 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// NoCompatiblePrinterError is a struct that contains error information.
+// It will be constructed when a invalid printing format is provided
+type NoCompatiblePrinterError struct {
+	OutputFormat   *string
+	AllowedFormats []string
+	Options        interface{}
+}
+
+func (e NoCompatiblePrinterError) Error() string {
+	output := ""
+	if e.OutputFormat != nil {
+		output = *e.OutputFormat
+	}
+
+	sort.Strings(e.AllowedFormats)
+	return fmt.Sprintf("unable to match a printer suitable for the output format %q, allowed formats are: %s", output, strings.Join(e.AllowedFormats, ","))
+}
+
+// IsNoCompatiblePrinterError returns true if it is a not a compatible printer
+// otherwise it will return false
+func IsNoCompatiblePrinterError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	_, ok := err.(NoCompatiblePrinterError)
+	return ok
+}
+
+// PrintFlags composes common printer flag structs
+// used across all commands, and provides a method
+// of retrieving a known printer based on flag values provided.
+type PrintFlags struct {
+	JSONYamlPrintFlags   *JSONYamlPrintFlags
+	NamePrintFlags       *NamePrintFlags
+	TemplatePrinterFlags *KubeTemplatePrintFlags
+
+	TypeSetterPrinter *printers.TypeSetterPrinter
+
+	OutputFormat *string
+
+	// OutputFlagSpecified indicates whether the user specifically requested a certain kind of output.
+	// Using this function allows a sophisticated caller to change the flag binding logic if they so desire.
+	OutputFlagSpecified func() bool
+}
+
+// Complete sets NamePrintFlags operation flag from successTemplate
+func (f *PrintFlags) Complete(successTemplate string) error {
+	return f.NamePrintFlags.Complete(successTemplate)
+}
+
+// AllowedFormats returns slice of string of allowed JSONYaml/Name/Template printing format
+func (f *PrintFlags) AllowedFormats() []string {
+	ret := []string{}
+	ret = append(ret, f.JSONYamlPrintFlags.AllowedFormats()...)
+	ret = append(ret, f.NamePrintFlags.AllowedFormats()...)
+	ret = append(ret, f.TemplatePrinterFlags.AllowedFormats()...)
+	return ret
+}
+
+// ToPrinter returns a printer capable of
+// handling --output or --template printing.
+// Returns false if the specified outputFormat does not match a supported format.
+// Supported format types can be found in pkg/printers/printers.go
+func (f *PrintFlags) ToPrinter() (printers.ResourcePrinter, error) {
+	outputFormat := ""
+	if f.OutputFormat != nil {
+		outputFormat = *f.OutputFormat
+	}
+	// For backwards compatibility we want to support a --template argument given, even when no --output format is provided.
+	// If no explicit output format has been provided via the --output flag, fallback
+	// to honoring the --template argument.
+	templateFlagSpecified := f.TemplatePrinterFlags != nil &&
+		f.TemplatePrinterFlags.TemplateArgument != nil &&
+		len(*f.TemplatePrinterFlags.TemplateArgument) > 0
+	outputFlagSpecified := f.OutputFlagSpecified != nil && f.OutputFlagSpecified()
+	if templateFlagSpecified && !outputFlagSpecified {
+		outputFormat = "go-template"
+	}
+
+	if f.JSONYamlPrintFlags != nil {
+		if p, err := f.JSONYamlPrintFlags.ToPrinter(outputFormat); !IsNoCompatiblePrinterError(err) {
+			return f.TypeSetterPrinter.WrapToPrinter(p, err)
+		}
+	}
+
+	if f.NamePrintFlags != nil {
+		if p, err := f.NamePrintFlags.ToPrinter(outputFormat); !IsNoCompatiblePrinterError(err) {
+			return f.TypeSetterPrinter.WrapToPrinter(p, err)
+		}
+	}
+
+	if f.TemplatePrinterFlags != nil {
+		if p, err := f.TemplatePrinterFlags.ToPrinter(outputFormat); !IsNoCompatiblePrinterError(err) {
+			return f.TypeSetterPrinter.WrapToPrinter(p, err)
+		}
+	}
+
+	return nil, NoCompatiblePrinterError{OutputFormat: f.OutputFormat, AllowedFormats: f.AllowedFormats()}
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to JSON/Yaml/Name/Template printing to it
+func (f *PrintFlags) AddFlags(cmd *cobra.Command) {
+	f.JSONYamlPrintFlags.AddFlags(cmd)
+	f.NamePrintFlags.AddFlags(cmd)
+	f.TemplatePrinterFlags.AddFlags(cmd)
+
+	if f.OutputFormat != nil {
+		cmd.Flags().StringVarP(f.OutputFormat, "output", "o", *f.OutputFormat, fmt.Sprintf(`Output format. One of: (%s).`, strings.Join(f.AllowedFormats(), ", ")))
+		if f.OutputFlagSpecified == nil {
+			f.OutputFlagSpecified = func() bool {
+				return cmd.Flag("output").Changed
+			}
+		}
+	}
+}
+
+// WithDefaultOutput sets a default output format if one is not provided through a flag value
+func (f *PrintFlags) WithDefaultOutput(output string) *PrintFlags {
+	f.OutputFormat = &output
+	return f
+}
+
+// WithTypeSetter sets a wrapper than will surround the returned printer with a printer to type resources
+func (f *PrintFlags) WithTypeSetter(scheme *runtime.Scheme) *PrintFlags {
+	f.TypeSetterPrinter = printers.NewTypeSetter(scheme)
+	return f
+}
+
+// NewPrintFlags returns a default *PrintFlags
+func NewPrintFlags(operation string) *PrintFlags {
+	outputFormat := ""
+
+	return &PrintFlags{
+		OutputFormat: &outputFormat,
+
+		JSONYamlPrintFlags:   NewJSONYamlPrintFlags(),
+		NamePrintFlags:       NewNamePrintFlags(operation),
+		TemplatePrinterFlags: NewKubeTemplatePrintFlags(),
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/record_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/record_flags.go
new file mode 100644
index 0000000000..e3cee34733
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/record_flags.go
@@ -0,0 +1,201 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/json"
+)
+
+// ChangeCauseAnnotation is the annotation indicating a guess at "why" something was changed
+const ChangeCauseAnnotation = "kubernetes.io/change-cause"
+
+// RecordFlags contains all flags associated with the "--record" operation
+type RecordFlags struct {
+	// Record indicates the state of the recording flag.  It is a pointer so a caller can opt out or rebind
+	Record *bool
+
+	changeCause string
+}
+
+// ToRecorder returns a ChangeCause recorder if --record=false was not
+// explicitly given by the user
+func (f *RecordFlags) ToRecorder() (Recorder, error) {
+	if f == nil {
+		return NoopRecorder{}, nil
+	}
+
+	shouldRecord := false
+	if f.Record != nil {
+		shouldRecord = *f.Record
+	}
+
+	// if flag was explicitly set to false by the user,
+	// do not record
+	if !shouldRecord {
+		return NoopRecorder{}, nil
+	}
+
+	return &ChangeCauseRecorder{
+		changeCause: f.changeCause,
+	}, nil
+}
+
+// Complete is called before the command is run, but after it is invoked to finish the state of the struct before use.
+func (f *RecordFlags) Complete(cmd *cobra.Command) error {
+	if f == nil {
+		return nil
+	}
+
+	f.changeCause = parseCommandArguments(cmd)
+	return nil
+}
+
+// CompleteWithChangeCause alters changeCause value with a new cause
+func (f *RecordFlags) CompleteWithChangeCause(cause string) error {
+	if f == nil {
+		return nil
+	}
+
+	f.changeCause = cause
+	return nil
+}
+
+// AddFlags binds the requested flags to the provided flagset
+// TODO have this only take a flagset
+func (f *RecordFlags) AddFlags(cmd *cobra.Command) {
+	if f == nil {
+		return
+	}
+
+	if f.Record != nil {
+		cmd.Flags().BoolVar(f.Record, "record", *f.Record, "Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.")
+		cmd.Flags().MarkDeprecated("record", "--record will be removed in the future")
+	}
+}
+
+// NewRecordFlags provides a RecordFlags with reasonable default values set for use
+func NewRecordFlags() *RecordFlags {
+	record := false
+
+	return &RecordFlags{
+		Record: &record,
+	}
+}
+
+// Recorder is used to record why a runtime.Object was changed in an annotation.
+type Recorder interface {
+	// Record records why a runtime.Object was changed in an annotation.
+	Record(runtime.Object) error
+	MakeRecordMergePatch(runtime.Object) ([]byte, error)
+}
+
+// NoopRecorder does nothing.  It is a "do nothing" that can be returned so code doesn't switch on it.
+type NoopRecorder struct{}
+
+// Record implements Recorder
+func (r NoopRecorder) Record(obj runtime.Object) error {
+	return nil
+}
+
+// MakeRecordMergePatch implements Recorder
+func (r NoopRecorder) MakeRecordMergePatch(obj runtime.Object) ([]byte, error) {
+	return nil, nil
+}
+
+// ChangeCauseRecorder annotates a "change-cause" to an input runtime object
+type ChangeCauseRecorder struct {
+	changeCause string
+}
+
+// Record annotates a "change-cause" to a given info if either "shouldRecord" is true,
+// or the resource info previously contained a "change-cause" annotation.
+func (r *ChangeCauseRecorder) Record(obj runtime.Object) error {
+	accessor, err := meta.Accessor(obj)
+	if err != nil {
+		return err
+	}
+	annotations := accessor.GetAnnotations()
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+	annotations[ChangeCauseAnnotation] = r.changeCause
+	accessor.SetAnnotations(annotations)
+	return nil
+}
+
+// MakeRecordMergePatch produces a merge patch for updating the recording annotation.
+func (r *ChangeCauseRecorder) MakeRecordMergePatch(obj runtime.Object) ([]byte, error) {
+	// copy so we don't mess with the original
+	objCopy := obj.DeepCopyObject()
+	if err := r.Record(objCopy); err != nil {
+		return nil, err
+	}
+
+	oldData, err := json.Marshal(obj)
+	if err != nil {
+		return nil, err
+	}
+	newData, err := json.Marshal(objCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	return jsonpatch.CreateMergePatch(oldData, newData)
+}
+
+// parseCommandArguments will stringify and return all environment arguments ie. a command run by a client
+// using the factory.
+// Set showSecrets false to filter out stuff like secrets.
+func parseCommandArguments(cmd *cobra.Command) string {
+	if len(os.Args) == 0 {
+		return ""
+	}
+
+	flags := ""
+	parseFunc := func(flag *pflag.Flag, value string) error {
+		flags = flags + " --" + flag.Name
+		if set, ok := flag.Annotations["classified"]; !ok || len(set) == 0 {
+			flags = flags + "=" + value
+		} else {
+			flags = flags + "=CLASSIFIED"
+		}
+		return nil
+	}
+	var err error
+	err = cmd.Flags().ParseAll(os.Args[1:], parseFunc)
+	if err != nil || !cmd.Flags().Parsed() {
+		return ""
+	}
+
+	args := ""
+	if arguments := cmd.Flags().Args(); len(arguments) > 0 {
+		args = " " + strings.Join(arguments, " ")
+	}
+
+	base := filepath.Base(os.Args[0])
+	return base + args + flags
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericclioptions/template_flags.go b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/template_flags.go
new file mode 100644
index 0000000000..9d670daa44
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericclioptions/template_flags.go
@@ -0,0 +1,136 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericclioptions
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/printers"
+)
+
+// templates are logically optional for specifying a format.
+// this allows a user to specify a template format value
+// as --output=go-template=
+var templateFormats = map[string]bool{
+	"template":         true,
+	"go-template":      true,
+	"go-template-file": true,
+	"templatefile":     true,
+}
+
+// GoTemplatePrintFlags provides default flags necessary for template printing.
+// Given the following flag values, a printer can be requested that knows
+// how to handle printing based on these values.
+type GoTemplatePrintFlags struct {
+	// indicates if it is OK to ignore missing keys for rendering
+	// an output template.
+	AllowMissingKeys *bool
+	TemplateArgument *string
+}
+
+// AllowedFormats returns slice of string of allowed GoTemplatePrint printing format
+func (f *GoTemplatePrintFlags) AllowedFormats() []string {
+	formats := make([]string, 0, len(templateFormats))
+	for format := range templateFormats {
+		formats = append(formats, format)
+	}
+	sort.Strings(formats)
+	return formats
+}
+
+// ToPrinter receives an templateFormat and returns a printer capable of
+// handling --template format printing.
+// Returns false if the specified templateFormat does not match a template format.
+func (f *GoTemplatePrintFlags) ToPrinter(templateFormat string) (printers.ResourcePrinter, error) {
+	if (f.TemplateArgument == nil || len(*f.TemplateArgument) == 0) && len(templateFormat) == 0 {
+		return nil, NoCompatiblePrinterError{Options: f, OutputFormat: &templateFormat}
+	}
+
+	templateValue := ""
+
+	if f.TemplateArgument == nil || len(*f.TemplateArgument) == 0 {
+		for format := range templateFormats {
+			format = format + "="
+			if strings.HasPrefix(templateFormat, format) {
+				templateValue = templateFormat[len(format):]
+				templateFormat = format[:len(format)-1]
+				break
+			}
+		}
+	} else {
+		templateValue = *f.TemplateArgument
+	}
+
+	if _, supportedFormat := templateFormats[templateFormat]; !supportedFormat {
+		return nil, NoCompatiblePrinterError{OutputFormat: &templateFormat, AllowedFormats: f.AllowedFormats()}
+	}
+
+	if len(templateValue) == 0 {
+		return nil, fmt.Errorf("template format specified but no template given")
+	}
+
+	if templateFormat == "templatefile" || templateFormat == "go-template-file" {
+		data, err := os.ReadFile(templateValue)
+		if err != nil {
+			return nil, fmt.Errorf("error reading --template %s, %v", templateValue, err)
+		}
+
+		templateValue = string(data)
+	}
+
+	p, err := printers.NewGoTemplatePrinter([]byte(templateValue))
+	if err != nil {
+		return nil, fmt.Errorf("error parsing template %s, %v", templateValue, err)
+	}
+
+	allowMissingKeys := true
+	if f.AllowMissingKeys != nil {
+		allowMissingKeys = *f.AllowMissingKeys
+	}
+
+	p.AllowMissingKeys(allowMissingKeys)
+	return p, nil
+}
+
+// AddFlags receives a *cobra.Command reference and binds
+// flags related to template printing to it
+func (f *GoTemplatePrintFlags) AddFlags(c *cobra.Command) {
+	if f.TemplateArgument != nil {
+		c.Flags().StringVar(f.TemplateArgument, "template", *f.TemplateArgument, "Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].")
+		c.MarkFlagFilename("template")
+	}
+	if f.AllowMissingKeys != nil {
+		c.Flags().BoolVar(f.AllowMissingKeys, "allow-missing-template-keys", *f.AllowMissingKeys, "If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.")
+	}
+}
+
+// NewGoTemplatePrintFlags returns flags associated with
+// --template printing, with default values set.
+func NewGoTemplatePrintFlags() *GoTemplatePrintFlags {
+	allowMissingKeysPtr := true
+	templateValuePtr := ""
+
+	return &GoTemplatePrintFlags{
+		TemplateArgument: &templateValuePtr,
+		AllowMissingKeys: &allowMissingKeysPtr,
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/genericiooptions/io_options.go b/vendor/k8s.io/cli-runtime/pkg/genericiooptions/io_options.go
new file mode 100644
index 0000000000..247b1c2ee1
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/genericiooptions/io_options.go
@@ -0,0 +1,56 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package genericiooptions
+
+import (
+	"bytes"
+	"io"
+)
+
+// IOStreams provides the standard names for iostreams.  This is useful for embedding and for unit testing.
+// Inconsistent and different names make it hard to read and review code
+type IOStreams struct {
+	// In think, os.Stdin
+	In io.Reader
+	// Out think, os.Stdout
+	Out io.Writer
+	// ErrOut think, os.Stderr
+	ErrOut io.Writer
+}
+
+// NewTestIOStreams returns a valid IOStreams and in, out, errout buffers for unit tests
+func NewTestIOStreams() (IOStreams, *bytes.Buffer, *bytes.Buffer, *bytes.Buffer) {
+	in := &bytes.Buffer{}
+	out := &bytes.Buffer{}
+	errOut := &bytes.Buffer{}
+
+	return IOStreams{
+		In:     in,
+		Out:    out,
+		ErrOut: errOut,
+	}, in, out, errOut
+}
+
+// NewTestIOStreamsDiscard returns a valid IOStreams that just discards
+func NewTestIOStreamsDiscard() IOStreams {
+	in := &bytes.Buffer{}
+	return IOStreams{
+		In:     in,
+		Out:    io.Discard,
+		ErrOut: io.Discard,
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/discard.go b/vendor/k8s.io/cli-runtime/pkg/printers/discard.go
new file mode 100644
index 0000000000..cd934976da
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/discard.go
@@ -0,0 +1,30 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// NewDiscardingPrinter is a printer that discards all objects
+func NewDiscardingPrinter() ResourcePrinterFunc {
+	return ResourcePrinterFunc(func(runtime.Object, io.Writer) error {
+		return nil
+	})
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/doc.go b/vendor/k8s.io/cli-runtime/pkg/printers/doc.go
new file mode 100644
index 0000000000..5f84f40b35
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package printers is helper for formatting and printing runtime objects into
+// primitives io.writer.
+package printers
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/interface.go b/vendor/k8s.io/cli-runtime/pkg/printers/interface.go
new file mode 100644
index 0000000000..e88ff63ae6
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/interface.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// ResourcePrinterFunc is a function that can print objects
+type ResourcePrinterFunc func(runtime.Object, io.Writer) error
+
+// PrintObj implements ResourcePrinter
+func (fn ResourcePrinterFunc) PrintObj(obj runtime.Object, w io.Writer) error {
+	return fn(obj, w)
+}
+
+// ResourcePrinter is an interface that knows how to print runtime objects.
+type ResourcePrinter interface {
+	// PrintObj receives a runtime object, formats it and prints it to a writer.
+	PrintObj(runtime.Object, io.Writer) error
+}
+
+// PrintOptions struct defines a struct for various print options
+type PrintOptions struct {
+	NoHeaders     bool
+	WithNamespace bool
+	WithKind      bool
+	Wide          bool
+	ShowLabels    bool
+	Kind          schema.GroupKind
+	ColumnLabels  []string
+
+	SortBy string
+
+	// indicates if it is OK to ignore missing keys for rendering an output template.
+	AllowMissingKeys bool
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/json.go b/vendor/k8s.io/cli-runtime/pkg/printers/json.go
new file mode 100644
index 0000000000..7d14a4e5a6
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/json.go
@@ -0,0 +1,80 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// JSONPrinter is an implementation of ResourcePrinter which outputs an object as JSON.
+type JSONPrinter struct{}
+
+// PrintObj is an implementation of ResourcePrinter.PrintObj which simply writes the object to the Writer.
+func (p *JSONPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	// we use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// we need an actual value in order to retrieve the package path for an object.
+	// using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	switch obj := obj.(type) {
+	case *metav1.WatchEvent:
+		if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj.Object.Object)).Type().PkgPath()) {
+			return errors.New(InternalObjectPrinterErr)
+		}
+		data, err := json.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write([]byte{'\n'})
+		return err
+	case *runtime.Unknown:
+		var buf bytes.Buffer
+		err := json.Indent(&buf, obj.Raw, "", "    ")
+		if err != nil {
+			return err
+		}
+		buf.WriteRune('\n')
+		_, err = buf.WriteTo(w)
+		return err
+	}
+
+	if obj.GetObjectKind().GroupVersionKind().Empty() {
+		return fmt.Errorf("missing apiVersion or kind; try GetObjectKind().SetGroupVersionKind() if you know the type")
+	}
+
+	data, err := json.MarshalIndent(obj, "", "    ")
+	if err != nil {
+		return err
+	}
+	data = append(data, '\n')
+	_, err = w.Write(data)
+	return err
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/jsonpath.go b/vendor/k8s.io/cli-runtime/pkg/printers/jsonpath.go
new file mode 100644
index 0000000000..216449ec44
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/jsonpath.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/util/jsonpath"
+)
+
+// exists returns true if it would be possible to call the index function
+// with these arguments.
+//
+// TODO: how to document this for users?
+//
+// index returns the result of indexing its first argument by the following
+// arguments.  Thus "index x 1 2 3" is, in Go syntax, x[1][2][3]. Each
+// indexed item must be a map, slice, or array.
+func exists(item interface{}, indices ...interface{}) bool {
+	v := reflect.ValueOf(item)
+	for _, i := range indices {
+		index := reflect.ValueOf(i)
+		var isNil bool
+		if v, isNil = indirect(v); isNil {
+			return false
+		}
+		switch v.Kind() {
+		case reflect.Array, reflect.Slice, reflect.String:
+			var x int64
+			switch index.Kind() {
+			case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+				x = index.Int()
+			case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+				x = int64(index.Uint())
+			default:
+				return false
+			}
+			if x < 0 || x >= int64(v.Len()) {
+				return false
+			}
+			v = v.Index(int(x))
+		case reflect.Map:
+			if !index.IsValid() {
+				index = reflect.Zero(v.Type().Key())
+			}
+			if !index.Type().AssignableTo(v.Type().Key()) {
+				return false
+			}
+			if x := v.MapIndex(index); x.IsValid() {
+				v = x
+			} else {
+				v = reflect.Zero(v.Type().Elem())
+			}
+		default:
+			return false
+		}
+	}
+	if _, isNil := indirect(v); isNil {
+		return false
+	}
+	return true
+}
+
+// stolen from text/template
+// indirect returns the item at the end of indirection, and a bool to indicate if it's nil.
+// We indirect through pointers and empty interfaces (only) because
+// non-empty interfaces have methods we might need.
+func indirect(v reflect.Value) (rv reflect.Value, isNil bool) {
+	for ; v.Kind() == reflect.Pointer || v.Kind() == reflect.Interface; v = v.Elem() {
+		if v.IsNil() {
+			return v, true
+		}
+		if v.Kind() == reflect.Interface && v.NumMethod() > 0 {
+			break
+		}
+	}
+	return v, false
+}
+
+// JSONPathPrinter is an implementation of ResourcePrinter which formats data with jsonpath expression.
+type JSONPathPrinter struct {
+	rawTemplate string
+	*jsonpath.JSONPath
+}
+
+func NewJSONPathPrinter(tmpl string) (*JSONPathPrinter, error) {
+	j := jsonpath.New("out")
+	if err := j.Parse(tmpl); err != nil {
+		return nil, err
+	}
+	return &JSONPathPrinter{
+		rawTemplate: tmpl,
+		JSONPath:    j,
+	}, nil
+}
+
+// PrintObj formats the obj with the JSONPath Template.
+func (j *JSONPathPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	// we use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// we need an actual value in order to retrieve the package path for an object.
+	// using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	var queryObj interface{} = obj
+	if unstructured, ok := obj.(runtime.Unstructured); ok {
+		queryObj = unstructured.UnstructuredContent()
+	} else {
+		data, err := json.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		queryObj = map[string]interface{}{}
+		if err := json.Unmarshal(data, &queryObj); err != nil {
+			return err
+		}
+	}
+
+	if err := j.JSONPath.Execute(w, queryObj); err != nil {
+		buf := bytes.NewBuffer(nil)
+		fmt.Fprintf(buf, "Error executing template: %v. Printing more information for debugging the template:\n", err)
+		fmt.Fprintf(buf, "\ttemplate was:\n\t\t%v\n", j.rawTemplate)
+		fmt.Fprintf(buf, "\tobject given to jsonpath engine was:\n\t\t%#v\n\n", queryObj)
+		return fmt.Errorf("error executing jsonpath %q: %v\n", j.rawTemplate, buf.String())
+	}
+	return nil
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/kyaml.go b/vendor/k8s.io/cli-runtime/pkg/printers/kyaml.go
new file mode 100644
index 0000000000..285da2037d
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/kyaml.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// package kyaml provides a printer for Kubernetes objects that formats them
+// as KYAML, a strict subset of YAML that is designed to be explicit and
+// unambiguous.  KYAML is YAML.
+package printers
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/yaml/kyaml"
+)
+
+// KYAMLPrinter is an implementation of ResourcePrinter which formats data into
+// a specific dialect of YAML, known as KYAML. KYAML is halfway between YAML
+// and JSON, but is a strict subset of YAML, and so it should should be
+// readable by any YAML parser. It is designed to be explicit and unambiguous,
+// and eschews significant whitespace.
+type KYAMLPrinter struct {
+	encoder kyaml.Encoder
+}
+
+// PrintObj prints the data as KYAML to the specified writer.
+func (p *KYAMLPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	// We use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// We need an actual value in order to retrieve the package path for an object.
+	// Using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	switch obj := obj.(type) {
+	case *metav1.WatchEvent:
+		if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj.Object.Object)).Type().PkgPath()) {
+			return errors.New(InternalObjectPrinterErr)
+		}
+	case *runtime.Unknown:
+		return p.encoder.FromYAML(bytes.NewReader(obj.Raw), w)
+	}
+
+	if obj.GetObjectKind().GroupVersionKind().Empty() {
+		return fmt.Errorf("missing apiVersion or kind; try GetObjectKind().SetGroupVersionKind() if you know the type")
+	}
+
+	return p.encoder.FromObject(obj, w)
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/managedfields.go b/vendor/k8s.io/cli-runtime/pkg/printers/managedfields.go
new file mode 100644
index 0000000000..cab54d0584
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/managedfields.go
@@ -0,0 +1,59 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// OmitManagedFieldsPrinter wraps an existing printer and omits the managed fields from the object
+// before printing it.
+type OmitManagedFieldsPrinter struct {
+	Delegate ResourcePrinter
+}
+
+var _ ResourcePrinter = (*OmitManagedFieldsPrinter)(nil)
+
+func omitManagedFields(o runtime.Object) runtime.Object {
+	a, err := meta.Accessor(o)
+	if err != nil {
+		// The object is not a `metav1.Object`, ignore it.
+		return o
+	}
+	a.SetManagedFields(nil)
+	return o
+}
+
+// PrintObj copies the object and omits the managed fields from the copied object before printing it.
+func (p *OmitManagedFieldsPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	if obj == nil {
+		return p.Delegate.PrintObj(obj, w)
+	}
+	if meta.IsListType(obj) {
+		obj = obj.DeepCopyObject()
+		_ = meta.EachListItem(obj, func(item runtime.Object) error {
+			omitManagedFields(item)
+			return nil
+		})
+	} else if _, err := meta.Accessor(obj); err == nil {
+		obj = omitManagedFields(obj.DeepCopyObject())
+	}
+	return p.Delegate.PrintObj(obj, w)
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/name.go b/vendor/k8s.io/cli-runtime/pkg/printers/name.go
new file mode 100644
index 0000000000..1d2fe7f964
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/name.go
@@ -0,0 +1,131 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// NamePrinter is an implementation of ResourcePrinter which outputs "resource/name" pair of an object.
+type NamePrinter struct {
+	// ShortOutput indicates whether an operation should be
+	// printed along side the "resource/name" pair for an object.
+	ShortOutput bool
+	// Operation describes the name of the action that
+	// took place on an object, to be included in the
+	// finalized "successful" message.
+	Operation string
+}
+
+// PrintObj is an implementation of ResourcePrinter.PrintObj which decodes the object
+// and print "resource/name" pair. If the object is a List, print all items in it.
+func (p *NamePrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	switch castObj := obj.(type) {
+	case *metav1.WatchEvent:
+		obj = castObj.Object.Object
+	}
+
+	// we use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	// we need an actual value in order to retrieve the package path for an object.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	if meta.IsListType(obj) {
+		// we allow unstructured lists for now because they always contain the GVK information.  We should chase down
+		// callers and stop them from passing unflattened lists
+		// TODO chase the caller that is setting this and remove it.
+		if _, ok := obj.(*unstructured.UnstructuredList); !ok {
+			return fmt.Errorf("list types are not supported by name printing: %T", obj)
+		}
+
+		items, err := meta.ExtractList(obj)
+		if err != nil {
+			return err
+		}
+		for _, obj := range items {
+			if err := p.PrintObj(obj, w); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	if obj.GetObjectKind().GroupVersionKind().Empty() {
+		return fmt.Errorf("missing apiVersion or kind; try GetObjectKind().SetGroupVersionKind() if you know the type")
+	}
+
+	name := "<unknown>"
+	if acc, err := meta.Accessor(obj); err == nil {
+		if n := acc.GetName(); len(n) > 0 {
+			name = n
+		}
+	}
+
+	return printObj(w, name, p.Operation, p.ShortOutput, GetObjectGroupKind(obj))
+}
+
+func GetObjectGroupKind(obj runtime.Object) schema.GroupKind {
+	if obj == nil {
+		return schema.GroupKind{Kind: "<unknown>"}
+	}
+	groupVersionKind := obj.GetObjectKind().GroupVersionKind()
+	if len(groupVersionKind.Kind) > 0 {
+		return groupVersionKind.GroupKind()
+	}
+
+	if uns, ok := obj.(*unstructured.Unstructured); ok {
+		if len(uns.GroupVersionKind().Kind) > 0 {
+			return uns.GroupVersionKind().GroupKind()
+		}
+	}
+
+	return schema.GroupKind{Kind: "<unknown>"}
+}
+
+func printObj(w io.Writer, name string, operation string, shortOutput bool, groupKind schema.GroupKind) error {
+	if len(groupKind.Kind) == 0 {
+		return fmt.Errorf("missing kind for resource with name %v", name)
+	}
+
+	if len(operation) > 0 {
+		operation = " " + operation
+	}
+
+	if shortOutput {
+		operation = ""
+	}
+
+	if len(groupKind.Group) == 0 {
+		fmt.Fprintf(w, "%s/%s%s\n", strings.ToLower(groupKind.Kind), name, operation)
+		return nil
+	}
+
+	fmt.Fprintf(w, "%s.%s/%s%s\n", strings.ToLower(groupKind.Kind), groupKind.Group, name, operation)
+	return nil
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/sourcechecker.go b/vendor/k8s.io/cli-runtime/pkg/printers/sourcechecker.go
new file mode 100644
index 0000000000..e360c8fe0b
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/sourcechecker.go
@@ -0,0 +1,60 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"strings"
+)
+
+var (
+	InternalObjectPrinterErr = "a versioned object must be passed to a printer"
+
+	// disallowedPackagePrefixes contains regular expression templates
+	// for object package paths that are not allowed by printers.
+	disallowedPackagePrefixes = []string{
+		"k8s.io/kubernetes/pkg/apis/",
+	}
+)
+
+var InternalObjectPreventer = &illegalPackageSourceChecker{disallowedPackagePrefixes}
+
+func IsInternalObjectError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	return err.Error() == InternalObjectPrinterErr
+}
+
+// illegalPackageSourceChecker compares a given
+// object's package path, and determines if the
+// object originates from a disallowed source.
+type illegalPackageSourceChecker struct {
+	// disallowedPrefixes is a slice of disallowed package path
+	// prefixes for a given runtime.Object that we are printing.
+	disallowedPrefixes []string
+}
+
+func (c *illegalPackageSourceChecker) IsForbidden(pkgPath string) bool {
+	for _, forbiddenPrefix := range c.disallowedPrefixes {
+		if strings.HasPrefix(pkgPath, forbiddenPrefix) || strings.Contains(pkgPath, "/vendor/"+forbiddenPrefix) {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/tableprinter.go b/vendor/k8s.io/cli-runtime/pkg/printers/tableprinter.go
new file mode 100644
index 0000000000..548596659e
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/tableprinter.go
@@ -0,0 +1,589 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"fmt"
+	"io"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/liggitt/tabwriter"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/duration"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+var _ ResourcePrinter = &HumanReadablePrinter{}
+
+type printHandler struct {
+	columnDefinitions []metav1.TableColumnDefinition
+	printFunc         reflect.Value
+}
+
+var (
+	statusHandlerEntry = &printHandler{
+		columnDefinitions: statusColumnDefinitions,
+		printFunc:         reflect.ValueOf(printStatus),
+	}
+
+	statusColumnDefinitions = []metav1.TableColumnDefinition{
+		{Name: "Status", Type: "string"},
+		{Name: "Reason", Type: "string"},
+		{Name: "Message", Type: "string"},
+	}
+
+	defaultHandlerEntry = &printHandler{
+		columnDefinitions: objectMetaColumnDefinitions,
+		printFunc:         reflect.ValueOf(printObjectMeta),
+	}
+
+	objectMetaColumnDefinitions = []metav1.TableColumnDefinition{
+		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
+		{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
+	}
+
+	withEventTypePrefixColumns = []string{"EVENT"}
+	withNamespacePrefixColumns = []string{"NAMESPACE"} // TODO(erictune): print cluster name too.
+)
+
+// HumanReadablePrinter is an implementation of ResourcePrinter which attempts to provide
+// more elegant output. It is not threadsafe, but you may call PrintObj repeatedly; headers
+// will only be printed if the object type changes. This makes it useful for printing items
+// received from watches.
+type HumanReadablePrinter struct {
+	options        PrintOptions
+	lastType       interface{}
+	lastColumns    []metav1.TableColumnDefinition
+	printedHeaders bool
+}
+
+// NewTablePrinter creates a printer suitable for calling PrintObj().
+func NewTablePrinter(options PrintOptions) ResourcePrinter {
+	printer := &HumanReadablePrinter{
+		options: options,
+	}
+	return printer
+}
+
+func printHeader(columnNames []string, w io.Writer) error {
+	if _, err := fmt.Fprintf(w, "%s\n", strings.Join(columnNames, "\t")); err != nil {
+		return err
+	}
+	return nil
+}
+
+// PrintObj prints the obj in a human-friendly format according to the type of the obj.
+func (h *HumanReadablePrinter) PrintObj(obj runtime.Object, output io.Writer) error {
+
+	if _, found := output.(*tabwriter.Writer); !found {
+		w := GetNewTabWriter(output)
+		output = w
+		defer w.Flush()
+	}
+
+	var eventType string
+	if event, isEvent := obj.(*metav1.WatchEvent); isEvent {
+		eventType = event.Type
+		obj = event.Object.Object
+	}
+
+	// Parameter "obj" is a table from server; print it.
+	// display tables following the rules of options
+	if table, ok := obj.(*metav1.Table); ok {
+		// Do not print headers if this table has no column definitions, or they are the same as the last ones we printed
+		localOptions := h.options
+		if h.printedHeaders && (len(table.ColumnDefinitions) == 0 || reflect.DeepEqual(table.ColumnDefinitions, h.lastColumns)) {
+			localOptions.NoHeaders = true
+		}
+
+		if len(table.ColumnDefinitions) == 0 {
+			// If this table has no column definitions, use the columns from the last table we printed for decoration and layout.
+			// This is done when receiving tables in watch events to save bandwidth.
+			table.ColumnDefinitions = h.lastColumns
+		} else if !reflect.DeepEqual(table.ColumnDefinitions, h.lastColumns) {
+			// If this table has column definitions, remember them for future use.
+			h.lastColumns = table.ColumnDefinitions
+			h.printedHeaders = false
+		}
+
+		if len(table.Rows) > 0 {
+			h.printedHeaders = true
+		}
+
+		if err := decorateTable(table, localOptions); err != nil {
+			return err
+		}
+		if len(eventType) > 0 {
+			if err := addColumns(beginning, table,
+				[]metav1.TableColumnDefinition{{Name: "Event", Type: "string"}},
+				[]cellValueFunc{func(metav1.TableRow) (interface{}, error) { return formatEventType(eventType), nil }},
+			); err != nil {
+				return err
+			}
+		}
+		return printTable(table, output, localOptions)
+	}
+
+	// Could not find print handler for "obj"; use the default or status print handler.
+	// Print with the default or status handler, and use the columns from the last time
+	var handler *printHandler
+	if _, isStatus := obj.(*metav1.Status); isStatus {
+		handler = statusHandlerEntry
+	} else {
+		handler = defaultHandlerEntry
+	}
+
+	includeHeaders := h.lastType != handler && !h.options.NoHeaders
+
+	if h.lastType != nil && h.lastType != handler && !h.options.NoHeaders {
+		fmt.Fprintln(output)
+	}
+
+	if err := printRowsForHandlerEntry(output, handler, eventType, obj, h.options, includeHeaders); err != nil {
+		return err
+	}
+	h.lastType = handler
+
+	return nil
+}
+
+// printTable prints a table to the provided output respecting the filtering rules for options
+// for wide columns and filtered rows. It filters out rows that are Completed. You should call
+// decorateTable if you receive a table from a remote server before calling printTable.
+func printTable(table *metav1.Table, output io.Writer, options PrintOptions) error {
+	if !options.NoHeaders {
+		// avoid printing headers if we have no rows to display
+		if len(table.Rows) == 0 {
+			return nil
+		}
+
+		first := true
+		for _, column := range table.ColumnDefinitions {
+			if !options.Wide && column.Priority != 0 {
+				continue
+			}
+			if first {
+				first = false
+			} else {
+				fmt.Fprint(output, "\t")
+			}
+			fmt.Fprint(output, strings.ToUpper(column.Name))
+		}
+		fmt.Fprintln(output)
+	}
+	for _, row := range table.Rows {
+		first := true
+		for i, cell := range row.Cells {
+			if i >= len(table.ColumnDefinitions) {
+				// https://issue.k8s.io/66379
+				// don't panic in case of bad output from the server, with more cells than column definitions
+				break
+			}
+			column := table.ColumnDefinitions[i]
+			if !options.Wide && column.Priority != 0 {
+				continue
+			}
+			if first {
+				first = false
+			} else {
+				fmt.Fprint(output, "\t")
+			}
+			if cell != nil {
+				switch val := cell.(type) {
+				case string:
+					print := val
+					truncated := false
+					// Truncate at the first newline, carriage return or formfeed
+					// (treated as a newline by tabwriter).
+					breakchar := strings.IndexAny(print, "\f\n\r")
+					if breakchar >= 0 {
+						truncated = true
+						print = print[:breakchar]
+					}
+					WriteEscaped(output, print)
+					if truncated {
+						fmt.Fprint(output, "...")
+					}
+				default:
+					WriteEscaped(output, fmt.Sprint(val))
+				}
+			}
+		}
+		fmt.Fprintln(output)
+	}
+	return nil
+}
+
+type cellValueFunc func(metav1.TableRow) (interface{}, error)
+
+type columnAddPosition int
+
+const (
+	beginning columnAddPosition = 1
+	end       columnAddPosition = 2
+)
+
+func addColumns(pos columnAddPosition, table *metav1.Table, columns []metav1.TableColumnDefinition, valueFuncs []cellValueFunc) error {
+	if len(columns) != len(valueFuncs) {
+		return fmt.Errorf("cannot prepend columns, unmatched value functions")
+	}
+	if len(columns) == 0 {
+		return nil
+	}
+
+	// Compute the new rows
+	newRows := make([][]interface{}, len(table.Rows))
+	for i := range table.Rows {
+		newCells := make([]interface{}, 0, len(columns)+len(table.Rows[i].Cells))
+
+		if pos == end {
+			// If we're appending, start with the existing cells,
+			// then add nil cells to match the number of columns
+			newCells = append(newCells, table.Rows[i].Cells...)
+			for len(newCells) < len(table.ColumnDefinitions) {
+				newCells = append(newCells, nil)
+			}
+		}
+
+		// Compute cells for new columns
+		for _, f := range valueFuncs {
+			newCell, err := f(table.Rows[i])
+			if err != nil {
+				return err
+			}
+			newCells = append(newCells, newCell)
+		}
+
+		if pos == beginning {
+			// If we're prepending, add existing cells
+			newCells = append(newCells, table.Rows[i].Cells...)
+		}
+
+		// Remember the new cells for this row
+		newRows[i] = newCells
+	}
+
+	// All cells successfully computed, now replace columns and rows
+	newColumns := make([]metav1.TableColumnDefinition, 0, len(columns)+len(table.ColumnDefinitions))
+	switch pos {
+	case beginning:
+		newColumns = append(newColumns, columns...)
+		newColumns = append(newColumns, table.ColumnDefinitions...)
+	case end:
+		newColumns = append(newColumns, table.ColumnDefinitions...)
+		newColumns = append(newColumns, columns...)
+	default:
+		return fmt.Errorf("invalid column add position: %v", pos)
+	}
+	table.ColumnDefinitions = newColumns
+	for i := range table.Rows {
+		table.Rows[i].Cells = newRows[i]
+	}
+
+	return nil
+}
+
+// decorateTable takes a table and attempts to add label columns and the
+// namespace column. It will fill empty columns with nil (if the object
+// does not expose metadata). It returns an error if the table cannot
+// be decorated.
+func decorateTable(table *metav1.Table, options PrintOptions) error {
+	width := len(table.ColumnDefinitions) + len(options.ColumnLabels)
+	if options.WithNamespace {
+		width++
+	}
+	if options.ShowLabels {
+		width++
+	}
+
+	columns := table.ColumnDefinitions
+
+	nameColumn := -1
+	if options.WithKind && !options.Kind.Empty() {
+		for i := range columns {
+			if columns[i].Format == "name" && columns[i].Type == "string" {
+				nameColumn = i
+				break
+			}
+		}
+	}
+
+	if width != len(table.ColumnDefinitions) {
+		columns = make([]metav1.TableColumnDefinition, 0, width)
+		if options.WithNamespace {
+			columns = append(columns, metav1.TableColumnDefinition{
+				Name: "Namespace",
+				Type: "string",
+			})
+		}
+		columns = append(columns, table.ColumnDefinitions...)
+		for _, label := range formatLabelHeaders(options.ColumnLabels) {
+			columns = append(columns, metav1.TableColumnDefinition{
+				Name: label,
+				Type: "string",
+			})
+		}
+		if options.ShowLabels {
+			columns = append(columns, metav1.TableColumnDefinition{
+				Name: "Labels",
+				Type: "string",
+			})
+		}
+	}
+
+	rows := table.Rows
+
+	includeLabels := len(options.ColumnLabels) > 0 || options.ShowLabels
+	if includeLabels || options.WithNamespace || nameColumn != -1 {
+		for i := range rows {
+			row := rows[i]
+
+			if nameColumn != -1 {
+				row.Cells[nameColumn] = fmt.Sprintf("%s/%s", strings.ToLower(options.Kind.String()), row.Cells[nameColumn])
+			}
+
+			var m metav1.Object
+			if obj := row.Object.Object; obj != nil {
+				if acc, err := meta.Accessor(obj); err == nil {
+					m = acc
+				}
+			}
+			// if we can't get an accessor, fill out the appropriate columns with empty spaces
+			if m == nil {
+				if options.WithNamespace {
+					r := make([]interface{}, 1, width)
+					row.Cells = append(r, row.Cells...)
+				}
+				for j := 0; j < width-len(row.Cells); j++ {
+					row.Cells = append(row.Cells, nil)
+				}
+				rows[i] = row
+				continue
+			}
+
+			if options.WithNamespace {
+				r := make([]interface{}, 1, width)
+				r[0] = m.GetNamespace()
+				row.Cells = append(r, row.Cells...)
+			}
+			if includeLabels {
+				row.Cells = appendLabelCells(row.Cells, m.GetLabels(), options)
+			}
+			rows[i] = row
+		}
+	}
+
+	table.ColumnDefinitions = columns
+	table.Rows = rows
+	return nil
+}
+
+// printRowsForHandlerEntry prints the incremental table output (headers if the current type is
+// different from lastType) including all the rows in the object. It returns the current type
+// or an error, if any.
+func printRowsForHandlerEntry(output io.Writer, handler *printHandler, eventType string, obj runtime.Object, options PrintOptions, includeHeaders bool) error {
+	var results []reflect.Value
+
+	args := []reflect.Value{reflect.ValueOf(obj), reflect.ValueOf(options)}
+	results = handler.printFunc.Call(args)
+	if !results[1].IsNil() {
+		return results[1].Interface().(error)
+	}
+
+	if includeHeaders {
+		var headers []string
+		for _, column := range handler.columnDefinitions {
+			if column.Priority != 0 && !options.Wide {
+				continue
+			}
+			headers = append(headers, strings.ToUpper(column.Name))
+		}
+		headers = append(headers, formatLabelHeaders(options.ColumnLabels)...)
+		// LABELS is always the last column.
+		headers = append(headers, formatShowLabelsHeader(options.ShowLabels)...)
+		// prepend namespace header
+		if options.WithNamespace {
+			headers = append(withNamespacePrefixColumns, headers...)
+		}
+		// prepend event type header
+		if len(eventType) > 0 {
+			headers = append(withEventTypePrefixColumns, headers...)
+		}
+		printHeader(headers, output)
+	}
+
+	if results[1].IsNil() {
+		rows := results[0].Interface().([]metav1.TableRow)
+		printRows(output, eventType, rows, options)
+		return nil
+	}
+	return results[1].Interface().(error)
+}
+
+var formattedEventType = map[string]string{
+	string(watch.Added):    "ADDED   ",
+	string(watch.Modified): "MODIFIED",
+	string(watch.Deleted):  "DELETED ",
+	string(watch.Error):    "ERROR   ",
+}
+
+func formatEventType(eventType string) string {
+	if formatted, ok := formattedEventType[eventType]; ok {
+		return formatted
+	}
+	return eventType
+}
+
+// printRows writes the provided rows to output.
+func printRows(output io.Writer, eventType string, rows []metav1.TableRow, options PrintOptions) {
+	for _, row := range rows {
+		if len(eventType) > 0 {
+			fmt.Fprint(output, formatEventType(eventType))
+			fmt.Fprint(output, "\t")
+		}
+		if options.WithNamespace {
+			if obj := row.Object.Object; obj != nil {
+				if m, err := meta.Accessor(obj); err == nil {
+					fmt.Fprint(output, m.GetNamespace())
+				}
+			}
+			fmt.Fprint(output, "\t")
+		}
+
+		for i, cell := range row.Cells {
+			if i != 0 {
+				fmt.Fprint(output, "\t")
+			} else {
+				// TODO: remove this once we drop the legacy printers
+				if options.WithKind && !options.Kind.Empty() {
+					fmt.Fprintf(output, "%s/%s", strings.ToLower(options.Kind.String()), cell)
+					continue
+				}
+			}
+			fmt.Fprint(output, cell)
+		}
+
+		hasLabels := len(options.ColumnLabels) > 0
+		if obj := row.Object.Object; obj != nil && (hasLabels || options.ShowLabels) {
+			if m, err := meta.Accessor(obj); err == nil {
+				for _, value := range labelValues(m.GetLabels(), options) {
+					output.Write([]byte("\t"))
+					output.Write([]byte(value))
+				}
+			}
+		}
+
+		output.Write([]byte("\n"))
+	}
+}
+
+func formatLabelHeaders(columnLabels []string) []string {
+	formHead := make([]string, len(columnLabels))
+	for i, l := range columnLabels {
+		p := strings.Split(l, "/")
+		formHead[i] = strings.ToUpper(p[len(p)-1])
+	}
+	return formHead
+}
+
+// headers for --show-labels=true
+func formatShowLabelsHeader(showLabels bool) []string {
+	if showLabels {
+		return []string{"LABELS"}
+	}
+	return nil
+}
+
+// labelValues returns a slice of value columns matching the requested print options.
+func labelValues(itemLabels map[string]string, opts PrintOptions) []string {
+	var values []string
+	for _, key := range opts.ColumnLabels {
+		values = append(values, itemLabels[key])
+	}
+	if opts.ShowLabels {
+		values = append(values, labels.FormatLabels(itemLabels))
+	}
+	return values
+}
+
+// appendLabelCells returns a slice of value columns matching the requested print options.
+// Intended for use with tables.
+func appendLabelCells(values []interface{}, itemLabels map[string]string, opts PrintOptions) []interface{} {
+	for _, key := range opts.ColumnLabels {
+		values = append(values, itemLabels[key])
+	}
+	if opts.ShowLabels {
+		values = append(values, labels.FormatLabels(itemLabels))
+	}
+	return values
+}
+
+func printStatus(obj runtime.Object, options PrintOptions) ([]metav1.TableRow, error) {
+	status, ok := obj.(*metav1.Status)
+	if !ok {
+		return nil, fmt.Errorf("expected *v1.Status, got %T", obj)
+	}
+	return []metav1.TableRow{{
+		Object: runtime.RawExtension{Object: obj},
+		Cells:  []interface{}{status.Status, status.Reason, status.Message},
+	}}, nil
+}
+
+func printObjectMeta(obj runtime.Object, options PrintOptions) ([]metav1.TableRow, error) {
+	if meta.IsListType(obj) {
+		rows := make([]metav1.TableRow, 0, 16)
+		err := meta.EachListItem(obj, func(obj runtime.Object) error {
+			nestedRows, err := printObjectMeta(obj, options)
+			if err != nil {
+				return err
+			}
+			rows = append(rows, nestedRows...)
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+		return rows, nil
+	}
+
+	rows := make([]metav1.TableRow, 0, 1)
+	m, err := meta.Accessor(obj)
+	if err != nil {
+		return nil, err
+	}
+	row := metav1.TableRow{
+		Object: runtime.RawExtension{Object: obj},
+	}
+	row.Cells = append(row.Cells, m.GetName(), translateTimestampSince(m.GetCreationTimestamp()))
+	rows = append(rows, row)
+	return rows, nil
+}
+
+// translateTimestampSince returns the elapsed time since timestamp in
+// human-readable approximation.
+func translateTimestampSince(timestamp metav1.Time) string {
+	if timestamp.IsZero() {
+		return "<unknown>"
+	}
+
+	return duration.HumanDuration(time.Since(timestamp.Time))
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/tabwriter.go b/vendor/k8s.io/cli-runtime/pkg/printers/tabwriter.go
new file mode 100644
index 0000000000..21d60e1c41
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/tabwriter.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+
+	"github.com/liggitt/tabwriter"
+)
+
+const (
+	tabwriterMinWidth = 6
+	tabwriterWidth    = 4
+	tabwriterPadding  = 3
+	tabwriterPadChar  = ' '
+	tabwriterFlags    = tabwriter.RememberWidths
+)
+
+// GetNewTabWriter returns a tabwriter that translates tabbed columns in input into properly aligned text.
+func GetNewTabWriter(output io.Writer) *tabwriter.Writer {
+	return tabwriter.NewWriter(output, tabwriterMinWidth, tabwriterWidth, tabwriterPadding, tabwriterPadChar, tabwriterFlags)
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/template.go b/vendor/k8s.io/cli-runtime/pkg/printers/template.go
new file mode 100644
index 0000000000..4b08573ce3
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/template.go
@@ -0,0 +1,119 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+	"text/template"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/json"
+)
+
+// GoTemplatePrinter is an implementation of ResourcePrinter which formats data with a Go Template.
+type GoTemplatePrinter struct {
+	rawTemplate string
+	template    *template.Template
+}
+
+func NewGoTemplatePrinter(tmpl []byte) (*GoTemplatePrinter, error) {
+	t, err := template.New("output").
+		Funcs(template.FuncMap{
+			"exists":       exists,
+			"base64decode": base64decode,
+		}).
+		Parse(string(tmpl))
+	if err != nil {
+		return nil, err
+	}
+	return &GoTemplatePrinter{
+		rawTemplate: string(tmpl),
+		template:    t,
+	}, nil
+}
+
+// AllowMissingKeys tells the template engine if missing keys are allowed.
+func (p *GoTemplatePrinter) AllowMissingKeys(allow bool) {
+	if allow {
+		p.template.Option("missingkey=default")
+	} else {
+		p.template.Option("missingkey=error")
+	}
+}
+
+// PrintObj formats the obj with the Go Template.
+func (p *GoTemplatePrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	var data []byte
+	var err error
+	data, err = json.Marshal(obj)
+	if err != nil {
+		return err
+	}
+
+	out := map[string]interface{}{}
+	if err := json.Unmarshal(data, &out); err != nil {
+		return err
+	}
+	if err = p.safeExecute(w, out); err != nil {
+		// It is way easier to debug this stuff when it shows up in
+		// stdout instead of just stdin. So in addition to returning
+		// a nice error, also print useful stuff with the writer.
+		fmt.Fprintf(w, "Error executing template: %v. Printing more information for debugging the template:\n", err)
+		fmt.Fprintf(w, "\ttemplate was:\n\t\t%v\n", p.rawTemplate)
+		fmt.Fprintf(w, "\traw data was:\n\t\t%v\n", string(data))
+		fmt.Fprintf(w, "\tobject given to template engine was:\n\t\t%+v\n\n", out)
+		return fmt.Errorf("error executing template %q: %v", p.rawTemplate, err)
+	}
+	return nil
+}
+
+// safeExecute tries to execute the template, but catches panics and returns an error
+// should the template engine panic.
+func (p *GoTemplatePrinter) safeExecute(w io.Writer, obj interface{}) error {
+	var panicErr error
+	// Sorry for the double anonymous function. There's probably a clever way
+	// to do this that has the defer'd func setting the value to be returned, but
+	// that would be even less obvious.
+	retErr := func() error {
+		defer func() {
+			if x := recover(); x != nil {
+				panicErr = fmt.Errorf("caught panic: %+v", x)
+			}
+		}()
+		return p.template.Execute(w, obj)
+	}()
+	if panicErr != nil {
+		return panicErr
+	}
+	return retErr
+}
+
+func base64decode(v string) (string, error) {
+	data, err := base64.StdEncoding.DecodeString(v)
+	if err != nil {
+		return "", fmt.Errorf("base64 decode failed: %v", err)
+	}
+	return string(data), nil
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/terminal.go b/vendor/k8s.io/cli-runtime/pkg/printers/terminal.go
new file mode 100644
index 0000000000..9dc904e59c
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/terminal.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"io"
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/moby/term"
+)
+
+// terminalEscaper replaces ANSI escape sequences and other terminal special
+// characters to avoid terminal escape character attacks (issue #101695).
+var terminalEscaper = strings.NewReplacer("\x1b", "^[", "\r", "\\r")
+
+// WriteEscaped replaces unsafe terminal characters with replacement strings
+// and writes them to the given writer.
+func WriteEscaped(writer io.Writer, output string) error {
+	_, err := terminalEscaper.WriteString(writer, output)
+	return err
+}
+
+// EscapeTerminal escapes terminal special characters in a human readable (but
+// non-reversible) format.
+func EscapeTerminal(in string) string {
+	return terminalEscaper.Replace(in)
+}
+
+// IsTerminal returns whether the passed object is a terminal or not
+func IsTerminal(i interface{}) bool {
+	_, terminal := term.GetFdInfo(i)
+	return terminal
+}
+
+// AllowsColorOutput returns true if the specified writer is a terminal and
+// the process environment indicates color output is supported and desired.
+func AllowsColorOutput(w io.Writer) bool {
+	if !IsTerminal(w) {
+		return false
+	}
+
+	// https://en.wikipedia.org/wiki/Computer_terminal#Dumb_terminals
+	if os.Getenv("TERM") == "dumb" {
+		return false
+	}
+
+	// https://no-color.org/
+	if _, nocolor := os.LookupEnv("NO_COLOR"); nocolor {
+		return false
+	}
+
+	// On Windows WT_SESSION is set by the modern terminal component.
+	// Older terminals have poor support for UTF-8, VT escape codes, etc.
+	if runtime.GOOS == "windows" && os.Getenv("WT_SESSION") == "" {
+		return false
+	}
+
+	return true
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/typesetter.go b/vendor/k8s.io/cli-runtime/pkg/printers/typesetter.go
new file mode 100644
index 0000000000..8d2d9b56ec
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/typesetter.go
@@ -0,0 +1,95 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// TypeSetterPrinter is an implementation of ResourcePrinter wraps another printer with types set on the objects
+type TypeSetterPrinter struct {
+	Delegate ResourcePrinter
+
+	Typer runtime.ObjectTyper
+}
+
+// NewTypeSetter constructs a wrapping printer with required params
+func NewTypeSetter(typer runtime.ObjectTyper) *TypeSetterPrinter {
+	return &TypeSetterPrinter{Typer: typer}
+}
+
+// PrintObj is an implementation of ResourcePrinter.PrintObj which sets type information on the obj for the duration
+// of printing.  It is NOT threadsafe.
+func (p *TypeSetterPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	if obj == nil {
+		return p.Delegate.PrintObj(obj, w)
+	}
+	if !obj.GetObjectKind().GroupVersionKind().Empty() {
+		return p.Delegate.PrintObj(obj, w)
+	}
+
+	// we were empty coming in, make sure we're empty going out.  This makes the call thread-unsafe
+	defer func() {
+		obj.GetObjectKind().SetGroupVersionKind(schema.GroupVersionKind{})
+	}()
+
+	gvks, _, err := p.Typer.ObjectKinds(obj)
+	if err != nil {
+		// printers wrapped by us expect to find the type information present
+		return fmt.Errorf("missing apiVersion or kind and cannot assign it; %v", err)
+	}
+
+	for _, gvk := range gvks {
+		if len(gvk.Kind) == 0 {
+			continue
+		}
+		if len(gvk.Version) == 0 || gvk.Version == runtime.APIVersionInternal {
+			continue
+		}
+		obj.GetObjectKind().SetGroupVersionKind(gvk)
+		break
+	}
+
+	return p.Delegate.PrintObj(obj, w)
+}
+
+// ToPrinter returns a printer (not threadsafe!) that has been wrapped
+func (p *TypeSetterPrinter) ToPrinter(delegate ResourcePrinter) ResourcePrinter {
+	if p == nil {
+		return delegate
+	}
+
+	p.Delegate = delegate
+	return p
+}
+
+// WrapToPrinter wraps the common ToPrinter method
+func (p *TypeSetterPrinter) WrapToPrinter(delegate ResourcePrinter, err error) (ResourcePrinter, error) {
+	if err != nil {
+		return delegate, err
+	}
+	if p == nil {
+		return delegate, nil
+	}
+
+	p.Delegate = delegate
+	return p, nil
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/warningprinter.go b/vendor/k8s.io/cli-runtime/pkg/printers/warningprinter.go
new file mode 100644
index 0000000000..b3a8264f78
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/warningprinter.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"fmt"
+	"io"
+)
+
+const (
+	yellowColor = "\u001b[33;1m"
+	resetColor  = "\u001b[0m"
+)
+
+type WarningPrinter struct {
+	// out is the writer to output warnings to
+	out io.Writer
+	// opts contains options controlling warning output
+	opts WarningPrinterOptions
+}
+
+// WarningPrinterOptions controls the behavior of a WarningPrinter constructed using NewWarningPrinter()
+type WarningPrinterOptions struct {
+	// Color indicates that warning output can include ANSI color codes
+	Color bool
+}
+
+// NewWarningPrinter returns an implementation of warningPrinter that outputs warnings to the specified writer.
+func NewWarningPrinter(out io.Writer, opts WarningPrinterOptions) *WarningPrinter {
+	h := &WarningPrinter{out: out, opts: opts}
+	return h
+}
+
+// Print prints warnings to the configured writer.
+func (w *WarningPrinter) Print(message string) {
+	if w.opts.Color {
+		fmt.Fprintf(w.out, "%sWarning:%s %s\n", yellowColor, resetColor, message)
+	} else {
+		fmt.Fprintf(w.out, "Warning: %s\n", message)
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/printers/yaml.go b/vendor/k8s.io/cli-runtime/pkg/printers/yaml.go
new file mode 100644
index 0000000000..8c6be82fe8
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/printers/yaml.go
@@ -0,0 +1,86 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package printers
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"reflect"
+	"sync/atomic"
+
+	"sigs.k8s.io/yaml"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// YAMLPrinter is an implementation of ResourcePrinter which outputs an object as YAML.
+// The input object is assumed to be in the internal version of an API and is converted
+// to the given version first.
+// If PrintObj() is called multiple times, objects are separated with a '---' separator.
+type YAMLPrinter struct {
+	printCount int64
+}
+
+// PrintObj prints the data as YAML.
+func (p *YAMLPrinter) PrintObj(obj runtime.Object, w io.Writer) error {
+	// we use reflect.Indirect here in order to obtain the actual value from a pointer.
+	// we need an actual value in order to retrieve the package path for an object.
+	// using reflect.Indirect indiscriminately is valid here, as all runtime.Objects are supposed to be pointers.
+	if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj)).Type().PkgPath()) {
+		return errors.New(InternalObjectPrinterErr)
+	}
+
+	count := atomic.AddInt64(&p.printCount, 1)
+	if count > 1 {
+		if _, err := w.Write([]byte("---\n")); err != nil {
+			return err
+		}
+	}
+
+	switch obj := obj.(type) {
+	case *metav1.WatchEvent:
+		if InternalObjectPreventer.IsForbidden(reflect.Indirect(reflect.ValueOf(obj.Object.Object)).Type().PkgPath()) {
+			return errors.New(InternalObjectPrinterErr)
+		}
+		data, err := yaml.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		return err
+	case *runtime.Unknown:
+		data, err := yaml.JSONToYAML(obj.Raw)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		return err
+	}
+
+	if obj.GetObjectKind().GroupVersionKind().Empty() {
+		return fmt.Errorf("missing apiVersion or kind; try GetObjectKind().SetGroupVersionKind() if you know the type")
+	}
+
+	output, err := yaml.Marshal(obj)
+	if err != nil {
+		return err
+	}
+	_, err = fmt.Fprint(w, string(output))
+	return err
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/builder.go b/vendor/k8s.io/cli-runtime/pkg/resource/builder.go
new file mode 100644
index 0000000000..37e830852c
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/builder.go
@@ -0,0 +1,1263 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+var FileExtensions = []string{".json", ".yaml", ".yml"}
+var InputExtensions = append(FileExtensions, "stdin")
+
+const defaultHttpGetAttempts = 3
+const pathNotExistError = "the path %q does not exist"
+
+// Builder provides convenience functions for taking arguments and parameters
+// from the command line and converting them to a list of resources to iterate
+// over using the Visitor interface.
+type Builder struct {
+	categoryExpanderFn CategoryExpanderFunc
+
+	// mapper is set explicitly by resource builders
+	mapper *mapper
+
+	// clientConfigFn is a function to produce a client, *if* you need one
+	clientConfigFn ClientConfigFunc
+
+	restMapperFn RESTMapperFunc
+
+	// objectTyper is statically determinant per-command invocation based on your internal or unstructured choice
+	// it does not ever need to rely upon discovery.
+	objectTyper runtime.ObjectTyper
+
+	// codecFactory describes which codecs you want to use
+	negotiatedSerializer runtime.NegotiatedSerializer
+
+	// local indicates that we cannot make server calls
+	local bool
+
+	errs []error
+
+	paths      []Visitor
+	stream     bool
+	stdinInUse bool
+	dir        bool
+
+	visitorConcurrency int
+
+	labelSelector     *string
+	fieldSelector     *string
+	selectAll         bool
+	limitChunks       int64
+	requestTransforms []RequestTransform
+
+	resources   []string
+	subresource string
+
+	namespace    string
+	allNamespace bool
+	names        []string
+
+	resourceTuples []resourceTuple
+
+	defaultNamespace bool
+	requireNamespace bool
+
+	flatten bool
+	latest  bool
+
+	requireObject bool
+
+	singleResourceType bool
+	continueOnError    bool
+
+	singleItemImplied bool
+
+	schema ContentValidator
+
+	// fakeClientFn is used for testing
+	fakeClientFn FakeClientFunc
+}
+
+var missingResourceError = fmt.Errorf(`You must provide one or more resources by argument or filename.
+Example resource specifications include:
+   '-f rsrc.yaml'
+   '--filename=rsrc.json'
+   '<resource> <name>'
+   '<resource>'`)
+
+var LocalResourceError = errors.New(`error: you must specify resources by --filename when --local is set.
+Example resource specifications include:
+   '-f rsrc.yaml'
+   '--filename=rsrc.json'`)
+
+var StdinMultiUseError = errors.New("standard input cannot be used for multiple arguments")
+
+// ErrMultipleResourceTypes is returned when Builder.SingleResourceType() was called,
+// but multiple resource types were specified.
+var ErrMultipleResourceTypes = errors.New("you may only specify a single resource type")
+
+// TODO: expand this to include other errors.
+func IsUsageError(err error) bool {
+	if err == nil {
+		return false
+	}
+	return err == missingResourceError
+}
+
+type FilenameOptions struct {
+	Filenames []string
+	Kustomize string
+	Recursive bool
+}
+
+func (o *FilenameOptions) validate() []error {
+	var errs []error
+	if len(o.Filenames) > 0 && len(o.Kustomize) > 0 {
+		errs = append(errs, fmt.Errorf("only one of -f or -k can be specified"))
+	}
+	if len(o.Kustomize) > 0 && o.Recursive {
+		errs = append(errs, fmt.Errorf("the -k flag can't be used with -f or -R"))
+	}
+	return errs
+}
+
+func (o *FilenameOptions) RequireFilenameOrKustomize() error {
+	if len(o.Filenames) == 0 && len(o.Kustomize) == 0 {
+		return fmt.Errorf("must specify one of -f and -k")
+	}
+	return nil
+}
+
+type resourceTuple struct {
+	Resource string
+	Name     string
+}
+
+type FakeClientFunc func(version schema.GroupVersion) (RESTClient, error)
+
+func NewFakeBuilder(fakeClientFn FakeClientFunc, restMapper RESTMapperFunc, categoryExpander CategoryExpanderFunc) *Builder {
+	ret := newBuilder(nil, restMapper, categoryExpander)
+	ret.fakeClientFn = fakeClientFn
+	return ret
+}
+
+// NewBuilder creates a builder that operates on generic objects. At least one of
+// internal or unstructured must be specified.
+// TODO: Add versioned client (although versioned is still lossy)
+// TODO remove internal and unstructured mapper and instead have them set the negotiated serializer for use in the client
+func newBuilder(clientConfigFn ClientConfigFunc, restMapper RESTMapperFunc, categoryExpander CategoryExpanderFunc) *Builder {
+	return &Builder{
+		clientConfigFn:     clientConfigFn,
+		restMapperFn:       restMapper,
+		categoryExpanderFn: categoryExpander,
+		requireObject:      true,
+	}
+}
+
+// noopClientGetter implements RESTClientGetter returning only errors.
+// used as a dummy getter in a local-only builder.
+type noopClientGetter struct{}
+
+func (noopClientGetter) ToRESTConfig() (*rest.Config, error) {
+	return nil, fmt.Errorf("local operation only")
+}
+func (noopClientGetter) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	return nil, fmt.Errorf("local operation only")
+}
+func (noopClientGetter) ToRESTMapper() (meta.RESTMapper, error) {
+	return nil, fmt.Errorf("local operation only")
+}
+
+// NewLocalBuilder returns a builder that is configured not to create REST clients and avoids asking the server for results.
+func NewLocalBuilder() *Builder {
+	return NewBuilder(noopClientGetter{}).Local()
+}
+
+func NewBuilder(restClientGetter RESTClientGetter) *Builder {
+	categoryExpanderFn := func() (restmapper.CategoryExpander, error) {
+		discoveryClient, err := restClientGetter.ToDiscoveryClient()
+		if err != nil {
+			return nil, err
+		}
+		return restmapper.NewDiscoveryCategoryExpander(discoveryClient), err
+	}
+
+	return newBuilder(
+		restClientGetter.ToRESTConfig,
+		restClientGetter.ToRESTMapper,
+		(&cachingCategoryExpanderFunc{delegate: categoryExpanderFn}).ToCategoryExpander,
+	)
+}
+
+func (b *Builder) Schema(schema ContentValidator) *Builder {
+	b.schema = schema
+	return b
+}
+
+func (b *Builder) AddError(err error) *Builder {
+	if err == nil {
+		return b
+	}
+	b.errs = append(b.errs, err)
+	return b
+}
+
+// VisitorConcurrency sets the number of concurrent visitors to use when
+// visiting lists.
+func (b *Builder) VisitorConcurrency(concurrency int) *Builder {
+	b.visitorConcurrency = concurrency
+	return b
+}
+
+// FilenameParam groups input in two categories: URLs and files (files, directories, STDIN)
+// If enforceNamespace is false, namespaces in the specs will be allowed to
+// override the default namespace. If it is true, namespaces that don't match
+// will cause an error.
+// If ContinueOnError() is set prior to this method, objects on the path that are not
+// recognized will be ignored (but logged at V(2)).
+func (b *Builder) FilenameParam(enforceNamespace bool, filenameOptions *FilenameOptions) *Builder {
+	if errs := filenameOptions.validate(); len(errs) > 0 {
+		b.errs = append(b.errs, errs...)
+		return b
+	}
+	recursive := filenameOptions.Recursive
+	paths := filenameOptions.Filenames
+	for _, s := range paths {
+		switch {
+		case s == "-":
+			b.Stdin()
+		case strings.Index(s, "http://") == 0 || strings.Index(s, "https://") == 0:
+			url, err := url.Parse(s)
+			if err != nil {
+				b.errs = append(b.errs, fmt.Errorf("the URL passed to filename %q is not valid: %v", s, err))
+				continue
+			}
+			b.URL(defaultHttpGetAttempts, url)
+		default:
+			matches, err := expandIfFilePattern(s)
+			if err != nil {
+				b.errs = append(b.errs, err)
+				continue
+			}
+			if !recursive && len(matches) == 1 {
+				b.singleItemImplied = true
+			}
+			b.Path(recursive, matches...)
+		}
+	}
+	if filenameOptions.Kustomize != "" {
+		b.paths = append(
+			b.paths,
+			&KustomizeVisitor{
+				mapper:  b.mapper,
+				dirPath: filenameOptions.Kustomize,
+				schema:  b.schema,
+				fSys:    filesys.MakeFsOnDisk(),
+			})
+	}
+
+	if enforceNamespace {
+		b.RequireNamespace()
+	}
+
+	return b
+}
+
+// Unstructured updates the builder so that it will request and send unstructured
+// objects. Unstructured objects preserve all fields sent by the server in a map format
+// based on the object's JSON structure which means no data is lost when the client
+// reads and then writes an object. Use this mode in preference to Internal unless you
+// are working with Go types directly.
+func (b *Builder) Unstructured() *Builder {
+	if b.mapper != nil {
+		b.errs = append(b.errs, fmt.Errorf("another mapper was already selected, cannot use unstructured types"))
+		return b
+	}
+	b.objectTyper = unstructuredscheme.NewUnstructuredObjectTyper()
+	b.mapper = &mapper{
+		localFn:      b.isLocal,
+		restMapperFn: b.restMapperFn,
+		clientFn:     b.getClient,
+		decoder:      &metadataValidatingDecoder{unstructured.UnstructuredJSONScheme},
+	}
+
+	return b
+}
+
+// WithScheme uses the scheme to manage typing, conversion (optional), and decoding.  If decodingVersions
+// is empty, then you can end up with internal types.  You have been warned.
+func (b *Builder) WithScheme(scheme *runtime.Scheme, decodingVersions ...schema.GroupVersion) *Builder {
+	if b.mapper != nil {
+		b.errs = append(b.errs, fmt.Errorf("another mapper was already selected, cannot use internal types"))
+		return b
+	}
+	b.objectTyper = scheme
+	codecFactory := serializer.NewCodecFactory(scheme)
+	negotiatedSerializer := runtime.NegotiatedSerializer(codecFactory)
+	// if you specified versions, you're specifying a desire for external types, which you don't want to round-trip through
+	// internal types
+	if len(decodingVersions) > 0 {
+		negotiatedSerializer = codecFactory.WithoutConversion()
+	}
+	b.negotiatedSerializer = negotiatedSerializer
+
+	b.mapper = &mapper{
+		localFn:      b.isLocal,
+		restMapperFn: b.restMapperFn,
+		clientFn:     b.getClient,
+		decoder:      codecFactory.UniversalDecoder(decodingVersions...),
+	}
+
+	return b
+}
+
+// LocalParam calls Local() if local is true.
+func (b *Builder) LocalParam(local bool) *Builder {
+	if local {
+		b.Local()
+	}
+	return b
+}
+
+// Local will avoid asking the server for results.
+func (b *Builder) Local() *Builder {
+	b.local = true
+	return b
+}
+
+func (b *Builder) isLocal() bool {
+	return b.local
+}
+
+// Mapper returns a copy of the current mapper.
+func (b *Builder) Mapper() *mapper {
+	mapper := *b.mapper
+	return &mapper
+}
+
+// URL accepts a number of URLs directly.
+func (b *Builder) URL(httpAttemptCount int, urls ...*url.URL) *Builder {
+	for _, u := range urls {
+		b.paths = append(b.paths, &URLVisitor{
+			URL:              u,
+			StreamVisitor:    NewStreamVisitor(nil, b.mapper, u.String(), b.schema),
+			HttpAttemptCount: httpAttemptCount,
+		})
+	}
+	return b
+}
+
+// Stdin will read objects from the standard input. If ContinueOnError() is set
+// prior to this method being called, objects in the stream that are unrecognized
+// will be ignored (but logged at V(2)). If StdinInUse() is set prior to this method
+// being called, an error will be recorded as there are multiple entities trying to use
+// the single standard input stream.
+func (b *Builder) Stdin() *Builder {
+	b.stream = true
+	if b.stdinInUse {
+		b.errs = append(b.errs, StdinMultiUseError)
+	}
+	b.stdinInUse = true
+	b.paths = append(b.paths, FileVisitorForSTDIN(b.mapper, b.schema))
+	return b
+}
+
+// StdinInUse will mark standard input as in use by this Builder, and therefore standard
+// input should not be used by another entity. If Stdin() is set prior to this method
+// being called, an error will be recorded as there are multiple entities trying to use
+// the single standard input stream.
+func (b *Builder) StdinInUse() *Builder {
+	if b.stdinInUse {
+		b.errs = append(b.errs, StdinMultiUseError)
+	}
+	b.stdinInUse = true
+	return b
+}
+
+// Stream will read objects from the provided reader, and if an error occurs will
+// include the name string in the error message. If ContinueOnError() is set
+// prior to this method being called, objects in the stream that are unrecognized
+// will be ignored (but logged at V(2)).
+func (b *Builder) Stream(r io.Reader, name string) *Builder {
+	b.stream = true
+	b.paths = append(b.paths, NewStreamVisitor(r, b.mapper, name, b.schema))
+	return b
+}
+
+// Path accepts a set of paths that may be files, directories (all can containing
+// one or more resources). Creates a FileVisitor for each file and then each
+// FileVisitor is streaming the content to a StreamVisitor. If ContinueOnError() is set
+// prior to this method being called, objects on the path that are unrecognized will be
+// ignored (but logged at V(2)).
+func (b *Builder) Path(recursive bool, paths ...string) *Builder {
+	for _, p := range paths {
+		_, err := os.Stat(p)
+		if os.IsNotExist(err) {
+			b.errs = append(b.errs, fmt.Errorf(pathNotExistError, p))
+			continue
+		}
+		if err != nil {
+			b.errs = append(b.errs, fmt.Errorf("the path %q cannot be accessed: %v", p, err))
+			continue
+		}
+
+		visitors, err := ExpandPathsToFileVisitors(b.mapper, p, recursive, FileExtensions, b.schema)
+		if err != nil {
+			b.errs = append(b.errs, fmt.Errorf("error reading %q: %v", p, err))
+		}
+		if len(visitors) > 1 {
+			b.dir = true
+		}
+
+		b.paths = append(b.paths, visitors...)
+	}
+	if len(b.paths) == 0 && len(b.errs) == 0 {
+		b.errs = append(b.errs, fmt.Errorf("error reading %v: recognized file extensions are %v", paths, FileExtensions))
+	}
+	return b
+}
+
+// ResourceTypes is a list of types of resources to operate on, when listing objects on
+// the server or retrieving objects that match a selector.
+func (b *Builder) ResourceTypes(types ...string) *Builder {
+	b.resources = append(b.resources, types...)
+	return b
+}
+
+// ResourceNames accepts a default type and one or more names, and creates tuples of
+// resources
+func (b *Builder) ResourceNames(resource string, names ...string) *Builder {
+	for _, name := range names {
+		// See if this input string is of type/name format
+		tuple, ok, err := splitResourceTypeName(name)
+		if err != nil {
+			b.errs = append(b.errs, err)
+			return b
+		}
+
+		if ok {
+			b.resourceTuples = append(b.resourceTuples, tuple)
+			continue
+		}
+		if len(resource) == 0 {
+			b.errs = append(b.errs, fmt.Errorf("the argument %q must be RESOURCE/NAME", name))
+			continue
+		}
+
+		// Use the given default type to create a resource tuple
+		b.resourceTuples = append(b.resourceTuples, resourceTuple{Resource: resource, Name: name})
+	}
+	return b
+}
+
+// LabelSelectorParam defines a selector that should be applied to the object types to load.
+// This will not affect files loaded from disk or URL. If the parameter is empty it is
+// a no-op - to select all resources invoke `b.LabelSelector(labels.Everything.String)`.
+func (b *Builder) LabelSelectorParam(s string) *Builder {
+	selector := strings.TrimSpace(s)
+	if len(selector) == 0 {
+		return b
+	}
+	if b.selectAll {
+		b.errs = append(b.errs, fmt.Errorf("found non-empty label selector %q with previously set 'all' parameter. ", s))
+		return b
+	}
+	return b.LabelSelector(selector)
+}
+
+// LabelSelector accepts a selector directly and will filter the resulting list by that object.
+// Use LabelSelectorParam instead for user input.
+func (b *Builder) LabelSelector(selector string) *Builder {
+	if len(selector) == 0 {
+		return b
+	}
+
+	b.labelSelector = &selector
+	return b
+}
+
+// FieldSelectorParam defines a selector that should be applied to the object types to load.
+// This will not affect files loaded from disk or URL. If the parameter is empty it is
+// a no-op - to select all resources.
+func (b *Builder) FieldSelectorParam(s string) *Builder {
+	s = strings.TrimSpace(s)
+	if len(s) == 0 {
+		return b
+	}
+	if b.selectAll {
+		b.errs = append(b.errs, fmt.Errorf("found non-empty field selector %q with previously set 'all' parameter. ", s))
+		return b
+	}
+	b.fieldSelector = &s
+	return b
+}
+
+// NamespaceParam accepts the namespace that these resources should be
+// considered under from - used by DefaultNamespace() and RequireNamespace()
+func (b *Builder) NamespaceParam(namespace string) *Builder {
+	b.namespace = namespace
+	return b
+}
+
+// DefaultNamespace instructs the builder to set the namespace value for any object found
+// to NamespaceParam() if empty.
+func (b *Builder) DefaultNamespace() *Builder {
+	b.defaultNamespace = true
+	return b
+}
+
+// AllNamespaces instructs the builder to metav1.NamespaceAll as a namespace to request resources
+// across all of the namespace. This overrides the namespace set by NamespaceParam().
+func (b *Builder) AllNamespaces(allNamespace bool) *Builder {
+	if allNamespace {
+		b.namespace = metav1.NamespaceAll
+	}
+	b.allNamespace = allNamespace
+	return b
+}
+
+// RequireNamespace instructs the builder to set the namespace value for any object found
+// to NamespaceParam() if empty, and if the value on the resource does not match
+// NamespaceParam() an error will be returned.
+func (b *Builder) RequireNamespace() *Builder {
+	b.requireNamespace = true
+	return b
+}
+
+// RequestChunksOf attempts to load responses from the server in batches of size limit
+// to avoid long delays loading and transferring very large lists. If unset defaults to
+// no chunking.
+func (b *Builder) RequestChunksOf(chunkSize int64) *Builder {
+	b.limitChunks = chunkSize
+	return b
+}
+
+// TransformRequests alters API calls made by clients requested from this builder. Pass
+// an empty list to clear modifiers.
+func (b *Builder) TransformRequests(opts ...RequestTransform) *Builder {
+	b.requestTransforms = opts
+	return b
+}
+
+// Subresource instructs the builder to retrieve the object at the
+// subresource path instead of the main resource path.
+func (b *Builder) Subresource(subresource string) *Builder {
+	b.subresource = subresource
+	return b
+}
+
+// SelectEverythingParam
+func (b *Builder) SelectAllParam(selectAll bool) *Builder {
+	if selectAll && (b.labelSelector != nil || b.fieldSelector != nil) {
+		b.errs = append(b.errs, fmt.Errorf("setting 'all' parameter but found a non empty selector. "))
+		return b
+	}
+	b.selectAll = selectAll
+	return b
+}
+
+// ResourceTypeOrNameArgs indicates that the builder should accept arguments
+// of the form `(<type1>[,<type2>,...]|<type> <name1>[,<name2>,...])`. When one argument is
+// received, the types provided will be retrieved from the server (and be comma delimited).
+// When two or more arguments are received, they must be a single type and resource name(s).
+// The allowEmptySelector permits to select all the resources (via Everything func).
+func (b *Builder) ResourceTypeOrNameArgs(allowEmptySelector bool, args ...string) *Builder {
+	args = normalizeMultipleResourcesArgs(args)
+	if ok, err := hasCombinedTypeArgs(args); ok {
+		if err != nil {
+			b.errs = append(b.errs, err)
+			return b
+		}
+		for _, s := range args {
+			tuple, ok, err := splitResourceTypeName(s)
+			if err != nil {
+				b.errs = append(b.errs, err)
+				return b
+			}
+			if ok {
+				b.resourceTuples = append(b.resourceTuples, tuple)
+			}
+		}
+		return b
+	}
+	if len(args) > 0 {
+		// Try replacing aliases only in types
+		args[0] = b.ReplaceAliases(args[0])
+	}
+	switch {
+	case len(args) > 2:
+		b.names = append(b.names, args[1:]...)
+		b.ResourceTypes(SplitResourceArgument(args[0])...)
+	case len(args) == 2:
+		b.names = append(b.names, args[1])
+		b.ResourceTypes(SplitResourceArgument(args[0])...)
+	case len(args) == 1:
+		b.ResourceTypes(SplitResourceArgument(args[0])...)
+		if b.labelSelector == nil && allowEmptySelector {
+			selector := labels.Everything().String()
+			b.labelSelector = &selector
+		}
+	case len(args) == 0:
+	default:
+		b.errs = append(b.errs, fmt.Errorf("arguments must consist of a resource or a resource and name"))
+	}
+	return b
+}
+
+// ReplaceAliases accepts an argument and tries to expand any existing
+// aliases found in it
+func (b *Builder) ReplaceAliases(input string) string {
+	replaced := []string{}
+	for _, arg := range strings.Split(input, ",") {
+		if b.categoryExpanderFn == nil {
+			continue
+		}
+		categoryExpander, err := b.categoryExpanderFn()
+		if err != nil {
+			b.AddError(err)
+			continue
+		}
+
+		if resources, ok := categoryExpander.Expand(arg); ok {
+			asStrings := []string{}
+			for _, resource := range resources {
+				if len(resource.Group) == 0 {
+					asStrings = append(asStrings, resource.Resource)
+					continue
+				}
+				asStrings = append(asStrings, resource.Resource+"."+resource.Group)
+			}
+			arg = strings.Join(asStrings, ",")
+		}
+		replaced = append(replaced, arg)
+	}
+	return strings.Join(replaced, ",")
+}
+
+func hasCombinedTypeArgs(args []string) (bool, error) {
+	hasSlash := 0
+	for _, s := range args {
+		if strings.Contains(s, "/") {
+			hasSlash++
+		}
+	}
+	switch {
+	case hasSlash > 0 && hasSlash == len(args):
+		return true, nil
+	case hasSlash > 0 && hasSlash != len(args):
+		baseCmd := "cmd"
+		if len(os.Args) > 0 {
+			baseCmdSlice := strings.Split(os.Args[0], "/")
+			baseCmd = baseCmdSlice[len(baseCmdSlice)-1]
+		}
+		return true, fmt.Errorf("there is no need to specify a resource type as a separate argument when passing arguments in resource/name form (e.g. '%s get resource/<resource_name>' instead of '%s get resource resource/<resource_name>'", baseCmd, baseCmd)
+	default:
+		return false, nil
+	}
+}
+
+// Normalize args convert multiple resources to resource tuples, a,b,c d
+// as a transform to a/d b/d c/d
+func normalizeMultipleResourcesArgs(args []string) []string {
+	if len(args) >= 2 {
+		resources := []string{}
+		resources = append(resources, SplitResourceArgument(args[0])...)
+		if len(resources) > 1 {
+			names := []string{}
+			names = append(names, args[1:]...)
+			newArgs := []string{}
+			for _, resource := range resources {
+				for _, name := range names {
+					newArgs = append(newArgs, strings.Join([]string{resource, name}, "/"))
+				}
+			}
+			return newArgs
+		}
+	}
+	return args
+}
+
+// splitResourceTypeName handles type/name resource formats and returns a resource tuple
+// (empty or not), whether it successfully found one, and an error
+func splitResourceTypeName(s string) (resourceTuple, bool, error) {
+	if !strings.Contains(s, "/") {
+		return resourceTuple{}, false, nil
+	}
+	seg := strings.Split(s, "/")
+	if len(seg) != 2 {
+		return resourceTuple{}, false, fmt.Errorf("arguments in resource/name form may not have more than one slash")
+	}
+	resource, name := seg[0], seg[1]
+	if len(resource) == 0 || len(name) == 0 || len(SplitResourceArgument(resource)) != 1 {
+		return resourceTuple{}, false, fmt.Errorf("arguments in resource/name form must have a single resource and name")
+	}
+	return resourceTuple{Resource: resource, Name: name}, true, nil
+}
+
+// Flatten will convert any objects with a field named "Items" that is an array of runtime.Object
+// compatible types into individual entries and give them their own items. The original object
+// is not passed to any visitors.
+func (b *Builder) Flatten() *Builder {
+	b.flatten = true
+	return b
+}
+
+// Latest will fetch the latest copy of any objects loaded from URLs or files from the server.
+func (b *Builder) Latest() *Builder {
+	b.latest = true
+	return b
+}
+
+// RequireObject ensures that resulting infos have an object set. If false, resulting info may not have an object set.
+func (b *Builder) RequireObject(require bool) *Builder {
+	b.requireObject = require
+	return b
+}
+
+// ContinueOnError will attempt to load and visit as many objects as possible, even if some visits
+// return errors or some objects cannot be loaded. The default behavior is to terminate after
+// the first error is returned from a VisitorFunc.
+func (b *Builder) ContinueOnError() *Builder {
+	b.continueOnError = true
+	return b
+}
+
+// SingleResourceType will cause the builder to error if the user specifies more than a single type
+// of resource.
+func (b *Builder) SingleResourceType() *Builder {
+	b.singleResourceType = true
+	return b
+}
+
+// mappingFor returns the RESTMapping for the Kind given, or the Kind referenced by the resource.
+// Prefers a fully specified GroupVersionResource match. If one is not found, we match on a fully
+// specified GroupVersionKind, or fallback to a match on GroupKind.
+func (b *Builder) mappingFor(resourceOrKindArg string) (*meta.RESTMapping, error) {
+	fullySpecifiedGVR, groupResource := schema.ParseResourceArg(resourceOrKindArg)
+	gvk := schema.GroupVersionKind{}
+	restMapper, err := b.restMapperFn()
+	if err != nil {
+		return nil, err
+	}
+
+	if fullySpecifiedGVR != nil {
+		gvk, _ = restMapper.KindFor(*fullySpecifiedGVR)
+	}
+	if gvk.Empty() {
+		gvk, _ = restMapper.KindFor(groupResource.WithVersion(""))
+	}
+	if !gvk.Empty() {
+		return restMapper.RESTMapping(gvk.GroupKind(), gvk.Version)
+	}
+
+	fullySpecifiedGVK, groupKind := schema.ParseKindArg(resourceOrKindArg)
+	if fullySpecifiedGVK == nil {
+		gvk := groupKind.WithVersion("")
+		fullySpecifiedGVK = &gvk
+	}
+
+	if !fullySpecifiedGVK.Empty() {
+		if mapping, err := restMapper.RESTMapping(fullySpecifiedGVK.GroupKind(), fullySpecifiedGVK.Version); err == nil {
+			return mapping, nil
+		}
+	}
+
+	mapping, err := restMapper.RESTMapping(groupKind, gvk.Version)
+	if err != nil {
+		// if we error out here, it is because we could not match a resource or a kind
+		// for the given argument. To maintain consistency with previous behavior,
+		// announce that a resource type could not be found.
+		// if the error is _not_ a *meta.NoKindMatchError, then we had trouble doing discovery,
+		// so we should return the original error since it may help a user diagnose what is actually wrong
+		if meta.IsNoMatchError(err) {
+			return nil, fmt.Errorf("the server doesn't have a resource type %q", groupResource.Resource)
+		}
+		return nil, err
+	}
+
+	return mapping, nil
+}
+
+func (b *Builder) resourceMappings() ([]*meta.RESTMapping, error) {
+	if len(b.resources) > 1 && b.singleResourceType {
+		return nil, ErrMultipleResourceTypes
+	}
+	mappings := []*meta.RESTMapping{}
+	seen := map[schema.GroupVersionKind]bool{}
+	for _, r := range b.resources {
+		mapping, err := b.mappingFor(r)
+		if err != nil {
+			return nil, err
+		}
+		// This ensures the mappings for resources(shortcuts, plural) unique
+		if seen[mapping.GroupVersionKind] {
+			continue
+		}
+		seen[mapping.GroupVersionKind] = true
+
+		mappings = append(mappings, mapping)
+	}
+	return mappings, nil
+}
+
+func (b *Builder) resourceTupleMappings() (map[string]*meta.RESTMapping, error) {
+	mappings := make(map[string]*meta.RESTMapping)
+	canonical := make(map[schema.GroupVersionResource]struct{})
+	for _, r := range b.resourceTuples {
+		if _, ok := mappings[r.Resource]; ok {
+			continue
+		}
+		mapping, err := b.mappingFor(r.Resource)
+		if err != nil {
+			return nil, err
+		}
+
+		mappings[r.Resource] = mapping
+		canonical[mapping.Resource] = struct{}{}
+	}
+	if len(canonical) > 1 && b.singleResourceType {
+		return nil, ErrMultipleResourceTypes
+	}
+	return mappings, nil
+}
+
+func (b *Builder) visitorResult() *Result {
+	if len(b.errs) > 0 {
+		return &Result{err: utilerrors.NewAggregate(b.errs)}
+	}
+
+	if b.selectAll {
+		selector := labels.Everything().String()
+		b.labelSelector = &selector
+	}
+
+	// visit items specified by paths
+	if len(b.paths) != 0 {
+		return b.visitByPaths()
+	}
+
+	// visit selectors
+	if b.labelSelector != nil || b.fieldSelector != nil {
+		return b.visitBySelector()
+	}
+
+	// visit items specified by resource and name
+	if len(b.resourceTuples) != 0 {
+		return b.visitByResource()
+	}
+
+	// visit items specified by name
+	if len(b.names) != 0 {
+		return b.visitByName()
+	}
+
+	if len(b.resources) != 0 {
+		for _, r := range b.resources {
+			_, err := b.mappingFor(r)
+			if err != nil {
+				return &Result{err: err}
+			}
+		}
+		return &Result{err: fmt.Errorf("resource(s) were provided, but no name was specified")}
+	}
+	return &Result{err: missingResourceError}
+}
+
+func (b *Builder) visitBySelector() *Result {
+	result := &Result{
+		targetsSingleItems: false,
+	}
+
+	if len(b.names) != 0 {
+		return result.withError(fmt.Errorf("name cannot be provided when a selector is specified"))
+	}
+	if len(b.resourceTuples) != 0 {
+		return result.withError(fmt.Errorf("selectors and the all flag cannot be used when passing resource/name arguments"))
+	}
+	if len(b.resources) == 0 {
+		return result.withError(fmt.Errorf("at least one resource must be specified to use a selector"))
+	}
+	if len(b.subresource) != 0 {
+		return result.withError(fmt.Errorf("subresource cannot be used when bulk resources are specified"))
+	}
+
+	mappings, err := b.resourceMappings()
+	if err != nil {
+		result.err = err
+		return result
+	}
+
+	var labelSelector, fieldSelector string
+	if b.labelSelector != nil {
+		labelSelector = *b.labelSelector
+	}
+	if b.fieldSelector != nil {
+		fieldSelector = *b.fieldSelector
+	}
+
+	visitors := []Visitor{}
+	for _, mapping := range mappings {
+		client, err := b.getClient(mapping.GroupVersionKind.GroupVersion())
+		if err != nil {
+			result.err = err
+			return result
+		}
+		selectorNamespace := b.namespace
+		if mapping.Scope.Name() != meta.RESTScopeNameNamespace {
+			selectorNamespace = ""
+		}
+		visitors = append(visitors, NewSelector(client, mapping, selectorNamespace, labelSelector, fieldSelector, b.limitChunks))
+	}
+	if b.continueOnError {
+		result.visitor = EagerVisitorList(visitors)
+	} else {
+		result.visitor = VisitorList(visitors)
+	}
+	result.sources = visitors
+	return result
+}
+
+func (b *Builder) getClient(gv schema.GroupVersion) (RESTClient, error) {
+	var (
+		client RESTClient
+		err    error
+	)
+
+	switch {
+	case b.fakeClientFn != nil:
+		client, err = b.fakeClientFn(gv)
+	case b.negotiatedSerializer != nil:
+		client, err = b.clientConfigFn.withStdinUnavailable(b.stdinInUse).clientForGroupVersion(gv, b.negotiatedSerializer)
+	default:
+		client, err = b.clientConfigFn.withStdinUnavailable(b.stdinInUse).unstructuredClientForGroupVersion(gv)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return NewClientWithOptions(client, b.requestTransforms...), nil
+}
+
+func (b *Builder) visitByResource() *Result {
+	// if b.singleItemImplied is false, this could be by default, so double-check length
+	// of resourceTuples to determine if in fact it is singleItemImplied or not
+	isSingleItemImplied := b.singleItemImplied
+	if !isSingleItemImplied {
+		isSingleItemImplied = len(b.resourceTuples) == 1
+	}
+
+	result := &Result{
+		singleItemImplied:  isSingleItemImplied,
+		targetsSingleItems: true,
+	}
+
+	if len(b.resources) != 0 {
+		return result.withError(fmt.Errorf("you may not specify individual resources and bulk resources in the same call"))
+	}
+
+	// retrieve one client for each resource
+	mappings, err := b.resourceTupleMappings()
+	if err != nil {
+		result.err = err
+		return result
+	}
+	clients := make(map[string]RESTClient)
+	for _, mapping := range mappings {
+		s := fmt.Sprintf("%s/%s", mapping.GroupVersionKind.GroupVersion().String(), mapping.Resource.Resource)
+		if _, ok := clients[s]; ok {
+			continue
+		}
+		client, err := b.getClient(mapping.GroupVersionKind.GroupVersion())
+		if err != nil {
+			result.err = err
+			return result
+		}
+		clients[s] = client
+	}
+
+	items := []Visitor{}
+	for _, tuple := range b.resourceTuples {
+		mapping, ok := mappings[tuple.Resource]
+		if !ok {
+			return result.withError(fmt.Errorf("resource %q is not recognized: %v", tuple.Resource, mappings))
+		}
+		s := fmt.Sprintf("%s/%s", mapping.GroupVersionKind.GroupVersion().String(), mapping.Resource.Resource)
+		client, ok := clients[s]
+		if !ok {
+			return result.withError(fmt.Errorf("could not find a client for resource %q", tuple.Resource))
+		}
+
+		selectorNamespace := b.namespace
+		if mapping.Scope.Name() != meta.RESTScopeNameNamespace {
+			selectorNamespace = ""
+		} else {
+			if len(b.namespace) == 0 {
+				errMsg := "namespace may not be empty when retrieving a resource by name"
+				if b.allNamespace {
+					errMsg = "a resource cannot be retrieved by name across all namespaces"
+				}
+				return result.withError(errors.New(errMsg))
+			}
+		}
+
+		info := &Info{
+			Client:      client,
+			Mapping:     mapping,
+			Namespace:   selectorNamespace,
+			Name:        tuple.Name,
+			Subresource: b.subresource,
+		}
+		items = append(items, info)
+	}
+
+	var visitors Visitor
+	if b.continueOnError {
+		visitors = EagerVisitorList(items)
+	} else {
+		visitors = VisitorList(items)
+	}
+	result.visitor = visitors
+	result.sources = items
+	return result
+}
+
+func (b *Builder) visitByName() *Result {
+	result := &Result{
+		singleItemImplied:  len(b.names) == 1,
+		targetsSingleItems: true,
+	}
+
+	if len(b.paths) != 0 {
+		return result.withError(fmt.Errorf("when paths, URLs, or stdin is provided as input, you may not specify a resource by arguments as well"))
+	}
+	if len(b.resources) == 0 {
+		return result.withError(fmt.Errorf("you must provide a resource and a resource name together"))
+	}
+	if len(b.resources) > 1 {
+		return result.withError(fmt.Errorf("you must specify only one resource"))
+	}
+
+	mappings, err := b.resourceMappings()
+	if err != nil {
+		result.err = err
+		return result
+	}
+	mapping := mappings[0]
+
+	client, err := b.getClient(mapping.GroupVersionKind.GroupVersion())
+	if err != nil {
+		result.err = err
+		return result
+	}
+
+	selectorNamespace := b.namespace
+	if mapping.Scope.Name() != meta.RESTScopeNameNamespace {
+		selectorNamespace = ""
+	} else {
+		if len(b.namespace) == 0 {
+			errMsg := "namespace may not be empty when retrieving a resource by name"
+			if b.allNamespace {
+				errMsg = "a resource cannot be retrieved by name across all namespaces"
+			}
+			return result.withError(errors.New(errMsg))
+		}
+	}
+
+	visitors := []Visitor{}
+	for _, name := range b.names {
+		info := &Info{
+			Client:      client,
+			Mapping:     mapping,
+			Namespace:   selectorNamespace,
+			Name:        name,
+			Subresource: b.subresource,
+		}
+		visitors = append(visitors, info)
+	}
+	result.visitor = VisitorList(visitors)
+	result.sources = visitors
+	return result
+}
+
+func (b *Builder) visitByPaths() *Result {
+	result := &Result{
+		singleItemImplied:  !b.dir && !b.stream && len(b.paths) == 1,
+		targetsSingleItems: true,
+	}
+
+	if len(b.resources) != 0 {
+		return result.withError(fmt.Errorf("when paths, URLs, or stdin is provided as input, you may not specify resource arguments as well"))
+	}
+	if len(b.names) != 0 {
+		return result.withError(fmt.Errorf("name cannot be provided when a path is specified"))
+	}
+	if len(b.resourceTuples) != 0 {
+		return result.withError(fmt.Errorf("resource/name arguments cannot be provided when a path is specified"))
+	}
+
+	var visitors Visitor
+	if b.continueOnError {
+		visitors = EagerVisitorList(b.paths)
+	} else {
+		visitors = ConcurrentVisitorList{
+			visitors:    b.paths,
+			concurrency: b.visitorConcurrency,
+		}
+	}
+
+	if b.flatten {
+		visitors = NewFlattenListVisitor(visitors, b.objectTyper, b.mapper)
+	}
+
+	// only items from disk can be refetched
+	if b.latest {
+		// must set namespace prior to fetching
+		if b.defaultNamespace {
+			visitors = NewDecoratedVisitor(visitors, SetNamespace(b.namespace))
+		}
+		visitors = NewDecoratedVisitor(visitors, RetrieveLatest)
+	}
+	if b.labelSelector != nil {
+		selector, err := labels.Parse(*b.labelSelector)
+		if err != nil {
+			return result.withError(fmt.Errorf("the provided selector %q is not valid: %v", *b.labelSelector, err))
+		}
+		visitors = NewFilteredVisitor(visitors, FilterByLabelSelector(selector))
+	}
+	result.visitor = visitors
+	result.sources = b.paths
+	return result
+}
+
+// Do returns a Result object with a Visitor for the resources identified by the Builder.
+// The visitor will respect the error behavior specified by ContinueOnError. Note that stream
+// inputs are consumed by the first execution - use Infos() or Object() on the Result to capture a list
+// for further iteration.
+func (b *Builder) Do() *Result {
+	r := b.visitorResult()
+	r.mapper = b.Mapper()
+	if r.err != nil {
+		return r
+	}
+	if b.flatten {
+		r.visitor = NewFlattenListVisitor(r.visitor, b.objectTyper, b.mapper)
+	}
+	helpers := []VisitorFunc{}
+	if b.defaultNamespace {
+		helpers = append(helpers, SetNamespace(b.namespace))
+	}
+	if b.requireNamespace {
+		helpers = append(helpers, RequireNamespace(b.namespace))
+	}
+	helpers = append(helpers, FilterNamespace)
+	if b.requireObject {
+		helpers = append(helpers, RetrieveLazy)
+	}
+	if b.continueOnError {
+		r.visitor = ContinueOnErrorVisitor{Visitor: r.visitor}
+	}
+	r.visitor = NewDecoratedVisitor(r.visitor, helpers...)
+	return r
+}
+
+// SplitResourceArgument splits the argument with commas and returns unique
+// strings in the original order.
+func SplitResourceArgument(arg string) []string {
+	out := []string{}
+	set := sets.New[string]()
+	for _, s := range strings.Split(arg, ",") {
+		if set.Has(s) {
+			continue
+		}
+		set.Insert(s)
+		out = append(out, s)
+	}
+	return out
+}
+
+// HasNames returns true if the provided args contain resource names
+func HasNames(args []string) (bool, error) {
+	args = normalizeMultipleResourcesArgs(args)
+	hasCombinedTypes, err := hasCombinedTypeArgs(args)
+	if err != nil {
+		return false, err
+	}
+	return hasCombinedTypes || len(args) > 1, nil
+}
+
+// expandIfFilePattern returns all the filenames that match the input pattern
+// or the filename if it is a specific filename and not a pattern.
+// If the input is a pattern and it yields no result it will result in an error.
+func expandIfFilePattern(pattern string) ([]string, error) {
+	if _, err := os.Stat(pattern); os.IsNotExist(err) {
+		matches, err := filepath.Glob(pattern)
+		if err == nil && len(matches) == 0 {
+			return nil, fmt.Errorf(pathNotExistError, pattern)
+		}
+		if err == filepath.ErrBadPattern {
+			return nil, fmt.Errorf("pattern %q is not valid: %v", pattern, err)
+		}
+		return matches, err
+	}
+	return []string{pattern}, nil
+}
+
+type cachingCategoryExpanderFunc struct {
+	delegate CategoryExpanderFunc
+
+	lock   sync.Mutex
+	cached restmapper.CategoryExpander
+}
+
+func (c *cachingCategoryExpanderFunc) ToCategoryExpander() (restmapper.CategoryExpander, error) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	if c.cached != nil {
+		return c.cached, nil
+	}
+
+	ret, err := c.delegate()
+	if err != nil {
+		return nil, err
+	}
+	c.cached = ret
+	return c.cached, nil
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/client.go b/vendor/k8s.io/cli-runtime/pkg/resource/client.go
new file mode 100644
index 0000000000..cd52c30431
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/client.go
@@ -0,0 +1,69 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/rest"
+)
+
+// TODO require negotiatedSerializer.  leaving it optional lets us plumb current behavior and deal with the difference after major plumbing is complete
+func (clientConfigFn ClientConfigFunc) clientForGroupVersion(gv schema.GroupVersion, negotiatedSerializer runtime.NegotiatedSerializer) (RESTClient, error) {
+	cfg, err := clientConfigFn()
+	if err != nil {
+		return nil, err
+	}
+	if negotiatedSerializer != nil {
+		cfg.ContentConfig.NegotiatedSerializer = negotiatedSerializer
+	}
+	cfg.GroupVersion = &gv
+	if len(gv.Group) == 0 {
+		cfg.APIPath = "/api"
+	} else {
+		cfg.APIPath = "/apis"
+	}
+
+	return rest.RESTClientFor(cfg)
+}
+
+func (clientConfigFn ClientConfigFunc) unstructuredClientForGroupVersion(gv schema.GroupVersion) (RESTClient, error) {
+	cfg, err := clientConfigFn()
+	if err != nil {
+		return nil, err
+	}
+	cfg.ContentConfig = UnstructuredPlusDefaultContentConfig()
+	cfg.GroupVersion = &gv
+	if len(gv.Group) == 0 {
+		cfg.APIPath = "/api"
+	} else {
+		cfg.APIPath = "/apis"
+	}
+
+	return rest.RESTClientFor(cfg)
+}
+
+func (clientConfigFn ClientConfigFunc) withStdinUnavailable(stdinUnavailable bool) ClientConfigFunc {
+	return func() (*rest.Config, error) {
+		cfg, err := clientConfigFn()
+		if stdinUnavailable && cfg != nil && cfg.ExecProvider != nil {
+			cfg.ExecProvider.StdinUnavailable = stdinUnavailable
+			cfg.ExecProvider.StdinUnavailableMessage = "used by stdin resource manifest reader"
+		}
+		return cfg, err
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/crd_finder.go b/vendor/k8s.io/cli-runtime/pkg/resource/crd_finder.go
new file mode 100644
index 0000000000..4694f7791a
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/crd_finder.go
@@ -0,0 +1,110 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+)
+
+// CRDGetter is a function that can download the list of GVK for all
+// CRDs.
+type CRDGetter func() ([]schema.GroupKind, error)
+
+func CRDFromDynamic(client dynamic.Interface) CRDGetter {
+	return func() ([]schema.GroupKind, error) {
+		list, err := client.Resource(schema.GroupVersionResource{
+			Group:    "apiextensions.k8s.io",
+			Version:  "v1",
+			Resource: "customresourcedefinitions",
+		}).List(context.TODO(), metav1.ListOptions{})
+		if err != nil {
+			return nil, fmt.Errorf("failed to list CRDs: %v", err)
+		}
+		if list == nil {
+			return nil, nil
+		}
+
+		gks := []schema.GroupKind{}
+
+		// We need to parse the list to get the gvk, I guess that's fine.
+		for _, crd := range (*list).Items {
+			// Look for group, version, and kind
+			group, _, _ := unstructured.NestedString(crd.Object, "spec", "group")
+			kind, _, _ := unstructured.NestedString(crd.Object, "spec", "names", "kind")
+
+			gks = append(gks, schema.GroupKind{
+				Group: group,
+				Kind:  kind,
+			})
+		}
+
+		return gks, nil
+	}
+}
+
+// CRDFinder keeps a cache of known CRDs and finds a given GVK in the
+// list.
+type CRDFinder interface {
+	HasCRD(gvk schema.GroupKind) (bool, error)
+}
+
+func NewCRDFinder(getter CRDGetter) CRDFinder {
+	return &crdFinder{
+		getter: getter,
+	}
+}
+
+type crdFinder struct {
+	getter CRDGetter
+	cache  *[]schema.GroupKind
+}
+
+func (f *crdFinder) cacheCRDs() error {
+	if f.cache != nil {
+		return nil
+	}
+
+	list, err := f.getter()
+	if err != nil {
+		return err
+	}
+	f.cache = &list
+	return nil
+}
+
+func (f *crdFinder) findCRD(gvk schema.GroupKind) bool {
+	for _, crd := range *f.cache {
+		if reflect.DeepEqual(gvk, crd) {
+			return true
+		}
+	}
+	return false
+}
+
+func (f *crdFinder) HasCRD(gvk schema.GroupKind) (bool, error) {
+	if err := f.cacheCRDs(); err != nil {
+		return false, err
+	}
+	return f.findCRD(gvk), nil
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/doc.go b/vendor/k8s.io/cli-runtime/pkg/resource/doc.go
new file mode 100644
index 0000000000..a0e22e7cf7
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/doc.go
@@ -0,0 +1,24 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package resource assists clients in dealing with RESTful objects that match the
+// Kubernetes API conventions. The Helper object provides simple CRUD operations
+// on resources. The Visitor interface makes it easy to deal with multiple resources
+// in bulk for retrieval and operation. The Builder object simplifies converting
+// standard command line arguments and parameters into a Visitor that can iterate
+// over all of the identified resources, whether on the server or on the local
+// filesystem.
+package resource
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/fake.go b/vendor/k8s.io/cli-runtime/pkg/resource/fake.go
new file mode 100644
index 0000000000..276c343e21
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/fake.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/restmapper"
+)
+
+// FakeCategoryExpander is for testing only
+var FakeCategoryExpander restmapper.CategoryExpander = restmapper.SimpleCategoryExpander{
+	Expansions: map[string][]schema.GroupResource{
+		"all": {
+			{Group: "", Resource: "pods"},
+			{Group: "", Resource: "replicationcontrollers"},
+			{Group: "", Resource: "services"},
+			{Group: "apps", Resource: "statefulsets"},
+			{Group: "autoscaling", Resource: "horizontalpodautoscalers"},
+			{Group: "batch", Resource: "jobs"},
+			{Group: "batch", Resource: "cronjobs"},
+			{Group: "extensions", Resource: "daemonsets"},
+			{Group: "extensions", Resource: "deployments"},
+			{Group: "extensions", Resource: "replicasets"},
+		},
+	},
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/fallback_query_param_verifier.go b/vendor/k8s.io/cli-runtime/pkg/resource/fallback_query_param_verifier.go
new file mode 100644
index 0000000000..05418801e8
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/fallback_query_param_verifier.go
@@ -0,0 +1,59 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/klog/v2"
+)
+
+// fallbackQueryParamVerifier encapsulates the primary Verifier that
+// is invoked, and the secondary/fallback Verifier.
+type fallbackQueryParamVerifier struct {
+	primary   Verifier
+	secondary Verifier
+}
+
+var _ Verifier = &fallbackQueryParamVerifier{}
+
+// NewFallbackQueryParamVerifier returns a new Verifier which will invoke the
+// initial/primary Verifier. If the primary Verifier is "NotFound", then the
+// secondary Verifier is invoked as a fallback.
+func NewFallbackQueryParamVerifier(primary Verifier, secondary Verifier) Verifier {
+	return &fallbackQueryParamVerifier{
+		primary:   primary,
+		secondary: secondary,
+	}
+}
+
+// HasSupport returns an error if the passed GVK does not support the
+// query param (fieldValidation), as determined by the primary and
+// secondary OpenAPI endpoints. The primary endoint is checked first,
+// but if there is an error retrieving the OpenAPI V3 document, the
+// secondary attempts to determine support. If the GVK supports the query param,
+// nil is returned.
+func (f *fallbackQueryParamVerifier) HasSupport(gvk schema.GroupVersionKind) error {
+	err := f.primary.HasSupport(gvk)
+	// If an error was returned from the primary OpenAPI endpoint,
+	// we fallback to check the secondary OpenAPI endpoint for
+	// any error *except* "paramUnsupportedError".
+	if err != nil && !IsParamUnsupportedError(err) {
+		klog.V(7).Infof("openapi v3 error...falling back to legacy: %s", err)
+		err = f.secondary.HasSupport(gvk)
+	}
+	return err
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/helper.go b/vendor/k8s.io/cli-runtime/pkg/resource/helper.go
new file mode 100644
index 0000000000..aa400ae0e6
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/helper.go
@@ -0,0 +1,321 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"context"
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+var metadataAccessor = meta.NewAccessor()
+
+// Helper provides methods for retrieving or mutating a RESTful
+// resource.
+type Helper struct {
+	// The name of this resource as the server would recognize it
+	Resource string
+	// The name of the subresource as the server would recognize it
+	Subresource string
+	// A RESTClient capable of mutating this resource.
+	RESTClient RESTClient
+	// True if the resource type is scoped to namespaces
+	NamespaceScoped bool
+	// If true, then use server-side dry-run to not persist changes to storage
+	// for verbs and resources that support server-side dry-run.
+	//
+	// Note this should only be used against an apiserver with dry-run enabled,
+	// and on resources that support dry-run. If the apiserver or the resource
+	// does not support dry-run, then the change will be persisted to storage.
+	ServerDryRun bool
+
+	// FieldManager is the name associated with the actor or entity that is making
+	// changes.
+	FieldManager string
+
+	// FieldValidation is the directive used to indicate how the server should perform
+	// field validation (Ignore, Warn, or Strict)
+	FieldValidation string
+}
+
+// NewHelper creates a Helper from a ResourceMapping
+func NewHelper(client RESTClient, mapping *meta.RESTMapping) *Helper {
+	return &Helper{
+		Resource:        mapping.Resource.Resource,
+		RESTClient:      client,
+		NamespaceScoped: mapping.Scope.Name() == meta.RESTScopeNameNamespace,
+	}
+}
+
+// DryRun, if true, will use server-side dry-run to not persist changes to storage.
+// Otherwise, changes will be persisted to storage.
+func (m *Helper) DryRun(dryRun bool) *Helper {
+	m.ServerDryRun = dryRun
+	return m
+}
+
+// WithFieldManager sets the field manager option to indicate the actor or entity
+// that is making changes in a create or update operation.
+func (m *Helper) WithFieldManager(fieldManager string) *Helper {
+	m.FieldManager = fieldManager
+	return m
+}
+
+// WithFieldValidation sets the field validation option to indicate
+// how the server should perform field validation (Ignore, Warn, or Strict).
+func (m *Helper) WithFieldValidation(validationDirective string) *Helper {
+	m.FieldValidation = validationDirective
+	return m
+}
+
+// Subresource sets the helper to access (<resource>/[ns/<namespace>/]<name>/<subresource>)
+func (m *Helper) WithSubresource(subresource string) *Helper {
+	m.Subresource = subresource
+	return m
+}
+
+func (m *Helper) Get(namespace, name string) (runtime.Object, error) {
+	req := m.RESTClient.Get().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		Name(name).
+		SubResource(m.Subresource)
+	return req.Do(context.TODO()).Get()
+}
+
+func (m *Helper) List(namespace, apiVersion string, options *metav1.ListOptions) (runtime.Object, error) {
+	req := m.RESTClient.Get().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		VersionedParams(options, metav1.ParameterCodec)
+	return req.Do(context.TODO()).Get()
+}
+
+// FollowContinue handles the continue parameter returned by the API server when using list
+// chunking. To take advantage of this, the initial ListOptions provided by the consumer
+// should include a non-zero Limit parameter.
+func FollowContinue(initialOpts *metav1.ListOptions,
+	listFunc func(metav1.ListOptions) (runtime.Object, error)) error {
+	opts := initialOpts
+	for {
+		list, err := listFunc(*opts)
+		if err != nil {
+			return err
+		}
+		nextContinueToken, _ := metadataAccessor.Continue(list)
+		if len(nextContinueToken) == 0 {
+			return nil
+		}
+		opts.Continue = nextContinueToken
+	}
+}
+
+// EnhanceListError augments errors typically returned by List operations with additional context,
+// making sure to retain the StatusError type when applicable.
+func EnhanceListError(err error, opts metav1.ListOptions, subj string) error {
+	if apierrors.IsResourceExpired(err) {
+		return err
+	}
+	if apierrors.IsBadRequest(err) || apierrors.IsNotFound(err) {
+		if se, ok := err.(*apierrors.StatusError); ok {
+			// modify the message without hiding this is an API error
+			if len(opts.LabelSelector) == 0 && len(opts.FieldSelector) == 0 {
+				se.ErrStatus.Message = fmt.Sprintf("Unable to list %q: %v", subj,
+					se.ErrStatus.Message)
+			} else {
+				se.ErrStatus.Message = fmt.Sprintf(
+					"Unable to find %q that match label selector %q, field selector %q: %v", subj,
+					opts.LabelSelector,
+					opts.FieldSelector, se.ErrStatus.Message)
+			}
+			return se
+		}
+		if len(opts.LabelSelector) == 0 && len(opts.FieldSelector) == 0 {
+			return fmt.Errorf("Unable to list %q: %v", subj, err)
+		}
+		return fmt.Errorf("Unable to find %q that match label selector %q, field selector %q: %v",
+			subj, opts.LabelSelector, opts.FieldSelector, err)
+	}
+	return err
+}
+
+func (m *Helper) Watch(namespace, apiVersion string, options *metav1.ListOptions) (watch.Interface, error) {
+	options.Watch = true
+	return m.RESTClient.Get().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		VersionedParams(options, metav1.ParameterCodec).
+		Watch(context.TODO())
+}
+
+func (m *Helper) WatchSingle(namespace, name, resourceVersion string) (watch.Interface, error) {
+	return m.RESTClient.Get().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		VersionedParams(&metav1.ListOptions{
+			ResourceVersion: resourceVersion,
+			Watch:           true,
+			FieldSelector:   fields.OneTermEqualSelector("metadata.name", name).String(),
+		}, metav1.ParameterCodec).
+		Watch(context.TODO())
+}
+
+func (m *Helper) Delete(namespace, name string) (runtime.Object, error) {
+	return m.DeleteWithOptions(namespace, name, nil)
+}
+
+func (m *Helper) DeleteWithOptions(namespace, name string, options *metav1.DeleteOptions) (runtime.Object, error) {
+	if options == nil {
+		options = &metav1.DeleteOptions{}
+	}
+	if m.ServerDryRun {
+		options.DryRun = []string{metav1.DryRunAll}
+	}
+
+	return m.RESTClient.Delete().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		Name(name).
+		Body(options).
+		Do(context.TODO()).
+		Get()
+}
+
+func (m *Helper) Create(namespace string, modify bool, obj runtime.Object) (runtime.Object, error) {
+	return m.CreateWithOptions(namespace, modify, obj, nil)
+}
+
+func (m *Helper) CreateWithOptions(namespace string, modify bool, obj runtime.Object, options *metav1.CreateOptions) (runtime.Object, error) {
+	if options == nil {
+		options = &metav1.CreateOptions{}
+	}
+	if m.ServerDryRun {
+		options.DryRun = []string{metav1.DryRunAll}
+	}
+	if m.FieldManager != "" {
+		options.FieldManager = m.FieldManager
+	}
+	if m.FieldValidation != "" {
+		options.FieldValidation = m.FieldValidation
+	}
+	if modify {
+		// Attempt to version the object based on client logic.
+		version, err := metadataAccessor.ResourceVersion(obj)
+		if err != nil {
+			// We don't know how to clear the version on this object, so send it to the server as is
+			return m.createResource(m.RESTClient, m.Resource, namespace, obj, options)
+		}
+		if version != "" {
+			if err := metadataAccessor.SetResourceVersion(obj, ""); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	return m.createResource(m.RESTClient, m.Resource, namespace, obj, options)
+}
+
+func (m *Helper) createResource(c RESTClient, resource, namespace string, obj runtime.Object, options *metav1.CreateOptions) (runtime.Object, error) {
+	return c.Post().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(resource).
+		VersionedParams(options, metav1.ParameterCodec).
+		Body(obj).
+		Do(context.TODO()).
+		Get()
+}
+func (m *Helper) Patch(namespace, name string, pt types.PatchType, data []byte, options *metav1.PatchOptions) (runtime.Object, error) {
+	if options == nil {
+		options = &metav1.PatchOptions{}
+	}
+	if m.ServerDryRun {
+		options.DryRun = []string{metav1.DryRunAll}
+	}
+	if m.FieldManager != "" {
+		options.FieldManager = m.FieldManager
+	}
+	if m.FieldValidation != "" {
+		options.FieldValidation = m.FieldValidation
+	}
+	return m.RESTClient.Patch(pt).
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(m.Resource).
+		Name(name).
+		SubResource(m.Subresource).
+		VersionedParams(options, metav1.ParameterCodec).
+		Body(data).
+		Do(context.TODO()).
+		Get()
+}
+
+func (m *Helper) Replace(namespace, name string, overwrite bool, obj runtime.Object) (runtime.Object, error) {
+	c := m.RESTClient
+	var options = &metav1.UpdateOptions{}
+	if m.ServerDryRun {
+		options.DryRun = []string{metav1.DryRunAll}
+	}
+	if m.FieldManager != "" {
+		options.FieldManager = m.FieldManager
+	}
+	if m.FieldValidation != "" {
+		options.FieldValidation = m.FieldValidation
+	}
+
+	// Attempt to version the object based on client logic.
+	version, err := metadataAccessor.ResourceVersion(obj)
+	if err != nil {
+		// We don't know how to version this object, so send it to the server as is
+		return m.replaceResource(c, m.Resource, namespace, name, obj, options)
+	}
+	if version == "" && overwrite {
+		// Retrieve the current version of the object to overwrite the server object
+		serverObj, err := c.Get().NamespaceIfScoped(namespace, m.NamespaceScoped).Resource(m.Resource).Name(name).SubResource(m.Subresource).Do(context.TODO()).Get()
+		if err != nil {
+			// The object does not exist, but we want it to be created
+			return m.replaceResource(c, m.Resource, namespace, name, obj, options)
+		}
+		serverVersion, err := metadataAccessor.ResourceVersion(serverObj)
+		if err != nil {
+			return nil, err
+		}
+		if err := metadataAccessor.SetResourceVersion(obj, serverVersion); err != nil {
+			return nil, err
+		}
+	}
+
+	return m.replaceResource(c, m.Resource, namespace, name, obj, options)
+}
+
+func (m *Helper) replaceResource(c RESTClient, resource, namespace, name string, obj runtime.Object, options *metav1.UpdateOptions) (runtime.Object, error) {
+	return c.Put().
+		NamespaceIfScoped(namespace, m.NamespaceScoped).
+		Resource(resource).
+		Name(name).
+		SubResource(m.Subresource).
+		VersionedParams(options, metav1.ParameterCodec).
+		Body(obj).
+		Do(context.TODO()).
+		Get()
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/interfaces.go b/vendor/k8s.io/cli-runtime/pkg/resource/interfaces.go
new file mode 100644
index 0000000000..29d7b34ab6
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/interfaces.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+)
+
+type RESTClientGetter interface {
+	ToRESTConfig() (*rest.Config, error)
+	ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error)
+	ToRESTMapper() (meta.RESTMapper, error)
+}
+
+type ClientConfigFunc func() (*rest.Config, error)
+type RESTMapperFunc func() (meta.RESTMapper, error)
+type CategoryExpanderFunc func() (restmapper.CategoryExpander, error)
+
+// RESTClient is a client helper for dealing with RESTful resources
+// in a generic way.
+type RESTClient interface {
+	Get() *rest.Request
+	Post() *rest.Request
+	Patch(types.PatchType) *rest.Request
+	Delete() *rest.Request
+	Put() *rest.Request
+}
+
+// RequestTransform is a function that is given a chance to modify the outgoing request.
+type RequestTransform func(*rest.Request)
+
+// NewClientWithOptions wraps the provided RESTClient and invokes each transform on each
+// newly created request.
+func NewClientWithOptions(c RESTClient, transforms ...RequestTransform) RESTClient {
+	if len(transforms) == 0 {
+		return c
+	}
+	return &clientOptions{c: c, transforms: transforms}
+}
+
+type clientOptions struct {
+	c          RESTClient
+	transforms []RequestTransform
+}
+
+func (c *clientOptions) modify(req *rest.Request) *rest.Request {
+	for _, transform := range c.transforms {
+		transform(req)
+	}
+	return req
+}
+
+func (c *clientOptions) Get() *rest.Request {
+	return c.modify(c.c.Get())
+}
+
+func (c *clientOptions) Post() *rest.Request {
+	return c.modify(c.c.Post())
+}
+func (c *clientOptions) Patch(t types.PatchType) *rest.Request {
+	return c.modify(c.c.Patch(t))
+}
+func (c *clientOptions) Delete() *rest.Request {
+	return c.modify(c.c.Delete())
+}
+func (c *clientOptions) Put() *rest.Request {
+	return c.modify(c.c.Put())
+}
+
+// ContentValidator is an interface that knows how to validate an API object serialized to a byte array.
+type ContentValidator interface {
+	ValidateBytes(data []byte) error
+}
+
+// Visitor lets clients walk a list of resources.
+type Visitor interface {
+	Visit(VisitorFunc) error
+}
+
+// VisitorFunc implements the Visitor interface for a matching function.
+// If there was a problem walking a list of resources, the incoming error
+// will describe the problem and the function can decide how to handle that error.
+// A nil returned indicates to accept an error to continue loops even when errors happen.
+// This is useful for ignoring certain kinds of errors or aggregating errors in some way.
+type VisitorFunc func(*Info, error) error
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/kustomizevisitor.go b/vendor/k8s.io/cli-runtime/pkg/resource/kustomizevisitor.go
new file mode 100644
index 0000000000..32895ea4f2
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/kustomizevisitor.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"bytes"
+
+	"sigs.k8s.io/kustomize/api/krusty"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// KustomizeVisitor handles kustomization.yaml files.
+type KustomizeVisitor struct {
+	mapper *mapper
+	schema ContentValidator
+	// Directory expected to contain a kustomization file.
+	dirPath string
+	// File system containing dirPath.
+	fSys filesys.FileSystem
+	// Holds result of kustomize build, retained for tests.
+	yml []byte
+}
+
+// Visit passes the result of a kustomize build to a StreamVisitor.
+func (v *KustomizeVisitor) Visit(fn VisitorFunc) error {
+	kOpts := krusty.MakeDefaultOptions()
+	kOpts.Reorder = krusty.ReorderOptionLegacy
+	k := krusty.MakeKustomizer(kOpts)
+	m, err := k.Run(v.fSys, v.dirPath)
+	if err != nil {
+		return err
+	}
+	v.yml, err = m.AsYaml()
+	if err != nil {
+		return err
+	}
+	sv := NewStreamVisitor(
+		bytes.NewReader(v.yml), v.mapper, v.dirPath, v.schema)
+	return sv.Visit(fn)
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/mapper.go b/vendor/k8s.io/cli-runtime/pkg/resource/mapper.go
new file mode 100644
index 0000000000..03b6668420
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/mapper.go
@@ -0,0 +1,166 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"fmt"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// Mapper is a convenience struct for holding references to the interfaces
+// needed to create Info for arbitrary objects.
+type mapper struct {
+	// localFn indicates the call can't make server requests
+	localFn func() bool
+
+	restMapperFn RESTMapperFunc
+	clientFn     func(version schema.GroupVersion) (RESTClient, error)
+	decoder      runtime.Decoder
+}
+
+// InfoForData creates an Info object for the given data. An error is returned
+// if any of the decoding or client lookup steps fail. Name and namespace will be
+// set into Info if the mapping's MetadataAccessor can retrieve them.
+func (m *mapper) infoForData(data []byte, source string) (*Info, error) {
+	obj, gvk, err := m.decoder.Decode(data, nil, nil)
+	if err != nil {
+		return nil, fmt.Errorf("unable to decode %q: %v", source, err)
+	}
+
+	name, _ := metadataAccessor.Name(obj)
+	namespace, _ := metadataAccessor.Namespace(obj)
+	resourceVersion, _ := metadataAccessor.ResourceVersion(obj)
+
+	ret := &Info{
+		Source:          source,
+		Namespace:       namespace,
+		Name:            name,
+		ResourceVersion: resourceVersion,
+
+		Object: obj,
+	}
+
+	if m.localFn == nil || !m.localFn() {
+		restMapper, err := m.restMapperFn()
+		if err != nil {
+			return nil, err
+		}
+		mapping, err := restMapper.RESTMapping(gvk.GroupKind(), gvk.Version)
+		if err != nil {
+			if _, ok := err.(*meta.NoKindMatchError); ok {
+				return nil, fmt.Errorf("resource mapping not found for name: %q namespace: %q from %q: %w\nensure CRDs are installed first",
+					name, namespace, source, err)
+			}
+			return nil, fmt.Errorf("unable to recognize %q: %v", source, err)
+		}
+		ret.Mapping = mapping
+
+		client, err := m.clientFn(gvk.GroupVersion())
+		if err != nil {
+			return nil, fmt.Errorf("unable to connect to a server to handle %q: %v", mapping.Resource, err)
+		}
+		ret.Client = client
+	}
+
+	return ret, nil
+}
+
+// InfoForObject creates an Info object for the given Object. An error is returned
+// if the object cannot be introspected. Name and namespace will be set into Info
+// if the mapping's MetadataAccessor can retrieve them.
+func (m *mapper) infoForObject(obj runtime.Object, typer runtime.ObjectTyper, preferredGVKs []schema.GroupVersionKind) (*Info, error) {
+	groupVersionKinds, _, err := typer.ObjectKinds(obj)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get type info from the object %q: %v", reflect.TypeOf(obj), err)
+	}
+
+	gvk := groupVersionKinds[0]
+	if len(groupVersionKinds) > 1 && len(preferredGVKs) > 0 {
+		gvk = preferredObjectKind(groupVersionKinds, preferredGVKs)
+	}
+
+	name, _ := metadataAccessor.Name(obj)
+	namespace, _ := metadataAccessor.Namespace(obj)
+	resourceVersion, _ := metadataAccessor.ResourceVersion(obj)
+	ret := &Info{
+		Namespace:       namespace,
+		Name:            name,
+		ResourceVersion: resourceVersion,
+
+		Object: obj,
+	}
+
+	if m.localFn == nil || !m.localFn() {
+		restMapper, err := m.restMapperFn()
+		if err != nil {
+			return nil, err
+		}
+		mapping, err := restMapper.RESTMapping(gvk.GroupKind(), gvk.Version)
+		if err != nil {
+			return nil, fmt.Errorf("unable to recognize %v", err)
+		}
+		ret.Mapping = mapping
+
+		client, err := m.clientFn(gvk.GroupVersion())
+		if err != nil {
+			return nil, fmt.Errorf("unable to connect to a server to handle %q: %v", mapping.Resource, err)
+		}
+		ret.Client = client
+	}
+
+	return ret, nil
+}
+
+// preferredObjectKind picks the possibility that most closely matches the priority list in this order:
+// GroupVersionKind matches (exact match)
+// GroupKind matches
+// Group matches
+func preferredObjectKind(possibilities []schema.GroupVersionKind, preferences []schema.GroupVersionKind) schema.GroupVersionKind {
+	// Exact match
+	for _, priority := range preferences {
+		for _, possibility := range possibilities {
+			if possibility == priority {
+				return possibility
+			}
+		}
+	}
+
+	// GroupKind match
+	for _, priority := range preferences {
+		for _, possibility := range possibilities {
+			if possibility.GroupKind() == priority.GroupKind() {
+				return possibility
+			}
+		}
+	}
+
+	// Group match
+	for _, priority := range preferences {
+		for _, possibility := range possibilities {
+			if possibility.Group == priority.Group {
+				return possibility
+			}
+		}
+	}
+
+	// Just pick the first
+	return possibilities[0]
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/metadata_decoder.go b/vendor/k8s.io/cli-runtime/pkg/resource/metadata_decoder.go
new file mode 100644
index 0000000000..d688c3a08a
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/metadata_decoder.go
@@ -0,0 +1,56 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utiljson "k8s.io/apimachinery/pkg/util/json"
+)
+
+// metadataValidatingDecoder wraps a decoder and additionally ensures metadata schema fields decode before returning an unstructured object
+type metadataValidatingDecoder struct {
+	decoder runtime.Decoder
+}
+
+func (m *metadataValidatingDecoder) Decode(data []byte, defaults *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	obj, gvk, err := m.decoder.Decode(data, defaults, into)
+
+	// if we already errored, return
+	if err != nil {
+		return obj, gvk, err
+	}
+
+	// if we're not unstructured, return
+	if _, isUnstructured := obj.(runtime.Unstructured); !isUnstructured {
+		return obj, gvk, err
+	}
+
+	// make sure the data can decode into ObjectMeta before we return,
+	// so we don't silently truncate schema errors in metadata later with accesser get/set calls
+	v := &metadataOnlyObject{}
+	if typedErr := utiljson.Unmarshal(data, v); typedErr != nil {
+		return obj, gvk, typedErr
+	}
+	return obj, gvk, err
+}
+
+type metadataOnlyObject struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/query_param_verifier.go b/vendor/k8s.io/cli-runtime/pkg/resource/query_param_verifier.go
new file mode 100644
index 0000000000..f2292983e9
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/query_param_verifier.go
@@ -0,0 +1,176 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"errors"
+	"fmt"
+
+	openapi_v2 "github.com/google/gnostic-models/openapiv2"
+
+	yaml "go.yaml.in/yaml/v2"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/dynamic"
+)
+
+func NewQueryParamVerifier(dynamicClient dynamic.Interface, openAPIGetter discovery.OpenAPISchemaInterface, queryParam VerifiableQueryParam) *QueryParamVerifier {
+	return &QueryParamVerifier{
+		finder:        NewCRDFinder(CRDFromDynamic(dynamicClient)),
+		openAPIGetter: openAPIGetter,
+		queryParam:    queryParam,
+	}
+}
+
+// QueryParamVerifier verifies if a given group-version-kind supports a
+// given VerifiableQueryParam against the current server.
+//
+// Currently supported query params are: fieldValidation
+//
+// Support for each of these query params needs to be verified because
+// we determine whether or not to perform server-side or client-side
+// schema validation based on whether the fieldValidation query param is
+// supported or not.
+//
+// It reads the OpenAPI to see if the given GVK supports the given query param.
+// If the GVK can not be found, we assume that CRDs will have the same level of
+// support as "namespaces", and non-CRDs will not be supported. We
+// delay the check for CRDs as much as possible though, since it
+// requires an extra round-trip to the server.
+type QueryParamVerifier struct {
+	finder        CRDFinder
+	openAPIGetter discovery.OpenAPISchemaInterface
+	queryParam    VerifiableQueryParam
+}
+
+// Verifier is the generic verifier interface used for testing QueryParamVerifier
+type Verifier interface {
+	HasSupport(gvk schema.GroupVersionKind) error
+}
+
+// VerifiableQueryParam is a query parameter who's enablement on the
+// apiserver can be determined by evaluating the OpenAPI for a specific
+// GVK.
+type VerifiableQueryParam string
+
+const (
+	QueryParamFieldValidation VerifiableQueryParam = "fieldValidation"
+)
+
+// HasSupport checks if the given gvk supports the query param configured on v
+func (v *QueryParamVerifier) HasSupport(gvk schema.GroupVersionKind) error {
+	if (gvk == schema.GroupVersionKind{Version: "v1", Kind: "List"}) {
+		return NewParamUnsupportedError(gvk, v.queryParam)
+	}
+
+	oapi, err := v.openAPIGetter.OpenAPISchema()
+	if err != nil {
+		return fmt.Errorf("failed to download openapi: %v", err)
+	}
+	supports, err := supportsQueryParam(oapi, gvk, v.queryParam)
+	if err != nil {
+		// We assume that we couldn't find the type, then check for namespace:
+		supports, _ = supportsQueryParam(oapi, schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"}, v.queryParam)
+		// If namespace supports the query param, then we will support the query param for CRDs only.
+		if supports {
+			supports, err = v.finder.HasCRD(gvk.GroupKind())
+			if err != nil {
+				return fmt.Errorf("failed to check CRD: %v", err)
+			}
+		}
+	}
+	if !supports {
+		return NewParamUnsupportedError(gvk, v.queryParam)
+	}
+	return nil
+}
+
+type paramUnsupportedError struct {
+	gvk   schema.GroupVersionKind
+	param VerifiableQueryParam
+}
+
+func NewParamUnsupportedError(gvk schema.GroupVersionKind, param VerifiableQueryParam) error {
+	return &paramUnsupportedError{
+		gvk:   gvk,
+		param: param,
+	}
+}
+
+func (e *paramUnsupportedError) Error() string {
+	return fmt.Sprintf("%v doesn't support %s", e.gvk, e.param)
+}
+
+func IsParamUnsupportedError(err error) bool {
+	if err == nil {
+		return false
+	}
+	_, ok := err.(*paramUnsupportedError)
+	return ok
+}
+
+func hasGVKExtension(extensions []*openapi_v2.NamedAny, gvk schema.GroupVersionKind) bool {
+	for _, extension := range extensions {
+		if extension.GetValue().GetYaml() == "" ||
+			extension.GetName() != "x-kubernetes-group-version-kind" {
+			continue
+		}
+		var value map[string]string
+		err := yaml.Unmarshal([]byte(extension.GetValue().GetYaml()), &value)
+		if err != nil {
+			continue
+		}
+
+		if value["group"] == gvk.Group && value["kind"] == gvk.Kind && value["version"] == gvk.Version {
+			return true
+		}
+		return false
+	}
+	return false
+}
+
+// supportsQueryParam is a method that let's us look in the OpenAPI if the
+// specific group-version-kind supports the specific query parameter for
+// the PATCH end-point.
+func supportsQueryParam(doc *openapi_v2.Document, gvk schema.GroupVersionKind, queryParam VerifiableQueryParam) (bool, error) {
+	globalParams := map[string]*openapi_v2.NamedParameter{}
+	for _, p := range doc.GetParameters().GetAdditionalProperties() {
+		globalParams["#/parameters/"+p.GetName()] = p
+	}
+
+	for _, path := range doc.GetPaths().GetPath() {
+		// Is this describing the gvk we're looking for?
+		if !hasGVKExtension(path.GetValue().GetPatch().GetVendorExtension(), gvk) {
+			continue
+		}
+		for _, param := range path.GetValue().GetPatch().GetParameters() {
+			if param.GetParameter().GetNonBodyParameter().GetQueryParameterSubSchema().GetName() == string(queryParam) {
+				return true, nil
+			}
+
+			// lookup global parameters
+			if ref := param.GetJsonReference().GetXRef(); ref != "" {
+				if globalParam, ok := globalParams[ref]; ok && globalParam != nil && globalParam.GetValue().GetNonBodyParameter().GetQueryParameterSubSchema().GetName() == string(queryParam) {
+					return true, nil
+				}
+			}
+		}
+		return false, nil
+	}
+
+	return false, errors.New("couldn't find GVK in openapi")
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/query_param_verifier_v3.go b/vendor/k8s.io/cli-runtime/pkg/resource/query_param_verifier_v3.go
new file mode 100644
index 0000000000..7183ea09ae
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/query_param_verifier_v3.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/openapi"
+	"k8s.io/client-go/openapi3"
+	"k8s.io/kube-openapi/pkg/spec3"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+var _ Verifier = &queryParamVerifierV3{}
+
+// NewQueryParamVerifierV3 returns a pointer to the created queryParamVerifier3 struct,
+// which implements the Verifier interface. The caching characteristics of the
+// OpenAPI V3 specs are determined by the passed oapiClient. For memory caching, the
+// client should be wrapped beforehand as: cached.NewClient(oapiClient). The disk
+// caching is determined by the discovery client the oapiClient is created from.
+func NewQueryParamVerifierV3(dynamicClient dynamic.Interface, oapiClient openapi.Client, queryParam VerifiableQueryParam) Verifier {
+	return &queryParamVerifierV3{
+		finder:     NewCRDFinder(CRDFromDynamic(dynamicClient)),
+		root:       openapi3.NewRoot(oapiClient),
+		queryParam: queryParam,
+	}
+}
+
+// queryParamVerifierV3 encapsulates info necessary to determine if
+// the queryParam is a parameter for the Patch endpoint for a
+// passed GVK.
+type queryParamVerifierV3 struct {
+	finder     CRDFinder
+	root       openapi3.Root
+	queryParam VerifiableQueryParam
+}
+
+var namespaceGVK = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"}
+
+// HasSupport returns nil error if the passed GVK supports the parameter
+// (stored in struct; usually "fieldValidation") for Patch endpoint.
+// Returns an error if the passed GVK does not support the query param,
+// or if another error occurred. If the Open API V3 spec for a CRD is not
+// found, then the spec for Namespace is checked for query param support instead.
+func (v *queryParamVerifierV3) HasSupport(gvk schema.GroupVersionKind) error {
+	if (gvk == schema.GroupVersionKind{Version: "v1", Kind: "List"}) {
+		return NewParamUnsupportedError(gvk, v.queryParam)
+	}
+	gvSpec, err := v.root.GVSpec(gvk.GroupVersion())
+	if err == nil {
+		return supportsQueryParamV3(gvSpec, gvk, v.queryParam)
+	}
+	if _, isErr := err.(*openapi3.GroupVersionNotFoundError); !isErr {
+		return err
+	}
+	// If the spec for the passed GVK is not found, then check if it is a CRD.
+	// For CRD's substitute Namespace OpenAPI V3 spec to check if query param is supported.
+	if found, _ := v.finder.HasCRD(gvk.GroupKind()); found {
+		namespaceSpec, err := v.root.GVSpec(namespaceGVK.GroupVersion())
+		if err != nil {
+			// If error retrieving Namespace spec, propagate error.
+			return err
+		}
+		return supportsQueryParamV3(namespaceSpec, namespaceGVK, v.queryParam)
+	}
+	return NewParamUnsupportedError(gvk, v.queryParam)
+}
+
+// hasGVKExtensionV3 returns true if the passed OpenAPI extensions map contains
+// the passed GVK; false otherwise.
+func hasGVKExtensionV3(extensions spec.Extensions, gvk schema.GroupVersionKind) bool {
+	var oapiGVK map[string]string
+	err := extensions.GetObject("x-kubernetes-group-version-kind", &oapiGVK)
+	if err != nil {
+		return false
+	}
+	if oapiGVK["group"] == gvk.Group &&
+		oapiGVK["version"] == gvk.Version &&
+		oapiGVK["kind"] == gvk.Kind {
+		return true
+	}
+	return false
+}
+
+// supportsQueryParam is a method that let's us look in the OpenAPI if the
+// specific group-version-kind supports the specific query parameter for
+// the PATCH end-point. Returns nil if the passed GVK supports the passed
+// query parameter; otherwise, a "paramUnsupportedError" is returned (except
+// when an invalid document error is returned when an invalid OpenAPI V3
+// is passed in).
+func supportsQueryParamV3(doc *spec3.OpenAPI, gvk schema.GroupVersionKind, queryParam VerifiableQueryParam) error {
+	if doc == nil || doc.Paths == nil {
+		return fmt.Errorf("Invalid OpenAPI V3 document")
+	}
+	for _, path := range doc.Paths.Paths {
+		// If operation is not PATCH, then continue.
+		if path == nil {
+			continue
+		}
+		op := path.PathProps.Patch
+		if op == nil {
+			continue
+		}
+		// Is this PATCH operation for the passed GVK?
+		if !hasGVKExtensionV3(op.VendorExtensible.Extensions, gvk) {
+			continue
+		}
+		// Now look for the query parameter among the parameters
+		// for the PATCH operation.
+		for _, param := range op.OperationProps.Parameters {
+			if param.ParameterProps.Name == string(queryParam) && param.In == "query" {
+				return nil
+			}
+
+			// lookup global parameters
+			if ref := param.Refable.Ref.Ref.String(); strings.HasPrefix(ref, "#/parameters/") && doc.Components != nil {
+				k := strings.TrimPrefix(ref, "#/parameters/")
+				if globalParam, ok := doc.Components.Parameters[k]; ok && globalParam != nil {
+					if globalParam.In == "query" && globalParam.Name == string(queryParam) {
+						return nil
+					}
+				}
+			}
+		}
+		return NewParamUnsupportedError(gvk, queryParam)
+	}
+	return fmt.Errorf("Path not found for GVK (%s) in OpenAPI V3 doc", gvk)
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/result.go b/vendor/k8s.io/cli-runtime/pkg/resource/result.go
new file mode 100644
index 0000000000..9a39cb4cdd
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/result.go
@@ -0,0 +1,242 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"fmt"
+	"reflect"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// ErrMatchFunc can be used to filter errors that may not be true failures.
+type ErrMatchFunc func(error) bool
+
+// Result contains helper methods for dealing with the outcome of a Builder.
+type Result struct {
+	err     error
+	visitor Visitor
+
+	sources            []Visitor
+	singleItemImplied  bool
+	targetsSingleItems bool
+
+	mapper       *mapper
+	ignoreErrors []utilerrors.Matcher
+
+	// populated by a call to Infos
+	info []*Info
+}
+
+// withError allows a fluent style for internal result code.
+func (r *Result) withError(err error) *Result {
+	r.err = err
+	return r
+}
+
+// TargetsSingleItems returns true if any of the builder arguments pointed
+// to non-list calls (if the user explicitly asked for any object by name).
+// This includes directories, streams, URLs, and resource name tuples.
+func (r *Result) TargetsSingleItems() bool {
+	return r.targetsSingleItems
+}
+
+// IgnoreErrors will filter errors that occur when by visiting the result
+// (but not errors that occur by creating the result in the first place),
+// eliminating any that match fns. This is best used in combination with
+// Builder.ContinueOnError(), where the visitors accumulate errors and return
+// them after visiting as a slice of errors. If no errors remain after
+// filtering, the various visitor methods on Result will return nil for
+// err.
+func (r *Result) IgnoreErrors(fns ...ErrMatchFunc) *Result {
+	for _, fn := range fns {
+		r.ignoreErrors = append(r.ignoreErrors, utilerrors.Matcher(fn))
+	}
+	return r
+}
+
+// Mapper returns a copy of the builder's mapper.
+func (r *Result) Mapper() *mapper {
+	return r.mapper
+}
+
+// Err returns one or more errors (via a util.ErrorList) that occurred prior
+// to visiting the elements in the visitor. To see all errors including those
+// that occur during visitation, invoke Infos().
+func (r *Result) Err() error {
+	return r.err
+}
+
+// Visit implements the Visitor interface on the items described in the Builder.
+// Note that some visitor sources are not traversable more than once, or may
+// return different results.  If you wish to operate on the same set of resources
+// multiple times, use the Infos() method.
+func (r *Result) Visit(fn VisitorFunc) error {
+	if r.err != nil {
+		return r.err
+	}
+	err := r.visitor.Visit(fn)
+	return utilerrors.FilterOut(err, r.ignoreErrors...)
+}
+
+// IntoSingleItemImplied sets the provided boolean pointer to true if the Builder input
+// implies a single item, or multiple.
+func (r *Result) IntoSingleItemImplied(b *bool) *Result {
+	*b = r.singleItemImplied
+	return r
+}
+
+// Infos returns an array of all of the resource infos retrieved via traversal.
+// Will attempt to traverse the entire set of visitors only once, and will return
+// a cached list on subsequent calls.
+func (r *Result) Infos() ([]*Info, error) {
+	if r.err != nil {
+		return nil, r.err
+	}
+	if r.info != nil {
+		return r.info, nil
+	}
+
+	infos := []*Info{}
+	err := r.visitor.Visit(func(info *Info, err error) error {
+		if err != nil {
+			return err
+		}
+		infos = append(infos, info)
+		return nil
+	})
+	err = utilerrors.FilterOut(err, r.ignoreErrors...)
+
+	r.info, r.err = infos, err
+	return infos, err
+}
+
+// Object returns a single object representing the output of a single visit to all
+// found resources.  If the Builder was a singular context (expected to return a
+// single resource by user input) and only a single resource was found, the resource
+// will be returned as is.  Otherwise, the returned resources will be part of an
+// v1.List. The ResourceVersion of the v1.List will be set only if it is identical
+// across all infos returned.
+func (r *Result) Object() (runtime.Object, error) {
+	infos, err := r.Infos()
+	if err != nil {
+		return nil, err
+	}
+
+	versions := sets.New[string]()
+	objects := []runtime.Object{}
+	for _, info := range infos {
+		if info.Object != nil {
+			objects = append(objects, info.Object)
+			versions.Insert(info.ResourceVersion)
+		}
+	}
+
+	if len(objects) == 1 {
+		if r.singleItemImplied {
+			return objects[0], nil
+		}
+		// if the item is a list already, don't create another list
+		if meta.IsListType(objects[0]) {
+			return objects[0], nil
+		}
+	}
+
+	version := ""
+	if len(versions) == 1 {
+		version = versions.UnsortedList()[0]
+	}
+
+	return toV1List(objects, version), err
+}
+
+// Compile time check to enforce that list implements the necessary interface
+var _ metav1.ListInterface = &v1.List{}
+var _ metav1.ListMetaAccessor = &v1.List{}
+
+// toV1List takes a slice of Objects + their version, and returns
+// a v1.List Object containing the objects in the Items field
+func toV1List(objects []runtime.Object, version string) runtime.Object {
+	raw := []runtime.RawExtension{}
+	for _, o := range objects {
+		raw = append(raw, runtime.RawExtension{Object: o})
+	}
+	return &v1.List{
+		ListMeta: metav1.ListMeta{
+			ResourceVersion: version,
+		},
+		Items: raw,
+	}
+}
+
+// ResourceMapping returns a single meta.RESTMapping representing the
+// resources located by the builder, or an error if more than one
+// mapping was found.
+func (r *Result) ResourceMapping() (*meta.RESTMapping, error) {
+	if r.err != nil {
+		return nil, r.err
+	}
+	mappings := map[schema.GroupVersionResource]*meta.RESTMapping{}
+	for i := range r.sources {
+		m, ok := r.sources[i].(ResourceMapping)
+		if !ok {
+			return nil, fmt.Errorf("a resource mapping could not be loaded from %v", reflect.TypeOf(r.sources[i]))
+		}
+		mapping := m.ResourceMapping()
+		mappings[mapping.Resource] = mapping
+	}
+	if len(mappings) != 1 {
+		return nil, fmt.Errorf("expected only a single resource type")
+	}
+	for _, mapping := range mappings {
+		return mapping, nil
+	}
+	return nil, nil
+}
+
+// Watch retrieves changes that occur on the server to the specified resource.
+// It currently supports watching a single source - if the resource source
+// (selectors or pure types) can be watched, they will be, otherwise the list
+// will be visited (equivalent to the Infos() call) and if there is a single
+// resource present, it will be watched, otherwise an error will be returned.
+func (r *Result) Watch(resourceVersion string) (watch.Interface, error) {
+	if r.err != nil {
+		return nil, r.err
+	}
+	if len(r.sources) != 1 {
+		return nil, fmt.Errorf("you may only watch a single resource or type of resource at a time")
+	}
+	w, ok := r.sources[0].(Watchable)
+	if !ok {
+		info, err := r.Infos()
+		if err != nil {
+			return nil, err
+		}
+		if len(info) != 1 {
+			return nil, fmt.Errorf("watch is only supported on individual resources and resource collections - %d resources were found", len(info))
+		}
+		return info[0].Watch(resourceVersion)
+	}
+	return w.Watch(resourceVersion)
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/scheme.go b/vendor/k8s.io/cli-runtime/pkg/resource/scheme.go
new file mode 100644
index 0000000000..858a46202c
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/scheme.go
@@ -0,0 +1,82 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"encoding/json"
+	"io"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+)
+
+// dynamicCodec is a codec that wraps the standard unstructured codec
+// with special handling for Status objects.
+// Deprecated only used by test code and its wrong
+type dynamicCodec struct{}
+
+func (dynamicCodec) Decode(data []byte, gvk *schema.GroupVersionKind, obj runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	obj, gvk, err := unstructured.UnstructuredJSONScheme.Decode(data, gvk, obj)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if strings.EqualFold(gvk.Kind, "status") && gvk.Version == "v1" && (gvk.Group == "" || gvk.Group == "meta.k8s.io") {
+		if _, ok := obj.(*metav1.Status); !ok {
+			obj = &metav1.Status{}
+			err := json.Unmarshal(data, obj)
+			if err != nil {
+				return nil, nil, err
+			}
+		}
+	}
+
+	return obj, gvk, nil
+}
+
+func (dynamicCodec) Encode(obj runtime.Object, w io.Writer) error {
+	// There is no need to handle runtime.CacheableObject, as we only
+	// fallback to other encoders here.
+	return unstructured.UnstructuredJSONScheme.Encode(obj, w)
+}
+
+// Identifier implements runtime.Encoder interface.
+func (dynamicCodec) Identifier() runtime.Identifier {
+	return unstructured.UnstructuredJSONScheme.Identifier()
+}
+
+// UnstructuredPlusDefaultContentConfig returns a rest.ContentConfig for dynamic types.  It includes enough codecs to act as a "normal"
+// serializer for the rest.client with options, status and the like.
+func UnstructuredPlusDefaultContentConfig() rest.ContentConfig {
+	// TODO: scheme.Codecs here should become "pkg/apis/server/scheme" which is the minimal core you need
+	// to talk to a kubernetes server
+	jsonInfo, _ := runtime.SerializerInfoForMediaType(scheme.Codecs.SupportedMediaTypes(), runtime.ContentTypeJSON)
+
+	jsonInfo.Serializer = dynamicCodec{}
+	jsonInfo.PrettySerializer = nil
+	return rest.ContentConfig{
+		AcceptContentTypes:   runtime.ContentTypeJSON,
+		ContentType:          runtime.ContentTypeJSON,
+		NegotiatedSerializer: serializer.NegotiatedSerializerWrapper(jsonInfo),
+	}
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/selector.go b/vendor/k8s.io/cli-runtime/pkg/resource/selector.go
new file mode 100644
index 0000000000..2a283d4e06
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/selector.go
@@ -0,0 +1,92 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Selector is a Visitor for resources that match a label selector.
+type Selector struct {
+	Client        RESTClient
+	Mapping       *meta.RESTMapping
+	Namespace     string
+	LabelSelector string
+	FieldSelector string
+	LimitChunks   int64
+}
+
+// NewSelector creates a resource selector which hides details of getting items by their label selector.
+func NewSelector(client RESTClient, mapping *meta.RESTMapping, namespace, labelSelector, fieldSelector string, limitChunks int64) *Selector {
+	return &Selector{
+		Client:        client,
+		Mapping:       mapping,
+		Namespace:     namespace,
+		LabelSelector: labelSelector,
+		FieldSelector: fieldSelector,
+		LimitChunks:   limitChunks,
+	}
+}
+
+// Visit implements Visitor and uses request chunking by default.
+func (r *Selector) Visit(fn VisitorFunc) error {
+	helper := NewHelper(r.Client, r.Mapping)
+	initialOpts := metav1.ListOptions{
+		LabelSelector: r.LabelSelector,
+		FieldSelector: r.FieldSelector,
+		Limit:         r.LimitChunks,
+	}
+	return FollowContinue(&initialOpts, func(options metav1.ListOptions) (runtime.Object, error) {
+		list, err := helper.List(
+			r.Namespace,
+			r.ResourceMapping().GroupVersionKind.GroupVersion().String(),
+			&options,
+		)
+		if err != nil {
+			return nil, EnhanceListError(err, options, r.Mapping.Resource.String())
+		}
+		resourceVersion, _ := metadataAccessor.ResourceVersion(list)
+
+		info := &Info{
+			Client:  r.Client,
+			Mapping: r.Mapping,
+
+			Namespace:       r.Namespace,
+			ResourceVersion: resourceVersion,
+
+			Object: list,
+		}
+
+		if err := fn(info, nil); err != nil {
+			return nil, err
+		}
+		return list, nil
+	})
+}
+
+func (r *Selector) Watch(resourceVersion string) (watch.Interface, error) {
+	return NewHelper(r.Client, r.Mapping).Watch(r.Namespace, r.ResourceMapping().GroupVersionKind.GroupVersion().String(),
+		&metav1.ListOptions{ResourceVersion: resourceVersion, LabelSelector: r.LabelSelector, FieldSelector: r.FieldSelector})
+}
+
+// ResourceMapping returns the mapping for this resource and implements ResourceMapping
+func (r *Selector) ResourceMapping() *meta.RESTMapping {
+	return r.Mapping
+}
diff --git a/vendor/k8s.io/cli-runtime/pkg/resource/visitor.go b/vendor/k8s.io/cli-runtime/pkg/resource/visitor.go
new file mode 100644
index 0000000000..76cfbbda82
--- /dev/null
+++ b/vendor/k8s.io/cli-runtime/pkg/resource/visitor.go
@@ -0,0 +1,770 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"golang.org/x/sync/errgroup"
+	"golang.org/x/text/encoding/unicode"
+	"golang.org/x/text/transform"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+const (
+	constSTDINstr       = "STDIN"
+	stopValidateMessage = "if you choose to ignore these errors, turn validation off with --validate=false"
+)
+
+// Watchable describes a resource that can be watched for changes that occur on the server,
+// beginning after the provided resource version.
+type Watchable interface {
+	Watch(resourceVersion string) (watch.Interface, error)
+}
+
+// ResourceMapping allows an object to return the resource mapping associated with
+// the resource or resources it represents.
+type ResourceMapping interface {
+	ResourceMapping() *meta.RESTMapping
+}
+
+// Info contains temporary info to execute a REST call, or show the results
+// of an already completed REST call.
+type Info struct {
+	// Client will only be present if this builder was not local
+	Client RESTClient
+	// Mapping will only be present if this builder was not local
+	Mapping *meta.RESTMapping
+
+	// Namespace will be set if the object is namespaced and has a specified value.
+	Namespace string
+	Name      string
+
+	// Optional, Source is the filename or URL to template file (.json or .yaml),
+	// or stdin to use to handle the resource
+	Source string
+	// Optional, this is the most recent value returned by the server if available. It will
+	// typically be in unstructured or internal forms, depending on how the Builder was
+	// defined. If retrieved from the server, the Builder expects the mapping client to
+	// decide the final form. Use the AsVersioned, AsUnstructured, and AsInternal helpers
+	// to alter the object versions.
+	// If Subresource is specified, this will be the object for the subresource.
+	Object runtime.Object
+	// Optional, this is the most recent resource version the server knows about for
+	// this type of resource. It may not match the resource version of the object,
+	// but if set it should be equal to or newer than the resource version of the
+	// object (however the server defines resource version).
+	ResourceVersion string
+	// Optional, if specified, the object is the most recent value of the subresource
+	// returned by the server if available.
+	Subresource string
+}
+
+// Visit implements Visitor
+func (i *Info) Visit(fn VisitorFunc) error {
+	return fn(i, nil)
+}
+
+// Get retrieves the object from the Namespace and Name fields
+func (i *Info) Get() (err error) {
+	obj, err := NewHelper(i.Client, i.Mapping).WithSubresource(i.Subresource).Get(i.Namespace, i.Name)
+	if err != nil {
+		if errors.IsNotFound(err) && len(i.Namespace) > 0 && i.Namespace != metav1.NamespaceDefault && i.Namespace != metav1.NamespaceAll {
+			err2 := i.Client.Get().AbsPath("api", "v1", "namespaces", i.Namespace).Do(context.TODO()).Error()
+			if err2 != nil && errors.IsNotFound(err2) {
+				return err2
+			}
+		}
+		return err
+	}
+	i.Object = obj
+	i.ResourceVersion, _ = metadataAccessor.ResourceVersion(obj)
+	return nil
+}
+
+// Refresh updates the object with another object. If ignoreError is set
+// the Object will be updated even if name, namespace, or resourceVersion
+// attributes cannot be loaded from the object.
+func (i *Info) Refresh(obj runtime.Object, ignoreError bool) error {
+	name, err := metadataAccessor.Name(obj)
+	if err != nil {
+		if !ignoreError {
+			return err
+		}
+	} else {
+		i.Name = name
+	}
+	namespace, err := metadataAccessor.Namespace(obj)
+	if err != nil {
+		if !ignoreError {
+			return err
+		}
+	} else {
+		i.Namespace = namespace
+	}
+	version, err := metadataAccessor.ResourceVersion(obj)
+	if err != nil {
+		if !ignoreError {
+			return err
+		}
+	} else {
+		i.ResourceVersion = version
+	}
+	i.Object = obj
+	return nil
+}
+
+// ObjectName returns an approximate form of the resource's kind/name.
+func (i *Info) ObjectName() string {
+	if i.Mapping != nil {
+		return fmt.Sprintf("%s/%s", i.Mapping.Resource.Resource, i.Name)
+	}
+	gvk := i.Object.GetObjectKind().GroupVersionKind()
+	if len(gvk.Group) == 0 {
+		return fmt.Sprintf("%s/%s", strings.ToLower(gvk.Kind), i.Name)
+	}
+	return fmt.Sprintf("%s.%s/%s\n", strings.ToLower(gvk.Kind), gvk.Group, i.Name)
+}
+
+// String returns the general purpose string representation
+func (i *Info) String() string {
+	basicInfo := fmt.Sprintf("Name: %q, Namespace: %q", i.Name, i.Namespace)
+	if i.Mapping != nil {
+		mappingInfo := fmt.Sprintf("Resource: %q, GroupVersionKind: %q", i.Mapping.Resource.String(),
+			i.Mapping.GroupVersionKind.String())
+		return fmt.Sprint(mappingInfo, "\n", basicInfo)
+	}
+	return basicInfo
+}
+
+// Namespaced returns true if the object belongs to a namespace
+func (i *Info) Namespaced() bool {
+	if i.Mapping != nil {
+		// if we have RESTMapper info, use it
+		return i.Mapping.Scope.Name() == meta.RESTScopeNameNamespace
+	}
+	// otherwise, use the presence of a namespace in the info as an indicator
+	return len(i.Namespace) > 0
+}
+
+// Watch returns server changes to this object after it was retrieved.
+func (i *Info) Watch(resourceVersion string) (watch.Interface, error) {
+	return NewHelper(i.Client, i.Mapping).WatchSingle(i.Namespace, i.Name, resourceVersion)
+}
+
+// ResourceMapping returns the mapping for this resource and implements ResourceMapping
+func (i *Info) ResourceMapping() *meta.RESTMapping {
+	return i.Mapping
+}
+
+// VisitorList implements Visit for the sub visitors it contains. The first error
+// returned from a child Visitor will terminate iteration.
+type VisitorList []Visitor
+
+// Visit implements Visitor
+func (l VisitorList) Visit(fn VisitorFunc) error {
+	for i := range l {
+		if err := l[i].Visit(fn); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+type ConcurrentVisitorList struct {
+	visitors    []Visitor
+	concurrency int
+}
+
+func (l ConcurrentVisitorList) Visit(fn VisitorFunc) error {
+	g := errgroup.Group{}
+
+	// Concurrency 1 just runs the visitors sequentially, this is the default
+	// as it preserves the previous behavior, but allows components to opt into
+	// concurrency.
+	concurrency := 1
+	if l.concurrency > concurrency {
+		concurrency = l.concurrency
+	}
+	g.SetLimit(concurrency)
+
+	for i := range l.visitors {
+		i := i
+		g.Go(func() error {
+			return l.visitors[i].Visit(fn)
+		})
+	}
+
+	return g.Wait()
+}
+
+// EagerVisitorList implements Visit for the sub visitors it contains. All errors
+// will be captured and returned at the end of iteration.
+type EagerVisitorList []Visitor
+
+// Visit implements Visitor, and gathers errors that occur during processing until
+// all sub visitors have been visited.
+func (l EagerVisitorList) Visit(fn VisitorFunc) error {
+	var errs []error
+	for i := range l {
+		err := l[i].Visit(func(info *Info, err error) error {
+			if err != nil {
+				errs = append(errs, err)
+				return nil
+			}
+			if err := fn(info, nil); err != nil {
+				errs = append(errs, err)
+			}
+			return nil
+		})
+		if err != nil {
+			errs = append(errs, err)
+		}
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
+func ValidateSchema(data []byte, schema ContentValidator) error {
+	if schema == nil {
+		return nil
+	}
+	if err := schema.ValidateBytes(data); err != nil {
+		return fmt.Errorf("error validating data: %v; %s", err, stopValidateMessage)
+	}
+	return nil
+}
+
+// URLVisitor downloads the contents of a URL, and if successful, returns
+// an info object representing the downloaded object.
+type URLVisitor struct {
+	URL *url.URL
+	*StreamVisitor
+	HttpAttemptCount int
+}
+
+func (v *URLVisitor) Visit(fn VisitorFunc) error {
+	body, err := readHttpWithRetries(httpgetImpl, time.Second, v.URL.String(), v.HttpAttemptCount)
+	if err != nil {
+		return err
+	}
+	defer body.Close()
+	v.StreamVisitor.Reader = body
+	return v.StreamVisitor.Visit(fn)
+}
+
+// readHttpWithRetries tries to http.Get the v.URL retries times before giving up.
+func readHttpWithRetries(get httpget, duration time.Duration, u string, attempts int) (io.ReadCloser, error) {
+	var err error
+	if attempts <= 0 {
+		return nil, fmt.Errorf("http attempts must be greater than 0, was %d", attempts)
+	}
+	for i := 0; i < attempts; i++ {
+		var (
+			statusCode int
+			status     string
+			body       io.ReadCloser
+		)
+		if i > 0 {
+			time.Sleep(duration)
+		}
+
+		// Try to get the URL
+		statusCode, status, body, err = get(u)
+
+		// Retry Errors
+		if err != nil {
+			continue
+		}
+
+		if statusCode == http.StatusOK {
+			return body, nil
+		}
+		body.Close()
+		// Error - Set the error condition from the StatusCode
+		err = fmt.Errorf("unable to read URL %q, server reported %s, status code=%d", u, status, statusCode)
+
+		if statusCode >= 500 && statusCode < 600 {
+			// Retry 500's
+			continue
+		} else {
+			// Don't retry other StatusCodes
+			break
+		}
+	}
+	return nil, err
+}
+
+// httpget Defines function to retrieve a url and return the results.  Exists for unit test stubbing.
+type httpget func(url string) (int, string, io.ReadCloser, error)
+
+// httpgetImpl Implements a function to retrieve a url and return the results.
+func httpgetImpl(url string) (int, string, io.ReadCloser, error) {
+	resp, err := http.Get(url)
+	if err != nil {
+		return 0, "", nil, err
+	}
+	return resp.StatusCode, resp.Status, resp.Body, nil
+}
+
+// DecoratedVisitor will invoke the decorators in order prior to invoking the visitor function
+// passed to Visit. An error will terminate the visit.
+type DecoratedVisitor struct {
+	visitor    Visitor
+	decorators []VisitorFunc
+}
+
+// NewDecoratedVisitor will create a visitor that invokes the provided visitor functions before
+// the user supplied visitor function is invoked, giving them the opportunity to mutate the Info
+// object or terminate early with an error.
+func NewDecoratedVisitor(v Visitor, fn ...VisitorFunc) Visitor {
+	if len(fn) == 0 {
+		return v
+	}
+	return DecoratedVisitor{v, fn}
+}
+
+// Visit implements Visitor
+func (v DecoratedVisitor) Visit(fn VisitorFunc) error {
+	return v.visitor.Visit(func(info *Info, err error) error {
+		if err != nil {
+			return err
+		}
+		for i := range v.decorators {
+			if err := v.decorators[i](info, nil); err != nil {
+				return err
+			}
+		}
+		return fn(info, nil)
+	})
+}
+
+// ContinueOnErrorVisitor visits each item and, if an error occurs on
+// any individual item, returns an aggregate error after all items
+// are visited.
+type ContinueOnErrorVisitor struct {
+	Visitor
+}
+
+// Visit returns nil if no error occurs during traversal, a regular
+// error if one occurs, or if multiple errors occur, an aggregate
+// error.  If the provided visitor fails on any individual item it
+// will not prevent the remaining items from being visited. An error
+// returned by the visitor directly may still result in some items
+// not being visited.
+func (v ContinueOnErrorVisitor) Visit(fn VisitorFunc) error {
+	var errs []error
+	err := v.Visitor.Visit(func(info *Info, err error) error {
+		if err != nil {
+			errs = append(errs, err)
+			return nil
+		}
+		if err := fn(info, nil); err != nil {
+			errs = append(errs, err)
+		}
+		return nil
+	})
+	if err != nil {
+		errs = append(errs, err)
+	}
+	if len(errs) == 1 {
+		return errs[0]
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
+// FlattenListVisitor flattens any objects that runtime.ExtractList recognizes as a list
+// - has an "Items" public field that is a slice of runtime.Objects or objects satisfying
+// that interface - into multiple Infos. Returns nil in the case of no errors.
+// When an error is hit on sub items (for instance, if a List contains an object that does
+// not have a registered client or resource), returns an aggregate error.
+type FlattenListVisitor struct {
+	visitor Visitor
+	typer   runtime.ObjectTyper
+	mapper  *mapper
+}
+
+// NewFlattenListVisitor creates a visitor that will expand list style runtime.Objects
+// into individual items and then visit them individually.
+func NewFlattenListVisitor(v Visitor, typer runtime.ObjectTyper, mapper *mapper) Visitor {
+	return FlattenListVisitor{v, typer, mapper}
+}
+
+func (v FlattenListVisitor) Visit(fn VisitorFunc) error {
+	return v.visitor.Visit(func(info *Info, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.Object == nil {
+			return fn(info, nil)
+		}
+		if !meta.IsListType(info.Object) {
+			return fn(info, nil)
+		}
+
+		items := []runtime.Object{}
+		itemsToProcess := []runtime.Object{info.Object}
+
+		for i := 0; i < len(itemsToProcess); i++ {
+			currObj := itemsToProcess[i]
+			if !meta.IsListType(currObj) {
+				items = append(items, currObj)
+				continue
+			}
+
+			currItems, err := meta.ExtractList(currObj)
+			if err != nil {
+				return err
+			}
+			if errs := runtime.DecodeList(currItems, v.mapper.decoder); len(errs) > 0 {
+				return utilerrors.NewAggregate(errs)
+			}
+			itemsToProcess = append(itemsToProcess, currItems...)
+		}
+
+		// If we have a GroupVersionKind on the list, prioritize that when asking for info on the objects contained in the list
+		var preferredGVKs []schema.GroupVersionKind
+		if info.Mapping != nil && !info.Mapping.GroupVersionKind.Empty() {
+			preferredGVKs = append(preferredGVKs, info.Mapping.GroupVersionKind)
+		}
+		var errs []error
+		for i := range items {
+			item, err := v.mapper.infoForObject(items[i], v.typer, preferredGVKs)
+			if err != nil {
+				errs = append(errs, err)
+				continue
+			}
+			if len(info.ResourceVersion) != 0 {
+				item.ResourceVersion = info.ResourceVersion
+			}
+			// propagate list source to items source
+			if len(info.Source) != 0 {
+				item.Source = info.Source
+			}
+			if err := fn(item, nil); err != nil {
+				errs = append(errs, err)
+			}
+		}
+		return utilerrors.NewAggregate(errs)
+	})
+}
+
+func ignoreFile(path string, extensions []string) bool {
+	if len(extensions) == 0 {
+		return false
+	}
+	ext := filepath.Ext(path)
+	for _, s := range extensions {
+		if s == ext {
+			return false
+		}
+	}
+	return true
+}
+
+// FileVisitorForSTDIN return a special FileVisitor just for STDIN
+func FileVisitorForSTDIN(mapper *mapper, schema ContentValidator) Visitor {
+	return &FileVisitor{
+		Path:          constSTDINstr,
+		StreamVisitor: NewStreamVisitor(nil, mapper, constSTDINstr, schema),
+	}
+}
+
+// ExpandPathsToFileVisitors will return a slice of FileVisitors that will handle files from the provided path.
+// After FileVisitors open the files, they will pass an io.Reader to a StreamVisitor to do the reading. (stdin
+// is also taken care of). Paths argument also accepts a single file, and will return a single visitor
+func ExpandPathsToFileVisitors(mapper *mapper, paths string, recursive bool, extensions []string, schema ContentValidator) ([]Visitor, error) {
+	var visitors []Visitor
+	err := filepath.Walk(paths, func(path string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if fi.IsDir() {
+			if path != paths && !recursive {
+				return filepath.SkipDir
+			}
+			return nil
+		}
+		// Don't check extension if the filepath was passed explicitly
+		if path != paths && ignoreFile(path, extensions) {
+			return nil
+		}
+
+		visitor := &FileVisitor{
+			Path:          path,
+			StreamVisitor: NewStreamVisitor(nil, mapper, path, schema),
+		}
+
+		visitors = append(visitors, visitor)
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+	return visitors, nil
+}
+
+// FileVisitor is wrapping around a StreamVisitor, to handle open/close files
+type FileVisitor struct {
+	Path string
+	*StreamVisitor
+}
+
+// Visit in a FileVisitor is just taking care of opening/closing files
+func (v *FileVisitor) Visit(fn VisitorFunc) error {
+	var f *os.File
+	if v.Path == constSTDINstr {
+		f = os.Stdin
+	} else {
+		var err error
+		f, err = os.Open(v.Path)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+	}
+
+	// TODO: Consider adding a flag to force to UTF16, apparently some
+	// Windows tools don't write the BOM
+	utf16bom := unicode.BOMOverride(unicode.UTF8.NewDecoder())
+	v.StreamVisitor.Reader = transform.NewReader(f, utf16bom)
+
+	return v.StreamVisitor.Visit(fn)
+}
+
+// StreamVisitor reads objects from an io.Reader and walks them. A stream visitor can only be
+// visited once.
+// TODO: depends on objects being in JSON format before being passed to decode - need to implement
+// a stream decoder method on runtime.Codec to properly handle this.
+type StreamVisitor struct {
+	io.Reader
+	*mapper
+
+	Source string
+	Schema ContentValidator
+}
+
+// NewStreamVisitor is a helper function that is useful when we want to change the fields of the struct but keep calls the same.
+func NewStreamVisitor(r io.Reader, mapper *mapper, source string, schema ContentValidator) *StreamVisitor {
+	return &StreamVisitor{
+		Reader: r,
+		mapper: mapper,
+		Source: source,
+		Schema: schema,
+	}
+}
+
+// Visit implements Visitor over a stream. StreamVisitor is able to distinct multiple resources in one stream.
+func (v *StreamVisitor) Visit(fn VisitorFunc) error {
+	d := yaml.NewYAMLOrJSONDecoder(v.Reader, 4096)
+	for {
+		ext := runtime.RawExtension{}
+		if err := d.Decode(&ext); err != nil {
+			if err == io.EOF {
+				return nil
+			}
+			return fmt.Errorf("error parsing %s: %v", v.Source, err)
+		}
+		// TODO: This needs to be able to handle object in other encodings and schemas.
+		ext.Raw = bytes.TrimSpace(ext.Raw)
+		if len(ext.Raw) == 0 || bytes.Equal(ext.Raw, []byte("null")) {
+			continue
+		}
+		if err := ValidateSchema(ext.Raw, v.Schema); err != nil {
+			return fmt.Errorf("error validating %q: %v", v.Source, err)
+		}
+		info, err := v.infoForData(ext.Raw, v.Source)
+		if err != nil {
+			if fnErr := fn(info, err); fnErr != nil {
+				return fnErr
+			}
+			continue
+		}
+		if err := fn(info, nil); err != nil {
+			return err
+		}
+	}
+}
+
+func UpdateObjectNamespace(info *Info, err error) error {
+	if err != nil {
+		return err
+	}
+	if info.Object != nil {
+		return metadataAccessor.SetNamespace(info.Object, info.Namespace)
+	}
+	return nil
+}
+
+// FilterNamespace omits the namespace if the object is not namespace scoped
+func FilterNamespace(info *Info, err error) error {
+	if err != nil {
+		return err
+	}
+	if !info.Namespaced() {
+		info.Namespace = ""
+		UpdateObjectNamespace(info, nil)
+	}
+	return nil
+}
+
+// SetNamespace ensures that every Info object visited will have a namespace
+// set. If info.Object is set, it will be mutated as well.
+func SetNamespace(namespace string) VisitorFunc {
+	return func(info *Info, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.Namespaced() {
+			return nil
+		}
+		if len(info.Namespace) == 0 {
+			info.Namespace = namespace
+			UpdateObjectNamespace(info, nil)
+		}
+		return nil
+	}
+}
+
+// RequireNamespace will either set a namespace if none is provided on the
+// Info object, or if the namespace is set and does not match the provided
+// value, returns an error. This is intended to guard against administrators
+// accidentally operating on resources outside their namespace.
+func RequireNamespace(namespace string) VisitorFunc {
+	return func(info *Info, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.Namespaced() {
+			return nil
+		}
+		if len(info.Namespace) == 0 {
+			info.Namespace = namespace
+			UpdateObjectNamespace(info, nil)
+			return nil
+		}
+		if info.Namespace != namespace {
+			return fmt.Errorf("the namespace from the provided object %q does not match the namespace %q. You must pass '--namespace=%s' to perform this operation.", info.Namespace, namespace, info.Namespace)
+		}
+		return nil
+	}
+}
+
+// RetrieveLatest updates the Object on each Info by invoking a standard client
+// Get.
+func RetrieveLatest(info *Info, err error) error {
+	if err != nil {
+		return err
+	}
+	if meta.IsListType(info.Object) {
+		return fmt.Errorf("watch is only supported on individual resources and resource collections, but a list of resources is found")
+	}
+	if len(info.Name) == 0 {
+		return nil
+	}
+	if info.Namespaced() && len(info.Namespace) == 0 {
+		return fmt.Errorf("no namespace set on resource %s %q", info.Mapping.Resource, info.Name)
+	}
+	return info.Get()
+}
+
+// RetrieveLazy updates the object if it has not been loaded yet.
+func RetrieveLazy(info *Info, err error) error {
+	if err != nil {
+		return err
+	}
+	if info.Object == nil {
+		return info.Get()
+	}
+	return nil
+}
+
+type FilterFunc func(info *Info, err error) (bool, error)
+
+type FilteredVisitor struct {
+	visitor Visitor
+	filters []FilterFunc
+}
+
+func NewFilteredVisitor(v Visitor, fn ...FilterFunc) Visitor {
+	if len(fn) == 0 {
+		return v
+	}
+	return FilteredVisitor{v, fn}
+}
+
+func (v FilteredVisitor) Visit(fn VisitorFunc) error {
+	return v.visitor.Visit(func(info *Info, err error) error {
+		if err != nil {
+			return err
+		}
+		for _, filter := range v.filters {
+			ok, err := filter(info, nil)
+			if err != nil {
+				return err
+			}
+			if !ok {
+				return nil
+			}
+		}
+		return fn(info, nil)
+	})
+}
+
+func FilterByLabelSelector(s labels.Selector) FilterFunc {
+	return func(info *Info, err error) (bool, error) {
+		if err != nil {
+			return false, err
+		}
+		a, err := meta.Accessor(info.Object)
+		if err != nil {
+			return false, err
+		}
+		if !s.Matches(labels.Set(a.GetLabels())) {
+			return false, nil
+		}
+		return true, nil
+	}
+}
+
+type InfoListVisitor []*Info
+
+func (infos InfoListVisitor) Visit(fn VisitorFunc) error {
+	var err error
+	for _, i := range infos {
+		err = fn(i, err)
+	}
+	return err
+}
diff --git a/vendor/k8s.io/client-go/discovery/cached/disk/cached_discovery.go b/vendor/k8s.io/client-go/discovery/cached/disk/cached_discovery.go
new file mode 100644
index 0000000000..158810ee53
--- /dev/null
+++ b/vendor/k8s.io/client-go/discovery/cached/disk/cached_discovery.go
@@ -0,0 +1,325 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package disk
+
+import (
+	"errors"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	openapi_v2 "github.com/google/gnostic-models/openapiv2"
+	"k8s.io/klog/v2"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/version"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/discovery/cached/memory"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/openapi"
+	cachedopenapi "k8s.io/client-go/openapi/cached"
+	restclient "k8s.io/client-go/rest"
+)
+
+// CachedDiscoveryClient implements the functions that discovery server-supported API groups,
+// versions and resources.
+type CachedDiscoveryClient struct {
+	delegate discovery.DiscoveryInterface
+
+	// cacheDirectory is the directory where discovery docs are held.  It must be unique per host:port combination to work well.
+	cacheDirectory string
+
+	// ttl is how long the cache should be considered valid
+	ttl time.Duration
+
+	// mutex protects the variables below
+	mutex sync.Mutex
+
+	// ourFiles are all filenames of cache files created by this process
+	ourFiles map[string]struct{}
+	// invalidated is true if all cache files should be ignored that are not ours (e.g. after Invalidate() was called)
+	invalidated bool
+	// fresh is true if all used cache files were ours
+	fresh bool
+
+	// caching openapi v3 client which wraps the delegate's client
+	openapiClient openapi.Client
+}
+
+var _ discovery.CachedDiscoveryInterface = &CachedDiscoveryClient{}
+
+// ServerResourcesForGroupVersion returns the supported resources for a group and version.
+func (d *CachedDiscoveryClient) ServerResourcesForGroupVersion(groupVersion string) (*metav1.APIResourceList, error) {
+	filename := filepath.Join(d.cacheDirectory, groupVersion, "serverresources.json")
+	cachedBytes, err := d.getCachedFile(filename)
+	// don't fail on errors, we either don't have a file or won't be able to run the cached check. Either way we can fallback.
+	if err == nil {
+		cachedResources := &metav1.APIResourceList{}
+		if err := runtime.DecodeInto(scheme.Codecs.UniversalDecoder(), cachedBytes, cachedResources); err == nil {
+			klog.V(10).Infof("returning cached discovery info from %v", filename)
+			return cachedResources, nil
+		}
+	}
+
+	liveResources, err := d.delegate.ServerResourcesForGroupVersion(groupVersion)
+	if err != nil {
+		klog.V(3).Infof("skipped caching discovery info due to %v", err)
+		return liveResources, err
+	}
+	if liveResources == nil || len(liveResources.APIResources) == 0 {
+		klog.V(3).Infof("skipped caching discovery info, no resources found")
+		return liveResources, err
+	}
+
+	if err := d.writeCachedFile(filename, liveResources); err != nil {
+		klog.V(1).Infof("failed to write cache to %v due to %v", filename, err)
+	}
+
+	return liveResources, nil
+}
+
+// ServerGroupsAndResources returns the supported groups and resources for all groups and versions.
+func (d *CachedDiscoveryClient) ServerGroupsAndResources() ([]*metav1.APIGroup, []*metav1.APIResourceList, error) {
+	return discovery.ServerGroupsAndResources(d)
+}
+
+// ServerGroups returns the supported groups, with information like supported versions and the
+// preferred version.
+func (d *CachedDiscoveryClient) ServerGroups() (*metav1.APIGroupList, error) {
+	filename := filepath.Join(d.cacheDirectory, "servergroups.json")
+	cachedBytes, err := d.getCachedFile(filename)
+	// don't fail on errors, we either don't have a file or won't be able to run the cached check. Either way we can fallback.
+	if err == nil {
+		cachedGroups := &metav1.APIGroupList{}
+		if err := runtime.DecodeInto(scheme.Codecs.UniversalDecoder(), cachedBytes, cachedGroups); err == nil {
+			klog.V(10).Infof("returning cached discovery info from %v", filename)
+			return cachedGroups, nil
+		}
+	}
+
+	liveGroups, err := d.delegate.ServerGroups()
+	if err != nil {
+		klog.V(3).Infof("skipped caching discovery info due to %v", err)
+		return liveGroups, err
+	}
+	if liveGroups == nil || len(liveGroups.Groups) == 0 {
+		klog.V(3).Infof("skipped caching discovery info, no groups found")
+		return liveGroups, err
+	}
+
+	if err := d.writeCachedFile(filename, liveGroups); err != nil {
+		klog.V(1).Infof("failed to write cache to %v due to %v", filename, err)
+	}
+
+	return liveGroups, nil
+}
+
+func (d *CachedDiscoveryClient) getCachedFile(filename string) ([]byte, error) {
+	// after invalidation ignore cache files not created by this process
+	d.mutex.Lock()
+	_, ourFile := d.ourFiles[filename]
+	if d.invalidated && !ourFile {
+		d.mutex.Unlock()
+		return nil, errors.New("cache invalidated")
+	}
+	d.mutex.Unlock()
+
+	file, err := os.Open(filename)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	fileInfo, err := file.Stat()
+	if err != nil {
+		return nil, err
+	}
+
+	if time.Now().After(fileInfo.ModTime().Add(d.ttl)) {
+		return nil, errors.New("cache expired")
+	}
+
+	// the cache is present and its valid.  Try to read and use it.
+	cachedBytes, err := io.ReadAll(file)
+	if err != nil {
+		return nil, err
+	}
+
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+	d.fresh = d.fresh && ourFile
+
+	return cachedBytes, nil
+}
+
+func (d *CachedDiscoveryClient) writeCachedFile(filename string, obj runtime.Object) error {
+	if err := os.MkdirAll(filepath.Dir(filename), 0750); err != nil {
+		return err
+	}
+
+	bytes, err := runtime.Encode(scheme.Codecs.LegacyCodec(), obj)
+	if err != nil {
+		return err
+	}
+
+	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".")
+	if err != nil {
+		return err
+	}
+	defer os.Remove(f.Name())
+	_, err = f.Write(bytes)
+	if err != nil {
+		return err
+	}
+
+	err = os.Chmod(f.Name(), 0660)
+	if err != nil {
+		return err
+	}
+
+	name := f.Name()
+	err = f.Close()
+	if err != nil {
+		return err
+	}
+
+	// atomic rename
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+	err = os.Rename(name, filename)
+	if err == nil {
+		d.ourFiles[filename] = struct{}{}
+	}
+	return err
+}
+
+// RESTClient returns a RESTClient that is used to communicate with API server
+// by this client implementation.
+func (d *CachedDiscoveryClient) RESTClient() restclient.Interface {
+	return d.delegate.RESTClient()
+}
+
+// ServerPreferredResources returns the supported resources with the version preferred by the
+// server.
+func (d *CachedDiscoveryClient) ServerPreferredResources() ([]*metav1.APIResourceList, error) {
+	return discovery.ServerPreferredResources(d)
+}
+
+// ServerPreferredNamespacedResources returns the supported namespaced resources with the
+// version preferred by the server.
+func (d *CachedDiscoveryClient) ServerPreferredNamespacedResources() ([]*metav1.APIResourceList, error) {
+	return discovery.ServerPreferredNamespacedResources(d)
+}
+
+// ServerVersion retrieves and parses the server's version (git version).
+func (d *CachedDiscoveryClient) ServerVersion() (*version.Info, error) {
+	return d.delegate.ServerVersion()
+}
+
+// OpenAPISchema retrieves and parses the swagger API schema the server supports.
+func (d *CachedDiscoveryClient) OpenAPISchema() (*openapi_v2.Document, error) {
+	return d.delegate.OpenAPISchema()
+}
+
+// OpenAPIV3 retrieves and parses the OpenAPIV3 specs exposed by the server
+func (d *CachedDiscoveryClient) OpenAPIV3() openapi.Client {
+	// Must take lock since Invalidate call may modify openapiClient
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+
+	if d.openapiClient == nil {
+		// Delegate is discovery client created with special HTTP client which
+		// respects E-Tag cache responses to serve cache from disk.
+		d.openapiClient = cachedopenapi.NewClient(d.delegate.OpenAPIV3())
+	}
+
+	return d.openapiClient
+}
+
+// Fresh is supposed to tell the caller whether or not to retry if the cache
+// fails to find something (false = retry, true = no need to retry).
+func (d *CachedDiscoveryClient) Fresh() bool {
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+
+	return d.fresh
+}
+
+// Invalidate enforces that no cached data is used in the future that is older than the current time.
+func (d *CachedDiscoveryClient) Invalidate() {
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+
+	d.ourFiles = map[string]struct{}{}
+	d.fresh = true
+	d.invalidated = true
+	d.openapiClient = nil
+	if ad, ok := d.delegate.(discovery.CachedDiscoveryInterface); ok {
+		ad.Invalidate()
+	}
+}
+
+// WithLegacy returns current cached discovery client;
+// current client does not support legacy-only discovery.
+func (d *CachedDiscoveryClient) WithLegacy() discovery.DiscoveryInterface {
+	return d
+}
+
+// NewCachedDiscoveryClientForConfig creates a new DiscoveryClient for the given config, and wraps
+// the created client in a CachedDiscoveryClient. The provided configuration is updated with a
+// custom transport that understands cache responses.
+// We receive two distinct cache directories for now, in order to preserve old behavior
+// which makes use of the --cache-dir flag value for storing cache data from the CacheRoundTripper,
+// and makes use of the hardcoded destination (~/.kube/cache/discovery/...) for storing
+// CachedDiscoveryClient cache data. If httpCacheDir is empty, the restconfig's transport will not
+// be updated with a roundtripper that understands cache responses.
+// If discoveryCacheDir is empty, cached server resource data will be looked up in the current directory.
+func NewCachedDiscoveryClientForConfig(config *restclient.Config, discoveryCacheDir, httpCacheDir string, ttl time.Duration) (*CachedDiscoveryClient, error) {
+	if len(httpCacheDir) > 0 {
+		// update the given restconfig with a custom roundtripper that
+		// understands how to handle cache responses.
+		config = restclient.CopyConfig(config)
+		config.Wrap(func(rt http.RoundTripper) http.RoundTripper {
+			return newCacheRoundTripper(httpCacheDir, rt)
+		})
+	}
+
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	// The delegate caches the discovery groups and resources (memcache). "ServerGroups",
+	// which usually only returns (and caches) the groups, can now store the resources as
+	// well if the server supports the newer aggregated discovery format.
+	return newCachedDiscoveryClient(memory.NewMemCacheClient(discoveryClient), discoveryCacheDir, ttl), nil
+}
+
+// NewCachedDiscoveryClient creates a new DiscoveryClient.  cacheDirectory is the directory where discovery docs are held.  It must be unique per host:port combination to work well.
+func newCachedDiscoveryClient(delegate discovery.DiscoveryInterface, cacheDirectory string, ttl time.Duration) *CachedDiscoveryClient {
+	return &CachedDiscoveryClient{
+		delegate:       delegate,
+		cacheDirectory: cacheDirectory,
+		ttl:            ttl,
+		ourFiles:       map[string]struct{}{},
+		fresh:          true,
+	}
+}
diff --git a/vendor/k8s.io/client-go/discovery/cached/disk/round_tripper.go b/vendor/k8s.io/client-go/discovery/cached/disk/round_tripper.go
new file mode 100644
index 0000000000..f3a4b2947f
--- /dev/null
+++ b/vendor/k8s.io/client-go/discovery/cached/disk/round_tripper.go
@@ -0,0 +1,120 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package disk
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"github.com/gregjones/httpcache"
+	"github.com/peterbourgon/diskv"
+	"k8s.io/klog/v2"
+)
+
+type cacheRoundTripper struct {
+	rt *httpcache.Transport
+}
+
+// newCacheRoundTripper creates a roundtripper that reads the ETag on
+// response headers and send the If-None-Match header on subsequent
+// corresponding requests.
+func newCacheRoundTripper(cacheDir string, rt http.RoundTripper) http.RoundTripper {
+	d := diskv.New(diskv.Options{
+		PathPerm: os.FileMode(0750),
+		FilePerm: os.FileMode(0660),
+		BasePath: cacheDir,
+		TempDir:  filepath.Join(cacheDir, ".diskv-temp"),
+	})
+	t := httpcache.NewTransport(&sumDiskCache{disk: d})
+	t.Transport = rt
+
+	return &cacheRoundTripper{rt: t}
+}
+
+func (rt *cacheRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return rt.rt.RoundTrip(req)
+}
+
+func (rt *cacheRoundTripper) CancelRequest(req *http.Request) {
+	type canceler interface {
+		CancelRequest(*http.Request)
+	}
+	if cr, ok := rt.rt.Transport.(canceler); ok {
+		cr.CancelRequest(req)
+	} else {
+		klog.Errorf("CancelRequest not implemented by %T", rt.rt.Transport)
+	}
+}
+
+func (rt *cacheRoundTripper) WrappedRoundTripper() http.RoundTripper { return rt.rt.Transport }
+
+// A sumDiskCache is a cache backend for github.com/gregjones/httpcache. It is
+// similar to httpcache's diskcache package, but uses SHA256 sums to ensure
+// cache integrity at read time rather than fsyncing each cache entry to
+// increase the likelihood they will be persisted at write time. This avoids
+// significant performance degradation on MacOS.
+//
+// See https://github.com/kubernetes/kubernetes/issues/110753 for more.
+type sumDiskCache struct {
+	disk *diskv.Diskv
+}
+
+// Get the requested key from the cache on disk. If Get encounters an error, or
+// the returned value is not a SHA256 sum followed by bytes with a matching
+// checksum it will return false to indicate a cache miss.
+func (c *sumDiskCache) Get(key string) ([]byte, bool) {
+	b, err := c.disk.Read(sanitize(key))
+	if err != nil || len(b) < sha256.Size {
+		return []byte{}, false
+	}
+
+	response := b[sha256.Size:]
+	want := b[:sha256.Size] // The first 32 bytes of the file should be the SHA256 sum.
+	got := sha256.Sum256(response)
+	if !bytes.Equal(want, got[:]) {
+		return []byte{}, false
+	}
+
+	return response, true
+}
+
+// Set writes the response to a file on disk. The filename will be the SHA256
+// sum of the key. The file will contain a SHA256 sum of the response bytes,
+// followed by said response bytes.
+func (c *sumDiskCache) Set(key string, response []byte) {
+	s := sha256.Sum256(response)
+	_ = c.disk.Write(sanitize(key), append(s[:], response...)) // Nothing we can do with this error.
+}
+
+func (c *sumDiskCache) Delete(key string) {
+	_ = c.disk.Erase(sanitize(key)) // Nothing we can do with this error.
+}
+
+// Sanitize an httpcache key such that it can be used as a diskv key, which must
+// be a valid filename. The httpcache key will either be the requested URL (if
+// the request method was GET) or "<method> <url>" for other methods, per the
+// httpcache.cacheKey function.
+func sanitize(key string) string {
+	// These keys are not sensitive. We use sha256 to avoid a (potentially
+	// malicious) collision causing the wrong cache data to be written or
+	// accessed.
+	return fmt.Sprintf("%x", sha256.Sum256([]byte(key)))
+}
diff --git a/vendor/k8s.io/client-go/dynamic/dynamicinformer/informer.go b/vendor/k8s.io/client-go/dynamic/dynamicinformer/informer.go
new file mode 100644
index 0000000000..b933c13798
--- /dev/null
+++ b/vendor/k8s.io/client-go/dynamic/dynamicinformer/informer.go
@@ -0,0 +1,200 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dynamicinformer
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/dynamic/dynamiclister"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/tools/cache"
+)
+
+// NewDynamicSharedInformerFactory constructs a new instance of dynamicSharedInformerFactory for all namespaces.
+func NewDynamicSharedInformerFactory(client dynamic.Interface, defaultResync time.Duration) DynamicSharedInformerFactory {
+	return NewFilteredDynamicSharedInformerFactory(client, defaultResync, metav1.NamespaceAll, nil)
+}
+
+// NewFilteredDynamicSharedInformerFactory constructs a new instance of dynamicSharedInformerFactory.
+// Listers obtained via this factory will be subject to the same filters as specified here.
+func NewFilteredDynamicSharedInformerFactory(client dynamic.Interface, defaultResync time.Duration, namespace string, tweakListOptions TweakListOptionsFunc) DynamicSharedInformerFactory {
+	return &dynamicSharedInformerFactory{
+		client:           client,
+		defaultResync:    defaultResync,
+		namespace:        namespace,
+		informers:        map[schema.GroupVersionResource]informers.GenericInformer{},
+		startedInformers: make(map[schema.GroupVersionResource]bool),
+		tweakListOptions: tweakListOptions,
+	}
+}
+
+type dynamicSharedInformerFactory struct {
+	client        dynamic.Interface
+	defaultResync time.Duration
+	namespace     string
+
+	lock      sync.Mutex
+	informers map[schema.GroupVersionResource]informers.GenericInformer
+	// startedInformers is used for tracking which informers have been started.
+	// This allows Start() to be called multiple times safely.
+	startedInformers map[schema.GroupVersionResource]bool
+	tweakListOptions TweakListOptionsFunc
+
+	// wg tracks how many goroutines were started.
+	wg sync.WaitGroup
+	// shuttingDown is true when Shutdown has been called. It may still be running
+	// because it needs to wait for goroutines.
+	shuttingDown bool
+}
+
+var _ DynamicSharedInformerFactory = &dynamicSharedInformerFactory{}
+
+func (f *dynamicSharedInformerFactory) ForResource(gvr schema.GroupVersionResource) informers.GenericInformer {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	key := gvr
+	informer, exists := f.informers[key]
+	if exists {
+		return informer
+	}
+
+	informer = NewFilteredDynamicInformer(f.client, gvr, f.namespace, f.defaultResync, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+	f.informers[key] = informer
+
+	return informer
+}
+
+// Start initializes all requested informers.
+func (f *dynamicSharedInformerFactory) Start(stopCh <-chan struct{}) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	if f.shuttingDown {
+		return
+	}
+
+	for informerType, informer := range f.informers {
+		if !f.startedInformers[informerType] {
+			f.wg.Add(1)
+			// We need a new variable in each loop iteration,
+			// otherwise the goroutine would use the loop variable
+			// and that keeps changing.
+			informer := informer.Informer()
+			go func() {
+				defer f.wg.Done()
+				informer.Run(stopCh)
+			}()
+			f.startedInformers[informerType] = true
+		}
+	}
+}
+
+// WaitForCacheSync waits for all started informers' cache were synced.
+func (f *dynamicSharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[schema.GroupVersionResource]bool {
+	informers := func() map[schema.GroupVersionResource]cache.SharedIndexInformer {
+		f.lock.Lock()
+		defer f.lock.Unlock()
+
+		informers := map[schema.GroupVersionResource]cache.SharedIndexInformer{}
+		for informerType, informer := range f.informers {
+			if f.startedInformers[informerType] {
+				informers[informerType] = informer.Informer()
+			}
+		}
+		return informers
+	}()
+
+	res := map[schema.GroupVersionResource]bool{}
+	for informType, informer := range informers {
+		res[informType] = cache.WaitForCacheSync(stopCh, informer.HasSynced)
+	}
+	return res
+}
+
+func (f *dynamicSharedInformerFactory) Shutdown() {
+	// Will return immediately if there is nothing to wait for.
+	defer f.wg.Wait()
+
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.shuttingDown = true
+}
+
+// NewFilteredDynamicInformer constructs a new informer for a dynamic type.
+func NewFilteredDynamicInformer(client dynamic.Interface, gvr schema.GroupVersionResource, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions TweakListOptionsFunc) informers.GenericInformer {
+	return &dynamicInformer{
+		gvr: gvr,
+		informer: cache.NewSharedIndexInformerWithOptions(
+			cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
+				ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+					if tweakListOptions != nil {
+						tweakListOptions(&options)
+					}
+					return client.Resource(gvr).Namespace(namespace).List(context.Background(), options)
+				},
+				WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+					if tweakListOptions != nil {
+						tweakListOptions(&options)
+					}
+					return client.Resource(gvr).Namespace(namespace).Watch(context.Background(), options)
+				},
+				ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
+					if tweakListOptions != nil {
+						tweakListOptions(&options)
+					}
+					return client.Resource(gvr).Namespace(namespace).List(ctx, options)
+				},
+				WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
+					if tweakListOptions != nil {
+						tweakListOptions(&options)
+					}
+					return client.Resource(gvr).Namespace(namespace).Watch(ctx, options)
+				},
+			}, client),
+			&unstructured.Unstructured{},
+			cache.SharedIndexInformerOptions{
+				ResyncPeriod:      resyncPeriod,
+				Indexers:          indexers,
+				ObjectDescription: gvr.String(),
+			},
+		),
+	}
+}
+
+type dynamicInformer struct {
+	informer cache.SharedIndexInformer
+	gvr      schema.GroupVersionResource
+}
+
+var _ informers.GenericInformer = &dynamicInformer{}
+
+func (d *dynamicInformer) Informer() cache.SharedIndexInformer {
+	return d.informer
+}
+
+func (d *dynamicInformer) Lister() cache.GenericLister {
+	return dynamiclister.NewRuntimeObjectShim(dynamiclister.New(d.informer.GetIndexer(), d.gvr))
+}
diff --git a/vendor/k8s.io/client-go/dynamic/dynamicinformer/interface.go b/vendor/k8s.io/client-go/dynamic/dynamicinformer/interface.go
new file mode 100644
index 0000000000..0419ef4f86
--- /dev/null
+++ b/vendor/k8s.io/client-go/dynamic/dynamicinformer/interface.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dynamicinformer
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/informers"
+)
+
+// DynamicSharedInformerFactory provides access to a shared informer and lister for dynamic client
+type DynamicSharedInformerFactory interface {
+	// Start initializes all requested informers. They are handled in goroutines
+	// which run until the stop channel gets closed.
+	Start(stopCh <-chan struct{})
+
+	// ForResource gives generic access to a shared informer of the matching type.
+	ForResource(gvr schema.GroupVersionResource) informers.GenericInformer
+
+	// WaitForCacheSync blocks until all started informers' caches were synced
+	// or the stop channel gets closed.
+	WaitForCacheSync(stopCh <-chan struct{}) map[schema.GroupVersionResource]bool
+
+	// Shutdown marks a factory as shutting down. At that point no new
+	// informers can be started anymore and Start will return without
+	// doing anything.
+	//
+	// In addition, Shutdown blocks until all goroutines have terminated. For that
+	// to happen, the close channel(s) that they were started with must be closed,
+	// either before Shutdown gets called or while it is waiting.
+	//
+	// Shutdown may be called multiple times, even concurrently. All such calls will
+	// block until all goroutines have terminated.
+	Shutdown()
+}
+
+// TweakListOptionsFunc defines the signature of a helper function
+// that wants to provide more listing options to API
+type TweakListOptionsFunc func(*metav1.ListOptions)
diff --git a/vendor/k8s.io/client-go/dynamic/dynamiclister/interface.go b/vendor/k8s.io/client-go/dynamic/dynamiclister/interface.go
new file mode 100644
index 0000000000..c39cbee925
--- /dev/null
+++ b/vendor/k8s.io/client-go/dynamic/dynamiclister/interface.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dynamiclister
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+// Lister helps list resources.
+type Lister interface {
+	// List lists all resources in the indexer.
+	List(selector labels.Selector) (ret []*unstructured.Unstructured, err error)
+	// Get retrieves a resource from the indexer with the given name
+	Get(name string) (*unstructured.Unstructured, error)
+	// Namespace returns an object that can list and get resources in a given namespace.
+	Namespace(namespace string) NamespaceLister
+}
+
+// NamespaceLister helps list and get resources.
+type NamespaceLister interface {
+	// List lists all resources in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*unstructured.Unstructured, err error)
+	// Get retrieves a resource from the indexer for a given namespace and name.
+	Get(name string) (*unstructured.Unstructured, error)
+}
diff --git a/vendor/k8s.io/client-go/dynamic/dynamiclister/lister.go b/vendor/k8s.io/client-go/dynamic/dynamiclister/lister.go
new file mode 100644
index 0000000000..a50fc471e9
--- /dev/null
+++ b/vendor/k8s.io/client-go/dynamic/dynamiclister/lister.go
@@ -0,0 +1,91 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dynamiclister
+
+import (
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/tools/cache"
+)
+
+var _ Lister = &dynamicLister{}
+var _ NamespaceLister = &dynamicNamespaceLister{}
+
+// dynamicLister implements the Lister interface.
+type dynamicLister struct {
+	indexer cache.Indexer
+	gvr     schema.GroupVersionResource
+}
+
+// New returns a new Lister.
+func New(indexer cache.Indexer, gvr schema.GroupVersionResource) Lister {
+	return &dynamicLister{indexer: indexer, gvr: gvr}
+}
+
+// List lists all resources in the indexer.
+func (l *dynamicLister) List(selector labels.Selector) (ret []*unstructured.Unstructured, err error) {
+	err = cache.ListAll(l.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*unstructured.Unstructured))
+	})
+	return ret, err
+}
+
+// Get retrieves a resource from the indexer with the given name
+func (l *dynamicLister) Get(name string) (*unstructured.Unstructured, error) {
+	obj, exists, err := l.indexer.GetByKey(name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(l.gvr.GroupResource(), name)
+	}
+	return obj.(*unstructured.Unstructured), nil
+}
+
+// Namespace returns an object that can list and get resources from a given namespace.
+func (l *dynamicLister) Namespace(namespace string) NamespaceLister {
+	return &dynamicNamespaceLister{indexer: l.indexer, namespace: namespace, gvr: l.gvr}
+}
+
+// dynamicNamespaceLister implements the NamespaceLister interface.
+type dynamicNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+	gvr       schema.GroupVersionResource
+}
+
+// List lists all resources in the indexer for a given namespace.
+func (l *dynamicNamespaceLister) List(selector labels.Selector) (ret []*unstructured.Unstructured, err error) {
+	err = cache.ListAllByNamespace(l.indexer, l.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*unstructured.Unstructured))
+	})
+	return ret, err
+}
+
+// Get retrieves a resource from the indexer for a given namespace and name.
+func (l *dynamicNamespaceLister) Get(name string) (*unstructured.Unstructured, error) {
+	obj, exists, err := l.indexer.GetByKey(l.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(l.gvr.GroupResource(), name)
+	}
+	return obj.(*unstructured.Unstructured), nil
+}
diff --git a/vendor/k8s.io/client-go/dynamic/dynamiclister/shim.go b/vendor/k8s.io/client-go/dynamic/dynamiclister/shim.go
new file mode 100644
index 0000000000..92a5f54af9
--- /dev/null
+++ b/vendor/k8s.io/client-go/dynamic/dynamiclister/shim.go
@@ -0,0 +1,87 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dynamiclister
+
+import (
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/cache"
+)
+
+var _ cache.GenericLister = &dynamicListerShim{}
+var _ cache.GenericNamespaceLister = &dynamicNamespaceListerShim{}
+
+// dynamicListerShim implements the cache.GenericLister interface.
+type dynamicListerShim struct {
+	lister Lister
+}
+
+// NewRuntimeObjectShim returns a new shim for Lister.
+// It wraps Lister so that it implements cache.GenericLister interface
+func NewRuntimeObjectShim(lister Lister) cache.GenericLister {
+	return &dynamicListerShim{lister: lister}
+}
+
+// List will return all objects across namespaces
+func (s *dynamicListerShim) List(selector labels.Selector) (ret []runtime.Object, err error) {
+	objs, err := s.lister.List(selector)
+	if err != nil {
+		return nil, err
+	}
+
+	ret = make([]runtime.Object, len(objs))
+	for index, obj := range objs {
+		ret[index] = obj
+	}
+	return ret, err
+}
+
+// Get will attempt to retrieve assuming that name==key
+func (s *dynamicListerShim) Get(name string) (runtime.Object, error) {
+	return s.lister.Get(name)
+}
+
+func (s *dynamicListerShim) ByNamespace(namespace string) cache.GenericNamespaceLister {
+	return &dynamicNamespaceListerShim{
+		namespaceLister: s.lister.Namespace(namespace),
+	}
+}
+
+// dynamicNamespaceListerShim implements the NamespaceLister interface.
+// It wraps NamespaceLister so that it implements cache.GenericNamespaceLister interface
+type dynamicNamespaceListerShim struct {
+	namespaceLister NamespaceLister
+}
+
+// List will return all objects in this namespace
+func (ns *dynamicNamespaceListerShim) List(selector labels.Selector) (ret []runtime.Object, err error) {
+	objs, err := ns.namespaceLister.List(selector)
+	if err != nil {
+		return nil, err
+	}
+
+	ret = make([]runtime.Object, len(objs))
+	for index, obj := range objs {
+		ret[index] = obj
+	}
+	return ret, err
+}
+
+// Get will attempt to retrieve by namespace and name
+func (ns *dynamicNamespaceListerShim) Get(name string) (runtime.Object, error) {
+	return ns.namespaceLister.Get(name)
+}
diff --git a/vendor/k8s.io/client-go/openapi3/root.go b/vendor/k8s.io/client-go/openapi3/root.go
new file mode 100644
index 0000000000..4333e8628f
--- /dev/null
+++ b/vendor/k8s.io/client-go/openapi3/root.go
@@ -0,0 +1,182 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openapi3
+
+import (
+	"encoding/json"
+	"fmt"
+	"sort"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/openapi"
+	"k8s.io/kube-openapi/pkg/spec3"
+)
+
+// Root interface defines functions implemented against the root
+// OpenAPI V3 document. The root OpenAPI V3 document maps the
+// API Server relative url for all GroupVersions to the relative
+// url for the OpenAPI relative url. Example for single GroupVersion
+// apps/v1:
+//
+//	"apis/apps/v1": {
+//	    "ServerRelativeURL": "/openapi/v3/apis/apps/v1?hash=<HASH>"
+//	}
+type Root interface {
+	// GroupVersions returns every GroupVersion for which there is an
+	// OpenAPI V3 GroupVersion document. Returns an error for problems
+	// retrieving or parsing the OpenAPI V3 root document.
+	GroupVersions() ([]schema.GroupVersion, error)
+	// GVSpec returns the specification for all the resources in a
+	// GroupVersion as a pointer to a spec3.OpenAPI struct.
+	// Returns an error for problems retrieving or parsing the root
+	// document or GroupVersion OpenAPI V3 document.
+	GVSpec(gv schema.GroupVersion) (*spec3.OpenAPI, error)
+	// GVSpecAsMap returns the specification for all the resources in a
+	// GroupVersion as unstructured bytes. Returns an error for
+	// problems retrieving or parsing the root or GroupVersion
+	// OpenAPI V3 document.
+	GVSpecAsMap(gv schema.GroupVersion) (map[string]interface{}, error)
+}
+
+// root implements the Root interface, and encapsulates the
+// fields to retrieve, store the parsed OpenAPI V3 root document.
+type root struct {
+	// OpenAPI client to retrieve the OpenAPI V3 documents.
+	client openapi.Client
+}
+
+// Validate root implements the Root interface.
+var _ Root = &root{}
+
+// NewRoot returns a structure implementing the Root interface,
+// created with the passed rest client.
+func NewRoot(client openapi.Client) Root {
+	return &root{client: client}
+}
+
+func (r *root) GroupVersions() ([]schema.GroupVersion, error) {
+	paths, err := r.client.Paths()
+	if err != nil {
+		return nil, err
+	}
+	// Example GroupVersion API path: "apis/apps/v1"
+	gvs := make([]schema.GroupVersion, 0, len(paths))
+	for gvAPIPath := range paths {
+		gv, err := pathToGroupVersion(gvAPIPath)
+		if err != nil {
+			// Ignore paths which do not parse to GroupVersion
+			continue
+		}
+		gvs = append(gvs, gv)
+	}
+	// Sort GroupVersions alphabetically
+	sort.Slice(gvs, func(i, j int) bool {
+		return gvs[i].String() < gvs[j].String()
+	})
+	return gvs, nil
+}
+
+func (r *root) GVSpec(gv schema.GroupVersion) (*spec3.OpenAPI, error) {
+	openAPISchemaBytes, err := r.retrieveGVBytes(gv)
+	if err != nil {
+		return nil, err
+	}
+	// Unmarshal the downloaded Group/Version bytes into the spec3.OpenAPI struct.
+	var parsedV3Schema spec3.OpenAPI
+	err = json.Unmarshal(openAPISchemaBytes, &parsedV3Schema)
+	return &parsedV3Schema, err
+}
+
+func (r *root) GVSpecAsMap(gv schema.GroupVersion) (map[string]interface{}, error) {
+	gvOpenAPIBytes, err := r.retrieveGVBytes(gv)
+	if err != nil {
+		return nil, err
+	}
+	// GroupVersion bytes into unstructured map[string] -> empty interface.
+	var gvMap map[string]interface{}
+	err = json.Unmarshal(gvOpenAPIBytes, &gvMap)
+	return gvMap, err
+}
+
+// retrieveGVBytes returns the schema for a passed GroupVersion as an
+// unstructured slice of bytes or an error if there is a problem downloading
+// or if the passed GroupVersion is not supported.
+func (r *root) retrieveGVBytes(gv schema.GroupVersion) ([]byte, error) {
+	paths, err := r.client.Paths()
+	if err != nil {
+		return nil, err
+	}
+	apiPath := gvToAPIPath(gv)
+	gvOpenAPI, found := paths[apiPath]
+	if !found {
+		return nil, &GroupVersionNotFoundError{gv: gv}
+	}
+	return gvOpenAPI.Schema(runtime.ContentTypeJSON)
+}
+
+// gvToAPIPath maps the passed GroupVersion to a relative api
+// server url. Example:
+//
+//	GroupVersion{Group: "apps", Version: "v1"} -> "apis/apps/v1".
+func gvToAPIPath(gv schema.GroupVersion) string {
+	var resourcePath string
+	if len(gv.Group) == 0 {
+		resourcePath = fmt.Sprintf("api/%s", gv.Version)
+	} else {
+		resourcePath = fmt.Sprintf("apis/%s/%s", gv.Group, gv.Version)
+	}
+	return resourcePath
+}
+
+// pathToGroupVersion is a helper function parsing the passed relative
+// url into a GroupVersion.
+//
+//	Example: apis/apps/v1 -> GroupVersion{Group: "apps", Version: "v1"}
+//	Example: api/v1 -> GroupVersion{Group: "", Version: "v1"}
+func pathToGroupVersion(path string) (schema.GroupVersion, error) {
+	var gv schema.GroupVersion
+	parts := strings.Split(path, "/")
+	if len(parts) < 2 {
+		return gv, fmt.Errorf("Unable to parse api relative path: %s", path)
+	}
+	apiPrefix := parts[0]
+	if apiPrefix == "apis" {
+		// Example: apis/apps (without version)
+		if len(parts) < 3 {
+			return gv, fmt.Errorf("Group without Version not allowed")
+		}
+		gv.Group = parts[1]
+		gv.Version = parts[2]
+	} else if apiPrefix == "api" {
+		gv.Version = parts[1]
+	} else {
+		return gv, fmt.Errorf("Unable to parse api relative path: %s", path)
+	}
+	return gv, nil
+}
+
+// Encapsulates GroupVersion not found as one of the paths
+// at OpenAPI V3 endpoint.
+type GroupVersionNotFoundError struct {
+	gv schema.GroupVersion
+}
+
+func (r *GroupVersionNotFoundError) Error() string {
+	return fmt.Sprintf("GroupVersion (%v) not found as OpenAPI V3 path", r.gv)
+}
diff --git a/vendor/k8s.io/client-go/third_party/forked/golang/LICENSE b/vendor/k8s.io/client-go/third_party/forked/golang/LICENSE
new file mode 100644
index 0000000000..6a66aea5ea
--- /dev/null
+++ b/vendor/k8s.io/client-go/third_party/forked/golang/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/k8s.io/client-go/third_party/forked/golang/PATENTS b/vendor/k8s.io/client-go/third_party/forked/golang/PATENTS
new file mode 100644
index 0000000000..733099041f
--- /dev/null
+++ b/vendor/k8s.io/client-go/third_party/forked/golang/PATENTS
@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
diff --git a/vendor/k8s.io/client-go/third_party/forked/golang/template/exec.go b/vendor/k8s.io/client-go/third_party/forked/golang/template/exec.go
new file mode 100644
index 0000000000..7cf29524ce
--- /dev/null
+++ b/vendor/k8s.io/client-go/third_party/forked/golang/template/exec.go
@@ -0,0 +1,52 @@
+//This package is copied from Go library text/template.
+//The original private functions indirect and printableValue
+//are exported as public functions.
+package template
+
+import (
+	"fmt"
+	"reflect"
+)
+
+var (
+	errorType       = reflect.TypeOf((*error)(nil)).Elem()
+	fmtStringerType = reflect.TypeOf((*fmt.Stringer)(nil)).Elem()
+)
+
+// Indirect returns the item at the end of indirection, and a bool to indicate if it's nil.
+// We indirect through pointers and empty interfaces (only) because
+// non-empty interfaces have methods we might need.
+func Indirect(v reflect.Value) (rv reflect.Value, isNil bool) {
+	for ; v.Kind() == reflect.Pointer || v.Kind() == reflect.Interface; v = v.Elem() {
+		if v.IsNil() {
+			return v, true
+		}
+		if v.Kind() == reflect.Interface && v.NumMethod() > 0 {
+			break
+		}
+	}
+	return v, false
+}
+
+// PrintableValue returns the, possibly indirected, interface value inside v that
+// is best for a call to formatted printer.
+func PrintableValue(v reflect.Value) (interface{}, bool) {
+	if v.Kind() == reflect.Pointer {
+		v, _ = Indirect(v) // fmt.Fprint handles nil.
+	}
+	if !v.IsValid() {
+		return "<no value>", true
+	}
+
+	if !v.Type().Implements(errorType) && !v.Type().Implements(fmtStringerType) {
+		if v.CanAddr() && (reflect.PointerTo(v.Type()).Implements(errorType) || reflect.PointerTo(v.Type()).Implements(fmtStringerType)) {
+			v = v.Addr()
+		} else {
+			switch v.Kind() {
+			case reflect.Chan, reflect.Func:
+				return nil, false
+			}
+		}
+	}
+	return v.Interface(), true
+}
diff --git a/vendor/k8s.io/client-go/third_party/forked/golang/template/funcs.go b/vendor/k8s.io/client-go/third_party/forked/golang/template/funcs.go
new file mode 100644
index 0000000000..f0c8e712ca
--- /dev/null
+++ b/vendor/k8s.io/client-go/third_party/forked/golang/template/funcs.go
@@ -0,0 +1,177 @@
+//This package is copied from Go library text/template.
+//The original private functions eq, ge, gt, le, lt, and ne
+//are exported as public functions.
+package template
+
+import (
+	"errors"
+	"reflect"
+)
+
+var (
+	errBadComparisonType = errors.New("invalid type for comparison")
+	errBadComparison     = errors.New("incompatible types for comparison")
+	errNoComparison      = errors.New("missing argument for comparison")
+)
+
+type kind int
+
+const (
+	invalidKind kind = iota
+	boolKind
+	complexKind
+	intKind
+	floatKind
+	integerKind
+	stringKind
+	uintKind
+)
+
+func basicKind(v reflect.Value) (kind, error) {
+	switch v.Kind() {
+	case reflect.Bool:
+		return boolKind, nil
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return intKind, nil
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return uintKind, nil
+	case reflect.Float32, reflect.Float64:
+		return floatKind, nil
+	case reflect.Complex64, reflect.Complex128:
+		return complexKind, nil
+	case reflect.String:
+		return stringKind, nil
+	}
+	return invalidKind, errBadComparisonType
+}
+
+// Equal evaluates the comparison a == b || a == c || ...
+func Equal(arg1 interface{}, arg2 ...interface{}) (bool, error) {
+	v1 := reflect.ValueOf(arg1)
+	k1, err := basicKind(v1)
+	if err != nil {
+		return false, err
+	}
+	if len(arg2) == 0 {
+		return false, errNoComparison
+	}
+	for _, arg := range arg2 {
+		v2 := reflect.ValueOf(arg)
+		k2, err := basicKind(v2)
+		if err != nil {
+			return false, err
+		}
+		truth := false
+		if k1 != k2 {
+			// Special case: Can compare integer values regardless of type's sign.
+			switch {
+			case k1 == intKind && k2 == uintKind:
+				truth = v1.Int() >= 0 && uint64(v1.Int()) == v2.Uint()
+			case k1 == uintKind && k2 == intKind:
+				truth = v2.Int() >= 0 && v1.Uint() == uint64(v2.Int())
+			default:
+				return false, errBadComparison
+			}
+		} else {
+			switch k1 {
+			case boolKind:
+				truth = v1.Bool() == v2.Bool()
+			case complexKind:
+				truth = v1.Complex() == v2.Complex()
+			case floatKind:
+				truth = v1.Float() == v2.Float()
+			case intKind:
+				truth = v1.Int() == v2.Int()
+			case stringKind:
+				truth = v1.String() == v2.String()
+			case uintKind:
+				truth = v1.Uint() == v2.Uint()
+			default:
+				panic("invalid kind")
+			}
+		}
+		if truth {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// NotEqual evaluates the comparison a != b.
+func NotEqual(arg1, arg2 interface{}) (bool, error) {
+	// != is the inverse of ==.
+	equal, err := Equal(arg1, arg2)
+	return !equal, err
+}
+
+// Less evaluates the comparison a < b.
+func Less(arg1, arg2 interface{}) (bool, error) {
+	v1 := reflect.ValueOf(arg1)
+	k1, err := basicKind(v1)
+	if err != nil {
+		return false, err
+	}
+	v2 := reflect.ValueOf(arg2)
+	k2, err := basicKind(v2)
+	if err != nil {
+		return false, err
+	}
+	truth := false
+	if k1 != k2 {
+		// Special case: Can compare integer values regardless of type's sign.
+		switch {
+		case k1 == intKind && k2 == uintKind:
+			truth = v1.Int() < 0 || uint64(v1.Int()) < v2.Uint()
+		case k1 == uintKind && k2 == intKind:
+			truth = v2.Int() >= 0 && v1.Uint() < uint64(v2.Int())
+		default:
+			return false, errBadComparison
+		}
+	} else {
+		switch k1 {
+		case boolKind, complexKind:
+			return false, errBadComparisonType
+		case floatKind:
+			truth = v1.Float() < v2.Float()
+		case intKind:
+			truth = v1.Int() < v2.Int()
+		case stringKind:
+			truth = v1.String() < v2.String()
+		case uintKind:
+			truth = v1.Uint() < v2.Uint()
+		default:
+			panic("invalid kind")
+		}
+	}
+	return truth, nil
+}
+
+// LessEqual evaluates the comparison <= b.
+func LessEqual(arg1, arg2 interface{}) (bool, error) {
+	// <= is < or ==.
+	lessThan, err := Less(arg1, arg2)
+	if lessThan || err != nil {
+		return lessThan, err
+	}
+	return Equal(arg1, arg2)
+}
+
+// Greater evaluates the comparison a > b.
+func Greater(arg1, arg2 interface{}) (bool, error) {
+	// > is the inverse of <=.
+	lessOrEqual, err := LessEqual(arg1, arg2)
+	if err != nil {
+		return false, err
+	}
+	return !lessOrEqual, nil
+}
+
+// GreaterEqual evaluates the comparison a >= b.
+func GreaterEqual(arg1, arg2 interface{}) (bool, error) {
+	// >= is the inverse of <.
+	lessThan, err := Less(arg1, arg2)
+	if err != nil {
+		return false, err
+	}
+	return !lessThan, nil
+}
diff --git a/vendor/k8s.io/client-go/tools/watch/informerwatcher.go b/vendor/k8s.io/client-go/tools/watch/informerwatcher.go
new file mode 100644
index 0000000000..114abfcc9b
--- /dev/null
+++ b/vendor/k8s.io/client-go/tools/watch/informerwatcher.go
@@ -0,0 +1,166 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watch
+
+import (
+	"sync"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+)
+
+func newEventProcessor(out chan<- watch.Event) *eventProcessor {
+	return &eventProcessor{
+		out:  out,
+		cond: sync.NewCond(&sync.Mutex{}),
+		done: make(chan struct{}),
+	}
+}
+
+// eventProcessor buffers events and writes them to an out chan when a reader
+// is waiting. Because of the requirement to buffer events, it synchronizes
+// input with a condition, and synchronizes output with a channels. It needs to
+// be able to yield while both waiting on an input condition and while blocked
+// on writing to the output channel.
+type eventProcessor struct {
+	out chan<- watch.Event
+
+	cond *sync.Cond
+	buff []watch.Event
+
+	done chan struct{}
+}
+
+func (e *eventProcessor) run() {
+	for {
+		batch := e.takeBatch()
+		e.writeBatch(batch)
+		if e.stopped() {
+			return
+		}
+	}
+}
+
+func (e *eventProcessor) takeBatch() []watch.Event {
+	e.cond.L.Lock()
+	defer e.cond.L.Unlock()
+
+	for len(e.buff) == 0 && !e.stopped() {
+		e.cond.Wait()
+	}
+
+	batch := e.buff
+	e.buff = nil
+	return batch
+}
+
+func (e *eventProcessor) writeBatch(events []watch.Event) {
+	for _, event := range events {
+		select {
+		case e.out <- event:
+		case <-e.done:
+			return
+		}
+	}
+}
+
+func (e *eventProcessor) push(event watch.Event) {
+	e.cond.L.Lock()
+	defer e.cond.L.Unlock()
+	defer e.cond.Signal()
+	e.buff = append(e.buff, event)
+}
+
+func (e *eventProcessor) stopped() bool {
+	select {
+	case <-e.done:
+		return true
+	default:
+		return false
+	}
+}
+
+func (e *eventProcessor) stop() {
+	close(e.done)
+	e.cond.Signal()
+}
+
+// NewIndexerInformerWatcher will create an IndexerInformer and wrap it into watch.Interface
+// so you can use it anywhere where you'd have used a regular Watcher returned from Watch method.
+// it also returns a channel you can use to wait for the informers to fully shutdown.
+//
+// Contextual logging: NewIndexerInformerWatcherWithLogger should be used instead of NewIndexerInformerWatcher in code which supports contextual logging.
+func NewIndexerInformerWatcher(lw cache.ListerWatcher, objType runtime.Object) (cache.Indexer, cache.Controller, watch.Interface, <-chan struct{}) {
+	return NewIndexerInformerWatcherWithLogger(klog.Background(), lw, objType)
+}
+
+// NewIndexerInformerWatcherWithLogger will create an IndexerInformer and wrap it into watch.Interface
+// so you can use it anywhere where you'd have used a regular Watcher returned from Watch method.
+// it also returns a channel you can use to wait for the informers to fully shutdown.
+func NewIndexerInformerWatcherWithLogger(logger klog.Logger, lw cache.ListerWatcher, objType runtime.Object) (cache.Indexer, cache.Controller, watch.Interface, <-chan struct{}) {
+	ch := make(chan watch.Event)
+	w := watch.NewProxyWatcher(ch)
+	e := newEventProcessor(ch)
+
+	indexer, informer := cache.NewIndexerInformer(lw, objType, 0, cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			e.push(watch.Event{
+				Type:   watch.Added,
+				Object: obj.(runtime.Object),
+			})
+		},
+		UpdateFunc: func(old, new interface{}) {
+			e.push(watch.Event{
+				Type:   watch.Modified,
+				Object: new.(runtime.Object),
+			})
+		},
+		DeleteFunc: func(obj interface{}) {
+			staleObj, stale := obj.(cache.DeletedFinalStateUnknown)
+			if stale {
+				// We have no means of passing the additional information down using
+				// watch API based on watch.Event but the caller can filter such
+				// objects by checking if metadata.deletionTimestamp is set
+				obj = staleObj.Obj
+			}
+
+			e.push(watch.Event{
+				Type:   watch.Deleted,
+				Object: obj.(runtime.Object),
+			})
+		},
+	}, cache.Indexers{})
+
+	// This will get stopped, but without waiting for it.
+	go e.run()
+
+	doneCh := make(chan struct{})
+	go func() {
+		defer close(doneCh)
+		defer e.stop()
+		// Waiting for w.StopChan() is the traditional behavior which gets
+		// preserved here, with the logger added to support contextual logging.
+		ctx := wait.ContextForChannel(w.StopChan())
+		ctx = klog.NewContext(ctx, logger)
+		informer.RunWithContext(ctx)
+	}()
+
+	return indexer, informer, w, doneCh
+}
diff --git a/vendor/k8s.io/client-go/tools/watch/retrywatcher.go b/vendor/k8s.io/client-go/tools/watch/retrywatcher.go
new file mode 100644
index 0000000000..45249d8e47
--- /dev/null
+++ b/vendor/k8s.io/client-go/tools/watch/retrywatcher.go
@@ -0,0 +1,327 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watch
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/dump"
+	"k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+)
+
+// resourceVersionGetter is an interface used to get resource version from events.
+// We can't reuse an interface from meta otherwise it would be a cyclic dependency and we need just this one method
+type resourceVersionGetter interface {
+	GetResourceVersion() string
+}
+
+// RetryWatcher will make sure that in case the underlying watcher is closed (e.g. due to API timeout or etcd timeout)
+// it will get restarted from the last point without the consumer even knowing about it.
+// RetryWatcher does that by inspecting events and keeping track of resourceVersion.
+// Especially useful when using watch.UntilWithoutRetry where premature termination is causing issues and flakes.
+// Please note that this is not resilient to etcd cache not having the resource version anymore - you would need to
+// use Informers for that.
+type RetryWatcher struct {
+	cancel              func(error)
+	lastResourceVersion string
+	watcherClient       cache.WatcherWithContext
+	resultChan          chan watch.Event
+	doneChan            chan struct{}
+	minRestartDelay     time.Duration
+}
+
+// NewRetryWatcher creates a new RetryWatcher.
+// It will make sure that watches gets restarted in case of recoverable errors.
+// The initialResourceVersion will be given to watch method when first called.
+//
+// Deprecated: use NewRetryWatcherWithContext instead.
+func NewRetryWatcher(initialResourceVersion string, watcherClient cache.Watcher) (*RetryWatcher, error) {
+	return NewRetryWatcherWithContext(context.Background(), initialResourceVersion, cache.ToWatcherWithContext(watcherClient))
+}
+
+// NewRetryWatcherWithContext creates a new RetryWatcher.
+// It will make sure that watches gets restarted in case of recoverable errors.
+// The initialResourceVersion will be given to watch method when first called.
+func NewRetryWatcherWithContext(ctx context.Context, initialResourceVersion string, watcherClient cache.WatcherWithContext) (*RetryWatcher, error) {
+	return newRetryWatcher(ctx, initialResourceVersion, watcherClient, 1*time.Second)
+}
+
+func newRetryWatcher(ctx context.Context, initialResourceVersion string, watcherClient cache.WatcherWithContext, minRestartDelay time.Duration) (*RetryWatcher, error) {
+	switch initialResourceVersion {
+	case "", "0":
+		// TODO: revisit this if we ever get WATCH v2 where it means start "now"
+		//       without doing the synthetic list of objects at the beginning (see #74022)
+		return nil, fmt.Errorf("initial RV %q is not supported due to issues with underlying WATCH", initialResourceVersion)
+	default:
+		break
+	}
+
+	ctx, cancel := context.WithCancelCause(ctx)
+
+	rw := &RetryWatcher{
+		cancel:              cancel,
+		lastResourceVersion: initialResourceVersion,
+		watcherClient:       watcherClient,
+		doneChan:            make(chan struct{}),
+		resultChan:          make(chan watch.Event, 0),
+		minRestartDelay:     minRestartDelay,
+	}
+
+	go rw.receive(ctx)
+	return rw, nil
+}
+
+func (rw *RetryWatcher) send(ctx context.Context, event watch.Event) bool {
+	// Writing to an unbuffered channel is blocking operation
+	// and we need to check if stop wasn't requested while doing so.
+	select {
+	case rw.resultChan <- event:
+		return true
+	case <-ctx.Done():
+		return false
+	}
+}
+
+// doReceive returns true when it is done, false otherwise.
+// If it is not done the second return value holds the time to wait before calling it again.
+func (rw *RetryWatcher) doReceive(ctx context.Context) (bool, time.Duration) {
+	watcher, err := rw.watcherClient.WatchWithContext(ctx, metav1.ListOptions{
+		ResourceVersion:     rw.lastResourceVersion,
+		AllowWatchBookmarks: true,
+	})
+	// We are very unlikely to hit EOF here since we are just establishing the call,
+	// but it may happen that the apiserver is just shutting down (e.g. being restarted)
+	// This is consistent with how it is handled for informers
+	switch err {
+	case nil:
+		break
+
+	case io.EOF:
+		// watch closed normally
+		return false, 0
+
+	case io.ErrUnexpectedEOF:
+		klog.FromContext(ctx).V(1).Info("Watch closed with unexpected EOF", "err", err)
+		return false, 0
+
+	default:
+		msg := "Watch failed"
+		if net.IsProbableEOF(err) || net.IsTimeout(err) {
+			klog.FromContext(ctx).V(5).Info(msg, "err", err)
+			// Retry
+			return false, 0
+		}
+
+		// Check if the watch failed due to the client not having permission to watch the resource or the credentials
+		// being invalid (e.g. expired token).
+		if apierrors.IsForbidden(err) || apierrors.IsUnauthorized(err) {
+			// Add more detail since the forbidden message returned by the Kubernetes API is just "unknown".
+			klog.FromContext(ctx).Error(err, msg+": ensure the client has valid credentials and watch permissions on the resource")
+
+			if apiStatus, ok := err.(apierrors.APIStatus); ok {
+				statusErr := apiStatus.Status()
+
+				sent := rw.send(ctx, watch.Event{
+					Type:   watch.Error,
+					Object: &statusErr,
+				})
+				if !sent {
+					// This likely means the RetryWatcher is stopping but return false so the caller to doReceive can
+					// verify this and potentially retry.
+					klog.FromContext(ctx).Error(nil, "Failed to send the Unauthorized or Forbidden watch event")
+
+					return false, 0
+				}
+			} else {
+				// This should never happen since apierrors only handles apierrors.APIStatus. Still, this is an
+				// unrecoverable error, so still allow it to return true below.
+				klog.FromContext(ctx).Error(err, msg+": encountered an unexpected Unauthorized or Forbidden error type")
+			}
+
+			return true, 0
+		}
+
+		klog.FromContext(ctx).Error(err, msg)
+		// Retry
+		return false, 0
+	}
+
+	if watcher == nil {
+		klog.FromContext(ctx).Error(nil, "Watch returned nil watcher")
+		// Retry
+		return false, 0
+	}
+
+	ch := watcher.ResultChan()
+	defer watcher.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			klog.FromContext(ctx).V(4).Info("Stopping RetryWatcher")
+			return true, 0
+		case event, ok := <-ch:
+			if !ok {
+				klog.FromContext(ctx).V(4).Info("Failed to get event - re-creating the watcher", "resourceVersion", rw.lastResourceVersion)
+				return false, 0
+			}
+
+			// We need to inspect the event and get ResourceVersion out of it
+			switch event.Type {
+			case watch.Added, watch.Modified, watch.Deleted, watch.Bookmark:
+				metaObject, ok := event.Object.(resourceVersionGetter)
+				if !ok {
+					_ = rw.send(ctx, watch.Event{
+						Type:   watch.Error,
+						Object: &apierrors.NewInternalError(errors.New("retryWatcher: doesn't support resourceVersion")).ErrStatus,
+					})
+					// We have to abort here because this might cause lastResourceVersion inconsistency by skipping a potential RV with valid data!
+					return true, 0
+				}
+
+				resourceVersion := metaObject.GetResourceVersion()
+				if resourceVersion == "" {
+					_ = rw.send(ctx, watch.Event{
+						Type:   watch.Error,
+						Object: &apierrors.NewInternalError(fmt.Errorf("retryWatcher: object %#v doesn't support resourceVersion", event.Object)).ErrStatus,
+					})
+					// We have to abort here because this might cause lastResourceVersion inconsistency by skipping a potential RV with valid data!
+					return true, 0
+				}
+
+				// All is fine; send the non-bookmark events and update resource version.
+				if event.Type != watch.Bookmark {
+					ok = rw.send(ctx, event)
+					if !ok {
+						return true, 0
+					}
+				}
+				rw.lastResourceVersion = resourceVersion
+
+				continue
+
+			case watch.Error:
+				// This round trip allows us to handle unstructured status
+				errObject := apierrors.FromObject(event.Object)
+				statusErr, ok := errObject.(*apierrors.StatusError)
+				if !ok {
+					klog.FromContext(ctx).Error(nil, "Received an error which is not *metav1.Status", "errorObject", dump.Pretty(event.Object))
+					// Retry unknown errors
+					return false, 0
+				}
+
+				status := statusErr.ErrStatus
+
+				statusDelay := time.Duration(0)
+				if status.Details != nil {
+					statusDelay = time.Duration(status.Details.RetryAfterSeconds) * time.Second
+				}
+
+				switch status.Code {
+				case http.StatusGone:
+					// Never retry RV too old errors
+					_ = rw.send(ctx, event)
+					return true, 0
+
+				case http.StatusGatewayTimeout, http.StatusInternalServerError:
+					// Retry
+					return false, statusDelay
+
+				default:
+					// We retry by default. RetryWatcher is meant to proceed unless it is certain
+					// that it can't. If we are not certain, we proceed with retry and leave it
+					// up to the user to timeout if needed.
+
+					// Log here so we have a record of hitting the unexpected error
+					// and we can whitelist some error codes if we missed any that are expected.
+					klog.FromContext(ctx).V(5).Info("Retrying after unexpected error", "errorObject", dump.Pretty(event.Object))
+
+					// Retry
+					return false, statusDelay
+				}
+
+			default:
+				klog.FromContext(ctx).Error(nil, "Failed to recognize event", "type", event.Type)
+				_ = rw.send(ctx, watch.Event{
+					Type:   watch.Error,
+					Object: &apierrors.NewInternalError(fmt.Errorf("retryWatcher failed to recognize Event type %q", event.Type)).ErrStatus,
+				})
+				// We are unable to restart the watch and have to stop the loop or this might cause lastResourceVersion inconsistency by skipping a potential RV with valid data!
+				return true, 0
+			}
+		}
+	}
+}
+
+// receive reads the result from a watcher, restarting it if necessary.
+func (rw *RetryWatcher) receive(ctx context.Context) {
+	defer close(rw.doneChan)
+	defer close(rw.resultChan)
+
+	logger := klog.FromContext(ctx)
+	logger.V(4).Info("Starting RetryWatcher")
+	defer logger.V(4).Info("Stopping RetryWatcher")
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// We use non sliding until so we don't introduce delays on happy path when WATCH call
+	// timeouts or gets closed and we need to reestablish it while also avoiding hot loops.
+	wait.NonSlidingUntilWithContext(ctx, func(ctx context.Context) {
+		done, retryAfter := rw.doReceive(ctx)
+		if done {
+			cancel()
+			return
+		}
+
+		timer := time.NewTimer(retryAfter)
+		select {
+		case <-ctx.Done():
+			timer.Stop()
+			return
+		case <-timer.C:
+		}
+
+		logger.V(4).Info("Restarting RetryWatcher", "resourceVersion", rw.lastResourceVersion)
+	}, rw.minRestartDelay)
+}
+
+// ResultChan implements Interface.
+func (rw *RetryWatcher) ResultChan() <-chan watch.Event {
+	return rw.resultChan
+}
+
+// Stop implements Interface.
+func (rw *RetryWatcher) Stop() {
+	rw.cancel(errors.New("asked to stop"))
+}
+
+// Done allows the caller to be notified when Retry watcher stops.
+func (rw *RetryWatcher) Done() <-chan struct{} {
+	return rw.doneChan
+}
diff --git a/vendor/k8s.io/client-go/tools/watch/until.go b/vendor/k8s.io/client-go/tools/watch/until.go
new file mode 100644
index 0000000000..7a9b34a871
--- /dev/null
+++ b/vendor/k8s.io/client-go/tools/watch/until.go
@@ -0,0 +1,168 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watch
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+)
+
+// PreconditionFunc returns true if the condition has been reached, false if it has not been reached yet,
+// or an error if the condition failed or detected an error state.
+type PreconditionFunc func(store cache.Store) (bool, error)
+
+// ConditionFunc returns true if the condition has been reached, false if it has not been reached yet,
+// or an error if the condition cannot be checked and should terminate. In general, it is better to define
+// level driven conditions over edge driven conditions (pod has ready=true, vs pod modified and ready changed
+// from false to true).
+type ConditionFunc func(event watch.Event) (bool, error)
+
+// ErrWatchClosed is returned when the watch channel is closed before timeout in UntilWithoutRetry.
+var ErrWatchClosed = errors.New("watch closed before UntilWithoutRetry timeout")
+
+// UntilWithoutRetry reads items from the watch until each provided condition succeeds, and then returns the last watch
+// encountered. The first condition that returns an error terminates the watch (and the event is also returned).
+// If no event has been received, the returned event will be nil.
+// Conditions are satisfied sequentially so as to provide a useful primitive for higher level composition.
+// Waits until context deadline or until context is canceled.
+//
+// Warning: Unless you have a very specific use case (probably a special Watcher) don't use this function!!!
+// Warning: This will fail e.g. on API timeouts and/or 'too old resource version' error.
+// Warning: You are most probably looking for a function *Until* or *UntilWithSync* below,
+// Warning: solving such issues.
+// TODO: Consider making this function private to prevent misuse when the other occurrences in our codebase are gone.
+func UntilWithoutRetry(ctx context.Context, watcher watch.Interface, conditions ...ConditionFunc) (*watch.Event, error) {
+	ch := watcher.ResultChan()
+	defer watcher.Stop()
+	var lastEvent *watch.Event
+	for _, condition := range conditions {
+		// check the next condition against the previous event and short circuit waiting for the next watch
+		if lastEvent != nil {
+			done, err := condition(*lastEvent)
+			if err != nil {
+				return lastEvent, err
+			}
+			if done {
+				continue
+			}
+		}
+	ConditionSucceeded:
+		for {
+			select {
+			case event, ok := <-ch:
+				if !ok {
+					return lastEvent, ErrWatchClosed
+				}
+				lastEvent = &event
+
+				done, err := condition(event)
+				if err != nil {
+					return lastEvent, err
+				}
+				if done {
+					break ConditionSucceeded
+				}
+
+			case <-ctx.Done():
+				return lastEvent, wait.ErrorInterrupted(nil)
+			}
+		}
+	}
+	return lastEvent, nil
+}
+
+// Until wraps the watcherClient's watch function with RetryWatcher making sure that watcher gets restarted in case of errors.
+// The initialResourceVersion will be given to watch method when first called. It shall not be "" or "0"
+// given the underlying WATCH call issues (#74022).
+// Remaining behaviour is identical to function UntilWithoutRetry. (See above.)
+// Until can deal with API timeouts and lost connections.
+// It guarantees you to see all events and in the order they happened.
+// Due to this guarantee there is no way it can deal with 'Resource version too old error'. It will fail in this case.
+// (See `UntilWithSync` if you'd prefer to recover from all the errors including RV too old by re-listing
+// those items. In normal code you should care about being level driven so you'd not care about not seeing all the edges.)
+//
+// The most frequent usage for Until would be a test where you want to verify exact order of events ("edges").
+func Until(ctx context.Context, initialResourceVersion string, watcherClient cache.Watcher, conditions ...ConditionFunc) (*watch.Event, error) {
+	w, err := NewRetryWatcherWithContext(ctx, initialResourceVersion, cache.ToWatcherWithContext(watcherClient))
+	if err != nil {
+		return nil, err
+	}
+
+	return UntilWithoutRetry(ctx, w, conditions...)
+}
+
+// UntilWithSync creates an informer from lw, optionally checks precondition when the store is synced,
+// and watches the output until each provided condition succeeds, in a way that is identical
+// to function UntilWithoutRetry. (See above.)
+// UntilWithSync can deal with all errors like API timeout, lost connections and 'Resource version too old'.
+// It is the only function that can recover from 'Resource version too old', Until and UntilWithoutRetry will
+// just fail in that case. On the other hand it can't provide you with guarantees as strong as using simple
+// Watch method with Until. It can skip some intermediate events in case of watch function failing but it will
+// re-list to recover and you always get an event, if there has been a change, after recovery.
+// Also with the current implementation based on DeltaFIFO, order of the events you receive is guaranteed only for
+// particular object, not between more of them even it's the same resource.
+// The most frequent usage would be a command that needs to watch the "state of the world" and should't fail, like:
+// waiting for object reaching a state, "small" controllers, ...
+func UntilWithSync(ctx context.Context, lw cache.ListerWatcher, objType runtime.Object, precondition PreconditionFunc, conditions ...ConditionFunc) (*watch.Event, error) {
+	indexer, informer, watcher, done := NewIndexerInformerWatcherWithLogger(klog.FromContext(ctx), lw, objType)
+	// We need to wait for the internal informers to fully stop so it's easier to reason about
+	// and it works with non-thread safe clients.
+	defer func() { <-done }()
+	// Proxy watcher can be stopped multiple times so it's fine to use defer here to cover alternative branches and
+	// let UntilWithoutRetry to stop it
+	defer watcher.Stop()
+
+	if precondition != nil {
+		if !cache.WaitForCacheSync(ctx.Done(), informer.HasSynced) {
+			return nil, fmt.Errorf("UntilWithSync: unable to sync caches: %w", ctx.Err())
+		}
+
+		done, err := precondition(indexer)
+		if err != nil {
+			return nil, err
+		}
+
+		if done {
+			return nil, nil
+		}
+	}
+
+	return UntilWithoutRetry(ctx, watcher, conditions...)
+}
+
+// ContextWithOptionalTimeout wraps context.WithTimeout and handles infinite timeouts expressed as 0 duration.
+func ContextWithOptionalTimeout(parent context.Context, timeout time.Duration) (context.Context, context.CancelFunc) {
+	if timeout < 0 {
+		// This should be handled in validation
+		klog.FromContext(parent).Error(nil, "Timeout for context shall not be negative")
+		timeout = 0
+	}
+
+	if timeout == 0 {
+		return context.WithCancel(parent)
+	}
+
+	return context.WithTimeout(parent, timeout)
+}
diff --git a/vendor/k8s.io/client-go/util/jsonpath/doc.go b/vendor/k8s.io/client-go/util/jsonpath/doc.go
new file mode 100644
index 0000000000..2a6e170617
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/jsonpath/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// package jsonpath is a template engine using jsonpath syntax,
+// which can be seen at http://goessner.net/articles/JsonPath/.
+// In addition, it has {range} {end} function to iterate list and slice.
+package jsonpath
diff --git a/vendor/k8s.io/client-go/util/jsonpath/jsonpath.go b/vendor/k8s.io/client-go/util/jsonpath/jsonpath.go
new file mode 100644
index 0000000000..86a3d6dde9
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/jsonpath/jsonpath.go
@@ -0,0 +1,582 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package jsonpath
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"reflect"
+	"strings"
+
+	"k8s.io/client-go/third_party/forked/golang/template"
+)
+
+type JSONPath struct {
+	name       string
+	parser     *Parser
+	beginRange int
+	inRange    int
+	endRange   int
+
+	lastEndNode *Node
+
+	allowMissingKeys bool
+	outputJSON       bool
+}
+
+// New creates a new JSONPath with the given name.
+func New(name string) *JSONPath {
+	return &JSONPath{
+		name:       name,
+		beginRange: 0,
+		inRange:    0,
+		endRange:   0,
+	}
+}
+
+// AllowMissingKeys allows a caller to specify whether they want an error if a field or map key
+// cannot be located, or simply an empty result. The receiver is returned for chaining.
+func (j *JSONPath) AllowMissingKeys(allow bool) *JSONPath {
+	j.allowMissingKeys = allow
+	return j
+}
+
+// Parse parses the given template and returns an error.
+func (j *JSONPath) Parse(text string) error {
+	var err error
+	j.parser, err = Parse(j.name, text)
+	return err
+}
+
+// Execute bounds data into template and writes the result.
+func (j *JSONPath) Execute(wr io.Writer, data interface{}) error {
+	fullResults, err := j.FindResults(data)
+	if err != nil {
+		return err
+	}
+	for ix := range fullResults {
+		if err := j.PrintResults(wr, fullResults[ix]); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (j *JSONPath) FindResults(data interface{}) ([][]reflect.Value, error) {
+	if j.parser == nil {
+		return nil, fmt.Errorf("%s is an incomplete jsonpath template", j.name)
+	}
+
+	cur := []reflect.Value{reflect.ValueOf(data)}
+	nodes := j.parser.Root.Nodes
+	fullResult := [][]reflect.Value{}
+	for i := 0; i < len(nodes); i++ {
+		node := nodes[i]
+		results, err := j.walk(cur, node)
+		if err != nil {
+			return nil, err
+		}
+
+		// encounter an end node, break the current block
+		if j.endRange > 0 && j.endRange <= j.inRange {
+			j.endRange--
+			j.lastEndNode = &nodes[i]
+			break
+		}
+		// encounter a range node, start a range loop
+		if j.beginRange > 0 {
+			j.beginRange--
+			j.inRange++
+			if len(results) > 0 {
+				for _, value := range results {
+					j.parser.Root.Nodes = nodes[i+1:]
+					nextResults, err := j.FindResults(value.Interface())
+					if err != nil {
+						return nil, err
+					}
+					fullResult = append(fullResult, nextResults...)
+				}
+			} else {
+				// If the range has no results, we still need to process the nodes within the range
+				// so the position will advance to the end node
+				j.parser.Root.Nodes = nodes[i+1:]
+				_, err := j.FindResults(nil)
+				if err != nil {
+					return nil, err
+				}
+			}
+			j.inRange--
+
+			// Fast forward to resume processing after the most recent end node that was encountered
+			for k := i + 1; k < len(nodes); k++ {
+				if &nodes[k] == j.lastEndNode {
+					i = k
+					break
+				}
+			}
+			continue
+		}
+		fullResult = append(fullResult, results)
+	}
+	return fullResult, nil
+}
+
+// EnableJSONOutput changes the PrintResults behavior to return a JSON array of results
+func (j *JSONPath) EnableJSONOutput(v bool) {
+	j.outputJSON = v
+}
+
+// PrintResults writes the results into writer
+func (j *JSONPath) PrintResults(wr io.Writer, results []reflect.Value) error {
+	if j.outputJSON {
+		// convert the []reflect.Value to something that json
+		// will be able to marshal
+		r := make([]interface{}, 0, len(results))
+		for i := range results {
+			r = append(r, results[i].Interface())
+		}
+		results = []reflect.Value{reflect.ValueOf(r)}
+	}
+	for i, r := range results {
+		var text []byte
+		var err error
+		outputJSON := true
+		kind := r.Kind()
+		if kind == reflect.Interface {
+			kind = r.Elem().Kind()
+		}
+		switch kind {
+		case reflect.Map:
+		case reflect.Array:
+		case reflect.Slice:
+		case reflect.Struct:
+		default:
+			outputJSON = false
+		}
+		switch {
+		case outputJSON || j.outputJSON:
+			if j.outputJSON {
+				text, err = json.MarshalIndent(r.Interface(), "", "    ")
+				text = append(text, '\n')
+			} else {
+				text, err = json.Marshal(r.Interface())
+			}
+		default:
+			text, err = j.evalToText(r)
+		}
+		if err != nil {
+			return err
+		}
+		if i != len(results)-1 {
+			text = append(text, ' ')
+		}
+		if _, err = wr.Write(text); err != nil {
+			return err
+		}
+	}
+
+	return nil
+
+}
+
+// walk visits tree rooted at the given node in DFS order
+func (j *JSONPath) walk(value []reflect.Value, node Node) ([]reflect.Value, error) {
+	switch node := node.(type) {
+	case *ListNode:
+		return j.evalList(value, node)
+	case *TextNode:
+		return []reflect.Value{reflect.ValueOf(node.Text)}, nil
+	case *FieldNode:
+		return j.evalField(value, node)
+	case *ArrayNode:
+		return j.evalArray(value, node)
+	case *FilterNode:
+		return j.evalFilter(value, node)
+	case *IntNode:
+		return j.evalInt(value, node)
+	case *BoolNode:
+		return j.evalBool(value, node)
+	case *FloatNode:
+		return j.evalFloat(value, node)
+	case *WildcardNode:
+		return j.evalWildcard(value, node)
+	case *RecursiveNode:
+		return j.evalRecursive(value, node)
+	case *UnionNode:
+		return j.evalUnion(value, node)
+	case *IdentifierNode:
+		return j.evalIdentifier(value, node)
+	default:
+		return value, fmt.Errorf("unexpected Node %v", node)
+	}
+}
+
+// evalInt evaluates IntNode
+func (j *JSONPath) evalInt(input []reflect.Value, node *IntNode) ([]reflect.Value, error) {
+	result := make([]reflect.Value, len(input))
+	for i := range input {
+		result[i] = reflect.ValueOf(node.Value)
+	}
+	return result, nil
+}
+
+// evalFloat evaluates FloatNode
+func (j *JSONPath) evalFloat(input []reflect.Value, node *FloatNode) ([]reflect.Value, error) {
+	result := make([]reflect.Value, len(input))
+	for i := range input {
+		result[i] = reflect.ValueOf(node.Value)
+	}
+	return result, nil
+}
+
+// evalBool evaluates BoolNode
+func (j *JSONPath) evalBool(input []reflect.Value, node *BoolNode) ([]reflect.Value, error) {
+	result := make([]reflect.Value, len(input))
+	for i := range input {
+		result[i] = reflect.ValueOf(node.Value)
+	}
+	return result, nil
+}
+
+// evalList evaluates ListNode
+func (j *JSONPath) evalList(value []reflect.Value, node *ListNode) ([]reflect.Value, error) {
+	var err error
+	curValue := value
+	for _, node := range node.Nodes {
+		curValue, err = j.walk(curValue, node)
+		if err != nil {
+			return curValue, err
+		}
+	}
+	return curValue, nil
+}
+
+// evalIdentifier evaluates IdentifierNode
+func (j *JSONPath) evalIdentifier(input []reflect.Value, node *IdentifierNode) ([]reflect.Value, error) {
+	results := []reflect.Value{}
+	switch node.Name {
+	case "range":
+		j.beginRange++
+		results = input
+	case "end":
+		if j.inRange > 0 {
+			j.endRange++
+		} else {
+			return results, fmt.Errorf("not in range, nothing to end")
+		}
+	default:
+		return input, fmt.Errorf("unrecognized identifier %v", node.Name)
+	}
+	return results, nil
+}
+
+// evalArray evaluates ArrayNode
+func (j *JSONPath) evalArray(input []reflect.Value, node *ArrayNode) ([]reflect.Value, error) {
+	result := []reflect.Value{}
+	for _, value := range input {
+
+		value, isNil := template.Indirect(value)
+		if isNil {
+			continue
+		}
+		if value.Kind() != reflect.Array && value.Kind() != reflect.Slice {
+			return input, fmt.Errorf("%v is not array or slice", value.Type())
+		}
+		params := node.Params
+		if !params[0].Known {
+			params[0].Value = 0
+		}
+		if params[0].Value < 0 {
+			params[0].Value += value.Len()
+		}
+		if !params[1].Known {
+			params[1].Value = value.Len()
+		}
+
+		if params[1].Value < 0 || (params[1].Value == 0 && params[1].Derived) {
+			params[1].Value += value.Len()
+		}
+		sliceLength := value.Len()
+		if params[1].Value != params[0].Value { // if you're requesting zero elements, allow it through.
+			if params[0].Value >= sliceLength || params[0].Value < 0 {
+				return input, fmt.Errorf("array index out of bounds: index %d, length %d", params[0].Value, sliceLength)
+			}
+			if params[1].Value > sliceLength || params[1].Value < 0 {
+				return input, fmt.Errorf("array index out of bounds: index %d, length %d", params[1].Value-1, sliceLength)
+			}
+			if params[0].Value > params[1].Value {
+				return input, fmt.Errorf("starting index %d is greater than ending index %d", params[0].Value, params[1].Value)
+			}
+		} else {
+			return result, nil
+		}
+
+		value = value.Slice(params[0].Value, params[1].Value)
+
+		step := 1
+		if params[2].Known {
+			if params[2].Value <= 0 {
+				return input, fmt.Errorf("step must be > 0")
+			}
+			step = params[2].Value
+		}
+		for i := 0; i < value.Len(); i += step {
+			result = append(result, value.Index(i))
+		}
+	}
+	return result, nil
+}
+
+// evalUnion evaluates UnionNode
+func (j *JSONPath) evalUnion(input []reflect.Value, node *UnionNode) ([]reflect.Value, error) {
+	result := []reflect.Value{}
+	for _, listNode := range node.Nodes {
+		temp, err := j.evalList(input, listNode)
+		if err != nil {
+			return input, err
+		}
+		result = append(result, temp...)
+	}
+	return result, nil
+}
+
+func (j *JSONPath) findFieldInValue(value *reflect.Value, node *FieldNode) (reflect.Value, error) {
+	t := value.Type()
+	var inlineValue *reflect.Value
+	for ix := 0; ix < t.NumField(); ix++ {
+		f := t.Field(ix)
+		jsonTag := f.Tag.Get("json")
+		parts := strings.Split(jsonTag, ",")
+		if len(parts) == 0 {
+			continue
+		}
+		if parts[0] == node.Value {
+			return value.Field(ix), nil
+		}
+		if len(parts[0]) == 0 {
+			val := value.Field(ix)
+			inlineValue = &val
+		}
+	}
+	if inlineValue != nil {
+		if inlineValue.Kind() == reflect.Struct {
+			// handle 'inline'
+			match, err := j.findFieldInValue(inlineValue, node)
+			if err != nil {
+				return reflect.Value{}, err
+			}
+			if match.IsValid() {
+				return match, nil
+			}
+		}
+	}
+	return value.FieldByName(node.Value), nil
+}
+
+// evalField evaluates field of struct or key of map.
+func (j *JSONPath) evalField(input []reflect.Value, node *FieldNode) ([]reflect.Value, error) {
+	results := []reflect.Value{}
+	// If there's no input, there's no output
+	if len(input) == 0 {
+		return results, nil
+	}
+	for _, value := range input {
+		var result reflect.Value
+		value, isNil := template.Indirect(value)
+		if isNil {
+			continue
+		}
+
+		if value.Kind() == reflect.Struct {
+			var err error
+			if result, err = j.findFieldInValue(&value, node); err != nil {
+				return nil, err
+			}
+		} else if value.Kind() == reflect.Map {
+			mapKeyType := value.Type().Key()
+			nodeValue := reflect.ValueOf(node.Value)
+			// node value type must be convertible to map key type
+			if !nodeValue.Type().ConvertibleTo(mapKeyType) {
+				return results, fmt.Errorf("%s is not convertible to %s", nodeValue, mapKeyType)
+			}
+			result = value.MapIndex(nodeValue.Convert(mapKeyType))
+		}
+		if result.IsValid() {
+			results = append(results, result)
+		}
+	}
+	if len(results) == 0 {
+		if j.allowMissingKeys {
+			return results, nil
+		}
+		return results, fmt.Errorf("%s is not found", node.Value)
+	}
+	return results, nil
+}
+
+// evalWildcard extracts all contents of the given value
+func (j *JSONPath) evalWildcard(input []reflect.Value, node *WildcardNode) ([]reflect.Value, error) {
+	results := []reflect.Value{}
+	for _, value := range input {
+		value, isNil := template.Indirect(value)
+		if isNil {
+			continue
+		}
+
+		kind := value.Kind()
+		if kind == reflect.Struct {
+			for i := 0; i < value.NumField(); i++ {
+				results = append(results, value.Field(i))
+			}
+		} else if kind == reflect.Map {
+			for _, key := range value.MapKeys() {
+				results = append(results, value.MapIndex(key))
+			}
+		} else if kind == reflect.Array || kind == reflect.Slice || kind == reflect.String {
+			for i := 0; i < value.Len(); i++ {
+				results = append(results, value.Index(i))
+			}
+		}
+	}
+	return results, nil
+}
+
+// evalRecursive visits the given value recursively and pushes all of them to result
+func (j *JSONPath) evalRecursive(input []reflect.Value, node *RecursiveNode) ([]reflect.Value, error) {
+	result := []reflect.Value{}
+	for _, value := range input {
+		results := []reflect.Value{}
+		value, isNil := template.Indirect(value)
+		if isNil {
+			continue
+		}
+
+		kind := value.Kind()
+		if kind == reflect.Struct {
+			for i := 0; i < value.NumField(); i++ {
+				results = append(results, value.Field(i))
+			}
+		} else if kind == reflect.Map {
+			for _, key := range value.MapKeys() {
+				results = append(results, value.MapIndex(key))
+			}
+		} else if kind == reflect.Array || kind == reflect.Slice || kind == reflect.String {
+			for i := 0; i < value.Len(); i++ {
+				results = append(results, value.Index(i))
+			}
+		}
+		if len(results) != 0 {
+			result = append(result, value)
+			output, err := j.evalRecursive(results, node)
+			if err != nil {
+				return result, err
+			}
+			result = append(result, output...)
+		}
+	}
+	return result, nil
+}
+
+// evalFilter filters array according to FilterNode
+func (j *JSONPath) evalFilter(input []reflect.Value, node *FilterNode) ([]reflect.Value, error) {
+	results := []reflect.Value{}
+	for _, value := range input {
+		value, _ = template.Indirect(value)
+
+		if value.Kind() != reflect.Array && value.Kind() != reflect.Slice {
+			return input, fmt.Errorf("%v is not array or slice and cannot be filtered", value)
+		}
+		for i := 0; i < value.Len(); i++ {
+			temp := []reflect.Value{value.Index(i)}
+			lefts, err := j.evalList(temp, node.Left)
+
+			//case exists
+			if node.Operator == "exists" {
+				if len(lefts) > 0 {
+					results = append(results, value.Index(i))
+				}
+				continue
+			}
+
+			if err != nil {
+				return input, err
+			}
+
+			var left, right interface{}
+			switch {
+			case len(lefts) == 0:
+				continue
+			case len(lefts) > 1:
+				return input, fmt.Errorf("can only compare one element at a time")
+			}
+			left = lefts[0].Interface()
+
+			rights, err := j.evalList(temp, node.Right)
+			if err != nil {
+				return input, err
+			}
+			switch {
+			case len(rights) == 0:
+				continue
+			case len(rights) > 1:
+				return input, fmt.Errorf("can only compare one element at a time")
+			}
+			right = rights[0].Interface()
+
+			pass := false
+			switch node.Operator {
+			case "<":
+				pass, err = template.Less(left, right)
+			case ">":
+				pass, err = template.Greater(left, right)
+			case "==":
+				pass, err = template.Equal(left, right)
+			case "!=":
+				pass, err = template.NotEqual(left, right)
+			case "<=":
+				pass, err = template.LessEqual(left, right)
+			case ">=":
+				pass, err = template.GreaterEqual(left, right)
+			default:
+				return results, fmt.Errorf("unrecognized filter operator %s", node.Operator)
+			}
+			if err != nil {
+				return results, err
+			}
+			if pass {
+				results = append(results, value.Index(i))
+			}
+		}
+	}
+	return results, nil
+}
+
+// evalToText translates reflect value to corresponding text
+func (j *JSONPath) evalToText(v reflect.Value) ([]byte, error) {
+	iface, ok := template.PrintableValue(v)
+	if !ok {
+		return nil, fmt.Errorf("can't print type %s", v.Type())
+	}
+	if iface == nil {
+		return []byte("null"), nil
+	}
+	var buffer bytes.Buffer
+	fmt.Fprint(&buffer, iface)
+	return buffer.Bytes(), nil
+}
diff --git a/vendor/k8s.io/client-go/util/jsonpath/node.go b/vendor/k8s.io/client-go/util/jsonpath/node.go
new file mode 100644
index 0000000000..83abe8b037
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/jsonpath/node.go
@@ -0,0 +1,256 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package jsonpath
+
+import "fmt"
+
+// NodeType identifies the type of a parse tree node.
+type NodeType int
+
+// Type returns itself and provides an easy default implementation
+func (t NodeType) Type() NodeType {
+	return t
+}
+
+func (t NodeType) String() string {
+	return NodeTypeName[t]
+}
+
+const (
+	NodeText NodeType = iota
+	NodeArray
+	NodeList
+	NodeField
+	NodeIdentifier
+	NodeFilter
+	NodeInt
+	NodeFloat
+	NodeWildcard
+	NodeRecursive
+	NodeUnion
+	NodeBool
+)
+
+var NodeTypeName = map[NodeType]string{
+	NodeText:       "NodeText",
+	NodeArray:      "NodeArray",
+	NodeList:       "NodeList",
+	NodeField:      "NodeField",
+	NodeIdentifier: "NodeIdentifier",
+	NodeFilter:     "NodeFilter",
+	NodeInt:        "NodeInt",
+	NodeFloat:      "NodeFloat",
+	NodeWildcard:   "NodeWildcard",
+	NodeRecursive:  "NodeRecursive",
+	NodeUnion:      "NodeUnion",
+	NodeBool:       "NodeBool",
+}
+
+type Node interface {
+	Type() NodeType
+	String() string
+}
+
+// ListNode holds a sequence of nodes.
+type ListNode struct {
+	NodeType
+	Nodes []Node // The element nodes in lexical order.
+}
+
+func newList() *ListNode {
+	return &ListNode{NodeType: NodeList}
+}
+
+func (l *ListNode) append(n Node) {
+	l.Nodes = append(l.Nodes, n)
+}
+
+func (l *ListNode) String() string {
+	return l.Type().String()
+}
+
+// TextNode holds plain text.
+type TextNode struct {
+	NodeType
+	Text string // The text; may span newlines.
+}
+
+func newText(text string) *TextNode {
+	return &TextNode{NodeType: NodeText, Text: text}
+}
+
+func (t *TextNode) String() string {
+	return fmt.Sprintf("%s: %s", t.Type(), t.Text)
+}
+
+// FieldNode holds field of struct
+type FieldNode struct {
+	NodeType
+	Value string
+}
+
+func newField(value string) *FieldNode {
+	return &FieldNode{NodeType: NodeField, Value: value}
+}
+
+func (f *FieldNode) String() string {
+	return fmt.Sprintf("%s: %s", f.Type(), f.Value)
+}
+
+// IdentifierNode holds an identifier
+type IdentifierNode struct {
+	NodeType
+	Name string
+}
+
+func newIdentifier(value string) *IdentifierNode {
+	return &IdentifierNode{
+		NodeType: NodeIdentifier,
+		Name:     value,
+	}
+}
+
+func (f *IdentifierNode) String() string {
+	return fmt.Sprintf("%s: %s", f.Type(), f.Name)
+}
+
+// ParamsEntry holds param information for ArrayNode
+type ParamsEntry struct {
+	Value   int
+	Known   bool // whether the value is known when parse it
+	Derived bool
+}
+
+// ArrayNode holds start, end, step information for array index selection
+type ArrayNode struct {
+	NodeType
+	Params [3]ParamsEntry // start, end, step
+}
+
+func newArray(params [3]ParamsEntry) *ArrayNode {
+	return &ArrayNode{
+		NodeType: NodeArray,
+		Params:   params,
+	}
+}
+
+func (a *ArrayNode) String() string {
+	return fmt.Sprintf("%s: %v", a.Type(), a.Params)
+}
+
+// FilterNode holds operand and operator information for filter
+type FilterNode struct {
+	NodeType
+	Left     *ListNode
+	Right    *ListNode
+	Operator string
+}
+
+func newFilter(left, right *ListNode, operator string) *FilterNode {
+	return &FilterNode{
+		NodeType: NodeFilter,
+		Left:     left,
+		Right:    right,
+		Operator: operator,
+	}
+}
+
+func (f *FilterNode) String() string {
+	return fmt.Sprintf("%s: %s %s %s", f.Type(), f.Left, f.Operator, f.Right)
+}
+
+// IntNode holds integer value
+type IntNode struct {
+	NodeType
+	Value int
+}
+
+func newInt(num int) *IntNode {
+	return &IntNode{NodeType: NodeInt, Value: num}
+}
+
+func (i *IntNode) String() string {
+	return fmt.Sprintf("%s: %d", i.Type(), i.Value)
+}
+
+// FloatNode holds float value
+type FloatNode struct {
+	NodeType
+	Value float64
+}
+
+func newFloat(num float64) *FloatNode {
+	return &FloatNode{NodeType: NodeFloat, Value: num}
+}
+
+func (i *FloatNode) String() string {
+	return fmt.Sprintf("%s: %f", i.Type(), i.Value)
+}
+
+// WildcardNode means a wildcard
+type WildcardNode struct {
+	NodeType
+}
+
+func newWildcard() *WildcardNode {
+	return &WildcardNode{NodeType: NodeWildcard}
+}
+
+func (i *WildcardNode) String() string {
+	return i.Type().String()
+}
+
+// RecursiveNode means a recursive descent operator
+type RecursiveNode struct {
+	NodeType
+}
+
+func newRecursive() *RecursiveNode {
+	return &RecursiveNode{NodeType: NodeRecursive}
+}
+
+func (r *RecursiveNode) String() string {
+	return r.Type().String()
+}
+
+// UnionNode is union of ListNode
+type UnionNode struct {
+	NodeType
+	Nodes []*ListNode
+}
+
+func newUnion(nodes []*ListNode) *UnionNode {
+	return &UnionNode{NodeType: NodeUnion, Nodes: nodes}
+}
+
+func (u *UnionNode) String() string {
+	return u.Type().String()
+}
+
+// BoolNode holds bool value
+type BoolNode struct {
+	NodeType
+	Value bool
+}
+
+func newBool(value bool) *BoolNode {
+	return &BoolNode{NodeType: NodeBool, Value: value}
+}
+
+func (b *BoolNode) String() string {
+	return fmt.Sprintf("%s: %t", b.Type(), b.Value)
+}
diff --git a/vendor/k8s.io/client-go/util/jsonpath/parser.go b/vendor/k8s.io/client-go/util/jsonpath/parser.go
new file mode 100644
index 0000000000..40bab188dc
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/jsonpath/parser.go
@@ -0,0 +1,527 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package jsonpath
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+const eof = -1
+
+const (
+	leftDelim  = "{"
+	rightDelim = "}"
+)
+
+type Parser struct {
+	Name  string
+	Root  *ListNode
+	input string
+	pos   int
+	start int
+	width int
+}
+
+var (
+	ErrSyntax        = errors.New("invalid syntax")
+	dictKeyRex       = regexp.MustCompile(`^'([^']*)'$`)
+	sliceOperatorRex = regexp.MustCompile(`^(-?[\d]*)(:-?[\d]*)?(:-?[\d]*)?$`)
+)
+
+// Parse parsed the given text and return a node Parser.
+// If an error is encountered, parsing stops and an empty
+// Parser is returned with the error
+func Parse(name, text string) (*Parser, error) {
+	p := NewParser(name)
+	err := p.Parse(text)
+	if err != nil {
+		p = nil
+	}
+	return p, err
+}
+
+func NewParser(name string) *Parser {
+	return &Parser{
+		Name: name,
+	}
+}
+
+// parseAction parsed the expression inside delimiter
+func parseAction(name, text string) (*Parser, error) {
+	p, err := Parse(name, fmt.Sprintf("%s%s%s", leftDelim, text, rightDelim))
+	// when error happens, p will be nil, so we need to return here
+	if err != nil {
+		return p, err
+	}
+	p.Root = p.Root.Nodes[0].(*ListNode)
+	return p, nil
+}
+
+func (p *Parser) Parse(text string) error {
+	p.input = text
+	p.Root = newList()
+	p.pos = 0
+	return p.parseText(p.Root)
+}
+
+// consumeText return the parsed text since last cosumeText
+func (p *Parser) consumeText() string {
+	value := p.input[p.start:p.pos]
+	p.start = p.pos
+	return value
+}
+
+// next returns the next rune in the input.
+func (p *Parser) next() rune {
+	if p.pos >= len(p.input) {
+		p.width = 0
+		return eof
+	}
+	r, w := utf8.DecodeRuneInString(p.input[p.pos:])
+	p.width = w
+	p.pos += p.width
+	return r
+}
+
+// peek returns but does not consume the next rune in the input.
+func (p *Parser) peek() rune {
+	r := p.next()
+	p.backup()
+	return r
+}
+
+// backup steps back one rune. Can only be called once per call of next.
+func (p *Parser) backup() {
+	p.pos -= p.width
+}
+
+func (p *Parser) parseText(cur *ListNode) error {
+	for {
+		if strings.HasPrefix(p.input[p.pos:], leftDelim) {
+			if p.pos > p.start {
+				cur.append(newText(p.consumeText()))
+			}
+			return p.parseLeftDelim(cur)
+		}
+		if p.next() == eof {
+			break
+		}
+	}
+	// Correctly reached EOF.
+	if p.pos > p.start {
+		cur.append(newText(p.consumeText()))
+	}
+	return nil
+}
+
+// parseLeftDelim scans the left delimiter, which is known to be present.
+func (p *Parser) parseLeftDelim(cur *ListNode) error {
+	p.pos += len(leftDelim)
+	p.consumeText()
+	newNode := newList()
+	cur.append(newNode)
+	cur = newNode
+	return p.parseInsideAction(cur)
+}
+
+func (p *Parser) parseInsideAction(cur *ListNode) error {
+	prefixMap := map[string]func(*ListNode) error{
+		rightDelim: p.parseRightDelim,
+		"[?(":      p.parseFilter,
+		"..":       p.parseRecursive,
+	}
+	for prefix, parseFunc := range prefixMap {
+		if strings.HasPrefix(p.input[p.pos:], prefix) {
+			return parseFunc(cur)
+		}
+	}
+
+	switch r := p.next(); {
+	case r == eof || isEndOfLine(r):
+		return fmt.Errorf("unclosed action")
+	case r == ' ':
+		p.consumeText()
+	case r == '@' || r == '$': //the current object, just pass it
+		p.consumeText()
+	case r == '[':
+		return p.parseArray(cur)
+	case r == '"' || r == '\'':
+		return p.parseQuote(cur, r)
+	case r == '.':
+		return p.parseField(cur)
+	case r == '+' || r == '-' || unicode.IsDigit(r):
+		p.backup()
+		return p.parseNumber(cur)
+	case isAlphaNumeric(r):
+		p.backup()
+		return p.parseIdentifier(cur)
+	default:
+		return fmt.Errorf("unrecognized character in action: %#U", r)
+	}
+	return p.parseInsideAction(cur)
+}
+
+// parseRightDelim scans the right delimiter, which is known to be present.
+func (p *Parser) parseRightDelim(cur *ListNode) error {
+	p.pos += len(rightDelim)
+	p.consumeText()
+	return p.parseText(p.Root)
+}
+
+// parseIdentifier scans build-in keywords, like "range" "end"
+func (p *Parser) parseIdentifier(cur *ListNode) error {
+	var r rune
+	for {
+		r = p.next()
+		if isTerminator(r) {
+			p.backup()
+			break
+		}
+	}
+	value := p.consumeText()
+
+	if isBool(value) {
+		v, err := strconv.ParseBool(value)
+		if err != nil {
+			return fmt.Errorf("can not parse bool '%s': %s", value, err.Error())
+		}
+
+		cur.append(newBool(v))
+	} else {
+		cur.append(newIdentifier(value))
+	}
+
+	return p.parseInsideAction(cur)
+}
+
+// parseRecursive scans the recursive descent operator ..
+func (p *Parser) parseRecursive(cur *ListNode) error {
+	if lastIndex := len(cur.Nodes) - 1; lastIndex >= 0 && cur.Nodes[lastIndex].Type() == NodeRecursive {
+		return fmt.Errorf("invalid multiple recursive descent")
+	}
+	p.pos += len("..")
+	p.consumeText()
+	cur.append(newRecursive())
+	if r := p.peek(); isAlphaNumeric(r) {
+		return p.parseField(cur)
+	}
+	return p.parseInsideAction(cur)
+}
+
+// parseNumber scans number
+func (p *Parser) parseNumber(cur *ListNode) error {
+	r := p.peek()
+	if r == '+' || r == '-' {
+		p.next()
+	}
+	for {
+		r = p.next()
+		if r != '.' && !unicode.IsDigit(r) {
+			p.backup()
+			break
+		}
+	}
+	value := p.consumeText()
+	i, err := strconv.Atoi(value)
+	if err == nil {
+		cur.append(newInt(i))
+		return p.parseInsideAction(cur)
+	}
+	d, err := strconv.ParseFloat(value, 64)
+	if err == nil {
+		cur.append(newFloat(d))
+		return p.parseInsideAction(cur)
+	}
+	return fmt.Errorf("cannot parse number %s", value)
+}
+
+// parseArray scans array index selection
+func (p *Parser) parseArray(cur *ListNode) error {
+Loop:
+	for {
+		switch p.next() {
+		case eof, '\n':
+			return fmt.Errorf("unterminated array")
+		case ']':
+			break Loop
+		}
+	}
+	text := p.consumeText()
+	text = text[1 : len(text)-1]
+	if text == "*" {
+		text = ":"
+	}
+
+	//union operator
+	strs := strings.Split(text, ",")
+	if len(strs) > 1 {
+		union := []*ListNode{}
+		for _, str := range strs {
+			parser, err := parseAction("union", fmt.Sprintf("[%s]", strings.Trim(str, " ")))
+			if err != nil {
+				return err
+			}
+			union = append(union, parser.Root)
+		}
+		cur.append(newUnion(union))
+		return p.parseInsideAction(cur)
+	}
+
+	// dict key
+	value := dictKeyRex.FindStringSubmatch(text)
+	if value != nil {
+		parser, err := parseAction("arraydict", fmt.Sprintf(".%s", value[1]))
+		if err != nil {
+			return err
+		}
+		for _, node := range parser.Root.Nodes {
+			cur.append(node)
+		}
+		return p.parseInsideAction(cur)
+	}
+
+	//slice operator
+	value = sliceOperatorRex.FindStringSubmatch(text)
+	if value == nil {
+		return fmt.Errorf("invalid array index %s", text)
+	}
+	value = value[1:]
+	params := [3]ParamsEntry{}
+	for i := 0; i < 3; i++ {
+		if value[i] != "" {
+			if i > 0 {
+				value[i] = value[i][1:]
+			}
+			if i > 0 && value[i] == "" {
+				params[i].Known = false
+			} else {
+				var err error
+				params[i].Known = true
+				params[i].Value, err = strconv.Atoi(value[i])
+				if err != nil {
+					return fmt.Errorf("array index %s is not a number", value[i])
+				}
+			}
+		} else {
+			if i == 1 {
+				params[i].Known = true
+				params[i].Value = params[0].Value + 1
+				params[i].Derived = true
+			} else {
+				params[i].Known = false
+				params[i].Value = 0
+			}
+		}
+	}
+	cur.append(newArray(params))
+	return p.parseInsideAction(cur)
+}
+
+// parseFilter scans filter inside array selection
+func (p *Parser) parseFilter(cur *ListNode) error {
+	p.pos += len("[?(")
+	p.consumeText()
+	begin := false
+	end := false
+	var pair rune
+
+Loop:
+	for {
+		r := p.next()
+		switch r {
+		case eof, '\n':
+			return fmt.Errorf("unterminated filter")
+		case '"', '\'':
+			if begin == false {
+				//save the paired rune
+				begin = true
+				pair = r
+				continue
+			}
+			//only add when met paired rune
+			if p.input[p.pos-2] != '\\' && r == pair {
+				end = true
+			}
+		case ')':
+			//in rightParser below quotes only appear zero or once
+			//and must be paired at the beginning and end
+			if begin == end {
+				break Loop
+			}
+		}
+	}
+	if p.next() != ']' {
+		return fmt.Errorf("unclosed array expect ]")
+	}
+	reg := regexp.MustCompile(`^([^!<>=]+)([!<>=]+)(.+?)$`)
+	text := p.consumeText()
+	text = text[:len(text)-2]
+	value := reg.FindStringSubmatch(text)
+	if value == nil {
+		parser, err := parseAction("text", text)
+		if err != nil {
+			return err
+		}
+		cur.append(newFilter(parser.Root, newList(), "exists"))
+	} else {
+		leftParser, err := parseAction("left", value[1])
+		if err != nil {
+			return err
+		}
+		rightParser, err := parseAction("right", value[3])
+		if err != nil {
+			return err
+		}
+		cur.append(newFilter(leftParser.Root, rightParser.Root, value[2]))
+	}
+	return p.parseInsideAction(cur)
+}
+
+// parseQuote unquotes string inside double or single quote
+func (p *Parser) parseQuote(cur *ListNode, end rune) error {
+Loop:
+	for {
+		switch p.next() {
+		case eof, '\n':
+			return fmt.Errorf("unterminated quoted string")
+		case end:
+			//if it's not escape break the Loop
+			if p.input[p.pos-2] != '\\' {
+				break Loop
+			}
+		}
+	}
+	value := p.consumeText()
+	s, err := UnquoteExtend(value)
+	if err != nil {
+		return fmt.Errorf("unquote string %s error %v", value, err)
+	}
+	cur.append(newText(s))
+	return p.parseInsideAction(cur)
+}
+
+// parseField scans a field until a terminator
+func (p *Parser) parseField(cur *ListNode) error {
+	p.consumeText()
+	for p.advance() {
+	}
+	value := p.consumeText()
+	if value == "*" {
+		cur.append(newWildcard())
+	} else {
+		cur.append(newField(strings.Replace(value, "\\", "", -1)))
+	}
+	return p.parseInsideAction(cur)
+}
+
+// advance scans until next non-escaped terminator
+func (p *Parser) advance() bool {
+	r := p.next()
+	if r == '\\' {
+		p.next()
+	} else if isTerminator(r) {
+		p.backup()
+		return false
+	}
+	return true
+}
+
+// isTerminator reports whether the input is at valid termination character to appear after an identifier.
+func isTerminator(r rune) bool {
+	if isSpace(r) || isEndOfLine(r) {
+		return true
+	}
+	switch r {
+	case eof, '.', ',', '[', ']', '$', '@', '{', '}':
+		return true
+	}
+	return false
+}
+
+// isSpace reports whether r is a space character.
+func isSpace(r rune) bool {
+	return r == ' ' || r == '\t'
+}
+
+// isEndOfLine reports whether r is an end-of-line character.
+func isEndOfLine(r rune) bool {
+	return r == '\r' || r == '\n'
+}
+
+// isAlphaNumeric reports whether r is an alphabetic, digit, or underscore.
+func isAlphaNumeric(r rune) bool {
+	return r == '_' || unicode.IsLetter(r) || unicode.IsDigit(r)
+}
+
+// isBool reports whether s is a boolean value.
+func isBool(s string) bool {
+	return s == "true" || s == "false"
+}
+
+// UnquoteExtend is almost same as strconv.Unquote(), but it support parse single quotes as a string
+func UnquoteExtend(s string) (string, error) {
+	n := len(s)
+	if n < 2 {
+		return "", ErrSyntax
+	}
+	quote := s[0]
+	if quote != s[n-1] {
+		return "", ErrSyntax
+	}
+	s = s[1 : n-1]
+
+	if quote != '"' && quote != '\'' {
+		return "", ErrSyntax
+	}
+
+	// Is it trivial?  Avoid allocation.
+	if !contains(s, '\\') && !contains(s, quote) {
+		return s, nil
+	}
+
+	var runeTmp [utf8.UTFMax]byte
+	buf := make([]byte, 0, 3*len(s)/2) // Try to avoid more allocations.
+	for len(s) > 0 {
+		c, multibyte, ss, err := strconv.UnquoteChar(s, quote)
+		if err != nil {
+			return "", err
+		}
+		s = ss
+		if c < utf8.RuneSelf || !multibyte {
+			buf = append(buf, byte(c))
+		} else {
+			n := utf8.EncodeRune(runeTmp[:], c)
+			buf = append(buf, runeTmp[:n]...)
+		}
+	}
+	return string(buf), nil
+}
+
+func contains(s string, c byte) bool {
+	for i := 0; i < len(s); i++ {
+		if s[i] == c {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/doc.go b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/doc.go
index 95e92cb8df..d3dfe0689e 100644
--- a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/doc.go
+++ b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/doc.go
@@ -18,11 +18,9 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:conversion-gen=k8s.io/kube-aggregator/pkg/apis/apiregistration
 // +k8s:openapi-gen=true
+// +groupName=apiregistration.k8s.io
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:prerelease-lifecycle-gen=true
-// +k8s:openapi-model-package=io.k8s.kube-aggregator.pkg.apis.apiregistration.v1
-
-// +groupName=apiregistration.k8s.io
 
 // Package v1 contains the API Registration API, which is responsible for
 // registering an API `Group`/`Version` with another kubernetes like API server.
diff --git a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.pb.go b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.pb.go
index 2fe94e4095..690810e8bb 100644
--- a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.pb.go
+++ b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.pb.go
@@ -24,22 +24,261 @@ import (
 
 	io "io"
 
+	proto "github.com/gogo/protobuf/proto"
+
+	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-func (m *APIService) Reset() { *m = APIService{} }
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
 
-func (m *APIServiceCondition) Reset() { *m = APIServiceCondition{} }
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
-func (m *APIServiceList) Reset() { *m = APIServiceList{} }
+func (m *APIService) Reset()      { *m = APIService{} }
+func (*APIService) ProtoMessage() {}
+func (*APIService) Descriptor() ([]byte, []int) {
+	return fileDescriptor_93cf925561aed99f, []int{0}
+}
+func (m *APIService) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIService) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIService) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIService.Merge(m, src)
+}
+func (m *APIService) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIService) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIService.DiscardUnknown(m)
+}
 
-func (m *APIServiceSpec) Reset() { *m = APIServiceSpec{} }
+var xxx_messageInfo_APIService proto.InternalMessageInfo
 
-func (m *APIServiceStatus) Reset() { *m = APIServiceStatus{} }
+func (m *APIServiceCondition) Reset()      { *m = APIServiceCondition{} }
+func (*APIServiceCondition) ProtoMessage() {}
+func (*APIServiceCondition) Descriptor() ([]byte, []int) {
+	return fileDescriptor_93cf925561aed99f, []int{1}
+}
+func (m *APIServiceCondition) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIServiceCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIServiceCondition) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIServiceCondition.Merge(m, src)
+}
+func (m *APIServiceCondition) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIServiceCondition) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIServiceCondition.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_APIServiceCondition proto.InternalMessageInfo
 
-func (m *ServiceReference) Reset() { *m = ServiceReference{} }
+func (m *APIServiceList) Reset()      { *m = APIServiceList{} }
+func (*APIServiceList) ProtoMessage() {}
+func (*APIServiceList) Descriptor() ([]byte, []int) {
+	return fileDescriptor_93cf925561aed99f, []int{2}
+}
+func (m *APIServiceList) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIServiceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIServiceList) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIServiceList.Merge(m, src)
+}
+func (m *APIServiceList) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIServiceList) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIServiceList.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_APIServiceList proto.InternalMessageInfo
+
+func (m *APIServiceSpec) Reset()      { *m = APIServiceSpec{} }
+func (*APIServiceSpec) ProtoMessage() {}
+func (*APIServiceSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptor_93cf925561aed99f, []int{3}
+}
+func (m *APIServiceSpec) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIServiceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIServiceSpec) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIServiceSpec.Merge(m, src)
+}
+func (m *APIServiceSpec) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIServiceSpec) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIServiceSpec.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_APIServiceSpec proto.InternalMessageInfo
+
+func (m *APIServiceStatus) Reset()      { *m = APIServiceStatus{} }
+func (*APIServiceStatus) ProtoMessage() {}
+func (*APIServiceStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptor_93cf925561aed99f, []int{4}
+}
+func (m *APIServiceStatus) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIServiceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIServiceStatus) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIServiceStatus.Merge(m, src)
+}
+func (m *APIServiceStatus) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIServiceStatus) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIServiceStatus.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_APIServiceStatus proto.InternalMessageInfo
+
+func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
+func (*ServiceReference) ProtoMessage() {}
+func (*ServiceReference) Descriptor() ([]byte, []int) {
+	return fileDescriptor_93cf925561aed99f, []int{5}
+}
+func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *ServiceReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *ServiceReference) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ServiceReference.Merge(m, src)
+}
+func (m *ServiceReference) XXX_Size() int {
+	return m.Size()
+}
+func (m *ServiceReference) XXX_DiscardUnknown() {
+	xxx_messageInfo_ServiceReference.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
+
+func init() {
+	proto.RegisterType((*APIService)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIService")
+	proto.RegisterType((*APIServiceCondition)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIServiceCondition")
+	proto.RegisterType((*APIServiceList)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIServiceList")
+	proto.RegisterType((*APIServiceSpec)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIServiceSpec")
+	proto.RegisterType((*APIServiceStatus)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIServiceStatus")
+	proto.RegisterType((*ServiceReference)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.ServiceReference")
+}
+
+func init() {
+	proto.RegisterFile("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.proto", fileDescriptor_93cf925561aed99f)
+}
+
+var fileDescriptor_93cf925561aed99f = []byte{
+	// 826 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x5d, 0x6b, 0x2b, 0x45,
+	0x18, 0xce, 0xb6, 0x49, 0x9b, 0x4e, 0xeb, 0x69, 0x1d, 0xcf, 0xe1, 0x2c, 0xe5, 0xb8, 0xad, 0x11,
+	0x34, 0x0a, 0x67, 0xd7, 0x06, 0x11, 0x45, 0x10, 0xba, 0x47, 0x28, 0x85, 0x56, 0xc3, 0xa4, 0x14,
+	0x11, 0x41, 0x27, 0x9b, 0xb7, 0xdb, 0x31, 0xdd, 0x0f, 0x66, 0x66, 0x03, 0xc1, 0x1b, 0xc1, 0x1f,
+	0xa0, 0xbf, 0xc9, 0xab, 0x5e, 0x1e, 0xf0, 0xa6, 0x57, 0xc1, 0xc4, 0x7f, 0x71, 0xae, 0x64, 0x66,
+	0x67, 0x77, 0xd3, 0x34, 0xe2, 0xe9, 0xe9, 0x4d, 0xc8, 0xfb, 0xf1, 0x3c, 0xcf, 0x3b, 0xef, 0x3c,
+	0x99, 0x20, 0x7f, 0xf8, 0xb9, 0x70, 0x59, 0xe2, 0x0d, 0xb3, 0x3e, 0x3c, 0xa7, 0x61, 0xc8, 0x21,
+	0xa4, 0x32, 0xe1, 0x5e, 0x3a, 0x0c, 0x3d, 0x9a, 0x32, 0xa1, 0x3e, 0x38, 0x84, 0x4c, 0x48, 0x4e,
+	0x25, 0x4b, 0x62, 0x6f, 0x74, 0xe0, 0x85, 0x10, 0x03, 0xa7, 0x12, 0x06, 0x6e, 0xca, 0x13, 0x99,
+	0xe0, 0x4e, 0xce, 0xe1, 0x2a, 0x8e, 0x1f, 0x2b, 0x0e, 0x37, 0x1d, 0x86, 0xae, 0xe2, 0x70, 0x17,
+	0x38, 0xdc, 0xd1, 0xc1, 0xee, 0xf3, 0x90, 0xc9, 0xcb, 0xac, 0xef, 0x06, 0x49, 0xe4, 0x85, 0x49,
+	0x98, 0x78, 0x9a, 0xaa, 0x9f, 0x5d, 0xe8, 0x48, 0x07, 0xfa, 0x5b, 0x2e, 0xb1, 0xfb, 0xa9, 0x19,
+	0x93, 0xa6, 0x2c, 0xa2, 0xc1, 0x25, 0x8b, 0x81, 0x8f, 0xab, 0x19, 0x23, 0x90, 0x74, 0xc9, 0x60,
+	0xbb, 0xde, 0x7f, 0xa1, 0x78, 0x16, 0x4b, 0x16, 0xc1, 0x1d, 0xc0, 0x67, 0xff, 0x07, 0x10, 0xc1,
+	0x25, 0x44, 0x74, 0x11, 0xd7, 0xfa, 0x73, 0x05, 0xa1, 0xc3, 0xee, 0x71, 0x0f, 0xf8, 0x88, 0x05,
+	0x80, 0x7f, 0x42, 0x4d, 0x35, 0xd2, 0x80, 0x4a, 0x6a, 0x5b, 0xfb, 0x56, 0x7b, 0xb3, 0xf3, 0x89,
+	0x6b, 0x76, 0x34, 0xcf, 0x5c, 0x2d, 0x48, 0x75, 0xbb, 0xa3, 0x03, 0xf7, 0xdb, 0xfe, 0xcf, 0x10,
+	0xc8, 0x53, 0x90, 0xd4, 0xc7, 0xd7, 0x93, 0xbd, 0xda, 0x6c, 0xb2, 0x87, 0xaa, 0x1c, 0x29, 0x59,
+	0xf1, 0x00, 0xd5, 0x45, 0x0a, 0x81, 0xbd, 0xa2, 0xd9, 0x7d, 0xf7, 0xfe, 0x37, 0xe0, 0x56, 0xf3,
+	0xf6, 0x52, 0x08, 0xfc, 0x2d, 0xa3, 0x57, 0x57, 0x11, 0xd1, 0xec, 0xf8, 0x0a, 0xad, 0x09, 0x49,
+	0x65, 0x26, 0xec, 0x55, 0xad, 0xf3, 0xf5, 0x03, 0x75, 0x34, 0x97, 0xff, 0xc8, 0x28, 0xad, 0xe5,
+	0x31, 0x31, 0x1a, 0xad, 0x9b, 0x15, 0xf4, 0x4e, 0xd5, 0xfc, 0x22, 0x89, 0x07, 0x4c, 0x71, 0xe0,
+	0x2f, 0x51, 0x5d, 0x8e, 0x53, 0xd0, 0x9b, 0xdc, 0xf0, 0x3f, 0x2c, 0xe6, 0x3c, 0x1b, 0xa7, 0xf0,
+	0x6a, 0xb2, 0xf7, 0x74, 0x09, 0x44, 0x95, 0x88, 0x06, 0xe1, 0x2f, 0xca, 0x23, 0xac, 0x68, 0xf8,
+	0x7b, 0xb7, 0xc5, 0x5f, 0x4d, 0xf6, 0xb6, 0x4b, 0xd8, 0xed, 0x79, 0xf0, 0x08, 0xe1, 0x2b, 0x2a,
+	0xe4, 0x19, 0xa7, 0xb1, 0xc8, 0x69, 0x59, 0x04, 0x66, 0x13, 0x1f, 0xbf, 0xde, 0x7d, 0x2a, 0x84,
+	0xbf, 0x6b, 0x24, 0xf1, 0xc9, 0x1d, 0x36, 0xb2, 0x44, 0x01, 0x7f, 0x80, 0xd6, 0x38, 0x50, 0x91,
+	0xc4, 0x76, 0x5d, 0x8f, 0x5c, 0xee, 0x8b, 0xe8, 0x2c, 0x31, 0x55, 0xfc, 0x11, 0x5a, 0x8f, 0x40,
+	0x08, 0x1a, 0x82, 0xdd, 0xd0, 0x8d, 0xdb, 0xa6, 0x71, 0xfd, 0x34, 0x4f, 0x93, 0xa2, 0xde, 0xfa,
+	0xcb, 0x42, 0x8f, 0xaa, 0x3d, 0x9d, 0x30, 0x21, 0xf1, 0x0f, 0x77, 0x3c, 0xea, 0xbe, 0xde, 0x99,
+	0x14, 0x5a, 0x3b, 0x74, 0xc7, 0xc8, 0x35, 0x8b, 0xcc, 0x9c, 0x3f, 0x03, 0xd4, 0x60, 0x12, 0x22,
+	0xb5, 0xf5, 0xd5, 0xf6, 0x66, 0xe7, 0xab, 0x87, 0x19, 0xc7, 0x7f, 0xcb, 0x48, 0x35, 0x8e, 0x15,
+	0x29, 0xc9, 0xb9, 0x5b, 0xd3, 0xd5, 0xf9, 0x53, 0x29, 0xdf, 0xe2, 0x21, 0x5a, 0x17, 0x79, 0x68,
+	0x0e, 0xf5, 0x46, 0x96, 0x35, 0x8c, 0x04, 0x2e, 0x80, 0x43, 0x1c, 0x80, 0xbf, 0xa9, 0xb6, 0x5a,
+	0x64, 0x0b, 0x05, 0xfc, 0x3e, 0x6a, 0x84, 0x3c, 0xc9, 0x52, 0x63, 0xad, 0x72, 0xc8, 0x23, 0x95,
+	0x24, 0x79, 0x4d, 0xdd, 0xd2, 0x08, 0xb8, 0x60, 0x49, 0xac, 0xad, 0x33, 0x77, 0x4b, 0xe7, 0x79,
+	0x9a, 0x14, 0x75, 0xdc, 0x43, 0x4f, 0x58, 0x2c, 0x20, 0xc8, 0x38, 0xf4, 0x86, 0x2c, 0x3d, 0x3b,
+	0xe9, 0x9d, 0x03, 0x67, 0x17, 0x63, 0xed, 0x83, 0xa6, 0xff, 0xae, 0x01, 0x3e, 0x39, 0x5e, 0xd6,
+	0x44, 0x96, 0x63, 0x71, 0x1b, 0x35, 0x03, 0xea, 0x67, 0xf1, 0xe0, 0x2a, 0xb7, 0xc9, 0x96, 0xbf,
+	0xa5, 0xee, 0xec, 0xc5, 0x61, 0x9e, 0x23, 0x65, 0x15, 0x77, 0xd1, 0x63, 0x3d, 0x72, 0x97, 0xb3,
+	0x84, 0x33, 0x39, 0x3e, 0x65, 0x31, 0x8b, 0xb2, 0xc8, 0x5e, 0xdf, 0xb7, 0xda, 0x0d, 0xff, 0x99,
+	0x51, 0x7f, 0x7c, 0xb4, 0xa4, 0x87, 0x2c, 0x45, 0xe2, 0x43, 0xb4, 0x6d, 0xce, 0x56, 0x54, 0xec,
+	0xa6, 0x26, 0x7b, 0x6a, 0xc8, 0xb6, 0xcf, 0x6f, 0x97, 0xc9, 0x62, 0x7f, 0xeb, 0x77, 0x0b, 0xed,
+	0x2c, 0xbe, 0x20, 0xf8, 0x17, 0x84, 0x82, 0xe2, 0x47, 0x2b, 0x6c, 0x4b, 0x5b, 0xec, 0xe8, 0x61,
+	0x16, 0x2b, 0x1f, 0x81, 0xea, 0xe1, 0x2d, 0x53, 0x82, 0xcc, 0xc9, 0xb5, 0x7e, 0xb3, 0xd0, 0xce,
+	0xa2, 0x41, 0xb0, 0x87, 0x36, 0x62, 0x1a, 0x81, 0x48, 0x69, 0x50, 0x3c, 0x54, 0x6f, 0x1b, 0x9e,
+	0x8d, 0x6f, 0x8a, 0x02, 0xa9, 0x7a, 0xf0, 0x3e, 0xaa, 0xab, 0xc0, 0x58, 0xa7, 0x7c, 0x7c, 0x55,
+	0x2f, 0xd1, 0x15, 0xfc, 0x0c, 0xd5, 0xd3, 0x84, 0x4b, 0xed, 0x9a, 0x86, 0xdf, 0x54, 0xd5, 0x6e,
+	0xc2, 0x25, 0xd1, 0x59, 0xff, 0xbb, 0xeb, 0xa9, 0x53, 0x7b, 0x39, 0x75, 0x6a, 0x37, 0x53, 0xa7,
+	0xf6, 0xeb, 0xcc, 0xb1, 0xae, 0x67, 0x8e, 0xf5, 0x72, 0xe6, 0x58, 0x37, 0x33, 0xc7, 0xfa, 0x7b,
+	0xe6, 0x58, 0x7f, 0xfc, 0xe3, 0xd4, 0xbe, 0xef, 0xdc, 0xff, 0xdf, 0xfd, 0xdf, 0x00, 0x00, 0x00,
+	0xff, 0xff, 0x19, 0x6e, 0x3d, 0x66, 0x12, 0x08, 0x00, 0x00,
+}
 
 func (m *APIService) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/zz_generated.model_name.go b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/zz_generated.model_name.go
deleted file mode 100644
index 5a46c2cb5d..0000000000
--- a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/zz_generated.model_name.go
+++ /dev/null
@@ -1,52 +0,0 @@
-//go:build !ignore_autogenerated
-// +build !ignore_autogenerated
-
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by openapi-gen. DO NOT EDIT.
-
-package v1
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIService) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIServiceCondition) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceCondition"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIServiceList) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceList"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIServiceSpec) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIServiceStatus) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in ServiceReference) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference"
-}
diff --git a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/doc.go b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/doc.go
index 07ee950de8..40d1131ca0 100644
--- a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/doc.go
+++ b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/doc.go
@@ -18,11 +18,9 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:conversion-gen=k8s.io/kube-aggregator/pkg/apis/apiregistration
 // +k8s:openapi-gen=true
+// +groupName=apiregistration.k8s.io
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:prerelease-lifecycle-gen=true
-// +k8s:openapi-model-package=io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1
-
-// +groupName=apiregistration.k8s.io
 
 // Package v1beta1 contains the API Registration API, which is responsible for
 // registering an API `Group`/`Version` with another kubernetes like API server.
diff --git a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.pb.go b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.pb.go
index 5ae842edcd..8f1a4c5ff4 100644
--- a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.pb.go
+++ b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.pb.go
@@ -24,22 +24,262 @@ import (
 
 	io "io"
 
+	proto "github.com/gogo/protobuf/proto"
+
+	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-func (m *APIService) Reset() { *m = APIService{} }
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
 
-func (m *APIServiceCondition) Reset() { *m = APIServiceCondition{} }
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 
-func (m *APIServiceList) Reset() { *m = APIServiceList{} }
+func (m *APIService) Reset()      { *m = APIService{} }
+func (*APIService) ProtoMessage() {}
+func (*APIService) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6acc79c5d169026d, []int{0}
+}
+func (m *APIService) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIService) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIService) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIService.Merge(m, src)
+}
+func (m *APIService) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIService) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIService.DiscardUnknown(m)
+}
 
-func (m *APIServiceSpec) Reset() { *m = APIServiceSpec{} }
+var xxx_messageInfo_APIService proto.InternalMessageInfo
 
-func (m *APIServiceStatus) Reset() { *m = APIServiceStatus{} }
+func (m *APIServiceCondition) Reset()      { *m = APIServiceCondition{} }
+func (*APIServiceCondition) ProtoMessage() {}
+func (*APIServiceCondition) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6acc79c5d169026d, []int{1}
+}
+func (m *APIServiceCondition) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIServiceCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIServiceCondition) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIServiceCondition.Merge(m, src)
+}
+func (m *APIServiceCondition) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIServiceCondition) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIServiceCondition.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_APIServiceCondition proto.InternalMessageInfo
 
-func (m *ServiceReference) Reset() { *m = ServiceReference{} }
+func (m *APIServiceList) Reset()      { *m = APIServiceList{} }
+func (*APIServiceList) ProtoMessage() {}
+func (*APIServiceList) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6acc79c5d169026d, []int{2}
+}
+func (m *APIServiceList) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIServiceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIServiceList) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIServiceList.Merge(m, src)
+}
+func (m *APIServiceList) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIServiceList) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIServiceList.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_APIServiceList proto.InternalMessageInfo
+
+func (m *APIServiceSpec) Reset()      { *m = APIServiceSpec{} }
+func (*APIServiceSpec) ProtoMessage() {}
+func (*APIServiceSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6acc79c5d169026d, []int{3}
+}
+func (m *APIServiceSpec) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIServiceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIServiceSpec) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIServiceSpec.Merge(m, src)
+}
+func (m *APIServiceSpec) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIServiceSpec) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIServiceSpec.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_APIServiceSpec proto.InternalMessageInfo
+
+func (m *APIServiceStatus) Reset()      { *m = APIServiceStatus{} }
+func (*APIServiceStatus) ProtoMessage() {}
+func (*APIServiceStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6acc79c5d169026d, []int{4}
+}
+func (m *APIServiceStatus) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *APIServiceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *APIServiceStatus) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_APIServiceStatus.Merge(m, src)
+}
+func (m *APIServiceStatus) XXX_Size() int {
+	return m.Size()
+}
+func (m *APIServiceStatus) XXX_DiscardUnknown() {
+	xxx_messageInfo_APIServiceStatus.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_APIServiceStatus proto.InternalMessageInfo
+
+func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
+func (*ServiceReference) ProtoMessage() {}
+func (*ServiceReference) Descriptor() ([]byte, []int) {
+	return fileDescriptor_6acc79c5d169026d, []int{5}
+}
+func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *ServiceReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *ServiceReference) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ServiceReference.Merge(m, src)
+}
+func (m *ServiceReference) XXX_Size() int {
+	return m.Size()
+}
+func (m *ServiceReference) XXX_DiscardUnknown() {
+	xxx_messageInfo_ServiceReference.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
+
+func init() {
+	proto.RegisterType((*APIService)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIService")
+	proto.RegisterType((*APIServiceCondition)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIServiceCondition")
+	proto.RegisterType((*APIServiceList)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIServiceList")
+	proto.RegisterType((*APIServiceSpec)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIServiceSpec")
+	proto.RegisterType((*APIServiceStatus)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIServiceStatus")
+	proto.RegisterType((*ServiceReference)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.ServiceReference")
+}
+
+func init() {
+	proto.RegisterFile("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.proto", fileDescriptor_6acc79c5d169026d)
+}
+
+var fileDescriptor_6acc79c5d169026d = []byte{
+	// 833 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0x4d, 0x6f, 0xe3, 0x44,
+	0x18, 0x8e, 0xdb, 0xa4, 0x4d, 0xa7, 0x65, 0x5b, 0x86, 0x5d, 0xad, 0x55, 0x2d, 0x6e, 0x09, 0x12,
+	0x14, 0xa4, 0xb5, 0xe9, 0x0a, 0xb1, 0x20, 0x4e, 0x75, 0x0f, 0x55, 0xa5, 0x16, 0xa2, 0x49, 0xd5,
+	0x03, 0x02, 0xc1, 0xc4, 0x79, 0xeb, 0x0c, 0x59, 0x7f, 0x30, 0x33, 0x8e, 0x94, 0xdb, 0x4a, 0xfc,
+	0x01, 0x2e, 0xfc, 0xa7, 0x1e, 0x38, 0xec, 0x31, 0xa7, 0x88, 0x06, 0x89, 0x1f, 0xb1, 0x27, 0x34,
+	0xe3, 0xb1, 0x9d, 0x26, 0x41, 0x5b, 0x55, 0xbd, 0x44, 0x79, 0x3f, 0x9e, 0xe7, 0x79, 0xe7, 0x9d,
+	0x27, 0xa3, 0xa0, 0x93, 0xc1, 0xd7, 0xc2, 0x65, 0x89, 0x37, 0xc8, 0xba, 0xf0, 0x9c, 0x86, 0x21,
+	0x87, 0x90, 0xca, 0x84, 0x7b, 0xe9, 0x20, 0xf4, 0x68, 0xca, 0x84, 0xfa, 0xe0, 0x10, 0x32, 0x21,
+	0x39, 0x95, 0x2c, 0x89, 0xbd, 0xe1, 0x61, 0x17, 0x24, 0x3d, 0xf4, 0x42, 0x88, 0x81, 0x53, 0x09,
+	0x3d, 0x37, 0xe5, 0x89, 0x4c, 0xf0, 0xcb, 0x9c, 0xc8, 0x55, 0x44, 0x3f, 0x57, 0x44, 0x6e, 0x3a,
+	0x08, 0x5d, 0x45, 0xe4, 0xce, 0x11, 0xb9, 0x86, 0x68, 0xf7, 0x79, 0xc8, 0x64, 0x3f, 0xeb, 0xba,
+	0x41, 0x12, 0x79, 0x61, 0x12, 0x26, 0x9e, 0xe6, 0xeb, 0x66, 0x57, 0x3a, 0xd2, 0x81, 0xfe, 0x96,
+	0xeb, 0xec, 0x7e, 0x69, 0x06, 0xa6, 0x29, 0x8b, 0x68, 0xd0, 0x67, 0x31, 0xf0, 0x51, 0x35, 0x6d,
+	0x04, 0x92, 0x7a, 0xc3, 0x85, 0xe9, 0x76, 0xbd, 0xff, 0x43, 0xf1, 0x2c, 0x96, 0x2c, 0x82, 0x05,
+	0xc0, 0x57, 0xef, 0x02, 0x88, 0xa0, 0x0f, 0x11, 0x9d, 0xc7, 0xb5, 0xfe, 0x5a, 0x41, 0xe8, 0xa8,
+	0x7d, 0xda, 0x01, 0x3e, 0x64, 0x01, 0xe0, 0x5f, 0x50, 0x53, 0x8d, 0xd4, 0xa3, 0x92, 0xda, 0xd6,
+	0xbe, 0x75, 0xb0, 0xf9, 0xe2, 0x0b, 0xd7, 0x2c, 0x6a, 0x96, 0xb9, 0xda, 0x92, 0xea, 0x76, 0x87,
+	0x87, 0xee, 0xf7, 0xdd, 0x5f, 0x21, 0x90, 0xe7, 0x20, 0xa9, 0x8f, 0xaf, 0x27, 0x7b, 0xb5, 0xe9,
+	0x64, 0x0f, 0x55, 0x39, 0x52, 0xb2, 0x62, 0x86, 0xea, 0x22, 0x85, 0xc0, 0x5e, 0xd1, 0xec, 0x27,
+	0xee, 0x3d, 0xaf, 0xc1, 0xad, 0x86, 0xee, 0xa4, 0x10, 0xf8, 0x5b, 0x46, 0xb4, 0xae, 0x22, 0xa2,
+	0x25, 0xf0, 0x6f, 0x68, 0x4d, 0x48, 0x2a, 0x33, 0x61, 0xaf, 0x6a, 0xb1, 0xd3, 0x87, 0x10, 0xd3,
+	0x84, 0xfe, 0x23, 0x23, 0xb7, 0x96, 0xc7, 0xc4, 0x08, 0xb5, 0xc6, 0x2b, 0xe8, 0x83, 0xaa, 0xf9,
+	0x38, 0x89, 0x7b, 0x4c, 0x11, 0xe1, 0x6f, 0x51, 0x5d, 0x8e, 0x52, 0xd0, 0x3b, 0xdd, 0xf0, 0x3f,
+	0x2d, 0x86, 0xbd, 0x18, 0xa5, 0xf0, 0x76, 0xb2, 0xf7, 0x74, 0x09, 0x44, 0x95, 0x88, 0x06, 0xe1,
+	0x6f, 0xca, 0x73, 0xac, 0x68, 0xf8, 0x47, 0xb7, 0xc5, 0xdf, 0x4e, 0xf6, 0xb6, 0x4b, 0xd8, 0xed,
+	0x79, 0xf0, 0x10, 0xe1, 0x57, 0x54, 0xc8, 0x0b, 0x4e, 0x63, 0x91, 0xd3, 0xb2, 0x08, 0xcc, 0x3a,
+	0x3e, 0xbf, 0xdb, 0xcd, 0x2a, 0x84, 0xbf, 0x6b, 0x24, 0xf1, 0xd9, 0x02, 0x1b, 0x59, 0xa2, 0x80,
+	0x3f, 0x41, 0x6b, 0x1c, 0xa8, 0x48, 0x62, 0xbb, 0xae, 0x47, 0x2e, 0xf7, 0x45, 0x74, 0x96, 0x98,
+	0x2a, 0xfe, 0x0c, 0xad, 0x47, 0x20, 0x04, 0x0d, 0xc1, 0x6e, 0xe8, 0xc6, 0x6d, 0xd3, 0xb8, 0x7e,
+	0x9e, 0xa7, 0x49, 0x51, 0x6f, 0x8d, 0x2d, 0xf4, 0xa8, 0xda, 0xd3, 0x19, 0x13, 0x12, 0xff, 0xb8,
+	0xe0, 0x56, 0xf7, 0x6e, 0x67, 0x52, 0x68, 0xed, 0xd5, 0x1d, 0x23, 0xd7, 0x2c, 0x32, 0x33, 0x4e,
+	0xed, 0xa3, 0x06, 0x93, 0x10, 0xa9, 0xad, 0xaf, 0x1e, 0x6c, 0xbe, 0x38, 0x7e, 0x00, 0xf7, 0xf8,
+	0xef, 0x19, 0xbd, 0xc6, 0xa9, 0x62, 0x26, 0xb9, 0x40, 0xeb, 0xdf, 0xd5, 0xd9, 0xa3, 0x29, 0x07,
+	0xe3, 0x14, 0xad, 0x8b, 0x3c, 0x34, 0x27, 0xbb, 0xbf, 0x79, 0x0d, 0x2d, 0x81, 0x2b, 0xe0, 0x10,
+	0x07, 0xe0, 0x6f, 0xaa, 0xfd, 0x16, 0xd9, 0x42, 0x06, 0x7f, 0x8c, 0x1a, 0x21, 0x4f, 0xb2, 0xd4,
+	0x98, 0xac, 0x9c, 0xf4, 0x44, 0x25, 0x49, 0x5e, 0x53, 0xf7, 0x35, 0x04, 0x2e, 0x58, 0x12, 0x6b,
+	0x13, 0xcd, 0xdc, 0xd7, 0x65, 0x9e, 0x26, 0x45, 0x1d, 0x77, 0xd0, 0x13, 0x16, 0x0b, 0x08, 0x32,
+	0x0e, 0x9d, 0x01, 0x4b, 0x2f, 0xce, 0x3a, 0x97, 0xc0, 0xd9, 0xd5, 0x48, 0x3b, 0xa2, 0xe9, 0x7f,
+	0x68, 0x80, 0x4f, 0x4e, 0x97, 0x35, 0x91, 0xe5, 0x58, 0x7c, 0x80, 0x9a, 0x01, 0xf5, 0xb3, 0xb8,
+	0xf7, 0x2a, 0x37, 0xcc, 0x96, 0xbf, 0xa5, 0x6e, 0xef, 0xf8, 0x28, 0xcf, 0x91, 0xb2, 0x8a, 0xdb,
+	0xe8, 0xb1, 0x1e, 0xb9, 0xcd, 0x59, 0xc2, 0x99, 0x1c, 0x9d, 0xb3, 0x98, 0x45, 0x59, 0x64, 0xaf,
+	0xef, 0x5b, 0x07, 0x0d, 0xff, 0x99, 0x51, 0x7f, 0x7c, 0xb2, 0xa4, 0x87, 0x2c, 0x45, 0xe2, 0x23,
+	0xb4, 0x6d, 0xce, 0x56, 0x54, 0xec, 0xa6, 0x26, 0x7b, 0x6a, 0xc8, 0xb6, 0x2f, 0x6f, 0x97, 0xc9,
+	0x7c, 0x7f, 0xeb, 0x4f, 0x0b, 0xed, 0xcc, 0xbf, 0x25, 0xf8, 0xb5, 0x85, 0x50, 0x50, 0xfc, 0x7e,
+	0x85, 0x6d, 0x69, 0xb7, 0x9d, 0x3d, 0x80, 0xdb, 0xca, 0x47, 0xa1, 0x7a, 0x92, 0xcb, 0x94, 0x20,
+	0x33, 0x9a, 0xad, 0xdf, 0x2d, 0xb4, 0x33, 0x6f, 0x13, 0xec, 0xa1, 0x8d, 0x98, 0x46, 0x20, 0x52,
+	0x1a, 0x14, 0x0f, 0xd7, 0xfb, 0x86, 0x67, 0xe3, 0xbb, 0xa2, 0x40, 0xaa, 0x1e, 0xbc, 0x8f, 0xea,
+	0x2a, 0x30, 0x06, 0x2a, 0x5f, 0x64, 0xd5, 0x4b, 0x74, 0x05, 0x3f, 0x43, 0xf5, 0x34, 0xe1, 0x52,
+	0x7b, 0xa7, 0xe1, 0x37, 0x55, 0xb5, 0x9d, 0x70, 0x49, 0x74, 0xd6, 0xff, 0xe9, 0xfa, 0xc6, 0xa9,
+	0xbd, 0xb9, 0x71, 0x6a, 0xe3, 0x1b, 0xa7, 0xf6, 0x7a, 0xea, 0x58, 0xd7, 0x53, 0xc7, 0x7a, 0x33,
+	0x75, 0xac, 0xf1, 0xd4, 0xb1, 0xfe, 0x9e, 0x3a, 0xd6, 0x1f, 0xff, 0x38, 0xb5, 0x1f, 0x5e, 0xde,
+	0xf3, 0x1f, 0xc0, 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x5f, 0x50, 0xda, 0x9b, 0x3b, 0x08, 0x00,
+	0x00,
+}
 
 func (m *APIService) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/zz_generated.model_name.go b/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/zz_generated.model_name.go
deleted file mode 100644
index 490a39e886..0000000000
--- a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/zz_generated.model_name.go
+++ /dev/null
@@ -1,52 +0,0 @@
-//go:build !ignore_autogenerated
-// +build !ignore_autogenerated
-
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by openapi-gen. DO NOT EDIT.
-
-package v1beta1
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIService) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIServiceCondition) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceCondition"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIServiceList) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceList"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIServiceSpec) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceSpec"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in APIServiceStatus) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceStatus"
-}
-
-// OpenAPIModelName returns the OpenAPI model name for this type.
-func (in ServiceReference) OpenAPIModelName() string {
-	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.ServiceReference"
-}
diff --git a/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/errors.go b/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/errors.go
new file mode 100644
index 0000000000..b1aa8c008a
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/errors.go
@@ -0,0 +1,79 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"fmt"
+)
+
+type errors struct {
+	errors []error
+}
+
+func (e *errors) Errors() []error {
+	return e.errors
+}
+
+func (e *errors) AppendErrors(err ...error) {
+	e.errors = append(e.errors, err...)
+}
+
+type ValidationError struct {
+	Path string
+	Err  error
+}
+
+func (e ValidationError) Error() string {
+	return fmt.Sprintf("ValidationError(%s): %v", e.Path, e.Err)
+}
+
+type InvalidTypeError struct {
+	Path     string
+	Expected string
+	Actual   string
+}
+
+func (e InvalidTypeError) Error() string {
+	return fmt.Sprintf("invalid type for %s: got %q, expected %q", e.Path, e.Actual, e.Expected)
+}
+
+type MissingRequiredFieldError struct {
+	Path  string
+	Field string
+}
+
+func (e MissingRequiredFieldError) Error() string {
+	return fmt.Sprintf("missing required field %q in %s", e.Field, e.Path)
+}
+
+type UnknownFieldError struct {
+	Path  string
+	Field string
+}
+
+func (e UnknownFieldError) Error() string {
+	return fmt.Sprintf("unknown field %q in %s", e.Field, e.Path)
+}
+
+type InvalidObjectTypeError struct {
+	Path string
+	Type string
+}
+
+func (e InvalidObjectTypeError) Error() string {
+	return fmt.Sprintf("unknown object type %q in %s", e.Type, e.Path)
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/types.go b/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/types.go
new file mode 100644
index 0000000000..e66342a7f1
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/types.go
@@ -0,0 +1,299 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"reflect"
+	"sort"
+
+	"k8s.io/kube-openapi/pkg/util/proto"
+)
+
+type validationItem interface {
+	proto.SchemaVisitor
+
+	Errors() []error
+	Path() *proto.Path
+}
+
+type baseItem struct {
+	errors errors
+	path   proto.Path
+}
+
+// Errors returns the list of errors found for this item.
+func (item *baseItem) Errors() []error {
+	return item.errors.Errors()
+}
+
+// AddValidationError wraps the given error into a ValidationError and
+// attaches it to this item.
+func (item *baseItem) AddValidationError(err error) {
+	item.errors.AppendErrors(ValidationError{Path: item.path.String(), Err: err})
+}
+
+// AddError adds a regular (non-validation related) error to the list.
+func (item *baseItem) AddError(err error) {
+	item.errors.AppendErrors(err)
+}
+
+// CopyErrors adds a list of errors to this item. This is useful to copy
+// errors from subitems.
+func (item *baseItem) CopyErrors(errs []error) {
+	item.errors.AppendErrors(errs...)
+}
+
+// Path returns the path of this item, helps print useful errors.
+func (item *baseItem) Path() *proto.Path {
+	return &item.path
+}
+
+// mapItem represents a map entry in the yaml.
+type mapItem struct {
+	baseItem
+
+	Map map[string]interface{}
+}
+
+func (item *mapItem) sortedKeys() []string {
+	sortedKeys := []string{}
+	for key := range item.Map {
+		sortedKeys = append(sortedKeys, key)
+	}
+	sort.Strings(sortedKeys)
+	return sortedKeys
+}
+
+var _ validationItem = &mapItem{}
+
+func (item *mapItem) VisitPrimitive(schema *proto.Primitive) {
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: schema.Type, Actual: "map"})
+}
+
+func (item *mapItem) VisitArray(schema *proto.Array) {
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: "array", Actual: "map"})
+}
+
+func (item *mapItem) VisitMap(schema *proto.Map) {
+	for _, key := range item.sortedKeys() {
+		subItem, err := itemFactory(item.Path().FieldPath(key), item.Map[key])
+		if err != nil {
+			item.AddError(err)
+			continue
+		}
+		schema.SubType.Accept(subItem)
+		item.CopyErrors(subItem.Errors())
+	}
+}
+
+func (item *mapItem) VisitKind(schema *proto.Kind) {
+	// Verify each sub-field.
+	for _, key := range item.sortedKeys() {
+		if item.Map[key] == nil {
+			continue
+		}
+		subItem, err := itemFactory(item.Path().FieldPath(key), item.Map[key])
+		if err != nil {
+			item.AddError(err)
+			continue
+		}
+		if _, ok := schema.Fields[key]; !ok {
+			item.AddValidationError(UnknownFieldError{Path: schema.GetPath().String(), Field: key})
+			continue
+		}
+		schema.Fields[key].Accept(subItem)
+		item.CopyErrors(subItem.Errors())
+	}
+
+	// Verify that all required fields are present.
+	for _, required := range schema.RequiredFields {
+		if v, ok := item.Map[required]; !ok || v == nil {
+			item.AddValidationError(MissingRequiredFieldError{Path: schema.GetPath().String(), Field: required})
+		}
+	}
+}
+
+func (item *mapItem) VisitArbitrary(schema *proto.Arbitrary) {
+}
+
+func (item *mapItem) VisitReference(schema proto.Reference) {
+	// passthrough
+	schema.SubSchema().Accept(item)
+}
+
+// arrayItem represents a yaml array.
+type arrayItem struct {
+	baseItem
+
+	Array []interface{}
+}
+
+var _ validationItem = &arrayItem{}
+
+func (item *arrayItem) VisitPrimitive(schema *proto.Primitive) {
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: schema.Type, Actual: "array"})
+}
+
+func (item *arrayItem) VisitArray(schema *proto.Array) {
+	for i, v := range item.Array {
+		path := item.Path().ArrayPath(i)
+		if v == nil {
+			item.AddValidationError(InvalidObjectTypeError{Type: "nil", Path: path.String()})
+			continue
+		}
+		subItem, err := itemFactory(path, v)
+		if err != nil {
+			item.AddError(err)
+			continue
+		}
+		schema.SubType.Accept(subItem)
+		item.CopyErrors(subItem.Errors())
+	}
+}
+
+func (item *arrayItem) VisitMap(schema *proto.Map) {
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: "map", Actual: "array"})
+}
+
+func (item *arrayItem) VisitKind(schema *proto.Kind) {
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: "map", Actual: "array"})
+}
+
+func (item *arrayItem) VisitArbitrary(schema *proto.Arbitrary) {
+}
+
+func (item *arrayItem) VisitReference(schema proto.Reference) {
+	// passthrough
+	schema.SubSchema().Accept(item)
+}
+
+// primitiveItem represents a yaml value.
+type primitiveItem struct {
+	baseItem
+
+	Value interface{}
+	Kind  string
+}
+
+var _ validationItem = &primitiveItem{}
+
+func (item *primitiveItem) VisitPrimitive(schema *proto.Primitive) {
+	// Some types of primitives can match more than one (a number
+	// can be a string, but not the other way around). Return from
+	// the switch if we have a valid possible type conversion
+	// NOTE(apelisse): This logic is blindly copied from the
+	// existing swagger logic, and I'm not sure I agree with it.
+	switch schema.Type {
+	case proto.Boolean:
+		switch item.Kind {
+		case proto.Boolean:
+			return
+		}
+	case proto.Integer:
+		switch item.Kind {
+		case proto.Integer, proto.Number:
+			return
+		}
+	case proto.Number:
+		switch item.Kind {
+		case proto.Integer, proto.Number:
+			return
+		}
+	case proto.String:
+		return
+	}
+	// TODO(wrong): this misses "null"
+
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: schema.Type, Actual: item.Kind})
+}
+
+func (item *primitiveItem) VisitArray(schema *proto.Array) {
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: "array", Actual: item.Kind})
+}
+
+func (item *primitiveItem) VisitMap(schema *proto.Map) {
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: "map", Actual: item.Kind})
+}
+
+func (item *primitiveItem) VisitKind(schema *proto.Kind) {
+	item.AddValidationError(InvalidTypeError{Path: schema.GetPath().String(), Expected: "map", Actual: item.Kind})
+}
+
+func (item *primitiveItem) VisitArbitrary(schema *proto.Arbitrary) {
+}
+
+func (item *primitiveItem) VisitReference(schema proto.Reference) {
+	// passthrough
+	schema.SubSchema().Accept(item)
+}
+
+// itemFactory creates the relevant item type/visitor based on the current yaml type.
+func itemFactory(path proto.Path, v interface{}) (validationItem, error) {
+	// We need to special case for no-type fields in yaml (e.g. empty item in list)
+	if v == nil {
+		return nil, InvalidObjectTypeError{Type: "nil", Path: path.String()}
+	}
+	kind := reflect.TypeOf(v).Kind()
+	switch kind {
+	case reflect.Bool:
+		return &primitiveItem{
+			baseItem: baseItem{path: path},
+			Value:    v,
+			Kind:     proto.Boolean,
+		}, nil
+	case reflect.Int,
+		reflect.Int8,
+		reflect.Int16,
+		reflect.Int32,
+		reflect.Int64,
+		reflect.Uint,
+		reflect.Uint8,
+		reflect.Uint16,
+		reflect.Uint32,
+		reflect.Uint64:
+		return &primitiveItem{
+			baseItem: baseItem{path: path},
+			Value:    v,
+			Kind:     proto.Integer,
+		}, nil
+	case reflect.Float32,
+		reflect.Float64:
+		return &primitiveItem{
+			baseItem: baseItem{path: path},
+			Value:    v,
+			Kind:     proto.Number,
+		}, nil
+	case reflect.String:
+		return &primitiveItem{
+			baseItem: baseItem{path: path},
+			Value:    v,
+			Kind:     proto.String,
+		}, nil
+	case reflect.Array,
+		reflect.Slice:
+		return &arrayItem{
+			baseItem: baseItem{path: path},
+			Array:    v.([]interface{}),
+		}, nil
+	case reflect.Map:
+		return &mapItem{
+			baseItem: baseItem{path: path},
+			Map:      v.(map[string]interface{}),
+		}, nil
+	}
+	return nil, InvalidObjectTypeError{Type: kind.String(), Path: path.String()}
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/validation.go b/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/validation.go
new file mode 100644
index 0000000000..35310f637a
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/util/proto/validation/validation.go
@@ -0,0 +1,30 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"k8s.io/kube-openapi/pkg/util/proto"
+)
+
+func ValidateModel(obj interface{}, schema proto.Schema, name string) []error {
+	rootValidation, err := itemFactory(proto.NewPath(name), obj)
+	if err != nil {
+		return []error{err}
+	}
+	schema.Accept(rootValidation)
+	return rootValidation.Errors()
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/spec/ref.go b/vendor/k8s.io/kube-openapi/pkg/validation/spec/ref.go
index 775b3b0c36..29cec61930 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/spec/ref.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/spec/ref.go
@@ -16,10 +16,6 @@ package spec
 
 import (
 	"encoding/json"
-	"net/http"
-	"os"
-	"path/filepath"
-
 	"github.com/go-openapi/jsonreference"
 
 	"k8s.io/kube-openapi/pkg/internal"
@@ -56,52 +52,6 @@ func (r *Ref) RemoteURI() string {
 	return u.String()
 }
 
-// IsValidURI returns true when the url the ref points to can be found
-func (r *Ref) IsValidURI(basepaths ...string) bool {
-	if r.String() == "" {
-		return true
-	}
-
-	v := r.RemoteURI()
-	if v == "" {
-		return true
-	}
-
-	if r.HasFullURL {
-		rr, err := http.Get(v)
-		if err != nil {
-			return false
-		}
-
-		return rr.StatusCode/100 == 2
-	}
-
-	if !(r.HasFileScheme || r.HasFullFilePath || r.HasURLPathOnly) {
-		return false
-	}
-
-	// check for local file
-	pth := v
-	if r.HasURLPathOnly {
-		base := "."
-		if len(basepaths) > 0 {
-			base = filepath.Dir(filepath.Join(basepaths...))
-		}
-		p, e := filepath.Abs(filepath.ToSlash(filepath.Join(base, pth)))
-		if e != nil {
-			return false
-		}
-		pth = p
-	}
-
-	fi, err := os.Stat(filepath.ToSlash(pth))
-	if err != nil {
-		return false
-	}
-
-	return !fi.IsDir()
-}
-
 // Inherits creates a new reference from a parent and a child
 // If the child cannot inherit from the parent, an error is returned
 func (r *Ref) Inherits(child Ref) (*Ref, error) {
diff --git a/vendor/k8s.io/kubectl/LICENSE b/vendor/k8s.io/kubectl/LICENSE
new file mode 100644
index 0000000000..8dada3edaf
--- /dev/null
+++ b/vendor/k8s.io/kubectl/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/k8s.io/kubectl/pkg/cmd/util/caching_verifier.go b/vendor/k8s.io/kubectl/pkg/cmd/util/caching_verifier.go
new file mode 100644
index 0000000000..ea111223f2
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/cmd/util/caching_verifier.go
@@ -0,0 +1,59 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"sync"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/cli-runtime/pkg/resource"
+)
+
+// cachingVerifier wraps the given Verifier to cache return values forever.
+type cachingVerifier struct {
+	cache map[schema.GroupVersionKind]error
+	mu    sync.RWMutex
+	next  resource.Verifier
+}
+
+// newCachingVerifier creates a new cache using the given underlying verifier.
+func newCachingVerifier(next resource.Verifier) *cachingVerifier {
+	return &cachingVerifier{
+		cache: make(map[schema.GroupVersionKind]error),
+		next:  next,
+	}
+}
+
+// HasSupport implements resource.Verifier. It cached return values from the underlying verifier forever.
+func (cv *cachingVerifier) HasSupport(gvk schema.GroupVersionKind) error {
+	// Try to get the cached value.
+	cv.mu.RLock()
+	err, ok := cv.cache[gvk]
+	cv.mu.RUnlock()
+	if ok {
+		return err
+	}
+
+	// Cache miss. Get the actual result.
+	err = cv.next.HasSupport(gvk)
+
+	// Update the cache.
+	cv.mu.Lock()
+	cv.cache[gvk] = err
+	cv.mu.Unlock()
+	return err
+}
diff --git a/vendor/k8s.io/kubectl/pkg/cmd/util/env_file.go b/vendor/k8s.io/kubectl/pkg/cmd/util/env_file.go
new file mode 100644
index 0000000000..ed1255839e
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/cmd/util/env_file.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+
+	"k8s.io/apimachinery/pkg/util/validation"
+)
+
+var utf8bom = []byte{0xEF, 0xBB, 0xBF}
+
+// processEnvFileLine returns a blank key if the line is empty or a comment.
+// The value will be retrieved from the environment if necessary.
+func processEnvFileLine(line []byte, filePath string,
+	currentLine int) (key, value string, err error) {
+
+	if !utf8.Valid(line) {
+		return ``, ``, fmt.Errorf("env file %s contains invalid utf8 bytes at line %d: %v",
+			filePath, currentLine+1, line)
+	}
+
+	// We trim UTF8 BOM from the first line of the file but no others
+	if currentLine == 0 {
+		line = bytes.TrimPrefix(line, utf8bom)
+	}
+
+	// trim the line from all leading whitespace first
+	line = bytes.TrimLeftFunc(line, unicode.IsSpace)
+
+	// If the line is empty or a comment, we return a blank key/value pair.
+	if len(line) == 0 || line[0] == '#' {
+		return ``, ``, nil
+	}
+
+	data := strings.SplitN(string(line), "=", 2)
+	key = data[0]
+	if errs := validation.IsEnvVarName(key); len(errs) != 0 {
+		return ``, ``, fmt.Errorf("%q is not a valid key name: %s", key, strings.Join(errs, ";"))
+	}
+
+	if len(data) == 2 {
+		value = data[1]
+	} else {
+		// No value (no `=` in the line) is a signal to obtain the value
+		// from the environment.
+		value = os.Getenv(key)
+	}
+	return
+}
+
+// AddFromEnvFile processes an env file allows a generic addTo to handle the
+// collection of key value pairs or returns an error.
+func AddFromEnvFile(filePath string, addTo func(key, value string) error) error {
+	f, err := os.Open(filePath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	currentLine := 0
+	for scanner.Scan() {
+		// Process the current line, retrieving a key/value pair if
+		// possible.
+		scannedBytes := scanner.Bytes()
+		key, value, err := processEnvFileLine(scannedBytes, filePath, currentLine)
+		if err != nil {
+			return err
+		}
+		currentLine++
+
+		if len(key) == 0 {
+			// no key means line was empty or a comment
+			continue
+		}
+
+		if err = addTo(key, value); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/vendor/k8s.io/kubectl/pkg/cmd/util/factory.go b/vendor/k8s.io/kubectl/pkg/cmd/util/factory.go
new file mode 100644
index 0000000000..e6414f3e0d
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/cmd/util/factory.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	openapiclient "k8s.io/client-go/openapi"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/kubectl/pkg/util/openapi"
+	"k8s.io/kubectl/pkg/validation"
+)
+
+// Factory provides abstractions that allow the Kubectl command to be extended across multiple types
+// of resources and different API sets.
+// The rings are here for a reason. In order for composers to be able to provide alternative factory implementations
+// they need to provide low level pieces of *certain* functions so that when the factory calls back into itself
+// it uses the custom version of the function. Rather than try to enumerate everything that someone would want to override
+// we split the factory into rings, where each ring can depend on methods in an earlier ring, but cannot depend
+// upon peer methods in its own ring.
+// TODO: make the functions interfaces
+// TODO: pass the various interfaces on the factory directly into the command constructors (so the
+// commands are decoupled from the factory).
+type Factory interface {
+	genericclioptions.RESTClientGetter
+
+	// DynamicClient returns a dynamic client ready for use
+	DynamicClient() (dynamic.Interface, error)
+
+	// KubernetesClientSet gives you back an external clientset
+	KubernetesClientSet() (*kubernetes.Clientset, error)
+
+	// Returns a RESTClient for accessing Kubernetes resources or an error.
+	RESTClient() (*restclient.RESTClient, error)
+
+	// NewBuilder returns an object that assists in loading objects from both disk and the server
+	// and which implements the common patterns for CLI interactions with generic resources.
+	NewBuilder() *resource.Builder
+
+	// Returns a RESTClient for working with the specified RESTMapping or an error. This is intended
+	// for working with arbitrary resources and is not guaranteed to point to a Kubernetes APIServer.
+	ClientForMapping(mapping *meta.RESTMapping) (resource.RESTClient, error)
+	// Returns a RESTClient for working with Unstructured objects.
+	UnstructuredClientForMapping(mapping *meta.RESTMapping) (resource.RESTClient, error)
+
+	// Returns a schema that can validate objects stored on disk.
+	Validator(validationDirective string) (validation.Schema, error)
+
+	// Used for retrieving openapi v2 resources.
+	openapi.OpenAPIResourcesGetter
+
+	// OpenAPIV3Schema returns a client for fetching parsed schemas for
+	// any group version
+	OpenAPIV3Client() (openapiclient.Client, error)
+}
diff --git a/vendor/k8s.io/kubectl/pkg/cmd/util/factory_client_access.go b/vendor/k8s.io/kubectl/pkg/cmd/util/factory_client_access.go
new file mode 100644
index 0000000000..c2a06cf928
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/cmd/util/factory_client_access.go
@@ -0,0 +1,218 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// this file contains factories with no other dependencies
+
+package util
+
+import (
+	"errors"
+	"sync"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	openapiclient "k8s.io/client-go/openapi"
+	"k8s.io/client-go/openapi/cached"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/kubectl/pkg/util/openapi"
+	"k8s.io/kubectl/pkg/validation"
+)
+
+type factoryImpl struct {
+	clientGetter genericclioptions.RESTClientGetter
+
+	// Caches OpenAPI document and parsed resources
+	openAPIParser *openapi.CachedOpenAPIParser
+	oapi          *openapi.CachedOpenAPIGetter
+	parser        sync.Once
+	getter        sync.Once
+}
+
+func NewFactory(clientGetter genericclioptions.RESTClientGetter) Factory {
+	if clientGetter == nil {
+		panic("attempt to instantiate client_access_factory with nil clientGetter")
+	}
+	f := &factoryImpl{
+		clientGetter: clientGetter,
+	}
+
+	return f
+}
+
+func (f *factoryImpl) ToRESTConfig() (*restclient.Config, error) {
+	return f.clientGetter.ToRESTConfig()
+}
+
+func (f *factoryImpl) ToRESTMapper() (meta.RESTMapper, error) {
+	return f.clientGetter.ToRESTMapper()
+}
+
+func (f *factoryImpl) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	return f.clientGetter.ToDiscoveryClient()
+}
+
+func (f *factoryImpl) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	return f.clientGetter.ToRawKubeConfigLoader()
+}
+
+func (f *factoryImpl) KubernetesClientSet() (*kubernetes.Clientset, error) {
+	clientConfig, err := f.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+	return kubernetes.NewForConfig(clientConfig)
+}
+
+func (f *factoryImpl) DynamicClient() (dynamic.Interface, error) {
+	clientConfig, err := f.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+	return dynamic.NewForConfig(clientConfig)
+}
+
+// NewBuilder returns a new resource builder for structured api objects.
+func (f *factoryImpl) NewBuilder() *resource.Builder {
+	return resource.NewBuilder(f.clientGetter)
+}
+
+func (f *factoryImpl) RESTClient() (*restclient.RESTClient, error) {
+	clientConfig, err := f.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+	setKubernetesDefaults(clientConfig)
+	return restclient.RESTClientFor(clientConfig)
+}
+
+func (f *factoryImpl) ClientForMapping(mapping *meta.RESTMapping) (resource.RESTClient, error) {
+	cfg, err := f.clientGetter.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+	if err := setKubernetesDefaults(cfg); err != nil {
+		return nil, err
+	}
+	gvk := mapping.GroupVersionKind
+	switch gvk.Group {
+	case corev1.GroupName:
+		cfg.APIPath = "/api"
+	default:
+		cfg.APIPath = "/apis"
+	}
+	gv := gvk.GroupVersion()
+	cfg.GroupVersion = &gv
+	return restclient.RESTClientFor(cfg)
+}
+
+func (f *factoryImpl) UnstructuredClientForMapping(mapping *meta.RESTMapping) (resource.RESTClient, error) {
+	cfg, err := f.clientGetter.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+	if err := restclient.SetKubernetesDefaults(cfg); err != nil {
+		return nil, err
+	}
+	cfg.APIPath = "/apis"
+	if mapping.GroupVersionKind.Group == corev1.GroupName {
+		cfg.APIPath = "/api"
+	}
+	gv := mapping.GroupVersionKind.GroupVersion()
+	cfg.ContentConfig = resource.UnstructuredPlusDefaultContentConfig()
+	cfg.GroupVersion = &gv
+	return restclient.RESTClientFor(cfg)
+}
+
+func (f *factoryImpl) Validator(validationDirective string) (validation.Schema, error) {
+	// client-side schema validation is only performed
+	// when the validationDirective is strict.
+	// If the directive is warn, we rely on the ParamVerifyingSchema
+	// to ignore the client-side validation and provide a warning
+	// to the user that attempting warn validation when SS validation
+	// is unsupported is inert.
+	if validationDirective == metav1.FieldValidationIgnore {
+		return validation.NullSchema{}, nil
+	}
+
+	schema := validation.ConjunctiveSchema{
+		validation.NewSchemaValidation(f),
+		validation.NoDoubleKeySchema{},
+	}
+
+	dynamicClient, err := f.DynamicClient()
+	if err != nil {
+		return nil, err
+	}
+	// Create the FieldValidationVerifier for use in the ParamVerifyingSchema.
+	discoveryClient, err := f.ToDiscoveryClient()
+	if err != nil {
+		return nil, err
+	}
+	// Memory-cache the OpenAPI V3 responses. The disk cache behavior is determined by
+	// the discovery client.
+	oapiV3Client := cached.NewClient(discoveryClient.OpenAPIV3())
+	queryParam := resource.QueryParamFieldValidation
+	primary := newCachingVerifier(resource.NewQueryParamVerifierV3(dynamicClient, oapiV3Client, queryParam))
+	secondary := resource.NewQueryParamVerifier(dynamicClient, f.openAPIGetter(), queryParam)
+	fallback := resource.NewFallbackQueryParamVerifier(primary, secondary)
+	return validation.NewParamVerifyingSchema(schema, fallback, string(validationDirective)), nil
+}
+
+// OpenAPISchema returns metadata and structural information about
+// Kubernetes object definitions.
+func (f *factoryImpl) OpenAPISchema() (openapi.Resources, error) {
+	openAPIGetter := f.openAPIGetter()
+	if openAPIGetter == nil {
+		return nil, errors.New("no openapi getter")
+	}
+
+	// Lazily initialize the OpenAPIParser once
+	f.parser.Do(func() {
+		// Create the caching OpenAPIParser
+		f.openAPIParser = openapi.NewOpenAPIParser(f.openAPIGetter())
+	})
+
+	// Delegate to the OpenAPIPArser
+	return f.openAPIParser.Parse()
+}
+
+func (f *factoryImpl) openAPIGetter() discovery.OpenAPISchemaInterface {
+	discovery, err := f.clientGetter.ToDiscoveryClient()
+	if err != nil {
+		return nil
+	}
+	f.getter.Do(func() {
+		f.oapi = openapi.NewOpenAPIGetter(discovery)
+	})
+
+	return f.oapi
+}
+
+func (f *factoryImpl) OpenAPIV3Client() (openapiclient.Client, error) {
+	discovery, err := f.clientGetter.ToDiscoveryClient()
+	if err != nil {
+		return nil, err
+	}
+
+	return cached.NewClient(discovery.OpenAPIV3()), nil
+}
diff --git a/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go b/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go
new file mode 100644
index 0000000000..755533aeb9
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/cmd/util/helpers.go
@@ -0,0 +1,930 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/scale"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/klog/v2"
+	utilexec "k8s.io/utils/exec"
+)
+
+const (
+	ApplyAnnotationsFlag = "save-config"
+	DefaultErrorExitCode = 1
+	DefaultChunkSize     = 500
+)
+
+type debugError interface {
+	DebugError() (msg string, args []interface{})
+}
+
+// AddSourceToErr adds handleResourcePrefix and source string to error message.
+// verb is the string like "creating", "deleting" etc.
+// source is the filename or URL to the template file(*.json or *.yaml), or stdin to use to handle the resource.
+func AddSourceToErr(verb string, source string, err error) error {
+	if source != "" {
+		if statusError, ok := err.(apierrors.APIStatus); ok {
+			status := statusError.Status()
+			status.Message = fmt.Sprintf("error when %s %q: %v", verb, source, status.Message)
+			return &apierrors.StatusError{ErrStatus: status}
+		}
+		return fmt.Errorf("error when %s %q: %v", verb, source, err)
+	}
+	return err
+}
+
+var fatalErrHandler = fatal
+
+// BehaviorOnFatal allows you to override the default behavior when a fatal
+// error occurs, which is to call os.Exit(code). You can pass 'panic' as a function
+// here if you prefer the panic() over os.Exit(1).
+func BehaviorOnFatal(f func(string, int)) {
+	fatalErrHandler = f
+}
+
+// DefaultBehaviorOnFatal allows you to undo any previous override.  Useful in
+// tests.
+func DefaultBehaviorOnFatal() {
+	fatalErrHandler = fatal
+}
+
+// fatal prints the message (if provided) and then exits. If V(99) or greater,
+// klog.Fatal is invoked for extended information. This is intended for maintainer
+// debugging and out of a reasonable range for users.
+func fatal(msg string, code int) {
+	// nolint:logcheck // Not using the result of klog.V(99) inside the if
+	// branch is okay, we just use it to determine how to terminate.
+	if klog.V(99).Enabled() {
+		klog.FatalDepth(2, msg)
+	}
+	if len(msg) > 0 {
+		// add newline if needed
+		if !strings.HasSuffix(msg, "\n") {
+			msg += "\n"
+		}
+		fmt.Fprint(os.Stderr, msg)
+	}
+	os.Exit(code)
+}
+
+// ErrExit may be passed to CheckError to instruct it to output nothing but exit with
+// status code 1.
+var ErrExit = fmt.Errorf("exit")
+
+// CheckErr prints a user friendly error to STDERR and exits with a non-zero
+// exit code. Unrecognized errors will be printed with an "error: " prefix.
+//
+// This method is generic to the command in use and may be used by non-Kubectl
+// commands.
+func CheckErr(err error) {
+	checkErr(err, fatalErrHandler)
+}
+
+// CheckDiffErr prints a user friendly error to STDERR and exits with a
+// non-zero and non-one exit code. Unrecognized errors will be printed
+// with an "error: " prefix.
+//
+// This method is meant specifically for `kubectl diff` and may be used
+// by other commands.
+func CheckDiffErr(err error) {
+	checkErr(err, func(msg string, code int) {
+		fatalErrHandler(msg, code+1)
+	})
+}
+
+// isInvalidReasonStatusError returns true if this is an API Status error with reason=Invalid.
+// This is distinct from generic 422 errors we want to fall back to generic error handling.
+func isInvalidReasonStatusError(err error) bool {
+	if !apierrors.IsInvalid(err) {
+		return false
+	}
+	statusError, isStatusError := err.(*apierrors.StatusError)
+	if !isStatusError {
+		return false
+	}
+	status := statusError.Status()
+	return status.Reason == metav1.StatusReasonInvalid
+}
+
+// checkErr formats a given error as a string and calls the passed handleErr
+// func with that string and an kubectl exit code.
+func checkErr(err error, handleErr func(string, int)) {
+	// unwrap aggregates of 1
+	if agg, ok := err.(utilerrors.Aggregate); ok && len(agg.Errors()) == 1 {
+		err = agg.Errors()[0]
+	}
+
+	if err == nil {
+		return
+	}
+
+	switch {
+	case err == ErrExit:
+		handleErr("", DefaultErrorExitCode)
+	case isInvalidReasonStatusError(err):
+		status := err.(*apierrors.StatusError).Status()
+		details := status.Details
+		s := "The request is invalid"
+		if details == nil {
+			// if we have no other details, include the message from the server if present
+			if len(status.Message) > 0 {
+				s += ": " + status.Message
+			}
+			handleErr(s, DefaultErrorExitCode)
+			return
+		}
+		if len(details.Kind) != 0 || len(details.Name) != 0 {
+			s = fmt.Sprintf("The %s %q is invalid", details.Kind, details.Name)
+		} else if len(status.Message) > 0 && len(details.Causes) == 0 {
+			// only append the message if we have no kind/name details and no causes,
+			// since default invalid error constructors duplicate that information in the message
+			s += ": " + status.Message
+		}
+
+		if len(details.Causes) > 0 {
+			errs := statusCausesToAggrError(details.Causes)
+			handleErr(MultilineError(s+": ", errs), DefaultErrorExitCode)
+		} else {
+			handleErr(s, DefaultErrorExitCode)
+		}
+	case clientcmd.IsConfigurationInvalid(err):
+		handleErr(MultilineError("Error in configuration: ", err), DefaultErrorExitCode)
+	default:
+		switch err := err.(type) {
+		case *meta.NoResourceMatchError:
+			switch {
+			case len(err.PartialResource.Group) > 0 && len(err.PartialResource.Version) > 0:
+				handleErr(fmt.Sprintf("the server doesn't have a resource type %q in group %q and version %q", err.PartialResource.Resource, err.PartialResource.Group, err.PartialResource.Version), DefaultErrorExitCode)
+			case len(err.PartialResource.Group) > 0:
+				handleErr(fmt.Sprintf("the server doesn't have a resource type %q in group %q", err.PartialResource.Resource, err.PartialResource.Group), DefaultErrorExitCode)
+			case len(err.PartialResource.Version) > 0:
+				handleErr(fmt.Sprintf("the server doesn't have a resource type %q in version %q", err.PartialResource.Resource, err.PartialResource.Version), DefaultErrorExitCode)
+			default:
+				handleErr(fmt.Sprintf("the server doesn't have a resource type %q", err.PartialResource.Resource), DefaultErrorExitCode)
+			}
+		case utilerrors.Aggregate:
+			handleErr(MultipleErrors(``, err.Errors()), DefaultErrorExitCode)
+		case utilexec.ExitError:
+			handleErr(err.Error(), err.ExitStatus())
+		default: // for any other error type
+			msg, ok := StandardErrorMessage(err)
+			if !ok {
+				msg = err.Error()
+				if !strings.HasPrefix(msg, "error: ") {
+					msg = fmt.Sprintf("error: %s", msg)
+				}
+			}
+			handleErr(msg, DefaultErrorExitCode)
+		}
+	}
+}
+
+func statusCausesToAggrError(scs []metav1.StatusCause) utilerrors.Aggregate {
+	errs := make([]error, 0, len(scs))
+	errorMsgs := sets.New[string]()
+	for _, sc := range scs {
+		// check for duplicate error messages and skip them
+		msg := fmt.Sprintf("%s: %s", sc.Field, sc.Message)
+		if errorMsgs.Has(msg) {
+			continue
+		}
+		errorMsgs.Insert(msg)
+		errs = append(errs, errors.New(msg))
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
+// StandardErrorMessage translates common errors into a human readable message, or returns
+// false if the error is not one of the recognized types. It may also log extended
+// information to klog.
+//
+// This method is generic to the command in use and may be used by non-Kubectl
+// commands.
+func StandardErrorMessage(err error) (string, bool) {
+	if debugErr, ok := err.(debugError); ok {
+		klog.V(4).Info(debugErr.DebugError())
+	}
+	status, isStatus := err.(apierrors.APIStatus)
+	switch {
+	case isStatus:
+		switch s := status.Status(); {
+		case s.Reason == metav1.StatusReasonUnauthorized:
+			return fmt.Sprintf("error: You must be logged in to the server (%s)", s.Message), true
+		case len(s.Reason) > 0:
+			return fmt.Sprintf("Error from server (%s): %s", s.Reason, err.Error()), true
+		default:
+			return fmt.Sprintf("Error from server: %s", err.Error()), true
+		}
+	case apierrors.IsUnexpectedObjectError(err):
+		return fmt.Sprintf("Server returned an unexpected response: %s", err.Error()), true
+	}
+	switch t := err.(type) {
+	case *url.Error:
+		klog.V(4).Infof("Connection error: %s %s: %v", t.Op, t.URL, t.Err)
+		switch {
+		case strings.Contains(t.Err.Error(), "connection refused"):
+			host := t.URL
+			if server, err := url.Parse(t.URL); err == nil {
+				host = server.Host
+			}
+			return fmt.Sprintf("The connection to the server %s was refused - did you specify the right host or port?", host), true
+		}
+		return fmt.Sprintf("Unable to connect to the server: %v", t.Err), true
+	}
+	return "", false
+}
+
+// MultilineError returns a string representing an error that splits sub errors into their own
+// lines. The returned string will end with a newline.
+func MultilineError(prefix string, err error) string {
+	if agg, ok := err.(utilerrors.Aggregate); ok {
+		errs := utilerrors.Flatten(agg).Errors()
+		buf := &bytes.Buffer{}
+		switch len(errs) {
+		case 0:
+			return fmt.Sprintf("%s%v\n", prefix, err)
+		case 1:
+			return fmt.Sprintf("%s%v\n", prefix, messageForError(errs[0]))
+		default:
+			fmt.Fprintln(buf, prefix)
+			for _, err := range errs {
+				fmt.Fprintf(buf, "* %v\n", messageForError(err))
+			}
+			return buf.String()
+		}
+	}
+	return fmt.Sprintf("%s%s\n", prefix, err)
+}
+
+// PrintErrorWithCauses prints an error's kind, name, and each of the error's causes in a new line.
+// The returned string will end with a newline.
+// Returns true if a case exists to handle the error type, or false otherwise.
+func PrintErrorWithCauses(err error, errOut io.Writer) bool {
+	switch t := err.(type) {
+	case *apierrors.StatusError:
+		errorDetails := t.Status().Details
+		if errorDetails != nil {
+			fmt.Fprintf(errOut, "error: %s %q is invalid\n\n", errorDetails.Kind, errorDetails.Name)
+			for _, cause := range errorDetails.Causes {
+				fmt.Fprintf(errOut, "* %s: %s\n", cause.Field, cause.Message)
+			}
+			return true
+		}
+	}
+
+	fmt.Fprintf(errOut, "error: %v\n", err)
+	return false
+}
+
+// MultipleErrors returns a newline delimited string containing
+// the prefix and referenced errors in standard form.
+func MultipleErrors(prefix string, errs []error) string {
+	buf := &bytes.Buffer{}
+	for _, err := range errs {
+		fmt.Fprintf(buf, "%s%v\n", prefix, messageForError(err))
+	}
+	return buf.String()
+}
+
+// messageForError returns the string representing the error.
+func messageForError(err error) string {
+	msg, ok := StandardErrorMessage(err)
+	if !ok {
+		msg = err.Error()
+	}
+	return msg
+}
+
+func UsageErrorf(cmd *cobra.Command, format string, args ...interface{}) error {
+	msg := fmt.Sprintf(format, args...)
+	return fmt.Errorf("%s\nSee '%s -h' for help and examples", msg, cmd.CommandPath())
+}
+
+func IsFilenameSliceEmpty(filenames []string, directory string) bool {
+	return len(filenames) == 0 && directory == ""
+}
+
+func GetFlagString(cmd *cobra.Command, flag string) string {
+	s, err := cmd.Flags().GetString(flag)
+	if err != nil {
+		klog.Fatalf("error accessing flag %s for command %s: %v", flag, cmd.Name(), err)
+	}
+	return s
+}
+
+// GetFlagStringSlice can be used to accept multiple argument with flag repetition (e.g. -f arg1,arg2 -f arg3 ...)
+func GetFlagStringSlice(cmd *cobra.Command, flag string) []string {
+	s, err := cmd.Flags().GetStringSlice(flag)
+	if err != nil {
+		klog.Fatalf("error accessing flag %s for command %s: %v", flag, cmd.Name(), err)
+	}
+	return s
+}
+
+// GetFlagStringArray can be used to accept multiple argument with flag repetition (e.g. -f arg1 -f arg2 ...)
+func GetFlagStringArray(cmd *cobra.Command, flag string) []string {
+	s, err := cmd.Flags().GetStringArray(flag)
+	if err != nil {
+		klog.Fatalf("error accessing flag %s for command %s: %v", flag, cmd.Name(), err)
+	}
+	return s
+}
+
+func GetFlagBool(cmd *cobra.Command, flag string) bool {
+	b, err := cmd.Flags().GetBool(flag)
+	if err != nil {
+		klog.Fatalf("error accessing flag %s for command %s: %v", flag, cmd.Name(), err)
+	}
+	return b
+}
+
+// Assumes the flag has a default value.
+func GetFlagInt(cmd *cobra.Command, flag string) int {
+	i, err := cmd.Flags().GetInt(flag)
+	if err != nil {
+		klog.Fatalf("error accessing flag %s for command %s: %v", flag, cmd.Name(), err)
+	}
+	return i
+}
+
+// Assumes the flag has a default value.
+func GetFlagInt32(cmd *cobra.Command, flag string) int32 {
+	i, err := cmd.Flags().GetInt32(flag)
+	if err != nil {
+		klog.Fatalf("error accessing flag %s for command %s: %v", flag, cmd.Name(), err)
+	}
+	return i
+}
+
+// Assumes the flag has a default value.
+func GetFlagInt64(cmd *cobra.Command, flag string) int64 {
+	i, err := cmd.Flags().GetInt64(flag)
+	if err != nil {
+		klog.Fatalf("error accessing flag %s for command %s: %v", flag, cmd.Name(), err)
+	}
+	return i
+}
+
+func GetFlagDuration(cmd *cobra.Command, flag string) time.Duration {
+	d, err := cmd.Flags().GetDuration(flag)
+	if err != nil {
+		klog.Fatalf("error accessing flag %s for command %s: %v", flag, cmd.Name(), err)
+	}
+	return d
+}
+
+func GetPodRunningTimeoutFlag(cmd *cobra.Command) (time.Duration, error) {
+	timeout := GetFlagDuration(cmd, "pod-running-timeout")
+	if timeout <= 0 {
+		return timeout, fmt.Errorf("--pod-running-timeout must be higher than zero")
+	}
+	return timeout, nil
+}
+
+type FeatureGate string
+
+const (
+	// owner: @ardaguclu
+	// kep: https://kep.k8s.io/3104
+	//
+	// Separate kubectl user preferences.
+	KubeRC FeatureGate = "KUBECTL_KUBERC"
+
+	// owner: @justinb
+	// kep: https://kep.k8s.io/3659
+	//
+	// Improved kubectl apply --prune behavior.
+	ApplySet FeatureGate = "KUBECTL_APPLYSET"
+
+	// owner: @seans
+	// kep: https://kep.k8s.io/4006
+	//
+	// Transition to WebSockets.
+	RemoteCommandWebsockets FeatureGate = "KUBECTL_REMOTE_COMMAND_WEBSOCKETS"
+	PortForwardWebsockets   FeatureGate = "KUBECTL_PORT_FORWARD_WEBSOCKETS"
+
+	// owner: @thockin
+	// kep: https://kep.k8s.io/5296
+	//
+	// Support KYAML output.
+	KYAMLOutput FeatureGate = "KUBECTL_KYAML"
+)
+
+// IsEnabled returns true iff environment variable is set to true.
+// All other cases, it returns false.
+func (f FeatureGate) IsEnabled() bool {
+	return strings.ToLower(os.Getenv(string(f))) == "true"
+}
+
+// IsDisabled returns true iff environment variable is set to false.
+// All other cases, it returns true.
+// This function is used for the cases where feature is enabled by default,
+// but it may be needed to provide a way to ability to disable this feature.
+func (f FeatureGate) IsDisabled() bool {
+	return strings.ToLower(os.Getenv(string(f))) == "false"
+}
+
+func AddValidateFlags(cmd *cobra.Command) {
+	cmd.Flags().String(
+		"validate",
+		"strict",
+		`Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields.`,
+	)
+
+	cmd.Flags().Lookup("validate").NoOptDefVal = "strict"
+}
+
+func AddFilenameOptionFlags(cmd *cobra.Command, options *resource.FilenameOptions, usage string) {
+	AddJsonFilenameFlag(cmd.Flags(), &options.Filenames, "Filename, directory, or URL to files "+usage)
+	AddKustomizeFlag(cmd.Flags(), &options.Kustomize)
+	cmd.Flags().BoolVarP(&options.Recursive, "recursive", "R", options.Recursive, "Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.")
+}
+
+func AddJsonFilenameFlag(flags *pflag.FlagSet, value *[]string, usage string) {
+	flags.StringSliceVarP(value, "filename", "f", *value, usage)
+	annotations := make([]string, 0, len(resource.FileExtensions))
+	for _, ext := range resource.FileExtensions {
+		annotations = append(annotations, strings.TrimLeft(ext, "."))
+	}
+	flags.SetAnnotation("filename", cobra.BashCompFilenameExt, annotations)
+}
+
+// AddKustomizeFlag adds kustomize flag to a command
+func AddKustomizeFlag(flags *pflag.FlagSet, value *string) {
+	flags.StringVarP(value, "kustomize", "k", *value, "Process the kustomization directory. This flag can't be used together with -f or -R.")
+}
+
+// AddDryRunFlag adds dry-run flag to a command. Usually used by mutations.
+func AddDryRunFlag(cmd *cobra.Command) {
+	cmd.Flags().String(
+		"dry-run",
+		"none",
+		`Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.`,
+	)
+	cmd.Flags().Lookup("dry-run").NoOptDefVal = "unchanged"
+}
+
+func AddFieldManagerFlagVar(cmd *cobra.Command, p *string, defaultFieldManager string) {
+	cmd.Flags().StringVar(p, "field-manager", defaultFieldManager, "Name of the manager used to track field ownership.")
+}
+
+func AddContainerVarFlags(cmd *cobra.Command, p *string, containerName string) {
+	cmd.Flags().StringVarP(p, "container", "c", containerName, "Container name. If omitted, use the kubectl.kubernetes.io/default-container annotation for selecting the container to be attached or the first container in the pod will be chosen")
+}
+
+func AddServerSideApplyFlags(cmd *cobra.Command) {
+	cmd.Flags().Bool("server-side", false, "If true, apply runs in the server instead of the client.")
+	cmd.Flags().Bool("force-conflicts", false, "If true, server-side apply will force the changes against conflicts.")
+}
+
+func AddPodRunningTimeoutFlag(cmd *cobra.Command, defaultTimeout time.Duration) {
+	cmd.Flags().Duration("pod-running-timeout", defaultTimeout, "The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running")
+}
+
+func AddApplyAnnotationFlags(cmd *cobra.Command) {
+	cmd.Flags().Bool(ApplyAnnotationsFlag, false, "If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.")
+}
+
+func AddApplyAnnotationVarFlags(cmd *cobra.Command, applyAnnotation *bool) {
+	cmd.Flags().BoolVar(applyAnnotation, ApplyAnnotationsFlag, *applyAnnotation, "If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.")
+}
+
+func AddChunkSizeFlag(cmd *cobra.Command, value *int64) {
+	cmd.Flags().Int64Var(value, "chunk-size", *value,
+		"Return large lists in chunks rather than all at once. Pass 0 to disable.")
+}
+
+func AddLabelSelectorFlagVar(cmd *cobra.Command, p *string) {
+	cmd.Flags().StringVarP(p, "selector", "l", *p, "Selector (label query) to filter on, supports '=', '==', '!=', 'in', 'notin'.(e.g. -l key1=value1,key2=value2,key3 in (value3)). Matching objects must satisfy all of the specified label constraints.")
+}
+
+func AddPruningFlags(cmd *cobra.Command, prune *bool, pruneAllowlist *[]string, all *bool, applySetRef *string) {
+	// Flags associated with the original allowlist-based alpha
+	cmd.Flags().StringArrayVar(pruneAllowlist, "prune-allowlist", *pruneAllowlist, "Overwrite the default allowlist with <group/version/kind> for --prune")
+	cmd.Flags().BoolVar(all, "all", *all, "Select all resources in the namespace of the specified resource types.")
+
+	// Flags associated with the new ApplySet-based alpha
+	if ApplySet.IsEnabled() {
+		cmd.Flags().StringVar(applySetRef, "applyset", *applySetRef, "[alpha] The name of the ApplySet that tracks which resources are being managed, for the purposes of determining what to prune. Live resources that are part of the ApplySet but have been removed from the provided configs will be deleted. Format: [RESOURCE][.GROUP]/NAME. A Secret will be used if no resource or group is specified.")
+		cmd.Flags().BoolVar(prune, "prune", *prune, "Automatically delete previously applied resource objects that do not appear in the provided configs. For alpha1, use with either -l or --all. For alpha2, use with --applyset.")
+	} else {
+		// different docs for the shared --prune flag if only alpha1 is enabled
+		cmd.Flags().BoolVar(prune, "prune", *prune, "Automatically delete resource objects, that do not appear in the configs and are created by either apply or create --save-config. Should be used with either -l or --all.")
+	}
+}
+
+func AddSubresourceFlags(cmd *cobra.Command, subresource *string, usage string) {
+	cmd.Flags().StringVar(subresource, "subresource", "", usage)
+	CheckErr(cmd.RegisterFlagCompletionFunc("subresource", func(*cobra.Command, []string, string) ([]string, cobra.ShellCompDirective) {
+		var commonSubresources = []string{"status", "scale", "resize"}
+		return commonSubresources, cobra.ShellCompDirectiveNoFileComp
+	}))
+}
+
+type ValidateOptions struct {
+	ValidationDirective string
+}
+
+// Merge converts the passed in object to JSON, merges the fragment into it using an RFC7396 JSON Merge Patch,
+// and returns the resulting object
+// TODO: merge assumes JSON serialization, and does not properly abstract API retrieval
+func Merge(codec runtime.Codec, dst runtime.Object, fragment string) (runtime.Object, error) {
+	// encode dst into versioned json and apply fragment directly too it
+	target, err := runtime.Encode(codec, dst)
+	if err != nil {
+		return nil, err
+	}
+	patched, err := jsonpatch.MergePatch(target, []byte(fragment))
+	if err != nil {
+		return nil, err
+	}
+	out, err := runtime.Decode(codec, patched)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// StrategicMerge converts the passed in object to JSON, merges the fragment into it using a Strategic Merge Patch,
+// and returns the resulting object
+func StrategicMerge(codec runtime.Codec, dst runtime.Object, fragment string, dataStruct runtime.Object) (runtime.Object, error) {
+	target, err := runtime.Encode(codec, dst)
+	if err != nil {
+		return nil, err
+	}
+	patched, err := strategicpatch.StrategicMergePatch(target, []byte(fragment), dataStruct)
+	if err != nil {
+		return nil, err
+	}
+	out, err := runtime.Decode(codec, patched)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// JSONPatch converts the passed in object to JSON, performs an RFC6902 JSON Patch using operations specified in the
+// fragment, and returns the resulting object
+func JSONPatch(codec runtime.Codec, dst runtime.Object, fragment string) (runtime.Object, error) {
+	target, err := runtime.Encode(codec, dst)
+	if err != nil {
+		return nil, err
+	}
+	patch, err := jsonpatch.DecodePatch([]byte(fragment))
+	if err != nil {
+		return nil, err
+	}
+	patched, err := patch.Apply(target)
+	if err != nil {
+		return nil, err
+	}
+	out, err := runtime.Decode(codec, patched)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DumpReaderToFile writes all data from the given io.Reader to the specified file
+// (usually for temporary use).
+func DumpReaderToFile(reader io.Reader, filename string) error {
+	f, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	buffer := make([]byte, 1024)
+	for {
+		count, err := reader.Read(buffer)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+		_, err = f.Write(buffer[:count])
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func GetServerSideApplyFlag(cmd *cobra.Command) bool {
+	return GetFlagBool(cmd, "server-side")
+}
+
+func GetForceConflictsFlag(cmd *cobra.Command) bool {
+	return GetFlagBool(cmd, "force-conflicts")
+}
+
+func GetFieldManagerFlag(cmd *cobra.Command) string {
+	return GetFlagString(cmd, "field-manager")
+}
+
+func GetValidationDirective(cmd *cobra.Command) (string, error) {
+	var validateFlag = GetFlagString(cmd, "validate")
+	b, err := strconv.ParseBool(validateFlag)
+	if err != nil {
+		switch validateFlag {
+		case "strict":
+			return metav1.FieldValidationStrict, nil
+		case "warn":
+			return metav1.FieldValidationWarn, nil
+		case "ignore":
+			return metav1.FieldValidationIgnore, nil
+		default:
+			return metav1.FieldValidationStrict, fmt.Errorf(`invalid - validate option %q; must be one of: strict (or true), warn, ignore (or false)`, validateFlag)
+		}
+	}
+	// The flag was a boolean
+	if b {
+		return metav1.FieldValidationStrict, nil
+	}
+	return metav1.FieldValidationIgnore, nil
+}
+
+type DryRunStrategy int
+
+const (
+	// DryRunNone indicates the client will make all mutating calls
+	DryRunNone DryRunStrategy = iota
+
+	// DryRunClient, or client-side dry-run, indicates the client will prevent
+	// making mutating calls such as CREATE, PATCH, and DELETE
+	DryRunClient
+
+	// DryRunServer, or server-side dry-run, indicates the client will send
+	// mutating calls to the APIServer with the dry-run parameter to prevent
+	// persisting changes.
+	//
+	// Note that clients sending server-side dry-run calls should verify that
+	// the APIServer and the resource supports server-side dry-run, and otherwise
+	// clients should fail early.
+	//
+	// If a client sends a server-side dry-run call to an APIServer that doesn't
+	// support server-side dry-run, then the APIServer will persist changes inadvertently.
+	DryRunServer
+)
+
+func GetDryRunStrategy(cmd *cobra.Command) (DryRunStrategy, error) {
+	var dryRunFlag = GetFlagString(cmd, "dry-run")
+	b, err := strconv.ParseBool(dryRunFlag)
+	// The flag is not a boolean
+	if err != nil {
+		switch dryRunFlag {
+		case cmd.Flag("dry-run").NoOptDefVal:
+			klog.Warning(`--dry-run is deprecated and can be replaced with --dry-run=client.`)
+			return DryRunClient, nil
+		case "client":
+			return DryRunClient, nil
+		case "server":
+			return DryRunServer, nil
+		case "none":
+			return DryRunNone, nil
+		default:
+			return DryRunNone, fmt.Errorf(`Invalid dry-run value (%v). Must be "none", "server", or "client".`, dryRunFlag)
+		}
+	}
+	// The flag was a boolean
+	if b {
+		klog.Warningf(`--dry-run=%v is deprecated (boolean value) and can be replaced with --dry-run=%s.`, dryRunFlag, "client")
+		return DryRunClient, nil
+	}
+	klog.Warningf(`--dry-run=%v is deprecated (boolean value) and can be replaced with --dry-run=%s.`, dryRunFlag, "none")
+	return DryRunNone, nil
+}
+
+// PrintFlagsWithDryRunStrategy sets a success message at print time for the dry run strategy
+//
+// TODO(juanvallejo): This can be cleaned up even further by creating
+// a PrintFlags struct that binds the --dry-run flag, and whose
+// ToPrinter method returns a printer that understands how to print
+// this success message.
+func PrintFlagsWithDryRunStrategy(printFlags *genericclioptions.PrintFlags, dryRunStrategy DryRunStrategy) *genericclioptions.PrintFlags {
+	switch dryRunStrategy {
+	case DryRunClient:
+		printFlags.Complete("%s (dry run)")
+	case DryRunServer:
+		printFlags.Complete("%s (server dry run)")
+	}
+	return printFlags
+}
+
+// GetResourcesAndPairs retrieves resources and "KEY=VALUE or KEY-" pair args from given args
+func GetResourcesAndPairs(args []string, pairType string) (resources []string, pairArgs []string, err error) {
+	foundPair := false
+	for _, s := range args {
+		nonResource := (strings.Contains(s, "=") && s[0] != '=') || (strings.HasSuffix(s, "-") && s != "-")
+		switch {
+		case !foundPair && nonResource:
+			foundPair = true
+			fallthrough
+		case foundPair && nonResource:
+			pairArgs = append(pairArgs, s)
+		case !foundPair && !nonResource:
+			resources = append(resources, s)
+		case foundPair && !nonResource:
+			err = fmt.Errorf("all resources must be specified before %s changes: %s", pairType, s)
+			return
+		}
+	}
+	return
+}
+
+// ParsePairs retrieves new and remove pairs (if supportRemove is true) from "KEY=VALUE or KEY-" pair args
+func ParsePairs(pairArgs []string, pairType string, supportRemove bool) (newPairs map[string]string, removePairs []string, err error) {
+	newPairs = map[string]string{}
+	if supportRemove {
+		removePairs = []string{}
+	}
+	var invalidBuf bytes.Buffer
+	var invalidBufNonEmpty bool
+	for _, pairArg := range pairArgs {
+		if strings.Contains(pairArg, "=") && pairArg[0] != '=' {
+			parts := strings.SplitN(pairArg, "=", 2)
+			if len(parts) != 2 {
+				if invalidBufNonEmpty {
+					invalidBuf.WriteString(", ")
+				}
+				invalidBuf.WriteString(pairArg)
+				invalidBufNonEmpty = true
+			} else {
+				newPairs[parts[0]] = parts[1]
+			}
+		} else if supportRemove && strings.HasSuffix(pairArg, "-") && pairArg != "-" {
+			removePairs = append(removePairs, pairArg[:len(pairArg)-1])
+		} else {
+			if invalidBufNonEmpty {
+				invalidBuf.WriteString(", ")
+			}
+			invalidBuf.WriteString(pairArg)
+			invalidBufNonEmpty = true
+		}
+	}
+	if invalidBufNonEmpty {
+		err = fmt.Errorf("invalid %s format: %s", pairType, invalidBuf.String())
+		return
+	}
+
+	return
+}
+
+// IsSiblingCommandExists receives a pointer to a cobra command and a target string.
+// Returns true if the target string is found in the list of sibling commands.
+func IsSiblingCommandExists(cmd *cobra.Command, targetCmdName string) bool {
+	for _, c := range cmd.Parent().Commands() {
+		if c.Name() == targetCmdName {
+			return true
+		}
+	}
+
+	return false
+}
+
+// DefaultSubCommandRun prints a command's help string to the specified output if no
+// arguments (sub-commands) are provided, or a usage error otherwise.
+func DefaultSubCommandRun(out io.Writer) func(c *cobra.Command, args []string) {
+	return func(c *cobra.Command, args []string) {
+		c.SetOut(out)
+		c.SetErr(out)
+		RequireNoArguments(c, args)
+		c.Help()
+		CheckErr(ErrExit)
+	}
+}
+
+// RequireNoArguments exits with a usage error if extra arguments are provided.
+func RequireNoArguments(c *cobra.Command, args []string) {
+	if len(args) > 0 {
+		CheckErr(UsageErrorf(c, "unknown command %q", strings.Join(args, " ")))
+	}
+}
+
+// StripComments will transform a YAML file into JSON, thus dropping any comments
+// in it. Note that if the given file has a syntax error, the transformation will
+// fail and we will manually drop all comments from the file.
+func StripComments(file []byte) []byte {
+	stripped := file
+	stripped, err := yaml.ToJSON(stripped)
+	if err != nil {
+		stripped = ManualStrip(file)
+	}
+	return stripped
+}
+
+// ManualStrip is used for dropping comments from a YAML file
+func ManualStrip(file []byte) []byte {
+	stripped := []byte{}
+	lines := bytes.Split(file, []byte("\n"))
+	for i, line := range lines {
+		trimline := bytes.TrimSpace(line)
+
+		if bytes.HasPrefix(trimline, []byte("#")) && !bytes.HasPrefix(trimline, []byte("#!")) {
+			continue
+		}
+		stripped = append(stripped, line...)
+		if i < len(lines)-1 {
+			stripped = append(stripped, '\n')
+		}
+	}
+	return stripped
+}
+
+// ScaleClientFunc provides a ScalesGetter
+type ScaleClientFunc func(genericclioptions.RESTClientGetter) (scale.ScalesGetter, error)
+
+// ScaleClientFn gives a way to easily override the function for unit testing if needed.
+var ScaleClientFn ScaleClientFunc = scaleClient
+
+// scaleClient gives you back scale getter
+func scaleClient(restClientGetter genericclioptions.RESTClientGetter) (scale.ScalesGetter, error) {
+	discoveryClient, err := restClientGetter.ToDiscoveryClient()
+	if err != nil {
+		return nil, err
+	}
+
+	clientConfig, err := restClientGetter.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	setKubernetesDefaults(clientConfig)
+	restClient, err := rest.RESTClientFor(clientConfig)
+	if err != nil {
+		return nil, err
+	}
+	resolver := scale.NewDiscoveryScaleKindResolver(discoveryClient)
+	mapper, err := restClientGetter.ToRESTMapper()
+	if err != nil {
+		return nil, err
+	}
+
+	return scale.New(restClient, mapper, dynamic.LegacyAPIPathResolverFunc, resolver), nil
+}
+
+func Warning(cmdErr io.Writer, newGeneratorName, oldGeneratorName string) {
+	fmt.Fprintf(cmdErr, "WARNING: New generator %q specified, "+
+		"but it isn't available. "+
+		"Falling back to %q.\n",
+		newGeneratorName,
+		oldGeneratorName,
+	)
+}
+
+// Difference removes any elements of subArray from fullArray and returns the result
+func Difference(fullArray []string, subArray []string) []string {
+	exclude := make(map[string]bool, len(subArray))
+	for _, elem := range subArray {
+		exclude[elem] = true
+	}
+	var result []string
+	for _, elem := range fullArray {
+		if _, found := exclude[elem]; !found {
+			result = append(result, elem)
+		}
+	}
+	return result
+}
diff --git a/vendor/k8s.io/kubectl/pkg/cmd/util/kubectl_match_version.go b/vendor/k8s.io/kubectl/pkg/cmd/util/kubectl_match_version.go
new file mode 100644
index 0000000000..74308bc5d8
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/cmd/util/kubectl_match_version.go
@@ -0,0 +1,129 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"sync"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/kubectl/pkg/scheme"
+
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/component-base/version"
+)
+
+const (
+	flagMatchBinaryVersion = "match-server-version"
+)
+
+// MatchVersionFlags is for setting the "match server version" function.
+type MatchVersionFlags struct {
+	Delegate genericclioptions.RESTClientGetter
+
+	RequireMatchedServerVersion bool
+	checkServerVersion          sync.Once
+	matchesServerVersionErr     error
+}
+
+var _ genericclioptions.RESTClientGetter = &MatchVersionFlags{}
+
+func (f *MatchVersionFlags) checkMatchingServerVersion() error {
+	f.checkServerVersion.Do(func() {
+		if !f.RequireMatchedServerVersion {
+			return
+		}
+		discoveryClient, err := f.Delegate.ToDiscoveryClient()
+		if err != nil {
+			f.matchesServerVersionErr = err
+			return
+		}
+		f.matchesServerVersionErr = discovery.MatchesServerVersion(version.Get(), discoveryClient)
+	})
+
+	return f.matchesServerVersionErr
+}
+
+// ToRESTConfig implements RESTClientGetter.
+// Returns a REST client configuration based on a provided path
+// to a .kubeconfig file, loading rules, and config flag overrides.
+// Expects the AddFlags method to have been called.
+func (f *MatchVersionFlags) ToRESTConfig() (*rest.Config, error) {
+	if err := f.checkMatchingServerVersion(); err != nil {
+		return nil, err
+	}
+	clientConfig, err := f.Delegate.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+	// TODO we should not have to do this.  It smacks of something going wrong.
+	setKubernetesDefaults(clientConfig)
+	return clientConfig, nil
+}
+
+func (f *MatchVersionFlags) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	return f.Delegate.ToRawKubeConfigLoader()
+}
+
+func (f *MatchVersionFlags) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	if err := f.checkMatchingServerVersion(); err != nil {
+		return nil, err
+	}
+	return f.Delegate.ToDiscoveryClient()
+}
+
+// ToRESTMapper returns a mapper.
+func (f *MatchVersionFlags) ToRESTMapper() (meta.RESTMapper, error) {
+	if err := f.checkMatchingServerVersion(); err != nil {
+		return nil, err
+	}
+	return f.Delegate.ToRESTMapper()
+}
+
+func (f *MatchVersionFlags) AddFlags(flags *pflag.FlagSet) {
+	flags.BoolVar(&f.RequireMatchedServerVersion, flagMatchBinaryVersion, f.RequireMatchedServerVersion, "Require server version to match client version")
+}
+
+func NewMatchVersionFlags(delegate genericclioptions.RESTClientGetter) *MatchVersionFlags {
+	return &MatchVersionFlags{
+		Delegate: delegate,
+	}
+}
+
+// setKubernetesDefaults sets default values on the provided client config for accessing the
+// Kubernetes API or returns an error if any of the defaults are impossible or invalid.
+// TODO this isn't what we want.  Each clientset should be setting defaults as it sees fit.
+func setKubernetesDefaults(config *rest.Config) error {
+	// TODO remove this hack.  This is allowing the GetOptions to be serialized.
+	config.GroupVersion = &schema.GroupVersion{Group: "", Version: "v1"}
+
+	if config.APIPath == "" {
+		config.APIPath = "/api"
+	}
+	if config.NegotiatedSerializer == nil {
+		// This codec factory ensures the resources are not converted. Therefore, resources
+		// will not be round-tripped through internal versions. Defaulting does not happen
+		// on the client.
+		config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+	}
+	return rest.SetKubernetesDefaults(config)
+}
diff --git a/vendor/k8s.io/kubectl/pkg/cmd/util/override_options.go b/vendor/k8s.io/kubectl/pkg/cmd/util/override_options.go
new file mode 100644
index 0000000000..1e63bc789b
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/cmd/util/override_options.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/kubectl/pkg/scheme"
+	"k8s.io/kubectl/pkg/util/i18n"
+)
+
+type OverrideType string
+
+const (
+	// OverrideTypeJSON will use an RFC6902 JSON Patch to alter the generated output
+	OverrideTypeJSON OverrideType = "json"
+
+	// OverrideTypeMerge will use an RFC7396 JSON Merge Patch to alter the generated output
+	OverrideTypeMerge OverrideType = "merge"
+
+	// OverrideTypeStrategic will use a Strategic Merge Patch to alter the generated output
+	OverrideTypeStrategic OverrideType = "strategic"
+)
+
+const DefaultOverrideType = OverrideTypeMerge
+
+type OverrideOptions struct {
+	Overrides    string
+	OverrideType OverrideType
+}
+
+func (o *OverrideOptions) AddOverrideFlags(cmd *cobra.Command) {
+	cmd.Flags().StringVar(&o.Overrides, "overrides", "", i18n.T("An inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field."))
+	cmd.Flags().StringVar((*string)(&o.OverrideType), "override-type", string(DefaultOverrideType), fmt.Sprintf("The method used to override the generated object: %s, %s, or %s.", OverrideTypeJSON, OverrideTypeMerge, OverrideTypeStrategic))
+}
+
+func (o *OverrideOptions) NewOverrider(dataStruct runtime.Object) *Overrider {
+	return &Overrider{
+		Options:    o,
+		DataStruct: dataStruct,
+	}
+}
+
+type Overrider struct {
+	Options    *OverrideOptions
+	DataStruct runtime.Object
+}
+
+func (o *Overrider) Apply(obj runtime.Object) (runtime.Object, error) {
+	if len(o.Options.Overrides) == 0 {
+		return obj, nil
+	}
+
+	codec := runtime.NewCodec(scheme.DefaultJSONEncoder(), scheme.Codecs.UniversalDecoder(scheme.Scheme.PrioritizedVersionsAllGroups()...))
+
+	var overrideType OverrideType
+	if len(o.Options.OverrideType) == 0 {
+		overrideType = DefaultOverrideType
+	} else {
+		overrideType = o.Options.OverrideType
+	}
+
+	switch overrideType {
+	case OverrideTypeJSON:
+		return JSONPatch(codec, obj, o.Options.Overrides)
+	case OverrideTypeMerge:
+		return Merge(codec, obj, o.Options.Overrides)
+	case OverrideTypeStrategic:
+		return StrategicMerge(codec, obj, o.Options.Overrides, o.DataStruct)
+	default:
+		return nil, fmt.Errorf("invalid override type: %v", overrideType)
+	}
+}
diff --git a/vendor/k8s.io/kubectl/pkg/cmd/util/printing.go b/vendor/k8s.io/kubectl/pkg/cmd/util/printing.go
new file mode 100644
index 0000000000..ebd228821e
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/cmd/util/printing.go
@@ -0,0 +1,29 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+
+	"k8s.io/kubectl/pkg/util/templates"
+)
+
+// SuggestAPIResources returns a suggestion to use the "api-resources" command
+// to retrieve a supported list of resources
+func SuggestAPIResources(parent string) string {
+	return templates.LongDesc(fmt.Sprintf("Use \"%s api-resources\" for a complete list of supported resources.", parent))
+}
diff --git a/vendor/k8s.io/kubectl/pkg/scheme/install.go b/vendor/k8s.io/kubectl/pkg/scheme/install.go
new file mode 100644
index 0000000000..34c9878220
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/scheme/install.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package scheme
+
+import (
+	admissionv1 "k8s.io/api/admission/v1"
+	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
+	appsv1 "k8s.io/api/apps/v1"
+	appsv1beta1 "k8s.io/api/apps/v1beta1"
+	appsv1beta2 "k8s.io/api/apps/v1beta2"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
+	autoscalingv1 "k8s.io/api/autoscaling/v1"
+	autoscalingv2 "k8s.io/api/autoscaling/v2"
+	batchv1 "k8s.io/api/batch/v1"
+	batchv1beta1 "k8s.io/api/batch/v1beta1"
+	certificatesv1 "k8s.io/api/certificates/v1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
+	imagepolicyv1alpha1 "k8s.io/api/imagepolicy/v1alpha1"
+	networkingv1 "k8s.io/api/networking/v1"
+	policyv1 "k8s.io/api/policy/v1"
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	rbacv1alpha1 "k8s.io/api/rbac/v1alpha1"
+	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
+	schedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	storagev1 "k8s.io/api/storage/v1"
+	storagev1alpha1 "k8s.io/api/storage/v1alpha1"
+	storagev1beta1 "k8s.io/api/storage/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/kubernetes/scheme"
+)
+
+// Register all groups in the kubectl's registry, but no componentconfig group since it's not in k8s.io/api
+// The code in this file mostly duplicate the install under k8s.io/kubernetes/pkg/api and k8s.io/kubernetes/pkg/apis,
+// but does NOT register the internal types.
+func init() {
+	// Register external types for Scheme
+	metav1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(metav1beta1.AddMetaToScheme(Scheme))
+	utilruntime.Must(metav1.AddMetaToScheme(Scheme))
+	utilruntime.Must(scheme.AddToScheme(Scheme))
+
+	utilruntime.Must(Scheme.SetVersionPriority(corev1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(admissionv1beta1.SchemeGroupVersion, admissionv1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(admissionregistrationv1beta1.SchemeGroupVersion, admissionregistrationv1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(appsv1beta1.SchemeGroupVersion, appsv1beta2.SchemeGroupVersion, appsv1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(authenticationv1.SchemeGroupVersion, authenticationv1beta1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(authorizationv1.SchemeGroupVersion, authorizationv1beta1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(autoscalingv1.SchemeGroupVersion, autoscalingv2.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(batchv1.SchemeGroupVersion, batchv1beta1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(certificatesv1.SchemeGroupVersion, certificatesv1beta1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(extensionsv1beta1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(imagepolicyv1alpha1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(networkingv1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(policyv1beta1.SchemeGroupVersion, policyv1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(rbacv1.SchemeGroupVersion, rbacv1beta1.SchemeGroupVersion, rbacv1alpha1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(schedulingv1alpha1.SchemeGroupVersion))
+	utilruntime.Must(Scheme.SetVersionPriority(storagev1.SchemeGroupVersion, storagev1beta1.SchemeGroupVersion, storagev1alpha1.SchemeGroupVersion))
+}
diff --git a/vendor/k8s.io/kubectl/pkg/scheme/scheme.go b/vendor/k8s.io/kubectl/pkg/scheme/scheme.go
new file mode 100644
index 0000000000..d1d7847b8f
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/scheme/scheme.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package scheme
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// All kubectl code should eventually switch to use this Registry and Scheme instead of the global ones.
+
+// Scheme is the default instance of runtime.Scheme to which types in the Kubernetes API are already registered.
+var Scheme = runtime.NewScheme()
+
+// Codecs provides access to encoding and decoding for the scheme
+var Codecs = serializer.NewCodecFactory(Scheme)
+
+// ParameterCodec handles versioning of objects that are converted to query parameters.
+var ParameterCodec = runtime.NewParameterCodec(Scheme)
+
+// DefaultJSONEncoder returns a default encoder for our scheme
+func DefaultJSONEncoder() runtime.Encoder {
+	return unstructured.NewJSONFallbackEncoder(Codecs.LegacyCodec(Scheme.PrioritizedVersionsAllGroups()...))
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/i18n.go b/vendor/k8s.io/kubectl/pkg/util/i18n/i18n.go
new file mode 100644
index 0000000000..8b8481c7bd
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/i18n.go
@@ -0,0 +1,214 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package i18n
+
+import (
+	"archive/zip"
+	"bytes"
+	"embed"
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/chai2010/gettext-go"
+
+	"k8s.io/klog/v2"
+)
+
+//go:embed translations
+var translations embed.FS
+
+var knownTranslations = map[string][]string{
+	"kubectl": {
+		"default",
+		"en_US",
+		"fr_FR",
+		"zh_CN",
+		"ja_JP",
+		"zh_TW",
+		"it_IT",
+		"de_DE",
+		"ko_KR",
+		"pt_BR",
+	},
+	// only used for unit tests.
+	"test": {
+		"default",
+		"en_US",
+	},
+}
+
+var (
+	lazyLoadTranslationsOnce sync.Once
+	LoadTranslationsFunc     = func() error {
+		return LoadTranslations("kubectl", nil)
+	}
+	translationsLoaded bool
+)
+
+// SetLoadTranslationsFunc sets the function called to lazy load translations.
+// It must be called in an init() func that occurs BEFORE any i18n.T() calls are made by any package. You can
+// accomplish this by creating a separate package containing your init() func, and then importing that package BEFORE
+// any other packages that call i18n.T().
+//
+// Example Usage:
+//
+//	package myi18n
+//
+//	import "k8s.io/kubectl/pkg/util/i18n"
+//
+//	func init() {
+//		if err := i18n.SetLoadTranslationsFunc(loadCustomTranslations); err != nil {
+//			panic(err)
+//		}
+//	}
+//
+//	func loadCustomTranslations() error {
+//		// Load your custom translations here...
+//	}
+//
+// And then in your main or root command package, import your custom package like this:
+//
+//	import (
+//		// Other imports that don't need i18n...
+//		_ "example.com/myapp/myi18n"
+//		// Other imports that do need i18n...
+//	)
+func SetLoadTranslationsFunc(f func() error) error {
+	if translationsLoaded {
+		return errors.New("translations have already been loaded")
+	}
+	LoadTranslationsFunc = func() error {
+		if err := f(); err != nil {
+			return err
+		}
+		translationsLoaded = true
+		return nil
+	}
+	return nil
+}
+
+func loadSystemLanguage() string {
+	// Implements the following locale priority order: LC_ALL, LC_MESSAGES, LANG
+	// Similarly to: https://www.gnu.org/software/gettext/manual/html_node/Locale-Environment-Variables.html
+	langStr := os.Getenv("LC_ALL")
+	if langStr == "" {
+		langStr = os.Getenv("LC_MESSAGES")
+	}
+	if langStr == "" {
+		langStr = os.Getenv("LANG")
+	}
+
+	if langStr == "" {
+		klog.V(3).Infof("Couldn't find the LC_ALL, LC_MESSAGES or LANG environment variables, defaulting to en_US")
+		return "default"
+	}
+	pieces := strings.Split(langStr, ".")
+	if len(pieces) != 2 {
+		klog.V(3).Infof("Unexpected system language (%s), defaulting to en_US", langStr)
+		return "default"
+	}
+	return pieces[0]
+}
+
+func findLanguage(root string, getLanguageFn func() string) string {
+	langStr := getLanguageFn()
+
+	translations := knownTranslations[root]
+	for ix := range translations {
+		if translations[ix] == langStr {
+			return langStr
+		}
+	}
+	klog.V(3).Infof("Couldn't find translations for %s, using default", langStr)
+	return "default"
+}
+
+// LoadTranslations loads translation files. getLanguageFn should return a language
+// string (e.g. 'en-US'). If getLanguageFn is nil, then the loadSystemLanguage function
+// is used, which uses the 'LANG' environment variable.
+func LoadTranslations(root string, getLanguageFn func() string) error {
+	if getLanguageFn == nil {
+		getLanguageFn = loadSystemLanguage
+	}
+
+	langStr := findLanguage(root, getLanguageFn)
+	translationFiles := []string{
+		fmt.Sprintf("%s/%s/LC_MESSAGES/k8s.po", root, langStr),
+		fmt.Sprintf("%s/%s/LC_MESSAGES/k8s.mo", root, langStr),
+	}
+
+	// TODO: list the directory and load all files.
+	buf := new(bytes.Buffer)
+	w := zip.NewWriter(buf)
+
+	// Make sure to check the error on Close.
+	for _, file := range translationFiles {
+		filename := "translations/" + file
+		f, err := w.Create(file)
+		if err != nil {
+			return err
+		}
+		data, err := translations.ReadFile(filename)
+		if err != nil {
+			return err
+		}
+		if _, err := f.Write(data); err != nil {
+			return nil
+		}
+	}
+	if err := w.Close(); err != nil {
+		return err
+	}
+	gettext.BindLocale(gettext.New("k8s", root+".zip", buf.Bytes()))
+	gettext.SetDomain("k8s")
+	gettext.SetLanguage(langStr)
+	translationsLoaded = true
+	return nil
+}
+
+func lazyLoadTranslations() {
+	lazyLoadTranslationsOnce.Do(func() {
+		if translationsLoaded {
+			return
+		}
+		if err := LoadTranslationsFunc(); err != nil {
+			klog.Warning("Failed to load translations")
+		}
+	})
+}
+
+// T translates a string, possibly substituting arguments into it along
+// the way. If len(args) is > 0, args1 is assumed to be the plural value
+// and plural translation is used.
+func T(defaultValue string, args ...int) string {
+	lazyLoadTranslations()
+	if len(args) == 0 {
+		return gettext.PGettext("", defaultValue)
+	}
+	return fmt.Sprintf(gettext.PNGettext("", defaultValue, defaultValue+".plural", args[0]),
+		args[0])
+}
+
+// Errorf produces an error with a translated error string.
+// Substitution is performed via the `T` function above, following
+// the same rules.
+func Errorf(defaultValue string, args ...int) error {
+	return errors.New(T(defaultValue, args...))
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/OWNERS b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/OWNERS
new file mode 100644
index 0000000000..610dc59f84
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+reviewers: []
+approvers:
+  - sig-cli-maintainers
+emeritus_approvers:
+  - brendandburns
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/README.md b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/README.md
new file mode 100644
index 0000000000..a97180466a
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/README.md
@@ -0,0 +1,82 @@
+# Translations README
+
+This is a basic sketch of the workflow needed to add translations:
+
+# Adding/Updating Translations
+
+## New languages
+Create `staging/src/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/<language>/LC_MESSAGES/k8s.po`. There's
+no need to update `translations/test/...` which is only used for unit tests.
+
+There is an example [PR here](https://github.com/kubernetes/kubernetes/pull/40645) which adds support for French.
+
+Once you've added a new language, you'll need to register it in
+`staging/src/k8s.io/kubectl/pkg/util/i18n/i18n.go` by adding it to the `knownTranslations` map.
+
+## Wrapping strings
+There is a simple script in `staging/src/k8s.io/kubectl/pkg/util/i18n/translations/extract.py` that performs
+simple regular expression based wrapping of strings. It can always
+use improvements to understand additional strings.
+
+## Extracting strings
+Once the strings are wrapped, you can extract strings from go files using
+the `go-xgettext` command which can be installed with:
+
+```console
+go get github.com/gosexy/gettext/go-xgettext
+```
+
+Once that's installed you can run `./hack/update-translations.sh`, which
+will extract and sort any new strings.
+
+## Adding new translations
+Edit the appropriate `k8s.po` file, `poedit` is a popular open source tool
+for translations. You can load the `staging/src/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/template.pot` file
+to find messages that might be missing.
+
+Once you are done with your `k8s.po` file, generate the corresponding `k8s.mo`
+file. `poedit` does this automatically on save, but you can also run
+`./hack/update-translations.sh` to perform the `po` to `mo` translation.
+
+We use the English translation as the `msgid`.
+
+## Regenerating the bindata file
+
+> Note: Regeneration of bindata is no more necessary for Kubernetes 1.22+ as
+> the translations are now embedded into the binary at compile time.
+> See: https://github.com/kubernetes/kubernetes/pull/99829
+
+With the `mo` files up to date, you can now convert the generated files
+into code using `go-bindata` command which can be installed with:
+
+```console
+go get github.com/go-bindata/go-bindata/...
+```
+
+Run `./hack/generate-bindata.sh`, this will turn the translation files
+into generated code which will in turn be packaged into the Kubernetes
+binaries.
+
+## Extracting strings
+
+There is a script in `staging/src/k8s.io/kubectl/pkg/util/i18n/translations/extract.py` that knows how to do some
+simple extraction. It needs a lot of work.
+
+# Using translations
+
+To use translations, you simply need to add:
+```go
+import pkg/i18n
+...
+// Get a translated string
+translated := i18n.T("Your message in english here")
+
+// Get a translated plural string
+translated := i18n.T("You had %d items", items)
+
+// Translated error
+return i18n.Error("Something bad happened")
+
+// Translated plural error
+return i18n.Error("%d bad things happened")
+```
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/extract.py b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/extract.py
new file mode 100644
index 0000000000..33f9751287
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/extract.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Extract strings from command files and externalize into translation files.
+Expects to be run from the root directory of the repository.
+
+Usage:
+   extract.py pkg/kubectl/cmd/apply.go
+
+"""
+import fileinput
+import sys
+import re
+
+class MatchHandler(object):
+    """ Simple holder for a regular expression and a function
+    to run if that regular expression matches a line.
+    The function should expect (re.match, file, linenumber) as parameters
+    """
+    def __init__(self, regex, replace_fn):
+        self.regex = re.compile(regex)
+        self.replace_fn = replace_fn
+
+def short_replace(match, file, line_number):
+    """Replace a Short: ... cobra command description with an internationalization
+    """
+    sys.stdout.write('{}i18n.T({}),\n'.format(match.group(1), match.group(2)))
+
+SHORT_MATCH = MatchHandler(r'(\s+Short:\s+)("[^"]+"),', short_replace)
+
+def import_replace(match, file, line_number):
+    """Add an extra import for the i18n library.
+    Doesn't try to be smart and detect if it's already present, assumes a
+    gofmt round wil fix things.
+    """
+    sys.stdout.write('{}\n"k8s.io/kubectl/pkg/util/i18n"\n'.format(match.group(1)))
+
+IMPORT_MATCH = MatchHandler('(.*"k8s.io/kubectl/pkg/cmd/util")', import_replace)
+
+
+def string_flag_replace(match, file, line_number):
+    """Replace a cmd.Flags().String("...", "", "...") with an internationalization
+    """
+    sys.stdout.write('{}i18n.T("{})"))\n'.format(match.group(1), match.group(2)))
+
+STRING_FLAG_MATCH = MatchHandler('(\s+cmd\.Flags\(\).String\("[^"]*", "[^"]*", )"([^"]*)"\)', string_flag_replace)
+
+
+def long_string_replace(match, file, line_number):
+    return '{}i18n.T({}){}'.format(match.group(1), match.group(2), match.group(3))
+
+LONG_DESC_MATCH = MatchHandler('(LongDesc\()(`[^`]+`)([^\n]\n)', long_string_replace)
+
+EXAMPLE_MATCH = MatchHandler('(Examples\()(`[^`]+`)([^\n]\n)', long_string_replace)
+
+def replace(filename, matchers, multiline_matchers):
+    """Given a file and a set of matchers, run those matchers
+    across the file and replace it with the results.
+    """
+    # Run all the matchers
+    line_number = 0
+    for line in fileinput.input(filename, inplace=True):
+        line_number += 1
+        matched = False
+        for matcher in matchers:
+            match = matcher.regex.match(line)
+            if match:
+                matcher.replace_fn(match, filename, line_number)
+                matched = True
+                break
+        if not matched:
+            sys.stdout.write(line)
+    sys.stdout.flush()
+    with open(filename, 'r') as datafile:
+        content = datafile.read()
+        for matcher in multiline_matchers:
+            match = matcher.regex.search(content)
+            while match:
+                rep = matcher.replace_fn(match, filename, 0)
+                # Escape back references in the replacement string
+                # (And escape for Python)
+                # (And escape for regex)
+                rep = re.sub('\\\\(\\d)', '\\\\\\\\\\1', rep)
+                content = matcher.regex.sub(rep, content, 1)
+                match = matcher.regex.search(content)
+        sys.stdout.write(content)
+
+    # gofmt the file again
+    from subprocess import call
+    call(["goimports", "-w", filename])
+
+replace(sys.argv[1], [SHORT_MATCH, IMPORT_MATCH, STRING_FLAG_MATCH], [LONG_DESC_MATCH, EXAMPLE_MATCH])
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/OWNERS b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/OWNERS
new file mode 100644
index 0000000000..56cbb7f7c7
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/OWNERS
@@ -0,0 +1,6 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - sig-cli-maintainers
+reviewers:
+  - sig-cli-reviewers
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/de_DE/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/de_DE/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..ee64eb7a8d
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/de_DE/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/de_DE/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/de_DE/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..18b6a6215e
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/de_DE/LC_MESSAGES/k8s.po
@@ -0,0 +1,2920 @@
+# German translation.
+# Copyright (C) 2017
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR steffenschmitz@hotmail.de, 2017.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: kubernetes\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2017-09-02 01:36+0200\n"
+"Last-Translator: Steffen Schmitz <steffenschmitz@hotmail.de>\n"
+"Language-Team: Steffen Schmitz <steffenschmitz@hotmail.de>\n"
+"Language: de_DE\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Poedit 1.8.7.1\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:62
+msgid ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+msgstr ""
+"\n"
+"\t\t  # Zeige Metriken für alle Nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Zeige Metriken für den gegebenen Node\n"
+"\t\t  kubectl top node NODE_NAME"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:46
+msgid ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+msgstr ""
+"\n"
+"\t\t# Erhalte die Dokumentation einer Resource und ihrer Felder\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Erhalte die Dokumentation eines speziellen Felds einer Resource\n"
+"\t\tkubectl explain pods.spec.containers"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:29
+msgid ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+msgstr ""
+"\n"
+"\t\t# Gebe Optionen aus, die an alle Kommandos vererbt werden\n"
+"\t\tkubectl options"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:44
+msgid ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+msgstr ""
+"\n"
+"\t\t# Gebe die Client- und Server-Versionen des aktuellen Kontexts aus\n"
+"\t\tkubectl version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:34
+msgid ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+msgstr ""
+"\n"
+"\t\t# Gebe die unterstützten API Versionen aus\n"
+"\t\tkubectl api-versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:75
+msgid ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+msgstr ""
+"\n"
+"\t\t# Zeige Metriken für alle Pods im Namespace default\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Zeige Metriken für alle Pods im gegebenen namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Zeige Metriken für den gebenen Pod und seine Container\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Zeige Metriken für Pods mit dem Label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+
+#: pkg/kubectl/cmd/convert/convert.go:40
+msgid ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+msgstr ""
+"\n"
+"\t\tKonvertiere Konfigurationsdateien zwischen API Versionen. Sowohl YAML-\n"
+"\t\talsauch JSON-Formate werden akzeptiert.\n"
+"\n"
+"\t\tDer Befehlt akzeptiert Dateinamen, Ordner  oder URL als Parameter und "
+"konvertiert es ins Format\n"
+"\t\tder mit --output-version gegebenen Version. Wenn die Zielversion nicht \n"
+"\t\tangegeben wird oder ungültig ist, wird die neueste Version verwendet.\n"
+"\n"
+"\t\tDie Standardausgabe wird auf stdout im YAML-Format ausgegeben. Man kann "
+"die Option -o verwenden,\n"
+"\t\tum das Ausgabeziel festzulegen."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:39
+msgid ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+msgstr ""
+"\n"
+"\t\tErstelle einen Namespace mit dem gegebenen Namen."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:43
+msgid ""
+"\n"
+"\t\tCreate a role with single rule."
+msgstr ""
+"\n"
+"\t\tErstelle eine Role mit einer einzelnen Rule."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:40
+msgid ""
+"\n"
+"\t\tCreate a service account with the specified name."
+msgstr ""
+"\n"
+"\t\tErstelle einen ServiceAccount mit dem gegebenen Namen."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:84
+msgid ""
+"\n"
+"\t\tMark node as schedulable."
+msgstr ""
+"\n"
+"\t\tMarkiere Knoten als schedulable."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:55
+msgid ""
+"\n"
+"\t\tMark node as unschedulable."
+msgstr ""
+"\n"
+"\t\tMarkiere Knoten als unschedulable."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:70
+msgid ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+msgstr ""
+"\n"
+"\t\tSetze die aktuelle Annotation Last-Applied-Configuration auf den Inhalt "
+"der Datei.\n"
+"\t\tDas bedeutet, dass Last-Applied-Configuration aktualisiert wird, als ob "
+"'kubectl apply -f <file>' ausgeführt wurde,\n"
+"\t\tohne andere Teile des Objekts zu aktualisieren."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:42
+msgid ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+msgstr ""
+"\n"
+"\t  # Erstelle einen neuen Namespace my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:43
+msgid ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+msgstr ""
+"\n"
+"\t  # Erstelle einen neuen ServiceAccount my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:344
+msgid ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+msgstr ""
+"\n"
+"\tErstelle einen ExternalName-Service mit den gegebenen Namen.\n"
+"\n"
+"\tExternalName service referenziert eine externe DNS Adresse statt\n"
+"\teines pods, was Anwendungsautoren erlaubt, einen Service zu "
+"referenzieren,\n"
+"\tder abseits der Platform, auf anderen Clustern oder lokal exisiert."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:28
+msgid ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+msgstr ""
+"\n"
+"\tHelp hilft bei jedem Befehl in der Anwendung.\n"
+"\tGib einfach kubectl help [path to command] für alle Details ein."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:311
+msgid ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # Erstelle einen neuen LoadBalancer-Service my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:102
+msgid ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+msgstr ""
+"\n"
+"    # Schreibe den aktuellen Cluster-Zustand auf stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Schreibe aktuellen Cluster-Zustand in /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Schreibe alle Namespaces auf stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Schreibe eine Menge an Namespaces in /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:308
+msgid ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+msgstr ""
+"\n"
+"    Erstelle einen LoadBalancer-Service mit dem gegebenen Namen."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:107
+msgid ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+msgstr ""
+"Eine komma-separierte Menge von Quota-Scopes, die zu jedem Object passen "
+"muss, dass von der Quota betroffen ist."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:106
+msgid ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+msgstr ""
+"Eine komma-separierte Menge von resource=quantity Paaren, die ein hartes "
+"Limit definieren."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:113
+msgid ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+msgstr ""
+"Ein Label-Selektor, der für das Budget benutzt werden kann. Nur gleichheits-"
+"basierte Auswahlkriterien werden unterstützt."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:152
+msgid ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+msgstr ""
+"Ein Label-Selektor, der für den Service benutzt werden kann. Nur gleichheits-"
+"basierte Auswahlkriterien werden unterstützt. Wenn er leer ist (standard), "
+"wird der Selektor vom ReplicationController oder ReplicaSet abgeleitet"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:157
+msgid ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+msgstr ""
+"Zusätzliche, externe IP Adressen (die nicht von Kubernetes verwaltet "
+"werden), die der Service akzeptieren soll. Wenn diese IP zu einem Knoten "
+"gerouted wird, kann der Service über die IP angesprochen werden, zusätzlich "
+"zu seiner generierten Service-IP."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:125
+msgid "Approve a certificate signing request"
+msgstr "Genehmige eine Certificate-Signing-Request"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:263
+msgid ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+msgstr ""
+"Weise Deine eigene ClusterIP zu oder setze sie auf 'None' für einen "
+"'headless'-Service (kein LoadBalancing)."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:105
+msgid "Attach to a running container"
+msgstr "Weise einem laufenden Container zu"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:161
+msgid ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+msgstr ""
+"ClusterIP, die dem Service zugewiesen werden soll. Freilassen, für "
+"automatische Zuweisung oder auf 'None' setzen für einen headless-Service."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:101
+msgid "ClusterRole this ClusterRoleBinding should reference"
+msgstr "ClusterRole, die das ClusterRoleBinding referenzieren soll"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:104
+msgid "ClusterRole this RoleBinding should reference"
+msgstr "ClusterRole, die das RoleBinding referenzieren soll"
+
+#: pkg/kubectl/cmd/convert/convert.go:95
+msgid "Convert config files between different API versions"
+msgstr "Konvertiere Config-Dateien zwischen verschiedenen API Versionen"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:106
+msgid "Copy files and directories to and from containers."
+msgstr "Kopiere Dateien und Ordner aus/in Container(n)."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:94
+msgid "Create a TLS secret"
+msgstr "Erstelle ein TLS-Secret"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:83
+msgid "Create a namespace with the specified name"
+msgstr "Erstelle einen Namespace mit dem gegebenen Namen"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:134
+msgid "Create a secret for use with a Docker registry"
+msgstr "Erstelle ein Secret für die Benutzung mit einer Docker-Registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:49
+msgid "Create a secret using specified subcommand"
+msgstr "Erstelle ein Secret mit dem angegebenen Sub-Befehl"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:85
+msgid "Create a service account with the specified name"
+msgstr "Erstelle einen ServiceAccount mit dem gegebenen Namen"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "Lösche das angegebene Cluster aus der kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "Lösche den angegebenen Kontext aus der kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:174
+msgid "Deny a certificate signing request"
+msgstr "Lehne eine Certificate-Signing-Request ab"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "Beschreibe einen oder mehrere Kontexte"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "Zeige Cluster, die in der kubeconfig definiert sind"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr ""
+"Zeige vereinte kubeconfig-Einstellungen oder die angegebene kubeconfig-Datei"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:165
+msgid "Display one or many resources"
+msgstr "Zeige eine oder mehrere Resourcen"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:184
+msgid "Drain node in preparation for maintenance"
+msgstr "Leere Knoten, um eine Wartung vorzubereiten"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:77
+msgid "Edit a resource on the server"
+msgstr "Bearbeite eine Resource auf dem Server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:152
+msgid "Email for Docker registry"
+msgstr "E-Mail für Docker-Registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:89
+msgid "Execute a command in a container"
+msgstr "Führe einen Befehl im Container aus"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:109
+msgid "Forward one or more local ports to a pod"
+msgstr "Leite einen oder mehrere lokale Ports an einen Pod weiter"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:37
+msgid "Help about any command"
+msgstr "Hilfe für jeden Befehl"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:98
+msgid "Mark node as schedulable"
+msgstr "Markiere Knoten als schedulable"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:69
+msgid "Mark node as unschedulable"
+msgstr "Markiere Knoten als unschedulable"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:83
+msgid "Mark the provided resource as paused"
+msgstr "Markiere die gegebene Resource als pausiert"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:49
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:50
+msgid "Modify certificate resources."
+msgstr "Verändere Certificate-Resources"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "Verändere kubeconfig Dateien"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:156
+msgid ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+msgstr ""
+"Name oder Nummer des Ports in dem Container, zu dem der Service Daten leiten "
+"soll. Optional."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:174
+msgid ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+msgstr ""
+"Zeige nur Logs nach einem bestimmten Datum (RFC3339) an. Zeigt standardmäßig "
+"alle logs. Es kann entweder since-time oder since benutzt werden."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:112
+msgid "Output shell completion code for the specified shell (bash or zsh)"
+msgstr "Zeige Shell-Completion-Code für die angegebene Shell (bash oder zsh)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:151
+msgid "Password for Docker registry authentication"
+msgstr "Passwort für die Authentifizierung bei der Docker-Registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:110
+msgid "Path to PEM encoded public key certificate."
+msgstr "Pfad des Public-Key-Zertifikats im PEM-Format."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:111
+msgid "Path to private key associated with given certificate."
+msgstr "Pfad zum Private-Key, der zum gegebenen Zertifikat passt."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:130
+msgid ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+msgstr ""
+"Vorbedingung für Resource-Version. Verlangt, dass die aktuelle Resource-"
+"Version diesen Wert erfüllt, um zu skalieren."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:73
+msgid "Print the client and server version information"
+msgstr "Schreibt die Client- und Server-Versionsinformation"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:38
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:39
+msgid "Print the list of flags inherited by all commands"
+msgstr "Schreibt die Liste von Optionen, die alle Befehle erben"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:152
+msgid "Print the logs for a container in a pod"
+msgstr "Schreibt die Logs für einen Container in einem Pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:87
+msgid "Resume a paused resource"
+msgstr "Setze eine pausierte Resource fort"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:105
+msgid "Role this RoleBinding should reference"
+msgstr "Role, die dieses RoleBinding referenzieren soll"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:152
+msgid "Run a particular image on the cluster"
+msgstr "Starte ein bestimmtes Image auf dem Cluster"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:119
+msgid "Run a proxy to the Kubernetes API server"
+msgstr "Starte einen Proxy zum Kubernetes-API-Server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:39
+msgid "Set specific features on objects"
+msgstr "Setze bestimmte Features auf Objekten"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:104
+msgid "Set the selector on a resource"
+msgstr "Setze den Selektor auf einer Resource"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:107
+msgid "Show details of a specific resource or group of resources"
+msgstr "Zeige Details zu einer bestimmten Resource oder Gruppe von Resourcen"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:102
+msgid "Show the status of the rollout"
+msgstr "Zeige den Status des Rollout"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:154
+msgid "Synonym for --target-port"
+msgstr "Synonym für --target-port"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:174
+msgid "The image for the container to run."
+msgstr "Das Image, dass auf dem Container gestartet werden soll."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:176
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+msgstr ""
+"Die Image-Pull-Policy für den Container. Wenn leer, wird der Wert nicht vom "
+"Client gesetzt, sondern standardmäßig vom Server."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:111
+msgid ""
+"The minimum number or percentage of available pods this budget requires."
+msgstr ""
+"Die minimale Anzahl oder Prozentzahl von verfügbaren Pods, die das Budget "
+"voraussetzt."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:159
+msgid "The name for the newly created object."
+msgstr "Der Name des neu erstellten Objekts."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:125
+msgid ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+msgstr ""
+"Der Name des neu erstellten Objekts. Falls nicht angegeben, wird der Name "
+"der Input-Resource verwendet."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:147
+msgid ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+msgstr ""
+"Der Name des zu verwendenden API-Generators. Es gibt zwei Generatoren: "
+"'service/v1' und 'service/v2'. Der einzige Unterschied ist, dass der "
+"Serviceport in v1 'default' heißt, während er in v2 unbenannt bleibt. "
+"Standard ist 'service/v2'."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:148
+msgid "The network protocol for the service to be created. Default is 'TCP'."
+msgstr ""
+"Das Netzwerkprotokoll, für den zu erstellenden Service. Standard ist 'TCP'."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:149
+msgid ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+msgstr ""
+"Der Port auf den der Service hören soll. Wird von der angebotenen Resource "
+"kopiert, falls nicht angegeben"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:155
+msgid "The type of secret to create"
+msgstr "Der Typ des zu erstellenden Secrets"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:87
+msgid "Undo a previous rollout"
+msgstr "Widerrufe ein vorheriges Rollout"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:116
+msgid "Update resource requests/limits on objects with pod templates"
+msgstr "Aktualisiere Resourcen requests/limits auf Objekten mit Pod-Templates"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "Aktualisiere die Annotationen auf einer Resource"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:133
+msgid "Update the labels on a resource"
+msgstr "Aktualisiere die Labels auf einer Resource"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:109
+msgid "Update the taints on one or more nodes"
+msgstr "Aktualisiere die Taints auf einem oder mehreren Knoten"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:150
+msgid "Username for Docker registry authentication"
+msgstr "Username für Authentifizierung bei der Docker-Registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:83
+msgid "View rollout history"
+msgstr "Zeige rollout-Verlauf"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cmd.go:227
+msgid "kubectl controls the Kubernetes cluster manager"
+msgstr "kubectl kontrolliert den Kubernetes-Cluster-Manager"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a ClusterRoleBinding for user1, user2, and group1 using "
+#~ "the cluster-admin ClusterRole\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t # Erstellt ein ClusterRoleBinding für user1, user2 und group1 mit "
+#~ "der ClusterRole cluster-admin\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a RoleBinding for user1, user2, and group1 using the admin "
+#~ "ClusterRole\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Erstellt ein RoleBinding für user1, user2 und group1 mit der "
+#~ "ClusterRole admin\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config based on folder bar\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with specified keys "
+#~ "instead of file basenames on disk\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with key1=config1 and "
+#~ "key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Erstellt eine neue ConfigMap mit dem Namen my-config basierend "
+#~ "auf dem Ordner bar\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Erstellt eine neue ConfigMap mit dem Namen my-config mit den "
+#~ "angegebenen Keys statt des Dateinamens auf der Festplatte.\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Erstellt eine neue ConfigMap mit dem Namen my-config mit "
+#~ "key1=config1 und key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # If you don't already have a .dockercfg file, you can create a "
+#~ "dockercfg secret directly by using:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Wenn keine .dockercfg Datei existiert, kann direkt ein dockercfg "
+#~ "Secret erstellen mit:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Apply the configuration in pod.json to a pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Apply the JSON passed into stdin to a pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Note: --prune is still in Alpha\n"
+#~ "\t\t# Apply the configuration in manifest.yaml that matches label "
+#~ "app=nginx and delete all the other resources that are not in the file and "
+#~ "match label app=nginx.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Apply the configuration in manifest.yaml and delete all the other "
+#~ "configmaps that are not in the file.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/"
+#~ "v1/ConfigMap"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Wende die Konfiguration in pod.json auf einen Pod an.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Wende die JSON-Daten von stdin auf einen Pod an.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Hinweis: --prune ist noch in Alpha\n"
+#~ "\t\t# Wende die Konfiguration, mit dem Label app=nginx, im manifest.yaml "
+#~ "an und lösche alle Resourcen, die nicht in der Datei sind oder nicht das "
+#~ "Label app=nginx besitzen.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Wende die Konfiguration im manifest.yaml an und lösche alle "
+#~ "ConfigMaps, die nicht in der Datei sind.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/"
+#~ "v1/ConfigMap"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 "
+#~ "and 10, no target CPU utilization specified so a default autoscaling "
+#~ "policy will be used:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# Auto scale a replication controller \"foo\", with the number of "
+#~ "pods between 1 and 5, target CPU utilization at 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Auto-skaliere ein Deployment \"foo\", mit einer Anzahl an Pods "
+#~ "zwischen 2 und 10, eine Ziel-CPU-Auslastung ist angegeben, sodass eine "
+#~ "Standard-autoskalierungsregel verwendet wird:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# Auto-skaliere einen Replication-Controller \"foo\", mit einer "
+#~ "Anzahl an Pods zwischen 1 und 5, mit einer Ziel-CPU-Auslastung von 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Convert the live state of the resource specified by 'pod.yaml' to "
+#~ "the latest version\n"
+#~ "\t\t# and print to stdout in json format.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# Convert all files under current directory to latest version and "
+#~ "create them all.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Konvertiere 'pod.yaml' zur neuesten Version und schreibe auf "
+#~ "stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Konvertiere den aktuellen Zustand der Resource, die in 'pod.yaml' "
+#~ "angegeben ist, zur neuesten Version\n"
+#~ "\t\t# und schreibe auf stdout im JSON-Format.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# Konvertiere alle Dateien im aktuellen Ordner zur neuesten Version "
+#~ "und erstelle sie.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" that allows user to "
+#~ "perform \"get\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" with ResourceName "
+#~ "specified\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Erstellt eine ClusterRole \"pod-reader\", die es Nutzern erlaubt "
+#~ "\"get\", \"watch\" und \"list\" auf den Pods auszuführen\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Erstellt eine ClusterRole \"pod-reader\" mit dem angegebenen "
+#~ "ResourceName\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" that allows user to perform \"get"
+#~ "\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" with ResourceName specified\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verg=list --verb=watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Erstellt eine Role \"pod-reader\", die es dem Nutzer erlaubt \"get"
+#~ "\", \"watch\" und \"list\" auf den Pods auszuführen\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Erstellt eine Role \"pod-reader\" mit dem angegebenen ResourceName\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verg=list --verb=watch --"
+#~ "resource=pods --resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named my-quota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,"
+#~ "services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named best-effort\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Erstellt eine neue ResourceQuota my-quota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,"
+#~ "services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Erstellt eine neue ResourceQuota best-effort\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=rails label\n"
+#~ "\t\t# and require at least one of them being available at any point in "
+#~ "time.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=nginx label\n"
+#~ "\t\t# and require at least half of the pods selected to be available at "
+#~ "any point in time.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Erstellt ein Pod-Disruption-Budget my-pdb, dass alle Pods mit dem "
+#~ "Label app=rails auswählt\n"
+#~ "\t\t# und sicherstellt, dass mindestens einer von ihnen zu jedem "
+#~ "Zeitpunkt verfügbar ist.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Erstellt ein Pod-Disruption-Budget my-pdb, dass alle Pods mit dem "
+#~ "Label app=nginx auswählt\n"
+#~ "\t\t# und sicherstellt, dass mindestens die Hälfte der gewählten Pods zu "
+#~ "jedem Zeitpunkt verfügbar ist.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod using the data in pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Create a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Edit the data in docker-registry.yaml in JSON using the v1 API "
+#~ "format then create the resource using the edited data.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Erstellt einen Pod mit den Daten in pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Erstellt einen Pod basierend auf den JSON-Daten von stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Verändert die Daten in docker-registry.yaml in JSON mit dem v1 API "
+#~ "Format und erstellt eine Resource mit den veränderten Daten.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replication controller identified by type "
+#~ "and name specified in \"nginx-controller.yaml\", which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+#~ "the name \"frontend\"\n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# Create a second service based on the above service, exposing the "
+#~ "container port 8443 as port 443 with the name \"nginx-https\"\n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated streaming application on port "
+#~ "4100 balancing UDP traffic and named 'video-stream'.\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx using replica set, which "
+#~ "serves on port 80 and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for an nginx deployment, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Erstellt einen Service für einen replizierten nginx, der auf Port "
+#~ "80 hört und verbindet sich mit den Containern auf Port 8000.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Erstellt einen Service für einen Replication-Controller, der über "
+#~ "type und name in \"nginx-controller.yaml\" identifiziert wird, auf Port "
+#~ "80 hört und verbindet sich mit den Containern auf Port 8000.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Erstellt einen Service, mit dem Namen \"frontend\", für einen Pod "
+#~ "valid-pod, der auf port 444 hört\n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# Erstellt einen zweiten Service basierend auf dem vorherigen "
+#~ "Service, der den Container Port 8443 auf Port 443 mit dem Namen \"nginx-"
+#~ "https\" anbietet\n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t# Erstellt einen Service für eine Replicated-Streaming-Application "
+#~ "auf Port 4100, die UDP-Traffic verarbeitet und 'video-stream' heißt.\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Erstellt einen Service für einen replizierten nginx mit einem "
+#~ "Replica-Set, dass auf Port 80 hört und verbindet sich mit den Containern "
+#~ "auf Port 8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Erstellt einen Service für ein nginx Deployment, dass auf Port 80 "
+#~ "hört und verbindet sich mit den Containern auf Port 8000.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Delete a pod using the type and name specified in pod.json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Delete a pod based on the type and name in the JSON passed into "
+#~ "stdin.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Delete a pod with minimal delay\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# Force delete a pod on a dead node\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# Delete all pods\n"
+#~ "\t\tkubectl delete pods --all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Löscht einen Pod mit type und name aus pod.json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Löscht einen Pod mit dem type und name aus den JSON-Daten von "
+#~ "stdin.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Löscht Pods und Services mit den Namen \"baz\" und \"foo\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Löscht Pods und Services mit dem Label name=myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Löscht einen Pod mit minimaler Verzögerung\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# Erzwingt das Löschen eines Pods auf einem toten Node\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# Löscht alle Pods\n"
+#~ "\t\tkubectl delete pods --all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Describe a node\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Describe a pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Describe all pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Describe pods by label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Describe all pods managed by the 'frontend' replication controller "
+#~ "(rc-created pods\n"
+#~ "\t\t# get the name of the rc as a prefix in the pod the name).\n"
+#~ "\t\tkubectl describe pods frontend"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Beschreibt einen Knoten\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Beschreibt einen Pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Beschreibt einen Pod mit type und name aus \"pod.json\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Beschreibt alle Pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Beschreibt Pods mit dem Label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Beschreibt alle Pods, die vom ReplicationController 'frontend' "
+#~ "verwaltet werden (rc-erstellte Pods\n"
+#~ "\t\t# bekommen den Namen des rc als Prefix im Podnamen).\n"
+#~ "\t\tkubectl describe pods frontend"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Drain node \"foo\", even if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet on it.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# As above, but abort if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet, and use "
+#~ "a grace period of 15 minutes.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Leere den Knoten \"foo\", selbst wenn er Pods enthält, die nicht "
+#~ "von einem ReplicationController, ReplicaSet, Job, DaemonSet oder "
+#~ "StatefulSet verwaltet werden.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# Wie zuvor, aber es wird abgebrochen, wenn er Pods enthält, die "
+#~ "nicht von einem ReplicationController, ReplicaSet, Job, DaemonSet oder "
+#~ "StatefulSet verwaltet werden und mit einer Schonfrist von 15 Minuten.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Edit the service named 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Use an alternative editor\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Edit the job 'myjob' in JSON using the v1 API format:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+#~ "config in its annotation:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Bearbeite den Service 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Benutze einen anderen Editor\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Bearbeite den Job 'myjob' in JSON mit dem v1 API Format:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Bearbeite das Deployment 'mydeployment' in YAML und speichere die "
+#~ "veränderte Konfiguration in ihrer Annotation:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running 'date' from pod 123456-7890, using the "
+#~ "first container by default\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Get output from running 'date' in ruby-container from pod "
+#~ "123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Erhalte die Ausgabe vom Aufruf von 'date' auf dem Pod 123456-7890, "
+#~ "mit dem ersten Container als Standard\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Erhalte die Ausgabe vom Aufruf von 'date' im Ruby-Container aus dem "
+#~ "Pod 123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Wechsle in den Terminal-Modus und sende stdin zu 'bash' im Ruby-"
+#~ "Container aus dem Pod 123456-7890\n"
+#~ "\t\t# und sende stdout/stderr von 'bash' zurück zum Client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running pod 123456-7890, using the first container "
+#~ "by default\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# Get output from ruby-container from pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Get output from the first pod of a ReplicaSet named nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Erhalte die Ausgabe vom laufenden Pod 123456-7890, mit dem ersten "
+#~ "Container als Standard\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# Erhalte die Ausgabe vom Ruby-Container aus dem Pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Wechsle in den Terminal-Modus und sende stdin zu 'bash' im Ruby-"
+#~ "Container aus dem Pod 123456-7890\n"
+#~ "\t\t# und sende stdout/stderr von 'bash' zurück zum Client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Erhalte die Ausgabe vom ersten Pod eines ReplicaSets nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Install bash completion on a Mac using homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for bash into the current shell\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Write bash completion code to a file and source if from ."
+#~ "bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Installiere bash completion auf einem Mac mit homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Lade den kubectl-Completion-Code für bash in der aktuellen Shell\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Schreibe den Bash-Completion-Code in eine Datei und source sie im ."
+#~ "bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Lade den kubectl-Completion-Code für zsh[1] in die aktuelle Shell\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# List all pods in ps output format.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# List all pods in ps output format with more information (such as "
+#~ "node name).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# List a single replication controller with specified NAME in ps "
+#~ "output format.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# List a single pod in JSON output format.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+#~ "JSON output format.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Return only the phase value of the specified pod.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# List all replication controllers and services together in ps output "
+#~ "format.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# List one or more resources by their type and names.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List all resources with different types.\n"
+#~ "\t\tkubectl get all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Liste alle Pods im ps-Format auf.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# Liste alle Pods im ps-Format mit zusätzlichen Informationen (wie "
+#~ "dem Knotennamen) auf.\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# Liste alle einzelnen ReplicationController mit dem angegebenen "
+#~ "Namen im ps-Format auf.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# Liste einen einzelnen Pod im JSON-Format auf.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# Liste einen Pod mit Typ und Namen aus \"pod.yaml\" im JSON-Format "
+#~ "auf.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Gib nur den phase-Wert des angegebenen Pods zurück.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# Liste alle ReplicationController und Services im ps-Format auf.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# Liste eine oder mehrere Resourcen über ihren Typ und Namen auf.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# Liste alle Resourcen mit verschiedenen Typen auf.\n"
+#~ "\t\tkubectl get all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 5000 6000\n"
+#~ "\n"
+#~ "\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 8888:5000\n"
+#~ "\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod :5000\n"
+#~ "\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 0:5000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Hört lokal auf Port 5000 und 6000 und leitet Daten zum/vom Port "
+#~ "5000 und 6000 weiter an den Pod\n"
+#~ "\t\tkubectl port-forward mypod 5000 6000\n"
+#~ "\n"
+#~ "\t\t# Hört lokal auf Port 8888 und leitet an Port 5000 des Pods weiter\n"
+#~ "\t\tkubectl port-forward mypod 8888:5000\n"
+#~ "\n"
+#~ "\t\t# Hört auf einen zufälligen lokalen Port und leitet an Port 5000 des "
+#~ "Pods weiter\n"
+#~ "\t\tkubectl port-forward mypod :5000\n"
+#~ "\n"
+#~ "\t\t# Hört auf einen zufälligen lokalen Port und leitet an Port 5000 des "
+#~ "Pods weiter\n"
+#~ "\t\tkubectl port-forward mypod 0:5000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as schedulable.\n"
+#~ "\t\t$ kubectl uncordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Markiere Knoten \"foo\" als schedulable.\n"
+#~ "\t\t$ kubectl uncordon foo"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as unschedulable.\n"
+#~ "\t\tkubectl cordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Markiere Knoten \"foo\" als unschedulable.\n"
+#~ "\t\tkubectl cordon foo"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Partially update a node using strategic merge patch\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Partially update a node identified by the type and name specified "
+#~ "in \"node.json\" using strategic merge patch\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image; spec.containers[*].name is required "
+#~ "because it's a merge key\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image using a json patch with positional "
+#~ "arrays\n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aktualisiere einen Knoten teilweise mit einem Strategic-Merge-"
+#~ "Patch\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere einen Knoten, mit type und name aus \"node.json\", mit "
+#~ "einem Strategic-Merge-Patch\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere das Image eines Containers; spec.containers[*].name "
+#~ "ist erforderlich, da es der Merge-Key ist\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere das Image eines Containers mit einem JSON-Patch mit "
+#~ "Positional-Arrays\n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Print the address of the master and cluster services\n"
+#~ "\t\tkubectl cluster-info"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Gebe die Adresse des Masters und des Cluster-Services aus\n"
+#~ "\t\tkubectl cluster-info"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Replace a pod using the data in pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Replace a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Update a single-container pod's image version (tag) to v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Force replace, delete and then re-create the resource\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Ersetze einen Pod mit den Daten aus pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Ersetze einen Pod mit den JSON-Daten von stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Setze die Pod-Image-Version (tag) eines einzelnen Containers zu v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Erzwinge das Ersetzen, Löschen und Neu-Erstellen der Resource\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Return snapshot logs from pod nginx with only one container\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs for the pods defined by label app=nginx\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot of previous terminated ruby container logs from pod "
+#~ "web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Show all logs from pod nginx written in the last hour\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from first container of a job named hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+#~ "nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Gib die Snapshot-Logs des Pods nginx mit nur einem Container "
+#~ "zurück\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Gib die Snapshot-Logs für die Pods mit dem Label app=nginx zurück\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Gib die Snapshot-Logs des zuvor gelöschten Ruby-Containers des Pods "
+#~ "web-1 zurück\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Starte das Streaming der Logs vom Ruby-Container im Pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Zeige die letzten 20 Zeilen der Ausgabe des Pods nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Zeige alle Logs der letzten Stunde des Pods nginx an\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Gib die Snapshot-Logs des ersten Containers des Jobs hello zurück\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Gib die Snapshot-Logs des Containers nginx-1 eines Deployments "
+#~ "nginx zurück\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on port 8011, serving static "
+#~ "content from ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on an arbitrary local port.\n"
+#~ "\t\t# The chosen port for the server will be output to stdout.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver, changing the api prefix to k8s-"
+#~ "api\n"
+#~ "\t\t# This makes e.g. the pods api available at localhost:8001/k8s-api/v1/"
+#~ "pods/\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Starte einen Proxy zum Kubernetes-Apiserver auf Port 8011 und sende "
+#~ "statische Inhalte von ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Starte einen Proxy zum Kubernetes-Apiserver auf einem zufälligen "
+#~ "lokalen Port.\n"
+#~ "\t\t# Der gewählte Port für den Server wird im stdout zurückgegeben.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# Starte einen Proxy zum Kubernetes-Apiserver und ändere das API-"
+#~ "Prefix zu k8s-api\n"
+#~ "\t\t# Damit ist die Pods-API bspw. unter localhost:8001/k8s-api/v1/pods/ "
+#~ "erreichbar\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Scale a replicaset named 'foo' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Scale a resource identified by type and name specified in \"foo.yaml"
+#~ "\" to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# If the deployment named mysql's current size is 2, scale mysql to "
+#~ "3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Scale multiple replication controllers.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Scale job named 'cron' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Skaliere ein ReplicaSet 'foo' auf 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Skaliere eine Resource mit type und name aus \"foo.yaml\" auf 3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# Wenn die aktuelle Größe des Deployments mysql 2 ist, skaliere mysql "
+#~ "auf 3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Skaliere mehrere MultiplicationController.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Skaliere den Job cron auf 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Execute set-last-applied against each configuration file in a "
+#~ "directory.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file, will create the annotation if it does not already "
+#~ "exist.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Setze die Last-Applied-Configuration einer Resource auf den Inhalt "
+#~ "einer Datei.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Führe Set-Last-Applied auf jeder Konfigurationsdatei in einem "
+#~ "Ordner aus.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Setze die Last-Applied-Configuration einer Resource auf den Inhalt "
+#~ "einer Datei; erstellt die Annotation, wenn sie noch nicht existiert.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Shut down foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stop pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Shut down the service defined in service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Shut down all resources in the path/to/resources directory\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Stoppe foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stoppe Pods und Services mit dem Label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Stoppe den in service.json definierten Service\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Stoppe alle Resourcen im Ordner path/to/resources\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and let the container expose "
+#~ "port 5701 .\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and set environment variables "
+#~ "\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" "
+#~ "--env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Start a replicated instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Print the corresponding API objects without creating "
+#~ "them.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx, but overload the spec of the "
+#~ "deployment with a partial set of values parsed from JSON.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": "
+#~ "\"v1\", \"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Start a pod of busybox and keep it in the foreground, don't restart "
+#~ "it if it exits.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using the default command, but use custom "
+#~ "arguments (arg1 .. argN) for that command.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using a different command and custom "
+#~ "arguments.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the perl container to compute π to 2000 places and print it "
+#~ "out.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Start the cron job to compute π to 2000 places and print it out "
+#~ "every 5 minutes.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Starte eine einzelne Instanz von nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Starte eine einzelne Instanz von hazelcast und öffne Port 5701 auf "
+#~ "dem Container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Starte eine einzelne Instanz von hazelcast und setze die Umgebungs-"
+#~ "variablen \"DNS_DOMAIN=cluster\" und \"POD_NAMESPACE=default\" im "
+#~ "Container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" "
+#~ "--env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Starte eine replizierte Instanz von nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Testlauf. Zeige die zugehörigen API Objekte ohne sie zu erstellen.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Starte eine einzelne Instanz von nginx, aber überlade die Spec des "
+#~ "Deployments mit einer Teilmenge von JSON-Werten.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": "
+#~ "\"v1\", \"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Starte einen busybox Pod und lass ihn im Vordergrund laufen; starte "
+#~ "ihn nicht neu, wenn er existiert.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Starte einen nginx-Container mit dem Standardkommando, aber "
+#~ "übergebe die Parameter (arg1 .. argN) an das Kommando.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Starte den nginx-Container mit einem anderen Kommando und "
+#~ "Parametern.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Starte den perl-Container, um π auf 2000 Stellen zu berechnen und "
+#~ "gib es aus.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Starte den cron-Job, um π auf 2000 Stellen zu berechnen und gib sie "
+#~ "alle 5 Minuten aus.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update node 'foo' with a taint with key 'dedicated' and value "
+#~ "'special-user' and effect 'NoSchedule'.\n"
+#~ "\t\t# If a taint with that key and effect already exists, its value is "
+#~ "replaced as specified.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+#~ "'NoSchedule' if one exists.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aktualisiere Knoten 'foo' mit einem Taint mit dem Key 'dedicated', "
+#~ "dem Value 'special-user' und dem Effect 'NoSchedule'.\n"
+#~ "\t\t# Wenn ein Taint mit dem Key und Effect schon existiert, wird sein "
+#~ "Value mit den gegebenen Werten ersetzt.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Entferne vom Knoten 'foo' den Taint mit dem Key 'dedicated' und dem "
+#~ "Effect 'NoSchedule', wenn er existiert.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Entferne vom Knoten 'foo' alle Tains mit dem Key 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+#~ "overwriting any existing value.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update all pods in the namespace\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' by removing a label named 'bar' if it exists.\n"
+#~ "\t\t# Does not require the --overwrite flag.\n"
+#~ "\t\tkubectl label pods foo bar-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aktualisiere den Pod 'foo' mit dem Label 'unhealthy' und dem Value "
+#~ "'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere den Pod 'foo' mit dem Label 'status' und dem Value "
+#~ "'unhealthy' und überschreibe alle bisherigen Values.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere alle Pods im Namespace\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere den Pod mit type und name aus \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere den Pod 'foo', wenn die Resource sich nicht von "
+#~ "version 1 unterscheidet.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere den Pod 'foo', indem das Label 'bar' gelöscht wird, "
+#~ "wenn es existiert.\n"
+#~ "\t\t# Benötigt kein --overwrite flag.\n"
+#~ "\t\tkubectl label pods foo bar-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using new replication controller data in "
+#~ "frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using JSON data passed into stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend-v1 to frontend-v2 by just changing the "
+#~ "image, and switching the\n"
+#~ "\t\t# name of the replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend by just changing the image, and keeping "
+#~ "the old name.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Abort and reverse an existing rollout in progress (from frontend-v1 "
+#~ "to frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aktualisiere die Pods in frontend-v1 mit den neuen Replication-"
+#~ "Controller Daten in frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere die Pods in frontend-v1 mit den JSON-Daten von stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere die Pods von frontend-v1 auf frontend-v2, indem das "
+#~ "Image geändert wird und\n"
+#~ "\t\t# der Name des ReplicationControllers.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Aktualisiere die Pods in frontend, indem das Image geändert, aber "
+#~ "der alte Name beibehalten wird.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Breche ein laufendes Rollout (von frontend-v1 zu frontend-v2) ab "
+#~ "und mache es rückgängig.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by type/name in "
+#~ "YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by file in JSON\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Zeige die Annotation Last-Applied-Configuration mit type/name in "
+#~ "YAML an.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# Zeige die Annotation Last-applied-configuration mit der Datei in "
+#~ "JSON an\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tApply a configuration to a resource by filename or stdin.\n"
+#~ "\t\tThis resource will be created if it doesn't exist yet.\n"
+#~ "\t\tTo use 'apply', always create the resource initially with either "
+#~ "'apply' or 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do "
+#~ "not use unless you are aware of what the current state is. See https://"
+#~ "issues.k8s.io/34274."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tWende eine Konfiguration auf eine Resource mit Dateinamen oder stdin "
+#~ "an.\n"
+#~ "\t\tDie Resource wird erstellt, wenn sie noch nicht existiert.\n"
+#~ "\t\tUm 'apply' zu benutzen, muss die Resource initital mit 'apply' oder "
+#~ "'create --save-config' erstellt werden.\n"
+#~ "\n"
+#~ "\t\tJSON- und YAML-Formate werden akzeptiert.\n"
+#~ "\n"
+#~ "\t\tAlpha Disclaimer: Die --prune Funktion ist noch nicht fertig. Benutze "
+#~ "sie nicht, wenn der aktuelle Zustand nicht bekannt ist. Siehe https://"
+#~ "issues.k8s.io/34274."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle eine ClusterRole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRoleBinding for a particular ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle ein ClusterRoleBinding für eine bestimmte ClusterRole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a RoleBinding for a particular Role or ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle ein RoleBinding für eine bestimmte ClusterRole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a TLS secret from the given public/private key pair.\n"
+#~ "\n"
+#~ "\t\tThe public/private key pair must exist before hand. The public key "
+#~ "certificate must be .PEM encoded and match the given private key."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle ein TLS-Secret vom gegebenen Public/Private-Schlüsselpaar.\n"
+#~ "\n"
+#~ "\t\tDas Public/Private-Schlüsselpaar muss vorab bestehen. Das Public-Key-"
+#~ "Zertifikat muss im PEM-Format sein und zum gegebenen Private-Key passen."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a configmap based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single configmap may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a file, the key will default to "
+#~ "the basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a directory, each file whose "
+#~ "basename is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the configmap.  Any directory entries except regular "
+#~ "files are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle eine ConfigMap basierend auf einer Datei, einem Order oder "
+#~ "einem gegebenen Wert.\n"
+#~ "\n"
+#~ "\t\tEine einzelne ConfigMap kann eins oder mehr Key/Value-Paare "
+#~ "beinhalten.\n"
+#~ "\n"
+#~ "\t\tWenn man eine ConfigMap von einer Datei erstellt, wird der Key "
+#~ "standardmäßig der Name der Datei, und der Wert wird\n"
+#~ "\t\tstandardmäßig der Dateiinhalt. Wenn der Dateiname ein ungültiger Key "
+#~ "ist, kann ein anderer Key angegeben werden.\n"
+#~ "\n"
+#~ "\t\tWenn man eine ConfigMap von einem Ordner erstellt, wird jede Datei, "
+#~ "deren Name ein gültiger Key ist\n"
+#~ "\t\tin die ConfigMap aufgenommen. Jegliche Einträge im Ordner, die keine "
+#~ "regulären Dateien sind, werden ignoriert (z.B. SubDirectories, \n"
+#~ "\t\tSymLinks, Devices, Pipes, usw)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a new secret for use with Docker registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets are used to authenticate against Docker "
+#~ "registries.\n"
+#~ "\n"
+#~ "\t\tWhen using the Docker command line to push images, you can "
+#~ "authenticate to a given registry by running\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    That produces a ~/.dockercfg file that is used by subsequent 'docker "
+#~ "push' and 'docker pull' commands to\n"
+#~ "\t\tauthenticate to the registry. The email address is optional.\n"
+#~ "\n"
+#~ "\t\tWhen creating applications, you may have a Docker registry that "
+#~ "requires authentication.  In order for the\n"
+#~ "\t\tnodes to pull images on your behalf, they have to have the "
+#~ "credentials.  You can provide this information\n"
+#~ "\t\tby creating a dockercfg secret and attaching it to your service "
+#~ "account."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle ein Secret für die Benutzung mit Docker-Registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg Secrets werden für die Authentifizierung bei Docker-"
+#~ "Registries benutzt.\n"
+#~ "\n"
+#~ "\t\tWenn die Docker-command -line zum pushen von Images benutzt wird, "
+#~ "kann man sich bei einer gegebenen Registry authentifizieren mit\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    Dies produziert eine ~/.dockercfg Datei, die für folgende 'docker "
+#~ "push' und 'docker pull' Befehle genutzt wird,\n"
+#~ "\t\tum sich an der Registry zu authentifizieren. Die E-Mail-Adresse ist "
+#~ "optional.\n"
+#~ "\n"
+#~ "\t\tBei der Erstellung von Applikationen, kann eine Docker-Registry eine "
+#~ "Authentifizierung verlangen. Damit\n"
+#~ "\t\tdeine Knoten in deinem Namen Images herunterladen können, benötigen "
+#~ "sie die Credentials.  Man kann diese Information bereitstellen\n"
+#~ "\t\tindem man ein dockercfg secret erstellt und zu seinem ServiceAccount "
+#~ "hinzufügt."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a pod disruption budget with the specified name, selector, and "
+#~ "desired minimum available pods"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle ein Pod-Disruption-Budget mit dem gegebenen name, selector "
+#~ "und der gewünschten Mindestanzahl verfügbarer Pods"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle eine Resource mit Dateinamen oder stdin.\n"
+#~ "\n"
+#~ "\t\tJSON- und YAML-Formate werden akzeptiert."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resourcequota with the specified name, hard limits and "
+#~ "optional scopes"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle eine ResourceQuota mit dem gegebenen name, hard limits und "
+#~ "optional scopes"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a secret based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single secret may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a directory, each file whose basename "
+#~ "is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the secret.  Any directory entries except regular files "
+#~ "are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle ein Secret basierend auf einer Datei, einem Ordner oder "
+#~ "einem gegebenen Wert.\n"
+#~ "\n"
+#~ "\t\tEin einzelnes Secret kann eins oder mehr Key/Value-Paare beinhalten.\n"
+#~ "\n"
+#~ "\t\tWenn man ein Secret von einer Datei erstellt, wird der Key "
+#~ "standardmäßig der Name der Datei, und der Wert wird\n"
+#~ "\t\tstandardmäßig der Dateiinhalt. Wenn der Dateiname ein ungültiger Key "
+#~ "ist, kann ein anderer Key angegeben werden.\n"
+#~ "\n"
+#~ "\t\tWenn man ein Secret von einem Ordner erstellt, wird jede Datei, deren "
+#~ "Name ein gültiger Key ist\n"
+#~ "\t\tin das Secret aufgenommen. Jegliche Einträge im Ordner, die keine "
+#~ "regulären Dateien sind, werden ignoriert (z.B. SubDirectories, \n"
+#~ "\t\tSymLinks, Devices, Pipes, usw)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate and run a particular image, possibly replicated.\n"
+#~ "\n"
+#~ "\t\tCreates a deployment or job to manage the created container(s)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstelle und starte ein bestimmtes Image, möglicherweise repliziert.\n"
+#~ "\n"
+#~ "\t\tErstellt ein Deployment oder Job, um den/die erstellten Container zu "
+#~ "verwalten."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreates an autoscaler that automatically chooses and sets the number "
+#~ "of pods that run in a kubernetes cluster.\n"
+#~ "\n"
+#~ "\t\tLooks up a Deployment, ReplicaSet, or ReplicationController by name "
+#~ "and creates an autoscaler that uses the given resource as a reference.\n"
+#~ "\t\tAn autoscaler can automatically increase or decrease number of pods "
+#~ "deployed within the system as needed."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErstellt einen AutoScaler der die Anzahl der Pods, die im Kubernetes-"
+#~ "Cluster laufen, automatisch wählt und anpasst.\n"
+#~ "\n"
+#~ "\t\tSucht ein Deployment, ReplicaSet oder ReplicationController mit Namen "
+#~ "name und erstellt einen AutoScaler, der die Resource als Referenz nimmt.\n"
+#~ "\t\tEin AutoScaler kann die Anzahl der im System deployten Pods nach "
+#~ "Bedarf erhöhen oder verringern."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDelete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. Only one type of the arguments "
+#~ "may be specified: filenames,\n"
+#~ "\t\tresources and names, or resources and label selector.\n"
+#~ "\n"
+#~ "\t\tSome resources, such as pods, support graceful deletion. These "
+#~ "resources define a default period\n"
+#~ "\t\tbefore they are forcibly terminated (the grace period) but you may "
+#~ "override that value with\n"
+#~ "\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+#~ "Because these resources often\n"
+#~ "\t\trepresent entities in the cluster, deletion may not be acknowledged "
+#~ "immediately. If the node\n"
+#~ "\t\thosting a pod is down or cannot reach the API server, termination may "
+#~ "take significantly longer\n"
+#~ "\t\tthan the grace period. To force delete a resource,\tyou must pass a "
+#~ "grace\tperiod of 0 and specify\n"
+#~ "\t\tthe --force flag.\n"
+#~ "\n"
+#~ "\t\tIMPORTANT: Force deleting pods does not wait for confirmation that "
+#~ "the pod's processes have been\n"
+#~ "\t\tterminated, which can leave those processes running until the node "
+#~ "detects the deletion and\n"
+#~ "\t\tcompletes graceful deletion. If your processes use shared storage or "
+#~ "talk to a remote API and\n"
+#~ "\t\tdepend on the name of the pod to identify themselves, force deleting "
+#~ "those pods may result in\n"
+#~ "\t\tmultiple processes running on different machines using the same "
+#~ "identification which may lead\n"
+#~ "\t\tto data corruption or inconsistency. Only force delete pods when you "
+#~ "are sure the pod is\n"
+#~ "\t\tterminated, or if your application can tolerate multiple copies of "
+#~ "the same pod running at once.\n"
+#~ "\t\tAlso, if you force delete pods the scheduler may place new pods on "
+#~ "those nodes before the node\n"
+#~ "\t\thas released those resources and causing those pods to be evicted "
+#~ "immediately.\n"
+#~ "\n"
+#~ "\t\tNote that the delete command does NOT do resource version checks, so "
+#~ "if someone\n"
+#~ "\t\tsubmits an update to a resource right when you submit a delete, their "
+#~ "update\n"
+#~ "\t\twill be lost along with the rest of the resource."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tLöscht die Resourcen mit Dateinamen, stdin, resources- und names- "
+#~ "oder mit resources- und label-Selektor.\n"
+#~ "\n"
+#~ "\t\tJSON- und YAML-Formate werden akzeptiert. Nur einer der Parameter "
+#~ "darf verwendet werden: Dateiname,\n"
+#~ "\t\tresources- und names-, oder resources- und label-Selektor.\n"
+#~ "\n"
+#~ "\t\tManche Resourcen, zum Beispiel Pods, unterstützen graziöses Löschen. "
+#~ "Sie definieren einen Standardzeitraum\n"
+#~ "\t\tbevor das Löschen erzwungen wird (grace-period), aber dieser Wert "
+#~ "kann überschrieben werden mit\n"
+#~ "\t\tder --grace-period Option, oder mit --now, das die grace-period auf 1 "
+#~ "setzt. Da diese Resourcen\n"
+#~ "\t\thäufig Einheiten im Cluster sind, kann das Löschen nicht immer direkt "
+#~ "bestätigt werden. Wenn der Knoten\n"
+#~ "\t\tauf dem der Pod läuft nicht verfügbar ist, oder den API Server nicht "
+#~ "erreichen kann, kann das Löschen bedeutend länger dauern\n"
+#~ "\t\tals die grace-period. Um das Löschen zu erzwingen, muss eine grace-"
+#~ "period von 0 übergeben werden\n"
+#~ "\t\tund die --force Option gesetzt sein.\n"
+#~ "\n"
+#~ "\t\tWICHTIG: Ein erzwungenes Löschen wartet nicht auf die Bestätigung, "
+#~ "dass der Prozess\n"
+#~ "\t\tbeendet wurde, was den Prozess am Leben erhalten kann, bis der Knoten "
+#~ "die Löschung erkennt\n"
+#~ "\t\tund das graziöse Löschen beendet. Wenn Prozesse Shared-Storage oder "
+#~ "eine Remote-API verwenden und\n"
+#~ "\t\tden Namen des Pods brauchen, um sich selbst zu identifizieren, kann "
+#~ "das erzwungene Löschen dazu führen, dass\n"
+#~ "\t\tmehrere Prozesse auf der gleichen Maschine die gleiche Identität "
+#~ "verwenden, was zu\n"
+#~ "\t\tDatenkorruption oder Inkonsistenz führen kann. Erzwinge nur ein "
+#~ "Löschen, wenn sichergestellt ist, dass der Pod\n"
+#~ "\t\tgelöscht ist, oder wenn die Anwendung mehrere gleichzeitig laufende "
+#~ "Kopien verarbeiten kann.\n"
+#~ "\t\tAußerdem kann es passieren, dass der Scheduler neue Pods auf dem "
+#~ "Knoten plaziert, bevor der Knoten\n"
+#~ "\t\tdie Resourcen freigegeben hat, sodass diese Pods direkt entfernt "
+#~ "werden.\n"
+#~ "\n"
+#~ "\t\tBerücksichtige außerdem, dass der Delete-Befehl KEINE versionen "
+#~ "prüft, sodass, wenn jemand\n"
+#~ "\t\tein Update einer Resource gleichzeitig mit Deinem delete anstößt, "
+#~ "dessen Update\n"
+#~ "\t\tmit dem Rest der Resource entfernt wird."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDeprecated: Gracefully shut down a resource by name or filename.\n"
+#~ "\n"
+#~ "\t\tThe stop command is deprecated, all its functionalities are covered "
+#~ "by delete command.\n"
+#~ "\t\tSee 'kubectl delete --help' for more details.\n"
+#~ "\n"
+#~ "\t\tAttempts to shut down and delete a resource that supports graceful "
+#~ "termination.\n"
+#~ "\t\tIf the resource is scalable it will be scaled to 0 before deletion."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tVeraltet: Fahre eine Resource mit Namen oder Dateinamen graziös "
+#~ "heruter.\n"
+#~ "\n"
+#~ "\t\tDer Stop-Befehl ist veraltet und alle Funktioneren werden mit dem "
+#~ "Delete-Befehl abgedeckt.\n"
+#~ "\t\tSiehe 'kubectl delete --help' für mehr Details.\n"
+#~ "\n"
+#~ "\t\tVersucht eine Resource, die graziöses Löschen unterstützt, "
+#~ "herunterzufahren und zu löschen.\n"
+#~ "\t\tWenn die Resource skaliert werden kann, wird sie vor dem Löschen auf "
+#~ "0 skaliert."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of nodes.\n"
+#~ "\n"
+#~ "\t\tThe top-node command allows you to see the resource consumption of "
+#~ "nodes."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tZeigt die Resourcennutzung (CPU/Memory/Storage) von Knoten.\n"
+#~ "\n"
+#~ "\t\tDer top-node-Befehl erlaubt es, die Resourcennutzung von Knoten zu "
+#~ "betrachten."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of pods.\n"
+#~ "\n"
+#~ "\t\tThe 'top pod' command allows you to see the resource consumption of "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+#~ "minutes\n"
+#~ "\t\tsince pod creation."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tZeigt die Resourcennutzung (CPU/Memory/Storage) von Pods.\n"
+#~ "\n"
+#~ "\t\tDer 'top pod'-Befehl erlaubt es, die Resourcennutzung von Pods zu "
+#~ "betrachten.\n"
+#~ "\n"
+#~ "\t\tAufgrund der Metrik-Pipeline-Verzögerung, können sie für ein paar "
+#~ "Minuten nicht verfügbar sein,\n"
+#~ "\t\tnach der Pod-Erstellung."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage.\n"
+#~ "\n"
+#~ "\t\tThe top command allows you to see the resource consumption for nodes "
+#~ "or pods.\n"
+#~ "\n"
+#~ "\t\tThis command requires Heapster to be correctly configured and working "
+#~ "on the server. "
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tZeige Resourcennutzung (CPU/Memory/Storage).\n"
+#~ "\n"
+#~ "\t\tDer top-Befehl erlaubt es, die Resourcennutzung von Knoten oder Pods "
+#~ "zu betrachten.\n"
+#~ "\n"
+#~ "\t\tDieser Befehl benötigt eine korrekt konfigurierte und funktionierende "
+#~ "Heapster-Installation auf dem Server. "
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDrain node in preparation for maintenance.\n"
+#~ "\n"
+#~ "\t\tThe given node will be marked unschedulable to prevent new pods from "
+#~ "arriving.\n"
+#~ "\t\t'drain' evicts the pods if the APIServer supports eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Otherwise, it will "
+#~ "use normal DELETE\n"
+#~ "\t\tto delete the pods.\n"
+#~ "\t\tThe 'drain' evicts or deletes all pods except mirror pods (which "
+#~ "cannot be deleted through\n"
+#~ "\t\tthe API server).  If there are DaemonSet-managed pods, drain will not "
+#~ "proceed\n"
+#~ "\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+#~ "\t\tDaemonSet-managed pods, because those pods would be immediately "
+#~ "replaced by the\n"
+#~ "\t\tDaemonSet controller, which ignores unschedulable markings.  If there "
+#~ "are any\n"
+#~ "\t\tpods that are neither mirror pods nor managed by "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete "
+#~ "any pods unless you\n"
+#~ "\t\tuse --force.  --force will also allow deletion to proceed if the "
+#~ "managing resource of one\n"
+#~ "\t\tor more pods is missing.\n"
+#~ "\n"
+#~ "\t\t'drain' waits for graceful termination. You should not operate on the "
+#~ "machine until\n"
+#~ "\t\tthe command completes.\n"
+#~ "\n"
+#~ "\t\tWhen you are ready to put the node back into service, use kubectl "
+#~ "uncordon, which\n"
+#~ "\t\twill make the node schedulable again.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tLeere Knoten, um eine Wartung vorzubereiten.\n"
+#~ "\n"
+#~ "\t\tDer gegebene Knoten wird als unschedulable markiert, um die Zuordnung "
+#~ "von neuen Pods zu verhindern.\n"
+#~ "\t\t'drain' entfernt den Pod, falls der API-Server die Entfernung "
+#~ "unterstützt\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Wenn nicht, wird ein "
+#~ "normales DELETE verwendet,\n"
+#~ "\t\tum die Pods zu löschen.\n"
+#~ "\t\t'drain' entfernt oder löscht alle Pods mit der Ausnahme von Mirror-"
+#~ "Pods (welche vom API Server nicht gelöscht werden können)\n"
+#~ "\t\tWenn DaemonSet-verwaltete Pods existieren, wird 'drain' nicht "
+#~ "fortgesetzt\n"
+#~ "\t\tohne die --ignore-daemonsets Option, und es wird in keinem Fall\n"
+#~ "\t\tDaemonSet-verwaltete Pods löschen, weil diese Pods direkt ersetzt "
+#~ "würden durch den\n"
+#~ "\t\tDaemonSet-Controller, der unschedulable Markierungen ignoriert.  Wenn "
+#~ "es irgendwelche\n"
+#~ "\t\tPods gibt, die weder Mirror-Pods sind, noch von einem "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet oder Job verwaltet werden, wird "
+#~ "drain keine Pods löschen, außer die\n"
+#~ "\t\t--force Option ist gesetzt.  --force lässt das Löschen selbst zu, "
+#~ "wenn die verwaltende Resource von einem\n"
+#~ "\t\toder mehreren Pods fehlt.\n"
+#~ "\n"
+#~ "\t\t'drain' wartet auf eine graziöse Löschung. Man sollte auf der "
+#~ "Maschine nichts tun, während\n"
+#~ "\t\tder Befehl läuft.\n"
+#~ "\n"
+#~ "\t\tWenn der Knoten wieder bereit ist die Arbeit aufzunehmen, benutze "
+#~ "kubectl uncordon,\n"
+#~ "\t\twas den Knoten als schedulable markiert.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tEdit a resource from the default editor.\n"
+#~ "\n"
+#~ "\t\tThe edit command allows you to directly edit any API resource you can "
+#~ "retrieve via the\n"
+#~ "\t\tcommand line tools. It will open the editor defined by your "
+#~ "KUBE_EDITOR, or EDITOR\n"
+#~ "\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' "
+#~ "for Windows.\n"
+#~ "\t\tYou can edit multiple objects, although changes are applied one at a "
+#~ "time. The command\n"
+#~ "\t\taccepts filenames as well as command line arguments, although the "
+#~ "files you point to must\n"
+#~ "\t\tbe previously saved versions of resources.\n"
+#~ "\n"
+#~ "\t\tEditing is done with the API version used to fetch the resource.\n"
+#~ "\t\tTo edit using a specific API version, fully-qualify the resource, "
+#~ "version, and group.\n"
+#~ "\n"
+#~ "\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+#~ "\n"
+#~ "\t\tThe flag --windows-line-endings can be used to force Windows line "
+#~ "endings,\n"
+#~ "\t\totherwise the default for your operating system will be used.\n"
+#~ "\n"
+#~ "\t\tIn the event an error occurs while updating, a temporary file will be "
+#~ "created on disk\n"
+#~ "\t\tthat contains your unapplied changes. The most common error when "
+#~ "updating a resource\n"
+#~ "\t\tis another editor changing the resource on the server. When this "
+#~ "occurs, you will have\n"
+#~ "\t\tto apply your changes to the newer version of the resource, or update "
+#~ "your temporary\n"
+#~ "\t\tsaved copy to include the latest resource version."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tBearbeite eine Resource mit dem Standardeditor.\n"
+#~ "\n"
+#~ "\t\tDer edit-Befehl erlaubt es jede API Resource direkt zu bearbeiten, "
+#~ "wenn sie mit den\n"
+#~ "\t\tCommand-Line-Tools erreichbar ist. Er öffnet den Editor, der in der "
+#~ "KUBE_EDITOR oder EDITOR\n"
+#~ "\t\tUmgebunsvariable festgelegt ist, oder 'vi' auf Linux und 'notepad' "
+#~ "auf Windows.\n"
+#~ "\t\tEs ist möglich mehrere Objekte zu bearbeiten, aber die Änderungen "
+#~ "werden nacheinander angewendet. Der Befehl\n"
+#~ "\t\takzeptiert Dateinamen und Command-Line-Parameter, aber die "
+#~ "verwendeten Dateien müssen\n"
+#~ "\t\tvorab gespeicherte Versionen von Resourcen sein.\n"
+#~ "\n"
+#~ "\t\tDie Bearbeitung verwendet die API Version, die genutzt wurde, um die "
+#~ "Resource zu lesen.\n"
+#~ "\t\tUm eine spezifische API Version zu verwenden, muss die vollständige "
+#~ "Resource, Version und Group angegeben werden.\n"
+#~ "\n"
+#~ "\t\tDas Standardformat ist YAML. Um mit JSON zu arbeiten, setze \"-o json"
+#~ "\".\n"
+#~ "\n"
+#~ "\t\tDie Option --windows-line-endings kann benutzt werden, um Windows "
+#~ "Zeilen-umbrüche zu verwenden,\n"
+#~ "\t\tansonsten wird der Standard des Betriebssystems verwendet.\n"
+#~ "\n"
+#~ "\t\tFalls beim Update ein Fehler auftritt, wird eine temporäre Datei auf "
+#~ "der Festplatte angelegt,\n"
+#~ "\t\tdie die nicht verarbeiteten Änderungen enthält. Der häufigste Fehler "
+#~ "beim Bearbeiten einer Resource\n"
+#~ "\t\tist ein anderer Editor, der die Resource auf dem Server ändert. Wenn "
+#~ "das auftritt, muss man\n"
+#~ "\t\tseine Änderungen auf die neue Version anwenden oder seine temporäre\n"
+#~ "\t\tgespeicherte Kopie mit der neuesten Resourcenversion aktualisieren."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+#~ "\t\tThe shell code must be evaluated to provide interactive\n"
+#~ "\t\tcompletion of kubectl commands.  This can be done by sourcing it "
+#~ "from\n"
+#~ "\t\tthe .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNote: this requires the bash-completion framework, which is not "
+#~ "installed\n"
+#~ "\t\tby default on Mac.  This can be installed by using homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tOnce installed, bash_completion must be evaluated.  This can be done "
+#~ "by adding the\n"
+#~ "\t\tfollowing line to the .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNote for zsh users: [1] zsh completions are only supported in "
+#~ "versions of zsh >= 5.2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tGibt den Shell-Completion-Code für die angegebene Shell aus (bash "
+#~ "oder zsh).\n"
+#~ "\t\tDer Shell-Code muss für eine interaktive Vervollständigung von "
+#~ "kubectl \n"
+#~ "\t\tausgewertet werden. Das ist möglich, indem man\n"
+#~ "\t\tdie .bash_profile Datei sourcet.\n"
+#~ "\n"
+#~ "\t\tHinweis: Dies setzt das Bash-Completion-Framework voraus, das auf dem "
+#~ "Mac nicht standardmäßig installiert ist. \n"
+#~ "\t\tEs kann mit homebrew installiert werden:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tSobald es installiert ist, muss bash_completion ausgewertet werden. "
+#~ "Dies wird erreicht, indem man\n"
+#~ "\t\tdie folgende Zeile zur .bash_profile-Datei hinzufügt\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tHinweis für zsh Nutzer: [1] zsh completions werden nur in Versionen "
+#~ "von zsh >= 5.2 unterstützt"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tPerform a rolling update of the given ReplicationController.\n"
+#~ "\n"
+#~ "\t\tReplaces the specified replication controller with a new replication "
+#~ "controller by updating one pod at a time to use the\n"
+#~ "\t\tnew PodTemplate. The new-controller.json must specify the same "
+#~ "namespace as the\n"
+#~ "\t\texisting replication controller and overwrite at least one (common) "
+#~ "label in its replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate."
+#~ "svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tFühre ein Rolling-Update des gegebenen ReplicationControllers aus.\n"
+#~ "\n"
+#~ "\t\tErsetzt den gegebenen ReplicationController mit einem neuen "
+#~ "Replication-Controller, indem die neue PodTampleta Pod für Pod\n"
+#~ "\t\tangewendet wird. Die new-controller.json muss den gleichen Namespace "
+#~ "wie\n"
+#~ "\t\tder aktuelle ReplicationController besitzen und mindestens ein "
+#~ "gemeinsames Label im ReplicaSelector überschreiben.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate."
+#~ "svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tReplace a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. If replacing an existing "
+#~ "resource, the\n"
+#~ "\t\tcomplete resource spec must be provided. This can be obtained by\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tErsetze eine Resource mit Dateinamen oder stdin.\n"
+#~ "\n"
+#~ "\t\tJSON- and YAML-Formate werden akzeptiert. Wenn eine existierende "
+#~ "Resource ersetzt wird,\n"
+#~ "\t\tmuss die vollständige spSpecec mitgegeben werden. Diese kann hiermit "
+#~ "ausgelesen werden\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ "\n"
+#~ "\t\tBitte konsultiere https://htmlpreview.github.io/?https://github.com/"
+#~ "kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/definitions.html um "
+#~ "zu erfahren, ob ein Feld verändert werden darf."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tSet a new size for a Deployment, ReplicaSet, Replication Controller, "
+#~ "or Job.\n"
+#~ "\n"
+#~ "\t\tScale also allows users to specify one or more preconditions for the "
+#~ "scale action.\n"
+#~ "\n"
+#~ "\t\tIf --current-replicas or --resource-version is specified, it is "
+#~ "validated before the\n"
+#~ "\t\tscale is attempted, and it is guaranteed that the precondition holds "
+#~ "true when the\n"
+#~ "\t\tscale is sent to the server."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tSetze eine neue Größe für ein Deployment, ReplicaSet, Replication-"
+#~ "Contoller oder Job.\n"
+#~ "\n"
+#~ "\t\tScale erlaubt es Nutzern eine oder mehr Voraussetzungen für die "
+#~ "Aktion festzulegen.\n"
+#~ "\n"
+#~ "\t\tWenn --current-replicas oder --resource-version gegeben ist, wird es "
+#~ "validiert, bevor\n"
+#~ "\t\tscale versucht wird, und es wird garantiert, dass die Voraussetzungen "
+#~ "erfüllt sind, wenn\n"
+#~ "\t\tscale zum Server geschickt wird."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tTo proxy all of the kubernetes api and nothing else, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tTo proxy only part of the kubernetes api and also some static files:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/api/v1/pods'.\n"
+#~ "\n"
+#~ "\t\tTo proxy the entire kubernetes api at a different root, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/custom/api/v1/pods'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tProxy alle Teile der Kubernetes-API und sonst nichts:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tProxy nur bestimmte Teile der Kubernetes-API und einige statische "
+#~ "Dateien:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tDer Befehl oben lässt dich 'curl localhost:8001/api/v1/pods' "
+#~ "aufrufen.\n"
+#~ "\n"
+#~ "\t\tProxy alle Teile der Kubernetes-API auf einem anderen root:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tDer Befehl oben lässt dich 'curl localhost:8001/custom/api/v1/pods' "
+#~ "aufrufen"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate field(s) of a resource using strategic merge patch\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAktualisiere Felder einer Resource mit einem Strategic-Merge-Patch\n"
+#~ "\n"
+#~ "\t\tJSON- und YAML-Formate werden akzeptiert.\n"
+#~ "\n"
+#~ "\t\tBitte konsultiere https://htmlpreview.github.io/?https://github.com/"
+#~ "kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/definitions.html um "
+#~ "zu erfahren, ob ein Feld mutable ist."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new TLS secret named tls-secret with the given key pair:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Erstelle ein neues TLS Secret tl-secret mit dem gegebenen "
+#~ "Schlüsselpaar:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with keys for each file in "
+#~ "folder bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with specified keys instead of "
+#~ "names on disk\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with key1=supersecret and "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Erstelle ein neues Secret my-secret mit einem Key für jede Datei im "
+#~ "Ordner bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Erstelle ein neues Secret my-secret mit den gegebenen Keys statt "
+#~ "der Namen auf der Festplatte\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Erstelle ein neues Scret my-secret mit key1=supersecret und "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t# Create a new ExternalName service named my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+#~ msgstr ""
+#~ "\n"
+#~ "\t# Erstelle einen neuen ExternalName-Service my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs (in headless mode)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+#~ msgstr ""
+#~ "\n"
+#~ "    # Erstelle einen neuen ClusterIP-Service my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Erstelle einen neuen ClusterIP-Service my-cs (im headless-Modus)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new deployment named my-dep that runs the busybox image.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Erstelle ein neues Deployment my-dep, dass das busybox-Image "
+#~ "nutzt.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new nodeport service named my-ns\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Erstelle einen neuen NodePort-Service my-ns\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a clusterIP service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Erstelle einen ClusterIP-Service mit dem gegebenen Namen."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a deployment with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Erstelle ein Deployment mit dem gegebenen Namen."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a nodeport service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Erstelle einen NodePort-Service mit dem gegebenen Namen."
+
+#~ msgid ""
+#~ "\n"
+#~ "  Display addresses of the master and services with label kubernetes.io/"
+#~ "cluster-service=true\n"
+#~ "  To further debug and diagnose cluster problems, use 'kubectl cluster-"
+#~ "info dump'."
+#~ msgstr ""
+#~ "\n"
+#~ "  Zeigt Adressen des Master und von Services mit Label kubernetes.io/"
+#~ "cluster-service=true\n"
+#~ "  Für das weitere Debugging und die Diagnose von Clusterproblemen nutze "
+#~ "'kubectl cluster-info dump'."
+
+#~ msgid "A schedule in the Cron format the job should be run with."
+#~ msgstr "Ein Schedule im Cron Format, dass der Job nutzen soll."
+
+#~ msgid "Apply a configuration to a resource by filename or stdin"
+#~ msgstr ""
+#~ "Wende eine Konfiguration auf eine Resource über den Dateinamen oder stdin "
+#~ "an"
+
+#~ msgid "Auto-scale a Deployment, ReplicaSet, or ReplicationController"
+#~ msgstr "Auto-skaliere ein Deployment, ReplicaSet oder ReplicationController"
+
+#~ msgid ""
+#~ "Container name which will have its image upgraded. Only relevant when --"
+#~ "image is specified, ignored otherwise. Required when using --image on a "
+#~ "multi-container pod"
+#~ msgstr ""
+#~ "Name des Containers dessen Image aktualisiert wird. Nur relevant, wenn --"
+#~ "image angegeben ist, sonst ignoriert. Verpflichtend, wenn --image auf "
+#~ "einem Multi-Container-Pod verwendet wird"
+
+#~ msgid "Create a ClusterRoleBinding for a particular ClusterRole"
+#~ msgstr "Erstelle ein ClusterRoleBinding für eine bestimmte ClusterRole"
+
+#~ msgid "Create a LoadBalancer service."
+#~ msgstr "Erstelle einen LoadBalancer-Service."
+
+#~ msgid "Create a NodePort service."
+#~ msgstr "Erstelle einen NodePort-Service."
+
+#~ msgid "Create a RoleBinding for a particular Role or ClusterRole"
+#~ msgstr "Erstelle ein RoleBinding für eine bestimmte Role oder ClusterRole"
+
+#~ msgid "Create a clusterIP service."
+#~ msgstr "Erstelle einen ClusterIP-Service"
+
+#~ msgid "Create a configmap from a local file, directory or literal value"
+#~ msgstr ""
+#~ "Erstelle eine ConfigMap von einer Datei, einem Ordner oder einem festen "
+#~ "Wert"
+
+#~ msgid "Create a deployment with the specified name."
+#~ msgstr "Erstelle ein Deployment mit dem gegebenen Namen."
+
+#~ msgid "Create a pod disruption budget with the specified name."
+#~ msgstr "Erstelle ein Pod-Disruption-Budget mit dem gegebenen Namen."
+
+#~ msgid "Create a quota with the specified name."
+#~ msgstr "Erstelle eine Quota mit dem gegebenen Namen."
+
+#~ msgid "Create a resource by filename or stdin"
+#~ msgstr "Erstelle eine Resource von einer Datei oder stdin"
+
+#~ msgid "Create a secret from a local file, directory or literal value"
+#~ msgstr ""
+#~ "Erstelle ein Secret von einer lokalen Datei, einem Ordner oder einem "
+#~ "festen Wert"
+
+#~ msgid "Create a service using specified subcommand."
+#~ msgstr "Erstelle einen Servuce mit dem angegebenen Sub-Befehl"
+
+#~ msgid "Create an ExternalName service."
+#~ msgstr "Erstelle einen ExternalName-Service."
+
+#~ msgid ""
+#~ "Delete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector"
+#~ msgstr ""
+#~ "Lösche Resourcen von einer Datei, stdin, resources- und names- oder mit "
+#~ "resources- und label-Selektor"
+
+#~ msgid "Deprecated: Gracefully shut down a resource by name or filename"
+#~ msgstr ""
+#~ "Veraltet: Graziöses herunterfahren einer Resource über den Namen oder "
+#~ "Dateinamen"
+
+#~ msgid "Display Resource (CPU/Memory) usage of nodes"
+#~ msgstr "Zeige Resourcennutzung (CPU/Memory) von Knoten"
+
+#~ msgid "Display Resource (CPU/Memory) usage of pods"
+#~ msgstr "Zeige Resourcennutzung (CPU/Memory) von Pods"
+
+#~ msgid "Display Resource (CPU/Memory) usage."
+#~ msgstr "Zeige Resourcennutzung (CPU/Memory)."
+
+#~ msgid "Display cluster info"
+#~ msgstr "Zeige Cluster-Info"
+
+#~ msgid "Displays the current-context"
+#~ msgstr "Zeige den aktuellen Kontext"
+
+#~ msgid "Documentation of resources"
+#~ msgstr "Dokumentation einer Resource"
+
+#~ msgid "Dump lots of relevant info for debugging and diagnosis"
+#~ msgstr "Zeige viele relevante Informationen für Debugging und Diagnose"
+
+#~ msgid ""
+#~ "Explicit policy for when to pull container images. Required when --image "
+#~ "is same as existing image, ignored otherwise."
+#~ msgstr ""
+#~ "Explizite Vorgabe, wann Container-Images gepullt werden. Verpflichtend, "
+#~ "wenn --image ist gleich dem aktuellen Image ist - sonst ignoriert."
+
+#~ msgid ""
+#~ "IP to assign to the Load Balancer. If empty, an ephemeral IP will be "
+#~ "created and used (cloud-provider specific)."
+#~ msgstr ""
+#~ "IP, die dem Load-Balancer zugewiesen wird. Falls leer, wird eine "
+#~ "temporäre IP erstellt und verwendet (Cloud-Provider spezifisch)"
+
+#~ msgid "Manage a deployment rollout"
+#~ msgstr "Verwalte ein Deployment-Rollout"
+
+#~ msgid "Perform a rolling update of the given ReplicationController"
+#~ msgstr "Führe ein Rolling-Update des gegebenen ReplicationControllers aus"
+
+#~ msgid "Replace a resource by filename or stdin"
+#~ msgstr "Ersetze eine Resource von einem Dateinamen oder stdin"
+
+#~ msgid ""
+#~ "Set a new size for a Deployment, ReplicaSet, Replication Controller, or "
+#~ "Job"
+#~ msgstr ""
+#~ "Setze eine neue Größe für ein Deployment, ReplicaSet, "
+#~ "ReplicationController oder Job"
+
+#~ msgid ""
+#~ "Set the last-applied-configuration annotation on a live object to match "
+#~ "the contents of a file."
+#~ msgstr ""
+#~ "Setze die Annotation Last-Applied-Configuration auf einem Live-Objekt auf "
+#~ "den Inhalt einer Datei."
+
+#~ msgid "Sets a cluster entry in kubeconfig"
+#~ msgstr "Setze einen Cluster-Eintrag in der kubeconfig"
+
+#~ msgid "Sets a context entry in kubeconfig"
+#~ msgstr "Setze einen Kontext-Eintrag in der kubeconfig"
+
+#~ msgid "Sets a user entry in kubeconfig"
+#~ msgstr "Setze einen User-Eintrag in der kubeconfig"
+
+#~ msgid "Sets an individual value in a kubeconfig file"
+#~ msgstr "Setze einen einzelnen Value in einer kubeconfig-Datei"
+
+#~ msgid "Sets the current-context in a kubeconfig file"
+#~ msgstr "Setze den aktuellen Kontext in einer kubeconfig-Datei"
+
+#~ msgid ""
+#~ "Take a replication controller, service, deployment or pod and expose it "
+#~ "as a new Kubernetes Service"
+#~ msgstr ""
+#~ "Nehme einen Replication Controller, Service, Deployment oder Pod und "
+#~ "biete ihn als neuen Kubernetes-Service an"
+
+#~ msgid ""
+#~ "The name of the API generator to use, see http://kubernetes.io/docs/user-"
+#~ "guide/kubectl-conventions/#generators for a list."
+#~ msgstr ""
+#~ "Der Name des zu verwendenden API-Generators. Siehe http://kubernetes.io/"
+#~ "docs/user-guide/kubectl-conventions/#generators für eine Übersicht."
+
+#~ msgid ""
+#~ "The name of the API generator to use. Currently there is only 1 generator."
+#~ msgstr ""
+#~ "Der Name des zu verwendenden API-Generators. Zur Zeit gibt es nur einen "
+#~ "Generator."
+
+#~ msgid ""
+#~ "The name of the generator to use for creating a service.  Only used if --"
+#~ "expose is true"
+#~ msgstr ""
+#~ "Der Name des zu verwendenden Generators, um einen Service zu erstellen. "
+#~ "Wird nur benutzt, wenn --expose true ist"
+
+#~ msgid ""
+#~ "The port that this container exposes.  If --expose is true, this is also "
+#~ "the port used by the service that is created."
+#~ msgstr ""
+#~ "Der Port, den der Container anbietet.  Wenn --expose true ist, ist es "
+#~ "auch der Port, den der zu erstellende Service verwendet"
+
+#~ msgid ""
+#~ "Type for this service: ClusterIP, NodePort, or LoadBalancer. Default is "
+#~ "'ClusterIP'."
+#~ msgstr ""
+#~ "Typ für diesen Service: ClusterIP, NodePort oder LoadBalancer. Standard "
+#~ "ist 'ClusterIP'."
+
+#~ msgid "Update field(s) of a resource using strategic merge patch"
+#~ msgstr "Aktualisiere Felder einer Resource mit einem Strategic-Merge-Patch"
+
+#~ msgid "Update image of a pod template"
+#~ msgstr "Aktualisiere das Image einer Pod-Template"
+
+#~ msgid ""
+#~ "View latest last-applied-configuration annotations of a resource/object"
+#~ msgstr ""
+#~ "Zeige die aktuelle Annotation Last-Applied-Configuration einer Resource / "
+#~ "eines Object"
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/default/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/default/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..77b13524a3
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/default/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/default/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/default/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..609c85d7ce
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/default/LC_MESSAGES/k8s.po
@@ -0,0 +1,5077 @@
+# Test translations for unit tests.
+# Copyright (C) 2016
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR brendan.d.burns@gmail.com, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gettext-go-examples-hello\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2017-05-24 18:01+0800\n"
+"Last-Translator: Brendan Burns <brendan.d.burns@gmail.com>\n"
+"Language-Team: \n"
+"Language: en\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.8.12\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:138
+msgid ""
+"\n"
+"\t\t\t# Approve CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate approve csr-sqgzp\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t\t# Approve CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate approve csr-sqgzp\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:182
+msgid ""
+"\n"
+"\t\t\t# Deny CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate deny csr-sqgzp\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t\t# Deny CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate deny csr-sqgzp\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:43
+msgid ""
+"\n"
+"\t\t\tModify kubeconfig files using subcommands like \"kubectl config set "
+"current-context my-context\"\n"
+"\n"
+"\t\t\tThe loading order follows these rules:\n"
+"\n"
+"\t\t\t1. If the --"
+msgstr ""
+"\n"
+"\t\t\tModify kubeconfig files using subcommands like \"kubectl config set "
+"current-context my-context\"\n"
+"\n"
+"\t\t\tThe loading order follows these rules:\n"
+"\n"
+"\t\t\t1. If the --"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:44
+msgid ""
+"\n"
+"\t\t  # Create a cluster role binding for user1, user2, and group1 using the "
+"cluster-admin cluster role\n"
+"\t\t  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-"
+"admin --user=user1 --user=user2 --group=group1"
+msgstr ""
+"\n"
+"\t\t  # Create a cluster role binding for user1, user2, and group1 using the "
+"cluster-admin cluster role\n"
+"\t\t  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-"
+"admin --user=user1 --user=user2 --group=group1"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:58
+msgid ""
+"\n"
+"\t\t  # Create a new config map named my-config based on folder bar\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config with specified keys instead "
+"of file basenames on disk\n"
+"\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/file1."
+"txt --from-file=key2=/path/to/bar/file2.txt\n"
+"\n"
+"\t\t  # Create a new config map named my-config with key1=config1 and "
+"key2=config2\n"
+"\t\t  kubectl create configmap my-config --from-literal=key1=config1 --from-"
+"literal=key2=config2\n"
+"\n"
+"\t\t  # Create a new config map named my-config from the key=value pairs in "
+"the file\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config from an env file\n"
+"\t\t  kubectl create configmap my-config --from-env-file=path/to/bar.env"
+msgstr ""
+"\n"
+"\t\t  # Create a new config map named my-config based on folder bar\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config with specified keys instead "
+"of file basenames on disk\n"
+"\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/file1."
+"txt --from-file=key2=/path/to/bar/file2.txt\n"
+"\n"
+"\t\t  # Create a new config map named my-config with key1=config1 and "
+"key2=config2\n"
+"\t\t  kubectl create configmap my-config --from-literal=key1=config1 --from-"
+"literal=key2=config2\n"
+"\n"
+"\t\t  # Create a new config map named my-config from the key=value pairs in "
+"the file\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config from an env file\n"
+"\t\t  kubectl create configmap my-config --from-env-file=path/to/bar.env"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:43
+msgid ""
+"\n"
+"\t\t  # Create a role binding for user1, user2, and group1 using the admin "
+"cluster role\n"
+"\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+"user=user2 --group=group1"
+msgstr ""
+"\n"
+"\t\t  # Create a role binding for user1, user2, and group1 using the admin "
+"cluster role\n"
+"\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+"user=user2 --group=group1"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:56
+msgid ""
+"\n"
+"\t\t  # If you don't already have a .dockercfg file, you can create a "
+"dockercfg secret directly by using:\n"
+"\t\t  kubectl create secret docker-registry my-secret --docker-"
+"server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+"password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL\n"
+"\n"
+"\t\t  # Create a new secret named my-secret from ~/.docker/config.json\n"
+"\t\t  kubectl create secret docker-registry my-secret --from-file=."
+"dockerconfigjson=path/to/.docker/config.json"
+msgstr ""
+"\n"
+"\t\t  # If you don't already have a .dockercfg file, you can create a "
+"dockercfg secret directly by using:\n"
+"\t\t  kubectl create secret docker-registry my-secret --docker-"
+"server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+"password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL\n"
+"\n"
+"\t\t  # Create a new secret named my-secret from ~/.docker/config.json\n"
+"\t\t  kubectl create secret docker-registry my-secret --from-file=."
+"dockerconfigjson=path/to/.docker/config.json"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:62
+msgid ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+msgstr ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:45
+msgid ""
+"\n"
+"\t\t# !!!Important Note!!!\n"
+"\t\t# Requires that the 'tar' binary is present in your container\n"
+"\t\t# image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+"\t\t#\n"
+"\t\t# For advanced use cases, such as symlinks, wildcard expansion or\n"
+"\t\t# file mode preservation, consider using 'kubectl exec'.\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\ttar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- "
+"tar xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar "
+"xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in "
+"the default namespace\n"
+"\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific "
+"container\n"
+"\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+msgstr ""
+"\n"
+"\t\t# !!!Important Note!!!\n"
+"\t\t# Requires that the 'tar' binary is present in your container\n"
+"\t\t# image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+"\t\t#\n"
+"\t\t# For advanced use cases, such as symlinks, wildcard expansion or\n"
+"\t\t# file mode preservation, consider using 'kubectl exec'.\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\ttar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- "
+"tar xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar "
+"xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in "
+"the default namespace\n"
+"\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific "
+"container\n"
+"\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:119
+msgid ""
+"\n"
+"\t\t# Apply the configuration in pod.json to a pod\n"
+"\t\tkubectl apply -f ./pod.json\n"
+"\n"
+"\t\t# Apply resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl apply -k dir/\n"
+"\n"
+"\t\t# Apply the JSON passed into stdin to a pod\n"
+"\t\tcat pod.json | kubectl apply -f -\n"
+"\n"
+"\t\t# Note: --prune is still in Alpha\n"
+"\t\t# Apply the configuration in manifest.yaml that matches label app=nginx "
+"and delete all other resources that are not in the file and match label "
+"app=nginx\n"
+"\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+"\n"
+"\t\t# Apply the configuration in manifest.yaml and delete all the other "
+"config maps that are not in the file\n"
+"\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/"
+"ConfigMap"
+msgstr ""
+"\n"
+"\t\t# Apply the configuration in pod.json to a pod\n"
+"\t\tkubectl apply -f ./pod.json\n"
+"\n"
+"\t\t# Apply resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl apply -k dir/\n"
+"\n"
+"\t\t# Apply the JSON passed into stdin to a pod\n"
+"\t\tcat pod.json | kubectl apply -f -\n"
+"\n"
+"\t\t# Note: --prune is still in Alpha\n"
+"\t\t# Apply the configuration in manifest.yaml that matches label app=nginx "
+"and delete all other resources that are not in the file and match label "
+"app=nginx\n"
+"\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+"\n"
+"\t\t# Apply the configuration in manifest.yaml and delete all the other "
+"config maps that are not in the file\n"
+"\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/"
+"ConfigMap"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:48
+#, c-format
+msgid ""
+"\n"
+"\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 and "
+"10, no target CPU utilization specified so a default autoscaling policy will "
+"be used\n"
+"\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+"\n"
+"\t\t# Auto scale a replication controller \"foo\", with the number of pods "
+"between 1 and 5, target CPU utilization at 80%\n"
+"\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+msgstr ""
+"\n"
+"\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 and "
+"10, no target CPU utilization specified so a default autoscaling policy will "
+"be used\n"
+"\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+"\n"
+"\t\t# Auto scale a replication controller \"foo\", with the number of pods "
+"between 1 and 5, target CPU utilization at 80%\n"
+"\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+
+#: pkg/kubectl/cmd/convert/convert.go:51
+msgid ""
+"\n"
+"\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+"\t\tkubectl convert -f pod.yaml\n"
+"\n"
+"\t\t# Convert the live state of the resource specified by 'pod.yaml' to the "
+"latest version\n"
+"\t\t# and print to stdout in JSON format.\n"
+"\t\tkubectl convert -f pod.yaml --local -o json\n"
+"\n"
+"\t\t# Convert all files under current directory to latest version and create "
+"them all.\n"
+"\t\tkubectl convert -f . | kubectl create -f -"
+msgstr ""
+"\n"
+"\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+"\t\tkubectl convert -f pod.yaml\n"
+"\n"
+"\t\t# Convert the live state of the resource specified by 'pod.yaml' to the "
+"latest version\n"
+"\t\t# and print to stdout in JSON format.\n"
+"\t\tkubectl convert -f pod.yaml --local -o json\n"
+"\n"
+"\t\t# Convert all files under current directory to latest version and create "
+"them all.\n"
+"\t\tkubectl convert -f . | kubectl create -f -"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:41
+msgid ""
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" that allows user to perform "
+"\"get\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" with ResourceName "
+"specified\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get --resource=pods --"
+"resource-name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with API Group specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=rs."
+"extensions\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=pods,"
+"pods/status\n"
+"\n"
+"\t\t# Create a cluster role name \"foo\" with NonResourceURL specified\n"
+"\t\tkubectl create clusterrole \"foo\" --verb=get --non-resource-url=/logs/"
+"*\n"
+"\n"
+"\t\t# Create a cluster role name \"monitoring\" with AggregationRule "
+"specified\n"
+"\t\tkubectl create clusterrole monitoring --aggregation-rule=\"rbac.example."
+"com/aggregate-to-monitoring=true\""
+msgstr ""
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" that allows user to perform "
+"\"get\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" with ResourceName "
+"specified\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get --resource=pods --"
+"resource-name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with API Group specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=rs."
+"extensions\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=pods,"
+"pods/status\n"
+"\n"
+"\t\t# Create a cluster role name \"foo\" with NonResourceURL specified\n"
+"\t\tkubectl create clusterrole \"foo\" --verb=get --non-resource-url=/logs/"
+"*\n"
+"\n"
+"\t\t# Create a cluster role name \"monitoring\" with AggregationRule "
+"specified\n"
+"\t\tkubectl create clusterrole monitoring --aggregation-rule=\"rbac.example."
+"com/aggregate-to-monitoring=true\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:43
+msgid ""
+"\n"
+"\t\t# Create a job\n"
+"\t\tkubectl create job my-job --image=busybox\n"
+"\n"
+"\t\t# Create a job with a command\n"
+"\t\tkubectl create job my-job --image=busybox -- date\n"
+"\n"
+"\t\t# Create a job from a cron job named \"a-cronjob\"\n"
+"\t\tkubectl create job test-job --from=cronjob/a-cronjob"
+msgstr ""
+"\n"
+"\t\t# Create a job\n"
+"\t\tkubectl create job my-job --image=busybox\n"
+"\n"
+"\t\t# Create a job with a command\n"
+"\t\tkubectl create job my-job --image=busybox -- date\n"
+"\n"
+"\t\t# Create a job from a cron job named \"a-cronjob\"\n"
+"\t\tkubectl create job test-job --from=cronjob/a-cronjob"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:44
+msgid ""
+"\n"
+"\t\t# Create a new resource quota named my-quota\n"
+"\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,"
+"replicationcontrollers=2,resourcequotas=1,secrets=5,"
+"persistentvolumeclaims=10\n"
+"\n"
+"\t\t# Create a new resource quota named best-effort\n"
+"\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+msgstr ""
+"\n"
+"\t\t# Create a new resource quota named my-quota\n"
+"\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,"
+"replicationcontrollers=2,resourcequotas=1,secrets=5,"
+"persistentvolumeclaims=10\n"
+"\n"
+"\t\t# Create a new resource quota named best-effort\n"
+"\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:44
+#, c-format
+msgid ""
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=rails label\n"
+"\t\t# and require at least one of them being available at any point in time\n"
+"\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+"available=1\n"
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=nginx label\n"
+"\t\t# and require at least half of the pods selected to be available at any "
+"point in time\n"
+"\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+msgstr ""
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=rails label\n"
+"\t\t# and require at least one of them being available at any point in time\n"
+"\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+"available=1\n"
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=nginx label\n"
+"\t\t# and require at least half of the pods selected to be available at any "
+"point in time\n"
+"\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:76
+msgid ""
+"\n"
+"\t\t# Create a pod using the data in pod.json\n"
+"\t\tkubectl create -f ./pod.json\n"
+"\n"
+"\t\t# Create a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl create -f -\n"
+"\n"
+"\t\t# Edit the data in docker-registry.yaml in JSON then create the resource "
+"using the edited data\n"
+"\t\tkubectl create -f docker-registry.yaml --edit -o json"
+msgstr ""
+"\n"
+"\t\t# Create a pod using the data in pod.json\n"
+"\t\tkubectl create -f ./pod.json\n"
+"\n"
+"\t\t# Create a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl create -f -\n"
+"\n"
+"\t\t# Edit the data in docker-registry.yaml in JSON then create the resource "
+"using the edited data\n"
+"\t\tkubectl create -f docker-registry.yaml --edit -o json"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:43
+msgid ""
+"\n"
+"\t\t# Create a priority class named high-priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --description="
+"\"high priority\"\n"
+"\n"
+"\t\t# Create a priority class named default-priority that is considered as "
+"the global default priority\n"
+"\t\tkubectl create priorityclass default-priority --value=1000 --global-"
+"default=true --description=\"default priority\"\n"
+"\n"
+"\t\t# Create a priority class named high-priority that cannot preempt pods "
+"with lower priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --description="
+"\"high priority\" --preemption-policy=\"Never\""
+msgstr ""
+"\n"
+"\t\t# Create a priority class named high-priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --description="
+"\"high priority\"\n"
+"\n"
+"\t\t# Create a priority class named default-priority that is considered as "
+"the global default priority\n"
+"\t\tkubectl create priorityclass default-priority --value=1000 --global-"
+"default=true --description=\"default priority\"\n"
+"\n"
+"\t\t# Create a priority class named high-priority that cannot preempt pods "
+"with lower priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --description="
+"\"high priority\" --preemption-policy=\"Never\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:46
+msgid ""
+"\n"
+"\t\t# Create a role named \"pod-reader\" that allows user to perform \"get"
+"\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a role named \"pod-reader\" with ResourceName specified\n"
+"\t\tkubectl create role pod-reader --verb=get --resource=pods --resource-"
+"name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a role named \"foo\" with API Group specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=rs.extensions\n"
+"\n"
+"\t\t# Create a role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=pods,pods/status"
+msgstr ""
+"\n"
+"\t\t# Create a role named \"pod-reader\" that allows user to perform \"get"
+"\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a role named \"pod-reader\" with ResourceName specified\n"
+"\t\tkubectl create role pod-reader --verb=get --resource=pods --resource-"
+"name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a role named \"foo\" with API Group specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=rs.extensions\n"
+"\n"
+"\t\t# Create a role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=pods,pods/status"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:61
+msgid ""
+"\n"
+"\t\t# Create a service for a replicated nginx, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a replication controller identified by type and "
+"name specified in \"nginx-controller.yaml\", which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+"the name \"frontend\"\n"
+"\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+"\n"
+"\t\t# Create a second service based on the above service, exposing the "
+"container port 8443 as port 443 with the name \"nginx-https\"\n"
+"\t\tkubectl expose service nginx --port=443 --target-port=8443 --name=nginx-"
+"https\n"
+"\n"
+"\t\t# Create a service for a replicated streaming application on port 4100 "
+"balancing UDP traffic and named 'video-stream'.\n"
+"\t\tkubectl expose rc streamer --port=4100 --protocol=UDP --name=video-"
+"stream\n"
+"\n"
+"\t\t# Create a service for a replicated nginx using replica set, which "
+"serves on port 80 and connects to the containers on port 8000\n"
+"\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for an nginx deployment, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+msgstr ""
+"\n"
+"\t\t# Create a service for a replicated nginx, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a replication controller identified by type and "
+"name specified in \"nginx-controller.yaml\", which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+"the name \"frontend\"\n"
+"\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+"\n"
+"\t\t# Create a second service based on the above service, exposing the "
+"container port 8443 as port 443 with the name \"nginx-https\"\n"
+"\t\tkubectl expose service nginx --port=443 --target-port=8443 --name=nginx-"
+"https\n"
+"\n"
+"\t\t# Create a service for a replicated streaming application on port 4100 "
+"balancing UDP traffic and named 'video-stream'.\n"
+"\t\tkubectl expose rc streamer --port=4100 --protocol=UDP --name=video-"
+"stream\n"
+"\n"
+"\t\t# Create a service for a replicated nginx using replica set, which "
+"serves on port 80 and connects to the containers on port 8000\n"
+"\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for an nginx deployment, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:64
+msgid ""
+"\n"
+"\t\t# Create a single ingress called 'simple' that directs requests to foo."
+"com/bar to svc\n"
+"\t\t# svc1:8080 with a tls secret \"my-cert\"\n"
+"\t\tkubectl create ingress simple --rule=\"foo.com/bar=svc1:8080,tls=my-cert"
+"\"\n"
+"\n"
+"\t\t# Create a catch all ingress of \"/path\" pointing to service svc:port "
+"and Ingress Class as \"otheringress\"\n"
+"\t\tkubectl create ingress catch-all --class=otheringress --rule=\"/path=svc:"
+"port\"\n"
+"\n"
+"\t\t# Create an ingress with two annotations: ingress.annotation1 and "
+"ingress.annotations2\n"
+"\t\tkubectl create ingress annotated --class=default --rule=\"foo.com/"
+"bar=svc:port\" \\n\t\t\t--annotation ingress.annotation1=foo \\n\t\t\t--"
+"annotation ingress.annotation2=bla\n"
+"\n"
+"\t\t# Create an ingress with the same host and multiple paths\n"
+"\t\tkubectl create ingress multipath --class=default \\n\t\t\t--rule=\"foo."
+"com/=svc:port\" \\n\t\t\t--rule=\"foo.com/admin/=svcadmin:portadmin\"\n"
+"\n"
+"\t\t# Create an ingress with multiple hosts and the pathType as Prefix\n"
+"\t\tkubectl create ingress ingress1 --class=default \\n\t\t\t--rule=\"foo."
+"com/path*=svc:8080\" \\n\t\t\t--rule=\"bar.com/admin*=svc2:http\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using the default ingress "
+"certificate and different path types\n"
+"\t\tkubectl create ingress ingtls --class=default \\n\t\t   --rule=\"foo.com/"
+"=svc:https,tls\" \\n\t\t   --rule=\"foo.com/path/subpath*=othersvc:8080\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using a specific secret and "
+"pathType as Prefix\n"
+"\t\tkubectl create ingress ingsecret --class=default \\n\t\t   --rule=\"foo."
+"com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t# Create an ingress with a default backend\n"
+"\t\tkubectl create ingress ingdefault --class=default \\n\t\t   --default-"
+"backend=defaultsvc:http \\n\t\t   --rule=\"foo.com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t# Create a single ingress called 'simple' that directs requests to foo."
+"com/bar to svc\n"
+"\t\t# svc1:8080 with a tls secret \"my-cert\"\n"
+"\t\tkubectl create ingress simple --rule=\"foo.com/bar=svc1:8080,tls=my-cert"
+"\"\n"
+"\n"
+"\t\t# Create a catch all ingress of \"/path\" pointing to service svc:port "
+"and Ingress Class as \"otheringress\"\n"
+"\t\tkubectl create ingress catch-all --class=otheringress --rule=\"/path=svc:"
+"port\"\n"
+"\n"
+"\t\t# Create an ingress with two annotations: ingress.annotation1 and "
+"ingress.annotations2\n"
+"\t\tkubectl create ingress annotated --class=default --rule=\"foo.com/"
+"bar=svc:port\" \\n\t\t\t--annotation ingress.annotation1=foo \\n\t\t\t--"
+"annotation ingress.annotation2=bla\n"
+"\n"
+"\t\t# Create an ingress with the same host and multiple paths\n"
+"\t\tkubectl create ingress multipath --class=default \\n\t\t\t--rule=\"foo."
+"com/=svc:port\" \\n\t\t\t--rule=\"foo.com/admin/=svcadmin:portadmin\"\n"
+"\n"
+"\t\t# Create an ingress with multiple hosts and the pathType as Prefix\n"
+"\t\tkubectl create ingress ingress1 --class=default \\n\t\t\t--rule=\"foo."
+"com/path*=svc:8080\" \\n\t\t\t--rule=\"bar.com/admin*=svc2:http\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using the default ingress "
+"certificate and different path types\n"
+"\t\tkubectl create ingress ingtls --class=default \\n\t\t   --rule=\"foo.com/"
+"=svc:https,tls\" \\n\t\t   --rule=\"foo.com/path/subpath*=othersvc:8080\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using a specific secret and "
+"pathType as Prefix\n"
+"\t\tkubectl create ingress ingsecret --class=default \\n\t\t   --rule=\"foo."
+"com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t# Create an ingress with a default backend\n"
+"\t\tkubectl create ingress ingdefault --class=default \\n\t\t   --default-"
+"backend=defaultsvc:http \\n\t\t   --rule=\"foo.com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:74
+msgid ""
+"\n"
+"\t\t# Create an interactive debugging session in pod mypod and immediately "
+"attach to it.\n"
+"\t\tkubectl debug mypod -it --image=busybox\n"
+"\n"
+"\t\t# Create a debug container named debugger using a custom automated "
+"debugging image.\n"
+"\t\tkubectl debug --image=myproj/debug-tools -c debugger mypod\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and attach to it\n"
+"\t\tkubectl debug mypod -it --image=busybox --copy-to=my-debugger\n"
+"\n"
+"\t\t# Create a copy of mypod changing the command of mycontainer\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --container=mycontainer -- "
+"sh\n"
+"\n"
+"\t\t# Create a copy of mypod changing all container images to busybox\n"
+"\t\tkubectl debug mypod --copy-to=my-debugger --set-image=*=busybox\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and changing container "
+"images\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --image=debian --set-"
+"image=app=app:debug,sidecar=sidecar:debug\n"
+"\n"
+"\t\t# Create an interactive debugging session on a node and immediately "
+"attach to it.\n"
+"\t\t# The container will run in the host namespaces and the host's "
+"filesystem will be mounted at /host\n"
+"\t\tkubectl debug node/mynode -it --image=busybox\n"
+msgstr ""
+"\n"
+"\t\t# Create an interactive debugging session in pod mypod and immediately "
+"attach to it.\n"
+"\t\tkubectl debug mypod -it --image=busybox\n"
+"\n"
+"\t\t# Create a debug container named debugger using a custom automated "
+"debugging image.\n"
+"\t\tkubectl debug --image=myproj/debug-tools -c debugger mypod\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and attach to it\n"
+"\t\tkubectl debug mypod -it --image=busybox --copy-to=my-debugger\n"
+"\n"
+"\t\t# Create a copy of mypod changing the command of mycontainer\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --container=mycontainer -- "
+"sh\n"
+"\n"
+"\t\t# Create a copy of mypod changing all container images to busybox\n"
+"\t\tkubectl debug mypod --copy-to=my-debugger --set-image=*=busybox\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and changing container "
+"images\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --image=debian --set-"
+"image=app=app:debug,sidecar=sidecar:debug\n"
+"\n"
+"\t\t# Create an interactive debugging session on a node and immediately "
+"attach to it.\n"
+"\t\t# The container will run in the host namespaces and the host's "
+"filesystem will be mounted at /host\n"
+"\t\tkubectl debug node/mynode -it --image=busybox\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:74
+msgid ""
+"\n"
+"\t\t# Delete a pod using the type and name specified in pod.json\n"
+"\t\tkubectl delete -f ./pod.json\n"
+"\n"
+"\t\t# Delete resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl delete -k dir\n"
+"\n"
+"\t\t# Delete a pod based on the type and name in the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl delete -f -\n"
+"\n"
+"\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+"\t\tkubectl delete pod,service baz foo\n"
+"\n"
+"\t\t# Delete pods and services with label name=myLabel\n"
+"\t\tkubectl delete pods,services -l name=myLabel\n"
+"\n"
+"\t\t# Delete a pod with minimal delay\n"
+"\t\tkubectl delete pod foo --now\n"
+"\n"
+"\t\t# Force delete a pod on a dead node\n"
+"\t\tkubectl delete pod foo --force\n"
+"\n"
+"\t\t# Delete all pods\n"
+"\t\tkubectl delete pods --all"
+msgstr ""
+"\n"
+"\t\t# Delete a pod using the type and name specified in pod.json\n"
+"\t\tkubectl delete -f ./pod.json\n"
+"\n"
+"\t\t# Delete resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl delete -k dir\n"
+"\n"
+"\t\t# Delete a pod based on the type and name in the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl delete -f -\n"
+"\n"
+"\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+"\t\tkubectl delete pod,service baz foo\n"
+"\n"
+"\t\t# Delete pods and services with label name=myLabel\n"
+"\t\tkubectl delete pods,services -l name=myLabel\n"
+"\n"
+"\t\t# Delete a pod with minimal delay\n"
+"\t\tkubectl delete pod foo --now\n"
+"\n"
+"\t\t# Force delete a pod on a dead node\n"
+"\t\tkubectl delete pod foo --force\n"
+"\n"
+"\t\t# Delete all pods\n"
+"\t\tkubectl delete pods --all"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:51
+msgid ""
+"\n"
+"\t\t# Describe a node\n"
+"\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+"\n"
+"\t\t# Describe a pod\n"
+"\t\tkubectl describe pods/nginx\n"
+"\n"
+"\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+"\t\tkubectl describe -f pod.json\n"
+"\n"
+"\t\t# Describe all pods\n"
+"\t\tkubectl describe pods\n"
+"\n"
+"\t\t# Describe pods by label name=myLabel\n"
+"\t\tkubectl describe po -l name=myLabel\n"
+"\n"
+"\t\t# Describe all pods managed by the 'frontend' replication controller (rc-"
+"created pods\n"
+"\t\t# get the name of the rc as a prefix in the pod the name)\n"
+"\t\tkubectl describe pods frontend"
+msgstr ""
+"\n"
+"\t\t# Describe a node\n"
+"\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+"\n"
+"\t\t# Describe a pod\n"
+"\t\tkubectl describe pods/nginx\n"
+"\n"
+"\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+"\t\tkubectl describe -f pod.json\n"
+"\n"
+"\t\t# Describe all pods\n"
+"\t\tkubectl describe pods\n"
+"\n"
+"\t\t# Describe pods by label name=myLabel\n"
+"\t\tkubectl describe po -l name=myLabel\n"
+"\n"
+"\t\t# Describe all pods managed by the 'frontend' replication controller (rc-"
+"created pods\n"
+"\t\t# get the name of the rc as a prefix in the pod the name)\n"
+"\t\tkubectl describe pods frontend"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:76
+msgid ""
+"\n"
+"\t\t# Diff resources included in pod.json\n"
+"\t\tkubectl diff -f pod.json\n"
+"\n"
+"\t\t# Diff file read from stdin\n"
+"\t\tcat service.yaml | kubectl diff -f -"
+msgstr ""
+"\n"
+"\t\t# Diff resources included in pod.json\n"
+"\t\tkubectl diff -f pod.json\n"
+"\n"
+"\t\t# Diff file read from stdin\n"
+"\t\tcat service.yaml | kubectl diff -f -"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:138
+msgid ""
+"\n"
+"\t\t# Drain node \"foo\", even if there are pods not managed by a "
+"replication controller, replica set, job, daemon set or stateful set on it\n"
+"\t\tkubectl drain foo --force\n"
+"\n"
+"\t\t# As above, but abort if there are pods not managed by a replication "
+"controller, replica set, job, daemon set or stateful set, and use a grace "
+"period of 15 minutes\n"
+"\t\tkubectl drain foo --grace-period=900"
+msgstr ""
+"\n"
+"\t\t# Drain node \"foo\", even if there are pods not managed by a "
+"replication controller, replica set, job, daemon set or stateful set on it\n"
+"\t\tkubectl drain foo --force\n"
+"\n"
+"\t\t# As above, but abort if there are pods not managed by a replication "
+"controller, replica set, job, daemon set or stateful set, and use a grace "
+"period of 15 minutes\n"
+"\t\tkubectl drain foo --grace-period=900"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:55
+msgid ""
+"\n"
+"\t\t# Edit the service named 'docker-registry'\n"
+"\t\tkubectl edit svc/docker-registry\n"
+"\n"
+"\t\t# Use an alternative editor\n"
+"\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+"\n"
+"\t\t# Edit the job 'myjob' in JSON using the v1 API format\n"
+"\t\tkubectl edit job.v1.batch/myjob -o json\n"
+"\n"
+"\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+"config in its annotation\n"
+"\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+msgstr ""
+"\n"
+"\t\t# Edit the service named 'docker-registry'\n"
+"\t\tkubectl edit svc/docker-registry\n"
+"\n"
+"\t\t# Use an alternative editor\n"
+"\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+"\n"
+"\t\t# Edit the job 'myjob' in JSON using the v1 API format\n"
+"\t\tkubectl edit job.v1.batch/myjob -o json\n"
+"\n"
+"\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+"config in its annotation\n"
+"\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:44
+msgid ""
+"\n"
+"\t\t# Get output from running pod mypod; use the 'kubectl.kubernetes.io/"
+"default-container' annotation\n"
+"\t\t# for selecting the container to be attached or the first container in "
+"the pod will be chosen\n"
+"\t\tkubectl attach mypod\n"
+"\n"
+"\t\t# Get output from ruby-container from pod mypod\n"
+"\t\tkubectl attach mypod -c ruby-container\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl attach mypod -c ruby-container -i -t\n"
+"\n"
+"\t\t# Get output from the first pod of a replica set named nginx\n"
+"\t\tkubectl attach rs/nginx\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t# Get output from running pod mypod; use the 'kubectl.kubernetes.io/"
+"default-container' annotation\n"
+"\t\t# for selecting the container to be attached or the first container in "
+"the pod will be chosen\n"
+"\t\tkubectl attach mypod\n"
+"\n"
+"\t\t# Get output from ruby-container from pod mypod\n"
+"\t\tkubectl attach mypod -c ruby-container\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl attach mypod -c ruby-container -i -t\n"
+"\n"
+"\t\t# Get output from the first pod of a replica set named nginx\n"
+"\t\tkubectl attach rs/nginx\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:48
+msgid ""
+"\n"
+"\t\t# Get output from running the 'date' command from pod mypod, using the "
+"first container by default\n"
+"\t\tkubectl exec mypod -- date\n"
+"\n"
+"\t\t# Get output from running the 'date' command in ruby-container from pod "
+"mypod\n"
+"\t\tkubectl exec mypod -c ruby-container -- date\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl exec mypod -c ruby-container -i -t -- bash -il\n"
+"\n"
+"\t\t# List contents of /usr from the first container of pod mypod and sort "
+"by modification time\n"
+"\t\t# If the command you want to execute in the pod has any flags in common "
+"(e.g. -i),\n"
+"\t\t# you must use two dashes (--) to separate your command's flags/"
+"arguments\n"
+"\t\t# Also note, do not surround your command and its flags/arguments with "
+"quotes\n"
+"\t\t# unless that is how you would execute it normally (i.e., do ls -t /usr, "
+"not \"ls -t /usr\")\n"
+"\t\tkubectl exec mypod -i -t -- ls -t /usr\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"deployment mydeployment, using the first container by default\n"
+"\t\tkubectl exec deploy/mydeployment -- date\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"service myservice, using the first container by default\n"
+"\t\tkubectl exec svc/myservice -- date\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t# Get output from running the 'date' command from pod mypod, using the "
+"first container by default\n"
+"\t\tkubectl exec mypod -- date\n"
+"\n"
+"\t\t# Get output from running the 'date' command in ruby-container from pod "
+"mypod\n"
+"\t\tkubectl exec mypod -c ruby-container -- date\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl exec mypod -c ruby-container -i -t -- bash -il\n"
+"\n"
+"\t\t# List contents of /usr from the first container of pod mypod and sort "
+"by modification time\n"
+"\t\t# If the command you want to execute in the pod has any flags in common "
+"(e.g. -i),\n"
+"\t\t# you must use two dashes (--) to separate your command's flags/"
+"arguments\n"
+"\t\t# Also note, do not surround your command and its flags/arguments with "
+"quotes\n"
+"\t\t# unless that is how you would execute it normally (i.e., do ls -t /usr, "
+"not \"ls -t /usr\")\n"
+"\t\tkubectl exec mypod -i -t -- ls -t /usr\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"deployment mydeployment, using the first container by default\n"
+"\t\tkubectl exec deploy/mydeployment -- date\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"service myservice, using the first container by default\n"
+"\t\tkubectl exec svc/myservice -- date\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:46
+msgid ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+msgstr ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:65
+msgid ""
+"\n"
+"\t\t# Installing bash completion on macOS using homebrew\n"
+"\t\t## If running Bash 3.2 included with macOS\n"
+"\t\t    brew install bash-completion\n"
+"\t\t## or, if running Bash 4.1+\n"
+"\t\t    brew install bash-completion@2\n"
+"\t\t## If kubectl is installed via homebrew, this should start working "
+"immediately\n"
+"\t\t## If you've installed via other means, you may need add the completion "
+"to your completion directory\n"
+"\t\t    kubectl completion bash > $(brew --prefix)/etc/bash_completion.d/"
+"kubectl\n"
+"\n"
+"\n"
+"\t\t# Installing bash completion on Linux\n"
+"\t\t## If bash-completion is not installed on Linux, install the 'bash-"
+"completion' package\n"
+"\t\t## via your distribution's package manager.\n"
+"\t\t## Load the kubectl completion code for bash into the current shell\n"
+"\t\t    source <(kubectl completion bash)\n"
+"\t\t## Write bash completion code to a file and source it from ."
+"bash_profile\n"
+"\t\t    kubectl completion bash > ~/.kube/completion.bash.inc\n"
+"\t\t    printf \"\n"
+"\t\t      # Kubectl shell completion\n"
+"\t\t      source '$HOME/.kube/completion.bash.inc'\n"
+"\t\t      \" >> $HOME/.bash_profile\n"
+"\t\t    source $HOME/.bash_profile\n"
+"\n"
+"\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+"\t\t    source <(kubectl completion zsh)\n"
+"\t\t# Set the kubectl completion code for zsh[1] to autoload on startup\n"
+"\t\t    kubectl completion zsh > \"${fpath[1]}/_kubectl\""
+msgstr ""
+"\n"
+"\t\t# Installing bash completion on macOS using homebrew\n"
+"\t\t## If running Bash 3.2 included with macOS\n"
+"\t\t    brew install bash-completion\n"
+"\t\t## or, if running Bash 4.1+\n"
+"\t\t    brew install bash-completion@2\n"
+"\t\t## If kubectl is installed via homebrew, this should start working "
+"immediately\n"
+"\t\t## If you've installed via other means, you may need add the completion "
+"to your completion directory\n"
+"\t\t    kubectl completion bash > $(brew --prefix)/etc/bash_completion.d/"
+"kubectl\n"
+"\n"
+"\n"
+"\t\t# Installing bash completion on Linux\n"
+"\t\t## If bash-completion is not installed on Linux, install the 'bash-"
+"completion' package\n"
+"\t\t## via your distribution's package manager.\n"
+"\t\t## Load the kubectl completion code for bash into the current shell\n"
+"\t\t    source <(kubectl completion bash)\n"
+"\t\t## Write bash completion code to a file and source it from ."
+"bash_profile\n"
+"\t\t    kubectl completion bash > ~/.kube/completion.bash.inc\n"
+"\t\t    printf \"\n"
+"\t\t      # Kubectl shell completion\n"
+"\t\t      source '$HOME/.kube/completion.bash.inc'\n"
+"\t\t      \" >> $HOME/.bash_profile\n"
+"\t\t    source $HOME/.bash_profile\n"
+"\n"
+"\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+"\t\t    source <(kubectl completion zsh)\n"
+"\t\t# Set the kubectl completion code for zsh[1] to autoload on startup\n"
+"\t\t    kubectl completion zsh > \"${fpath[1]}/_kubectl\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:105
+msgid ""
+"\n"
+"\t\t# List all pods in ps output format\n"
+"\t\tkubectl get pods\n"
+"\n"
+"\t\t# List all pods in ps output format with more information (such as node "
+"name)\n"
+"\t\tkubectl get pods -o wide\n"
+"\n"
+"\t\t# List a single replication controller with specified NAME in ps output "
+"format\n"
+"\t\tkubectl get replicationcontroller web\n"
+"\n"
+"\t\t# List deployments in JSON output format, in the \"v1\" version of the "
+"\"apps\" API group\n"
+"\t\tkubectl get deployments.v1.apps -o json\n"
+"\n"
+"\t\t# List a single pod in JSON output format\n"
+"\t\tkubectl get -o json pod web-pod-13je7\n"
+"\n"
+"\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+"JSON output format\n"
+"\t\tkubectl get -f pod.yaml -o json\n"
+"\n"
+"\t\t# List resources from a directory with kustomization.yaml - e.g. dir/"
+"kustomization.yaml\n"
+"\t\tkubectl get -k dir/\n"
+"\n"
+"\t\t# Return only the phase value of the specified pod\n"
+"\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status.phase}}\n"
+"\n"
+"\t\t# List resource information in custom columns\n"
+"\t\tkubectl get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0]."
+"name,IMAGE:.spec.containers[0].image\n"
+"\n"
+"\t\t# List all replication controllers and services together in ps output "
+"format\n"
+"\t\tkubectl get rc,services\n"
+"\n"
+"\t\t# List one or more resources by their type and names\n"
+"\t\tkubectl get rc/web service/frontend pods/web-pod-13je7"
+msgstr ""
+"\n"
+"\t\t# List all pods in ps output format\n"
+"\t\tkubectl get pods\n"
+"\n"
+"\t\t# List all pods in ps output format with more information (such as node "
+"name)\n"
+"\t\tkubectl get pods -o wide\n"
+"\n"
+"\t\t# List a single replication controller with specified NAME in ps output "
+"format\n"
+"\t\tkubectl get replicationcontroller web\n"
+"\n"
+"\t\t# List deployments in JSON output format, in the \"v1\" version of the "
+"\"apps\" API group\n"
+"\t\tkubectl get deployments.v1.apps -o json\n"
+"\n"
+"\t\t# List a single pod in JSON output format\n"
+"\t\tkubectl get -o json pod web-pod-13je7\n"
+"\n"
+"\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+"JSON output format\n"
+"\t\tkubectl get -f pod.yaml -o json\n"
+"\n"
+"\t\t# List resources from a directory with kustomization.yaml - e.g. dir/"
+"kustomization.yaml\n"
+"\t\tkubectl get -k dir/\n"
+"\n"
+"\t\t# Return only the phase value of the specified pod\n"
+"\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status.phase}}\n"
+"\n"
+"\t\t# List resource information in custom columns\n"
+"\t\tkubectl get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0]."
+"name,IMAGE:.spec.containers[0].image\n"
+"\n"
+"\t\t# List all replication controllers and services together in ps output "
+"format\n"
+"\t\tkubectl get rc,services\n"
+"\n"
+"\t\t# List one or more resources by their type and names\n"
+"\t\tkubectl get rc/web service/frontend pods/web-pod-13je7"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:72
+msgid ""
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 5000 6000\n"
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in a pod selected by the deployment\n"
+"\t\tkubectl port-forward deployment/mydeployment 5000 6000\n"
+"\n"
+"\t\t# Listen on port 8443 locally, forwarding to the targetPort of the "
+"service's port named \"https\" in a pod selected by the service\n"
+"\t\tkubectl port-forward service/myservice 8443:https\n"
+"\n"
+"\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on all addresses, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on localhost and selected IP, forwarding to 5000 "
+"in the pod\n"
+"\t\tkubectl port-forward --address localhost,10.19.21.23 pod/mypod "
+"8888:5000\n"
+"\n"
+"\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod :5000"
+msgstr ""
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 5000 6000\n"
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in a pod selected by the deployment\n"
+"\t\tkubectl port-forward deployment/mydeployment 5000 6000\n"
+"\n"
+"\t\t# Listen on port 8443 locally, forwarding to the targetPort of the "
+"service's port named \"https\" in a pod selected by the service\n"
+"\t\tkubectl port-forward service/myservice 8443:https\n"
+"\n"
+"\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on all addresses, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on localhost and selected IP, forwarding to 5000 "
+"in the pod\n"
+"\t\tkubectl port-forward --address localhost,10.19.21.23 pod/mypod "
+"8888:5000\n"
+"\n"
+"\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod :5000"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:87
+msgid ""
+"\n"
+"\t\t# Mark node \"foo\" as schedulable\n"
+"\t\tkubectl uncordon foo"
+msgstr ""
+"\n"
+"\t\t# Mark node \"foo\" as schedulable\n"
+"\t\tkubectl uncordon foo"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:58
+msgid ""
+"\n"
+"\t\t# Mark node \"foo\" as unschedulable\n"
+"\t\tkubectl cordon foo"
+msgstr ""
+"\n"
+"\t\t# Mark node \"foo\" as unschedulable\n"
+"\t\tkubectl cordon foo"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:83
+msgid ""
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as JSON\n"
+"\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as YAML\n"
+"\t\tkubectl patch node k8s-node-1 -p $'spec:\n"
+" unschedulable: true'\n"
+"\n"
+"\t\t# Partially update a node identified by the type and name specified in "
+"\"node.json\" using strategic merge patch\n"
+"\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Update a container's image; spec.containers[*].name is required "
+"because it's a merge key\n"
+"\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+"\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+"\n"
+"\t\t# Update a container's image using a JSON patch with positional arrays\n"
+"\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+"\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+msgstr ""
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as JSON\n"
+"\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as YAML\n"
+"\t\tkubectl patch node k8s-node-1 -p $'spec:\n"
+" unschedulable: true'\n"
+"\n"
+"\t\t# Partially update a node identified by the type and name specified in "
+"\"node.json\" using strategic merge patch\n"
+"\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Update a container's image; spec.containers[*].name is required "
+"because it's a merge key\n"
+"\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+"\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+"\n"
+"\t\t# Update a container's image using a JSON patch with positional arrays\n"
+"\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+"\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/options.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:29
+msgid ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+msgstr ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:44
+msgid ""
+"\n"
+"\t\t# Print the address of the control plane and cluster services\n"
+"\t\tkubectl cluster-info"
+msgstr ""
+"\n"
+"\t\t# Print the address of the control plane and cluster services\n"
+"\t\tkubectl cluster-info"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/version.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:44
+msgid ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+msgstr ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:34
+msgid ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+msgstr ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:56
+msgid ""
+"\n"
+"\t\t# Replace a pod using the data in pod.json\n"
+"\t\tkubectl replace -f ./pod.json\n"
+"\n"
+"\t\t# Replace a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl replace -f -\n"
+"\n"
+"\t\t# Update a single-container pod's image version (tag) to v4\n"
+"\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' | "
+"kubectl replace -f -\n"
+"\n"
+"\t\t# Force replace, delete and then re-create the resource\n"
+"\t\tkubectl replace --force -f ./pod.json"
+msgstr ""
+"\n"
+"\t\t# Replace a pod using the data in pod.json\n"
+"\t\tkubectl replace -f ./pod.json\n"
+"\n"
+"\t\t# Replace a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl replace -f -\n"
+"\n"
+"\t\t# Update a single-container pod's image version (tag) to v4\n"
+"\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' | "
+"kubectl replace -f -\n"
+"\n"
+"\t\t# Force replace, delete and then re-create the resource\n"
+"\t\tkubectl replace --force -f ./pod.json"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:53
+msgid ""
+"\n"
+"\t\t# Return snapshot logs from pod nginx with only one container\n"
+"\t\tkubectl logs nginx\n"
+"\n"
+"\t\t# Return snapshot logs from pod nginx with multi containers\n"
+"\t\tkubectl logs nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot of previous terminated ruby container logs from pod "
+"web-1\n"
+"\t\tkubectl logs -p -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+"\t\tkubectl logs -f -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -f -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+"\t\tkubectl logs --tail=20 nginx\n"
+"\n"
+"\t\t# Show all logs from pod nginx written in the last hour\n"
+"\t\tkubectl logs --since=1h nginx\n"
+"\n"
+"\t\t# Show logs from a kubelet with an expired serving certificate\n"
+"\t\tkubectl logs --insecure-skip-tls-verify-backend nginx\n"
+"\n"
+"\t\t# Return snapshot logs from first container of a job named hello\n"
+"\t\tkubectl logs job/hello\n"
+"\n"
+"\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+"nginx\n"
+"\t\tkubectl logs deployment/nginx -c nginx-1"
+msgstr ""
+"\n"
+"\t\t# Return snapshot logs from pod nginx with only one container\n"
+"\t\tkubectl logs nginx\n"
+"\n"
+"\t\t# Return snapshot logs from pod nginx with multi containers\n"
+"\t\tkubectl logs nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot of previous terminated ruby container logs from pod "
+"web-1\n"
+"\t\tkubectl logs -p -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+"\t\tkubectl logs -f -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -f -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+"\t\tkubectl logs --tail=20 nginx\n"
+"\n"
+"\t\t# Show all logs from pod nginx written in the last hour\n"
+"\t\tkubectl logs --since=1h nginx\n"
+"\n"
+"\t\t# Show logs from a kubelet with an expired serving certificate\n"
+"\t\tkubectl logs --insecure-skip-tls-verify-backend nginx\n"
+"\n"
+"\t\t# Return snapshot logs from first container of a job named hello\n"
+"\t\tkubectl logs job/hello\n"
+"\n"
+"\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+"nginx\n"
+"\t\tkubectl logs deployment/nginx -c nginx-1"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:49
+msgid ""
+"\n"
+"\t\t# Scale a replica set named 'foo' to 3\n"
+"\t\tkubectl scale --replicas=3 rs/foo\n"
+"\n"
+"\t\t# Scale a resource identified by type and name specified in \"foo.yaml\" "
+"to 3\n"
+"\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+"\n"
+"\t\t# If the deployment named mysql's current size is 2, scale mysql to 3\n"
+"\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+"\n"
+"\t\t# Scale multiple replication controllers\n"
+"\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+"\n"
+"\t\t# Scale stateful set named 'web' to 3\n"
+"\t\tkubectl scale --replicas=3 statefulset/web"
+msgstr ""
+"\n"
+"\t\t# Scale a replica set named 'foo' to 3\n"
+"\t\tkubectl scale --replicas=3 rs/foo\n"
+"\n"
+"\t\t# Scale a resource identified by type and name specified in \"foo.yaml\" "
+"to 3\n"
+"\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+"\n"
+"\t\t# If the deployment named mysql's current size is 2, scale mysql to 3\n"
+"\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+"\n"
+"\t\t# Scale multiple replication controllers\n"
+"\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+"\n"
+"\t\t# Scale stateful set named 'web' to 3\n"
+"\t\tkubectl scale --replicas=3 statefulset/web"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:75
+msgid ""
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+"\n"
+"\t\t# Execute set-last-applied against each configuration file in a "
+"directory\n"
+"\t\tkubectl apply set-last-applied -f path/\n"
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file; will create the annotation if it does not already exist\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml --create-annotation=true\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+"\n"
+"\t\t# Execute set-last-applied against each configuration file in a "
+"directory\n"
+"\t\tkubectl apply set-last-applied -f path/\n"
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file; will create the annotation if it does not already exist\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml --create-annotation=true\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:75
+msgid ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+msgstr ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:62
+msgid ""
+"\n"
+"\t\t# Start a nginx pod\n"
+"\t\tkubectl run nginx --image=nginx\n"
+"\n"
+"\t\t# Start a hazelcast pod and let the container expose port 5701\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --port=5701\n"
+"\n"
+"\t\t# Start a hazelcast pod and set environment variables "
+"\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --env="
+"\"DNS_DOMAIN=cluster\" --env=\"POD_NAMESPACE=default\"\n"
+"\n"
+"\t\t# Start a hazelcast pod and set labels \"app=hazelcast\" and \"env=prod"
+"\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --labels="
+"\"app=hazelcast,env=prod\"\n"
+"\n"
+"\t\t# Dry run; print the corresponding API objects without creating them\n"
+"\t\tkubectl run nginx --image=nginx --dry-run=client\n"
+"\n"
+"\t\t# Start a nginx pod, but overload the spec with a partial set of values "
+"parsed from JSON\n"
+"\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": \"v1\", "
+"\"spec\": { ... } }'\n"
+"\n"
+"\t\t# Start a busybox pod and keep it in the foreground, don't restart it if "
+"it exits\n"
+"\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+"\n"
+"\t\t# Start the nginx pod using the default command, but use custom "
+"arguments (arg1 .. argN) for that command\n"
+"\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+"\n"
+"\t\t# Start the nginx pod using a different command and custom arguments\n"
+"\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>"
+msgstr ""
+"\n"
+"\t\t# Start a nginx pod\n"
+"\t\tkubectl run nginx --image=nginx\n"
+"\n"
+"\t\t# Start a hazelcast pod and let the container expose port 5701\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --port=5701\n"
+"\n"
+"\t\t# Start a hazelcast pod and set environment variables "
+"\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --env="
+"\"DNS_DOMAIN=cluster\" --env=\"POD_NAMESPACE=default\"\n"
+"\n"
+"\t\t# Start a hazelcast pod and set labels \"app=hazelcast\" and \"env=prod"
+"\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --labels="
+"\"app=hazelcast,env=prod\"\n"
+"\n"
+"\t\t# Dry run; print the corresponding API objects without creating them\n"
+"\t\tkubectl run nginx --image=nginx --dry-run=client\n"
+"\n"
+"\t\t# Start a nginx pod, but overload the spec with a partial set of values "
+"parsed from JSON\n"
+"\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": \"v1\", "
+"\"spec\": { ... } }'\n"
+"\n"
+"\t\t# Start a busybox pod and keep it in the foreground, don't restart it if "
+"it exits\n"
+"\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+"\n"
+"\t\t# Start the nginx pod using the default command, but use custom "
+"arguments (arg1 .. argN) for that command\n"
+"\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+"\n"
+"\t\t# Start the nginx pod using a different command and custom arguments\n"
+"\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:73
+msgid ""
+"\n"
+"\t\t# To proxy all of the Kubernetes API and nothing else\n"
+"\t\tkubectl proxy --api-prefix=/\n"
+"\n"
+"\t\t# To proxy only part of the Kubernetes API and also some static files\n"
+"\t\t# You can get pods info with 'curl localhost:8001/api/v1/pods'\n"
+"\t\tkubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/\n"
+"\n"
+"\t\t# To proxy the entire Kubernetes API at a different root\n"
+"\t\t# You can get pods info with 'curl localhost:8001/custom/api/v1/pods'\n"
+"\t\tkubectl proxy --api-prefix=/custom/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on port 8011, serving static "
+"content from ./local/www/\n"
+"\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on an arbitrary local port\n"
+"\t\t# The chosen port for the server will be output to stdout\n"
+"\t\tkubectl proxy --port=0\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server, changing the API prefix to "
+"k8s-api\n"
+"\t\t# This makes e.g. the pods API available at localhost:8001/k8s-api/v1/"
+"pods/\n"
+"\t\tkubectl proxy --api-prefix=/k8s-api"
+msgstr ""
+"\n"
+"\t\t# To proxy all of the Kubernetes API and nothing else\n"
+"\t\tkubectl proxy --api-prefix=/\n"
+"\n"
+"\t\t# To proxy only part of the Kubernetes API and also some static files\n"
+"\t\t# You can get pods info with 'curl localhost:8001/api/v1/pods'\n"
+"\t\tkubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/\n"
+"\n"
+"\t\t# To proxy the entire Kubernetes API at a different root\n"
+"\t\t# You can get pods info with 'curl localhost:8001/custom/api/v1/pods'\n"
+"\t\tkubectl proxy --api-prefix=/custom/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on port 8011, serving static "
+"content from ./local/www/\n"
+"\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on an arbitrary local port\n"
+"\t\t# The chosen port for the server will be output to stdout\n"
+"\t\tkubectl proxy --port=0\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server, changing the API prefix to "
+"k8s-api\n"
+"\t\t# This makes e.g. the pods API available at localhost:8001/k8s-api/v1/"
+"pods/\n"
+"\t\tkubectl proxy --api-prefix=/k8s-api"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:80
+msgid ""
+"\n"
+"\t\t# Update node 'foo' with a taint with key 'dedicated' and value 'special-"
+"user' and effect 'NoSchedule'\n"
+"\t\t# If a taint with that key and effect already exists, its value is "
+"replaced as specified\n"
+"\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+"\n"
+"\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+"'NoSchedule' if one exists\n"
+"\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+"\n"
+"\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+"\t\tkubectl taint nodes foo dedicated-\n"
+"\n"
+"\t\t# Add a taint with key 'dedicated' on nodes having label mylabel=X\n"
+"\t\tkubectl taint node -l myLabel=X  dedicated=foo:PreferNoSchedule\n"
+"\n"
+"\t\t# Add to node 'foo' a taint with key 'bar' and no value\n"
+"\t\tkubectl taint nodes foo bar:NoSchedule"
+msgstr ""
+"\n"
+"\t\t# Update node 'foo' with a taint with key 'dedicated' and value 'special-"
+"user' and effect 'NoSchedule'\n"
+"\t\t# If a taint with that key and effect already exists, its value is "
+"replaced as specified\n"
+"\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+"\n"
+"\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+"'NoSchedule' if one exists\n"
+"\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+"\n"
+"\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+"\t\tkubectl taint nodes foo dedicated-\n"
+"\n"
+"\t\t# Add a taint with key 'dedicated' on nodes having label mylabel=X\n"
+"\t\tkubectl taint node -l myLabel=X  dedicated=foo:PreferNoSchedule\n"
+"\n"
+"\t\t# Add to node 'foo' a taint with key 'bar' and no value\n"
+"\t\tkubectl taint nodes foo bar:NoSchedule"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:95
+msgid ""
+"\n"
+"\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'\n"
+"\t\tkubectl label pods foo unhealthy=true\n"
+"\n"
+"\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+"overwriting any existing value\n"
+"\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+"\n"
+"\t\t# Update all pods in the namespace\n"
+"\t\tkubectl label pods --all status=unhealthy\n"
+"\n"
+"\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+"\t\tkubectl label -f pod.json status=unhealthy\n"
+"\n"
+"\t\t# Update pod 'foo' only if the resource is unchanged from version 1\n"
+"\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+"\n"
+"\t\t# Update pod 'foo' by removing a label named 'bar' if it exists\n"
+"\t\t# Does not require the --overwrite flag\n"
+"\t\tkubectl label pods foo bar-"
+msgstr ""
+"\n"
+"\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'\n"
+"\t\tkubectl label pods foo unhealthy=true\n"
+"\n"
+"\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+"overwriting any existing value\n"
+"\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+"\n"
+"\t\t# Update all pods in the namespace\n"
+"\t\tkubectl label pods --all status=unhealthy\n"
+"\n"
+"\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+"\t\tkubectl label -f pod.json status=unhealthy\n"
+"\n"
+"\t\t# Update pod 'foo' only if the resource is unchanged from version 1\n"
+"\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+"\n"
+"\t\t# Update pod 'foo' by removing a label named 'bar' if it exists\n"
+"\t\t# Does not require the --overwrite flag\n"
+"\t\tkubectl label pods foo bar-"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:53
+msgid ""
+"\n"
+"\t\t# View the last-applied-configuration annotations by type/name in YAML\n"
+"\t\tkubectl apply view-last-applied deployment/nginx\n"
+"\n"
+"\t\t# View the last-applied-configuration annotations by file in JSON\n"
+"\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+msgstr ""
+"\n"
+"\t\t# View the last-applied-configuration annotations by type/name in YAML\n"
+"\t\tkubectl apply view-last-applied deployment/nginx\n"
+"\n"
+"\t\t# View the last-applied-configuration annotations by file in JSON\n"
+"\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:61
+msgid ""
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to contain the status condition of type "
+"\"Ready\"\n"
+"\t\tkubectl wait --for=condition=Ready pod/busybox1\n"
+"\n"
+"\t\t# The default value of status condition is true; you can set it to "
+"false\n"
+"\t\tkubectl wait --for=condition=Ready=false pod/busybox1\n"
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to be deleted, with a timeout of 60s, "
+"after having issued the \"delete\" command\n"
+"\t\tkubectl delete pod/busybox1\n"
+"\t\tkubectl wait --for=delete pod/busybox1 --timeout=60s"
+msgstr ""
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to contain the status condition of type "
+"\"Ready\"\n"
+"\t\tkubectl wait --for=condition=Ready pod/busybox1\n"
+"\n"
+"\t\t# The default value of status condition is true; you can set it to "
+"false\n"
+"\t\tkubectl wait --for=condition=Ready=false pod/busybox1\n"
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to be deleted, with a timeout of 60s, "
+"after having issued the \"delete\" command\n"
+"\t\tkubectl delete pod/busybox1\n"
+"\t\tkubectl wait --for=delete pod/busybox1 --timeout=60s"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:110
+msgid ""
+"\n"
+"\t\tApply a configuration to a resource by file name or stdin.\n"
+"\t\tThe resource name must be specified. This resource will be created if it "
+"doesn't exist yet.\n"
+"\t\tTo use 'apply', always create the resource initially with either 'apply' "
+"or 'create --save-config'.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted.\n"
+"\n"
+"\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do not "
+"use unless you are aware of what the current state is. See https://issues."
+"k8s.io/34274."
+msgstr ""
+"\n"
+"\t\tApply a configuration to a resource by file name or stdin.\n"
+"\t\tThe resource name must be specified. This resource will be created if it "
+"doesn't exist yet.\n"
+"\t\tTo use 'apply', always create the resource initially with either 'apply' "
+"or 'create --save-config'.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted.\n"
+"\n"
+"\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do not "
+"use unless you are aware of what the current state is. See https://issues."
+"k8s.io/34274."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:126
+msgid ""
+"\n"
+"\t\tApprove a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate approve allows a cluster admin to approve a "
+"certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tissue a certificate to the requestor with the attributes requested in "
+"the CSR.\n"
+"\n"
+"\t\tSECURITY NOTICE: Depending on the requested attributes, the issued "
+"certificate\n"
+"\t\tcan potentially grant a requester access to cluster resources or to "
+"authenticate\n"
+"\t\tas a requested identity. Before approving a CSR, ensure you understand "
+"what the\n"
+"\t\tsigned certificate can do.\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tApprove a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate approve allows a cluster admin to approve a "
+"certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tissue a certificate to the requestor with the attributes requested in "
+"the CSR.\n"
+"\n"
+"\t\tSECURITY NOTICE: Depending on the requested attributes, the issued "
+"certificate\n"
+"\t\tcan potentially grant a requester access to cluster resources or to "
+"authenticate\n"
+"\t\tas a requested identity. Before approving a CSR, ensure you understand "
+"what the\n"
+"\t\tsigned certificate can do.\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:28
+msgid ""
+"\n"
+"\t\tConfigure application resources.\n"
+"\n"
+"\t\tThese commands help you make changes to existing application resources."
+msgstr ""
+"\n"
+"\t\tConfigure application resources.\n"
+"\n"
+"\t\tThese commands help you make changes to existing application resources."
+
+#: pkg/kubectl/cmd/convert/convert.go:40
+msgid ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+msgstr ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:41
+msgid ""
+"\n"
+"\t\tCreate a TLS secret from the given public/private key pair.\n"
+"\n"
+"\t\tThe public/private key pair must exist beforehand. The public key "
+"certificate must be .PEM encoded and match\n"
+"\t\tthe given private key."
+msgstr ""
+"\n"
+"\t\tCreate a TLS secret from the given public/private key pair.\n"
+"\n"
+"\t\tThe public/private key pair must exist beforehand. The public key "
+"certificate must be .PEM encoded and match\n"
+"\t\tthe given private key."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:41
+msgid ""
+"\n"
+"\t\tCreate a cluster role binding for a particular cluster role."
+msgstr ""
+"\n"
+"\t\tCreate a cluster role binding for a particular cluster role."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:38
+msgid ""
+"\n"
+"\t\tCreate a cluster role."
+msgstr ""
+"\n"
+"\t\tCreate a cluster role."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:46
+msgid ""
+"\n"
+"\t\tCreate a config map based on a file, directory, or specified literal "
+"value.\n"
+"\n"
+"\t\tA single config map may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a config map based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content.  If the basename is an invalid key, you may "
+"specify an alternate key.\n"
+"\n"
+"\t\tWhen creating a config map based on a directory, each file whose "
+"basename is a valid key in the directory will be\n"
+"\t\tpackaged into the config map.  Any directory entries except regular "
+"files are ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+msgstr ""
+"\n"
+"\t\tCreate a config map based on a file, directory, or specified literal "
+"value.\n"
+"\n"
+"\t\tA single config map may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a config map based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content.  If the basename is an invalid key, you may "
+"specify an alternate key.\n"
+"\n"
+"\t\tWhen creating a config map based on a directory, each file whose "
+"basename is a valid key in the directory will be\n"
+"\t\tpackaged into the config map.  Any directory entries except regular "
+"files are ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_cronjob.go:40
+msgid ""
+"\n"
+"\t\tCreate a cron job with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a cron job with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:40
+msgid ""
+"\n"
+"\t\tCreate a job with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a job with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:39
+msgid ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:41
+msgid ""
+"\n"
+"\t\tCreate a new secret for use with Docker registries.\n"
+"\n"
+"\t\tDockercfg secrets are used to authenticate against Docker registries.\n"
+"\n"
+"\t\tWhen using the Docker command line to push images, you can authenticate "
+"to a given registry by running:\n"
+"\t\t\t'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+"password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+"\n"
+"\tThat produces a ~/.dockercfg file that is used by subsequent 'docker push' "
+"and 'docker pull' commands to\n"
+"\t\tauthenticate to the registry. The email address is optional.\n"
+"\n"
+"\t\tWhen creating applications, you may have a Docker registry that requires "
+"authentication.  In order for the\n"
+"\t\tnodes to pull images on your behalf, they must have the credentials.  "
+"You can provide this information\n"
+"\t\tby creating a dockercfg secret and attaching it to your service account."
+msgstr ""
+"\n"
+"\t\tCreate a new secret for use with Docker registries.\n"
+"\n"
+"\t\tDockercfg secrets are used to authenticate against Docker registries.\n"
+"\n"
+"\t\tWhen using the Docker command line to push images, you can authenticate "
+"to a given registry by running:\n"
+"\t\t\t'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+"password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+"\n"
+"\tThat produces a ~/.dockercfg file that is used by subsequent 'docker push' "
+"and 'docker pull' commands to\n"
+"\t\tauthenticate to the registry. The email address is optional.\n"
+"\n"
+"\t\tWhen creating applications, you may have a Docker registry that requires "
+"authentication.  In order for the\n"
+"\t\tnodes to pull images on your behalf, they must have the credentials.  "
+"You can provide this information\n"
+"\t\tby creating a dockercfg secret and attaching it to your service account."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:41
+msgid ""
+"\n"
+"\t\tCreate a pod disruption budget with the specified name, selector, and "
+"desired minimum available pods."
+msgstr ""
+"\n"
+"\t\tCreate a pod disruption budget with the specified name, selector, and "
+"desired minimum available pods."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:40
+msgid ""
+"\n"
+"\t\tCreate a priority class with the specified name, value, globalDefault "
+"and description."
+msgstr ""
+"\n"
+"\t\tCreate a priority class with the specified name, value, globalDefault "
+"and description."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:71
+msgid ""
+"\n"
+"\t\tCreate a resource from a file or from stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+msgstr ""
+"\n"
+"\t\tCreate a resource from a file or from stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:41
+msgid ""
+"\n"
+"\t\tCreate a resource quota with the specified name, hard limits, and "
+"optional scopes."
+msgstr ""
+"\n"
+"\t\tCreate a resource quota with the specified name, hard limits, and "
+"optional scopes."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:40
+msgid ""
+"\n"
+"\t\tCreate a role binding for a particular role or cluster role."
+msgstr ""
+"\n"
+"\t\tCreate a role binding for a particular role or cluster role."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L47
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:43
+msgid ""
+"\n"
+"\t\tCreate a role with single rule."
+msgstr ""
+"\n"
+"\t\tCreate a role with single rule."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:61
+msgid ""
+"\n"
+"\t\tCreate a secret based on a file, directory, or specified literal value.\n"
+"\n"
+"\t\tA single secret may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a secret based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content. If the basename is an invalid key or you "
+"wish to chose your own, you may specify\n"
+"\t\tan alternate key.\n"
+"\n"
+"\t\tWhen creating a secret based on a directory, each file whose basename is "
+"a valid key in the directory will be\n"
+"\t\tpackaged into the secret. Any directory entries except regular files are "
+"ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+msgstr ""
+"\n"
+"\t\tCreate a secret based on a file, directory, or specified literal value.\n"
+"\n"
+"\t\tA single secret may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a secret based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content. If the basename is an invalid key or you "
+"wish to chose your own, you may specify\n"
+"\t\tan alternate key.\n"
+"\n"
+"\t\tWhen creating a secret based on a directory, each file whose basename is "
+"a valid key in the directory will be\n"
+"\t\tpackaged into the secret. Any directory entries except regular files are "
+"ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:40
+msgid ""
+"\n"
+"\t\tCreate a service account with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a service account with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:67
+msgid ""
+"\n"
+"\t\tCreates a proxy server or application-level gateway between localhost "
+"and\n"
+"\t\tthe Kubernetes API server. It also allows serving static content over "
+"specified\n"
+"\t\tHTTP path. All incoming data enters through one port and gets forwarded "
+"to\n"
+"\t\tthe remote Kubernetes API server port, except for the path matching the "
+"static content path."
+msgstr ""
+"\n"
+"\t\tCreates a proxy server or application-level gateway between localhost "
+"and\n"
+"\t\tthe Kubernetes API server. It also allows serving static content over "
+"specified\n"
+"\t\tHTTP path. All incoming data enters through one port and gets forwarded "
+"to\n"
+"\t\tthe remote Kubernetes API server port, except for the path matching the "
+"static content path."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:42
+msgid ""
+"\n"
+"\t\tCreates an autoscaler that automatically chooses and sets the number of "
+"pods that run in a Kubernetes cluster.\n"
+"\n"
+"\t\tLooks up a deployment, replica set, stateful set, or replication "
+"controller by name and creates an autoscaler that uses the given resource as "
+"a reference.\n"
+"\t\tAn autoscaler can automatically increase or decrease number of pods "
+"deployed within the system as needed."
+msgstr ""
+"\n"
+"\t\tCreates an autoscaler that automatically chooses and sets the number of "
+"pods that run in a Kubernetes cluster.\n"
+"\n"
+"\t\tLooks up a deployment, replica set, stateful set, or replication "
+"controller by name and creates an autoscaler that uses the given resource as "
+"a reference.\n"
+"\t\tAn autoscaler can automatically increase or decrease number of pods "
+"deployed within the system as needed."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:57
+msgid ""
+"\n"
+"\t\tDebug cluster resources using interactive debugging containers.\n"
+"\n"
+"\t\t'debug' provides automation for common debugging tasks for cluster "
+"objects identified by\n"
+"\t\tresource and name. Pods will be used by default if no resource is "
+"specified.\n"
+"\n"
+"\t\tThe action taken by 'debug' varies depending on what resource is "
+"specified. Supported\n"
+"\t\tactions include:\n"
+"\n"
+"\t\t* Workload: Create a copy of an existing pod with certain attributes "
+"changed,\n"
+"\t                for example changing the image tag to a new version.\n"
+"\t\t* Workload: Add an ephemeral container to an already running pod, for "
+"example to add\n"
+"\t\t            debugging utilities without restarting the pod.\n"
+"\t\t* Node: Create a new pod that runs in the node's host namespaces and can "
+"access\n"
+"\t\t        the node's filesystem.\n"
+msgstr ""
+"\n"
+"\t\tDebug cluster resources using interactive debugging containers.\n"
+"\n"
+"\t\t'debug' provides automation for common debugging tasks for cluster "
+"objects identified by\n"
+"\t\tresource and name. Pods will be used by default if no resource is "
+"specified.\n"
+"\n"
+"\t\tThe action taken by 'debug' varies depending on what resource is "
+"specified. Supported\n"
+"\t\tactions include:\n"
+"\n"
+"\t\t* Workload: Create a copy of an existing pod with certain attributes "
+"changed,\n"
+"\t                for example changing the image tag to a new version.\n"
+"\t\t* Workload: Add an ephemeral container to an already running pod, for "
+"example to add\n"
+"\t\t            debugging utilities without restarting the pod.\n"
+"\t\t* Node: Create a new pod that runs in the node's host namespaces and can "
+"access\n"
+"\t\t        the node's filesystem.\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:45
+msgid ""
+"\n"
+"\t\tDelete resources by file names, stdin, resources and names, or by "
+"resources and label selector.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. Only one type of argument may be "
+"specified: file names,\n"
+"\t\tresources and names, or resources and label selector.\n"
+"\n"
+"\t\tSome resources, such as pods, support graceful deletion. These resources "
+"define a default period\n"
+"\t\tbefore they are forcibly terminated (the grace period) but you may "
+"override that value with\n"
+"\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+"Because these resources often\n"
+"\t\trepresent entities in the cluster, deletion may not be acknowledged "
+"immediately. If the node\n"
+"\t\thosting a pod is down or cannot reach the API server, termination may "
+"take significantly longer\n"
+"\t\tthan the grace period. To force delete a resource, you must specify the "
+"--force flag.\n"
+"\t\tNote: only a subset of resources support graceful deletion. In absence "
+"of the support,\n"
+"\t\tthe --grace-period flag is ignored.\n"
+"\n"
+"\t\tIMPORTANT: Force deleting pods does not wait for confirmation that the "
+"pod's processes have been\n"
+"\t\tterminated, which can leave those processes running until the node "
+"detects the deletion and\n"
+"\t\tcompletes graceful deletion. If your processes use shared storage or "
+"talk to a remote API and\n"
+"\t\tdepend on the name of the pod to identify themselves, force deleting "
+"those pods may result in\n"
+"\t\tmultiple processes running on different machines using the same "
+"identification which may lead\n"
+"\t\tto data corruption or inconsistency. Only force delete pods when you are "
+"sure the pod is\n"
+"\t\tterminated, or if your application can tolerate multiple copies of the "
+"same pod running at once.\n"
+"\t\tAlso, if you force delete pods, the scheduler may place new pods on "
+"those nodes before the node\n"
+"\t\thas released those resources and causing those pods to be evicted "
+"immediately.\n"
+"\n"
+"\t\tNote that the delete command does NOT do resource version checks, so if "
+"someone submits an\n"
+"\t\tupdate to a resource right when you submit a delete, their update will "
+"be lost along with the\n"
+"\t\trest of the resource."
+msgstr ""
+"\n"
+"\t\tDelete resources by file names, stdin, resources and names, or by "
+"resources and label selector.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. Only one type of argument may be "
+"specified: file names,\n"
+"\t\tresources and names, or resources and label selector.\n"
+"\n"
+"\t\tSome resources, such as pods, support graceful deletion. These resources "
+"define a default period\n"
+"\t\tbefore they are forcibly terminated (the grace period) but you may "
+"override that value with\n"
+"\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+"Because these resources often\n"
+"\t\trepresent entities in the cluster, deletion may not be acknowledged "
+"immediately. If the node\n"
+"\t\thosting a pod is down or cannot reach the API server, termination may "
+"take significantly longer\n"
+"\t\tthan the grace period. To force delete a resource, you must specify the "
+"--force flag.\n"
+"\t\tNote: only a subset of resources support graceful deletion. In absence "
+"of the support,\n"
+"\t\tthe --grace-period flag is ignored.\n"
+"\n"
+"\t\tIMPORTANT: Force deleting pods does not wait for confirmation that the "
+"pod's processes have been\n"
+"\t\tterminated, which can leave those processes running until the node "
+"detects the deletion and\n"
+"\t\tcompletes graceful deletion. If your processes use shared storage or "
+"talk to a remote API and\n"
+"\t\tdepend on the name of the pod to identify themselves, force deleting "
+"those pods may result in\n"
+"\t\tmultiple processes running on different machines using the same "
+"identification which may lead\n"
+"\t\tto data corruption or inconsistency. Only force delete pods when you are "
+"sure the pod is\n"
+"\t\tterminated, or if your application can tolerate multiple copies of the "
+"same pod running at once.\n"
+"\t\tAlso, if you force delete pods, the scheduler may place new pods on "
+"those nodes before the node\n"
+"\t\thas released those resources and causing those pods to be evicted "
+"immediately.\n"
+"\n"
+"\t\tNote that the delete command does NOT do resource version checks, so if "
+"someone submits an\n"
+"\t\tupdate to a resource right when you submit a delete, their update will "
+"be lost along with the\n"
+"\t\trest of the resource."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:175
+msgid ""
+"\n"
+"\t\tDeny a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate deny allows a cluster admin to deny a certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tnot to issue a certificate to the requestor.\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tDeny a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate deny allows a cluster admin to deny a certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tnot to issue a certificate to the requestor.\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:53
+msgid ""
+"\n"
+"\t\tDiff configurations specified by file name or stdin between the current "
+"online\n"
+"\t\tconfiguration, and the configuration as it would be if applied.\n"
+"\n"
+"\t\tThe output is always YAML.\n"
+"\n"
+"\t\tKUBECTL_EXTERNAL_DIFF environment variable can be used to select your "
+"own\n"
+"\t\tdiff command. Users can use external commands with params too, example:\n"
+"\t\tKUBECTL_EXTERNAL_DIFF=\"colordiff -N -u\"\n"
+"\n"
+"\t\tBy default, the \"diff\" command available in your path will be\n"
+"\t\trun with the \"-u\" (unified diff) and \"-N\" (treat absent files as "
+"empty) options.\n"
+"\n"
+"\t\tExit status:\n"
+"\t\t 0\n"
+"\t\tNo differences were found.\n"
+"\t\t 1\n"
+"\t\tDifferences were found.\n"
+"\t\t >1\n"
+"\t\tKubectl or diff failed with an error.\n"
+"\n"
+"\t\tNote: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that "
+"convention."
+msgstr ""
+"\n"
+"\t\tDiff configurations specified by file name or stdin between the current "
+"online\n"
+"\t\tconfiguration, and the configuration as it would be if applied.\n"
+"\n"
+"\t\tThe output is always YAML.\n"
+"\n"
+"\t\tKUBECTL_EXTERNAL_DIFF environment variable can be used to select your "
+"own\n"
+"\t\tdiff command. Users can use external commands with params too, example:\n"
+"\t\tKUBECTL_EXTERNAL_DIFF=\"colordiff -N -u\"\n"
+"\n"
+"\t\tBy default, the \"diff\" command available in your path will be\n"
+"\t\trun with the \"-u\" (unified diff) and \"-N\" (treat absent files as "
+"empty) options.\n"
+"\n"
+"\t\tExit status:\n"
+"\t\t 0\n"
+"\t\tNo differences were found.\n"
+"\t\t 1\n"
+"\t\tDifferences were found.\n"
+"\t\t >1\n"
+"\t\tKubectl or diff failed with an error.\n"
+"\n"
+"\t\tNote: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that "
+"convention."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top.go:39
+msgid ""
+"\n"
+"\t\tDisplay Resource (CPU/Memory) usage.\n"
+"\n"
+"\t\tThe top command allows you to see the resource consumption for nodes or "
+"pods.\n"
+"\n"
+"\t\tThis command requires Metrics Server to be correctly configured and "
+"working on the server. "
+msgstr ""
+"\n"
+"\t\tDisplay Resource (CPU/Memory) usage.\n"
+"\n"
+"\t\tThe top command allows you to see the resource consumption for nodes or "
+"pods.\n"
+"\n"
+"\t\tThis command requires Metrics Server to be correctly configured and "
+"working on the server. "
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:54
+msgid ""
+"\n"
+"\t\tDisplay merged kubeconfig settings or a specified kubeconfig file.\n"
+"\n"
+"\t\tYou can use --output jsonpath={...} to extract specific values using a "
+"jsonpath expression."
+msgstr ""
+"\n"
+"\t\tDisplay merged kubeconfig settings or a specified kubeconfig file.\n"
+"\n"
+"\t\tYou can use --output jsonpath={...} to extract specific values using a "
+"jsonpath expression."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:92
+msgid ""
+"\n"
+"\t\tDisplay one or many resources.\n"
+"\n"
+"\t\tPrints a table of the most important information about the specified "
+"resources.\n"
+"\t\tYou can filter the list using a label selector and the --selector flag. "
+"If the\n"
+"\t\tdesired resource type is namespaced you will only see results in your "
+"current\n"
+"\t\tnamespace unless you pass --all-namespaces.\n"
+"\n"
+"\t\tUninitialized objects are not shown unless --include-uninitialized is "
+"passed.\n"
+"\n"
+"\t\tBy specifying the output as 'template' and providing a Go template as "
+"the value\n"
+"\t\tof the --template flag, you can filter the attributes of the fetched "
+"resources."
+msgstr ""
+"\n"
+"\t\tDisplay one or many resources.\n"
+"\n"
+"\t\tPrints a table of the most important information about the specified "
+"resources.\n"
+"\t\tYou can filter the list using a label selector and the --selector flag. "
+"If the\n"
+"\t\tdesired resource type is namespaced you will only see results in your "
+"current\n"
+"\t\tnamespace unless you pass --all-namespaces.\n"
+"\n"
+"\t\tUninitialized objects are not shown unless --include-uninitialized is "
+"passed.\n"
+"\n"
+"\t\tBy specifying the output as 'template' and providing a Go template as "
+"the value\n"
+"\t\tof the --template flag, you can filter the attributes of the fetched "
+"resources."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:57
+msgid ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of nodes.\n"
+"\n"
+"\t\tThe top-node command allows you to see the resource consumption of nodes."
+msgstr ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of nodes.\n"
+"\n"
+"\t\tThe top-node command allows you to see the resource consumption of nodes."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:67
+msgid ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of pods.\n"
+"\n"
+"\t\tThe 'top pod' command allows you to see the resource consumption of "
+"pods.\n"
+"\n"
+"\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+"minutes\n"
+"\t\tsince pod creation."
+msgstr ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of pods.\n"
+"\n"
+"\t\tThe 'top pod' command allows you to see the resource consumption of "
+"pods.\n"
+"\n"
+"\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+"minutes\n"
+"\t\tsince pod creation."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/current_context.go:37
+msgid ""
+"\n"
+"\t\tDisplay the current-context."
+msgstr ""
+"\n"
+"\t\tDisplay the current-context."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:113
+msgid ""
+"\n"
+"\t\tDrain node in preparation for maintenance.\n"
+"\n"
+"\t\tThe given node will be marked unschedulable to prevent new pods from "
+"arriving.\n"
+"\t\t'drain' evicts the pods if the API server supports\n"
+"\t\t[eviction](https://kubernetes.io/docs/concepts/workloads/pods/"
+"disruptions/). Otherwise, it will use normal\n"
+"\t\tDELETE to delete the pods.\n"
+"\t\tThe 'drain' evicts or deletes all pods except mirror pods (which cannot "
+"be deleted through\n"
+"\t\tthe API server).  If there are daemon set-managed pods, drain will not "
+"proceed\n"
+"\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+"\t\tdaemon set-managed pods, because those pods would be immediately "
+"replaced by the\n"
+"\t\tdaemon set controller, which ignores unschedulable markings.  If there "
+"are any\n"
+"\t\tpods that are neither mirror pods nor managed by a replication "
+"controller,\n"
+"\t\treplica set, daemon set, stateful set, or job, then drain will not "
+"delete any pods unless you\n"
+"\t\tuse --force.  --force will also allow deletion to proceed if the "
+"managing resource of one\n"
+"\t\tor more pods is missing.\n"
+"\n"
+"\t\t'drain' waits for graceful termination. You should not operate on the "
+"machine until\n"
+"\t\tthe command completes.\n"
+"\n"
+"\t\tWhen you are ready to put the node back into service, use kubectl "
+"uncordon, which\n"
+"\t\twill make the node schedulable again.\n"
+"\n"
+"\t\t![Workflow](https://kubernetes.io/images/docs/kubectl_drain.svg)"
+msgstr ""
+"\n"
+"\t\tDrain node in preparation for maintenance.\n"
+"\n"
+"\t\tThe given node will be marked unschedulable to prevent new pods from "
+"arriving.\n"
+"\t\t'drain' evicts the pods if the API server supports\n"
+"\t\t[eviction](https://kubernetes.io/docs/concepts/workloads/pods/"
+"disruptions/). Otherwise, it will use normal\n"
+"\t\tDELETE to delete the pods.\n"
+"\t\tThe 'drain' evicts or deletes all pods except mirror pods (which cannot "
+"be deleted through\n"
+"\t\tthe API server).  If there are daemon set-managed pods, drain will not "
+"proceed\n"
+"\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+"\t\tdaemon set-managed pods, because those pods would be immediately "
+"replaced by the\n"
+"\t\tdaemon set controller, which ignores unschedulable markings.  If there "
+"are any\n"
+"\t\tpods that are neither mirror pods nor managed by a replication "
+"controller,\n"
+"\t\treplica set, daemon set, stateful set, or job, then drain will not "
+"delete any pods unless you\n"
+"\t\tuse --force.  --force will also allow deletion to proceed if the "
+"managing resource of one\n"
+"\t\tor more pods is missing.\n"
+"\n"
+"\t\t'drain' waits for graceful termination. You should not operate on the "
+"machine until\n"
+"\t\tthe command completes.\n"
+"\n"
+"\t\tWhen you are ready to put the node back into service, use kubectl "
+"uncordon, which\n"
+"\t\twill make the node schedulable again.\n"
+"\n"
+"\t\t![Workflow](https://kubernetes.io/images/docs/kubectl_drain.svg)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:31
+msgid ""
+"\n"
+"\t\tEdit a resource from the default editor.\n"
+"\n"
+"\t\tThe edit command allows you to directly edit any API resource you can "
+"retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tEditing is done with the API version used to fetch the resource.\n"
+"\t\tTo edit using a specific API version, fully-qualify the resource, "
+"version, and group.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+msgstr ""
+"\n"
+"\t\tEdit a resource from the default editor.\n"
+"\n"
+"\t\tThe edit command allows you to directly edit any API resource you can "
+"retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tEditing is done with the API version used to fetch the resource.\n"
+"\t\tTo edit using a specific API version, fully-qualify the resource, "
+"version, and group.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_edit_last_applied.go:31
+msgid ""
+"\n"
+"\t\tEdit the latest last-applied-configuration annotations of resources from "
+"the default editor.\n"
+"\n"
+"\t\tThe edit-last-applied command allows you to directly edit any API "
+"resource you can retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+msgstr ""
+"\n"
+"\t\tEdit the latest last-applied-configuration annotations of resources from "
+"the default editor.\n"
+"\n"
+"\t\tThe edit-last-applied command allows you to directly edit any API "
+"resource you can retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:49
+msgid ""
+"\n"
+"\t\tExperimental: Wait for a specific condition on one or many resources.\n"
+"\n"
+"\t\tThe command takes multiple resources and waits until the specified "
+"condition\n"
+"\t\tis seen in the Status field of every given resource.\n"
+"\n"
+"\t\tAlternatively, the command can wait for the given set of resources to be "
+"deleted\n"
+"\t\tby providing the \"delete\" keyword as the value to the --for flag.\n"
+"\n"
+"\t\tA successful message will be printed to stdout indicating when the "
+"specified\n"
+"        condition has been met. You can use -o option to change to output "
+"destination."
+msgstr ""
+"\n"
+"\t\tExperimental: Wait for a specific condition on one or many resources.\n"
+"\n"
+"\t\tThe command takes multiple resources and waits until the specified "
+"condition\n"
+"\t\tis seen in the Status field of every given resource.\n"
+"\n"
+"\t\tAlternatively, the command can wait for the given set of resources to be "
+"deleted\n"
+"\t\tby providing the \"delete\" keyword as the value to the --for flag.\n"
+"\n"
+"\t\tA successful message will be printed to stdout indicating when the "
+"specified\n"
+"        condition has been met. You can use -o option to change to output "
+"destination."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:47
+msgid ""
+"\n"
+"\t\tExpose a resource as a new Kubernetes service.\n"
+"\n"
+"\t\tLooks up a deployment, service, replica set, replication controller or "
+"pod by name and uses the selector\n"
+"\t\tfor that resource as the selector for a new service on the specified "
+"port. A deployment or replica set\n"
+"\t\twill be exposed as a service only if its selector is convertible to a "
+"selector that service supports,\n"
+"\t\ti.e. when the selector contains only the matchLabels component. Note "
+"that if no port is specified via\n"
+"\t\t--port and the exposed resource has multiple ports, all will be re-used "
+"by the new service. Also if no\n"
+"\t\tlabels are specified, the new service will re-use the labels from the "
+"resource it exposes.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tExpose a resource as a new Kubernetes service.\n"
+"\n"
+"\t\tLooks up a deployment, service, replica set, replication controller or "
+"pod by name and uses the selector\n"
+"\t\tfor that resource as the selector for a new service on the specified "
+"port. A deployment or replica set\n"
+"\t\twill be exposed as a service only if its selector is convertible to a "
+"selector that service supports,\n"
+"\t\ti.e. when the selector contains only the matchLabels component. Note "
+"that if no port is specified via\n"
+"\t\t--port and the exposed resource has multiple ports, all will be re-used "
+"by the new service. Also if no\n"
+"\t\tlabels are specified, the new service will re-use the labels from the "
+"resource it exposes.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:46
+msgid ""
+"\n"
+"\t\tList all available plugin files on a user's PATH.\n"
+"\n"
+"\t\tAvailable plugin files are those that are:\n"
+"\t\t- executable\n"
+"\t\t- anywhere on the user's PATH\n"
+"\t\t- begin with \"kubectl-\"\n"
+msgstr ""
+"\n"
+"\t\tList all available plugin files on a user's PATH.\n"
+"\n"
+"\t\tAvailable plugin files are those that are:\n"
+"\t\t- executable\n"
+"\t\t- anywhere on the user's PATH\n"
+"\t\t- begin with \"kubectl-\"\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:35
+msgid ""
+"\n"
+"\t\tList the fields for supported resources.\n"
+"\n"
+"\t\tThis command describes the fields associated with each supported API "
+"resource.\n"
+"\t\tFields are identified via a simple JSONPath identifier:\n"
+"\n"
+"\t\t\t<type>.<fieldName>[.<fieldName>]\n"
+"\n"
+"\t\tAdd the --recursive flag to display all of the fields at once without "
+"descriptions.\n"
+"\t\tInformation about each field is retrieved from the server in OpenAPI "
+"format."
+msgstr ""
+"\n"
+"\t\tList the fields for supported resources.\n"
+"\n"
+"\t\tThis command describes the fields associated with each supported API "
+"resource.\n"
+"\t\tFields are identified via a simple JSONPath identifier:\n"
+"\n"
+"\t\t\t<type>.<fieldName>[.<fieldName>]\n"
+"\n"
+"\t\tAdd the --recursive flag to display all of the fields at once without "
+"descriptions.\n"
+"\t\tInformation about each field is retrieved from the server in OpenAPI "
+"format."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout.go:30
+msgid ""
+"\n"
+"\t\tManage the rollout of a resource."
+msgstr ""
+"\n"
+"\t\tManage the rollout of a resource."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L127
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:84
+msgid ""
+"\n"
+"\t\tMark node as schedulable."
+msgstr ""
+"\n"
+"\t\tMark node as schedulable."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:55
+msgid ""
+"\n"
+"\t\tMark node as unschedulable."
+msgstr ""
+"\n"
+"\t\tMark node as unschedulable."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:57
+msgid ""
+"\n"
+"\t\tMark the provided resource as paused.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller.\n"
+"\t\tUse \"kubectl rollout resume\" to resume a paused resource.\n"
+"\t\tCurrently only deployments support being paused."
+msgstr ""
+"\n"
+"\t\tMark the provided resource as paused.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller.\n"
+"\t\tUse \"kubectl rollout resume\" to resume a paused resource.\n"
+"\t\tCurrently only deployments support being paused."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:46
+msgid ""
+"\n"
+"\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+"\t\tThe shell code must be evaluated to provide interactive\n"
+"\t\tcompletion of kubectl commands.  This can be done by sourcing it from\n"
+"\t\tthe .bash_profile.\n"
+"\n"
+"\t\tDetailed instructions on how to do this are available here:\n"
+"\n"
+"        for macOS:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for linux:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for windows:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/"
+"#enable-shell-autocompletion\n"
+"\n"
+"\t\tNote for zsh users: [1] zsh completions are only supported in versions "
+"of zsh >= 5.2."
+msgstr ""
+"\n"
+"\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+"\t\tThe shell code must be evaluated to provide interactive\n"
+"\t\tcompletion of kubectl commands.  This can be done by sourcing it from\n"
+"\t\tthe .bash_profile.\n"
+"\n"
+"\t\tDetailed instructions on how to do this are available here:\n"
+"\n"
+"        for macOS:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for linux:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for windows:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/"
+"#enable-shell-autocompletion\n"
+"\n"
+"\t\tNote for zsh users: [1] zsh completions are only supported in versions "
+"of zsh >= 5.2."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:49
+msgid ""
+"\n"
+"\t\tPrint the logs for a container in a pod or specified resource. \n"
+"\t\tIf the pod has only one container, the container name is optional."
+msgstr ""
+"\n"
+"\t\tPrint the logs for a container in a pod or specified resource. \n"
+"\t\tIf the pod has only one container, the container name is optional."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:37
+msgid ""
+"\n"
+"\t\tProvides utilities for interacting with plugins.\n"
+"\n"
+"\t\tPlugins provide extended functionality that is not part of the major "
+"command-line distribution.\n"
+"\t\tPlease refer to the documentation and examples for more information "
+"about how write your own plugins.\n"
+"\n"
+"\t\tThe easiest way to discover and install plugins is via the kubernetes "
+"sub-project krew.\n"
+"\t\tTo install krew, visit [krew.sigs.k8s.io](https://krew.sigs.k8s.io/docs/"
+"user-guide/setup/install/)"
+msgstr ""
+"\n"
+"\t\tProvides utilities for interacting with plugins.\n"
+"\n"
+"\t\tPlugins provide extended functionality that is not part of the major "
+"command-line distribution.\n"
+"\t\tPlease refer to the documentation and examples for more information "
+"about how write your own plugins.\n"
+"\n"
+"\t\tThe easiest way to discover and install plugins is via the kubernetes "
+"sub-project krew.\n"
+"\t\tTo install krew, visit [krew.sigs.k8s.io](https://krew.sigs.k8s.io/docs/"
+"user-guide/setup/install/)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/rename_context.go:47
+msgid ""
+"\n"
+"\t\tRenames a context from the kubeconfig file.\n"
+"\n"
+"\t\tCONTEXT_NAME is the context name that you want to change.\n"
+"\n"
+"\t\tNEW_NAME is the new name you want to set.\n"
+"\n"
+"\t\tNote: If the context being renamed is the 'current-context', this field "
+"will also be updated."
+msgstr ""
+"\n"
+"\t\tRenames a context from the kubeconfig file.\n"
+"\n"
+"\t\tCONTEXT_NAME is the context name that you want to change.\n"
+"\n"
+"\t\tNEW_NAME is the new name you want to set.\n"
+"\n"
+"\t\tNote: If the context being renamed is the 'current-context', this field "
+"will also be updated."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:48
+msgid ""
+"\n"
+"\t\tReplace a resource by file name or stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. If replacing an existing resource, "
+"the\n"
+"\t\tcomplete resource spec must be provided. This can be obtained by\n"
+"\n"
+"\t\t    $ kubectl get TYPE NAME -o yaml"
+msgstr ""
+"\n"
+"\t\tReplace a resource by file name or stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. If replacing an existing resource, "
+"the\n"
+"\t\tcomplete resource spec must be provided. This can be obtained by\n"
+"\n"
+"\t\t    $ kubectl get TYPE NAME -o yaml"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_restart.go:57
+msgid ""
+"\n"
+"\t\tRestart a resource.\n"
+"\n"
+"\t        Resource rollout will be restarted."
+msgstr ""
+"\n"
+"\t\tRestart a resource.\n"
+"\n"
+"\t        Resource rollout will be restarted."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:58
+msgid ""
+"\n"
+"\t\tResume a paused resource.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller. By resuming a\n"
+"\t\tresource, we allow it to be reconciled again.\n"
+"\t\tCurrently only deployments support being resumed."
+msgstr ""
+"\n"
+"\t\tResume a paused resource.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller. By resuming a\n"
+"\t\tresource, we allow it to be reconciled again.\n"
+"\t\tCurrently only deployments support being resumed."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:55
+msgid ""
+"\n"
+"\t\tRoll back to a previous rollout."
+msgstr ""
+"\n"
+"\t\tRoll back to a previous rollout."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_cluster.go:47
+msgid ""
+"\n"
+"\t\tSet a cluster entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+msgstr ""
+"\n"
+"\t\tSet a cluster entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_context.go:44
+msgid ""
+"\n"
+"\t\tSet a context entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+msgstr ""
+"\n"
+"\t\tSet a context entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:40
+msgid ""
+"\n"
+"\t\tSet a new size for a deployment, replica set, replication controller, or "
+"stateful set.\n"
+"\n"
+"\t\tScale also allows users to specify one or more preconditions for the "
+"scale action.\n"
+"\n"
+"\t\tIf --current-replicas or --resource-version is specified, it is "
+"validated before the\n"
+"\t\tscale is attempted, and it is guaranteed that the precondition holds "
+"true when the\n"
+"\t\tscale is sent to the server."
+msgstr ""
+"\n"
+"\t\tSet a new size for a deployment, replica set, replication controller, or "
+"stateful set.\n"
+"\n"
+"\t\tScale also allows users to specify one or more preconditions for the "
+"scale action.\n"
+"\n"
+"\t\tIf --current-replicas or --resource-version is specified, it is "
+"validated before the\n"
+"\t\tscale is attempted, and it is guaranteed that the precondition holds "
+"true when the\n"
+"\t\tscale is sent to the server."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_authinfo.go:70
+#, c-format
+msgid ""
+"\n"
+"\t\tSet a user entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values.\n"
+"\n"
+"\t\t    Client-certificate flags:\n"
+"\t\t    --%v=certfile --%v=keyfile\n"
+"\n"
+"\t\t    Bearer token flags:\n"
+"\t\t\t  --%v=bearer_token\n"
+"\n"
+"\t\t    Basic auth flags:\n"
+"\t\t\t  --%v=basic_user --%v=basic_password\n"
+"\n"
+"\t\tBearer token and basic auth are mutually exclusive."
+msgstr ""
+"\n"
+"\t\tSet a user entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values.\n"
+"\n"
+"\t\t    Client-certificate flags:\n"
+"\t\t    --%v=certfile --%v=keyfile\n"
+"\n"
+"\t\t    Bearer token flags:\n"
+"\t\t\t  --%v=bearer_token\n"
+"\n"
+"\t\t    Basic auth flags:\n"
+"\t\t\t  --%v=basic_user --%v=basic_password\n"
+"\n"
+"\t\tBearer token and basic auth are mutually exclusive."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:70
+msgid ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+msgstr ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:67
+#, c-format
+msgid ""
+"\n"
+"\t\tSet the selector on a resource. Note that the new selector will "
+"overwrite the old selector if the resource had one prior to the invocation\n"
+"\t\tof 'set selector'.\n"
+"\n"
+"\t\tA selector must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\tIf --resource-version is specified, then updates will use this resource "
+"version, otherwise the existing resource-version will be used.\n"
+"        Note: currently selectors can only be set on Service objects."
+msgstr ""
+"\n"
+"\t\tSet the selector on a resource. Note that the new selector will "
+"overwrite the old selector if the resource had one prior to the invocation\n"
+"\t\tof 'set selector'.\n"
+"\n"
+"\t\tA selector must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\tIf --resource-version is specified, then updates will use this resource "
+"version, otherwise the existing resource-version will be used.\n"
+"        Note: currently selectors can only be set on Service objects."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:39
+msgid ""
+"\n"
+"\t\tShow details of a specific resource or group of resources.\n"
+"\n"
+"\t\tPrint a detailed description of the selected resources, including "
+"related resources such\n"
+"\t\tas events or controllers. You may select a single object by name, all "
+"objects of that\n"
+"\t\ttype, provide a name prefix, or label selector. For example:\n"
+"\n"
+"\t\t    $ kubectl describe TYPE NAME_PREFIX\n"
+"\n"
+"\t\twill first check for an exact match on TYPE and NAME_PREFIX. If no such "
+"resource\n"
+"\t\texists, it will output details for every resource that has a name "
+"prefixed with NAME_PREFIX."
+msgstr ""
+"\n"
+"\t\tShow details of a specific resource or group of resources.\n"
+"\n"
+"\t\tPrint a detailed description of the selected resources, including "
+"related resources such\n"
+"\t\tas events or controllers. You may select a single object by name, all "
+"objects of that\n"
+"\t\ttype, provide a name prefix, or label selector. For example:\n"
+"\n"
+"\t\t    $ kubectl describe TYPE NAME_PREFIX\n"
+"\n"
+"\t\twill first check for an exact match on TYPE and NAME_PREFIX. If no such "
+"resource\n"
+"\t\texists, it will output details for every resource that has a name "
+"prefixed with NAME_PREFIX."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:47
+msgid ""
+"\n"
+"\t\tShow the status of the rollout.\n"
+"\n"
+"\t\tBy default 'rollout status' will watch the status of the latest rollout\n"
+"\t\tuntil it's done. If you don't want to wait for the rollout to finish "
+"then\n"
+"\t\tyou can use --watch=false. Note that if a new rollout starts in-between, "
+"then\n"
+"\t\t'rollout status' will continue watching the latest revision. If you want "
+"to\n"
+"\t\tpin to a specific revision and abort if it is rolled over by another "
+"revision,\n"
+"\t\tuse --revision=N where N is the revision you need to watch for."
+msgstr ""
+"\n"
+"\t\tShow the status of the rollout.\n"
+"\n"
+"\t\tBy default 'rollout status' will watch the status of the latest rollout\n"
+"\t\tuntil it's done. If you don't want to wait for the rollout to finish "
+"then\n"
+"\t\tyou can use --watch=false. Note that if a new rollout starts in-between, "
+"then\n"
+"\t\t'rollout status' will continue watching the latest revision. If you want "
+"to\n"
+"\t\tpin to a specific revision and abort if it is rolled over by another "
+"revision,\n"
+"\t\tuse --revision=N where N is the revision you need to watch for."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:41
+#, c-format
+msgid ""
+"\n"
+"\t\tSpecify compute resource requirements (CPU, memory) for any resource "
+"that defines a pod template.  If a pod is successfully scheduled, it is "
+"guaranteed the amount of resource requested, but may burst up to its "
+"specified limits.\n"
+"\n"
+"\t\tFor each compute resource, if a limit is specified and a request is "
+"omitted, the request will default to the limit.\n"
+"\n"
+"\t\tPossible resources include (case insensitive): %s."
+msgstr ""
+"\n"
+"\t\tSpecify compute resource requirements (CPU, memory) for any resource "
+"that defines a pod template.  If a pod is successfully scheduled, it is "
+"guaranteed the amount of resource requested, but may burst up to its "
+"specified limits.\n"
+"\n"
+"\t\tFor each compute resource, if a limit is specified and a request is "
+"omitted, the request will default to the limit.\n"
+"\n"
+"\t\tPossible resources include (case insensitive): %s."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_env.go:50
+msgid ""
+"\n"
+"\t\tUpdate environment variables on a pod template.\n"
+"\n"
+"\t\tList environment variable definitions in one or more pods, pod "
+"templates.\n"
+"\t\tAdd, update, or remove container environment variable definitions in one "
+"or\n"
+"\t\tmore pod templates (within replication controllers or deployment "
+"configurations).\n"
+"\t\tView or modify the environment variable definitions on all containers in "
+"the\n"
+"\t\tspecified pods or pod templates, or just those that match a wildcard.\n"
+"\n"
+"\t\tIf \"--env -\" is passed, environment variables can be read from STDIN "
+"using the standard env\n"
+"\t\tsyntax.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tUpdate environment variables on a pod template.\n"
+"\n"
+"\t\tList environment variable definitions in one or more pods, pod "
+"templates.\n"
+"\t\tAdd, update, or remove container environment variable definitions in one "
+"or\n"
+"\t\tmore pod templates (within replication controllers or deployment "
+"configurations).\n"
+"\t\tView or modify the environment variable definitions on all containers in "
+"the\n"
+"\t\tspecified pods or pod templates, or just those that match a wildcard.\n"
+"\n"
+"\t\tIf \"--env -\" is passed, environment variables can be read from STDIN "
+"using the standard env\n"
+"\t\tsyntax.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:71
+msgid ""
+"\n"
+"\t\tUpdate existing container image(s) of resources.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tUpdate existing container image(s) of resources.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:78
+msgid ""
+"\n"
+"\t\tUpdate fields of a resource using strategic merge patch, a JSON merge "
+"patch, or a JSON patch.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+msgstr ""
+"\n"
+"\t\tUpdate fields of a resource using strategic merge patch, a JSON merge "
+"patch, or a JSON patch.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:83
+msgid ""
+"\n"
+"\t\tUpdate the annotations on one or more resources.\n"
+"\n"
+"\t\tAll Kubernetes objects support the ability to store additional data with "
+"the object as\n"
+"\t\tannotations. Annotations are key/value pairs that can be larger than "
+"labels and include\n"
+"\t\tarbitrary string values such as structured JSON. Tools and system "
+"extensions may use\n"
+"\t\tannotations to store their own data.\n"
+"\n"
+"\t\tAttempting to set an annotation that already exists will fail unless --"
+"overwrite is set.\n"
+"\t\tIf --resource-version is specified and does not match the current "
+"resource version on\n"
+"\t\tthe server the command will fail."
+msgstr ""
+"\n"
+"\t\tUpdate the annotations on one or more resources.\n"
+"\n"
+"\t\tAll Kubernetes objects support the ability to store additional data with "
+"the object as\n"
+"\t\tannotations. Annotations are key/value pairs that can be larger than "
+"labels and include\n"
+"\t\tarbitrary string values such as structured JSON. Tools and system "
+"extensions may use\n"
+"\t\tannotations to store their own data.\n"
+"\n"
+"\t\tAttempting to set an annotation that already exists will fail unless --"
+"overwrite is set.\n"
+"\t\tIf --resource-version is specified and does not match the current "
+"resource version on\n"
+"\t\tthe server the command will fail."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:87
+#, c-format
+msgid ""
+"\n"
+"\t\tUpdate the labels on a resource.\n"
+"\n"
+"\t\t* A label key and value must begin with a letter or number, and may "
+"contain letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+"characters each.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* If --overwrite is true, then existing labels can be overwritten, "
+"otherwise attempting to overwrite a label will result in an error.\n"
+"\t\t* If --resource-version is specified, then updates will use this "
+"resource version, otherwise the existing resource-version will be used."
+msgstr ""
+"\n"
+"\t\tUpdate the labels on a resource.\n"
+"\n"
+"\t\t* A label key and value must begin with a letter or number, and may "
+"contain letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+"characters each.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* If --overwrite is true, then existing labels can be overwritten, "
+"otherwise attempting to overwrite a label will result in an error.\n"
+"\t\t* If --resource-version is specified, then updates will use this "
+"resource version, otherwise the existing resource-version will be used."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:70
+#, c-format
+msgid ""
+"\n"
+"\t\tUpdate the taints on one or more nodes.\n"
+"\n"
+"\t\t* A taint consists of a key, value, and effect. As an argument here, it "
+"is expressed as key=value:effect.\n"
+"\t\t* The key must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* The value is optional. If given, it must begin with a letter or "
+"number, and may contain letters, numbers, hyphens, dots, and underscores, up "
+"to %[2]d characters.\n"
+"\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+"\t\t* Currently taint can only apply to node."
+msgstr ""
+"\n"
+"\t\tUpdate the taints on one or more nodes.\n"
+"\n"
+"\t\t* A taint consists of a key, value, and effect. As an argument here, it "
+"is expressed as key=value:effect.\n"
+"\t\t* The key must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* The value is optional. If given, it must begin with a letter or "
+"number, and may contain letters, numbers, hyphens, dots, and underscores, up "
+"to %[2]d characters.\n"
+"\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+"\t\t* Currently taint can only apply to node."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:36
+msgid ""
+"\n"
+"\t\tView previous rollout revisions and configurations."
+msgstr ""
+"\n"
+"\t\tView previous rollout revisions and configurations."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:47
+msgid ""
+"\n"
+"\t\tView the latest last-applied-configuration annotations by type/name or "
+"file.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. You can use "
+"the -o option\n"
+"\t\tto change the output format."
+msgstr ""
+"\n"
+"\t\tView the latest last-applied-configuration annotations by type/name or "
+"file.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. You can use "
+"the -o option\n"
+"\t\tto change the output format."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:47
+msgid ""
+"\n"
+"\t  # Create a new TLS secret named tls-secret with the given key pair\n"
+"\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/"
+"to/tls.key"
+msgstr ""
+"\n"
+"\t  # Create a new TLS secret named tls-secret with the given key pair\n"
+"\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/"
+"to/tls.key"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:42
+msgid ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+msgstr ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:74
+msgid ""
+"\n"
+"\t  # Create a new secret named my-secret with keys for each file in folder "
+"bar\n"
+"\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+"\n"
+"\t  # Create a new secret named my-secret with specified keys instead of "
+"names on disk\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub\n"
+"\n"
+"\t  # Create a new secret named my-secret with key1=supersecret and "
+"key2=topsecret\n"
+"\t  kubectl create secret generic my-secret --from-literal=key1=supersecret "
+"--from-literal=key2=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret using a combination of a file and "
+"a literal\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-literal=passphrase=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret from an env file\n"
+"\t  kubectl create secret generic my-secret --from-env-file=path/to/bar.env"
+msgstr ""
+"\n"
+"\t  # Create a new secret named my-secret with keys for each file in folder "
+"bar\n"
+"\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+"\n"
+"\t  # Create a new secret named my-secret with specified keys instead of "
+"names on disk\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub\n"
+"\n"
+"\t  # Create a new secret named my-secret with key1=supersecret and "
+"key2=topsecret\n"
+"\t  kubectl create secret generic my-secret --from-literal=key1=supersecret "
+"--from-literal=key2=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret using a combination of a file and "
+"a literal\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-literal=passphrase=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret from an env file\n"
+"\t  kubectl create secret generic my-secret --from-env-file=path/to/bar.env"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:43
+msgid ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+msgstr ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:45
+msgid ""
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image\n"
+"\tkubectl create deployment my-dep --image=busybox\n"
+"\n"
+"\t# Create a deployment with a command\n"
+"\tkubectl create deployment my-dep --image=busybox -- date\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the nginx image with 3 "
+"replicas\n"
+"\tkubectl create deployment my-dep --image=nginx --replicas=3\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image and expose "
+"port 5701\n"
+"\tkubectl create deployment my-dep --image=busybox --port=5701"
+msgstr ""
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image\n"
+"\tkubectl create deployment my-dep --image=busybox\n"
+"\n"
+"\t# Create a deployment with a command\n"
+"\tkubectl create deployment my-dep --image=busybox -- date\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the nginx image with 3 "
+"replicas\n"
+"\tkubectl create deployment my-dep --image=nginx --replicas=3\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image and expose "
+"port 5701\n"
+"\tkubectl create deployment my-dep --image=busybox --port=5701"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:351
+msgid ""
+"\n"
+"\t# Create a new ExternalName service named my-ns\n"
+"\tkubectl create service externalname my-ns --external-name bar.com"
+msgstr ""
+"\n"
+"\t# Create a new ExternalName service named my-ns\n"
+"\tkubectl create service externalname my-ns --external-name bar.com"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:50
+msgid ""
+"\n"
+"\t# Set deployment nginx-deployment's service account to serviceaccount1\n"
+"\tkubectl set serviceaccount deployment nginx-deployment serviceaccount1\n"
+"\n"
+"\t# Print the result (in YAML format) of updated nginx deployment with the "
+"service account from local file, without hitting the API server\n"
+"\tkubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-"
+"run=client -o yaml\n"
+"\t"
+msgstr ""
+"\n"
+"\t# Set deployment nginx-deployment's service account to serviceaccount1\n"
+"\tkubectl set serviceaccount deployment nginx-deployment serviceaccount1\n"
+"\n"
+"\t# Print the result (in YAML format) of updated nginx deployment with the "
+"service account from local file, without hitting the API server\n"
+"\tkubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-"
+"run=client -o yaml\n"
+"\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:42
+msgid ""
+"\n"
+"\tCreate a deployment with the specified name."
+msgstr ""
+"\n"
+"\tCreate a deployment with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:344
+msgid ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+msgstr ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:61
+msgid ""
+"\n"
+"\tCreate an ingress with the specified name."
+msgstr ""
+"\n"
+"\tCreate an ingress with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:28
+msgid ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+msgstr ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set.go:44
+msgid ""
+"\n"
+"\tSet an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots.\n"
+"\n"
+"\tPROPERTY_VALUE is the new value you want to set. Binary fields such as "
+"'certificate-authority-data' expect a base64 encoded string unless the --set-"
+"raw-bytes flag is used.\n"
+"\n"
+"\tSpecifying an attribute name that already exists will merge new fields on "
+"top of existing values."
+msgstr ""
+"\n"
+"\tSet an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots.\n"
+"\n"
+"\tPROPERTY_VALUE is the new value you want to set. Binary fields such as "
+"'certificate-authority-data' expect a base64 encoded string unless the --set-"
+"raw-bytes flag is used.\n"
+"\n"
+"\tSpecifying an attribute name that already exists will merge new fields on "
+"top of existing values."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/unset.go:39
+msgid ""
+"\n"
+"\tUnset an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots."
+msgstr ""
+"\n"
+"\tUnset an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:43
+msgid ""
+"\n"
+"\tUpdate the service account of pod template resources.\n"
+"\n"
+"\tPossible resources (case insensitive) can be:\n"
+"\n"
+"\t"
+msgstr ""
+"\n"
+"\tUpdate the service account of pod template resources.\n"
+"\n"
+"\tPossible resources (case insensitive) can be:\n"
+"\n"
+"\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_subject.go:40
+msgid ""
+"\n"
+"\tUpdate the user, group, or service account in a role binding or cluster "
+"role binding."
+msgstr ""
+"\n"
+"\tUpdate the user, group, or service account in a role binding or cluster "
+"role binding."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:68
+msgid ""
+"\n"
+"  \tpod (po), replicationcontroller (rc), deployment (deploy), daemonset "
+"(ds), replicaset (rs)"
+msgstr ""
+"\n"
+"  \tpod (po), replicationcontroller (rc), deployment (deploy), daemonset "
+"(ds), replicaset (rs)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:63
+msgid ""
+"\n"
+"                Forward one or more local ports to a pod.\n"
+"\n"
+"                Use resource type/name such as deployment/mydeployment to "
+"select a pod. Resource type defaults to 'pod' if omitted.\n"
+"\n"
+"                If there are multiple pods matching the criteria, a pod will "
+"be selected automatically. The\n"
+"                forwarding session ends when the selected pod terminates, "
+"and a rerun of the command is needed\n"
+"                to resume forwarding."
+msgstr ""
+"\n"
+"                Forward one or more local ports to a pod.\n"
+"\n"
+"                Use resource type/name such as deployment/mydeployment to "
+"select a pod. Resource type defaults to 'pod' if omitted.\n"
+"\n"
+"                If there are multiple pods matching the criteria, a pod will "
+"be selected automatically. The\n"
+"                forwarding session ends when the selected pod terminates, "
+"and a rerun of the command is needed\n"
+"                to resume forwarding."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:233
+msgid ""
+"\n"
+"    # Create a new ClusterIP service named my-cs\n"
+"    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+"\n"
+"    # Create a new ClusterIP service named my-cs (in headless mode)\n"
+"    kubectl create service clusterip my-cs --clusterip=\"None\""
+msgstr ""
+"\n"
+"    # Create a new ClusterIP service named my-cs\n"
+"    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+"\n"
+"    # Create a new ClusterIP service named my-cs (in headless mode)\n"
+"    kubectl create service clusterip my-cs --clusterip=\"None\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:311
+msgid ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:274
+msgid ""
+"\n"
+"    # Create a new NodePort service named my-ns\n"
+"    kubectl create service nodeport my-ns --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # Create a new NodePort service named my-ns\n"
+"    kubectl create service nodeport my-ns --tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:102
+msgid ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+msgstr ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:95
+msgid ""
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend'\n"
+"    # If the same annotation is set multiple times, only the last value will "
+"be applied\n"
+"    kubectl annotate pods foo description='my frontend'\n"
+"\n"
+"    # Update a pod identified by type and name in \"pod.json\"\n"
+"    kubectl annotate -f pod.json description='my frontend'\n"
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend running nginx', overwriting any existing value\n"
+"    kubectl annotate --overwrite pods foo description='my frontend running "
+"nginx'\n"
+"\n"
+"    # Update all pods in the namespace\n"
+"    kubectl annotate pods --all description='my frontend running nginx'\n"
+"\n"
+"    # Update pod 'foo' only if the resource is unchanged from version 1\n"
+"    kubectl annotate pods foo description='my frontend running nginx' --"
+"resource-version=1\n"
+"\n"
+"    # Update pod 'foo' by removing an annotation named 'description' if it "
+"exists\n"
+"    # Does not require the --overwrite flag\n"
+"    kubectl annotate pods foo description-"
+msgstr ""
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend'\n"
+"    # If the same annotation is set multiple times, only the last value will "
+"be applied\n"
+"    kubectl annotate pods foo description='my frontend'\n"
+"\n"
+"    # Update a pod identified by type and name in \"pod.json\"\n"
+"    kubectl annotate -f pod.json description='my frontend'\n"
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend running nginx', overwriting any existing value\n"
+"    kubectl annotate --overwrite pods foo description='my frontend running "
+"nginx'\n"
+"\n"
+"    # Update all pods in the namespace\n"
+"    kubectl annotate pods --all description='my frontend running nginx'\n"
+"\n"
+"    # Update pod 'foo' only if the resource is unchanged from version 1\n"
+"    kubectl annotate pods foo description='my frontend running nginx' --"
+"resource-version=1\n"
+"\n"
+"    # Update pod 'foo' by removing an annotation named 'description' if it "
+"exists\n"
+"    # Does not require the --overwrite flag\n"
+"    kubectl annotate pods foo description-"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:230
+msgid ""
+"\n"
+"    Create a ClusterIP service with the specified name."
+msgstr ""
+"\n"
+"    Create a ClusterIP service with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:308
+msgid ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+msgstr ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:271
+msgid ""
+"\n"
+"    Create a NodePort service with the specified name."
+msgstr ""
+"\n"
+"    Create a NodePort service with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:93
+msgid ""
+"\n"
+"    Dump cluster information out suitable for debugging and diagnosing "
+"cluster problems.  By default, dumps everything to\n"
+"    stdout. You can optionally specify a directory with --output-directory.  "
+"If you specify a directory, Kubernetes will\n"
+"    build a set of files in that directory.  By default, only dumps things "
+"in the current namespace and 'kube-system' namespace, but you can\n"
+"    switch to a different namespace with the --namespaces flag, or specify --"
+"all-namespaces to dump all namespaces.\n"
+"\n"
+"    The command also dumps the logs of all of the pods in the cluster; these "
+"logs are dumped into different directories\n"
+"    based on namespace and pod name."
+msgstr ""
+"\n"
+"    Dump cluster information out suitable for debugging and diagnosing "
+"cluster problems.  By default, dumps everything to\n"
+"    stdout. You can optionally specify a directory with --output-directory.  "
+"If you specify a directory, Kubernetes will\n"
+"    build a set of files in that directory.  By default, only dumps things "
+"in the current namespace and 'kube-system' namespace, but you can\n"
+"    switch to a different namespace with the --namespaces flag, or specify --"
+"all-namespaces to dump all namespaces.\n"
+"\n"
+"    The command also dumps the logs of all of the pods in the cluster; these "
+"logs are dumped into different directories\n"
+"    based on namespace and pod name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:40
+msgid ""
+"\n"
+"  Display addresses of the control plane and services with label kubernetes."
+"io/cluster-service=true.\n"
+"  To further debug and diagnose cluster problems, use 'kubectl cluster-info "
+"dump'."
+msgstr ""
+"\n"
+"  Display addresses of the control plane and services with label kubernetes."
+"io/cluster-service=true.\n"
+"  To further debug and diagnose cluster problems, use 'kubectl cluster-info "
+"dump'."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:49
+msgid ""
+" environment variable is set, then it is used as a list of paths (normal "
+"path delimiting rules for your system). These paths are merged. When a value "
+"is modified, it is modified in the file that defines the stanza. When a "
+"value is created, it is created in the first file that exists. If no files "
+"in the chain exist, then it creates the last file in the list.\n"
+"\t\t\t3. Otherwise, "
+msgstr ""
+" environment variable is set, then it is used as a list of paths (normal "
+"path delimiting rules for your system). These paths are merged. When a value "
+"is modified, it is modified in the file that defines the stanza. When a "
+"value is created, it is created in the first file that exists. If no files "
+"in the chain exist, then it creates the last file in the list.\n"
+"\t\t\t3. Otherwise, "
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:48
+msgid ""
+" flag is set, then only that file is loaded. The flag may only be set once "
+"and no merging takes place.\n"
+"\t\t\t2. If $"
+msgstr ""
+" flag is set, then only that file is loaded. The flag may only be set once "
+"and no merging takes place.\n"
+"\t\t\t2. If $"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:50
+msgid " is used and no merging takes place."
+msgstr " is used and no merging takes place."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L61
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:107
+msgid ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+msgstr ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L60
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:106
+msgid ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+msgstr ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L63
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:113
+msgid ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+msgstr ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L106
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:152
+msgid ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+msgstr ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L111
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:157
+msgid ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+msgstr ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:178
+msgid "Allocate a TTY for the debugging container."
+msgstr "Allocate a TTY for the debugging container."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L119
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:158
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:178
+msgid ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+msgstr ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:173
+msgid "Annotations to apply to the pod."
+msgstr "Annotations to apply to the pod."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:173
+msgid "Apply a configuration to a resource by file name or stdin"
+msgstr "Apply a configuration to a resource by file name or stdin"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:125
+msgid "Approve a certificate signing request"
+msgstr "Approve a certificate signing request"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L81
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:263
+msgid ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+msgstr ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:106
+msgid ""
+"Attach to a process that is already running inside an existing container."
+msgstr ""
+"Attach to a process that is already running inside an existing container."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/attach.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:105
+msgid "Attach to a running container"
+msgstr "Attach to a running container"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:107
+msgid ""
+"Auto-scale a deployment, replica set, stateful set, or replication controller"
+msgstr ""
+"Auto-scale a deployment, replica set, stateful set, or replication controller"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L115
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:161
+msgid ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+msgstr ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_clusterrolebinding.go#L55
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:101
+msgid "ClusterRole this ClusterRoleBinding should reference"
+msgstr "ClusterRole this ClusterRoleBinding should reference"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L55
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:104
+msgid "ClusterRole this RoleBinding should reference"
+msgstr "ClusterRole this RoleBinding should reference"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:32
+msgid "Commands for features in alpha"
+msgstr "Commands for features in alpha"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:170
+msgid "Container image to use for debug container."
+msgstr "Container image to use for debug container."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:166
+msgid "Container name to use for debug container."
+msgstr "Container name to use for debug container."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/convert.go#L67
+#: pkg/kubectl/cmd/convert/convert.go:95
+msgid "Convert config files between different API versions"
+msgstr "Convert config files between different API versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:105
+msgid "Copy files and directories to and from containers"
+msgstr "Copy files and directories to and from containers"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:106
+msgid "Copy files and directories to and from containers."
+msgstr "Copy files and directories to and from containers."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:248
+msgid "Create a ClusterIP service"
+msgstr "Create a ClusterIP service"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:323
+msgid "Create a LoadBalancer service"
+msgstr "Create a LoadBalancer service"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:286
+msgid "Create a NodePort service"
+msgstr "Create a NodePort service"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L214
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:94
+msgid "Create a TLS secret"
+msgstr "Create a TLS secret"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:81
+msgid "Create a cluster role"
+msgstr "Create a cluster role"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:87
+msgid "Create a cluster role binding for a particular cluster role"
+msgstr "Create a cluster role binding for a particular cluster role"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:124
+msgid "Create a config map from a local file, directory or literal value"
+msgstr "Create a config map from a local file, directory or literal value"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:167
+msgid "Create a copy of the target Pod with this name."
+msgstr "Create a copy of the target Pod with this name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_cronjob.go:90
+msgid "Create a cron job with the specified name"
+msgstr "Create a cron job with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:100
+msgid "Create a deployment with the specified name"
+msgstr "Create a deployment with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:91
+msgid "Create a job with the specified name"
+msgstr "Create a job with the specified name"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:83
+msgid "Create a namespace with the specified name"
+msgstr "Create a namespace with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:95
+msgid "Create a pod disruption budget with the specified name"
+msgstr "Create a pod disruption budget with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:92
+msgid "Create a priority class with the specified name"
+msgstr "Create a priority class with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:91
+msgid "Create a quota with the specified name"
+msgstr "Create a quota with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:106
+msgid "Create a resource from a file or from stdin"
+msgstr "Create a resource from a file or from stdin"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:89
+msgid "Create a role binding for a particular role or cluster role"
+msgstr "Create a role binding for a particular role or cluster role"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:161
+msgid "Create a role with single rule"
+msgstr "Create a role with single rule"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L143
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:134
+msgid "Create a secret for use with a Docker registry"
+msgstr "Create a secret for use with a Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:137
+msgid "Create a secret from a local file, directory, or literal value"
+msgstr "Create a secret from a local file, directory, or literal value"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L34
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:49
+msgid "Create a secret using specified subcommand"
+msgstr "Create a secret using specified subcommand"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:50
+msgid "Create a secret using specified subcommand."
+msgstr "Create a secret using specified subcommand."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:85
+msgid "Create a service account with the specified name"
+msgstr "Create a service account with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:48
+msgid "Create a service using a specified subcommand"
+msgstr "Create a service using a specified subcommand"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:49
+msgid "Create a service using a specified subcommand."
+msgstr "Create a service using a specified subcommand."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:363
+msgid "Create an ExternalName service"
+msgstr "Create an ExternalName service"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:145
+msgid "Create an ingress with the specified name"
+msgstr "Create an ingress with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:60
+msgid "Create and run a particular image in a pod."
+msgstr "Create and run a particular image in a pod."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:149
+msgid "Create debugging sessions for troubleshooting workloads and nodes"
+msgstr "Create debugging sessions for troubleshooting workloads and nodes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:137
+msgid ""
+"Delete resources by file names, stdin, resources and names, or by resources "
+"and label selector"
+msgstr ""
+"Delete resources by file names, stdin, resources and names, or by resources "
+"and label selector"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_cluster.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "Delete the specified cluster from the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:43
+msgid "Delete the specified cluster from the kubeconfig."
+msgstr "Delete the specified cluster from the kubeconfig."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_context.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "Delete the specified context from the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:43
+msgid "Delete the specified context from the kubeconfig."
+msgstr "Delete the specified context from the kubeconfig."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_user.go:64
+msgid "Delete the specified user from the kubeconfig"
+msgstr "Delete the specified user from the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_user.go:65
+msgid "Delete the specified user from the kubeconfig."
+msgstr "Delete the specified user from the kubeconfig."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L121
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:174
+msgid "Deny a certificate signing request"
+msgstr "Deny a certificate signing request"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_contexts.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "Describe one or many contexts"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:142
+msgid "Diff the live version against a would-be applied version"
+msgstr "Diff the live version against a would-be applied version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:65
+msgid "Display cluster information"
+msgstr "Display cluster information"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_clusters.go#L40
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "Display clusters defined in the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:42
+msgid "Display clusters defined in the kubeconfig."
+msgstr "Display clusters defined in the kubeconfig."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/view.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr "Display merged kubeconfig settings or a specified kubeconfig file"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:50
+msgid "Display one or many contexts from the kubeconfig file."
+msgstr "Display one or many contexts from the kubeconfig file."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/get.go#L107
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:165
+msgid "Display one or many resources"
+msgstr "Display one or many resources"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top.go:50
+msgid "Display resource (CPU/memory) usage"
+msgstr "Display resource (CPU/memory) usage"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:81
+msgid "Display resource (CPU/memory) usage of nodes"
+msgstr "Display resource (CPU/memory) usage of nodes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:100
+msgid "Display resource (CPU/memory) usage of pods"
+msgstr "Display resource (CPU/memory) usage of pods"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/current_context.go:51
+msgid "Display the current-context"
+msgstr "Display the current-context"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_users.go:60
+msgid "Display users defined in the kubeconfig"
+msgstr "Display users defined in the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_users.go:61
+msgid "Display users defined in the kubeconfig."
+msgstr "Display users defined in the kubeconfig."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L176
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:184
+msgid "Drain node in preparation for maintenance"
+msgstr "Drain node in preparation for maintenance"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:74
+msgid "Dump relevant information for debugging and diagnosis"
+msgstr "Dump relevant information for debugging and diagnosis"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/edit.go#L100
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:77
+msgid "Edit a resource on the server"
+msgstr "Edit a resource on the server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_edit_last_applied.go:67
+msgid "Edit latest last-applied-configuration annotations of a resource/object"
+msgstr ""
+"Edit latest last-applied-configuration annotations of a resource/object"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L159
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:152
+msgid "Email for Docker registry"
+msgstr "Email for Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:169
+msgid "Environment variables to set in the container."
+msgstr "Environment variables to set in the container."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/exec.go#L68
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:89
+msgid "Execute a command in a container"
+msgstr "Execute a command in a container"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:90
+msgid "Execute a command in a container."
+msgstr "Execute a command in a container."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:115
+msgid "Experimental: Wait for a specific condition on one or many resources"
+msgstr "Experimental: Wait for a specific condition on one or many resources"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:378
+msgid "External name of service"
+msgstr "External name of service"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/portforward.go#L75
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:109
+msgid "Forward one or more local ports to a pod"
+msgstr "Forward one or more local ports to a pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:79
+msgid "Get documentation for a resource"
+msgstr "Get documentation for a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/help.go#L36
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:37
+msgid "Help about any command"
+msgstr "Help about any command"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:151
+msgid ""
+"IP to assign to the LoadBalancer. If empty, an ephemeral IP will be created "
+"and used (cloud-provider specific)."
+msgstr ""
+"IP to assign to the LoadBalancer. If empty, an ephemeral IP will be created "
+"and used (cloud-provider specific)."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L114
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:160
+msgid ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+msgstr ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/annotate.go#L135
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:157
+msgid ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/label.go#L132
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:154
+msgid ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:164
+msgid ""
+"If specified, everything after -- will be passed to the new container as "
+"Args instead of Command."
+msgstr ""
+"If specified, everything after -- will be passed to the new container as "
+"Args instead of Command."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:198
+msgid "If true, run the container in privileged mode."
+msgstr "If true, run the container in privileged mode."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:174
+msgid "If true, suppress informational messages."
+msgstr "If true, suppress informational messages."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:165
+msgid ""
+"If true, wait for the container to start running, and then attach as if "
+"'kubectl attach ...' were called.  Default false, unless '-i/--stdin' is "
+"set, in which case the default is true."
+msgstr ""
+"If true, wait for the container to start running, and then attach as if "
+"'kubectl attach ...' were called.  Default false, unless '-i/--stdin' is "
+"set, in which case the default is true."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:173
+msgid ""
+"Keep stdin open on the container(s) in the pod, even if nothing is attached."
+msgstr ""
+"Keep stdin open on the container(s) in the pod, even if nothing is attached."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:90
+msgid "List all visible plugin executables on a user's PATH"
+msgstr "List all visible plugin executables on a user's PATH"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout.go:54
+msgid "Manage the rollout of a resource"
+msgstr "Manage the rollout of a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L127
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:98
+msgid "Mark node as schedulable"
+msgstr "Mark node as schedulable"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:69
+msgid "Mark node as unschedulable"
+msgstr "Mark node as unschedulable"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_pause.go#L73
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:83
+msgid "Mark the provided resource as paused"
+msgstr "Mark the provided resource as paused"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L35
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:49
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:50
+msgid "Modify certificate resources."
+msgstr "Modify certificate resources."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/config.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "Modify kubeconfig files"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L110
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:156
+msgid ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+msgstr ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:43
+msgid "No alpha commands are available in this version of kubectl"
+msgstr "No alpha commands are available in this version of kubectl"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/logs.go#L108
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:174
+msgid ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+msgstr ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/completion.go#L97
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:112
+msgid "Output shell completion code for the specified shell (bash or zsh)"
+msgstr "Output shell completion code for the specified shell (bash or zsh)"
+
+#: pkg/kubectl/cmd/convert/convert.go:105
+msgid ""
+"Output the formatted object with the given group version (for ex: "
+"'extensions/v1beta1')."
+msgstr ""
+"Output the formatted object with the given group version (for ex: "
+"'extensions/v1beta1')."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L157
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:151
+msgid "Password for Docker registry authentication"
+msgstr "Password for Docker registry authentication"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L226
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:110
+msgid "Path to PEM encoded public key certificate."
+msgstr "Path to PEM encoded public key certificate."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L227
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:111
+msgid "Path to private key associated with given certificate."
+msgstr "Path to private key associated with given certificate."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/scale.go#L82
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:130
+msgid ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+msgstr ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/version.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:73
+msgid "Print the client and server version information"
+msgstr "Print the client and server version information"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:74
+msgid ""
+"Print the client and server version information for the current context."
+msgstr ""
+"Print the client and server version information for the current context."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/options.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:38
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:39
+msgid "Print the list of flags inherited by all commands"
+msgstr "Print the list of flags inherited by all commands"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/logs.go#L86
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:152
+msgid "Print the logs for a container in a pod"
+msgstr "Print the logs for a container in a pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources.go:97
+msgid "Print the supported API resources on the server"
+msgstr "Print the supported API resources on the server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources.go:98
+msgid "Print the supported API resources on the server."
+msgstr "Print the supported API resources on the server."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:58
+msgid ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\""
+msgstr ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:59
+msgid ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\"."
+msgstr ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\"."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:62
+msgid "Provides utilities for interacting with plugins"
+msgstr "Provides utilities for interacting with plugins"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/rename_context.go:45
+msgid "Rename a context from the kubeconfig file"
+msgstr "Rename a context from the kubeconfig file"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:115
+msgid "Replace a resource by file name or stdin"
+msgstr "Replace a resource by file name or stdin"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_restart.go:87
+msgid "Restart a resource"
+msgstr "Restart a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_resume.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:87
+msgid "Resume a paused resource"
+msgstr "Resume a paused resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L56
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:105
+msgid "Role this RoleBinding should reference"
+msgstr "Role this RoleBinding should reference"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L94
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:152
+msgid "Run a particular image on the cluster"
+msgstr "Run a particular image on the cluster"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/proxy.go#L68
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:119
+msgid "Run a proxy to the Kubernetes API server"
+msgstr "Run a proxy to the Kubernetes API server"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L161
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:153
+msgid "Server location for Docker registry"
+msgstr "Server location for Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_cluster.go:73
+msgid "Set a cluster entry in kubeconfig"
+msgstr "Set a cluster entry in kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_context.go:61
+msgid "Set a context entry in kubeconfig"
+msgstr "Set a context entry in kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:114
+msgid "Set a new size for a deployment, replica set, or replication controller"
+msgstr ""
+"Set a new size for a deployment, replica set, or replication controller"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_authinfo.go:152
+msgid "Set a user entry in kubeconfig"
+msgstr "Set a user entry in kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set.go:74
+msgid "Set an individual value in a kubeconfig file"
+msgstr "Set an individual value in a kubeconfig file"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:39
+msgid "Set specific features on objects"
+msgstr "Set specific features on objects"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/use_context.go:52
+msgid "Set the current-context in a kubeconfig file"
+msgstr "Set the current-context in a kubeconfig file"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:101
+msgid ""
+"Set the last-applied-configuration annotation on a live object to match the "
+"contents of a file"
+msgstr ""
+"Set the last-applied-configuration annotation on a live object to match the "
+"contents of a file"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_selector.go#L81
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:104
+msgid "Set the selector on a resource"
+msgstr "Set the selector on a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/describe.go#L80
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:107
+msgid "Show details of a specific resource or group of resources"
+msgstr "Show details of a specific resource or group of resources"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_status.go#L57
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:102
+msgid "Show the status of the rollout"
+msgstr "Show the status of the rollout"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L108
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:154
+msgid "Synonym for --target-port"
+msgstr "Synonym for --target-port"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:134
+msgid ""
+"Take a replication controller, service, deployment or pod and expose it as a "
+"new Kubernetes service"
+msgstr ""
+"Take a replication controller, service, deployment or pod and expose it as a "
+"new Kubernetes service"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L114
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:174
+msgid "The image for the container to run."
+msgstr "The image for the container to run."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L116
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:176
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+msgstr ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:172
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server."
+msgstr ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:112
+msgid ""
+"The maximum number or percentage of unavailable pods this budget requires."
+msgstr ""
+"The maximum number or percentage of unavailable pods this budget requires."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:111
+msgid ""
+"The minimum number or percentage of available pods this budget requires."
+msgstr ""
+"The minimum number or percentage of available pods this budget requires."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L113
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:159
+msgid "The name for the newly created object."
+msgstr "The name for the newly created object."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/autoscale.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:125
+msgid ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+msgstr ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L98
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:147
+msgid ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+msgstr ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L99
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:148
+msgid "The network protocol for the service to be created. Default is 'TCP'."
+msgstr "The network protocol for the service to be created. Default is 'TCP'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L100
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:149
+msgid ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+msgstr ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:182
+msgid "The port that this container exposes."
+msgstr "The port that this container exposes."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L131
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:194
+msgid ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+msgstr ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L130
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:192
+msgid ""
+"The resource requirement requests for this container.  For example, "
+"'cpu=100m,memory=256Mi'.  Note that server side components may assign "
+"requests depending on the server configuration, such as limit ranges."
+msgstr ""
+"The resource requirement requests for this container.  For example, "
+"'cpu=100m,memory=256Mi'.  Note that server side components may assign "
+"requests depending on the server configuration, such as limit ranges."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:190
+msgid ""
+"The restart policy for this Pod.  Legal values [Always, OnFailure, Never]."
+msgstr ""
+"The restart policy for this Pod.  Legal values [Always, OnFailure, Never]."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L87
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:155
+msgid "The type of secret to create"
+msgstr "The type of secret to create"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:33
+msgid ""
+"These commands correspond to alpha features that are not enabled in "
+"Kubernetes clusters by default."
+msgstr ""
+"These commands correspond to alpha features that are not enabled in "
+"Kubernetes clusters by default."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:150
+msgid ""
+"Type for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. "
+"Default is 'ClusterIP'."
+msgstr ""
+"Type for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. "
+"Default is 'ClusterIP'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_undo.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:87
+msgid "Undo a previous rollout"
+msgstr "Undo a previous rollout"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/unset.go:59
+msgid "Unset an individual value in a kubeconfig file"
+msgstr "Unset an individual value in a kubeconfig file"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_env.go:154
+msgid "Update environment variables on a pod template"
+msgstr "Update environment variables on a pod template"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:115
+msgid "Update fields of a resource"
+msgstr "Update fields of a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_resources.go#L101
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:116
+msgid "Update resource requests/limits on objects with pod templates"
+msgstr "Update resource requests/limits on objects with pod templates"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "Update the annotations on a resource"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:110
+msgid "Update the image of a pod template"
+msgstr "Update the image of a pod template"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/label.go#L109
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:133
+msgid "Update the labels on a resource"
+msgstr "Update the labels on a resource"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:102
+msgid "Update the service account of a resource"
+msgstr "Update the service account of a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/taint.go#L88
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:109
+msgid "Update the taints on one or more nodes"
+msgstr "Update the taints on one or more nodes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_subject.go:99
+msgid ""
+"Update the user, group, or service account in a role binding or cluster role "
+"binding"
+msgstr ""
+"Update the user, group, or service account in a role binding or cluster role "
+"binding"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L155
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:150
+msgid "Username for Docker registry authentication"
+msgstr "Username for Docker registry authentication"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_history.go#L51
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:83
+msgid "View rollout history"
+msgstr "View rollout history"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:77
+msgid ""
+"View the latest last-applied-configuration annotations of a resource/object"
+msgstr ""
+"View the latest last-applied-configuration annotations of a resource/object"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:171
+msgid ""
+"When used with '--copy-to', a list of name=image pairs for changing "
+"container images, similar to how 'kubectl set image' works."
+msgstr ""
+"When used with '--copy-to', a list of name=image pairs for changing "
+"container images, similar to how 'kubectl set image' works."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:168
+msgid "When used with '--copy-to', delete the original Pod."
+msgstr "When used with '--copy-to', delete the original Pod."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:176
+msgid ""
+"When used with '--copy-to', enable process namespace sharing in the copy."
+msgstr ""
+"When used with '--copy-to', enable process namespace sharing in the copy."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:175
+msgid ""
+"When used with '--copy-to', schedule the copy of target Pod on the same node."
+msgstr ""
+"When used with '--copy-to', schedule the copy of target Pod on the same node."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:177
+msgid ""
+"When using an ephemeral container, target processes in this container name."
+msgstr ""
+"When using an ephemeral container, target processes in this container name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/clusterinfo_dump.go#L45
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:85
+msgid ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+msgstr ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:108
+msgid ""
+"description is an arbitrary string that usually provides guidelines on when "
+"this priority class should be used."
+msgstr ""
+"description is an arbitrary string that usually provides guidelines on when "
+"this priority class should be used."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run_test.go:88
+msgid "dummy restart flag)"
+msgstr "dummy restart flag)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:107
+msgid ""
+"global-default specifies whether this PriorityClass should be considered as "
+"the default priority."
+msgstr ""
+"global-default specifies whether this PriorityClass should be considered as "
+"the default priority."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cmd.go#L217
+#: staging/src/k8s.io/kubectl/pkg/cmd/cmd.go:227
+msgid "kubectl controls the Kubernetes cluster manager"
+msgstr "kubectl controls the Kubernetes cluster manager"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:45
+msgid ""
+"pod (po), service (svc), replicationcontroller (rc), deployment (deploy), "
+"replicaset (rs)"
+msgstr ""
+"pod (po), service (svc), replicationcontroller (rc), deployment (deploy), "
+"replicaset (rs)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:109
+msgid ""
+"preemption-policy is the policy for preempting pods with lower priority."
+msgstr ""
+"preemption-policy is the policy for preempting pods with lower priority."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:41
+msgid ""
+"replicationcontroller (rc), deployment (deploy), daemonset (ds), job, "
+"replicaset (rs), statefulset"
+msgstr ""
+"replicationcontroller (rc), deployment (deploy), daemonset (ds), job, "
+"replicaset (rs), statefulset"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:106
+msgid "the value of this priority class."
+msgstr "the value of this priority class."
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/en_US/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/en_US/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..9c0c708fcd
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/en_US/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/en_US/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/en_US/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..c4f0e403f9
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/en_US/LC_MESSAGES/k8s.po
@@ -0,0 +1,5077 @@
+# Test translations for unit tests.
+# Copyright (C) 2016
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR brendan.d.burns@gmail.com, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gettext-go-examples-hello\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2017-03-14 21:33-0800\n"
+"Last-Translator: Brendan Burns <brendan.d.burns@gmail.com>\n"
+"Language-Team: \n"
+"Language: en\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.6.10\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:138
+msgid ""
+"\n"
+"\t\t\t# Approve CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate approve csr-sqgzp\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t\t# Approve CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate approve csr-sqgzp\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:182
+msgid ""
+"\n"
+"\t\t\t# Deny CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate deny csr-sqgzp\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t\t# Deny CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate deny csr-sqgzp\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:43
+msgid ""
+"\n"
+"\t\t\tModify kubeconfig files using subcommands like \"kubectl config set "
+"current-context my-context\"\n"
+"\n"
+"\t\t\tThe loading order follows these rules:\n"
+"\n"
+"\t\t\t1. If the --"
+msgstr ""
+"\n"
+"\t\t\tModify kubeconfig files using subcommands like \"kubectl config set "
+"current-context my-context\"\n"
+"\n"
+"\t\t\tThe loading order follows these rules:\n"
+"\n"
+"\t\t\t1. If the --"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:44
+msgid ""
+"\n"
+"\t\t  # Create a cluster role binding for user1, user2, and group1 using the "
+"cluster-admin cluster role\n"
+"\t\t  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-"
+"admin --user=user1 --user=user2 --group=group1"
+msgstr ""
+"\n"
+"\t\t  # Create a cluster role binding for user1, user2, and group1 using the "
+"cluster-admin cluster role\n"
+"\t\t  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-"
+"admin --user=user1 --user=user2 --group=group1"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:58
+msgid ""
+"\n"
+"\t\t  # Create a new config map named my-config based on folder bar\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config with specified keys instead "
+"of file basenames on disk\n"
+"\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/file1."
+"txt --from-file=key2=/path/to/bar/file2.txt\n"
+"\n"
+"\t\t  # Create a new config map named my-config with key1=config1 and "
+"key2=config2\n"
+"\t\t  kubectl create configmap my-config --from-literal=key1=config1 --from-"
+"literal=key2=config2\n"
+"\n"
+"\t\t  # Create a new config map named my-config from the key=value pairs in "
+"the file\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config from an env file\n"
+"\t\t  kubectl create configmap my-config --from-env-file=path/to/bar.env"
+msgstr ""
+"\n"
+"\t\t  # Create a new config map named my-config based on folder bar\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config with specified keys instead "
+"of file basenames on disk\n"
+"\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/file1."
+"txt --from-file=key2=/path/to/bar/file2.txt\n"
+"\n"
+"\t\t  # Create a new config map named my-config with key1=config1 and "
+"key2=config2\n"
+"\t\t  kubectl create configmap my-config --from-literal=key1=config1 --from-"
+"literal=key2=config2\n"
+"\n"
+"\t\t  # Create a new config map named my-config from the key=value pairs in "
+"the file\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config from an env file\n"
+"\t\t  kubectl create configmap my-config --from-env-file=path/to/bar.env"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:43
+msgid ""
+"\n"
+"\t\t  # Create a role binding for user1, user2, and group1 using the admin "
+"cluster role\n"
+"\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+"user=user2 --group=group1"
+msgstr ""
+"\n"
+"\t\t  # Create a role binding for user1, user2, and group1 using the admin "
+"cluster role\n"
+"\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+"user=user2 --group=group1"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:56
+msgid ""
+"\n"
+"\t\t  # If you don't already have a .dockercfg file, you can create a "
+"dockercfg secret directly by using:\n"
+"\t\t  kubectl create secret docker-registry my-secret --docker-"
+"server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+"password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL\n"
+"\n"
+"\t\t  # Create a new secret named my-secret from ~/.docker/config.json\n"
+"\t\t  kubectl create secret docker-registry my-secret --from-file=."
+"dockerconfigjson=path/to/.docker/config.json"
+msgstr ""
+"\n"
+"\t\t  # If you don't already have a .dockercfg file, you can create a "
+"dockercfg secret directly by using:\n"
+"\t\t  kubectl create secret docker-registry my-secret --docker-"
+"server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+"password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL\n"
+"\n"
+"\t\t  # Create a new secret named my-secret from ~/.docker/config.json\n"
+"\t\t  kubectl create secret docker-registry my-secret --from-file=."
+"dockerconfigjson=path/to/.docker/config.json"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:62
+msgid ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+msgstr ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:45
+msgid ""
+"\n"
+"\t\t# !!!Important Note!!!\n"
+"\t\t# Requires that the 'tar' binary is present in your container\n"
+"\t\t# image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+"\t\t#\n"
+"\t\t# For advanced use cases, such as symlinks, wildcard expansion or\n"
+"\t\t# file mode preservation, consider using 'kubectl exec'.\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\ttar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- "
+"tar xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar "
+"xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in "
+"the default namespace\n"
+"\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific "
+"container\n"
+"\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+msgstr ""
+"\n"
+"\t\t# !!!Important Note!!!\n"
+"\t\t# Requires that the 'tar' binary is present in your container\n"
+"\t\t# image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+"\t\t#\n"
+"\t\t# For advanced use cases, such as symlinks, wildcard expansion or\n"
+"\t\t# file mode preservation, consider using 'kubectl exec'.\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\ttar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- "
+"tar xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar "
+"xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in "
+"the default namespace\n"
+"\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific "
+"container\n"
+"\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:119
+msgid ""
+"\n"
+"\t\t# Apply the configuration in pod.json to a pod\n"
+"\t\tkubectl apply -f ./pod.json\n"
+"\n"
+"\t\t# Apply resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl apply -k dir/\n"
+"\n"
+"\t\t# Apply the JSON passed into stdin to a pod\n"
+"\t\tcat pod.json | kubectl apply -f -\n"
+"\n"
+"\t\t# Note: --prune is still in Alpha\n"
+"\t\t# Apply the configuration in manifest.yaml that matches label app=nginx "
+"and delete all other resources that are not in the file and match label "
+"app=nginx\n"
+"\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+"\n"
+"\t\t# Apply the configuration in manifest.yaml and delete all the other "
+"config maps that are not in the file\n"
+"\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/"
+"ConfigMap"
+msgstr ""
+"\n"
+"\t\t# Apply the configuration in pod.json to a pod\n"
+"\t\tkubectl apply -f ./pod.json\n"
+"\n"
+"\t\t# Apply resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl apply -k dir/\n"
+"\n"
+"\t\t# Apply the JSON passed into stdin to a pod\n"
+"\t\tcat pod.json | kubectl apply -f -\n"
+"\n"
+"\t\t# Note: --prune is still in Alpha\n"
+"\t\t# Apply the configuration in manifest.yaml that matches label app=nginx "
+"and delete all other resources that are not in the file and match label "
+"app=nginx\n"
+"\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+"\n"
+"\t\t# Apply the configuration in manifest.yaml and delete all the other "
+"config maps that are not in the file\n"
+"\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/"
+"ConfigMap"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:48
+#, c-format
+msgid ""
+"\n"
+"\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 and "
+"10, no target CPU utilization specified so a default autoscaling policy will "
+"be used\n"
+"\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+"\n"
+"\t\t# Auto scale a replication controller \"foo\", with the number of pods "
+"between 1 and 5, target CPU utilization at 80%\n"
+"\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+msgstr ""
+"\n"
+"\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 and "
+"10, no target CPU utilization specified so a default autoscaling policy will "
+"be used\n"
+"\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+"\n"
+"\t\t# Auto scale a replication controller \"foo\", with the number of pods "
+"between 1 and 5, target CPU utilization at 80%\n"
+"\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+
+#: pkg/kubectl/cmd/convert/convert.go:51
+msgid ""
+"\n"
+"\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+"\t\tkubectl convert -f pod.yaml\n"
+"\n"
+"\t\t# Convert the live state of the resource specified by 'pod.yaml' to the "
+"latest version\n"
+"\t\t# and print to stdout in JSON format.\n"
+"\t\tkubectl convert -f pod.yaml --local -o json\n"
+"\n"
+"\t\t# Convert all files under current directory to latest version and create "
+"them all.\n"
+"\t\tkubectl convert -f . | kubectl create -f -"
+msgstr ""
+"\n"
+"\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+"\t\tkubectl convert -f pod.yaml\n"
+"\n"
+"\t\t# Convert the live state of the resource specified by 'pod.yaml' to the "
+"latest version\n"
+"\t\t# and print to stdout in JSON format.\n"
+"\t\tkubectl convert -f pod.yaml --local -o json\n"
+"\n"
+"\t\t# Convert all files under current directory to latest version and create "
+"them all.\n"
+"\t\tkubectl convert -f . | kubectl create -f -"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:41
+msgid ""
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" that allows user to perform "
+"\"get\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" with ResourceName "
+"specified\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get --resource=pods --"
+"resource-name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with API Group specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=rs."
+"extensions\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=pods,"
+"pods/status\n"
+"\n"
+"\t\t# Create a cluster role name \"foo\" with NonResourceURL specified\n"
+"\t\tkubectl create clusterrole \"foo\" --verb=get --non-resource-url=/logs/"
+"*\n"
+"\n"
+"\t\t# Create a cluster role name \"monitoring\" with AggregationRule "
+"specified\n"
+"\t\tkubectl create clusterrole monitoring --aggregation-rule=\"rbac.example."
+"com/aggregate-to-monitoring=true\""
+msgstr ""
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" that allows user to perform "
+"\"get\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" with ResourceName "
+"specified\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get --resource=pods --"
+"resource-name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with API Group specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=rs."
+"extensions\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=pods,"
+"pods/status\n"
+"\n"
+"\t\t# Create a cluster role name \"foo\" with NonResourceURL specified\n"
+"\t\tkubectl create clusterrole \"foo\" --verb=get --non-resource-url=/logs/"
+"*\n"
+"\n"
+"\t\t# Create a cluster role name \"monitoring\" with AggregationRule "
+"specified\n"
+"\t\tkubectl create clusterrole monitoring --aggregation-rule=\"rbac.example."
+"com/aggregate-to-monitoring=true\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:43
+msgid ""
+"\n"
+"\t\t# Create a job\n"
+"\t\tkubectl create job my-job --image=busybox\n"
+"\n"
+"\t\t# Create a job with a command\n"
+"\t\tkubectl create job my-job --image=busybox -- date\n"
+"\n"
+"\t\t# Create a job from a cron job named \"a-cronjob\"\n"
+"\t\tkubectl create job test-job --from=cronjob/a-cronjob"
+msgstr ""
+"\n"
+"\t\t# Create a job\n"
+"\t\tkubectl create job my-job --image=busybox\n"
+"\n"
+"\t\t# Create a job with a command\n"
+"\t\tkubectl create job my-job --image=busybox -- date\n"
+"\n"
+"\t\t# Create a job from a cron job named \"a-cronjob\"\n"
+"\t\tkubectl create job test-job --from=cronjob/a-cronjob"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:44
+msgid ""
+"\n"
+"\t\t# Create a new resource quota named my-quota\n"
+"\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,"
+"replicationcontrollers=2,resourcequotas=1,secrets=5,"
+"persistentvolumeclaims=10\n"
+"\n"
+"\t\t# Create a new resource quota named best-effort\n"
+"\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+msgstr ""
+"\n"
+"\t\t# Create a new resource quota named my-quota\n"
+"\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,"
+"replicationcontrollers=2,resourcequotas=1,secrets=5,"
+"persistentvolumeclaims=10\n"
+"\n"
+"\t\t# Create a new resource quota named best-effort\n"
+"\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:44
+#, c-format
+msgid ""
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=rails label\n"
+"\t\t# and require at least one of them being available at any point in time\n"
+"\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+"available=1\n"
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=nginx label\n"
+"\t\t# and require at least half of the pods selected to be available at any "
+"point in time\n"
+"\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+msgstr ""
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=rails label\n"
+"\t\t# and require at least one of them being available at any point in time\n"
+"\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+"available=1\n"
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=nginx label\n"
+"\t\t# and require at least half of the pods selected to be available at any "
+"point in time\n"
+"\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:76
+msgid ""
+"\n"
+"\t\t# Create a pod using the data in pod.json\n"
+"\t\tkubectl create -f ./pod.json\n"
+"\n"
+"\t\t# Create a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl create -f -\n"
+"\n"
+"\t\t# Edit the data in docker-registry.yaml in JSON then create the resource "
+"using the edited data\n"
+"\t\tkubectl create -f docker-registry.yaml --edit -o json"
+msgstr ""
+"\n"
+"\t\t# Create a pod using the data in pod.json\n"
+"\t\tkubectl create -f ./pod.json\n"
+"\n"
+"\t\t# Create a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl create -f -\n"
+"\n"
+"\t\t# Edit the data in docker-registry.yaml in JSON then create the resource "
+"using the edited data\n"
+"\t\tkubectl create -f docker-registry.yaml --edit -o json"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:43
+msgid ""
+"\n"
+"\t\t# Create a priority class named high-priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --description="
+"\"high priority\"\n"
+"\n"
+"\t\t# Create a priority class named default-priority that is considered as "
+"the global default priority\n"
+"\t\tkubectl create priorityclass default-priority --value=1000 --global-"
+"default=true --description=\"default priority\"\n"
+"\n"
+"\t\t# Create a priority class named high-priority that cannot preempt pods "
+"with lower priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --description="
+"\"high priority\" --preemption-policy=\"Never\""
+msgstr ""
+"\n"
+"\t\t# Create a priority class named high-priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --description="
+"\"high priority\"\n"
+"\n"
+"\t\t# Create a priority class named default-priority that is considered as "
+"the global default priority\n"
+"\t\tkubectl create priorityclass default-priority --value=1000 --global-"
+"default=true --description=\"default priority\"\n"
+"\n"
+"\t\t# Create a priority class named high-priority that cannot preempt pods "
+"with lower priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --description="
+"\"high priority\" --preemption-policy=\"Never\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:46
+msgid ""
+"\n"
+"\t\t# Create a role named \"pod-reader\" that allows user to perform \"get"
+"\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a role named \"pod-reader\" with ResourceName specified\n"
+"\t\tkubectl create role pod-reader --verb=get --resource=pods --resource-"
+"name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a role named \"foo\" with API Group specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=rs.extensions\n"
+"\n"
+"\t\t# Create a role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=pods,pods/status"
+msgstr ""
+"\n"
+"\t\t# Create a role named \"pod-reader\" that allows user to perform \"get"
+"\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a role named \"pod-reader\" with ResourceName specified\n"
+"\t\tkubectl create role pod-reader --verb=get --resource=pods --resource-"
+"name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a role named \"foo\" with API Group specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=rs.extensions\n"
+"\n"
+"\t\t# Create a role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=pods,pods/status"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:61
+msgid ""
+"\n"
+"\t\t# Create a service for a replicated nginx, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a replication controller identified by type and "
+"name specified in \"nginx-controller.yaml\", which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+"the name \"frontend\"\n"
+"\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+"\n"
+"\t\t# Create a second service based on the above service, exposing the "
+"container port 8443 as port 443 with the name \"nginx-https\"\n"
+"\t\tkubectl expose service nginx --port=443 --target-port=8443 --name=nginx-"
+"https\n"
+"\n"
+"\t\t# Create a service for a replicated streaming application on port 4100 "
+"balancing UDP traffic and named 'video-stream'.\n"
+"\t\tkubectl expose rc streamer --port=4100 --protocol=UDP --name=video-"
+"stream\n"
+"\n"
+"\t\t# Create a service for a replicated nginx using replica set, which "
+"serves on port 80 and connects to the containers on port 8000\n"
+"\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for an nginx deployment, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+msgstr ""
+"\n"
+"\t\t# Create a service for a replicated nginx, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a replication controller identified by type and "
+"name specified in \"nginx-controller.yaml\", which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+"the name \"frontend\"\n"
+"\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+"\n"
+"\t\t# Create a second service based on the above service, exposing the "
+"container port 8443 as port 443 with the name \"nginx-https\"\n"
+"\t\tkubectl expose service nginx --port=443 --target-port=8443 --name=nginx-"
+"https\n"
+"\n"
+"\t\t# Create a service for a replicated streaming application on port 4100 "
+"balancing UDP traffic and named 'video-stream'.\n"
+"\t\tkubectl expose rc streamer --port=4100 --protocol=UDP --name=video-"
+"stream\n"
+"\n"
+"\t\t# Create a service for a replicated nginx using replica set, which "
+"serves on port 80 and connects to the containers on port 8000\n"
+"\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for an nginx deployment, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:64
+msgid ""
+"\n"
+"\t\t# Create a single ingress called 'simple' that directs requests to foo."
+"com/bar to svc\n"
+"\t\t# svc1:8080 with a tls secret \"my-cert\"\n"
+"\t\tkubectl create ingress simple --rule=\"foo.com/bar=svc1:8080,tls=my-cert"
+"\"\n"
+"\n"
+"\t\t# Create a catch all ingress of \"/path\" pointing to service svc:port "
+"and Ingress Class as \"otheringress\"\n"
+"\t\tkubectl create ingress catch-all --class=otheringress --rule=\"/path=svc:"
+"port\"\n"
+"\n"
+"\t\t# Create an ingress with two annotations: ingress.annotation1 and "
+"ingress.annotations2\n"
+"\t\tkubectl create ingress annotated --class=default --rule=\"foo.com/"
+"bar=svc:port\" \\n\t\t\t--annotation ingress.annotation1=foo \\n\t\t\t--"
+"annotation ingress.annotation2=bla\n"
+"\n"
+"\t\t# Create an ingress with the same host and multiple paths\n"
+"\t\tkubectl create ingress multipath --class=default \\n\t\t\t--rule=\"foo."
+"com/=svc:port\" \\n\t\t\t--rule=\"foo.com/admin/=svcadmin:portadmin\"\n"
+"\n"
+"\t\t# Create an ingress with multiple hosts and the pathType as Prefix\n"
+"\t\tkubectl create ingress ingress1 --class=default \\n\t\t\t--rule=\"foo."
+"com/path*=svc:8080\" \\n\t\t\t--rule=\"bar.com/admin*=svc2:http\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using the default ingress "
+"certificate and different path types\n"
+"\t\tkubectl create ingress ingtls --class=default \\n\t\t   --rule=\"foo.com/"
+"=svc:https,tls\" \\n\t\t   --rule=\"foo.com/path/subpath*=othersvc:8080\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using a specific secret and "
+"pathType as Prefix\n"
+"\t\tkubectl create ingress ingsecret --class=default \\n\t\t   --rule=\"foo."
+"com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t# Create an ingress with a default backend\n"
+"\t\tkubectl create ingress ingdefault --class=default \\n\t\t   --default-"
+"backend=defaultsvc:http \\n\t\t   --rule=\"foo.com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t# Create a single ingress called 'simple' that directs requests to foo."
+"com/bar to svc\n"
+"\t\t# svc1:8080 with a tls secret \"my-cert\"\n"
+"\t\tkubectl create ingress simple --rule=\"foo.com/bar=svc1:8080,tls=my-cert"
+"\"\n"
+"\n"
+"\t\t# Create a catch all ingress of \"/path\" pointing to service svc:port "
+"and Ingress Class as \"otheringress\"\n"
+"\t\tkubectl create ingress catch-all --class=otheringress --rule=\"/path=svc:"
+"port\"\n"
+"\n"
+"\t\t# Create an ingress with two annotations: ingress.annotation1 and "
+"ingress.annotations2\n"
+"\t\tkubectl create ingress annotated --class=default --rule=\"foo.com/"
+"bar=svc:port\" \\n\t\t\t--annotation ingress.annotation1=foo \\n\t\t\t--"
+"annotation ingress.annotation2=bla\n"
+"\n"
+"\t\t# Create an ingress with the same host and multiple paths\n"
+"\t\tkubectl create ingress multipath --class=default \\n\t\t\t--rule=\"foo."
+"com/=svc:port\" \\n\t\t\t--rule=\"foo.com/admin/=svcadmin:portadmin\"\n"
+"\n"
+"\t\t# Create an ingress with multiple hosts and the pathType as Prefix\n"
+"\t\tkubectl create ingress ingress1 --class=default \\n\t\t\t--rule=\"foo."
+"com/path*=svc:8080\" \\n\t\t\t--rule=\"bar.com/admin*=svc2:http\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using the default ingress "
+"certificate and different path types\n"
+"\t\tkubectl create ingress ingtls --class=default \\n\t\t   --rule=\"foo.com/"
+"=svc:https,tls\" \\n\t\t   --rule=\"foo.com/path/subpath*=othersvc:8080\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using a specific secret and "
+"pathType as Prefix\n"
+"\t\tkubectl create ingress ingsecret --class=default \\n\t\t   --rule=\"foo."
+"com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t# Create an ingress with a default backend\n"
+"\t\tkubectl create ingress ingdefault --class=default \\n\t\t   --default-"
+"backend=defaultsvc:http \\n\t\t   --rule=\"foo.com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:74
+msgid ""
+"\n"
+"\t\t# Create an interactive debugging session in pod mypod and immediately "
+"attach to it.\n"
+"\t\tkubectl debug mypod -it --image=busybox\n"
+"\n"
+"\t\t# Create a debug container named debugger using a custom automated "
+"debugging image.\n"
+"\t\tkubectl debug --image=myproj/debug-tools -c debugger mypod\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and attach to it\n"
+"\t\tkubectl debug mypod -it --image=busybox --copy-to=my-debugger\n"
+"\n"
+"\t\t# Create a copy of mypod changing the command of mycontainer\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --container=mycontainer -- "
+"sh\n"
+"\n"
+"\t\t# Create a copy of mypod changing all container images to busybox\n"
+"\t\tkubectl debug mypod --copy-to=my-debugger --set-image=*=busybox\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and changing container "
+"images\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --image=debian --set-"
+"image=app=app:debug,sidecar=sidecar:debug\n"
+"\n"
+"\t\t# Create an interactive debugging session on a node and immediately "
+"attach to it.\n"
+"\t\t# The container will run in the host namespaces and the host's "
+"filesystem will be mounted at /host\n"
+"\t\tkubectl debug node/mynode -it --image=busybox\n"
+msgstr ""
+"\n"
+"\t\t# Create an interactive debugging session in pod mypod and immediately "
+"attach to it.\n"
+"\t\tkubectl debug mypod -it --image=busybox\n"
+"\n"
+"\t\t# Create a debug container named debugger using a custom automated "
+"debugging image.\n"
+"\t\tkubectl debug --image=myproj/debug-tools -c debugger mypod\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and attach to it\n"
+"\t\tkubectl debug mypod -it --image=busybox --copy-to=my-debugger\n"
+"\n"
+"\t\t# Create a copy of mypod changing the command of mycontainer\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --container=mycontainer -- "
+"sh\n"
+"\n"
+"\t\t# Create a copy of mypod changing all container images to busybox\n"
+"\t\tkubectl debug mypod --copy-to=my-debugger --set-image=*=busybox\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and changing container "
+"images\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --image=debian --set-"
+"image=app=app:debug,sidecar=sidecar:debug\n"
+"\n"
+"\t\t# Create an interactive debugging session on a node and immediately "
+"attach to it.\n"
+"\t\t# The container will run in the host namespaces and the host's "
+"filesystem will be mounted at /host\n"
+"\t\tkubectl debug node/mynode -it --image=busybox\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:74
+msgid ""
+"\n"
+"\t\t# Delete a pod using the type and name specified in pod.json\n"
+"\t\tkubectl delete -f ./pod.json\n"
+"\n"
+"\t\t# Delete resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl delete -k dir\n"
+"\n"
+"\t\t# Delete a pod based on the type and name in the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl delete -f -\n"
+"\n"
+"\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+"\t\tkubectl delete pod,service baz foo\n"
+"\n"
+"\t\t# Delete pods and services with label name=myLabel\n"
+"\t\tkubectl delete pods,services -l name=myLabel\n"
+"\n"
+"\t\t# Delete a pod with minimal delay\n"
+"\t\tkubectl delete pod foo --now\n"
+"\n"
+"\t\t# Force delete a pod on a dead node\n"
+"\t\tkubectl delete pod foo --force\n"
+"\n"
+"\t\t# Delete all pods\n"
+"\t\tkubectl delete pods --all"
+msgstr ""
+"\n"
+"\t\t# Delete a pod using the type and name specified in pod.json\n"
+"\t\tkubectl delete -f ./pod.json\n"
+"\n"
+"\t\t# Delete resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl delete -k dir\n"
+"\n"
+"\t\t# Delete a pod based on the type and name in the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl delete -f -\n"
+"\n"
+"\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+"\t\tkubectl delete pod,service baz foo\n"
+"\n"
+"\t\t# Delete pods and services with label name=myLabel\n"
+"\t\tkubectl delete pods,services -l name=myLabel\n"
+"\n"
+"\t\t# Delete a pod with minimal delay\n"
+"\t\tkubectl delete pod foo --now\n"
+"\n"
+"\t\t# Force delete a pod on a dead node\n"
+"\t\tkubectl delete pod foo --force\n"
+"\n"
+"\t\t# Delete all pods\n"
+"\t\tkubectl delete pods --all"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:51
+msgid ""
+"\n"
+"\t\t# Describe a node\n"
+"\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+"\n"
+"\t\t# Describe a pod\n"
+"\t\tkubectl describe pods/nginx\n"
+"\n"
+"\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+"\t\tkubectl describe -f pod.json\n"
+"\n"
+"\t\t# Describe all pods\n"
+"\t\tkubectl describe pods\n"
+"\n"
+"\t\t# Describe pods by label name=myLabel\n"
+"\t\tkubectl describe po -l name=myLabel\n"
+"\n"
+"\t\t# Describe all pods managed by the 'frontend' replication controller (rc-"
+"created pods\n"
+"\t\t# get the name of the rc as a prefix in the pod the name)\n"
+"\t\tkubectl describe pods frontend"
+msgstr ""
+"\n"
+"\t\t# Describe a node\n"
+"\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+"\n"
+"\t\t# Describe a pod\n"
+"\t\tkubectl describe pods/nginx\n"
+"\n"
+"\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+"\t\tkubectl describe -f pod.json\n"
+"\n"
+"\t\t# Describe all pods\n"
+"\t\tkubectl describe pods\n"
+"\n"
+"\t\t# Describe pods by label name=myLabel\n"
+"\t\tkubectl describe po -l name=myLabel\n"
+"\n"
+"\t\t# Describe all pods managed by the 'frontend' replication controller (rc-"
+"created pods\n"
+"\t\t# get the name of the rc as a prefix in the pod the name)\n"
+"\t\tkubectl describe pods frontend"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:76
+msgid ""
+"\n"
+"\t\t# Diff resources included in pod.json\n"
+"\t\tkubectl diff -f pod.json\n"
+"\n"
+"\t\t# Diff file read from stdin\n"
+"\t\tcat service.yaml | kubectl diff -f -"
+msgstr ""
+"\n"
+"\t\t# Diff resources included in pod.json\n"
+"\t\tkubectl diff -f pod.json\n"
+"\n"
+"\t\t# Diff file read from stdin\n"
+"\t\tcat service.yaml | kubectl diff -f -"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:138
+msgid ""
+"\n"
+"\t\t# Drain node \"foo\", even if there are pods not managed by a "
+"replication controller, replica set, job, daemon set or stateful set on it\n"
+"\t\tkubectl drain foo --force\n"
+"\n"
+"\t\t# As above, but abort if there are pods not managed by a replication "
+"controller, replica set, job, daemon set or stateful set, and use a grace "
+"period of 15 minutes\n"
+"\t\tkubectl drain foo --grace-period=900"
+msgstr ""
+"\n"
+"\t\t# Drain node \"foo\", even if there are pods not managed by a "
+"replication controller, replica set, job, daemon set or stateful set on it\n"
+"\t\tkubectl drain foo --force\n"
+"\n"
+"\t\t# As above, but abort if there are pods not managed by a replication "
+"controller, replica set, job, daemon set or stateful set, and use a grace "
+"period of 15 minutes\n"
+"\t\tkubectl drain foo --grace-period=900"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:55
+msgid ""
+"\n"
+"\t\t# Edit the service named 'docker-registry'\n"
+"\t\tkubectl edit svc/docker-registry\n"
+"\n"
+"\t\t# Use an alternative editor\n"
+"\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+"\n"
+"\t\t# Edit the job 'myjob' in JSON using the v1 API format\n"
+"\t\tkubectl edit job.v1.batch/myjob -o json\n"
+"\n"
+"\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+"config in its annotation\n"
+"\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+msgstr ""
+"\n"
+"\t\t# Edit the service named 'docker-registry'\n"
+"\t\tkubectl edit svc/docker-registry\n"
+"\n"
+"\t\t# Use an alternative editor\n"
+"\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+"\n"
+"\t\t# Edit the job 'myjob' in JSON using the v1 API format\n"
+"\t\tkubectl edit job.v1.batch/myjob -o json\n"
+"\n"
+"\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+"config in its annotation\n"
+"\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:44
+msgid ""
+"\n"
+"\t\t# Get output from running pod mypod; use the 'kubectl.kubernetes.io/"
+"default-container' annotation\n"
+"\t\t# for selecting the container to be attached or the first container in "
+"the pod will be chosen\n"
+"\t\tkubectl attach mypod\n"
+"\n"
+"\t\t# Get output from ruby-container from pod mypod\n"
+"\t\tkubectl attach mypod -c ruby-container\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl attach mypod -c ruby-container -i -t\n"
+"\n"
+"\t\t# Get output from the first pod of a replica set named nginx\n"
+"\t\tkubectl attach rs/nginx\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t# Get output from running pod mypod; use the 'kubectl.kubernetes.io/"
+"default-container' annotation\n"
+"\t\t# for selecting the container to be attached or the first container in "
+"the pod will be chosen\n"
+"\t\tkubectl attach mypod\n"
+"\n"
+"\t\t# Get output from ruby-container from pod mypod\n"
+"\t\tkubectl attach mypod -c ruby-container\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl attach mypod -c ruby-container -i -t\n"
+"\n"
+"\t\t# Get output from the first pod of a replica set named nginx\n"
+"\t\tkubectl attach rs/nginx\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:48
+msgid ""
+"\n"
+"\t\t# Get output from running the 'date' command from pod mypod, using the "
+"first container by default\n"
+"\t\tkubectl exec mypod -- date\n"
+"\n"
+"\t\t# Get output from running the 'date' command in ruby-container from pod "
+"mypod\n"
+"\t\tkubectl exec mypod -c ruby-container -- date\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl exec mypod -c ruby-container -i -t -- bash -il\n"
+"\n"
+"\t\t# List contents of /usr from the first container of pod mypod and sort "
+"by modification time\n"
+"\t\t# If the command you want to execute in the pod has any flags in common "
+"(e.g. -i),\n"
+"\t\t# you must use two dashes (--) to separate your command's flags/"
+"arguments\n"
+"\t\t# Also note, do not surround your command and its flags/arguments with "
+"quotes\n"
+"\t\t# unless that is how you would execute it normally (i.e., do ls -t /usr, "
+"not \"ls -t /usr\")\n"
+"\t\tkubectl exec mypod -i -t -- ls -t /usr\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"deployment mydeployment, using the first container by default\n"
+"\t\tkubectl exec deploy/mydeployment -- date\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"service myservice, using the first container by default\n"
+"\t\tkubectl exec svc/myservice -- date\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t# Get output from running the 'date' command from pod mypod, using the "
+"first container by default\n"
+"\t\tkubectl exec mypod -- date\n"
+"\n"
+"\t\t# Get output from running the 'date' command in ruby-container from pod "
+"mypod\n"
+"\t\tkubectl exec mypod -c ruby-container -- date\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl exec mypod -c ruby-container -i -t -- bash -il\n"
+"\n"
+"\t\t# List contents of /usr from the first container of pod mypod and sort "
+"by modification time\n"
+"\t\t# If the command you want to execute in the pod has any flags in common "
+"(e.g. -i),\n"
+"\t\t# you must use two dashes (--) to separate your command's flags/"
+"arguments\n"
+"\t\t# Also note, do not surround your command and its flags/arguments with "
+"quotes\n"
+"\t\t# unless that is how you would execute it normally (i.e., do ls -t /usr, "
+"not \"ls -t /usr\")\n"
+"\t\tkubectl exec mypod -i -t -- ls -t /usr\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"deployment mydeployment, using the first container by default\n"
+"\t\tkubectl exec deploy/mydeployment -- date\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"service myservice, using the first container by default\n"
+"\t\tkubectl exec svc/myservice -- date\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:46
+msgid ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+msgstr ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:65
+msgid ""
+"\n"
+"\t\t# Installing bash completion on macOS using homebrew\n"
+"\t\t## If running Bash 3.2 included with macOS\n"
+"\t\t    brew install bash-completion\n"
+"\t\t## or, if running Bash 4.1+\n"
+"\t\t    brew install bash-completion@2\n"
+"\t\t## If kubectl is installed via homebrew, this should start working "
+"immediately\n"
+"\t\t## If you've installed via other means, you may need add the completion "
+"to your completion directory\n"
+"\t\t    kubectl completion bash > $(brew --prefix)/etc/bash_completion.d/"
+"kubectl\n"
+"\n"
+"\n"
+"\t\t# Installing bash completion on Linux\n"
+"\t\t## If bash-completion is not installed on Linux, install the 'bash-"
+"completion' package\n"
+"\t\t## via your distribution's package manager.\n"
+"\t\t## Load the kubectl completion code for bash into the current shell\n"
+"\t\t    source <(kubectl completion bash)\n"
+"\t\t## Write bash completion code to a file and source it from ."
+"bash_profile\n"
+"\t\t    kubectl completion bash > ~/.kube/completion.bash.inc\n"
+"\t\t    printf \"\n"
+"\t\t      # Kubectl shell completion\n"
+"\t\t      source '$HOME/.kube/completion.bash.inc'\n"
+"\t\t      \" >> $HOME/.bash_profile\n"
+"\t\t    source $HOME/.bash_profile\n"
+"\n"
+"\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+"\t\t    source <(kubectl completion zsh)\n"
+"\t\t# Set the kubectl completion code for zsh[1] to autoload on startup\n"
+"\t\t    kubectl completion zsh > \"${fpath[1]}/_kubectl\""
+msgstr ""
+"\n"
+"\t\t# Installing bash completion on macOS using homebrew\n"
+"\t\t## If running Bash 3.2 included with macOS\n"
+"\t\t    brew install bash-completion\n"
+"\t\t## or, if running Bash 4.1+\n"
+"\t\t    brew install bash-completion@2\n"
+"\t\t## If kubectl is installed via homebrew, this should start working "
+"immediately\n"
+"\t\t## If you've installed via other means, you may need add the completion "
+"to your completion directory\n"
+"\t\t    kubectl completion bash > $(brew --prefix)/etc/bash_completion.d/"
+"kubectl\n"
+"\n"
+"\n"
+"\t\t# Installing bash completion on Linux\n"
+"\t\t## If bash-completion is not installed on Linux, install the 'bash-"
+"completion' package\n"
+"\t\t## via your distribution's package manager.\n"
+"\t\t## Load the kubectl completion code for bash into the current shell\n"
+"\t\t    source <(kubectl completion bash)\n"
+"\t\t## Write bash completion code to a file and source it from ."
+"bash_profile\n"
+"\t\t    kubectl completion bash > ~/.kube/completion.bash.inc\n"
+"\t\t    printf \"\n"
+"\t\t      # Kubectl shell completion\n"
+"\t\t      source '$HOME/.kube/completion.bash.inc'\n"
+"\t\t      \" >> $HOME/.bash_profile\n"
+"\t\t    source $HOME/.bash_profile\n"
+"\n"
+"\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+"\t\t    source <(kubectl completion zsh)\n"
+"\t\t# Set the kubectl completion code for zsh[1] to autoload on startup\n"
+"\t\t    kubectl completion zsh > \"${fpath[1]}/_kubectl\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:105
+msgid ""
+"\n"
+"\t\t# List all pods in ps output format\n"
+"\t\tkubectl get pods\n"
+"\n"
+"\t\t# List all pods in ps output format with more information (such as node "
+"name)\n"
+"\t\tkubectl get pods -o wide\n"
+"\n"
+"\t\t# List a single replication controller with specified NAME in ps output "
+"format\n"
+"\t\tkubectl get replicationcontroller web\n"
+"\n"
+"\t\t# List deployments in JSON output format, in the \"v1\" version of the "
+"\"apps\" API group\n"
+"\t\tkubectl get deployments.v1.apps -o json\n"
+"\n"
+"\t\t# List a single pod in JSON output format\n"
+"\t\tkubectl get -o json pod web-pod-13je7\n"
+"\n"
+"\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+"JSON output format\n"
+"\t\tkubectl get -f pod.yaml -o json\n"
+"\n"
+"\t\t# List resources from a directory with kustomization.yaml - e.g. dir/"
+"kustomization.yaml\n"
+"\t\tkubectl get -k dir/\n"
+"\n"
+"\t\t# Return only the phase value of the specified pod\n"
+"\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status.phase}}\n"
+"\n"
+"\t\t# List resource information in custom columns\n"
+"\t\tkubectl get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0]."
+"name,IMAGE:.spec.containers[0].image\n"
+"\n"
+"\t\t# List all replication controllers and services together in ps output "
+"format\n"
+"\t\tkubectl get rc,services\n"
+"\n"
+"\t\t# List one or more resources by their type and names\n"
+"\t\tkubectl get rc/web service/frontend pods/web-pod-13je7"
+msgstr ""
+"\n"
+"\t\t# List all pods in ps output format\n"
+"\t\tkubectl get pods\n"
+"\n"
+"\t\t# List all pods in ps output format with more information (such as node "
+"name)\n"
+"\t\tkubectl get pods -o wide\n"
+"\n"
+"\t\t# List a single replication controller with specified NAME in ps output "
+"format\n"
+"\t\tkubectl get replicationcontroller web\n"
+"\n"
+"\t\t# List deployments in JSON output format, in the \"v1\" version of the "
+"\"apps\" API group\n"
+"\t\tkubectl get deployments.v1.apps -o json\n"
+"\n"
+"\t\t# List a single pod in JSON output format\n"
+"\t\tkubectl get -o json pod web-pod-13je7\n"
+"\n"
+"\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+"JSON output format\n"
+"\t\tkubectl get -f pod.yaml -o json\n"
+"\n"
+"\t\t# List resources from a directory with kustomization.yaml - e.g. dir/"
+"kustomization.yaml\n"
+"\t\tkubectl get -k dir/\n"
+"\n"
+"\t\t# Return only the phase value of the specified pod\n"
+"\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status.phase}}\n"
+"\n"
+"\t\t# List resource information in custom columns\n"
+"\t\tkubectl get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0]."
+"name,IMAGE:.spec.containers[0].image\n"
+"\n"
+"\t\t# List all replication controllers and services together in ps output "
+"format\n"
+"\t\tkubectl get rc,services\n"
+"\n"
+"\t\t# List one or more resources by their type and names\n"
+"\t\tkubectl get rc/web service/frontend pods/web-pod-13je7"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:72
+msgid ""
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 5000 6000\n"
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in a pod selected by the deployment\n"
+"\t\tkubectl port-forward deployment/mydeployment 5000 6000\n"
+"\n"
+"\t\t# Listen on port 8443 locally, forwarding to the targetPort of the "
+"service's port named \"https\" in a pod selected by the service\n"
+"\t\tkubectl port-forward service/myservice 8443:https\n"
+"\n"
+"\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on all addresses, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on localhost and selected IP, forwarding to 5000 "
+"in the pod\n"
+"\t\tkubectl port-forward --address localhost,10.19.21.23 pod/mypod "
+"8888:5000\n"
+"\n"
+"\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod :5000"
+msgstr ""
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 5000 6000\n"
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in a pod selected by the deployment\n"
+"\t\tkubectl port-forward deployment/mydeployment 5000 6000\n"
+"\n"
+"\t\t# Listen on port 8443 locally, forwarding to the targetPort of the "
+"service's port named \"https\" in a pod selected by the service\n"
+"\t\tkubectl port-forward service/myservice 8443:https\n"
+"\n"
+"\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on all addresses, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on localhost and selected IP, forwarding to 5000 "
+"in the pod\n"
+"\t\tkubectl port-forward --address localhost,10.19.21.23 pod/mypod "
+"8888:5000\n"
+"\n"
+"\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod :5000"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:87
+msgid ""
+"\n"
+"\t\t# Mark node \"foo\" as schedulable\n"
+"\t\tkubectl uncordon foo"
+msgstr ""
+"\n"
+"\t\t# Mark node \"foo\" as schedulable\n"
+"\t\tkubectl uncordon foo"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:58
+msgid ""
+"\n"
+"\t\t# Mark node \"foo\" as unschedulable\n"
+"\t\tkubectl cordon foo"
+msgstr ""
+"\n"
+"\t\t# Mark node \"foo\" as unschedulable\n"
+"\t\tkubectl cordon foo"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:83
+msgid ""
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as JSON\n"
+"\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as YAML\n"
+"\t\tkubectl patch node k8s-node-1 -p $'spec:\n"
+" unschedulable: true'\n"
+"\n"
+"\t\t# Partially update a node identified by the type and name specified in "
+"\"node.json\" using strategic merge patch\n"
+"\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Update a container's image; spec.containers[*].name is required "
+"because it's a merge key\n"
+"\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+"\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+"\n"
+"\t\t# Update a container's image using a JSON patch with positional arrays\n"
+"\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+"\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+msgstr ""
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as JSON\n"
+"\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as YAML\n"
+"\t\tkubectl patch node k8s-node-1 -p $'spec:\n"
+" unschedulable: true'\n"
+"\n"
+"\t\t# Partially update a node identified by the type and name specified in "
+"\"node.json\" using strategic merge patch\n"
+"\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Update a container's image; spec.containers[*].name is required "
+"because it's a merge key\n"
+"\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+"\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+"\n"
+"\t\t# Update a container's image using a JSON patch with positional arrays\n"
+"\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+"\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/options.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:29
+msgid ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+msgstr ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:44
+msgid ""
+"\n"
+"\t\t# Print the address of the control plane and cluster services\n"
+"\t\tkubectl cluster-info"
+msgstr ""
+"\n"
+"\t\t# Print the address of the control plane and cluster services\n"
+"\t\tkubectl cluster-info"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/version.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:44
+msgid ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+msgstr ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:34
+msgid ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+msgstr ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:56
+msgid ""
+"\n"
+"\t\t# Replace a pod using the data in pod.json\n"
+"\t\tkubectl replace -f ./pod.json\n"
+"\n"
+"\t\t# Replace a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl replace -f -\n"
+"\n"
+"\t\t# Update a single-container pod's image version (tag) to v4\n"
+"\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' | "
+"kubectl replace -f -\n"
+"\n"
+"\t\t# Force replace, delete and then re-create the resource\n"
+"\t\tkubectl replace --force -f ./pod.json"
+msgstr ""
+"\n"
+"\t\t# Replace a pod using the data in pod.json\n"
+"\t\tkubectl replace -f ./pod.json\n"
+"\n"
+"\t\t# Replace a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl replace -f -\n"
+"\n"
+"\t\t# Update a single-container pod's image version (tag) to v4\n"
+"\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' | "
+"kubectl replace -f -\n"
+"\n"
+"\t\t# Force replace, delete and then re-create the resource\n"
+"\t\tkubectl replace --force -f ./pod.json"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:53
+msgid ""
+"\n"
+"\t\t# Return snapshot logs from pod nginx with only one container\n"
+"\t\tkubectl logs nginx\n"
+"\n"
+"\t\t# Return snapshot logs from pod nginx with multi containers\n"
+"\t\tkubectl logs nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot of previous terminated ruby container logs from pod "
+"web-1\n"
+"\t\tkubectl logs -p -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+"\t\tkubectl logs -f -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -f -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+"\t\tkubectl logs --tail=20 nginx\n"
+"\n"
+"\t\t# Show all logs from pod nginx written in the last hour\n"
+"\t\tkubectl logs --since=1h nginx\n"
+"\n"
+"\t\t# Show logs from a kubelet with an expired serving certificate\n"
+"\t\tkubectl logs --insecure-skip-tls-verify-backend nginx\n"
+"\n"
+"\t\t# Return snapshot logs from first container of a job named hello\n"
+"\t\tkubectl logs job/hello\n"
+"\n"
+"\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+"nginx\n"
+"\t\tkubectl logs deployment/nginx -c nginx-1"
+msgstr ""
+"\n"
+"\t\t# Return snapshot logs from pod nginx with only one container\n"
+"\t\tkubectl logs nginx\n"
+"\n"
+"\t\t# Return snapshot logs from pod nginx with multi containers\n"
+"\t\tkubectl logs nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot of previous terminated ruby container logs from pod "
+"web-1\n"
+"\t\tkubectl logs -p -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+"\t\tkubectl logs -f -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -f -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+"\t\tkubectl logs --tail=20 nginx\n"
+"\n"
+"\t\t# Show all logs from pod nginx written in the last hour\n"
+"\t\tkubectl logs --since=1h nginx\n"
+"\n"
+"\t\t# Show logs from a kubelet with an expired serving certificate\n"
+"\t\tkubectl logs --insecure-skip-tls-verify-backend nginx\n"
+"\n"
+"\t\t# Return snapshot logs from first container of a job named hello\n"
+"\t\tkubectl logs job/hello\n"
+"\n"
+"\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+"nginx\n"
+"\t\tkubectl logs deployment/nginx -c nginx-1"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:49
+msgid ""
+"\n"
+"\t\t# Scale a replica set named 'foo' to 3\n"
+"\t\tkubectl scale --replicas=3 rs/foo\n"
+"\n"
+"\t\t# Scale a resource identified by type and name specified in \"foo.yaml\" "
+"to 3\n"
+"\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+"\n"
+"\t\t# If the deployment named mysql's current size is 2, scale mysql to 3\n"
+"\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+"\n"
+"\t\t# Scale multiple replication controllers\n"
+"\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+"\n"
+"\t\t# Scale stateful set named 'web' to 3\n"
+"\t\tkubectl scale --replicas=3 statefulset/web"
+msgstr ""
+"\n"
+"\t\t# Scale a replica set named 'foo' to 3\n"
+"\t\tkubectl scale --replicas=3 rs/foo\n"
+"\n"
+"\t\t# Scale a resource identified by type and name specified in \"foo.yaml\" "
+"to 3\n"
+"\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+"\n"
+"\t\t# If the deployment named mysql's current size is 2, scale mysql to 3\n"
+"\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+"\n"
+"\t\t# Scale multiple replication controllers\n"
+"\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+"\n"
+"\t\t# Scale stateful set named 'web' to 3\n"
+"\t\tkubectl scale --replicas=3 statefulset/web"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:75
+msgid ""
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+"\n"
+"\t\t# Execute set-last-applied against each configuration file in a "
+"directory\n"
+"\t\tkubectl apply set-last-applied -f path/\n"
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file; will create the annotation if it does not already exist\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml --create-annotation=true\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+"\n"
+"\t\t# Execute set-last-applied against each configuration file in a "
+"directory\n"
+"\t\tkubectl apply set-last-applied -f path/\n"
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file; will create the annotation if it does not already exist\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml --create-annotation=true\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:75
+msgid ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+msgstr ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:62
+msgid ""
+"\n"
+"\t\t# Start a nginx pod\n"
+"\t\tkubectl run nginx --image=nginx\n"
+"\n"
+"\t\t# Start a hazelcast pod and let the container expose port 5701\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --port=5701\n"
+"\n"
+"\t\t# Start a hazelcast pod and set environment variables "
+"\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --env="
+"\"DNS_DOMAIN=cluster\" --env=\"POD_NAMESPACE=default\"\n"
+"\n"
+"\t\t# Start a hazelcast pod and set labels \"app=hazelcast\" and \"env=prod"
+"\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --labels="
+"\"app=hazelcast,env=prod\"\n"
+"\n"
+"\t\t# Dry run; print the corresponding API objects without creating them\n"
+"\t\tkubectl run nginx --image=nginx --dry-run=client\n"
+"\n"
+"\t\t# Start a nginx pod, but overload the spec with a partial set of values "
+"parsed from JSON\n"
+"\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": \"v1\", "
+"\"spec\": { ... } }'\n"
+"\n"
+"\t\t# Start a busybox pod and keep it in the foreground, don't restart it if "
+"it exits\n"
+"\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+"\n"
+"\t\t# Start the nginx pod using the default command, but use custom "
+"arguments (arg1 .. argN) for that command\n"
+"\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+"\n"
+"\t\t# Start the nginx pod using a different command and custom arguments\n"
+"\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>"
+msgstr ""
+"\n"
+"\t\t# Start a nginx pod\n"
+"\t\tkubectl run nginx --image=nginx\n"
+"\n"
+"\t\t# Start a hazelcast pod and let the container expose port 5701\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --port=5701\n"
+"\n"
+"\t\t# Start a hazelcast pod and set environment variables "
+"\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --env="
+"\"DNS_DOMAIN=cluster\" --env=\"POD_NAMESPACE=default\"\n"
+"\n"
+"\t\t# Start a hazelcast pod and set labels \"app=hazelcast\" and \"env=prod"
+"\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --labels="
+"\"app=hazelcast,env=prod\"\n"
+"\n"
+"\t\t# Dry run; print the corresponding API objects without creating them\n"
+"\t\tkubectl run nginx --image=nginx --dry-run=client\n"
+"\n"
+"\t\t# Start a nginx pod, but overload the spec with a partial set of values "
+"parsed from JSON\n"
+"\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": \"v1\", "
+"\"spec\": { ... } }'\n"
+"\n"
+"\t\t# Start a busybox pod and keep it in the foreground, don't restart it if "
+"it exits\n"
+"\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+"\n"
+"\t\t# Start the nginx pod using the default command, but use custom "
+"arguments (arg1 .. argN) for that command\n"
+"\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+"\n"
+"\t\t# Start the nginx pod using a different command and custom arguments\n"
+"\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:73
+msgid ""
+"\n"
+"\t\t# To proxy all of the Kubernetes API and nothing else\n"
+"\t\tkubectl proxy --api-prefix=/\n"
+"\n"
+"\t\t# To proxy only part of the Kubernetes API and also some static files\n"
+"\t\t# You can get pods info with 'curl localhost:8001/api/v1/pods'\n"
+"\t\tkubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/\n"
+"\n"
+"\t\t# To proxy the entire Kubernetes API at a different root\n"
+"\t\t# You can get pods info with 'curl localhost:8001/custom/api/v1/pods'\n"
+"\t\tkubectl proxy --api-prefix=/custom/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on port 8011, serving static "
+"content from ./local/www/\n"
+"\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on an arbitrary local port\n"
+"\t\t# The chosen port for the server will be output to stdout\n"
+"\t\tkubectl proxy --port=0\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server, changing the API prefix to "
+"k8s-api\n"
+"\t\t# This makes e.g. the pods API available at localhost:8001/k8s-api/v1/"
+"pods/\n"
+"\t\tkubectl proxy --api-prefix=/k8s-api"
+msgstr ""
+"\n"
+"\t\t# To proxy all of the Kubernetes API and nothing else\n"
+"\t\tkubectl proxy --api-prefix=/\n"
+"\n"
+"\t\t# To proxy only part of the Kubernetes API and also some static files\n"
+"\t\t# You can get pods info with 'curl localhost:8001/api/v1/pods'\n"
+"\t\tkubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/\n"
+"\n"
+"\t\t# To proxy the entire Kubernetes API at a different root\n"
+"\t\t# You can get pods info with 'curl localhost:8001/custom/api/v1/pods'\n"
+"\t\tkubectl proxy --api-prefix=/custom/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on port 8011, serving static "
+"content from ./local/www/\n"
+"\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on an arbitrary local port\n"
+"\t\t# The chosen port for the server will be output to stdout\n"
+"\t\tkubectl proxy --port=0\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server, changing the API prefix to "
+"k8s-api\n"
+"\t\t# This makes e.g. the pods API available at localhost:8001/k8s-api/v1/"
+"pods/\n"
+"\t\tkubectl proxy --api-prefix=/k8s-api"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:80
+msgid ""
+"\n"
+"\t\t# Update node 'foo' with a taint with key 'dedicated' and value 'special-"
+"user' and effect 'NoSchedule'\n"
+"\t\t# If a taint with that key and effect already exists, its value is "
+"replaced as specified\n"
+"\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+"\n"
+"\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+"'NoSchedule' if one exists\n"
+"\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+"\n"
+"\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+"\t\tkubectl taint nodes foo dedicated-\n"
+"\n"
+"\t\t# Add a taint with key 'dedicated' on nodes having label mylabel=X\n"
+"\t\tkubectl taint node -l myLabel=X  dedicated=foo:PreferNoSchedule\n"
+"\n"
+"\t\t# Add to node 'foo' a taint with key 'bar' and no value\n"
+"\t\tkubectl taint nodes foo bar:NoSchedule"
+msgstr ""
+"\n"
+"\t\t# Update node 'foo' with a taint with key 'dedicated' and value 'special-"
+"user' and effect 'NoSchedule'\n"
+"\t\t# If a taint with that key and effect already exists, its value is "
+"replaced as specified\n"
+"\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+"\n"
+"\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+"'NoSchedule' if one exists\n"
+"\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+"\n"
+"\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+"\t\tkubectl taint nodes foo dedicated-\n"
+"\n"
+"\t\t# Add a taint with key 'dedicated' on nodes having label mylabel=X\n"
+"\t\tkubectl taint node -l myLabel=X  dedicated=foo:PreferNoSchedule\n"
+"\n"
+"\t\t# Add to node 'foo' a taint with key 'bar' and no value\n"
+"\t\tkubectl taint nodes foo bar:NoSchedule"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:95
+msgid ""
+"\n"
+"\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'\n"
+"\t\tkubectl label pods foo unhealthy=true\n"
+"\n"
+"\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+"overwriting any existing value\n"
+"\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+"\n"
+"\t\t# Update all pods in the namespace\n"
+"\t\tkubectl label pods --all status=unhealthy\n"
+"\n"
+"\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+"\t\tkubectl label -f pod.json status=unhealthy\n"
+"\n"
+"\t\t# Update pod 'foo' only if the resource is unchanged from version 1\n"
+"\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+"\n"
+"\t\t# Update pod 'foo' by removing a label named 'bar' if it exists\n"
+"\t\t# Does not require the --overwrite flag\n"
+"\t\tkubectl label pods foo bar-"
+msgstr ""
+"\n"
+"\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'\n"
+"\t\tkubectl label pods foo unhealthy=true\n"
+"\n"
+"\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+"overwriting any existing value\n"
+"\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+"\n"
+"\t\t# Update all pods in the namespace\n"
+"\t\tkubectl label pods --all status=unhealthy\n"
+"\n"
+"\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+"\t\tkubectl label -f pod.json status=unhealthy\n"
+"\n"
+"\t\t# Update pod 'foo' only if the resource is unchanged from version 1\n"
+"\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+"\n"
+"\t\t# Update pod 'foo' by removing a label named 'bar' if it exists\n"
+"\t\t# Does not require the --overwrite flag\n"
+"\t\tkubectl label pods foo bar-"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:53
+msgid ""
+"\n"
+"\t\t# View the last-applied-configuration annotations by type/name in YAML\n"
+"\t\tkubectl apply view-last-applied deployment/nginx\n"
+"\n"
+"\t\t# View the last-applied-configuration annotations by file in JSON\n"
+"\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+msgstr ""
+"\n"
+"\t\t# View the last-applied-configuration annotations by type/name in YAML\n"
+"\t\tkubectl apply view-last-applied deployment/nginx\n"
+"\n"
+"\t\t# View the last-applied-configuration annotations by file in JSON\n"
+"\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:61
+msgid ""
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to contain the status condition of type "
+"\"Ready\"\n"
+"\t\tkubectl wait --for=condition=Ready pod/busybox1\n"
+"\n"
+"\t\t# The default value of status condition is true; you can set it to "
+"false\n"
+"\t\tkubectl wait --for=condition=Ready=false pod/busybox1\n"
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to be deleted, with a timeout of 60s, "
+"after having issued the \"delete\" command\n"
+"\t\tkubectl delete pod/busybox1\n"
+"\t\tkubectl wait --for=delete pod/busybox1 --timeout=60s"
+msgstr ""
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to contain the status condition of type "
+"\"Ready\"\n"
+"\t\tkubectl wait --for=condition=Ready pod/busybox1\n"
+"\n"
+"\t\t# The default value of status condition is true; you can set it to "
+"false\n"
+"\t\tkubectl wait --for=condition=Ready=false pod/busybox1\n"
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to be deleted, with a timeout of 60s, "
+"after having issued the \"delete\" command\n"
+"\t\tkubectl delete pod/busybox1\n"
+"\t\tkubectl wait --for=delete pod/busybox1 --timeout=60s"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:110
+msgid ""
+"\n"
+"\t\tApply a configuration to a resource by file name or stdin.\n"
+"\t\tThe resource name must be specified. This resource will be created if it "
+"doesn't exist yet.\n"
+"\t\tTo use 'apply', always create the resource initially with either 'apply' "
+"or 'create --save-config'.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted.\n"
+"\n"
+"\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do not "
+"use unless you are aware of what the current state is. See https://issues."
+"k8s.io/34274."
+msgstr ""
+"\n"
+"\t\tApply a configuration to a resource by file name or stdin.\n"
+"\t\tThe resource name must be specified. This resource will be created if it "
+"doesn't exist yet.\n"
+"\t\tTo use 'apply', always create the resource initially with either 'apply' "
+"or 'create --save-config'.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted.\n"
+"\n"
+"\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do not "
+"use unless you are aware of what the current state is. See https://issues."
+"k8s.io/34274."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:126
+msgid ""
+"\n"
+"\t\tApprove a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate approve allows a cluster admin to approve a "
+"certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tissue a certificate to the requestor with the attributes requested in "
+"the CSR.\n"
+"\n"
+"\t\tSECURITY NOTICE: Depending on the requested attributes, the issued "
+"certificate\n"
+"\t\tcan potentially grant a requester access to cluster resources or to "
+"authenticate\n"
+"\t\tas a requested identity. Before approving a CSR, ensure you understand "
+"what the\n"
+"\t\tsigned certificate can do.\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tApprove a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate approve allows a cluster admin to approve a "
+"certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tissue a certificate to the requestor with the attributes requested in "
+"the CSR.\n"
+"\n"
+"\t\tSECURITY NOTICE: Depending on the requested attributes, the issued "
+"certificate\n"
+"\t\tcan potentially grant a requester access to cluster resources or to "
+"authenticate\n"
+"\t\tas a requested identity. Before approving a CSR, ensure you understand "
+"what the\n"
+"\t\tsigned certificate can do.\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:28
+msgid ""
+"\n"
+"\t\tConfigure application resources.\n"
+"\n"
+"\t\tThese commands help you make changes to existing application resources."
+msgstr ""
+"\n"
+"\t\tConfigure application resources.\n"
+"\n"
+"\t\tThese commands help you make changes to existing application resources."
+
+#: pkg/kubectl/cmd/convert/convert.go:40
+msgid ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+msgstr ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:41
+msgid ""
+"\n"
+"\t\tCreate a TLS secret from the given public/private key pair.\n"
+"\n"
+"\t\tThe public/private key pair must exist beforehand. The public key "
+"certificate must be .PEM encoded and match\n"
+"\t\tthe given private key."
+msgstr ""
+"\n"
+"\t\tCreate a TLS secret from the given public/private key pair.\n"
+"\n"
+"\t\tThe public/private key pair must exist beforehand. The public key "
+"certificate must be .PEM encoded and match\n"
+"\t\tthe given private key."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:41
+msgid ""
+"\n"
+"\t\tCreate a cluster role binding for a particular cluster role."
+msgstr ""
+"\n"
+"\t\tCreate a cluster role binding for a particular cluster role."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:38
+msgid ""
+"\n"
+"\t\tCreate a cluster role."
+msgstr ""
+"\n"
+"\t\tCreate a cluster role."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:46
+msgid ""
+"\n"
+"\t\tCreate a config map based on a file, directory, or specified literal "
+"value.\n"
+"\n"
+"\t\tA single config map may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a config map based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content.  If the basename is an invalid key, you may "
+"specify an alternate key.\n"
+"\n"
+"\t\tWhen creating a config map based on a directory, each file whose "
+"basename is a valid key in the directory will be\n"
+"\t\tpackaged into the config map.  Any directory entries except regular "
+"files are ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+msgstr ""
+"\n"
+"\t\tCreate a config map based on a file, directory, or specified literal "
+"value.\n"
+"\n"
+"\t\tA single config map may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a config map based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content.  If the basename is an invalid key, you may "
+"specify an alternate key.\n"
+"\n"
+"\t\tWhen creating a config map based on a directory, each file whose "
+"basename is a valid key in the directory will be\n"
+"\t\tpackaged into the config map.  Any directory entries except regular "
+"files are ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_cronjob.go:40
+msgid ""
+"\n"
+"\t\tCreate a cron job with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a cron job with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:40
+msgid ""
+"\n"
+"\t\tCreate a job with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a job with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:39
+msgid ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:41
+msgid ""
+"\n"
+"\t\tCreate a new secret for use with Docker registries.\n"
+"\n"
+"\t\tDockercfg secrets are used to authenticate against Docker registries.\n"
+"\n"
+"\t\tWhen using the Docker command line to push images, you can authenticate "
+"to a given registry by running:\n"
+"\t\t\t'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+"password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+"\n"
+"\tThat produces a ~/.dockercfg file that is used by subsequent 'docker push' "
+"and 'docker pull' commands to\n"
+"\t\tauthenticate to the registry. The email address is optional.\n"
+"\n"
+"\t\tWhen creating applications, you may have a Docker registry that requires "
+"authentication.  In order for the\n"
+"\t\tnodes to pull images on your behalf, they must have the credentials.  "
+"You can provide this information\n"
+"\t\tby creating a dockercfg secret and attaching it to your service account."
+msgstr ""
+"\n"
+"\t\tCreate a new secret for use with Docker registries.\n"
+"\n"
+"\t\tDockercfg secrets are used to authenticate against Docker registries.\n"
+"\n"
+"\t\tWhen using the Docker command line to push images, you can authenticate "
+"to a given registry by running:\n"
+"\t\t\t'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+"password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+"\n"
+"\tThat produces a ~/.dockercfg file that is used by subsequent 'docker push' "
+"and 'docker pull' commands to\n"
+"\t\tauthenticate to the registry. The email address is optional.\n"
+"\n"
+"\t\tWhen creating applications, you may have a Docker registry that requires "
+"authentication.  In order for the\n"
+"\t\tnodes to pull images on your behalf, they must have the credentials.  "
+"You can provide this information\n"
+"\t\tby creating a dockercfg secret and attaching it to your service account."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:41
+msgid ""
+"\n"
+"\t\tCreate a pod disruption budget with the specified name, selector, and "
+"desired minimum available pods."
+msgstr ""
+"\n"
+"\t\tCreate a pod disruption budget with the specified name, selector, and "
+"desired minimum available pods."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:40
+msgid ""
+"\n"
+"\t\tCreate a priority class with the specified name, value, globalDefault "
+"and description."
+msgstr ""
+"\n"
+"\t\tCreate a priority class with the specified name, value, globalDefault "
+"and description."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:71
+msgid ""
+"\n"
+"\t\tCreate a resource from a file or from stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+msgstr ""
+"\n"
+"\t\tCreate a resource from a file or from stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:41
+msgid ""
+"\n"
+"\t\tCreate a resource quota with the specified name, hard limits, and "
+"optional scopes."
+msgstr ""
+"\n"
+"\t\tCreate a resource quota with the specified name, hard limits, and "
+"optional scopes."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:40
+msgid ""
+"\n"
+"\t\tCreate a role binding for a particular role or cluster role."
+msgstr ""
+"\n"
+"\t\tCreate a role binding for a particular role or cluster role."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L47
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:43
+msgid ""
+"\n"
+"\t\tCreate a role with single rule."
+msgstr ""
+"\n"
+"\t\tCreate a role with single rule."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:61
+msgid ""
+"\n"
+"\t\tCreate a secret based on a file, directory, or specified literal value.\n"
+"\n"
+"\t\tA single secret may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a secret based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content. If the basename is an invalid key or you "
+"wish to chose your own, you may specify\n"
+"\t\tan alternate key.\n"
+"\n"
+"\t\tWhen creating a secret based on a directory, each file whose basename is "
+"a valid key in the directory will be\n"
+"\t\tpackaged into the secret. Any directory entries except regular files are "
+"ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+msgstr ""
+"\n"
+"\t\tCreate a secret based on a file, directory, or specified literal value.\n"
+"\n"
+"\t\tA single secret may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a secret based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content. If the basename is an invalid key or you "
+"wish to chose your own, you may specify\n"
+"\t\tan alternate key.\n"
+"\n"
+"\t\tWhen creating a secret based on a directory, each file whose basename is "
+"a valid key in the directory will be\n"
+"\t\tpackaged into the secret. Any directory entries except regular files are "
+"ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:40
+msgid ""
+"\n"
+"\t\tCreate a service account with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a service account with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:67
+msgid ""
+"\n"
+"\t\tCreates a proxy server or application-level gateway between localhost "
+"and\n"
+"\t\tthe Kubernetes API server. It also allows serving static content over "
+"specified\n"
+"\t\tHTTP path. All incoming data enters through one port and gets forwarded "
+"to\n"
+"\t\tthe remote Kubernetes API server port, except for the path matching the "
+"static content path."
+msgstr ""
+"\n"
+"\t\tCreates a proxy server or application-level gateway between localhost "
+"and\n"
+"\t\tthe Kubernetes API server. It also allows serving static content over "
+"specified\n"
+"\t\tHTTP path. All incoming data enters through one port and gets forwarded "
+"to\n"
+"\t\tthe remote Kubernetes API server port, except for the path matching the "
+"static content path."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:42
+msgid ""
+"\n"
+"\t\tCreates an autoscaler that automatically chooses and sets the number of "
+"pods that run in a Kubernetes cluster.\n"
+"\n"
+"\t\tLooks up a deployment, replica set, stateful set, or replication "
+"controller by name and creates an autoscaler that uses the given resource as "
+"a reference.\n"
+"\t\tAn autoscaler can automatically increase or decrease number of pods "
+"deployed within the system as needed."
+msgstr ""
+"\n"
+"\t\tCreates an autoscaler that automatically chooses and sets the number of "
+"pods that run in a Kubernetes cluster.\n"
+"\n"
+"\t\tLooks up a deployment, replica set, stateful set, or replication "
+"controller by name and creates an autoscaler that uses the given resource as "
+"a reference.\n"
+"\t\tAn autoscaler can automatically increase or decrease number of pods "
+"deployed within the system as needed."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:57
+msgid ""
+"\n"
+"\t\tDebug cluster resources using interactive debugging containers.\n"
+"\n"
+"\t\t'debug' provides automation for common debugging tasks for cluster "
+"objects identified by\n"
+"\t\tresource and name. Pods will be used by default if no resource is "
+"specified.\n"
+"\n"
+"\t\tThe action taken by 'debug' varies depending on what resource is "
+"specified. Supported\n"
+"\t\tactions include:\n"
+"\n"
+"\t\t* Workload: Create a copy of an existing pod with certain attributes "
+"changed,\n"
+"\t                for example changing the image tag to a new version.\n"
+"\t\t* Workload: Add an ephemeral container to an already running pod, for "
+"example to add\n"
+"\t\t            debugging utilities without restarting the pod.\n"
+"\t\t* Node: Create a new pod that runs in the node's host namespaces and can "
+"access\n"
+"\t\t        the node's filesystem.\n"
+msgstr ""
+"\n"
+"\t\tDebug cluster resources using interactive debugging containers.\n"
+"\n"
+"\t\t'debug' provides automation for common debugging tasks for cluster "
+"objects identified by\n"
+"\t\tresource and name. Pods will be used by default if no resource is "
+"specified.\n"
+"\n"
+"\t\tThe action taken by 'debug' varies depending on what resource is "
+"specified. Supported\n"
+"\t\tactions include:\n"
+"\n"
+"\t\t* Workload: Create a copy of an existing pod with certain attributes "
+"changed,\n"
+"\t                for example changing the image tag to a new version.\n"
+"\t\t* Workload: Add an ephemeral container to an already running pod, for "
+"example to add\n"
+"\t\t            debugging utilities without restarting the pod.\n"
+"\t\t* Node: Create a new pod that runs in the node's host namespaces and can "
+"access\n"
+"\t\t        the node's filesystem.\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:45
+msgid ""
+"\n"
+"\t\tDelete resources by file names, stdin, resources and names, or by "
+"resources and label selector.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. Only one type of argument may be "
+"specified: file names,\n"
+"\t\tresources and names, or resources and label selector.\n"
+"\n"
+"\t\tSome resources, such as pods, support graceful deletion. These resources "
+"define a default period\n"
+"\t\tbefore they are forcibly terminated (the grace period) but you may "
+"override that value with\n"
+"\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+"Because these resources often\n"
+"\t\trepresent entities in the cluster, deletion may not be acknowledged "
+"immediately. If the node\n"
+"\t\thosting a pod is down or cannot reach the API server, termination may "
+"take significantly longer\n"
+"\t\tthan the grace period. To force delete a resource, you must specify the "
+"--force flag.\n"
+"\t\tNote: only a subset of resources support graceful deletion. In absence "
+"of the support,\n"
+"\t\tthe --grace-period flag is ignored.\n"
+"\n"
+"\t\tIMPORTANT: Force deleting pods does not wait for confirmation that the "
+"pod's processes have been\n"
+"\t\tterminated, which can leave those processes running until the node "
+"detects the deletion and\n"
+"\t\tcompletes graceful deletion. If your processes use shared storage or "
+"talk to a remote API and\n"
+"\t\tdepend on the name of the pod to identify themselves, force deleting "
+"those pods may result in\n"
+"\t\tmultiple processes running on different machines using the same "
+"identification which may lead\n"
+"\t\tto data corruption or inconsistency. Only force delete pods when you are "
+"sure the pod is\n"
+"\t\tterminated, or if your application can tolerate multiple copies of the "
+"same pod running at once.\n"
+"\t\tAlso, if you force delete pods, the scheduler may place new pods on "
+"those nodes before the node\n"
+"\t\thas released those resources and causing those pods to be evicted "
+"immediately.\n"
+"\n"
+"\t\tNote that the delete command does NOT do resource version checks, so if "
+"someone submits an\n"
+"\t\tupdate to a resource right when you submit a delete, their update will "
+"be lost along with the\n"
+"\t\trest of the resource."
+msgstr ""
+"\n"
+"\t\tDelete resources by file names, stdin, resources and names, or by "
+"resources and label selector.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. Only one type of argument may be "
+"specified: file names,\n"
+"\t\tresources and names, or resources and label selector.\n"
+"\n"
+"\t\tSome resources, such as pods, support graceful deletion. These resources "
+"define a default period\n"
+"\t\tbefore they are forcibly terminated (the grace period) but you may "
+"override that value with\n"
+"\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+"Because these resources often\n"
+"\t\trepresent entities in the cluster, deletion may not be acknowledged "
+"immediately. If the node\n"
+"\t\thosting a pod is down or cannot reach the API server, termination may "
+"take significantly longer\n"
+"\t\tthan the grace period. To force delete a resource, you must specify the "
+"--force flag.\n"
+"\t\tNote: only a subset of resources support graceful deletion. In absence "
+"of the support,\n"
+"\t\tthe --grace-period flag is ignored.\n"
+"\n"
+"\t\tIMPORTANT: Force deleting pods does not wait for confirmation that the "
+"pod's processes have been\n"
+"\t\tterminated, which can leave those processes running until the node "
+"detects the deletion and\n"
+"\t\tcompletes graceful deletion. If your processes use shared storage or "
+"talk to a remote API and\n"
+"\t\tdepend on the name of the pod to identify themselves, force deleting "
+"those pods may result in\n"
+"\t\tmultiple processes running on different machines using the same "
+"identification which may lead\n"
+"\t\tto data corruption or inconsistency. Only force delete pods when you are "
+"sure the pod is\n"
+"\t\tterminated, or if your application can tolerate multiple copies of the "
+"same pod running at once.\n"
+"\t\tAlso, if you force delete pods, the scheduler may place new pods on "
+"those nodes before the node\n"
+"\t\thas released those resources and causing those pods to be evicted "
+"immediately.\n"
+"\n"
+"\t\tNote that the delete command does NOT do resource version checks, so if "
+"someone submits an\n"
+"\t\tupdate to a resource right when you submit a delete, their update will "
+"be lost along with the\n"
+"\t\trest of the resource."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:175
+msgid ""
+"\n"
+"\t\tDeny a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate deny allows a cluster admin to deny a certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tnot to issue a certificate to the requestor.\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tDeny a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate deny allows a cluster admin to deny a certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tnot to issue a certificate to the requestor.\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:53
+msgid ""
+"\n"
+"\t\tDiff configurations specified by file name or stdin between the current "
+"online\n"
+"\t\tconfiguration, and the configuration as it would be if applied.\n"
+"\n"
+"\t\tThe output is always YAML.\n"
+"\n"
+"\t\tKUBECTL_EXTERNAL_DIFF environment variable can be used to select your "
+"own\n"
+"\t\tdiff command. Users can use external commands with params too, example:\n"
+"\t\tKUBECTL_EXTERNAL_DIFF=\"colordiff -N -u\"\n"
+"\n"
+"\t\tBy default, the \"diff\" command available in your path will be\n"
+"\t\trun with the \"-u\" (unified diff) and \"-N\" (treat absent files as "
+"empty) options.\n"
+"\n"
+"\t\tExit status:\n"
+"\t\t 0\n"
+"\t\tNo differences were found.\n"
+"\t\t 1\n"
+"\t\tDifferences were found.\n"
+"\t\t >1\n"
+"\t\tKubectl or diff failed with an error.\n"
+"\n"
+"\t\tNote: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that "
+"convention."
+msgstr ""
+"\n"
+"\t\tDiff configurations specified by file name or stdin between the current "
+"online\n"
+"\t\tconfiguration, and the configuration as it would be if applied.\n"
+"\n"
+"\t\tThe output is always YAML.\n"
+"\n"
+"\t\tKUBECTL_EXTERNAL_DIFF environment variable can be used to select your "
+"own\n"
+"\t\tdiff command. Users can use external commands with params too, example:\n"
+"\t\tKUBECTL_EXTERNAL_DIFF=\"colordiff -N -u\"\n"
+"\n"
+"\t\tBy default, the \"diff\" command available in your path will be\n"
+"\t\trun with the \"-u\" (unified diff) and \"-N\" (treat absent files as "
+"empty) options.\n"
+"\n"
+"\t\tExit status:\n"
+"\t\t 0\n"
+"\t\tNo differences were found.\n"
+"\t\t 1\n"
+"\t\tDifferences were found.\n"
+"\t\t >1\n"
+"\t\tKubectl or diff failed with an error.\n"
+"\n"
+"\t\tNote: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that "
+"convention."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top.go:39
+msgid ""
+"\n"
+"\t\tDisplay Resource (CPU/Memory) usage.\n"
+"\n"
+"\t\tThe top command allows you to see the resource consumption for nodes or "
+"pods.\n"
+"\n"
+"\t\tThis command requires Metrics Server to be correctly configured and "
+"working on the server. "
+msgstr ""
+"\n"
+"\t\tDisplay Resource (CPU/Memory) usage.\n"
+"\n"
+"\t\tThe top command allows you to see the resource consumption for nodes or "
+"pods.\n"
+"\n"
+"\t\tThis command requires Metrics Server to be correctly configured and "
+"working on the server. "
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:54
+msgid ""
+"\n"
+"\t\tDisplay merged kubeconfig settings or a specified kubeconfig file.\n"
+"\n"
+"\t\tYou can use --output jsonpath={...} to extract specific values using a "
+"jsonpath expression."
+msgstr ""
+"\n"
+"\t\tDisplay merged kubeconfig settings or a specified kubeconfig file.\n"
+"\n"
+"\t\tYou can use --output jsonpath={...} to extract specific values using a "
+"jsonpath expression."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:92
+msgid ""
+"\n"
+"\t\tDisplay one or many resources.\n"
+"\n"
+"\t\tPrints a table of the most important information about the specified "
+"resources.\n"
+"\t\tYou can filter the list using a label selector and the --selector flag. "
+"If the\n"
+"\t\tdesired resource type is namespaced you will only see results in your "
+"current\n"
+"\t\tnamespace unless you pass --all-namespaces.\n"
+"\n"
+"\t\tUninitialized objects are not shown unless --include-uninitialized is "
+"passed.\n"
+"\n"
+"\t\tBy specifying the output as 'template' and providing a Go template as "
+"the value\n"
+"\t\tof the --template flag, you can filter the attributes of the fetched "
+"resources."
+msgstr ""
+"\n"
+"\t\tDisplay one or many resources.\n"
+"\n"
+"\t\tPrints a table of the most important information about the specified "
+"resources.\n"
+"\t\tYou can filter the list using a label selector and the --selector flag. "
+"If the\n"
+"\t\tdesired resource type is namespaced you will only see results in your "
+"current\n"
+"\t\tnamespace unless you pass --all-namespaces.\n"
+"\n"
+"\t\tUninitialized objects are not shown unless --include-uninitialized is "
+"passed.\n"
+"\n"
+"\t\tBy specifying the output as 'template' and providing a Go template as "
+"the value\n"
+"\t\tof the --template flag, you can filter the attributes of the fetched "
+"resources."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:57
+msgid ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of nodes.\n"
+"\n"
+"\t\tThe top-node command allows you to see the resource consumption of nodes."
+msgstr ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of nodes.\n"
+"\n"
+"\t\tThe top-node command allows you to see the resource consumption of nodes."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:67
+msgid ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of pods.\n"
+"\n"
+"\t\tThe 'top pod' command allows you to see the resource consumption of "
+"pods.\n"
+"\n"
+"\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+"minutes\n"
+"\t\tsince pod creation."
+msgstr ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of pods.\n"
+"\n"
+"\t\tThe 'top pod' command allows you to see the resource consumption of "
+"pods.\n"
+"\n"
+"\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+"minutes\n"
+"\t\tsince pod creation."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/current_context.go:37
+msgid ""
+"\n"
+"\t\tDisplay the current-context."
+msgstr ""
+"\n"
+"\t\tDisplay the current-context."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:113
+msgid ""
+"\n"
+"\t\tDrain node in preparation for maintenance.\n"
+"\n"
+"\t\tThe given node will be marked unschedulable to prevent new pods from "
+"arriving.\n"
+"\t\t'drain' evicts the pods if the API server supports\n"
+"\t\t[eviction](https://kubernetes.io/docs/concepts/workloads/pods/"
+"disruptions/). Otherwise, it will use normal\n"
+"\t\tDELETE to delete the pods.\n"
+"\t\tThe 'drain' evicts or deletes all pods except mirror pods (which cannot "
+"be deleted through\n"
+"\t\tthe API server).  If there are daemon set-managed pods, drain will not "
+"proceed\n"
+"\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+"\t\tdaemon set-managed pods, because those pods would be immediately "
+"replaced by the\n"
+"\t\tdaemon set controller, which ignores unschedulable markings.  If there "
+"are any\n"
+"\t\tpods that are neither mirror pods nor managed by a replication "
+"controller,\n"
+"\t\treplica set, daemon set, stateful set, or job, then drain will not "
+"delete any pods unless you\n"
+"\t\tuse --force.  --force will also allow deletion to proceed if the "
+"managing resource of one\n"
+"\t\tor more pods is missing.\n"
+"\n"
+"\t\t'drain' waits for graceful termination. You should not operate on the "
+"machine until\n"
+"\t\tthe command completes.\n"
+"\n"
+"\t\tWhen you are ready to put the node back into service, use kubectl "
+"uncordon, which\n"
+"\t\twill make the node schedulable again.\n"
+"\n"
+"\t\t![Workflow](https://kubernetes.io/images/docs/kubectl_drain.svg)"
+msgstr ""
+"\n"
+"\t\tDrain node in preparation for maintenance.\n"
+"\n"
+"\t\tThe given node will be marked unschedulable to prevent new pods from "
+"arriving.\n"
+"\t\t'drain' evicts the pods if the API server supports\n"
+"\t\t[eviction](https://kubernetes.io/docs/concepts/workloads/pods/"
+"disruptions/). Otherwise, it will use normal\n"
+"\t\tDELETE to delete the pods.\n"
+"\t\tThe 'drain' evicts or deletes all pods except mirror pods (which cannot "
+"be deleted through\n"
+"\t\tthe API server).  If there are daemon set-managed pods, drain will not "
+"proceed\n"
+"\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+"\t\tdaemon set-managed pods, because those pods would be immediately "
+"replaced by the\n"
+"\t\tdaemon set controller, which ignores unschedulable markings.  If there "
+"are any\n"
+"\t\tpods that are neither mirror pods nor managed by a replication "
+"controller,\n"
+"\t\treplica set, daemon set, stateful set, or job, then drain will not "
+"delete any pods unless you\n"
+"\t\tuse --force.  --force will also allow deletion to proceed if the "
+"managing resource of one\n"
+"\t\tor more pods is missing.\n"
+"\n"
+"\t\t'drain' waits for graceful termination. You should not operate on the "
+"machine until\n"
+"\t\tthe command completes.\n"
+"\n"
+"\t\tWhen you are ready to put the node back into service, use kubectl "
+"uncordon, which\n"
+"\t\twill make the node schedulable again.\n"
+"\n"
+"\t\t![Workflow](https://kubernetes.io/images/docs/kubectl_drain.svg)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:31
+msgid ""
+"\n"
+"\t\tEdit a resource from the default editor.\n"
+"\n"
+"\t\tThe edit command allows you to directly edit any API resource you can "
+"retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tEditing is done with the API version used to fetch the resource.\n"
+"\t\tTo edit using a specific API version, fully-qualify the resource, "
+"version, and group.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+msgstr ""
+"\n"
+"\t\tEdit a resource from the default editor.\n"
+"\n"
+"\t\tThe edit command allows you to directly edit any API resource you can "
+"retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tEditing is done with the API version used to fetch the resource.\n"
+"\t\tTo edit using a specific API version, fully-qualify the resource, "
+"version, and group.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_edit_last_applied.go:31
+msgid ""
+"\n"
+"\t\tEdit the latest last-applied-configuration annotations of resources from "
+"the default editor.\n"
+"\n"
+"\t\tThe edit-last-applied command allows you to directly edit any API "
+"resource you can retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+msgstr ""
+"\n"
+"\t\tEdit the latest last-applied-configuration annotations of resources from "
+"the default editor.\n"
+"\n"
+"\t\tThe edit-last-applied command allows you to directly edit any API "
+"resource you can retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:49
+msgid ""
+"\n"
+"\t\tExperimental: Wait for a specific condition on one or many resources.\n"
+"\n"
+"\t\tThe command takes multiple resources and waits until the specified "
+"condition\n"
+"\t\tis seen in the Status field of every given resource.\n"
+"\n"
+"\t\tAlternatively, the command can wait for the given set of resources to be "
+"deleted\n"
+"\t\tby providing the \"delete\" keyword as the value to the --for flag.\n"
+"\n"
+"\t\tA successful message will be printed to stdout indicating when the "
+"specified\n"
+"        condition has been met. You can use -o option to change to output "
+"destination."
+msgstr ""
+"\n"
+"\t\tExperimental: Wait for a specific condition on one or many resources.\n"
+"\n"
+"\t\tThe command takes multiple resources and waits until the specified "
+"condition\n"
+"\t\tis seen in the Status field of every given resource.\n"
+"\n"
+"\t\tAlternatively, the command can wait for the given set of resources to be "
+"deleted\n"
+"\t\tby providing the \"delete\" keyword as the value to the --for flag.\n"
+"\n"
+"\t\tA successful message will be printed to stdout indicating when the "
+"specified\n"
+"        condition has been met. You can use -o option to change to output "
+"destination."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:47
+msgid ""
+"\n"
+"\t\tExpose a resource as a new Kubernetes service.\n"
+"\n"
+"\t\tLooks up a deployment, service, replica set, replication controller or "
+"pod by name and uses the selector\n"
+"\t\tfor that resource as the selector for a new service on the specified "
+"port. A deployment or replica set\n"
+"\t\twill be exposed as a service only if its selector is convertible to a "
+"selector that service supports,\n"
+"\t\ti.e. when the selector contains only the matchLabels component. Note "
+"that if no port is specified via\n"
+"\t\t--port and the exposed resource has multiple ports, all will be re-used "
+"by the new service. Also if no\n"
+"\t\tlabels are specified, the new service will re-use the labels from the "
+"resource it exposes.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tExpose a resource as a new Kubernetes service.\n"
+"\n"
+"\t\tLooks up a deployment, service, replica set, replication controller or "
+"pod by name and uses the selector\n"
+"\t\tfor that resource as the selector for a new service on the specified "
+"port. A deployment or replica set\n"
+"\t\twill be exposed as a service only if its selector is convertible to a "
+"selector that service supports,\n"
+"\t\ti.e. when the selector contains only the matchLabels component. Note "
+"that if no port is specified via\n"
+"\t\t--port and the exposed resource has multiple ports, all will be re-used "
+"by the new service. Also if no\n"
+"\t\tlabels are specified, the new service will re-use the labels from the "
+"resource it exposes.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:46
+msgid ""
+"\n"
+"\t\tList all available plugin files on a user's PATH.\n"
+"\n"
+"\t\tAvailable plugin files are those that are:\n"
+"\t\t- executable\n"
+"\t\t- anywhere on the user's PATH\n"
+"\t\t- begin with \"kubectl-\"\n"
+msgstr ""
+"\n"
+"\t\tList all available plugin files on a user's PATH.\n"
+"\n"
+"\t\tAvailable plugin files are those that are:\n"
+"\t\t- executable\n"
+"\t\t- anywhere on the user's PATH\n"
+"\t\t- begin with \"kubectl-\"\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:35
+msgid ""
+"\n"
+"\t\tList the fields for supported resources.\n"
+"\n"
+"\t\tThis command describes the fields associated with each supported API "
+"resource.\n"
+"\t\tFields are identified via a simple JSONPath identifier:\n"
+"\n"
+"\t\t\t<type>.<fieldName>[.<fieldName>]\n"
+"\n"
+"\t\tAdd the --recursive flag to display all of the fields at once without "
+"descriptions.\n"
+"\t\tInformation about each field is retrieved from the server in OpenAPI "
+"format."
+msgstr ""
+"\n"
+"\t\tList the fields for supported resources.\n"
+"\n"
+"\t\tThis command describes the fields associated with each supported API "
+"resource.\n"
+"\t\tFields are identified via a simple JSONPath identifier:\n"
+"\n"
+"\t\t\t<type>.<fieldName>[.<fieldName>]\n"
+"\n"
+"\t\tAdd the --recursive flag to display all of the fields at once without "
+"descriptions.\n"
+"\t\tInformation about each field is retrieved from the server in OpenAPI "
+"format."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout.go:30
+msgid ""
+"\n"
+"\t\tManage the rollout of a resource."
+msgstr ""
+"\n"
+"\t\tManage the rollout of a resource."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L127
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:84
+msgid ""
+"\n"
+"\t\tMark node as schedulable."
+msgstr ""
+"\n"
+"\t\tMark node as schedulable."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:55
+msgid ""
+"\n"
+"\t\tMark node as unschedulable."
+msgstr ""
+"\n"
+"\t\tMark node as unschedulable."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:57
+msgid ""
+"\n"
+"\t\tMark the provided resource as paused.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller.\n"
+"\t\tUse \"kubectl rollout resume\" to resume a paused resource.\n"
+"\t\tCurrently only deployments support being paused."
+msgstr ""
+"\n"
+"\t\tMark the provided resource as paused.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller.\n"
+"\t\tUse \"kubectl rollout resume\" to resume a paused resource.\n"
+"\t\tCurrently only deployments support being paused."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:46
+msgid ""
+"\n"
+"\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+"\t\tThe shell code must be evaluated to provide interactive\n"
+"\t\tcompletion of kubectl commands.  This can be done by sourcing it from\n"
+"\t\tthe .bash_profile.\n"
+"\n"
+"\t\tDetailed instructions on how to do this are available here:\n"
+"\n"
+"        for macOS:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for linux:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for windows:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/"
+"#enable-shell-autocompletion\n"
+"\n"
+"\t\tNote for zsh users: [1] zsh completions are only supported in versions "
+"of zsh >= 5.2."
+msgstr ""
+"\n"
+"\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+"\t\tThe shell code must be evaluated to provide interactive\n"
+"\t\tcompletion of kubectl commands.  This can be done by sourcing it from\n"
+"\t\tthe .bash_profile.\n"
+"\n"
+"\t\tDetailed instructions on how to do this are available here:\n"
+"\n"
+"        for macOS:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for linux:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for windows:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/"
+"#enable-shell-autocompletion\n"
+"\n"
+"\t\tNote for zsh users: [1] zsh completions are only supported in versions "
+"of zsh >= 5.2."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:49
+msgid ""
+"\n"
+"\t\tPrint the logs for a container in a pod or specified resource. \n"
+"\t\tIf the pod has only one container, the container name is optional."
+msgstr ""
+"\n"
+"\t\tPrint the logs for a container in a pod or specified resource. \n"
+"\t\tIf the pod has only one container, the container name is optional."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:37
+msgid ""
+"\n"
+"\t\tProvides utilities for interacting with plugins.\n"
+"\n"
+"\t\tPlugins provide extended functionality that is not part of the major "
+"command-line distribution.\n"
+"\t\tPlease refer to the documentation and examples for more information "
+"about how write your own plugins.\n"
+"\n"
+"\t\tThe easiest way to discover and install plugins is via the kubernetes "
+"sub-project krew.\n"
+"\t\tTo install krew, visit [krew.sigs.k8s.io](https://krew.sigs.k8s.io/docs/"
+"user-guide/setup/install/)"
+msgstr ""
+"\n"
+"\t\tProvides utilities for interacting with plugins.\n"
+"\n"
+"\t\tPlugins provide extended functionality that is not part of the major "
+"command-line distribution.\n"
+"\t\tPlease refer to the documentation and examples for more information "
+"about how write your own plugins.\n"
+"\n"
+"\t\tThe easiest way to discover and install plugins is via the kubernetes "
+"sub-project krew.\n"
+"\t\tTo install krew, visit [krew.sigs.k8s.io](https://krew.sigs.k8s.io/docs/"
+"user-guide/setup/install/)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/rename_context.go:47
+msgid ""
+"\n"
+"\t\tRenames a context from the kubeconfig file.\n"
+"\n"
+"\t\tCONTEXT_NAME is the context name that you want to change.\n"
+"\n"
+"\t\tNEW_NAME is the new name you want to set.\n"
+"\n"
+"\t\tNote: If the context being renamed is the 'current-context', this field "
+"will also be updated."
+msgstr ""
+"\n"
+"\t\tRenames a context from the kubeconfig file.\n"
+"\n"
+"\t\tCONTEXT_NAME is the context name that you want to change.\n"
+"\n"
+"\t\tNEW_NAME is the new name you want to set.\n"
+"\n"
+"\t\tNote: If the context being renamed is the 'current-context', this field "
+"will also be updated."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:48
+msgid ""
+"\n"
+"\t\tReplace a resource by file name or stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. If replacing an existing resource, "
+"the\n"
+"\t\tcomplete resource spec must be provided. This can be obtained by\n"
+"\n"
+"\t\t    $ kubectl get TYPE NAME -o yaml"
+msgstr ""
+"\n"
+"\t\tReplace a resource by file name or stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. If replacing an existing resource, "
+"the\n"
+"\t\tcomplete resource spec must be provided. This can be obtained by\n"
+"\n"
+"\t\t    $ kubectl get TYPE NAME -o yaml"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_restart.go:57
+msgid ""
+"\n"
+"\t\tRestart a resource.\n"
+"\n"
+"\t        Resource rollout will be restarted."
+msgstr ""
+"\n"
+"\t\tRestart a resource.\n"
+"\n"
+"\t        Resource rollout will be restarted."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:58
+msgid ""
+"\n"
+"\t\tResume a paused resource.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller. By resuming a\n"
+"\t\tresource, we allow it to be reconciled again.\n"
+"\t\tCurrently only deployments support being resumed."
+msgstr ""
+"\n"
+"\t\tResume a paused resource.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller. By resuming a\n"
+"\t\tresource, we allow it to be reconciled again.\n"
+"\t\tCurrently only deployments support being resumed."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:55
+msgid ""
+"\n"
+"\t\tRoll back to a previous rollout."
+msgstr ""
+"\n"
+"\t\tRoll back to a previous rollout."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_cluster.go:47
+msgid ""
+"\n"
+"\t\tSet a cluster entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+msgstr ""
+"\n"
+"\t\tSet a cluster entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_context.go:44
+msgid ""
+"\n"
+"\t\tSet a context entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+msgstr ""
+"\n"
+"\t\tSet a context entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:40
+msgid ""
+"\n"
+"\t\tSet a new size for a deployment, replica set, replication controller, or "
+"stateful set.\n"
+"\n"
+"\t\tScale also allows users to specify one or more preconditions for the "
+"scale action.\n"
+"\n"
+"\t\tIf --current-replicas or --resource-version is specified, it is "
+"validated before the\n"
+"\t\tscale is attempted, and it is guaranteed that the precondition holds "
+"true when the\n"
+"\t\tscale is sent to the server."
+msgstr ""
+"\n"
+"\t\tSet a new size for a deployment, replica set, replication controller, or "
+"stateful set.\n"
+"\n"
+"\t\tScale also allows users to specify one or more preconditions for the "
+"scale action.\n"
+"\n"
+"\t\tIf --current-replicas or --resource-version is specified, it is "
+"validated before the\n"
+"\t\tscale is attempted, and it is guaranteed that the precondition holds "
+"true when the\n"
+"\t\tscale is sent to the server."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_authinfo.go:70
+#, c-format
+msgid ""
+"\n"
+"\t\tSet a user entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values.\n"
+"\n"
+"\t\t    Client-certificate flags:\n"
+"\t\t    --%v=certfile --%v=keyfile\n"
+"\n"
+"\t\t    Bearer token flags:\n"
+"\t\t\t  --%v=bearer_token\n"
+"\n"
+"\t\t    Basic auth flags:\n"
+"\t\t\t  --%v=basic_user --%v=basic_password\n"
+"\n"
+"\t\tBearer token and basic auth are mutually exclusive."
+msgstr ""
+"\n"
+"\t\tSet a user entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values.\n"
+"\n"
+"\t\t    Client-certificate flags:\n"
+"\t\t    --%v=certfile --%v=keyfile\n"
+"\n"
+"\t\t    Bearer token flags:\n"
+"\t\t\t  --%v=bearer_token\n"
+"\n"
+"\t\t    Basic auth flags:\n"
+"\t\t\t  --%v=basic_user --%v=basic_password\n"
+"\n"
+"\t\tBearer token and basic auth are mutually exclusive."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:70
+msgid ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+msgstr ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:67
+#, c-format
+msgid ""
+"\n"
+"\t\tSet the selector on a resource. Note that the new selector will "
+"overwrite the old selector if the resource had one prior to the invocation\n"
+"\t\tof 'set selector'.\n"
+"\n"
+"\t\tA selector must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\tIf --resource-version is specified, then updates will use this resource "
+"version, otherwise the existing resource-version will be used.\n"
+"        Note: currently selectors can only be set on Service objects."
+msgstr ""
+"\n"
+"\t\tSet the selector on a resource. Note that the new selector will "
+"overwrite the old selector if the resource had one prior to the invocation\n"
+"\t\tof 'set selector'.\n"
+"\n"
+"\t\tA selector must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\tIf --resource-version is specified, then updates will use this resource "
+"version, otherwise the existing resource-version will be used.\n"
+"        Note: currently selectors can only be set on Service objects."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:39
+msgid ""
+"\n"
+"\t\tShow details of a specific resource or group of resources.\n"
+"\n"
+"\t\tPrint a detailed description of the selected resources, including "
+"related resources such\n"
+"\t\tas events or controllers. You may select a single object by name, all "
+"objects of that\n"
+"\t\ttype, provide a name prefix, or label selector. For example:\n"
+"\n"
+"\t\t    $ kubectl describe TYPE NAME_PREFIX\n"
+"\n"
+"\t\twill first check for an exact match on TYPE and NAME_PREFIX. If no such "
+"resource\n"
+"\t\texists, it will output details for every resource that has a name "
+"prefixed with NAME_PREFIX."
+msgstr ""
+"\n"
+"\t\tShow details of a specific resource or group of resources.\n"
+"\n"
+"\t\tPrint a detailed description of the selected resources, including "
+"related resources such\n"
+"\t\tas events or controllers. You may select a single object by name, all "
+"objects of that\n"
+"\t\ttype, provide a name prefix, or label selector. For example:\n"
+"\n"
+"\t\t    $ kubectl describe TYPE NAME_PREFIX\n"
+"\n"
+"\t\twill first check for an exact match on TYPE and NAME_PREFIX. If no such "
+"resource\n"
+"\t\texists, it will output details for every resource that has a name "
+"prefixed with NAME_PREFIX."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:47
+msgid ""
+"\n"
+"\t\tShow the status of the rollout.\n"
+"\n"
+"\t\tBy default 'rollout status' will watch the status of the latest rollout\n"
+"\t\tuntil it's done. If you don't want to wait for the rollout to finish "
+"then\n"
+"\t\tyou can use --watch=false. Note that if a new rollout starts in-between, "
+"then\n"
+"\t\t'rollout status' will continue watching the latest revision. If you want "
+"to\n"
+"\t\tpin to a specific revision and abort if it is rolled over by another "
+"revision,\n"
+"\t\tuse --revision=N where N is the revision you need to watch for."
+msgstr ""
+"\n"
+"\t\tShow the status of the rollout.\n"
+"\n"
+"\t\tBy default 'rollout status' will watch the status of the latest rollout\n"
+"\t\tuntil it's done. If you don't want to wait for the rollout to finish "
+"then\n"
+"\t\tyou can use --watch=false. Note that if a new rollout starts in-between, "
+"then\n"
+"\t\t'rollout status' will continue watching the latest revision. If you want "
+"to\n"
+"\t\tpin to a specific revision and abort if it is rolled over by another "
+"revision,\n"
+"\t\tuse --revision=N where N is the revision you need to watch for."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:41
+#, c-format
+msgid ""
+"\n"
+"\t\tSpecify compute resource requirements (CPU, memory) for any resource "
+"that defines a pod template.  If a pod is successfully scheduled, it is "
+"guaranteed the amount of resource requested, but may burst up to its "
+"specified limits.\n"
+"\n"
+"\t\tFor each compute resource, if a limit is specified and a request is "
+"omitted, the request will default to the limit.\n"
+"\n"
+"\t\tPossible resources include (case insensitive): %s."
+msgstr ""
+"\n"
+"\t\tSpecify compute resource requirements (CPU, memory) for any resource "
+"that defines a pod template.  If a pod is successfully scheduled, it is "
+"guaranteed the amount of resource requested, but may burst up to its "
+"specified limits.\n"
+"\n"
+"\t\tFor each compute resource, if a limit is specified and a request is "
+"omitted, the request will default to the limit.\n"
+"\n"
+"\t\tPossible resources include (case insensitive): %s."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_env.go:50
+msgid ""
+"\n"
+"\t\tUpdate environment variables on a pod template.\n"
+"\n"
+"\t\tList environment variable definitions in one or more pods, pod "
+"templates.\n"
+"\t\tAdd, update, or remove container environment variable definitions in one "
+"or\n"
+"\t\tmore pod templates (within replication controllers or deployment "
+"configurations).\n"
+"\t\tView or modify the environment variable definitions on all containers in "
+"the\n"
+"\t\tspecified pods or pod templates, or just those that match a wildcard.\n"
+"\n"
+"\t\tIf \"--env -\" is passed, environment variables can be read from STDIN "
+"using the standard env\n"
+"\t\tsyntax.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tUpdate environment variables on a pod template.\n"
+"\n"
+"\t\tList environment variable definitions in one or more pods, pod "
+"templates.\n"
+"\t\tAdd, update, or remove container environment variable definitions in one "
+"or\n"
+"\t\tmore pod templates (within replication controllers or deployment "
+"configurations).\n"
+"\t\tView or modify the environment variable definitions on all containers in "
+"the\n"
+"\t\tspecified pods or pod templates, or just those that match a wildcard.\n"
+"\n"
+"\t\tIf \"--env -\" is passed, environment variables can be read from STDIN "
+"using the standard env\n"
+"\t\tsyntax.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:71
+msgid ""
+"\n"
+"\t\tUpdate existing container image(s) of resources.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+msgstr ""
+"\n"
+"\t\tUpdate existing container image(s) of resources.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:78
+msgid ""
+"\n"
+"\t\tUpdate fields of a resource using strategic merge patch, a JSON merge "
+"patch, or a JSON patch.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+msgstr ""
+"\n"
+"\t\tUpdate fields of a resource using strategic merge patch, a JSON merge "
+"patch, or a JSON patch.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:83
+msgid ""
+"\n"
+"\t\tUpdate the annotations on one or more resources.\n"
+"\n"
+"\t\tAll Kubernetes objects support the ability to store additional data with "
+"the object as\n"
+"\t\tannotations. Annotations are key/value pairs that can be larger than "
+"labels and include\n"
+"\t\tarbitrary string values such as structured JSON. Tools and system "
+"extensions may use\n"
+"\t\tannotations to store their own data.\n"
+"\n"
+"\t\tAttempting to set an annotation that already exists will fail unless --"
+"overwrite is set.\n"
+"\t\tIf --resource-version is specified and does not match the current "
+"resource version on\n"
+"\t\tthe server the command will fail."
+msgstr ""
+"\n"
+"\t\tUpdate the annotations on one or more resources.\n"
+"\n"
+"\t\tAll Kubernetes objects support the ability to store additional data with "
+"the object as\n"
+"\t\tannotations. Annotations are key/value pairs that can be larger than "
+"labels and include\n"
+"\t\tarbitrary string values such as structured JSON. Tools and system "
+"extensions may use\n"
+"\t\tannotations to store their own data.\n"
+"\n"
+"\t\tAttempting to set an annotation that already exists will fail unless --"
+"overwrite is set.\n"
+"\t\tIf --resource-version is specified and does not match the current "
+"resource version on\n"
+"\t\tthe server the command will fail."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:87
+#, c-format
+msgid ""
+"\n"
+"\t\tUpdate the labels on a resource.\n"
+"\n"
+"\t\t* A label key and value must begin with a letter or number, and may "
+"contain letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+"characters each.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* If --overwrite is true, then existing labels can be overwritten, "
+"otherwise attempting to overwrite a label will result in an error.\n"
+"\t\t* If --resource-version is specified, then updates will use this "
+"resource version, otherwise the existing resource-version will be used."
+msgstr ""
+"\n"
+"\t\tUpdate the labels on a resource.\n"
+"\n"
+"\t\t* A label key and value must begin with a letter or number, and may "
+"contain letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+"characters each.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* If --overwrite is true, then existing labels can be overwritten, "
+"otherwise attempting to overwrite a label will result in an error.\n"
+"\t\t* If --resource-version is specified, then updates will use this "
+"resource version, otherwise the existing resource-version will be used."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:70
+#, c-format
+msgid ""
+"\n"
+"\t\tUpdate the taints on one or more nodes.\n"
+"\n"
+"\t\t* A taint consists of a key, value, and effect. As an argument here, it "
+"is expressed as key=value:effect.\n"
+"\t\t* The key must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* The value is optional. If given, it must begin with a letter or "
+"number, and may contain letters, numbers, hyphens, dots, and underscores, up "
+"to %[2]d characters.\n"
+"\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+"\t\t* Currently taint can only apply to node."
+msgstr ""
+"\n"
+"\t\tUpdate the taints on one or more nodes.\n"
+"\n"
+"\t\t* A taint consists of a key, value, and effect. As an argument here, it "
+"is expressed as key=value:effect.\n"
+"\t\t* The key must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* The value is optional. If given, it must begin with a letter or "
+"number, and may contain letters, numbers, hyphens, dots, and underscores, up "
+"to %[2]d characters.\n"
+"\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+"\t\t* Currently taint can only apply to node."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:36
+msgid ""
+"\n"
+"\t\tView previous rollout revisions and configurations."
+msgstr ""
+"\n"
+"\t\tView previous rollout revisions and configurations."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:47
+msgid ""
+"\n"
+"\t\tView the latest last-applied-configuration annotations by type/name or "
+"file.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. You can use "
+"the -o option\n"
+"\t\tto change the output format."
+msgstr ""
+"\n"
+"\t\tView the latest last-applied-configuration annotations by type/name or "
+"file.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. You can use "
+"the -o option\n"
+"\t\tto change the output format."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:47
+msgid ""
+"\n"
+"\t  # Create a new TLS secret named tls-secret with the given key pair\n"
+"\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/"
+"to/tls.key"
+msgstr ""
+"\n"
+"\t  # Create a new TLS secret named tls-secret with the given key pair\n"
+"\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/"
+"to/tls.key"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:42
+msgid ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+msgstr ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:74
+msgid ""
+"\n"
+"\t  # Create a new secret named my-secret with keys for each file in folder "
+"bar\n"
+"\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+"\n"
+"\t  # Create a new secret named my-secret with specified keys instead of "
+"names on disk\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub\n"
+"\n"
+"\t  # Create a new secret named my-secret with key1=supersecret and "
+"key2=topsecret\n"
+"\t  kubectl create secret generic my-secret --from-literal=key1=supersecret "
+"--from-literal=key2=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret using a combination of a file and "
+"a literal\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-literal=passphrase=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret from an env file\n"
+"\t  kubectl create secret generic my-secret --from-env-file=path/to/bar.env"
+msgstr ""
+"\n"
+"\t  # Create a new secret named my-secret with keys for each file in folder "
+"bar\n"
+"\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+"\n"
+"\t  # Create a new secret named my-secret with specified keys instead of "
+"names on disk\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub\n"
+"\n"
+"\t  # Create a new secret named my-secret with key1=supersecret and "
+"key2=topsecret\n"
+"\t  kubectl create secret generic my-secret --from-literal=key1=supersecret "
+"--from-literal=key2=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret using a combination of a file and "
+"a literal\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-literal=passphrase=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret from an env file\n"
+"\t  kubectl create secret generic my-secret --from-env-file=path/to/bar.env"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:43
+msgid ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+msgstr ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:45
+msgid ""
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image\n"
+"\tkubectl create deployment my-dep --image=busybox\n"
+"\n"
+"\t# Create a deployment with a command\n"
+"\tkubectl create deployment my-dep --image=busybox -- date\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the nginx image with 3 "
+"replicas\n"
+"\tkubectl create deployment my-dep --image=nginx --replicas=3\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image and expose "
+"port 5701\n"
+"\tkubectl create deployment my-dep --image=busybox --port=5701"
+msgstr ""
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image\n"
+"\tkubectl create deployment my-dep --image=busybox\n"
+"\n"
+"\t# Create a deployment with a command\n"
+"\tkubectl create deployment my-dep --image=busybox -- date\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the nginx image with 3 "
+"replicas\n"
+"\tkubectl create deployment my-dep --image=nginx --replicas=3\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image and expose "
+"port 5701\n"
+"\tkubectl create deployment my-dep --image=busybox --port=5701"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:351
+msgid ""
+"\n"
+"\t# Create a new ExternalName service named my-ns\n"
+"\tkubectl create service externalname my-ns --external-name bar.com"
+msgstr ""
+"\n"
+"\t# Create a new ExternalName service named my-ns\n"
+"\tkubectl create service externalname my-ns --external-name bar.com"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:50
+msgid ""
+"\n"
+"\t# Set deployment nginx-deployment's service account to serviceaccount1\n"
+"\tkubectl set serviceaccount deployment nginx-deployment serviceaccount1\n"
+"\n"
+"\t# Print the result (in YAML format) of updated nginx deployment with the "
+"service account from local file, without hitting the API server\n"
+"\tkubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-"
+"run=client -o yaml\n"
+"\t"
+msgstr ""
+"\n"
+"\t# Set deployment nginx-deployment's service account to serviceaccount1\n"
+"\tkubectl set serviceaccount deployment nginx-deployment serviceaccount1\n"
+"\n"
+"\t# Print the result (in YAML format) of updated nginx deployment with the "
+"service account from local file, without hitting the API server\n"
+"\tkubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-"
+"run=client -o yaml\n"
+"\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:42
+msgid ""
+"\n"
+"\tCreate a deployment with the specified name."
+msgstr ""
+"\n"
+"\tCreate a deployment with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:344
+msgid ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+msgstr ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:61
+msgid ""
+"\n"
+"\tCreate an ingress with the specified name."
+msgstr ""
+"\n"
+"\tCreate an ingress with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:28
+msgid ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+msgstr ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set.go:44
+msgid ""
+"\n"
+"\tSet an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots.\n"
+"\n"
+"\tPROPERTY_VALUE is the new value you want to set. Binary fields such as "
+"'certificate-authority-data' expect a base64 encoded string unless the --set-"
+"raw-bytes flag is used.\n"
+"\n"
+"\tSpecifying an attribute name that already exists will merge new fields on "
+"top of existing values."
+msgstr ""
+"\n"
+"\tSet an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots.\n"
+"\n"
+"\tPROPERTY_VALUE is the new value you want to set. Binary fields such as "
+"'certificate-authority-data' expect a base64 encoded string unless the --set-"
+"raw-bytes flag is used.\n"
+"\n"
+"\tSpecifying an attribute name that already exists will merge new fields on "
+"top of existing values."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/unset.go:39
+msgid ""
+"\n"
+"\tUnset an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots."
+msgstr ""
+"\n"
+"\tUnset an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:43
+msgid ""
+"\n"
+"\tUpdate the service account of pod template resources.\n"
+"\n"
+"\tPossible resources (case insensitive) can be:\n"
+"\n"
+"\t"
+msgstr ""
+"\n"
+"\tUpdate the service account of pod template resources.\n"
+"\n"
+"\tPossible resources (case insensitive) can be:\n"
+"\n"
+"\t"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_subject.go:40
+msgid ""
+"\n"
+"\tUpdate the user, group, or service account in a role binding or cluster "
+"role binding."
+msgstr ""
+"\n"
+"\tUpdate the user, group, or service account in a role binding or cluster "
+"role binding."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:68
+msgid ""
+"\n"
+"  \tpod (po), replicationcontroller (rc), deployment (deploy), daemonset "
+"(ds), replicaset (rs)"
+msgstr ""
+"\n"
+"  \tpod (po), replicationcontroller (rc), deployment (deploy), daemonset "
+"(ds), replicaset (rs)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:63
+msgid ""
+"\n"
+"                Forward one or more local ports to a pod.\n"
+"\n"
+"                Use resource type/name such as deployment/mydeployment to "
+"select a pod. Resource type defaults to 'pod' if omitted.\n"
+"\n"
+"                If there are multiple pods matching the criteria, a pod will "
+"be selected automatically. The\n"
+"                forwarding session ends when the selected pod terminates, "
+"and a rerun of the command is needed\n"
+"                to resume forwarding."
+msgstr ""
+"\n"
+"                Forward one or more local ports to a pod.\n"
+"\n"
+"                Use resource type/name such as deployment/mydeployment to "
+"select a pod. Resource type defaults to 'pod' if omitted.\n"
+"\n"
+"                If there are multiple pods matching the criteria, a pod will "
+"be selected automatically. The\n"
+"                forwarding session ends when the selected pod terminates, "
+"and a rerun of the command is needed\n"
+"                to resume forwarding."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:233
+msgid ""
+"\n"
+"    # Create a new ClusterIP service named my-cs\n"
+"    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+"\n"
+"    # Create a new ClusterIP service named my-cs (in headless mode)\n"
+"    kubectl create service clusterip my-cs --clusterip=\"None\""
+msgstr ""
+"\n"
+"    # Create a new ClusterIP service named my-cs\n"
+"    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+"\n"
+"    # Create a new ClusterIP service named my-cs (in headless mode)\n"
+"    kubectl create service clusterip my-cs --clusterip=\"None\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:311
+msgid ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:274
+msgid ""
+"\n"
+"    # Create a new NodePort service named my-ns\n"
+"    kubectl create service nodeport my-ns --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # Create a new NodePort service named my-ns\n"
+"    kubectl create service nodeport my-ns --tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:102
+msgid ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+msgstr ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:95
+msgid ""
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend'\n"
+"    # If the same annotation is set multiple times, only the last value will "
+"be applied\n"
+"    kubectl annotate pods foo description='my frontend'\n"
+"\n"
+"    # Update a pod identified by type and name in \"pod.json\"\n"
+"    kubectl annotate -f pod.json description='my frontend'\n"
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend running nginx', overwriting any existing value\n"
+"    kubectl annotate --overwrite pods foo description='my frontend running "
+"nginx'\n"
+"\n"
+"    # Update all pods in the namespace\n"
+"    kubectl annotate pods --all description='my frontend running nginx'\n"
+"\n"
+"    # Update pod 'foo' only if the resource is unchanged from version 1\n"
+"    kubectl annotate pods foo description='my frontend running nginx' --"
+"resource-version=1\n"
+"\n"
+"    # Update pod 'foo' by removing an annotation named 'description' if it "
+"exists\n"
+"    # Does not require the --overwrite flag\n"
+"    kubectl annotate pods foo description-"
+msgstr ""
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend'\n"
+"    # If the same annotation is set multiple times, only the last value will "
+"be applied\n"
+"    kubectl annotate pods foo description='my frontend'\n"
+"\n"
+"    # Update a pod identified by type and name in \"pod.json\"\n"
+"    kubectl annotate -f pod.json description='my frontend'\n"
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend running nginx', overwriting any existing value\n"
+"    kubectl annotate --overwrite pods foo description='my frontend running "
+"nginx'\n"
+"\n"
+"    # Update all pods in the namespace\n"
+"    kubectl annotate pods --all description='my frontend running nginx'\n"
+"\n"
+"    # Update pod 'foo' only if the resource is unchanged from version 1\n"
+"    kubectl annotate pods foo description='my frontend running nginx' --"
+"resource-version=1\n"
+"\n"
+"    # Update pod 'foo' by removing an annotation named 'description' if it "
+"exists\n"
+"    # Does not require the --overwrite flag\n"
+"    kubectl annotate pods foo description-"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:230
+msgid ""
+"\n"
+"    Create a ClusterIP service with the specified name."
+msgstr ""
+"\n"
+"    Create a ClusterIP service with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:308
+msgid ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+msgstr ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:271
+msgid ""
+"\n"
+"    Create a NodePort service with the specified name."
+msgstr ""
+"\n"
+"    Create a NodePort service with the specified name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:93
+msgid ""
+"\n"
+"    Dump cluster information out suitable for debugging and diagnosing "
+"cluster problems.  By default, dumps everything to\n"
+"    stdout. You can optionally specify a directory with --output-directory.  "
+"If you specify a directory, Kubernetes will\n"
+"    build a set of files in that directory.  By default, only dumps things "
+"in the current namespace and 'kube-system' namespace, but you can\n"
+"    switch to a different namespace with the --namespaces flag, or specify --"
+"all-namespaces to dump all namespaces.\n"
+"\n"
+"    The command also dumps the logs of all of the pods in the cluster; these "
+"logs are dumped into different directories\n"
+"    based on namespace and pod name."
+msgstr ""
+"\n"
+"    Dump cluster information out suitable for debugging and diagnosing "
+"cluster problems.  By default, dumps everything to\n"
+"    stdout. You can optionally specify a directory with --output-directory.  "
+"If you specify a directory, Kubernetes will\n"
+"    build a set of files in that directory.  By default, only dumps things "
+"in the current namespace and 'kube-system' namespace, but you can\n"
+"    switch to a different namespace with the --namespaces flag, or specify --"
+"all-namespaces to dump all namespaces.\n"
+"\n"
+"    The command also dumps the logs of all of the pods in the cluster; these "
+"logs are dumped into different directories\n"
+"    based on namespace and pod name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:40
+msgid ""
+"\n"
+"  Display addresses of the control plane and services with label kubernetes."
+"io/cluster-service=true.\n"
+"  To further debug and diagnose cluster problems, use 'kubectl cluster-info "
+"dump'."
+msgstr ""
+"\n"
+"  Display addresses of the control plane and services with label kubernetes."
+"io/cluster-service=true.\n"
+"  To further debug and diagnose cluster problems, use 'kubectl cluster-info "
+"dump'."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:49
+msgid ""
+" environment variable is set, then it is used as a list of paths (normal "
+"path delimiting rules for your system). These paths are merged. When a value "
+"is modified, it is modified in the file that defines the stanza. When a "
+"value is created, it is created in the first file that exists. If no files "
+"in the chain exist, then it creates the last file in the list.\n"
+"\t\t\t3. Otherwise, "
+msgstr ""
+" environment variable is set, then it is used as a list of paths (normal "
+"path delimiting rules for your system). These paths are merged. When a value "
+"is modified, it is modified in the file that defines the stanza. When a "
+"value is created, it is created in the first file that exists. If no files "
+"in the chain exist, then it creates the last file in the list.\n"
+"\t\t\t3. Otherwise, "
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:48
+msgid ""
+" flag is set, then only that file is loaded. The flag may only be set once "
+"and no merging takes place.\n"
+"\t\t\t2. If $"
+msgstr ""
+" flag is set, then only that file is loaded. The flag may only be set once "
+"and no merging takes place.\n"
+"\t\t\t2. If $"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:50
+msgid " is used and no merging takes place."
+msgstr " is used and no merging takes place."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L61
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:107
+msgid ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+msgstr ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L60
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:106
+msgid ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+msgstr ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L63
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:113
+msgid ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+msgstr ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L106
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:152
+msgid ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+msgstr ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L111
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:157
+msgid ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+msgstr ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:178
+msgid "Allocate a TTY for the debugging container."
+msgstr "Allocate a TTY for the debugging container."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L119
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:158
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:178
+msgid ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+msgstr ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:173
+msgid "Annotations to apply to the pod."
+msgstr "Annotations to apply to the pod."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:173
+msgid "Apply a configuration to a resource by file name or stdin"
+msgstr "Apply a configuration to a resource by file name or stdin"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:125
+msgid "Approve a certificate signing request"
+msgstr "Approve a certificate signing request"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L81
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:263
+msgid ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+msgstr ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:106
+msgid ""
+"Attach to a process that is already running inside an existing container."
+msgstr ""
+"Attach to a process that is already running inside an existing container."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/attach.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:105
+msgid "Attach to a running container"
+msgstr "Attach to a running container"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:107
+msgid ""
+"Auto-scale a deployment, replica set, stateful set, or replication controller"
+msgstr ""
+"Auto-scale a deployment, replica set, stateful set, or replication controller"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L115
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:161
+msgid ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+msgstr ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_clusterrolebinding.go#L55
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:101
+msgid "ClusterRole this ClusterRoleBinding should reference"
+msgstr "ClusterRole this ClusterRoleBinding should reference"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L55
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:104
+msgid "ClusterRole this RoleBinding should reference"
+msgstr "ClusterRole this RoleBinding should reference"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:32
+msgid "Commands for features in alpha"
+msgstr "Commands for features in alpha"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:170
+msgid "Container image to use for debug container."
+msgstr "Container image to use for debug container."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:166
+msgid "Container name to use for debug container."
+msgstr "Container name to use for debug container."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/convert.go#L67
+#: pkg/kubectl/cmd/convert/convert.go:95
+msgid "Convert config files between different API versions"
+msgstr "Convert config files between different API versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:105
+msgid "Copy files and directories to and from containers"
+msgstr "Copy files and directories to and from containers"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:106
+msgid "Copy files and directories to and from containers."
+msgstr "Copy files and directories to and from containers."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:248
+msgid "Create a ClusterIP service"
+msgstr "Create a ClusterIP service"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:323
+msgid "Create a LoadBalancer service"
+msgstr "Create a LoadBalancer service"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:286
+msgid "Create a NodePort service"
+msgstr "Create a NodePort service"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L214
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:94
+msgid "Create a TLS secret"
+msgstr "Create a TLS secret"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:81
+msgid "Create a cluster role"
+msgstr "Create a cluster role"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:87
+msgid "Create a cluster role binding for a particular cluster role"
+msgstr "Create a cluster role binding for a particular cluster role"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:124
+msgid "Create a config map from a local file, directory or literal value"
+msgstr "Create a config map from a local file, directory or literal value"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:167
+msgid "Create a copy of the target Pod with this name."
+msgstr "Create a copy of the target Pod with this name."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_cronjob.go:90
+msgid "Create a cron job with the specified name"
+msgstr "Create a cron job with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:100
+msgid "Create a deployment with the specified name"
+msgstr "Create a deployment with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:91
+msgid "Create a job with the specified name"
+msgstr "Create a job with the specified name"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:83
+msgid "Create a namespace with the specified name"
+msgstr "Create a namespace with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:95
+msgid "Create a pod disruption budget with the specified name"
+msgstr "Create a pod disruption budget with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:92
+msgid "Create a priority class with the specified name"
+msgstr "Create a priority class with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:91
+msgid "Create a quota with the specified name"
+msgstr "Create a quota with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:106
+msgid "Create a resource from a file or from stdin"
+msgstr "Create a resource from a file or from stdin"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:89
+msgid "Create a role binding for a particular role or cluster role"
+msgstr "Create a role binding for a particular role or cluster role"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:161
+msgid "Create a role with single rule"
+msgstr "Create a role with single rule"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L143
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:134
+msgid "Create a secret for use with a Docker registry"
+msgstr "Create a secret for use with a Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:137
+msgid "Create a secret from a local file, directory, or literal value"
+msgstr "Create a secret from a local file, directory, or literal value"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L34
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:49
+msgid "Create a secret using specified subcommand"
+msgstr "Create a secret using specified subcommand"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:50
+msgid "Create a secret using specified subcommand."
+msgstr "Create a secret using specified subcommand."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:85
+msgid "Create a service account with the specified name"
+msgstr "Create a service account with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:48
+msgid "Create a service using a specified subcommand"
+msgstr "Create a service using a specified subcommand"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:49
+msgid "Create a service using a specified subcommand."
+msgstr "Create a service using a specified subcommand."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:363
+msgid "Create an ExternalName service"
+msgstr "Create an ExternalName service"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:145
+msgid "Create an ingress with the specified name"
+msgstr "Create an ingress with the specified name"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:60
+msgid "Create and run a particular image in a pod."
+msgstr "Create and run a particular image in a pod."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:149
+msgid "Create debugging sessions for troubleshooting workloads and nodes"
+msgstr "Create debugging sessions for troubleshooting workloads and nodes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:137
+msgid ""
+"Delete resources by file names, stdin, resources and names, or by resources "
+"and label selector"
+msgstr ""
+"Delete resources by file names, stdin, resources and names, or by resources "
+"and label selector"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_cluster.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "Delete the specified cluster from the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:43
+msgid "Delete the specified cluster from the kubeconfig."
+msgstr "Delete the specified cluster from the kubeconfig."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_context.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "Delete the specified context from the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:43
+msgid "Delete the specified context from the kubeconfig."
+msgstr "Delete the specified context from the kubeconfig."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_user.go:64
+msgid "Delete the specified user from the kubeconfig"
+msgstr "Delete the specified user from the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_user.go:65
+msgid "Delete the specified user from the kubeconfig."
+msgstr "Delete the specified user from the kubeconfig."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L121
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:174
+msgid "Deny a certificate signing request"
+msgstr "Deny a certificate signing request"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_contexts.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "Describe one or many contexts"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:142
+msgid "Diff the live version against a would-be applied version"
+msgstr "Diff the live version against a would-be applied version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:65
+msgid "Display cluster information"
+msgstr "Display cluster information"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_clusters.go#L40
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "Display clusters defined in the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:42
+msgid "Display clusters defined in the kubeconfig."
+msgstr "Display clusters defined in the kubeconfig."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/view.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr "Display merged kubeconfig settings or a specified kubeconfig file"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:50
+msgid "Display one or many contexts from the kubeconfig file."
+msgstr "Display one or many contexts from the kubeconfig file."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/get.go#L107
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:165
+msgid "Display one or many resources"
+msgstr "Display one or many resources"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top.go:50
+msgid "Display resource (CPU/memory) usage"
+msgstr "Display resource (CPU/memory) usage"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:81
+msgid "Display resource (CPU/memory) usage of nodes"
+msgstr "Display resource (CPU/memory) usage of nodes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:100
+msgid "Display resource (CPU/memory) usage of pods"
+msgstr "Display resource (CPU/memory) usage of pods"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/current_context.go:51
+msgid "Display the current-context"
+msgstr "Display the current-context"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_users.go:60
+msgid "Display users defined in the kubeconfig"
+msgstr "Display users defined in the kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_users.go:61
+msgid "Display users defined in the kubeconfig."
+msgstr "Display users defined in the kubeconfig."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L176
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:184
+msgid "Drain node in preparation for maintenance"
+msgstr "Drain node in preparation for maintenance"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:74
+msgid "Dump relevant information for debugging and diagnosis"
+msgstr "Dump relevant information for debugging and diagnosis"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/edit.go#L100
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:77
+msgid "Edit a resource on the server"
+msgstr "Edit a resource on the server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_edit_last_applied.go:67
+msgid "Edit latest last-applied-configuration annotations of a resource/object"
+msgstr ""
+"Edit latest last-applied-configuration annotations of a resource/object"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L159
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:152
+msgid "Email for Docker registry"
+msgstr "Email for Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:169
+msgid "Environment variables to set in the container."
+msgstr "Environment variables to set in the container."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/exec.go#L68
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:89
+msgid "Execute a command in a container"
+msgstr "Execute a command in a container"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:90
+msgid "Execute a command in a container."
+msgstr "Execute a command in a container."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:115
+msgid "Experimental: Wait for a specific condition on one or many resources"
+msgstr "Experimental: Wait for a specific condition on one or many resources"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:378
+msgid "External name of service"
+msgstr "External name of service"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/portforward.go#L75
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:109
+msgid "Forward one or more local ports to a pod"
+msgstr "Forward one or more local ports to a pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:79
+msgid "Get documentation for a resource"
+msgstr "Get documentation for a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/help.go#L36
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:37
+msgid "Help about any command"
+msgstr "Help about any command"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:151
+msgid ""
+"IP to assign to the LoadBalancer. If empty, an ephemeral IP will be created "
+"and used (cloud-provider specific)."
+msgstr ""
+"IP to assign to the LoadBalancer. If empty, an ephemeral IP will be created "
+"and used (cloud-provider specific)."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L114
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:160
+msgid ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+msgstr ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/annotate.go#L135
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:157
+msgid ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/label.go#L132
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:154
+msgid ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:164
+msgid ""
+"If specified, everything after -- will be passed to the new container as "
+"Args instead of Command."
+msgstr ""
+"If specified, everything after -- will be passed to the new container as "
+"Args instead of Command."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:198
+msgid "If true, run the container in privileged mode."
+msgstr "If true, run the container in privileged mode."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:174
+msgid "If true, suppress informational messages."
+msgstr "If true, suppress informational messages."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:165
+msgid ""
+"If true, wait for the container to start running, and then attach as if "
+"'kubectl attach ...' were called.  Default false, unless '-i/--stdin' is "
+"set, in which case the default is true."
+msgstr ""
+"If true, wait for the container to start running, and then attach as if "
+"'kubectl attach ...' were called.  Default false, unless '-i/--stdin' is "
+"set, in which case the default is true."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:173
+msgid ""
+"Keep stdin open on the container(s) in the pod, even if nothing is attached."
+msgstr ""
+"Keep stdin open on the container(s) in the pod, even if nothing is attached."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:90
+msgid "List all visible plugin executables on a user's PATH"
+msgstr "List all visible plugin executables on a user's PATH"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout.go:54
+msgid "Manage the rollout of a resource"
+msgstr "Manage the rollout of a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L127
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:98
+msgid "Mark node as schedulable"
+msgstr "Mark node as schedulable"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:69
+msgid "Mark node as unschedulable"
+msgstr "Mark node as unschedulable"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_pause.go#L73
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:83
+msgid "Mark the provided resource as paused"
+msgstr "Mark the provided resource as paused"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L35
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:49
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:50
+msgid "Modify certificate resources."
+msgstr "Modify certificate resources."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/config.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "Modify kubeconfig files"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L110
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:156
+msgid ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+msgstr ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:43
+msgid "No alpha commands are available in this version of kubectl"
+msgstr "No alpha commands are available in this version of kubectl"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/logs.go#L108
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:174
+msgid ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+msgstr ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/completion.go#L97
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:112
+msgid "Output shell completion code for the specified shell (bash or zsh)"
+msgstr "Output shell completion code for the specified shell (bash or zsh)"
+
+#: pkg/kubectl/cmd/convert/convert.go:105
+msgid ""
+"Output the formatted object with the given group version (for ex: "
+"'extensions/v1beta1')."
+msgstr ""
+"Output the formatted object with the given group version (for ex: "
+"'extensions/v1beta1')."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L157
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:151
+msgid "Password for Docker registry authentication"
+msgstr "Password for Docker registry authentication"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L226
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:110
+msgid "Path to PEM encoded public key certificate."
+msgstr "Path to PEM encoded public key certificate."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L227
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:111
+msgid "Path to private key associated with given certificate."
+msgstr "Path to private key associated with given certificate."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/scale.go#L82
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:130
+msgid ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+msgstr ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/version.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:73
+msgid "Print the client and server version information"
+msgstr "Print the client and server version information"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:74
+msgid ""
+"Print the client and server version information for the current context."
+msgstr ""
+"Print the client and server version information for the current context."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/options.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:38
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:39
+msgid "Print the list of flags inherited by all commands"
+msgstr "Print the list of flags inherited by all commands"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/logs.go#L86
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:152
+msgid "Print the logs for a container in a pod"
+msgstr "Print the logs for a container in a pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources.go:97
+msgid "Print the supported API resources on the server"
+msgstr "Print the supported API resources on the server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources.go:98
+msgid "Print the supported API resources on the server."
+msgstr "Print the supported API resources on the server."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:58
+msgid ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\""
+msgstr ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:59
+msgid ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\"."
+msgstr ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\"."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:62
+msgid "Provides utilities for interacting with plugins"
+msgstr "Provides utilities for interacting with plugins"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/rename_context.go:45
+msgid "Rename a context from the kubeconfig file"
+msgstr "Rename a context from the kubeconfig file"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:115
+msgid "Replace a resource by file name or stdin"
+msgstr "Replace a resource by file name or stdin"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_restart.go:87
+msgid "Restart a resource"
+msgstr "Restart a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_resume.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:87
+msgid "Resume a paused resource"
+msgstr "Resume a paused resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L56
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:105
+msgid "Role this RoleBinding should reference"
+msgstr "Role this RoleBinding should reference"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L94
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:152
+msgid "Run a particular image on the cluster"
+msgstr "Run a particular image on the cluster"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/proxy.go#L68
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:119
+msgid "Run a proxy to the Kubernetes API server"
+msgstr "Run a proxy to the Kubernetes API server"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L161
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:153
+msgid "Server location for Docker registry"
+msgstr "Server location for Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_cluster.go:73
+msgid "Set a cluster entry in kubeconfig"
+msgstr "Set a cluster entry in kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_context.go:61
+msgid "Set a context entry in kubeconfig"
+msgstr "Set a context entry in kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:114
+msgid "Set a new size for a deployment, replica set, or replication controller"
+msgstr ""
+"Set a new size for a deployment, replica set, or replication controller"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/create_authinfo.go:152
+msgid "Set a user entry in kubeconfig"
+msgstr "Set a user entry in kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set.go:74
+msgid "Set an individual value in a kubeconfig file"
+msgstr "Set an individual value in a kubeconfig file"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:39
+msgid "Set specific features on objects"
+msgstr "Set specific features on objects"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/use_context.go:52
+msgid "Set the current-context in a kubeconfig file"
+msgstr "Set the current-context in a kubeconfig file"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:101
+msgid ""
+"Set the last-applied-configuration annotation on a live object to match the "
+"contents of a file"
+msgstr ""
+"Set the last-applied-configuration annotation on a live object to match the "
+"contents of a file"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_selector.go#L81
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:104
+msgid "Set the selector on a resource"
+msgstr "Set the selector on a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/describe.go#L80
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:107
+msgid "Show details of a specific resource or group of resources"
+msgstr "Show details of a specific resource or group of resources"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_status.go#L57
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:102
+msgid "Show the status of the rollout"
+msgstr "Show the status of the rollout"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L108
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:154
+msgid "Synonym for --target-port"
+msgstr "Synonym for --target-port"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:134
+msgid ""
+"Take a replication controller, service, deployment or pod and expose it as a "
+"new Kubernetes service"
+msgstr ""
+"Take a replication controller, service, deployment or pod and expose it as a "
+"new Kubernetes service"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L114
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:174
+msgid "The image for the container to run."
+msgstr "The image for the container to run."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L116
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:176
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+msgstr ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:172
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server."
+msgstr ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:112
+msgid ""
+"The maximum number or percentage of unavailable pods this budget requires."
+msgstr ""
+"The maximum number or percentage of unavailable pods this budget requires."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:111
+msgid ""
+"The minimum number or percentage of available pods this budget requires."
+msgstr ""
+"The minimum number or percentage of available pods this budget requires."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L113
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:159
+msgid "The name for the newly created object."
+msgstr "The name for the newly created object."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/autoscale.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:125
+msgid ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+msgstr ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L98
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:147
+msgid ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+msgstr ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L99
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:148
+msgid "The network protocol for the service to be created. Default is 'TCP'."
+msgstr "The network protocol for the service to be created. Default is 'TCP'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L100
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:149
+msgid ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+msgstr ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:182
+msgid "The port that this container exposes."
+msgstr "The port that this container exposes."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L131
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:194
+msgid ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+msgstr ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L130
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:192
+msgid ""
+"The resource requirement requests for this container.  For example, "
+"'cpu=100m,memory=256Mi'.  Note that server side components may assign "
+"requests depending on the server configuration, such as limit ranges."
+msgstr ""
+"The resource requirement requests for this container.  For example, "
+"'cpu=100m,memory=256Mi'.  Note that server side components may assign "
+"requests depending on the server configuration, such as limit ranges."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:190
+msgid ""
+"The restart policy for this Pod.  Legal values [Always, OnFailure, Never]."
+msgstr ""
+"The restart policy for this Pod.  Legal values [Always, OnFailure, Never]."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L87
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:155
+msgid "The type of secret to create"
+msgstr "The type of secret to create"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:33
+msgid ""
+"These commands correspond to alpha features that are not enabled in "
+"Kubernetes clusters by default."
+msgstr ""
+"These commands correspond to alpha features that are not enabled in "
+"Kubernetes clusters by default."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:150
+msgid ""
+"Type for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. "
+"Default is 'ClusterIP'."
+msgstr ""
+"Type for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. "
+"Default is 'ClusterIP'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_undo.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:87
+msgid "Undo a previous rollout"
+msgstr "Undo a previous rollout"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/unset.go:59
+msgid "Unset an individual value in a kubeconfig file"
+msgstr "Unset an individual value in a kubeconfig file"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_env.go:154
+msgid "Update environment variables on a pod template"
+msgstr "Update environment variables on a pod template"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:115
+msgid "Update fields of a resource"
+msgstr "Update fields of a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_resources.go#L101
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:116
+msgid "Update resource requests/limits on objects with pod templates"
+msgstr "Update resource requests/limits on objects with pod templates"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "Update the annotations on a resource"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:110
+msgid "Update the image of a pod template"
+msgstr "Update the image of a pod template"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/label.go#L109
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:133
+msgid "Update the labels on a resource"
+msgstr "Update the labels on a resource"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:102
+msgid "Update the service account of a resource"
+msgstr "Update the service account of a resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/taint.go#L88
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:109
+msgid "Update the taints on one or more nodes"
+msgstr "Update the taints on one or more nodes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_subject.go:99
+msgid ""
+"Update the user, group, or service account in a role binding or cluster role "
+"binding"
+msgstr ""
+"Update the user, group, or service account in a role binding or cluster role "
+"binding"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L155
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:150
+msgid "Username for Docker registry authentication"
+msgstr "Username for Docker registry authentication"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_history.go#L51
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:83
+msgid "View rollout history"
+msgstr "View rollout history"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:77
+msgid ""
+"View the latest last-applied-configuration annotations of a resource/object"
+msgstr ""
+"View the latest last-applied-configuration annotations of a resource/object"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:171
+msgid ""
+"When used with '--copy-to', a list of name=image pairs for changing "
+"container images, similar to how 'kubectl set image' works."
+msgstr ""
+"When used with '--copy-to', a list of name=image pairs for changing "
+"container images, similar to how 'kubectl set image' works."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:168
+msgid "When used with '--copy-to', delete the original Pod."
+msgstr "When used with '--copy-to', delete the original Pod."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:176
+msgid ""
+"When used with '--copy-to', enable process namespace sharing in the copy."
+msgstr ""
+"When used with '--copy-to', enable process namespace sharing in the copy."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:175
+msgid ""
+"When used with '--copy-to', schedule the copy of target Pod on the same node."
+msgstr ""
+"When used with '--copy-to', schedule the copy of target Pod on the same node."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:177
+msgid ""
+"When using an ephemeral container, target processes in this container name."
+msgstr ""
+"When using an ephemeral container, target processes in this container name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/clusterinfo_dump.go#L45
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:85
+msgid ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+msgstr ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:108
+msgid ""
+"description is an arbitrary string that usually provides guidelines on when "
+"this priority class should be used."
+msgstr ""
+"description is an arbitrary string that usually provides guidelines on when "
+"this priority class should be used."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run_test.go:88
+msgid "dummy restart flag)"
+msgstr "dummy restart flag)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:107
+msgid ""
+"global-default specifies whether this PriorityClass should be considered as "
+"the default priority."
+msgstr ""
+"global-default specifies whether this PriorityClass should be considered as "
+"the default priority."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cmd.go#L217
+#: staging/src/k8s.io/kubectl/pkg/cmd/cmd.go:227
+msgid "kubectl controls the Kubernetes cluster manager"
+msgstr "kubectl controls the Kubernetes cluster manager"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:45
+msgid ""
+"pod (po), service (svc), replicationcontroller (rc), deployment (deploy), "
+"replicaset (rs)"
+msgstr ""
+"pod (po), service (svc), replicationcontroller (rc), deployment (deploy), "
+"replicaset (rs)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:109
+msgid ""
+"preemption-policy is the policy for preempting pods with lower priority."
+msgstr ""
+"preemption-policy is the policy for preempting pods with lower priority."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:41
+msgid ""
+"replicationcontroller (rc), deployment (deploy), daemonset (ds), job, "
+"replicaset (rs), statefulset"
+msgstr ""
+"replicationcontroller (rc), deployment (deploy), daemonset (ds), job, "
+"replicaset (rs), statefulset"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:106
+msgid "the value of this priority class."
+msgstr "the value of this priority class."
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/fr_FR/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/fr_FR/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..5a22e42887
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/fr_FR/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/fr_FR/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/fr_FR/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..78b601a372
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/fr_FR/LC_MESSAGES/k8s.po
@@ -0,0 +1,103 @@
+# Test translations for unit tests.
+# Copyright (C) 2016
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR brendan.d.burns@gmail.com, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gettext-go-examples-hello\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2017-01-29 22:54-0800\n"
+"Last-Translator: Brendan Burns <brendan.d.burns@gmail.com>\n"
+"Language-Team: \n"
+"Language: fr\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.6.10\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_cluster.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "Supprimer le cluster spécifié du kubeconfig"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_context.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "Supprimer le contexte spécifié du kubeconfig"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_contexts.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "Décrire un ou plusieurs contextes"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_clusters.go#L40
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "Afficher les cluster définis dans kubeconfig"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/view.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr ""
+"Afficher les paramètres fusionnés de kubeconfig ou d'un fichier kubeconfig "
+"spécifié"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/config.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "Modifier des fichiers kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "Mettre à jour les annotations d'une ressource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/apply.go#L98
+#~ msgid "Apply a configuration to a resource by filename or stdin"
+#~ msgstr ""
+#~ "Appliquer une configuration à une ressource par nom de fichier ou depuis "
+#~ "stdin"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/current_context.go#L48
+#~ msgid "Displays the current-context"
+#~ msgstr "Affiche le contexte actuel"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_cluster.go#L67
+#~ msgid "Sets a cluster entry in kubeconfig"
+#~ msgstr "Définit un cluster dans kubeconfig"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_context.go#L57
+#~ msgid "Sets a context entry in kubeconfig"
+#~ msgstr "Définit un contexte dans kubeconfig"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_authinfo.go#L103
+#~ msgid "Sets a user entry in kubeconfig"
+#~ msgstr "Définit un utilisateur dans kubeconfig"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/set.go#L59
+#~ msgid "Sets an individual value in a kubeconfig file"
+#~ msgstr "Définit une valeur individuelle dans un fichier kubeconfig"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/use_context.go#L48
+#~ msgid "Sets the current-context in a kubeconfig file"
+#~ msgstr "Définit le contexte courant dans un fichier kubeconfig"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/unset.go#L47
+#~ msgid "Unsets an individual value in a kubeconfig file"
+#~ msgstr "Supprime une valeur individuelle dans un fichier kubeconfig"
+
+#~ msgid ""
+#~ "watch is only supported on individual resources and resource collections "
+#~ "- %d resources were found"
+#~ msgid_plural ""
+#~ "watch is only supported on individual resources and resource collections "
+#~ "- %d resources were found"
+#~ msgstr[0] ""
+#~ "watch n'est compatible qu'avec les ressources individuelles et les "
+#~ "collections de ressources.  - %d ressource a été trouvée. "
+#~ msgstr[1] ""
+#~ "watch n'est compatible qu'avec les ressources individuelles et les "
+#~ "collections de ressources.  - %d ressources ont été trouvées. "
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/it_IT/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/it_IT/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..afe881717e
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/it_IT/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/it_IT/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/it_IT/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..ff6d83262f
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/it_IT/LC_MESSAGES/k8s.po
@@ -0,0 +1,3249 @@
+# Italian translation.
+# Copyright (C) 2017
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR evolution85@gmail.com, 2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: kubernetes\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2017-08-28 15:20+0200\n"
+"Last-Translator: Luca Berton <mr.evolution85@gmail.com>\n"
+"Language-Team: Luca Berton <mr.evolution85@gmail.com>\n"
+"Language: it_IT\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Poedit 1.8.7.1\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:62
+msgid ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+msgstr ""
+"\n"
+"\t\t  # Mostra metriche per tutti i nodi\n"
+"\t\t kubectl top node\n"
+"\n"
+"\t\t # Mostra metriche per un determinato nodo\n"
+"\t\t kubectl top node NODE_NAME"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:46
+msgid ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+msgstr ""
+"\n"
+"\t\t# Ottieni la documentazione della risorsa e i relativi campi\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Ottieni la documentazione di un campo specifico di una risorsa\n"
+"\t\tkubectl explain pods.spec.containers"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:29
+msgid ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+msgstr ""
+"\n"
+"\t\t# Stampa i flag ereditati da tutti i comandi\n"
+"\t\tkubectl options"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:44
+msgid ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+msgstr ""
+"\n"
+"\t\t# Stampa le versioni client e server per il current context\n"
+"\t\tkubectl version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:34
+msgid ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+msgstr ""
+"\n"
+"\t\t# Stampa le versioni API supportate\n"
+"\t\tkubectl api-versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:75
+msgid ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+msgstr ""
+"\n"
+"\t\t# Mostra metriche di tutti i pod nello spazio dei nomi predefinito\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Mostra metriche di tutti i pod nello spazio dei nomi specificato\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Mostra metriche per un pod e i suoi relativi container\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Mostra metriche per i pod definiti da label name = myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+
+#: pkg/kubectl/cmd/convert/convert.go:40
+msgid ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+msgstr ""
+"\n"
+"\t\tConvertire i file di configurazione tra diverse versioni API. Sono\n"
+"\t\taccettati i formati YAML e JSON.\n"
+"\n"
+"\t\tIl comando prende il nome di file, la directory o l'URL come input e lo "
+"converte nel formato\n"
+"\t\tdi versione specificata dal flag -output-version. Se la versione di "
+"destinazione non è specificata o\n"
+"\t\tnon supportata, viene convertita nella versione più recente.\n"
+"\n"
+"\t\tL'output predefinito verrà stampato su stdout nel formato YAML. Si può "
+"usare l'opzione -o\n"
+"\t\tper cambiare la destinazione di output."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:39
+msgid ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+msgstr ""
+"\n"
+"\t\tCreare un namespace con il nome specificato."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:43
+msgid ""
+"\n"
+"\t\tCreate a role with single rule."
+msgstr ""
+"\n"
+"\t\tCrea un ruolo con una singola regola."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:40
+msgid ""
+"\n"
+"\t\tCreate a service account with the specified name."
+msgstr ""
+"\n"
+"\t\tCreare un service account con il nome specificato."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:84
+msgid ""
+"\n"
+"\t\tMark node as schedulable."
+msgstr ""
+"\n"
+"\t\tContrassegna il nodo come programmabile."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:55
+msgid ""
+"\n"
+"\t\tMark node as unschedulable."
+msgstr ""
+"\n"
+"\t\tContrassegnare il nodo come non programmabile."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:70
+msgid ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+msgstr ""
+"\n"
+"\t\tImposta le annotazioni dell'ultima-configurazione-applicata impostandola "
+"in modo che corrisponda al contenuto di un file.\n"
+"\t\tCiò determina l'aggiornamento dell'ultima-configurazione-applicata come "
+"se 'kubectl apply -f <file>' fosse stato eseguito,\n"
+"\t\tsenza aggiornare altre parti dell'oggetto."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:42
+msgid ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+msgstr ""
+"\n"
+"\t  # Crea un nuovo namespace denominato my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:43
+msgid ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+msgstr ""
+"\n"
+"\t  # Crea un nuovo service account denominato my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:344
+msgid ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+msgstr ""
+"\n"
+"\tCrea un servizio ExternalName con il nome specificato.\n"
+"\n"
+"\tIl servizio ExternalName fa riferimento a un indirizzo DNS esterno \n"
+"\tsolo pod, che permetteranno agli autori delle applicazioni di utilizzare i "
+"servizi di riferimento\n"
+"\tche esistono fuori dalla piattaforma, su altri cluster, o localmente.."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:28
+msgid ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+msgstr ""
+"\n"
+"\tHelp fornisce assistenza per qualsiasi comando nell'applicazione.\n"
+"\tBasta digitare kubectl help [path to command] per i dettagli completi."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:311
+msgid ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # Creare un nuovo servizio LoadBalancer denominato my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:102
+msgid ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+msgstr ""
+"\n"
+"    # Dump dello stato corrente del cluster verso stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump dello stato corrente del cluster verso /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump di tutti i namespaces verso stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump di un set di namespace verso /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:308
+msgid ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+msgstr ""
+"\n"
+"    Crea un servizio LoadBalancer con il nome specificato."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:107
+msgid ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+msgstr ""
+"Un insieme delimitato-da-virgole di quota scopes che devono corrispondere a "
+"ciascun oggetto gestito dalla quota."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:106
+msgid ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+msgstr ""
+"Un insieme delimitato-da-virgola di coppie risorsa = quantità che "
+"definiscono un hard limit."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:113
+msgid ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+msgstr ""
+"Un label selector da utilizzare per questo budget. Sono supportati solo i "
+"selettori equality-based selector."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:152
+msgid ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+msgstr ""
+"Un selettore di label da utilizzare per questo servizio. Sono supportati "
+"solo equality-based selector.  Se vuota (default) dedurre il selettore dal "
+"replication controller o replica set.)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:157
+msgid ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+msgstr ""
+"Indirizzo IP esterno aggiuntivo (non gestito da Kubernetes) da accettare per "
+"il servizio. Se questo IP viene indirizzato a un nodo, è possibile accedere "
+"da questo IP in aggiunta al service IP generato."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:158
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:178
+msgid ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+msgstr ""
+"Un override JSON inline per l'oggetto generato. Se questo non è vuoto, viene "
+"utilizzato per ignorare l'oggetto generato. Richiede che l'oggetto fornisca "
+"un campo valido apiVersion."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:125
+msgid "Approve a certificate signing request"
+msgstr "Approva una richiesta di firma del certificato"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:263
+msgid ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+msgstr ""
+"Assegnare il proprio ClusterIP o impostare su 'None' per un servizio "
+"'headless' (nessun bilanciamento del carico)."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:105
+msgid "Attach to a running container"
+msgstr "Collega a un container in esecuzione"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:161
+msgid ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+msgstr ""
+"ClusterIP da assegnare al servizio. Lasciare vuoto per allocare "
+"automaticamente o impostare su 'None' per creare un servizio headless."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:101
+msgid "ClusterRole this ClusterRoleBinding should reference"
+msgstr "ClusterRole a cui questo ClusterRoleBinding fa riferimento"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:104
+msgid "ClusterRole this RoleBinding should reference"
+msgstr "ClusterRole a cui questo RoleBinding fa riferimento"
+
+#: pkg/kubectl/cmd/convert/convert.go:95
+msgid "Convert config files between different API versions"
+msgstr "Convertire i file di configurazione tra diverse versioni APIs"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:106
+msgid "Copy files and directories to and from containers."
+msgstr "Copiare file e directory da e verso i container."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:94
+msgid "Create a TLS secret"
+msgstr "Crea un secret TLS"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:83
+msgid "Create a namespace with the specified name"
+msgstr "Crea un namespace con il nome specificato"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:134
+msgid "Create a secret for use with a Docker registry"
+msgstr "Crea un secret da utilizzare con un registro Docker"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:49
+msgid "Create a secret using specified subcommand"
+msgstr "Crea un secret utilizzando un subcommand specificato"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:85
+msgid "Create a service account with the specified name"
+msgstr "Creare un account di servizio con il nome specificato"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "Elimina il cluster specificato dal kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "Elimina il context specificato dal kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:174
+msgid "Deny a certificate signing request"
+msgstr "Nega una richiesta di firma del certificato"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "Descrive uno o più context"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "Mostra i cluster definiti nel kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr ""
+"Visualizza le impostazioni merged di kubeconfig o un file kubeconfig "
+"specificato"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:165
+msgid "Display one or many resources"
+msgstr "Visualizza una o più risorse"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:184
+msgid "Drain node in preparation for maintenance"
+msgstr "Drain node in preparazione alla manutenzione"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:77
+msgid "Edit a resource on the server"
+msgstr "Modificare una risorsa sul server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:152
+msgid "Email for Docker registry"
+msgstr "Email per il registro Docker"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:89
+msgid "Execute a command in a container"
+msgstr "Esegui un comando in un contenitore"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:109
+msgid "Forward one or more local ports to a pod"
+msgstr "Inoltra una o più porte locali a un pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:37
+msgid "Help about any command"
+msgstr "Aiuto per qualsiasi comando"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:160
+msgid ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+msgstr ""
+"Se non è vuoto, impostare l'affinità di sessione per il servizio; Valori "
+"validi: 'None', 'ClientIP'"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:157
+msgid ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"Se non è vuoto, l'aggiornamento delle annotazioni avrà successo solo se "
+"questa è la resource-version corrente per l'oggetto. Valido solo quando si "
+"specifica una singola risorsa."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:154
+msgid ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"Se non vuoto, l'aggiornamento delle label avrà successo solo se questa è la "
+"resource-version corrente per l'oggetto. Valido solo quando si specifica una "
+"singola risorsa."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:98
+msgid "Mark node as schedulable"
+msgstr "Contrassegnare il nodo come programmabile"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:69
+msgid "Mark node as unschedulable"
+msgstr "Contrassegnare il nodo come non programmabile"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:83
+msgid "Mark the provided resource as paused"
+msgstr "Imposta la risorsa indicata in pausa"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:49
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:50
+msgid "Modify certificate resources."
+msgstr "Modificare le risorse del certificato."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "Modifica i file kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:156
+msgid ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+msgstr ""
+"Nome o numero di porta nel container verso il quale il servizio deve "
+"dirigere il traffico. Opzionale."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:174
+msgid ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+msgstr ""
+"Restituisce solo i log dopo una data specificata (RFC3339). Predefinito "
+"tutti i log. È possibile utilizzare solo uno tra data-inizio/a-partire-da."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:112
+msgid "Output shell completion code for the specified shell (bash or zsh)"
+msgstr ""
+"Codice di completamento shell di output per la shell specificata (bash o zsh)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:151
+msgid "Password for Docker registry authentication"
+msgstr "Password per l'autenticazione al registro di Docker"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:110
+msgid "Path to PEM encoded public key certificate."
+msgstr "Percorso certificato di chiave pubblica codificato PEM."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:111
+msgid "Path to private key associated with given certificate."
+msgstr "Percorso alla chiave privata associata a un certificato specificato."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:130
+msgid ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+msgstr ""
+"Prerequisito per la versione delle risorse. Richiede che la versione "
+"corrente delle risorse corrisponda a questo valore per scalare."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:73
+msgid "Print the client and server version information"
+msgstr "Stampa per client e server le informazioni sulla versione"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:38
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:39
+msgid "Print the list of flags inherited by all commands"
+msgstr "Stampa l'elenco flag ereditati da tutti i comandi"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:152
+msgid "Print the logs for a container in a pod"
+msgstr "Stampa i log per container in un pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:87
+msgid "Resume a paused resource"
+msgstr "Riprendere una risorsa in pausa"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:105
+msgid "Role this RoleBinding should reference"
+msgstr "Ruolo di riferimento per RoleBinding"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:152
+msgid "Run a particular image on the cluster"
+msgstr "Esegui una particolare immagine nel cluster"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:119
+msgid "Run a proxy to the Kubernetes API server"
+msgstr "Eseguire un proxy al server Kubernetes API"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:153
+msgid "Server location for Docker registry"
+msgstr "Posizione del server per il Registro Docker"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:39
+msgid "Set specific features on objects"
+msgstr "Imposta caratteristiche specifiche sugli oggetti"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:104
+msgid "Set the selector on a resource"
+msgstr "Impostare il selettore di una risorsa"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:107
+msgid "Show details of a specific resource or group of resources"
+msgstr "Mostra i dettagli di una specifica risorsa o un gruppo di risorse"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:102
+msgid "Show the status of the rollout"
+msgstr "Mostra lo stato del rollout"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:154
+msgid "Synonym for --target-port"
+msgstr "Sinonimo di --target-port"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:174
+msgid "The image for the container to run."
+msgstr "L'immagine per il container da eseguire."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:176
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+msgstr ""
+"La politica di pull dell'immagine per il container. Se lasciato vuoto, "
+"questo valore non verrà specificato dal client e predefinito dal server"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:111
+msgid ""
+"The minimum number or percentage of available pods this budget requires."
+msgstr ""
+"Il numero minimo o la percentuale di pod disponibili che questo budget "
+"richiede."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:159
+msgid "The name for the newly created object."
+msgstr "Il nome dell'oggetto appena creato."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:125
+msgid ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+msgstr ""
+"Il nome dell'oggetto appena creato. Se non specificato, verrà utilizzato il "
+"nome della risorsa di input."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:147
+msgid ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+msgstr ""
+"Il nome del generatore API da utilizzare. Ci sono 2 generatori: 'service/v1' "
+"e 'service/v2'. L'unica differenza tra loro è che la porta di servizio in v1 "
+"è denominata \"predefinita\", mentre viene lasciata unnamed in v2. Il valore "
+"predefinito è 'service/v2'."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:148
+msgid "The network protocol for the service to be created. Default is 'TCP'."
+msgstr ""
+"Il protocollo di rete per il servizio da creare. Il valore predefinito è "
+"'TCP'."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:149
+msgid ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+msgstr ""
+"La porta che il servizio deve servire. Copiato dalla risorsa esposta, se non "
+"specificata"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:194
+msgid ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+msgstr ""
+"I limiti delle richieste di risorse per questo contenitore.  Ad esempio, "
+"'cpu=200m,memory=512Mi'. Si noti che i componenti lato server possono "
+"assegnare i limiti a seconda della configurazione del server, ad esempio "
+"intervalli di limiti."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:192
+msgid ""
+"The resource requirement requests for this container.  For example, "
+"'cpu=100m,memory=256Mi'.  Note that server side components may assign "
+"requests depending on the server configuration, such as limit ranges."
+msgstr ""
+"La risorsa necessita di richieste di requisiti per questo pod. Ad esempio, "
+"'cpu = 100m, memoria = 256Mi'. Si noti che i componenti lato server possono "
+"assegnare i requisiti a seconda della configurazione del server, ad esempio "
+"intervalli di limiti."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:155
+msgid "The type of secret to create"
+msgstr "Tipo di segreto da creare"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:87
+msgid "Undo a previous rollout"
+msgstr "Annulla un precedente rollout"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:116
+msgid "Update resource requests/limits on objects with pod templates"
+msgstr "Aggiorna richieste di risorse/limiti sugli oggetti con pod template"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "Aggiorna annotazioni di risorsa"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:133
+msgid "Update the labels on a resource"
+msgstr "Aggiorna label di una risorsa"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:109
+msgid "Update the taints on one or more nodes"
+msgstr "Aggiorna i taints su uno o più nodi"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:150
+msgid "Username for Docker registry authentication"
+msgstr "Nome utente per l'autenticazione nel registro Docker"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:83
+msgid "View rollout history"
+msgstr "Visualizza la storia del rollout"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:85
+msgid ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+msgstr ""
+"Dove eseguire l'output dei file. Se vuota o '-' utilizza lo stdout, "
+"altrimenti crea una gerarchia di directory in quella directory"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run_test.go:88
+msgid "dummy restart flag)"
+msgstr "flag di riavvio finto)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cmd.go:227
+msgid "kubectl controls the Kubernetes cluster manager"
+msgstr "Kubectl controlla il gestore cluster di Kubernetes"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a ClusterRoleBinding for user1, user2, and group1 using "
+#~ "the cluster-admin ClusterRole\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t # Creare un ClusterRoleBinding per user1, user2 e group1 utilizzando "
+#~ "il cluster-admin ClusterRole\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a RoleBinding for user1, user2, and group1 using the admin "
+#~ "ClusterRole\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Crea un RoleBinding per user1, user2, and group1 utilizzando "
+#~ "l'admin ClusterRole\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config based on folder bar\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with specified keys "
+#~ "instead of file basenames on disk\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with key1=config1 and "
+#~ "key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Crea un nuovo configmap denominato my-config in base alla "
+#~ "cartella bar\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Crea un nuovo configmap denominato my-config con le chiavi "
+#~ "specificate anziché i nomi dei file su disco\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Crea un nuovo configmap denominato my-config con key1 = config1 e "
+#~ "key2 = config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # If you don't already have a .dockercfg file, you can create a "
+#~ "dockercfg secret directly by using:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Se non si dispone ancora di un file .dockercfg, è possibile "
+#~ "creare un secret dockercfg direttamente utilizzando:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Apply the configuration in pod.json to a pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Apply the JSON passed into stdin to a pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Note: --prune is still in Alpha\n"
+#~ "\t\t# Apply the configuration in manifest.yaml that matches label "
+#~ "app=nginx and delete all the other resources that are not in the file and "
+#~ "match label app=nginx.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Apply the configuration in manifest.yaml and delete all the other "
+#~ "configmaps that are not in the file.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/"
+#~ "v1/ConfigMap"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Applica la configurazione pod.json a un pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Applicare il JSON passato in stdin a un pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Nota: --prune è ancora in in Alpha\n"
+#~ "\t\t# Applica la configurazione manifest.yaml che corrisponde alla label "
+#~ "app = nginx ed elimina tutte le altre risorse che non sono nel file e "
+#~ "nella label corrispondente app = nginx.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Applica la configurazione manifest.yaml ed elimina tutti gli altri "
+#~ "configmaps non presenti nel file.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/"
+#~ "v1/ConfigMap"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 "
+#~ "and 10, no target CPU utilization specified so a default autoscaling "
+#~ "policy will be used:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# Auto scale a replication controller \"foo\", with the number of "
+#~ "pods between 1 and 5, target CPU utilization at 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t#  Auto scale un deployment \"foo\", con il numero di pod compresi "
+#~ "tra 2 e 10, utilizzo della CPU target specificato in modo da utilizzare "
+#~ "una politica di autoscaling predefinita:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# Auto scale un controller di replica \"foo\", con il numero di pod "
+#~ "compresi tra 1 e 5, utilizzo dell'utilizzo della CPU a 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Convert the live state of the resource specified by 'pod.yaml' to "
+#~ "the latest version\n"
+#~ "\t\t# and print to stdout in json format.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# Convert all files under current directory to latest version and "
+#~ "create them all.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Converte 'pod.yaml' alla versione più recente e stampa in stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Converte lo stato live della risorsa specificata da 'pod.yaml' "
+#~ "nella versione più recente.\n"
+#~ "\t\t# e stampa in stdout nel formato json.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# Converte tutti i file nella directory corrente alla versione più "
+#~ "recente e li crea tutti.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" that allows user to "
+#~ "perform \"get\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" with ResourceName "
+#~ "specified\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Crea un ClusterRole denominato \"pod-reader\" che consente "
+#~ "all'utente di eseguire \"get\", \"watch\" e \"list\" sui pod\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Crea un ClusterRole denominato \"pod-reader\" con ResourceName "
+#~ "specificato\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" that allows user to perform \"get"
+#~ "\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" with ResourceName specified\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verg=list --verb=watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Crea un ruolo denominato \"pod-reader\" che consente all'utente di "
+#~ "eseguire \"get\", \"watch\" e \"list\" sui pod\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Crea un ruolo denominato \"pod-reader\" con ResourceName "
+#~ "specificato\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verg=list --verb=watch --"
+#~ "resource=pods --resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named my-quota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,"
+#~ "services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named best-effort\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Crea una nuova resourcequota chiamata my-quota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,"
+#~ "services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Creare una nuova resourcequota denominata best-effort\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=rails label\n"
+#~ "\t\t# and require at least one of them being available at any point in "
+#~ "time.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=nginx label\n"
+#~ "\t\t# and require at least half of the pods selected to be available at "
+#~ "any point in time.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Crea un pod disruption budget chiamato my-pdb che seleziona tutti i "
+#~ "pod con label app = rail\n"
+#~ "\t\t# e richiede che almeno uno di essi sia disponibile in qualsiasi "
+#~ "momento.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Crea un pod disruption budget con nome my-pdb che seleziona tutti i "
+#~ "pod con label app = nginx \n"
+#~ "\t\t# e richiede che almeno la metà dei pod selezionati sia disponibile "
+#~ "in qualsiasi momento.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod using the data in pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Create a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Edit the data in docker-registry.yaml in JSON using the v1 API "
+#~ "format then create the resource using the edited data.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Crea un pod utilizzando i dati in pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Crea un pod basato sul JSON passato in stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Modifica i dati in docker-registry.yaml in JSON utilizzando il "
+#~ "formato API v1 quindi creare la risorsa utilizzando i dati modificati.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replication controller identified by type "
+#~ "and name specified in \"nginx-controller.yaml\", which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+#~ "the name \"frontend\"\n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# Create a second service based on the above service, exposing the "
+#~ "container port 8443 as port 443 with the name \"nginx-https\"\n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated streaming application on port "
+#~ "4100 balancing UDP traffic and named 'video-stream'.\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx using replica set, which "
+#~ "serves on port 80 and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for an nginx deployment, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Crea un servizio per un nginx replicato, che serve nella porta 80 e "
+#~ "si collega ai container sulla porta 8000.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Crea un servizio per un controller di replica identificato per tipo "
+#~ "e nome specificato in \"nginx-controller.yaml\", che serve nella porta 80 "
+#~ "e si collega ai container sulla porta 8000.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Crea un servizio per un pod valid-pod, che serve nella porta 444 "
+#~ "con il nome \"frontend\"\n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# Crea un secondo servizio basato sul servizio sopra, esponendo la "
+#~ "porta container 8443 come porta 443 con il nome \"nginx-https\"\n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t#  Crea un servizio per un'applicazione di replica in porta 4100 che "
+#~ "bilanci il traffico UDP e denominato \"video stream\".\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Crea un servizio per un nginx replicato utilizzando l'insieme di "
+#~ "replica, che serve nella porta 80 e si collega ai contenitori sulla porta "
+#~ "8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Crea un servizio per una distribuzione di nginx, che serve nella "
+#~ "porta 80 e si collega ai contenitori della porta 8000.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Delete a pod using the type and name specified in pod.json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Delete a pod based on the type and name in the JSON passed into "
+#~ "stdin.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Delete a pod with minimal delay\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# Force delete a pod on a dead node\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# Delete all pods\n"
+#~ "\t\tkubectl delete pods --all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Elimina un pod utilizzando il tipo e il nome specificati in pod."
+#~ "json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Elimina un pod in base al tipo e al nome del JSON passato in "
+#~ "stdin.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Elimina i baccelli ei servizi con gli stessi nomi \"baz\" e \"foo"
+#~ "\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Elimina i baccelli ei servizi con il nome dell'etichetta = "
+#~ "myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Eliminare un pod con un ritardo minimo\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# Forza elimina un pod in un nodo morto\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# Elimina tutti i pod\n"
+#~ "\t\tkubectl delete pods --all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Describe a node\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Describe a pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Describe all pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Describe pods by label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Describe all pods managed by the 'frontend' replication controller "
+#~ "(rc-created pods\n"
+#~ "\t\t# get the name of the rc as a prefix in the pod the name).\n"
+#~ "\t\tkubectl describe pods frontend"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Descrive un nodo\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Descrive un pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Descrive un pod identificato da tipo e nome in \"pod.json\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Descrive tutti i pod\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Descrive i pod con label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Descrivere tutti i pod gestiti dal controller di replica \"frontend"
+#~ "\"  (rc-created pods\n"
+#~ "\t\t# ottiene il nome del rc come un prefisso del nome pod).\n"
+#~ "\t\tkubectl describe pods frontend"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Drain node \"foo\", even if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet on it.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# As above, but abort if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet, and use "
+#~ "a grace period of 15 minutes.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Drain node \"foo\", anche se ci sono i baccelli non gestiti da "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet o StatefulSet su di "
+#~ "esso.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# Come sopra, ma interrompere se ci sono i baccelli non gestiti da "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet, e "
+#~ "utilizzare un periodo di grazia di 15 minuti.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Edit the service named 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Use an alternative editor\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Edit the job 'myjob' in JSON using the v1 API format:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+#~ "config in its annotation:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Modifica il servizio denominato 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Usa un editor alternativo\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Modifica il lavoro 'myjob' in JSON utilizzando il formato API v1:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Modifica la distribuzione 'mydeployment' in YAML e salvare la "
+#~ "configurazione modificata nella sua annotazione:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running 'date' from pod 123456-7890, using the "
+#~ "first container by default\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Get output from running 'date' in ruby-container from pod "
+#~ "123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Ottieni l'output dalla 'data' di esecuzione del pod 123456-7890, "
+#~ "utilizzando il primo contenitore per impostazione predefinita\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Ottieni l'output dalla data di esecuzione in ruby-container del pod "
+#~ "123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Passare alla modalità raw terminal, invia stdin a 'bash' in ruby-"
+#~ "container del pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running pod 123456-7890, using the first container "
+#~ "by default\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# Get output from ruby-container from pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Get output from the first pod of a ReplicaSet named nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Ottieni l'output dal pod 123456-7890 in esecuzione, utilizzando il "
+#~ "primo contenitore per impostazione predefinita\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t#  Ottieni l'output dal  ruby-container del pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Passa alla modalità raw terminal, invia stdin a 'bash' in ruby-"
+#~ "container del pod 123456-7890\n"
+#~ "\t\t# e invia stdout/stderr da 'bash' al client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Ottieni l'output dal primo pod di una ReplicaSet denominata nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Install bash completion on a Mac using homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for bash into the current shell\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Write bash completion code to a file and source if from ."
+#~ "bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Installa il completamento di bash su un Mac utilizzando homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Carica il codice di completamento kubectl per bash nella shell "
+#~ "corrente\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Scrive il codice di completamento bash in un file e lo carica da ."
+#~ "bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Carica il codice di completamento kubectl per zsh [1] nella shell "
+#~ "corrente\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# List all pods in ps output format.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# List all pods in ps output format with more information (such as "
+#~ "node name).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# List a single replication controller with specified NAME in ps "
+#~ "output format.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# List a single pod in JSON output format.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+#~ "JSON output format.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Return only the phase value of the specified pod.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# List all replication controllers and services together in ps output "
+#~ "format.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# List one or more resources by their type and names.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List all resources with different types.\n"
+#~ "\t\tkubectl get all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Elenca tutti i pod in formato output ps.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# Elenca tutti i pod in formato output ps con maggiori informazioni "
+#~ "(ad esempio il nome del nodo).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# Elenca un controller di replica singolo con NAME specificato nel "
+#~ "formato di output ps.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# Elenca un singolo pod nel formato di uscita JSON.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# Elenca un pod identificato per tipo e nome specificato in \"pod.yaml"
+#~ "\" nel formato di uscita JSON.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Restituisce solo il valore di fase del pod specificato.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# Elenca tutti i controller e servizi di replica insieme in formato "
+#~ "output ps.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# Elenca una o più risorse per il tipo e per i nomi.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# Elenca tutte le risorse con tipi diversi.\n"
+#~ "\t\tkubectl get all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 5000 6000\n"
+#~ "\n"
+#~ "\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 8888:5000\n"
+#~ "\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod :5000\n"
+#~ "\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 0:5000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Ascolta localmente le porte 5000 e 6000, inoltrando i dati da/verso "
+#~ "le porte 5000 e 6000 nel pod\n"
+#~ "\t\tkubectl port-forward mypod 5000 6000\n"
+#~ "\n"
+#~ "\t\t# Ascolta localmente la porta 8888, inoltra a 5000 nel pod\n"
+#~ "\t\tkubectl port-forward mypod 8888:5000\n"
+#~ "\n"
+#~ "\t\t# Ascolta localmente una porta casuale, inoltra a 5000 nel pod\n"
+#~ "\t\tkubectl port-forward mypod :5000\n"
+#~ "\n"
+#~ "\t\t# Ascolta localmente una porta casuale, inoltra a 5000 nel pod\n"
+#~ "\t\tkubectl port-forward mypod 0:5000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as schedulable.\n"
+#~ "\t\t$ kubectl uncordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Segna il nodo \"foo\" come programmabile.\n"
+#~ "\t\t$ Kubectl uncordon foo"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as unschedulable.\n"
+#~ "\t\tkubectl cordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t#  Segna il nodo \"foo\" come non programmabile.\n"
+#~ "\t\tkubectl cordon foo"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Partially update a node using strategic merge patch\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Partially update a node identified by the type and name specified "
+#~ "in \"node.json\" using strategic merge patch\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image; spec.containers[*].name is required "
+#~ "because it's a merge key\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image using a json patch with positional "
+#~ "arrays\n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aggiorna parzialmente un nodo utilizzando merge patch strategica\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Aggiorna parzialmente un nodo identificato dal tipo e dal nome "
+#~ "specificato in \"node.json\" utilizzando  merge patch strategica\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Aggiorna l'immagine di un contenitore; spec.containers [*]. name è "
+#~ "richiesto perché è una chiave di fusione\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Aggiorna l'immagine di un contenitore utilizzando una patch json "
+#~ "con array posizionali\n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Print the address of the master and cluster services\n"
+#~ "\t\tkubectl cluster-info"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Stampa l'indirizzo dei servizi master e cluster\n"
+#~ "\t\tkubectl cluster-info"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Replace a pod using the data in pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Replace a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Update a single-container pod's image version (tag) to v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Force replace, delete and then re-create the resource\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Sostituire un pod utilizzando i dati in pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Sostituire un pod usando il JSON passato da stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Aggiorna la versione dell'immagine (tag) di un singolo container di "
+#~ "pod a v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Forza la sostituzione, cancellazione e quindi ricreare la risorsa\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Return snapshot logs from pod nginx with only one container\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs for the pods defined by label app=nginx\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot of previous terminated ruby container logs from pod "
+#~ "web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Show all logs from pod nginx written in the last hour\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from first container of a job named hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+#~ "nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Restituisce snapshot log dal pod nginx con un solo container\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Restituisce snapshot log dei pod definiti dalla label app=nginx\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Restituisce snapshot log del container ruby  terminato nel pod "
+#~ "web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Iniziare a trasmettere i log del contenitore ruby nel pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Visualizza solo le ultime 20 righe di output del pod nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Mostra tutti i log del pod nginx scritti nell'ultima ora\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Restituisce snapshot log dal primo contenitore di un lavoro "
+#~ "chiamato hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Restituisce snapshot logs del container nginx-1 del deployment "
+#~ "chiamato nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on port 8011, serving static "
+#~ "content from ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on an arbitrary local port.\n"
+#~ "\t\t# The chosen port for the server will be output to stdout.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver, changing the api prefix to k8s-"
+#~ "api\n"
+#~ "\t\t# This makes e.g. the pods api available at localhost:8001/k8s-api/v1/"
+#~ "pods/\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Esegui un proxy verso kubernetes apiserver sulla porta 8011, che "
+#~ "fornisce contenuti statici da ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Esegui un proxy verso kubernetes apiserver su una porta locale "
+#~ "arbitraria.\n"
+#~ "\t\t# La porta selezionata per il server verrà inviata a stdout.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# Esegui un proxy verso kubernetes apiserver, cambiando il prefisso "
+#~ "api in k8s-api\n"
+#~ "\t\t# Questo comporta, ad es., pod api disponibili presso localhost:8001/"
+#~ "k8s-api/v1/pods/\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Scale a replicaset named 'foo' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Scale a resource identified by type and name specified in \"foo.yaml"
+#~ "\" to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# If the deployment named mysql's current size is 2, scale mysql to "
+#~ "3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Scale multiple replication controllers.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Scale job named 'cron' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Scala un replicaset denominato 'foo' a 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Scala una risorsa identificata per tipo e nome specificato in \"foo."
+#~ "yaml\" a 3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t#  Se la distribuzione corrente di mysql è 2, scala mysql a 3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Scalare più controllori di replica.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Scala il lavoro denominato 'cron' a 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Execute set-last-applied against each configuration file in a "
+#~ "directory.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file, will create the annotation if it does not already "
+#~ "exist.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Imposta l'ultima-configurazione-applicata di una risorsa che "
+#~ "corrisponda al contenuto di un file.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Esegue set-last-applied per ogni file di configurazione in una "
+#~ "directory.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Imposta la configurazione dell'ultima applicazione di una risorsa "
+#~ "che corrisponda al contenuto di un file, creerà l'annotazione se non "
+#~ "esiste già.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Shut down foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stop pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Shut down the service defined in service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Shut down all resources in the path/to/resources directory\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Spegni foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stop di tutti i pod e servizi con label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Spegnere il servizio definito in service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Spegnere tutte le resources in path/to/resources directory\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and let the container expose "
+#~ "port 5701 .\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and set environment variables "
+#~ "\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" "
+#~ "--env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Start a replicated instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Print the corresponding API objects without creating "
+#~ "them.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx, but overload the spec of the "
+#~ "deployment with a partial set of values parsed from JSON.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": "
+#~ "\"v1\", \"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Start a pod of busybox and keep it in the foreground, don't restart "
+#~ "it if it exits.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using the default command, but use custom "
+#~ "arguments (arg1 .. argN) for that command.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using a different command and custom "
+#~ "arguments.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the perl container to compute π to 2000 places and print it "
+#~ "out.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Start the cron job to compute π to 2000 places and print it out "
+#~ "every 5 minutes.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Avviare un'unica istanza di nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Avviare un'unica istanza di hazelcast e lasciare che il container  "
+#~ "esponga la porta 5701.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Avviare una singola istanza di hazelcast ed imposta le variabili "
+#~ "ambiente \"DNS_DOMAIN=cluster\" e \"POD_NAMESPACE=default\" nel "
+#~ "container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" "
+#~ "--env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Avviare un'istanza replicata di nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Stampare gli oggetti API corrispondenti senza crearli.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Avviare un'unica istanza di nginx, ma overload  le spec  del "
+#~ "deployment  con un insieme parziale di valori analizzati da JSON.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": "
+#~ "\"v1\", \"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Avviare un pod di busybox e tenerlo in primo piano, non riavviarlo "
+#~ "se esce.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Avviare il container nginx utilizzando il comando predefinito, ma "
+#~ "utilizzare argomenti personalizzati (arg1 .. argN) per quel comando.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Avviare il container  nginx utilizzando un diverso comando e "
+#~ "argomenti personalizzati.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Avviare il contenitore perl per calcolare π a 2000 posti e "
+#~ "stamparlo.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Avviare il cron job per calcolare π a 2000 posti e stampare ogni 5 "
+#~ "minuti.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update node 'foo' with a taint with key 'dedicated' and value "
+#~ "'special-user' and effect 'NoSchedule'.\n"
+#~ "\t\t# If a taint with that key and effect already exists, its value is "
+#~ "replaced as specified.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+#~ "'NoSchedule' if one exists.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aggiorna il nodo \"foo\" con un marcatore con il tasto 'dedicated' "
+#~ "e il valore 'special-user' ed effettua 'NoSchedule'.\n"
+#~ "\t\t# Se un marcatore con quel tasto e l'effetto già esiste, il suo "
+#~ "valore viene sostituito come specificato.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Rimuove dal nodo 'foo' il marcatore con il tasto 'dedicated' ed "
+#~ "effettua 'NoSchedule' se esiste.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Rimuovi dal nodo 'foo' tutti i marcatori con chiave 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+#~ "overwriting any existing value.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update all pods in the namespace\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' by removing a label named 'bar' if it exists.\n"
+#~ "\t\t# Does not require the --overwrite flag.\n"
+#~ "\t\tkubectl label pods foo bar-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aggiorna il pod 'foo' con l'etichetta 'unhealthy' e il valore "
+#~ "'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Aggiorna il pod 'foo' con l'etichetta 'status' e il valore "
+#~ "'unhealthy', sovrascrivendo qualsiasi valore esistente.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Aggiorna tutti i pod nello spazio dei nomi\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Aggiorna un pod identificato dal tipo e dal nome in \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Aggiorna il pod 'foo' solo se la risorsa è invariata dalla versione "
+#~ "1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t#  Aggiorna il pod 'foo' rimuovendo un'etichetta denominata 'bar' se "
+#~ "esiste.\n"
+#~ "\t\t# Non richiede la flag -overwrite.\n"
+#~ "\t\tkubectl label pods foo bar-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using new replication controller data in "
+#~ "frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using JSON data passed into stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend-v1 to frontend-v2 by just changing the "
+#~ "image, and switching the\n"
+#~ "\t\t# name of the replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend by just changing the image, and keeping "
+#~ "the old name.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Abort and reverse an existing rollout in progress (from frontend-v1 "
+#~ "to frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aggiorna i pod di frontend-v1 usando i dati del replication "
+#~ "controller in frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Aggiorna i pod di frontend-v1 usando i dati JSON passati da stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Aggiorna i pod di frontend-v1 in frontend-v2  solo cambiando "
+#~ "l'immagine e modificando\n"
+#~ "\t\t# il nome del replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Aggiorna i pod di frontend solo cambiando l'immaginee mantenendo il "
+#~ "vecchio none.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t#  Interrompee ed invertire un rollout esistente in corso (da "
+#~ "frontend-v1 a frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by type/name in "
+#~ "YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by file in JSON\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Visualizza le annotazioni dell'ultima-configurazione-applicata per "
+#~ "tipo/nome in YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# # Visualizza le annotazioni dell'ultima-configurazione-applicata "
+#~ "per file in JSON.\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tApply a configuration to a resource by filename or stdin.\n"
+#~ "\t\tThis resource will be created if it doesn't exist yet.\n"
+#~ "\t\tTo use 'apply', always create the resource initially with either "
+#~ "'apply' or 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do "
+#~ "not use unless you are aware of what the current state is. See https://"
+#~ "issues.k8s.io/34274."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tApplicare una configurazione a una risorsa per nomefile o stdin.\n"
+#~ "\t\tQuesta risorsa verrà creata se non esiste ancora.\n"
+#~ "\t\tPer utilizzare 'apply', creare sempre la risorsa inizialmente con "
+#~ "'apply' o 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tSono accettati i formati JSON e YAML.\n"
+#~ "\n"
+#~ "\t\tDisclaimer Alpha: la funzionalità --prune non è ancora completa. Non "
+#~ "utilizzare a meno che non si sia a conoscenza di quale sia lo stato "
+#~ "attuale. Vedi https://issues.k8s.io/34274."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\n"
+#~ "Crea un ClusterRole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRoleBinding for a particular ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea un ClusterRoleBinding per un ClusterRole particolare."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a RoleBinding for a particular Role or ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea un RoleBinding per un particolare Ruolo o ClusterRole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a TLS secret from the given public/private key pair.\n"
+#~ "\n"
+#~ "\t\tThe public/private key pair must exist before hand. The public key "
+#~ "certificate must be .PEM encoded and match the given private key."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea un TLS secret dalla coppia di chiavi pubblica/privata.\n"
+#~ "\n"
+#~ "\t\tLa coppia di chiavi pubblica/privata deve esistere prima. Il "
+#~ "certificato chiave pubblica deve essere .PEM codificato e corrispondere "
+#~ "alla chiave privata data."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a configmap based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single configmap may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a file, the key will default to "
+#~ "the basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a directory, each file whose "
+#~ "basename is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the configmap.  Any directory entries except regular "
+#~ "files are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreare un configmap basato su un file, una directory o un valore "
+#~ "literal specificato.\n"
+#~ "\n"
+#~ "\t\tUn singolo configmap può includere una o più coppie chiave/valore.\n"
+#~ "\n"
+#~ "\t\tQuando si crea una configmap basata su un file, il valore predefinito "
+#~ "sarà il nome di base del file e il valore sarà\n"
+#~ "\t\tpredefinito per il contenuto del file. Se il nome di base è una "
+#~ "chiave non valida, è possibile specificare un tasto alternativo.\n"
+#~ "\n"
+#~ "\t\tQuando si crea un configmap basato su una directory, ogni file il cui "
+#~ "nome di base è una chiave valida nella directory verrà\n"
+#~ "\t\tpacchettizzata nel configmap. Le voci di directory tranne i file "
+#~ "regolari vengono ignorati (ad esempio sottodirectory,\n"
+#~ "\t\tsymlinks, devices, pipes, ecc)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a new secret for use with Docker registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets are used to authenticate against Docker "
+#~ "registries.\n"
+#~ "\n"
+#~ "\t\tWhen using the Docker command line to push images, you can "
+#~ "authenticate to a given registry by running\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    That produces a ~/.dockercfg file that is used by subsequent 'docker "
+#~ "push' and 'docker pull' commands to\n"
+#~ "\t\tauthenticate to the registry. The email address is optional.\n"
+#~ "\n"
+#~ "\t\tWhen creating applications, you may have a Docker registry that "
+#~ "requires authentication.  In order for the\n"
+#~ "\t\tnodes to pull images on your behalf, they have to have the "
+#~ "credentials.  You can provide this information\n"
+#~ "\t\tby creating a dockercfg secret and attaching it to your service "
+#~ "account."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreare un nuovo secret per l'utilizzo con i registri Docker.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets vengono utilizzati per autenticare i registri "
+#~ "Docker.\n"
+#~ "\n"
+#~ "\t\tQuando utilizzi la riga di comando Docker per il push delle immagini, "
+#~ "è possibile eseguire l'autenticazione eseguendo correttamente un "
+#~ "determinato registry\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    Questo produce un file ~ / .dockercfg che viene utilizzato dai "
+#~ "successivi comandi \"docker push\" e \"docker pull\"\n"
+#~ "\t\tper autenticarsi nel registry. L'indirizzo email è facoltativo.\n"
+#~ "\n"
+#~ "\t\tDurante la creazione di applicazioni, è possibile avere un Docker "
+#~ "registry che richiede l'autenticazione. Affinché i \n"
+#~ "\t\tnodi eseguano pull di immagini per vostro conto, devono avere le "
+#~ "credenziali. È possibile fornire queste informazioni \n"
+#~ "\t\tcreando un dockercfg secret e collegandolo al tuo account di servizio."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a pod disruption budget with the specified name, selector, and "
+#~ "desired minimum available pods"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea un pod disruption budget con il nome specificato, selector e il "
+#~ "numero minimo di pod disponibili"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea una risorsa per nome file o stdin.\n"
+#~ "\n"
+#~ "\t\tSono accettati i formati JSON e YAML."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resourcequota with the specified name, hard limits and "
+#~ "optional scopes"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea una resourcequota con il nome specificato, hard limits e gli "
+#~ "scope opzionali"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a secret based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single secret may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a directory, each file whose basename "
+#~ "is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the secret.  Any directory entries except regular files "
+#~ "are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea un secret basato su un file, una directory o un valore specifico "
+#~ "literal.\n"
+#~ "\n"
+#~ "\t\tUn singolo secret  può includere una o più coppie chiave/valore.\n"
+#~ "\n"
+#~ "\t\tQuando si crea un secret basato su un file, la chiave per "
+#~ "impostazione predefinita sarà il nome di base del file e il valore sarà\n"
+#~ "\t\tpredefinito al contenuto del file. Se il nome di base è una chiave "
+#~ "non valida, è possibile specificare un tasto alternativo.\n"
+#~ "\n"
+#~ "\n"
+#~ "\t\tQuando si crea un segreto basato su una directory, ogni file il cui "
+#~ "nome di base è una chiave valida nella directory verrà \n"
+#~ "\t\\paccehttizzataw in un secret.   Le voci di directory tranne i file "
+#~ "regolari vengono ignorati (ad esempio sottodirectory,\n"
+#~ "\t\tsymlinks, devices, pipes, ecc)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate and run a particular image, possibly replicated.\n"
+#~ "\n"
+#~ "\t\tCreates a deployment or job to manage the created container(s)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea ed esegue un'immagine particolare, eventualmente replicata.\n"
+#~ "\n"
+#~ "\t\tCrea un deployment o un job per gestire i container creati."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreates an autoscaler that automatically chooses and sets the number "
+#~ "of pods that run in a kubernetes cluster.\n"
+#~ "\n"
+#~ "\t\tLooks up a Deployment, ReplicaSet, or ReplicationController by name "
+#~ "and creates an autoscaler that uses the given resource as a reference.\n"
+#~ "\t\tAn autoscaler can automatically increase or decrease number of pods "
+#~ "deployed within the system as needed."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCrea un autoscaler che automaticamente sceglie e imposta il numero di "
+#~ "pod che vengono eseguiti in un cluster di kubernetes.\n"
+#~ "\n"
+#~ "\t\tEsegue una ricerca di un Deployment, ReplicaSet o "
+#~ "ReplicationController per nome e crea un autoscaler che utilizza la "
+#~ "risorsa indicata come riferimento.\n"
+#~ "\t\tUn autoscaler può aumentare o diminuire automaticamente il numero di "
+#~ "pod distribuiti all'interno del sistema se necessario."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDelete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. Only one type of the arguments "
+#~ "may be specified: filenames,\n"
+#~ "\t\tresources and names, or resources and label selector.\n"
+#~ "\n"
+#~ "\t\tSome resources, such as pods, support graceful deletion. These "
+#~ "resources define a default period\n"
+#~ "\t\tbefore they are forcibly terminated (the grace period) but you may "
+#~ "override that value with\n"
+#~ "\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+#~ "Because these resources often\n"
+#~ "\t\trepresent entities in the cluster, deletion may not be acknowledged "
+#~ "immediately. If the node\n"
+#~ "\t\thosting a pod is down or cannot reach the API server, termination may "
+#~ "take significantly longer\n"
+#~ "\t\tthan the grace period. To force delete a resource,\tyou must pass a "
+#~ "grace\tperiod of 0 and specify\n"
+#~ "\t\tthe --force flag.\n"
+#~ "\n"
+#~ "\t\tIMPORTANT: Force deleting pods does not wait for confirmation that "
+#~ "the pod's processes have been\n"
+#~ "\t\tterminated, which can leave those processes running until the node "
+#~ "detects the deletion and\n"
+#~ "\t\tcompletes graceful deletion. If your processes use shared storage or "
+#~ "talk to a remote API and\n"
+#~ "\t\tdepend on the name of the pod to identify themselves, force deleting "
+#~ "those pods may result in\n"
+#~ "\t\tmultiple processes running on different machines using the same "
+#~ "identification which may lead\n"
+#~ "\t\tto data corruption or inconsistency. Only force delete pods when you "
+#~ "are sure the pod is\n"
+#~ "\t\tterminated, or if your application can tolerate multiple copies of "
+#~ "the same pod running at once.\n"
+#~ "\t\tAlso, if you force delete pods the scheduler may place new pods on "
+#~ "those nodes before the node\n"
+#~ "\t\thas released those resources and causing those pods to be evicted "
+#~ "immediately.\n"
+#~ "\n"
+#~ "\t\tNote that the delete command does NOT do resource version checks, so "
+#~ "if someone\n"
+#~ "\t\tsubmits an update to a resource right when you submit a delete, their "
+#~ "update\n"
+#~ "\t\twill be lost along with the rest of the resource."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCancella risorse secondo nomi di file, stdin, risorse e nomi, o per "
+#~ "selettori di risorse e etichette.\n"
+#~ "\n"
+#~ "\t\tSono accettati i formati JSON e YAML. È possibile specificare un solo "
+#~ "tipo di argomenti: nome file,\n"
+#~ "\t\trisorse e nomi, o risorse e selettore di etichette.\n"
+#~ "\n"
+#~ "\t\tAlcune risorse, come i pod, supportano cacellazione corretta. Queste "
+#~ "risorse definiscono un periodo di default\n"
+#~ "\t\tprima che siano forzatamente terminate (il grace period) ma si può "
+#~ "sostituire quel valore con\n"
+#~ "\t\til falg --grace-period, o passare --now per impostare il grace-period "
+#~ "a 1. Poiché queste risorse spesso\n"
+#~ "\t\trappresentano entità del cluster, la cancellazione non può essere "
+#~ "presa in carico immediatamente. Se il nodo\n"
+#~ "\t\tche ospita un pod è spento o non raggiungibile da API server, "
+#~ "termination può richiedere molto più tempo\n"
+#~ "\t\tdel grace period. Per forzare la cancellazione di una resource,\tdevi "
+#~ "obbligatoriamente indicare un grace\tperiod di 0 e specificare\n"
+#~ "\t\til flag --force.\n"
+#~ "\n"
+#~ "\t\tIMPORTANTE: Fozare la cancellazione dei pod non attende conferma che "
+#~ "i processi del pod siano\n"
+#~ "\t\tterminati, che può lasciare questi processi in esecuzione fino a "
+#~ "quando il nodo rileva la cancellazione\n"
+#~ "\t\tcompletata correttamente. Se i tuoi processi utilizzano "
+#~ "l'archiviazione condivisa o parlano con un'API remota e\n"
+#~ "\t\tdipendono dal nome del pod per identificarsi, la forzata eliminazione "
+#~ "di questi pod può comportare\n"
+#~ "\t\tpiù processi in esecuzione su macchine diverse che utilizzando la "
+#~ "stessa identificazione che può portare\n"
+#~ "\t\tcorruzione o inconsistenza dei dati. Forza i pod solo quando si è "
+#~ "sicuri che il pod sia\n"
+#~ "\t\tterminato, o se la tua applicazione può can tollerare più copie dello "
+#~ "stesso pod in esecuzione contemporaneamente.\n"
+#~ "\t\tInoltre, se forzate l'eliminazione dei i nodi, lo scheduler può può "
+#~ "creare nuovi nodi su questi nodi prima che il nodo\n"
+#~ "\t\tabbia liberato quelle risorse e provocando immediatamente evict di "
+#~ "tali pod.\n"
+#~ "\n"
+#~ "\n"
+#~ "\t\tNotare che il comando di eliminazione NON fa verificare la versione "
+#~ "delle risorse, quindi se qualcuno\n"
+#~ "\t\tinvia un aggiornamento ad una risorsa quando invii un eliminazione, "
+#~ "il loro aggiornamento\n"
+#~ "\t\tsaranno persi insieme al resto della risorsa."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDeprecated: Gracefully shut down a resource by name or filename.\n"
+#~ "\n"
+#~ "\t\tThe stop command is deprecated, all its functionalities are covered "
+#~ "by delete command.\n"
+#~ "\t\tSee 'kubectl delete --help' for more details.\n"
+#~ "\n"
+#~ "\t\tAttempts to shut down and delete a resource that supports graceful "
+#~ "termination.\n"
+#~ "\t\tIf the resource is scalable it will be scaled to 0 before deletion."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDeprecated: chiudere correttamente una risorsa per nome o nome file.\n"
+#~ "\n"
+#~ "\t\tIl comando stop è deprecato, tutte le sue funzionalità sono coperte "
+#~ "dal comando delete.\n"
+#~ "\t\tVedere 'kubectl delete --help' per ulteriori dettagli.\n"
+#~ "\n"
+#~ "\t\tTenta di arrestare ed eliminare una risorsa che supporta la corretta "
+#~ "terminazione.\n"
+#~ "\t\tSe la risorsa è scalabile, verrà scalata a 0 prima dell'eliminazione."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of nodes.\n"
+#~ "\n"
+#~ "\t\tThe top-node command allows you to see the resource consumption of "
+#~ "nodes."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tVisualizza l'utilizzo di risorse (CPU/Memoria/Storage) dei nodi.\n"
+#~ "\n"
+#~ "\t\tIl comando top-node consente di visualizzare il consumo di risorse "
+#~ "dei nodi."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of pods.\n"
+#~ "\n"
+#~ "\t\tThe 'top pod' command allows you to see the resource consumption of "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+#~ "minutes\n"
+#~ "\t\tsince pod creation."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tVisualizza l'utilizzo di risorse (CPU/Memoria/Storage) dei pod.\n"
+#~ "\n"
+#~ "\t\tIl comando \"top pod\" consente di visualizzare il consumo delle "
+#~ "risorse dei pod.\n"
+#~ "\n"
+#~ "\t\tA causa del ritardo della pipeline metrica, potrebbero non essere "
+#~ "disponibili per alcuni minuti\n"
+#~ "\t\teal momento della creazione dei pod."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage.\n"
+#~ "\n"
+#~ "\t\tThe top command allows you to see the resource consumption for nodes "
+#~ "or pods.\n"
+#~ "\n"
+#~ "\t\tThis command requires Heapster to be correctly configured and working "
+#~ "on the server. "
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tVisualizza l'utilizzo di risorse (CPU/Memoria/Storage).\n"
+#~ "\n"
+#~ "\t\tIl comando top consente di visualizzare il consumo di risorse per "
+#~ "nodi o pod.\n"
+#~ "\n"
+#~ "\t\tQuesto comando richiede che Heapster sia configurato correttamente e "
+#~ "che funzioni sul server."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDrain node in preparation for maintenance.\n"
+#~ "\n"
+#~ "\t\tThe given node will be marked unschedulable to prevent new pods from "
+#~ "arriving.\n"
+#~ "\t\t'drain' evicts the pods if the APIServer supports eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Otherwise, it will "
+#~ "use normal DELETE\n"
+#~ "\t\tto delete the pods.\n"
+#~ "\t\tThe 'drain' evicts or deletes all pods except mirror pods (which "
+#~ "cannot be deleted through\n"
+#~ "\t\tthe API server).  If there are DaemonSet-managed pods, drain will not "
+#~ "proceed\n"
+#~ "\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+#~ "\t\tDaemonSet-managed pods, because those pods would be immediately "
+#~ "replaced by the\n"
+#~ "\t\tDaemonSet controller, which ignores unschedulable markings.  If there "
+#~ "are any\n"
+#~ "\t\tpods that are neither mirror pods nor managed by "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete "
+#~ "any pods unless you\n"
+#~ "\t\tuse --force.  --force will also allow deletion to proceed if the "
+#~ "managing resource of one\n"
+#~ "\t\tor more pods is missing.\n"
+#~ "\n"
+#~ "\t\t'drain' waits for graceful termination. You should not operate on the "
+#~ "machine until\n"
+#~ "\t\tthe command completes.\n"
+#~ "\n"
+#~ "\t\tWhen you are ready to put the node back into service, use kubectl "
+#~ "uncordon, which\n"
+#~ "\t\twill make the node schedulable again.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDrain node in preparazione alla manutenzione.\n"
+#~ "\n"
+#~ "\t\tIl nodo indicato verrà contrassegnato unschedulable  per impedire che "
+#~ "nuovi pod arrivino.\n"
+#~ "\t\t'drain' evict i pod se l'APIServer supporta eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/).  Altrimenti, usa il "
+#~ "normale DELETE\n"
+#~ "\t\tper eliminare i pod.\n"
+#~ "\t\tIl 'drain' evicts o la cancellazione di tutti all pod tranne mirror "
+#~ "pods (che non possono essere eliminati\n"
+#~ "\t\tattraverso API server).  Se ci sono i pod gestiti da  DaemonSet, "
+#~ "drain non procederà\n"
+#~ "\t\tsenza --ignore-daemonsets e, a prescindere da ciò, non cancellerà "
+#~ "alcun\n"
+#~ "\t\tpod gestitto da DaemonSet,poiché questi pods verrebbero "
+#~ "immediatamente sostituiti dal\n"
+#~ "\t\tDaemonSet controller,  che ignora le marcature unschedulable.  Se ci "
+#~ "sono\n"
+#~ "\t\tpod che non sono né mirror pod né gestiti dal ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet o Job, allora drain non cancellerà "
+#~ "alcun pod finché non\n"
+#~ "\t\tuserai --force.  --force permetterà alla cancellazione di procedere "
+#~ "se la risorsa gestita da uno\n"
+#~ "\t\to più pod è mancante.\n"
+#~ "\n"
+#~ "\t\t'drain' attende il termine corretto. Non devi operare sulla macchina "
+#~ "finché\n"
+#~ "\t\til comando non viene completato.\n"
+#~ "\n"
+#~ "\t\tQuando sei pronto per riportare il nodo al servizio, utilizza kubectl "
+#~ "uncordon, per\n"
+#~ "\t\trimettere il nodo schedulable nuovamente.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tEdit a resource from the default editor.\n"
+#~ "\n"
+#~ "\t\tThe edit command allows you to directly edit any API resource you can "
+#~ "retrieve via the\n"
+#~ "\t\tcommand line tools. It will open the editor defined by your "
+#~ "KUBE_EDITOR, or EDITOR\n"
+#~ "\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' "
+#~ "for Windows.\n"
+#~ "\t\tYou can edit multiple objects, although changes are applied one at a "
+#~ "time. The command\n"
+#~ "\t\taccepts filenames as well as command line arguments, although the "
+#~ "files you point to must\n"
+#~ "\t\tbe previously saved versions of resources.\n"
+#~ "\n"
+#~ "\t\tEditing is done with the API version used to fetch the resource.\n"
+#~ "\t\tTo edit using a specific API version, fully-qualify the resource, "
+#~ "version, and group.\n"
+#~ "\n"
+#~ "\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+#~ "\n"
+#~ "\t\tThe flag --windows-line-endings can be used to force Windows line "
+#~ "endings,\n"
+#~ "\t\totherwise the default for your operating system will be used.\n"
+#~ "\n"
+#~ "\t\tIn the event an error occurs while updating, a temporary file will be "
+#~ "created on disk\n"
+#~ "\t\tthat contains your unapplied changes. The most common error when "
+#~ "updating a resource\n"
+#~ "\t\tis another editor changing the resource on the server. When this "
+#~ "occurs, you will have\n"
+#~ "\t\tto apply your changes to the newer version of the resource, or update "
+#~ "your temporary\n"
+#~ "\t\tsaved copy to include the latest resource version."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tModificare una risorsa dall'editor predefinito.\n"
+#~ "\n"
+#~ "\t\tIl comando di modifica consente di modificare direttamente qualsiasi "
+#~ "risorsa API che è possibile recuperare tramite gli\n"
+#~ "\t\tstrumenti di riga di comando. Apre l'editor definito dalle variabili "
+#~ "d'ambiente\n"
+#~ "\t\tKUBE_EDITOR o EDITOR, o ritornare a 'vi' per Linux o 'notepad' per "
+#~ "Windows.\n"
+#~ "\t\tÈ possibile modificare più oggetti, anche se le modifiche vengono "
+#~ "applicate una alla volta. Il comando\n"
+#~ "\t\taccetta sia nomi di file che argomenti da riga di comando, anche se i "
+#~ "file a cui fa riferimento devono\n"
+#~ "\t\tessere state salvate precedentemente le versioni delle risorse.\n"
+#~ "\n"
+#~ "\t\tLa modifica viene eseguita con la versione API utilizzata per "
+#~ "recuperare la risorsa.\n"
+#~ "\t\tPer modificare utilizzando una specifica versione API, fully-qualify "
+#~ "la risorsa, versione e il gruppo.\n"
+#~ "\n"
+#~ "\t\tIl formato predefinito è YAML. Per modificare in JSON, specificare \"-"
+#~ "o json\".\n"
+#~ "\n"
+#~ "\t\tIl flag --windows-line-endings può essere utilizzato per forzare i "
+#~ "fine linea Windows,\n"
+#~ "\t\taltrimenti verrà utilizzato il default per il sistema operativo.\n"
+#~ "\n"
+#~ "\t\tNel caso in cui si verifica un errore durante l'aggiornamento, verrà "
+#~ "creato un file temporaneo sul disco\n"
+#~ "\t\tche contiene le modifiche non apportate. L'errore più comune durante "
+#~ "l'aggiornamento di una risorsa\n"
+#~ "\t\tè una modifica da pare di un altro editor della risorsa sul server. "
+#~ "Quando questo si verifica, dovrai\n"
+#~ "\t\tapplicare le modifiche alla versione più recente della risorsa o "
+#~ "aggiornare il tua copia\n"
+#~ "\t\ttemporanea salvata per includere l'ultima versione delle risorse."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+#~ "\t\tThe shell code must be evaluated to provide interactive\n"
+#~ "\t\tcompletion of kubectl commands.  This can be done by sourcing it "
+#~ "from\n"
+#~ "\t\tthe .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNote: this requires the bash-completion framework, which is not "
+#~ "installed\n"
+#~ "\t\tby default on Mac.  This can be installed by using homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tOnce installed, bash_completion must be evaluated.  This can be done "
+#~ "by adding the\n"
+#~ "\t\tfollowing line to the .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNote for zsh users: [1] zsh completions are only supported in "
+#~ "versions of zsh >= 5.2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tIn output codice di completamento shell output per la shell "
+#~ "specificata (bash o zsh).\n"
+#~ "\t\tIl codice di shell deve essere valorizzato per fornire completamento\n"
+#~ "\t\tinterattivo dei comandi kubectl. Questo può essere eseguito "
+#~ "richiamandolo\n"
+#~ "\t\tda .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNota: questo richiede il framework di completamento bash, che non è "
+#~ "installato\n"
+#~ "\t\tper impostazione predefinita su Mac. Questo può essere installato "
+#~ "utilizzando homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tUna volta installato, bash_completion deve essere valutato. Ciò può "
+#~ "essere fatto aggiungendo la\n"
+#~ "\t\tseguente riga al file .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNota per gli utenti zsh: [1] i completamenti zsh sono supportati solo "
+#~ "nelle versioni zsh> = 5.2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tPerform a rolling update of the given ReplicationController.\n"
+#~ "\n"
+#~ "\t\tReplaces the specified replication controller with a new replication "
+#~ "controller by updating one pod at a time to use the\n"
+#~ "\t\tnew PodTemplate. The new-controller.json must specify the same "
+#~ "namespace as the\n"
+#~ "\t\texisting replication controller and overwrite at least one (common) "
+#~ "label in its replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate."
+#~ "svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tEseguire un rolling update del ReplicationController specificato.\n"
+#~ "\n"
+#~ "\t\tSostituisce il replication controller specificato con un nuovo "
+#~ "replication controller aggiornando un pod alla volta per usare il\n"
+#~ "\t\tnuovo PodTemplate. Il new-controller.json deve specificare lo stesso "
+#~ "namespace del\n"
+#~ "\t\tcontroller di replica esistente e sovrascrivere almeno una etichetta "
+#~ "(comune) nella sua replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate."
+#~ "svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tReplace a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. If replacing an existing "
+#~ "resource, the\n"
+#~ "\t\tcomplete resource spec must be provided. This can be obtained by\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tSostituire una risorsa per nomefile o stdin.\n"
+#~ "\n"
+#~ "\t\tSono accettati i formati JSON e YAML. Se si sostituisce una risorsa "
+#~ "esistente, \n"
+#~ "\t\tè necessario fornire la specifica completa delle risorse. Questo può "
+#~ "essere ottenuta da\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ "\n"
+#~ "\t\tFare riferimento ai modelli https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html per trovare se un campo è mutevole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tSet a new size for a Deployment, ReplicaSet, Replication Controller, "
+#~ "or Job.\n"
+#~ "\n"
+#~ "\t\tScale also allows users to specify one or more preconditions for the "
+#~ "scale action.\n"
+#~ "\n"
+#~ "\t\tIf --current-replicas or --resource-version is specified, it is "
+#~ "validated before the\n"
+#~ "\t\tscale is attempted, and it is guaranteed that the precondition holds "
+#~ "true when the\n"
+#~ "\t\tscale is sent to the server."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tImposta una nuova dimensione per Deployment, ReplicaSet, Replication "
+#~ "Controller, o Job.\n"
+#~ "\n"
+#~ "\t\tScala consente anche agli utenti di specificare una o più condizioni "
+#~ "preliminari per l'azione della scala.\n"
+#~ "\n"
+#~ "\t\tSe --current-replicas o --resource-version sono specificate, viene "
+#~ "convalidata prima di\n"
+#~ "\t\ttentare scale, ed è garantito che la precondizione vale quando\n"
+#~ "\t\tscale viene inviata al server.."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tTo proxy all of the kubernetes api and nothing else, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tTo proxy only part of the kubernetes api and also some static files:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/api/v1/pods'.\n"
+#~ "\n"
+#~ "\t\tTo proxy the entire kubernetes api at a different root, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/custom/api/v1/pods'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tPer proxy tutti i kubernetes api e nient'altro, utilizzare:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tPer proxy solo una parte dei kubernetes api e anche alcuni file "
+#~ "static\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tQuanto sopra consente 'curl localhost:8001/api/v1/pods'.\n"
+#~ "\n"
+#~ "\t\tPer eseguire il proxy tutti i kubernetes api in una radice diversa, "
+#~ "utilizzare:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tQuanto sopra ti permette 'curl localhost:8001/custom/api/v1/pods'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate field(s) of a resource using strategic merge patch\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAggiorna i campi di una risorsa utilizzando la merge patch "
+#~ "strategica\n"
+#~ "\n"
+#~ "\t\tSono accettati i formati JSON e YAML.\n"
+#~ "\n"
+#~ "\t\tSi prega di fare riferimento ai modelli in https://htmlpreview.github."
+#~ "io/?https://github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/"
+#~ "v1/definitions.html per trovare se un campo è mutevole."
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate the labels on a resource.\n"
+#~ "\n"
+#~ "\t\t* A label must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* If --overwrite is true, then existing labels can be overwritten, "
+#~ "otherwise attempting to overwrite a label will result in an error.\n"
+#~ "\t\t* If --resource-version is specified, then updates will use this "
+#~ "resource version, otherwise the existing resource-version will be used."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAggiorna le label di una risorsa.\n"
+#~ "\n"
+#~ "\t\t* A label must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* If --overwrite is true, then existing labels can be overwritten, "
+#~ "otherwise attempting to overwrite a label will result in an error.\n"
+#~ "\t\t* If --resource-version is specified, then updates will use this "
+#~ "resource version, otherwise the existing resource-version will be used."
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate the taints on one or more nodes.\n"
+#~ "\n"
+#~ "\t\t* A taint consists of a key, value, and effect. As an argument here, "
+#~ "it is expressed as key=value:effect.\n"
+#~ "\t\t* The key must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* The value must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[2]d "
+#~ "characters.\n"
+#~ "\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+#~ "\t\t* Currently taint can only apply to node."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAggiorna i marcatori su uno o più nodi.\n"
+#~ "\n"
+#~ "\t\t* Un marcatore è costituita da una chiave, un valore e un effetto. "
+#~ "Come argomento qui, viene espresso come chiave = valore: effetto.\n"
+#~ "\t\t* La chiave deve iniziare con una lettera o un numero e può contenere "
+#~ "lettere, numeri, trattini, punti e sottolineature, fino a% [1] d "
+#~ "caratteri.\n"
+#~ "\t\t* Il valore deve iniziare con una lettera o un numero e può contenere "
+#~ "lettere, numeri, trattini, punti e sottolineature, fino a% [2] d "
+#~ "caratteri.\n"
+#~ "\t\t* L'effetto deve essere NoSchedule, PreferNoSchedule o NoExecute.\n"
+#~ "\t\t* Attualmente il marcatore può essere applicato solo al nodo."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tView the latest last-applied-configuration annotations by type/name "
+#~ "or file.\n"
+#~ "\n"
+#~ "\t\tThe default output will be printed to stdout in YAML format. One can "
+#~ "use -o option\n"
+#~ "\t\tto change output format."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tVisualizza le annotazioni dell'ultima-configurazione-applicata per "
+#~ "tipo/nome o file.\n"
+#~ "\n"
+#~ "\t\tL'output predefinito verrà stampato su stdout nel formato YAML. Si "
+#~ "può usare l'opzione -o\n"
+#~ "\t\tPer cambiare il formato di output."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t    # !!!Important Note!!!\n"
+#~ "\t    # Requires that the 'tar' binary is present in your container\n"
+#~ "\t    # image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+#~ "\n"
+#~ "\t    # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod "
+#~ "in the default namespace\n"
+#~ "\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+#~ "\n"
+#~ "        # Copy /tmp/foo local file to /tmp/bar in a remote pod in a "
+#~ "specific container\n"
+#~ "\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+#~ "<some-namespace>\n"
+#~ "\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+#~ "\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+#~ msgstr ""
+#~ "\n"
+#~ "\t    #  !!!Nota importante!!!\n"
+#~ "\t    # Richiede che il binario 'tar' sia presente nel tuo contenitore\n"
+#~ "\t    #  immagine. Se 'tar' non è presente, 'kubectl cp' non riesce.\n"
+#~ "\n"
+#~ "\t    # Copia /tmp/foo_dir directory locale in /tmp/bar_dir in un pod "
+#~ "remoto nello spazio dei nomi predefinito\n"
+#~ "\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+#~ "\n"
+#~ "        # Copia /tmp/foo file locale in /tmp/bar in un pod remoto in un "
+#~ "contenitore specifico\n"
+#~ "\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+#~ "\n"
+#~ "\t\t# Copia /tmp/foo file locale in /tmp/bar in un pod remoto nello "
+#~ "spazio dei nomi <some-namespace>\n"
+#~ "\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+#~ "\n"
+#~ "\t\t# Copia /tmp/foo da un pod remoto in /tmp/bar localmente\n"
+#~ "\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new TLS secret named tls-secret with the given key pair:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Crea un nuovo secret TLS denominato tls-secret con la coppia di "
+#~ "dati fornita:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with keys for each file in "
+#~ "folder bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with specified keys instead of "
+#~ "names on disk\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with key1=supersecret and "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Crea un nuovo secret denominato my-secret con i tasti per ogni file "
+#~ "nella barra delle cartelle\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Crea un nuovo secret denominato my-secret con le chiavi specificate "
+#~ "anziché i nomi sul disco\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Crea un nuovo secret denominato my-secret con key1 = supersecret e "
+#~ "key2 = topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t# Create a new ExternalName service named my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+#~ msgstr ""
+#~ "\n"
+#~ "\t#  Crea un nuovo servizio ExternalName denominato my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs (in headless mode)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+#~ msgstr ""
+#~ "\n"
+#~ "    # Creare un nuovo servizio clusterIP denominato my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Creare un nuovo servizio clusterIP denominato my-cs (in modalità "
+#~ "headless)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new deployment named my-dep that runs the busybox image.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Crea una nuovo deployment chiamato my-dep che esegue l'immagine "
+#~ "busybox.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new nodeport service named my-ns\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Creare un nuovo servizio nodeport denominato my-ns\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value "
+#~ "'my frontend'.\n"
+#~ "    # If the same annotation is set multiple times, only the last value "
+#~ "will be applied\n"
+#~ "    kubectl annotate pods foo description='my frontend'\n"
+#~ "\n"
+#~ "    # Update a pod identified by type and name in \"pod.json\"\n"
+#~ "    kubectl annotate -f pod.json description='my frontend'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value "
+#~ "'my frontend running nginx', overwriting any existing value.\n"
+#~ "    kubectl annotate --overwrite pods foo description='my frontend "
+#~ "running nginx'\n"
+#~ "\n"
+#~ "    # Update all pods in the namespace\n"
+#~ "    kubectl annotate pods --all description='my frontend running nginx'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "    kubectl annotate pods foo description='my frontend running nginx' --"
+#~ "resource-version=1\n"
+#~ "\n"
+#~ "    # Update pod 'foo' by removing an annotation named 'description' if "
+#~ "it exists.\n"
+#~ "    # Does not require the --overwrite flag.\n"
+#~ "    kubectl annotate pods foo description-"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Aggiorna il pod 'foo' con annotazione 'description'e il valore 'my "
+#~ "frontend'.\n"
+#~ "    # Se la stessa annotazione è impostata più volte, verrà applicato "
+#~ "solo l'ultimo valore\n"
+#~ "    kubectl annotate pods foo description='my frontend'\n"
+#~ "\n"
+#~ "    # Aggiorna un pod identificato per tipo e nome in \"pod.json\"\n"
+#~ "    kubectl annotate -f pod.json description='my frontend'\n"
+#~ "\n"
+#~ "    # Aggiorna pod 'foo' con la annotazione 'description' e il valore 'my "
+#~ "frontend running nginx', sovrascrivendo qualsiasi valore esistente.\n"
+#~ "    kubectl annotate --overwrite pods foo description='my frontend "
+#~ "running nginx'\n"
+#~ "\n"
+#~ "    # Aggiorna tutti i baccelli nel namespace\n"
+#~ "    kubectl annotate pods --all description='my frontend running nginx'\n"
+#~ "\n"
+#~ "    # Aggiorna il pod 'foo' solo se la risorsa è invariata dalla versione "
+#~ "1.\n"
+#~ "    kubectl annotate pods foo description='my frontend running nginx' --"
+#~ "resource-version=1\n"
+#~ "\n"
+#~ "    # Aggiorna il pod 'foo' rimuovendo un'annotazione denominata "
+#~ "'descrizione' se esiste.\n"
+#~ "    # Non richiede flag -overwrite.\n"
+#~ "    kubectl annotate pods foo description-"
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a clusterIP service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Crea un servizio clusterIP con il nome specificato."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a deployment with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Creare un deployment con il nome specificato."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a nodeport service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Creare un servizio nodeport con il nome specificato."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Dumps cluster info out suitable for debugging and diagnosing cluster "
+#~ "problems.  By default, dumps everything to\n"
+#~ "    stdout. You can optionally specify a directory with --output-"
+#~ "directory.  If you specify a directory, kubernetes will\n"
+#~ "    build a set of files in that directory.  By default only dumps things "
+#~ "in the 'kube-system' namespace, but you can\n"
+#~ "    switch to a different namespace with the --namespaces flag, or "
+#~ "specify --all-namespaces to dump all namespaces.\n"
+#~ "\n"
+#~ "    The command also dumps the logs of all of the pods in the cluster, "
+#~ "these logs are dumped into different directories\n"
+#~ "    based on namespace and pod name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Dump delle informazioni di cluster idonee per il debug e la "
+#~ "diagnostica di problemi di cluster. Per impostazione predefinita, tutto\n"
+#~ "    verso stdout. È possibile specificare opzionalmente una directory con "
+#~ "--output-directory. Se si specifica una directory, kubernetes \n"
+#~ "    creearà un insieme di file in quella directory. Per impostazione "
+#~ "predefinita, dumps solo i dati del namespace \"kube-system\", ma è\n"
+#~ "    possibile passare ad namespace diverso con il flag --namespaces o "
+#~ "specificare --all-namespaces per il dump di tutti i namespace.\n"
+#~ "\n"
+#~ "     Il comando esegue dump anche dei log di tutti i pod del cluster, "
+#~ "questi log vengono scaricati in directory differenti\n"
+#~ "     basati sul namespace e sul nome del pod."
+
+#~ msgid ""
+#~ "\n"
+#~ "  Display addresses of the master and services with label kubernetes.io/"
+#~ "cluster-service=true\n"
+#~ "  To further debug and diagnose cluster problems, use 'kubectl cluster-"
+#~ "info dump'."
+#~ msgstr ""
+#~ "\n"
+#~ "  Visualizza gli indirizzi del master e dei servizi con label kubernetes."
+#~ "io/cluster-service=true\n"
+#~ "  Per ulteriore debug e diagnosticare i problemi di cluster, utilizzare "
+#~ "'kubectl cluster-info dump'."
+
+#~ msgid "A schedule in the Cron format the job should be run with."
+#~ msgstr "Un calendario in formato Cron del lavoro che deve essere eseguito."
+
+#~ msgid ""
+#~ "An inline JSON override for the generated service object. If this is non-"
+#~ "empty, it is used to override the generated object. Requires that the "
+#~ "object supply a valid apiVersion field.  Only used if --expose is true."
+#~ msgstr ""
+#~ "Un override JSON inline per l'oggetto di servizio generato. Se questo non "
+#~ "è vuoto, viene utilizzato per ignorare l'oggetto generato. Richiede che "
+#~ "l'oggetto fornisca un campo valido apiVersion. Utilizzato solo se --"
+#~ "expose è true."
+
+#~ msgid "Apply a configuration to a resource by filename or stdin"
+#~ msgstr "Applica una configurazione risorsa per nomefile o stdin"
+
+#~ msgid "Auto-scale a Deployment, ReplicaSet, or ReplicationController"
+#~ msgstr "Auto-scale a Deployment, ReplicaSet, o ReplicationController"
+
+#~ msgid ""
+#~ "Container name which will have its image upgraded. Only relevant when --"
+#~ "image is specified, ignored otherwise. Required when using --image on a "
+#~ "multi-container pod"
+#~ msgstr ""
+#~ "Nome container che avrà la sua immagine aggiornata. Soltanto rilevante "
+#~ "quando --image è specificato, altrimenti ignorato. Necessario quando si "
+#~ "utilizza --image su un contenitore a più contenitori"
+
+#~ msgid "Create a ClusterRoleBinding for a particular ClusterRole"
+#~ msgstr "Crea un ClusterRoleBinding per un ClusterRole particolare"
+
+#~ msgid "Create a LoadBalancer service."
+#~ msgstr "Creare un servizio LoadBalancer."
+
+#~ msgid "Create a NodePort service."
+#~ msgstr "Crea un servizio NodePort."
+
+#~ msgid "Create a RoleBinding for a particular Role or ClusterRole"
+#~ msgstr "Crea un RoleBinding per un particolare Role o ClusterRole"
+
+#~ msgid "Create a clusterIP service."
+#~ msgstr "Crea un servizio clusterIP."
+
+#~ msgid "Create a configmap from a local file, directory or literal value"
+#~ msgstr ""
+#~ "Crea un configmap da un file locale, una directory o un valore letterale"
+
+#~ msgid "Create a deployment with the specified name."
+#~ msgstr "Creare un deployment con il nome specificato."
+
+#~ msgid "Create a pod disruption budget with the specified name."
+#~ msgstr "Crea un pod disruption budget con il nome specificato."
+
+#~ msgid "Create a quota with the specified name."
+#~ msgstr "Crea una quota con il nome specificato."
+
+#~ msgid "Create a resource by filename or stdin"
+#~ msgstr "Crea una risorsa per nome file o stdin"
+
+#~ msgid "Create a secret from a local file, directory or literal value"
+#~ msgstr ""
+#~ "Crea un secret da un file locale, una directory o un valore letterale"
+
+#~ msgid "Create a service using specified subcommand."
+#~ msgstr "Crea un servizio utilizzando il subcommand specificato."
+
+#~ msgid "Create an ExternalName service."
+#~ msgstr "Crea un servizio ExternalName."
+
+#~ msgid ""
+#~ "Delete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector"
+#~ msgstr ""
+#~ "Elimina risorse selezionate per nomi di file, stdin, risorse e nomi, o "
+#~ "per risorsa e selettore di label"
+
+#~ msgid "Deprecated: Gracefully shut down a resource by name or filename"
+#~ msgstr "Deprecated: spegne correttamente una risorsa per nome o nome file"
+
+#~ msgid "Display Resource (CPU/Memory) usage of nodes"
+#~ msgstr "Visualizza l'utilizzo di risorse (CPU/Memoria) per nodo"
+
+#~ msgid "Display Resource (CPU/Memory) usage of pods"
+#~ msgstr "Visualizza l'utilizzo di risorse (CPU/Memoria) per pod."
+
+#~ msgid "Display Resource (CPU/Memory) usage."
+#~ msgstr "Visualizza l'utilizzo di risorse (CPU/Memoria)."
+
+#~ msgid "Display cluster info"
+#~ msgstr "Visualizza informazioni sul cluster"
+
+#~ msgid "Displays the current-context"
+#~ msgstr "Visualizza il current-context"
+
+#~ msgid "Documentation of resources"
+#~ msgstr "Documentazione delle risorse"
+
+#~ msgid "Dump lots of relevant info for debugging and diagnosis"
+#~ msgstr ""
+#~ "Dump di un sacco di informazioni pertinenti per il debug e la diagnosi"
+
+#~ msgid ""
+#~ "Explicit policy for when to pull container images. Required when --image "
+#~ "is same as existing image, ignored otherwise."
+#~ msgstr ""
+#~ "Politica esplicita per il pull delle immagini container. Richiesto quando "
+#~ "--image è uguale all'immagine esistente, altrimenti ignorata."
+
+#~ msgid ""
+#~ "IP to assign to the Load Balancer. If empty, an ephemeral IP will be "
+#~ "created and used (cloud-provider specific)."
+#~ msgstr ""
+#~ "IP da assegnare al Load Balancer. Se vuota, un IP effimero verrà creato e "
+#~ "utilizzato (specifico per provider cloud)."
+
+#~ msgid ""
+#~ "Image to use for upgrading the replication controller. Must be distinct "
+#~ "from the existing image (either new image or new image tag).  Can not be "
+#~ "used with --filename/-f"
+#~ msgstr ""
+#~ "Immagine da utilizzare per aggiornare il replication controller. Deve "
+#~ "essere diversa dall'immagine esistente (nuova immagine o nuovo tag "
+#~ "immagine). Non può essere utilizzata con --filename/-f"
+
+#~ msgid "Manage a deployment rollout"
+#~ msgstr "Gestisci un deployment rollout"
+
+#~ msgid ""
+#~ "Output the formatted object with the given group version (for ex: "
+#~ "'extensions/v1beta1').)"
+#~ msgstr ""
+#~ "Output dell'oggetto formattato con la versione del gruppo fornito (per "
+#~ "esempio: 'extensions/v1beta1').)"
+
+#~ msgid "Perform a rolling update of the given ReplicationController"
+#~ msgstr "Eseguire un rolling update del ReplicationController specificato"
+
+#~ msgid "Replace a resource by filename or stdin"
+#~ msgstr "Sostituire una risorsa per nomefile o stdin"
+
+#~ msgid ""
+#~ "Set a new size for a Deployment, ReplicaSet, Replication Controller, or "
+#~ "Job"
+#~ msgstr ""
+#~ "Imposta una nuova dimensione per Deployment, ReplicaSet, Replication "
+#~ "Controller, o Job"
+
+#~ msgid ""
+#~ "Set the last-applied-configuration annotation on a live object to match "
+#~ "the contents of a file."
+#~ msgstr ""
+#~ "Imposta l'annotazione dell'ultima-configurazione-applicata ad un oggetto "
+#~ "live per abbinare il contenuto di un file."
+
+#~ msgid "Sets a cluster entry in kubeconfig"
+#~ msgstr "Imposta una voce cluster in kubeconfig"
+
+#~ msgid "Sets a context entry in kubeconfig"
+#~ msgstr "Imposta una voce context in kubeconfig"
+
+#~ msgid "Sets a user entry in kubeconfig"
+#~ msgstr "Imposta una voce utente in kubeconfig"
+
+#~ msgid "Sets an individual value in a kubeconfig file"
+#~ msgstr "Imposta un singolo valore in un file kubeconfig"
+
+#~ msgid "Sets the current-context in a kubeconfig file"
+#~ msgstr "Imposta il current-context in un file kubeconfig"
+
+#~ msgid ""
+#~ "Take a replication controller, service, deployment or pod and expose it "
+#~ "as a new Kubernetes Service"
+#~ msgstr ""
+#~ "Prende un replication controller, service, deployment o un pod e lo "
+#~ "espone come nuovo servizio Kubernetes"
+
+#~ msgid ""
+#~ "The key to use to differentiate between two different controllers, "
+#~ "default 'deployment'.  Only relevant when --image is specified, ignored "
+#~ "otherwise"
+#~ msgstr ""
+#~ "La chiave da utilizzare per distinguere tra due controller diversi, "
+#~ "predefinito \"deployment\". Rilevante soltanto quando --image è "
+#~ "specificato, altrimenti ignorato"
+
+#~ msgid ""
+#~ "The name of the API generator to use, see http://kubernetes.io/docs/user-"
+#~ "guide/kubectl-conventions/#generators for a list."
+#~ msgstr ""
+#~ "Il nome del generatore API da utilizzare, si veda http://kubernetes.io/"
+#~ "docs/user-guide/kubectl-conventions/#generators per un elenco."
+
+#~ msgid ""
+#~ "The name of the API generator to use. Currently there is only 1 generator."
+#~ msgstr ""
+#~ "Il nome del generatore API da utilizzare. Attualmente c'è solo 1 "
+#~ "generatore."
+
+#~ msgid ""
+#~ "The name of the generator to use for creating a service.  Only used if --"
+#~ "expose is true"
+#~ msgstr ""
+#~ "Il nome del generatore da utilizzare per la creazione di un servizio. "
+#~ "Utilizzato solo se --expose è true"
+
+#~ msgid ""
+#~ "The port that this container exposes.  If --expose is true, this is also "
+#~ "the port used by the service that is created."
+#~ msgstr ""
+#~ "La porta che questo contenitore espone. Se --expose è true, questa è "
+#~ "anche la porta utilizzata dal servizio creato."
+
+#~ msgid ""
+#~ "The restart policy for this Pod.  Legal values [Always, OnFailure, "
+#~ "Never].  If set to 'Always' a deployment is created, if set to "
+#~ "'OnFailure' a job is created, if set to 'Never', a regular pod is "
+#~ "created. For the latter two --replicas must be 1.  Default 'Always', for "
+#~ "CronJobs `Never`."
+#~ msgstr ""
+#~ "La politica di riavvio per questo Pod. Valori accettati [Always, "
+#~ "OnFailure, Never]. Se impostato su 'Always' viene creato un deployment, "
+#~ "se impostato su 'OnFailure' viene creato un job, se impostato su 'Never', "
+#~ "viene creato un pod. Per questi ultimi due le - repliche devono essere 1. "
+#~ "Predefinito 'Always', per CronJobs `Never`."
+
+#~ msgid ""
+#~ "Type for this service: ClusterIP, NodePort, or LoadBalancer. Default is "
+#~ "'ClusterIP'."
+#~ msgstr ""
+#~ "Digitare per questo servizio: ClusterIP, NodePort o LoadBalancer. "
+#~ "Ppredefinito è 'ClusterIP'."
+
+#~ msgid "Unsets an individual value in a kubeconfig file"
+#~ msgstr "Annulla singolo valore in un file kubeconfig"
+
+#~ msgid "Update field(s) of a resource using strategic merge patch"
+#~ msgstr "Aggiornare campo/i risorsa utilizzando merge patch strategici"
+
+#~ msgid "Update image of a pod template"
+#~ msgstr "Aggiorna immagine di un pod template"
+
+#~ msgid ""
+#~ "View latest last-applied-configuration annotations of a resource/object"
+#~ msgstr ""
+#~ "Visualizza ultime annotazioni dell'ultima configurazione applicata per "
+#~ "risorsa/oggetto"
+
+#~ msgid "external name of service"
+#~ msgstr "nome esterno del servizio"
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ja_JP/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ja_JP/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..f917b6c5bf
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ja_JP/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ja_JP/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ja_JP/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..f7280b4fe3
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ja_JP/LC_MESSAGES/k8s.po
@@ -0,0 +1,3365 @@
+# Test translations for unit tests.
+# Copyright (C) 2017
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR girikuncoro@gmail.com, 2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gettext-go-examples-hello\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2020-01-05 09:55+0900\n"
+"Last-Translator: Kohei Ota <kohei.ota@zozo.com>\n"
+"Language-Team: \n"
+"Language: ja\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 2.2.4\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:62
+msgid ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+msgstr ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:46
+msgid ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+msgstr ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/options.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:29
+msgid ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+msgstr ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/version.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:44
+msgid ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+msgstr ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:34
+msgid ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+msgstr ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:75
+msgid ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+msgstr ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+
+#: pkg/kubectl/cmd/convert/convert.go:40
+msgid ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+msgstr ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:39
+msgid ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L47
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:43
+msgid ""
+"\n"
+"\t\tCreate a role with single rule."
+msgstr ""
+"\n"
+"\t\tCreate a role with single rule."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:40
+msgid ""
+"\n"
+"\t\tCreate a service account with the specified name."
+msgstr ""
+"\n"
+"\t\tCreate a service account with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L127
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:84
+msgid ""
+"\n"
+"\t\tMark node as schedulable."
+msgstr ""
+"\n"
+"\t\tMark node as schedulable."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:55
+msgid ""
+"\n"
+"\t\tMark node as unschedulable."
+msgstr ""
+"\n"
+"\t\tMark node as unschedulable."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:70
+msgid ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+msgstr ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:42
+msgid ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+msgstr ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:43
+msgid ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+msgstr ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:344
+msgid ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+msgstr ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:28
+msgid ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+msgstr ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:311
+msgid ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:102
+msgid ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+msgstr ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:308
+msgid ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+msgstr ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L61
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:107
+msgid ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+msgstr ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L60
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:106
+msgid ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+msgstr ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L63
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:113
+msgid ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+msgstr ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L106
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:152
+msgid ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+msgstr ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L111
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:157
+msgid ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+msgstr ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L119
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:158
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:178
+msgid ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+msgstr ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:125
+msgid "Approve a certificate signing request"
+msgstr "Approve a certificate signing request"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L81
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:263
+msgid ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+msgstr ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/attach.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:105
+msgid "Attach to a running container"
+msgstr "Attach to a running container"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L115
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:161
+msgid ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+msgstr ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_clusterrolebinding.go#L55
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:101
+msgid "ClusterRole this ClusterRoleBinding should reference"
+msgstr "ClusterRole this ClusterRoleBinding should reference"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L55
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:104
+msgid "ClusterRole this RoleBinding should reference"
+msgstr "ClusterRole this RoleBinding should reference"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/convert.go#L67
+#: pkg/kubectl/cmd/convert/convert.go:95
+msgid "Convert config files between different API versions"
+msgstr "Convert config files between different API versions"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:106
+msgid "Copy files and directories to and from containers."
+msgstr "Copy files and directories to and from containers."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L214
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:94
+msgid "Create a TLS secret"
+msgstr "Create a TLS secret"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:83
+msgid "Create a namespace with the specified name"
+msgstr "Create a namespace with the specified name"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L143
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:134
+msgid "Create a secret for use with a Docker registry"
+msgstr "Create a secret for use with a Docker registry"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L34
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:49
+msgid "Create a secret using specified subcommand"
+msgstr "Create a secret using specified subcommand"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:85
+msgid "Create a service account with the specified name"
+msgstr "Create a service account with the specified name"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_cluster.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "指定��クラスターをkubeconfig�ら削除�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_context.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "指定��コンテキストをkubeconfig�ら削除�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L121
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:174
+msgid "Deny a certificate signing request"
+msgstr "Deny a certificate signing request"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_contexts.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "1����複数�コンテキストを記述�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_clusters.go#L40
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "kubeconfig�定義�れ�クラスターを表示�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/view.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr "マージ�れ�kubeconfig�設定���指定�れ�kubeconfigを表示�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/get.go#L107
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:165
+msgid "Display one or many resources"
+msgstr "1����複数�リソースを表示�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L176
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:184
+msgid "Drain node in preparation for maintenance"
+msgstr "Drain node in preparation for maintenance"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/edit.go#L100
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:77
+msgid "Edit a resource on the server"
+msgstr "Edit a resource on the server"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L159
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:152
+msgid "Email for Docker registry"
+msgstr "Email for Docker registry"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/exec.go#L68
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:89
+msgid "Execute a command in a container"
+msgstr "Execute a command in a container"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/portforward.go#L75
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:109
+msgid "Forward one or more local ports to a pod"
+msgstr "Forward one or more local ports to a pod"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/help.go#L36
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:37
+msgid "Help about any command"
+msgstr "Help about any command"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L114
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:160
+msgid ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+msgstr ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/annotate.go#L135
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:157
+msgid ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/label.go#L132
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:154
+msgid ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L127
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:98
+msgid "Mark node as schedulable"
+msgstr "Mark node as schedulable"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:69
+msgid "Mark node as unschedulable"
+msgstr "Mark node as unschedulable"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_pause.go#L73
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:83
+msgid "Mark the provided resource as paused"
+msgstr "Mark the provided resource as paused"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L35
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:49
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:50
+msgid "Modify certificate resources."
+msgstr "Modify certificate resources."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/config.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "kubeconfigを変更�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L110
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:156
+msgid ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+msgstr ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/logs.go#L108
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:174
+msgid ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+msgstr ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/completion.go#L97
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:112
+msgid "Output shell completion code for the specified shell (bash or zsh)"
+msgstr "Output shell completion code for the specified shell (bash or zsh)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L157
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:151
+msgid "Password for Docker registry authentication"
+msgstr "Password for Docker registry authentication"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L226
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:110
+msgid "Path to PEM encoded public key certificate."
+msgstr "Path to PEM encoded public key certificate."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L227
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:111
+msgid "Path to private key associated with given certificate."
+msgstr "Path to private key associated with given certificate."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/scale.go#L82
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:130
+msgid ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+msgstr ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/version.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:73
+msgid "Print the client and server version information"
+msgstr "Print the client and server version information"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/options.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:38
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:39
+msgid "Print the list of flags inherited by all commands"
+msgstr "Print the list of flags inherited by all commands"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/logs.go#L86
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:152
+msgid "Print the logs for a container in a pod"
+msgstr "Print the logs for a container in a pod"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_resume.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:87
+msgid "Resume a paused resource"
+msgstr "Resume a paused resource"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L56
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:105
+msgid "Role this RoleBinding should reference"
+msgstr "Role this RoleBinding should reference"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L94
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:152
+msgid "Run a particular image on the cluster"
+msgstr "Run a particular image on the cluster"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/proxy.go#L68
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:119
+msgid "Run a proxy to the Kubernetes API server"
+msgstr "Run a proxy to the Kubernetes API server"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L161
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:153
+msgid "Server location for Docker registry"
+msgstr "Server location for Docker registry"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:39
+msgid "Set specific features on objects"
+msgstr "Set specific features on objects"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_selector.go#L81
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:104
+msgid "Set the selector on a resource"
+msgstr "リソース�セレクターを設定�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/describe.go#L80
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:107
+msgid "Show details of a specific resource or group of resources"
+msgstr "Show details of a specific resource or group of resources"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_status.go#L57
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:102
+msgid "Show the status of the rollout"
+msgstr "Show the status of the rollout"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L108
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:154
+msgid "Synonym for --target-port"
+msgstr "Synonym for --target-port"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L114
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:174
+msgid "The image for the container to run."
+msgstr "The image for the container to run."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L116
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:176
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+msgstr ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:111
+msgid ""
+"The minimum number or percentage of available pods this budget requires."
+msgstr ""
+"The minimum number or percentage of available pods this budget requires."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L113
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:159
+msgid "The name for the newly created object."
+msgstr "The name for the newly created object."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/autoscale.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:125
+msgid ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+msgstr ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L98
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:147
+msgid ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+msgstr ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L99
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:148
+msgid "The network protocol for the service to be created. Default is 'TCP'."
+msgstr "The network protocol for the service to be created. Default is 'TCP'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L100
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:149
+msgid ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+msgstr ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L131
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:194
+msgid ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+msgstr ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L130
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:192
+msgid ""
+"The resource requirement requests for this container.  For example, "
+"'cpu=100m,memory=256Mi'.  Note that server side components may assign "
+"requests depending on the server configuration, such as limit ranges."
+msgstr ""
+"The resource requirement requests for this container.  For example, "
+"'cpu=100m,memory=256Mi'.  Note that server side components may assign "
+"requests depending on the server configuration, such as limit ranges."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L87
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:155
+msgid "The type of secret to create"
+msgstr "The type of secret to create"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_undo.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:87
+msgid "Undo a previous rollout"
+msgstr "�在�ロールアウトを�り消�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_resources.go#L101
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:116
+msgid "Update resource requests/limits on objects with pod templates"
+msgstr "Update resource requests/limits on objects with pod templates"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "リソース�アノテーションを更新�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/label.go#L109
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:133
+msgid "Update the labels on a resource"
+msgstr "リソース�ラベルを更新�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/taint.go#L88
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:109
+msgid "Update the taints on one or more nodes"
+msgstr "Update the taints on one or more nodes"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L155
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:150
+msgid "Username for Docker registry authentication"
+msgstr "Username for Docker registry authentication"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_history.go#L51
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:83
+msgid "View rollout history"
+msgstr "ロールアウト�履歴を表示�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/clusterinfo_dump.go#L45
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:85
+msgid ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+msgstr ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run_test.go:88
+msgid "dummy restart flag)"
+msgstr "dummy restart flag)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cmd.go#L217
+#: staging/src/k8s.io/kubectl/pkg/cmd/cmd.go:227
+msgid "kubectl controls the Kubernetes cluster manager"
+msgstr "kubectl controls the Kubernetes cluster manager"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a ClusterRoleBinding for user1, user2, and group1 using "
+#~ "the cluster-admin ClusterRole\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Create a ClusterRoleBinding for user1, user2, and group1 using "
+#~ "the cluster-admin ClusterRole\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a RoleBinding for user1, user2, and group1 using the admin "
+#~ "ClusterRole\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Create a RoleBinding for user1, user2, and group1 using the admin "
+#~ "ClusterRole\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config based on folder bar\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with specified keys "
+#~ "instead of file basenames on disk\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with key1=config1 and "
+#~ "key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config based on folder bar\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with specified keys "
+#~ "instead of file basenames on disk\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with key1=config1 and "
+#~ "key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # If you don't already have a .dockercfg file, you can create a "
+#~ "dockercfg secret directly by using:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # If you don't already have a .dockercfg file, you can create a "
+#~ "dockercfg secret directly by using:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Apply the configuration in pod.json to a pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Apply the JSON passed into stdin to a pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Note: --prune is still in Alpha\n"
+#~ "\t\t# Apply the configuration in manifest.yaml that matches label "
+#~ "app=nginx and delete all the other resources that are not in the file and "
+#~ "match label app=nginx.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Apply the configuration in manifest.yaml and delete all the other "
+#~ "configmaps that are not in the file.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/"
+#~ "v1/ConfigMap"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Apply the configuration in pod.json to a pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Apply the JSON passed into stdin to a pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Note: --prune is still in Alpha\n"
+#~ "\t\t# Apply the configuration in manifest.yaml that matches label "
+#~ "app=nginx and delete all the other resources that are not in the file and "
+#~ "match label app=nginx.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Apply the configuration in manifest.yaml and delete all the other "
+#~ "configmaps that are not in the file.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/"
+#~ "v1/ConfigMap"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 "
+#~ "and 10, no target CPU utilization specified so a default autoscaling "
+#~ "policy will be used:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# Auto scale a replication controller \"foo\", with the number of "
+#~ "pods between 1 and 5, target CPU utilization at 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 "
+#~ "and 10, no target CPU utilization specified so a default autoscaling "
+#~ "policy will be used:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# Auto scale a replication controller \"foo\", with the number of "
+#~ "pods between 1 and 5, target CPU utilization at 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Convert the live state of the resource specified by 'pod.yaml' to "
+#~ "the latest version\n"
+#~ "\t\t# and print to stdout in json format.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# Convert all files under current directory to latest version and "
+#~ "create them all.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Convert the live state of the resource specified by 'pod.yaml' to "
+#~ "the latest version\n"
+#~ "\t\t# and print to stdout in json format.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# Convert all files under current directory to latest version and "
+#~ "create them all.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" that allows user to "
+#~ "perform \"get\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" with ResourceName "
+#~ "specified\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" that allows user to "
+#~ "perform \"get\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" with ResourceName "
+#~ "specified\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" that allows user to perform \"get"
+#~ "\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" with ResourceName specified\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verg=list --verb=watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" that allows user to perform \"get"
+#~ "\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" with ResourceName specified\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verg=list --verb=watch --"
+#~ "resource=pods --resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named my-quota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,"
+#~ "services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named best-effort\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named my-quota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,"
+#~ "services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named best-effort\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=rails label\n"
+#~ "\t\t# and require at least one of them being available at any point in "
+#~ "time.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=nginx label\n"
+#~ "\t\t# and require at least half of the pods selected to be available at "
+#~ "any point in time.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=rails label\n"
+#~ "\t\t# and require at least one of them being available at any point in "
+#~ "time.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=nginx label\n"
+#~ "\t\t# and require at least half of the pods selected to be available at "
+#~ "any point in time.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod using the data in pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Create a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Edit the data in docker-registry.yaml in JSON using the v1 API "
+#~ "format then create the resource using the edited data.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Create a pod using the data in pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Create a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Edit the data in docker-registry.yaml in JSON using the v1 API "
+#~ "format then create the resource using the edited data.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replication controller identified by type "
+#~ "and name specified in \"nginx-controller.yaml\", which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+#~ "the name \"frontend\"\n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# Create a second service based on the above service, exposing the "
+#~ "container port 8443 as port 443 with the name \"nginx-https\"\n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated streaming application on port "
+#~ "4100 balancing UDP traffic and named 'video-stream'.\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx using replica set, which "
+#~ "serves on port 80 and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for an nginx deployment, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replication controller identified by type "
+#~ "and name specified in \"nginx-controller.yaml\", which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+#~ "the name \"frontend\"\n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# Create a second service based on the above service, exposing the "
+#~ "container port 8443 as port 443 with the name \"nginx-https\"\n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated streaming application on port "
+#~ "4100 balancing UDP traffic and named 'video-stream'.\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx using replica set, which "
+#~ "serves on port 80 and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for an nginx deployment, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Delete a pod using the type and name specified in pod.json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Delete a pod based on the type and name in the JSON passed into "
+#~ "stdin.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Delete a pod with minimal delay\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# Force delete a pod on a dead node\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# Delete all pods\n"
+#~ "\t\tkubectl delete pods --all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Delete a pod using the type and name specified in pod.json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Delete a pod based on the type and name in the JSON passed into "
+#~ "stdin.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Delete a pod with minimal delay\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# Force delete a pod on a dead node\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# Delete all pods\n"
+#~ "\t\tkubectl delete pods --all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Describe a node\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Describe a pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Describe all pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Describe pods by label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Describe all pods managed by the 'frontend' replication controller "
+#~ "(rc-created pods\n"
+#~ "\t\t# get the name of the rc as a prefix in the pod the name).\n"
+#~ "\t\tkubectl describe pods frontend"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Describe a node\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Describe a pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Describe all pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Describe pods by label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Describe all pods managed by the 'frontend' replication controller "
+#~ "(rc-created pods\n"
+#~ "\t\t# get the name of the rc as a prefix in the pod the name).\n"
+#~ "\t\tkubectl describe pods frontend"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Drain node \"foo\", even if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet on it.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# As above, but abort if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet, and use "
+#~ "a grace period of 15 minutes.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Drain node \"foo\", even if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet on it.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# As above, but abort if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet, and use "
+#~ "a grace period of 15 minutes.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Edit the service named 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Use an alternative editor\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Edit the job 'myjob' in JSON using the v1 API format:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+#~ "config in its annotation:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Edit the service named 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Use an alternative editor\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Edit the job 'myjob' in JSON using the v1 API format:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+#~ "config in its annotation:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running 'date' from pod 123456-7890, using the "
+#~ "first container by default\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Get output from running 'date' in ruby-container from pod "
+#~ "123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Get output from running 'date' from pod 123456-7890, using the "
+#~ "first container by default\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Get output from running 'date' in ruby-container from pod "
+#~ "123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running pod 123456-7890, using the first container "
+#~ "by default\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# Get output from ruby-container from pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Get output from the first pod of a ReplicaSet named nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Get output from running pod 123456-7890, using the first container "
+#~ "by default\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# Get output from ruby-container from pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Get output from the first pod of a ReplicaSet named nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Install bash completion on a Mac using homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for bash into the current shell\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Write bash completion code to a file and source if from ."
+#~ "bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Install bash completion on a Mac using homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for bash into the current shell\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Write bash completion code to a file and source if from ."
+#~ "bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# List all pods in ps output format.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# List all pods in ps output format with more information (such as "
+#~ "node name).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# List a single replication controller with specified NAME in ps "
+#~ "output format.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# List a single pod in JSON output format.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+#~ "JSON output format.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Return only the phase value of the specified pod.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# List all replication controllers and services together in ps output "
+#~ "format.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# List one or more resources by their type and names.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List all resources with different types.\n"
+#~ "\t\tkubectl get all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# List all pods in ps output format.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# List all pods in ps output format with more information (such as "
+#~ "node name).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# List a single replication controller with specified NAME in ps "
+#~ "output format.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# List a single pod in JSON output format.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+#~ "JSON output format.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Return only the phase value of the specified pod.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# List all replication controllers and services together in ps output "
+#~ "format.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# List one or more resources by their type and names.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List all resources with different types.\n"
+#~ "\t\tkubectl get all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in the pod\t\tkubectl port-forward pod/mypod 5000 "
+#~ "6000\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in a pod selected by the deployment\t\tkubectl port-"
+#~ "forward deployment/mydeployment 5000 6000\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in a pod selected by the service\t\tkubectl port-"
+#~ "forward service/myservice 5000 6000\n"
+#~ "\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\t"
+#~ "\tkubectl port-forward pod/mypod 8888:5000\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\t"
+#~ "\tkubectl port-forward pod/mypod :5000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in the pod\t\tkubectl port-forward pod/mypod 5000 "
+#~ "6000\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in a pod selected by the deployment\t\tkubectl port-"
+#~ "forward deployment/mydeployment 5000 6000\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in a pod selected by the service\t\tkubectl port-"
+#~ "forward service/myservice 5000 6000\n"
+#~ "\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\t"
+#~ "\tkubectl port-forward pod/mypod 8888:5000\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\t"
+#~ "\tkubectl port-forward pod/mypod :5000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as schedulable.\n"
+#~ "\t\t$ kubectl uncordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as schedulable.\n"
+#~ "\t\t$ kubectl uncordon foo"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as unschedulable.\n"
+#~ "\t\tkubectl cordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as unschedulable.\n"
+#~ "\t\tkubectl cordon foo"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Partially update a node using strategic merge patch\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Partially update a node identified by the type and name specified "
+#~ "in \"node.json\" using strategic merge patch\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image; spec.containers[*].name is required "
+#~ "because it's a merge key\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image using a json patch with positional "
+#~ "arrays\n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Partially update a node using strategic merge patch\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Partially update a node identified by the type and name specified "
+#~ "in \"node.json\" using strategic merge patch\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image; spec.containers[*].name is required "
+#~ "because it's a merge key\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image using a json patch with positional "
+#~ "arrays\n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Print the address of the master and cluster services\n"
+#~ "\t\tkubectl cluster-info"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Print the address of the master and cluster services\n"
+#~ "\t\tkubectl cluster-info"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Replace a pod using the data in pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Replace a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Update a single-container pod's image version (tag) to v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Force replace, delete and then re-create the resource\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Replace a pod using the data in pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Replace a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Update a single-container pod's image version (tag) to v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Force replace, delete and then re-create the resource\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Return snapshot logs from pod nginx with only one container\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs for the pods defined by label app=nginx\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot of previous terminated ruby container logs from pod "
+#~ "web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Show all logs from pod nginx written in the last hour\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from first container of a job named hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+#~ "nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Return snapshot logs from pod nginx with only one container\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs for the pods defined by label app=nginx\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot of previous terminated ruby container logs from pod "
+#~ "web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Show all logs from pod nginx written in the last hour\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from first container of a job named hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+#~ "nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on port 8011, serving static "
+#~ "content from ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on an arbitrary local port.\n"
+#~ "\t\t# The chosen port for the server will be output to stdout.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver, changing the api prefix to k8s-"
+#~ "api\n"
+#~ "\t\t# This makes e.g. the pods api available at localhost:8001/k8s-api/v1/"
+#~ "pods/\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on port 8011, serving static "
+#~ "content from ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on an arbitrary local port.\n"
+#~ "\t\t# The chosen port for the server will be output to stdout.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver, changing the api prefix to k8s-"
+#~ "api\n"
+#~ "\t\t# This makes e.g. the pods api available at localhost:8001/k8s-api/v1/"
+#~ "pods/\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Scale a replicaset named 'foo' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Scale a resource identified by type and name specified in \"foo.yaml"
+#~ "\" to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# If the deployment named mysql's current size is 2, scale mysql to "
+#~ "3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Scale multiple replication controllers.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Scale job named 'cron' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Scale a replicaset named 'foo' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Scale a resource identified by type and name specified in \"foo.yaml"
+#~ "\" to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# If the deployment named mysql's current size is 2, scale mysql to "
+#~ "3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Scale multiple replication controllers.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Scale job named 'cron' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Execute set-last-applied against each configuration file in a "
+#~ "directory.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file, will create the annotation if it does not already "
+#~ "exist.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Execute set-last-applied against each configuration file in a "
+#~ "directory.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file, will create the annotation if it does not already "
+#~ "exist.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Shut down foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stop pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Shut down the service defined in service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Shut down all resources in the path/to/resources directory\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Shut down foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stop pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Shut down the service defined in service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Shut down all resources in the path/to/resources directory\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and let the container expose "
+#~ "port 5701 .\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and set environment variables "
+#~ "\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" "
+#~ "--env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Start a replicated instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Print the corresponding API objects without creating "
+#~ "them.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx, but overload the spec of the "
+#~ "deployment with a partial set of values parsed from JSON.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": "
+#~ "\"v1\", \"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Start a pod of busybox and keep it in the foreground, don't restart "
+#~ "it if it exits.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using the default command, but use custom "
+#~ "arguments (arg1 .. argN) for that command.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using a different command and custom "
+#~ "arguments.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the perl container to compute π to 2000 places and print it "
+#~ "out.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Start the cron job to compute π to 2000 places and print it out "
+#~ "every 5 minutes.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and let the container expose "
+#~ "port 5701 .\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and set environment variables "
+#~ "\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" "
+#~ "--env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Start a replicated instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Print the corresponding API objects without creating "
+#~ "them.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx, but overload the spec of the "
+#~ "deployment with a partial set of values parsed from JSON.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": "
+#~ "\"v1\", \"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Start a pod of busybox and keep it in the foreground, don't restart "
+#~ "it if it exits.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using the default command, but use custom "
+#~ "arguments (arg1 .. argN) for that command.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using a different command and custom "
+#~ "arguments.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the perl container to compute π to 2000 places and print it "
+#~ "out.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Start the cron job to compute π to 2000 places and print it out "
+#~ "every 5 minutes.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update node 'foo' with a taint with key 'dedicated' and value "
+#~ "'special-user' and effect 'NoSchedule'.\n"
+#~ "\t\t# If a taint with that key and effect already exists, its value is "
+#~ "replaced as specified.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+#~ "'NoSchedule' if one exists.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Update node 'foo' with a taint with key 'dedicated' and value "
+#~ "'special-user' and effect 'NoSchedule'.\n"
+#~ "\t\t# If a taint with that key and effect already exists, its value is "
+#~ "replaced as specified.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+#~ "'NoSchedule' if one exists.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+#~ "overwriting any existing value.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update all pods in the namespace\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' by removing a label named 'bar' if it exists.\n"
+#~ "\t\t# Does not require the --overwrite flag.\n"
+#~ "\t\tkubectl label pods foo bar-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+#~ "overwriting any existing value.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update all pods in the namespace\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' by removing a label named 'bar' if it exists.\n"
+#~ "\t\t# Does not require the --overwrite flag.\n"
+#~ "\t\tkubectl label pods foo bar-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using new replication controller data in "
+#~ "frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using JSON data passed into stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend-v1 to frontend-v2 by just changing the "
+#~ "image, and switching the\n"
+#~ "\t\t# name of the replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend by just changing the image, and keeping "
+#~ "the old name.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Abort and reverse an existing rollout in progress (from frontend-v1 "
+#~ "to frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using new replication controller data in "
+#~ "frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using JSON data passed into stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend-v1 to frontend-v2 by just changing the "
+#~ "image, and switching the\n"
+#~ "\t\t# name of the replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend by just changing the image, and keeping "
+#~ "the old name.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Abort and reverse an existing rollout in progress (from frontend-v1 "
+#~ "to frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by type/name in "
+#~ "YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by file in JSON\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by type/name in "
+#~ "YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by file in JSON\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tApply a configuration to a resource by filename or stdin.\n"
+#~ "\t\tThis resource will be created if it doesn't exist yet.\n"
+#~ "\t\tTo use 'apply', always create the resource initially with either "
+#~ "'apply' or 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do "
+#~ "not use unless you are aware of what the current state is. See https://"
+#~ "issues.k8s.io/34274."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tApply a configuration to a resource by filename or stdin.\n"
+#~ "\t\tThis resource will be created if it doesn't exist yet.\n"
+#~ "\t\tTo use 'apply', always create the resource initially with either "
+#~ "'apply' or 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do "
+#~ "not use unless you are aware of what the current state is. See https://"
+#~ "issues.k8s.io/34274."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L68
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRole."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_clusterrolebinding.go#L43
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRoleBinding for a particular ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRoleBinding for a particular ClusterRole."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L43
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a RoleBinding for a particular Role or ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a RoleBinding for a particular Role or ClusterRole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a TLS secret from the given public/private key pair.\n"
+#~ "\n"
+#~ "\t\tThe public/private key pair must exist before hand. The public key "
+#~ "certificate must be .PEM encoded and match the given private key."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a TLS secret from the given public/private key pair.\n"
+#~ "\n"
+#~ "\t\tThe public/private key pair must exist before hand. The public key "
+#~ "certificate must be .PEM encoded and match the given private key."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a configmap based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single configmap may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a file, the key will default to "
+#~ "the basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a directory, each file whose "
+#~ "basename is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the configmap.  Any directory entries except regular "
+#~ "files are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a configmap based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single configmap may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a file, the key will default to "
+#~ "the basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a directory, each file whose "
+#~ "basename is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the configmap.  Any directory entries except regular "
+#~ "files are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a new secret for use with Docker registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets are used to authenticate against Docker "
+#~ "registries.\n"
+#~ "\n"
+#~ "\t\tWhen using the Docker command line to push images, you can "
+#~ "authenticate to a given registry by running\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    That produces a ~/.dockercfg file that is used by subsequent 'docker "
+#~ "push' and 'docker pull' commands to\n"
+#~ "\t\tauthenticate to the registry. The email address is optional.\n"
+#~ "\n"
+#~ "\t\tWhen creating applications, you may have a Docker registry that "
+#~ "requires authentication.  In order for the\n"
+#~ "\t\tnodes to pull images on your behalf, they have to have the "
+#~ "credentials.  You can provide this information\n"
+#~ "\t\tby creating a dockercfg secret and attaching it to your service "
+#~ "account."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a new secret for use with Docker registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets are used to authenticate against Docker "
+#~ "registries.\n"
+#~ "\n"
+#~ "\t\tWhen using the Docker command line to push images, you can "
+#~ "authenticate to a given registry by running\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    That produces a ~/.dockercfg file that is used by subsequent 'docker "
+#~ "push' and 'docker pull' commands to\n"
+#~ "\t\tauthenticate to the registry. The email address is optional.\n"
+#~ "\n"
+#~ "\t\tWhen creating applications, you may have a Docker registry that "
+#~ "requires authentication.  In order for the\n"
+#~ "\t\tnodes to pull images on your behalf, they have to have the "
+#~ "credentials.  You can provide this information\n"
+#~ "\t\tby creating a dockercfg secret and attaching it to your service "
+#~ "account."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L49
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a pod disruption budget with the specified name, selector, and "
+#~ "desired minimum available pods"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a pod disruption budget with the specified name, selector, and "
+#~ "desired minimum available pods"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create.go#L56
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L47
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resourcequota with the specified name, hard limits and "
+#~ "optional scopes"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a resourcequota with the specified name, hard limits and "
+#~ "optional scopes"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a secret based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single secret may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a directory, each file whose basename "
+#~ "is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the secret.  Any directory entries except regular files "
+#~ "are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a secret based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single secret may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a directory, each file whose basename "
+#~ "is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the secret.  Any directory entries except regular files "
+#~ "are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate and run a particular image, possibly replicated.\n"
+#~ "\n"
+#~ "\t\tCreates a deployment or job to manage the created container(s)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate and run a particular image, possibly replicated.\n"
+#~ "\n"
+#~ "\t\tCreates a deployment or job to manage the created container(s)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreates an autoscaler that automatically chooses and sets the number "
+#~ "of pods that run in a kubernetes cluster.\n"
+#~ "\n"
+#~ "\t\tLooks up a Deployment, ReplicaSet, or ReplicationController by name "
+#~ "and creates an autoscaler that uses the given resource as a reference.\n"
+#~ "\t\tAn autoscaler can automatically increase or decrease number of pods "
+#~ "deployed within the system as needed."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreates an autoscaler that automatically chooses and sets the number "
+#~ "of pods that run in a kubernetes cluster.\n"
+#~ "\n"
+#~ "\t\tLooks up a Deployment, ReplicaSet, or ReplicationController by name "
+#~ "and creates an autoscaler that uses the given resource as a reference.\n"
+#~ "\t\tAn autoscaler can automatically increase or decrease number of pods "
+#~ "deployed within the system as needed."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDelete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. Only one type of the arguments "
+#~ "may be specified: filenames,\n"
+#~ "\t\tresources and names, or resources and label selector.\n"
+#~ "\n"
+#~ "\t\tSome resources, such as pods, support graceful deletion. These "
+#~ "resources define a default period\n"
+#~ "\t\tbefore they are forcibly terminated (the grace period) but you may "
+#~ "override that value with\n"
+#~ "\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+#~ "Because these resources often\n"
+#~ "\t\trepresent entities in the cluster, deletion may not be acknowledged "
+#~ "immediately. If the node\n"
+#~ "\t\thosting a pod is down or cannot reach the API server, termination may "
+#~ "take significantly longer\n"
+#~ "\t\tthan the grace period. To force delete a resource,\tyou must pass a "
+#~ "grace\tperiod of 0 and specify\n"
+#~ "\t\tthe --force flag.\n"
+#~ "\n"
+#~ "\t\tIMPORTANT: Force deleting pods does not wait for confirmation that "
+#~ "the pod's processes have been\n"
+#~ "\t\tterminated, which can leave those processes running until the node "
+#~ "detects the deletion and\n"
+#~ "\t\tcompletes graceful deletion. If your processes use shared storage or "
+#~ "talk to a remote API and\n"
+#~ "\t\tdepend on the name of the pod to identify themselves, force deleting "
+#~ "those pods may result in\n"
+#~ "\t\tmultiple processes running on different machines using the same "
+#~ "identification which may lead\n"
+#~ "\t\tto data corruption or inconsistency. Only force delete pods when you "
+#~ "are sure the pod is\n"
+#~ "\t\tterminated, or if your application can tolerate multiple copies of "
+#~ "the same pod running at once.\n"
+#~ "\t\tAlso, if you force delete pods the scheduler may place new pods on "
+#~ "those nodes before the node\n"
+#~ "\t\thas released those resources and causing those pods to be evicted "
+#~ "immediately.\n"
+#~ "\n"
+#~ "\t\tNote that the delete command does NOT do resource version checks, so "
+#~ "if someone\n"
+#~ "\t\tsubmits an update to a resource right when you submit a delete, their "
+#~ "update\n"
+#~ "\t\twill be lost along with the rest of the resource."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDelete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. Only one type of the arguments "
+#~ "may be specified: filenames,\n"
+#~ "\t\tresources and names, or resources and label selector.\n"
+#~ "\n"
+#~ "\t\tSome resources, such as pods, support graceful deletion. These "
+#~ "resources define a default period\n"
+#~ "\t\tbefore they are forcibly terminated (the grace period) but you may "
+#~ "override that value with\n"
+#~ "\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+#~ "Because these resources often\n"
+#~ "\t\trepresent entities in the cluster, deletion may not be acknowledged "
+#~ "immediately. If the node\n"
+#~ "\t\thosting a pod is down or cannot reach the API server, termination may "
+#~ "take significantly longer\n"
+#~ "\t\tthan the grace period. To force delete a resource,\tyou must pass a "
+#~ "grace\tperiod of 0 and specify\n"
+#~ "\t\tthe --force flag.\n"
+#~ "\n"
+#~ "\t\tIMPORTANT: Force deleting pods does not wait for confirmation that "
+#~ "the pod's processes have been\n"
+#~ "\t\tterminated, which can leave those processes running until the node "
+#~ "detects the deletion and\n"
+#~ "\t\tcompletes graceful deletion. If your processes use shared storage or "
+#~ "talk to a remote API and\n"
+#~ "\t\tdepend on the name of the pod to identify themselves, force deleting "
+#~ "those pods may result in\n"
+#~ "\t\tmultiple processes running on different machines using the same "
+#~ "identification which may lead\n"
+#~ "\t\tto data corruption or inconsistency. Only force delete pods when you "
+#~ "are sure the pod is\n"
+#~ "\t\tterminated, or if your application can tolerate multiple copies of "
+#~ "the same pod running at once.\n"
+#~ "\t\tAlso, if you force delete pods the scheduler may place new pods on "
+#~ "those nodes before the node\n"
+#~ "\t\thas released those resources and causing those pods to be evicted "
+#~ "immediately.\n"
+#~ "\n"
+#~ "\t\tNote that the delete command does NOT do resource version checks, so "
+#~ "if someone\n"
+#~ "\t\tsubmits an update to a resource right when you submit a delete, their "
+#~ "update\n"
+#~ "\t\twill be lost along with the rest of the resource."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDeprecated: Gracefully shut down a resource by name or filename.\n"
+#~ "\n"
+#~ "\t\tThe stop command is deprecated, all its functionalities are covered "
+#~ "by delete command.\n"
+#~ "\t\tSee 'kubectl delete --help' for more details.\n"
+#~ "\n"
+#~ "\t\tAttempts to shut down and delete a resource that supports graceful "
+#~ "termination.\n"
+#~ "\t\tIf the resource is scalable it will be scaled to 0 before deletion."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDeprecated: Gracefully shut down a resource by name or filename.\n"
+#~ "\n"
+#~ "\t\tThe stop command is deprecated, all its functionalities are covered "
+#~ "by delete command.\n"
+#~ "\t\tSee 'kubectl delete --help' for more details.\n"
+#~ "\n"
+#~ "\t\tAttempts to shut down and delete a resource that supports graceful "
+#~ "termination.\n"
+#~ "\t\tIf the resource is scalable it will be scaled to 0 before deletion."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of nodes.\n"
+#~ "\n"
+#~ "\t\tThe top-node command allows you to see the resource consumption of "
+#~ "nodes."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of nodes.\n"
+#~ "\n"
+#~ "\t\tThe top-node command allows you to see the resource consumption of "
+#~ "nodes."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of pods.\n"
+#~ "\n"
+#~ "\t\tThe 'top pod' command allows you to see the resource consumption of "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+#~ "minutes\n"
+#~ "\t\tsince pod creation."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of pods.\n"
+#~ "\n"
+#~ "\t\tThe 'top pod' command allows you to see the resource consumption of "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+#~ "minutes\n"
+#~ "\t\tsince pod creation."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage.\n"
+#~ "\n"
+#~ "\t\tThe top command allows you to see the resource consumption for nodes "
+#~ "or pods.\n"
+#~ "\n"
+#~ "\t\tThis command requires Heapster to be correctly configured and working "
+#~ "on the server. "
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage.\n"
+#~ "\n"
+#~ "\t\tThe top command allows you to see the resource consumption for nodes "
+#~ "or pods.\n"
+#~ "\n"
+#~ "\t\tThis command requires Heapster to be correctly configured and working "
+#~ "on the server. "
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDrain node in preparation for maintenance.\n"
+#~ "\n"
+#~ "\t\tThe given node will be marked unschedulable to prevent new pods from "
+#~ "arriving.\n"
+#~ "\t\t'drain' evicts the pods if the APIServer supports eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Otherwise, it will "
+#~ "use normal DELETE\n"
+#~ "\t\tto delete the pods.\n"
+#~ "\t\tThe 'drain' evicts or deletes all pods except mirror pods (which "
+#~ "cannot be deleted through\n"
+#~ "\t\tthe API server).  If there are DaemonSet-managed pods, drain will not "
+#~ "proceed\n"
+#~ "\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+#~ "\t\tDaemonSet-managed pods, because those pods would be immediately "
+#~ "replaced by the\n"
+#~ "\t\tDaemonSet controller, which ignores unschedulable markings.  If there "
+#~ "are any\n"
+#~ "\t\tpods that are neither mirror pods nor managed by "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete "
+#~ "any pods unless you\n"
+#~ "\t\tuse --force.  --force will also allow deletion to proceed if the "
+#~ "managing resource of one\n"
+#~ "\t\tor more pods is missing.\n"
+#~ "\n"
+#~ "\t\t'drain' waits for graceful termination. You should not operate on the "
+#~ "machine until\n"
+#~ "\t\tthe command completes.\n"
+#~ "\n"
+#~ "\t\tWhen you are ready to put the node back into service, use kubectl "
+#~ "uncordon, which\n"
+#~ "\t\twill make the node schedulable again.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDrain node in preparation for maintenance.\n"
+#~ "\n"
+#~ "\t\tThe given node will be marked unschedulable to prevent new pods from "
+#~ "arriving.\n"
+#~ "\t\t'drain' evicts the pods if the APIServer supports eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Otherwise, it will "
+#~ "use normal DELETE\n"
+#~ "\t\tto delete the pods.\n"
+#~ "\t\tThe 'drain' evicts or deletes all pods except mirror pods (which "
+#~ "cannot be deleted through\n"
+#~ "\t\tthe API server).  If there are DaemonSet-managed pods, drain will not "
+#~ "proceed\n"
+#~ "\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+#~ "\t\tDaemonSet-managed pods, because those pods would be immediately "
+#~ "replaced by the\n"
+#~ "\t\tDaemonSet controller, which ignores unschedulable markings.  If there "
+#~ "are any\n"
+#~ "\t\tpods that are neither mirror pods nor managed by "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete "
+#~ "any pods unless you\n"
+#~ "\t\tuse --force.  --force will also allow deletion to proceed if the "
+#~ "managing resource of one\n"
+#~ "\t\tor more pods is missing.\n"
+#~ "\n"
+#~ "\t\t'drain' waits for graceful termination. You should not operate on the "
+#~ "machine until\n"
+#~ "\t\tthe command completes.\n"
+#~ "\n"
+#~ "\t\tWhen you are ready to put the node back into service, use kubectl "
+#~ "uncordon, which\n"
+#~ "\t\twill make the node schedulable again.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tEdit a resource from the default editor.\n"
+#~ "\n"
+#~ "\t\tThe edit command allows you to directly edit any API resource you can "
+#~ "retrieve via the\n"
+#~ "\t\tcommand line tools. It will open the editor defined by your "
+#~ "KUBE_EDITOR, or EDITOR\n"
+#~ "\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' "
+#~ "for Windows.\n"
+#~ "\t\tYou can edit multiple objects, although changes are applied one at a "
+#~ "time. The command\n"
+#~ "\t\taccepts filenames as well as command line arguments, although the "
+#~ "files you point to must\n"
+#~ "\t\tbe previously saved versions of resources.\n"
+#~ "\n"
+#~ "\t\tEditing is done with the API version used to fetch the resource.\n"
+#~ "\t\tTo edit using a specific API version, fully-qualify the resource, "
+#~ "version, and group.\n"
+#~ "\n"
+#~ "\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+#~ "\n"
+#~ "\t\tThe flag --windows-line-endings can be used to force Windows line "
+#~ "endings,\n"
+#~ "\t\totherwise the default for your operating system will be used.\n"
+#~ "\n"
+#~ "\t\tIn the event an error occurs while updating, a temporary file will be "
+#~ "created on disk\n"
+#~ "\t\tthat contains your unapplied changes. The most common error when "
+#~ "updating a resource\n"
+#~ "\t\tis another editor changing the resource on the server. When this "
+#~ "occurs, you will have\n"
+#~ "\t\tto apply your changes to the newer version of the resource, or update "
+#~ "your temporary\n"
+#~ "\t\tsaved copy to include the latest resource version."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tEdit a resource from the default editor.\n"
+#~ "\n"
+#~ "\t\tThe edit command allows you to directly edit any API resource you can "
+#~ "retrieve via the\n"
+#~ "\t\tcommand line tools. It will open the editor defined by your "
+#~ "KUBE_EDITOR, or EDITOR\n"
+#~ "\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' "
+#~ "for Windows.\n"
+#~ "\t\tYou can edit multiple objects, although changes are applied one at a "
+#~ "time. The command\n"
+#~ "\t\taccepts filenames as well as command line arguments, although the "
+#~ "files you point to must\n"
+#~ "\t\tbe previously saved versions of resources.\n"
+#~ "\n"
+#~ "\t\tEditing is done with the API version used to fetch the resource.\n"
+#~ "\t\tTo edit using a specific API version, fully-qualify the resource, "
+#~ "version, and group.\n"
+#~ "\n"
+#~ "\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+#~ "\n"
+#~ "\t\tThe flag --windows-line-endings can be used to force Windows line "
+#~ "endings,\n"
+#~ "\t\totherwise the default for your operating system will be used.\n"
+#~ "\n"
+#~ "\t\tIn the event an error occurs while updating, a temporary file will be "
+#~ "created on disk\n"
+#~ "\t\tthat contains your unapplied changes. The most common error when "
+#~ "updating a resource\n"
+#~ "\t\tis another editor changing the resource on the server. When this "
+#~ "occurs, you will have\n"
+#~ "\t\tto apply your changes to the newer version of the resource, or update "
+#~ "your temporary\n"
+#~ "\t\tsaved copy to include the latest resource version."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+#~ "\t\tThe shell code must be evaluated to provide interactive\n"
+#~ "\t\tcompletion of kubectl commands.  This can be done by sourcing it "
+#~ "from\n"
+#~ "\t\tthe .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNote: this requires the bash-completion framework, which is not "
+#~ "installed\n"
+#~ "\t\tby default on Mac.  This can be installed by using homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tOnce installed, bash_completion must be evaluated.  This can be done "
+#~ "by adding the\n"
+#~ "\t\tfollowing line to the .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNote for zsh users: [1] zsh completions are only supported in "
+#~ "versions of zsh >= 5.2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+#~ "\t\tThe shell code must be evaluated to provide interactive\n"
+#~ "\t\tcompletion of kubectl commands.  This can be done by sourcing it "
+#~ "from\n"
+#~ "\t\tthe .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNote: this requires the bash-completion framework, which is not "
+#~ "installed\n"
+#~ "\t\tby default on Mac.  This can be installed by using homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tOnce installed, bash_completion must be evaluated.  This can be done "
+#~ "by adding the\n"
+#~ "\t\tfollowing line to the .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNote for zsh users: [1] zsh completions are only supported in "
+#~ "versions of zsh >= 5.2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tPerform a rolling update of the given ReplicationController.\n"
+#~ "\n"
+#~ "\t\tReplaces the specified replication controller with a new replication "
+#~ "controller by updating one pod at a time to use the\n"
+#~ "\t\tnew PodTemplate. The new-controller.json must specify the same "
+#~ "namespace as the\n"
+#~ "\t\texisting replication controller and overwrite at least one (common) "
+#~ "label in its replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate."
+#~ "svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tPerform a rolling update of the given ReplicationController.\n"
+#~ "\n"
+#~ "\t\tReplaces the specified replication controller with a new replication "
+#~ "controller by updating one pod at a time to use the\n"
+#~ "\t\tnew PodTemplate. The new-controller.json must specify the same "
+#~ "namespace as the\n"
+#~ "\t\texisting replication controller and overwrite at least one (common) "
+#~ "label in its replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate."
+#~ "svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tReplace a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. If replacing an existing "
+#~ "resource, the\n"
+#~ "\t\tcomplete resource spec must be provided. This can be obtained by\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tReplace a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. If replacing an existing "
+#~ "resource, the\n"
+#~ "\t\tcomplete resource spec must be provided. This can be obtained by\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tSet a new size for a Deployment, ReplicaSet, Replication Controller, "
+#~ "or Job.\n"
+#~ "\n"
+#~ "\t\tScale also allows users to specify one or more preconditions for the "
+#~ "scale action.\n"
+#~ "\n"
+#~ "\t\tIf --current-replicas or --resource-version is specified, it is "
+#~ "validated before the\n"
+#~ "\t\tscale is attempted, and it is guaranteed that the precondition holds "
+#~ "true when the\n"
+#~ "\t\tscale is sent to the server."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tSet a new size for a Deployment, ReplicaSet, Replication Controller, "
+#~ "or Job.\n"
+#~ "\n"
+#~ "\t\tScale also allows users to specify one or more preconditions for the "
+#~ "scale action.\n"
+#~ "\n"
+#~ "\t\tIf --current-replicas or --resource-version is specified, it is "
+#~ "validated before the\n"
+#~ "\t\tscale is attempted, and it is guaranteed that the precondition holds "
+#~ "true when the\n"
+#~ "\t\tscale is sent to the server."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tTo proxy all of the kubernetes api and nothing else, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tTo proxy only part of the kubernetes api and also some static files:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/api/v1/pods'.\n"
+#~ "\n"
+#~ "\t\tTo proxy the entire kubernetes api at a different root, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/custom/api/v1/pods'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tTo proxy all of the kubernetes api and nothing else, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tTo proxy only part of the kubernetes api and also some static files:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/api/v1/pods'.\n"
+#~ "\n"
+#~ "\t\tTo proxy the entire kubernetes api at a different root, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/custom/api/v1/pods'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate field(s) of a resource using strategic merge patch\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tUpdate field(s) of a resource using strategic merge patch\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate the labels on a resource.\n"
+#~ "\n"
+#~ "\t\t* A label must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* If --overwrite is true, then existing labels can be overwritten, "
+#~ "otherwise attempting to overwrite a label will result in an error.\n"
+#~ "\t\t* If --resource-version is specified, then updates will use this "
+#~ "resource version, otherwise the existing resource-version will be used."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tUpdate the labels on a resource.\n"
+#~ "\n"
+#~ "\t\t* A label must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* If --overwrite is true, then existing labels can be overwritten, "
+#~ "otherwise attempting to overwrite a label will result in an error.\n"
+#~ "\t\t* If --resource-version is specified, then updates will use this "
+#~ "resource version, otherwise the existing resource-version will be used."
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate the taints on one or more nodes.\n"
+#~ "\n"
+#~ "\t\t* A taint consists of a key, value, and effect. As an argument here, "
+#~ "it is expressed as key=value:effect.\n"
+#~ "\t\t* The key must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* The value must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[2]d "
+#~ "characters.\n"
+#~ "\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+#~ "\t\t* Currently taint can only apply to node."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tUpdate the taints on one or more nodes.\n"
+#~ "\n"
+#~ "\t\t* A taint consists of a key, value, and effect. As an argument here, "
+#~ "it is expressed as key=value:effect.\n"
+#~ "\t\t* The key must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* The value must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[2]d "
+#~ "characters.\n"
+#~ "\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+#~ "\t\t* Currently taint can only apply to node."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tView the latest last-applied-configuration annotations by type/name "
+#~ "or file.\n"
+#~ "\n"
+#~ "\t\tThe default output will be printed to stdout in YAML format. One can "
+#~ "use -o option\n"
+#~ "\t\tto change output format."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tView the latest last-applied-configuration annotations by type/name "
+#~ "or file.\n"
+#~ "\n"
+#~ "\t\tThe default output will be printed to stdout in YAML format. One can "
+#~ "use -o option\n"
+#~ "\t\tto change output format."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t    # !!!Important Note!!!\n"
+#~ "\t    # Requires that the 'tar' binary is present in your container\n"
+#~ "\t    # image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+#~ "\n"
+#~ "\t    # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod "
+#~ "in the default namespace\n"
+#~ "\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+#~ "\n"
+#~ "        # Copy /tmp/foo local file to /tmp/bar in a remote pod in a "
+#~ "specific container\n"
+#~ "\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+#~ "<some-namespace>\n"
+#~ "\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+#~ "\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+#~ msgstr ""
+#~ "\n"
+#~ "\t    # !!!Important Note!!!\n"
+#~ "\t    # Requires that the 'tar' binary is present in your container\n"
+#~ "\t    # image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+#~ "\n"
+#~ "\t    # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod "
+#~ "in the default namespace\n"
+#~ "\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+#~ "\n"
+#~ "        # Copy /tmp/foo local file to /tmp/bar in a remote pod in a "
+#~ "specific container\n"
+#~ "\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+#~ "<some-namespace>\n"
+#~ "\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+#~ "\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new TLS secret named tls-secret with the given key pair:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Create a new TLS secret named tls-secret with the given key pair:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with keys for each file in "
+#~ "folder bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with specified keys instead of "
+#~ "names on disk\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with key1=supersecret and "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with keys for each file in "
+#~ "folder bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with specified keys instead of "
+#~ "names on disk\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with key1=supersecret and "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t# Create a new ExternalName service named my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+#~ msgstr ""
+#~ "\n"
+#~ "\t# Create a new ExternalName service named my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs (in headless mode)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+#~ msgstr ""
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs (in headless mode)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new deployment named my-dep that runs the busybox image.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Create a new deployment named my-dep that runs the busybox image.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new nodeport service named my-ns\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Create a new nodeport service named my-ns\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value "
+#~ "'my frontend'.\n"
+#~ "    # If the same annotation is set multiple times, only the last value "
+#~ "will be applied\n"
+#~ "    kubectl annotate pods foo description='my frontend'\n"
+#~ "\n"
+#~ "    # Update a pod identified by type and name in \"pod.json\"\n"
+#~ "    kubectl annotate -f pod.json description='my frontend'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value "
+#~ "'my frontend running nginx', overwriting any existing value.\n"
+#~ "    kubectl annotate --overwrite pods foo description='my frontend "
+#~ "running nginx'\n"
+#~ "\n"
+#~ "    # Update all pods in the namespace\n"
+#~ "    kubectl annotate pods --all description='my frontend running nginx'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "    kubectl annotate pods foo description='my frontend running nginx' --"
+#~ "resource-version=1\n"
+#~ "\n"
+#~ "    # Update pod 'foo' by removing an annotation named 'description' if "
+#~ "it exists.\n"
+#~ "    # Does not require the --overwrite flag.\n"
+#~ "    kubectl annotate pods foo description-"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value "
+#~ "'my frontend'.\n"
+#~ "    # If the same annotation is set multiple times, only the last value "
+#~ "will be applied\n"
+#~ "    kubectl annotate pods foo description='my frontend'\n"
+#~ "\n"
+#~ "    # Update a pod identified by type and name in \"pod.json\"\n"
+#~ "    kubectl annotate -f pod.json description='my frontend'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value "
+#~ "'my frontend running nginx', overwriting any existing value.\n"
+#~ "    kubectl annotate --overwrite pods foo description='my frontend "
+#~ "running nginx'\n"
+#~ "\n"
+#~ "    # Update all pods in the namespace\n"
+#~ "    kubectl annotate pods --all description='my frontend running nginx'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "    kubectl annotate pods foo description='my frontend running nginx' --"
+#~ "resource-version=1\n"
+#~ "\n"
+#~ "    # Update pod 'foo' by removing an annotation named 'description' if "
+#~ "it exists.\n"
+#~ "    # Does not require the --overwrite flag.\n"
+#~ "    kubectl annotate pods foo description-"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#~ msgid ""
+#~ "\n"
+#~ "    Create a clusterIP service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Create a clusterIP service with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_deployment.go#L44
+#~ msgid ""
+#~ "\n"
+#~ "    Create a deployment with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Create a deployment with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_deployment.go#L44
+#~ msgid ""
+#~ "\n"
+#~ "    Create a nodeport service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Create a nodeport service with the specified name."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Dumps cluster info out suitable for debugging and diagnosing cluster "
+#~ "problems.  By default, dumps everything to\n"
+#~ "    stdout. You can optionally specify a directory with --output-"
+#~ "directory.  If you specify a directory, kubernetes will\n"
+#~ "    build a set of files in that directory.  By default only dumps things "
+#~ "in the 'kube-system' namespace, but you can\n"
+#~ "    switch to a different namespace with the --namespaces flag, or "
+#~ "specify --all-namespaces to dump all namespaces.\n"
+#~ "\n"
+#~ "    The command also dumps the logs of all of the pods in the cluster, "
+#~ "these logs are dumped into different directories\n"
+#~ "    based on namespace and pod name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Dumps cluster info out suitable for debugging and diagnosing cluster "
+#~ "problems.  By default, dumps everything to\n"
+#~ "    stdout. You can optionally specify a directory with --output-"
+#~ "directory.  If you specify a directory, kubernetes will\n"
+#~ "    build a set of files in that directory.  By default only dumps things "
+#~ "in the 'kube-system' namespace, but you can\n"
+#~ "    switch to a different namespace with the --namespaces flag, or "
+#~ "specify --all-namespaces to dump all namespaces.\n"
+#~ "\n"
+#~ "    The command also dumps the logs of all of the pods in the cluster, "
+#~ "these logs are dumped into different directories\n"
+#~ "    based on namespace and pod name."
+
+#~ msgid ""
+#~ "\n"
+#~ "  Display addresses of the master and services with label kubernetes.io/"
+#~ "cluster-service=true\n"
+#~ "  To further debug and diagnose cluster problems, use 'kubectl cluster-"
+#~ "info dump'."
+#~ msgstr ""
+#~ "\n"
+#~ "  Display addresses of the master and services with label kubernetes.io/"
+#~ "cluster-service=true\n"
+#~ "  To further debug and diagnose cluster problems, use 'kubectl cluster-"
+#~ "info dump'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L136
+#~ msgid "A schedule in the Cron format the job should be run with."
+#~ msgstr "A schedule in the Cron format the job should be run with."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L134
+#~ msgid ""
+#~ "An inline JSON override for the generated service object. If this is non-"
+#~ "empty, it is used to override the generated object. Requires that the "
+#~ "object supply a valid apiVersion field.  Only used if --expose is true."
+#~ msgstr ""
+#~ "An inline JSON override for the generated service object. If this is non-"
+#~ "empty, it is used to override the generated object. Requires that the "
+#~ "object supply a valid apiVersion field.  Only used if --expose is true."
+
+#~ msgid "Apply a configuration to a resource by filename or stdin"
+#~ msgstr "ファイル����標準入力�リソース�コンフィグを�用�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/autoscale.go#L55
+#~ msgid "Auto-scale a Deployment, ReplicaSet, or ReplicationController"
+#~ msgstr "Auto-scale a Deployment, ReplicaSet, or ReplicationController"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L101
+#~ msgid ""
+#~ "Container name which will have its image upgraded. Only relevant when --"
+#~ "image is specified, ignored otherwise. Required when using --image on a "
+#~ "multi-container pod"
+#~ msgstr ""
+#~ "Container name which will have its image upgraded. Only relevant when --"
+#~ "image is specified, ignored otherwise. Required when using --image on a "
+#~ "multi-container pod"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_clusterrolebinding.go#L43
+#~ msgid "Create a ClusterRoleBinding for a particular ClusterRole"
+#~ msgstr "Create a ClusterRoleBinding for a particular ClusterRole"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L181
+#~ msgid "Create a LoadBalancer service."
+#~ msgstr "Create a LoadBalancer service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L124
+#~ msgid "Create a NodePort service."
+#~ msgstr "Create a NodePort service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L43
+#~ msgid "Create a RoleBinding for a particular Role or ClusterRole"
+#~ msgstr "Create a RoleBinding for a particular Role or ClusterRole"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L68
+#~ msgid "Create a clusterIP service."
+#~ msgstr "Create a clusterIP service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_configmap.go#L59
+#~ msgid "Create a configmap from a local file, directory or literal value"
+#~ msgstr "Create a configmap from a local file, directory or literal value"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_deployment.go#L44
+#~ msgid "Create a deployment with the specified name."
+#~ msgstr "Create a deployment with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L49
+#~ msgid "Create a pod disruption budget with the specified name."
+#~ msgstr "Create a pod disruption budget with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L47
+#~ msgid "Create a quota with the specified name."
+#~ msgstr "Create a quota with the specified name."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create.go#L56
+#~ msgid "Create a resource by filename or stdin"
+#~ msgstr "ファイル����標準入力�リソースを作��る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L73
+#~ msgid "Create a secret from a local file, directory or literal value"
+#~ msgstr "Create a secret from a local file, directory or literal value"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L36
+#~ msgid "Create a service using specified subcommand."
+#~ msgstr "Create a service using specified subcommand."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L240
+#~ msgid "Create an ExternalName service."
+#~ msgstr "Create an ExternalName service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/delete.go#L130
+#~ msgid ""
+#~ "Delete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector"
+#~ msgstr ""
+#~ "Delete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/stop.go#L58
+#~ msgid "Deprecated: Gracefully shut down a resource by name or filename"
+#~ msgstr "Deprecated: Gracefully shut down a resource by name or filename"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/top_node.go#L77
+#~ msgid "Display Resource (CPU/Memory) usage of nodes"
+#~ msgstr "Display Resource (CPU/Memory) usage of nodes"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/top_pod.go#L79
+#~ msgid "Display Resource (CPU/Memory) usage of pods"
+#~ msgstr "Display Resource (CPU/Memory) usage of pods"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/top.go#L43
+#~ msgid "Display Resource (CPU/Memory) usage."
+#~ msgstr "Display Resource (CPU/Memory) usage."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/clusterinfo.go#L49
+#~ msgid "Display cluster info"
+#~ msgstr "クラスター�情報を表示�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/current_context.go#L48
+#~ msgid "Displays the current-context"
+#~ msgstr "current-contextを表示�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/explain.go#L50
+#~ msgid "Documentation of resources"
+#~ msgstr "リソース�説明を表示�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/clusterinfo_dump.go#L37
+#~ msgid "Dump lots of relevant info for debugging and diagnosis"
+#~ msgstr "Dump lots of relevant info for debugging and diagnosis"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L102
+#~ msgid ""
+#~ "Explicit policy for when to pull container images. Required when --image "
+#~ "is same as existing image, ignored otherwise."
+#~ msgstr ""
+#~ "Explicit policy for when to pull container images. Required when --image "
+#~ "is same as existing image, ignored otherwise."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L105
+#~ msgid ""
+#~ "IP to assign to the Load Balancer. If empty, an ephemeral IP will be "
+#~ "created and used (cloud-provider specific)."
+#~ msgstr ""
+#~ "IP to assign to the Load Balancer. If empty, an ephemeral IP will be "
+#~ "created and used (cloud-provider specific)."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L98
+#~ msgid ""
+#~ "Image to use for upgrading the replication controller. Must be distinct "
+#~ "from the existing image (either new image or new image tag).  Can not be "
+#~ "used with --filename/-f"
+#~ msgstr ""
+#~ "Image to use for upgrading the replication controller. Must be distinct "
+#~ "from the existing image (either new image or new image tag).  Can not be "
+#~ "used with --filename/-f"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout.go#L46
+#~ msgid "Manage a deployment rollout"
+#~ msgstr "Manage a deployment rollout"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/edit.go#L115
+#~ msgid ""
+#~ "Output the formatted object with the given group version (for ex: "
+#~ "'extensions/v1beta1').)"
+#~ msgstr ""
+#~ "Output the formatted object with the given group version (for ex: "
+#~ "'extensions/v1beta1').)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L84
+#~ msgid "Perform a rolling update of the given ReplicationController"
+#~ msgstr "Perform a rolling update of the given ReplicationController"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/replace.go#L70
+#~ msgid "Replace a resource by filename or stdin"
+#~ msgstr "Replace a resource by filename or stdin"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/scale.go#L71
+#~ msgid ""
+#~ "Set a new size for a Deployment, ReplicaSet, Replication Controller, or "
+#~ "Job"
+#~ msgstr ""
+#~ "Set a new size for a Deployment, ReplicaSet, Replication Controller, or "
+#~ "Job"
+
+#~ msgid ""
+#~ "Set the last-applied-configuration annotation on a live object to match "
+#~ "the contents of a file."
+#~ msgstr ""
+#~ "Set the last-applied-configuration annotation on a live object to match "
+#~ "the contents of a file."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_cluster.go#L67
+#~ msgid "Sets a cluster entry in kubeconfig"
+#~ msgstr "kubeconfig�クラスターエントリを設定�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_context.go#L57
+#~ msgid "Sets a context entry in kubeconfig"
+#~ msgstr "kubeconfig�コンテキストエントリを設定�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_authinfo.go#L103
+#~ msgid "Sets a user entry in kubeconfig"
+#~ msgstr "kubeconfig�ユーザーエントリを設定�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/set.go#L59
+#~ msgid "Sets an individual value in a kubeconfig file"
+#~ msgstr "kubeconfig�個別�変数を設定�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/use_context.go#L48
+#~ msgid "Sets the current-context in a kubeconfig file"
+#~ msgstr "kubeconfig�current-contextを設定�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L87
+#~ msgid ""
+#~ "Take a replication controller, service, deployment or pod and expose it "
+#~ "as a new Kubernetes Service"
+#~ msgstr ""
+#~ "Take a replication controller, service, deployment or pod and expose it "
+#~ "as a new Kubernetes Service"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L100
+#~ msgid ""
+#~ "The key to use to differentiate between two different controllers, "
+#~ "default 'deployment'.  Only relevant when --image is specified, ignored "
+#~ "otherwise"
+#~ msgstr ""
+#~ "The key to use to differentiate between two different controllers, "
+#~ "default 'deployment'.  Only relevant when --image is specified, ignored "
+#~ "otherwise"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L113
+#~ msgid ""
+#~ "The name of the API generator to use, see http://kubernetes.io/docs/user-"
+#~ "guide/kubectl-conventions/#generators for a list."
+#~ msgstr ""
+#~ "The name of the API generator to use, see http://kubernetes.io/docs/user-"
+#~ "guide/kubectl-conventions/#generators for a list."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/autoscale.go#L66
+#~ msgid ""
+#~ "The name of the API generator to use. Currently there is only 1 generator."
+#~ msgstr ""
+#~ "The name of the API generator to use. Currently there is only 1 generator."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L133
+#~ msgid ""
+#~ "The name of the generator to use for creating a service.  Only used if --"
+#~ "expose is true"
+#~ msgstr ""
+#~ "The name of the generator to use for creating a service.  Only used if --"
+#~ "expose is true"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L121
+#~ msgid ""
+#~ "The port that this container exposes.  If --expose is true, this is also "
+#~ "the port used by the service that is created."
+#~ msgstr ""
+#~ "The port that this container exposes.  If --expose is true, this is also "
+#~ "the port used by the service that is created."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L128
+#~ msgid ""
+#~ "The restart policy for this Pod.  Legal values [Always, OnFailure, "
+#~ "Never].  If set to 'Always' a deployment is created, if set to "
+#~ "'OnFailure' a job is created, if set to 'Never', a regular pod is "
+#~ "created. For the latter two --replicas must be 1.  Default 'Always', for "
+#~ "CronJobs `Never`."
+#~ msgstr ""
+#~ "The restart policy for this Pod.  Legal values [Always, OnFailure, "
+#~ "Never].  If set to 'Always' a deployment is created, if set to "
+#~ "'OnFailure' a job is created, if set to 'Never', a regular pod is "
+#~ "created. For the latter two --replicas must be 1.  Default 'Always', for "
+#~ "CronJobs `Never`."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L101
+#~ msgid ""
+#~ "Type for this service: ClusterIP, NodePort, or LoadBalancer. Default is "
+#~ "'ClusterIP'."
+#~ msgstr ""
+#~ "Type for this service: ClusterIP, NodePort, or LoadBalancer. Default is "
+#~ "'ClusterIP'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/unset.go#L47
+#~ msgid "Unsets an individual value in a kubeconfig file"
+#~ msgstr "kubeconfig�ら変数を個別�削除�る"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/patch.go#L91
+#~ msgid "Update field(s) of a resource using strategic merge patch"
+#~ msgstr "Update field(s) of a resource using strategic merge patch"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_image.go#L94
+#~ msgid "Update image of a pod template"
+#~ msgstr "Update image of a pod template"
+
+#~ msgid ""
+#~ "View latest last-applied-configuration annotations of a resource/object"
+#~ msgstr ""
+#~ "View latest last-applied-configuration annotations of a resource/object"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L253
+#~ msgid "external name of service"
+#~ msgstr "external name of service"
+
+#~ msgid ""
+#~ "watch is only supported on individual resources and resource collections "
+#~ "- %d resources were found"
+#~ msgid_plural ""
+#~ "watch is only supported on individual resources and resource collections "
+#~ "- %d resources were found"
+#~ msgstr[0] ""
+#~ "watch��一リソース��リソースコレクション��サ�ート�����- %d個�"
+#~ "リソース�見��り���"
+#~ msgstr[1] ""
+#~ "watch��一リソース��リソースコレクション��サ�ート�����- %d個�"
+#~ "リソース�見��り���"
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ko_KR/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ko_KR/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..70398367b1
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ko_KR/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ko_KR/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ko_KR/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..b6804ef908
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/ko_KR/LC_MESSAGES/k8s.po
@@ -0,0 +1,96 @@
+# Test translations for unit tests.
+# Copyright (C) 2017
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR ianyrchoi@gmail.com, 2018.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gettext-go-examples-hello\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2018-04-03 06:05+0900\n"
+"Last-Translator: Ian Y. Choi <ianyrchoi@gmail.com>\n"
+"Language-Team: \n"
+"Language: ko_KR\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 2.0.6\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_cluster.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "kubeconfig�서 지정� �러스터를 삭제합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_context.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "kubeconfig�서 지정� 컨�스트를 삭제합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_contexts.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "하나 �는 여러 컨�스트를 설명합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_clusters.go#L40
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "kubeconfig� 정�� �러스터를 표시합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/view.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr "병합� kubeconfig 설정 �는 지정� kubeconfig 파�� 표시합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/config.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "kubeconfig 파�� 수정합니다"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "��� 대한 주�� 업��트합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/masterpkg/kubectl/cmd/apply.go#L98
+#~ msgid "Apply a configuration to a resource by filename or stdin"
+#~ msgstr "구성� 파� �름 �는 stdin� �한 ��� �용합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/current_context.go#L48
+#~ msgid "Displays the current-context"
+#~ msgstr "현재-컨�스트를 표시합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_cluster.go#L67
+#~ msgid "Sets a cluster entry in kubeconfig"
+#~ msgstr "kubeconfig�서 �러스터 항목� 설정합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_context.go#L57
+#~ msgid "Sets a context entry in kubeconfig"
+#~ msgstr "kubeconfig�서 컨�스트 항목� 설정합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_authinfo.go#L103
+#~ msgid "Sets a user entry in kubeconfig"
+#~ msgstr "kubeconfig�서 사용� 항목� 설정합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/set.go#L59
+#~ msgid "Sets an individual value in a kubeconfig file"
+#~ msgstr "kubeconfig 파��서 단�값� 설정합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/use_context.go#L48
+#~ msgid "Sets the current-context in a kubeconfig file"
+#~ msgstr "kubeconfig 파��서 현재-컨�스트를 설정합니다"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/unset.go#L47
+#~ msgid "Unsets an individual value in a kubeconfig file"
+#~ msgstr "kubeconfig 파��서 단�값 설정� 해제합니다"
+
+#~ msgid ""
+#~ "watch is only supported on individual resources and resource collections "
+#~ "- %d resources were found"
+#~ msgid_plural ""
+#~ "watch is only supported on individual resources and resource collections "
+#~ "- %d resources were found"
+#~ msgstr[0] ""
+#~ "watch는 단� 리소스와 리소스 모�만� 지�합니다 - %d 개 ��� 발견하였습"
+#~ "니다"
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/pt_BR/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/pt_BR/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..e3c52ec8a6
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/pt_BR/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/pt_BR/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/pt_BR/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..7fe6d2cf17
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/pt_BR/LC_MESSAGES/k8s.po
@@ -0,0 +1,3250 @@
+# Brazilian Portuguese translation.
+# Copyright (C) 2020
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR ctadeu@gmail.com, 2020.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2020-12-11 17:03+0100\n"
+"Last-Translator: Carlos Panato <ctadeu@gmail.com>\n"
+"Language-Team: \n"
+"Language: pt_BR\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 2.4.2\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+"X-Poedit-KeywordsList: \n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:62
+msgid ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+msgstr ""
+"\n"
+"\t\t  # Mostra as métricas para todos os nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Mostra as métricas para um node específico\n"
+"\t\t  kubectl top node NODE_NAME"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:46
+msgid ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+msgstr ""
+"\n"
+"\t\t# Mostra a documentação do recurso e seus campos\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Mostra a documentação de um campo específico de um recurso\n"
+"\t\tkubectl explain pods.spec.containers"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:29
+msgid ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+msgstr ""
+"\n"
+"\t\t# Mostra as opções herdadas por todos os comandos\n"
+"\t\tkubectl options"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:44
+msgid ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+msgstr ""
+"\n"
+"\t\t# Imprime a versão do cliente e do servidor para o contexto atual\n"
+"\t\tkubectl version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:34
+msgid ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+msgstr ""
+"\n"
+"\t\t# Mostra as versões de API suportadas\n"
+"\t\tkubectl api-versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:75
+msgid ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+msgstr ""
+"\n"
+"\t\t# Mostra as métricas para todos os pods no namespace default\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Mostra as métricas para todos os pods em um dado namespace\n"
+"\t\tkubectl top pod —namespace=NAMESPACE\n"
+"\n"
+"\t\t# Mostra as métricas para um dado pod e seus containers\n"
+"\t\tkubectl top pod POD_NAME —containers\n"
+"\n"
+"\t\t# Mostra as métricas para os pods definidos pelo label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+
+#: pkg/kubectl/cmd/convert/convert.go:40
+msgid ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+msgstr ""
+"\n"
+"\t\tConvert os arquivos de configuração para diferentes versões de API. "
+"Ambos formatos YAML\n"
+"\t\\e JSON são aceitos.\n"
+"\n"
+"\t\tO command recebe o nome do arquivo, diretório ou URL como entrada, e "
+"converteno formato\n"
+"\t\tpara a versão especificada pelo parametro —output-version. Se a versão "
+"desejada não é especificada ou \n"
+"\t\tnão é suportada, converte para a última versã disponível.\n"
+"\n"
+"\t\tA saída padrão é no formato YAML. Pode ser utilizadoa opção -o\n"
+"\t\tpara mudar o formato de saída."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:39
+msgid ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+msgstr ""
+"\n"
+"\t\tCria um namespace com um nome especificado."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:43
+msgid ""
+"\n"
+"\t\tCreate a role with single rule."
+msgstr ""
+"\n"
+"\t\tCria uma role com uma única regra."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:40
+msgid ""
+"\n"
+"\t\tCreate a service account with the specified name."
+msgstr ""
+"\n"
+"\t\tCria uma conta de serviço com um nome especificado."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:84
+msgid ""
+"\n"
+"\t\tMark node as schedulable."
+msgstr ""
+"\n"
+"\t\tRemove a restrição de execução de workloads no node."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:55
+msgid ""
+"\n"
+"\t\tMark node as unschedulable."
+msgstr ""
+"\n"
+"\t\tAplica a restrição de execução de workloads no node."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:70
+msgid ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+msgstr ""
+"\n"
+"\t\tDefine a annotation last-applied-configuration configurando para ser "
+"igual ao conteúdo do arquivo.\n"
+"\t\tIsto resulta no last-applied-configuration ser atualizado quando o "
+"'kubectl apply -f <file>' executa,\n"
+"\t\tnão atualizando as outras partes do objeto."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:42
+msgid ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+msgstr ""
+"\n"
+"\t  # Cria um novo namespace chamado my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:43
+msgid ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+msgstr ""
+"\n"
+"\t  # Cria um novo service account chamado my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:344
+msgid ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+msgstr ""
+"\n"
+"\tCria um serviço do tipo ExternalName com o nome especificado.\n"
+"\n"
+"\tServiço ExternalName referencia um endereço externo de DNS ao invés de\n"
+"\tapenas pods, o que permite aos desenvolvedores de aplicações referenciar "
+"serviços\n"
+"\tque existem fora da plataforma, em outros clusters ou localmente."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:28
+msgid ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+msgstr ""
+"\n"
+"\tHelp provê ajuda para qualquer comando na aplicação.\n"
+"\tDigite simplesmente kubectl help [caminho do comando] para detalhes "
+"completos."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:311
+msgid ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # Cria um novo serviço do tipo LoadBalancer chamado my-lbs\n"
+"    kubectl create service loadbalancer my-lbs —tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:102
+msgid ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+msgstr ""
+"\n"
+"    # Coleta o estado corrente do cluster e exibe no stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Coleta o estado corrente do custer para /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Coleta informação de todos os namespaces para stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Coleta o conjunto especificado de namespaces para /path/to/cluster-"
+"state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:308
+msgid ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+msgstr ""
+"\n"
+"    Cria um serviço do tipo LoadBalancer com o nome especificado."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:107
+msgid ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+msgstr ""
+"Lista de valores delimitados por vírgulas para um conjunto de escopos de "
+"quota que devem corresponder para cada objeto rastreado pela quota."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:106
+msgid ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+msgstr ""
+"Lista de valores delimitados por vírgulas ajusta os pares resource=quantity "
+"que define um limite rigído."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:113
+msgid ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+msgstr ""
+"Um seletor de label a ser usado para o PDB. Apenas seletores baseado em "
+"igualdade são suportados."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:152
+msgid ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+msgstr ""
+"Um seletor de label para ser utilizado neste serviço. Apenas seletores "
+"baseado em igualdade são suportados. Se vazio (por padrão) o seletor do "
+"replication controller ou replica set será utilizado."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:157
+msgid ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+msgstr ""
+"Um IP externo adicional (não gerenciado pelo Kubernetes) para ser usado no "
+"serviço. Se este IP for roteado para um nó, o serviço pode ser acessado por "
+"este IP além de seu IP de serviço gerado."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:158
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:178
+msgid ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+msgstr ""
+"Uma substituição inline JSON para o objeto gerado. Se não estiver vazio, ele "
+"será usado para substituir o objeto gerado. Requer que o objeto forneça um "
+"campo apiVersion válido."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:125
+msgid "Approve a certificate signing request"
+msgstr "Aprova uma solicitação de assinatura de certificado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:263
+msgid ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+msgstr ""
+"Atribuir o seu próprio ClusterIP ou configura para 'None' para um serviço "
+"'headless' (sem loadbalancing)."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:105
+msgid "Attach to a running container"
+msgstr "Se conecta a um container em execução"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:161
+msgid ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+msgstr ""
+"ClusterIP que será atribuído ao serviço. Deixe vazio para auto atribuição, "
+"ou configure para 'None' para criar um serviço headless."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:101
+msgid "ClusterRole this ClusterRoleBinding should reference"
+msgstr "ClusterRole que esse ClusterRoleBinding deve referenciar"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:104
+msgid "ClusterRole this RoleBinding should reference"
+msgstr "ClusterRole que esse RoleBinding deve referenciar"
+
+#: pkg/kubectl/cmd/convert/convert.go:95
+msgid "Convert config files between different API versions"
+msgstr "Converte arquivos de configuração entre versões de API diferentes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:106
+msgid "Copy files and directories to and from containers."
+msgstr "Copia arquivos e diretórios de e para containers."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:94
+msgid "Create a TLS secret"
+msgstr "Cria uma secret do tipo TLS"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:83
+msgid "Create a namespace with the specified name"
+msgstr "Cria a namespace com um nome especificado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:134
+msgid "Create a secret for use with a Docker registry"
+msgstr "Cria um secret para ser utilizado com o Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:49
+msgid "Create a secret using specified subcommand"
+msgstr "Cria um secret utilizando um sub-comando especificado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:85
+msgid "Create a service account with the specified name"
+msgstr "Cria uma conta de serviço com um nome especificado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "Apaga o cluster especificado do kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "Apaga o contexto especificado do kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:174
+msgid "Deny a certificate signing request"
+msgstr "Rejeita o pedido de assinatura do certificado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "Mostra um ou mais contextos"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "Mostra os clusters definidos no kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr ""
+"Mostra a configuração do kubeconfig mescladas ou um arquivo kubeconfig "
+"especificado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:165
+msgid "Display one or many resources"
+msgstr "Mostra um ou mais recursos"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:184
+msgid "Drain node in preparation for maintenance"
+msgstr "Drenar o node para preparação de manutenção"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:77
+msgid "Edit a resource on the server"
+msgstr "Edita um recurso no servidor"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:152
+msgid "Email for Docker registry"
+msgstr "Email para o Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:89
+msgid "Execute a command in a container"
+msgstr "Executa um comando em um container"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:109
+msgid "Forward one or more local ports to a pod"
+msgstr "Encaminhar uma ou mais portas locais para um pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:37
+msgid "Help about any command"
+msgstr "Ajuda sobre qualquer comando"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:160
+msgid ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+msgstr ""
+"Se não vazio, configura a afinidade de sessão para o serviço; valores "
+"válidos: 'None', 'ClientIP'"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:157
+msgid ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"Se não estiver vazio, a atualização dos annotation só terá êxito se esta for "
+"a versão do recurso atual para o objeto. Válido apenas ao especificar um "
+"único recurso."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:154
+msgid ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+"Se não estiver vazio, a atualização dos labels só terá êxito se esta for a "
+"versão do recurso atual para o objeto. Válido apenas ao especificar um único "
+"recurso."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:98
+msgid "Mark node as schedulable"
+msgstr "Marca o node como agendável"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:69
+msgid "Mark node as unschedulable"
+msgstr "Marca o node como não agendável"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:83
+msgid "Mark the provided resource as paused"
+msgstr "Marca o recurso fornecido como pausado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:49
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:50
+msgid "Modify certificate resources."
+msgstr "Edita o certificado dos recursos."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "Edita o arquivo kubeconfig"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:156
+msgid ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+msgstr ""
+"Nome ou o número da porta em um container em que o serviço deve direcionar o "
+"tráfego. Opcional."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:174
+msgid ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+msgstr ""
+"Apenas retorna os logs após uma data específica (RFC3339). Padrão para todos "
+"os logs. Apenas um since-time / since deve ser utilizado."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:112
+msgid "Output shell completion code for the specified shell (bash or zsh)"
+msgstr "Saída do autocomplete de shell para um Shell específico (bash ou zsh)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:151
+msgid "Password for Docker registry authentication"
+msgstr "Senha para a autenticação do registro do Docker"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:110
+msgid "Path to PEM encoded public key certificate."
+msgstr "Caminho para a chave pública em formato PEM."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:111
+msgid "Path to private key associated with given certificate."
+msgstr "Caminho para a chave private associada a um certificado fornecido."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:130
+msgid ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+msgstr ""
+"Pré-condição para a versão do recurso. Requer que a versão do recurso atual "
+"corresponda a este valor para escalar."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:73
+msgid "Print the client and server version information"
+msgstr "Mostra a informação de versão do cliente e do servidor"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:38
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:39
+msgid "Print the list of flags inherited by all commands"
+msgstr "Mostra a lista de opções herdadas por todos os comandos"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:152
+msgid "Print the logs for a container in a pod"
+msgstr "Mostra os logs de um container em um pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:87
+msgid "Resume a paused resource"
+msgstr "Retoma um recurso pausado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:105
+msgid "Role this RoleBinding should reference"
+msgstr "Role que a RoleBinding deve referenciar"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:152
+msgid "Run a particular image on the cluster"
+msgstr "Executa uma imagem específica no cluster"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:119
+msgid "Run a proxy to the Kubernetes API server"
+msgstr "Executa um proxy para o servidor de API do Kubernetes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:153
+msgid "Server location for Docker registry"
+msgstr "Localização do servidor para o registro do Docker"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:39
+msgid "Set specific features on objects"
+msgstr "Define funcionalidades específicas em objetos"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:104
+msgid "Set the selector on a resource"
+msgstr "Define um seletor em um recurso"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:107
+msgid "Show details of a specific resource or group of resources"
+msgstr "Mostra os detalhes de um recurso específico ou de um grupo de recursos"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:102
+msgid "Show the status of the rollout"
+msgstr "Mostra o status de uma atualização dinamica"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:154
+msgid "Synonym for --target-port"
+msgstr "Sinônimo para —target-port"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:174
+msgid "The image for the container to run."
+msgstr "A imagem para o container executar."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:176
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+msgstr ""
+"A política de obtenção de imagens. Se deixado em branco, este valor não será "
+"especificado pelo cliente e será utilizado o padrão do servidor"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:111
+msgid ""
+"The minimum number or percentage of available pods this budget requires."
+msgstr ""
+"Um número mínimo ou porcentagem de pods disponíveis que este budget requer."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:159
+msgid "The name for the newly created object."
+msgstr "O nome para o objeto recém criado."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:125
+msgid ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+msgstr ""
+"O nome para o objeto recém criado. Se não especificado, o nome do input "
+"resource será utilizado."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:147
+msgid ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in "
+"v1 is named 'default', while it is left unnamed in v2. Default is 'service/"
+"v2'."
+msgstr ""
+"O nome do gerador de API a ser usado. Existem 2 geradores: 'service/v1' e "
+"'service/v2'. A única diferença entre eles é que a porta de serviço na v1 é "
+"chamada de 'default', enquanto ela é deixada sem nome na v2. O padrão é "
+"'service/v2'."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:148
+msgid "The network protocol for the service to be created. Default is 'TCP'."
+msgstr "O protocolo de rede para o serviço ser criado. Padrão é 'TCP'."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:149
+msgid ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+msgstr ""
+"A porta para que o serviço possa servir. Copiado do recurso sendo exposto, "
+"se não especificado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:194
+msgid ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+msgstr ""
+"O recurso requerido para este container.  Por exemplo, 'cpu=200m,"
+"memory=512Mi'.  Observe que os componentes do lado do servidor podem "
+"atribuir limites, dependendo da configuração do servidor, como intervalos de "
+"limite."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:192
+msgid ""
+"The resource requirement requests for this container.  For example, "
+"'cpu=100m,memory=256Mi'.  Note that server side components may assign "
+"requests depending on the server configuration, such as limit ranges."
+msgstr ""
+"O recurso requerido de requests para este container.  Por exemplo, 'cpu=100m,"
+"memory=256Mi'.  Observe que os componentes do lado do servidor podem "
+"atribuir requests, dependendo da configuração do servidor, como intervalos "
+"de limite."
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:155
+msgid "The type of secret to create"
+msgstr "O tipo de segredo para criar"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:87
+msgid "Undo a previous rollout"
+msgstr "Desfazer o rollout anterior"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:116
+msgid "Update resource requests/limits on objects with pod templates"
+msgstr ""
+"Atualizar os recursos de request/limites em um objeto com template de pod"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "Atualizar as anotações de um recurso"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:133
+msgid "Update the labels on a resource"
+msgstr "Atualizar os labels de um recurso"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:109
+msgid "Update the taints on one or more nodes"
+msgstr "Atualizar o taints de um ou mais nodes"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:150
+msgid "Username for Docker registry authentication"
+msgstr "Nome de usuário para a autenticação no Docker registry"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:83
+msgid "View rollout history"
+msgstr "Visualizar o histórico de rollout"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:85
+msgid ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+msgstr ""
+"Onde colocar os arquivos de saída. Se vazio ou '-' usa o stdout do terminal, "
+"caso contrário, cria uma hierarquia no diretório configurado"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run_test.go:88
+msgid "dummy restart flag)"
+msgstr "dummy restart flag)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cmd.go:227
+msgid "kubectl controls the Kubernetes cluster manager"
+msgstr "kubectl controla o gerenciador de cluster do Kubernetes"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a ClusterRoleBinding for user1, user2, and group1 using "
+#~ "the cluster-admin ClusterRole\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Criar o ClusterRoleBinding para user1, user2, e group1 utilizando "
+#~ "o ClusterRole cluster-admin\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin —user=user1 —user=user2 —group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a RoleBinding for user1, user2, and group1 using the admin "
+#~ "ClusterRole\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Criar uma RoleBinding para user1, user2, e group1 utilizando o "
+#~ "admin ClusterRole\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin —user=user1 —"
+#~ "user=user2 —group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config based on folder bar\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with specified keys "
+#~ "instead of file basenames on disk\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with key1=config1 and "
+#~ "key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Criar um novo configmap com o nome de my-config baseado na pasta "
+#~ "bar\n"
+#~ "\t\t  kubectl create configmap my-config —from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Cria um novo configmap com o nome my-config, onde cada chave "
+#~ "possui o valor especificado em um arquivo distinto no disco\n"
+#~ "\t\t  kubectl create configmap my-config —from-file=key1=/path/to/bar/"
+#~ "file1.txt —from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Criar um novo configmap com o nome de my-config com key1=config1 "
+#~ "e key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config —from-literal=key1=config1 —from-"
+#~ "literal=key2=config2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # If you don't already have a .dockercfg file, you can create a "
+#~ "dockercfg secret directly by using:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # Se você ainda não tem o arquivo .dockercfg, você pode gerar "
+#~ "diretamente o dockercfg secret utilizando o comando:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret —docker-"
+#~ "server=DOCKER_REGISTRY_SERVER —docker-username=DOCKER_USER —docker-"
+#~ "password=DOCKER_PASSWORD —docker-email=DOCKER_EMAIL"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Apply the configuration in pod.json to a pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Apply the JSON passed into stdin to a pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Note: --prune is still in Alpha\n"
+#~ "\t\t# Apply the configuration in manifest.yaml that matches label "
+#~ "app=nginx and delete all the other resources that are not in the file and "
+#~ "match label app=nginx.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Apply the configuration in manifest.yaml and delete all the other "
+#~ "configmaps that are not in the file.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/"
+#~ "v1/ConfigMap"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Aplica a configuração do arquivo pod.json a um pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Aplica o JSON recebido via stdin para um pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Nota: —prune ainda está em Alpha\n"
+#~ "\t\t# Aplica a configuração do manifest.yaml que conter o label app=nginx "
+#~ "e remove todos os outros recursos que não estejam no arquivo e não "
+#~ "contenham o label.\n"
+#~ "\t\tkubectl apply —prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Aplica a configuração do manifest.yaml e remove todos os outros "
+#~ "configmaps que não estão no arquivo.\n"
+#~ "\t\tkubectl apply —prune -f manifest.yaml —all —prune-allowlist=core/v1/"
+#~ "ConfigMap"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 "
+#~ "and 10, no target CPU utilization specified so a default autoscaling "
+#~ "policy will be used:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# Auto scale a replication controller \"foo\", with the number of "
+#~ "pods between 1 and 5, target CPU utilization at 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Escala automaticamente um deployment \"foo\", com o número de pods "
+#~ "entre 2 e 10, sem especificar a utilização da CPU o padrão da política de "
+#~ "autoscaling será utilizado:\n"
+#~ "\t\tkubectl autoscale deployment foo —min=2 —max=10\n"
+#~ "\n"
+#~ "\t\t# Escala automaticamente um replication controller \"foo\", com o "
+#~ "número de pods entre 1 and 5, e definindo a utilização da CPU em 80%:\n"
+#~ "\t\tkubectl autoscale rc foo —max=5 —cpu-percent=80"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Convert the live state of the resource specified by 'pod.yaml' to "
+#~ "the latest version\n"
+#~ "\t\t# and print to stdout in json format.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# Convert all files under current directory to latest version and "
+#~ "create them all.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# converte o arquivo 'pod.yaml' para a versão mais atual e imprime a "
+#~ "saída para o stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Converte o estado atual do recurso especificado pelo 'pod.yaml' "
+#~ "para a versão mais atual\n"
+#~ "\t\t# e imprime a saída para o stdout no formato json.\n"
+#~ "\t\tkubectl convert -f pod.yaml —local -o json\n"
+#~ "\n"
+#~ "\t\t# Converte todos os arquivos dentro do diretório atual para a versão "
+#~ "mais recente e cria todos.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" that allows user to "
+#~ "perform \"get\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" with ResourceName "
+#~ "specified\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Cria um ClusterRole com o nome de \"pod-reader\" que permite o "
+#~ "usuário realizar \"get\", \"watch\" e \"list\" em pods\n"
+#~ "\t\tkubectl create clusterrole pod-reader —verb=get,list,watch —"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Cria a ClusterRole com o nome de \"pod-reader\" com um ResourceName "
+#~ "especificado\n"
+#~ "\t\tkubectl create clusterrole pod-reader —verb=get,list,watch —"
+#~ "resource=pods —resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" that allows user to perform \"get"
+#~ "\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a Role named \"pod-reader\" with ResourceName specified\n"
+#~ "\t\tkubectl create role pod-reader --verb=get --verg=list --verb=watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Cria uma Role com o nome de \"pod-reader\" que permite o usuário "
+#~ "realizar \"get\", \"watch\" e \"list\" em pods\n"
+#~ "\t\tkubectl create role pod-reader —verb=get —verb=list —verb=watch —"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Cria uma Role com o nome de \"pod-reader\" com um ResourceName "
+#~ "especificado\n"
+#~ "\t\tkubectl create role pod-reader —verb=get —verg=list —verb=watch —"
+#~ "resource=pods —resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named my-quota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,"
+#~ "services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named best-effort\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Cria um novo resourcequota com o nome de my-quota\n"
+#~ "\t\tkubectl create quota my-quota —hard=cpu=1,memory=1G,pods=2,services=3,"
+#~ "replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Cria um novo resourcequota com o nome de best-effort\n"
+#~ "\t\tkubectl create quota best-effort —hard=pods=100 —scopes=BestEffort"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=rails label\n"
+#~ "\t\t# and require at least one of them being available at any point in "
+#~ "time.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=nginx label\n"
+#~ "\t\t# and require at least half of the pods selected to be available at "
+#~ "any point in time.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Cria um pod disruption budget com o nome de my-pdb que irá "
+#~ "selecionar todos os pods com o label app=rails\n"
+#~ "\t\t# e requer que pelo menos um deles esteja disponível a qualquer "
+#~ "momento.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb —selector=app=rails —min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Cria um pod disruption budget com o nome de my-pdb que irá "
+#~ "selecionar todos os pods com o label app=nginx\n"
+#~ "\t\t# e requer pelo menos que metade dos pods selecionados estejam "
+#~ "disponíveis em qualquer momento.\n"
+#~ "\t\tkubectl create pdb my-pdb —selector=app=nginx —min-available=50%"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod using the data in pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Create a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Edit the data in docker-registry.yaml in JSON using the v1 API "
+#~ "format then create the resource using the edited data.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Cria um pod utilizando o arquivo pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Cria um pod utilizando o JSON recebido via stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Edita o conteúdo do arquivo docker-registry.yaml em JSON utilizando "
+#~ "o formato da API v1, criando o recurso com o conteúdo editado.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml —edit —output-version=v1 -o "
+#~ "json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replication controller identified by type "
+#~ "and name specified in \"nginx-controller.yaml\", which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+#~ "the name \"frontend\"\n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# Create a second service based on the above service, exposing the "
+#~ "container port 8443 as port 443 with the name \"nginx-https\"\n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated streaming application on port "
+#~ "4100 balancing UDP traffic and named 'video-stream'.\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx using replica set, which "
+#~ "serves on port 80 and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for an nginx deployment, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Cria um serviço para um nginx replicado, que escuta na porta 80 e "
+#~ "conecta na porta 8000 dos containers.\n"
+#~ "\\t\tkubectl expose rc nginx —port=80 —target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Cria um serviço para um replication controller identificado por "
+#~ "tipo e com o nome especificado em \"nginx-controller.yaml\", que escuta "
+#~ "na porta 80 e conecta na porta 8000 dos containers.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml —port=80 —target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Cria um serviço para um pod valid-pod, que escuta na porta 444 com "
+#~ "o nome \"frontend\"\n"
+#~ "\t\tkubectl expose pod valid-pod —port=444 —name=frontend\n"
+#~ "\n"
+#~ "\t\t# Cria um segundo serviço baseado no serviço acima, expondo a porta "
+#~ "8443 do container como porta 443 e com nome \"nginx-https\"\n"
+#~ "\t\tkubectl expose service nginx —port=443 —target-port=8443 —name=nginx-"
+#~ "https\n"
+#~ "\n"
+#~ "\t\t# Cria um serviço para uma aplicação streaming replicada na porta "
+#~ "4100 com trafico balanceado UDP e nome 'video-stream'.\n"
+#~ "\t\tkubectl expose rc streamer —port=4100 —protocol=udp —name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Cria um serviço para um nginx replicado usando o replica set, que "
+#~ "escuta na porta 80 e conecta na porta 8000 dos containers.\n"
+#~ "\t\tkubectl expose rs nginx —port=80 —target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Cria um serviço para um deployment nginx, que escuta na porta 80 e "
+#~ "conecta na porta 8000 dos containers.\n"
+#~ "\t\tkubectl expose deployment nginx —port=80 —target-port=8000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Delete a pod using the type and name specified in pod.json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Delete a pod based on the type and name in the JSON passed into "
+#~ "stdin.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Delete a pod with minimal delay\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# Force delete a pod on a dead node\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# Delete all pods\n"
+#~ "\t\tkubectl delete pods --all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Remove um pod usando o tipo e nome especificado no arquivo pod."
+#~ "json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Remove um pod baseado no tipo e nome no JSON passado na entrada de "
+#~ "comando(stdin).\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Remove pods e serviços com os nomes \"baz\" e \"foo\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Remove pods e serviços com label name=myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Remove um pod com um mínimo de delay\n"
+#~ "\t\tkubectl delete pod foo —now\n"
+#~ "\n"
+#~ "\t\t# Força a remoção de  um pod em um node morto\n"
+#~ "\t\tkubectl delete pod foo —grace-period=0 —force\n"
+#~ "\n"
+#~ "\t\t# Remove todos os pods\n"
+#~ "\t\tkubectl delete pods —all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Describe a node\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Describe a pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Describe all pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Describe pods by label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Describe all pods managed by the 'frontend' replication controller "
+#~ "(rc-created pods\n"
+#~ "\t\t# get the name of the rc as a prefix in the pod the name).\n"
+#~ "\t\tkubectl describe pods frontend"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Descreve um node\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Descreve um pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Descreve um pod identificado pelo tipo e nome no arquivo \"pod.json"
+#~ "\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Descreve todos os pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Descreve os pods com label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Descreve todos os pods gerenciados pelo replication controller "
+#~ "'frontend' (rc-created pods\n"
+#~ "\t\t# tem o nome de rc como prefixo no nome do pod).\n"
+#~ "\t\tkubectl describe pods frontend"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Drain node \"foo\", even if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet on it.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# As above, but abort if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet, and use "
+#~ "a grace period of 15 minutes.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Drena o node \"foo\", mesmo se os pods não são gerenciados por um "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet ou StatefulSet.\n"
+#~ "\t\t$ kubectl drain foo —force\n"
+#~ "\n"
+#~ "\t\t# Mesmo que acima, mas é interrompido se os pods não são gerenciados "
+#~ "por um ReplicationController, ReplicaSet, Job, DaemonSet ou StatefulSet, "
+#~ "e tem espera por 15 minutos.\n"
+#~ "\t\t$ kubectl drain foo —grace-period=900"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Edit the service named 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Use an alternative editor\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Edit the job 'myjob' in JSON using the v1 API format:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+#~ "config in its annotation:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Edita o serviço chamado 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Usa um editor alternativo\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Edita o Job 'myjob' em JSON utilizando o format da API v1:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Edita o deployment 'mydeployment' em YAML e salva a configuração "
+#~ "modificada em sua annotation:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml —save-config"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running 'date' from pod 123456-7890, using the "
+#~ "first container by default\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Get output from running 'date' in ruby-container from pod "
+#~ "123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Pega a saída de execução do comando 'date' do pod 123456-7890, "
+#~ "usando o primeiro container por padrão\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Pega a saída de execução do comando 'date' no ruby-container do pod "
+#~ "123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Troca para raw terminal mode, envia stdin para o 'bash' no ruby-"
+#~ "container do pod 123456-7890\n"
+#~ "\t\t# e envia stdout/stderr do 'bash' de volta para o cliente\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t — bash -il"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running pod 123456-7890, using the first container "
+#~ "by default\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# Get output from ruby-container from pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-"
+#~ "container from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Get output from the first pod of a ReplicaSet named nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Pega a saída do pod em execução 123456-7890, utilizando o primeiro "
+#~ "container por padrão\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# Pega a saída do ruby-container do pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Troca para raw terminal mode, envia stdin para o 'bash' no ruby-"
+#~ "container do pod 123456-7890\n"
+#~ "\t\t# e envia stdout/stderr do 'bash' de volta para o cliente\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Pega a saída do primeiro pod de um ReplicaSet chamado nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Install bash completion on a Mac using homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for bash into the current shell\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Write bash completion code to a file and source if from ."
+#~ "bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Instala o auto completar do bash no Mac utilizando homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew —prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Carrega o código de auto complentar do kubectl para o bash no shell "
+#~ "corrente\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Escreve o código de autocompletar do bash no arquivo de perfil e "
+#~ "faz o source se é para o .bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Carrega o código de auto complentar do kubectl para zsh[1] no shell "
+#~ "em utilização\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# List all pods in ps output format.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# List all pods in ps output format with more information (such as "
+#~ "node name).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# List a single replication controller with specified NAME in ps "
+#~ "output format.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# List a single pod in JSON output format.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+#~ "JSON output format.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Return only the phase value of the specified pod.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# List all replication controllers and services together in ps output "
+#~ "format.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# List one or more resources by their type and names.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List all resources with different types.\n"
+#~ "\t\tkubectl get all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Lista todos os pods no formato de saída ps.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# Lista todos os pods no formato de saída ps com mais informações "
+#~ "(como o nome do node).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# Lista um único replication controller com o nome especificado no "
+#~ "formato de saída ps\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# Lista um único pod e usa o formato de saída JSON.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# Lista o pod identificado com o tipo e nome especificado no \"pod."
+#~ "yaml\" e usa o formato de saída JSON.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Mostra apenas em que estágio o pod especificado está.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 —template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# Lista todos os replication controllers e services juntos no formato "
+#~ "de saída ps.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# Lista um ou mais recursos pelo seu tipo e nomes.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# Lista todos os recursos e com tipos diferentes.\n"
+#~ "\t\tkubectl get all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from "
+#~ "ports 5000 and 6000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 5000 6000\n"
+#~ "\n"
+#~ "\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 8888:5000\n"
+#~ "\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod :5000\n"
+#~ "\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 0:5000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Escuta nas portas locais 5000 e 6000, e redireciona os dados de/"
+#~ "para as portas 5000 e 6000 no pod\n"
+#~ "\t\tkubectl port-forward mypod 5000 6000\n"
+#~ "\n"
+#~ "\t\t# Escuta na porta local 8888 localmente, e redireciona para a porta "
+#~ "5000 no pod\n"
+#~ "\t\tkubectl port-forward mypod 8888:5000\n"
+#~ "\n"
+#~ "\t\t# Escuta uma porta local aleatória, e redireciona para a porta 5000 "
+#~ "no pod\n"
+#~ "\t\tkubectl port-forward mypod :5000\n"
+#~ "\n"
+#~ "\t\t# Escuta uma porta local aleatória, e redireciona para a porta 5000 "
+#~ "no pod\\n\n"
+#~ "\t\tkubectl port-forward mypod 0:5000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as schedulable.\n"
+#~ "\t\t$ kubectl uncordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Remove a restrição de execução de Pods no node \"foo\".\n"
+#~ "\t\t$ kubectl uncordon foo"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as unschedulable.\n"
+#~ "\t\tkubectl cordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Restringe a execução de novos Pods no node \"foo\".\n"
+#~ "\t\tkubectl cordon foo"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Partially update a node using strategic merge patch\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Partially update a node identified by the type and name specified "
+#~ "in \"node.json\" using strategic merge patch\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image; spec.containers[*].name is required "
+#~ "because it's a merge key\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image using a json patch with positional "
+#~ "arrays\n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Atualiza parcialmente um node utilizando a estratégia merge patch\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Atualiza parcialmente um node identificado pelo tipo e nome no "
+#~ "arquivo \"node.json\" utilizando a estratégia merge patch\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Atualiza uma imagem em um container; spec.containers[*].name é "
+#~ "requerido pois será usado como índice para a mudança\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Atualiza uma imagem em um container utilizando o json patch com "
+#~ "positional arrays\n"
+#~ "\t\tkubectl patch pod valid-pod —type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Print the address of the master and cluster services\n"
+#~ "\t\tkubectl cluster-info"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Mostra o endereço do servidor de gerenciamento e dos serviços do "
+#~ "cluster\n"
+#~ "\t\tkubectl cluster-info"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Replace a pod using the data in pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Replace a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Update a single-container pod's image version (tag) to v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Force replace, delete and then re-create the resource\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Substitui um pod utlizando os dados contidos em pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Troca um pod com base no JSON fornecido no stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Atualiza uma versão de imagem (tag) de um pod com um único "
+#~ "container para v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Força a troca, removendo e recriando o recurso\n"
+#~ "\t\tkubectl replace —force -f ./pod.json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Return snapshot logs from pod nginx with only one container\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs for the pods defined by label app=nginx\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot of previous terminated ruby container logs from pod "
+#~ "web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Show all logs from pod nginx written in the last hour\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from first container of a job named hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+#~ "nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Retorna os logs do pod nginx com um único container\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Retorna os logs dos pods definidos pelo label app=nginx\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Retorna os logs do container ruby finalizado do pod web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Começa o streaming de logs de um ruby container no pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Mostra apenas as 20 linhas mais recentes de saída do pod nginx\n"
+#~ "\t\tkubectl logs —tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Mostra todos os logs do pod nginx escrito na última hora\n"
+#~ "\t\tkubectl logs —since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Retorna os logs do primeiro container com o Job chamado hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Retorna os logs do container nginx-1 de um deployment chamado "
+#~ "nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on port 8011, serving static "
+#~ "content from ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on an arbitrary local port.\n"
+#~ "\t\t# The chosen port for the server will be output to stdout.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver, changing the api prefix to k8s-"
+#~ "api\n"
+#~ "\t\t# This makes e.g. the pods api available at localhost:8001/k8s-api/v1/"
+#~ "pods/\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Executa um proxy para o apiserver do kubernetes na porta 8011, "
+#~ "servindo um conteúdo estático do caminho ./local/www/\n"
+#~ "\t\tkubectl proxy —port=8011 —www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Executa um proxy para o apiserver do kubernetes em uma porta local "
+#~ "arbitrária.\n"
+#~ "\t\t# A porta escolhida para o servidor será utilizada para o saída de "
+#~ "stdout.\n"
+#~ "\t\tkubectl proxy —port=0\n"
+#~ "\n"
+#~ "\t\t# Executa um proxy para o apiserver do kubernetes, mudando o prefixo "
+#~ "do api para k8s-api\n"
+#~ "\t\t# Com isso a api dos pods estarão disponível em localhost:8001/k8s-"
+#~ "api/v1/pods/\n"
+#~ "\t\tkubectl proxy —api-prefix=/k8s-api"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Scale a replicaset named 'foo' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Scale a resource identified by type and name specified in \"foo.yaml"
+#~ "\" to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# If the deployment named mysql's current size is 2, scale mysql to "
+#~ "3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Scale multiple replication controllers.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Scale job named 'cron' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Escala um replicaset chamado 'foo' para 3.\n"
+#~ "\t\tkubectl scale —replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Escala um recurso identificado pelo tipo e nome especificado no "
+#~ "arquivo \"foo.yaml\" para 3.\n"
+#~ "\t\tkubectl scale —replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# Se um deployment chamado mysql tem tamanho 2, escala o mysql para "
+#~ "3.\n"
+#~ "\t\tkubectl scale —current-replicas=2 —replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Escala múltiplos replication controllers.\n"
+#~ "\t\tkubectl scale —replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Escala um Job chamado 'cron' para 3.\n"
+#~ "\t\tkubectl scale —replicas=3 job/cron"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Execute set-last-applied against each configuration file in a "
+#~ "directory.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file, will create the annotation if it does not already "
+#~ "exist.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Ajusta o last-applied-configuration de um recurso para corresponder "
+#~ "ao conteúdo de um arquivo.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Executa o set-last-applied em todos os arquivos de configuração no "
+#~ "diretório.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Ajusta o last-applied-configuration de um recurso para corresponder "
+#~ "ao conteúdo de um arquivo, será criada uma annotation se esta ainda não "
+#~ "existe.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml —create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Shut down foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stop pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Shut down the service defined in service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Shut down all resources in the path/to/resources directory\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Termina o replicationcontroller foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Para os pods e serviços com o label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Termina o serviço definido no arquivo service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Termina todos os recursos no caminho do diretório path/to/"
+#~ "resources\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and let the container expose "
+#~ "port 5701 .\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and set environment variables "
+#~ "\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" "
+#~ "--env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Start a replicated instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Print the corresponding API objects without creating "
+#~ "them.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx, but overload the spec of the "
+#~ "deployment with a partial set of values parsed from JSON.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": "
+#~ "\"v1\", \"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Start a pod of busybox and keep it in the foreground, don't restart "
+#~ "it if it exits.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using the default command, but use custom "
+#~ "arguments (arg1 .. argN) for that command.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using a different command and custom "
+#~ "arguments.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the perl container to compute π to 2000 places and print it "
+#~ "out.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Start the cron job to compute π to 2000 places and print it out "
+#~ "every 5 minutes.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Inicia uma única instância de nginx.\n"
+#~ "\t\tkubectl run nginx —image=nginx\n"
+#~ "\n"
+#~ "\t\t# Inicia uma única instância do hazelcast e expõe a porta 5701 do "
+#~ "container.\n"
+#~ "\t\tkubectl run hazelcast —image=hazelcast —port=5701\n"
+#~ "\n"
+#~ "\t\t# Inicia uma única instância do hazelcast e seta as variáveis de "
+#~ "ambiente \"DNS_DOMAIN=cluster\" e \"POD_NAMESPACE=default\" no "
+#~ "container.\n"
+#~ "\t\tkubectl run hazelcast —image=hazelcast —env=\"DNS_DOMAIN=cluster\" —"
+#~ "env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Inicia uma instância replicada de nginx.\n"
+#~ "\t\tkubectl run nginx —image=nginx —replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Mostra os objetos da API correspondente sem criar elas.\n"
+#~ "\t\tkubectl run nginx —image=nginx —dry-run\n"
+#~ "\n"
+#~ "\t\t# Inicia uma única instância de nginx, mas sobrescreve a spec do "
+#~ "deployment com um conjunto parcial de valores passeados do JSON.\n"
+#~ "\t\tkubectl run nginx —image=nginx —overrides='{ \"apiVersion\": \"v1\", "
+#~ "\"spec\": { … } }'\n"
+#~ "\n"
+#~ "\t\t# Inicia um pod de busybox e mantém ele em primeiro plano, não "
+#~ "reinicia se ele já existe.\n"
+#~ "\t\tkubectl run -i -t busybox —image=busybox —restart=Never\n"
+#~ "\n"
+#~ "\t\t# Inicia um container nginx usando o comando padrão, mas utiliza "
+#~ "argumentos customizados (arg1 .. argN) para o comando.\n"
+#~ "\t\tkubectl run nginx —image=nginx — <arg1> <arg2> … <argN>\n"
+#~ "\n"
+#~ "\t\t# Inicia um container nginx usando um comando diferente e argumentos "
+#~ "customizados.\n"
+#~ "\t\tkubectl run nginx —image=nginx —command — <cmd> <arg1> … <argN>\n"
+#~ "\n"
+#~ "\t\t# Inicia um container perl para processar π to 2000 posições e mostra "
+#~ "a saída.\n"
+#~ "\t\tkubectl run pi —image=perl —restart=OnFailure — perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Inicia um cron job para processar as 2000 posições de π e mostra a "
+#~ "saída a cada 5 minutos.\n"
+#~ "\t\tkubectl run pi —schedule=\"0/5 * * * ?\" —image=perl —"
+#~ "restart=OnFailure — perl -Mbignum=bpi -wle 'print bpi(2000)'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update node 'foo' with a taint with key 'dedicated' and value "
+#~ "'special-user' and effect 'NoSchedule'.\n"
+#~ "\t\t# If a taint with that key and effect already exists, its value is "
+#~ "replaced as specified.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+#~ "'NoSchedule' if one exists.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Atualiza a restrição para a chave 'dedicated' e o valor 'special-"
+#~ "user' e o efeito 'NoSchedule' para o node 'foo'.\n"
+#~ "\t\t# Se o taint com esta chave e efeito já existirem, o seu valor é "
+#~ "substituído pelo especificado.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Remove a restrição com a chave 'dedicated' e efeito 'NoSchedule' do "
+#~ "nodo 'foo' se existir.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Remove o node 'foo' todos os taints com a chave 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+#~ "overwriting any existing value.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update all pods in the namespace\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' by removing a label named 'bar' if it exists.\n"
+#~ "\t\t# Does not require the --overwrite flag.\n"
+#~ "\t\tkubectl label pods foo bar-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Atualiza o pod 'foo' com o label 'unhealthy' e valor 'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Atualiza o pod 'foo' com o label 'status' e valor 'unhealthy', "
+#~ "sobrescrevendo qualquer valor existente.\n"
+#~ "\t\tkubectl label —overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Atualiza todos os pods no namespace corrente\n"
+#~ "\t\tkubectl label pods —all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Atualiza o pod identificado pelo tipo e nome em \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Atualiza o pod 'foo' apenas se o recurso não foi modificado na "
+#~ "versão 1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy —resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Atualiza o pod 'foo' removendo o label chamado 'bar', se ele "
+#~ "existir.\n"
+#~ "\t\t# Não necessita a flag —overwrite.\n"
+#~ "\t\tkubectl label pods foo bar-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using new replication controller data in "
+#~ "frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using JSON data passed into stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend-v1 to frontend-v2 by just changing the "
+#~ "image, and switching the\n"
+#~ "\t\t# name of the replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend by just changing the image, and keeping "
+#~ "the old name.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Abort and reverse an existing rollout in progress (from frontend-v1 "
+#~ "to frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Atualiza os pods de frontend-v1 utilizando os dados do novo "
+#~ "replication controller definido em frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Atualiza os pods do frontend-v1 utilizando os dados em JSON "
+#~ "passados pelo stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Atualiza os pods do frontend-v1 para frontend-v2 trocando a imagem, "
+#~ "e trocando o\n"
+#~ "\t\t# nome do replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Atualiza os pods do frontend trocando a imagem, e mantendo o nome "
+#~ "antigo.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Cancela e reverte um rollout existente em progresso (de frontend-v1 "
+#~ "para frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by type/name in "
+#~ "YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by file in JSON\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Visualiza a anotação last-applied-configuration pelo tipo/nome no "
+#~ "YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# Visualiza a anotação last-applied-configuration no arquivo JSON\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tApply a configuration to a resource by filename or stdin.\n"
+#~ "\t\tThis resource will be created if it doesn't exist yet.\n"
+#~ "\t\tTo use 'apply', always create the resource initially with either "
+#~ "'apply' or 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do "
+#~ "not use unless you are aware of what the current state is. See https://"
+#~ "issues.k8s.io/34274."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAplica a configuração em um recurso usando um nome de arquivo ou "
+#~ "stdin.\n"
+#~ "\t\tEste recurso será criado se ele não existir.\n"
+#~ "\t\tPara utilizar o 'apply', sempre crie o recurso inicialmente com "
+#~ "'apply' ou 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tFormatos JSON e YAML são aceitos.\n"
+#~ "\n"
+#~ "\t\tNota Alpha: a funcionalidade --prune não está completa. Não utilize a "
+#~ "não ser que você saibe qual é o estado corrente. Veja https://issues.k8s."
+#~ "io/34274."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um ClusterRole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRoleBinding for a particular ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um ClusterRoleBinding para um ClusterRole específico."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a RoleBinding for a particular Role or ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria uma RoleBinding para uma Role específica ou ClusterRole."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a TLS secret from the given public/private key pair.\n"
+#~ "\n"
+#~ "\t\tThe public/private key pair must exist before hand. The public key "
+#~ "certificate must be .PEM encoded and match the given private key."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um TLS secret de uma chave pública/privada fornecida.\n"
+#~ "\n"
+#~ "\t\tA chave pública/privada deve existir antes. O certificado da chave "
+#~ "deve ser codificada como PEM, e ter sido gerada pela chave privada."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a configmap based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single configmap may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a file, the key will default to "
+#~ "the basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a directory, each file whose "
+#~ "basename is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the configmap.  Any directory entries except regular "
+#~ "files are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um configmap com base em um arquivo, diretório, ou um valor "
+#~ "literal especificado.\n"
+#~ "\n"
+#~ "\t\tUm configmap único pode conter um ou mais pares de chave/valor.\n"
+#~ "\n"
+#~ "\t\tQuando criar um configmap com base em um arquivo, a chave será por "
+#~ "padrão o nome do arquivo, e o valor será\n"
+#~ "\t\tpor padrão o conteúdo do arquivo.  Se o nome do arquivo for uma chave "
+#~ "inválida, você deve especificar uma chave alternativa.\n"
+#~ "\n"
+#~ "\t\tQuando criar um configmap com base em um diretório, cada arquivo cujo "
+#~ "o nome é uma chave válida no diretório será\n"
+#~ "\t\tcolocada no configmap.  Qualquer entrada de diretório, exceto as com "
+#~ "arquivos válidos serão ignorados (por exemplo: sub-diretórios,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a new secret for use with Docker registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets are used to authenticate against Docker "
+#~ "registries.\n"
+#~ "\n"
+#~ "\t\tWhen using the Docker command line to push images, you can "
+#~ "authenticate to a given registry by running\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    That produces a ~/.dockercfg file that is used by subsequent 'docker "
+#~ "push' and 'docker pull' commands to\n"
+#~ "\t\tauthenticate to the registry. The email address is optional.\n"
+#~ "\n"
+#~ "\t\tWhen creating applications, you may have a Docker registry that "
+#~ "requires authentication.  In order for the\n"
+#~ "\t\tnodes to pull images on your behalf, they have to have the "
+#~ "credentials.  You can provide this information\n"
+#~ "\t\tby creating a dockercfg secret and attaching it to your service "
+#~ "account."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um novo secret para utilizar com Docker registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets são utilizados para autenticar Docker registries.\n"
+#~ "\n"
+#~ "\t\tQuando utilizando a linha de comando do Docker para realizar envio "
+#~ "das images, você pode se autenticar para um registro fornecido "
+#~ "executando\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER —username=DOCKER_USER —"
+#~ "password=DOCKER_PASSWORD —email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    Isso irá gerar um arquivo ~/.dockercfg que será utilizado para os "
+#~ "comandos 'docker push' e 'docker pull' \n"
+#~ "\t\tse autenticarem no registro. O endereço de email é opcional.\n"
+#~ "\n"
+#~ "\t\tQuando criar aplicações, você pode ter um Docker registry que requer "
+#~ "autenticação.  Para que \n"
+#~ "\t\tos nodes possam baixar as imagens em seu nome, eles devem ter as "
+#~ "credenciais.  Você pode prover esta informação\n"
+#~ "\t\tcriando um dockercfg secret e anexando-o à sua conta de serviço."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a pod disruption budget with the specified name, selector, and "
+#~ "desired minimum available pods"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um pod disruption budget com o nome especificado, seletor, e o "
+#~ "número mínimo de pode disponíveis"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um recurso por nome de arquivo ou stdin.\n"
+#~ "\n"
+#~ "\t\tOs formatos JSON e YAML são aceitos."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resourcequota with the specified name, hard limits and "
+#~ "optional scopes"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um resourcequota com o nome especificado, limits rigídos e "
+#~ "escopo opcional"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a secret based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single secret may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a directory, each file whose basename "
+#~ "is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the secret.  Any directory entries except regular files "
+#~ "are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um secret com base em um arquivo, diretório, ou um valor literal "
+#~ "especificado.\n"
+#~ "\n"
+#~ "\t\tUm secret único pode conter um ou mais pares de chave/valor.\n"
+#~ "\n"
+#~ "\t\tQuando criar um secret com base em um arquivo, a chave será por "
+#~ "padrão o nome do arquivo, e o valor será\n"
+#~ "\t\tpor padrão o conteúdo do arquivo.  Se o nome do arquivo for uma chave "
+#~ "inválida, você deve especificar uma chave alternativa.\n"
+#~ "\n"
+#~ "\t\tQuando criar um secret com base em um diretório, cada arquivo cujo o "
+#~ "nome é uma chave válida no diretório será\n"
+#~ "\t\tcolocada no configmap.  Qualquer entrada de diretório, exceto as com "
+#~ "arquivos válidos serão ignorados (por exemplo: sub-diretórios,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate and run a particular image, possibly replicated.\n"
+#~ "\n"
+#~ "\t\tCreates a deployment or job to manage the created container(s)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria e executa uma imagem específica, possivelmente replicada.\n"
+#~ "\n"
+#~ "\t\tCria um deployment ou job para gerenciar o(s) container(s) criado(s)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreates an autoscaler that automatically chooses and sets the number "
+#~ "of pods that run in a kubernetes cluster.\n"
+#~ "\n"
+#~ "\t\tLooks up a Deployment, ReplicaSet, or ReplicationController by name "
+#~ "and creates an autoscaler that uses the given resource as a reference.\n"
+#~ "\t\tAn autoscaler can automatically increase or decrease number of pods "
+#~ "deployed within the system as needed."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCria um autoscaler que automaticamente escolhe e configura quantos "
+#~ "pods irão executar em um cluster kubernetes.\n"
+#~ "\n"
+#~ "\t\tProcura por um Deployment, ReplicaSet, ou ReplicationController por "
+#~ "nome e cria um autoscaler que utiliza o recurso fornecido como "
+#~ "referência.\n"
+#~ "\t\tUm autoscaler pode automaticamente aumentar ou reduzir o número de "
+#~ "pods quando necessário."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDelete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. Only one type of the arguments "
+#~ "may be specified: filenames,\n"
+#~ "\t\tresources and names, or resources and label selector.\n"
+#~ "\n"
+#~ "\t\tSome resources, such as pods, support graceful deletion. These "
+#~ "resources define a default period\n"
+#~ "\t\tbefore they are forcibly terminated (the grace period) but you may "
+#~ "override that value with\n"
+#~ "\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+#~ "Because these resources often\n"
+#~ "\t\trepresent entities in the cluster, deletion may not be acknowledged "
+#~ "immediately. If the node\n"
+#~ "\t\thosting a pod is down or cannot reach the API server, termination may "
+#~ "take significantly longer\n"
+#~ "\t\tthan the grace period. To force delete a resource,\tyou must pass a "
+#~ "grace\tperiod of 0 and specify\n"
+#~ "\t\tthe --force flag.\n"
+#~ "\n"
+#~ "\t\tIMPORTANT: Force deleting pods does not wait for confirmation that "
+#~ "the pod's processes have been\n"
+#~ "\t\tterminated, which can leave those processes running until the node "
+#~ "detects the deletion and\n"
+#~ "\t\tcompletes graceful deletion. If your processes use shared storage or "
+#~ "talk to a remote API and\n"
+#~ "\t\tdepend on the name of the pod to identify themselves, force deleting "
+#~ "those pods may result in\n"
+#~ "\t\tmultiple processes running on different machines using the same "
+#~ "identification which may lead\n"
+#~ "\t\tto data corruption or inconsistency. Only force delete pods when you "
+#~ "are sure the pod is\n"
+#~ "\t\tterminated, or if your application can tolerate multiple copies of "
+#~ "the same pod running at once.\n"
+#~ "\t\tAlso, if you force delete pods the scheduler may place new pods on "
+#~ "those nodes before the node\n"
+#~ "\t\thas released those resources and causing those pods to be evicted "
+#~ "immediately.\n"
+#~ "\n"
+#~ "\t\tNote that the delete command does NOT do resource version checks, so "
+#~ "if someone\n"
+#~ "\t\tsubmits an update to a resource right when you submit a delete, their "
+#~ "update\n"
+#~ "\t\twill be lost along with the rest of the resource."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDelete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. Only one type of the arguments "
+#~ "may be specified: filenames,\n"
+#~ "\t\tresources and names, or resources and label selector.\n"
+#~ "\n"
+#~ "\t\tSome resources, such as pods, support graceful deletion. These "
+#~ "resources define a default period\n"
+#~ "\t\tbefore they are forcibly terminated (the grace period) but you may "
+#~ "override that value with\n"
+#~ "\t\tthe —grace-period flag, or pass —now to set a grace-period of 1. "
+#~ "Because these resources often\n"
+#~ "\t\trepresent entities in the cluster, deletion may not be acknowledged "
+#~ "immediately. If the node\n"
+#~ "\t\thosting a pod is down or cannot reach the API server, termination may "
+#~ "take significantly longer\n"
+#~ "\t\tthan the grace period. To force delete a resource,\tyou must pass a "
+#~ "grace\tperiod of 0 and specify\n"
+#~ "\t\tthe —force flag.\n"
+#~ "\n"
+#~ "\t\tIMPORTANT: Force deleting pods does not wait for confirmation that "
+#~ "the pod's processes have been\n"
+#~ "\t\tterminated, which can leave those processes running until the node "
+#~ "detects the deletion and\n"
+#~ "\t\tcompletes graceful deletion. If your processes use shared storage or "
+#~ "talk to a remote API and\n"
+#~ "\t\tdepend on the name of the pod to identify themselves, force deleting "
+#~ "those pods may result in\n"
+#~ "\t\tmultiple processes running on different machines using the same "
+#~ "identification which may lead\n"
+#~ "\t\tto data corruption or inconsistency. Only force delete pods when you "
+#~ "are sure the pod is\n"
+#~ "\t\tterminated, or if your application can tolerate multiple copies of "
+#~ "the same pod running at once.\n"
+#~ "\t\tAlso, if you force delete pods the scheduler may place new pods on "
+#~ "those nodes before the node\n"
+#~ "\t\thas released those resources and causing those pods to be evicted "
+#~ "immediately.\n"
+#~ "\n"
+#~ "\t\tNote that the delete command does NOT do resource version checks, so "
+#~ "if someone\n"
+#~ "\t\tsubmits an update to a resource right when you submit a delete, their "
+#~ "update\n"
+#~ "\t\twill be lost along with the rest of the resource."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDeprecated: Gracefully shut down a resource by name or filename.\n"
+#~ "\n"
+#~ "\t\tThe stop command is deprecated, all its functionalities are covered "
+#~ "by delete command.\n"
+#~ "\t\tSee 'kubectl delete --help' for more details.\n"
+#~ "\n"
+#~ "\t\tAttempts to shut down and delete a resource that supports graceful "
+#~ "termination.\n"
+#~ "\t\tIf the resource is scalable it will be scaled to 0 before deletion."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDeprecated: Gracefully shut down a resource by name or filename.\n"
+#~ "\n"
+#~ "\t\tThe stop command is deprecated, all its functionalities are covered "
+#~ "by delete command.\n"
+#~ "\t\tSee 'kubectl delete —help' for more details.\n"
+#~ "\n"
+#~ "\t\tAttempts to shut down and delete a resource that supports graceful "
+#~ "termination.\n"
+#~ "\t\tIf the resource is scalable it will be scaled to 0 before deletion."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of nodes.\n"
+#~ "\n"
+#~ "\t\tThe top-node command allows you to see the resource consumption of "
+#~ "nodes."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tMostra os Recursos (CPU/Memória/Armazenamento) utilizados nos nodes.\n"
+#~ "\n"
+#~ "\t\tO comando top-node permite que você veja o consumo de recursos dos "
+#~ "nodes."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of pods.\n"
+#~ "\n"
+#~ "\t\tThe 'top pod' command allows you to see the resource consumption of "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+#~ "minutes\n"
+#~ "\t\tsince pod creation."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tMostra a utilização de recursos dos pods (CPU/Memória/"
+#~ "Armazenamento).\n"
+#~ "\n"
+#~ "\t\tO comando 'top pod' deixa você ver a utilização dos recusrsos dos "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tDevido ao atraso da pipeline de métricas, o resultado pode estar "
+#~ "indisponível por alguns minutos\n"
+#~ "\t\tdesde a criação do pod."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage.\n"
+#~ "\n"
+#~ "\t\tThe top command allows you to see the resource consumption for nodes "
+#~ "or pods.\n"
+#~ "\n"
+#~ "\t\tThis command requires Heapster to be correctly configured and working "
+#~ "on the server. "
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tMostra a utilização de recursos (CPU/Memória/Armazenamento).\n"
+#~ "\n"
+#~ "\t\tO comando top deixa você ver a utilização de recursos de nodes e "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tEste comando necessita que o Heapster esteja corretamente configurado "
+#~ "e rodando no servidor. "
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDrain node in preparation for maintenance.\n"
+#~ "\n"
+#~ "\t\tThe given node will be marked unschedulable to prevent new pods from "
+#~ "arriving.\n"
+#~ "\t\t'drain' evicts the pods if the APIServer supports eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Otherwise, it will "
+#~ "use normal DELETE\n"
+#~ "\t\tto delete the pods.\n"
+#~ "\t\tThe 'drain' evicts or deletes all pods except mirror pods (which "
+#~ "cannot be deleted through\n"
+#~ "\t\tthe API server).  If there are DaemonSet-managed pods, drain will not "
+#~ "proceed\n"
+#~ "\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+#~ "\t\tDaemonSet-managed pods, because those pods would be immediately "
+#~ "replaced by the\n"
+#~ "\t\tDaemonSet controller, which ignores unschedulable markings.  If there "
+#~ "are any\n"
+#~ "\t\tpods that are neither mirror pods nor managed by "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete "
+#~ "any pods unless you\n"
+#~ "\t\tuse --force.  --force will also allow deletion to proceed if the "
+#~ "managing resource of one\n"
+#~ "\t\tor more pods is missing.\n"
+#~ "\n"
+#~ "\t\t'drain' waits for graceful termination. You should not operate on the "
+#~ "machine until\n"
+#~ "\t\tthe command completes.\n"
+#~ "\n"
+#~ "\t\tWhen you are ready to put the node back into service, use kubectl "
+#~ "uncordon, which\n"
+#~ "\t\twill make the node schedulable again.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDrain node in preparation for maintenance.\n"
+#~ "\n"
+#~ "\t\tThe given node will be marked unschedulable to prevent new pods from "
+#~ "arriving.\n"
+#~ "\t\t'drain' evicts the pods if the APIServer supports eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Otherwise, it will "
+#~ "use normal DELETE\n"
+#~ "\t\tto delete the pods.\n"
+#~ "\t\tThe 'drain' evicts or deletes all pods except mirror pods (which "
+#~ "cannot be deleted through\n"
+#~ "\t\tthe API server).  If there are DaemonSet-managed pods, drain will not "
+#~ "proceed\n"
+#~ "\t\twithout —ignore-daemonsets, and regardless it will not delete any\n"
+#~ "\t\tDaemonSet-managed pods, because those pods would be immediately "
+#~ "replaced by the\n"
+#~ "\t\tDaemonSet controller, which ignores unschedulable markings.  If there "
+#~ "are any\n"
+#~ "\t\tpods that are neither mirror pods nor managed by "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete "
+#~ "any pods unless you\n"
+#~ "\t\tuse —force.  —force will also allow deletion to proceed if the "
+#~ "managing resource of one\n"
+#~ "\t\tor more pods is missing.\n"
+#~ "\n"
+#~ "\t\t'drain' waits for graceful termination. You should not operate on the "
+#~ "machine until\n"
+#~ "\t\tthe command completes.\n"
+#~ "\n"
+#~ "\t\tWhen you are ready to put the node back into service, use kubectl "
+#~ "uncordon, which\n"
+#~ "\t\twill make the node schedulable again.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tEdit a resource from the default editor.\n"
+#~ "\n"
+#~ "\t\tThe edit command allows you to directly edit any API resource you can "
+#~ "retrieve via the\n"
+#~ "\t\tcommand line tools. It will open the editor defined by your "
+#~ "KUBE_EDITOR, or EDITOR\n"
+#~ "\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' "
+#~ "for Windows.\n"
+#~ "\t\tYou can edit multiple objects, although changes are applied one at a "
+#~ "time. The command\n"
+#~ "\t\taccepts filenames as well as command line arguments, although the "
+#~ "files you point to must\n"
+#~ "\t\tbe previously saved versions of resources.\n"
+#~ "\n"
+#~ "\t\tEditing is done with the API version used to fetch the resource.\n"
+#~ "\t\tTo edit using a specific API version, fully-qualify the resource, "
+#~ "version, and group.\n"
+#~ "\n"
+#~ "\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+#~ "\n"
+#~ "\t\tThe flag --windows-line-endings can be used to force Windows line "
+#~ "endings,\n"
+#~ "\t\totherwise the default for your operating system will be used.\n"
+#~ "\n"
+#~ "\t\tIn the event an error occurs while updating, a temporary file will be "
+#~ "created on disk\n"
+#~ "\t\tthat contains your unapplied changes. The most common error when "
+#~ "updating a resource\n"
+#~ "\t\tis another editor changing the resource on the server. When this "
+#~ "occurs, you will have\n"
+#~ "\t\tto apply your changes to the newer version of the resource, or update "
+#~ "your temporary\n"
+#~ "\t\tsaved copy to include the latest resource version."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tEdit a resource from the default editor.\n"
+#~ "\n"
+#~ "\t\tThe edit command allows you to directly edit any API resource you can "
+#~ "retrieve via the\n"
+#~ "\t\tcommand line tools. It will open the editor defined by your "
+#~ "KUBE_EDITOR, or EDITOR\n"
+#~ "\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' "
+#~ "for Windows.\n"
+#~ "\t\tYou can edit multiple objects, although changes are applied one at a "
+#~ "time. The command\n"
+#~ "\t\taccepts filenames as well as command line arguments, although the "
+#~ "files you point to must\n"
+#~ "\t\tbe previously saved versions of resources.\n"
+#~ "\n"
+#~ "\t\tEditing is done with the API version used to fetch the resource.\n"
+#~ "\t\tTo edit using a specific API version, fully-qualify the resource, "
+#~ "version, and group.\n"
+#~ "\n"
+#~ "\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+#~ "\n"
+#~ "\t\tThe flag —windows-line-endings can be used to force Windows line "
+#~ "endings,\n"
+#~ "\t\totherwise the default for your operating system will be used.\n"
+#~ "\n"
+#~ "\t\tIn the event an error occurs while updating, a temporary file will be "
+#~ "created on disk\n"
+#~ "\t\tthat contains your unapplied changes. The most common error when "
+#~ "updating a resource\n"
+#~ "\t\tis another editor changing the resource on the server. When this "
+#~ "occurs, you will have\n"
+#~ "\t\tto apply your changes to the newer version of the resource, or update "
+#~ "your temporary\n"
+#~ "\t\tsaved copy to include the latest resource version."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+#~ "\t\tThe shell code must be evaluated to provide interactive\n"
+#~ "\t\tcompletion of kubectl commands.  This can be done by sourcing it "
+#~ "from\n"
+#~ "\t\tthe .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNote: this requires the bash-completion framework, which is not "
+#~ "installed\n"
+#~ "\t\tby default on Mac.  This can be installed by using homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tOnce installed, bash_completion must be evaluated.  This can be done "
+#~ "by adding the\n"
+#~ "\t\tfollowing line to the .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNote for zsh users: [1] zsh completions are only supported in "
+#~ "versions of zsh >= 5.2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+#~ "\t\tThe shell code must be evaluated to provide interactive\n"
+#~ "\t\tcompletion of kubectl commands.  This can be done by sourcing it "
+#~ "from\n"
+#~ "\t\tthe .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNote: this requires the bash-completion framework, which is not "
+#~ "installed\n"
+#~ "\t\tby default on Mac.  This can be installed by using homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tOnce installed, bash_completion must be evaluated.  This can be done "
+#~ "by adding the\n"
+#~ "\t\tfollowing line to the .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew —prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNote for zsh users: [1] zsh completions are only supported in "
+#~ "versions of zsh >= 5.2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tPerform a rolling update of the given ReplicationController.\n"
+#~ "\n"
+#~ "\t\tReplaces the specified replication controller with a new replication "
+#~ "controller by updating one pod at a time to use the\n"
+#~ "\t\tnew PodTemplate. The new-controller.json must specify the same "
+#~ "namespace as the\n"
+#~ "\t\texisting replication controller and overwrite at least one (common) "
+#~ "label in its replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate."
+#~ "svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAplica uma atualização contínua em um ReplicationController.\n"
+#~ "\n"
+#~ "\t\tTroca o replication controller especificado por um novo replication "
+#~ "controller atualizando um pod por vez para utilizar o\n"
+#~ "\t\tnovo PodTemplate. O new-controller.json deve ser especificado no "
+#~ "mesmo namespace que o\n"
+#~ "\t\treplication controller existente e sobrescrever pelo menos uma label "
+#~ "comum  no seu replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate."
+#~ "svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tReplace a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. If replacing an existing "
+#~ "resource, the\n"
+#~ "\t\tcomplete resource spec must be provided. This can be obtained by\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tSubstitui um recurso pelo especificado em um arquivo ou via stdin.\n"
+#~ "\n"
+#~ "\t\tOs formatos JSON and YAML são aceitos. Quando substituindo recursos "
+#~ "existentes,\n"
+#~ "\t\t especificação completa do recurso deve ser fornecida. Isto pode ser "
+#~ "obtido com\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ "\n"
+#~ "\t\tConsulte os modelos em https://htmlpreview.github.io/?https://github."
+#~ "com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/definitions."
+#~ "html para descobrir se um campo é mutável."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tSet a new size for a Deployment, ReplicaSet, Replication Controller, "
+#~ "or Job.\n"
+#~ "\n"
+#~ "\t\tScale also allows users to specify one or more preconditions for the "
+#~ "scale action.\n"
+#~ "\n"
+#~ "\t\tIf --current-replicas or --resource-version is specified, it is "
+#~ "validated before the\n"
+#~ "\t\tscale is attempted, and it is guaranteed that the precondition holds "
+#~ "true when the\n"
+#~ "\t\tscale is sent to the server."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDefine um novo tamanho para um Deployment, ReplicaSet, Replication "
+#~ "Controller, ou Job.\n"
+#~ "\n"
+#~ "\t\tScale deixa os usuários especificar uma ou mais pre-condições para a "
+#~ "ação de scale.\n"
+#~ "\n"
+#~ "\t\tSe --current-replicas ou --resource-version forem especificados, será "
+#~ "validado antes\n"
+#~ "\t\tda tentativa de scale, e garante que a  pre-condição é verdadeira "
+#~ "quando\n"
+#~ "\t\to scale é enviado para o servidor."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tTo proxy all of the kubernetes api and nothing else, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tTo proxy only part of the kubernetes api and also some static files:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/api/v1/pods'.\n"
+#~ "\n"
+#~ "\t\tTo proxy the entire kubernetes api at a different root, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/custom/api/v1/pods'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tPara fazer o proxy the todas as apis do kubernetes, utilize:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy —api-prefix=/\n"
+#~ "\n"
+#~ "\t\tPara fazer o proxy de parte da api do kubernetes e alguns arquivos "
+#~ "estáticos:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy —www=/my/files —www-prefix=/static/ —api-prefix=/"
+#~ "api/\n"
+#~ "\n"
+#~ "\t\tCom os comandos acima você pode fazer 'curl localhost:8001/api/v1/"
+#~ "pods'.\n"
+#~ "\n"
+#~ "\t\tPara fazer o proxy the todas as apis do kubernetes em um caminho "
+#~ "diferente, utilize:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy —api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tCom o comando acima você pode fazer 'curl localhost:8001/custom/api/"
+#~ "v1/pods'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate field(s) of a resource using strategic merge patch\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tPlease refer to the models in https://htmlpreview.github.io/?https://"
+#~ "github.com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/"
+#~ "definitions.html to find if a field is mutable."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAtualiza o(s) campo(s) de um recurso usando strategic merge patch\n"
+#~ "\n"
+#~ "\t\tFormatos JSON e YAML são aceitos.\n"
+#~ "\n"
+#~ "\t\tConsulte os modelos em https://htmlpreview.github.io/?https://github."
+#~ "com/kubernetes/kubernetes/blob/HEAD/docs/api-reference/v1/definitions."
+#~ "html para descobrir se um campo é mutável."
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate the labels on a resource.\n"
+#~ "\n"
+#~ "\t\t* A label must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* If --overwrite is true, then existing labels can be overwritten, "
+#~ "otherwise attempting to overwrite a label will result in an error.\n"
+#~ "\t\t* If --resource-version is specified, then updates will use this "
+#~ "resource version, otherwise the existing resource-version will be used."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAtualiza labels em um recurso.\n"
+#~ "\n"
+#~ "\t\t* Um label deve começar com uma letra ou número, e pode conter letra, "
+#~ "números, hífens, pontos e sublinhados, com no máximo %[1]d caracteres.\n"
+#~ "\t\t* Se --overwrite for verdadeiro, então labels podem ser "
+#~ "sobreescritos, caso contrário a sobreescrita irá falhar.\n"
+#~ "\t\t* Se --resource-version for especificado, então as atualizações "
+#~ "usarão esta versão do recurso, caso contrário, a versão do recurso "
+#~ "existente será usada."
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate the taints on one or more nodes.\n"
+#~ "\n"
+#~ "\t\t* A taint consists of a key, value, and effect. As an argument here, "
+#~ "it is expressed as key=value:effect.\n"
+#~ "\t\t* The key must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+#~ "characters.\n"
+#~ "\t\t* The value must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[2]d "
+#~ "characters.\n"
+#~ "\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+#~ "\t\t* Currently taint can only apply to node."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tAtualiza os taints em um ou mais nodes.\n"
+#~ "\n"
+#~ "\t\t* Um taint consiste em uma chave, valor e efeito. Como arqgumento, é "
+#~ "expressado como chave=valor:efeito.\n"
+#~ "\t\t* Uma chave deve começar com uma letra ou número, e pode conter "
+#~ "letras, números, hífens, pontos e sublinhados, com no máximo %[1]d "
+#~ "caractéres.\n"
+#~ "\t\t* Um valor deve começar com uma letra ou número, e pode conter "
+#~ "letras, números, hífens, pontos e sublinhados, com no máximo %[2]d "
+#~ "caractéres.\n"
+#~ "\t\t* O efeito deve ser NoSchedule, PreferNoSchedule ou NoExecute.\n"
+#~ "\t\t* Atualmente taint pode ser aplicado apenas para nodes."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tView the latest last-applied-configuration annotations by type/name "
+#~ "or file.\n"
+#~ "\n"
+#~ "\t\tThe default output will be printed to stdout in YAML format. One can "
+#~ "use -o option\n"
+#~ "\t\tto change output format."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tView the latest last-applied-configuration annotations by type/name "
+#~ "or file.\n"
+#~ "\n"
+#~ "\t\tThe default output will be printed to stdout in YAML format. One can "
+#~ "use -o option\n"
+#~ "\t\tto change output format."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t    # !!!Important Note!!!\n"
+#~ "\t    # Requires that the 'tar' binary is present in your container\n"
+#~ "\t    # image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+#~ "\n"
+#~ "\t    # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod "
+#~ "in the default namespace\n"
+#~ "\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+#~ "\n"
+#~ "        # Copy /tmp/foo local file to /tmp/bar in a remote pod in a "
+#~ "specific container\n"
+#~ "\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+#~ "<some-namespace>\n"
+#~ "\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+#~ "\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+#~ msgstr ""
+#~ "\n"
+#~ "\t    # !!!Nota Importante!!!\n"
+#~ "\t    # Necessita que o binário 'tar' esteja presente na imagem do\n"
+#~ "\t    # container.  Se 'tar' não estiver presente, o 'kubectl cp' irá "
+#~ "falhar.\n"
+#~ "\n"
+#~ "\t    # Copia o diretório local /tmp/foo_dir para /tmp/bar_dir no pod "
+#~ "remoto no namespace default\n"
+#~ "\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+#~ "\n"
+#~ "        # Copia o arquivo local /tmp/foo para /tmp/bar no pod remoto no "
+#~ "container específico\n"
+#~ "\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+#~ "\n"
+#~ "\t\t# Copia o arquivo local /tmp/foo para /tmp/bar no pod remoto no "
+#~ "namespace <some-namespace>\n"
+#~ "\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+#~ "\n"
+#~ "\t\t# Copia /tmp/foo do pod remoto para /tmp/bar localmente\n"
+#~ "\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new TLS secret named tls-secret with the given key pair:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Cria um novo segredo TLS chamado tls-secret com o par the chaves "
+#~ "fornecido:\n"
+#~ "\t  kubectl create secret tls tls-secret —cert=path/to/tls.cert —key=path/"
+#~ "to/tls.key"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with keys for each file in "
+#~ "folder bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with specified keys instead of "
+#~ "names on disk\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with key1=supersecret and "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Cria um novo segredo chamado my-secret com as chaves para cada "
+#~ "arquivo no diretório bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Cria um novo segredo chamado my-secret com chaves especificadas em "
+#~ "vez dos nomes dos arquivos\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Cria um novo segredo chamado my-secret com key1=supersecret e "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t# Create a new ExternalName service named my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+#~ msgstr ""
+#~ "\n"
+#~ "\t# Cria um novo serviço do tipo ExternalName chamado my-ns \n"
+#~ "\tkubectl create service externalname my-ns —external-name bar.com"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs (in headless mode)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+#~ msgstr ""
+#~ "\n"
+#~ "    # Cria um novo serviço clusterIP chamado my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Cria um novo serviço clusterIP chamado my-cs (em modo headless)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new deployment named my-dep that runs the busybox image.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Cria um novo deployment chamado my-dep que executa uma imagem "
+#~ "busybox.\n"
+#~ "    kubectl create deployment my-dep —image=busybox"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new nodeport service named my-ns\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Cria um novo serviço nodeport chamado my-ns\n"
+#~ "    kubectl create service nodeport my-ns —tcp=5678:8080"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value "
+#~ "'my frontend'.\n"
+#~ "    # If the same annotation is set multiple times, only the last value "
+#~ "will be applied\n"
+#~ "    kubectl annotate pods foo description='my frontend'\n"
+#~ "\n"
+#~ "    # Update a pod identified by type and name in \"pod.json\"\n"
+#~ "    kubectl annotate -f pod.json description='my frontend'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value "
+#~ "'my frontend running nginx', overwriting any existing value.\n"
+#~ "    kubectl annotate --overwrite pods foo description='my frontend "
+#~ "running nginx'\n"
+#~ "\n"
+#~ "    # Update all pods in the namespace\n"
+#~ "    kubectl annotate pods --all description='my frontend running nginx'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "    kubectl annotate pods foo description='my frontend running nginx' --"
+#~ "resource-version=1\n"
+#~ "\n"
+#~ "    # Update pod 'foo' by removing an annotation named 'description' if "
+#~ "it exists.\n"
+#~ "    # Does not require the --overwrite flag.\n"
+#~ "    kubectl annotate pods foo description-"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Atualiza o pod 'foo' com a annotation 'description' e o valor 'my "
+#~ "frontend'.\n"
+#~ "    # Se a mesma annotation é configurada várias vezes, apenas o último "
+#~ "valor será utilizado\n"
+#~ "    kubectl annotate pods foo description='my frontend'\n"
+#~ "\n"
+#~ "    # Atualiza o pod identificado pelo tipo e nome definido no \"pod.json"
+#~ "\"\n"
+#~ "    kubectl annotate -f pod.json description='my frontend'\n"
+#~ "\n"
+#~ "    # Atualiza o pod 'foo' com a annotation 'description' e o valor 'my "
+#~ "frontend running nginx', sobreescrevendo qualquer valor existente.\n"
+#~ "    kubectl annotate --overwrite pods foo description='my frontend "
+#~ "running nginx'\n"
+#~ "\n"
+#~ "    # Atualiza todos os pods no namespace\n"
+#~ "    kubectl annotate pods --all description='my frontend running nginx'\n"
+#~ "\n"
+#~ "    # Atualiza o pod 'foo' apenas se o recurso não foi modificado na "
+#~ "versão 1.\n"
+#~ "    kubectl annotate pods foo description='my frontend running nginx' --"
+#~ "resource-version=1\n"
+#~ "\n"
+#~ "    # Atualiza o pod 'foo' removendo a annotation chamada 'description' "
+#~ "se ela existir.\n"
+#~ "    # Não necessita da flag --overwrite.\n"
+#~ "    kubectl annotate pods foo description-"
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a clusterIP service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Cria um serviço do tipo clusterIP com o nome especificado."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a deployment with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Cria um deployment com o nome especificado."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Create a nodeport service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Cria um serviço do tipo nodeport com o nome especificado."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Dumps cluster info out suitable for debugging and diagnosing cluster "
+#~ "problems.  By default, dumps everything to\n"
+#~ "    stdout. You can optionally specify a directory with --output-"
+#~ "directory.  If you specify a directory, kubernetes will\n"
+#~ "    build a set of files in that directory.  By default only dumps things "
+#~ "in the 'kube-system' namespace, but you can\n"
+#~ "    switch to a different namespace with the --namespaces flag, or "
+#~ "specify --all-namespaces to dump all namespaces.\n"
+#~ "\n"
+#~ "    The command also dumps the logs of all of the pods in the cluster, "
+#~ "these logs are dumped into different directories\n"
+#~ "    based on namespace and pod name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Coleta informações do cluster para debugar e diagnosticar problemas "
+#~ "do dele.  Por padrão, exibe tudo para o\n"
+#~ "    stdout. Você pode, se quiser, especificar um diretório com --output-"
+#~ "directory.  Se especificar o diretório, kubernetes irá\n"
+#~ "    montar um conjunto de arquivos no diretório.  Por padrão, apenas "
+#~ "coleta informações no namespace 'kube-system' , mas você pode\n"
+#~ "    trocar para um namespace diferente com a flag --namespaces, ou "
+#~ "especificar --all-namespaces para todos os namespaces.\n"
+#~ "\n"
+#~ "    O comando também coleta os logs de todos os pods no cluster, estes "
+#~ "logs são salvos em outros diretórios\n"
+#~ "    baseado no namespace e nome do pod."
+
+#~ msgid ""
+#~ "\n"
+#~ "  Display addresses of the master and services with label kubernetes.io/"
+#~ "cluster-service=true\n"
+#~ "  To further debug and diagnose cluster problems, use 'kubectl cluster-"
+#~ "info dump'."
+#~ msgstr ""
+#~ "\n"
+#~ "  Mostra os endereços dos servidores de gerenciamento e serviços com o "
+#~ "label kubernetes.io/cluster-service=true\n"
+#~ "  Para debugar e diagnosticar outros problemas do cluster, utilize "
+#~ "'kubectl cluster-info dump'."
+
+#~ msgid "A schedule in the Cron format the job should be run with."
+#~ msgstr "Agendamento no formato Cron em qual o job deve rodar."
+
+#~ msgid ""
+#~ "An inline JSON override for the generated service object. If this is non-"
+#~ "empty, it is used to override the generated object. Requires that the "
+#~ "object supply a valid apiVersion field.  Only used if --expose is true."
+#~ msgstr ""
+#~ "Uma substituição inline JSON para o objeto de serviço gerado. Se não "
+#~ "estiver vazio, ele será usado para substituir o objeto gerado. Requer que "
+#~ "o objeto forneça o campo apiVersion válido.  Usado apenas se --expose for "
+#~ "true."
+
+#~ msgid "Apply a configuration to a resource by filename or stdin"
+#~ msgstr ""
+#~ "Aplica a configuração para um recurso utilizado um nome de arquivo ou "
+#~ "stdin"
+
+#~ msgid "Auto-scale a Deployment, ReplicaSet, or ReplicationController"
+#~ msgstr "Auto-escala um Deployment, ReplicaSet ou ReplicationController"
+
+#~ msgid ""
+#~ "Container name which will have its image upgraded. Only relevant when --"
+#~ "image is specified, ignored otherwise. Required when using --image on a "
+#~ "multi-container pod"
+#~ msgstr ""
+#~ "Nome do contêiner que terá sua imagem atualizada. Relevante apenas quando "
+#~ "--image for especificado, caso contrário, ignorado. Obrigatório ao usar --"
+#~ "image em um pod com vários contêineres"
+
+#~ msgid "Create a ClusterRoleBinding for a particular ClusterRole"
+#~ msgstr "Cria um ClusterRoleBinding para um ClusterRole especifico"
+
+#~ msgid "Create a LoadBalancer service."
+#~ msgstr "Cria um serviço do tipo LoadBalancer."
+
+#~ msgid "Create a NodePort service."
+#~ msgstr "Cria um serviço do tipo NodePort."
+
+#~ msgid "Create a RoleBinding for a particular Role or ClusterRole"
+#~ msgstr "Cria um RoleBinding para uma Role ou ClusterRole especifico"
+
+#~ msgid "Create a clusterIP service."
+#~ msgstr "Cria um serviço do tipo clusterIP."
+
+#~ msgid "Create a configmap from a local file, directory or literal value"
+#~ msgstr ""
+#~ "Cria um configmap com base em um arquivo, diretório, ou um valor literal"
+
+#~ msgid "Create a deployment with the specified name."
+#~ msgstr "Cria um deployment com um nome especificado."
+
+#~ msgid "Create a pod disruption budget with the specified name."
+#~ msgstr "Cria um pod disruption budget com um nome especificado."
+
+#~ msgid "Create a quota with the specified name."
+#~ msgstr "Cria uma quota com um nome especificado."
+
+#~ msgid "Create a resource by filename or stdin"
+#~ msgstr "Cria um recurso por nome de arquivo ou stdin"
+
+#~ msgid "Create a secret from a local file, directory or literal value"
+#~ msgstr ""
+#~ "Cria um secret com base em um arquivo, diretório ou um valor literal"
+
+#~ msgid "Create a service using specified subcommand."
+#~ msgstr "Cria um service utilizando um sub-comando especificado."
+
+#~ msgid "Create an ExternalName service."
+#~ msgstr "Cria um serviço do tipo ExternalName."
+
+#~ msgid ""
+#~ "Delete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector"
+#~ msgstr ""
+#~ "Apaga os recusros por nome de arquivos, stdin, recursos e nomes, ou por "
+#~ "recursos e seletor de label"
+
+#~ msgid "Deprecated: Gracefully shut down a resource by name or filename"
+#~ msgstr "Descontinuado: Termina um recurso por nome ou nome de arquivo"
+
+#~ msgid "Display Resource (CPU/Memory) usage of nodes"
+#~ msgstr "Mostra a utilização de recursos (CPU/Memória) nos nodes"
+
+#~ msgid "Display Resource (CPU/Memory) usage of pods"
+#~ msgstr "Mostra a utilização de recursos (CPU/Memória) nos pods"
+
+#~ msgid "Display Resource (CPU/Memory) usage."
+#~ msgstr "Mostra a utilização de recursos (CPU/Memória)."
+
+#~ msgid "Display cluster info"
+#~ msgstr "Mostra as informações do cluster"
+
+#~ msgid "Displays the current-context"
+#~ msgstr "Mostra o contexto corrente"
+
+#~ msgid "Documentation of resources"
+#~ msgstr "Documentação dos recursos"
+
+#~ msgid "Dump lots of relevant info for debugging and diagnosis"
+#~ msgstr ""
+#~ "Realiza o dump de muitas informações relevantes para debugging e "
+#~ "diagnósticos"
+
+#~ msgid ""
+#~ "Explicit policy for when to pull container images. Required when --image "
+#~ "is same as existing image, ignored otherwise."
+#~ msgstr ""
+#~ "Política explícita para quando extrair imagens de contêiner. Obrigatório "
+#~ "quando --image for igual à imagem existente, caso contrário, será "
+#~ "ignorado."
+
+#~ msgid ""
+#~ "IP to assign to the Load Balancer. If empty, an ephemeral IP will be "
+#~ "created and used (cloud-provider specific)."
+#~ msgstr ""
+#~ "IP para ser alocado no Load Balancer. Se vazio, um IP efêmero será criado "
+#~ "e utilizado (específico para cada provedor cloud)."
+
+#~ msgid ""
+#~ "Image to use for upgrading the replication controller. Must be distinct "
+#~ "from the existing image (either new image or new image tag).  Can not be "
+#~ "used with --filename/-f"
+#~ msgstr ""
+#~ "Imagem a ser utilizada para atualizar o replication controller. Deve ser "
+#~ "diferente da imagem atual (pode ser uma nova imagem ou uma nova tag). Não "
+#~ "pode ser utilizada com —filename/-f"
+
+#~ msgid "Manage a deployment rollout"
+#~ msgstr "Gerencia um deployment rollout"
+
+#~ msgid ""
+#~ "Output the formatted object with the given group version (for ex: "
+#~ "'extensions/v1beta1').)"
+#~ msgstr ""
+#~ "Imprime o objeto formatado com a dada versão de grupo (por exemplo: "
+#~ "'extensions/v1beta1').)"
+
+#~ msgid "Perform a rolling update of the given ReplicationController"
+#~ msgstr "Executa uma atualização contínua"
+
+#~ msgid "Replace a resource by filename or stdin"
+#~ msgstr "Substitui um recurso por um nome de arquivo ou stdin"
+
+#~ msgid ""
+#~ "Set a new size for a Deployment, ReplicaSet, Replication Controller, or "
+#~ "Job"
+#~ msgstr ""
+#~ "Define um novo tamanho para um Deployment, ReplicaSet, Replication "
+#~ "Controller, ou Job"
+
+#~ msgid ""
+#~ "Set the last-applied-configuration annotation on a live object to match "
+#~ "the contents of a file."
+#~ msgstr ""
+#~ "Define a anotação last-applied-configuration em um objeto existente para "
+#~ "corresponder ao conteúdo do arquivo."
+
+#~ msgid "Sets a cluster entry in kubeconfig"
+#~ msgstr "Define um cluster no arquivo kubeconfig"
+
+#~ msgid "Sets a context entry in kubeconfig"
+#~ msgstr "Define um contexto no arquivo kubeconfig"
+
+#~ msgid "Sets a user entry in kubeconfig"
+#~ msgstr "Define um usuário no arquivo kubeconfig"
+
+#~ msgid "Sets an individual value in a kubeconfig file"
+#~ msgstr "Define um valor individual no arquivo kubeconfig"
+
+#~ msgid "Sets the current-context in a kubeconfig file"
+#~ msgstr "Define o current-context no arquivo kubeconfig"
+
+#~ msgid ""
+#~ "Take a replication controller, service, deployment or pod and expose it "
+#~ "as a new Kubernetes Service"
+#~ msgstr ""
+#~ "Pega um replication controlar, service, deployment ou pod e expõe como um "
+#~ "novo Serviço do Kubernetes"
+
+#~ msgid ""
+#~ "The key to use to differentiate between two different controllers, "
+#~ "default 'deployment'.  Only relevant when --image is specified, ignored "
+#~ "otherwise"
+#~ msgstr ""
+#~ "A chave utilizada para diferenciar entre dois controlares diferentes, "
+#~ "padrão 'deployment'.  Apenas relevante quando --image é especificado, é "
+#~ "ignorado caso contrário"
+
+#~ msgid ""
+#~ "The name of the API generator to use, see http://kubernetes.io/docs/user-"
+#~ "guide/kubectl-conventions/#generators for a list."
+#~ msgstr ""
+#~ "O nome do gerador de API a ser usado, veja a lista em http://kubernetes."
+#~ "io/docs/user-guide/kubectl-conventions/#generators."
+
+#~ msgid ""
+#~ "The name of the API generator to use. Currently there is only 1 generator."
+#~ msgstr ""
+#~ "O nome do gerador de API a ser usado. Atualmente existe apenas 1 gerador."
+
+#~ msgid ""
+#~ "The name of the generator to use for creating a service.  Only used if --"
+#~ "expose is true"
+#~ msgstr ""
+#~ "O nome do recurso para ser utilizado quando criando um serviço.  Apenas "
+#~ "utilizado se —expose é verdadeiro"
+
+#~ msgid ""
+#~ "The port that this container exposes.  If --expose is true, this is also "
+#~ "the port used by the service that is created."
+#~ msgstr ""
+#~ "A porta que o container expõe.  Se —expose é verdadeiro, esta também é a "
+#~ "porta utilizada pelo serviço quando for criado."
+
+#~ msgid ""
+#~ "The restart policy for this Pod.  Legal values [Always, OnFailure, "
+#~ "Never].  If set to 'Always' a deployment is created, if set to "
+#~ "'OnFailure' a job is created, if set to 'Never', a regular pod is "
+#~ "created. For the latter two --replicas must be 1.  Default 'Always', for "
+#~ "CronJobs `Never`."
+#~ msgstr ""
+#~ "A politica de restart para este Pod.  Possíveis valores [Always, "
+#~ "OnFailure, Never].  Se configurado para 'Always' um deployment é criado, "
+#~ "se configurado para 'OnFailure' um job é criado, se configurado para "
+#~ "'Never', um pod é criado. Para os dois últimos —replicas deve ser 1.  "
+#~ "Valor padrão 'Always', para CronJobs `Never`."
+
+#~ msgid ""
+#~ "Type for this service: ClusterIP, NodePort, or LoadBalancer. Default is "
+#~ "'ClusterIP'."
+#~ msgstr ""
+#~ "Tipo para este serviço: ClusterIP, NodePort, ou LoadBalancer. Valor "
+#~ "padrão é 'ClusterIP'."
+
+#~ msgid "Unsets an individual value in a kubeconfig file"
+#~ msgstr "Remover um valor individual do arquivo kubeconfig"
+
+#~ msgid "Update field(s) of a resource using strategic merge patch"
+#~ msgstr ""
+#~ "Atualizar o(s) campo(s) de um recurso usando a estratégia de merge patch"
+
+#~ msgid "Update image of a pod template"
+#~ msgstr "Atualizar a imagem de um template de pod"
+
+#~ msgid ""
+#~ "View latest last-applied-configuration annotations of a resource/object"
+#~ msgstr ""
+#~ "Visualizar a última anotação last-applied-configuration de um recurso/"
+#~ "objeto"
+
+#~ msgid "external name of service"
+#~ msgstr "nome externo do serviço"
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/template.pot b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/template.pot
new file mode 100644
index 0000000000..4e60cfc997
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/template.pot
@@ -0,0 +1,3291 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2023-06-27 12:09-0400\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:142
+msgid ""
+"\n"
+"\t\t\t# Approve CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate approve csr-sqgzp\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:185
+msgid ""
+"\n"
+"\t\t\t# Deny CSR 'csr-sqgzp'\n"
+"\t\t\tkubectl certificate deny csr-sqgzp\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:43
+msgid ""
+"\n"
+"\t\t\tModify kubeconfig files using subcommands like \"kubectl config set "
+"current-context my-context\".\n"
+"\n"
+"\t\t\tThe loading order follows these rules:\n"
+"\n"
+"\t\t\t1. If the --"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:44
+msgid ""
+"\n"
+"\t\t  # Create a cluster role binding for user1, user2, and group1 using the "
+"cluster-admin cluster role\n"
+"\t\t  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-"
+"admin --user=user1 --user=user2 --group=group1"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:57
+msgid ""
+"\n"
+"\t\t  # Create a new config map named my-config based on folder bar\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config with specified keys instead "
+"of file basenames on disk\n"
+"\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/file1."
+"txt --from-file=key2=/path/to/bar/file2.txt\n"
+"\n"
+"\t\t  # Create a new config map named my-config with key1=config1 and "
+"key2=config2\n"
+"\t\t  kubectl create configmap my-config --from-literal=key1=config1 --from-"
+"literal=key2=config2\n"
+"\n"
+"\t\t  # Create a new config map named my-config from the key=value pairs in "
+"the file\n"
+"\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+"\n"
+"\t\t  # Create a new config map named my-config from an env file\n"
+"\t\t  kubectl create configmap my-config --from-env-file=path/to/foo.env --"
+"from-env-file=path/to/bar.env"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:56
+msgid ""
+"\n"
+"\t\t  # If you do not already have a .dockercfg file, create a dockercfg "
+"secret directly\n"
+"\t\t  kubectl create secret docker-registry my-secret --docker-"
+"server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+"password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL\n"
+"\n"
+"\t\t  # Create a new secret named my-secret from ~/.docker/config.json\n"
+"\t\t  kubectl create secret docker-registry my-secret --from-file=."
+"dockerconfigjson=path/to/.docker/config.json"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:63
+msgid ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:41
+msgid ""
+"\n"
+"\t\t# !!!Important Note!!!\n"
+"\t\t# Requires that the 'tar' binary is present in your container\n"
+"\t\t# image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+"\t\t#\n"
+"\t\t# For advanced use cases, such as symlinks, wildcard expansion or\n"
+"\t\t# file mode preservation, consider using 'kubectl exec'.\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\ttar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- "
+"tar xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar "
+"xf - -C /tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in "
+"the default namespace\n"
+"\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific "
+"container\n"
+"\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+"\n"
+"\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+"<some-namespace>\n"
+"\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+"\n"
+"\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+"\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:153
+msgid ""
+"\n"
+"\t\t# Apply the configuration in pod.json to a pod\n"
+"\t\tkubectl apply -f ./pod.json\n"
+"\n"
+"\t\t# Apply resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl apply -k dir/\n"
+"\n"
+"\t\t# Apply the JSON passed into stdin to a pod\n"
+"\t\tcat pod.json | kubectl apply -f -\n"
+"\n"
+"\t\t# Apply the configuration from all files that end with '.json'\n"
+"\t\tkubectl apply -f '*.json'\n"
+"\n"
+"\t\t# Note: --prune is still in Alpha\n"
+"\t\t# Apply the configuration in manifest.yaml that matches label app=nginx "
+"and delete all other resources that are not in the file and match label "
+"app=nginx\n"
+"\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+"\n"
+"\t\t# Apply the configuration in manifest.yaml and delete all the other "
+"config maps that are not in the file\n"
+"\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/"
+"ConfigMap"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:50
+#, c-format
+msgid ""
+"\n"
+"\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 and "
+"10, no target CPU utilization specified so a default autoscaling policy will "
+"be used\n"
+"\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+"\n"
+"\t\t# Auto scale a replication controller \"foo\", with the number of pods "
+"between 1 and 5, target CPU utilization at 80%\n"
+"\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+msgstr ""
+
+#: pkg/kubectl/cmd/convert/convert.go:52
+msgid ""
+"\n"
+"\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+"\t\tkubectl convert -f pod.yaml\n"
+"\n"
+"\t\t# Convert the live state of the resource specified by 'pod.yaml' to the "
+"latest version\n"
+"\t\t# and print to stdout in JSON format.\n"
+"\t\tkubectl convert -f pod.yaml --local -o json\n"
+"\n"
+"\t\t# Convert all files under current directory to latest version and create "
+"them all.\n"
+"\t\tkubectl convert -f . | kubectl create -f -"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:41
+msgid ""
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" that allows user to perform "
+"\"get\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a cluster role named \"pod-reader\" with ResourceName "
+"specified\n"
+"\t\tkubectl create clusterrole pod-reader --verb=get --resource=pods --"
+"resource-name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with API Group specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=rs.apps\n"
+"\n"
+"\t\t# Create a cluster role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create clusterrole foo --verb=get,list,watch --resource=pods,"
+"pods/status\n"
+"\n"
+"\t\t# Create a cluster role name \"foo\" with NonResourceURL specified\n"
+"\t\tkubectl create clusterrole \"foo\" --verb=get --non-resource-url=/logs/"
+"*\n"
+"\n"
+"\t\t# Create a cluster role name \"monitoring\" with AggregationRule "
+"specified\n"
+"\t\tkubectl create clusterrole monitoring --aggregation-rule=\"rbac.example."
+"com/aggregate-to-monitoring=true\""
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:44
+msgid ""
+"\n"
+"\t\t# Create a job\n"
+"\t\tkubectl create job my-job --image=busybox\n"
+"\n"
+"\t\t# Create a job with a command\n"
+"\t\tkubectl create job my-job --image=busybox -- date\n"
+"\n"
+"\t\t# Create a job from a cron job named \"a-cronjob\"\n"
+"\t\tkubectl create job test-job --from=cronjob/a-cronjob"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:44
+msgid ""
+"\n"
+"\t\t# Create a new resource quota named my-quota\n"
+"\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,"
+"replicationcontrollers=2,resourcequotas=1,secrets=5,"
+"persistentvolumeclaims=10\n"
+"\n"
+"\t\t# Create a new resource quota named best-effort\n"
+"\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:44
+#, c-format
+msgid ""
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=rails label\n"
+"\t\t# and require at least one of them being available at any point in time\n"
+"\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+"available=1\n"
+"\n"
+"\t\t# Create a pod disruption budget named my-pdb that will select all pods "
+"with the app=nginx label\n"
+"\t\t# and require at least half of the pods selected to be available at any "
+"point in time\n"
+"\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:78
+msgid ""
+"\n"
+"\t\t# Create a pod using the data in pod.json\n"
+"\t\tkubectl create -f ./pod.json\n"
+"\n"
+"\t\t# Create a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl create -f -\n"
+"\n"
+"\t\t# Edit the data in registry.yaml in JSON then create the resource using "
+"the edited data\n"
+"\t\tkubectl create -f registry.yaml --edit -o json"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:43
+msgid ""
+"\n"
+"\t\t# Create a priority class named high-priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --"
+"description=\"high priority\"\n"
+"\n"
+"\t\t# Create a priority class named default-priority that is considered as "
+"the global default priority\n"
+"\t\tkubectl create priorityclass default-priority --value=1000 --global-"
+"default=true --description=\"default priority\"\n"
+"\n"
+"\t\t# Create a priority class named high-priority that cannot preempt pods "
+"with lower priority\n"
+"\t\tkubectl create priorityclass high-priority --value=1000 --"
+"description=\"high priority\" --preemption-policy=\"Never\""
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:43
+msgid ""
+"\n"
+"\t\t# Create a role binding for user1, user2, and group1 using the admin "
+"cluster role\n"
+"\t\tkubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+"user=user2 --group=group1\n"
+"\n"
+"\t\t# Create a role binding for serviceaccount monitoring:sa-dev using the "
+"admin role\n"
+"\t\tkubectl create rolebinding admin-binding --role=admin --"
+"serviceaccount=monitoring:sa-dev"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:46
+msgid ""
+"\n"
+"\t\t# Create a role named \"pod-reader\" that allows user to perform "
+"\"get\", \"watch\" and \"list\" on pods\n"
+"\t\tkubectl create role pod-reader --verb=get --verb=list --verb=watch --"
+"resource=pods\n"
+"\n"
+"\t\t# Create a role named \"pod-reader\" with ResourceName specified\n"
+"\t\tkubectl create role pod-reader --verb=get --resource=pods --resource-"
+"name=readablepod --resource-name=anotherpod\n"
+"\n"
+"\t\t# Create a role named \"foo\" with API Group specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=rs.apps\n"
+"\n"
+"\t\t# Create a role named \"foo\" with SubResource specified\n"
+"\t\tkubectl create role foo --verb=get,list,watch --resource=pods,pods/status"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:67
+msgid ""
+"\n"
+"\t\t# Create a service for a replicated nginx, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a replication controller identified by type and "
+"name specified in \"nginx-controller.yaml\", which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+"the name \"frontend\"\n"
+"\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+"\n"
+"\t\t# Create a second service based on the above service, exposing the "
+"container port 8443 as port 443 with the name \"nginx-https\"\n"
+"\t\tkubectl expose service nginx --port=443 --target-port=8443 --name=nginx-"
+"https\n"
+"\n"
+"\t\t# Create a service for a replicated streaming application on port 4100 "
+"balancing UDP traffic and named 'video-stream'.\n"
+"\t\tkubectl expose rc streamer --port=4100 --protocol=UDP --name=video-"
+"stream\n"
+"\n"
+"\t\t# Create a service for a replicated nginx using replica set, which "
+"serves on port 80 and connects to the containers on port 8000\n"
+"\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+"\n"
+"\t\t# Create a service for an nginx deployment, which serves on port 80 and "
+"connects to the containers on port 8000\n"
+"\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:64
+msgid ""
+"\n"
+"\t\t# Create a single ingress called 'simple' that directs requests to foo."
+"com/bar to svc\n"
+"\t\t# svc1:8080 with a TLS secret \"my-cert\"\n"
+"\t\tkubectl create ingress simple --rule=\"foo.com/bar=svc1:8080,tls=my-"
+"cert\"\n"
+"\n"
+"\t\t# Create a catch all ingress of \"/path\" pointing to service svc:port "
+"and Ingress Class as \"otheringress\"\n"
+"\t\tkubectl create ingress catch-all --class=otheringress --rule=\"/path=svc:"
+"port\"\n"
+"\n"
+"\t\t# Create an ingress with two annotations: ingress.annotation1 and "
+"ingress.annotations2\n"
+"\t\tkubectl create ingress annotated --class=default --rule=\"foo.com/"
+"bar=svc:port\" \\\n"
+"\t\t\t--annotation ingress.annotation1=foo \\\n"
+"\t\t\t--annotation ingress.annotation2=bla\n"
+"\n"
+"\t\t# Create an ingress with the same host and multiple paths\n"
+"\t\tkubectl create ingress multipath --class=default \\\n"
+"\t\t\t--rule=\"foo.com/=svc:port\" \\\n"
+"\t\t\t--rule=\"foo.com/admin/=svcadmin:portadmin\"\n"
+"\n"
+"\t\t# Create an ingress with multiple hosts and the pathType as Prefix\n"
+"\t\tkubectl create ingress ingress1 --class=default \\\n"
+"\t\t\t--rule=\"foo.com/path*=svc:8080\" \\\n"
+"\t\t\t--rule=\"bar.com/admin*=svc2:http\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using the default ingress "
+"certificate and different path types\n"
+"\t\tkubectl create ingress ingtls --class=default \\\n"
+"\t\t   --rule=\"foo.com/=svc:https,tls\" \\\n"
+"\t\t   --rule=\"foo.com/path/subpath*=othersvc:8080\"\n"
+"\n"
+"\t\t# Create an ingress with TLS enabled using a specific secret and "
+"pathType as Prefix\n"
+"\t\tkubectl create ingress ingsecret --class=default \\\n"
+"\t\t   --rule=\"foo.com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t# Create an ingress with a default backend\n"
+"\t\tkubectl create ingress ingdefault --class=default \\\n"
+"\t\t   --default-backend=defaultsvc:http \\\n"
+"\t\t   --rule=\"foo.com/*=svc:8080,tls=secret1\"\n"
+"\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:78
+msgid ""
+"\n"
+"\t\t# Create an interactive debugging session in pod mypod and immediately "
+"attach to it.\n"
+"\t\tkubectl debug mypod -it --image=busybox\n"
+"\n"
+"\t\t# Create an interactive debugging session for the pod in the file pod."
+"yaml and immediately attach to it.\n"
+"\t\t# (requires the EphemeralContainers feature to be enabled in the "
+"cluster)\n"
+"\t\tkubectl debug -f pod.yaml -it --image=busybox\n"
+"\n"
+"\t\t# Create a debug container named debugger using a custom automated "
+"debugging image.\n"
+"\t\tkubectl debug --image=myproj/debug-tools -c debugger mypod\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and attach to it\n"
+"\t\tkubectl debug mypod -it --image=busybox --copy-to=my-debugger\n"
+"\n"
+"\t\t# Create a copy of mypod changing the command of mycontainer\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --container=mycontainer -- "
+"sh\n"
+"\n"
+"\t\t# Create a copy of mypod changing all container images to busybox\n"
+"\t\tkubectl debug mypod --copy-to=my-debugger --set-image=*=busybox\n"
+"\n"
+"\t\t# Create a copy of mypod adding a debug container and changing container "
+"images\n"
+"\t\tkubectl debug mypod -it --copy-to=my-debugger --image=debian --set-"
+"image=app=app:debug,sidecar=sidecar:debug\n"
+"\n"
+"\t\t# Create an interactive debugging session on a node and immediately "
+"attach to it.\n"
+"\t\t# The container will run in the host namespaces and the host's "
+"filesystem will be mounted at /host\n"
+"\t\tkubectl debug node/mynode -it --image=busybox\n"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:80
+msgid ""
+"\n"
+"\t\t# Delete a pod using the type and name specified in pod.json\n"
+"\t\tkubectl delete -f ./pod.json\n"
+"\n"
+"\t\t# Delete resources from a directory containing kustomization.yaml - e.g. "
+"dir/kustomization.yaml\n"
+"\t\tkubectl delete -k dir\n"
+"\n"
+"\t\t# Delete resources from all files that end with '.json'\n"
+"\t\tkubectl delete -f '*.json'\n"
+"\n"
+"\t\t# Delete a pod based on the type and name in the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl delete -f -\n"
+"\n"
+"\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+"\t\tkubectl delete pod,service baz foo\n"
+"\n"
+"\t\t# Delete pods and services with label name=myLabel\n"
+"\t\tkubectl delete pods,services -l name=myLabel\n"
+"\n"
+"\t\t# Delete a pod with minimal delay\n"
+"\t\tkubectl delete pod foo --now\n"
+"\n"
+"\t\t# Force delete a pod on a dead node\n"
+"\t\tkubectl delete pod foo --force\n"
+"\n"
+"\t\t# Delete all pods\n"
+"\t\tkubectl delete pods --all"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:51
+msgid ""
+"\n"
+"\t\t# Describe a node\n"
+"\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+"\n"
+"\t\t# Describe a pod\n"
+"\t\tkubectl describe pods/nginx\n"
+"\n"
+"\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+"\t\tkubectl describe -f pod.json\n"
+"\n"
+"\t\t# Describe all pods\n"
+"\t\tkubectl describe pods\n"
+"\n"
+"\t\t# Describe pods by label name=myLabel\n"
+"\t\tkubectl describe pods -l name=myLabel\n"
+"\n"
+"\t\t# Describe all pods managed by the 'frontend' replication controller\n"
+"\t\t# (rc-created pods get the name of the rc as a prefix in the pod name)\n"
+"\t\tkubectl describe pods frontend"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:75
+msgid ""
+"\n"
+"\t\t# Diff resources included in pod.json\n"
+"\t\tkubectl diff -f pod.json\n"
+"\n"
+"\t\t# Diff file read from stdin\n"
+"\t\tcat service.yaml | kubectl diff -f -"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:140
+msgid ""
+"\n"
+"\t\t# Drain node \"foo\", even if there are pods not managed by a "
+"replication controller, replica set, job, daemon set, or stateful set on it\n"
+"\t\tkubectl drain foo --force\n"
+"\n"
+"\t\t# As above, but abort if there are pods not managed by a replication "
+"controller, replica set, job, daemon set, or stateful set, and use a grace "
+"period of 15 minutes\n"
+"\t\tkubectl drain foo --grace-period=900"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:60
+msgid ""
+"\n"
+"\t\t# Edit the service named 'registry'\n"
+"\t\tkubectl edit svc/registry\n"
+"\n"
+"\t\t# Use an alternative editor\n"
+"\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/registry\n"
+"\n"
+"\t\t# Edit the job 'myjob' in JSON using the v1 API format\n"
+"\t\tkubectl edit job.v1.batch/myjob -o json\n"
+"\n"
+"\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+"config in its annotation\n"
+"\t\tkubectl edit deployment/mydeployment -o yaml --save-config\n"
+"\n"
+"\t\t# Edit the 'status' subresource for the 'mydeployment' deployment\n"
+"\t\tkubectl edit deployment mydeployment --subresource='status'"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:47
+msgid ""
+"\n"
+"\t\t# Get output from running pod mypod; use the 'kubectl.kubernetes.io/"
+"default-container' annotation\n"
+"\t\t# for selecting the container to be attached or the first container in "
+"the pod will be chosen\n"
+"\t\tkubectl attach mypod\n"
+"\n"
+"\t\t# Get output from ruby-container from pod mypod\n"
+"\t\tkubectl attach mypod -c ruby-container\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl attach mypod -c ruby-container -i -t\n"
+"\n"
+"\t\t# Get output from the first pod of a replica set named nginx\n"
+"\t\tkubectl attach rs/nginx\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:50
+msgid ""
+"\n"
+"\t\t# Get output from running the 'date' command from pod mypod, using the "
+"first container by default\n"
+"\t\tkubectl exec mypod -- date\n"
+"\n"
+"\t\t# Get output from running the 'date' command in ruby-container from pod "
+"mypod\n"
+"\t\tkubectl exec mypod -c ruby-container -- date\n"
+"\n"
+"\t\t# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container "
+"from pod mypod\n"
+"\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+"\t\tkubectl exec mypod -c ruby-container -i -t -- bash -il\n"
+"\n"
+"\t\t# List contents of /usr from the first container of pod mypod and sort "
+"by modification time\n"
+"\t\t# If the command you want to execute in the pod has any flags in common "
+"(e.g. -i),\n"
+"\t\t# you must use two dashes (--) to separate your command's flags/"
+"arguments\n"
+"\t\t# Also note, do not surround your command and its flags/arguments with "
+"quotes\n"
+"\t\t# unless that is how you would execute it normally (i.e., do ls -t /usr, "
+"not \"ls -t /usr\")\n"
+"\t\tkubectl exec mypod -i -t -- ls -t /usr\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"deployment mydeployment, using the first container by default\n"
+"\t\tkubectl exec deploy/mydeployment -- date\n"
+"\n"
+"\t\t# Get output from running 'date' command from the first pod of the "
+"service myservice, using the first container by default\n"
+"\t\tkubectl exec svc/myservice -- date\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:47
+msgid ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get all the fields in the resource\n"
+"\t\tkubectl explain pods --recursive\n"
+"\n"
+"\t\t# Get the explanation for deployment in supported api versions\n"
+"\t\tkubectl explain deployments --api-version=apps/v1\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers\n"
+"\t\t\n"
+"\t\t# Get the documentation of resources in different format\n"
+"\t\tkubectl explain deployment --output=plaintext-openapiv2"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:66
+msgid ""
+"\n"
+"\t\t# Installing bash completion on macOS using homebrew\n"
+"\t\t## If running Bash 3.2 included with macOS\n"
+"\t\t    brew install bash-completion\n"
+"\t\t## or, if running Bash 4.1+\n"
+"\t\t    brew install bash-completion@2\n"
+"\t\t## If kubectl is installed via homebrew, this should start working "
+"immediately\n"
+"\t\t## If you've installed via other means, you may need add the completion "
+"to your completion directory\n"
+"\t\t    kubectl completion bash > $(brew --prefix)/etc/bash_completion.d/"
+"kubectl\n"
+"\n"
+"\n"
+"\t\t# Installing bash completion on Linux\n"
+"\t\t## If bash-completion is not installed on Linux, install the 'bash-"
+"completion' package\n"
+"\t\t## via your distribution's package manager.\n"
+"\t\t## Load the kubectl completion code for bash into the current shell\n"
+"\t\t    source <(kubectl completion bash)\n"
+"\t\t## Write bash completion code to a file and source it from ."
+"bash_profile\n"
+"\t\t    kubectl completion bash > ~/.kube/completion.bash.inc\n"
+"\t\t    printf \"\n"
+"\t\t      # kubectl shell completion\n"
+"\t\t      source '$HOME/.kube/completion.bash.inc'\n"
+"\t\t      \" >> $HOME/.bash_profile\n"
+"\t\t    source $HOME/.bash_profile\n"
+"\n"
+"\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+"\t\t    source <(kubectl completion zsh)\n"
+"\t\t# Set the kubectl completion code for zsh[1] to autoload on startup\n"
+"\t\t    kubectl completion zsh > \"${fpath[1]}/_kubectl\"\n"
+"\n"
+"\n"
+"\t\t# Load the kubectl completion code for fish[2] into the current shell\n"
+"\t\t    kubectl completion fish | source\n"
+"\t\t# To load completions for each session, execute once:\n"
+"\t\t    kubectl completion fish > ~/.config/fish/completions/kubectl.fish\n"
+"\n"
+"\t\t# Load the kubectl completion code for powershell into the current "
+"shell\n"
+"\t\t    kubectl completion powershell | Out-String | Invoke-Expression\n"
+"\t\t# Set kubectl completion code for powershell to run on startup\n"
+"\t\t## Save completion code to a script and execute in the profile\n"
+"\t\t    kubectl completion powershell > $HOME\\.kube\\completion.ps1\n"
+"\t\t    Add-Content $PROFILE \"$HOME\\.kube\\completion.ps1\"\n"
+"\t\t## Execute completion code in the profile\n"
+"\t\t    Add-Content $PROFILE \"if (Get-Command kubectl -ErrorAction "
+"SilentlyContinue) {\n"
+"\t\t        kubectl completion powershell | Out-String | Invoke-Expression\n"
+"\t\t    }\"\n"
+"\t\t## Add completion code directly to the $PROFILE script\n"
+"\t\t    kubectl completion powershell >> $PROFILE"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:46
+msgid ""
+"\n"
+"\t\t# List all available plugins\n"
+"\t\tkubectl plugin list"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:100
+msgid ""
+"\n"
+"\t\t# List all pods in ps output format\n"
+"\t\tkubectl get pods\n"
+"\n"
+"\t\t# List all pods in ps output format with more information (such as node "
+"name)\n"
+"\t\tkubectl get pods -o wide\n"
+"\n"
+"\t\t# List a single replication controller with specified NAME in ps output "
+"format\n"
+"\t\tkubectl get replicationcontroller web\n"
+"\n"
+"\t\t# List deployments in JSON output format, in the \"v1\" version of the "
+"\"apps\" API group\n"
+"\t\tkubectl get deployments.v1.apps -o json\n"
+"\n"
+"\t\t# List a single pod in JSON output format\n"
+"\t\tkubectl get -o json pod web-pod-13je7\n"
+"\n"
+"\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+"JSON output format\n"
+"\t\tkubectl get -f pod.yaml -o json\n"
+"\n"
+"\t\t# List resources from a directory with kustomization.yaml - e.g. dir/"
+"kustomization.yaml\n"
+"\t\tkubectl get -k dir/\n"
+"\n"
+"\t\t# Return only the phase value of the specified pod\n"
+"\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status.phase}}\n"
+"\n"
+"\t\t# List resource information in custom columns\n"
+"\t\tkubectl get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0]."
+"name,IMAGE:.spec.containers[0].image\n"
+"\n"
+"\t\t# List all replication controllers and services together in ps output "
+"format\n"
+"\t\tkubectl get rc,services\n"
+"\n"
+"\t\t# List one or more resources by their type and names\n"
+"\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+"\n"
+"\t\t# List the 'status' subresource for a single pod\n"
+"\t\tkubectl get pod web-pod-13je7 --subresource status"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:73
+msgid ""
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 5000 6000\n"
+"\n"
+"\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+"5000 and 6000 in a pod selected by the deployment\n"
+"\t\tkubectl port-forward deployment/mydeployment 5000 6000\n"
+"\n"
+"\t\t# Listen on port 8443 locally, forwarding to the targetPort of the "
+"service's port named \"https\" in a pod selected by the service\n"
+"\t\tkubectl port-forward service/myservice 8443:https\n"
+"\n"
+"\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on all addresses, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000\n"
+"\n"
+"\t\t# Listen on port 8888 on localhost and selected IP, forwarding to 5000 "
+"in the pod\n"
+"\t\tkubectl port-forward --address localhost,10.19.21.23 pod/mypod "
+"8888:5000\n"
+"\n"
+"\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+"\t\tkubectl port-forward pod/mypod :5000"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:89
+msgid ""
+"\n"
+"\t\t# Mark node \"foo\" as schedulable\n"
+"\t\tkubectl uncordon foo"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:60
+msgid ""
+"\n"
+"\t\t# Mark node \"foo\" as unschedulable\n"
+"\t\tkubectl cordon foo"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:89
+msgid ""
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as JSON\n"
+"\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Partially update a node using a strategic merge patch, specifying the "
+"patch as YAML\n"
+"\t\tkubectl patch node k8s-node-1 -p $'spec:\n"
+" unschedulable: true'\n"
+"\n"
+"\t\t# Partially update a node identified by the type and name specified in "
+"\"node.json\" using strategic merge patch\n"
+"\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+"\n"
+"\t\t# Update a container's image; spec.containers[*].name is required "
+"because it's a merge key\n"
+"\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+"\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+"\n"
+"\t\t# Update a container's image using a JSON patch with positional arrays\n"
+"\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+"\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'\n"
+"\n"
+"\t\t# Update a deployment's replicas through the 'scale' subresource using a "
+"merge patch\n"
+"\t\tkubectl patch deployment nginx-deployment --subresource='scale' --"
+"type='merge' -p '{\"spec\":{\"replicas\":2}}'"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:29
+msgid ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:45
+msgid ""
+"\n"
+"\t\t# Print the address of the control plane and cluster services\n"
+"\t\tkubectl cluster-info"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:49
+msgid ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:35
+msgid ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:57
+msgid ""
+"\n"
+"\t\t# Replace a pod using the data in pod.json\n"
+"\t\tkubectl replace -f ./pod.json\n"
+"\n"
+"\t\t# Replace a pod based on the JSON passed into stdin\n"
+"\t\tcat pod.json | kubectl replace -f -\n"
+"\n"
+"\t\t# Update a single-container pod's image version (tag) to v4\n"
+"\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/\\1:v4/' "
+"| kubectl replace -f -\n"
+"\n"
+"\t\t# Force replace, delete and then re-create the resource\n"
+"\t\tkubectl replace --force -f ./pod.json"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:55
+msgid ""
+"\n"
+"\t\t# Return snapshot logs from pod nginx with only one container\n"
+"\t\tkubectl logs nginx\n"
+"\n"
+"\t\t# Return snapshot logs from pod nginx with multi containers\n"
+"\t\tkubectl logs nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Return snapshot of previous terminated ruby container logs from pod "
+"web-1\n"
+"\t\tkubectl logs -p -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+"\t\tkubectl logs -f -c ruby web-1\n"
+"\n"
+"\t\t# Begin streaming the logs from all containers in pods defined by label "
+"app=nginx\n"
+"\t\tkubectl logs -f -l app=nginx --all-containers=true\n"
+"\n"
+"\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+"\t\tkubectl logs --tail=20 nginx\n"
+"\n"
+"\t\t# Show all logs from pod nginx written in the last hour\n"
+"\t\tkubectl logs --since=1h nginx\n"
+"\n"
+"\t\t# Show logs from a kubelet with an expired serving certificate\n"
+"\t\tkubectl logs --insecure-skip-tls-verify-backend nginx\n"
+"\n"
+"\t\t# Return snapshot logs from first container of a job named hello\n"
+"\t\tkubectl logs job/hello\n"
+"\n"
+"\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+"nginx\n"
+"\t\tkubectl logs deployment/nginx -c nginx-1"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:50
+msgid ""
+"\n"
+"\t\t# Scale a replica set named 'foo' to 3\n"
+"\t\tkubectl scale --replicas=3 rs/foo\n"
+"\n"
+"\t\t# Scale a resource identified by type and name specified in \"foo.yaml\" "
+"to 3\n"
+"\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+"\n"
+"\t\t# If the deployment named mysql's current size is 2, scale mysql to 3\n"
+"\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+"\n"
+"\t\t# Scale multiple replication controllers\n"
+"\t\tkubectl scale --replicas=5 rc/example1 rc/example2 rc/example3\n"
+"\n"
+"\t\t# Scale stateful set named 'web' to 3\n"
+"\t\tkubectl scale --replicas=3 statefulset/web"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:75
+msgid ""
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+"\n"
+"\t\t# Execute set-last-applied against each configuration file in a "
+"directory\n"
+"\t\tkubectl apply set-last-applied -f path/\n"
+"\n"
+"\t\t# Set the last-applied-configuration of a resource to match the contents "
+"of a file; will create the annotation if it does not already exist\n"
+"\t\tkubectl apply set-last-applied -f deploy.yaml --create-annotation=true\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:76
+msgid ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:63
+msgid ""
+"\n"
+"\t\t# Start a nginx pod\n"
+"\t\tkubectl run nginx --image=nginx\n"
+"\n"
+"\t\t# Start a hazelcast pod and let the container expose port 5701\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --port=5701\n"
+"\n"
+"\t\t# Start a hazelcast pod and set environment variables "
+"\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --"
+"env=\"DNS_DOMAIN=cluster\" --env=\"POD_NAMESPACE=default\"\n"
+"\n"
+"\t\t# Start a hazelcast pod and set labels \"app=hazelcast\" and "
+"\"env=prod\" in the container\n"
+"\t\tkubectl run hazelcast --image=hazelcast/hazelcast --"
+"labels=\"app=hazelcast,env=prod\"\n"
+"\n"
+"\t\t# Dry run; print the corresponding API objects without creating them\n"
+"\t\tkubectl run nginx --image=nginx --dry-run=client\n"
+"\n"
+"\t\t# Start a nginx pod, but overload the spec with a partial set of values "
+"parsed from JSON\n"
+"\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": \"v1\", "
+"\"spec\": { ... } }'\n"
+"\n"
+"\t\t# Start a busybox pod and keep it in the foreground, don't restart it if "
+"it exits\n"
+"\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+"\n"
+"\t\t# Start the nginx pod using the default command, but use custom "
+"arguments (arg1 .. argN) for that command\n"
+"\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+"\n"
+"\t\t# Start the nginx pod using a different command and custom arguments\n"
+"\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:78
+msgid ""
+"\n"
+"\t\t# To proxy all of the Kubernetes API and nothing else\n"
+"\t\tkubectl proxy --api-prefix=/\n"
+"\n"
+"\t\t# To proxy only part of the Kubernetes API and also some static files\n"
+"\t\t# You can get pods info with 'curl localhost:8001/api/v1/pods'\n"
+"\t\tkubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/\n"
+"\n"
+"\t\t# To proxy the entire Kubernetes API at a different root\n"
+"\t\t# You can get pods info with 'curl localhost:8001/custom/api/v1/pods'\n"
+"\t\tkubectl proxy --api-prefix=/custom/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on port 8011, serving static "
+"content from ./local/www/\n"
+"\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server on an arbitrary local port\n"
+"\t\t# The chosen port for the server will be output to stdout\n"
+"\t\tkubectl proxy --port=0\n"
+"\n"
+"\t\t# Run a proxy to the Kubernetes API server, changing the API prefix to "
+"k8s-api\n"
+"\t\t# This makes e.g. the pods API available at localhost:8001/k8s-api/v1/"
+"pods/\n"
+"\t\tkubectl proxy --api-prefix=/k8s-api"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:81
+msgid ""
+"\n"
+"\t\t# Update node 'foo' with a taint with key 'dedicated' and value 'special-"
+"user' and effect 'NoSchedule'\n"
+"\t\t# If a taint with that key and effect already exists, its value is "
+"replaced as specified\n"
+"\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+"\n"
+"\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+"'NoSchedule' if one exists\n"
+"\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+"\n"
+"\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+"\t\tkubectl taint nodes foo dedicated-\n"
+"\n"
+"\t\t# Add a taint with key 'dedicated' on nodes having label myLabel=X\n"
+"\t\tkubectl taint node -l myLabel=X  dedicated=foo:PreferNoSchedule\n"
+"\n"
+"\t\t# Add to node 'foo' a taint with key 'bar' and no value\n"
+"\t\tkubectl taint nodes foo bar:NoSchedule"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:101
+msgid ""
+"\n"
+"\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'\n"
+"\t\tkubectl label pods foo unhealthy=true\n"
+"\n"
+"\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+"overwriting any existing value\n"
+"\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+"\n"
+"\t\t# Update all pods in the namespace\n"
+"\t\tkubectl label pods --all status=unhealthy\n"
+"\n"
+"\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+"\t\tkubectl label -f pod.json status=unhealthy\n"
+"\n"
+"\t\t# Update pod 'foo' only if the resource is unchanged from version 1\n"
+"\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+"\n"
+"\t\t# Update pod 'foo' by removing a label named 'bar' if it exists\n"
+"\t\t# Does not require the --overwrite flag\n"
+"\t\tkubectl label pods foo bar-"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:54
+msgid ""
+"\n"
+"\t\t# View the last-applied-configuration annotations by type/name in YAML\n"
+"\t\tkubectl apply view-last-applied deployment/nginx\n"
+"\n"
+"\t\t# View the last-applied-configuration annotations by file in JSON\n"
+"\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:67
+msgid ""
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to contain the status condition of type "
+"\"Ready\"\n"
+"\t\tkubectl wait --for=condition=Ready pod/busybox1\n"
+"\n"
+"\t\t# The default value of status condition is true; you can wait for other "
+"targets after an equal delimiter (compared after Unicode simple case "
+"folding, which is a more general form of case-insensitivity)\n"
+"\t\tkubectl wait --for=condition=Ready=false pod/busybox1\n"
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to contain the status phase to be "
+"\"Running\"\n"
+"\t\tkubectl wait --for=jsonpath='{.status.phase}'=Running pod/busybox1\n"
+"\n"
+"\t\t# Wait for the pod \"busybox1\" to be deleted, with a timeout of 60s, "
+"after having issued the \"delete\" command\n"
+"\t\tkubectl delete pod/busybox1\n"
+"\t\tkubectl wait --for=delete pod/busybox1 --timeout=60s"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:144
+msgid ""
+"\n"
+"\t\tApply a configuration to a resource by file name or stdin.\n"
+"\t\tThe resource name must be specified. This resource will be created if it "
+"doesn't exist yet.\n"
+"\t\tTo use 'apply', always create the resource initially with either 'apply' "
+"or 'create --save-config'.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted.\n"
+"\n"
+"\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do not "
+"use unless you are aware of what the current state is. See https://issues."
+"k8s.io/34274."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:130
+msgid ""
+"\n"
+"\t\tApprove a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate approve allows a cluster admin to approve a "
+"certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tissue a certificate to the requester with the attributes requested in "
+"the CSR.\n"
+"\n"
+"\t\tSECURITY NOTICE: Depending on the requested attributes, the issued "
+"certificate\n"
+"\t\tcan potentially grant a requester access to cluster resources or to "
+"authenticate\n"
+"\t\tas a requested identity. Before approving a CSR, ensure you understand "
+"what the\n"
+"\t\tsigned certificate can do.\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:30
+msgid ""
+"\n"
+"\t\tConfigure application resources.\n"
+"\n"
+"\t\tThese commands help you make changes to existing application resources."
+msgstr ""
+
+#: pkg/kubectl/cmd/convert/convert.go:41
+msgid ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use "
+"-o option\n"
+"\t\tto change to output destination."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:41
+msgid ""
+"\n"
+"\t\tCreate a TLS secret from the given public/private key pair.\n"
+"\n"
+"\t\tThe public/private key pair must exist beforehand. The public key "
+"certificate must be .PEM encoded and match\n"
+"\t\tthe given private key."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:41
+msgid ""
+"\n"
+"\t\tCreate a cluster role binding for a particular cluster role."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:38
+msgid ""
+"\n"
+"\t\tCreate a cluster role."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:45
+msgid ""
+"\n"
+"\t\tCreate a config map based on a file, directory, or specified literal "
+"value.\n"
+"\n"
+"\t\tA single config map may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a config map based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content.  If the basename is an invalid key, you may "
+"specify an alternate key.\n"
+"\n"
+"\t\tWhen creating a config map based on a directory, each file whose "
+"basename is a valid key in the directory will be\n"
+"\t\tpackaged into the config map.  Any directory entries except regular "
+"files are ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_cronjob.go:41
+msgid ""
+"\n"
+"\t\tCreate a cron job with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:41
+msgid ""
+"\n"
+"\t\tCreate a job with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:40
+msgid ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:41
+msgid ""
+"\n"
+"\t\tCreate a new secret for use with Docker registries.\n"
+"\n"
+"\t\tDockercfg secrets are used to authenticate against Docker registries.\n"
+"\n"
+"\t\tWhen using the Docker command line to push images, you can authenticate "
+"to a given registry by running:\n"
+"\t\t\t'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+"password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+"\n"
+"\tThat produces a ~/.dockercfg file that is used by subsequent 'docker push' "
+"and 'docker pull' commands to\n"
+"\t\tauthenticate to the registry. The email address is optional.\n"
+"\n"
+"\t\tWhen creating applications, you may have a Docker registry that requires "
+"authentication.  In order for the\n"
+"\t\tnodes to pull images on your behalf, they must have the credentials.  "
+"You can provide this information\n"
+"\t\tby creating a dockercfg secret and attaching it to your service account."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:41
+msgid ""
+"\n"
+"\t\tCreate a pod disruption budget with the specified name, selector, and "
+"desired minimum available pods."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:40
+msgid ""
+"\n"
+"\t\tCreate a priority class with the specified name, value, globalDefault "
+"and description."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:73
+msgid ""
+"\n"
+"\t\tCreate a resource from a file or from stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:41
+msgid ""
+"\n"
+"\t\tCreate a resource quota with the specified name, hard limits, and "
+"optional scopes."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:40
+msgid ""
+"\n"
+"\t\tCreate a role binding for a particular role or cluster role."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:43
+msgid ""
+"\n"
+"\t\tCreate a role with single rule."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:70
+msgid ""
+"\n"
+"\t\tCreate a secret based on a file, directory, or specified literal value.\n"
+"\n"
+"\t\tA single secret may package one or more key/value pairs.\n"
+"\n"
+"\t\tWhen creating a secret based on a file, the key will default to the "
+"basename of the file, and the value will\n"
+"\t\tdefault to the file content. If the basename is an invalid key or you "
+"wish to chose your own, you may specify\n"
+"\t\tan alternate key.\n"
+"\n"
+"\t\tWhen creating a secret based on a directory, each file whose basename is "
+"a valid key in the directory will be\n"
+"\t\tpackaged into the secret. Any directory entries except regular files are "
+"ignored (e.g. subdirectories,\n"
+"\t\tsymlinks, devices, pipes, etc)."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:61
+msgid ""
+"\n"
+"\t\tCreate a secret with specified type.\n"
+"\t\t\n"
+"\t\tA docker-registry type secret is for accessing a container registry.\n"
+"\n"
+"\t\tA generic type secret indicate an Opaque secret type.\n"
+"\n"
+"\t\tA tls type secret holds TLS certificate and its associated key."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:40
+msgid ""
+"\n"
+"\t\tCreate a service account with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:72
+msgid ""
+"\n"
+"\t\tCreates a proxy server or application-level gateway between localhost "
+"and\n"
+"\t\tthe Kubernetes API server. It also allows serving static content over "
+"specified\n"
+"\t\tHTTP path. All incoming data enters through one port and gets forwarded "
+"to\n"
+"\t\tthe remote Kubernetes API server port, except for the path matching the "
+"static content path."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:44
+msgid ""
+"\n"
+"\t\tCreates an autoscaler that automatically chooses and sets the number of "
+"pods that run in a Kubernetes cluster.\n"
+"\n"
+"\t\tLooks up a deployment, replica set, stateful set, or replication "
+"controller by name and creates an autoscaler that uses the given resource as "
+"a reference.\n"
+"\t\tAn autoscaler can automatically increase or decrease number of pods "
+"deployed within the system as needed."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:61
+msgid ""
+"\n"
+"\t\tDebug cluster resources using interactive debugging containers.\n"
+"\n"
+"\t\t'debug' provides automation for common debugging tasks for cluster "
+"objects identified by\n"
+"\t\tresource and name. Pods will be used by default if no resource is "
+"specified.\n"
+"\n"
+"\t\tThe action taken by 'debug' varies depending on what resource is "
+"specified. Supported\n"
+"\t\tactions include:\n"
+"\n"
+"\t\t* Workload: Create a copy of an existing pod with certain attributes "
+"changed,\n"
+"\t                for example changing the image tag to a new version.\n"
+"\t\t* Workload: Add an ephemeral container to an already running pod, for "
+"example to add\n"
+"\t\t            debugging utilities without restarting the pod.\n"
+"\t\t* Node: Create a new pod that runs in the node's host namespaces and can "
+"access\n"
+"\t\t        the node's filesystem.\n"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:47
+msgid ""
+"\n"
+"\t\tDelete resources by file names, stdin, resources and names, or by "
+"resources and label selector.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. Only one type of argument may be "
+"specified: file names,\n"
+"\t\tresources and names, or resources and label selector.\n"
+"\n"
+"\t\tSome resources, such as pods, support graceful deletion. These resources "
+"define a default period\n"
+"\t\tbefore they are forcibly terminated (the grace period) but you may "
+"override that value with\n"
+"\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+"Because these resources often\n"
+"\t\trepresent entities in the cluster, deletion may not be acknowledged "
+"immediately. If the node\n"
+"\t\thosting a pod is down or cannot reach the API server, termination may "
+"take significantly longer\n"
+"\t\tthan the grace period. To force delete a resource, you must specify the "
+"--force flag.\n"
+"\t\tNote: only a subset of resources support graceful deletion. In absence "
+"of the support,\n"
+"\t\tthe --grace-period flag is ignored.\n"
+"\n"
+"\t\tIMPORTANT: Force deleting pods does not wait for confirmation that the "
+"pod's processes have been\n"
+"\t\tterminated, which can leave those processes running until the node "
+"detects the deletion and\n"
+"\t\tcompletes graceful deletion. If your processes use shared storage or "
+"talk to a remote API and\n"
+"\t\tdepend on the name of the pod to identify themselves, force deleting "
+"those pods may result in\n"
+"\t\tmultiple processes running on different machines using the same "
+"identification which may lead\n"
+"\t\tto data corruption or inconsistency. Only force delete pods when you are "
+"sure the pod is\n"
+"\t\tterminated, or if your application can tolerate multiple copies of the "
+"same pod running at once.\n"
+"\t\tAlso, if you force delete pods, the scheduler may place new pods on "
+"those nodes before the node\n"
+"\t\thas released those resources and causing those pods to be evicted "
+"immediately.\n"
+"\n"
+"\t\tNote that the delete command does NOT do resource version checks, so if "
+"someone submits an\n"
+"\t\tupdate to a resource right when you submit a delete, their update will "
+"be lost along with the\n"
+"\t\trest of the resource.\n"
+"\n"
+"\t\tAfter a CustomResourceDefinition is deleted, invalidation of discovery "
+"cache may take up\n"
+"\t\tto 6 hours. If you don't want to wait, you might want to run \"kubectl "
+"api-resources\" to refresh\n"
+"\t\tthe discovery cache."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:178
+msgid ""
+"\n"
+"\t\tDeny a certificate signing request.\n"
+"\n"
+"\t\tkubectl certificate deny allows a cluster admin to deny a certificate\n"
+"\t\tsigning request (CSR). This action tells a certificate signing "
+"controller to\n"
+"\t\tnot to issue a certificate to the requester.\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:37
+msgid ""
+"\n"
+"\t\tDescribe fields and structure of various resources.\n"
+"\n"
+"\t\tThis command describes the fields associated with each supported API "
+"resource.\n"
+"\t\tFields are identified via a simple JSONPath identifier:\n"
+"\n"
+"\t\t\t<type>.<fieldName>[.<fieldName>]\n"
+"\n"
+"\t\tInformation about each field is retrieved from the server in OpenAPI "
+"format."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:52
+msgid ""
+"\n"
+"\t\tDiff configurations specified by file name or stdin between the current "
+"online\n"
+"\t\tconfiguration, and the configuration as it would be if applied.\n"
+"\n"
+"\t\tThe output is always YAML.\n"
+"\n"
+"\t\tKUBECTL_EXTERNAL_DIFF environment variable can be used to select your "
+"own\n"
+"\t\tdiff command. Users can use external commands with params too, example:\n"
+"\t\tKUBECTL_EXTERNAL_DIFF=\"colordiff -N -u\"\n"
+"\n"
+"\t\tBy default, the \"diff\" command available in your path will be\n"
+"\t\trun with the \"-u\" (unified diff) and \"-N\" (treat absent files as "
+"empty) options.\n"
+"\n"
+"\t\tExit status:\n"
+"\t\t 0\n"
+"\t\tNo differences were found.\n"
+"\t\t 1\n"
+"\t\tDifferences were found.\n"
+"\t\t >1\n"
+"\t\tKubectl or diff failed with an error.\n"
+"\n"
+"\t\tNote: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that "
+"convention."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/events/events.go:51
+msgid ""
+"\n"
+"\t\tDisplay events.\n"
+"\n"
+"\t\tPrints a table of the most important information about events.\n"
+"\t\tYou can request events for a namespace, for all namespace, or\n"
+"\t\tfiltered to only those pertaining to a specified resource."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:55
+msgid ""
+"\n"
+"\t\tDisplay merged kubeconfig settings or a specified kubeconfig file.\n"
+"\n"
+"\t\tYou can use --output jsonpath={...} to extract specific values using a "
+"jsonpath expression."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:89
+msgid ""
+"\n"
+"\t\tDisplay one or many resources.\n"
+"\n"
+"\t\tPrints a table of the most important information about the specified "
+"resources.\n"
+"\t\tYou can filter the list using a label selector and the --selector flag. "
+"If the\n"
+"\t\tdesired resource type is namespaced you will only see results in your "
+"current\n"
+"\t\tnamespace unless you pass --all-namespaces.\n"
+"\n"
+"\t\tBy specifying the output as 'template' and providing a Go template as "
+"the value\n"
+"\t\tof the --template flag, you can filter the attributes of the fetched "
+"resources."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:58
+msgid ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of nodes.\n"
+"\n"
+"\t\tThe top-node command allows you to see the resource consumption of nodes."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:68
+msgid ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage of pods.\n"
+"\n"
+"\t\tThe 'top pod' command allows you to see the resource consumption of "
+"pods.\n"
+"\n"
+"\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+"minutes\n"
+"\t\tsince pod creation."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top.go:39
+msgid ""
+"\n"
+"\t\tDisplay resource (CPU/memory) usage.\n"
+"\n"
+"\t\tThe top command allows you to see the resource consumption for nodes or "
+"pods.\n"
+"\n"
+"\t\tThis command requires Metrics Server to be correctly configured and "
+"working on the server. "
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/current_context.go:37
+msgid ""
+"\n"
+"\t\tDisplay the current-context."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:115
+msgid ""
+"\n"
+"\t\tDrain node in preparation for maintenance.\n"
+"\n"
+"\t\tThe given node will be marked unschedulable to prevent new pods from "
+"arriving.\n"
+"\t\t'drain' evicts the pods if the API server supports\n"
+"\t\t[eviction](https://kubernetes.io/docs/concepts/workloads/pods/"
+"disruptions/). Otherwise, it will use normal\n"
+"\t\tDELETE to delete the pods.\n"
+"\t\tThe 'drain' evicts or deletes all pods except mirror pods (which cannot "
+"be deleted through\n"
+"\t\tthe API server).  If there are daemon set-managed pods, drain will not "
+"proceed\n"
+"\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+"\t\tdaemon set-managed pods, because those pods would be immediately "
+"replaced by the\n"
+"\t\tdaemon set controller, which ignores unschedulable markings.  If there "
+"are any\n"
+"\t\tpods that are neither mirror pods nor managed by a replication "
+"controller,\n"
+"\t\treplica set, daemon set, stateful set, or job, then drain will not "
+"delete any pods unless you\n"
+"\t\tuse --force.  --force will also allow deletion to proceed if the "
+"managing resource of one\n"
+"\t\tor more pods is missing.\n"
+"\n"
+"\t\t'drain' waits for graceful termination. You should not operate on the "
+"machine until\n"
+"\t\tthe command completes.\n"
+"\n"
+"\t\tWhen you are ready to put the node back into service, use kubectl "
+"uncordon, which\n"
+"\t\twill make the node schedulable again.\n"
+"\n"
+"\t\t![Workflow](https://kubernetes.io/images/docs/kubectl_drain.svg)"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:32
+msgid ""
+"\n"
+"\t\tEdit a resource from the default editor.\n"
+"\n"
+"\t\tThe edit command allows you to directly edit any API resource you can "
+"retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tWhen attempting to open the editor, it will first attempt to use the "
+"shell\n"
+"\t\tthat has been defined in the 'SHELL' environment variable. If this is "
+"not defined,\n"
+"\t\tthe default shell will be used, which is '/bin/bash' for Linux or 'cmd' "
+"for Windows.\n"
+"\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tEditing is done with the API version used to fetch the resource.\n"
+"\t\tTo edit using a specific API version, fully-qualify the resource, "
+"version, and group.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_edit_last_applied.go:31
+msgid ""
+"\n"
+"\t\tEdit the latest last-applied-configuration annotations of resources from "
+"the default editor.\n"
+"\n"
+"\t\tThe edit-last-applied command allows you to directly edit any API "
+"resource you can retrieve via the\n"
+"\t\tcommand-line tools. It will open the editor defined by your KUBE_EDITOR, "
+"or EDITOR\n"
+"\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+"Windows.\n"
+"\t\tYou can edit multiple objects, although changes are applied one at a "
+"time. The command\n"
+"\t\taccepts file names as well as command-line arguments, although the files "
+"you point to must\n"
+"\t\tbe previously saved versions of resources.\n"
+"\n"
+"\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+"\n"
+"\t\tThe flag --windows-line-endings can be used to force Windows line "
+"endings,\n"
+"\t\totherwise the default for your operating system will be used.\n"
+"\n"
+"\t\tIn the event an error occurs while updating, a temporary file will be "
+"created on disk\n"
+"\t\tthat contains your unapplied changes. The most common error when "
+"updating a resource\n"
+"\t\tis another editor changing the resource on the server. When this occurs, "
+"you will have\n"
+"\t\tto apply your changes to the newer version of the resource, or update "
+"your temporary\n"
+"\t\tsaved copy to include the latest resource version."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:55
+msgid ""
+"\n"
+"\t\tExperimental: Wait for a specific condition on one or many resources.\n"
+"\n"
+"\t\tThe command takes multiple resources and waits until the specified "
+"condition\n"
+"\t\tis seen in the Status field of every given resource.\n"
+"\n"
+"\t\tAlternatively, the command can wait for the given set of resources to be "
+"deleted\n"
+"\t\tby providing the \"delete\" keyword as the value to the --for flag.\n"
+"\n"
+"\t\tA successful message will be printed to stdout indicating when the "
+"specified\n"
+"        condition has been met. You can use -o option to change to output "
+"destination."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:53
+msgid ""
+"\n"
+"\t\tExpose a resource as a new Kubernetes service.\n"
+"\n"
+"\t\tLooks up a deployment, service, replica set, replication controller or "
+"pod by name and uses the selector\n"
+"\t\tfor that resource as the selector for a new service on the specified "
+"port. A deployment or replica set\n"
+"\t\twill be exposed as a service only if its selector is convertible to a "
+"selector that service supports,\n"
+"\t\ti.e. when the selector contains only the matchLabels component. Note "
+"that if no port is specified via\n"
+"\t\t--port and the exposed resource has multiple ports, all will be re-used "
+"by the new service. Also if no\n"
+"\t\tlabels are specified, the new service will re-use the labels from the "
+"resource it exposes.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:50
+msgid ""
+"\n"
+"\t\tList all available plugin files on a user's PATH.\n"
+"\n"
+"\t\tAvailable plugin files are those that are:\n"
+"\t\t- executable\n"
+"\t\t- anywhere on the user's PATH\n"
+"\t\t- begin with \"kubectl-\"\n"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout.go:31
+msgid ""
+"\n"
+"\t\tManage the rollout of one or many resources."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:86
+msgid ""
+"\n"
+"\t\tMark node as schedulable."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:57
+msgid ""
+"\n"
+"\t\tMark node as unschedulable."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:59
+msgid ""
+"\n"
+"\t\tMark the provided resource as paused.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller.\n"
+"\t\tUse \"kubectl rollout resume\" to resume a paused resource.\n"
+"\t\tCurrently only deployments support being paused."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:47
+msgid ""
+"\n"
+"\t\tOutput shell completion code for the specified shell (bash, zsh, fish, "
+"or powershell).\n"
+"\t\tThe shell code must be evaluated to provide interactive\n"
+"\t\tcompletion of kubectl commands.  This can be done by sourcing it from\n"
+"\t\tthe .bash_profile.\n"
+"\n"
+"\t\tDetailed instructions on how to do this are available here:\n"
+"\n"
+"        for macOS:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for linux:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-"
+"shell-autocompletion\n"
+"\n"
+"        for windows:\n"
+"        https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/"
+"#enable-shell-autocompletion\n"
+"\n"
+"\t\tNote for zsh users: [1] zsh completions are only supported in versions "
+"of zsh >= 5.2."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:51
+msgid ""
+"\n"
+"\t\tPrint the logs for a container in a pod or specified resource. \n"
+"\t\tIf the pod has only one container, the container name is optional."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:37
+msgid ""
+"\n"
+"\t\tProvides utilities for interacting with plugins.\n"
+"\n"
+"\t\tPlugins provide extended functionality that is not part of the major "
+"command-line distribution.\n"
+"\t\tPlease refer to the documentation and examples for more information "
+"about how write your own plugins.\n"
+"\n"
+"\t\tThe easiest way to discover and install plugins is via the kubernetes "
+"sub-project krew.\n"
+"\t\tTo install krew, visit [krew.sigs.k8s.io](https://krew.sigs.k8s.io/docs/"
+"user-guide/setup/install/)"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/rename_context.go:47
+msgid ""
+"\n"
+"\t\tRenames a context from the kubeconfig file.\n"
+"\n"
+"\t\tCONTEXT_NAME is the context name that you want to change.\n"
+"\n"
+"\t\tNEW_NAME is the new name you want to set.\n"
+"\n"
+"\t\tNote: If the context being renamed is the 'current-context', this field "
+"will also be updated."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:49
+msgid ""
+"\n"
+"\t\tReplace a resource by file name or stdin.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted. If replacing an existing resource, "
+"the\n"
+"\t\tcomplete resource spec must be provided. This can be obtained by\n"
+"\n"
+"\t\t    $ kubectl get TYPE NAME -o yaml"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_restart.go:60
+msgid ""
+"\n"
+"\t\tRestart a resource.\n"
+"\n"
+"\t        Resource rollout will be restarted."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:60
+msgid ""
+"\n"
+"\t\tResume a paused resource.\n"
+"\n"
+"\t\tPaused resources will not be reconciled by a controller. By resuming a\n"
+"\t\tresource, we allow it to be reconciled again.\n"
+"\t\tCurrently only deployments support being resumed."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:56
+msgid ""
+"\n"
+"\t\tRoll back to a previous rollout."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set_cluster.go:47
+msgid ""
+"\n"
+"\t\tSet a cluster entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set_context.go:45
+msgid ""
+"\n"
+"\t\tSet a context entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values for those fields."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:41
+msgid ""
+"\n"
+"\t\tSet a new size for a deployment, replica set, replication controller, or "
+"stateful set.\n"
+"\n"
+"\t\tScale also allows users to specify one or more preconditions for the "
+"scale action.\n"
+"\n"
+"\t\tIf --current-replicas or --resource-version is specified, it is "
+"validated before the\n"
+"\t\tscale is attempted, and it is guaranteed that the precondition holds "
+"true when the\n"
+"\t\tscale is sent to the server."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set_credentials.go:69
+#, c-format
+msgid ""
+"\n"
+"\t\tSet a user entry in kubeconfig.\n"
+"\n"
+"\t\tSpecifying a name that already exists will merge new fields on top of "
+"existing values.\n"
+"\n"
+"\t\t    Client-certificate flags:\n"
+"\t\t    --%v=certfile --%v=keyfile\n"
+"\n"
+"\t\t    Bearer token flags:\n"
+"\t\t\t  --%v=bearer_token\n"
+"\n"
+"\t\t    Basic auth flags:\n"
+"\t\t\t  --%v=basic_user --%v=basic_password\n"
+"\n"
+"\t\tBearer token and basic auth are mutually exclusive."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:70
+msgid ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:67
+#, c-format
+msgid ""
+"\n"
+"\t\tSet the selector on a resource. Note that the new selector will "
+"overwrite the old selector if the resource had one prior to the invocation\n"
+"\t\tof 'set selector'.\n"
+"\n"
+"\t\tA selector must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\tIf --resource-version is specified, then updates will use this resource "
+"version, otherwise the existing resource-version will be used.\n"
+"        Note: currently selectors can only be set on Service objects."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:39
+msgid ""
+"\n"
+"\t\tShow details of a specific resource or group of resources.\n"
+"\n"
+"\t\tPrint a detailed description of the selected resources, including "
+"related resources such\n"
+"\t\tas events or controllers. You may select a single object by name, all "
+"objects of that\n"
+"\t\ttype, provide a name prefix, or label selector. For example:\n"
+"\n"
+"\t\t    $ kubectl describe TYPE NAME_PREFIX\n"
+"\n"
+"\t\twill first check for an exact match on TYPE and NAME_PREFIX. If no such "
+"resource\n"
+"\t\texists, it will output details for every resource that has a name "
+"prefixed with NAME_PREFIX."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:48
+msgid ""
+"\n"
+"\t\tShow the status of the rollout.\n"
+"\n"
+"\t\tBy default 'rollout status' will watch the status of the latest rollout\n"
+"\t\tuntil it's done. If you don't want to wait for the rollout to finish "
+"then\n"
+"\t\tyou can use --watch=false. Note that if a new rollout starts in-between, "
+"then\n"
+"\t\t'rollout status' will continue watching the latest revision. If you want "
+"to\n"
+"\t\tpin to a specific revision and abort if it is rolled over by another "
+"revision,\n"
+"\t\tuse --revision=N where N is the revision you need to watch for."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:42
+#, c-format
+msgid ""
+"\n"
+"\t\tSpecify compute resource requirements (CPU, memory) for any resource "
+"that defines a pod template.  If a pod is successfully scheduled, it is "
+"guaranteed the amount of resource requested, but may burst up to its "
+"specified limits.\n"
+"\n"
+"\t\tFor each compute resource, if a limit is specified and a request is "
+"omitted, the request will default to the limit.\n"
+"\n"
+"\t\tPossible resources include (case insensitive): %s."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_env.go:52
+msgid ""
+"\n"
+"\t\tUpdate environment variables on a pod template.\n"
+"\n"
+"\t\tList environment variable definitions in one or more pods, pod "
+"templates.\n"
+"\t\tAdd, update, or remove container environment variable definitions in one "
+"or\n"
+"\t\tmore pod templates (within replication controllers or deployment "
+"configurations).\n"
+"\t\tView or modify the environment variable definitions on all containers in "
+"the\n"
+"\t\tspecified pods or pod templates, or just those that match a wildcard.\n"
+"\n"
+"\t\tIf \"--env -\" is passed, environment variables can be read from STDIN "
+"using the standard env\n"
+"\t\tsyntax.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:79
+msgid ""
+"\n"
+"\t\tUpdate existing container image(s) of resources.\n"
+"\n"
+"\t\tPossible resources include (case insensitive):\n"
+"\t\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:82
+msgid ""
+"\n"
+"\t\tUpdate fields of a resource using strategic merge patch, a JSON merge "
+"patch, or a JSON patch.\n"
+"\n"
+"\t\tJSON and YAML formats are accepted.\n"
+"\n"
+"\t\tNote: Strategic merge patch is not supported for custom resources."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:112
+msgid ""
+"\n"
+"\t\tUpdate the annotations on one or more resources.\n"
+"\n"
+"\t\tAll Kubernetes objects support the ability to store additional data with "
+"the object as\n"
+"\t\tannotations. Annotations are key/value pairs that can be larger than "
+"labels and include\n"
+"\t\tarbitrary string values such as structured JSON. Tools and system "
+"extensions may use\n"
+"\t\tannotations to store their own data.\n"
+"\n"
+"\t\tAttempting to set an annotation that already exists will fail unless --"
+"overwrite is set.\n"
+"\t\tIf --resource-version is specified and does not match the current "
+"resource version on\n"
+"\t\tthe server the command will fail."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:93
+#, c-format
+msgid ""
+"\n"
+"\t\tUpdate the labels on a resource.\n"
+"\n"
+"\t\t* A label key and value must begin with a letter or number, and may "
+"contain letters, numbers, hyphens, dots, and underscores, up to %[1]d "
+"characters each.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* If --overwrite is true, then existing labels can be overwritten, "
+"otherwise attempting to overwrite a label will result in an error.\n"
+"\t\t* If --resource-version is specified, then updates will use this "
+"resource version, otherwise the existing resource-version will be used."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:71
+#, c-format
+msgid ""
+"\n"
+"\t\tUpdate the taints on one or more nodes.\n"
+"\n"
+"\t\t* A taint consists of a key, value, and effect. As an argument here, it "
+"is expressed as key=value:effect.\n"
+"\t\t* The key must begin with a letter or number, and may contain letters, "
+"numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+"\t\t* Optionally, the key can begin with a DNS subdomain prefix and a single "
+"'/', like example.com/my-app.\n"
+"\t\t* The value is optional. If given, it must begin with a letter or "
+"number, and may contain letters, numbers, hyphens, dots, and underscores, up "
+"to %[2]d characters.\n"
+"\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+"\t\t* Currently taint can only apply to node."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:38
+msgid ""
+"\n"
+"\t\tView previous rollout revisions and configurations."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:48
+msgid ""
+"\n"
+"\t\tView the latest last-applied-configuration annotations by type/name or "
+"file.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. You can use "
+"the -o option\n"
+"\t\tto change the output format."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:47
+msgid ""
+"\n"
+"\t  # Create a new TLS secret named tls-secret with the given key pair\n"
+"\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/"
+"to/tls.key"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:43
+msgid ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:83
+msgid ""
+"\n"
+"\t  # Create a new secret named my-secret with keys for each file in folder "
+"bar\n"
+"\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+"\n"
+"\t  # Create a new secret named my-secret with specified keys instead of "
+"names on disk\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub\n"
+"\n"
+"\t  # Create a new secret named my-secret with key1=supersecret and "
+"key2=topsecret\n"
+"\t  kubectl create secret generic my-secret --from-literal=key1=supersecret "
+"--from-literal=key2=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret using a combination of a file and "
+"a literal\n"
+"\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=path/"
+"to/id_rsa --from-literal=passphrase=topsecret\n"
+"\n"
+"\t  # Create a new secret named my-secret from env files\n"
+"\t  kubectl create secret generic my-secret --from-env-file=path/to/foo.env "
+"--from-env-file=path/to/bar.env"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:43
+msgid ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:45
+msgid ""
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image\n"
+"\tkubectl create deployment my-dep --image=busybox\n"
+"\n"
+"\t# Create a deployment with a command\n"
+"\tkubectl create deployment my-dep --image=busybox -- date\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the nginx image with 3 "
+"replicas\n"
+"\tkubectl create deployment my-dep --image=nginx --replicas=3\n"
+"\n"
+"\t# Create a deployment named my-dep that runs the busybox image and expose "
+"port 5701\n"
+"\tkubectl create deployment my-dep --image=busybox --port=5701"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:352
+msgid ""
+"\n"
+"\t# Create a new ExternalName service named my-ns\n"
+"\tkubectl create service externalname my-ns --external-name bar.com"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/events/events.go:58
+msgid ""
+"\n"
+"\t# List recent events in the default namespace\n"
+"\tkubectl events\n"
+"\n"
+"\t# List recent events in all namespaces\n"
+"\tkubectl events --all-namespaces\n"
+"\n"
+"\t# List recent events for the specified pod, then wait for more events and "
+"list them as they arrive\n"
+"\tkubectl events --for pod/web-pod-13je7 --watch\n"
+"\n"
+"\t# List recent events in YAML format\n"
+"\tkubectl events -oyaml\n"
+"\n"
+"\t# List recent only events of type 'Warning' or 'Normal'\n"
+"\tkubectl events --types=Warning,Normal"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:51
+msgid ""
+"\n"
+"\t# Set deployment nginx-deployment's service account to serviceaccount1\n"
+"\tkubectl set serviceaccount deployment nginx-deployment serviceaccount1\n"
+"\n"
+"\t# Print the result (in YAML format) of updated nginx deployment with the "
+"service account from local file, without hitting the API server\n"
+"\tkubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-"
+"run=client -o yaml\n"
+"\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:42
+msgid ""
+"\n"
+"\tCreate a deployment with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:345
+msgid ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:61
+msgid ""
+"\n"
+"\tCreate an ingress with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:28
+msgid ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set.go:44
+msgid ""
+"\n"
+"\tSet an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots.\n"
+"\n"
+"\tPROPERTY_VALUE is the new value you want to set. Binary fields such as "
+"'certificate-authority-data' expect a base64 encoded string unless the --set-"
+"raw-bytes flag is used.\n"
+"\n"
+"\tSpecifying an attribute name that already exists will merge new fields on "
+"top of existing values."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/unset.go:39
+msgid ""
+"\n"
+"\tUnset an individual value in a kubeconfig file.\n"
+"\n"
+"\tPROPERTY_NAME is a dot delimited name where each token represents either "
+"an attribute name or a map key.  Map keys may not contain dots."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:44
+msgid ""
+"\n"
+"\tUpdate the service account of pod template resources.\n"
+"\n"
+"\tPossible resources (case insensitive) can be:\n"
+"\n"
+"\t"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_subject.go:41
+msgid ""
+"\n"
+"\tUpdate the user, group, or service account in a role binding or cluster "
+"role binding."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:76
+msgid ""
+"\n"
+"  \tpod (po), replicationcontroller (rc), deployment (deploy), daemonset "
+"(ds), statefulset (sts), cronjob (cj), replicaset (rs)"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:64
+msgid ""
+"\n"
+"                Forward one or more local ports to a pod.\n"
+"\n"
+"                Use resource type/name such as deployment/mydeployment to "
+"select a pod. Resource type defaults to 'pod' if omitted.\n"
+"\n"
+"                If there are multiple pods matching the criteria, a pod will "
+"be selected automatically. The\n"
+"                forwarding session ends when the selected pod terminates, "
+"and a rerun of the command is needed\n"
+"                to resume forwarding."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:234
+msgid ""
+"\n"
+"    # Create a new ClusterIP service named my-cs\n"
+"    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+"\n"
+"    # Create a new ClusterIP service named my-cs (in headless mode)\n"
+"    kubectl create service clusterip my-cs --clusterip=\"None\""
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:312
+msgid ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:275
+msgid ""
+"\n"
+"    # Create a new NodePort service named my-ns\n"
+"    kubectl create service nodeport my-ns --tcp=5678:8080"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:103
+msgid ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:124
+msgid ""
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend'\n"
+"    # If the same annotation is set multiple times, only the last value will "
+"be applied\n"
+"    kubectl annotate pods foo description='my frontend'\n"
+"\n"
+"    # Update a pod identified by type and name in \"pod.json\"\n"
+"    kubectl annotate -f pod.json description='my frontend'\n"
+"\n"
+"    # Update pod 'foo' with the annotation 'description' and the value 'my "
+"frontend running nginx', overwriting any existing value\n"
+"    kubectl annotate --overwrite pods foo description='my frontend running "
+"nginx'\n"
+"\n"
+"    # Update all pods in the namespace\n"
+"    kubectl annotate pods --all description='my frontend running nginx'\n"
+"\n"
+"    # Update pod 'foo' only if the resource is unchanged from version 1\n"
+"    kubectl annotate pods foo description='my frontend running nginx' --"
+"resource-version=1\n"
+"\n"
+"    # Update pod 'foo' by removing an annotation named 'description' if it "
+"exists\n"
+"    # Does not require the --overwrite flag\n"
+"    kubectl annotate pods foo description-"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:231
+msgid ""
+"\n"
+"    Create a ClusterIP service with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:309
+msgid ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:272
+msgid ""
+"\n"
+"    Create a NodePort service with the specified name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:94
+msgid ""
+"\n"
+"    Dump cluster information out suitable for debugging and diagnosing "
+"cluster problems.  By default, dumps everything to\n"
+"    stdout. You can optionally specify a directory with --output-directory.  "
+"If you specify a directory, Kubernetes will\n"
+"    build a set of files in that directory.  By default, only dumps things "
+"in the current namespace and 'kube-system' namespace, but you can\n"
+"    switch to a different namespace with the --namespaces flag, or specify --"
+"all-namespaces to dump all namespaces.\n"
+"\n"
+"    The command also dumps the logs of all of the pods in the cluster; these "
+"logs are dumped into different directories\n"
+"    based on namespace and pod name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:41
+msgid ""
+"\n"
+"  Display addresses of the control plane and services with label kubernetes."
+"io/cluster-service=true.\n"
+"  To further debug and diagnose cluster problems, use 'kubectl cluster-info "
+"dump'."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:49
+msgid ""
+" environment variable is set, then it is used as a list of paths (normal "
+"path delimiting rules for your system). These paths are merged. When a value "
+"is modified, it is modified in the file that defines the stanza. When a "
+"value is created, it is created in the first file that exists. If no files "
+"in the chain exist, then it creates the last file in the list.\n"
+"\t\t\t3. Otherwise, "
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:48
+msgid ""
+" flag is set, then only that file is loaded. The flag may only be set once "
+"and no merging takes place.\n"
+"\t\t\t2. If $"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:50
+msgid " is used and no merging takes place."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:107
+msgid ""
+"A comma-delimited set of quota scopes that must all match each object "
+"tracked by the quota."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:106
+msgid ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:113
+msgid ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:180
+msgid ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:183
+msgid ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:193
+msgid "Allocate a TTY for the debugging container."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/util/override_options.go:50
+msgid ""
+"An inline JSON override for the generated object. If this is non-empty, it "
+"is used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:191
+msgid "Annotations to apply to the pod."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go:203
+msgid "Apply a configuration to a resource by file name or stdin"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:129
+msgid "Approve a certificate signing request"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:264
+msgid ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:109
+msgid ""
+"Attach to a process that is already running inside an existing container."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:108
+msgid "Attach to a running container"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:108
+msgid ""
+"Auto-scale a deployment, replica set, stateful set, or replication controller"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:186
+msgid ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or "
+"set to 'None' to create a headless service."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:101
+msgid "ClusterRole this ClusterRoleBinding should reference"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:107
+msgid "ClusterRole this RoleBinding should reference"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:33
+msgid "Commands for features in alpha"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:185
+msgid "Container image to use for debug container."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:181
+msgid "Container name to use for debug container."
+msgstr ""
+
+#: pkg/kubectl/cmd/convert/convert.go:96
+msgid "Convert config files between different API versions"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:98
+msgid "Copy files and directories to and from containers"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:99
+msgid "Copy files and directories to and from containers."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:249
+msgid "Create a ClusterIP service"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:324
+msgid "Create a LoadBalancer service"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:287
+msgid "Create a NodePort service"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:94
+msgid "Create a TLS secret"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrole.go:81
+msgid "Create a cluster role"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:87
+msgid "Create a cluster role binding for a particular cluster role"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_configmap.go:121
+msgid "Create a config map from a local file, directory or literal value"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:182
+msgid "Create a copy of the target Pod with this name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_cronjob.go:91
+msgid "Create a cron job with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_deployment.go:100
+msgid "Create a deployment with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go:92
+msgid "Create a job with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:84
+msgid "Create a namespace with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:95
+msgid "Create a pod disruption budget with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:92
+msgid "Create a priority class with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:91
+msgid "Create a quota with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create.go:108
+msgid "Create a resource from a file or from stdin"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:92
+msgid "Create a role binding for a particular role or cluster role"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:171
+msgid "Create a role with single rule"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:134
+msgid "Create a secret for use with a Docker registry"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:146
+msgid "Create a secret from a local file, directory, or literal value"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:49
+msgid "Create a secret using a specified subcommand"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:85
+msgid "Create a service account with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:48
+msgid "Create a service using a specified subcommand"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:49
+msgid "Create a service using a specified subcommand."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:364
+msgid "Create an ExternalName service"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_ingress.go:145
+msgid "Create an ingress with the specified name"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:61
+msgid "Create and run a particular image in a pod."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:162
+msgid "Create debugging sessions for troubleshooting workloads and nodes"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:194
+msgid ""
+"Debugging profile. Options are \"legacy\", \"general\", \"baseline\", "
+"\"netadmin\", or \"restricted\"."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/delete/delete.go:146
+msgid ""
+"Delete resources by file names, stdin, resources and names, or by resources "
+"and label selector"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:43
+msgid "Delete the specified cluster from the kubeconfig."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:43
+msgid "Delete the specified context from the kubeconfig."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_user.go:65
+msgid "Delete the specified user from the kubeconfig"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_user.go:66
+msgid "Delete the specified user from the kubeconfig."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:177
+msgid "Deny a certificate signing request"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:75
+msgid "Describe one or many contexts"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go:136
+msgid "Diff the live version against a would-be applied version"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo.go:66
+msgid "Display cluster information"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:42
+msgid "Display clusters defined in the kubeconfig."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:82
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:53
+msgid "Display one or many contexts from the kubeconfig file."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:164
+msgid "Display one or many resources"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top.go:50
+msgid "Display resource (CPU/memory) usage"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:82
+msgid "Display resource (CPU/memory) usage of nodes"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:101
+msgid "Display resource (CPU/memory) usage of pods"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/current_context.go:51
+msgid "Display the current-context"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_users.go:60
+msgid "Display users defined in the kubeconfig"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_users.go:61
+msgid "Display users defined in the kubeconfig."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:186
+msgid "Drain node in preparation for maintenance"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:75
+msgid "Dump relevant information for debugging and diagnosis"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:83
+msgid "Edit a resource on the server"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_edit_last_applied.go:67
+msgid "Edit latest last-applied-configuration annotations of a resource/object"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:152
+msgid "Email for Docker registry"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:184
+msgid "Environment variables to set in the container."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:91
+msgid "Execute a command in a container"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:92
+msgid "Execute a command in a container."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go:124
+msgid "Experimental: Wait for a specific condition on one or many resources"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:379
+msgid "External name of service"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:110
+msgid "Forward one or more local ports to a pod"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:102
+msgid "Get documentation for a resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:37
+msgid "Help about any command"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:179
+msgid ""
+"IP to assign to the LoadBalancer. If empty, an ephemeral IP will be created "
+"and used (cloud-provider specific)."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:185
+msgid ""
+"If non-empty, set the session affinity for the service to this; legal "
+"values: 'None', 'ClientIP'"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:187
+msgid ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:159
+msgid ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single "
+"resource."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:179
+msgid ""
+"If specified, everything after -- will be passed to the new container as "
+"Args instead of Command."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:207
+msgid "If true, run the container in privileged mode."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:189
+msgid "If true, suppress informational messages."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:180
+msgid ""
+"If true, wait for the container to start running, and then attach as if "
+"'kubectl attach ...' were called.  Default false, unless '-i/--stdin' is "
+"set, in which case the default is true."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:188
+msgid ""
+"Keep stdin open on the container(s) in the pod, even if nothing is attached."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:94
+msgid "List all visible plugin executables on a user's PATH"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/events/events.go:126
+msgid "List events"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout.go:61
+msgid "Manage the rollout of a resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:100
+msgid "Mark node as schedulable"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:71
+msgid "Mark node as unschedulable"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:85
+msgid "Mark the provided resource as paused"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:48
+msgid "Modify certificate resources"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:49
+msgid "Modify certificate resources."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:182
+msgid ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:41
+msgid "No alpha commands are available in this version of kubectl"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:176
+msgid ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:134
+msgid ""
+"Output shell completion code for the specified shell (bash, zsh, fish, or "
+"powershell)"
+msgstr ""
+
+#: pkg/kubectl/cmd/convert/convert.go:106
+msgid ""
+"Output the formatted object with the given group version (for ex: "
+"'extensions/v1beta1')."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:151
+msgid "Password for Docker registry authentication"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:110
+msgid "Path to PEM encoded public key certificate."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:111
+msgid "Path to private key associated with given certificate."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:129
+msgid ""
+"Precondition for resource version. Requires that the current resource "
+"version match this value in order to scale."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:80
+msgid "Print the client and server version information"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:81
+msgid ""
+"Print the client and server version information for the current context."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:38
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:39
+msgid "Print the list of flags inherited by all commands"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:154
+msgid "Print the logs for a container in a pod"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources.go:102
+msgid "Print the supported API resources on the server"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources.go:103
+msgid "Print the supported API resources on the server."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:59
+msgid ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\""
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:60
+msgid ""
+"Print the supported API versions on the server, in the form of \"group/"
+"version\"."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/plugin/plugin.go:66
+msgid "Provides utilities for interacting with plugins"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/rename_context.go:45
+msgid "Rename a context from the kubeconfig file"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/replace/replace.go:119
+msgid "Replace a resource by file name or stdin"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_restart.go:93
+msgid "Restart a resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:89
+msgid "Resume a paused resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:108
+msgid "Role this RoleBinding should reference"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:153
+msgid "Run a particular image on the cluster"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:124
+msgid "Run a proxy to the Kubernetes API server"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:153
+msgid "Server location for Docker registry"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set_cluster.go:76
+msgid "Set a cluster entry in kubeconfig"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set_context.go:62
+msgid "Set a context entry in kubeconfig"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:114
+msgid "Set a new size for a deployment, replica set, or replication controller"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set_credentials.go:157
+msgid "Set a user entry in kubeconfig"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/set.go:74
+msgid "Set an individual value in a kubeconfig file"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:41
+msgid "Set specific features on objects"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/use_context.go:52
+msgid "Set the current-context in a kubeconfig file"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:101
+msgid ""
+"Set the last-applied-configuration annotation on a live object to match the "
+"contents of a file"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:104
+msgid "Set the selector on a resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:150
+msgid "Show details of a specific resource or group of resources"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:104
+msgid "Show the status of the rollout"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:163
+msgid ""
+"Take a replication controller, service, deployment or pod and expose it as a "
+"new Kubernetes service"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:192
+msgid "The image for the container to run."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:194
+msgid ""
+"The image pull policy for the container.  If left empty, this value will not "
+"be specified by the client and defaulted by the server."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:187
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:112
+msgid ""
+"The maximum number or percentage of unavailable pods this budget requires."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:111
+msgid ""
+"The minimum number or percentage of available pods this budget requires."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:184
+msgid "The name for the newly created object."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:126
+msgid ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:176
+msgid "The network protocol for the service to be created. Default is 'TCP'."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:177
+msgid ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:197
+msgid "The port that this container exposes."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:203
+msgid ""
+"The restart policy for this Pod.  Legal values [Always, OnFailure, Never]."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:164
+msgid "The type of secret to create"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/alpha.go:34
+msgid ""
+"These commands correspond to alpha features that are not enabled in "
+"Kubernetes clusters by default."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:178
+msgid ""
+"Type for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. "
+"Default is 'ClusterIP'."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:88
+msgid "Undo a previous rollout"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/unset.go:59
+msgid "Unset an individual value in a kubeconfig file"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_env.go:156
+msgid "Update environment variables on a pod template"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/patch/patch.go:126
+msgid "Update fields of a resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:116
+msgid "Update resource requests/limits on objects with pod templates"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:153
+msgid "Update the annotations on a resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_image.go:118
+msgid "Update the image of a pod template"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:139
+msgid "Update the labels on a resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:102
+msgid "Update the service account of a resource"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:110
+msgid "Update the taints on one or more nodes"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_subject.go:99
+msgid ""
+"Update the user, group, or service account in a role binding or cluster role "
+"binding"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:150
+msgid "Username for Docker registry authentication"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:86
+msgid "View rollout history"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_view_last_applied.go:78
+msgid ""
+"View the latest last-applied-configuration annotations of a resource/object"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:186
+msgid ""
+"When used with '--copy-to', a list of name=image pairs for changing "
+"container images, similar to how 'kubectl set image' works."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:183
+msgid "When used with '--copy-to', delete the original Pod."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:191
+msgid ""
+"When used with '--copy-to', enable process namespace sharing in the copy."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:190
+msgid ""
+"When used with '--copy-to', schedule the copy of target Pod on the same node."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/debug/debug.go:192
+msgid ""
+"When using an ephemeral container, target processes in this container name."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:86
+msgid ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:108
+msgid ""
+"description is an arbitrary string that usually provides guidelines on when "
+"this priority class should be used."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run_test.go:89
+msgid "dummy restart flag)"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:107
+msgid ""
+"global-default specifies whether this PriorityClass should be considered as "
+"the default priority."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/cmd.go:317
+msgid "kubectl controls the Kubernetes cluster manager"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:51
+msgid ""
+"pod (po), service (svc), replicationcontroller (rc), deployment (deploy), "
+"replicaset (rs)"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:109
+msgid ""
+"preemption-policy is the policy for preempting pods with lower priority."
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_serviceaccount.go:42
+msgid ""
+"replicationcontroller (rc), deployment (deploy), daemonset (ds), job, "
+"replicaset (rs), statefulset"
+msgstr ""
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_priorityclass.go:106
+msgid "the value of this priority class."
+msgstr ""
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_CN/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_CN/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..42bc2ad659
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_CN/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_CN/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_CN/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..ffdf03cb6d
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_CN/LC_MESSAGES/k8s.po
@@ -0,0 +1,3236 @@
+# Test translations for unit tests.
+# Copyright (C) 2017
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR shiywang@redhat.com, 2017.
+# FIRST AUTHOR zhengjiajin@caicloud.io, 2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gettext-go-examples-hello\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2022-07-04 18:54+0800\n"
+"Last-Translator: zhengjiajin <zhengjiajin@caicloud.io>\n"
+"Language-Team: \n"
+"Language: zh\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+"X-Generator: Poedit 3.0.1\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_node.go:62
+msgid ""
+"\n"
+"\t\t  # Show metrics for all nodes\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # Show metrics for a given node\n"
+"\t\t  kubectl top node NODE_NAME"
+msgstr ""
+"\n"
+"\t\t  # 显示所有节点的指标\n"
+"\t\t  kubectl top node\n"
+"\n"
+"\t\t  # 显示指定节点的指标\n"
+"\t\t  kubectl top node NODE_NAME"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/explain/explain.go:46
+msgid ""
+"\n"
+"\t\t# Get the documentation of the resource and its fields\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# Get the documentation of a specific field of a resource\n"
+"\t\tkubectl explain pods.spec.containers"
+msgstr ""
+"\n"
+"\t\t# 获�资��其字段的文档\n"
+"\t\tkubectl explain pods\n"
+"\n"
+"\t\t# 获�资�指定字段的文档\n"
+"\t\tkubectl explain pods.spec.containers"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/options.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:29
+msgid ""
+"\n"
+"\t\t# Print flags inherited by all commands\n"
+"\t\tkubectl options"
+msgstr ""
+"\n"
+"\t\t# 输出所有命令继承的 flags\n"
+"\t\tkubectl options"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/version.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:44
+msgid ""
+"\n"
+"\t\t# Print the client and server versions for the current context\n"
+"\t\tkubectl version"
+msgstr ""
+"\n"
+"\t\t# 输出当�客户端和�务端的版本\n"
+"\t\tkubectl version"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiversions.go:34
+msgid ""
+"\n"
+"\t\t# Print the supported API versions\n"
+"\t\tkubectl api-versions"
+msgstr ""
+"\n"
+"\t\t# 输出支�的 API 版本\n"
+"\t\tkubectl api-versions"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/top/top_pod.go:75
+msgid ""
+"\n"
+"\t\t# Show metrics for all pods in the default namespace\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# Show metrics for all pods in the given namespace\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# Show metrics for a given pod and its containers\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# Show metrics for the pods defined by label name=myLabel\n"
+"\t\tkubectl top pod -l name=myLabel"
+msgstr ""
+"\n"
+"\t\t# 显示 default 命�空间下所有 Pods 的指标\n"
+"\t\tkubectl top pod\n"
+"\n"
+"\t\t# 显示指定命�空间下所有 Pods 的指标\n"
+"\t\tkubectl top pod --namespace=NAMESPACE\n"
+"\n"
+"\t\t# 显示指定 Pod 和它的容器的 metrics\n"
+"\t\tkubectl top pod POD_NAME --containers\n"
+"\n"
+"\t\t# 显示指定 label 为 name=myLabel 的 Pods 的 metrics\n"
+"\t\tkubectl top pod -l name=myLabel"
+
+#: pkg/kubectl/cmd/convert/convert.go:40
+msgid ""
+"\n"
+"\t\tConvert config files between different API versions. Both YAML\n"
+"\t\tand JSON formats are accepted.\n"
+"\n"
+"\t\tThe command takes filename, directory, or URL as input, and convert it "
+"into format\n"
+"\t\tof version specified by --output-version flag. If target version is not "
+"specified or\n"
+"\t\tnot supported, convert to latest version.\n"
+"\n"
+"\t\tThe default output will be printed to stdout in YAML format. One can use -"
+"o option\n"
+"\t\tto change to output destination."
+msgstr ""
+"\n"
+"\t\t在��的 API 版本之间转��置文件。接� YAML\n"
+"\t\t和 JSON 格�。\n"
+"\n"
+"\t\t这个命令以文件�, 目录, 或者 URL 作为输入，并通过 —output-version �数\n"
+"\t\t 转�到指定版本的格�。如果没有指定目标版本或者所指定版本\n"
+"\t\t�支�, 则转�为最新版本。\n"
+"\n"
+"\t\t默认以 YAML 格�输出到标准输出。�以使用 -o option\n"
+"\t\t修改目标输出的格�。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:39
+msgid ""
+"\n"
+"\t\tCreate a namespace with the specified name."
+msgstr ""
+"\n"
+"\t\t用给定�称创建一个命�空间。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L47
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_role.go:43
+msgid ""
+"\n"
+"\t\tCreate a role with single rule."
+msgstr ""
+"\n"
+"\t\t创建一个具有�一规则的角色。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:40
+msgid ""
+"\n"
+"\t\tCreate a service account with the specified name."
+msgstr ""
+"\n"
+"\t\t用指定的�称创建一个�务账户。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L127
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:84
+msgid ""
+"\n"
+"\t\tMark node as schedulable."
+msgstr ""
+"\n"
+"\t\t标记节点为�调度。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:55
+msgid ""
+"\n"
+"\t\tMark node as unschedulable."
+msgstr ""
+"\n"
+"\t\t标记节点为��调度。"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_set_last_applied.go:70
+msgid ""
+"\n"
+"\t\tSet the latest last-applied-configuration annotations by setting it to "
+"match the contents of a file.\n"
+"\t\tThis results in the last-applied-configuration being updated as though "
+"'kubectl apply -f <file>' was run,\n"
+"\t\twithout updating any other parts of the object."
+msgstr ""
+"\n"
+"\t\t设置最新的 last-applied-configuration 注解，使之匹��文件的内容。\n"
+"\t\t这会导致 last-applied-configuration 被更新，就�执行了 kubectl apply -f "
+"<file> 一样，\n"
+"\t\t�是�会更新对象的其他部分。"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:42
+msgid ""
+"\n"
+"\t  # Create a new namespace named my-namespace\n"
+"\t  kubectl create namespace my-namespace"
+msgstr ""
+"\n"
+"\t  # 创建一个�为 my-namespace 的新命�空间\n"
+"\t  kubectl create namespace my-namespace"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:43
+msgid ""
+"\n"
+"\t  # Create a new service account named my-service-account\n"
+"\t  kubectl create serviceaccount my-service-account"
+msgstr ""
+"\n"
+"\t  # 创建一个�为 my-service-account 的新�务�户\n"
+"\t  kubectl create serviceaccount my-service-account"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:344
+msgid ""
+"\n"
+"\tCreate an ExternalName service with the specified name.\n"
+"\n"
+"\tExternalName service references to an external DNS address instead of\n"
+"\tonly pods, which will allow application authors to reference services\n"
+"\tthat exist off platform, on other clusters, or locally."
+msgstr ""
+"\n"
+"\t创建具有指定�称的 ExternalName �务。\n"
+"\n"
+"\tExternalName �务引用外部 DNS 地�而�是 Pod 地�，\n"
+"\t这将�许应用程�作者引用存在于平�外�其他集群上或本地的�务。"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:28
+msgid ""
+"\n"
+"\tHelp provides help for any command in the application.\n"
+"\tSimply type kubectl help [path to command] for full details."
+msgstr ""
+"\n"
+"\tHelp 为应用程�中的任何命令�供帮助。\n"
+"\t�需键入 kubectl help [命令路径] ��获得完整的详细信�。"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:311
+msgid ""
+"\n"
+"    # Create a new LoadBalancer service named my-lbs\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+msgstr ""
+"\n"
+"    # 创建一个�称为 my-lbs 的新负载�衡�务\n"
+"    kubectl create service loadbalancer my-lbs --tcp=5678:8080"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:102
+msgid ""
+"\n"
+"    # Dump current cluster state to stdout\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # Dump current cluster state to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # Dump all namespaces to stdout\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # Dump a set of namespaces to /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+msgstr ""
+"\n"
+"    # 导出当�的集群状�信�到标准输出\n"
+"    kubectl cluster-info dump\n"
+"\n"
+"    # 导出当�的集群状�到 /path/to/cluster-state\n"
+"    kubectl cluster-info dump --output-directory=/path/to/cluster-state\n"
+"\n"
+"    # 导出所有命�空间到标准输出\n"
+"    kubectl cluster-info dump --all-namespaces\n"
+"\n"
+"    # 导出一组命�空间到 /path/to/cluster-state\n"
+"    kubectl cluster-info dump --namespaces default,kube-system --output-"
+"directory=/path/to/cluster-state"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:308
+msgid ""
+"\n"
+"    Create a LoadBalancer service with the specified name."
+msgstr ""
+"\n"
+"    使用一个指定的�称创建一个 LoadBalancer �务。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L61
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:107
+msgid ""
+"A comma-delimited set of quota scopes that must all match each object tracked "
+"by the quota."
+msgstr "一组以逗�分隔的��范围，必须全部匹���所跟踪的�个对象。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L60
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_quota.go:106
+msgid ""
+"A comma-delimited set of resource=quantity pairs that define a hard limit."
+msgstr "一组以逗�分隔的资�=数�对，用于定义硬性�制。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L63
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:113
+msgid ""
+"A label selector to use for this budget. Only equality-based selector "
+"requirements are supported."
+msgstr "一个用于该预算的标签选择器。�支�基于等值比较的选择器�求。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L106
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:152
+msgid ""
+"A label selector to use for this service. Only equality-based selector "
+"requirements are supported. If empty (the default) infer the selector from "
+"the replication controller or replica set.)"
+msgstr ""
+"用于此�务的标签选择器。仅支�基于等值比较的选择器�求。如果为空（默认），则从"
+"副本控制器或副本集中推断选择器。）"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L111
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:157
+msgid ""
+"Additional external IP address (not managed by Kubernetes) to accept for the "
+"service. If this IP is routed to a node, the service can be accessed by this "
+"IP in addition to its generated service IP."
+msgstr ""
+"为�务所接�的其他外部 IP 地�（�由 Kubernetes 管�）。如果这个 IP 被路由到一"
+"个节点，除了其生�的�务 IP 外，还�以通过这个 IP 访问�务。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L119
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:158
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:178
+msgid ""
+"An inline JSON override for the generated object. If this is non-empty, it is "
+"used to override the generated object. Requires that the object supply a "
+"valid apiVersion field."
+msgstr ""
+"针对所生�对象的内� JSON 覆盖。如果这一对象是�空的，将用于覆盖所生�的对象。"
+"�求对象�供有效的 apiVersion 字段。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:125
+msgid "Approve a certificate signing request"
+msgstr "批准一个�书签署请求"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L81
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_service.go:263
+msgid ""
+"Assign your own ClusterIP or set to 'None' for a 'headless' service (no "
+"loadbalancing)."
+msgstr "为“无头��务（无负载平衡）分�你自己的 ClusterIP 或设置为“无。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/attach.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go:105
+msgid "Attach to a running container"
+msgstr "挂接到一个�行中的容器"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L115
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:161
+msgid ""
+"ClusterIP to be assigned to the service. Leave empty to auto-allocate, or set "
+"to 'None' to create a headless service."
+msgstr ""
+"�分�给�务的 ClusterIP。留空表示自动分�，或设置为 “None� 以创建无头�务。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_clusterrolebinding.go#L55
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_clusterrolebinding.go:101
+msgid "ClusterRole this ClusterRoleBinding should reference"
+msgstr "ClusterRoleBinding 应该指定 ClusterRole"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L55
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:104
+msgid "ClusterRole this RoleBinding should reference"
+msgstr "RoleBinding 应该指定 ClusterRole"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/convert.go#L67
+#: pkg/kubectl/cmd/convert/convert.go:95
+msgid "Convert config files between different API versions"
+msgstr "在��的 API 版本之间转��置文件"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cp.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/cp/cp.go:106
+msgid "Copy files and directories to and from containers."
+msgstr "将文件和目录�制到容器中或从容器中�制出�。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L214
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:94
+msgid "Create a TLS secret"
+msgstr "创建一个 TLS secret"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_namespace.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_namespace.go:83
+msgid "Create a namespace with the specified name"
+msgstr "用指定的�称创建一个命�空间"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L143
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:134
+msgid "Create a secret for use with a Docker registry"
+msgstr "创建一个给 Docker registry 使用的 Secret"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L34
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:49
+msgid "Create a secret using specified subcommand"
+msgstr "使用指定的�命令创建一个 Secret"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_serviceaccount.go:85
+msgid "Create a service account with the specified name"
+msgstr "创建一个指定�称的�务账户"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_cluster.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "从 kubeconfig 中删除指定的集群"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/delete_context.go#L38
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "从 kubeconfig 中删除指定的上下文"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L121
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:174
+msgid "Deny a certificate signing request"
+msgstr "拒�一个�书签�请求"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_contexts.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "�述一个或多个上下文"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/get_clusters.go#L40
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "显示在 kubeconfig 中定义的集群"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/view.go#L64
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr "显示�并的 kubeconfig �置或一个指定的 kubeconfig 文件"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/get.go#L107
+#: staging/src/k8s.io/kubectl/pkg/cmd/get/get.go:165
+msgid "Display one or many resources"
+msgstr "显示一个或多个资�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L176
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:184
+msgid "Drain node in preparation for maintenance"
+msgstr "清空节点以准备维护"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/edit.go#L100
+#: staging/src/k8s.io/kubectl/pkg/cmd/edit/edit.go:77
+msgid "Edit a resource on the server"
+msgstr "编辑�务器上的资�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L159
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:152
+msgid "Email for Docker registry"
+msgstr "用于 Docker 镜�库的邮件地�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/exec.go#L68
+#: staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go:89
+msgid "Execute a command in a container"
+msgstr "在�个容器中执行一个命令"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/portforward.go#L75
+#: staging/src/k8s.io/kubectl/pkg/cmd/portforward/portforward.go:109
+msgid "Forward one or more local ports to a pod"
+msgstr "将一个或多个本地端�转�到�个 Pod"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/help.go#L36
+#: staging/src/k8s.io/kubectl/pkg/cmd/help/help.go:37
+msgid "Help about any command"
+msgstr "关于任何命令的帮助"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L114
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:160
+msgid ""
+"If non-empty, set the session affinity for the service to this; legal values: "
+"'None', 'ClientIP'"
+msgstr "如果�空，则将�务的会�亲和性设置为此值；�法值：'None'�'ClientIP'"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/annotate.go#L135
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:157
+msgid ""
+"If non-empty, the annotation update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single resource."
+msgstr ""
+"如果�空，则�有当所给值是对象的当�资�版本时，注解更新�会�功。 仅在指定�"
+"个资�时有效。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/label.go#L132
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:154
+msgid ""
+"If non-empty, the labels update will only succeed if this is the current "
+"resource-version for the object. Only valid when specifying a single resource."
+msgstr ""
+"如果�空，则标签更新�有在所给值是对象的当�资�版本时�会�功。仅在指定�个资"
+"�时有效。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L127
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:98
+msgid "Mark node as schedulable"
+msgstr "标记节点为�调度"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#: staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go:69
+msgid "Mark node as unschedulable"
+msgstr "标记节点为��调度"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_pause.go#L73
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_pause.go:83
+msgid "Mark the provided resource as paused"
+msgstr "将所指定的资�标记为已暂�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/certificates.go#L35
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:49
+#: staging/src/k8s.io/kubectl/pkg/cmd/certificates/certificates.go:50
+msgid "Modify certificate resources."
+msgstr "修改�书资�。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/config.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "修改 kubeconfig 文件"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L110
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:156
+msgid ""
+"Name or number for the port on the container that the service should direct "
+"traffic to. Optional."
+msgstr ""
+"此为端�的�称或端��，�务应将��定�到容器上的这一端�。此属性为�选。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/logs.go#L108
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:174
+msgid ""
+"Only return logs after a specific date (RFC3339). Defaults to all logs. Only "
+"one of since-time / since may be used."
+msgstr ""
+"仅返回在指定日期 (RFC3339) 之�的日志。默认为所有日志。�能使用 since-time / "
+"since 之一。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/completion.go#L97
+#: staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go:112
+msgid "Output shell completion code for the specified shell (bash or zsh)"
+msgstr "为指定的 Shell(Bash 或 zsh) 输出 Shell 补全代�。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L157
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:151
+msgid "Password for Docker registry authentication"
+msgstr "用于 Docker 镜�库身份验�的密�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L226
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:110
+msgid "Path to PEM encoded public key certificate."
+msgstr "PEM 编�的公钥�书的路径。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L227
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_tls.go:111
+msgid "Path to private key associated with given certificate."
+msgstr "与给定�书关�的�钥的路径。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/scale.go#L82
+#: staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go:130
+msgid ""
+"Precondition for resource version. Requires that the current resource version "
+"match this value in order to scale."
+msgstr "资�版本的���件。�求当�资�版本与此值匹��能进行扩缩�作。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/version.go#L39
+#: staging/src/k8s.io/kubectl/pkg/cmd/version/version.go:73
+msgid "Print the client and server version information"
+msgstr "输出客户端和�务端的版本信�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/options.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:38
+#: staging/src/k8s.io/kubectl/pkg/cmd/options/options.go:39
+msgid "Print the list of flags inherited by all commands"
+msgstr "输出所有命令的层级关系"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/logs.go#L86
+#: staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go:152
+msgid "Print the logs for a container in a pod"
+msgstr "打� Pod 中容器的日志"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_resume.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_resume.go:87
+msgid "Resume a paused resource"
+msgstr "��暂�的资�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L56
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_rolebinding.go:105
+msgid "Role this RoleBinding should reference"
+msgstr "RoleBinding 应该引用的 Role"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L94
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:152
+msgid "Run a particular image on the cluster"
+msgstr "在集群上�行特定镜�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/proxy.go#L68
+#: staging/src/k8s.io/kubectl/pkg/cmd/proxy/proxy.go:119
+msgid "Run a proxy to the Kubernetes API server"
+msgstr "�行一个指� Kubernetes API �务器的代�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L161
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:153
+msgid "Server location for Docker registry"
+msgstr "Docker 镜�库的�务器�置"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set.go#L37
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set.go:39
+msgid "Set specific features on objects"
+msgstr "为对象设置指定特性"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_selector.go#L81
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go:104
+msgid "Set the selector on a resource"
+msgstr "为资�设置选择器"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/describe.go#L80
+#: staging/src/k8s.io/kubectl/pkg/cmd/describe/describe.go:107
+msgid "Show details of a specific resource or group of resources"
+msgstr "显示特定资�或资�组的详细信�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_status.go#L57
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go:102
+msgid "Show the status of the rollout"
+msgstr "显示上线的状�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L108
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:154
+msgid "Synonym for --target-port"
+msgstr "--target-port 的�义�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L114
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:174
+msgid "The image for the container to run."
+msgstr "指定容器��行的镜�."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L116
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:176
+msgid ""
+"The image pull policy for the container. If left empty, this value will not "
+"be specified by the client and defaulted by the server"
+msgstr "容器的镜�拉�策略。如果留空，该值将�由客户端指定，由�务器默认设置"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L62
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_pdb.go:111
+msgid "The minimum number or percentage of available pods this budget requires."
+msgstr "此预算�求的�用 Pod 的最�数�或百分比。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L113
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:159
+msgid "The name for the newly created object."
+msgstr "新创建的对象的�称。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/autoscale.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go:125
+msgid ""
+"The name for the newly created object. If not specified, the name of the "
+"input resource will be used."
+msgstr "新创建的对象的�称。如果未指定，将使用输入资�的�称。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L98
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:147
+msgid ""
+"The name of the API generator to use. There are 2 generators: 'service/v1' "
+"and 'service/v2'. The only difference between them is that service port in v1 "
+"is named 'default', while it is left unnamed in v2. Default is 'service/v2'."
+msgstr ""
+"�使用的 API 生�器的�称。有两个生�器。'service/v1' 和 'service/v2'。它们之"
+"间唯一的区别是，v1 中的�务端�被命�为 'default'，如果在 v2 中没有指定�称。"
+"默认是 'service/v2'。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L99
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:148
+msgid "The network protocol for the service to be created. Default is 'TCP'."
+msgstr "�创建的�务的网络�议。默认为 “TCP�。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L100
+#: staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go:149
+msgid ""
+"The port that the service should serve on. Copied from the resource being "
+"exposed, if unspecified"
+msgstr "�务�使用的端�。如果没有指定，则从被暴露的资��制"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L131
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:194
+msgid ""
+"The resource requirement limits for this container.  For example, 'cpu=200m,"
+"memory=512Mi'.  Note that server side components may assign limits depending "
+"on the server configuration, such as limit ranges."
+msgstr ""
+"这个容器的资�需求�制。例如，\"cpu=200m,内存=512Mi\"。请注�，�务器端的组件"
+"�能会根��务器的�置�分��制，例如�制范围。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L130
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run.go:192
+msgid ""
+"The resource requirement requests for this container.  For example, 'cpu=100m,"
+"memory=256Mi'.  Note that server side components may assign requests "
+"depending on the server configuration, such as limit ranges."
+msgstr ""
+"这个容器的资�需求请求。例如，\"cpu=200m,内存=512Mi\"。请注�，�务器端的组件"
+"�能会根��务器的�置�分��制，例如�制范围。"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L87
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret.go:155
+msgid "The type of secret to create"
+msgstr "�创建的 Secret 类型"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_undo.go#L71
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_undo.go:87
+msgid "Undo a previous rollout"
+msgstr "撤销上一次的上线"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_resources.go#L101
+#: staging/src/k8s.io/kubectl/pkg/cmd/set/set_resources.go:116
+msgid "Update resource requests/limits on objects with pod templates"
+msgstr "使用 Pod 模�更新对象的资�请求/�制"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "更新一个资�的注解"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/label.go#L109
+#: staging/src/k8s.io/kubectl/pkg/cmd/label/label.go:133
+msgid "Update the labels on a resource"
+msgstr "更新�资�上的标签"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/taint.go#L88
+#: staging/src/k8s.io/kubectl/pkg/cmd/taint/taint.go:109
+msgid "Update the taints on one or more nodes"
+msgstr "更新一个或者多个节点上的污点"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L155
+#: staging/src/k8s.io/kubectl/pkg/cmd/create/create_secret_docker.go:150
+msgid "Username for Docker registry authentication"
+msgstr "用于 Docker 镜�库身份验�的用户�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout_history.go#L51
+#: staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_history.go:83
+msgid "View rollout history"
+msgstr "显示上线历�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/clusterinfo_dump.go#L45
+#: staging/src/k8s.io/kubectl/pkg/cmd/clusterinfo/clusterinfo_dump.go:85
+msgid ""
+"Where to output the files.  If empty or '-' uses stdout, otherwise creates a "
+"directory hierarchy in that directory"
+msgstr ""
+"在哪里输出文件。如果为空或 “-� 则使用标准输出，�则在该目录中创建目录层次结构"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/run/run_test.go:88
+msgid "dummy restart flag)"
+msgstr "�的��标志)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/cmd.go#L217
+#: staging/src/k8s.io/kubectl/pkg/cmd/cmd.go:227
+msgid "kubectl controls the Kubernetes cluster manager"
+msgstr "kubectl 控制 Kubernetes 集群管�器"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a ClusterRoleBinding for user1, user2, and group1 using the "
+#~ "cluster-admin ClusterRole\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # 使用 cluster-admin ClusterRole 为 user1, user2, and group1 创建一"
+#~ "个 ClusterRoleBinding\n"
+#~ "\t\t  kubectl create clusterrolebinding cluster-admin --"
+#~ "clusterrole=cluster-admin --user=user1 --user=user2 --group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a RoleBinding for user1, user2, and group1 using the admin "
+#~ "ClusterRole\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # 使用 admin ClusterRole 为 user1, user2, and group1 创建一个 "
+#~ "RoleBinding\n"
+#~ "\t\t  kubectl create rolebinding admin --clusterrole=admin --user=user1 --"
+#~ "user=user2 --group=group1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config based on folder bar\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with specified keys instead "
+#~ "of file basenames on disk\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # Create a new configmap named my-config with key1=config1 and "
+#~ "key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # 通过文件夹 bar 创建一个�称为 my-config 的 configmap\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t\t  # 创建一个�称为 my-config 的 configmap 并指定 keys 而�是使用�盘上"
+#~ "所在的文件�\n"
+#~ "\t\t  kubectl create configmap my-config --from-file=key1=/path/to/bar/"
+#~ "file1.txt --from-file=key2=/path/to/bar/file2.txt\n"
+#~ "\n"
+#~ "\t\t  # 创建一个�称为 my-config 的 configmap 且 key1=config1 和 "
+#~ "key2=config2\n"
+#~ "\t\t  kubectl create configmap my-config --from-literal=key1=config1 --"
+#~ "from-literal=key2=config2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t  # If you don't already have a .dockercfg file, you can create a "
+#~ "dockercfg secret directly by using:\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t  # 如果你还没有 .dockercfg 文件, 你�以直接使用下�的命令创建一个 "
+#~ "dockercfg 类型的 Secret：\n"
+#~ "\t\t  kubectl create secret docker-registry my-secret --docker-"
+#~ "server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-"
+#~ "password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Apply the configuration in pod.json to a pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Apply the JSON passed into stdin to a pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Note: --prune is still in Alpha\n"
+#~ "\t\t# Apply the configuration in manifest.yaml that matches label "
+#~ "app=nginx and delete all the other resources that are not in the file and "
+#~ "match label app=nginx.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# Apply the configuration in manifest.yaml and delete all the other "
+#~ "configmaps that are not in the file.\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/"
+#~ "ConfigMap"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 将 pod.json 上的�置应用于 pod.\n"
+#~ "\t\tkubectl apply -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# 将传入 stdin 的 JSON 应用到一个 pod.\n"
+#~ "\t\tcat pod.json | kubectl apply -f -\n"
+#~ "\n"
+#~ "\t\t# Note: --prune �然在 Alpha\n"
+#~ "\t\t# 应用在 manifest.yaml 中匹�标签 app=nginx 的资��置并删除所有�在这"
+#~ "个文件中并匹�标签app=nginx 的资�\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml -l app=nginx\n"
+#~ "\n"
+#~ "\t\t# 应用 manifest.yaml 的�置并删除所有�在这个文件中的 ConfigMaps。\n"
+#~ "\t\tkubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/"
+#~ "ConfigMap"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Auto scale a deployment \"foo\", with the number of pods between 2 "
+#~ "and 10, target CPU utilization specified so a default autoscaling policy "
+#~ "will be used:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# Auto scale a replication controller \"foo\", with the number of pods "
+#~ "between 1 and 5, target CPU utilization at 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 自动弹性伸缩 deployment \"foo\", pods 的数�在 2 和 10 之间, 目标 "
+#~ "CPU 指定为默认的弹性伸缩策略:\n"
+#~ "\t\tkubectl autoscale deployment foo --min=2 --max=10\n"
+#~ "\n"
+#~ "\t\t# 自动弹性伸缩 replication controller \"foo\", pods 的数�在 1 和 5 之"
+#~ "间, 目标 CPU 利用率为 80%:\n"
+#~ "\t\tkubectl autoscale rc foo --max=5 --cpu-percent=80"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Convert 'pod.yaml' to latest version and print to stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# Convert the live state of the resource specified by 'pod.yaml' to "
+#~ "the latest version\n"
+#~ "\t\t# and print to stdout in json format.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# Convert all files under current directory to latest version and "
+#~ "create them all.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 将’pod.yaml' 转�为最新版本并打�到 stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml\n"
+#~ "\n"
+#~ "\t\t# 将 ‘pod.yaml' 指定的资�的实时状�转�为最新版本\n"
+#~ "\t\t# 并以 json 格�打�到 stdout.\n"
+#~ "\t\tkubectl convert -f pod.yaml --local -o json\n"
+#~ "\n"
+#~ "\t\t# 将当�目录下的所以文件转�为最新版本并创建它们.\n"
+#~ "\t\tkubectl convert -f . | kubectl create -f -"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" that allows user to "
+#~ "perform \"get\", \"watch\" and \"list\" on pods\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# Create a ClusterRole named \"pod-reader\" with ResourceName "
+#~ "specified\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 创建一个�为 \"pod-reader\" 的 ClusterRole, �许用户在 pods 上执行 "
+#~ "“get\", \"watch\" 和 \"list\"\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods\n"
+#~ "\n"
+#~ "\t\t# 创建一个�为 \"pod-reader\" ClusterRole, 其中指定了 ResourceName\n"
+#~ "\t\tkubectl create clusterrole pod-reader --verb=get,list,watch --"
+#~ "resource=pods --resource-name=readablepod"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named my-quota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,"
+#~ "replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# Create a new resourcequota named best-effort\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 创建一个�为 my-quota 的 resourcequota\n"
+#~ "\t\tkubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,"
+#~ "replicationcontrollers=2,resourcequotas=1,secrets=5,"
+#~ "persistentvolumeclaims=10\n"
+#~ "\n"
+#~ "\t\t# 创建一个�为 best-effort 的 resourcequota\n"
+#~ "\t\tkubectl create quota best-effort --hard=pods=100 --scopes=BestEffort"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=rails label\n"
+#~ "\t\t# and require at least one of them being available at any point in "
+#~ "time.\n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# Create a pod disruption budget named my-pdb that will select all "
+#~ "pods with the app=nginx label\n"
+#~ "\t\t# and require at least half of the pods selected to be available at "
+#~ "any point in time.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 创建一个�称为 my-pdb 的 pod disruption budget 并将会选择所有 "
+#~ "app=rails 标签的 pods\n"
+#~ "\t\t# 并�求他们在�一时间中最少有一个�用. \n"
+#~ "\t\tkubectl create poddisruptionbudget my-pdb --selector=app=rails --min-"
+#~ "available=1\n"
+#~ "\n"
+#~ "\t\t# 创建一个�称为 my-pdb 的 pod disruption budget 并将会选择所有 "
+#~ "app=rails 标签的 pods\n"
+#~ "\t\t# 并�求他们在�一时间中最少有一��用.\n"
+#~ "\t\tkubectl create pdb my-pdb --selector=app=nginx --min-available=50%"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a pod using the data in pod.json.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Create a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# Edit the data in docker-registry.yaml in JSON using the v1 API "
+#~ "format then create the resource using the edited data.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 使用在 pod.json 的 数�创建一个 pod.\n"
+#~ "\t\tkubectl create -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# 根�传入 stdin 的 JSON 创建一个 pod.\n"
+#~ "\t\tcat pod.json | kubectl create -f -\n"
+#~ "\n"
+#~ "\t\t# 使用 v1 API 格�在 JSON 中编辑在 docker-registry.yaml 中的数�然�使"
+#~ "用被编辑�的数�创建资�.\n"
+#~ "\t\tkubectl create -f docker-registry.yaml --edit --output-version=v1 -o "
+#~ "json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx, which serves on port 80 and "
+#~ "connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replication controller identified by type and "
+#~ "name specified in \"nginx-controller.yaml\", which serves on port 80 and "
+#~ "connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for a pod valid-pod, which serves on port 444 with "
+#~ "the name \"frontend\"\n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# Create a second service based on the above service, exposing the "
+#~ "container port 8443 as port 443 with the name \"nginx-https\"\n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated streaming application on port 4100 "
+#~ "balancing UDP traffic and named 'video-stream'.\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# Create a service for a replicated nginx using replica set, which "
+#~ "serves on port 80 and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# Create a service for an nginx deployment, which serves on port 80 "
+#~ "and connects to the containers on port 8000.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 为一个 replicated nginx 创建一个 service, �务在端� 80 并连接到 "
+#~ "containers 的8000端�.\n"
+#~ "\t\tkubectl expose rc nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# 使用在 \"nginx-controller.yaml\\ 中指定的 type 和 name 为一个"
+#~ "replication controller 创建一个 service, �务在端� 80 并连接到 containers "
+#~ "的8000端�.\n"
+#~ "\t\tkubectl expose -f nginx-controller.yaml --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# 为�为 valid-pod 的 pod 创建一个 service, �务在端� 444 并命�为 "
+#~ "\"frontend\" \n"
+#~ "\t\tkubectl expose pod valid-pod --port=444 --name=frontend\n"
+#~ "\n"
+#~ "\t\t# 基于上�的 service 创建第二个 service, 暴露容器端� 8443 并命�为 "
+#~ "\"nginx-https\" 端�为 443 \n"
+#~ "\t\tkubectl expose service nginx --port=443 --target-port=8443 --"
+#~ "name=nginx-https\n"
+#~ "\n"
+#~ "\t\t# 为一个�称为 streaming 的应用创建一个 service 暴露端� 4100, �议为 "
+#~ "UDP �称为 'video-stream'.\n"
+#~ "\t\tkubectl expose rc streamer --port=4100 --protocol=udp --name=video-"
+#~ "stream\n"
+#~ "\n"
+#~ "\t\t# 为一个�称为 nginx 的 replica set 创建一个 service, �务在 端� 80 且"
+#~ "连接到容器端� 8000.\n"
+#~ "\t\tkubectl expose rs nginx --port=80 --target-port=8000\n"
+#~ "\n"
+#~ "\t\t# 为一个�称为 nginx 的 deployment 创建一个 service, �务在端� 80 且 "
+#~ "连接到 containers 的 8000 端�.\n"
+#~ "\t\tkubectl expose deployment nginx --port=80 --target-port=8000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Delete a pod using the type and name specified in pod.json.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Delete a pod based on the type and name in the JSON passed into "
+#~ "stdin.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with same names \"baz\" and \"foo\"\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# Delete pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Delete a pod with minimal delay\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# Force delete a pod on a dead node\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# Delete all pods\n"
+#~ "\t\tkubectl delete pods --all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 使用 pod.json 中的类型和�称删除一个 pod.\n"
+#~ "\t\tkubectl delete -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# 基于�定�到 stdin 中的 JSON 的类型和�称删除一个 pod.\n"
+#~ "\t\tcat pod.json | kubectl delete -f -\n"
+#~ "\n"
+#~ "\t\t# 删除�为 \"baz\" 和 \"foo\" 的 pod 和 service\n"
+#~ "\t\tkubectl delete pod,service baz foo\n"
+#~ "\n"
+#~ "\t\t# 删除标签为 name=myLabel 的 pods 和 services.\n"
+#~ "\t\tkubectl delete pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# 删除最�延迟的 pod\n"
+#~ "\t\tkubectl delete pod foo --now\n"
+#~ "\n"
+#~ "\t\t# 强制删除�为 foo 的 pod\n"
+#~ "\t\tkubectl delete pod foo --grace-period=0 --force\n"
+#~ "\n"
+#~ "\t\t# 删除所有 pods\n"
+#~ "\t\tkubectl delete pods --all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Describe a node\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# Describe a pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# Describe a pod identified by type and name in \"pod.json\"\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# Describe all pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# Describe pods by label name=myLabel\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Describe all pods managed by the 'frontend' replication controller "
+#~ "(rc-created pods\n"
+#~ "\t\t# get the name of the rc as a prefix in the pod the name).\n"
+#~ "\t\tkubectl describe pods frontend"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# �述一个 node\n"
+#~ "\t\tkubectl describe nodes kubernetes-node-emt8.c.myproject.internal\n"
+#~ "\n"
+#~ "\t\t# �述一个 pod\n"
+#~ "\t\tkubectl describe pods/nginx\n"
+#~ "\n"
+#~ "\t\t# �述一个被 \"pod.json\" 中的类型和�称标识的 pod\n"
+#~ "\t\tkubectl describe -f pod.json\n"
+#~ "\n"
+#~ "\t\t# �述所有 pods\n"
+#~ "\t\tkubectl describe pods\n"
+#~ "\n"
+#~ "\t\t# �述标签为 name=myLabel 的 pods\n"
+#~ "\t\tkubectl describe po -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# �述所有被�称为 'frontend' 的 replication controller 管�的 pods(rc-"
+#~ "创建 pods\n"
+#~ "\t\t# 并使用 rc 的�称作为 pod 的�缀).\n"
+#~ "\t\tkubectl describe pods frontend"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Drain node \"foo\", even if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet on it.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# As above, but abort if there are pods not managed by a "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet 或者 StatefulSet, and "
+#~ "use a grace period of 15 minutes.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 驱�节点 \"foo\", �使很多 pods 没有被一个在 node 上的 "
+#~ "ReplicationController, ReplicaSet, Job, DaemonSet 或者 StatefulSet 管�.\n"
+#~ "\t\t$ kubectl drain foo --force\n"
+#~ "\n"
+#~ "\t\t# �上, 如果存在 pods 没有被一个 ReplicationController, ReplicaSet, "
+#~ "Job, DaemonSet 或者 StatefulSet 管�超过 15 分钟则退出.\n"
+#~ "\t\t$ kubectl drain foo --grace-period=900"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Edit the service named 'docker-registry':\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Use an alternative editor\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# Edit the job 'myjob' in JSON using the v1 API format:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# Edit the deployment 'mydeployment' in YAML and save the modified "
+#~ "config in its annotation:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 编辑�为 'docker-registry' 的 service:\n"
+#~ "\t\tkubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# 使用一个�选择的编辑器\n"
+#~ "\t\tKUBE_EDITOR=\"nano\" kubectl edit svc/docker-registry\n"
+#~ "\n"
+#~ "\t\t# 使用 v1 API 格�的 JSON 编辑�为 'myjob' 的 job:\n"
+#~ "\t\tkubectl edit job.v1.batch/myjob -o json\n"
+#~ "\n"
+#~ "\t\t# 在 YAML 中编辑�为 'mydeployment' 的 deployment 并在它的注解中�存修"
+#~ "改�的�置:\n"
+#~ "\t\tkubectl edit deployment/mydeployment -o yaml --save-config"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running 'date' from pod 123456-7890, using the first "
+#~ "container by default\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# Get output from running 'date' in ruby-container from pod "
+#~ "123456-7890\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-container "
+#~ "from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 从�行中pod 123456-7890 获�执行 'date' 的输出, 默认使用第一个容器\n"
+#~ "\t\tkubectl exec 123456-7890 date\n"
+#~ "\n"
+#~ "\t\t# 从 pod 123456-7890 的容器 ruby-container 获�执行 'date' 的输出\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container date\n"
+#~ "\n"
+#~ "\t\t# 切�到 terminal 模�, �� stdin 到�行在 pod 123456-7890 的容器 "
+#~ "ruby-container 'bash' \n"
+#~ "\t\t# 并从 'bash' �� stdout/stderr 返回到 client\n"
+#~ "\t\tkubectl exec 123456-7890 -c ruby-container -i -t -- bash -il"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Get output from running pod 123456-7890, using the first container "
+#~ "by default\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# Get output from ruby-container from pod 123456-7890\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# Switch to raw terminal mode, sends stdin to 'bash' in ruby-container "
+#~ "from pod 123456-7890\n"
+#~ "\t\t# and sends stdout/stderr from 'bash' back to the client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# Get output from the first pod of a ReplicaSet named nginx\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 从�行中pod 123456-7890 获�执行 'date' 的输出, 默认使用第一个容器\n"
+#~ "\t\tkubectl attach 123456-7890\n"
+#~ "\n"
+#~ "\t\t# 从 pod 123456-7890 的容器 ruby-container 获�输出\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container\n"
+#~ "\n"
+#~ "\t\t# 切�到 terminal 模�, �� stdin 到�行在 pod 123456-7890 的容器 "
+#~ "ruby-container 'bash' \n"
+#~ "\t\t# 并从 'bash' �� stdout/stderr 返回到 client\n"
+#~ "\t\tkubectl attach 123456-7890 -c ruby-container -i -t\n"
+#~ "\n"
+#~ "\t\t# 从�称为 nginx 的 ReplicaSet 获�第一个 pod 的输出\n"
+#~ "\t\tkubectl attach rs/nginx\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Install bash completion on a Mac using homebrew\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash completion support\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for bash into the current shell\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# Write bash completion code to a file and source if from ."
+#~ "bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell completion\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# Load the kubectl completion code for zsh[1] into the current shell\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 在一个 Mac 中使用 homebrew 安装 bash 补全\n"
+#~ "\t\tbrew install bash-completion\n"
+#~ "\t\tprintf \"\n"
+#~ "# Bash 补全支�\n"
+#~ "source $(brew --prefix)/etc/bash_completion\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# 导入 kubectl 补全代�到当� shell\n"
+#~ "\t\tsource <(kubectl completion bash)\n"
+#~ "\n"
+#~ "\t\t# 写入 bash 补全代�到一个文件并 source 如果它是 .bash_profile\n"
+#~ "\t\tkubectl completion bash > ~/.kube/completion.bash.inc\n"
+#~ "\t\tprintf \"\n"
+#~ "# Kubectl shell 补全\n"
+#~ "source '$HOME/.kube/completion.bash.inc'\n"
+#~ "\" >> $HOME/.bash_profile\n"
+#~ "\t\tsource $HOME/.bash_profile\n"
+#~ "\n"
+#~ "\t\t# 为 zsh[1] 导入 kubectl 补全代�到当� shell\n"
+#~ "\t\tsource <(kubectl completion zsh)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# List all pods in ps output format.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# List all pods in ps output format with more information (such as "
+#~ "node name).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# List a single replication controller with specified NAME in ps "
+#~ "output format.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# List a single pod in JSON output format.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List a pod identified by type and name specified in \"pod.yaml\" in "
+#~ "JSON output format.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# Return only the phase value of the specified pod.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# List all replication controllers and services together in ps output "
+#~ "format.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# List one or more resources by their type and names.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# List all resources with different types.\n"
+#~ "\t\tkubectl get all"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 以 ps 输出格�列出所有 pod.\n"
+#~ "\t\tkubectl get pods\n"
+#~ "\n"
+#~ "\t\t# 以 ps 输出格�列出所有 pod(如节点�称).\n"
+#~ "\t\tkubectl get pods -o wide\n"
+#~ "\n"
+#~ "\t\t# 获��称为 web 的 replicationcontroller.\n"
+#~ "\t\tkubectl get replicationcontroller web\n"
+#~ "\n"
+#~ "\t\t# 使用 JSON 格�化输出显示一个�独的 pod.\n"
+#~ "\t\tkubectl get -o json pod web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# 显示一个被 \"pod.yaml\" 中的 type 和 name 标识的 pod 并使用 JSON 格�"
+#~ "化输出.\n"
+#~ "\t\tkubectl get -f pod.yaml -o json\n"
+#~ "\n"
+#~ "\t\t# �返回被指定 pod 中 phase 的值.\n"
+#~ "\t\tkubectl get -o template pod/web-pod-13je7 --template={{.status."
+#~ "phase}}\n"
+#~ "\n"
+#~ "\t\t# 显示所有的 replication controllers 和 services 并格�化输出.\n"
+#~ "\t\tkubectl get rc,services\n"
+#~ "\n"
+#~ "\t\t# 显示一个或者更多 resources 通过它们的 type 和 names.\n"
+#~ "\t\tkubectl get rc/web service/frontend pods/web-pod-13je7\n"
+#~ "\n"
+#~ "\t\t# 使用��的 types 显示所有 resources.\n"
+#~ "\t\tkubectl get all"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Listen on ports 5000 and 6000 locally, forwarding data to/from ports "
+#~ "5000 and 6000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 5000 6000\n"
+#~ "\n"
+#~ "\t\t# Listen on port 8888 locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 8888:5000\n"
+#~ "\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod :5000\n"
+#~ "\n"
+#~ "\t\t# Listen on a random port locally, forwarding to 5000 in the pod\n"
+#~ "\t\tkubectl port-forward mypod 0:5000"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 在本地监�端� 5000 和 6000 , forwarding 数� to/from 在 pod 5000 和 "
+#~ "6000 端�\n"
+#~ "\t\tkubectl port-forward mypod 5000 6000\n"
+#~ "\n"
+#~ "\t\t# 在本地监�端� 8888 , forwarding 到 pod 的 5000端�\n"
+#~ "\t\tkubectl port-forward mypod 8888:5000\n"
+#~ "\n"
+#~ "\t\t# 在本地�机监�一个端� , forwarding 到 pod 的 5000端�\n"
+#~ "\t\tkubectl port-forward mypod :5000\n"
+#~ "\n"
+#~ "\t\t# 在本地�机监�一个端� , forwarding 到 pod 的 5000端�\n"
+#~ "\t\tkubectl port-forward mypod 0:5000"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as schedulable.\n"
+#~ "\t\t$ kubectl uncordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 标记 node \"foo\" 为 schedulable.\n"
+#~ "\t\t$ kubectl uncordon foo"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/drain.go#L102
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Mark node \"foo\" as unschedulable.\n"
+#~ "\t\tkubectl cordon foo"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 标记 node \"foo\" 为 unschedulable.\n"
+#~ "\t\tkubectl cordon foo"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Partially update a node using strategic merge patch\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# Partially update a node identified by the type and name specified in "
+#~ "\"node.json\" using strategic merge patch\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image; spec.containers[*].name is required "
+#~ "because it's a merge key\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t# Update a container's image using a json patch with positional "
+#~ "arrays\n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 使用 strategic merge patch 部分更新一个 node\n"
+#~ "\t\tkubectl patch node k8s-node-1 -p '{\"spec\":{\"unschedulable\":"
+#~ "true}}'\n"
+#~ "\n"
+#~ "\t\t# 使用 strategic merge patch 部分更新一个被 \"node.json\" 的 type 和 "
+#~ "name 标示  的 node.\n"
+#~ "\t\tkubectl patch -f node.json -p '{\"spec\":{\"unschedulable\":true}}'\n"
+#~ "\n"
+#~ "\t\t# 更新一个 container 的 image; spec.containers[*].name 是必须的 因为它"
+#~ "是一个 merge key\n"
+#~ "\t\tkubectl patch pod valid-pod -p '{\"spec\":{\"containers\":[{\"name\":"
+#~ "\"kubernetes-serve-hostname\",\"image\":\"new image\"}]}}'\n"
+#~ "\n"
+#~ "\t\t#  使用一个 json patch 更新一个指定�标的 container 的 image \n"
+#~ "\t\tkubectl patch pod valid-pod --type='json' -p='[{\"op\": \"replace\", "
+#~ "\"path\": \"/spec/containers/0/image\", \"value\":\"new image\"}]'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Print the address of the master and cluster services\n"
+#~ "\t\tkubectl cluster-info"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 输出 master 和 cluster services 的地�\n"
+#~ "\t\tkubectl cluster-info"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Replace a pod using the data in pod.json.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# Replace a pod based on the JSON passed into stdin.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Update a single-container pod's image version (tag) to v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# Force replace, delete and then re-create the resource\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 使用在 pod.json 中的数�替�一个 pod.\n"
+#~ "\t\tkubectl replace -f ./pod.json\n"
+#~ "\n"
+#~ "\t\t# 基于被�定�到 stdin 中的 JSON 替�一个 pod.\n"
+#~ "\t\tcat pod.json | kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# 更新一个�独容器的 pod 的 image 版本 (tag) 到 v4\n"
+#~ "\t\tkubectl get pod mypod -o yaml | sed 's/\\(image: myimage\\):.*$/
:v4/' "
+#~ "| kubectl replace -f -\n"
+#~ "\n"
+#~ "\t\t# 强制替�, 删除然��新创建这个 resource\n"
+#~ "\t\tkubectl replace --force -f ./pod.json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Return snapshot logs from pod nginx with only one container\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs for the pods defined by label app=nginx\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot of previous terminated ruby container logs from pod "
+#~ "web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Show all logs from pod nginx written in the last hour\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from first container of a job named hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+#~ "nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 返回仅有一个容器 pod �称为 nginx 的 snapshot 日志\n"
+#~ "\t\tkubectl logs nginx\n"
+#~ "\n"
+#~ "\t\t# 返回 label 为 app=nginx 的 pods 的 snapshot 日志\n"
+#~ "\t\tkubectl logs -lapp=nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot of previous terminated ruby container logs from pod "
+#~ "web-1\n"
+#~ "\t\tkubectl logs -p -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Begin streaming the logs of the ruby container in pod web-1\n"
+#~ "\t\tkubectl logs -f -c ruby web-1\n"
+#~ "\n"
+#~ "\t\t# Display only the most recent 20 lines of output in pod nginx\n"
+#~ "\t\tkubectl logs --tail=20 nginx\n"
+#~ "\n"
+#~ "\t\t# Show all logs from pod nginx written in the last hour\n"
+#~ "\t\tkubectl logs --since=1h nginx\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from first container of a job named hello\n"
+#~ "\t\tkubectl logs job/hello\n"
+#~ "\n"
+#~ "\t\t# Return snapshot logs from container nginx-1 of a deployment named "
+#~ "nginx\n"
+#~ "\t\tkubectl logs deployment/nginx -c nginx-1"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on port 8011, serving static "
+#~ "content from ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver on an arbitrary local port.\n"
+#~ "\t\t# The chosen port for the server will be output to stdout.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# Run a proxy to kubernetes apiserver, changing the api prefix to k8s-"
+#~ "api\n"
+#~ "\t\t# This makes e.g. the pods api available at localhost:8001/k8s-api/v1/"
+#~ "pods/\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# �行 proxy 到 kubernetes apiserver 的 8011 端�上, �务��内容路径"
+#~ "为 ./local/www/\n"
+#~ "\t\tkubectl proxy --port=8011 --www=./local/www/\n"
+#~ "\n"
+#~ "\t\t# 在任�的本地端�上�行一个 proxy 到 kubernetes apiserver.\n"
+#~ "\t\t# 为这个 server 挑选的端�将会被输出到 stdout.\n"
+#~ "\t\tkubectl proxy --port=0\n"
+#~ "\n"
+#~ "\t\t# �行一个 proxy 到 kubernetes apiserver, 修改 api prefix 为 k8s-api\n"
+#~ "\t\t# 这会使 e.g. 这个 pods 的有效 api 为 localhost:8001/k8s-api/v1/pods/\n"
+#~ "\t\tkubectl proxy --api-prefix=/k8s-api"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Scale a replicaset named 'foo' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Scale a resource identified by type and name specified in \"foo."
+#~ "yaml\" to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# If the deployment named mysql's current size is 2, scale mysql to "
+#~ "3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Scale multiple replication controllers.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Scale job named 'cron' to 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Scale 一个�称为 ‘foo’ 的 replicaset �本数为 3.\n"
+#~ "\t\tkubectl scale --replicas=3 rs/foo\n"
+#~ "\n"
+#~ "\t\t# Scale 指定的 \"foo.yaml\" 的 type 和 name 标识的 resource 副本数�为 "
+#~ "3.\n"
+#~ "\t\tkubectl scale --replicas=3 -f foo.yaml\n"
+#~ "\n"
+#~ "\t\t# 如果�称为 mysql 的 deployment 当�副本数�为 2, scale mysql 到 3.\n"
+#~ "\t\tkubectl scale --current-replicas=2 --replicas=3 deployment/mysql\n"
+#~ "\n"
+#~ "\t\t# Scale 多个 replication controllers.\n"
+#~ "\t\tkubectl scale --replicas=5 rc/foo rc/bar rc/baz\n"
+#~ "\n"
+#~ "\t\t# Scale �称为 ’cron’ 的 job 副本数�为 3.\n"
+#~ "\t\tkubectl scale --replicas=3 job/cron"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Execute set-last-applied against each configuration file in a "
+#~ "directory.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# Set the last-applied-configuration of a resource to match the "
+#~ "contents of a file, will create the annotation if it does not already "
+#~ "exist.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# 设置一个资�的 last-applied-configuration 去匹�一个文件的内容.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml\n"
+#~ "\n"
+#~ "\t\t# Execute set-last-applied against each configuration file in a "
+#~ "directory.\n"
+#~ "\t\tkubectl apply set-last-applied -f path/\n"
+#~ "\n"
+#~ "\t\t# 设置一个资�的 last-applied-configuration 去匹�一个文件的内容, 如果"
+#~ "�存在将会创建一个 annotation.\n"
+#~ "\t\tkubectl apply set-last-applied -f deploy.yaml --create-"
+#~ "annotation=true\n"
+#~ "\t\t"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Shut down foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stop pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Shut down the service defined in service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Shut down all resources in the path/to/resources directory\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Shut down foo.\n"
+#~ "\t\tkubectl stop replicationcontroller foo\n"
+#~ "\n"
+#~ "\t\t# Stop pods and services with label name=myLabel.\n"
+#~ "\t\tkubectl stop pods,services -l name=myLabel\n"
+#~ "\n"
+#~ "\t\t# Shut down the service defined in service.json\n"
+#~ "\t\tkubectl stop -f service.json\n"
+#~ "\n"
+#~ "\t\t# Shut down all resources in the path/to/resources directory\n"
+#~ "\t\tkubectl stop -f path/to/resources"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and let the container expose "
+#~ "port 5701 .\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and set environment variables "
+#~ "\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" --"
+#~ "env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Start a replicated instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Print the corresponding API objects without creating them.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx, but overload the spec of the "
+#~ "deployment with a partial set of values parsed from JSON.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": \"v1\", "
+#~ "\"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Start a pod of busybox and keep it in the foreground, don't restart "
+#~ "it if it exits.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using the default command, but use custom "
+#~ "arguments (arg1 .. argN) for that command.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using a different command and custom "
+#~ "arguments.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the perl container to compute π to 2000 places and print it "
+#~ "out.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Start the cron job to compute π to 2000 places and print it out "
+#~ "every 5 minutes.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and let the container expose "
+#~ "port 5701 .\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --port=5701\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of hazelcast and set environment variables "
+#~ "\"DNS_DOMAIN=cluster\" and \"POD_NAMESPACE=default\" in the container.\n"
+#~ "\t\tkubectl run hazelcast --image=hazelcast --env=\"DNS_DOMAIN=cluster\" --"
+#~ "env=\"POD_NAMESPACE=default\"\n"
+#~ "\n"
+#~ "\t\t# Start a replicated instance of nginx.\n"
+#~ "\t\tkubectl run nginx --image=nginx --replicas=5\n"
+#~ "\n"
+#~ "\t\t# Dry run. Print the corresponding API objects without creating them.\n"
+#~ "\t\tkubectl run nginx --image=nginx --dry-run\n"
+#~ "\n"
+#~ "\t\t# Start a single instance of nginx, but overload the spec of the "
+#~ "deployment with a partial set of values parsed from JSON.\n"
+#~ "\t\tkubectl run nginx --image=nginx --overrides='{ \"apiVersion\": \"v1\", "
+#~ "\"spec\": { ... } }'\n"
+#~ "\n"
+#~ "\t\t# Start a pod of busybox and keep it in the foreground, don't restart "
+#~ "it if it exits.\n"
+#~ "\t\tkubectl run -i -t busybox --image=busybox --restart=Never\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using the default command, but use custom "
+#~ "arguments (arg1 .. argN) for that command.\n"
+#~ "\t\tkubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the nginx container using a different command and custom "
+#~ "arguments.\n"
+#~ "\t\tkubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>\n"
+#~ "\n"
+#~ "\t\t# Start the perl container to compute π to 2000 places and print it "
+#~ "out.\n"
+#~ "\t\tkubectl run pi --image=perl --restart=OnFailure -- perl -Mbignum=bpi -"
+#~ "wle 'print bpi(2000)'\n"
+#~ "\n"
+#~ "\t\t# Start the cron job to compute π to 2000 places and print it out "
+#~ "every 5 minutes.\n"
+#~ "\t\tkubectl run pi --schedule=\"0/5 * * * ?\" --image=perl --"
+#~ "restart=OnFailure -- perl -Mbignum=bpi -wle 'print bpi(2000)'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update node 'foo' with a taint with key 'dedicated' and value "
+#~ "'special-user' and effect 'NoSchedule'.\n"
+#~ "\t\t# If a taint with that key and effect already exists, its value is "
+#~ "replaced as specified.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+#~ "'NoSchedule' if one exists.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Update node 'foo' with a taint with key 'dedicated' and value "
+#~ "'special-user' and effect 'NoSchedule'.\n"
+#~ "\t\t# If a taint with that key and effect already exists, its value is "
+#~ "replaced as specified.\n"
+#~ "\t\tkubectl taint nodes foo dedicated=special-user:NoSchedule\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' the taint with key 'dedicated' and effect "
+#~ "'NoSchedule' if one exists.\n"
+#~ "\t\tkubectl taint nodes foo dedicated:NoSchedule-\n"
+#~ "\n"
+#~ "\t\t# Remove from node 'foo' all the taints with key 'dedicated'\n"
+#~ "\t\tkubectl taint nodes foo dedicated-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+#~ "overwriting any existing value.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update all pods in the namespace\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' by removing a label named 'bar' if it exists.\n"
+#~ "\t\t# Does not require the --overwrite flag.\n"
+#~ "\t\tkubectl label pods foo bar-"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'unhealthy' and the value 'true'.\n"
+#~ "\t\tkubectl label pods foo unhealthy=true\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' with the label 'status' and the value 'unhealthy', "
+#~ "overwriting any existing value.\n"
+#~ "\t\tkubectl label --overwrite pods foo status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update all pods in the namespace\n"
+#~ "\t\tkubectl label pods --all status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update a pod identified by the type and name in \"pod.json\"\n"
+#~ "\t\tkubectl label -f pod.json status=unhealthy\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "\t\tkubectl label pods foo status=unhealthy --resource-version=1\n"
+#~ "\n"
+#~ "\t\t# Update pod 'foo' by removing a label named 'bar' if it exists.\n"
+#~ "\t\t# Does not require the --overwrite flag.\n"
+#~ "\t\tkubectl label pods foo bar-"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using new replication controller data in "
+#~ "frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using JSON data passed into stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend-v1 to frontend-v2 by just changing the "
+#~ "image, and switching the\n"
+#~ "\t\t# name of the replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend by just changing the image, and keeping "
+#~ "the old name.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Abort and reverse an existing rollout in progress (from frontend-v1 "
+#~ "to frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using new replication controller data in "
+#~ "frontend-v2.json.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 -f frontend-v2.json\n"
+#~ "\n"
+#~ "\t\t# Update pods of frontend-v1 using JSON data passed into stdin.\n"
+#~ "\t\tcat frontend-v2.json | kubectl rolling-update frontend-v1 -f -\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend-v1 to frontend-v2 by just changing the "
+#~ "image, and switching the\n"
+#~ "\t\t# name of the replication controller.\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Update the pods of frontend by just changing the image, and keeping "
+#~ "the old name.\n"
+#~ "\t\tkubectl rolling-update frontend --image=image:v2\n"
+#~ "\n"
+#~ "\t\t# Abort and reverse an existing rollout in progress (from frontend-v1 "
+#~ "to frontend-v2).\n"
+#~ "\t\tkubectl rolling-update frontend-v1 frontend-v2 --rollback"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by type/name in "
+#~ "YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by file in JSON\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by type/name in "
+#~ "YAML.\n"
+#~ "\t\tkubectl apply view-last-applied deployment/nginx\n"
+#~ "\n"
+#~ "\t\t# View the last-applied-configuration annotations by file in JSON\n"
+#~ "\t\tkubectl apply view-last-applied -f deploy.yaml -o json"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tApply a configuration to a resource by filename or stdin.\n"
+#~ "\t\tThis resource will be created if it doesn't exist yet.\n"
+#~ "\t\tTo use 'apply', always create the resource initially with either "
+#~ "'apply' or 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do "
+#~ "not use unless you are aware of what the current state is. See https://"
+#~ "issues.k8s.io/34274."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t通过文件�或标准输入�(stdin)对资�进行�置.\n"
+#~ "\t\tThis resource will be created if it doesn't exist yet.\n"
+#~ "\t\tTo use 'apply', always create the resource initially with either "
+#~ "'apply' or 'create --save-config'.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ "\n"
+#~ "\t\tAlpha Disclaimer: the --prune functionality is not yet complete. Do "
+#~ "not use unless you are aware of what the current state is. See https://"
+#~ "issues.k8s.io/34274."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L68
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t创建一个 ClusterRole."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_clusterrolebinding.go#L43
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a ClusterRoleBinding for a particular ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t 为指定的 ClusterRole 创建一个 ClusterRoleBinding."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L43
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a RoleBinding for a particular Role or ClusterRole."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t为指定的 Role 或者 ClusterRole 创建一个 RoleBinding."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a TLS secret from the given public/private key pair.\n"
+#~ "\n"
+#~ "\t\tThe public/private key pair must exist before hand. The public key "
+#~ "certificate must be .PEM encoded and match the given private key."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t为指定的 public/private key pair 创建一个 TLS secret.\n"
+#~ "\n"
+#~ "\t\tpublic/private key pair 必须在传递�存在. public key certificate 必须"
+#~ "以 .PEM 被编�且匹�指定的 private key."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a configmap based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single configmap may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a directory, each file whose "
+#~ "basename is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the configmap.  Any directory entries except regular "
+#~ "files are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a configmap based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single configmap may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a configmap based on a directory, each file whose "
+#~ "basename is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the configmap.  Any directory entries except regular "
+#~ "files are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a new secret for use with Docker registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets are used to authenticate against Docker registries.\n"
+#~ "\n"
+#~ "\t\tWhen using the Docker command line to push images, you can "
+#~ "authenticate to a given registry by running\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    That produces a ~/.dockercfg file that is used by subsequent 'docker "
+#~ "push' and 'docker pull' commands to\n"
+#~ "\t\tauthenticate to the registry. The email address is optional.\n"
+#~ "\n"
+#~ "\t\tWhen creating applications, you may have a Docker registry that "
+#~ "requires authentication.  In order for the\n"
+#~ "\t\tnodes to pull images on your behalf, they have to have the "
+#~ "credentials.  You can provide this information\n"
+#~ "\t\tby creating a dockercfg secret and attaching it to your service "
+#~ "account."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a new secret for use with Docker registries.\n"
+#~ "\n"
+#~ "\t\tDockercfg secrets are used to authenticate against Docker registries.\n"
+#~ "\n"
+#~ "\t\tWhen using the Docker command line to push images, you can "
+#~ "authenticate to a given registry by running\n"
+#~ "\n"
+#~ "\t\t    $ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --"
+#~ "password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.\n"
+#~ "\n"
+#~ "    That produces a ~/.dockercfg file that is used by subsequent 'docker "
+#~ "push' and 'docker pull' commands to\n"
+#~ "\t\tauthenticate to the registry. The email address is optional.\n"
+#~ "\n"
+#~ "\t\tWhen creating applications, you may have a Docker registry that "
+#~ "requires authentication.  In order for the\n"
+#~ "\t\tnodes to pull images on your behalf, they have to have the "
+#~ "credentials.  You can provide this information\n"
+#~ "\t\tby creating a dockercfg secret and attaching it to your service "
+#~ "account."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L49
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a pod disruption budget with the specified name, selector, and "
+#~ "desired minimum available pods"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a pod disruption budget with the specified name, selector, and "
+#~ "desired minimum available pods"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create.go#L56
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t通过文件�或者标准输入�(stdin)创建一个资�.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L47
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a resourcequota with the specified name, hard limits and "
+#~ "optional scopes"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a resourcequota with the specified name, hard limits and "
+#~ "optional scopes"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate a secret based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single secret may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a directory, each file whose basename "
+#~ "is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the secret.  Any directory entries except regular files "
+#~ "are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate a secret based on a file, directory, or specified literal "
+#~ "value.\n"
+#~ "\n"
+#~ "\t\tA single secret may package one or more key/value pairs.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a file, the key will default to the "
+#~ "basename of the file, and the value will\n"
+#~ "\t\tdefault to the file content.  If the basename is an invalid key, you "
+#~ "may specify an alternate key.\n"
+#~ "\n"
+#~ "\t\tWhen creating a secret based on a directory, each file whose basename "
+#~ "is a valid key in the directory will be\n"
+#~ "\t\tpackaged into the secret.  Any directory entries except regular files "
+#~ "are ignored (e.g. subdirectories,\n"
+#~ "\t\tsymlinks, devices, pipes, etc)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreate and run a particular image, possibly replicated.\n"
+#~ "\n"
+#~ "\t\tCreates a deployment or job to manage the created container(s)."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreate and run a particular image, possibly replicated.\n"
+#~ "\n"
+#~ "\t\tCreates a deployment or job to manage the created container(s)."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tCreates an autoscaler that automatically chooses and sets the number "
+#~ "of pods that run in a kubernetes cluster.\n"
+#~ "\n"
+#~ "\t\tLooks up a Deployment, ReplicaSet, or ReplicationController by name "
+#~ "and creates an autoscaler that uses the given resource as a reference.\n"
+#~ "\t\tAn autoscaler can automatically increase or decrease number of pods "
+#~ "deployed within the system as needed."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tCreates an autoscaler that automatically chooses and sets the number "
+#~ "of pods that run in a kubernetes cluster.\n"
+#~ "\n"
+#~ "\t\tLooks up a Deployment, ReplicaSet, or ReplicationController by name "
+#~ "and creates an autoscaler that uses the given resource as a reference.\n"
+#~ "\t\tAn autoscaler can automatically increase or decrease number of pods "
+#~ "deployed within the system as needed."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDelete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. Only one type of the arguments may "
+#~ "be specified: filenames,\n"
+#~ "\t\tresources and names, or resources and label selector.\n"
+#~ "\n"
+#~ "\t\tSome resources, such as pods, support graceful deletion. These "
+#~ "resources define a default period\n"
+#~ "\t\tbefore they are forcibly terminated (the grace period) but you may "
+#~ "override that value with\n"
+#~ "\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+#~ "Because these resources often\n"
+#~ "\t\trepresent entities in the cluster, deletion may not be acknowledged "
+#~ "immediately. If the node\n"
+#~ "\t\thosting a pod is down or cannot reach the API server, termination may "
+#~ "take significantly longer\n"
+#~ "\t\tthan the grace period. To force delete a resource,\tyou must pass a "
+#~ "grace\tperiod of 0 and specify\n"
+#~ "\t\tthe --force flag.\n"
+#~ "\n"
+#~ "\t\tIMPORTANT: Force deleting pods does not wait for confirmation that the "
+#~ "pod's processes have been\n"
+#~ "\t\tterminated, which can leave those processes running until the node "
+#~ "detects the deletion and\n"
+#~ "\t\tcompletes graceful deletion. If your processes use shared storage or "
+#~ "talk to a remote API and\n"
+#~ "\t\tdepend on the name of the pod to identify themselves, force deleting "
+#~ "those pods may result in\n"
+#~ "\t\tmultiple processes running on different machines using the same "
+#~ "identification which may lead\n"
+#~ "\t\tto data corruption or inconsistency. Only force delete pods when you "
+#~ "are sure the pod is\n"
+#~ "\t\tterminated, or if your application can tolerate multiple copies of the "
+#~ "same pod running at once.\n"
+#~ "\t\tAlso, if you force delete pods the scheduler may place new pods on "
+#~ "those nodes before the node\n"
+#~ "\t\thas released those resources and causing those pods to be evicted "
+#~ "immediately.\n"
+#~ "\n"
+#~ "\t\tNote that the delete command does NOT do resource version checks, so "
+#~ "if someone\n"
+#~ "\t\tsubmits an update to a resource right when you submit a delete, their "
+#~ "update\n"
+#~ "\t\twill be lost along with the rest of the resource."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDelete resources by filenames, stdin, resources and names, or by "
+#~ "resources and label selector.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. Only one type of the arguments may "
+#~ "be specified: filenames,\n"
+#~ "\t\tresources and names, or resources and label selector.\n"
+#~ "\n"
+#~ "\t\tSome resources, such as pods, support graceful deletion. These "
+#~ "resources define a default period\n"
+#~ "\t\tbefore they are forcibly terminated (the grace period) but you may "
+#~ "override that value with\n"
+#~ "\t\tthe --grace-period flag, or pass --now to set a grace-period of 1. "
+#~ "Because these resources often\n"
+#~ "\t\trepresent entities in the cluster, deletion may not be acknowledged "
+#~ "immediately. If the node\n"
+#~ "\t\thosting a pod is down or cannot reach the API server, termination may "
+#~ "take significantly longer\n"
+#~ "\t\tthan the grace period. To force delete a resource,\tyou must pass a "
+#~ "grace\tperiod of 0 and specify\n"
+#~ "\t\tthe --force flag.\n"
+#~ "\n"
+#~ "\t\tIMPORTANT: Force deleting pods does not wait for confirmation that the "
+#~ "pod's processes have been\n"
+#~ "\t\tterminated, which can leave those processes running until the node "
+#~ "detects the deletion and\n"
+#~ "\t\tcompletes graceful deletion. If your processes use shared storage or "
+#~ "talk to a remote API and\n"
+#~ "\t\tdepend on the name of the pod to identify themselves, force deleting "
+#~ "those pods may result in\n"
+#~ "\t\tmultiple processes running on different machines using the same "
+#~ "identification which may lead\n"
+#~ "\t\tto data corruption or inconsistency. Only force delete pods when you "
+#~ "are sure the pod is\n"
+#~ "\t\tterminated, or if your application can tolerate multiple copies of the "
+#~ "same pod running at once.\n"
+#~ "\t\tAlso, if you force delete pods the scheduler may place new pods on "
+#~ "those nodes before the node\n"
+#~ "\t\thas released those resources and causing those pods to be evicted "
+#~ "immediately.\n"
+#~ "\n"
+#~ "\t\tNote that the delete command does NOT do resource version checks, so "
+#~ "if someone\n"
+#~ "\t\tsubmits an update to a resource right when you submit a delete, their "
+#~ "update\n"
+#~ "\t\twill be lost along with the rest of the resource."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDeprecated: Gracefully shut down a resource by name or filename.\n"
+#~ "\n"
+#~ "\t\tThe stop command is deprecated, all its functionalities are covered by "
+#~ "delete command.\n"
+#~ "\t\tSee 'kubectl delete --help' for more details.\n"
+#~ "\n"
+#~ "\t\tAttempts to shut down and delete a resource that supports graceful "
+#~ "termination.\n"
+#~ "\t\tIf the resource is scalable it will be scaled to 0 before deletion."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tDeprecated: Gracefully shut down a resource by name or filename.\n"
+#~ "\n"
+#~ "\t\tThe stop command is deprecated, all its functionalities are covered by "
+#~ "delete command.\n"
+#~ "\t\tSee 'kubectl delete --help' for more details.\n"
+#~ "\n"
+#~ "\t\tAttempts to shut down and delete a resource that supports graceful "
+#~ "termination.\n"
+#~ "\t\tIf the resource is scalable it will be scaled to 0 before deletion."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of nodes.\n"
+#~ "\n"
+#~ "\t\tThe top-node command allows you to see the resource consumption of "
+#~ "nodes."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t显示 node 的资�(CPU/Memory/Storage)使用.\n"
+#~ "\n"
+#~ "\t\tThe top-node command allows you to see the resource consumption of "
+#~ "nodes."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage of pods.\n"
+#~ "\n"
+#~ "\t\tThe 'top pod' command allows you to see the resource consumption of "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+#~ "minutes\n"
+#~ "\t\tsince pod creation."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t显示 pods 资�(CPU/Memory/Storage)使用.\n"
+#~ "\n"
+#~ "\t\tThe 'top pod' command allows you to see the resource consumption of "
+#~ "pods.\n"
+#~ "\n"
+#~ "\t\tDue to the metrics pipeline delay, they may be unavailable for a few "
+#~ "minutes\n"
+#~ "\t\tsince pod creation."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDisplay Resource (CPU/Memory/Storage) usage.\n"
+#~ "\n"
+#~ "\t\tThe top command allows you to see the resource consumption for nodes "
+#~ "or pods.\n"
+#~ "\n"
+#~ "\t\tThis command requires Heapster to be correctly configured and working "
+#~ "on the server. "
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t显示资�(CPU/Memory/Storage)使用.\n"
+#~ "\n"
+#~ "\t\tThe top command allows you to see the resource consumption for nodes "
+#~ "or pods.\n"
+#~ "\n"
+#~ "\t\tThis command requires Heapster to be correctly configured and working "
+#~ "on the server. "
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tDrain node in preparation for maintenance.\n"
+#~ "\n"
+#~ "\t\tThe given node will be marked unschedulable to prevent new pods from "
+#~ "arriving.\n"
+#~ "\t\t'drain' evicts the pods if the APIServer supports eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Otherwise, it will use "
+#~ "normal DELETE\n"
+#~ "\t\tto delete the pods.\n"
+#~ "\t\tThe 'drain' evicts or deletes all pods except mirror pods (which "
+#~ "cannot be deleted through\n"
+#~ "\t\tthe API server).  If there are DaemonSet-managed pods, drain will not "
+#~ "proceed\n"
+#~ "\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+#~ "\t\tDaemonSet-managed pods, because those pods would be immediately "
+#~ "replaced by the\n"
+#~ "\t\tDaemonSet controller, which ignores unschedulable markings.  If there "
+#~ "are any\n"
+#~ "\t\tpods that are neither mirror pods nor managed by "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete "
+#~ "any pods unless you\n"
+#~ "\t\tuse --force.  --force will also allow deletion to proceed if the "
+#~ "managing resource of one\n"
+#~ "\t\tor more pods is missing.\n"
+#~ "\n"
+#~ "\t\t'drain' waits for graceful termination. You should not operate on the "
+#~ "machine until\n"
+#~ "\t\tthe command completes.\n"
+#~ "\n"
+#~ "\t\tWhen you are ready to put the node back into service, use kubectl "
+#~ "uncordon, which\n"
+#~ "\t\twill make the node schedulable again.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t清�节点为节点维护�准备.\n"
+#~ "\n"
+#~ "\t\tThe given node will be marked unschedulable to prevent new pods from "
+#~ "arriving.\n"
+#~ "\t\t'drain' evicts the pods if the APIServer supports eviction\n"
+#~ "\t\t(http://kubernetes.io/docs/admin/disruptions/). Otherwise, it will use "
+#~ "normal DELETE\n"
+#~ "\t\tto delete the pods.\n"
+#~ "\t\tThe 'drain' evicts or deletes all pods except mirror pods (which "
+#~ "cannot be deleted through\n"
+#~ "\t\tthe API server).  If there are DaemonSet-managed pods, drain will not "
+#~ "proceed\n"
+#~ "\t\twithout --ignore-daemonsets, and regardless it will not delete any\n"
+#~ "\t\tDaemonSet-managed pods, because those pods would be immediately "
+#~ "replaced by the\n"
+#~ "\t\tDaemonSet controller, which ignores unschedulable markings.  If there "
+#~ "are any\n"
+#~ "\t\tpods that are neither mirror pods nor managed by "
+#~ "ReplicationController,\n"
+#~ "\t\tReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete "
+#~ "any pods unless you\n"
+#~ "\t\tuse --force.  --force will also allow deletion to proceed if the "
+#~ "managing resource of one\n"
+#~ "\t\tor more pods is missing.\n"
+#~ "\n"
+#~ "\t\t'drain' waits for graceful termination. You should not operate on the "
+#~ "machine until\n"
+#~ "\t\tthe command completes.\n"
+#~ "\n"
+#~ "\t\tWhen you are ready to put the node back into service, use kubectl "
+#~ "uncordon, which\n"
+#~ "\t\twill make the node schedulable again.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_drain.svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tEdit a resource from the default editor.\n"
+#~ "\n"
+#~ "\t\tThe edit command allows you to directly edit any API resource you can "
+#~ "retrieve via the\n"
+#~ "\t\tcommand line tools. It will open the editor defined by your "
+#~ "KUBE_EDITOR, or EDITOR\n"
+#~ "\t\tenvironment variables, or fall back to 'vi' for Linux or 'notepad' for "
+#~ "Windows.\n"
+#~ "\t\tYou can edit multiple objects, although changes are applied one at a "
+#~ "time. The command\n"
+#~ "\t\taccepts filenames as well as command line arguments, although the "
+#~ "files you point to must\n"
+#~ "\t\tbe previously saved versions of resources.\n"
+#~ "\n"
+#~ "\t\tEditing is done with the API version used to fetch the resource.\n"
+#~ "\t\tTo edit using a specific API version, fully-qualify the resource, "
+#~ "version, and group.\n"
+#~ "\n"
+#~ "\t\tThe default format is YAML. To edit in JSON, specify \"-o json\".\n"
+#~ "\n"
+#~ "\t\tThe flag --windows-line-endings can be used to force Windows line "
+#~ "endings,\n"
+#~ "\t\totherwise the default for your operating system will be used.\n"
+#~ "\n"
+#~ "\t\tIn the event an error occurs while updating, a temporary file will be "
+#~ "created on disk\n"
+#~ "\t\tthat contains your unapplied changes. The most common error when "
+#~ "updating a resource\n"
+#~ "\t\tis another editor changing the resource on the server. When this "
+#~ "occurs, you will have\n"
+#~ "\t\tto apply your changes to the newer version of the resource, or update "
+#~ "your temporary\n"
+#~ "\t\tsaved copy to include the latest resource version."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t使用默认的编辑器修改资�.\n"
+#~ "\n"
+#~ "\t\tedit 命令�许你通过命令行直接修改 API 资�.\n"
+#~ "\t\t它会打开你在 KUBE_EDITOR 或者EDITOR 环境��中定义的编辑器\n"
+#~ "\t\t或者回滚到 Linux vi 编辑器或者 Windows notepad.\n"
+#~ "\t\t你�以修改多个对象, 虽然�次�能修改一次. 这个命令\n"
+#~ "\t\t�时也接�文件�作为命令行�数, 尽管这些文件你指出必须是\n"
+#~ "\t\t你之��存的资�版本.\n"
+#~ "\n"
+#~ "\t\tEditing 是通过用于获�资�的API版本完�的.\n"
+#~ "\t\t为了能通过指定的 API 版本修改, 请完全�定 resource, version 和 group.\n"
+#~ "\n"
+#~ "\t\t默认是 YAML 格�. 想在 JSON 中修改, 指定 \"-o json\".\n"
+#~ "\n"
+#~ "\t\t--windows-line-endings 命令行�数�以用�强制使用 Windows line "
+#~ "endings,\n"
+#~ "\t\t�则会使用你�作系统的默认值.\n"
+#~ "\n"
+#~ "\t\t如果更新时�生错误，将在�盘上创建一个临时文件\n"
+#~ "\t\t里�包�您未应用的更改. 更新资�时最常�的错误\n"
+#~ "\t\t是�一个编辑器也在�务器中修改这个资�. 当�生这�情况时, 你将\n"
+#~ "\t\t需�应用你的修改到资�的最新版本, 或者更新你被�存的临时文件\n"
+#~ "\t\t�制它并使用最新的版本."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+#~ "\t\tThe shell code must be evaluated to provide interactive\n"
+#~ "\t\tcompletion of kubectl commands.  This can be done by sourcing it from\n"
+#~ "\t\tthe .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNote: this requires the bash-completion framework, which is not "
+#~ "installed\n"
+#~ "\t\tby default on Mac.  This can be installed by using homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tOnce installed, bash_completion must be evaluated.  This can be done "
+#~ "by adding the\n"
+#~ "\t\tfollowing line to the .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNote for zsh users: [1] zsh completions are only supported in versions "
+#~ "of zsh >= 5.2"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tOutput shell completion code for the specified shell (bash or zsh).\n"
+#~ "\t\tThe shell code must be evaluated to provide interactive\n"
+#~ "\t\tcompletion of kubectl commands.  This can be done by sourcing it from\n"
+#~ "\t\tthe .bash_profile.\n"
+#~ "\n"
+#~ "\t\tNote: this requires the bash-completion framework, which is not "
+#~ "installed\n"
+#~ "\t\tby default on Mac.  This can be installed by using homebrew:\n"
+#~ "\n"
+#~ "\t\t    $ brew install bash-completion\n"
+#~ "\n"
+#~ "\t\tOnce installed, bash_completion must be evaluated.  This can be done "
+#~ "by adding the\n"
+#~ "\t\tfollowing line to the .bash_profile\n"
+#~ "\n"
+#~ "\t\t    $ source $(brew --prefix)/etc/bash_completion\n"
+#~ "\n"
+#~ "\t\tNote for zsh users: [1] zsh completions are only supported in versions "
+#~ "of zsh >= 5.2"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tPerform a rolling update of the given ReplicationController.\n"
+#~ "\n"
+#~ "\t\tReplaces the specified replication controller with a new replication "
+#~ "controller by updating one pod at a time to use the\n"
+#~ "\t\tnew PodTemplate. The new-controller.json must specify the same "
+#~ "namespace as the\n"
+#~ "\t\texisting replication controller and overwrite at least one (common) "
+#~ "label in its replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate.svg)"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t完�指定的 ReplicationController 的滚动�级.\n"
+#~ "\n"
+#~ "\t\tReplaces the specified replication controller with a new replication "
+#~ "controller by updating one pod at a time to use the\n"
+#~ "\t\tnew PodTemplate. The new-controller.json must specify the same "
+#~ "namespace as the\n"
+#~ "\t\texisting replication controller and overwrite at least one (common) "
+#~ "label in its replicaSelector.\n"
+#~ "\n"
+#~ "\t\t![Workflow](http://kubernetes.io/images/docs/kubectl_rollingupdate.svg)"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tReplace a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. If replacing an existing resource, "
+#~ "the\n"
+#~ "\t\tcomplete resource spec must be provided. This can be obtained by\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tReplace a resource by filename or stdin.\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted. If replacing an existing resource, "
+#~ "the\n"
+#~ "\t\tcomplete resource spec must be provided. This can be obtained by\n"
+#~ "\n"
+#~ "\t\t    $ kubectl get TYPE NAME -o yaml\n"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tSet a new size for a Deployment, ReplicaSet, Replication Controller, "
+#~ "or Job.\n"
+#~ "\n"
+#~ "\t\tScale also allows users to specify one or more preconditions for the "
+#~ "scale action.\n"
+#~ "\n"
+#~ "\t\tIf --current-replicas or --resource-version is specified, it is "
+#~ "validated before the\n"
+#~ "\t\tscale is attempted, and it is guaranteed that the precondition holds "
+#~ "true when the\n"
+#~ "\t\tscale is sent to the server."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tSet a new size for a Deployment, ReplicaSet, Replication Controller, "
+#~ "or Job.\n"
+#~ "\n"
+#~ "\t\tScale also allows users to specify one or more preconditions for the "
+#~ "scale action.\n"
+#~ "\n"
+#~ "\t\tIf --current-replicas or --resource-version is specified, it is "
+#~ "validated before the\n"
+#~ "\t\tscale is attempted, and it is guaranteed that the precondition holds "
+#~ "true when the\n"
+#~ "\t\tscale is sent to the server."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tTo proxy all of the kubernetes api and nothing else, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tTo proxy only part of the kubernetes api and also some static files:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/api/v1/pods'.\n"
+#~ "\n"
+#~ "\t\tTo proxy the entire kubernetes api at a different root, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/custom/api/v1/pods'"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tTo proxy all of the kubernetes api and nothing else, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/\n"
+#~ "\n"
+#~ "\t\tTo proxy only part of the kubernetes api and also some static files:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-"
+#~ "prefix=/api/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/api/v1/pods'.\n"
+#~ "\n"
+#~ "\t\tTo proxy the entire kubernetes api at a different root, use:\n"
+#~ "\n"
+#~ "\t\t    $ kubectl proxy --api-prefix=/custom/\n"
+#~ "\n"
+#~ "\t\tThe above lets you 'curl localhost:8001/custom/api/v1/pods'"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate field(s) of a resource using strategic merge patch\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tUpdate field(s) of a resource using strategic merge patch\n"
+#~ "\n"
+#~ "\t\tJSON and YAML formats are accepted.\n"
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate the labels on a resource.\n"
+#~ "\n"
+#~ "\t\t* A label must begin with a letter or number, and may contain letters, "
+#~ "numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+#~ "\t\t* If --overwrite is true, then existing labels can be overwritten, "
+#~ "otherwise attempting to overwrite a label will result in an error.\n"
+#~ "\t\t* If --resource-version is specified, then updates will use this "
+#~ "resource version, otherwise the existing resource-version will be used."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tUpdate the labels on a resource.\n"
+#~ "\n"
+#~ "\t\t* A label must begin with a letter or number, and may contain letters, "
+#~ "numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+#~ "\t\t* If --overwrite is true, then existing labels can be overwritten, "
+#~ "otherwise attempting to overwrite a label will result in an error.\n"
+#~ "\t\t* If --resource-version is specified, then updates will use this "
+#~ "resource version, otherwise the existing resource-version will be used."
+
+#, c-format
+#~ msgid ""
+#~ "\n"
+#~ "\t\tUpdate the taints on one or more nodes.\n"
+#~ "\n"
+#~ "\t\t* A taint consists of a key, value, and effect. As an argument here, "
+#~ "it is expressed as key=value:effect.\n"
+#~ "\t\t* The key must begin with a letter or number, and may contain letters, "
+#~ "numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+#~ "\t\t* The value must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[2]d characters.\n"
+#~ "\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+#~ "\t\t* Currently taint can only apply to node."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\t更新一个或者多个 node 上的 taints.\n"
+#~ "\n"
+#~ "\t\t* A taint consists of a key, value, and effect. As an argument here, "
+#~ "it is expressed as key=value:effect.\n"
+#~ "\t\t* The key must begin with a letter or number, and may contain letters, "
+#~ "numbers, hyphens, dots, and underscores, up to %[1]d characters.\n"
+#~ "\t\t* The value must begin with a letter or number, and may contain "
+#~ "letters, numbers, hyphens, dots, and underscores, up to %[2]d characters.\n"
+#~ "\t\t* The effect must be NoSchedule, PreferNoSchedule or NoExecute.\n"
+#~ "\t\t* Currently taint can only apply to node."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t\tView the latest last-applied-configuration annotations by type/name or "
+#~ "file.\n"
+#~ "\n"
+#~ "\t\tThe default output will be printed to stdout in YAML format. One can "
+#~ "use -o option\n"
+#~ "\t\tto change output format."
+#~ msgstr ""
+#~ "\n"
+#~ "\t\tView the latest last-applied-configuration annotations by type/name or "
+#~ "file.\n"
+#~ "\n"
+#~ "\t\tThe default output will be printed to stdout in YAML format. One can "
+#~ "use -o option\n"
+#~ "\t\tto change output format."
+
+#~ msgid ""
+#~ "\n"
+#~ "\t    # !!!Important Note!!!\n"
+#~ "\t    # Requires that the 'tar' binary is present in your container\n"
+#~ "\t    # image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+#~ "\n"
+#~ "\t    # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod "
+#~ "in the default namespace\n"
+#~ "\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+#~ "\n"
+#~ "        # Copy /tmp/foo local file to /tmp/bar in a remote pod in a "
+#~ "specific container\n"
+#~ "\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace "
+#~ "<some-namespace>\n"
+#~ "\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+#~ "\n"
+#~ "\t\t# Copy /tmp/foo from a remote pod to /tmp/bar locally\n"
+#~ "\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+#~ msgstr ""
+#~ "\n"
+#~ "\t    # !!!注�!!!\n"
+#~ "\t    # �求容器中有 'tar' 命令\n"
+#~ "\t    # image.  If 'tar' is not present, 'kubectl cp' will fail.\n"
+#~ "\n"
+#~ "\t    # �制本地目录 /tmp/foo_dir 到 default namespace 下的远程 pod 的 /"
+#~ "tmp/bar_dir 路径 \n"
+#~ "\t\tkubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir\n"
+#~ "\n"
+#~ "        # �制 /tmp/foo local 本地文件到指定远程 pod 的指定容器的 /tmp/bar "
+#~ "路径\n"
+#~ "\t\tkubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>\n"
+#~ "\n"
+#~ "\t\t# �制 /tmp/foo 本地文件到在 namespace <some-namespace> 下的�个 pod "
+#~ "的 /tmp/bar 路径\n"
+#~ "\t\tkubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar\n"
+#~ "\n"
+#~ "\t\t# 从一个远程的 pod 的 /tmp/foo 路径�制到本地 /tmp/bar 路径\n"
+#~ "\t\tkubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new TLS secret named tls-secret with the given key pair:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # 使用�供的 key pair �称为tls-secret 的 secret:\n"
+#~ "\t  kubectl create secret tls tls-secret --cert=path/to/tls.cert --"
+#~ "key=path/to/tls.key"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with keys for each file in "
+#~ "folder bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with specified keys instead of "
+#~ "names on disk\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with key1=supersecret and "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+#~ msgstr ""
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with keys for each file in "
+#~ "folder bar\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=path/to/bar\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with specified keys instead of "
+#~ "names on disk\n"
+#~ "\t  kubectl create secret generic my-secret --from-file=ssh-privatekey=~/."
+#~ "ssh/id_rsa --from-file=ssh-publickey=~/.ssh/id_rsa.pub\n"
+#~ "\n"
+#~ "\t  # Create a new secret named my-secret with key1=supersecret and "
+#~ "key2=topsecret\n"
+#~ "\t  kubectl create secret generic my-secret --from-"
+#~ "literal=key1=supersecret --from-literal=key2=topsecret"
+
+#~ msgid ""
+#~ "\n"
+#~ "\t# Create a new ExternalName service named my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+#~ msgstr ""
+#~ "\n"
+#~ "\t# Create a new ExternalName service named my-ns \n"
+#~ "\tkubectl create service externalname my-ns --external-name bar.com"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # Create a new clusterIP service named my-cs (in headless mode)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+#~ msgstr ""
+#~ "\n"
+#~ "    # 创建一个�称为 my-cs 的 clusterIP service\n"
+#~ "    kubectl create service clusterip my-cs --tcp=5678:8080\n"
+#~ "\n"
+#~ "    # 创建一个�称为 my-cs 的 clusterIP service (在 headless 模�)\n"
+#~ "    kubectl create service clusterip my-cs --clusterip=\"None\""
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new deployment named my-dep that runs the busybox image.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+#~ msgstr ""
+#~ "\n"
+#~ "    # 创建一个�称为 my-dep 的 deployment 并�行 busybox image.\n"
+#~ "    kubectl create deployment my-dep --image=busybox"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Create a new nodeport service named my-ns\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+#~ msgstr ""
+#~ "\n"
+#~ "    # 创建一个�称为 my-ns 的 nodeport service\n"
+#~ "    kubectl create service nodeport my-ns --tcp=5678:8080"
+
+#~ msgid ""
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value 'my "
+#~ "frontend'.\n"
+#~ "    # If the same annotation is set multiple times, only the last value "
+#~ "will be applied\n"
+#~ "    kubectl annotate pods foo description='my frontend'\n"
+#~ "\n"
+#~ "    # Update a pod identified by type and name in \"pod.json\"\n"
+#~ "    kubectl annotate -f pod.json description='my frontend'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value 'my "
+#~ "frontend running nginx', overwriting any existing value.\n"
+#~ "    kubectl annotate --overwrite pods foo description='my frontend running "
+#~ "nginx'\n"
+#~ "\n"
+#~ "    # Update all pods in the namespace\n"
+#~ "    kubectl annotate pods --all description='my frontend running nginx'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "    kubectl annotate pods foo description='my frontend running nginx' --"
+#~ "resource-version=1\n"
+#~ "\n"
+#~ "    # Update pod 'foo' by removing an annotation named 'description' if it "
+#~ "exists.\n"
+#~ "    # Does not require the --overwrite flag.\n"
+#~ "    kubectl annotate pods foo description-"
+#~ msgstr ""
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value 'my "
+#~ "frontend'.\n"
+#~ "    # If the same annotation is set multiple times, only the last value "
+#~ "will be applied\n"
+#~ "    kubectl annotate pods foo description='my frontend'\n"
+#~ "\n"
+#~ "    # Update a pod identified by type and name in \"pod.json\"\n"
+#~ "    kubectl annotate -f pod.json description='my frontend'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' with the annotation 'description' and the value 'my "
+#~ "frontend running nginx', overwriting any existing value.\n"
+#~ "    kubectl annotate --overwrite pods foo description='my frontend running "
+#~ "nginx'\n"
+#~ "\n"
+#~ "    # Update all pods in the namespace\n"
+#~ "    kubectl annotate pods --all description='my frontend running nginx'\n"
+#~ "\n"
+#~ "    # Update pod 'foo' only if the resource is unchanged from version 1.\n"
+#~ "    kubectl annotate pods foo description='my frontend running nginx' --"
+#~ "resource-version=1\n"
+#~ "\n"
+#~ "    # 更新�称为 'foo' 的 pod, 删除一个�称为 'description' 的 annotation "
+#~ "如果它存在. \n"
+#~ "    # ��求使用 --overwrite flag.\n"
+#~ "    kubectl annotate pods foo description-"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_serviceaccount.go#L44
+#~ msgid ""
+#~ "\n"
+#~ "    Create a clusterIP service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    使用一个指定的�称创建一个 clusterIP service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_deployment.go#L44
+#~ msgid ""
+#~ "\n"
+#~ "    Create a deployment with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    使用一个指定的�称创建一个 deployment."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_deployment.go#L44
+#~ msgid ""
+#~ "\n"
+#~ "    Create a nodeport service with the specified name."
+#~ msgstr ""
+#~ "\n"
+#~ "    使用一个指定的�称创建一个 nodeport service."
+
+#~ msgid ""
+#~ "\n"
+#~ "    Dumps cluster info out suitable for debugging and diagnosing cluster "
+#~ "problems.  By default, dumps everything to\n"
+#~ "    stdout. You can optionally specify a directory with --output-"
+#~ "directory.  If you specify a directory, kubernetes will\n"
+#~ "    build a set of files in that directory.  By default only dumps things "
+#~ "in the 'kube-system' namespace, but you can\n"
+#~ "    switch to a different namespace with the --namespaces flag, or specify "
+#~ "--all-namespaces to dump all namespaces.\n"
+#~ "\n"
+#~ "    The command also dumps the logs of all of the pods in the cluster, "
+#~ "these logs are dumped into different directories\n"
+#~ "    based on namespace and pod name."
+#~ msgstr ""
+#~ "\n"
+#~ "    Dumps cluster info out suitable for debugging and diagnosing cluster "
+#~ "problems.  By default, dumps everything to\n"
+#~ "    stdout. You can optionally specify a directory with --output-"
+#~ "directory.  If you specify a directory, kubernetes will\n"
+#~ "    build a set of files in that directory.  By default only dumps things "
+#~ "in the 'kube-system' namespace, but you can\n"
+#~ "    switch to a different namespace with the --namespaces flag, or specify "
+#~ "--all-namespaces to dump all namespaces.\n"
+#~ "\n"
+#~ "    The command also dumps the logs of all of the pods in the cluster, "
+#~ "these logs are dumped into different directories\n"
+#~ "    based on namespace and pod name."
+
+#~ msgid ""
+#~ "\n"
+#~ "  Display addresses of the master and services with label kubernetes.io/"
+#~ "cluster-service=true\n"
+#~ "  To further debug and diagnose cluster problems, use 'kubectl cluster-"
+#~ "info dump'."
+#~ msgstr ""
+#~ "\n"
+#~ "  Display addresses of the master and services with label kubernetes.io/"
+#~ "cluster-service=true\n"
+#~ "  To further debug and diagnose cluster problems, use 'kubectl cluster-"
+#~ "info dump'."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L136
+#~ msgid "A schedule in the Cron format the job should be run with."
+#~ msgstr "A schedule in the Cron format the job should be run with."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L134
+#~ msgid ""
+#~ "An inline JSON override for the generated service object. If this is non-"
+#~ "empty, it is used to override the generated object. Requires that the "
+#~ "object supply a valid apiVersion field.  Only used if --expose is true."
+#~ msgstr ""
+#~ "An inline JSON override for the generated service object. If this is non-"
+#~ "empty, it is used to override the generated object. Requires that the "
+#~ "object supply a valid apiVersion field.  Only used if --expose is true."
+
+#~ msgid "Apply a configuration to a resource by filename or stdin"
+#~ msgstr "通过文件�或标准输入�(stdin)对资�进行�置"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/autoscale.go#L55
+#~ msgid "Auto-scale a Deployment, ReplicaSet, or ReplicationController"
+#~ msgstr ""
+#~ "自动调整一个 Deployment, ReplicaSet, 或者 ReplicationController 的副本数�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L101
+#~ msgid ""
+#~ "Container name which will have its image upgraded. Only relevant when --"
+#~ "image is specified, ignored otherwise. Required when using --image on a "
+#~ "multi-container pod"
+#~ msgstr ""
+#~ "Container name which will have its image upgraded. Only relevant when --"
+#~ "image is specified, ignored otherwise. Required when using --image on a "
+#~ "multi-container pod"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_clusterrolebinding.go#L43
+#~ msgid "Create a ClusterRoleBinding for a particular ClusterRole"
+#~ msgstr "为一个指定的 ClusterRole 创建一个 ClusterRoleBinding"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L181
+#~ msgid "Create a LoadBalancer service."
+#~ msgstr "创建一个 LoadBalancer service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L124
+#~ msgid "Create a NodePort service."
+#~ msgstr "创建一个 NodePort service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_rolebinding.go#L43
+#~ msgid "Create a RoleBinding for a particular Role or ClusterRole"
+#~ msgstr "为一个指定的 Role 或者 ClusterRole创建一个 RoleBinding"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L68
+#~ msgid "Create a clusterIP service."
+#~ msgstr "创建一个 clusterIP service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_configmap.go#L59
+#~ msgid "Create a configmap from a local file, directory or literal value"
+#~ msgstr "从本地 file, directory 或者 literal value 创建一个 configmap"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_deployment.go#L44
+#~ msgid "Create a deployment with the specified name."
+#~ msgstr "创建一个指定�称的 deployment."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_pdb.go#L49
+#~ msgid "Create a pod disruption budget with the specified name."
+#~ msgstr "创建一个指定�称的 pod disruption budget."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_quota.go#L47
+#~ msgid "Create a quota with the specified name."
+#~ msgstr "创建一个指定�称的 quota."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create.go#L56
+#~ msgid "Create a resource by filename or stdin"
+#~ msgstr "通过文件�或者标准输入�(stdin)创建一个资�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_secret.go#L73
+#~ msgid "Create a secret from a local file, directory or literal value"
+#~ msgstr "从本地 file, directory 或者 literal value 创建一个 secret"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L36
+#~ msgid "Create a service using specified subcommand."
+#~ msgstr "使用指定的 subcommand 创建一个 service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L240
+#~ msgid "Create an ExternalName service."
+#~ msgstr "Create an ExternalName service."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/delete.go#L130
+#~ msgid ""
+#~ "Delete resources by filenames, stdin, resources and names, or by resources "
+#~ "and label selector"
+#~ msgstr ""
+#~ "Delete resources by filenames, stdin, resources and names, or by resources "
+#~ "and label selector"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/stop.go#L58
+#~ msgid "Deprecated: Gracefully shut down a resource by name or filename"
+#~ msgstr "Deprecated: Gracefully shut down a resource by name or filename"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/top_node.go#L77
+#~ msgid "Display Resource (CPU/Memory) usage of nodes"
+#~ msgstr "显示 nodes 的 Resource (CPU/Memory) 使用"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/top_pod.go#L79
+#~ msgid "Display Resource (CPU/Memory) usage of pods"
+#~ msgstr "显示 pods 的 Resource (CPU/Memory) 使用"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/top.go#L43
+#~ msgid "Display Resource (CPU/Memory) usage."
+#~ msgstr "显示 Resource (CPU/Memory) 使用."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/clusterinfo.go#L49
+#~ msgid "Display cluster info"
+#~ msgstr "显示集群信�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/current_context.go#L48
+#~ msgid "Displays the current-context"
+#~ msgstr "显示当�的 context"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/explain.go#L50
+#~ msgid "Documentation of resources"
+#~ msgstr "查看资�的文档"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/clusterinfo_dump.go#L37
+#~ msgid "Dump lots of relevant info for debugging and diagnosis"
+#~ msgstr "Dump lots of relevant info for debugging and diagnosis"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L102
+#~ msgid ""
+#~ "Explicit policy for when to pull container images. Required when --image "
+#~ "is same as existing image, ignored otherwise."
+#~ msgstr ""
+#~ "Explicit policy for when to pull container images. Required when --image "
+#~ "is same as existing image, ignored otherwise."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L105
+#~ msgid ""
+#~ "IP to assign to the Load Balancer. If empty, an ephemeral IP will be "
+#~ "created and used (cloud-provider specific)."
+#~ msgstr ""
+#~ "IP to assign to the Load Balancer. If empty, an ephemeral IP will be "
+#~ "created and used (cloud-provider specific)."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L98
+#~ msgid ""
+#~ "Image to use for upgrading the replication controller. Must be distinct "
+#~ "from the existing image (either new image or new image tag).  Can not be "
+#~ "used with --filename/-f"
+#~ msgstr ""
+#~ "Image to use for upgrading the replication controller. Must be distinct "
+#~ "from the existing image (either new image or new image tag).  Can not be "
+#~ "used with --filename/-f"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollout/rollout.go#L46
+#~ msgid "Manage a deployment rollout"
+#~ msgstr "管�一个 deployment 的 rollout"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/edit.go#L115
+#~ msgid ""
+#~ "Output the formatted object with the given group version (for ex: "
+#~ "'extensions/v1beta1').)"
+#~ msgstr ""
+#~ "Output the formatted object with the given group version (for ex: "
+#~ "'extensions/v1beta1').)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L84
+#~ msgid "Perform a rolling update of the given ReplicationController"
+#~ msgstr "完�指定的 ReplicationController 的滚动�级"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/replace.go#L70
+#~ msgid "Replace a resource by filename or stdin"
+#~ msgstr "通过 filename 或者 stdin替�一个资�"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/scale.go#L71
+#~ msgid ""
+#~ "Set a new size for a Deployment, ReplicaSet, Replication Controller, or Job"
+#~ msgstr ""
+#~ "为 Deployment, ReplicaSet, Replication Controller 或者 Job 设置一个新的副本"
+#~ "数�"
+
+#~ msgid ""
+#~ "Set the last-applied-configuration annotation on a live object to match "
+#~ "the contents of a file."
+#~ msgstr ""
+#~ "Set the last-applied-configuration annotation on a live object to match "
+#~ "the contents of a file."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_cluster.go#L67
+#~ msgid "Sets a cluster entry in kubeconfig"
+#~ msgstr "设置 kubeconfig 文件中的一个集群�目"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_context.go#L57
+#~ msgid "Sets a context entry in kubeconfig"
+#~ msgstr "设置 kubeconfig 文件中的一个 context �目"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/create_authinfo.go#L103
+#~ msgid "Sets a user entry in kubeconfig"
+#~ msgstr "设置 kubeconfig 文件中的一个用户�目"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/set.go#L59
+#~ msgid "Sets an individual value in a kubeconfig file"
+#~ msgstr "设置 kubeconfig 文件中的一个�个值"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/use_context.go#L48
+#~ msgid "Sets the current-context in a kubeconfig file"
+#~ msgstr "设置 kubeconfig 文件中的当�上下文"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L87
+#~ msgid ""
+#~ "Take a replication controller, service, deployment or pod and expose it as "
+#~ "a new Kubernetes Service"
+#~ msgstr ""
+#~ "使用 replication controller, service, deployment 或者 pod 并暴露它作为一个 "
+#~ "æ–°çš„ Kubernetes Service"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/rollingupdate.go#L100
+#~ msgid ""
+#~ "The key to use to differentiate between two different controllers, default "
+#~ "'deployment'.  Only relevant when --image is specified, ignored otherwise"
+#~ msgstr ""
+#~ "这个 key 使用有区别在两个��的 controllers, 默认 'deployment'. �有当 --"
+#~ "image 指定值, �则忽略"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L113
+#~ msgid ""
+#~ "The name of the API generator to use, see http://kubernetes.io/docs/user-"
+#~ "guide/kubectl-conventions/#generators for a list."
+#~ msgstr ""
+#~ "使用 API generator 的�字, 在 http://kubernetes.io/docs/user-guide/kubectl-"
+#~ "conventions/#generators 查看列表."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/autoscale.go#L66
+#~ msgid ""
+#~ "The name of the API generator to use. Currently there is only 1 generator."
+#~ msgstr "使用 API generator 的�字. 目��有 1 个 generator."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L133
+#~ msgid ""
+#~ "The name of the generator to use for creating a service.  Only used if --"
+#~ "expose is true"
+#~ msgstr ""
+#~ "使用 gnerator 的�称创建一个 service.  �有在 --expose 为 true 的时候使用"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L121
+#~ msgid ""
+#~ "The port that this container exposes.  If --expose is true, this is also "
+#~ "the port used by the service that is created."
+#~ msgstr ""
+#~ "The port that this container exposes.  If --expose is true, this is also "
+#~ "the port used by the service that is created."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/run.go#L128
+#~ msgid ""
+#~ "The restart policy for this Pod.  Legal values [Always, OnFailure, "
+#~ "Never].  If set to 'Always' a deployment is created, if set to 'OnFailure' "
+#~ "a job is created, if set to 'Never', a regular pod is created. For the "
+#~ "latter two --replicas must be 1.  Default 'Always', for CronJobs `Never`."
+#~ msgstr ""
+#~ "这个 Pod 的 restart policy.  Legal values [Always, OnFailure, Never]. 如果"
+#~ "设置为 'Always' 一个 deployment 被创建, 如果设置为 ’OnFailure' 一个 job 被"
+#~ "创建, 如果设置为 'Never', 一个普通的 pod 被创建. 对于��两个 --replicas 必"
+#~ "须为 1.  默认 'Always', 为 CronJobs 设置为 `Never`."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/expose.go#L101
+#~ msgid ""
+#~ "Type for this service: ClusterIP, NodePort, or LoadBalancer. Default is "
+#~ "'ClusterIP'."
+#~ msgstr ""
+#~ "对于�务的类型: ClusterIP, NodePort, 或者 LoadBalancer. 默认是 'ClusterIP’."
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/config/unset.go#L47
+#~ msgid "Unsets an individual value in a kubeconfig file"
+#~ msgstr "�消设置 kubeconfig 文件中的一个�个值"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/patch.go#L91
+#~ msgid "Update field(s) of a resource using strategic merge patch"
+#~ msgstr "使用 strategic merge patch 更新一个资�的 field(s)"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/set/set_image.go#L94
+#~ msgid "Update image of a pod template"
+#~ msgstr "更新一个 pod template 的镜�"
+
+#~ msgid ""
+#~ "View latest last-applied-configuration annotations of a resource/object"
+#~ msgstr "显示最�的 resource/object 的 last-applied-configuration annotations"
+
+# https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_service.go#L253
+#~ msgid "external name of service"
+#~ msgstr "�务的外部�称"
+
+#~ msgid ""
+#~ "watch is only supported on individual resources and resource collections - "
+#~ "%d resources were found"
+#~ msgid_plural ""
+#~ "watch is only supported on individual resources and resource collections - "
+#~ "%d resources were found"
+#~ msgstr[0] ""
+#~ "watch 仅支��独的资�或者资�集� - 找到了 %d 个资�watch is only "
+#~ "supported on individual resources and resource collections - %d resource "
+#~ "was found"
+#~ msgstr[1] ""
+#~ "watch 仅支��独的资�或者资�集� - 找到了 %d 个资�watch is only "
+#~ "supported on individual resources and resource collections - %d resources "
+#~ "were found"
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_TW/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_TW/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..9be9a30d32
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_TW/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_TW/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_TW/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..58fd63a9ff
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/kubectl/zh_TW/LC_MESSAGES/k8s.po
@@ -0,0 +1,81 @@
+# Test translations for unit tests.
+# Copyright (C) 2017
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR warmchang@outlook.com, 2017.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: hello-world\n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2021-07-07 20:15+0200\n"
+"PO-Revision-Date: 2017-06-02 09:13+0800\n"
+"Last-Translator: William Chang <warmchang@outlook.com>\n"
+"Language-Team: \n"
+"Language: zh\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 2.0.2\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_cluster.go:42
+msgid "Delete the specified cluster from the kubeconfig"
+msgstr "刪除 kubeconfig 檔案中指定的�集(cluster)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/delete_context.go:42
+msgid "Delete the specified context from the kubeconfig"
+msgstr "刪除 kubeconfig 檔案中指定的 context"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_contexts.go:72
+msgid "Describe one or many contexts"
+msgstr "�述一個或多個 context"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/get_clusters.go:41
+msgid "Display clusters defined in the kubeconfig"
+msgstr "顯示 kubeconfig 檔案中定義的�集(cluster)"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/view.go:81
+msgid "Display merged kubeconfig settings or a specified kubeconfig file"
+msgstr "顯示�併的 kubeconfig �置或一個指定的 kubeconfig 檔案"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/config/config.go:42
+msgid "Modify kubeconfig files"
+msgstr "修改 kubeconfig 檔案"
+
+#: staging/src/k8s.io/kubectl/pkg/cmd/annotate/annotate.go:135
+msgid "Update the annotations on a resource"
+msgstr "更新一個資�的注解(annotations)"
+
+#~ msgid "Apply a configuration to a resource by filename or stdin"
+#~ msgstr "通�檔案�或標準輸入�(stdin)�資�進行�置"
+
+#~ msgid "Displays the current-context"
+#~ msgstr "顯示目�的 context"
+
+#~ msgid "Sets a cluster entry in kubeconfig"
+#~ msgstr "設置 kubeconfig 檔案中的一個�集(cluster)�目"
+
+#~ msgid "Sets a context entry in kubeconfig"
+#~ msgstr "設置 kubeconfig 檔案中的一個 context �目"
+
+#~ msgid "Sets a user entry in kubeconfig"
+#~ msgstr "設置 kubeconfig 檔案中的一個使用者�目"
+
+#~ msgid "Sets an individual value in a kubeconfig file"
+#~ msgstr "設置 kubeconfig 檔案中的一個值"
+
+#~ msgid "Sets the current-context in a kubeconfig file"
+#~ msgstr "設置 kubeconfig 檔案中的目� context"
+
+#~ msgid "Unsets an individual value in a kubeconfig file"
+#~ msgstr "�消設置 kubeconfig 檔案中的一個值"
+
+#~ msgid ""
+#~ "watch is only supported on individual resources and resource collections "
+#~ "- %d resources were found"
+#~ msgid_plural ""
+#~ "watch is only supported on individual resources and resource collections "
+#~ "- %d resources were found"
+#~ msgstr[0] "一次�能 watch 一個資�或資料集� - 找到了 %d 個資�"
+#~ msgstr[1] "一次�能 watch 一個資�或資料集� - 找到了 %d 個資�"
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/default/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/default/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..5487fb8ccf
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/default/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/default/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/default/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..7e77c43009
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/default/LC_MESSAGES/k8s.po
@@ -0,0 +1,28 @@
+# Test translations for unit tests.
+# Copyright (C) 2016
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR brendan.d.burns@gmail.com, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gettext-go-examples-hello\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2013-12-12 20:03+0000\n"
+"PO-Revision-Date: 2016-12-13 21:35-0800\n"
+"Last-Translator: Brendan Burns <brendan.d.burns@gmail.com>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.6.10\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+"Language-Team: \n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"Language: en\n"
+
+msgid "test_plural"
+msgid_plural "test_plural"
+msgstr[0] "there was %d item"
+msgstr[1] "there were %d items"
+
+msgid "test_string"
+msgstr "foo"
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/en_US/LC_MESSAGES/k8s.mo b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/en_US/LC_MESSAGES/k8s.mo
new file mode 100644
index 0000000000..44fe7b5d96
Binary files /dev/null and b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/en_US/LC_MESSAGES/k8s.mo differ
diff --git a/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/en_US/LC_MESSAGES/k8s.po b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/en_US/LC_MESSAGES/k8s.po
new file mode 100644
index 0000000000..9944046aeb
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/i18n/translations/test/en_US/LC_MESSAGES/k8s.po
@@ -0,0 +1,28 @@
+# Test translations for unit tests.
+# Copyright (C) 2016
+# This file is distributed under the same license as the Kubernetes package.
+# FIRST AUTHOR brendan.d.burns@gmail.com, 2016.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: gettext-go-examples-hello\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2013-12-12 20:03+0000\n"
+"PO-Revision-Date: 2016-12-13 22:12-0800\n"
+"Last-Translator: Brendan Burns <brendan.d.burns@gmail.com>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.6.10\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+"Language-Team: \n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"Language: en\n"
+
+msgid "test_plural"
+msgid_plural "test_plural"
+msgstr[0] "there was %d item"
+msgstr[1] "there were %d items"
+
+msgid "test_string"
+msgstr "baz"
diff --git a/vendor/k8s.io/kubectl/pkg/util/interrupt/interrupt.go b/vendor/k8s.io/kubectl/pkg/util/interrupt/interrupt.go
new file mode 100644
index 0000000000..0265b9fb17
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/interrupt/interrupt.go
@@ -0,0 +1,104 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package interrupt
+
+import (
+	"os"
+	"os/signal"
+	"sync"
+	"syscall"
+)
+
+// terminationSignals are signals that cause the program to exit in the
+// supported platforms (linux, darwin, windows).
+var terminationSignals = []os.Signal{syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT}
+
+// Handler guarantees execution of notifications after a critical section (the function passed
+// to a Run method), even in the presence of process termination. It guarantees exactly once
+// invocation of the provided notify functions.
+type Handler struct {
+	notify []func()
+	final  func(os.Signal)
+	once   sync.Once
+}
+
+// Chain creates a new handler that invokes all notify functions when the critical section exits
+// and then invokes the optional handler's notifications. This allows critical sections to be
+// nested without losing exactly once invocations. Notify functions can invoke any cleanup needed
+// but should not exit (which is the responsibility of the parent handler).
+func Chain(handler *Handler, notify ...func()) *Handler {
+	if handler == nil {
+		return New(nil, notify...)
+	}
+	return New(handler.Signal, append(notify, handler.Close)...)
+}
+
+// New creates a new handler that guarantees all notify functions are run after the critical
+// section exits (or is interrupted by the OS), then invokes the final handler. If no final
+// handler is specified, the default final is `os.Exit(1)`. A handler can only be used for
+// one critical section.
+func New(final func(os.Signal), notify ...func()) *Handler {
+	return &Handler{
+		final:  final,
+		notify: notify,
+	}
+}
+
+// Close executes all the notification handlers if they have not yet been executed.
+func (h *Handler) Close() {
+	h.once.Do(func() {
+		for _, fn := range h.notify {
+			fn()
+		}
+	})
+}
+
+// Signal is called when an os.Signal is received, and guarantees that all notifications
+// are executed, then the final handler is executed. This function should only be called once
+// per Handler instance.
+func (h *Handler) Signal(s os.Signal) {
+	h.once.Do(func() {
+		for _, fn := range h.notify {
+			fn()
+		}
+		if h.final == nil {
+			os.Exit(1)
+		}
+		h.final(s)
+	})
+}
+
+// Run ensures that any notifications are invoked after the provided fn exits (even if the
+// process is interrupted by an OS termination signal). Notifications are only invoked once
+// per Handler instance, so calling Run more than once will not behave as the user expects.
+func (h *Handler) Run(fn func() error) error {
+	ch := make(chan os.Signal, 1)
+	signal.Notify(ch, terminationSignals...)
+	defer func() {
+		signal.Stop(ch)
+		close(ch)
+	}()
+	go func() {
+		sig, ok := <-ch
+		if !ok {
+			return
+		}
+		h.Signal(sig)
+	}()
+	defer h.Close()
+	return fn()
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/openapi/OWNERS b/vendor/k8s.io/kubectl/pkg/util/openapi/OWNERS
new file mode 100644
index 0000000000..cb873612b1
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/openapi/OWNERS
@@ -0,0 +1,6 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - apelisse
+reviewers:
+  - apelisse
diff --git a/vendor/k8s.io/kubectl/pkg/util/openapi/doc.go b/vendor/k8s.io/kubectl/pkg/util/openapi/doc.go
new file mode 100644
index 0000000000..56b393a1eb
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/openapi/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package openapi is a collection of libraries for fetching the openapi spec
+// from a Kubernetes server and then indexing the type definitions.
+// The openapi spec contains the object model definitions and extensions metadata
+// such as the patchStrategy and patchMergeKey for creating patches.
+package openapi
diff --git a/vendor/k8s.io/kubectl/pkg/util/openapi/openapi.go b/vendor/k8s.io/kubectl/pkg/util/openapi/openapi.go
new file mode 100644
index 0000000000..74955da367
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/openapi/openapi.go
@@ -0,0 +1,177 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openapi
+
+import (
+	openapi_v2 "github.com/google/gnostic-models/openapiv2"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kube-openapi/pkg/util/proto"
+	"sigs.k8s.io/yaml"
+)
+
+// OpenAPIResourcesGetter represents a function to return
+// OpenAPI V2 resource specifications. Used for lazy-loading
+// these resource specifications.
+type OpenAPIResourcesGetter interface {
+	OpenAPISchema() (Resources, error)
+}
+
+// Resources interface describe a resources provider, that can give you
+// resource based on group-version-kind.
+type Resources interface {
+	LookupResource(gvk schema.GroupVersionKind) proto.Schema
+	GetConsumes(gvk schema.GroupVersionKind, operation string) []string
+}
+
+// groupVersionKindExtensionKey is the key used to lookup the
+// GroupVersionKind value for an object definition from the
+// definition's "extensions" map.
+const groupVersionKindExtensionKey = "x-kubernetes-group-version-kind"
+
+// document is an implementation of `Resources`. It looks for
+// resources in an openapi Schema.
+type document struct {
+	// Maps gvk to model name
+	resources map[schema.GroupVersionKind]string
+	models    proto.Models
+	doc       *openapi_v2.Document
+}
+
+var _ Resources = &document{}
+
+// NewOpenAPIData creates a new `Resources` out of the openapi document
+func NewOpenAPIData(doc *openapi_v2.Document) (Resources, error) {
+	models, err := proto.NewOpenAPIData(doc)
+	if err != nil {
+		return nil, err
+	}
+
+	resources := map[schema.GroupVersionKind]string{}
+	for _, modelName := range models.ListModels() {
+		model := models.LookupModel(modelName)
+		if model == nil {
+			panic("ListModels returns a model that can't be looked-up.")
+		}
+		gvkList := parseGroupVersionKind(model)
+		for _, gvk := range gvkList {
+			if len(gvk.Kind) > 0 {
+				resources[gvk] = modelName
+			}
+		}
+	}
+
+	return &document{
+		resources: resources,
+		models:    models,
+		doc:       doc,
+	}, nil
+}
+
+func (d *document) LookupResource(gvk schema.GroupVersionKind) proto.Schema {
+	modelName, found := d.resources[gvk]
+	if !found {
+		return nil
+	}
+	return d.models.LookupModel(modelName)
+}
+
+func (d *document) GetConsumes(gvk schema.GroupVersionKind, operation string) []string {
+	for _, path := range d.doc.GetPaths().GetPath() {
+		for _, ex := range path.GetValue().GetPatch().GetVendorExtension() {
+			if ex.GetValue().GetYaml() == "" ||
+				ex.GetName() != "x-kubernetes-group-version-kind" {
+				continue
+			}
+
+			var value map[string]string
+			err := yaml.Unmarshal([]byte(ex.GetValue().GetYaml()), &value)
+			if err != nil {
+				continue
+			}
+
+			if value["group"] == gvk.Group && value["kind"] == gvk.Kind && value["version"] == gvk.Version {
+				switch operation {
+				case "GET":
+					return path.GetValue().GetGet().GetConsumes()
+				case "PATCH":
+					return path.GetValue().GetPatch().GetConsumes()
+				case "HEAD":
+					return path.GetValue().GetHead().GetConsumes()
+				case "PUT":
+					return path.GetValue().GetPut().GetConsumes()
+				case "POST":
+					return path.GetValue().GetPost().GetConsumes()
+				case "OPTIONS":
+					return path.GetValue().GetOptions().GetConsumes()
+				case "DELETE":
+					return path.GetValue().GetDelete().GetConsumes()
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// Get and parse GroupVersionKind from the extension. Returns empty if it doesn't have one.
+func parseGroupVersionKind(s proto.Schema) []schema.GroupVersionKind {
+	extensions := s.GetExtensions()
+
+	gvkListResult := []schema.GroupVersionKind{}
+
+	// Get the extensions
+	gvkExtension, ok := extensions[groupVersionKindExtensionKey]
+	if !ok {
+		return []schema.GroupVersionKind{}
+	}
+
+	// gvk extension must be a list of at least 1 element.
+	gvkList, ok := gvkExtension.([]interface{})
+	if !ok {
+		return []schema.GroupVersionKind{}
+	}
+
+	for _, gvk := range gvkList {
+		// gvk extension list must be a map with group, version, and
+		// kind fields
+		gvkMap, ok := gvk.(map[interface{}]interface{})
+		if !ok {
+			continue
+		}
+		group, ok := gvkMap["group"].(string)
+		if !ok {
+			continue
+		}
+		version, ok := gvkMap["version"].(string)
+		if !ok {
+			continue
+		}
+		kind, ok := gvkMap["kind"].(string)
+		if !ok {
+			continue
+		}
+
+		gvkListResult = append(gvkListResult, schema.GroupVersionKind{
+			Group:   group,
+			Version: version,
+			Kind:    kind,
+		})
+	}
+
+	return gvkListResult
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/openapi/openapi_getter.go b/vendor/k8s.io/kubectl/pkg/util/openapi/openapi_getter.go
new file mode 100644
index 0000000000..3179161ee0
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/openapi/openapi_getter.go
@@ -0,0 +1,82 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openapi
+
+import (
+	"sync"
+
+	openapi_v2 "github.com/google/gnostic-models/openapiv2"
+	"k8s.io/client-go/discovery"
+)
+
+// CachedOpenAPIGetter fetches the openapi schema once and then caches it in memory
+type CachedOpenAPIGetter struct {
+	openAPIClient discovery.OpenAPISchemaInterface
+
+	// Cached results
+	sync.Once
+	openAPISchema *openapi_v2.Document
+	err           error
+}
+
+var _ discovery.OpenAPISchemaInterface = &CachedOpenAPIGetter{}
+
+// NewOpenAPIGetter returns an object to return OpenAPIDatas which reads
+// from a server, and then stores in memory for subsequent invocations
+func NewOpenAPIGetter(openAPIClient discovery.OpenAPISchemaInterface) *CachedOpenAPIGetter {
+	return &CachedOpenAPIGetter{
+		openAPIClient: openAPIClient,
+	}
+}
+
+// OpenAPISchema implements OpenAPISchemaInterface.
+func (g *CachedOpenAPIGetter) OpenAPISchema() (*openapi_v2.Document, error) {
+	g.Do(func() {
+		g.openAPISchema, g.err = g.openAPIClient.OpenAPISchema()
+	})
+
+	// Return the saved result.
+	return g.openAPISchema, g.err
+}
+
+type CachedOpenAPIParser struct {
+	openAPIClient discovery.OpenAPISchemaInterface
+
+	// Cached results
+	sync.Once
+	openAPIResources Resources
+	err              error
+}
+
+func NewOpenAPIParser(openAPIClient discovery.OpenAPISchemaInterface) *CachedOpenAPIParser {
+	return &CachedOpenAPIParser{
+		openAPIClient: openAPIClient,
+	}
+}
+
+func (p *CachedOpenAPIParser) Parse() (Resources, error) {
+	p.Do(func() {
+		oapi, err := p.openAPIClient.OpenAPISchema()
+		if err != nil {
+			p.err = err
+			return
+		}
+		p.openAPIResources, p.err = NewOpenAPIData(oapi)
+	})
+
+	return p.openAPIResources, p.err
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/templates/command_groups.go b/vendor/k8s.io/kubectl/pkg/util/templates/command_groups.go
new file mode 100644
index 0000000000..447a39621f
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/templates/command_groups.go
@@ -0,0 +1,59 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package templates
+
+import (
+	"github.com/spf13/cobra"
+)
+
+type CommandGroup struct {
+	Message  string
+	Commands []*cobra.Command
+}
+
+type CommandGroups []CommandGroup
+
+func (g CommandGroups) Add(c *cobra.Command) {
+	for _, group := range g {
+		c.AddCommand(group.Commands...)
+	}
+}
+
+func (g CommandGroups) Has(c *cobra.Command) bool {
+	for _, group := range g {
+		for _, command := range group.Commands {
+			if command == c {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func AddAdditionalCommands(g CommandGroups, message string, cmds []*cobra.Command) CommandGroups {
+	group := CommandGroup{Message: message}
+	for _, c := range cmds {
+		// Don't show commands that have no short description
+		if !g.Has(c) && len(c.Short) != 0 {
+			group.Commands = append(group.Commands, c)
+		}
+	}
+	if len(group.Commands) == 0 {
+		return g
+	}
+	return append(g, group)
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/templates/help_flags_printer.go b/vendor/k8s.io/kubectl/pkg/util/templates/help_flags_printer.go
new file mode 100644
index 0000000000..b7e1bf00f8
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/templates/help_flags_printer.go
@@ -0,0 +1,76 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package templates
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/mitchellh/go-wordwrap"
+	flag "github.com/spf13/pflag"
+)
+
+const offset = 10
+
+// HelpFlagPrinter is a printer that
+// processes the help flag and print
+// it to i/o writer
+type HelpFlagPrinter struct {
+	wrapLimit uint
+	out       io.Writer
+}
+
+// NewHelpFlagPrinter will initialize a HelpFlagPrinter given the
+// i/o writer
+func NewHelpFlagPrinter(out io.Writer, wrapLimit uint) *HelpFlagPrinter {
+	return &HelpFlagPrinter{
+		wrapLimit: wrapLimit,
+		out:       out,
+	}
+}
+
+// PrintHelpFlag will beautify the help flags and print it out to p.out
+func (p *HelpFlagPrinter) PrintHelpFlag(flag *flag.Flag) {
+	formatBuf := new(bytes.Buffer)
+	writeFlag(formatBuf, flag)
+
+	wrappedStr := formatBuf.String()
+	flagAndUsage := strings.Split(formatBuf.String(), "\n")
+	flagStr := flagAndUsage[0]
+
+	// if the flag usage is longer than one line, wrap it again
+	if len(flagAndUsage) > 1 {
+		nextLines := strings.Join(flagAndUsage[1:], " ")
+		wrappedUsages := wordwrap.WrapString(nextLines, p.wrapLimit-offset)
+		wrappedStr = flagStr + "\n" + wrappedUsages
+	}
+	appendTabStr := strings.ReplaceAll(wrappedStr, "\n", "\n\t")
+
+	fmt.Fprint(p.out, appendTabStr+"\n\n")
+}
+
+// writeFlag will output the help flag based
+// on the format provided by getFlagFormat to i/o writer
+func writeFlag(out io.Writer, f *flag.Flag) {
+	deprecated := ""
+	if f.Deprecated != "" {
+		deprecated = fmt.Sprintf(" (DEPRECATED: %s)", f.Deprecated)
+	}
+	fmt.Fprintf(out, getFlagFormat(f), f.Shorthand, f.Name, f.DefValue, f.Usage, deprecated)
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/templates/markdown.go b/vendor/k8s.io/kubectl/pkg/util/templates/markdown.go
new file mode 100644
index 0000000000..962cd9eec9
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/templates/markdown.go
@@ -0,0 +1,116 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package templates
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/russross/blackfriday/v2"
+)
+
+const linebreak = "\n"
+
+// ASCIIRenderer implements blackfriday.Renderer
+var _ blackfriday.Renderer = &ASCIIRenderer{}
+
+// ASCIIRenderer is a blackfriday.Renderer intended for rendering markdown
+// documents as plain text, well suited for human reading on terminals.
+type ASCIIRenderer struct {
+	Indentation string
+
+	listItemCount uint
+	listLevel     uint
+}
+
+// render markdown to text
+func (r *ASCIIRenderer) RenderNode(w io.Writer, node *blackfriday.Node, entering bool) blackfriday.WalkStatus {
+	switch node.Type {
+	case blackfriday.Text:
+		raw := string(node.Literal)
+		lines := strings.Split(raw, linebreak)
+		for _, line := range lines {
+			trimmed := strings.Trim(line, " \n\t")
+			if len(trimmed) > 0 && trimmed[0] != '_' {
+				w.Write([]byte(" "))
+			}
+			w.Write([]byte(trimmed))
+		}
+	case blackfriday.HorizontalRule, blackfriday.Hardbreak:
+		w.Write([]byte(linebreak + "----------" + linebreak))
+	case blackfriday.Code, blackfriday.CodeBlock:
+		w.Write([]byte(linebreak))
+		lines := []string{}
+		for _, line := range strings.Split(string(node.Literal), linebreak) {
+			trimmed := strings.Trim(line, " \t")
+			// Adding 4 times of indentation will let blackfriday to accept
+			// this literal as Code or CodeBlock again in next invocation
+			indented := strings.Repeat(r.Indentation, 4) + trimmed
+			lines = append(lines, indented)
+		}
+		w.Write([]byte(strings.Join(lines, linebreak)))
+	case blackfriday.Image:
+		w.Write(node.LinkData.Destination)
+	case blackfriday.Link:
+		w.Write([]byte(" "))
+		w.Write(node.LinkData.Destination)
+	case blackfriday.Paragraph:
+		if r.listLevel == 0 {
+			w.Write([]byte(linebreak))
+		}
+	case blackfriday.List:
+		if entering {
+			w.Write([]byte(linebreak))
+			r.listLevel++
+		} else {
+			r.listLevel--
+			r.listItemCount = 0
+		}
+	case blackfriday.Item:
+		if entering {
+			r.listItemCount++
+			for i := 0; uint(i) < r.listLevel; i++ {
+				w.Write([]byte(r.Indentation))
+			}
+			if node.ListFlags&blackfriday.ListTypeOrdered != 0 {
+				w.Write([]byte(fmt.Sprintf("%d. ", r.listItemCount)))
+			} else {
+				w.Write([]byte("* "))
+			}
+		} else {
+			w.Write([]byte(linebreak))
+		}
+	default:
+		normalText(w, node.Literal)
+	}
+	return blackfriday.GoToNext
+}
+
+func normalText(w io.Writer, text []byte) {
+	w.Write([]byte(strings.Trim(string(text), " \n\t")))
+}
+
+// RenderHeader writes document preamble and TOC if requested.
+func (r *ASCIIRenderer) RenderHeader(w io.Writer, ast *blackfriday.Node) {
+
+}
+
+// RenderFooter writes document footer.
+func (r *ASCIIRenderer) RenderFooter(w io.Writer, ast *blackfriday.Node) {
+	io.WriteString(w, "\n")
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/templates/normalizers.go b/vendor/k8s.io/kubectl/pkg/util/templates/normalizers.go
new file mode 100644
index 0000000000..09094ffdfe
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/templates/normalizers.go
@@ -0,0 +1,97 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package templates
+
+import (
+	"strings"
+
+	"github.com/MakeNowJust/heredoc"
+	"github.com/russross/blackfriday/v2"
+	"github.com/spf13/cobra"
+)
+
+const Indentation = `  `
+
+// LongDesc normalizes a command's long description to follow the conventions.
+func LongDesc(s string) string {
+	if len(s) == 0 {
+		return s
+	}
+	return normalizer{s}.heredoc().markdown().trim().string
+}
+
+// Examples normalizes a command's examples to follow the conventions.
+func Examples(s string) string {
+	if len(s) == 0 {
+		return s
+	}
+	return normalizer{s}.trim().indent().string
+}
+
+// Normalize perform all required normalizations on a given command.
+func Normalize(cmd *cobra.Command) *cobra.Command {
+	if len(cmd.Long) > 0 {
+		cmd.Long = LongDesc(cmd.Long)
+	}
+	if len(cmd.Example) > 0 {
+		cmd.Example = Examples(cmd.Example)
+	}
+	return cmd
+}
+
+// NormalizeAll perform all required normalizations in the entire command tree.
+func NormalizeAll(cmd *cobra.Command) *cobra.Command {
+	if cmd.HasSubCommands() {
+		for _, subCmd := range cmd.Commands() {
+			NormalizeAll(subCmd)
+		}
+	}
+	Normalize(cmd)
+	return cmd
+}
+
+type normalizer struct {
+	string
+}
+
+func (s normalizer) markdown() normalizer {
+	bytes := []byte(s.string)
+	formatted := blackfriday.Run(bytes, blackfriday.WithExtensions(blackfriday.NoIntraEmphasis), blackfriday.WithRenderer(&ASCIIRenderer{Indentation: Indentation}))
+	s.string = string(formatted)
+	return s
+}
+
+func (s normalizer) heredoc() normalizer {
+	s.string = heredoc.Doc(s.string)
+	return s
+}
+
+func (s normalizer) trim() normalizer {
+	s.string = strings.TrimSpace(s.string)
+	return s
+}
+
+func (s normalizer) indent() normalizer {
+	indentedLines := []string{}
+	for _, line := range strings.Split(s.string, "\n") {
+		trimmed := strings.TrimSpace(line)
+		indented := Indentation + trimmed
+		indentedLines = append(indentedLines, indented)
+	}
+	s.string = strings.Join(indentedLines, "\n")
+	return s
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/templates/templater.go b/vendor/k8s.io/kubectl/pkg/util/templates/templater.go
new file mode 100644
index 0000000000..8fe181a050
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/templates/templater.go
@@ -0,0 +1,319 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package templates
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"text/template"
+	"unicode"
+
+	"github.com/spf13/cobra"
+	flag "github.com/spf13/pflag"
+
+	"k8s.io/kubectl/pkg/util/term"
+)
+
+type FlagExposer interface {
+	ExposeFlags(cmd *cobra.Command, flags ...string) FlagExposer
+}
+
+func ActsAsRootCommand(cmd *cobra.Command, filters []string, groups ...CommandGroup) FlagExposer {
+	if cmd == nil {
+		panic("nil root command")
+	}
+	templater := &templater{
+		RootCmd:       cmd,
+		UsageTemplate: MainUsageTemplate(),
+		HelpTemplate:  MainHelpTemplate(),
+		CommandGroups: groups,
+		Filtered:      filters,
+	}
+	cmd.SetFlagErrorFunc(templater.FlagErrorFunc())
+	cmd.SilenceUsage = true
+	cmd.SetUsageFunc(templater.UsageFunc())
+	cmd.SetHelpFunc(templater.HelpFunc())
+	return templater
+}
+
+func UseOptionsTemplates(cmd *cobra.Command) {
+	templater := &templater{
+		UsageTemplate: OptionsUsageTemplate(),
+		HelpTemplate:  OptionsHelpTemplate(),
+	}
+	cmd.SetUsageFunc(templater.UsageFunc())
+	cmd.SetHelpFunc(templater.HelpFunc())
+}
+
+type templater struct {
+	UsageTemplate string
+	HelpTemplate  string
+	RootCmd       *cobra.Command
+	CommandGroups
+	Filtered []string
+}
+
+func (templater *templater) FlagErrorFunc(exposedFlags ...string) func(*cobra.Command, error) error {
+	return func(c *cobra.Command, err error) error {
+		c.SilenceUsage = true
+		switch c.CalledAs() {
+		case "options":
+			return fmt.Errorf("%s\nRun '%s' without flags.", err, c.CommandPath())
+		default:
+			return fmt.Errorf("%s\nSee '%s --help' for usage.", err, c.CommandPath())
+		}
+	}
+}
+
+func (templater *templater) ExposeFlags(cmd *cobra.Command, flags ...string) FlagExposer {
+	cmd.SetUsageFunc(templater.UsageFunc(flags...))
+	return templater
+}
+
+func (templater *templater) HelpFunc() func(*cobra.Command, []string) {
+	return func(c *cobra.Command, s []string) {
+		t := template.New("help")
+		t.Funcs(templater.templateFuncs())
+		template.Must(t.Parse(templater.HelpTemplate))
+		out := term.NewResponsiveWriter(c.OutOrStdout())
+		err := t.Execute(out, c)
+		if err != nil {
+			c.Println(err)
+		}
+	}
+}
+
+func (templater *templater) UsageFunc(exposedFlags ...string) func(*cobra.Command) error {
+	return func(c *cobra.Command) error {
+		t := template.New("usage")
+		t.Funcs(templater.templateFuncs(exposedFlags...))
+		template.Must(t.Parse(templater.UsageTemplate))
+		out := term.NewResponsiveWriter(c.OutOrStderr())
+		return t.Execute(out, c)
+	}
+}
+
+func (templater *templater) templateFuncs(exposedFlags ...string) template.FuncMap {
+	return template.FuncMap{
+		"trim":                strings.TrimSpace,
+		"trimRight":           func(s string) string { return strings.TrimRightFunc(s, unicode.IsSpace) },
+		"trimLeft":            func(s string) string { return strings.TrimLeftFunc(s, unicode.IsSpace) },
+		"gt":                  cobra.Gt,
+		"eq":                  cobra.Eq,
+		"rpad":                rpad,
+		"appendIfNotPresent":  appendIfNotPresent,
+		"flagsNotIntersected": flagsNotIntersected,
+		"visibleFlags":        visibleFlags,
+		"flagsUsages":         flagsUsages,
+		"cmdGroups":           templater.cmdGroups,
+		"cmdGroupsString":     templater.cmdGroupsString,
+		"rootCmd":             templater.rootCmdName,
+		"isRootCmd":           templater.isRootCmd,
+		"optionsCmdFor":       templater.optionsCmdFor,
+		"usageLine":           templater.usageLine,
+		"reverseParentsNames": templater.reverseParentsNames,
+		"exposed": func(c *cobra.Command) *flag.FlagSet {
+			exposed := flag.NewFlagSet("exposed", flag.ContinueOnError)
+			if len(exposedFlags) > 0 {
+				for _, name := range exposedFlags {
+					if flag := c.Flags().Lookup(name); flag != nil {
+						exposed.AddFlag(flag)
+					}
+				}
+			}
+			return exposed
+		},
+	}
+}
+
+func (templater *templater) cmdGroups(c *cobra.Command, all []*cobra.Command) []CommandGroup {
+	if len(templater.CommandGroups) > 0 && c == templater.RootCmd {
+		all = filter(all, templater.Filtered...)
+		return AddAdditionalCommands(templater.CommandGroups, "Other Commands:", all)
+	}
+	all = filter(all, "options")
+	return []CommandGroup{
+		{
+			Message:  "Available Commands:",
+			Commands: all,
+		},
+	}
+}
+
+func (t *templater) cmdGroupsString(c *cobra.Command) string {
+	groups := []string{}
+	for _, cmdGroup := range t.cmdGroups(c, c.Commands()) {
+		cmds := []string{cmdGroup.Message}
+		for _, cmd := range cmdGroup.Commands {
+			if cmd.IsAvailableCommand() {
+				cmds = append(cmds, "  "+rpad(cmd.Name(), cmd.NamePadding())+"   "+cmd.Short)
+			}
+		}
+		groups = append(groups, strings.Join(cmds, "\n"))
+	}
+	return strings.Join(groups, "\n\n")
+}
+
+func (t *templater) rootCmdName(c *cobra.Command) string {
+	return t.rootCmd(c).CommandPath()
+}
+
+func (t *templater) reverseParentsNames(c *cobra.Command) []string {
+	reverseParentsNames := []string{}
+	parents := t.parents(c)
+	for i := len(parents) - 1; i >= 0; i-- {
+		reverseParentsNames = append(reverseParentsNames, parents[i].Name())
+	}
+	return reverseParentsNames
+}
+
+func (t *templater) isRootCmd(c *cobra.Command) bool {
+	return t.rootCmd(c) == c
+}
+
+func (t *templater) parents(c *cobra.Command) []*cobra.Command {
+	parents := []*cobra.Command{c}
+	for current := c; !t.isRootCmd(current) && current.HasParent(); {
+		current = current.Parent()
+		parents = append(parents, current)
+	}
+	return parents
+}
+
+func (t *templater) rootCmd(c *cobra.Command) *cobra.Command {
+	if c != nil && !c.HasParent() {
+		return c
+	}
+	if t.RootCmd == nil {
+		panic("nil root cmd")
+	}
+	return t.RootCmd
+}
+
+func (t *templater) optionsCmdFor(c *cobra.Command) string {
+	if !c.Runnable() {
+		return ""
+	}
+	rootCmdStructure := t.parents(c)
+	for i := len(rootCmdStructure) - 1; i >= 0; i-- {
+		cmd := rootCmdStructure[i]
+		if _, _, err := cmd.Find([]string{"options"}); err == nil {
+			return cmd.CommandPath() + " options"
+		}
+	}
+	return ""
+}
+
+func (t *templater) usageLine(c *cobra.Command) string {
+	usage := c.UseLine()
+	suffix := "[options]"
+	if c.HasFlags() && !strings.Contains(usage, suffix) {
+		usage += " " + suffix
+	}
+	return usage
+}
+
+// flagsUsages will print out the kubectl help flags
+func flagsUsages(f *flag.FlagSet) (string, error) {
+	flagBuf := new(bytes.Buffer)
+	wrapLimit, err := term.GetWordWrapperLimit()
+	if err != nil {
+		wrapLimit = 0
+	}
+	printer := NewHelpFlagPrinter(flagBuf, wrapLimit)
+
+	f.VisitAll(func(flag *flag.Flag) {
+		if flag.Hidden {
+			return
+		}
+		printer.PrintHelpFlag(flag)
+	})
+
+	return flagBuf.String(), nil
+}
+
+// getFlagFormat will output the flag format
+func getFlagFormat(f *flag.Flag) string {
+	var format string
+	format = "--%s=%s:\n%s%s"
+	if f.Value.Type() == "string" {
+		format = "--%s='%s':\n%s%s"
+	}
+
+	if len(f.Shorthand) > 0 {
+		format = "    -%s, " + format
+	} else {
+		format = "    %s" + format
+	}
+
+	return format
+}
+
+func rpad(s string, padding int) string {
+	template := fmt.Sprintf("%%-%ds", padding)
+	return fmt.Sprintf(template, s)
+}
+
+func appendIfNotPresent(s, stringToAppend string) string {
+	if strings.Contains(s, stringToAppend) {
+		return s
+	}
+	return s + " " + stringToAppend
+}
+
+func flagsNotIntersected(l *flag.FlagSet, r *flag.FlagSet) *flag.FlagSet {
+	f := flag.NewFlagSet("notIntersected", flag.ContinueOnError)
+	l.VisitAll(func(flag *flag.Flag) {
+		if r.Lookup(flag.Name) == nil {
+			f.AddFlag(flag)
+		}
+	})
+	return f
+}
+
+func visibleFlags(l *flag.FlagSet) *flag.FlagSet {
+	hidden := "help"
+	f := flag.NewFlagSet("visible", flag.ContinueOnError)
+	l.VisitAll(func(flag *flag.Flag) {
+		if flag.Name != hidden {
+			f.AddFlag(flag)
+		}
+	})
+	return f
+}
+
+func filter(cmds []*cobra.Command, names ...string) []*cobra.Command {
+	out := []*cobra.Command{}
+	for _, c := range cmds {
+		if c.Hidden {
+			continue
+		}
+		skip := false
+		for _, name := range names {
+			if name == c.Name() {
+				skip = true
+				break
+			}
+		}
+		if skip {
+			continue
+		}
+		out = append(out, c)
+	}
+	return out
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/templates/templates.go b/vendor/k8s.io/kubectl/pkg/util/templates/templates.go
new file mode 100644
index 0000000000..454695c0b2
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/templates/templates.go
@@ -0,0 +1,104 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package templates
+
+import (
+	"strings"
+	"unicode"
+)
+
+const (
+	// SectionVars is the help template section that declares variables to be used in the template.
+	SectionVars = `{{$isRootCmd := isRootCmd .}}` +
+		`{{$rootCmd := rootCmd .}}` +
+		`{{$visibleFlags := visibleFlags (flagsNotIntersected .LocalFlags .PersistentFlags)}}` +
+		`{{$explicitlyExposedFlags := exposed .}}` +
+		`{{$optionsCmdFor := optionsCmdFor .}}` +
+		`{{$usageLine := usageLine .}}` +
+		`{{$reverseParentsNames := reverseParentsNames .}}`
+
+	// SectionAliases is the help template section that displays command aliases.
+	SectionAliases = `{{if gt .Aliases 0}}Aliases:
+{{.NameAndAliases}}
+
+{{end}}`
+
+	// SectionExamples is the help template section that displays command examples.
+	SectionExamples = `{{if .HasExample}}Examples:
+{{trimRight .Example}}
+
+{{end}}`
+
+	// SectionSubcommands is the help template section that displays the command's subcommands.
+	SectionSubcommands = `{{if .HasAvailableSubCommands}}{{cmdGroupsString .}}
+
+{{end}}`
+
+	// SectionFlags is the help template section that displays the command's flags.
+	SectionFlags = `{{ if or $visibleFlags.HasFlags $explicitlyExposedFlags.HasFlags}}Options:
+{{ if $visibleFlags.HasFlags}}{{trimRight (flagsUsages $visibleFlags)}}{{end}}{{ if $explicitlyExposedFlags.HasFlags}}{{ if $visibleFlags.HasFlags}}
+{{end}}{{trimRight (flagsUsages $explicitlyExposedFlags)}}{{end}}
+
+{{end}}`
+
+	// SectionUsage is the help template section that displays the command's usage.
+	SectionUsage = `{{if and .Runnable (ne .UseLine "") (ne .UseLine $rootCmd)}}Usage:
+  {{$usageLine}}
+
+{{end}}`
+
+	// SectionTipsHelp is the help template section that displays the '--help' hint.
+	SectionTipsHelp = `{{if .HasSubCommands}}Use "{{range $reverseParentsNames}}{{.}} {{end}}<command> --help" for more information about a given command.
+{{end}}`
+
+	// SectionTipsGlobalOptions is the help template section that displays the 'options' hint for displaying global flags.
+	SectionTipsGlobalOptions = `{{if $optionsCmdFor}}Use "{{$optionsCmdFor}}" for a list of global command-line options (applies to all commands).
+{{end}}`
+)
+
+// MainHelpTemplate if the template for 'help' used by most commands.
+func MainHelpTemplate() string {
+	return `{{with or .Long .Short }}{{. | trim}}{{end}}{{if or .Runnable .HasSubCommands}}{{.UsageString}}{{end}}`
+}
+
+// MainUsageTemplate if the template for 'usage' used by most commands.
+func MainUsageTemplate() string {
+	sections := []string{
+		"\n\n",
+		SectionVars,
+		SectionAliases,
+		SectionExamples,
+		SectionSubcommands,
+		SectionFlags,
+		SectionUsage,
+		SectionTipsHelp,
+		SectionTipsGlobalOptions,
+	}
+	return strings.TrimRightFunc(strings.Join(sections, ""), unicode.IsSpace)
+}
+
+// OptionsHelpTemplate if the template for 'help' used by the 'options' command.
+func OptionsHelpTemplate() string {
+	return ""
+}
+
+// OptionsUsageTemplate if the template for 'usage' used by the 'options' command.
+func OptionsUsageTemplate() string {
+	return `{{ if .HasInheritedFlags}}The following options can be passed to any command:
+
+{{flagsUsages .InheritedFlags}}{{end}}`
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/term/resize.go b/vendor/k8s.io/kubectl/pkg/util/term/resize.go
new file mode 100644
index 0000000000..a38d27f3d8
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/term/resize.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package term
+
+import (
+	"fmt"
+
+	"github.com/moby/term"
+	"k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// TerminalSize represents the width and height of a terminal.
+// It is the same as staging/src/k8s.io/client-go/tools/remotecommand.TerminalSize.
+// Copied to decouple the packages. Terminal-related package should not depend on API client and vice versa.
+type TerminalSize struct {
+	Width  uint16
+	Height uint16
+}
+
+// TerminalSizeQueue is capable of returning terminal resize events as they occur.
+// It is the same as staging/src/k8s.io/client-go/tools/remotecommand.TerminalSizeQueue.
+// Copied to decouple the packages. Terminal-related package should not depend on API client and vice versa.
+type TerminalSizeQueue interface {
+	// Next returns the new terminal size after the terminal has been resized. It returns nil when
+	// monitoring has been stopped.
+	Next() *TerminalSize
+}
+
+// GetSize returns the current size of the user's terminal. If it isn't a terminal,
+// nil is returned.
+func (t TTY) GetSize() *TerminalSize {
+	outFd, isTerminal := term.GetFdInfo(t.Out)
+	if !isTerminal {
+		return nil
+	}
+	return GetSize(outFd)
+}
+
+// GetSize returns the current size of the terminal associated with fd.
+func GetSize(fd uintptr) *TerminalSize {
+	winsize, err := term.GetWinsize(fd)
+	if err != nil {
+		runtime.HandleError(fmt.Errorf("unable to get terminal size: %v", err))
+		return nil
+	}
+
+	return &TerminalSize{Width: winsize.Width, Height: winsize.Height}
+}
+
+// MonitorSize monitors the terminal's size. It returns a TerminalSizeQueue primed with
+// initialSizes, or nil if there's no TTY present.
+func (t *TTY) MonitorSize(initialSizes ...*TerminalSize) TerminalSizeQueue {
+	outFd, isTerminal := term.GetFdInfo(t.Out)
+	if !isTerminal {
+		return nil
+	}
+
+	t.sizeQueue = &sizeQueue{
+		t: *t,
+		// make it buffered so we can send the initial terminal sizes without blocking, prior to starting
+		// the streaming below
+		resizeChan:   make(chan TerminalSize, len(initialSizes)),
+		stopResizing: make(chan struct{}),
+	}
+
+	t.sizeQueue.monitorSize(outFd, initialSizes...)
+
+	return t.sizeQueue
+}
+
+// sizeQueue implements remotecommand.TerminalSizeQueue
+type sizeQueue struct {
+	t TTY
+	// resizeChan receives a Size each time the user's terminal is resized.
+	resizeChan   chan TerminalSize
+	stopResizing chan struct{}
+}
+
+// make sure sizeQueue implements the TerminalSizeQueue interface
+var _ TerminalSizeQueue = &sizeQueue{}
+
+// monitorSize primes resizeChan with initialSizes and then monitors for resize events. With each
+// new event, it sends the current terminal size to resizeChan.
+func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*TerminalSize) {
+	// send the initial sizes
+	for i := range initialSizes {
+		if initialSizes[i] != nil {
+			s.resizeChan <- *initialSizes[i]
+		}
+	}
+
+	resizeEvents := make(chan TerminalSize, 1)
+
+	monitorResizeEvents(outFd, resizeEvents, s.stopResizing)
+
+	// listen for resize events in the background
+	go func() {
+		defer runtime.HandleCrash()
+
+		for {
+			select {
+			case size, ok := <-resizeEvents:
+				if !ok {
+					return
+				}
+
+				select {
+				// try to send the size to resizeChan, but don't block
+				case s.resizeChan <- size:
+					// send successful
+				default:
+					// unable to send / no-op
+				}
+			case <-s.stopResizing:
+				return
+			}
+		}
+	}()
+}
+
+// Next returns the new terminal size after the terminal has been resized. It returns nil when
+// monitoring has been stopped.
+func (s *sizeQueue) Next() *TerminalSize {
+	size, ok := <-s.resizeChan
+	if !ok {
+		return nil
+	}
+	return &size
+}
+
+// stop stops the background goroutine that is monitoring for terminal resizes.
+func (s *sizeQueue) stop() {
+	close(s.stopResizing)
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/term/resizeevents.go b/vendor/k8s.io/kubectl/pkg/util/term/resizeevents.go
new file mode 100644
index 0000000000..04b8cdab24
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/term/resizeevents.go
@@ -0,0 +1,61 @@
+//go:build !windows
+// +build !windows
+
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package term
+
+import (
+	"os"
+	"os/signal"
+
+	"golang.org/x/sys/unix"
+	"k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// monitorResizeEvents spawns a goroutine that waits for SIGWINCH signals (these indicate the
+// terminal has resized). After receiving a SIGWINCH, this gets the terminal size and tries to send
+// it to the resizeEvents channel. The goroutine stops when the stop channel is closed.
+func monitorResizeEvents(fd uintptr, resizeEvents chan<- TerminalSize, stop chan struct{}) {
+	go func() {
+		defer runtime.HandleCrash()
+
+		winch := make(chan os.Signal, 1)
+		signal.Notify(winch, unix.SIGWINCH)
+		defer signal.Stop(winch)
+
+		for {
+			select {
+			case <-winch:
+				size := GetSize(fd)
+				if size == nil {
+					return
+				}
+
+				// try to send size
+				select {
+				case resizeEvents <- *size:
+					// success
+				default:
+					// not sent
+				}
+			case <-stop:
+				return
+			}
+		}
+	}()
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/term/resizeevents_windows.go b/vendor/k8s.io/kubectl/pkg/util/term/resizeevents_windows.go
new file mode 100644
index 0000000000..ae930642f5
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/term/resizeevents_windows.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package term
+
+import (
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// monitorResizeEvents spawns a goroutine that periodically gets the terminal size and tries to send
+// it to the resizeEvents channel if the size has changed. The goroutine stops when the stop channel
+// is closed.
+func monitorResizeEvents(fd uintptr, resizeEvents chan<- TerminalSize, stop chan struct{}) {
+	go func() {
+		defer runtime.HandleCrash()
+
+		size := GetSize(fd)
+		if size == nil {
+			return
+		}
+		lastSize := *size
+
+		for {
+			// see if we need to stop running
+			select {
+			case <-stop:
+				return
+			default:
+			}
+
+			size := GetSize(fd)
+			if size == nil {
+				return
+			}
+
+			if size.Height != lastSize.Height || size.Width != lastSize.Width {
+				lastSize.Height = size.Height
+				lastSize.Width = size.Width
+				resizeEvents <- *size
+			}
+
+			// sleep to avoid hot looping
+			time.Sleep(250 * time.Millisecond)
+		}
+	}()
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/term/term.go b/vendor/k8s.io/kubectl/pkg/util/term/term.go
new file mode 100644
index 0000000000..93a992fe31
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/term/term.go
@@ -0,0 +1,115 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package term
+
+import (
+	"io"
+	"os"
+
+	"k8s.io/cli-runtime/pkg/printers"
+
+	"github.com/moby/term"
+
+	"k8s.io/kubectl/pkg/util/interrupt"
+)
+
+// SafeFunc is a function to be invoked by TTY.
+type SafeFunc func() error
+
+// TTY helps invoke a function and preserve the state of the terminal, even if the process is
+// terminated during execution. It also provides support for terminal resizing for remote command
+// execution/attachment.
+type TTY struct {
+	// In is a reader representing stdin. It is a required field.
+	In io.Reader
+	// Out is a writer representing stdout. It must be set to support terminal resizing. It is an
+	// optional field.
+	Out io.Writer
+	// Raw is true if the terminal should be set raw.
+	Raw bool
+	// TryDev indicates the TTY should try to open /dev/tty if the provided input
+	// is not a file descriptor.
+	TryDev bool
+	// Parent is an optional interrupt handler provided to this function - if provided
+	// it will be invoked after the terminal state is restored. If it is not provided,
+	// a signal received during the TTY will result in os.Exit(0) being invoked.
+	Parent *interrupt.Handler
+
+	// sizeQueue is set after a call to MonitorSize() and is used to monitor SIGWINCH signals when the
+	// user's terminal resizes.
+	sizeQueue *sizeQueue
+}
+
+// IsTerminalIn returns true if t.In is a terminal. Does not check /dev/tty
+// even if TryDev is set.
+func (t TTY) IsTerminalIn() bool {
+	return printers.IsTerminal(t.In)
+}
+
+// IsTerminalOut returns true if t.Out is a terminal. Does not check /dev/tty
+// even if TryDev is set.
+func (t TTY) IsTerminalOut() bool {
+	return printers.IsTerminal(t.Out)
+}
+
+// IsTerminal returns whether the passed object is a terminal or not.
+// Deprecated: use printers.IsTerminal instead.
+var IsTerminal = printers.IsTerminal
+
+// AllowsColorOutput returns true if the specified writer is a terminal and
+// the process environment indicates color output is supported and desired.
+// Deprecated: use printers.AllowsColorOutput instead.
+var AllowsColorOutput = printers.AllowsColorOutput
+
+// Safe invokes the provided function and will attempt to ensure that when the
+// function returns (or a termination signal is sent) that the terminal state
+// is reset to the condition it was in prior to the function being invoked. If
+// t.Raw is true the terminal will be put into raw mode prior to calling the function.
+// If the input file descriptor is not a TTY and TryDev is true, the /dev/tty file
+// will be opened (if available).
+func (t TTY) Safe(fn SafeFunc) error {
+	inFd, isTerminal := term.GetFdInfo(t.In)
+
+	if !isTerminal && t.TryDev {
+		if f, err := os.Open("/dev/tty"); err == nil {
+			defer f.Close()
+			inFd = f.Fd()
+			isTerminal = term.IsTerminal(inFd)
+		}
+	}
+	if !isTerminal {
+		return fn()
+	}
+
+	var state *term.State
+	var err error
+	if t.Raw {
+		state, err = term.MakeRaw(inFd)
+	} else {
+		state, err = term.SaveState(inFd)
+	}
+	if err != nil {
+		return err
+	}
+	return interrupt.Chain(t.Parent, func() {
+		if t.sizeQueue != nil {
+			t.sizeQueue.stop()
+		}
+
+		term.RestoreTerminal(inFd, state)
+	}).Run(fn)
+}
diff --git a/vendor/k8s.io/kubectl/pkg/util/term/term_writer.go b/vendor/k8s.io/kubectl/pkg/util/term/term_writer.go
new file mode 100644
index 0000000000..df85482fcd
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/util/term/term_writer.go
@@ -0,0 +1,144 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package term
+
+import (
+	"errors"
+	"io"
+	"os"
+
+	wordwrap "github.com/mitchellh/go-wordwrap"
+	"github.com/moby/term"
+)
+
+type wordWrapWriter struct {
+	limit  uint
+	writer io.Writer
+}
+
+// NewResponsiveWriter creates a Writer that detects the column width of the
+// terminal we are in, and adjusts every line width to fit and use recommended
+// terminal sizes for better readability. Does proper word wrapping automatically.
+//
+//	if terminal width >= 120 columns		use 120 columns
+//	if terminal width >= 100 columns		use 100 columns
+//	if terminal width >=  80 columns		use  80 columns
+//
+// In case we're not in a terminal or if it's smaller than 80 columns width,
+// doesn't do any wrapping.
+func NewResponsiveWriter(w io.Writer) io.Writer {
+	file, ok := w.(*os.File)
+	if !ok {
+		return w
+	}
+	fd := file.Fd()
+	if !term.IsTerminal(fd) {
+		return w
+	}
+
+	terminalSize := GetSize(fd)
+	if terminalSize == nil {
+		return w
+	}
+	limit := getTerminalLimitWidth(terminalSize)
+
+	return NewWordWrapWriter(w, limit)
+}
+
+// NewWordWrapWriter is a Writer that supports a limit of characters on every line
+// and does auto word wrapping that respects that limit.
+func NewWordWrapWriter(w io.Writer, limit uint) io.Writer {
+	return &wordWrapWriter{
+		limit:  limit,
+		writer: w,
+	}
+}
+
+func getTerminalLimitWidth(terminalSize *TerminalSize) uint {
+	var limit uint
+	switch {
+	case terminalSize.Width >= 120:
+		limit = 120
+	case terminalSize.Width >= 100:
+		limit = 100
+	case terminalSize.Width >= 80:
+		limit = 80
+	}
+	return limit
+}
+
+func GetWordWrapperLimit() (uint, error) {
+	stdout := os.Stdout
+	fd := stdout.Fd()
+	if !term.IsTerminal(fd) {
+		return 0, errors.New("file descriptor is not a terminal")
+	}
+	terminalSize := GetSize(fd)
+	if terminalSize == nil {
+		return 0, errors.New("terminal size is nil")
+	}
+	return getTerminalLimitWidth(terminalSize), nil
+}
+
+func (w wordWrapWriter) Write(p []byte) (nn int, err error) {
+	if w.limit == 0 {
+		return w.writer.Write(p)
+	}
+	original := string(p)
+	wrapped := wordwrap.WrapString(original, w.limit)
+	return w.writer.Write([]byte(wrapped))
+}
+
+// NewPunchCardWriter is a NewWordWrapWriter that limits the line width to 80 columns.
+func NewPunchCardWriter(w io.Writer) io.Writer {
+	return NewWordWrapWriter(w, 80)
+}
+
+type maxWidthWriter struct {
+	maxWidth     uint
+	currentWidth uint
+	written      uint
+	writer       io.Writer
+}
+
+// NewMaxWidthWriter is a Writer that supports a limit of characters on every
+// line, but doesn't do any word wrapping automatically.
+func NewMaxWidthWriter(w io.Writer, maxWidth uint) io.Writer {
+	return &maxWidthWriter{
+		maxWidth: maxWidth,
+		writer:   w,
+	}
+}
+
+func (m maxWidthWriter) Write(p []byte) (nn int, err error) {
+	for _, b := range p {
+		if m.currentWidth == m.maxWidth {
+			m.writer.Write([]byte{'\n'})
+			m.currentWidth = 0
+		}
+		if b == '\n' {
+			m.currentWidth = 0
+		}
+		_, err := m.writer.Write([]byte{b})
+		if err != nil {
+			return int(m.written), err
+		}
+		m.written++
+		m.currentWidth++
+	}
+	return len(p), nil
+}
diff --git a/vendor/k8s.io/kubectl/pkg/validation/schema.go b/vendor/k8s.io/kubectl/pkg/validation/schema.go
new file mode 100644
index 0000000000..fb8841b9c4
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/validation/schema.go
@@ -0,0 +1,153 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+
+	ejson "github.com/exponent-io/jsonpath"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/cli-runtime/pkg/resource"
+	"k8s.io/klog/v2"
+)
+
+// Schema is an interface that knows how to validate an API object serialized to a byte array.
+type Schema interface {
+	ValidateBytes(data []byte) error
+}
+
+// NullSchema always validates bytes.
+type NullSchema struct{}
+
+// ValidateBytes never fails for NullSchema.
+func (NullSchema) ValidateBytes(data []byte) error { return nil }
+
+// NoDoubleKeySchema is a schema that disallows double keys.
+type NoDoubleKeySchema struct{}
+
+// ValidateBytes validates bytes.
+func (NoDoubleKeySchema) ValidateBytes(data []byte) error {
+	var list []error
+	if err := validateNoDuplicateKeys(data, "metadata", "labels"); err != nil {
+		list = append(list, err)
+	}
+	if err := validateNoDuplicateKeys(data, "metadata", "annotations"); err != nil {
+		list = append(list, err)
+	}
+	return utilerrors.NewAggregate(list)
+}
+
+func validateNoDuplicateKeys(data []byte, path ...string) error {
+	r := ejson.NewDecoder(bytes.NewReader(data))
+	// This is Go being unfriendly. The 'path ...string' comes in as a
+	// []string, and SeekTo takes ...interface{}, so we can't just pass
+	// the path straight in, we have to copy it.  *sigh*
+	ifacePath := []interface{}{}
+	for ix := range path {
+		ifacePath = append(ifacePath, path[ix])
+	}
+	found, err := r.SeekTo(ifacePath...)
+	if err != nil {
+		return err
+	}
+	if !found {
+		return nil
+	}
+	seen := map[string]bool{}
+	for {
+		tok, err := r.Token()
+		if err != nil {
+			return err
+		}
+		switch t := tok.(type) {
+		case json.Delim:
+			if t.String() == "}" {
+				return nil
+			}
+		case ejson.KeyString:
+			if seen[string(t)] {
+				return fmt.Errorf("duplicate key: %s", string(t))
+			}
+			seen[string(t)] = true
+		}
+	}
+}
+
+// ConjunctiveSchema encapsulates a schema list.
+type ConjunctiveSchema []Schema
+
+// ValidateBytes validates bytes per a ConjunctiveSchema.
+func (c ConjunctiveSchema) ValidateBytes(data []byte) error {
+	var list []error
+	schemas := []Schema(c)
+	for ix := range schemas {
+		if err := schemas[ix].ValidateBytes(data); err != nil {
+			list = append(list, err)
+		}
+	}
+	return utilerrors.NewAggregate(list)
+}
+
+func NewParamVerifyingSchema(s Schema, verifier resource.Verifier, directive string) Schema {
+	return &paramVerifyingSchema{
+		schema:    s,
+		verifier:  verifier,
+		directive: directive,
+	}
+}
+
+// paramVerifyingSchema only performs validation
+// based on the fieldValidation query param
+// being unsupported by the apiserver, because
+// server-side validation will be performed instead
+// of client-side validation.
+type paramVerifyingSchema struct {
+	schema    Schema
+	verifier  resource.Verifier
+	directive string
+}
+
+// ValidateBytes validates bytes per a ParamVerifyingSchema
+func (c *paramVerifyingSchema) ValidateBytes(data []byte) error {
+	obj, err := parse(data)
+	if err != nil {
+		return err
+	}
+
+	gvk, errs := getObjectKind(obj)
+	if errs != nil {
+		return utilerrors.NewAggregate(errs)
+	}
+
+	err = c.verifier.HasSupport(gvk)
+	if resource.IsParamUnsupportedError(err) {
+		switch c.directive {
+		case metav1.FieldValidationStrict:
+			return c.schema.ValidateBytes(data)
+		case metav1.FieldValidationWarn:
+			klog.Warningf("cannot perform warn validation if server-side field validation is unsupported, skipping validation")
+		default:
+			// can't be reached
+			klog.Warningf("unexpected field validation directive: %s, skipping validation", c.directive)
+		}
+		return nil
+	}
+	return err
+}
diff --git a/vendor/k8s.io/kubectl/pkg/validation/validation.go b/vendor/k8s.io/kubectl/pkg/validation/validation.go
new file mode 100644
index 0000000000..47c74e5b85
--- /dev/null
+++ b/vendor/k8s.io/kubectl/pkg/validation/validation.go
@@ -0,0 +1,144 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"errors"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/kube-openapi/pkg/util/proto/validation"
+	"k8s.io/kubectl/pkg/util/openapi"
+)
+
+// schemaValidation validates the object against an OpenAPI schema.
+type schemaValidation struct {
+	resourcesGetter openapi.OpenAPIResourcesGetter
+}
+
+// NewSchemaValidation creates a new Schema that can be used
+// to validate objects.
+func NewSchemaValidation(resourcesGetter openapi.OpenAPIResourcesGetter) Schema {
+	return &schemaValidation{
+		resourcesGetter: resourcesGetter,
+	}
+}
+
+// ValidateBytes will validates the object against using the Resources
+// object.
+func (v *schemaValidation) ValidateBytes(data []byte) error {
+	obj, err := parse(data)
+	if err != nil {
+		return err
+	}
+
+	gvk, errs := getObjectKind(obj)
+	if errs != nil {
+		return utilerrors.NewAggregate(errs)
+	}
+
+	if (gvk == schema.GroupVersionKind{Version: "v1", Kind: "List"}) {
+		return utilerrors.NewAggregate(v.validateList(obj))
+	}
+	return utilerrors.NewAggregate(v.validateResource(obj, gvk))
+}
+
+func (v *schemaValidation) validateList(object interface{}) []error {
+	fields, ok := object.(map[string]interface{})
+	if !ok || fields == nil {
+		return []error{errors.New("invalid object to validate")}
+	}
+
+	allErrors := []error{}
+	if _, ok := fields["items"].([]interface{}); !ok {
+		return []error{errors.New("invalid object to validate")}
+	}
+	for _, item := range fields["items"].([]interface{}) {
+		if gvk, errs := getObjectKind(item); errs != nil {
+			allErrors = append(allErrors, errs...)
+		} else {
+			allErrors = append(allErrors, v.validateResource(item, gvk)...)
+		}
+	}
+	return allErrors
+}
+
+func (v *schemaValidation) validateResource(obj interface{}, gvk schema.GroupVersionKind) []error {
+	// This lazy-loads the OpenAPI V2 specifications, caching the specs.
+	resources, err := v.resourcesGetter.OpenAPISchema()
+	if err != nil {
+		return []error{err}
+	}
+	resource := resources.LookupResource(gvk)
+	if resource == nil {
+		// resource is not present, let's just skip validation.
+		return nil
+	}
+
+	return validation.ValidateModel(obj, resource, gvk.Kind)
+}
+
+func parse(data []byte) (interface{}, error) {
+	var obj interface{}
+	out, err := yaml.ToJSON(data)
+	if err != nil {
+		return nil, err
+	}
+	if err := json.Unmarshal(out, &obj); err != nil {
+		return nil, err
+	}
+	return obj, nil
+}
+
+func getObjectKind(object interface{}) (schema.GroupVersionKind, []error) {
+	var listErrors []error
+	fields, ok := object.(map[string]interface{})
+	if !ok || fields == nil {
+		listErrors = append(listErrors, errors.New("invalid object to validate"))
+		return schema.GroupVersionKind{}, listErrors
+	}
+
+	var group string
+	var version string
+	apiVersion := fields["apiVersion"]
+	if apiVersion == nil {
+		listErrors = append(listErrors, errors.New("apiVersion not set"))
+	} else if _, ok := apiVersion.(string); !ok {
+		listErrors = append(listErrors, errors.New("apiVersion isn't string type"))
+	} else {
+		gv, err := schema.ParseGroupVersion(apiVersion.(string))
+		if err != nil {
+			listErrors = append(listErrors, err)
+		} else {
+			group = gv.Group
+			version = gv.Version
+		}
+	}
+	kind := fields["kind"]
+	if kind == nil {
+		listErrors = append(listErrors, errors.New("kind not set"))
+	} else if _, ok := kind.(string); !ok {
+		listErrors = append(listErrors, errors.New("kind isn't string type"))
+	}
+	if listErrors != nil {
+		return schema.GroupVersionKind{}, listErrors
+	}
+
+	return schema.GroupVersionKind{Group: group, Version: version, Kind: kind.(string)}, nil
+}
diff --git a/vendor/k8s.io/utils/buffer/ring_fixed.go b/vendor/k8s.io/utils/buffer/ring_fixed.go
new file mode 100644
index 0000000000..a104e12a38
--- /dev/null
+++ b/vendor/k8s.io/utils/buffer/ring_fixed.go
@@ -0,0 +1,120 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package buffer
+
+import (
+	"errors"
+	"io"
+)
+
+// Compile-time check that *TypedRingFixed[byte] implements io.Writer.
+var _ io.Writer = (*TypedRingFixed[byte])(nil)
+
+// ErrInvalidSize indicates size must be > 0
+var ErrInvalidSize = errors.New("size must be positive")
+
+// TypedRingFixed is a fixed-size circular buffer for elements of type T.
+// Writes overwrite older data, keeping only the last N elements.
+// Not thread safe.
+type TypedRingFixed[T any] struct {
+	data        []T
+	size        int
+	writeCursor int
+	written     int64
+}
+
+// NewTypedRingFixed creates a circular buffer with the given capacity (must be > 0).
+func NewTypedRingFixed[T any](size int) (*TypedRingFixed[T], error) {
+	if size <= 0 {
+		return nil, ErrInvalidSize
+	}
+	return &TypedRingFixed[T]{
+		data: make([]T, size),
+		size: size,
+	}, nil
+}
+
+// Write writes p to the buffer, overwriting old data if needed.
+func (r *TypedRingFixed[T]) Write(p []T) (int, error) {
+	originalLen := len(p)
+	r.written += int64(originalLen)
+
+	// If the input is larger than our buffer, only keep the last 'size' elements
+	if originalLen > r.size {
+		p = p[originalLen-r.size:]
+	}
+
+	// Copy data, handling wrap-around
+	n := len(p)
+	remain := r.size - r.writeCursor
+	if n <= remain {
+		copy(r.data[r.writeCursor:], p)
+	} else {
+		copy(r.data[r.writeCursor:], p[:remain])
+		copy(r.data, p[remain:])
+	}
+
+	r.writeCursor = (r.writeCursor + n) % r.size
+	return originalLen, nil
+}
+
+// Slice returns buffer contents in write order. Don't modify the returned slice.
+func (r *TypedRingFixed[T]) Slice() []T {
+	if r.written == 0 {
+		return nil
+	}
+
+	// Buffer hasn't wrapped yet
+	if r.written < int64(r.size) {
+		return r.data[:r.writeCursor]
+	}
+
+	// Buffer has wrapped - need to return data in correct order
+	// Data from writeCursor to end is oldest, data from 0 to writeCursor is newest
+	if r.writeCursor == 0 {
+		return r.data
+	}
+
+	out := make([]T, r.size)
+	copy(out, r.data[r.writeCursor:])
+	copy(out[r.size-r.writeCursor:], r.data[:r.writeCursor])
+	return out
+}
+
+// Size returns the buffer capacity.
+func (r *TypedRingFixed[T]) Size() int {
+	return r.size
+}
+
+// Len returns how many elements are currently in the buffer.
+func (r *TypedRingFixed[T]) Len() int {
+	if r.written < int64(r.size) {
+		return int(r.written)
+	}
+	return r.size
+}
+
+// TotalWritten returns total elements ever written (including overwritten ones).
+func (r *TypedRingFixed[T]) TotalWritten() int64 {
+	return r.written
+}
+
+// Reset clears the buffer.
+func (r *TypedRingFixed[T]) Reset() {
+	r.writeCursor = 0
+	r.written = 0
+}
diff --git a/vendor/k8s.io/utils/exec/README.md b/vendor/k8s.io/utils/exec/README.md
new file mode 100644
index 0000000000..7944e8dd3b
--- /dev/null
+++ b/vendor/k8s.io/utils/exec/README.md
@@ -0,0 +1,5 @@
+# Exec
+
+This package provides an interface for `os/exec`. It makes it easier to mock
+and replace in tests, especially with the [FakeExec](testing/fake_exec.go)
+struct.
diff --git a/vendor/k8s.io/utils/exec/doc.go b/vendor/k8s.io/utils/exec/doc.go
new file mode 100644
index 0000000000..cbb44bdb5d
--- /dev/null
+++ b/vendor/k8s.io/utils/exec/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package exec provides an injectable interface and implementations for running commands.
+package exec // import "k8s.io/utils/exec"
diff --git a/vendor/k8s.io/utils/exec/exec.go b/vendor/k8s.io/utils/exec/exec.go
new file mode 100644
index 0000000000..d9c91e3ca3
--- /dev/null
+++ b/vendor/k8s.io/utils/exec/exec.go
@@ -0,0 +1,256 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"context"
+	"io"
+	"io/fs"
+	osexec "os/exec"
+	"syscall"
+	"time"
+)
+
+// ErrExecutableNotFound is returned if the executable is not found.
+var ErrExecutableNotFound = osexec.ErrNotFound
+
+// Interface is an interface that presents a subset of the os/exec API. Use this
+// when you want to inject fakeable/mockable exec behavior.
+type Interface interface {
+	// Command returns a Cmd instance which can be used to run a single command.
+	// This follows the pattern of package os/exec.
+	Command(cmd string, args ...string) Cmd
+
+	// CommandContext returns a Cmd instance which can be used to run a single command.
+	//
+	// The provided context is used to kill the process if the context becomes done
+	// before the command completes on its own. For example, a timeout can be set in
+	// the context.
+	CommandContext(ctx context.Context, cmd string, args ...string) Cmd
+
+	// LookPath wraps os/exec.LookPath
+	LookPath(file string) (string, error)
+}
+
+// Cmd is an interface that presents an API that is very similar to Cmd from os/exec.
+// As more functionality is needed, this can grow. Since Cmd is a struct, we will have
+// to replace fields with get/set method pairs.
+type Cmd interface {
+	// Run runs the command to the completion.
+	Run() error
+	// CombinedOutput runs the command and returns its combined standard output
+	// and standard error. This follows the pattern of package os/exec.
+	CombinedOutput() ([]byte, error)
+	// Output runs the command and returns standard output, but not standard err
+	Output() ([]byte, error)
+	SetDir(dir string)
+	SetStdin(in io.Reader)
+	SetStdout(out io.Writer)
+	SetStderr(out io.Writer)
+	SetEnv(env []string)
+
+	// StdoutPipe and StderrPipe for getting the process' Stdout and Stderr as
+	// Readers
+	StdoutPipe() (io.ReadCloser, error)
+	StderrPipe() (io.ReadCloser, error)
+
+	// Start and Wait are for running a process non-blocking
+	Start() error
+	Wait() error
+
+	// Stops the command by sending SIGTERM. It is not guaranteed the
+	// process will stop before this function returns. If the process is not
+	// responding, an internal timer function will send a SIGKILL to force
+	// terminate after 10 seconds.
+	Stop()
+}
+
+// ExitError is an interface that presents an API similar to os.ProcessState, which is
+// what ExitError from os/exec is. This is designed to make testing a bit easier and
+// probably loses some of the cross-platform properties of the underlying library.
+type ExitError interface {
+	String() string
+	Error() string
+	Exited() bool
+	ExitStatus() int
+}
+
+// Implements Interface in terms of really exec()ing.
+type executor struct{}
+
+// New returns a new Interface which will os/exec to run commands.
+func New() Interface {
+	return &executor{}
+}
+
+// Command is part of the Interface interface.
+func (executor *executor) Command(cmd string, args ...string) Cmd {
+	return (*cmdWrapper)(maskErrDotCmd(osexec.Command(cmd, args...)))
+}
+
+// CommandContext is part of the Interface interface.
+func (executor *executor) CommandContext(ctx context.Context, cmd string, args ...string) Cmd {
+	return (*cmdWrapper)(maskErrDotCmd(osexec.CommandContext(ctx, cmd, args...)))
+}
+
+// LookPath is part of the Interface interface
+func (executor *executor) LookPath(file string) (string, error) {
+	path, err := osexec.LookPath(file)
+	return path, handleError(maskErrDot(err))
+}
+
+// Wraps exec.Cmd so we can capture errors.
+type cmdWrapper osexec.Cmd
+
+var _ Cmd = &cmdWrapper{}
+
+func (cmd *cmdWrapper) SetDir(dir string) {
+	cmd.Dir = dir
+}
+
+func (cmd *cmdWrapper) SetStdin(in io.Reader) {
+	cmd.Stdin = in
+}
+
+func (cmd *cmdWrapper) SetStdout(out io.Writer) {
+	cmd.Stdout = out
+}
+
+func (cmd *cmdWrapper) SetStderr(out io.Writer) {
+	cmd.Stderr = out
+}
+
+func (cmd *cmdWrapper) SetEnv(env []string) {
+	cmd.Env = env
+}
+
+func (cmd *cmdWrapper) StdoutPipe() (io.ReadCloser, error) {
+	r, err := (*osexec.Cmd)(cmd).StdoutPipe()
+	return r, handleError(err)
+}
+
+func (cmd *cmdWrapper) StderrPipe() (io.ReadCloser, error) {
+	r, err := (*osexec.Cmd)(cmd).StderrPipe()
+	return r, handleError(err)
+}
+
+func (cmd *cmdWrapper) Start() error {
+	err := (*osexec.Cmd)(cmd).Start()
+	return handleError(err)
+}
+
+func (cmd *cmdWrapper) Wait() error {
+	err := (*osexec.Cmd)(cmd).Wait()
+	return handleError(err)
+}
+
+// Run is part of the Cmd interface.
+func (cmd *cmdWrapper) Run() error {
+	err := (*osexec.Cmd)(cmd).Run()
+	return handleError(err)
+}
+
+// CombinedOutput is part of the Cmd interface.
+func (cmd *cmdWrapper) CombinedOutput() ([]byte, error) {
+	out, err := (*osexec.Cmd)(cmd).CombinedOutput()
+	return out, handleError(err)
+}
+
+func (cmd *cmdWrapper) Output() ([]byte, error) {
+	out, err := (*osexec.Cmd)(cmd).Output()
+	return out, handleError(err)
+}
+
+// Stop is part of the Cmd interface.
+func (cmd *cmdWrapper) Stop() {
+	c := (*osexec.Cmd)(cmd)
+
+	if c.Process == nil {
+		return
+	}
+
+	c.Process.Signal(syscall.SIGTERM)
+
+	time.AfterFunc(10*time.Second, func() {
+		if !c.ProcessState.Exited() {
+			c.Process.Signal(syscall.SIGKILL)
+		}
+	})
+}
+
+func handleError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	switch e := err.(type) {
+	case *osexec.ExitError:
+		return &ExitErrorWrapper{e}
+	case *fs.PathError:
+		return ErrExecutableNotFound
+	case *osexec.Error:
+		if e.Err == osexec.ErrNotFound {
+			return ErrExecutableNotFound
+		}
+	}
+
+	return err
+}
+
+// ExitErrorWrapper is an implementation of ExitError in terms of os/exec ExitError.
+// Note: standard exec.ExitError is type *os.ProcessState, which already implements Exited().
+type ExitErrorWrapper struct {
+	*osexec.ExitError
+}
+
+var _ ExitError = &ExitErrorWrapper{}
+
+// ExitStatus is part of the ExitError interface.
+func (eew ExitErrorWrapper) ExitStatus() int {
+	ws, ok := eew.Sys().(syscall.WaitStatus)
+	if !ok {
+		panic("can't call ExitStatus() on a non-WaitStatus exitErrorWrapper")
+	}
+	return ws.ExitStatus()
+}
+
+// CodeExitError is an implementation of ExitError consisting of an error object
+// and an exit code (the upper bits of os.exec.ExitStatus).
+type CodeExitError struct {
+	Err  error
+	Code int
+}
+
+var _ ExitError = CodeExitError{}
+
+func (e CodeExitError) Error() string {
+	return e.Err.Error()
+}
+
+func (e CodeExitError) String() string {
+	return e.Err.Error()
+}
+
+// Exited is to check if the process has finished
+func (e CodeExitError) Exited() bool {
+	return true
+}
+
+// ExitStatus is for checking the error code
+func (e CodeExitError) ExitStatus() int {
+	return e.Code
+}
diff --git a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.protomessage.pb.go b/vendor/k8s.io/utils/exec/fixup_go118.go
similarity index 53%
rename from vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.protomessage.pb.go
rename to vendor/k8s.io/utils/exec/fixup_go118.go
index 23dd6b3aa1..acf45f1cd5 100644
--- a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.protomessage.pb.go
+++ b/vendor/k8s.io/utils/exec/fixup_go118.go
@@ -1,8 +1,8 @@
-//go:build kubernetes_protomessage_one_more_release
-// +build kubernetes_protomessage_one_more_release
+//go:build !go1.19
+// +build !go1.19
 
 /*
-Copyright The Kubernetes Authors.
+Copyright 2022 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,18 +17,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Code generated by go-to-protobuf. DO NOT EDIT.
+package exec
 
-package v1beta1
+import (
+	osexec "os/exec"
+)
 
-func (*APIService) ProtoMessage() {}
+func maskErrDotCmd(cmd *osexec.Cmd) *osexec.Cmd {
+	return cmd
+}
 
-func (*APIServiceCondition) ProtoMessage() {}
-
-func (*APIServiceList) ProtoMessage() {}
-
-func (*APIServiceSpec) ProtoMessage() {}
-
-func (*APIServiceStatus) ProtoMessage() {}
-
-func (*ServiceReference) ProtoMessage() {}
+func maskErrDot(err error) error {
+	return err
+}
diff --git a/vendor/k8s.io/utils/exec/fixup_go119.go b/vendor/k8s.io/utils/exec/fixup_go119.go
new file mode 100644
index 0000000000..55874c9297
--- /dev/null
+++ b/vendor/k8s.io/utils/exec/fixup_go119.go
@@ -0,0 +1,40 @@
+//go:build go1.19
+// +build go1.19
+
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package exec
+
+import (
+	"errors"
+	osexec "os/exec"
+)
+
+// maskErrDotCmd reverts the behavior of osexec.Cmd to what it was before go1.19
+// specifically set the Err field to nil (LookPath returns a new error when the file
+// is resolved to the current directory.
+func maskErrDotCmd(cmd *osexec.Cmd) *osexec.Cmd {
+	cmd.Err = maskErrDot(cmd.Err)
+	return cmd
+}
+
+func maskErrDot(err error) error {
+	if err != nil && errors.Is(err, osexec.ErrDot) {
+		return nil
+	}
+	return err
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 89fd7145c4..cffbcae1f5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,6 +1,9 @@
-# cloud.google.com/go/compute/metadata v0.7.0
-## explicit; go 1.23.0
+# cloud.google.com/go/compute/metadata v0.9.0
+## explicit; go 1.24.0
 cloud.google.com/go/compute/metadata
+# dario.cat/mergo v1.0.2
+## explicit; go 1.13
+dario.cat/mergo
 # github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/azcore
@@ -49,6 +52,10 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets
 # github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal
+# github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c
+## explicit; go 1.16
+github.com/Azure/go-ansiterm
+github.com/Azure/go-ansiterm/winterm
 # github.com/Azure/go-autorest v14.2.0+incompatible
 ## explicit
 github.com/Azure/go-autorest
@@ -99,6 +106,10 @@ github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/options
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/public
+# github.com/BurntSushi/toml v1.5.0
+## explicit; go 1.18
+github.com/BurntSushi/toml
+github.com/BurntSushi/toml/internal
 # github.com/IBM/go-sdk-core/v5 v5.17.4
 ## explicit; go 1.20
 github.com/IBM/go-sdk-core/v5/core
@@ -107,6 +118,21 @@ github.com/IBM/go-sdk-core/v5/core
 github.com/IBM/networking-go-sdk/common
 github.com/IBM/networking-go-sdk/dnsrecordsv1
 github.com/IBM/networking-go-sdk/dnssvcsv1
+# github.com/MakeNowJust/heredoc v1.0.0
+## explicit; go 1.12
+github.com/MakeNowJust/heredoc
+# github.com/Masterminds/goutils v1.1.1
+## explicit
+github.com/Masterminds/goutils
+# github.com/Masterminds/semver/v3 v3.4.0
+## explicit; go 1.21
+github.com/Masterminds/semver/v3
+# github.com/Masterminds/sprig/v3 v3.3.0
+## explicit; go 1.21
+github.com/Masterminds/sprig/v3
+# github.com/Masterminds/squirrel v1.5.4
+## explicit; go 1.14
+github.com/Masterminds/squirrel
 # github.com/antlr4-go/antlr/v4 v4.13.1
 ## explicit; go 1.22
 github.com/antlr4-go/antlr/v4
@@ -172,10 +198,38 @@ github.com/blang/semver/v4
 # github.com/cespare/xxhash/v2 v2.3.0
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443
-## explicit; go 1.19
+# github.com/chai2010/gettext-go v1.0.3
+## explicit; go 1.14
+github.com/chai2010/gettext-go
+github.com/chai2010/gettext-go/mo
+github.com/chai2010/gettext-go/plural
+github.com/chai2010/gettext-go/po
+# github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e
+## explicit; go 1.24
 github.com/cncf/xds/go/xds/data/orca/v3
 github.com/cncf/xds/go/xds/service/orca/v3
+# github.com/containerd/containerd v1.7.29
+## explicit; go 1.23.0
+github.com/containerd/containerd/archive/compression
+github.com/containerd/containerd/content
+github.com/containerd/containerd/errdefs
+github.com/containerd/containerd/filters
+github.com/containerd/containerd/images
+github.com/containerd/containerd/labels
+github.com/containerd/containerd/pkg/randutil
+github.com/containerd/containerd/remotes
+# github.com/containerd/errdefs v0.3.0
+## explicit; go 1.20
+github.com/containerd/errdefs
+# github.com/containerd/log v0.1.0
+## explicit; go 1.20
+github.com/containerd/log
+# github.com/containerd/platforms v0.2.1
+## explicit; go 1.20
+github.com/containerd/platforms
+# github.com/cyphar/filepath-securejoin v0.4.1
+## explicit; go 1.18
+github.com/cyphar/filepath-securejoin
 # github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 ## explicit
 github.com/davecgh/go-spew/spew
@@ -183,13 +237,19 @@ github.com/davecgh/go-spew/spew
 ## explicit; go 1.13
 github.com/emicklei/go-restful/v3
 github.com/emicklei/go-restful/v3/log
-# github.com/envoyproxy/protoc-gen-validate v1.2.1
+# github.com/envoyproxy/protoc-gen-validate v1.3.0
 ## explicit; go 1.21.1
 github.com/envoyproxy/protoc-gen-validate/validate
+# github.com/evanphx/json-patch v5.9.11+incompatible
+## explicit
+github.com/evanphx/json-patch
 # github.com/evanphx/json-patch/v5 v5.9.11
 ## explicit; go 1.18
 github.com/evanphx/json-patch/v5
 github.com/evanphx/json-patch/v5/internal/json
+# github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f
+## explicit; go 1.15
+github.com/exponent-io/jsonpath
 # github.com/fatih/color v1.18.0
 ## explicit; go 1.17
 github.com/fatih/color
@@ -210,6 +270,12 @@ github.com/gabriel-vasile/mimetype
 github.com/gabriel-vasile/mimetype/internal/charset
 github.com/gabriel-vasile/mimetype/internal/json
 github.com/gabriel-vasile/mimetype/internal/magic
+# github.com/go-errors/errors v1.5.1
+## explicit; go 1.14
+github.com/go-errors/errors
+# github.com/go-gorp/gorp/v3 v3.1.0
+## explicit; go 1.18
+github.com/go-gorp/gorp/v3
 # github.com/go-logr/logr v1.4.3
 ## explicit; go 1.18
 github.com/go-logr/logr
@@ -220,19 +286,55 @@ github.com/go-logr/zapr
 # github.com/go-openapi/errors v0.21.0
 ## explicit; go 1.19
 github.com/go-openapi/errors
-# github.com/go-openapi/jsonpointer v0.21.2
-## explicit; go 1.20
+# github.com/go-openapi/jsonpointer v0.22.4
+## explicit; go 1.24.0
 github.com/go-openapi/jsonpointer
-# github.com/go-openapi/jsonreference v0.21.0
-## explicit; go 1.20
+# github.com/go-openapi/jsonreference v0.21.4
+## explicit; go 1.24.0
 github.com/go-openapi/jsonreference
 github.com/go-openapi/jsonreference/internal
 # github.com/go-openapi/strfmt v0.22.1
 ## explicit; go 1.19
 github.com/go-openapi/strfmt
-# github.com/go-openapi/swag v0.23.1
-## explicit; go 1.20
+# github.com/go-openapi/swag v0.25.4
+## explicit; go 1.24.0
 github.com/go-openapi/swag
+# github.com/go-openapi/swag/cmdutils v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/cmdutils
+# github.com/go-openapi/swag/conv v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/conv
+# github.com/go-openapi/swag/fileutils v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/fileutils
+# github.com/go-openapi/swag/jsonname v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/jsonname
+# github.com/go-openapi/swag/jsonutils v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/jsonutils
+github.com/go-openapi/swag/jsonutils/adapters
+github.com/go-openapi/swag/jsonutils/adapters/ifaces
+github.com/go-openapi/swag/jsonutils/adapters/stdlib/json
+# github.com/go-openapi/swag/loading v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/loading
+# github.com/go-openapi/swag/mangling v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/mangling
+# github.com/go-openapi/swag/netutils v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/netutils
+# github.com/go-openapi/swag/stringutils v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/stringutils
+# github.com/go-openapi/swag/typeutils v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/typeutils
+# github.com/go-openapi/swag/yamlutils v0.25.4
+## explicit; go 1.24.0
+github.com/go-openapi/swag/yamlutils
 # github.com/go-playground/locales v0.14.1
 ## explicit; go 1.17
 github.com/go-playground/locales
@@ -243,6 +345,16 @@ github.com/go-playground/universal-translator
 # github.com/go-playground/validator/v10 v10.19.0
 ## explicit; go 1.18
 github.com/go-playground/validator/v10
+# github.com/gobwas/glob v0.2.3
+## explicit
+github.com/gobwas/glob
+github.com/gobwas/glob/compiler
+github.com/gobwas/glob/match
+github.com/gobwas/glob/syntax
+github.com/gobwas/glob/syntax/ast
+github.com/gobwas/glob/syntax/lexer
+github.com/gobwas/glob/util/runes
+github.com/gobwas/glob/util/strings
 # github.com/gogo/protobuf v1.3.2
 ## explicit; go 1.15
 github.com/gogo/protobuf/proto
@@ -262,7 +374,7 @@ github.com/golang/protobuf/proto
 # github.com/google/btree v1.1.3
 ## explicit; go 1.18
 github.com/google/btree
-# github.com/google/gnostic-models v0.7.0
+# github.com/google/gnostic-models v0.7.1
 ## explicit; go 1.22
 github.com/google/gnostic-models/compiler
 github.com/google/gnostic-models/extensions
@@ -319,52 +431,109 @@ github.com/googleapis/gax-go/v2/internal
 # github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
 ## explicit; go 1.20
 github.com/gorilla/websocket
+# github.com/gosuri/uitable v0.0.4
+## explicit
+github.com/gosuri/uitable
+github.com/gosuri/uitable/util/strutil
+github.com/gosuri/uitable/util/wordwrap
+# github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
+## explicit
+github.com/gregjones/httpcache
+# github.com/hashicorp/errwrap v1.1.0
+## explicit
+github.com/hashicorp/errwrap
 # github.com/hashicorp/go-cleanhttp v0.5.2
 ## explicit; go 1.13
 github.com/hashicorp/go-cleanhttp
+# github.com/hashicorp/go-multierror v1.1.1
+## explicit; go 1.13
+github.com/hashicorp/go-multierror
 # github.com/hashicorp/go-retryablehttp v0.7.7
 ## explicit; go 1.19
 github.com/hashicorp/go-retryablehttp
+# github.com/huandu/xstrings v1.5.0
+## explicit; go 1.12
+github.com/huandu/xstrings
 # github.com/imdario/mergo v1.0.0 => github.com/imdario/mergo v0.3.5
 ## explicit
 github.com/imdario/mergo
 # github.com/inconshreveable/mousetrap v1.1.0
 ## explicit; go 1.18
 github.com/inconshreveable/mousetrap
-# github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b
-## explicit; go 1.24.0
+# github.com/istio-ecosystem/sail-operator v0.0.0-20260212113734-df7c3ff58926 => github.com/aslakknutsen/sail-operator v0.0.0-20260223154431-ffebc5493a7f
+## explicit; go 1.25.0
 github.com/istio-ecosystem/sail-operator/api/v1
+github.com/istio-ecosystem/sail-operator/chart/crds
+github.com/istio-ecosystem/sail-operator/pkg/config
+github.com/istio-ecosystem/sail-operator/pkg/constants
+github.com/istio-ecosystem/sail-operator/pkg/env
+github.com/istio-ecosystem/sail-operator/pkg/helm
+github.com/istio-ecosystem/sail-operator/pkg/install
+github.com/istio-ecosystem/sail-operator/pkg/istiovalues
+github.com/istio-ecosystem/sail-operator/pkg/istioversion
+github.com/istio-ecosystem/sail-operator/pkg/kube
+github.com/istio-ecosystem/sail-operator/pkg/reconcile
+github.com/istio-ecosystem/sail-operator/pkg/reconciler
+github.com/istio-ecosystem/sail-operator/pkg/revision
+github.com/istio-ecosystem/sail-operator/pkg/validation
+github.com/istio-ecosystem/sail-operator/resources
 # github.com/jmespath/go-jmespath v0.4.0
 ## explicit; go 1.14
 github.com/jmespath/go-jmespath
-# github.com/josharian/intern v1.0.0
-## explicit; go 1.5
-github.com/josharian/intern
+# github.com/jmoiron/sqlx v1.4.0
+## explicit; go 1.10
+github.com/jmoiron/sqlx
+github.com/jmoiron/sqlx/reflectx
 # github.com/josharian/native v1.0.0
 ## explicit; go 1.13
 github.com/josharian/native
 # github.com/json-iterator/go v1.1.12
 ## explicit; go 1.12
 github.com/json-iterator/go
+# github.com/klauspost/compress v1.18.0
+## explicit; go 1.22
+github.com/klauspost/compress
+github.com/klauspost/compress/fse
+github.com/klauspost/compress/huff0
+github.com/klauspost/compress/internal/cpuinfo
+github.com/klauspost/compress/internal/le
+github.com/klauspost/compress/internal/snapref
+github.com/klauspost/compress/zstd
+github.com/klauspost/compress/zstd/internal/xxhash
 # github.com/kylelemons/godebug v1.1.0
 ## explicit; go 1.11
 github.com/kylelemons/godebug/diff
 github.com/kylelemons/godebug/pretty
+# github.com/lann/builder v0.0.0-20180802200727-47ae307949d0
+## explicit
+github.com/lann/builder
+# github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0
+## explicit
+github.com/lann/ps
 # github.com/leodido/go-urn v1.4.0
 ## explicit; go 1.18
 github.com/leodido/go-urn
 github.com/leodido/go-urn/scim/schema
-# github.com/mailru/easyjson v0.9.0
-## explicit; go 1.20
-github.com/mailru/easyjson/buffer
-github.com/mailru/easyjson/jlexer
-github.com/mailru/easyjson/jwriter
+# github.com/lib/pq v1.10.9
+## explicit; go 1.13
+github.com/lib/pq
+github.com/lib/pq/oid
+github.com/lib/pq/scram
+# github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
+## explicit
+github.com/liggitt/tabwriter
+# github.com/magiconair/properties v1.8.9
+## explicit; go 1.19
+github.com/magiconair/properties
 # github.com/mattn/go-colorable v0.1.14
 ## explicit; go 1.18
 github.com/mattn/go-colorable
 # github.com/mattn/go-isatty v0.0.20
 ## explicit; go 1.15
 github.com/mattn/go-isatty
+# github.com/mattn/go-runewidth v0.0.16
+## explicit; go 1.9
+github.com/mattn/go-runewidth
 # github.com/mdlayher/netlink v1.6.0
 ## explicit; go 1.13
 github.com/mdlayher/netlink
@@ -372,19 +541,35 @@ github.com/mdlayher/netlink/nlenc
 # github.com/mdlayher/socket v0.1.1
 ## explicit; go 1.17
 github.com/mdlayher/socket
+# github.com/mitchellh/copystructure v1.2.0
+## explicit; go 1.15
+github.com/mitchellh/copystructure
+# github.com/mitchellh/go-wordwrap v1.0.1
+## explicit; go 1.14
+github.com/mitchellh/go-wordwrap
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
 github.com/mitchellh/mapstructure
+# github.com/mitchellh/reflectwalk v1.0.2
+## explicit
+github.com/mitchellh/reflectwalk
 # github.com/moby/spdystream v0.5.0
 ## explicit; go 1.13
 github.com/moby/spdystream
 github.com/moby/spdystream/spdy
+# github.com/moby/term v0.5.2
+## explicit; go 1.18
+github.com/moby/term
+github.com/moby/term/windows
 # github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
 ## explicit
 github.com/modern-go/concurrent
 # github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee
 ## explicit; go 1.12
 github.com/modern-go/reflect2
+# github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
+## explicit
+github.com/monochromegane/go-gitignore
 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 ## explicit
 github.com/munnerz/goautoneg
@@ -394,10 +579,19 @@ github.com/mxk/go-flowrate/flowrate
 # github.com/oklog/ulid v1.3.1
 ## explicit
 github.com/oklog/ulid
-# github.com/openshift/api v0.0.0-20251214014457-bfa868a22401
+# github.com/opencontainers/go-digest v1.0.0
+## explicit; go 1.13
+github.com/opencontainers/go-digest
+# github.com/opencontainers/image-spec v1.1.1
+## explicit; go 1.18
+github.com/opencontainers/image-spec/specs-go
+github.com/opencontainers/image-spec/specs-go/v1
+# github.com/openshift/api v0.0.0-20260223154456-de86ee3bf481
 ## explicit; go 1.24.0
 github.com/openshift/api
 github.com/openshift/api/annotations
+github.com/openshift/api/apiextensions
+github.com/openshift/api/apiextensions/v1alpha1
 github.com/openshift/api/apiserver
 github.com/openshift/api/apiserver/v1
 github.com/openshift/api/apps
@@ -414,6 +608,8 @@ github.com/openshift/api/config/v1alpha1
 github.com/openshift/api/config/v1alpha2
 github.com/openshift/api/console
 github.com/openshift/api/console/v1
+github.com/openshift/api/etcd
+github.com/openshift/api/etcd/v1alpha1
 github.com/openshift/api/features
 github.com/openshift/api/helm
 github.com/openshift/api/helm/v1beta1
@@ -523,6 +719,9 @@ github.com/openshift/library-go/test/library/metrics
 github.com/operator-framework/api/pkg/lib/version
 github.com/operator-framework/api/pkg/operators
 github.com/operator-framework/api/pkg/operators/v1alpha1
+# github.com/peterbourgon/diskv v2.0.1+incompatible
+## explicit
+github.com/peterbourgon/diskv
 # github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 ## explicit; go 1.14
 github.com/pkg/browser
@@ -558,22 +757,43 @@ github.com/prometheus/common/model
 github.com/prometheus/procfs
 github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
+# github.com/rivo/uniseg v0.4.7
+## explicit; go 1.18
+github.com/rivo/uniseg
 # github.com/robfig/cron v1.2.0
 ## explicit
 github.com/robfig/cron
+# github.com/rubenv/sql-migrate v1.8.0
+## explicit; go 1.23.0
+github.com/rubenv/sql-migrate
+github.com/rubenv/sql-migrate/sqlparse
+# github.com/russross/blackfriday/v2 v2.1.0
+## explicit
+github.com/russross/blackfriday/v2
+# github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
+## explicit; go 1.21
+github.com/santhosh-tekuri/jsonschema/v6
+github.com/santhosh-tekuri/jsonschema/v6/kind
+# github.com/shopspring/decimal v1.4.0
+## explicit; go 1.10
+github.com/shopspring/decimal
 # github.com/sirupsen/logrus v1.9.3
 ## explicit; go 1.13
 github.com/sirupsen/logrus
+# github.com/spf13/cast v1.8.0
+## explicit; go 1.19
+github.com/spf13/cast
 # github.com/spf13/cobra v1.10.0
 ## explicit; go 1.15
 github.com/spf13/cobra
-# github.com/spf13/pflag v1.0.9
+# github.com/spf13/pflag v1.0.10
 ## explicit; go 1.12
 github.com/spf13/pflag
 # github.com/stretchr/testify v1.11.1
 ## explicit; go 1.17
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/assert/yaml
+github.com/stretchr/testify/require
 # github.com/summerwind/h2spec v0.0.0-20200804131034-70ac22940108
 ## explicit; go 1.12
 github.com/summerwind/h2spec
@@ -591,6 +811,9 @@ github.com/tcnksm/go-httpstat
 # github.com/x448/float16 v0.8.4
 ## explicit; go 1.11
 github.com/x448/float16
+# github.com/xlab/treeprint v1.2.0
+## explicit; go 1.13
+github.com/xlab/treeprint
 # go.mongodb.org/mongo-driver v1.14.0
 ## explicit; go 1.18
 go.mongodb.org/mongo-driver/bson
@@ -618,13 +841,13 @@ go.opencensus.io/trace
 go.opencensus.io/trace/internal
 go.opencensus.io/trace/propagation
 go.opencensus.io/trace/tracestate
-# go.opentelemetry.io/otel v1.37.0
+# go.opentelemetry.io/otel v1.38.0
 ## explicit; go 1.23.0
 go.opentelemetry.io/otel/attribute
 go.opentelemetry.io/otel/attribute/internal
 go.opentelemetry.io/otel/codes
-go.opentelemetry.io/otel/semconv/v1.34.0
-# go.opentelemetry.io/otel/trace v1.37.0
+go.opentelemetry.io/otel/semconv/v1.37.0
+# go.opentelemetry.io/otel/trace v1.38.0
 ## explicit; go 1.23.0
 go.opentelemetry.io/otel/trace
 go.opentelemetry.io/otel/trace/embedded
@@ -643,14 +866,18 @@ go.uber.org/zap/internal/exit
 go.uber.org/zap/internal/pool
 go.uber.org/zap/internal/stacktrace
 go.uber.org/zap/zapcore
+go.uber.org/zap/zapgrpc
 # go.yaml.in/yaml/v2 v2.4.3
 ## explicit; go 1.15
 go.yaml.in/yaml/v2
 # go.yaml.in/yaml/v3 v3.0.4
 ## explicit; go 1.16
 go.yaml.in/yaml/v3
-# golang.org/x/crypto v0.45.0
+# golang.org/x/crypto v0.46.0
 ## explicit; go 1.24.0
+golang.org/x/crypto/bcrypt
+golang.org/x/crypto/blowfish
+golang.org/x/crypto/cast5
 golang.org/x/crypto/chacha20
 golang.org/x/crypto/chacha20poly1305
 golang.org/x/crypto/cryptobyte
@@ -658,13 +885,22 @@ golang.org/x/crypto/cryptobyte/asn1
 golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
+golang.org/x/crypto/openpgp
+golang.org/x/crypto/openpgp/armor
+golang.org/x/crypto/openpgp/clearsign
+golang.org/x/crypto/openpgp/elgamal
+golang.org/x/crypto/openpgp/errors
+golang.org/x/crypto/openpgp/packet
+golang.org/x/crypto/openpgp/s2k
+golang.org/x/crypto/pbkdf2
 golang.org/x/crypto/pkcs12
 golang.org/x/crypto/pkcs12/internal/rc2
+golang.org/x/crypto/scrypt
 golang.org/x/crypto/sha3
-# golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6
-## explicit; go 1.23.0
+# golang.org/x/exp v0.0.0-20251017212417-90e834f514db
+## explicit; go 1.24.0
 golang.org/x/exp/slices
-# golang.org/x/net v0.47.0
+# golang.org/x/net v0.48.0
 ## explicit; go 1.24.0
 golang.org/x/net/bpf
 golang.org/x/net/html
@@ -679,8 +915,8 @@ golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
 golang.org/x/net/websocket
-# golang.org/x/oauth2 v0.30.0
-## explicit; go 1.23.0
+# golang.org/x/oauth2 v0.34.0
+## explicit; go 1.24.0
 golang.org/x/oauth2
 golang.org/x/oauth2/authhandler
 golang.org/x/oauth2/google
@@ -691,31 +927,46 @@ golang.org/x/oauth2/google/internal/stsexchange
 golang.org/x/oauth2/internal
 golang.org/x/oauth2/jws
 golang.org/x/oauth2/jwt
-# golang.org/x/sync v0.18.0
+# golang.org/x/sync v0.19.0
 ## explicit; go 1.24.0
 golang.org/x/sync/errgroup
-# golang.org/x/sys v0.38.0
+golang.org/x/sync/semaphore
+# golang.org/x/sys v0.39.0
 ## explicit; go 1.24.0
 golang.org/x/sys/cpu
 golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
-# golang.org/x/term v0.37.0
+# golang.org/x/term v0.38.0
 ## explicit; go 1.24.0
 golang.org/x/term
-# golang.org/x/text v0.31.0
+# golang.org/x/text v0.32.0
 ## explicit; go 1.24.0
+golang.org/x/text/encoding
+golang.org/x/text/encoding/internal
+golang.org/x/text/encoding/internal/identifier
+golang.org/x/text/encoding/unicode
+golang.org/x/text/feature/plural
+golang.org/x/text/internal
+golang.org/x/text/internal/catmsg
+golang.org/x/text/internal/format
 golang.org/x/text/internal/language
 golang.org/x/text/internal/language/compact
+golang.org/x/text/internal/number
+golang.org/x/text/internal/stringset
 golang.org/x/text/internal/tag
+golang.org/x/text/internal/utf8internal
 golang.org/x/text/language
+golang.org/x/text/message
+golang.org/x/text/message/catalog
+golang.org/x/text/runes
 golang.org/x/text/secure/bidirule
 golang.org/x/text/transform
 golang.org/x/text/unicode/bidi
 golang.org/x/text/unicode/norm
-# golang.org/x/time v0.12.0
-## explicit; go 1.23.0
+# golang.org/x/time v0.14.0
+## explicit; go 1.24.0
 golang.org/x/time/rate
 # gomodules.xyz/jsonpatch/v2 v2.5.0
 ## explicit; go 1.20
@@ -748,13 +999,13 @@ google.golang.org/appengine/internal/socket
 google.golang.org/appengine/internal/urlfetch
 google.golang.org/appengine/socket
 google.golang.org/appengine/urlfetch
-# google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1
+# google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2
 ## explicit; go 1.24.0
 google.golang.org/genproto/googleapis/rpc/code
 google.golang.org/genproto/googleapis/rpc/errdetails
 google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.75.1
-## explicit; go 1.23.0
+# google.golang.org/grpc v1.78.0
+## explicit; go 1.24.0
 google.golang.org/grpc
 google.golang.org/grpc/attributes
 google.golang.org/grpc/backoff
@@ -764,7 +1015,6 @@ google.golang.org/grpc/balancer/endpointsharding
 google.golang.org/grpc/balancer/grpclb/state
 google.golang.org/grpc/balancer/pickfirst
 google.golang.org/grpc/balancer/pickfirst/internal
-google.golang.org/grpc/balancer/pickfirst/pickfirstleaf
 google.golang.org/grpc/balancer/roundrobin
 google.golang.org/grpc/benchmark/stats
 google.golang.org/grpc/binarylog/grpc_binarylog_v1
@@ -774,6 +1024,7 @@ google.golang.org/grpc/connectivity
 google.golang.org/grpc/credentials
 google.golang.org/grpc/credentials/insecure
 google.golang.org/grpc/encoding
+google.golang.org/grpc/encoding/internal
 google.golang.org/grpc/encoding/proto
 google.golang.org/grpc/experimental/stats
 google.golang.org/grpc/grpclog
@@ -821,7 +1072,7 @@ google.golang.org/grpc/serviceconfig
 google.golang.org/grpc/stats
 google.golang.org/grpc/status
 google.golang.org/grpc/tap
-# google.golang.org/protobuf v1.36.8
+# google.golang.org/protobuf v1.36.11
 ## explicit; go 1.23
 google.golang.org/protobuf/encoding/protodelim
 google.golang.org/protobuf/encoding/protojson
@@ -870,12 +1121,60 @@ gopkg.in/fsnotify.v1
 # gopkg.in/inf.v0 v0.9.1
 ## explicit
 gopkg.in/inf.v0
+# gopkg.in/natefinch/lumberjack.v2 v2.2.1
+## explicit; go 1.13
+gopkg.in/natefinch/lumberjack.v2
 # gopkg.in/yaml.v2 v2.4.0
 ## explicit; go 1.15
 gopkg.in/yaml.v2
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
+# helm.sh/helm/v3 v3.18.6
+## explicit; go 1.24.0
+helm.sh/helm/v3/internal/fileutil
+helm.sh/helm/v3/internal/resolver
+helm.sh/helm/v3/internal/sympath
+helm.sh/helm/v3/internal/third_party/dep/fs
+helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util
+helm.sh/helm/v3/internal/tlsutil
+helm.sh/helm/v3/internal/urlutil
+helm.sh/helm/v3/internal/version
+helm.sh/helm/v3/pkg/action
+helm.sh/helm/v3/pkg/chart
+helm.sh/helm/v3/pkg/chart/loader
+helm.sh/helm/v3/pkg/chartutil
+helm.sh/helm/v3/pkg/cli
+helm.sh/helm/v3/pkg/downloader
+helm.sh/helm/v3/pkg/engine
+helm.sh/helm/v3/pkg/getter
+helm.sh/helm/v3/pkg/helmpath
+helm.sh/helm/v3/pkg/helmpath/xdg
+helm.sh/helm/v3/pkg/ignore
+helm.sh/helm/v3/pkg/kube
+helm.sh/helm/v3/pkg/kube/fake
+helm.sh/helm/v3/pkg/lint
+helm.sh/helm/v3/pkg/lint/rules
+helm.sh/helm/v3/pkg/lint/support
+helm.sh/helm/v3/pkg/plugin
+helm.sh/helm/v3/pkg/postrender
+helm.sh/helm/v3/pkg/provenance
+helm.sh/helm/v3/pkg/pusher
+helm.sh/helm/v3/pkg/registry
+helm.sh/helm/v3/pkg/release
+helm.sh/helm/v3/pkg/releaseutil
+helm.sh/helm/v3/pkg/repo
+helm.sh/helm/v3/pkg/storage
+helm.sh/helm/v3/pkg/storage/driver
+helm.sh/helm/v3/pkg/time
+helm.sh/helm/v3/pkg/time/ctime
+helm.sh/helm/v3/pkg/uploader
+# istio.io/istio v0.0.0-20260208024451-a30ad73344d7
+## explicit; go 1.25.0
+istio.io/istio/pkg/log
+istio.io/istio/pkg/ptr
+istio.io/istio/pkg/slices
+istio.io/istio/pkg/util/sets
 # k8s.io/api v0.35.0
 ## explicit; go 1.25.0
 k8s.io/api/admission/v1
@@ -962,11 +1261,13 @@ k8s.io/apimachinery/pkg/api/validate
 k8s.io/apimachinery/pkg/api/validate/constraints
 k8s.io/apimachinery/pkg/api/validate/content
 k8s.io/apimachinery/pkg/api/validation
+k8s.io/apimachinery/pkg/api/validation/path
 k8s.io/apimachinery/pkg/apis/meta/internalversion
 k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme
 k8s.io/apimachinery/pkg/apis/meta/internalversion/validation
 k8s.io/apimachinery/pkg/apis/meta/v1
 k8s.io/apimachinery/pkg/apis/meta/v1/unstructured
+k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme
 k8s.io/apimachinery/pkg/apis/meta/v1/validation
 k8s.io/apimachinery/pkg/apis/meta/v1beta1
 k8s.io/apimachinery/pkg/conversion
@@ -989,6 +1290,7 @@ k8s.io/apimachinery/pkg/types
 k8s.io/apimachinery/pkg/util/cache
 k8s.io/apimachinery/pkg/util/diff
 k8s.io/apimachinery/pkg/util/dump
+k8s.io/apimachinery/pkg/util/duration
 k8s.io/apimachinery/pkg/util/errors
 k8s.io/apimachinery/pkg/util/framer
 k8s.io/apimachinery/pkg/util/httpstream
@@ -996,6 +1298,7 @@ k8s.io/apimachinery/pkg/util/httpstream/spdy
 k8s.io/apimachinery/pkg/util/httpstream/wsstream
 k8s.io/apimachinery/pkg/util/intstr
 k8s.io/apimachinery/pkg/util/json
+k8s.io/apimachinery/pkg/util/jsonmergepatch
 k8s.io/apimachinery/pkg/util/managedfields
 k8s.io/apimachinery/pkg/util/managedfields/internal
 k8s.io/apimachinery/pkg/util/mergepatch
@@ -1022,7 +1325,14 @@ k8s.io/apimachinery/third_party/forked/golang/reflect
 # k8s.io/apiserver v0.35.0
 ## explicit; go 1.25.0
 k8s.io/apiserver/pkg/authentication/user
+k8s.io/apiserver/pkg/endpoints/deprecation
 k8s.io/apiserver/pkg/storage/names
+# k8s.io/cli-runtime v0.35.0
+## explicit; go 1.25.0
+k8s.io/cli-runtime/pkg/genericclioptions
+k8s.io/cli-runtime/pkg/genericiooptions
+k8s.io/cli-runtime/pkg/printers
+k8s.io/cli-runtime/pkg/resource
 # k8s.io/client-go v0.35.0
 ## explicit; go 1.25.0
 k8s.io/client-go/applyconfigurations
@@ -1081,8 +1391,11 @@ k8s.io/client-go/applyconfigurations/storage/v1beta1
 k8s.io/client-go/applyconfigurations/storagemigration/v1beta1
 k8s.io/client-go/discovery
 k8s.io/client-go/discovery/cached
+k8s.io/client-go/discovery/cached/disk
 k8s.io/client-go/discovery/cached/memory
 k8s.io/client-go/dynamic
+k8s.io/client-go/dynamic/dynamicinformer
+k8s.io/client-go/dynamic/dynamiclister
 k8s.io/client-go/features
 k8s.io/client-go/gentype
 k8s.io/client-go/informers
@@ -1268,6 +1581,7 @@ k8s.io/client-go/listers/storagemigration/v1beta1
 k8s.io/client-go/metadata
 k8s.io/client-go/openapi
 k8s.io/client-go/openapi/cached
+k8s.io/client-go/openapi3
 k8s.io/client-go/pkg/apis/clientauthentication
 k8s.io/client-go/pkg/apis/clientauthentication/install
 k8s.io/client-go/pkg/apis/clientauthentication/v1
@@ -1286,6 +1600,7 @@ k8s.io/client-go/scale/scheme/autoscalingv1
 k8s.io/client-go/scale/scheme/extensionsint
 k8s.io/client-go/scale/scheme/extensionsv1beta1
 k8s.io/client-go/testing
+k8s.io/client-go/third_party/forked/golang/template
 k8s.io/client-go/tools/auth
 k8s.io/client-go/tools/cache
 k8s.io/client-go/tools/cache/synctrack
@@ -1303,6 +1618,7 @@ k8s.io/client-go/tools/record
 k8s.io/client-go/tools/record/util
 k8s.io/client-go/tools/reference
 k8s.io/client-go/tools/remotecommand
+k8s.io/client-go/tools/watch
 k8s.io/client-go/transport
 k8s.io/client-go/transport/spdy
 k8s.io/client-go/transport/websocket
@@ -1313,6 +1629,7 @@ k8s.io/client-go/util/consistencydetector
 k8s.io/client-go/util/exec
 k8s.io/client-go/util/flowcontrol
 k8s.io/client-go/util/homedir
+k8s.io/client-go/util/jsonpath
 k8s.io/client-go/util/keyutil
 k8s.io/client-go/util/retry
 k8s.io/client-go/util/watchlist
@@ -1332,14 +1649,14 @@ k8s.io/klog/v2/internal/dbg
 k8s.io/klog/v2/internal/serialize
 k8s.io/klog/v2/internal/severity
 k8s.io/klog/v2/internal/sloghandler
-# k8s.io/kube-aggregator v0.35.0
-## explicit; go 1.25.0
+# k8s.io/kube-aggregator v0.34.1
+## explicit; go 1.24.0
 k8s.io/kube-aggregator/pkg/apis/apiregistration
 k8s.io/kube-aggregator/pkg/apis/apiregistration/v1
 k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1
 k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme
 k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/typed/apiregistration/v1
-# k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+# k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e
 ## explicit; go 1.23.0
 k8s.io/kube-openapi/pkg/cached
 k8s.io/kube-openapi/pkg/common
@@ -1350,12 +1667,24 @@ k8s.io/kube-openapi/pkg/schemaconv
 k8s.io/kube-openapi/pkg/spec3
 k8s.io/kube-openapi/pkg/util
 k8s.io/kube-openapi/pkg/util/proto
+k8s.io/kube-openapi/pkg/util/proto/validation
 k8s.io/kube-openapi/pkg/validation/spec
-# k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
-## explicit; go 1.18
+# k8s.io/kubectl v0.35.0
+## explicit; go 1.25.0
+k8s.io/kubectl/pkg/cmd/util
+k8s.io/kubectl/pkg/scheme
+k8s.io/kubectl/pkg/util/i18n
+k8s.io/kubectl/pkg/util/interrupt
+k8s.io/kubectl/pkg/util/openapi
+k8s.io/kubectl/pkg/util/templates
+k8s.io/kubectl/pkg/util/term
+k8s.io/kubectl/pkg/validation
+# k8s.io/utils v0.0.0-20251219084037-98d557b7f1e7
+## explicit; go 1.23
 k8s.io/utils/buffer
 k8s.io/utils/clock
 k8s.io/utils/clock/testing
+k8s.io/utils/exec
 k8s.io/utils/internal/third_party/forked/golang/golang-lru
 k8s.io/utils/internal/third_party/forked/golang/net
 k8s.io/utils/lru
@@ -1363,8 +1692,43 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
+# oras.land/oras-go/v2 v2.6.0
+## explicit; go 1.23.0
+oras.land/oras-go/v2
+oras.land/oras-go/v2/content
+oras.land/oras-go/v2/content/memory
+oras.land/oras-go/v2/errdef
+oras.land/oras-go/v2/internal/cas
+oras.land/oras-go/v2/internal/container/set
+oras.land/oras-go/v2/internal/copyutil
+oras.land/oras-go/v2/internal/descriptor
+oras.land/oras-go/v2/internal/docker
+oras.land/oras-go/v2/internal/graph
+oras.land/oras-go/v2/internal/httputil
+oras.land/oras-go/v2/internal/interfaces
+oras.land/oras-go/v2/internal/ioutil
+oras.land/oras-go/v2/internal/manifestutil
+oras.land/oras-go/v2/internal/platform
+oras.land/oras-go/v2/internal/registryutil
+oras.land/oras-go/v2/internal/resolver
+oras.land/oras-go/v2/internal/spec
+oras.land/oras-go/v2/internal/status
+oras.land/oras-go/v2/internal/syncutil
+oras.land/oras-go/v2/registry
+oras.land/oras-go/v2/registry/remote
+oras.land/oras-go/v2/registry/remote/auth
+oras.land/oras-go/v2/registry/remote/credentials
+oras.land/oras-go/v2/registry/remote/credentials/internal/config
+oras.land/oras-go/v2/registry/remote/credentials/internal/executer
+oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil
+oras.land/oras-go/v2/registry/remote/credentials/trace
+oras.land/oras-go/v2/registry/remote/errcode
+oras.land/oras-go/v2/registry/remote/internal/errutil
+oras.land/oras-go/v2/registry/remote/retry
 # sigs.k8s.io/controller-runtime v0.23.1
 ## explicit; go 1.25.0
+sigs.k8s.io/controller-runtime
+sigs.k8s.io/controller-runtime/pkg/builder
 sigs.k8s.io/controller-runtime/pkg/cache
 sigs.k8s.io/controller-runtime/pkg/cache/informertest
 sigs.k8s.io/controller-runtime/pkg/cache/internal
@@ -1379,6 +1743,7 @@ sigs.k8s.io/controller-runtime/pkg/cluster
 sigs.k8s.io/controller-runtime/pkg/config
 sigs.k8s.io/controller-runtime/pkg/controller
 sigs.k8s.io/controller-runtime/pkg/controller/controllertest
+sigs.k8s.io/controller-runtime/pkg/controller/controllerutil
 sigs.k8s.io/controller-runtime/pkg/controller/priorityqueue
 sigs.k8s.io/controller-runtime/pkg/conversion
 sigs.k8s.io/controller-runtime/pkg/event
@@ -1424,6 +1789,84 @@ sigs.k8s.io/kube-storage-version-migrator/pkg/apis/migration/v1alpha1
 sigs.k8s.io/kube-storage-version-migrator/pkg/clients/clientset
 sigs.k8s.io/kube-storage-version-migrator/pkg/clients/clientset/scheme
 sigs.k8s.io/kube-storage-version-migrator/pkg/clients/clientset/typed/migration/v1alpha1
+# sigs.k8s.io/kustomize/api v0.20.1
+## explicit; go 1.22.7
+sigs.k8s.io/kustomize/api/filters/annotations
+sigs.k8s.io/kustomize/api/filters/fieldspec
+sigs.k8s.io/kustomize/api/filters/filtersutil
+sigs.k8s.io/kustomize/api/filters/fsslice
+sigs.k8s.io/kustomize/api/filters/iampolicygenerator
+sigs.k8s.io/kustomize/api/filters/imagetag
+sigs.k8s.io/kustomize/api/filters/labels
+sigs.k8s.io/kustomize/api/filters/nameref
+sigs.k8s.io/kustomize/api/filters/namespace
+sigs.k8s.io/kustomize/api/filters/patchjson6902
+sigs.k8s.io/kustomize/api/filters/patchstrategicmerge
+sigs.k8s.io/kustomize/api/filters/prefix
+sigs.k8s.io/kustomize/api/filters/refvar
+sigs.k8s.io/kustomize/api/filters/replacement
+sigs.k8s.io/kustomize/api/filters/replicacount
+sigs.k8s.io/kustomize/api/filters/suffix
+sigs.k8s.io/kustomize/api/filters/valueadd
+sigs.k8s.io/kustomize/api/hasher
+sigs.k8s.io/kustomize/api/ifc
+sigs.k8s.io/kustomize/api/internal/accumulator
+sigs.k8s.io/kustomize/api/internal/builtins
+sigs.k8s.io/kustomize/api/internal/generators
+sigs.k8s.io/kustomize/api/internal/git
+sigs.k8s.io/kustomize/api/internal/image
+sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts
+sigs.k8s.io/kustomize/api/internal/kusterr
+sigs.k8s.io/kustomize/api/internal/loader
+sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig
+sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers
+sigs.k8s.io/kustomize/api/internal/plugins/execplugin
+sigs.k8s.io/kustomize/api/internal/plugins/fnplugin
+sigs.k8s.io/kustomize/api/internal/plugins/loader
+sigs.k8s.io/kustomize/api/internal/plugins/utils
+sigs.k8s.io/kustomize/api/internal/target
+sigs.k8s.io/kustomize/api/internal/utils
+sigs.k8s.io/kustomize/api/internal/validate
+sigs.k8s.io/kustomize/api/konfig
+sigs.k8s.io/kustomize/api/krusty
+sigs.k8s.io/kustomize/api/kv
+sigs.k8s.io/kustomize/api/provenance
+sigs.k8s.io/kustomize/api/provider
+sigs.k8s.io/kustomize/api/resmap
+sigs.k8s.io/kustomize/api/resource
+sigs.k8s.io/kustomize/api/types
+# sigs.k8s.io/kustomize/kyaml v0.20.1
+## explicit; go 1.22.7
+sigs.k8s.io/kustomize/kyaml/comments
+sigs.k8s.io/kustomize/kyaml/errors
+sigs.k8s.io/kustomize/kyaml/ext
+sigs.k8s.io/kustomize/kyaml/fieldmeta
+sigs.k8s.io/kustomize/kyaml/filesys
+sigs.k8s.io/kustomize/kyaml/fn/runtime/container
+sigs.k8s.io/kustomize/kyaml/fn/runtime/exec
+sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil
+sigs.k8s.io/kustomize/kyaml/kio
+sigs.k8s.io/kustomize/kyaml/kio/kioutil
+sigs.k8s.io/kustomize/kyaml/openapi
+sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi
+sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2
+sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi
+sigs.k8s.io/kustomize/kyaml/order
+sigs.k8s.io/kustomize/kyaml/resid
+sigs.k8s.io/kustomize/kyaml/runfn
+sigs.k8s.io/kustomize/kyaml/sets
+sigs.k8s.io/kustomize/kyaml/sliceutil
+sigs.k8s.io/kustomize/kyaml/utils
+sigs.k8s.io/kustomize/kyaml/yaml
+sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels
+sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection
+sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors
+sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets
+sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation
+sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field
+sigs.k8s.io/kustomize/kyaml/yaml/merge2
+sigs.k8s.io/kustomize/kyaml/yaml/schema
+sigs.k8s.io/kustomize/kyaml/yaml/walk
 # sigs.k8s.io/randfill v1.0.0
 ## explicit; go 1.18
 sigs.k8s.io/randfill
@@ -1438,4 +1881,7 @@ sigs.k8s.io/structured-merge-diff/v6/value
 # sigs.k8s.io/yaml v1.6.0
 ## explicit; go 1.22
 sigs.k8s.io/yaml
+sigs.k8s.io/yaml/goyaml.v3
+sigs.k8s.io/yaml/kyaml
 # github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
+# github.com/istio-ecosystem/sail-operator => github.com/aslakknutsen/sail-operator v0.0.0-20260223154431-ffebc5493a7f
diff --git a/vendor/oras.land/oras-go/v2/.gitignore b/vendor/oras.land/oras-go/v2/.gitignore
new file mode 100644
index 0000000000..400a0ea0cb
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/.gitignore
@@ -0,0 +1,41 @@
+# Copyright The ORAS Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# VS Code
+.vscode
+debug
+
+# Jetbrains
+.idea
+
+# Custom
+coverage.txt
+bin/
+dist/
+*.tar.gz
+vendor/
+_dist/
+.cover
diff --git a/vendor/oras.land/oras-go/v2/CODEOWNERS b/vendor/oras.land/oras-go/v2/CODEOWNERS
new file mode 100644
index 0000000000..45a68a31c2
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/CODEOWNERS
@@ -0,0 +1,2 @@
+# Derived from OWNERS.md
+* @sajayantony @shizhMSFT @stevelasker @Wwwsylvia
diff --git a/vendor/oras.land/oras-go/v2/CODE_OF_CONDUCT.md b/vendor/oras.land/oras-go/v2/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000000..49579ab800
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/CODE_OF_CONDUCT.md
@@ -0,0 +1,3 @@
+# Code of Conduct
+
+OCI Registry As Storage (ORAS) follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
diff --git a/vendor/oras.land/oras-go/v2/LICENSE b/vendor/oras.land/oras-go/v2/LICENSE
new file mode 100644
index 0000000000..a67d169389
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2021 ORAS Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/oras.land/oras-go/v2/MIGRATION_GUIDE.md b/vendor/oras.land/oras-go/v2/MIGRATION_GUIDE.md
new file mode 100644
index 0000000000..9a922f5a3d
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/MIGRATION_GUIDE.md
@@ -0,0 +1,61 @@
+# Migration Guide
+
+In version `v2`, ORAS Go library has been completely refreshed with:
+
+- More unified interfaces
+- Notably fewer dependencies
+- Higher test coverage
+- Better documentation
+
+**Additionally, ORAS Go `v2` is now a registry client.**
+
+## Major Changes in `v2`
+
+- Content store
+  - [`content.File`](https://pkg.go.dev/oras.land/oras-go/pkg/content#File) is now [`file.Store`](https://pkg.go.dev/oras.land/oras-go/v2/content/file#Store)
+  - [`content.OCI`](https://pkg.go.dev/oras.land/oras-go/pkg/content#OCI) is now [`oci.Store`](https://pkg.go.dev/oras.land/oras-go/v2/content/oci#Store)
+  - [`content.Memory`](https://pkg.go.dev/oras.land/oras-go/pkg/content#Memory) is now [`memory.Store`](https://pkg.go.dev/oras.land/oras-go/v2/content/memory#Store)
+- Registry interaction
+  - Introduces an [SDK](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote) to interact with OCI-compliant and Docker-compliant registries
+- Authentication
+  - Implements authentication through [`auth.Client`](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote/auth#Client) and supports credential management via [`credentials`](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote/credentials)
+- Copy operations
+  - Enhances artifact [copying](https://pkg.go.dev/oras.land/oras-go/v2#Copy) capabilities between various [`Target`](https://pkg.go.dev/oras.land/oras-go/v2#Target) with flexible options
+  - Enables [extended-copying](https://pkg.go.dev/oras.land/oras-go/v2#ExtendedCopy) of artifacts along with their predecessors (e.g., referrers)
+
+## Migrating from `v1` to `v2`
+
+1. Get the `v2` package
+
+    ```sh
+    go get oras.land/oras-go/v2
+    ```
+
+2. Import and use the `v2` package
+
+    ```go
+    import "oras.land/oras-go/v2"
+    ```
+
+3. Run
+
+   ```sh
+   go mod tidy
+    ```
+
+Since breaking changes are introduced in `v2`, code refactoring is required for migrating from `v1` to `v2`.  
+The migration can be done in an iterative fashion, as `v1` and `v2` can be imported and used at the same time.
+
+For comprehensive documentation and examples, please refer to [pkg.go.dev](https://pkg.go.dev/oras.land/oras-go/v2).
+
+## FAQs
+
+### Is there a 1:1 mapping of APIs between `v1` and `v2`?
+
+No, `v2` does not have a direct 1:1 mapping of APIs with `v1`, as the structure of the APIs has been significantly redesigned. Instead of looking for a direct replacement, see this as a chance to upgrade your application with `v2`'s new features.
+
+You can explore the [end-to-end examples](https://pkg.go.dev/oras.land/oras-go/v2#pkg-overview) that demonstrate the usage of v2 in practical scenarios.
+
+## Community Support
+
+If you encounter challenges during migration, seek assistance from the community by [submitting GitHub issues](https://github.com/oras-project/oras-go/issues/new) or asking in the [#oras](https://cloud-native.slack.com/archives/CJ1KHJM5Z) Slack channel.
diff --git a/vendor/oras.land/oras-go/v2/Makefile b/vendor/oras.land/oras-go/v2/Makefile
new file mode 100644
index 0000000000..bc671e4405
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/Makefile
@@ -0,0 +1,38 @@
+# Copyright The ORAS Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: test
+test: vendor check-encoding
+	go test -race -v -coverprofile=coverage.txt -covermode=atomic ./...
+
+.PHONY: covhtml
+covhtml:
+	open .cover/coverage.html
+
+.PHONY: clean
+clean:
+	git status --ignored --short | grep '^!! ' | sed 's/!! //' | xargs rm -rf
+
+.PHONY: check-encoding
+check-encoding:
+	! find . -not -path "./vendor/*" -name "*.go" -type f -exec file "{}" ";" | grep CRLF
+	! find scripts -name "*.sh" -type f -exec file "{}" ";" | grep CRLF
+
+.PHONY: fix-encoding
+fix-encoding:
+	find . -not -path "./vendor/*" -name "*.go" -type f -exec sed -i -e "s/\r//g" {} +
+	find scripts -name "*.sh" -type f -exec sed -i -e "s/\r//g" {} +
+
+.PHONY: vendor
+vendor:
+	go mod vendor
diff --git a/vendor/oras.land/oras-go/v2/OWNERS.md b/vendor/oras.land/oras-go/v2/OWNERS.md
new file mode 100644
index 0000000000..402c4a97df
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/OWNERS.md
@@ -0,0 +1,11 @@
+# Owners
+
+Owners:
+  - Sajay Antony (@sajayantony)
+  - Shiwei Zhang (@shizhMSFT)
+  - Steve Lasker (@stevelasker)
+  - Sylvia Lei (@Wwwsylvia)
+
+Emeritus:
+  - Avi Deitcher (@deitch)
+  - Josh Dolitsky (@jdolitsky)
diff --git a/vendor/oras.land/oras-go/v2/README.md b/vendor/oras.land/oras-go/v2/README.md
new file mode 100644
index 0000000000..9224754fce
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/README.md
@@ -0,0 +1,66 @@
+# ORAS Go library
+
+[![Build Status](https://github.com/oras-project/oras-go/actions/workflows/build.yml/badge.svg?event=push&branch=main)](https://github.com/oras-project/oras-go/actions/workflows/build.yml?query=workflow%3Abuild+event%3Apush+branch%3Amain)
+[![codecov](https://codecov.io/gh/oras-project/oras-go/branch/main/graph/badge.svg)](https://codecov.io/gh/oras-project/oras-go)
+[![Go Report Card](https://goreportcard.com/badge/oras.land/oras-go/v2)](https://goreportcard.com/report/oras.land/oras-go/v2)
+[![Go Reference](https://pkg.go.dev/badge/oras.land/oras-go/v2.svg)](https://pkg.go.dev/oras.land/oras-go/v2)
+
+<p align="left">
+<a href="https://oras.land/"><img src="https://oras.land/img/oras.svg" alt="ORAS logo" width="100px"></a>
+</p>
+
+`oras-go` is a Go library for managing OCI artifacts, compliant with the [OCI Image Format Specification](https://github.com/opencontainers/image-spec) and the [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec). It provides unified APIs for pushing, pulling, and managing artifacts across OCI-compliant registries, local file systems, and in-memory stores.
+
+> [!Note]
+> The `main` branch follows [Go's Security Policy](https://github.com/golang/go/security/policy) and supports the two latest versions of Go (currently `1.23` and `1.24`).
+
+## Getting Started
+
+### Concepts
+
+Gain insights into the fundamental concepts:
+
+- [Modeling Artifacts](docs/Modeling-Artifacts.md)
+- [Targets and Content Stores](docs/Targets.md)
+
+### Quickstart
+
+Follow the step-by-step tutorial to use `oras-go` v2:
+
+- [Quickstart: Managing OCI Artifacts with `oras-go` v2](docs/tutorial/quickstart.md)
+
+### Examples
+
+Check out sample code for common use cases:
+
+- [Artifact copying](https://pkg.go.dev/oras.land/oras-go/v2#pkg-examples)
+- [Registry operations](https://pkg.go.dev/oras.land/oras-go/v2/registry#pkg-examples)
+- [Repository operations](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote#pkg-examples)
+- [Authentication](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote/auth#pkg-examples)
+- [Credentials management](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote/credentials#pkg-examples)
+
+Find more API examples at [pkg.go.dev](https://pkg.go.dev/oras.land/oras-go/v2).
+
+
+## Versioning
+
+This project follows [Semantic Versioning](https://semver.org/) (`MAJOR`.`MINOR`.`PATCH`), with `MAJOR` for breaking changes, `MINOR` for backward-compatible features, and `PATCH` for backward-compatible fixes.
+
+## Previous Major Versions
+
+### v1 (maintenance)
+
+[![Build Status](https://github.com/oras-project/oras-go/actions/workflows/build.yml/badge.svg?event=push&branch=v1)](https://github.com/oras-project/oras-go/actions/workflows/build.yml?query=workflow%3Abuild+event%3Apush+branch%3Av1)
+[![Go Report Card](https://goreportcard.com/badge/oras.land/oras-go)](https://goreportcard.com/report/oras.land/oras-go)
+[![Go Reference](https://pkg.go.dev/badge/oras.land/oras-go.svg)](https://pkg.go.dev/oras.land/oras-go)
+
+The [`v1`](https://github.com/oras-project/oras-go/tree/v1) branch is maintained for dependency updates and security fixes only. All feature development happens in the [`main`](https://github.com/oras-project/oras-go/tree/main) branch.
+
+To migrate from `v1` to `v2`, see [MIGRATION_GUIDE.md](MIGRATION_GUIDE.md).
+
+## Community
+
+- Code of Conduct: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
+- Security Policy: [SECURITY.md](SECURITY.md)
+- Reviewing Guide: [Reviewing Guide](https://github.com/oras-project/community/blob/main/REVIEWING.md)
+- Slack: [`#oras`](https://cloud-native.slack.com/archives/CJ1KHJM5Z) channel on CNCF Slack
diff --git a/vendor/oras.land/oras-go/v2/SECURITY.md b/vendor/oras.land/oras-go/v2/SECURITY.md
new file mode 100644
index 0000000000..ffefe3417f
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/SECURITY.md
@@ -0,0 +1,3 @@
+# Security Policy
+
+Please follow the [security policy](https://oras.land/docs/community/reporting_security_concerns) to report a security vulnerability or concern.
diff --git a/vendor/oras.land/oras-go/v2/content.go b/vendor/oras.land/oras-go/v2/content.go
new file mode 100644
index 0000000000..b8bf26386f
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/content.go
@@ -0,0 +1,411 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oras
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/cas"
+	"oras.land/oras-go/v2/internal/docker"
+	"oras.land/oras-go/v2/internal/interfaces"
+	"oras.land/oras-go/v2/internal/platform"
+	"oras.land/oras-go/v2/internal/syncutil"
+	"oras.land/oras-go/v2/registry"
+	"oras.land/oras-go/v2/registry/remote/auth"
+)
+
+const (
+	// defaultTagConcurrency is the default concurrency of tagging.
+	defaultTagConcurrency int = 5 // This value is consistent with dockerd
+
+	// defaultTagNMaxMetadataBytes is the default value of
+	// TagNOptions.MaxMetadataBytes.
+	defaultTagNMaxMetadataBytes int64 = 4 * 1024 * 1024 // 4 MiB
+
+	// defaultResolveMaxMetadataBytes is the default value of
+	// ResolveOptions.MaxMetadataBytes.
+	defaultResolveMaxMetadataBytes int64 = 4 * 1024 * 1024 // 4 MiB
+
+	// defaultMaxBytes is the default value of FetchBytesOptions.MaxBytes.
+	defaultMaxBytes int64 = 4 * 1024 * 1024 // 4 MiB
+)
+
+// DefaultTagNOptions provides the default TagNOptions.
+var DefaultTagNOptions TagNOptions
+
+// TagNOptions contains parameters for [oras.TagN].
+type TagNOptions struct {
+	// Concurrency limits the maximum number of concurrent tag tasks.
+	// If less than or equal to 0, a default (currently 5) is used.
+	Concurrency int
+
+	// MaxMetadataBytes limits the maximum size of metadata that can be cached
+	// in the memory.
+	// If less than or equal to 0, a default (currently 4 MiB) is used.
+	MaxMetadataBytes int64
+}
+
+// TagN tags the descriptor identified by srcReference with dstReferences.
+func TagN(ctx context.Context, target Target, srcReference string, dstReferences []string, opts TagNOptions) (ocispec.Descriptor, error) {
+	switch len(dstReferences) {
+	case 0:
+		return ocispec.Descriptor{}, fmt.Errorf("dstReferences cannot be empty: %w", errdef.ErrMissingReference)
+	case 1:
+		return Tag(ctx, target, srcReference, dstReferences[0])
+	}
+
+	if opts.Concurrency <= 0 {
+		opts.Concurrency = defaultTagConcurrency
+	}
+	if opts.MaxMetadataBytes <= 0 {
+		opts.MaxMetadataBytes = defaultTagNMaxMetadataBytes
+	}
+
+	_, isRefFetcher := target.(registry.ReferenceFetcher)
+	_, isRefPusher := target.(registry.ReferencePusher)
+	if isRefFetcher && isRefPusher {
+		if repo, ok := target.(interfaces.ReferenceParser); ok {
+			// add scope hints to minimize the number of auth requests
+			ref, err := repo.ParseReference(srcReference)
+			if err != nil {
+				return ocispec.Descriptor{}, err
+			}
+			ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush)
+		}
+
+		desc, contentBytes, err := FetchBytes(ctx, target, srcReference, FetchBytesOptions{
+			MaxBytes: opts.MaxMetadataBytes,
+		})
+		if err != nil {
+			if errors.Is(err, errdef.ErrSizeExceedsLimit) {
+				err = fmt.Errorf(
+					"content size %v exceeds MaxMetadataBytes %v: %w",
+					desc.Size,
+					opts.MaxMetadataBytes,
+					errdef.ErrSizeExceedsLimit)
+			}
+			return ocispec.Descriptor{}, err
+		}
+
+		if err := tagBytesN(ctx, target, desc, contentBytes, dstReferences, TagBytesNOptions{
+			Concurrency: opts.Concurrency,
+		}); err != nil {
+			return ocispec.Descriptor{}, err
+		}
+		return desc, nil
+	}
+
+	desc, err := target.Resolve(ctx, srcReference)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	eg, egCtx := syncutil.LimitGroup(ctx, opts.Concurrency)
+	for _, dstRef := range dstReferences {
+		eg.Go(func(dst string) func() error {
+			return func() error {
+				if err := target.Tag(egCtx, desc, dst); err != nil {
+					return fmt.Errorf("failed to tag %s as %s: %w", srcReference, dst, err)
+				}
+				return nil
+			}
+		}(dstRef))
+	}
+
+	if err := eg.Wait(); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	return desc, nil
+}
+
+// Tag tags the descriptor identified by src with dst.
+func Tag(ctx context.Context, target Target, src, dst string) (ocispec.Descriptor, error) {
+	refFetcher, okFetch := target.(registry.ReferenceFetcher)
+	refPusher, okPush := target.(registry.ReferencePusher)
+	if okFetch && okPush {
+		if repo, ok := target.(interfaces.ReferenceParser); ok {
+			// add scope hints to minimize the number of auth requests
+			ref, err := repo.ParseReference(src)
+			if err != nil {
+				return ocispec.Descriptor{}, err
+			}
+			ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush)
+		}
+		desc, rc, err := refFetcher.FetchReference(ctx, src)
+		if err != nil {
+			return ocispec.Descriptor{}, err
+		}
+		defer rc.Close()
+		if err := refPusher.PushReference(ctx, desc, rc, dst); err != nil {
+			return ocispec.Descriptor{}, err
+		}
+		return desc, nil
+	}
+
+	desc, err := target.Resolve(ctx, src)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	if err := target.Tag(ctx, desc, dst); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	return desc, nil
+}
+
+// DefaultResolveOptions provides the default ResolveOptions.
+var DefaultResolveOptions ResolveOptions
+
+// ResolveOptions contains parameters for [oras.Resolve].
+type ResolveOptions struct {
+	// TargetPlatform ensures the resolved content matches the target platform
+	// if the node is a manifest, or selects the first resolved content that
+	// matches the target platform if the node is a manifest list.
+	TargetPlatform *ocispec.Platform
+
+	// MaxMetadataBytes limits the maximum size of metadata that can be cached
+	// in the memory.
+	// If less than or equal to 0, a default (currently 4 MiB) is used.
+	MaxMetadataBytes int64
+}
+
+// Resolve resolves a descriptor with provided reference from the target.
+func Resolve(ctx context.Context, target ReadOnlyTarget, reference string, opts ResolveOptions) (ocispec.Descriptor, error) {
+	if opts.TargetPlatform == nil {
+		return target.Resolve(ctx, reference)
+	}
+	return resolve(ctx, target, nil, reference, opts)
+}
+
+// resolve resolves a descriptor with provided reference from the target, with
+// specified caching.
+func resolve(ctx context.Context, target ReadOnlyTarget, proxy *cas.Proxy, reference string, opts ResolveOptions) (ocispec.Descriptor, error) {
+	if opts.MaxMetadataBytes <= 0 {
+		opts.MaxMetadataBytes = defaultResolveMaxMetadataBytes
+	}
+
+	if refFetcher, ok := target.(registry.ReferenceFetcher); ok {
+		// optimize performance for ReferenceFetcher targets
+		desc, rc, err := refFetcher.FetchReference(ctx, reference)
+		if err != nil {
+			return ocispec.Descriptor{}, err
+		}
+		defer rc.Close()
+
+		switch desc.MediaType {
+		case docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex,
+			docker.MediaTypeManifest, ocispec.MediaTypeImageManifest:
+			// cache the fetched content
+			if desc.Size > opts.MaxMetadataBytes {
+				return ocispec.Descriptor{}, fmt.Errorf(
+					"content size %v exceeds MaxMetadataBytes %v: %w",
+					desc.Size,
+					opts.MaxMetadataBytes,
+					errdef.ErrSizeExceedsLimit)
+			}
+			if proxy == nil {
+				proxy = cas.NewProxyWithLimit(target, cas.NewMemory(), opts.MaxMetadataBytes)
+			}
+			if err := proxy.Cache.Push(ctx, desc, rc); err != nil {
+				return ocispec.Descriptor{}, err
+			}
+			// stop caching as SelectManifest may fetch a config blob
+			proxy.StopCaching = true
+			return platform.SelectManifest(ctx, proxy, desc, opts.TargetPlatform)
+		default:
+			return ocispec.Descriptor{}, fmt.Errorf("%s: %s: %w", desc.Digest, desc.MediaType, errdef.ErrUnsupported)
+		}
+	}
+
+	desc, err := target.Resolve(ctx, reference)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	return platform.SelectManifest(ctx, target, desc, opts.TargetPlatform)
+}
+
+// DefaultFetchOptions provides the default FetchOptions.
+var DefaultFetchOptions FetchOptions
+
+// FetchOptions contains parameters for [oras.Fetch].
+type FetchOptions struct {
+	// ResolveOptions contains parameters for resolving reference.
+	ResolveOptions
+}
+
+// Fetch fetches the content identified by the reference.
+func Fetch(ctx context.Context, target ReadOnlyTarget, reference string, opts FetchOptions) (ocispec.Descriptor, io.ReadCloser, error) {
+	if opts.TargetPlatform == nil {
+		if refFetcher, ok := target.(registry.ReferenceFetcher); ok {
+			return refFetcher.FetchReference(ctx, reference)
+		}
+
+		desc, err := target.Resolve(ctx, reference)
+		if err != nil {
+			return ocispec.Descriptor{}, nil, err
+		}
+		rc, err := target.Fetch(ctx, desc)
+		if err != nil {
+			return ocispec.Descriptor{}, nil, err
+		}
+		return desc, rc, nil
+	}
+
+	if opts.MaxMetadataBytes <= 0 {
+		opts.MaxMetadataBytes = defaultResolveMaxMetadataBytes
+	}
+	proxy := cas.NewProxyWithLimit(target, cas.NewMemory(), opts.MaxMetadataBytes)
+	desc, err := resolve(ctx, target, proxy, reference, opts.ResolveOptions)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	// if the content exists in cache, fetch it from cache
+	// otherwise fetch without caching
+	proxy.StopCaching = true
+	rc, err := proxy.Fetch(ctx, desc)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	return desc, rc, nil
+}
+
+// DefaultFetchBytesOptions provides the default FetchBytesOptions.
+var DefaultFetchBytesOptions FetchBytesOptions
+
+// FetchBytesOptions contains parameters for [oras.FetchBytes].
+type FetchBytesOptions struct {
+	// FetchOptions contains parameters for fetching content.
+	FetchOptions
+	// MaxBytes limits the maximum size of the fetched content bytes.
+	// If less than or equal to 0, a default (currently 4 MiB) is used.
+	MaxBytes int64
+}
+
+// FetchBytes fetches the content bytes identified by the reference.
+func FetchBytes(ctx context.Context, target ReadOnlyTarget, reference string, opts FetchBytesOptions) (ocispec.Descriptor, []byte, error) {
+	if opts.MaxBytes <= 0 {
+		opts.MaxBytes = defaultMaxBytes
+	}
+
+	desc, rc, err := Fetch(ctx, target, reference, opts.FetchOptions)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	defer rc.Close()
+
+	if desc.Size > opts.MaxBytes {
+		return ocispec.Descriptor{}, nil, fmt.Errorf(
+			"content size %v exceeds MaxBytes %v: %w",
+			desc.Size,
+			opts.MaxBytes,
+			errdef.ErrSizeExceedsLimit)
+	}
+	bytes, err := content.ReadAll(rc, desc)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+
+	return desc, bytes, nil
+}
+
+// PushBytes describes the contentBytes using the given mediaType and pushes it.
+// If mediaType is not specified, "application/octet-stream" is used.
+func PushBytes(ctx context.Context, pusher content.Pusher, mediaType string, contentBytes []byte) (ocispec.Descriptor, error) {
+	desc := content.NewDescriptorFromBytes(mediaType, contentBytes)
+	r := bytes.NewReader(contentBytes)
+	if err := pusher.Push(ctx, desc, r); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+
+	return desc, nil
+}
+
+// DefaultTagBytesNOptions provides the default TagBytesNOptions.
+var DefaultTagBytesNOptions TagBytesNOptions
+
+// TagBytesNOptions contains parameters for [oras.TagBytesN].
+type TagBytesNOptions struct {
+	// Concurrency limits the maximum number of concurrent tag tasks.
+	// If less than or equal to 0, a default (currently 5) is used.
+	Concurrency int
+}
+
+// TagBytesN describes the contentBytes using the given mediaType, pushes it,
+// and tag it with the given references.
+// If mediaType is not specified, "application/octet-stream" is used.
+func TagBytesN(ctx context.Context, target Target, mediaType string, contentBytes []byte, references []string, opts TagBytesNOptions) (ocispec.Descriptor, error) {
+	if len(references) == 0 {
+		return PushBytes(ctx, target, mediaType, contentBytes)
+	}
+
+	desc := content.NewDescriptorFromBytes(mediaType, contentBytes)
+	if opts.Concurrency <= 0 {
+		opts.Concurrency = defaultTagConcurrency
+	}
+
+	if err := tagBytesN(ctx, target, desc, contentBytes, references, opts); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	return desc, nil
+}
+
+// tagBytesN pushes the contentBytes using the given desc, and tag it with the
+// given references.
+func tagBytesN(ctx context.Context, target Target, desc ocispec.Descriptor, contentBytes []byte, references []string, opts TagBytesNOptions) error {
+	eg, egCtx := syncutil.LimitGroup(ctx, opts.Concurrency)
+	if refPusher, ok := target.(registry.ReferencePusher); ok {
+		for _, reference := range references {
+			eg.Go(func(ref string) func() error {
+				return func() error {
+					r := bytes.NewReader(contentBytes)
+					if err := refPusher.PushReference(egCtx, desc, r, ref); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) {
+						return fmt.Errorf("failed to tag %s: %w", ref, err)
+					}
+					return nil
+				}
+			}(reference))
+		}
+	} else {
+		r := bytes.NewReader(contentBytes)
+		if err := target.Push(ctx, desc, r); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) {
+			return fmt.Errorf("failed to push content: %w", err)
+		}
+		for _, reference := range references {
+			eg.Go(func(ref string) func() error {
+				return func() error {
+					if err := target.Tag(egCtx, desc, ref); err != nil {
+						return fmt.Errorf("failed to tag %s: %w", ref, err)
+					}
+					return nil
+				}
+			}(reference))
+		}
+	}
+
+	return eg.Wait()
+}
+
+// TagBytes describes the contentBytes using the given mediaType, pushes it,
+// and tag it with the given reference.
+// If mediaType is not specified, "application/octet-stream" is used.
+func TagBytes(ctx context.Context, target Target, mediaType string, contentBytes []byte, reference string) (ocispec.Descriptor, error) {
+	return TagBytesN(ctx, target, mediaType, contentBytes, []string{reference}, DefaultTagBytesNOptions)
+}
diff --git a/vendor/oras.land/oras-go/v2/content/descriptor.go b/vendor/oras.land/oras-go/v2/content/descriptor.go
new file mode 100644
index 0000000000..8e6c25dec2
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/content/descriptor.go
@@ -0,0 +1,40 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/internal/descriptor"
+)
+
+// NewDescriptorFromBytes returns a descriptor, given the content and media type.
+// If no media type is specified, "application/octet-stream" will be used.
+func NewDescriptorFromBytes(mediaType string, content []byte) ocispec.Descriptor {
+	if mediaType == "" {
+		mediaType = descriptor.DefaultMediaType
+	}
+	return ocispec.Descriptor{
+		MediaType: mediaType,
+		Digest:    digest.FromBytes(content),
+		Size:      int64(len(content)),
+	}
+}
+
+// Equal returns true if two descriptors point to the same content.
+func Equal(a, b ocispec.Descriptor) bool {
+	return a.Size == b.Size && a.Digest == b.Digest && a.MediaType == b.MediaType
+}
diff --git a/vendor/oras.land/oras-go/v2/content/graph.go b/vendor/oras.land/oras-go/v2/content/graph.go
new file mode 100644
index 0000000000..9ae837285e
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/content/graph.go
@@ -0,0 +1,122 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"context"
+	"encoding/json"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/internal/docker"
+	"oras.land/oras-go/v2/internal/spec"
+)
+
+// PredecessorFinder finds out the nodes directly pointing to a given node of a
+// directed acyclic graph.
+// In other words, returns the "parents" of the current descriptor.
+// PredecessorFinder is an extension of Storage.
+type PredecessorFinder interface {
+	// Predecessors returns the nodes directly pointing to the current node.
+	Predecessors(ctx context.Context, node ocispec.Descriptor) ([]ocispec.Descriptor, error)
+}
+
+// GraphStorage represents a CAS that supports direct predecessor node finding.
+type GraphStorage interface {
+	Storage
+	PredecessorFinder
+}
+
+// ReadOnlyGraphStorage represents a read-only GraphStorage.
+type ReadOnlyGraphStorage interface {
+	ReadOnlyStorage
+	PredecessorFinder
+}
+
+// Successors returns the nodes directly pointed by the current node.
+// In other words, returns the "children" of the current descriptor.
+func Successors(ctx context.Context, fetcher Fetcher, node ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+	switch node.MediaType {
+	case docker.MediaTypeManifest:
+		content, err := FetchAll(ctx, fetcher, node)
+		if err != nil {
+			return nil, err
+		}
+		// OCI manifest schema can be used to marshal docker manifest
+		var manifest ocispec.Manifest
+		if err := json.Unmarshal(content, &manifest); err != nil {
+			return nil, err
+		}
+		return append([]ocispec.Descriptor{manifest.Config}, manifest.Layers...), nil
+	case ocispec.MediaTypeImageManifest:
+		content, err := FetchAll(ctx, fetcher, node)
+		if err != nil {
+			return nil, err
+		}
+		var manifest ocispec.Manifest
+		if err := json.Unmarshal(content, &manifest); err != nil {
+			return nil, err
+		}
+		var nodes []ocispec.Descriptor
+		if manifest.Subject != nil {
+			nodes = append(nodes, *manifest.Subject)
+		}
+		nodes = append(nodes, manifest.Config)
+		return append(nodes, manifest.Layers...), nil
+	case docker.MediaTypeManifestList:
+		content, err := FetchAll(ctx, fetcher, node)
+		if err != nil {
+			return nil, err
+		}
+
+		// OCI manifest index schema can be used to marshal docker manifest list
+		var index ocispec.Index
+		if err := json.Unmarshal(content, &index); err != nil {
+			return nil, err
+		}
+		return index.Manifests, nil
+	case ocispec.MediaTypeImageIndex:
+		content, err := FetchAll(ctx, fetcher, node)
+		if err != nil {
+			return nil, err
+		}
+
+		var index ocispec.Index
+		if err := json.Unmarshal(content, &index); err != nil {
+			return nil, err
+		}
+		var nodes []ocispec.Descriptor
+		if index.Subject != nil {
+			nodes = append(nodes, *index.Subject)
+		}
+		return append(nodes, index.Manifests...), nil
+	case spec.MediaTypeArtifactManifest:
+		content, err := FetchAll(ctx, fetcher, node)
+		if err != nil {
+			return nil, err
+		}
+
+		var manifest spec.Artifact
+		if err := json.Unmarshal(content, &manifest); err != nil {
+			return nil, err
+		}
+		var nodes []ocispec.Descriptor
+		if manifest.Subject != nil {
+			nodes = append(nodes, *manifest.Subject)
+		}
+		return append(nodes, manifest.Blobs...), nil
+	}
+	return nil, nil
+}
diff --git a/vendor/oras.land/oras-go/v2/content/limitedstorage.go b/vendor/oras.land/oras-go/v2/content/limitedstorage.go
new file mode 100644
index 0000000000..9a6df2f82f
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/content/limitedstorage.go
@@ -0,0 +1,50 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/errdef"
+)
+
+// LimitedStorage represents a CAS with a push size limit.
+type LimitedStorage struct {
+	Storage         // underlying storage
+	PushLimit int64 // max size for push
+}
+
+// Push pushes the content, matching the expected descriptor.
+// The size of the content cannot exceed the push size limit.
+func (ls *LimitedStorage) Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error {
+	if expected.Size > ls.PushLimit {
+		return fmt.Errorf(
+			"content size %v exceeds push size limit %v: %w",
+			expected.Size,
+			ls.PushLimit,
+			errdef.ErrSizeExceedsLimit)
+	}
+
+	return ls.Storage.Push(ctx, expected, io.LimitReader(content, expected.Size))
+}
+
+// LimitStorage returns a storage with a push size limit.
+func LimitStorage(s Storage, n int64) *LimitedStorage {
+	return &LimitedStorage{s, n}
+}
diff --git a/vendor/oras.land/oras-go/v2/content/memory/memory.go b/vendor/oras.land/oras-go/v2/content/memory/memory.go
new file mode 100644
index 0000000000..f4e6c1d963
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/content/memory/memory.go
@@ -0,0 +1,96 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package memory provides implementation of a memory backed content store.
+package memory
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/cas"
+	"oras.land/oras-go/v2/internal/graph"
+	"oras.land/oras-go/v2/internal/resolver"
+)
+
+// Store represents a memory based store, which implements `oras.Target`.
+type Store struct {
+	storage  content.Storage
+	resolver content.TagResolver
+	graph    *graph.Memory
+}
+
+// New creates a new memory based store.
+func New() *Store {
+	return &Store{
+		storage:  cas.NewMemory(),
+		resolver: resolver.NewMemory(),
+		graph:    graph.NewMemory(),
+	}
+}
+
+// Fetch fetches the content identified by the descriptor.
+func (s *Store) Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) {
+	return s.storage.Fetch(ctx, target)
+}
+
+// Push pushes the content, matching the expected descriptor.
+func (s *Store) Push(ctx context.Context, expected ocispec.Descriptor, reader io.Reader) error {
+	if err := s.storage.Push(ctx, expected, reader); err != nil {
+		return err
+	}
+
+	// index predecessors.
+	// there is no data consistency issue as long as deletion is not implemented
+	// for the memory store.
+	return s.graph.Index(ctx, s.storage, expected)
+}
+
+// Exists returns true if the described content exists.
+func (s *Store) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) {
+	return s.storage.Exists(ctx, target)
+}
+
+// Resolve resolves a reference to a descriptor.
+func (s *Store) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) {
+	return s.resolver.Resolve(ctx, reference)
+}
+
+// Tag tags a descriptor with a reference string.
+// Returns ErrNotFound if the tagged content does not exist.
+func (s *Store) Tag(ctx context.Context, desc ocispec.Descriptor, reference string) error {
+	exists, err := s.storage.Exists(ctx, desc)
+	if err != nil {
+		return err
+	}
+	if !exists {
+		return fmt.Errorf("%s: %s: %w", desc.Digest, desc.MediaType, errdef.ErrNotFound)
+	}
+	return s.resolver.Tag(ctx, desc, reference)
+}
+
+// Predecessors returns the nodes directly pointing to the current node.
+// Predecessors returns nil without error if the node does not exists in the
+// store.
+// Like other operations, calling Predecessors() is go-routine safe. However,
+// it does not necessarily correspond to any consistent snapshot of the stored
+// contents.
+func (s *Store) Predecessors(ctx context.Context, node ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+	return s.graph.Predecessors(ctx, node)
+}
diff --git a/vendor/oras.land/oras-go/v2/content/reader.go b/vendor/oras.land/oras-go/v2/content/reader.go
new file mode 100644
index 0000000000..37bab5e1b2
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/content/reader.go
@@ -0,0 +1,149 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+var (
+	// ErrInvalidDescriptorSize is returned by ReadAll() when
+	// the descriptor has an invalid size.
+	ErrInvalidDescriptorSize = errors.New("invalid descriptor size")
+
+	// ErrMismatchedDigest is returned by ReadAll() when
+	// the descriptor has an invalid digest.
+	ErrMismatchedDigest = errors.New("mismatched digest")
+
+	// ErrTrailingData is returned by ReadAll() when
+	// there exists trailing data unread when the read terminates.
+	ErrTrailingData = errors.New("trailing data")
+)
+
+var (
+	// errEarlyVerify is returned by VerifyReader.Verify() when
+	// Verify() is called before completing reading the entire content blob.
+	errEarlyVerify = errors.New("early verify")
+)
+
+// VerifyReader reads the content described by its descriptor and verifies
+// against its size and digest.
+type VerifyReader struct {
+	base     *io.LimitedReader
+	verifier digest.Verifier
+	verified bool
+	err      error
+}
+
+// Read reads up to len(p) bytes into p. It returns the number of bytes
+// read (0 <= n <= len(p)) and any error encountered.
+func (vr *VerifyReader) Read(p []byte) (n int, err error) {
+	if vr.err != nil {
+		return 0, vr.err
+	}
+
+	n, err = vr.base.Read(p)
+	if err != nil {
+		if err == io.EOF && vr.base.N > 0 {
+			err = io.ErrUnexpectedEOF
+		}
+		vr.err = err
+	}
+	return
+}
+
+// Verify checks for remaining unread content and verifies the read content against the digest
+func (vr *VerifyReader) Verify() error {
+	if vr.verified {
+		return nil
+	}
+	if vr.err == nil {
+		if vr.base.N > 0 {
+			return errEarlyVerify
+		}
+	} else if vr.err != io.EOF {
+		return vr.err
+	}
+
+	if err := ensureEOF(vr.base.R); err != nil {
+		vr.err = err
+		return vr.err
+	}
+	if !vr.verifier.Verified() {
+		vr.err = ErrMismatchedDigest
+		return vr.err
+	}
+
+	vr.verified = true
+	vr.err = io.EOF
+	return nil
+}
+
+// NewVerifyReader wraps r for reading content with verification against desc.
+func NewVerifyReader(r io.Reader, desc ocispec.Descriptor) *VerifyReader {
+	if err := desc.Digest.Validate(); err != nil {
+		return &VerifyReader{
+			err: fmt.Errorf("failed to validate %s: %w", desc.Digest, err),
+		}
+	}
+	verifier := desc.Digest.Verifier()
+	lr := &io.LimitedReader{
+		R: io.TeeReader(r, verifier),
+		N: desc.Size,
+	}
+	return &VerifyReader{
+		base:     lr,
+		verifier: verifier,
+	}
+}
+
+// ReadAll safely reads the content described by the descriptor.
+// The read content is verified against the size and the digest
+// using a VerifyReader.
+func ReadAll(r io.Reader, desc ocispec.Descriptor) ([]byte, error) {
+	if desc.Size < 0 {
+		return nil, ErrInvalidDescriptorSize
+	}
+	buf := make([]byte, desc.Size)
+
+	vr := NewVerifyReader(r, desc)
+	if n, err := io.ReadFull(vr, buf); err != nil {
+		if errors.Is(err, io.ErrUnexpectedEOF) {
+			return nil, fmt.Errorf("read failed: expected content size of %d, got %d, for digest %s: %w", desc.Size, n, desc.Digest.String(), err)
+		}
+		return nil, fmt.Errorf("read failed: %w", err)
+	}
+	if err := vr.Verify(); err != nil {
+		return nil, err
+	}
+	return buf, nil
+}
+
+// ensureEOF ensures the read operation ends with an EOF and no
+// trailing data is present.
+func ensureEOF(r io.Reader) error {
+	var peek [1]byte
+	_, err := io.ReadFull(r, peek[:])
+	if err != io.EOF {
+		return ErrTrailingData
+	}
+	return nil
+}
diff --git a/vendor/oras.land/oras-go/v2/content/resolver.go b/vendor/oras.land/oras-go/v2/content/resolver.go
new file mode 100644
index 0000000000..bc0fd8df9c
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/content/resolver.go
@@ -0,0 +1,47 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package content provides implementations to access content stores.
+package content
+
+import (
+	"context"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Resolver resolves reference tags.
+type Resolver interface {
+	// Resolve resolves a reference to a descriptor.
+	Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error)
+}
+
+// Tagger tags reference tags.
+type Tagger interface {
+	// Tag tags a descriptor with a reference string.
+	Tag(ctx context.Context, desc ocispec.Descriptor, reference string) error
+}
+
+// TagResolver provides reference tag indexing services.
+type TagResolver interface {
+	Tagger
+	Resolver
+}
+
+// Untagger untags reference tags.
+type Untagger interface {
+	// Untag untags the given reference string.
+	Untag(ctx context.Context, reference string) error
+}
diff --git a/vendor/oras.land/oras-go/v2/content/storage.go b/vendor/oras.land/oras-go/v2/content/storage.go
new file mode 100644
index 0000000000..47c95d8769
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/content/storage.go
@@ -0,0 +1,80 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"context"
+	"io"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Fetcher fetches content.
+type Fetcher interface {
+	// Fetch fetches the content identified by the descriptor.
+	Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error)
+}
+
+// Pusher pushes content.
+type Pusher interface {
+	// Push pushes the content, matching the expected descriptor.
+	// Reader is preferred to Writer so that the suitable buffer size can be
+	// chosen by the underlying implementation. Furthermore, the implementation
+	// can also do reflection on the Reader for more advanced I/O optimization.
+	Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error
+}
+
+// Storage represents a content-addressable storage (CAS) where contents are
+// accessed via Descriptors.
+// The storage is designed to handle blobs of large sizes.
+type Storage interface {
+	ReadOnlyStorage
+	Pusher
+}
+
+// ReadOnlyStorage represents a read-only Storage.
+type ReadOnlyStorage interface {
+	Fetcher
+
+	// Exists returns true if the described content exists.
+	Exists(ctx context.Context, target ocispec.Descriptor) (bool, error)
+}
+
+// Deleter removes content.
+// Deleter is an extension of Storage.
+type Deleter interface {
+	// Delete removes the content identified by the descriptor.
+	Delete(ctx context.Context, target ocispec.Descriptor) error
+}
+
+// FetchAll safely fetches the content described by the descriptor.
+// The fetched content is verified against the size and the digest.
+func FetchAll(ctx context.Context, fetcher Fetcher, desc ocispec.Descriptor) ([]byte, error) {
+	rc, err := fetcher.Fetch(ctx, desc)
+	if err != nil {
+		return nil, err
+	}
+	defer rc.Close()
+	return ReadAll(rc, desc)
+}
+
+// FetcherFunc is the basic Fetch method defined in Fetcher.
+type FetcherFunc func(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error)
+
+// Fetch performs Fetch operation by the FetcherFunc.
+func (fn FetcherFunc) Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) {
+	return fn(ctx, target)
+}
diff --git a/vendor/oras.land/oras-go/v2/copy.go b/vendor/oras.land/oras-go/v2/copy.go
new file mode 100644
index 0000000000..2c61469401
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/copy.go
@@ -0,0 +1,533 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oras
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/sync/semaphore"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/cas"
+	"oras.land/oras-go/v2/internal/descriptor"
+	"oras.land/oras-go/v2/internal/platform"
+	"oras.land/oras-go/v2/internal/registryutil"
+	"oras.land/oras-go/v2/internal/status"
+	"oras.land/oras-go/v2/internal/syncutil"
+	"oras.land/oras-go/v2/registry"
+)
+
+// defaultConcurrency is the default value of CopyGraphOptions.Concurrency.
+const defaultConcurrency int = 3 // This value is consistent with dockerd and containerd.
+
+// SkipNode signals to stop copying a node. When returned from PreCopy the blob must exist in the target.
+// This can be used to signal that a blob has been made available in the target repository by "Mount()" or some other technique.
+var SkipNode = errors.New("skip node")
+
+// DefaultCopyOptions provides the default CopyOptions.
+var DefaultCopyOptions CopyOptions = CopyOptions{
+	CopyGraphOptions: DefaultCopyGraphOptions,
+}
+
+// CopyOptions contains parameters for [oras.Copy].
+type CopyOptions struct {
+	CopyGraphOptions
+	// MapRoot maps the resolved root node to a desired root node for copy.
+	// When MapRoot is provided, the descriptor resolved from the source
+	// reference will be passed to MapRoot, and the mapped descriptor will be
+	// used as the root node for copy.
+	MapRoot func(ctx context.Context, src content.ReadOnlyStorage, root ocispec.Descriptor) (ocispec.Descriptor, error)
+}
+
+// WithTargetPlatform configures opts.MapRoot to select the manifest whose
+// platform matches the given platform. When MapRoot is provided, the platform
+// selection will be applied on the mapped root node.
+//   - If the given platform is nil, no platform selection will be applied.
+//   - If the root node is a manifest, it will remain the same if platform
+//     matches, otherwise ErrNotFound will be returned.
+//   - If the root node is a manifest list, it will be mapped to the first
+//     matching manifest if exists, otherwise ErrNotFound will be returned.
+//   - Otherwise ErrUnsupported will be returned.
+func (opts *CopyOptions) WithTargetPlatform(p *ocispec.Platform) {
+	if p == nil {
+		return
+	}
+	mapRoot := opts.MapRoot
+	opts.MapRoot = func(ctx context.Context, src content.ReadOnlyStorage, root ocispec.Descriptor) (desc ocispec.Descriptor, err error) {
+		if mapRoot != nil {
+			if root, err = mapRoot(ctx, src, root); err != nil {
+				return ocispec.Descriptor{}, err
+			}
+		}
+		return platform.SelectManifest(ctx, src, root, p)
+	}
+}
+
+// defaultCopyMaxMetadataBytes is the default value of
+// CopyGraphOptions.MaxMetadataBytes.
+const defaultCopyMaxMetadataBytes int64 = 4 * 1024 * 1024 // 4 MiB
+
+// DefaultCopyGraphOptions provides the default CopyGraphOptions.
+var DefaultCopyGraphOptions CopyGraphOptions
+
+// CopyGraphOptions contains parameters for [oras.CopyGraph].
+type CopyGraphOptions struct {
+	// Concurrency limits the maximum number of concurrent copy tasks.
+	// If less than or equal to 0, a default (currently 3) is used.
+	Concurrency int
+	// MaxMetadataBytes limits the maximum size of the metadata that can be
+	// cached in the memory.
+	// If less than or equal to 0, a default (currently 4 MiB) is used.
+	MaxMetadataBytes int64
+	// PreCopy handles the current descriptor before it is copied. PreCopy can
+	// return a SkipNode to signal that desc should be skipped when it already
+	// exists in the target.
+	PreCopy func(ctx context.Context, desc ocispec.Descriptor) error
+	// PostCopy handles the current descriptor after it is copied.
+	PostCopy func(ctx context.Context, desc ocispec.Descriptor) error
+	// OnCopySkipped will be called when the sub-DAG rooted by the current node
+	// is skipped.
+	OnCopySkipped func(ctx context.Context, desc ocispec.Descriptor) error
+	// MountFrom returns the candidate repositories that desc may be mounted from.
+	// The OCI references will be tried in turn.  If mounting fails on all of them,
+	// then it falls back to a copy.
+	MountFrom func(ctx context.Context, desc ocispec.Descriptor) ([]string, error)
+	// OnMounted will be invoked when desc is mounted.
+	OnMounted func(ctx context.Context, desc ocispec.Descriptor) error
+	// FindSuccessors finds the successors of the current node.
+	// fetcher provides cached access to the source storage, and is suitable
+	// for fetching non-leaf nodes like manifests. Since anything fetched from
+	// fetcher will be cached in the memory, it is recommended to use original
+	// source storage to fetch large blobs.
+	// If FindSuccessors is nil, content.Successors will be used.
+	FindSuccessors func(ctx context.Context, fetcher content.Fetcher, desc ocispec.Descriptor) ([]ocispec.Descriptor, error)
+}
+
+// Copy copies a rooted directed acyclic graph (DAG), such as an artifact,
+// from the source Target to the destination Target.
+//
+// The root node (e.g. a tagged manifest of the artifact) is identified by the
+// source reference.
+// The destination reference will be the same as the source reference if the
+// destination reference is left blank.
+//
+// Returns the descriptor of the root node on successful copy.
+func Copy(ctx context.Context, src ReadOnlyTarget, srcRef string, dst Target, dstRef string, opts CopyOptions) (ocispec.Descriptor, error) {
+	if src == nil {
+		return ocispec.Descriptor{}, newCopyError("Copy", CopyErrorOriginSource, errors.New("nil source target"))
+	}
+	if dst == nil {
+		return ocispec.Descriptor{}, newCopyError("Copy", CopyErrorOriginDestination, errors.New("nil destination target"))
+	}
+	if dstRef == "" {
+		dstRef = srcRef
+	}
+
+	// use caching proxy on non-leaf nodes
+	if opts.MaxMetadataBytes <= 0 {
+		opts.MaxMetadataBytes = defaultCopyMaxMetadataBytes
+	}
+	proxy := cas.NewProxyWithLimit(src, cas.NewMemory(), opts.MaxMetadataBytes)
+	root, err := resolveRoot(ctx, src, srcRef, proxy)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+
+	if opts.MapRoot != nil {
+		proxy.StopCaching = true
+		root, err = opts.MapRoot(ctx, proxy, root)
+		if err != nil {
+			return ocispec.Descriptor{}, newCopyError("MapRoot", CopyErrorOriginSource, err)
+		}
+		proxy.StopCaching = false
+	}
+
+	if err := prepareCopy(ctx, dst, dstRef, proxy, root, &opts); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+
+	if err := copyGraph(ctx, src, dst, root, proxy, nil, nil, opts.CopyGraphOptions); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+
+	return root, nil
+}
+
+// CopyGraph copies a rooted directed acyclic graph (DAG), such as an artifact,
+// from the source CAS to the destination CAS.
+// The root node (e.g. a manifest of the artifact) is identified by a descriptor.
+func CopyGraph(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, root ocispec.Descriptor, opts CopyGraphOptions) error {
+	if src == nil {
+		return newCopyError("CopyGraph", CopyErrorOriginSource, errors.New("nil source target"))
+	}
+	if dst == nil {
+		return newCopyError("CopyGraph", CopyErrorOriginDestination, errors.New("nil destination target"))
+	}
+	return copyGraph(ctx, src, dst, root, nil, nil, nil, opts)
+}
+
+// copyGraph copies a rooted directed acyclic graph (DAG) from the source CAS to
+// the destination CAS with specified caching, concurrency limiter and tracker.
+func copyGraph(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, root ocispec.Descriptor,
+	proxy *cas.Proxy, limiter *semaphore.Weighted, tracker *status.Tracker, opts CopyGraphOptions) error {
+	if proxy == nil {
+		// use caching proxy on non-leaf nodes
+		if opts.MaxMetadataBytes <= 0 {
+			opts.MaxMetadataBytes = defaultCopyMaxMetadataBytes
+		}
+		proxy = cas.NewProxyWithLimit(src, cas.NewMemory(), opts.MaxMetadataBytes)
+	}
+	if limiter == nil {
+		// if Concurrency is not set or invalid, use the default concurrency
+		if opts.Concurrency <= 0 {
+			opts.Concurrency = defaultConcurrency
+		}
+		limiter = semaphore.NewWeighted(int64(opts.Concurrency))
+	}
+	if tracker == nil {
+		// track content status
+		tracker = status.NewTracker()
+	}
+	// if FindSuccessors is not provided, use the default one
+	if opts.FindSuccessors == nil {
+		opts.FindSuccessors = content.Successors
+	}
+
+	// traverse the graph
+	var fn syncutil.GoFunc[ocispec.Descriptor]
+	fn = func(ctx context.Context, region *syncutil.LimitedRegion, desc ocispec.Descriptor) (err error) {
+		// skip the descriptor if other go routine is working on it
+		done, committed := tracker.TryCommit(desc)
+		if !committed {
+			return nil
+		}
+		defer func() {
+			if err == nil {
+				// mark the content as done on success
+				close(done)
+			}
+		}()
+
+		// skip if a rooted sub-DAG exists
+		exists, err := dst.Exists(ctx, desc)
+		if err != nil {
+			return newCopyError("Exists", CopyErrorOriginDestination, err)
+		}
+		if exists {
+			if opts.OnCopySkipped != nil {
+				if err := opts.OnCopySkipped(ctx, desc); err != nil {
+					return err
+				}
+			}
+			return nil
+		}
+
+		// find successors while non-leaf nodes will be fetched and cached
+		successors, err := opts.FindSuccessors(ctx, proxy, desc)
+		if err != nil {
+			return newCopyError("FindSuccessors", CopyErrorOriginSource, err)
+		}
+		successors = removeForeignLayers(successors)
+
+		if len(successors) != 0 {
+			// for non-leaf nodes, process successors and wait for them to complete
+			region.End()
+			if err := syncutil.Go(ctx, limiter, fn, successors...); err != nil {
+				return err
+			}
+			for _, node := range successors {
+				done, committed := tracker.TryCommit(node)
+				if committed {
+					return fmt.Errorf("%s: %s: successor not committed", desc.Digest, node.Digest)
+				}
+				select {
+				case <-done:
+				case <-ctx.Done():
+					return ctx.Err()
+				}
+			}
+			if err := region.Start(); err != nil {
+				return err
+			}
+		}
+
+		exists, err = proxy.Cache.Exists(ctx, desc)
+		if err != nil {
+			return fmt.Errorf("failed to check cache existence: %s: %w", desc.Digest, err)
+		}
+		if exists {
+			return copyNode(ctx, proxy.Cache, dst, desc, opts)
+		}
+		return mountOrCopyNode(ctx, src, dst, desc, opts)
+	}
+
+	return syncutil.Go(ctx, limiter, fn, root)
+}
+
+// mountOrCopyNode tries to mount the node, if not falls back to copying.
+func mountOrCopyNode(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, desc ocispec.Descriptor, opts CopyGraphOptions) error {
+	// Need MountFrom and it must be a blob
+	if opts.MountFrom == nil || descriptor.IsManifest(desc) {
+		return copyNode(ctx, src, dst, desc, opts)
+	}
+
+	mounter, ok := dst.(registry.Mounter)
+	if !ok {
+		// mounting is not supported by the destination
+		return copyNode(ctx, src, dst, desc, opts)
+	}
+
+	sourceRepositories, err := opts.MountFrom(ctx, desc)
+	if err != nil {
+		// Technically this error is not fatal, we can still attempt to copy the node
+		// But for consistency with the other callbacks we bail out.
+		return err
+	}
+
+	if len(sourceRepositories) == 0 {
+		return copyNode(ctx, src, dst, desc, opts)
+	}
+
+	skipSource := errors.New("skip source")
+	for i, sourceRepository := range sourceRepositories {
+		// try mounting this source repository
+		var mountFailed bool
+		getContent := func() (io.ReadCloser, error) {
+			// the invocation of getContent indicates that mounting has failed
+			mountFailed = true
+
+			if i < len(sourceRepositories)-1 {
+				// If this is not the last one, skip this source and try next one
+				// We want to return an error that we will test for from mounter.Mount()
+				return nil, skipSource
+			}
+			// this is the last iteration so we need to actually get the content and do the copy
+			// but first call the PreCopy function
+			if opts.PreCopy != nil {
+				if err := opts.PreCopy(ctx, desc); err != nil {
+					return nil, err
+				}
+			}
+			return src.Fetch(ctx, desc)
+		}
+
+		// Mount or copy
+		if err := mounter.Mount(ctx, desc, sourceRepository, getContent); err != nil && !errors.Is(err, skipSource) {
+			return newCopyError("Mount", CopyErrorOriginDestination, err)
+		}
+
+		if !mountFailed {
+			// mounted, success
+			if opts.OnMounted != nil {
+				if err := opts.OnMounted(ctx, desc); err != nil {
+					return err
+				}
+			}
+			return nil
+		}
+	}
+
+	// we copied it
+	if opts.PostCopy != nil {
+		if err := opts.PostCopy(ctx, desc); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// doCopyNode copies a single content from the source CAS to the destination CAS.
+func doCopyNode(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, desc ocispec.Descriptor) error {
+	rc, err := src.Fetch(ctx, desc)
+	if err != nil {
+		return newCopyError("Fetch", CopyErrorOriginSource, err)
+	}
+	defer rc.Close()
+	err = dst.Push(ctx, desc, rc)
+	if err != nil && !errors.Is(err, errdef.ErrAlreadyExists) {
+		return newCopyError("Push", CopyErrorOriginDestination, err)
+	}
+	return nil
+}
+
+// copyNode copies a single content from the source CAS to the destination CAS,
+// and apply the given options.
+func copyNode(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, desc ocispec.Descriptor, opts CopyGraphOptions) error {
+	if opts.PreCopy != nil {
+		if err := opts.PreCopy(ctx, desc); err != nil {
+			if err == SkipNode {
+				return nil
+			}
+			return err
+		}
+	}
+
+	if err := doCopyNode(ctx, src, dst, desc); err != nil {
+		return err
+	}
+
+	if opts.PostCopy != nil {
+		return opts.PostCopy(ctx, desc)
+	}
+	return nil
+}
+
+// copyCachedNodeWithReference copies a single content with a reference from the
+// source cache to the destination ReferencePusher.
+func copyCachedNodeWithReference(ctx context.Context, src *cas.Proxy, dst registry.ReferencePusher, desc ocispec.Descriptor, dstRef string) error {
+	rc, err := src.FetchCached(ctx, desc)
+	if err != nil {
+		return newCopyError("Fetch", CopyErrorOriginSource, err)
+	}
+	defer rc.Close()
+
+	err = dst.PushReference(ctx, desc, rc, dstRef)
+	if err != nil && !errors.Is(err, errdef.ErrAlreadyExists) {
+		return newCopyError("PushReference", CopyErrorOriginDestination, err)
+	}
+	return nil
+}
+
+// resolveRoot resolves the source reference to the root node.
+func resolveRoot(ctx context.Context, src ReadOnlyTarget, srcRef string, proxy *cas.Proxy) (ocispec.Descriptor, error) {
+	refFetcher, ok := src.(registry.ReferenceFetcher)
+	if !ok {
+		desc, err := src.Resolve(ctx, srcRef)
+		if err != nil {
+			return ocispec.Descriptor{}, newCopyError("Resolve", CopyErrorOriginSource, err)
+		}
+		return desc, nil
+	}
+
+	// optimize performance for ReferenceFetcher targets
+	refProxy := &registryutil.Proxy{
+		ReferenceFetcher: refFetcher,
+		Proxy:            proxy,
+	}
+	root, rc, err := refProxy.FetchReference(ctx, srcRef)
+	if err != nil {
+		return ocispec.Descriptor{}, newCopyError("FetchReference", CopyErrorOriginSource, err)
+	}
+	defer rc.Close()
+	// cache root if it is a non-leaf node
+	fetcher := content.FetcherFunc(func(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) {
+		if content.Equal(target, root) {
+			return rc, nil
+		}
+		return nil, errors.New("fetching only root node expected")
+	})
+	if _, err = content.Successors(ctx, fetcher, root); err != nil {
+		return ocispec.Descriptor{}, newCopyError("Successors", CopyErrorOriginSource, err)
+	}
+
+	// TODO: optimize special case where root is a leaf node (i.e. a blob)
+	//       and dst is a ReferencePusher.
+	return root, nil
+}
+
+// prepareCopy prepares the hooks for copy.
+func prepareCopy(_ context.Context, dst Target, dstRef string, proxy *cas.Proxy, root ocispec.Descriptor, opts *CopyOptions) error {
+	if refPusher, ok := dst.(registry.ReferencePusher); ok {
+		// optimize performance for ReferencePusher targets
+		preCopy := opts.PreCopy
+		opts.PreCopy = func(ctx context.Context, desc ocispec.Descriptor) error {
+			if preCopy != nil {
+				if err := preCopy(ctx, desc); err != nil {
+					return err
+				}
+			}
+			if !content.Equal(desc, root) {
+				// for non-root node, do nothing
+				return nil
+			}
+
+			// for root node, prepare optimized copy
+			if err := copyCachedNodeWithReference(ctx, proxy, refPusher, desc, dstRef); err != nil {
+				return err
+			}
+			if opts.PostCopy != nil {
+				if err := opts.PostCopy(ctx, desc); err != nil {
+					return err
+				}
+			}
+			// skip the regular copy workflow
+			return SkipNode
+		}
+	} else {
+		postCopy := opts.PostCopy
+		opts.PostCopy = func(ctx context.Context, desc ocispec.Descriptor) error {
+			if content.Equal(desc, root) {
+				// for root node, tag it after copying it
+				if err := dst.Tag(ctx, root, dstRef); err != nil {
+					return newCopyError("Tag", CopyErrorOriginDestination, err)
+				}
+			}
+			if postCopy != nil {
+				return postCopy(ctx, desc)
+			}
+			return nil
+		}
+	}
+
+	onCopySkipped := opts.OnCopySkipped
+	opts.OnCopySkipped = func(ctx context.Context, desc ocispec.Descriptor) error {
+		if !content.Equal(desc, root) {
+			if onCopySkipped != nil {
+				return onCopySkipped(ctx, desc)
+			}
+			return nil
+		}
+
+		// enforce tagging when the skipped node is root
+		if refPusher, ok := dst.(registry.ReferencePusher); ok {
+			// NOTE: refPusher tags the node by copying it with the reference,
+			// so onCopySkipped shouldn't be invoked in this case
+			return copyCachedNodeWithReference(ctx, proxy, refPusher, desc, dstRef)
+		}
+
+		// invoke onCopySkipped before tagging
+		if onCopySkipped != nil {
+			if err := onCopySkipped(ctx, desc); err != nil {
+				return err
+			}
+		}
+		if err := dst.Tag(ctx, root, dstRef); err != nil {
+			return newCopyError("Tag", CopyErrorOriginDestination, err)
+		}
+		return nil
+	}
+
+	return nil
+}
+
+// removeForeignLayers in-place removes all foreign layers in the given slice.
+func removeForeignLayers(descs []ocispec.Descriptor) []ocispec.Descriptor {
+	var j int
+	for i, desc := range descs {
+		if !descriptor.IsForeignLayer(desc) {
+			if i != j {
+				descs[j] = desc
+			}
+			j++
+		}
+	}
+	return descs[:j]
+}
diff --git a/vendor/oras.land/oras-go/v2/copyerror.go b/vendor/oras.land/oras-go/v2/copyerror.go
new file mode 100644
index 0000000000..03ed8e243f
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/copyerror.go
@@ -0,0 +1,78 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oras
+
+import "fmt"
+
+// CopyErrorOrigin defines the source of a copy error.
+type CopyErrorOrigin int
+
+const (
+	// CopyErrorOriginSource indicates the error occurred at the source side.
+	CopyErrorOriginSource CopyErrorOrigin = 1
+
+	// CopyErrorOriginDestination indicates the error occurred at the destination side.
+	CopyErrorOriginDestination CopyErrorOrigin = 2
+)
+
+// String returns the string representation of the CopyErrorOrigin.
+func (o CopyErrorOrigin) String() string {
+	switch o {
+	case CopyErrorOriginSource:
+		return "source"
+	case CopyErrorOriginDestination:
+		return "destination"
+	default:
+		return "unknown"
+	}
+}
+
+// CopyError represents an error encountered during a copy operation.
+type CopyError struct {
+	// Op is the operation that caused the error.
+	Op string
+	// Origin indicates the source of the error.
+	Origin CopyErrorOrigin
+	// Err is the underlying error.
+	Err error
+}
+
+// newCopyError creates a new CopyError.
+func newCopyError(op string, origin CopyErrorOrigin, err error) error {
+	if err == nil {
+		return nil
+	}
+	return &CopyError{
+		Op:     op,
+		Origin: origin,
+		Err:    err,
+	}
+}
+
+// Error implements the error interface for CopyError.
+func (e *CopyError) Error() string {
+	switch e.Origin {
+	case CopyErrorOriginSource, CopyErrorOriginDestination:
+		return fmt.Sprintf("failed to perform %q on %s: %v", e.Op, e.Origin, e.Err)
+	default:
+		return fmt.Sprintf("failed to perform %q: %v", e.Op, e.Err)
+	}
+}
+
+// Unwrap implements the errors.Unwrap interface for CopyError.
+func (e *CopyError) Unwrap() error {
+	return e.Err
+}
diff --git a/vendor/oras.land/oras-go/v2/errdef/errors.go b/vendor/oras.land/oras-go/v2/errdef/errors.go
new file mode 100644
index 0000000000..7adb44b173
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/errdef/errors.go
@@ -0,0 +1,31 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errdef
+
+import "errors"
+
+// Common errors used in ORAS
+var (
+	ErrAlreadyExists      = errors.New("already exists")
+	ErrInvalidDigest      = errors.New("invalid digest")
+	ErrInvalidReference   = errors.New("invalid reference")
+	ErrInvalidMediaType   = errors.New("invalid media type")
+	ErrMissingReference   = errors.New("missing reference")
+	ErrNotFound           = errors.New("not found")
+	ErrSizeExceedsLimit   = errors.New("size exceeds limit")
+	ErrUnsupported        = errors.New("unsupported")
+	ErrUnsupportedVersion = errors.New("unsupported version")
+)
diff --git a/vendor/oras.land/oras-go/v2/extendedcopy.go b/vendor/oras.land/oras-go/v2/extendedcopy.go
new file mode 100644
index 0000000000..40f57832c8
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/extendedcopy.go
@@ -0,0 +1,404 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oras
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"regexp"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/sync/semaphore"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/internal/cas"
+	"oras.land/oras-go/v2/internal/container/set"
+	"oras.land/oras-go/v2/internal/copyutil"
+	"oras.land/oras-go/v2/internal/descriptor"
+	"oras.land/oras-go/v2/internal/docker"
+	"oras.land/oras-go/v2/internal/spec"
+	"oras.land/oras-go/v2/internal/status"
+	"oras.land/oras-go/v2/internal/syncutil"
+	"oras.land/oras-go/v2/registry"
+)
+
+// DefaultExtendedCopyOptions provides the default ExtendedCopyOptions.
+var DefaultExtendedCopyOptions ExtendedCopyOptions = ExtendedCopyOptions{
+	ExtendedCopyGraphOptions: DefaultExtendedCopyGraphOptions,
+}
+
+// ExtendedCopyOptions contains parameters for [oras.ExtendedCopy].
+type ExtendedCopyOptions struct {
+	ExtendedCopyGraphOptions
+}
+
+// DefaultExtendedCopyGraphOptions provides the default ExtendedCopyGraphOptions.
+var DefaultExtendedCopyGraphOptions ExtendedCopyGraphOptions = ExtendedCopyGraphOptions{
+	CopyGraphOptions: DefaultCopyGraphOptions,
+}
+
+// ExtendedCopyGraphOptions contains parameters for [oras.ExtendedCopyGraph].
+type ExtendedCopyGraphOptions struct {
+	CopyGraphOptions
+	// Depth limits the maximum depth of the directed acyclic graph (DAG) that
+	// will be extended-copied.
+	// If Depth is no specified, or the specified value is less than or
+	// equal to 0, the depth limit will be considered as infinity.
+	Depth int
+	// FindPredecessors finds the predecessors of the current node.
+	// If FindPredecessors is nil, src.Predecessors will be adapted and used.
+	FindPredecessors func(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error)
+}
+
+// ExtendedCopy copies the directed acyclic graph (DAG) that are reachable from
+// the given tagged node from the source GraphTarget to the destination Target.
+// In other words, it copies a tagged artifact along with its referrers or
+// other predecessor manifests referencing it.
+//
+// The tagged node (e.g. a tagged manifest of the artifact) is identified by the
+// source reference.
+// The destination reference will be the same as the source reference if the
+// destination reference is left blank.
+//
+// Returns the descriptor of the tagged node on successful copy.
+func ExtendedCopy(ctx context.Context, src ReadOnlyGraphTarget, srcRef string, dst Target, dstRef string, opts ExtendedCopyOptions) (ocispec.Descriptor, error) {
+	if src == nil {
+		return ocispec.Descriptor{}, newCopyError("ExtendedCopy", CopyErrorOriginSource, errors.New("nil source target"))
+	}
+	if dst == nil {
+		return ocispec.Descriptor{}, newCopyError("ExtendedCopy", CopyErrorOriginDestination, errors.New("nil destination target"))
+	}
+	if dstRef == "" {
+		dstRef = srcRef
+	}
+
+	node, err := src.Resolve(ctx, srcRef)
+	if err != nil {
+		return ocispec.Descriptor{}, newCopyError("Resolve", CopyErrorOriginSource, err)
+	}
+
+	if err := ExtendedCopyGraph(ctx, src, dst, node, opts.ExtendedCopyGraphOptions); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+
+	if err := dst.Tag(ctx, node, dstRef); err != nil {
+		return ocispec.Descriptor{}, newCopyError("Tag", CopyErrorOriginDestination, err)
+	}
+
+	return node, nil
+}
+
+// ExtendedCopyGraph copies the directed acyclic graph (DAG) that are reachable
+// from the given node from the source GraphStorage to the destination Storage.
+// In other words, it copies an artifact along with its referrers or other
+// predecessor manifests referencing it.
+// The node (e.g. a manifest of the artifact) is identified by a descriptor.
+func ExtendedCopyGraph(ctx context.Context, src content.ReadOnlyGraphStorage, dst content.Storage, node ocispec.Descriptor, opts ExtendedCopyGraphOptions) error {
+	if src == nil {
+		return newCopyError("ExtendedCopyGraph", CopyErrorOriginSource, errors.New("nil source target"))
+	}
+	if dst == nil {
+		return newCopyError("ExtendedCopyGraph", CopyErrorOriginDestination, errors.New("nil destination target"))
+	}
+
+	roots, err := findRoots(ctx, src, node, opts)
+	if err != nil {
+		return err
+	}
+
+	// if Concurrency is not set or invalid, use the default concurrency
+	if opts.Concurrency <= 0 {
+		opts.Concurrency = defaultConcurrency
+	}
+	limiter := semaphore.NewWeighted(int64(opts.Concurrency))
+	// use caching proxy on non-leaf nodes
+	if opts.MaxMetadataBytes <= 0 {
+		opts.MaxMetadataBytes = defaultCopyMaxMetadataBytes
+	}
+	proxy := cas.NewProxyWithLimit(src, cas.NewMemory(), opts.MaxMetadataBytes)
+	// track content status
+	tracker := status.NewTracker()
+
+	// copy the sub-DAGs rooted by the root nodes
+	return syncutil.Go(ctx, limiter, func(ctx context.Context, region *syncutil.LimitedRegion, root ocispec.Descriptor) error {
+		// As a root can be a predecessor of other roots, release the limit here
+		// for dispatching, to avoid dead locks where predecessor roots are
+		// handled first and are waiting for its successors to complete.
+		region.End()
+		if err := copyGraph(ctx, src, dst, root, proxy, limiter, tracker, opts.CopyGraphOptions); err != nil {
+			return err
+		}
+		return region.Start()
+	}, roots...)
+}
+
+// findRoots finds the root nodes reachable from the given node through a
+// depth-first search.
+func findRoots(ctx context.Context, storage content.ReadOnlyGraphStorage, node ocispec.Descriptor, opts ExtendedCopyGraphOptions) ([]ocispec.Descriptor, error) {
+	visited := set.New[descriptor.Descriptor]()
+	rootMap := make(map[descriptor.Descriptor]ocispec.Descriptor)
+	addRoot := func(key descriptor.Descriptor, val ocispec.Descriptor) {
+		if _, exists := rootMap[key]; !exists {
+			rootMap[key] = val
+		}
+	}
+
+	// if FindPredecessors is not provided, use the default one
+	if opts.FindPredecessors == nil {
+		opts.FindPredecessors = func(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+			return src.Predecessors(ctx, desc)
+		}
+	}
+
+	var stack copyutil.Stack
+	// push the initial node to the stack, set the depth to 0
+	stack.Push(copyutil.NodeInfo{Node: node, Depth: 0})
+	for {
+		current, ok := stack.Pop()
+		if !ok {
+			// empty stack
+			break
+		}
+		currentNode := current.Node
+		currentKey := descriptor.FromOCI(currentNode)
+
+		if visited.Contains(currentKey) {
+			// skip the current node if it has been visited
+			continue
+		}
+		visited.Add(currentKey)
+
+		// stop finding predecessors if the target depth is reached
+		if opts.Depth > 0 && current.Depth == opts.Depth {
+			addRoot(currentKey, currentNode)
+			continue
+		}
+
+		predecessors, err := opts.FindPredecessors(ctx, storage, currentNode)
+		if err != nil {
+			return nil, newCopyError("FindPredecessors", CopyErrorOriginSource, err)
+		}
+
+		// The current node has no predecessor node,
+		// which means it is a root node of a sub-DAG.
+		if len(predecessors) == 0 {
+			addRoot(currentKey, currentNode)
+			continue
+		}
+
+		// The current node has predecessor nodes, which means it is NOT a root node.
+		// Push the predecessor nodes to the stack and keep finding from there.
+		for _, predecessor := range predecessors {
+			predecessorKey := descriptor.FromOCI(predecessor)
+			if !visited.Contains(predecessorKey) {
+				// push the predecessor node with increased depth
+				stack.Push(copyutil.NodeInfo{Node: predecessor, Depth: current.Depth + 1})
+			}
+		}
+	}
+
+	roots := make([]ocispec.Descriptor, 0, len(rootMap))
+	for _, root := range rootMap {
+		roots = append(roots, root)
+	}
+	return roots, nil
+}
+
+// FilterAnnotation configures opts.FindPredecessors to filter the predecessors
+// whose annotation matches a given regex pattern.
+//
+// A predecessor is kept if key is in its annotations and the annotation value
+// matches regex.
+// If regex is nil, predecessors whose annotations contain key will be kept,
+// no matter of the annotation value.
+//
+// For performance consideration, when using both FilterArtifactType and
+// FilterAnnotation, it's recommended to call FilterArtifactType first.
+func (opts *ExtendedCopyGraphOptions) FilterAnnotation(key string, regex *regexp.Regexp) {
+	keep := func(desc ocispec.Descriptor) bool {
+		value, ok := desc.Annotations[key]
+		return ok && (regex == nil || regex.MatchString(value))
+	}
+
+	fp := opts.FindPredecessors
+	opts.FindPredecessors = func(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		var predecessors []ocispec.Descriptor
+		var err error
+		if fp == nil {
+			if rf, ok := src.(registry.ReferrerLister); ok {
+				// if src is a ReferrerLister, use Referrers() for possible memory saving
+				if err := rf.Referrers(ctx, desc, "", func(referrers []ocispec.Descriptor) error {
+					// for each page of the results, filter the referrers
+					for _, r := range referrers {
+						if keep(r) {
+							predecessors = append(predecessors, r)
+						}
+					}
+					return nil
+				}); err != nil {
+					return nil, err
+				}
+				return predecessors, nil
+			}
+			predecessors, err = src.Predecessors(ctx, desc)
+		} else {
+			predecessors, err = fp(ctx, src, desc)
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		// Predecessor descriptors that are not from Referrers API are not
+		// guaranteed to include the annotations of the corresponding manifests.
+		var kept []ocispec.Descriptor
+		for _, p := range predecessors {
+			if p.Annotations == nil {
+				// If the annotations are not present in the descriptors,
+				// fetch it from the manifest content.
+				switch p.MediaType {
+				case docker.MediaTypeManifest, ocispec.MediaTypeImageManifest,
+					docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex,
+					spec.MediaTypeArtifactManifest:
+					annotations, err := fetchAnnotations(ctx, src, p)
+					if err != nil {
+						return nil, err
+					}
+					p.Annotations = annotations
+				}
+			}
+			if keep(p) {
+				kept = append(kept, p)
+			}
+		}
+		return kept, nil
+	}
+}
+
+// fetchAnnotations fetches the annotations of the manifest described by desc.
+func fetchAnnotations(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) (map[string]string, error) {
+	rc, err := src.Fetch(ctx, desc)
+	if err != nil {
+		return nil, err
+	}
+	defer rc.Close()
+
+	var manifest struct {
+		Annotations map[string]string `json:"annotations"`
+	}
+	if err := json.NewDecoder(rc).Decode(&manifest); err != nil {
+		return nil, err
+	}
+	if manifest.Annotations == nil {
+		// to differentiate with nil
+		return make(map[string]string), nil
+	}
+	return manifest.Annotations, nil
+}
+
+// FilterArtifactType configures opts.FindPredecessors to filter the
+// predecessors whose artifact type matches a given regex pattern.
+//
+// A predecessor is kept if its artifact type matches regex.
+// If regex is nil, all predecessors will be kept.
+//
+// For performance consideration, when using both FilterArtifactType and
+// FilterAnnotation, it's recommended to call FilterArtifactType first.
+func (opts *ExtendedCopyGraphOptions) FilterArtifactType(regex *regexp.Regexp) {
+	if regex == nil {
+		return
+	}
+	keep := func(desc ocispec.Descriptor) bool {
+		return regex.MatchString(desc.ArtifactType)
+	}
+
+	fp := opts.FindPredecessors
+	opts.FindPredecessors = func(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+		var predecessors []ocispec.Descriptor
+		var err error
+		if fp == nil {
+			if rf, ok := src.(registry.ReferrerLister); ok {
+				// if src is a ReferrerLister, use Referrers() for possible memory saving
+				if err := rf.Referrers(ctx, desc, "", func(referrers []ocispec.Descriptor) error {
+					// for each page of the results, filter the referrers
+					for _, r := range referrers {
+						if keep(r) {
+							predecessors = append(predecessors, r)
+						}
+					}
+					return nil
+				}); err != nil {
+					return nil, err
+				}
+				return predecessors, nil
+			}
+			predecessors, err = src.Predecessors(ctx, desc)
+		} else {
+			predecessors, err = fp(ctx, src, desc)
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		// predecessor descriptors that are not from Referrers API are not
+		// guaranteed to include the artifact type of the corresponding
+		// manifests.
+		var kept []ocispec.Descriptor
+		for _, p := range predecessors {
+			if p.ArtifactType == "" {
+				// if the artifact type is not present in the descriptors,
+				// fetch it from the manifest content.
+				switch p.MediaType {
+				case spec.MediaTypeArtifactManifest, ocispec.MediaTypeImageManifest:
+					artifactType, err := fetchArtifactType(ctx, src, p)
+					if err != nil {
+						return nil, err
+					}
+					p.ArtifactType = artifactType
+				}
+			}
+			if keep(p) {
+				kept = append(kept, p)
+			}
+		}
+		return kept, nil
+	}
+}
+
+// fetchArtifactType fetches the artifact type of the manifest described by desc.
+func fetchArtifactType(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) (string, error) {
+	rc, err := src.Fetch(ctx, desc)
+	if err != nil {
+		return "", err
+	}
+	defer rc.Close()
+
+	switch desc.MediaType {
+	case spec.MediaTypeArtifactManifest:
+		var manifest spec.Artifact
+		if err := json.NewDecoder(rc).Decode(&manifest); err != nil {
+			return "", err
+		}
+		return manifest.ArtifactType, nil
+	case ocispec.MediaTypeImageManifest:
+		var manifest ocispec.Manifest
+		if err := json.NewDecoder(rc).Decode(&manifest); err != nil {
+			return "", err
+		}
+		return manifest.Config.MediaType, nil
+	default:
+		return "", nil
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/cas/memory.go b/vendor/oras.land/oras-go/v2/internal/cas/memory.go
new file mode 100644
index 0000000000..7e358e136c
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/cas/memory.go
@@ -0,0 +1,88 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cas
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"sync"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	contentpkg "oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/descriptor"
+)
+
+// Memory is a memory based CAS.
+type Memory struct {
+	content sync.Map // map[descriptor.Descriptor][]byte
+}
+
+// NewMemory creates a new Memory CAS.
+func NewMemory() *Memory {
+	return &Memory{}
+}
+
+// Fetch fetches the content identified by the descriptor.
+func (m *Memory) Fetch(_ context.Context, target ocispec.Descriptor) (io.ReadCloser, error) {
+	key := descriptor.FromOCI(target)
+	content, exists := m.content.Load(key)
+	if !exists {
+		return nil, fmt.Errorf("%s: %s: %w", key.Digest, key.MediaType, errdef.ErrNotFound)
+	}
+	return io.NopCloser(bytes.NewReader(content.([]byte))), nil
+}
+
+// Push pushes the content, matching the expected descriptor.
+func (m *Memory) Push(_ context.Context, expected ocispec.Descriptor, content io.Reader) error {
+	key := descriptor.FromOCI(expected)
+
+	// check if the content exists in advance to avoid reading from the content.
+	if _, exists := m.content.Load(key); exists {
+		return fmt.Errorf("%s: %s: %w", key.Digest, key.MediaType, errdef.ErrAlreadyExists)
+	}
+
+	// read and try to store the content.
+	value, err := contentpkg.ReadAll(content, expected)
+	if err != nil {
+		return err
+	}
+	if _, exists := m.content.LoadOrStore(key, value); exists {
+		return fmt.Errorf("%s: %s: %w", key.Digest, key.MediaType, errdef.ErrAlreadyExists)
+	}
+	return nil
+}
+
+// Exists returns true if the described content exists.
+func (m *Memory) Exists(_ context.Context, target ocispec.Descriptor) (bool, error) {
+	key := descriptor.FromOCI(target)
+	_, exists := m.content.Load(key)
+	return exists, nil
+}
+
+// Map dumps the memory into a built-in map structure.
+// Like other operations, calling Map() is go-routine safe. However, it does not
+// necessarily correspond to any consistent snapshot of the storage contents.
+func (m *Memory) Map() map[descriptor.Descriptor][]byte {
+	res := make(map[descriptor.Descriptor][]byte)
+	m.content.Range(func(key, value interface{}) bool {
+		res[key.(descriptor.Descriptor)] = value.([]byte)
+		return true
+	})
+	return res
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/cas/proxy.go b/vendor/oras.land/oras-go/v2/internal/cas/proxy.go
new file mode 100644
index 0000000000..ada5f94e00
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/cas/proxy.go
@@ -0,0 +1,125 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cas
+
+import (
+	"context"
+	"io"
+	"sync"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/internal/ioutil"
+)
+
+// Proxy is a caching proxy for the storage.
+// The first fetch call of a described content will read from the remote and
+// cache the fetched content.
+// The subsequent fetch call will read from the local cache.
+type Proxy struct {
+	content.ReadOnlyStorage
+	Cache       content.Storage
+	StopCaching bool
+}
+
+// NewProxy creates a proxy for the `base` storage, using the `cache` storage as
+// the cache.
+func NewProxy(base content.ReadOnlyStorage, cache content.Storage) *Proxy {
+	return &Proxy{
+		ReadOnlyStorage: base,
+		Cache:           cache,
+	}
+}
+
+// NewProxyWithLimit creates a proxy for the `base` storage, using the `cache`
+// storage with a push size limit as the cache.
+func NewProxyWithLimit(base content.ReadOnlyStorage, cache content.Storage, pushLimit int64) *Proxy {
+	limitedCache := content.LimitStorage(cache, pushLimit)
+	return &Proxy{
+		ReadOnlyStorage: base,
+		Cache:           limitedCache,
+	}
+}
+
+// Fetch fetches the content identified by the descriptor.
+func (p *Proxy) Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) {
+	if p.StopCaching {
+		return p.FetchCached(ctx, target)
+	}
+
+	rc, err := p.Cache.Fetch(ctx, target)
+	if err == nil {
+		return rc, nil
+	}
+
+	rc, err = p.ReadOnlyStorage.Fetch(ctx, target)
+	if err != nil {
+		return nil, err
+	}
+	pr, pw := io.Pipe()
+	var wg sync.WaitGroup
+	wg.Add(1)
+	var pushErr error
+	go func() {
+		defer wg.Done()
+		pushErr = p.Cache.Push(ctx, target, pr)
+		if pushErr != nil {
+			pr.CloseWithError(pushErr)
+		}
+	}()
+	closer := ioutil.CloserFunc(func() error {
+		rcErr := rc.Close()
+		if err := pw.Close(); err != nil {
+			return err
+		}
+		wg.Wait()
+		if pushErr != nil {
+			return pushErr
+		}
+		return rcErr
+	})
+
+	return struct {
+		io.Reader
+		io.Closer
+	}{
+		Reader: io.TeeReader(rc, pw),
+		Closer: closer,
+	}, nil
+}
+
+// FetchCached fetches the content identified by the descriptor.
+// If the content is not cached, it will be fetched from the remote without
+// caching.
+func (p *Proxy) FetchCached(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) {
+	exists, err := p.Cache.Exists(ctx, target)
+	if err != nil {
+		return nil, err
+	}
+	if exists {
+		return p.Cache.Fetch(ctx, target)
+	}
+	return p.ReadOnlyStorage.Fetch(ctx, target)
+}
+
+// Exists returns true if the described content exists.
+func (p *Proxy) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) {
+	exists, err := p.Cache.Exists(ctx, target)
+	if err == nil && exists {
+		return true, nil
+	}
+	return p.ReadOnlyStorage.Exists(ctx, target)
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/container/set/set.go b/vendor/oras.land/oras-go/v2/internal/container/set/set.go
new file mode 100644
index 0000000000..07c96d47d1
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/container/set/set.go
@@ -0,0 +1,40 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package set
+
+// Set represents a set data structure.
+type Set[T comparable] map[T]struct{}
+
+// New returns an initialized set.
+func New[T comparable]() Set[T] {
+	return make(Set[T])
+}
+
+// Add adds item into the set s.
+func (s Set[T]) Add(item T) {
+	s[item] = struct{}{}
+}
+
+// Contains returns true if the set s contains item.
+func (s Set[T]) Contains(item T) bool {
+	_, ok := s[item]
+	return ok
+}
+
+// Delete deletes an item from the set.
+func (s Set[T]) Delete(item T) {
+	delete(s, item)
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/copyutil/stack.go b/vendor/oras.land/oras-go/v2/internal/copyutil/stack.go
new file mode 100644
index 0000000000..69412b0099
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/copyutil/stack.go
@@ -0,0 +1,55 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package copyutil
+
+import (
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// NodeInfo represents information of a node that is being visited in
+// ExtendedCopy.
+type NodeInfo struct {
+	// Node represents a node in the graph.
+	Node ocispec.Descriptor
+	// Depth represents the depth of the node in the graph.
+	Depth int
+}
+
+// Stack represents a stack data structure that is used in ExtendedCopy for
+// storing node information.
+type Stack []NodeInfo
+
+// IsEmpty returns true if the stack is empty, otherwise returns false.
+func (s *Stack) IsEmpty() bool {
+	return len(*s) == 0
+}
+
+// Push pushes an item to the stack.
+func (s *Stack) Push(i NodeInfo) {
+	*s = append(*s, i)
+}
+
+// Pop pops the top item out of the stack.
+func (s *Stack) Pop() (NodeInfo, bool) {
+	if s.IsEmpty() {
+		return NodeInfo{}, false
+	}
+
+	last := len(*s) - 1
+	top := (*s)[last]
+	*s = (*s)[:last]
+	return top, true
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/descriptor/descriptor.go b/vendor/oras.land/oras-go/v2/internal/descriptor/descriptor.go
new file mode 100644
index 0000000000..b9b339c048
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/descriptor/descriptor.go
@@ -0,0 +1,89 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package descriptor
+
+import (
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/internal/docker"
+	"oras.land/oras-go/v2/internal/spec"
+)
+
+// DefaultMediaType is the media type used when no media type is specified.
+const DefaultMediaType string = "application/octet-stream"
+
+// Descriptor contains the minimun information to describe the disposition of
+// targeted content.
+// Since it only has strings and integers, Descriptor is a comparable struct.
+type Descriptor struct {
+	// MediaType is the media type of the object this schema refers to.
+	MediaType string `json:"mediaType,omitempty"`
+
+	// Digest is the digest of the targeted content.
+	Digest digest.Digest `json:"digest"`
+
+	// Size specifies the size in bytes of the blob.
+	Size int64 `json:"size"`
+}
+
+// Empty is an empty descriptor
+var Empty Descriptor
+
+// FromOCI shrinks the OCI descriptor to the minimum.
+func FromOCI(desc ocispec.Descriptor) Descriptor {
+	return Descriptor{
+		MediaType: desc.MediaType,
+		Digest:    desc.Digest,
+		Size:      desc.Size,
+	}
+}
+
+// IsForeignLayer checks if a descriptor describes a foreign layer.
+func IsForeignLayer(desc ocispec.Descriptor) bool {
+	switch desc.MediaType {
+	case ocispec.MediaTypeImageLayerNonDistributable,
+		ocispec.MediaTypeImageLayerNonDistributableGzip,
+		ocispec.MediaTypeImageLayerNonDistributableZstd,
+		docker.MediaTypeForeignLayer:
+		return true
+	default:
+		return false
+	}
+}
+
+// IsManifest checks if a descriptor describes a manifest.
+func IsManifest(desc ocispec.Descriptor) bool {
+	switch desc.MediaType {
+	case docker.MediaTypeManifest,
+		docker.MediaTypeManifestList,
+		ocispec.MediaTypeImageManifest,
+		ocispec.MediaTypeImageIndex,
+		spec.MediaTypeArtifactManifest:
+		return true
+	default:
+		return false
+	}
+}
+
+// Plain returns a plain descriptor that contains only MediaType, Digest and
+// Size.
+func Plain(desc ocispec.Descriptor) ocispec.Descriptor {
+	return ocispec.Descriptor{
+		MediaType: desc.MediaType,
+		Digest:    desc.Digest,
+		Size:      desc.Size,
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/docker/mediatype.go b/vendor/oras.land/oras-go/v2/internal/docker/mediatype.go
new file mode 100644
index 0000000000..76a4ba9ed9
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/docker/mediatype.go
@@ -0,0 +1,24 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package docker
+
+// docker media types
+const (
+	MediaTypeConfig       = "application/vnd.docker.container.image.v1+json"
+	MediaTypeManifestList = "application/vnd.docker.distribution.manifest.list.v2+json"
+	MediaTypeManifest     = "application/vnd.docker.distribution.manifest.v2+json"
+	MediaTypeForeignLayer = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
+)
diff --git a/vendor/oras.land/oras-go/v2/internal/graph/memory.go b/vendor/oras.land/oras-go/v2/internal/graph/memory.go
new file mode 100644
index 0000000000..016e5f96a8
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/graph/memory.go
@@ -0,0 +1,201 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package graph
+
+import (
+	"context"
+	"errors"
+	"sync"
+
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/container/set"
+	"oras.land/oras-go/v2/internal/descriptor"
+	"oras.land/oras-go/v2/internal/status"
+	"oras.land/oras-go/v2/internal/syncutil"
+)
+
+// Memory is a memory based PredecessorFinder.
+type Memory struct {
+	// nodes has the following properties and behaviors:
+	//  1. a node exists in Memory.nodes if and only if it exists in the memory
+	//  2. Memory.nodes saves the ocispec.Descriptor map keys, which are used by
+	//    the other fields.
+	nodes map[descriptor.Descriptor]ocispec.Descriptor
+
+	// predecessors has the following properties and behaviors:
+	//  1. a node exists in Memory.predecessors if it has at least one predecessor
+	//    in the memory, regardless of whether or not the node itself exists in
+	//    the memory.
+	//  2. a node does not exist in Memory.predecessors, if it doesn't have any predecessors
+	//    in the memory.
+	predecessors map[descriptor.Descriptor]set.Set[descriptor.Descriptor]
+
+	// successors has the following properties and behaviors:
+	//  1. a node exists in Memory.successors if and only if it exists in the memory.
+	//  2. a node's entry in Memory.successors is always consistent with the actual
+	//    content of the node, regardless of whether or not each successor exists
+	//    in the memory.
+	successors map[descriptor.Descriptor]set.Set[descriptor.Descriptor]
+
+	lock sync.RWMutex
+}
+
+// NewMemory creates a new memory PredecessorFinder.
+func NewMemory() *Memory {
+	return &Memory{
+		nodes:        make(map[descriptor.Descriptor]ocispec.Descriptor),
+		predecessors: make(map[descriptor.Descriptor]set.Set[descriptor.Descriptor]),
+		successors:   make(map[descriptor.Descriptor]set.Set[descriptor.Descriptor]),
+	}
+}
+
+// Index indexes predecessors for each direct successor of the given node.
+func (m *Memory) Index(ctx context.Context, fetcher content.Fetcher, node ocispec.Descriptor) error {
+	_, err := m.index(ctx, fetcher, node)
+	return err
+}
+
+// Index indexes predecessors for all the successors of the given node.
+func (m *Memory) IndexAll(ctx context.Context, fetcher content.Fetcher, node ocispec.Descriptor) error {
+	// track content status
+	tracker := status.NewTracker()
+	var fn syncutil.GoFunc[ocispec.Descriptor]
+	fn = func(ctx context.Context, region *syncutil.LimitedRegion, desc ocispec.Descriptor) error {
+		// skip the node if other go routine is working on it
+		_, committed := tracker.TryCommit(desc)
+		if !committed {
+			return nil
+		}
+		successors, err := m.index(ctx, fetcher, desc)
+		if err != nil {
+			if errors.Is(err, errdef.ErrNotFound) {
+				// skip the node if it does not exist
+				return nil
+			}
+			return err
+		}
+		if len(successors) > 0 {
+			// traverse and index successors
+			return syncutil.Go(ctx, nil, fn, successors...)
+		}
+		return nil
+	}
+	return syncutil.Go(ctx, nil, fn, node)
+}
+
+// Predecessors returns the nodes directly pointing to the current node.
+// Predecessors returns nil without error if the node does not exists in the
+// store. Like other operations, calling Predecessors() is go-routine safe.
+// However, it does not necessarily correspond to any consistent snapshot of
+// the stored contents.
+func (m *Memory) Predecessors(_ context.Context, node ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	key := descriptor.FromOCI(node)
+	set, exists := m.predecessors[key]
+	if !exists {
+		return nil, nil
+	}
+	var res []ocispec.Descriptor
+	for k := range set {
+		res = append(res, m.nodes[k])
+	}
+	return res, nil
+}
+
+// Remove removes the node from its predecessors and successors, and returns the
+// dangling root nodes caused by the deletion.
+func (m *Memory) Remove(node ocispec.Descriptor) []ocispec.Descriptor {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	nodeKey := descriptor.FromOCI(node)
+	var danglings []ocispec.Descriptor
+	// remove the node from its successors' predecessor list
+	for successorKey := range m.successors[nodeKey] {
+		predecessorEntry := m.predecessors[successorKey]
+		predecessorEntry.Delete(nodeKey)
+
+		// if none of the predecessors of the node still exists, we remove the
+		// predecessors entry and return it as a dangling node. Otherwise, we do
+		// not remove the entry.
+		if len(predecessorEntry) == 0 {
+			delete(m.predecessors, successorKey)
+			if _, exists := m.nodes[successorKey]; exists {
+				danglings = append(danglings, m.nodes[successorKey])
+			}
+		}
+	}
+	delete(m.successors, nodeKey)
+	delete(m.nodes, nodeKey)
+	return danglings
+}
+
+// DigestSet returns the set of node digest in memory.
+func (m *Memory) DigestSet() set.Set[digest.Digest] {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	s := set.New[digest.Digest]()
+	for desc := range m.nodes {
+		s.Add(desc.Digest)
+	}
+	return s
+}
+
+// index indexes predecessors for each direct successor of the given node.
+func (m *Memory) index(ctx context.Context, fetcher content.Fetcher, node ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+	successors, err := content.Successors(ctx, fetcher, node)
+	if err != nil {
+		return nil, err
+	}
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	// index the node
+	nodeKey := descriptor.FromOCI(node)
+	m.nodes[nodeKey] = node
+
+	// for each successor, put it into the node's successors list, and
+	// put node into the succeesor's predecessors list
+	successorSet := set.New[descriptor.Descriptor]()
+	m.successors[nodeKey] = successorSet
+	for _, successor := range successors {
+		successorKey := descriptor.FromOCI(successor)
+		successorSet.Add(successorKey)
+		predecessorSet, exists := m.predecessors[successorKey]
+		if !exists {
+			predecessorSet = set.New[descriptor.Descriptor]()
+			m.predecessors[successorKey] = predecessorSet
+		}
+		predecessorSet.Add(nodeKey)
+	}
+	return successors, nil
+}
+
+// Exists checks if the node exists in the graph
+func (m *Memory) Exists(node ocispec.Descriptor) bool {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	nodeKey := descriptor.FromOCI(node)
+	_, exists := m.nodes[nodeKey]
+	return exists
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/httputil/seek.go b/vendor/oras.land/oras-go/v2/internal/httputil/seek.go
new file mode 100644
index 0000000000..3fa14e2dd3
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/httputil/seek.go
@@ -0,0 +1,116 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package httputil
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+// Client is an interface for a HTTP client.
+// This interface is defined inside this package to prevent potential import
+// loop.
+type Client interface {
+	// Do sends an HTTP request and returns an HTTP response.
+	Do(*http.Request) (*http.Response, error)
+}
+
+// readSeekCloser seeks http body by starting new connections.
+type readSeekCloser struct {
+	client Client
+	req    *http.Request
+	rc     io.ReadCloser
+	size   int64
+	offset int64
+	closed bool
+}
+
+// NewReadSeekCloser returns a seeker to make the HTTP response seekable.
+// Callers should ensure that the server supports Range request.
+func NewReadSeekCloser(client Client, req *http.Request, respBody io.ReadCloser, size int64) io.ReadSeekCloser {
+	return &readSeekCloser{
+		client: client,
+		req:    req,
+		rc:     respBody,
+		size:   size,
+	}
+}
+
+// Read reads the content body and counts offset.
+func (rsc *readSeekCloser) Read(p []byte) (n int, err error) {
+	if rsc.closed {
+		return 0, errors.New("read: already closed")
+	}
+	n, err = rsc.rc.Read(p)
+	rsc.offset += int64(n)
+	return
+}
+
+// Seek starts a new connection to the remote for reading if position changes.
+func (rsc *readSeekCloser) Seek(offset int64, whence int) (int64, error) {
+	if rsc.closed {
+		return 0, errors.New("seek: already closed")
+	}
+	switch whence {
+	case io.SeekCurrent:
+		offset += rsc.offset
+	case io.SeekStart:
+		// no-op
+	case io.SeekEnd:
+		offset += rsc.size
+	default:
+		return 0, errors.New("seek: invalid whence")
+	}
+	if offset < 0 {
+		return 0, errors.New("seek: an attempt was made to move the pointer before the beginning of the content")
+	}
+	if offset == rsc.offset {
+		return offset, nil
+	}
+	if offset >= rsc.size {
+		rsc.rc.Close()
+		rsc.rc = http.NoBody
+		rsc.offset = offset
+		return offset, nil
+	}
+
+	req := rsc.req.Clone(rsc.req.Context())
+	req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", offset, rsc.size-1))
+	resp, err := rsc.client.Do(req)
+	if err != nil {
+		return 0, fmt.Errorf("seek: %s %q: %w", req.Method, req.URL, err)
+	}
+	if resp.StatusCode != http.StatusPartialContent {
+		resp.Body.Close()
+		return 0, fmt.Errorf("seek: %s %q: unexpected status code %d", resp.Request.Method, resp.Request.URL, resp.StatusCode)
+	}
+
+	rsc.rc.Close()
+	rsc.rc = resp.Body
+	rsc.offset = offset
+	return offset, nil
+}
+
+// Close closes the content body.
+func (rsc *readSeekCloser) Close() error {
+	if rsc.closed {
+		return nil
+	}
+	rsc.closed = true
+	return rsc.rc.Close()
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/interfaces/registry.go b/vendor/oras.land/oras-go/v2/internal/interfaces/registry.go
new file mode 100644
index 0000000000..05600148e6
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/interfaces/registry.go
@@ -0,0 +1,24 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package interfaces
+
+import "oras.land/oras-go/v2/registry"
+
+// ReferenceParser provides reference parsing.
+type ReferenceParser interface {
+	// ParseReference parses a reference to a fully qualified reference.
+	ParseReference(reference string) (registry.Reference, error)
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/ioutil/io.go b/vendor/oras.land/oras-go/v2/internal/ioutil/io.go
new file mode 100644
index 0000000000..de41bda909
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/ioutil/io.go
@@ -0,0 +1,66 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ioutil
+
+import (
+	"fmt"
+	"io"
+	"reflect"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+)
+
+// CloserFunc is the basic Close method defined in io.Closer.
+type CloserFunc func() error
+
+// Close performs close operation by the CloserFunc.
+func (fn CloserFunc) Close() error {
+	return fn()
+}
+
+// CopyBuffer copies from src to dst through the provided buffer
+// until either EOF is reached on src, or an error occurs.
+// The copied content is verified against the size and the digest.
+func CopyBuffer(dst io.Writer, src io.Reader, buf []byte, desc ocispec.Descriptor) error {
+	// verify while copying
+	vr := content.NewVerifyReader(src, desc)
+	if _, err := io.CopyBuffer(dst, vr, buf); err != nil {
+		return fmt.Errorf("copy failed: %w", err)
+	}
+	return vr.Verify()
+}
+
+// Types returned by `io.NopCloser()`.
+var (
+	nopCloserType         = reflect.TypeOf(io.NopCloser(nil))
+	nopCloserWriterToType = reflect.TypeOf(io.NopCloser(struct {
+		io.Reader
+		io.WriterTo
+	}{}))
+)
+
+// UnwrapNopCloser unwraps the reader wrapped by `io.NopCloser()`.
+// Similar implementation can be found in the built-in package `net/http`.
+// Reference: https://github.com/golang/go/blob/go1.22.1/src/net/http/transfer.go#L1090-L1105
+func UnwrapNopCloser(r io.Reader) io.Reader {
+	switch reflect.TypeOf(r) {
+	case nopCloserType, nopCloserWriterToType:
+		return reflect.ValueOf(r).Field(0).Interface().(io.Reader)
+	default:
+		return r
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/manifestutil/parser.go b/vendor/oras.land/oras-go/v2/internal/manifestutil/parser.go
new file mode 100644
index 0000000000..89d556b8fe
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/manifestutil/parser.go
@@ -0,0 +1,84 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package manifestutil
+
+import (
+	"context"
+	"encoding/json"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/internal/docker"
+	"oras.land/oras-go/v2/internal/spec"
+)
+
+// Config returns the config of desc, if present.
+func Config(ctx context.Context, fetcher content.Fetcher, desc ocispec.Descriptor) (*ocispec.Descriptor, error) {
+	switch desc.MediaType {
+	case docker.MediaTypeManifest, ocispec.MediaTypeImageManifest:
+		content, err := content.FetchAll(ctx, fetcher, desc)
+		if err != nil {
+			return nil, err
+		}
+		// OCI manifest schema can be used to marshal docker manifest
+		var manifest ocispec.Manifest
+		if err := json.Unmarshal(content, &manifest); err != nil {
+			return nil, err
+		}
+		return &manifest.Config, nil
+	default:
+		return nil, nil
+	}
+}
+
+// Manifest returns the manifests of desc, if present.
+func Manifests(ctx context.Context, fetcher content.Fetcher, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+	switch desc.MediaType {
+	case docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex:
+		content, err := content.FetchAll(ctx, fetcher, desc)
+		if err != nil {
+			return nil, err
+		}
+		// OCI manifest index schema can be used to marshal docker manifest list
+		var index ocispec.Index
+		if err := json.Unmarshal(content, &index); err != nil {
+			return nil, err
+		}
+		return index.Manifests, nil
+	default:
+		return nil, nil
+	}
+}
+
+// Subject returns the subject of desc, if present.
+func Subject(ctx context.Context, fetcher content.Fetcher, desc ocispec.Descriptor) (*ocispec.Descriptor, error) {
+	switch desc.MediaType {
+	case ocispec.MediaTypeImageManifest, ocispec.MediaTypeImageIndex, spec.MediaTypeArtifactManifest:
+		content, err := content.FetchAll(ctx, fetcher, desc)
+		if err != nil {
+			return nil, err
+		}
+		var manifest struct {
+			Subject *ocispec.Descriptor `json:"subject,omitempty"`
+		}
+		if err := json.Unmarshal(content, &manifest); err != nil {
+			return nil, err
+		}
+		return manifest.Subject, nil
+	default:
+		return nil, nil
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/platform/platform.go b/vendor/oras.land/oras-go/v2/internal/platform/platform.go
new file mode 100644
index 0000000000..60d000d14f
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/platform/platform.go
@@ -0,0 +1,145 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package platform
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/docker"
+	"oras.land/oras-go/v2/internal/manifestutil"
+)
+
+// Match checks whether the current platform matches the target platform.
+// Match will return true if all of the following conditions are met.
+//   - Architecture and OS exactly match.
+//   - Variant and OSVersion exactly match if target platform provided.
+//   - OSFeatures of the target platform are the subsets of the OSFeatures
+//     array of the current platform.
+//
+// Note: Variant, OSVersion and OSFeatures are optional fields, will skip
+// the comparison if the target platform does not provide specific value.
+func Match(got *ocispec.Platform, want *ocispec.Platform) bool {
+	if got == nil && want == nil {
+		return true
+	}
+
+	if got == nil || want == nil {
+		return false
+	}
+
+	if got.Architecture != want.Architecture || got.OS != want.OS {
+		return false
+	}
+
+	if want.OSVersion != "" && got.OSVersion != want.OSVersion {
+		return false
+	}
+
+	if want.Variant != "" && got.Variant != want.Variant {
+		return false
+	}
+
+	if len(want.OSFeatures) != 0 && !isSubset(want.OSFeatures, got.OSFeatures) {
+		return false
+	}
+
+	return true
+}
+
+// isSubset returns true if all items in slice A are present in slice B.
+func isSubset(a, b []string) bool {
+	set := make(map[string]bool, len(b))
+	for _, v := range b {
+		set[v] = true
+	}
+	for _, v := range a {
+		if _, ok := set[v]; !ok {
+			return false
+		}
+	}
+
+	return true
+}
+
+// SelectManifest implements platform filter and returns the descriptor of the
+// first matched manifest if the root is a manifest list. If the root is a
+// manifest, then return the root descriptor if platform matches.
+func SelectManifest(ctx context.Context, src content.ReadOnlyStorage, root ocispec.Descriptor, p *ocispec.Platform) (ocispec.Descriptor, error) {
+	switch root.MediaType {
+	case docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex:
+		manifests, err := manifestutil.Manifests(ctx, src, root)
+		if err != nil {
+			return ocispec.Descriptor{}, err
+		}
+
+		// platform filter
+		for _, m := range manifests {
+			if Match(m.Platform, p) {
+				return m, nil
+			}
+		}
+		return ocispec.Descriptor{}, fmt.Errorf("%s: %w: no matching manifest was found in the manifest list", root.Digest, errdef.ErrNotFound)
+	case docker.MediaTypeManifest, ocispec.MediaTypeImageManifest:
+		// config will be non-nil for docker manifest and OCI image manifest
+		config, err := manifestutil.Config(ctx, src, root)
+		if err != nil {
+			return ocispec.Descriptor{}, err
+		}
+
+		configMediaType := docker.MediaTypeConfig
+		if root.MediaType == ocispec.MediaTypeImageManifest {
+			configMediaType = ocispec.MediaTypeImageConfig
+		}
+		cfgPlatform, err := getPlatformFromConfig(ctx, src, *config, configMediaType)
+		if err != nil {
+			return ocispec.Descriptor{}, err
+		}
+
+		if Match(cfgPlatform, p) {
+			return root, nil
+		}
+		return ocispec.Descriptor{}, fmt.Errorf("%s: %w: platform in manifest does not match target platform", root.Digest, errdef.ErrNotFound)
+	default:
+		return ocispec.Descriptor{}, fmt.Errorf("%s: %s: %w", root.Digest, root.MediaType, errdef.ErrUnsupported)
+	}
+}
+
+// getPlatformFromConfig returns a platform object which is made up from the
+// fields in config blob.
+func getPlatformFromConfig(ctx context.Context, src content.ReadOnlyStorage, desc ocispec.Descriptor, targetConfigMediaType string) (*ocispec.Platform, error) {
+	if desc.MediaType != targetConfigMediaType {
+		return nil, fmt.Errorf("fail to recognize platform from unknown config %s: expect %s: %w", desc.MediaType, targetConfigMediaType, errdef.ErrUnsupported)
+	}
+
+	rc, err := src.Fetch(ctx, desc)
+	if err != nil {
+		return nil, err
+	}
+	defer rc.Close()
+
+	var platform ocispec.Platform
+	if err = json.NewDecoder(rc).Decode(&platform); err != nil && err != io.EOF {
+		return nil, err
+	}
+
+	return &platform, nil
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/registryutil/proxy.go b/vendor/oras.land/oras-go/v2/internal/registryutil/proxy.go
new file mode 100644
index 0000000000..c238713e5f
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/registryutil/proxy.go
@@ -0,0 +1,102 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registryutil
+
+import (
+	"context"
+	"io"
+	"sync"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/internal/cas"
+	"oras.land/oras-go/v2/internal/ioutil"
+	"oras.land/oras-go/v2/registry"
+)
+
+// ReferenceStorage represents a CAS that supports registry.ReferenceFetcher.
+type ReferenceStorage interface {
+	content.ReadOnlyStorage
+	registry.ReferenceFetcher
+}
+
+// Proxy is a caching proxy dedicated for registry.ReferenceFetcher.
+// The first fetch call of a described content will read from the remote and
+// cache the fetched content.
+// The subsequent fetch call will read from the local cache.
+type Proxy struct {
+	registry.ReferenceFetcher
+	*cas.Proxy
+}
+
+// NewProxy creates a proxy for the `base` ReferenceStorage, using the `cache`
+// storage as the cache.
+func NewProxy(base ReferenceStorage, cache content.Storage) *Proxy {
+	return &Proxy{
+		ReferenceFetcher: base,
+		Proxy:            cas.NewProxy(base, cache),
+	}
+}
+
+// FetchReference fetches the content identified by the reference from the
+// remote and cache the fetched content.
+func (p *Proxy) FetchReference(ctx context.Context, reference string) (ocispec.Descriptor, io.ReadCloser, error) {
+	target, rc, err := p.ReferenceFetcher.FetchReference(ctx, reference)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+
+	// skip caching if the content already exists in cache
+	exists, err := p.Cache.Exists(ctx, target)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	if exists {
+		return target, rc, nil
+	}
+
+	// cache content while reading
+	pr, pw := io.Pipe()
+	var wg sync.WaitGroup
+	wg.Add(1)
+	var pushErr error
+	go func() {
+		defer wg.Done()
+		pushErr = p.Cache.Push(ctx, target, pr)
+		if pushErr != nil {
+			pr.CloseWithError(pushErr)
+		}
+	}()
+	closer := ioutil.CloserFunc(func() error {
+		rcErr := rc.Close()
+		if err := pw.Close(); err != nil {
+			return err
+		}
+		wg.Wait()
+		if pushErr != nil {
+			return pushErr
+		}
+		return rcErr
+	})
+
+	return target, struct {
+		io.Reader
+		io.Closer
+	}{
+		Reader: io.TeeReader(rc, pw),
+		Closer: closer,
+	}, nil
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/resolver/memory.go b/vendor/oras.land/oras-go/v2/internal/resolver/memory.go
new file mode 100644
index 0000000000..df710e66de
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/resolver/memory.go
@@ -0,0 +1,105 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resolver
+
+import (
+	"context"
+	"fmt"
+	"maps"
+	"sync"
+
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/container/set"
+)
+
+// Memory is a memory based resolver.
+type Memory struct {
+	lock  sync.RWMutex
+	index map[string]ocispec.Descriptor
+	tags  map[digest.Digest]set.Set[string]
+}
+
+// NewMemory creates a new Memory resolver.
+func NewMemory() *Memory {
+	return &Memory{
+		index: make(map[string]ocispec.Descriptor),
+		tags:  make(map[digest.Digest]set.Set[string]),
+	}
+}
+
+// Resolve resolves a reference to a descriptor.
+func (m *Memory) Resolve(_ context.Context, reference string) (ocispec.Descriptor, error) {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	desc, ok := m.index[reference]
+	if !ok {
+		return ocispec.Descriptor{}, fmt.Errorf("%s: %w", reference, errdef.ErrNotFound)
+	}
+	return desc, nil
+}
+
+// Tag tags a descriptor with a reference string.
+func (m *Memory) Tag(_ context.Context, desc ocispec.Descriptor, reference string) error {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	m.index[reference] = desc
+	tagSet, ok := m.tags[desc.Digest]
+	if !ok {
+		tagSet = set.New[string]()
+		m.tags[desc.Digest] = tagSet
+	}
+	tagSet.Add(reference)
+	return nil
+}
+
+// Untag removes a reference from index map.
+func (m *Memory) Untag(reference string) {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	desc, ok := m.index[reference]
+	if !ok {
+		return
+	}
+	delete(m.index, reference)
+	tagSet := m.tags[desc.Digest]
+	tagSet.Delete(reference)
+	if len(tagSet) == 0 {
+		delete(m.tags, desc.Digest)
+	}
+}
+
+// Map dumps the memory into a built-in map structure.
+// Like other operations, calling Map() is go-routine safe.
+func (m *Memory) Map() map[string]ocispec.Descriptor {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	return maps.Clone(m.index)
+}
+
+// TagSet returns the set of tags of the descriptor.
+func (m *Memory) TagSet(desc ocispec.Descriptor) set.Set[string] {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	tagSet := m.tags[desc.Digest]
+	return maps.Clone(tagSet)
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/spec/artifact.go b/vendor/oras.land/oras-go/v2/internal/spec/artifact.go
new file mode 100644
index 0000000000..7f801fd9ca
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/spec/artifact.go
@@ -0,0 +1,57 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package spec
+
+import ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+
+const (
+	// AnnotationArtifactCreated is the annotation key for the date and time on which the artifact was built, conforming to RFC 3339.
+	AnnotationArtifactCreated = "org.opencontainers.artifact.created"
+
+	// AnnotationArtifactDescription is the annotation key for the human readable description for the artifact.
+	AnnotationArtifactDescription = "org.opencontainers.artifact.description"
+
+	// AnnotationReferrersFiltersApplied is the annotation key for the comma separated list of filters applied by the registry in the referrers listing.
+	AnnotationReferrersFiltersApplied = "org.opencontainers.referrers.filtersApplied"
+)
+
+// MediaTypeArtifactManifest specifies the media type for a content descriptor.
+const MediaTypeArtifactManifest = "application/vnd.oci.artifact.manifest.v1+json"
+
+// Artifact describes an artifact manifest.
+// This structure provides `application/vnd.oci.artifact.manifest.v1+json` mediatype when marshalled to JSON.
+//
+// This manifest type was introduced in image-spec v1.1.0-rc1 and was removed in
+// image-spec v1.1.0-rc3. It is not part of the current image-spec and is kept
+// here for Go compatibility.
+//
+// Reference: https://github.com/opencontainers/image-spec/pull/999
+type Artifact struct {
+	// MediaType is the media type of the object this schema refers to.
+	MediaType string `json:"mediaType"`
+
+	// ArtifactType is the IANA media type of the artifact this schema refers to.
+	ArtifactType string `json:"artifactType"`
+
+	// Blobs is a collection of blobs referenced by this manifest.
+	Blobs []ocispec.Descriptor `json:"blobs,omitempty"`
+
+	// Subject (reference) is an optional link from the artifact to another manifest forming an association between the artifact and the other manifest.
+	Subject *ocispec.Descriptor `json:"subject,omitempty"`
+
+	// Annotations contains arbitrary metadata for the artifact manifest.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/status/tracker.go b/vendor/oras.land/oras-go/v2/internal/status/tracker.go
new file mode 100644
index 0000000000..1a48bb5aff
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/status/tracker.go
@@ -0,0 +1,43 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package status
+
+import (
+	"sync"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/internal/descriptor"
+)
+
+// Tracker tracks content status described by a descriptor.
+type Tracker struct {
+	status sync.Map // map[descriptor.Descriptor]chan struct{}
+}
+
+// NewTracker creates a new content status tracker.
+func NewTracker() *Tracker {
+	return &Tracker{}
+}
+
+// TryCommit tries to commit the work for the target descriptor.
+// Returns true if committed. A channel is also returned for sending
+// notifications. Once the work is done, the channel should be closed.
+// Returns false if the work is done or still in progress.
+func (t *Tracker) TryCommit(target ocispec.Descriptor) (chan struct{}, bool) {
+	key := descriptor.FromOCI(target)
+	status, exists := t.status.LoadOrStore(key, make(chan struct{}))
+	return status.(chan struct{}), !exists
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/limit.go b/vendor/oras.land/oras-go/v2/internal/syncutil/limit.go
new file mode 100644
index 0000000000..e429f24f47
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/syncutil/limit.go
@@ -0,0 +1,107 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syncutil
+
+import (
+	"context"
+
+	"golang.org/x/sync/errgroup"
+	"golang.org/x/sync/semaphore"
+)
+
+// LimitedRegion provides a way to bound concurrent access to a code block.
+type LimitedRegion struct {
+	ctx     context.Context
+	limiter *semaphore.Weighted
+	ended   bool
+}
+
+// LimitRegion creates a new LimitedRegion.
+func LimitRegion(ctx context.Context, limiter *semaphore.Weighted) *LimitedRegion {
+	if limiter == nil {
+		return nil
+	}
+	return &LimitedRegion{
+		ctx:     ctx,
+		limiter: limiter,
+		ended:   true,
+	}
+}
+
+// Start starts the region with concurrency limit.
+func (lr *LimitedRegion) Start() error {
+	if lr == nil || !lr.ended {
+		return nil
+	}
+	if err := lr.limiter.Acquire(lr.ctx, 1); err != nil {
+		return err
+	}
+	lr.ended = false
+	return nil
+}
+
+// End ends the region with concurrency limit.
+func (lr *LimitedRegion) End() {
+	if lr == nil || lr.ended {
+		return
+	}
+	lr.limiter.Release(1)
+	lr.ended = true
+}
+
+// GoFunc represents a function that can be invoked by Go.
+type GoFunc[T any] func(ctx context.Context, region *LimitedRegion, t T) error
+
+// Go concurrently invokes fn on items.
+func Go[T any](ctx context.Context, limiter *semaphore.Weighted, fn GoFunc[T], items ...T) error {
+	ctx, cancel := context.WithCancelCause(ctx)
+	defer cancel(nil)
+
+	eg, egCtx := errgroup.WithContext(ctx)
+	for _, item := range items {
+		region := LimitRegion(egCtx, limiter)
+		if err := region.Start(); err != nil {
+			cancel(err)
+			// break loop instead of returning to allow previously scheduled
+			// goroutines to finish their deferred region.End() calls
+			break
+		}
+
+		eg.Go(func(t T, lr *LimitedRegion) func() error {
+			return func() error {
+				defer lr.End()
+
+				select {
+				case <-egCtx.Done():
+					// skip the task if the context is already cancelled
+					return nil
+				default:
+				}
+
+				if err := fn(egCtx, lr, t); err != nil {
+					cancel(err)
+					return err
+				}
+				return nil
+			}
+		}(item, region))
+	}
+
+	if err := eg.Wait(); err != nil {
+		cancel(err)
+	}
+	return context.Cause(ctx)
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/limitgroup.go b/vendor/oras.land/oras-go/v2/internal/syncutil/limitgroup.go
new file mode 100644
index 0000000000..4ef087dcc0
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/syncutil/limitgroup.go
@@ -0,0 +1,67 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syncutil
+
+import (
+	"context"
+
+	"golang.org/x/sync/errgroup"
+)
+
+// LimitedGroup is a collection of goroutines working on subtasks that are part of
+// the same overall task.
+type LimitedGroup struct {
+	grp *errgroup.Group
+	ctx context.Context
+}
+
+// LimitGroup returns a new LimitedGroup and an associated Context derived from ctx.
+//
+// The number of active goroutines in this group is limited to the given limit.
+// A negative value indicates no limit.
+//
+// The derived Context is canceled the first time a function passed to Go
+// returns a non-nil error or the first time Wait returns, whichever occurs
+// first.
+func LimitGroup(ctx context.Context, limit int) (*LimitedGroup, context.Context) {
+	grp, ctx := errgroup.WithContext(ctx)
+	grp.SetLimit(limit)
+	return &LimitedGroup{grp: grp, ctx: ctx}, ctx
+}
+
+// Go calls the given function in a new goroutine.
+// It blocks until the new goroutine can be added without the number of
+// active goroutines in the group exceeding the configured limit.
+//
+// The first call to return a non-nil error cancels the group's context.
+// After which, any subsequent calls to Go will not execute their given function.
+// The error will be returned by Wait.
+func (g *LimitedGroup) Go(f func() error) {
+	g.grp.Go(func() error {
+		select {
+		case <-g.ctx.Done():
+			return g.ctx.Err()
+		default:
+			return f()
+		}
+	})
+}
+
+// Wait blocks until all function calls from the Go method have returned, then
+// returns the first non-nil error (if any) from them.
+func (g *LimitedGroup) Wait() error {
+	return g.grp.Wait()
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/merge.go b/vendor/oras.land/oras-go/v2/internal/syncutil/merge.go
new file mode 100644
index 0000000000..44788990c2
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/syncutil/merge.go
@@ -0,0 +1,140 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syncutil
+
+import "sync"
+
+// mergeStatus represents the merge status of an item.
+type mergeStatus struct {
+	// main indicates if items are being merged by the current go-routine.
+	main bool
+	// err represents the error of the merge operation.
+	err error
+}
+
+// Merge represents merge operations on items.
+// The state transfer is shown as below:
+//
+//	           +----------+
+//	           |  Start   +--------+-------------+
+//	           +----+-----+        |             |
+//	                |              |             |
+//	                v              v             v
+//	           +----+-----+   +----+----+   +----+----+
+//	   +-------+ Prepare  +<--+ Pending +-->+ Waiting |
+//	   |       +----+-----+   +---------+   +----+----+
+//	   |            |                            |
+//	   |            v                            |
+//	   |       + ---+---- +                      |
+//	On Error   | Resolve  |                      |
+//	   |       + ---+---- +                      |
+//	   |            |                            |
+//	   |            v                            |
+//	   |       +----+-----+                      |
+//	   +------>+ Complete +<---------------------+
+//	           +----+-----+
+//	                |
+//	                v
+//	           +----+-----+
+//	           |   End    |
+//	           +----------+
+type Merge[T any] struct {
+	lock          sync.Mutex
+	committed     bool
+	items         []T
+	status        chan mergeStatus
+	pending       []T
+	pendingStatus chan mergeStatus
+}
+
+// Do merges concurrent operations of items into a single call of prepare and
+// resolve.
+// If Do is called multiple times concurrently, only one of the calls will be
+// selected to invoke prepare and resolve.
+func (m *Merge[T]) Do(item T, prepare func() error, resolve func(items []T) error) error {
+	status := <-m.assign(item)
+	if status.main {
+		err := prepare()
+		items := m.commit()
+		if err == nil {
+			err = resolve(items)
+		}
+		m.complete(err)
+		return err
+	}
+	return status.err
+}
+
+// assign adds a new item into the item list.
+func (m *Merge[T]) assign(item T) <-chan mergeStatus {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	if m.committed {
+		if m.pendingStatus == nil {
+			m.pendingStatus = make(chan mergeStatus, 1)
+		}
+		m.pending = append(m.pending, item)
+		return m.pendingStatus
+	}
+
+	if m.status == nil {
+		m.status = make(chan mergeStatus, 1)
+		m.status <- mergeStatus{main: true}
+	}
+	m.items = append(m.items, item)
+	return m.status
+}
+
+// commit closes the assignment window, and the assigned items will be ready
+// for resolve.
+func (m *Merge[T]) commit() []T {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	m.committed = true
+	return m.items
+}
+
+// complete completes the previous merge, and moves the pending items to the
+// stage for the next merge.
+func (m *Merge[T]) complete(err error) {
+	// notify results
+	if err == nil {
+		close(m.status)
+	} else {
+		remaining := len(m.items) - 1
+		status := m.status
+		for remaining > 0 {
+			status <- mergeStatus{err: err}
+			remaining--
+		}
+	}
+
+	// move pending items to the stage
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	m.committed = false
+	m.items = m.pending
+	m.status = m.pendingStatus
+	m.pending = nil
+	m.pendingStatus = nil
+
+	if m.status != nil {
+		m.status <- mergeStatus{main: true}
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/once.go b/vendor/oras.land/oras-go/v2/internal/syncutil/once.go
new file mode 100644
index 0000000000..e449705304
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/syncutil/once.go
@@ -0,0 +1,102 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syncutil
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+)
+
+// Once is an object that will perform exactly one action.
+// Unlike sync.Once, this Once allows the action to have return values.
+type Once struct {
+	result interface{}
+	err    error
+	status chan bool
+}
+
+// NewOnce creates a new Once instance.
+func NewOnce() *Once {
+	status := make(chan bool, 1)
+	status <- true
+	return &Once{
+		status: status,
+	}
+}
+
+// Do calls the function f if and only if Do is being called first time or all
+// previous function calls are cancelled, deadline exceeded, or panicking.
+// When `once.Do(ctx, f)` is called multiple times, the return value of the
+// first call of the function f is stored, and is directly returned for other
+// calls.
+// Besides the return value of the function f, including the error, Do returns
+// true if the function f passed is called first and is not cancelled, deadline
+// exceeded, or panicking. Otherwise, returns false.
+func (o *Once) Do(ctx context.Context, f func() (interface{}, error)) (bool, interface{}, error) {
+	defer func() {
+		if r := recover(); r != nil {
+			o.status <- true
+			panic(r)
+		}
+	}()
+	for {
+		select {
+		case inProgress := <-o.status:
+			if !inProgress {
+				return false, o.result, o.err
+			}
+			result, err := f()
+			if err == context.Canceled || err == context.DeadlineExceeded {
+				o.status <- true
+				return false, nil, err
+			}
+			o.result, o.err = result, err
+			close(o.status)
+			return true, result, err
+		case <-ctx.Done():
+			return false, nil, ctx.Err()
+		}
+	}
+}
+
+// OnceOrRetry is an object that will perform exactly one success action.
+type OnceOrRetry struct {
+	done atomic.Bool
+	lock sync.Mutex
+}
+
+// OnceOrRetry calls the function f if and only if Do is being called for the
+// first time for this instance of Once or all previous calls to Do are failed.
+func (o *OnceOrRetry) Do(f func() error) error {
+	// fast path
+	if o.done.Load() {
+		return nil
+	}
+
+	// slow path
+	o.lock.Lock()
+	defer o.lock.Unlock()
+
+	if o.done.Load() {
+		return nil
+	}
+	if err := f(); err != nil {
+		return err
+	}
+	o.done.Store(true)
+	return nil
+}
diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/pool.go b/vendor/oras.land/oras-go/v2/internal/syncutil/pool.go
new file mode 100644
index 0000000000..6fb4a69c51
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/internal/syncutil/pool.go
@@ -0,0 +1,64 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package syncutil
+
+import "sync"
+
+// poolItem represents an item in Pool.
+type poolItem[T any] struct {
+	value    T
+	refCount int
+}
+
+// Pool is a scalable pool with items identified by keys.
+type Pool[T any] struct {
+	// New optionally specifies a function to generate a value when Get would
+	// otherwise return nil.
+	// It may not be changed concurrently with calls to Get.
+	New func() T
+
+	lock  sync.Mutex
+	items map[any]*poolItem[T]
+}
+
+// Get gets the value identified by key.
+// The caller should invoke the returned function after using the returned item.
+func (p *Pool[T]) Get(key any) (*T, func()) {
+	p.lock.Lock()
+	defer p.lock.Unlock()
+
+	item, ok := p.items[key]
+	if !ok {
+		if p.items == nil {
+			p.items = make(map[any]*poolItem[T])
+		}
+		item = &poolItem[T]{}
+		if p.New != nil {
+			item.value = p.New()
+		}
+		p.items[key] = item
+	}
+	item.refCount++
+
+	return &item.value, func() {
+		p.lock.Lock()
+		defer p.lock.Unlock()
+		item.refCount--
+		if item.refCount <= 0 {
+			delete(p.items, key)
+		}
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/pack.go b/vendor/oras.land/oras-go/v2/pack.go
new file mode 100644
index 0000000000..6d1635c9fc
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/pack.go
@@ -0,0 +1,448 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oras
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"maps"
+	"regexp"
+	"time"
+
+	specs "github.com/opencontainers/image-spec/specs-go"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/spec"
+)
+
+const (
+	// MediaTypeUnknownConfig is the default config mediaType used
+	//   - for [Pack] when PackOptions.PackImageManifest is true and
+	//     PackOptions.ConfigDescriptor is not specified.
+	//   - for [PackManifest] when packManifestVersion is PackManifestVersion1_0
+	//     and PackManifestOptions.ConfigDescriptor is not specified.
+	MediaTypeUnknownConfig = "application/vnd.unknown.config.v1+json"
+
+	// MediaTypeUnknownArtifact is the default artifactType used for [Pack]
+	// when PackOptions.PackImageManifest is false and artifactType is
+	// not specified.
+	MediaTypeUnknownArtifact = "application/vnd.unknown.artifact.v1"
+)
+
+var (
+	// ErrInvalidDateTimeFormat is returned by [Pack] and [PackManifest] when
+	// "org.opencontainers.artifact.created" or "org.opencontainers.image.created"
+	// is provided, but its value is not in RFC 3339 format.
+	// Reference: https://www.rfc-editor.org/rfc/rfc3339#section-5.6
+	ErrInvalidDateTimeFormat = errors.New("invalid date and time format")
+
+	// ErrMissingArtifactType is returned by [PackManifest] when
+	// packManifestVersion is PackManifestVersion1_1 and artifactType is
+	// empty and the config media type is set to
+	// "application/vnd.oci.empty.v1+json".
+	ErrMissingArtifactType = errors.New("missing artifact type")
+)
+
+// PackManifestVersion represents the manifest version used for [PackManifest].
+type PackManifestVersion int
+
+const (
+	// PackManifestVersion1_0 represents the OCI Image Manifest defined in
+	// image-spec v1.0.2.
+	// Reference: https://github.com/opencontainers/image-spec/blob/v1.0.2/manifest.md
+	PackManifestVersion1_0 PackManifestVersion = 1
+
+	// PackManifestVersion1_1_RC4 represents the OCI Image Manifest defined
+	// in image-spec v1.1.0-rc4.
+	// Reference: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc4/manifest.md
+	//
+	// Deprecated: This constant is deprecated and not recommended for future use.
+	// Use [PackManifestVersion1_1] instead.
+	PackManifestVersion1_1_RC4 PackManifestVersion = PackManifestVersion1_1
+
+	// PackManifestVersion1_1 represents the OCI Image Manifest defined in
+	// image-spec v1.1.1.
+	// Reference: https://github.com/opencontainers/image-spec/blob/v1.1.1/manifest.md
+	PackManifestVersion1_1 PackManifestVersion = 2
+)
+
+// PackManifestOptions contains optional parameters for [PackManifest].
+type PackManifestOptions struct {
+	// Subject is the subject of the manifest.
+	// This option is only valid when PackManifestVersion is
+	// NOT PackManifestVersion1_0.
+	Subject *ocispec.Descriptor
+
+	// Layers is the layers of the manifest.
+	Layers []ocispec.Descriptor
+
+	// ManifestAnnotations is the annotation map of the manifest. In order to
+	// make [PackManifest] reproducible, set the key ocispec.AnnotationCreated
+	// (i.e. "org.opencontainers.image.created") to a fixed value. The value
+	// must conform to RFC 3339.
+	ManifestAnnotations map[string]string
+
+	// ConfigDescriptor is a pointer to the descriptor of the config blob.
+	// If not nil, ConfigAnnotations will be ignored.
+	ConfigDescriptor *ocispec.Descriptor
+
+	// ConfigAnnotations is the annotation map of the config descriptor.
+	// This option is valid only when ConfigDescriptor is nil.
+	ConfigAnnotations map[string]string
+}
+
+// mediaTypeRegexp checks the format of media types.
+// References:
+//   - https://github.com/opencontainers/image-spec/blob/v1.1.1/schema/defs-descriptor.json#L7
+//   - https://datatracker.ietf.org/doc/html/rfc6838#section-4.2
+var mediaTypeRegexp = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}/[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}$`)
+
+// PackManifest generates an OCI Image Manifest based on the given parameters
+// and pushes the packed manifest to a content storage using pusher. The version
+// of the manifest to be packed is determined by packManifestVersion
+// (Recommended value: PackManifestVersion1_1).
+//
+//   - If packManifestVersion is [PackManifestVersion1_1]:
+//     artifactType MUST NOT be empty unless opts.ConfigDescriptor is specified.
+//   - If packManifestVersion is [PackManifestVersion1_0]:
+//     if opts.ConfigDescriptor is nil, artifactType will be used as the
+//     config media type; if artifactType is empty,
+//     "application/vnd.unknown.config.v1+json" will be used.
+//     if opts.ConfigDescriptor is NOT nil, artifactType will be ignored.
+//
+// artifactType and opts.ConfigDescriptor.MediaType MUST comply with RFC 6838.
+//
+// Each time when PackManifest is called, if a time stamp is not specified, a new time
+// stamp is generated in the manifest annotations with the key ocispec.AnnotationCreated
+// (i.e. "org.opencontainers.image.created"). To make [PackManifest] reproducible,
+// set the key ocispec.AnnotationCreated to a fixed value in
+// opts.ManifestAnnotations. The value MUST conform to RFC 3339.
+//
+// If succeeded, returns a descriptor of the packed manifest.
+func PackManifest(ctx context.Context, pusher content.Pusher, packManifestVersion PackManifestVersion, artifactType string, opts PackManifestOptions) (ocispec.Descriptor, error) {
+	switch packManifestVersion {
+	case PackManifestVersion1_0:
+		return packManifestV1_0(ctx, pusher, artifactType, opts)
+	case PackManifestVersion1_1:
+		return packManifestV1_1(ctx, pusher, artifactType, opts)
+	default:
+		return ocispec.Descriptor{}, fmt.Errorf("PackManifestVersion(%v): %w", packManifestVersion, errdef.ErrUnsupported)
+	}
+}
+
+// PackOptions contains optional parameters for [Pack].
+//
+// Deprecated: This type is deprecated and not recommended for future use.
+// Use [PackManifestOptions] instead.
+type PackOptions struct {
+	// Subject is the subject of the manifest.
+	Subject *ocispec.Descriptor
+
+	// ManifestAnnotations is the annotation map of the manifest.
+	ManifestAnnotations map[string]string
+
+	// PackImageManifest controls whether to pack an OCI Image Manifest or not.
+	//   - If true, pack an OCI Image Manifest.
+	//   - If false, pack an OCI Artifact Manifest (deprecated).
+	//
+	// Default value: false.
+	PackImageManifest bool
+
+	// ConfigDescriptor is a pointer to the descriptor of the config blob.
+	// If not nil, artifactType will be implied by the mediaType of the
+	// specified ConfigDescriptor, and ConfigAnnotations will be ignored.
+	// This option is valid only when PackImageManifest is true.
+	ConfigDescriptor *ocispec.Descriptor
+
+	// ConfigAnnotations is the annotation map of the config descriptor.
+	// This option is valid only when PackImageManifest is true
+	// and ConfigDescriptor is nil.
+	ConfigAnnotations map[string]string
+}
+
+// Pack packs the given blobs, generates a manifest for the pack,
+// and pushes it to a content storage.
+//
+// When opts.PackImageManifest is true, artifactType will be used as the
+// the config descriptor mediaType of the image manifest.
+//
+// If succeeded, returns a descriptor of the manifest.
+//
+// Deprecated: This method is deprecated and not recommended for future use.
+// Use [PackManifest] instead.
+func Pack(ctx context.Context, pusher content.Pusher, artifactType string, blobs []ocispec.Descriptor, opts PackOptions) (ocispec.Descriptor, error) {
+	if opts.PackImageManifest {
+		return packManifestV1_1_RC2(ctx, pusher, artifactType, blobs, opts)
+	}
+	return packArtifact(ctx, pusher, artifactType, blobs, opts)
+}
+
+// packArtifact packs an Artifact manifest as defined in image-spec v1.1.0-rc2.
+// Reference: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/artifact.md
+func packArtifact(ctx context.Context, pusher content.Pusher, artifactType string, blobs []ocispec.Descriptor, opts PackOptions) (ocispec.Descriptor, error) {
+	if artifactType == "" {
+		artifactType = MediaTypeUnknownArtifact
+	}
+
+	annotations, err := ensureAnnotationCreated(opts.ManifestAnnotations, spec.AnnotationArtifactCreated)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	manifest := spec.Artifact{
+		MediaType:    spec.MediaTypeArtifactManifest,
+		ArtifactType: artifactType,
+		Blobs:        blobs,
+		Subject:      opts.Subject,
+		Annotations:  annotations,
+	}
+	return pushManifest(ctx, pusher, manifest, manifest.MediaType, manifest.ArtifactType, manifest.Annotations)
+}
+
+// packManifestV1_0 packs an image manifest defined in image-spec v1.0.2.
+// Reference: https://github.com/opencontainers/image-spec/blob/v1.0.2/manifest.md
+func packManifestV1_0(ctx context.Context, pusher content.Pusher, artifactType string, opts PackManifestOptions) (ocispec.Descriptor, error) {
+	if opts.Subject != nil {
+		return ocispec.Descriptor{}, fmt.Errorf("subject is not supported for manifest version %v: %w", PackManifestVersion1_0, errdef.ErrUnsupported)
+	}
+
+	// prepare config
+	var configDesc ocispec.Descriptor
+	if opts.ConfigDescriptor != nil {
+		if err := validateMediaType(opts.ConfigDescriptor.MediaType); err != nil {
+			return ocispec.Descriptor{}, fmt.Errorf("invalid config mediaType format: %w", err)
+		}
+		configDesc = *opts.ConfigDescriptor
+	} else {
+		if artifactType == "" {
+			artifactType = MediaTypeUnknownConfig
+		} else if err := validateMediaType(artifactType); err != nil {
+			return ocispec.Descriptor{}, fmt.Errorf("invalid artifactType format: %w", err)
+		}
+		var err error
+		configDesc, err = pushCustomEmptyConfig(ctx, pusher, artifactType, opts.ConfigAnnotations)
+		if err != nil {
+			return ocispec.Descriptor{}, err
+		}
+	}
+
+	annotations, err := ensureAnnotationCreated(opts.ManifestAnnotations, ocispec.AnnotationCreated)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	if opts.Layers == nil {
+		opts.Layers = []ocispec.Descriptor{} // make it an empty array to prevent potential server-side bugs
+	}
+	manifest := ocispec.Manifest{
+		Versioned: specs.Versioned{
+			SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
+		},
+		Config:      configDesc,
+		MediaType:   ocispec.MediaTypeImageManifest,
+		Layers:      opts.Layers,
+		Annotations: annotations,
+	}
+	return pushManifest(ctx, pusher, manifest, manifest.MediaType, manifest.Config.MediaType, manifest.Annotations)
+}
+
+// packManifestV1_1_RC2 packs an image manifest as defined in image-spec
+// v1.1.0-rc2.
+// Reference: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/manifest.md
+func packManifestV1_1_RC2(ctx context.Context, pusher content.Pusher, configMediaType string, layers []ocispec.Descriptor, opts PackOptions) (ocispec.Descriptor, error) {
+	if configMediaType == "" {
+		configMediaType = MediaTypeUnknownConfig
+	}
+
+	// prepare config
+	var configDesc ocispec.Descriptor
+	if opts.ConfigDescriptor != nil {
+		configDesc = *opts.ConfigDescriptor
+	} else {
+		var err error
+		configDesc, err = pushCustomEmptyConfig(ctx, pusher, configMediaType, opts.ConfigAnnotations)
+		if err != nil {
+			return ocispec.Descriptor{}, err
+		}
+	}
+
+	annotations, err := ensureAnnotationCreated(opts.ManifestAnnotations, ocispec.AnnotationCreated)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	if layers == nil {
+		layers = []ocispec.Descriptor{} // make it an empty array to prevent potential server-side bugs
+	}
+	manifest := ocispec.Manifest{
+		Versioned: specs.Versioned{
+			SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
+		},
+		Config:      configDesc,
+		MediaType:   ocispec.MediaTypeImageManifest,
+		Layers:      layers,
+		Subject:     opts.Subject,
+		Annotations: annotations,
+	}
+	return pushManifest(ctx, pusher, manifest, manifest.MediaType, manifest.Config.MediaType, manifest.Annotations)
+}
+
+// packManifestV1_1 packs an image manifest defined in image-spec v1.1.1.
+// Reference: https://github.com/opencontainers/image-spec/blob/v1.1.1/manifest.md#guidelines-for-artifact-usage
+func packManifestV1_1(ctx context.Context, pusher content.Pusher, artifactType string, opts PackManifestOptions) (ocispec.Descriptor, error) {
+	if artifactType == "" && (opts.ConfigDescriptor == nil || opts.ConfigDescriptor.MediaType == ocispec.MediaTypeEmptyJSON) {
+		// artifactType MUST be set when config.mediaType is set to the empty value
+		return ocispec.Descriptor{}, ErrMissingArtifactType
+	}
+	if artifactType != "" {
+		if err := validateMediaType(artifactType); err != nil {
+			return ocispec.Descriptor{}, fmt.Errorf("invalid artifactType format: %w", err)
+		}
+	}
+
+	// prepare config
+	var emptyBlobExists bool
+	var configDesc ocispec.Descriptor
+	if opts.ConfigDescriptor != nil {
+		if err := validateMediaType(opts.ConfigDescriptor.MediaType); err != nil {
+			return ocispec.Descriptor{}, fmt.Errorf("invalid config mediaType format: %w", err)
+		}
+		configDesc = *opts.ConfigDescriptor
+	} else {
+		// use the empty descriptor for config
+		configDesc = ocispec.DescriptorEmptyJSON
+		configDesc.Annotations = opts.ConfigAnnotations
+		configBytes := ocispec.DescriptorEmptyJSON.Data
+		// push config
+		if err := pushIfNotExist(ctx, pusher, configDesc, configBytes); err != nil {
+			return ocispec.Descriptor{}, fmt.Errorf("failed to push config: %w", err)
+		}
+		emptyBlobExists = true
+	}
+
+	annotations, err := ensureAnnotationCreated(opts.ManifestAnnotations, ocispec.AnnotationCreated)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	if len(opts.Layers) == 0 {
+		// use the empty descriptor as the single layer
+		layerDesc := ocispec.DescriptorEmptyJSON
+		layerData := ocispec.DescriptorEmptyJSON.Data
+		if !emptyBlobExists {
+			if err := pushIfNotExist(ctx, pusher, layerDesc, layerData); err != nil {
+				return ocispec.Descriptor{}, fmt.Errorf("failed to push layer: %w", err)
+			}
+		}
+		opts.Layers = []ocispec.Descriptor{layerDesc}
+	}
+
+	manifest := ocispec.Manifest{
+		Versioned: specs.Versioned{
+			SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
+		},
+		Config:       configDesc,
+		MediaType:    ocispec.MediaTypeImageManifest,
+		Layers:       opts.Layers,
+		Subject:      opts.Subject,
+		ArtifactType: artifactType,
+		Annotations:  annotations,
+	}
+	return pushManifest(ctx, pusher, manifest, manifest.MediaType, manifest.ArtifactType, manifest.Annotations)
+}
+
+// pushIfNotExist pushes data described by desc if it does not exist in the
+// target.
+func pushIfNotExist(ctx context.Context, pusher content.Pusher, desc ocispec.Descriptor, data []byte) error {
+	if ros, ok := pusher.(content.ReadOnlyStorage); ok {
+		exists, err := ros.Exists(ctx, desc)
+		if err != nil {
+			return fmt.Errorf("failed to check existence: %s: %s: %w", desc.Digest.String(), desc.MediaType, err)
+		}
+		if exists {
+			return nil
+		}
+	}
+
+	if err := pusher.Push(ctx, desc, bytes.NewReader(data)); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) {
+		return fmt.Errorf("failed to push: %s: %s: %w", desc.Digest.String(), desc.MediaType, err)
+	}
+	return nil
+}
+
+// pushManifest marshals manifest into JSON bytes and pushes it.
+func pushManifest(ctx context.Context, pusher content.Pusher, manifest any, mediaType string, artifactType string, annotations map[string]string) (ocispec.Descriptor, error) {
+	manifestJSON, err := json.Marshal(manifest)
+	if err != nil {
+		return ocispec.Descriptor{}, fmt.Errorf("failed to marshal manifest: %w", err)
+	}
+	manifestDesc := content.NewDescriptorFromBytes(mediaType, manifestJSON)
+	// populate ArtifactType and Annotations of the manifest into manifestDesc
+	manifestDesc.ArtifactType = artifactType
+	manifestDesc.Annotations = annotations
+	// push manifest
+	if err := pusher.Push(ctx, manifestDesc, bytes.NewReader(manifestJSON)); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) {
+		return ocispec.Descriptor{}, fmt.Errorf("failed to push manifest: %w", err)
+	}
+	return manifestDesc, nil
+}
+
+// pushCustomEmptyConfig generates and pushes an empty config blob.
+func pushCustomEmptyConfig(ctx context.Context, pusher content.Pusher, mediaType string, annotations map[string]string) (ocispec.Descriptor, error) {
+	// Use an empty JSON object here, because some registries may not accept
+	// empty config blob.
+	// As of September 2022, GAR is known to return 400 on empty blob upload.
+	// See https://github.com/oras-project/oras-go/issues/294 for details.
+	configBytes := []byte("{}")
+	configDesc := content.NewDescriptorFromBytes(mediaType, configBytes)
+	configDesc.Annotations = annotations
+	// push config
+	if err := pushIfNotExist(ctx, pusher, configDesc, configBytes); err != nil {
+		return ocispec.Descriptor{}, fmt.Errorf("failed to push config: %w", err)
+	}
+	return configDesc, nil
+}
+
+// ensureAnnotationCreated ensures that annotationCreatedKey is in annotations,
+// and that its value conforms to RFC 3339. Otherwise returns a new annotation
+// map with annotationCreatedKey created.
+func ensureAnnotationCreated(annotations map[string]string, annotationCreatedKey string) (map[string]string, error) {
+	if createdTime, ok := annotations[annotationCreatedKey]; ok {
+		// if annotationCreatedKey is provided, validate its format
+		if _, err := time.Parse(time.RFC3339, createdTime); err != nil {
+			return nil, fmt.Errorf("%w: %v", ErrInvalidDateTimeFormat, err)
+		}
+		return annotations, nil
+	}
+
+	// copy the original annotation map
+	copied := make(map[string]string, len(annotations)+1)
+	maps.Copy(copied, annotations)
+
+	// set creation time in RFC 3339 format
+	// reference: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/annotations.md#pre-defined-annotation-keys
+	now := time.Now().UTC()
+	copied[annotationCreatedKey] = now.Format(time.RFC3339)
+	return copied, nil
+}
+
+// validateMediaType validates the format of mediaType.
+func validateMediaType(mediaType string) error {
+	if !mediaTypeRegexp.MatchString(mediaType) {
+		return fmt.Errorf("%s: %w", mediaType, errdef.ErrInvalidMediaType)
+	}
+	return nil
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/reference.go b/vendor/oras.land/oras-go/v2/registry/reference.go
new file mode 100644
index 0000000000..54c72fd29c
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/reference.go
@@ -0,0 +1,276 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"fmt"
+	"net/url"
+	"regexp"
+	"strings"
+
+	"github.com/opencontainers/go-digest"
+	"oras.land/oras-go/v2/errdef"
+)
+
+// regular expressions for components.
+var (
+	// repositoryRegexp is adapted from the distribution implementation. The
+	// repository name set under OCI distribution spec is a subset of the docker
+	// spec. For maximum compatability, the docker spec is verified client-side.
+	// Further checks are left to the server-side.
+	//
+	// References:
+	//   - https://github.com/distribution/distribution/blob/v2.7.1/reference/regexp.go#L53
+	//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pulling-manifests
+	repositoryRegexp = regexp.MustCompile(`^[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*(?:/[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*)*$`)
+
+	// tagRegexp checks the tag name.
+	// The docker and OCI spec have the same regular expression.
+	//
+	// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pulling-manifests
+	tagRegexp = regexp.MustCompile(`^[\w][\w.-]{0,127}$`)
+)
+
+// Reference references either a resource descriptor (where Reference.Reference
+// is a tag or a digest), or a resource repository (where Reference.Reference
+// is the empty string).
+type Reference struct {
+	// Registry is the name of the registry. It is usually the domain name of
+	// the registry optionally with a port.
+	Registry string
+
+	// Repository is the name of the repository.
+	Repository string
+
+	// Reference is the reference of the object in the repository. This field
+	// can take any one of the four valid forms (see ParseReference). In the
+	// case where it's the empty string, it necessarily implies valid form D,
+	// and where it is non-empty, then it is either a tag, or a digest
+	// (implying one of valid forms A, B, or C).
+	Reference string
+}
+
+// ParseReference parses a string (artifact) into an `artifact reference`.
+// Corresponding cryptographic hash implementations are required to be imported
+// as specified by https://pkg.go.dev/github.com/opencontainers/go-digest#readme-usage
+// if the string contains a digest.
+//
+// Note: An "image" is an "artifact", however, an "artifact" is not necessarily
+// an "image".
+//
+// The token `artifact` is composed of other tokens, and those in turn are
+// composed of others.  This definition recursivity requires a notation capable
+// of recursion, thus the following two forms have been adopted:
+//
+//  1. Backus–Naur Form (BNF) has been adopted to address the recursive nature
+//     of the definition.
+//  2. Token opacity is revealed via its label letter-casing.  That is, "opaque"
+//     tokens (i.e., tokens that are not final, and must therefore be further
+//     broken down into their constituents) are denoted in *lowercase*, while
+//     final tokens (i.e., leaf-node tokens that are final) are denoted in
+//     *uppercase*.
+//
+// Finally, note that a number of the opaque tokens are polymorphic in nature;
+// that is, they can take on one of numerous forms, not restricted to a single
+// defining form.
+//
+// The top-level token, `artifact`, is composed of two (opaque) tokens; namely
+// `socketaddr` and `path`:
+//
+//	<artifact> ::= <socketaddr> "/" <path>
+//
+// The former is described as follows:
+//
+//	   <socketaddr> ::= <host> | <host> ":" <PORT>
+//		     <host> ::= <ip> | <FQDN>
+//		       <ip> ::= <IPV4-ADDR> | <IPV6-ADDR>
+//
+// The latter, which is of greater interest here, is described as follows:
+//
+//	     <path> ::= <REPOSITORY> | <REPOSITORY> <reference>
+//	<reference> ::= "@" <digest> | ":" <TAG> "@" <DIGEST> | ":" <TAG>
+//	   <digest> ::= <ALGO> ":" <HASH>
+//
+// This second token--`path`--can take on exactly four forms, each of which will
+// now be illustrated:
+//
+//	<--- path --------------------------------------------> |  - Decode `path`
+//	<=== REPOSITORY ===> <--- reference ------------------> |    - Decode `reference`
+//	<=== REPOSITORY ===> @ <=================== digest ===> |      - Valid Form A
+//	<=== REPOSITORY ===> : <!!! TAG !!!> @ <=== digest ===> |      - Valid Form B (tag is dropped)
+//	<=== REPOSITORY ===> : <=== TAG ======================> |      - Valid Form C
+//	<=== REPOSITORY ======================================> |    - Valid Form D
+//
+// Note: In the case of Valid Form B, TAG is dropped without any validation or
+// further consideration.
+func ParseReference(artifact string) (Reference, error) {
+	parts := strings.SplitN(artifact, "/", 2)
+	if len(parts) == 1 {
+		// Invalid Form
+		return Reference{}, fmt.Errorf("%w: missing registry or repository", errdef.ErrInvalidReference)
+	}
+	registry, path := parts[0], parts[1]
+
+	var isTag bool
+	var repository string
+	var reference string
+	if index := strings.Index(path, "@"); index != -1 {
+		// `digest` found; Valid Form A (if not B)
+		isTag = false
+		repository = path[:index]
+		reference = path[index+1:]
+
+		if index = strings.Index(repository, ":"); index != -1 {
+			// `tag` found (and now dropped without validation) since `the
+			// `digest` already present; Valid Form B
+			repository = repository[:index]
+		}
+	} else if index = strings.Index(path, ":"); index != -1 {
+		// `tag` found; Valid Form C
+		isTag = true
+		repository = path[:index]
+		reference = path[index+1:]
+	} else {
+		// empty `reference`; Valid Form D
+		repository = path
+	}
+	ref := Reference{
+		Registry:   registry,
+		Repository: repository,
+		Reference:  reference,
+	}
+
+	if err := ref.ValidateRegistry(); err != nil {
+		return Reference{}, err
+	}
+
+	if err := ref.ValidateRepository(); err != nil {
+		return Reference{}, err
+	}
+
+	if len(ref.Reference) == 0 {
+		return ref, nil
+	}
+
+	validator := ref.ValidateReferenceAsDigest
+	if isTag {
+		validator = ref.ValidateReferenceAsTag
+	}
+	if err := validator(); err != nil {
+		return Reference{}, err
+	}
+
+	return ref, nil
+}
+
+// Validate the entire reference object; the registry, the repository, and the
+// reference.
+func (r Reference) Validate() error {
+	if err := r.ValidateRegistry(); err != nil {
+		return err
+	}
+
+	if err := r.ValidateRepository(); err != nil {
+		return err
+	}
+
+	return r.ValidateReference()
+}
+
+// ValidateRegistry validates the registry.
+func (r Reference) ValidateRegistry() error {
+	if uri, err := url.ParseRequestURI("dummy://" + r.Registry); err != nil || uri.Host == "" || uri.Host != r.Registry {
+		return fmt.Errorf("%w: invalid registry %q", errdef.ErrInvalidReference, r.Registry)
+	}
+	return nil
+}
+
+// ValidateRepository validates the repository.
+func (r Reference) ValidateRepository() error {
+	if !repositoryRegexp.MatchString(r.Repository) {
+		return fmt.Errorf("%w: invalid repository %q", errdef.ErrInvalidReference, r.Repository)
+	}
+	return nil
+}
+
+// ValidateReferenceAsTag validates the reference as a tag.
+func (r Reference) ValidateReferenceAsTag() error {
+	if !tagRegexp.MatchString(r.Reference) {
+		return fmt.Errorf("%w: invalid tag %q", errdef.ErrInvalidReference, r.Reference)
+	}
+	return nil
+}
+
+// ValidateReferenceAsDigest validates the reference as a digest.
+func (r Reference) ValidateReferenceAsDigest() error {
+	if _, err := r.Digest(); err != nil {
+		return fmt.Errorf("%w: invalid digest %q: %v", errdef.ErrInvalidReference, r.Reference, err)
+	}
+	return nil
+}
+
+// ValidateReference where the reference is first tried as an ampty string, then
+// as a digest, and if that fails, as a tag.
+func (r Reference) ValidateReference() error {
+	if len(r.Reference) == 0 {
+		return nil
+	}
+
+	if index := strings.IndexByte(r.Reference, ':'); index != -1 {
+		return r.ValidateReferenceAsDigest()
+	}
+
+	return r.ValidateReferenceAsTag()
+}
+
+// Host returns the host name of the registry.
+func (r Reference) Host() string {
+	if r.Registry == "docker.io" {
+		return "registry-1.docker.io"
+	}
+	return r.Registry
+}
+
+// ReferenceOrDefault returns the reference or the default reference if empty.
+func (r Reference) ReferenceOrDefault() string {
+	if r.Reference == "" {
+		return "latest"
+	}
+	return r.Reference
+}
+
+// Digest returns the reference as a digest.
+// Corresponding cryptographic hash implementations are required to be imported
+// as specified by https://pkg.go.dev/github.com/opencontainers/go-digest#readme-usage
+func (r Reference) Digest() (digest.Digest, error) {
+	return digest.Parse(r.Reference)
+}
+
+// String implements `fmt.Stringer` and returns the reference string.
+// The resulted string is meaningful only if the reference is valid.
+func (r Reference) String() string {
+	if r.Repository == "" {
+		return r.Registry
+	}
+	ref := r.Registry + "/" + r.Repository
+	if r.Reference == "" {
+		return ref
+	}
+	if d, err := r.Digest(); err == nil {
+		return ref + "@" + d.String()
+	}
+	return ref + ":" + r.Reference
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/registry.go b/vendor/oras.land/oras-go/v2/registry/registry.go
new file mode 100644
index 0000000000..4736efa84f
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/registry.go
@@ -0,0 +1,52 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package registry provides high-level operations to manage registries.
+package registry
+
+import "context"
+
+// Registry represents a collection of repositories.
+type Registry interface {
+	// Repositories lists the name of repositories available in the registry.
+	// Since the returned repositories may be paginated by the underlying
+	// implementation, a function should be passed in to process the paginated
+	// repository list.
+	// `last` argument is the `last` parameter when invoking the catalog API.
+	// If `last` is NOT empty, the entries in the response start after the
+	// repo specified by `last`. Otherwise, the response starts from the top
+	// of the Repositories list.
+	// Note: When implemented by a remote registry, the catalog API is called.
+	// However, not all registries supports pagination or conforms the
+	// specification.
+	// Reference: https://distribution.github.io/distribution/spec/api/#catalog
+	// See also `Repositories()` in this package.
+	Repositories(ctx context.Context, last string, fn func(repos []string) error) error
+
+	// Repository returns a repository reference by the given name.
+	Repository(ctx context.Context, name string) (Repository, error)
+}
+
+// Repositories lists the name of repositories available in the registry.
+func Repositories(ctx context.Context, reg Registry) ([]string, error) {
+	var res []string
+	if err := reg.Repositories(ctx, "", func(repos []string) error {
+		res = append(res, repos...)
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return res, nil
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/cache.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/cache.go
new file mode 100644
index 0000000000..d11c092bf5
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/cache.go
@@ -0,0 +1,232 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"context"
+	"strings"
+	"sync"
+
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/syncutil"
+)
+
+// DefaultCache is the sharable cache used by DefaultClient.
+var DefaultCache Cache = NewCache()
+
+// Cache caches the auth-scheme and auth-token for the "Authorization" header in
+// accessing the remote registry.
+// Precisely, the header is `Authorization: auth-scheme auth-token`.
+// The `auth-token` is a generic term as `token68` in RFC 7235 section 2.1.
+type Cache interface {
+	// GetScheme returns the auth-scheme part cached for the given registry.
+	// A single registry is assumed to have a consistent scheme.
+	// If a registry has different schemes per path, the auth client is still
+	// workable. However, the cache may not be effective as the cache cannot
+	// correctly guess the scheme.
+	GetScheme(ctx context.Context, registry string) (Scheme, error)
+
+	// GetToken returns the auth-token part cached for the given registry of a
+	// given scheme.
+	// The underlying implementation MAY cache the token for all schemes for the
+	// given registry.
+	GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error)
+
+	// Set fetches the token using the given fetch function and caches the token
+	// for the given scheme with the given key for the given registry.
+	// The return values of the fetch function is returned by this function.
+	// The underlying implementation MAY combine the fetch operation if the Set
+	// function is invoked multiple times at the same time.
+	Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error)
+}
+
+// cacheEntry is a cache entry for a single registry.
+type cacheEntry struct {
+	scheme Scheme
+	tokens sync.Map // map[string]string
+}
+
+// concurrentCache is a cache suitable for concurrent invocation.
+type concurrentCache struct {
+	status sync.Map // map[string]*syncutil.Once
+	cache  sync.Map // map[string]*cacheEntry
+}
+
+// NewCache creates a new go-routine safe cache instance.
+func NewCache() Cache {
+	return &concurrentCache{}
+}
+
+// GetScheme returns the auth-scheme part cached for the given registry.
+func (cc *concurrentCache) GetScheme(ctx context.Context, registry string) (Scheme, error) {
+	entry, ok := cc.cache.Load(registry)
+	if !ok {
+		return SchemeUnknown, errdef.ErrNotFound
+	}
+	return entry.(*cacheEntry).scheme, nil
+}
+
+// GetToken returns the auth-token part cached for the given registry of a given
+// scheme.
+func (cc *concurrentCache) GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) {
+	entryValue, ok := cc.cache.Load(registry)
+	if !ok {
+		return "", errdef.ErrNotFound
+	}
+	entry := entryValue.(*cacheEntry)
+	if entry.scheme != scheme {
+		return "", errdef.ErrNotFound
+	}
+	if token, ok := entry.tokens.Load(key); ok {
+		return token.(string), nil
+	}
+	return "", errdef.ErrNotFound
+}
+
+// Set fetches the token using the given fetch function and caches the token
+// for the given scheme with the given key for the given registry.
+// Set combines the fetch operation if the Set is invoked multiple times at the
+// same time.
+func (cc *concurrentCache) Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) {
+	// fetch token
+	statusKey := strings.Join([]string{
+		registry,
+		scheme.String(),
+		key,
+	}, " ")
+	statusValue, _ := cc.status.LoadOrStore(statusKey, syncutil.NewOnce())
+	fetchOnce := statusValue.(*syncutil.Once)
+	fetchedFirst, result, err := fetchOnce.Do(ctx, func() (interface{}, error) {
+		return fetch(ctx)
+	})
+	if fetchedFirst {
+		cc.status.Delete(statusKey)
+	}
+	if err != nil {
+		return "", err
+	}
+	token := result.(string)
+	if !fetchedFirst {
+		return token, nil
+	}
+
+	// cache token
+	newEntry := &cacheEntry{
+		scheme: scheme,
+	}
+	entryValue, exists := cc.cache.LoadOrStore(registry, newEntry)
+	entry := entryValue.(*cacheEntry)
+	if exists && entry.scheme != scheme {
+		// there is a scheme change, which is not expected in most scenarios.
+		// force invalidating all previous cache.
+		entry = newEntry
+		cc.cache.Store(registry, entry)
+	}
+	entry.tokens.Store(key, token)
+
+	return token, nil
+}
+
+// noCache is a cache implementation that does not do cache at all.
+type noCache struct{}
+
+// GetScheme always returns not found error as it has no cache.
+func (noCache) GetScheme(ctx context.Context, registry string) (Scheme, error) {
+	return SchemeUnknown, errdef.ErrNotFound
+}
+
+// GetToken always returns not found error as it has no cache.
+func (noCache) GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) {
+	return "", errdef.ErrNotFound
+}
+
+// Set calls fetch directly without caching.
+func (noCache) Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) {
+	return fetch(ctx)
+}
+
+// hostCache is an auth cache that ignores scopes.  Uses only the registry's hostname to find a token.
+type hostCache struct {
+	Cache
+}
+
+// GetToken implements Cache.
+func (c *hostCache) GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) {
+	return c.Cache.GetToken(ctx, registry, scheme, "")
+}
+
+// Set implements Cache.
+func (c *hostCache) Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) {
+	return c.Cache.Set(ctx, registry, scheme, "", fetch)
+}
+
+// fallbackCache tries the primary cache then falls back to the secondary cache.
+type fallbackCache struct {
+	primary   Cache
+	secondary Cache
+}
+
+// GetScheme implements Cache.
+func (fc *fallbackCache) GetScheme(ctx context.Context, registry string) (Scheme, error) {
+	scheme, err := fc.primary.GetScheme(ctx, registry)
+	if err == nil {
+		return scheme, nil
+	}
+
+	// fallback
+	return fc.secondary.GetScheme(ctx, registry)
+}
+
+// GetToken implements Cache.
+func (fc *fallbackCache) GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) {
+	token, err := fc.primary.GetToken(ctx, registry, scheme, key)
+	if err == nil {
+		return token, nil
+	}
+
+	// fallback
+	return fc.secondary.GetToken(ctx, registry, scheme, key)
+}
+
+// Set implements Cache.
+func (fc *fallbackCache) Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) {
+	token, err := fc.primary.Set(ctx, registry, scheme, key, fetch)
+	if err != nil {
+		return "", err
+	}
+
+	return fc.secondary.Set(ctx, registry, scheme, key, func(ctx context.Context) (string, error) {
+		return token, nil
+	})
+}
+
+// NewSingleContextCache creates a host-based cache for optimizing the auth flow for non-compliant registries.
+// It is intended to be used in a single context, such as pulling from a single repository.
+// This cache should not be shared.
+//
+// Note: [NewCache] should be used for compliant registries as it can be shared
+// across context and will generally make less re-authentication requests.
+func NewSingleContextCache() Cache {
+	cache := NewCache()
+	return &fallbackCache{
+		primary: cache,
+		// We can re-use the came concurrentCache here because the key space is different
+		// (keys are always empty for the hostCache) so there is no collision.
+		// Even if there is a collision it is not an issue.
+		// Re-using saves a little memory.
+		secondary: &hostCache{cache},
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/challenge.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/challenge.go
new file mode 100644
index 0000000000..ffc52f8e21
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/challenge.go
@@ -0,0 +1,167 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"strconv"
+	"strings"
+)
+
+// Scheme define the authentication method.
+type Scheme byte
+
+const (
+	// SchemeUnknown represents unknown or unsupported schemes
+	SchemeUnknown Scheme = iota
+
+	// SchemeBasic represents the "Basic" HTTP authentication scheme.
+	// Reference: https://tools.ietf.org/html/rfc7617
+	SchemeBasic
+
+	// SchemeBearer represents the Bearer token in OAuth 2.0.
+	// Reference: https://tools.ietf.org/html/rfc6750
+	SchemeBearer
+)
+
+// parseScheme parse the authentication scheme from the given string
+// case-insensitively.
+func parseScheme(scheme string) Scheme {
+	switch {
+	case strings.EqualFold(scheme, "basic"):
+		return SchemeBasic
+	case strings.EqualFold(scheme, "bearer"):
+		return SchemeBearer
+	}
+	return SchemeUnknown
+}
+
+// String return the string for the scheme.
+func (s Scheme) String() string {
+	switch s {
+	case SchemeBasic:
+		return "Basic"
+	case SchemeBearer:
+		return "Bearer"
+	}
+	return "Unknown"
+}
+
+// parseChallenge parses the "WWW-Authenticate" header returned by the remote
+// registry, and extracts parameters if scheme is Bearer.
+// References:
+// - https://distribution.github.io/distribution/spec/auth/token/#how-to-authenticate
+// - https://tools.ietf.org/html/rfc7235#section-2.1
+func parseChallenge(header string) (scheme Scheme, params map[string]string) {
+	// as defined in RFC 7235 section 2.1, we have
+	//     challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
+	//     auth-scheme = token
+	//     auth-param  = token BWS "=" BWS ( token / quoted-string )
+	//
+	// since we focus parameters only on Bearer, we have
+	//     challenge   = auth-scheme [ 1*SP #auth-param ]
+	schemeString, rest := parseToken(header)
+	scheme = parseScheme(schemeString)
+
+	// fast path for non bearer challenge
+	if scheme != SchemeBearer {
+		return
+	}
+
+	// parse params for bearer auth.
+	// combining RFC 7235 section 2.1 with RFC 7230 section 7, we have
+	//     #auth-param => auth-param *( OWS "," OWS auth-param )
+	var key, value string
+	for {
+		key, rest = parseToken(skipSpace(rest))
+		if key == "" {
+			return
+		}
+
+		rest = skipSpace(rest)
+		if rest == "" || rest[0] != '=' {
+			return
+		}
+		rest = skipSpace(rest[1:])
+		if rest == "" {
+			return
+		}
+
+		if rest[0] == '"' {
+			prefix, err := strconv.QuotedPrefix(rest)
+			if err != nil {
+				return
+			}
+			value, err = strconv.Unquote(prefix)
+			if err != nil {
+				return
+			}
+			rest = rest[len(prefix):]
+		} else {
+			value, rest = parseToken(rest)
+			if value == "" {
+				return
+			}
+		}
+		if params == nil {
+			params = map[string]string{
+				key: value,
+			}
+		} else {
+			params[key] = value
+		}
+
+		rest = skipSpace(rest)
+		if rest == "" || rest[0] != ',' {
+			return
+		}
+		rest = rest[1:]
+	}
+}
+
+// isNotTokenChar reports whether rune is not a `tchar` defined in RFC 7230
+// section 3.2.6.
+func isNotTokenChar(r rune) bool {
+	// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
+	//       / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+	//       / DIGIT / ALPHA
+	//       ; any VCHAR, except delimiters
+	return (r < 'A' || r > 'Z') && (r < 'a' || r > 'z') &&
+		(r < '0' || r > '9') && !strings.ContainsRune("!#$%&'*+-.^_`|~", r)
+}
+
+// parseToken finds the next token from the given string. If no token found,
+// an empty token is returned and the whole of the input is returned in rest.
+// Note: Since token = 1*tchar, empty string is not a valid token.
+func parseToken(s string) (token, rest string) {
+	if i := strings.IndexFunc(s, isNotTokenChar); i != -1 {
+		return s[:i], s[i:]
+	}
+	return s, ""
+}
+
+// skipSpace skips "bad" whitespace (BWS) defined in RFC 7230 section 3.2.3.
+func skipSpace(s string) string {
+	// OWS = *( SP / HTAB )
+	//     ; optional whitespace
+	// BWS = OWS
+	//     ; "bad" whitespace
+	if i := strings.IndexFunc(s, func(r rune) bool {
+		return r != ' ' && r != '\t'
+	}); i != -1 {
+		return s[i:]
+	}
+	return s
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/client.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/client.go
new file mode 100644
index 0000000000..5c5330e725
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/client.go
@@ -0,0 +1,430 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package auth provides authentication for a client to a remote registry.
+package auth
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"oras.land/oras-go/v2/registry/remote/internal/errutil"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+// ErrBasicCredentialNotFound is returned  when the credential is not found for
+// basic auth.
+var ErrBasicCredentialNotFound = errors.New("basic credential not found")
+
+// DefaultClient is the default auth-decorated client.
+var DefaultClient = &Client{
+	Client: retry.DefaultClient,
+	Header: http.Header{
+		"User-Agent": {"oras-go"},
+	},
+	Cache: DefaultCache,
+}
+
+// maxResponseBytes specifies the default limit on how many response bytes are
+// allowed in the server's response from authorization service servers.
+// A typical response message from authorization service servers is around 1 to
+// 4 KiB. Since the size of a token must be smaller than the HTTP header size
+// limit, which is usually 16 KiB. As specified by the distribution, the
+// response may contain 2 identical tokens, that is, 16 x 2 = 32 KiB.
+// Hence, 128 KiB should be sufficient.
+// References: https://distribution.github.io/distribution/spec/auth/token/
+var maxResponseBytes int64 = 128 * 1024 // 128 KiB
+
+// defaultClientID specifies the default client ID used in OAuth2.
+// See also ClientID.
+var defaultClientID = "oras-go"
+
+// CredentialFunc represents a function that resolves the credential for the
+// given registry (i.e. host:port).
+//
+// [EmptyCredential] is a valid return value and should not be considered as
+// an error.
+type CredentialFunc func(ctx context.Context, hostport string) (Credential, error)
+
+// StaticCredential specifies static credentials for the given host.
+func StaticCredential(registry string, cred Credential) CredentialFunc {
+	if registry == "docker.io" {
+		// it is expected that traffic targeting "docker.io" will be redirected
+		// to "registry-1.docker.io"
+		// reference: https://github.com/moby/moby/blob/v24.0.0-beta.2/registry/config.go#L25-L48
+		registry = "registry-1.docker.io"
+	}
+	return func(_ context.Context, hostport string) (Credential, error) {
+		if hostport == registry {
+			return cred, nil
+		}
+		return EmptyCredential, nil
+	}
+}
+
+// Client is an auth-decorated HTTP client.
+// Its zero value is a usable client that uses http.DefaultClient with no cache.
+type Client struct {
+	// Client is the underlying HTTP client used to access the remote
+	// server.
+	// If nil, http.DefaultClient is used.
+	// It is possible to use the default retry client from the package
+	// `oras.land/oras-go/v2/registry/remote/retry`. That client is already available
+	// in the DefaultClient.
+	// It is also possible to use a custom client. For example, github.com/hashicorp/go-retryablehttp
+	// is a popular HTTP client that supports retries.
+	Client *http.Client
+
+	// Header contains the custom headers to be added to each request.
+	Header http.Header
+
+	// Credential specifies the function for resolving the credential for the
+	// given registry (i.e. host:port).
+	// EmptyCredential is a valid return value and should not be considered as
+	// an error.
+	// If nil, the credential is always resolved to EmptyCredential.
+	Credential CredentialFunc
+
+	// Cache caches credentials for direct accessing the remote registry.
+	// If nil, no cache is used.
+	Cache Cache
+
+	// ClientID used in fetching OAuth2 token as a required field.
+	// If empty, a default client ID is used.
+	// Reference: https://distribution.github.io/distribution/spec/auth/oauth/#getting-a-token
+	ClientID string
+
+	// ForceAttemptOAuth2 controls whether to follow OAuth2 with password grant
+	// instead the distribution spec when authenticating using username and
+	// password.
+	// References:
+	// - https://distribution.github.io/distribution/spec/auth/jwt/
+	// - https://distribution.github.io/distribution/spec/auth/oauth/
+	ForceAttemptOAuth2 bool
+}
+
+// client returns an HTTP client used to access the remote registry.
+// http.DefaultClient is return if the client is not configured.
+func (c *Client) client() *http.Client {
+	if c.Client == nil {
+		return http.DefaultClient
+	}
+	return c.Client
+}
+
+// send adds headers to the request and sends the request to the remote server.
+func (c *Client) send(req *http.Request) (*http.Response, error) {
+	for key, values := range c.Header {
+		req.Header[key] = append(req.Header[key], values...)
+	}
+	return c.client().Do(req)
+}
+
+// credential resolves the credential for the given registry.
+func (c *Client) credential(ctx context.Context, reg string) (Credential, error) {
+	if c.Credential == nil {
+		return EmptyCredential, nil
+	}
+	return c.Credential(ctx, reg)
+}
+
+// cache resolves the cache.
+// noCache is return if the cache is not configured.
+func (c *Client) cache() Cache {
+	if c.Cache == nil {
+		return noCache{}
+	}
+	return c.Cache
+}
+
+// SetUserAgent sets the user agent for all out-going requests.
+func (c *Client) SetUserAgent(userAgent string) {
+	if c.Header == nil {
+		c.Header = http.Header{}
+	}
+	c.Header.Set("User-Agent", userAgent)
+}
+
+// Do sends the request to the remote server, attempting to resolve
+// authentication if 'Authorization' header is not set.
+//
+// On authentication failure due to bad credential,
+//   - Do returns error if it fails to fetch token for bearer auth.
+//   - Do returns the registry response without error for basic auth.
+func (c *Client) Do(originalReq *http.Request) (*http.Response, error) {
+	if auth := originalReq.Header.Get("Authorization"); auth != "" {
+		return c.send(originalReq)
+	}
+
+	ctx := originalReq.Context()
+	req := originalReq.Clone(ctx)
+
+	// attempt cached auth token
+	var attemptedKey string
+	cache := c.cache()
+	host := originalReq.Host
+	scheme, err := cache.GetScheme(ctx, host)
+	if err == nil {
+		switch scheme {
+		case SchemeBasic:
+			token, err := cache.GetToken(ctx, host, SchemeBasic, "")
+			if err == nil {
+				req.Header.Set("Authorization", "Basic "+token)
+			}
+		case SchemeBearer:
+			scopes := GetAllScopesForHost(ctx, host)
+			attemptedKey = strings.Join(scopes, " ")
+			token, err := cache.GetToken(ctx, host, SchemeBearer, attemptedKey)
+			if err == nil {
+				req.Header.Set("Authorization", "Bearer "+token)
+			}
+		}
+	}
+
+	resp, err := c.send(req)
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusUnauthorized {
+		return resp, nil
+	}
+
+	// attempt again with credentials for recognized schemes
+	challenge := resp.Header.Get("Www-Authenticate")
+	scheme, params := parseChallenge(challenge)
+	switch scheme {
+	case SchemeBasic:
+		resp.Body.Close()
+
+		token, err := cache.Set(ctx, host, SchemeBasic, "", func(ctx context.Context) (string, error) {
+			return c.fetchBasicAuth(ctx, host)
+		})
+		if err != nil {
+			return nil, fmt.Errorf("%s %q: %w", resp.Request.Method, resp.Request.URL, err)
+		}
+
+		req = originalReq.Clone(ctx)
+		req.Header.Set("Authorization", "Basic "+token)
+	case SchemeBearer:
+		resp.Body.Close()
+
+		scopes := GetAllScopesForHost(ctx, host)
+		if paramScope := params["scope"]; paramScope != "" {
+			// merge hinted scopes with challenged scopes
+			scopes = append(scopes, strings.Split(paramScope, " ")...)
+			scopes = CleanScopes(scopes)
+		}
+		key := strings.Join(scopes, " ")
+
+		// attempt the cache again if there is a scope change
+		if key != attemptedKey {
+			if token, err := cache.GetToken(ctx, host, SchemeBearer, key); err == nil {
+				req = originalReq.Clone(ctx)
+				req.Header.Set("Authorization", "Bearer "+token)
+				if err := rewindRequestBody(req); err != nil {
+					return nil, err
+				}
+
+				resp, err := c.send(req)
+				if err != nil {
+					return nil, err
+				}
+				if resp.StatusCode != http.StatusUnauthorized {
+					return resp, nil
+				}
+				resp.Body.Close()
+			}
+		}
+
+		// attempt with credentials
+		realm := params["realm"]
+		service := params["service"]
+		token, err := cache.Set(ctx, host, SchemeBearer, key, func(ctx context.Context) (string, error) {
+			return c.fetchBearerToken(ctx, host, realm, service, scopes)
+		})
+		if err != nil {
+			return nil, fmt.Errorf("%s %q: %w", resp.Request.Method, resp.Request.URL, err)
+		}
+
+		req = originalReq.Clone(ctx)
+		req.Header.Set("Authorization", "Bearer "+token)
+	default:
+		return resp, nil
+	}
+	if err := rewindRequestBody(req); err != nil {
+		return nil, err
+	}
+
+	return c.send(req)
+}
+
+// fetchBasicAuth fetches a basic auth token for the basic challenge.
+func (c *Client) fetchBasicAuth(ctx context.Context, registry string) (string, error) {
+	cred, err := c.credential(ctx, registry)
+	if err != nil {
+		return "", fmt.Errorf("failed to resolve credential: %w", err)
+	}
+	if cred == EmptyCredential {
+		return "", ErrBasicCredentialNotFound
+	}
+	if cred.Username == "" || cred.Password == "" {
+		return "", errors.New("missing username or password for basic auth")
+	}
+	auth := cred.Username + ":" + cred.Password
+	return base64.StdEncoding.EncodeToString([]byte(auth)), nil
+}
+
+// fetchBearerToken fetches an access token for the bearer challenge.
+func (c *Client) fetchBearerToken(ctx context.Context, registry, realm, service string, scopes []string) (string, error) {
+	cred, err := c.credential(ctx, registry)
+	if err != nil {
+		return "", err
+	}
+	if cred.AccessToken != "" {
+		return cred.AccessToken, nil
+	}
+	if cred == EmptyCredential || (cred.RefreshToken == "" && !c.ForceAttemptOAuth2) {
+		return c.fetchDistributionToken(ctx, realm, service, scopes, cred.Username, cred.Password)
+	}
+	return c.fetchOAuth2Token(ctx, realm, service, scopes, cred)
+}
+
+// fetchDistributionToken fetches an access token as defined by the distribution
+// specification.
+// It fetches anonymous tokens if no credential is provided.
+// References:
+// - https://distribution.github.io/distribution/spec/auth/jwt/
+// - https://distribution.github.io/distribution/spec/auth/token/
+func (c *Client) fetchDistributionToken(ctx context.Context, realm, service string, scopes []string, username, password string) (string, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, realm, nil)
+	if err != nil {
+		return "", err
+	}
+	if username != "" || password != "" {
+		req.SetBasicAuth(username, password)
+	}
+	q := req.URL.Query()
+	if service != "" {
+		q.Set("service", service)
+	}
+	for _, scope := range scopes {
+		q.Add("scope", scope)
+	}
+	req.URL.RawQuery = q.Encode()
+
+	resp, err := c.send(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return "", errutil.ParseErrorResponse(resp)
+	}
+
+	// As specified in https://distribution.github.io/distribution/spec/auth/token/ section
+	// "Token Response Fields", the token is either in `token` or
+	// `access_token`. If both present, they are identical.
+	var result struct {
+		Token       string `json:"token"`
+		AccessToken string `json:"access_token"`
+	}
+	lr := io.LimitReader(resp.Body, maxResponseBytes)
+	if err := json.NewDecoder(lr).Decode(&result); err != nil {
+		return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err)
+	}
+	if result.AccessToken != "" {
+		return result.AccessToken, nil
+	}
+	if result.Token != "" {
+		return result.Token, nil
+	}
+	return "", fmt.Errorf("%s %q: empty token returned", resp.Request.Method, resp.Request.URL)
+}
+
+// fetchOAuth2Token fetches an OAuth2 access token.
+// Reference: https://distribution.github.io/distribution/spec/auth/oauth/
+func (c *Client) fetchOAuth2Token(ctx context.Context, realm, service string, scopes []string, cred Credential) (string, error) {
+	form := url.Values{}
+	if cred.RefreshToken != "" {
+		form.Set("grant_type", "refresh_token")
+		form.Set("refresh_token", cred.RefreshToken)
+	} else if cred.Username != "" && cred.Password != "" {
+		form.Set("grant_type", "password")
+		form.Set("username", cred.Username)
+		form.Set("password", cred.Password)
+	} else {
+		return "", errors.New("missing username or password for bearer auth")
+	}
+	form.Set("service", service)
+	clientID := c.ClientID
+	if clientID == "" {
+		clientID = defaultClientID
+	}
+	form.Set("client_id", clientID)
+	if len(scopes) != 0 {
+		form.Set("scope", strings.Join(scopes, " "))
+	}
+	body := strings.NewReader(form.Encode())
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, realm, body)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := c.send(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return "", errutil.ParseErrorResponse(resp)
+	}
+
+	var result struct {
+		AccessToken string `json:"access_token"`
+	}
+	lr := io.LimitReader(resp.Body, maxResponseBytes)
+	if err := json.NewDecoder(lr).Decode(&result); err != nil {
+		return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err)
+	}
+	if result.AccessToken != "" {
+		return result.AccessToken, nil
+	}
+	return "", fmt.Errorf("%s %q: empty token returned", resp.Request.Method, resp.Request.URL)
+}
+
+// rewindRequestBody tries to rewind the request body if exists.
+func rewindRequestBody(req *http.Request) error {
+	if req.Body == nil || req.Body == http.NoBody {
+		return nil
+	}
+	if req.GetBody == nil {
+		return fmt.Errorf("%s %q: request body is not rewindable", req.Method, req.URL)
+	}
+	body, err := req.GetBody()
+	if err != nil {
+		return fmt.Errorf("%s %q: failed to get request body: %w", req.Method, req.URL, err)
+	}
+	req.Body = body
+	return nil
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/credential.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/credential.go
new file mode 100644
index 0000000000..044bcaecdf
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/credential.go
@@ -0,0 +1,40 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+// EmptyCredential represents an empty credential.
+var EmptyCredential Credential
+
+// Credential contains authentication credentials used to access remote
+// registries.
+type Credential struct {
+	// Username is the name of the user for the remote registry.
+	Username string
+
+	// Password is the secret associated with the username.
+	Password string
+
+	// RefreshToken is a bearer token to be sent to the authorization service
+	// for fetching access tokens.
+	// A refresh token is often referred as an identity token.
+	// Reference: https://distribution.github.io/distribution/spec/auth/oauth/
+	RefreshToken string
+
+	// AccessToken is a bearer token to be sent to the registry.
+	// An access token is often referred as a registry token.
+	// Reference: https://distribution.github.io/distribution/spec/auth/token/
+	AccessToken string
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/scope.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/scope.go
new file mode 100644
index 0000000000..bdd6e5c48c
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/scope.go
@@ -0,0 +1,325 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"context"
+	"slices"
+	"strings"
+
+	"oras.land/oras-go/v2/registry"
+)
+
+// Actions used in scopes.
+// Reference: https://distribution.github.io/distribution/spec/auth/scope/
+const (
+	// ActionPull represents generic read access for resources of the repository
+	// type.
+	ActionPull = "pull"
+
+	// ActionPush represents generic write access for resources of the
+	// repository type.
+	ActionPush = "push"
+
+	// ActionDelete represents the delete permission for resources of the
+	// repository type.
+	ActionDelete = "delete"
+)
+
+// ScopeRegistryCatalog is the scope for registry catalog access.
+const ScopeRegistryCatalog = "registry:catalog:*"
+
+// ScopeRepository returns a repository scope with given actions.
+// Reference: https://distribution.github.io/distribution/spec/auth/scope/
+func ScopeRepository(repository string, actions ...string) string {
+	actions = cleanActions(actions)
+	if repository == "" || len(actions) == 0 {
+		return ""
+	}
+	return strings.Join([]string{
+		"repository",
+		repository,
+		strings.Join(actions, ","),
+	}, ":")
+}
+
+// AppendRepositoryScope returns a new context containing scope hints for the
+// auth client to fetch bearer tokens with the given actions on the repository.
+// If called multiple times, the new scopes will be appended to the existing
+// scopes. The resulted scopes are de-duplicated.
+//
+// For example, uploading blob to the repository "hello-world" does HEAD request
+// first then POST and PUT. The HEAD request will return a challenge for scope
+// `repository:hello-world:pull`, and the auth client will fetch a token for
+// that challenge. Later, the POST request will return a challenge for scope
+// `repository:hello-world:push`, and the auth client will fetch a token for
+// that challenge again. By invoking AppendRepositoryScope with the actions
+// [ActionPull] and [ActionPush] for the repository `hello-world`,
+// the auth client with cache is hinted to fetch a token via a single token
+// fetch request for all the HEAD, POST, PUT requests.
+func AppendRepositoryScope(ctx context.Context, ref registry.Reference, actions ...string) context.Context {
+	if len(actions) == 0 {
+		return ctx
+	}
+	scope := ScopeRepository(ref.Repository, actions...)
+	return AppendScopesForHost(ctx, ref.Host(), scope)
+}
+
+// scopesContextKey is the context key for scopes.
+type scopesContextKey struct{}
+
+// WithScopes returns a context with scopes added. Scopes are de-duplicated.
+// Scopes are used as hints for the auth client to fetch bearer tokens with
+// larger scopes.
+//
+// For example, uploading blob to the repository "hello-world" does HEAD request
+// first then POST and PUT. The HEAD request will return a challenge for scope
+// `repository:hello-world:pull`, and the auth client will fetch a token for
+// that challenge. Later, the POST request will return a challenge for scope
+// `repository:hello-world:push`, and the auth client will fetch a token for
+// that challenge again. By invoking WithScopes with the scope
+// `repository:hello-world:pull,push`, the auth client with cache is hinted to
+// fetch a token via a single token fetch request for all the HEAD, POST, PUT
+// requests.
+//
+// Passing an empty list of scopes will virtually remove the scope hints in the
+// context.
+//
+// Reference: https://distribution.github.io/distribution/spec/auth/scope/
+func WithScopes(ctx context.Context, scopes ...string) context.Context {
+	scopes = CleanScopes(scopes)
+	return context.WithValue(ctx, scopesContextKey{}, scopes)
+}
+
+// AppendScopes appends additional scopes to the existing scopes in the context
+// and returns a new context. The resulted scopes are de-duplicated.
+// The append operation does modify the existing scope in the context passed in.
+func AppendScopes(ctx context.Context, scopes ...string) context.Context {
+	if len(scopes) == 0 {
+		return ctx
+	}
+	return WithScopes(ctx, append(GetScopes(ctx), scopes...)...)
+}
+
+// GetScopes returns the scopes in the context.
+func GetScopes(ctx context.Context) []string {
+	if scopes, ok := ctx.Value(scopesContextKey{}).([]string); ok {
+		return slices.Clone(scopes)
+	}
+	return nil
+}
+
+// scopesForHostContextKey is the context key for per-host scopes.
+type scopesForHostContextKey string
+
+// WithScopesForHost returns a context with per-host scopes added.
+// Scopes are de-duplicated.
+// Scopes are used as hints for the auth client to fetch bearer tokens with
+// larger scopes.
+//
+// For example, uploading blob to the repository "hello-world" does HEAD request
+// first then POST and PUT. The HEAD request will return a challenge for scope
+// `repository:hello-world:pull`, and the auth client will fetch a token for
+// that challenge. Later, the POST request will return a challenge for scope
+// `repository:hello-world:push`, and the auth client will fetch a token for
+// that challenge again. By invoking WithScopesForHost with the scope
+// `repository:hello-world:pull,push`, the auth client with cache is hinted to
+// fetch a token via a single token fetch request for all the HEAD, POST, PUT
+// requests.
+//
+// Passing an empty list of scopes will virtually remove the scope hints in the
+// context for the given host.
+//
+// Reference: https://distribution.github.io/distribution/spec/auth/scope/
+func WithScopesForHost(ctx context.Context, host string, scopes ...string) context.Context {
+	scopes = CleanScopes(scopes)
+	return context.WithValue(ctx, scopesForHostContextKey(host), scopes)
+}
+
+// AppendScopesForHost appends additional scopes to the existing scopes
+// in the context for the given host and returns a new context.
+// The resulted scopes are de-duplicated.
+// The append operation does modify the existing scope in the context passed in.
+func AppendScopesForHost(ctx context.Context, host string, scopes ...string) context.Context {
+	if len(scopes) == 0 {
+		return ctx
+	}
+	oldScopes := GetScopesForHost(ctx, host)
+	return WithScopesForHost(ctx, host, append(oldScopes, scopes...)...)
+}
+
+// GetScopesForHost returns the scopes in the context for the given host,
+// excluding global scopes added by [WithScopes] and [AppendScopes].
+func GetScopesForHost(ctx context.Context, host string) []string {
+	if scopes, ok := ctx.Value(scopesForHostContextKey(host)).([]string); ok {
+		return slices.Clone(scopes)
+	}
+	return nil
+}
+
+// GetAllScopesForHost returns the scopes in the context for the given host,
+// including global scopes added by [WithScopes] and [AppendScopes].
+func GetAllScopesForHost(ctx context.Context, host string) []string {
+	scopes := GetScopesForHost(ctx, host)
+	globalScopes := GetScopes(ctx)
+
+	if len(scopes) == 0 {
+		return globalScopes
+	}
+	if len(globalScopes) == 0 {
+		return scopes
+	}
+	// re-clean the scopes
+	allScopes := append(scopes, globalScopes...)
+	return CleanScopes(allScopes)
+}
+
+// CleanScopes merges and sort the actions in ascending order if the scopes have
+// the same resource type and name. The final scopes are sorted in ascending
+// order. In other words, the scopes passed in are de-duplicated and sorted.
+// Therefore, the output of this function is deterministic.
+//
+// If there is a wildcard `*` in the action, other actions in the same resource
+// type and name are ignored.
+func CleanScopes(scopes []string) []string {
+	// fast paths
+	switch len(scopes) {
+	case 0:
+		return nil
+	case 1:
+		scope := scopes[0]
+		i := strings.LastIndex(scope, ":")
+		if i == -1 {
+			return []string{scope}
+		}
+		actionList := strings.Split(scope[i+1:], ",")
+		actionList = cleanActions(actionList)
+		if len(actionList) == 0 {
+			return nil
+		}
+		actions := strings.Join(actionList, ",")
+		scope = scope[:i+1] + actions
+		return []string{scope}
+	}
+
+	// slow path
+	var result []string
+
+	// merge recognizable scopes
+	resourceTypes := make(map[string]map[string]map[string]struct{})
+	for _, scope := range scopes {
+		// extract resource type
+		i := strings.Index(scope, ":")
+		if i == -1 {
+			result = append(result, scope)
+			continue
+		}
+		resourceType := scope[:i]
+
+		// extract resource name and actions
+		rest := scope[i+1:]
+		i = strings.LastIndex(rest, ":")
+		if i == -1 {
+			result = append(result, scope)
+			continue
+		}
+		resourceName := rest[:i]
+		actions := rest[i+1:]
+		if actions == "" {
+			// drop scope since no action found
+			continue
+		}
+
+		// add to the intermediate map for de-duplication
+		namedActions := resourceTypes[resourceType]
+		if namedActions == nil {
+			namedActions = make(map[string]map[string]struct{})
+			resourceTypes[resourceType] = namedActions
+		}
+		actionSet := namedActions[resourceName]
+		if actionSet == nil {
+			actionSet = make(map[string]struct{})
+			namedActions[resourceName] = actionSet
+		}
+		for _, action := range strings.Split(actions, ",") {
+			if action != "" {
+				actionSet[action] = struct{}{}
+			}
+		}
+	}
+
+	// reconstruct scopes
+	for resourceType, namedActions := range resourceTypes {
+		for resourceName, actionSet := range namedActions {
+			if len(actionSet) == 0 {
+				continue
+			}
+			var actions []string
+			for action := range actionSet {
+				if action == "*" {
+					actions = []string{"*"}
+					break
+				}
+				actions = append(actions, action)
+			}
+			slices.Sort(actions)
+			scope := resourceType + ":" + resourceName + ":" + strings.Join(actions, ",")
+			result = append(result, scope)
+		}
+	}
+
+	// sort and return
+	slices.Sort(result)
+	return result
+}
+
+// cleanActions removes the duplicated actions and sort in ascending order.
+// If there is a wildcard `*` in the action, other actions are ignored.
+func cleanActions(actions []string) []string {
+	// fast paths
+	switch len(actions) {
+	case 0:
+		return nil
+	case 1:
+		if actions[0] == "" {
+			return nil
+		}
+		return actions
+	}
+
+	// slow path
+	slices.Sort(actions)
+	n := 0
+	for i := range len(actions) {
+		if actions[i] == "*" {
+			return []string{"*"}
+		}
+		if actions[i] != actions[n] {
+			n++
+			if n != i {
+				actions[n] = actions[i]
+			}
+		}
+	}
+	n++
+	if actions[0] == "" {
+		if n == 1 {
+			return nil
+		}
+		return actions[1:n]
+	}
+	return actions[:n]
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/file_store.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/file_store.go
new file mode 100644
index 0000000000..7664cc2ab0
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/file_store.go
@@ -0,0 +1,97 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/credentials/internal/config"
+)
+
+// FileStore implements a credentials store using the docker configuration file
+// to keep the credentials in plain-text.
+//
+// Reference: https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties
+type FileStore struct {
+	// DisablePut disables putting credentials in plaintext.
+	// If DisablePut is set to true, Put() will return ErrPlaintextPutDisabled.
+	DisablePut bool
+
+	config *config.Config
+}
+
+var (
+	// ErrPlaintextPutDisabled is returned by Put() when DisablePut is set
+	// to true.
+	ErrPlaintextPutDisabled = errors.New("putting plaintext credentials is disabled")
+	// ErrBadCredentialFormat is returned by Put() when the credential format
+	// is bad.
+	ErrBadCredentialFormat = errors.New("bad credential format")
+)
+
+// NewFileStore creates a new file credentials store.
+//
+// Reference: https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties
+func NewFileStore(configPath string) (*FileStore, error) {
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		return nil, err
+	}
+	return newFileStore(cfg), nil
+}
+
+// newFileStore creates a file credentials store based on the given config instance.
+func newFileStore(cfg *config.Config) *FileStore {
+	return &FileStore{config: cfg}
+}
+
+// Get retrieves credentials from the store for the given server address.
+func (fs *FileStore) Get(_ context.Context, serverAddress string) (auth.Credential, error) {
+	return fs.config.GetCredential(serverAddress)
+}
+
+// Put saves credentials into the store for the given server address.
+// Returns ErrPlaintextPutDisabled if fs.DisablePut is set to true.
+func (fs *FileStore) Put(_ context.Context, serverAddress string, cred auth.Credential) error {
+	if fs.DisablePut {
+		return ErrPlaintextPutDisabled
+	}
+	if err := validateCredentialFormat(cred); err != nil {
+		return err
+	}
+
+	return fs.config.PutCredential(serverAddress, cred)
+}
+
+// Delete removes credentials from the store for the given server address.
+func (fs *FileStore) Delete(_ context.Context, serverAddress string) error {
+	return fs.config.DeleteCredential(serverAddress)
+}
+
+// validateCredentialFormat validates the format of cred.
+func validateCredentialFormat(cred auth.Credential) error {
+	if strings.ContainsRune(cred.Username, ':') {
+		// Username and password will be encoded in the base64(username:password)
+		// format in the file. The decoded result will be wrong if username
+		// contains colon(s).
+		return fmt.Errorf("%w: colons(:) are not allowed in username", ErrBadCredentialFormat)
+	}
+	return nil
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/config/config.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/config/config.go
new file mode 100644
index 0000000000..3a898f22b1
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/config/config.go
@@ -0,0 +1,332 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil"
+)
+
+const (
+	// configFieldAuths is the "auths" field in the config file.
+	// Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L19
+	configFieldAuths = "auths"
+	// configFieldCredentialsStore is the "credsStore" field in the config file.
+	configFieldCredentialsStore = "credsStore"
+	// configFieldCredentialHelpers is the "credHelpers" field in the config file.
+	configFieldCredentialHelpers = "credHelpers"
+)
+
+// ErrInvalidConfigFormat is returned when the config format is invalid.
+var ErrInvalidConfigFormat = errors.New("invalid config format")
+
+// AuthConfig contains authorization information for connecting to a Registry.
+// References:
+//   - https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L17-L45
+//   - https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/types/authconfig.go#L3-L22
+type AuthConfig struct {
+	// Auth is a base64-encoded string of "{username}:{password}".
+	Auth string `json:"auth,omitempty"`
+	// IdentityToken is used to authenticate the user and get an access token
+	// for the registry.
+	IdentityToken string `json:"identitytoken,omitempty"`
+	// RegistryToken is a bearer token to be sent to a registry.
+	RegistryToken string `json:"registrytoken,omitempty"`
+
+	Username string `json:"username,omitempty"` // legacy field for compatibility
+	Password string `json:"password,omitempty"` // legacy field for compatibility
+}
+
+// NewAuthConfig creates an authConfig based on cred.
+func NewAuthConfig(cred auth.Credential) AuthConfig {
+	return AuthConfig{
+		Auth:          encodeAuth(cred.Username, cred.Password),
+		IdentityToken: cred.RefreshToken,
+		RegistryToken: cred.AccessToken,
+	}
+}
+
+// Credential returns an auth.Credential based on ac.
+func (ac AuthConfig) Credential() (auth.Credential, error) {
+	cred := auth.Credential{
+		Username:     ac.Username,
+		Password:     ac.Password,
+		RefreshToken: ac.IdentityToken,
+		AccessToken:  ac.RegistryToken,
+	}
+	if ac.Auth != "" {
+		var err error
+		// override username and password
+		cred.Username, cred.Password, err = decodeAuth(ac.Auth)
+		if err != nil {
+			return auth.EmptyCredential, fmt.Errorf("failed to decode auth field: %w: %v", ErrInvalidConfigFormat, err)
+		}
+	}
+	return cred, nil
+}
+
+// Config represents a docker configuration file.
+// References:
+//   - https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties
+//   - https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L17-L44
+type Config struct {
+	// path is the path to the config file.
+	path string
+	// rwLock is a read-write-lock for the file store.
+	rwLock sync.RWMutex
+	// content is the content of the config file.
+	// Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L17-L44
+	content map[string]json.RawMessage
+	// authsCache is a cache of the auths field of the config.
+	// Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L19
+	authsCache map[string]json.RawMessage
+	// credentialsStore is the credsStore field of the config.
+	// Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L28
+	credentialsStore string
+	// credentialHelpers is the credHelpers field of the config.
+	// Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L29
+	credentialHelpers map[string]string
+}
+
+// Load loads Config from the given config path.
+func Load(configPath string) (*Config, error) {
+	cfg := &Config{path: configPath}
+	configFile, err := os.Open(configPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			// init content and caches if the content file does not exist
+			cfg.content = make(map[string]json.RawMessage)
+			cfg.authsCache = make(map[string]json.RawMessage)
+			return cfg, nil
+		}
+		return nil, fmt.Errorf("failed to open config file at %s: %w", configPath, err)
+	}
+	defer configFile.Close()
+
+	// decode config content if the config file exists
+	if err := json.NewDecoder(configFile).Decode(&cfg.content); err != nil {
+		return nil, fmt.Errorf("failed to decode config file at %s: %w: %v", configPath, ErrInvalidConfigFormat, err)
+	}
+
+	if credsStoreBytes, ok := cfg.content[configFieldCredentialsStore]; ok {
+		if err := json.Unmarshal(credsStoreBytes, &cfg.credentialsStore); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal creds store field: %w: %v", ErrInvalidConfigFormat, err)
+		}
+	}
+
+	if credHelpersBytes, ok := cfg.content[configFieldCredentialHelpers]; ok {
+		if err := json.Unmarshal(credHelpersBytes, &cfg.credentialHelpers); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal cred helpers field: %w: %v", ErrInvalidConfigFormat, err)
+		}
+	}
+
+	if authsBytes, ok := cfg.content[configFieldAuths]; ok {
+		if err := json.Unmarshal(authsBytes, &cfg.authsCache); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal auths field: %w: %v", ErrInvalidConfigFormat, err)
+		}
+	}
+	if cfg.authsCache == nil {
+		cfg.authsCache = make(map[string]json.RawMessage)
+	}
+
+	return cfg, nil
+}
+
+// GetAuthConfig returns an auth.Credential for serverAddress.
+func (cfg *Config) GetCredential(serverAddress string) (auth.Credential, error) {
+	cfg.rwLock.RLock()
+	defer cfg.rwLock.RUnlock()
+
+	authCfgBytes, ok := cfg.authsCache[serverAddress]
+	if !ok {
+		// NOTE: the auth key for the server address may have been stored with
+		// a http/https prefix in legacy config files, e.g. "registry.example.com"
+		// can be stored as "https://registry.example.com/".
+		var matched bool
+		for addr, auth := range cfg.authsCache {
+			if ToHostname(addr) == serverAddress {
+				matched = true
+				authCfgBytes = auth
+				break
+			}
+		}
+		if !matched {
+			return auth.EmptyCredential, nil
+		}
+	}
+	var authCfg AuthConfig
+	if err := json.Unmarshal(authCfgBytes, &authCfg); err != nil {
+		return auth.EmptyCredential, fmt.Errorf("failed to unmarshal auth field: %w: %v", ErrInvalidConfigFormat, err)
+	}
+	return authCfg.Credential()
+}
+
+// PutAuthConfig puts cred for serverAddress.
+func (cfg *Config) PutCredential(serverAddress string, cred auth.Credential) error {
+	cfg.rwLock.Lock()
+	defer cfg.rwLock.Unlock()
+
+	authCfg := NewAuthConfig(cred)
+	authCfgBytes, err := json.Marshal(authCfg)
+	if err != nil {
+		return fmt.Errorf("failed to marshal auth field: %w", err)
+	}
+	cfg.authsCache[serverAddress] = authCfgBytes
+	return cfg.saveFile()
+}
+
+// DeleteAuthConfig deletes the corresponding credential for serverAddress.
+func (cfg *Config) DeleteCredential(serverAddress string) error {
+	cfg.rwLock.Lock()
+	defer cfg.rwLock.Unlock()
+
+	if _, ok := cfg.authsCache[serverAddress]; !ok {
+		// no ops
+		return nil
+	}
+	delete(cfg.authsCache, serverAddress)
+	return cfg.saveFile()
+}
+
+// GetCredentialHelper returns the credential helpers for serverAddress.
+func (cfg *Config) GetCredentialHelper(serverAddress string) string {
+	return cfg.credentialHelpers[serverAddress]
+}
+
+// CredentialsStore returns the configured credentials store.
+func (cfg *Config) CredentialsStore() string {
+	cfg.rwLock.RLock()
+	defer cfg.rwLock.RUnlock()
+
+	return cfg.credentialsStore
+}
+
+// Path returns the path to the config file.
+func (cfg *Config) Path() string {
+	return cfg.path
+}
+
+// SetCredentialsStore puts the configured credentials store.
+func (cfg *Config) SetCredentialsStore(credsStore string) error {
+	cfg.rwLock.Lock()
+	defer cfg.rwLock.Unlock()
+
+	cfg.credentialsStore = credsStore
+	return cfg.saveFile()
+}
+
+// IsAuthConfigured returns whether there is authentication configured in this
+// config file or not.
+func (cfg *Config) IsAuthConfigured() bool {
+	return cfg.credentialsStore != "" ||
+		len(cfg.credentialHelpers) > 0 ||
+		len(cfg.authsCache) > 0
+}
+
+// saveFile saves Config into the file.
+func (cfg *Config) saveFile() (returnErr error) {
+	// marshal content
+	// credentialHelpers is skipped as it's never set
+	if cfg.credentialsStore != "" {
+		credsStoreBytes, err := json.Marshal(cfg.credentialsStore)
+		if err != nil {
+			return fmt.Errorf("failed to marshal creds store: %w", err)
+		}
+		cfg.content[configFieldCredentialsStore] = credsStoreBytes
+	} else {
+		// omit empty
+		delete(cfg.content, configFieldCredentialsStore)
+	}
+	authsBytes, err := json.Marshal(cfg.authsCache)
+	if err != nil {
+		return fmt.Errorf("failed to marshal credentials: %w", err)
+	}
+	cfg.content[configFieldAuths] = authsBytes
+	jsonBytes, err := json.MarshalIndent(cfg.content, "", "\t")
+	if err != nil {
+		return fmt.Errorf("failed to marshal config: %w", err)
+	}
+
+	// write the content to a ingest file for atomicity
+	configDir := filepath.Dir(cfg.path)
+	if err := os.MkdirAll(configDir, 0700); err != nil {
+		return fmt.Errorf("failed to make directory %s: %w", configDir, err)
+	}
+	ingest, err := ioutil.Ingest(configDir, bytes.NewReader(jsonBytes))
+	if err != nil {
+		return fmt.Errorf("failed to save config file: %w", err)
+	}
+	defer func() {
+		if returnErr != nil {
+			// clean up the ingest file in case of error
+			os.Remove(ingest)
+		}
+	}()
+
+	// overwrite the config file
+	if err := os.Rename(ingest, cfg.path); err != nil {
+		return fmt.Errorf("failed to save config file: %w", err)
+	}
+	return nil
+}
+
+// encodeAuth base64-encodes username and password into base64(username:password).
+func encodeAuth(username, password string) string {
+	if username == "" && password == "" {
+		return ""
+	}
+	return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
+}
+
+// decodeAuth decodes a base64 encoded string and returns username and password.
+func decodeAuth(authStr string) (username string, password string, err error) {
+	if authStr == "" {
+		return "", "", nil
+	}
+
+	decoded, err := base64.StdEncoding.DecodeString(authStr)
+	if err != nil {
+		return "", "", err
+	}
+	decodedStr := string(decoded)
+	username, password, ok := strings.Cut(decodedStr, ":")
+	if !ok {
+		return "", "", fmt.Errorf("auth '%s' does not conform the base64(username:password) format", decodedStr)
+	}
+	return username, password, nil
+}
+
+// ToHostname normalizes a server address to just its hostname, removing
+// the scheme and the path parts.
+// It is used to match keys in the auths map, which may be either stored as
+// hostname or as hostname including scheme (in legacy docker config files).
+// Reference: https://github.com/docker/cli/blob/v24.0.6/cli/config/credentials/file_store.go#L71
+func ToHostname(addr string) string {
+	addr = strings.TrimPrefix(addr, "http://")
+	addr = strings.TrimPrefix(addr, "https://")
+	addr, _, _ = strings.Cut(addr, "/")
+	return addr
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/executer/executer.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/executer/executer.go
new file mode 100644
index 0000000000..a074c68462
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/executer/executer.go
@@ -0,0 +1,80 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package executer is an abstraction for the docker credential helper protocol
+// binaries. It is used by nativeStore to interact with installed binaries.
+package executer
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"os"
+	"os/exec"
+
+	"oras.land/oras-go/v2/registry/remote/credentials/trace"
+)
+
+// dockerDesktopHelperName is the name of the docker credentials helper
+// execuatable.
+const dockerDesktopHelperName = "docker-credential-desktop.exe"
+
+// Executer is an interface that simulates an executable binary.
+type Executer interface {
+	Execute(ctx context.Context, input io.Reader, action string) ([]byte, error)
+}
+
+// executable implements the Executer interface.
+type executable struct {
+	name string
+}
+
+// New returns a new Executer instance.
+func New(name string) Executer {
+	return &executable{
+		name: name,
+	}
+}
+
+// Execute operates on an executable binary and supports context.
+func (c *executable) Execute(ctx context.Context, input io.Reader, action string) ([]byte, error) {
+	cmd := exec.CommandContext(ctx, c.name, action)
+	cmd.Stdin = input
+	cmd.Stderr = os.Stderr
+	trace := trace.ContextExecutableTrace(ctx)
+	if trace != nil && trace.ExecuteStart != nil {
+		trace.ExecuteStart(c.name, action)
+	}
+	output, err := cmd.Output()
+	if trace != nil && trace.ExecuteDone != nil {
+		trace.ExecuteDone(c.name, action, err)
+	}
+	if err != nil {
+		switch execErr := err.(type) {
+		case *exec.ExitError:
+			if errMessage := string(bytes.TrimSpace(output)); errMessage != "" {
+				return nil, errors.New(errMessage)
+			}
+		case *exec.Error:
+			// check if the error is caused by Docker Desktop not running
+			if execErr.Err == exec.ErrNotFound && c.name == dockerDesktopHelperName {
+				return nil, errors.New("credentials store is configured to `desktop.exe` but Docker Desktop seems not running")
+			}
+		}
+		return nil, err
+	}
+	return output, nil
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil/ioutil.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil/ioutil.go
new file mode 100644
index 0000000000..b2e3179ddb
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil/ioutil.go
@@ -0,0 +1,49 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ioutil
+
+import (
+	"fmt"
+	"io"
+	"os"
+)
+
+// Ingest writes content into a temporary ingest file with the file name format
+// "oras_credstore_temp_{randomString}".
+func Ingest(dir string, content io.Reader) (path string, ingestErr error) {
+	tempFile, err := os.CreateTemp(dir, "oras_credstore_temp_*")
+	if err != nil {
+		return "", fmt.Errorf("failed to create ingest file: %w", err)
+	}
+	path = tempFile.Name()
+	defer func() {
+		if err := tempFile.Close(); err != nil && ingestErr == nil {
+			ingestErr = fmt.Errorf("failed to close ingest file: %w", err)
+		}
+		// remove the temp file in case of error.
+		if ingestErr != nil {
+			os.Remove(path)
+		}
+	}()
+
+	if err := tempFile.Chmod(0600); err != nil {
+		return "", fmt.Errorf("failed to ensure permission: %w", err)
+	}
+	if _, err := io.Copy(tempFile, content); err != nil {
+		return "", fmt.Errorf("failed to ingest: %w", err)
+	}
+	return
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/memory_store.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/memory_store.go
new file mode 100644
index 0000000000..7fdabb1e8a
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/memory_store.go
@@ -0,0 +1,81 @@
+/*
+   Copyright The ORAS Authors.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package credentials
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"sync"
+
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/credentials/internal/config"
+)
+
+// memoryStore is a store that keeps credentials in memory.
+type memoryStore struct {
+	store sync.Map
+}
+
+// NewMemoryStore creates a new in-memory credentials store.
+func NewMemoryStore() Store {
+	return &memoryStore{}
+}
+
+// NewMemoryStoreFromDockerConfig creates a new in-memory credentials store from the given configuration.
+//
+// Reference: https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties
+func NewMemoryStoreFromDockerConfig(c []byte) (Store, error) {
+	cfg := struct {
+		Auths map[string]config.AuthConfig `json:"auths"`
+	}{}
+	if err := json.Unmarshal(c, &cfg); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal auth field: %w: %v", config.ErrInvalidConfigFormat, err)
+	}
+
+	s := &memoryStore{}
+	for addr, auth := range cfg.Auths {
+		// Normalize the auth key to hostname.
+		hostname := config.ToHostname(addr)
+		cred, err := auth.Credential()
+		if err != nil {
+			return nil, err
+		}
+		_, _ = s.store.LoadOrStore(hostname, cred)
+	}
+	return s, nil
+}
+
+// Get retrieves credentials from the store for the given server address.
+func (ms *memoryStore) Get(_ context.Context, serverAddress string) (auth.Credential, error) {
+	cred, found := ms.store.Load(serverAddress)
+	if !found {
+		return auth.EmptyCredential, nil
+	}
+	return cred.(auth.Credential), nil
+}
+
+// Put saves credentials into the store for the given server address.
+func (ms *memoryStore) Put(_ context.Context, serverAddress string, cred auth.Credential) error {
+	ms.store.Store(serverAddress, cred)
+	return nil
+}
+
+// Delete removes credentials from the store for the given server address.
+func (ms *memoryStore) Delete(_ context.Context, serverAddress string) error {
+	ms.store.Delete(serverAddress)
+	return nil
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store.go
new file mode 100644
index 0000000000..9f4c7f742d
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store.go
@@ -0,0 +1,139 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"os/exec"
+	"strings"
+
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/credentials/internal/executer"
+)
+
+const (
+	remoteCredentialsPrefix       = "docker-credential-"
+	emptyUsername                 = "<token>"
+	errCredentialsNotFoundMessage = "credentials not found in native keychain"
+)
+
+// dockerCredentials mimics how docker credential helper binaries store
+// credential information.
+// Reference:
+//   - https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol
+type dockerCredentials struct {
+	ServerURL string `json:"ServerURL"`
+	Username  string `json:"Username"`
+	Secret    string `json:"Secret"`
+}
+
+// nativeStore implements a credentials store using native keychain to keep
+// credentials secure.
+type nativeStore struct {
+	exec executer.Executer
+}
+
+// NewNativeStore creates a new native store that uses a remote helper program to
+// manage credentials.
+//
+// The argument of NewNativeStore can be the native keychains
+// ("wincred" for Windows, "pass" for linux and "osxkeychain" for macOS),
+// or any program that follows the docker-credentials-helper protocol.
+//
+// Reference:
+//   - https://docs.docker.com/engine/reference/commandline/login#credentials-store
+func NewNativeStore(helperSuffix string) Store {
+	return &nativeStore{
+		exec: executer.New(remoteCredentialsPrefix + helperSuffix),
+	}
+}
+
+// NewDefaultNativeStore returns a native store based on the platform-default
+// docker credentials helper and a bool indicating if the native store is
+// available.
+//   - Windows: "wincred"
+//   - Linux: "pass" or "secretservice"
+//   - macOS: "osxkeychain"
+//
+// Reference:
+//   - https://docs.docker.com/engine/reference/commandline/login/#credentials-store
+func NewDefaultNativeStore() (Store, bool) {
+	if helper := getDefaultHelperSuffix(); helper != "" {
+		return NewNativeStore(helper), true
+	}
+	return nil, false
+}
+
+// Get retrieves credentials from the store for the given server.
+func (ns *nativeStore) Get(ctx context.Context, serverAddress string) (auth.Credential, error) {
+	var cred auth.Credential
+	out, err := ns.exec.Execute(ctx, strings.NewReader(serverAddress), "get")
+	if err != nil {
+		if err.Error() == errCredentialsNotFoundMessage {
+			// do not return an error if the credentials are not in the keychain.
+			return auth.EmptyCredential, nil
+		}
+		return auth.EmptyCredential, err
+	}
+	var dockerCred dockerCredentials
+	if err := json.Unmarshal(out, &dockerCred); err != nil {
+		return auth.EmptyCredential, err
+	}
+	// bearer auth is used if the username is "<token>"
+	if dockerCred.Username == emptyUsername {
+		cred.RefreshToken = dockerCred.Secret
+	} else {
+		cred.Username = dockerCred.Username
+		cred.Password = dockerCred.Secret
+	}
+	return cred, nil
+}
+
+// Put saves credentials into the store.
+func (ns *nativeStore) Put(ctx context.Context, serverAddress string, cred auth.Credential) error {
+	dockerCred := &dockerCredentials{
+		ServerURL: serverAddress,
+		Username:  cred.Username,
+		Secret:    cred.Password,
+	}
+	if cred.RefreshToken != "" {
+		dockerCred.Username = emptyUsername
+		dockerCred.Secret = cred.RefreshToken
+	}
+	credJSON, err := json.Marshal(dockerCred)
+	if err != nil {
+		return err
+	}
+	_, err = ns.exec.Execute(ctx, bytes.NewReader(credJSON), "store")
+	return err
+}
+
+// Delete removes credentials from the store for the given server.
+func (ns *nativeStore) Delete(ctx context.Context, serverAddress string) error {
+	_, err := ns.exec.Execute(ctx, strings.NewReader(serverAddress), "erase")
+	return err
+}
+
+// getDefaultHelperSuffix returns the default credential helper suffix.
+func getDefaultHelperSuffix() string {
+	platformDefault := getPlatformDefaultHelperSuffix()
+	if _, err := exec.LookPath(remoteCredentialsPrefix + platformDefault); err == nil {
+		return platformDefault
+	}
+	return ""
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_darwin.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_darwin.go
new file mode 100644
index 0000000000..1a9aca6fc7
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_darwin.go
@@ -0,0 +1,23 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+// getPlatformDefaultHelperSuffix returns the platform default credential
+// helper suffix.
+// Reference: https://docs.docker.com/engine/reference/commandline/login/#default-behavior
+func getPlatformDefaultHelperSuffix() string {
+	return "osxkeychain"
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_generic.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_generic.go
new file mode 100644
index 0000000000..5c7d4a3b27
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_generic.go
@@ -0,0 +1,25 @@
+//go:build !windows && !darwin && !linux
+
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+// getPlatformDefaultHelperSuffix returns the platform default credential
+// helper suffix.
+// Reference: https://docs.docker.com/engine/reference/commandline/login/#default-behavior
+func getPlatformDefaultHelperSuffix() string {
+	return ""
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_linux.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_linux.go
new file mode 100644
index 0000000000..f182923b7a
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_linux.go
@@ -0,0 +1,29 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import "os/exec"
+
+// getPlatformDefaultHelperSuffix returns the platform default credential
+// helper suffix.
+// Reference: https://docs.docker.com/engine/reference/commandline/login/#default-behavior
+func getPlatformDefaultHelperSuffix() string {
+	if _, err := exec.LookPath("pass"); err == nil {
+		return "pass"
+	}
+
+	return "secretservice"
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_windows.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_windows.go
new file mode 100644
index 0000000000..e334cc79b1
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_windows.go
@@ -0,0 +1,23 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+// getPlatformDefaultHelperSuffix returns the platform default credential
+// helper suffix.
+// Reference: https://docs.docker.com/engine/reference/commandline/login/#default-behavior
+func getPlatformDefaultHelperSuffix() string {
+	return "wincred"
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/registry.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/registry.go
new file mode 100644
index 0000000000..39735b77cb
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/registry.go
@@ -0,0 +1,102 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+)
+
+// ErrClientTypeUnsupported is thrown by Login() when the registry's client type
+// is not supported.
+var ErrClientTypeUnsupported = errors.New("client type not supported")
+
+// Login provides the login functionality with the given credentials. The target
+// registry's client should be nil or of type *auth.Client. Login uses
+// a client local to the function and will not modify the original client of
+// the registry.
+func Login(ctx context.Context, store Store, reg *remote.Registry, cred auth.Credential) error {
+	// create a clone of the original registry for login purpose
+	regClone := *reg
+	// we use the original client if applicable, otherwise use a default client
+	var authClient auth.Client
+	if reg.Client == nil {
+		authClient = *auth.DefaultClient
+		authClient.Cache = nil // no cache
+	} else if client, ok := reg.Client.(*auth.Client); ok {
+		authClient = *client
+	} else {
+		return ErrClientTypeUnsupported
+	}
+	regClone.Client = &authClient
+	// update credentials with the client
+	authClient.Credential = auth.StaticCredential(reg.Reference.Registry, cred)
+	// validate and store the credential
+	if err := regClone.Ping(ctx); err != nil {
+		return fmt.Errorf("failed to validate the credentials for %s: %w", regClone.Reference.Registry, err)
+	}
+	hostname := ServerAddressFromRegistry(regClone.Reference.Registry)
+	if err := store.Put(ctx, hostname, cred); err != nil {
+		return fmt.Errorf("failed to store the credentials for %s: %w", hostname, err)
+	}
+	return nil
+}
+
+// Logout provides the logout functionality given the registry name.
+func Logout(ctx context.Context, store Store, registryName string) error {
+	registryName = ServerAddressFromRegistry(registryName)
+	if err := store.Delete(ctx, registryName); err != nil {
+		return fmt.Errorf("failed to delete the credential for %s: %w", registryName, err)
+	}
+	return nil
+}
+
+// Credential returns a Credential() function that can be used by auth.Client.
+func Credential(store Store) auth.CredentialFunc {
+	return func(ctx context.Context, hostport string) (auth.Credential, error) {
+		hostport = ServerAddressFromHostname(hostport)
+		if hostport == "" {
+			return auth.EmptyCredential, nil
+		}
+		return store.Get(ctx, hostport)
+	}
+}
+
+// ServerAddressFromRegistry maps a registry to a server address, which is used as
+// a key for credentials store. The Docker CLI expects that the credentials of
+// the registry 'docker.io' will be added under the key "https://index.docker.io/v1/".
+// See: https://github.com/moby/moby/blob/v24.0.2/registry/config.go#L25-L48
+func ServerAddressFromRegistry(registry string) string {
+	if registry == "docker.io" {
+		return "https://index.docker.io/v1/"
+	}
+	return registry
+}
+
+// ServerAddressFromHostname maps a hostname to a server address, which is used as
+// a key for credentials store. It is expected that the traffic targetting the
+// host "registry-1.docker.io" will be redirected to "https://index.docker.io/v1/".
+// See: https://github.com/moby/moby/blob/v24.0.2/registry/config.go#L25-L48
+func ServerAddressFromHostname(hostname string) string {
+	if hostname == "registry-1.docker.io" {
+		return "https://index.docker.io/v1/"
+	}
+	return hostname
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/store.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/store.go
new file mode 100644
index 0000000000..e26a98ae7a
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/store.go
@@ -0,0 +1,262 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package credentials supports reading, saving, and removing credentials from
+// Docker configuration files and external credential stores that follow
+// the Docker credential helper protocol.
+//
+// Reference: https://docs.docker.com/engine/reference/commandline/login/#credential-stores
+package credentials
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"oras.land/oras-go/v2/internal/syncutil"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/credentials/internal/config"
+)
+
+const (
+	dockerConfigDirEnv   = "DOCKER_CONFIG"
+	dockerConfigFileDir  = ".docker"
+	dockerConfigFileName = "config.json"
+)
+
+// Store is the interface that any credentials store must implement.
+type Store interface {
+	// Get retrieves credentials from the store for the given server address.
+	Get(ctx context.Context, serverAddress string) (auth.Credential, error)
+	// Put saves credentials into the store for the given server address.
+	Put(ctx context.Context, serverAddress string, cred auth.Credential) error
+	// Delete removes credentials from the store for the given server address.
+	Delete(ctx context.Context, serverAddress string) error
+}
+
+// DynamicStore dynamically determines which store to use based on the settings
+// in the config file.
+type DynamicStore struct {
+	config             *config.Config
+	options            StoreOptions
+	detectedCredsStore string
+	setCredsStoreOnce  syncutil.OnceOrRetry
+}
+
+// StoreOptions provides options for NewStore.
+type StoreOptions struct {
+	// AllowPlaintextPut allows saving credentials in plaintext in the config
+	// file.
+	//   - If AllowPlaintextPut is set to false (default value), Put() will
+	//     return an error when native store is not available.
+	//   - If AllowPlaintextPut is set to true, Put() will save credentials in
+	//     plaintext in the config file when native store is not available.
+	AllowPlaintextPut bool
+
+	// DetectDefaultNativeStore enables detecting the platform-default native
+	// credentials store when the config file has no authentication information.
+	//
+	// If DetectDefaultNativeStore is set to true, the store will detect and set
+	// the default native credentials store in the "credsStore" field of the
+	// config file.
+	//   - Windows: "wincred"
+	//   - Linux: "pass" or "secretservice"
+	//   - macOS: "osxkeychain"
+	//
+	// References:
+	//   - https://docs.docker.com/engine/reference/commandline/login/#credentials-store
+	//   - https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties
+	DetectDefaultNativeStore bool
+}
+
+// NewStore returns a Store based on the given configuration file.
+//
+// For Get(), Put() and Delete(), the returned Store will dynamically determine
+// which underlying credentials store to use for the given server address.
+// The underlying credentials store is determined in the following order:
+//  1. Native server-specific credential helper
+//  2. Native credentials store
+//  3. The plain-text config file itself
+//
+// References:
+//   - https://docs.docker.com/engine/reference/commandline/login/#credentials-store
+//   - https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties
+func NewStore(configPath string, opts StoreOptions) (*DynamicStore, error) {
+	cfg, err := config.Load(configPath)
+	if err != nil {
+		return nil, err
+	}
+	ds := &DynamicStore{
+		config:  cfg,
+		options: opts,
+	}
+	if opts.DetectDefaultNativeStore && !cfg.IsAuthConfigured() {
+		// no authentication configured, detect the default credentials store
+		ds.detectedCredsStore = getDefaultHelperSuffix()
+	}
+	return ds, nil
+}
+
+// NewStoreFromDocker returns a Store based on the default docker config file.
+//   - If the $DOCKER_CONFIG environment variable is set,
+//     $DOCKER_CONFIG/config.json will be used.
+//   - Otherwise, the default location $HOME/.docker/config.json will be used.
+//
+// NewStoreFromDocker internally calls [NewStore].
+//
+// References:
+//   - https://docs.docker.com/engine/reference/commandline/cli/#configuration-files
+//   - https://docs.docker.com/engine/reference/commandline/cli/#change-the-docker-directory
+func NewStoreFromDocker(opt StoreOptions) (*DynamicStore, error) {
+	configPath, err := getDockerConfigPath()
+	if err != nil {
+		return nil, err
+	}
+	return NewStore(configPath, opt)
+}
+
+// Get retrieves credentials from the store for the given server address.
+func (ds *DynamicStore) Get(ctx context.Context, serverAddress string) (auth.Credential, error) {
+	return ds.getStore(serverAddress).Get(ctx, serverAddress)
+}
+
+// Put saves credentials into the store for the given server address.
+// Put returns ErrPlaintextPutDisabled if native store is not available and
+// [StoreOptions].AllowPlaintextPut is set to false.
+func (ds *DynamicStore) Put(ctx context.Context, serverAddress string, cred auth.Credential) error {
+	if err := ds.getStore(serverAddress).Put(ctx, serverAddress, cred); err != nil {
+		return err
+	}
+	// save the detected creds store back to the config file on first put
+	return ds.setCredsStoreOnce.Do(func() error {
+		if ds.detectedCredsStore != "" {
+			if err := ds.config.SetCredentialsStore(ds.detectedCredsStore); err != nil {
+				return fmt.Errorf("failed to set credsStore: %w", err)
+			}
+		}
+		return nil
+	})
+}
+
+// Delete removes credentials from the store for the given server address.
+func (ds *DynamicStore) Delete(ctx context.Context, serverAddress string) error {
+	return ds.getStore(serverAddress).Delete(ctx, serverAddress)
+}
+
+// IsAuthConfigured returns whether there is authentication configured in the
+// config file or not.
+//
+// IsAuthConfigured returns true when:
+//   - The "credsStore" field is not empty
+//   - Or the "credHelpers" field is not empty
+//   - Or there is any entry in the "auths" field
+func (ds *DynamicStore) IsAuthConfigured() bool {
+	return ds.config.IsAuthConfigured()
+}
+
+// ConfigPath returns the path to the config file.
+func (ds *DynamicStore) ConfigPath() string {
+	return ds.config.Path()
+}
+
+// getHelperSuffix returns the credential helper suffix for the given server
+// address.
+func (ds *DynamicStore) getHelperSuffix(serverAddress string) string {
+	// 1. Look for a server-specific credential helper first
+	if helper := ds.config.GetCredentialHelper(serverAddress); helper != "" {
+		return helper
+	}
+	// 2. Then look for the configured native store
+	if credsStore := ds.config.CredentialsStore(); credsStore != "" {
+		return credsStore
+	}
+	// 3. Use the detected default store
+	return ds.detectedCredsStore
+}
+
+// getStore returns a store for the given server address.
+func (ds *DynamicStore) getStore(serverAddress string) Store {
+	if helper := ds.getHelperSuffix(serverAddress); helper != "" {
+		return NewNativeStore(helper)
+	}
+
+	fs := newFileStore(ds.config)
+	fs.DisablePut = !ds.options.AllowPlaintextPut
+	return fs
+}
+
+// getDockerConfigPath returns the path to the default docker config file.
+func getDockerConfigPath() (string, error) {
+	// first try the environment variable
+	configDir := os.Getenv(dockerConfigDirEnv)
+	if configDir == "" {
+		// then try home directory
+		homeDir, err := os.UserHomeDir()
+		if err != nil {
+			return "", fmt.Errorf("failed to get user home directory: %w", err)
+		}
+		configDir = filepath.Join(homeDir, dockerConfigFileDir)
+	}
+	return filepath.Join(configDir, dockerConfigFileName), nil
+}
+
+// storeWithFallbacks is a store that has multiple fallback stores.
+type storeWithFallbacks struct {
+	stores []Store
+}
+
+// NewStoreWithFallbacks returns a new store based on the given stores.
+//   - Get() searches the primary and the fallback stores
+//     for the credentials and returns when it finds the
+//     credentials in any of the stores.
+//   - Put() saves the credentials into the primary store.
+//   - Delete() deletes the credentials from the primary store.
+func NewStoreWithFallbacks(primary Store, fallbacks ...Store) Store {
+	if len(fallbacks) == 0 {
+		return primary
+	}
+	return &storeWithFallbacks{
+		stores: append([]Store{primary}, fallbacks...),
+	}
+}
+
+// Get retrieves credentials from the StoreWithFallbacks for the given server.
+// It searches the primary and the fallback stores for the credentials of serverAddress
+// and returns when it finds the credentials in any of the stores.
+func (sf *storeWithFallbacks) Get(ctx context.Context, serverAddress string) (auth.Credential, error) {
+	for _, s := range sf.stores {
+		cred, err := s.Get(ctx, serverAddress)
+		if err != nil {
+			return auth.EmptyCredential, err
+		}
+		if cred != auth.EmptyCredential {
+			return cred, nil
+		}
+	}
+	return auth.EmptyCredential, nil
+}
+
+// Put saves credentials into the StoreWithFallbacks. It puts
+// the credentials into the primary store.
+func (sf *storeWithFallbacks) Put(ctx context.Context, serverAddress string, cred auth.Credential) error {
+	return sf.stores[0].Put(ctx, serverAddress, cred)
+}
+
+// Delete removes credentials from the StoreWithFallbacks for the given server.
+// It deletes the credentials from the primary store.
+func (sf *storeWithFallbacks) Delete(ctx context.Context, serverAddress string) error {
+	return sf.stores[0].Delete(ctx, serverAddress)
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/trace/trace.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/trace/trace.go
new file mode 100644
index 0000000000..b7cd8683c4
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/trace/trace.go
@@ -0,0 +1,94 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package trace
+
+import "context"
+
+// executableTraceContextKey is a value key used to retrieve the ExecutableTrace
+// from Context.
+type executableTraceContextKey struct{}
+
+// ExecutableTrace is a set of hooks used to trace the execution of binary
+// executables. Any particular hook may be nil.
+type ExecutableTrace struct {
+	// ExecuteStart is called before the execution of the executable. The
+	// executableName parameter is the name of the credential helper executable
+	// used with NativeStore. The action parameter is one of "store", "get" and
+	// "erase".
+	//
+	// Reference:
+	//   - https://docs.docker.com/engine/reference/commandline/login#credentials-store
+	ExecuteStart func(executableName string, action string)
+
+	// ExecuteDone is called after the execution of an executable completes.
+	// The executableName parameter is the name of the credential helper
+	// executable used with NativeStore. The action parameter is one of "store",
+	// "get" and "erase". The err parameter is the error (if any) returned from
+	// the execution.
+	//
+	// Reference:
+	//   - https://docs.docker.com/engine/reference/commandline/login#credentials-store
+	ExecuteDone func(executableName string, action string, err error)
+}
+
+// ContextExecutableTrace returns the ExecutableTrace associated with the
+// context. If none, it returns nil.
+func ContextExecutableTrace(ctx context.Context) *ExecutableTrace {
+	trace, _ := ctx.Value(executableTraceContextKey{}).(*ExecutableTrace)
+	return trace
+}
+
+// WithExecutableTrace takes a Context and an ExecutableTrace, and returns a
+// Context with the ExecutableTrace added as a Value. If the Context has a
+// previously added trace, the hooks defined in the new trace will be added
+// in addition to the previous ones. The recent hooks will be called first.
+func WithExecutableTrace(ctx context.Context, trace *ExecutableTrace) context.Context {
+	if trace == nil {
+		return ctx
+	}
+	if oldTrace := ContextExecutableTrace(ctx); oldTrace != nil {
+		trace.compose(oldTrace)
+	}
+	return context.WithValue(ctx, executableTraceContextKey{}, trace)
+}
+
+// compose takes an oldTrace and modifies the existing trace to include
+// the hooks defined in the oldTrace. The hooks in the existing trace will
+// be called first.
+func (trace *ExecutableTrace) compose(oldTrace *ExecutableTrace) {
+	if oldStart := oldTrace.ExecuteStart; oldStart != nil {
+		start := trace.ExecuteStart
+		if start != nil {
+			trace.ExecuteStart = func(executableName, action string) {
+				start(executableName, action)
+				oldStart(executableName, action)
+			}
+		} else {
+			trace.ExecuteStart = oldStart
+		}
+	}
+	if oldDone := oldTrace.ExecuteDone; oldDone != nil {
+		done := trace.ExecuteDone
+		if done != nil {
+			trace.ExecuteDone = func(executableName, action string, err error) {
+				done(executableName, action, err)
+				oldDone(executableName, action, err)
+			}
+		} else {
+			trace.ExecuteDone = oldDone
+		}
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/errcode/errors.go b/vendor/oras.land/oras-go/v2/registry/remote/errcode/errors.go
new file mode 100644
index 0000000000..a32f1e5eee
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/errcode/errors.go
@@ -0,0 +1,128 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errcode
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"unicode"
+)
+
+// References:
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#error-codes
+//   - https://distribution.github.io/distribution/spec/api/#errors-2
+const (
+	ErrorCodeBlobUnknown         = "BLOB_UNKNOWN"
+	ErrorCodeBlobUploadInvalid   = "BLOB_UPLOAD_INVALID"
+	ErrorCodeBlobUploadUnknown   = "BLOB_UPLOAD_UNKNOWN"
+	ErrorCodeDigestInvalid       = "DIGEST_INVALID"
+	ErrorCodeManifestBlobUnknown = "MANIFEST_BLOB_UNKNOWN"
+	ErrorCodeManifestInvalid     = "MANIFEST_INVALID"
+	ErrorCodeManifestUnknown     = "MANIFEST_UNKNOWN"
+	ErrorCodeNameInvalid         = "NAME_INVALID"
+	ErrorCodeNameUnknown         = "NAME_UNKNOWN"
+	ErrorCodeSizeInvalid         = "SIZE_INVALID"
+	ErrorCodeUnauthorized        = "UNAUTHORIZED"
+	ErrorCodeDenied              = "DENIED"
+	ErrorCodeUnsupported         = "UNSUPPORTED"
+)
+
+// Error represents a response inner error returned by the remote
+// registry.
+// References:
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#error-codes
+//   - https://distribution.github.io/distribution/spec/api/#errors-2
+type Error struct {
+	Code    string `json:"code"`
+	Message string `json:"message"`
+	Detail  any    `json:"detail,omitempty"`
+}
+
+// Error returns a error string describing the error.
+func (e Error) Error() string {
+	code := strings.Map(func(r rune) rune {
+		if r == '_' {
+			return ' '
+		}
+		return unicode.ToLower(r)
+	}, e.Code)
+	if e.Message == "" {
+		return code
+	}
+	if e.Detail == nil {
+		return fmt.Sprintf("%s: %s", code, e.Message)
+	}
+	return fmt.Sprintf("%s: %s: %v", code, e.Message, e.Detail)
+}
+
+// Errors represents a list of response inner errors returned by the remote
+// server.
+// References:
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#error-codes
+//   - https://distribution.github.io/distribution/spec/api/#errors-2
+type Errors []Error
+
+// Error returns a error string describing the error.
+func (errs Errors) Error() string {
+	switch len(errs) {
+	case 0:
+		return "<nil>"
+	case 1:
+		return errs[0].Error()
+	}
+	var errmsgs []string
+	for _, err := range errs {
+		errmsgs = append(errmsgs, err.Error())
+	}
+	return strings.Join(errmsgs, "; ")
+}
+
+// Unwrap returns the inner error only when there is exactly one error.
+func (errs Errors) Unwrap() error {
+	if len(errs) == 1 {
+		return errs[0]
+	}
+	return nil
+}
+
+// ErrorResponse represents an error response.
+type ErrorResponse struct {
+	Method     string
+	URL        *url.URL
+	StatusCode int
+	Errors     Errors
+}
+
+// Error returns a error string describing the error.
+func (err *ErrorResponse) Error() string {
+	var errmsg string
+	if len(err.Errors) > 0 {
+		errmsg = err.Errors.Error()
+	} else {
+		errmsg = http.StatusText(err.StatusCode)
+	}
+	return fmt.Sprintf("%s %q: response status code %d: %s", err.Method, err.URL, err.StatusCode, errmsg)
+}
+
+// Unwrap returns the internal errors of err if any.
+func (err *ErrorResponse) Unwrap() error {
+	if len(err.Errors) == 0 {
+		return nil
+	}
+	return err.Errors
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/internal/errutil/errutil.go b/vendor/oras.land/oras-go/v2/registry/remote/internal/errutil/errutil.go
new file mode 100644
index 0000000000..52dc3612aa
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/internal/errutil/errutil.go
@@ -0,0 +1,54 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errutil
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+
+	"oras.land/oras-go/v2/registry/remote/errcode"
+)
+
+// maxErrorBytes specifies the default limit on how many response bytes are
+// allowed in the server's error response.
+// A typical error message is around 200 bytes. Hence, 8 KiB should be
+// sufficient.
+const maxErrorBytes int64 = 8 * 1024 // 8 KiB
+
+// ParseErrorResponse parses the error returned by the remote registry.
+func ParseErrorResponse(resp *http.Response) error {
+	resultErr := &errcode.ErrorResponse{
+		Method:     resp.Request.Method,
+		URL:        resp.Request.URL,
+		StatusCode: resp.StatusCode,
+	}
+	var body struct {
+		Errors errcode.Errors `json:"errors"`
+	}
+	lr := io.LimitReader(resp.Body, maxErrorBytes)
+	if err := json.NewDecoder(lr).Decode(&body); err == nil {
+		resultErr.Errors = body.Errors
+	}
+	return resultErr
+}
+
+// IsErrorCode returns true if err is an Error and its Code equals to code.
+func IsErrorCode(err error, code string) bool {
+	var ec errcode.Error
+	return errors.As(err, &ec) && ec.Code == code
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/manifest.go b/vendor/oras.land/oras-go/v2/registry/remote/manifest.go
new file mode 100644
index 0000000000..0e10297cb1
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/manifest.go
@@ -0,0 +1,59 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package remote
+
+import (
+	"strings"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/internal/docker"
+	"oras.land/oras-go/v2/internal/spec"
+)
+
+// defaultManifestMediaTypes contains the default set of manifests media types.
+var defaultManifestMediaTypes = []string{
+	docker.MediaTypeManifest,
+	docker.MediaTypeManifestList,
+	ocispec.MediaTypeImageManifest,
+	ocispec.MediaTypeImageIndex,
+	spec.MediaTypeArtifactManifest,
+}
+
+// defaultManifestAcceptHeader is the default set in the `Accept` header for
+// resolving manifests from tags.
+var defaultManifestAcceptHeader = strings.Join(defaultManifestMediaTypes, ", ")
+
+// isManifest determines if the given descriptor points to a manifest.
+func isManifest(manifestMediaTypes []string, desc ocispec.Descriptor) bool {
+	if len(manifestMediaTypes) == 0 {
+		manifestMediaTypes = defaultManifestMediaTypes
+	}
+	for _, mediaType := range manifestMediaTypes {
+		if desc.MediaType == mediaType {
+			return true
+		}
+	}
+	return false
+}
+
+// manifestAcceptHeader generates the set in the `Accept` header for resolving
+// manifests from tags.
+func manifestAcceptHeader(manifestMediaTypes []string) string {
+	if len(manifestMediaTypes) == 0 {
+		return defaultManifestAcceptHeader
+	}
+	return strings.Join(manifestMediaTypes, ", ")
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/referrers.go b/vendor/oras.land/oras-go/v2/registry/remote/referrers.go
new file mode 100644
index 0000000000..720430d392
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/referrers.go
@@ -0,0 +1,225 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package remote
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/internal/descriptor"
+)
+
+// zeroDigest represents a digest that consists of zeros. zeroDigest is used
+// for pinging Referrers API.
+const zeroDigest = "sha256:0000000000000000000000000000000000000000000000000000000000000000"
+
+// referrersState represents the state of Referrers API.
+type referrersState = int32
+
+const (
+	// referrersStateUnknown represents an unknown state of Referrers API.
+	referrersStateUnknown referrersState = iota
+	// referrersStateSupported represents that the repository is known to
+	// support Referrers API.
+	referrersStateSupported
+	// referrersStateUnsupported represents that the repository is known to
+	// not support Referrers API.
+	referrersStateUnsupported
+)
+
+// referrerOperation represents an operation on a referrer.
+type referrerOperation = int32
+
+const (
+	// referrerOperationAdd represents an addition operation on a referrer.
+	referrerOperationAdd referrerOperation = iota
+	// referrerOperationRemove represents a removal operation on a referrer.
+	referrerOperationRemove
+)
+
+// referrerChange represents a change on a referrer.
+type referrerChange struct {
+	referrer  ocispec.Descriptor
+	operation referrerOperation
+}
+
+var (
+	// ErrReferrersCapabilityAlreadySet is returned by SetReferrersCapability()
+	// when the Referrers API capability has been already set.
+	ErrReferrersCapabilityAlreadySet = errors.New("referrers capability cannot be changed once set")
+
+	// errNoReferrerUpdate is returned by applyReferrerChanges() when there
+	// is no any referrer update.
+	errNoReferrerUpdate = errors.New("no referrer update")
+)
+
+const (
+	// opDeleteReferrersIndex represents the operation for deleting a
+	// referrers index.
+	opDeleteReferrersIndex = "DeleteReferrersIndex"
+)
+
+// ReferrersError records an error and the operation and the subject descriptor.
+type ReferrersError struct {
+	// Op represents the failing operation.
+	Op string
+	// Subject is the descriptor of referenced artifact.
+	Subject ocispec.Descriptor
+	// Err is the entity of referrers error.
+	Err error
+}
+
+// Error returns error msg of IgnorableError.
+func (e *ReferrersError) Error() string {
+	return e.Err.Error()
+}
+
+// Unwrap returns the inner error of IgnorableError.
+func (e *ReferrersError) Unwrap() error {
+	return errors.Unwrap(e.Err)
+}
+
+// IsIndexDelete tells if e is kind of error related to referrers
+// index deletion.
+func (e *ReferrersError) IsReferrersIndexDelete() bool {
+	return e.Op == opDeleteReferrersIndex
+}
+
+// buildReferrersTag builds the referrers tag for the given manifest descriptor.
+// Format: <algorithm>-<digest>
+// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#unavailable-referrers-api
+func buildReferrersTag(desc ocispec.Descriptor) (string, error) {
+	if err := desc.Digest.Validate(); err != nil {
+		return "", fmt.Errorf("failed to build referrers tag for %s: %w", desc.Digest, err)
+	}
+	alg := desc.Digest.Algorithm().String()
+	encoded := desc.Digest.Encoded()
+	return alg + "-" + encoded, nil
+}
+
+// isReferrersFilterApplied checks if requsted is in the applied filter list.
+func isReferrersFilterApplied(applied, requested string) bool {
+	if applied == "" || requested == "" {
+		return false
+	}
+	filters := strings.Split(applied, ",")
+	for _, f := range filters {
+		if f == requested {
+			return true
+		}
+	}
+	return false
+}
+
+// filterReferrers filters a slice of referrers by artifactType in place.
+// The returned slice contains matching referrers.
+func filterReferrers(refs []ocispec.Descriptor, artifactType string) []ocispec.Descriptor {
+	if artifactType == "" {
+		return refs
+	}
+	var j int
+	for i, ref := range refs {
+		if ref.ArtifactType == artifactType {
+			if i != j {
+				refs[j] = ref
+			}
+			j++
+		}
+	}
+	return refs[:j]
+}
+
+// applyReferrerChanges applies referrerChanges on referrers and returns the
+// updated referrers.
+// Returns errNoReferrerUpdate if there is no any referrers updates.
+func applyReferrerChanges(referrers []ocispec.Descriptor, referrerChanges []referrerChange) ([]ocispec.Descriptor, error) {
+	referrersMap := make(map[descriptor.Descriptor]int, len(referrers)+len(referrerChanges))
+	updatedReferrers := make([]ocispec.Descriptor, 0, len(referrers)+len(referrerChanges))
+	var updateRequired bool
+	for _, r := range referrers {
+		if content.Equal(r, ocispec.Descriptor{}) {
+			// skip bad entry
+			updateRequired = true
+			continue
+		}
+		key := descriptor.FromOCI(r)
+		if _, ok := referrersMap[key]; ok {
+			// skip duplicates
+			updateRequired = true
+			continue
+		}
+		updatedReferrers = append(updatedReferrers, r)
+		referrersMap[key] = len(updatedReferrers) - 1
+	}
+
+	// apply changes
+	for _, change := range referrerChanges {
+		key := descriptor.FromOCI(change.referrer)
+		switch change.operation {
+		case referrerOperationAdd:
+			if _, ok := referrersMap[key]; !ok {
+				// add distinct referrers
+				updatedReferrers = append(updatedReferrers, change.referrer)
+				referrersMap[key] = len(updatedReferrers) - 1
+			}
+		case referrerOperationRemove:
+			if pos, ok := referrersMap[key]; ok {
+				// remove referrers that are already in the map
+				updatedReferrers[pos] = ocispec.Descriptor{}
+				delete(referrersMap, key)
+			}
+		}
+	}
+
+	// skip unnecessary update
+	if !updateRequired && len(referrersMap) == len(referrers) {
+		// if the result referrer map contains the same content as the
+		// original referrers, consider that there is no update on the
+		// referrers.
+		for _, r := range referrers {
+			key := descriptor.FromOCI(r)
+			if _, ok := referrersMap[key]; !ok {
+				updateRequired = true
+			}
+		}
+		if !updateRequired {
+			return nil, errNoReferrerUpdate
+		}
+	}
+
+	return removeEmptyDescriptors(updatedReferrers, len(referrersMap)), nil
+}
+
+// removeEmptyDescriptors in-place removes empty items from descs, given a hint
+// of the number of non-empty descriptors.
+func removeEmptyDescriptors(descs []ocispec.Descriptor, hint int) []ocispec.Descriptor {
+	j := 0
+	for i, r := range descs {
+		if !content.Equal(r, ocispec.Descriptor{}) {
+			if i > j {
+				descs[j] = r
+			}
+			j++
+		}
+		if j == hint {
+			break
+		}
+	}
+	return descs[:j]
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/registry.go b/vendor/oras.land/oras-go/v2/registry/remote/registry.go
new file mode 100644
index 0000000000..bb707c7e18
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/registry.go
@@ -0,0 +1,190 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package remote provides a client to the remote registry.
+// Reference: https://github.com/distribution/distribution
+package remote
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/registry"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/internal/errutil"
+)
+
+// RepositoryOptions is an alias of Repository to avoid name conflicts.
+// It also hides all methods associated with Repository.
+type RepositoryOptions Repository
+
+// Registry is an HTTP client to a remote registry.
+type Registry struct {
+	// RepositoryOptions contains common options for Registry and Repository.
+	// It is also used as a template for derived repositories.
+	RepositoryOptions
+
+	// RepositoryListPageSize specifies the page size when invoking the catalog
+	// API.
+	// If zero, the page size is determined by the remote registry.
+	// Reference: https://distribution.github.io/distribution/spec/api/#catalog
+	RepositoryListPageSize int
+}
+
+// NewRegistry creates a client to the remote registry with the specified domain
+// name.
+// Example: localhost:5000
+func NewRegistry(name string) (*Registry, error) {
+	ref := registry.Reference{
+		Registry: name,
+	}
+	if err := ref.ValidateRegistry(); err != nil {
+		return nil, err
+	}
+	return &Registry{
+		RepositoryOptions: RepositoryOptions{
+			Reference: ref,
+		},
+	}, nil
+}
+
+// client returns an HTTP client used to access the remote registry.
+// A default HTTP client is return if the client is not configured.
+func (r *Registry) client() Client {
+	if r.Client == nil {
+		return auth.DefaultClient
+	}
+	return r.Client
+}
+
+// do sends an HTTP request and returns an HTTP response using the HTTP client
+// returned by r.client().
+func (r *Registry) do(req *http.Request) (*http.Response, error) {
+	if r.HandleWarning == nil {
+		return r.client().Do(req)
+	}
+
+	resp, err := r.client().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	handleWarningHeaders(resp.Header.Values(headerWarning), r.HandleWarning)
+	return resp, nil
+}
+
+// Ping checks whether or not the registry implement Docker Registry API V2 or
+// OCI Distribution Specification.
+// Ping can be used to check authentication when an auth client is configured.
+//
+// References:
+//   - https://distribution.github.io/distribution/spec/api/#base
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#api
+func (r *Registry) Ping(ctx context.Context) error {
+	url := buildRegistryBaseURL(r.PlainHTTP, r.Reference)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := r.do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		return nil
+	case http.StatusNotFound:
+		return errdef.ErrNotFound
+	default:
+		return errutil.ParseErrorResponse(resp)
+	}
+}
+
+// Repositories lists the name of repositories available in the registry.
+// See also `RepositoryListPageSize`.
+//
+// If `last` is NOT empty, the entries in the response start after the
+// repo specified by `last`. Otherwise, the response starts from the top
+// of the Repositories list.
+//
+// Reference: https://distribution.github.io/distribution/spec/api/#catalog
+func (r *Registry) Repositories(ctx context.Context, last string, fn func(repos []string) error) error {
+	ctx = auth.AppendScopesForHost(ctx, r.Reference.Host(), auth.ScopeRegistryCatalog)
+	url := buildRegistryCatalogURL(r.PlainHTTP, r.Reference)
+	var err error
+	for err == nil {
+		url, err = r.repositories(ctx, last, fn, url)
+		// clear `last` for subsequent pages
+		last = ""
+	}
+	if err != errNoLink {
+		return err
+	}
+	return nil
+}
+
+// repositories returns a single page of repository list with the next link.
+func (r *Registry) repositories(ctx context.Context, last string, fn func(repos []string) error, url string) (string, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+	if r.RepositoryListPageSize > 0 || last != "" {
+		q := req.URL.Query()
+		if r.RepositoryListPageSize > 0 {
+			q.Set("n", strconv.Itoa(r.RepositoryListPageSize))
+		}
+		if last != "" {
+			q.Set("last", last)
+		}
+		req.URL.RawQuery = q.Encode()
+	}
+	resp, err := r.do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", errutil.ParseErrorResponse(resp)
+	}
+	var page struct {
+		Repositories []string `json:"repositories"`
+	}
+	lr := limitReader(resp.Body, r.MaxMetadataBytes)
+	if err := json.NewDecoder(lr).Decode(&page); err != nil {
+		return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err)
+	}
+	if err := fn(page.Repositories); err != nil {
+		return "", err
+	}
+
+	return parseLink(resp)
+}
+
+// Repository returns a repository reference by the given name.
+func (r *Registry) Repository(ctx context.Context, name string) (registry.Repository, error) {
+	ref := registry.Reference{
+		Registry:   r.Reference.Registry,
+		Repository: name,
+	}
+	return newRepositoryWithOptions(ref, &r.RepositoryOptions)
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/repository.go b/vendor/oras.land/oras-go/v2/registry/remote/repository.go
new file mode 100644
index 0000000000..fed993dffd
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/repository.go
@@ -0,0 +1,1681 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package remote
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"mime"
+	"net/http"
+	"slices"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+
+	"github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/cas"
+	"oras.land/oras-go/v2/internal/httputil"
+	"oras.land/oras-go/v2/internal/ioutil"
+	"oras.land/oras-go/v2/internal/spec"
+	"oras.land/oras-go/v2/internal/syncutil"
+	"oras.land/oras-go/v2/registry"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/errcode"
+	"oras.land/oras-go/v2/registry/remote/internal/errutil"
+)
+
+const (
+	// headerDockerContentDigest is the "Docker-Content-Digest" header.
+	// If present on the response, it contains the canonical digest of the
+	// uploaded blob.
+	//
+	// References:
+	//   - https://distribution.github.io/distribution/spec/api/#digest-header
+	//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pull
+	headerDockerContentDigest = "Docker-Content-Digest"
+
+	// headerOCIFiltersApplied is the "OCI-Filters-Applied" header.
+	// If present on the response, it contains a comma-separated list of the
+	// applied filters.
+	//
+	// Reference:
+	//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+	headerOCIFiltersApplied = "OCI-Filters-Applied"
+
+	// headerOCISubject is the "OCI-Subject" header.
+	// If present on the response, it contains the digest of the subject,
+	// indicating that Referrers API is supported by the registry.
+	headerOCISubject = "OCI-Subject"
+)
+
+// filterTypeArtifactType is the "artifactType" filter applied on the list of
+// referrers.
+//
+// References:
+//   - Latest spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+//   - Compatible spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers
+const filterTypeArtifactType = "artifactType"
+
+// Client is an interface for a HTTP client.
+type Client interface {
+	// Do sends an HTTP request and returns an HTTP response.
+	//
+	// Unlike http.RoundTripper, Client can attempt to interpret the response
+	// and handle higher-level protocol details such as redirects and
+	// authentication.
+	//
+	// Like http.RoundTripper, Client should not modify the request, and must
+	// always close the request body.
+	Do(*http.Request) (*http.Response, error)
+}
+
+// Repository is an HTTP client to a remote repository.
+type Repository struct {
+	// Client is the underlying HTTP client used to access the remote registry.
+	// If nil, auth.DefaultClient is used.
+	Client Client
+
+	// Reference references the remote repository.
+	Reference registry.Reference
+
+	// PlainHTTP signals the transport to access the remote repository via HTTP
+	// instead of HTTPS.
+	PlainHTTP bool
+
+	// ManifestMediaTypes is used in `Accept` header for resolving manifests
+	// from references. It is also used in identifying manifests and blobs from
+	// descriptors. If an empty list is present, default manifest media types
+	// are used.
+	ManifestMediaTypes []string
+
+	// TagListPageSize specifies the page size when invoking the tag list API.
+	// If zero, the page size is determined by the remote registry.
+	// Reference: https://distribution.github.io/distribution/spec/api/#tags
+	TagListPageSize int
+
+	// ReferrerListPageSize specifies the page size when invoking the Referrers
+	// API.
+	// If zero, the page size is determined by the remote registry.
+	//
+	// NOTE: Pagination for the Referrers API is not defined in the distribution
+	// spec, so not all registries support it. ReferrerListPageSize may be
+	// ignored if pagination is unsupported by the remote registry.
+	//
+	// Reference: https://github.com/oras-project/oras-go/issues/841
+	ReferrerListPageSize int
+
+	// MaxMetadataBytes specifies a limit on how many response bytes are allowed
+	// in the server's response to the metadata APIs, such as catalog list, tag
+	// list, and referrers list.
+	// If less than or equal to zero, a default (currently 4MiB) is used.
+	MaxMetadataBytes int64
+
+	// SkipReferrersGC specifies whether to delete the dangling referrers
+	// index when referrers tag schema is utilized.
+	//  - If false, the old referrers index will be deleted after the new one
+	//    is successfully uploaded.
+	//  - If true, the old referrers index is kept.
+	// By default, it is disabled (set to false). See also:
+	//  - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#referrers-tag-schema
+	//  - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-manifests-with-subject
+	//  - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#deleting-manifests
+	SkipReferrersGC bool
+
+	// HandleWarning handles the warning returned by the remote server.
+	// Callers SHOULD deduplicate warnings from multiple associated responses.
+	//
+	// References:
+	//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#warnings
+	//   - https://www.rfc-editor.org/rfc/rfc7234#section-5.5
+	HandleWarning func(warning Warning)
+
+	// NOTE: Must keep fields in sync with clone().
+
+	// referrersState represents that if the repository supports Referrers API.
+	// default: referrersStateUnknown
+	referrersState referrersState
+
+	// referrersPingLock locks the pingReferrers() method and allows only
+	// one go-routine to send the request.
+	referrersPingLock sync.Mutex
+
+	// referrersMergePool provides a way to manage concurrent updates to a
+	// referrers index tagged by referrers tag schema.
+	referrersMergePool syncutil.Pool[syncutil.Merge[referrerChange]]
+}
+
+// NewRepository creates a client to the remote repository identified by a
+// reference.
+// Example: localhost:5000/hello-world
+func NewRepository(reference string) (*Repository, error) {
+	ref, err := registry.ParseReference(reference)
+	if err != nil {
+		return nil, err
+	}
+	return &Repository{
+		Reference: ref,
+	}, nil
+}
+
+// newRepositoryWithOptions returns a Repository with the given Reference and
+// RepositoryOptions.
+//
+// RepositoryOptions are part of the Registry struct and set its defaults.
+// RepositoryOptions shares the same struct definition as Repository, which
+// contains unexported state that must not be copied to multiple Repositories.
+// To handle this we explicitly copy only the fields that we want to reproduce.
+func newRepositoryWithOptions(ref registry.Reference, opts *RepositoryOptions) (*Repository, error) {
+	if err := ref.ValidateRepository(); err != nil {
+		return nil, err
+	}
+	repo := (*Repository)(opts).clone()
+	repo.Reference = ref
+	return repo, nil
+}
+
+// clone makes a copy of the Repository being careful not to copy non-copyable fields (sync.Mutex and syncutil.Pool types)
+func (r *Repository) clone() *Repository {
+	return &Repository{
+		Client:               r.Client,
+		Reference:            r.Reference,
+		PlainHTTP:            r.PlainHTTP,
+		ManifestMediaTypes:   slices.Clone(r.ManifestMediaTypes),
+		TagListPageSize:      r.TagListPageSize,
+		ReferrerListPageSize: r.ReferrerListPageSize,
+		MaxMetadataBytes:     r.MaxMetadataBytes,
+		SkipReferrersGC:      r.SkipReferrersGC,
+		HandleWarning:        r.HandleWarning,
+	}
+}
+
+// SetReferrersCapability indicates the Referrers API capability of the remote
+// repository. true: capable; false: not capable.
+//
+// SetReferrersCapability is valid only when it is called for the first time.
+// SetReferrersCapability returns ErrReferrersCapabilityAlreadySet if the
+// Referrers API capability has been already set.
+//   - When the capability is set to true, the Referrers() function will always
+//     request the Referrers API. Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+//   - When the capability is set to false, the Referrers() function will always
+//     request the Referrers Tag. Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#referrers-tag-schema
+//   - When the capability is not set, the Referrers() function will automatically
+//     determine which API to use.
+func (r *Repository) SetReferrersCapability(capable bool) error {
+	var state referrersState
+	if capable {
+		state = referrersStateSupported
+	} else {
+		state = referrersStateUnsupported
+	}
+	if swapped := atomic.CompareAndSwapInt32(&r.referrersState, referrersStateUnknown, state); !swapped {
+		if fact := r.loadReferrersState(); fact != state {
+			return fmt.Errorf("%w: current capability = %v, new capability = %v",
+				ErrReferrersCapabilityAlreadySet,
+				fact == referrersStateSupported,
+				capable)
+		}
+	}
+	return nil
+}
+
+// setReferrersState atomically loads r.referrersState.
+func (r *Repository) loadReferrersState() referrersState {
+	return atomic.LoadInt32(&r.referrersState)
+}
+
+// client returns an HTTP client used to access the remote repository.
+// A default HTTP client is return if the client is not configured.
+func (r *Repository) client() Client {
+	if r.Client == nil {
+		return auth.DefaultClient
+	}
+	return r.Client
+}
+
+// do sends an HTTP request and returns an HTTP response using the HTTP client
+// returned by r.client().
+func (r *Repository) do(req *http.Request) (*http.Response, error) {
+	if r.HandleWarning == nil {
+		return r.client().Do(req)
+	}
+
+	resp, err := r.client().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	handleWarningHeaders(resp.Header.Values(headerWarning), r.HandleWarning)
+	return resp, nil
+}
+
+// blobStore detects the blob store for the given descriptor.
+func (r *Repository) blobStore(desc ocispec.Descriptor) registry.BlobStore {
+	if isManifest(r.ManifestMediaTypes, desc) {
+		return r.Manifests()
+	}
+	return r.Blobs()
+}
+
+// Fetch fetches the content identified by the descriptor.
+func (r *Repository) Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) {
+	return r.blobStore(target).Fetch(ctx, target)
+}
+
+// Push pushes the content, matching the expected descriptor.
+func (r *Repository) Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error {
+	return r.blobStore(expected).Push(ctx, expected, content)
+}
+
+// Mount makes the blob with the given digest in fromRepo
+// available in the repository signified by the receiver.
+//
+// This avoids the need to pull content down from fromRepo only to push it to r.
+//
+// If the registry does not implement mounting, getContent will be used to get the
+// content to push. If getContent is nil, the content will be pulled from the source
+// repository. If getContent returns an error, it will be wrapped inside the error
+// returned from Mount.
+func (r *Repository) Mount(ctx context.Context, desc ocispec.Descriptor, fromRepo string, getContent func() (io.ReadCloser, error)) error {
+	return r.Blobs().(registry.Mounter).Mount(ctx, desc, fromRepo, getContent)
+}
+
+// Exists returns true if the described content exists.
+func (r *Repository) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) {
+	return r.blobStore(target).Exists(ctx, target)
+}
+
+// Delete removes the content identified by the descriptor.
+func (r *Repository) Delete(ctx context.Context, target ocispec.Descriptor) error {
+	return r.blobStore(target).Delete(ctx, target)
+}
+
+// Blobs provides access to the blob CAS only, which contains config blobs,
+// layers, and other generic blobs.
+func (r *Repository) Blobs() registry.BlobStore {
+	return &blobStore{repo: r}
+}
+
+// Manifests provides access to the manifest CAS only.
+func (r *Repository) Manifests() registry.ManifestStore {
+	return &manifestStore{repo: r}
+}
+
+// Resolve resolves a reference to a manifest descriptor.
+// See also `ManifestMediaTypes`.
+func (r *Repository) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) {
+	return r.Manifests().Resolve(ctx, reference)
+}
+
+// Tag tags a manifest descriptor with a reference string.
+func (r *Repository) Tag(ctx context.Context, desc ocispec.Descriptor, reference string) error {
+	return r.Manifests().Tag(ctx, desc, reference)
+}
+
+// PushReference pushes the manifest with a reference tag.
+func (r *Repository) PushReference(ctx context.Context, expected ocispec.Descriptor, content io.Reader, reference string) error {
+	return r.Manifests().PushReference(ctx, expected, content, reference)
+}
+
+// FetchReference fetches the manifest identified by the reference.
+// The reference can be a tag or digest.
+func (r *Repository) FetchReference(ctx context.Context, reference string) (ocispec.Descriptor, io.ReadCloser, error) {
+	return r.Manifests().FetchReference(ctx, reference)
+}
+
+// ParseReference resolves a tag or a digest reference to a fully qualified
+// reference from a base reference r.Reference.
+// Tag, digest, or fully qualified references are accepted as input.
+//
+// If reference is a fully qualified reference, then ParseReference parses it
+// and returns the parsed reference. If the parsed reference does not share
+// the same base reference with the Repository r, ParseReference returns a
+// wrapped error ErrInvalidReference.
+func (r *Repository) ParseReference(reference string) (registry.Reference, error) {
+	ref, err := registry.ParseReference(reference)
+	if err != nil {
+		ref = registry.Reference{
+			Registry:   r.Reference.Registry,
+			Repository: r.Reference.Repository,
+			Reference:  reference,
+		}
+
+		// reference is not a FQDN
+		if index := strings.IndexByte(reference, '@'); index != -1 {
+			// `@` implies *digest*, so drop the *tag* (irrespective of what it is).
+			ref.Reference = reference[index+1:]
+			err = ref.ValidateReferenceAsDigest()
+		} else {
+			err = ref.ValidateReference()
+		}
+
+		if err != nil {
+			return registry.Reference{}, err
+		}
+	} else if ref.Registry != r.Reference.Registry || ref.Repository != r.Reference.Repository {
+		return registry.Reference{}, fmt.Errorf(
+			"%w: mismatch between received %q and expected %q",
+			errdef.ErrInvalidReference, ref, r.Reference,
+		)
+	}
+
+	if len(ref.Reference) == 0 {
+		return registry.Reference{}, errdef.ErrInvalidReference
+	}
+
+	return ref, nil
+}
+
+// Tags lists the tags available in the repository.
+// See also `TagListPageSize`.
+// If `last` is NOT empty, the entries in the response start after the
+// tag specified by `last`. Otherwise, the response starts from the top
+// of the Tags list.
+//
+// References:
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#content-discovery
+//   - https://distribution.github.io/distribution/spec/api/#tags
+func (r *Repository) Tags(ctx context.Context, last string, fn func(tags []string) error) error {
+	ctx = auth.AppendRepositoryScope(ctx, r.Reference, auth.ActionPull)
+	url := buildRepositoryTagListURL(r.PlainHTTP, r.Reference)
+	var err error
+	for err == nil {
+		url, err = r.tags(ctx, last, fn, url)
+		// clear `last` for subsequent pages
+		last = ""
+	}
+	if err != errNoLink {
+		return err
+	}
+	return nil
+}
+
+// tags returns a single page of tag list with the next link.
+func (r *Repository) tags(ctx context.Context, last string, fn func(tags []string) error, url string) (string, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+	if r.TagListPageSize > 0 || last != "" {
+		q := req.URL.Query()
+		if r.TagListPageSize > 0 {
+			q.Set("n", strconv.Itoa(r.TagListPageSize))
+		}
+		if last != "" {
+			q.Set("last", last)
+		}
+		req.URL.RawQuery = q.Encode()
+	}
+	resp, err := r.do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", errutil.ParseErrorResponse(resp)
+	}
+	var page struct {
+		Tags []string `json:"tags"`
+	}
+	lr := limitReader(resp.Body, r.MaxMetadataBytes)
+	if err := json.NewDecoder(lr).Decode(&page); err != nil {
+		return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err)
+	}
+	if err := fn(page.Tags); err != nil {
+		return "", err
+	}
+
+	return parseLink(resp)
+}
+
+// Predecessors returns the descriptors of image or artifact manifests directly
+// referencing the given manifest descriptor.
+// Predecessors internally leverages Referrers.
+// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+func (r *Repository) Predecessors(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+	var res []ocispec.Descriptor
+	if err := r.Referrers(ctx, desc, "", func(referrers []ocispec.Descriptor) error {
+		res = append(res, referrers...)
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+// Referrers lists the descriptors of image or artifact manifests directly
+// referencing the given manifest descriptor.
+//
+// fn is called for each page of the referrers result.
+// If artifactType is not empty, only referrers of the same artifact type are
+// fed to fn.
+//
+// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+func (r *Repository) Referrers(ctx context.Context, desc ocispec.Descriptor, artifactType string, fn func(referrers []ocispec.Descriptor) error) error {
+	state := r.loadReferrersState()
+	if state == referrersStateUnsupported {
+		// The repository is known to not support Referrers API, fallback to
+		// referrers tag schema.
+		return r.referrersByTagSchema(ctx, desc, artifactType, fn)
+	}
+
+	err := r.referrersByAPI(ctx, desc, artifactType, fn)
+	if state == referrersStateSupported {
+		// The repository is known to support Referrers API, no fallback.
+		return err
+	}
+
+	// The referrers state is unknown.
+	if err != nil {
+		if errors.Is(err, errdef.ErrUnsupported) {
+			// Referrers API is not supported, fallback to referrers tag schema.
+			r.SetReferrersCapability(false)
+			return r.referrersByTagSchema(ctx, desc, artifactType, fn)
+		}
+		return err
+	}
+
+	r.SetReferrersCapability(true)
+	return nil
+}
+
+// referrersByAPI lists the descriptors of manifests directly referencing
+// the given manifest descriptor by requesting Referrers API.
+// fn is called for the referrers result. If artifactType is not empty,
+// only referrers of the same artifact type are fed to fn.
+func (r *Repository) referrersByAPI(ctx context.Context, desc ocispec.Descriptor, artifactType string, fn func(referrers []ocispec.Descriptor) error) error {
+	ref := r.Reference
+	ref.Reference = desc.Digest.String()
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull)
+
+	url := buildReferrersURL(r.PlainHTTP, ref, artifactType)
+	var err error
+	for err == nil {
+		url, err = r.referrersPageByAPI(ctx, artifactType, fn, url)
+	}
+	if err == errNoLink {
+		return nil
+	}
+	return err
+}
+
+// referrersPageByAPI lists a single page of the descriptors of manifests
+// directly referencing the given manifest descriptor. fn is called for
+// a page of referrersPageByAPI result.
+// If artifactType is not empty, only referrersPageByAPI of the same
+// artifact type are fed to fn.
+// referrersPageByAPI returns the link url for the next page.
+func (r *Repository) referrersPageByAPI(ctx context.Context, artifactType string, fn func(referrers []ocispec.Descriptor) error, url string) (string, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+	if r.ReferrerListPageSize > 0 {
+		q := req.URL.Query()
+		q.Set("n", strconv.Itoa(r.ReferrerListPageSize))
+		req.URL.RawQuery = q.Encode()
+	}
+
+	resp, err := r.do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+	case http.StatusNotFound:
+		if errResp := errutil.ParseErrorResponse(resp); errutil.IsErrorCode(errResp, errcode.ErrorCodeNameUnknown) {
+			// The repository is not found, Referrers API status is unknown
+			return "", errResp
+		}
+		// Referrers API is not supported.
+		return "", fmt.Errorf("failed to query referrers API: %w", errdef.ErrUnsupported)
+	default:
+		return "", errutil.ParseErrorResponse(resp)
+	}
+
+	// also check the content type
+	if ct := resp.Header.Get("Content-Type"); ct != ocispec.MediaTypeImageIndex {
+		return "", fmt.Errorf("unknown content returned (%s), expecting image index: %w", ct, errdef.ErrUnsupported)
+	}
+
+	var index ocispec.Index
+	lr := limitReader(resp.Body, r.MaxMetadataBytes)
+	if err := json.NewDecoder(lr).Decode(&index); err != nil {
+		return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err)
+	}
+
+	referrers := index.Manifests
+	if artifactType != "" {
+		// check both filters header and filters annotations for compatibility
+		// latest spec for filters header: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+		// older spec for filters annotations: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers
+		filtersHeader := resp.Header.Get(headerOCIFiltersApplied)
+		filtersAnnotation := index.Annotations[spec.AnnotationReferrersFiltersApplied]
+		if !isReferrersFilterApplied(filtersHeader, filterTypeArtifactType) &&
+			!isReferrersFilterApplied(filtersAnnotation, filterTypeArtifactType) {
+			// perform client side filtering if the filter is not applied on the server side
+			referrers = filterReferrers(referrers, artifactType)
+		}
+	}
+	if len(referrers) > 0 {
+		if err := fn(referrers); err != nil {
+			return "", err
+		}
+	}
+	return parseLink(resp)
+}
+
+// referrersByTagSchema lists the descriptors of manifests directly
+// referencing the given manifest descriptor by requesting referrers tag.
+// fn is called for the referrers result. If artifactType is not empty,
+// only referrers of the same artifact type are fed to fn.
+// reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#backwards-compatibility
+func (r *Repository) referrersByTagSchema(ctx context.Context, desc ocispec.Descriptor, artifactType string, fn func(referrers []ocispec.Descriptor) error) error {
+	referrersTag, err := buildReferrersTag(desc)
+	if err != nil {
+		return err
+	}
+	_, referrers, err := r.referrersFromIndex(ctx, referrersTag)
+	if err != nil {
+		if errors.Is(err, errdef.ErrNotFound) {
+			// no referrers to the manifest
+			return nil
+		}
+		return err
+	}
+
+	filtered := filterReferrers(referrers, artifactType)
+	if len(filtered) == 0 {
+		return nil
+	}
+	return fn(filtered)
+}
+
+// referrersFromIndex queries the referrers index using the the given referrers
+// tag. If Succeeded, returns the descriptor of referrers index and the
+// referrers list.
+func (r *Repository) referrersFromIndex(ctx context.Context, referrersTag string) (ocispec.Descriptor, []ocispec.Descriptor, error) {
+	desc, rc, err := r.FetchReference(ctx, referrersTag)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	defer rc.Close()
+
+	if err := limitSize(desc, r.MaxMetadataBytes); err != nil {
+		return ocispec.Descriptor{}, nil, fmt.Errorf("failed to read referrers index from referrers tag %s: %w", referrersTag, err)
+	}
+	var index ocispec.Index
+	if err := decodeJSON(rc, desc, &index); err != nil {
+		return ocispec.Descriptor{}, nil, fmt.Errorf("failed to decode referrers index from referrers tag %s: %w", referrersTag, err)
+	}
+
+	return desc, index.Manifests, nil
+}
+
+// pingReferrers returns true if the Referrers API is available for r.
+func (r *Repository) pingReferrers(ctx context.Context) (bool, error) {
+	switch r.loadReferrersState() {
+	case referrersStateSupported:
+		return true, nil
+	case referrersStateUnsupported:
+		return false, nil
+	}
+
+	// referrers state is unknown
+	// limit the rate of pinging referrers API
+	r.referrersPingLock.Lock()
+	defer r.referrersPingLock.Unlock()
+
+	switch r.loadReferrersState() {
+	case referrersStateSupported:
+		return true, nil
+	case referrersStateUnsupported:
+		return false, nil
+	}
+
+	ref := r.Reference
+	ref.Reference = zeroDigest
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull)
+
+	url := buildReferrersURL(r.PlainHTTP, ref, "")
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return false, err
+	}
+	resp, err := r.do(req)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		supported := resp.Header.Get("Content-Type") == ocispec.MediaTypeImageIndex
+		r.SetReferrersCapability(supported)
+		return supported, nil
+	case http.StatusNotFound:
+		if err := errutil.ParseErrorResponse(resp); errutil.IsErrorCode(err, errcode.ErrorCodeNameUnknown) {
+			// repository not found
+			return false, err
+		}
+		r.SetReferrersCapability(false)
+		return false, nil
+	default:
+		return false, errutil.ParseErrorResponse(resp)
+	}
+}
+
+// delete removes the content identified by the descriptor in the entity "blobs"
+// or "manifests".
+func (r *Repository) delete(ctx context.Context, target ocispec.Descriptor, isManifest bool) error {
+	ref := r.Reference
+	ref.Reference = target.Digest.String()
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionDelete)
+	buildURL := buildRepositoryBlobURL
+	if isManifest {
+		buildURL = buildRepositoryManifestURL
+	}
+	url := buildURL(r.PlainHTTP, ref)
+	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, url, nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := r.do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusAccepted:
+		return verifyContentDigest(resp, target.Digest)
+	case http.StatusNotFound:
+		return fmt.Errorf("%s: %w", target.Digest, errdef.ErrNotFound)
+	default:
+		return errutil.ParseErrorResponse(resp)
+	}
+}
+
+// blobStore accesses the blob part of the repository.
+type blobStore struct {
+	repo *Repository
+}
+
+// Fetch fetches the content identified by the descriptor.
+func (s *blobStore) Fetch(ctx context.Context, target ocispec.Descriptor) (rc io.ReadCloser, err error) {
+	ref := s.repo.Reference
+	ref.Reference = target.Digest.String()
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull)
+	url := buildRepositoryBlobURL(s.repo.PlainHTTP, ref)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			resp.Body.Close()
+		}
+	}()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		if size := resp.ContentLength; size != -1 && size != target.Size {
+			return nil, fmt.Errorf("%s %q: mismatch Content-Length", resp.Request.Method, resp.Request.URL)
+		}
+		if err := verifyContentDigest(resp, target.Digest); err != nil {
+			return nil, err
+		}
+
+		// check server range request capability.
+		// Docker spec allows range header form of "Range: bytes=<start>-<end>".
+		// However, the remote server may still not RFC 7233 compliant.
+		// Reference: https://distribution.github.io/distribution/spec/api/#blob
+		if rangeUnit := resp.Header.Get("Accept-Ranges"); rangeUnit == "bytes" {
+			return httputil.NewReadSeekCloser(s.repo.client(), req, resp.Body, target.Size), nil
+		}
+		return resp.Body, nil
+	case http.StatusNotFound:
+		return nil, fmt.Errorf("%s: %w", target.Digest, errdef.ErrNotFound)
+	default:
+		return nil, errutil.ParseErrorResponse(resp)
+	}
+}
+
+// Mount mounts the given descriptor from fromRepo into s.
+func (s *blobStore) Mount(ctx context.Context, desc ocispec.Descriptor, fromRepo string, getContent func() (io.ReadCloser, error)) error {
+	// pushing usually requires both pull and push actions.
+	// Reference: https://github.com/distribution/distribution/blob/v2.7.1/registry/handlers/app.go#L921-L930
+	ctx = auth.AppendRepositoryScope(ctx, s.repo.Reference, auth.ActionPull, auth.ActionPush)
+
+	// We also need pull access to the source repo.
+	fromRef := s.repo.Reference
+	fromRef.Repository = fromRepo
+	ctx = auth.AppendRepositoryScope(ctx, fromRef, auth.ActionPull)
+
+	url := buildRepositoryBlobMountURL(s.repo.PlainHTTP, s.repo.Reference, desc.Digest, fromRepo)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, nil)
+	if err != nil {
+		return err
+	}
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode == http.StatusCreated {
+		defer resp.Body.Close()
+		// Check the server seems to be behaving.
+		return verifyContentDigest(resp, desc.Digest)
+	}
+	if resp.StatusCode != http.StatusAccepted {
+		defer resp.Body.Close()
+		return errutil.ParseErrorResponse(resp)
+	}
+	resp.Body.Close()
+	// From the [spec]:
+	//
+	// "If a registry does not support cross-repository mounting
+	// or is unable to mount the requested blob,
+	// it SHOULD return a 202.
+	// This indicates that the upload session has begun
+	// and that the client MAY proceed with the upload."
+	//
+	// So we need to get the content from somewhere in order to
+	// push it. If the caller has provided a getContent function, we
+	// can use that, otherwise pull the content from the source repository.
+	//
+	// [spec]: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#mounting-a-blob-from-another-repository
+
+	var r io.ReadCloser
+	if getContent != nil {
+		r, err = getContent()
+	} else {
+		r, err = s.sibling(fromRepo).Fetch(ctx, desc)
+	}
+	if err != nil {
+		return fmt.Errorf("cannot read source blob: %w", err)
+	}
+	defer r.Close()
+	return s.completePushAfterInitialPost(ctx, req, resp, desc, r)
+}
+
+// sibling returns a blob store for another repository in the same
+// registry.
+func (s *blobStore) sibling(otherRepoName string) *blobStore {
+	otherRepo := s.repo.clone()
+	otherRepo.Reference.Repository = otherRepoName
+	return &blobStore{
+		repo: otherRepo,
+	}
+}
+
+// Push pushes the content, matching the expected descriptor.
+// Existing content is not checked by Push() to minimize the number of out-going
+// requests.
+// Push is done by conventional 2-step monolithic upload instead of a single
+// `POST` request for better overall performance. It also allows early fail on
+// authentication errors.
+//
+// References:
+//   - https://distribution.github.io/distribution/spec/api/#pushing-an-image
+//   - https://distribution.github.io/distribution/spec/api/#initiate-blob-upload
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-a-blob-monolithically
+func (s *blobStore) Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error {
+	// start an upload
+	// pushing usually requires both pull and push actions.
+	// Reference: https://github.com/distribution/distribution/blob/v2.7.1/registry/handlers/app.go#L921-L930
+	ctx = auth.AppendRepositoryScope(ctx, s.repo.Reference, auth.ActionPull, auth.ActionPush)
+	url := buildRepositoryBlobUploadURL(s.repo.PlainHTTP, s.repo.Reference)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusAccepted {
+		defer resp.Body.Close()
+		return errutil.ParseErrorResponse(resp)
+	}
+	resp.Body.Close()
+	return s.completePushAfterInitialPost(ctx, req, resp, expected, content)
+}
+
+// completePushAfterInitialPost implements step 2 of the push protocol. This can be invoked either by
+// Push or by Mount when the receiving repository does not implement the
+// mount endpoint.
+func (s *blobStore) completePushAfterInitialPost(ctx context.Context, req *http.Request, resp *http.Response, expected ocispec.Descriptor, content io.Reader) error {
+	reqHostname := req.URL.Hostname()
+	reqPort := req.URL.Port()
+	// monolithic upload
+	location, err := resp.Location()
+	if err != nil {
+		return err
+	}
+	// work-around solution for https://github.com/oras-project/oras-go/issues/177
+	// For some registries, if the port 443 is explicitly set to the hostname
+	// like registry.wabbit-networks.io:443/myrepo, blob push will fail since
+	// the hostname of the Location header in the response is set to
+	// registry.wabbit-networks.io instead of registry.wabbit-networks.io:443.
+	locationHostname := location.Hostname()
+	locationPort := location.Port()
+	// if location port 443 is missing, add it back
+	if reqPort == "443" && locationHostname == reqHostname && locationPort == "" {
+		location.Host = locationHostname + ":" + reqPort
+	}
+	url := location.String()
+	req, err = http.NewRequestWithContext(ctx, http.MethodPut, url, content)
+	if err != nil {
+		return err
+	}
+	if req.GetBody != nil && req.ContentLength != expected.Size {
+		// short circuit a size mismatch for built-in types.
+		return fmt.Errorf("mismatch content length %d: expect %d", req.ContentLength, expected.Size)
+	}
+	req.ContentLength = expected.Size
+	// the expected media type is ignored as in the API doc.
+	req.Header.Set("Content-Type", "application/octet-stream")
+	q := req.URL.Query()
+	q.Set("digest", expected.Digest.String())
+	req.URL.RawQuery = q.Encode()
+
+	// reuse credential from previous POST request
+	if auth := resp.Request.Header.Get("Authorization"); auth != "" {
+		req.Header.Set("Authorization", auth)
+	}
+	resp, err = s.repo.do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusCreated {
+		return errutil.ParseErrorResponse(resp)
+	}
+	return nil
+}
+
+// Exists returns true if the described content exists.
+func (s *blobStore) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) {
+	_, err := s.Resolve(ctx, target.Digest.String())
+	if err == nil {
+		return true, nil
+	}
+	if errors.Is(err, errdef.ErrNotFound) {
+		return false, nil
+	}
+	return false, err
+}
+
+// Delete removes the content identified by the descriptor.
+func (s *blobStore) Delete(ctx context.Context, target ocispec.Descriptor) error {
+	return s.repo.delete(ctx, target, false)
+}
+
+// Resolve resolves a reference to a descriptor.
+func (s *blobStore) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) {
+	ref, err := s.repo.ParseReference(reference)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	refDigest, err := ref.Digest()
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull)
+	url := buildRepositoryBlobURL(s.repo.PlainHTTP, ref)
+	req, err := http.NewRequestWithContext(ctx, http.MethodHead, url, nil)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		return generateBlobDescriptor(resp, refDigest)
+	case http.StatusNotFound:
+		return ocispec.Descriptor{}, fmt.Errorf("%s: %w", ref, errdef.ErrNotFound)
+	default:
+		return ocispec.Descriptor{}, errutil.ParseErrorResponse(resp)
+	}
+}
+
+// FetchReference fetches the blob identified by the reference.
+// The reference must be a digest.
+func (s *blobStore) FetchReference(ctx context.Context, reference string) (desc ocispec.Descriptor, rc io.ReadCloser, err error) {
+	ref, err := s.repo.ParseReference(reference)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	refDigest, err := ref.Digest()
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull)
+	url := buildRepositoryBlobURL(s.repo.PlainHTTP, ref)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	defer func() {
+		if err != nil {
+			resp.Body.Close()
+		}
+	}()
+
+	switch resp.StatusCode {
+	case http.StatusOK: // server does not support seek as `Range` was ignored.
+		if resp.ContentLength == -1 {
+			desc, err = s.Resolve(ctx, reference)
+		} else {
+			desc, err = generateBlobDescriptor(resp, refDigest)
+		}
+		if err != nil {
+			return ocispec.Descriptor{}, nil, err
+		}
+
+		// check server range request capability.
+		// Docker spec allows range header form of "Range: bytes=<start>-<end>".
+		// However, the remote server may still not RFC 7233 compliant.
+		// Reference: https://distribution.github.io/distribution/spec/api/#blob
+		if rangeUnit := resp.Header.Get("Accept-Ranges"); rangeUnit == "bytes" {
+			return desc, httputil.NewReadSeekCloser(s.repo.client(), req, resp.Body, desc.Size), nil
+		}
+		return desc, resp.Body, nil
+	case http.StatusNotFound:
+		return ocispec.Descriptor{}, nil, fmt.Errorf("%s: %w", ref, errdef.ErrNotFound)
+	default:
+		return ocispec.Descriptor{}, nil, errutil.ParseErrorResponse(resp)
+	}
+}
+
+// generateBlobDescriptor returns a descriptor generated from the response.
+func generateBlobDescriptor(resp *http.Response, refDigest digest.Digest) (ocispec.Descriptor, error) {
+	mediaType, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	if mediaType == "" {
+		mediaType = "application/octet-stream"
+	}
+
+	size := resp.ContentLength
+	if size == -1 {
+		return ocispec.Descriptor{}, fmt.Errorf("%s %q: unknown response Content-Length", resp.Request.Method, resp.Request.URL)
+	}
+
+	if err := verifyContentDigest(resp, refDigest); err != nil {
+		return ocispec.Descriptor{}, err
+	}
+
+	return ocispec.Descriptor{
+		MediaType: mediaType,
+		Digest:    refDigest,
+		Size:      size,
+	}, nil
+}
+
+// manifestStore accesses the manifest part of the repository.
+type manifestStore struct {
+	repo *Repository
+}
+
+// Fetch fetches the content identified by the descriptor.
+func (s *manifestStore) Fetch(ctx context.Context, target ocispec.Descriptor) (rc io.ReadCloser, err error) {
+	ref := s.repo.Reference
+	ref.Reference = target.Digest.String()
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull)
+	url := buildRepositoryManifestURL(s.repo.PlainHTTP, ref)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Accept", target.MediaType)
+
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			resp.Body.Close()
+		}
+	}()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		// no-op
+	case http.StatusNotFound:
+		return nil, fmt.Errorf("%s: %w", target.Digest, errdef.ErrNotFound)
+	default:
+		return nil, errutil.ParseErrorResponse(resp)
+	}
+	mediaType, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	if err != nil {
+		return nil, fmt.Errorf("%s %q: invalid response Content-Type: %w", resp.Request.Method, resp.Request.URL, err)
+	}
+	if mediaType != target.MediaType {
+		return nil, fmt.Errorf("%s %q: mismatch response Content-Type %q: expect %q", resp.Request.Method, resp.Request.URL, mediaType, target.MediaType)
+	}
+	if size := resp.ContentLength; size != -1 && size != target.Size {
+		return nil, fmt.Errorf("%s %q: mismatch Content-Length", resp.Request.Method, resp.Request.URL)
+	}
+	if err := verifyContentDigest(resp, target.Digest); err != nil {
+		return nil, err
+	}
+	return resp.Body, nil
+}
+
+// Push pushes the content, matching the expected descriptor.
+func (s *manifestStore) Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error {
+	return s.pushWithIndexing(ctx, expected, content, expected.Digest.String())
+}
+
+// Exists returns true if the described content exists.
+func (s *manifestStore) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) {
+	_, err := s.Resolve(ctx, target.Digest.String())
+	if err == nil {
+		return true, nil
+	}
+	if errors.Is(err, errdef.ErrNotFound) {
+		return false, nil
+	}
+	return false, err
+}
+
+// Delete removes the manifest content identified by the descriptor.
+func (s *manifestStore) Delete(ctx context.Context, target ocispec.Descriptor) error {
+	return s.deleteWithIndexing(ctx, target)
+}
+
+// deleteWithIndexing removes the manifest content identified by the descriptor,
+// and indexes referrers for the manifest when needed.
+func (s *manifestStore) deleteWithIndexing(ctx context.Context, target ocispec.Descriptor) error {
+	switch target.MediaType {
+	case spec.MediaTypeArtifactManifest, ocispec.MediaTypeImageManifest, ocispec.MediaTypeImageIndex:
+		if state := s.repo.loadReferrersState(); state == referrersStateSupported {
+			// referrers API is available, no client-side indexing needed
+			return s.repo.delete(ctx, target, true)
+		}
+
+		if err := limitSize(target, s.repo.MaxMetadataBytes); err != nil {
+			return err
+		}
+		ctx = auth.AppendRepositoryScope(ctx, s.repo.Reference, auth.ActionPull, auth.ActionDelete)
+		manifestJSON, err := content.FetchAll(ctx, s, target)
+		if err != nil {
+			return err
+		}
+		if err := s.indexReferrersForDelete(ctx, target, manifestJSON); err != nil {
+			return err
+		}
+	}
+
+	return s.repo.delete(ctx, target, true)
+}
+
+// indexReferrersForDelete indexes referrers for manifests with a subject field
+// on manifest delete.
+//
+// References:
+//   - Latest spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#deleting-manifests
+//   - Compatible spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#deleting-manifests
+func (s *manifestStore) indexReferrersForDelete(ctx context.Context, desc ocispec.Descriptor, manifestJSON []byte) error {
+	var manifest struct {
+		Subject *ocispec.Descriptor `json:"subject"`
+	}
+	if err := json.Unmarshal(manifestJSON, &manifest); err != nil {
+		return fmt.Errorf("failed to decode manifest: %s: %s: %w", desc.Digest, desc.MediaType, err)
+	}
+	if manifest.Subject == nil {
+		// no subject, no indexing needed
+		return nil
+	}
+
+	subject := *manifest.Subject
+	ok, err := s.repo.pingReferrers(ctx)
+	if err != nil {
+		return err
+	}
+	if ok {
+		// referrers API is available, no client-side indexing needed
+		return nil
+	}
+	return s.updateReferrersIndex(ctx, subject, referrerChange{desc, referrerOperationRemove})
+}
+
+// Resolve resolves a reference to a descriptor.
+// See also `ManifestMediaTypes`.
+func (s *manifestStore) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) {
+	ref, err := s.repo.ParseReference(reference)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull)
+	url := buildRepositoryManifestURL(s.repo.PlainHTTP, ref)
+	req, err := http.NewRequestWithContext(ctx, http.MethodHead, url, nil)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	req.Header.Set("Accept", manifestAcceptHeader(s.repo.ManifestMediaTypes))
+
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		return s.generateDescriptor(resp, ref, req.Method)
+	case http.StatusNotFound:
+		return ocispec.Descriptor{}, fmt.Errorf("%s: %w", ref, errdef.ErrNotFound)
+	default:
+		return ocispec.Descriptor{}, errutil.ParseErrorResponse(resp)
+	}
+}
+
+// FetchReference fetches the manifest identified by the reference.
+// The reference can be a tag or digest.
+func (s *manifestStore) FetchReference(ctx context.Context, reference string) (desc ocispec.Descriptor, rc io.ReadCloser, err error) {
+	ref, err := s.repo.ParseReference(reference)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull)
+	url := buildRepositoryManifestURL(s.repo.PlainHTTP, ref)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	req.Header.Set("Accept", manifestAcceptHeader(s.repo.ManifestMediaTypes))
+
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	defer func() {
+		if err != nil {
+			resp.Body.Close()
+		}
+	}()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		if resp.ContentLength == -1 {
+			desc, err = s.Resolve(ctx, reference)
+		} else {
+			desc, err = s.generateDescriptor(resp, ref, req.Method)
+		}
+		if err != nil {
+			return ocispec.Descriptor{}, nil, err
+		}
+		return desc, resp.Body, nil
+	case http.StatusNotFound:
+		return ocispec.Descriptor{}, nil, fmt.Errorf("%s: %w", ref, errdef.ErrNotFound)
+	default:
+		return ocispec.Descriptor{}, nil, errutil.ParseErrorResponse(resp)
+	}
+}
+
+// Tag tags a manifest descriptor with a reference string.
+func (s *manifestStore) Tag(ctx context.Context, desc ocispec.Descriptor, reference string) error {
+	ref, err := s.repo.ParseReference(reference)
+	if err != nil {
+		return err
+	}
+
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush)
+	rc, err := s.Fetch(ctx, desc)
+	if err != nil {
+		return err
+	}
+	defer rc.Close()
+
+	return s.push(ctx, desc, rc, ref.Reference)
+}
+
+// PushReference pushes the manifest with a reference tag.
+func (s *manifestStore) PushReference(ctx context.Context, expected ocispec.Descriptor, content io.Reader, reference string) error {
+	ref, err := s.repo.ParseReference(reference)
+	if err != nil {
+		return err
+	}
+	return s.pushWithIndexing(ctx, expected, content, ref.Reference)
+}
+
+// push pushes the manifest content, matching the expected descriptor.
+func (s *manifestStore) push(ctx context.Context, expected ocispec.Descriptor, content io.Reader, reference string) error {
+	ref := s.repo.Reference
+	ref.Reference = reference
+	// pushing usually requires both pull and push actions.
+	// Reference: https://github.com/distribution/distribution/blob/v2.7.1/registry/handlers/app.go#L921-L930
+	ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush)
+	url := buildRepositoryManifestURL(s.repo.PlainHTTP, ref)
+	// unwrap the content for optimizations of built-in types.
+	body := ioutil.UnwrapNopCloser(content)
+	if _, ok := body.(io.ReadCloser); ok {
+		// undo unwrap if the nopCloser is intended.
+		body = content
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPut, url, body)
+	if err != nil {
+		return err
+	}
+	if req.GetBody != nil && req.ContentLength != expected.Size {
+		// short circuit a size mismatch for built-in types.
+		return fmt.Errorf("mismatch content length %d: expect %d", req.ContentLength, expected.Size)
+	}
+	req.ContentLength = expected.Size
+	req.Header.Set("Content-Type", expected.MediaType)
+
+	// if the underlying client is an auth client, the content might be read
+	// more than once for obtaining the auth challenge and the actual request.
+	// To prevent double reading, the manifest is read and stored in the memory,
+	// and serve from the memory.
+	client := s.repo.client()
+	if _, ok := client.(*auth.Client); ok && req.GetBody == nil {
+		store := cas.NewMemory()
+		err := store.Push(ctx, expected, content)
+		if err != nil {
+			return err
+		}
+		req.GetBody = func() (io.ReadCloser, error) {
+			return store.Fetch(ctx, expected)
+		}
+		req.Body, err = req.GetBody()
+		if err != nil {
+			return err
+		}
+	}
+	resp, err := s.repo.do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusCreated {
+		return errutil.ParseErrorResponse(resp)
+	}
+	s.checkOCISubjectHeader(resp)
+	return verifyContentDigest(resp, expected.Digest)
+}
+
+// checkOCISubjectHeader checks the "OCI-Subject" header in the response and
+// sets referrers capability accordingly.
+// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-manifests-with-subject
+func (s *manifestStore) checkOCISubjectHeader(resp *http.Response) {
+	// If the "OCI-Subject" header is set, it indicates that the registry
+	// supports the Referrers API and has processed the subject of the manifest.
+	if subjectHeader := resp.Header.Get(headerOCISubject); subjectHeader != "" {
+		s.repo.SetReferrersCapability(true)
+	}
+
+	// If the "OCI-Subject" header is NOT set, it means that either the manifest
+	// has no subject OR the referrers API is NOT supported by the registry.
+	//
+	// Since we don't know whether the pushed manifest has a subject or not,
+	// we do not set the referrers capability to false at here.
+}
+
+// pushWithIndexing pushes the manifest content matching the expected descriptor,
+// and indexes referrers for the manifest when needed.
+func (s *manifestStore) pushWithIndexing(ctx context.Context, expected ocispec.Descriptor, r io.Reader, reference string) error {
+	switch expected.MediaType {
+	case spec.MediaTypeArtifactManifest, ocispec.MediaTypeImageManifest, ocispec.MediaTypeImageIndex:
+		if state := s.repo.loadReferrersState(); state == referrersStateSupported {
+			// referrers API is available, no client-side indexing needed
+			return s.push(ctx, expected, r, reference)
+		}
+
+		if err := limitSize(expected, s.repo.MaxMetadataBytes); err != nil {
+			return err
+		}
+		manifestJSON, err := content.ReadAll(r, expected)
+		if err != nil {
+			return err
+		}
+		if err := s.push(ctx, expected, bytes.NewReader(manifestJSON), reference); err != nil {
+			return err
+		}
+		// check referrers API availability again after push
+		if state := s.repo.loadReferrersState(); state == referrersStateSupported {
+			// the subject has been processed the registry, no client-side
+			// indexing needed
+			return nil
+		}
+		return s.indexReferrersForPush(ctx, expected, manifestJSON)
+	default:
+		return s.push(ctx, expected, r, reference)
+	}
+}
+
+// indexReferrersForPush indexes referrers for manifests with a subject field
+// on manifest push.
+//
+// References:
+//   - Latest spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-manifests-with-subject
+//   - Compatible spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#pushing-manifests-with-subject
+func (s *manifestStore) indexReferrersForPush(ctx context.Context, desc ocispec.Descriptor, manifestJSON []byte) error {
+	var subject ocispec.Descriptor
+	switch desc.MediaType {
+	case spec.MediaTypeArtifactManifest:
+		var manifest spec.Artifact
+		if err := json.Unmarshal(manifestJSON, &manifest); err != nil {
+			return fmt.Errorf("failed to decode manifest: %s: %s: %w", desc.Digest, desc.MediaType, err)
+		}
+		if manifest.Subject == nil {
+			// no subject, no indexing needed
+			return nil
+		}
+		subject = *manifest.Subject
+		desc.ArtifactType = manifest.ArtifactType
+		desc.Annotations = manifest.Annotations
+	case ocispec.MediaTypeImageManifest:
+		var manifest ocispec.Manifest
+		if err := json.Unmarshal(manifestJSON, &manifest); err != nil {
+			return fmt.Errorf("failed to decode manifest: %s: %s: %w", desc.Digest, desc.MediaType, err)
+		}
+		if manifest.Subject == nil {
+			// no subject, no indexing needed
+			return nil
+		}
+		subject = *manifest.Subject
+		desc.ArtifactType = manifest.ArtifactType
+		if desc.ArtifactType == "" {
+			desc.ArtifactType = manifest.Config.MediaType
+		}
+		desc.Annotations = manifest.Annotations
+	case ocispec.MediaTypeImageIndex:
+		var manifest ocispec.Index
+		if err := json.Unmarshal(manifestJSON, &manifest); err != nil {
+			return fmt.Errorf("failed to decode manifest: %s: %s: %w", desc.Digest, desc.MediaType, err)
+		}
+		if manifest.Subject == nil {
+			// no subject, no indexing needed
+			return nil
+		}
+		subject = *manifest.Subject
+		desc.ArtifactType = manifest.ArtifactType
+		desc.Annotations = manifest.Annotations
+	default:
+		return nil
+	}
+
+	// if the manifest has a subject but the remote registry does not process it,
+	// it means that the Referrers API is not supported by the registry.
+	s.repo.SetReferrersCapability(false)
+	return s.updateReferrersIndex(ctx, subject, referrerChange{desc, referrerOperationAdd})
+}
+
+// updateReferrersIndex updates the referrers index for desc referencing subject
+// on manifest push and manifest delete.
+// References:
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-manifests-with-subject
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#deleting-manifests
+func (s *manifestStore) updateReferrersIndex(ctx context.Context, subject ocispec.Descriptor, change referrerChange) (err error) {
+	referrersTag, err := buildReferrersTag(subject)
+	if err != nil {
+		return err
+	}
+
+	var oldIndexDesc *ocispec.Descriptor
+	var oldReferrers []ocispec.Descriptor
+	prepare := func() error {
+		// 1. pull the original referrers list using the referrers tag schema
+		indexDesc, referrers, err := s.repo.referrersFromIndex(ctx, referrersTag)
+		if err != nil {
+			if errors.Is(err, errdef.ErrNotFound) {
+				// valid case: no old referrers index
+				return nil
+			}
+			return err
+		}
+		oldIndexDesc = &indexDesc
+		oldReferrers = referrers
+		return nil
+	}
+	update := func(referrerChanges []referrerChange) error {
+		// 2. apply the referrer changes on the referrers list
+		updatedReferrers, err := applyReferrerChanges(oldReferrers, referrerChanges)
+		if err != nil {
+			if err == errNoReferrerUpdate {
+				return nil
+			}
+			return err
+		}
+
+		// 3. push the updated referrers list using referrers tag schema
+		if len(updatedReferrers) > 0 || s.repo.SkipReferrersGC {
+			// push a new index in either case:
+			// 1. the referrers list has been updated with a non-zero size
+			// 2. OR the updated referrers list is empty but referrers GC
+			//    is skipped, in this case an empty index should still be pushed
+			//    as the old index won't get deleted
+			newIndexDesc, newIndex, err := generateIndex(updatedReferrers)
+			if err != nil {
+				return fmt.Errorf("failed to generate referrers index for referrers tag %s: %w", referrersTag, err)
+			}
+			if err := s.push(ctx, newIndexDesc, bytes.NewReader(newIndex), referrersTag); err != nil {
+				return fmt.Errorf("failed to push referrers index tagged by %s: %w", referrersTag, err)
+			}
+		}
+
+		// 4. delete the dangling original referrers index, if applicable
+		if s.repo.SkipReferrersGC || oldIndexDesc == nil {
+			return nil
+		}
+		if err := s.repo.delete(ctx, *oldIndexDesc, true); err != nil {
+			return &ReferrersError{
+				Op:      opDeleteReferrersIndex,
+				Err:     fmt.Errorf("failed to delete dangling referrers index %s for referrers tag %s: %w", oldIndexDesc.Digest.String(), referrersTag, err),
+				Subject: subject,
+			}
+		}
+		return nil
+	}
+
+	merge, done := s.repo.referrersMergePool.Get(referrersTag)
+	defer done()
+	return merge.Do(change, prepare, update)
+}
+
+// ParseReference parses a reference to a fully qualified reference.
+func (s *manifestStore) ParseReference(reference string) (registry.Reference, error) {
+	return s.repo.ParseReference(reference)
+}
+
+// generateDescriptor returns a descriptor generated from the response.
+// See the truth table at the top of `repository_test.go`
+func (s *manifestStore) generateDescriptor(resp *http.Response, ref registry.Reference, httpMethod string) (ocispec.Descriptor, error) {
+	// 1. Validate Content-Type
+	mediaType, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	if err != nil {
+		return ocispec.Descriptor{}, fmt.Errorf(
+			"%s %q: invalid response `Content-Type` header; %w",
+			resp.Request.Method,
+			resp.Request.URL,
+			err,
+		)
+	}
+
+	// 2. Validate Size
+	if resp.ContentLength == -1 {
+		return ocispec.Descriptor{}, fmt.Errorf(
+			"%s %q: unknown response Content-Length",
+			resp.Request.Method,
+			resp.Request.URL,
+		)
+	}
+
+	// 3. Validate Client Reference
+	var refDigest digest.Digest
+	if d, err := ref.Digest(); err == nil {
+		refDigest = d
+	}
+
+	// 4. Validate Server Digest (if present)
+	var serverHeaderDigest digest.Digest
+	if serverHeaderDigestStr := resp.Header.Get(headerDockerContentDigest); serverHeaderDigestStr != "" {
+		if serverHeaderDigest, err = digest.Parse(serverHeaderDigestStr); err != nil {
+			return ocispec.Descriptor{}, fmt.Errorf(
+				"%s %q: invalid response header value: `%s: %s`; %w",
+				resp.Request.Method,
+				resp.Request.URL,
+				headerDockerContentDigest,
+				serverHeaderDigestStr,
+				err,
+			)
+		}
+	}
+
+	/* 5. Now, look for specific error conditions; see truth table in method docstring */
+	var contentDigest digest.Digest
+
+	if len(serverHeaderDigest) == 0 {
+		if httpMethod == http.MethodHead {
+			if len(refDigest) == 0 {
+				// HEAD without server `Docker-Content-Digest` header is an
+				// immediate fail
+				return ocispec.Descriptor{}, fmt.Errorf(
+					"HTTP %s request missing required header %q",
+					httpMethod, headerDockerContentDigest,
+				)
+			}
+			// Otherwise, just trust the client-supplied digest
+			contentDigest = refDigest
+		} else {
+			// GET without server `Docker-Content-Digest` header forces the
+			// expensive calculation
+			var calculatedDigest digest.Digest
+			if calculatedDigest, err = calculateDigestFromResponse(resp, s.repo.MaxMetadataBytes); err != nil {
+				return ocispec.Descriptor{}, fmt.Errorf("failed to calculate digest on response body; %w", err)
+			}
+			contentDigest = calculatedDigest
+		}
+	} else {
+		contentDigest = serverHeaderDigest
+	}
+
+	if len(refDigest) > 0 && refDigest != contentDigest {
+		return ocispec.Descriptor{}, fmt.Errorf(
+			"%s %q: invalid response; digest mismatch in %s: received %q when expecting %q",
+			resp.Request.Method, resp.Request.URL,
+			headerDockerContentDigest, contentDigest,
+			refDigest,
+		)
+	}
+
+	// 6. Finally, if we made it this far, then all is good; return.
+	return ocispec.Descriptor{
+		MediaType: mediaType,
+		Digest:    contentDigest,
+		Size:      resp.ContentLength,
+	}, nil
+}
+
+// calculateDigestFromResponse calculates the actual digest of the response body
+// taking care not to destroy it in the process.
+func calculateDigestFromResponse(resp *http.Response, maxMetadataBytes int64) (digest.Digest, error) {
+	defer resp.Body.Close()
+
+	body := limitReader(resp.Body, maxMetadataBytes)
+	content, err := io.ReadAll(body)
+	if err != nil {
+		return "", fmt.Errorf("%s %q: failed to read response body: %w", resp.Request.Method, resp.Request.URL, err)
+	}
+	resp.Body = io.NopCloser(bytes.NewReader(content))
+
+	return digest.FromBytes(content), nil
+}
+
+// verifyContentDigest verifies "Docker-Content-Digest" header if present.
+// OCI distribution-spec states the Docker-Content-Digest header is optional.
+// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.0.1/spec.md#legacy-docker-support-http-headers
+func verifyContentDigest(resp *http.Response, expected digest.Digest) error {
+	digestStr := resp.Header.Get(headerDockerContentDigest)
+
+	if len(digestStr) == 0 {
+		return nil
+	}
+
+	contentDigest, err := digest.Parse(digestStr)
+	if err != nil {
+		return fmt.Errorf(
+			"%s %q: invalid response header: `%s: %s`",
+			resp.Request.Method, resp.Request.URL,
+			headerDockerContentDigest, digestStr,
+		)
+	}
+
+	if contentDigest != expected {
+		return fmt.Errorf(
+			"%s %q: invalid response; digest mismatch in %s: received %q when expecting %q",
+			resp.Request.Method, resp.Request.URL,
+			headerDockerContentDigest, contentDigest,
+			expected,
+		)
+	}
+
+	return nil
+}
+
+// generateIndex generates an image index containing the given manifests list.
+func generateIndex(manifests []ocispec.Descriptor) (ocispec.Descriptor, []byte, error) {
+	if manifests == nil {
+		manifests = []ocispec.Descriptor{} // make it an empty array to prevent potential server-side bugs
+	}
+	index := ocispec.Index{
+		Versioned: specs.Versioned{
+			SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
+		},
+		MediaType: ocispec.MediaTypeImageIndex,
+		Manifests: manifests,
+	}
+	indexJSON, err := json.Marshal(index)
+	if err != nil {
+		return ocispec.Descriptor{}, nil, err
+	}
+	indexDesc := content.NewDescriptorFromBytes(index.MediaType, indexJSON)
+	return indexDesc, indexJSON, nil
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/retry/client.go b/vendor/oras.land/oras-go/v2/registry/remote/retry/client.go
new file mode 100644
index 0000000000..5e986ea02a
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/retry/client.go
@@ -0,0 +1,114 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package retry
+
+import (
+	"net/http"
+	"time"
+)
+
+// DefaultClient is a client with the default retry policy.
+var DefaultClient = NewClient()
+
+// NewClient creates an HTTP client with the default retry policy.
+func NewClient() *http.Client {
+	return &http.Client{
+		Transport: NewTransport(nil),
+	}
+}
+
+// Transport is an HTTP transport with retry policy.
+type Transport struct {
+	// Base is the underlying HTTP transport to use.
+	// If nil, http.DefaultTransport is used for round trips.
+	Base http.RoundTripper
+
+	// Policy returns a retry Policy to use for the request.
+	// If nil, DefaultPolicy is used to determine if the request should be retried.
+	Policy func() Policy
+}
+
+// NewTransport creates an HTTP Transport with the default retry policy.
+func NewTransport(base http.RoundTripper) *Transport {
+	return &Transport{
+		Base: base,
+	}
+}
+
+// RoundTrip executes a single HTTP transaction, returning a Response for the
+// provided Request.
+// It relies on the configured Policy to determine if the request should be
+// retried and to backoff.
+func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
+	ctx := req.Context()
+	policy := t.policy()
+	attempt := 0
+	for {
+		resp, respErr := t.roundTrip(req)
+		duration, err := policy.Retry(attempt, resp, respErr)
+		if err != nil {
+			if respErr == nil {
+				resp.Body.Close()
+			}
+			return nil, err
+		}
+		if duration < 0 {
+			return resp, respErr
+		}
+
+		// rewind the body if possible
+		if req.Body != nil {
+			if req.GetBody == nil {
+				// body can't be rewound, so we can't retry
+				return resp, respErr
+			}
+			body, err := req.GetBody()
+			if err != nil {
+				// failed to rewind the body, so we can't retry
+				return resp, respErr
+			}
+			req.Body = body
+		}
+
+		// close the response body if needed
+		if respErr == nil {
+			resp.Body.Close()
+		}
+
+		timer := time.NewTimer(duration)
+		select {
+		case <-ctx.Done():
+			timer.Stop()
+			return nil, ctx.Err()
+		case <-timer.C:
+		}
+		attempt++
+	}
+}
+
+func (t *Transport) roundTrip(req *http.Request) (*http.Response, error) {
+	if t.Base == nil {
+		return http.DefaultTransport.RoundTrip(req)
+	}
+	return t.Base.RoundTrip(req)
+}
+
+func (t *Transport) policy() Policy {
+	if t.Policy == nil {
+		return DefaultPolicy
+	}
+	return t.Policy()
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/retry/policy.go b/vendor/oras.land/oras-go/v2/registry/remote/retry/policy.go
new file mode 100644
index 0000000000..ebe8b37301
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/retry/policy.go
@@ -0,0 +1,154 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package retry
+
+import (
+	"hash/maphash"
+	"math"
+	"math/rand/v2"
+	"net"
+	"net/http"
+	"strconv"
+	"time"
+)
+
+// headerRetryAfter is the header key for Retry-After.
+const headerRetryAfter = "Retry-After"
+
+// DefaultPolicy is a policy with fine-tuned retry parameters.
+// It uses an exponential backoff with jitter.
+var DefaultPolicy Policy = &GenericPolicy{
+	Retryable: DefaultPredicate,
+	Backoff:   DefaultBackoff,
+	MinWait:   200 * time.Millisecond,
+	MaxWait:   3 * time.Second,
+	MaxRetry:  5,
+}
+
+// DefaultPredicate is a predicate that retries on 5xx errors, 429 Too Many
+// Requests, 408 Request Timeout and on network dial timeout.
+var DefaultPredicate Predicate = func(resp *http.Response, err error) (bool, error) {
+	if err != nil {
+		// retry on Dial timeout
+		if err, ok := err.(net.Error); ok && err.Timeout() {
+			return true, nil
+		}
+		return false, err
+	}
+
+	if resp.StatusCode == http.StatusRequestTimeout || resp.StatusCode == http.StatusTooManyRequests {
+		return true, nil
+	}
+
+	if resp.StatusCode == 0 || resp.StatusCode >= 500 {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// DefaultBackoff is a backoff that uses an exponential backoff with jitter.
+// It uses a base of 250ms, a factor of 2 and a jitter of 10%.
+var DefaultBackoff Backoff = ExponentialBackoff(250*time.Millisecond, 2, 0.1)
+
+// Policy is a retry policy.
+type Policy interface {
+	// Retry returns the duration to wait before retrying the request.
+	// It returns a negative value if the request should not be retried.
+	// The attempt is used to:
+	//  - calculate the backoff duration, the default backoff is an exponential backoff.
+	//  - determine if the request should be retried.
+	// The attempt starts at 0 and should be less than MaxRetry for the request to
+	// be retried.
+	Retry(attempt int, resp *http.Response, err error) (time.Duration, error)
+}
+
+// Predicate is a function that returns true if the request should be retried.
+type Predicate func(resp *http.Response, err error) (bool, error)
+
+// Backoff is a function that returns the duration to wait before retrying the
+// request. The attempt, is the next attempt number. The response is the
+// response from the previous request.
+type Backoff func(attempt int, resp *http.Response) time.Duration
+
+// ExponentialBackoff returns a Backoff that uses an exponential backoff with
+// jitter. The backoff is calculated as:
+//
+//	temp = backoff * factor ^ attempt
+//	interval = temp * (1 - jitter) + rand.Int64N(2 * jitter * temp)
+//
+// The HTTP response is checked for a Retry-After header. If it is present, the
+// value is used as the backoff duration.
+func ExponentialBackoff(backoff time.Duration, factor, jitter float64) Backoff {
+	return func(attempt int, resp *http.Response) time.Duration {
+		var h maphash.Hash
+		h.SetSeed(maphash.MakeSeed())
+		rand := rand.New(rand.NewPCG(0, h.Sum64()))
+
+		// check Retry-After
+		if resp != nil && resp.StatusCode == http.StatusTooManyRequests {
+			if v := resp.Header.Get(headerRetryAfter); v != "" {
+				if retryAfter, _ := strconv.ParseInt(v, 10, 64); retryAfter > 0 {
+					return time.Duration(retryAfter) * time.Second
+				}
+			}
+		}
+
+		// do exponential backoff with jitter
+		temp := float64(backoff) * math.Pow(factor, float64(attempt))
+		return time.Duration(temp*(1-jitter)) + time.Duration(rand.Int64N(int64(2*jitter*temp)))
+	}
+}
+
+// GenericPolicy is a generic retry policy.
+type GenericPolicy struct {
+	// Retryable is a predicate that returns true if the request should be
+	// retried.
+	Retryable Predicate
+
+	// Backoff is a function that returns the duration to wait before retrying.
+	Backoff Backoff
+
+	// MinWait is the minimum duration to wait before retrying.
+	MinWait time.Duration
+
+	// MaxWait is the maximum duration to wait before retrying.
+	MaxWait time.Duration
+
+	// MaxRetry is the maximum number of retries.
+	MaxRetry int
+}
+
+// Retry returns the duration to wait before retrying the request.
+// It returns -1 if the request should not be retried.
+func (p *GenericPolicy) Retry(attempt int, resp *http.Response, err error) (time.Duration, error) {
+	if attempt >= p.MaxRetry {
+		return -1, nil
+	}
+	if ok, err := p.Retryable(resp, err); err != nil {
+		return -1, err
+	} else if !ok {
+		return -1, nil
+	}
+	backoff := p.Backoff(attempt, resp)
+	if backoff < p.MinWait {
+		backoff = p.MinWait
+	}
+	if backoff > p.MaxWait {
+		backoff = p.MaxWait
+	}
+	return backoff, nil
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/url.go b/vendor/oras.land/oras-go/v2/registry/remote/url.go
new file mode 100644
index 0000000000..64f6670a34
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/url.go
@@ -0,0 +1,119 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package remote
+
+import (
+	"fmt"
+	"net/url"
+	"strings"
+
+	"github.com/opencontainers/go-digest"
+	"oras.land/oras-go/v2/registry"
+)
+
+// buildScheme returns HTTP scheme used to access the remote registry.
+func buildScheme(plainHTTP bool) string {
+	if plainHTTP {
+		return "http"
+	}
+	return "https"
+}
+
+// buildRegistryBaseURL builds the URL for accessing the base API.
+// Format: <scheme>://<registry>/v2/
+// Reference: https://distribution.github.io/distribution/spec/api/#base
+func buildRegistryBaseURL(plainHTTP bool, ref registry.Reference) string {
+	return fmt.Sprintf("%s://%s/v2/", buildScheme(plainHTTP), ref.Host())
+}
+
+// buildRegistryCatalogURL builds the URL for accessing the catalog API.
+// Format: <scheme>://<registry>/v2/_catalog
+// Reference: https://distribution.github.io/distribution/spec/api/#catalog
+func buildRegistryCatalogURL(plainHTTP bool, ref registry.Reference) string {
+	return fmt.Sprintf("%s://%s/v2/_catalog", buildScheme(plainHTTP), ref.Host())
+}
+
+// buildRepositoryBaseURL builds the base endpoint of the remote repository.
+// Format: <scheme>://<registry>/v2/<repository>
+func buildRepositoryBaseURL(plainHTTP bool, ref registry.Reference) string {
+	return fmt.Sprintf("%s://%s/v2/%s", buildScheme(plainHTTP), ref.Host(), ref.Repository)
+}
+
+// buildRepositoryTagListURL builds the URL for accessing the tag list API.
+// Format: <scheme>://<registry>/v2/<repository>/tags/list
+// Reference: https://distribution.github.io/distribution/spec/api/#tags
+func buildRepositoryTagListURL(plainHTTP bool, ref registry.Reference) string {
+	return buildRepositoryBaseURL(plainHTTP, ref) + "/tags/list"
+}
+
+// buildRepositoryManifestURL builds the URL for accessing the manifest API.
+// Format: <scheme>://<registry>/v2/<repository>/manifests/<digest_or_tag>
+// Reference: https://distribution.github.io/distribution/spec/api/#manifest
+func buildRepositoryManifestURL(plainHTTP bool, ref registry.Reference) string {
+	return strings.Join([]string{
+		buildRepositoryBaseURL(plainHTTP, ref),
+		"manifests",
+		ref.Reference,
+	}, "/")
+}
+
+// buildRepositoryBlobURL builds the URL for accessing the blob API.
+// Format: <scheme>://<registry>/v2/<repository>/blobs/<digest>
+// Reference: https://distribution.github.io/distribution/spec/api/#blob
+func buildRepositoryBlobURL(plainHTTP bool, ref registry.Reference) string {
+	return strings.Join([]string{
+		buildRepositoryBaseURL(plainHTTP, ref),
+		"blobs",
+		ref.Reference,
+	}, "/")
+}
+
+// buildRepositoryBlobUploadURL builds the URL for blob uploading.
+// Format: <scheme>://<registry>/v2/<repository>/blobs/uploads/
+// Reference: https://distribution.github.io/distribution/spec/api/#initiate-blob-upload
+func buildRepositoryBlobUploadURL(plainHTTP bool, ref registry.Reference) string {
+	return buildRepositoryBaseURL(plainHTTP, ref) + "/blobs/uploads/"
+}
+
+// buildRepositoryBlobMountURLbuilds the URL for cross-repository mounting.
+// Format: <scheme>://<registry>/v2/<repository>/blobs/uploads/?mount=<digest>&from=<other_repository>
+// Reference: https://distribution.github.io/distribution/spec/api/#blob
+func buildRepositoryBlobMountURL(plainHTTP bool, ref registry.Reference, d digest.Digest, fromRepo string) string {
+	return fmt.Sprintf("%s?mount=%s&from=%s",
+		buildRepositoryBlobUploadURL(plainHTTP, ref),
+		d,
+		fromRepo,
+	)
+}
+
+// buildReferrersURL builds the URL for querying the Referrers API.
+// Format: <scheme>://<registry>/v2/<repository>/referrers/<digest>?artifactType=<artifactType>
+// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+func buildReferrersURL(plainHTTP bool, ref registry.Reference, artifactType string) string {
+	var query string
+	if artifactType != "" {
+		v := url.Values{}
+		v.Set("artifactType", artifactType)
+		query = "?" + v.Encode()
+	}
+
+	return fmt.Sprintf(
+		"%s/referrers/%s%s",
+		buildRepositoryBaseURL(plainHTTP, ref),
+		ref.Reference,
+		query,
+	)
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/utils.go b/vendor/oras.land/oras-go/v2/registry/remote/utils.go
new file mode 100644
index 0000000000..797169f48f
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/utils.go
@@ -0,0 +1,94 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package remote
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+)
+
+// defaultMaxMetadataBytes specifies the default limit on how many response
+// bytes are allowed in the server's response to the metadata APIs.
+// See also: Repository.MaxMetadataBytes
+var defaultMaxMetadataBytes int64 = 4 * 1024 * 1024 // 4 MiB
+
+// errNoLink is returned by parseLink() when no Link header is present.
+var errNoLink = errors.New("no Link header in response")
+
+// parseLink returns the URL of the response's "Link" header, if present.
+func parseLink(resp *http.Response) (string, error) {
+	link := resp.Header.Get("Link")
+	if link == "" {
+		return "", errNoLink
+	}
+	if link[0] != '<' {
+		return "", fmt.Errorf("invalid next link %q: missing '<'", link)
+	}
+	if i := strings.IndexByte(link, '>'); i == -1 {
+		return "", fmt.Errorf("invalid next link %q: missing '>'", link)
+	} else {
+		link = link[1:i]
+	}
+
+	linkURL, err := resp.Request.URL.Parse(link)
+	if err != nil {
+		return "", err
+	}
+	return linkURL.String(), nil
+}
+
+// limitReader returns a Reader that reads from r but stops with EOF after n
+// bytes. If n is less than or equal to zero, defaultMaxMetadataBytes is used.
+func limitReader(r io.Reader, n int64) io.Reader {
+	if n <= 0 {
+		n = defaultMaxMetadataBytes
+	}
+	return io.LimitReader(r, n)
+}
+
+// limitSize returns ErrSizeExceedsLimit if the size of desc exceeds the limit n.
+// If n is less than or equal to zero, defaultMaxMetadataBytes is used.
+func limitSize(desc ocispec.Descriptor, n int64) error {
+	if n <= 0 {
+		n = defaultMaxMetadataBytes
+	}
+	if desc.Size > n {
+		return fmt.Errorf(
+			"content size %v exceeds MaxMetadataBytes %v: %w",
+			desc.Size,
+			n,
+			errdef.ErrSizeExceedsLimit)
+	}
+	return nil
+}
+
+// decodeJSON safely reads the JSON content described by desc, and
+// decodes it into v.
+func decodeJSON(r io.Reader, desc ocispec.Descriptor, v any) error {
+	jsonBytes, err := content.ReadAll(r, desc)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(jsonBytes, v)
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/remote/warning.go b/vendor/oras.land/oras-go/v2/registry/remote/warning.go
new file mode 100644
index 0000000000..02d758eaf9
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/remote/warning.go
@@ -0,0 +1,100 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package remote
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+const (
+	// headerWarning is the "Warning" header.
+	// Reference: https://www.rfc-editor.org/rfc/rfc7234#section-5.5
+	headerWarning = "Warning"
+
+	// warnCode299 is the 299 warn-code.
+	// Reference: https://www.rfc-editor.org/rfc/rfc7234#section-5.5
+	warnCode299 = 299
+
+	// warnAgentUnknown represents an unknown warn-agent.
+	// Reference: https://www.rfc-editor.org/rfc/rfc7234#section-5.5
+	warnAgentUnknown = "-"
+)
+
+// errUnexpectedWarningFormat is returned by parseWarningHeader when
+// an unexpected warning format is encountered.
+var errUnexpectedWarningFormat = errors.New("unexpected warning format")
+
+// WarningValue represents the value of the Warning header.
+//
+// References:
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#warnings
+//   - https://www.rfc-editor.org/rfc/rfc7234#section-5.5
+type WarningValue struct {
+	// Code is the warn-code.
+	Code int
+	// Agent is the warn-agent.
+	Agent string
+	// Text is the warn-text.
+	Text string
+}
+
+// Warning contains the value of the warning header and may contain
+// other information related to the warning.
+//
+// References:
+//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#warnings
+//   - https://www.rfc-editor.org/rfc/rfc7234#section-5.5
+type Warning struct {
+	// WarningValue is the value of the warning header.
+	WarningValue
+}
+
+// parseWarningHeader parses the warning header into WarningValue.
+func parseWarningHeader(header string) (WarningValue, error) {
+	if len(header) < 9 || !strings.HasPrefix(header, `299 - "`) || !strings.HasSuffix(header, `"`) {
+		// minimum header value: `299 - "x"`
+		return WarningValue{}, fmt.Errorf("%s: %w", header, errUnexpectedWarningFormat)
+	}
+
+	// validate text only as code and agent are fixed
+	quotedText := header[6:] // behind `299 - `, quoted by "
+	text, err := strconv.Unquote(quotedText)
+	if err != nil {
+		return WarningValue{}, fmt.Errorf("%s: unexpected text: %w: %v", header, errUnexpectedWarningFormat, err)
+	}
+
+	return WarningValue{
+		Code:  warnCode299,
+		Agent: warnAgentUnknown,
+		Text:  text,
+	}, nil
+}
+
+// handleWarningHeaders parses the warning headers and handles the parsed
+// warnings using handleWarning.
+func handleWarningHeaders(headers []string, handleWarning func(Warning)) {
+	for _, h := range headers {
+		if value, err := parseWarningHeader(h); err == nil {
+			// ignore warnings in unexpected formats
+			handleWarning(Warning{
+				WarningValue: value,
+			})
+		}
+	}
+}
diff --git a/vendor/oras.land/oras-go/v2/registry/repository.go b/vendor/oras.land/oras-go/v2/registry/repository.go
new file mode 100644
index 0000000000..367f2d0f91
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/registry/repository.go
@@ -0,0 +1,226 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/v2/content"
+	"oras.land/oras-go/v2/errdef"
+	"oras.land/oras-go/v2/internal/descriptor"
+	"oras.land/oras-go/v2/internal/spec"
+)
+
+// Repository is an ORAS target and an union of the blob and the manifest CASs.
+//
+// As specified by https://distribution.github.io/distribution/spec/api/, it is natural to
+// assume that content.Resolver interface only works for manifests. Tagging a
+// blob may be resulted in an `ErrUnsupported` error. However, this interface
+// does not restrict tagging blobs.
+//
+// Since a repository is an union of the blob and the manifest CASs, all
+// operations defined in the `BlobStore` are executed depending on the media
+// type of the given descriptor accordingly.
+//
+// Furthermore, this interface also provides the ability to enforce the
+// separation of the blob and the manifests CASs.
+type Repository interface {
+	content.Storage
+	content.Deleter
+	content.TagResolver
+	ReferenceFetcher
+	ReferencePusher
+	ReferrerLister
+	TagLister
+
+	// Blobs provides access to the blob CAS only, which contains config blobs,
+	// layers, and other generic blobs.
+	Blobs() BlobStore
+
+	// Manifests provides access to the manifest CAS only.
+	Manifests() ManifestStore
+}
+
+// BlobStore is a CAS with the ability to stat and delete its content.
+type BlobStore interface {
+	content.Storage
+	content.Deleter
+	content.Resolver
+	ReferenceFetcher
+}
+
+// ManifestStore is a CAS with the ability to stat and delete its content.
+// Besides, ManifestStore provides reference tagging.
+type ManifestStore interface {
+	BlobStore
+	content.Tagger
+	ReferencePusher
+}
+
+// ReferencePusher provides advanced push with the tag service.
+type ReferencePusher interface {
+	// PushReference pushes the manifest with a reference tag.
+	PushReference(ctx context.Context, expected ocispec.Descriptor, content io.Reader, reference string) error
+}
+
+// ReferenceFetcher provides advanced fetch with the tag service.
+type ReferenceFetcher interface {
+	// FetchReference fetches the content identified by the reference.
+	FetchReference(ctx context.Context, reference string) (ocispec.Descriptor, io.ReadCloser, error)
+}
+
+// ReferrerLister provides the Referrers API.
+// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+type ReferrerLister interface {
+	Referrers(ctx context.Context, desc ocispec.Descriptor, artifactType string, fn func(referrers []ocispec.Descriptor) error) error
+}
+
+// TagLister lists tags by the tag service.
+type TagLister interface {
+	// Tags lists the tags available in the repository.
+	// Since the returned tag list may be paginated by the underlying
+	// implementation, a function should be passed in to process the paginated
+	// tag list.
+	//
+	// `last` argument is the `last` parameter when invoking the tags API.
+	// If `last` is NOT empty, the entries in the response start after the
+	// tag specified by `last`. Otherwise, the response starts from the top
+	// of the Tags list.
+	//
+	// Note: When implemented by a remote registry, the tags API is called.
+	// However, not all registries supports pagination or conforms the
+	// specification.
+	//
+	// References:
+	//   - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#content-discovery
+	//   - https://distribution.github.io/distribution/spec/api/#tags
+	// See also `Tags()` in this package.
+	Tags(ctx context.Context, last string, fn func(tags []string) error) error
+}
+
+// Mounter allows cross-repository blob mounts.
+// For backward compatibility reasons, this is not implemented by
+// BlobStore: use a type assertion to check availability.
+type Mounter interface {
+	// Mount makes the blob with the given descriptor in fromRepo
+	// available in the repository signified by the receiver.
+	Mount(ctx context.Context,
+		desc ocispec.Descriptor,
+		fromRepo string,
+		getContent func() (io.ReadCloser, error),
+	) error
+}
+
+// Tags lists the tags available in the repository.
+func Tags(ctx context.Context, repo TagLister) ([]string, error) {
+	var res []string
+	if err := repo.Tags(ctx, "", func(tags []string) error {
+		res = append(res, tags...)
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+// Referrers lists the descriptors of image or artifact manifests directly
+// referencing the given manifest descriptor.
+//
+// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers
+func Referrers(ctx context.Context, store content.ReadOnlyGraphStorage, desc ocispec.Descriptor, artifactType string) ([]ocispec.Descriptor, error) {
+	if !descriptor.IsManifest(desc) {
+		return nil, fmt.Errorf("the descriptor %v is not a manifest: %w", desc, errdef.ErrUnsupported)
+	}
+
+	var results []ocispec.Descriptor
+
+	// use the Referrer API if it is available
+	if rf, ok := store.(ReferrerLister); ok {
+		if err := rf.Referrers(ctx, desc, artifactType, func(referrers []ocispec.Descriptor) error {
+			results = append(results, referrers...)
+			return nil
+		}); err != nil {
+			return nil, err
+		}
+		return results, nil
+	}
+
+	predecessors, err := store.Predecessors(ctx, desc)
+	if err != nil {
+		return nil, err
+	}
+	for _, node := range predecessors {
+		switch node.MediaType {
+		case ocispec.MediaTypeImageManifest:
+			fetched, err := content.FetchAll(ctx, store, node)
+			if err != nil {
+				return nil, err
+			}
+			var manifest ocispec.Manifest
+			if err := json.Unmarshal(fetched, &manifest); err != nil {
+				return nil, err
+			}
+			if manifest.Subject == nil || !content.Equal(*manifest.Subject, desc) {
+				continue
+			}
+			node.ArtifactType = manifest.ArtifactType
+			if node.ArtifactType == "" {
+				node.ArtifactType = manifest.Config.MediaType
+			}
+			node.Annotations = manifest.Annotations
+		case ocispec.MediaTypeImageIndex:
+			fetched, err := content.FetchAll(ctx, store, node)
+			if err != nil {
+				return nil, err
+			}
+			var index ocispec.Index
+			if err := json.Unmarshal(fetched, &index); err != nil {
+				return nil, err
+			}
+			if index.Subject == nil || !content.Equal(*index.Subject, desc) {
+				continue
+			}
+			node.ArtifactType = index.ArtifactType
+			node.Annotations = index.Annotations
+		case spec.MediaTypeArtifactManifest:
+			fetched, err := content.FetchAll(ctx, store, node)
+			if err != nil {
+				return nil, err
+			}
+			var artifact spec.Artifact
+			if err := json.Unmarshal(fetched, &artifact); err != nil {
+				return nil, err
+			}
+			if artifact.Subject == nil || !content.Equal(*artifact.Subject, desc) {
+				continue
+			}
+			node.ArtifactType = artifact.ArtifactType
+			node.Annotations = artifact.Annotations
+		default:
+			continue
+		}
+		if artifactType == "" || artifactType == node.ArtifactType {
+			// the field artifactType in referrers descriptor is allowed to be empty
+			// https://github.com/opencontainers/distribution-spec/issues/458
+			results = append(results, node)
+		}
+	}
+	return results, nil
+}
diff --git a/vendor/oras.land/oras-go/v2/target.go b/vendor/oras.land/oras-go/v2/target.go
new file mode 100644
index 0000000000..c6dcaef9ba
--- /dev/null
+++ b/vendor/oras.land/oras-go/v2/target.go
@@ -0,0 +1,43 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oras
+
+import "oras.land/oras-go/v2/content"
+
+// Target is a CAS with generic tags.
+type Target interface {
+	content.Storage
+	content.TagResolver
+}
+
+// GraphTarget is a CAS with generic tags that supports direct predecessor node
+// finding.
+type GraphTarget interface {
+	content.GraphStorage
+	content.TagResolver
+}
+
+// ReadOnlyTarget represents a read-only Target.
+type ReadOnlyTarget interface {
+	content.ReadOnlyStorage
+	content.Resolver
+}
+
+// ReadOnlyGraphTarget represents a read-only GraphTarget.
+type ReadOnlyGraphTarget interface {
+	content.ReadOnlyGraphStorage
+	content.Resolver
+}
diff --git a/vendor/sigs.k8s.io/controller-runtime/.gitignore b/vendor/sigs.k8s.io/controller-runtime/.gitignore
new file mode 100644
index 0000000000..2ddc5a8b87
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/.gitignore
@@ -0,0 +1,30 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# editor and IDE paraphernalia
+.idea
+*.swp
+*.swo
+*~
+
+# Vscode files
+.vscode
+
+# Tools binaries.
+hack/tools/bin
+
+# Release artifacts
+tools/setup-envtest/out
+
+junit-report.xml
+/artifacts
diff --git a/vendor/sigs.k8s.io/controller-runtime/.golangci.yml b/vendor/sigs.k8s.io/controller-runtime/.golangci.yml
new file mode 100644
index 0000000000..5c86af65a3
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/.golangci.yml
@@ -0,0 +1,209 @@
+version: "2"
+run:
+  go: "1.25"
+  timeout: 10m
+  allow-parallel-runners: true
+linters:
+  default: none
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - copyloopvar
+    - depguard
+    - dogsled
+    - dupl
+    - errcheck
+    - errchkjson
+    - errorlint
+    - exhaustive
+    - forbidigo
+    - ginkgolinter
+    - goconst
+    - gocritic
+    - gocyclo
+    - godoclint
+    - goprintffuncname
+    - govet
+    - importas
+    - ineffassign
+    - iotamixing
+    - makezero
+    - misspell
+    - modernize
+    - nakedret
+    - nilerr
+    - nolintlint
+    - prealloc
+    - revive
+    - staticcheck
+    - tagliatelle
+    - unconvert
+    - unparam
+    - unused
+    - whitespace
+  settings:
+    depguard:
+      rules:
+        forbid-pkg-errors:
+          deny:
+            - pkg: sort
+              desc: Should be replaced with slices package
+    forbidigo:
+        forbid:
+          - pattern: context.Background
+            msg: Use ginkgos SpecContext or go testings t.Context instead
+          - pattern: context.TODO
+            msg: Use ginkgos SpecContext or go testings t.Context instead
+    govet:
+      disable:
+        - fieldalignment
+        - shadow
+        - buildtag
+      enable-all: true
+    importas:
+      alias:
+        - pkg: k8s.io/api/core/v1
+          alias: corev1
+        - pkg: k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+          alias: apiextensionsv1
+        - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+          alias: metav1
+        - pkg: k8s.io/apimachinery/pkg/api/errors
+          alias: apierrors
+        - pkg: k8s.io/apimachinery/pkg/util/errors
+          alias: kerrors
+        - pkg: sigs.k8s.io/controller-runtime
+          alias: ctrl
+      no-unaliased: true
+    modernize:
+      disable:
+        - omitzero
+        - fmtappendf
+    revive:
+      rules:
+        # The following rules are recommended https://github.com/mgechev/revive#recommended-configuration
+        - name: blank-imports
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: exported
+        - name: if-return
+        - name: increment-decrement
+        - name: var-naming
+        - name: var-declaration
+        - name: range
+        - name: receiver-naming
+        - name: time-naming
+        - name: unexported-return
+        - name: indent-error-flow
+        - name: errorf
+        - name: superfluous-else
+        - name: unreachable-code
+        - name: redefines-builtin-id
+        #
+        # Rules in addition to the recommended configuration above.
+        #
+        - name: bool-literal-in-expr
+        - name: constant-logical-expr
+  exclusions:
+    generated: strict
+    paths:
+      - zz_generated.*\.go$
+      - .*conversion.*\.go$
+    rules:
+      - linters:
+          - forbidigo
+        path-except: _test\.go
+      - linters:
+          - gosec
+        text: 'G108: Profiling endpoint is automatically exposed on /debug/pprof'
+      - linters:
+          - revive
+        text: 'exported: exported method .*\.(Reconcile|SetupWithManager|SetupWebhookWithManager) should have comment or be unexported'
+      - linters:
+          - errcheck
+        text: Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv). is not checked
+      - linters:
+          - staticcheck
+        text: 'SA1019: .*The component config package has been deprecated and will be removed in a future release.'
+      # With Go 1.16, the new embed directive can be used with an un-named import,
+      # revive (previously, golint) only allows these to be imported in a main.go, which wouldn't work for us.
+      # This directive allows the embed package to be imported with an underscore everywhere.
+      - linters:
+          - revive
+        source: _ "embed"
+      # Exclude some packages or code to require comments, for example test code, or fake clients.
+      - linters:
+          - revive
+        text: exported (method|function|type|const) (.+) should have comment or be unexported
+        source: (func|type).*Fake.*
+      - linters:
+          - revive
+        path: fake_\.go
+        text: exported (method|function|type|const) (.+) should have comment or be unexported
+      # Disable unparam "always receives" which might not be really
+      # useful when building libraries.
+      - linters:
+          - unparam
+        text: always receives
+      # Dot imports for gomega and ginkgo are allowed
+      # within test files.
+      - path: _test\.go
+        text: should not use dot imports
+      - path: _test\.go
+        text: cyclomatic complexity
+      - path: _test\.go
+        text: 'G107: Potential HTTP request made with variable url'
+      # Append should be able to assign to a different var/slice.
+      - linters:
+          - gocritic
+        text: 'appendAssign: append result not assigned to the same slice'
+      - linters:
+          - gocritic
+        text: 'singleCaseSwitch: should rewrite switch statement to if statement'
+      # It considers all file access to a filename that comes from a variable problematic,
+      # which is naiv at best.
+      - linters:
+          - gosec
+        text: 'G304: Potential file inclusion via variable'
+      - linters:
+          - dupl
+        path: _test\.go
+      - linters:
+          - revive
+        path: .*/internal/.*
+      - linters:
+          - unused
+        # Seems to incorrectly trigger on the two implementations that are only
+        # used through an interface and not directly..?
+        # Likely same issue as https://github.com/dominikh/go-tools/issues/1616
+        path: pkg/controller/priorityqueue/metrics\.go
+      # The following are being worked on to remove their exclusion. This list should be reduced or go away all together over time.
+      # If it is decided they will not be addressed they should be moved above this comment.
+      - path: (.+)\.go$
+        text: Subprocess launch(ed with variable|ing should be audited)
+      - linters:
+          - gosec
+        path: (.+)\.go$
+        text: (G204|G104|G307)
+      - linters:
+          - staticcheck
+        path: (.+)\.go$
+        text: (ST1000|QF1008)
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: strict
+    paths:
+      - zz_generated.*\.go$
+      - .*conversion.*\.go$
diff --git a/vendor/sigs.k8s.io/controller-runtime/.gomodcheck.yaml b/vendor/sigs.k8s.io/controller-runtime/.gomodcheck.yaml
new file mode 100644
index 0000000000..3eaff8dc47
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/.gomodcheck.yaml
@@ -0,0 +1,21 @@
+upstreamRefs:
+  - k8s.io/api
+  - k8s.io/apiextensions-apiserver
+  - k8s.io/apimachinery
+  - k8s.io/apiserver
+  - k8s.io/client-go
+  - k8s.io/component-base
+  # k8s.io/klog/v2 -> conflicts with k/k deps
+  # k8s.io/utils -> conflicts with k/k deps
+
+excludedModules:
+  # Needs a newer version to fix https://github.com/kubernetes-sigs/controller-runtime/issues/3418
+  # This should not be needed by the time we update to 1.36
+  - sigs.k8s.io/structured-merge-diff/v6
+
+  # --- test dependencies:
+  - github.com/onsi/ginkgo/v2
+  - github.com/onsi/gomega
+
+  # --- We want a newer version with generics support for this
+  - github.com/google/btree
diff --git a/vendor/sigs.k8s.io/controller-runtime/CONTRIBUTING.md b/vendor/sigs.k8s.io/controller-runtime/CONTRIBUTING.md
new file mode 100644
index 0000000000..2c0ea1f667
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/CONTRIBUTING.md
@@ -0,0 +1,19 @@
+# Contributing guidelines
+
+## Sign the CLA
+
+Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests.
+  
+Please see https://git.k8s.io/community/CLA.md for more info
+
+## Contributing steps
+
+1. Submit an issue describing your proposed change to the repo in question.
+1. The [repo owners](OWNERS) will respond to your issue promptly.
+1. If your proposed change is accepted, and you haven't already done so, sign a Contributor License Agreement (see details above).
+1. Fork the desired repo, develop and test your code changes.
+1. Submit a pull request.
+
+## Test locally
+
+Run the command `make test` to test the changes locally.
diff --git a/vendor/sigs.k8s.io/controller-runtime/FAQ.md b/vendor/sigs.k8s.io/controller-runtime/FAQ.md
new file mode 100644
index 0000000000..9c36c8112e
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/FAQ.md
@@ -0,0 +1,81 @@
+# FAQ
+
+### Q: How do I know which type of object a controller references?
+
+**A**: Each controller should only reconcile one object type.  Other
+affected objects should be mapped to a single type of root object, using
+the `handler.EnqueueRequestForOwner` or `handler.EnqueueRequestsFromMapFunc` event
+handlers, and potentially indices. Then, your Reconcile method should
+attempt to reconcile *all* state for that given root objects.
+
+### Q: How do I have different logic in my reconciler for different types of events (e.g. create, update, delete)?
+
+**A**: You should not. Reconcile functions should be idempotent, and
+should always reconcile state by reading all the state it needs, then
+writing updates.  This allows your reconciler to correctly respond to
+generic events, adjust to skipped or coalesced events, and easily deal
+with application startup.  The controller will enqueue reconcile requests
+for both old and new objects if a mapping changes, but it's your
+responsibility to make sure you have enough information to be able clean
+up state that's no longer referenced.
+
+### Q: My cache might be stale if I read from a cache! How should I deal with that?
+
+**A**: There are several different approaches that can be taken, depending
+on your situation.
+
+- When you can, take advantage of optimistic locking: use deterministic
+  names for objects you create, so that the Kubernetes API server will
+  warn you if the object already exists.  Many controllers in Kubernetes
+  take this approach: the StatefulSet controller appends a specific number
+  to each pod that it creates, while the Deployment controller hashes the
+  pod template spec and appends that.
+
+- In the few cases when you cannot take advantage of deterministic names
+  (e.g. when using generateName), it may be useful in to track which
+  actions you took, and assume that they need to be repeated if they don't
+  occur after a given time (e.g. using a requeue result).  This is what
+  the ReplicaSet controller does.
+
+In general, write your controller with the assumption that information
+will eventually be correct, but may be slightly out of date. Make sure
+that your reconcile function enforces the entire state of the world each
+time it runs.  If none of this works for you, you can always construct
+a client that reads directly from the API server, but this is generally
+considered to be a last resort, and the two approaches above should
+generally cover most circumstances.
+
+### Q: Where's the fake client?  How do I use it?
+
+**A**: The fake client
+[exists](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/client/fake),
+but we generally recommend using
+[envtest.Environment](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/envtest#Environment)
+to test against a real API server.  In our experience, tests using fake
+clients gradually re-implement poorly-written impressions of a real API
+server, which leads to hard-to-maintain, complex test code.
+
+### Q: How should I write tests?  Any suggestions for getting started?
+
+- Use the aforementioned
+  [envtest.Environment](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/envtest#Environment)
+  to spin up a real API server instead of trying to mock one out.
+
+- Structure your tests to check that the state of the world is as you
+  expect it, *not* that a particular set of API calls were made, when
+  working with Kubernetes APIs.  This will allow you to more easily
+  refactor and improve the internals of your controllers without changing
+  your tests.
+
+- Remember that any time you're interacting with the API server, changes
+  may have some delay between write time and reconcile time.
+
+### Q: What are these errors about no Kind being registered for a type?
+
+**A**: You're probably missing a fully-set-up Scheme.  Schemes record the
+mapping between Go types and group-version-kinds in Kubernetes. In
+general, your application should have its own Scheme containing the types
+from the API groups that it needs (be they Kubernetes types or your own).
+See the [scheme builder
+docs](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/scheme) for
+more information.
diff --git a/vendor/sigs.k8s.io/controller-runtime/Makefile b/vendor/sigs.k8s.io/controller-runtime/Makefile
new file mode 100644
index 0000000000..1c1fb7f429
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/Makefile
@@ -0,0 +1,214 @@
+#!/usr/bin/env bash
+
+#  Copyright 2020 The Kubernetes Authors.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+# If you update this file, please follow
+# https://suva.sh/posts/well-documented-makefiles
+
+## --------------------------------------
+## General
+## --------------------------------------
+
+SHELL:=/usr/bin/env bash
+.DEFAULT_GOAL:=help
+
+#
+# Go.
+#
+GO_VERSION ?= 1.25.0
+
+# Use GOPROXY environment variable if set
+GOPROXY := $(shell go env GOPROXY)
+ifeq ($(GOPROXY),)
+GOPROXY := https://proxy.golang.org
+endif
+export GOPROXY
+
+# Active module mode, as we use go modules to manage dependencies
+export GO111MODULE=on
+
+# Hosts running SELinux need :z added to volume mounts
+SELINUX_ENABLED := $(shell cat /sys/fs/selinux/enforce 2> /dev/null || echo 0)
+
+ifeq ($(SELINUX_ENABLED),1)
+  DOCKER_VOL_OPTS?=:z
+endif
+
+# Tools.
+TOOLS_DIR := hack/tools
+TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin)
+GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/golangci-lint)
+GO_APIDIFF := $(TOOLS_BIN_DIR)/go-apidiff
+CONTROLLER_GEN := $(TOOLS_BIN_DIR)/controller-gen
+ENVTEST_DIR := $(abspath tools/setup-envtest)
+SCRATCH_ENV_DIR := $(abspath examples/scratch-env)
+GO_INSTALL := ./hack/go-install.sh
+
+# The help will print out all targets with their descriptions organized bellow their categories. The categories are represented by `##@` and the target descriptions by `##`.
+# The awk commands is responsible to read the entire set of makefiles included in this invocation, looking for lines of the file as xyz: ## something, and then pretty-format the target and help. Then, if there's a line with ##@ something, that gets pretty-printed as a category.
+# More info over the usage of ANSI control characters for terminal formatting: https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
+# More info over awk command: http://linuxcommand.org/lc3_adv_awk.php
+.PHONY: help
+help:  ## Display this help
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+## --------------------------------------
+## Testing
+## --------------------------------------
+
+.PHONY: test
+test: ## Run the script check-everything.sh which will check all.
+	TRACE=1 ./hack/check-everything.sh
+
+## --------------------------------------
+## Binaries
+## --------------------------------------
+
+GO_APIDIFF_VER := v0.8.3
+GO_APIDIFF_BIN := go-apidiff
+GO_APIDIFF := $(abspath $(TOOLS_BIN_DIR)/$(GO_APIDIFF_BIN)-$(GO_APIDIFF_VER))
+GO_APIDIFF_PKG := github.com/joelanford/go-apidiff
+
+$(GO_APIDIFF): # Build go-apidiff from tools folder.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GO_APIDIFF_PKG) $(GO_APIDIFF_BIN) $(GO_APIDIFF_VER)
+
+CONTROLLER_GEN_VER := v0.20.0
+CONTROLLER_GEN_BIN := controller-gen
+CONTROLLER_GEN := $(abspath $(TOOLS_BIN_DIR)/$(CONTROLLER_GEN_BIN)-$(CONTROLLER_GEN_VER))
+CONTROLLER_GEN_PKG := sigs.k8s.io/controller-tools/cmd/controller-gen
+
+$(CONTROLLER_GEN): # Build controller-gen from tools folder.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER)
+
+GOLANGCI_LINT_BIN := golangci-lint
+GOLANGCI_LINT_VER := $(shell cat .github/workflows/golangci-lint.yml | grep [[:space:]]version: | sed 's/.*version: //')
+GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
+GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/v2/cmd/golangci-lint
+
+$(GOLANGCI_LINT): # Build golangci-lint from tools folder.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
+
+GO_MOD_CHECK_DIR := $(abspath ./hack/tools/cmd/gomodcheck)
+GO_MOD_CHECK := $(abspath $(TOOLS_BIN_DIR)/gomodcheck)
+GO_MOD_CHECK_IGNORE := $(abspath .gomodcheck.yaml)
+.PHONY: $(GO_MOD_CHECK)
+$(GO_MOD_CHECK): # Build gomodcheck
+	go build -C $(GO_MOD_CHECK_DIR) -o $(GO_MOD_CHECK)
+
+## --------------------------------------
+## Linting
+## --------------------------------------
+
+.PHONY: lint
+lint: $(GOLANGCI_LINT) ## Lint codebase
+	$(GOLANGCI_LINT) run -v $(GOLANGCI_LINT_EXTRA_ARGS)
+	cd tools/setup-envtest; $(GOLANGCI_LINT) run -v $(GOLANGCI_LINT_EXTRA_ARGS)
+
+.PHONY: lint-fix
+lint-fix: $(GOLANGCI_LINT) ## Lint the codebase and run auto-fixers if supported by the linter.
+	GOLANGCI_LINT_EXTRA_ARGS=--fix $(MAKE) lint
+
+## --------------------------------------
+## Generate
+## --------------------------------------
+
+.PHONY: modules
+modules: ## Runs go mod to ensure modules are up to date.
+	go mod tidy
+	cd $(TOOLS_DIR); go mod tidy
+	cd $(ENVTEST_DIR); go mod tidy
+	cd $(SCRATCH_ENV_DIR); go mod tidy
+
+## --------------------------------------
+## Release
+## --------------------------------------
+
+RELEASE_DIR := tools/setup-envtest/out
+
+.PHONY: $(RELEASE_DIR)
+$(RELEASE_DIR):
+	mkdir -p $(RELEASE_DIR)/
+
+.PHONY: release
+release: clean-release $(RELEASE_DIR) ## Build release.
+	@if ! [ -z "$$(git status --porcelain)" ]; then echo "Your local git repository contains uncommitted changes, use git clean before proceeding."; exit 1; fi
+
+	# Build binaries first.
+	$(MAKE) release-binaries
+
+.PHONY: release-binaries
+release-binaries: ## Build release binaries.
+	RELEASE_BINARY=setup-envtest-linux-amd64       GOOS=linux   GOARCH=amd64   $(MAKE) release-binary
+	RELEASE_BINARY=setup-envtest-linux-arm64       GOOS=linux   GOARCH=arm64   $(MAKE) release-binary
+	RELEASE_BINARY=setup-envtest-linux-ppc64le     GOOS=linux   GOARCH=ppc64le $(MAKE) release-binary
+	RELEASE_BINARY=setup-envtest-linux-s390x       GOOS=linux   GOARCH=s390x   $(MAKE) release-binary
+	RELEASE_BINARY=setup-envtest-darwin-amd64      GOOS=darwin  GOARCH=amd64   $(MAKE) release-binary
+	RELEASE_BINARY=setup-envtest-darwin-arm64      GOOS=darwin  GOARCH=arm64   $(MAKE) release-binary
+	RELEASE_BINARY=setup-envtest-windows-amd64.exe GOOS=windows GOARCH=amd64   $(MAKE) release-binary
+
+.PHONY: release-binary
+release-binary: $(RELEASE_DIR)
+	docker run \
+		--rm \
+		-e CGO_ENABLED=0 \
+		-e GOOS=$(GOOS) \
+		-e GOARCH=$(GOARCH) \
+		-e GOCACHE=/tmp/ \
+		--user $$(id -u):$$(id -g) \
+		-v "$$(pwd):/workspace$(DOCKER_VOL_OPTS)" \
+		-w /workspace/tools/setup-envtest \
+		golang:$(GO_VERSION) \
+		go build -a -trimpath -ldflags "-X 'sigs.k8s.io/controller-runtime/tools/setup-envtest/version.version=$(RELEASE_TAG)' -extldflags '-static'" \
+		-o ./out/$(RELEASE_BINARY) ./
+
+## --------------------------------------
+## Cleanup / Verification
+## --------------------------------------
+
+.PHONY: clean
+clean: ## Cleanup.
+	$(GOLANGCI_LINT) cache clean
+	$(MAKE) clean-bin
+
+.PHONY: clean-bin
+clean-bin: ## Remove all generated binaries.
+	rm -rf hack/tools/bin
+
+.PHONY: clean-release
+clean-release: ## Remove the release folder
+	rm -rf $(RELEASE_DIR)
+
+.PHONY: verify-modules
+verify-modules: modules $(GO_MOD_CHECK) ## Verify go modules are up to date
+	@if !(git diff --quiet HEAD -- go.sum go.mod $(TOOLS_DIR)/go.mod $(TOOLS_DIR)/go.sum $(ENVTEST_DIR)/go.mod $(ENVTEST_DIR)/go.sum $(SCRATCH_ENV_DIR)/go.sum); then \
+		git diff; \
+		echo "go module files are out of date, please run 'make modules'"; exit 1; \
+	fi
+	$(GO_MOD_CHECK) $(GO_MOD_CHECK_IGNORE)
+
+APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/main)
+
+.PHONY: apidiff
+verify-apidiff: $(GO_APIDIFF) ## Check for API differences
+	$(GO_APIDIFF) $(APIDIFF_OLD_COMMIT) --print-compatible
+
+## --------------------------------------
+## Helpers
+## --------------------------------------
+
+##@ helpers:
+
+go-version: ## Print the go version we use to compile our binaries and images
+	@echo $(GO_VERSION)
diff --git a/vendor/sigs.k8s.io/controller-runtime/OWNERS b/vendor/sigs.k8s.io/controller-runtime/OWNERS
new file mode 100644
index 0000000000..9f2d296e4c
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/OWNERS
@@ -0,0 +1,11 @@
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+approvers:
+  - controller-runtime-admins
+  - controller-runtime-maintainers
+  - controller-runtime-approvers
+reviewers:
+  - controller-runtime-admins
+  - controller-runtime-maintainers
+  - controller-runtime-approvers
+  - controller-runtime-reviewers
diff --git a/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES b/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES
new file mode 100644
index 0000000000..47bf6eedf3
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES
@@ -0,0 +1,39 @@
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+aliases:
+  # active folks who can be contacted to perform admin-related
+  # tasks on the repo, or otherwise approve any PRS.
+  controller-runtime-admins:
+  - alvaroaleman
+  - joelanford
+  - sbueringer
+  - vincepri
+
+  # non-admin folks who have write-access and can approve any PRs in the repo
+  controller-runtime-maintainers:
+  - alvaroaleman
+  - joelanford
+  - sbueringer
+  - vincepri
+
+  # non-admin folks who can approve any PRs in the repo
+  controller-runtime-approvers:
+  - fillzpp
+
+  # folks who can review and LGTM any PRs in the repo (doesn't
+  # include approvers & admins -- those count too via the OWNERS
+  # file)
+  controller-runtime-reviewers:
+  - varshaprasad96
+  - inteon
+  - JoelSpeed
+  - troy0820
+
+  # folks who may have context on ancient history,
+  # but are no longer directly involved
+  controller-runtime-emeritus-maintainers:
+  - directxman12
+  controller-runtime-emeritus-admins:
+  - droot
+  - mengqiy
+  - pwittrock
diff --git a/vendor/sigs.k8s.io/controller-runtime/README.md b/vendor/sigs.k8s.io/controller-runtime/README.md
new file mode 100644
index 0000000000..8549f4e880
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/README.md
@@ -0,0 +1,86 @@
+[![Go Report Card](https://goreportcard.com/badge/sigs.k8s.io/controller-runtime)](https://goreportcard.com/report/sigs.k8s.io/controller-runtime)
+[![godoc](https://pkg.go.dev/badge/sigs.k8s.io/controller-runtime)](https://pkg.go.dev/sigs.k8s.io/controller-runtime)
+
+# Kubernetes controller-runtime Project
+
+The Kubernetes controller-runtime Project is a set of go libraries for building
+Controllers. It is leveraged by [Kubebuilder](https://book.kubebuilder.io/) and
+[Operator SDK](https://github.com/operator-framework/operator-sdk). Both are
+a great place to start for new projects. See
+[Kubebuilder's Quick Start](https://book.kubebuilder.io/quick-start.html) to
+see how it can be used.
+
+Documentation:
+
+- [Package overview](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg)
+- [Basic controller using builder](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/builder#example-Builder)
+- [Creating a manager](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/manager#example-New)
+- [Creating a controller](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/controller#example-New)
+- [Examples](https://github.com/kubernetes-sigs/controller-runtime/blob/main/examples)
+- [Designs](https://github.com/kubernetes-sigs/controller-runtime/blob/main/designs)
+
+# Versioning, Maintenance, and Compatibility
+
+The full documentation can be found at [VERSIONING.md](VERSIONING.md), but TL;DR:
+
+Users:
+
+- We stick to a zero major version
+- We publish a minor version for each Kubernetes minor release and allow breaking changes between minor versions
+- We publish patch versions as needed and we don't allow breaking changes in them
+
+Contributors:
+
+- All code PR must be labeled with :bug: (patch fixes), :sparkles: (backwards-compatible features), or :warning: (breaking changes)
+- Breaking changes will find their way into the next major release, other changes will go into an semi-immediate patch or minor release
+- For a quick PR template suggesting the right information, use one of these PR templates:
+  * [Breaking Changes/Features](/.github/PULL_REQUEST_TEMPLATE/breaking_change.md)
+  * [Backwards-Compatible Features](/.github/PULL_REQUEST_TEMPLATE/compat_feature.md)
+  * [Bug fixes](/.github/PULL_REQUEST_TEMPLATE/bug_fix.md)
+  * [Documentation Changes](/.github/PULL_REQUEST_TEMPLATE/docs.md)
+  * [Test/Build/Other Changes](/.github/PULL_REQUEST_TEMPLATE/other.md)
+
+## Compatibility
+
+Every minor version of controller-runtime has been tested with a specific minor version of client-go. A controller-runtime minor version *may* be compatible with
+other client-go minor versions, but this is by chance and neither supported nor tested. In general, we create one minor version of controller-runtime
+for each minor version of client-go and other k8s.io/* dependencies.
+
+The minimum Go version of controller-runtime is the highest minimum Go version of our Go dependencies. Usually, this will
+be identical to the minimum Go version of the corresponding k8s.io/* dependencies.
+
+Compatible k8s.io/*, client-go and minimum Go versions can be looked up in our [go.mod](go.mod) file.
+
+|          | k8s.io/*, client-go | minimum Go version |
+|----------|:-------------------:|:------------------:|
+| CR v0.22 |        v0.34        |        1.24        |
+| CR v0.21 |        v0.33        |        1.24        |
+| CR v0.20 |        v0.32        |        1.23        |
+| CR v0.19 |        v0.31        |        1.22        |
+| CR v0.18 |        v0.30        |        1.22        |
+| CR v0.17 |        v0.29        |        1.21        |
+| CR v0.16 |        v0.28        |        1.20        |
+| CR v0.15 |        v0.27        |        1.20        |
+
+## FAQ
+
+See [FAQ.md](FAQ.md)
+
+## Community, discussion, contribution, and support
+
+Learn how to engage with the Kubernetes community on the [community page](http://kubernetes.io/community/).
+
+You can reach the maintainers of this project at:
+
+- Slack channel: [#controller-runtime](https://kubernetes.slack.com/archives/C02MRBMN00Z)
+- Google Group: [kubebuilder@googlegroups.com](https://groups.google.com/forum/#!forum/kubebuilder)
+
+## Contributing
+
+Contributions are greatly appreciated. The maintainers actively manage the issues list, and try to highlight issues suitable for newcomers.
+The project follows the typical GitHub pull request model. See [CONTRIBUTING.md](CONTRIBUTING.md) for more details.
+Before starting any work, please either comment on an existing issue, or file a new one.
+
+## Code of conduct
+
+Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).
diff --git a/vendor/sigs.k8s.io/controller-runtime/RELEASE.md b/vendor/sigs.k8s.io/controller-runtime/RELEASE.md
new file mode 100644
index 0000000000..2a857b976e
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/RELEASE.md
@@ -0,0 +1,51 @@
+# Release Process
+
+The Kubernetes controller-runtime Project is released on an as-needed basis. The process is as follows:
+
+**Note:** Releases are done from the `release-MAJOR.MINOR` branches. For PATCH releases is not required
+to create a new branch you will just need to ensure that all big fixes are cherry-picked into the respective
+`release-MAJOR.MINOR` branch. To know more about versioning check https://semver.org/.
+
+## How to do a release
+
+### Create the new branch and the release tag
+
+1. Create a new branch `git checkout -b release-<MAJOR.MINOR>` from main
+2. Push the new branch to the remote repository
+
+### Now, let's generate the changelog
+
+1. Create the changelog from the new branch `release-<MAJOR.MINOR>` (`git checkout release-<MAJOR.MINOR>`).
+You will need to use the [kubebuilder-release-tools][kubebuilder-release-tools] to generate the notes. See [here][release-notes-generation]
+
+> **Note**
+> - You will need to have checkout locally from the remote repository the previous branch
+> - Also, ensure that you fetch all tags from the remote `git fetch --all --tags`
+
+### Draft a new release from GitHub
+
+1. Create a new tag with the correct version from the new `release-<MAJOR.MINOR>` branch
+2. Add the changelog on it and publish. Now, the code source is released !
+
+### Add a new Prow test the for the new branch release
+
+1. Create a new prow test under [github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/controller-runtime](https://github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/controller-runtime)
+for the new `release-<MAJOR.MINOR>` branch. (i.e. for the `0.11.0` release see the PR: https://github.com/kubernetes/test-infra/pull/25205)
+2. Ping the infra PR in the controller-runtime slack channel for reviews.
+
+### Announce the new release:
+
+1. Publish on the Slack channel the new release, i.e:
+
+````
+:announce: Controller-Runtime v0.12.0 has been released!
+This release includes a Kubernetes dependency bump to v1.24.
+For more info, see the release page: https://github.com/kubernetes-sigs/controller-runtime/releases.
+ :tada:  Thanks to all our contributors!
+````
+
+2. An announcement email is sent to `kubebuilder@googlegroups.com` with the subject `[ANNOUNCE] Controller-Runtime $VERSION is released`
+
+[kubebuilder-release-tools]: https://github.com/kubernetes-sigs/kubebuilder-release-tools
+[release-notes-generation]: https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/README.md#release-notes-generation
+[release-process]: https://github.com/kubernetes-sigs/kubebuilder/blob/master/VERSIONING.md#releasing
diff --git a/vendor/sigs.k8s.io/controller-runtime/SECURITY_CONTACTS b/vendor/sigs.k8s.io/controller-runtime/SECURITY_CONTACTS
new file mode 100644
index 0000000000..9c5241c6b4
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/SECURITY_CONTACTS
@@ -0,0 +1,15 @@
+# Defined below are the security contacts for this repo.
+#
+# They are the contact point for the Product Security Team to reach out
+# to for triaging and handling of incoming issues.
+#
+# The below names agree to abide by the
+# [Embargo Policy](https://github.com/kubernetes/sig-release/blob/master/security-release-process-documentation/security-release-process.md#embargo-policy)
+# and will be removed and replaced if they violate that agreement.
+#
+# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
+# INSTRUCTIONS AT https://kubernetes.io/security/
+
+alvaroaleman
+sbueringer
+vincepri
diff --git a/vendor/sigs.k8s.io/controller-runtime/TMP-LOGGING.md b/vendor/sigs.k8s.io/controller-runtime/TMP-LOGGING.md
new file mode 100644
index 0000000000..97e091fd48
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/TMP-LOGGING.md
@@ -0,0 +1,169 @@
+Logging Guidelines
+==================
+
+controller-runtime uses a kind of logging called *structured logging*. If
+you've used a library like Zap or logrus before, you'll be familiar with
+the concepts we use.  If you've only used a logging library like the "log"
+package (in the Go standard library) or "glog" (in Kubernetes), you'll
+need to adjust how you think about logging a bit.
+
+### Getting Started With Structured Logging
+
+With structured logging, we associate a *constant* log message with some
+variable key-value pairs.  For instance, suppose we wanted to log that we
+were starting reconciliation on a pod.  In the Go standard library logger,
+we might write:
+
+```go
+log.Printf("starting reconciliation for pod %s/%s", podNamespace, podName)
+```
+
+In controller-runtime, we'd instead write:
+
+```go
+logger.Info("starting reconciliation", "pod", req.NamespacedName)
+```
+
+or even write
+
+```go
+func (r *Reconciler) Reconcile(req reconcile.Request) (reconcile.Response, error) {
+    logger := logger.WithValues("pod", req.NamespacedName)
+    // do some stuff
+    logger.Info("starting reconciliation")
+}
+```
+
+Notice how we've broken out the information that we want to convey into
+a constant message (`"starting reconciliation"`) and some key-value pairs
+that convey variable information (`"pod", req.NamespacedName`).  We've
+there-by added "structure" to our logs, which makes them easier to save
+and search later, as well as correlate with metrics and events.
+
+All of controller-runtime's logging is done via
+[logr](https://github.com/go-logr/logr), a generic interface for
+structured logging.  You can use whichever logging library you want to
+implement the actual mechanics of the logging.  controller-runtime
+provides some helpers to make it easy to use
+[Zap](https://go.uber.org/zap) as the implementation.
+
+You can configure the logging implementation using
+`"sigs.k8s.io/controller-runtime/pkg/log".SetLogger`.  That
+package also contains the convenience functions for setting up Zap.
+
+You can get a handle to the "root" logger using
+`"sigs.k8s.io/controller-runtime/pkg/log".Log`, and can then call
+`WithName` to create individual named loggers.  You can call `WithName`
+repeatedly to chain names together:
+
+```go
+logger := log.Log.WithName("controller").WithName("replicaset")
+// in reconcile...
+logger = logger.WithValues("replicaset", req.NamespacedName)
+// later on in reconcile...
+logger.Info("doing things with pods", "pod", newPod)
+```
+
+As seen above, you can also call `WithValue` to create a new sub-logger
+that always attaches some key-value pairs to a logger.
+
+Finally, you can use `V(1)` to mark a particular log line as "debug" logs:
+
+```go
+logger.V(1).Info("this is particularly verbose!", "state of the world",
+allKubernetesObjectsEverywhere)
+```
+
+While it's possible to use higher log levels, it's recommended that you
+stick with `V(1)` or `V(0)` (which is equivalent to not specifying `V`),
+and then filter later based on key-value pairs or messages; different
+numbers tend to lose meaning easily over time, and you'll be left
+wondering why particular logs lines are at `V(5)` instead of `V(7)`.
+
+## Logging errors
+
+Errors should *always* be logged with `log.Error`, which allows logr
+implementations to provide special handling of errors (for instance,
+providing stack traces in debug mode).
+
+It's acceptable to log call `log.Error` with a nil error object.  This
+conveys that an error occurred in some capacity, but that no actual
+`error` object was involved.
+
+Errors returned by the `Reconcile` implementation of the `Reconciler` interface are commonly logged as a `Reconciler error`.
+It's a developer choice to create an additional error log in the `Reconcile` implementation so a more specific file name and line for the error are returned. 
+
+## Logging messages
+
+- Don't put variable content in your messages -- use key-value pairs for
+  that. Never use `fmt.Sprintf` in your message.
+
+- Try to match the terminology in your messages with your key-value pairs
+  -- for instance, if you have a key-value pairs `api version`, use the
+  term `APIVersion` instead of `GroupVersion` in your message.
+
+## Logging Kubernetes Objects
+
+Kubernetes objects should be logged directly, like `log.Info("this is
+a Kubernetes object", "pod", somePod)`.  controller-runtime provides
+a special encoder for Zap that will transform Kubernetes objects into
+`name, namespace, apiVersion, kind` objects, when available and not in
+development mode.  Other logr implementations should implement similar
+logic.
+
+## Logging Structured Values (Key-Value pairs)
+
+- Use lower-case, space separated keys.  For example `object` for objects,
+  `api version` for `APIVersion`
+
+- Be consistent across your application, and with controller-runtime when
+  possible.
+
+- Try to be brief but descriptive.
+
+- Match terminology in keys with terminology in the message.
+
+- Be careful logging non-Kubernetes objects verbatim if they're very
+  large.
+
+### Groups, Versions, and Kinds
+
+- Kinds should not be logged alone (they're meaningless alone).  Use
+  a `GroupKind` object to log them instead, or a `GroupVersionKind` when
+  version is relevant.
+
+- If you need to log an API version string, use `api version` as the key
+  (formatted as with a `GroupVersion`, or as received directly from API
+  discovery).
+
+### Objects and Types
+
+- If code works with a generic Kubernetes `runtime.Object`, use the
+  `object` key.  For specific objects, prefer the resource name as the key
+  (e.g. `pod` for `v1.Pod` objects).
+
+- For non-Kubernetes objects, the `object` key may also be used, if you
+  accept a generic interface.
+
+- When logging a raw type, log it using the `type` key, with a value of
+  `fmt.Sprintf("%T", typ)`
+
+- If there's specific context around a type, the key may be more specific,
+  but should end with `type` -- for instance, `OwnerType` should be logged
+  as `owner` in the context of `log.Error(err, "Could not get ObjectKinds
+  for OwnerType", `owner type`, fmt.Sprintf("%T"))`.  When possible, favor
+  communicating kind instead.
+
+### Multiple things
+
+- When logging multiple things, simply pluralize the key.
+
+### controller-runtime Specifics
+
+- Reconcile requests should be logged as `request`, although normal code
+  should favor logging the key.
+
+- Reconcile keys should be logged as with the same key as if you were
+  logging the object directly (e.g. `log.Info("reconciling pod", "pod",
+  req.NamespacedName)`).  This ends up having a similar effect to logging
+  the object directly.
diff --git a/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md b/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md
new file mode 100644
index 0000000000..7ad6b142cc
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md
@@ -0,0 +1,40 @@
+# Versioning and Branching in controller-runtime
+
+We follow the [common KubeBuilder versioning guidelines][guidelines], and
+use the corresponding tooling.
+
+For the purposes of the aforementioned guidelines, controller-runtime
+counts as a "library project", but otherwise follows the guidelines
+exactly.
+
+We stick to a major version of zero and create a minor version for
+each Kubernetes minor version and we allow breaking changes in our
+minor versions. We create patch releases as needed and don't allow
+breaking changes in them.
+
+Publishing a non-zero major version is pointless for us, as the k8s.io/*
+libraries we heavily depend on do breaking changes but use the same
+versioning scheme as described above. Consequently, a project can only
+ever depend on one controller-runtime version.
+
+[guidelines]: https://sigs.k8s.io/kubebuilder-release-tools/VERSIONING.md
+
+## Compatibility and Release Support
+
+For release branches, we generally tend to support backporting one (1)
+major release (`release-{X-1}` or `release-0.{Y-1}`), but may go back
+further if the need arises and is very pressing (e.g. security updates).
+
+### Dependency Support
+
+Note the [guidelines on dependency versions][dep-versions].  Particularly:
+
+- We **DO** guarantee Kubernetes REST API compatibility -- if a given
+  version of controller-runtime stops working with what should be
+  a supported version of Kubernetes, this is almost certainly a bug.
+
+- We **DO NOT** guarantee any particular compatibility matrix between
+  kubernetes library dependencies (client-go, apimachinery, etc); Such
+  compatibility is infeasible due to the way those libraries are versioned.
+
+[dep-versions]: https://sigs.k8s.io/kubebuilder-release-tools/VERSIONING.md#kubernetes-version-compatibility
diff --git a/vendor/sigs.k8s.io/controller-runtime/alias.go b/vendor/sigs.k8s.io/controller-runtime/alias.go
new file mode 100644
index 0000000000..e2ac45a5e0
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/alias.go
@@ -0,0 +1,168 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllerruntime
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+// Builder builds an Application ControllerManagedBy (e.g. Operator) and returns a manager.Manager to start it.
+type Builder = builder.Builder
+
+// Request contains the information necessary to reconcile a Kubernetes object.  This includes the
+// information to uniquely identify the object - its Name and Namespace.  It does NOT contain information about
+// any specific Event or the object contents itself.
+type Request = reconcile.Request
+
+// Result contains the result of a Reconciler invocation.
+type Result = reconcile.Result
+
+// Manager initializes shared dependencies such as Caches and Clients, and provides them to Runnables.
+// A Manager is required to create Controllers.
+type Manager = manager.Manager
+
+// Options are the arguments for creating a new Manager.
+type Options = manager.Options
+
+// SchemeBuilder builds a new Scheme for mapping go types to Kubernetes GroupVersionKinds.
+type SchemeBuilder = scheme.Builder
+
+// GroupVersion contains the "group" and the "version", which uniquely identifies the API.
+type GroupVersion = schema.GroupVersion
+
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types.
+type GroupResource = schema.GroupResource
+
+// TypeMeta describes an individual object in an API response or request
+// with strings representing the type of the object and its API schema version.
+// Structures that are versioned or persisted should inline TypeMeta.
+//
+// +k8s:deepcopy-gen=false
+type TypeMeta = metav1.TypeMeta
+
+// ObjectMeta is metadata that all persisted resources must have, which includes all objects
+// users must create.
+type ObjectMeta = metav1.ObjectMeta
+
+var (
+	// RegisterFlags registers flag variables to the given FlagSet if not already registered.
+	// It uses the default command line FlagSet, if none is provided. Currently, it only registers the kubeconfig flag.
+	RegisterFlags = config.RegisterFlags
+
+	// GetConfigOrDie creates a *rest.Config for talking to a Kubernetes apiserver.
+	// If --kubeconfig is set, will use the kubeconfig file at that location.  Otherwise will assume running
+	// in cluster and use the cluster provided kubeconfig.
+	//
+	// The returned `*rest.Config` has client-side ratelimting disabled as we can rely on API priority and
+	// fairness. Set its QPS to a value equal or bigger than 0 to re-enable it.
+	//
+	// Will log an error and exit if there is an error creating the rest.Config.
+	GetConfigOrDie = config.GetConfigOrDie
+
+	// GetConfig creates a *rest.Config for talking to a Kubernetes apiserver.
+	// If --kubeconfig is set, will use the kubeconfig file at that location.  Otherwise will assume running
+	// in cluster and use the cluster provided kubeconfig.
+	//
+	// The returned `*rest.Config` has client-side ratelimting disabled as we can rely on API priority and
+	// fairness. Set its QPS to a value equal or bigger than 0 to re-enable it.
+	//
+	// Config precedence
+	//
+	// * --kubeconfig flag pointing at a file
+	//
+	// * KUBECONFIG environment variable pointing at a file
+	//
+	// * In-cluster config if running in cluster
+	//
+	// * $HOME/.kube/config if exists.
+	GetConfig = config.GetConfig
+
+	// NewControllerManagedBy returns a new controller builder that will be started by the provided Manager.
+	NewControllerManagedBy = builder.ControllerManagedBy
+
+	// NewManager returns a new Manager for creating Controllers.
+	// Note that if ContentType in the given config is not set, "application/vnd.kubernetes.protobuf"
+	// will be used for all built-in resources of Kubernetes, and "application/json" is for other types
+	// including all CRD resources.
+	NewManager = manager.New
+
+	// CreateOrPatch creates or patches the given object obj in the Kubernetes
+	// cluster. The object's desired state should be reconciled with the existing
+	// state using the passed in ReconcileFn. obj must be a struct pointer so that
+	// obj can be patched with the content returned by the Server.
+	//
+	// It returns the executed operation and an error.
+	CreateOrPatch = controllerutil.CreateOrPatch
+
+	// CreateOrUpdate creates or updates the given object obj in the Kubernetes
+	// cluster. The object's desired state should be reconciled with the existing
+	// state using the passed in ReconcileFn. obj must be a struct pointer so that
+	// obj can be updated with the content returned by the Server.
+	//
+	// It returns the executed operation and an error.
+	CreateOrUpdate = controllerutil.CreateOrUpdate
+
+	// SetControllerReference sets owner as a Controller OwnerReference on owned.
+	// This is used for garbage collection of the owned object and for
+	// reconciling the owner object on changes to owned (with a Watch + EnqueueRequestForOwner).
+	// Since only one OwnerReference can be a controller, it returns an error if
+	// there is another OwnerReference with Controller flag set.
+	SetControllerReference = controllerutil.SetControllerReference
+
+	// SetupSignalHandler registers for SIGTERM and SIGINT. A context is returned
+	// which is canceled on one of these signals. If a second signal is caught, the program
+	// is terminated with exit code 1.
+	SetupSignalHandler = signals.SetupSignalHandler
+
+	// Log is the base logger used by controller-runtime.  It delegates
+	// to another logr.Logger.  You *must* call SetLogger to
+	// get any actual logging.
+	Log = log.Log
+
+	// LoggerFrom returns a logger with predefined values from a context.Context.
+	// The logger, when used with controllers, can be expected to contain basic information about the object
+	// that's being reconciled like:
+	// - `reconciler group` and `reconciler kind` coming from the For(...) object passed in when building a controller.
+	// - `name` and `namespace` from the reconciliation request.
+	//
+	// This is meant to be used with the context supplied in a struct that satisfies the Reconciler interface.
+	LoggerFrom = log.FromContext
+
+	// LoggerInto takes a context and sets the logger as one of its keys.
+	//
+	// This is meant to be used in reconcilers to enrich the logger within a context with additional values.
+	LoggerInto = log.IntoContext
+
+	// SetLogger sets a concrete logging implementation for all deferred Loggers.
+	SetLogger = log.SetLogger
+)
+
+// NewWebhookManagedBy returns a new webhook builder for the provided type T.
+func NewWebhookManagedBy[T runtime.Object](mgr manager.Manager, obj T) *builder.WebhookBuilder[T] {
+	return builder.WebhookManagedBy(mgr, obj)
+}
diff --git a/vendor/sigs.k8s.io/controller-runtime/code-of-conduct.md b/vendor/sigs.k8s.io/controller-runtime/code-of-conduct.md
new file mode 100644
index 0000000000..0d15c00cf3
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/code-of-conduct.md
@@ -0,0 +1,3 @@
+# Kubernetes Community Code of Conduct
+
+Please refer to our [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md)
diff --git a/vendor/sigs.k8s.io/controller-runtime/doc.go b/vendor/sigs.k8s.io/controller-runtime/doc.go
new file mode 100644
index 0000000000..75d1d908c5
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/doc.go
@@ -0,0 +1,128 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package controllerruntime provides tools to construct Kubernetes-style
+// controllers that manipulate both Kubernetes CRDs and aggregated/built-in
+// Kubernetes APIs.
+//
+// It defines easy helpers for the common use cases when building CRDs, built
+// on top of customizable layers of abstraction.  Common cases should be easy,
+// and uncommon cases should be possible.  In general, controller-runtime tries
+// to guide users towards Kubernetes controller best-practices.
+//
+// # Getting Started
+//
+// The main entrypoint for controller-runtime is this root package, which
+// contains all of the common types needed to get started building controllers:
+//
+//	import (
+//		ctrl "sigs.k8s.io/controller-runtime"
+//	)
+//
+// The examples in this package walk through a basic controller setup.  The
+// kubebuilder book (https://book.kubebuilder.io) has some more in-depth
+// walkthroughs.
+//
+// controller-runtime favors structs with sane defaults over constructors, so
+// it's fairly common to see structs being used directly in controller-runtime.
+//
+// # Organization
+//
+// A brief-ish walkthrough of the layout of this library can be found below. Each
+// package contains more information about how to use it.
+//
+// Frequently asked questions about using controller-runtime and designing
+// controllers can be found at
+// https://github.com/kubernetes-sigs/controller-runtime/blob/main/FAQ.md.
+//
+// # Managers
+//
+// Every controller and webhook is ultimately run by a Manager (pkg/manager). A
+// manager is responsible for running controllers and webhooks, and setting up
+// common dependencies, like shared caches and clients, as
+// well as managing leader election (pkg/leaderelection).  Managers are
+// generally configured to gracefully shut down controllers on pod termination
+// by wiring up a signal handler (pkg/manager/signals).
+//
+// # Controllers
+//
+// Controllers (pkg/controller) use events (pkg/event) to eventually trigger
+// reconcile requests.  They may be constructed manually, but are often
+// constructed with a Builder (pkg/builder), which eases the wiring of event
+// sources (pkg/source), like Kubernetes API object changes, to event handlers
+// (pkg/handler), like "enqueue a reconcile request for the object owner".
+// Predicates (pkg/predicate) can be used to filter which events actually
+// trigger reconciles.  There are pre-written utilities for the common cases, and
+// interfaces and helpers for advanced cases.
+//
+// # Reconcilers
+//
+// Controller logic is implemented in terms of Reconcilers (pkg/reconcile).  A
+// Reconciler implements a function which takes a reconcile Request containing
+// the name and namespace of the object to reconcile, reconciles the object,
+// and returns a Response or an error indicating whether to requeue for a
+// second round of processing.
+//
+// # Clients and Caches
+//
+// Reconcilers use Clients (pkg/client) to access API objects.  The default
+// client provided by the manager reads from a local shared cache (pkg/cache)
+// and writes directly to the API server, but clients can be constructed that
+// only talk to the API server, without a cache.  The Cache will auto-populate
+// with watched objects, as well as when other structured objects are
+// requested. The default split client does not promise to invalidate the cache
+// during writes (nor does it promise sequential create/get coherence), and code
+// should not assume a get immediately following a create/update will return
+// the updated resource. Caches may also have indexes, which can be created via
+// a FieldIndexer (pkg/client) obtained from the manager.  Indexes can be used to
+// quickly and easily look up all objects with certain fields set.  Reconcilers
+// may retrieve event recorders (pkg/recorder) to emit events using the
+// manager.
+//
+// # Schemes
+//
+// Clients, Caches, and many other things in Kubernetes use Schemes
+// (pkg/scheme) to associate Go types to Kubernetes API Kinds
+// (Group-Version-Kinds, to be specific).
+//
+// # Webhooks
+//
+// Similarly, webhooks (pkg/webhook/admission) may be implemented directly, but
+// are often constructed using a builder (pkg/webhook/admission/builder).  They
+// are run via a server (pkg/webhook) which is managed by a Manager.
+//
+// # Logging and Metrics
+//
+// Logging (pkg/log) in controller-runtime is done via structured logs, using a
+// log set of interfaces called logr
+// (https://pkg.go.dev/github.com/go-logr/logr).  While controller-runtime
+// provides easy setup for using Zap (https://go.uber.org/zap, pkg/log/zap),
+// you can provide any implementation of logr as the base logger for
+// controller-runtime.
+//
+// Metrics (pkg/metrics) provided by controller-runtime are registered into a
+// controller-runtime-specific Prometheus metrics registry.  The manager can
+// serve these by an HTTP endpoint, and additional metrics may be registered to
+// this Registry as normal.
+//
+// # Testing
+//
+// You can easily build integration and unit tests for your controllers and
+// webhooks using the test Environment (pkg/envtest).  This will automatically
+// stand up a copy of etcd and kube-apiserver, and provide the correct options
+// to connect to the API server.  It's designed to work well with the Ginkgo
+// testing framework, but should work with any testing setup.
+package controllerruntime
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/controller.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/controller.go
new file mode 100644
index 0000000000..840e27b679
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/controller.go
@@ -0,0 +1,466 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package builder
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/go-logr/logr"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/klog/v2"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+// project represents other forms that we can use to
+// send/receive a given resource (metadata-only, unstructured, etc).
+type objectProjection int
+
+const (
+	// projectAsNormal doesn't change the object from the form given.
+	projectAsNormal objectProjection = iota
+	// projectAsMetadata turns this into a metadata-only watch.
+	projectAsMetadata
+)
+
+// Builder builds a Controller.
+type Builder = TypedBuilder[reconcile.Request]
+
+// TypedBuilder builds a Controller. The request is the request type
+// that is passed to the workqueue and then to the Reconciler.
+// The workqueue de-duplicates identical requests.
+type TypedBuilder[request comparable] struct {
+	forInput         ForInput
+	ownsInput        []OwnsInput
+	rawSources       []source.TypedSource[request]
+	watchesInput     []WatchesInput[request]
+	mgr              manager.Manager
+	globalPredicates []predicate.Predicate
+	ctrl             controller.TypedController[request]
+	ctrlOptions      controller.TypedOptions[request]
+	name             string
+	newController    func(name string, mgr manager.Manager, options controller.TypedOptions[request]) (controller.TypedController[request], error)
+}
+
+// ControllerManagedBy returns a new controller builder that will be started by the provided Manager.
+func ControllerManagedBy(m manager.Manager) *Builder {
+	return TypedControllerManagedBy[reconcile.Request](m)
+}
+
+// TypedControllerManagedBy returns a new typed controller builder that will be started by the provided Manager.
+func TypedControllerManagedBy[request comparable](m manager.Manager) *TypedBuilder[request] {
+	return &TypedBuilder[request]{mgr: m}
+}
+
+// ForInput represents the information set by the For method.
+type ForInput struct {
+	object           client.Object
+	predicates       []predicate.Predicate
+	objectProjection objectProjection
+	err              error
+}
+
+// For defines the type of Object being *reconciled*, and configures the ControllerManagedBy to respond to create / delete /
+// update events by *reconciling the object*.
+//
+// This is the equivalent of calling
+// Watches(source.Kind(cache, &Type{}, &handler.EnqueueRequestForObject{})).
+func (blder *TypedBuilder[request]) For(object client.Object, opts ...ForOption) *TypedBuilder[request] {
+	if blder.forInput.object != nil {
+		blder.forInput.err = fmt.Errorf("For(...) should only be called once, could not assign multiple objects for reconciliation")
+		return blder
+	}
+	input := ForInput{object: object}
+	for _, opt := range opts {
+		opt.ApplyToFor(&input)
+	}
+
+	blder.forInput = input
+	return blder
+}
+
+// OwnsInput represents the information set by Owns method.
+type OwnsInput struct {
+	matchEveryOwner  bool
+	object           client.Object
+	predicates       []predicate.Predicate
+	objectProjection objectProjection
+}
+
+// Owns defines types of Objects being *generated* by the ControllerManagedBy, and configures the ControllerManagedBy to respond to
+// create / delete / update events by *reconciling the owner object*.
+//
+// The default behavior reconciles only the first controller-type OwnerReference of the given type.
+// Use Owns(object, builder.MatchEveryOwner) to reconcile all owners.
+//
+// By default, this is the equivalent of calling
+// Watches(source.Kind(cache, &Type{}, handler.EnqueueRequestForOwner([...], &OwnerType{}, OnlyControllerOwner()))).
+func (blder *TypedBuilder[request]) Owns(object client.Object, opts ...OwnsOption) *TypedBuilder[request] {
+	input := OwnsInput{object: object}
+	for _, opt := range opts {
+		opt.ApplyToOwns(&input)
+	}
+
+	blder.ownsInput = append(blder.ownsInput, input)
+	return blder
+}
+
+type untypedWatchesInput interface {
+	setPredicates([]predicate.Predicate)
+	setObjectProjection(objectProjection)
+}
+
+// WatchesInput represents the information set by Watches method.
+type WatchesInput[request comparable] struct {
+	obj              client.Object
+	handler          handler.TypedEventHandler[client.Object, request]
+	predicates       []predicate.Predicate
+	objectProjection objectProjection
+}
+
+func (w *WatchesInput[request]) setPredicates(predicates []predicate.Predicate) {
+	w.predicates = predicates
+}
+
+func (w *WatchesInput[request]) setObjectProjection(objectProjection objectProjection) {
+	w.objectProjection = objectProjection
+}
+
+// Watches defines the type of Object to watch, and configures the ControllerManagedBy to respond to create / delete /
+// update events by *reconciling the object* with the given EventHandler.
+//
+// This is the equivalent of calling
+// WatchesRawSource(source.Kind(cache, object, eventHandler, predicates...)).
+func (blder *TypedBuilder[request]) Watches(
+	object client.Object,
+	eventHandler handler.TypedEventHandler[client.Object, request],
+	opts ...WatchesOption,
+) *TypedBuilder[request] {
+	input := WatchesInput[request]{
+		obj:     object,
+		handler: eventHandler,
+	}
+	for _, opt := range opts {
+		opt.ApplyToWatches(&input)
+	}
+
+	blder.watchesInput = append(blder.watchesInput, input)
+
+	return blder
+}
+
+// WatchesMetadata is the same as Watches, but forces the internal cache to only watch PartialObjectMetadata.
+//
+// This is useful when watching lots of objects, really big objects, or objects for which you only know
+// the GVK, but not the structure. You'll need to pass metav1.PartialObjectMetadata to the client
+// when fetching objects in your reconciler, otherwise you'll end up with a duplicate structured or unstructured cache.
+//
+// When watching a resource with metadata only, for example the v1.Pod, you should not Get and List using the v1.Pod type.
+// Instead, you should use the special metav1.PartialObjectMetadata type.
+//
+// � Incorrect:
+//
+//	pod := &v1.Pod{}
+//	mgr.GetClient().Get(ctx, nsAndName, pod)
+//
+// ✅ Correct:
+//
+//	pod := &metav1.PartialObjectMetadata{}
+//	pod.SetGroupVersionKind(schema.GroupVersionKind{
+//	    Group:   "",
+//	    Version: "v1",
+//	    Kind:    "Pod",
+//	})
+//	mgr.GetClient().Get(ctx, nsAndName, pod)
+//
+// In the first case, controller-runtime will create another cache for the
+// concrete type on top of the metadata cache; this increases memory
+// consumption and leads to race conditions as caches are not in sync.
+func (blder *TypedBuilder[request]) WatchesMetadata(
+	object client.Object,
+	eventHandler handler.TypedEventHandler[client.Object, request],
+	opts ...WatchesOption,
+) *TypedBuilder[request] {
+	opts = append(opts, OnlyMetadata)
+	return blder.Watches(object, eventHandler, opts...)
+}
+
+// WatchesRawSource exposes the lower-level ControllerManagedBy Watches functions through the builder.
+//
+// WatchesRawSource does not respect predicates configured through WithEventFilter.
+//
+// WatchesRawSource makes it possible to use typed handlers and predicates with `source.Kind` as well as custom source implementations.
+func (blder *TypedBuilder[request]) WatchesRawSource(src source.TypedSource[request]) *TypedBuilder[request] {
+	blder.rawSources = append(blder.rawSources, src)
+
+	return blder
+}
+
+// WithEventFilter sets the event filters, to filter which create/update/delete/generic events eventually
+// trigger reconciliations. For example, filtering on whether the resource version has changed.
+// Given predicate is added for all watched objects and thus must be able to deal with the type
+// of all watched objects.
+//
+// Defaults to the empty list.
+func (blder *TypedBuilder[request]) WithEventFilter(p predicate.Predicate) *TypedBuilder[request] {
+	blder.globalPredicates = append(blder.globalPredicates, p)
+	return blder
+}
+
+// WithOptions overrides the controller options used in doController. Defaults to empty.
+func (blder *TypedBuilder[request]) WithOptions(options controller.TypedOptions[request]) *TypedBuilder[request] {
+	blder.ctrlOptions = options
+	return blder
+}
+
+// WithLogConstructor overrides the controller options's LogConstructor.
+func (blder *TypedBuilder[request]) WithLogConstructor(logConstructor func(*request) logr.Logger) *TypedBuilder[request] {
+	blder.ctrlOptions.LogConstructor = logConstructor
+	return blder
+}
+
+// Named sets the name of the controller to the given name. The name shows up
+// in metrics, among other things, and thus should be a prometheus compatible name
+// (underscores and alphanumeric characters only).
+//
+// By default, controllers are named using the lowercase version of their kind.
+//
+// The name must be unique as it is used to identify the controller in metrics and logs.
+func (blder *TypedBuilder[request]) Named(name string) *TypedBuilder[request] {
+	blder.name = name
+	return blder
+}
+
+// Complete builds the Application Controller.
+func (blder *TypedBuilder[request]) Complete(r reconcile.TypedReconciler[request]) error {
+	_, err := blder.Build(r)
+	return err
+}
+
+// Build builds the Application Controller and returns the Controller it created.
+func (blder *TypedBuilder[request]) Build(r reconcile.TypedReconciler[request]) (controller.TypedController[request], error) {
+	if r == nil {
+		return nil, fmt.Errorf("must provide a non-nil Reconciler")
+	}
+	if blder.mgr == nil {
+		return nil, fmt.Errorf("must provide a non-nil Manager")
+	}
+	if blder.forInput.err != nil {
+		return nil, blder.forInput.err
+	}
+
+	// Set the ControllerManagedBy
+	if err := blder.doController(r); err != nil {
+		return nil, err
+	}
+
+	// Set the Watch
+	if err := blder.doWatch(); err != nil {
+		return nil, err
+	}
+
+	return blder.ctrl, nil
+}
+
+func (blder *TypedBuilder[request]) project(obj client.Object, proj objectProjection) (client.Object, error) {
+	switch proj {
+	case projectAsNormal:
+		return obj, nil
+	case projectAsMetadata:
+		metaObj := &metav1.PartialObjectMetadata{}
+		gvk, err := apiutil.GVKForObject(obj, blder.mgr.GetScheme())
+		if err != nil {
+			return nil, fmt.Errorf("unable to determine GVK of %T for a metadata-only watch: %w", obj, err)
+		}
+		metaObj.SetGroupVersionKind(gvk)
+		return metaObj, nil
+	default:
+		panic(fmt.Sprintf("unexpected projection type %v on type %T, should not be possible since this is an internal field", proj, obj))
+	}
+}
+
+func (blder *TypedBuilder[request]) doWatch() error {
+	// Reconcile type
+	if blder.forInput.object != nil {
+		obj, err := blder.project(blder.forInput.object, blder.forInput.objectProjection)
+		if err != nil {
+			return err
+		}
+
+		if reflect.TypeFor[request]() != reflect.TypeFor[reconcile.Request]() {
+			return fmt.Errorf("For() can only be used with reconcile.Request, got %T", *new(request))
+		}
+
+		var hdler handler.TypedEventHandler[client.Object, request]
+		reflect.ValueOf(&hdler).Elem().Set(reflect.ValueOf(&handler.EnqueueRequestForObject{}))
+		allPredicates := append([]predicate.Predicate(nil), blder.globalPredicates...)
+		allPredicates = append(allPredicates, blder.forInput.predicates...)
+		src := source.TypedKind(blder.mgr.GetCache(), obj, hdler, allPredicates...)
+		if err := blder.ctrl.Watch(src); err != nil {
+			return err
+		}
+	}
+
+	// Watches the managed types
+	if len(blder.ownsInput) > 0 && blder.forInput.object == nil {
+		return errors.New("Owns() can only be used together with For()")
+	}
+	for _, own := range blder.ownsInput {
+		obj, err := blder.project(own.object, own.objectProjection)
+		if err != nil {
+			return err
+		}
+		opts := []handler.OwnerOption{}
+		if !own.matchEveryOwner {
+			opts = append(opts, handler.OnlyControllerOwner())
+		}
+
+		var hdler handler.TypedEventHandler[client.Object, request]
+		reflect.ValueOf(&hdler).Elem().Set(reflect.ValueOf(handler.EnqueueRequestForOwner(
+			blder.mgr.GetScheme(), blder.mgr.GetRESTMapper(),
+			blder.forInput.object,
+			opts...,
+		)))
+		allPredicates := append([]predicate.Predicate(nil), blder.globalPredicates...)
+		allPredicates = append(allPredicates, own.predicates...)
+		src := source.TypedKind(blder.mgr.GetCache(), obj, hdler, allPredicates...)
+		if err := blder.ctrl.Watch(src); err != nil {
+			return err
+		}
+	}
+
+	// Do the watch requests
+	if len(blder.watchesInput) == 0 && blder.forInput.object == nil && len(blder.rawSources) == 0 {
+		return errors.New("there are no watches configured, controller will never get triggered. Use For(), Owns(), Watches() or WatchesRawSource() to set them up")
+	}
+	for _, w := range blder.watchesInput {
+		projected, err := blder.project(w.obj, w.objectProjection)
+		if err != nil {
+			return fmt.Errorf("failed to project for %T: %w", w.obj, err)
+		}
+		allPredicates := append([]predicate.Predicate(nil), blder.globalPredicates...)
+		allPredicates = append(allPredicates, w.predicates...)
+		if err := blder.ctrl.Watch(source.TypedKind(blder.mgr.GetCache(), projected, w.handler, allPredicates...)); err != nil {
+			return err
+		}
+	}
+	for _, src := range blder.rawSources {
+		if err := blder.ctrl.Watch(src); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (blder *TypedBuilder[request]) getControllerName(gvk schema.GroupVersionKind, hasGVK bool) (string, error) {
+	if blder.name != "" {
+		return blder.name, nil
+	}
+	if !hasGVK {
+		return "", errors.New("one of For() or Named() must be called")
+	}
+	return strings.ToLower(gvk.Kind), nil
+}
+
+func (blder *TypedBuilder[request]) doController(r reconcile.TypedReconciler[request]) error {
+	globalOpts := blder.mgr.GetControllerOptions()
+
+	ctrlOptions := blder.ctrlOptions
+	if ctrlOptions.Reconciler != nil && r != nil {
+		return errors.New("reconciler was set via WithOptions() and via Build() or Complete()")
+	}
+	if ctrlOptions.Reconciler == nil {
+		ctrlOptions.Reconciler = r
+	}
+
+	// Retrieve the GVK from the object we're reconciling
+	// to pre-populate logger information, and to optionally generate a default name.
+	var gvk schema.GroupVersionKind
+	hasGVK := blder.forInput.object != nil
+	if hasGVK {
+		var err error
+		gvk, err = apiutil.GVKForObject(blder.forInput.object, blder.mgr.GetScheme())
+		if err != nil {
+			return err
+		}
+	}
+
+	// Setup concurrency.
+	if ctrlOptions.MaxConcurrentReconciles == 0 && hasGVK {
+		groupKind := gvk.GroupKind().String()
+
+		if concurrency, ok := globalOpts.GroupKindConcurrency[groupKind]; ok && concurrency > 0 {
+			ctrlOptions.MaxConcurrentReconciles = concurrency
+		}
+	}
+
+	// Setup cache sync timeout.
+	if ctrlOptions.CacheSyncTimeout == 0 && globalOpts.CacheSyncTimeout > 0 {
+		ctrlOptions.CacheSyncTimeout = globalOpts.CacheSyncTimeout
+	}
+
+	controllerName, err := blder.getControllerName(gvk, hasGVK)
+	if err != nil {
+		return err
+	}
+
+	// Setup the logger.
+	if ctrlOptions.LogConstructor == nil {
+		log := blder.mgr.GetLogger().WithValues(
+			"controller", controllerName,
+		)
+		if hasGVK {
+			log = log.WithValues(
+				"controllerGroup", gvk.Group,
+				"controllerKind", gvk.Kind,
+			)
+		}
+
+		ctrlOptions.LogConstructor = func(in *request) logr.Logger {
+			log := log
+
+			if req, ok := any(in).(*reconcile.Request); ok && req != nil {
+				if hasGVK {
+					log = log.WithValues(gvk.Kind, klog.KRef(req.Namespace, req.Name))
+				}
+				log = log.WithValues(
+					"namespace", req.Namespace, "name", req.Name,
+				)
+			}
+			return log
+		}
+	}
+
+	if blder.newController == nil {
+		blder.newController = controller.NewTyped[request]
+	}
+
+	// Build the controller and return.
+	blder.ctrl, err = blder.newController(controllerName, blder.mgr, ctrlOptions)
+	return err
+}
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/doc.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/doc.go
new file mode 100644
index 0000000000..e4df1b709f
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/doc.go
@@ -0,0 +1,28 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package builder wraps other controller-runtime libraries and exposes simple
+// patterns for building common Controllers.
+//
+// Projects built with the builder package can trivially be rebased on top of the underlying
+// packages if the project requires more customized behavior in the future.
+package builder
+
+import (
+	logf "sigs.k8s.io/controller-runtime/pkg/internal/log"
+)
+
+var log = logf.RuntimeLog.WithName("builder")
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/options.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/options.go
new file mode 100644
index 0000000000..b907b5d020
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/options.go
@@ -0,0 +1,156 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package builder
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+)
+
+// {{{ "Functional" Option Interfaces
+
+// ForOption is some configuration that modifies options for a For request.
+type ForOption interface {
+	// ApplyToFor applies this configuration to the given for input.
+	ApplyToFor(*ForInput)
+}
+
+// OwnsOption is some configuration that modifies options for an owns request.
+type OwnsOption interface {
+	// ApplyToOwns applies this configuration to the given owns input.
+	ApplyToOwns(*OwnsInput)
+}
+
+// WatchesOption is some configuration that modifies options for a watches request.
+type WatchesOption interface {
+	// ApplyToWatches applies this configuration to the given watches options.
+	ApplyToWatches(untypedWatchesInput)
+}
+
+// }}}
+
+// {{{ Multi-Type Options
+
+// WithPredicates sets the given predicates list.
+func WithPredicates(predicates ...predicate.Predicate) Predicates {
+	return Predicates{
+		predicates: predicates,
+	}
+}
+
+// Predicates filters events before enqueuing the keys.
+type Predicates struct {
+	predicates []predicate.Predicate
+}
+
+// ApplyToFor applies this configuration to the given ForInput options.
+func (w Predicates) ApplyToFor(opts *ForInput) {
+	opts.predicates = w.predicates
+}
+
+// ApplyToOwns applies this configuration to the given OwnsInput options.
+func (w Predicates) ApplyToOwns(opts *OwnsInput) {
+	opts.predicates = w.predicates
+}
+
+// ApplyToWatches applies this configuration to the given WatchesInput options.
+func (w Predicates) ApplyToWatches(opts untypedWatchesInput) {
+	opts.setPredicates(w.predicates)
+}
+
+var _ ForOption = &Predicates{}
+var _ OwnsOption = &Predicates{}
+var _ WatchesOption = &Predicates{}
+
+// }}}
+
+// {{{ For & Owns Dual-Type options
+
+// projectAs configures the projection on the input.
+// Currently only OnlyMetadata is supported.  We might want to expand
+// this to arbitrary non-special local projections in the future.
+type projectAs objectProjection
+
+// ApplyToFor applies this configuration to the given ForInput options.
+func (p projectAs) ApplyToFor(opts *ForInput) {
+	opts.objectProjection = objectProjection(p)
+}
+
+// ApplyToOwns applies this configuration to the given OwnsInput options.
+func (p projectAs) ApplyToOwns(opts *OwnsInput) {
+	opts.objectProjection = objectProjection(p)
+}
+
+// ApplyToWatches applies this configuration to the given WatchesInput options.
+func (p projectAs) ApplyToWatches(opts untypedWatchesInput) {
+	opts.setObjectProjection(objectProjection(p))
+}
+
+var (
+	// OnlyMetadata tells the controller to *only* cache metadata, and to watch
+	// the API server in metadata-only form. This is useful when watching
+	// lots of objects, really big objects, or objects for which you only know
+	// the GVK, but not the structure. You'll need to pass
+	// metav1.PartialObjectMetadata to the client when fetching objects in your
+	// reconciler, otherwise you'll end up with a duplicate structured or
+	// unstructured cache.
+	//
+	// When watching a resource with OnlyMetadata, for example the v1.Pod, you
+	// should not Get and List using the v1.Pod type. Instead, you should use
+	// the special metav1.PartialObjectMetadata type.
+	//
+	// � Incorrect:
+	//
+	//   pod := &v1.Pod{}
+	//   mgr.GetClient().Get(ctx, nsAndName, pod)
+	//
+	// ✅ Correct:
+	//
+	//   pod := &metav1.PartialObjectMetadata{}
+	//   pod.SetGroupVersionKind(schema.GroupVersionKind{
+	//       Group:   "",
+	//       Version: "v1",
+	//       Kind:    "Pod",
+	//   })
+	//   mgr.GetClient().Get(ctx, nsAndName, pod)
+	//
+	// In the first case, controller-runtime will create another cache for the
+	// concrete type on top of the metadata cache; this increases memory
+	// consumption and leads to race conditions as caches are not in sync.
+	OnlyMetadata = projectAs(projectAsMetadata)
+
+	_ ForOption     = OnlyMetadata
+	_ OwnsOption    = OnlyMetadata
+	_ WatchesOption = OnlyMetadata
+)
+
+// }}}
+
+// MatchEveryOwner determines whether the watch should be filtered based on
+// controller ownership. As in, when the OwnerReference.Controller field is set.
+//
+// If passed as an option,
+// the handler receives notification for every owner of the object with the given type.
+// If unset (default), the handler receives notification only for the first
+// OwnerReference with `Controller: true`.
+var MatchEveryOwner = &matchEveryOwner{}
+
+type matchEveryOwner struct{}
+
+// ApplyToOwns applies this configuration to the given OwnsInput options.
+func (o matchEveryOwner) ApplyToOwns(opts *OwnsInput) {
+	opts.matchEveryOwner = true
+}
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go
new file mode 100644
index 0000000000..d9c57c5e8b
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go
@@ -0,0 +1,386 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package builder
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"net/url"
+	"regexp"
+	"strings"
+
+	"github.com/go-logr/logr"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/rest"
+	"k8s.io/klog/v2"
+
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/conversion"
+)
+
+// WebhookBuilder builds a Webhook.
+type WebhookBuilder[T runtime.Object] struct {
+	apiType                   runtime.Object
+	customDefaulter           admission.CustomDefaulter //nolint:staticcheck
+	defaulter                 admission.Defaulter[T]
+	customDefaulterOpts       []admission.DefaulterOption
+	customValidator           admission.CustomValidator //nolint:staticcheck
+	validator                 admission.Validator[T]
+	customPath                string
+	customValidatorCustomPath string
+	customDefaulterCustomPath string
+	converterConstructor      func(*runtime.Scheme) (conversion.Converter, error)
+	gvk                       schema.GroupVersionKind
+	mgr                       manager.Manager
+	config                    *rest.Config
+	recoverPanic              *bool
+	logConstructor            func(base logr.Logger, req *admission.Request) logr.Logger
+	contextFunc               func(context.Context, *http.Request) context.Context
+	err                       error
+}
+
+// WebhookManagedBy returns a new webhook builder.
+func WebhookManagedBy[T runtime.Object](m manager.Manager, object T) *WebhookBuilder[T] {
+	return &WebhookBuilder[T]{mgr: m, apiType: object}
+}
+
+// WithCustomDefaulter takes an admission.CustomDefaulter interface, a MutatingWebhook with the provided opts (admission.DefaulterOption)
+// will be wired for this type.
+//
+// Deprecated: Use WithDefaulter instead.
+func (blder *WebhookBuilder[T]) WithCustomDefaulter(defaulter admission.CustomDefaulter, opts ...admission.DefaulterOption) *WebhookBuilder[T] {
+	blder.customDefaulter = defaulter
+	blder.customDefaulterOpts = opts
+	return blder
+}
+
+// WithDefaulter sets up the provided admission.Defaulter in a defaulting webhook.
+func (blder *WebhookBuilder[T]) WithDefaulter(defaulter admission.Defaulter[T], opts ...admission.DefaulterOption) *WebhookBuilder[T] {
+	blder.defaulter = defaulter
+	blder.customDefaulterOpts = opts
+	return blder
+}
+
+// WithCustomValidator takes a admission.CustomValidator interface, a ValidatingWebhook will be wired for this type.
+//
+// Deprecated: Use WithValidator instead.
+func (blder *WebhookBuilder[T]) WithCustomValidator(validator admission.CustomValidator) *WebhookBuilder[T] {
+	blder.customValidator = validator
+	return blder
+}
+
+// WithValidator sets up the provided admission.Validator in a validating webhook.
+func (blder *WebhookBuilder[T]) WithValidator(validator admission.Validator[T]) *WebhookBuilder[T] {
+	blder.validator = validator
+	return blder
+}
+
+// WithConverter takes a func that constructs a converter.Converter.
+// The Converter will then be used by the conversion endpoint for the type passed into NewWebhookManagedBy()
+func (blder *WebhookBuilder[T]) WithConverter(converterConstructor func(*runtime.Scheme) (conversion.Converter, error)) *WebhookBuilder[T] {
+	blder.converterConstructor = converterConstructor
+	return blder
+}
+
+// WithLogConstructor overrides the webhook's LogConstructor.
+func (blder *WebhookBuilder[T]) WithLogConstructor(logConstructor func(base logr.Logger, req *admission.Request) logr.Logger) *WebhookBuilder[T] {
+	blder.logConstructor = logConstructor
+	return blder
+}
+
+// WithContextFunc overrides the webhook's WithContextFunc.
+func (blder *WebhookBuilder[T]) WithContextFunc(contextFunc func(context.Context, *http.Request) context.Context) *WebhookBuilder[T] {
+	blder.contextFunc = contextFunc
+	return blder
+}
+
+// RecoverPanic indicates whether panics caused by the webhook should be recovered.
+// Defaults to true.
+func (blder *WebhookBuilder[T]) RecoverPanic(recoverPanic bool) *WebhookBuilder[T] {
+	blder.recoverPanic = &recoverPanic
+	return blder
+}
+
+// WithCustomPath overrides the webhook's default path by the customPath
+//
+// Deprecated: WithCustomPath should not be used anymore.
+// Please use WithValidatorCustomPath or WithDefaulterCustomPath instead.
+func (blder *WebhookBuilder[T]) WithCustomPath(customPath string) *WebhookBuilder[T] {
+	blder.customPath = customPath
+	return blder
+}
+
+// WithValidatorCustomPath overrides the path of the Validator.
+func (blder *WebhookBuilder[T]) WithValidatorCustomPath(customPath string) *WebhookBuilder[T] {
+	blder.customValidatorCustomPath = customPath
+	return blder
+}
+
+// WithDefaulterCustomPath overrides the path of the Defaulter.
+func (blder *WebhookBuilder[T]) WithDefaulterCustomPath(customPath string) *WebhookBuilder[T] {
+	blder.customDefaulterCustomPath = customPath
+	return blder
+}
+
+// Complete builds the webhook.
+func (blder *WebhookBuilder[T]) Complete() error {
+	// Set the Config
+	blder.loadRestConfig()
+
+	// Configure the default LogConstructor
+	blder.setLogConstructor()
+
+	// Set the Webhook if needed
+	return blder.registerWebhooks()
+}
+
+func (blder *WebhookBuilder[T]) loadRestConfig() {
+	if blder.config == nil {
+		blder.config = blder.mgr.GetConfig()
+	}
+}
+
+func (blder *WebhookBuilder[T]) setLogConstructor() {
+	if blder.logConstructor == nil {
+		blder.logConstructor = func(base logr.Logger, req *admission.Request) logr.Logger {
+			log := base.WithValues(
+				"webhookGroup", blder.gvk.Group,
+				"webhookKind", blder.gvk.Kind,
+			)
+			if req != nil {
+				return log.WithValues(
+					blder.gvk.Kind, klog.KRef(req.Namespace, req.Name),
+					"namespace", req.Namespace, "name", req.Name,
+					"resource", req.Resource, "user", req.UserInfo.Username,
+					"requestID", req.UID,
+				)
+			}
+			return log
+		}
+	}
+}
+
+func (blder *WebhookBuilder[T]) isThereCustomPathConflict() bool {
+	return (blder.customPath != "" && blder.customDefaulter != nil && blder.customValidator != nil) || (blder.customPath != "" && blder.customDefaulterCustomPath != "") || (blder.customPath != "" && blder.customValidatorCustomPath != "")
+}
+
+func (blder *WebhookBuilder[T]) registerWebhooks() error {
+	typ, err := blder.getType()
+	if err != nil {
+		return err
+	}
+
+	blder.gvk, err = apiutil.GVKForObject(typ, blder.mgr.GetScheme())
+	if err != nil {
+		return err
+	}
+
+	if blder.isThereCustomPathConflict() {
+		return errors.New("only one of CustomDefaulter or CustomValidator should be set when using WithCustomPath. Otherwise, WithDefaulterCustomPath() and WithValidatorCustomPath() should be used")
+	}
+	if blder.customPath != "" {
+		// isThereCustomPathConflict() already checks for potential conflicts.
+		// Since we are sure that only one of customDefaulter or customValidator will be used,
+		// we can set both customDefaulterCustomPath and validatingCustomPath.
+		blder.customDefaulterCustomPath = blder.customPath
+		blder.customValidatorCustomPath = blder.customPath
+	}
+
+	// Register webhook(s) for type
+	err = blder.registerDefaultingWebhook()
+	if err != nil {
+		return err
+	}
+
+	err = blder.registerValidatingWebhook()
+	if err != nil {
+		return err
+	}
+
+	err = blder.registerConversionWebhook()
+	if err != nil {
+		return err
+	}
+	return blder.err
+}
+
+// registerDefaultingWebhook registers a defaulting webhook if necessary.
+func (blder *WebhookBuilder[T]) registerDefaultingWebhook() error {
+	mwh, err := blder.getDefaultingWebhook()
+	if err != nil {
+		return err
+	}
+	if mwh != nil {
+		mwh.LogConstructor = blder.logConstructor
+		mwh.WithContextFunc = blder.contextFunc
+		path := generateMutatePath(blder.gvk)
+		if blder.customDefaulterCustomPath != "" {
+			generatedCustomPath, err := generateCustomPath(blder.customDefaulterCustomPath)
+			if err != nil {
+				return err
+			}
+			path = generatedCustomPath
+		}
+
+		// Checking if the path is already registered.
+		// If so, just skip it.
+		if !blder.isAlreadyHandled(path) {
+			log.Info("Registering a mutating webhook",
+				"GVK", blder.gvk,
+				"path", path)
+			blder.mgr.GetWebhookServer().Register(path, mwh)
+		}
+	}
+
+	return nil
+}
+
+func (blder *WebhookBuilder[T]) getDefaultingWebhook() (*admission.Webhook, error) {
+	var w *admission.Webhook
+	if blder.defaulter != nil {
+		if blder.customDefaulter != nil {
+			return nil, errors.New("only one of Defaulter or CustomDefaulter can be set")
+		}
+		w = admission.WithDefaulter(blder.mgr.GetScheme(), blder.defaulter, blder.customDefaulterOpts...)
+	} else if blder.customDefaulter != nil {
+		w = admission.WithCustomDefaulter(blder.mgr.GetScheme(), blder.apiType, blder.customDefaulter, blder.customDefaulterOpts...)
+	}
+	if w != nil && blder.recoverPanic != nil {
+		w = w.WithRecoverPanic(*blder.recoverPanic)
+	}
+	return w, nil
+}
+
+// registerValidatingWebhook registers a validating webhook if necessary.
+func (blder *WebhookBuilder[T]) registerValidatingWebhook() error {
+	vwh, err := blder.getValidatingWebhook()
+	if err != nil {
+		return err
+	}
+	if vwh != nil {
+		vwh.LogConstructor = blder.logConstructor
+		vwh.WithContextFunc = blder.contextFunc
+		path := generateValidatePath(blder.gvk)
+		if blder.customValidatorCustomPath != "" {
+			generatedCustomPath, err := generateCustomPath(blder.customValidatorCustomPath)
+			if err != nil {
+				return err
+			}
+			path = generatedCustomPath
+		}
+
+		// Checking if the path is already registered.
+		// If so, just skip it.
+		if !blder.isAlreadyHandled(path) {
+			log.Info("Registering a validating webhook",
+				"GVK", blder.gvk,
+				"path", path)
+			blder.mgr.GetWebhookServer().Register(path, vwh)
+		}
+	}
+
+	return nil
+}
+
+func (blder *WebhookBuilder[T]) getValidatingWebhook() (*admission.Webhook, error) {
+	var w *admission.Webhook
+	if blder.validator != nil {
+		if blder.customValidator != nil {
+			return nil, errors.New("only one of Validator or CustomValidator can be set")
+		}
+		w = admission.WithValidator(blder.mgr.GetScheme(), blder.validator)
+	} else if blder.customValidator != nil {
+		//nolint:staticcheck
+		w = admission.WithCustomValidator(blder.mgr.GetScheme(), blder.apiType, blder.customValidator)
+	}
+	if w != nil && blder.recoverPanic != nil {
+		w = w.WithRecoverPanic(*blder.recoverPanic)
+	}
+	return w, nil
+}
+
+func (blder *WebhookBuilder[T]) registerConversionWebhook() error {
+	if blder.converterConstructor != nil {
+		converter, err := blder.converterConstructor(blder.mgr.GetScheme())
+		if err != nil {
+			return err
+		}
+
+		if err := blder.mgr.GetConverterRegistry().RegisterConverter(blder.gvk.GroupKind(), converter); err != nil {
+			return err
+		}
+	} else {
+		ok, err := conversion.IsConvertible(blder.mgr.GetScheme(), blder.apiType)
+		if err != nil {
+			log.Error(err, "conversion check failed", "GVK", blder.gvk)
+			return err
+		}
+		if !ok {
+			return nil
+		}
+	}
+
+	if !blder.isAlreadyHandled("/convert") {
+		blder.mgr.GetWebhookServer().Register("/convert", conversion.NewWebhookHandler(blder.mgr.GetScheme(), blder.mgr.GetConverterRegistry()))
+	}
+	log.Info("Conversion webhook enabled", "GVK", blder.gvk)
+
+	return nil
+}
+
+func (blder *WebhookBuilder[T]) getType() (runtime.Object, error) {
+	if blder.apiType != nil {
+		return blder.apiType, nil
+	}
+	return nil, errors.New("NewWebhookManagedBy() must be called with a valid object")
+}
+
+func (blder *WebhookBuilder[T]) isAlreadyHandled(path string) bool {
+	if blder.mgr.GetWebhookServer().WebhookMux() == nil {
+		return false
+	}
+	h, p := blder.mgr.GetWebhookServer().WebhookMux().Handler(&http.Request{URL: &url.URL{Path: path}})
+	if p == path && h != nil {
+		return true
+	}
+	return false
+}
+
+func generateMutatePath(gvk schema.GroupVersionKind) string {
+	return "/mutate-" + strings.ReplaceAll(gvk.Group, ".", "-") + "-" +
+		gvk.Version + "-" + strings.ToLower(gvk.Kind)
+}
+
+func generateValidatePath(gvk schema.GroupVersionKind) string {
+	return "/validate-" + strings.ReplaceAll(gvk.Group, ".", "-") + "-" +
+		gvk.Version + "-" + strings.ToLower(gvk.Kind)
+}
+
+const webhookPathStringValidation = `^((/[a-zA-Z0-9-_]+)+|/)$`
+
+var validWebhookPathRegex = regexp.MustCompile(webhookPathStringValidation)
+
+func generateCustomPath(customPath string) (string, error) {
+	if !validWebhookPathRegex.MatchString(customPath) {
+		return "", errors.New("customPath \"" + customPath + "\" does not match this regex: " + webhookPathStringValidation)
+	}
+	return customPath, nil
+}
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go
new file mode 100644
index 0000000000..0f12b934ee
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go
@@ -0,0 +1,534 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllerutil
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"slices"
+
+	"k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/utils/ptr"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
+)
+
+// AlreadyOwnedError is an error returned if the object you are trying to assign
+// a controller reference is already owned by another controller Object is the
+// subject and Owner is the reference for the current owner.
+type AlreadyOwnedError struct {
+	Object metav1.Object
+	Owner  metav1.OwnerReference
+}
+
+func (e *AlreadyOwnedError) Error() string {
+	return fmt.Sprintf("Object %s/%s is already owned by another %s controller %s", e.Object.GetNamespace(), e.Object.GetName(), e.Owner.Kind, e.Owner.Name)
+}
+
+func newAlreadyOwnedError(obj metav1.Object, owner metav1.OwnerReference) *AlreadyOwnedError {
+	return &AlreadyOwnedError{
+		Object: obj,
+		Owner:  owner,
+	}
+}
+
+// OwnerReferenceOption is a function that can modify a `metav1.OwnerReference`.
+type OwnerReferenceOption func(*metav1.OwnerReference)
+
+// WithBlockOwnerDeletion allows configuring the BlockOwnerDeletion field on the `metav1.OwnerReference`.
+func WithBlockOwnerDeletion(blockOwnerDeletion bool) OwnerReferenceOption {
+	return func(ref *metav1.OwnerReference) {
+		ref.BlockOwnerDeletion = &blockOwnerDeletion
+	}
+}
+
+// SetControllerReference sets owner as a Controller OwnerReference on controlled.
+// This is used for garbage collection of the controlled object and for
+// reconciling the owner object on changes to controlled (with a Watch + EnqueueRequestForOwner).
+// Since only one OwnerReference can be a controller, it returns an error if
+// there is another OwnerReference with Controller flag set.
+func SetControllerReference(owner, controlled metav1.Object, scheme *runtime.Scheme, opts ...OwnerReferenceOption) error {
+	// Validate the owner.
+	ro, ok := owner.(runtime.Object)
+	if !ok {
+		return fmt.Errorf("%T is not a runtime.Object, cannot call SetControllerReference", owner)
+	}
+	if err := validateOwner(owner, controlled); err != nil {
+		return err
+	}
+
+	// Create a new controller ref.
+	gvk, err := apiutil.GVKForObject(ro, scheme)
+	if err != nil {
+		return err
+	}
+	ref := metav1.OwnerReference{
+		APIVersion:         gvk.GroupVersion().String(),
+		Kind:               gvk.Kind,
+		Name:               owner.GetName(),
+		UID:                owner.GetUID(),
+		BlockOwnerDeletion: ptr.To(true),
+		Controller:         ptr.To(true),
+	}
+	for _, opt := range opts {
+		opt(&ref)
+	}
+
+	// Return early with an error if the object is already controlled.
+	if existing := metav1.GetControllerOf(controlled); existing != nil && !referSameObject(*existing, ref) {
+		return newAlreadyOwnedError(controlled, *existing)
+	}
+
+	// Update owner references and return.
+	upsertOwnerRef(ref, controlled)
+	return nil
+}
+
+// SetOwnerReference is a helper method to make sure the given object contains an object reference to the object provided.
+// This allows you to declare that owner has a dependency on the object without specifying it as a controller.
+// If a reference to the same object already exists, it'll be overwritten with the newly provided version.
+func SetOwnerReference(owner, object metav1.Object, scheme *runtime.Scheme, opts ...OwnerReferenceOption) error {
+	// Validate the owner.
+	ro, ok := owner.(runtime.Object)
+	if !ok {
+		return fmt.Errorf("%T is not a runtime.Object, cannot call SetOwnerReference", owner)
+	}
+	if err := validateOwner(owner, object); err != nil {
+		return err
+	}
+
+	// Create a new owner ref.
+	gvk, err := apiutil.GVKForObject(ro, scheme)
+	if err != nil {
+		return err
+	}
+	ref := metav1.OwnerReference{
+		APIVersion: gvk.GroupVersion().String(),
+		Kind:       gvk.Kind,
+		UID:        owner.GetUID(),
+		Name:       owner.GetName(),
+	}
+	for _, opt := range opts {
+		opt(&ref)
+	}
+
+	// Update owner references and return.
+	upsertOwnerRef(ref, object)
+	return nil
+}
+
+// RemoveOwnerReference is a helper method to make sure the given object removes an owner reference to the object provided.
+// This allows you to remove the owner to establish a new owner of the object in a subsequent call.
+func RemoveOwnerReference(owner, object metav1.Object, scheme *runtime.Scheme) error {
+	owners := object.GetOwnerReferences()
+	length := len(owners)
+	if length < 1 {
+		return fmt.Errorf("%T does not have any owner references", object)
+	}
+	ro, ok := owner.(runtime.Object)
+	if !ok {
+		return fmt.Errorf("%T is not a runtime.Object, cannot call RemoveOwnerReference", owner)
+	}
+	gvk, err := apiutil.GVKForObject(ro, scheme)
+	if err != nil {
+		return err
+	}
+
+	index := indexOwnerRef(owners, metav1.OwnerReference{
+		APIVersion: gvk.GroupVersion().String(),
+		Name:       owner.GetName(),
+		Kind:       gvk.Kind,
+	})
+	if index == -1 {
+		return fmt.Errorf("%T does not have an owner reference for %T", object, owner)
+	}
+
+	owners = append(owners[:index], owners[index+1:]...)
+	object.SetOwnerReferences(owners)
+	return nil
+}
+
+// HasControllerReference returns true if the object
+// has an owner ref with controller equal to true
+func HasControllerReference(object metav1.Object) bool {
+	owners := object.GetOwnerReferences()
+	for _, owner := range owners {
+		isTrue := owner.Controller
+		if owner.Controller != nil && *isTrue {
+			return true
+		}
+	}
+	return false
+}
+
+// HasOwnerReference returns true if the owners list contains an owner reference
+// that matches the object's group, kind, and name.
+func HasOwnerReference(ownerRefs []metav1.OwnerReference, obj client.Object, scheme *runtime.Scheme) (bool, error) {
+	gvk, err := apiutil.GVKForObject(obj, scheme)
+	if err != nil {
+		return false, err
+	}
+	idx := indexOwnerRef(ownerRefs, metav1.OwnerReference{
+		APIVersion: gvk.GroupVersion().String(),
+		Name:       obj.GetName(),
+		Kind:       gvk.Kind,
+	})
+	return idx != -1, nil
+}
+
+// RemoveControllerReference removes an owner reference where the controller
+// equals true
+func RemoveControllerReference(owner, object metav1.Object, scheme *runtime.Scheme) error {
+	if ok := HasControllerReference(object); !ok {
+		return fmt.Errorf("%T does not have a owner reference with controller equals true", object)
+	}
+	ro, ok := owner.(runtime.Object)
+	if !ok {
+		return fmt.Errorf("%T is not a runtime.Object, cannot call RemoveControllerReference", owner)
+	}
+	gvk, err := apiutil.GVKForObject(ro, scheme)
+	if err != nil {
+		return err
+	}
+	ownerRefs := object.GetOwnerReferences()
+	index := indexOwnerRef(ownerRefs, metav1.OwnerReference{
+		APIVersion: gvk.GroupVersion().String(),
+		Name:       owner.GetName(),
+		Kind:       gvk.Kind,
+	})
+
+	if index == -1 {
+		return fmt.Errorf("%T does not have an controller reference for %T", object, owner)
+	}
+
+	if ownerRefs[index].Controller == nil || !*ownerRefs[index].Controller {
+		return fmt.Errorf("%T owner is not the controller reference for %T", owner, object)
+	}
+
+	ownerRefs = append(ownerRefs[:index], ownerRefs[index+1:]...)
+	object.SetOwnerReferences(ownerRefs)
+	return nil
+}
+
+func upsertOwnerRef(ref metav1.OwnerReference, object metav1.Object) {
+	owners := object.GetOwnerReferences()
+	if idx := indexOwnerRef(owners, ref); idx == -1 {
+		owners = append(owners, ref)
+	} else {
+		owners[idx] = ref
+	}
+	object.SetOwnerReferences(owners)
+}
+
+// indexOwnerRef returns the index of the owner reference in the slice if found, or -1.
+func indexOwnerRef(ownerReferences []metav1.OwnerReference, ref metav1.OwnerReference) int {
+	for index, r := range ownerReferences {
+		if referSameObject(r, ref) {
+			return index
+		}
+	}
+	return -1
+}
+
+func validateOwner(owner, object metav1.Object) error {
+	ownerNs := owner.GetNamespace()
+	if ownerNs != "" {
+		objNs := object.GetNamespace()
+		if objNs == "" {
+			return fmt.Errorf("cluster-scoped resource must not have a namespace-scoped owner, owner's namespace %s", ownerNs)
+		}
+		if ownerNs != objNs {
+			return fmt.Errorf("cross-namespace owner references are disallowed, owner's namespace %s, obj's namespace %s", owner.GetNamespace(), object.GetNamespace())
+		}
+	}
+	return nil
+}
+
+// Returns true if a and b point to the same object.
+func referSameObject(a, b metav1.OwnerReference) bool {
+	aGV, err := schema.ParseGroupVersion(a.APIVersion)
+	if err != nil {
+		return false
+	}
+
+	bGV, err := schema.ParseGroupVersion(b.APIVersion)
+	if err != nil {
+		return false
+	}
+	return aGV.Group == bGV.Group && a.Kind == b.Kind && a.Name == b.Name
+}
+
+// OperationResult is the action result of a CreateOrUpdate or CreateOrPatch call.
+type OperationResult string
+
+const ( // They should complete the sentence "Deployment default/foo has been ..."
+	// OperationResultNone means that the resource has not been changed.
+	OperationResultNone OperationResult = "unchanged"
+	// OperationResultCreated means that a new resource is created.
+	OperationResultCreated OperationResult = "created"
+	// OperationResultUpdated means that an existing resource is updated.
+	OperationResultUpdated OperationResult = "updated"
+	// OperationResultUpdatedStatus means that an existing resource and its status is updated.
+	OperationResultUpdatedStatus OperationResult = "updatedStatus"
+	// OperationResultUpdatedStatusOnly means that only an existing status is updated.
+	OperationResultUpdatedStatusOnly OperationResult = "updatedStatusOnly"
+)
+
+// CreateOrUpdate attempts to fetch the given object from the Kubernetes cluster.
+// If the object didn't exist, MutateFn will be called, and it will be created.
+// If the object did exist, MutateFn will be called, and if it changed the
+// object, it will be updated.
+// Otherwise, it will be left unchanged.
+// The executed operation (and an error) will be returned.
+//
+// WARNING: If the MutateFn resets a value on obj that has a default value,
+// CreateOrUpdate will *always* perform an update. This is because when the
+// object is fetched from the API server, the value will have taken on the
+// default value, and the check for equality will fail. For example, Deployments
+// must have a Replicas value set. If the MutateFn sets a Deployment's Replicas
+// to nil, then it will never match with the object returned from the API
+// server, which defaults the value to 1.
+//
+// WARNING: CreateOrUpdate assumes that no values have been set on obj aside
+// from the Name/Namespace. Values other than Name and Namespace that existed on
+// obj may be overwritten by the corresponding values in the object returned
+// from the Kubernetes API server. When this happens, the Update will not work
+// as expected.
+//
+// Note: changes made by MutateFn to any sub-resource (status...), will be
+// discarded.
+func CreateOrUpdate(ctx context.Context, c client.Client, obj client.Object, f MutateFn) (OperationResult, error) {
+	key := client.ObjectKeyFromObject(obj)
+	if err := c.Get(ctx, key, obj); err != nil {
+		if !apierrors.IsNotFound(err) {
+			return OperationResultNone, err
+		}
+		if f != nil {
+			if err := mutate(f, key, obj); err != nil {
+				return OperationResultNone, err
+			}
+		}
+
+		if err := c.Create(ctx, obj); err != nil {
+			return OperationResultNone, err
+		}
+		return OperationResultCreated, nil
+	}
+
+	existing := obj.DeepCopyObject()
+	if f != nil {
+		if err := mutate(f, key, obj); err != nil {
+			return OperationResultNone, err
+		}
+	}
+
+	if equality.Semantic.DeepEqual(existing, obj) {
+		return OperationResultNone, nil
+	}
+
+	if err := c.Update(ctx, obj); err != nil {
+		return OperationResultNone, err
+	}
+	return OperationResultUpdated, nil
+}
+
+// CreateOrPatch attempts to fetch the given object from the Kubernetes cluster.
+// If the object didn't exist, MutateFn will be called, and it will be created.
+// If the object did exist, MutateFn will be called, and if it changed the
+// object, it will be patched.
+// Otherwise, it will be left unchanged.
+// The executed operation (and an error) will be returned.
+//
+// WARNING: If the MutateFn resets a value on obj that has a default value,
+// CreateOrPatch will *always* perform a patch. This is because when the
+// object is fetched from the API server, the value will have taken on the
+// default value, and the check for equality will fail.
+// For example, Deployments must have a Replicas value set. If the MutateFn sets
+// a Deployment's Replicas to nil, then it will never match with the object
+// returned from the API server, which defaults the value to 1.
+//
+// WARNING: CreateOrPatch assumes that no values have been set on obj aside
+// from the Name/Namespace. Values other than Name and Namespace that existed on
+// obj may be overwritten by the corresponding values in the object returned
+// from the Kubernetes API server. When this happens, the Patch will not work
+// as expected.
+//
+// Note: changes to any sub-resource other than status will be ignored.
+// Changes to the status sub-resource will only be applied if the object
+// already exist. To change the status on object creation, the easiest
+// way is to requeue the object in the controller if OperationResult is
+// OperationResultCreated
+func CreateOrPatch(ctx context.Context, c client.Client, obj client.Object, f MutateFn) (OperationResult, error) {
+	key := client.ObjectKeyFromObject(obj)
+	if err := c.Get(ctx, key, obj); err != nil {
+		if !apierrors.IsNotFound(err) {
+			return OperationResultNone, err
+		}
+		if f != nil {
+			if err := mutate(f, key, obj); err != nil {
+				return OperationResultNone, err
+			}
+		}
+		if err := c.Create(ctx, obj); err != nil {
+			return OperationResultNone, err
+		}
+		return OperationResultCreated, nil
+	}
+
+	// Create patches for the object and its possible status.
+	objPatch := client.MergeFrom(obj.DeepCopyObject().(client.Object))
+	statusPatch := client.MergeFrom(obj.DeepCopyObject().(client.Object))
+
+	// Create a copy of the original object as well as converting that copy to
+	// unstructured data.
+	before, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj.DeepCopyObject())
+	if err != nil {
+		return OperationResultNone, err
+	}
+
+	// Attempt to extract the status from the resource for easier comparison later
+	beforeStatus, hasBeforeStatus, err := unstructured.NestedFieldCopy(before, "status")
+	if err != nil {
+		return OperationResultNone, err
+	}
+
+	// If the resource contains a status then remove it from the unstructured
+	// copy to avoid unnecessary patching later.
+	if hasBeforeStatus {
+		unstructured.RemoveNestedField(before, "status")
+	}
+
+	// Mutate the original object.
+	if f != nil {
+		if err := mutate(f, key, obj); err != nil {
+			return OperationResultNone, err
+		}
+	}
+
+	// Convert the resource to unstructured to compare against our before copy.
+	after, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
+	if err != nil {
+		return OperationResultNone, err
+	}
+
+	// Attempt to extract the status from the resource for easier comparison later
+	afterStatus, hasAfterStatus, err := unstructured.NestedFieldCopy(after, "status")
+	if err != nil {
+		return OperationResultNone, err
+	}
+
+	// If the resource contains a status then remove it from the unstructured
+	// copy to avoid unnecessary patching later.
+	if hasAfterStatus {
+		unstructured.RemoveNestedField(after, "status")
+	}
+
+	result := OperationResultNone
+
+	if !reflect.DeepEqual(before, after) {
+		// Only issue a Patch if the before and after resources (minus status) differ
+		if err := c.Patch(ctx, obj, objPatch); err != nil {
+			return result, err
+		}
+		result = OperationResultUpdated
+	}
+
+	if (hasBeforeStatus || hasAfterStatus) && !reflect.DeepEqual(beforeStatus, afterStatus) {
+		// Only issue a Status Patch if the resource has a status and the beforeStatus
+		// and afterStatus copies differ
+		if result == OperationResultUpdated {
+			// If Status was replaced by Patch before, set it to afterStatus
+			objectAfterPatch, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
+			if err != nil {
+				return result, err
+			}
+			if err = unstructured.SetNestedField(objectAfterPatch, afterStatus, "status"); err != nil {
+				return result, err
+			}
+			// If Status was replaced by Patch before, restore patched structure to the obj
+			if err = runtime.DefaultUnstructuredConverter.FromUnstructured(objectAfterPatch, obj); err != nil {
+				return result, err
+			}
+		}
+		if err := c.Status().Patch(ctx, obj, statusPatch); err != nil {
+			return result, err
+		}
+		if result == OperationResultUpdated {
+			result = OperationResultUpdatedStatus
+		} else {
+			result = OperationResultUpdatedStatusOnly
+		}
+	}
+
+	return result, nil
+}
+
+// mutate wraps a MutateFn and applies validation to its result.
+func mutate(f MutateFn, key client.ObjectKey, obj client.Object) error {
+	if err := f(); err != nil {
+		return err
+	}
+	if newKey := client.ObjectKeyFromObject(obj); key != newKey {
+		return fmt.Errorf("MutateFn cannot mutate object name and/or object namespace")
+	}
+	return nil
+}
+
+// MutateFn is a function which mutates the existing object into its desired state.
+type MutateFn func() error
+
+// AddFinalizer accepts an Object and adds the provided finalizer if not present.
+// It returns an indication of whether it updated the object's list of finalizers.
+func AddFinalizer(o client.Object, finalizer string) (finalizersUpdated bool) {
+	f := o.GetFinalizers()
+	if slices.Contains(f, finalizer) {
+		return false
+	}
+	o.SetFinalizers(append(f, finalizer))
+	return true
+}
+
+// RemoveFinalizer accepts an Object and removes the provided finalizer if present.
+// It returns an indication of whether it updated the object's list of finalizers.
+func RemoveFinalizer(o client.Object, finalizer string) (finalizersUpdated bool) {
+	f := o.GetFinalizers()
+	length := len(f)
+
+	index := 0
+	for i := range length {
+		if f[i] == finalizer {
+			continue
+		}
+		f[index] = f[i]
+		index++
+	}
+	o.SetFinalizers(f[:index])
+	return length != index
+}
+
+// ContainsFinalizer checks an Object that the provided finalizer is present.
+func ContainsFinalizer(o client.Object, finalizer string) bool {
+	f := o.GetFinalizers()
+	return slices.Contains(f, finalizer)
+}
diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/doc.go b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/doc.go
new file mode 100644
index 0000000000..ab386b29cd
--- /dev/null
+++ b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package controllerutil contains utility functions for working with and implementing Controllers.
+*/
+package controllerutil
diff --git a/vendor/sigs.k8s.io/kustomize/api/LICENSE b/vendor/sigs.k8s.io/kustomize/api/LICENSE
new file mode 100644
index 0000000000..8dada3edaf
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/annotations/annotations.go b/vendor/sigs.k8s.io/kustomize/api/filters/annotations/annotations.go
new file mode 100644
index 0000000000..4998f5a3e7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/annotations/annotations.go
@@ -0,0 +1,52 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package annotations
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/filters/fsslice"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type annoMap map[string]string
+
+type Filter struct {
+	// Annotations is the set of annotations to apply to the inputs
+	Annotations annoMap `yaml:"annotations,omitempty"`
+
+	// FsSlice contains the FieldSpecs to locate the namespace field
+	FsSlice types.FsSlice
+
+	trackableSetter filtersutil.TrackableSetter
+}
+
+var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	keys := yaml.SortedMapKeys(f.Annotations)
+	_, err := kio.FilterAll(yaml.FilterFunc(
+		func(node *yaml.RNode) (*yaml.RNode, error) {
+			for _, k := range keys {
+				if err := node.PipeE(fsslice.Filter{
+					FsSlice: f.FsSlice,
+					SetValue: f.trackableSetter.SetEntry(
+						k, f.Annotations[k], yaml.NodeTagString),
+					CreateKind: yaml.MappingNode, // Annotations are MappingNodes.
+					CreateTag:  yaml.NodeTagMap,
+				}); err != nil {
+					return nil, err
+				}
+			}
+			return node, nil
+		})).Filter(nodes)
+	return nodes, err
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/annotations/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/annotations/doc.go
new file mode 100644
index 0000000000..b1f6a0b66e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/annotations/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package annotations contains a kio.Filter implementation of the kustomize
+// annotations transformer.
+package annotations
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/doc.go
new file mode 100644
index 0000000000..6f643630a5
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package fieldspec contains a yaml.Filter to modify a resource
+// that matches the FieldSpec.
+package fieldspec
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/fieldspec.go b/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/fieldspec.go
new file mode 100644
index 0000000000..8e4e78ca6e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/fieldspec.go
@@ -0,0 +1,182 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package fieldspec
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/utils"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+var _ yaml.Filter = Filter{}
+
+// Filter possibly mutates its object argument using a FieldSpec.
+// If the object matches the FieldSpec, and the node found
+// by following the fieldSpec's path is non-null, this filter calls
+// the setValue function on the node at the end of the path.
+// If any part of the path doesn't exist, the filter returns
+// without doing anything and without error, unless it was set
+// to create the path. If set to create, it creates a tree of maps
+// along the path, and the leaf node gets the setValue called on it.
+// Error on GVK mismatch, empty or poorly formed path.
+// Filter expect kustomize style paths, not JSON paths.
+// Filter stores internal state and should not be reused
+type Filter struct {
+	// FieldSpec contains the path to the value to set.
+	FieldSpec types.FieldSpec `yaml:"fieldSpec"`
+
+	// Set the field using this function
+	SetValue filtersutil.SetFn
+
+	// CreateKind defines the type of node to create if the field is not found
+	CreateKind yaml.Kind
+
+	CreateTag string
+
+	// path keeps internal state about the current path
+	path []string
+}
+
+func (fltr Filter) Filter(obj *yaml.RNode) (*yaml.RNode, error) {
+	// check if the FieldSpec applies to the object
+	if match := isMatchGVK(fltr.FieldSpec, obj); !match {
+		return obj, nil
+	}
+	fltr.path = utils.PathSplitter(fltr.FieldSpec.Path, "/")
+	if err := fltr.filter(obj); err != nil {
+		return nil, errors.WrapPrefixf(err,
+			"considering field '%s' of object %s", fltr.FieldSpec.Path, resid.FromRNode(obj))
+	}
+	return obj, nil
+}
+
+// Recursively called.
+func (fltr Filter) filter(obj *yaml.RNode) error {
+	if len(fltr.path) == 0 {
+		// found the field -- set its value
+		return fltr.SetValue(obj)
+	}
+	if obj.IsTaggedNull() || obj.IsNil() {
+		return nil
+	}
+	switch obj.YNode().Kind {
+	case yaml.SequenceNode:
+		return fltr.handleSequence(obj)
+	case yaml.MappingNode:
+		return fltr.handleMap(obj)
+	case yaml.AliasNode:
+		return fltr.filter(yaml.NewRNode(obj.YNode().Alias))
+	default:
+		return errors.Errorf("expected sequence or mapping node")
+	}
+}
+
+// handleMap calls filter on the map field matching the next path element
+func (fltr Filter) handleMap(obj *yaml.RNode) error {
+	fieldName, isSeq := isSequenceField(fltr.path[0])
+	if fieldName == "" {
+		return fmt.Errorf("cannot set or create an empty field name")
+	}
+	// lookup the field matching the next path element
+	var operation yaml.Filter
+	var kind yaml.Kind
+	tag := yaml.NodeTagEmpty
+	switch {
+	case !fltr.FieldSpec.CreateIfNotPresent || fltr.CreateKind == 0 || isSeq:
+		// don't create the field if we don't find it
+		operation = yaml.Lookup(fieldName)
+		if isSeq {
+			// The query path thinks this field should be a sequence;
+			// accept this hint for use later if the tag is NodeTagNull.
+			kind = yaml.SequenceNode
+		}
+	case len(fltr.path) <= 1:
+		// create the field if it is missing: use the provided node kind
+		operation = yaml.LookupCreate(fltr.CreateKind, fieldName)
+		kind = fltr.CreateKind
+		tag = fltr.CreateTag
+	default:
+		// create the field if it is missing: must be a mapping node
+		operation = yaml.LookupCreate(yaml.MappingNode, fieldName)
+		kind = yaml.MappingNode
+		tag = yaml.NodeTagMap
+	}
+
+	// locate (or maybe create) the field
+	field, err := obj.Pipe(operation)
+	if err != nil {
+		return errors.WrapPrefixf(err, "fieldName: %s", fieldName)
+	}
+	if field == nil {
+		// No error if field not found.
+		return nil
+	}
+
+	// if the value exists, but is null and kind is set,
+	// then change it to the creation type
+	// TODO: update yaml.LookupCreate to support this
+	if field.YNode().Tag == yaml.NodeTagNull && yaml.IsCreate(kind) {
+		field.YNode().Kind = kind
+		field.YNode().Tag = tag
+	}
+
+	// copy the current fltr and change the path on the copy
+	var next = fltr
+	// call filter for the next path element on the matching field
+	next.path = fltr.path[1:]
+	return next.filter(field)
+}
+
+// seq calls filter on all sequence elements
+func (fltr Filter) handleSequence(obj *yaml.RNode) error {
+	if err := obj.VisitElements(func(node *yaml.RNode) error {
+		// set an accurate FieldPath for nested elements
+		node.AppendToFieldPath(obj.FieldPath()...)
+		// recurse on each element -- re-allocating a Filter is
+		// not strictly required, but is more consistent with field
+		// and less likely to have side effects
+		// keep the entire path -- it does not contain parts for sequences
+		return fltr.filter(node)
+	}); err != nil {
+		return errors.WrapPrefixf(err,
+			"visit traversal on path: %v", fltr.path)
+	}
+	return nil
+}
+
+// isSequenceField returns true if the path element is for a sequence field.
+// isSequence also returns the path element with the '[]' suffix trimmed
+func isSequenceField(name string) (string, bool) {
+	shorter := strings.TrimSuffix(name, "[]")
+	return shorter, shorter != name
+}
+
+// isMatchGVK returns true if the fs.GVK matches the obj GVK.
+func isMatchGVK(fs types.FieldSpec, obj *yaml.RNode) bool {
+	if kind := obj.GetKind(); fs.Kind != "" && fs.Kind != kind {
+		// kind doesn't match
+		return false
+	}
+
+	// parse the group and version from the apiVersion field
+	group, version := resid.ParseGroupVersion(obj.GetApiVersion())
+
+	if fs.Group != "" && fs.Group != group {
+		// group doesn't match
+		return false
+	}
+
+	if fs.Version != "" && fs.Version != version {
+		// version doesn't match
+		return false
+	}
+
+	return true
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/filtersutil/setters.go b/vendor/sigs.k8s.io/kustomize/api/filters/filtersutil/setters.go
new file mode 100644
index 0000000000..f776667856
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/filtersutil/setters.go
@@ -0,0 +1,105 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filtersutil
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// SetFn is a function that accepts an RNode to possibly modify.
+type SetFn func(*yaml.RNode) error
+
+// SetScalar returns a SetFn to set a scalar value
+func SetScalar(value string) SetFn {
+	return SetEntry("", value, yaml.NodeTagEmpty)
+}
+
+// SetEntry returns a SetFn to set a field or a map entry to a value.
+// It can be used with an empty name to set both a value and a tag on a scalar node.
+// When setting only a value on a scalar node, use SetScalar instead.
+func SetEntry(name, value, tag string) SetFn {
+	n := &yaml.Node{
+		Kind:  yaml.ScalarNode,
+		Value: value,
+		Tag:   tag,
+	}
+	return func(node *yaml.RNode) error {
+		return node.PipeE(yaml.FieldSetter{
+			Name:  name,
+			Value: yaml.NewRNode(n),
+		})
+	}
+}
+
+type TrackableSetter struct {
+	// SetValueCallback will be invoked each time a field is set
+	setValueCallback func(name, value, tag string, node *yaml.RNode)
+}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (s *TrackableSetter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) *TrackableSetter {
+	s.setValueCallback = callback
+	return s
+}
+
+// SetScalar returns a SetFn to set a scalar value.
+// if a mutation tracker has been registered, the tracker will be invoked each
+// time a scalar is set
+func (s TrackableSetter) SetScalar(value string) SetFn {
+	return s.SetEntry("", value, yaml.NodeTagEmpty)
+}
+
+// SetScalarIfEmpty returns a SetFn to set a scalar value only if it isn't already set.
+// If a mutation tracker has been registered, the tracker will be invoked each
+// time a scalar is actually set.
+func (s TrackableSetter) SetScalarIfEmpty(value string) SetFn {
+	return s.SetEntryIfEmpty("", value, yaml.NodeTagEmpty)
+}
+
+// SetEntry returns a SetFn to set a field or a map entry to a value.
+// It can be used with an empty name to set both a value and a tag on a scalar node.
+// When setting only a value on a scalar node, use SetScalar instead.
+// If a mutation tracker has been registered, the tracker will be invoked each
+// time an entry is set.
+func (s TrackableSetter) SetEntry(name, value, tag string) SetFn {
+	origSetEntry := SetEntry(name, value, tag)
+	return func(node *yaml.RNode) error {
+		if s.setValueCallback != nil {
+			s.setValueCallback(name, value, tag, node)
+		}
+		return origSetEntry(node)
+	}
+}
+
+// SetEntryIfEmpty returns a SetFn to set a field or a map entry to a value only if it isn't already set.
+// It can be used with an empty name to set both a value and a tag on a scalar node.
+// When setting only a value on a scalar node, use SetScalar instead.
+// If a mutation tracker has been registered, the tracker will be invoked each
+// time an entry is actually set.
+func (s TrackableSetter) SetEntryIfEmpty(key, value, tag string) SetFn {
+	origSetEntry := SetEntry(key, value, tag)
+	return func(node *yaml.RNode) error {
+		if hasExistingValue(node, key) {
+			return nil
+		}
+		if s.setValueCallback != nil {
+			s.setValueCallback(key, value, tag, node)
+		}
+		return origSetEntry(node)
+	}
+}
+
+func hasExistingValue(node *yaml.RNode, key string) bool {
+	if node.IsNilOrEmpty() {
+		return false
+	}
+	if err := yaml.ErrorIfInvalid(node, yaml.ScalarNode); err == nil {
+		return yaml.GetValue(node) != ""
+	}
+	entry := node.Field(key)
+	if entry.IsNilOrEmpty() {
+		return false
+	}
+	return yaml.GetValue(entry.Value) != ""
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/doc.go
new file mode 100644
index 0000000000..b0f197722e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package fsslice contains a yaml.Filter to modify a resource if
+// it matches one or more FieldSpec entries.
+package fsslice
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/fsslice.go b/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/fsslice.go
new file mode 100644
index 0000000000..9eb5c13133
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/fsslice.go
@@ -0,0 +1,47 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package fsslice
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+var _ yaml.Filter = Filter{}
+
+// Filter ranges over an FsSlice to modify fields on a single object.
+// An FsSlice is a range of FieldSpecs. A FieldSpec is a GVK plus a path.
+type Filter struct {
+	// FieldSpecList list of FieldSpecs to set
+	FsSlice types.FsSlice `yaml:"fsSlice"`
+
+	// SetValue is called on each field that matches one of the FieldSpecs
+	SetValue filtersutil.SetFn
+
+	// CreateKind is used to create fields that do not exist
+	CreateKind yaml.Kind
+
+	// CreateTag is used to set the tag if encountering a null field
+	CreateTag string
+}
+
+func (fltr Filter) Filter(obj *yaml.RNode) (*yaml.RNode, error) {
+	for i := range fltr.FsSlice {
+		// apply this FieldSpec
+		// create a new filter for each iteration because they
+		// store internal state about the field paths
+		_, err := (&fieldspec.Filter{
+			FieldSpec:  fltr.FsSlice[i],
+			SetValue:   fltr.SetValue,
+			CreateKind: fltr.CreateKind,
+			CreateTag:  fltr.CreateTag,
+		}).Filter(obj)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return obj, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/doc.go
new file mode 100644
index 0000000000..3fe20a6d6d
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package gkesagenerator contains a kio.Filter that that generates a
+// iampolicy-related resources for a given cloud provider
+package iampolicygenerator
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/iampolicygenerator.go b/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/iampolicygenerator.go
new file mode 100644
index 0000000000..97ea31693e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/iampolicygenerator.go
@@ -0,0 +1,55 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+	IAMPolicyGenerator types.IAMPolicyGeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"`
+}
+
+// Filter adds a GKE service account object to nodes
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	switch f.IAMPolicyGenerator.Cloud {
+	case types.GKE:
+		IAMPolicyResources, err := f.generateGkeIAMPolicyResources()
+		if err != nil {
+			return nil, err
+		}
+		nodes = append(nodes, IAMPolicyResources...)
+	default:
+		return nil, fmt.Errorf("cloud provider %s not supported yet", f.IAMPolicyGenerator.Cloud)
+	}
+	return nodes, nil
+}
+
+func (f Filter) generateGkeIAMPolicyResources() ([]*yaml.RNode, error) {
+	var result []*yaml.RNode
+	input := fmt.Sprintf(`
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: %s@%s.iam.gserviceaccount.com
+  name: %s
+`, f.IAMPolicyGenerator.ServiceAccount.Name,
+		f.IAMPolicyGenerator.ProjectId,
+		f.IAMPolicyGenerator.KubernetesService.Name)
+
+	if f.IAMPolicyGenerator.Namespace != "" {
+		input += fmt.Sprintf("\n  namespace: %s", f.IAMPolicyGenerator.Namespace)
+	}
+
+	sa, err := yaml.Parse(input)
+	if err != nil {
+		return nil, err
+	}
+
+	return append(result, sa), nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/doc.go
new file mode 100644
index 0000000000..d919491dd6
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/doc.go
@@ -0,0 +1,12 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package imagetag contains two kio.Filter implementations to cover the
+// functionality of the kustomize imagetag transformer.
+//
+// Filter updates fields based on a FieldSpec and an ImageTag.
+//
+// LegacyFilter doesn't use a FieldSpec, and instead only updates image
+// references if the field is name image and it is underneath a field called
+// either containers or initContainers.
+package imagetag
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/imagetag.go b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/imagetag.go
new file mode 100644
index 0000000000..24ab99f740
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/imagetag.go
@@ -0,0 +1,72 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package imagetag
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/filters/fsslice"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter modifies an "image tag", the value used to specify the
+// name, tag, version digest etc. of (docker) container images
+// used by a pod template.
+type Filter struct {
+	// imageTag is the tag we want to apply to the inputs
+	// The name of the image is used as a key, and other fields
+	// can specify a new name, tag, etc.
+	ImageTag types.Image `json:"imageTag,omitempty" yaml:"imageTag,omitempty"`
+
+	// FsSlice contains the FieldSpecs to locate an image field,
+	// e.g. Path: "spec/myContainers[]/image"
+	FsSlice types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
+}
+
+var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	_, err := kio.FilterAll(yaml.FilterFunc(f.filter)).Filter(nodes)
+	return nodes, err
+}
+
+func (f Filter) filter(node *yaml.RNode) (*yaml.RNode, error) {
+	// FsSlice is an allowlist, not a denyList, so to deny
+	// something via configuration a new config mechanism is
+	// needed. Until then, hardcode it.
+	if f.isOnDenyList(node) {
+		return node, nil
+	}
+	if err := node.PipeE(fsslice.Filter{
+		FsSlice: f.FsSlice,
+		SetValue: imageTagUpdater{
+			ImageTag:        f.ImageTag,
+			trackableSetter: f.trackableSetter,
+		}.SetImageValue,
+	}); err != nil {
+		return nil, err
+	}
+	return node, nil
+}
+
+func (f Filter) isOnDenyList(node *yaml.RNode) bool {
+	meta, err := node.GetMeta()
+	if err != nil {
+		// A missing 'meta' field will cause problems elsewhere;
+		// ignore it here to keep the signature simple.
+		return false
+	}
+	// Ignore CRDs
+	// https://github.com/kubernetes-sigs/kustomize/issues/890
+	return meta.Kind == `CustomResourceDefinition`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/legacy.go b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/legacy.go
new file mode 100644
index 0000000000..d6f5b33f27
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/legacy.go
@@ -0,0 +1,104 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package imagetag
+
+import (
+	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// LegacyFilter is an implementation of the kio.Filter interface
+// that scans through the provided kyaml data structure and updates
+// any values of any image fields that is inside a sequence under
+// a field called either containers or initContainers. The field is only
+// update if it has a value that matches and image reference and the name
+// of the image is a match with the provided ImageTag.
+type LegacyFilter struct {
+	ImageTag types.Image `json:"imageTag,omitempty" yaml:"imageTag,omitempty"`
+}
+
+var _ kio.Filter = LegacyFilter{}
+
+func (lf LegacyFilter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(lf.filter)).Filter(nodes)
+}
+
+func (lf LegacyFilter) filter(node *yaml.RNode) (*yaml.RNode, error) {
+	meta, err := node.GetMeta()
+	if err != nil {
+		return nil, err
+	}
+
+	// We do not make any changes if the type of the resource
+	// is CustomResourceDefinition.
+	if meta.Kind == `CustomResourceDefinition` {
+		return node, nil
+	}
+
+	fff := findFieldsFilter{
+		fields:        []string{"containers", "initContainers"},
+		fieldCallback: checkImageTagsFn(lf.ImageTag),
+	}
+	if err := node.PipeE(fff); err != nil {
+		return nil, err
+	}
+	return node, nil
+}
+
+type fieldCallback func(node *yaml.RNode) error
+
+// findFieldsFilter is an implementation of the kio.Filter
+// interface. It will walk the data structure and look for fields
+// that matches the provided list of field names. For each match,
+// the value of the field will be passed in as a parameter to the
+// provided fieldCallback.
+// TODO: move this to kyaml/filterutils
+type findFieldsFilter struct {
+	fields []string
+
+	fieldCallback fieldCallback
+}
+
+func (f findFieldsFilter) Filter(obj *yaml.RNode) (*yaml.RNode, error) {
+	return obj, f.walk(obj)
+}
+
+func (f findFieldsFilter) walk(node *yaml.RNode) error {
+	switch node.YNode().Kind {
+	case yaml.MappingNode:
+		return node.VisitFields(func(n *yaml.MapNode) error {
+			err := f.walk(n.Value)
+			if err != nil {
+				return err
+			}
+			key := n.Key.YNode().Value
+			if utils.StringSliceContains(f.fields, key) {
+				return f.fieldCallback(n.Value)
+			}
+			return nil
+		})
+	case yaml.SequenceNode:
+		return errors.Wrap(node.VisitElements(f.walk))
+	}
+	return nil
+}
+
+func checkImageTagsFn(imageTag types.Image) fieldCallback {
+	return func(node *yaml.RNode) error {
+		if node.YNode().Kind != yaml.SequenceNode {
+			return nil
+		}
+
+		return node.VisitElements(func(n *yaml.RNode) error {
+			// Look up any fields on the provided node that is named
+			// image.
+			return n.PipeE(yaml.Get("image"), imageTagUpdater{
+				ImageTag: imageTag,
+			})
+		})
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/updater.go b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/updater.go
new file mode 100644
index 0000000000..58297d4415
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/updater.go
@@ -0,0 +1,71 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package imagetag
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+
+	"sigs.k8s.io/kustomize/api/internal/image"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// imageTagUpdater is an implementation of the kio.Filter interface
+// that will update the value of the yaml node based on the provided
+// ImageTag if the current value matches the format of an image reference.
+type imageTagUpdater struct {
+	Kind            string      `yaml:"kind,omitempty"`
+	ImageTag        types.Image `yaml:"imageTag,omitempty"`
+	trackableSetter filtersutil.TrackableSetter
+}
+
+func (u imageTagUpdater) SetImageValue(rn *yaml.RNode) error {
+	if err := yaml.ErrorIfInvalid(rn, yaml.ScalarNode); err != nil {
+		return err
+	}
+
+	value := rn.YNode().Value
+
+	if !image.IsImageMatched(value, u.ImageTag.Name) {
+		return nil
+	}
+
+	name, tag, digest := image.Split(value)
+	if u.ImageTag.NewName != "" {
+		name = u.ImageTag.NewName
+	}
+
+	// overriding tag or digest will replace both original tag and digest values
+	switch {
+	case u.ImageTag.NewTag != "" && u.ImageTag.Digest != "":
+		tag = u.ImageTag.NewTag
+		digest = u.ImageTag.Digest
+	case u.ImageTag.NewTag != "":
+		tag = u.ImageTag.NewTag
+		digest = ""
+	case u.ImageTag.Digest != "":
+		tag = ""
+		digest = u.ImageTag.Digest
+	case u.ImageTag.TagSuffix != "":
+		tag += u.ImageTag.TagSuffix
+		digest = ""
+	}
+
+	// build final image name
+	if tag != "" {
+		name += ":" + tag
+	}
+	if digest != "" {
+		name += "@" + digest
+	}
+
+	return u.trackableSetter.SetScalar(name)(rn)
+}
+
+func (u imageTagUpdater) Filter(rn *yaml.RNode) (*yaml.RNode, error) {
+	if err := u.SetImageValue(rn); err != nil {
+		return nil, err
+	}
+	return rn, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/labels/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/labels/doc.go
new file mode 100644
index 0000000000..978033c7e0
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/labels/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package labels contains a kio.Filter implementation of the kustomize
+// labels transformer.
+package labels
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/labels/labels.go b/vendor/sigs.k8s.io/kustomize/api/filters/labels/labels.go
new file mode 100644
index 0000000000..b67d4d4b13
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/labels/labels.go
@@ -0,0 +1,53 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package labels
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/filters/fsslice"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type labelMap map[string]string
+
+// Filter sets labels.
+type Filter struct {
+	// Labels is the set of labels to apply to the inputs
+	Labels labelMap `yaml:"labels,omitempty"`
+
+	// FsSlice identifies the label fields.
+	FsSlice types.FsSlice
+
+	trackableSetter filtersutil.TrackableSetter
+}
+
+var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	keys := yaml.SortedMapKeys(f.Labels)
+	_, err := kio.FilterAll(yaml.FilterFunc(
+		func(node *yaml.RNode) (*yaml.RNode, error) {
+			for _, k := range keys {
+				if err := node.PipeE(fsslice.Filter{
+					FsSlice: f.FsSlice,
+					SetValue: f.trackableSetter.SetEntry(
+						k, f.Labels[k], yaml.NodeTagString),
+					CreateKind: yaml.MappingNode, // Labels are MappingNodes.
+					CreateTag:  yaml.NodeTagMap,
+				}); err != nil {
+					return nil, err
+				}
+			}
+			return node, nil
+		})).Filter(nodes)
+	return nodes, err
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/nameref/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/doc.go
new file mode 100644
index 0000000000..78f938933e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package nameref contains a kio.Filter implementation of the kustomize
+// name reference transformer.
+package nameref
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/nameref/nameref.go b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/nameref.go
new file mode 100644
index 0000000000..ff83420cb1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/nameref.go
@@ -0,0 +1,416 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package nameref
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter updates a name references.
+type Filter struct {
+	// Referrer refers to another resource X by X's name.
+	// E.g. A Deployment can refer to a ConfigMap.
+	// The Deployment is the Referrer,
+	// the ConfigMap is the ReferralTarget.
+	// This filter seeks to repair the reference in Deployment, given
+	// that the ConfigMap's name may have changed.
+	Referrer *resource.Resource
+
+	// NameFieldToUpdate is the field in the Referrer
+	// that holds the name requiring an update.
+	// This is the field to write.
+	NameFieldToUpdate types.FieldSpec
+
+	// ReferralTarget is the source of the new value for
+	// the name, always in the 'metadata/name' field.
+	// This is the field to read.
+	ReferralTarget resid.Gvk
+
+	// Set of resources to scan to find the ReferralTarget.
+	ReferralCandidates resmap.ResMap
+}
+
+// At time of writing, in practice this is called with a slice with only
+// one entry, the node also referred to be the resource in the Referrer field.
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
+}
+
+// The node passed in here is the same node as held in Referrer;
+// that's how the referrer's name field is updated.
+// Currently, however, this filter still needs the extra methods on Referrer
+// to consult things like the resource Id, its namespace, etc.
+// TODO(3455): No filter should use the Resource api; all information
+// about names should come from annotations, with helper methods
+// on the RNode object.  Resource should get stupider, RNode smarter.
+func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	if err := f.confirmNodeMatchesReferrer(node); err != nil {
+		// sanity check.
+		return nil, err
+	}
+	f.NameFieldToUpdate.Gvk = f.Referrer.GetGvk()
+	if err := node.PipeE(fieldspec.Filter{
+		FieldSpec: f.NameFieldToUpdate,
+		SetValue:  f.set,
+	}); err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "updating name reference in '%s' field of '%s'",
+			f.NameFieldToUpdate.Path, f.Referrer.CurId().String())
+	}
+	return node, nil
+}
+
+// This function is called on the node found at FieldSpec.Path.
+// It's some node in the Referrer.
+func (f Filter) set(node *yaml.RNode) error {
+	if yaml.IsMissingOrNull(node) {
+		return nil
+	}
+	switch node.YNode().Kind {
+	case yaml.ScalarNode:
+		return f.setScalar(node)
+	case yaml.MappingNode:
+		return f.setMapping(node)
+	case yaml.SequenceNode:
+		return applyFilterToSeq(seqFilter{
+			setScalarFn:  f.setScalar,
+			setMappingFn: f.setMapping,
+		}, node)
+	default:
+		return fmt.Errorf("node must be a scalar, sequence or map")
+	}
+}
+
+// This method used when NameFieldToUpdate doesn't lead to
+// one scalar field (typically called 'name'), but rather
+// leads to a map field (called anything). In this case we
+// must complete the field path, looking for both  a 'name'
+// and a 'namespace' field to help select the proper
+// ReferralTarget to read the name and namespace from.
+func (f Filter) setMapping(node *yaml.RNode) error {
+	if node.YNode().Kind != yaml.MappingNode {
+		return fmt.Errorf("expect a mapping node")
+	}
+	nameNode, err := node.Pipe(yaml.FieldMatcher{Name: "name"})
+	if err != nil {
+		return errors.WrapPrefixf(err, "trying to match 'name' field")
+	}
+	if nameNode == nil {
+		// This is a _configuration_ error; the field path
+		// specified in NameFieldToUpdate.Path doesn't resolve
+		// to a map with a 'name' field, so we have no idea what
+		// field to update with a new name.
+		return fmt.Errorf("path config error; no 'name' field in node")
+	}
+	candidates, err := f.filterMapCandidatesByNamespace(node)
+	if err != nil {
+		return err
+	}
+	oldName := nameNode.YNode().Value
+	// use allNamesAndNamespacesAreTheSame to compare referral candidates for functional identity,
+	// because we source both name and namespace values from the referral in this case.
+	referral, err := f.selectReferral(oldName, candidates, allNamesAndNamespacesAreTheSame)
+	if err != nil || referral == nil {
+		// Nil referral means nothing to do.
+		return err
+	}
+	f.recordTheReferral(referral)
+	if referral.GetName() == oldName && referral.GetNamespace() == "" {
+		// The name has not changed, nothing to do.
+		return nil
+	}
+	if err = node.PipeE(yaml.FieldSetter{
+		Name:        "name",
+		StringValue: referral.GetName(),
+	}); err != nil {
+		return err
+	}
+	if referral.GetNamespace() == "" {
+		// Don't write an empty string into the namespace field, as
+		// it should not replace the value "default".  The empty
+		// string is handled as a wild card here, not as an implicit
+		// specification of the "default" k8s namespace.
+		return nil
+	}
+	return node.PipeE(yaml.FieldSetter{
+		Name:        "namespace",
+		StringValue: referral.GetNamespace(),
+	})
+}
+
+func (f Filter) filterMapCandidatesByNamespace(
+	node *yaml.RNode) ([]*resource.Resource, error) {
+	namespaceNode, err := node.Pipe(yaml.FieldMatcher{Name: "namespace"})
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "trying to match 'namespace' field")
+	}
+	if namespaceNode == nil {
+		return f.ReferralCandidates.Resources(), nil
+	}
+	namespace := namespaceNode.YNode().Value
+	nsMap := f.ReferralCandidates.GroupedByOriginalNamespace()
+	if candidates, ok := nsMap[namespace]; ok {
+		return candidates, nil
+	}
+	nsMap = f.ReferralCandidates.GroupedByCurrentNamespace()
+	// This could be nil, or an empty list.
+	return nsMap[namespace], nil
+}
+
+func (f Filter) setScalar(node *yaml.RNode) error {
+	// use allNamesAreTheSame to compare referral candidates for functional identity,
+	// because we only source the name from the referral in this case.
+	referral, err := f.selectReferral(
+		node.YNode().Value, f.ReferralCandidates.Resources(), allNamesAreTheSame)
+	if err != nil || referral == nil {
+		// Nil referral means nothing to do.
+		return err
+	}
+	f.recordTheReferral(referral)
+	if referral.GetName() == node.YNode().Value {
+		// The name has not changed, nothing to do.
+		return nil
+	}
+	return node.PipeE(yaml.FieldSetter{StringValue: referral.GetName()})
+}
+
+// In the resource, make a note that it is referred to by the Referrer.
+func (f Filter) recordTheReferral(referral *resource.Resource) {
+	referral.AppendRefBy(f.Referrer.CurId())
+}
+
+// getRoleRefGvk returns a Gvk in the roleRef field. Return error
+// if the roleRef, roleRef/apiGroup or roleRef/kind is missing.
+func getRoleRefGvk(n *resource.Resource) (*resid.Gvk, error) {
+	roleRef, err := n.Pipe(yaml.Lookup("roleRef"))
+	if err != nil {
+		return nil, err
+	}
+	if roleRef.IsNil() {
+		return nil, fmt.Errorf("roleRef cannot be found in %s", n.MustString())
+	}
+	apiGroup, err := roleRef.Pipe(yaml.Lookup("apiGroup"))
+	if err != nil {
+		return nil, err
+	}
+	if apiGroup.IsNil() {
+		return nil, fmt.Errorf(
+			"apiGroup cannot be found in roleRef %s", roleRef.MustString())
+	}
+	kind, err := roleRef.Pipe(yaml.Lookup("kind"))
+	if err != nil {
+		return nil, err
+	}
+	if kind.IsNil() {
+		return nil, fmt.Errorf(
+			"kind cannot be found in roleRef %s", roleRef.MustString())
+	}
+	return &resid.Gvk{
+		Group: apiGroup.YNode().Value,
+		Kind:  kind.YNode().Value,
+	}, nil
+}
+
+// sieveFunc returns true if the resource argument satisfies some criteria.
+type sieveFunc func(*resource.Resource) bool
+
+// doSieve uses a function to accept or ignore resources from a list.
+// If list is nil, returns immediately.
+// It's a filter obviously, but that term is overloaded here.
+func doSieve(list []*resource.Resource, fn sieveFunc) (s []*resource.Resource) {
+	for _, r := range list {
+		if fn(r) {
+			s = append(s, r)
+		}
+	}
+	return
+}
+
+func acceptAll(r *resource.Resource) bool {
+	return true
+}
+
+func previousNameMatches(name string) sieveFunc {
+	return func(r *resource.Resource) bool {
+		for _, id := range r.PrevIds() {
+			if id.Name == name {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func previousIdSelectedByGvk(gvk *resid.Gvk) sieveFunc {
+	return func(r *resource.Resource) bool {
+		for _, id := range r.PrevIds() {
+			if id.IsSelected(gvk) {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+// If the we are updating a 'roleRef/name' field, the 'apiGroup' and 'kind'
+// fields in the same 'roleRef' map must be considered.
+// If either object is cluster-scoped, there can be a referral.
+// E.g. a RoleBinding (which exists in a namespace) can refer
+// to a ClusterRole (cluster-scoped) object.
+// https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
+// Likewise, a ClusterRole can refer to a Secret (in a namespace).
+// Objects in different namespaces generally cannot refer to other
+// with some exceptions (e.g. RoleBinding and ServiceAccount are both
+// namespaceable, but the former can refer to accounts in other namespaces).
+func (f Filter) roleRefFilter() sieveFunc {
+	if !strings.HasSuffix(f.NameFieldToUpdate.Path, "roleRef/name") {
+		return acceptAll
+	}
+	roleRefGvk, err := getRoleRefGvk(f.Referrer)
+	if err != nil {
+		return acceptAll
+	}
+	return previousIdSelectedByGvk(roleRefGvk)
+}
+
+func prefixSuffixEquals(other resource.ResCtx, allowEmpty bool) sieveFunc {
+	return func(r *resource.Resource) bool {
+		return r.PrefixesSuffixesEquals(other, allowEmpty)
+	}
+}
+
+func (f Filter) sameCurrentNamespaceAsReferrer() sieveFunc {
+	referrerCurId := f.Referrer.CurId()
+	if referrerCurId.IsClusterScoped() {
+		// If the referrer is cluster-scoped, let anything through.
+		return acceptAll
+	}
+	return func(r *resource.Resource) bool {
+		if r.CurId().IsClusterScoped() {
+			// Allow cluster-scoped through.
+			return true
+		}
+		if r.GetKind() == "ServiceAccount" {
+			// Allow service accounts through, even though they
+			// are in a namespace.  A RoleBinding in another namespace
+			// can reference them.
+			return true
+		}
+		return referrerCurId.IsNsEquals(r.CurId())
+	}
+}
+
+// selectReferral picks the best referral from a list of candidates.
+func (f Filter) selectReferral(
+	// The name referral that may need to be updated.
+	oldName string,
+	candidates []*resource.Resource,
+	// function that returns whether two referrals are identical for the purposes of the transformation
+	candidatesIdentical func(resources []*resource.Resource) bool) (*resource.Resource, error) {
+	candidates = doSieve(candidates, previousNameMatches(oldName))
+	candidates = doSieve(candidates, previousIdSelectedByGvk(&f.ReferralTarget))
+	candidates = doSieve(candidates, f.roleRefFilter())
+	candidates = doSieve(candidates, f.sameCurrentNamespaceAsReferrer())
+	if len(candidates) == 1 {
+		return candidates[0], nil
+	}
+	candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer, true))
+	if len(candidates) > 1 {
+		candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer, false))
+	}
+	if len(candidates) == 1 {
+		return candidates[0], nil
+	}
+	if len(candidates) == 0 {
+		return nil, nil
+	}
+	if candidatesIdentical(candidates) {
+		// Just take the first one.
+		return candidates[0], nil
+	}
+	ids := getIds(candidates)
+	return nil, fmt.Errorf("found multiple possible referrals: %s\n%s", ids, f.failureDetails(candidates))
+}
+
+func (f Filter) failureDetails(resources []*resource.Resource) string {
+	msg := strings.Builder{}
+	msg.WriteString(fmt.Sprintf("\n**** Too many possible referral targets to referrer:\n%s\n", f.Referrer.MustYaml()))
+	for i, r := range resources {
+		msg.WriteString(fmt.Sprintf("--- possible referral %d:\n%s\n", i, r.MustYaml()))
+	}
+	return msg.String()
+}
+
+func allNamesAreTheSame(resources []*resource.Resource) bool {
+	name := resources[0].GetName()
+	for i := 1; i < len(resources); i++ {
+		if name != resources[i].GetName() {
+			return false
+		}
+	}
+	return true
+}
+
+func allNamesAndNamespacesAreTheSame(resources []*resource.Resource) bool {
+	name := resources[0].GetName()
+	namespace := resources[0].GetNamespace()
+	for i := 1; i < len(resources); i++ {
+		if name != resources[i].GetName() || namespace != resources[i].GetNamespace() {
+			return false
+		}
+	}
+	return true
+}
+
+func getIds(rs []*resource.Resource) string {
+	var result []string
+	for _, r := range rs {
+		result = append(result, r.CurId().String())
+	}
+	return strings.Join(result, ", ")
+}
+
+func checkEqual(k, a, b string) error {
+	if a != b {
+		return fmt.Errorf(
+			"node-referrerOriginal '%s' mismatch '%s' != '%s'",
+			k, a, b)
+	}
+	return nil
+}
+
+func (f Filter) confirmNodeMatchesReferrer(node *yaml.RNode) error {
+	meta, err := node.GetMeta()
+	if err != nil {
+		return err
+	}
+	gvk := f.Referrer.GetGvk()
+	if err = checkEqual(
+		"APIVersion", meta.APIVersion, gvk.ApiVersion()); err != nil {
+		return err
+	}
+	if err = checkEqual(
+		"Kind", meta.Kind, gvk.Kind); err != nil {
+		return err
+	}
+	if err = checkEqual(
+		"Name", meta.Name, f.Referrer.GetName()); err != nil {
+		return err
+	}
+	if err = checkEqual(
+		"Namespace", meta.Namespace, f.Referrer.GetNamespace()); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/nameref/seqfilter.go b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/seqfilter.go
new file mode 100644
index 0000000000..0caab4c9b7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/seqfilter.go
@@ -0,0 +1,60 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package nameref
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type setFn func(*yaml.RNode) error
+
+type seqFilter struct {
+	setScalarFn  setFn
+	setMappingFn setFn
+}
+
+func (sf seqFilter) Filter(node *yaml.RNode) (*yaml.RNode, error) {
+	if yaml.IsMissingOrNull(node) {
+		return node, nil
+	}
+	switch node.YNode().Kind {
+	case yaml.ScalarNode:
+		// Kind: Role/ClusterRole
+		// FieldSpec is rules.resourceNames
+		err := sf.setScalarFn(node)
+		return node, err
+	case yaml.MappingNode:
+		// Kind: RoleBinding/ClusterRoleBinding
+		// FieldSpec is subjects
+		// Note: The corresponding fieldSpec had been changed from
+		// from path: subjects/name to just path: subjects. This is
+		// what get mutatefield to request the mapping of the whole
+		// map containing namespace and name instead of just a simple
+		// string field containing the name
+		err := sf.setMappingFn(node)
+		return node, err
+	default:
+		return node, fmt.Errorf(
+			"%#v is expected to be either a string or a map of string", node)
+	}
+}
+
+// applyFilterToSeq will apply the filter to each element in the sequence node
+func applyFilterToSeq(filter yaml.Filter, node *yaml.RNode) error {
+	if node.YNode().Kind != yaml.SequenceNode {
+		return fmt.Errorf("expect a sequence node but got %v", node.YNode().Kind)
+	}
+
+	for _, elem := range node.Content() {
+		rnode := yaml.NewRNode(elem)
+		err := rnode.PipeE(filter)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/namespace/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/namespace/doc.go
new file mode 100644
index 0000000000..539758b282
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/namespace/doc.go
@@ -0,0 +1,9 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package namespace contains a kio.Filter implementation of the kustomize
+// namespace transformer.
+//
+// Special cases for known Kubernetes resources have been hardcoded in addition
+// to those defined by the FsSlice.
+package namespace
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/namespace/namespace.go b/vendor/sigs.k8s.io/kustomize/api/filters/namespace/namespace.go
new file mode 100644
index 0000000000..9279abb9d4
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/namespace/namespace.go
@@ -0,0 +1,217 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package namespace
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/filters/fsslice"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+	// Namespace is the namespace to apply to the inputs
+	Namespace string `yaml:"namespace,omitempty"`
+
+	// FsSlice contains the FieldSpecs to locate the namespace field
+	FsSlice types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+
+	// UnsetOnly means only blank namespace fields will be set
+	UnsetOnly bool `json:"unsetOnly" yaml:"unsetOnly"`
+
+	// SetRoleBindingSubjects determines which subject fields in RoleBinding and ClusterRoleBinding
+	// objects will have their namespace fields set. Overrides field specs provided for these types, if any.
+	// - defaultOnly (default): namespace will be set only on subjects named "default".
+	// - allServiceAccounts: namespace will be set on all subjects with "kind: ServiceAccount"
+	// - none: all subjects will be skipped.
+	SetRoleBindingSubjects RoleBindingSubjectMode `json:"setRoleBindingSubjects" yaml:"setRoleBindingSubjects"`
+
+	trackableSetter filtersutil.TrackableSetter
+}
+
+type RoleBindingSubjectMode string
+
+const (
+	DefaultSubjectsOnly       RoleBindingSubjectMode = "defaultOnly"
+	SubjectModeUnspecified    RoleBindingSubjectMode = ""
+	AllServiceAccountSubjects RoleBindingSubjectMode = "allServiceAccounts"
+	NoSubjects                RoleBindingSubjectMode = "none"
+)
+
+var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (ns *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	ns.trackableSetter.WithMutationTracker(callback)
+}
+
+func (ns Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(ns.run)).Filter(nodes)
+}
+
+// Run runs the filter on a single node rather than a slice
+func (ns Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	// Special handling for metadata.namespace and metadata.name -- :(
+	// never let SetEntry handle metadata.namespace--it will incorrectly include cluster-scoped resources
+	// only update metadata.name if api version is expected one--so-as it leaves other resources of kind namespace alone
+	apiVersion := node.GetApiVersion()
+	ns.FsSlice = ns.removeUnneededMetaFieldSpecs(apiVersion, ns.FsSlice)
+	gvk := resid.GvkFromNode(node)
+	if err := ns.metaNamespaceHack(node, gvk); err != nil {
+		return nil, err
+	}
+
+	// Special handling for (cluster) role binding subjects -- :(
+	if isRoleBinding(gvk.Kind) {
+		ns.FsSlice = ns.removeRoleBindingSubjectFieldSpecs(ns.FsSlice)
+		if err := ns.roleBindingHack(node); err != nil {
+			return nil, err
+		}
+	}
+
+	// transformations based on data -- :)
+	err := node.PipeE(fsslice.Filter{
+		FsSlice:    ns.FsSlice,
+		SetValue:   ns.fieldSetter(),
+		CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode
+		CreateTag:  yaml.NodeTagString,
+	})
+	invalidKindErr := &yaml.InvalidNodeKindError{}
+	if err != nil && errors.As(err, &invalidKindErr) && invalidKindErr.ActualNodeKind() != yaml.ScalarNode {
+		return nil, errors.WrapPrefixf(err, "namespace field specs must target scalar nodes")
+	}
+	return node, errors.WrapPrefixf(err, "namespace transformation failed")
+}
+
+// metaNamespaceHack is a hack for implementing the namespace transform
+// for the metadata.namespace field on namespace scoped resources.
+func (ns Filter) metaNamespaceHack(obj *yaml.RNode, gvk resid.Gvk) error {
+	if gvk.IsClusterScoped() {
+		return nil
+	}
+	f := fsslice.Filter{
+		FsSlice: []types.FieldSpec{
+			{Path: types.MetadataNamespacePath, CreateIfNotPresent: true},
+		},
+		SetValue:   ns.fieldSetter(),
+		CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode
+	}
+	_, err := f.Filter(obj)
+	return err
+}
+
+// roleBindingHack is a hack for implementing the transformer's SetRoleBindingSubjects option
+// for RoleBinding and ClusterRoleBinding resource types.
+//
+// In NoSubjects mode, it does nothing.
+//
+// In AllServiceAccountSubjects mode, it sets the namespace on subjects with "kind: ServiceAccount".
+//
+// In DefaultSubjectsOnly mode (default mode), RoleBinding and ClusterRoleBinding have namespace set on
+// elements of the "subjects" field if and only if the subject elements
+// "name" is "default".  Otherwise the namespace is not set.
+// Example:
+//
+// kind: RoleBinding
+// subjects:
+// - name: "default" # this will have the namespace set
+//   ...
+// - name: "something-else" # this will not have the namespace set
+//   ...
+func (ns Filter) roleBindingHack(obj *yaml.RNode) error {
+	var visitor filtersutil.SetFn
+	switch ns.SetRoleBindingSubjects {
+	case NoSubjects:
+		return nil
+	case DefaultSubjectsOnly, SubjectModeUnspecified:
+		visitor = ns.setSubjectsNamedDefault
+	case AllServiceAccountSubjects:
+		visitor = ns.setServiceAccountNamespaces
+	default:
+		return errors.Errorf("invalid value %q for setRoleBindingSubjects: "+
+			"must be one of %q, %q or %q", ns.SetRoleBindingSubjects,
+			DefaultSubjectsOnly, NoSubjects, AllServiceAccountSubjects)
+	}
+
+	// Lookup the subjects field on all elements.
+	obj, err := obj.Pipe(yaml.Lookup(subjectsField))
+	if err != nil || yaml.IsMissingOrNull(obj) {
+		return err
+	}
+	// Use the appropriate visitor to set the namespace field on the correct subset of subjects
+	return errors.WrapPrefixf(obj.VisitElements(visitor), "setting namespace on (cluster)role binding subjects")
+}
+
+func isRoleBinding(kind string) bool {
+	return kind == roleBindingKind || kind == clusterRoleBindingKind
+}
+
+func (ns Filter) setServiceAccountNamespaces(o *yaml.RNode) error {
+	name, err := o.Pipe(yaml.Lookup("kind"), yaml.Match("ServiceAccount"))
+	if err != nil || yaml.IsMissingOrNull(name) {
+		return errors.WrapPrefixf(err, "looking up kind on (cluster)role binding subject")
+	}
+	return setNamespaceField(o, ns.fieldSetter())
+}
+
+func (ns Filter) setSubjectsNamedDefault(o *yaml.RNode) error {
+	name, err := o.Pipe(yaml.Lookup("name"), yaml.Match("default"))
+	if err != nil || yaml.IsMissingOrNull(name) {
+		return errors.WrapPrefixf(err, "looking up name on (cluster)role binding subject")
+	}
+	return setNamespaceField(o, ns.fieldSetter())
+}
+
+func setNamespaceField(node *yaml.RNode, setter filtersutil.SetFn) error {
+	node, err := node.Pipe(yaml.LookupCreate(yaml.ScalarNode, "namespace"))
+	if err != nil {
+		return errors.WrapPrefixf(err, "setting namespace field on (cluster)role binding subject")
+	}
+	return setter(node)
+}
+
+// removeRoleBindingSubjectFieldSpecs removes from the list fieldspecs that
+// have hardcoded implementations
+func (ns Filter) removeRoleBindingSubjectFieldSpecs(fs types.FsSlice) types.FsSlice {
+	var val types.FsSlice
+	for i := range fs {
+		if isRoleBinding(fs[i].Kind) && fs[i].Path == subjectsNamespacePath {
+			continue
+		}
+		val = append(val, fs[i])
+	}
+	return val
+}
+
+func (ns Filter) removeUnneededMetaFieldSpecs(apiVersion string, fs types.FsSlice) types.FsSlice {
+	var val types.FsSlice
+	for i := range fs {
+		if fs[i].Path == types.MetadataNamespacePath {
+			continue
+		}
+		if apiVersion != types.MetadataNamespaceApiVersion && fs[i].Path == types.MetadataNamePath {
+			continue
+		}
+		val = append(val, fs[i])
+	}
+	return val
+}
+
+func (ns *Filter) fieldSetter() filtersutil.SetFn {
+	if ns.UnsetOnly {
+		return ns.trackableSetter.SetEntryIfEmpty("", ns.Namespace, yaml.NodeTagString)
+	}
+	return ns.trackableSetter.SetEntry("", ns.Namespace, yaml.NodeTagString)
+}
+
+const (
+	subjectsField          = "subjects"
+	subjectsNamespacePath  = "subjects/namespace"
+	roleBindingKind        = "RoleBinding"
+	clusterRoleBindingKind = "ClusterRoleBinding"
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/doc.go
new file mode 100644
index 0000000000..ec4cfa8211
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package namespace contains a kio.Filter implementation of the kustomize
+// patchjson6902 transformer
+package patchjson6902
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/patchjson6902.go b/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/patchjson6902.go
new file mode 100644
index 0000000000..671567d9a1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/patchjson6902.go
@@ -0,0 +1,65 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package patchjson6902
+
+import (
+	"strings"
+
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+	k8syaml "sigs.k8s.io/yaml"
+)
+
+type Filter struct {
+	Patch string
+
+	decodedPatch jsonpatch.Patch
+}
+
+var _ kio.Filter = Filter{}
+
+func (pf Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	decodedPatch, err := pf.decodePatch()
+	if err != nil {
+		return nil, err
+	}
+	pf.decodedPatch = decodedPatch
+	return kio.FilterAll(yaml.FilterFunc(pf.run)).Filter(nodes)
+}
+
+func (pf Filter) decodePatch() (jsonpatch.Patch, error) {
+	patch := pf.Patch
+	// If the patch doesn't look like a JSON6902 patch, we
+	// try to parse it to json.
+	if !strings.HasPrefix(pf.Patch, "[") {
+		p, err := k8syaml.YAMLToJSON([]byte(patch))
+		if err != nil {
+			return nil, err
+		}
+		patch = string(p)
+	}
+	decodedPatch, err := jsonpatch.DecodePatch([]byte(patch))
+	if err != nil {
+		return nil, err
+	}
+	return decodedPatch, nil
+}
+
+func (pf Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	// We don't actually use the kyaml library for manipulating the
+	// yaml here. We just marshal it to json and rely on the
+	// jsonpatch library to take care of applying the patch.
+	// This means ordering might not be preserved with this filter.
+	b, err := node.MarshalJSON()
+	if err != nil {
+		return nil, err
+	}
+	res, err := pf.decodedPatch.Apply(b)
+	if err != nil {
+		return nil, err
+	}
+	err = node.UnmarshalJSON(res)
+	return node, err
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/doc.go
new file mode 100644
index 0000000000..1733fd8a2c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package patchstrategicmerge contains a kio.Filter implementation of the
+// kustomize strategic merge patch transformer.
+package patchstrategicmerge
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/patchstrategicmerge.go b/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/patchstrategicmerge.go
new file mode 100644
index 0000000000..1a70d19aac
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/patchstrategicmerge.go
@@ -0,0 +1,36 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package patchstrategicmerge
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+	"sigs.k8s.io/kustomize/kyaml/yaml/merge2"
+)
+
+type Filter struct {
+	Patch *yaml.RNode
+}
+
+var _ kio.Filter = Filter{}
+
+// Filter does a strategic merge patch, which can delete nodes.
+func (pf Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	var result []*yaml.RNode
+	for i := range nodes {
+		r, err := merge2.Merge(
+			pf.Patch, nodes[i],
+			yaml.MergeOptions{
+				ListIncreaseDirection: yaml.MergeOptionsListPrepend,
+			},
+		)
+		if err != nil {
+			return nil, err
+		}
+		if r != nil {
+			result = append(result, r)
+		}
+	}
+	return result, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/prefix/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/prefix/doc.go
new file mode 100644
index 0000000000..95236859fa
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/prefix/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package prefix contains a kio.Filter implementation of the kustomize
+// PrefixTransformer.
+package prefix
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/prefix/prefix.go b/vendor/sigs.k8s.io/kustomize/api/filters/prefix/prefix.go
new file mode 100644
index 0000000000..daa375d1f7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/prefix/prefix.go
@@ -0,0 +1,50 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package prefix
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter applies resource name prefix's using the fieldSpecs
+type Filter struct {
+	Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"`
+
+	FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
+}
+
+var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
+}
+
+func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	err := node.PipeE(fieldspec.Filter{
+		FieldSpec:  f.FieldSpec,
+		SetValue:   f.evaluateField,
+		CreateKind: yaml.ScalarNode, // Name is a ScalarNode
+		CreateTag:  yaml.NodeTagString,
+	})
+	return node, err
+}
+
+func (f Filter) evaluateField(node *yaml.RNode) error {
+	return f.trackableSetter.SetScalar(fmt.Sprintf(
+		"%s%s", f.Prefix, node.YNode().Value))(node)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/refvar/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/doc.go
new file mode 100644
index 0000000000..e307198712
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package refvar contains a kio.Filter implementation of the kustomize
+// refvar transformer (find and replace $(FOO) style variables in strings).
+package refvar
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/refvar/expand.go b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/expand.go
new file mode 100644
index 0000000000..3bcbd7a53b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/expand.go
@@ -0,0 +1,147 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package refvar
+
+import (
+	"fmt"
+	"log"
+	"strings"
+)
+
+const (
+	operator        = '$'
+	referenceOpener = '('
+	referenceCloser = ')'
+)
+
+// syntaxWrap returns the input string wrapped by the expansion syntax.
+func syntaxWrap(input string) string {
+	var sb strings.Builder
+	sb.WriteByte(operator)
+	sb.WriteByte(referenceOpener)
+	sb.WriteString(input)
+	sb.WriteByte(referenceCloser)
+	return sb.String()
+}
+
+// MappingFunc maps a string to anything.
+type MappingFunc func(string) interface{}
+
+// MakePrimitiveReplacer returns a MappingFunc that uses a map to do
+// replacements, and a histogram to count map hits.
+//
+// Func behavior:
+//
+// If the input key is NOT found in the map, the key is wrapped up as
+// as a variable declaration string and returned, e.g. key FOO becomes $(FOO).
+// This string is presumably put back where it was found, and might get replaced
+// later.
+//
+// If the key is found in the map, the value is returned if it is a primitive
+// type (string, bool, number), and the hit is counted.
+//
+// If it's not a primitive type (e.g. a map, struct, func, etc.) then this
+// function doesn't know what to do with it and it returns the key wrapped up
+// again as if it had not been replaced.  This should probably be an error.
+func MakePrimitiveReplacer(
+	counts map[string]int, someMap map[string]interface{}) MappingFunc {
+	return func(key string) interface{} {
+		if value, ok := someMap[key]; ok {
+			switch typedV := value.(type) {
+			case string, int, int32, int64, float32, float64, bool:
+				counts[key]++
+				return typedV
+			default:
+				// If the value is some complicated type (e.g. a map or struct),
+				// this function doesn't know how to jam it into a string,
+				// so just pretend it was a cache miss.
+				// Likely this should be an error instead of a silent failure,
+				// since the programmer passed an impossible value.
+				log.Printf(
+					"MakePrimitiveReplacer: bad replacement type=%T val=%v",
+					typedV, typedV)
+				return syntaxWrap(key)
+			}
+		}
+		// If unable to return the mapped variable, return it
+		// as it was found, and a later mapping might be able to
+		// replace it.
+		return syntaxWrap(key)
+	}
+}
+
+// DoReplacements replaces variable references in the input string
+// using the mapping function.
+func DoReplacements(input string, mapping MappingFunc) interface{} {
+	var buf strings.Builder
+	checkpoint := 0
+	for cursor := 0; cursor < len(input); cursor++ {
+		if input[cursor] == operator && cursor+1 < len(input) {
+			// Copy the portion of the input string since the last
+			// checkpoint into the buffer
+			buf.WriteString(input[checkpoint:cursor])
+
+			// Attempt to read the variable name as defined by the
+			// syntax from the input string
+			read, isVar, advance := tryReadVariableName(input[cursor+1:])
+
+			if isVar {
+				// We were able to read a variable name correctly;
+				// apply the mapping to the variable name and copy the
+				// bytes into the buffer
+				mapped := mapping(read)
+				if input == syntaxWrap(read) {
+					// Preserve the type of variable
+					return mapped
+				}
+
+				// Variable is used in a middle of a string
+				buf.WriteString(fmt.Sprintf("%v", mapped))
+			} else {
+				// Not a variable name; copy the read bytes into the buffer
+				buf.WriteString(read)
+			}
+
+			// Advance the cursor in the input string to account for
+			// bytes consumed to read the variable name expression
+			cursor += advance
+
+			// Advance the checkpoint in the input string
+			checkpoint = cursor + 1
+		}
+	}
+
+	// Return the buffer and any remaining unwritten bytes in the
+	// input string.
+	return buf.String() + input[checkpoint:]
+}
+
+// tryReadVariableName attempts to read a variable name from the input
+// string and returns the content read from the input, whether that content
+// represents a variable name to perform mapping on, and the number of bytes
+// consumed in the input string.
+//
+// The input string is assumed not to contain the initial operator.
+func tryReadVariableName(input string) (string, bool, int) {
+	switch input[0] {
+	case operator:
+		// Escaped operator; return it.
+		return input[0:1], false, 1
+	case referenceOpener:
+		// Scan to expression closer
+		for i := 1; i < len(input); i++ {
+			if input[i] == referenceCloser {
+				return input[1:i], true, i + 1
+			}
+		}
+
+		// Incomplete reference; return it.
+		return string(operator) + string(referenceOpener), false, 1
+	default:
+		// Not the beginning of an expression, ie, an operator
+		// that doesn't begin an expression.  Return the operator
+		// and the first rune in the string.
+		return string(operator) + string(input[0]), false, 1
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/refvar/refvar.go b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/refvar.go
new file mode 100644
index 0000000000..e00afafd7b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/refvar.go
@@ -0,0 +1,113 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package refvar
+
+import (
+	"fmt"
+	"strconv"
+
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter updates $(VAR) style variables with values.
+// The fieldSpecs are the places to look for occurrences of $(VAR).
+type Filter struct {
+	MappingFunc MappingFunc     `json:"mappingFunc,omitempty" yaml:"mappingFunc,omitempty"`
+	FieldSpec   types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
+}
+
+func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	err := node.PipeE(fieldspec.Filter{
+		FieldSpec: f.FieldSpec,
+		SetValue:  f.set,
+	})
+	return node, err
+}
+
+func (f Filter) set(node *yaml.RNode) error {
+	if yaml.IsMissingOrNull(node) {
+		return nil
+	}
+	switch node.YNode().Kind {
+	case yaml.ScalarNode:
+		return f.setScalar(node)
+	case yaml.MappingNode:
+		return f.setMap(node)
+	case yaml.SequenceNode:
+		return f.setSeq(node)
+	default:
+		return fmt.Errorf("invalid type encountered %v", node.YNode().Kind)
+	}
+}
+
+func updateNodeValue(node *yaml.Node, newValue interface{}) {
+	switch newValue := newValue.(type) {
+	case int:
+		node.Value = strconv.FormatInt(int64(newValue), 10)
+		node.Tag = yaml.NodeTagInt
+	case int32:
+		node.Value = strconv.FormatInt(int64(newValue), 10)
+		node.Tag = yaml.NodeTagInt
+	case int64:
+		node.Value = strconv.FormatInt(newValue, 10)
+		node.Tag = yaml.NodeTagInt
+	case bool:
+		node.SetString(strconv.FormatBool(newValue))
+		node.Tag = yaml.NodeTagBool
+	case float32:
+		node.SetString(strconv.FormatFloat(float64(newValue), 'f', -1, 32))
+		node.Tag = yaml.NodeTagFloat
+	case float64:
+		node.SetString(strconv.FormatFloat(newValue, 'f', -1, 64))
+		node.Tag = yaml.NodeTagFloat
+	default:
+		node.SetString(newValue.(string))
+		node.Tag = yaml.NodeTagString
+	}
+	node.Style = 0
+}
+
+func (f Filter) setScalar(node *yaml.RNode) error {
+	if !yaml.IsYNodeString(node.YNode()) {
+		return nil
+	}
+	v := DoReplacements(node.YNode().Value, f.MappingFunc)
+	updateNodeValue(node.YNode(), v)
+	return nil
+}
+
+func (f Filter) setMap(node *yaml.RNode) error {
+	contents := node.YNode().Content
+	for i := 0; i < len(contents); i += 2 {
+		if !yaml.IsYNodeString(contents[i]) {
+			return fmt.Errorf(
+				"invalid map key: value='%s', tag='%s'",
+				contents[i].Value, contents[i].Tag)
+		}
+		if !yaml.IsYNodeString(contents[i+1]) {
+			continue
+		}
+		newValue := DoReplacements(contents[i+1].Value, f.MappingFunc)
+		updateNodeValue(contents[i+1], newValue)
+	}
+	return nil
+}
+
+func (f Filter) setSeq(node *yaml.RNode) error {
+	for _, item := range node.YNode().Content {
+		if !yaml.IsYNodeString(item) {
+			return fmt.Errorf("invalid value type expect a string")
+		}
+		newValue := DoReplacements(item.Value, f.MappingFunc)
+		updateNodeValue(item, newValue)
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/replacement/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/replacement/doc.go
new file mode 100644
index 0000000000..667c928933
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/replacement/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package replacement contains a kio.Filter implementation of the kustomize
+// replacement transformer (accepts sources and looks for targets to replace
+// their values with values from the sources).
+package replacement
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/replacement/replacement.go b/vendor/sigs.k8s.io/kustomize/api/filters/replacement/replacement.go
new file mode 100644
index 0000000000..56e70d8756
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/replacement/replacement.go
@@ -0,0 +1,256 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package replacement
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	kyaml_utils "sigs.k8s.io/kustomize/kyaml/utils"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+	Replacements []types.Replacement `json:"replacements,omitempty" yaml:"replacements,omitempty"`
+}
+
+// Filter replaces values of targets with values from sources
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	for i, r := range f.Replacements {
+		if (r.SourceValue == nil && r.Source == nil) || r.Targets == nil {
+			return nil, fmt.Errorf("replacements must specify a source and at least one target")
+		}
+		value, err := getReplacement(nodes, &f.Replacements[i])
+		if err != nil {
+			return nil, err
+		}
+		nodes, err = applyReplacement(nodes, value, r.Targets)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return nodes, nil
+}
+
+func getReplacement(nodes []*yaml.RNode, r *types.Replacement) (*yaml.RNode, error) {
+	if r.SourceValue != nil && r.Source != nil {
+		return nil, fmt.Errorf("value and resource selectors are mutually exclusive")
+	}
+	if r.SourceValue != nil {
+		return yaml.NewScalarRNode(*r.SourceValue), nil
+	}
+
+	source, err := selectSourceNode(nodes, r.Source)
+	if err != nil {
+		return nil, err
+	}
+
+	if r.Source.FieldPath == "" {
+		r.Source.FieldPath = types.DefaultReplacementFieldPath
+	}
+	fieldPath := kyaml_utils.SmarterPathSplitter(r.Source.FieldPath, ".")
+
+	rn, err := source.Pipe(yaml.Lookup(fieldPath...))
+	if err != nil {
+		return nil, fmt.Errorf("error looking up replacement source: %w", err)
+	}
+	if rn.IsNilOrEmpty() {
+		return nil, fmt.Errorf("fieldPath `%s` is missing for replacement source %s", r.Source.FieldPath, r.Source.ResId)
+	}
+
+	return getRefinedValue(r.Source.Options, rn)
+}
+
+// selectSourceNode finds the node that matches the selector, returning
+// an error if multiple or none are found
+func selectSourceNode(nodes []*yaml.RNode, selector *types.SourceSelector) (*yaml.RNode, error) {
+	var matches []*yaml.RNode
+	for _, n := range nodes {
+		ids, err := utils.MakeResIds(n)
+		if err != nil {
+			return nil, fmt.Errorf("error getting node IDs: %w", err)
+		}
+		for _, id := range ids {
+			if id.IsSelectedBy(selector.ResId) {
+				if len(matches) > 0 {
+					return nil, fmt.Errorf(
+						"multiple matches for selector %s", selector)
+				}
+				matches = append(matches, n)
+				break
+			}
+		}
+	}
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("nothing selected by %s", selector)
+	}
+	return matches[0], nil
+}
+
+func getRefinedValue(options *types.FieldOptions, rn *yaml.RNode) (*yaml.RNode, error) {
+	if options == nil || options.Delimiter == "" {
+		return rn, nil
+	}
+	if rn.YNode().Kind != yaml.ScalarNode {
+		return nil, fmt.Errorf("delimiter option can only be used with scalar nodes")
+	}
+	value := strings.Split(yaml.GetValue(rn), options.Delimiter)
+	if options.Index >= len(value) || options.Index < 0 {
+		return nil, fmt.Errorf("options.index %d is out of bounds for value %s", options.Index, yaml.GetValue(rn))
+	}
+	n := rn.Copy()
+	n.YNode().Value = value[options.Index]
+	return n, nil
+}
+
+func applyReplacement(nodes []*yaml.RNode, value *yaml.RNode, targetSelectors []*types.TargetSelector) ([]*yaml.RNode, error) {
+	for _, selector := range targetSelectors {
+		if selector.Select == nil {
+			return nil, errors.Errorf("target must specify resources to select")
+		}
+		if len(selector.FieldPaths) == 0 {
+			selector.FieldPaths = []string{types.DefaultReplacementFieldPath}
+		}
+		for _, possibleTarget := range nodes {
+			ids, err := utils.MakeResIds(possibleTarget)
+			if err != nil {
+				return nil, err
+			}
+
+			// filter targets by label and annotation selectors
+			selectByAnnoAndLabel, err := selectByAnnoAndLabel(possibleTarget, selector)
+			if err != nil {
+				return nil, err
+			}
+			if !selectByAnnoAndLabel {
+				continue
+			}
+
+			// filter targets by matching resource IDs
+			for _, id := range ids {
+				if id.IsSelectedBy(selector.Select.ResId) && !containsRejectId(selector.Reject, ids) {
+					err := copyValueToTarget(possibleTarget, value, selector)
+					if err != nil {
+						return nil, err
+					}
+					break
+				}
+			}
+		}
+	}
+	return nodes, nil
+}
+
+func selectByAnnoAndLabel(n *yaml.RNode, t *types.TargetSelector) (bool, error) {
+	if matchesSelect, err := matchesAnnoAndLabelSelector(n, t.Select); !matchesSelect || err != nil {
+		return false, err
+	}
+	for _, reject := range t.Reject {
+		if reject.AnnotationSelector == "" && reject.LabelSelector == "" {
+			continue
+		}
+		if m, err := matchesAnnoAndLabelSelector(n, reject); m || err != nil {
+			return false, err
+		}
+	}
+	return true, nil
+}
+
+func matchesAnnoAndLabelSelector(n *yaml.RNode, selector *types.Selector) (bool, error) {
+	r := resource.Resource{RNode: *n}
+	annoMatch, err := r.MatchesAnnotationSelector(selector.AnnotationSelector)
+	if err != nil {
+		return false, err
+	}
+	labelMatch, err := r.MatchesLabelSelector(selector.LabelSelector)
+	if err != nil {
+		return false, err
+	}
+	return annoMatch && labelMatch, nil
+}
+
+func containsRejectId(rejects []*types.Selector, ids []resid.ResId) bool {
+	for _, r := range rejects {
+		if r.ResId.IsEmpty() {
+			continue
+		}
+		for _, id := range ids {
+			if id.IsSelectedBy(r.ResId) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func copyValueToTarget(target *yaml.RNode, value *yaml.RNode, selector *types.TargetSelector) error {
+	for _, fp := range selector.FieldPaths {
+		createKind := yaml.Kind(0) // do not create
+		if selector.Options != nil && selector.Options.Create {
+			createKind = value.YNode().Kind
+		}
+		targetFieldList, err := target.Pipe(&yaml.PathMatcher{
+			Path:   kyaml_utils.SmarterPathSplitter(fp, "."),
+			Create: createKind})
+		if err != nil {
+			return errors.WrapPrefixf(err, fieldRetrievalError(fp, createKind != 0)) //nolint:govet
+		}
+		targetFields, err := targetFieldList.Elements()
+		if err != nil {
+			return errors.WrapPrefixf(err, fieldRetrievalError(fp, createKind != 0)) //nolint:govet
+		}
+		if len(targetFields) == 0 {
+			return errors.Errorf(fieldRetrievalError(fp, createKind != 0)) //nolint:govet
+		}
+
+		for _, t := range targetFields {
+			if err := setFieldValue(selector.Options, t, value); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func fieldRetrievalError(fieldPath string, isCreate bool) string {
+	if isCreate {
+		return fmt.Sprintf("unable to find or create field %q in replacement target", fieldPath)
+	}
+	return fmt.Sprintf("unable to find field %q in replacement target", fieldPath)
+}
+
+func setFieldValue(options *types.FieldOptions, targetField *yaml.RNode, value *yaml.RNode) error {
+	value = value.Copy()
+	if options != nil && options.Delimiter != "" {
+		if targetField.YNode().Kind != yaml.ScalarNode {
+			return fmt.Errorf("delimiter option can only be used with scalar nodes")
+		}
+		tv := strings.Split(targetField.YNode().Value, options.Delimiter)
+		v := yaml.GetValue(value)
+		// TODO: Add a way to remove an element
+		switch {
+		case options.Index < 0: // prefix
+			tv = append([]string{v}, tv...)
+		case options.Index >= len(tv): // suffix
+			tv = append(tv, v)
+		default: // replace an element
+			tv[options.Index] = v
+		}
+		value.YNode().Value = strings.Join(tv, options.Delimiter)
+	}
+
+	if targetField.YNode().Kind == yaml.ScalarNode {
+		// For scalar, only copy the value (leave any type intact to auto-convert int->string or string->int)
+		targetField.YNode().Value = value.YNode().Value
+	} else {
+		targetField.SetYNode(value.YNode())
+	}
+
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/doc.go
new file mode 100644
index 0000000000..a22d13034b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package replicacount contains a kio.Filter implementation of the kustomize
+// ReplicaCountTransformer.
+package replicacount
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/replicacount.go b/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/replicacount.go
new file mode 100644
index 0000000000..ea5351f9bd
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/replicacount.go
@@ -0,0 +1,48 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package replicacount
+
+import (
+	"strconv"
+
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter updates/sets replicas fields using the fieldSpecs
+type Filter struct {
+	Replica   types.Replica   `json:"replica,omitempty" yaml:"replica,omitempty"`
+	FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
+}
+
+var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (rc *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	rc.trackableSetter.WithMutationTracker(callback)
+}
+
+func (rc Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(rc.run)).Filter(nodes)
+}
+
+func (rc Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	err := node.PipeE(fieldspec.Filter{
+		FieldSpec:  rc.FieldSpec,
+		SetValue:   rc.set,
+		CreateKind: yaml.ScalarNode, // replicas is a ScalarNode
+		CreateTag:  yaml.NodeTagInt,
+	})
+	return node, err
+}
+
+func (rc Filter) set(node *yaml.RNode) error {
+	return rc.trackableSetter.SetEntry("", strconv.FormatInt(rc.Replica.Count, 10), yaml.NodeTagInt)(node)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/suffix/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/suffix/doc.go
new file mode 100644
index 0000000000..18be62dfdb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/suffix/doc.go
@@ -0,0 +1,6 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package suffix contains a kio.Filter implementation of the kustomize
+// SuffixTransformer.
+package suffix
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/suffix/suffix.go b/vendor/sigs.k8s.io/kustomize/api/filters/suffix/suffix.go
new file mode 100644
index 0000000000..babc257be4
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/suffix/suffix.go
@@ -0,0 +1,50 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package suffix
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter applies resource name suffix's using the fieldSpecs
+type Filter struct {
+	Suffix string `json:"suffix,omitempty" yaml:"suffix,omitempty"`
+
+	FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
+}
+
+var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
+}
+
+func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	err := node.PipeE(fieldspec.Filter{
+		FieldSpec:  f.FieldSpec,
+		SetValue:   f.evaluateField,
+		CreateKind: yaml.ScalarNode, // Name is a ScalarNode
+		CreateTag:  yaml.NodeTagString,
+	})
+	return node, err
+}
+
+func (f Filter) evaluateField(node *yaml.RNode) error {
+	return f.trackableSetter.SetScalar(fmt.Sprintf(
+		"%s%s", node.YNode().Value, f.Suffix))(node)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/valueadd/valueadd.go b/vendor/sigs.k8s.io/kustomize/api/filters/valueadd/valueadd.go
new file mode 100644
index 0000000000..f8e6b2f826
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/filters/valueadd/valueadd.go
@@ -0,0 +1,134 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package valueadd
+
+import (
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// An 'Add' operation aspiring to IETF RFC 6902 JSON.
+//
+// The filter tries to add a value to a node at a particular field path.
+//
+// Kinds of target fields:
+//
+// - Non-existent target field.
+//
+//   The field will be added and the value inserted.
+//
+// - Existing field, scalar or map.
+//
+//   E.g. 'spec/template/spec/containers/[name:nginx]/image'
+//
+//   This behaves like an IETF RFC 6902 Replace operation would;
+//   the existing value is replaced without complaint, even though
+//   this  is an Add operation.  In contrast, a Replace operation
+//   must fail (report an error) if the field doesn't exist.
+//
+// - Existing field, list (array)
+//   Not supported yet.
+//   TODO: Honor fields with RFC-6902-style array indices
+//   TODO: like 'spec/template/spec/containers/2'
+//   TODO: Modify kyaml/yaml/PathGetter to allow this.
+//   The value will be inserted into the array at the given position,
+//   shifting other contents. To instead replace an array entry, use
+//   an implementation of an IETF RFC 6902 Replace operation.
+//
+// For the common case of a filepath in the field value, and a desire
+// to add the value to the filepath (rather than replace the filepath),
+// use a non-zero value of FilePathPosition (see below).
+type Filter struct {
+	// Value is the value to add.
+	//
+	// Empty values are disallowed, i.e. this filter isn't intended
+	// for use in erasing or removing fields. For that, use a filter
+	// more aligned with the IETF RFC 6902 JSON Remove operation.
+	//
+	// At the time of writing, Value's value should be a simple string,
+	// not a JSON document.  This particular filter focuses on easing
+	// injection of a single-sourced cloud project and/or cluster name
+	// into various fields, especially namespace and various filepath
+	// specifications.
+	Value string
+
+	// FieldPath is a JSON-style path to the field intended to hold the value.
+	FieldPath string
+
+	// FilePathPosition is a filepath field index.
+	//
+	// Call the value of this field _i_.
+	//
+	//   If _i_ is zero, negative or unspecified, this field has no effect.
+	//
+	//   If _i_ is > 0, then it's assumed that
+	//   - 'Value' is a string that can work as a directory or file name,
+	//   - the field value intended for replacement holds a filepath.
+	//
+	// The filepath is split into a string slice, the value is inserted
+	// at position [i-1], shifting the rest of the path to the right.
+	// A value of i==1 puts the new value at the start of the path.
+	// This change never converts an absolute path to a relative path,
+	// meaning adding a new field at position i==1 will preserve a
+	// leading slash. E.g. if Value == 'PEACH'
+	//
+	//                  OLD : NEW                    : FilePathPosition
+	//      --------------------------------------------------------
+	//              {empty} : PEACH                  : irrelevant
+	//                    / : /PEACH                 : irrelevant
+	//                  pie : PEACH/pie              : 1 (or less to prefix)
+	//                 /pie : /PEACH/pie             : 1 (or less to prefix)
+	//                  raw : raw/PEACH              : 2 (or more to postfix)
+	//                 /raw : /raw/PEACH             : 2 (or more to postfix)
+	//      a/nice/warm/pie : a/nice/warm/PEACH/pie  : 4
+	//     /a/nice/warm/pie : /a/nice/warm/PEACH/pie : 4
+	//
+	// For robustness (liberal input, conservative output) FilePathPosition
+	// values that that are too large to index the split filepath result in a
+	// postfix rather than an error.  So use 1 to prefix, 9999 to postfix.
+	FilePathPosition int `json:"filePathPosition,omitempty" yaml:"filePathPosition,omitempty"`
+}
+
+var _ kio.Filter = Filter{}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	_, err := kio.FilterAll(yaml.FilterFunc(
+		func(node *yaml.RNode) (*yaml.RNode, error) {
+			var fields []string
+			// if there is forward slash '/' in the field name, a back slash '\'
+			// will be used to escape it.
+			for _, f := range strings.Split(f.FieldPath, "/") {
+				if len(fields) > 0 && strings.HasSuffix(fields[len(fields)-1], "\\") {
+					concatField := strings.TrimSuffix(fields[len(fields)-1], "\\") + "/" + f
+					fields = append(fields[:len(fields)-1], concatField)
+				} else {
+					fields = append(fields, f)
+				}
+			}
+			// TODO: support SequenceNode.
+			// Presumably here one could look for array indices (digits) at
+			// the end of the field path (as described in IETF RFC 6902 JSON),
+			// and if found, take it as a signal that this should be a
+			// SequenceNode instead of a ScalarNode, and insert the value
+			// into the proper slot, shifting every over.
+			n, err := node.Pipe(yaml.LookupCreate(yaml.ScalarNode, fields...))
+			if err != nil {
+				return node, err
+			}
+			// TODO: allow more kinds
+			if err := yaml.ErrorIfInvalid(n, yaml.ScalarNode); err != nil {
+				return nil, err
+			}
+			newValue := f.Value
+			if f.FilePathPosition > 0 {
+				newValue = filesys.InsertPathPart(
+					n.YNode().Value, f.FilePathPosition-1, newValue)
+			}
+			return n.Pipe(yaml.FieldSetter{StringValue: newValue})
+		})).Filter(nodes)
+	return nodes, err
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/hasher/hasher.go b/vendor/sigs.k8s.io/kustomize/api/hasher/hasher.go
new file mode 100644
index 0000000000..aef436d919
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/hasher/hasher.go
@@ -0,0 +1,155 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package hasher
+
+import (
+	"crypto/sha256"
+	"encoding/json"
+	"fmt"
+	"sort"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// SortArrayAndComputeHash sorts a string array and
+// returns a hash for it
+func SortArrayAndComputeHash(s []string) (string, error) {
+	sort.Strings(s)
+	data, err := json.Marshal(s)
+	if err != nil {
+		return "", err
+	}
+	return encode(hex256(string(data)))
+}
+
+// Copied from https://github.com/kubernetes/kubernetes
+// /blob/master/pkg/kubectl/util/hash/hash.go
+func encode(hex string) (string, error) {
+	if len(hex) < 10 {
+		return "", fmt.Errorf(
+			"input length must be at least 10")
+	}
+	enc := []rune(hex[:10])
+	for i := range enc {
+		switch enc[i] {
+		case '0':
+			enc[i] = 'g'
+		case '1':
+			enc[i] = 'h'
+		case '3':
+			enc[i] = 'k'
+		case 'a':
+			enc[i] = 'm'
+		case 'e':
+			enc[i] = 't'
+		}
+	}
+	return string(enc), nil
+}
+
+// hex256 returns the hex form of the sha256 of the argument.
+func hex256(data string) string {
+	return fmt.Sprintf("%x", sha256.Sum256([]byte(data)))
+}
+
+// Hasher computes the hash of an RNode.
+type Hasher struct{}
+
+// Hash returns a hash of the argument.
+func (h *Hasher) Hash(node *yaml.RNode) (r string, err error) {
+	var encoded string
+	switch node.GetKind() {
+	case "ConfigMap":
+		encoded, err = encodeConfigMap(node)
+	case "Secret":
+		encoded, err = encodeSecret(node)
+	default:
+		var encodedBytes []byte
+		encodedBytes, err = json.Marshal(node.YNode())
+		encoded = string(encodedBytes)
+	}
+	if err != nil {
+		return "", err
+	}
+	return encode(hex256(encoded))
+}
+
+func getNodeValues(
+	node *yaml.RNode, paths []string) (map[string]interface{}, error) {
+	values := make(map[string]interface{})
+	for _, p := range paths {
+		vn, err := node.Pipe(yaml.Lookup(p))
+		if err != nil {
+			return map[string]interface{}{}, err
+		}
+		if vn == nil {
+			values[p] = ""
+			continue
+		}
+		if vn.YNode().Kind != yaml.ScalarNode {
+			vs, err := vn.MarshalJSON()
+			if err != nil {
+				return map[string]interface{}{}, err
+			}
+			// data, binaryData and stringData are all maps
+			var v map[string]interface{}
+			json.Unmarshal(vs, &v)
+			values[p] = v
+		} else {
+			values[p] = vn.YNode().Value
+		}
+	}
+	return values, nil
+}
+
+// encodeConfigMap encodes a ConfigMap.
+// Data, Kind, and Name are taken into account.
+// BinaryData is included if it's not empty to avoid useless key in output.
+func encodeConfigMap(node *yaml.RNode) (string, error) {
+	// get fields
+	paths := []string{"metadata/name", "data", "binaryData"}
+	values, err := getNodeValues(node, paths)
+	if err != nil {
+		return "", err
+	}
+	m := map[string]interface{}{
+		"kind": "ConfigMap",
+		"name": values["metadata/name"],
+		"data": values["data"],
+	}
+	if _, ok := values["binaryData"].(map[string]interface{}); ok {
+		m["binaryData"] = values["binaryData"]
+	}
+
+	// json.Marshal sorts the keys in a stable order in the encoding
+	data, err := json.Marshal(m)
+	if err != nil {
+		return "", err
+	}
+	return string(data), nil
+}
+
+// encodeSecret encodes a Secret.
+// Data, Kind, Name, and Type are taken into account.
+// StringData is included if it's not empty to avoid useless key in output.
+func encodeSecret(node *yaml.RNode) (string, error) {
+	// get fields
+	paths := []string{"type", "metadata/name", "data", "stringData"}
+	values, err := getNodeValues(node, paths)
+	if err != nil {
+		return "", err
+	}
+	m := map[string]interface{}{"kind": "Secret", "type": values["type"],
+		"name": values["metadata/name"], "data": values["data"]}
+	if _, ok := values["stringData"].(map[string]interface{}); ok {
+		m["stringData"] = values["stringData"]
+	}
+
+	// json.Marshal sorts the keys in a stable order in the encoding
+	data, err := json.Marshal(m)
+	if err != nil {
+		return "", err
+	}
+	return string(data), nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/ifc/ifc.go b/vendor/sigs.k8s.io/kustomize/api/ifc/ifc.go
new file mode 100644
index 0000000000..4cd62dd596
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/ifc/ifc.go
@@ -0,0 +1,56 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package ifc holds miscellaneous interfaces used by kustomize.
+package ifc
+
+import (
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Validator provides functions to validate annotations and labels
+type Validator interface {
+	MakeAnnotationValidator() func(map[string]string) error
+	MakeAnnotationNameValidator() func([]string) error
+	MakeLabelValidator() func(map[string]string) error
+	MakeLabelNameValidator() func([]string) error
+	ValidateNamespace(string) []string
+	ErrIfInvalidKey(string) error
+	IsEnvVarName(k string) error
+}
+
+// KvLoader reads and validates KV pairs.
+type KvLoader interface {
+	Validator() Validator
+	Load(args types.KvPairSources) (all []types.Pair, err error)
+}
+
+// Loader interface exposes methods to read bytes.
+type Loader interface {
+
+	// Repo returns the repo location if this Loader was created from a url
+	// or the empty string otherwise.
+	Repo() string
+
+	// Root returns the root location for this Loader.
+	Root() string
+
+	// New returns Loader located at newRoot.
+	New(newRoot string) (Loader, error)
+
+	// Load returns the bytes read from the location or an error.
+	Load(location string) ([]byte, error)
+
+	// Cleanup cleans the loader
+	Cleanup() error
+}
+
+// KustHasher returns a hash of the argument
+// or an error.
+type KustHasher interface {
+	Hash(*yaml.RNode) (string, error)
+}
+
+// See core.v1.SecretTypeOpaque
+const SecretTypeOpaque = "Opaque"
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/loadconfigfromcrds.go b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/loadconfigfromcrds.go
new file mode 100644
index 0000000000..f60c517b76
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/loadconfigfromcrds.go
@@ -0,0 +1,198 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package accumulator
+
+import (
+	"encoding/json"
+	"strings"
+
+	"k8s.io/kube-openapi/pkg/validation/spec"
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/yaml"
+)
+
+// OpenAPIDefinition describes single type.
+// Normally these definitions are auto-generated using gen-openapi.
+// Same as in k8s.io / kube-openapi / pkg / common.
+type OpenAPIDefinition struct {
+	Schema       spec.Schema
+	Dependencies []string
+}
+
+type myProperties = map[string]spec.Schema
+type nameToApiMap map[string]OpenAPIDefinition
+
+// LoadConfigFromCRDs parse CRD schemas from paths into a TransformerConfig
+func LoadConfigFromCRDs(
+	ldr ifc.Loader, paths []string) (*builtinconfig.TransformerConfig, error) {
+	tc := builtinconfig.MakeEmptyConfig()
+	for _, path := range paths {
+		content, err := ldr.Load(path)
+		if err != nil {
+			return nil, err
+		}
+		m, err := makeNameToApiMap(content)
+		if err != nil {
+			return nil, errors.WrapPrefixf(err, "unable to parse open API definition from '%s'", path)
+		}
+		otherTc, err := makeConfigFromApiMap(m)
+		if err != nil {
+			return nil, err
+		}
+		tc, err = tc.Merge(otherTc)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return tc, nil
+}
+
+func makeNameToApiMap(content []byte) (result nameToApiMap, err error) {
+	if content[0] == '{' {
+		err = json.Unmarshal(content, &result)
+	} else {
+		err = yaml.Unmarshal(content, &result)
+	}
+	return
+}
+
+func makeConfigFromApiMap(m nameToApiMap) (*builtinconfig.TransformerConfig, error) {
+	result := builtinconfig.MakeEmptyConfig()
+	for name, api := range m {
+		if !looksLikeAk8sType(api.Schema.SchemaProps.Properties) {
+			continue
+		}
+		tc := builtinconfig.MakeEmptyConfig()
+		err := loadCrdIntoConfig(
+			tc, makeGvkFromTypeName(name), m, name, []string{})
+		if err != nil {
+			return result, err
+		}
+		result, err = result.Merge(tc)
+		if err != nil {
+			return result, err
+		}
+	}
+	return result, nil
+}
+
+// TODO: Get Group and Version for CRD from the
+// openAPI definition once
+// "x-kubernetes-group-version-kind" is available in CRD
+func makeGvkFromTypeName(n string) resid.Gvk {
+	names := strings.Split(n, filesys.SelfDir)
+	kind := names[len(names)-1]
+	return resid.Gvk{Kind: kind}
+}
+
+func looksLikeAk8sType(properties myProperties) bool {
+	_, ok := properties["kind"]
+	if !ok {
+		return false
+	}
+	_, ok = properties["apiVersion"]
+	if !ok {
+		return false
+	}
+	_, ok = properties["metadata"]
+	return ok
+}
+
+const (
+	// "x-kubernetes-annotation": ""
+	xAnnotation = "x-kubernetes-annotation"
+
+	// "x-kubernetes-label-selector": ""
+	xLabelSelector = "x-kubernetes-label-selector"
+
+	// "x-kubernetes-identity": ""
+	xIdentity = "x-kubernetes-identity"
+
+	// "x-kubernetes-object-ref-api-version": <apiVersion name>
+	xVersion = "x-kubernetes-object-ref-api-version"
+
+	// "x-kubernetes-object-ref-kind": <kind name>
+	xKind = "x-kubernetes-object-ref-kind"
+
+	// "x-kubernetes-object-ref-name-key": "name"
+	// default is "name"
+	xNameKey = "x-kubernetes-object-ref-name-key"
+)
+
+// loadCrdIntoConfig loads a CRD spec into a TransformerConfig
+func loadCrdIntoConfig(
+	theConfig *builtinconfig.TransformerConfig, theGvk resid.Gvk, theMap nameToApiMap,
+	typeName string, path []string) (err error) {
+	api, ok := theMap[typeName]
+	if !ok {
+		return nil
+	}
+	for propName, property := range api.Schema.SchemaProps.Properties {
+		_, annotate := property.Extensions.GetString(xAnnotation)
+		if annotate {
+			err = theConfig.AddAnnotationFieldSpec(
+				makeFs(theGvk, append(path, propName)))
+			if err != nil {
+				return
+			}
+		}
+		_, label := property.Extensions.GetString(xLabelSelector)
+		if label {
+			err = theConfig.AddCommonLabelsFieldSpec(
+				makeFs(theGvk, append(path, propName)))
+			if err != nil {
+				return
+			}
+		}
+		_, identity := property.Extensions.GetString(xIdentity)
+		if identity {
+			err = theConfig.AddPrefixFieldSpec(
+				makeFs(theGvk, append(path, propName)))
+			if err != nil {
+				return
+			}
+		}
+		version, ok := property.Extensions.GetString(xVersion)
+		if ok {
+			kind, ok := property.Extensions.GetString(xKind)
+			if ok {
+				nameKey, ok := property.Extensions.GetString(xNameKey)
+				if !ok {
+					nameKey = "name"
+				}
+				err = theConfig.AddNamereferenceFieldSpec(
+					builtinconfig.NameBackReferences{
+						Gvk: resid.Gvk{Kind: kind, Version: version},
+						Referrers: []types.FieldSpec{
+							makeFs(theGvk, append(path, propName, nameKey))},
+					})
+				if err != nil {
+					return
+				}
+			}
+		}
+		if property.Ref.GetURL() != nil {
+			err = loadCrdIntoConfig(
+				theConfig, theGvk, theMap,
+				property.Ref.String(), append(path, propName))
+			if err != nil {
+				return
+			}
+		}
+	}
+	return nil
+}
+
+func makeFs(in resid.Gvk, path []string) types.FieldSpec {
+	return types.FieldSpec{
+		CreateIfNotPresent: false,
+		Gvk:                in,
+		Path:               strings.Join(path, "/"),
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/namereferencetransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/namereferencetransformer.go
new file mode 100644
index 0000000000..f8f12b4f2b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/namereferencetransformer.go
@@ -0,0 +1,164 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package accumulator
+
+import (
+	"fmt"
+	"log"
+
+	"sigs.k8s.io/kustomize/api/filters/nameref"
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+type nameReferenceTransformer struct {
+	backRefs []builtinconfig.NameBackReferences
+}
+
+const doDebug = false
+
+var _ resmap.Transformer = &nameReferenceTransformer{}
+
+type filterMap map[*resource.Resource][]nameref.Filter
+
+// newNameReferenceTransformer constructs a nameReferenceTransformer
+// with a given slice of NameBackReferences.
+func newNameReferenceTransformer(
+	br []builtinconfig.NameBackReferences) resmap.Transformer {
+	if br == nil {
+		log.Fatal("backrefs not expected to be nil")
+	}
+	return &nameReferenceTransformer{backRefs: br}
+}
+
+// Transform updates name references in resource A that
+// refer to resource B, given that B's name may have
+// changed.
+//
+// For example, a HorizontalPodAutoscaler (HPA)
+// necessarily refers to a Deployment, the thing that
+// an HPA scales. In this case:
+//
+//   - the HPA instance is the Referrer,
+//   - the Deployment instance is the ReferralTarget.
+//
+// If the Deployment's name changes, e.g. a prefix is added,
+// then the HPA's reference to the Deployment must be fixed.
+//
+func (t *nameReferenceTransformer) Transform(m resmap.ResMap) error {
+	fMap := t.determineFilters(m.Resources())
+	debug(fMap)
+	for r, fList := range fMap {
+		c, err := m.SubsetThatCouldBeReferencedByResource(r)
+		if err != nil {
+			return err
+		}
+		for _, f := range fList {
+			f.Referrer = r
+			f.ReferralCandidates = c
+			if err := f.Referrer.ApplyFilter(f); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func debug(fMap filterMap) {
+	if !doDebug {
+		return
+	}
+	fmt.Printf("filterMap has %d entries:\n", len(fMap))
+	rCount := 0
+	for r, fList := range fMap {
+		yml, _ := r.AsYAML()
+		rCount++
+		fmt.Printf(`
+---- %3d. possible referrer -------------
+%s
+---------`, rCount, string(yml),
+		)
+		for i, f := range fList {
+			fmt.Printf(`
+%3d/%3d update: %s
+          from: %s
+`, rCount, i+1, f.NameFieldToUpdate.Path, f.ReferralTarget,
+			)
+		}
+	}
+}
+
+// Produce a map from referrer resources that might need to be fixed
+// to filters that might fix them.  The keys to this map are potential
+// referrers, so won't include resources like ConfigMap or Secret.
+//
+// In the inner loop over the resources below, say we
+// encounter an HPA instance. Then, in scanning the set
+// of all known backrefs, we encounter an entry like
+//
+//   - kind: Deployment
+//     fieldSpecs:
+//     - kind: HorizontalPodAutoscaler
+//       path: spec/scaleTargetRef/name
+//
+// This entry says that an HPA, via its
+// 'spec/scaleTargetRef/name' field, may refer to a
+// Deployment.
+//
+// This means that a filter will need to hunt for the right Deployment,
+// obtain it's new name, and write that name into the HPA's
+// 'spec/scaleTargetRef/name' field. Return a filter that can do that.
+func (t *nameReferenceTransformer) determineFilters(
+	resources []*resource.Resource) (fMap filterMap) {
+	// We cache the resource OrgId values because they don't change and otherwise are very visible in a memory pprof
+	resourceOrgIds := make([]resid.ResId, len(resources))
+	for i, resource := range resources {
+		resourceOrgIds[i] = resource.OrgId()
+	}
+
+	fMap = make(filterMap)
+	for _, backReference := range t.backRefs {
+		for _, referrerSpec := range backReference.Referrers {
+			for i, res := range resources {
+				if resourceOrgIds[i].IsSelected(&referrerSpec.Gvk) {
+					// If this is true, the res might be a referrer, and if
+					// so, the name reference it holds might need an update.
+					if resHasField(res, referrerSpec.Path) {
+						// Optimization - the referrer has the field
+						// that might need updating.
+						fMap[res] = append(fMap[res], nameref.Filter{
+							// Name field to write in the Referrer.
+							// If the path specified here isn't found in
+							// the Referrer, nothing happens (no error,
+							// no field creation).
+							NameFieldToUpdate: referrerSpec,
+							// Specification of object class to read from.
+							// Always read from metadata/name field.
+							ReferralTarget: backReference.Gvk,
+						})
+					}
+				}
+			}
+		}
+	}
+	return fMap
+}
+
+// TODO: check res for field existence here to avoid extra work.
+// res.GetFieldValue, which uses yaml.Lookup under the hood, doesn't know
+// how to parse fieldspec-style paths that make no distinction
+// between maps and sequences.  This means it cannot lookup commonly
+// used "indeterminate" paths like
+//    spec/containers/env/valueFrom/configMapKeyRef/name
+// ('containers' is a list, not a map).
+// However, the fieldspec filter does know how to handle this;
+// extract that code and call it here?
+func resHasField(res *resource.Resource, path string) bool {
+	return true
+	// fld := strings.Join(utils.PathSplitter(path), ".")
+	// _, e := res.GetFieldValue(fld)
+	// return e == nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/refvartransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/refvartransformer.go
new file mode 100644
index 0000000000..a02edc4fb3
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/refvartransformer.go
@@ -0,0 +1,57 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package accumulator
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/refvar"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+)
+
+type refVarTransformer struct {
+	varMap            map[string]interface{}
+	replacementCounts map[string]int
+	fieldSpecs        []types.FieldSpec
+}
+
+// newRefVarTransformer returns a new refVarTransformer
+// that replaces $(VAR) style variables with values.
+// The fieldSpecs are the places to look for occurrences of $(VAR).
+func newRefVarTransformer(
+	varMap map[string]interface{}, fs []types.FieldSpec) *refVarTransformer {
+	return &refVarTransformer{
+		varMap:     varMap,
+		fieldSpecs: fs,
+	}
+}
+
+// UnusedVars returns slice of Var names that were unused
+// after a Transform run.
+func (rv *refVarTransformer) UnusedVars() []string {
+	var unused []string
+	for k := range rv.varMap {
+		if _, ok := rv.replacementCounts[k]; !ok {
+			unused = append(unused, k)
+		}
+	}
+	return unused
+}
+
+// Transform replaces $(VAR) style variables with values.
+func (rv *refVarTransformer) Transform(m resmap.ResMap) error {
+	rv.replacementCounts = make(map[string]int)
+	mf := refvar.MakePrimitiveReplacer(rv.replacementCounts, rv.varMap)
+	for _, res := range m.Resources() {
+		for _, fieldSpec := range rv.fieldSpecs {
+			err := res.ApplyFilter(refvar.Filter{
+				MappingFunc: mf,
+				FieldSpec:   fieldSpec,
+			})
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/resaccumulator.go b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/resaccumulator.go
new file mode 100644
index 0000000000..d3a894123f
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/resaccumulator.go
@@ -0,0 +1,190 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package accumulator
+
+import (
+	"fmt"
+	"log"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+// ResAccumulator accumulates resources and the rules
+// used to customize those resources.  It's a ResMap
+// plus stuff needed to modify the ResMap.
+type ResAccumulator struct {
+	resMap  resmap.ResMap
+	tConfig *builtinconfig.TransformerConfig
+	varSet  types.VarSet
+}
+
+func MakeEmptyAccumulator() *ResAccumulator {
+	ra := &ResAccumulator{}
+	ra.resMap = resmap.New()
+	ra.tConfig = &builtinconfig.TransformerConfig{}
+	ra.varSet = types.NewVarSet()
+	return ra
+}
+
+// ResMap returns a copy of the internal resMap.
+func (ra *ResAccumulator) ResMap() resmap.ResMap {
+	return ra.resMap.ShallowCopy()
+}
+
+// Vars returns a copy of underlying vars.
+func (ra *ResAccumulator) Vars() []types.Var {
+	return ra.varSet.AsSlice()
+}
+
+func (ra *ResAccumulator) AppendAll(resources resmap.ResMap) error {
+	return ra.resMap.AppendAll(resources)
+}
+
+func (ra *ResAccumulator) AbsorbAll(resources resmap.ResMap) error {
+	return ra.resMap.AbsorbAll(resources)
+}
+
+func (ra *ResAccumulator) MergeConfig(
+	tConfig *builtinconfig.TransformerConfig) (err error) {
+	ra.tConfig, err = ra.tConfig.Merge(tConfig)
+	return err
+}
+
+func (ra *ResAccumulator) GetTransformerConfig() *builtinconfig.TransformerConfig {
+	return ra.tConfig
+}
+
+// MergeVars accumulates vars into ResAccumulator.
+// A Var is a tuple of name, object reference and field reference.
+// This func takes a list of vars from the current kustomization file and
+// annotates the accumulated resources with the names of the vars that match
+// those resources.  E.g. if there's a var named "sam" that wants to get
+// its data from a ConfigMap named "james", and the resource list contains a
+// ConfigMap named "james", then that ConfigMap will be annotated with the
+// var name "sam".  Later this annotation is used to find the data for "sam"
+// by digging into a particular fieldpath of "james".
+func (ra *ResAccumulator) MergeVars(incoming []types.Var) error {
+	for _, v := range incoming {
+		targetId := resid.NewResIdWithNamespace(v.ObjRef.GVK(), v.ObjRef.Name, v.ObjRef.Namespace)
+		idMatcher := targetId.GvknEquals
+		if targetId.Namespace != "" || targetId.IsClusterScoped() {
+			// Preserve backward compatibility. An empty namespace means
+			// wildcard search on the namespace hence we still use GvknEquals
+			idMatcher = targetId.Equals
+		}
+		matched := ra.resMap.GetMatchingResourcesByAnyId(idMatcher)
+		if len(matched) > 1 {
+			return fmt.Errorf(
+				"found %d resId matches for var %s "+
+					"(unable to disambiguate)",
+				len(matched), v)
+		}
+		if len(matched) == 1 {
+			matched[0].AppendRefVarName(v)
+		}
+	}
+	return ra.varSet.MergeSlice(incoming)
+}
+
+func (ra *ResAccumulator) MergeAccumulator(other *ResAccumulator) (err error) {
+	err = ra.AppendAll(other.resMap)
+	if err != nil {
+		return err
+	}
+	err = ra.MergeConfig(other.tConfig)
+	if err != nil {
+		return err
+	}
+	return ra.varSet.MergeSet(other.varSet)
+}
+
+func (ra *ResAccumulator) findVarValueFromResources(v types.Var) (interface{}, error) {
+	for _, res := range ra.resMap.Resources() {
+		for _, varName := range res.GetRefVarNames() {
+			if varName == v.Name {
+				s, err := res.GetFieldValue(v.FieldRef.FieldPath)
+				if err != nil {
+					return "", fmt.Errorf(
+						"field specified in var '%v' "+
+							"not found in corresponding resource", v)
+				}
+				return s, nil
+			}
+		}
+	}
+	return "", fmt.Errorf(
+		"var '%v' cannot be mapped to a field "+
+			"in the set of known resources", v)
+}
+
+// makeVarReplacementMap returns a map of Var names to
+// their final values. The values are strings intended
+// for substitution wherever the $(var.Name) occurs.
+func (ra *ResAccumulator) makeVarReplacementMap() (map[string]interface{}, error) {
+	result := map[string]interface{}{}
+	for _, v := range ra.Vars() {
+		s, err := ra.findVarValueFromResources(v)
+		if err != nil {
+			return nil, err
+		}
+		result[v.Name] = s
+	}
+	return result, nil
+}
+
+func (ra *ResAccumulator) Transform(t resmap.Transformer) error {
+	return t.Transform(ra.resMap)
+}
+
+func (ra *ResAccumulator) ResolveVars() error {
+	replacementMap, err := ra.makeVarReplacementMap()
+	if err != nil {
+		return err
+	}
+	if len(replacementMap) == 0 {
+		return nil
+	}
+	t := newRefVarTransformer(
+		replacementMap, ra.tConfig.VarReference)
+	err = ra.Transform(t)
+	if len(t.UnusedVars()) > 0 {
+		log.Printf(
+			"well-defined vars that were never replaced: %s\n",
+			strings.Join(t.UnusedVars(), ","))
+	}
+	return err
+}
+
+func (ra *ResAccumulator) FixBackReferences() (err error) {
+	if ra.tConfig.NameReference == nil {
+		return nil
+	}
+	return ra.Transform(
+		newNameReferenceTransformer(ra.tConfig.NameReference))
+}
+
+// Intersection drops the resources which "other" does not have.
+func (ra *ResAccumulator) Intersection(other resmap.ResMap) error {
+	otherIds := other.AllIds() //nolint:revive
+	for _, curId := range ra.resMap.AllIds() {
+		toDelete := true
+		for _, otherId := range otherIds {
+			if otherId == curId {
+				toDelete = false
+				break
+			}
+		}
+		if toDelete {
+			err := ra.resMap.Remove(curId)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/AnnotationsTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/AnnotationsTransformer.go
new file mode 100644
index 0000000000..0910c472b8
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/AnnotationsTransformer.go
@@ -0,0 +1,38 @@
+// Code generated by pluginator on AnnotationsTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/annotations"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+// Add the given annotations to the given field specifications.
+type AnnotationsTransformerPlugin struct {
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+	FieldSpecs  []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *AnnotationsTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Annotations = nil
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *AnnotationsTransformerPlugin) Transform(m resmap.ResMap) error {
+	if len(p.Annotations) == 0 {
+		return nil
+	}
+	return m.ApplyFilter(annotations.Filter{
+		Annotations: p.Annotations,
+		FsSlice:     p.FieldSpecs,
+	})
+}
+
+func NewAnnotationsTransformerPlugin() resmap.TransformerPlugin {
+	return &AnnotationsTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ConfigMapGenerator.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ConfigMapGenerator.go
new file mode 100644
index 0000000000..dc18bce858
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ConfigMapGenerator.go
@@ -0,0 +1,39 @@
+// Code generated by pluginator on ConfigMapGenerator; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/kv"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+type ConfigMapGeneratorPlugin struct {
+	h                *resmap.PluginHelpers
+	types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	types.ConfigMapArgs
+}
+
+func (p *ConfigMapGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) {
+	p.ConfigMapArgs = types.ConfigMapArgs{}
+	err = yaml.Unmarshal(config, p)
+	if p.ConfigMapArgs.Name == "" {
+		p.ConfigMapArgs.Name = p.Name
+	}
+	if p.ConfigMapArgs.Namespace == "" {
+		p.ConfigMapArgs.Namespace = p.Namespace
+	}
+	p.h = h
+	return
+}
+
+func (p *ConfigMapGeneratorPlugin) Generate() (resmap.ResMap, error) {
+	return p.h.ResmapFactory().FromConfigMapArgs(
+		kv.NewLoader(p.h.Loader(), p.h.Validator()), p.ConfigMapArgs)
+}
+
+func NewConfigMapGeneratorPlugin() resmap.GeneratorPlugin {
+	return &ConfigMapGeneratorPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HashTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HashTransformer.go
new file mode 100644
index 0000000000..ec23312651
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HashTransformer.go
@@ -0,0 +1,40 @@
+// Code generated by pluginator on HashTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/resmap"
+)
+
+type HashTransformerPlugin struct {
+	hasher ifc.KustHasher
+}
+
+func (p *HashTransformerPlugin) Config(
+	h *resmap.PluginHelpers, _ []byte) (err error) {
+	p.hasher = h.ResmapFactory().RF().Hasher()
+	return nil
+}
+
+// Transform appends hash to generated resources.
+func (p *HashTransformerPlugin) Transform(m resmap.ResMap) error {
+	for _, res := range m.Resources() {
+		if res.NeedHashSuffix() {
+			h, err := res.Hash(p.hasher)
+			if err != nil {
+				return err
+			}
+			res.StorePreviousId()
+			res.SetName(fmt.Sprintf("%s-%s", res.GetName(), h))
+		}
+	}
+	return nil
+}
+
+func NewHashTransformerPlugin() resmap.TransformerPlugin {
+	return &HashTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HelmChartInflationGenerator.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HelmChartInflationGenerator.go
new file mode 100644
index 0000000000..5811e73eca
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HelmChartInflationGenerator.go
@@ -0,0 +1,383 @@
+// Code generated by pluginator on HelmChartInflationGenerator; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"slices"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	kyaml "sigs.k8s.io/kustomize/kyaml/yaml"
+	"sigs.k8s.io/kustomize/kyaml/yaml/merge2"
+	"sigs.k8s.io/yaml"
+)
+
+// Generate resources from a remote or local helm chart.
+type HelmChartInflationGeneratorPlugin struct {
+	h *resmap.PluginHelpers
+	types.HelmGlobals
+	types.HelmChart
+	tmpDir string
+}
+
+const (
+	valuesMergeOptionMerge    = "merge"
+	valuesMergeOptionOverride = "override"
+	valuesMergeOptionReplace  = "replace"
+)
+
+var legalMergeOptions = []string{
+	valuesMergeOptionMerge,
+	valuesMergeOptionOverride,
+	valuesMergeOptionReplace,
+}
+
+// Config uses the input plugin configurations `config` to setup the generator
+// options
+func (p *HelmChartInflationGeneratorPlugin) Config(
+	h *resmap.PluginHelpers, config []byte) (err error) {
+	if h.GeneralConfig() == nil {
+		return fmt.Errorf("unable to access general config")
+	}
+	if !h.GeneralConfig().HelmConfig.Enabled {
+		return fmt.Errorf("must specify --enable-helm")
+	}
+	if h.GeneralConfig().HelmConfig.Command == "" {
+		return fmt.Errorf("must specify --helm-command")
+	}
+
+	// CLI args takes precedence
+	if h.GeneralConfig().HelmConfig.KubeVersion != "" {
+		p.HelmChart.KubeVersion = h.GeneralConfig().HelmConfig.KubeVersion
+	}
+	if len(h.GeneralConfig().HelmConfig.ApiVersions) != 0 {
+		p.HelmChart.ApiVersions = h.GeneralConfig().HelmConfig.ApiVersions
+	}
+	if h.GeneralConfig().HelmConfig.Debug {
+		p.HelmChart.Debug = h.GeneralConfig().HelmConfig.Debug
+	}
+
+	p.h = h
+	if err = yaml.Unmarshal(config, p); err != nil {
+		return
+	}
+	return p.validateArgs()
+}
+
+// This uses the real file system since tmpDir may be used
+// by the helm subprocess.  Cannot use a chroot jail or fake
+// filesystem since we allow the user to use previously
+// downloaded charts.  This is safe since this plugin is
+// owned by kustomize.
+func (p *HelmChartInflationGeneratorPlugin) establishTmpDir() (err error) {
+	if p.tmpDir != "" {
+		// already done.
+		return nil
+	}
+	p.tmpDir, err = os.MkdirTemp("", "kustomize-helm-")
+	return err
+}
+
+func (p *HelmChartInflationGeneratorPlugin) validateArgs() (err error) {
+	if p.Name == "" {
+		return fmt.Errorf("chart name cannot be empty")
+	}
+
+	// ChartHome might be consulted by the plugin (to read
+	// values files below it), so it must be located under
+	// the loader root (unless root restrictions are
+	// disabled, in which case this can be an absolute path).
+	if p.ChartHome == "" {
+		p.ChartHome = types.HelmDefaultHome
+	}
+
+	// The ValuesFile(s) may be consulted by the plugin, so it must
+	// be under the loader root (unless root restrictions are
+	// disabled).
+	if p.ValuesFile == "" {
+		p.ValuesFile = filepath.Join(p.absChartHome(), p.Name, "values.yaml")
+	}
+	for i, file := range p.AdditionalValuesFiles {
+		// use Load() to enforce root restrictions
+		if _, err := p.h.Loader().Load(file); err != nil {
+			return errors.WrapPrefixf(err, "could not load additionalValuesFile")
+		}
+		// the additional values filepaths must be relative to the kust root
+		p.AdditionalValuesFiles[i] = filepath.Join(p.h.Loader().Root(), file)
+	}
+
+	if err = p.errIfIllegalValuesMerge(); err != nil {
+		return err
+	}
+
+	// ConfigHome is not loaded by the plugin, and can be located anywhere.
+	if p.ConfigHome == "" {
+		if err = p.establishTmpDir(); err != nil {
+			return errors.WrapPrefixf(
+				err, "unable to create tmp dir for HELM_CONFIG_HOME")
+		}
+		p.ConfigHome = filepath.Join(p.tmpDir, "helm")
+	}
+	return nil
+}
+
+func (p *HelmChartInflationGeneratorPlugin) errIfIllegalValuesMerge() error {
+	if p.ValuesMerge == "" {
+		// Use the default.
+		p.ValuesMerge = valuesMergeOptionOverride
+		return nil
+	}
+	for _, opt := range legalMergeOptions {
+		if p.ValuesMerge == opt {
+			return nil
+		}
+	}
+	return fmt.Errorf("valuesMerge must be one of %v", legalMergeOptions)
+}
+
+func (p *HelmChartInflationGeneratorPlugin) absChartHome() string {
+	var chartHome string
+	if filepath.IsAbs(p.ChartHome) {
+		chartHome = p.ChartHome
+	} else {
+		chartHome = filepath.Join(p.h.Loader().Root(), p.ChartHome)
+	}
+
+	if p.Version != "" && p.Repo != "" {
+		return filepath.Join(chartHome, fmt.Sprintf("%s-%s", p.Name, p.Version))
+	}
+	return chartHome
+}
+
+func (p *HelmChartInflationGeneratorPlugin) runHelmCommand(
+	args []string) ([]byte, error) {
+	stdout := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+	cmd := exec.Command(p.h.GeneralConfig().HelmConfig.Command, args...)
+	cmd.Stdout = stdout
+	cmd.Stderr = stderr
+	env := []string{
+		fmt.Sprintf("HELM_CONFIG_HOME=%s", p.ConfigHome),
+		fmt.Sprintf("HELM_CACHE_HOME=%s/.cache", p.ConfigHome),
+		fmt.Sprintf("HELM_DATA_HOME=%s/.data", p.ConfigHome)}
+	cmd.Env = append(os.Environ(), env...)
+	err := cmd.Run()
+	errorOutput := stderr.String()
+	if slices.Contains(args, "--debug") {
+		errorOutput = " Helm stack trace:\n" + errorOutput + "\nHelm template:\n" + stdout.String() + "\n"
+	}
+	if err != nil {
+		helm := p.h.GeneralConfig().HelmConfig.Command
+		//nolint:govet
+		err = errors.WrapPrefixf(
+			fmt.Errorf(
+				"unable to run: '%s %s' with env=%s (is '%s' installed?): %w",
+				helm, strings.Join(args, " "), env, helm, err),
+			errorOutput,
+		)
+	}
+	return stdout.Bytes(), err
+}
+
+// createNewMergedValuesFile replaces/merges original values file with ValuesInline.
+func (p *HelmChartInflationGeneratorPlugin) createNewMergedValuesFile() (
+	path string, err error) {
+	if p.ValuesMerge == valuesMergeOptionMerge ||
+		p.ValuesMerge == valuesMergeOptionOverride {
+		if err = p.replaceValuesInline(); err != nil {
+			return "", err
+		}
+	}
+	var b []byte
+	b, err = yaml.Marshal(p.ValuesInline)
+	if err != nil {
+		return "", err
+	}
+	return p.writeValuesBytes(b)
+}
+
+func (p *HelmChartInflationGeneratorPlugin) replaceValuesInline() error {
+	pValues, err := p.h.Loader().Load(p.ValuesFile)
+	if err != nil {
+		return err
+	}
+	chValues, err := kyaml.Parse(string(pValues))
+	if err != nil {
+		return errors.WrapPrefixf(err, "could not parse values file into rnode")
+	}
+	inlineValues, err := kyaml.FromMap(p.ValuesInline)
+	if err != nil {
+		return errors.WrapPrefixf(err, "could not parse values inline into rnode")
+	}
+	var outValues *kyaml.RNode
+	switch p.ValuesMerge {
+	// Function `merge2.Merge` overrides values in dest with values from src.
+	// To achieve override or merge behavior, we pass parameters in different order.
+	// Object passed as dest will be modified, so we copy it just in case someone
+	// decides to use it after this is called.
+	case valuesMergeOptionOverride:
+		outValues, err = merge2.Merge(inlineValues, chValues.Copy(), kyaml.MergeOptions{})
+	case valuesMergeOptionMerge:
+		outValues, err = merge2.Merge(chValues, inlineValues.Copy(), kyaml.MergeOptions{})
+	}
+	if err != nil {
+		return errors.WrapPrefixf(err, "could not merge values")
+	}
+	mapValues, err := outValues.Map()
+	if err != nil {
+		return errors.WrapPrefixf(err, "could not parse merged values into map")
+	}
+	p.ValuesInline = mapValues
+	return err
+}
+
+// copyValuesFile to avoid branching.  TODO: get rid of this.
+func (p *HelmChartInflationGeneratorPlugin) copyValuesFile() (string, error) {
+	b, err := p.h.Loader().Load(p.ValuesFile)
+	if err != nil {
+		return "", err
+	}
+	return p.writeValuesBytes(b)
+}
+
+// Write a absolute path file in the tmp file system.
+func (p *HelmChartInflationGeneratorPlugin) writeValuesBytes(
+	b []byte) (string, error) {
+	if err := p.establishTmpDir(); err != nil {
+		return "", fmt.Errorf("cannot create tmp dir to write helm values")
+	}
+	path := filepath.Join(p.tmpDir, p.Name+"-kustomize-values.yaml")
+	return path, errors.WrapPrefixf(os.WriteFile(path, b, 0644), "failed to write values file")
+}
+
+func (p *HelmChartInflationGeneratorPlugin) cleanup() {
+	if p.tmpDir != "" {
+		os.RemoveAll(p.tmpDir)
+	}
+}
+
+// Generate implements generator
+func (p *HelmChartInflationGeneratorPlugin) Generate() (rm resmap.ResMap, err error) {
+	defer p.cleanup()
+	if err = p.checkHelmVersion(); err != nil {
+		return nil, err
+	}
+	if path, exists := p.chartExistsLocally(); !exists {
+		if p.Repo == "" {
+			return nil, fmt.Errorf(
+				"no repo specified for pull, no chart found at '%s'", path)
+		}
+		if _, err := p.runHelmCommand(p.pullCommand()); err != nil {
+			return nil, err
+		}
+	}
+	if len(p.ValuesInline) > 0 {
+		p.ValuesFile, err = p.createNewMergedValuesFile()
+	} else {
+		p.ValuesFile, err = p.copyValuesFile()
+	}
+	if err != nil {
+		return nil, err
+	}
+	var stdout []byte
+	stdout, err = p.runHelmCommand(p.AsHelmArgs(p.absChartHome()))
+	if err != nil {
+		return nil, err
+	}
+
+	rm, resMapErr := p.h.ResmapFactory().NewResMapFromBytes(stdout)
+	if resMapErr == nil {
+		return rm, nil
+	}
+	// try to remove the contents before first "---" because
+	// helm may produce messages to stdout before it
+	r := &kio.ByteReader{Reader: bytes.NewBuffer(stdout), OmitReaderAnnotations: true}
+	nodes, err := r.Read()
+	if err != nil {
+		return nil, fmt.Errorf("error reading helm output: %w", err)
+	}
+
+	if len(nodes) != 0 {
+		rm, err = p.h.ResmapFactory().NewResMapFromRNodeSlice(nodes)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse rnode slice into resource map: %w", err)
+		}
+		return rm, nil
+	}
+	return nil, fmt.Errorf("could not parse bytes into resource map: %w", resMapErr)
+}
+
+func (p *HelmChartInflationGeneratorPlugin) pullCommand() []string {
+	args := []string{
+		"pull",
+		"--untar",
+		"--untardir", p.absChartHome(),
+	}
+
+	switch {
+	case strings.HasPrefix(p.Repo, "oci://"):
+		args = append(args, strings.TrimSuffix(p.Repo, "/")+"/"+p.Name)
+	case p.Repo != "":
+		args = append(args, "--repo", p.Repo)
+		fallthrough
+	default:
+		args = append(args, p.Name)
+	}
+
+	if p.Version != "" {
+		args = append(args, "--version", p.Version)
+	}
+	if p.Devel {
+		args = append(args, "--devel")
+	}
+	return args
+}
+
+// chartExistsLocally will return true if the chart does exist in
+// local chart home.
+func (p *HelmChartInflationGeneratorPlugin) chartExistsLocally() (string, bool) {
+	path := filepath.Join(p.absChartHome(), p.Name)
+	s, err := os.Stat(path)
+	if err != nil {
+		return "", false
+	}
+	return path, s.IsDir()
+}
+
+// checkHelmVersion will return an error if the helm version is not V3
+func (p *HelmChartInflationGeneratorPlugin) checkHelmVersion() error {
+	stdout, err := p.runHelmCommand([]string{"version", "-c", "--short"})
+	if err != nil {
+		return err
+	}
+	r, err := regexp.Compile(`v?\d+(\.\d+)+`)
+	if err != nil {
+		return err
+	}
+	v := r.FindString(string(stdout))
+	if v == "" {
+		return fmt.Errorf("cannot find version string in %s", string(stdout))
+	}
+	if v[0] == 'v' {
+		v = v[1:]
+	}
+	majorVersion := strings.Split(v, ".")[0]
+	if majorVersion != "3" {
+		return fmt.Errorf("this plugin requires helm V3 but got v%s", v)
+	}
+	return nil
+}
+
+func NewHelmChartInflationGeneratorPlugin() resmap.GeneratorPlugin {
+	return &HelmChartInflationGeneratorPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/IAMPolicyGenerator.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/IAMPolicyGenerator.go
new file mode 100644
index 0000000000..cfb1fa81b6
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/IAMPolicyGenerator.go
@@ -0,0 +1,33 @@
+// Code generated by pluginator on IAMPolicyGenerator; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/iampolicygenerator"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+type IAMPolicyGeneratorPlugin struct {
+	types.IAMPolicyGeneratorArgs
+}
+
+func (p *IAMPolicyGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) {
+	p.IAMPolicyGeneratorArgs = types.IAMPolicyGeneratorArgs{}
+	err = yaml.Unmarshal(config, p)
+	return
+}
+
+func (p *IAMPolicyGeneratorPlugin) Generate() (resmap.ResMap, error) {
+	r := resmap.New()
+	err := r.ApplyFilter(iampolicygenerator.Filter{
+		IAMPolicyGenerator: p.IAMPolicyGeneratorArgs,
+	})
+	return r, err
+}
+
+func NewIAMPolicyGeneratorPlugin() resmap.GeneratorPlugin {
+	return &IAMPolicyGeneratorPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ImageTagTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ImageTagTransformer.go
new file mode 100644
index 0000000000..ffde73a7a1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ImageTagTransformer.go
@@ -0,0 +1,41 @@
+// Code generated by pluginator on ImageTagTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/imagetag"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+// Find matching image declarations and replace
+// the name, tag and/or digest.
+type ImageTagTransformerPlugin struct {
+	ImageTag   types.Image       `json:"imageTag,omitempty" yaml:"imageTag,omitempty"`
+	FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *ImageTagTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.ImageTag = types.Image{}
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *ImageTagTransformerPlugin) Transform(m resmap.ResMap) error {
+	if err := m.ApplyFilter(imagetag.LegacyFilter{
+		ImageTag: p.ImageTag,
+	}); err != nil {
+		return err
+	}
+	return m.ApplyFilter(imagetag.Filter{
+		ImageTag: p.ImageTag,
+		FsSlice:  p.FieldSpecs,
+	})
+}
+
+func NewImageTagTransformerPlugin() resmap.TransformerPlugin {
+	return &ImageTagTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/LabelTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/LabelTransformer.go
new file mode 100644
index 0000000000..c45731b54b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/LabelTransformer.go
@@ -0,0 +1,38 @@
+// Code generated by pluginator on LabelTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/labels"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+// Add the given labels to the given field specifications.
+type LabelTransformerPlugin struct {
+	Labels     map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *LabelTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Labels = nil
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *LabelTransformerPlugin) Transform(m resmap.ResMap) error {
+	if len(p.Labels) == 0 {
+		return nil
+	}
+	return m.ApplyFilter(labels.Filter{
+		Labels:  p.Labels,
+		FsSlice: p.FieldSpecs,
+	})
+}
+
+func NewLabelTransformerPlugin() resmap.TransformerPlugin {
+	return &LabelTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/NamespaceTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/NamespaceTransformer.go
new file mode 100644
index 0000000000..d839fb9751
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/NamespaceTransformer.go
@@ -0,0 +1,76 @@
+// Code generated by pluginator on NamespaceTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/filters/namespace"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/yaml"
+)
+
+// Change or set the namespace of non-cluster level resources.
+//
+//nolint:tagalign
+type NamespaceTransformerPlugin struct {
+	types.ObjectMeta       `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	FieldSpecs             []types.FieldSpec                `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+	UnsetOnly              bool                             `json:"unsetOnly" yaml:"unsetOnly"`
+	SetRoleBindingSubjects namespace.RoleBindingSubjectMode `json:"setRoleBindingSubjects" yaml:"setRoleBindingSubjects"`
+}
+
+func (p *NamespaceTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Namespace = ""
+	p.FieldSpecs = nil
+	if err := yaml.Unmarshal(c, p); err != nil {
+		return errors.WrapPrefixf(err, "unmarshalling NamespaceTransformer config")
+	}
+	switch p.SetRoleBindingSubjects {
+	case namespace.AllServiceAccountSubjects, namespace.DefaultSubjectsOnly, namespace.NoSubjects:
+		// valid
+	case namespace.SubjectModeUnspecified:
+		p.SetRoleBindingSubjects = namespace.DefaultSubjectsOnly
+	default:
+		return errors.Errorf("invalid value %q for setRoleBindingSubjects: "+
+			"must be one of %q, %q or %q", p.SetRoleBindingSubjects,
+			namespace.DefaultSubjectsOnly, namespace.NoSubjects, namespace.AllServiceAccountSubjects)
+	}
+
+	return nil
+}
+
+func (p *NamespaceTransformerPlugin) Transform(m resmap.ResMap) error {
+	if len(p.Namespace) == 0 {
+		return nil
+	}
+	for _, r := range m.Resources() {
+		if r.IsNilOrEmpty() {
+			// Don't mutate empty objects?
+			continue
+		}
+		r.StorePreviousId()
+		if err := r.ApplyFilter(namespace.Filter{
+			Namespace:              p.Namespace,
+			FsSlice:                p.FieldSpecs,
+			SetRoleBindingSubjects: p.SetRoleBindingSubjects,
+			UnsetOnly:              p.UnsetOnly,
+		}); err != nil {
+			return err
+		}
+		matches := m.GetMatchingResourcesByCurrentId(r.CurId().Equals)
+		if len(matches) != 1 {
+			return fmt.Errorf(
+				"namespace transformation produces ID conflict: %+v", matches)
+		}
+	}
+	return nil
+}
+
+func NewNamespaceTransformerPlugin() resmap.TransformerPlugin {
+	return &NamespaceTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchJson6902Transformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchJson6902Transformer.go
new file mode 100644
index 0000000000..04625e5109
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchJson6902Transformer.go
@@ -0,0 +1,105 @@
+// Code generated by pluginator on PatchJson6902Transformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"fmt"
+
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
+	"sigs.k8s.io/kustomize/api/filters/patchjson6902"
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/yaml"
+)
+
+type PatchJson6902TransformerPlugin struct {
+	ldr          ifc.Loader
+	decodedPatch jsonpatch.Patch
+	Target       *types.Selector `json:"target,omitempty" yaml:"target,omitempty"`
+	Path         string          `json:"path,omitempty" yaml:"path,omitempty"`
+	JsonOp       string          `json:"jsonOp,omitempty" yaml:"jsonOp,omitempty"`
+}
+
+func (p *PatchJson6902TransformerPlugin) Config(
+	h *resmap.PluginHelpers, c []byte) (err error) {
+	p.ldr = h.Loader()
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return err
+	}
+	if p.Target.Name == "" {
+		return fmt.Errorf("must specify the target name")
+	}
+	if p.Path == "" && p.JsonOp == "" {
+		return fmt.Errorf("empty file path and empty jsonOp")
+	}
+	if p.Path != "" {
+		if p.JsonOp != "" {
+			return fmt.Errorf("must specify a file path or jsonOp, not both")
+		}
+		rawOp, err := p.ldr.Load(p.Path)
+		if err != nil {
+			return err
+		}
+		p.JsonOp = string(rawOp)
+		if p.JsonOp == "" {
+			return fmt.Errorf("patch file '%s' empty seems to be empty", p.Path)
+		}
+	}
+	if p.JsonOp[0] != '[' {
+		// if it doesn't seem to be JSON, imagine
+		// it is YAML, and convert to JSON.
+		op, err := yaml.YAMLToJSON([]byte(p.JsonOp))
+		if err != nil {
+			return err
+		}
+		p.JsonOp = string(op)
+	}
+	p.decodedPatch, err = jsonpatch.DecodePatch([]byte(p.JsonOp))
+	if err != nil {
+		return errors.WrapPrefixf(err, "decoding %s", p.JsonOp)
+	}
+	if len(p.decodedPatch) == 0 {
+		return fmt.Errorf(
+			"patch appears to be empty; file=%s, JsonOp=%s", p.Path, p.JsonOp)
+	}
+	return err
+}
+
+func (p *PatchJson6902TransformerPlugin) Transform(m resmap.ResMap) error {
+	if p.Target == nil {
+		return fmt.Errorf("must specify a target for patch %s", p.JsonOp)
+	}
+	resources, err := m.Select(*p.Target)
+	if err != nil {
+		return err
+	}
+	for _, res := range resources {
+		internalAnnotations := kioutil.GetInternalAnnotations(&res.RNode)
+
+		err = res.ApplyFilter(patchjson6902.Filter{
+			Patch: p.JsonOp,
+		})
+		if err != nil {
+			return err
+		}
+
+		annotations := res.GetAnnotations()
+		for key, value := range internalAnnotations {
+			annotations[key] = value
+		}
+		err = res.SetAnnotations(annotations)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func NewPatchJson6902TransformerPlugin() resmap.TransformerPlugin {
+	return &PatchJson6902TransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchStrategicMergeTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchStrategicMergeTransformer.go
new file mode 100644
index 0000000000..d68f2425ea
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchStrategicMergeTransformer.go
@@ -0,0 +1,89 @@
+// Code generated by pluginator on PatchStrategicMergeTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+type PatchStrategicMergeTransformerPlugin struct {
+	loadedPatches []*resource.Resource
+	Paths         []types.PatchStrategicMerge `json:"paths,omitempty" yaml:"paths,omitempty"`
+	Patches       string                      `json:"patches,omitempty" yaml:"patches,omitempty"`
+}
+
+func (p *PatchStrategicMergeTransformerPlugin) Config(
+	h *resmap.PluginHelpers, c []byte) (err error) {
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return err
+	}
+	if len(p.Paths) == 0 && p.Patches == "" {
+		return fmt.Errorf("empty file path and empty patch content")
+	}
+	if len(p.Paths) != 0 {
+		patches, err := loadFromPaths(h, p.Paths)
+		if err != nil {
+			return err
+		}
+		p.loadedPatches = append(p.loadedPatches, patches...)
+	}
+	if p.Patches != "" {
+		patches, err := h.ResmapFactory().RF().SliceFromBytes([]byte(p.Patches))
+		if err != nil {
+			return err
+		}
+		p.loadedPatches = append(p.loadedPatches, patches...)
+	}
+	if len(p.loadedPatches) == 0 {
+		return fmt.Errorf(
+			"patch appears to be empty; files=%v, Patch=%s", p.Paths, p.Patches)
+	}
+	return nil
+}
+
+func loadFromPaths(
+	h *resmap.PluginHelpers,
+	paths []types.PatchStrategicMerge) (
+	result []*resource.Resource, err error) {
+	var patches []*resource.Resource
+	for _, path := range paths {
+		// For legacy reasons, attempt to treat the path string as
+		// actual patch content.
+		patches, err = h.ResmapFactory().RF().SliceFromBytes([]byte(path))
+		if err != nil {
+			// Failing that, treat it as a file path.
+			patches, err = h.ResmapFactory().RF().SliceFromPatches(
+				h.Loader(), []types.PatchStrategicMerge{path})
+			if err != nil {
+				return
+			}
+		}
+		result = append(result, patches...)
+	}
+	return
+}
+
+func (p *PatchStrategicMergeTransformerPlugin) Transform(m resmap.ResMap) error {
+	for _, patch := range p.loadedPatches {
+		target, err := m.GetById(patch.OrgId())
+		if err != nil {
+			return err
+		}
+		if err = m.ApplySmPatch(
+			resource.MakeIdSet([]*resource.Resource{target}), patch); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func NewPatchStrategicMergeTransformerPlugin() resmap.TransformerPlugin {
+	return &PatchStrategicMergeTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchTransformer.go
new file mode 100644
index 0000000000..05d96f23ca
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchTransformer.go
@@ -0,0 +1,174 @@
+// Code generated by pluginator on PatchTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"fmt"
+	"strings"
+
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
+	"sigs.k8s.io/kustomize/api/filters/patchjson6902"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/yaml"
+)
+
+type PatchTransformerPlugin struct {
+	smPatches   []*resource.Resource // strategic-merge patches
+	jsonPatches jsonpatch.Patch      // json6902 patch
+	// patchText is pure patch text created by Path or Patch
+	patchText string
+	// patchSource is patch source message
+	patchSource string
+	Path        string          `json:"path,omitempty"    yaml:"path,omitempty"`
+	Patch       string          `json:"patch,omitempty"   yaml:"patch,omitempty"`
+	Target      *types.Selector `json:"target,omitempty"  yaml:"target,omitempty"`
+	Options     map[string]bool `json:"options,omitempty" yaml:"options,omitempty"`
+}
+
+func (p *PatchTransformerPlugin) Config(h *resmap.PluginHelpers, c []byte) error {
+	if err := yaml.Unmarshal(c, p); err != nil {
+		return err
+	}
+
+	p.Patch = strings.TrimSpace(p.Patch)
+	switch {
+	case p.Patch == "" && p.Path == "":
+		return fmt.Errorf("must specify one of patch and path in\n%s", string(c))
+	case p.Patch != "" && p.Path != "":
+		return fmt.Errorf("patch and path can't be set at the same time\n%s", string(c))
+	case p.Patch != "":
+		p.patchText = p.Patch
+		p.patchSource = fmt.Sprintf("[patch: %q]", p.patchText)
+	case p.Path != "":
+		loaded, err := h.Loader().Load(p.Path)
+		if err != nil {
+			return fmt.Errorf("failed to get the patch file from path(%s): %w", p.Path, err)
+		}
+		p.patchText = string(loaded)
+		p.patchSource = fmt.Sprintf("[path: %q]", p.Path)
+	}
+
+	patchesSM, errSM := h.ResmapFactory().RF().SliceFromBytes([]byte(p.patchText))
+	patchesJson, errJson := jsonPatchFromBytes([]byte(p.patchText))
+
+	if ((errSM == nil && errJson == nil) ||
+		(patchesSM != nil && patchesJson != nil)) &&
+		(len(patchesSM) > 0 && len(patchesJson) > 0) {
+		return fmt.Errorf(
+			"illegally qualifies as both an SM and JSON patch: %s",
+			p.patchSource)
+	}
+	if errSM != nil && errJson != nil {
+		return fmt.Errorf(
+			"unable to parse SM or JSON patch from %s", p.patchSource)
+	}
+	if errSM == nil {
+		p.smPatches = patchesSM
+		for _, loadedPatch := range p.smPatches {
+			if p.Options["allowNameChange"] {
+				loadedPatch.AllowNameChange()
+			}
+			if p.Options["allowKindChange"] {
+				loadedPatch.AllowKindChange()
+			}
+		}
+	} else {
+		p.jsonPatches = patchesJson
+	}
+	return nil
+}
+
+func (p *PatchTransformerPlugin) Transform(m resmap.ResMap) error {
+	if p.smPatches != nil {
+		return p.transformStrategicMerge(m)
+	}
+	return p.transformJson6902(m)
+}
+
+// transformStrategicMerge applies each loaded strategic merge patch
+// to the resource in the ResMap that matches the identifier of the patch.
+// If only one patch is specified, the Target can be used instead.
+func (p *PatchTransformerPlugin) transformStrategicMerge(m resmap.ResMap) error {
+	if p.Target != nil {
+		if len(p.smPatches) > 1 {
+			// detail: https://github.com/kubernetes-sigs/kustomize/issues/5049#issuecomment-1440604403
+			return fmt.Errorf("Multiple Strategic-Merge Patches in one `patches` entry is not allowed to set `patches.target` field: %s", p.patchSource)
+		}
+
+		// single patch
+		patch := p.smPatches[0]
+		selected, err := m.Select(*p.Target)
+		if err != nil {
+			return fmt.Errorf("unable to find patch target %q in `resources`: %w", p.Target, err)
+		}
+		return errors.Wrap(m.ApplySmPatch(resource.MakeIdSet(selected), patch))
+	}
+
+	for _, patch := range p.smPatches {
+		target, err := m.GetById(patch.OrgId())
+		if err != nil {
+			return fmt.Errorf("no resource matches strategic merge patch %q: %w", patch.OrgId(), err)
+		}
+		if err := target.ApplySmPatch(patch); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+	return nil
+}
+
+// transformJson6902 applies json6902 Patch to all the resources in the ResMap that match Target.
+func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap) error {
+	if p.Target == nil {
+		return fmt.Errorf("must specify a target for JSON patch %s", p.patchSource)
+	}
+	resources, err := m.Select(*p.Target)
+	if err != nil {
+		return err
+	}
+	for _, res := range resources {
+		res.StorePreviousId()
+		internalAnnotations := kioutil.GetInternalAnnotations(&res.RNode)
+		err = res.ApplyFilter(patchjson6902.Filter{
+			Patch: p.patchText,
+		})
+		if err != nil {
+			return err
+		}
+
+		annotations := res.GetAnnotations()
+		for key, value := range internalAnnotations {
+			annotations[key] = value
+		}
+		err = res.SetAnnotations(annotations)
+	}
+	return nil
+}
+
+// jsonPatchFromBytes loads a Json 6902 patch from a bytes input
+func jsonPatchFromBytes(in []byte) (jsonpatch.Patch, error) {
+	ops := string(in)
+	if ops == "" {
+		return nil, fmt.Errorf("empty json patch operations")
+	}
+
+	if ops[0] != '[' {
+		// TODO(5049):
+		//   In the case of multiple yaml documents, return error instead of ignoring all but first.
+		//   Details: https://github.com/kubernetes-sigs/kustomize/pull/5194#discussion_r1256686728
+		jsonOps, err := yaml.YAMLToJSON(in)
+		if err != nil {
+			return nil, err
+		}
+		ops = string(jsonOps)
+	}
+	return jsonpatch.DecodePatch([]byte(ops))
+}
+
+func NewPatchTransformerPlugin() resmap.TransformerPlugin {
+	return &PatchTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PrefixTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PrefixTransformer.go
new file mode 100644
index 0000000000..33700bb4b1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PrefixTransformer.go
@@ -0,0 +1,96 @@
+// Code generated by pluginator on PrefixTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"errors"
+
+	"sigs.k8s.io/kustomize/api/filters/prefix"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Add the given prefix to the field
+type PrefixTransformerPlugin struct {
+	Prefix     string        `json:"prefix,omitempty" yaml:"prefix,omitempty"`
+	FieldSpecs types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+// TODO: Make this gvk skip list part of the config.
+var prefixFieldSpecsToSkip = types.FsSlice{
+	{Gvk: resid.Gvk{Kind: "CustomResourceDefinition"}},
+	{Gvk: resid.Gvk{Group: "apiregistration.k8s.io", Kind: "APIService"}},
+	{Gvk: resid.Gvk{Kind: "Namespace"}},
+}
+
+func (p *PrefixTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Prefix = ""
+	p.FieldSpecs = nil
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return
+	}
+	if p.FieldSpecs == nil {
+		return errors.New("fieldSpecs is not expected to be nil")
+	}
+	return
+}
+
+func (p *PrefixTransformerPlugin) Transform(m resmap.ResMap) error {
+	// Even if the Prefix is empty we want to proceed with the
+	// transformation. This allows to add contextual information
+	// to the resources (AddNamePrefix).
+	for _, r := range m.Resources() {
+		// TODO: move this test into the filter (i.e. make a better filter)
+		if p.shouldSkip(r.OrgId()) {
+			continue
+		}
+		id := r.OrgId()
+		// current default configuration contains
+		// only one entry: "metadata/name" with no GVK
+		for _, fs := range p.FieldSpecs {
+			// TODO: this is redundant to filter (but needed for now)
+			if !id.IsSelected(&fs.Gvk) {
+				continue
+			}
+			// TODO: move this test into the filter.
+			if fs.Path == "metadata/name" {
+				// "metadata/name" is the only field.
+				// this will add a prefix to the resource
+				// even if it is empty
+
+				r.AddNamePrefix(p.Prefix)
+				if p.Prefix != "" {
+					// TODO: There are multiple transformers that can change a resource's name, and each makes a call to
+					// StorePreviousID(). We should make it so that we only call StorePreviousID once per kustomization layer
+					// to avoid storing intermediate names between transformations, to prevent intermediate name conflicts.
+					r.StorePreviousId()
+				}
+			}
+			if err := r.ApplyFilter(prefix.Filter{
+				Prefix:    p.Prefix,
+				FieldSpec: fs,
+			}); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (p *PrefixTransformerPlugin) shouldSkip(id resid.ResId) bool {
+	for _, path := range prefixFieldSpecsToSkip {
+		if id.IsSelected(&path.Gvk) {
+			return true
+		}
+	}
+	return false
+}
+
+func NewPrefixTransformerPlugin() resmap.TransformerPlugin {
+	return &PrefixTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplacementTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplacementTransformer.go
new file mode 100644
index 0000000000..ef0c932128
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplacementTransformer.go
@@ -0,0 +1,78 @@
+// Code generated by pluginator on ReplacementTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"fmt"
+	"reflect"
+
+	"sigs.k8s.io/kustomize/api/filters/replacement"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+// Replace values in targets with values from a source
+type ReplacementTransformerPlugin struct {
+	ReplacementList []types.ReplacementField `json:"replacements,omitempty" yaml:"replacements,omitempty"`
+	replacements    []types.Replacement
+}
+
+func (p *ReplacementTransformerPlugin) Config(
+	h *resmap.PluginHelpers, c []byte) (err error) {
+	p.ReplacementList = []types.ReplacementField{}
+	if err := yaml.Unmarshal(c, p); err != nil {
+		return err
+	}
+
+	for _, r := range p.ReplacementList {
+		if r.Path != "" && (r.Source != nil || len(r.Targets) != 0) {
+			return fmt.Errorf("cannot specify both path and inline replacement")
+		}
+		if r.Path != "" {
+			// load the replacement from the path
+			content, err := h.Loader().Load(r.Path)
+			if err != nil {
+				return err
+			}
+			// find if the path contains a a list of replacements or a single replacement
+			var replacement interface{}
+			err = yaml.Unmarshal(content, &replacement)
+			if err != nil {
+				return err
+			}
+			items := reflect.ValueOf(replacement)
+			switch items.Kind() {
+			case reflect.Slice:
+				repl := []types.Replacement{}
+				if err := yaml.Unmarshal(content, &repl); err != nil {
+					return err
+				}
+				p.replacements = append(p.replacements, repl...)
+			case reflect.Map:
+				repl := types.Replacement{}
+				if err := yaml.Unmarshal(content, &repl); err != nil {
+					return err
+				}
+				p.replacements = append(p.replacements, repl)
+			default:
+				return fmt.Errorf("unsupported replacement type encountered within replacement path: %v", items.Kind())
+			}
+		} else {
+			// replacement information is already loaded
+			p.replacements = append(p.replacements, r.Replacement)
+		}
+	}
+	return nil
+}
+
+func (p *ReplacementTransformerPlugin) Transform(m resmap.ResMap) (err error) {
+	return m.ApplyFilter(replacement.Filter{
+		Replacements: p.replacements,
+	})
+}
+
+func NewReplacementTransformerPlugin() resmap.TransformerPlugin {
+	return &ReplacementTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplicaCountTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplicaCountTransformer.go
new file mode 100644
index 0000000000..c87d64251c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplicaCountTransformer.go
@@ -0,0 +1,73 @@
+// Code generated by pluginator on ReplicaCountTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/filters/replicacount"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/yaml"
+)
+
+// Find matching replicas declarations and replace the count.
+// Eases the kustomization configuration of replica changes.
+type ReplicaCountTransformerPlugin struct {
+	Replica    types.Replica     `json:"replica,omitempty" yaml:"replica,omitempty"`
+	FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *ReplicaCountTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Replica = types.Replica{}
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *ReplicaCountTransformerPlugin) Transform(m resmap.ResMap) error {
+	found := false
+	for _, fs := range p.FieldSpecs {
+		matcher := p.createMatcher(fs)
+		resList := m.GetMatchingResourcesByAnyId(matcher)
+		if len(resList) > 0 {
+			found = true
+			for _, r := range resList {
+				// There are redundant checks in the filter
+				// that we'll live with until resolution of
+				// https://github.com/kubernetes-sigs/kustomize/issues/2506
+				err := r.ApplyFilter(replicacount.Filter{
+					Replica:   p.Replica,
+					FieldSpec: fs,
+				})
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	if !found {
+		gvks := make([]string, len(p.FieldSpecs))
+		for i, replicaSpec := range p.FieldSpecs {
+			gvks[i] = replicaSpec.Gvk.String()
+		}
+		return fmt.Errorf("resource with name %s does not match a config with the following GVK %v",
+			p.Replica.Name, gvks)
+	}
+
+	return nil
+}
+
+// Match Replica.Name and FieldSpec
+func (p *ReplicaCountTransformerPlugin) createMatcher(fs types.FieldSpec) resmap.IdMatcher {
+	return func(r resid.ResId) bool {
+		return r.Name == p.Replica.Name && r.Gvk.IsSelected(&fs.Gvk)
+	}
+}
+
+func NewReplicaCountTransformerPlugin() resmap.TransformerPlugin {
+	return &ReplicaCountTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SecretGenerator.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SecretGenerator.go
new file mode 100644
index 0000000000..2a4ef1c903
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SecretGenerator.go
@@ -0,0 +1,39 @@
+// Code generated by pluginator on SecretGenerator; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/kv"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+type SecretGeneratorPlugin struct {
+	h                *resmap.PluginHelpers
+	types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	types.SecretArgs
+}
+
+func (p *SecretGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) {
+	p.SecretArgs = types.SecretArgs{}
+	err = yaml.Unmarshal(config, p)
+	if p.SecretArgs.Name == "" {
+		p.SecretArgs.Name = p.Name
+	}
+	if p.SecretArgs.Namespace == "" {
+		p.SecretArgs.Namespace = p.Namespace
+	}
+	p.h = h
+	return
+}
+
+func (p *SecretGeneratorPlugin) Generate() (resmap.ResMap, error) {
+	return p.h.ResmapFactory().FromSecretArgs(
+		kv.NewLoader(p.h.Loader(), p.h.Validator()), p.SecretArgs)
+}
+
+func NewSecretGeneratorPlugin() resmap.GeneratorPlugin {
+	return &SecretGeneratorPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SortOrderTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SortOrderTransformer.go
new file mode 100644
index 0000000000..90e290719e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SortOrderTransformer.go
@@ -0,0 +1,238 @@
+// Code generated by pluginator on SortOrderTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"sort"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/yaml"
+)
+
+// Sort the resources using a customizable ordering based of Kind.
+// Defaults to the ordering of the GVK struct, which puts cluster-wide basic
+// resources with no dependencies (like Namespace, StorageClass, etc.) first,
+// and resources with a high number of dependencies
+// (like ValidatingWebhookConfiguration) last.
+type SortOrderTransformerPlugin struct {
+	SortOptions *types.SortOptions `json:"sortOptions,omitempty" yaml:"sortOptions,omitempty"`
+}
+
+func (p *SortOrderTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) error {
+	return errors.WrapPrefixf(yaml.Unmarshal(c, p), "Failed to unmarshal SortOrderTransformer config")
+}
+
+func (p *SortOrderTransformerPlugin) applyDefaults() {
+	// Default to FIFO sort, aka no-op.
+	if p.SortOptions == nil {
+		p.SortOptions = &types.SortOptions{
+			Order: types.FIFOSortOrder,
+		}
+	}
+
+	// If legacy sort is selected and no options are given, default to
+	// hardcoded order.
+	if p.SortOptions.Order == types.LegacySortOrder && p.SortOptions.LegacySortOptions == nil {
+		p.SortOptions.LegacySortOptions = &types.LegacySortOptions{
+			OrderFirst: defaultOrderFirst,
+			OrderLast:  defaultOrderLast,
+		}
+	}
+}
+
+func (p *SortOrderTransformerPlugin) validate() error {
+	// Check valid values for SortOrder
+	if p.SortOptions.Order != types.FIFOSortOrder && p.SortOptions.Order != types.LegacySortOrder {
+		return errors.Errorf("the field 'sortOptions.order' must be one of [%s, %s]",
+			types.FIFOSortOrder, types.LegacySortOrder)
+	}
+
+	// Validate that the only options set are the ones corresponding to the
+	// selected sort order.
+	if p.SortOptions.Order == types.FIFOSortOrder &&
+		p.SortOptions.LegacySortOptions != nil {
+		return errors.Errorf("the field 'sortOptions.legacySortOptions' is"+
+			" set but the selected sort order is '%v', not 'legacy'",
+			p.SortOptions.Order)
+	}
+	return nil
+}
+
+func (p *SortOrderTransformerPlugin) Transform(m resmap.ResMap) (err error) {
+	p.applyDefaults()
+	err = p.validate()
+	if err != nil {
+		return err
+	}
+
+	// Sort
+	if p.SortOptions.Order == types.LegacySortOrder {
+		s := newLegacyIDSorter(m.Resources(), p.SortOptions.LegacySortOptions)
+		sort.Sort(s)
+
+		// Clear the map and re-add the resources in the sorted order.
+		m.Clear()
+		for _, r := range s.resources {
+			err := m.Append(r)
+			if err != nil {
+				return errors.WrapPrefixf(err, "SortOrderTransformer: Failed to append to resources")
+			}
+		}
+	}
+	return nil
+}
+
+// Code for legacy sorting.
+// Legacy sorting is a "fixed" order sorting maintained for backwards
+// compatibility.
+
+// legacyIDSorter sorts resources based on two priority lists:
+// - orderFirst: Resources that should be placed in the start, in the given order.
+// - orderLast: Resources that should be placed in the end, in the given order.
+type legacyIDSorter struct {
+	// resids only stores the metadata of the object. This is an optimization as
+	// it's expensive to compute these again and again during ordering.
+	resids []resid.ResId
+	// Initially, we sorted the metadata (ResId) of each object and then called GetByCurrentId on each to construct the final list.
+	// The problem is that GetByCurrentId is inefficient and does a linear scan in a list every time we do that.
+	// So instead, we sort resources alongside the ResIds.
+	resources []*resource.Resource
+
+	typeOrders map[string]int
+}
+
+func newLegacyIDSorter(
+	resources []*resource.Resource,
+	options *types.LegacySortOptions) *legacyIDSorter {
+	// Precalculate a resource ranking based on the priority lists.
+	var typeOrders = func() map[string]int {
+		m := map[string]int{}
+		for i, n := range options.OrderFirst {
+			m[n] = -len(options.OrderFirst) + i
+		}
+		for i, n := range options.OrderLast {
+			m[n] = 1 + i
+		}
+		return m
+	}()
+
+	ret := &legacyIDSorter{typeOrders: typeOrders}
+	for _, res := range resources {
+		ret.resids = append(ret.resids, res.CurId())
+		ret.resources = append(ret.resources, res)
+	}
+	return ret
+}
+
+var _ sort.Interface = legacyIDSorter{}
+
+func (a legacyIDSorter) Len() int { return len(a.resids) }
+func (a legacyIDSorter) Swap(i, j int) {
+	a.resids[i], a.resids[j] = a.resids[j], a.resids[i]
+	a.resources[i], a.resources[j] = a.resources[j], a.resources[i]
+}
+func (a legacyIDSorter) Less(i, j int) bool {
+	if !a.resids[i].Gvk.Equals(a.resids[j].Gvk) {
+		return gvkLessThan(a.resids[i].Gvk, a.resids[j].Gvk, a.typeOrders)
+	}
+	return legacyResIDSortString(a.resids[i]) < legacyResIDSortString(a.resids[j])
+}
+
+func gvkLessThan(gvk1, gvk2 resid.Gvk, typeOrders map[string]int) bool {
+	index1 := typeOrders[gvk1.Kind]
+	index2 := typeOrders[gvk2.Kind]
+	if index1 != index2 {
+		return index1 < index2
+	}
+	if (gvk1.Kind == types.NamespaceKind && gvk2.Kind == types.NamespaceKind) && (gvk1.Group == "" || gvk2.Group == "") {
+		return legacyGVKSortString(gvk1) > legacyGVKSortString(gvk2)
+	}
+	return legacyGVKSortString(gvk1) < legacyGVKSortString(gvk2)
+}
+
+// legacyGVKSortString returns a string representation of given GVK used for
+// stable sorting.
+func legacyGVKSortString(x resid.Gvk) string {
+	legacyNoGroup := "~G"
+	legacyNoVersion := "~V"
+	legacyNoKind := "~K"
+	legacyFieldSeparator := "_"
+
+	g := x.Group
+	if g == "" {
+		g = legacyNoGroup
+	}
+	v := x.Version
+	if v == "" {
+		v = legacyNoVersion
+	}
+	k := x.Kind
+	if k == "" {
+		k = legacyNoKind
+	}
+	return strings.Join([]string{g, v, k}, legacyFieldSeparator)
+}
+
+// legacyResIDSortString returns a string representation of given ResID used for
+// stable sorting.
+func legacyResIDSortString(id resid.ResId) string {
+	legacyNoNamespace := "~X"
+	legacyNoName := "~N"
+	legacySeparator := "|"
+
+	ns := id.Namespace
+	if ns == "" {
+		ns = legacyNoNamespace
+	}
+	nm := id.Name
+	if nm == "" {
+		nm = legacyNoName
+	}
+	return strings.Join(
+		[]string{id.Gvk.String(), ns, nm}, legacySeparator)
+}
+
+// DO NOT CHANGE!
+// Final legacy ordering provided as a default by kustomize.
+// Originally an attempt to apply resources in the correct order, an effort
+// which later proved impossible as not all types are known beforehand.
+// See: https://github.com/kubernetes-sigs/kustomize/issues/3913
+var defaultOrderFirst = []string{ //nolint:gochecknoglobals
+	"Namespace",
+	"ResourceQuota",
+	"StorageClass",
+	"CustomResourceDefinition",
+	"ServiceAccount",
+	"PodSecurityPolicy",
+	"Role",
+	"ClusterRole",
+	"RoleBinding",
+	"ClusterRoleBinding",
+	"ConfigMap",
+	"Secret",
+	"Endpoints",
+	"Service",
+	"LimitRange",
+	"PriorityClass",
+	"PersistentVolume",
+	"PersistentVolumeClaim",
+	"Deployment",
+	"StatefulSet",
+	"CronJob",
+	"PodDisruptionBudget",
+}
+var defaultOrderLast = []string{ //nolint:gochecknoglobals
+	"MutatingWebhookConfiguration",
+	"ValidatingWebhookConfiguration",
+}
+
+func NewSortOrderTransformerPlugin() resmap.TransformerPlugin {
+	return &SortOrderTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SuffixTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SuffixTransformer.go
new file mode 100644
index 0000000000..31b5b8fea0
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SuffixTransformer.go
@@ -0,0 +1,96 @@
+// Code generated by pluginator on SuffixTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"errors"
+
+	"sigs.k8s.io/kustomize/api/filters/suffix"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Add the given suffix to the field
+type SuffixTransformerPlugin struct {
+	Suffix     string        `json:"suffix,omitempty" yaml:"suffix,omitempty"`
+	FieldSpecs types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+// TODO: Make this gvk skip list part of the config.
+var suffixFieldSpecsToSkip = types.FsSlice{
+	{Gvk: resid.Gvk{Kind: "CustomResourceDefinition"}},
+	{Gvk: resid.Gvk{Group: "apiregistration.k8s.io", Kind: "APIService"}},
+	{Gvk: resid.Gvk{Kind: "Namespace"}},
+}
+
+func (p *SuffixTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Suffix = ""
+	p.FieldSpecs = nil
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return
+	}
+	if p.FieldSpecs == nil {
+		return errors.New("fieldSpecs is not expected to be nil")
+	}
+	return
+}
+
+func (p *SuffixTransformerPlugin) Transform(m resmap.ResMap) error {
+	// Even if the Suffix is empty we want to proceed with the
+	// transformation. This allows to add contextual information
+	// to the resources (AddNameSuffix).
+	for _, r := range m.Resources() {
+		// TODO: move this test into the filter (i.e. make a better filter)
+		if p.shouldSkip(r.OrgId()) {
+			continue
+		}
+		id := r.OrgId()
+		// current default configuration contains
+		// only one entry: "metadata/name" with no GVK
+		for _, fs := range p.FieldSpecs {
+			// TODO: this is redundant to filter (but needed for now)
+			if !id.IsSelected(&fs.Gvk) {
+				continue
+			}
+			// TODO: move this test into the filter.
+			if fs.Path == "metadata/name" {
+				// "metadata/name" is the only field.
+				// this will add a suffix to the resource
+				// even if it is empty
+
+				r.AddNameSuffix(p.Suffix)
+				if p.Suffix != "" {
+					// TODO: There are multiple transformers that can change a resource's name, and each makes a call to
+					// StorePreviousID(). We should make it so that we only call StorePreviousID once per kustomization layer
+					// to avoid storing intermediate names between transformations, to prevent intermediate name conflicts.
+					r.StorePreviousId()
+				}
+			}
+			if err := r.ApplyFilter(suffix.Filter{
+				Suffix:    p.Suffix,
+				FieldSpec: fs,
+			}); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (p *SuffixTransformerPlugin) shouldSkip(id resid.ResId) bool {
+	for _, path := range suffixFieldSpecsToSkip {
+		if id.IsSelected(&path.Gvk) {
+			return true
+		}
+	}
+	return false
+}
+
+func NewSuffixTransformerPlugin() resmap.TransformerPlugin {
+	return &SuffixTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ValueAddTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ValueAddTransformer.go
new file mode 100644
index 0000000000..1d70c98c2c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ValueAddTransformer.go
@@ -0,0 +1,141 @@
+// Code generated by pluginator on ValueAddTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/filters/namespace"
+	"sigs.k8s.io/kustomize/api/filters/valueadd"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+// An 'Add' transformer inspired by the IETF RFC 6902 JSON spec Add operation.
+type ValueAddTransformerPlugin struct {
+	// Value is the value to add.
+	// Defaults to base name of encompassing kustomization root.
+	Value string `json:"value,omitempty" yaml:"value,omitempty"`
+
+	// Targets is a slice of targets that should have the value added.
+	Targets []Target `json:"targets,omitempty" yaml:"targets,omitempty"`
+
+	// TargetFilePath is a file path.  If specified, the file will be parsed into
+	// a slice of Target, and appended to anything that was specified in the
+	// Targets field.  This is just a means to share common target specifications.
+	TargetFilePath string `json:"targetFilePath,omitempty" yaml:"targetFilePath,omitempty"`
+}
+
+// Target describes where to put the value.
+type Target struct {
+	// Selector selects the resources to modify.
+	Selector *types.Selector `json:"selector,omitempty" yaml:"selector,omitempty"`
+
+	// NotSelector selects the resources to exclude
+	// from those included by overly broad selectors.
+	// TODO: implement this?
+	// NotSelector *types.Selector `json:"notSelector,omitempty" yaml:"notSelector,omitempty"`
+
+	// FieldPath is a JSON-style path to the field intended to hold the value.
+	FieldPath string `json:"fieldPath,omitempty" yaml:"fieldPath,omitempty"`
+
+	// FilePathPosition is passed to the filter directly.  Look there for doc.
+	FilePathPosition int `json:"filePathPosition,omitempty" yaml:"filePathPosition,omitempty"`
+}
+
+func (p *ValueAddTransformerPlugin) Config(h *resmap.PluginHelpers, c []byte) error {
+	err := yaml.Unmarshal(c, p)
+	if err != nil {
+		return err
+	}
+	p.Value = strings.TrimSpace(p.Value)
+	if p.Value == "" {
+		p.Value = filepath.Base(h.Loader().Root())
+	}
+	if p.TargetFilePath != "" {
+		bytes, err := h.Loader().Load(p.TargetFilePath)
+		if err != nil {
+			return err
+		}
+		var targets struct {
+			Targets []Target `json:"targets,omitempty" yaml:"targets,omitempty"`
+		}
+		err = yaml.Unmarshal(bytes, &targets)
+		if err != nil {
+			return err
+		}
+		p.Targets = append(p.Targets, targets.Targets...)
+	}
+	if len(p.Targets) == 0 {
+		return fmt.Errorf("must specify at least one target")
+	}
+	for _, target := range p.Targets {
+		if err = validateSelector(target.Selector); err != nil {
+			return err
+		}
+		// TODO: call validateSelector(target.NotSelector) if field added.
+		if err = validateJsonFieldPath(target.FieldPath); err != nil {
+			return err
+		}
+		if target.FilePathPosition < 0 {
+			return fmt.Errorf(
+				"value of FilePathPosition (%d) cannot be negative",
+				target.FilePathPosition)
+		}
+	}
+	return nil
+}
+
+// TODO: implement
+func validateSelector(_ *types.Selector) error {
+	return nil
+}
+
+// TODO: Enforce RFC 6902?
+func validateJsonFieldPath(p string) error {
+	if len(p) == 0 {
+		return fmt.Errorf("fieldPath cannot be empty")
+	}
+	return nil
+}
+
+func (p *ValueAddTransformerPlugin) Transform(m resmap.ResMap) (err error) {
+	for _, t := range p.Targets {
+		var resources []*resource.Resource
+		if t.Selector == nil {
+			resources = m.Resources()
+		} else {
+			resources, err = m.Select(*t.Selector)
+			if err != nil {
+				return err
+			}
+		}
+		// TODO: consider t.NotSelector if implemented
+		for _, res := range resources {
+			if t.FieldPath == types.MetadataNamespacePath {
+				err = res.ApplyFilter(namespace.Filter{
+					Namespace: p.Value,
+				})
+			} else {
+				err = res.ApplyFilter(valueadd.Filter{
+					Value:            p.Value,
+					FieldPath:        t.FieldPath,
+					FilePathPosition: t.FilePathPosition,
+				})
+			}
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func NewValueAddTransformerPlugin() resmap.TransformerPlugin {
+	return &ValueAddTransformerPlugin{}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/doc.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/doc.go
new file mode 100644
index 0000000000..37a8dc6e7d
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package builtins holds code generated from the builtin plugins.
+// The "builtin" plugins are written as normal plugins and can
+// be used as such, but they are also used to generate the code
+// in this package so they can be statically linked to client code.
+package builtins
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/generators/configmap.go b/vendor/sigs.k8s.io/kustomize/api/internal/generators/configmap.go
new file mode 100644
index 0000000000..47498aaa58
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/generators/configmap.go
@@ -0,0 +1,52 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package generators
+
+import (
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// MakeConfigMap makes a configmap.
+//
+// ConfigMap: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#configmap-v1-core
+//
+// ConfigMaps and Secrets are similar.
+//
+// Both objects have a `data` field, which contains a map from keys to
+// values that must be UTF-8 valid strings.  Such data might be simple text,
+// or whoever made the data may have done so by performing a base64 encoding
+// on binary data. Regardless, k8s has no means to know this, so it treats
+// the data field as a string.
+//
+// The ConfigMap has an additional field `binaryData`, also a map, but its
+// values are _intended_ to be interpreted as a base64 encoding of []byte,
+// by whatever makes use of the ConfigMap.
+//
+// In a ConfigMap, any key used in `data` cannot also be used in `binaryData`
+// and vice-versa.  A key must be unique across both maps.
+func MakeConfigMap(
+	ldr ifc.KvLoader, args *types.ConfigMapArgs) (rn *yaml.RNode, err error) {
+	rn, err = makeBaseNode("ConfigMap", args.Name, args.Namespace)
+	if err != nil {
+		return nil, err
+	}
+	m, err := makeValidatedDataMap(ldr, args.Name, args.KvPairSources)
+	if err != nil {
+		return nil, err
+	}
+	if err = rn.LoadMapIntoConfigMapData(m); err != nil {
+		return nil, err
+	}
+	err = copyLabelsAndAnnotations(rn, args.Options)
+	if err != nil {
+		return nil, err
+	}
+	err = setImmutable(rn, args.Options)
+	if err != nil {
+		return nil, err
+	}
+	return rn, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/generators/secret.go b/vendor/sigs.k8s.io/kustomize/api/internal/generators/secret.go
new file mode 100644
index 0000000000..9afaff156a
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/generators/secret.go
@@ -0,0 +1,59 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package generators
+
+import (
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// MakeSecret makes a kubernetes Secret.
+//
+// Secret: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#secret-v1-core
+//
+// ConfigMaps and Secrets are similar.
+//
+// Like a ConfigMap, a Secret has a `data` field, but unlike a ConfigMap it has
+// no `binaryData` field.
+//
+// All of a Secret's data is assumed to be opaque in nature, and assumed to be
+// base64 encoded from its original representation, regardless of whether the
+// original data was UTF-8 text or binary.
+//
+// This encoding provides no secrecy. It's just a neutral, common means to
+// represent opaque text and binary data.  Beneath the base64 encoding
+// is presumably further encoding under control of the Secret's consumer.
+//
+// A Secret has string field `type` which holds an identifier, used by the
+// client, to choose the algorithm to interpret the `data` field.  Kubernetes
+// cannot make use of this data; it's up to a controller or some pod's service
+// to interpret the value, using `type` as a clue as to how to do this.
+func MakeSecret(
+	ldr ifc.KvLoader, args *types.SecretArgs) (rn *yaml.RNode, err error) {
+	rn, err = makeBaseNode("Secret", args.Name, args.Namespace)
+	if err != nil {
+		return nil, err
+	}
+	t := "Opaque"
+	if args.Type != "" {
+		t = args.Type
+	}
+	if _, err := rn.Pipe(
+		yaml.FieldSetter{
+			Name:  "type",
+			Value: yaml.NewStringRNode(t)}); err != nil {
+		return nil, err
+	}
+	m, err := makeValidatedDataMap(ldr, args.Name, args.KvPairSources)
+	if err != nil {
+		return nil, err
+	}
+	if err = rn.LoadMapIntoSecretData(m); err != nil {
+		return nil, err
+	}
+	copyLabelsAndAnnotations(rn, args.Options)
+	setImmutable(rn, args.Options)
+	return rn, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/generators/utils.go b/vendor/sigs.k8s.io/kustomize/api/internal/generators/utils.go
new file mode 100644
index 0000000000..b570c7e91b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/generators/utils.go
@@ -0,0 +1,124 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package generators
+
+import (
+	"fmt"
+	"path"
+	"strings"
+
+	"github.com/go-errors/errors"
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+func makeBaseNode(kind, name, namespace string) (*yaml.RNode, error) {
+	rn, err := yaml.Parse(fmt.Sprintf(`
+apiVersion: v1
+kind: %s
+`, kind))
+	if err != nil {
+		return nil, err
+	}
+	if name == "" {
+		return nil, errors.Errorf("a configmap must have a name")
+	}
+	if _, err := rn.Pipe(yaml.SetK8sName(name)); err != nil {
+		return nil, err
+	}
+	if namespace != "" {
+		if _, err := rn.Pipe(yaml.SetK8sNamespace(namespace)); err != nil {
+			return nil, err
+		}
+	}
+	return rn, nil
+}
+
+func makeValidatedDataMap(
+	ldr ifc.KvLoader, name string, sources types.KvPairSources) (map[string]string, error) {
+	pairs, err := ldr.Load(sources)
+	if err != nil {
+		return nil, errors.WrapPrefix(err, "loading KV pairs", 0)
+	}
+	knownKeys := make(map[string]string)
+	for _, p := range pairs {
+		// legal key: alphanumeric characters, '-', '_' or '.'
+		if err := ldr.Validator().ErrIfInvalidKey(p.Key); err != nil {
+			return nil, err
+		}
+		if _, ok := knownKeys[p.Key]; ok {
+			return nil, errors.Errorf(
+				"configmap %s illegally repeats the key `%s`", name, p.Key)
+		}
+		knownKeys[p.Key] = p.Value
+	}
+	return knownKeys, nil
+}
+
+// copyLabelsAndAnnotations copies labels and annotations from
+// GeneratorOptions into the given object.
+func copyLabelsAndAnnotations(
+	rn *yaml.RNode, opts *types.GeneratorOptions) error {
+	if opts == nil {
+		return nil
+	}
+	for _, k := range yaml.SortedMapKeys(opts.Labels) {
+		v := opts.Labels[k]
+		if _, err := rn.Pipe(yaml.SetLabel(k, v)); err != nil {
+			return err
+		}
+	}
+	for _, k := range yaml.SortedMapKeys(opts.Annotations) {
+		v := opts.Annotations[k]
+		if _, err := rn.Pipe(yaml.SetAnnotation(k, v)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func setImmutable(
+	rn *yaml.RNode, opts *types.GeneratorOptions) error {
+	if opts == nil {
+		return nil
+	}
+	if opts.Immutable {
+		n := &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Value: "true",
+			Tag:   yaml.NodeTagBool,
+		}
+		if _, err := rn.Pipe(yaml.FieldSetter{Name: "immutable", Value: yaml.NewRNode(n)}); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ParseFileSource parses the source given.
+//
+// Acceptable formats include:
+//  1. source-path: the basename will become the key name
+//  2. source-name=source-path: the source-name will become the key name and
+//     source-path is the path to the key file.
+//
+// Key names cannot include '='.
+func ParseFileSource(source string) (keyName, filePath string, err error) {
+	numSeparators := strings.Count(source, "=")
+	switch {
+	case numSeparators == 0:
+		return path.Base(source), source, nil
+	case numSeparators == 1 && strings.HasPrefix(source, "="):
+		return "", "", errors.Errorf("missing key name for file path %q in source %q", strings.TrimPrefix(source, "="), source)
+	case numSeparators == 1 && strings.HasSuffix(source, "="):
+		return "", "", errors.Errorf("missing file path for key name %q in source %q", strings.TrimSuffix(source, "="), source)
+	case numSeparators > 1:
+		return "", "", errors.Errorf("source %q key name or file path contains '='", source)
+	default:
+		components := strings.Split(source, "=")
+		return components[0], components[1], nil
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/git/cloner.go b/vendor/sigs.k8s.io/kustomize/api/internal/git/cloner.go
new file mode 100644
index 0000000000..2098cdd31e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/git/cloner.go
@@ -0,0 +1,56 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package git
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// Cloner is a function that can clone a git repo.
+type Cloner func(repoSpec *RepoSpec) error
+
+// ClonerUsingGitExec uses a local git install, as opposed
+// to say, some remote API, to obtain a local clone of
+// a remote repo.
+func ClonerUsingGitExec(repoSpec *RepoSpec) error {
+	r, err := newCmdRunner(repoSpec.Timeout)
+	if err != nil {
+		return err
+	}
+	repoSpec.Dir = r.dir
+	if err = r.run("init"); err != nil {
+		return err
+	}
+	// git relative submodule need origin, see https://github.com/kubernetes-sigs/kustomize/issues/5131
+	if err = r.run("remote", "add", "origin", repoSpec.CloneSpec()); err != nil {
+		return err
+	}
+	ref := "HEAD"
+	if repoSpec.Ref != "" {
+		ref = repoSpec.Ref
+	}
+	// we use repoSpec.CloneSpec() instead of origin because on error,
+	// the prior prints the actual repo url for the user.
+	if err = r.run("fetch", "--depth=1", repoSpec.CloneSpec(), ref); err != nil {
+		return err
+	}
+	if err = r.run("checkout", "FETCH_HEAD"); err != nil {
+		return err
+	}
+	if repoSpec.Submodules {
+		return r.run("submodule", "update", "--init", "--recursive")
+	}
+	return nil
+}
+
+// DoNothingCloner returns a cloner that only sets
+// cloneDir field in the repoSpec.  It's assumed that
+// the cloneDir is associated with some fake filesystem
+// used in a test.
+func DoNothingCloner(dir filesys.ConfirmedDir) Cloner {
+	return func(rs *RepoSpec) error {
+		rs.Dir = dir
+		return nil
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/git/gitrunner.go b/vendor/sigs.k8s.io/kustomize/api/internal/git/gitrunner.go
new file mode 100644
index 0000000000..134eb41c5f
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/git/gitrunner.go
@@ -0,0 +1,55 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package git
+
+import (
+	"os/exec"
+	"time"
+
+	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// gitRunner runs the external git binary.
+type gitRunner struct {
+	gitProgram string
+	duration   time.Duration
+	dir        filesys.ConfirmedDir
+}
+
+// newCmdRunner returns a gitRunner if it can find the binary.
+// It also creats a temp directory for cloning repos.
+func newCmdRunner(timeout time.Duration) (*gitRunner, error) {
+	gitProgram, err := exec.LookPath("git")
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "no 'git' program on path")
+	}
+	dir, err := filesys.NewTmpConfirmedDir()
+	if err != nil {
+		return nil, err
+	}
+	return &gitRunner{
+		gitProgram: gitProgram,
+		duration:   timeout,
+		dir:        dir,
+	}, nil
+}
+
+// run a command with a timeout.
+func (r gitRunner) run(args ...string) error {
+	//nolint: gosec
+	cmd := exec.Command(r.gitProgram, args...)
+	cmd.Dir = r.dir.String()
+	return utils.TimedCall(
+		cmd.String(),
+		r.duration,
+		func() error {
+			out, err := cmd.CombinedOutput()
+			if err != nil {
+				return errors.WrapPrefixf(err, "failed to run '%s': %s", cmd.String(), string(out))
+			}
+			return err
+		})
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/git/repospec.go b/vendor/sigs.k8s.io/kustomize/api/internal/git/repospec.go
new file mode 100644
index 0000000000..ba6156cc5b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/git/repospec.go
@@ -0,0 +1,387 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package git
+
+import (
+	"fmt"
+	"log"
+	"net/url"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// Used as a temporary non-empty occupant of the cloneDir
+// field, as something distinguishable from the empty string
+// in various outputs (especially tests). Not using an
+// actual directory name here, as that's a temporary directory
+// with a unique name that isn't created until clone time.
+const notCloned = filesys.ConfirmedDir("/notCloned")
+
+// RepoSpec specifies a git repository and a branch and path therein.
+type RepoSpec struct {
+	// Raw, original spec, used to look for cycles.
+	// TODO(monopole): Drop raw, use processed fields instead.
+	raw string
+
+	// Host, e.g. https://github.com/
+	Host string
+
+	// RepoPath name (Path to repository),
+	// e.g. kubernetes-sigs/kustomize
+	RepoPath string
+
+	// Dir is where the repository is cloned to.
+	Dir filesys.ConfirmedDir
+
+	// Relative path in the repository, and in the cloneDir,
+	// to a Kustomization.
+	KustRootPath string
+
+	// Branch or tag reference.
+	Ref string
+
+	// Submodules indicates whether or not to clone git submodules.
+	Submodules bool
+
+	// Timeout is the maximum duration allowed for execing git commands.
+	Timeout time.Duration
+}
+
+// CloneSpec returns a string suitable for "git clone {spec}".
+func (x *RepoSpec) CloneSpec() string {
+	return x.Host + x.RepoPath
+}
+
+func (x *RepoSpec) CloneDir() filesys.ConfirmedDir {
+	return x.Dir
+}
+
+func (x *RepoSpec) Raw() string {
+	return x.raw
+}
+
+func (x *RepoSpec) AbsPath() string {
+	return x.Dir.Join(x.KustRootPath)
+}
+
+func (x *RepoSpec) Cleaner(fSys filesys.FileSystem) func() error {
+	return func() error { return fSys.RemoveAll(x.Dir.String()) }
+}
+
+const (
+	refQuery         = "?ref="
+	gitSuffix        = ".git"
+	gitRootDelimiter = "_git/"
+	pathSeparator    = "/" // do not use filepath.Separator, as this is a URL
+)
+
+// NewRepoSpecFromURL parses git-like urls.
+// From strings like git@github.com:someOrg/someRepo.git or
+// https://github.com/someOrg/someRepo?ref=someHash, extract
+// the different parts of URL, set into a RepoSpec object and return RepoSpec object.
+// It MUST return an error if the input is not a git-like URL, as this is used by some code paths
+// to distinguish between local and remote paths.
+//
+// In particular, NewRepoSpecFromURL separates the URL used to clone the repo from the
+// elements Kustomize uses for other purposes (e.g. query params that turn into args, and
+// the path to the kustomization root within the repo).
+func NewRepoSpecFromURL(n string) (*RepoSpec, error) {
+	repoSpec := &RepoSpec{raw: n, Dir: notCloned, Timeout: defaultTimeout, Submodules: defaultSubmodules}
+	if filepath.IsAbs(n) {
+		return nil, fmt.Errorf("uri looks like abs path: %s", n)
+	}
+
+	// Parse the query first. This is safe because according to rfc3986 "?" is only allowed in the
+	// query and is not recognized %-encoded.
+	// Note that parseQuery returns default values for empty parameters.
+	n, query, _ := strings.Cut(n, "?")
+	repoSpec.Ref, repoSpec.Timeout, repoSpec.Submodules = parseQuery(query)
+
+	var err error
+
+	// Parse the host (e.g. scheme, username, domain) segment.
+	repoSpec.Host, n, err = extractHost(n)
+	if err != nil {
+		return nil, err
+	}
+
+	// In some cases, we're given a path to a git repo + a path to the kustomization root within
+	// that repo. We need to split them so that we can ultimately give the repo only to the cloner.
+	repoSpec.RepoPath, repoSpec.KustRootPath, err = parsePathParts(n, defaultRepoPathLength(repoSpec.Host))
+	if err != nil {
+		return nil, err
+	}
+
+	return repoSpec, nil
+}
+
+const allSegments = -999999
+const orgRepoSegments = 2
+
+func defaultRepoPathLength(host string) int {
+	if strings.HasPrefix(host, fileScheme) {
+		return allSegments
+	}
+	return orgRepoSegments
+}
+
+// parsePathParts splits the repo path that will ultimately be passed to git to clone the
+// repo from the kustomization root path, which Kustomize will execute the build in after the repo
+// is cloned.
+//
+// We first try to do this based on explicit markers in the URL (e.g. _git, .git or //).
+// If none are present, we try to apply a historical default repo path length that is derived from
+// Github URLs. If there aren't enough segments, we have historically considered the URL invalid.
+func parsePathParts(n string, defaultSegmentLength int) (string, string, error) {
+	repoPath, kustRootPath, success := tryExplicitMarkerSplit(n)
+	if !success {
+		repoPath, kustRootPath, success = tryDefaultLengthSplit(n, defaultSegmentLength)
+	}
+
+	// Validate the result
+	if !success || len(repoPath) == 0 {
+		return "", "", fmt.Errorf("failed to parse repo path segment")
+	}
+	if kustRootPathExitsRepo(kustRootPath) {
+		return "", "", fmt.Errorf("url path exits repo: %s", n)
+	}
+
+	return repoPath, strings.TrimPrefix(kustRootPath, pathSeparator), nil
+}
+
+func tryExplicitMarkerSplit(n string) (string, string, bool) {
+	// Look for the _git delimiter, which by convention is expected to be ONE directory above the repo root.
+	// If found, split on the NEXT path element, which is the repo root.
+	// Example: https://username@dev.azure.com/org/project/_git/repo/path/to/kustomization/root
+	if gitRootIdx := strings.Index(n, gitRootDelimiter); gitRootIdx >= 0 {
+		gitRootPath := n[:gitRootIdx+len(gitRootDelimiter)]
+		subpathSegments := strings.Split(n[gitRootIdx+len(gitRootDelimiter):], pathSeparator)
+		return gitRootPath + subpathSegments[0], strings.Join(subpathSegments[1:], pathSeparator), true
+
+		// Look for a double-slash in the path, which if present separates the repo root from the kust path.
+		// It is a convention, not a real path element, so do not preserve it in the returned value.
+		// Example: https://github.com/org/repo//path/to/kustomozation/root
+	} else if repoRootIdx := strings.Index(n, "//"); repoRootIdx >= 0 {
+		return n[:repoRootIdx], n[repoRootIdx+2:], true
+
+		// Look for .git in the path, which if present is part of the directory name of the git repo.
+		// This means we want to grab everything up to and including that suffix
+		// Example: https://github.com/org/repo.git/path/to/kustomozation/root
+	} else if gitSuffixIdx := strings.Index(n, gitSuffix); gitSuffixIdx >= 0 {
+		upToGitSuffix := n[:gitSuffixIdx+len(gitSuffix)]
+		afterGitSuffix := n[gitSuffixIdx+len(gitSuffix):]
+		return upToGitSuffix, afterGitSuffix, true
+	}
+	return "", "", false
+}
+
+func tryDefaultLengthSplit(n string, defaultSegmentLength int) (string, string, bool) {
+	// If the default is to take all segments, do so.
+	if defaultSegmentLength == allSegments {
+		return n, "", true
+
+		// If the default is N segments, make sure we have at least that many and take them if so.
+		// If we have less than N, we have historically considered the URL invalid.
+	} else if segments := strings.Split(n, pathSeparator); len(segments) >= defaultSegmentLength {
+		firstNSegments := strings.Join(segments[:defaultSegmentLength], pathSeparator)
+		rest := strings.Join(segments[defaultSegmentLength:], pathSeparator)
+		return firstNSegments, rest, true
+	}
+	return "", "", false
+}
+
+func kustRootPathExitsRepo(kustRootPath string) bool {
+	cleanedPath := filepath.Clean(strings.TrimPrefix(kustRootPath, string(filepath.Separator)))
+	pathElements := strings.Split(cleanedPath, string(filepath.Separator))
+	return len(pathElements) > 0 &&
+		pathElements[0] == filesys.ParentDir
+}
+
+// Clone git submodules by default.
+const defaultSubmodules = true
+
+// Arbitrary, but non-infinite, timeout for running commands.
+const defaultTimeout = 27 * time.Second
+
+func parseQuery(query string) (string, time.Duration, bool) {
+	values, err := url.ParseQuery(query)
+	// in event of parse failure, return defaults
+	if err != nil {
+		return "", defaultTimeout, defaultSubmodules
+	}
+
+	// ref is the desired git ref to target. Can be specified by in a git URL
+	// with ?ref=<string> or ?version=<string>, although ref takes precedence.
+	ref := values.Get("version")
+	if queryValue := values.Get("ref"); queryValue != "" {
+		ref = queryValue
+	}
+
+	// depth is the desired git exec timeout. Can be specified by in a git URL
+	// with ?timeout=<duration>.
+	duration := defaultTimeout
+	if queryValue := values.Get("timeout"); queryValue != "" {
+		// Attempt to first parse as a number of integer seconds (like "61"),
+		// and then attempt to parse as a suffixed duration (like "61s").
+		if intValue, err := strconv.Atoi(queryValue); err == nil && intValue > 0 {
+			duration = time.Duration(intValue) * time.Second
+		} else if durationValue, err := time.ParseDuration(queryValue); err == nil && durationValue > 0 {
+			duration = durationValue
+		}
+	}
+
+	// submodules indicates if git submodule cloning is desired. Can be
+	// specified by in a git URL with ?submodules=<bool>.
+	submodules := defaultSubmodules
+	if queryValue := values.Get("submodules"); queryValue != "" {
+		if boolValue, err := strconv.ParseBool(queryValue); err == nil {
+			submodules = boolValue
+		}
+	}
+
+	return ref, duration, submodules
+}
+
+func extractHost(n string) (string, string, error) {
+	n = ignoreForcedGitProtocol(n)
+	scheme, n := extractScheme(n)
+	username, n := extractUsername(n)
+	stdGithub := isStandardGithubHost(n)
+	acceptSCP := acceptSCPStyle(scheme, username, stdGithub)
+
+	// Validate the username and scheme before attempting host/path parsing, because if the parsing
+	// so far has not succeeded, we will not be able to extract the host and path correctly.
+	if err := validateScheme(scheme, acceptSCP); err != nil {
+		return "", "", err
+	}
+
+	// Now that we have extracted a valid scheme+username, we can parse host itself.
+
+	// The file protocol specifies an absolute path to a local git repo.
+	// Everything after the scheme (including any 'username' we found) is actually part of that path.
+	if scheme == fileScheme {
+		return scheme, username + n, nil
+	}
+	var host, rest = n, ""
+	if sepIndex := findPathSeparator(n, acceptSCP); sepIndex >= 0 {
+		host, rest = n[:sepIndex+1], n[sepIndex+1:]
+	}
+
+	// Github URLs are strictly normalized in a way that may discard scheme and username components.
+	if stdGithub {
+		scheme, username, host = normalizeGithubHostParts(scheme, username)
+	}
+
+	// Host is required, so do not concat the scheme and username if we didn't find one.
+	if host == "" {
+		return "", "", errors.Errorf("failed to parse host segment")
+	}
+	return scheme + username + host, rest, nil
+}
+
+// ignoreForcedGitProtocol strips the "git::" prefix from URLs.
+// We used to use go-getter to handle our urls: https://github.com/hashicorp/go-getter.
+// The git:: prefix signaled go-getter to use the git protocol to fetch the url's contents.
+// We silently strip this prefix to allow these go-getter-style urls to continue to work,
+// although the git protocol (which is insecure and unsupported on many platforms, including Github)
+// will not actually be used as intended.
+func ignoreForcedGitProtocol(n string) string {
+	n, found := trimPrefixIgnoreCase(n, "git::")
+	if found {
+		log.Println("Warning: Forcing the git protocol using the 'git::' URL prefix is not supported. " +
+			"Kustomize currently strips this invalid prefix, but will stop doing so in a future release. " +
+			"Please remove the 'git::' prefix from your configuration.")
+	}
+	return n
+}
+
+// acceptSCPStyle returns true if the scheme and username indicate potential use of an SCP-style URL.
+// With this style, the scheme is not explicit and the path is delimited by a colon.
+// Strictly speaking the username is optional in SCP-like syntax, but Kustomize has always
+// required it for non-Github URLs.
+// Example: user@host.xz:path/to/repo.git/
+func acceptSCPStyle(scheme, username string, isGithubURL bool) bool {
+	return scheme == "" && (username != "" || isGithubURL)
+}
+
+func validateScheme(scheme string, acceptSCPStyle bool) error {
+	// see https://git-scm.com/docs/git-fetch#_git_urls for info relevant to these validations
+	switch scheme {
+	case "":
+		// Empty scheme is only ok if it's a Github URL or if it looks like SCP-style syntax
+		if !acceptSCPStyle {
+			return fmt.Errorf("failed to parse scheme")
+		}
+	case sshScheme, fileScheme, httpsScheme, httpScheme:
+		// These are all supported schemes
+	default:
+		// At time of writing, we should never end up here because we do not parse out
+		// unsupported schemes to begin with.
+		return fmt.Errorf("unsupported scheme %q", scheme)
+	}
+	return nil
+}
+
+const fileScheme = "file://"
+const httpScheme = "http://"
+const httpsScheme = "https://"
+const sshScheme = "ssh://"
+
+func extractScheme(s string) (string, string) {
+	for _, prefix := range []string{sshScheme, httpsScheme, httpScheme, fileScheme} {
+		if rest, found := trimPrefixIgnoreCase(s, prefix); found {
+			return prefix, rest
+		}
+	}
+	return "", s
+}
+
+func extractUsername(s string) (string, string) {
+	var userRegexp = regexp.MustCompile(`^([a-zA-Z][a-zA-Z0-9-]*)@`)
+	if m := userRegexp.FindStringSubmatch(s); m != nil {
+		username := m[1] + "@"
+		return username, s[len(username):]
+	}
+	return "", s
+}
+
+func isStandardGithubHost(s string) bool {
+	lowerCased := strings.ToLower(s)
+	return strings.HasPrefix(lowerCased, "github.com/") ||
+		strings.HasPrefix(lowerCased, "github.com:")
+}
+
+// trimPrefixIgnoreCase returns the rest of s and true if prefix, ignoring case, prefixes s.
+// Otherwise, trimPrefixIgnoreCase returns s and false.
+func trimPrefixIgnoreCase(s, prefix string) (string, bool) {
+	if len(prefix) <= len(s) && strings.ToLower(s[:len(prefix)]) == prefix {
+		return s[len(prefix):], true
+	}
+	return s, false
+}
+
+func findPathSeparator(hostPath string, acceptSCP bool) int {
+	sepIndex := strings.Index(hostPath, pathSeparator)
+	if acceptSCP {
+		colonIndex := strings.Index(hostPath, ":")
+		// The colon acts as a delimiter in scp-style ssh URLs only if not prefixed by '/'.
+		if sepIndex == -1 || (colonIndex > 0 && colonIndex < sepIndex) {
+			sepIndex = colonIndex
+		}
+	}
+	return sepIndex
+}
+
+func normalizeGithubHostParts(scheme, username string) (string, string, string) {
+	if strings.HasPrefix(scheme, sshScheme) || username != "" {
+		return "", username, "github.com:"
+	}
+	return httpsScheme, "", "github.com/"
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/image/image.go b/vendor/sigs.k8s.io/kustomize/api/internal/image/image.go
new file mode 100644
index 0000000000..4a88050b48
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/image/image.go
@@ -0,0 +1,66 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package image
+
+import (
+	"regexp"
+	"strings"
+)
+
+// IsImageMatched returns true if the value of t is identical to the
+// image name in the full image name and tag as given by s.
+func IsImageMatched(s, t string) bool {
+	// Tag values are limited to [a-zA-Z0-9_.{}-].
+	// Some tools like Bazel rules_k8s allow tag patterns with {} characters.
+	// More info: https://github.com/bazelbuild/rules_k8s/pull/423
+	pattern, _ := regexp.Compile("^" + t + "(:[a-zA-Z0-9_.{}-]*)?(@sha256:[a-zA-Z0-9_.{}-]*)?$")
+	return pattern.MatchString(s)
+}
+
+// Split separates and returns the name and tag parts
+// from the image string using either colon `:` or at `@` separators.
+// image reference pattern: [[host[:port]/]component/]component[:tag][@digest]
+func Split(imageName string) (name string, tag string, digest string) {
+	// check if image name contains a domain
+	// if domain is present, ignore domain and check for `:`
+	searchName := imageName
+	slashIndex := strings.Index(imageName, "/")
+	if slashIndex > 0 {
+		searchName = imageName[slashIndex:]
+	} else {
+		slashIndex = 0
+	}
+
+	id := strings.Index(searchName, "@")
+	ic := strings.Index(searchName, ":")
+
+	// no tag or digest
+	if ic < 0 && id < 0 {
+		return imageName, "", ""
+	}
+
+	// digest only
+	if id >= 0 && (id < ic || ic < 0) {
+		id += slashIndex
+		name = imageName[:id]
+		digest = strings.TrimPrefix(imageName[id:], "@")
+		return name, "", digest
+	}
+
+	// tag and digest
+	if id >= 0 && ic >= 0 {
+		id += slashIndex
+		ic += slashIndex
+		name = imageName[:ic]
+		tag = strings.TrimPrefix(imageName[ic:id], ":")
+		digest = strings.TrimPrefix(imageName[id:], "@")
+		return name, tag, digest
+	}
+
+	// tag only
+	ic += slashIndex
+	name = imageName[:ic]
+	tag = strings.TrimPrefix(imageName[ic:], ":")
+	return name, tag, ""
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonannotations.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonannotations.go
new file mode 100644
index 0000000000..97c1d6b22d
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonannotations.go
@@ -0,0 +1,47 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const commonAnnotationFieldSpecs = `
+commonAnnotations:
+- path: metadata/annotations
+  create: true
+
+- path: spec/template/metadata/annotations
+  create: true
+  version: v1
+  kind: ReplicationController
+
+- path: spec/template/metadata/annotations
+  create: true
+  kind: Deployment
+
+- path: spec/template/metadata/annotations
+  create: true
+  kind: ReplicaSet
+
+- path: spec/template/metadata/annotations
+  create: true
+  kind: DaemonSet
+
+- path: spec/template/metadata/annotations
+  create: true
+  kind: StatefulSet
+
+- path: spec/template/metadata/annotations
+  create: true
+  group: batch
+  kind: Job
+
+- path: spec/jobTemplate/metadata/annotations
+  create: true
+  group: batch
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/metadata/annotations
+  create: true
+  group: batch
+  kind: CronJob
+
+`
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonlabels.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonlabels.go
new file mode 100644
index 0000000000..b2a78f5681
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonlabels.go
@@ -0,0 +1,113 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const commonLabelFieldSpecs = `
+commonLabels:
+- path: spec/selector
+  create: true
+  version: v1
+  kind: Service
+
+- path: spec/selector
+  create: true
+  version: v1
+  kind: ReplicationController
+- path: spec/selector/matchLabels
+  create: true
+  kind: Deployment
+
+- path: spec/template/spec/affinity/podAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: Deployment
+
+- path: spec/template/spec/affinity/podAffinity/requiredDuringSchedulingIgnoredDuringExecution/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: Deployment
+
+- path: spec/template/spec/affinity/podAntiAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: Deployment
+
+- path: spec/template/spec/affinity/podAntiAffinity/requiredDuringSchedulingIgnoredDuringExecution/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: Deployment
+
+- path: spec/template/spec/topologySpreadConstraints/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: Deployment
+
+- path: spec/selector/matchLabels
+  create: true
+  kind: ReplicaSet
+
+- path: spec/selector/matchLabels
+  create: true
+  kind: DaemonSet
+
+- path: spec/selector/matchLabels
+  create: true
+  group: apps
+  kind: StatefulSet
+
+- path: spec/template/spec/affinity/podAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: StatefulSet
+
+- path: spec/template/spec/affinity/podAffinity/requiredDuringSchedulingIgnoredDuringExecution/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: StatefulSet
+
+- path: spec/template/spec/affinity/podAntiAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: StatefulSet
+
+- path: spec/template/spec/affinity/podAntiAffinity/requiredDuringSchedulingIgnoredDuringExecution/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: StatefulSet
+
+- path: spec/template/spec/topologySpreadConstraints/labelSelector/matchLabels
+  create: false
+  group: apps
+  kind: StatefulSet
+
+- path: spec/selector/matchLabels
+  create: false
+  group: batch
+  kind: Job
+
+- path: spec/jobTemplate/spec/selector/matchLabels
+  create: false
+  group: batch
+  kind: CronJob
+
+- path: spec/selector/matchLabels
+  create: false
+  group: policy
+  kind: PodDisruptionBudget
+
+- path: spec/podSelector/matchLabels
+  create: false
+  group: networking.k8s.io
+  kind: NetworkPolicy
+
+- path: spec/ingress/from/podSelector/matchLabels
+  create: false
+  group: networking.k8s.io
+  kind: NetworkPolicy
+
+- path: spec/egress/to/podSelector/matchLabels
+  create: false
+  group: networking.k8s.io
+  kind: NetworkPolicy
+` + metadataLabelsFieldSpecs
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/defaultconfig.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/defaultconfig.go
new file mode 100644
index 0000000000..2f220cb29a
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/defaultconfig.go
@@ -0,0 +1,42 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+import (
+	"bytes"
+)
+
+// GetDefaultFieldSpecs returns default fieldSpecs.
+func GetDefaultFieldSpecs() []byte {
+	configData := [][]byte{
+		[]byte(namePrefixFieldSpecs),
+		[]byte(nameSuffixFieldSpecs),
+		[]byte(commonLabelFieldSpecs),
+		[]byte(templateLabelFieldSpecs),
+		[]byte(commonAnnotationFieldSpecs),
+		[]byte(namespaceFieldSpecs),
+		[]byte(varReferenceFieldSpecs),
+		[]byte(nameReferenceFieldSpecs),
+		[]byte(imagesFieldSpecs),
+		[]byte(replicasFieldSpecs),
+	}
+	return bytes.Join(configData, []byte("\n"))
+}
+
+// GetDefaultFieldSpecsAsMap returns default fieldSpecs
+// as a string->string map.
+func GetDefaultFieldSpecsAsMap() map[string]string {
+	result := make(map[string]string)
+	result["nameprefix"] = namePrefixFieldSpecs
+	result["namesuffix"] = nameSuffixFieldSpecs
+	result["commonlabels"] = commonLabelFieldSpecs
+	result["templatelabels"] = templateLabelFieldSpecs
+	result["commonannotations"] = commonAnnotationFieldSpecs
+	result["namespace"] = namespaceFieldSpecs
+	result["varreference"] = varReferenceFieldSpecs
+	result["namereference"] = nameReferenceFieldSpecs
+	result["images"] = imagesFieldSpecs
+	result["replicas"] = replicasFieldSpecs
+	return result
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/doc.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/doc.go
new file mode 100644
index 0000000000..4b7b5faac5
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/doc.go
@@ -0,0 +1,8 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package builtinpluginconsts provides builtin plugin
+// configuration data.  Builtin plugins can also be
+// configured individually with plugin config files,
+// in which case the constants in this package are ignored.
+package builtinpluginconsts
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/images.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/images.go
new file mode 100644
index 0000000000..a60370ef7c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/images.go
@@ -0,0 +1,22 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const (
+	imagesFieldSpecs = `
+images:
+- path: spec/containers[]/image
+  create: true
+- path: spec/initContainers[]/image
+  create: true
+- path: spec/volumes[]/image/reference
+  create: true
+- path: spec/template/spec/containers[]/image
+  create: true
+- path: spec/template/spec/initContainers[]/image
+  create: true
+- path: spec/template/spec/volumes[]/image/reference
+  create: true
+`
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/metadatalabels.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/metadatalabels.go
new file mode 100644
index 0000000000..d070cca4b8
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/metadatalabels.go
@@ -0,0 +1,51 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const metadataLabelsFieldSpecs = `
+- path: metadata/labels
+  create: true
+
+- path: spec/template/metadata/labels
+  create: true
+  version: v1
+  kind: ReplicationController
+
+- path: spec/template/metadata/labels
+  create: true
+  kind: Deployment
+
+- path: spec/template/metadata/labels
+  create: true
+  kind: ReplicaSet
+
+- path: spec/template/metadata/labels
+  create: true
+  kind: DaemonSet
+
+- path: spec/template/metadata/labels
+  create: true
+  group: apps
+  kind: StatefulSet
+
+- path: spec/volumeClaimTemplates[]/metadata/labels
+  create: true
+  group: apps
+  kind: StatefulSet
+
+- path: spec/template/metadata/labels
+  create: true
+  group: batch
+  kind: Job
+
+- path: spec/jobTemplate/metadata/labels
+  create: true
+  group: batch
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/metadata/labels
+  create: true
+  group: batch
+  kind: CronJob
+`
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/nameprefix.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/nameprefix.go
new file mode 100644
index 0000000000..59a25a61fa
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/nameprefix.go
@@ -0,0 +1,11 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const (
+	namePrefixFieldSpecs = `
+namePrefix:
+- path: metadata/name
+`
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namereference.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namereference.go
new file mode 100644
index 0000000000..383dcf83ea
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namereference.go
@@ -0,0 +1,434 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+// LINT.IfChange
+const (
+	nameReferenceFieldSpecs = `
+nameReference:
+- kind: Deployment
+  fieldSpecs:
+  - path: spec/scaleTargetRef/name
+    kind: HorizontalPodAutoscaler
+
+- kind: ReplicationController
+  fieldSpecs:
+  - path: spec/scaleTargetRef/name
+    kind: HorizontalPodAutoscaler
+
+- kind: ReplicaSet
+  fieldSpecs:
+  - path: spec/scaleTargetRef/name
+    kind: HorizontalPodAutoscaler
+
+- kind: StatefulSet
+  fieldSpecs:
+  - path: spec/scaleTargetRef/name
+    kind: HorizontalPodAutoscaler
+
+- kind: ConfigMap
+  version: v1
+  fieldSpecs:
+  - path: spec/volumes/configMap/name
+    version: v1
+    kind: Pod
+  - path: spec/containers/env/valueFrom/configMapKeyRef/name
+    version: v1
+    kind: Pod
+  - path: spec/initContainers/env/valueFrom/configMapKeyRef/name
+    version: v1
+    kind: Pod
+  - path: spec/containers/envFrom/configMapRef/name
+    version: v1
+    kind: Pod
+  - path: spec/initContainers/envFrom/configMapRef/name
+    version: v1
+    kind: Pod
+  - path: spec/volumes/projected/sources/configMap/name
+    version: v1
+    kind: Pod
+  - path: template/spec/volumes/configMap/name
+    kind: PodTemplate
+  - path: template/spec/containers/env/valueFrom/configMapKeyRef/name
+    kind: PodTemplate
+  - path: template/spec/initContainers/env/valueFrom/configMapKeyRef/name
+    kind: PodTemplate
+  - path: template/spec/containers/envFrom/configMapRef/name
+    kind: PodTemplate
+  - path: template/spec/initContainers/envFrom/configMapRef/name
+    kind: PodTemplate
+  - path: template/spec/volumes/projected/sources/configMap/name
+    kind: PodTemplate
+  - path: spec/template/spec/volumes/configMap/name
+    kind: Deployment
+  - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name
+    kind: Deployment
+  - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name
+    kind: Deployment
+  - path: spec/template/spec/containers/envFrom/configMapRef/name
+    kind: Deployment
+  - path: spec/template/spec/initContainers/envFrom/configMapRef/name
+    kind: Deployment
+  - path: spec/template/spec/volumes/projected/sources/configMap/name
+    kind: Deployment
+  - path: spec/template/spec/volumes/configMap/name
+    kind: ReplicaSet
+  - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name
+    kind: ReplicaSet
+  - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name
+    kind: ReplicaSet
+  - path: spec/template/spec/containers/envFrom/configMapRef/name
+    kind: ReplicaSet
+  - path: spec/template/spec/initContainers/envFrom/configMapRef/name
+    kind: ReplicaSet
+  - path: spec/template/spec/volumes/projected/sources/configMap/name
+    kind: ReplicaSet
+  - path: spec/template/spec/volumes/configMap/name
+    kind: DaemonSet
+  - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name
+    kind: DaemonSet
+  - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name
+    kind: DaemonSet
+  - path: spec/template/spec/containers/envFrom/configMapRef/name
+    kind: DaemonSet
+  - path: spec/template/spec/initContainers/envFrom/configMapRef/name
+    kind: DaemonSet
+  - path: spec/template/spec/volumes/projected/sources/configMap/name
+    kind: DaemonSet
+  - path: spec/template/spec/volumes/configMap/name
+    kind: StatefulSet
+  - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name
+    kind: StatefulSet
+  - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name
+    kind: StatefulSet
+  - path: spec/template/spec/containers/envFrom/configMapRef/name
+    kind: StatefulSet
+  - path: spec/template/spec/initContainers/envFrom/configMapRef/name
+    kind: StatefulSet
+  - path: spec/template/spec/volumes/projected/sources/configMap/name
+    kind: StatefulSet
+  - path: spec/template/spec/volumes/configMap/name
+    kind: Job
+  - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name
+    kind: Job
+  - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name
+    kind: Job
+  - path: spec/template/spec/containers/envFrom/configMapRef/name
+    kind: Job
+  - path: spec/template/spec/initContainers/envFrom/configMapRef/name
+    kind: Job
+  - path: spec/template/spec/volumes/projected/sources/configMap/name
+    kind: Job
+  - path: spec/jobTemplate/spec/template/spec/volumes/configMap/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/volumes/projected/sources/configMap/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/containers/env/valueFrom/configMapKeyRef/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/containers/envFrom/configMapRef/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/initContainers/envFrom/configMapRef/name
+    kind: CronJob
+  - path: spec/configSource/configMap
+    kind: Node
+  - path: rules/resourceNames
+    kind: Role
+  - path: rules/resourceNames
+    kind: ClusterRole
+  - path: metadata/annotations/nginx.ingress.kubernetes.io\/fastcgi-params-configmap
+    kind: Ingress
+
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/volumes/secret/secretName
+    version: v1
+    kind: Pod
+  - path: spec/containers/env/valueFrom/secretKeyRef/name
+    version: v1
+    kind: Pod
+  - path: spec/initContainers/env/valueFrom/secretKeyRef/name
+    version: v1
+    kind: Pod
+  - path: spec/containers/envFrom/secretRef/name
+    version: v1
+    kind: Pod
+  - path: spec/initContainers/envFrom/secretRef/name
+    version: v1
+    kind: Pod
+  - path: spec/imagePullSecrets/name
+    version: v1
+    kind: Pod
+  - path: spec/volumes/projected/sources/secret/name
+    version: v1
+    kind: Pod
+  - path: template/spec/volumes/secret/secretName
+    kind: PodTemplate
+  - path: template/spec/containers/env/valueFrom/secretKeyRef/name
+    kind: PodTemplate
+  - path: template/spec/initContainers/env/valueFrom/secretKeyRef/name
+    kind: PodTemplate
+  - path: template/spec/containers/envFrom/secretRef/name
+    kind: PodTemplate
+  - path: template/spec/initContainers/envFrom/secretRef/name
+    kind: PodTemplate
+  - path: template/spec/imagePullSecrets/name
+    kind: PodTemplate
+  - path: template/spec/volumes/projected/sources/secret/name
+    kind: PodTemplate
+  - path: spec/template/spec/volumes/secret/secretName
+    kind: Deployment
+  - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name
+    kind: Deployment
+  - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name
+    kind: Deployment
+  - path: spec/template/spec/containers/envFrom/secretRef/name
+    kind: Deployment
+  - path: spec/template/spec/initContainers/envFrom/secretRef/name
+    kind: Deployment
+  - path: spec/template/spec/imagePullSecrets/name
+    kind: Deployment
+  - path: spec/template/spec/volumes/projected/sources/secret/name
+    kind: Deployment
+  - path: spec/template/spec/volumes/secret/secretName
+    kind: ReplicaSet
+  - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name
+    kind: ReplicaSet
+  - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name
+    kind: ReplicaSet
+  - path: spec/template/spec/containers/envFrom/secretRef/name
+    kind: ReplicaSet
+  - path: spec/template/spec/initContainers/envFrom/secretRef/name
+    kind: ReplicaSet
+  - path: spec/template/spec/imagePullSecrets/name
+    kind: ReplicaSet
+  - path: spec/template/spec/volumes/projected/sources/secret/name
+    kind: ReplicaSet
+  - path: spec/template/spec/volumes/secret/secretName
+    kind: DaemonSet
+  - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name
+    kind: DaemonSet
+  - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name
+    kind: DaemonSet
+  - path: spec/template/spec/containers/envFrom/secretRef/name
+    kind: DaemonSet
+  - path: spec/template/spec/initContainers/envFrom/secretRef/name
+    kind: DaemonSet
+  - path: spec/template/spec/imagePullSecrets/name
+    kind: DaemonSet
+  - path: spec/template/spec/volumes/projected/sources/secret/name
+    kind: DaemonSet
+  - path: spec/template/spec/volumes/secret/secretName
+    kind: StatefulSet
+  - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name
+    kind: StatefulSet
+  - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name
+    kind: StatefulSet
+  - path: spec/template/spec/containers/envFrom/secretRef/name
+    kind: StatefulSet
+  - path: spec/template/spec/initContainers/envFrom/secretRef/name
+    kind: StatefulSet
+  - path: spec/template/spec/imagePullSecrets/name
+    kind: StatefulSet
+  - path: spec/template/spec/volumes/projected/sources/secret/name
+    kind: StatefulSet
+  - path: spec/template/spec/volumes/secret/secretName
+    kind: Job
+  - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name
+    kind: Job
+  - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name
+    kind: Job
+  - path: spec/template/spec/containers/envFrom/secretRef/name
+    kind: Job
+  - path: spec/template/spec/initContainers/envFrom/secretRef/name
+    kind: Job
+  - path: spec/template/spec/imagePullSecrets/name
+    kind: Job
+  - path: spec/template/spec/volumes/projected/sources/secret/name
+    kind: Job
+  - path: spec/jobTemplate/spec/template/spec/volumes/secret/secretName
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/volumes/projected/sources/secret/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/containers/env/valueFrom/secretKeyRef/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/containers/envFrom/secretRef/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/initContainers/envFrom/secretRef/name
+    kind: CronJob
+  - path: spec/jobTemplate/spec/template/spec/imagePullSecrets/name
+    kind: CronJob
+  - path: spec/tls/secretName
+    kind: Ingress
+  - path: metadata/annotations/ingress.kubernetes.io\/auth-secret
+    kind: Ingress
+  - path: metadata/annotations/nginx.ingress.kubernetes.io\/auth-secret
+    kind: Ingress
+  - path: metadata/annotations/nginx.ingress.kubernetes.io\/auth-tls-secret
+    kind: Ingress
+  - path: spec/tls/secretName
+    kind: Ingress
+  - path: imagePullSecrets/name
+    kind: ServiceAccount
+  - path: parameters/secretName
+    kind: StorageClass
+  - path: parameters/adminSecretName
+    kind: StorageClass
+  - path: parameters/userSecretName
+    kind: StorageClass
+  - path: parameters/secretRef
+    kind: StorageClass
+  - path: rules/resourceNames
+    kind: Role
+  - path: rules/resourceNames
+    kind: ClusterRole
+  - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name
+    kind: Service
+    group: serving.knative.dev
+    version: v1
+  - path: spec/azureFile/secretName
+    kind: PersistentVolume
+
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - path: spec/serviceName
+    kind: StatefulSet
+    group: apps
+  - path: spec/rules/http/paths/backend/serviceName
+    kind: Ingress
+  - path: spec/backend/serviceName
+    kind: Ingress
+  - path: spec/rules/http/paths/backend/service/name
+    kind: Ingress
+  - path: spec/defaultBackend/service/name
+    kind: Ingress
+  - path: spec/service/name
+    kind: APIService
+    group: apiregistration.k8s.io
+  - path: webhooks/clientConfig/service
+    kind: ValidatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+  - path: webhooks/clientConfig/service
+    kind: MutatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+
+- kind: Role
+  group: rbac.authorization.k8s.io
+  fieldSpecs:
+  - path: roleRef/name
+    kind: RoleBinding
+    group: rbac.authorization.k8s.io
+
+- kind: ClusterRole
+  group: rbac.authorization.k8s.io
+  fieldSpecs:
+  - path: roleRef/name
+    kind: RoleBinding
+    group: rbac.authorization.k8s.io
+  - path: roleRef/name
+    kind: ClusterRoleBinding
+    group: rbac.authorization.k8s.io
+
+- kind: ServiceAccount
+  version: v1
+  fieldSpecs:
+  - path: subjects
+    kind: RoleBinding
+    group: rbac.authorization.k8s.io
+  - path: subjects
+    kind: ClusterRoleBinding
+    group: rbac.authorization.k8s.io
+  - path: spec/serviceAccountName
+    kind: Pod
+  - path: spec/template/spec/serviceAccountName
+    kind: StatefulSet
+  - path: spec/template/spec/serviceAccountName
+    kind: Deployment
+  - path: spec/template/spec/serviceAccountName
+    kind: ReplicationController
+  - path: spec/jobTemplate/spec/template/spec/serviceAccountName
+    kind: CronJob
+  - path: spec/template/spec/serviceAccountName
+    kind: Job
+  - path: spec/template/spec/serviceAccountName
+    kind: DaemonSet
+
+- kind: PersistentVolumeClaim
+  version: v1
+  fieldSpecs:
+  - path: spec/volumes/persistentVolumeClaim/claimName
+    kind: Pod
+  - path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+    kind: StatefulSet
+  - path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+    kind: Deployment
+  - path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+    kind: ReplicationController
+  - path: spec/jobTemplate/spec/template/spec/volumes/persistentVolumeClaim/claimName
+    kind: CronJob
+  - path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+    kind: Job
+  - path: spec/template/spec/volumes/persistentVolumeClaim/claimName
+    kind: DaemonSet
+
+- kind: PersistentVolume
+  version: v1
+  fieldSpecs:
+  - path: spec/volumeName
+    kind: PersistentVolumeClaim
+  - path: rules/resourceNames
+    kind: ClusterRole
+
+- kind: StorageClass
+  version: v1
+  group: storage.k8s.io
+  fieldSpecs:
+  - path: spec/storageClassName
+    kind: PersistentVolume
+  - path: spec/storageClassName
+    kind: PersistentVolumeClaim
+  - path: spec/volumeClaimTemplates/spec/storageClassName
+    kind: StatefulSet
+
+- kind: PriorityClass
+  version: v1
+  group: scheduling.k8s.io
+  fieldSpecs:
+  - path: spec/priorityClassName
+    kind: Pod
+  - path: spec/template/spec/priorityClassName
+    kind: StatefulSet
+  - path: spec/template/spec/priorityClassName
+    kind: Deployment
+  - path: spec/template/spec/priorityClassName
+    kind: ReplicationController
+  - path: spec/jobTemplate/spec/template/spec/priorityClassName
+    kind: CronJob
+  - path: spec/template/spec/priorityClassName
+    kind: Job
+  - path: spec/template/spec/priorityClassName
+    kind: DaemonSet
+
+- kind: IngressClass
+  version: v1
+  group: networking.k8s.io/v1
+  fieldSpecs:
+  - path: spec/ingressClassName
+    kind: Ingress
+
+- kind: ValidatingAdmissionPolicy
+  group: admissionregistration.k8s.io
+  fieldSpecs:
+  - path: spec/policyName
+    kind: ValidatingAdmissionPolicyBinding
+    group: admissionregistration.k8s.io
+`
+)
+
+// LINT.ThenChange(/examples/transformerconfigs/README.md)
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namespace.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namespace.go
new file mode 100644
index 0000000000..35774a7db3
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namespace.go
@@ -0,0 +1,20 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const (
+	namespaceFieldSpecs = `
+namespace:
+- path: metadata/name
+  kind: Namespace
+  create: true
+- path: spec/service/namespace
+  group: apiregistration.k8s.io
+  kind: APIService
+  create: true
+- path: spec/conversion/webhook/clientConfig/service/namespace
+  group: apiextensions.k8s.io
+  kind: CustomResourceDefinition
+`
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namesuffix.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namesuffix.go
new file mode 100644
index 0000000000..11592bd2b9
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namesuffix.go
@@ -0,0 +1,11 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const (
+	nameSuffixFieldSpecs = `
+nameSuffix:
+- path: metadata/name
+`
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/replicas.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/replicas.go
new file mode 100644
index 0000000000..76549c21fa
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/replicas.go
@@ -0,0 +1,23 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const replicasFieldSpecs = `
+replicas:
+- path: spec/replicas
+  create: true
+  kind: Deployment
+
+- path: spec/replicas
+  create: true
+  kind: ReplicationController
+
+- path: spec/replicas
+  create: true
+  kind: ReplicaSet
+
+- path: spec/replicas
+  create: true
+  kind: StatefulSet
+`
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/templatelabels.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/templatelabels.go
new file mode 100644
index 0000000000..5d3c9c1957
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/templatelabels.go
@@ -0,0 +1,8 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const templateLabelFieldSpecs = `
+templateLabels:
+` + metadataLabelsFieldSpecs
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/varreference.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/varreference.go
new file mode 100644
index 0000000000..f4011d825d
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/varreference.go
@@ -0,0 +1,223 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const (
+	varReferenceFieldSpecs = `
+varReference:
+- path: spec/jobTemplate/spec/template/spec/containers/args
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/spec/containers/command
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/spec/containers/env/value
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/spec/containers/volumeMounts/mountPath
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/spec/initContainers/args
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/spec/initContainers/command
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/spec/initContainers/env/value
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/spec/initContainers/volumeMounts/mountPath
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/volumes/nfs/server
+  kind: CronJob
+
+- path: spec/template/spec/containers/args
+  kind: DaemonSet
+
+- path: spec/template/spec/containers/command
+  kind: DaemonSet
+
+- path: spec/template/spec/containers/env/value
+  kind: DaemonSet
+
+- path: spec/template/spec/containers/volumeMounts/mountPath
+  kind: DaemonSet
+
+- path: spec/template/spec/initContainers/args
+  kind: DaemonSet
+
+- path: spec/template/spec/initContainers/command
+  kind: DaemonSet
+
+- path: spec/template/spec/initContainers/env/value
+  kind: DaemonSet
+
+- path: spec/template/spec/initContainers/volumeMounts/mountPath
+  kind: DaemonSet
+
+- path: spec/template/spec/volumes/nfs/server
+  kind: DaemonSet
+
+- path: spec/template/spec/containers/args
+  kind: Deployment
+
+- path: spec/template/spec/containers/command
+  kind: Deployment
+
+- path: spec/template/spec/containers/env/value
+  kind: Deployment
+
+- path: spec/template/spec/containers/volumeMounts/mountPath
+  kind: Deployment
+
+- path: spec/template/spec/initContainers/args
+  kind: Deployment
+
+- path: spec/template/spec/initContainers/command
+  kind: Deployment
+
+- path: spec/template/spec/initContainers/env/value
+  kind: Deployment
+
+- path: spec/template/spec/initContainers/volumeMounts/mountPath
+  kind: Deployment
+
+- path: spec/template/spec/volumes/nfs/server
+  kind: Deployment
+
+- path: spec/template/metadata/annotations
+  kind: Deployment
+
+- path: spec/rules/host
+  kind: Ingress
+
+- path: spec/tls/hosts
+  kind: Ingress
+  
+- path: spec/tls/secretName
+  kind: Ingress
+
+- path: spec/template/spec/containers/args
+  kind: Job
+
+- path: spec/template/spec/containers/command
+  kind: Job
+
+- path: spec/template/spec/containers/env/value
+  kind: Job
+
+- path: spec/template/spec/containers/volumeMounts/mountPath
+  kind: Job
+
+- path: spec/template/spec/initContainers/args
+  kind: Job
+
+- path: spec/template/spec/initContainers/command
+  kind: Job
+
+- path: spec/template/spec/initContainers/env/value
+  kind: Job
+
+- path: spec/template/spec/initContainers/volumeMounts/mountPath
+  kind: Job
+
+- path: spec/template/spec/volumes/nfs/server
+  kind: Job
+
+- path: spec/containers/args
+  kind: Pod
+
+- path: spec/containers/command
+  kind: Pod
+
+- path: spec/containers/env/value
+  kind: Pod
+
+- path: spec/containers/volumeMounts/mountPath
+  kind: Pod
+
+- path: spec/initContainers/args
+  kind: Pod
+
+- path: spec/initContainers/command
+  kind: Pod
+
+- path: spec/initContainers/env/value
+  kind: Pod
+
+- path: spec/initContainers/volumeMounts/mountPath
+  kind: Pod
+
+- path: spec/volumes/nfs/server
+  kind: Pod
+
+- path: spec/template/spec/containers/args
+  kind: ReplicaSet
+
+- path: spec/template/spec/containers/command
+  kind: ReplicaSet
+
+- path: spec/template/spec/containers/env/value
+  kind: ReplicaSet
+
+- path: spec/template/spec/containers/volumeMounts/mountPath
+  kind: ReplicaSet
+
+- path: spec/template/spec/initContainers/args
+  kind: ReplicaSet
+
+- path: spec/template/spec/initContainers/command
+  kind: ReplicaSet
+
+- path: spec/template/spec/initContainers/env/value
+  kind: ReplicaSet
+
+- path: spec/template/spec/initContainers/volumeMounts/mountPath
+  kind: ReplicaSet
+
+- path: spec/template/spec/volumes/nfs/server
+  kind: ReplicaSet
+
+- path: spec/ports/port
+  kind: Service
+
+- path: spec/ports/targetPort
+  kind: Service
+
+- path: spec/template/spec/containers/args
+  kind: StatefulSet
+
+- path: spec/template/spec/containers/command
+  kind: StatefulSet
+
+- path: spec/template/spec/containers/env/value
+  kind: StatefulSet
+
+- path: spec/template/spec/containers/volumeMounts/mountPath
+  kind: StatefulSet
+
+- path: spec/template/spec/initContainers/args
+  kind: StatefulSet
+
+- path: spec/template/spec/initContainers/command
+  kind: StatefulSet
+
+- path: spec/template/spec/initContainers/env/value
+  kind: StatefulSet
+
+- path: spec/template/spec/initContainers/volumeMounts/mountPath
+  kind: StatefulSet
+
+- path: spec/volumeClaimTemplates/spec/nfs/server
+  kind: StatefulSet
+
+- path: spec/nfs/server
+  kind: PersistentVolume
+
+- path: metadata/labels
+
+- path: metadata/annotations
+`
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/kusterr/yamlformaterror.go b/vendor/sigs.k8s.io/kustomize/api/internal/kusterr/yamlformaterror.go
new file mode 100644
index 0000000000..aa76d1dd7f
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/kusterr/yamlformaterror.go
@@ -0,0 +1,55 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package error has contextual error types.
+package kusterr
+
+import (
+	"fmt"
+	"strings"
+)
+
+// YamlFormatError represents error with yaml file name where json/yaml format error happens.
+type YamlFormatError struct {
+	Path     string
+	ErrorMsg string
+}
+
+func (e YamlFormatError) Error() string {
+	return fmt.Sprintf("YAML file [%s] encounters a format error.\n%s\n", e.Path, e.ErrorMsg)
+}
+
+// MalformedYamlError represents an error that occurred while trying to decode a given YAML.
+type MalformedYamlError struct {
+	Path     string
+	ErrorMsg string
+}
+
+func (e MalformedYamlError) Error() string {
+	return fmt.Sprintf("%s in File: %s", e.ErrorMsg, e.Path)
+}
+
+// Handler handles YamlFormatError
+func Handler(e error, path string) error {
+	if isYAMLSyntaxError(e) {
+		return YamlFormatError{
+			Path:     path,
+			ErrorMsg: e.Error(),
+		}
+	}
+	if IsMalformedYAMLError(e) {
+		return MalformedYamlError{
+			Path:     path,
+			ErrorMsg: e.Error(),
+		}
+	}
+	return e
+}
+
+func isYAMLSyntaxError(e error) bool {
+	return strings.Contains(e.Error(), "error converting YAML to JSON") || strings.Contains(e.Error(), "error unmarshaling JSON")
+}
+
+func IsMalformedYAMLError(e error) bool {
+	return strings.Contains(e.Error(), "MalformedYAMLError")
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/loader/errors.go b/vendor/sigs.k8s.io/kustomize/api/internal/loader/errors.go
new file mode 100644
index 0000000000..2463debdbb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/loader/errors.go
@@ -0,0 +1,11 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package loader
+
+import "sigs.k8s.io/kustomize/kyaml/errors"
+
+var (
+	ErrHTTP     = errors.Errorf("HTTP Error")
+	ErrRtNotDir = errors.Errorf("must build at directory")
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/loader/fileloader.go b/vendor/sigs.k8s.io/kustomize/api/internal/loader/fileloader.go
new file mode 100644
index 0000000000..69b8295eb7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/loader/fileloader.go
@@ -0,0 +1,334 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package loader
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"path/filepath"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/git"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// IsRemoteFile returns whether path has a url scheme that kustomize allows for
+// remote files. See https://github.com/kubernetes-sigs/kustomize/blob/master/examples/remoteBuild.md
+func IsRemoteFile(path string) bool {
+	u, err := url.Parse(path)
+	return err == nil && (u.Scheme == "http" || u.Scheme == "https")
+}
+
+// FileLoader is a kustomization's interface to files.
+//
+// The directory in which a kustomization file sits
+// is referred to below as the kustomization's _root_.
+//
+// An instance of fileLoader has an immutable root,
+// and offers a `New` method returning a new loader
+// with a new root.
+//
+// A kustomization file refers to two kinds of files:
+//
+// * supplemental data paths
+//
+//	`Load` is used to visit these paths.
+//
+//	These paths refer to resources, patches,
+//	data for ConfigMaps and Secrets, etc.
+//
+//	The loadRestrictor may disallow certain paths
+//	or classes of paths.
+//
+// * bases (other kustomizations)
+//
+//	`New` is used to load bases.
+//
+//	A base can be either a remote git repo URL, or
+//	a directory specified relative to the current
+//	root. In the former case, the repo is locally
+//	cloned, and the new loader is rooted on a path
+//	in that clone.
+//
+//	As loaders create new loaders, a root history
+//	is established, and used to disallow:
+//
+//	- A base that is a repository that, in turn,
+//	  specifies a base repository seen previously
+//	  in the loading stack (a cycle).
+//
+//	- An overlay depending on a base positioned at
+//	  or above it.  I.e. '../foo' is OK, but '.',
+//	  '..', '../..', etc. are disallowed.  Allowing
+//	  such a base has no advantages and encourages
+//	  cycles, particularly if some future change
+//	  were to introduce globbing to file
+//	  specifications in the kustomization file.
+//
+// These restrictions assure that kustomizations
+// are self-contained and relocatable, and impose
+// some safety when relying on remote kustomizations,
+// e.g. a remotely loaded ConfigMap generator specified
+// to read from /etc/passwd will fail.
+type FileLoader struct {
+	// Loader that spawned this loader.
+	// Used to avoid cycles.
+	referrer *FileLoader
+
+	// An absolute, cleaned path to a directory.
+	// The Load function will read non-absolute
+	// paths relative to this directory.
+	root filesys.ConfirmedDir
+
+	// Restricts behavior of Load function.
+	loadRestrictor LoadRestrictorFunc
+
+	// If this is non-nil, the files were
+	// obtained from the given repository.
+	repoSpec *git.RepoSpec
+
+	// File system utilities.
+	fSys filesys.FileSystem
+
+	// Used to load from HTTP
+	http *http.Client
+
+	// Used to clone repositories.
+	cloner git.Cloner
+
+	// Used to clean up, as needed.
+	cleaner func() error
+}
+
+// Repo returns the absolute path to the repo that contains Root if this fileLoader was created from a url
+// or the empty string otherwise.
+func (fl *FileLoader) Repo() string {
+	if fl.repoSpec != nil {
+		return fl.repoSpec.Dir.String()
+	}
+	return ""
+}
+
+// Root returns the absolute path that is prepended to any
+// relative paths used in Load.
+func (fl *FileLoader) Root() string {
+	return fl.root.String()
+}
+
+func NewLoaderOrDie(
+	lr LoadRestrictorFunc,
+	fSys filesys.FileSystem, path string) *FileLoader {
+	root, err := filesys.ConfirmDir(fSys, path)
+	if err != nil {
+		log.Fatalf("unable to make loader at '%s'; %v", path, err)
+	}
+	return newLoaderAtConfirmedDir(
+		lr, root, fSys, nil, git.ClonerUsingGitExec)
+}
+
+// newLoaderAtConfirmedDir returns a new FileLoader with given root.
+func newLoaderAtConfirmedDir(
+	lr LoadRestrictorFunc,
+	root filesys.ConfirmedDir, fSys filesys.FileSystem,
+	referrer *FileLoader, cloner git.Cloner) *FileLoader {
+	return &FileLoader{
+		loadRestrictor: lr,
+		root:           root,
+		referrer:       referrer,
+		fSys:           fSys,
+		cloner:         cloner,
+		cleaner:        func() error { return nil },
+	}
+}
+
+// New returns a new Loader, rooted relative to current loader,
+// or rooted in a temp directory holding a git repo clone.
+func (fl *FileLoader) New(path string) (ifc.Loader, error) {
+	if path == "" {
+		return nil, errors.Errorf("new root cannot be empty")
+	}
+
+	repoSpec, err := git.NewRepoSpecFromURL(path)
+	if err == nil {
+		// Treat this as git repo clone request.
+		if err = fl.errIfRepoCycle(repoSpec); err != nil {
+			return nil, err
+		}
+		return newLoaderAtGitClone(
+			repoSpec, fl.fSys, fl, fl.cloner)
+	}
+
+	if filepath.IsAbs(path) {
+		return nil, fmt.Errorf("new root '%s' cannot be absolute", path)
+	}
+	root, err := filesys.ConfirmDir(fl.fSys, fl.root.Join(path))
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, ErrRtNotDir.Error()) //nolint:govet
+	}
+	if err = fl.errIfGitContainmentViolation(root); err != nil {
+		return nil, err
+	}
+	if err = fl.errIfArgEqualOrHigher(root); err != nil {
+		return nil, err
+	}
+	return newLoaderAtConfirmedDir(
+		fl.loadRestrictor, root, fl.fSys, fl, fl.cloner), nil
+}
+
+// newLoaderAtGitClone returns a new Loader pinned to a temporary
+// directory holding a cloned git repo.
+func newLoaderAtGitClone(
+	repoSpec *git.RepoSpec, fSys filesys.FileSystem,
+	referrer *FileLoader, cloner git.Cloner) (ifc.Loader, error) {
+	cleaner := repoSpec.Cleaner(fSys)
+	err := cloner(repoSpec)
+	if err != nil {
+		cleaner()
+		return nil, err
+	}
+	root, f, err := fSys.CleanedAbs(repoSpec.AbsPath())
+	if err != nil {
+		cleaner()
+		return nil, err
+	}
+	// We don't know that the path requested in repoSpec
+	// is a directory until we actually clone it and look
+	// inside.  That just happened, hence the error check
+	// is here.
+	if f != "" {
+		cleaner()
+		return nil, fmt.Errorf(
+			"'%s' refers to file '%s'; expecting directory",
+			repoSpec.AbsPath(), f)
+	}
+	// Path in repo can contain symlinks that exit repo. We can only
+	// check for this after cloning repo.
+	if !root.HasPrefix(repoSpec.CloneDir()) {
+		_ = cleaner()
+		return nil, fmt.Errorf("%q refers to directory outside of repo %q", repoSpec.AbsPath(),
+			repoSpec.CloneDir())
+	}
+	return &FileLoader{
+		// Clones never allowed to escape root.
+		loadRestrictor: RestrictionRootOnly,
+		root:           root,
+		referrer:       referrer,
+		repoSpec:       repoSpec,
+		fSys:           fSys,
+		cloner:         cloner,
+		cleaner:        cleaner,
+	}, nil
+}
+
+func (fl *FileLoader) errIfGitContainmentViolation(
+	base filesys.ConfirmedDir) error {
+	containingRepo := fl.containingRepo()
+	if containingRepo == nil {
+		return nil
+	}
+	if !base.HasPrefix(containingRepo.CloneDir()) {
+		return fmt.Errorf(
+			"security; bases in kustomizations found in "+
+				"cloned git repos must be within the repo, "+
+				"but base '%s' is outside '%s'",
+			base, containingRepo.CloneDir())
+	}
+	return nil
+}
+
+// Looks back through referrers for a git repo, returning nil
+// if none found.
+func (fl *FileLoader) containingRepo() *git.RepoSpec {
+	if fl.repoSpec != nil {
+		return fl.repoSpec
+	}
+	if fl.referrer == nil {
+		return nil
+	}
+	return fl.referrer.containingRepo()
+}
+
+// errIfArgEqualOrHigher tests whether the argument,
+// is equal to or above the root of any ancestor.
+func (fl *FileLoader) errIfArgEqualOrHigher(
+	candidateRoot filesys.ConfirmedDir) error {
+	if fl.root.HasPrefix(candidateRoot) {
+		return fmt.Errorf(
+			"cycle detected: candidate root '%s' contains visited root '%s'",
+			candidateRoot, fl.root)
+	}
+	if fl.referrer == nil {
+		return nil
+	}
+	return fl.referrer.errIfArgEqualOrHigher(candidateRoot)
+}
+
+// TODO(monopole): Distinguish branches?
+// I.e. Allow a distinction between git URI with
+// path foo and tag bar and a git URI with the same
+// path but a different tag?
+func (fl *FileLoader) errIfRepoCycle(newRepoSpec *git.RepoSpec) error {
+	// TODO(monopole): Use parsed data instead of Raw().
+	if fl.repoSpec != nil &&
+		strings.HasPrefix(fl.repoSpec.Raw(), newRepoSpec.Raw()) {
+		return fmt.Errorf(
+			"cycle detected: URI '%s' referenced by previous URI '%s'",
+			newRepoSpec.Raw(), fl.repoSpec.Raw())
+	}
+	if fl.referrer == nil {
+		return nil
+	}
+	return fl.referrer.errIfRepoCycle(newRepoSpec)
+}
+
+// Load returns the content of file at the given path,
+// else an error. Relative paths are taken relative
+// to the root.
+func (fl *FileLoader) Load(path string) ([]byte, error) {
+	if IsRemoteFile(path) {
+		return fl.httpClientGetContent(path)
+	}
+	if !filepath.IsAbs(path) {
+		path = fl.root.Join(path)
+	}
+	path, err := fl.loadRestrictor(fl.fSys, fl.root, path)
+	if err != nil {
+		return nil, err
+	}
+	return fl.fSys.ReadFile(path)
+}
+
+func (fl *FileLoader) httpClientGetContent(path string) ([]byte, error) {
+	var hc *http.Client
+	if fl.http != nil {
+		hc = fl.http
+	} else {
+		hc = &http.Client{}
+	}
+	resp, err := hc.Get(path)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	defer resp.Body.Close()
+	// response unsuccessful
+	if resp.StatusCode < 200 || resp.StatusCode > 299 {
+		_, err = git.NewRepoSpecFromURL(path)
+		if err == nil {
+			return nil, errors.Errorf("URL is a git repository")
+		}
+		return nil, fmt.Errorf("%w: status code %d (%s)", ErrHTTP, resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+	content, err := io.ReadAll(resp.Body)
+	return content, errors.Wrap(err)
+}
+
+// Cleanup runs the cleaner.
+func (fl *FileLoader) Cleanup() error {
+	return fl.cleaner()
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/loader/loader.go b/vendor/sigs.k8s.io/kustomize/api/internal/loader/loader.go
new file mode 100644
index 0000000000..60b254fa7e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/loader/loader.go
@@ -0,0 +1,35 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package loader has a data loading interface and various implementations.
+package loader
+
+import (
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/git"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// NewLoader returns a Loader pointed at the given target.
+// If the target is remote, the loader will be restricted
+// to the root and below only.  If the target is local, the
+// loader will have the restrictions passed in.  Regardless,
+// if a local target attempts to transitively load remote bases,
+// the remote bases will all be root-only restricted.
+func NewLoader(
+	lr LoadRestrictorFunc,
+	target string, fSys filesys.FileSystem) (ifc.Loader, error) {
+	repoSpec, err := git.NewRepoSpecFromURL(target)
+	if err == nil {
+		// The target qualifies as a remote git target.
+		return newLoaderAtGitClone(
+			repoSpec, fSys, nil, git.ClonerUsingGitExec)
+	}
+	root, err := filesys.ConfirmDir(fSys, target)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, ErrRtNotDir.Error()) //nolint:govet
+	}
+	return newLoaderAtConfirmedDir(
+		lr, root, fSys, nil, git.ClonerUsingGitExec), nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/loader/loadrestrictions.go b/vendor/sigs.k8s.io/kustomize/api/internal/loader/loadrestrictions.go
new file mode 100644
index 0000000000..a016a96254
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/loader/loadrestrictions.go
@@ -0,0 +1,35 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package loader
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+type LoadRestrictorFunc func(
+	filesys.FileSystem, filesys.ConfirmedDir, string) (string, error)
+
+func RestrictionRootOnly(
+	fSys filesys.FileSystem, root filesys.ConfirmedDir, path string) (string, error) {
+	d, f, err := fSys.CleanedAbs(path)
+	if err != nil {
+		return "", err
+	}
+	if f == "" {
+		return "", fmt.Errorf("'%s' must resolve to a file", path)
+	}
+	if !d.HasPrefix(root) {
+		return "", fmt.Errorf(
+			"security; file '%s' is not in or below '%s'",
+			path, root)
+	}
+	return d.Join(f), nil
+}
+
+func RestrictionNone(
+	_ filesys.FileSystem, _ filesys.ConfirmedDir, path string) (string, error) {
+	return path, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/doc.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/doc.go
new file mode 100644
index 0000000000..f41f79b0c1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/doc.go
@@ -0,0 +1,10 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package builtinconfig provides legacy methods for
+// configuring builtin plugins from a common config file.
+// As a user, its best to configure plugins individually
+// with plugin config files specified in the `transformers:`
+// or `generators:` field, than to use this legacy
+// configuration technique.
+package builtinconfig
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/loaddefaultconfig.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/loaddefaultconfig.go
new file mode 100644
index 0000000000..434941b6e0
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/loaddefaultconfig.go
@@ -0,0 +1,42 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinconfig
+
+import (
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/yaml"
+)
+
+// loadDefaultConfig returns a TranformerConfig
+// object from a list of files.
+func loadDefaultConfig(
+	ldr ifc.Loader, paths []string) (*TransformerConfig, error) {
+	result := &TransformerConfig{}
+	for _, path := range paths {
+		data, err := ldr.Load(path)
+		if err != nil {
+			return nil, err
+		}
+		t, err := makeTransformerConfigFromBytes(data)
+		if err != nil {
+			return nil, err
+		}
+		result, err = result.Merge(t)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return result, nil
+}
+
+// makeTransformerConfigFromBytes returns a TransformerConfig object from bytes
+func makeTransformerConfigFromBytes(data []byte) (*TransformerConfig, error) {
+	var t TransformerConfig
+	err := yaml.UnmarshalStrict(data, &t)
+	if err != nil {
+		return nil, err
+	}
+	t.sortFields()
+	return &t, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/namebackreferences.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/namebackreferences.go
new file mode 100644
index 0000000000..eb0f307338
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/namebackreferences.go
@@ -0,0 +1,112 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinconfig
+
+import (
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+// NameBackReferences is an association between a gvk.GVK (a ReferralTarget)
+// and a list of Referrers that could refer to it.
+//
+// It is used to handle name changes, and can be thought of as a
+// a contact list.  If you change your own contact info (name,
+// phone number, etc.), you must tell your contacts or they won't
+// know about the change.
+//
+// For example, ConfigMaps can be used by Pods and everything that
+// contains a Pod; Deployment, Job, StatefulSet, etc.
+// The ConfigMap is the ReferralTarget, the others are Referrers.
+//
+// If the name of a ConfigMap instance changed from 'alice' to 'bob',
+// one must
+//  - visit all objects that could refer to the ConfigMap (the Referrers)
+//  - see if they mention 'alice',
+//  - if so, change the Referrer's name reference to 'bob'.
+//
+// The NameBackReferences instance to aid in this could look like
+//   {
+//     kind: ConfigMap
+//     version: v1
+//     fieldSpecs:
+//     - kind: Pod
+//       version: v1
+//       path: spec/volumes/configMap/name
+//     - kind: Deployment
+//       path: spec/template/spec/volumes/configMap/name
+//     - kind: Job
+//       path: spec/template/spec/volumes/configMap/name
+//       (etc.)
+//   }
+type NameBackReferences struct {
+	resid.Gvk `json:",inline,omitempty" yaml:",inline,omitempty"`
+	// TODO: rename json 'fieldSpecs' to 'referrers' for clarity.
+	// This will, however, break anyone using a custom config.
+	Referrers types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+
+	// Note: If any new pointer based members are added, DeepCopy needs to be updated
+}
+
+func (n NameBackReferences) String() string {
+	var r []string
+	for _, f := range n.Referrers {
+		r = append(r, f.String())
+	}
+	return n.Gvk.String() + ":  (\n" +
+		strings.Join(r, "\n") + "\n)"
+}
+
+type nbrSlice []NameBackReferences
+
+func (s nbrSlice) Len() int      { return len(s) }
+func (s nbrSlice) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
+func (s nbrSlice) Less(i, j int) bool {
+	return s[i].Gvk.IsLessThan(s[j].Gvk)
+}
+
+// DeepCopy returns a new copy of nbrSlice
+func (s nbrSlice) DeepCopy() nbrSlice {
+	ret := make(nbrSlice, len(s))
+	copy(ret, s)
+	for i, slice := range ret {
+		ret[i].Referrers = slice.Referrers.DeepCopy()
+	}
+
+	return ret
+}
+
+func (s nbrSlice) mergeAll(o nbrSlice) (result nbrSlice, err error) {
+	result = s
+	for _, r := range o {
+		result, err = result.mergeOne(r)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return result, nil
+}
+
+func (s nbrSlice) mergeOne(other NameBackReferences) (nbrSlice, error) {
+	var result nbrSlice
+	var err error
+	found := false
+	for _, c := range s {
+		if c.Gvk.Equals(other.Gvk) {
+			c.Referrers, err = c.Referrers.MergeAll(other.Referrers)
+			if err != nil {
+				return nil, err
+			}
+			found = true
+		}
+		result = append(result, c)
+	}
+
+	if !found {
+		result = append(result, other)
+	}
+	return result, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/transformerconfig.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/transformerconfig.go
new file mode 100644
index 0000000000..b5d4b7aec1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/transformerconfig.go
@@ -0,0 +1,202 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinconfig
+
+import (
+	"log"
+	"sort"
+	"sync"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+// TransformerConfig holds the data needed to perform transformations.
+//
+//nolint:tagalign
+type TransformerConfig struct {
+	// if any fields are added, update the DeepCopy implementation
+	NamePrefix        types.FsSlice `json:"namePrefix,omitempty" yaml:"namePrefix,omitempty"`
+	NameSuffix        types.FsSlice `json:"nameSuffix,omitempty" yaml:"nameSuffix,omitempty"`
+	NameSpace         types.FsSlice `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	CommonLabels      types.FsSlice `json:"commonLabels,omitempty" yaml:"commonLabels,omitempty"`
+	Labels            types.FsSlice `json:"labels,omitempty" yaml:"labels,omitempty"`
+	TemplateLabels    types.FsSlice `json:"templateLabels,omitempty" yaml:"templateLabels,omitempty"`
+	CommonAnnotations types.FsSlice `json:"commonAnnotations,omitempty" yaml:"commonAnnotations,omitempty"`
+	NameReference     nbrSlice      `json:"nameReference,omitempty" yaml:"nameReference,omitempty"`
+	VarReference      types.FsSlice `json:"varReference,omitempty" yaml:"varReference,omitempty"`
+	Images            types.FsSlice `json:"images,omitempty" yaml:"images,omitempty"`
+	Replicas          types.FsSlice `json:"replicas,omitempty" yaml:"replicas,omitempty"`
+}
+
+// MakeEmptyConfig returns an empty TransformerConfig object
+func MakeEmptyConfig() *TransformerConfig {
+	return &TransformerConfig{}
+}
+
+// DeepCopy returns a new copy of TransformerConfig
+func (t *TransformerConfig) DeepCopy() *TransformerConfig {
+	return &TransformerConfig{
+		NamePrefix:        t.NamePrefix.DeepCopy(),
+		NameSuffix:        t.NameSuffix.DeepCopy(),
+		NameSpace:         t.NameSpace.DeepCopy(),
+		CommonLabels:      t.CommonLabels.DeepCopy(),
+		Labels:            t.Labels.DeepCopy(),
+		TemplateLabels:    t.TemplateLabels.DeepCopy(),
+		CommonAnnotations: t.CommonAnnotations.DeepCopy(),
+		NameReference:     t.NameReference.DeepCopy(),
+		VarReference:      t.VarReference.DeepCopy(),
+		Images:            t.Images.DeepCopy(),
+		Replicas:          t.Replicas.DeepCopy(),
+	}
+}
+
+// the default transformer config is initialized by MakeDefaultConfig,
+// and must only be accessed via that function.
+var (
+	initDefaultConfig sync.Once          //nolint:gochecknoglobals
+	defaultConfig     *TransformerConfig //nolint:gochecknoglobals
+)
+
+// MakeDefaultConfig returns a default TransformerConfig.
+func MakeDefaultConfig() *TransformerConfig {
+	// parsing is expensive when having a large tree with many kustomization modules, so only do it once
+	initDefaultConfig.Do(func() {
+		var err error
+		defaultConfig, err = makeTransformerConfigFromBytes(
+			builtinpluginconsts.GetDefaultFieldSpecs())
+		if err != nil {
+			log.Fatalf("Unable to make default transformconfig: %v", err)
+		}
+	})
+
+	// return a copy to avoid any mutations to protect the reference copy
+	return defaultConfig.DeepCopy()
+}
+
+// MakeTransformerConfig returns a merger of custom config,
+// if any, with default config.
+func MakeTransformerConfig(
+	ldr ifc.Loader, paths []string) (*TransformerConfig, error) {
+	t1 := MakeDefaultConfig()
+	if len(paths) == 0 {
+		return t1, nil
+	}
+	t2, err := loadDefaultConfig(ldr, paths)
+	if err != nil {
+		return nil, err
+	}
+	return t1.Merge(t2)
+}
+
+// sortFields provides determinism in logging, tests, etc.
+func (t *TransformerConfig) sortFields() {
+	sort.Sort(t.NamePrefix)
+	sort.Sort(t.NameSuffix)
+	sort.Sort(t.NameSpace)
+	sort.Sort(t.CommonLabels)
+	sort.Sort(t.Labels)
+	sort.Sort(t.TemplateLabels)
+	sort.Sort(t.CommonAnnotations)
+	sort.Sort(t.NameReference)
+	sort.Sort(t.VarReference)
+	sort.Sort(t.Images)
+	sort.Sort(t.Replicas)
+}
+
+// AddPrefixFieldSpec adds a FieldSpec to NamePrefix
+func (t *TransformerConfig) AddPrefixFieldSpec(fs types.FieldSpec) (err error) {
+	t.NamePrefix, err = t.NamePrefix.MergeOne(fs)
+	return err
+}
+
+// AddSuffixFieldSpec adds a FieldSpec to NameSuffix
+func (t *TransformerConfig) AddSuffixFieldSpec(fs types.FieldSpec) (err error) {
+	t.NameSuffix, err = t.NameSuffix.MergeOne(fs)
+	return err
+}
+
+// AddCommonLabelsFieldSpec adds a FieldSpec to CommonLabels
+func (t *TransformerConfig) AddCommonLabelsFieldSpec(fs types.FieldSpec) (err error) {
+	t.CommonLabels, err = t.CommonLabels.MergeOne(fs)
+	return err
+}
+
+// AddLabelsFieldSpec adds a FieldSpec to Labels
+func (t *TransformerConfig) AddLabelsFieldSpec(fs types.FieldSpec) (err error) {
+	t.Labels, err = t.Labels.MergeOne(fs)
+	return err //nolint:wrapcheck
+}
+
+// AddAnnotationFieldSpec adds a FieldSpec to CommonAnnotations
+func (t *TransformerConfig) AddAnnotationFieldSpec(fs types.FieldSpec) (err error) {
+	t.CommonAnnotations, err = t.CommonAnnotations.MergeOne(fs)
+	return err
+}
+
+// AddNamereferenceFieldSpec adds a NameBackReferences to NameReference
+func (t *TransformerConfig) AddNamereferenceFieldSpec(
+	nbrs NameBackReferences) (err error) {
+	t.NameReference, err = t.NameReference.mergeOne(nbrs)
+	return err
+}
+
+// Merge merges two TransformerConfigs objects into
+// a new TransformerConfig object
+func (t *TransformerConfig) Merge(input *TransformerConfig) (
+	merged *TransformerConfig, err error) {
+	if input == nil {
+		return t, nil
+	}
+	merged = &TransformerConfig{}
+	merged.NamePrefix, err = t.NamePrefix.MergeAll(input.NamePrefix)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge NamePrefix fieldSpec")
+	}
+	merged.NameSuffix, err = t.NameSuffix.MergeAll(input.NameSuffix)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge NameSuffix fieldSpec")
+	}
+	merged.NameSpace, err = t.NameSpace.MergeAll(input.NameSpace)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge NameSpace fieldSpec")
+	}
+	merged.CommonAnnotations, err = t.CommonAnnotations.MergeAll(
+		input.CommonAnnotations)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge CommonAnnotations fieldSpec")
+	}
+	merged.CommonLabels, err = t.CommonLabels.MergeAll(input.CommonLabels)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge CommonLabels fieldSpec")
+	}
+	merged.Labels, err = t.Labels.MergeAll(input.Labels)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge Labels fieldSpec")
+	}
+	merged.TemplateLabels, err = t.TemplateLabels.MergeAll(input.TemplateLabels)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge TemplateLabels fieldSpec")
+	}
+	merged.VarReference, err = t.VarReference.MergeAll(input.VarReference)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge VarReference fieldSpec")
+	}
+	merged.NameReference, err = t.NameReference.mergeAll(input.NameReference)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge NameReference fieldSpec")
+	}
+	merged.Images, err = t.Images.MergeAll(input.Images)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge Images fieldSpec")
+	}
+	merged.Replicas, err = t.Replicas.MergeAll(input.Replicas)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge Replicas fieldSpec")
+	}
+	merged.sortFields()
+	return merged, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtinplugintype_string.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtinplugintype_string.go
new file mode 100644
index 0000000000..ddcfcc190c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtinplugintype_string.go
@@ -0,0 +1,41 @@
+// Code generated by "stringer -type=BuiltinPluginType"; DO NOT EDIT.
+
+package builtinhelpers
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[Unknown-0]
+	_ = x[AnnotationsTransformer-1]
+	_ = x[ConfigMapGenerator-2]
+	_ = x[IAMPolicyGenerator-3]
+	_ = x[HashTransformer-4]
+	_ = x[ImageTagTransformer-5]
+	_ = x[LabelTransformer-6]
+	_ = x[NamespaceTransformer-7]
+	_ = x[PatchJson6902Transformer-8]
+	_ = x[PatchStrategicMergeTransformer-9]
+	_ = x[PatchTransformer-10]
+	_ = x[PrefixSuffixTransformer-11]
+	_ = x[PrefixTransformer-12]
+	_ = x[SuffixTransformer-13]
+	_ = x[ReplicaCountTransformer-14]
+	_ = x[SecretGenerator-15]
+	_ = x[ValueAddTransformer-16]
+	_ = x[HelmChartInflationGenerator-17]
+	_ = x[ReplacementTransformer-18]
+}
+
+const _BuiltinPluginType_name = "UnknownAnnotationsTransformerConfigMapGeneratorIAMPolicyGeneratorHashTransformerImageTagTransformerLabelTransformerNamespaceTransformerPatchJson6902TransformerPatchStrategicMergeTransformerPatchTransformerPrefixSuffixTransformerPrefixTransformerSuffixTransformerReplicaCountTransformerSecretGeneratorValueAddTransformerHelmChartInflationGeneratorReplacementTransformer"
+
+var _BuiltinPluginType_index = [...]uint16{0, 7, 29, 47, 65, 80, 99, 115, 135, 159, 189, 205, 228, 245, 262, 285, 300, 319, 346, 368}
+
+func (i BuiltinPluginType) String() string {
+	if i < 0 || i >= BuiltinPluginType(len(_BuiltinPluginType_index)-1) {
+		return "BuiltinPluginType(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _BuiltinPluginType_name[_BuiltinPluginType_index[i]:_BuiltinPluginType_index[i+1]]
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtins.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtins.go
new file mode 100644
index 0000000000..a98a23d398
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtins.go
@@ -0,0 +1,115 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinhelpers
+
+import (
+	"sigs.k8s.io/kustomize/api/internal/builtins"
+	"sigs.k8s.io/kustomize/api/resmap"
+)
+
+//go:generate stringer -type=BuiltinPluginType
+type BuiltinPluginType int
+
+const (
+	Unknown BuiltinPluginType = iota
+	AnnotationsTransformer
+	ConfigMapGenerator
+	IAMPolicyGenerator
+	HashTransformer
+	ImageTagTransformer
+	LabelTransformer
+	NamespaceTransformer
+	PatchJson6902Transformer
+	PatchStrategicMergeTransformer
+	PatchTransformer
+	PrefixSuffixTransformer
+	PrefixTransformer
+	SuffixTransformer
+	ReplicaCountTransformer
+	SecretGenerator
+	ValueAddTransformer
+	HelmChartInflationGenerator
+	ReplacementTransformer
+)
+
+var stringToBuiltinPluginTypeMap map[string]BuiltinPluginType
+
+func init() { //nolint:gochecknoinits
+	stringToBuiltinPluginTypeMap = makeStringToBuiltinPluginTypeMap()
+}
+
+func makeStringToBuiltinPluginTypeMap() (result map[string]BuiltinPluginType) {
+	result = make(map[string]BuiltinPluginType, 23)
+	for k := range GeneratorFactories {
+		result[k.String()] = k
+	}
+	for k := range TransformerFactories {
+		result[k.String()] = k
+	}
+	return
+}
+
+func GetBuiltinPluginType(n string) BuiltinPluginType {
+	result, ok := stringToBuiltinPluginTypeMap[n]
+	if ok {
+		return result
+	}
+	return Unknown
+}
+
+var GeneratorFactories = map[BuiltinPluginType]func() resmap.GeneratorPlugin{
+	ConfigMapGenerator:          builtins.NewConfigMapGeneratorPlugin,
+	IAMPolicyGenerator:          builtins.NewIAMPolicyGeneratorPlugin,
+	SecretGenerator:             builtins.NewSecretGeneratorPlugin,
+	HelmChartInflationGenerator: builtins.NewHelmChartInflationGeneratorPlugin,
+}
+
+type MultiTransformer struct {
+	transformers []resmap.TransformerPlugin
+}
+
+func (t *MultiTransformer) Transform(m resmap.ResMap) error {
+	for _, transformer := range t.transformers {
+		if err := transformer.Transform(m); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (t *MultiTransformer) Config(h *resmap.PluginHelpers, b []byte) error {
+	for _, transformer := range t.transformers {
+		if err := transformer.Config(h, b); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func NewMultiTransformer() resmap.TransformerPlugin {
+	return &MultiTransformer{[]resmap.TransformerPlugin{
+		builtins.NewPrefixTransformerPlugin(),
+		builtins.NewSuffixTransformerPlugin(),
+	}}
+}
+
+var TransformerFactories = map[BuiltinPluginType]func() resmap.TransformerPlugin{
+	AnnotationsTransformer:         builtins.NewAnnotationsTransformerPlugin,
+	HashTransformer:                builtins.NewHashTransformerPlugin,
+	ImageTagTransformer:            builtins.NewImageTagTransformerPlugin,
+	LabelTransformer:               builtins.NewLabelTransformerPlugin,
+	NamespaceTransformer:           builtins.NewNamespaceTransformerPlugin,
+	PatchJson6902Transformer:       builtins.NewPatchJson6902TransformerPlugin,
+	PatchStrategicMergeTransformer: builtins.NewPatchStrategicMergeTransformerPlugin,
+	PatchTransformer:               builtins.NewPatchTransformerPlugin,
+	PrefixSuffixTransformer:        NewMultiTransformer,
+	PrefixTransformer:              builtins.NewPrefixTransformerPlugin,
+	SuffixTransformer:              builtins.NewSuffixTransformerPlugin,
+	ReplacementTransformer:         builtins.NewReplacementTransformerPlugin,
+	ReplicaCountTransformer:        builtins.NewReplicaCountTransformerPlugin,
+	ValueAddTransformer:            builtins.NewValueAddTransformerPlugin,
+	// Do not wired SortOrderTransformer as a builtin plugin.
+	// We only want it to be available in the top-level kustomization.
+	// See: https://github.com/kubernetes-sigs/kustomize/issues/3913
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/execplugin.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/execplugin.go
new file mode 100644
index 0000000000..f6c1dba3ce
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/execplugin.go
@@ -0,0 +1,208 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package execplugin
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/internal/plugins/utils"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	tmpConfigFilePrefix = "kust-plugin-config-"
+	maxArgStringLength  = 131071
+)
+
+// ExecPlugin record the name and args of an executable
+// It triggers the executable generator and transformer
+type ExecPlugin struct {
+	// absolute path of the executable
+	path string
+
+	// Optional command line arguments to the executable
+	// pulled from specially named fields in cfg.
+	// This is for executables that don't want to parse YAML.
+	args []string
+
+	// Plugin configuration data.
+	cfg []byte
+
+	// PluginHelpers
+	h *resmap.PluginHelpers
+}
+
+func NewExecPlugin(p string) *ExecPlugin {
+	return &ExecPlugin{path: p}
+}
+
+func (p *ExecPlugin) ErrIfNotExecutable() error {
+	f, err := os.Stat(p.path)
+	if err != nil {
+		return err
+	}
+	// In Windows, it is not possible to determine whether a
+	// file is executable through file mode.
+	// TODO: provide for setting the executable FileMode bit on Windows
+	// The (fs *fileStat) Mode() (m FileMode) {} function in
+	// https://golang.org/src/os/types_windows.go
+	// lacks the ability to set the FileMode executable bit in response
+	// to file data on Windows.
+	if f.Mode()&0111 == 0000 && runtime.GOOS != "windows" {
+		return fmt.Errorf("unexecutable plugin at: %s", p.path)
+	}
+	return nil
+}
+
+func (p *ExecPlugin) Path() string {
+	return p.path
+}
+
+func (p *ExecPlugin) Args() []string {
+	return p.args
+}
+
+func (p *ExecPlugin) Cfg() []byte {
+	return p.cfg
+}
+
+func (p *ExecPlugin) Config(h *resmap.PluginHelpers, config []byte) error {
+	p.h = h
+	p.cfg = config
+	return p.processOptionalArgsFields()
+}
+
+type argsConfig struct {
+	ArgsOneLiner string `json:"argsOneLiner,omitempty" yaml:"argsOneLiner,omitempty"`
+	ArgsFromFile string `json:"argsFromFile,omitempty" yaml:"argsFromFile,omitempty"`
+}
+
+func (p *ExecPlugin) processOptionalArgsFields() error {
+	var c argsConfig
+	err := yaml.Unmarshal(p.cfg, &c)
+	if err != nil {
+		return err
+	}
+	if c.ArgsOneLiner != "" {
+		argsTolenSlice, err := ShlexSplit(c.ArgsOneLiner)
+		if err != nil {
+			return fmt.Errorf("failed to parse argsOneLiner: %w", err)
+		}
+		p.args = argsTolenSlice
+	}
+	if c.ArgsFromFile != "" {
+		content, err := p.h.Loader().Load(c.ArgsFromFile)
+		if err != nil {
+			return err
+		}
+		for _, x := range strings.Split(string(content), "\n") {
+			x := strings.TrimLeft(x, " ")
+			if x != "" {
+				p.args = append(p.args, x)
+			}
+		}
+	}
+	return nil
+}
+
+func (p *ExecPlugin) Generate() (resmap.ResMap, error) {
+	output, err := p.invokePlugin(nil)
+	if err != nil {
+		return nil, err
+	}
+	rm, err := p.h.ResmapFactory().NewResMapFromBytes(output)
+	if err != nil {
+		return nil, err
+	}
+	return utils.UpdateResourceOptions(rm)
+}
+
+func (p *ExecPlugin) Transform(rm resmap.ResMap) error {
+	// add ResIds as annotations to all objects so that we can add them back
+	inputRM, err := utils.GetResMapWithIDAnnotation(rm)
+	if err != nil {
+		return err
+	}
+
+	// encode the ResMap so it can be fed to the plugin
+	resources, err := inputRM.AsYaml()
+	if err != nil {
+		return err
+	}
+
+	// invoke the plugin with resources as the input
+	output, err := p.invokePlugin(resources)
+	if err != nil {
+		return fmt.Errorf("%v %s", err, string(output))
+	}
+
+	// update the original ResMap based on the output
+	return utils.UpdateResMapValues(p.path, p.h, output, rm)
+}
+
+// invokePlugin writes plugin config to a temp file, then
+// passes the full temp file path as the first arg to a process
+// running the plugin binary.  Process output is returned.
+func (p *ExecPlugin) invokePlugin(input []byte) ([]byte, error) {
+	f, err := os.CreateTemp("", tmpConfigFilePrefix)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "creating tmp plugin config file")
+	}
+	_, err = f.Write(p.cfg)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "writing plugin config to "+f.Name())
+	}
+	err = f.Close()
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "closing plugin config file "+f.Name())
+	}
+	//nolint:gosec
+	cmd := exec.Command(
+		p.path, append([]string{f.Name()}, p.args...)...)
+	cmd.Env = p.getEnv()
+	cmd.Stdin = bytes.NewReader(input)
+	var stdErr bytes.Buffer
+	cmd.Stderr = &stdErr
+	if _, err := os.Stat(p.h.Loader().Root()); err == nil {
+		cmd.Dir = p.h.Loader().Root()
+	}
+	result, err := cmd.Output()
+	if err != nil {
+		//nolint:govet
+		return nil, errors.WrapPrefixf(
+			fmt.Errorf("failure in plugin configured via %s; %w",
+				f.Name(), err), stdErr.String())
+	}
+	return result, os.Remove(f.Name())
+}
+
+func (p *ExecPlugin) getEnv() []string {
+	env := os.Environ()
+	pluginConfigString := "KUSTOMIZE_PLUGIN_CONFIG_STRING=" + string(p.cfg)
+	if len(pluginConfigString) <= maxArgStringLength {
+		env = append(env, pluginConfigString)
+	} else {
+		log.Printf("KUSTOMIZE_PLUGIN_CONFIG_STRING exceeds hard limit of %d characters, the environment variable "+
+			"will be omitted", maxArgStringLength)
+	}
+	pluginConfigRoot := "KUSTOMIZE_PLUGIN_CONFIG_ROOT=" + p.h.Loader().Root()
+	if len(pluginConfigRoot) <= maxArgStringLength {
+		env = append(env, pluginConfigRoot)
+	} else {
+		log.Printf("KUSTOMIZE_PLUGIN_CONFIG_ROOT exceeds hard limit of %d characters, the environment variable "+
+			"will be omitted", maxArgStringLength)
+	}
+	return env
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/shlex.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/shlex.go
new file mode 100644
index 0000000000..c1841e206c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/shlex.go
@@ -0,0 +1,62 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package execplugin
+
+import (
+	"fmt"
+	"strings"
+	"unicode"
+)
+
+// ShlexSplit splits a string into a slice of strings using shell-style rules for quoting and commenting
+// Similar to Python's shlex.split with comments enabled
+func ShlexSplit(s string) ([]string, error) {
+	return shlexSplit(s)
+}
+
+func shlexSplit(s string) ([]string, error) {
+	result := []string{}
+
+	// noQuote is used to track if we are not in a quoted
+	const noQuote = 0
+
+	var current strings.Builder
+	var quote rune = noQuote
+	var escaped bool
+
+	for _, r := range s {
+		switch {
+		case escaped:
+			current.WriteRune(r)
+			escaped = false
+		case r == '\\' && quote != '\'':
+			escaped = true
+		case (r == '\'' || r == '"') && quote == noQuote:
+			quote = r
+		case r == quote:
+			quote = noQuote
+		case r == '#' && quote == noQuote:
+			// Comment starts, ignore the rest of the line
+			if current.Len() > 0 {
+				result = append(result, current.String())
+			}
+			return result, nil
+		case unicode.IsSpace(r) && quote == noQuote:
+			if current.Len() > 0 {
+				result = append(result, current.String())
+				current.Reset()
+			}
+		default:
+			current.WriteRune(r)
+		}
+	}
+
+	if quote != noQuote {
+		return nil, fmt.Errorf("unclosed quote in string")
+	}
+	if current.Len() > 0 {
+		result = append(result, current.String())
+	}
+	return result, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/fnplugin/fnplugin.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/fnplugin/fnplugin.go
new file mode 100644
index 0000000000..0ec067562b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/fnplugin/fnplugin.go
@@ -0,0 +1,201 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package fnplugin
+
+import (
+	"bytes"
+	"fmt"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+
+	"sigs.k8s.io/kustomize/api/internal/plugins/utils"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil"
+	"sigs.k8s.io/kustomize/kyaml/runfn"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// FnPlugin is the struct to hold function information
+type FnPlugin struct {
+	// Function runner
+	runFns runfn.RunFns
+
+	// Plugin configuration data.
+	cfg []byte
+
+	// Plugin name cache for error output
+	pluginName string
+
+	// PluginHelpers
+	h *resmap.PluginHelpers
+}
+
+func bytesToRNode(yml []byte) (*yaml.RNode, error) {
+	rnode, err := yaml.Parse(string(yml))
+	if err != nil {
+		return nil, err
+	}
+	return rnode, nil
+}
+
+func resourceToRNode(res *resource.Resource) (*yaml.RNode, error) {
+	yml, err := res.AsYAML()
+	if err != nil {
+		return nil, err
+	}
+
+	return bytesToRNode(yml)
+}
+
+// GetFunctionSpec return function spec is there is. Otherwise return nil
+func GetFunctionSpec(res *resource.Resource) (*runtimeutil.FunctionSpec, error) {
+	rnode, err := resourceToRNode(res)
+	if err != nil {
+		return nil, fmt.Errorf("could not convert resource to RNode: %w", err)
+	}
+	functionSpec, err := runtimeutil.GetFunctionSpec(rnode)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get FunctionSpec: %w", err)
+	}
+	return functionSpec, nil
+}
+
+func toStorageMounts(mounts []string) []runtimeutil.StorageMount {
+	var sms []runtimeutil.StorageMount
+	for _, mount := range mounts {
+		sms = append(sms, runtimeutil.StringToStorageMount(mount))
+	}
+	return sms
+}
+
+// NewFnPlugin creates a FnPlugin struct
+func NewFnPlugin(o *types.FnPluginLoadingOptions) *FnPlugin {
+	return &FnPlugin{
+		runFns: runfn.RunFns{
+			Functions:      []*yaml.RNode{},
+			Network:        o.Network,
+			EnableExec:     o.EnableExec,
+			StorageMounts:  toStorageMounts(o.Mounts),
+			Env:            o.Env,
+			AsCurrentUser:  o.AsCurrentUser,
+			WorkingDir:     o.WorkingDir,
+		},
+	}
+}
+
+// Cfg returns function config
+func (p *FnPlugin) Cfg() []byte {
+	return p.cfg
+}
+
+// Config is called by kustomize to pass-in config information
+func (p *FnPlugin) Config(h *resmap.PluginHelpers, config []byte) error {
+	p.h = h
+	p.cfg = config
+
+	fn, err := bytesToRNode(p.cfg)
+	if err != nil {
+		return err
+	}
+
+	meta, err := fn.GetMeta()
+	if err != nil {
+		return err
+	}
+
+	p.pluginName = fmt.Sprintf("api: %s, kind: %s, name: %s",
+		meta.APIVersion, meta.Kind, meta.Name)
+
+	return nil
+}
+
+// Generate is called when run as generator
+func (p *FnPlugin) Generate() (resmap.ResMap, error) {
+	output, err := p.invokePlugin(nil)
+	if err != nil {
+		return nil, err
+	}
+	rm, err := p.h.ResmapFactory().NewResMapFromBytes(output)
+	if err != nil {
+		return nil, err
+	}
+	return utils.UpdateResourceOptions(rm)
+}
+
+// Transform is called when run as transformer
+func (p *FnPlugin) Transform(rm resmap.ResMap) error {
+	// add ResIds as annotations to all objects so that we can add them back
+	inputRM, err := utils.GetResMapWithIDAnnotation(rm)
+	if err != nil {
+		return err
+	}
+
+	// encode the ResMap so it can be fed to the plugin
+	resources, err := inputRM.AsYaml()
+	if err != nil {
+		return err
+	}
+
+	// invoke the plugin with resources as the input
+	output, err := p.invokePlugin(resources)
+	if err != nil {
+		return fmt.Errorf("%v %s", err, string(output))
+	}
+
+	// update the original ResMap based on the output
+	return utils.UpdateResMapValues(p.pluginName, p.h, output, rm)
+}
+
+func injectAnnotation(input *yaml.RNode, k, v string) error {
+	err := input.PipeE(yaml.SetAnnotation(k, v))
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// invokePlugin uses Function runner to run function as plugin
+func (p *FnPlugin) invokePlugin(input []byte) ([]byte, error) {
+	// get function config rnode
+	functionConfig, err := bytesToRNode(p.cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	// This annotation will let kustomize ingnore this item in output
+	err = injectAnnotation(functionConfig, "config.kubernetes.io/local-config", "true")
+	if err != nil {
+		return nil, err
+	}
+	// we need to add config as input for generators. Some of them don't work with FunctionConfig
+	// and in addition kio.Pipeline won't create anything if there are no objects
+	// see https://github.com/kubernetes-sigs/kustomize/blob/master/kyaml/kio/kio.go#L93
+	// Since we added `local-config` annotation so it will be ignored in generator output
+	// TODO(donnyxia): This is actually not used by generator and only used to bypass a kio limitation.
+	// Need better solution.
+	if input == nil {
+		yml, err := functionConfig.String()
+		if err != nil {
+			return nil, err
+		}
+		input = []byte(yml)
+	}
+
+	// Configure and Execute Fn. We don't need to convert resources to ResourceList here
+	// because function runtime will do that. See kyaml/fn/runtime/runtimeutil/runtimeutil.go
+	var ouputBuffer bytes.Buffer
+	p.runFns.Input = bytes.NewReader(input)
+	p.runFns.Functions = append(p.runFns.Functions, functionConfig)
+	p.runFns.Output = &ouputBuffer
+
+	err = p.runFns.Execute()
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "couldn't execute function")
+	}
+
+	return ouputBuffer.Bytes(), nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin.go
new file mode 100644
index 0000000000..3757cfc646
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin.go
@@ -0,0 +1,62 @@
+// Copyright 2024 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+//go:build !kustomize_disable_go_plugin_support
+
+package loader
+
+import (
+	"fmt"
+	"log"
+	"plugin"
+	"reflect"
+
+	"sigs.k8s.io/kustomize/api/internal/plugins/utils"
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+// registry is a means to avoid trying to load the same .so file
+// into memory more than once, which results in an error.
+// Each test makes its own loader, and tries to load its own plugins,
+// but the loaded .so files are in shared memory, so one will get
+// "this plugin already loaded" errors if the registry is maintained
+// as a Loader instance variable.  So make it a package variable.
+var registry = make(map[string]resmap.Configurable) //nolint:gochecknoglobals
+
+func copyPlugin(c resmap.Configurable) resmap.Configurable {
+	indirect := reflect.Indirect(reflect.ValueOf(c))
+	newIndirect := reflect.New(indirect.Type())
+	newIndirect.Elem().Set(reflect.ValueOf(indirect.Interface()))
+	newNamed := newIndirect.Interface()
+	return newNamed.(resmap.Configurable) //nolint:forcetypeassert
+}
+
+func (l *Loader) loadGoPlugin(id resid.ResId, absPath string) (resmap.Configurable, error) {
+	regId := relativePluginPath(id)
+	if c, ok := registry[regId]; ok {
+		return copyPlugin(c), nil
+	}
+	if !utils.FileExists(absPath) {
+		return nil, fmt.Errorf(
+			"expected file with Go object code at: %s", absPath)
+	}
+	log.Printf("Attempting plugin load from %q", absPath)
+	p, err := plugin.Open(absPath)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "plugin %s fails to load", absPath)
+	}
+	symbol, err := p.Lookup(konfig.PluginSymbol)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "plugin %s doesn't have symbol %s",
+			regId, konfig.PluginSymbol)
+	}
+	c, ok := symbol.(resmap.Configurable)
+	if !ok {
+		return nil, fmt.Errorf("plugin %q not configurable", regId)
+	}
+	registry[regId] = c
+	return copyPlugin(c), nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin_disabled.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin_disabled.go
new file mode 100644
index 0000000000..5531b7967f
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin_disabled.go
@@ -0,0 +1,25 @@
+// Copyright 2024 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// The build tag "kustomize_disable_go_plugin_support" is used to deactivate the
+// kustomize API's dependency on the "plugins" package. This is beneficial for
+// applications that need to embed it but do not have requirements for dynamic
+// Go plugins.
+// Including plugins as a dependency can lead to an increase in binary size due
+// to the population of ELF's sections such as .dynsym and .dynstr.
+// By utilizing this flag, applications have the flexibility to exclude the
+// import if they do not require support for dynamic Go plugins.
+//go:build kustomize_disable_go_plugin_support
+
+package loader
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+func (l *Loader) loadGoPlugin(_ resid.ResId, _ string) (resmap.Configurable, error) {
+	return nil, fmt.Errorf("plugin load is disabled")
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/loader.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/loader.go
new file mode 100644
index 0000000000..2edf8791ff
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/loader.go
@@ -0,0 +1,290 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package loader
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers"
+	"sigs.k8s.io/kustomize/api/internal/plugins/execplugin"
+	"sigs.k8s.io/kustomize/api/internal/plugins/fnplugin"
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+// Loader loads plugins using a file loader (a different loader).
+type Loader struct {
+	pc *types.PluginConfig
+	rf *resmap.Factory
+	fs filesys.FileSystem
+
+	// absolutePluginHome caches the location of a valid plugin root directory.
+	// It should only be set once the directory's existence has been confirmed.
+	absolutePluginHome string
+}
+
+func NewLoader(
+	pc *types.PluginConfig, rf *resmap.Factory, fs filesys.FileSystem,
+) *Loader {
+	return &Loader{pc: pc, rf: rf, fs: fs}
+}
+
+// LoaderWithWorkingDir returns loader after setting its working directory.
+// NOTE: This is not really a new loader since some of the Loader struct fields are pointers.
+func (l *Loader) LoaderWithWorkingDir(wd string) *Loader {
+	lpc := &types.PluginConfig{
+		PluginRestrictions: l.pc.PluginRestrictions,
+		BpLoadingOptions:   l.pc.BpLoadingOptions,
+		FnpLoadingOptions:  l.pc.FnpLoadingOptions,
+		HelmConfig:         l.pc.HelmConfig,
+	}
+	lpc.FnpLoadingOptions.WorkingDir = wd
+	return &Loader{pc: lpc, rf: l.rf, fs: l.fs}
+}
+
+// Config provides the global (not plugin specific) PluginConfig data.
+func (l *Loader) Config() *types.PluginConfig {
+	return l.pc
+}
+
+func (l *Loader) LoadGenerators(
+	ldr ifc.Loader, v ifc.Validator, rm resmap.ResMap) (
+	result []*resmap.GeneratorWithProperties, err error,
+) {
+	for _, res := range rm.Resources() {
+		g, err := l.LoadGenerator(ldr, v, res)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load generator: %w", err)
+		}
+		generatorOrigin, err := resource.OriginFromCustomPlugin(res)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get origin from CustomPlugin: %w", err)
+		}
+		result = append(result, &resmap.GeneratorWithProperties{Generator: g, Origin: generatorOrigin})
+	}
+	return result, nil
+}
+
+func (l *Loader) LoadGenerator(
+	ldr ifc.Loader, v ifc.Validator, res *resource.Resource,
+) (resmap.Generator, error) {
+	c, err := l.loadAndConfigurePlugin(ldr, v, res)
+	if err != nil {
+		return nil, err
+	}
+	g, ok := c.(resmap.Generator)
+	if !ok {
+		return nil, fmt.Errorf("plugin %s not a generator", res.OrgId())
+	}
+	return g, nil
+}
+
+func (l *Loader) LoadTransformers(
+	ldr ifc.Loader, v ifc.Validator, rm resmap.ResMap,
+) ([]*resmap.TransformerWithProperties, error) {
+	var result []*resmap.TransformerWithProperties
+	for _, res := range rm.Resources() {
+		t, err := l.LoadTransformer(ldr, v, res)
+		if err != nil {
+			return nil, err
+		}
+		transformerOrigin, err := resource.OriginFromCustomPlugin(res)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, &resmap.TransformerWithProperties{Transformer: t, Origin: transformerOrigin})
+	}
+	return result, nil
+}
+
+func (l *Loader) LoadTransformer(
+	ldr ifc.Loader, v ifc.Validator, res *resource.Resource,
+) (*resmap.TransformerWithProperties, error) {
+	c, err := l.loadAndConfigurePlugin(ldr, v, res)
+	if err != nil {
+		return nil, err
+	}
+	t, ok := c.(resmap.Transformer)
+	if !ok {
+		return nil, fmt.Errorf("plugin %s not a transformer", res.OrgId())
+	}
+	return &resmap.TransformerWithProperties{Transformer: t}, nil
+}
+
+func relativePluginPath(id resid.ResId) string {
+	return filepath.Join(
+		id.Group,
+		id.Version,
+		strings.ToLower(id.Kind))
+}
+
+func (l *Loader) AbsolutePluginPath(id resid.ResId) (string, error) {
+	pluginHome, err := l.absPluginHome()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(pluginHome, relativePluginPath(id), id.Kind), nil
+}
+
+// absPluginHome is the home of kustomize Exec and Go plugins.
+// Kustomize plugin configuration files are k8s-style objects
+// containing the fields 'apiVersion' and 'kind', e.g.
+//
+//	apiVersion: apps/v1
+//	kind: Deployment
+//
+// kustomize reads plugin configuration data from a file path
+// specified in the 'generators:' or 'transformers:' field of a
+// kustomization file.  For Exec and Go plugins, kustomize
+// uses this data to both locate the plugin and configure it.
+// Each Exec or Go plugin (its code, its tests, its supporting data
+// files, etc.) must be housed in its own directory at
+//
+//	${absPluginHome}/${pluginApiVersion}/LOWERCASE(${pluginKind})
+//
+// where
+//   - ${absPluginHome} is an absolute path, defined below.
+//   - ${pluginApiVersion} is taken from the plugin config file.
+//   - ${pluginKind} is taken from the plugin config file.
+func (l *Loader) absPluginHome() (string, error) {
+	// External plugins are disabled--return the dummy plugin root.
+	if l.pc.PluginRestrictions != types.PluginRestrictionsNone {
+		return konfig.NoPluginHomeSentinal, nil
+	}
+	// We've already determined plugin home--use the cached value.
+	if l.absolutePluginHome != "" {
+		return l.absolutePluginHome, nil
+	}
+
+	// Check default locations for a valid plugin root, and cache it if found.
+	dir, err := konfig.DefaultAbsPluginHome(l.fs)
+	if err != nil {
+		return "", err
+	}
+	l.absolutePluginHome = dir
+	return l.absolutePluginHome, nil
+}
+
+func isBuiltinPlugin(res *resource.Resource) bool {
+	// TODO: the special string should appear in Group, not Version.
+	return res.GetGvk().Group == "" &&
+		res.GetGvk().Version == konfig.BuiltinPluginApiVersion
+}
+
+func (l *Loader) loadAndConfigurePlugin(
+	ldr ifc.Loader,
+	v ifc.Validator,
+	res *resource.Resource,
+) (c resmap.Configurable, err error) {
+	if isBuiltinPlugin(res) {
+		switch l.pc.BpLoadingOptions {
+		case types.BploLoadFromFileSys:
+			c, err = l.loadPlugin(res)
+		case types.BploUseStaticallyLinked:
+			// Instead of looking for and loading a .so file,
+			// instantiate the plugin from a generated factory
+			// function (see "pluginator").  Being able to do this
+			// is what makes a plugin "builtin".
+			c, err = l.makeBuiltinPlugin(res.GetGvk())
+		default:
+			err = fmt.Errorf(
+				"unknown plugin loader behavior specified: %s %v", res.GetGvk().String(),
+				l.pc.BpLoadingOptions)
+		}
+	} else {
+		switch l.pc.PluginRestrictions {
+		case types.PluginRestrictionsNone:
+			c, err = l.loadPlugin(res)
+		case types.PluginRestrictionsBuiltinsOnly:
+			err = types.NewErrOnlyBuiltinPluginsAllowed(res.OrgId().Kind)
+		default:
+			err = fmt.Errorf(
+				"unknown plugin restriction specified: %v",
+				l.pc.PluginRestrictions)
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+	yaml, err := res.AsYAML()
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "marshalling yaml from res %s", res.OrgId())
+	}
+	err = c.Config(resmap.NewPluginHelpers(ldr, v, l.rf, l.pc), yaml)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "plugin %s fails configuration", res.OrgId())
+	}
+	return c, nil
+}
+
+func (l *Loader) makeBuiltinPlugin(r resid.Gvk) (resmap.Configurable, error) {
+	bpt := builtinhelpers.GetBuiltinPluginType(r.Kind)
+	if f, ok := builtinhelpers.GeneratorFactories[bpt]; ok {
+		return f(), nil
+	}
+	if f, ok := builtinhelpers.TransformerFactories[bpt]; ok {
+		return f(), nil
+	}
+	return nil, errors.Errorf("unable to load builtin %s", r)
+}
+
+func (l *Loader) loadPlugin(res *resource.Resource) (resmap.Configurable, error) {
+	spec, err := fnplugin.GetFunctionSpec(res)
+	if err != nil {
+		return nil, fmt.Errorf("loader: %w", err)
+	}
+	if spec != nil {
+		// validation check that function mounts are under the current kustomization directory
+		for _, mount := range spec.Container.StorageMounts {
+			if filepath.IsAbs(mount.Src) {
+				return nil, errors.Errorf("plugin %s with mount path '%s' is not permitted; "+
+					"mount paths must be relative to the current kustomization directory", res.OrgId(), mount.Src)
+			}
+			if strings.HasPrefix(filepath.Clean(mount.Src), "../") {
+				return nil, errors.Errorf("plugin %s with mount path '%s' is not permitted; "+
+					"mount paths must be under the current kustomization directory", res.OrgId(), mount.Src)
+			}
+		}
+		return fnplugin.NewFnPlugin(&l.pc.FnpLoadingOptions), nil
+	}
+	return l.loadExecOrGoPlugin(res.OrgId())
+}
+
+func (l *Loader) loadExecOrGoPlugin(resId resid.ResId) (resmap.Configurable, error) {
+	absPluginPath, err := l.AbsolutePluginPath(resId)
+	if err != nil {
+		return nil, err
+	}
+	// First try to load the plugin as an executable.
+	p := execplugin.NewExecPlugin(absPluginPath)
+	if err = p.ErrIfNotExecutable(); err == nil {
+		return p, nil
+	}
+	if !os.IsNotExist(err) {
+		// The file exists, but something else is wrong,
+		// likely it's not executable.
+		// Assume the user forgot to set the exec bit,
+		// and return an error, rather than adding ".so"
+		// to the name and attempting to load it as a Go
+		// plugin, which will likely fail and result
+		// in an obscure message.
+		return nil, err
+	}
+	// Failing the above, try loading it as a Go plugin.
+	c, err := l.loadGoPlugin(resId, absPluginPath+".so")
+	if err != nil {
+		return nil, err
+	}
+	return c, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/utils/utils.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/utils/utils.go
new file mode 100644
index 0000000000..8182f203eb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/utils/utils.go
@@ -0,0 +1,240 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"time"
+
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	idAnnotation       = "kustomize.config.k8s.io/id"
+	HashAnnotation     = "kustomize.config.k8s.io/needs-hash"
+	BehaviorAnnotation = "kustomize.config.k8s.io/behavior"
+)
+
+func GoBin() string {
+	return filepath.Join(runtime.GOROOT(), "bin", "go")
+}
+
+// DeterminePluginSrcRoot guesses where the user
+// has her ${g}/${v}/$lower(${k})/${k}.go files.
+func DeterminePluginSrcRoot(fSys filesys.FileSystem) (string, error) {
+	return konfig.FirstDirThatExistsElseError(
+		"plugin src root", fSys, []konfig.NotedFunc{
+			{
+				Note: "relative to unit test",
+				F: func() string {
+					return filepath.Clean(
+						filepath.Join(
+							os.Getenv("PWD"),
+							"..", "..",
+							konfig.RelPluginHome))
+				},
+			},
+			{
+				Note: "relative to unit test (internal pkg)",
+				F: func() string {
+					return filepath.Clean(
+						filepath.Join(
+							os.Getenv("PWD"),
+							"..", "..", "..", "..",
+							konfig.RelPluginHome))
+				},
+			},
+			{
+				Note: "relative to api package",
+				F: func() string {
+					return filepath.Clean(
+						filepath.Join(
+							os.Getenv("PWD"),
+							"..", "..", "..",
+							konfig.RelPluginHome))
+				},
+			},
+			{
+				Note: "old style $GOPATH",
+				F: func() string {
+					return filepath.Join(
+						os.Getenv("GOPATH"),
+						"src", konfig.DomainName,
+						konfig.ProgramName, konfig.RelPluginHome)
+				},
+			},
+			{
+				Note: "HOME with literal 'gopath'",
+				F: func() string {
+					return filepath.Join(
+						konfig.HomeDir(), "gopath",
+						"src", konfig.DomainName,
+						konfig.ProgramName, konfig.RelPluginHome)
+				},
+			},
+			{
+				Note: "home directory",
+				F: func() string {
+					return filepath.Join(
+						konfig.HomeDir(), konfig.DomainName,
+						konfig.ProgramName, konfig.RelPluginHome)
+				},
+			},
+		})
+}
+
+// FileYoungerThan returns true if the file both exists and has an
+// age is <= the Duration argument.
+func FileYoungerThan(path string, d time.Duration) bool {
+	fi, err := os.Stat(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false
+		}
+	}
+	return time.Since(fi.ModTime()) <= d
+}
+
+// FileModifiedAfter returns true if the file both exists and was
+// modified after the given time..
+func FileModifiedAfter(path string, t time.Time) bool {
+	fi, err := os.Stat(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false
+		}
+	}
+	return fi.ModTime().After(t)
+}
+
+func FileExists(path string) bool {
+	if _, err := os.Stat(path); err != nil {
+		if os.IsNotExist(err) {
+			return false
+		}
+	}
+	return true
+}
+
+// GetResMapWithIDAnnotation returns a new copy of the given ResMap with the ResIds annotated in each Resource
+func GetResMapWithIDAnnotation(rm resmap.ResMap) (resmap.ResMap, error) {
+	inputRM := rm.DeepCopy()
+	for _, r := range inputRM.Resources() {
+		idString, err := yaml.Marshal(r.CurId())
+		if err != nil {
+			return nil, err
+		}
+		annotations := r.GetAnnotations()
+		annotations[idAnnotation] = string(idString)
+		if err = r.SetAnnotations(annotations); err != nil {
+			return nil, err
+		}
+	}
+	return inputRM, nil
+}
+
+// UpdateResMapValues updates the Resource value in the given ResMap
+// with the emitted Resource values in output.
+func UpdateResMapValues(pluginName string, h *resmap.PluginHelpers, output []byte, rm resmap.ResMap) error {
+	mapFactory := h.ResmapFactory()
+	resFactory := mapFactory.RF()
+	resources, err := resFactory.SliceFromBytes(output)
+	if err != nil {
+		return err
+	}
+	// Don't use resources here, or error message will be unfriendly to plugin builders
+	newMap, err := mapFactory.NewResMapFromBytes([]byte{})
+	if err != nil {
+		return err
+	}
+
+	for _, r := range resources {
+		// stale--not manipulated by plugin transformers
+		if err = removeIDAnnotation(r); err != nil {
+			return err
+		}
+
+		// Add to the new map, checking for duplicates
+		if err := newMap.Append(r); err != nil {
+			prettyID, err := json.Marshal(r.CurId())
+			if err != nil {
+				prettyID = []byte(r.CurId().String())
+			}
+			return fmt.Errorf("plugin %s generated duplicate resource: %s", pluginName, prettyID)
+		}
+
+		// Add to or update the old map
+		oldIdx, err := rm.GetIndexOfCurrentId(r.CurId())
+		if err != nil {
+			return err
+		}
+		if oldIdx != -1 {
+			rm.GetByIndex(oldIdx).ResetRNode(r)
+		} else {
+			if err := rm.Append(r); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Remove items the transformer deleted from the old map
+	for _, id := range rm.AllIds() {
+		newIdx, _ := newMap.GetIndexOfCurrentId(id)
+		if newIdx == -1 {
+			if err = rm.Remove(id); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func removeIDAnnotation(r *resource.Resource) error {
+	// remove the annotation set by Kustomize to track the resource
+	annotations := r.GetAnnotations()
+	delete(annotations, idAnnotation)
+	return r.SetAnnotations(annotations)
+}
+
+// UpdateResourceOptions updates the generator options for each resource in the
+// given ResMap based on plugin provided annotations.
+func UpdateResourceOptions(rm resmap.ResMap) (resmap.ResMap, error) {
+	for _, r := range rm.Resources() {
+		// Disable name hashing by default and require plugin to explicitly
+		// request it for each resource.
+		annotations := r.GetAnnotations()
+		behavior := annotations[BehaviorAnnotation]
+		var needsHash bool
+		if val, ok := annotations[HashAnnotation]; ok {
+			b, err := strconv.ParseBool(val)
+			if err != nil {
+				return nil, fmt.Errorf(
+					"the annotation %q contains an invalid value (%q)",
+					HashAnnotation, val)
+			}
+			needsHash = b
+		}
+		delete(annotations, HashAnnotation)
+		delete(annotations, BehaviorAnnotation)
+		if err := r.SetAnnotations(annotations); err != nil {
+			return nil, err
+		}
+		if needsHash {
+			r.EnableHashSuffix()
+		}
+		r.SetBehavior(types.NewGenerationBehavior(behavior))
+	}
+	return rm, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/target/errmissingkustomization.go b/vendor/sigs.k8s.io/kustomize/api/internal/target/errmissingkustomization.go
new file mode 100644
index 0000000000..8b939db1eb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/target/errmissingkustomization.go
@@ -0,0 +1,44 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package target
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+type errMissingKustomization struct {
+	path string
+}
+
+func (e *errMissingKustomization) Error() string {
+	return fmt.Sprintf(
+		"unable to find one of %v in directory '%s'",
+		commaOr(quoted(konfig.RecognizedKustomizationFileNames())),
+		e.path)
+}
+
+func IsMissingKustomizationFileError(err error) bool {
+	e := &errMissingKustomization{}
+	return errors.As(err, &e)
+}
+
+func NewErrMissingKustomization(p string) *errMissingKustomization {
+	return &errMissingKustomization{path: p}
+}
+
+func quoted(l []string) []string {
+	r := make([]string, len(l))
+	for i, v := range l {
+		r[i] = "'" + v + "'"
+	}
+	return r
+}
+
+func commaOr(q []string) string {
+	return strings.Join(q[:len(q)-1], ", ") + " or " + q[len(q)-1]
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget.go b/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget.go
new file mode 100644
index 0000000000..5f1d1095a1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget.go
@@ -0,0 +1,582 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package target
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/accumulator"
+	"sigs.k8s.io/kustomize/api/internal/builtins"
+	"sigs.k8s.io/kustomize/api/internal/kusterr"
+	load "sigs.k8s.io/kustomize/api/internal/loader"
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers"
+	"sigs.k8s.io/kustomize/api/internal/plugins/loader"
+	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/yaml"
+)
+
+// KustTarget encapsulates the entirety of a kustomization build.
+type KustTarget struct {
+	kustomization *types.Kustomization
+	kustFileName  string
+	ldr           ifc.Loader
+	validator     ifc.Validator
+	rFactory      *resmap.Factory
+	pLdr          *loader.Loader
+	origin        *resource.Origin
+}
+
+// NewKustTarget returns a new instance of KustTarget.
+func NewKustTarget(
+	ldr ifc.Loader,
+	validator ifc.Validator,
+	rFactory *resmap.Factory,
+	pLdr *loader.Loader) *KustTarget {
+	return &KustTarget{
+		ldr:       ldr,
+		validator: validator,
+		rFactory:  rFactory,
+		pLdr:      pLdr.LoaderWithWorkingDir(ldr.Root()),
+	}
+}
+
+// Load attempts to load the target's kustomization file.
+func (kt *KustTarget) Load() error {
+	content, kustFileName, err := LoadKustFile(kt.ldr)
+	if err != nil {
+		return err
+	}
+
+	var k types.Kustomization
+	if err := k.Unmarshal(content); err != nil {
+		return err
+	}
+
+	// show warning message when using deprecated fields.
+	if warningMessages := k.CheckDeprecatedFields(); warningMessages != nil {
+		for _, msg := range *warningMessages {
+			fmt.Fprintf(os.Stderr, "%v\n", msg)
+		}
+	}
+
+	k.FixKustomization()
+
+	// check that Kustomization is empty
+	if err := k.CheckEmpty(); err != nil {
+		return err
+	}
+
+	errs := k.EnforceFields()
+	if len(errs) > 0 {
+		return fmt.Errorf(
+			"Failed to read kustomization file under %s:\n"+
+				strings.Join(errs, "\n"), kt.ldr.Root())
+	}
+	kt.kustomization = &k
+	kt.kustFileName = kustFileName
+	return nil
+}
+
+// Kustomization returns a copy of the immutable, internal kustomization object.
+func (kt *KustTarget) Kustomization() types.Kustomization {
+	var result types.Kustomization
+	b, _ := json.Marshal(*kt.kustomization)
+	json.Unmarshal(b, &result)
+	return result
+}
+
+func LoadKustFile(ldr ifc.Loader) ([]byte, string, error) {
+	var content []byte
+	match := 0
+	var kustFileName string
+	for _, kf := range konfig.RecognizedKustomizationFileNames() {
+		c, err := ldr.Load(kf)
+		if err == nil {
+			match += 1
+			content = c
+			kustFileName = kf
+		}
+	}
+	switch match {
+	case 0:
+		return nil, "", NewErrMissingKustomization(ldr.Root())
+	case 1:
+		return content, kustFileName, nil
+	default:
+		return nil, "", fmt.Errorf(
+			"Found multiple kustomization files under: %s\n", ldr.Root())
+	}
+}
+
+// MakeCustomizedResMap creates a fully customized ResMap
+// per the instructions contained in its kustomization instance.
+func (kt *KustTarget) MakeCustomizedResMap() (resmap.ResMap, error) {
+	return kt.makeCustomizedResMap()
+}
+
+func (kt *KustTarget) makeCustomizedResMap() (resmap.ResMap, error) {
+	var origin *resource.Origin
+	if len(kt.kustomization.BuildMetadata) != 0 {
+		origin = &resource.Origin{}
+	}
+	kt.origin = origin
+	ra, err := kt.AccumulateTarget()
+	if err != nil {
+		return nil, err
+	}
+
+	// The following steps must be done last, not as part of
+	// the recursion implicit in AccumulateTarget.
+
+	err = kt.addHashesToNames(ra)
+	if err != nil {
+		return nil, err
+	}
+
+	// Given that names have changed (prefixs/suffixes added),
+	// fix all the back references to those names.
+	err = ra.FixBackReferences()
+	if err != nil {
+		return nil, err
+	}
+
+	// With all the back references fixed, it's OK to resolve Vars.
+	err = ra.ResolveVars()
+	if err != nil {
+		return nil, err
+	}
+
+	err = kt.IgnoreLocal(ra)
+	if err != nil {
+		return nil, err
+	}
+
+	return ra.ResMap(), nil
+}
+
+func (kt *KustTarget) addHashesToNames(
+	ra *accumulator.ResAccumulator) error {
+	p := builtins.NewHashTransformerPlugin()
+	err := kt.configureBuiltinPlugin(p, nil, builtinhelpers.HashTransformer)
+	if err != nil {
+		return err
+	}
+	return ra.Transform(p)
+}
+
+// AccumulateTarget returns a new ResAccumulator,
+// holding customized resources and the data/rules used
+// to do so.  The name back references and vars are
+// not yet fixed.
+// The origin parameter is used through the recursive calls
+// to annotate each resource with information about where
+// the resource came from, e.g. the file and/or the repository
+// it originated from.
+// As an entrypoint, one can pass an empty resource.Origin object to
+// AccumulateTarget. As AccumulateTarget moves recursively
+// through kustomization directories, it updates `origin.path`
+// accordingly. When a remote base is found, it updates `origin.repo`
+// and `origin.ref` accordingly.
+func (kt *KustTarget) AccumulateTarget() (
+	ra *accumulator.ResAccumulator, err error) {
+	return kt.accumulateTarget(accumulator.MakeEmptyAccumulator())
+}
+
+// ra should be empty when this KustTarget is a Kustomization, or the ra of the parent if this KustTarget is a Component
+// (or empty if the Component does not have a parent).
+func (kt *KustTarget) accumulateTarget(ra *accumulator.ResAccumulator) (
+	resRa *accumulator.ResAccumulator, err error) {
+	ra, err = kt.accumulateResources(ra, kt.kustomization.Resources)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "accumulating resources")
+	}
+	tConfig, err := builtinconfig.MakeTransformerConfig(
+		kt.ldr, kt.kustomization.Configurations)
+	if err != nil {
+		return nil, err
+	}
+	err = ra.MergeConfig(tConfig)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "merging config %v", tConfig)
+	}
+	crdTc, err := accumulator.LoadConfigFromCRDs(kt.ldr, kt.kustomization.Crds)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "loading CRDs %v", kt.kustomization.Crds)
+	}
+	err = ra.MergeConfig(crdTc)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "merging CRDs %v", crdTc)
+	}
+	err = kt.runGenerators(ra)
+	if err != nil {
+		return nil, err
+	}
+
+	// components are expected to execute after reading resources and adding generators ,before applying transformers and validation.
+	// https://github.com/kubernetes-sigs/kustomize/pull/5170#discussion_r1212101287
+	ra, err = kt.accumulateComponents(ra, kt.kustomization.Components)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "accumulating components")
+	}
+
+	err = kt.runTransformers(ra)
+	if err != nil {
+		return nil, err
+	}
+	err = kt.runValidators(ra)
+	if err != nil {
+		return nil, err
+	}
+	err = ra.MergeVars(kt.kustomization.Vars)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "merging vars %v", kt.kustomization.Vars)
+	}
+	return ra, nil
+}
+
+// IgnoreLocal drops the local resource by checking the annotation "config.kubernetes.io/local-config".
+func (kt *KustTarget) IgnoreLocal(ra *accumulator.ResAccumulator) error {
+	rf := kt.rFactory.RF()
+	if rf.IncludeLocalConfigs {
+		return nil
+	}
+	remainRes, err := rf.DropLocalNodes(ra.ResMap().ToRNodeSlice())
+	if err != nil {
+		return err
+	}
+	return ra.Intersection(kt.rFactory.FromResourceSlice(remainRes))
+}
+
+func (kt *KustTarget) runGenerators(
+	ra *accumulator.ResAccumulator) error {
+	var generators []*resmap.GeneratorWithProperties
+	gs, err := kt.configureBuiltinGenerators()
+	if err != nil {
+		return err
+	}
+	generators = append(generators, gs...)
+
+	gs, err = kt.configureExternalGenerators()
+	if err != nil {
+		return errors.WrapPrefixf(err, "loading generator plugins")
+	}
+	generators = append(generators, gs...)
+	for i, g := range generators {
+		resMap, err := g.Generate()
+		if err != nil {
+			return err
+		}
+		if resMap != nil {
+			err = resMap.AddOriginAnnotation(generators[i].Origin)
+			if err != nil {
+				return errors.WrapPrefixf(err, "adding origin annotations for generator %v", g)
+			}
+		}
+		err = ra.AbsorbAll(resMap)
+		if err != nil {
+			return errors.WrapPrefixf(err, "merging from generator %v", g)
+		}
+	}
+	return nil
+}
+
+func (kt *KustTarget) configureExternalGenerators() (
+	[]*resmap.GeneratorWithProperties, error) {
+	ra := accumulator.MakeEmptyAccumulator()
+	var generatorPaths []string
+	for _, p := range kt.kustomization.Generators {
+		// handle inline generators
+		rm, err := kt.rFactory.NewResMapFromBytes([]byte(p))
+		if err != nil {
+			// not an inline config
+			generatorPaths = append(generatorPaths, p)
+			continue
+		}
+		// inline config, track the origin
+		if kt.origin != nil {
+			resources := rm.Resources()
+			for _, r := range resources {
+				r.SetOrigin(kt.origin.Append(kt.kustFileName))
+				rm.Replace(r)
+			}
+		}
+		if err = ra.AppendAll(rm); err != nil {
+			return nil, errors.WrapPrefixf(err, "configuring external generator")
+		}
+	}
+	ra, err := kt.accumulateResources(ra, generatorPaths)
+	if err != nil {
+		return nil, err
+	}
+	return kt.pLdr.LoadGenerators(kt.ldr, kt.validator, ra.ResMap())
+}
+
+func (kt *KustTarget) runTransformers(ra *accumulator.ResAccumulator) error {
+	var r []*resmap.TransformerWithProperties
+	tConfig := ra.GetTransformerConfig()
+	lts, err := kt.configureBuiltinTransformers(tConfig)
+	if err != nil {
+		return err
+	}
+	r = append(r, lts...)
+	lts, err = kt.configureExternalTransformers(kt.kustomization.Transformers)
+	if err != nil {
+		return err
+	}
+	r = append(r, lts...)
+	return ra.Transform(newMultiTransformer(r))
+}
+
+func (kt *KustTarget) configureExternalTransformers(transformers []string) ([]*resmap.TransformerWithProperties, error) {
+	ra := accumulator.MakeEmptyAccumulator()
+	var transformerPaths []string
+	for _, p := range transformers {
+		// handle inline transformers
+		rm, err := kt.rFactory.NewResMapFromBytes([]byte(p))
+		if err != nil {
+			// not an inline config
+			transformerPaths = append(transformerPaths, p)
+			continue
+		}
+		// inline config, track the origin
+		if kt.origin != nil {
+			resources := rm.Resources()
+			for _, r := range resources {
+				r.SetOrigin(kt.origin.Append(kt.kustFileName))
+				rm.Replace(r)
+			}
+		}
+
+		if err = ra.AppendAll(rm); err != nil {
+			return nil, errors.WrapPrefixf(err, "configuring external transformer")
+		}
+	}
+	ra, err := kt.accumulateResources(ra, transformerPaths)
+	if err != nil {
+		return nil, err
+	}
+	return kt.pLdr.LoadTransformers(kt.ldr, kt.validator, ra.ResMap())
+}
+
+func (kt *KustTarget) runValidators(ra *accumulator.ResAccumulator) error {
+	validators, err := kt.configureExternalTransformers(kt.kustomization.Validators)
+	if err != nil {
+		return err
+	}
+	for _, v := range validators {
+		// Validators shouldn't modify the resource map
+		orignal := ra.ResMap().DeepCopy()
+		err = v.Transform(ra.ResMap())
+		if err != nil {
+			return err
+		}
+		newMap := ra.ResMap().DeepCopy()
+		if err = kt.removeValidatedByLabel(newMap); err != nil {
+			return err
+		}
+		if err = orignal.ErrorIfNotEqualSets(newMap); err != nil {
+			return fmt.Errorf("validator shouldn't modify the resource map: %v", err)
+		}
+	}
+	return nil
+}
+
+func (kt *KustTarget) removeValidatedByLabel(rm resmap.ResMap) error {
+	resources := rm.Resources()
+	for _, r := range resources {
+		labels := r.GetLabels()
+		if _, found := labels[konfig.ValidatedByLabelKey]; !found {
+			continue
+		}
+		delete(labels, konfig.ValidatedByLabelKey)
+		if err := r.SetLabels(labels); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// accumulateResources fills the given resourceAccumulator
+// with resources read from the given list of paths.
+func (kt *KustTarget) accumulateResources(
+	ra *accumulator.ResAccumulator, paths []string) (*accumulator.ResAccumulator, error) {
+	for _, path := range paths {
+		// try loading resource as file then as base (directory or git repository)
+		if errF := kt.accumulateFile(ra, path); errF != nil {
+			// not much we can do if the error is an HTTP error so we bail out
+			if errors.Is(errF, load.ErrHTTP) {
+				return nil, errF
+			}
+			ldr, err := kt.ldr.New(path)
+			if err != nil {
+				// If accumulateFile found malformed YAML and there was a failure
+				// loading the resource as a base, then the resource is likely a
+				// file. The loader failure message is unnecessary, and could be
+				// confusing. Report only the file load error.
+				//
+				// However, a loader timeout implies there is a git repo at the
+				// path. In that case, both errors could be important.
+				if kusterr.IsMalformedYAMLError(errF) && !utils.IsErrTimeout(err) {
+					return nil, errF
+				}
+				return nil, errors.WrapPrefixf(
+					err, "accumulation err='%s'", errF.Error())
+			}
+			// store the origin, we'll need it later
+			origin := kt.origin.Copy()
+			if kt.origin != nil {
+				kt.origin = kt.origin.Append(path)
+				ra, err = kt.accumulateDirectory(ra, ldr, false)
+				// after we are done recursing through the directory, reset the origin
+				kt.origin = &origin
+			} else {
+				ra, err = kt.accumulateDirectory(ra, ldr, false)
+			}
+			if err != nil {
+				return nil, errors.WrapPrefixf(
+					err, "accumulation err='%s'", errF.Error())
+			}
+		}
+	}
+	return ra, nil
+}
+
+// accumulateComponents fills the given resourceAccumulator
+// with resources read from the given list of paths.
+func (kt *KustTarget) accumulateComponents(
+	ra *accumulator.ResAccumulator, paths []string) (*accumulator.ResAccumulator, error) {
+	for _, path := range paths {
+		// Components always refer to directories
+		ldr, errL := kt.ldr.New(path)
+		if errL != nil {
+			return nil, fmt.Errorf("loader.New %q", errL)
+		}
+		var errD error
+		// store the origin, we'll need it later
+		origin := kt.origin.Copy()
+		if kt.origin != nil {
+			kt.origin = kt.origin.Append(path)
+			ra, errD = kt.accumulateDirectory(ra, ldr, true)
+			// after we are done recursing through the directory, reset the origin
+			kt.origin = &origin
+		} else {
+			ra, errD = kt.accumulateDirectory(ra, ldr, true)
+		}
+		if errD != nil {
+			return nil, fmt.Errorf("accumulateDirectory: %q", errD)
+		}
+	}
+	return ra, nil
+}
+
+func (kt *KustTarget) accumulateDirectory(
+	ra *accumulator.ResAccumulator, ldr ifc.Loader, isComponent bool) (*accumulator.ResAccumulator, error) {
+	defer ldr.Cleanup()
+	subKt := NewKustTarget(ldr, kt.validator, kt.rFactory, kt.pLdr)
+	err := subKt.Load()
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "couldn't make target for path '%s'", ldr.Root())
+	}
+	subKt.kustomization.BuildMetadata = kt.kustomization.BuildMetadata
+	subKt.origin = kt.origin
+	var bytes []byte
+	if openApiPath, exists := subKt.Kustomization().OpenAPI["path"]; exists {
+		bytes, err = ldr.Load(openApiPath)
+		if err != nil {
+			return nil, err
+		}
+	}
+	err = openapi.SetSchema(subKt.Kustomization().OpenAPI, bytes, false)
+	if err != nil {
+		return nil, err
+	}
+	if isComponent && subKt.kustomization.Kind != types.ComponentKind {
+		return nil, fmt.Errorf(
+			"expected kind '%s' for path '%s' but got '%s'", types.ComponentKind, ldr.Root(), subKt.kustomization.Kind)
+	} else if !isComponent && subKt.kustomization.Kind == types.ComponentKind {
+		return nil, fmt.Errorf(
+			"expected kind != '%s' for path '%s'", types.ComponentKind, ldr.Root())
+	}
+
+	var subRa *accumulator.ResAccumulator
+	if isComponent {
+		// Components don't create a new accumulator: the kustomization directives are added to the current accumulator
+		subRa, err = subKt.accumulateTarget(ra)
+		ra = accumulator.MakeEmptyAccumulator()
+	} else {
+		// Child Kustomizations create a new accumulator which resolves their kustomization directives, which will later
+		// be merged into the current accumulator.
+		subRa, err = subKt.AccumulateTarget()
+	}
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "recursed accumulation of path '%s'", ldr.Root())
+	}
+	err = ra.MergeAccumulator(subRa)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "recursed merging from path '%s'", ldr.Root())
+	}
+	return ra, nil
+}
+
+func (kt *KustTarget) accumulateFile(
+	ra *accumulator.ResAccumulator, path string) error {
+	resources, err := kt.rFactory.FromFile(kt.ldr, path)
+	if err != nil {
+		return errors.WrapPrefixf(err, "accumulating resources from '%s'", path)
+	}
+	if kt.origin != nil {
+		originAnno, err := kt.origin.Append(path).String()
+		if err != nil {
+			return errors.WrapPrefixf(err, "cannot add path annotation for '%s'", path)
+		}
+		err = resources.AnnotateAll(utils.OriginAnnotationKey, originAnno)
+		if err != nil || originAnno == "" {
+			return errors.WrapPrefixf(err, "cannot add path annotation for '%s'", path)
+		}
+	}
+	err = ra.AppendAll(resources)
+	if err != nil {
+		return errors.WrapPrefixf(err, "merging resources from '%s'", path)
+	}
+	return nil
+}
+
+func (kt *KustTarget) configureBuiltinPlugin(
+	p resmap.Configurable, c interface{}, bpt builtinhelpers.BuiltinPluginType) (err error) {
+	var y []byte
+	if c != nil {
+		y, err = yaml.Marshal(c)
+		if err != nil {
+			return errors.WrapPrefixf(
+				err, "builtin %s marshal", bpt)
+		}
+	}
+	err = p.Config(
+		resmap.NewPluginHelpers(
+			kt.ldr, kt.validator, kt.rFactory, kt.pLdr.Config()),
+		y)
+	if err != nil {
+		return errors.WrapPrefixf(
+			err, "trouble configuring builtin %s with config: `\n%s`", bpt, string(y))
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget_configplugin.go b/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget_configplugin.go
new file mode 100644
index 0000000000..1ba028a36f
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget_configplugin.go
@@ -0,0 +1,457 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package target
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Functions dedicated to configuring the builtin
+// transformer and generator plugins using config data
+// read from a kustomization file and from the
+// config.TransformerConfig, whose data may be a
+// mix of hardcoded values and data read from file.
+//
+// Non-builtin plugins will get their configuration
+// from their own dedicated structs and YAML files.
+//
+// There are some loops in the functions below because
+// the kustomization file would, say, allow someone to
+// request multiple secrets be made, or run multiple
+// image tag transforms.  In these cases, we'll need
+// N plugin instances with differing configurations.
+
+func (kt *KustTarget) configureBuiltinGenerators() (
+	result []*resmap.GeneratorWithProperties, err error) {
+	for _, bpt := range []builtinhelpers.BuiltinPluginType{
+		builtinhelpers.ConfigMapGenerator,
+		builtinhelpers.SecretGenerator,
+		builtinhelpers.HelmChartInflationGenerator,
+	} {
+		r, err := generatorConfigurators[bpt](
+			kt, bpt, builtinhelpers.GeneratorFactories[bpt])
+		if err != nil {
+			return nil, err
+		}
+
+		var generatorOrigin *resource.Origin
+		if kt.origin != nil {
+			generatorOrigin = &resource.Origin{
+				Repo:         kt.origin.Repo,
+				Ref:          kt.origin.Ref,
+				ConfiguredIn: filepath.Join(kt.origin.Path, kt.kustFileName),
+				ConfiguredBy: yaml.ResourceIdentifier{
+					TypeMeta: yaml.TypeMeta{
+						APIVersion: "builtin",
+						Kind:       bpt.String(),
+					},
+				},
+			}
+		}
+
+		for i := range r {
+			result = append(result, &resmap.GeneratorWithProperties{Generator: r[i], Origin: generatorOrigin})
+		}
+	}
+	return result, nil
+}
+
+func (kt *KustTarget) configureBuiltinTransformers(
+	tc *builtinconfig.TransformerConfig) (
+	result []*resmap.TransformerWithProperties, err error) {
+	for _, bpt := range []builtinhelpers.BuiltinPluginType{
+		builtinhelpers.PatchStrategicMergeTransformer,
+		builtinhelpers.PatchTransformer,
+		builtinhelpers.NamespaceTransformer,
+		builtinhelpers.PrefixTransformer,
+		builtinhelpers.SuffixTransformer,
+		builtinhelpers.LabelTransformer,
+		builtinhelpers.AnnotationsTransformer,
+		builtinhelpers.PatchJson6902Transformer,
+		builtinhelpers.ReplicaCountTransformer,
+		builtinhelpers.ImageTagTransformer,
+		builtinhelpers.ReplacementTransformer,
+	} {
+		r, err := transformerConfigurators[bpt](
+			kt, bpt, builtinhelpers.TransformerFactories[bpt], tc)
+		if err != nil {
+			return nil, err
+		}
+		var transformerOrigin *resource.Origin
+		if kt.origin != nil {
+			transformerOrigin = &resource.Origin{
+				Repo:         kt.origin.Repo,
+				Ref:          kt.origin.Ref,
+				ConfiguredIn: filepath.Join(kt.origin.Path, kt.kustFileName),
+				ConfiguredBy: yaml.ResourceIdentifier{
+					TypeMeta: yaml.TypeMeta{
+						APIVersion: "builtin",
+						Kind:       bpt.String(),
+					},
+				},
+			}
+		}
+		for i := range r {
+			result = append(result, &resmap.TransformerWithProperties{Transformer: r[i], Origin: transformerOrigin})
+		}
+	}
+	return result, nil
+}
+
+type gFactory func() resmap.GeneratorPlugin
+
+var generatorConfigurators = map[builtinhelpers.BuiltinPluginType]func(
+	kt *KustTarget,
+	bpt builtinhelpers.BuiltinPluginType,
+	factory gFactory) (result []resmap.Generator, err error){
+	builtinhelpers.SecretGenerator: func(kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f gFactory) (
+		result []resmap.Generator, err error) {
+		var c struct {
+			types.SecretArgs
+		}
+		for _, args := range kt.kustomization.SecretGenerator {
+			c.SecretArgs = args
+			c.SecretArgs.Options = types.MergeGlobalOptionsIntoLocal(
+				c.SecretArgs.Options, kt.kustomization.GeneratorOptions)
+			p := f()
+			err := kt.configureBuiltinPlugin(p, c, bpt)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, p)
+		}
+		return
+	},
+
+	builtinhelpers.ConfigMapGenerator: func(kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f gFactory) (
+		result []resmap.Generator, err error) {
+		var c struct {
+			types.ConfigMapArgs
+		}
+		for _, args := range kt.kustomization.ConfigMapGenerator {
+			c.ConfigMapArgs = args
+			c.ConfigMapArgs.Options = types.MergeGlobalOptionsIntoLocal(
+				c.ConfigMapArgs.Options, kt.kustomization.GeneratorOptions)
+			p := f()
+			err := kt.configureBuiltinPlugin(p, c, bpt)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, p)
+		}
+		return
+	},
+
+	builtinhelpers.HelmChartInflationGenerator: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f gFactory) (
+		result []resmap.Generator, err error) {
+		var c struct {
+			types.HelmGlobals
+			types.HelmChart
+		}
+		var globals types.HelmGlobals
+		if kt.kustomization.HelmGlobals != nil {
+			globals = *kt.kustomization.HelmGlobals
+		}
+		for _, chart := range kt.kustomization.HelmCharts {
+			c.HelmGlobals = globals
+			c.HelmChart = chart
+			p := f()
+			if err = kt.configureBuiltinPlugin(p, c, bpt); err != nil {
+				return nil, err
+			}
+			result = append(result, p)
+		}
+		return
+	},
+}
+
+type tFactory func() resmap.TransformerPlugin
+
+var transformerConfigurators = map[builtinhelpers.BuiltinPluginType]func(
+	kt *KustTarget,
+	bpt builtinhelpers.BuiltinPluginType,
+	f tFactory,
+	tc *builtinconfig.TransformerConfig) (result []resmap.Transformer, err error){
+	builtinhelpers.NamespaceTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		if kt.kustomization.Namespace == "" {
+			return
+		}
+		var c struct {
+			types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+			FieldSpecs       []types.FieldSpec
+		}
+		c.Namespace = kt.kustomization.Namespace
+		c.FieldSpecs = tc.NameSpace
+		p := f()
+		err = kt.configureBuiltinPlugin(p, c, bpt)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, p)
+		return
+	},
+
+	builtinhelpers.PatchJson6902Transformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, _ *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		var c struct {
+			Target *types.Selector `json:"target,omitempty" yaml:"target,omitempty"`
+			Path   string          `json:"path,omitempty" yaml:"path,omitempty"`
+			JsonOp string          `json:"jsonOp,omitempty" yaml:"jsonOp,omitempty"`
+		}
+		for _, args := range kt.kustomization.PatchesJson6902 {
+			c.Target = args.Target
+			c.Path = args.Path
+			c.JsonOp = args.Patch
+			p := f()
+			err = kt.configureBuiltinPlugin(p, c, bpt)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, p)
+		}
+		return
+	},
+	builtinhelpers.PatchStrategicMergeTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, _ *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		if len(kt.kustomization.PatchesStrategicMerge) == 0 {
+			return
+		}
+		var c struct {
+			Paths []types.PatchStrategicMerge `json:"paths,omitempty" yaml:"paths,omitempty"`
+		}
+		c.Paths = kt.kustomization.PatchesStrategicMerge
+		p := f()
+		err = kt.configureBuiltinPlugin(p, c, bpt)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, p)
+		return
+	},
+	builtinhelpers.PatchTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, _ *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		if len(kt.kustomization.Patches) == 0 {
+			return
+		}
+		var c struct {
+			Path    string          `json:"path,omitempty" yaml:"path,omitempty"`
+			Patch   string          `json:"patch,omitempty" yaml:"patch,omitempty"`
+			Target  *types.Selector `json:"target,omitempty" yaml:"target,omitempty"`
+			Options map[string]bool `json:"options,omitempty" yaml:"options,omitempty"`
+		}
+		for _, pc := range kt.kustomization.Patches {
+			c.Target = pc.Target
+			c.Patch = pc.Patch
+			c.Path = pc.Path
+			c.Options = pc.Options
+			p := f()
+			err = kt.configureBuiltinPlugin(p, c, bpt)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, p)
+		}
+		return
+	},
+	builtinhelpers.LabelTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		if len(kt.kustomization.Labels) == 0 && len(kt.kustomization.CommonLabels) == 0 {
+			return
+		}
+
+		type labelStruct struct {
+			Labels     map[string]string
+			FieldSpecs []types.FieldSpec
+		}
+
+		for _, label := range kt.kustomization.Labels {
+			var c labelStruct
+
+			c.Labels = label.Pairs
+			fss := types.FsSlice(label.FieldSpecs)
+
+			// merge labels specified in the label section of transformer configs
+			// these apply to selectors and templates
+			fss, err := fss.MergeAll(tc.Labels)
+			if err != nil {
+				return nil, fmt.Errorf("failed to merge labels: %w", err)
+			}
+
+			// merge the custom fieldSpecs with the default
+			if label.IncludeSelectors {
+				fss, err = fss.MergeAll(tc.CommonLabels)
+			} else {
+				// merge spec/template/metadata fieldSpecs if includeTemplate flag is true
+				if label.IncludeTemplates {
+					fss, err = fss.MergeAll(tc.TemplateLabels)
+					if err != nil {
+						return nil, errors.WrapPrefixf(err, "failed to merge template fieldSpec")
+					}
+				}
+				// only add to metadata by default
+				fss, err = fss.MergeOne(types.FieldSpec{Path: "metadata/labels", CreateIfNotPresent: true})
+			}
+			if err != nil {
+				return nil, fmt.Errorf("failed to merge labels: %w", err)
+			}
+			c.FieldSpecs = fss
+			p := f()
+			err = kt.configureBuiltinPlugin(p, c, bpt)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, p)
+		}
+
+		var c labelStruct
+
+		c.Labels = kt.kustomization.CommonLabels
+		c.FieldSpecs = tc.CommonLabels
+		p := f()
+		err = kt.configureBuiltinPlugin(p, c, bpt)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, p)
+		return
+	},
+	builtinhelpers.AnnotationsTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		if len(kt.kustomization.CommonAnnotations) == 0 {
+			return
+		}
+		var c struct {
+			Annotations map[string]string
+			FieldSpecs  []types.FieldSpec
+		}
+		c.Annotations = kt.kustomization.CommonAnnotations
+		c.FieldSpecs = tc.CommonAnnotations
+		p := f()
+		err = kt.configureBuiltinPlugin(p, c, bpt)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, p)
+		return
+	},
+	builtinhelpers.PrefixTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		if kt.kustomization.NamePrefix == "" {
+			return
+		}
+		var c struct {
+			Prefix     string            `json:"prefix,omitempty" yaml:"prefix,omitempty"`
+			FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+		}
+		c.Prefix = kt.kustomization.NamePrefix
+		c.FieldSpecs = tc.NamePrefix
+		p := f()
+		err = kt.configureBuiltinPlugin(p, c, bpt)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, p)
+		return
+	},
+	builtinhelpers.SuffixTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		if kt.kustomization.NameSuffix == "" {
+			return
+		}
+		var c struct {
+			Suffix     string            `json:"suffix,omitempty" yaml:"suffix,omitempty"`
+			FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+		}
+		c.Suffix = kt.kustomization.NameSuffix
+		c.FieldSpecs = tc.NameSuffix
+		p := f()
+		err = kt.configureBuiltinPlugin(p, c, bpt)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, p)
+		return
+	},
+	builtinhelpers.ImageTagTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		var c struct {
+			ImageTag   types.Image
+			FieldSpecs []types.FieldSpec
+		}
+		for _, args := range kt.kustomization.Images {
+			c.ImageTag = args
+			c.FieldSpecs = tc.Images
+			p := f()
+			err = kt.configureBuiltinPlugin(p, c, bpt)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, p)
+		}
+		return
+	},
+	builtinhelpers.ReplacementTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, _ *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		if len(kt.kustomization.Replacements) == 0 {
+			return
+		}
+		var c struct {
+			Replacements []types.ReplacementField
+		}
+		c.Replacements = kt.kustomization.Replacements
+		p := f()
+		err = kt.configureBuiltinPlugin(p, c, bpt)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, p)
+		return result, nil
+	},
+	builtinhelpers.ReplicaCountTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		var c struct {
+			Replica    types.Replica
+			FieldSpecs []types.FieldSpec
+		}
+		for _, args := range kt.kustomization.Replicas {
+			c.Replica = args
+			c.FieldSpecs = tc.Replicas
+			p := f()
+			err = kt.configureBuiltinPlugin(p, c, bpt)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, p)
+		}
+		return
+	},
+	// No kustomization file keyword for this yet.
+	builtinhelpers.ValueAddTransformer: func(
+		kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) (
+		result []resmap.Transformer, err error) {
+		return nil, fmt.Errorf("valueadd keyword not yet defined")
+	},
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/target/multitransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/target/multitransformer.go
new file mode 100644
index 0000000000..3bc0a87159
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/target/multitransformer.go
@@ -0,0 +1,41 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package target
+
+import (
+	"sigs.k8s.io/kustomize/api/resmap"
+)
+
+// multiTransformer contains a list of transformers.
+type multiTransformer struct {
+	transformers []*resmap.TransformerWithProperties
+}
+
+var _ resmap.Transformer = &multiTransformer{}
+
+// newMultiTransformer constructs a multiTransformer.
+func newMultiTransformer(t []*resmap.TransformerWithProperties) resmap.Transformer {
+	r := &multiTransformer{
+		transformers: make([]*resmap.TransformerWithProperties, len(t)),
+	}
+	copy(r.transformers, t)
+	return r
+}
+
+// Transform applies the member transformers in order to the resources,
+// optionally detecting and erroring on commutation conflict.
+func (o *multiTransformer) Transform(m resmap.ResMap) error {
+	for _, t := range o.transformers {
+		if err := t.Transform(m); err != nil {
+			return err
+		}
+		if t.Origin != nil {
+			if err := m.AddTransformerAnnotation(t.Origin); err != nil {
+				return err
+			}
+		}
+		m.DropEmpties()
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/annotations.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/annotations.go
new file mode 100644
index 0000000000..8a2d5bb4ba
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/annotations.go
@@ -0,0 +1,29 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import "sigs.k8s.io/kustomize/api/konfig"
+
+const (
+	// build annotations
+	BuildAnnotationPreviousKinds      = konfig.ConfigAnnoDomain + "/previousKinds"
+	BuildAnnotationPreviousNames      = konfig.ConfigAnnoDomain + "/previousNames"
+	BuildAnnotationPrefixes           = konfig.ConfigAnnoDomain + "/prefixes"
+	BuildAnnotationSuffixes           = konfig.ConfigAnnoDomain + "/suffixes"
+	BuildAnnotationPreviousNamespaces = konfig.ConfigAnnoDomain + "/previousNamespaces"
+	BuildAnnotationsRefBy             = konfig.ConfigAnnoDomain + "/refBy"
+	BuildAnnotationsGenBehavior       = konfig.ConfigAnnoDomain + "/generatorBehavior"
+	BuildAnnotationsGenAddHashSuffix  = konfig.ConfigAnnoDomain + "/needsHashSuffix"
+
+	// the following are only for patches, to specify whether they can change names
+	// and kinds of their targets
+	BuildAnnotationAllowNameChange = konfig.ConfigAnnoDomain + "/allowNameChange"
+	BuildAnnotationAllowKindChange = konfig.ConfigAnnoDomain + "/allowKindChange"
+
+	// for keeping track of origin and transformer data
+	OriginAnnotationKey      = "config.kubernetes.io/origin"
+	TransformerAnnotationKey = "alpha.config.kubernetes.io/transformations"
+
+	Enabled = "enabled"
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/errtimeout.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/errtimeout.go
new file mode 100644
index 0000000000..a0d861c7bf
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/errtimeout.go
@@ -0,0 +1,29 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"fmt"
+	"time"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+type errTimeOut struct {
+	duration time.Duration
+	cmd      string
+}
+
+func NewErrTimeOut(d time.Duration, c string) *errTimeOut {
+	return &errTimeOut{duration: d, cmd: c}
+}
+
+func (e *errTimeOut) Error() string {
+	return fmt.Sprintf("hit %s timeout running '%s'", e.duration, e.cmd)
+}
+
+func IsErrTimeout(err error) bool {
+	e := &errTimeOut{}
+	return errors.As(err, &e)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/makeResIds.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/makeResIds.go
new file mode 100644
index 0000000000..ec7320c404
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/makeResIds.go
@@ -0,0 +1,68 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// MakeResIds returns all of an RNode's current and previous Ids
+func MakeResIds(n *yaml.RNode) ([]resid.ResId, error) {
+	var result []resid.ResId
+	apiVersion := n.Field(yaml.APIVersionField)
+	var group, version string
+	if apiVersion != nil {
+		group, version = resid.ParseGroupVersion(yaml.GetValue(apiVersion.Value))
+	}
+	result = append(result, resid.NewResIdWithNamespace(
+		resid.Gvk{Group: group, Version: version, Kind: n.GetKind()}, n.GetName(), n.GetNamespace()),
+	)
+	prevIds, err := PrevIds(n)
+	if err != nil {
+		return nil, err
+	}
+	result = append(result, prevIds...)
+	return result, nil
+}
+
+// PrevIds returns all of an RNode's previous Ids
+func PrevIds(n *yaml.RNode) ([]resid.ResId, error) {
+	var ids []resid.ResId
+	// TODO: merge previous names and namespaces into one list of
+	//     pairs on one annotation so there is no chance of error
+	annotations := n.GetAnnotations(
+		BuildAnnotationPreviousNames,
+		BuildAnnotationPreviousNamespaces,
+		BuildAnnotationPreviousKinds)
+	if _, ok := annotations[BuildAnnotationPreviousNames]; !ok {
+		return nil, nil
+	}
+	names := strings.Split(annotations[BuildAnnotationPreviousNames], ",")
+	ns := strings.Split(annotations[BuildAnnotationPreviousNamespaces], ",")
+	kinds := strings.Split(annotations[BuildAnnotationPreviousKinds], ",")
+	// This should never happen
+	if len(names) != len(ns) || len(names) != len(kinds) {
+		return nil, fmt.Errorf(
+			"number of previous names, " +
+				"number of previous namespaces, " +
+				"number of previous kinds not equal")
+	}
+	apiVersion := n.GetApiVersion()
+	group, version := resid.ParseGroupVersion(apiVersion)
+	ids = make([]resid.ResId, 0, len(names))
+	for i := range names {
+		gvk := resid.Gvk{
+			Group:   group,
+			Version: version,
+			Kind:    kinds[i],
+		}
+		ids = append(ids, resid.NewResIdWithNamespace(
+			gvk, names[i], ns[i]))
+	}
+	return ids, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/stringslice.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/stringslice.go
new file mode 100644
index 0000000000..3dc4227255
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/stringslice.go
@@ -0,0 +1,44 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+// StringSliceIndex returns the index of the str, else -1.
+func StringSliceIndex(slice []string, str string) int {
+	for i := range slice {
+		if slice[i] == str {
+			return i
+		}
+	}
+	return -1
+}
+
+// StringSliceContains returns true if the slice has the string.
+func StringSliceContains(slice []string, str string) bool {
+	for _, s := range slice {
+		if s == str {
+			return true
+		}
+	}
+	return false
+}
+
+// SameEndingSubSlice returns true if the slices end the same way, e.g.
+// {"a", "b", "c"}, {"b", "c"} => true
+// {"a", "b", "c"}, {"a", "b"} => false
+// If one slice is empty and the other is not, return false.
+func SameEndingSubSlice(shortest, longest []string) bool {
+	if len(shortest) > len(longest) {
+		longest, shortest = shortest, longest
+	}
+	diff := len(longest) - len(shortest)
+	if len(shortest) == 0 {
+		return diff == 0
+	}
+	for i := len(shortest) - 1; i >= 0; i-- {
+		if longest[i+diff] != shortest[i] {
+			return false
+		}
+	}
+	return true
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/timedcall.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/timedcall.go
new file mode 100644
index 0000000000..cda53f864b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/timedcall.go
@@ -0,0 +1,23 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"time"
+)
+
+// TimedCall runs fn, failing if it doesn't complete in the given duration.
+// The description is used in the timeout error message.
+func TimedCall(description string, d time.Duration, fn func() error) error {
+	done := make(chan error, 1)
+	timer := time.NewTimer(d)
+	defer timer.Stop()
+	go func() { done <- fn() }()
+	select {
+	case err := <-done:
+		return err
+	case <-timer.C:
+		return NewErrTimeOut(d, description)
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/validate/fieldvalidator.go b/vendor/sigs.k8s.io/kustomize/api/internal/validate/fieldvalidator.go
new file mode 100644
index 0000000000..5ccfc3ce7b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/internal/validate/fieldvalidator.go
@@ -0,0 +1,68 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package validate
+
+import (
+	"sigs.k8s.io/kustomize/api/ifc"
+)
+
+// FieldValidator implements ifc.Validator to check
+// the values of various KRM string fields,
+// e.g. labels, annotations, names, namespaces.
+//
+// TODO: Have this use kyaml/yaml/internal/k8sgen/pkg/labels
+//  which has label and annotation validation code, but is internal
+//  so this impl would need to move to kyaml (a fine idea).
+type FieldValidator struct {
+}
+
+var _ ifc.Validator = (*FieldValidator)(nil)
+
+func NewFieldValidator() *FieldValidator {
+	return &FieldValidator{}
+}
+
+// TODO(#FieldValidator): implement MakeAnnotationValidator
+func (f FieldValidator) MakeAnnotationValidator() func(map[string]string) error {
+	return func(x map[string]string) error {
+		return nil
+	}
+}
+
+// TODO(#FieldValidator): implement MakeAnnotationNameValidator
+func (f FieldValidator) MakeAnnotationNameValidator() func([]string) error {
+	return func(x []string) error {
+		return nil
+	}
+}
+
+// TODO(#FieldValidator): implement MakeLabelValidator
+func (f FieldValidator) MakeLabelValidator() func(map[string]string) error {
+	return func(x map[string]string) error {
+		return nil
+	}
+}
+
+// TODO(#FieldValidator): implement MakeLabelNameValidator
+func (f FieldValidator) MakeLabelNameValidator() func([]string) error {
+	return func(x []string) error {
+		return nil
+	}
+}
+
+// TODO(#FieldValidator): implement ValidateNamespace
+func (f FieldValidator) ValidateNamespace(s string) []string {
+	var errs []string
+	return errs
+}
+
+// TODO(#FieldValidator): implement ErrIfInvalidKey
+func (f FieldValidator) ErrIfInvalidKey(s string) error {
+	return nil
+}
+
+// TODO(#FieldValidator): implement IsEnvVarName
+func (f FieldValidator) IsEnvVarName(k string) error {
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/konfig/doc.go b/vendor/sigs.k8s.io/kustomize/api/konfig/doc.go
new file mode 100644
index 0000000000..8c5f8f2cdf
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/konfig/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package konfig provides configuration methods and constants
+// for the kustomize API, e.g. the set of file names to look for
+// to identify a kustomization root.
+package konfig
diff --git a/vendor/sigs.k8s.io/kustomize/api/konfig/general.go b/vendor/sigs.k8s.io/kustomize/api/konfig/general.go
new file mode 100644
index 0000000000..712bfe7894
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/konfig/general.go
@@ -0,0 +1,49 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package konfig
+
+// RecognizedKustomizationFileNames is a list of file names
+// that kustomize recognizes.
+// To avoid ambiguity, a kustomization directory may not
+// contain more than one match to this list.
+func RecognizedKustomizationFileNames() []string {
+	return []string{
+		"kustomization.yaml",
+		"kustomization.yml",
+		"Kustomization",
+	}
+}
+
+func DefaultKustomizationFileName() string {
+	return RecognizedKustomizationFileNames()[0]
+}
+
+const (
+	// An environment variable to consult for kustomization
+	// configuration data.  See:
+	// https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+	XdgConfigHomeEnv = "XDG_CONFIG_HOME"
+
+	// Use this when XdgConfigHomeEnv not defined.
+	XdgConfigHomeEnvDefault = ".config"
+
+	// A program name, for use in help, finding the XDG_CONFIG_DIR, etc.
+	ProgramName = "kustomize"
+
+	// ConfigAnnoDomain is internal configuration-related annotation namespace.
+	// See https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/docs/api-conventions/functions-spec.md.
+	ConfigAnnoDomain = "internal.config.kubernetes.io"
+
+	// If a resource has this annotation, kustomize will drop it.
+	IgnoredByKustomizeAnnotation = "config.kubernetes.io/local-config"
+
+	// Label key that indicates the resources are built from Kustomize
+	ManagedbyLabelKey = "app.kubernetes.io/managed-by"
+
+	// An environment variable to turn on/off adding the ManagedByLabelKey
+	EnableManagedbyLabelEnv = "KUSTOMIZE_ENABLE_MANAGEDBY_LABEL"
+
+	// Label key that indicates the resources are validated by a validator
+	ValidatedByLabelKey = "validated-by"
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/konfig/plugins.go b/vendor/sigs.k8s.io/kustomize/api/konfig/plugins.go
new file mode 100644
index 0000000000..30bd3b6e38
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/konfig/plugins.go
@@ -0,0 +1,138 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package konfig
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+const (
+	// Symbol that must be used inside Go plugins.
+	PluginSymbol = "KustomizePlugin"
+
+	// Name of environment variable used to set AbsPluginHome.
+	// See that variable for an explanation.
+	KustomizePluginHomeEnv = "KUSTOMIZE_PLUGIN_HOME"
+
+	// Relative path below XDG_CONFIG_HOME/kustomize to find plugins.
+	// e.g. AbsPluginHome = XDG_CONFIG_HOME/kustomize/plugin
+	RelPluginHome = "plugin"
+
+	// Location of builtin plugins below AbsPluginHome.
+	BuiltinPluginPackage = "builtin"
+
+	// The value of kubernetes ApiVersion to use in configuration
+	// files for builtin plugins.
+	// The value for non-builtins can be anything.
+	BuiltinPluginApiVersion = BuiltinPluginPackage
+
+	// Domain from which kustomize code is imported, for locating
+	// plugin source code under $GOPATH when GOPATH is defined.
+	DomainName = "sigs.k8s.io"
+
+	// Injected into plugin paths when plugins are disabled.
+	// Provides a clue in flows that shouldn't happen.
+	NoPluginHomeSentinal = "/No/non-builtin/plugins!"
+)
+
+type NotedFunc struct {
+	Note string
+	F    func() string
+}
+
+// DefaultAbsPluginHome returns the absolute path in the given file
+// system to first directory that looks like a good candidate for
+// the home of kustomize plugins.
+func DefaultAbsPluginHome(fSys filesys.FileSystem) (string, error) {
+	return FirstDirThatExistsElseError(
+		"plugin root", fSys, []NotedFunc{
+			{
+				Note: "homed in $" + KustomizePluginHomeEnv,
+				F: func() string {
+					return os.Getenv(KustomizePluginHomeEnv)
+				},
+			},
+			{
+				Note: "homed in $" + XdgConfigHomeEnv,
+				F: func() string {
+					if root := os.Getenv(XdgConfigHomeEnv); root != "" {
+						return filepath.Join(root, ProgramName, RelPluginHome)
+					}
+					// do not look in "kustomize/plugin" if XdgConfigHomeEnv is unset
+					return ""
+				},
+			},
+			{
+				Note: "homed in default value of $" + XdgConfigHomeEnv,
+				F: func() string {
+					return filepath.Join(
+						HomeDir(), XdgConfigHomeEnvDefault,
+						ProgramName, RelPluginHome)
+				},
+			},
+			{
+				Note: "homed in home directory",
+				F: func() string {
+					return filepath.Join(
+						HomeDir(), ProgramName, RelPluginHome)
+				},
+			},
+		})
+}
+
+// FirstDirThatExistsElseError tests different path functions for
+// existence, returning the first that works, else error if all fail.
+func FirstDirThatExistsElseError(
+	what string,
+	fSys filesys.FileSystem,
+	pathFuncs []NotedFunc) (string, error) {
+	var nope []types.Pair
+	for _, dt := range pathFuncs {
+		if dir := dt.F(); dir != "" {
+			if fSys.Exists(dir) {
+				return dir, nil
+			}
+			nope = append(nope, types.Pair{Key: dt.Note, Value: dir})
+		} else {
+			nope = append(nope, types.Pair{Key: dt.Note, Value: "<no value>"})
+		}
+	}
+	return "", types.NewErrUnableToFind(what, nope)
+}
+
+func HomeDir() string {
+	home := os.Getenv(homeEnv())
+	if len(home) > 0 {
+		return home
+	}
+	return "~"
+}
+
+func homeEnv() string {
+	if runtime.GOOS == "windows" {
+		return "USERPROFILE"
+	}
+	return "HOME"
+}
+
+func CurrentWorkingDir() string {
+	// Try for full path first to be explicit.
+	pwd := os.Getenv(pwdEnv())
+	if len(pwd) > 0 {
+		return pwd
+	}
+	return filesys.SelfDir
+}
+
+func pwdEnv() string {
+	if runtime.GOOS == "windows" {
+		return "CD"
+	}
+	return "PWD"
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/krusty/doc.go b/vendor/sigs.k8s.io/kustomize/api/krusty/doc.go
new file mode 100644
index 0000000000..bf516ca94b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/krusty/doc.go
@@ -0,0 +1,11 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package krusty is intended as the entry point package
+// for those seeking to add kustomize ability to other
+// programs.
+//
+// To use, follow the example of the kustomize CLI's 'build'
+// command.  Also, see the high level tests in this package,
+// which serve a dual purpose as examples.
+package krusty
diff --git a/vendor/sigs.k8s.io/kustomize/api/krusty/kustomizer.go b/vendor/sigs.k8s.io/kustomize/api/krusty/kustomizer.go
new file mode 100644
index 0000000000..999cbf4537
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/krusty/kustomizer.go
@@ -0,0 +1,163 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package krusty
+
+import (
+	"fmt"
+	"log"
+
+	"sigs.k8s.io/kustomize/api/internal/builtins"
+	fLdr "sigs.k8s.io/kustomize/api/internal/loader"
+	pLdr "sigs.k8s.io/kustomize/api/internal/plugins/loader"
+	"sigs.k8s.io/kustomize/api/internal/target"
+	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/provenance"
+	"sigs.k8s.io/kustomize/api/provider"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+)
+
+// Kustomizer performs kustomizations.
+//
+// It's meant to behave similarly to the kustomize CLI, and can be
+// used instead of performing an exec to a kustomize CLI subprocess.
+// To use, load a filesystem with kustomization files (any
+// number of overlays and bases), then make a Kustomizer
+// injected with the given filesystem, then call Run.
+type Kustomizer struct {
+	options     *Options
+	depProvider *provider.DepProvider
+}
+
+// MakeKustomizer returns an instance of Kustomizer.
+func MakeKustomizer(o *Options) *Kustomizer {
+	return &Kustomizer{
+		options:     o,
+		depProvider: provider.NewDepProvider(),
+	}
+}
+
+// Run performs a kustomization.
+//
+// It reads given path from the given file system, interprets it as
+// a kustomization.yaml file, perform the kustomization it represents,
+// and return the resulting resources.
+//
+// Any files referenced by the kustomization must be present on the
+// filesystem.  One may call Run any number of times, on any number
+// of internal paths (e.g. the filesystem may contain multiple overlays,
+// and Run can be called on each of them).
+func (b *Kustomizer) Run(
+	fSys filesys.FileSystem, path string) (resmap.ResMap, error) {
+	resmapFactory := resmap.NewFactory(b.depProvider.GetResourceFactory())
+	lr := fLdr.RestrictionNone
+	if b.options.LoadRestrictions == types.LoadRestrictionsRootOnly {
+		lr = fLdr.RestrictionRootOnly
+	}
+	ldr, err := fLdr.NewLoader(lr, path, fSys)
+	if err != nil {
+		return nil, err
+	}
+	defer ldr.Cleanup()
+	kt := target.NewKustTarget(
+		ldr,
+		b.depProvider.GetFieldValidator(),
+		resmapFactory,
+		// The plugin configs are always located on disk, regardless of the fSys passed in
+		pLdr.NewLoader(b.options.PluginConfig, resmapFactory, filesys.MakeFsOnDisk()),
+	)
+	err = kt.Load()
+	if err != nil {
+		return nil, err
+	}
+	var bytes []byte
+	if openApiPath, exists := kt.Kustomization().OpenAPI["path"]; exists {
+		bytes, err = ldr.Load(openApiPath)
+		if err != nil {
+			return nil, err
+		}
+	}
+	err = openapi.SetSchema(kt.Kustomization().OpenAPI, bytes, true)
+	if err != nil {
+		return nil, err
+	}
+	var m resmap.ResMap
+	m, err = kt.MakeCustomizedResMap()
+	if err != nil {
+		return nil, err
+	}
+	err = b.applySortOrder(m, kt)
+	if err != nil {
+		return nil, err
+	}
+	if b.options.AddManagedbyLabel || utils.StringSliceContains(kt.Kustomization().BuildMetadata, types.ManagedByLabelOption) {
+		t := builtins.LabelTransformerPlugin{
+			Labels: map[string]string{
+				konfig.ManagedbyLabelKey: fmt.Sprintf("kustomize-%s", provenance.GetProvenance().Semver()),
+			},
+			FieldSpecs: []types.FieldSpec{{
+				Path:               "metadata/labels",
+				CreateIfNotPresent: true,
+			}},
+		}
+		err = t.Transform(m)
+		if err != nil {
+			return nil, err
+		}
+	}
+	m.RemoveBuildAnnotations()
+	if !utils.StringSliceContains(kt.Kustomization().BuildMetadata, types.OriginAnnotations) {
+		err = m.RemoveOriginAnnotations()
+		if err != nil {
+			return nil, errors.WrapPrefixf(err, "failed to clean up origin tracking annotations")
+		}
+	}
+	if !utils.StringSliceContains(kt.Kustomization().BuildMetadata, types.TransformerAnnotations) {
+		err = m.RemoveTransformerAnnotations()
+		if err != nil {
+			return nil, errors.WrapPrefixf(err, "failed to clean up transformer annotations")
+		}
+	}
+	return m, nil
+}
+
+func (b *Kustomizer) applySortOrder(m resmap.ResMap, kt *target.KustTarget) error {
+	// Sort order can be defined in two places:
+	// - (new) kustomization file
+	// - (old) CLI flag
+	//
+	// We want the kustomization file to take precedence over the CLI flag.
+	// Eventually, we may want to move away from having a CLI flag altogether:
+	// https://github.com/kubernetes-sigs/kustomize/issues/3947
+
+	// Case 1: Sort order set in kustomization file.
+	if kt.Kustomization().SortOptions != nil {
+		// If set in CLI flag too, warn the user.
+		if b.options.Reorder != ReorderOptionUnspecified {
+			log.Println("Warning: Sorting order is set both in 'kustomization.yaml'" +
+				" ('sortOptions') and in a CLI flag ('--reorder'). Using the" +
+				" kustomization file over the CLI flag.")
+		}
+		pl := &builtins.SortOrderTransformerPlugin{
+			SortOptions: kt.Kustomization().SortOptions,
+		}
+		err := pl.Transform(m)
+		if err != nil {
+			return errors.Wrap(err)
+		}
+	} else if b.options.Reorder == ReorderOptionLegacy || b.options.Reorder == ReorderOptionUnspecified {
+		// Case 2: Sort order set in CLI flag only or not at all.
+		pl := &builtins.SortOrderTransformerPlugin{
+			SortOptions: &types.SortOptions{
+				Order: types.LegacySortOrder,
+			},
+		}
+		return errors.Wrap(pl.Transform(m))
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/krusty/options.go b/vendor/sigs.k8s.io/kustomize/api/krusty/options.go
new file mode 100644
index 0000000000..086242c8ed
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/krusty/options.go
@@ -0,0 +1,70 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package krusty
+
+import (
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers"
+	"sigs.k8s.io/kustomize/api/types"
+)
+
+type ReorderOption string
+
+const (
+	ReorderOptionLegacy      ReorderOption = "legacy"
+	ReorderOptionNone        ReorderOption = "none"
+	ReorderOptionUnspecified ReorderOption = "unspecified"
+)
+
+// Options holds high-level kustomize configuration options,
+// e.g. are plugins enabled, should the loader be restricted
+// to the kustomization root, etc.
+type Options struct {
+	// When true, sort the resources before emitting them,
+	// per a particular sort order.  When false, don't do the
+	// sort, and instead respect the depth-first resource input
+	// order as specified by the kustomization file(s).
+
+	// Sort the resources before emitting them. Possible values:
+	// - "legacy": Use a fixed order that kustomize provides for backwards
+	//   compatibility.
+	// - "none": Respect the depth-first resource input order as specified by the
+	//   kustomization file.
+	// - "unspecified": The user didn't specify any preference. Kustomize will
+	//   select the appropriate default.
+	Reorder ReorderOption
+
+	// When true, a label
+	//     app.kubernetes.io/managed-by: kustomize-<version>
+	// is added to all the resources in the build out.
+	AddManagedbyLabel bool
+
+	// Restrictions on what can be loaded from the file system.
+	// See type definition.
+	LoadRestrictions types.LoadRestrictions
+
+	// Options related to kustomize plugins.
+	PluginConfig *types.PluginConfig
+}
+
+// MakeDefaultOptions returns a default instance of Options.
+func MakeDefaultOptions() *Options {
+	return &Options{
+		Reorder:           ReorderOptionNone,
+		AddManagedbyLabel: false,
+		LoadRestrictions:  types.LoadRestrictionsRootOnly,
+		PluginConfig:      types.DisabledPluginConfig(),
+	}
+}
+
+// GetBuiltinPluginNames returns a list of builtin plugin names
+func GetBuiltinPluginNames() []string {
+	var ret []string
+	for k := range builtinhelpers.GeneratorFactories {
+		ret = append(ret, k.String())
+	}
+	for k := range builtinhelpers.TransformerFactories {
+		ret = append(ret, k.String())
+	}
+	return ret
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/kv/kv.go b/vendor/sigs.k8s.io/kustomize/api/kv/kv.go
new file mode 100644
index 0000000000..61a0463c3c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/kv/kv.go
@@ -0,0 +1,197 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package kv
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/generators"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+var utf8bom = []byte{0xEF, 0xBB, 0xBF}
+
+// loader reads and validates KV pairs.
+type loader struct {
+	// Used to read the filesystem.
+	ldr ifc.Loader
+
+	// Used to validate various k8s data fields.
+	validator ifc.Validator
+}
+
+func NewLoader(ldr ifc.Loader, v ifc.Validator) ifc.KvLoader {
+	return &loader{ldr: ldr, validator: v}
+}
+
+func (kvl *loader) Validator() ifc.Validator {
+	return kvl.validator
+}
+
+func (kvl *loader) Load(
+	args types.KvPairSources) (all []types.Pair, err error) {
+	pairs, err := kvl.keyValuesFromEnvFiles(args.EnvSources)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err,
+			"env source files: %v",
+			args.EnvSources)
+	}
+	all = append(all, pairs...)
+
+	pairs, err = keyValuesFromLiteralSources(args.LiteralSources)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err,
+			"literal sources %v", args.LiteralSources)
+	}
+	all = append(all, pairs...)
+
+	pairs, err = kvl.keyValuesFromFileSources(args.FileSources)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err,
+			"file sources: %v", args.FileSources)
+	}
+	return append(all, pairs...), nil
+}
+
+func keyValuesFromLiteralSources(sources []string) ([]types.Pair, error) {
+	var kvs []types.Pair
+	for _, s := range sources {
+		k, v, err := parseLiteralSource(s)
+		if err != nil {
+			return nil, err
+		}
+		kvs = append(kvs, types.Pair{Key: k, Value: v})
+	}
+	return kvs, nil
+}
+
+func (kvl *loader) keyValuesFromFileSources(sources []string) ([]types.Pair, error) {
+	var kvs []types.Pair
+	for _, s := range sources {
+		k, fPath, err := generators.ParseFileSource(s)
+		if err != nil {
+			return nil, err
+		}
+		content, err := kvl.ldr.Load(fPath)
+		if err != nil {
+			return nil, err
+		}
+		kvs = append(kvs, types.Pair{Key: k, Value: string(content)})
+	}
+	return kvs, nil
+}
+
+func (kvl *loader) keyValuesFromEnvFiles(paths []string) ([]types.Pair, error) {
+	var kvs []types.Pair
+	for _, p := range paths {
+		content, err := kvl.ldr.Load(p)
+		if err != nil {
+			return nil, err
+		}
+		more, err := kvl.keyValuesFromLines(content)
+		if err != nil {
+			return nil, err
+		}
+		kvs = append(kvs, more...)
+	}
+	return kvs, nil
+}
+
+// keyValuesFromLines parses given content in to a list of key-value pairs.
+func (kvl *loader) keyValuesFromLines(content []byte) ([]types.Pair, error) {
+	var kvs []types.Pair
+
+	scanner := bufio.NewScanner(bytes.NewReader(content))
+	currentLine := 0
+	for scanner.Scan() {
+		// Process the current line, retrieving a key/value pair if
+		// possible.
+		scannedBytes := scanner.Bytes()
+		kv, err := kvl.keyValuesFromLine(scannedBytes, currentLine)
+		if err != nil {
+			return nil, err
+		}
+		currentLine++
+
+		if len(kv.Key) == 0 {
+			// no key means line was empty or a comment
+			continue
+		}
+
+		kvs = append(kvs, kv)
+	}
+	return kvs, nil
+}
+
+// KeyValuesFromLine returns a kv with blank key if the line is empty or a comment.
+func (kvl *loader) keyValuesFromLine(line []byte, currentLine int) (types.Pair, error) {
+	kv := types.Pair{}
+
+	if !utf8.Valid(line) {
+		return kv, fmt.Errorf("line %d has invalid utf8 bytes : %v", line, string(line))
+	}
+
+	// We trim UTF8 BOM from the first line of the file but no others
+	if currentLine == 0 {
+		line = bytes.TrimPrefix(line, utf8bom)
+	}
+
+	// trim the line from all leading whitespace first
+	line = bytes.TrimLeftFunc(line, unicode.IsSpace)
+
+	// If the line is empty or a comment, we return a blank key/value pair.
+	if len(line) == 0 || line[0] == '#' {
+		return kv, nil
+	}
+
+	data := strings.SplitN(string(line), "=", 2)
+	key := data[0]
+	if err := kvl.validator.IsEnvVarName(key); err != nil {
+		return kv, err
+	}
+
+	if len(data) == 2 {
+		kv.Value = data[1]
+	} else {
+		// If there is no value (no `=` in the line), we set the value to an empty string
+		kv.Value = ""
+	}
+	kv.Key = key
+	return kv, nil
+}
+
+// ParseLiteralSource parses the source key=val pair into its component pieces.
+// This functionality is distinguished from strings.SplitN(source, "=", 2) since
+// it returns an error in the case of empty keys, values, or a missing equals sign.
+func parseLiteralSource(source string) (keyName, value string, err error) {
+	// leading equal is invalid
+	if strings.Index(source, "=") == 0 {
+		return "", "", fmt.Errorf("invalid literal source %v, expected key=value", source)
+	}
+	// split after the first equal (so values can have the = character)
+	items := strings.SplitN(source, "=", 2)
+	if len(items) != 2 {
+		return "", "", fmt.Errorf("invalid literal source %v, expected key=value", source)
+	}
+	return items[0], removeQuotes(items[1]), nil
+}
+
+// removeQuotes removes the surrounding quotes from the provided string only if it is surrounded on both sides
+// rather than blindly trimming all quotation marks on either side.
+func removeQuotes(str string) string {
+	if len(str) < 2 || str[0] != str[len(str)-1] {
+		return str
+	}
+	if str[0] == '"' || str[0] == '\'' {
+		return str[1 : len(str)-1]
+	}
+	return str
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/provenance/provenance.go b/vendor/sigs.k8s.io/kustomize/api/provenance/provenance.go
new file mode 100644
index 0000000000..09bb4e236c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/provenance/provenance.go
@@ -0,0 +1,141 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package provenance
+
+import (
+	"fmt"
+	"runtime"
+	"runtime/debug"
+	"strings"
+
+	"github.com/blang/semver/v4"
+)
+
+// These variables are set at build time using ldflags.
+//
+//nolint:gochecknoglobals
+var (
+	// During a release, this will be set to the release tag, e.g. "kustomize/v4.5.7"
+	version = developmentVersion
+	// build date in ISO8601 format, output of $(date -u +'%Y-%m-%dT%H:%M:%SZ')
+	buildDate = unknown
+)
+
+const (
+	// This default value, (devel), matches
+	// the value debug.BuildInfo uses for an unset main module version.
+	developmentVersion = "(devel)"
+
+	// ModulePath is kustomize module path, defined in kustomize/go.mod
+	ModulePath = "sigs.k8s.io/kustomize/kustomize/v5"
+
+	// This is default value, unknown, substituted when
+	// the value can't be determined from debug.BuildInfo.
+	unknown = "unknown"
+)
+
+// Provenance holds information about the build of an executable.
+type Provenance struct {
+	// Version of the kustomize binary.
+	Version string `json:"version,omitempty" yaml:"version,omitempty"`
+	// GitCommit is a git commit
+	GitCommit string `json:"gitCommit,omitempty" yaml:"gitCommit,omitempty"`
+	// BuildDate is date of the build.
+	BuildDate string `json:"buildDate,omitempty" yaml:"buildDate,omitempty"`
+	// GoOs holds OS name.
+	GoOs string `json:"goOs,omitempty" yaml:"goOs,omitempty"`
+	// GoArch holds architecture name.
+	GoArch string `json:"goArch,omitempty" yaml:"goArch,omitempty"`
+	// GoVersion holds Go version.
+	GoVersion string `json:"goVersion,omitempty" yaml:"goVersion,omitempty"`
+}
+
+// GetProvenance returns an instance of Provenance.
+func GetProvenance() Provenance {
+	p := Provenance{
+		BuildDate: buildDate,
+		Version:   version,
+		GitCommit: unknown,
+		GoOs:      runtime.GOOS,
+		GoArch:    runtime.GOARCH,
+		GoVersion: runtime.Version(),
+	}
+	info, ok := debug.ReadBuildInfo()
+	if !ok {
+		return p
+	}
+
+	for _, setting := range info.Settings {
+		// For now, the git commit is the only information of interest.
+		// We could consider adding other info such as the commit date in the future.
+		if setting.Key == "vcs.revision" {
+			p.GitCommit = setting.Value
+			break
+		}
+	}
+	p.Version = FindVersion(info, p.Version)
+
+	return p
+}
+
+// FindVersion searches for a version in the depth of dependencies including replacements,
+// otherwise, it tries to get version from debug.BuildInfo Main.
+func FindVersion(info *debug.BuildInfo, version string) string {
+	for _, dep := range info.Deps {
+		if dep != nil && dep.Path == ModulePath {
+			if dep.Version == developmentVersion {
+				continue
+			}
+			v, err := GetMostRecentTag(*dep)
+			if err != nil {
+				fmt.Printf("failed to get most recent tag for %s: %v\n", dep.Path, err)
+				continue
+			}
+
+			return v
+		}
+	}
+
+	if version == developmentVersion && info.Main.Version != "" {
+		return info.Main.Version
+	}
+
+	return version
+}
+
+func GetMostRecentTag(m debug.Module) (string, error) {
+	for m.Replace != nil {
+		m = *m.Replace
+	}
+
+	split := strings.Split(m.Version, "-")
+	sv, err := semver.Parse(strings.TrimPrefix(split[0], "v"))
+
+	if err != nil {
+		return "", fmt.Errorf("failed to parse version %s: %w", m.Version, err)
+	}
+
+	if len(split) > 1 && sv.Patch > 0 {
+		sv.Patch -= 1
+	}
+	return fmt.Sprintf("v%s", sv.FinalizeVersion()), nil
+}
+
+// Short returns the shortened provenance stamp.
+func (v Provenance) Short() string {
+	return fmt.Sprintf(
+		"%v",
+		Provenance{
+			Version:   v.Version,
+			BuildDate: v.BuildDate,
+		})
+}
+
+// Semver returns the semantic version of kustomize.
+// kustomize version is set in format "kustomize/vX.X.X" in every release.
+// X.X.X is a semver. If the version string is not in this format,
+// return the original version string
+func (v Provenance) Semver() string {
+	return strings.TrimPrefix(v.Version, "kustomize/")
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/provider/depprovider.go b/vendor/sigs.k8s.io/kustomize/api/provider/depprovider.go
new file mode 100644
index 0000000000..0102c89ce0
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/provider/depprovider.go
@@ -0,0 +1,42 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package provider
+
+import (
+	"sigs.k8s.io/kustomize/api/hasher"
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/validate"
+	"sigs.k8s.io/kustomize/api/resource"
+)
+
+// DepProvider is a dependency provider, injecting different
+// implementations depending on the context.
+type DepProvider struct {
+	resourceFactory *resource.Factory
+	// implemented by api/internal/validate.FieldValidator
+	// See TODO inside the validator for status.
+	// At time of writing, this is a do-nothing
+	// validator as it's not critical to kustomize function.
+	fieldValidator ifc.Validator
+}
+
+func NewDepProvider() *DepProvider {
+	rf := resource.NewFactory(&hasher.Hasher{})
+	return &DepProvider{
+		resourceFactory: rf,
+		fieldValidator:  validate.NewFieldValidator(),
+	}
+}
+
+func NewDefaultDepProvider() *DepProvider {
+	return NewDepProvider()
+}
+
+func (dp *DepProvider) GetResourceFactory() *resource.Factory {
+	return dp.resourceFactory
+}
+
+func (dp *DepProvider) GetFieldValidator() ifc.Validator {
+	return dp.fieldValidator
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/resmap/factory.go b/vendor/sigs.k8s.io/kustomize/api/resmap/factory.go
new file mode 100644
index 0000000000..9cc860749c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/resmap/factory.go
@@ -0,0 +1,145 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package resmap
+
+import (
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/kusterr"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Factory makes instances of ResMap.
+type Factory struct {
+	// Makes resources.
+	resF *resource.Factory
+}
+
+// NewFactory returns a new resmap.Factory.
+func NewFactory(rf *resource.Factory) *Factory {
+	return &Factory{resF: rf}
+}
+
+// RF returns a resource.Factory.
+func (rmF *Factory) RF() *resource.Factory {
+	return rmF.resF
+}
+
+func New() ResMap {
+	return newOne()
+}
+
+// FromResource returns a ResMap with one entry.
+func (rmF *Factory) FromResource(res *resource.Resource) ResMap {
+	m, err := newResMapFromResourceSlice([]*resource.Resource{res})
+	if err != nil {
+		panic(err)
+	}
+	return m
+}
+
+// FromResourceSlice returns a ResMap with a slice of resources.
+func (rmF *Factory) FromResourceSlice(ress []*resource.Resource) ResMap {
+	m, err := newResMapFromResourceSlice(ress)
+	if err != nil {
+		panic(err)
+	}
+	return m
+}
+
+// FromFile returns a ResMap given a resource path.
+func (rmF *Factory) FromFile(
+	loader ifc.Loader, path string) (ResMap, error) {
+	content, err := loader.Load(path)
+	if err != nil {
+		return nil, err
+	}
+	m, err := rmF.NewResMapFromBytes(content)
+	if err != nil {
+		return nil, kusterr.Handler(err, path)
+	}
+	return m, nil
+}
+
+// NewResMapFromBytes decodes a list of objects in byte array format.
+func (rmF *Factory) NewResMapFromBytes(b []byte) (ResMap, error) {
+	resources, err := rmF.resF.SliceFromBytes(b)
+	if err != nil {
+		return nil, err
+	}
+	return newResMapFromResourceSlice(resources)
+}
+
+// NewResMapFromConfigMapArgs returns a Resource slice given
+// a configmap metadata slice from kustomization file.
+func (rmF *Factory) NewResMapFromConfigMapArgs(
+	kvLdr ifc.KvLoader, argList []types.ConfigMapArgs) (ResMap, error) {
+	var resources []*resource.Resource
+	for i := range argList {
+		res, err := rmF.resF.MakeConfigMap(kvLdr, &argList[i])
+		if err != nil {
+			return nil, errors.WrapPrefixf(err, "NewResMapFromConfigMapArgs")
+		}
+		resources = append(resources, res)
+	}
+	return newResMapFromResourceSlice(resources)
+}
+
+// FromConfigMapArgs creates a new ResMap containing one ConfigMap.
+func (rmF *Factory) FromConfigMapArgs(
+	kvLdr ifc.KvLoader, args types.ConfigMapArgs) (ResMap, error) {
+	res, err := rmF.resF.MakeConfigMap(kvLdr, &args)
+	if err != nil {
+		return nil, err
+	}
+	return rmF.FromResource(res), nil
+}
+
+// NewResMapFromSecretArgs takes a SecretArgs slice, generates
+// secrets from each entry, and accumulates them in a ResMap.
+func (rmF *Factory) NewResMapFromSecretArgs(
+	kvLdr ifc.KvLoader, argsList []types.SecretArgs) (ResMap, error) {
+	var resources []*resource.Resource
+	for i := range argsList {
+		res, err := rmF.resF.MakeSecret(kvLdr, &argsList[i])
+		if err != nil {
+			return nil, errors.WrapPrefixf(err, "NewResMapFromSecretArgs")
+		}
+		resources = append(resources, res)
+	}
+	return newResMapFromResourceSlice(resources)
+}
+
+// FromSecretArgs creates a new ResMap containing one secret.
+func (rmF *Factory) FromSecretArgs(
+	kvLdr ifc.KvLoader, args types.SecretArgs) (ResMap, error) {
+	res, err := rmF.resF.MakeSecret(kvLdr, &args)
+	if err != nil {
+		return nil, err
+	}
+	return rmF.FromResource(res), nil
+}
+
+func newResMapFromResourceSlice(
+	resources []*resource.Resource) (ResMap, error) {
+	result := New()
+	for _, res := range resources {
+		err := result.Append(res)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return result, nil
+}
+
+// NewResMapFromRNodeSlice returns a ResMap from a slice of RNodes
+func (rmF *Factory) NewResMapFromRNodeSlice(s []*yaml.RNode) (ResMap, error) {
+	rs, err := rmF.resF.ResourcesFromRNodes(s)
+	if err != nil {
+		return nil, err
+	}
+	return newResMapFromResourceSlice(rs)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/resmap/resmap.go b/vendor/sigs.k8s.io/kustomize/api/resmap/resmap.go
new file mode 100644
index 0000000000..ea913ba6ba
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/resmap/resmap.go
@@ -0,0 +1,333 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package resmap implements a map from ResId to Resource that
+// tracks all resources in a kustomization.
+package resmap
+
+import (
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// A Transformer modifies an instance of ResMap.
+type Transformer interface {
+	// Transform modifies data in the argument,
+	// e.g. adding labels to resources that can be labelled.
+	Transform(m ResMap) error
+}
+
+// A TransformerWithProperties contains a Transformer and stores
+// some of its properties
+type TransformerWithProperties struct {
+	Transformer
+	Origin *resource.Origin
+}
+
+// A Generator creates an instance of ResMap.
+type Generator interface {
+	Generate() (ResMap, error)
+}
+
+// A GeneratorWithProperties contains a Generator and stores
+// some of its properties
+type GeneratorWithProperties struct {
+	Generator
+	Origin *resource.Origin
+}
+
+// Something that's configurable accepts an
+// instance of PluginHelpers and a raw config
+// object (YAML in []byte form).
+type Configurable interface {
+	Config(h *PluginHelpers, config []byte) error
+}
+
+// NewPluginHelpers makes an instance of PluginHelpers.
+func NewPluginHelpers(
+	ldr ifc.Loader, v ifc.Validator, rf *Factory,
+	pc *types.PluginConfig) *PluginHelpers {
+	return &PluginHelpers{ldr: ldr, v: v, rf: rf, pc: pc}
+}
+
+// PluginHelpers holds things that any or all plugins might need.
+// This should be available to each plugin, in addition to
+// any plugin-specific configuration.
+type PluginHelpers struct {
+	ldr ifc.Loader
+	v   ifc.Validator
+	rf  *Factory
+	pc  *types.PluginConfig
+}
+
+func (c *PluginHelpers) GeneralConfig() *types.PluginConfig {
+	return c.pc
+}
+
+func (c *PluginHelpers) Loader() ifc.Loader {
+	return c.ldr
+}
+
+func (c *PluginHelpers) ResmapFactory() *Factory {
+	return c.rf
+}
+
+func (c *PluginHelpers) Validator() ifc.Validator {
+	return c.v
+}
+
+type GeneratorPlugin interface {
+	Generator
+	Configurable
+}
+
+type TransformerPlugin interface {
+	Transformer
+	Configurable
+}
+
+// ResMap is an interface describing operations on the
+// core kustomize data structure, a list of Resources.
+//
+// Every Resource has two ResIds: OrgId and CurId.
+//
+// In a ResMap, no two resources may have the same CurId,
+// but they may have the same OrgId.  The latter can happen
+// when mixing two or more different overlays apply different
+// transformations to a common base.  When looking for a
+// resource to transform, try the OrgId first, and if this
+// fails or finds too many, it might make sense to then try
+// the CurrId.  Depends on the situation.
+//
+// TODO: get rid of this interface (use bare resWrangler).
+// There aren't multiple implementations any more.
+type ResMap interface {
+	// Size reports the number of resources.
+	Size() int
+
+	// Resources provides a discardable slice
+	// of resource pointers, returned in the order
+	// as appended.
+	Resources() []*resource.Resource
+
+	// Append adds a Resource. Error on CurId collision.
+	//
+	// A class invariant of ResMap is that all of its
+	// resources must differ in their value of
+	// CurId(), aka current Id.  The Id is the tuple
+	// of {namespace, group, version, kind, name}
+	// (see ResId).
+	//
+	// This invariant reflects the invariant of a
+	// kubernetes cluster, where if one tries to add
+	// a resource to the cluster whose Id matches
+	// that of a resource already in the cluster,
+	// only two outcomes are allowed.  Either the
+	// incoming resource is _merged_ into the existing
+	// one, or the incoming resource is rejected.
+	// One cannot end up with two resources
+	// in the cluster with the same Id.
+	Append(*resource.Resource) error
+
+	// AppendAll appends another ResMap to self,
+	// failing on any CurId collision.
+	AppendAll(ResMap) error
+
+	// AbsorbAll appends, replaces or merges the contents
+	// of another ResMap into self,
+	// allowing and sometimes demanding ID collisions.
+	// A collision would be demanded, say, when a generated
+	// ConfigMap has the "replace" option in its generation
+	// instructions, meaning it _must_ replace
+	// something in the known set of resources.
+	// If a resource id for resource X is found to already
+	// be in self, then the behavior field for X must
+	// be BehaviorMerge or BehaviorReplace. If X is not in
+	// self, then its behavior _cannot_ be merge or replace.
+	AbsorbAll(ResMap) error
+
+	// AddOriginAnnotation will add the provided origin as
+	// an origin annotation to all resources in the ResMap, if
+	// the origin is not nil.
+	AddOriginAnnotation(origin *resource.Origin) error
+
+	// RemoveOriginAnnotation will remove the origin annotation
+	// from all resources in the ResMap
+	RemoveOriginAnnotations() error
+
+	// AddTransformerAnnotation will add the provided origin as
+	// an origin annotation if the resource doesn't have one; a
+	// transformer annotation otherwise; to all resources in
+	// ResMap
+	AddTransformerAnnotation(origin *resource.Origin) error
+
+	// RemoveTransformerAnnotation will remove the transformer annotation
+	// from all resources in the ResMap
+	RemoveTransformerAnnotations() error
+
+	// AnnotateAll annotates all resources in the ResMap with
+	// the provided key value pair.
+	AnnotateAll(key string, value string) error
+
+	// AsYaml returns the yaml form of resources.
+	AsYaml() ([]byte, error)
+
+	// GetByIndex returns a resource at the given index,
+	// nil if out of range.
+	GetByIndex(int) *resource.Resource
+
+	// GetIndexOfCurrentId returns the index of the resource
+	// with the given CurId.
+	// Returns error if there is more than one match.
+	// Returns (-1, nil) if there is no match.
+	GetIndexOfCurrentId(id resid.ResId) (int, error)
+
+	// GetMatchingResourcesByCurrentId returns the resources
+	// who's CurId is matched by the argument.
+	GetMatchingResourcesByCurrentId(matches IdMatcher) []*resource.Resource
+
+	// GetMatchingResourcesByAnyId returns the resources
+	// who's current or previous IDs is matched by the argument.
+	GetMatchingResourcesByAnyId(matches IdMatcher) []*resource.Resource
+
+	// GetByCurrentId is shorthand for calling
+	// GetMatchingResourcesByCurrentId with a matcher requiring
+	// an exact match, returning an error on multiple or no matches.
+	GetByCurrentId(resid.ResId) (*resource.Resource, error)
+
+	// GetById is shorthand for calling
+	// GetMatchingResourcesByAnyId with a matcher requiring
+	// an exact match, returning an error on multiple or no matches.
+	GetById(resid.ResId) (*resource.Resource, error)
+
+	// GroupedByCurrentNamespace returns a map of namespace
+	// to a slice of *Resource in that namespace.
+	// Cluster-scoped Resources are not included (see ClusterScoped).
+	// Resources with an empty namespace are placed
+	// in the resid.DefaultNamespace entry.
+	GroupedByCurrentNamespace() map[string][]*resource.Resource
+
+	// GroupedByOriginalNamespace performs as GroupByNamespace
+	// but use the original namespace instead of the current
+	// one to perform the grouping.
+	GroupedByOriginalNamespace() map[string][]*resource.Resource
+
+	// ClusterScoped returns a slice of resources that
+	// cannot be placed in a namespace, e.g.
+	// Node, ClusterRole, Namespace itself, etc.
+	ClusterScoped() []*resource.Resource
+
+	// AllIds returns all CurrentIds.
+	AllIds() []resid.ResId
+
+	// Replace replaces the resource with the matching CurId.
+	// Error if there's no match or more than one match.
+	// Returns the index where the replacement happened.
+	Replace(*resource.Resource) (int, error)
+
+	// Remove removes the resource whose CurId matches the argument.
+	// Error if not found.
+	Remove(resid.ResId) error
+
+	// Clear removes all resources and Ids.
+	Clear()
+
+	// DropEmpties drops empty resources from the ResMap.
+	DropEmpties()
+
+	// SubsetThatCouldBeReferencedByResource returns a ResMap subset
+	// of self with resources that could be referenced by the
+	// resource argument.
+	// This is a filter; it excludes things that cannot be
+	// referenced by the resource, e.g. objects in other
+	// namespaces. Cluster wide objects are never excluded.
+	SubsetThatCouldBeReferencedByResource(*resource.Resource) (ResMap, error)
+
+	// DeAnchor replaces YAML aliases with structured data copied from anchors.
+	// This cannot be undone; if desired, call DeepCopy first.
+	// Subsequent marshalling to YAML will no longer have anchor
+	// definitions ('&') or aliases ('*').
+	//
+	// Anchors are not expected to work across YAML 'documents'.
+	// If three resources are loaded from one file containing three YAML docs:
+	//
+	//   {resourceA}
+	//   ---
+	//   {resourceB}
+	//   ---
+	//   {resourceC}
+	//
+	// then anchors defined in A cannot be seen from B and C and vice versa.
+	// OTOH, cross-resource links (a field in B referencing fields in A) will
+	// work if the resources are gathered in a ResourceList:
+	//
+	//   apiVersion: config.kubernetes.io/v1
+	//   kind: ResourceList
+	//   metadata:
+	//     name: someList
+	//   items:
+	//   - {resourceA}
+	//   - {resourceB}
+	//   - {resourceC}
+	//
+	DeAnchor() error
+
+	// DeepCopy copies the ResMap and underlying resources.
+	DeepCopy() ResMap
+
+	// ShallowCopy copies the ResMap but
+	// not the underlying resources.
+	ShallowCopy() ResMap
+
+	// ErrorIfNotEqualSets returns an error if the
+	// argument doesn't have the same resources as self.
+	// Ordering is _not_ taken into account,
+	// as this function was solely used in tests written
+	// before internal resource order was maintained,
+	// and those tests are initialized with maps which
+	// by definition have random ordering, and will
+	// fail spuriously.
+	// TODO: modify tests to not use resmap.FromMap,
+	// TODO: - and replace this with a stricter equals.
+	ErrorIfNotEqualSets(ResMap) error
+
+	// ErrorIfNotEqualLists returns an error if the
+	// argument doesn't have the resource objects
+	// data as self, in the same order.
+	// Meta information is ignored; this is similar
+	// to comparing the AsYaml() strings, but allows
+	// for more informed errors on not equals.
+	ErrorIfNotEqualLists(ResMap) error
+
+	// Debug prints the ResMap.
+	Debug(title string)
+
+	// Select returns a list of resources that
+	// are selected by a Selector
+	Select(types.Selector) ([]*resource.Resource, error)
+
+	// ToRNodeSlice returns a copy of the resources as RNodes.
+	ToRNodeSlice() []*yaml.RNode
+
+	// ApplySmPatch applies a strategic-merge patch to the
+	// selected set of resources.
+	ApplySmPatch(
+		selectedSet *resource.IdSet, patch *resource.Resource) error
+
+	// RemoveBuildAnnotations removes annotations created by the build process.
+	RemoveBuildAnnotations()
+
+	// ApplyFilter applies an RNode filter to all Resources in the ResMap.
+	// TODO: Send/recover ancillary Resource data to/from subprocesses.
+	// Assure that the ancillary data in Resource (everything not in the RNode)
+	// is sent to and re-captured from transformer subprocess (as the process
+	// might edit that information).  One way to do this would be to solely use
+	// RNode metadata annotation reading and writing instead of using Resource
+	// struct data members, i.e. the Resource struct is replaced by RNode
+	// and use of (slow) k8s metadata annotations inside the RNode.
+	ApplyFilter(f kio.Filter) error
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/resmap/reswrangler.go b/vendor/sigs.k8s.io/kustomize/api/resmap/reswrangler.go
new file mode 100644
index 0000000000..f6443539f1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/resmap/reswrangler.go
@@ -0,0 +1,767 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package resmap
+
+import (
+	"bytes"
+	"fmt"
+	"reflect"
+
+	"sigs.k8s.io/kustomize/api/filters/annotations"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	kyaml "sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// resWrangler implements ResMap.
+type resWrangler struct {
+	// Resource list maintained in load (append) order.
+	// This is important for transformers, which must
+	// be performed in a specific order, and for users
+	// who for whatever reasons wish the order they
+	// specify in kustomizations to be maintained and
+	// available as an option for final YAML rendering.
+	rList []*resource.Resource
+}
+
+func newOne() *resWrangler {
+	result := &resWrangler{}
+	result.Clear()
+	return result
+}
+
+// Clear implements ResMap.
+func (m *resWrangler) Clear() {
+	m.rList = nil
+}
+
+// DropEmpties quickly drops empty resources.
+// It doesn't use Append, which checks for Id collisions.
+func (m *resWrangler) DropEmpties() {
+	var rList []*resource.Resource
+	for _, r := range m.rList {
+		if !r.IsNilOrEmpty() {
+			rList = append(rList, r)
+		}
+	}
+	m.rList = rList
+}
+
+// Size implements ResMap.
+func (m *resWrangler) Size() int {
+	return len(m.rList)
+}
+
+func (m *resWrangler) indexOfResource(other *resource.Resource) int {
+	for i, r := range m.rList {
+		if r == other {
+			return i
+		}
+	}
+	return -1
+}
+
+// Resources implements ResMap.
+func (m *resWrangler) Resources() []*resource.Resource {
+	tmp := make([]*resource.Resource, len(m.rList))
+	copy(tmp, m.rList)
+	return tmp
+}
+
+// Append implements ResMap.
+func (m *resWrangler) Append(res *resource.Resource) error {
+	id := res.CurId()
+	if r := m.GetMatchingResourcesByCurrentId(id.Equals); len(r) > 0 {
+		return fmt.Errorf(
+			"may not add resource with an already registered id: %s", id)
+	}
+	m.append(res)
+	return nil
+}
+
+// append appends without performing an Id check
+func (m *resWrangler) append(res *resource.Resource) {
+	m.rList = append(m.rList, res)
+}
+
+// Remove implements ResMap.
+func (m *resWrangler) Remove(adios resid.ResId) error {
+	var rList []*resource.Resource
+	for _, r := range m.rList {
+		if r.CurId() != adios {
+			rList = append(rList, r)
+		}
+	}
+	if len(rList) != m.Size()-1 {
+		return fmt.Errorf("id %s not found in removal", adios)
+	}
+	m.rList = rList
+	return nil
+}
+
+// Replace implements ResMap.
+func (m *resWrangler) Replace(res *resource.Resource) (int, error) {
+	id := res.CurId()
+	i, err := m.GetIndexOfCurrentId(id)
+	if err != nil {
+		return -1, errors.WrapPrefixf(err, "in Replace")
+	}
+	if i < 0 {
+		return -1, fmt.Errorf("cannot find resource with id %s to replace", id)
+	}
+	m.rList[i] = res
+	return i, nil
+}
+
+// AllIds implements ResMap.
+func (m *resWrangler) AllIds() (ids []resid.ResId) {
+	ids = make([]resid.ResId, m.Size())
+	for i, r := range m.rList {
+		ids[i] = r.CurId()
+	}
+	return
+}
+
+// Debug implements ResMap.
+func (m *resWrangler) Debug(title string) {
+	fmt.Println("--------------------------- " + title)
+	firstObj := true
+	for i, r := range m.rList {
+		if firstObj {
+			firstObj = false
+		} else {
+			fmt.Println("---")
+		}
+		fmt.Printf("# %d  %s\n%s\n", i, r.OrgId(), r.String())
+	}
+}
+
+type IdMatcher func(resid.ResId) bool
+
+// GetByIndex implements ResMap.
+func (m *resWrangler) GetByIndex(i int) *resource.Resource {
+	if i < 0 || i >= m.Size() {
+		return nil
+	}
+	return m.rList[i]
+}
+
+// GetIndexOfCurrentId implements ResMap.
+func (m *resWrangler) GetIndexOfCurrentId(id resid.ResId) (int, error) {
+	count := 0
+	result := -1
+	for i, r := range m.rList {
+		if id.Equals(r.CurId()) {
+			count++
+			result = i
+		}
+	}
+	if count > 1 {
+		return -1, fmt.Errorf("id matched %d resources", count)
+	}
+	return result, nil
+}
+
+type IdFromResource func(r *resource.Resource) resid.ResId
+
+func GetCurrentId(r *resource.Resource) resid.ResId { return r.CurId() }
+
+// GetMatchingResourcesByCurrentId implements ResMap.
+func (m *resWrangler) GetMatchingResourcesByCurrentId(
+	matches IdMatcher) []*resource.Resource {
+	return m.filteredById(matches, GetCurrentId)
+}
+
+// GetMatchingResourcesByAnyId implements ResMap.
+func (m *resWrangler) GetMatchingResourcesByAnyId(
+	matches IdMatcher) []*resource.Resource {
+	var result []*resource.Resource
+	for _, r := range m.rList {
+		if r.RNode.IsNilOrEmpty() {
+			continue
+		}
+
+		for _, id := range append(r.PrevIds(), r.CurId()) {
+			if matches(id) {
+				result = append(result, r)
+				break
+			}
+		}
+	}
+	return result
+}
+
+func (m *resWrangler) filteredById(
+	matches IdMatcher, idGetter IdFromResource) []*resource.Resource {
+	var result []*resource.Resource
+	for _, r := range m.rList {
+		if matches(idGetter(r)) {
+			result = append(result, r)
+		}
+	}
+	return result
+}
+
+// GetByCurrentId implements ResMap.
+func (m *resWrangler) GetByCurrentId(
+	id resid.ResId) (*resource.Resource, error) {
+	return demandOneMatch(m.GetMatchingResourcesByCurrentId, id, "Current")
+}
+
+// GetById implements ResMap.
+func (m *resWrangler) GetById(
+	id resid.ResId) (*resource.Resource, error) {
+	r, err := demandOneMatch(m.GetMatchingResourcesByAnyId, id, "Id")
+	if err != nil {
+		return nil, fmt.Errorf(
+			"%s; failed to find unique target for patch %s",
+			err.Error(), id.String())
+	}
+	return r, nil
+}
+
+type resFinder func(IdMatcher) []*resource.Resource
+
+func demandOneMatch(
+	f resFinder, id resid.ResId, s string) (*resource.Resource, error) {
+	r := f(id.Equals)
+	if len(r) == 1 {
+		return r[0], nil
+	}
+	if len(r) > 1 {
+		return nil, fmt.Errorf("multiple matches for %s %s", s, id)
+	}
+	return nil, fmt.Errorf("no matches for %s %s", s, id)
+}
+
+// GroupedByCurrentNamespace implements ResMap.
+func (m *resWrangler) GroupedByCurrentNamespace() map[string][]*resource.Resource {
+	items := m.groupedByCurrentNamespace()
+	delete(items, resid.TotallyNotANamespace)
+	return items
+}
+
+// ClusterScoped implements ResMap.
+func (m *resWrangler) ClusterScoped() []*resource.Resource {
+	return m.groupedByCurrentNamespace()[resid.TotallyNotANamespace]
+}
+
+func (m *resWrangler) groupedByCurrentNamespace() map[string][]*resource.Resource {
+	byNamespace := make(map[string][]*resource.Resource)
+	for _, res := range m.rList {
+		namespace := res.CurId().EffectiveNamespace()
+		if _, found := byNamespace[namespace]; !found {
+			byNamespace[namespace] = []*resource.Resource{}
+		}
+		byNamespace[namespace] = append(byNamespace[namespace], res)
+	}
+	return byNamespace
+}
+
+// GroupedByOriginalNamespace implements ResMap.
+func (m *resWrangler) GroupedByOriginalNamespace() map[string][]*resource.Resource {
+	items := m.groupedByOriginalNamespace()
+	delete(items, resid.TotallyNotANamespace)
+	return items
+}
+
+func (m *resWrangler) groupedByOriginalNamespace() map[string][]*resource.Resource {
+	byNamespace := make(map[string][]*resource.Resource)
+	for _, res := range m.rList {
+		namespace := res.OrgId().EffectiveNamespace()
+		if _, found := byNamespace[namespace]; !found {
+			byNamespace[namespace] = []*resource.Resource{}
+		}
+		byNamespace[namespace] = append(byNamespace[namespace], res)
+	}
+	return byNamespace
+}
+
+// AsYaml implements ResMap.
+func (m *resWrangler) AsYaml() ([]byte, error) {
+	firstObj := true
+	var b []byte
+	buf := bytes.NewBuffer(b)
+	for _, res := range m.rList {
+		out, err := res.AsYAML()
+		if err != nil {
+			m, _ := res.Map()
+			return nil, errors.WrapPrefixf(err, "%#v", m)
+		}
+		if firstObj {
+			firstObj = false
+		} else {
+			if _, err = buf.WriteString("---\n"); err != nil {
+				return nil, err
+			}
+		}
+		if _, err = buf.Write(out); err != nil {
+			return nil, err
+		}
+	}
+	return buf.Bytes(), nil
+}
+
+// ErrorIfNotEqualSets implements ResMap.
+func (m *resWrangler) ErrorIfNotEqualSets(other ResMap) error {
+	m2, ok := other.(*resWrangler)
+	if !ok {
+		return fmt.Errorf("bad cast to resWrangler 1")
+	}
+	if m.Size() != m2.Size() {
+		return fmt.Errorf(
+			"lists have different number of entries: %#v doesn't equal %#v",
+			m.rList, m2.rList)
+	}
+	seen := make(map[int]bool)
+	for _, r1 := range m.rList {
+		id := r1.CurId()
+		others := m2.GetMatchingResourcesByCurrentId(id.Equals)
+		if len(others) == 0 {
+			return fmt.Errorf(
+				"id in self missing from other; id: %s", id)
+		}
+		if len(others) > 1 {
+			return fmt.Errorf(
+				"id in self matches %d in other; id: %s", len(others), id)
+		}
+		r2 := others[0]
+		if !reflect.DeepEqual(r1.RNode, r2.RNode) {
+			return fmt.Errorf(
+				"nodes unequal: \n -- %s,\n -- %s\n\n--\n%#v\n------\n%#v\n",
+				r1, r2, r1, r2)
+		}
+		seen[m2.indexOfResource(r2)] = true
+	}
+	if len(seen) != m.Size() {
+		return fmt.Errorf("counting problem %d != %d", len(seen), m.Size())
+	}
+	return nil
+}
+
+// ErrorIfNotEqualLists implements ResMap.
+func (m *resWrangler) ErrorIfNotEqualLists(other ResMap) error {
+	m2, ok := other.(*resWrangler)
+	if !ok {
+		return fmt.Errorf("bad cast to resWrangler 2")
+	}
+	if m.Size() != m2.Size() {
+		return fmt.Errorf(
+			"lists have different number of entries: %#v doesn't equal %#v",
+			m.rList, m2.rList)
+	}
+	for i, r1 := range m.rList {
+		r2 := m2.rList[i]
+		if err := r1.ErrIfNotEquals(r2); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+type resCopier func(r *resource.Resource) *resource.Resource
+
+// ShallowCopy implements ResMap.
+func (m *resWrangler) ShallowCopy() ResMap {
+	return m.makeCopy(
+		func(r *resource.Resource) *resource.Resource {
+			return r
+		})
+}
+
+// DeepCopy implements ResMap.
+func (m *resWrangler) DeepCopy() ResMap {
+	return m.makeCopy(
+		func(r *resource.Resource) *resource.Resource {
+			return r.DeepCopy()
+		})
+}
+
+// makeCopy copies the ResMap.
+func (m *resWrangler) makeCopy(copier resCopier) ResMap {
+	result := &resWrangler{}
+	result.rList = make([]*resource.Resource, m.Size())
+	for i, r := range m.rList {
+		result.rList[i] = copier(r)
+	}
+	return result
+}
+
+// SubsetThatCouldBeReferencedByResource implements ResMap.
+func (m *resWrangler) SubsetThatCouldBeReferencedByResource(
+	referrer *resource.Resource) (ResMap, error) {
+	referrerId := referrer.CurId()
+	if referrerId.IsClusterScoped() {
+		// A cluster scoped resource can refer to anything.
+		return m, nil
+	}
+	result := newOne()
+	roleBindingNamespaces, err := getNamespacesForRoleBinding(referrer)
+	if err != nil {
+		return nil, err
+	}
+	for _, possibleTarget := range m.rList {
+		id := possibleTarget.CurId()
+		if id.IsClusterScoped() {
+			// A cluster-scoped resource can be referred to by anything.
+			result.append(possibleTarget)
+			continue
+		}
+		if id.IsNsEquals(referrerId) {
+			// The two objects are in the same namespace.
+			result.append(possibleTarget)
+			continue
+		}
+		// The two objects are namespaced (not cluster-scoped), AND
+		// are in different namespaces.
+		// There's still a chance they can refer to each other.
+		if roleBindingNamespaces[possibleTarget.GetNamespace()] {
+			result.append(possibleTarget)
+		}
+	}
+	return result, nil
+}
+
+// getNamespacesForRoleBinding returns referenced ServiceAccount namespaces
+// if the resource is a RoleBinding
+func getNamespacesForRoleBinding(r *resource.Resource) (map[string]bool, error) {
+	result := make(map[string]bool)
+	if r.GetKind() != "RoleBinding" {
+		return result, nil
+	}
+	subjects, err := r.GetSlice("subjects")
+	if err != nil || subjects == nil {
+		return result, nil
+	}
+	for _, s := range subjects {
+		subject := s.(map[string]interface{})
+		if ns, ok1 := subject["namespace"]; ok1 {
+			if kind, ok2 := subject["kind"]; ok2 {
+				if kind.(string) == "ServiceAccount" {
+					if n, ok3 := ns.(string); ok3 {
+						result[n] = true
+					} else {
+						return nil, errors.Errorf("Invalid Input: namespace is blank for resource %q\n", r.CurId())
+					}
+				}
+			}
+		}
+	}
+	return result, nil
+}
+
+// AppendAll implements ResMap.
+func (m *resWrangler) AppendAll(other ResMap) error {
+	if other == nil {
+		return nil
+	}
+	m2, ok := other.(*resWrangler)
+	if !ok {
+		return fmt.Errorf("bad cast to resWrangler 3")
+	}
+	return m.appendAll(m2.rList)
+}
+
+// appendAll appends all the resources, error on Id collision.
+func (m *resWrangler) appendAll(list []*resource.Resource) error {
+	for _, res := range list {
+		if err := m.Append(res); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// AbsorbAll implements ResMap.
+func (m *resWrangler) AbsorbAll(other ResMap) error {
+	if other == nil {
+		return nil
+	}
+	m2, ok := other.(*resWrangler)
+	if !ok {
+		return fmt.Errorf("bad cast to resWrangler 4")
+	}
+	for _, r := range m2.rList {
+		err := m.appendReplaceOrMerge(r)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// AddOriginAnnotation implements ResMap.
+func (m *resWrangler) AddOriginAnnotation(origin *resource.Origin) error {
+	if origin == nil {
+		return nil
+	}
+	for _, res := range m.rList {
+		or, err := res.GetOrigin()
+		if or != nil || err != nil {
+			// if any resources already have an origin annotation,
+			// skip it
+			continue
+		}
+		if err := res.SetOrigin(origin); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// RemoveOriginAnnotation implements ResMap
+func (m *resWrangler) RemoveOriginAnnotations() error {
+	for _, res := range m.rList {
+		if err := res.SetOrigin(nil); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// AddTransformerAnnotation implements ResMap
+func (m *resWrangler) AddTransformerAnnotation(origin *resource.Origin) error {
+	for _, res := range m.rList {
+		or, err := res.GetOrigin()
+		if err != nil {
+			return err
+		}
+		if or == nil {
+			// the resource does not have an origin annotation, so
+			// we assume that the transformer generated the resource
+			// rather than modifying it
+			err = res.SetOrigin(origin)
+		} else {
+			// the resource already has an origin annotation, so we
+			// record the provided origin as a transformation
+			err = res.AddTransformation(origin)
+		}
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// RemoveTransformerAnnotations implements ResMap
+func (m *resWrangler) RemoveTransformerAnnotations() error {
+	for _, res := range m.rList {
+		if err := res.ClearTransformations(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (m *resWrangler) appendReplaceOrMerge(res *resource.Resource) error {
+	id := res.CurId()
+	matches := m.GetMatchingResourcesByAnyId(id.Equals)
+	switch len(matches) {
+	case 0:
+		switch res.Behavior() {
+		case types.BehaviorMerge, types.BehaviorReplace:
+			return fmt.Errorf(
+				"id %#v does not exist; cannot merge or replace", id)
+		default:
+			// presumably types.BehaviorCreate
+			return m.Append(res)
+		}
+	case 1:
+		old := matches[0]
+		if old == nil {
+			return fmt.Errorf("id lookup failure")
+		}
+		index := m.indexOfResource(old)
+		if index < 0 {
+			return fmt.Errorf("indexing problem")
+		}
+		switch res.Behavior() {
+		case types.BehaviorReplace:
+			res.CopyMergeMetaDataFieldsFrom(old)
+		case types.BehaviorMerge:
+			// ensure the origin annotation doesn't get overwritten
+			orig, err := old.GetOrigin()
+			if err != nil {
+				return err
+			}
+			res.CopyMergeMetaDataFieldsFrom(old)
+			res.MergeDataMapFrom(old)
+			res.MergeBinaryDataMapFrom(old)
+			if orig != nil {
+				res.SetOrigin(orig)
+			}
+
+		default:
+			return fmt.Errorf(
+				"id %#v exists; behavior must be merge or replace", id)
+		}
+		i, err := m.Replace(res)
+		if err != nil {
+			return err
+		}
+		if i != index {
+			return fmt.Errorf("unexpected target index in replacement")
+		}
+		return nil
+	default:
+		return fmt.Errorf(
+			"found multiple objects %v that could accept merge of %v",
+			matches, id)
+	}
+}
+
+// AnnotateAll implements ResMap
+func (m *resWrangler) AnnotateAll(key string, value string) error {
+	return m.ApplyFilter(annotations.Filter{
+		Annotations: map[string]string{
+			key: value,
+		},
+		FsSlice: []types.FieldSpec{{
+			Path:               "metadata/annotations",
+			CreateIfNotPresent: true,
+		}},
+	})
+}
+
+// Select returns a list of resources that
+// are selected by a Selector
+func (m *resWrangler) Select(s types.Selector) ([]*resource.Resource, error) {
+	var result []*resource.Resource
+	sr, err := types.NewSelectorRegex(&s)
+	if err != nil {
+		return nil, err
+	}
+	for _, r := range m.rList {
+		curId := r.CurId()
+		orgId := r.OrgId()
+
+		// It first tries to match with the original namespace
+		// then matches with the current namespace
+		if !sr.MatchNamespace(orgId.EffectiveNamespace()) &&
+			!sr.MatchNamespace(curId.EffectiveNamespace()) {
+			continue
+		}
+
+		// It first tries to match with the original name
+		// then matches with the current name
+		if !sr.MatchName(orgId.Name) &&
+			!sr.MatchName(curId.Name) {
+			continue
+		}
+
+		// matches the GVK
+		if !sr.MatchGvk(r.GetGvk()) {
+			continue
+		}
+
+		// matches the label selector
+		matched, err := r.MatchesLabelSelector(s.LabelSelector)
+		if err != nil {
+			return nil, err
+		}
+		if !matched {
+			continue
+		}
+
+		// matches the annotation selector
+		matched, err = r.MatchesAnnotationSelector(s.AnnotationSelector)
+		if err != nil {
+			return nil, err
+		}
+		if !matched {
+			continue
+		}
+		result = append(result, r)
+	}
+	return result, nil
+}
+
+// ToRNodeSlice returns a copy of the resources as RNodes.
+func (m *resWrangler) ToRNodeSlice() []*kyaml.RNode {
+	result := make([]*kyaml.RNode, len(m.rList))
+	for i := range m.rList {
+		result[i] = m.rList[i].Copy()
+	}
+	return result
+}
+
+// DeAnchor implements ResMap.
+func (m *resWrangler) DeAnchor() (err error) {
+	for i := range m.rList {
+		if err = m.rList[i].DeAnchor(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// ApplySmPatch applies the patch, and errors on Id collisions.
+func (m *resWrangler) ApplySmPatch(selectedSet *resource.IdSet, patch *resource.Resource) error {
+	var list []*resource.Resource
+	for _, res := range m.rList {
+		if selectedSet.Contains(res.CurId()) {
+			patchCopy := patch.DeepCopy()
+			patchCopy.CopyMergeMetaDataFieldsFrom(patch)
+			patchCopy.SetGvk(res.GetGvk())
+			patchCopy.SetKind(patch.GetKind())
+			if err := res.ApplySmPatch(patchCopy); err != nil {
+				return err
+			}
+		}
+		if !res.IsNilOrEmpty() {
+			list = append(list, res)
+		}
+	}
+	m.Clear()
+	return m.appendAll(list)
+}
+
+func (m *resWrangler) RemoveBuildAnnotations() {
+	for _, r := range m.rList {
+		r.RemoveBuildAnnotations()
+	}
+}
+
+// ApplyFilter implements ResMap.
+func (m *resWrangler) ApplyFilter(f kio.Filter) error {
+	reverseLookup := make(map[*kyaml.RNode]*resource.Resource, len(m.rList))
+	nodes := make([]*kyaml.RNode, len(m.rList))
+	for i, r := range m.rList {
+		ptr := &(r.RNode)
+		nodes[i] = ptr
+		reverseLookup[ptr] = r
+	}
+	// The filter can modify nodes, but also delete and create them.
+	// The filtered list might be smaller or larger than the nodes list.
+	filtered, err := f.Filter(nodes)
+	if err != nil {
+		return err
+	}
+	// Rebuild the resmap from the filtered RNodes.
+	var nRList []*resource.Resource
+	for _, rn := range filtered {
+		if rn.IsNilOrEmpty() {
+			// A node might make it through the filter as an object,
+			// but still be empty.  Drop such entries.
+			continue
+		}
+		res, ok := reverseLookup[rn]
+		if !ok {
+			// A node was created; make a Resource to wrap it.
+			res = &resource.Resource{
+				RNode: *rn,
+				// Leave remaining fields empty.
+				// At at time of writing, seeking to eliminate those fields.
+				// Alternatively, could just return error on creation attempt
+				// until remaining fields eliminated.
+			}
+		}
+		nRList = append(nRList, res)
+	}
+	m.rList = nRList
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/doc.go b/vendor/sigs.k8s.io/kustomize/api/resource/doc.go
new file mode 100644
index 0000000000..32d34b1626
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/resource/doc.go
@@ -0,0 +1,5 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package resource implements representations of k8s API resources.
+package resource
diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/factory.go b/vendor/sigs.k8s.io/kustomize/api/resource/factory.go
new file mode 100644
index 0000000000..a42f93bb8e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/resource/factory.go
@@ -0,0 +1,302 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package resource
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/generators"
+	"sigs.k8s.io/kustomize/api/internal/kusterr"
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Factory makes instances of Resource.
+type Factory struct {
+	hasher ifc.KustHasher
+
+	// When set to true, IncludeLocalConfigs indicates
+	// that Factory should include resources with the
+	// annotation 'config.kubernetes.io/local-config'.
+	// By default these resources are ignored.
+	IncludeLocalConfigs bool
+}
+
+// NewFactory makes an instance of Factory.
+func NewFactory(h ifc.KustHasher) *Factory {
+	return &Factory{hasher: h}
+}
+
+// Hasher returns an ifc.KustHasher
+func (rf *Factory) Hasher() ifc.KustHasher {
+	return rf.hasher
+}
+
+// FromMap returns a new instance of Resource.
+func (rf *Factory) FromMap(m map[string]interface{}) (*Resource, error) {
+	res, err := rf.FromMapAndOption(m, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create resource from map: %w", err)
+	}
+	return res, nil
+}
+
+// FromMapWithName returns a new instance with the given "original" name.
+func (rf *Factory) FromMapWithName(n string, m map[string]interface{}) (*Resource, error) {
+	return rf.FromMapWithNamespaceAndName(resid.DefaultNamespace, n, m)
+}
+
+// FromMapWithNamespaceAndName returns a new instance with the given "original" namespace.
+func (rf *Factory) FromMapWithNamespaceAndName(ns string, n string, m map[string]interface{}) (*Resource, error) {
+	r, err := rf.FromMapAndOption(m, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create resource from map: %w", err)
+	}
+	return r.setPreviousId(ns, n, r.GetKind()), nil
+}
+
+// FromMapAndOption returns a new instance of Resource with given options.
+func (rf *Factory) FromMapAndOption(
+	m map[string]interface{}, args *types.GeneratorArgs) (*Resource, error) {
+	n, err := yaml.FromMap(m)
+	if err != nil {
+		return nil, fmt.Errorf("failed to convert map to YAML node: %w", err)
+	}
+	return rf.makeOne(n, args), nil
+}
+
+// makeOne returns a new instance of Resource.
+func (rf *Factory) makeOne(rn *yaml.RNode, o *types.GeneratorArgs) *Resource {
+	if rn == nil {
+		log.Fatal("RNode must not be null")
+	}
+	resource := &Resource{RNode: *rn}
+	if o != nil {
+		if o.Options == nil || !o.Options.DisableNameSuffixHash {
+			resource.EnableHashSuffix()
+		}
+		resource.SetBehavior(types.NewGenerationBehavior(o.Behavior))
+	}
+
+	return resource
+}
+
+// SliceFromPatches returns a slice of resources given a patch path
+// slice from a kustomization file.
+func (rf *Factory) SliceFromPatches(
+	ldr ifc.Loader, paths []types.PatchStrategicMerge) ([]*Resource, error) {
+	var result []*Resource
+	for _, path := range paths {
+		content, err := ldr.Load(string(path))
+		if err != nil {
+			return nil, err
+		}
+		res, err := rf.SliceFromBytes(content)
+		if err != nil {
+			return nil, kusterr.Handler(err, string(path))
+		}
+		result = append(result, res...)
+	}
+	return result, nil
+}
+
+// FromBytes unmarshalls bytes into one Resource.
+func (rf *Factory) FromBytes(in []byte) (*Resource, error) {
+	result, err := rf.SliceFromBytes(in)
+	if err != nil {
+		return nil, err
+	}
+	if len(result) != 1 {
+		return nil, fmt.Errorf(
+			"expected 1 resource, found %d in %v", len(result), in)
+	}
+	return result[0], nil
+}
+
+// SliceFromBytes unmarshals bytes into a Resource slice.
+func (rf *Factory) SliceFromBytes(in []byte) ([]*Resource, error) {
+	nodes, err := rf.RNodesFromBytes(in)
+	if err != nil {
+		return nil, err
+	}
+	return rf.resourcesFromRNodes(nodes), nil
+}
+
+// DropLocalNodes removes the local nodes by default. Local nodes are detected via the annotation `config.kubernetes.io/local-config: "true"`
+func (rf *Factory) DropLocalNodes(nodes []*yaml.RNode) ([]*Resource, error) {
+	var result []*yaml.RNode
+	for _, node := range nodes {
+		if node.IsNilOrEmpty() {
+			continue
+		}
+		md, err := node.GetValidatedMetadata()
+		if err != nil {
+			return nil, err
+		}
+
+		if rf.IncludeLocalConfigs {
+			result = append(result, node)
+			continue
+		}
+		localConfig, exist := md.ObjectMeta.Annotations[konfig.IgnoredByKustomizeAnnotation]
+		if !exist || localConfig == "false" {
+			result = append(result, node)
+		}
+	}
+	return rf.resourcesFromRNodes(result), nil
+}
+
+// ResourcesFromRNodes converts RNodes to Resources.
+func (rf *Factory) ResourcesFromRNodes(
+	nodes []*yaml.RNode) (result []*Resource, err error) {
+	return rf.DropLocalNodes(nodes)
+}
+
+// resourcesFromRNode assumes all nodes are good.
+func (rf *Factory) resourcesFromRNodes(
+	nodes []*yaml.RNode) (result []*Resource) {
+	for _, n := range nodes {
+		result = append(result, rf.makeOne(n, nil))
+	}
+	return
+}
+
+func (rf *Factory) RNodesFromBytes(b []byte) ([]*yaml.RNode, error) {
+	nodes, err := kio.FromBytes(b)
+	if err != nil {
+		return nil, err
+	}
+	nodes, err = rf.dropBadNodes(nodes)
+	if err != nil {
+		return nil, err
+	}
+	return rf.inlineAnyEmbeddedLists(nodes)
+}
+
+// inlineAnyEmbeddedLists scans the RNode slice for nodes named FooList.
+// Such nodes are expected to be lists of resources, each of type Foo.
+// These lists are replaced in the result by their inlined resources.
+func (rf *Factory) inlineAnyEmbeddedLists(
+	nodes []*yaml.RNode) (result []*yaml.RNode, err error) {
+	var n0 *yaml.RNode
+	for len(nodes) > 0 {
+		n0, nodes = nodes[0], nodes[1:]
+		kind := n0.GetKind()
+		if !strings.HasSuffix(kind, "List") {
+			result = append(result, n0)
+			continue
+		}
+		// Convert a FooList into a slice of Foo.
+		var m map[string]interface{}
+		m, err = n0.Map()
+		if err != nil {
+			return nil, fmt.Errorf("trouble expanding list of %s; %w", kind, err)
+		}
+		items, ok := m["items"]
+		if !ok {
+			// Items field is not present.
+			// This is not a collections resource.
+			// read more https://kubernetes.io/docs/reference/using-api/api-concepts/#collections
+			result = append(result, n0)
+			continue
+		}
+		slice, ok := items.([]interface{})
+		if !ok {
+			if items == nil {
+				// an empty list
+				continue
+			}
+			return nil, fmt.Errorf(
+				"expected array in %s/items, but found %T", kind, items)
+		}
+		innerNodes, err := rf.convertObjectSliceToNodeSlice(slice)
+		if err != nil {
+			return nil, err
+		}
+		nodes = append(nodes, innerNodes...)
+	}
+	return result, nil
+}
+
+// convertObjectSlice converts a list of objects to a list of RNode.
+func (rf *Factory) convertObjectSliceToNodeSlice(
+	objects []interface{}) (result []*yaml.RNode, err error) {
+	var bytes []byte
+	var nodes []*yaml.RNode
+	for _, obj := range objects {
+		bytes, err = json.Marshal(obj)
+		if err != nil {
+			return
+		}
+		nodes, err = kio.FromBytes(bytes)
+		if err != nil {
+			return
+		}
+		nodes, err = rf.dropBadNodes(nodes)
+		if err != nil {
+			return
+		}
+		result = append(result, nodes...)
+	}
+	return
+}
+
+// dropBadNodes may drop some nodes from its input argument.
+func (rf *Factory) dropBadNodes(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	var result []*yaml.RNode
+	for _, n := range nodes {
+		if n.IsNilOrEmpty() {
+			continue
+		}
+		if _, err := n.GetValidatedMetadata(); err != nil {
+			return nil, err
+		}
+		if foundNil, path := n.HasNilEntryInList(); foundNil {
+			return nil, fmt.Errorf("empty item at %v in object %v", path, n)
+		}
+		result = append(result, n)
+	}
+	return result, nil
+}
+
+// SliceFromBytesWithNames unmarshals bytes into a Resource slice with specified original
+// name.
+func (rf *Factory) SliceFromBytesWithNames(names []string, in []byte) ([]*Resource, error) {
+	result, err := rf.SliceFromBytes(in)
+	if err != nil {
+		return nil, err
+	}
+	if len(names) != len(result) {
+		return nil, fmt.Errorf("number of names doesn't match number of resources")
+	}
+	for i, res := range result {
+		res.setPreviousId(resid.DefaultNamespace, names[i], res.GetKind())
+	}
+	return result, nil
+}
+
+// MakeConfigMap makes an instance of Resource for ConfigMap
+func (rf *Factory) MakeConfigMap(kvLdr ifc.KvLoader, args *types.ConfigMapArgs) (*Resource, error) {
+	rn, err := generators.MakeConfigMap(kvLdr, args)
+	if err != nil {
+		return nil, err
+	}
+	return rf.makeOne(rn, &args.GeneratorArgs), nil
+}
+
+// MakeSecret makes an instance of Resource for Secret
+func (rf *Factory) MakeSecret(kvLdr ifc.KvLoader, args *types.SecretArgs) (*Resource, error) {
+	rn, err := generators.MakeSecret(kvLdr, args)
+	if err != nil {
+		return nil, err
+	}
+	return rf.makeOne(rn, &args.GeneratorArgs), nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/idset.go b/vendor/sigs.k8s.io/kustomize/api/resource/idset.go
new file mode 100644
index 0000000000..5d6bd63edc
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/resource/idset.go
@@ -0,0 +1,30 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package resource
+
+import "sigs.k8s.io/kustomize/kyaml/resid"
+
+type IdSet struct {
+	ids map[resid.ResId]bool
+}
+
+func MakeIdSet(slice []*Resource) *IdSet {
+	set := make(map[resid.ResId]bool)
+	for _, r := range slice {
+		id := r.CurId()
+		if _, ok := set[id]; !ok {
+			set[id] = true
+		}
+	}
+	return &IdSet{ids: set}
+}
+
+func (s IdSet) Contains(id resid.ResId) bool {
+	_, ok := s.ids[id]
+	return ok
+}
+
+func (s IdSet) Size() int {
+	return len(s.ids)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/origin.go b/vendor/sigs.k8s.io/kustomize/api/resource/origin.go
new file mode 100644
index 0000000000..f0a4ae75d5
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/resource/origin.go
@@ -0,0 +1,106 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package resource
+
+import (
+	"path/filepath"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/internal/git"
+	kyaml "sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Origin retains information about the origin of resources and transformer configs
+// that contributed to the output of `kustomize build`
+type Origin struct {
+	// Path is the path to the resource. If a local resource, this path is
+	// rooted from the directory upon which `kustomize build` was invoked. If a
+	// remote resource, this path is rooted from the root of the remote repo.
+	Path string `json:"path,omitempty" yaml:"path,omitempty"`
+
+	// Repo is the remote repository that the resource or transformer originated from if it is
+	// not from a local file
+	Repo string `json:"repo,omitempty" yaml:"repo,omitempty"`
+
+	// Ref is the ref of the remote repository that the resource or transformer originated from
+	// if it is not from a local file
+	Ref string `json:"ref,omitempty" yaml:"ref,omitempty"`
+
+	// The following fields only apply to resources that have been
+	// generated by fields other than the `resources` field, or to transformer
+	// configs.
+
+	// ConfiguredIn is the file path to the generator or transformer config that created the
+	// resource
+	ConfiguredIn string `json:"configuredIn,omitempty" yaml:"configuredIn,omitempty"`
+
+	// ConfiguredBy is the ObjectReference of the generator or transformer config
+	ConfiguredBy kyaml.ResourceIdentifier `json:"configuredBy,omitempty" yaml:"configuredBy,omitempty"`
+}
+
+// Copy returns a copy of origin
+func (origin *Origin) Copy() Origin {
+	if origin == nil {
+		return Origin{}
+	}
+	return *origin
+}
+
+// Append returns a copy of origin with a path appended to it
+func (origin *Origin) Append(path string) *Origin {
+	originCopy := origin.Copy()
+	repoSpec, err := git.NewRepoSpecFromURL(path)
+	if err == nil {
+		originCopy.Repo = repoSpec.CloneSpec()
+		absPath := repoSpec.AbsPath()
+		path = absPath[strings.Index(absPath[1:], "/")+1:][1:]
+		originCopy.Path = ""
+		originCopy.Ref = repoSpec.Ref
+	}
+	originCopy.Path = filepath.Join(originCopy.Path, path)
+	return &originCopy
+}
+
+// String returns a string version of origin
+func (origin *Origin) String() (string, error) {
+	anno, err := kyaml.Marshal(origin)
+	return string(anno), err
+}
+
+// Transformations is a list of Origin
+type Transformations []*Origin
+
+// String returns a string version of Transformations
+func (transformations *Transformations) String() (string, error) {
+	anno, err := kyaml.Marshal(transformations)
+	return string(anno), err
+}
+
+// OriginFromCustomPlugin takes a custom plugin defined as a resource
+// and returns an origin object to describe it
+func OriginFromCustomPlugin(res *Resource) (*Origin, error) {
+	origin, err := res.GetOrigin()
+	if err != nil {
+		return nil, err
+	}
+	var result *Origin
+	if origin != nil {
+		result = &Origin{
+			Repo:         origin.Repo,
+			Ref:          origin.Ref,
+			ConfiguredIn: origin.Path,
+			ConfiguredBy: kyaml.ResourceIdentifier{
+				TypeMeta: kyaml.TypeMeta{
+					APIVersion: res.GetApiVersion(),
+					Kind:       res.GetKind(),
+				},
+				NameMeta: kyaml.NameMeta{
+					Name:      res.GetName(),
+					Namespace: res.GetNamespace(),
+				},
+			},
+		}
+	}
+	return result, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/resource.go b/vendor/sigs.k8s.io/kustomize/api/resource/resource.go
new file mode 100644
index 0000000000..9884a672c5
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/resource/resource.go
@@ -0,0 +1,547 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package resource
+
+import (
+	"fmt"
+	"log"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/filters/patchstrategicmerge"
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	kyaml "sigs.k8s.io/kustomize/kyaml/yaml"
+	"sigs.k8s.io/yaml"
+)
+
+// Resource is an RNode, representing a Kubernetes Resource Model object,
+// paired with metadata used by kustomize.
+type Resource struct {
+	kyaml.RNode
+	refVarNames []string
+}
+
+var BuildAnnotations = []string{
+	utils.BuildAnnotationPreviousKinds,
+	utils.BuildAnnotationPreviousNames,
+	utils.BuildAnnotationPrefixes,
+	utils.BuildAnnotationSuffixes,
+	utils.BuildAnnotationPreviousNamespaces,
+	utils.BuildAnnotationAllowNameChange,
+	utils.BuildAnnotationAllowKindChange,
+	utils.BuildAnnotationsRefBy,
+	utils.BuildAnnotationsGenBehavior,
+	utils.BuildAnnotationsGenAddHashSuffix,
+
+	kioutil.PathAnnotation,
+	kioutil.IndexAnnotation,
+	kioutil.SeqIndentAnnotation,
+	kioutil.IdAnnotation,
+	kioutil.InternalAnnotationsMigrationResourceIDAnnotation,
+
+	kioutil.LegacyPathAnnotation,
+	kioutil.LegacyIndexAnnotation,
+	kioutil.LegacyIdAnnotation,
+}
+
+func (r *Resource) ResetRNode(incoming *Resource) {
+	r.RNode = *incoming.Copy()
+}
+
+func (r *Resource) GetGvk() resid.Gvk {
+	return resid.GvkFromNode(&r.RNode)
+}
+
+func (r *Resource) Hash(h ifc.KustHasher) (string, error) {
+	return h.Hash(&r.RNode)
+}
+
+func (r *Resource) SetGvk(gvk resid.Gvk) {
+	r.SetKind(gvk.Kind)
+	r.SetApiVersion(gvk.ApiVersion())
+}
+
+func (r *Resource) GetOrigin() (*Origin, error) {
+	annotations := r.GetAnnotations()
+	originAnnotations, ok := annotations[utils.OriginAnnotationKey]
+	if !ok {
+		return nil, nil
+	}
+	var origin Origin
+	if err := yaml.Unmarshal([]byte(originAnnotations), &origin); err != nil {
+		return nil, err
+	}
+	return &origin, nil
+}
+
+func (r *Resource) SetOrigin(origin *Origin) error {
+	annotations := r.GetAnnotations()
+	if origin == nil {
+		delete(annotations, utils.OriginAnnotationKey)
+	} else {
+		originStr, err := origin.String()
+		if err != nil {
+			return err
+		}
+		annotations[utils.OriginAnnotationKey] = originStr
+	}
+	return r.SetAnnotations(annotations)
+}
+
+func (r *Resource) GetTransformations() (Transformations, error) {
+	annotations := r.GetAnnotations()
+	transformerAnnotations, ok := annotations[utils.TransformerAnnotationKey]
+	if !ok {
+		return nil, nil
+	}
+	var transformations Transformations
+	if err := yaml.Unmarshal([]byte(transformerAnnotations), &transformations); err != nil {
+		return nil, err
+	}
+	return transformations, nil
+}
+
+func (r *Resource) AddTransformation(origin *Origin) error {
+	annotations := r.GetAnnotations()
+	transformations, err := r.GetTransformations()
+	if err != nil {
+		return err
+	}
+	if transformations == nil {
+		transformations = Transformations{}
+	}
+	transformations = append(transformations, origin)
+	transformationStr, err := transformations.String()
+	if err != nil {
+		return err
+	}
+	annotations[utils.TransformerAnnotationKey] = transformationStr
+	return r.SetAnnotations(annotations)
+}
+
+func (r *Resource) ClearTransformations() error {
+	annotations := r.GetAnnotations()
+	delete(annotations, utils.TransformerAnnotationKey)
+	return r.SetAnnotations(annotations)
+}
+
+// ResCtx is an interface describing the contextual added
+// kept kustomize in the context of each Resource object.
+// Currently mainly the name prefix and name suffix are added.
+type ResCtx interface {
+	AddNamePrefix(p string)
+	AddNameSuffix(s string)
+	GetNamePrefixes() []string
+	GetNameSuffixes() []string
+}
+
+// ResCtxMatcher returns true if two Resources are being
+// modified in the same kustomize context.
+type ResCtxMatcher func(ResCtx) bool
+
+// DeepCopy returns a new copy of resource
+func (r *Resource) DeepCopy() *Resource {
+	rc := &Resource{
+		RNode: *r.Copy(),
+	}
+	rc.copyKustomizeSpecificFields(r)
+	return rc
+}
+
+// CopyMergeMetaDataFieldsFrom copies everything but the non-metadata in
+// the resource.
+// TODO: move to RNode, use GetMeta to improve performance.
+// TODO: make a version of mergeStringMaps that is build-annotation aware
+//   to avoid repeatedly setting refby and genargs annotations
+// Must remove the kustomize bit at the end.
+func (r *Resource) CopyMergeMetaDataFieldsFrom(other *Resource) error {
+	if err := r.SetLabels(
+		mergeStringMaps(other.GetLabels(), r.GetLabels())); err != nil {
+		return fmt.Errorf("copyMerge cannot set labels - %w", err)
+	}
+
+	ra := r.GetAnnotations()
+	_, enableNameSuffixHash := ra[utils.BuildAnnotationsGenAddHashSuffix]
+	merged := mergeStringMapsWithBuildAnnotations(other.GetAnnotations(), ra)
+	if !enableNameSuffixHash {
+		delete(merged, utils.BuildAnnotationsGenAddHashSuffix)
+	}
+	if err := r.SetAnnotations(merged); err != nil {
+		return fmt.Errorf("copyMerge cannot set annotations - %w", err)
+	}
+
+	if err := r.SetName(other.GetName()); err != nil {
+		return fmt.Errorf("copyMerge cannot set name - %w", err)
+	}
+	if err := r.SetNamespace(other.GetNamespace()); err != nil {
+		return fmt.Errorf("copyMerge cannot set namespace - %w", err)
+	}
+	r.copyKustomizeSpecificFields(other)
+	return nil
+}
+
+func (r *Resource) copyKustomizeSpecificFields(other *Resource) {
+	r.refVarNames = copyStringSlice(other.refVarNames)
+}
+
+func (r *Resource) MergeDataMapFrom(o *Resource) {
+	r.SetDataMap(mergeStringMaps(o.GetDataMap(), r.GetDataMap()))
+}
+
+func (r *Resource) MergeBinaryDataMapFrom(o *Resource) {
+	r.SetBinaryDataMap(mergeStringMaps(o.GetBinaryDataMap(), r.GetBinaryDataMap()))
+}
+
+func (r *Resource) ErrIfNotEquals(o *Resource) error {
+	meYaml, err := r.AsYAML()
+	if err != nil {
+		return err
+	}
+	otherYaml, err := o.AsYAML()
+	if err != nil {
+		return err
+	}
+	if !r.ReferencesEqual(o) {
+		return fmt.Errorf(
+			`unequal references - self:
+%sreferenced by: %s
+--- other:
+%sreferenced by: %s
+`, meYaml, r.GetRefBy(), otherYaml, o.GetRefBy())
+	}
+	if string(meYaml) != string(otherYaml) {
+		return fmt.Errorf(`---  self:
+%s
+--- other:
+%s
+`, meYaml, otherYaml)
+	}
+	return nil
+}
+
+func (r *Resource) ReferencesEqual(other *Resource) bool {
+	setSelf := make(map[resid.ResId]bool)
+	setOther := make(map[resid.ResId]bool)
+	for _, ref := range other.GetRefBy() {
+		setOther[ref] = true
+	}
+	for _, ref := range r.GetRefBy() {
+		if _, ok := setOther[ref]; !ok {
+			return false
+		}
+		setSelf[ref] = true
+	}
+	return len(setSelf) == len(setOther)
+}
+
+func copyStringSlice(s []string) []string {
+	if s == nil {
+		return nil
+	}
+	c := make([]string, len(s))
+	copy(c, s)
+	return c
+}
+
+// Implements ResCtx AddNamePrefix
+func (r *Resource) AddNamePrefix(p string) {
+	r.appendCsvAnnotation(utils.BuildAnnotationPrefixes, p)
+}
+
+// Implements ResCtx AddNameSuffix
+func (r *Resource) AddNameSuffix(s string) {
+	r.appendCsvAnnotation(utils.BuildAnnotationSuffixes, s)
+}
+
+func (r *Resource) appendCsvAnnotation(name, value string) {
+	if value == "" {
+		return
+	}
+	currentValue := r.getCsvAnnotation(name)
+	newValue := strings.Join(append(currentValue, value), ",")
+	if err := r.RNode.PipeE(kyaml.SetAnnotation(name, newValue)); err != nil {
+		panic(err)
+	}
+}
+
+// Implements ResCtx GetNamePrefixes
+func (r *Resource) GetNamePrefixes() []string {
+	return r.getCsvAnnotation(utils.BuildAnnotationPrefixes)
+}
+
+// Implements ResCtx GetNameSuffixes
+func (r *Resource) GetNameSuffixes() []string {
+	return r.getCsvAnnotation(utils.BuildAnnotationSuffixes)
+}
+
+func (r *Resource) getCsvAnnotation(name string) []string {
+	annotations := r.GetAnnotations()
+	if _, ok := annotations[name]; !ok {
+		return nil
+	}
+	return strings.Split(annotations[name], ",")
+}
+
+// PrefixesSuffixesEquals is conceptually doing the same task as
+// OutermostPrefixSuffix but performs a deeper comparison of the suffix and
+// prefix slices.
+// The allowEmpty flag determines whether an empty prefix/suffix
+// should be considered a match on anything.
+// This is used when filtering, starting with a coarser pass allowing empty
+// matches, before requiring exact matches if there are multiple
+// remaining candidates.
+func (r *Resource) PrefixesSuffixesEquals(o ResCtx, allowEmpty bool) bool {
+	if allowEmpty {
+		eitherPrefixEmpty := len(r.GetNamePrefixes()) == 0 || len(o.GetNamePrefixes()) == 0
+		eitherSuffixEmpty := len(r.GetNameSuffixes()) == 0 || len(o.GetNameSuffixes()) == 0
+
+		return (eitherPrefixEmpty || utils.SameEndingSubSlice(r.GetNamePrefixes(), o.GetNamePrefixes())) &&
+			(eitherSuffixEmpty || utils.SameEndingSubSlice(r.GetNameSuffixes(), o.GetNameSuffixes()))
+	} else {
+		return utils.SameEndingSubSlice(r.GetNamePrefixes(), o.GetNamePrefixes()) &&
+			utils.SameEndingSubSlice(r.GetNameSuffixes(), o.GetNameSuffixes())
+	}
+}
+
+// RemoveBuildAnnotations removes annotations created by the build process.
+// These are internal-only to kustomize, added to the data pipeline to
+// track name changes so name references can be fixed.
+func (r *Resource) RemoveBuildAnnotations() {
+	annotations := r.GetAnnotations()
+	if len(annotations) == 0 {
+		return
+	}
+	for _, a := range BuildAnnotations {
+		delete(annotations, a)
+	}
+	if err := r.SetAnnotations(annotations); err != nil {
+		panic(err)
+	}
+}
+
+func (r *Resource) setPreviousId(ns string, n string, k string) *Resource {
+	r.appendCsvAnnotation(utils.BuildAnnotationPreviousNames, n)
+	r.appendCsvAnnotation(utils.BuildAnnotationPreviousNamespaces, ns)
+	r.appendCsvAnnotation(utils.BuildAnnotationPreviousKinds, k)
+	return r
+}
+
+// AllowNameChange allows name changes to the resource.
+func (r *Resource) AllowNameChange() {
+	r.enable(utils.BuildAnnotationAllowNameChange)
+}
+
+// NameChangeAllowed checks if a patch resource is allowed to change another resource's name.
+func (r *Resource) NameChangeAllowed() bool {
+	return r.isEnabled(utils.BuildAnnotationAllowNameChange)
+}
+
+// AllowKindChange allows kind changes to the resource.
+func (r *Resource) AllowKindChange() {
+	r.enable(utils.BuildAnnotationAllowKindChange)
+}
+
+// KindChangeAllowed checks if a patch resource is allowed to change another resource's kind.
+func (r *Resource) KindChangeAllowed() bool {
+	return r.isEnabled(utils.BuildAnnotationAllowKindChange)
+}
+
+func (r *Resource) isEnabled(annoKey string) bool {
+	annotations := r.GetAnnotations()
+	v, ok := annotations[annoKey]
+	return ok && v == utils.Enabled
+}
+
+func (r *Resource) enable(annoKey string) {
+	annotations := r.GetAnnotations()
+	annotations[annoKey] = utils.Enabled
+	if err := r.SetAnnotations(annotations); err != nil {
+		panic(err)
+	}
+}
+
+// String returns resource as JSON.
+func (r *Resource) String() string {
+	bs, err := r.MarshalJSON()
+	if err != nil {
+		return "<" + err.Error() + ">"
+	}
+	return strings.TrimSpace(string(bs))
+}
+
+// AsYAML returns the resource in Yaml form.
+// Easier to read than JSON.
+func (r *Resource) AsYAML() ([]byte, error) {
+	json, err := r.MarshalJSON()
+	if err != nil {
+		return nil, err
+	}
+	return yaml.JSONToYAML(json)
+}
+
+// MustYaml returns YAML or panics.
+func (r *Resource) MustYaml() string {
+	yml, err := r.AsYAML()
+	if err != nil {
+		log.Fatal(err)
+	}
+	return string(yml)
+}
+
+// Behavior returns the behavior for the resource.
+func (r *Resource) Behavior() types.GenerationBehavior {
+	annotations := r.GetAnnotations()
+	if v, ok := annotations[utils.BuildAnnotationsGenBehavior]; ok {
+		return types.NewGenerationBehavior(v)
+	}
+	return types.NewGenerationBehavior("")
+}
+
+// SetBehavior sets the behavior for the resource.
+func (r *Resource) SetBehavior(behavior types.GenerationBehavior) {
+	annotations := r.GetAnnotations()
+	annotations[utils.BuildAnnotationsGenBehavior] = behavior.String()
+	if err := r.SetAnnotations(annotations); err != nil {
+		panic(err)
+	}
+}
+
+// NeedHashSuffix returns true if a resource content
+// hash should be appended to the name of the resource.
+func (r *Resource) NeedHashSuffix() bool {
+	return r.isEnabled(utils.BuildAnnotationsGenAddHashSuffix)
+}
+
+// EnableHashSuffix marks the resource as needing a content
+// hash to be appended to the name of the resource.
+func (r *Resource) EnableHashSuffix() {
+	r.enable(utils.BuildAnnotationsGenAddHashSuffix)
+}
+
+// OrgId returns the original, immutable ResId for the resource.
+// This doesn't have to be unique in a ResMap.
+func (r *Resource) OrgId() resid.ResId {
+	ids := r.PrevIds()
+	if len(ids) > 0 {
+		return ids[0]
+	}
+	return r.CurId()
+}
+
+// PrevIds returns a list of ResIds that includes every
+// previous ResId the resource has had through all of its
+// GVKN transformations, in the order that it had that ID.
+// I.e. the oldest ID is first.
+// The returned array does not include the resource's current
+// ID. If there are no previous IDs, this will return nil.
+func (r *Resource) PrevIds() []resid.ResId {
+	prevIds, err := utils.PrevIds(&r.RNode)
+	if err != nil {
+		// this should never happen
+		panic(err)
+	}
+	return prevIds
+}
+
+// StorePreviousId stores the resource's current ID via build annotations.
+func (r *Resource) StorePreviousId() {
+	id := r.CurId()
+	r.setPreviousId(id.EffectiveNamespace(), id.Name, id.Kind)
+}
+
+// CurId returns a ResId for the resource using the
+// mutable parts of the resource.
+// This should be unique in any ResMap.
+func (r *Resource) CurId() resid.ResId {
+	return resid.NewResIdWithNamespace(
+		r.GetGvk(), r.GetName(), r.GetNamespace())
+}
+
+// GetRefBy returns the ResIds that referred to current resource
+func (r *Resource) GetRefBy() []resid.ResId {
+	var resIds []resid.ResId
+	asStrings := r.getCsvAnnotation(utils.BuildAnnotationsRefBy)
+	for _, s := range asStrings {
+		resIds = append(resIds, resid.FromString(s))
+	}
+	return resIds
+}
+
+// AppendRefBy appends a ResId into the refBy list
+// Using any type except fmt.Stringer here results in a compilation error
+func (r *Resource) AppendRefBy(id fmt.Stringer) {
+	r.appendCsvAnnotation(utils.BuildAnnotationsRefBy, id.String())
+}
+
+// GetRefVarNames returns vars that refer to current resource
+func (r *Resource) GetRefVarNames() []string {
+	return r.refVarNames
+}
+
+// AppendRefVarName appends a name of a var into the refVar list
+func (r *Resource) AppendRefVarName(variable types.Var) {
+	r.refVarNames = append(r.refVarNames, variable.Name)
+}
+
+// ApplySmPatch applies the provided strategic merge patch.
+func (r *Resource) ApplySmPatch(patch *Resource) error {
+	n, ns, k := r.GetName(), r.GetNamespace(), r.GetKind()
+	if patch.NameChangeAllowed() || patch.KindChangeAllowed() {
+		r.StorePreviousId()
+	}
+	if err := r.ApplyFilter(patchstrategicmerge.Filter{
+		Patch: &patch.RNode,
+	}); err != nil {
+		return err
+	}
+	if r.IsNilOrEmpty() {
+		return nil
+	}
+	if !patch.KindChangeAllowed() {
+		r.SetKind(k)
+	}
+	if !patch.NameChangeAllowed() {
+		r.SetName(n)
+	}
+	r.SetNamespace(ns)
+	return nil
+}
+
+func (r *Resource) ApplyFilter(f kio.Filter) error {
+	l, err := f.Filter([]*kyaml.RNode{&r.RNode})
+	if len(l) == 0 {
+		// The node was deleted, which means the entire resource
+		// must be deleted.  Signal that via the following:
+		r.SetYNode(nil)
+	}
+	return err
+}
+
+func mergeStringMaps(maps ...map[string]string) map[string]string {
+	result := map[string]string{}
+	for _, m := range maps {
+		for key, value := range m {
+			result[key] = value
+		}
+	}
+	return result
+}
+
+func mergeStringMapsWithBuildAnnotations(maps ...map[string]string) map[string]string {
+	result := mergeStringMaps(maps...)
+	for i := range BuildAnnotations {
+		if len(maps) > 0 {
+			if v, ok := maps[0][BuildAnnotations[i]]; ok {
+				result[BuildAnnotations[i]] = v
+				continue
+			}
+		}
+		delete(result, BuildAnnotations[i])
+	}
+	return result
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string.go b/vendor/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string.go
new file mode 100644
index 0000000000..033a451234
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string.go
@@ -0,0 +1,25 @@
+// Code generated by "stringer -type=BuiltinPluginLoadingOptions"; DO NOT EDIT.
+
+package types
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[BploUndefined-0]
+	_ = x[BploUseStaticallyLinked-1]
+	_ = x[BploLoadFromFileSys-2]
+}
+
+const _BuiltinPluginLoadingOptions_name = "BploUndefinedBploUseStaticallyLinkedBploLoadFromFileSys"
+
+var _BuiltinPluginLoadingOptions_index = [...]uint8{0, 13, 36, 55}
+
+func (i BuiltinPluginLoadingOptions) String() string {
+	if i < 0 || i >= BuiltinPluginLoadingOptions(len(_BuiltinPluginLoadingOptions_index)-1) {
+		return "BuiltinPluginLoadingOptions(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _BuiltinPluginLoadingOptions_name[_BuiltinPluginLoadingOptions_index[i]:_BuiltinPluginLoadingOptions_index[i+1]]
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/configmapargs.go b/vendor/sigs.k8s.io/kustomize/api/types/configmapargs.go
new file mode 100644
index 0000000000..69877769fb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/configmapargs.go
@@ -0,0 +1,10 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// ConfigMapArgs contains the metadata of how to generate a configmap.
+type ConfigMapArgs struct {
+	// GeneratorArgs for the configmap.
+	GeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/doc.go b/vendor/sigs.k8s.io/kustomize/api/types/doc.go
new file mode 100644
index 0000000000..22c38a6510
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/doc.go
@@ -0,0 +1,9 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package types holds the definition of the kustomization struct and
+// supporting structs.  It's the k8s API conformant object that describes
+// a set of generation and transformation operations to create and/or
+// modify k8s resources.
+// A kustomization file is a serialization of this struct.
+package types
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/erronlybuiltinpluginsallowed.go b/vendor/sigs.k8s.io/kustomize/api/types/erronlybuiltinpluginsallowed.go
new file mode 100644
index 0000000000..9e6ffacffe
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/erronlybuiltinpluginsallowed.go
@@ -0,0 +1,29 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+type errOnlyBuiltinPluginsAllowed struct {
+	name string
+}
+
+func (e *errOnlyBuiltinPluginsAllowed) Error() string {
+	return fmt.Sprintf(
+		"external plugins disabled; unable to load external plugin '%s'",
+		e.name)
+}
+
+func NewErrOnlyBuiltinPluginsAllowed(n string) *errOnlyBuiltinPluginsAllowed {
+	return &errOnlyBuiltinPluginsAllowed{name: n}
+}
+
+func IsErrOnlyBuiltinPluginsAllowed(err error) bool {
+	e := &errOnlyBuiltinPluginsAllowed{}
+	return errors.As(err, &e)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/errunabletofind.go b/vendor/sigs.k8s.io/kustomize/api/types/errunabletofind.go
new file mode 100644
index 0000000000..b91bb68ff4
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/errunabletofind.go
@@ -0,0 +1,36 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+type errUnableToFind struct {
+	// What are we unable to find?
+	what string
+	// What things did we try?
+	attempts []Pair
+}
+
+func (e *errUnableToFind) Error() string {
+	var m []string
+	for _, p := range e.attempts {
+		m = append(m, "('"+p.Value+"'; "+p.Key+")")
+	}
+	return fmt.Sprintf(
+		"unable to find %s - tried: %s", e.what, strings.Join(m, ", "))
+}
+
+func NewErrUnableToFind(w string, a []Pair) *errUnableToFind {
+	return &errUnableToFind{what: w, attempts: a}
+}
+
+func IsErrUnableToFind(err error) bool {
+	e := &errUnableToFind{}
+	return errors.As(err, &e)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/fieldspec.go b/vendor/sigs.k8s.io/kustomize/api/types/fieldspec.go
new file mode 100644
index 0000000000..8b78889ea0
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/fieldspec.go
@@ -0,0 +1,100 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+// FieldSpec completely specifies a kustomizable field in a k8s API object.
+// It helps define the operands of transformations.
+//
+// For example, a directive to add a common label to objects
+// will need to know that a 'Deployment' object (in API group
+// 'apps', any version) can have labels at field path
+// 'spec/template/metadata/labels', and further that it is OK
+// (or not OK) to add that field path to the object if the
+// field path doesn't exist already.
+//
+// This would look like
+// {
+//   group: apps
+//   kind: Deployment
+//   path: spec/template/metadata/labels
+//   create: true
+// }
+type FieldSpec struct {
+	resid.Gvk          `json:",inline,omitempty" yaml:",inline,omitempty"`
+	Path               string `json:"path,omitempty" yaml:"path,omitempty"`
+	CreateIfNotPresent bool   `json:"create,omitempty" yaml:"create,omitempty"`
+
+	// Note: If any new pointer based members are added, FsSlice.DeepCopy needs to be updated
+}
+
+func (fs FieldSpec) String() string {
+	return fmt.Sprintf(
+		"%s:%v:%s", fs.Gvk.String(), fs.CreateIfNotPresent, fs.Path)
+}
+
+// If true, the primary key is the same, but other fields might not be.
+func (fs FieldSpec) effectivelyEquals(other FieldSpec) bool {
+	return fs.IsSelected(&other.Gvk) && fs.Path == other.Path
+}
+
+type FsSlice []FieldSpec
+
+func (s FsSlice) Len() int      { return len(s) }
+func (s FsSlice) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
+func (s FsSlice) Less(i, j int) bool {
+	return s[i].Gvk.IsLessThan(s[j].Gvk)
+}
+
+// DeepCopy returns a new copy of FsSlice
+func (s FsSlice) DeepCopy() FsSlice {
+	ret := make(FsSlice, len(s))
+	copy(ret, s)
+	return ret
+}
+
+// MergeAll merges the argument into this, returning the result.
+// Items already present are ignored.
+// Items that conflict (primary key matches, but remain data differs)
+// result in an error.
+func (s FsSlice) MergeAll(incoming FsSlice) (result FsSlice, err error) {
+	result = s
+	for _, x := range incoming {
+		result, err = result.MergeOne(x)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return result, nil
+}
+
+// MergeOne merges the argument into this, returning the result.
+// If the item's primary key is already present, and there are no
+// conflicts, it is ignored (we don't want duplicates).
+// If there is a conflict, the merge fails.
+func (s FsSlice) MergeOne(x FieldSpec) (FsSlice, error) {
+	i := s.index(x)
+	if i > -1 {
+		// It's already there.
+		if s[i].CreateIfNotPresent != x.CreateIfNotPresent {
+			return nil, fmt.Errorf("conflicting fieldspecs")
+		}
+		return s, nil
+	}
+	return append(s, x), nil
+}
+
+func (s FsSlice) index(fs FieldSpec) int {
+	for i, x := range s {
+		if x.effectivelyEquals(fs) {
+			return i
+		}
+	}
+	return -1
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/generationbehavior.go b/vendor/sigs.k8s.io/kustomize/api/types/generationbehavior.go
new file mode 100644
index 0000000000..f8f3627803
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/generationbehavior.go
@@ -0,0 +1,46 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// GenerationBehavior specifies generation behavior of configmaps, secrets and maybe other resources.
+type GenerationBehavior int
+
+const (
+	// BehaviorUnspecified is an Unspecified behavior; typically treated as a Create.
+	BehaviorUnspecified GenerationBehavior = iota
+	// BehaviorCreate makes a new resource.
+	BehaviorCreate
+	// BehaviorReplace replaces a resource.
+	BehaviorReplace
+	// BehaviorMerge attempts to merge a new resource with an existing resource.
+	BehaviorMerge
+)
+
+// String converts a GenerationBehavior to a string.
+func (b GenerationBehavior) String() string {
+	switch b {
+	case BehaviorReplace:
+		return "replace"
+	case BehaviorMerge:
+		return "merge"
+	case BehaviorCreate:
+		return "create"
+	default:
+		return "unspecified"
+	}
+}
+
+// NewGenerationBehavior converts a string to a GenerationBehavior.
+func NewGenerationBehavior(s string) GenerationBehavior {
+	switch s {
+	case "replace":
+		return BehaviorReplace
+	case "merge":
+		return BehaviorMerge
+	case "create":
+		return BehaviorCreate
+	default:
+		return BehaviorUnspecified
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/generatorargs.go b/vendor/sigs.k8s.io/kustomize/api/types/generatorargs.go
new file mode 100644
index 0000000000..eae221bed8
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/generatorargs.go
@@ -0,0 +1,27 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// GeneratorArgs contains arguments common to ConfigMap and Secret generators.
+type GeneratorArgs struct {
+	// Namespace for the resource, optional
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+
+	// Name - actually the partial name - of the generated resource.
+	// The full name ends up being something like
+	// NamePrefix + this.Name + hash(content of generated resource).
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+
+	// Behavior of generated resource, must be one of:
+	//   'create': create a new one
+	//   'replace': replace the existing one
+	//   'merge': merge with the existing one
+	Behavior string `json:"behavior,omitempty" yaml:"behavior,omitempty"`
+
+	// KvPairSources for the generator.
+	KvPairSources `json:",inline,omitempty" yaml:",inline,omitempty"`
+
+	// Local overrides to global generatorOptions field.
+	Options *GeneratorOptions `json:"options,omitempty" yaml:"options,omitempty"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/generatoroptions.go b/vendor/sigs.k8s.io/kustomize/api/types/generatoroptions.go
new file mode 100644
index 0000000000..683d89bfde
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/generatoroptions.go
@@ -0,0 +1,76 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// GeneratorOptions modify behavior of all ConfigMap and Secret generators.
+type GeneratorOptions struct {
+	// Labels to add to all generated resources.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+
+	// Annotations to add to all generated resources.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+
+	// DisableNameSuffixHash if true disables the default behavior of adding a
+	// suffix to the names of generated resources that is a hash of the
+	// resource contents.
+	DisableNameSuffixHash bool `json:"disableNameSuffixHash,omitempty" yaml:"disableNameSuffixHash,omitempty"`
+
+	// Immutable if true add to all generated resources.
+	Immutable bool `json:"immutable,omitempty" yaml:"immutable,omitempty"`
+}
+
+// MergeGlobalOptionsIntoLocal merges two instances of GeneratorOptions.
+// Values in the first 'local' argument cannot be overridden by the second
+// 'global' argument, except in the case of booleans.
+//
+// With booleans, there's no way to distinguish an 'intentional'
+// false from 'default' false.  So the rule is, if the global value
+// of the value of a boolean is true, i.e. disable, it trumps the
+// local value.  If the global value is false, then the local value is
+// respected.  Bottom line: a local false cannot override a global true.
+//
+// boolean fields are always a bad idea; should always use enums instead.
+func MergeGlobalOptionsIntoLocal(
+	localOpts *GeneratorOptions,
+	globalOpts *GeneratorOptions) *GeneratorOptions {
+	if globalOpts == nil {
+		return localOpts
+	}
+	if localOpts == nil {
+		localOpts = &GeneratorOptions{}
+	}
+	overrideMap(&localOpts.Labels, globalOpts.Labels)
+	overrideMap(&localOpts.Annotations, globalOpts.Annotations)
+	if globalOpts.DisableNameSuffixHash {
+		localOpts.DisableNameSuffixHash = true
+	}
+	if globalOpts.Immutable {
+		localOpts.Immutable = true
+	}
+	return localOpts
+}
+
+func overrideMap(localMap *map[string]string, globalMap map[string]string) {
+	if *localMap == nil {
+		if globalMap != nil {
+			*localMap = CopyMap(globalMap)
+		}
+		return
+	}
+	for k, v := range globalMap {
+		_, ok := (*localMap)[k]
+		if !ok {
+			(*localMap)[k] = v
+		}
+	}
+}
+
+// CopyMap copies a map.
+func CopyMap(in map[string]string) map[string]string {
+	out := make(map[string]string)
+	for k, v := range in {
+		out[k] = v
+	}
+	return out
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/helmchartargs.go b/vendor/sigs.k8s.io/kustomize/api/types/helmchartargs.go
new file mode 100644
index 0000000000..86afc52cf2
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/helmchartargs.go
@@ -0,0 +1,204 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import "path/filepath"
+
+const HelmDefaultHome = "charts"
+
+type HelmGlobals struct {
+	// ChartHome is a file path, relative to the kustomization root,
+	// to a directory containing a subdirectory for each chart to be
+	// included in the kustomization.
+	// The default value of this field is "charts".
+	// So, for example, kustomize looks for the minecraft chart
+	// at {kustomizationRoot}/{ChartHome}/minecraft.
+	// If the chart is there at build time, kustomize will use it as found,
+	// and not check version numbers or dates.
+	// If the chart is not there, kustomize will attempt to pull it
+	// using the version number specified in the kustomization file,
+	// and put it there.  To suppress the pull attempt, simply assure
+	// that the chart is already there.
+	ChartHome string `json:"chartHome,omitempty" yaml:"chartHome,omitempty"`
+
+	// ConfigHome defines a value that kustomize should pass to helm via
+	// the HELM_CONFIG_HOME environment variable.  kustomize doesn't attempt
+	// to read or write this directory.
+	// If omitted, {tmpDir}/helm is used, where {tmpDir} is some temporary
+	// directory created by kustomize for the benefit of helm.
+	// Likewise, kustomize sets
+	//   HELM_CACHE_HOME={ConfigHome}/.cache
+	//   HELM_DATA_HOME={ConfigHome}/.data
+	// for the helm subprocess.
+	ConfigHome string `json:"configHome,omitempty" yaml:"configHome,omitempty"`
+}
+
+type HelmChart struct {
+	// Name is the name of the chart, e.g. 'minecraft'.
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+
+	// Version is the version of the chart, e.g. '3.1.3'
+	Version string `json:"version,omitempty" yaml:"version,omitempty"`
+
+	// Repo is a URL locating the chart on the internet.
+	// This is the argument to helm's  `--repo` flag, e.g.
+	// `https://itzg.github.io/minecraft-server-charts`.
+	Repo string `json:"repo,omitempty" yaml:"repo,omitempty"`
+
+	// ReleaseName replaces RELEASE-NAME in chart template output,
+	// making a particular inflation of a chart unique with respect to
+	// other inflations of the same chart in a cluster. It's the first
+	// argument to the helm `install` and `template` commands, i.e.
+	//   helm install {RELEASE-NAME} {chartName}
+	//   helm template {RELEASE-NAME} {chartName}
+	// If omitted, the flag --generate-name is passed to 'helm template'.
+	ReleaseName string `json:"releaseName,omitempty" yaml:"releaseName,omitempty"`
+
+	// Namespace set the target namespace for a release. It is .Release.Namespace
+	// in the helm template
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+
+	// AdditionalValuesFiles are local file paths to values files to be used in
+	// addition to either the default values file or the values specified in ValuesFile.
+	AdditionalValuesFiles []string `json:"additionalValuesFiles,omitempty" yaml:"additionalValuesFiles,omitempty"`
+
+	// ValuesFile is a local file path to a values file to use _instead of_
+	// the default values that accompanied the chart.
+	// The default values are in '{ChartHome}/{Name}/values.yaml'.
+	ValuesFile string `json:"valuesFile,omitempty" yaml:"valuesFile,omitempty"`
+
+	// ValuesInline holds value mappings specified directly,
+	// rather than in a separate file.
+	ValuesInline map[string]interface{} `json:"valuesInline,omitempty" yaml:"valuesInline,omitempty"`
+
+	// ValuesMerge specifies how to treat ValuesInline with respect to Values.
+	// Legal values: 'merge', 'override', 'replace'.
+	// Defaults to 'override'.
+	ValuesMerge string `json:"valuesMerge,omitempty" yaml:"valuesMerge,omitempty"`
+
+	// IncludeCRDs specifies if Helm should also generate CustomResourceDefinitions.
+	// Defaults to 'false'.
+	IncludeCRDs bool `json:"includeCRDs,omitempty" yaml:"includeCRDs,omitempty"` //nolint: tagliatelle
+
+	// SkipHooks sets the --no-hooks flag when calling helm template. This prevents
+	// helm from erroneously rendering test templates.
+	SkipHooks bool `json:"skipHooks,omitempty" yaml:"skipHooks,omitempty"`
+
+	// ApiVersions is the kubernetes apiversions used for Capabilities.APIVersions
+	ApiVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
+
+	// KubeVersion is the kubernetes version used by Helm for Capabilities.KubeVersion"
+	KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+
+	// NameTemplate is for specifying the name template used to name the release.
+	NameTemplate string `json:"nameTemplate,omitempty" yaml:"nameTemplate,omitempty"`
+
+	// SkipTests skips tests from templated output.
+	SkipTests bool `json:"skipTests,omitempty" yaml:"skipTests,omitempty"`
+
+	// debug enables debug output from the Helm chart inflator generator.
+	Debug bool `json:"debug,omitempty" yaml:"debug,omitempty"`
+
+	// allow for devel release to be used.
+	Devel bool `json:"devel,omitempty" yaml:"devel,omitempty"`
+}
+
+// HelmChartArgs contains arguments to helm.
+// Deprecated.  Use HelmGlobals and HelmChart instead.
+type HelmChartArgs struct {
+	ChartName        string                 `json:"chartName,omitempty" yaml:"chartName,omitempty"`
+	ChartVersion     string                 `json:"chartVersion,omitempty" yaml:"chartVersion,omitempty"`
+	ChartRepoURL     string                 `json:"chartRepoUrl,omitempty" yaml:"chartRepoUrl,omitempty"`
+	ChartHome        string                 `json:"chartHome,omitempty" yaml:"chartHome,omitempty"`
+	ChartRepoName    string                 `json:"chartRepoName,omitempty" yaml:"chartRepoName,omitempty"`
+	HelmBin          string                 `json:"helmBin,omitempty" yaml:"helmBin,omitempty"`
+	HelmHome         string                 `json:"helmHome,omitempty" yaml:"helmHome,omitempty"`
+	Values           string                 `json:"values,omitempty" yaml:"values,omitempty"`
+	ValuesLocal      map[string]interface{} `json:"valuesLocal,omitempty" yaml:"valuesLocal,omitempty"`
+	ValuesMerge      string                 `json:"valuesMerge,omitempty" yaml:"valuesMerge,omitempty"`
+	ReleaseName      string                 `json:"releaseName,omitempty" yaml:"releaseName,omitempty"`
+	ReleaseNamespace string                 `json:"releaseNamespace,omitempty" yaml:"releaseNamespace,omitempty"`
+	ExtraArgs        []string               `json:"extraArgs,omitempty" yaml:"extraArgs,omitempty"`
+}
+
+// SplitHelmParameters splits helm parameters into
+// per-chart params and global chart-independent parameters.
+func SplitHelmParameters(
+	oldArgs []HelmChartArgs) (charts []HelmChart, globals HelmGlobals) {
+	for i, old := range oldArgs {
+		charts = append(charts, makeHelmChartFromHca(&oldArgs[i]))
+		if old.HelmHome != "" {
+			// last non-empty wins
+			globals.ConfigHome = old.HelmHome
+		}
+		if old.ChartHome != "" {
+			// last non-empty wins
+			globals.ChartHome = old.ChartHome
+		}
+	}
+	return charts, globals
+}
+
+func makeHelmChartFromHca(old *HelmChartArgs) (c HelmChart) {
+	c.Name = old.ChartName
+	c.Version = old.ChartVersion
+	c.Repo = old.ChartRepoURL
+	c.ValuesFile = old.Values
+	c.ValuesInline = old.ValuesLocal
+	c.ValuesMerge = old.ValuesMerge
+	c.ReleaseName = old.ReleaseName
+	return
+}
+
+func (h HelmChart) AsHelmArgs(absChartHome string) []string {
+	args := []string{"template"}
+	if h.ReleaseName != "" {
+		args = append(args, h.ReleaseName)
+	} else {
+		// AFAICT, this doesn't work as intended due to a bug in helm.
+		// See https://github.com/helm/helm/issues/6019
+		// I've tried placing the flag before and after the name argument.
+		args = append(args, "--generate-name")
+	}
+	if h.Name != "" {
+		args = append(args, filepath.Join(absChartHome, h.Name))
+	}
+	if h.Namespace != "" {
+		args = append(args, "--namespace", h.Namespace)
+	}
+	if h.NameTemplate != "" {
+		args = append(args, "--name-template", h.NameTemplate)
+	}
+
+	if h.ValuesFile != "" {
+		args = append(args, "-f", h.ValuesFile)
+	}
+	for _, valuesFile := range h.AdditionalValuesFiles {
+		args = append(args, "-f", valuesFile)
+	}
+
+	for _, apiVer := range h.ApiVersions {
+		args = append(args, "--api-versions", apiVer)
+	}
+	if h.KubeVersion != "" {
+		args = append(args, "--kube-version", h.KubeVersion)
+	}
+
+	if h.IncludeCRDs {
+		args = append(args, "--include-crds")
+	}
+	if h.SkipTests {
+		args = append(args, "--skip-tests")
+	}
+	if h.SkipHooks {
+		args = append(args, "--no-hooks")
+	}
+	if h.Debug {
+		args = append(args, "--debug")
+	}
+	if h.Devel {
+		args = append(args, "--devel")
+	}
+	return args
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/iampolicygenerator.go b/vendor/sigs.k8s.io/kustomize/api/types/iampolicygenerator.go
new file mode 100644
index 0000000000..f1d27ba7b7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/iampolicygenerator.go
@@ -0,0 +1,36 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+type Cloud string
+
+const GKE Cloud = "gke"
+
+// IAMPolicyGeneratorArgs contains arguments to generate a GKE service account resource.
+type IAMPolicyGeneratorArgs struct {
+	// which cloud provider to generate for (e.g. "gke")
+	Cloud `json:"cloud" yaml:"cloud"`
+
+	// information about the kubernetes cluster for this object
+	KubernetesService `json:"kubernetesService" yaml:"kubernetesService"`
+
+	// information about the service account and project
+	ServiceAccount `json:"serviceAccount" yaml:"serviceAccount"`
+}
+
+type KubernetesService struct {
+	// the name used for the Kubernetes service account
+	Name string `json:"name" yaml:"name"`
+
+	// the name of the Kubernetes namespace for this object
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+}
+
+type ServiceAccount struct {
+	// the name of the new cloud provider service account
+	Name string `json:"name" yaml:"name"`
+
+	// The ID of the project
+	ProjectId string `json:"projectId" yaml:"projectId"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/image.go b/vendor/sigs.k8s.io/kustomize/api/types/image.go
new file mode 100644
index 0000000000..e40ed324df
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/image.go
@@ -0,0 +1,25 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// Image contains an image name, a new name, a new tag or digest,
+// which will replace the original name and tag.
+type Image struct {
+	// Name is a tag-less image name.
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+
+	// NewName is the value used to replace the original name.
+	NewName string `json:"newName,omitempty" yaml:"newName,omitempty"`
+
+	// TagSuffix is the value used to suffix the original tag
+	// If Digest and NewTag is present an error is thrown
+	TagSuffix string `json:"tagSuffix,omitempty" yaml:"tagSuffix,omitempty"`
+
+	// NewTag is the value used to replace the original tag.
+	NewTag string `json:"newTag,omitempty" yaml:"newTag,omitempty"`
+
+	// Digest is the value used to replace the original image tag.
+	// If digest is present NewTag value is ignored.
+	Digest string `json:"digest,omitempty" yaml:"digest,omitempty"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/kustomization.go b/vendor/sigs.k8s.io/kustomize/api/types/kustomization.go
new file mode 100644
index 0000000000..6caa296644
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/kustomization.go
@@ -0,0 +1,357 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"reflect"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	KustomizationVersion        = "kustomize.config.k8s.io/v1beta1"
+	KustomizationKind           = "Kustomization"
+	ComponentVersion            = "kustomize.config.k8s.io/v1alpha1"
+	ComponentKind               = "Component"
+	MetadataNamespacePath       = "metadata/namespace"
+	MetadataNamespaceApiVersion = "v1"
+	MetadataNamePath            = "metadata/name"
+	NamespaceKind               = "Namespace"
+
+	OriginAnnotations      = "originAnnotations"
+	TransformerAnnotations = "transformerAnnotations"
+	ManagedByLabelOption   = "managedByLabel"
+)
+
+var BuildMetadataOptions = []string{OriginAnnotations, TransformerAnnotations, ManagedByLabelOption}
+
+// Kustomization holds the information needed to generate customized k8s api resources.
+type Kustomization struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+
+	// MetaData is a pointer to avoid marshalling empty struct
+	MetaData *ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+	// OpenAPI contains information about what kubernetes schema to use.
+	OpenAPI map[string]string `json:"openapi,omitempty" yaml:"openapi,omitempty"`
+
+	//
+	// Operators - what kustomize can do.
+	//
+
+	// NamePrefix will prefix the names of all resources mentioned in the kustomization
+	// file including generated configmaps and secrets.
+	NamePrefix string `json:"namePrefix,omitempty" yaml:"namePrefix,omitempty"`
+
+	// NameSuffix will suffix the names of all resources mentioned in the kustomization
+	// file including generated configmaps and secrets.
+	NameSuffix string `json:"nameSuffix,omitempty" yaml:"nameSuffix,omitempty"`
+
+	// Namespace to add to all objects.
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+
+	// Deprecated: Use the Labels field instead, which provides a superset of the functionality of CommonLabels.
+	// CommonLabels to add to all objects and selectors.
+	CommonLabels map[string]string `json:"commonLabels,omitempty" yaml:"commonLabels,omitempty"`
+
+	// Labels to add to all objects but not selectors.
+	Labels []Label `json:"labels,omitempty" yaml:"labels,omitempty"`
+
+	// CommonAnnotations to add to all objects.
+	CommonAnnotations map[string]string `json:"commonAnnotations,omitempty" yaml:"commonAnnotations,omitempty"`
+
+	// Deprecated: Use the Patches field instead, which provides a superset of the functionality of PatchesStrategicMerge.
+	// PatchesStrategicMerge specifies the relative path to a file
+	// containing a strategic merge patch.  Format documented at
+	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
+	// URLs and globs are not supported.
+	PatchesStrategicMerge []PatchStrategicMerge `json:"patchesStrategicMerge,omitempty" yaml:"patchesStrategicMerge,omitempty"`
+
+	// Deprecated: Use the Patches field instead, which provides a superset of the functionality of JSONPatches.
+	// JSONPatches is a list of JSONPatch for applying JSON patch.
+	// Format documented at https://tools.ietf.org/html/rfc6902
+	// and http://jsonpatch.com
+	PatchesJson6902 []Patch `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`
+
+	// Patches is a list of patches, where each one can be either a
+	// Strategic Merge Patch or a JSON patch.
+	// Each patch can be applied to multiple target objects.
+	Patches []Patch `json:"patches,omitempty" yaml:"patches,omitempty"`
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be achieved with a
+	// patch, but this operator is simpler to specify.
+	Images []Image `json:"images,omitempty" yaml:"images,omitempty"`
+
+	// Deprecated: Use the Images field instead.
+	ImageTags []Image `json:"imageTags,omitempty" yaml:"imageTags,omitempty"`
+
+	// Replacements is a list of replacements, which will copy nodes from a
+	// specified source to N specified targets.
+	Replacements []ReplacementField `json:"replacements,omitempty" yaml:"replacements,omitempty"`
+
+	// Replicas is a list of {resourcename, count} that allows for simpler replica
+	// specification. This can also be done with a patch.
+	Replicas []Replica `json:"replicas,omitempty" yaml:"replicas,omitempty"`
+
+	// Deprecated: Vars will be removed in future release. Migrate to Replacements instead.
+	// Vars allow things modified by kustomize to be injected into a
+	// kubernetes object specification. A var is a name (e.g. FOO) associated
+	// with a field in a specific resource instance.  The field must
+	// contain a value of type string/bool/int/float, and defaults to the name field
+	// of the instance.  Any appearance of "$(FOO)" in the object
+	// spec will be replaced at kustomize build time, after the final
+	// value of the specified field has been determined.
+	Vars []Var `json:"vars,omitempty" yaml:"vars,omitempty"`
+
+	// SortOptions change the order that kustomize outputs resources.
+	SortOptions *SortOptions `json:"sortOptions,omitempty" yaml:"sortOptions,omitempty"`
+
+	//
+	// Operands - what kustomize operates on.
+	//
+
+	// Resources specifies relative paths to files holding YAML representations
+	// of kubernetes API objects, or specifications of other kustomizations
+	// via relative paths, absolute paths, or URLs.
+	Resources []string `json:"resources,omitempty" yaml:"resources,omitempty"`
+
+	// Components specifies relative paths to specifications of other Components
+	// via relative paths, absolute paths, or URLs.
+	Components []string `json:"components,omitempty" yaml:"components,omitempty"`
+
+	// Crds specifies relative paths to Custom Resource Definition files.
+	// This allows custom resources to be recognized as operands, making
+	// it possible to add them to the Resources list.
+	// CRDs themselves are not modified.
+	Crds []string `json:"crds,omitempty" yaml:"crds,omitempty"`
+
+	// Deprecated: Anything that would have been specified here should be specified in the Resources field instead.
+	Bases []string `json:"bases,omitempty" yaml:"bases,omitempty"`
+
+	//
+	// Generators (operators that create operands)
+	//
+
+	// ConfigMapGenerator is a list of configmaps to generate from
+	// local data (one configMap per list item).
+	// The resulting resource is a normal operand, subject to
+	// name prefixing, patching, etc.  By default, the name of
+	// the map will have a suffix hash generated from its contents.
+	ConfigMapGenerator []ConfigMapArgs `json:"configMapGenerator,omitempty" yaml:"configMapGenerator,omitempty"`
+
+	// SecretGenerator is a list of secrets to generate from
+	// local data (one secret per list item).
+	// The resulting resource is a normal operand, subject to
+	// name prefixing, patching, etc.  By default, the name of
+	// the map will have a suffix hash generated from its contents.
+	SecretGenerator []SecretArgs `json:"secretGenerator,omitempty" yaml:"secretGenerator,omitempty"`
+
+	// HelmGlobals contains helm configuration that isn't chart specific.
+	HelmGlobals *HelmGlobals `json:"helmGlobals,omitempty" yaml:"helmGlobals,omitempty"`
+
+	// HelmCharts is a list of helm chart configuration instances.
+	HelmCharts []HelmChart `json:"helmCharts,omitempty" yaml:"helmCharts,omitempty"`
+
+	// HelmChartInflationGenerator is a list of helm chart configurations.
+	// Deprecated.  Auto-converted to HelmGlobals and HelmCharts.
+	HelmChartInflationGenerator []HelmChartArgs `json:"helmChartInflationGenerator,omitempty" yaml:"helmChartInflationGenerator,omitempty"`
+
+	// GeneratorOptions modify behavior of all ConfigMap and Secret generators.
+	GeneratorOptions *GeneratorOptions `json:"generatorOptions,omitempty" yaml:"generatorOptions,omitempty"`
+
+	// Configurations is a list of transformer configuration files
+	Configurations []string `json:"configurations,omitempty" yaml:"configurations,omitempty"`
+
+	// Generators is a list of files containing custom generators
+	Generators []string `json:"generators,omitempty" yaml:"generators,omitempty"`
+
+	// Transformers is a list of files containing transformers
+	Transformers []string `json:"transformers,omitempty" yaml:"transformers,omitempty"`
+
+	// Validators is a list of files containing validators
+	Validators []string `json:"validators,omitempty" yaml:"validators,omitempty"`
+
+	// BuildMetadata is a list of strings used to toggle different build options
+	BuildMetadata []string `json:"buildMetadata,omitempty" yaml:"buildMetadata,omitempty"`
+}
+
+const (
+	deprecatedWarningToRunEditFix              = "Run 'kustomize edit fix' to update your Kustomization automatically."
+	deprecatedWarningToRunEditFixExperimential = "[EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically."
+	deprecatedBaseWarningMessage               = "# Warning: 'bases' is deprecated. Please use 'resources' instead." + " " + deprecatedWarningToRunEditFix
+	deprecatedImageTagsWarningMessage          = "# Warning: 'imageTags' is deprecated. Please use 'images' instead." + " " + deprecatedWarningToRunEditFix
+	deprecatedPatchesJson6902Message           = "# Warning: 'patchesJson6902' is deprecated. Please use 'patches' instead." + " " + deprecatedWarningToRunEditFix
+	deprecatedPatchesStrategicMergeMessage     = "# Warning: 'patchesStrategicMerge' is deprecated. Please use 'patches' instead." + " " + deprecatedWarningToRunEditFix
+	deprecatedVarsMessage                      = "# Warning: 'vars' is deprecated. Please use 'replacements' instead." + " " + deprecatedWarningToRunEditFixExperimential
+	deprecatedCommonLabelsWarningMessage       = "# Warning: 'commonLabels' is deprecated. Please use 'labels' instead." + " " + deprecatedWarningToRunEditFix
+)
+
+// CheckDeprecatedFields check deprecated field is used or not.
+func (k *Kustomization) CheckDeprecatedFields() *[]string {
+	var warningMessages []string
+	if k.Bases != nil {
+		warningMessages = append(warningMessages, deprecatedBaseWarningMessage)
+	}
+	if k.CommonLabels != nil {
+		warningMessages = append(warningMessages, deprecatedCommonLabelsWarningMessage)
+	}
+	if k.ImageTags != nil {
+		warningMessages = append(warningMessages, deprecatedImageTagsWarningMessage)
+	}
+	if k.PatchesJson6902 != nil {
+		warningMessages = append(warningMessages, deprecatedPatchesJson6902Message)
+	}
+	if k.PatchesStrategicMerge != nil {
+		warningMessages = append(warningMessages, deprecatedPatchesStrategicMergeMessage)
+	}
+	if k.Vars != nil {
+		warningMessages = append(warningMessages, deprecatedVarsMessage)
+	}
+	return &warningMessages
+}
+
+// FixKustomization fixes things
+// like empty fields that should not be empty, or
+// moving content of deprecated fields to newer
+// fields.
+func (k *Kustomization) FixKustomization() {
+	if k.Kind == "" {
+		k.Kind = KustomizationKind
+	}
+	if k.APIVersion == "" {
+		if k.Kind == ComponentKind {
+			k.APIVersion = ComponentVersion
+		} else {
+			k.APIVersion = KustomizationVersion
+		}
+	}
+
+	// 'bases' field was deprecated in favor of the 'resources' field.
+	k.Resources = append(k.Resources, k.Bases...)
+	k.Bases = nil
+
+	// 'imageTags' field was deprecated in favor of the 'images' field.
+	k.Images = append(k.Images, k.ImageTags...)
+	k.ImageTags = nil
+
+	for i, g := range k.ConfigMapGenerator {
+		if g.EnvSource != "" {
+			k.ConfigMapGenerator[i].EnvSources =
+				append(g.EnvSources, g.EnvSource) //nolint:gocritic
+			k.ConfigMapGenerator[i].EnvSource = ""
+		}
+	}
+	for i, g := range k.SecretGenerator {
+		if g.EnvSource != "" {
+			k.SecretGenerator[i].EnvSources =
+				append(g.EnvSources, g.EnvSource) //nolint:gocritic
+			k.SecretGenerator[i].EnvSource = ""
+		}
+	}
+	charts, globals := SplitHelmParameters(k.HelmChartInflationGenerator)
+	if k.HelmGlobals == nil {
+		if globals.ChartHome != "" || globals.ConfigHome != "" {
+			k.HelmGlobals = &globals
+		}
+	}
+	k.HelmCharts = append(k.HelmCharts, charts...)
+	// Wipe it for the fix command.
+	k.HelmChartInflationGenerator = nil
+}
+
+// FixKustomizationPreMarshalling fixes things
+// that should occur after the kustomization file
+// has been processed.
+func (k *Kustomization) FixKustomizationPreMarshalling(fSys filesys.FileSystem) error {
+	// PatchesJson6902 should be under the Patches field.
+	k.Patches = append(k.Patches, k.PatchesJson6902...)
+	k.PatchesJson6902 = nil
+
+	if k.PatchesStrategicMerge != nil {
+		for _, patchStrategicMerge := range k.PatchesStrategicMerge {
+			// check this patch is file path select.
+			if _, err := fSys.ReadFile(string(patchStrategicMerge)); err == nil {
+				// path patch
+				k.Patches = append(k.Patches, Patch{Path: string(patchStrategicMerge)})
+			} else {
+				// inline string patch
+				k.Patches = append(k.Patches, Patch{Patch: string(patchStrategicMerge)})
+			}
+		}
+		k.PatchesStrategicMerge = nil
+	}
+
+	// this fix is not in FixKustomizationPostUnmarshalling because
+	// it will break some commands like `create` and `add`. those
+	// commands depend on 'commonLabels' field
+	if cl := labelFromCommonLabels(k.CommonLabels); cl != nil {
+		// check conflicts between commonLabels and labels
+		for _, l := range k.Labels {
+			for k := range l.Pairs {
+				if _, exist := cl.Pairs[k]; exist {
+					return fmt.Errorf("label name '%s' exists in both commonLabels and labels", k)
+				}
+			}
+		}
+		k.Labels = append(k.Labels, *cl)
+		k.CommonLabels = nil
+	}
+
+	return nil
+}
+
+func (k *Kustomization) CheckEmpty() error {
+	// generate empty Kustomization
+	emptyKustomization := &Kustomization{}
+
+	// k.TypeMeta is metadata. It Isn't related to whether empty or not.
+	emptyKustomization.TypeMeta = k.TypeMeta
+
+	if reflect.DeepEqual(k, emptyKustomization) {
+		return fmt.Errorf("kustomization.yaml is empty")
+	}
+
+	return nil
+}
+
+func (k *Kustomization) EnforceFields() []string {
+	var errs []string
+	if k.Kind != "" && k.Kind != KustomizationKind && k.Kind != ComponentKind {
+		errs = append(errs, "kind should be "+KustomizationKind+" or "+ComponentKind)
+	}
+	requiredVersion := KustomizationVersion
+	if k.Kind == ComponentKind {
+		requiredVersion = ComponentVersion
+	}
+	if k.APIVersion != "" && k.APIVersion != requiredVersion {
+		errs = append(errs, "apiVersion for "+k.Kind+" should be "+requiredVersion)
+	}
+	return errs
+}
+
+// Unmarshal replace k with the content in YAML input y
+func (k *Kustomization) Unmarshal(y []byte) error {
+	// TODO: switch to strict decoding to catch duplicate keys.
+	// We can't do so until there is a yaml decoder that supports anchors AND case-insensitive keys.
+	// See https://github.com/kubernetes-sigs/kustomize/issues/5061
+	j, err := yaml.YAMLToJSON(y)
+	if err != nil {
+		return errors.WrapPrefixf(err, "invalid Kustomization")
+	}
+	dec := json.NewDecoder(bytes.NewReader(j))
+	dec.DisallowUnknownFields()
+	var nk Kustomization
+	err = dec.Decode(&nk)
+	if err != nil {
+		return errors.WrapPrefixf(err, "invalid Kustomization")
+	}
+	*k = nk
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/kvpairsources.go b/vendor/sigs.k8s.io/kustomize/api/types/kvpairsources.go
new file mode 100644
index 0000000000..9898defade
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/kvpairsources.go
@@ -0,0 +1,36 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// KvPairSources defines places to obtain key value pairs.
+type KvPairSources struct {
+	// LiteralSources is a list of literal
+	// pair sources. Each literal source should
+	// be a key and literal value, e.g. `key=value`
+	LiteralSources []string `json:"literals,omitempty" yaml:"literals,omitempty"`
+
+	// FileSources is a list of file "sources" to
+	// use in creating a list of key, value pairs.
+	// A source takes the form:  [{key}=]{path}
+	// If the "key=" part is missing, the key is the
+	// path's basename. If they "key=" part is present,
+	// it becomes the key (replacing the basename).
+	// In either case, the value is the file contents.
+	// Specifying a directory will iterate each named
+	// file in the directory whose basename is a
+	// valid configmap key.
+	FileSources []string `json:"files,omitempty" yaml:"files,omitempty"`
+
+	// EnvSources is a list of file paths.
+	// The contents of each file should be one
+	// key=value pair per line, e.g. a Docker
+	// or npm ".env" file or a ".ini" file
+	// (wikipedia.org/wiki/INI_file)
+	EnvSources []string `json:"envs,omitempty" yaml:"envs,omitempty"`
+
+	// Older, singular form of EnvSources.
+	// On edits (e.g. `kustomize fix`) this is merged into the plural form
+	// for consistency with LiteralSources and FileSources.
+	EnvSource string `json:"env,omitempty" yaml:"env,omitempty"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/labels.go b/vendor/sigs.k8s.io/kustomize/api/types/labels.go
new file mode 100644
index 0000000000..35f7fb2a5b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/labels.go
@@ -0,0 +1,30 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+type Label struct {
+	// Pairs contains the key-value pairs for labels to add
+	Pairs map[string]string `json:"pairs,omitempty" yaml:"pairs,omitempty"`
+	// IncludeSelectors indicates whether the transformer should include the
+	// fieldSpecs for selectors. Custom fieldSpecs specified by
+	// FieldSpecs will be merged with builtin fieldSpecs if this
+	// is true.
+	IncludeSelectors bool `json:"includeSelectors,omitempty" yaml:"includeSelectors,omitempty"`
+	// IncludeTemplates indicates whether the transformer should include the
+	// spec/template/metadata fieldSpec. Custom fieldSpecs specified by
+	// FieldSpecs will be merged with spec/template/metadata fieldSpec if this
+	// is true. If IncludeSelectors is true, IncludeTemplates is not needed.
+	IncludeTemplates bool        `json:"includeTemplates,omitempty" yaml:"includeTemplates,omitempty"`
+	FieldSpecs       []FieldSpec `json:"fields,omitempty" yaml:"fields,omitempty"`
+}
+
+func labelFromCommonLabels(commonLabels map[string]string) *Label {
+	if len(commonLabels) == 0 {
+		return nil
+	}
+	return &Label{
+		Pairs:            commonLabels,
+		IncludeSelectors: true,
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions.go b/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions.go
new file mode 100644
index 0000000000..6617abdac2
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions.go
@@ -0,0 +1,24 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// Restrictions on what things can be referred to
+// in a kustomization file.
+//
+//go:generate stringer -type=LoadRestrictions
+type LoadRestrictions int
+
+const (
+	LoadRestrictionsUnknown LoadRestrictions = iota
+
+	// Files referenced by a kustomization file must be in
+	// or under the directory holding the kustomization
+	// file itself.
+	LoadRestrictionsRootOnly
+
+	// The kustomization file may specify absolute or
+	// relative paths to patch or resources files outside
+	// its own tree.
+	LoadRestrictionsNone
+)
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions_string.go b/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions_string.go
new file mode 100644
index 0000000000..d2355950be
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions_string.go
@@ -0,0 +1,25 @@
+// Code generated by "stringer -type=LoadRestrictions"; DO NOT EDIT.
+
+package types
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[LoadRestrictionsUnknown-0]
+	_ = x[LoadRestrictionsRootOnly-1]
+	_ = x[LoadRestrictionsNone-2]
+}
+
+const _LoadRestrictions_name = "LoadRestrictionsUnknownLoadRestrictionsRootOnlyLoadRestrictionsNone"
+
+var _LoadRestrictions_index = [...]uint8{0, 23, 47, 67}
+
+func (i LoadRestrictions) String() string {
+	if i < 0 || i >= LoadRestrictions(len(_LoadRestrictions_index)-1) {
+		return "LoadRestrictions(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _LoadRestrictions_name[_LoadRestrictions_index[i]:_LoadRestrictions_index[i+1]]
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/objectmeta.go b/vendor/sigs.k8s.io/kustomize/api/types/objectmeta.go
new file mode 100644
index 0000000000..4f5d41f4a3
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/objectmeta.go
@@ -0,0 +1,13 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// ObjectMeta partially copies apimachinery/pkg/apis/meta/v1.ObjectMeta
+// No need for a direct dependence; the fields are stable.
+type ObjectMeta struct {
+	Name        string            `json:"name,omitempty" yaml:"name,omitempty"`
+	Namespace   string            `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	Labels      map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/pair.go b/vendor/sigs.k8s.io/kustomize/api/types/pair.go
new file mode 100644
index 0000000000..63cfb776e0
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/pair.go
@@ -0,0 +1,10 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// Pair is a key value pair.
+type Pair struct {
+	Key   string
+	Value string
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/patch.go b/vendor/sigs.k8s.io/kustomize/api/types/patch.go
new file mode 100644
index 0000000000..5310a6e66d
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/patch.go
@@ -0,0 +1,34 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import "reflect"
+
+// Patch represent either a Strategic Merge Patch or a JSON patch
+// and its targets.
+// The content of the patch can either be from a file
+// or from an inline string.
+type Patch struct {
+	// Path is a relative file path to the patch file.
+	Path string `json:"path,omitempty" yaml:"path,omitempty"`
+
+	// Patch is the content of a patch.
+	Patch string `json:"patch,omitempty" yaml:"patch,omitempty"`
+
+	// Target points to the resources that the patch is applied to
+	Target *Selector `json:"target,omitempty" yaml:"target,omitempty"`
+
+	// Options is a list of options for the patch
+	Options map[string]bool `json:"options,omitempty" yaml:"options,omitempty"`
+}
+
+// Equals return true if p equals o.
+func (p *Patch) Equals(o Patch) bool {
+	targetEqual := (p.Target == o.Target) ||
+		(p.Target != nil && o.Target != nil && *p.Target == *o.Target)
+	return p.Path == o.Path &&
+		p.Patch == o.Patch &&
+		targetEqual &&
+		reflect.DeepEqual(p.Options, o.Options)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/patchstrategicmerge.go b/vendor/sigs.k8s.io/kustomize/api/types/patchstrategicmerge.go
new file mode 100644
index 0000000000..81a5ba456d
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/patchstrategicmerge.go
@@ -0,0 +1,9 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// PatchStrategicMerge represents a relative path to a
+// stategic merge patch with the format
+// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
+type PatchStrategicMerge string
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/pluginconfig.go b/vendor/sigs.k8s.io/kustomize/api/types/pluginconfig.go
new file mode 100644
index 0000000000..9721eb724a
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/pluginconfig.go
@@ -0,0 +1,49 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+type HelmConfig struct {
+	Enabled     bool
+	Command     string
+	ApiVersions []string
+	KubeVersion string
+	Debug       bool
+}
+
+// PluginConfig holds plugin configuration.
+type PluginConfig struct {
+	// PluginRestrictions distinguishes plugin restrictions.
+	PluginRestrictions PluginRestrictions
+
+	// BpLoadingOptions distinguishes builtin plugin behaviors.
+	BpLoadingOptions BuiltinPluginLoadingOptions
+
+	// FnpLoadingOptions sets the way function-based plugin behaviors.
+	FnpLoadingOptions FnPluginLoadingOptions
+
+	// HelmConfig contains metadata needed for allowing and running helm.
+	HelmConfig HelmConfig
+}
+
+func EnabledPluginConfig(b BuiltinPluginLoadingOptions) (pc *PluginConfig) {
+	pc = MakePluginConfig(PluginRestrictionsNone, b)
+	pc.HelmConfig.Enabled = true
+	// If this command is not on PATH, tests needing it should skip.
+	pc.HelmConfig.Command = "helmV3"
+	return
+}
+
+func DisabledPluginConfig() *PluginConfig {
+	return MakePluginConfig(
+		PluginRestrictionsBuiltinsOnly,
+		BploUseStaticallyLinked)
+}
+
+func MakePluginConfig(pr PluginRestrictions,
+	b BuiltinPluginLoadingOptions) *PluginConfig {
+	return &PluginConfig{
+		PluginRestrictions: pr,
+		BpLoadingOptions:   b,
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions.go b/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions.go
new file mode 100644
index 0000000000..0e4ee42e41
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions.go
@@ -0,0 +1,60 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// Some plugin classes
+// - builtin: plugins defined in the kustomize repo.
+//   May be freely used and re-configured.
+// - local: plugins that aren't builtin but are
+//   locally defined (presumably by the user), meaning
+//   the kustomization refers to them via a relative
+//   file path, not a URL.
+// - remote: require a build-time download to obtain.
+//   Unadvised, unless one controls the
+//   serving site.
+//
+//go:generate stringer -type=PluginRestrictions
+type PluginRestrictions int
+
+const (
+	PluginRestrictionsUnknown PluginRestrictions = iota
+
+	// Non-builtin plugins completely disabled.
+	PluginRestrictionsBuiltinsOnly
+
+	// No restrictions, do whatever you want.
+	PluginRestrictionsNone
+)
+
+// BuiltinPluginLoadingOptions distinguish ways in which builtin plugins are used.
+//go:generate stringer -type=BuiltinPluginLoadingOptions
+type BuiltinPluginLoadingOptions int
+
+const (
+	BploUndefined BuiltinPluginLoadingOptions = iota
+
+	// Desired in production use for performance.
+	BploUseStaticallyLinked
+
+	// Desired in testing and development cycles where it's undesirable
+	// to generate static code.
+	BploLoadFromFileSys
+)
+
+// FnPluginLoadingOptions set way functions-based plugins are restricted
+type FnPluginLoadingOptions struct {
+	// Allow to run executables
+	EnableExec bool
+	// Allow container access to network
+	Network     bool
+	NetworkName string
+	// list of mounts
+	Mounts []string
+	// list of env variables to pass to fn
+	Env []string
+	// Run as uid and gid of the command executor
+	AsCurrentUser bool
+	// Run in this working directory
+	WorkingDir string
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string.go b/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string.go
new file mode 100644
index 0000000000..b9dba7dfc6
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string.go
@@ -0,0 +1,25 @@
+// Code generated by "stringer -type=PluginRestrictions"; DO NOT EDIT.
+
+package types
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[PluginRestrictionsUnknown-0]
+	_ = x[PluginRestrictionsBuiltinsOnly-1]
+	_ = x[PluginRestrictionsNone-2]
+}
+
+const _PluginRestrictions_name = "PluginRestrictionsUnknownPluginRestrictionsBuiltinsOnlyPluginRestrictionsNone"
+
+var _PluginRestrictions_index = [...]uint8{0, 25, 55, 77}
+
+func (i PluginRestrictions) String() string {
+	if i < 0 || i >= PluginRestrictions(len(_PluginRestrictions_index)-1) {
+		return "PluginRestrictions(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _PluginRestrictions_name[_PluginRestrictions_index[i]:_PluginRestrictions_index[i+1]]
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/replacement.go b/vendor/sigs.k8s.io/kustomize/api/types/replacement.go
new file mode 100644
index 0000000000..b110322e78
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/replacement.go
@@ -0,0 +1,90 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+const DefaultReplacementFieldPath = "metadata.name"
+
+// Replacement defines how to perform a substitution
+// where it is from and where it is to.
+type Replacement struct {
+	// The source of the value.
+	Source *SourceSelector `json:"source,omitempty" yaml:"source,omitempty"`
+
+	// The N fields to write the value to.
+	Targets []*TargetSelector `json:"targets,omitempty" yaml:"targets,omitempty"`
+
+	// Used to define an static value
+	SourceValue *string `json:"sourceValue,omitempty" yaml:"sourceValue,omitempty"`
+}
+
+// SourceSelector is the source of the replacement transformer.
+type SourceSelector struct {
+	// A specific object to read it from.
+	resid.ResId `json:",inline,omitempty" yaml:",inline,omitempty"`
+
+	// Structured field path expected in the allowed object.
+	FieldPath string `json:"fieldPath,omitempty" yaml:"fieldPath,omitempty"`
+
+	// Used to refine the interpretation of the field.
+	Options *FieldOptions `json:"options,omitempty" yaml:"options,omitempty"`
+}
+
+func (s *SourceSelector) String() string {
+	if s == nil {
+		return ""
+	}
+	result := []string{s.ResId.String()}
+	if s.FieldPath != "" {
+		result = append(result, s.FieldPath)
+	}
+	if opts := s.Options.String(); opts != "" {
+		result = append(result, opts)
+	}
+	return strings.Join(result, ":")
+}
+
+// TargetSelector specifies fields in one or more objects.
+type TargetSelector struct {
+	// Include objects that match this.
+	Select *Selector `json:"select" yaml:"select"`
+
+	// From the allowed set, remove objects that match this.
+	Reject []*Selector `json:"reject,omitempty" yaml:"reject,omitempty"`
+
+	// Structured field paths expected in each allowed object.
+	FieldPaths []string `json:"fieldPaths,omitempty" yaml:"fieldPaths,omitempty"`
+
+	// Used to refine the interpretation of the field.
+	Options *FieldOptions `json:"options,omitempty" yaml:"options,omitempty"`
+}
+
+// FieldOptions refine the interpretation of FieldPaths.
+type FieldOptions struct {
+	// Used to split/join the field.
+	Delimiter string `json:"delimiter,omitempty" yaml:"delimiter,omitempty"`
+
+	// Which position in the split to consider.
+	Index int `json:"index,omitempty" yaml:"index,omitempty"`
+
+	// TODO (#3492): Implement use of this option
+	// None, Base64, URL, Hex, etc
+	Encoding string `json:"encoding,omitempty" yaml:"encoding,omitempty"`
+
+	// If field missing, add it.
+	Create bool `json:"create,omitempty" yaml:"create,omitempty"`
+}
+
+func (fo *FieldOptions) String() string {
+	if fo == nil || (fo.Delimiter == "" && !fo.Create) {
+		return ""
+	}
+	return fmt.Sprintf("%s(%d), create=%t", fo.Delimiter, fo.Index, fo.Create)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/replacementfield.go b/vendor/sigs.k8s.io/kustomize/api/types/replacementfield.go
new file mode 100644
index 0000000000..303e5c9e23
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/replacementfield.go
@@ -0,0 +1,9 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+type ReplacementField struct {
+	Replacement `json:",inline,omitempty" yaml:",inline,omitempty"`
+	Path        string `json:"path,omitempty" yaml:"path,omitempty"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/replica.go b/vendor/sigs.k8s.io/kustomize/api/types/replica.go
new file mode 100644
index 0000000000..8267366b5d
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/replica.go
@@ -0,0 +1,16 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// Replica specifies a modification to a replica config.
+// The number of replicas of a resource whose name matches will be set to count.
+// This struct is used by the ReplicaCountTransform, and is meant to supplement
+// the existing patch functionality with a simpler syntax for replica configuration.
+type Replica struct {
+	// The name of the resource to change the replica count
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+
+	// The number of replicas required.
+	Count int64 `json:"count" yaml:"count"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/secretargs.go b/vendor/sigs.k8s.io/kustomize/api/types/secretargs.go
new file mode 100644
index 0000000000..62dbe26a73
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/secretargs.go
@@ -0,0 +1,19 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// SecretArgs contains the metadata of how to generate a secret.
+type SecretArgs struct {
+	// GeneratorArgs for the secret.
+	GeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"`
+
+	// Type of the secret.
+	//
+	// This is the same field as the secret type field in v1/Secret:
+	// It can be "Opaque" (default), or "kubernetes.io/tls".
+	//
+	// If type is "kubernetes.io/tls", then "literals" or "files" must have exactly two
+	// keys: "tls.key" and "tls.crt"
+	Type string `json:"type,omitempty" yaml:"type,omitempty"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/selector.go b/vendor/sigs.k8s.io/kustomize/api/types/selector.go
new file mode 100644
index 0000000000..2c07f0b01b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/selector.go
@@ -0,0 +1,124 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import (
+	"fmt"
+	"regexp"
+
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+// Selector specifies a set of resources.
+// Any resource that matches intersection of all conditions
+// is included in this set.
+type Selector struct {
+	// ResId refers to a GVKN/Ns of a resource.
+	resid.ResId `json:",inline,omitempty" yaml:",inline,omitempty"`
+
+	// AnnotationSelector is a string that follows the label selection expression
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+	// It matches with the resource annotations.
+	AnnotationSelector string `json:"annotationSelector,omitempty" yaml:"annotationSelector,omitempty"`
+
+	// LabelSelector is a string that follows the label selection expression
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+	// It matches with the resource labels.
+	LabelSelector string `json:"labelSelector,omitempty" yaml:"labelSelector,omitempty"`
+}
+
+func (s *Selector) Copy() Selector {
+	return *s
+}
+
+func (s *Selector) String() string {
+	return fmt.Sprintf(
+		"%s:a=%s:l=%s", s.ResId, s.AnnotationSelector, s.LabelSelector)
+}
+
+// SelectorRegex is a Selector with regex in GVK
+// Any resource that matches intersection of all conditions
+// is included in this set.
+type SelectorRegex struct {
+	selector       *Selector
+	groupRegex     *regexp.Regexp
+	versionRegex   *regexp.Regexp
+	kindRegex      *regexp.Regexp
+	nameRegex      *regexp.Regexp
+	namespaceRegex *regexp.Regexp
+}
+
+// NewSelectorRegex returns a pointer to a new SelectorRegex
+// which uses the same condition as s.
+func NewSelectorRegex(s *Selector) (*SelectorRegex, error) {
+	sr := new(SelectorRegex)
+	var err error
+	sr.selector = s
+	sr.groupRegex, err = regexp.Compile(anchorRegex(s.Gvk.Group))
+	if err != nil {
+		return nil, err
+	}
+	sr.versionRegex, err = regexp.Compile(anchorRegex(s.Gvk.Version))
+	if err != nil {
+		return nil, err
+	}
+	sr.kindRegex, err = regexp.Compile(anchorRegex(s.Gvk.Kind))
+	if err != nil {
+		return nil, err
+	}
+	sr.nameRegex, err = regexp.Compile(anchorRegex(s.Name))
+	if err != nil {
+		return nil, err
+	}
+	sr.namespaceRegex, err = regexp.Compile(anchorRegex(s.Namespace))
+	if err != nil {
+		return nil, err
+	}
+	return sr, nil
+}
+
+func anchorRegex(pattern string) string {
+	if pattern == "" {
+		return pattern
+	}
+	return "^(?:" + pattern + ")$"
+}
+
+// MatchGvk return true if gvk can be matched by s.
+func (s *SelectorRegex) MatchGvk(gvk resid.Gvk) bool {
+	if len(s.selector.Gvk.Group) > 0 {
+		if !s.groupRegex.MatchString(gvk.Group) {
+			return false
+		}
+	}
+	if len(s.selector.Gvk.Version) > 0 {
+		if !s.versionRegex.MatchString(gvk.Version) {
+			return false
+		}
+	}
+	if len(s.selector.Gvk.Kind) > 0 {
+		if !s.kindRegex.MatchString(gvk.Kind) {
+			return false
+		}
+	}
+	return true
+}
+
+// MatchName returns true if the name in selector is
+// empty or the n can be matches by the name in selector
+func (s *SelectorRegex) MatchName(n string) bool {
+	if s.selector.Name == "" {
+		return true
+	}
+	return s.nameRegex.MatchString(n)
+}
+
+// MatchNamespace returns true if the namespace in selector is
+// empty or the ns can be matches by the namespace in selector
+func (s *SelectorRegex) MatchNamespace(ns string) bool {
+	if s.selector.Namespace == "" {
+		return true
+	}
+	return s.namespaceRegex.MatchString(ns)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/sortoptions.go b/vendor/sigs.k8s.io/kustomize/api/types/sortoptions.go
new file mode 100644
index 0000000000..64dd48808c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/sortoptions.go
@@ -0,0 +1,28 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// SortOptions defines the order that kustomize outputs resources.
+type SortOptions struct {
+	// Order selects the ordering strategy.
+	Order SortOrder `json:"order,omitempty" yaml:"order,omitempty"`
+	// LegacySortOptions tweaks the sorting for the "legacy" sort ordering
+	// strategy.
+	LegacySortOptions *LegacySortOptions `json:"legacySortOptions,omitempty" yaml:"legacySortOptions,omitempty"`
+}
+
+// SortOrder defines different ordering strategies.
+type SortOrder string
+
+const LegacySortOrder SortOrder = "legacy"
+const FIFOSortOrder SortOrder = "fifo"
+
+// LegacySortOptions define various options for tweaking the "legacy" ordering
+// strategy.
+type LegacySortOptions struct {
+	// OrderFirst selects the resource kinds to order first.
+	OrderFirst []string `json:"orderFirst" yaml:"orderFirst"`
+	// OrderLast selects the resource kinds to order last.
+	OrderLast []string `json:"orderLast" yaml:"orderLast"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/typemeta.go b/vendor/sigs.k8s.io/kustomize/api/types/typemeta.go
new file mode 100644
index 0000000000..0ddafd3d80
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/typemeta.go
@@ -0,0 +1,11 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+// TypeMeta partially copies apimachinery/pkg/apis/meta/v1.TypeMeta
+// No need for a direct dependence; the fields are stable.
+type TypeMeta struct {
+	Kind       string `json:"kind,omitempty" yaml:"kind,omitempty"`
+	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
+}
diff --git a/vendor/sigs.k8s.io/kustomize/api/types/var.go b/vendor/sigs.k8s.io/kustomize/api/types/var.go
new file mode 100644
index 0000000000..0ca5579c0d
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/api/types/var.go
@@ -0,0 +1,211 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+import (
+	"fmt"
+	"reflect"
+	"sort"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+// Var represents a variable whose value will be sourced
+// from a field in a Kubernetes object.
+type Var struct {
+	// Value of identifier name e.g. FOO used in container args, annotations
+	// Appears in pod template as $(FOO)
+	Name string `json:"name" yaml:"name"`
+
+	// ObjRef must refer to a Kubernetes resource under the
+	// purview of this kustomization. ObjRef should use the
+	// raw name of the object (the name specified in its YAML,
+	// before addition of a namePrefix and a nameSuffix).
+	ObjRef Target `json:"objref" yaml:"objref"`
+
+	// FieldRef refers to the field of the object referred to by
+	// ObjRef whose value will be extracted for use in
+	// replacing $(FOO).
+	// If unspecified, this defaults to fieldPath: $defaultFieldPath
+	FieldRef FieldSelector `json:"fieldref,omitempty" yaml:"fieldref,omitempty"`
+}
+
+// Target refers to a kubernetes object by Group, Version, Kind and Name
+// gvk.Gvk contains Group, Version and Kind
+// APIVersion is added to keep the backward compatibility of using ObjectReference
+// for Var.ObjRef
+type Target struct {
+	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
+	resid.Gvk  `json:",inline,omitempty" yaml:",inline,omitempty"`
+	Name       string `json:"name" yaml:"name"`
+	Namespace  string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+}
+
+// GVK returns the Gvk object in Target
+func (t *Target) GVK() resid.Gvk {
+	if t.APIVersion == "" {
+		return t.Gvk
+	}
+	versions := strings.Split(t.APIVersion, "/")
+	if len(versions) == 2 {
+		t.Group = versions[0]
+		t.Version = versions[1]
+	}
+	if len(versions) == 1 {
+		t.Version = versions[0]
+	}
+	return t.Gvk
+}
+
+// FieldSelector contains the fieldPath to an object field.
+// This struct is added to keep the backward compatibility of using ObjectFieldSelector
+// for Var.FieldRef
+type FieldSelector struct {
+	FieldPath string `json:"fieldPath,omitempty" yaml:"fieldPath,omitempty"`
+}
+
+// defaulting sets reference to field used by default.
+func (v *Var) Defaulting() {
+	if v.FieldRef.FieldPath == "" {
+		v.FieldRef.FieldPath = DefaultReplacementFieldPath
+	}
+	v.ObjRef.GVK()
+}
+
+// DeepEqual returns true if var a and b are Equals.
+// Note 1: The objects are unchanged by the VarEqual
+// Note 2: Should be normalize be FieldPath before doing
+// the DeepEqual. spec.a[b] is supposed to be the same
+// as spec.a.b
+func (v Var) DeepEqual(other Var) bool {
+	v.Defaulting()
+	other.Defaulting()
+	return reflect.DeepEqual(v, other)
+}
+
+// VarSet is a set of Vars where no var.Name is repeated.
+type VarSet struct {
+	set map[string]Var
+}
+
+// NewVarSet returns an initialized VarSet
+func NewVarSet() VarSet {
+	return VarSet{set: map[string]Var{}}
+}
+
+// AsSlice returns the vars as a slice.
+func (vs *VarSet) AsSlice() []Var {
+	s := make([]Var, len(vs.set))
+	i := 0
+	for _, v := range vs.set {
+		s[i] = v
+		i++
+	}
+	sort.Sort(byName(s))
+	return s
+}
+
+// Copy returns a copy of the var set.
+func (vs *VarSet) Copy() VarSet {
+	newSet := make(map[string]Var, len(vs.set))
+	for k, v := range vs.set {
+		newSet[k] = v
+	}
+	return VarSet{set: newSet}
+}
+
+// MergeSet absorbs other vars with error on name collision.
+func (vs *VarSet) MergeSet(incoming VarSet) error {
+	for _, incomingVar := range incoming.set {
+		if err := vs.Merge(incomingVar); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// MergeSlice absorbs a Var slice with error on name collision.
+// Empty fields in incoming vars are defaulted.
+func (vs *VarSet) MergeSlice(incoming []Var) error {
+	for _, v := range incoming {
+		if err := vs.Merge(v); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Merge absorbs another Var with error on name collision.
+// Empty fields in incoming Var is defaulted.
+func (vs *VarSet) Merge(v Var) error {
+	if vs.Contains(v) {
+		return fmt.Errorf(
+			"var '%s' already encountered", v.Name)
+	}
+	v.Defaulting()
+	vs.set[v.Name] = v
+	return nil
+}
+
+// AbsorbSet absorbs other vars with error on (name,value) collision.
+func (vs *VarSet) AbsorbSet(incoming VarSet) error {
+	for _, v := range incoming.set {
+		if err := vs.Absorb(v); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// AbsorbSlice absorbs a Var slice with error on (name,value) collision.
+// Empty fields in incoming vars are defaulted.
+func (vs *VarSet) AbsorbSlice(incoming []Var) error {
+	for _, v := range incoming {
+		if err := vs.Absorb(v); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Absorb absorbs another Var with error on (name,value) collision.
+// Empty fields in incoming Var is defaulted.
+func (vs *VarSet) Absorb(v Var) error {
+	conflicting := vs.Get(v.Name)
+	if conflicting == nil {
+		// no conflict. The var is valid.
+		v.Defaulting()
+		vs.set[v.Name] = v
+		return nil
+	}
+
+	if !reflect.DeepEqual(v, *conflicting) {
+		// two vars with the same name are pointing at two
+		// different resources.
+		return fmt.Errorf(
+			"var '%s' already encountered", v.Name)
+	}
+	return nil
+}
+
+// Contains is true if the set has the other var.
+func (vs *VarSet) Contains(other Var) bool {
+	return vs.Get(other.Name) != nil
+}
+
+// Get returns the var with the given name, else nil.
+func (vs *VarSet) Get(name string) *Var {
+	if v, found := vs.set[name]; found {
+		return &v
+	}
+	return nil
+}
+
+// byName is a sort interface which sorts Vars by name alphabetically
+type byName []Var
+
+func (v byName) Len() int           { return len(v) }
+func (v byName) Swap(i, j int)      { v[i], v[j] = v[j], v[i] }
+func (v byName) Less(i, j int) bool { return v[i].Name < v[j].Name }
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/LICENSE b/vendor/sigs.k8s.io/kustomize/kyaml/LICENSE
new file mode 100644
index 0000000000..8dada3edaf
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/comments/comments.go b/vendor/sigs.k8s.io/kustomize/kyaml/comments/comments.go
new file mode 100644
index 0000000000..97334d0f08
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/comments/comments.go
@@ -0,0 +1,83 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package comments
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+	"sigs.k8s.io/kustomize/kyaml/yaml/walk"
+)
+
+// CopyComments recursively copies the comments on fields in from to fields in to
+func CopyComments(from, to *yaml.RNode) error {
+	// from node should not be modified, it should be just used as a reference
+	fromCopy := from.Copy()
+	copyFieldComments(fromCopy, to)
+	// walk the fields copying comments
+	_, err := walk.Walker{
+		Sources:            []*yaml.RNode{fromCopy, to},
+		Visitor:            &copier{},
+		VisitKeysAsScalars: true}.Walk()
+	return err
+}
+
+// copier implements walk.Visitor, and copies comments to fields shared between 2 instances
+// of a resource
+type copier struct{}
+
+func (c *copier) VisitMap(s walk.Sources, _ *openapi.ResourceSchema) (*yaml.RNode, error) {
+	copyFieldComments(s.Dest(), s.Origin())
+	return s.Dest(), nil
+}
+
+func (c *copier) VisitScalar(s walk.Sources, _ *openapi.ResourceSchema) (*yaml.RNode, error) {
+	to := s.Origin()
+	// TODO: File a bug with upstream yaml to handle comments for FoldedStyle scalar nodes
+	// Hack: convert FoldedStyle scalar node to DoubleQuotedStyle as the line comments are
+	// being serialized without space
+	// https://github.com/GoogleContainerTools/kpt/issues/766
+	if to != nil && to.Document().Style == yaml.FoldedStyle {
+		to.Document().Style = yaml.DoubleQuotedStyle
+	}
+
+	copyFieldComments(s.Dest(), to)
+	return s.Dest(), nil
+}
+
+func (c *copier) VisitList(s walk.Sources, _ *openapi.ResourceSchema, _ walk.ListKind) (
+	*yaml.RNode, error) {
+	copyFieldComments(s.Dest(), s.Origin())
+	destItems := s.Dest().Content()
+	originItems := s.Origin().Content()
+
+	for i := 0; i < len(destItems) && i < len(originItems); i++ {
+		dest := destItems[i]
+		origin := originItems[i]
+
+		if dest.Value == origin.Value {
+			// We copy the comments recursively on each node in the list.
+			if err := CopyComments(yaml.NewRNode(dest), yaml.NewRNode(origin)); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	return s.Dest(), nil
+}
+
+// copyFieldComments copies the comment from one field to another
+func copyFieldComments(from, to *yaml.RNode) {
+	if from == nil || to == nil {
+		return
+	}
+	if to.Document().LineComment == "" {
+		to.Document().LineComment = from.Document().LineComment
+	}
+	if to.Document().HeadComment == "" {
+		to.Document().HeadComment = from.Document().HeadComment
+	}
+	if to.Document().FootComment == "" {
+		to.Document().FootComment = from.Document().FootComment
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/errors/errors.go b/vendor/sigs.k8s.io/kustomize/kyaml/errors/errors.go
new file mode 100644
index 0000000000..c292d7c681
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/errors/errors.go
@@ -0,0 +1,50 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package errors provides libraries for working with the go-errors/errors library.
+package errors
+
+import (
+	"fmt"
+
+	goerrors "github.com/go-errors/errors"
+)
+
+// Wrap returns err wrapped in a go-error.  If err is nil, returns nil.
+func Wrap(err interface{}) error {
+	if err == nil {
+		return nil
+	}
+	return goerrors.Wrap(err, 1)
+}
+
+// WrapPrefixf returns err wrapped in a go-error with a message prefix.  If err is nil, returns nil.
+func WrapPrefixf(err interface{}, msg string, args ...interface{}) error {
+	if err == nil {
+		return nil
+	}
+	return goerrors.WrapPrefix(err, fmt.Sprintf(msg, args...), 1)
+}
+
+// Errorf returns a new go-error.
+func Errorf(msg string, args ...interface{}) error {
+	return goerrors.Wrap(fmt.Errorf(msg, args...), 1)
+}
+
+// As finds the targeted error in any wrapped error.
+func As(err error, target interface{}) bool {
+	return goerrors.As(err, target)
+}
+
+// Is detects whether the error is equal to a given error.
+func Is(err error, target error) bool {
+	return goerrors.Is(err, target)
+}
+
+// GetStack returns a stack trace for the error if it has one
+func GetStack(err error) string {
+	if e, ok := err.(*goerrors.Error); ok {
+		return string(e.Stack())
+	}
+	return ""
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/ext/ext.go b/vendor/sigs.k8s.io/kustomize/kyaml/ext/ext.go
new file mode 100644
index 0000000000..c946577cce
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/ext/ext.go
@@ -0,0 +1,10 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package ext
+
+// IgnoreFileName returns the name for ignore files in
+// packages. It can be overridden by tools using this library.
+var IgnoreFileName = func() string {
+	return ".krmignore"
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fieldmeta/fieldmeta.go b/vendor/sigs.k8s.io/kustomize/kyaml/fieldmeta/fieldmeta.go
new file mode 100644
index 0000000000..c537c33725
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/fieldmeta/fieldmeta.go
@@ -0,0 +1,275 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package fieldmeta
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"k8s.io/kube-openapi/pkg/validation/spec"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// FieldMeta contains metadata that may be attached to fields as comments
+type FieldMeta struct {
+	Schema spec.Schema
+
+	Extensions XKustomize
+
+	SettersSchema *spec.Schema
+}
+
+type XKustomize struct {
+	SetBy               string               `yaml:"setBy,omitempty" json:"setBy,omitempty"`
+	PartialFieldSetters []PartialFieldSetter `yaml:"partialSetters,omitempty" json:"partialSetters,omitempty"`
+	FieldSetter         *PartialFieldSetter  `yaml:"setter,omitempty" json:"setter,omitempty"`
+}
+
+// PartialFieldSetter defines how to set part of a field rather than the full field
+// value.  e.g. the tag part of an image field
+type PartialFieldSetter struct {
+	// Name is the name of this setter.
+	Name string `yaml:"name" json:"name"`
+
+	// Value is the current value that has been set.
+	Value string `yaml:"value" json:"value"`
+}
+
+// IsEmpty returns true if the FieldMeta has any empty Schema
+func (fm *FieldMeta) IsEmpty() bool {
+	if fm == nil {
+		return true
+	}
+	return reflect.DeepEqual(fm.Schema, spec.Schema{})
+}
+
+// Read reads the FieldMeta from a node
+func (fm *FieldMeta) Read(n *yaml.RNode) error {
+	// check for metadata on head and line comments
+	comments := []string{n.YNode().LineComment, n.YNode().HeadComment}
+	for _, c := range comments {
+		if c == "" {
+			continue
+		}
+		c := strings.TrimLeft(c, "#")
+
+		// check for new short hand notation or fall back to openAPI ref format
+		if !fm.processShortHand(c) {
+			// if it doesn't Unmarshal that is fine, it means there is no metadata
+			// other comments are valid, they just don't parse
+			// TODO: consider more sophisticated parsing techniques similar to what is used
+			// for go struct tags.
+			if err := fm.Schema.UnmarshalJSON([]byte(c)); err != nil {
+				// note: don't return an error if the comment isn't a fieldmeta struct
+				return nil
+			}
+		}
+		fe := fm.Schema.VendorExtensible.Extensions["x-kustomize"]
+		if fe == nil {
+			return nil
+		}
+		b, err := json.Marshal(fe)
+		if err != nil {
+			return errors.Wrap(err)
+		}
+		return json.Unmarshal(b, &fm.Extensions)
+	}
+	return nil
+}
+
+// processShortHand parses the comment for short hand ref, loads schema to fm
+// and returns true if successful, returns false for any other cases and not throw
+// error, as the comment might not be a setter ref
+func (fm *FieldMeta) processShortHand(comment string) bool {
+	input := map[string]string{}
+	err := json.Unmarshal([]byte(comment), &input)
+	if err != nil {
+		return false
+	}
+	name := input[shortHandRef]
+	if name == "" {
+		return false
+	}
+
+	// check if setter with the name exists, else check for a substitution
+	// setter and substitution can't have same name in shorthand
+
+	setterRef, err := spec.NewRef(DefinitionsPrefix + SetterDefinitionPrefix + name)
+	if err != nil {
+		return false
+	}
+
+	setterRefBytes, err := setterRef.MarshalJSON()
+	if err != nil {
+		return false
+	}
+
+	if _, err := openapi.Resolve(&setterRef, fm.SettersSchema); err == nil {
+		setterErr := fm.Schema.UnmarshalJSON(setterRefBytes)
+		return setterErr == nil
+	}
+
+	substRef, err := spec.NewRef(DefinitionsPrefix + SubstitutionDefinitionPrefix + name)
+	if err != nil {
+		return false
+	}
+
+	substRefBytes, err := substRef.MarshalJSON()
+	if err != nil {
+		return false
+	}
+
+	if _, err := openapi.Resolve(&substRef, fm.SettersSchema); err == nil {
+		substErr := fm.Schema.UnmarshalJSON(substRefBytes)
+		return substErr == nil
+	}
+	return false
+}
+
+func isExtensionEmpty(x XKustomize) bool {
+	if x.FieldSetter != nil {
+		return false
+	}
+	if x.SetBy != "" {
+		return false
+	}
+	if len(x.PartialFieldSetters) > 0 {
+		return false
+	}
+	return true
+}
+
+// Write writes the FieldMeta to a node
+func (fm *FieldMeta) Write(n *yaml.RNode) error {
+	if !isExtensionEmpty(fm.Extensions) {
+		return fm.WriteV1Setters(n)
+	}
+
+	// Ref is removed when a setter is deleted, so the Ref string could be empty.
+	if fm.Schema.Ref.String() != "" {
+		// Ex: {"$ref":"#/definitions/io.k8s.cli.setters.replicas"} should be converted to
+		// {"$openAPI":"replicas"} and added to the line comment
+		ref := fm.Schema.Ref.String()
+		var shortHandRefValue string
+		switch {
+		case strings.HasPrefix(ref, DefinitionsPrefix+SetterDefinitionPrefix):
+			shortHandRefValue = strings.TrimPrefix(ref, DefinitionsPrefix+SetterDefinitionPrefix)
+		case strings.HasPrefix(ref, DefinitionsPrefix+SubstitutionDefinitionPrefix):
+			shortHandRefValue = strings.TrimPrefix(ref, DefinitionsPrefix+SubstitutionDefinitionPrefix)
+		default:
+			return fmt.Errorf("unexpected ref format: %s", ref)
+		}
+		n.YNode().LineComment = fmt.Sprintf(`{"%s":"%s"}`, shortHandRef,
+			shortHandRefValue)
+	} else {
+		n.YNode().LineComment = ""
+	}
+
+	return nil
+}
+
+// WriteV1Setters is the v1 setters way of writing setter definitions
+// TODO: pmarupaka - remove this method after migration
+func (fm *FieldMeta) WriteV1Setters(n *yaml.RNode) error {
+	fm.Schema.VendorExtensible.AddExtension("x-kustomize", fm.Extensions)
+	b, err := json.Marshal(fm.Schema)
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	n.YNode().LineComment = string(b)
+	return nil
+}
+
+// FieldValueType defines the type of input to register
+type FieldValueType string
+
+const (
+	// String defines a string flag
+	String FieldValueType = "string"
+	// Bool defines a bool flag
+	Bool = "boolean"
+	// Int defines an int flag
+	Int = "integer"
+)
+
+func (it FieldValueType) String() string {
+	if it == "" {
+		return "string"
+	}
+	return string(it)
+}
+
+func (it FieldValueType) Validate(value string) error {
+	switch it {
+	case Int:
+		if _, err := strconv.Atoi(value); err != nil {
+			return errors.WrapPrefixf(err, "value must be an int")
+		}
+	case Bool:
+		if _, err := strconv.ParseBool(value); err != nil {
+			return errors.WrapPrefixf(err, "value must be a bool")
+		}
+	}
+	return nil
+}
+
+func (it FieldValueType) Tag() string {
+	switch it {
+	case String:
+		return yaml.NodeTagString
+	case Bool:
+		return yaml.NodeTagBool
+	case Int:
+		return yaml.NodeTagInt
+	}
+	return ""
+}
+
+func (it FieldValueType) TagForValue(value string) string {
+	switch it {
+	case String:
+		return yaml.NodeTagString
+	case Bool:
+		if _, err := strconv.ParseBool(string(it)); err != nil {
+			return ""
+		}
+		return yaml.NodeTagBool
+	case Int:
+		if _, err := strconv.ParseInt(string(it), 0, 32); err != nil {
+			return ""
+		}
+		return yaml.NodeTagInt
+	}
+	return ""
+}
+
+const (
+	// CLIDefinitionsPrefix is the prefix for cli definition keys.
+	CLIDefinitionsPrefix = "io.k8s.cli."
+
+	// SetterDefinitionPrefix is the prefix for setter definition keys.
+	SetterDefinitionPrefix = CLIDefinitionsPrefix + "setters."
+
+	// SubstitutionDefinitionPrefix is the prefix for substitution definition keys.
+	SubstitutionDefinitionPrefix = CLIDefinitionsPrefix + "substitutions."
+
+	// DefinitionsPrefix is the prefix used to reference definitions in the OpenAPI
+	DefinitionsPrefix = "#/definitions/"
+)
+
+// shortHandRef is the shorthand reference to setters and substitutions
+var shortHandRef = "$openapi"
+
+func SetShortHandRef(ref string) {
+	shortHandRef = ref
+}
+
+func ShortHandRef() string {
+	return shortHandRef
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/confirmeddir.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/confirmeddir.go
new file mode 100644
index 0000000000..ea6eff90ba
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/confirmeddir.go
@@ -0,0 +1,79 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ConfirmedDir is a clean, absolute, delinkified path
+// that was confirmed to point to an existing directory.
+type ConfirmedDir string
+
+// NewTmpConfirmedDir returns a temporary dir, else error.
+// The directory is cleaned, no symlinks, etc. so it's
+// returned as a ConfirmedDir.
+func NewTmpConfirmedDir() (ConfirmedDir, error) {
+	n, err := os.MkdirTemp("", "kustomize-")
+	if err != nil {
+		return "", err
+	}
+
+	// In MacOs `os.MkdirTemp` creates a directory
+	// with root in the `/var` folder, which is in turn
+	// a symlinked path to `/private/var`.
+	// Function `filepath.EvalSymlinks`is used to
+	// resolve the real absolute path.
+	deLinked, err := filepath.EvalSymlinks(n)
+	return ConfirmedDir(deLinked), err
+}
+
+// HasPrefix returns true if the directory argument
+// is a prefix of self (d) from the point of view of
+// a file system.
+//
+// I.e., it's true if the argument equals or contains
+// self (d) in a file path sense.
+//
+// HasPrefix emulates the semantics of strings.HasPrefix
+// such that the following are true:
+//
+//   strings.HasPrefix("foobar", "foobar")
+//   strings.HasPrefix("foobar", "foo")
+//   strings.HasPrefix("foobar", "")
+//
+//   d := fSys.ConfirmDir("/foo/bar")
+//   d.HasPrefix("/foo/bar")
+//   d.HasPrefix("/foo")
+//   d.HasPrefix("/")
+//
+// Not contacting a file system here to check for
+// actual path existence.
+//
+// This is tested on linux, but will have trouble
+// on other operating systems.
+// TODO(monopole) Refactor when #golang/go/18358 closes.
+// See also:
+//   https://github.com/golang/go/issues/18358
+//   https://github.com/golang/dep/issues/296
+//   https://github.com/golang/dep/blob/master/internal/fs/fs.go#L33
+//   https://codereview.appspot.com/5712045
+func (d ConfirmedDir) HasPrefix(path ConfirmedDir) bool {
+	if path.String() == string(filepath.Separator) || path == d {
+		return true
+	}
+	return strings.HasPrefix(
+		string(d),
+		string(path)+string(filepath.Separator))
+}
+
+func (d ConfirmedDir) Join(path string) string {
+	return filepath.Join(string(d), path)
+}
+
+func (d ConfirmedDir) String() string {
+	return string(d)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/doc.go
new file mode 100644
index 0000000000..bd39634416
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/doc.go
@@ -0,0 +1,7 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package filesys provides a file system abstraction,
+// a subset of that provided by golang.org/pkg/os,
+// with an on-disk and in-memory representation.
+package filesys
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/file.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/file.go
new file mode 100644
index 0000000000..5044c653e7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/file.go
@@ -0,0 +1,15 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"io"
+	"os"
+)
+
+// File groups the basic os.File methods.
+type File interface {
+	io.ReadWriteCloser
+	Stat() (os.FileInfo, error)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileinfo.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileinfo.go
new file mode 100644
index 0000000000..57646d2440
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileinfo.go
@@ -0,0 +1,34 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"os"
+	"time"
+)
+
+var _ os.FileInfo = fileInfo{}
+
+// fileInfo implements os.FileInfo for a fileInMemory instance.
+type fileInfo struct {
+	node *fsNode
+}
+
+// Name returns the name of the file
+func (fi fileInfo) Name() string { return fi.node.Name() }
+
+// Size returns the size of the file
+func (fi fileInfo) Size() int64 { return fi.node.Size() }
+
+// Mode returns the file mode
+func (fi fileInfo) Mode() os.FileMode { return 0777 }
+
+// ModTime returns a bogus time
+func (fi fileInfo) ModTime() time.Time { return time.Time{} }
+
+// IsDir returns true if it is a directory
+func (fi fileInfo) IsDir() bool { return fi.node.isNodeADir() }
+
+// Sys should return underlying data source, but it now returns nil
+func (fi fileInfo) Sys() interface{} { return nil }
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileondisk.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileondisk.go
new file mode 100644
index 0000000000..8ed92d90ee
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileondisk.go
@@ -0,0 +1,27 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"os"
+)
+
+var _ File = &fileOnDisk{}
+
+// fileOnDisk implements File using the local filesystem.
+type fileOnDisk struct {
+	file *os.File
+}
+
+// Close closes a file.
+func (f *fileOnDisk) Close() error { return f.file.Close() }
+
+// Read reads a file's content.
+func (f *fileOnDisk) Read(p []byte) (n int, err error) { return f.file.Read(p) }
+
+// Write writes bytes to a file
+func (f *fileOnDisk) Write(p []byte) (n int, err error) { return f.file.Write(p) }
+
+// Stat returns an interface which has all the information regarding the file.
+func (f *fileOnDisk) Stat() (os.FileInfo, error) { return f.file.Stat() }
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/filesystem.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/filesystem.go
new file mode 100644
index 0000000000..c29d5ad8a7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/filesystem.go
@@ -0,0 +1,154 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+const (
+	Separator = string(filepath.Separator)
+	SelfDir   = "."
+	ParentDir = ".."
+)
+
+// FileSystem groups basic os filesystem methods.
+// It's supposed be functional subset of https://golang.org/pkg/os
+type FileSystem interface {
+
+	// Create a file.
+	Create(path string) (File, error)
+
+	// MkDir makes a directory.
+	Mkdir(path string) error
+
+	// MkDirAll makes a directory path, creating intervening directories.
+	MkdirAll(path string) error
+
+	// RemoveAll removes path and any children it contains.
+	RemoveAll(path string) error
+
+	// Open opens the named file for reading.
+	Open(path string) (File, error)
+
+	// IsDir returns true if the path is a directory.
+	IsDir(path string) bool
+
+	// ReadDir returns a list of files and directories within a directory.
+	ReadDir(path string) ([]string, error)
+
+	// CleanedAbs converts the given path into a
+	// directory and a file name, where the directory
+	// is represented as a ConfirmedDir and all that implies.
+	// If the entire path is a directory, the file component
+	// is an empty string.
+	CleanedAbs(path string) (ConfirmedDir, string, error)
+
+	// Exists is true if the path exists in the file system.
+	Exists(path string) bool
+
+	// Glob returns the list of matching files,
+	// emulating https://golang.org/pkg/path/filepath/#Glob
+	Glob(pattern string) ([]string, error)
+
+	// ReadFile returns the contents of the file at the given path.
+	ReadFile(path string) ([]byte, error)
+
+	// WriteFile writes the data to a file at the given path,
+	// overwriting anything that's already there.
+	WriteFile(path string, data []byte) error
+
+	// Walk walks the file system with the given WalkFunc.
+	Walk(path string, walkFn filepath.WalkFunc) error
+}
+
+// ConfirmDir returns an error if the user-specified path is not an existing directory on fSys.
+// Otherwise, ConfirmDir returns path, which can be relative, as a ConfirmedDir and all that implies.
+func ConfirmDir(fSys FileSystem, path string) (ConfirmedDir, error) {
+	if path == "" {
+		return "", errors.Errorf("directory path cannot be empty")
+	}
+
+	d, f, err := fSys.CleanedAbs(path)
+	if err != nil {
+		return "", errors.WrapPrefixf(err, "not a valid directory")
+	}
+	if f != "" {
+		//nolint:govet
+		return "", errors.WrapPrefixf(errors.Errorf("file is not directory"), fmt.Sprintf("'%s'", path))
+	}
+	return d, nil
+}
+
+// FileSystemOrOnDisk satisfies the FileSystem interface by forwarding
+// all of its method calls to the given FileSystem whenever it's not nil.
+// If it's nil, the call is forwarded to the OS's underlying file system.
+type FileSystemOrOnDisk struct {
+	FileSystem FileSystem
+}
+
+// Set sets the given FileSystem as the target for all the FileSystem method calls.
+func (fs *FileSystemOrOnDisk) Set(f FileSystem) { fs.FileSystem = f }
+
+func (fs FileSystemOrOnDisk) fs() FileSystem {
+	if fs.FileSystem != nil {
+		return fs.FileSystem
+	}
+	return MakeFsOnDisk()
+}
+
+func (fs FileSystemOrOnDisk) Create(path string) (File, error) {
+	return fs.fs().Create(path)
+}
+
+func (fs FileSystemOrOnDisk) Mkdir(path string) error {
+	return fs.fs().Mkdir(path)
+}
+
+func (fs FileSystemOrOnDisk) MkdirAll(path string) error {
+	return fs.fs().MkdirAll(path)
+}
+
+func (fs FileSystemOrOnDisk) RemoveAll(path string) error {
+	return fs.fs().RemoveAll(path)
+}
+
+func (fs FileSystemOrOnDisk) Open(path string) (File, error) {
+	return fs.fs().Open(path)
+}
+
+func (fs FileSystemOrOnDisk) IsDir(path string) bool {
+	return fs.fs().IsDir(path)
+}
+
+func (fs FileSystemOrOnDisk) ReadDir(path string) ([]string, error) {
+	return fs.fs().ReadDir(path)
+}
+
+func (fs FileSystemOrOnDisk) CleanedAbs(path string) (ConfirmedDir, string, error) {
+	return fs.fs().CleanedAbs(path)
+}
+
+func (fs FileSystemOrOnDisk) Exists(path string) bool {
+	return fs.fs().Exists(path)
+}
+
+func (fs FileSystemOrOnDisk) Glob(pattern string) ([]string, error) {
+	return fs.fs().Glob(pattern)
+}
+
+func (fs FileSystemOrOnDisk) ReadFile(path string) ([]byte, error) {
+	return fs.fs().ReadFile(path)
+}
+
+func (fs FileSystemOrOnDisk) WriteFile(path string, data []byte) error {
+	return fs.fs().WriteFile(path, data)
+}
+
+func (fs FileSystemOrOnDisk) Walk(path string, walkFn filepath.WalkFunc) error {
+	return fs.fs().Walk(path, walkFn)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsnode.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsnode.go
new file mode 100644
index 0000000000..608b8e38ac
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsnode.go
@@ -0,0 +1,647 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"regexp"
+	"sort"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+var _ File = &fsNode{}
+var _ FileSystem = &fsNode{}
+
+// fsNode is either a file or a directory.
+type fsNode struct {
+	// What node owns me?
+	parent *fsNode
+
+	// Value to return as the Name() when the
+	// parent is nil.
+	nilParentName string
+
+	// A directory mapping names to nodes.
+	// If dir is nil, then self node is a file.
+	// If dir is non-nil, then self node is a directory,
+	// albeit possibly an empty directory.
+	dir map[string]*fsNode
+
+	// if this node is a file, this is the content.
+	content []byte
+
+	// if offset is not nil the file is open and it tracks
+	// the current file offset.
+	offset *int
+}
+
+// MakeEmptyDirInMemory returns an empty directory.
+// The paths of nodes in this object will never
+// report a leading Separator, meaning they
+// aren't "absolute" in the sense defined by
+// https://golang.org/pkg/path/filepath/#IsAbs.
+func MakeEmptyDirInMemory() *fsNode {
+	return &fsNode{
+		dir: make(map[string]*fsNode),
+	}
+}
+
+// MakeFsInMemory returns an empty 'file system'.
+// The paths of nodes in this object will always
+// report a leading Separator, meaning they
+// are "absolute" in the sense defined by
+// https://golang.org/pkg/path/filepath/#IsAbs.
+// This is a relevant difference when using Walk,
+// Glob, Match, etc.
+func MakeFsInMemory() FileSystem {
+	return &fsNode{
+		nilParentName: Separator,
+		dir:           make(map[string]*fsNode),
+	}
+}
+
+// Name returns the name of the node.
+func (n *fsNode) Name() string {
+	if n.parent == nil {
+		// Unable to lookup name in parent.
+		return n.nilParentName
+	}
+	if !n.parent.isNodeADir() {
+		log.Fatal("parent not a dir")
+	}
+	for key, value := range n.parent.dir {
+		if value == n {
+			return key
+		}
+	}
+	log.Fatal("unable to find fsNode name")
+	return ""
+}
+
+// Path returns the full path to the node.
+func (n *fsNode) Path() string {
+	if n.parent == nil {
+		return n.nilParentName
+	}
+	if !n.parent.isNodeADir() {
+		log.Fatal("parent not a dir, structural error")
+	}
+	return filepath.Join(n.parent.Path(), n.Name())
+}
+
+// mySplit trims trailing separators from the directory
+// result of filepath.Split.
+func mySplit(s string) (string, string) {
+	dName, fName := filepath.Split(s)
+	return StripTrailingSeps(dName), fName
+}
+
+func (n *fsNode) addFile(name string, c []byte) (result *fsNode, err error) {
+	parent := n
+	dName, fileName := mySplit(name)
+	if dName != "" {
+		parent, err = parent.addDir(dName)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if !isLegalFileNameForCreation(fileName) {
+		return nil, fmt.Errorf(
+			"illegal name '%s' in file creation", fileName)
+	}
+	result, ok := parent.dir[fileName]
+	if ok {
+		// File already exists; overwrite it.
+		if result.offset != nil {
+			return nil, fmt.Errorf("cannot add already opened file '%s'", n.Path())
+		}
+		result.content = append(result.content[:0], c...)
+		return result, nil
+	}
+	result = &fsNode{
+		content: append([]byte(nil), c...),
+		parent:  parent,
+	}
+	parent.dir[fileName] = result
+	return result, nil
+}
+
+// Create implements FileSystem.
+// Create makes an empty file.
+func (n *fsNode) Create(path string) (result File, err error) {
+	f, err := n.AddFile(path, nil)
+	if err != nil {
+		return f, err
+	}
+	f.offset = new(int)
+	return f, nil
+}
+
+// WriteFile implements FileSystem.
+func (n *fsNode) WriteFile(path string, d []byte) error {
+	_, err := n.AddFile(path, d)
+	return err
+}
+
+// AddFile adds a file and any necessary containing
+// directories to the node.
+func (n *fsNode) AddFile(
+	name string, c []byte) (result *fsNode, err error) {
+	if n.dir == nil {
+		return nil, fmt.Errorf(
+			"cannot add a file to a non-directory '%s'", n.Name())
+	}
+	return n.addFile(cleanQueryPath(name), c)
+}
+
+func (n *fsNode) addDir(path string) (result *fsNode, err error) {
+	parent := n
+	dName, subDirName := mySplit(path)
+	if dName != "" {
+		parent, err = n.addDir(dName)
+		if err != nil {
+			return nil, err
+		}
+	}
+	switch subDirName {
+	case "", SelfDir:
+		return n, nil
+	case ParentDir:
+		if n.parent == nil {
+			return nil, fmt.Errorf(
+				"cannot add a directory above '%s'", n.Path())
+		}
+		return n.parent, nil
+	default:
+		if !isLegalFileNameForCreation(subDirName) {
+			return nil, fmt.Errorf(
+				"illegal name '%s' in directory creation", subDirName)
+		}
+		result, ok := parent.dir[subDirName]
+		if ok {
+			if result.isNodeADir() {
+				// it's already there.
+				return result, nil
+			}
+			return nil, fmt.Errorf(
+				"cannot make dir '%s'; a file of that name already exists in '%s'",
+				subDirName, parent.Name())
+		}
+		result = &fsNode{
+			dir:    make(map[string]*fsNode),
+			parent: parent,
+		}
+		parent.dir[subDirName] = result
+		return result, nil
+	}
+}
+
+// Mkdir implements FileSystem.
+// Mkdir creates a directory.
+func (n *fsNode) Mkdir(path string) error {
+	_, err := n.AddDir(path)
+	return err
+}
+
+// MkdirAll implements FileSystem.
+// MkdirAll creates a directory.
+func (n *fsNode) MkdirAll(path string) error {
+	_, err := n.AddDir(path)
+	return err
+}
+
+// AddDir adds a directory to the node, not complaining
+// if it is already there.
+func (n *fsNode) AddDir(path string) (result *fsNode, err error) {
+	if n.dir == nil {
+		return nil, fmt.Errorf(
+			"cannot add a directory to file node '%s'", n.Name())
+	}
+	return n.addDir(cleanQueryPath(path))
+}
+
+// CleanedAbs implements FileSystem.
+func (n *fsNode) CleanedAbs(path string) (ConfirmedDir, string, error) {
+	node, err := n.Find(path)
+	if err != nil {
+		return "", "", errors.WrapPrefixf(err, "unable to clean")
+	}
+	if node == nil {
+		return "", "", notExistError(path)
+	}
+	if node.isNodeADir() {
+		return ConfirmedDir(node.Path()), "", nil
+	}
+	return ConfirmedDir(node.parent.Path()), node.Name(), nil
+}
+
+// Exists implements FileSystem.
+// Exists returns true if the path exists.
+func (n *fsNode) Exists(path string) bool {
+	if !n.isNodeADir() {
+		return n.Name() == path
+	}
+	result, err := n.Find(path)
+	if err != nil {
+		return false
+	}
+	return result != nil
+}
+
+func cleanQueryPath(path string) string {
+	// Always ignore leading separator?
+	// Remember that filepath.Clean returns "." if
+	// given an empty string argument.
+	return filepath.Clean(StripLeadingSeps(path))
+}
+
+// Find finds the given node, else nil if not found.
+// Return error on structural/argument errors.
+func (n *fsNode) Find(path string) (*fsNode, error) {
+	if !n.isNodeADir() {
+		return nil, fmt.Errorf("can only find inside a dir")
+	}
+	if path == "" {
+		// Special case; check *before* cleaning and *before*
+		// comparison to nilParentName.
+		return nil, nil
+	}
+	if (n.parent == nil && path == n.nilParentName) || path == SelfDir {
+		// Special case
+		return n, nil
+	}
+	return n.findIt(cleanQueryPath(path))
+}
+
+func (n *fsNode) findIt(path string) (result *fsNode, err error) {
+	parent := n
+	dName, item := mySplit(path)
+	if dName != "" {
+		parent, err = n.findIt(dName)
+		if err != nil {
+			return nil, err
+		}
+		if parent == nil {
+			// all done, target doesn't exist.
+			return nil, nil
+		}
+	}
+	if !parent.isNodeADir() {
+		return nil, fmt.Errorf("'%s' is not a directory", parent.Path())
+	}
+	return parent.dir[item], nil
+}
+
+// RemoveAll implements FileSystem.
+// RemoveAll removes an item and everything it contains.
+func (n *fsNode) RemoveAll(path string) error {
+	result, err := n.Find(path)
+	if err != nil {
+		return err
+	}
+	if result == nil {
+		// If the path doesn't exist, no need to remove anything.
+		return nil
+	}
+	return result.Remove()
+}
+
+// Remove drop the node, and everything it contains, from its parent.
+func (n *fsNode) Remove() error {
+	if n.parent == nil {
+		return fmt.Errorf("cannot remove a root node")
+	}
+	if !n.parent.isNodeADir() {
+		log.Fatal("parent not a dir")
+	}
+	for key, value := range n.parent.dir {
+		if value == n {
+			delete(n.parent.dir, key)
+			return nil
+		}
+	}
+	log.Fatal("unable to find self in parent")
+	return nil
+}
+
+// isNodeADir returns true if the node is a directory.
+// Cannot collide with the poorly named "IsDir".
+func (n *fsNode) isNodeADir() bool {
+	return n.dir != nil
+}
+
+// IsDir implements FileSystem.
+// IsDir returns true if the argument resolves
+// to a directory rooted at the node.
+func (n *fsNode) IsDir(path string) bool {
+	result, err := n.Find(path)
+	if err != nil || result == nil {
+		return false
+	}
+	return result.isNodeADir()
+}
+
+// ReadDir implements FileSystem.
+func (n *fsNode) ReadDir(path string) ([]string, error) {
+	if !n.Exists(path) {
+		return nil, notExistError(path)
+	}
+	if !n.IsDir(path) {
+		return nil, fmt.Errorf("%s is not a directory", path)
+	}
+
+	dir, err := n.Find(path)
+	if err != nil {
+		return nil, err
+	}
+	if dir == nil {
+		return nil, fmt.Errorf("could not find directory %s", path)
+	}
+
+	keys := make([]string, len(dir.dir))
+	i := 0
+	for k := range dir.dir {
+		keys[i] = k
+		i++
+	}
+	return keys, nil
+}
+
+// Size returns the size of the node.
+func (n *fsNode) Size() int64 {
+	if n.isNodeADir() {
+		return int64(len(n.dir))
+	}
+	return int64(len(n.content))
+}
+
+// Open implements FileSystem.
+// Open opens the node in read-write mode and sets the offset its start.
+// Writing right after opening the file will replace the original content
+// and move the offset forward, as with a file opened with O_RDWR | O_CREATE.
+//
+// As an example, let's consider a file with content "content":
+// - open: sets offset to start, content is "content"
+// - write "@": offset increases by one, the content is now "@ontent"
+// - read the rest: since offset is 1, the read operation returns "ontent"
+// - write "$": offset is at EOF, so "$" is appended and content is now "@ontent$"
+// - read the rest: returns 0 bytes and EOF
+// - close: the content is still "@ontent$"
+func (n *fsNode) Open(path string) (File, error) {
+	result, err := n.Find(path)
+	if err != nil {
+		return nil, err
+	}
+	if result == nil {
+		return nil, notExistError(path)
+	}
+	if result.offset != nil {
+		return nil, fmt.Errorf("cannot open previously opened file '%s'", path)
+	}
+	result.offset = new(int)
+	return result, nil
+}
+
+// Close marks the node closed.
+func (n *fsNode) Close() error {
+	if n.offset == nil {
+		return fmt.Errorf("cannot close already closed file '%s'", n.Path())
+	}
+	n.offset = nil
+	return nil
+}
+
+// ReadFile implements FileSystem.
+func (n *fsNode) ReadFile(path string) (c []byte, err error) {
+	result, err := n.Find(path)
+	if err != nil {
+		return nil, err
+	}
+	if result == nil {
+		return nil, notExistError(path)
+	}
+	if result.isNodeADir() {
+		return nil, fmt.Errorf("cannot read content from non-file '%s'", n.Path())
+	}
+	c = make([]byte, len(result.content))
+	copy(c, result.content)
+	return c, nil
+}
+
+// Read returns the content of the file node.
+func (n *fsNode) Read(d []byte) (c int, err error) {
+	if n.isNodeADir() {
+		return 0, fmt.Errorf(
+			"cannot read content from non-file '%s'", n.Path())
+	}
+	if n.offset == nil {
+		return 0, fmt.Errorf("cannot read from closed file '%s'", n.Path())
+	}
+
+	rest := n.content[*n.offset:]
+	if len(d) < len(rest) {
+		rest = rest[:len(d)]
+	} else {
+		err = io.EOF
+	}
+	copy(d, rest)
+	*n.offset += len(rest)
+	return len(rest), err
+}
+
+// Write saves the contents of the argument to the file node.
+func (n *fsNode) Write(p []byte) (c int, err error) {
+	if n.isNodeADir() {
+		return 0, fmt.Errorf(
+			"cannot write content to non-file '%s'", n.Path())
+	}
+	if n.offset == nil {
+		return 0, fmt.Errorf("cannot write to closed file '%s'", n.Path())
+	}
+	n.content = append(n.content[:*n.offset], p...)
+	*n.offset = len(n.content)
+	return len(p), nil
+}
+
+// ContentMatches returns true if v matches fake file's content.
+func (n *fsNode) ContentMatches(v []byte) bool {
+	return bytes.Equal(v, n.content)
+}
+
+// GetContent the content of a fake file.
+func (n *fsNode) GetContent() []byte {
+	return n.content
+}
+
+// Stat returns an instance of FileInfo.
+func (n *fsNode) Stat() (os.FileInfo, error) {
+	return fileInfo{node: n}, nil
+}
+
+// Walk implements FileSystem.
+func (n *fsNode) Walk(path string, walkFn filepath.WalkFunc) error {
+	result, err := n.Find(path)
+	if err != nil {
+		return err
+	}
+	if result == nil {
+		return notExistError(path)
+	}
+	return result.WalkMe(walkFn)
+}
+
+// Walk runs the given walkFn on each node.
+func (n *fsNode) WalkMe(walkFn filepath.WalkFunc) error {
+	fi, err := n.Stat()
+	// always visit self first
+	err = walkFn(n.Path(), fi, err)
+	if !n.isNodeADir() {
+		// it's a file, so nothing more to do
+		return err
+	}
+	// process self as a directory
+	if err == filepath.SkipDir {
+		return nil
+	}
+	// Walk is supposed to visit in lexical order.
+	for _, k := range n.sortedDirEntries() {
+		if err := n.dir[k].WalkMe(walkFn); err != nil {
+			if err == filepath.SkipDir {
+				// stop processing this directory
+				break
+			}
+			// bail out completely
+			return err
+		}
+	}
+	return nil
+}
+
+func (n *fsNode) sortedDirEntries() []string {
+	keys := make([]string, len(n.dir))
+	i := 0
+	for k := range n.dir {
+		keys[i] = k
+		i++
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+// FileCount returns a count of files.
+// Directories, empty or otherwise, not counted.
+func (n *fsNode) FileCount() int {
+	count := 0
+	n.WalkMe(func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() {
+			count++
+		}
+		return nil
+	})
+	return count
+}
+
+func (n *fsNode) DebugPrint() {
+	n.WalkMe(func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			fmt.Printf("err '%v' at path %q\n", err, path)
+			return nil
+		}
+		if info.IsDir() {
+			if info.Size() == 0 {
+				fmt.Println("empty dir: " + path)
+			}
+		} else {
+			fmt.Println("     file: " + path)
+		}
+		return nil
+	})
+}
+
+var legalFileNamePattern = regexp.MustCompile("^[a-zA-Z0-9-_.:]+$")
+
+// This rules enforced here should be simpler and tighter
+// than what's allowed on a real OS.
+// Should be fine for testing or in-memory purposes.
+func isLegalFileNameForCreation(n string) bool {
+	if n == "" || n == SelfDir || !legalFileNamePattern.MatchString(n) {
+		return false
+	}
+	return !strings.Contains(n, ParentDir)
+}
+
+// RegExpGlob returns a list of file paths matching the regexp.
+// Excludes directories.
+func (n *fsNode) RegExpGlob(pattern string) ([]string, error) {
+	var result []string
+	var expression = regexp.MustCompile(pattern)
+	err := n.WalkMe(func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() {
+			if expression.MatchString(path) {
+				result = append(result, path)
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	sort.Strings(result)
+	return result, nil
+}
+
+// Glob implements FileSystem.
+// Glob returns the list of file paths matching
+// per filepath.Match semantics, i.e. unlike RegExpGlob,
+// Match("foo/a*") will not match sub-sub directories of foo.
+// This is how /bin/ls behaves.
+func (n *fsNode) Glob(pattern string) ([]string, error) {
+	var result []string
+	var allFiles []string
+	err := n.WalkMe(func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() {
+			match, err := filepath.Match(pattern, path)
+			if err != nil {
+				return err
+			}
+			if match {
+				allFiles = append(allFiles, path)
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	if IsHiddenFilePath(pattern) {
+		result = allFiles
+	} else {
+		result = RemoveHiddenFiles(allFiles)
+	}
+	sort.Strings(result)
+	return result, nil
+}
+
+// notExistError indicates that a file or directory does not exist.
+// Unwrapping returns os.ErrNotExist so errors.Is(err, os.ErrNotExist) works correctly.
+type notExistError string
+
+func (err notExistError) Error() string { return fmt.Sprintf("'%s' doesn't exist", string(err)) }
+func (err notExistError) Unwrap() error { return os.ErrNotExist }
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk.go
new file mode 100644
index 0000000000..10ce83f122
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk.go
@@ -0,0 +1,141 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+var _ FileSystem = fsOnDisk{}
+
+// fsOnDisk implements FileSystem using the local filesystem.
+type fsOnDisk struct{}
+
+// MakeFsOnDisk makes an instance of fsOnDisk.
+func MakeFsOnDisk() FileSystem {
+	return fsOnDisk{}
+}
+
+// Create delegates to os.Create.
+func (fsOnDisk) Create(name string) (File, error) { return os.Create(name) }
+
+// Mkdir delegates to os.Mkdir.
+func (fsOnDisk) Mkdir(name string) error {
+	return os.Mkdir(name, 0777|os.ModeDir)
+}
+
+// MkdirAll delegates to os.MkdirAll.
+func (fsOnDisk) MkdirAll(name string) error {
+	return os.MkdirAll(name, 0777|os.ModeDir)
+}
+
+// RemoveAll delegates to os.RemoveAll.
+func (fsOnDisk) RemoveAll(name string) error {
+	return os.RemoveAll(name)
+}
+
+// Open delegates to os.Open.
+func (fsOnDisk) Open(name string) (File, error) { return os.Open(name) }
+
+// CleanedAbs converts the given path into a
+// directory and a file name, where the directory
+// is represented as a ConfirmedDir and all that implies.
+// If the entire path is a directory, the file component
+// is an empty string.
+func (x fsOnDisk) CleanedAbs(
+	path string) (ConfirmedDir, string, error) {
+	absRoot, err := filepath.Abs(path)
+	if err != nil {
+		return "", "", fmt.Errorf(
+			"abs path error on '%s' : %v", path, err)
+	}
+	deLinked, err := filepath.EvalSymlinks(absRoot)
+	if err != nil {
+		return "", "", fmt.Errorf(
+			"evalsymlink failure on '%s' : %w", path, err)
+	}
+	if x.IsDir(deLinked) {
+		return ConfirmedDir(deLinked), "", nil
+	}
+	d := filepath.Dir(deLinked)
+	if !x.IsDir(d) {
+		// Programmer/assumption error.
+		log.Fatalf("first part of '%s' not a directory", deLinked)
+	}
+	if d == deLinked {
+		// Programmer/assumption error.
+		log.Fatalf("d '%s' should be a subset of deLinked", d)
+	}
+	f := filepath.Base(deLinked)
+	if filepath.Join(d, f) != deLinked {
+		// Programmer/assumption error.
+		log.Fatalf("these should be equal: '%s', '%s'",
+			filepath.Join(d, f), deLinked)
+	}
+	return ConfirmedDir(d), f, nil
+}
+
+// Exists returns true if os.Stat succeeds.
+func (fsOnDisk) Exists(name string) bool {
+	_, err := os.Stat(name)
+	return err == nil
+}
+
+// Glob returns the list of matching files
+func (fsOnDisk) Glob(pattern string) ([]string, error) {
+	var result []string
+	allFilePaths, err := filepath.Glob(pattern)
+	if err != nil {
+		return nil, err
+	}
+	if IsHiddenFilePath(pattern) {
+		result = allFilePaths
+	} else {
+		result = RemoveHiddenFiles(allFilePaths)
+	}
+	return result, nil
+}
+
+// IsDir delegates to os.Stat and FileInfo.IsDir
+func (fsOnDisk) IsDir(name string) bool {
+	info, err := os.Stat(name)
+	if err != nil {
+		return false
+	}
+	return info.IsDir()
+}
+
+// ReadDir delegates to os.ReadDir
+func (fsOnDisk) ReadDir(name string) ([]string, error) {
+	dirEntries, err := os.ReadDir(name)
+	if err != nil {
+		return nil, err
+	}
+	result := make([]string, len(dirEntries))
+	for i := range dirEntries {
+		result[i] = dirEntries[i].Name()
+	}
+	return result, nil
+}
+
+// ReadFile delegates to os.ReadFile.
+func (fsOnDisk) ReadFile(name string) ([]byte, error) {
+	content, err := os.ReadFile(name)
+	return content, errors.Wrap(err)
+}
+
+// WriteFile delegates to os.WriteFile with read/write permissions.
+func (fsOnDisk) WriteFile(name string, c []byte) error {
+	return errors.Wrap(os.WriteFile(name, c, 0666)) //nolint:gosec
+}
+
+// Walk delegates to filepath.Walk.
+func (fsOnDisk) Walk(path string, walkFn filepath.WalkFunc) error {
+	return filepath.Walk(path, walkFn)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_unix.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_unix.go
new file mode 100644
index 0000000000..15935a462a
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_unix.go
@@ -0,0 +1,15 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !windows
+// +build !windows
+
+package filesys
+
+import (
+	"path/filepath"
+)
+
+func getOSRoot() (string, error) {
+	return string(filepath.Separator), nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_windows.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_windows.go
new file mode 100644
index 0000000000..8c8a33c4db
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_windows.go
@@ -0,0 +1,18 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"path/filepath"
+
+	"golang.org/x/sys/windows"
+)
+
+func getOSRoot() (string, error) {
+	sysDir, err := windows.GetSystemDirectory()
+	if err != nil {
+		return "", err
+	}
+	return filepath.VolumeName(sysDir) + `\`, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/util.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/util.go
new file mode 100644
index 0000000000..0713ffe2cb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/util.go
@@ -0,0 +1,143 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package filesys
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// RootedPath returns a rooted path, e.g. "/foo/bar" as
+// opposed to "foo/bar".
+func RootedPath(elem ...string) string {
+	return Separator + filepath.Join(elem...)
+}
+
+// StripTrailingSeps trims trailing filepath separators from input.
+func StripTrailingSeps(s string) string {
+	k := len(s)
+	for k > 0 && s[k-1] == filepath.Separator {
+		k--
+	}
+	return s[:k]
+}
+
+// StripLeadingSeps trims leading filepath separators from input.
+func StripLeadingSeps(s string) string {
+	k := 0
+	for k < len(s) && s[k] == filepath.Separator {
+		k++
+	}
+	return s[k:]
+}
+
+// PathSplit converts a file path to a slice of string.
+// If the path is absolute (if the path has a leading slash),
+// then the first entry in the result is an empty string.
+// Desired:  path == PathJoin(PathSplit(path))
+func PathSplit(incoming string) []string {
+	if incoming == "" {
+		return []string{}
+	}
+	dir, path := filepath.Split(incoming)
+	if dir == string(os.PathSeparator) {
+		if path == "" {
+			return []string{""}
+		}
+		return []string{"", path}
+	}
+	dir = strings.TrimSuffix(dir, string(os.PathSeparator))
+	if dir == "" {
+		return []string{path}
+	}
+	return append(PathSplit(dir), path)
+}
+
+// PathJoin converts a slice of string to a file path.
+// If the first entry is an empty string, then the returned
+// path is absolute (it has a leading slash).
+// Desired:  path == PathJoin(PathSplit(path))
+func PathJoin(incoming []string) string {
+	if len(incoming) == 0 {
+		return ""
+	}
+	if incoming[0] == "" {
+		return string(os.PathSeparator) + filepath.Join(incoming[1:]...)
+	}
+	return filepath.Join(incoming...)
+}
+
+// InsertPathPart inserts 'part' at position 'pos' in the given filepath.
+// The first position is 0.
+//
+// E.g. if part == 'PEACH'
+//
+//	             OLD : NEW                    : POS
+//	 --------------------------------------------------------
+//	         {empty} : PEACH                  : irrelevant
+//	               / : /PEACH                 : irrelevant
+//	             pie : PEACH/pie              : 0 (or negative)
+//	            /pie : /PEACH/pie             : 0 (or negative)
+//	             raw : raw/PEACH              : 1 (or larger)
+//	            /raw : /raw/PEACH             : 1 (or larger)
+//	 a/nice/warm/pie : a/nice/warm/PEACH/pie  : 3
+//	/a/nice/warm/pie : /a/nice/warm/PEACH/pie : 3
+//
+// * An empty part results in no change.
+//
+//   - Absolute paths get their leading '/' stripped, treated like
+//     relative paths, and the leading '/' is re-added on output.
+//     The meaning of pos is intentionally the same in either absolute or
+//     relative paths; if it weren't, this function could convert absolute
+//     paths to relative paths, which is not desirable.
+//
+//   - For robustness (liberal input, conservative output) Pos values
+//     that are too small (large) to index the split filepath result in a
+//     prefix (postfix) rather than an error.  Use extreme position values
+//     to assure a prefix or postfix (e.g. 0 will always prefix, and
+//     9999 will presumably always postfix).
+func InsertPathPart(path string, pos int, part string) string {
+	if part == "" {
+		return path
+	}
+	parts := PathSplit(path)
+	if pos < 0 {
+		pos = 0
+	} else if pos > len(parts) {
+		pos = len(parts)
+	}
+	if len(parts) > 0 && parts[0] == "" && pos < len(parts) {
+		// An empty string at 0 indicates an absolute path, and means
+		// we must increment pos.  This change means that a position
+		// specification has the same meaning in relative and absolute paths.
+		// E.g. in either the path 'a/b/c' or the path '/a/b/c',
+		// 'a' is at 0, 'b' is at 1 and 'c' is at 2, and inserting at
+		// zero means a new first field _without_ changing an absolute
+		// path to a relative path.
+		pos++
+	}
+	result := make([]string, len(parts)+1)
+	copy(result, parts[0:pos])
+	result[pos] = part
+	return PathJoin(append(result, parts[pos:]...)) //nolint: makezero
+}
+
+func IsHiddenFilePath(pattern string) bool {
+	return strings.HasPrefix(filepath.Base(pattern), ".")
+}
+
+// Removes paths containing hidden files/folders from a list of paths
+func RemoveHiddenFiles(paths []string) []string {
+	if len(paths) == 0 {
+		return paths
+	}
+	var result []string
+	for _, path := range paths {
+		if !IsHiddenFilePath(path) {
+			result = append(result, path)
+		}
+	}
+	return result
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/container/container.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/container/container.go
new file mode 100644
index 0000000000..62aa76f53a
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/container/container.go
@@ -0,0 +1,208 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package container
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	runtimeexec "sigs.k8s.io/kustomize/kyaml/fn/runtime/exec"
+	"sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter filters Resources using a container image.
+// The container must start a process that reads the list of
+// input Resources from stdin, reads the Configuration from the env
+// API_CONFIG, and writes the filtered Resources to stdout.
+// If there is a error or validation failure, the process must exit
+// non-zero.
+// The full set of environment variables from the parent process
+// are passed to the container.
+//
+// Function Scoping:
+// Filter applies the function only to Resources to which it is scoped.
+//
+// Resources are scoped to a function if any of the following are true:
+// - the Resource were read from the same directory as the function config
+// - the Resource were read from a subdirectory of the function config directory
+// - the function config is in a directory named "functions" and
+//   they were read from a subdirectory of "functions" parent
+// - the function config doesn't have a path annotation (considered globally scoped)
+// - the Filter has GlobalScope == true
+//
+// In Scope Examples:
+//
+// Example 1: deployment.yaml and service.yaml in function.yaml scope
+//            same directory as the function config directory
+//     .
+//     ├── function.yaml
+//     ├── deployment.yaml
+//     └── service.yaml
+//
+// Example 2: apps/deployment.yaml and apps/service.yaml in function.yaml scope
+//            subdirectory of the function config directory
+//     .
+//     ├── function.yaml
+//     └── apps
+//         ├── deployment.yaml
+//         └── service.yaml
+//
+// Example 3: apps/deployment.yaml and apps/service.yaml in functions/function.yaml scope
+//            function config is in a directory named "functions"
+//     .
+//     ├── functions
+//     │   └── function.yaml
+//     └── apps
+//         ├── deployment.yaml
+//         └── service.yaml
+//
+// Out of Scope Examples:
+//
+// Example 1: apps/deployment.yaml and apps/service.yaml NOT in stuff/function.yaml scope
+//     .
+//     ├── stuff
+//     │   └── function.yaml
+//     └── apps
+//         ├── deployment.yaml
+//         └── service.yaml
+//
+// Example 2: apps/deployment.yaml and apps/service.yaml NOT in stuff/functions/function.yaml scope
+//     .
+//     ├── stuff
+//     │   └── functions
+//     │       └── function.yaml
+//     └── apps
+//         ├── deployment.yaml
+//         └── service.yaml
+//
+// Default Paths:
+// Resources emitted by functions will have default path applied as annotations
+// if none is present.
+// The default path will be the function-dir/ (or parent directory in the case of "functions")
+// + function-file-name/ + namespace/ + kind_name.yaml
+//
+// Example 1: Given a function in fn.yaml that produces a Deployment name foo and a Service named bar
+//     dir
+//     └── fn.yaml
+//
+// Would default newly generated Resources to:
+//
+//     dir
+//     ├── fn.yaml
+//     └── fn
+//         ├── deployment_foo.yaml
+//         └── service_bar.yaml
+//
+// Example 2: Given a function in functions/fn.yaml that produces a Deployment name foo and a Service named bar
+//     dir
+//     └── fn.yaml
+//
+// Would default newly generated Resources to:
+//
+//     dir
+//     ├── functions
+//     │   └── fn.yaml
+//     └── fn
+//         ├── deployment_foo.yaml
+//         └── service_bar.yaml
+//
+// Example 3: Given a function in fn.yaml that produces a Deployment name foo, namespace baz and a Service named bar namespace baz
+//     dir
+//     └── fn.yaml
+//
+// Would default newly generated Resources to:
+//
+//     dir
+//     ├── fn.yaml
+//     └── fn
+//         └── baz
+//             ├── deployment_foo.yaml
+//             └── service_bar.yaml
+type Filter struct {
+	runtimeutil.ContainerSpec `json:",inline" yaml:",inline"`
+
+	Exec runtimeexec.Filter
+
+	UIDGID string
+}
+
+func (c Filter) String() string {
+	if c.Exec.DeferFailure {
+		return fmt.Sprintf("%s deferFailure: %v", c.Image, c.Exec.DeferFailure)
+	}
+	return c.Image
+}
+func (c Filter) GetExit() error {
+	return c.Exec.GetExit()
+}
+
+func (c *Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	if err := c.setupExec(); err != nil {
+		return nil, err
+	}
+	return c.Exec.Filter(nodes)
+}
+
+func (c *Filter) setupExec() error {
+	// don't init 2x
+	if c.Exec.Path != "" {
+		return nil
+	}
+
+	if c.Exec.WorkingDir == "" {
+		wd, err := os.Getwd()
+		if err != nil {
+			return errors.Wrap(err)
+		}
+		c.Exec.WorkingDir = wd
+	}
+
+	path, args := c.getCommand()
+	c.Exec.Path = path
+	c.Exec.Args = args
+	return nil
+}
+
+// getCommand returns the command + args to run to spawn the container
+func (c *Filter) getCommand() (string, []string) {
+	network := runtimeutil.NetworkNameNone
+	if c.ContainerSpec.Network {
+		network = runtimeutil.NetworkNameHost
+	}
+	// run the container using docker.  this is simpler than using the docker
+	// libraries, and ensures things like auth work the same as if the container
+	// was run from the cli.
+	args := []string{"run",
+		"--rm",                                              // delete the container afterward
+		"-i", "-a", "STDIN", "-a", "STDOUT", "-a", "STDERR", // attach stdin, stdout, stderr
+		"--network", string(network),
+
+		// added security options
+		"--user", c.UIDGID,
+		"--security-opt=no-new-privileges", // don't allow the user to escalate privileges
+		// note: don't make fs readonly because things like heredoc rely on writing tmp files
+	}
+
+	for _, storageMount := range c.StorageMounts {
+		// convert declarative relative paths to absolute (otherwise docker will throw an error)
+		if !filepath.IsAbs(storageMount.Src) {
+			storageMount.Src = filepath.Join(c.Exec.WorkingDir, storageMount.Src)
+		}
+		args = append(args, "--mount", storageMount.String())
+	}
+
+	args = append(args, runtimeutil.NewContainerEnvFromStringSlice(c.Env).GetDockerFlags()...)
+	a := append(args, c.Image) //nolint:gocritic
+	return "docker", a
+}
+
+// NewContainer returns a new container filter
+func NewContainer(spec runtimeutil.ContainerSpec, uidgid string) Filter {
+	f := Filter{ContainerSpec: spec, UIDGID: uidgid}
+
+	return f
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/doc.go
new file mode 100644
index 0000000000..2747a96fba
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/doc.go
@@ -0,0 +1,5 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package exec contains the exec function implementation.
+package exec
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/exec.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/exec.go
new file mode 100644
index 0000000000..562dab30f7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/exec.go
@@ -0,0 +1,58 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package exec
+
+import (
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+	// Path is the path to the executable to run
+	Path string `yaml:"path,omitempty"`
+
+	// Args are the arguments to the executable
+	Args []string `yaml:"args,omitempty"`
+
+	// Env is exposed to the environment
+	Env []string `yaml:"env,omitempty"`
+
+	// WorkingDir is the working directory that the executable
+	// should run in
+	WorkingDir string
+
+	runtimeutil.FunctionFilter
+}
+
+func (c *Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	c.FunctionFilter.Run = c.Run
+	return c.FunctionFilter.Filter(nodes)
+}
+
+func (c *Filter) Run(reader io.Reader, writer io.Writer) error {
+	cmd := exec.Command(c.Path, c.Args...) //nolint:gosec
+	cmd.Env = append(os.Environ(), c.Env...)
+	cmd.Stdin = reader
+	cmd.Stdout = writer
+	cmd.Stderr = os.Stderr
+	if c.WorkingDir == "" {
+		return errors.Errorf("no working directory set for exec function")
+	}
+	if !filepath.IsAbs(c.WorkingDir) {
+		return errors.Errorf(
+			"relative working directory %s not allowed", c.WorkingDir)
+	}
+	if c.WorkingDir == "/" {
+		return errors.Errorf(
+			"root working directory '/' not allowed")
+	}
+	cmd.Dir = c.WorkingDir
+	return cmd.Run()
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/doc.go
new file mode 100644
index 0000000000..89f9036a4c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/doc.go
@@ -0,0 +1,5 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package runtimeutil contains libraries for implementing function runtimes.
+package runtimeutil
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/functiontypes.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/functiontypes.go
new file mode 100644
index 0000000000..cd6cb8e28e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/functiontypes.go
@@ -0,0 +1,304 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package runtimeutil
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+	k8syaml "sigs.k8s.io/yaml"
+)
+
+const (
+	FunctionAnnotationKey    = "config.kubernetes.io/function"
+	oldFunctionAnnotationKey = "config.k8s.io/function"
+)
+
+var functionAnnotationKeys = []string{FunctionAnnotationKey, oldFunctionAnnotationKey}
+
+// ContainerNetworkName is a type for network name used in container
+type ContainerNetworkName string
+
+const (
+	NetworkNameNone ContainerNetworkName = "none"
+	NetworkNameHost ContainerNetworkName = "host"
+)
+const defaultEnvValue string = "true"
+
+// ContainerEnv defines the environment present in a container.
+type ContainerEnv struct {
+	// EnvVars is a key-value map that will be set as env in container
+	EnvVars map[string]string
+
+	// VarsToExport are only env key. Value will be the value in the host system
+	VarsToExport []string
+}
+
+// GetDockerFlags returns docker run style env flags
+func (ce *ContainerEnv) GetDockerFlags() []string {
+	envs := ce.EnvVars
+	if envs == nil {
+		envs = make(map[string]string)
+	}
+
+	flags := []string{}
+	// return in order to keep consistent among different runs
+	keys := []string{}
+	for k := range envs {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	for _, key := range keys {
+		flags = append(flags, "-e", key+"="+envs[key])
+	}
+
+	for _, key := range ce.VarsToExport {
+		flags = append(flags, "-e", key)
+	}
+
+	return flags
+}
+
+// AddKeyValue adds a key-value pair into the envs
+func (ce *ContainerEnv) AddKeyValue(key, value string) {
+	if ce.EnvVars == nil {
+		ce.EnvVars = make(map[string]string)
+	}
+	ce.EnvVars[key] = value
+}
+
+// HasExportedKey returns true if the key is a exported key
+func (ce *ContainerEnv) HasExportedKey(key string) bool {
+	for _, k := range ce.VarsToExport {
+		if k == key {
+			return true
+		}
+	}
+	return false
+}
+
+// AddKey adds a key into the envs
+func (ce *ContainerEnv) AddKey(key string) {
+	if !ce.HasExportedKey(key) {
+		ce.VarsToExport = append(ce.VarsToExport, key)
+	}
+}
+
+// Raw returns a slice of string which represents the envs.
+// Example: [foo=bar, baz]
+func (ce *ContainerEnv) Raw() []string {
+	var ret []string
+	for k, v := range ce.EnvVars {
+		ret = append(ret, k+"="+v)
+	}
+
+	ret = append(ret, ce.VarsToExport...)
+	return ret
+}
+
+// NewContainerEnv returns a pointer to a new ContainerEnv
+func NewContainerEnv() *ContainerEnv {
+	var ce ContainerEnv
+	ce.EnvVars = make(map[string]string)
+	// default envs
+	ce.EnvVars["LOG_TO_STDERR"] = defaultEnvValue
+	ce.EnvVars["STRUCTURED_RESULTS"] = defaultEnvValue
+	return &ce
+}
+
+// NewContainerEnvFromStringSlice returns a new ContainerEnv pointer with parsing
+// input envStr. envStr example: ["foo=bar", "baz"]
+func NewContainerEnvFromStringSlice(envStr []string) *ContainerEnv {
+	ce := NewContainerEnv()
+	for _, e := range envStr {
+		parts := strings.SplitN(e, "=", 2)
+		if len(parts) == 1 {
+			ce.AddKey(e)
+		} else {
+			ce.AddKeyValue(parts[0], parts[1])
+		}
+	}
+	return ce
+}
+
+// FunctionSpec defines a spec for running a function
+type FunctionSpec struct {
+	DeferFailure bool `json:"deferFailure,omitempty" yaml:"deferFailure,omitempty"`
+
+	// Container is the spec for running a function as a container
+	Container ContainerSpec `json:"container,omitempty" yaml:"container,omitempty"`
+
+	// ExecSpec is the spec for running a function as an executable
+	Exec ExecSpec `json:"exec,omitempty" yaml:"exec,omitempty"`
+}
+
+type ExecSpec struct {
+	Path string `json:"path,omitempty" yaml:"path,omitempty"`
+
+	// Args is a slice of args that will be passed as arguments to script
+	Args []string `json:"args,omitempty" yaml:"args,omitempty"`
+
+	// Env is a slice of env string that will be exposed to container
+	Env []string `json:"envs,omitempty" yaml:"envs,omitempty"`
+}
+
+// ContainerSpec defines a spec for running a function as a container
+type ContainerSpec struct {
+	// Image is the container image to run
+	Image string `json:"image,omitempty" yaml:"image,omitempty"`
+
+	// Network defines network specific configuration
+	Network bool `json:"network,omitempty" yaml:"network,omitempty"`
+
+	// Mounts are the storage or directories to mount into the container
+	StorageMounts []StorageMount `json:"mounts,omitempty" yaml:"mounts,omitempty"`
+
+	// Env is a slice of env string that will be exposed to container
+	Env []string `json:"envs,omitempty" yaml:"envs,omitempty"`
+}
+
+// StorageMount represents a container's mounted storage option(s)
+type StorageMount struct {
+	// Type of mount e.g. bind mount, local volume, etc.
+	MountType string `json:"type,omitempty" yaml:"type,omitempty"`
+
+	// Source for the storage to be mounted.
+	// For named volumes, this is the name of the volume.
+	// For anonymous volumes, this field is omitted (empty string).
+	// For bind mounts, this is the path to the file or directory on the host.
+	Src string `json:"src,omitempty" yaml:"src,omitempty"`
+
+	// The path where the file or directory is mounted in the container.
+	DstPath string `json:"dst,omitempty" yaml:"dst,omitempty"`
+
+	// Mount in ReadWrite mode if it's explicitly configured
+	// See https://docs.docker.com/storage/bind-mounts/#use-a-read-only-bind-mount
+	ReadWriteMode bool `json:"rw,omitempty" yaml:"rw,omitempty"`
+}
+
+func (s *StorageMount) String() string {
+	mode := ""
+	if !s.ReadWriteMode {
+		mode = ",readonly"
+	}
+	return fmt.Sprintf("type=%s,source=%s,target=%s%s", s.MountType, s.Src, s.DstPath, mode)
+}
+
+// GetFunctionSpec returns the FunctionSpec for a resource.  Returns
+// nil if the resource does not have a FunctionSpec.
+//
+// The FunctionSpec is read from the resource metadata.annotation
+// "config.kubernetes.io/function"
+func GetFunctionSpec(n *yaml.RNode) (*FunctionSpec, error) {
+	meta, err := n.GetMeta()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get ResourceMeta: %w", err)
+	}
+
+	fn, err := getFunctionSpecFromAnnotation(n, meta)
+	if err != nil {
+		return nil, err
+	}
+	if fn != nil {
+		return fn, nil
+	}
+
+	// legacy function specification for backwards compatibility
+	container := meta.Annotations["config.kubernetes.io/container"]
+	if container != "" {
+		return &FunctionSpec{Container: ContainerSpec{Image: container}}, nil
+	}
+	return nil, nil
+}
+
+// getFunctionSpecFromAnnotation parses the config function from an annotation
+// if it is found
+func getFunctionSpecFromAnnotation(n *yaml.RNode, meta yaml.ResourceMeta) (*FunctionSpec, error) {
+	var fs FunctionSpec
+	for _, s := range functionAnnotationKeys {
+		fn := meta.Annotations[s]
+		if fn != "" {
+			if err := k8syaml.UnmarshalStrict([]byte(fn), &fs); err != nil {
+				return nil, fmt.Errorf("%s unmarshal error: %w", s, err)
+			}
+			return &fs, nil
+		}
+	}
+	n, err := n.Pipe(yaml.Lookup("metadata", "configFn"))
+	if err != nil {
+		return nil, fmt.Errorf("failed to look up metadata.configFn: %w", err)
+	}
+	if yaml.IsMissingOrNull(n) {
+		return nil, nil
+	}
+	s, err := n.String()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "configFn parse error: %v\n", err)
+		return nil, fmt.Errorf("configFn parse error: %w", err)
+	}
+	if err := k8syaml.UnmarshalStrict([]byte(s), &fs); err != nil {
+		return nil, fmt.Errorf("%s unmarshal error: %w", "configFn", err)
+	}
+	return &fs, nil
+}
+
+func StringToStorageMount(s string) StorageMount {
+	m := make(map[string]string)
+	options := strings.Split(s, ",")
+	for _, option := range options {
+		keyVal := strings.SplitN(option, "=", 2)
+		if len(keyVal) == 2 {
+			m[keyVal[0]] = keyVal[1]
+		}
+	}
+	var sm StorageMount
+	for key, value := range m {
+		switch {
+		case key == "type":
+			sm.MountType = value
+		case key == "src" || key == "source":
+			sm.Src = value
+		case key == "dst" || key == "target":
+			sm.DstPath = value
+		case key == "rw" && value == "true":
+			sm.ReadWriteMode = true
+		}
+	}
+	return sm
+}
+
+// IsReconcilerFilter filters Resources based on whether or not they are Reconciler Resource.
+// Resources with an apiVersion starting with '*.gcr.io', 'gcr.io' or 'docker.io' are considered
+// Reconciler Resources.
+type IsReconcilerFilter struct {
+	// ExcludeReconcilers if set to true, then Reconcilers will be excluded -- e.g.
+	// Resources with a reconcile container through the apiVersion (gcr.io prefix) or
+	// through the annotations
+	ExcludeReconcilers bool `yaml:"excludeReconcilers,omitempty"`
+
+	// IncludeNonReconcilers if set to true, the NonReconciler will be included.
+	IncludeNonReconcilers bool `yaml:"includeNonReconcilers,omitempty"`
+}
+
+// Filter implements kio.Filter
+func (c *IsReconcilerFilter) Filter(inputs []*yaml.RNode) ([]*yaml.RNode, error) {
+	var out []*yaml.RNode
+	for i := range inputs {
+		functionSpec, err := GetFunctionSpec(inputs[i])
+		if err != nil {
+			return nil, err
+		}
+		isFnResource := functionSpec != nil
+		if isFnResource && !c.ExcludeReconcilers {
+			out = append(out, inputs[i])
+		}
+		if !isFnResource && c.IncludeNonReconcilers {
+			out = append(out, inputs[i])
+		}
+	}
+	return out, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/runtimeutil.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/runtimeutil.go
new file mode 100644
index 0000000000..6a06b81c39
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/runtimeutil.go
@@ -0,0 +1,281 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package runtimeutil
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/comments"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/order"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// FunctionFilter wraps another filter to be invoked in the context of a function.
+// FunctionFilter manages scoping the function, deferring failures, and saving results
+// to files.
+type FunctionFilter struct {
+	// Run implements the function.
+	Run func(reader io.Reader, writer io.Writer) error
+
+	// FunctionConfig is passed to the function through ResourceList.functionConfig.
+	FunctionConfig *yaml.RNode `yaml:"functionConfig,omitempty"`
+
+	// GlobalScope explicitly scopes the function to all input resources rather than only those
+	// resources scoped to it by path.
+	GlobalScope bool
+
+	// ResultsFile is the file to write function ResourceList.results to.
+	// If unset, results will not be written.
+	ResultsFile string
+
+	// DeferFailure will cause the Filter to return a nil error even if Run returns an error.
+	// The Run error will be available through GetExit().
+	DeferFailure bool
+
+	// results saves the results emitted from Run
+	Results *yaml.RNode
+
+	// exit saves the error returned from Run
+	exit error
+
+	ids map[string]*yaml.RNode
+}
+
+// GetExit returns the error from Run
+func (c FunctionFilter) GetExit() error {
+	return c.exit
+}
+
+// functionsDirectoryName is keyword directory name for functions scoped 1 directory higher
+const functionsDirectoryName = "functions"
+
+// getFunctionScope returns the path of the directory containing the function config,
+// or its parent directory if the base directory is named "functions"
+func (c *FunctionFilter) getFunctionScope() (string, error) {
+	m, err := c.FunctionConfig.GetMeta()
+	if err != nil {
+		return "", errors.Wrap(err)
+	}
+	var p string
+	var found bool
+	p, found = m.Annotations[kioutil.PathAnnotation]
+	if !found {
+		p, found = m.Annotations[kioutil.LegacyPathAnnotation]
+		if !found {
+			return "", nil
+		}
+	}
+
+	functionDir := path.Clean(path.Dir(p))
+
+	if path.Base(functionDir) == functionsDirectoryName {
+		// the scope of functions in a directory called "functions" is 1 level higher
+		// this is similar to how the golang "internal" directory scoping works
+		functionDir = path.Dir(functionDir)
+	}
+	return functionDir, nil
+}
+
+// scope partitions the input nodes into 2 slices.  The first slice contains only Resources
+// which are scoped under dir, and the second slice contains the Resources which are not.
+func (c *FunctionFilter) scope(dir string, nodes []*yaml.RNode) ([]*yaml.RNode, []*yaml.RNode, error) {
+	// scope container filtered Resources to Resources under that directory
+	var input, saved []*yaml.RNode
+	if c.GlobalScope {
+		return nodes, nil, nil
+	}
+
+	// global function
+	if dir == "" || dir == "." {
+		return nodes, nil, nil
+	}
+
+	// identify Resources read from directories under the function configuration
+	for i := range nodes {
+		m, err := nodes[i].GetMeta()
+		if err != nil {
+			return nil, nil, err
+		}
+		var p string
+		var found bool
+		p, found = m.Annotations[kioutil.PathAnnotation]
+		if !found {
+			p, found = m.Annotations[kioutil.LegacyPathAnnotation]
+			if !found {
+				// this Resource isn't scoped under the function -- don't know where it came from
+				// consider it out of scope
+				saved = append(saved, nodes[i])
+				continue
+			}
+		}
+
+		resourceDir := path.Clean(path.Dir(p))
+		if path.Base(resourceDir) == functionsDirectoryName {
+			// Functions in the `functions` directory are scoped to
+			// themselves, and should see themselves as input
+			resourceDir = path.Dir(resourceDir)
+		}
+		if !strings.HasPrefix(resourceDir, dir) {
+			// this Resource doesn't fall under the function scope if it
+			// isn't in a subdirectory of where the function lives
+			saved = append(saved, nodes[i])
+			continue
+		}
+
+		// this input is scoped under the function
+		input = append(input, nodes[i])
+	}
+
+	return input, saved, nil
+}
+
+func (c *FunctionFilter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	in := &bytes.Buffer{}
+	out := &bytes.Buffer{}
+
+	// only process Resources scoped to this function, save the others
+	functionDir, err := c.getFunctionScope()
+	if err != nil {
+		return nil, err
+	}
+	input, saved, err := c.scope(functionDir, nodes)
+	if err != nil {
+		return nil, err
+	}
+
+	// set ids on each input so it is possible to copy comments from inputs back to outputs
+	if err := c.setIds(input); err != nil {
+		return nil, err
+	}
+
+	// write the input
+	err = kio.ByteWriter{
+		WrappingAPIVersion:    kio.ResourceListAPIVersion,
+		WrappingKind:          kio.ResourceListKind,
+		Writer:                in,
+		KeepReaderAnnotations: true,
+		FunctionConfig:        c.FunctionConfig}.Write(input)
+	if err != nil {
+		return nil, err
+	}
+
+	// capture the command stdout for the return value
+	r := &kio.ByteReader{Reader: out}
+
+	// don't exit immediately if the function fails -- write out the validation
+	c.exit = c.Run(in, out)
+
+	output, err := r.Read()
+	if err != nil {
+		return nil, err
+	}
+
+	// copy the comments and sync the order of fields from the inputs to the outputs
+	if err := c.copyCommentsAndSyncOrder(output); err != nil {
+		return nil, err
+	}
+
+	if err := c.doResults(r); err != nil {
+		return nil, err
+	}
+
+	if c.exit != nil && !c.DeferFailure {
+		return append(output, saved...), c.exit
+	}
+
+	// annotate any generated Resources with a path and index if they don't already have one
+	if err := kioutil.DefaultPathAnnotation(functionDir, output); err != nil {
+		return nil, err
+	}
+
+	// emit both the Resources output from the function, and the out-of-scope Resources
+	// which were not provided to the function
+	return append(output, saved...), nil
+}
+
+func (c *FunctionFilter) setIds(nodes []*yaml.RNode) error {
+	// set the id on each node to map inputs to outputs
+	var id int
+	c.ids = map[string]*yaml.RNode{}
+	for i := range nodes {
+		id++
+		idStr := fmt.Sprintf("%v", id)
+		err := nodes[i].PipeE(yaml.SetAnnotation(kioutil.IdAnnotation, idStr))
+		if err != nil {
+			return errors.Wrap(err)
+		}
+		err = nodes[i].PipeE(yaml.SetAnnotation(kioutil.LegacyIdAnnotation, idStr))
+		if err != nil {
+			return errors.Wrap(err)
+		}
+		c.ids[idStr] = nodes[i]
+	}
+	return nil
+}
+
+func (c *FunctionFilter) copyCommentsAndSyncOrder(nodes []*yaml.RNode) error {
+	for i := range nodes {
+		node := nodes[i]
+		anID, err := node.Pipe(yaml.GetAnnotation(kioutil.IdAnnotation))
+		if err != nil {
+			return errors.Wrap(err)
+		}
+		if anID == nil {
+			anID, err = node.Pipe(yaml.GetAnnotation(kioutil.LegacyIdAnnotation))
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			if anID == nil {
+				continue
+			}
+		}
+
+		var in *yaml.RNode
+		var found bool
+		if in, found = c.ids[anID.YNode().Value]; !found {
+			continue
+		}
+		if err := comments.CopyComments(in, node); err != nil {
+			return errors.Wrap(err)
+		}
+		if err := order.SyncOrder(in, node); err != nil {
+			return errors.Wrap(err)
+		}
+		if err := node.PipeE(yaml.ClearAnnotation(kioutil.IdAnnotation)); err != nil {
+			return errors.Wrap(err)
+		}
+		if err := node.PipeE(yaml.ClearAnnotation(kioutil.LegacyIdAnnotation)); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+	return nil
+}
+
+func (c *FunctionFilter) doResults(r *kio.ByteReader) error {
+	// Write the results to a file if configured to do so
+	if c.ResultsFile != "" && r.Results != nil {
+		results, err := r.Results.String()
+		if err != nil {
+			return err
+		}
+		err = os.WriteFile(c.ResultsFile, []byte(results), 0600)
+		if err != nil {
+			return err
+		}
+	}
+
+	if r.Results != nil {
+		c.Results = r.Results
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/types.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/types.go
new file mode 100644
index 0000000000..5edc4ebc33
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/types.go
@@ -0,0 +1,8 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package runtimeutil
+
+type DeferFailureFunction interface {
+	GetExit() error
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_reader.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_reader.go
new file mode 100644
index 0000000000..230ab891bb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_reader.go
@@ -0,0 +1,349 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package kio
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"regexp"
+	"sort"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+const (
+	ResourceListKind       = "ResourceList"
+	ResourceListAPIVersion = "config.kubernetes.io/v1"
+)
+
+// ByteReadWriter reads from an input and writes to an output.
+type ByteReadWriter struct {
+	// Reader is where ResourceNodes are decoded from.
+	Reader io.Reader
+
+	// Writer is where ResourceNodes are encoded.
+	Writer io.Writer
+
+	// OmitReaderAnnotations will configures Read to skip setting the config.kubernetes.io/index
+	// annotation on Resources as they are Read.
+	OmitReaderAnnotations bool
+
+	// KeepReaderAnnotations if set will keep the Reader specific annotations when writing
+	// the Resources, otherwise they will be cleared.
+	KeepReaderAnnotations bool
+
+	// PreserveSeqIndent if true adds kioutil.SeqIndentAnnotation to each resource
+	PreserveSeqIndent bool
+
+	// Style is a style that is set on the Resource Node Document.
+	Style yaml.Style
+
+	// WrapBareSeqNode wraps the bare sequence node document with map node,
+	// kyaml uses reader annotations to track resources, it is not possible to
+	// add them to bare sequence nodes, this option enables wrapping such bare
+	// sequence nodes into map node with key yaml.BareSeqNodeWrappingKey
+	// note that this wrapping is different and not related to ResourceList wrapping
+	WrapBareSeqNode bool
+
+	FunctionConfig *yaml.RNode
+
+	Results *yaml.RNode
+
+	NoWrap             bool
+	WrappingAPIVersion string
+	WrappingKind       string
+}
+
+func (rw *ByteReadWriter) Read() ([]*yaml.RNode, error) {
+	b := &ByteReader{
+		Reader:                rw.Reader,
+		OmitReaderAnnotations: rw.OmitReaderAnnotations,
+		PreserveSeqIndent:     rw.PreserveSeqIndent,
+		WrapBareSeqNode:       rw.WrapBareSeqNode,
+	}
+	val, err := b.Read()
+	rw.Results = b.Results
+
+	if rw.FunctionConfig == nil {
+		rw.FunctionConfig = b.FunctionConfig
+	}
+	if !rw.NoWrap && rw.WrappingKind == "" {
+		rw.WrappingAPIVersion = b.WrappingAPIVersion
+		rw.WrappingKind = b.WrappingKind
+	}
+	return val, errors.Wrap(err)
+}
+
+func (rw *ByteReadWriter) Write(nodes []*yaml.RNode) error {
+	w := ByteWriter{
+		Writer:                rw.Writer,
+		KeepReaderAnnotations: rw.KeepReaderAnnotations,
+		Style:                 rw.Style,
+		FunctionConfig:        rw.FunctionConfig,
+		Results:               rw.Results,
+	}
+	if !rw.NoWrap {
+		w.WrappingAPIVersion = rw.WrappingAPIVersion
+		w.WrappingKind = rw.WrappingKind
+	}
+	return w.Write(nodes)
+}
+
+// ParseAll reads all of the inputs into resources
+func ParseAll(inputs ...string) ([]*yaml.RNode, error) {
+	return (&ByteReader{
+		Reader: bytes.NewBufferString(strings.Join(inputs, "\n---\n")),
+	}).Read()
+}
+
+// FromBytes reads from a byte slice.
+func FromBytes(bs []byte) ([]*yaml.RNode, error) {
+	return (&ByteReader{
+		OmitReaderAnnotations: true,
+		AnchorsAweigh:         true,
+		Reader:                bytes.NewBuffer(bs),
+	}).Read()
+}
+
+// StringAll writes all of the resources to a string
+func StringAll(resources []*yaml.RNode) (string, error) {
+	var b bytes.Buffer
+	err := (&ByteWriter{Writer: &b}).Write(resources)
+	return b.String(), err
+}
+
+// ByteReader decodes ResourceNodes from bytes.
+// By default, Read will set the config.kubernetes.io/index annotation on each RNode as it
+// is read so they can be written back in the same order.
+type ByteReader struct {
+	// Reader is where ResourceNodes are decoded from.
+	Reader io.Reader
+
+	// OmitReaderAnnotations will configures Read to skip setting the config.kubernetes.io/index
+	// and internal.config.kubernetes.io/seqindent annotations on Resources as they are Read.
+	OmitReaderAnnotations bool
+
+	// PreserveSeqIndent if true adds kioutil.SeqIndentAnnotation to each resource
+	PreserveSeqIndent bool
+
+	// SetAnnotations is a map of caller specified annotations to set on resources as they are read
+	// These are independent of the annotations controlled by OmitReaderAnnotations
+	SetAnnotations map[string]string
+
+	FunctionConfig *yaml.RNode
+
+	Results *yaml.RNode
+
+	// DisableUnwrapping prevents Resources in Lists and ResourceLists from being unwrapped
+	DisableUnwrapping bool
+
+	// WrappingAPIVersion is set by Read(), and is the apiVersion of the object that
+	// the read objects were originally wrapped in.
+	WrappingAPIVersion string
+
+	// WrappingKind is set by Read(), and is the kind of the object that
+	// the read objects were originally wrapped in.
+	WrappingKind string
+
+	// WrapBareSeqNode wraps the bare sequence node document with map node,
+	// kyaml uses reader annotations to track resources, it is not possible to
+	// add them to bare sequence nodes, this option enables wrapping such bare
+	// sequence nodes into map node with key yaml.BareSeqNodeWrappingKey
+	// note that this wrapping is different and not related to ResourceList wrapping
+	WrapBareSeqNode bool
+
+	// AnchorsAweigh set to true attempts to replace all YAML anchor aliases
+	// with their definitions (anchor values) immediately after the read.
+	AnchorsAweigh bool
+}
+
+var _ Reader = &ByteReader{}
+
+// splitDocuments returns a slice of all documents contained in a YAML string. Multiple documents can be divided by the
+// YAML document separator (---). It allows for white space and comments to be after the separator on the same line,
+// but will return an error if anything else is on the line.
+func splitDocuments(s string) ([]string, error) {
+	docs := make([]string, 0)
+	if len(s) > 0 {
+		// The YAML document separator is any line that starts with ---
+		yamlSeparatorRegexp := regexp.MustCompile(`\n---.*\n`)
+
+		// Find all separators, check them for invalid content, and append each document to docs
+		separatorLocations := yamlSeparatorRegexp.FindAllStringIndex(s, -1)
+		prev := 0
+		for i := range separatorLocations {
+			loc := separatorLocations[i]
+			separator := s[loc[0]:loc[1]]
+
+			// If the next non-whitespace character on the line following the separator is not a comment, return an error
+			trimmedContentAfterSeparator := strings.TrimSpace(separator[4:])
+			if len(trimmedContentAfterSeparator) > 0 && trimmedContentAfterSeparator[0] != '#' {
+				return nil, errors.Errorf("invalid document separator: %s", strings.TrimSpace(separator))
+			}
+
+			docs = append(docs, s[prev:loc[0]])
+			prev = loc[1]
+		}
+		docs = append(docs, s[prev:])
+	}
+
+	return docs, nil
+}
+
+func (r *ByteReader) Read() ([]*yaml.RNode, error) {
+	if r.PreserveSeqIndent && r.OmitReaderAnnotations {
+		return nil, errors.Errorf(`"PreserveSeqIndent" option adds a reader annotation, please set "OmitReaderAnnotations" to false`)
+	}
+
+	output := ResourceNodeSlice{}
+
+	// by manually splitting resources -- otherwise the decoder will get the Resource
+	// boundaries wrong for header comments.
+	input := &bytes.Buffer{}
+	_, err := io.Copy(input, r.Reader)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+
+	// Replace the ending \r\n (line ending used in windows) with \n and then split it into multiple YAML documents
+	// if it contains document separators (---)
+	values, err := splitDocuments(strings.ReplaceAll(input.String(), "\r\n", "\n"))
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+
+	index := 0
+	for i := range values {
+		// the Split used above will eat the tail '\n' from each resource. This may affect the
+		// literal string value since '\n' is meaningful in it.
+		if i != len(values)-1 {
+			values[i] += "\n"
+		}
+		decoder := yaml.NewDecoder(bytes.NewBufferString(values[i]))
+		node, err := r.decode(values[i], index, decoder)
+		if err == io.EOF {
+			continue
+		}
+
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+		if yaml.IsMissingOrNull(node) {
+			// empty value
+			continue
+		}
+
+		// ok if no metadata -- assume not an InputList
+		meta, err := node.GetMeta()
+		if err != yaml.ErrMissingMetadata && err != nil {
+			return nil, errors.WrapPrefixf(err, "[%d]", i)
+		}
+
+		// the elements are wrapped in an InputList, unwrap them
+		// don't check apiVersion, we haven't standardized on the domain
+		if !r.DisableUnwrapping &&
+			len(values) == 1 && // Only unwrap if there is only 1 value
+			(meta.Kind == ResourceListKind || meta.Kind == "List") &&
+			(node.Field("items") != nil || node.Field("functionConfig") != nil) {
+			r.WrappingKind = meta.Kind
+			r.WrappingAPIVersion = meta.APIVersion
+
+			// unwrap the list
+			if fc := node.Field("functionConfig"); fc != nil {
+				r.FunctionConfig = fc.Value
+			}
+			if res := node.Field("results"); res != nil {
+				r.Results = res.Value
+			}
+
+			items := node.Field("items")
+			if items != nil {
+				for i := range items.Value.Content() {
+					// add items
+					output = append(output, yaml.NewRNode(items.Value.Content()[i]))
+				}
+			}
+			continue
+		}
+
+		// add the node to the list
+		output = append(output, node)
+
+		// increment the index annotation value
+		index++
+	}
+	if r.AnchorsAweigh {
+		for _, n := range output {
+			if err = n.DeAnchor(); err != nil {
+				return nil, err
+			}
+		}
+	}
+	return output, nil
+}
+
+func (r *ByteReader) decode(originalYAML string, index int, decoder *yaml.Decoder) (*yaml.RNode, error) {
+	node := &yaml.Node{}
+	err := decoder.Decode(node)
+	if err == io.EOF {
+		return nil, io.EOF
+	}
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "MalformedYAMLError")
+	}
+
+	if yaml.IsYNodeEmptyDoc(node) {
+		return nil, nil
+	}
+
+	// set annotations on the read Resources
+	// sort the annotations by key so the output Resources is consistent (otherwise the
+	// annotations will be in a random order)
+	n := yaml.NewRNode(node)
+	// check if it is a bare sequence node and wrap it with a yaml.BareSeqNodeWrappingKey
+	if r.WrapBareSeqNode && node.Kind == yaml.DocumentNode && len(node.Content) > 0 &&
+		node.Content[0] != nil && node.Content[0].Kind == yaml.SequenceNode {
+		wrappedNode := yaml.NewRNode(&yaml.Node{
+			Kind: yaml.MappingNode,
+		})
+		wrappedNode.PipeE(yaml.SetField(yaml.BareSeqNodeWrappingKey, n))
+		n = wrappedNode
+	}
+
+	if r.SetAnnotations == nil {
+		r.SetAnnotations = map[string]string{}
+	}
+	if !r.OmitReaderAnnotations {
+		err := kioutil.CopyLegacyAnnotations(n)
+		if err != nil {
+			return nil, err
+		}
+		r.SetAnnotations[kioutil.IndexAnnotation] = fmt.Sprintf("%d", index)
+		r.SetAnnotations[kioutil.LegacyIndexAnnotation] = fmt.Sprintf("%d", index)
+
+		if r.PreserveSeqIndent {
+			// derive and add the seqindent annotation
+			seqIndentStyle := yaml.DeriveSeqIndentStyle(originalYAML)
+			if seqIndentStyle != "" {
+				r.SetAnnotations[kioutil.SeqIndentAnnotation] = seqIndentStyle
+			}
+		}
+	}
+	var keys []string
+	for k := range r.SetAnnotations {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	for _, k := range keys {
+		_, err = n.Pipe(yaml.SetAnnotation(k, r.SetAnnotations[k]))
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+	}
+	return n, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_writer.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_writer.go
new file mode 100644
index 0000000000..ec4cafe303
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_writer.go
@@ -0,0 +1,198 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package kio
+
+import (
+	"encoding/json"
+	"io"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// ByteWriter writes ResourceNodes to bytes. Generally YAML encoding will be used but in the special
+// case of writing a single, bare yaml.RNode that has a kioutil.PathAnnotation indicating that the
+// target is a JSON file JSON encoding is used. See shouldJSONEncodeSingleBareNode below for more
+// information.
+type ByteWriter struct {
+	// Writer is where ResourceNodes are encoded.
+	Writer io.Writer
+
+	// KeepReaderAnnotations if set will keep the Reader specific annotations when writing
+	// the Resources, otherwise they will be cleared.
+	KeepReaderAnnotations bool
+
+	// ClearAnnotations is a list of annotations to clear when writing the Resources.
+	ClearAnnotations []string
+
+	// Style is a style that is set on the Resource Node Document.
+	Style yaml.Style
+
+	// FunctionConfig is the function config for an ResourceList.  If non-nil
+	// wrap the results in an ResourceList.
+	FunctionConfig *yaml.RNode
+
+	Results *yaml.RNode
+
+	// WrappingKind if set will cause ByteWriter to wrap the Resources in
+	// an 'items' field in this kind.  e.g. if WrappingKind is 'List',
+	// ByteWriter will wrap the Resources in a List .items field.
+	WrappingKind string
+
+	// WrappingAPIVersion is the apiVersion for WrappingKind
+	WrappingAPIVersion string
+
+	// Sort if set, will cause ByteWriter to sort the nodes before writing them.
+	Sort bool
+}
+
+var _ Writer = ByteWriter{}
+
+func (w ByteWriter) Write(inputNodes []*yaml.RNode) error {
+	// Copy the nodes to prevent writer from mutating the original nodes.
+	nodes := copyRNodes(inputNodes)
+	if w.Sort {
+		if err := kioutil.SortNodes(nodes); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+
+	// Even though we use the this value further down we must check this before removing annotations
+	jsonEncodeSingleBareNode := w.shouldJSONEncodeSingleBareNode(nodes)
+
+	// store seqindent annotation value for each node in order to set the encoder indentation
+	var seqIndentsForNodes []string
+	for i := range nodes {
+		seqIndentsForNodes = append(seqIndentsForNodes, nodes[i].GetAnnotations()[kioutil.SeqIndentAnnotation])
+	}
+
+	for i := range nodes {
+		// clean resources by removing annotations set by the Reader
+		if !w.KeepReaderAnnotations {
+			_, err := nodes[i].Pipe(yaml.ClearAnnotation(kioutil.IndexAnnotation))
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			_, err = nodes[i].Pipe(yaml.ClearAnnotation(kioutil.LegacyIndexAnnotation))
+			if err != nil {
+				return errors.Wrap(err)
+			}
+
+			_, err = nodes[i].Pipe(yaml.ClearAnnotation(kioutil.SeqIndentAnnotation))
+			if err != nil {
+				return errors.Wrap(err)
+			}
+		}
+		for _, a := range w.ClearAnnotations {
+			_, err := nodes[i].Pipe(yaml.ClearAnnotation(a))
+			if err != nil {
+				return errors.Wrap(err)
+			}
+		}
+
+		if err := yaml.ClearEmptyAnnotations(nodes[i]); err != nil {
+			return err
+		}
+
+		if w.Style != 0 {
+			nodes[i].YNode().Style = w.Style
+		}
+	}
+
+	if jsonEncodeSingleBareNode {
+		encoder := json.NewEncoder(w.Writer)
+		encoder.SetIndent("", "  ")
+		return errors.Wrap(encoder.Encode(nodes[0]))
+	}
+
+	encoder := yaml.NewEncoder(w.Writer)
+	defer encoder.Close()
+	// don't wrap the elements
+	if w.WrappingKind == "" {
+		for i := range nodes {
+			if seqIndentsForNodes[i] == string(yaml.WideSequenceStyle) {
+				encoder.DefaultSeqIndent()
+			} else {
+				encoder.CompactSeqIndent()
+			}
+			if err := encoder.Encode(upWrapBareSequenceNode(nodes[i].Document())); err != nil {
+				return errors.Wrap(err)
+			}
+		}
+		return nil
+	}
+	// wrap the elements in a list
+	items := &yaml.Node{Kind: yaml.SequenceNode}
+	list := &yaml.Node{
+		Kind:  yaml.MappingNode,
+		Style: w.Style,
+		Content: []*yaml.Node{
+			{Kind: yaml.ScalarNode, Value: "apiVersion"},
+			{Kind: yaml.ScalarNode, Value: w.WrappingAPIVersion},
+			{Kind: yaml.ScalarNode, Value: "kind"},
+			{Kind: yaml.ScalarNode, Value: w.WrappingKind},
+			{Kind: yaml.ScalarNode, Value: "items"}, items,
+		}}
+	if w.FunctionConfig != nil {
+		list.Content = append(list.Content,
+			&yaml.Node{Kind: yaml.ScalarNode, Value: "functionConfig"},
+			w.FunctionConfig.YNode())
+	}
+	if w.Results != nil {
+		list.Content = append(list.Content,
+			&yaml.Node{Kind: yaml.ScalarNode, Value: "results"},
+			w.Results.YNode())
+	}
+	doc := &yaml.Node{
+		Kind:    yaml.DocumentNode,
+		Content: []*yaml.Node{list}}
+	for i := range nodes {
+		items.Content = append(items.Content, nodes[i].YNode())
+	}
+	return encoder.Encode(doc)
+}
+
+func copyRNodes(in []*yaml.RNode) []*yaml.RNode {
+	out := make([]*yaml.RNode, len(in))
+	for i := range in {
+		out[i] = in[i].Copy()
+	}
+	return out
+}
+
+// shouldJSONEncodeSingleBareNode determines if nodes contain a single node that should not be
+// wrapped and has a JSON file extension, which in turn means that the node should be JSON encoded.
+// Note 1: this must be checked before any annotations to avoid losing information about the target
+//         filename extension.
+// Note 2: JSON encoding should only be used for single, unwrapped nodes because multiple unwrapped
+//         nodes cannot be represented in JSON (no multi doc support). Furthermore, the typical use
+//         cases for wrapping nodes would likely not include later writing the whole wrapper to a
+//         .json file, i.e. there is no point risking any edge case information loss e.g. comments
+//         disappearing, that could come from JSON encoding the whole wrapper just to ensure that
+//         one (or all nodes) can be read as JSON.
+func (w ByteWriter) shouldJSONEncodeSingleBareNode(nodes []*yaml.RNode) bool {
+	if w.WrappingKind == "" && len(nodes) == 1 {
+		if path, _, _ := kioutil.GetFileAnnotations(nodes[0]); path != "" {
+			filename := filepath.Base(path)
+			for _, glob := range JSONMatch {
+				if match, _ := filepath.Match(glob, filename); match {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+// upWrapBareSequenceNode unwraps the bare sequence nodes wrapped by yaml.BareSeqNodeWrappingKey
+func upWrapBareSequenceNode(node *yaml.Node) *yaml.Node {
+	rNode := yaml.NewRNode(node)
+	seqNode, err := rNode.Pipe(yaml.Lookup(yaml.BareSeqNodeWrappingKey))
+	if err == nil && !seqNode.IsNilOrEmpty() {
+		return seqNode.YNode()
+	}
+	return node
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/doc.go
new file mode 100644
index 0000000000..9c11a14630
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/doc.go
@@ -0,0 +1,35 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package kio contains libraries for reading and writing collections of Resources.
+//
+// Reading Resources
+//
+// Resources are Read using a kio.Reader function.  Examples:
+//  [kio.LocalPackageReader{}, kio.ByteReader{}]
+//
+// Resources read using a LocalPackageReader will have annotations applied so they can be
+// written back to the files they were read from.
+//
+// Modifying Resources
+//
+// Resources are modified using a kio.Filter.  The kio.Filter accepts a collection of
+// Resources as input, and returns a new collection as output.
+// It is recommended to use the yaml package for manipulating individual Resources in
+// the collection.
+//
+// Writing Resources
+//
+// Resources are Read using a kio.Reader function.  Examples:
+//  [kio.LocalPackageWriter{}, kio.ByteWriter{}]
+//
+// ReadWriters
+//
+// It is preferred to use a ReadWriter when reading and writing from / to the same source.
+//
+// Building Pipelines
+//
+// The preferred way to transforms a collection of Resources is to use kio.Pipeline to Read,
+// Modify and Write the collection of Resources.  Pipeline will automatically sequentially
+// invoke the Read, Modify, Write steps, returning and error immediately on any failure.
+package kio
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/ignorefilesmatcher.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/ignorefilesmatcher.go
new file mode 100644
index 0000000000..5ef48d7e36
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/ignorefilesmatcher.go
@@ -0,0 +1,105 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package kio
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+
+	gitignore "github.com/monochromegane/go-gitignore"
+	"sigs.k8s.io/kustomize/kyaml/ext"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// ignoreFilesMatcher handles `.krmignore` files, which allows for ignoring
+// files or folders in a package. The format of this file is a subset of the
+// gitignore format, with recursive patterns (like a/**/c) not supported. If a
+// file or folder matches any of the patterns in the .krmignore file for the
+// package, it will be excluded.
+//
+// It works as follows:
+//
+// * It will look for .krmignore file in the top folder and on the top level
+//   of any subpackages. Subpackages are defined by the presence of a Krmfile
+//   in the folder.
+// * `.krmignore` files only cover files and folders for the package in which
+//   it is defined. So ignore patterns defined in a parent package does not
+//   affect which files are ignored from a subpackage.
+// * An ignore pattern can not ignore a subpackage. So even if the parent
+//   package contains a pattern that ignores the directory foo, if foo is a
+//   subpackage, it will still be included if the IncludeSubpackages property
+//   is set to true
+type ignoreFilesMatcher struct {
+	matchers []matcher
+	fs       filesys.FileSystemOrOnDisk
+}
+
+// readIgnoreFile checks whether there is a .krmignore file in the path, and
+// if it is, reads it in and turns it into a matcher. If we can't find a file,
+// we just add a matcher that match nothing.
+func (i *ignoreFilesMatcher) readIgnoreFile(path string) error {
+	i.verifyPath(path)
+	f, err := i.fs.Open(filepath.Join(path, ext.IgnoreFileName()))
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			i.matchers = append(i.matchers, matcher{
+				matcher:  gitignore.DummyIgnoreMatcher(false),
+				basePath: path,
+			})
+			return nil
+		}
+		return err
+	}
+	defer f.Close()
+
+	i.matchers = append(i.matchers, matcher{
+		matcher:  gitignore.NewGitIgnoreFromReader(path, f),
+		basePath: path,
+	})
+	return nil
+}
+
+// verifyPath checks whether the top matcher on the stack
+// is correct for the provided filepath. Matchers are removed once
+// we encounter a filepath that is not a subpath of the basepath for
+// the matcher.
+func (i *ignoreFilesMatcher) verifyPath(path string) {
+	for j := len(i.matchers) - 1; j >= 0; j-- {
+		matcher := i.matchers[j]
+		if strings.HasPrefix(path, matcher.basePath) || path == matcher.basePath {
+			i.matchers = i.matchers[:j+1]
+			return
+		}
+	}
+}
+
+// matchFile checks whether the file given by the provided path matches
+// any of the patterns in the .krmignore file for the package.
+func (i *ignoreFilesMatcher) matchFile(path string) bool {
+	if len(i.matchers) == 0 {
+		return false
+	}
+	i.verifyPath(filepath.Dir(path))
+	return i.matchers[len(i.matchers)-1].matcher.Match(path, false)
+}
+
+// matchDir checks whether the directory given by the provided path matches
+// any of the patterns in the .krmignore file for the package.
+func (i *ignoreFilesMatcher) matchDir(path string) bool {
+	if len(i.matchers) == 0 {
+		return false
+	}
+	i.verifyPath(path)
+	return i.matchers[len(i.matchers)-1].matcher.Match(path, true)
+}
+
+// matcher wraps the gitignore matcher and the path to the folder
+// where the file was found.
+type matcher struct {
+	matcher gitignore.IgnoreMatcher
+
+	basePath string
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/kio.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/kio.go
new file mode 100644
index 0000000000..9e00509ebe
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/kio.go
@@ -0,0 +1,447 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package kio contains low-level libraries for reading, modifying and writing
+// Resource Configuration and packages.
+package kio
+
+import (
+	"fmt"
+	"strconv"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Reader reads ResourceNodes. Analogous to io.Reader.
+type Reader interface {
+	Read() ([]*yaml.RNode, error)
+}
+
+// ResourceNodeSlice is a collection of ResourceNodes.
+// While ResourceNodeSlice has no inherent constraints on ordering or uniqueness, specific
+// Readers, Filters or Writers may have constraints.
+type ResourceNodeSlice []*yaml.RNode
+
+var _ Reader = ResourceNodeSlice{}
+
+func (o ResourceNodeSlice) Read() ([]*yaml.RNode, error) {
+	return o, nil
+}
+
+// Writer writes ResourceNodes. Analogous to io.Writer.
+type Writer interface {
+	Write([]*yaml.RNode) error
+}
+
+// WriterFunc implements a Writer as a function.
+type WriterFunc func([]*yaml.RNode) error
+
+func (fn WriterFunc) Write(o []*yaml.RNode) error {
+	return fn(o)
+}
+
+// ReaderWriter implements both Reader and Writer interfaces
+type ReaderWriter interface {
+	Reader
+	Writer
+}
+
+// Filter modifies a collection of Resource Configuration by returning the modified slice.
+// When possible, Filters should be serializable to yaml so that they can be described
+// as either data or code.
+//
+// Analogous to http://www.linfo.org/filters.html
+type Filter interface {
+	Filter([]*yaml.RNode) ([]*yaml.RNode, error)
+}
+
+// TrackableFilter is an extension of Filter which is also capable of tracking
+// which fields were mutated by the filter.
+type TrackableFilter interface {
+	Filter
+	WithMutationTracker(func(key, value, tag string, node *yaml.RNode))
+}
+
+// FilterFunc implements a Filter as a function.
+type FilterFunc func([]*yaml.RNode) ([]*yaml.RNode, error)
+
+func (fn FilterFunc) Filter(o []*yaml.RNode) ([]*yaml.RNode, error) {
+	return fn(o)
+}
+
+// Pipeline reads Resource Configuration from a set of Inputs, applies some
+// transformation filters, and writes the results to a set of Outputs.
+//
+// Analogous to http://www.linfo.org/pipes.html
+type Pipeline struct {
+	// Inputs provide sources for Resource Configuration to be read.
+	Inputs []Reader `yaml:"inputs,omitempty"`
+
+	// Filters are transformations applied to the Resource Configuration.
+	// They are applied in the order they are specified.
+	// Analogous to http://www.linfo.org/filters.html
+	Filters []Filter `yaml:"filters,omitempty"`
+
+	// Outputs are where the transformed Resource Configuration is written.
+	Outputs []Writer `yaml:"outputs,omitempty"`
+
+	// ContinueOnEmptyResult configures what happens when a filter in the pipeline
+	// returns an empty result.
+	// If it is false (default), subsequent filters will be skipped and the result
+	// will be returned immediately. This is useful as an optimization when you
+	// know that subsequent filters will not alter the empty result.
+	// If it is true, the empty result will be provided as input to the next
+	// filter in the list. This is useful when subsequent functions in the
+	// pipeline may generate new resources.
+	ContinueOnEmptyResult bool `yaml:"continueOnEmptyResult,omitempty"`
+}
+
+// Execute executes each step in the sequence, returning immediately after encountering
+// any error as part of the Pipeline.
+func (p Pipeline) Execute() error {
+	return p.ExecuteWithCallback(nil)
+}
+
+// PipelineExecuteCallbackFunc defines a callback function that will be called each time a step in the pipeline succeeds.
+type PipelineExecuteCallbackFunc = func(op Filter)
+
+// ExecuteWithCallback executes each step in the sequence, returning immediately after encountering
+// any error as part of the Pipeline. The callback will be called each time a step succeeds.
+func (p Pipeline) ExecuteWithCallback(callback PipelineExecuteCallbackFunc) error {
+	var result []*yaml.RNode
+
+	// read from the inputs
+	for _, i := range p.Inputs {
+		nodes, err := i.Read()
+		if err != nil {
+			return errors.Wrap(err)
+		}
+		result = append(result, nodes...)
+	}
+
+	// apply operations
+	for i := range p.Filters {
+		// Not all RNodes passed through kio.Pipeline have metadata nor should
+		// they all be required to.
+		nodeAnnos, err := PreprocessResourcesForInternalAnnotationMigration(result)
+		if err != nil {
+			return err
+		}
+
+		op := p.Filters[i]
+		if callback != nil {
+			callback(op)
+		}
+		result, err = op.Filter(result)
+		// TODO (issue 2872): This len(result) == 0 should be removed and empty result list should be
+		// handled by outputs. However currently some writer like LocalPackageReadWriter
+		// will clear the output directory and which will cause unpredictable results
+		if len(result) == 0 && !p.ContinueOnEmptyResult || err != nil {
+			return errors.Wrap(err)
+		}
+
+		// If either the internal annotations for path, index, and id OR the legacy
+		// annotations for path, index, and id are changed, we have to update the other.
+		err = ReconcileInternalAnnotations(result, nodeAnnos)
+		if err != nil {
+			return err
+		}
+	}
+
+	// write to the outputs
+	for _, o := range p.Outputs {
+		if err := o.Write(result); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+	return nil
+}
+
+// FilterAll runs the yaml.Filter against all inputs
+func FilterAll(filter yaml.Filter) Filter {
+	return FilterFunc(func(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+		for i := range nodes {
+			_, err := filter.Filter(nodes[i])
+			if err != nil {
+				return nil, errors.Wrap(err)
+			}
+		}
+		return nodes, nil
+	})
+}
+
+// PreprocessResourcesForInternalAnnotationMigration returns a mapping from id to all
+// internal annotations, so that we can use it to reconcile the annotations
+// later. This is necessary because currently both internal-prefixed annotations
+// and legacy annotations are currently supported, and a change to one must be
+// reflected in the other if needed.
+func PreprocessResourcesForInternalAnnotationMigration(result []*yaml.RNode) (map[string]map[string]string, error) {
+	idToAnnosMap := make(map[string]map[string]string)
+	for i := range result {
+		idStr := strconv.Itoa(i)
+		err := result[i].PipeE(yaml.SetAnnotation(kioutil.InternalAnnotationsMigrationResourceIDAnnotation, idStr))
+		if err != nil {
+			return nil, err
+		}
+		idToAnnosMap[idStr] = kioutil.GetInternalAnnotations(result[i])
+		if err = kioutil.CopyLegacyAnnotations(result[i]); err != nil {
+			return nil, err
+		}
+		meta, _ := result[i].GetMeta()
+		if err = checkMismatchedAnnos(meta.Annotations); err != nil {
+			return nil, err
+		}
+	}
+	return idToAnnosMap, nil
+}
+
+func checkMismatchedAnnos(annotations map[string]string) error {
+	path := annotations[kioutil.PathAnnotation]
+	index := annotations[kioutil.IndexAnnotation]
+	id := annotations[kioutil.IdAnnotation]
+
+	legacyPath := annotations[kioutil.LegacyPathAnnotation]
+	legacyIndex := annotations[kioutil.LegacyIndexAnnotation]
+	legacyId := annotations[kioutil.LegacyIdAnnotation]
+
+	// if prior to running the functions, the legacy and internal annotations differ,
+	// throw an error as we cannot infer the user's intent.
+	if path != "" && legacyPath != "" && path != legacyPath {
+		return fmt.Errorf("resource input to function has mismatched legacy and internal path annotations")
+	}
+	if index != "" && legacyIndex != "" && index != legacyIndex {
+		return fmt.Errorf("resource input to function has mismatched legacy and internal index annotations")
+	}
+	if id != "" && legacyId != "" && id != legacyId {
+		return fmt.Errorf("resource input to function has mismatched legacy and internal id annotations")
+	}
+	return nil
+}
+
+type nodeAnnotations struct {
+	path  string
+	index string
+	id    string
+}
+
+// ReconcileInternalAnnotations reconciles the annotation format for path, index and id annotations.
+// It will ensure the output annotation format matches the format in the input. e.g. if the input
+// format uses the legacy format and the output will be converted to the legacy format if it's not.
+func ReconcileInternalAnnotations(result []*yaml.RNode, nodeAnnosMap map[string]map[string]string) error {
+	useInternal, useLegacy, err := determineAnnotationsFormat(nodeAnnosMap)
+	if err != nil {
+		return err
+	}
+
+	for i := range result {
+		// if only one annotation is set, set the other.
+		err = missingInternalOrLegacyAnnotations(result[i])
+		if err != nil {
+			return err
+		}
+		// we must check to see if the function changed either the new internal annotations
+		// or the old legacy annotations. If one is changed, the change must be reflected
+		// in the other.
+		err = checkAnnotationsAltered(result[i], nodeAnnosMap)
+		if err != nil {
+			return err
+		}
+		// We invoke determineAnnotationsFormat to find out if the original annotations
+		// use the internal or (and) the legacy format. We format the resources to
+		// make them consistent with original format.
+		err = formatInternalAnnotations(result[i], useInternal, useLegacy)
+		if err != nil {
+			return err
+		}
+		// if the annotations are still somehow out of sync, throw an error
+		meta, _ := result[i].GetMeta()
+		err = checkMismatchedAnnos(meta.Annotations)
+		if err != nil {
+			return err
+		}
+
+		if _, err = result[i].Pipe(yaml.ClearAnnotation(kioutil.InternalAnnotationsMigrationResourceIDAnnotation)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// determineAnnotationsFormat determines if the resources are using one of the internal and legacy annotation format or both of them.
+func determineAnnotationsFormat(nodeAnnosMap map[string]map[string]string) (bool, bool, error) {
+	var useInternal, useLegacy bool
+	var err error
+
+	if len(nodeAnnosMap) == 0 {
+		return true, true, nil
+	}
+
+	var internal, legacy *bool
+	for _, annos := range nodeAnnosMap {
+		_, foundPath := annos[kioutil.PathAnnotation]
+		_, foundIndex := annos[kioutil.IndexAnnotation]
+		_, foundId := annos[kioutil.IdAnnotation]
+		_, foundLegacyPath := annos[kioutil.LegacyPathAnnotation]
+		_, foundLegacyIndex := annos[kioutil.LegacyIndexAnnotation]
+		_, foundLegacyId := annos[kioutil.LegacyIdAnnotation]
+
+		if !(foundPath || foundIndex || foundId || foundLegacyPath || foundLegacyIndex || foundLegacyId) {
+			continue
+		}
+
+		foundOneOf := foundPath || foundIndex || foundId
+		if internal == nil {
+			f := foundOneOf
+			internal = &f
+		}
+		if (foundOneOf && !*internal) || (!foundOneOf && *internal) {
+			err = fmt.Errorf("the annotation formatting in the input resources is not consistent")
+			return useInternal, useLegacy, err
+		}
+
+		foundOneOf = foundLegacyPath || foundLegacyIndex || foundLegacyId
+		if legacy == nil {
+			f := foundOneOf
+			legacy = &f
+		}
+		if (foundOneOf && !*legacy) || (!foundOneOf && *legacy) {
+			err = fmt.Errorf("the annotation formatting in the input resources is not consistent")
+			return useInternal, useLegacy, err
+		}
+	}
+	if internal != nil {
+		useInternal = *internal
+	}
+	if legacy != nil {
+		useLegacy = *legacy
+	}
+	return useInternal, useLegacy, err
+}
+
+func missingInternalOrLegacyAnnotations(rn *yaml.RNode) error {
+	if err := missingInternalOrLegacyAnnotation(rn, kioutil.PathAnnotation, kioutil.LegacyPathAnnotation); err != nil {
+		return err
+	}
+	if err := missingInternalOrLegacyAnnotation(rn, kioutil.IndexAnnotation, kioutil.LegacyIndexAnnotation); err != nil {
+		return err
+	}
+	if err := missingInternalOrLegacyAnnotation(rn, kioutil.IdAnnotation, kioutil.LegacyIdAnnotation); err != nil {
+		return err
+	}
+	return nil
+}
+
+func missingInternalOrLegacyAnnotation(rn *yaml.RNode, newKey string, legacyKey string) error {
+	meta, _ := rn.GetMeta()
+	annotations := meta.Annotations
+	value := annotations[newKey]
+	legacyValue := annotations[legacyKey]
+
+	if value == "" && legacyValue == "" {
+		// do nothing
+		return nil
+	}
+
+	if value == "" {
+		// new key is not set, copy from legacy key
+		if err := rn.PipeE(yaml.SetAnnotation(newKey, legacyValue)); err != nil {
+			return err
+		}
+	} else if legacyValue == "" {
+		// legacy key is not set, copy from new key
+		if err := rn.PipeE(yaml.SetAnnotation(legacyKey, value)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func checkAnnotationsAltered(rn *yaml.RNode, nodeAnnosMap map[string]map[string]string) error {
+	meta, _ := rn.GetMeta()
+	annotations := meta.Annotations
+	// get the resource's current path, index, and ids from the new annotations
+	internal := nodeAnnotations{
+		path:  annotations[kioutil.PathAnnotation],
+		index: annotations[kioutil.IndexAnnotation],
+		id:    annotations[kioutil.IdAnnotation],
+	}
+
+	// get the resource's current path, index, and ids from the legacy annotations
+	legacy := nodeAnnotations{
+		path:  annotations[kioutil.LegacyPathAnnotation],
+		index: annotations[kioutil.LegacyIndexAnnotation],
+		id:    annotations[kioutil.LegacyIdAnnotation],
+	}
+
+	rid := annotations[kioutil.InternalAnnotationsMigrationResourceIDAnnotation]
+	originalAnnotations, found := nodeAnnosMap[rid]
+	if !found {
+		return nil
+	}
+	originalPath, found := originalAnnotations[kioutil.PathAnnotation]
+	if !found {
+		originalPath = originalAnnotations[kioutil.LegacyPathAnnotation]
+	}
+	if originalPath != "" {
+		switch {
+		case originalPath != internal.path && originalPath != legacy.path && internal.path != legacy.path:
+			return fmt.Errorf("resource input to function has mismatched legacy and internal path annotations")
+		case originalPath != internal.path:
+			if _, err := rn.Pipe(yaml.SetAnnotation(kioutil.LegacyPathAnnotation, internal.path)); err != nil {
+				return err
+			}
+		case originalPath != legacy.path:
+			if _, err := rn.Pipe(yaml.SetAnnotation(kioutil.PathAnnotation, legacy.path)); err != nil {
+				return err
+			}
+		}
+	}
+
+	originalIndex, found := originalAnnotations[kioutil.IndexAnnotation]
+	if !found {
+		originalIndex = originalAnnotations[kioutil.LegacyIndexAnnotation]
+	}
+	if originalIndex != "" {
+		switch {
+		case originalIndex != internal.index && originalIndex != legacy.index && internal.index != legacy.index:
+			return fmt.Errorf("resource input to function has mismatched legacy and internal index annotations")
+		case originalIndex != internal.index:
+			if _, err := rn.Pipe(yaml.SetAnnotation(kioutil.LegacyIndexAnnotation, internal.index)); err != nil {
+				return err
+			}
+		case originalIndex != legacy.index:
+			if _, err := rn.Pipe(yaml.SetAnnotation(kioutil.IndexAnnotation, legacy.index)); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func formatInternalAnnotations(rn *yaml.RNode, useInternal, useLegacy bool) error {
+	if !useInternal {
+		if err := rn.PipeE(yaml.ClearAnnotation(kioutil.IdAnnotation)); err != nil {
+			return err
+		}
+		if err := rn.PipeE(yaml.ClearAnnotation(kioutil.PathAnnotation)); err != nil {
+			return err
+		}
+		if err := rn.PipeE(yaml.ClearAnnotation(kioutil.IndexAnnotation)); err != nil {
+			return err
+		}
+	}
+	if !useLegacy {
+		if err := rn.PipeE(yaml.ClearAnnotation(kioutil.LegacyIdAnnotation)); err != nil {
+			return err
+		}
+		if err := rn.PipeE(yaml.ClearAnnotation(kioutil.LegacyPathAnnotation)); err != nil {
+			return err
+		}
+		if err := rn.PipeE(yaml.ClearAnnotation(kioutil.LegacyIndexAnnotation)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/kioutil/kioutil.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/kioutil/kioutil.go
new file mode 100644
index 0000000000..510ecae18f
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/kioutil/kioutil.go
@@ -0,0 +1,420 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package kioutil
+
+import (
+	"fmt"
+	"path"
+	"sort"
+	"strconv"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type AnnotationKey = string
+
+const (
+	// internalPrefix is the prefix given to internal annotations that are used
+	// internally by the orchestrator
+	internalPrefix string = "internal.config.kubernetes.io/"
+
+	// IndexAnnotation records the index of a specific resource in a file or input stream.
+	IndexAnnotation AnnotationKey = internalPrefix + "index"
+
+	// PathAnnotation records the path to the file the Resource was read from
+	PathAnnotation AnnotationKey = internalPrefix + "path"
+
+	// SeqIndentAnnotation records the sequence nodes indentation of the input resource
+	SeqIndentAnnotation AnnotationKey = internalPrefix + "seqindent"
+
+	// IdAnnotation records the id of the resource to map inputs to outputs
+	IdAnnotation AnnotationKey = internalPrefix + "id"
+
+	// Deprecated: Use IndexAnnotation instead.
+	LegacyIndexAnnotation AnnotationKey = "config.kubernetes.io/index"
+
+	// Deprecated: use PathAnnotation instead.
+	LegacyPathAnnotation AnnotationKey = "config.kubernetes.io/path"
+
+	// Deprecated: use IdAnnotation instead.
+	LegacyIdAnnotation = "config.k8s.io/id"
+
+	// InternalAnnotationsMigrationResourceIDAnnotation is used to uniquely identify
+	// resources during round trip to and from a function execution. We will use it
+	// to track the internal annotations and reconcile them if needed.
+	InternalAnnotationsMigrationResourceIDAnnotation = internalPrefix + "annotations-migration-resource-id"
+)
+
+func GetFileAnnotations(rn *yaml.RNode) (string, string, error) {
+	rm, _ := rn.GetMeta()
+	annotations := rm.Annotations
+	path, found := annotations[PathAnnotation]
+	if !found {
+		path = annotations[LegacyPathAnnotation]
+	}
+	index, found := annotations[IndexAnnotation]
+	if !found {
+		index = annotations[LegacyIndexAnnotation]
+	}
+	return path, index, nil
+}
+
+func GetIdAnnotation(rn *yaml.RNode) string {
+	rm, _ := rn.GetMeta()
+	annotations := rm.Annotations
+	id, found := annotations[IdAnnotation]
+	if !found {
+		id = annotations[LegacyIdAnnotation]
+	}
+	return id
+}
+
+func CopyLegacyAnnotations(rn *yaml.RNode) error {
+	meta, err := rn.GetMeta()
+	if err != nil {
+		if err == yaml.ErrMissingMetadata {
+			// resource has no metadata, this should be a no-op
+			return nil
+		}
+		return err
+	}
+	if err := copyAnnotations(meta, rn, LegacyPathAnnotation, PathAnnotation); err != nil {
+		return err
+	}
+	if err := copyAnnotations(meta, rn, LegacyIndexAnnotation, IndexAnnotation); err != nil {
+		return err
+	}
+	if err := copyAnnotations(meta, rn, LegacyIdAnnotation, IdAnnotation); err != nil {
+		return err
+	}
+	return nil
+}
+
+func copyAnnotations(meta yaml.ResourceMeta, rn *yaml.RNode, legacyKey string, newKey string) error {
+	newValue := meta.Annotations[newKey]
+	legacyValue := meta.Annotations[legacyKey]
+	if newValue != "" {
+		if legacyValue == "" {
+			if err := rn.PipeE(yaml.SetAnnotation(legacyKey, newValue)); err != nil {
+				return err
+			}
+		}
+	} else {
+		if legacyValue != "" {
+			if err := rn.PipeE(yaml.SetAnnotation(newKey, legacyValue)); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// ErrorIfMissingAnnotation validates the provided annotations are present on the given resources
+func ErrorIfMissingAnnotation(nodes []*yaml.RNode, keys ...AnnotationKey) error {
+	for _, key := range keys {
+		for _, node := range nodes {
+			val, err := node.Pipe(yaml.GetAnnotation(key))
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			if val == nil {
+				return errors.Errorf("missing annotation %s", key)
+			}
+		}
+	}
+	return nil
+}
+
+// CreatePathAnnotationValue creates a default path annotation value for a Resource.
+// The path prefix will be dir.
+func CreatePathAnnotationValue(dir string, m yaml.ResourceMeta) string {
+	filename := fmt.Sprintf("%s_%s.yaml", strings.ToLower(m.Kind), m.Name)
+	return path.Join(dir, m.Namespace, filename)
+}
+
+// DefaultPathAndIndexAnnotation sets a default path or index value on any nodes missing the
+// annotation
+func DefaultPathAndIndexAnnotation(dir string, nodes []*yaml.RNode) error {
+	counts := map[string]int{}
+
+	// check each node for the path annotation
+	for i := range nodes {
+		if err := CopyLegacyAnnotations(nodes[i]); err != nil {
+			return err
+		}
+		m, err := nodes[i].GetMeta()
+		if err != nil {
+			return err
+		}
+
+		// calculate the max index in each file in case we are appending
+		if p, found := m.Annotations[PathAnnotation]; found {
+			// record the max indexes into each file
+			if i, found := m.Annotations[IndexAnnotation]; found {
+				index, _ := strconv.Atoi(i)
+				if index > counts[p] {
+					counts[p] = index
+				}
+			}
+
+			// has the path annotation already -- do nothing
+			continue
+		}
+
+		// set a path annotation on the Resource
+		path := CreatePathAnnotationValue(dir, m)
+		if err := nodes[i].PipeE(yaml.SetAnnotation(PathAnnotation, path)); err != nil {
+			return err
+		}
+		if err := nodes[i].PipeE(yaml.SetAnnotation(LegacyPathAnnotation, path)); err != nil {
+			return err
+		}
+	}
+
+	// set the index annotations
+	for i := range nodes {
+		m, err := nodes[i].GetMeta()
+		if err != nil {
+			return err
+		}
+
+		if _, found := m.Annotations[IndexAnnotation]; found {
+			continue
+		}
+
+		p := m.Annotations[PathAnnotation]
+
+		// set an index annotation on the Resource
+		c := counts[p]
+		counts[p] = c + 1
+		if err := nodes[i].PipeE(
+			yaml.SetAnnotation(IndexAnnotation, fmt.Sprintf("%d", c))); err != nil {
+			return err
+		}
+		if err := nodes[i].PipeE(
+			yaml.SetAnnotation(LegacyIndexAnnotation, fmt.Sprintf("%d", c))); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// DefaultPathAnnotation sets a default path annotation on any Reources
+// missing it.
+func DefaultPathAnnotation(dir string, nodes []*yaml.RNode) error {
+	// check each node for the path annotation
+	for i := range nodes {
+		if err := CopyLegacyAnnotations(nodes[i]); err != nil {
+			return err
+		}
+		m, err := nodes[i].GetMeta()
+		if err != nil {
+			return err
+		}
+
+		if _, found := m.Annotations[PathAnnotation]; found {
+			// has the path annotation already -- do nothing
+			continue
+		}
+
+		// set a path annotation on the Resource
+		path := CreatePathAnnotationValue(dir, m)
+		if err := nodes[i].PipeE(yaml.SetAnnotation(PathAnnotation, path)); err != nil {
+			return err
+		}
+		if err := nodes[i].PipeE(yaml.SetAnnotation(LegacyPathAnnotation, path)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Map invokes fn for each element in nodes.
+func Map(nodes []*yaml.RNode, fn func(*yaml.RNode) (*yaml.RNode, error)) ([]*yaml.RNode, error) {
+	var returnNodes []*yaml.RNode
+	for i := range nodes {
+		n, err := fn(nodes[i])
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+		if n != nil {
+			returnNodes = append(returnNodes, n)
+		}
+	}
+	return returnNodes, nil
+}
+
+func MapMeta(nodes []*yaml.RNode, fn func(*yaml.RNode, yaml.ResourceMeta) (*yaml.RNode, error)) (
+	[]*yaml.RNode, error) {
+	var returnNodes []*yaml.RNode
+	for i := range nodes {
+		meta, err := nodes[i].GetMeta()
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+		n, err := fn(nodes[i], meta)
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+		if n != nil {
+			returnNodes = append(returnNodes, n)
+		}
+	}
+	return returnNodes, nil
+}
+
+// SortNodes sorts nodes in place:
+// - by PathAnnotation annotation
+// - by IndexAnnotation annotation
+func SortNodes(nodes []*yaml.RNode) error {
+	var err error
+	// use stable sort to keep ordering of equal elements
+	sort.SliceStable(nodes, func(i, j int) bool {
+		if err != nil {
+			return false
+		}
+		if err := CopyLegacyAnnotations(nodes[i]); err != nil {
+			return false
+		}
+		if err := CopyLegacyAnnotations(nodes[j]); err != nil {
+			return false
+		}
+		var iMeta, jMeta yaml.ResourceMeta
+		if iMeta, _ = nodes[i].GetMeta(); err != nil {
+			return false
+		}
+		if jMeta, _ = nodes[j].GetMeta(); err != nil {
+			return false
+		}
+
+		iValue := iMeta.Annotations[PathAnnotation]
+		jValue := jMeta.Annotations[PathAnnotation]
+		if iValue != jValue {
+			return iValue < jValue
+		}
+
+		iValue = iMeta.Annotations[IndexAnnotation]
+		jValue = jMeta.Annotations[IndexAnnotation]
+
+		// put resource config without an index first
+		if iValue == jValue {
+			return false
+		}
+		if iValue == "" {
+			return true
+		}
+		if jValue == "" {
+			return false
+		}
+
+		// sort by index
+		var iIndex, jIndex int
+		iIndex, err = strconv.Atoi(iValue)
+		if err != nil {
+			err = fmt.Errorf("unable to parse config.kubernetes.io/index %s :%v", iValue, err)
+			return false
+		}
+		jIndex, err = strconv.Atoi(jValue)
+		if err != nil {
+			err = fmt.Errorf("unable to parse config.kubernetes.io/index %s :%v", jValue, err)
+			return false
+		}
+		if iIndex != jIndex {
+			return iIndex < jIndex
+		}
+
+		// elements are equal
+		return false
+	})
+	return errors.Wrap(err)
+}
+
+// CopyInternalAnnotations copies the annotations that begin with the prefix
+// `internal.config.kubernetes.io` from the source RNode to the destination RNode.
+// It takes a parameter exclusions, which is a list of annotation keys to ignore.
+func CopyInternalAnnotations(src *yaml.RNode, dst *yaml.RNode, exclusions ...AnnotationKey) error {
+	srcAnnotations := GetInternalAnnotations(src)
+	for k, v := range srcAnnotations {
+		if stringSliceContains(exclusions, k) {
+			continue
+		}
+		if err := dst.PipeE(yaml.SetAnnotation(k, v)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// ConfirmInternalAnnotationUnchanged compares the annotations of the RNodes that begin with the prefix
+// `internal.config.kubernetes.io`, throwing an error if they differ. It takes a parameter exclusions,
+// which is a list of annotation keys to ignore.
+func ConfirmInternalAnnotationUnchanged(r1 *yaml.RNode, r2 *yaml.RNode, exclusions ...AnnotationKey) error {
+	r1Annotations := GetInternalAnnotations(r1)
+	r2Annotations := GetInternalAnnotations(r2)
+
+	// this is a map to prevent duplicates
+	diffAnnos := make(map[string]bool)
+
+	for k, v1 := range r1Annotations {
+		if stringSliceContains(exclusions, k) {
+			continue
+		}
+		if v2, ok := r2Annotations[k]; !ok || v1 != v2 {
+			diffAnnos[k] = true
+		}
+	}
+
+	for k, v2 := range r2Annotations {
+		if stringSliceContains(exclusions, k) {
+			continue
+		}
+		if v1, ok := r1Annotations[k]; !ok || v2 != v1 {
+			diffAnnos[k] = true
+		}
+	}
+
+	if len(diffAnnos) > 0 {
+		keys := make([]string, 0, len(diffAnnos))
+		for k := range diffAnnos {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		errorString := "internal annotations differ: "
+		for _, key := range keys {
+			errorString = errorString + key + ", "
+		}
+		return errors.Errorf(errorString[0 : len(errorString)-2])
+	}
+
+	return nil
+}
+
+// GetInternalAnnotations returns a map of all the annotations of the provided
+// RNode that satisfies one of the following: 1) begin with the prefix
+// `internal.config.kubernetes.io` 2) is one of `config.kubernetes.io/path`,
+// `config.kubernetes.io/index` and `config.k8s.io/id`.
+func GetInternalAnnotations(rn *yaml.RNode) map[string]string {
+	meta, _ := rn.GetMeta()
+	annotations := meta.Annotations
+	result := make(map[string]string)
+	for k, v := range annotations {
+		if strings.HasPrefix(k, internalPrefix) || k == LegacyPathAnnotation || k == LegacyIndexAnnotation || k == LegacyIdAnnotation {
+			result[k] = v
+		}
+	}
+	return result
+}
+
+// stringSliceContains returns true if the slice has the string.
+func stringSliceContains(slice []string, str string) bool {
+	for _, s := range slice {
+		if s == str {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_reader.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_reader.go
new file mode 100644
index 0000000000..609a791f39
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_reader.go
@@ -0,0 +1,360 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package kio
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/sets"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// requiredResourcePackageAnnotations are annotations that are required to write resources back to
+// files.
+var requiredResourcePackageAnnotations = []string{kioutil.IndexAnnotation, kioutil.PathAnnotation}
+
+// PackageBuffer implements Reader and Writer, storing Resources in a local field.
+type PackageBuffer struct {
+	Nodes []*yaml.RNode
+}
+
+func (r *PackageBuffer) Read() ([]*yaml.RNode, error) {
+	return r.Nodes, nil
+}
+
+func (r *PackageBuffer) Write(nodes []*yaml.RNode) error {
+	r.Nodes = nodes
+	return nil
+}
+
+// LocalPackageReadWriter reads and writes Resources from / to a local directory.
+// When writing, LocalPackageReadWriter will delete files if all of the Resources from
+// that file have been removed from the output.
+type LocalPackageReadWriter struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	KeepReaderAnnotations bool `yaml:"keepReaderAnnotations,omitempty"`
+
+	// PreserveSeqIndent if true adds kioutil.SeqIndentAnnotation to each resource
+	PreserveSeqIndent bool
+
+	// PackagePath is the path to the package directory.
+	PackagePath string `yaml:"path,omitempty"`
+
+	// PackageFileName is the name of file containing package metadata.
+	// It will be used to identify package.
+	PackageFileName string `yaml:"packageFileName,omitempty"`
+
+	// MatchFilesGlob configures Read to only read Resources from files matching any of the
+	// provided patterns.
+	// Defaults to ["*.yaml", "*.yml"] if empty.  To match all files specify ["*"].
+	MatchFilesGlob []string `yaml:"matchFilesGlob,omitempty"`
+
+	// IncludeSubpackages will configure Read to read Resources from subpackages.
+	// Subpackages are identified by presence of PackageFileName.
+	IncludeSubpackages bool `yaml:"includeSubpackages,omitempty"`
+
+	// ErrorIfNonResources will configure Read to throw an error if yaml missing missing
+	// apiVersion or kind is read.
+	ErrorIfNonResources bool `yaml:"errorIfNonResources,omitempty"`
+
+	// OmitReaderAnnotations will cause the reader to skip annotating Resources with the file
+	// path and mode.
+	OmitReaderAnnotations bool `yaml:"omitReaderAnnotations,omitempty"`
+
+	// SetAnnotations are annotations to set on the Resources as they are read.
+	SetAnnotations map[string]string `yaml:"setAnnotations,omitempty"`
+
+	// NoDeleteFiles if set to true, LocalPackageReadWriter won't delete any files
+	NoDeleteFiles bool `yaml:"noDeleteFiles,omitempty"`
+
+	files sets.String
+
+	// FileSkipFunc is a function which returns true if reader should ignore
+	// the file
+	FileSkipFunc LocalPackageSkipFileFunc
+
+	// FileSystem can be used to mock the disk file system.
+	FileSystem filesys.FileSystemOrOnDisk
+
+	// WrapBareSeqNode wraps the bare sequence node document with map node,
+	// kyaml uses reader annotations to track resources, it is not possible to
+	// add them to bare sequence nodes, this option enables wrapping such bare
+	// sequence nodes into map node with key yaml.BareSeqNodeWrappingKey
+	// note that this wrapping is different and not related to ResourceList wrapping
+	WrapBareSeqNode bool
+}
+
+func (r *LocalPackageReadWriter) Read() ([]*yaml.RNode, error) {
+	nodes, err := LocalPackageReader{
+		PackagePath:         r.PackagePath,
+		MatchFilesGlob:      r.MatchFilesGlob,
+		IncludeSubpackages:  r.IncludeSubpackages,
+		ErrorIfNonResources: r.ErrorIfNonResources,
+		SetAnnotations:      r.SetAnnotations,
+		PackageFileName:     r.PackageFileName,
+		FileSkipFunc:        r.FileSkipFunc,
+		PreserveSeqIndent:   r.PreserveSeqIndent,
+		FileSystem:          r.FileSystem,
+		WrapBareSeqNode:     r.WrapBareSeqNode,
+	}.Read()
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	// keep track of all the files
+	if !r.NoDeleteFiles {
+		r.files, err = r.getFiles(nodes)
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+	}
+	return nodes, nil
+}
+
+func (r *LocalPackageReadWriter) Write(nodes []*yaml.RNode) error {
+	newFiles, err := r.getFiles(nodes)
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	var clear []string
+	for k := range r.SetAnnotations {
+		clear = append(clear, k)
+	}
+	err = LocalPackageWriter{
+		PackagePath:           r.PackagePath,
+		ClearAnnotations:      clear,
+		KeepReaderAnnotations: r.KeepReaderAnnotations,
+		FileSystem:            r.FileSystem,
+	}.Write(nodes)
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	deleteFiles := r.files.Difference(newFiles)
+	for f := range deleteFiles {
+		if err = r.FileSystem.RemoveAll(filepath.Join(r.PackagePath, f)); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+	return nil
+}
+
+func (r *LocalPackageReadWriter) getFiles(nodes []*yaml.RNode) (sets.String, error) {
+	val := sets.String{}
+	for _, n := range nodes {
+		path, _, err := kioutil.GetFileAnnotations(n)
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+		val.Insert(path)
+	}
+	return val, nil
+}
+
+// LocalPackageSkipFileFunc is a function which returns true if the file
+// in the package should be ignored by reader.
+// relPath is an OS specific relative path
+type LocalPackageSkipFileFunc func(relPath string) bool
+
+// LocalPackageReader reads ResourceNodes from a local package.
+type LocalPackageReader struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// PackagePath is the path to the package directory.
+	PackagePath string `yaml:"path,omitempty"`
+
+	// PackageFileName is the name of file containing package metadata.
+	// It will be used to identify package.
+	PackageFileName string `yaml:"packageFileName,omitempty"`
+
+	// MatchFilesGlob configures Read to only read Resources from files matching any of the
+	// provided patterns.
+	// Defaults to ["*.yaml", "*.yml"] if empty.  To match all files specify ["*"].
+	MatchFilesGlob []string `yaml:"matchFilesGlob,omitempty"`
+
+	// IncludeSubpackages will configure Read to read Resources from subpackages.
+	// Subpackages are identified by presence of PackageFileName.
+	IncludeSubpackages bool `yaml:"includeSubpackages,omitempty"`
+
+	// ErrorIfNonResources will configure Read to throw an error if yaml missing missing
+	// apiVersion or kind is read.
+	ErrorIfNonResources bool `yaml:"errorIfNonResources,omitempty"`
+
+	// OmitReaderAnnotations will cause the reader to skip annotating Resources with the file
+	// path and mode.
+	OmitReaderAnnotations bool `yaml:"omitReaderAnnotations,omitempty"`
+
+	// SetAnnotations are annotations to set on the Resources as they are read.
+	SetAnnotations map[string]string `yaml:"setAnnotations,omitempty"`
+
+	// FileSkipFunc is a function which returns true if reader should ignore
+	// the file
+	FileSkipFunc LocalPackageSkipFileFunc
+
+	// PreserveSeqIndent if true adds kioutil.SeqIndentAnnotation to each resource
+	PreserveSeqIndent bool
+
+	// FileSystem can be used to mock the disk file system.
+	FileSystem filesys.FileSystemOrOnDisk
+
+	// WrapBareSeqNode wraps the bare sequence node document with map node,
+	// kyaml uses reader annotations to track resources, it is not possible to
+	// add them to bare sequence nodes, this option enables wrapping such bare
+	// sequence nodes into map node with key yaml.BareSeqNodeWrappingKey
+	// note that this wrapping is different and not related to ResourceList wrapping
+	WrapBareSeqNode bool
+}
+
+var _ Reader = LocalPackageReader{}
+
+var DefaultMatch = []string{"*.yaml", "*.yml"}
+var JSONMatch = []string{"*.json"}
+var MatchAll = append(DefaultMatch, JSONMatch...)
+
+// Read reads the Resources.
+func (r LocalPackageReader) Read() ([]*yaml.RNode, error) {
+	if r.PackagePath == "" {
+		return nil, fmt.Errorf("must specify package path")
+	}
+
+	// use slash for path
+	r.PackagePath = filepath.ToSlash(r.PackagePath)
+	if len(r.MatchFilesGlob) == 0 {
+		r.MatchFilesGlob = DefaultMatch
+	}
+
+	var operand ResourceNodeSlice
+	var pathRelativeTo string
+	var err error
+	ignoreFilesMatcher := &ignoreFilesMatcher{
+		fs: r.FileSystem,
+	}
+	dir, file, err := r.FileSystem.CleanedAbs(r.PackagePath)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	r.PackagePath = filepath.Join(string(dir), file)
+	err = r.FileSystem.Walk(r.PackagePath, func(
+		path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return errors.Wrap(err)
+		}
+
+		// is this the user specified path?
+		if path == r.PackagePath {
+			if info.IsDir() {
+				// skip the root package directory, but check for a
+				// .krmignore file first.
+				pathRelativeTo = r.PackagePath
+				return ignoreFilesMatcher.readIgnoreFile(path)
+			}
+
+			// user specified path is a file rather than a directory.
+			// make its path relative to its parent so it can be written to another file.
+			pathRelativeTo = filepath.Dir(r.PackagePath)
+		}
+
+		// check if we should skip the directory or file
+		if info.IsDir() {
+			return r.shouldSkipDir(path, ignoreFilesMatcher)
+		}
+
+		// get the relative path to file within the package so we can write the files back out
+		// to another location.
+		relPath, err := filepath.Rel(pathRelativeTo, path)
+		if err != nil {
+			return errors.WrapPrefixf(err, pathRelativeTo)
+		}
+		if match, err := r.shouldSkipFile(path, relPath, ignoreFilesMatcher); err != nil {
+			return err
+		} else if match {
+			// skip this file
+			return nil
+		}
+
+		r.initReaderAnnotations(relPath, info)
+		nodes, err := r.readFile(path, info)
+		if err != nil {
+			return errors.WrapPrefixf(err, path)
+		}
+		operand = append(operand, nodes...)
+		return nil
+	})
+	return operand, err
+}
+
+// readFile reads the ResourceNodes from a file
+func (r *LocalPackageReader) readFile(path string, _ os.FileInfo) ([]*yaml.RNode, error) {
+	f, err := r.FileSystem.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	rr := &ByteReader{
+		DisableUnwrapping:     true,
+		Reader:                f,
+		OmitReaderAnnotations: r.OmitReaderAnnotations,
+		SetAnnotations:        r.SetAnnotations,
+		PreserveSeqIndent:     r.PreserveSeqIndent,
+		WrapBareSeqNode:       r.WrapBareSeqNode,
+	}
+	return rr.Read()
+}
+
+// shouldSkipFile returns true if the file should be skipped
+func (r *LocalPackageReader) shouldSkipFile(path, relPath string, matcher *ignoreFilesMatcher) (bool, error) {
+	// check if the file is covered by a .krmignore file.
+	if matcher.matchFile(path) {
+		return true, nil
+	}
+
+	if r.FileSkipFunc != nil && r.FileSkipFunc(relPath) {
+		return true, nil
+	}
+
+	// check if the files are in scope
+	for _, g := range r.MatchFilesGlob {
+		if match, err := filepath.Match(g, filepath.Base(path)); err != nil {
+			return true, errors.Wrap(err)
+		} else if match {
+			return false, nil
+		}
+	}
+	return true, nil
+}
+
+// initReaderAnnotations adds the LocalPackageReader Annotations to r.SetAnnotations
+func (r *LocalPackageReader) initReaderAnnotations(path string, _ os.FileInfo) {
+	if r.SetAnnotations == nil {
+		r.SetAnnotations = map[string]string{}
+	}
+	if !r.OmitReaderAnnotations {
+		r.SetAnnotations[kioutil.PathAnnotation] = path
+		r.SetAnnotations[kioutil.LegacyPathAnnotation] = path
+	}
+}
+
+// shouldSkipDir returns a filepath.SkipDir if the directory should be skipped
+func (r *LocalPackageReader) shouldSkipDir(path string, matcher *ignoreFilesMatcher) error {
+	if matcher.matchDir(path) {
+		return filepath.SkipDir
+	}
+
+	if r.PackageFileName == "" {
+		return nil
+	}
+	// check if this is a subpackage
+	if !r.FileSystem.Exists(filepath.Join(path, r.PackageFileName)) {
+		return nil
+	}
+	if !r.IncludeSubpackages {
+		return filepath.SkipDir
+	}
+	return matcher.readIgnoreFile(path)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_writer.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_writer.go
new file mode 100644
index 0000000000..ce6fa45a5e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_writer.go
@@ -0,0 +1,150 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package kio
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// LocalPackageWriter writes ResourceNodes to a filesystem
+type LocalPackageWriter struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// PackagePath is the path to the package directory.
+	PackagePath string `yaml:"path,omitempty"`
+
+	// KeepReaderAnnotations if set will retain the annotations set by LocalPackageReader
+	KeepReaderAnnotations bool `yaml:"keepReaderAnnotations,omitempty"`
+
+	// ClearAnnotations will clear annotations before writing the resources
+	ClearAnnotations []string `yaml:"clearAnnotations,omitempty"`
+
+	// FileSystem can be used to mock the disk file system.
+	FileSystem filesys.FileSystemOrOnDisk
+}
+
+var _ Writer = LocalPackageWriter{}
+
+func (r LocalPackageWriter) Write(nodes []*yaml.RNode) error {
+	// set the path and index annotations if they are missing
+	if err := kioutil.DefaultPathAndIndexAnnotation("", nodes); err != nil {
+		return err
+	}
+
+	if !r.FileSystem.Exists(r.PackagePath) {
+		return errors.WrapPrefixf(os.ErrNotExist, "could not write to %q", r.PackagePath)
+	}
+	if !r.FileSystem.IsDir(r.PackagePath) {
+		// if the user specified input isn't a directory, the package is the directory of the
+		// target
+		r.PackagePath = filepath.Dir(r.PackagePath)
+	}
+
+	// setup indexes for writing Resources back to files
+	if err := r.errorIfMissingRequiredAnnotation(nodes); err != nil {
+		return err
+	}
+	outputFiles, err := r.indexByFilePath(nodes)
+	if err != nil {
+		return err
+	}
+	for k := range outputFiles {
+		if err = kioutil.SortNodes(outputFiles[k]); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+
+	if !r.KeepReaderAnnotations {
+		r.ClearAnnotations = append(r.ClearAnnotations, kioutil.PathAnnotation)
+		r.ClearAnnotations = append(r.ClearAnnotations, kioutil.LegacyPathAnnotation)
+	}
+
+	// validate outputs before writing any
+	for path := range outputFiles {
+		outputPath := filepath.Join(r.PackagePath, path)
+		if r.FileSystem.IsDir(outputPath) {
+			return fmt.Errorf("config.kubernetes.io/path cannot be a directory: %s", path)
+		}
+
+		err = r.FileSystem.MkdirAll(filepath.Dir(outputPath))
+		if err != nil {
+			return errors.Wrap(err)
+		}
+	}
+
+	// write files
+	buf := bytes.NewBuffer(nil)
+	for path := range outputFiles {
+		outputPath := filepath.Join(r.PackagePath, path)
+		err = r.FileSystem.MkdirAll(filepath.Dir(filepath.Join(r.PackagePath, path)))
+		if err != nil {
+			return errors.Wrap(err)
+		}
+
+		buf.Reset()
+		w := ByteWriter{
+			Writer:                buf,
+			KeepReaderAnnotations: r.KeepReaderAnnotations,
+			ClearAnnotations:      r.ClearAnnotations,
+		}
+		if err = w.Write(outputFiles[path]); err != nil {
+			return errors.Wrap(err)
+		}
+
+		if err := r.FileSystem.WriteFile(outputPath, buf.Bytes()); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+
+	return nil
+}
+
+func (r LocalPackageWriter) errorIfMissingRequiredAnnotation(nodes []*yaml.RNode) error {
+	for i := range nodes {
+		for _, s := range requiredResourcePackageAnnotations {
+			key, err := nodes[i].Pipe(yaml.GetAnnotation(s))
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			if key == nil || key.YNode() == nil || key.YNode().Value == "" {
+				return errors.Errorf(
+					"resources must be annotated with %s to be written to files", s)
+			}
+		}
+	}
+	return nil
+}
+
+func (r LocalPackageWriter) indexByFilePath(nodes []*yaml.RNode) (map[string][]*yaml.RNode, error) {
+	outputFiles := map[string][]*yaml.RNode{}
+	for i := range nodes {
+		// parse the file write path
+		node := nodes[i]
+		value, err := node.Pipe(yaml.GetAnnotation(kioutil.PathAnnotation))
+		if err != nil {
+			// this should never happen if errorIfMissingRequiredAnnotation was run
+			return nil, errors.Wrap(err)
+		}
+		path := value.YNode().Value
+		outputFiles[path] = append(outputFiles[path], node)
+
+		if filepath.IsAbs(path) {
+			return nil, errors.Errorf("package paths may not be absolute paths")
+		}
+		if strings.Contains(filepath.Clean(path), "..") {
+			return nil, fmt.Errorf("resource must be written under package %s: %s",
+				r.PackagePath, filepath.Clean(path))
+		}
+	}
+	return outputFiles, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/tree.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/tree.go
new file mode 100644
index 0000000000..a14181578e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/tree.go
@@ -0,0 +1,519 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package kio
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/xlab/treeprint"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type TreeStructure string
+
+const (
+	// TreeStructurePackage configures TreeWriter to generate the tree structure off of the
+	// Resources packages.
+	TreeStructurePackage TreeStructure = "directory"
+
+	// TreeStructureOwners configures TreeWriter to generate the tree structure off of the
+	// Resource owners.
+	TreeStructureGraph TreeStructure = "owners"
+)
+
+var GraphStructures = []string{string(TreeStructureGraph), string(TreeStructurePackage)}
+
+// TreeWriter prints the package structured as a tree.
+// TODO(pwittrock): test this package better.  it is lower-risk since it is only
+//   used for printing rather than updating or editing.
+type TreeWriter struct {
+	Writer          io.Writer
+	Root            string
+	Fields          []TreeWriterField
+	Structure       TreeStructure
+	OpenAPIFileName string
+}
+
+// TreeWriterField configures a Resource field to be included in the tree
+type TreeWriterField struct {
+	yaml.PathMatcher
+	Name    string
+	SubName string
+}
+
+func (p TreeWriter) packageStructure(nodes []*yaml.RNode) error {
+	for i := range nodes {
+		if err := kioutil.CopyLegacyAnnotations(nodes[i]); err != nil {
+			return err
+		}
+	}
+	indexByPackage := p.index(nodes)
+
+	// create the new tree
+	tree := treeprint.New()
+	tree.SetValue(p.Root)
+
+	// add each package to the tree
+	treeIndex := map[string]treeprint.Tree{}
+	keys := p.sort(indexByPackage)
+	for _, pkg := range keys {
+		// create a branch for this package -- search for the parent package and create
+		// the branch under it -- requires that the keys are sorted
+		branch := tree
+		for parent, subTree := range treeIndex {
+			if strings.HasPrefix(pkg, parent) {
+				// found a package whose path is a prefix to our own, use this
+				// package if a closer one isn't found
+				branch = subTree
+				// don't break, continue searching for more closely related ancestors
+			}
+		}
+
+		// create a new branch for the package
+		createOk := pkg != "." // special edge case logic for tree on current working dir
+		if createOk {
+			branch = branch.AddBranch(branchName(p.Root, pkg, p.OpenAPIFileName))
+		}
+
+		// cache the branch for this package
+		treeIndex[pkg] = branch
+
+		// print each resource in the package
+		for i := range indexByPackage[pkg] {
+			var err error
+			if _, err = p.doResource(indexByPackage[pkg][i], "", branch); err != nil {
+				return err
+			}
+		}
+	}
+
+	_, err := io.WriteString(p.Writer, tree.String())
+	return err
+}
+
+// branchName takes the root directory and relative path to the directory
+// and returns the branch name
+func branchName(root, dirRelPath, openAPIFileName string) string {
+	name := filepath.Base(dirRelPath)
+	_, err := os.Stat(filepath.Join(root, dirRelPath, openAPIFileName))
+	if !os.IsNotExist(err) {
+		// add Pkg: prefix indicating that it is a separate package as it has
+		// openAPIFile
+		return fmt.Sprintf("Pkg: %s", name)
+	}
+	return name
+}
+
+// Write writes the ascii tree to p.Writer
+func (p TreeWriter) Write(nodes []*yaml.RNode) error {
+	switch p.Structure {
+	case TreeStructurePackage:
+		return p.packageStructure(nodes)
+	case TreeStructureGraph:
+		return p.graphStructure(nodes)
+	}
+
+	// If any resource has an owner reference, default to the graph structure. Otherwise, use package structure.
+	for _, node := range nodes {
+		if owners, _ := node.Pipe(yaml.Lookup("metadata", "ownerReferences")); owners != nil {
+			return p.graphStructure(nodes)
+		}
+	}
+	return p.packageStructure(nodes)
+}
+
+// node wraps a tree node, and any children nodes
+type node struct {
+	p TreeWriter
+	*yaml.RNode
+	children []*node
+}
+
+func (a node) Len() int      { return len(a.children) }
+func (a node) Swap(i, j int) { a.children[i], a.children[j] = a.children[j], a.children[i] }
+func (a node) Less(i, j int) bool {
+	return compareNodes(a.children[i].RNode, a.children[j].RNode)
+}
+
+// Tree adds this node to the root
+func (a node) Tree(root treeprint.Tree) error {
+	sort.Sort(a)
+	branch := root
+	var err error
+
+	// generate a node for the Resource
+	if a.RNode != nil {
+		branch, err = a.p.doResource(a.RNode, "Resource", root)
+		if err != nil {
+			return err
+		}
+	}
+
+	// attach children to the branch
+	for _, n := range a.children {
+		if err := n.Tree(branch); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// graphStructure writes the tree using owners for structure
+func (p TreeWriter) graphStructure(nodes []*yaml.RNode) error {
+	resourceToOwner := map[string]*node{}
+	root := &node{}
+	// index each of the nodes by their owner
+	for _, n := range nodes {
+		ownerVal, err := ownerToString(n)
+		if err != nil {
+			return err
+		}
+		var owner *node
+		if ownerVal == "" {
+			// no owner -- attach to the root
+			owner = root
+		} else {
+			// owner found -- attach to the owner
+			var found bool
+			owner, found = resourceToOwner[ownerVal]
+			if !found {
+				// initialize the owner if not found
+				resourceToOwner[ownerVal] = &node{p: p}
+				owner = resourceToOwner[ownerVal]
+			}
+		}
+
+		nodeVal, err := nodeToString(n)
+		if err != nil {
+			return err
+		}
+		val, found := resourceToOwner[nodeVal]
+		if !found {
+			// initialize the node if not found -- may have already been initialized if it
+			// is the owner of another node
+			resourceToOwner[nodeVal] = &node{p: p}
+			val = resourceToOwner[nodeVal]
+		}
+		val.RNode = n
+		owner.children = append(owner.children, val)
+	}
+
+	for k, v := range resourceToOwner {
+		if v.RNode == nil {
+			return fmt.Errorf(
+				"owner '%s' not found in input, but found as an owner of input objects", k)
+		}
+	}
+
+	// print the tree
+	tree := treeprint.New()
+	if err := root.Tree(tree); err != nil {
+		return err
+	}
+
+	_, err := io.WriteString(p.Writer, tree.String())
+	return err
+}
+
+// nodeToString generates a string to identify the node -- matches ownerToString format
+func nodeToString(node *yaml.RNode) (string, error) {
+	meta, err := node.GetMeta()
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf("%s %s/%s", meta.Kind, meta.Namespace, meta.Name), nil
+}
+
+// ownerToString generate a string to identify the owner -- matches nodeToString format
+func ownerToString(node *yaml.RNode) (string, error) {
+	meta, err := node.GetMeta()
+	if err != nil {
+		return "", err
+	}
+	namespace := meta.Namespace
+
+	owners, err := node.Pipe(yaml.Lookup("metadata", "ownerReferences"))
+	if err != nil {
+		return "", err
+	}
+	if owners == nil {
+		return "", nil
+	}
+
+	elements, err := owners.Elements()
+	if err != nil {
+		return "", err
+	}
+	if len(elements) == 0 {
+		return "", err
+	}
+	owner := elements[0]
+	var kind, name string
+
+	if value := owner.Field("kind"); !value.IsNilOrEmpty() {
+		kind = value.Value.YNode().Value
+	}
+	if value := owner.Field("name"); !value.IsNilOrEmpty() {
+		name = value.Value.YNode().Value
+	}
+
+	return fmt.Sprintf("%s %s/%s", kind, namespace, name), nil
+}
+
+// index indexes the Resources by their package
+func (p TreeWriter) index(nodes []*yaml.RNode) map[string][]*yaml.RNode {
+	// index the ResourceNodes by package
+	indexByPackage := map[string][]*yaml.RNode{}
+	for i := range nodes {
+		meta, err := nodes[i].GetMeta()
+		if err != nil || meta.Kind == "" {
+			// not a resource
+			continue
+		}
+		pkg := filepath.Dir(meta.Annotations[kioutil.PathAnnotation])
+		indexByPackage[pkg] = append(indexByPackage[pkg], nodes[i])
+	}
+	return indexByPackage
+}
+
+func compareNodes(i, j *yaml.RNode) bool {
+	metai, _ := i.GetMeta()
+	metaj, _ := j.GetMeta()
+	pi := metai.Annotations[kioutil.PathAnnotation]
+	pj := metaj.Annotations[kioutil.PathAnnotation]
+
+	// compare file names
+	if filepath.Base(pi) != filepath.Base(pj) {
+		return filepath.Base(pi) < filepath.Base(pj)
+	}
+
+	// compare namespace
+	if metai.Namespace != metaj.Namespace {
+		return metai.Namespace < metaj.Namespace
+	}
+
+	// compare name
+	if metai.Name != metaj.Name {
+		return metai.Name < metaj.Name
+	}
+
+	// compare kind
+	if metai.Kind != metaj.Kind {
+		return metai.Kind < metaj.Kind
+	}
+
+	// compare apiVersion
+	if metai.APIVersion != metaj.APIVersion {
+		return metai.APIVersion < metaj.APIVersion
+	}
+	return true
+}
+
+// sort sorts the Resources in the index in display order and returns the ordered
+// keys for the index
+//
+// Packages are sorted by package name
+// Resources within a package are sorted by: [filename, namespace, name, kind, apiVersion]
+func (p TreeWriter) sort(indexByPackage map[string][]*yaml.RNode) []string {
+	var keys []string
+	for k := range indexByPackage {
+		pkgNodes := indexByPackage[k]
+		sort.Slice(pkgNodes, func(i, j int) bool { return compareNodes(pkgNodes[i], pkgNodes[j]) })
+		keys = append(keys, k)
+	}
+
+	// return the package names sorted lexicographically
+	sort.Strings(keys)
+	return keys
+}
+
+func (p TreeWriter) doResource(leaf *yaml.RNode, metaString string, branch treeprint.Tree) (treeprint.Tree, error) {
+	meta, _ := leaf.GetMeta()
+	if metaString == "" {
+		path := meta.Annotations[kioutil.PathAnnotation]
+		path = filepath.Base(path)
+		metaString = path
+	}
+
+	value := fmt.Sprintf("%s %s", meta.Kind, meta.Name)
+	if len(meta.Namespace) > 0 {
+		value = fmt.Sprintf("%s %s/%s", meta.Kind, meta.Namespace, meta.Name)
+	}
+
+	fields, err := p.getFields(leaf)
+	if err != nil {
+		return nil, err
+	}
+
+	n := branch.AddMetaBranch(metaString, value)
+	for i := range fields {
+		field := fields[i]
+
+		// do leaf node
+		if len(field.matchingElementsAndFields) == 0 {
+			n.AddNode(fmt.Sprintf("%s: %s", field.name, field.value))
+			continue
+		}
+
+		// do nested nodes
+		b := n.AddBranch(field.name)
+		for j := range field.matchingElementsAndFields {
+			elem := field.matchingElementsAndFields[j]
+			b := b.AddBranch(elem.name)
+			for k := range elem.matchingElementsAndFields {
+				field := elem.matchingElementsAndFields[k]
+				b.AddNode(fmt.Sprintf("%s: %s", field.name, field.value))
+			}
+		}
+	}
+
+	return n, nil
+}
+
+// getFields looks up p.Fields from leaf and structures them into treeFields.
+// TODO(pwittrock): simplify this function
+func (p TreeWriter) getFields(leaf *yaml.RNode) (treeFields, error) {
+	fieldsByName := map[string]*treeField{}
+
+	// index nested and non-nested fields
+	for i := range p.Fields {
+		f := p.Fields[i]
+		seq, err := leaf.Pipe(&f)
+		if err != nil {
+			return nil, err
+		}
+		if seq == nil {
+			continue
+		}
+
+		if fieldsByName[f.Name] == nil {
+			fieldsByName[f.Name] = &treeField{name: f.Name}
+		}
+
+		// non-nested field -- add directly to the treeFields list
+		if f.SubName == "" {
+			// non-nested field -- only 1 element
+			val, err := yaml.String(seq.Content()[0], yaml.Trim, yaml.Flow)
+			if err != nil {
+				return nil, err
+			}
+			fieldsByName[f.Name].value = val
+			continue
+		}
+
+		// nested-field -- create a parent elem, and index by the 'match' value
+		if fieldsByName[f.Name].subFieldByMatch == nil {
+			fieldsByName[f.Name].subFieldByMatch = map[string]treeFields{}
+		}
+		index := fieldsByName[f.Name].subFieldByMatch
+		for j := range seq.Content() {
+			elem := seq.Content()[j]
+			matches := f.Matches[elem]
+			str, err := yaml.String(elem, yaml.Trim, yaml.Flow)
+			if err != nil {
+				return nil, err
+			}
+
+			// map the field by the name of the element
+			// index the subfields by the matching element so we can put all the fields for the
+			// same element under the same branch
+			matchKey := strings.Join(matches, "/")
+			index[matchKey] = append(index[matchKey], &treeField{name: f.SubName, value: str})
+		}
+	}
+
+	// iterate over collection of all queried fields in the Resource
+	for _, field := range fieldsByName {
+		// iterate over collection of elements under the field -- indexed by element name
+		for match, subFields := range field.subFieldByMatch {
+			// create a new element for this collection of fields
+			// note: we will convert name to an index later, but keep the match for sorting
+			elem := &treeField{name: match}
+			field.matchingElementsAndFields = append(field.matchingElementsAndFields, elem)
+
+			// iterate over collection of queried fields for the element
+			for i := range subFields {
+				// add to the list of fields for this element
+				elem.matchingElementsAndFields = append(elem.matchingElementsAndFields, subFields[i])
+			}
+		}
+		// clear this cached data
+		field.subFieldByMatch = nil
+	}
+
+	// put the fields in a list so they are ordered
+	fieldList := treeFields{}
+	for _, v := range fieldsByName {
+		fieldList = append(fieldList, v)
+	}
+
+	// sort the fields
+	sort.Sort(fieldList)
+	for i := range fieldList {
+		field := fieldList[i]
+		// sort the elements under this field
+		sort.Sort(field.matchingElementsAndFields)
+
+		for i := range field.matchingElementsAndFields {
+			element := field.matchingElementsAndFields[i]
+			// sort the elements under a list field by their name
+			sort.Sort(element.matchingElementsAndFields)
+			// set the name of the element to its index
+			element.name = fmt.Sprintf("%d", i)
+		}
+	}
+
+	return fieldList, nil
+}
+
+// treeField wraps a field node
+type treeField struct {
+	// name is the name of the node
+	name string
+
+	// value is the value of the node -- may be empty
+	value string
+
+	// matchingElementsAndFields is a slice of fields that go under this as a branch
+	matchingElementsAndFields treeFields
+
+	// subFieldByMatch caches matchingElementsAndFields indexed by the name of the matching elem
+	subFieldByMatch map[string]treeFields
+}
+
+// treeFields wraps a slice of treeField so they can be sorted
+type treeFields []*treeField
+
+func (nodes treeFields) Len() int { return len(nodes) }
+
+func (nodes treeFields) Less(i, j int) bool {
+	iIndex, iFound := yaml.FieldOrder[nodes[i].name]
+	jIndex, jFound := yaml.FieldOrder[nodes[j].name]
+	if iFound && jFound {
+		return iIndex < jIndex
+	}
+	if iFound {
+		return true
+	}
+	if jFound {
+		return false
+	}
+
+	if nodes[i].name != nodes[j].name {
+		return nodes[i].name < nodes[j].name
+	}
+	if nodes[i].value != nodes[j].value {
+		return nodes[i].value < nodes[j].value
+	}
+	return false
+}
+
+func (nodes treeFields) Swap(i, j int) { nodes[i], nodes[j] = nodes[j], nodes[i] }
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/Makefile b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/Makefile
new file mode 100644
index 0000000000..c616a6c6d3
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/Makefile
@@ -0,0 +1,62 @@
+# Copyright 2020 The Kubernetes Authors.
+# SPDX-License-Identifier: Apache-2.0
+
+MYGOBIN = $(shell go env GOBIN)
+ifeq ($(MYGOBIN),)
+MYGOBIN = $(shell go env GOPATH)/bin
+endif
+KIND_VERSION := "v0.11.1"
+API_VERSION ?= "v1.21.2"
+
+.PHONY: all
+all: \
+	kustomizationapi/swagger.go \
+	kubernetesapi/swagger.go \
+	kubernetesapi/openapiinfo.go
+
+.PHONY: clean
+clean:
+	rm kustomizationapi/swagger.go
+	rm kubernetesapi/openapiinfo.go
+
+# This will remove all currently built-in schema,
+# so think twice before deleting.
+# To replace what this will delete typically requires the ability
+# to contact a live kubernetes API server.
+.PHONY: nuke
+nuke: clean
+	rm -r kubernetesapi/*
+
+$(MYGOBIN)/go-bindata:
+	go install github.com/go-bindata/go-bindata/v3/go-bindata@latest
+
+$(MYGOBIN)/kind:
+	( \
+		set -e; \
+		d=$(shell mktemp -d); cd $$d; \
+		wget -O ./kind https://github.com/kubernetes-sigs/kind/releases/download/$(KIND_VERSION)/kind-$(shell uname)-amd64; \
+		chmod +x ./kind; \
+		mv ./kind $(MYGOBIN); \
+		rm -rf $$d; \
+	)
+
+.PHONY: kubernetesapi/openapiinfo.go
+kubernetesapi/openapiinfo.go:
+	./scripts/makeOpenApiInfoDotGo.sh
+
+kustomizationapi/swagger.go: $(MYGOBIN)/go-bindata kustomizationapi/swagger.json
+	$(MYGOBIN)/go-bindata \
+		--pkg kustomizationapi \
+		-o kustomizationapi/swagger.go \
+		kustomizationapi/swagger.json
+
+.PHONY: kubernetesapi/swagger.pb
+kubernetesapi/swagger.pb: $(MYGOBIN)/kind $(MYGOBIN)/kustomize
+	./scripts/fetchSchemaFromCluster.sh $(API_VERSION)
+
+.PHONY: kubernetesapi/swagger.go
+kubernetesapi/swagger.go: $(MYGOBIN)/go-bindata kubernetesapi/swagger.pb
+	./scripts/generateSwaggerDotGo.sh $(API_VERSION)
+
+$(MYGOBIN)/kustomize:
+	$(shell cd ../.. && MYGOBIN=$(MYGOBIN) make $(MYGOBIN)/kustomize)
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/README.md b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/README.md
new file mode 100644
index 0000000000..3bffb952ca
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/README.md
@@ -0,0 +1,84 @@
+# Sampling New OpenAPI Data
+
+[OpenAPI schema]: ./kubernetesapi/
+[Kustomization schema]: ./kustomizationapi/
+[kind]: https://hub.docker.com/r/kindest/node/tags
+
+This document describes how to fetch OpenAPI data from a
+live kubernetes API server. 
+The scripts used will create a clean [kind] instance for this purpose.
+
+## Replacing the default openapi schema version
+
+### Delete all currently built-in schema
+
+This will remove both the Kustomization and Kubernetes schemas:
+
+```
+make nuke
+```
+
+### Choose the new version to use
+
+The compiled-in schema version should maximize API availability with respect to all actively supported Kubernetes versions. For example, while 1.20, 1.21 and 1.22 are the actively supported versions, 1.21 is the best choice. This is because 1.21 introduces at least one new API and does not remove any, while 1.22 removes a large set of long-deprecated APIs that are still supported in 1.20/1.21.
+
+### Generating additional schema
+
+If you'd like to change the default schema version, then in the Makefile in this directory, update the `API_VERSION` to your desired version.
+
+You may need to update the version of Kind these scripts use by changing `KIND_VERSION` in the Makefile in this directory. You can find compatibility information in the [kind release notes](https://github.com/kubernetes-sigs/kind/releases).
+
+In this directory, fetch the openapi schema, generate the
+corresponding swagger.go for the kubernetes api, and update `kubernetesapi/openapiinfo.go`:
+
+```
+make all
+```
+
+If you want to run the steps individually instead of using `make all`, you can run
+the following commands:
+
+```
+make kustomizationapi/swagger.go
+make kubernetesapi/swagger.go
+make kubernetesapi/openapiinfo.go
+```
+
+You can optionally delete the old `swagger.pb` and `swagger.go` files if we no longer need to support that kubernetes version of
+openapi data. Make sure you rerun `make kubernetesapi/openapiinfo.go` after deleting any old schemas.
+
+
+#### Precomputations
+
+To avoid expensive schema lookups, some functions have precomputed results based on the schema. Unit tests
+ensure these are kept in sync with the schema; if these tests fail you will need to follow the suggested diff
+to update the precomputed results.
+
+### Run all tests
+
+At the top of the repository, run the tests.
+
+```
+make prow-presubmit-check >& /tmp/k.txt; echo $?
+```
+
+The exit code should be zero; if not, examine `/tmp/k.txt`.
+
+## Partial regeneration
+
+You can also regenerate the kubernetes api schemas specifically with:
+
+```
+rm kubernetesapi/swagger.go
+make kubernetesapi/swagger.go
+```
+
+To fetch the schema without generating the swagger.go, you can
+run:
+
+```
+rm kubernetesapi/swagger.pb
+make kubernetesapi/swagger.pb
+```
+
+Note that generating the swagger.go will re-fetch the schema.
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/openapiinfo.go b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/openapiinfo.go
new file mode 100644
index 0000000000..e8b3d8360c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/openapiinfo.go
@@ -0,0 +1,18 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by ./scripts/makeOpenApiInfoDotGo.sh; DO NOT EDIT.
+
+package kubernetesapi
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2"
+)
+
+const Info = "{title:Kubernetes,version:v1.21.2}"
+
+var OpenAPIMustAsset = map[string]func(string) []byte{
+	"v1.21.2": v1_21_2.MustAsset,
+}
+
+const DefaultOpenAPI = "v1.21.2"
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.go b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.go
new file mode 100644
index 0000000000..b599e539a5
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.go
@@ -0,0 +1,249 @@
+// Code generated by go-bindata. (@generated) DO NOT EDIT.
+
+ //Package v1_21_2 generated by go-bindata.// sources:
+// kubernetesapi/v1_21_2/swagger.pb
+package v1_21_2
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+func bindataRead(data []byte, name string) ([]byte, error) {
+	gz, err := gzip.NewReader(bytes.NewBuffer(data))
+	if err != nil {
+		return nil, fmt.Errorf("read %q: %v", name, err)
+	}
+
+	var buf bytes.Buffer
+	_, err = io.Copy(&buf, gz)
+	clErr := gz.Close()
+
+	if err != nil {
+		return nil, fmt.Errorf("read %q: %v", name, err)
+	}
+	if clErr != nil {
+		return nil, err
+	}
+
+	return buf.Bytes(), nil
+}
+
+type asset struct {
+	bytes []byte
+	info  os.FileInfo
+}
+
+type bindataFileInfo struct {
+	name    string
+	size    int64
+	mode    os.FileMode
+	modTime time.Time
+}
+
+// Name return file name
+func (fi bindataFileInfo) Name() string {
+	return fi.name
+}
+
+// Size return file size
+func (fi bindataFileInfo) Size() int64 {
+	return fi.size
+}
+
+// Mode return file mode
+func (fi bindataFileInfo) Mode() os.FileMode {
+	return fi.mode
+}
+
+// ModTime return file modify time
+func (fi bindataFileInfo) ModTime() time.Time {
+	return fi.modTime
+}
+
+// IsDir return file whether a directory
+func (fi bindataFileInfo) IsDir() bool {
+	return fi.mode&os.ModeDir != 0
+}
+
+// Sys return file is sys mode
+func (fi bindataFileInfo) Sys() interface{} {
+	return nil
+}
+
+var _kubernetesapiV1_21_2SwaggerPb = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\xfd\x79\x78\x1c\xd7\x79\xe0\x0b\x3f\xdd\x00\x45\xf2\x48\xb2\xa9\xa3\xc5\x51\x5b\x4b\xa9\x29\x11\x40\x13\x68\xb0\xc1\x1d\x5c\xd1\x00\x49\xa1\x09\x92\x30\x21\x91\xb6\x23\x89\x2a\x54\x1d\x34\x8a\xec\xae\x53\xaa\xaa\x06\x05\xe7\xf3\xcc\xc4\xb2\x3d\x9e\x6f\x1e\x3b\x1e\x27\x5e\xee\x38\xd7\xe3\x6c\x1e\x3b\xf1\xc8\x71\xe2\x3b\x49\x1e\x4f\x96\x9b\x1b\x67\x94\x91\xa3\xc4\x71\x66\x9c\x71\x12\x27\x4e\x9c\x79\x32\x9e\x9b\x9b\x78\x32\xb9\x71\x56\xdf\xe7\x2c\xb5\x75\x57\xa3\x1a\x60\x77\xa3\xc1\x7e\xff\x91\xc0\xae\xaa\x53\xa7\xce\xf2\x9e\xf7\xfc\xde\xe5\xa0\x81\x89\xfc\x3e\x7c\x3f\x42\xe7\x6b\x8b\xc4\x36\x89\x4b\x1c\xbc\x7d\xa5\x90\x9f\x28\xe4\x27\x8a\xbf\xff\xa7\x3f\x9c\xc2\x7f\xb1\x07\xdd\x3b\xae\x5a\xc6\xf8\x4a\x61\xbc\x62\x54\x0d\xd7\x56\xcd\x32\x71\xf0\xef\xec\xc1\x5f\x1c\x40\xdb\x35\x6a\x93\x6b\x2b\x85\xcc\x70\xc5\x70\x5c\x85\xda\xca\x4d\xd5\xd5\x96\x15\xba\x78\x9d\x68\xae\xa3\xd0\x25\xe5\x86\x61\xea\xca\x1c\x7b\xf2\x32\x7b\x32\xf7\x38\xbb\x73\x9a\xda\xe4\x4a\x21\xf8\xf5\x2c\xb5\xa7\x2a\x95\x8b\x6a\x95\x38\x96\xaa\x11\x67\x62\x97\x6a\x59\x15\x43\x53\x5d\x83\x9a\xe3\xd7\x1d\x6a\x46\x7f\x59\x55\xab\x95\x89\xdd\xe1\x5f\x56\x4c\x3d\x7f\xc3\xff\x88\xbc\x65\x53\x97\x2e\xd6\x96\x26\x1e\xae\x2f\xe8\x98\xe3\xda\x44\xad\x9e\xe0\x15\x9d\xd8\xd7\x42\x19\x91\x27\x26\x07\x72\xe3\xb9\xd2\xb3\xe8\x0d\x68\xe0\xc0\xbe\x02\xde\x85\x5e\x87\xee\x7a\xda\x54\x6b\xee\x32\xb5\x8d\xb7\x11\x1d\x15\xd1\xc0\xc4\xbe\x7d\xf8\x18\x3a\x8a\xd2\x97\xce\xe3\xfd\xa8\x80\xc6\x77\x8f\xeb\x64\xc9\x30\x0d\xf6\x16\x67\xdc\xa0\xf9\x1b\x47\x9c\xbc\x6a\x19\x79\xd6\x7c\xf9\x95\x42\x3e\x68\x89\x39\xc3\x71\x2f\x6f\x5b\x76\x5d\xcb\xb9\xfe\x08\xba\xf7\xc5\xb1\xa0\x42\x63\xaa\xc6\x0a\xc0\xdb\xf1\x36\xd6\x86\xe8\xfa\x1c\x7a\x34\x72\xbd\x6c\xd3\x9a\x35\xb6\x42\x6c\xc7\xa0\xe6\x18\x6b\x78\x3c\x82\x87\xd8\xff\x27\x43\x3d\x80\xe4\x0d\x93\xca\x4a\x01\xf1\x47\x26\x95\x6c\x16\x95\xde\x31\x88\xbe\x33\x80\xff\x7e\x20\xf3\x37\x03\x78\xdb\x0b\x35\x62\xaf\x66\x5e\x1b\x50\x2b\x15\x7a\xf3\x2a\xfb\xf0\x22\xa5\x37\xaa\xaa\x7d\xc3\x51\x6c\xf2\x42\x8d\x38\xae\x23\xfb\x9a\xac\x10\x93\xfd\xc3\x70\x97\x15\x77\xd5\x22\x4a\xb6\x78\xe9\xd2\xf9\x0b\x53\x97\xcf\x67\xf3\xca\x02\xb1\xd9\xeb\x14\x77\x59\x75\x15\x9d\x2a\x26\x75\x15\xa3\x6a\x55\x48\x95\x98\xae\xb2\xe8\x97\x59\x55\x57\x15\xa3\x6c\x52\x9b\x28\xee\xb2\xe1\x28\x4b\x15\xb5\xac\xa8\xa6\x1e\xba\x45\xb5\x89\xe2\xb0\xa7\x54\x57\x71\x97\xd9\xdf\xac\xe8\x21\x47\xd1\x0d\x47\xb3\x09\x6b\x9a\xbc\x32\x5d\x31\x78\x6d\x9c\x65\x5a\xab\xe8\xfc\x75\xaa\xe3\xd4\xaa\xa4\xae\x20\x9b\xb8\x35\xdb\x24\x3a\x2b\x4c\x35\x57\x15\xc7\x22\x9a\xb1\x64\x68\x8a\x61\xba\xc4\x5e\x51\x2b\xa3\x8a\x49\x6d\x5e\x2d\x77\x99\xac\x7a\x85\x04\xef\x55\x6e\x1a\x95\x0a\xab\x8f\xce\x9f\xf7\x3e\x59\xb4\x86\xa2\xd7\x6c\xc3\x2c\x2b\xaa\xe2\x10\xc7\xe1\x15\x9b\x5d\x12\x1f\x66\x38\xa2\x52\xa2\xf1\x46\xe5\xd7\x1a\xa4\xa2\xb3\x4b\xa2\x09\x74\x79\x3b\x51\x96\x88\xea\xd6\x6c\xa2\x94\x55\x97\x28\x75\xdd\x20\x4b\x22\xa6\xba\x58\x21\xba\x62\x98\x8a\x6a\x19\xa2\x72\xcd\x8a\xcd\xde\x1b\xd3\x9f\x13\xdb\x17\x29\xad\x10\xd5\xfc\x78\x2a\x55\xfa\xf3\x9d\xe8\xff\xde\x89\xff\xfb\xce\xcc\x7f\xdb\xe9\x0d\x82\xff\xb8\xf3\xa9\x65\xa2\x68\xd4\x74\x0d\xb3\x46\x14\x6a\xb1\x96\xf6\x1a\x78\x91\xb5\x87\xab\xdc\x5c\x26\x26\x6b\x53\xdb\x20\x2b\xec\xc3\xab\x94\xb7\xb1\x53\xab\xb8\x8e\xb2\x64\xd3\x6a\xa8\xe5\xf2\xca\x82\x61\x6a\xb2\x9f\x57\xd4\x4a\x8d\xb0\x2a\xca\x56\xe5\xf3\x84\xe8\xa3\x8a\x26\x3b\x92\xf5\x00\x35\x2b\xab\x4a\xcd\x11\xcd\xef\x57\x44\x3c\xca\x0b\x57\x15\xcb\x26\x2b\x06\xad\x39\x0a\xaf\xb3\x7c\xb5\x18\x93\x86\x4e\x4c\xd7\xd0\xd4\x8a\xbc\x66\xa9\xb6\x5a\x25\x2e\x1b\x95\xc3\xe4\x45\x8d\x58\xae\xb2\x44\x6d\x5e\xb6\x28\x92\x2e\xf9\x2f\x19\xe1\x63\x30\xd4\xeb\xac\x3a\x36\x61\xc2\x4d\x51\xeb\xab\x62\xb0\x11\x4e\x44\xaf\xd8\x44\xa3\x65\xd3\x78\x1b\xf1\xbb\x52\x8e\x30\xa2\x37\x3c\xc6\x9e\x50\x2a\xd4\x2c\x13\x9b\xfd\x64\xe8\xac\x39\xdd\x65\xd6\x1a\x35\xa2\xb8\x54\x21\x2f\x5a\x86\xcd\x45\x94\x32\x5c\x26\x26\xb1\xd5\x4a\x65\x55\x59\x32\x56\xf8\xd5\x25\x63\xc9\x25\xc4\x54\xaa\x86\x59\x73\x89\x33\xc2\xa4\x30\xaf\xdb\x92\x51\xae\xc9\xc7\xb4\x65\x36\xf3\x15\x6a\x86\xbe\x65\xb4\x61\x34\xdb\xc4\xb1\xa8\xa9\x8b\x66\x53\x95\x03\x85\x7d\xca\x65\xe2\xd0\x9a\xad\x91\x33\xac\x0a\x44\x57\x88\x6d\xb3\xb6\xa2\x65\x51\x41\x79\xa7\xff\x45\x2e\xbd\x41\x4c\xff\x93\x45\x1f\x2a\x26\x21\xba\x23\xee\x72\x0c\xc7\x65\x3f\x31\xf9\x35\xca\x1a\xac\x5a\x73\x58\x63\x39\xae\x6a\xf3\x59\x6d\xd8\xfc\x1a\x2f\x98\xd6\xdc\x68\x8f\xf3\xf1\x9c\x57\x2e\xb1\x57\xdf\x34\x1c\x32\x1a\x7e\x0b\xeb\x19\x39\x1d\x29\xaf\x1b\x2f\x47\xca\x2a\x29\x9d\x96\x65\x0d\x59\xf7\x10\x63\x85\xe8\xc1\xef\xec\x63\xf9\xc7\x25\x36\x0b\x2f\x97\x57\x98\x8d\x74\x7f\x70\x9b\xe4\x45\x57\xb9\x41\x56\x47\x95\xc5\x9a\x1b\xfc\x5c\x51\x5d\xf6\x7e\xc7\x54\x2d\x67\x99\xba\xa3\xca\xcd\x65\x43\x5b\xe6\x93\xd2\x0c\x35\x88\x7f\xbf\x3f\x90\x65\xf5\xc5\x14\x1a\xf3\x57\x54\x2e\x48\x99\x04\xd3\x6c\xa2\xba\x6c\xa6\x54\xa9\xce\xc7\xd5\x28\xeb\x78\x9d\x54\x88\xcb\xc4\xda\x92\x4b\xc4\x98\x5e\x32\x6c\xc7\xad\x6f\x8c\x4a\x85\xcd\x5c\xc3\xd4\x2a\x35\x5d\xc8\x0e\x76\xab\xf8\x50\xd6\xae\xaa\xc3\x07\x24\xfb\xbf\xe8\x94\x1b\x64\x55\x08\xce\xa0\xe0\xac\xf7\xc5\xd9\x3c\x42\x4f\x45\xe4\x0d\x9b\x01\x4e\xcd\xb2\xa8\xcd\xea\xc2\x85\x83\x58\x2b\x0c\x47\x71\xed\x1a\x09\xe4\x34\xef\x35\xde\xf9\x52\x22\x86\x5b\x4e\x34\x00\x1f\x7f\x57\xc4\x9a\x25\xa7\x8c\x2f\xbd\x17\x57\xc3\xbd\xc5\xe6\x2a\x7b\x75\xd5\x70\x1c\x2e\x95\x45\xd3\x88\xd5\xdd\xc9\x67\x77\x78\x23\x69\xe2\x0e\xc7\x65\x02\x9a\x49\xbc\x7f\x9e\x42\xef\x4c\xe1\xef\x4d\x65\xfe\xa9\x27\xf0\x9e\x99\x52\x1c\x52\x21\x9a\xcb\x47\x3a\x1f\x9d\xb6\xa1\x89\xb1\x28\xd4\x9c\xa5\xa0\x06\x5e\xbf\x88\x9a\x18\xb6\x68\x04\x27\xaf\xcc\x90\x25\x95\xf7\x1d\x9b\xc0\x2b\xc4\x5e\x75\x97\x0d\xb3\x9c\xcf\xde\xcd\x6f\x58\x90\x2f\xe8\x64\x4d\x2a\xea\x22\xa9\xac\x55\x13\x7e\x43\x5c\x4d\xfe\x16\xa1\xbf\x46\xf8\x7f\xa1\xcc\xb7\x90\x57\x95\xdf\x46\x5c\xfb\x63\x3d\xa8\x2a\x55\xf5\x45\xa3\x5a\xab\x2a\x66\xad\xba\x48\x6c\x51\x0b\x31\x74\x1c\x51\x4f\x56\x25\x2e\x55\xe5\x74\xd1\xd4\x4a\x85\x8b\x05\xbe\x30\x18\x2e\xa9\x3a\x0a\x79\x91\x0b\x81\xc6\x25\x55\x7c\xdf\xf3\x5e\x67\x3d\x2f\xc7\x95\x14\x5e\xbc\xbc\x2a\x71\x55\x5d\x75\x55\xf6\x36\x55\x0e\x0a\x3e\x33\x34\xd5\x64\x23\xbb\xe6\x84\xe7\xb6\xa3\x56\xd9\x60\x37\x5c\xc3\x5f\x04\x44\x2d\xd9\x72\x45\x82\xd9\xcb\x5e\x2d\xbe\x85\x35\x17\x53\x5e\x5c\x57\x2c\xe3\xe2\xdb\x85\xf0\x17\xdf\x46\x6e\xf2\x69\xa0\x7a\x33\x87\xcf\x2c\x36\xf1\xaa\xb4\x66\xf2\x62\xc4\x57\x0e\xd7\x2c\xf6\xb2\xb7\x11\x9b\x8a\x5f\x46\xbc\xd9\x26\x34\x05\x95\x0b\x18\xef\x69\xaf\x0f\xd9\x4c\x5b\x32\x2a\x2e\x61\x32\x97\xc9\x41\x36\xb4\xb5\xa8\x6e\x13\x59\x15\x2d\x9b\x38\x84\xad\xaa\x74\x29\x46\x66\xb2\x1a\xe8\x6c\xc9\xab\x1a\x26\xf1\x57\x97\xc8\x22\xcd\xe7\xf6\x8a\x6a\x54\x98\x36\x11\xe8\x6d\xec\x93\xb5\x65\x4a\x1d\xc2\x67\x96\x4b\xbd\x79\x2d\xfb\x82\x35\x8b\x6a\x97\x6b\x5c\x9d\x53\xb9\x90\xe4\x1f\xc4\x1b\x89\x7d\x9b\xac\x8f\x5f\x74\xd0\xba\xb3\x4b\x8a\x3f\xa4\x82\xc5\xd1\x5b\x6f\xeb\x3e\xc0\x70\x14\x52\xb5\xdc\xd5\xa8\x62\xe0\x6b\x65\xaa\xcb\xd6\xd0\xb5\x3e\x68\x2d\x01\x65\x2c\xd5\x89\x27\x26\xcf\xfc\x51\x59\xae\xa9\xb6\x6a\xba\x84\x48\xe1\xcb\x6a\xe7\xf5\x93\x3f\xf9\xb8\x8c\xab\x39\x6c\xb4\xf8\x35\xf7\xc5\xac\xaf\x80\xb8\x54\x31\x1c\xa7\x26\x55\x43\xc3\x2c\x57\x48\x30\x3f\xfc\x35\xcf\x1b\x6e\x63\xe2\x7d\x86\xc3\x74\x51\xff\x95\xeb\x93\xfb\x9e\xc8\xe7\x9a\xa7\x53\x23\x7a\xac\xf0\xe7\x1a\x70\x6d\xd1\x61\x37\x9b\xae\xff\x05\xba\xaf\xea\xcb\xf6\x63\x3d\x45\xab\xc4\x35\xaa\x84\x7d\xfb\x12\xb1\xd9\xf8\x64\x73\xb0\x6e\x7d\x0f\x96\x3b\xd6\x9f\xc4\x74\x6a\xb6\xd7\x7c\xaa\xb7\x60\xcb\x8f\x93\xad\x26\x3e\x99\x4f\x4b\xbe\x34\x2b\x4e\x55\xad\x54\x88\xad\x68\xcb\x35\xf3\x06\xdf\x49\xaa\x0a\x13\x5e\x4a\x45\xb5\xcb\x5e\x37\xf3\xf9\x2e\x8a\x17\x7a\xba\x43\x08\x1f\x76\x16\x75\x1c\x83\x0d\x37\xd9\x6c\x7c\xb8\x85\x67\x57\xcd\xd2\x59\x33\x06\x9a\x3a\x7f\x0f\xd1\x45\x7f\x70\x65\x50\x2e\x39\x72\x04\x8b\x87\x45\xad\x6f\xaa\x8e\x9c\x71\xfe\x6e\x84\xb5\x49\xe3\x7a\x2b\xb4\x50\xd5\x61\x1d\xac\xd5\x2a\xfc\x8d\x46\x30\x6c\xf2\xd9\x6d\xfc\xbb\x27\xb6\xb3\x6d\x47\x99\xd8\x4c\xf8\x5e\x42\x17\xf0\xf9\xcc\xac\x27\x78\xc7\x66\x97\x94\x21\x36\x2a\x87\xb8\xac\x14\xb2\x83\xd6\x5c\xab\xc6\x5b\xcf\xb2\x89\xeb\xae\x2a\x96\xcd\x4a\xd0\xf3\xd9\x3b\xc4\x0f\x61\x69\xfe\x77\x29\xf4\xed\x14\xfe\xab\x54\xe6\x7f\xa6\xbc\x42\xbf\x98\xaa\x5f\x58\x1d\xe2\x7a\x7d\xe8\xda\xaa\xc1\x44\x98\xa9\xdc\x64\x1f\xeb\xdd\xe9\x35\x08\xbb\xcd\x1b\x56\x6c\x12\x2e\xca\x99\xa2\xf3\xa5\x9b\x89\x0e\xa2\xf0\xfd\xeb\xe4\xf8\x78\x68\x37\x6d\xd0\x71\x9d\x6a\xce\x38\x1f\x36\x4c\x54\x8d\xf3\x8e\x1f\x53\x2d\x63\x5c\xb5\x8c\x31\x8d\x9a\x4c\x17\x77\xc6\x77\x7b\x2f\x1c\xf3\x5f\xb8\xc4\x47\xb8\xab\x1a\x15\x27\x8f\x50\x78\x3d\xab\x99\x0e\x71\xb3\xaf\xaf\xfb\x9a\xf0\xd7\x7f\x35\x8d\xbe\x92\xc6\xbf\x9d\xce\x7c\x29\xed\x7d\xfd\x27\xd2\x75\xf7\x5f\xe0\xb3\xdf\x97\x90\x8e\xb2\x4c\x6f\x36\xa8\x1e\x6c\xe5\xb3\xac\x8a\x21\x46\xbc\x3f\x6d\xd9\xd0\xe2\x3d\xb1\x6c\x94\x97\x2b\xab\x5c\xf3\xaf\x56\x89\xc9\xa6\x96\x1b\x6e\xbf\xc8\xbb\xe4\xbe\x89\x7d\x58\x50\x12\x93\x22\x42\x82\xd5\xbf\x98\xdd\xbb\x09\xed\x7a\x5f\x5c\xdd\xc3\x8d\xfb\xb1\x14\xfa\x68\x0a\x7f\x24\x95\xf9\xa0\x3f\xb4\xac\xa7\x8c\x2a\x61\x62\xcc\xdb\x54\xb1\xef\x1b\x17\xf2\x55\xa8\x01\x5c\x94\xf0\x71\xcf\xb5\x4b\x36\x05\xc5\x2e\xc5\x5b\xbb\xd4\x4a\x65\x54\xb1\x49\x59\xb5\xf5\x0a\x71\xc4\xdc\x37\x57\x15\x55\x73\x8d\x15\xc3\x5d\x65\xf2\xce\x30\xbd\x7f\xe5\xb3\xaf\x73\xc5\x1b\x17\x88\x46\x4d\xdd\x89\x4c\xa6\xcf\xa6\xd0\xcb\x29\xfc\x13\xa9\xcc\x27\xfd\x0a\xfe\xcb\xd4\x55\xa1\x68\x52\x5b\xee\x8b\xf8\x17\xf3\x9a\x10\x47\xb3\x8d\x45\x2e\xf8\xc4\x87\x3b\x5c\x80\xc9\xf5\xcc\x5d\x26\x55\x21\xea\x04\x11\xe2\x15\xd3\xf5\x51\x29\x4c\x46\xe5\xbd\x55\xba\xc2\x57\xcb\x90\xea\xa9\x2c\xf0\x05\x6e\xb5\xbe\x6f\xf3\xd9\x6d\x82\x43\x85\xf6\xe0\xf8\xa7\x87\xd1\x88\x87\xdc\xf8\xd5\x71\xd3\x07\x63\xe3\xdf\xe3\xff\xfd\xf6\x71\x8b\xea\x0e\x7e\xd7\x30\xfe\xf0\x60\x00\xe2\xa8\x5c\xc9\x4c\xdd\x58\x31\xf4\x9a\x5a\x09\x7f\xa3\xea\x6b\x8d\xf3\x54\xcf\x2b\x3a\xb1\x6c\xa2\x31\xa1\x34\xe9\x2b\x12\x43\xfc\xf9\xa1\x60\x97\x1c\xd9\xf6\x50\x8b\xc8\xbe\x32\x4c\xc7\x25\xaa\x9e\xcf\x3d\xc4\x1f\x10\x40\xcf\x07\x78\xfa\x3c\xd5\xe7\x0c\xc7\xed\x75\x8e\x77\x03\xcd\x0b\x5c\x37\x8b\xce\x71\x5c\x37\x85\x4e\xa1\x13\xcd\x70\x5d\x55\xd5\x96\x0d\x93\xd8\xab\x79\xeb\x46\x99\xfd\xe0\xe4\x99\x22\x9a\x5f\x29\xe4\xf9\x90\x3a\xc3\x34\xba\xa6\x64\xd0\xa3\x7a\xbb\xe3\xa9\xde\x5d\x18\xf1\x8a\x09\xb4\x77\x26\x19\xed\x65\xb1\x12\xd0\x3b\x01\xf9\xe6\xa9\x1e\xa1\x7b\xc0\xf4\x80\xe9\x01\xd3\x03\xa6\x07\x4c\x0f\x98\x1e\x30\x3d\x60\x7a\xc0\xf4\x80\xe9\x01\xd3\x03\xa6\x07\x4c\xaf\xcb\x4c\xef\x79\xf4\x1c\x7e\x26\xfb\xd6\x1d\x29\x3c\x68\xa9\xee\x72\x66\x52\xbe\x99\x6d\xe6\x79\x73\xb2\x6d\xa2\xe2\x68\xd4\x22\xa3\x8a\x53\xd3\x96\x59\xeb\x73\x0d\x96\xa8\x55\xc1\x20\x2c\x9b\xf2\x2f\xcd\xee\xf4\x09\x40\x4e\x8a\xf7\x8f\x00\x35\x04\x6a\x08\xd4\xb0\xbf\xa9\xe1\xb7\x86\xd1\x69\xd6\x75\xce\xb8\x46\xa9\xad\x1b\x26\x2f\x84\xa3\x2b\x83\x26\xa2\xc4\x0a\x51\x1d\xe2\xe0\x4f\x0f\xe3\x5f\x18\x44\xaf\x0f\x97\x70\x6d\xa5\x90\x79\xa1\x35\xa8\x38\xc7\x0a\x69\x13\x56\xdc\x23\xb1\x62\x50\x91\x30\x5e\xe4\x6f\x02\xc0\x78\x0b\x80\xf1\xcd\xc9\x80\xf1\x20\xde\x2f\x01\x63\xcc\x88\x92\xc4\x91\x77\x04\x30\x47\x60\x8e\xc0\x1c\x81\x39\x02\x73\x04\xe6\x08\xcc\x11\x98\x23\x30\x47\x60\x8e\xc0\x1c\x81\x39\x02\x73\x04\xe6\x08\xcc\x11\x98\x23\x30\xc7\xdb\x94\x39\xfe\xf5\x33\x68\x8f\x60\x8e\x8e\x4b\x6d\xb5\x4c\x42\xb8\x51\xfe\xa2\x55\x54\xc7\x21\x0e\xfe\xe2\x33\xf8\x5f\xed\x41\x48\xfe\x7a\x6d\xa5\x90\xc9\xad\x1d\x32\xbc\x20\xee\x9c\x66\xcf\xe7\x1e\x64\xf7\xca\x5f\xae\x14\xc2\x97\x7a\x1c\x00\x16\x81\x86\x01\x0d\x2b\x02\x0d\x03\x1a\x06\x34\x0c\x68\x58\xdf\xd0\xb0\x62\xcf\xd0\xb0\xb6\xd7\x64\xc3\x34\xac\x08\x34\x0c\x68\x18\xd0\x30\xa0\x61\x40\xc3\xba\x4f\xc3\x8a\x7d\x8d\x96\x8a\x80\x96\x3a\x87\x96\x8a\xbd\x8e\x96\x8a\x5b\x10\x2d\x95\x16\xd1\x39\xe1\x38\x75\x1a\x9d\xe4\x8e\x53\x47\xd0\x21\x74\xa0\x69\x22\x35\x8f\x3f\xad\x14\xf2\x61\x3a\x34\x67\x38\xc9\xfe\x52\x49\x69\xd6\xde\x9a\xec\x2a\x75\x18\x1f\x94\xae\x52\x51\x10\x26\xbd\xa4\xc2\x55\x8a\x38\x4b\x65\xff\xc5\xce\x08\x13\xbb\x5f\xac\x43\x8a\x1a\xc5\x5f\x6f\x14\x3f\x77\x16\x80\x09\x5e\x75\x16\xcd\xa0\x22\x1e\x5c\xa4\xfa\x6a\x86\xff\x57\x49\xe5\x26\xd0\xbe\xf5\x36\x7c\xf1\x63\x69\xf4\xd1\x34\xfe\x48\x3a\xf3\x41\x5f\xe2\x7c\x3b\x75\x95\xad\xe7\x52\xc4\x8f\x72\x77\x42\x8d\x6d\xe4\x84\x88\x88\x6c\x2b\xc2\xa8\x69\x91\x28\x16\x6b\x33\xa6\xcb\xe5\x95\x29\x53\x31\x4c\xb1\xa1\xa7\xb6\x52\x33\x7d\x26\xa0\x2b\xba\xbd\x7a\xb9\x66\x2a\xba\x61\x13\x36\x2f\x88\xbf\xd1\x64\xeb\x05\x5f\x90\xe5\x4e\xdb\xd3\xab\xe5\xde\x46\x59\xaa\xd9\x5c\x77\xb3\x6c\xaa\x11\x87\xaf\x9c\x72\x1a\x4a\x19\x9f\x57\xae\xf0\x37\x72\x9d\x98\x2f\x75\x93\xca\x98\x32\x55\xa9\x4c\xf2\x75\x51\xb7\x57\x15\xbb\x66\xb2\x3d\x17\x9b\x48\x9e\x32\x20\x8b\x23\x7a\xf6\x0e\x51\xb5\xb0\xd4\xf8\x50\x1a\x7d\x7f\x1a\xbf\x3f\x9d\x79\xaf\xdf\x40\xdf\x4c\x71\x55\xea\x82\x6a\xaa\x65\x62\x8b\x4d\x81\xb0\xd6\x38\x0e\xd5\x0c\xbe\xce\xf9\xea\xb7\xca\xf7\x2f\xd4\x56\x98\x1a\xe4\xae\xfa\x0b\x7f\x55\xbd\xc1\xea\xef\x2e\x13\x87\x78\x53\x9b\x89\x1b\x0f\x8c\x70\x36\xb0\x48\x14\x2e\x54\xb8\xaa\x4d\x6d\xa5\x30\x71\x84\xdd\x6b\xab\x1a\x27\x38\x6c\x97\x2a\x26\x32\x57\x87\x99\xe6\xa2\x1a\xa6\x30\xdd\x70\x75\x33\xb8\x97\xef\x6a\x25\x5f\x62\x9b\x24\x4f\x38\x97\x69\x45\x35\xcb\x79\x6a\x97\xc7\xad\x1b\xe5\xf1\x9a\x69\x68\x54\x27\xe3\xbb\x67\x9d\x79\x56\x4a\x3e\x7b\x57\xf8\x5b\xc3\xa4\xfe\x2f\x53\x68\x5a\x4c\xfd\xe3\x68\x92\x4f\xfd\x03\x68\x03\x23\x10\x3d\xc9\x0a\x29\x70\x87\xcb\xed\xd3\x42\xbd\xdb\x60\x49\xb3\xac\xa4\x09\x5c\x44\xa7\xd1\x8e\x29\x8d\x2d\x24\x1b\x2e\x6a\xe3\xb2\xc8\xa2\x1d\x96\x45\xb9\xdf\x19\x8d\xc8\xa2\xc7\x84\xf6\xab\x68\xb4\xc2\xf6\xb2\x72\x6d\x8a\xc8\xa5\x27\xc4\x2d\xbe\x5c\x9a\xf6\x6f\xed\xa0\x84\x7a\x0a\x5d\x46\xf3\x61\x09\x95\x2b\xa2\xd3\x1b\xf0\xa8\x9d\xe1\x75\xbf\xc4\xc1\xab\x03\x88\x16\x10\x2d\x20\x5a\x40\xb4\x7d\x84\x68\x41\x43\x4b\xd0\xd0\x7a\x87\x61\x7f\x23\x8d\xbe\x9e\xc6\x5f\x4b\x67\x7e\xd7\xef\xaa\xcf\xa6\x9f\x0a\xef\x1a\x0d\x53\x71\xc4\xce\x4f\x59\x24\x4b\xc2\xe0\xeb\xd3\x95\x60\xc9\x92\xb3\x84\x37\x56\x48\x17\x34\xa9\x39\x66\x92\xb2\xca\xbb\x44\x6e\x1c\xc3\x3a\xa3\xe0\xac\xfe\x60\x90\x8a\x81\x51\xad\x12\x9d\x69\xa5\x95\xd5\xc0\x12\x1b\x88\x76\xa3\x32\x2a\xf7\x93\xfc\x73\x95\xb2\xad\x6a\x7c\x9c\x18\x54\xf7\x17\x9e\x60\x71\xe0\x46\x6e\xaf\x5f\x6a\x0e\xab\x64\xb8\xa1\x54\xf6\xa4\xf7\x41\xf2\x25\x4b\x62\xbe\x79\x45\xe4\x45\x3d\xab\x44\x35\x63\xeb\x98\xc5\xbc\x0a\xf3\xbc\x06\x71\xfb\x64\x30\x15\x80\xa9\x00\x4c\x05\x60\x2a\x00\x53\x41\x5f\x9b\x0a\xbe\x94\x46\xaf\xa5\xf1\xab\xe9\xcc\x2b\xfe\x6a\xfb\xf1\xf4\x4c\x28\xa8\xd5\xe2\xd1\xb2\xfe\xd4\x9f\xb7\xa9\xa5\x96\xf9\x3a\x3c\x4f\x2b\x86\xb6\x1a\x71\x14\xf2\xba\x3b\x88\x8a\x65\x1d\x5e\xc8\x1f\xce\x2b\x0b\x42\x8e\x88\x45\xd2\x22\x26\x1b\xa6\xc1\x2a\x42\x14\x6a\x5b\xcb\xaa\xe9\x39\x2e\xd9\x35\x32\xbe\xa4\x56\x3c\xed\x3f\x2b\xae\x66\x95\x25\xc3\x54\x2b\xc6\xdb\x3c\xf1\xbd\x48\x14\x55\xe7\xdc\x9d\x8e\x0b\x0c\xab\x07\xaa\xa5\x28\x7c\xc8\x09\x1e\x12\xfa\x76\x5e\x39\x63\x70\x91\x14\xaa\x38\xb5\x1b\xbf\x2c\xb0\x75\xb8\x42\xdd\xe7\xda\x1f\x75\x97\xf3\xd9\x5d\xa2\x3e\x33\xde\x87\x44\x3d\xa0\xde\x33\x88\xde\x35\x88\xdf\x31\x98\xf9\x8e\xef\x06\xf7\x95\x81\xab\x52\x0e\xb2\x21\xba\x4c\x6f\x2a\x65\xd5\x5e\x54\xcb\x11\xe2\xe0\x2b\x6a\xc4\x5e\xa2\x76\x95\xb5\x45\x6c\x4d\x2f\xd5\xbd\xbc\x79\x45\xb9\x5a\xe3\xe9\x24\x96\xf8\x2a\x83\xe9\x0b\x9a\xa1\x07\x8a\x35\x5f\x1b\xf9\x36\xc7\x6f\x5d\xb6\x38\xc9\x95\xc3\x5b\xfd\xf2\xa1\x66\xf4\xe4\xa6\x6f\x60\xf0\x9d\xdf\xa2\x2f\xcb\x2b\x02\x21\x71\x59\x1c\xd6\x56\x87\xc4\x37\x0c\xb1\x3d\x0f\xff\x2b\x3a\x30\x9c\x63\xca\x50\x51\xd5\x6e\x94\x6d\x5a\x33\x75\x76\x17\xf7\x3a\xe3\x37\xd5\x35\x9c\x50\x56\xa4\x06\x14\x2d\xc4\xfb\x82\x45\xbf\xa4\x63\xca\xd0\x59\x6a\x93\x50\xb1\x8a\xa6\x3a\x9a\xaa\xb3\xaf\x97\xed\x23\xfc\x0c\x79\x79\x8e\x50\xa7\x1b\x0a\x5c\xf2\xcb\xc8\x67\xef\xb1\xea\xc7\x4d\x58\xb7\x01\x4b\x1c\x58\xe2\xfa\xd4\x12\x57\x2a\xa3\x39\x81\xb6\xcf\xa0\x69\x8e\xb6\x4f\xa0\x63\xe8\xe8\x06\xe0\xe5\x82\xab\xba\xb5\x64\x9c\x9c\x8b\xc7\xc9\xf7\xe2\x7b\xc4\x6c\x0e\x24\x6d\x47\xd1\x72\xdb\x23\x45\xf0\x7f\x4a\xa3\x6d\x3c\x47\x2e\xfe\xa5\x34\xfe\xf9\x34\x1a\xd4\xa8\x4d\x32\x99\x32\x71\x43\x9a\xee\xd4\xfc\xac\x2f\x25\x72\xb8\x4c\xf8\xb1\x53\x53\xf3\xb3\x72\xf8\xb4\x11\x4c\x37\x14\x34\xd9\x50\xd0\x64\x2b\x05\x95\x2a\xe8\x4d\x62\x80\x94\xd0\x93\x7c\x80\x14\xd1\x69\x74\x72\x03\x03\x24\xf4\x99\x49\xa3\x04\x7f\xea\xbb\xd1\xdd\x5e\xc2\x61\x93\xea\xc4\xc1\x1f\xfe\x6e\xfc\x7b\x4f\x04\x49\x85\xb3\x6b\xbb\xea\x5f\xa4\x3a\xc9\xbd\x2e\x38\xd7\x8b\xfd\x1b\xfc\xf2\xc1\x2f\x1f\xfc\xf2\xc1\xe8\x03\x46\x1f\x30\xfa\x80\xd1\xa7\x67\x8c\x3e\xbd\x63\xd3\x00\xd8\x0e\xb0\x1d\x60\x3b\xc0\x76\x80\xed\x7d\x0d\xdb\x81\x06\x02\x0d\xec\x53\x1a\xb8\x25\xfd\xf2\xaf\xa2\xe3\x02\x50\x1d\x44\xfb\x39\xa0\x1a\x43\x7b\xd1\x48\xe2\x01\xe7\x17\xa9\x4e\xda\xe2\x8c\x7f\x36\x99\x52\xee\xc6\x8f\xd5\x1f\x8c\xc4\x5e\x1f\x75\xbc\xff\xe9\x1d\x01\xde\xba\xdb\xf7\xba\xe7\x24\x6b\x97\xf8\x67\x07\x58\x96\x40\x4f\xc7\xd0\x51\x74\xb8\xce\xc5\x7e\x08\x3d\xd1\x52\x1b\x82\xd7\x16\xf8\xd5\x6f\xd0\xaf\xfe\xb7\x52\xe8\x88\x98\xba\x05\x34\xce\xa7\xee\x08\x6a\x75\xd8\xa1\x13\xc2\x99\xfe\x10\x3a\x10\x38\xd3\xaf\xe3\xf1\x93\xc2\x83\xfe\x30\x3a\x18\xf2\xa0\x5f\xc7\xf3\x49\x52\xa3\x4d\x52\x21\xc9\xfd\x3e\xf7\xf2\x68\x20\x35\x1e\x8c\xf5\x8f\xe7\x12\x24\x23\x2e\x09\x09\x12\x38\xc5\x77\x40\x96\x80\x33\x3c\x70\x51\xe0\xa2\xc0\x45\x81\x8b\x82\x33\x3c\x38\xc3\x83\x33\x3c\x38\xc3\x03\x9f\x07\x3e\x0f\x7c\x1e\xf8\x3c\xf0\x79\x70\x86\x07\x67\x78\x70\x86\x07\x67\x78\x30\x7f\x81\xf9\xab\x07\xcd\x5f\x3d\xed\x0c\xdf\x26\xa0\xdc\x7e\xc7\xf7\xbf\x1f\x46\xc7\x3c\x5f\xed\x35\x4f\x74\xb4\x89\x8f\x90\x99\x06\x65\xb3\x8f\xb3\x1d\xfc\x1f\x86\xf1\x6b\x83\x01\xc4\xfe\xde\x54\x6b\x47\x3b\x5e\x0e\x4a\x9b\xf6\x4b\x6b\xd3\x51\x8f\x79\x79\xd4\x23\x37\xb7\xf9\x47\x3c\xc6\xbe\x11\x8e\x7c\x8c\x1f\xda\x57\x93\x87\xeb\x01\x3c\x51\x3f\x5c\x63\x9b\x38\x6a\x10\x69\xe5\x2c\x49\x38\xf1\x11\x7c\xe9\xe1\xc4\x47\xb0\x19\x81\xcd\x08\x6c\x46\x7d\x64\x33\x82\x13\x1f\xe1\xc4\x47\x60\xf5\xc0\xea\x81\xd5\x03\xab\xef\x09\x56\x0f\x27\x3e\x6e\x31\xfe\x09\x27\x3e\xc2\x89\x8f\x5b\xcb\xfd\x1f\xff\xf6\x08\x3a\x2d\x4e\x7c\x5c\xe4\xf0\x71\xa5\xb0\x48\x5c\x35\x01\x45\x6a\x36\x35\xaf\xd3\x45\xf9\xe3\xdb\xf1\xf7\x8d\xe0\xff\x31\x88\xee\xe6\x25\x5c\x93\x25\x64\x5e\x96\x24\x32\x8c\x1f\x4d\x4f\x76\x7a\x99\x26\xa6\x6d\x6a\x96\xe8\x62\x5b\xc0\xe3\x68\xa0\x27\x71\x5d\x50\xae\xaa\x4c\xd5\x0a\x14\xc0\xa1\x88\xce\x1d\x2a\x3b\x9f\xcb\xf2\xd7\x15\xd9\x7f\xae\x88\x6f\x08\xe0\xa5\xac\x27\xa0\xca\x46\x54\xf9\x68\x3c\x51\xdc\x81\xef\xe0\x15\x43\xd7\xdf\x94\xcc\x32\xf3\x78\x54\xb2\x4c\x3e\x86\x24\xce\x94\x8d\x1e\x06\x98\xbc\x5b\x00\x50\x02\xa0\x04\x40\x09\x80\x12\x00\x25\x00\x4a\x00\x94\x00\x28\x01\x50\x02\xa0\x04\x40\x09\x80\x12\x00\x65\xb7\x01\xe5\x01\x34\x81\xf7\x65\xf3\x3e\xa0\xbc\x97\x93\x49\x59\x0b\xb9\x7d\xcb\x0e\xb2\x1f\xc3\xd0\x11\xb0\x26\x60\x4d\xc0\x9a\x80\x35\x3b\x88\x35\x3f\xfc\x2c\x1a\x17\x58\x53\xb5\x2c\x87\xe7\xc1\x8d\x47\x99\xba\x4a\xaa\x4c\x19\x74\x1d\xfc\xc7\xcf\xe0\xbf\x7f\x02\x6d\x67\x0f\x5c\x5b\x29\x64\x86\xd6\xce\x91\x3b\xc3\x1f\x5c\x20\x6e\xee\x61\x76\xe3\x94\x65\x39\x61\x6f\x47\xff\x72\x8f\x23\x43\xc8\x9b\x0b\x28\x0d\xf2\xe6\x02\x4a\x03\x94\x06\x28\xad\x8f\x50\x5a\x0f\xa5\x3f\xe8\x19\x94\x06\x71\xf9\x80\xd2\x00\xa5\x01\x4a\x03\x94\x06\x79\x73\x21\x70\xf8\xf6\x21\x4c\x3d\x1f\x38\xbc\x25\xf3\xe6\x3e\x83\xa6\x84\xab\xd5\x24\x3a\xc2\x5d\xad\x26\xd0\x3e\x94\x6f\x9a\xfd\x52\xb5\x2c\x87\xe7\x65\xf4\xb8\x50\x4b\xc9\x73\x2f\x24\xbb\x4e\xe5\xf0\x70\x38\xc0\x53\xba\x51\xb1\xd7\x49\x2f\x2a\xff\x8d\x6b\x65\xc3\xe4\x71\x9f\xd9\x3f\xda\x11\xe0\x2f\xec\xe7\xd0\x0d\x48\xd7\xa3\xe2\xb7\xce\xb3\x2e\x81\xa6\x4e\xa3\x93\xe8\x78\x5d\x5e\xdd\x51\x94\x6b\xbd\x8d\x21\x0b\x1c\x24\xd7\xdd\x60\x72\xdd\xaf\xa7\xd0\xb4\xc8\x71\x7b\x1c\x4d\x86\x72\xdc\xe6\xd1\xba\x46\x60\xd3\x19\x2e\x12\xf0\xee\xe3\x09\x78\x99\xf4\x58\x6f\xb9\x45\x91\xbf\xf7\x18\x3a\x1a\xe4\xef\x5d\x67\x19\xc9\x19\xba\x79\x8e\xdc\x36\x0b\xa1\xdc\xaf\x8d\x06\x42\xe6\x91\xd8\x94\xbb\x81\xc0\x19\x11\xd7\x85\xc0\x09\xe5\xdd\xed\xb8\xe8\x81\x34\xbc\x80\x59\x01\xb3\x02\x66\x05\xcc\x0a\x69\x78\x21\x0d\x2f\xa4\xe1\x85\x34\xbc\x80\xfb\x01\xf7\x03\xee\x07\xdc\x0f\xb8\xbf\x2d\xb8\x1f\xd2\xf0\x42\x1a\x5e\x48\xc3\x0b\x69\x78\xc1\x9a\x06\xd6\xb4\x3e\x4a\xc3\xdb\x1a\x4b\x5e\x8b\x1f\x47\xb2\xf1\x6e\xbd\x48\x12\xfc\x97\x77\x06\xf9\x7e\x9b\xf8\xa4\x33\xd1\x62\x68\x44\xd5\x34\xb6\xcb\xf0\xb2\x6c\x8c\x73\xb8\x86\x7f\xfa\xce\xec\x7b\xb6\x05\xf9\x7e\xa5\xa6\x28\xc9\x1b\xd7\x9f\x16\xc4\xe3\x53\xe2\xf1\xdc\x48\xe4\xf4\x4b\x9f\x9c\x47\xef\x7a\x8a\x3d\xde\x66\x86\x7e\x01\x9d\x47\xb3\x75\xe6\xbb\xa3\xe8\x70\x73\x03\x45\x8d\xb5\xa8\x2b\xcb\x66\x03\x90\xd7\xea\xb2\x90\xbb\xa5\xf7\xa4\x45\x72\x8b\x09\x9e\xdc\x22\xb0\xc8\xf0\xd3\x37\x37\x58\x68\x73\xf3\x4c\x49\x4c\xa1\x69\x34\xc5\xa7\xd0\x2d\xbd\xe4\x92\xb0\xd5\x3c\x89\xce\x06\xb6\x9a\x5b\x29\xd0\x9b\x78\x6a\xf2\x64\x3a\x89\x8f\x7b\x93\x29\x5a\x24\x7b\x93\x41\xe5\xec\x8a\xd4\x76\x3d\xe7\x27\x96\x80\xef\xad\xcd\xf7\x4a\x60\x60\x6d\x62\x60\x3d\x8a\x0e\xe3\x83\xd9\xfd\xbe\xe8\xfe\xae\x70\xe8\x60\x78\x40\xde\x0e\xf1\x83\xf8\x17\x87\xd1\x09\x2f\x1e\xc9\x20\x2f\xba\xc4\xe4\xda\x88\x9c\x86\x41\xee\x77\xad\xe6\xb8\xb4\xea\xa9\x20\x21\xe9\x80\xff\x61\x08\x7f\x6b\x10\xed\x8a\x3c\xce\x16\x80\x77\xb6\x98\xf0\x7d\x9a\x97\xec\x59\x9c\x66\xfc\x92\xdb\x94\xf3\x7d\x1f\x7f\x60\x2a\x5c\xbb\x2b\x85\x66\xef\x84\xac\xef\xf1\x9a\x54\x25\x59\xa0\xcf\xe2\x73\xbe\x76\xd4\x38\x90\xbc\xc4\x49\x4d\xda\x1d\x52\xc1\x43\x78\x18\x64\x5a\x02\xbf\x05\xf0\x5b\x00\xbf\x05\xf0\x5b\x80\x4c\x4b\x90\x69\x09\xec\xc5\x60\x2f\x06\x7b\x31\xd8\x8b\x7b\xdd\x5e\x0c\x19\x8d\x20\xa3\xd1\x56\xb1\x90\x41\x46\xa3\x4e\x64\x34\xfa\x8b\x34\xca\x08\x82\x68\x52\x9d\x04\xe0\x50\xa4\x6b\xc7\x5f\x4a\xe3\xd7\xd2\xe8\x2e\x76\xcd\xcf\xc0\xfe\x86\x32\x71\xa3\x6b\xac\xa8\x7d\x2e\x53\x26\xee\x45\xaa\x13\x99\xe6\x7c\x6a\x7e\xd6\xdb\xd1\x39\xed\xb3\x01\x35\x14\x34\xd9\x50\xd0\x64\x2b\x05\x95\x2c\xf4\xb4\x20\x71\x17\xd1\x1c\x27\x71\x67\xd1\x0c\x2a\x6e\x80\xc4\x85\xbe\xb3\x95\xe8\x3b\xfc\x8f\xc3\xe8\xb0\x68\x72\x47\x5b\x26\x7a\xad\xc2\x14\xe4\x7a\x62\x6b\xd9\x06\xb5\x0d\x77\x55\xab\xa8\x8e\x43\xfc\x94\xf8\xbf\x3c\x8c\xff\x76\x10\xdd\x1d\x3c\x78\x6d\xa5\x90\xf9\x5c\x2b\x29\xf1\xe7\x65\x81\xd3\xac\xc0\x9e\x48\x8c\xff\x08\x7f\xdd\x82\xff\x29\x57\x0a\x91\x3a\x02\xc9\xdd\x40\x52\xfc\xe7\x92\x51\xef\x31\x7c\x54\xa2\xde\x86\xe1\x27\x39\x6f\xa4\x1b\xa2\x96\x71\xe0\xb6\xc0\x6d\x81\xdb\x02\xb7\x05\x6e\x0b\xdc\x16\xb8\x2d\x70\x5b\xe0\xb6\xc0\x6d\x81\xdb\x02\xb7\x05\x6e\xdb\x5d\x6e\x3b\x89\x8e\xe0\x43\xd9\x03\xbe\xaf\xda\x83\x61\x37\xb7\xc8\xfe\xad\xd1\xcf\x0d\x98\x2f\x30\x5f\x60\xbe\x7d\xcc\x7c\x7f\xf1\x39\x74\x30\x21\x56\xc0\x26\x3e\x12\x63\x82\xde\xa6\x4c\xcc\x3a\xf8\x5d\xcf\xe1\x1f\xdf\x13\x44\x09\xec\x5f\x3b\x97\xfd\xe5\xa0\x90\x69\xbf\x90\xdc\x08\x7b\xa8\x3e\x6c\x20\xf6\xd6\x1e\x27\x80\x90\xe3\x1e\x60\x18\xe4\xb8\x07\x18\x06\x30\x0c\x60\x58\x1f\xc1\xb0\x1e\xca\x2d\xd4\x33\x30\x0c\x92\xde\x00\x0c\x03\x18\x06\x30\x0c\x60\x18\xe4\xb8\x87\xac\x1c\xb7\x0f\x7f\xea\xf9\xac\x1c\x5b\x32\xc7\xfd\x32\xba\x20\x3c\xa7\xce\xa2\x19\xee\x39\x75\x12\x1d\x47\x93\x4d\xb3\x16\x68\xd4\x26\xf9\x95\x42\x3e\x96\x11\xb5\x94\xef\x3e\x21\x41\xfd\xf5\xab\xc9\x5e\x53\x07\xf0\x84\xf4\x9a\xca\x66\xa5\x9b\x54\x6c\x7d\x22\xee\x52\xd9\xcf\xed\x0c\x60\xd9\x23\x7e\xe6\xfb\x78\x2e\xb6\x37\x3e\xa1\x46\x67\xc9\x98\x00\x59\x73\xa8\x84\x9e\xac\x4b\xa9\x71\x04\x1d\xda\x58\x8f\x40\x72\x56\xc8\x8e\xbf\xc1\xe4\x0d\xef\x4a\xa3\x59\x21\x19\x8a\xe8\x34\x97\x0c\x93\x68\xc3\xe3\x10\x5d\x14\xf9\x51\xce\xa1\x33\x41\x7e\x94\x5b\x29\xef\x92\x48\x13\xf3\x24\x3a\x1b\x4a\x13\x73\x2b\x05\x6e\x5c\x6c\x89\x0c\xfa\x9d\x12\x5b\xb9\xff\x31\x1a\x88\xad\x5c\x6c\x2e\xfd\x78\x11\x76\x50\xdc\x2b\x44\x58\x5c\x5e\xfd\x6e\x08\x33\xc8\xb1\x0f\x98\x17\x30\x2f\x60\x5e\xc0\xbc\x90\x63\x1f\x72\xec\x43\x8e\x7d\xc8\xb1\x0f\xe6\x06\x30\x37\x80\xb9\x01\xcc\x0d\x60\x6e\x68\x8b\xb9\x01\x72\xec\x43\x8e\x7d\xc8\xb1\x0f\x39\xf6\xc1\x9a\x07\xd6\xbc\x3e\xca\xb1\xdf\x29\xda\xbc\x15\xf3\x2e\xff\xd5\x83\xe8\x94\x97\x77\xd9\x72\xd6\xca\xb9\xef\xaa\x2e\x59\xaa\x55\x98\xbc\xf2\x12\xee\x3b\xbc\x6f\xf0\x67\x1f\xc4\x7f\x97\x0e\xce\xac\x1d\xb6\x89\xaa\x2b\xe2\x9a\x37\xb4\x02\xad\x7b\x41\x96\xb3\x40\xdc\xdc\x13\xec\xce\xfa\xc3\xb2\x43\x37\x88\xbe\x6f\x2f\x55\x2f\xbd\x15\x9d\x12\x23\xf3\x08\x3a\xc4\x47\xe6\x3e\x94\x47\xa3\x89\xa7\x02\x87\xaa\x95\x38\x18\x1f\x8e\x1f\x8c\x77\xe0\xc1\x32\x71\xd1\xf5\x4b\xc9\xe3\x6f\x14\xe7\x1a\xcf\x78\x08\x57\x21\x3c\xee\x32\xbf\x1a\x3a\x96\x7c\xaf\x4d\xac\x8a\xaa\x91\x96\x3a\x60\x58\xde\xdc\xe5\x3e\x28\x16\xd1\x69\x74\xb2\xce\x4c\xbb\xce\x4e\x00\xaa\x07\xc6\xd9\x0d\x1a\x67\x3f\x9e\xba\x75\x11\x30\x23\x4c\xb2\x6c\x55\xf3\x4d\xb2\xdd\x14\x24\x56\xad\x03\x82\xa4\xf8\xb7\x77\x06\x82\xe4\x80\xa5\xda\xae\xc1\xed\x50\x62\x07\xdb\x92\x44\xd9\x63\x89\x34\xf7\x5d\x93\x27\x6f\xac\x2f\x68\x8c\xd7\x60\x2f\x4f\xa8\xf5\x50\xf8\x62\x95\xd8\x65\x12\xbe\xba\x27\x7c\x95\x69\xdf\x2e\x29\x1b\xda\x58\xc3\x7d\x91\x52\xd8\xdf\xab\xf2\x2a\xab\x65\xf1\x22\x9a\x43\xa5\x3a\x59\x36\x89\x8e\x6c\x40\xd5\x99\xe7\xb1\x39\x20\xd7\x12\xe4\xda\x67\x06\xd0\xa7\x07\xf0\xa7\x06\x32\x9f\xf0\x77\xd8\x2f\x0d\xf4\x8f\x5c\xab\xe3\x8b\xac\x9d\xb9\xdd\x96\x33\x70\x36\x38\x83\x20\xbd\xe1\x26\x03\x77\x84\x83\x02\x61\xe6\x57\x2b\xfc\x49\x93\x9a\x63\xe2\x69\x7e\x07\x37\x52\x38\xca\x70\xc9\xa1\xe6\xbc\x88\x56\xbb\xc0\xa6\x85\xfc\x7b\xc1\x9b\x2c\xc1\x8f\x23\xcd\x05\x6e\xf1\xb5\x14\x7a\x35\x85\x5f\x49\x65\xbe\xe0\xef\x56\x3e\x99\x3a\x4b\xd9\xde\xd6\x70\x94\x32\xe5\xcd\x4e\x95\xec\x12\xfb\x29\xab\x4c\x45\xbe\x82\x6f\xf3\x84\xa9\xa3\xe6\x04\x06\xdb\x31\x55\xe3\x1f\xce\xcd\xe0\x15\x43\x93\x0c\x83\x54\x74\x47\xa1\x37\x65\x9b\x0a\x33\xb1\x45\xa8\x55\x21\x79\x45\xbc\x91\x87\x17\x7a\x7d\xc9\xb7\x5b\xb1\x0d\xe0\xbf\x3e\xbb\x8d\x57\x2b\xe2\xf7\xd7\x05\x1d\xb2\x79\x82\x34\x4b\x24\x48\x6b\xb7\xf0\x2f\x1d\x41\x87\xf0\x81\xec\x84\xbf\x7b\x79\x43\x38\x12\x3f\xf4\xd4\x6d\x71\xde\xcc\x1f\xa4\x11\x96\xfb\x9e\x9a\x4b\x1d\x4d\xad\x18\x66\x79\x1c\xbf\x92\xc6\x5f\x48\xa3\x3b\x43\xbf\x65\x32\x65\x8e\xc3\x96\xa8\x5d\xf5\x77\xcb\xaa\xc2\xdb\x35\xf7\x40\x99\xb8\x53\xc1\xbd\x53\xf3\xb3\xe7\xd8\xef\x3d\x98\x23\xd2\x10\x4e\x64\xfb\xb8\x13\x19\x1b\xb1\xa7\xd0\x09\x74\x6c\x63\x39\x22\xf9\x37\x26\x26\x87\xfc\xa3\x37\xa0\x37\xfa\xb1\xd9\x54\x27\xf5\xbb\xc6\x5f\x7e\x03\xfe\x72\x3a\xf0\xce\x7a\x6c\xcd\x5d\xe3\x45\xaa\x93\xdc\x7d\xec\x16\xe9\x55\x4a\x75\xd2\x91\xdd\xe1\x02\x3a\x22\xda\xa9\x80\xc6\x79\x3b\x8d\xa0\x21\xf4\x44\xa2\x5b\x1c\xab\x4f\xe2\x94\x3e\x9b\x3c\x63\x77\xe3\xc7\xea\xb9\x03\x2f\x3a\x72\x2e\xcd\xda\xdb\xcb\xcc\xfb\x77\x04\xad\xfa\x78\xd2\x6e\x90\x37\xec\x1b\xe4\x5d\x9d\x6d\xdb\x22\x3f\xd2\xad\x4e\x53\x6a\xb5\x71\x41\x2d\x82\xed\xde\x06\xb7\x7b\x1f\x48\xdd\xc2\x9c\x3e\x21\xf6\x79\x87\xd0\x81\x60\x9f\xd7\x46\x91\x90\xb0\xc1\x6b\x4d\x62\x34\x91\x13\x81\x20\x29\xfe\xd6\x9d\x81\x48\x18\x6b\x79\x5f\xc7\x65\xc3\xfd\x5c\xdd\xe8\x9c\x64\x80\xfd\x5b\xbf\x09\x2a\xd8\xbf\xc1\xfe\x6d\x93\xf7\x6f\x9d\xd4\xf2\x12\x37\x6e\x6d\x52\x03\x4b\x05\x34\x8e\xc7\xb2\x7b\xfd\x5d\xd7\xae\xf0\x7e\x8d\xdd\xde\xf9\x84\x69\xf8\x1b\x43\xe8\xd1\xa8\xf9\x48\x24\x7d\xd7\x89\x55\xa1\xab\x55\x62\xba\x0e\xfe\xa5\x21\xfc\xb9\xc1\x80\x2b\xae\xb4\x76\x1c\xe7\x8c\x5f\x42\x9b\x0e\xe0\x1c\xb9\x19\x90\xc9\xa0\xf0\x39\xc3\x71\xcf\x52\x7b\xaa\x52\xf1\x69\x25\xe4\x6b\x8f\x19\xd5\x17\x93\x07\xed\x5e\x3c\x12\xa3\x7e\x84\xcf\x28\xf7\x5b\x1d\xce\xd6\x84\xb4\x54\x90\xa3\x1d\xe2\x95\x20\x5e\x09\xe2\x95\x20\x5e\x09\x72\xb4\x43\x8e\x76\x88\x13\x81\x38\x11\x88\x13\x81\x38\x91\x5e\x8c\x13\x81\x3c\xeb\x90\x67\x7d\xab\x78\xc6\x43\x9e\xf5\x4e\xe4\x59\xff\x97\xcf\xa1\x03\x02\xf3\xd9\x8b\xaa\x96\xf7\xf0\x10\x2f\xaa\xfe\xa4\x4d\xad\x52\x73\x5c\xb6\x6f\xa9\x10\x07\xff\xd6\xb3\xf8\xe7\xf7\xa0\x07\xd9\x53\x53\xe1\x87\xfc\x23\x38\x47\xd6\x4e\xbc\x3e\x2d\x0a\xbb\x4c\x2b\x24\x37\xc4\x6e\xbd\x5c\x5f\x92\x3c\xa2\x33\x74\x63\x8f\xe3\x3b\x48\xb6\x0e\x54\x0b\x92\xad\x03\xd5\x02\xaa\x05\x54\xab\x8f\xa8\x56\x0f\x25\x99\xe9\x19\xaa\x05\xd9\x4f\x80\x6a\x01\xd5\x02\xaa\x05\x54\x0b\x92\xad\x43\x7a\x86\xdb\x07\x42\xf5\x7c\x7a\x86\x2d\x99\x6c\x5d\x43\x4f\x0a\xb7\xa7\x29\x74\x8a\xbb\x3d\x1d\x45\x87\xd1\xc1\xa6\x4e\x7b\x9c\x54\x49\xcc\x94\x0f\xe1\xa1\x96\xf2\xac\x1b\xc9\xee\x4e\x67\xf1\x8c\x74\x71\x6a\xca\xc4\xa4\xdf\x53\xe8\xe5\x61\x0f\x3e\x5e\x33\x94\x94\xd2\x3d\xfb\xb3\x3b\xd7\xe2\x67\xf7\xf9\xb9\xd8\xc3\xa8\x6c\x44\xfc\xda\x4d\x58\x26\xd8\xd6\x39\x74\x06\x4d\xd7\x39\x53\xef\x47\x85\x75\x77\x12\x78\x51\x43\xb8\xc7\x06\xc3\x3d\xfe\xdf\x94\x48\xbd\x5e\xe0\xa9\xd7\xfd\xa0\x8d\x83\x68\x23\xe3\x10\x95\x44\xaa\xf4\x69\x34\x15\x4a\x95\xbe\xc1\xb2\x9a\x09\x1d\x91\x4c\x60\x1f\x4f\x26\xc0\xe4\xda\xc6\x8a\x6f\x35\xd7\x7a\x6b\xa2\xad\x05\xc9\x95\x28\xfd\x72\x2f\x8d\xad\x25\xba\x94\xd8\x7c\xec\x61\x31\xb6\x5f\xdc\xd1\x54\x8c\xf9\x0f\x76\x4e\xa0\x41\x0e\x76\xa0\xbf\x40\x7f\x81\xfe\x02\xfd\x85\x1c\xec\x90\x83\x1d\x72\xb0\x43\x0e\x76\xb0\x42\x80\x15\x02\xac\x10\x60\x85\x00\x2b\x44\x5b\xac\x10\x90\x83\x1d\x72\xb0\x43\x0e\x76\xc8\xc1\x0e\x46\x3e\x30\xf2\xf5\x51\x0e\xf6\xee\x51\xe8\xf6\x27\xbd\xf8\xeb\x61\x74\x32\x2e\xe9\x45\x93\xcc\xe9\x9a\x9f\x2d\xde\x26\x2b\x06\x1f\x7c\xf8\x73\xc3\xf8\x57\x43\x39\x31\xfe\x49\x6b\x39\x31\x82\xbc\xf3\x97\x65\x49\x6d\xca\x8d\xb1\xf7\x66\x5c\xd6\xde\xc6\xd7\xcd\x19\x8e\xdb\xe3\xee\xf5\xa5\x1b\xcd\xed\x2c\x6d\x4f\x9b\xe1\x8d\xfc\x2b\xc9\xa3\x79\x3f\x2e\x34\x66\xc4\x68\x6c\xe1\x68\xa6\x3f\xc8\x92\x01\xf1\x04\x90\x25\x03\x2c\x4a\x60\x51\x02\x8b\x12\x58\x94\x20\x4b\x06\x64\xc9\x00\x92\x0f\x24\x1f\x48\x3e\x90\xfc\xde\x23\xf9\x5b\xf0\x14\x04\xc8\xc3\x01\x74\x14\xf2\x70\x6c\x9d\x10\x08\xfc\xae\x11\x74\x46\x90\x47\x8d\x52\x5b\x37\xcc\xd8\x0c\x1c\x6b\xd2\x48\x6e\x4d\x74\xf0\xe7\x87\xf1\xaf\x0f\xa2\xfb\xc2\xc5\xf8\x8e\xb9\x2f\xb4\x46\x23\xe7\x58\x49\x6d\x05\x90\xd3\xa1\xda\x48\x1f\xdf\x80\x46\xf2\xd7\x6d\x0d\x00\xd9\xfd\xf4\xbc\xcf\x26\x03\xc8\x49\x7c\x44\x02\xc8\x98\xb1\x23\x79\x24\x6f\xe3\x98\x18\x15\xe0\x90\xc0\x21\x81\x43\x02\x87\x04\x0e\x09\x1c\x12\x38\x24\x70\x48\xe0\x90\xc0\x21\x81\x43\x02\x87\x04\x0e\x09\x1c\x12\x38\x24\x70\x48\xe0\x90\xfd\xc5\x21\x3f\x34\x8c\x86\x04\x87\x74\x5c\x6a\xab\x65\x12\x20\xc8\x71\xcd\x31\xc2\xc7\xfd\xe2\x6f\x0e\xe1\x6f\xa4\x11\x92\x37\x5e\x5b\x29\x64\x32\xfc\xa8\xdf\xe8\x9e\x76\x7a\x61\x36\x38\xe3\x77\x41\xdc\x7b\xa5\x20\x7f\x6d\xf3\x19\xbf\x6f\x41\x27\x05\xa0\x3b\x8c\x0e\x72\x40\x37\x8e\xc6\xd0\xde\xa6\x09\x17\xbc\x4f\x5c\x29\xe4\x65\x7d\x6e\xe1\x58\xcf\x32\x71\xd1\xf5\xa7\x93\x69\xdd\x04\xde\x27\x69\x5d\xb4\x85\x3d\xc7\x41\x59\x91\xb0\xb7\x60\xe6\xdf\xed\x88\x34\xf3\xc3\xde\xd9\xbf\xf1\x2d\xed\x1d\xfa\xdb\xd9\xc6\x2e\x72\xf8\x59\x97\x11\x66\x7d\xad\x0d\xb1\xc3\x90\x0b\x66\x83\xb9\x60\x3e\x96\xba\xe5\xa9\x3e\x2d\x72\xc9\x1c\x47\x93\x41\x2e\x99\x2e\xca\x0b\x7e\x0c\x70\x6b\xf2\x22\xe6\xf0\xbd\x35\x65\x47\xee\x8f\x5f\x1f\x91\x17\xbb\x64\x0c\x8f\xea\x8b\x88\x07\xc4\x2f\x1d\x96\x10\x9d\x49\xb1\x02\x42\x23\x41\x68\x40\x98\x7f\x57\xc2\xfc\x21\xbe\x13\xe2\x3b\x21\xbe\xb3\x53\xf1\x9d\xa5\x7f\x73\xeb\x2b\xfc\x8c\x48\xf1\x76\x02\x1d\x0b\xa5\x78\x6b\xfb\x12\xdf\x99\x35\xfc\xba\x12\xaf\x39\xec\xc4\xdb\x45\x0b\xa3\xe2\x1f\xdf\x19\x59\xe5\xf7\x34\x1c\xff\x1f\xbf\x3d\x10\xe7\xfe\x77\x6e\xe9\x87\x73\xff\xfb\x4d\xe1\x80\x73\xff\xe1\xdc\xff\x4d\x3e\xf7\xbf\xf3\xe4\xa7\x33\x68\xe7\xfa\xa3\xf1\x62\x7e\x07\xbe\x83\x7f\x35\x2a\x1d\x40\x13\x78\x5f\x36\xef\x43\xff\x7b\xf9\x34\x92\x73\x5a\x16\x99\x1d\x64\x3f\x76\x12\xe4\xe3\x1f\x1b\x41\x85\x71\xd5\x32\xc6\x57\x0a\x4d\x1d\x10\x8d\xaa\xe1\xda\x7c\x96\x7a\x88\xf0\xcf\x87\xf1\x9f\xa4\xd1\x76\x8d\xda\x1e\xb8\x6a\xe0\x83\x73\xec\xa9\xcb\xec\xa9\xdc\x23\xec\xf2\x34\xb5\x49\x38\x56\x39\xb8\xbe\xb9\xb0\x90\x7d\x03\x1b\x2f\x41\x7d\x6e\x15\x16\xce\x25\x8f\xa8\x11\x3c\x14\xa3\x38\x64\xb3\x9e\x57\x5f\x50\x97\xcc\xcb\x3b\x82\x76\x56\xe2\x01\x61\xa8\xa9\x1f\x93\x77\x74\xab\xb5\xd7\x4d\x0b\x1b\x9b\x1b\xd6\x61\xa0\x85\x5d\xa2\x85\x31\x73\x7d\xfd\xb4\xb0\xad\x02\x83\xd3\xc2\xb6\x0a\x8c\xdc\x3f\xdb\x15\x08\x8c\x7b\x7d\x42\x18\x92\x11\x72\x2b\xd7\x35\x11\x01\xb8\x10\x70\x21\xe0\x42\xc0\x85\x80\x0b\x01\x17\xae\x1b\x17\x7e\x3e\xd5\xe6\x9c\x58\x97\x05\x3c\x3c\x8f\x66\x43\xf0\xb0\xc3\x79\xb6\x5a\x5b\xe0\xd7\x58\xd4\x23\x5b\xcb\x64\x82\xf8\x8d\x3b\x03\x15\x60\x24\x01\x1f\x86\x14\x83\x47\x2d\x11\xd3\xd5\x79\xbd\x00\x58\x62\xbf\x69\x23\xc0\x12\x81\x25\x6e\x2d\x96\xb8\x81\x7d\x5e\x12\xf4\x6b\xef\x42\x50\x3a\x8c\x0e\xe2\xfd\xd9\x82\x8f\x10\x1f\x08\x23\xc4\xe0\xa1\x46\x8a\xb8\xf5\x1c\x8e\xf1\x2f\xe7\xd0\x69\xe1\xc0\x48\x5e\x74\x89\xc9\x7d\x4d\xfd\xf8\xe9\x26\xe0\xd2\x30\xcb\x36\x13\x48\x3e\xb6\xfc\x87\x11\xfc\xcf\x07\x10\x0e\x4a\xf0\x23\xa8\xe3\x3c\x1c\x67\xc5\xe3\xb9\x3d\xec\xda\x19\xff\x99\x86\x38\x67\x79\x5f\x9b\x31\xa6\x8a\xce\x8a\xd1\x7a\x0a\x9d\xe0\xa3\x95\x8d\xda\xfd\x4d\x47\x6b\xf0\x4d\xfe\x51\x53\xb2\x5e\xb7\x8a\x33\xd7\x95\x2a\x31\xa8\x86\x1c\xbb\x5e\x25\x1a\x42\x94\x33\x7f\xb8\x23\xb6\x27\x9a\x38\x41\x7a\x9d\x31\x22\x2f\x77\xbb\x3f\x8a\xb3\xe8\x1c\x3a\x53\xa7\x31\x6c\xac\x43\x40\x59\x00\xe0\xb9\x41\xe0\xf9\x72\xaa\x6d\x52\xe1\xbc\x00\x9f\x33\xa8\x18\x80\xcf\x8e\x89\x98\x0e\xc9\x90\x04\xb0\x9a\xfb\xe8\xae\x58\x11\x73\x8f\x47\x45\x4d\x5f\xac\x0c\x8b\x9f\xba\x2e\x55\x80\x8d\x02\x1b\x05\x36\x0a\x6c\x14\xd8\x28\xb0\xd1\x8d\xb0\xd1\x6e\xd2\xcc\xf6\x82\x58\x4f\x35\x48\xa4\x99\x2d\x2a\x0f\x09\xaa\x42\xa3\x6e\x51\x7c\xf7\x5d\xb1\xda\x41\x92\xbf\xa5\xa7\x32\x0c\xf1\x3d\x7d\x37\x35\x06\xa0\xa6\xfd\xa6\xa7\x00\x35\x05\x6a\xba\xc9\xd4\xb4\x7b\x1c\xaa\x53\x9b\xc4\x5b\x73\xc5\x94\xe5\xde\x16\x10\xf5\xa5\x11\x34\x25\x20\xaa\x50\x47\x12\x4f\xc2\xb1\xa8\xae\x1b\x8e\x5d\xe3\xd3\x67\xb1\xa6\x97\x89\xeb\xe0\x9f\x1f\xc6\xbf\x31\x88\x76\x8a\x22\xae\xad\x14\x32\xff\xb4\xb5\xf4\x93\xf3\x54\x9f\xf1\x0b\x2b\xf2\xc2\xda\x94\x8c\x32\xcf\x1f\x10\x0a\x52\xd8\x74\x19\xf3\x46\xc8\x47\x19\x3f\xf9\xde\x92\x3c\xf9\x0e\xe1\x03\x72\xf2\x89\xae\x97\x13\x2f\xa6\x91\xe1\x4c\x1c\xc8\x45\x09\xb9\x28\x21\x17\x25\xe4\xa2\x84\x5c\x94\x90\x8b\xd2\x85\x5c\x94\x90\x8b\x12\x72\x51\x42\x2e\x4a\xc8\x45\x09\xb9\x28\x21\x17\x25\xe4\xa2\x84\x5c\x94\x90\x8b\xb2\x8f\x73\x51\x7e\x65\x08\xbd\xc1\x0b\x39\x17\xf4\x91\x98\xba\x45\x0d\xd3\x75\xf0\xe7\x87\xf0\x67\x06\x83\xe0\x85\x5a\x6b\x64\xf1\x8c\xf7\x7c\x9b\x78\xe2\xf0\xcd\x20\x10\xc2\x2f\x7b\xce\x70\xdc\xb3\xd4\x9e\xaa\x54\x7c\xc0\xd8\x3e\xdb\xde\x6d\x44\x12\xcf\x27\x93\xc4\x61\xbc\xa7\xde\xc7\xd9\x6f\x66\x60\x87\xc0\x0e\x81\x1d\x02\x3b\x04\x76\x08\xec\x10\xd8\x21\xb0\x43\x60\x87\xc0\x0e\x81\x1d\x02\x3b\x04\x76\xd8\xf3\xec\x10\xc8\x1e\x90\x3d\x20\x7b\x7d\x4c\xf6\xfe\x00\xa1\x7d\xc2\xbf\x50\xad\xb1\x19\xef\xca\x62\xea\xcf\xbb\xe6\x5b\x19\xb6\x5d\x20\x37\x1d\xfc\xe3\x28\xfb\x83\xdb\xd0\x03\xd1\x27\x7c\x6f\xfc\xfb\xc4\xaa\xa1\xa8\xca\x53\xec\xa1\xcb\xfc\xa1\xdc\x1e\xf1\xeb\x54\xe4\x19\xe9\x80\x1f\xba\xaf\xcd\xc1\x7a\x6f\x42\x4c\xc2\x45\xdd\xdf\x4f\xa0\x63\x4d\x7d\x61\xeb\x1a\xc1\xf3\x87\x0d\x55\xb0\xf4\x03\x69\x74\x51\x10\xba\x73\xe8\x0c\x27\x74\xa7\xd0\xad\x15\x89\x16\x44\x60\xe7\x1c\x2a\x05\x81\x9d\xb7\x5c\xe8\x53\x22\xce\xe4\x02\x3a\x1f\x8a\x33\xb9\xe5\x52\x93\x50\x22\x49\x46\x89\x45\x7c\x5a\xa2\xc4\xd8\x21\x27\xe9\x62\xf8\xa5\x8d\x0e\xc2\x8f\xc4\x43\xc6\xed\x78\x9b\x45\x1d\x17\x95\x20\x4c\x61\xed\x30\x85\x12\xc4\x6b\x37\x89\xd7\x6e\xbb\x07\xf7\xd7\x9f\x45\x47\x65\x1a\x0c\x0e\xaf\xeb\x25\x6b\x13\x3f\x6e\x71\x33\xfe\x91\x67\xf1\xf7\xed\x41\xaf\x13\xff\xf2\x45\xec\x6e\xb1\x21\xb7\xe5\x56\xc2\xd3\x35\xe9\x92\xc2\x26\x8f\xc2\xa9\x7f\x8e\x2f\x86\xfc\xcf\xc6\x40\x27\xfe\x73\x8f\x9b\x42\x8a\x60\x24\x00\x23\x41\x11\x8c\x04\x60\x24\x00\x23\x01\x18\x09\xfa\xc6\x48\x50\xec\x19\x23\x41\xdb\x6b\xb2\x61\x23\x41\x11\x8c\x04\x60\x24\x00\x23\x01\x18\x09\xc0\x48\xd0\x7d\x23\x41\xb1\xaf\x99\x7e\x11\x98\x7e\xe7\x98\x7e\xb1\xd7\x99\x7e\x71\x0b\x32\xfd\xd2\x35\x71\xdc\xe2\x3e\x9e\xee\x27\x7d\xe9\x3c\x3e\x88\xf6\xa3\x42\xf3\xfc\x0f\x02\x4b\x79\xb4\x97\xa3\xa1\x39\xc3\x49\x76\x1b\x6d\x0e\x61\xb9\x93\xe7\xf5\xab\xc9\x2c\xf8\x00\x9e\xf0\xb2\x43\x84\xe1\x98\xe7\x61\xca\xbd\x57\x1b\xe8\x6f\xf6\x3b\x3b\x1a\x88\xd8\xeb\x3d\xa3\x83\x29\xe9\x57\x56\xfc\xd0\x15\xfe\x25\x70\xd5\x34\x9a\x42\xa7\xea\x6c\x0d\xe3\x68\x6c\x5d\xed\x0e\xf9\x75\x20\xd1\xe8\x06\xc1\xf5\x37\x53\xcd\xd3\x80\x9d\x16\xf2\xe0\x28\x3a\xcc\xe5\x41\x01\xad\x77\x5c\xa2\x33\xc2\x44\x75\x12\x1d\x0f\x4c\x54\x1b\x28\xe6\xac\x30\x4a\x9d\x42\x27\x42\x46\xa9\xf5\x97\x93\x2c\x81\xb8\x19\xa8\x63\x12\x28\xf7\x5f\x47\x1b\x24\x50\x46\xe6\x9c\x0b\x25\xf0\xa3\x4b\x52\x18\x8d\xca\x5c\xa5\x61\x61\x34\xed\xdf\xd7\x59\xb1\xd4\x99\x7c\xa5\x80\x65\x01\xcb\x02\x96\x05\x2c\xdb\x3f\x58\x16\x34\xb3\x04\xcd\xac\x77\xb8\x35\xe4\x8a\xee\x4a\xae\x68\x30\x0f\x80\x79\x00\xcc\x03\x60\x1e\x00\xf3\x40\x5f\x9b\x07\xe0\xc8\x00\x38\x32\x00\x8e\x0c\xe8\xd4\x91\x01\x60\x7d\x03\xeb\x5b\xbf\x5a\xdf\x4a\xe5\x36\x9f\x24\x9c\x64\xd1\xea\x14\x2f\xbe\x9e\x8b\x07\xd5\xf7\x62\x79\xb0\x55\x20\xc2\xd1\x16\xcc\xe7\x85\x3f\x3d\x82\xa6\x85\x8f\xfb\x52\x85\xde\x64\xea\x98\x4d\x2b\x79\xdf\xfb\xb7\xde\xe5\x5d\xa4\x10\x62\xb7\x3a\xda\x32\xa9\xaa\xfe\x69\x8f\xdf\x18\xc6\xff\x66\x1b\x7a\x28\x54\xc8\x94\x57\x86\xcf\xd9\x3f\x9b\x92\xa3\x31\x94\x56\xc8\xf4\xb4\x1d\xcf\x03\xfe\x6c\x85\xde\x5c\xe0\x65\xb7\x25\xbf\xd0\x68\xb0\xb9\xe1\x1b\x38\xa9\x0a\xb3\xfd\x51\xb0\x6b\x1b\x8a\xf0\x88\x50\xd9\xf9\x5c\x8e\xbf\xee\x6c\xcc\x67\x49\x63\x40\x50\xdf\x1e\x77\xca\xdf\x94\xfc\x44\xcd\x8f\x03\xb8\x29\x0e\x69\xbd\x91\x3c\x6f\x9f\xc4\x67\xc5\x14\x0d\x9a\xba\xe9\x91\x33\x6b\x0d\x62\xc8\x5d\x04\x61\x09\x90\xbb\x08\xec\x5f\x60\xff\x02\xfb\x57\x3f\xd9\xbf\x20\x77\x11\xe4\x2e\x02\xbb\x03\xd8\x1d\xc0\xee\x00\x76\x87\x9e\xb0\x3b\x94\x0e\xa3\x83\x78\x7f\xb6\xe0\x73\x92\x07\xc2\x67\xc0\x05\xbb\xbc\xc6\x63\xe0\x20\xe9\x11\x24\x3d\xda\x22\x88\x16\x92\x1e\x75\x22\xe9\xd1\xab\xc3\x68\x3c\x9a\xce\xbc\x49\x12\x0e\xb1\x39\xac\xaa\x96\x83\x3f\x3c\x8c\x3f\xb5\xfe\x34\xe7\xd3\xbc\x80\x0b\xaa\xd5\xa6\x34\xe7\xd9\x50\x9a\xf3\xc0\x6d\xd8\x7f\x0b\x1c\x95\x18\x0f\x10\x5b\xc9\x49\xde\x62\x16\xf4\x70\xae\xf3\xfa\x8c\xe8\x7e\x3f\x00\x24\x04\x48\x08\x90\x10\x20\x21\x40\x42\x80\x84\x00\x09\x01\x12\x02\x24\x04\x48\x08\x90\x10\x20\x21\x40\x42\x38\x1c\x11\x68\x22\xd0\x44\xa0\x89\xb7\x11\x4d\xfc\xa5\x11\x34\x23\x53\xa8\x5b\x06\x79\xd1\x25\x26\xef\xad\xc0\xe9\x51\x32\x46\xad\xe6\xb8\xb4\xea\x95\x18\xc6\x5d\xd2\xfb\xf1\xaf\x87\xf1\x8f\x6e\x43\xbb\x22\xa5\x5c\x5b\x29\x64\x7e\xb1\x15\x8f\xc7\x69\x5e\xba\xb7\xc3\x9c\xf1\x4b\xef\x09\xff\xc7\x51\xfe\xba\xa9\xf0\x87\x5d\x29\x34\xab\x31\x00\xcc\x46\x80\x59\x49\x66\x93\xb3\xf8\x9c\x97\x56\x3d\x66\x18\x7a\x84\xb2\x49\x9b\x47\x8f\x70\x4c\xf2\xb7\x04\xba\x09\x74\x13\xe8\x26\xd0\x4d\xa0\x9b\x40\x37\x81\x6e\x02\xdd\x04\xba\x09\x74\x13\xe8\x26\xd0\x4d\xa0\x9b\x5d\xa6\x9b\x67\xd0\x34\x9e\xca\x9e\xf2\xe9\xe6\xe3\x61\x17\xc8\x66\x7b\x3d\x70\x88\x04\x84\x09\x08\x13\x10\x66\x08\x61\xfe\xe6\x08\x3a\xe9\x21\x4c\xcb\x49\x74\x8b\x74\x5c\xd5\x25\x4b\xb5\x0a\x9b\xc1\x1e\xbc\x7c\xef\x08\xfe\x93\x41\xb4\x9d\x3d\x7f\x6d\xa5\x90\xf9\xa9\x56\x98\xe5\x82\x2c\x67\x81\xb8\x3d\x81\x29\x15\x89\x29\x2d\x27\xec\x5d\x19\xaa\x25\xa0\xc9\x46\x34\x79\x29\x19\x4d\x8e\xe2\x9c\x8f\x26\x2d\x47\xa2\xc8\x50\xb3\x02\x7d\x04\xfa\x08\xf4\x11\xe8\x23\xd0\x47\xa0\x8f\x40\x1f\x81\x3e\x02\x7d\x04\xfa\x08\xf4\x11\xe8\x23\xd0\xc7\x9e\xa6\x8f\x47\xd0\x21\x7c\x20\x3b\xe1\xd3\xc7\x37\x84\xe9\x63\x68\x7b\xd7\x08\x1c\xc1\x2b\x13\x90\x26\x20\x4d\x40\x9a\x1d\x44\x9a\x5f\x4d\xa3\xfb\x05\xd2\x74\x5c\x6a\xab\x65\xe2\xf9\x63\xe2\x5f\x4a\xe3\x9f\x4f\xa3\xed\xf2\xe7\x4c\xa6\xcc\x13\x15\x2f\x51\xbb\xea\x37\xa0\xaa\x70\x5e\x95\xc3\x65\xe2\x2e\x88\xfb\xa6\xe6\x67\xcf\xb1\xdf\xda\x77\x3a\x53\x43\x41\x93\x0d\x05\x4d\xb6\x52\x50\xc9\x68\x7e\xf0\xd7\x45\x81\x03\xcf\xa1\x33\x1c\x07\x9e\x42\x27\xd0\xb1\x0d\xe0\x40\xef\xe3\x25\xf3\xc3\x1f\x1c\x42\xbb\x45\xe3\x6a\x94\xda\xba\x61\xf2\x0a\x86\x3c\x5e\x79\xc6\x6f\x07\xff\xd9\x1e\xfc\xf5\x01\xf4\xfa\xf0\x4d\xd7\x56\x0a\x99\xdd\x62\x4b\x60\x4b\x65\xc6\x5b\xed\x3c\x2c\x3c\xc7\x1e\xce\x0d\xb1\x9b\xa6\x43\x4f\x5e\x29\xf0\x0b\x67\xa9\x3d\x55\xa9\xf8\x78\xd6\xe9\x75\x26\xfb\xbc\x38\x3b\x6d\x1f\x3f\x3b\x8d\x75\xc2\x21\x74\x00\x4d\x34\x3d\xee\x2c\xd2\xa0\x2b\x85\x3c\xff\xe6\x96\x8e\x63\x7c\x73\x32\x88\x3d\x88\xf7\x4b\x10\x1b\xd3\x6f\x92\xcb\xf2\x17\x46\x89\x6c\xc2\x41\x8f\x00\x64\x01\xc8\x02\x90\x05\x20\x0b\x40\x16\x80\x2c\x00\x59\x00\xb2\x00\x64\x01\xc8\x02\x90\x05\x20\x0b\x40\xb6\xcb\x40\x16\xa0\x27\x40\x4f\x80\x9e\x7d\x0c\x3d\x7f\xe2\x19\xa4\xc4\x42\xcf\x95\xc2\xb8\xe6\x18\x26\xd5\x89\x83\xdf\xfd\x0c\xfe\x87\x27\x10\x92\x77\x5c\x5b\x29\x64\x9e\x58\x9b\xc7\x4d\x2f\xcc\x5e\xa4\x3a\xc9\xdd\xc7\x6e\x93\x38\xf4\x4a\x41\xfe\xda\xe3\xf8\xad\x08\x6c\x0a\xd8\x54\x11\xd8\x14\xb0\x29\x60\x53\xc0\xa6\xfa\x86\x4d\xf5\xd0\x61\xfc\x3d\xc3\xa6\xe0\x94\x78\x60\x53\xc0\xa6\x80\x4d\x01\x9b\xda\x8c\x53\xe2\xfb\x1a\x25\xc1\x31\xd6\xfd\x7c\x8c\x75\x71\x0b\xa2\xa4\xd2\xb3\xa8\x28\xdc\x96\x8e\xa1\xa3\xdc\x6d\x69\x3f\x2a\xa0\xf1\xa6\x6e\x4b\x1e\x6f\x5a\x29\xe4\x25\x18\x6a\xc9\x67\xe9\xe9\x64\x9f\xa5\x09\xbc\x4f\xe6\xae\x13\xe5\xa2\x98\x13\x38\xa2\xb4\x2b\xd1\x61\x29\xfb\xdf\x76\x44\xf8\xd7\x2e\xb1\xfa\x28\xaa\x8f\xba\x1e\x10\xbf\x74\x0c\x76\x09\x36\xc5\xa3\x73\xf1\xe0\x22\xd5\x57\x33\xfc\xbf\x4a\x2a\x37\x86\xf6\xae\xa3\x91\x8b\x1f\x4b\xa3\x8f\xa6\xf1\x47\xd2\x99\x0f\xfa\x82\xe5\xdb\xa9\xab\x6c\xd9\x96\x92\x7c\x94\x9f\x51\xa3\xb1\xfd\x9a\x90\x04\x91\xdd\x43\x98\x28\x2d\x12\xc5\x62\x4d\xcb\x54\xb6\xbc\x32\x65\x2a\x86\x29\xf6\xed\xd4\x56\x6a\xa6\xbf\xf5\xd7\x15\xdd\x5e\xbd\x5c\x33\x15\xdd\xb0\x09\x1b\xfe\xc4\xdf\x4f\xb2\x65\x81\xaf\xbb\x72\x43\xed\xa9\xcf\x72\x0b\xa3\x2c\xd5\x6c\xae\xa2\x59\x36\xd5\x88\xc3\x17\x48\x39\xdb\xa4\x28\xcf\x2b\x57\xf8\x1b\xb9\xea\xcb\x57\xb4\x49\x65\x4c\x99\xaa\x54\x26\xf9\xf2\xa7\xdb\xab\x8a\x5d\x33\xd9\xd6\x8a\xcd\x17\x6f\xcd\x97\xc5\x11\x3d\x7b\x87\xa8\x5a\x58\x38\x7c\x28\x8d\xbe\x3f\x8d\xdf\x9f\xce\xbc\xd7\x6f\xa0\x6f\xa6\xb8\xc6\x74\x41\x35\xd5\x32\xb1\x85\xee\x2f\x3c\xcf\x1d\x87\x6a\x06\x5f\xce\x7c\x2d\x5b\xe5\xdb\x14\x6a\x2b\x4c\xdb\x71\x57\xfd\xf5\xbd\xaa\xde\x60\xf5\x77\x97\x89\x43\xbc\x19\xcc\xa4\x8a\xc7\x3f\x38\x02\x58\x24\x0a\x97\x1d\x5c\xa3\xa6\xb6\x52\x98\x38\xc2\xee\xb5\x55\x8d\x83\x1a\xb6\x19\x15\xf3\x95\x6b\xbd\x4c\x41\x51\x0d\x53\x58\x64\xb8\x56\x19\xdc\xcb\x37\xaf\x12\x23\xb1\xbd\x90\x27\x83\xcb\xb4\xa2\x9a\xe5\x3c\xb5\xcb\xe3\xd6\x8d\xf2\x78\xcd\x34\x34\xaa\x93\xf1\xdd\xb3\xce\x3c\x2b\x25\x9f\xbd\x2b\xfc\xad\x61\x00\xff\x8d\x14\x3a\x29\x66\xf8\x61\x74\x90\xcf\xf0\x71\xb4\xbe\xc1\x87\xa6\xd9\xf3\x05\x7c\x1c\x4d\xa2\xed\xd3\x42\x81\x5b\x7f\x21\x33\xac\x90\x09\x7e\xb2\xff\x8e\x29\x8d\xad\x12\x1b\x29\xa5\x3d\x82\x26\x5e\x9c\x34\x17\x3f\x6b\x08\x1a\x8b\x3a\x2e\xca\xfd\xda\x68\x44\xd0\x3c\x24\x14\x5a\x25\x38\xee\x9f\x1f\x12\x25\x85\x8e\x54\x77\x03\xa1\xe3\xdf\xd5\x19\xf1\xf3\x14\xba\x8c\xe6\xc3\xe2\x27\x57\x44\xa7\x37\xe0\x1d\x3c\xc3\xab\x7d\x89\x13\x54\x07\x58\x2b\xb0\x56\x60\xad\xc0\x5a\xfb\x88\xb5\x82\x0e\x96\xa0\x83\xf5\x0e\x8c\xfe\x46\x1a\x7d\x3d\x8d\xbf\x96\xce\xfc\xae\xdf\x55\x9f\x4d\x3f\x15\xde\xfe\x19\xa6\xe2\x88\x2d\x9c\xb2\x48\x96\x84\xe5\xd6\xc7\x24\xc1\x92\x25\x67\x09\x6f\xac\x90\xb6\x67\x52\x73\xcc\x24\x65\x95\x77\x89\xdc\x01\x86\xb5\x42\x01\x4c\xfd\xc1\x20\xd5\x01\xa3\x5a\x25\x3a\xd3\x3b\x2b\xab\x81\x49\x35\x10\xed\x46\x65\x54\x6e\x0c\xf9\xe7\x2a\x65\x5b\xd5\xf8\x38\x31\xa8\xee\x2f\x3c\xc1\xe2\xc0\xad\xd5\x5e\xbf\xd4\x1c\x56\xc9\x70\x43\xa9\xec\x49\xef\x83\xe4\x4b\x96\xc4\x7c\xf3\x8a\xc8\x8b\x7a\x56\x89\x6a\xc6\xd6\x31\x8b\x79\x15\xe6\x79\x0d\xe2\x36\xbc\xc0\xfc\x81\xf9\x03\xf3\x07\xe6\x0f\xcc\xbf\xaf\x99\xff\x97\xd2\xe8\xb5\x34\x7e\x35\x9d\x79\xc5\x5f\x6d\x3f\x9e\x9e\x09\xe5\xf9\xb3\x78\x9c\xa8\x3f\xf5\xe7\x6d\x6a\xa9\x65\xbe\x0e\xcf\xd3\x8a\xa1\xad\x46\x3c\x7e\xbc\xee\x0e\x12\x05\xb2\x0e\x2f\xe4\x0f\xe7\x95\x05\x21\x47\xc4\x22\x69\x11\x93\x0d\xd3\x60\x15\x21\x0a\xb5\xad\x65\xd5\xf4\x3c\x90\xec\x1a\x19\x5f\x52\x2b\x9e\xf6\x9f\x15\x57\xb3\xca\x92\x61\xaa\x15\xe3\x6d\x9e\xf8\x5e\x24\x8a\xaa\x73\x80\x4e\xc7\x05\x4f\xd5\x03\xd5\x52\x14\x3e\xe4\x04\x0f\x09\x7d\x3b\xaf\x9c\x31\xb8\x48\x0a\x55\x9c\xda\x8d\x5f\x16\x18\x2d\x5c\xa1\xee\x73\xed\x8f\xba\xcb\xf9\xec\x2e\x51\x9f\x19\xef\x43\xa2\xae\x4c\xef\x19\x44\xef\x1a\xc4\xef\x18\xcc\x7c\xc7\xf7\x67\xfb\xca\xc0\x55\x29\x07\xd9\x10\x5d\xa6\x37\x95\xb2\x6a\x2f\xaa\xe5\x08\x67\xf0\x15\x35\x62\x2f\x51\xbb\xca\xda\x22\xb6\xa6\x97\xea\x5e\xde\xbc\xa2\x5c\xad\xf1\x74\x12\x4b\x7c\x95\xc1\xf4\x05\xcd\xd0\x03\xc5\x9a\xaf\x8d\x7c\x9b\xe3\xb7\xae\xc3\x03\xae\xf9\x55\x6f\xf5\xcb\x87\x9a\xd1\x93\x9b\xbe\xa5\xc0\xf7\x62\x8b\xbe\x2c\xaf\x08\x5c\xc4\x65\x71\x58\x5b\x1d\x12\xdf\x30\xc4\xf6\x3c\xfc\xaf\xe8\xc0\x70\x8e\x29\x43\x45\x55\xbb\x51\xb6\x69\xcd\xd4\xd9\x5d\xdc\x7d\x8c\xdf\x54\xd7\x70\x42\x59\x91\x1a\x50\xb4\x10\xef\x0b\x16\xfd\x92\x8e\x29\x43\x67\xa9\x4d\x42\xc5\x2a\x9a\xea\x68\xaa\xce\xbe\x5e\xb6\x8f\x70\x18\xe4\xe5\x39\x42\x9d\x6e\x28\x70\xc9\x2f\x23\x9f\xbd\xc7\xaa\x1f\x37\x61\xdd\x06\x4c\x6a\x60\x52\xeb\x53\x93\x5a\xa9\x8c\xe6\x04\xbc\x3e\x83\xa6\x39\xbc\x3e\x81\x8e\xa1\xa3\x1b\x80\x97\x0b\xae\xea\xd6\x9c\x36\xf1\xe3\x64\xd3\x54\x94\x25\x5f\xcf\xc5\xf3\xe3\x7b\xf1\x3d\x42\x48\x04\x02\x1c\xb5\x3d\xba\x03\x7f\x6b\x0f\x7a\x90\x0d\x25\xee\x1d\x4e\xab\x16\x35\x99\x1c\xe2\xed\x41\x1c\xfc\xe5\x3d\xf8\x3f\x0e\xa0\xed\x1a\xb5\x39\xba\x7e\x5c\xec\xd2\xea\x5d\xc3\xbd\xc7\x44\x33\xe6\x1e\x14\x49\x1b\x6c\x4e\xaf\x23\x97\x7a\xdc\x4f\xbc\xb4\x88\xce\x89\x01\x75\x1a\x9d\xe4\x03\xea\x08\x3a\x84\x0e\xac\x91\xa6\xc1\x16\xf6\x87\xe8\x57\xb6\x64\xf4\x4c\xb0\x4e\x5e\x7f\x53\xf2\x58\xcb\xe3\xd1\x98\xb1\x96\xcd\x7a\xe3\x2b\x5a\x2b\xc8\xd0\x00\x5e\xf0\x90\xa1\x01\x2c\x33\x60\x99\x01\xcb\x4c\x3f\x59\x66\x20\x43\x03\x64\x68\x00\x22\x0e\x44\x1c\x88\x38\x10\xf1\x9e\x20\xe2\x90\xa1\x01\x32\x34\x6c\x15\x06\x08\x19\x1a\x3a\x91\xa1\xe1\x1b\x43\xe8\xd1\xb8\x93\xb6\x6c\xc2\xa1\x15\x9b\xa9\xf8\x97\x86\xf0\xe7\x42\x47\x69\xad\xc8\xf5\xcb\xd4\x8d\x15\x43\xaf\xa9\x95\xc8\xa1\x5a\xbe\xae\x78\x59\x94\xd0\xae\xb3\xb4\xf2\xb9\x91\xd0\x69\x58\x41\xe1\x73\x86\xe3\x6e\xb5\x14\xac\x9b\x71\x2c\xd6\xc5\x64\x88\xb7\x17\x8f\x34\x1e\x8b\x15\xb4\x74\xd4\xd3\x78\x77\x3c\x34\xbc\x0b\x23\xfe\xa1\x90\x88\x15\x30\x1f\x60\x3e\xc0\x7c\x80\xf9\x00\xf3\x01\xe6\x03\xcc\x07\x98\x0f\x30\x1f\x60\x3e\xc0\x7c\x80\xf9\x00\xf3\x01\xe6\x03\xcc\x07\x98\xaf\xab\x98\xef\x57\x1e\x44\xc7\x05\xe6\x5b\xe4\x78\x6f\xa5\xd0\xec\x2c\x7d\xcd\xa6\xe6\x75\xba\xe8\x9d\xa3\x3f\x2e\xfc\xef\xf0\x4b\x0f\xe2\x3f\x4f\xa3\x1d\xfc\x69\xee\x7e\x67\x13\x55\x57\xc4\x45\xaf\x91\x83\x15\x77\xda\xa6\x66\x89\x2e\xe6\xb2\xec\xae\x22\x7b\x26\x7c\x80\xbd\xbc\xda\x66\x3f\x3c\x81\xd6\xae\xa2\xe3\x02\xad\x1d\x44\xfb\x39\x5a\x1b\x43\x7b\xd1\x48\x53\xb7\x39\xfe\x3d\xdc\x6f\x4e\xd4\x29\x11\xa3\x3d\x1c\x8f\xbd\xee\xc0\x83\x65\xe2\xa2\xeb\x73\xc9\x94\x6d\x04\x0f\x49\xca\xc6\x5f\xee\x79\xc8\xc9\xf7\x87\x19\x5b\xe6\x73\x3b\x42\x2d\x3e\x64\x13\xab\xa2\x6a\x24\xb1\xd1\x9f\x90\x37\x76\xb3\xdd\x8b\xfc\x24\xaf\xba\xd4\x21\xeb\x69\x78\x08\x5a\x85\xc4\x21\x1b\x4c\x1c\xf2\xaf\x53\xb7\x38\xe7\xa7\x44\xda\x90\x49\x74\x24\x48\x1b\xd2\x35\xb1\x61\xd5\xda\x2d\x36\x8a\xff\xcf\x9d\x21\xb1\xb1\xcf\x52\x6d\xb6\x49\x65\x1b\x3b\xbe\xa4\x24\xca\x8f\xdd\x16\x67\xb9\x5d\x92\x1e\x6f\xac\x2f\x68\x8c\xbf\x7e\x2f\x3f\x80\xf0\xa1\xf0\xc5\x2a\xb1\xcb\x24\x7c\x75\x4f\xf8\x2a\x53\x31\x5d\x52\x36\xb4\xb1\x86\xfb\x22\xa5\xb0\xbf\x57\xe5\x55\x56\xcb\xe2\x45\x34\x87\x4a\x75\x92\x6b\x12\x1d\xd9\x80\x35\x66\x9e\xb7\x1b\x08\xb2\x04\x41\xf6\x99\x01\xf4\xe9\x01\xfc\xa9\x81\xcc\x27\x7c\xa3\xd0\x4b\x03\xfd\x23\xc8\xea\xb0\x01\x6b\x67\x8e\xc1\x39\xda\x62\x83\x33\x30\x86\x0d\x37\x19\xb8\x23\x9c\x07\x0b\xab\x89\x5a\xe1\x4f\x9a\xd4\x1c\x13\x4f\xf3\x3b\xb8\xd5\xcc\x51\x86\x4b\x0e\x35\xe7\x85\x55\xe8\x02\x9b\x16\xf2\xef\x05\x6f\xb2\x04\x3f\x8e\x34\x97\xb0\xc5\xd7\x52\xe8\xd5\x14\x7e\x25\x95\xf9\x82\xaf\xf1\x7e\x32\x75\x96\xb2\x0d\x9c\xe1\x28\x65\xca\x9b\x9d\x2a\xd9\x25\xf6\x53\x56\x99\x8a\x7c\x05\xdf\xcb\x88\xd0\xfd\x9a\x13\xf0\xef\x31\x55\xe3\x1f\xce\xad\x0a\x15\x43\x93\x31\x79\xa4\xa2\x3b\x0a\xbd\x29\xdb\x54\x50\x77\x8b\x50\xab\x42\xf2\x8a\x78\x23\x37\xe3\x79\x7d\xc9\xf7\x14\xb1\x0d\xe0\xbf\x3e\xbb\x8d\x57\x2b\x62\x92\xea\xb4\x96\xf8\x68\xbc\xb8\xdf\x81\xef\xe0\x95\x6b\xb3\xc0\x2f\x1d\x40\x13\x78\x5f\x36\xef\x1f\x5f\x7d\x6f\xf8\xe0\x6b\xf9\xc4\xed\x70\xe8\x35\xfe\xbe\x0c\x9a\x8a\x6e\x63\x16\x89\xab\xae\x77\x2f\xf3\x6b\x0f\xe2\x97\x06\xd0\xdd\xde\x12\xc9\x8b\x68\x71\x43\x33\x14\xda\xd0\xf0\xe7\xba\xb3\xab\x79\x46\xe8\x28\xfb\xb8\x8e\xc2\xc6\xeb\x04\xda\x87\xf2\x89\xe3\x95\xd7\xb0\x5d\x5b\x9b\x75\x47\x01\xf1\xb7\xa3\x35\xc6\x70\xe6\xb7\x76\xd4\xf7\x42\xcb\x9b\x9c\x5c\x74\x93\xd3\xbd\xbe\x28\xce\xa0\x22\x3a\x5d\xa7\x2f\xac\xbb\x33\x40\x4b\x80\xed\xce\x06\xb7\x3b\x3f\x9a\x6a\x87\x30\x38\x2b\xf6\x3c\x6c\xdb\xee\xef\x79\xba\x2b\x54\xf8\xc6\xa7\x35\xa1\xd2\xda\x3a\x28\xe4\x4d\xf1\x1d\x77\xd5\x0b\x95\xf5\x6f\x81\x86\xc3\x5b\xa0\xee\xc8\x16\xd8\x07\xf5\x9b\x84\x83\x7d\x10\xec\x83\x36\x79\x1f\xd4\x15\xbd\xb2\xfd\x32\x3e\x71\x7f\xd5\x3f\x3b\xa2\xff\x34\x8c\xf2\x5e\xce\x04\xe1\xb9\xdd\x64\x2f\x44\x4c\xdd\xa2\x86\xe9\x3a\xf8\xc3\xc3\xf8\x53\x83\x41\x22\x85\x5a\x6b\xee\xdc\x67\xbc\xe7\xdb\xe4\xcd\x9d\xe5\x0f\x88\xd4\x0c\xc1\xe2\xea\xbf\x65\xce\x70\x5c\x70\xe3\x6e\x9c\x4c\xad\xb8\x5d\x5f\x3f\x9f\x3c\xe3\x86\xf1\x9e\xfa\x24\x0d\x7e\xdb\x47\xe1\x02\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x77\xd7\x87\x7b\xeb\xc1\x09\xf0\x12\x07\x2f\x71\xf0\x12\xdf\x42\x5e\xe2\x9f\x1b\x41\x07\x5a\x82\x89\x6c\xda\x19\xfe\x8f\x6f\xc7\x7f\x37\x8c\xbf\x12\x42\x8a\x2f\xa7\x64\xab\x87\x40\xa2\xe9\x49\x4a\x2f\x55\xeb\x82\x28\xa3\x2d\x38\x71\x34\xd0\x8a\xb8\xe6\x27\xd7\x50\xa6\x58\x05\xea\xde\x50\x44\xc3\x0e\x95\x9d\xcf\x3d\x14\x0b\x23\x65\x0d\x01\x43\xae\xc7\xc1\xe9\xa6\x70\x70\x9a\x4d\x46\x90\x7b\xf0\xe3\xf5\x08\x52\xb6\x38\x00\x48\x00\x90\x00\x20\x01\x40\x02\x80\x04\x00\x09\x00\x12\x00\x24\x00\x48\x00\x90\x00\x20\x01\x40\x02\x80\xdc\x4c\x00\xb9\xa6\x4f\x95\xdc\xb9\xdd\x0e\x3e\x55\x80\x2d\x01\x5b\x02\xb6\xdc\x42\xd8\xf2\x2f\x86\x50\x36\x2e\x2a\x4c\x20\x4c\x2f\x08\x0c\xff\xda\x10\xfe\xf9\xc1\xfa\xd8\x00\xa7\x35\xef\x47\xe9\x32\xda\x26\xdf\xc7\xd1\x9b\xf5\xe1\x05\xb2\x7c\x48\x66\xdb\x46\x2f\xc8\xd6\xfc\x8e\x13\x5c\x8d\x23\x6e\xc9\x80\x22\x01\x45\x02\x8a\x04\x14\x09\x28\x12\x50\x24\xa0\x48\x40\x91\x80\x22\x01\x45\x02\x8a\x04\x14\x09\x28\x12\xf2\xd9\x02\xf2\x03\xe4\x07\xc8\xaf\x5b\xc8\xef\xa3\xc3\xe8\xa0\x40\x7e\x8e\xb6\x4c\xf4\x5a\x85\x69\x6b\xe2\x48\xfb\x3a\xfc\x67\xd9\x06\xb5\x0d\x77\x55\xab\xa8\x8e\x43\x1c\xfc\xf5\x21\xfc\x9f\x07\x11\x0e\x1e\xf3\x51\xe0\x6a\x6b\x28\x70\x5e\x16\x38\xcd\x0a\x6c\x13\x10\x14\x0f\x2c\xf8\x75\x92\x54\x30\xf2\x2a\x88\x88\x8e\x67\x81\x5a\x32\xe6\x3b\x8d\x4f\x4a\x8e\xd7\x30\x5a\xa4\xe3\x61\xa4\xa5\x63\x12\x0e\xc0\x69\x57\x40\x07\x81\x0e\x02\x1d\x04\x3a\x08\x74\x10\xe8\x20\xd0\x41\xa0\x83\x40\x07\x81\x0e\x02\x1d\x04\x3a\x08\x74\x10\xe8\x20\xd0\x41\xa0\x83\xbd\x44\x07\xbf\x37\x87\x2e\x0a\x3a\x68\x12\xf7\x26\xb5\x6f\x44\xe8\xe0\xda\xa1\xcd\xf2\x09\x8b\x56\x0c\xcd\x08\x22\x9c\x5f\x1e\xc1\xef\xdc\x86\xee\x0e\xca\xbb\xb6\x52\xc8\x7c\xae\x95\x38\xe7\x8b\xe2\x91\x79\x56\xe0\x6a\x4f\x44\x3b\x0f\xf3\xd7\x5d\xf4\x3f\x25\x1c\xf3\x1c\xa9\x2d\xe0\xc6\x0d\x44\x3e\x3f\x97\xcc\x23\x8f\xe1\xa3\x92\x47\x36\x8c\x4f\xc9\x23\x23\xdd\x00\xe1\xd0\x40\x19\x81\x32\x02\x65\x04\xca\x08\x94\x11\x28\x23\x50\x46\xa0\x8c\x40\x19\x81\x32\x02\x65\x04\xca\xb8\x99\x94\x71\x12\x1d\xc1\x87\xb2\x07\xfc\xc0\xe6\x07\xc3\xe1\xd0\x91\xfd\x1b\x04\x45\x03\x03\x05\x06\x0a\x0c\xb4\xab\x0c\xf4\x37\x9f\x41\x4f\x78\xb9\x1c\x9b\x1d\x09\xc3\x89\x10\xfe\xc4\x33\xf8\x9b\x4f\x04\xc9\x1b\x77\x0b\x8d\xd5\x96\x6b\xad\x27\x8c\x3d\x9c\xc9\x29\x59\xee\x41\x76\x53\xc3\xe1\x2d\xec\x52\x8f\x33\xc3\x22\xe0\x33\xc0\x67\x45\xc0\x67\x80\xcf\x00\x9f\x01\x3e\xeb\x1b\x7c\x56\xec\x19\x7c\xd6\xf6\x9a\x6c\x18\x9f\x15\x01\x9f\x01\x3e\x03\x7c\x06\xf8\x0c\xf0\x59\xf7\xf1\x59\xb1\xaf\x79\x52\x11\x78\x52\xe7\x78\x52\xb1\xd7\x79\x52\x71\x0b\xf2\xa4\xd2\x9b\xd1\x09\xe1\x6b\x75\x08\x1d\xe0\xbe\x56\x79\x34\x8a\x72\x4d\x8f\x8a\xd6\xa8\x4d\xf2\x2b\x85\x3c\x67\x42\x73\x86\x93\xec\x58\x75\x2e\xd9\x6f\xea\x71\x9c\x6d\x38\xb4\x96\x3b\x6d\x85\x1d\xa4\xae\x3f\x12\xef\xa1\xb5\x1d\x6f\xe3\x61\x9a\xd9\x2f\xec\x08\x60\xd7\xeb\xc5\x3a\xa3\xa8\xa6\x04\x5b\x6f\x14\x3f\x74\x16\x6d\x09\x12\x75\x1c\x4d\xa2\x23\x75\x07\xee\x0f\xa3\x3d\xad\x35\x29\x1c\xaf\x9f\x74\xbc\xfe\x87\xd2\xe8\xfb\xd3\xf8\xfd\xe9\xcc\x7b\xfd\x06\xfa\x66\xaa\x7f\x8e\xd7\x6f\x7a\x8a\x7d\xe9\x3f\xa7\xd0\x51\x31\x95\x27\xd0\x3e\x3e\x95\x73\xa8\xe5\x71\x87\x4e\xb2\x47\x0b\xf8\x30\x3a\x88\xb6\x4f\x0b\x25\x6d\x5d\xcf\x9f\x62\xcf\x4f\xe0\x23\xe8\x10\xda\x31\xa5\xb1\x45\x60\x9d\x05\x24\xc9\x91\xe6\xd3\xdf\xa2\x8e\x8b\xda\x26\x67\x72\x9f\x1f\x0d\xe4\x48\x46\x68\xa6\x8a\x46\x2b\x6c\x9f\x29\xd7\x0d\x21\x52\x9e\x10\xd7\x84\x48\x99\xf6\x6f\xe8\xac\x70\x79\x0a\x5d\x46\xf3\x61\xe1\x92\x2b\xa2\xd3\x1b\xf0\x8c\x9d\xe1\x75\xbf\xc4\x69\xa8\x03\xdc\x14\xb8\x29\x70\x53\xe0\xa6\x7d\xc4\x4d\x41\xcd\x4a\x50\xb3\x7a\x07\x2c\x7f\x23\x8d\xbe\x9e\xc6\x5f\x4b\x67\x7e\xd7\xef\xaa\xcf\xa6\x9f\x0a\x6f\xe5\x0c\x53\x71\xc4\x76\x4c\x59\x24\x4b\xc2\x0a\xeb\x23\x8f\x60\xc9\x92\xb3\x84\x37\x56\x48\xa1\x33\xa9\x39\x66\x92\xb2\xca\xbb\x44\xee\xe6\xc2\x8a\x9f\x80\x9f\xfe\x60\x90\x1a\x81\x51\xad\x12\x9d\xa9\x96\x95\xd5\xc0\x3c\x1a\x88\x76\xa3\x32\x2a\x37\x79\xfc\x73\x95\xb2\xad\x6a\x7c\x9c\x18\x54\xf7\x17\x9e\x60\x71\xe0\x96\x67\xaf\x5f\x6a\x0e\xab\x64\xb8\xa1\x54\xf6\xa4\xf7\x41\xf2\x25\x4b\x62\xbe\x79\x45\xe4\x45\x3d\xab\x44\x35\x63\xeb\x98\xc5\xbc\x0a\xf3\xbc\x06\x71\x9b\x57\xe0\xf7\xc0\xef\x81\xdf\x03\xbf\x07\x7e\xdf\xd7\xfc\xfe\x4b\x69\xf4\x5a\x1a\xbf\x9a\xce\xbc\xe2\xaf\xb6\x1f\x4f\xcf\x84\x82\x5b\xad\x0a\x51\x1d\xe2\x4f\xfd\x79\x9b\x5a\x6a\x99\xaf\xc3\xc2\x2b\x36\xe2\xbd\xe3\x75\x77\x10\x1d\xcb\x3a\xbc\x90\x3f\x9c\x57\x16\x84\x1c\x11\x8b\xa4\x45\x4c\x36\x4c\x83\x55\x84\x28\xd4\xb6\x96\x55\xd3\xf3\x26\xb2\x6b\x64\x7c\x49\xad\x78\xda\x7f\x56\x5c\xcd\x2a\x4b\x86\xa9\x56\x8c\xb7\x79\xe2\x7b\x91\x28\xaa\xce\x61\x38\x1d\x17\x6c\x54\x0f\x54\x4b\x51\xf8\x90\x13\x3c\x24\xf4\xed\xbc\x72\xc6\xe0\x22\x29\x54\x71\x6a\x37\x7e\x59\x60\x80\x70\x85\xba\xcf\xb5\x3f\xea\x2e\xe7\xb3\xbb\x44\x7d\x66\xbc\x0f\x89\xba\x25\xbd\x67\x10\xbd\x6b\x10\xbf\x63\x30\xf3\x1d\xdf\x37\xed\x2b\x03\x57\xa5\x1c\x64\x43\x74\x99\xde\x54\xca\xaa\xbd\xa8\x96\x23\xa8\xc1\x57\xd4\x88\xbd\x44\xed\x2a\x6b\x8b\xd8\x9a\x5e\xaa\x7b\x79\xf3\x8a\x72\xb5\xc6\xd3\x49\x2c\xf1\x55\x06\xd3\x17\x34\x43\x0f\x14\x6b\xbe\x36\xf2\x6d\x8e\xdf\xba\x6c\x71\x92\x2b\x87\xb7\xfa\xe5\x43\xcd\xe8\xc9\x4d\x9f\xfa\xfb\x1e\x69\xd1\x97\xe5\x15\xc1\x86\xb8\x2c\x0e\x6b\xab\x43\xe2\x1b\x86\xd8\x9e\x87\xff\x15\x1d\x18\xce\x31\x65\xa8\xa8\x6a\x37\xca\x36\xad\x99\x3a\xbb\x8b\xbb\x82\xf1\x9b\xea\x1a\x4e\x28\x2b\x52\x03\x8a\x16\xe2\x7d\xc1\xa2\x5f\xd2\x31\x65\xe8\x2c\xb5\x49\xa8\x58\x45\x53\x1d\x4d\xd5\xd9\xd7\xcb\xf6\x11\xce\x7f\xbc\x3c\x47\xa8\xd3\x0d\x05\x2e\xf9\x65\xe4\xb3\xf7\x58\xf5\xe3\x26\xac\xdb\x80\x79\x0c\xcc\x63\x7d\x6a\x1e\x2b\x95\x9b\x32\x5e\x34\x27\xc0\xf5\x19\x34\xcd\xc1\xf5\x09\x74\x0c\x1d\xdd\x00\xd5\x5c\x70\x55\xb7\xe6\x78\xc4\x38\x17\x4f\x8c\xef\xc5\xf7\x88\xd9\x1c\x48\xda\xf6\xd1\xe3\x2d\x18\x02\x82\xbf\x7e\x27\x1a\x4f\x70\x29\xb7\xa8\xee\xa5\xcc\x18\x27\x2f\x12\x0d\xff\xbb\x3b\xf1\xfb\xd3\x21\xe7\x72\x8d\x9a\x26\xfb\xcc\x73\x67\x9e\x0a\x3c\xac\x39\xc4\x24\x1a\xcf\xae\x4b\xf5\xdc\x63\xf2\x26\x41\xcc\xcf\x11\x37\x40\xe5\xf3\x54\x3f\xf3\x22\xd1\x26\x06\x72\xe3\x39\x91\x03\xe2\x30\x7a\x48\x8c\x89\xfb\xd1\xbd\x7c\x4c\xdc\x8d\xee\xfc\xa9\xd4\x0e\x24\xeb\x9d\x68\x2e\x78\x2c\xbe\xf3\x11\xde\x21\x6b\x81\xae\xcf\x27\xf7\xf9\x18\xde\x5b\xdf\xe7\xb2\xaa\x12\x9d\x47\x3a\x3f\xfb\x81\x50\x93\x3c\xee\x35\xc9\xfc\xa5\x85\xe6\x6d\x92\x8d\xb4\xc9\x3c\x75\x3a\xda\x28\x6d\xff\xe2\x16\x9a\xb9\x54\x43\x0e\x7e\x21\x43\xbd\xf1\x7a\x79\x9a\x56\xab\x6c\x98\x1b\x8e\x54\x19\xaa\x94\x5b\x58\xc4\xaf\xb2\x7d\x6a\x2e\xc9\xb3\xad\xdd\x8a\xa2\xda\xb6\xba\x9a\x57\x2e\x52\xd7\xbb\x20\xf6\xd6\x6c\xe3\xa0\x38\xcb\xa4\x52\xc9\x67\xb7\xcb\xa7\xc3\xe6\xb0\x8f\xa4\xd0\x07\x53\xf8\x03\xa9\xcc\xf7\x05\xe2\x70\x5a\x18\xe4\x08\x93\x59\x12\xc9\x06\xef\x93\x1b\x3f\x5e\x50\x14\x5b\x84\x8d\x79\xec\x59\x2e\x1a\x6d\x0e\x7a\xf8\x25\x6a\x92\xf0\x65\x31\x05\x2d\xaa\xe7\xb3\x3b\xfd\x9f\xc3\x55\x3b\x86\x8e\xe2\xc3\xd9\x83\xbe\x8c\xc8\x84\x43\xcc\xa2\xad\xbd\x19\x31\x66\x2f\x20\x8a\xab\x99\x1b\x5e\xab\x5d\xbc\x4c\x04\xb2\x14\x34\xc3\x55\x4d\x5d\xb5\x3d\x9b\x40\xe0\x9b\x20\xbf\x59\x2e\x35\x86\x23\x17\x98\x70\x3b\xf2\xdd\x6d\xf6\x0e\xc7\xd5\x89\x6d\x47\xbc\x10\xea\x5e\x79\x29\xfe\x95\x86\xc9\x84\xda\xba\x5e\xc9\xf7\x0c\xf9\xec\x36\xc7\xd5\x0d\x33\xf2\x4a\x1b\x59\xd8\xcc\x54\x12\x5e\x29\x05\xe9\x06\x3f\x93\xd6\xdc\xc8\x3b\x5f\x44\x2b\xd8\xcd\xd8\xde\x3b\xdf\xfc\xd4\x53\x6f\xe1\xa3\xc9\xae\x91\x7a\xdc\xac\x2a\x4c\x6c\xfb\x9b\x9a\x4a\x85\x8a\xed\x93\xb7\x92\x73\x21\xd2\xf4\x7b\x07\x98\x88\x0f\x87\x0d\x7d\x72\x14\x9d\x17\xa9\x93\xd4\x9a\x4b\x1d\x4d\xad\x18\x66\x79\x0d\x81\xcf\x05\x07\x1b\xbb\x15\x8b\xea\xde\x23\xc4\xf6\xf3\x26\xfd\xce\x5e\xfc\x33\x03\xe8\x75\xa1\xc2\x98\xcc\xcb\xd9\x44\xd5\xeb\xd0\xe6\x93\x7e\x49\xf3\x54\x9f\xf2\x4b\xca\x4d\xb0\x7b\xa7\x82\xe7\xc3\x6e\x19\x4d\x9e\x69\xaf\x2d\xb5\x54\x45\x97\x85\x34\x3d\x8f\x66\xb9\x34\x9d\x46\x53\xe8\x54\x53\x73\x75\xe8\x5b\x99\xae\xd1\xa4\x8e\x89\x32\xf8\xe1\x78\x89\x79\x07\x1e\x2c\x13\x17\x5d\x5f\x4c\x16\xd1\xa7\xf0\x09\x29\xa2\x43\x55\x92\xb2\xba\x59\xad\xc2\x42\x3b\xf3\xc9\x9d\x0d\x3d\x37\x66\x13\xab\xa2\x6a\xa4\xc5\xce\x3b\x28\x6f\xdf\xcc\xfe\x2b\x3e\x8d\x16\xd0\x9b\xea\x1c\x6d\x6e\xbd\x03\xc1\x34\x04\x1e\x38\x1b\xf4\xc0\xf9\xd5\x14\xba\x2a\xdc\x68\xe6\xd1\xc5\xc0\x8d\xa6\xa3\x62\xa5\x13\x32\x2c\x59\x54\x59\xb5\xee\x88\xaa\xdc\x2f\xec\x6a\x10\x55\x1e\xdb\x51\x9b\x4a\xa7\x03\xe2\x8e\x4d\x15\x4e\x9d\x71\xd4\x01\xd9\x94\x20\x9b\xc0\x58\xdc\x15\x63\x31\x58\x09\xc0\x4a\x00\x56\x82\x4e\x59\x09\x4a\x9f\x4f\xb5\x97\x88\x0a\x25\x61\x82\x2b\x09\x81\x77\xee\x2d\x96\x99\xb4\xd1\x51\xe2\xb5\x87\x9d\x78\xbb\x68\xa6\xae\x28\x10\xc5\x7f\x7f\x57\x83\x02\x71\xc8\x52\x6d\xd7\xe0\xde\x94\xc2\x0e\xdb\xe2\xa6\x67\xbf\xa5\xba\xda\xf2\x66\x69\x15\x6f\xac\x2f\x68\x8c\x57\x67\x2f\xfb\x73\xf2\xa1\xf0\xc5\x2a\xb1\xcb\x24\x7c\x75\x4f\xf8\xaa\xe3\xda\xaa\x4b\xca\x86\x36\xd6\x70\x5f\xa4\x14\xf6\xf7\xaa\xbc\xca\x6a\x59\xbc\x88\xe6\x50\xa9\x6e\xbb\x35\x89\x8e\x6c\x60\x00\xcd\xf3\x0c\x0e\xa0\xcb\x24\xe8\x32\x9f\x19\x40\x9f\x1e\xc0\x9f\x1a\xc8\x7c\xc2\x5f\x10\x5e\x1a\xe8\x9f\x7d\x56\x9d\xd3\x0c\x6b\x67\xee\x8c\xcc\x1d\xbb\xd8\xe0\x0c\xa0\xfa\x70\x93\x81\x3b\xc2\xd7\x35\xe1\xbb\xae\x56\xf8\x93\x4c\x81\x13\x4f\xf3\x3b\xb8\x32\xe5\x28\xc3\x25\x87\x9a\xf3\x22\xa7\xc9\x05\x36\x2d\xe4\xdf\x0b\xde\x64\x09\x7e\x1c\x69\xbe\x01\x2c\xbe\x96\x42\xaf\xa6\xf0\x2b\xa9\xcc\x17\x7c\xe6\xfc\xc9\xd4\x59\x6a\x6b\x5c\xcf\x2b\x53\xde\xec\x54\xc9\x2e\xb1\x9f\xb2\xca\x54\xe4\x2b\xb8\xed\x52\xa8\x64\x35\x27\xf0\x42\x1e\x53\x35\xfe\xe1\xdc\xb7\xbb\x62\x68\x72\xc9\x25\x15\xdd\x51\xe8\x4d\xd9\xa6\xc2\xf7\xd9\x22\xd4\xaa\x90\xbc\x22\xde\xc8\x93\xd0\x78\x7d\xc9\x6d\x88\xb1\x0d\xe0\xbf\x3e\xbb\x8d\x57\x2b\x02\x2c\x37\x07\x91\x35\xcf\xc5\x6d\x89\x5c\xdc\x5d\x58\x38\x4a\x33\xa8\x88\x4f\x67\x4f\xfa\x9c\x7d\x77\x18\xd2\x37\x29\xe1\x76\xc8\x08\x87\xbf\xba\x07\xdd\x2b\x50\xf1\x22\x4f\xa8\xbf\x52\x18\xbf\x4e\x17\x1d\xfc\xcb\x7b\xf0\xbf\x1f\x40\x3b\xf8\x8f\x6c\x19\x7d\x6c\xed\x84\x52\x25\xba\x98\x7b\x84\xdd\x52\x64\x97\xaf\x14\x4a\x74\xf1\x2c\xb5\xa7\x2a\x15\x7f\xcd\x74\x7a\x3c\xa7\x54\xe9\x2a\x3a\x2e\x46\xff\x41\xb4\x9f\x8f\xfe\x31\xb4\x17\x8d\x34\x1d\xfd\xbc\x65\xd8\xb8\x2f\xd1\xc5\x96\x42\x23\x13\x22\x1a\xaf\x3f\x99\x3c\xcc\x9f\xc0\xbb\xe5\x30\xe7\x6f\x97\x03\xbc\x44\x17\x21\xb9\x3c\x64\xc7\x82\xe4\xf2\x10\xe5\x05\x51\x5e\x10\xe5\xd5\xaf\x51\x5e\x90\x5c\x1e\x92\xcb\x43\x74\x0d\x44\xd7\x40\x74\x0d\x44\xd7\xf4\x44\x74\x0d\xa4\x6f\x87\xf4\xed\x5b\x25\x9e\x00\xd2\xb7\x77\x22\x7d\xfb\xdf\x0f\xa3\x63\x9e\xaf\xfd\x9a\xe7\x55\x7a\xf6\x0c\xd3\x5d\xa1\x95\x5a\x95\x68\x15\xd5\xa8\x3a\xf8\x3f\x0c\xe3\xd7\x06\x03\x27\xf3\xef\x95\x27\x55\x1a\xa6\x6e\xac\x18\x7a\x4d\xad\x44\x0e\xad\xf4\x15\xc9\x79\xbf\xb4\x2b\xbc\xb4\x69\x56\x5a\x5b\x0e\xad\xcc\xe7\xf2\xfc\x81\xfa\xcc\x5a\xb1\x6f\x9c\x33\x9c\x5e\x4f\x24\xbf\x29\x87\x4f\x5e\x4d\x06\x7d\x07\xf0\x44\x98\xe8\x35\xf8\xe8\xc7\x35\x37\xba\xbe\x3b\x9e\x30\xde\x85\x11\xff\x62\x8e\x19\x01\x0e\x02\x1c\x04\x38\x08\x70\x10\xe0\x20\xc0\x41\x80\x83\x00\x07\x01\x0e\x02\x1c\x04\x38\x08\x70\x10\xe0\x60\x97\xe1\xe0\xd6\xf3\x15\x02\xfc\x08\xf8\x11\xf0\xe3\x16\xc2\x8f\xaf\x8d\xa1\x69\x19\x06\x6e\x19\xe4\x45\x97\x98\xbc\xb7\x38\xcd\x32\xe8\xf8\x4a\x61\x91\xb8\x6a\x61\x5c\xab\x39\x2e\xad\x7a\x05\x86\xc9\x97\x0c\xff\x7e\xf7\x18\xfe\x9f\x03\xe8\xfe\x48\x21\xd7\xe4\xd3\x99\xbd\x31\x51\xe0\xd3\xbc\x44\x6f\x53\x39\xe3\x97\x98\xdb\xc7\xc3\xc0\xc3\xe5\x5c\x11\xc5\x34\x7b\xa2\xcd\x41\xe0\x1f\x48\x35\x0f\xad\xbc\x29\x40\xa0\x85\x4c\x0e\x02\x97\xd1\x12\xd2\x9b\x81\xc0\xa0\xfe\x63\x3e\x8d\x09\x98\x60\xb4\xb5\x65\x43\xe5\x9b\x7d\x62\x8b\xa1\xe2\x2f\x24\x53\xc3\x8b\x78\xce\xf3\x82\x8d\xe9\x6f\xc9\x0e\x9b\x55\x23\xec\x42\xc8\x2b\x8c\x32\x9f\x46\xcd\x3a\x3d\x1f\x1f\x40\xde\xb4\xdf\xf7\x7b\x11\xe4\x9b\xd6\xf5\xc5\xb7\xa1\x17\xd1\x4a\x5d\x40\x43\x97\x7a\x18\x82\x1f\x20\xc8\x7c\x83\x41\xe6\xef\x4f\xf7\x9e\xc0\x42\xff\x3f\x11\xf6\x5e\x43\x4e\x10\xf6\xde\x43\xe2\x92\x87\xab\x77\x5f\x5c\xe6\xbe\xbc\xab\x99\xb8\x7c\xcc\x0f\x62\x6f\x2a\x21\x27\x64\x14\xfb\xe6\x09\x48\x88\x61\x87\x18\x76\x88\x61\x87\x18\x76\x88\x61\x87\x18\x76\x88\x61\x8f\x8f\x61\xef\xbe\x56\x51\xfc\xd6\x5d\xcd\xb4\x8a\xc3\x09\x91\xed\x4d\x75\x8d\x82\x08\x6d\xdf\x14\x55\x03\x02\xdb\xfb\x4d\xc1\x81\xc0\x76\x08\x6c\xdf\xe4\xc0\xf6\x0f\xa4\x36\x6f\xb3\x7c\xcb\xe1\xef\xdd\x5f\x73\x4a\x67\xd0\x34\x9e\xca\x9e\xf2\x6d\x53\x8f\x87\xa3\xe1\x9b\x95\xd3\x18\x0e\xdf\xf6\x60\xf5\x77\x0c\xa0\xdd\x02\x68\x2f\x55\xe8\x4d\x36\x5b\x6d\x5a\xc9\x07\x7d\x24\xc1\x36\xfe\x6a\x1a\x7f\x25\x8d\xee\x0b\xdd\x34\xe5\xdd\x93\xc9\x94\xb9\xca\xc7\x14\x4f\xdf\x58\xa0\x2a\xbc\xf9\x72\x8f\x96\x89\x7b\x36\xe6\xa1\xa9\xf9\xd9\x73\xec\x86\xf6\x2d\x83\x0d\x05\x4d\x36\x14\x34\xd9\x4a\x41\x25\x03\x5d\x14\x23\xfb\x1c\x3a\xc3\x47\xf6\x29\x74\x02\x1d\xdb\xc0\x6a\xe6\x7d\x63\xd2\x80\xc5\x7f\xb5\x07\xdd\xe7\x39\x35\x5b\x54\x77\x49\xd5\xe2\xde\x4f\xf8\xf7\xf6\xe0\xdf\x1c\x08\xbc\x95\x47\xd6\xce\x18\x30\x4f\xf5\xa7\xe4\xa3\xb9\x27\xd8\xad\x5e\x52\x6c\xff\xe7\xad\x96\x40\xe0\x39\x34\x2d\xba\xe2\x38\x9a\xe4\x5d\x71\x00\x4d\xa0\x7d\x89\x07\xa2\x86\xbe\xb8\xa5\x3c\x02\x17\x92\xe5\x41\x0e\x0f\xc7\xa4\xf5\xf6\xde\xb2\xae\x83\x96\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\x92\x09\x80\x37\x2f\x78\xf3\x82\x37\x6f\xb7\xbc\x79\x7f\x61\x04\x1d\x6a\x29\x99\x80\xd8\xe3\x55\x55\xcb\x77\xe0\x7d\x69\x04\xff\x7e\x28\x8f\xc0\x4f\xca\x3c\x02\xe1\xe4\x01\xa6\x27\xc9\x3c\x3e\x37\xcd\x4b\xb9\xa0\x5a\x6d\x49\x1c\x30\x1a\xe8\x2d\x5c\x37\x93\xab\x1c\x53\x7d\x02\x85\x6c\x28\xa2\x03\x87\xca\xce\xe7\x1e\x89\x4d\x3b\xe0\xd7\xb1\xd7\xd1\xe0\x66\xa4\x19\x38\x9f\xcc\x09\x87\xf1\x9e\x7a\x4e\xe8\x37\x69\x94\x12\x36\xb7\x52\xf0\xaf\x04\x4c\x08\x98\x10\x30\x21\x60\x42\xc0\x84\x80\x09\x01\x13\x02\x26\x04\x4c\x08\x98\x10\x30\x21\x60\x42\xc0\x84\xdd\xc6\x84\x87\xd0\x01\x3c\x91\xdd\xe7\xbb\x6e\xdd\x1f\x71\xdd\xf2\x36\x77\xb7\xc3\xd1\x25\x00\x30\x01\x60\x02\xc0\xdc\x42\x00\xf3\xcf\x87\xd1\xac\x4c\x47\xa0\x33\x25\xdb\xa0\xa6\x4d\xca\x06\xf7\xe4\x67\xcf\xf8\x69\x09\x24\xde\xac\xd6\x5c\x95\x69\x50\x37\xc9\xe2\x32\xa5\x37\x22\x7b\x52\x07\xff\xd0\x30\xfe\xe0\x36\xf4\x5d\xb1\x45\x5d\x5b\x29\x64\xde\xd3\x62\xb2\xd4\x0b\xf2\x2d\x57\xc5\x5b\xa6\xc3\x6f\x69\x53\xce\xd4\xe3\xfc\x81\xa9\xb8\x9a\x5e\x29\xac\xf5\x7e\xc8\xa0\x1a\x8f\x36\x5b\x49\x74\x7a\xfd\xc5\x64\xfe\xf9\x34\x5e\x88\x49\xb3\xba\xd6\xe8\x94\x94\x74\xad\x4e\x03\x16\x0a\x2c\x14\x58\x28\xb0\x50\x60\xa1\xc0\x42\x81\x85\x02\x0b\x05\x16\x0a\x2c\x14\x58\x28\xb0\x50\x60\xa1\xe0\x32\x09\xc4\x11\x88\x23\x10\xc7\xae\x11\xc7\x77\xaa\xe8\xc9\x96\x88\xa3\x48\x84\xba\x36\x70\xfc\x99\xe7\xf1\xc7\x86\xd0\xc3\xcd\x80\xa3\xc8\xc9\x32\xb9\x76\xd0\xf3\x5a\xdc\x28\x77\x9c\x3d\xdb\x84\x12\xf2\xd2\xd7\x7a\xba\xc7\x31\x61\x11\x98\x18\x30\xb1\x22\x30\x31\x60\x62\xc0\xc4\x80\x89\xf5\x0d\x13\x2b\xf6\x0c\x13\x6b\x7b\x4d\x36\xcc\xc4\x8a\xc0\xc4\x80\x89\x01\x13\x03\x26\x06\x4c\xac\xfb\x4c\xac\xd8\xd7\x08\xab\x08\x08\xab\x73\x08\xab\xd8\xeb\x08\xab\xb8\x05\x11\x56\xe9\x5d\x29\x74\x5d\xf8\x57\x69\x48\xe5\xfe\x55\xdf\x8d\xde\x82\xae\x36\xcd\x2a\x17\x0f\xba\xbc\x2c\x95\x49\xce\x66\x89\x9e\x57\x09\xd9\xe2\xae\xbf\x3d\xd9\xe9\xea\xad\xf8\xcd\x6d\x72\xb4\x6a\x48\x5c\x99\xfd\x47\x94\x04\xe8\x9e\x10\x2b\x9c\xa2\xae\xcd\xe2\x4e\x8a\xdb\x36\x9d\xc6\x09\x78\x66\xa0\x32\x22\x75\x39\x8b\x9f\x46\x0b\x1d\x18\x04\x90\xce\x18\x8e\xaa\xd9\xe0\x51\x35\xbf\xb7\xc6\x51\x35\x4b\x42\x84\x5d\x43\xcf\x72\x11\x76\x15\x75\x66\xf4\xa2\x1b\xe2\x64\x1a\x1d\x2d\x06\x27\xd3\x74\xec\x65\x15\x91\xa2\x9e\x20\x2d\x94\xa2\xbe\x53\x6f\x4b\x16\xc0\x16\xdd\x7c\x01\x9c\xfb\x3f\xc7\x92\x04\x70\x41\x1e\x61\x10\x3a\x0f\x22\xc1\x0b\x3b\xf7\xa4\x3c\x1b\x67\x0d\x61\x3c\xed\x97\xd6\x45\xb1\xdc\x99\x13\x73\x00\x92\x03\x24\x07\x48\x0e\x90\xbc\x7f\x20\x39\xe8\x9c\x09\x3a\x67\xef\x58\x11\xe0\xb4\xb2\xae\x9c\x56\x06\xc6\x1a\x30\xd6\x80\xb1\x06\x8c\x35\x60\xac\xe9\x6b\x63\x0d\x1c\x5a\x09\x87\x56\xc2\xa1\x95\x9d\x3a\xb4\x12\x6c\xa1\x60\x0b\xed\x57\x5b\x68\xa9\xdc\xe6\xf3\x5a\x93\x0c\x87\xb9\x78\x6e\x7d\x2f\xbe\x47\xcc\xe6\x40\xd2\x6e\x36\xc3\x6e\xff\xb1\x75\xaf\x0c\x05\x27\xa6\x89\xd4\x26\xc2\xab\x1d\x7f\x66\x08\xff\x48\x28\x2f\xf3\x0b\xad\x65\x2c\xe1\x39\x32\xda\x94\x9a\xe4\xf1\x50\x5e\x65\x5e\xee\x9c\xe1\xb8\x5b\xed\xe0\xb5\x9e\x4d\x41\x72\x2e\x79\x20\x3f\x8e\xb3\xf5\x29\x98\x45\x05\xc2\x89\x49\x20\xa3\x08\x44\x4f\x40\x46\x11\x30\x0c\x81\x61\x08\x0c\x43\x7d\x64\x18\x82\x8c\x22\x90\x51\x04\x80\x3c\x00\x79\x00\xf2\x00\xe4\x7b\x02\xc8\x43\x46\x11\xc8\x28\xb2\x55\x10\x24\x64\x14\xe9\x44\x46\x91\xdf\xb8\x86\x8e\x8b\x8c\x22\x1a\xb1\x65\x29\xc4\xa9\x4f\x24\x12\xbe\x66\x94\x4d\xc3\x2c\x7b\xc2\x1a\xbf\xef\x1a\xfe\xb3\x3d\xe8\xbe\xf0\x1d\xbe\x6b\xec\xe1\xb5\x93\x87\x4c\x07\xcf\x2c\x88\x52\x2f\x8b\x52\x73\xfb\xd8\x83\xa1\xcb\x8e\xe7\x15\xdb\xec\x89\x1e\x27\x7a\x90\x2d\x04\x78\x17\x64\x0b\x01\xde\x05\xbc\x0b\x78\x57\x1f\xf1\xae\x1e\xf2\xf3\xed\x19\xde\x05\x0e\xa8\xc0\xbb\x80\x77\x01\xef\x02\xde\x05\xd9\x42\xc0\x43\xee\xf6\xc1\x53\x3d\xef\x21\xb7\x25\xb3\x85\xac\xa2\xe7\x84\x27\xd4\x55\xf4\x34\xf7\x84\xba\x84\x2e\xa0\xf3\x4d\xc3\xd1\x23\x0c\xcb\x8b\x42\x6f\x0a\x8d\xda\x92\x20\xe4\x85\x64\x97\xa8\x8b\x78\x4e\xba\x44\xc5\x30\x36\xef\x98\xfa\x66\x95\x8c\x49\x0a\xf2\xe3\xa8\x09\x6f\xcb\xfa\xb9\x40\x9a\xa3\xb5\x09\x71\xcf\xa6\xc0\x35\xc1\xc2\x9e\x45\xdf\x8d\xde\x52\x97\xfc\x63\x16\x9d\x6b\x53\xa7\x42\xf0\x25\x24\xfc\xd8\x60\xc2\x8f\x9f\x4d\xa3\xb7\x0a\x69\xb3\x80\xde\xc4\xa5\xcd\x79\xd4\xbe\x81\x89\xae\x89\x5c\x1e\x6f\x46\x57\x82\x5c\x1e\x6d\x7d\xc1\xf3\x22\x7f\xc7\x5b\xd0\xd5\x50\xfe\x8e\xb6\xbe\x61\xe3\xc2\x52\x24\xf3\xe8\xbe\xb0\xcc\xfd\xef\x63\x4d\x84\x65\x3e\x36\x6f\x47\x73\xc1\x79\x5c\xdc\x1f\x27\x38\xfd\x12\xba\x25\x42\x21\x51\x07\xf0\x69\xe0\xd3\xc0\xa7\x81\x4f\x43\xa2\x0e\x48\xd4\x01\x89\x3a\x20\x51\x07\xd8\x49\xc0\x4e\x02\x76\x12\xb0\x93\x80\x9d\xa4\x2d\x76\x12\x48\xd4\x01\x89\x3a\x20\x51\x07\x24\xea\x00\x33\x24\x98\x21\xfb\x28\x51\x47\xf7\xf9\x74\xfb\x93\x73\x7c\x75\x08\x1d\x10\x1e\xfd\xf6\xa2\xaa\xe5\xbd\x06\x89\x3d\x20\xd4\xa6\x15\xb2\xc8\x36\xb5\x66\xd9\xc1\x3f\x34\x84\x3f\x38\x88\x1e\x64\x4f\x4d\x85\x1f\xf2\x89\xf9\xc8\xda\xee\xfc\x97\x69\x85\x14\x45\x61\x39\xee\xf9\x7f\xb9\xbe\x24\xc9\xcb\x43\x37\x6e\xb5\xcc\x1c\x1a\x7a\x52\x0c\xde\x29\x74\x8a\x0f\xde\xa3\xe8\x30\x3a\xd8\xd4\xbc\xc2\x7b\xc0\x33\xab\x84\x3e\xbb\x25\xcb\xb3\x91\x3c\x18\xcf\xe2\x19\x39\x18\x9b\xf6\xb5\x1c\x92\xa1\x97\x37\x0e\xc2\x24\x23\x37\xa4\xeb\x80\xf0\x05\x48\xd7\x01\xe6\x21\x30\x0f\x81\x79\xa8\x8f\xcc\x43\x90\xae\x03\xd2\x75\x00\x96\x07\x2c\x0f\x58\x1e\xb0\x7c\x4f\x60\x79\x48\xd7\x01\xe9\x3a\xb6\x0a\x88\x84\x74\x1d\x9d\x48\xd7\xf1\xea\x08\x3a\x21\xe0\x9e\x6a\x59\x4e\x90\x7f\xd7\xf4\x09\xda\xf8\xf7\xf8\x7f\xbf\x7d\x5c\x27\x56\x85\xae\xb2\x05\x58\xfe\xfe\x76\xfc\x2f\x46\xf0\x1f\x0d\xa2\xed\xec\xf1\x6b\x2b\x85\xcc\x67\x53\xb2\xf9\x43\x89\x79\x4d\x4f\xa0\x79\x64\x6f\xc6\x2f\xa6\x2d\x59\x7a\x47\x03\xfd\x85\xeb\x68\x72\xb5\x63\x2a\x50\xa0\x98\x0d\x45\x74\xe1\x50\xd9\xf9\xdc\xa3\xfc\x75\x53\x96\xe5\x5c\x29\xf8\xe8\x50\x0f\x2a\xd9\xeb\x10\x71\x33\xd2\xfb\x3e\x1a\x4f\xf8\x76\xe0\x3b\x78\xc5\xd0\xf5\x8b\xc9\xb4\x71\x2f\x1e\xf1\x72\x54\x5b\x96\x23\xc1\x62\xd0\xec\x90\xe1\x17\x90\x21\x20\x43\x40\x86\x80\x0c\x01\x19\x02\x32\x04\x64\x08\xc8\x10\x90\x21\x20\x43\x40\x86\x80\x0c\x37\x13\x19\x1e\x46\x07\xf1\xfe\x6c\x61\x47\x0a\x0f\x5a\xaa\xbb\x9c\x79\x80\xc7\x75\xcb\x5a\x04\x9b\xb7\xec\x20\xfb\x3d\x27\xa5\xf6\x47\x52\xa9\xd2\xf3\xe8\x39\xfc\x4c\xf6\xad\xfe\x83\x93\xb2\xca\x22\x2e\x9c\x69\x46\x35\x77\x59\x71\x34\x6a\x91\x51\xc5\xa9\x69\xcb\xac\xdb\xb8\xea\x4b\xd4\xaa\x60\x23\x96\x4d\x79\x13\x65\x77\xfa\x4c\x22\xfc\x06\xa0\x99\x40\x33\x81\x66\xf6\x31\xcd\xfc\xb9\xe7\xd0\x4c\xab\xae\x8a\x4d\x08\xa7\x4d\x2b\xc4\xc1\x7f\xf1\x2c\xfe\x89\x3d\x6b\xb9\x2e\x66\x93\x5d\x17\x73\xb9\xb5\x7c\x16\x03\xce\xc8\xee\xed\x71\xc2\x08\xe9\x86\x01\xbe\x41\xba\x61\x80\x6f\x00\xdf\x00\xbe\xf5\x11\x7c\xeb\xa1\x6c\x05\x3d\x03\xdf\x20\x8c\x1e\xe0\x1b\xc0\x37\x80\x6f\x00\xdf\x20\xdd\x30\xc4\xf9\xde\x3e\x40\xaa\xe7\xe3\x7c\xb7\x64\xba\xe1\x67\xd0\x94\xf0\xcc\x9a\x44\x47\xb8\x67\xd6\x04\xda\x87\xf2\xad\x87\x77\xb6\x25\xa3\xf0\x62\xb2\x27\xd6\x29\x7c\x62\x1d\x71\x9f\x31\x29\x84\xff\xd5\xce\xb5\x68\xd9\xdd\x7e\x1e\x61\x0e\xc6\x46\xc5\x3f\xbb\x8c\xc6\x04\xc9\x3a\x8d\x4e\xa2\xe3\x75\xc9\x82\x47\x51\x6e\x1d\x11\xb7\x90\xe3\x0d\xf2\x01\x6f\x2c\x1f\xf0\xd7\x53\x68\x5a\xa4\xd4\x3d\x8e\x26\x43\x29\x75\xf3\x68\x5d\x23\xb0\xa9\x40\x40\x27\x84\xb0\x39\x84\x0e\x70\x61\xb3\xde\x72\x8b\x22\xa1\xf0\x31\x74\x34\x48\x28\xbc\xce\x32\x5a\x4d\xdc\xdb\x05\x99\x94\xfb\xf6\xe8\x5a\x32\xe9\xc1\xd8\x74\xbd\x5c\x3e\x1d\x12\x97\x9a\xc9\xa7\x20\x3d\x6f\x47\x25\x15\xe4\xe4\x05\x88\x0b\x10\x17\x20\x2e\x40\x5c\xc8\xc9\x0b\x39\x79\x21\x27\x2f\xe4\xe4\x05\x63\x02\x18\x13\xc0\x98\x00\xc6\x04\x30\x26\xb4\xc5\x98\x00\x39\x79\x21\x27\x2f\xe4\xe4\x85\x9c\xbc\x60\xab\x03\x5b\x5d\xdb\x73\xf2\x36\x65\xd4\x6d\x4d\xd6\xbb\x91\x9c\xbc\x5d\x40\xcf\x5b\x30\xd6\x05\xbf\x6f\x18\x15\xbc\x4c\x20\x86\x4d\xca\x06\x13\x48\x51\xc7\x79\x99\x1b\x44\xba\x12\x1b\x1a\x71\xf0\xef\x0c\xe1\x2f\x0e\x22\x5c\xf7\xc8\xb5\x95\x42\x66\x45\x6a\xba\xa6\x6e\xac\x18\x7a\x4d\xad\x44\x52\x82\xf8\xbb\xca\xa9\xf9\xd9\x05\x51\x58\x5b\x52\x81\xe4\x73\x8f\xcb\x64\x1e\x91\x0a\x5d\x29\x04\xef\x99\x33\xda\x78\x7c\xde\x6d\x94\xd1\x63\x77\xfc\x1c\xba\x0b\x23\x5e\x31\x61\x4b\x7e\x3e\x79\xf2\x9c\xc0\xc7\xc4\xdc\x08\x9a\x1c\xf9\x69\x3e\xe2\x46\x16\xe4\xf9\x80\x50\x03\xc8\xf3\x01\x56\x2a\xb0\x52\x81\x95\xaa\x5f\xad\x54\x90\xe7\x03\xf2\x7c\x80\x75\x00\xac\x03\x60\x1d\x00\xeb\x40\x4f\x58\x07\x20\x99\x06\x24\xd3\xd8\x2a\x3c\x14\x92\x69\x74\x22\x99\xc6\x3f\x0e\xa1\x11\x01\x04\x35\x4a\x6d\xdd\x30\xe3\x69\x20\xb7\x11\x3a\xf8\x37\x87\xf0\xaf\x0c\xa2\xd7\x87\x6f\xbd\xb6\x52\xc8\xbc\xd0\x1a\x05\x9c\x63\x85\xb4\x09\x00\x8e\xf2\x07\xa6\x43\x15\xb9\x52\xe0\xe5\xcf\x19\x8e\xbb\xd5\xce\x07\xdb\x0c\x10\xf8\xe6\x64\xc6\x77\x10\xef\xf7\x0e\xad\x6b\x1c\x1b\x12\x8d\xf3\x36\x8f\xb0\xbd\x96\x10\x23\x00\x40\x00\x80\x00\x00\x01\x00\x02\x00\x04\x00\x08\x00\x10\x00\x20\x00\x40\x00\x80\x00\x00\x01\x00\x02\x00\x04\x00\x08\x00\x10\x00\x20\x00\xc0\x6e\x01\xc0\xbf\x4f\xa3\x47\xa4\x47\x60\x7c\x22\xdd\x71\xfc\x5f\xd3\xf8\xbf\xa4\xd1\x2e\xb5\x2e\xc2\x3e\xf3\x86\x32\x71\xa3\x6b\xad\xf8\x8a\xdc\x23\x65\xe2\xd6\xc5\xd4\x4f\xcd\xcf\x7a\xbb\xbb\xf6\xe1\xb8\xc9\x86\x82\x26\x1b\x0a\x9a\x6c\xa5\xa0\x92\x85\x9e\x16\x04\xee\x22\x9a\xe3\x04\xee\x2c\x9a\x41\xc5\x0d\x10\xb8\xd0\x77\xb6\x92\xd6\x05\xff\xcd\x30\x9a\x13\xcd\xbf\x54\xa1\x37\xd9\x5a\x68\xd3\x4a\xde\x67\x2b\xf5\xf9\x8c\x05\x8d\xb5\x6c\x83\xda\x86\xbb\x5a\x21\x2b\xa4\x12\xd9\x7b\x3b\xf8\x93\xc3\xf8\x07\xb7\xa1\x87\x42\xa5\x4d\x79\x85\xf9\x59\x11\xde\x9d\x6a\x0d\xd8\xce\xcb\xf7\xcc\xb1\xf7\x4c\x87\xdf\xd3\x26\x8a\x7b\x92\x3f\x70\x36\xa6\xae\x32\x0b\x43\xf3\x1a\x6c\x0d\x07\xcf\xa6\x0e\xd2\x6d\x07\xbe\x1e\xd7\xfd\x9e\x64\xae\xfb\x66\x7c\x45\xc0\xdb\xe6\xad\xdb\xe8\xed\x2c\x49\xf0\x5a\xa3\x14\xd0\x2f\xa0\x5f\x40\xbf\x80\x7e\x01\xfd\x02\xfa\x05\xf4\x0b\xe8\x17\xd0\x2f\xa0\x5f\x40\xbf\x80\x7e\x01\xfd\x02\xfa\x05\xf4\x0b\xe8\x17\xd0\x6f\x6f\xa1\xdf\x0f\x8f\xa0\xb3\x82\x3d\x8a\xcc\x18\x75\x94\xb1\xc9\xd9\x69\x16\xd5\x75\xc3\xb1\x6b\x7c\x7b\xbe\x58\xd3\xcb\xc4\x75\xf0\x17\x87\xf1\xd7\x06\xd1\xeb\x44\x39\x3e\x67\xfc\xa7\x2d\x62\x46\xaa\xcf\xf8\x25\x16\x79\x89\x6d\xe2\x8b\xfb\xf9\x03\x22\x6b\x47\x43\xde\xe9\x98\xd7\x6e\x0d\xa8\xd8\xa3\x51\xe3\xcf\x25\x93\xc7\x63\xf8\xa8\xe4\x88\x62\xa4\x48\x27\xd2\x98\x9e\x88\x49\xb7\x00\xdc\x10\xb8\x21\x70\x43\xe0\x86\xc0\x0d\x81\x1b\x02\x37\x04\x6e\x08\xdc\x10\xb8\x21\x70\x43\xe0\x86\xc0\x0d\xbb\xcb\x0d\xb7\x5e\xda\x3b\x20\x93\x40\x26\x81\x4c\x6e\x21\x32\xf9\x81\x11\xb4\x8f\x75\xdd\xf8\x4a\xa1\x19\x86\x14\xfb\xc7\xaa\x6a\xc9\x9f\xdf\x8e\x7f\x7f\x18\x7f\x3d\x8d\xb6\x6b\xd4\x26\xd7\x56\x0a\x99\x87\x6c\xa2\xea\x75\x3b\x5b\xe1\xe3\x76\x41\xb5\x72\x0f\xb3\xab\xd3\xd4\x26\x57\x42\x44\xd0\xbf\xdc\xde\x43\x9e\x4a\x6f\x5e\xdf\x99\x5d\xec\x0b\xf2\x2b\x85\xbc\x5f\x9d\x44\x3e\xf7\x70\x3c\x9f\xbb\x03\x0f\x96\x89\x8b\xae\x9f\x4f\x26\x73\xc3\x78\x8f\x24\x73\xd9\xac\xa4\x72\xc1\xeb\xc3\xe1\xdd\x99\x4f\xee\x08\xda\xf8\x51\x9b\x58\x15\x55\x23\x4d\x9b\x59\x91\x37\x74\xa9\xa5\xd7\x7d\xf0\x5f\x43\x53\xc3\x41\x32\x70\xf0\xdf\x06\x0f\xfe\xfb\xc1\xd4\xad\x4e\xf3\xf5\x1f\xcd\xd7\x4e\x51\x61\xd5\xda\x2c\x2a\x72\xff\xf0\xfa\x40\x54\x60\x99\xc1\x5d\x0d\x49\x87\x47\xc5\x6f\xdd\x12\x0e\x9d\x39\x6b\x0f\x04\x46\x82\xc0\x80\xf3\x9e\xba\x72\xde\x13\x1c\xf4\x01\x07\x7d\xc0\x41\x1f\x9d\x3a\xe8\xa3\xf4\xf9\x54\x97\x4e\x3b\x40\x97\xc5\xe9\xc1\xe7\xd1\x6c\xe8\xf4\xe0\xf6\x9c\xa0\xa0\xc4\x2f\xfe\x3b\xf1\x76\xd1\x4c\xad\xae\xff\xe1\x55\xbe\xb9\x2e\x50\xfc\xc3\x3b\x83\xf5\x7f\xd8\x52\x6d\xd7\xe0\x86\x41\xb1\x57\x6c\xba\x67\x78\xc4\x12\xa9\xbd\x3a\xae\x14\xbc\xb1\xbe\xa0\x31\xfe\xe6\xbd\x3c\x90\xf0\xa1\xf0\xc5\x2a\xb1\xcb\x24\x7c\x75\x4f\xf8\x2a\xcf\x74\x4f\xca\x86\x36\xd6\x70\x5f\xa4\x14\xf6\xf7\xaa\xbc\xca\x6a\x59\xbc\x88\xe6\x50\xa9\x6e\xb7\x32\x89\x8e\x6c\xa0\x9b\xe7\xb9\xc5\x1c\x54\x91\x04\x55\xe4\x33\x03\xe8\xd3\x03\xf8\x53\x03\x99\x4f\xf8\xf2\xfc\xa5\x81\xfe\xd9\xbb\xd4\x19\x19\x58\x3b\x73\xa3\x39\x37\x84\xb1\xc1\x19\xb8\xce\x0c\x37\x19\xb8\x23\x7c\x59\x12\x3e\x16\x6a\x85\x3f\xc9\xf4\x2f\xf1\x34\xbf\x83\xeb\x42\x8e\x32\x5c\x72\xa8\x39\x2f\x7c\x48\x2e\xb0\x69\x21\xff\x5e\xf0\x26\x4b\xf0\xe3\x48\xf3\x4d\x55\xf1\xb5\x14\x7a\x35\x85\x5f\x49\x65\xbe\xe0\xd3\xab\x4f\xa6\xce\x52\x5b\xe3\x6a\x5a\x99\xf2\x66\xa7\x4a\x76\x89\xfd\x94\x55\xa6\x22\x5f\xc1\xb9\xa4\xd0\xa8\x6a\x4e\x60\x2d\x1f\x53\x35\xfe\xe1\xdc\x07\xa1\x62\x68\x72\xc5\x24\x15\xdd\x51\xe8\x4d\xd9\xa6\xc2\x46\x6f\x11\x6a\x55\x48\x5e\x11\x6f\xe4\x4e\x3f\x5e\x5f\x72\x3e\x18\xdb\x00\xfe\xeb\xb3\xdb\x78\xb5\x22\x0e\x2c\x1d\x67\x41\xed\xdc\xc1\x5d\x7f\x34\x7e\xc1\xd8\x81\xef\xe0\x9f\x8a\x4a\x87\xd0\x01\x3c\x91\xdd\xe7\x1b\x03\xee\xe7\x73\x47\x4e\x64\xbf\xd0\xec\x20\xfb\x39\x8c\xf8\xb7\x9e\x11\x01\xbf\x6f\x3b\x3a\x94\x00\x25\x2d\xaa\x7b\x38\x72\xdc\xa2\xb6\xbb\x44\xed\x9b\xaa\xad\xe3\x2f\xdf\x81\x7f\x2c\x84\x26\x73\x1a\x35\x4d\xf6\xb5\xe7\xce\x3c\x15\x4c\x39\x97\x2a\xa1\x67\xa4\x63\x64\x6e\x58\xde\x2b\xd6\xc3\x73\xc4\x8d\x38\x30\xce\x07\x0f\x4c\xb0\x3d\xae\xe0\x8d\x87\xd1\x43\x62\x8c\xdd\x8f\xee\xe5\x63\xec\x6e\x74\xe7\x4f\xa5\x76\x20\xf9\x31\x89\x43\xe8\x6a\xf2\x10\x3a\x80\x27\xea\x87\x90\xac\xce\x59\x51\x1d\xb9\x3d\x8e\x0e\xa7\xc7\xe2\x87\x13\xc2\x3b\xe4\x57\xa2\xec\xbf\x0d\xb5\xd3\x5e\xaf\x9d\xe6\x2f\x2d\x24\x36\xd4\x48\xa4\xa1\xe6\xa9\xd3\x5a\x4b\x35\x55\xea\xd6\x6c\xc2\x1e\x68\xa9\x52\x11\x9d\xc6\x27\xb3\xc7\xfd\x29\xf4\x58\x78\xea\xc5\xbe\x62\x33\xa6\xe1\x5b\xd0\x55\xfc\x74\x66\xc1\x9b\x86\x87\xe7\xa4\x5b\x08\xeb\x41\xde\x95\x5e\x37\x5e\xf6\x56\xa3\x90\xa9\xfa\x2a\x59\x5c\xa0\xda\x0d\xe2\x3a\xd9\x6d\xfc\x81\xf0\x8e\x17\xff\x64\x06\x15\x13\x26\xa4\x4d\xfc\x55\x4c\x46\xad\x57\x88\xed\x4f\x51\x47\x53\x2b\x04\xff\xf7\x07\xf1\xf7\x0d\x04\x83\xae\xc0\xed\x06\xfc\x92\xd7\x98\x81\x96\x7a\x39\x28\x6f\xda\x2f\x2f\x97\x8f\x33\x26\xc4\xde\xba\xc0\x8a\x6d\xb3\x75\xe1\xbb\xd1\x69\x31\x54\x8f\xa2\xc3\x7c\xa8\x16\xd0\x38\x1a\x6b\xba\xa2\xa8\x35\x97\xb2\xaf\x33\xcc\x32\xdf\x20\xb0\x1a\xdd\xaa\x81\x61\x3e\x79\x1a\x8c\xe1\xbd\xde\xf9\x50\x41\x05\xe4\x7c\x10\x75\x88\x58\x19\x7e\x2f\x64\x65\x38\xe0\x59\x19\xd6\xd5\x29\x85\x26\xa6\x87\x6e\xf5\x4b\x71\x1a\x4d\xa1\x53\x75\xda\xfd\x7a\x3b\x06\x54\x7a\x30\x47\x6c\xd0\x1c\xf1\xc3\xa9\x36\xc8\x85\x33\xc2\x22\x71\x12\x1d\x0f\x2c\x12\x1d\x10\x2f\x6d\x97\x1f\x09\x66\x8e\xe2\xfb\xee\x0a\xc4\xcb\x89\x06\x32\xb1\x2e\x39\x33\x1e\x8b\x2b\xba\x21\x65\x80\x5f\xf4\x9b\xb0\x03\x7e\x01\xfc\x62\x93\xf9\x45\x37\xb4\xcd\x24\xea\xd0\xfe\xf5\xa2\x34\x81\xf6\xe1\x7c\x76\xd4\xdf\x08\xdd\x13\xde\x4c\xf1\xfb\x6f\x0b\x86\xf1\x1b\xc3\x81\x63\xd5\x9a\x51\x9e\xdc\x39\xcd\xe6\x82\x00\xff\xeb\x61\xfc\xe9\xc1\x60\xbd\x6c\xf1\xcc\xdf\x39\x56\xc2\x65\x76\xa1\x4d\xc1\x9c\xbb\x6f\xc6\x2d\xb4\xc1\x6b\x20\x78\xf3\x16\x82\x37\xe7\x92\x67\xd4\x08\x1e\x92\x67\x7e\xf8\x4d\x8e\xe2\x0d\x41\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x79\xfb\x84\x6a\x7e\x79\x18\x8d\x89\x24\x72\x8e\x4b\x6d\xb5\x4c\x1a\xce\x0e\xd6\x1c\xc3\xa4\x3a\xf1\xe3\x34\x7f\x68\x18\xff\xc1\x20\x42\xf2\xf6\x6b\x2b\x85\xcc\xcb\xf2\x3c\x8a\x30\x47\x34\x3d\x29\x49\x97\x94\x1b\x86\xa9\x2b\xd3\x0b\xb3\x17\xa9\xde\x1e\x98\x38\x1a\x68\x44\x5c\xeb\x93\xeb\x27\x53\xaa\x02\x55\x6f\x28\xa2\x5d\x87\xca\xce\xe7\xee\xe7\xaf\x5b\x10\x5f\x70\xa5\x20\xab\x06\xf0\x71\x3d\x28\xff\xa6\x40\xf9\x4f\x27\x83\xc7\x09\xbc\x4f\xb2\xc5\xe8\x10\xf3\x5c\x17\x45\xeb\x47\x79\x3e\x10\x48\x20\x90\x40\x20\x81\x40\x02\x81\x04\x02\x09\x04\x12\x08\x24\x10\x48\x20\x90\x40\x20\x81\x40\x02\x81\xec\x2e\x81\x3c\x80\x26\xf0\xbe\x6c\xde\x27\x90\xf7\x46\xe2\xc3\xc4\xce\xad\xd1\xb3\x0a\xa8\x22\x50\x45\xa0\x8a\x7d\x4c\x15\xbf\x38\x84\xee\x8f\xfa\x29\x3a\x44\xb3\x89\xeb\xe0\x9f\x1a\xc2\x9f\x08\x39\x23\xda\xad\x39\x23\x2e\xf0\xa7\xdb\xe4\x88\xf8\x44\xc8\x11\x51\x14\x3c\x67\x38\xee\x59\x6a\x4f\x55\x2a\xbe\x63\x62\xfb\x4e\x39\xbe\x8d\x0e\xa7\x6d\xc9\x15\xf1\xc9\x64\x22\xf8\x04\xde\x5d\x1f\x53\x29\x3a\x02\x20\x20\x40\x40\x80\x80\x00\x01\x01\x02\x02\x04\x04\x08\x08\x10\x10\x20\x20\x40\x40\x80\x80\x00\x01\x01\x02\x6e\x26\x04\x04\x9c\x07\x38\x0f\x70\x5e\x1f\xe3\xbc\x9f\x7b\x1e\x4d\x0b\x27\x41\x55\x67\xaa\xac\x41\x4d\x9b\x94\x0d\x9e\x78\x82\x3d\x13\xb8\x0c\x56\x6b\xae\xca\x34\x94\x9b\x64\x71\x99\xd2\x1b\x91\x3d\x9f\x83\xbf\x75\x0d\xff\xff\x87\xd0\x77\xc5\x16\x72\x6d\xa5\x90\x99\x14\x2a\xa4\x2d\x17\x3f\x4f\x3a\x7a\x2e\x84\x17\x64\xe1\x57\x45\xe1\xd3\xe1\xc2\x73\x87\xd9\xb3\x53\x71\x25\x5f\x29\xac\xf5\x60\x8f\x73\xbe\x22\x40\x30\x80\x60\x45\x80\x60\x00\xc1\x00\x82\x01\x04\xeb\x1b\x08\x56\xec\x19\x08\xd6\xf6\x9a\x6c\x18\x82\x15\x01\x82\x01\x04\x03\x08\x06\x10\x0c\x20\x58\xf7\x21\x58\xb1\xaf\x99\x55\x11\x98\x55\xe7\x98\x55\xb1\xd7\x99\x55\x71\x0b\x32\xab\xd2\x3f\x4b\x21\x22\xfc\xa0\x9e\x43\xcf\x70\x3f\xa8\x2b\xe8\x29\x74\xb9\x79\xa6\xc3\x58\xb2\xb5\x52\xc8\xaf\x05\x8f\xe6\x0c\x27\x39\x86\xf2\x91\x78\xaf\xa9\xed\x78\x9b\x70\x98\x7a\x31\xd9\x61\xea\x69\xbc\x10\x93\xaa\x6d\x2d\x18\x27\xdd\xaa\xd6\xaa\x3c\xca\xfe\x2e\x5a\x03\xc6\x3d\x21\x96\x34\x45\x5d\x9b\xbb\x1d\x15\xb7\x6d\x26\x79\x13\xa0\x4c\x47\x8b\xe8\xf9\xba\x6c\xb6\xf3\xe8\x62\x7b\x3b\x1c\x72\xdc\x42\x42\xef\x0d\x26\xf4\xfe\xf5\x34\x52\x85\x40\x7a\x2b\x7a\x33\x17\x48\x97\x51\xdb\xc7\x27\x5a\x12\x19\xbf\xaf\xa1\x67\x83\x8c\xdf\x9d\x78\x4f\x59\x9c\x72\xf6\x3c\x7a\x2e\x74\xca\x59\x27\x5e\xb4\x71\xe9\x6a\xd1\xd6\xa5\x6b\x9b\x24\x6a\xe4\xf8\xd4\x9f\x1a\x5b\x43\xba\x16\xe4\x41\x79\xa1\x53\x07\xe9\xd2\xda\x92\x76\x5a\x3c\xd2\x44\xd2\x4e\xfb\x05\x75\x51\xe6\x76\xe6\x48\x56\xa0\xdd\x40\xbb\x81\x76\x03\xed\xee\x1f\xda\x0d\x5a\x65\x82\x56\xd9\x3b\xe6\x00\x38\x0e\xbb\x2b\xc7\x61\x83\xd5\x05\xac\x2e\x60\x75\x01\xab\x0b\x58\x5d\xfa\xda\xea\xf2\xa5\x34\x7a\x2d\x8d\x5f\x4d\x67\x5e\xf1\x57\xdb\x8f\xa7\x67\x42\x51\xc0\x56\x85\xa8\x0e\xf1\xa7\xfe\x7c\xfd\x19\xf0\x11\x9f\x2b\xaf\xbb\x83\x30\x62\xd6\xe1\x85\xfc\xe1\xbc\xb2\x20\xe4\x88\x1b\x3e\xb7\x3e\x58\x45\x88\x3c\x1c\xdf\xf3\x01\xb3\x6b\x64\x7c\x49\xad\x78\xda\x7f\x56\x5c\xcd\x86\xce\xed\xf7\x5e\xa5\xea\xdc\x84\x41\xc7\x05\xd1\xd6\x03\xd5\x52\x14\x3e\xe4\x28\xa1\xe3\xfc\x59\x4b\xe5\x95\x33\x06\x17\x49\xa1\x8a\x53\xbb\xf1\xcb\x02\xb3\x91\x2b\xd4\x7d\xae\xfd\x51\x77\x39\x9f\xdd\x25\xea\x33\xe3\x9f\x97\x1f\x71\x26\x7b\xcf\x20\x7a\xd7\x20\x7e\xc7\x60\xe6\x3b\xbe\x47\xe1\x57\x06\xae\x4a\x39\xc8\x86\xe8\x32\xbd\x59\x7f\xb8\x3f\xeb\x7b\x5f\x51\x23\xf6\x12\xb5\xab\xac\x2d\x62\x6b\x7a\xa9\xee\xe5\xcd\x2b\xca\xd5\x1a\x4f\x27\x91\xa7\xfe\x1b\x4c\x5f\xd0\x0c\x3d\x50\xac\xf9\xda\x28\xce\x48\xf2\x5a\x97\x2d\x4e\x72\xe5\xf0\x56\xbf\x7c\xa8\x19\x3d\xb9\xe9\xdb\x6a\x7c\x3f\xc2\xe8\xcb\xf2\x8a\x40\x57\x5c\x16\x87\xb5\xd5\x21\xf1\x0d\x43\x6c\xcf\xc3\xff\x8a\x0e\x0c\xe7\x98\x32\x54\x54\xb5\x1b\x65\x9b\xd6\x4c\x9d\xdd\xc5\x1d\xf8\xf8\x4d\x75\x0d\x27\x94\x15\xa9\x01\x45\x0b\xf1\xbe\x60\xd1\x2f\xe9\x98\x32\x74\x96\xda\x24\x54\xac\xa2\xa9\x8e\xa6\xea\xec\xeb\x65\xfb\x08\x97\x4d\x5e\x9e\x23\xd4\xe9\x86\x02\x97\xfc\x32\xf2\xd9\x7b\xac\xfa\x71\x13\xd6\x6d\xc0\xa8\x09\x46\xcd\x3e\x35\x6a\x96\xca\x68\x4e\xe0\xf8\x33\x68\x9a\xe3\xf8\x13\xe8\x18\x3a\xba\x01\x78\xb9\xe0\xaa\x6e\xcd\x49\x04\xd5\xb9\x78\x50\x7d\x2f\xbe\x47\xcc\xe6\x40\xd2\x6e\x22\xb4\x6e\xff\x91\x65\x1f\x7a\x1e\x1d\x96\xb1\x03\x96\x41\x5e\x74\x89\xc9\x07\x58\x28\x66\x40\xab\x39\x2e\xad\x7a\xe3\x29\xd4\xfc\xf8\xab\xd7\xf0\x5f\xef\x41\xbb\x22\x0f\x5e\x5b\x29\x64\x0e\xad\x1d\x27\x30\xcd\x0b\xf4\xa8\xe1\x8c\x5f\x60\x6e\x2f\x8f\x11\x08\x97\x76\xa5\xd0\xec\x66\x88\x0b\x80\xb8\x00\x88\x0b\x00\x4b\x09\x58\x4a\xc0\x52\x02\x96\x92\x9e\xb1\x94\xf4\x8e\x21\x00\x08\x35\x10\x6a\x20\xd4\x40\xa8\x81\x50\xf7\x35\xa1\x06\x84\x06\x08\xad\x4f\x11\xda\x96\x8c\x0b\xf8\x57\x29\xb4\x22\xb8\x1f\x45\x55\xce\xfd\xca\x88\x20\xad\x19\xf7\x0b\x50\xd1\x98\xbf\x5f\x0f\x10\x60\x14\x69\xad\x14\xf2\xcd\x68\x52\x5b\x02\x05\x2a\xc9\x54\x70\x16\x9f\x93\xa7\x2a\x35\xa9\x48\xdc\x91\xef\x71\x60\x0e\x65\xff\x0e\xc5\x90\xb7\xc7\xfc\xa0\x80\xa6\x90\x6d\x4c\x06\x04\x74\x19\xb3\x09\x2a\x56\x43\x0e\x7a\xa1\x2e\x08\x40\x45\xd7\x3a\xdc\xbb\xe0\xbf\x05\x51\x01\x1b\x8c\x0a\xf8\x67\x03\xc8\x16\xe2\xe8\x06\x32\xb8\x38\xd2\x50\xe7\x07\x2c\xba\x29\xc2\x04\x2c\x64\x06\x61\x02\x5d\x79\xf1\x8b\x22\x6e\xe0\x05\x44\x43\x71\x03\x5d\x79\xf3\xad\x06\x12\xb4\x26\x7d\xd7\x12\xa9\xeb\x90\xcc\xb9\xf7\x8d\xc5\x48\xdf\xb1\xd8\xa0\x81\xa6\x92\xf8\xb0\x0c\x18\xa8\x93\xc4\xfe\xc3\x5d\x92\xc9\x10\x24\x00\xe8\x1b\xd0\x37\xa0\x6f\x40\xdf\x10\x24\x00\x41\x02\x10\x24\x00\x41\x02\x60\x82\x01\x13\x0c\x98\x60\xc0\x04\x03\x26\x18\x08\x12\x80\x20\x01\x08\x12\x80\x20\x01\xb0\x70\x82\x85\xb3\x07\x2d\x9c\x3d\x1d\x24\xd0\x55\x20\xdd\xfe\xc0\x80\xff\x35\x8a\x4e\x6e\x30\x30\x60\xfc\x7b\x4c\xb5\x4a\xde\x8e\x3f\x3b\x8a\xbf\x36\x10\xc3\xc9\xf7\xda\x44\xd5\xeb\xb6\xab\xcd\x83\x02\xd8\xcd\x9b\x62\xad\x2c\xbd\x37\xd5\xfc\x10\xcf\x4d\xb0\x0a\x79\x83\xf0\xe1\xf8\x41\x78\x07\x1e\x2c\x93\x6e\x1b\x42\x32\xef\x8b\x33\x43\xe7\x6d\x62\x55\x54\x8d\xb4\xda\xc7\xde\xfd\x60\x94\x06\x5e\x08\x46\xe9\x44\xa3\xf4\xbb\xd3\xfd\x65\x94\x4e\x5a\x95\x9b\x0b\x44\xab\xd6\xb2\x40\x6c\xd5\xf1\x26\x41\x38\xe6\x7e\x65\x57\x9c\x5f\x8e\xdc\x3c\xac\xe5\x97\x13\x6f\x0d\xde\xca\x36\x60\x90\x70\x09\x12\x0e\xec\x10\x5d\xb1\x43\x00\x80\x02\x00\x05\x00\xaa\x53\x00\xaa\xf4\xf9\x54\x9b\x77\xe1\x97\x85\x13\xda\x79\x34\x1b\x72\x42\xeb\xf0\xce\x5e\x89\xd7\x21\x76\xe2\xed\xa2\x99\xba\xbc\xaf\x2a\xfe\xfe\x5d\x31\x6a\xc4\x61\x4b\xb5\x5d\x83\x3b\xed\x08\xdc\xdf\xea\x06\x6b\xd4\x52\x5d\x6d\xb9\xeb\xba\xc5\x1b\xeb\x0b\x1a\xe3\xf5\xd8\xcb\xfe\x9c\x7c\x28\x7c\xb1\x4a\xec\x32\x09\x5f\xdd\x13\xbe\xca\xb3\x26\x90\xb2\xa1\x8d\x35\xdc\x17\x29\x85\xfd\xbd\x2a\xaf\xb2\x5a\x16\x2f\xa2\x39\x54\xaa\xdb\xda\x4d\xa2\x23\x1b\x18\x46\xf3\x3c\xca\x1b\x34\x9a\x04\x8d\xe6\x33\x03\xe8\xd3\x03\xf8\x53\x03\x99\x4f\xf8\xcb\xc2\x4b\x03\xfd\xb3\x67\xab\xb3\xca\xb2\x76\xe6\xde\x6e\xdc\x73\x80\x0d\xce\x20\xdd\xc3\x70\x93\x81\x3b\xc2\x57\x37\xe1\x1c\xa9\x56\xf8\x93\x4c\x8d\x13\x4f\xf3\x3b\xb8\x4a\xe5\x28\xc3\x25\x87\x9a\xf3\x22\xef\xc1\x05\x36\x2d\xe4\xdf\x0b\xde\x64\x09\x7e\x1c\x69\xbe\x99\x2c\xbe\x96\x42\xaf\xa6\xf0\x2b\xa9\xcc\x17\x7c\xc6\xfb\xc9\xd4\x59\x6a\x6b\x5c\xdb\x2b\x53\xde\xec\x54\xc9\x2e\xb1\x9f\xb2\xca\x54\xe4\x2b\x38\x1c\x17\x8a\x59\xcd\x09\xdc\xdc\xc6\x54\x8d\x7f\x38\x77\x1e\xac\x18\x9a\x5c\x78\x49\x45\x77\x14\x7a\x53\xb6\xa9\x70\xae\xb3\x08\xb5\x2a\x24\xaf\x88\x37\xf2\x44\x15\x5e\x5f\x72\x48\x1d\xdb\x00\xfe\xeb\xb3\xdb\x78\xb5\x22\x11\x24\xef\x4d\x6d\xca\xee\x38\x69\x81\x79\x34\x7e\x81\xd9\x81\xef\xe0\xdf\xd4\x6d\x5e\x7c\x06\x4d\xe3\xa9\xec\xa9\x1d\x29\x3c\x68\xa9\xee\x72\xe6\x71\x3e\x25\xa5\x7c\x68\x56\x44\x76\x90\xdd\x95\x93\xa3\xe7\x23\x1d\x38\x7b\x1a\xff\xda\x08\xda\x27\xb0\xb3\x49\xdc\x9b\xd4\x66\xd3\x3e\xc4\x9c\x0d\xb3\x6c\x13\xc7\xd1\x2a\xaa\xe3\x10\x1f\x34\xff\xc0\x08\x7e\xe7\x00\xba\x3b\x78\x82\x2d\x96\x8f\xc6\x50\xe6\x59\xf1\xf8\x34\x7b\x3c\xf7\x10\xbb\xe1\xa2\xff\xcc\x95\x42\xf8\x6a\x9b\x51\xb2\x8a\xce\x8a\x31\x79\x0a\x9d\xe0\x63\xf2\x30\x3a\x88\xf6\x37\xcd\xc5\x1f\xfa\xf6\x95\x42\x3e\x5c\xaf\xc4\x71\xf6\x6c\xf2\x30\x9a\xc4\x47\xe4\x30\x6a\x68\x63\x39\x86\x22\x6f\x0c\x8f\x9b\x04\xf8\x9c\xf9\xfd\x1d\xf5\xdd\x90\x8d\x67\xc1\x91\x9e\x78\x54\xde\xd3\x9d\xce\x28\xce\xa2\x73\xe8\x4c\x9d\x56\xb0\xb1\xde\x00\x85\x00\x20\xee\x06\x21\xee\xcb\xa9\xb6\x89\x84\xf3\x02\xcc\xce\xa0\x62\x00\x66\x6f\x3f\xf9\x62\xd5\x5c\x94\xfb\xc8\xae\x7a\xf9\xf2\x80\x87\x56\xcd\xa8\x4c\x79\x44\xfc\xde\x25\x91\x02\x00\x15\x00\x2a\x00\x54\x00\xa8\x00\x50\x01\xa0\xf6\x27\x40\xed\xb0\x5e\x90\xc8\x67\x8b\x2f\xdd\x55\xaf\x1a\xec\x4d\xc0\xa5\x11\x7d\xe1\x61\xbe\x0d\xef\xbc\xba\x00\x4c\xb4\xdf\x94\x14\x60\xa2\xc0\x44\x37\x99\x89\xde\x36\xf8\x29\x89\xa2\x96\x8e\xa2\xc3\xf8\x60\x76\xbf\xcf\x35\xbf\x2b\xcc\x35\xc3\xe5\x76\x81\x65\x7e\x6b\x04\xcd\x09\x96\x69\x2f\xaa\x5a\xde\x6b\xac\x70\x02\xf0\xf1\x95\x82\x70\x9e\x1e\x67\xb5\x71\x2c\x55\xf3\xa8\x26\xff\xfb\xed\xe3\x36\xad\x04\x9c\xf3\xe3\x23\xf8\x3b\x83\xe8\x3e\x56\xda\x54\xb8\x30\xb6\xd8\xfd\x44\x4a\x3a\x61\x07\x59\x9d\xd8\x8c\x17\xfb\x02\x2f\xf5\xf6\x65\xca\xc6\x95\x1e\xd2\xdc\x3d\x95\x7d\x88\x3f\x3d\x14\x24\x35\x88\x44\xa9\x53\x8b\xf8\xfb\x29\xc7\x25\xaa\x3e\x1a\x44\xf3\xf1\x3d\x88\x8c\xfd\x32\x5c\x52\x0d\x04\xd7\x50\x24\x00\x37\x54\x76\x3e\xb7\x87\xbf\xee\x72\xfd\x87\x5c\x29\x5c\xf4\x3e\x5d\x67\x75\xed\xf1\x2c\xdf\xa5\x1b\x68\x5e\xcc\xab\x59\x74\x8e\xcf\xab\x29\x74\x0a\x9d\xd8\xc0\x52\xca\xb3\x72\x9d\x59\x21\x66\x72\x1a\xaa\xe6\x53\xe0\xa6\x30\x24\xac\x6b\x0a\x36\x1d\x99\x72\x2a\xb2\x5e\x88\x5a\x0e\x20\xb3\x39\x64\x36\x2f\x41\x7a\x17\x48\xef\x02\xe9\x5d\x20\xbd\x4b\xdf\xa4\x77\x29\xf5\x4c\xf6\x92\xb6\xd7\x64\xc3\x69\x35\x4a\x90\x56\x03\xd2\x6a\x40\x5a\x0d\x48\xab\x01\x69\x35\xba\x9f\x56\xa3\x54\x40\xe3\x78\x2c\xbb\xd7\x27\x1d\xbb\xc2\xa4\x83\x6d\xdb\x1a\x09\xc7\xf3\xe8\x39\xfc\x4c\xf6\xad\xfe\x23\x93\xb2\xb2\x02\x3d\x32\x9d\xa8\xe6\x2e\x2b\x8e\x46\x2d\x32\xaa\x38\x35\x6d\x99\x75\x18\x57\x7a\x89\x5a\x15\x06\x1d\xcb\xa6\xbc\x71\xb2\x3b\x7d\x48\xd1\x49\x86\x52\xea\xeb\xec\x06\x25\xc8\x6e\xd0\xb9\xec\x06\xa5\x9e\xcf\x6e\xb0\x05\xf3\xb7\xe3\x7f\x3b\x84\x1e\x61\x5d\x37\xbe\x52\x18\xf7\x6c\x39\xa6\xbb\x42\x2b\xb5\x2a\xd1\x2a\xaa\x51\x75\xf0\x3b\x87\xf0\xb7\x07\xd0\x76\x8d\xda\xe4\xda\x4a\x21\xb3\x7f\xed\xd3\x02\xe7\xfd\x42\xae\xf0\x42\xa6\x59\x21\xb9\x71\xf6\xd0\x34\xb5\xc9\x95\x42\xec\x0d\x67\xa9\x3d\x55\xa9\xf8\x30\xb1\x7d\xf6\xbb\x0e\x81\xc4\x65\x74\x41\x80\xc4\xb3\x68\x86\x83\xc4\x93\xe8\x38\x9a\x6c\x0a\xe8\x59\xdb\x71\x0b\x5c\xdc\xb7\xb7\x94\xcc\xfe\x6a\x32\x24\x3c\x80\x27\x24\x24\xcc\x66\x25\x0d\x8c\x7d\x5f\x94\xd0\x27\x64\xc9\x07\x7c\x08\xf8\x10\xf0\x21\xe0\x43\xc0\x87\x80\x0f\x01\x1f\x02\x3e\x04\x7c\x08\xf8\x10\xf0\x21\xe0\x43\xc0\x87\x5d\xc6\x87\x40\xea\x80\xd4\x01\xa9\xeb\x63\x52\xf7\x7f\x8d\xa0\xc3\x1e\xa9\x5b\xd3\x05\x91\xb7\xa1\xcd\xbf\xc0\x73\x44\xfc\xe7\x23\xf8\x0f\x07\x03\x84\xf7\xd9\x56\x7c\x0f\xe7\x58\x31\x97\xd9\x0d\x3d\xe1\x81\xf8\x28\x7f\x9d\x40\x88\x81\xd3\x61\x50\xc9\x5e\x27\x86\x3d\xe9\x7a\x38\x97\x4c\x15\x47\xf0\x50\x3d\x55\x0c\x1a\x1d\x3c\x0d\x01\x15\x02\x2a\x04\x54\x08\xa8\x10\x50\x21\xa0\x42\x40\x85\x80\x0a\x01\x15\x02\x2a\x04\x54\x08\xa8\x70\x33\x51\xe1\x61\x74\x10\xef\xcf\x16\x7c\xb7\xc1\x07\xc2\x9e\x86\xc1\xe6\x0d\xfc\x0d\x81\x62\x02\xc5\x04\x8a\xd9\x55\x8a\xf9\x7f\x0c\xa3\xfd\xf2\x98\xa2\x9a\x4b\x1d\x4d\xad\x18\x66\x39\x40\x9a\x1c\x60\x51\xd3\x55\x2b\x16\xd5\xbd\x3b\x88\xed\xe0\x7f\x18\xc2\xdf\x1a\x44\xaf\x0b\x3d\x74\x6d\xa5\x90\x79\x49\x82\x4c\xc3\xd4\x8d\x15\x43\xaf\xa9\x95\x08\xd3\xf4\x55\xdc\x27\xfd\x62\xe7\xa9\x3e\xe5\x17\xdb\x16\xb0\x99\xcf\x09\xcc\x37\x15\x54\xed\x4a\xa1\xc9\x0b\xe7\x0c\xc7\xdd\x6a\xae\x8e\x9b\x01\x2e\x77\xc7\x83\xcb\xbb\x30\xe2\x15\xe3\x9e\x89\xd7\x17\x93\xe1\xe5\x29\x7c\xc2\x4b\xc0\x1a\xf4\x8e\xa4\x98\x4d\xba\x08\x90\x26\x20\x4d\x40\x9a\x80\x34\x01\x69\x02\xd2\x04\xa4\x09\x48\x13\x90\x26\x20\x4d\x40\x9a\x80\x34\x01\x69\x82\xf7\x23\x70\x43\xe0\x86\xc0\x0d\x37\x85\x1b\x7e\x65\x18\x1d\xf2\x8e\x37\xb7\x9c\xe4\x34\x8c\x84\xa3\x2e\x36\x81\xf1\x0f\x0e\xe3\x97\x07\xd1\x76\xf6\xdc\xb5\x95\x42\x66\xa5\x35\x64\x78\x59\x94\xb0\x40\xdc\x36\x51\xc2\xdd\x82\x12\x5a\x96\x13\xc9\x9a\xe8\xbf\x66\xce\x70\x5c\x60\x81\x8d\x2c\xf0\x62\x32\xe6\xdb\x8b\x47\xfc\x73\x96\x2c\xc7\xcb\x84\xe8\xb7\x6c\x34\xe0\xb9\x15\xb6\x08\xdc\x0f\xb8\x1f\x70\x3f\xe0\x7e\xc0\xfd\x80\xfb\x01\xf7\x03\xee\x07\xdc\x0f\xb8\x1f\x70\x3f\xe0\x7e\xc0\xfd\xba\xcc\xfd\xc0\x23\x11\xc8\x22\x90\x45\x20\x8b\x1d\x24\x8b\xbf\x99\x46\x77\x0b\xb2\x28\xce\x8a\x1b\xc7\xbf\x90\xc6\x9f\x4f\xa3\x3b\xc4\x3f\x33\x99\x32\x3f\x36\x6f\x89\xda\x55\xbf\xdd\x54\x85\xf3\xa6\xdc\x3d\x65\xe2\x8a\xf3\xe1\xa6\xe6\x67\xcf\xb1\x9f\xda\x77\xf0\x58\x43\x41\x93\x0d\x05\x4d\xb6\x52\x50\xc9\x40\x17\x05\xb4\x3b\x87\xce\x70\x68\x77\x0a\x9d\x40\xc7\x36\x00\xed\xbc\x6f\x4c\x42\x76\xf8\xbd\x23\xe8\x58\xf3\x43\xc1\x17\x89\xab\x7a\xf8\x36\xfe\x7c\xf0\x5f\x1f\xc6\xef\xde\x86\x70\xe4\x74\x38\xfe\x54\xe6\xa7\x5b\x89\x5c\x0f\x1f\x1b\xd4\x13\xb1\xeb\xd9\x9b\xf5\x67\xd5\xf1\xaf\xe9\xc8\x81\x75\xb7\x11\xf9\x4d\x0c\x5f\x5f\x97\x07\xe8\x7a\x0f\xaf\xe2\x5d\x04\x24\x18\x48\x30\x90\x60\x20\xc1\x40\x82\x81\x04\x03\x09\x06\x12\x0c\x24\x18\x48\x30\x90\x60\x20\xc1\x40\x82\xbb\x4d\x82\x7b\xe8\xa0\x60\x40\xbc\x80\x78\x01\xf1\x6e\x21\xc4\xfb\xfd\x6f\x44\xb3\x11\xc4\xbb\x52\x68\xe6\x38\x6a\x51\x5d\x37\x1c\xbb\xc6\xb7\xf3\x8b\x35\xbd\x4c\x5c\x0f\x4b\x8e\x3b\xae\xea\xd6\x1c\xfc\x85\x0c\xfe\x91\x01\xb4\x53\x14\x75\x6d\xa5\x90\xd9\x67\x13\x55\x57\xc4\x55\xaf\xc9\x83\xa5\x7b\x9e\xea\x33\x7e\x89\x45\x5e\x62\x6e\x9c\x3d\x21\xc0\x71\xd8\x19\x34\xe6\xd6\x05\x5e\x6a\xfb\xa8\x32\x87\x79\x7a\x53\xf4\x86\x66\x05\xe5\x2b\xa2\xd3\x9c\xf2\x4d\xa2\x23\xe8\x50\xd3\x63\x6d\x44\x13\xf0\x83\x6d\x1a\x6b\xee\x51\xbc\x87\xe3\x29\xde\x1d\x78\xb0\x4c\x5c\x74\xfd\x2d\xc9\x0c\xef\x10\x3e\x20\x19\x9e\x78\xa1\x77\xb8\x4d\xe3\x3b\x23\x9e\x9e\x99\x77\xec\x0c\xf7\xd2\x7e\x9b\x58\x15\x55\x23\xeb\xea\xa8\x09\xf9\xd0\xa6\xf5\x55\x71\x0e\x95\xd0\x93\x78\x70\x91\xea\xab\x19\xfe\x5f\x25\x95\xdb\x70\x9f\x14\x3f\x96\x46\x1f\x4d\xe3\x8f\xa4\x33\x1f\xf4\x65\xf7\xb7\x53\x57\xd9\x22\x28\x17\xee\x51\xee\x18\xad\xb1\xed\xb9\x10\xb6\x91\xcd\x62\x18\x20\x2e\x12\xc5\x3b\x30\x4a\xcf\x2b\x53\xa6\x62\x98\x02\xd3\x50\x5b\xa9\x99\x3e\xe9\xd1\x15\xdd\x5e\xbd\x5c\x33\x15\xdd\xb0\x09\x93\x30\xc4\xc7\x07\x4c\x0b\xe0\x6a\x96\xe4\x27\xde\x6e\x49\xee\x58\x95\xa5\x9a\xcd\x35\x72\xcb\xa6\x1a\x71\xb8\x3e\x24\x3b\x4d\xae\x96\x79\xe5\x0a\x7f\x23\xdf\xe9\x70\x05\x66\x52\x19\x53\xa6\x2a\x95\x49\xae\xed\xe8\xf6\xaa\x62\xd7\x4c\xd6\xe1\x4c\x24\x79\x2a\x9e\x2c\x8e\xe8\xd9\x3b\x44\xd5\x42\xf2\xb7\xf8\xa1\x34\xfa\xfe\x34\x7e\x7f\x3a\xf3\x5e\xbf\x81\xbe\x99\xe2\x0a\xf2\x05\xd5\x54\xcb\xc4\x16\x5b\x3d\x61\x7f\x76\x1c\xaa\x19\x5c\x7b\xf1\x37\x55\x2a\xdf\x95\x52\x5b\x61\xca\xad\xbb\xea\xab\x73\x55\xf5\x06\xab\xbf\xbb\x4c\x1c\xe2\x09\x49\x26\xb8\x3d\xdc\xc5\x89\xcf\x22\x51\xb8\x78\xe6\x1b\x28\x6a\x2b\x85\x89\x23\xec\x5e\x5b\xd5\x38\x97\xab\x50\xb3\x2c\x44\x22\xdf\xe4\x30\x7d\x54\x35\x4c\xa1\xa9\xf0\x4d\x44\x70\x2f\x67\x15\x92\x1a\xb2\xad\xaf\xb7\xcc\x95\x69\x45\x35\xcb\x79\x6a\x97\xc7\xad\x1b\xe5\xf1\x9a\x69\x68\x54\x27\xe3\xbb\x67\x9d\x79\x56\x4a\x3e\x7b\x57\xf8\x5b\xc3\x0b\xd3\xe7\x52\x6d\x94\x0d\xc2\x22\x55\xe0\x16\xa9\xed\xd3\x42\x75\xbf\xa5\xf2\x92\x4c\x09\xcd\x85\x90\x55\x6b\x59\x08\xb5\x26\x76\xa2\xa2\xaa\xf8\xc3\x77\x85\x85\xd0\x71\x4b\xb5\xd9\x7e\x9b\xed\x51\xf9\x12\xb7\x2e\x69\xb4\xcf\x62\x4b\xdb\xa6\xc8\xa2\x37\xd6\x17\x34\xc6\xeb\xb2\x97\x1b\x26\x1f\x0a\x5f\xac\x12\xbb\x4c\xc2\x57\xf7\x84\xaf\x32\x5d\xd8\x25\x65\x43\x1b\x6b\xb8\x2f\x52\x0a\xfb\x7b\x55\x5e\x65\xb5\x2c\x5e\x44\x73\xa8\x54\x27\x07\x27\xd1\x91\x0d\x58\xa0\xe6\x39\xe7\x07\x49\x98\x20\x09\x3f\x33\x80\x3e\x3d\x80\x3f\x35\x90\xf9\x84\x6f\xf8\x7a\x69\xa0\x7f\x24\x61\x1d\x1a\x61\xed\xcc\x51\x3f\xc7\x77\x6c\x70\x06\x06\xbf\xe1\x26\x03\x77\x84\x33\x6f\x61\x19\x52\x2b\xfc\x49\x93\x9a\x63\xe2\x69\x7e\x07\xb7\x0c\x3a\xca\x70\xc9\xa1\xe6\xbc\xb0\x7c\x5d\x60\xd3\x42\xfe\xbd\xe0\x4d\x96\xe0\xc7\x91\xe6\x22\xba\xf8\x5a\x0a\xbd\x9a\xc2\xaf\xa4\x32\x5f\xf0\x55\xf3\x4f\xa6\xce\x52\xb6\xd3\x34\x1c\xa5\x4c\x79\xb3\x53\x25\xbb\xc4\x7e\xca\x2a\x53\x91\xaf\xe0\x9b\xae\x2a\x51\x4d\x47\xa9\x39\x01\xe3\x1f\x53\x35\xfe\xe1\xdc\x72\x52\x31\x34\x41\xf7\x39\xcc\x55\xe8\x4d\xd9\xa6\xc2\xb2\x60\x11\x6a\x55\x48\x5e\x11\x6f\xe4\xa6\x4a\xaf\x2f\xf9\xe6\x27\xb6\x01\xfc\xd7\x67\xb7\xf1\x6a\x45\xcc\x6e\xed\x54\x47\x13\x97\x88\xce\x29\xa2\x6b\x18\xb2\x79\x23\xa0\xd2\x69\x74\x12\x1f\xcf\x4e\xfa\x70\xe3\xd1\x30\xdc\x88\x29\xfe\x76\x48\xdd\x87\xdf\x3b\x8c\xf2\x75\xbb\xb2\xb0\x6b\x88\x45\x75\x87\x68\x35\xdb\x70\x57\xf9\x75\x83\x38\xf8\xab\x43\xf8\xb5\x41\xf4\x3a\x7f\x3d\x15\x4e\x21\x6f\x6f\x2d\xa2\x6f\x9e\xea\x0b\xb2\x40\xb1\x84\xb6\x29\xb0\x4f\x3c\xe0\xad\xca\xbc\x4a\x0d\xaf\xda\x1a\xc1\x7d\x4d\x77\x85\x6d\xf7\xfd\xf0\x26\xdd\x33\xc9\x93\xee\x28\x3e\xdc\x64\xd2\x45\x9b\xb8\xd1\x77\x03\x42\xfd\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\x7a\xd1\xc1\x03\xbc\x34\xc0\x4b\x03\xbc\x34\xfa\xd8\x4b\xe3\x5b\x43\xe8\x41\xef\x80\xd3\x7a\xef\x8c\xb7\xe3\x2f\x0f\xe1\xaf\xa4\x83\x23\x4c\x1f\xe2\x3e\x17\xd1\x0d\xa6\x6f\x10\xcb\xdd\xcb\xae\xd6\x9d\x15\xda\x66\x1f\x8a\x37\xa3\x13\x02\x8a\x1d\x42\x07\x38\x14\xcb\xa3\x51\x94\x6b\xca\xa6\x59\xbd\xf3\x2b\x85\xbc\x5f\x9d\x5b\x30\x59\x72\xbf\x89\xf3\xc9\xe4\x6c\x18\xef\xa9\x3f\xba\x33\x78\x7d\xc4\x53\xe2\x63\x3b\x82\x96\x7d\xd4\xf3\x93\x68\xd6\xb8\x0f\xc8\x1b\x3a\xda\xbe\xc5\xd3\xe8\x24\x3a\x5e\x67\xef\x5b\x57\x03\x83\x85\x0f\x7c\x1d\x36\xe8\xeb\xf0\x83\x29\x54\x14\x0e\x0a\xc7\xd0\xd1\xc0\x41\xa1\x5d\x33\xfc\x16\x25\x47\x8b\x3e\x0d\xed\x14\x10\xb9\xbf\x7c\x7d\x20\x20\xb0\x50\xba\x15\x35\x24\x13\xee\x17\xbf\x75\x56\x24\x3c\x85\x2e\xa3\xf9\xb0\x48\xc8\x15\xd1\xe9\x0d\x98\x21\x66\x78\x5d\x2f\x71\xa0\xeb\x80\x98\x48\x12\x13\xdf\x48\xa3\xaf\xa7\xf1\xd7\xd2\x99\xdf\xf5\x1b\xe8\xb3\xe9\xa7\xc2\x0a\x8c\xc1\xf4\x68\xae\x84\x28\x8b\x64\x49\x18\x33\xfc\x9d\x43\x40\xcc\xe5\x66\x8d\x57\x31\x24\x06\x4c\x6a\x8e\x99\xa4\xac\xf2\x86\x90\x3a\x4c\x58\x5c\x08\x86\xe0\x77\x81\x1c\x7d\x46\xb5\x4a\x74\x26\x90\x2a\xab\x81\x95\x21\x20\xcb\x46\x65\x54\xaa\x36\x5c\xb9\x53\xca\x36\x5b\xd2\x2c\x62\x1b\x54\xf7\x55\xb4\x60\x75\xe3\x06\x1c\xaf\x35\x6a\x0e\xab\x64\x58\x2d\x54\xd9\x93\xde\x07\xc9\x97\x2c\x89\xdd\xb4\x57\x44\x5e\xd4\x53\x58\xd0\x63\xea\x98\xc5\xbc\x0a\xf3\xbc\x06\x31\x2a\x5b\xf1\x4b\x69\xf4\x5a\x1a\xbf\x9a\xce\xbc\xe2\x37\xf3\xc7\xd3\x33\x21\x03\xa5\x55\x21\xaa\x43\x7c\xf4\x31\x6f\x53\x4b\x2d\xf3\x0e\x10\x06\xb0\x88\xf5\xc3\xfb\x96\xc0\xc2\xc9\x7a\xa9\x90\x3f\x9c\x57\x16\x44\x87\x88\xd6\xb1\x98\xc6\xce\x76\x3d\x1e\x45\x23\x0a\xb5\xad\x65\xd5\xf4\xac\x31\x76\x8d\x8c\x2f\xa9\x15\x8f\x3a\x67\xc5\xd5\xac\xb2\x64\x98\x6a\xc5\x78\x9b\x87\xaf\x16\x09\x53\x09\xf9\x1e\x61\x5c\xa8\x82\x7a\x80\x34\x45\xe1\x43\x4e\xf0\x90\xe0\xbc\x79\xe5\x8c\xc1\x87\x73\xa8\xe2\xd4\x6e\xfc\xb2\x60\xbf\xe5\x0a\xcc\xcc\x27\x1b\x75\x97\xf3\xd9\x5d\xa2\x3e\x33\xde\x87\x44\xcc\x3a\xc5\xf7\x0c\xa2\x77\x0d\xe2\x77\x0c\x66\xbe\xe3\xdb\xf6\xbe\x32\x70\x55\x72\x20\x36\xa5\xd8\x86\xa7\xac\xda\x8b\x6a\x99\x28\x1a\xad\x54\x08\x97\xa1\xc1\xbc\x20\xf6\x12\xb5\xab\xac\x2d\x62\x6b\x7a\xa9\xee\xe5\xcd\x2b\xca\xc7\xb3\x37\x18\x85\x21\x93\x8d\x53\x9d\x68\x86\x1e\x00\x5d\xce\x06\x85\x87\x85\xd7\xba\x0e\xcf\x3e\xc1\xaf\x7a\xf4\x2f\x1f\x6a\x46\x8f\x1b\xf9\x9b\x1c\xdf\xa2\x17\x7d\x59\x5e\x99\xd2\xd8\x7e\x88\xaf\x9d\x61\xe1\x30\x24\xbe\x61\x48\x19\x93\x1d\x1f\x1d\x18\xce\x31\x65\xa8\xa8\x6a\x37\xd8\x3a\x61\xea\xec\x2e\x6e\x4a\xe3\x37\xd5\x35\x9c\x80\xb5\x72\xe8\x47\x0b\xf1\xbe\x60\xd1\x2f\xe9\x98\x32\x74\x96\xda\x24\x54\xac\xa2\xa9\x8e\xa6\xea\xec\xeb\x65\xfb\x08\xe3\x29\x2f\xcf\x11\xd2\xab\xa1\xc0\x25\xbf\x8c\x7c\xf6\x1e\xab\x7e\xdc\x84\xd7\xf4\xcf\xa7\xd0\x9c\x58\x76\xcf\xa0\x69\xbe\xec\x9e\x40\xc7\xd0\xd1\x0d\x2c\x1f\xc2\xb5\x0e\x5d\x66\xa5\x4d\xe0\xf3\x68\x16\xed\x10\x6d\x4b\xf4\x5b\x2d\x33\x69\x4f\xd0\xce\x35\xfd\xba\x12\xaf\x3f\xec\xc4\xdb\x45\x9b\xa3\xe2\x7f\xb9\x33\x58\xf5\x87\x1b\x3c\x17\x9b\xed\x0f\xee\xe3\x4e\x2d\x1d\x53\x05\xc0\x13\xb1\xdf\x14\x10\xf0\x44\x04\x4f\xc4\x4d\xf6\x44\xec\x38\xed\x69\xab\x64\x4f\xf4\x37\x3c\x84\x0e\xe0\x89\xec\x3e\xdf\x5b\xf0\xfe\xb0\xbf\xa1\x5f\x68\xe7\x23\x29\xf1\x0f\x0f\xa3\x8c\xc7\xfc\x64\x42\x7f\xaa\x07\xd0\xef\xa5\x61\xfc\x2b\x83\xc1\x1a\xf4\x13\xad\x64\x7f\xba\x48\x75\xd2\x13\x59\x9f\x5e\x7f\x33\xb4\x0e\x52\xbd\x7d\x4b\x60\x3f\xa5\x78\x3a\x9b\x3c\x2f\x76\xe3\xc7\x1a\xe6\x05\xd5\x09\x1c\xe4\x09\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\xb7\x99\x5e\x7e\x05\x34\x8e\xc7\xb2\x7b\x7d\xf2\xb0\x2b\x42\x1e\xa8\xde\x05\xe8\x00\x8e\x81\xe0\x18\x08\x8e\x81\x5b\xc8\x31\xf0\x2f\xd2\x02\x12\x3a\xe3\xba\xe1\x68\x94\xc9\xc9\x20\x9b\xfc\x38\xfe\x52\x1a\xbf\x96\x46\x77\xf9\xd7\xae\xad\x14\x32\x6f\x28\x13\x37\xba\x2c\x8b\xda\xe7\x32\x65\xe2\xce\x78\x77\x5e\x29\x4c\xcd\xcf\x7a\x9b\xc0\x36\x26\xcb\x68\x5b\xea\x7e\x0b\x3d\x2d\x90\xdc\x45\x34\xc7\x91\xdc\x59\x34\x83\x8a\x1b\x4b\xdd\xef\x7d\xe7\x9c\xe1\x24\x72\x39\xfc\xae\x11\x74\xa6\x79\x93\xaf\x79\xf4\x2a\x31\x75\x8b\x1a\xa6\xeb\x54\x0c\x8d\x38\xf8\xf3\xc3\xf8\xd7\x07\xeb\x7a\x67\xb5\xb5\x80\xed\x33\xb2\xa4\x05\x56\x52\x9b\x82\xb5\xf7\xf2\x07\x42\x23\x20\xc8\xa2\x12\x79\xdd\xd6\x08\xd8\xee\x3e\xb0\x6d\x25\xa4\xfa\xfa\xb3\xc9\xd0\x76\x12\x1f\x11\xa8\x36\xd2\xea\x71\x89\x74\xea\x07\x20\xb0\x5c\x60\xb9\xc0\x72\x81\xe5\x02\xcb\x05\x96\x0b\x2c\x17\x58\x2e\xb0\x5c\x60\xb9\xc0\x72\x81\xe5\x02\xcb\x85\xc3\x59\x01\xfd\x02\xfa\x05\xf4\x7b\x1b\xa1\xdf\x3f\xc9\xa1\x09\xc1\x21\x55\xb6\xad\x2b\x1b\xdc\x6b\x9f\xdd\x1d\xd0\x48\x09\x13\x8c\x50\xb0\xf8\xcb\x39\xfc\x63\x03\x08\xd7\x3d\x73\x6d\xa5\x90\x79\x38\x26\x6e\x7c\x6a\x7e\x76\x41\x14\x90\x7b\x94\x5d\x9e\x8a\x3e\xc6\x29\xb1\xbc\xa1\xcd\x41\xe4\xab\xe8\x39\x41\xf0\xae\xa2\xa7\x39\xc1\xbb\x84\x2e\xa0\xf3\xb1\x04\x8f\x95\x31\xa6\x96\xcb\x6c\x2c\xb8\xd4\x0e\x20\x5e\x7d\xc3\x08\xda\x2b\xeb\x7b\xab\x51\xe6\xcf\x27\x93\xbc\x13\xf8\x98\x24\x75\xf1\x5d\x14\x61\x7a\x82\xf9\x85\xea\x97\x79\x79\x67\x6c\x3f\x29\xf1\x51\xe8\xa1\xae\xca\xca\x3b\xba\xd6\x5b\x45\x15\x5d\x43\xcf\xd6\x05\x7e\xb4\xb7\xbb\x20\x16\x04\x62\xd6\x37\x18\xb3\xfe\xb5\x54\xf3\x78\xf3\x4e\x0b\x19\x4d\x04\xcb\x3f\x83\xde\x1a\x04\xcb\xb7\xfb\x25\x2d\x46\xbd\xb7\x26\xb0\xd6\x14\x49\x6b\x4b\xb3\xdc\x0f\xed\x8a\x15\x58\xf7\x79\x51\xf1\x66\x58\x48\x3d\x26\x7e\xed\x9e\x8c\x82\x18\x79\x88\x91\x87\x18\x79\x88\x91\x87\x18\x79\x88\x91\xef\xcf\x18\xf9\xc4\xb0\xf6\xce\x6f\x6a\x8a\x3f\x7a\x57\xac\x8e\x30\x92\x10\x43\x1f\x52\x1c\x44\x50\x6a\x57\xf4\x06\x08\xa8\xef\x37\x6d\x05\x02\xea\x21\xa0\x7e\x93\x03\xea\x57\x37\x6d\xb7\x9a\x1c\x7a\x2c\x82\xe4\x3b\xbf\x4c\x94\x0e\xa3\x83\x78\x7f\xb6\xe0\x1b\x50\x1e\x08\x3b\xc3\x07\x37\x76\x21\x0e\xff\xcf\x86\xd1\x29\xc1\x59\x85\x93\x5c\x80\x57\xc3\x47\xf2\x34\xf3\xf8\xe4\x8f\xe0\x4f\x0d\xe3\xcf\x0f\xa2\xd7\x89\x7f\xf9\x87\xf3\xbc\xd0\xa2\xaf\x27\x7b\xaa\x4d\x3e\x9e\x4f\xdc\xf4\xfd\x19\x1d\x79\x20\x4f\xc8\xcb\x93\xfd\x0c\xde\x9d\xb7\xe0\xdd\x79\x35\x79\x5e\x1c\xc0\x13\x72\x5e\x44\x86\x93\x9c\x02\xa2\x2e\x0d\xc7\xf5\x80\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\xe7\xed\xe3\xd7\xf9\xbe\x01\xf4\xb8\xf4\xeb\xac\xb1\x19\xef\xca\x62\xea\xb9\x23\xfe\x93\x34\xfe\xa3\x34\x7a\x20\x7a\x97\x0f\x17\x9b\x86\xf9\x3f\x5e\x26\xee\x54\xe4\x19\x09\x02\x21\xe0\x3f\x3e\xe0\xff\x07\x9e\x45\x43\xa2\x43\x1c\x97\xda\x6a\x99\xd4\xf7\x84\xe6\x18\xba\x6d\xb0\x69\x85\xff\xf4\x19\xfc\xbf\xed\x41\xaf\x97\x37\xfa\x9d\x31\x24\x36\x04\xb6\x54\x65\xbc\xb5\xce\xcb\xcb\x3a\xbd\x30\x3b\xc3\x0b\xc8\xbd\x91\xdd\xb8\x20\x9e\x96\xdd\xe2\x5f\xec\x71\x2a\x5b\x04\x46\x09\x8c\xb2\x08\x8c\x12\x18\x25\x30\x4a\x60\x94\x7d\xc3\x28\x8b\x3d\xc3\x28\xdb\x5e\x93\x0d\x33\xca\x22\x30\x4a\x60\x94\xc0\x28\x81\x51\x02\xa3\xec\x3e\xa3\x2c\xf6\x35\xf0\x2b\x02\xf0\xeb\x1c\xf0\x2b\xf6\x3a\xf0\x2b\x6e\x41\xe0\x57\xd2\xd1\xac\x00\x5b\x45\x74\x9a\x83\xad\x49\x74\x04\x1d\x6a\x7a\x80\x92\x07\xa1\x24\x5b\xca\xfb\x7c\xa8\x15\x98\x75\xfd\x99\x64\x0f\xb5\xa3\xf8\xb0\xf4\x50\x8b\xf2\x2e\xe9\xa2\xe6\xbf\xaf\xd1\x4d\xed\xfa\x23\xf1\x4e\x72\xdb\xf1\x36\xee\x1f\x97\xfd\xf0\xce\x46\x36\x86\xc5\x82\xa4\xa8\x21\x0c\xf6\xb0\xf8\xad\xd3\x20\x4c\x70\xab\x27\xd1\x59\x34\x53\xe7\x63\x7f\x00\x4d\xac\xbf\x03\xc0\xbb\x1e\x42\x94\x37\x18\xa2\xfc\x37\x29\x74\x46\x08\x81\x93\xe8\x38\x17\x02\x87\xd0\x86\xc6\x20\x2a\x89\x80\xe3\x69\x34\x15\x04\x1c\x6f\xb4\xac\xf3\x22\x46\x69\x06\x15\x43\x31\x4a\x1b\x2d\x2c\x49\x32\x35\x97\x1d\x16\x75\x5c\xd4\xa2\xe4\x4a\x94\x51\xf1\xa2\x2d\xf7\xb5\xd1\x46\xc9\xf4\x88\x0c\x46\x0b\x45\xf6\xd1\xa5\x90\x94\x1a\x12\xd7\xeb\xa4\x94\x7f\x73\xa7\xe4\x55\x67\xe2\x98\x01\xdc\x02\xb8\x05\x70\x0b\xe0\xb6\x7f\xc0\x2d\x68\x6b\x09\xda\x5a\xef\x90\x6d\xc8\x21\xd1\x95\x1c\x12\x60\x40\x00\x03\x02\x18\x10\xc0\x80\x00\x06\x84\xbe\x36\x20\x40\x2a\x21\x48\x25\x04\xa9\x84\x3a\x95\x4a\x08\xec\x73\x60\x9f\xeb\x57\xfb\x5c\xa9\xdc\xe6\x2c\x5a\x49\x50\x39\x17\x0f\x95\xef\xc5\xf7\x88\xd9\x1c\x48\xda\x56\x01\xf3\x06\x4d\x63\xed\xcf\x4b\xf2\x8b\x7b\xd1\xe1\x84\xfc\xcf\xc2\x3d\x3d\x26\x09\xf4\x4b\x7b\xf1\xcf\x0d\xa0\x37\x34\xe6\xe1\x12\xe0\x3b\x21\x13\xf4\xe3\xb1\x99\xa0\xbd\x18\x82\xce\xa4\x83\xfe\x27\x22\x93\xea\x3e\x9e\x49\x95\x0d\x1c\x4e\xc1\x6f\x35\xf7\x8d\xb0\x51\xac\x23\x27\x34\x49\x1e\x23\x45\x7c\xba\xe5\xc4\x37\x62\x6c\x34\x64\xbf\x49\x48\x3d\x9d\xf9\xe2\xce\xe6\x7d\x97\x9c\x1d\x7a\xa8\x59\x76\xe8\x8e\xf6\x60\x71\x09\xe9\x68\xb1\xce\xcc\xda\x81\x2e\x04\xac\x07\x46\xd8\x0d\x1a\x61\xff\x34\xd5\x1d\x21\xb3\x2c\x4c\xb4\x2a\xba\x16\x98\x68\xfb\x54\x9c\x59\x35\x17\xe5\x7e\x72\x57\x73\x71\x16\x9f\x3b\x7a\x4f\x93\xdc\xd1\x9d\x95\x60\x90\x40\x1a\x12\x48\xdf\xbe\xf0\x1f\xa8\x0f\x50\x1f\xa0\x3e\x90\x40\xba\x07\xf4\x85\xc4\x3c\xd5\xc5\x9f\xbd\xab\xb9\xca\xb0\x8e\x54\xd2\x4f\xc4\xa7\x92\xee\x98\x1a\x01\xf9\xa4\xfb\x4d\x79\x81\x7c\xd2\x90\x4f\x7a\x93\xf3\x49\xff\x93\xe6\xf9\xa4\xbb\xb1\xdd\xed\xf2\xda\x91\x94\xbb\xba\x87\x32\x4b\xff\xf1\x30\x3a\x2a\x08\xee\x22\xcf\x21\xdd\x52\x46\x69\xcd\xa6\xe6\x75\xba\xe8\xe0\x1f\x1b\xc6\x3f\x33\x88\xee\xe6\x8f\xfa\x6b\x9f\xd3\x5a\x4a\xe9\x69\x9b\x9a\x25\xba\xd8\xa6\xa4\xd2\x7b\xf8\x03\x45\xf6\x9f\x86\x9c\xd2\xf2\x4d\x90\x55\xfa\x16\xb2\x4a\xbf\x29\x79\xe6\xe4\xf1\xa8\x9c\x39\x7c\x3c\x78\xf6\x08\xd1\xf8\x90\x4f\x1a\x72\xb5\x40\x3e\x69\x70\xf9\x07\x97\x7f\x70\xf9\xef\x6b\x97\x7f\xc8\x27\x0d\xf9\xa4\xc1\xd5\x1a\x5c\xad\xc1\xd5\x1a\x5c\xad\x7b\xc2\xd5\x1a\xf2\x49\x6f\x31\xf7\x55\xc8\x27\x0d\xf9\xa4\xb7\x56\x7a\x19\xfc\xd2\x08\x3a\x23\x28\xa3\xbd\xa8\x6a\xf9\xff\x8f\xbd\x7f\x8f\x6f\xe3\x3a\xef\xfc\xf1\x17\x48\x2a\x92\x1e\x2b\x6b\xeb\xc8\x8e\x6d\x48\xb2\x61\xc8\x26\x41\x88\x04\x09\xea\x4e\x5d\x09\x52\x94\x08\xd1\x32\x43\xda\x74\x9a\xd8\x51\x86\xc0\x08\x82\x0c\x61\x90\x19\x90\x8a\xda\xcd\xbe\xd2\x66\xb3\xc9\x6e\xf7\x92\x66\xb3\xe9\xb6\xdb\xa4\xd9\xb4\x75\xe3\xd6\x89\x93\x6e\xba\x6d\xe2\xb6\x69\xbb\x4d\xe2\xad\x5b\xff\x72\x69\xda\x74\xd3\xa4\x49\x9b\xfc\xb6\x6d\x7a\x4f\xb7\x49\xb3\xed\xe6\xfb\x9a\x73\xe6\x0a\xcc\x70\x00\x68\x00\x82\xc2\xe7\x9f\x44\xe6\xcc\x1c\xcc\x9c\x33\xf3\x9c\x73\xde\xcf\xe7\x79\x1e\x93\x41\xd5\x48\x45\xd7\x87\x8e\xaa\x52\x92\x35\xf6\xd1\x04\x7b\x71\x80\xee\xd4\x9b\x99\x72\xb6\x72\x69\x2d\x1d\xad\x34\x06\x1e\x17\x15\x7d\x7e\x0e\x85\x3a\x26\xf9\x05\x8b\xb5\x37\xb3\xec\x80\x8f\xfa\xaf\x6d\x0e\xf2\xe8\x4b\xe8\x43\x47\x92\x26\x79\x7c\x32\x18\x2a\x4e\xb2\xa3\xce\x22\x8d\x06\x60\xf4\x7d\x8b\x0c\xe8\xa8\x77\x3a\x35\x04\x36\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x6f\x1d\x0a\xf9\xf7\x43\xb4\x7f\xdd\x22\x6a\x82\x3f\xe6\xb4\x62\x59\xc9\xcb\x1a\xfb\xe4\x10\xfb\xd8\x40\x7d\x4a\xd6\x46\xf5\x8d\x4b\x73\x17\x95\x7c\x58\xa4\xf1\x3e\x7e\x41\x5d\x32\x6a\xfd\x17\x36\x07\x5d\xec\x52\x5d\xe3\xab\x83\x11\xe4\x11\x76\xa8\xc1\x0c\xbe\x56\x06\x06\x7d\x58\x80\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x3b\x8d\x16\x01\xfe\x00\xfe\x00\xfe\x7a\x18\xfc\xfd\xe8\x93\x94\xd4\x87\x6e\x6c\x2d\xed\xa7\x2e\xe4\xbd\xa7\xf2\x7b\x67\xdf\x78\x82\xfd\xbf\x87\x68\x6b\x4e\x51\xe5\x4b\x6b\xe9\x68\x42\x2c\x0c\x55\x63\x4a\x33\x6d\x9e\x72\x39\xf6\x54\xb1\x9c\x8f\xcd\xeb\x57\x2e\xea\x57\x26\xef\xd3\xcf\x9c\x56\x54\xd9\x29\x00\xb4\x8f\x77\x39\xa4\xcb\x80\x57\x81\x57\xa1\x06\x17\x78\x15\x78\x15\x78\x55\xef\xf0\xaa\x2e\x2a\x31\xd5\x35\xbc\x0a\xb5\x8f\xc0\xab\xc0\xab\xc0\xab\xc0\xab\x36\xa2\xf6\x51\x4f\xe3\x25\x14\x67\xe9\xe5\xe2\x2c\x99\x4d\x88\x97\xb2\x4f\x52\x46\x88\x9b\x8e\xd3\x31\x2e\x6e\x3a\x40\x69\x1a\xf3\x2d\x4f\x9e\x53\x54\x39\xb5\x96\x4e\xd9\x60\x68\xbe\xa8\x05\xcb\x99\xfc\x6b\x93\x0b\x25\xd3\x7c\xb0\x92\x69\x98\x0d\x19\xc2\xa5\x78\xdc\x10\x2b\xd9\x37\xe1\xcc\xd0\x46\xf1\xff\xbd\xcd\x06\x60\xbb\xc4\x8c\x13\x93\x9c\xac\xcb\x98\x86\x3a\x40\xbb\x04\x9c\xe2\x82\xb1\x9a\xac\xb1\xa3\xb4\xbf\x89\x5e\x46\xa2\x58\x54\xe5\x68\xb1\x2a\xc7\xd7\x22\x74\x4a\x7c\xe2\x47\xe8\x10\xff\xc4\xc7\xa8\xb9\x97\x8f\xa6\x45\xc1\x8d\x13\x34\x69\x17\xdc\x68\xba\x91\x19\x91\x6f\xfb\x24\x1d\x77\xe4\xdb\x6e\xba\x95\xd6\x2d\x4d\x45\x09\xdd\xd2\x24\x7f\x73\xc4\xb6\x34\xf7\x1b\x99\xd3\x1d\x69\xe8\x95\xcb\x4e\xab\x93\x14\x27\x08\xab\x33\x6d\x9d\xd5\x01\xfb\xd3\x9e\xc2\x1b\xa0\xad\xa0\xad\xa0\xad\xa0\xad\xbd\x43\x5b\xb1\x08\x0b\x58\x84\x75\x0f\x8e\x46\xd1\xa3\x8e\x14\x3d\x02\xf5\x07\xf5\x07\xf5\x07\xf5\x07\xf5\xef\x69\xea\x8f\xda\x77\xa8\x7d\x87\xda\x77\xed\xaa\x7d\x07\xa7\x1a\x9c\x6a\xbd\xea\x54\xcb\x16\xfc\x73\x7b\x86\x5a\x0f\xd2\x04\xc8\xa1\x02\xe2\xab\x49\x6f\x1c\xbd\x8b\xed\x14\xb6\xc1\xb6\xdb\xb4\x09\xb3\xc8\xb0\xb7\x3d\x49\x29\x77\x05\xae\xc0\xb2\x5b\x9f\x7f\x82\x7d\xfb\x21\xda\x66\x96\xdd\x8a\x3e\xb4\xbe\x42\xdd\x28\xc1\x94\xdc\xa3\x9f\x66\x94\xc8\xaa\xab\x8e\x05\x71\x3a\xc4\xe9\x10\xa7\xc3\x5d\x02\x77\x09\xdc\x25\x70\x97\x74\x8d\xbb\xa4\x7b\xbc\x01\xc0\xd4\xc0\xd4\xc0\xd4\xc0\xd4\xc0\xd4\x3d\x8d\xa9\xc1\xd1\xc0\xd1\x7a\x94\xa3\x6d\x4a\x71\xfa\x6b\xe8\x8c\x40\x7c\xc7\xe8\x08\x47\x7c\x69\x1a\xa3\x51\x5f\xb9\x28\x67\x4a\xa9\xb5\x74\xca\x51\x34\xbd\xb3\xd2\xf4\x80\xe2\xe1\x14\xff\xe2\x36\x07\xfa\xba\xc3\xd2\xa6\x9b\x94\xeb\x3e\xf1\x97\xb6\x73\x2e\x81\xa5\x4e\xd3\x49\x3a\x5e\x23\x4b\xdf\x4f\xc3\x0d\xf7\x2f\xf4\x50\x10\xa5\xb7\x28\x4a\xff\x72\x84\xa6\x84\xa8\x7c\x92\x8e\xda\xa2\xf2\x51\x6a\xe6\xfd\x13\xa1\x2b\x13\x3c\x74\xc5\x96\x94\x37\xd9\x86\xaf\x77\xe1\x84\x30\x3d\x87\xe8\x00\x37\x3d\xcd\x35\xdb\x16\x39\x7a\x90\x75\x49\x7e\x72\xc4\x61\x5d\xf6\x78\xea\xd1\x4d\x4b\x93\x10\x47\x0d\x4b\xe3\xa5\x46\x6f\x8f\xcd\x81\x14\x1d\x6c\x15\x6c\x15\x6c\x15\x6c\x15\x52\x74\x48\xd1\x21\x45\x87\x14\x1d\x8c\x1f\x8c\x1f\x8c\x1f\x8c\x1f\x8c\x1f\x52\x74\x48\xd1\x21\x45\x87\x14\x1d\x2e\x34\xb8\xd0\xba\xd0\x85\x96\x2d\x84\xab\x38\x0f\x74\x4d\x35\x21\x1e\x6f\x10\x24\x3b\x69\xf1\x3a\x50\x79\x33\x4a\xd1\x3f\xbb\x9b\xce\x0a\x29\x7a\x4e\x56\x0d\x8f\xa3\xac\xd9\x55\x12\x5d\x7f\x2e\x16\xca\xc5\x72\xc1\x5c\x9e\x09\xa1\xfa\x1b\xc7\x34\x3e\x2c\xec\x6d\xbb\xd9\xa7\xfb\xe9\x76\xe7\xf9\x97\xd6\xd2\xd1\xc3\xaa\x2c\xe5\x63\xe2\x1c\xf3\xed\xb2\x17\xde\xd3\xf6\xd9\x4b\xa2\xf5\x45\xd1\x7a\x32\xad\x5f\xe7\x38\xac\x2d\xa7\x7d\x4f\x16\x2f\x46\xb8\xc8\x3d\x5b\xa1\xc7\xc4\x6b\x7b\x91\xe6\xf9\x6b\x3b\x4b\x33\x94\xf1\x4f\xba\xe3\xec\xbe\xb5\x74\xca\xf7\x66\x03\xdf\xdf\xbd\xde\xef\xef\xcb\xd8\x40\x41\xae\xd2\xd5\x52\xf0\x2b\x3b\xc7\xce\x19\xaf\xa9\xc7\xa0\x9a\x2f\xad\xef\xfd\x39\xdf\xf6\xe8\xa7\xb6\xd7\x0f\xe9\x31\x55\xae\x94\xa4\x9c\xdc\xc2\xa8\x1e\x34\x2e\xdd\xc0\x81\xcd\xbc\x8a\x96\xe9\xd1\x1a\xff\x6d\x28\x23\x0b\xba\x08\xc7\x6e\x8b\x8e\xdd\xdf\x8a\xd0\xab\x85\x63\x77\x89\x5e\x69\x3b\x76\xdb\x6d\x72\xda\x64\xe2\x82\x2d\x59\x65\xb5\xd3\x96\x2c\xf3\xff\xdb\x51\x6f\xc9\x32\x15\x49\xad\x16\xb9\x83\x4d\x6c\xcd\x5b\x30\x69\x13\x15\x7d\x29\xb0\x41\x06\x6d\x77\x6d\x43\xa3\xfc\x6e\xf6\xeb\xff\x9c\xdc\xe3\x3c\x78\x4d\x56\x0b\xb2\xf3\xe8\xa0\xf3\xa8\xbe\xe1\xa8\xca\x85\x62\x6e\xb4\xee\x3c\x57\x2b\xfa\xbf\x6f\x18\x47\xf5\xbb\xcc\xe8\x6f\x4e\xb6\xc6\x98\x4e\xd2\xd1\x16\x56\x77\x0b\x3c\x06\x08\x26\x34\xc0\x84\x3e\xd7\x4f\xcf\xf6\xb3\x67\xfa\xa3\x4f\x5b\x50\xe1\xcd\xfd\xbd\x63\x42\x6b\x90\xaa\xde\xcf\xdc\x55\xcd\xb1\xbf\xfe\x72\xda\xc1\x80\x09\x9f\x17\x77\x98\xb3\x11\xa1\x6c\x90\x4a\xfc\xca\xb2\x52\x1e\x15\x57\xf3\x33\xb8\x5f\x46\x8b\x25\xb2\x9a\x52\x5e\x10\x51\x71\x0f\xeb\x9f\x85\xf1\xef\x25\xf3\x63\xb1\xff\x38\xec\x6f\xdb\x33\x2f\x45\xe8\xc5\x08\x7b\x21\x12\xfd\x84\xb5\x41\x7b\x7f\x64\x56\xd1\xb7\xf3\x45\x2d\x56\x50\x78\xb7\x2b\xb1\xf8\x65\xfd\x4f\xf1\xd8\x94\xeb\x29\xf8\xce\x56\x78\x77\x56\x35\xdb\x47\x3d\x2a\xe5\xf8\x83\x73\xcf\x7f\xa9\x98\x33\xb0\x8d\x5c\xca\x6b\x31\xe5\xba\xd1\xa7\xc2\x33\x5e\x91\x95\x4a\x49\x4e\xc5\xc4\x2f\xf2\x30\x46\x73\x2c\xf9\x0e\xd3\xb3\x03\xac\x9f\x8f\x6f\xe1\xb7\xe5\xd2\x17\x56\x36\x6a\x3e\xb9\xdf\x7b\x3e\xd9\xc6\x5e\xc6\xef\xba\xc3\x33\x4a\x76\x96\x66\x58\x26\x7e\xc6\xda\xee\x3d\xc4\x3f\x3a\xc3\x02\xf8\xb6\x11\x1f\xd0\x4f\x6b\xeb\xa6\xee\xdd\x7b\x28\xbb\xde\xa6\x4e\x94\xbe\x6f\x78\x67\xf7\xd2\x6e\xf6\xb5\x7e\xba\xb3\x66\xf2\x14\x95\xf1\x5b\xdd\xde\x1d\xae\xdf\xde\x89\x02\xf7\x1d\xdd\xe3\xad\x8a\x55\xd7\x38\x5f\x75\xe9\x2f\xec\x05\x9a\xa3\x73\x8d\xbe\xb0\xfc\x86\xdb\xb7\xd1\x7b\x7d\xf0\xcb\x7c\x91\xcd\x87\xf3\x32\x8b\x12\xf7\xd1\xaf\x6f\xf7\x19\xe6\x9b\xd8\xf2\x1d\xf3\xdc\xf2\x75\x7e\xb0\x33\x4f\xd2\x6b\xe8\x7b\x6a\x96\x2a\xe1\x8d\x36\x56\x2e\xd8\xfc\xb5\xb8\xf9\xfb\xdd\x48\x5b\xcd\xd0\x25\xb1\xb1\x7c\x15\x2d\xdb\x1b\xcb\x2e\xb1\x73\x7c\x1b\xd8\x98\x9d\x6b\xda\x98\xad\x63\x18\x33\x7f\xbc\xc3\xc7\xce\x85\xb1\x21\x3c\xe2\xb1\x21\xec\xac\xb9\xc3\xae\xb0\xd7\x6c\x2b\x76\x85\xd8\x15\x6e\xf0\xae\x70\x63\xd7\xd2\x81\x5b\xc3\xc6\x66\x99\x66\x66\x91\xa0\x19\xa9\x7b\xf7\x87\x5f\x4c\xd0\x11\xb1\x3f\x94\x2a\x15\x6d\x6c\x2d\x2d\x7c\xc3\x7e\x49\xa8\xf4\x29\x50\xbe\xbc\x5a\xd2\xe4\xaa\xc6\x7e\x3c\xc1\x3e\x3c\x40\x5b\xf5\x0b\x2f\xad\xa5\xa3\xd7\x0d\x0d\x5b\x39\x5f\x5c\x2b\xe6\x57\xa5\x92\x33\x24\x52\xb2\xf4\xa2\x4b\x46\x13\x4b\x72\x35\xe5\x50\x05\x4d\x5a\x7a\xa2\x21\xde\xce\x90\x1d\xaf\xe1\x12\xe0\x2b\x15\xd9\xd2\xfc\x6a\x55\x59\xca\xa7\x92\x0f\xf2\x0b\xa6\x2a\x15\xcd\x19\xf1\xe7\xf8\x9d\xf9\xa2\x56\xed\xf2\x0c\x57\xd9\xa7\x68\x41\x7c\x33\x73\x74\x8e\x7f\x33\xbc\xe4\x4d\x0b\xd3\x24\x8f\x48\x3d\xbb\x26\x97\x83\xbf\x94\x7d\xde\x5f\xca\x0e\x46\xfc\xc6\x44\xf8\xe6\x23\xc1\x5f\xcb\x08\x4b\x1a\x1f\x87\xfe\x2e\x18\x5f\x83\xa3\xff\xdd\xac\x04\xb9\xbc\x90\xcb\x2b\x8b\x78\x33\xc4\x9b\x21\xde\x0c\xf1\x66\x3d\x13\x6f\x96\xed\x9a\x70\xaa\xd0\xef\xa4\xe5\x38\x9f\x2c\xe2\x7c\x10\xe7\x83\x38\x1f\xc4\xf9\x20\xce\xa7\xf3\x71\x3e\x9b\x50\xa2\x9c\xed\xe9\xd8\x89\x2c\x62\x27\xda\x17\x3b\x91\xed\xfa\xd8\x89\x4d\x98\x7e\x8c\x7d\x64\x8c\x98\x3e\x74\xee\xb4\xf6\xec\xdd\x63\xec\xaf\x1f\xb2\xeb\xbe\x0e\xad\x9f\xc0\xde\x42\x7a\xc9\x5d\xfa\x89\x35\x35\xa7\xbb\x9c\xeb\x21\x73\x3d\x68\x17\x32\xd7\x83\x76\x81\x76\x81\x76\xf5\x10\xed\xea\xa2\xe4\x41\x5d\x43\xbb\x90\xd5\x06\xb4\x0b\xb4\x0b\xb4\x0b\xb4\x0b\x99\xeb\x91\x76\xe3\xd6\x41\x47\x5d\x9f\x76\x63\x53\x66\xae\x7f\x42\xa4\xb7\x1e\xe7\xe9\xad\xfb\x1e\xb9\xc0\x26\x68\x9c\x52\xfe\x1a\x42\x45\x95\x53\x6b\xe9\x94\xc5\x85\x1a\x4a\x5d\x7f\x21\x58\xdb\x94\x60\x83\xb5\xa5\x2a\xad\xdf\x70\x57\xaa\x0c\xc8\x83\x1f\xff\xdd\x6d\x36\xf2\x62\x56\xe2\x7a\x9b\x6e\xdd\x25\xfe\xd6\x2e\xbe\x25\x70\xd4\x19\x3a\x45\x27\x6a\xe4\xd8\x23\x94\x6c\xbc\x5f\x21\xc0\x46\x70\x4b\x8b\xc1\x2d\x5f\x8d\xd0\x49\xf1\x4d\x1f\xa6\x83\xfc\x9b\x4e\x51\x53\xef\x9e\x48\x57\x9f\xe6\xe9\xea\xad\xf8\x95\x66\xdb\x98\x16\x29\xef\x4f\xd0\xa4\x23\xe5\x7d\xb3\x8d\x74\x89\x61\xe1\x29\xf0\xc3\x17\x05\x7f\x7a\x88\x5e\x61\x62\x7b\x21\x07\xd6\xd7\x36\xc5\x9c\xac\xb1\x9f\x1f\x62\xcf\x0c\xd8\x76\x4c\x6b\x50\xf3\x2b\x2e\x0f\x49\xef\x3b\xc8\x2f\x10\x76\xd2\x68\x59\xb7\xf6\xb3\x8a\x3a\x55\x2a\x59\x7d\x18\x5e\x10\xcd\x2d\xa4\xf8\x9d\x0b\x7e\x2f\x07\xd9\x83\xb5\xef\xa5\xd1\xc9\xee\xb7\xb2\x11\xf1\x30\xb4\xbe\xf0\x7e\x40\xeb\x0b\xef\x07\xbc\x1f\xf0\x7e\xf4\x90\xf7\x03\x5a\x5f\x68\x7d\xe1\xfd\x80\xf7\x03\xde\x0f\x78\x3f\xba\xc2\xfb\x01\x25\x2e\x94\xb8\x9b\xc5\x9d\x02\x25\x6e\x3b\x94\xb8\xbf\xbe\x83\x96\x8c\x38\x7f\x03\x0a\xf1\x56\x6a\x13\xc1\xf9\x84\xfd\x97\x94\x9c\x54\xd2\x56\xb9\xb5\x92\x72\x39\x59\xd3\xf4\x1d\x85\x7c\x5d\x63\x7f\x76\x5b\xfc\x3b\x5b\xe8\x2e\x57\xa3\x56\x0a\x9d\x07\x2c\x2f\xc7\xbc\xde\xc0\x92\x68\x60\x8a\x37\xb0\xc8\x1b\x48\x9e\x10\xa7\x4c\x39\xaf\x37\x72\xe4\xd8\xa1\xfc\x7e\x57\x6f\x70\x56\x30\x77\x4f\x9a\x89\x2b\xfc\x6e\x36\xfb\x8b\x7d\xf4\x3a\xc1\x9e\xbf\x87\x1e\x77\xb0\xe7\xf5\x93\x63\x34\xf7\x23\xfe\xe9\x18\x9b\xca\xc8\xd1\xe4\x8f\x36\x9f\x56\xaa\xb9\x1f\x30\xe9\x65\x53\x69\xf0\xbc\xde\x73\x83\x67\xfa\x3e\x48\x5d\xce\x8f\x40\xf6\x0e\x6f\xd8\xfa\xde\xb0\x2c\xbc\x61\x3e\xde\xb0\xcd\x17\x7e\xc5\x7e\x61\x94\x1e\x16\x93\xc8\xe5\x92\x72\x5d\xef\x2e\x55\x29\xa5\x2c\x42\x5c\x3b\x99\x54\xd4\xa2\xa2\x16\xab\x37\x4a\xf2\x9a\x5c\x72\xb1\x43\x33\xad\x28\xfb\xfa\x08\xfb\xeb\x7e\xda\xe3\x68\x6e\xca\x6c\xcd\x9a\x45\x46\x79\x5e\x51\x37\xee\x5c\x30\x9a\x9e\xd7\x9b\x9e\x76\x36\x9d\x3c\xa6\x9f\x3e\xeb\xd1\xa0\x31\xad\xf8\x5f\xba\xb1\x19\x45\x9d\x5d\x6a\x1a\x44\xff\x7b\x0d\xf4\xf4\x7c\x5f\xb0\xad\x7c\x15\x5b\x36\x6c\xe5\x7a\xc3\x69\xd8\xcc\x75\x6e\xa5\xde\x6a\xae\x9f\xce\x34\xfa\x37\xdb\x03\x86\x7c\xdc\xcc\x31\xda\xf0\xa8\x9f\x30\xae\xe8\x82\x81\x6f\x7a\x1d\xd1\xdc\xc8\x43\x80\x01\x01\x46\xeb\xd9\x45\x9b\x5f\xaa\x85\x64\x97\xda\x69\x0c\x1b\xcc\x2e\xba\x91\x26\x31\xf9\x57\x77\x04\xd8\xbc\x7d\x46\xc1\x3a\x69\x3d\x33\x77\x5c\x9c\xd4\x0d\x56\xee\x51\x5a\xa4\x05\xa7\x95\x4b\x66\xe8\x4c\x0b\xea\x85\x19\xfe\x44\x8f\x70\x0f\xb0\x06\xe3\x16\x64\xdc\x50\x0b\xbb\x23\xb5\xb0\x51\x04\x15\x45\x50\x51\x04\xb5\x5d\x45\x50\xb3\xcf\x47\x42\xae\x04\xb9\x28\xc8\x9a\xbe\xaa\xb0\xc9\x5a\x9b\xab\x4b\xc6\xbc\x97\x1b\xdb\xd9\x56\xd1\x4d\x1b\xbb\xe2\xc8\xfc\xd5\x8e\x80\x15\xc7\xb1\xba\x0c\xe7\x0d\x6f\xb7\x26\x79\x2a\xdd\x0d\x5e\x86\x20\xb7\x79\xaf\x2d\x7e\x90\xdb\x1c\xb9\xcd\x37\x57\x6e\xf3\x90\xa9\x5e\x60\x6e\xf3\x8d\x9c\x71\xb2\xe7\xe8\x2c\x9b\x8e\x4f\x59\x48\x7b\xd0\x99\xe5\xdc\xbf\xa5\x0e\xa4\x39\xff\xc1\x27\x69\xb8\x3e\x11\x91\xcb\xc7\x29\x00\xf5\x35\xa9\xa2\xb1\x2f\x3d\xc1\xbe\xd3\x78\x7e\x22\xf1\x2c\x0f\x4b\x95\xe4\x5e\x8f\xfc\x44\x79\xeb\x70\x97\xc7\x23\x20\x53\x11\xb4\xfa\xc8\x54\x04\xad\x3e\xb4\xfa\xd0\xea\xf7\x90\x56\x1f\x99\x8a\x90\xa9\x08\x5a\x7d\x68\xf5\xa1\xd5\x87\x56\xbf\x2b\xb4\xfa\xc8\x54\x04\x69\x3d\x32\x15\x6d\x1e\x69\x7d\xab\x99\x8a\x2c\x2e\xd4\x50\xa6\xa2\x80\xe4\x42\x2d\x26\x1c\xb1\xee\xc1\x95\xda\x21\xfe\x15\xcf\x4c\x45\x36\xe7\xba\xdf\x33\x53\x51\x1b\x48\xd7\xcd\xe5\x2c\xb2\xee\x07\x8e\x15\x48\xe6\x3a\x9c\xb3\xc8\xfe\xb2\x5a\xcf\x59\x64\xb7\x71\x13\x39\x8b\xec\x46\xda\x93\xb3\xc8\xdb\x84\x04\xc5\x4d\x24\x3f\x35\x62\x9b\x98\xfb\x0c\x95\x82\x43\xf2\xa1\x5c\x76\x98\x9b\x61\x71\x5c\x98\x9b\x69\xeb\xa4\xf6\x1b\x9e\xf6\x48\xdc\x80\x58\x81\x58\x81\x58\x81\x58\x7b\x07\xb1\x62\xf9\x15\xb0\xfc\xea\x1e\x06\x0d\x79\x71\x47\xe4\xc5\x40\xfd\x40\xfd\x40\xfd\x40\xfd\x40\xfd\x3d\x8d\xfa\x11\x65\x82\x28\x13\x44\x99\xb4\x2b\xca\x04\x9e\x34\x78\xd2\x7a\xd5\x93\x96\x2d\x84\x1c\x60\x15\x44\x8f\x93\xde\xc0\x77\x17\xdb\x29\xbe\x66\xdb\xd2\x86\xeb\xac\xda\x8c\x79\x54\x7e\x69\x98\x1e\xb1\x92\x71\x29\x5a\x4e\x2a\x15\xcb\x85\xb1\xb5\x89\x15\xb9\x2a\x4d\x18\x19\xf7\x7d\x54\xea\xbc\xd7\x95\x72\x55\x2a\x55\x94\xbc\x79\xb5\xac\x6a\xec\x4f\x12\xec\x3b\x03\xb4\xcb\xd1\xe0\x25\xa3\xc1\xe8\x9b\x23\x8d\x65\xe9\x3f\x6f\xb5\xbd\xa0\xe4\xa7\xac\xb6\x43\xca\xda\x7f\x82\x5f\x30\x65\xdf\xdf\xb2\xb8\x3d\x1b\xe3\xfb\xfc\xfe\x7c\x51\xab\x76\xb9\x76\x7e\x43\x72\xf9\x37\x92\x80\xff\x6a\x21\xf8\x53\x9b\x61\x19\x3b\x65\x96\x39\x38\xc6\x37\xe7\x33\x24\x8e\x2f\x50\x0c\x22\x32\xfd\x23\x7a\x00\x99\xfe\xe1\xda\x82\x6b\x0b\xae\xad\x5e\x72\x6d\x21\xd3\x3f\x32\xfd\xc3\xa5\x00\x97\x02\x5c\x0a\x70\x29\x74\x85\x4b\x61\x13\xe2\x10\xd4\x12\x00\xa6\x45\x2d\x81\xcd\x13\xf0\xc0\x9e\x1e\xa6\x8b\x02\x5f\x6a\x55\x45\x95\x0a\x72\x6d\xe2\xe7\x75\x09\x66\x4e\xb7\xf2\xfc\xb2\x9c\x54\x91\x72\xc5\x6a\x51\xd6\xd8\xe7\x12\xec\xeb\x03\x74\xbb\x71\xc0\xca\x50\xf5\x2f\x1a\x03\x97\xd3\x4b\x73\x4b\xe2\xca\x69\xd1\xe4\x8d\x90\x98\xe5\x01\x7e\x81\xd1\x76\x5d\x59\x82\xfa\x9f\xdd\x1c\xa8\xd2\x37\x45\x6b\xe8\x0c\xd3\x44\x95\x72\x30\x85\xcc\xb0\x33\x06\x85\x74\xbf\x54\x26\xfc\xaf\xeb\x6b\x8f\xb4\xd3\x28\x49\x0a\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\xd9\x5b\xa0\xf2\xed\x49\x7a\xa5\x00\x95\xf9\xa2\x96\x53\x74\xb3\xda\x14\xaa\x94\xcb\xf9\x8a\x52\x2c\x57\xb5\x52\xd1\x3a\xf4\x46\xf6\xb1\x61\xf6\xf6\x2d\xb4\xd3\x6a\xd2\xa2\x95\x1f\x31\x74\x96\x4e\x46\x59\x36\x0d\xaa\x99\x2d\xf8\xac\xd1\xe6\x92\xde\x66\x28\x98\x72\xc4\x5e\x42\xf1\x65\xa2\x31\xe1\xea\xab\x30\x7b\x6d\x38\xe4\x5a\x8e\x3b\xda\x4e\x25\x47\xf8\xcf\xcd\x98\x8f\x53\x87\x39\x5d\x77\xdc\xfd\x74\xb3\xf3\x42\x4c\xff\xa4\xdc\xd7\x45\x52\xee\x95\x60\xfc\x79\x9a\x9d\x34\xf0\x67\xed\xab\x6a\x00\x50\xd7\x28\x78\xe4\xde\x06\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\xec\x2c\xd6\x9c\xa4\xa3\xec\x70\xfc\xa0\x85\x35\xef\x75\xd6\x40\x72\x6d\xe2\xea\xcb\x1e\x01\x89\x02\x89\x02\x89\x02\x89\xb6\x11\x89\xfe\xe9\x30\xcd\x0a\x24\x2a\xbf\xa1\x2a\x97\xf9\x50\x35\x06\x43\x8b\xe5\x82\x2a\x6b\x9a\xcd\x41\xdf\x33\xcc\xbe\x33\x40\xcc\x6e\xc7\x02\xa1\x1f\x6c\x04\x84\xce\x89\xf6\xba\x02\x81\x8a\x9f\x3b\x6b\x3d\x49\x1d\x03\x35\x6e\x16\xf4\xb3\x05\xfa\xb9\x1c\x4c\x3f\x0f\xb0\xb4\x41\x3f\xed\xb7\xc9\xe0\x9e\x46\xcf\x83\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x6e\x38\xf1\x3c\x48\x13\x6c\x3c\x9e\xb2\xa8\xe5\x2e\x27\xf1\x34\xb6\x6f\x60\x9d\x60\x9d\x60\x9d\x60\x9d\x1d\x65\x9d\x6f\xdd\x4f\x27\x05\xeb\xbc\x5c\x52\xae\xeb\x93\x84\xaa\x94\x52\x16\x74\xa8\x95\x82\xea\x27\x69\xb9\x2b\xf2\x35\xc9\x42\x9c\x9f\x48\xb2\x0f\xf5\xd3\x1e\xc7\xe5\x53\xe6\xd5\x16\xec\xdc\xab\xca\x52\xbe\x66\xc7\x3c\x5b\x52\xae\x2f\xf1\xa6\x92\xc3\xfa\xe1\x59\x8f\x06\x0c\xc6\x68\x9f\x1a\x6e\xf1\xaa\xac\x4c\x59\xc1\x02\xa7\x69\x8a\xb3\xc0\xe3\x74\x8c\x8e\xf8\xd6\x0b\x73\x76\x91\xf1\x68\x29\xfb\xde\x02\x29\xe0\x5e\x6f\x0a\xf8\x32\x36\x50\x90\xab\x74\xf5\xa9\x60\x06\x78\x9e\xcd\xd6\x31\x3e\x03\x0a\xae\x37\x7c\x06\x26\x74\xdc\x6a\xf4\x87\xb6\x07\x0c\x59\x4c\x95\x2b\x25\x29\x27\xfb\x8f\xda\x88\x71\xc6\x06\x0c\x5c\xe6\x61\xba\x40\x73\x35\xe5\x0e\x5b\x1f\x39\x14\xdf\x41\xed\xc3\x16\x6b\x1f\xfe\xf7\x48\xa8\x26\xe4\x11\x51\x08\xf1\x3c\xcd\xda\x85\x10\x37\xc8\x26\x55\x56\x1b\xb6\x49\x2d\x99\xa0\x3a\x43\x96\xfc\xf8\x1d\x01\x36\x69\x97\x91\x44\x5f\x72\x9a\xa1\xfd\xe2\x8f\x1b\x61\x85\xda\x53\xfb\x10\xc6\x28\xc0\x18\xa1\xfe\x56\x47\xea\x6f\xa1\xf0\x0a\x0a\xaf\xa0\xf0\x4a\xbb\x0a\xaf\x64\x9f\x8f\x84\x5c\x7d\x62\x51\x14\x40\xbe\x40\x73\x8e\x02\xc8\x6d\xae\x68\x11\xf3\x5e\x3e\x6c\x67\x5b\x45\x37\x75\x76\x05\x91\x79\x6e\x47\xc0\x0a\x62\xb8\x22\xa9\xd5\x22\x77\xb5\x8a\x7d\xb4\xff\xf6\x26\x59\xd1\x37\xcb\x1d\x5e\x56\xec\xae\x6d\x68\x94\xdf\xc5\x7e\xfd\x9f\x93\x7b\x9c\x07\xaf\xc9\x6a\x41\x76\x1e\x1d\x74\x1e\xd5\xaa\xaa\x54\x95\x0b\xc5\xdc\x68\xdd\x79\xae\x56\xf4\x7f\xdf\x30\x8e\xea\x77\x99\xb9\x48\xf3\x94\xad\xd9\x58\x4d\xd2\xd1\x16\xde\xa0\x05\x2e\x48\xc0\x62\x26\x60\x31\xf3\x5c\x3f\x3d\xdb\xcf\x9e\xe9\x8f\x3e\x6d\xcd\x08\x6f\xee\xef\x9d\x9d\x55\x8d\x0f\x47\xef\x67\xae\x49\xe0\x7e\x46\xfd\xe5\xb4\x95\x49\x09\x9f\x17\x77\x98\x4f\x6c\x42\xc2\x22\x95\xf8\x95\xfa\x0a\x4e\x5c\xcd\xcf\xe0\xab\x29\x2d\x96\xc8\x6a\x4a\x79\x41\x48\x74\x1e\xd6\x3f\x0b\xe3\xdf\x4b\xe6\xc7\x62\xff\x71\xd8\x7f\xcb\x97\x79\x29\x42\x2f\x46\xd8\x0b\x91\xe8\x27\x2c\xcc\xf7\xfe\xc8\xac\xa2\xe6\xf8\x42\xaf\xa0\xf0\x6e\x57\x62\xf1\xcb\xfa\x9f\xe2\xb1\x29\xd7\x53\x70\x80\x2b\xd6\x64\xab\x9a\x2d\x46\x18\x95\x72\xfc\xc1\xb9\xc4\xa3\x54\xcc\x19\x73\xae\x5c\xca\x6b\x31\xe5\xba\xd1\xa7\x42\x02\x51\x91\x95\x4a\x49\x4e\xc5\xc4\x2f\x72\x4d\x95\x39\x96\x1c\xa4\x7a\x76\x80\xf5\xf3\xf1\x2d\xfc\xb6\x5c\xfa\xa0\xce\x52\x30\x7f\x2d\x5c\x45\x68\xe1\x1a\x9b\x31\x82\x67\x83\x46\xe6\x94\xec\x11\x3a\xc4\x0e\xc4\xd3\x96\x8b\xe5\x15\x4e\xc7\x8c\xdd\x7a\xbd\x6f\x26\xf4\x82\x47\xff\x7d\x98\xc6\x04\x89\x2d\x2b\xf9\xba\x74\xa1\xea\x6a\xb9\x5a\xbc\x26\xe7\x4a\x92\x53\x5e\xfa\x03\xc3\xec\x4d\xfd\xb4\x43\xbf\xc0\x9a\xe2\xee\xf7\x60\xad\x8b\xe2\xea\x69\xfd\xea\xe4\x6e\xfd\x84\x8b\x4a\xde\x4c\xd6\xe9\x3c\x18\x32\x5f\x7d\x1d\x9d\x15\x6f\xd6\x29\x3a\xc1\xdf\xac\xc3\x74\x90\x26\x7c\xdf\x2c\xfe\xe0\xe6\x2b\xe5\xbc\xad\x9b\x45\xab\x4f\x04\xbf\x52\xc7\xd8\x11\xe3\x85\x71\x74\xbf\xb1\xe6\x70\xdd\x4a\xdd\x7b\x16\xfd\xbd\x6d\x35\x43\x10\xf7\x66\xa7\xae\x51\xb8\xcf\x38\xa7\x23\x03\x91\x39\x4f\xb3\x34\x53\x33\xad\xb7\x34\x12\x98\xd0\x81\x4a\x5b\x44\xa5\xcf\x46\xc2\xb2\x06\x59\x41\x49\xf5\xe9\xca\xa2\xa4\x9d\xb7\x2c\x1c\x90\xb6\xd5\xb2\x24\xdf\x79\x47\x8d\x65\xb9\xcb\x22\xa0\x2e\x63\xb2\x57\xfc\xb9\x33\xb6\x04\xd4\x13\xd4\x13\xd4\x13\xd4\x13\xd4\x13\xd4\x13\xd4\xd3\x9b\x7a\xb6\x75\x59\x90\xf9\xee\x6d\x35\xcb\x82\xfd\x01\x58\xd3\xb5\x58\xd8\xc3\xf7\xd9\x6d\x5f\x2b\x00\x65\xf6\xda\x0a\x05\x28\x13\x28\x73\x83\x51\x66\xc7\x80\x53\x20\xc5\x6c\xeb\x0c\x90\x3d\x46\x47\xd8\xa1\xf8\x01\x0b\x5b\xde\xe3\xc4\x96\xce\x6b\x3b\x00\x2e\xbf\x9e\xa4\x73\x06\xb8\x94\xab\xd7\x15\x55\xff\x58\x6b\xf1\x65\xa3\xf1\xf2\x3f\x92\x64\xff\xbe\x9f\x98\xdd\x90\x35\xc5\x45\x3d\xb0\xa6\x21\x9c\x4f\x0e\x72\xa2\x69\x5d\xd3\xf6\xc8\x74\x01\x37\x25\x9a\x15\xef\xda\x69\x3a\xc9\xdf\xb5\x23\x74\x88\x0e\xf8\xbf\x6b\x76\xe7\x98\x6f\x9c\x19\xb7\x1d\xf4\xb2\x3d\x19\xfc\x2e\x4d\xb2\xa3\xe6\xbb\x54\x3b\x08\x41\x41\xe2\x01\xf0\x34\xfa\xbf\xb7\x79\x0e\xc8\x5e\x6f\xc8\x69\x8e\xc9\xb0\xc9\x37\x3b\x3c\x2c\x99\x39\x3a\x47\x67\x6b\xa6\xfd\xd6\xc6\x05\x33\x3e\x58\x67\x8b\xac\xf3\x83\x91\xd0\x8c\xc3\x05\x01\x3b\x67\x28\x63\xc3\xce\x5b\xcf\xd2\x54\x56\xab\x94\x7c\xdf\x1d\x9e\x96\x66\xa7\x09\x3d\xcb\x96\x75\x49\x18\xc0\xb3\xd3\xc6\x05\xec\x13\xec\x13\xec\x13\xec\x13\xec\x13\xec\xb3\x37\xd9\x67\x9b\x57\x08\x81\x68\x35\xf3\xef\x76\x78\x2e\x12\x06\x03\x10\xa8\xb9\x72\x18\x12\xf4\xb3\x83\x0b\x07\x80\xd0\x5e\x5b\xae\x00\x84\x02\x84\x6e\x30\x08\xed\x1c\x9c\x0a\x24\xa1\xed\x9d\x31\x7a\x26\xb5\x06\xfb\xc8\x30\x4d\x0b\xce\xaa\xae\x48\xb9\x94\x39\x12\xfc\xdb\xb1\x79\xab\x91\xa0\x34\x57\x5a\xd5\xaa\xba\x45\x2c\xc9\x2b\xba\x31\x2e\x17\x2c\xc6\xfa\xe7\x09\xf6\xe3\x5b\xe8\x4e\xbd\x91\x29\x67\x1b\x97\xd6\xd2\xd1\x8f\x36\x92\x95\x74\x5a\xb4\xbd\xa8\x94\xe4\x8c\x68\xbb\x2b\x12\x94\x26\xf9\xcf\x2d\xd6\x3e\xd6\x72\xba\xfe\x7e\x91\xa3\xb4\x85\x1c\xa5\x4d\x45\xf2\xf8\xbe\xa2\x66\xad\xfa\xba\x31\x71\x7e\xda\x48\x5c\x8a\xc4\xa5\x48\x5c\x8a\xc4\xa5\x48\x5c\x1a\xd4\x2d\x48\x5c\x8a\xc4\xa5\x48\x5c\x8a\xc4\xa5\x48\x5c\x8a\xc4\xa5\x48\x5c\x8a\xc4\xa5\x61\x27\x2e\x3d\x4d\x27\xd9\xf1\xf8\x31\x8b\x93\xdc\xe7\xa4\x2b\xf5\x9b\xb8\xf6\xcb\xcd\x90\x61\x14\x19\x46\x91\x61\x74\x13\x65\x18\xfd\xa1\x61\x3a\xd1\x0a\xb6\xb4\x78\xe5\xa7\x13\xec\xdf\xf8\xf1\xca\x9f\x6b\x92\x57\x76\x05\xa8\xdc\xd7\x00\xa8\xec\x7e\x42\xe9\xc7\x13\xc3\x47\x97\x26\xa1\xcc\x07\x03\xc8\x29\x76\xda\x89\x11\x9b\x87\x91\x14\xc8\x41\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x3b\x8c\x26\x8f\xd2\x61\x76\x30\x3e\x61\xa1\xc9\xbb\x7d\xd0\x24\x98\x24\x98\x24\x98\x24\x98\xa4\x83\x49\xfe\xd4\x30\x4d\x05\x33\x49\x67\xc1\x77\x2f\x30\xf9\x87\x09\xf6\x23\x5b\xe8\x5e\x2f\x30\x29\x62\x12\x36\x25\x9d\x4c\xf8\xd1\x49\xfe\x4c\x40\x94\xeb\x22\xca\x40\x11\x65\x31\x98\x61\xce\xb2\x99\x16\xb8\x25\x6a\xbf\x83\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x6e\x42\x4e\xf9\xb5\x21\xba\x5f\x1f\x3a\x5b\x20\x69\x66\xcb\x28\x57\xd7\x94\xd2\xea\x35\x59\x63\xbf\x3a\xc4\x3e\x32\x40\x5b\x73\x8a\x2a\x5f\x5a\x4b\x47\xff\xb9\x31\xf3\x95\xf3\xc5\xb5\x62\x7e\x55\x2a\xb9\xe8\xa3\xb5\xca\x5c\xb0\xda\x59\xe6\xed\x84\x82\x1e\x53\xc9\xfb\xf9\x05\xd3\x8a\x2a\x2f\xa7\x6b\x7f\x62\xbe\xa8\x55\xbb\x9f\x19\x76\x3e\xf0\x7a\x9f\x37\x33\xdc\xc1\x88\xdf\x98\xde\xd5\x74\x75\x31\x98\x1b\x8e\xb1\x51\x83\x1b\xc6\xe3\x06\x20\xac\x1d\x02\xc4\x58\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x6e\x24\x20\x04\xe6\x03\xe6\x03\xe6\xeb\x61\xcc\xf7\x27\x43\xb4\xc7\x8d\xf9\xcc\xab\x5e\xbf\xaa\x54\x25\x8d\x7d\x6a\x88\x3d\xef\x60\x7c\x37\x1a\x63\x7c\xe6\x56\xee\x95\x7a\x23\x21\x01\xbe\x11\x07\xe0\x73\xb5\x3f\x5f\xd4\xaa\xb3\x8a\x3a\x55\x2a\x59\xa9\x94\xc3\xcb\xa1\xdc\x6b\xb4\xef\x91\x60\xda\x37\xc2\x92\xb5\xb4\xcf\x35\x1e\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x1b\x82\xfa\x7e\xa2\x9f\xf6\x8b\xc8\x63\x29\xaf\x2f\x65\x8b\x4a\x59\x95\x0b\x45\x5e\xdb\xcb\x23\xf8\x98\x7d\xb3\x8f\xfd\x75\x1f\xed\xf5\x3c\xd9\x8a\x33\xbe\xbb\x20\x57\xdd\xb3\xb0\x78\xbe\xe4\xfe\x82\x5c\x9d\xf2\xba\xd4\x88\xe6\x9d\x5a\x98\x33\x37\x81\x21\x16\x3c\xab\x6b\x68\xb2\xae\xa1\xc9\x46\x1a\xca\x56\xe8\x31\xc1\xe7\x2e\xd2\x3c\xe7\x73\xb3\x34\x43\x99\x16\xf8\x9c\xe3\x39\xe7\x8b\x5a\x20\xa4\x63\xff\x32\x41\x43\xc6\x28\x55\x2a\x9a\x23\x3d\xa5\x52\xae\xaa\x8a\x3e\x75\xe9\x3b\x39\xfe\x9d\xb1\x2f\x0c\xb1\xdf\x1a\xa0\xad\xfa\x89\x97\xd6\xd2\xd1\x7f\xd1\x18\x9b\x9d\xb6\x5a\x5a\x34\x5a\x0a\x09\xd0\xa6\xf9\x05\x53\x95\x8a\xb6\x9c\xae\xff\x11\x50\xda\x10\x29\xed\x72\x30\xa5\x3d\xc0\xd2\x06\xa5\xd5\xdf\x0f\x33\x6c\xbb\x6e\x58\x00\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x37\x04\xd6\xfe\xf2\x30\x1d\x72\xeb\x32\xad\x4a\xdf\x46\x12\x48\xfe\xef\x37\x8e\xc9\xe5\x7c\x45\x29\x96\xab\x56\x6a\xc8\x37\x0f\xb3\x2f\x39\x04\x9b\x1f\x6a\x24\x11\xe4\x59\xb3\x91\xae\x48\x03\x79\x9f\x43\xe8\x69\xb1\xc2\xbc\x75\x8f\x80\x86\x2d\x54\xd0\xbe\x10\x0c\x0c\x13\x6c\xb0\x56\xd6\x69\xf5\x39\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\xe1\x46\x52\xc2\xc3\x74\x90\x4d\xc4\xc7\xad\xf4\x8e\x77\x39\xd3\x3b\x5a\x7b\xb7\xfa\xe4\x8e\xaf\xa3\xd7\xb2\x27\xe2\xaf\xb6\xae\x9b\x34\xee\x98\x5f\xae\x0f\x83\xbe\xc1\x8c\x69\x39\xa5\x22\x8f\xc4\xb4\xd5\xdc\x15\x7d\xd4\xf8\xca\x57\x96\xae\x09\x1a\x52\x51\x15\xde\x43\xf1\xed\x16\x8b\x40\xfa\x48\xf0\x4b\xf0\x4b\xf0\x4b\xce\x2f\x7f\x72\x98\x52\x42\xc6\xa8\x55\x15\x55\x2a\xc8\xb5\xf2\xd2\x9c\x56\xcc\xab\x45\x7d\x14\x4d\x70\xf9\x37\x09\xf6\xa6\x7e\xba\xdd\x38\xdf\x52\x98\xee\x51\x65\x29\x5f\xb3\x2f\x9e\x5e\x9a\x9b\xe1\x17\x27\x77\xeb\x47\x97\xc4\x25\x66\x9d\x18\xf3\x60\x78\xb2\x52\xce\xf5\x5e\x47\x67\x05\xd7\x3b\x45\x27\x38\xd7\x3b\x4c\x07\x69\xc2\x8f\xeb\xa5\xcc\xe7\x36\x9e\x23\x65\xdd\x56\x20\xcc\x7b\x22\x98\xd5\x1d\x63\x47\x0c\x56\xe7\xee\x5e\x53\xe6\x67\xfd\x56\x5d\x6d\x96\xab\x7b\xbd\x51\xe1\xcb\xd8\x40\x41\xae\x52\xf4\xf7\xb6\xd5\x0f\xc1\xfd\xaa\x5c\x29\x49\x39\xd9\x77\x14\xee\x33\x4e\xe8\xc8\x40\x64\xce\xd3\x2c\xcd\xb0\x81\x15\x25\x7f\x23\xca\xff\x37\x16\x49\xb6\x34\x12\x99\xf7\xf4\xd1\x7f\xe9\x63\xff\xb9\x2f\xfa\x9f\x2c\xbb\xfa\xed\xc8\xe3\xfa\x04\x65\xcc\xd9\x23\x5c\x4d\x9b\xd3\x77\xe6\xc2\x10\xba\xf6\x89\x4e\x76\xb8\x22\xc7\xcc\x04\xa9\xf9\x54\x6c\xaa\x1c\x2b\x96\x05\xa1\x51\xd4\xd8\x6a\xd9\x82\x3c\xf9\x58\x5e\xbd\xb1\xb8\x5a\x8e\xe5\x8b\xaa\xac\x7f\xfd\xb2\x45\x0e\xf4\x05\x00\x5f\x61\x19\xe8\xc4\xdc\x28\x19\x9b\xd5\xd8\xe5\x55\x95\x2f\xc6\x2b\xaa\x92\x93\x35\xbe\x14\x32\x8c\x8d\x31\x93\xa5\x62\xcb\xfc\x17\xf9\x26\x87\xaf\x5d\x26\x63\xa3\xb1\xa9\x52\x69\x92\x2f\x74\xf2\xea\x8d\x98\xba\x5a\xd6\x37\xd1\xba\xb9\x30\x57\x77\x46\x73\x72\x3e\xfe\x32\x71\x6b\x0e\xdb\x98\x79\x57\x1f\xfd\xc7\x3e\xf6\xf6\xbe\xe8\xbf\xb3\x3a\xe8\xcf\x22\x7c\x6d\xfc\xb0\x54\x96\x0a\xb2\x2a\x76\x79\x62\xe1\xa0\x69\x4a\xae\xc8\x17\x2e\xd6\x7e\x4a\xe2\x1b\x52\x45\x8d\xe9\xeb\xda\xea\x0d\x6b\x25\x77\x4d\x7a\x4a\xbf\xff\xea\x15\x59\x93\x4d\x03\xa6\x1b\x55\x93\x74\x71\xd8\xb3\x22\xc7\xb8\xe9\xe4\x7b\x27\x45\x8d\xa5\x27\x8e\xea\xe7\xaa\x52\x8e\x23\xb9\x92\x52\x2e\x08\x73\xc5\xf7\x37\xfa\x52\x54\x2a\x96\xc5\x2a\x82\xef\x1f\xec\x73\x39\xa6\x30\x80\xa1\xbe\xeb\x35\xa7\xa0\x82\x52\x92\xca\x85\x94\xa2\x16\xc6\x2a\x4f\x15\xc6\x56\xcb\xc5\x9c\x92\x97\xc7\xf6\xcd\x69\x0b\x7a\x2b\xa9\xf8\x0e\xe7\xb3\x3a\x27\x8d\x67\x23\x61\x59\x83\xac\xde\x4c\x9a\x4d\xd3\x14\x6d\x9d\x16\x2b\xf6\x5b\xce\xb2\x54\x56\xab\x94\xfc\x57\x77\xd4\x5b\x16\x26\x76\x23\x31\xc9\x61\x4c\xf6\x8a\xbf\x75\xc6\x96\x3c\x4a\x8b\xb4\xe0\xb4\x25\xc9\x0c\x9d\x69\xc1\x57\x33\xc3\xef\xf9\x11\x4e\xbc\x35\xd8\x95\x20\xbb\xf2\xb5\x3e\xfa\x6a\x1f\xfb\x72\x5f\xf4\x8b\x56\x07\x7d\xb8\xef\x51\xe7\x3a\xaa\xa8\x2f\xe7\xf9\x5a\x28\xb6\x22\x5f\x16\xde\x1e\x6b\x6b\x65\xbb\x14\x8c\xdd\x2c\xbf\x45\x87\xdd\x28\x2b\xe5\xd1\xb2\x5c\x90\x78\x47\x18\x4b\x29\xa7\x7d\x11\x90\xc5\x1a\x02\xe3\x2d\x2c\x5e\xbb\x26\xe7\x75\x0b\x56\xba\x61\xbb\x61\x6c\xf4\x5e\x2c\x8d\x18\x2b\x2c\xbe\xc6\x8c\x15\x54\x7d\x4e\xac\xc8\x6a\x51\xc9\x5b\x2b\x45\x7b\x7a\xe4\x1e\x2e\xb3\x37\x56\x35\xfd\x26\x9d\xab\x53\x49\xbf\xd2\x7c\x20\xe3\x47\x2e\x0b\xdc\x60\x36\x91\x12\xf7\x79\x4d\x96\xca\x9e\xf7\x18\x67\xfc\x16\x16\xf8\x1d\x78\xac\x1c\x33\x9f\xe9\xa3\x97\xfa\xd8\x8b\x7d\xd1\x17\xac\x6e\x7e\x6f\xdf\x8c\xc3\xc3\x5b\x29\xc9\x92\x26\x5b\x6c\x68\x41\x55\x2a\x52\x81\x0f\xc0\x82\x52\x2a\xe6\x6e\xb8\xdc\x43\xe6\xb3\xd8\x2e\x62\x7d\x94\xd2\xa9\x23\xa9\xd8\x92\x18\x10\xd1\x3b\x15\x7d\xe3\xa0\x6f\xbe\x4c\xcc\x28\xc7\x14\xb5\x72\x45\x2a\x9b\xee\x2a\x75\x55\x1e\xbb\x2c\x95\x4c\x2c\x1f\x17\x47\xe3\xb1\xcb\xc5\xb2\x54\x2a\x7e\xaf\xc9\xf7\x56\x64\x7d\x65\xca\xb7\x2a\x63\x62\x45\x9a\xb7\x99\xaf\x68\x7c\x48\xb3\x2f\x12\x20\x3c\x15\x3b\x5b\xe4\xaf\xb3\xe3\xc6\x15\xb5\xfe\xc9\xec\x6d\x5f\x55\x70\x78\xfe\xb1\x29\xd5\x2b\xa9\xf8\x1d\xe2\x7e\x66\xcc\x07\x71\xf9\xbd\x32\x6f\x1b\xa0\xb7\x0c\xb0\x1f\x18\x88\x7e\xd7\x72\x7e\xfe\x5e\xff\xe3\x06\x28\xd3\x3f\x29\x7d\xdf\x55\x90\xd4\x15\xa9\x20\xc7\x72\x4a\xa9\x24\x73\x33\x68\x7f\x17\xb2\x7a\x59\x51\xaf\xe9\x7d\xe1\x79\xa7\x8f\xd4\xfc\xb8\xff\x8d\xf2\xf7\xd9\x7c\x19\x2b\xe2\xa9\x8a\xfa\x8b\x92\x2b\xe6\x6d\xe2\xcd\xe1\x29\xf7\x3f\x58\xbd\xab\xef\xc4\x0c\xb4\x68\xe2\xd1\x94\xa3\x1b\x4d\xb0\x66\xed\xb5\x2c\x97\xa7\xfb\xc7\x52\xb1\xa9\x9c\xbe\x2d\xe3\x93\xad\xd3\x38\x0c\x89\x67\x18\x8a\x8d\x1a\x03\xef\x7e\x31\xb4\xe3\xb1\xa1\x8c\x94\x7b\x4a\x9f\x67\xca\x79\xfd\x2c\xee\x6b\xe4\x27\xd5\x74\x9c\xa0\xd9\xc6\xab\xef\x6e\xc4\x7c\x82\x15\xab\xa5\xe3\xb1\xa1\x59\x45\x95\x1d\xcd\xc6\x72\x92\x96\x93\xf2\xfa\xd3\x1b\xfd\x23\xbc\xcb\xbc\x3d\x4d\x58\xaf\xba\x06\x2f\x5b\x6d\xa4\xe2\x3b\x2b\xb5\xef\x8d\x73\x11\xf0\x81\xd0\x16\x01\x17\xf4\x66\x26\xd8\x0c\x65\x68\x9b\xe8\xd4\x36\xae\x02\x62\xde\xf3\xf4\x76\xb6\x55\x74\x0c\xb5\x77\x9d\x90\xf9\xee\x6d\xf5\x0b\x81\x44\x45\x52\xab\x45\xee\xad\x14\x1b\x51\xdf\xbd\xc6\x9e\x8a\xbe\xd9\x6c\xfb\xea\x60\x77\x6d\x43\xa3\xfc\x77\xf7\xf3\xa0\xc2\x3d\xce\x83\xd7\x64\xb5\x20\x3b\x8f\x0e\x3a\x8f\xf2\xb0\x47\xb9\x50\xcc\x8d\xd6\x9d\xe7\x6a\x45\xff\xf7\x0d\xe3\xa8\x7e\x97\x99\x8b\x34\x4f\xd9\x9a\x5d\xce\x24\x1d\x6d\x61\x6d\xb2\xc0\x9d\xf8\x58\x93\x04\xac\x49\x9e\xeb\xa7\x67\xfb\xd9\x33\xfd\xd1\xa7\x2d\xc3\xfe\xe6\xfe\xde\xd9\xeb\xd4\xf8\x3d\xf4\x7e\xe6\x7e\x7c\xee\x9b\xd3\x5f\x4e\x5b\xcd\x93\xf0\x79\x71\x87\xf9\xfc\x24\x64\x1f\x52\x89\x5f\xa9\x2f\xc4\xc4\xd5\xfc\x0c\xbe\x28\xd2\x62\x89\xac\xa6\x94\x17\x84\xac\xe5\x61\xfd\xb3\x30\xfe\xbd\x64\x7e\x2c\xf6\x1f\x87\xfd\x37\x61\x99\x97\x22\xf4\x62\x84\xbd\x10\x89\x7e\xc2\x02\x63\xef\x8f\xcc\x2a\x6a\x8e\xaf\xd7\x0a\x0a\xef\x76\x25\x16\xbf\xac\xff\x29\x1e\x9b\x72\x3d\x05\x47\x9e\x62\x69\xb5\xaa\xd9\x0e\xfc\x51\x29\xc7\x1f\x9c\xcb\x22\x4a\xc5\x9c\x31\x75\xca\xa5\xbc\x16\x53\xae\x1b\x7d\x2a\x64\x03\x15\x59\xa9\x94\xe4\x54\x4c\xfc\x22\xd7\x21\x99\x63\xc9\xd1\xa3\x67\x07\x58\x3f\x1f\xdf\xc2\x6f\xcb\xa5\xa9\xe9\x18\x62\xf2\xd7\x8b\x55\x84\x5e\xac\xad\x33\xc0\xfa\x8e\x0b\xeb\xc2\xf6\x57\xa5\x62\xef\x1c\xa6\xe3\xeb\x62\x4a\xa1\xbd\x14\x05\x6f\xa4\x6a\x55\xca\x5d\xb9\x26\x3b\xc4\x96\xbf\x93\x60\xff\x7a\x4b\xfd\x6c\xf6\x0b\x8d\x88\x2e\x45\x5d\x94\x29\xab\xd1\xae\xd0\x5e\xee\xbb\x5e\x3f\xbb\xd6\xde\x28\x04\x98\x2d\x08\x30\x73\xc1\x1f\xd4\x19\x76\x4a\x7c\x3a\xb5\x1d\x5e\xff\x05\x79\x7f\x78\x10\x66\x42\x98\x09\x61\x26\x84\x99\x10\x66\x42\x98\x09\x61\x26\x84\x99\x10\x66\x42\x98\x09\x61\x26\x84\x99\x10\x66\x76\x58\x98\x79\x92\x8e\xb3\x63\xf1\x23\x16\xdf\xd8\xe3\xe4\x1b\xb5\xbb\x3b\x14\xdf\x86\x7a\x12\xea\x49\xa8\x27\x1d\xea\xc9\xff\xf4\x24\x25\x04\x96\x2c\x2b\xf9\x3a\x26\xa9\xae\x96\xf5\xe7\xcd\x95\x24\x4d\x93\x35\xf6\x27\x4f\xb0\x1f\x19\xa4\x1d\xfa\x99\x16\x80\x4c\x8a\xa5\xa5\x6a\x4c\x8a\xa6\xd5\x34\xd1\xe3\xa2\x68\x61\x5a\x6f\x21\xb9\x5b\x3f\xf7\xa2\x92\x37\x71\x9f\xf3\x60\x97\xa3\xbe\x0c\x80\x17\x80\x57\x06\xc0\x0b\xc0\x0b\xc0\x0b\xc0\xab\x67\x80\x57\xa6\x6b\x80\x57\xe8\x77\xd2\x32\xf0\xca\x00\x78\x01\x78\x01\x78\x01\x78\x01\x78\x75\x1e\x78\x65\x7a\x1a\x30\x65\x00\x98\xda\x07\x98\x32\xdd\x0e\x98\x32\x9b\x10\x30\x65\xf3\x34\x27\x24\x52\x19\x3a\xc3\x25\x52\x93\x74\x94\x0e\xfb\x0a\x0d\x39\x85\x32\x55\x86\x4e\x3e\xd4\x48\x49\x93\xab\xf7\x79\x6b\xa3\xb6\xb2\x2d\xa2\x98\x45\x53\x5a\x43\x07\x10\x33\x6b\x0f\x3b\xee\xa7\x5e\x29\x15\xff\xe1\xed\x35\x6c\xec\x2e\x31\x1b\xc5\x24\x37\x06\xdb\x2b\xfe\xdc\x6e\x10\xd6\x5a\x08\xab\xef\x00\x40\xd6\x8d\x10\xd6\x16\x43\x58\xff\x21\xd2\x4a\xd8\x89\xef\x9b\xe8\x6b\x06\x9a\xd3\x34\xfb\xb7\xdf\x7c\xa0\xac\x6f\x5b\x2d\xc5\xc3\x36\x6b\x79\xd6\xb1\x7b\x15\x45\xab\x52\xf2\xcb\x23\x35\x96\xe9\x01\x23\xd0\xc9\x11\x35\xa6\x5c\x76\x5b\xa9\x21\x71\x8a\xc3\x4a\x4d\x5b\x27\xb7\xd1\x5e\xb5\x27\x4c\x16\xe0\x16\xe0\x16\xe0\x16\xe0\xb6\x77\xc0\x2d\x56\x6b\x01\xab\xb5\xee\x21\xdb\x48\x51\xd0\x91\x14\x05\x70\x20\xc0\x81\x00\x07\x02\x1c\x08\x70\x20\xf4\xb4\x03\x01\x99\x6a\x90\xa9\x06\x99\x6a\xda\x95\xa9\x06\xfe\x39\xf8\xe7\x7a\xd5\x3f\x97\x2d\xf8\x93\xe9\x79\x41\xa6\xcf\xd2\x34\x27\xd3\x27\xe9\x38\x1d\x6b\x81\x6a\x2e\x55\xa5\xea\xaa\x05\x95\x93\xde\xd8\x77\x17\xdb\x29\xbe\x66\xdb\xd2\xb6\xd9\xf5\xd5\x86\x74\x19\x49\x5a\x12\xba\x74\x75\x45\xca\xa5\xcc\x9e\xe4\x43\x67\xab\xd4\xd7\x2f\x58\xa6\x2a\x25\x79\x45\xdf\xd7\x96\x0b\x56\x1a\x8d\x5f\x1a\x66\xef\xdc\x42\x77\xea\x8d\x4e\x39\xdb\xbc\xb4\x96\x8e\xfe\x5c\x23\xb9\x34\x16\x95\x92\x9c\x11\x8d\x76\x45\x1a\x8d\x51\xfe\x73\x8b\xb5\xcf\xe3\xac\x67\xe6\xb8\xe5\x2e\x57\xd9\x77\x67\x42\x8d\x7c\xf0\xa7\x33\xc5\x4e\x1b\x9f\x8e\xef\xeb\x6a\x7e\x48\xf6\x60\xa0\xd4\x19\x02\x0c\x90\x51\x03\x7e\x2a\xf8\xa9\xe0\xa7\xea\x55\x3f\x15\x32\x6a\x20\xa3\x06\xfc\x03\xf0\x0f\xc0\x3f\x00\xff\x40\x57\xf8\x07\xb2\x47\xe9\x30\x3b\x18\x9f\xb0\x32\x6a\xdc\xed\xcc\xa8\xe1\xd8\xbd\xa1\xd8\xd9\x66\xa7\xb5\x48\xd7\x81\x74\x1d\x9b\x2b\x9a\x82\x7d\x65\x88\xa2\xfa\xd0\xd9\xec\xb3\xa2\xe4\xab\xf2\xb5\x0a\xdf\xe7\xb0\x5f\x1b\x62\x3f\x3f\x40\x5b\x73\x8a\x2a\x5f\x5a\x4b\x47\xaf\x1b\xd3\x6a\x39\x5f\x5c\x2b\xe6\x57\xa5\x92\x0b\x6d\x5a\x4b\xd8\x05\x25\xff\xa8\xd1\x44\x28\x48\x33\x95\x4c\xf2\x0b\xa6\x15\x55\x5e\x4e\x3b\x5a\x9f\x2f\x6a\xd5\x59\x45\x9d\x2a\x95\x2c\x38\xd9\xed\x79\x3f\x36\x84\x48\x3e\x1c\x0c\x1c\x93\x2c\x21\x78\xa2\xa3\x7b\x5d\x3c\xd1\xc0\x91\xf1\x38\x5d\xdd\xe7\x0d\x38\x77\x30\xe2\xcf\xc9\x43\x63\x80\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x3b\x8c\x1f\x81\xf8\x80\xf8\x80\xf8\x7a\x18\xf1\xfd\x40\x3f\xc5\x84\xf2\x51\xd2\x37\x5d\x85\x22\xaf\xeb\xe8\x96\x3d\xb2\x2f\xf5\xb1\xff\xd5\x47\xac\xe6\x8c\x4b\x6b\xe9\xe8\xdd\x05\xb9\xea\x9e\x6f\xc5\x93\x24\x63\x05\xb9\x3a\xe5\x3e\x7f\x39\x3d\xb5\x30\x67\xee\xf1\x42\x0c\xe4\xaf\x6b\x68\xb2\xae\xa1\xc9\x46\x1a\xca\x56\xe8\x31\x01\xdf\x2e\xd2\x3c\x87\x6f\xb3\x34\x43\x99\x16\xe0\x9b\xe3\x39\x1b\x49\x24\xc3\x7e\xb0\x9f\xf6\x19\x83\xe0\xad\x3c\x15\xf9\x91\xd9\x1f\xf7\xb1\xaf\xf4\xd1\x5d\x52\x8d\x94\x54\x24\x59\xf0\x1d\x8a\x7d\xfa\x50\xb8\xd5\x9a\xfc\x8a\xae\x1f\x0d\x5f\x79\x73\x7b\x86\xc9\x1c\x8d\x7f\x4c\xd2\x79\x23\x49\xb5\x5c\xbd\xae\xa8\x4f\xe9\x1b\x18\xfb\x6b\xf0\x91\xff\x1a\xe7\xf2\x20\x87\xa2\x6c\x29\x80\x9f\x4b\xb2\x77\xf4\xd3\xcb\xed\x96\xf4\xaf\x26\xa6\xca\x52\xbe\x06\xd4\x5c\x14\x67\x88\x10\x87\xe4\x90\x7e\xc6\x45\xeb\x22\xa7\xbe\xd6\x75\x62\xb8\xe9\x30\xb2\x2b\x74\x4e\x74\xed\x19\x3a\xc5\xbb\xf6\x28\x1d\xa6\x83\xfe\x79\x48\xec\xfe\x59\x4b\xa7\x5c\x37\x16\x48\x9d\xfd\x8b\xea\x17\xe4\x2a\x5d\x7d\x6d\x30\x94\x3e\xce\x8e\x09\x28\xed\xfe\x61\x0f\x2c\x5d\x37\x8e\x14\xfd\x8b\x6d\xb5\x83\xb2\x4f\x95\x2b\x25\x29\x57\x5b\xa0\xd7\x3d\x2e\x49\xe3\xa4\x8e\x0f\x4d\x26\x4b\xe7\x69\xb6\x26\xb3\x52\x8b\x63\x83\x68\x7d\xe4\x56\x6a\x31\xb7\xd2\x87\x22\xe1\x59\x88\x79\x91\xf7\xe8\x2c\x4d\xdb\x79\x8f\x36\xc2\xde\x54\x56\x1b\xb6\x37\xbe\xf6\x24\xc8\x10\x25\x7f\xf2\x8e\x5a\x7b\xf3\x0a\x23\xa6\x4e\xaa\x31\x31\xc3\x46\x26\xa4\x8e\x5b\x98\xf6\xe4\x42\x82\xad\x09\xb0\x35\xc8\xc7\xd1\x91\x7c\x1c\x08\xc4\x46\x20\x36\x02\xb1\xdb\x15\x88\x9d\x7d\x3e\x12\x6e\xd0\x29\x2d\x8a\x14\x8e\x17\x68\xce\x91\xc2\xf1\x26\xdb\x0c\x5a\x23\xc4\xbc\xd7\x08\xdb\xd9\x56\xd1\x4d\x6d\xdf\x96\x64\x7e\x68\x47\xed\x32\x61\xa4\x22\xa9\xd5\x22\x77\xc2\x0b\xf2\xb3\xee\xfe\x24\xc1\xcb\xdc\x77\x74\xed\xb0\xbb\xb6\xa1\x51\x7e\x0f\xfb\xf9\xde\x7f\x8f\xf3\xe0\x35\x59\x2d\xc8\xce\xa3\x83\xce\xa3\x1c\x13\xc9\x85\x62\x6e\xb4\xee\x3c\x57\x2b\xfa\xbf\x6f\x18\x47\xf5\xbb\xcc\x5c\xa4\x79\xca\xd6\xec\x8c\x26\xe9\x68\x0b\xaf\xc9\x02\xd7\xaa\x60\xc5\x12\xb0\x62\x79\xae\x9f\x9e\xed\x67\xcf\xf4\x47\x9f\xb6\xcc\xfe\x9b\xfb\x7b\x67\x77\x54\xe3\xde\xd3\xfb\x99\xcb\x55\xb8\x0b\x5a\x7f\x39\x6d\xd1\x5a\xc2\xe7\xc5\x1d\xe6\xb3\x97\x50\x37\x49\x25\x7e\xa5\xbe\x4c\x13\x57\xf3\x33\xf8\x92\x49\x8b\x25\xb2\x9a\x52\x5e\x10\xea\xad\x87\xf5\xcf\xc2\xf8\xf7\x92\xf9\xb1\xd8\x7f\x1c\xf6\xdf\xb6\x65\x5e\x8a\xd0\x8b\x11\xf6\x42\x24\xfa\x09\x8b\x4c\xbf\x3f\x32\xab\xa8\x39\xbe\x9a\x2b\x28\xbc\xdb\x95\x58\xfc\xb2\xfe\xa7\x78\x6c\xca\xf5\x14\xdc\xe7\x20\x16\x5e\xab\x9a\xad\x53\x19\x95\x72\xfc\xc1\xb9\xfa\xa7\x54\xcc\x19\x13\xab\x5c\xca\x6b\x31\xe5\xba\xd1\xa7\x42\x1d\x53\x91\x95\x4a\x49\x4e\xc5\xc4\x2f\x72\xb9\x9d\x39\x96\x9c\xfd\x7b\x76\x80\xf5\xf3\xf1\x2d\xfc\xb6\x5c\xd2\xb1\x0e\x82\xaa\x36\xef\x0c\xd7\x09\x08\xe7\xfd\x40\xd9\x49\x3a\xca\x0e\xc7\x0f\x5a\x42\xff\x7b\x9d\x21\x02\xae\x86\x6f\x85\x20\x01\xf6\xaf\x86\x69\xd6\x1f\xbf\x0a\x12\xbe\x6e\x22\x86\x62\xb9\xa0\xca\xbc\x82\xe0\xf3\x09\xf6\xdb\x03\xc4\x5c\x13\xaa\x80\xe5\x5a\x63\x5a\xe5\x39\xd1\x54\x48\x3a\xe5\xfd\xd7\x6b\x27\x67\x7e\x33\xf6\x0c\x6d\xfc\xdc\x7c\x51\xab\x42\xa8\x5c\xff\x25\x36\xa2\x2c\xbe\xfa\x64\xf0\xe7\x3a\xc9\x8e\x06\x7c\xae\xc6\x40\x78\xa4\x1e\x81\x70\x19\xc2\x65\x08\x97\x21\x5c\x86\x70\x19\xc2\x65\x08\x97\x21\x5c\x86\x70\x19\xc2\x65\x08\x97\x21\x5c\x86\x70\xb9\xb3\xc2\xe5\xcd\x07\x36\x20\x8d\x86\x34\x1a\xd2\xe8\x4d\x24\x8d\x7e\xdb\x93\x94\x30\xb3\x1f\xf8\xa0\x46\xb9\x9c\xaf\x28\xc5\x72\x55\x63\x5f\x7c\x82\x7d\xe7\x21\x3b\x17\xc2\x90\x58\x78\xaa\xc6\x94\x69\xda\x54\x33\xad\xeb\x59\xf3\xba\xe4\x5e\xfd\x44\x91\xba\xc0\xe6\x80\xd6\xe1\x2e\xa7\x80\x19\xd0\x30\xd0\x30\x54\xbb\x03\x0d\x03\x0d\x03\x0d\xeb\x1d\x1a\xd6\x45\xc5\xdc\xba\x86\x86\xa1\xca\x18\x68\x18\x68\x18\x68\x18\x68\xd8\x46\x54\x19\xeb\x69\xb4\x84\x32\x48\xbd\x5c\x06\x29\xb3\x09\xd1\x52\xf6\x09\x9a\x12\xea\xa9\x49\x3a\xca\xd5\x53\x13\x34\x4e\x29\x5f\xf9\x62\x4e\x51\xe5\xd4\x5a\x3a\x65\x71\xa1\x46\xa2\xca\xd7\x29\xd3\x2f\x94\x52\x17\x82\x95\x52\x09\x36\x68\x67\x76\x14\xd2\x28\xeb\x1e\x5c\x2a\xc6\xf8\x97\xb7\xd9\xf0\xeb\x0e\x31\xdf\x38\x28\xd7\xfd\xe2\x2f\xed\xe7\x5c\x02\x4b\x9d\xa1\x53\x74\xa2\x46\x11\x3e\x42\xc9\xc6\xfb\x17\x1a\x70\x44\xc8\xb6\x18\x21\xfb\xd5\x08\x4d\x8b\xd0\x95\x13\x34\xe9\x08\x5d\x49\x51\x53\x6f\xa0\x7f\xf2\x83\x93\xc2\x72\x1c\xa6\x83\xdc\x72\x34\xdb\x6e\x46\x44\xdd\x1e\xa7\x63\x76\xd4\x6d\x93\x6d\x04\x1b\x98\x8a\x12\xb6\x81\x49\x7e\x6a\xc4\x36\x30\xf7\x19\x51\x50\x8e\x90\x32\xe5\xb2\xc3\xdc\x18\x21\xb4\xc2\xdc\x4c\x5b\x27\xb5\xdf\xf0\xb4\x27\x84\x16\x80\x15\x80\x15\x80\x15\x80\xb5\x77\x00\x2b\x96\x5f\x01\xcb\xaf\xee\x21\xd0\x48\x5f\xd0\x91\xf4\x05\x00\xfd\x00\xfd\x00\xfd\x00\xfd\x00\xfd\x3d\x0d\xfa\x91\xc5\x06\x59\x6c\x90\xc5\xa6\x5d\x59\x6c\xe0\x47\x83\x1f\xad\x57\xfd\x68\xd9\x42\xc8\x09\x9c\x82\xdc\x53\x49\x6f\x7a\xbc\x8b\xed\x14\x5f\xb3\x6d\x69\x1b\x25\xc9\xde\x05\xc9\x6a\xa9\xf2\x26\x0c\x1d\x61\x1f\x4f\xd0\x88\xbb\x10\x9f\x8f\x20\x5d\x93\x73\xaa\x5c\xd5\xd8\xbf\x4f\xb0\xf7\x3a\x4a\xf3\xa9\x8d\xa5\xbb\x58\xe2\x57\x87\x94\xed\xe2\x7e\x47\x55\x3e\x9b\xbc\x8b\x9f\x40\x86\x8b\x9b\xc8\x70\x71\x3e\xf8\x63\x78\x88\xed\xab\xfd\x00\x44\xc7\xbb\x7c\x2a\x48\x66\x01\xf9\x3e\x92\x59\xc0\xbb\x04\xef\x12\xbc\x4b\x3d\xe4\x5d\x42\x32\x0b\x24\xb3\x00\xd5\x07\xd5\x07\xd5\x07\xd5\xef\x0a\xaa\xbf\x09\x89\x04\x92\x59\x80\x94\x22\x99\xc5\xe6\x89\x38\x60\x7f\x7a\x2f\x9d\x34\xeb\xfc\x55\xb4\x75\x52\x5a\xe4\xe5\x4a\x49\xb9\xa1\x4f\xee\x66\x0d\xb3\x31\x2d\x27\x95\x64\xf6\xd3\xf7\xb2\x7f\xe8\xa3\xad\xfa\xe5\x97\xd6\xd2\xd1\x41\x5e\xc3\x8c\x1f\x32\xfb\xd8\x9e\xd2\x67\xac\x46\x92\xfb\xf4\xf3\xa6\x2a\x15\xcd\x49\x01\xed\xe3\x4b\x7a\x03\x21\x57\x31\x7b\x8d\xbf\x78\xfa\x8c\x40\x7a\xc7\xe8\x08\x47\x7a\x69\x1a\xa3\x51\x5f\xe1\xb3\xb4\x5a\x55\xf4\x07\x34\xd2\x46\xf3\x5b\x35\x49\xdd\x42\x30\x84\x1b\x65\xfb\x0d\x08\xe7\x68\xc8\xa4\x71\x7a\x5b\xee\x3c\xd0\xeb\x17\x44\x8b\x7e\x72\x9b\xdd\xf7\xc3\x66\xa9\xb2\xe0\xee\x1f\x34\x4e\xed\xe8\x08\x64\xa6\x69\x8a\x4e\xd7\x04\x60\x34\xdb\xd3\x10\x01\x22\x06\xa3\xc5\x18\x8c\xf7\x45\xe8\xac\x08\x73\x38\x45\x27\xec\x30\x87\xe6\xbf\xf6\x0e\x18\x92\x80\xba\x64\xa1\xdb\x99\xcc\xb7\x6f\xb3\x0d\xc9\x44\x5d\x71\x91\x60\x8b\xf2\x20\x4f\x4b\xdf\x31\x7b\x82\xf2\x22\xbd\x66\xd6\x50\x5e\x04\xe5\x45\x36\xb8\xbc\xc8\x6b\x6e\xde\xbe\x07\xfa\x7a\xc3\x5f\x41\x06\x56\x12\x99\xa0\x71\x96\x8a\x8f\x58\x9c\x61\xa7\xb3\x92\x08\x6f\xf0\x96\xa8\x20\xf2\x97\x83\x74\xb7\xd8\xeb\xac\x70\xad\xc4\x5a\x7a\x2c\xa7\x2a\xe5\xab\xca\x8a\xc6\x3e\x3b\xc8\x3e\xd9\x4f\xdb\xf8\x01\x7d\x06\x7c\x68\xfd\x44\x7d\xd3\xaa\x52\xce\x2a\x2b\xc9\xb8\x7e\x5a\x46\x3f\x65\x39\x6d\xfc\x6d\x56\x51\xa7\x4a\x25\x6b\x06\xec\xf6\x5c\x7d\xcd\xbe\xd3\xbc\x87\xf4\xb7\xd9\x78\xdc\x86\x42\xce\xe7\x83\xdf\xe9\x61\x36\x64\xbc\xd3\xfc\x17\x8c\xb7\xd9\xf8\x11\xf7\xfb\x1c\x10\xc0\x0e\xf9\x02\xe4\x0b\x90\x2f\x40\xbe\x00\xf9\x02\xe4\x0b\x90\x2f\x40\xbe\x00\xf9\x02\xe4\x0b\x90\x2f\x40\xbe\x00\xf9\x42\x87\xe5\x0b\x10\x17\x40\x5c\x00\x71\x41\x0f\x8b\x0b\xfe\xf5\x6e\x9a\x0e\xa8\x94\xa1\xca\x16\xb3\xd2\x8d\xb5\xaa\xe8\xa6\xd2\x56\x18\xf0\x90\x31\xf6\x6b\x51\xf6\x5f\xfb\xed\xa8\xa5\x09\x21\x31\xe0\xc7\xea\x5d\x52\x8b\x76\x8b\xd3\x56\x8b\xc9\x31\xfd\x9a\xda\xa0\x23\xcf\x53\x45\x98\x5a\xc8\xd2\x83\x3c\xcd\x09\xc8\x96\xa1\x33\x1c\xb2\x4d\xd2\x51\x3a\x1c\x98\x5a\xcd\xf3\x06\x03\x69\xdb\xe3\xc1\xb4\xed\x20\x9b\xa8\x0d\x04\xf2\xfe\xad\x66\xa4\x08\x6f\xda\x6e\x8f\xd1\x21\x4b\x8a\xd0\xd4\x30\x4d\x18\x97\x6d\xd8\x48\x65\xe6\x29\x4b\xe7\x6b\xdc\x7a\x2d\x0f\x15\x9c\x7a\xd0\x2a\xb4\xa8\x55\xf8\x48\x24\x4c\x93\x71\x51\xc8\x1e\xce\xd1\x59\x5b\xf6\x70\x8b\x99\xa0\xca\x6a\x95\x32\xef\xdd\x61\x9b\xa0\x53\xf5\x22\x86\xa6\x6c\xd1\x78\xc5\x2b\x50\xb5\x23\x96\x08\xe2\x86\x5e\xb3\x83\x10\x37\x40\xdc\xb0\xc1\xe2\x86\x8e\xae\x51\x83\x34\x09\x0d\xce\x20\xeb\xa5\x76\xf0\xbe\xb1\x6c\x86\xce\xb0\x53\xf1\x13\x96\x70\xe1\x01\xa7\xd8\xc1\xf3\x9a\x5b\x42\xfc\xf0\xf4\x93\x34\xde\xac\xd0\x9b\xfd\xcd\x13\xec\x4d\x83\xb6\x2c\x30\xb1\xbe\x28\xc2\x21\x06\xbc\x4f\x3f\xd3\x5f\x0b\xd8\xe5\x9a\x08\xd4\x2f\x84\x82\x00\xf5\x0b\xa1\x20\x80\x82\x00\x0a\x82\x1e\x52\x10\x74\x51\xf6\xe8\xae\x51\x10\x20\xad\x31\x14\x04\x50\x10\x40\x41\x00\x05\x01\xea\x17\x22\xef\xea\xad\xe3\xf0\xef\xfa\xbc\xab\x9b\xb2\x7e\xe1\x93\xfe\x81\xb1\x19\xc1\x16\x8f\xd3\x31\xce\x16\x0f\x50\x9a\xc6\xfc\x03\xa7\x2a\x15\x4d\xd4\xbb\x32\x89\xd1\x7c\x51\xab\x36\x5a\xc0\xf0\x62\x30\x3a\xdc\xcf\x86\xcd\x08\xaa\x4a\x45\x33\x80\xa1\xfd\x6b\xee\x1a\x86\x7f\xea\x08\xb1\xdf\x65\xd4\x30\x94\x9c\xb4\xcb\x98\x88\x3a\xc0\xbb\x04\x9e\xe2\x19\x47\x6b\xbc\x33\xa3\xb4\xbf\x89\xee\x84\x43\x06\x8e\xe9\x16\x1d\xd3\x5f\x8b\xd0\x29\xf1\x2d\x1f\xa1\x43\xfc\x5b\x1e\xa3\xe6\x5e\x3e\x51\x08\x31\xcd\x0b\x21\x5a\xde\xe8\xa6\x1b\x99\x11\xd5\x14\x4f\xd2\x71\x47\x35\xc5\xa6\x5b\x69\xbd\x58\xaa\xa8\x65\x18\xb2\xad\x49\xfe\xd6\x88\x6d\x6b\xee\xf7\x2c\x67\xe8\xb0\x3b\x49\x71\x82\xb0\x3b\x5e\xf5\x0c\xdb\x66\x81\x50\xd0\x10\xc4\x15\xc4\x15\xc4\x15\xc4\x15\x05\x0d\x51\xd0\x10\x05\x0d\x51\xd0\x10\xe4\x1f\xe4\x1f\xe4\x1f\xe4\x1f\xe4\x3f\x14\xf2\x8f\x82\x86\x28\x68\x88\x82\x86\x28\x68\x08\xc7\x1a\x1c\x6b\xa1\x17\x34\xf4\x75\x52\x85\x5a\xe9\xb0\x95\x82\x86\x8d\xe1\x64\x0f\xd5\xbb\x37\x5a\xde\x8c\x42\xf5\x6f\x0d\xd2\x5e\x21\x54\x17\x6a\x6a\xde\xdf\x45\x65\x6c\x2d\x6d\xfc\x81\x7d\x7e\x90\xfd\xcf\x7e\xda\x2e\xfe\xeb\xd2\x5a\x3a\xba\x6f\x7d\x5d\x3a\xaf\xb1\x97\x7c\x40\x3f\x89\xff\x53\x5b\x4e\xf3\xff\xdf\x6c\x99\xfa\x5e\x4d\xa7\xc5\xfb\x79\x94\x0e\xf3\xf7\x73\x9c\x52\x34\xe2\xeb\xed\x30\xba\x6f\x2d\x9d\xe2\x4f\xdb\x50\xa2\xbe\xc5\xe0\xf7\x6f\x8c\x8d\x1a\xef\x9c\x6b\x7c\xcc\x7a\x9a\x6b\xb5\x2e\x0d\xa4\xeb\x83\xd8\x1e\xe9\xfa\xe0\xfa\x81\xeb\x07\xae\x1f\xb8\x7e\x90\xae\x0f\xe9\xfa\x80\xdc\x81\xdc\x81\xdc\x81\xdc\xbb\x0b\xb9\x23\x5d\x1f\xd2\xf5\x6d\x16\xc8\x88\x74\x7d\xed\x48\xd7\xf7\x8e\x24\xcd\x0a\xf2\xa6\xae\x48\xb9\x94\x49\x87\x78\x53\x0e\x0a\xe7\x97\xc9\x4f\x29\x99\x7f\x79\x23\xfb\xd4\x30\xfb\x7f\x7d\x74\xa7\xde\xce\x94\xb3\x99\x4b\x6b\xe9\xe8\xdd\x3c\x7d\x9f\x7b\x6b\xba\xa8\x94\xe4\xe4\x43\xfa\x81\xc5\xda\x4b\x5c\xc9\x97\x94\xd0\x8b\x02\x2e\xd1\x51\x01\xd5\xd2\x34\xc6\xa1\xda\x30\x0d\xd1\x43\xbe\x50\x8d\xf7\xcc\x5a\x3a\xa5\xdf\x49\x20\x4d\x7b\x32\x98\xa6\x4d\xb2\xa3\x06\x4d\xf3\xed\x73\x33\x9d\x89\xd2\x64\x65\xc0\xe7\xb7\xf9\x0c\x40\xd4\xcc\xcd\xe7\x31\x06\x09\xe3\x58\x87\x87\x21\x73\x9c\x8e\xd1\x91\x9a\x90\x86\x46\xc7\x01\x2a\x3a\x04\x33\xb4\x18\xcc\xf0\x8e\x88\xbf\x33\xa8\x75\xbb\x70\x52\xc4\x37\x1c\xa6\x83\x76\x7c\x43\xe3\x97\x37\x58\x01\xb0\xbd\xc6\x25\xf9\xe3\x77\xf8\x58\x8f\x97\x1b\x3e\x6d\x49\x18\x8c\x21\xf1\x9f\x9d\xb6\x17\xed\x09\x40\x80\x21\x09\x30\x24\x10\xc1\x76\x44\x04\x0b\xf5\x13\xd4\x4f\x50\x3f\xb5\x4b\xfd\x94\x7d\x3e\x12\xae\xd2\x83\x16\x45\x2c\xe2\x05\x9a\x73\xc4\x22\xde\x64\x9b\x41\x9b\x8b\x98\xf7\xf2\x60\x3b\xdb\x2a\xba\xa9\xdd\x2b\x84\xcc\x3f\xdd\xe6\xb3\x42\xd8\x57\x97\x78\xd7\x63\xa3\x31\xc8\xf3\x3c\x76\x70\xd9\x80\x9c\xba\xbd\xb6\x58\x41\x4e\x5d\xe4\xd4\xdd\xe0\x9c\xba\xed\xa4\x4b\x81\x29\x74\xdb\x6b\xff\xb3\x69\x1a\x63\xa3\xf1\xfd\x96\xb6\xf0\x0e\x57\x22\x5d\xe5\x16\x29\x1a\xfc\xbe\x24\x3d\x26\xa0\xa8\x56\x55\x54\xa9\x20\xdb\x24\x74\x45\xae\x4a\x69\x41\x98\xfd\xa0\x68\x4e\xb7\xa9\xfc\xb2\x9c\x54\x91\x72\xc5\x6a\xd1\x66\xa4\x2f\x0c\xb3\x1f\xd9\x42\xb7\x1b\xc7\x2f\x19\xed\x45\x3f\x1a\x31\x98\xb5\x8d\x88\x75\x0b\x22\x3a\xca\xaa\x3f\xbc\x34\xb7\x24\xae\x9b\x16\xed\xde\x48\x39\x96\xf7\x93\xd6\xc6\x60\x88\xb7\x35\x64\x6b\x8f\x5c\x62\x12\xa5\x22\x5b\xbb\x36\xad\x2a\x4b\xf9\x11\xdb\xf9\xcb\x77\x3a\x86\xab\xb0\x58\x95\xaf\xd9\x66\x71\xc8\x25\x24\x70\xb4\x9d\x4a\x8a\xce\x30\xee\x6c\x59\x3c\x90\x3d\x9f\xd7\xdf\x74\xb7\x2b\x2e\x9f\xa2\x05\xf1\xf9\xce\xd1\x39\xfe\xf9\xf2\xcc\x2b\x2d\xcc\xd8\x9c\xfc\x0b\x6d\x64\xd0\x67\x2d\x07\x7f\xb5\x19\x76\xc6\xf8\x6a\xdd\xef\xa4\x59\x34\xb9\xae\x9f\x9d\x1f\x2e\x1f\x94\xf5\x8a\x82\x5f\x17\x45\xc1\x21\xcb\x84\x2c\x13\xb2\x4c\xc8\x32\x21\xcb\x84\x2c\x13\xb2\x4c\xc8\x32\x21\xcb\x84\x2c\x13\xb2\x4c\xc8\x32\x21\xcb\xec\xac\x2c\xf3\x34\x9d\x64\xc7\xe3\xc7\x2c\x66\x72\x9f\x13\xb3\xd4\x6f\xf5\x6e\x05\xe8\x02\xe5\x28\x94\xa3\x50\x8e\x6e\x22\xe5\xe8\x17\x86\xe8\x1e\xb3\xd0\xb3\xe0\xa1\x62\xbf\x79\x4d\xaa\x68\xec\xf9\x21\xf6\xdc\x80\x5d\x96\x73\xd5\x98\x5b\xcb\xf9\xe2\x5a\x31\xbf\x2a\x95\x5c\xa4\xd3\x5a\xc7\x4e\xf3\x06\x1e\x96\x2a\xa1\x80\xcd\x54\x32\x71\xdd\xae\xe6\x69\xb5\x3d\x5f\xd4\x36\x5d\x14\xf8\x53\xfe\x8a\xb5\xd0\x61\xa5\xc9\x24\xf7\x79\xc3\xc2\x1d\x8c\xf8\x8d\x89\xb4\xdb\x17\x82\xc1\x65\x82\x0d\xd6\x56\xe9\xb3\xc6\xc2\xed\x5c\x00\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\xec\x2c\x7d\x04\xda\x03\xda\x03\xda\xeb\x61\xb4\xf7\xf9\x7b\xe9\xa4\xd0\x3f\x4a\x95\x8a\xb6\x4e\xfc\x77\x5e\x92\xaf\xe9\x8b\xae\xaa\x29\x70\x1c\xd3\x78\x20\x03\xfb\x8f\xf7\xb2\x6f\xf6\xd9\x55\x8d\x06\x79\xf8\xb7\x38\x66\x76\xb2\x3d\xe3\xce\xf0\x56\x96\xe4\x6a\x72\x9f\x7e\x5e\x5d\x49\x35\xf3\xb0\x08\x92\x08\x39\x16\xfc\x55\x22\x72\x73\x9c\x47\x6e\xf6\x3d\x72\x81\xa5\x68\x84\x92\xc1\xe5\xa4\xcc\x9b\x0a\xd4\xf6\xad\x1f\xb1\x7d\xf5\xe1\x60\x82\x96\x64\x09\x23\xcb\xa7\xf5\xa3\x7e\xd9\x40\xa3\x1f\x73\xd4\xad\x1b\x36\x63\xbe\x83\x3b\x7e\xd0\x38\xb5\xa3\x7d\x9f\x39\x43\xa7\xe8\x44\x4d\x74\x44\x53\x9d\x8f\x78\x08\x44\x81\xb7\x18\x05\xfe\x63\xeb\x44\x81\xdf\xa4\x45\xc8\x88\x50\xf0\xe3\x74\xcc\x0e\x05\x6f\xb2\x0d\xd3\x78\x84\x6b\x1d\x02\xc2\xcb\x33\x7f\x7b\x9b\x6d\x3c\x26\xea\x02\xba\x82\xad\xc8\x83\x3c\x08\xa1\x63\x36\x04\xd1\x5d\xbd\x66\xcd\x10\xdd\x85\xe8\xae\x0d\x8e\xee\x6a\xfb\x7a\x31\x30\xc4\xab\xb1\x39\xc1\x23\x47\xbc\xe7\xfc\x90\x3d\x4c\x07\xd9\x44\x7c\xdc\x92\x0a\xdd\xe5\xd4\x1a\x59\xd7\xdc\x0a\x12\x23\xf6\x4b\x49\x5a\x36\xf6\x35\xab\x55\x45\xcb\x49\xa5\x62\xb9\x30\xb6\x36\xb1\x22\x57\xa5\x89\xf5\x83\xba\xf8\x20\xe9\x9f\x74\xa9\xa2\xe4\xcd\xab\x65\xd5\x0a\xec\xfa\xea\x30\xfb\xc0\x16\xda\xe5\x68\xf7\x92\xd1\x6e\xf4\x57\x1a\x09\xee\x3a\x6f\xb5\xbf\xa0\xe4\xa7\xac\xf6\xbb\x22\xc2\xeb\x28\xff\xb9\x29\xfb\xd1\x96\xc5\x93\xd9\x53\xbc\xcf\xdd\x77\xbf\xac\xa2\xf3\xa1\x5e\x41\x31\x58\x57\x0b\xc1\x9f\xf7\x0c\xcb\x98\x9f\xb7\x3d\x28\xc6\x57\xee\x33\x14\x8e\x6f\x5e\x0c\x1e\xe4\x16\x90\x5b\x40\x6e\x01\xb9\x05\xe4\x16\x90\x5b\x40\x6e\x01\xb9\x05\xe4\x16\x90\x5b\x40\x6e\x01\xb9\x05\xe4\x16\x9d\x96\x5b\xcc\x50\x86\x9d\x89\x9f\xb2\x40\xca\x3e\x27\x80\xf1\xd9\xce\xdd\x0a\x38\x06\xb2\x10\xc8\x42\x20\x0b\xd9\x44\xb2\x90\x2f\x0e\x53\xda\x48\x8b\x95\xbb\x22\xe7\x57\x4b\xfa\xaa\xd2\xae\x11\x50\x51\x8b\x8a\x5a\xac\xde\xc8\x95\x24\x4d\xb3\x53\x5e\xfd\xd4\x30\x7b\x5b\x3f\xbd\xdc\xbe\xe4\xd2\x5a\x3a\x1a\xf3\xa8\x07\xb0\x60\x5c\x3f\xad\x5f\x9f\xdc\xab\x9f\xb1\x64\x5d\xb4\x9c\x76\x1d\x0e\x59\x04\xb2\x42\xe7\x04\x08\x3c\x43\xa7\x38\x08\x3c\x4a\x87\xe9\xa0\x2f\xd4\x77\x3c\xfe\x5a\x3a\xe5\xba\xb1\x9b\x95\x83\xbc\x36\x98\xfe\x1d\x67\xc7\xcc\x4c\x50\xb5\xc3\x60\x30\x40\xf7\x1d\x39\x69\x7f\xf4\x8f\xb7\xd5\x0e\xc5\x3e\xef\xca\x00\xee\xd1\x88\x19\x27\x75\x68\x40\x32\x59\x3a\x4f\xb3\x35\x9e\xd5\x16\x47\x04\x5e\x55\x68\x44\x5a\xd4\x88\x7c\x28\x12\x9e\x5d\x98\x17\xa2\x90\xb3\x34\x6d\x8b\x42\xda\x67\x65\xda\x6c\x46\x02\x84\x24\xc9\x1f\xbd\xa3\xd6\xca\xbc\xc2\xaa\x20\xe0\x36\x2c\xf7\x8b\xbf\x77\xca\xae\xa0\x84\x00\x4a\x08\xa0\x84\x00\x4a\x08\xa0\x84\x00\x4a\x08\xa0\x84\x80\x77\x09\x81\x36\xaf\x1d\x32\x6f\xdd\x51\xbb\x38\x18\x09\x28\x1e\xe0\x5e\x32\xdc\xc7\x75\x50\x1d\x58\x31\x40\x5f\xda\x6b\xeb\x14\xe8\x4b\xa1\x2f\xdd\x60\x7d\x69\x07\x51\x54\xa0\xd2\xb4\xb1\x99\x20\xc8\xe0\xfb\xce\x14\xd9\x49\x3a\xca\x0e\xc7\x0f\x5a\x3e\x8b\x7b\x9d\x9e\x0f\x57\x83\xf5\xfe\x8e\xd0\xc5\xa1\x7f\x9b\xa0\x29\x41\x37\xcb\x72\xf5\xba\xa2\x3e\xe5\xa6\x9b\xeb\xaa\x43\x8b\xe5\x82\xaa\x1b\x15\x8d\x3d\x9b\x60\xbf\x32\x40\x2f\xb7\x9b\xd0\xe7\x37\xad\xb1\xf4\x57\x73\xa2\x95\x90\x92\x5f\x0d\xf2\x0b\x2e\x5a\x37\xe2\x0c\xc9\x30\x7e\x69\xbe\xa8\x55\xa1\xd1\xac\xff\x30\x1a\x4a\x7d\xf5\xaa\xe0\x8f\xe3\x10\x3b\x20\x3e\x0e\xa3\xbf\xbd\x3e\x8b\xba\x97\x0d\xc2\x4c\x08\x33\x21\xcc\x84\x30\x13\xc2\x4c\x08\x33\x21\xcc\x84\x30\x13\xc2\x4c\x08\x33\x21\xcc\x84\x30\x13\xc2\xcc\x4e\x0b\x33\x21\xa9\x84\xa4\x12\x92\x4a\x48\x2a\xdb\x28\xa9\xfc\xc8\x10\xed\x72\x27\xd1\x2f\x2b\x79\x59\x63\x3f\x36\xc4\xde\xee\xc8\x9f\x5f\x69\x0c\x20\x5e\x54\xf2\x72\x48\xf4\x70\x97\x23\x75\xbe\xde\x2c\x50\xe1\x4d\xa0\xc2\xd9\x60\x54\xb8\x8f\x3d\xe0\x01\x07\xad\x8c\xf9\xfa\x10\x00\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x22\x41\x3e\xb0\x1d\xb0\x1d\xb0\x5d\xc7\xb0\xdd\x57\x5f\x47\x27\xcc\x04\xf9\x45\xf9\x0d\x55\xb9\xcc\x47\xcb\x96\x0b\xae\xc8\x55\x29\x3d\x96\x5b\xd5\xaa\xca\x35\xb3\x41\x07\x86\x62\xef\x7d\x1d\xfb\xc1\x21\xba\xcb\x75\xf5\x25\xe3\xb2\xe8\x61\xb1\x70\x54\x8d\x29\xcf\xb4\x89\x66\xaa\xc8\x69\xde\xaa\xb9\xed\x9b\xb1\x5a\x4d\x8e\xeb\xd7\x4d\x39\x9b\x5c\x16\x2d\xfa\x5d\xd1\xe5\x40\x2f\x03\xde\x05\xde\x95\x01\xef\x02\xef\x02\xef\x02\xef\xea\x19\xde\x95\xe9\x1a\xde\x15\xfa\x9d\xb4\xcc\xbb\x32\xe0\x5d\xe0\x5d\xe0\x5d\xe0\x5d\xe0\x5d\x9d\xe7\x5d\x99\x9e\xc6\x53\x19\xe0\xa9\xf6\xe1\xa9\x4c\xb7\xe3\xa9\xcc\x26\xc4\x53\xd9\x77\x45\xe8\xfb\x84\x12\xaa\x4a\x2a\x57\x42\x95\xe8\x2a\x5d\xf1\x53\x42\xd9\xbc\x68\xd4\xda\xaf\xdb\xa2\x28\x37\xe1\x32\x18\x55\xca\x0f\x29\xcd\x17\xb5\x60\xd1\xd4\x7d\xde\xa2\xa9\xad\x6c\x8b\xd0\x4b\xbd\x3e\x58\x2f\x75\x91\xcd\x3b\xf4\x52\xfc\x9e\xec\x52\x67\xf5\x48\xce\x90\x51\xf9\xdd\x35\xc5\xdf\x73\x9b\x1f\x8d\x7b\x40\x4c\x6f\x31\xc9\x1f\xbc\x4d\x88\x53\x36\x04\xbd\x09\x52\xf6\xbd\xf4\x06\x5a\xab\xc9\x14\x71\x99\xf2\x9d\x18\x71\x64\x95\x40\x7e\xbd\x16\xf3\xeb\xfd\x87\x7e\xba\x2e\xec\x54\x85\xca\xdc\x4e\x5d\xa1\x0e\xbd\xb5\xf4\xcf\x45\x3e\xbe\x55\xd2\xec\x7c\x7c\x9d\xfb\xf5\x37\x8a\xcc\x3f\x6b\x54\x75\x64\xfe\xe9\xdc\xcf\x07\x19\xe8\xc6\x0c\x70\x80\x4d\x6d\xca\x3e\xaf\x33\x27\x54\x14\xad\x4a\xc9\x77\x8f\xfa\x19\xe8\x51\x23\x5f\x94\x23\xf9\x96\x72\xd9\xdf\x58\x9f\x10\xa7\x7b\x1a\x6b\xab\x85\x0e\x99\xed\xf6\xa4\x23\x04\x31\x07\x31\x07\x31\x07\x31\xef\x1d\x62\x8e\x25\x68\xc0\x12\xb4\x7b\x5c\x0a\x48\x05\xdb\x91\x54\xb0\xf0\xdc\xc0\x73\x03\xcf\x0d\x3c\x37\xf0\xdc\xf4\xb4\xe7\x06\x19\xc1\x91\x11\x1c\x19\xc1\xdb\x95\x11\x1c\x8e\x51\x38\x46\x7b\xd5\x31\x9a\x2d\x84\x9c\x0c\x3f\x1c\x26\x7d\x13\x3e\xc0\x3a\x5e\x7d\x35\xe9\xcd\xa4\x77\xb1\x9d\xc2\x80\xd8\xc6\x9d\xc2\xcf\x47\xfc\xc5\x28\x9d\x13\x31\x06\xf6\x93\x58\x91\x05\x41\x79\x88\x8d\xe2\x6b\x63\x1a\xef\x5b\xf6\x1f\xa2\xec\x87\xfb\x89\x79\xc0\xf3\x07\x79\x21\x36\x71\x9a\xf9\x96\xd8\x0b\x68\x23\x6f\x6d\x72\x44\x3f\xeb\x6c\x2d\x2e\xaf\xcb\x27\x2c\x46\x32\xe4\xda\x6c\x12\xcd\x8a\xf7\xec\x34\x9d\xe4\xef\xd9\x11\x3a\x44\x07\x7c\x13\x62\x7b\xb8\x41\xcc\xec\xbb\x37\x59\x9a\x6d\x39\xf8\x05\x3c\xc0\xd2\xc6\x0b\x68\xdf\x06\xf9\xa6\x00\x16\x6f\x59\xf4\xaf\xb7\x79\x8e\xcc\x90\x59\x97\x2d\x68\x70\xc6\x8c\x13\x37\x66\x7c\x32\x73\x74\x8e\xce\xd6\xb8\x9e\x5b\x1b\x20\x60\x3c\x78\x92\x5b\xf4\x24\x7f\x30\x12\x9a\x95\xb8\x20\x1c\xc3\x33\x94\xb1\x1d\xc3\x6d\x33\x39\x6d\xb2\x29\x01\xf5\xd9\x32\xef\xda\xe1\x69\x72\xc6\xeb\xea\xb0\x04\xd9\x1e\x51\xf4\xa1\xf3\x96\x07\xa5\x59\x7a\xcd\xf4\xa1\x34\x0b\x4a\xb3\x6c\x70\x69\x16\xc9\xd7\x9c\x87\x35\xf9\x34\x37\x2d\x04\x4c\x02\xf5\xb3\x46\x60\xc5\x97\xec\x41\x9a\x60\xe3\xf1\x94\x95\xf2\x74\x97\xb3\x22\x8b\xf1\x4b\xb7\x42\xed\x79\xf6\x6c\x94\xe6\xd6\xa9\xf6\xd2\xe4\xfe\xea\xcb\xf7\xb2\x7f\xd3\x5f\x5b\xf5\xa5\xb1\xad\xd5\x90\x7e\xd6\xba\x55\x5a\xda\xb2\xab\x7a\x82\xa6\xc4\x2b\x3b\x49\x47\xf9\x2b\x3b\x41\xe3\x94\xf2\x7d\x65\x1d\x9d\xb4\x16\xda\x86\xaa\xb1\x0a\x2a\xbe\x75\x52\xfc\x4b\xab\x44\x7f\x7f\x5b\xed\x60\x34\xbc\x9b\x4a\x1a\x27\x76\x7c\x48\x32\xfa\x8a\xf3\x4c\xcd\x92\xa2\xe9\x31\xc1\x42\x02\x7b\xa8\x16\xf7\x50\x3f\x19\x09\xc3\x26\xcc\x8a\xed\x93\x3e\x13\x5a\xdb\xa7\x76\xd8\x96\xb6\x19\x8f\xa0\xbd\xd3\xbf\xde\x51\x6b\x5b\x9a\xdf\x36\x25\x2a\x81\xb5\xb9\xb0\x63\xc2\x8e\x09\x3b\x26\xec\x98\x36\xf5\x8e\xa9\x23\xab\xcc\xb6\x15\xe2\xc3\x76\xc9\xda\x2e\xfd\x55\x1f\xdd\x65\x24\xbc\x5a\xad\x2a\x5a\x4e\x2a\x15\xcb\x05\x7d\xa3\xc4\x3e\xdf\xc7\x3e\xdb\x47\xff\xcc\xf1\x67\x7d\x4a\xbc\xbb\x20\x57\xdd\x3a\x2d\x11\x0c\x99\xdc\x53\x90\xab\x53\xf6\xb9\xcb\xe9\xa9\x85\x39\xd3\x17\x17\xe2\x6c\x57\xd7\xd0\x64\x5d\x43\x93\x8d\x34\x94\xad\xd0\x63\xe2\x0d\xd6\xa7\x2f\xfd\x0d\x9e\xa5\x19\xca\xb4\x30\x69\x39\x9e\xb3\x91\x18\x49\xf6\x03\xa3\xb4\xe0\xd1\xe3\x13\xfa\xde\x7e\xc2\x6f\x7f\xca\xdb\xd0\x6d\x69\xa9\xa2\xe4\xcd\xeb\x64\xd5\xdc\xae\xb2\x0f\x8c\xb0\x17\xfb\x69\x97\x6b\xb0\x44\x8b\xd1\x24\xdf\xad\xba\x97\x2b\xe7\xad\xe6\x16\x94\xfc\x94\xd5\x5c\xf2\x88\x7e\xae\x73\x14\x45\x1b\xf6\x1a\xc6\xe7\xc2\x90\xf7\xb0\xaa\x3f\x8f\x79\x5c\x0c\xda\x02\x5d\xe4\x83\x76\x9e\x66\x69\xc6\xd7\xec\x38\xba\x23\x65\x74\x47\xca\xe7\x09\x1a\xdc\xd9\x16\x82\x4d\xd2\x0c\xcb\xd8\x46\x48\xfc\xa8\x15\x20\x65\xdf\x8f\xb1\x4e\xf5\xb9\x1b\x8a\x7e\x72\xbb\xf7\x68\x8e\x9a\xdb\xdd\xc6\x06\x74\xd2\x38\x7d\xc3\xc7\x34\xf3\x6a\x7a\x15\x2d\xd7\xac\x12\x43\x1a\x3b\xac\x18\xb1\x35\x6e\x71\x6b\xfc\xe9\x48\xdb\x2c\x0a\x3d\x21\x36\xcc\x8f\xd1\x92\xbd\x61\x0e\xaf\xf5\xd6\x11\x9d\xbe\xd9\x6d\xd0\x90\x35\x6d\xb7\xea\x2c\x5f\xf2\xb7\xef\xf0\x36\x64\xa6\xf4\x4f\xf2\xb5\x5d\xc7\x8c\x78\xce\x0d\x37\x5d\xed\x09\xe6\x84\xd1\x0a\x30\x5a\x08\x28\xea\x48\x40\x11\x94\xe4\x50\x92\x43\x49\xde\x2e\x25\x79\xf6\xf9\x48\xc8\x72\xda\x45\x91\x61\xe2\x02\xcd\x39\x32\x4c\xb4\x59\xa2\x1b\xf3\x5e\x4c\x6c\x67\x5b\x45\x37\x75\x6e\x3d\x91\xf9\xcd\x1d\xde\xeb\x89\xc3\x75\xac\xbe\xb1\x1d\xd2\x51\x4e\x7c\x36\x74\x91\x01\x82\xdf\x6b\x4b\x1b\x10\x7c\x10\xfc\x0d\x26\xf8\x6a\xfb\x36\xbe\x41\xb3\x49\x10\x7d\xef\xd8\x64\x92\x9d\xa1\x0c\x3b\x13\x3f\x65\x01\xfb\x7d\x4e\xcc\xef\xd3\xcc\x2d\x81\xfd\xff\x6e\x98\xe6\x05\x84\xce\x29\x8a\x9a\x2f\x96\xf9\x07\x56\x5b\xe6\xc2\x28\x5c\xeb\x8d\xa4\xf9\xae\xc0\x02\xd0\x3f\x31\xcc\xbe\x7f\x0b\xdd\xe9\x6c\xcd\x52\x1f\x3f\x1b\x31\x42\x99\x1c\xa5\x6d\xcb\xe6\xae\xc6\x2c\x7e\x31\xaf\x37\x17\x4a\x8d\xdb\x11\x3b\x28\x9e\x6f\xa1\x8c\x10\xea\x62\x55\xbe\x66\x5b\xd0\x21\x57\x1e\x0b\x47\xdb\xa9\xe4\x90\x51\x21\xd7\x7e\x92\x3a\xf1\x33\xbf\xd9\x2e\x2f\xb2\xb1\x21\x55\x73\xfd\x3f\xed\xeb\xe2\xd3\x7e\x32\xf8\xd3\x9e\x64\x47\xc5\x77\xcc\x7b\xd9\x57\xfe\xe8\xf1\xe2\xa2\x90\x2e\x0a\x8b\xa0\x90\x2e\xd2\xa4\x21\x4d\x1a\xd2\xa4\xf5\x52\x9a\x34\x14\xd2\x45\x21\x5d\xa4\xa7\x42\x7a\x2a\xa4\xa7\x42\x7a\xaa\xae\x48\x4f\x95\x9d\xa0\x71\x96\x8a\x8f\x58\x48\x64\xa7\x13\xac\xf0\x7d\xdd\xad\x80\x51\x50\xde\x17\x69\x82\x50\xde\x77\xf3\xd4\x4f\x61\x4f\x27\xe8\x80\xc0\x9e\xf9\xa2\x96\x53\x74\x53\xec\xcd\x3c\xe5\x72\xbe\xa2\x14\xcb\x55\xad\x54\xcc\xc9\x1a\xfb\xcb\x21\xf6\x47\x03\xb4\xd3\xba\xc8\x42\x9b\x37\x8c\x39\xb7\x9c\x2f\xae\x15\xf3\xab\x52\xc9\x05\x39\xad\xf5\xed\x59\xa3\xb9\x25\xbd\xb9\x50\x20\x67\x2a\x79\x98\x5f\x30\x63\xde\x92\xc1\x28\x5d\xbf\x34\x5f\xd4\xaa\xb3\x8a\x3a\x55\x2a\x59\xe8\x32\x3c\x29\xf6\x2d\x44\x2d\x57\x82\xa1\xe4\x69\x76\xd2\xe0\x8e\xb5\x6f\x8e\xe1\x74\x70\x75\xbc\x47\xe2\x8e\x7d\xde\x64\x74\x07\x23\xfe\xf0\xbc\x3e\x0e\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x65\x87\xf1\x25\x40\x21\x40\x21\x40\x61\x0f\x83\xc2\x5f\x7a\x2d\x9d\xf1\xcf\x22\xd7\x58\xaa\x6e\xf6\xad\x27\xd9\x4f\x0f\x12\x73\xe5\x14\x12\xd8\xf0\x21\xb1\x72\x54\x8d\x39\xcf\x34\x8a\xa6\x16\xd2\xcc\x26\x34\xa8\x9f\xe6\x4c\x26\xe4\x9d\x83\xb5\xcb\x91\x5e\x06\x54\x0b\x54\x0b\xb5\x4b\x41\xb5\x40\xb5\x40\xb5\x7a\x87\x6a\x75\x51\x69\xce\xae\xa1\x5a\xa8\x19\x09\xaa\x05\xaa\x05\xaa\x05\xaa\xb5\x11\x35\x23\x7b\x1a\x42\xa1\xa8\x5d\x2f\x17\xb5\xcb\x6c\x42\x08\x95\x95\xfd\xd3\x20\x66\x85\x46\x6a\x9a\xa6\xb8\x46\xea\x38\x1d\xa3\x23\x8d\x65\x5f\x75\x95\xa5\x98\x2f\x6a\x55\x53\x04\x75\x9f\xb7\x40\x69\x2b\xdb\xc2\xb5\x49\x0d\x46\x6e\x36\x9f\x97\x5b\xe8\xa3\xe2\xcf\x6c\xf7\x24\x65\x3b\xc5\xac\x14\x93\xca\x76\x8e\x6d\xf1\xa7\x0e\x72\xb1\xd6\xea\xa1\xf9\x77\x3b\x12\x64\x20\x61\x61\x8b\x09\x0b\xff\xb1\xc9\x7a\x68\xfe\x2f\x61\x0b\xf5\xd0\xd6\x69\x6c\x5e\x64\x25\x3a\x4b\xd3\x8e\xac\x44\x2d\xb7\x16\x24\xd8\x6c\xaf\x2d\x5a\xc7\x14\x56\x14\xad\x4a\xc9\x6f\x8c\x78\xda\xaa\x3d\x46\x0e\x2a\x47\x42\x2f\xe5\xb2\x65\xb6\x26\xc4\xd1\x3a\xb3\x35\x6d\x9d\xdd\x6e\x03\xd6\x9e\x3c\x86\x00\xbb\x00\xbb\x00\xbb\x00\xbb\xbd\x03\x76\xb1\x7a\x0b\x58\xbd\x75\x0f\xf9\x46\x0e\xd9\x8e\xe4\x90\x85\x83\x01\x0e\x06\x38\x18\xe0\x60\x80\x83\xa1\xa7\x1d\x0c\x48\x25\x8e\x54\xe2\x48\x25\xde\xae\x54\xe2\xf0\xdf\xc1\x7f\xd7\xab\xfe\xbb\x6c\x21\xe4\x2c\xfa\x41\x84\x39\xe9\x8d\x80\x77\xb1\x9d\xe2\x6b\xb6\x2d\x6d\xbb\x3d\x63\x9b\x30\x2f\x0e\x7b\x66\x9c\x86\xf4\x97\x76\x9d\x8a\xeb\xba\xa9\xe1\xb9\x35\xfe\x69\x8c\xfd\xed\x43\xb4\x35\xa7\xa8\xf2\xa5\xb5\x40\x69\xfc\x92\xb8\x2c\xb9\x5b\x3f\x6d\x5a\x51\x65\x67\x85\x5d\xe3\x20\xf4\xf0\xd0\xc3\x43\x0f\x0f\xb7\x09\xdc\x26\x70\x9b\xc0\x6d\xd2\x35\x6e\x93\xee\xf1\x0a\x00\x57\x03\x57\x03\x57\x03\x57\x03\x57\xf7\x34\xae\x06\x4f\x03\x4f\xeb\x51\x9e\xb6\x29\xf5\xf0\xaf\xa6\xd3\x82\x01\x1e\xa5\xc3\x9c\x01\x8e\x53\x8a\x46\x7c\xf5\xa5\x39\x45\x95\x39\xf1\x13\x54\x68\xbe\xa8\x05\x67\x02\x0d\x12\xc1\xcf\x05\xa3\xbe\x41\xf6\xa0\x81\xfa\xe2\x71\x83\xed\x19\x77\xe0\x64\x7b\x14\xff\xec\x36\x1b\x7a\xdd\x61\xaa\xdc\x2d\xbe\xb5\x57\xfc\xa5\xdd\x84\x4b\x00\xa9\x53\x74\x82\x26\x6b\x94\xed\x49\x4a\x34\xda\xb3\x10\x44\x41\xce\xde\xa2\x9c\xfd\x8b\x11\x3a\x2e\xbe\xe9\x83\x34\xc1\xbf\xe9\x11\x6a\xe2\xcd\xa3\x33\x42\xc3\x7e\x8c\x8e\xd8\x1a\xf6\xe6\x5a\x98\x12\xc2\xf5\x49\x3a\xea\x10\xae\x37\xd7\x44\xeb\x46\x85\xcb\xc9\x43\x34\x2a\x9b\xd1\x57\xf0\xc2\x10\xdd\x63\xfa\x0a\x6a\x0b\x0e\xb2\x9f\x1d\x62\x3f\x3e\x60\xdb\xc9\xd5\xc6\xd2\x6d\x5b\xf6\x32\xa4\x54\xdb\xf7\x18\x15\x01\x5d\xb6\x58\x9f\x4f\xba\xdc\xd3\xb0\x21\xc9\xb4\x1b\x49\x74\x7d\xf5\x42\xf0\x2b\x9f\x60\x83\xb5\xaf\xbc\xd5\xf7\xee\x97\x1e\xfe\x14\xf8\x53\x90\x35\x1b\xfe\x14\xf8\x53\xe0\x4f\xe9\x1d\x7f\x0a\xb2\x66\x23\x6b\x36\xfc\x29\xf0\xa7\xc0\x9f\x02\x7f\x4a\x57\xf8\x53\x90\x35\x1b\x59\xb3\x37\x8b\x83\x06\x59\xb3\xdb\x91\x35\xfb\x73\x09\x4a\xfb\xa1\x3c\x97\xf8\xb7\xa2\xe4\xab\xf2\xb5\x0a\xdf\x62\xb0\x77\x27\xd8\x73\x0e\xc6\x77\xbd\x31\xc6\xb7\xa0\xe4\x1f\x35\x9a\x08\x89\xf2\x3d\xe8\x45\xf9\xf2\x8e\xdf\xd9\x1c\xc4\xcf\x37\x67\x54\xe8\x28\xb0\x29\xe2\xf7\x70\x30\xf1\x4b\xb2\x44\x2d\xf1\x73\xf4\x3e\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\xdf\x46\x32\xbf\xcd\x27\x38\x02\x55\x04\x55\x04\x55\xdc\x44\x54\xf1\x57\x87\x88\xb9\xa9\x62\x45\xc9\x6b\xec\x99\x21\xf6\x6e\x07\x36\x54\x1a\xc6\x86\x21\xe1\xc2\xb8\x03\x17\x2e\x28\xf9\xf9\xa2\x56\x9d\x55\xd4\xa9\x52\xc9\x62\x87\xdd\x5e\x98\x6f\x43\xe4\x81\x67\x83\x39\x60\x9c\xc5\x2c\xfa\xe7\xa2\x7e\x36\x1d\x6c\x88\x39\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x42\x18\x08\x84\x07\x84\x07\x84\xd7\x29\x84\xf7\xf1\x04\x9d\xd4\x87\x4e\x1b\xcb\xc9\xaa\xd1\x8a\xac\x19\x09\x50\x6d\xae\xe7\x3c\x58\x2c\x94\x8b\xe5\x82\x69\xad\xd9\x3f\x0d\xb1\xbf\x19\xa0\xdb\x9d\x67\x5c\x5a\x4b\x47\xdf\x12\x69\x0c\xfb\x4d\xdb\xd7\x2d\x89\x96\x17\xcd\x60\xff\x50\x60\xe0\xb8\x80\x81\x8e\xbb\x5b\x4e\xfb\xfe\xe6\xe6\xd0\x11\x76\x69\xe4\x70\x29\x98\x1f\xce\xb1\x73\x06\x29\xf4\x78\xdb\x0c\x61\xa1\xef\xe0\x40\x66\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\xb8\x21\x04\xf1\x5b\x51\xba\x28\x08\x62\x5d\x01\xa5\x31\xa3\x52\x92\x5f\xb0\x71\x51\x54\x56\x32\xff\xfa\xc6\x31\x8d\x97\x80\x62\x3f\x19\x65\xef\xe9\xf7\x2c\xe4\xff\xa0\x2a\x4b\xf9\x98\x38\xcd\x1c\x00\x7b\x36\x36\x0b\xfa\x8f\xe8\x67\xd5\x95\xf3\xaf\x2b\xe2\x2f\x0a\x4e\x85\x9b\xb1\x35\x2b\xd1\xac\xc0\x73\xa7\xe9\x24\xc7\x73\x47\xe8\x10\x1d\xf0\xcd\x58\xe9\xe8\x33\xe3\x19\x53\x66\xbd\xa9\x20\x28\xb7\xd7\x1b\xca\xbd\x8c\x0d\x14\xe4\x6a\xa3\xb5\xaf\x02\x4a\x5c\xf9\x96\xc6\x8a\x7e\x6b\x9b\xe7\x00\x0d\xa9\x72\xa5\x24\xe5\xe4\xc0\x31\x1a\x33\x4e\xdc\x98\x61\xca\xcc\xd1\x39\x3a\x5b\x93\x58\xb7\xb5\x71\x42\x8e\x5d\xe4\xd8\x6d\x31\xc7\xee\x07\x23\xa1\x19\x8b\x0b\x22\xdd\xee\x0c\x65\xec\x74\xbb\x1b\x60\x79\x2a\xab\x0d\x5b\x9e\xc6\x6d\x8d\xdb\x46\x65\xde\xbd\xc3\xd3\xf2\x8c\x57\x24\x55\xdf\x32\xeb\xdb\x4c\x3e\xc1\x05\x9a\xa0\xd1\x8a\x3e\x99\x75\xde\x00\xed\xae\x6d\x48\xdc\xc8\x7e\xfd\x9f\x93\x7b\x9c\x07\xaf\xc9\x6a\x41\x76\x1e\x1d\x74\x1e\xd5\x97\xbe\x55\xb9\x50\xcc\x8d\xd6\x9d\xe7\x6a\x45\xff\xf7\x0d\xe3\xa8\x7e\x97\x99\x8b\x34\x4f\xd9\x1a\xe3\x37\x49\x47\x5b\xf0\x21\x2d\x70\x36\x0f\x0b\x18\x60\x01\x9f\xeb\xa7\x67\xfb\xd9\x33\xfd\xd1\xa7\x2d\x67\xd5\x9b\xfb\x7b\xc7\x02\xd6\xe0\x0c\xbd\x9f\x39\x9e\xe7\xc8\x4d\x7f\x39\x6d\x27\x5d\xc2\xe7\xc5\x1d\xe6\x9c\x5a\x78\x73\xa4\x12\xbf\xb2\xac\x94\x47\xc5\xd5\xfc\x0c\xee\xcd\xd3\x62\x89\xac\xa6\x94\x17\x84\xb7\xea\x61\xfd\xb3\x30\xfe\xbd\x64\x7e\x2c\xf6\x1f\x87\xfd\x4d\x73\xe6\xa5\x08\xbd\x18\x61\x2f\x44\xa2\x9f\xb0\x56\xe2\xef\x8f\xcc\x2a\xfa\xc6\xb2\xa8\xc5\x0a\x0a\xef\x76\x25\x16\xbf\xac\xff\x29\x1e\x9b\x72\x3d\x05\xdf\x63\x5d\x93\xa5\xb2\x16\x5b\xd5\x6c\x2e\x3f\x2a\xe5\xf8\x83\x73\x6f\x47\xa9\x98\x33\x8a\x31\xcb\xa5\xbc\x16\x53\xae\x1b\x7d\x2a\xbc\x01\x15\x59\xa9\x94\xe4\x54\x4c\xfc\x22\x77\x2f\x9a\x63\xc9\xf7\x3a\x9e\x1d\x60\xfd\x7c\x7c\x0b\xbf\x2d\x97\xab\xac\x73\xeb\xd2\xf6\x9a\xff\xab\xf7\x7b\x4f\x3e\xdb\xd8\xcb\x78\x2f\x50\xf6\x20\x4d\xb0\xf1\x78\xca\x0a\x7c\xdc\xc5\x3f\x2b\xe3\x1b\x37\x9a\x89\x0f\xe8\x7f\x74\x06\x33\x6e\xbe\x70\x49\xf6\xe3\xc3\x34\x2f\x76\x5e\xea\x8a\x94\x4b\x99\x23\xc1\xbf\x9d\x3a\x05\x87\xcf\x16\x4c\x55\x4a\xf2\x8a\x6e\x9c\xcb\x05\x8d\xbd\x94\x60\x5f\x19\xa0\x3b\xf5\xd6\xa6\x9c\x8d\x35\x91\xfc\x69\x51\x29\xc9\x19\xd1\x5e\x48\x02\x8e\x34\xbf\x60\xb1\xf6\x9e\x9c\x99\xa0\x1c\x3f\xba\x39\x14\x1c\x5d\x9a\x09\x2a\x1f\xfc\xe5\x4e\xb1\xd3\xc6\x87\xea\xfb\xce\x19\x1f\xac\x63\x50\xa0\xdc\x80\x72\x03\xca\x0d\x28\x37\xa0\xdc\x80\x72\x03\xca\x0d\x28\x37\xa0\xdc\x80\x72\x03\xca\x0d\x28\x37\xa0\xdc\xd8\x48\xe5\xc6\xe6\x23\x1e\xd0\x86\x40\x1b\x02\x6d\xc8\x26\xd2\x86\xbc\x35\x41\xe3\x82\x50\x6a\xb9\x2b\x72\x7e\xb5\xe4\xd2\x86\x98\x39\xa3\xd4\xa2\xa2\x16\xab\x37\x72\x25\x49\xd3\x64\x8d\x7d\x76\x88\x7d\x72\x80\x5e\x6e\x5f\x71\x69\x2d\x1d\xbd\xd1\x60\x12\x29\xa3\xad\x69\xbd\xad\x50\xd3\x49\x2d\x59\xb7\xb3\x9c\x76\xfd\xca\xe6\x20\x8e\x9d\x8f\x19\x7b\x6d\x30\x4c\x3c\xce\x8e\x19\x30\xb1\xee\xf5\x30\xb3\xcc\x3b\x7b\xda\x85\x11\x91\x67\x0a\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\xb1\x1b\x59\x23\x48\x20\x48\x20\x48\x60\x0f\x93\xc0\x3f\x48\x50\xd2\x88\x12\x53\xf2\xb2\x83\x01\xaa\xab\x65\xfd\x51\x0d\xf8\x67\x04\x82\xb1\x0f\x24\xd8\x9f\xf7\xd1\x56\xfd\xdc\x4b\x6b\xe9\xe8\xfd\x3c\xec\xcb\xbd\xe3\x5c\x14\x17\x72\x32\x94\x7c\x05\x8f\xf8\x52\xf2\xf2\x72\xda\xf9\xf7\x90\x63\xbb\x5e\x43\x67\x04\x46\x3b\x46\x47\x38\x46\x4b\xd3\x18\x8d\xfa\x6b\x68\xf5\x27\x5d\x4b\xa7\x9c\x77\x74\xb3\x51\x5d\x8f\x07\x53\xb5\x83\x6c\xc2\x23\x35\xbb\xa3\xdb\x4d\x81\x9e\xf3\xb6\xa2\x1f\xdd\x66\x77\x77\xdc\x0c\xe2\x5a\xa7\xc7\xef\x35\xe3\xb7\xda\xdc\xe9\x99\x69\x9a\xa2\xd3\x35\xc1\x0a\xcd\xf6\x3a\x22\x14\x10\xa3\xd5\x62\x8c\xd6\xfb\x22\x21\x7c\xf4\x67\x45\x74\xd6\x29\x3a\x61\x47\x67\xb5\xc1\x76\xb4\xcb\x38\x04\x04\x7c\x25\xdf\x72\x87\x6d\x3b\xee\x12\xab\xf6\x98\xe4\x36\x17\xf7\x88\x3f\xb7\xdd\x5a\x3c\x4a\x8b\xb4\xe0\xb4\x16\xc9\x0c\x9d\x69\xc1\xd1\x31\xc3\x6f\xf7\x11\xce\x85\x61\x3e\x02\xcd\xc7\xd7\xfa\xe8\xab\x7d\xec\xcb\x7d\xd1\x2f\x5a\x1d\xf4\xe1\xbe\x47\x9d\xeb\xa0\xa2\xbe\x1c\xe7\x6b\x99\xd8\x8a\x7c\x59\xf8\x44\xac\x0d\x88\x0d\xde\x8d\x3d\x1f\xbf\x45\x87\x79\x28\x2b\xe5\xd1\xb2\x5c\x90\x78\x47\x18\x4b\x21\xa7\x19\x11\x28\xc2\x1a\x02\xe3\x1d\x2c\x5e\xbb\x26\xe7\x75\x43\x55\xba\x61\x3b\x2b\x6c\x40\x5d\x2c\x8d\x18\x2b\x24\xbe\x46\x8c\x15\x54\x7d\xce\xab\xc8\x6a\x51\xc9\x5b\x2b\x3d\x7b\xfa\xe3\x7e\x20\xb3\x37\x56\x35\xfd\x26\x9d\xab\x4b\x49\xbf\xd2\x7c\x20\xe3\x47\x2e\x8b\x4d\xb9\xd9\x44\x4a\xdc\xa7\x88\x0c\xf2\xb8\xc7\x38\xe3\xb7\xb0\xc0\xef\xc0\x63\xe5\x97\xf9\x4c\x1f\xbd\xd4\xc7\x5e\xec\x8b\xbe\x60\x75\xf3\x7b\xfb\x66\x1c\x4e\xce\x4a\x49\x96\x34\xd9\x22\x28\x0b\xaa\x52\x91\x0a\x7c\x00\x16\x94\x52\x31\x77\xc3\xe5\x44\x31\x9f\xc5\xf6\x92\xea\xa3\x94\x4e\x1d\x49\xc5\x96\xc4\x80\x88\xde\xa9\xe8\x0b\x7f\x7d\xf3\x64\xc2\x38\x39\xa6\xa8\x95\x2b\x52\xd9\x74\xea\xa8\xab\xf2\xd8\x65\xa9\x64\xc2\xeb\xb8\x38\x1a\x8f\x5d\x2e\x96\xa5\x52\xf1\x7b\x4d\x0a\xb6\x22\xeb\x2b\x4b\xbe\xd5\x18\x13\x2b\xca\xbc\x4d\x46\x45\xe3\x43\x9a\x7d\x91\xc0\xc5\xa9\xd8\xd9\x22\x7f\x9d\x1d\x37\xae\xa8\xf5\x4f\x66\x6f\xdb\xaa\x82\x56\xf3\x8f\x4d\xa9\x5e\x49\xc5\xef\x10\xf7\x33\x63\x3e\x88\xcb\x3b\x94\x79\xdb\x00\xbd\x65\x80\xfd\xc0\x40\xf4\xbb\x96\x8b\xf0\xf7\xfa\x1f\x37\x70\x92\xfe\x49\xe9\xfb\xa6\x82\xa4\xae\x48\x05\x39\x96\x53\x4a\x25\x99\x1b\x3f\xfb\xbb\x90\xd5\xcb\x8a\x7a\x4d\xef\x0b\xcf\x3b\x7d\xa4\xe6\xc7\xfd\x6f\x94\xbf\xcf\xe6\xcb\x58\x11\x4f\x55\xd4\x5f\x94\x5c\x31\x6f\x73\x61\x8e\x18\x45\xe4\x98\xd9\xbb\xfa\x4e\xca\x00\x70\x26\x44\x4c\x39\xba\xd1\xc4\x4f\xd6\x5e\xc9\x72\x0c\xba\x7f\x2c\x15\x9b\xca\xe9\xdb\x2a\x3e\xa7\x3a\x8d\xc3\x90\x78\x86\xa1\xd8\xa8\x31\xf0\xee\x17\x43\x3b\x1e\x1b\xca\x48\xb9\xa7\xf4\xc9\xa4\x9c\xd7\xcf\xe2\x1e\x39\x7e\x52\x4d\xc7\x09\xe6\x6b\xbc\xfa\xee\x46\xcc\x27\x58\xb1\x5a\x3a\x1e\x1b\x9a\x55\x54\xd9\xd1\x6c\x2c\x27\x69\x39\x29\xaf\x3f\xbd\xd1\x3f\xc2\x07\xcb\xdb\xd3\x84\xf5\xaa\x6b\xf0\xb2\xd5\x46\x2a\xbe\xb3\x52\xfb\xde\x38\xe7\xfa\xe7\x23\x34\x2f\xe6\xfa\xb3\x34\xcd\xe7\xfa\x93\x74\x9c\x8e\xb5\x30\x7d\x88\x90\x61\x5a\xd4\x5b\x9b\x60\x17\x68\x8e\xb6\x89\xbe\x95\xf3\x37\xdb\x66\xd0\x22\x20\xe6\x3d\x57\x6f\x67\x5b\x45\x37\x35\xba\x87\x68\x6c\x69\xe0\x5c\x4c\x64\xbe\x71\x9b\xbd\x0e\xd8\x5f\x17\x8e\xbd\xce\x66\xe2\x6e\x11\x89\xdd\xc6\xc5\x01\x62\xae\x7b\x6d\x49\x82\x98\x6b\xc4\x5c\x6f\x70\xcc\x75\x27\x78\x51\x50\x38\x74\xdb\x36\x85\xd9\x63\x74\x84\x1d\x8a\x1f\xb0\xf4\xc3\xf7\x38\xe3\xac\x9d\xa7\xd6\x07\x5b\x87\x1e\x0a\xfd\xa9\x04\x8d\x98\x95\x28\x7d\x22\x9d\x85\xa4\xcb\x04\x8c\xef\x4a\xb0\xcf\xf4\xd9\x35\x2a\xef\xf1\x00\x8c\x5c\xe6\x96\xbc\x57\x3f\x22\x6a\x49\xda\x01\xc7\xfc\x50\xc8\x70\xf1\x51\x3a\x26\x5e\x96\x09\x1a\xe7\x2f\x4b\x92\x12\x34\xe8\xfb\xb2\xe8\x77\xae\xbf\x2c\x8d\x89\xf1\x02\xa8\xe2\xb9\xe0\x77\xe4\x41\x16\xf7\x2e\xf8\x28\x5e\x0d\x71\x1b\xd1\xb7\x6f\xb3\xfb\x74\xb7\x37\x45\x14\xdd\xba\xc7\x38\xd8\x81\x9e\xcd\x9c\xa0\x49\x3a\x5a\x33\xf5\x36\xdc\xb5\x98\x68\x81\x0e\x5b\x44\x87\xef\x8c\xdc\xcc\x27\x7d\x4a\x30\xc3\x23\x74\xc8\x66\x86\x61\x9a\x84\xc6\xbe\x79\xef\xef\xdc\x25\xc4\x0d\x80\x83\x7f\x7b\xbb\x6d\x12\x6e\x37\xe1\x60\xd9\x30\x03\xbb\xc5\x1f\x3a\x61\x05\x40\x06\x41\x06\x41\x06\x41\x06\x41\x06\x41\x06\x5b\x21\x83\x9d\x64\x79\xe1\x62\xc8\xd0\x67\xfc\x40\xc4\x98\xf9\xf4\x6d\xf6\xa4\xff\x60\x00\x09\x14\x2b\x81\x68\xc5\x2e\xda\xdf\xb6\x85\x00\x28\x60\xaf\x2d\x3f\x40\x01\x41\x01\x37\x98\x02\xb6\x15\xec\x04\xe2\xbf\xb0\x8c\x7e\x76\x82\xc6\x59\x2a\x3e\x62\xe1\xbe\x9d\x4e\xdc\xc7\xcf\xbf\x25\x92\x2a\x7e\x65\x98\xce\x19\x05\x31\x15\x45\xcd\x17\xcb\x4d\xa5\x53\xe4\x8b\x6c\x0b\x32\xbe\x73\x98\xfd\xed\x00\xdd\xee\x6c\x48\x9f\x10\x9f\x35\x4a\x63\x3a\x23\x98\xcb\xe6\xfe\x40\xb9\x1c\xd3\x87\x20\x36\xaf\xb7\x14\x4a\x04\xf3\x88\x1d\x75\xc1\x37\x23\x86\x46\xbf\x58\x95\xaf\xd9\x76\x6e\xc8\x15\xc1\xe3\x68\xdb\x8c\x7f\x9e\x76\x3c\x84\x73\x86\xe6\xf7\x89\xf8\xe7\x66\xbe\xcc\xeb\xe2\xcb\x7c\x55\xf0\x97\x79\x88\x1d\x30\xeb\x65\xd6\xbf\x8c\xc6\xa7\xca\x07\x00\x19\x16\x11\xf5\x8c\xa8\x67\x44\x3d\x23\xea\x19\x51\xcf\x88\x7a\x46\xd4\x33\xa2\x9e\x11\xf5\x8c\xa8\x67\x44\x3d\x23\xea\x79\x23\xa3\x9e\xd7\x45\x26\x7c\xdf\x76\x2b\x20\x13\xc4\x62\x23\x16\x1b\xb1\xd8\x9b\x28\x16\xfb\x1d\x09\x4a\xad\x87\x38\x45\xcd\x4e\xc1\x39\x05\xd0\x64\x7f\x38\xc4\x3e\x37\x40\x77\xd6\x90\x4c\x51\x78\xed\xf5\x8d\xa5\x66\x0c\x0f\x68\x9a\x35\x61\xdc\x48\x92\xdf\x0c\xff\x91\xf9\xa2\x56\x9d\x55\xd4\xa9\x52\xc9\xc2\x94\xe1\x45\x12\xdc\x42\x84\xb2\xa1\x9a\x30\x8d\x55\x73\x6a\x9e\x52\x8a\xa2\x4f\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x48\xd0\x08\x28\x08\x28\x08\x28\xd8\x29\x28\xf8\xc7\x7d\x74\x8f\x91\xa0\xb1\xb6\x02\xf7\x18\xfb\x64\x1f\xfb\x1f\x7d\x44\xf6\x91\x68\xb4\xc0\x23\x4b\x2e\x2b\xea\x35\xab\x1b\xa5\x18\xc7\x40\xc9\xbb\x0a\x72\xf5\xa2\x75\xea\xd4\xc2\xdc\x39\xfd\xcf\xe1\xa9\xf8\xeb\x1a\x9a\xac\x6b\x68\xb2\x91\x86\xb2\x45\xba\x28\xa0\xdb\x39\x3a\xcb\xa1\xdb\x69\x3a\x49\xc7\x5b\x80\x6e\xe6\x33\x06\x21\x37\xf6\x99\x3e\x62\xf5\x69\x30\xd9\xc7\xfa\xd8\x2f\xf4\xd1\x80\xfe\xb7\x75\x7b\xf6\x76\xbd\x67\x95\xbc\x8c\x3e\x75\xf4\xe9\x6f\x0f\xd2\x0e\x33\xf6\xbf\xa2\xe4\x35\xf6\x4b\x83\xec\x43\xfd\x76\xfc\xc9\x03\x62\xd3\xa2\x1a\xcb\x2d\x73\x3e\x36\x85\xb6\x0b\x4a\x3e\xb9\x57\x3f\x45\xc4\x9e\x2c\x28\xf9\xcd\xc6\x8e\x97\xe9\xb8\xe8\xf2\x83\x34\xc1\xbb\x7c\x84\x92\x94\x08\x14\x98\x2f\x28\xf9\xf9\xa2\x16\x8c\x89\xef\xf3\xc6\xc4\x5b\xd9\x16\x41\x88\xcf\x06\x13\xe2\x38\x8b\xd5\x2a\xcc\x17\x94\x3c\x44\xab\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x1b\x42\x82\x7f\xeb\x09\xb3\x54\xcf\x0a\x97\x80\xfa\xa7\xd4\xbc\xaa\xac\x68\xec\xdd\x4f\xb0\x3f\x79\x88\xb6\xf1\x73\x1b\xc0\x6d\x59\x65\x25\x79\x8f\x7e\x4a\x46\x3f\xec\x8c\x24\xcf\x2a\x2b\x5d\x4e\xda\x32\x60\x54\x60\x54\x19\x30\x2a\x30\x2a\x30\x2a\x30\xaa\x9e\x61\x54\x99\xae\x61\x54\xa1\xdf\x49\xcb\x8c\x2a\x03\x46\x05\x46\x05\x46\x05\x46\x05\x46\xd5\x79\x46\x95\xe9\x69\xa4\x94\x01\x52\x6a\x1f\x52\xca\x74\x3b\x52\xca\x6c\x42\xa4\x94\x7d\x9c\x4e\x08\x85\xd2\x21\x3a\xc0\x15\x4a\xa3\xb4\x9f\x86\x7d\x15\x4a\x9c\x25\xa5\xd6\xd2\xa9\xac\xb2\xd2\x90\x44\xe9\x7c\xb0\x04\xe9\x21\xb6\xcf\x90\x20\xf1\xd6\x0d\x15\x52\x56\x59\x71\xa7\x36\x0e\x10\x3b\xc5\x3f\xbe\xcd\x81\xba\x76\x88\x89\x26\x26\x71\xaa\x15\x15\xff\xd5\x56\xae\x25\x30\xd4\x71\x3a\x46\x47\x6a\xb2\x08\x0f\xd1\x43\x0d\xf5\x27\x52\x06\xa3\x9e\x49\x8b\xf5\x4c\x3e\x1b\xa1\xa3\xe2\x33\x4e\xd3\x18\xff\x8c\x87\xa9\xd1\xd7\x8e\x4e\x8a\x72\x26\x87\xe9\xa0\x5d\xce\xa4\x89\xcb\x4f\x89\xec\xeb\x47\xe8\x90\x23\xfb\x7a\x13\xd7\xb7\x2e\x72\xac\x28\x5a\x95\xc2\xb3\x30\xc9\x8f\x8d\x38\x2c\x88\x51\x16\xd9\x59\x3d\x40\xb9\xcc\xad\xc9\x83\xe2\x88\x61\x4d\xa6\xad\xe3\xed\xb4\x2b\xed\x29\x91\x02\x5e\x0a\x5e\x0a\x5e\x0a\x5e\xda\x3b\xbc\x14\x4b\xac\x80\x25\x56\xf7\x00\x65\x94\xa7\xea\x48\x79\x2a\x70\x7b\x70\x7b\x70\x7b\x70\x7b\x70\xfb\x9e\xe6\xf6\xa8\x52\x88\x2a\x85\xa8\x52\xd8\xae\x2a\x85\x70\x8b\xc1\x2d\xd6\xab\x6e\xb1\x6c\x21\xdc\x9a\x99\x81\xc0\x38\xe9\x0d\x8c\x77\xb1\x9d\xe2\x6b\xb6\x2d\x6d\x88\xf0\x78\x13\x66\x07\x67\x9f\x1f\xa6\x39\x23\xdb\xb0\xac\x1a\x1e\x44\x59\xf3\xce\x36\xec\x3c\xa3\x58\x28\x17\xcb\x05\x73\x95\x66\x96\x54\x7b\xeb\x30\xfb\x6f\x5b\xe8\x4e\xe7\x89\x56\x22\xe2\x5f\x6d\xa4\xae\xda\xb4\x7d\xe5\x92\xf8\x89\x45\x13\x73\x74\x41\xad\x35\x23\xb1\xb1\xe3\xe9\x8c\xc4\xc6\xbe\xb7\xdd\xe5\x92\xf9\xee\x2c\xbd\xf6\xfa\xe0\x0f\xf2\x22\x9b\xaf\xcb\x56\x6c\x66\x39\xae\x7f\x8f\x8d\xef\xd5\x77\x94\x90\xde\x02\xa1\x03\x48\x6f\x01\x57\x18\x5c\x61\x70\x85\xf5\x92\x2b\x0c\xe9\x2d\x90\xde\x02\x2e\x08\xb8\x20\xe0\x82\x80\x0b\xa2\x2b\x5c\x10\xd9\x59\x9a\x61\x99\xf8\x19\x8b\xa0\x3c\xe4\xac\xc9\xe6\xbb\x7f\xab\xaf\xd3\x86\x34\x19\x48\x93\xb1\x49\xe0\x2d\xd2\x64\xb4\x23\x4d\xc6\x6f\xec\xa7\x0b\x82\x6b\xe6\x8b\x5a\x4e\xd1\x8d\x67\x2d\xd4\xf4\x49\x9b\x21\x97\xf3\x15\xa5\x58\xae\x6a\xa5\xa2\x75\xe8\x8d\xec\xef\x92\xec\x7d\xfd\xb4\xd3\x6a\xcc\xc2\x9a\x31\x55\x96\xf2\x35\x9b\xdc\xb3\x46\x13\x4b\x7a\x13\xc9\xfd\xfa\x19\x33\xe6\x85\x06\x31\xb4\x85\xc2\xae\x93\xc3\x95\x0c\x67\x2f\xfb\xc2\x38\xba\x20\xb8\xdf\x0c\x65\x38\xf7\x3b\x41\x93\x74\xd4\x57\xac\x6d\xf7\xa1\xf1\xd8\x29\xd7\x5d\x9b\x64\x6f\x25\x18\xdc\x9d\x66\x27\x05\x8c\x73\x35\x50\x5f\x7a\xcc\x80\x79\xb5\x83\x47\x57\xf7\x7a\xd3\xc3\x97\xb1\x81\x82\x5c\xa5\xe8\x5b\xb6\x7b\x0d\xd2\x3e\x55\xae\x94\xa4\x9c\xbc\xee\x38\xa5\x8c\x93\x36\x64\xa8\x32\x17\x69\x9e\xb2\x35\x51\x23\x37\x31\x24\x50\x39\x22\x90\xa4\xc5\x40\x92\x5f\x8c\x08\xa7\x40\x9a\x3b\x05\xac\x70\x90\x9b\xb2\x10\x9d\xb5\x43\xfe\x36\xa2\xb2\x5a\xa5\x4e\x98\xa9\xe4\x87\xef\xf0\xb2\x43\x77\x1b\xda\x04\xa9\x5c\x63\x7b\x46\xc5\x81\x8d\x31\x3d\xed\x09\x2c\x81\x01\x0a\x30\x40\x10\x37\x77\x44\xdc\x0c\x55\x1b\x54\x6d\x50\xb5\xb5\x4b\xd5\x96\x7d\x3e\x12\xb2\xb4\x67\x51\xc4\x92\x5e\xa0\x39\x47\x2c\x69\x9b\xe5\x42\x31\xef\x05\xc3\x76\xb6\x55\x74\x53\xa3\x6b\x06\xbf\xe5\x40\x43\x6b\x89\xcc\x7f\xdd\xe1\xb5\x66\x18\xa9\x48\x6a\xb5\xc8\xbd\x9e\x62\x8b\xbc\xee\x26\x66\xa4\xa2\x6f\x85\x3b\xbe\x8e\xd8\x5d\xdb\xd0\x28\xbf\x8f\xfd\xbc\x56\xcd\x1e\xe7\xc1\x6b\xb2\x5a\x90\x9d\x47\x07\x9d\x47\xb5\xaa\x2a\x55\xe5\x42\x31\x37\x5a\x77\x9e\xab\x15\xfd\xdf\x37\x8c\xa3\xfa\x5d\x36\xbb\x7d\x5a\xe7\x95\x59\xe0\x02\x01\xac\x5e\x02\x56\x2f\xcf\xf5\xd3\xb3\xfd\xec\x99\xfe\xe8\xd3\xd6\x14\xf0\xe6\xfe\xde\xd9\x3e\xd5\xf8\x54\xf4\x7e\xe6\x1a\x01\xee\xf7\xd3\x5f\x4e\x5b\x29\x94\xf0\x79\x71\x87\xf9\x4c\x26\x24\x25\x52\x89\x5f\xa9\x2f\xd9\xc4\xd5\xfc\x0c\xbe\x7c\xd2\x62\x89\xac\xa6\x94\x17\x84\x64\xe6\x61\xfd\xb3\x30\xfe\xbd\x64\x7e\x2c\xf6\x1f\x87\xfd\xf7\x75\x99\x97\x22\xf4\x62\x84\xbd\x10\x89\x7e\xc2\xc2\x78\xef\x8f\xcc\x2a\x6a\x8e\xaf\xec\x0a\x0a\xef\x76\x25\x16\xbf\xac\xff\x29\x1e\x9b\x72\x3d\x05\x07\xb4\x62\x11\xb6\xaa\xd9\xe2\x80\x51\x29\xc7\x1f\x9c\x4b\x2e\x4a\xc5\x9c\x31\xc9\xca\xa5\xbc\x16\x53\xae\x1b\x7d\x2a\x24\x09\x15\x59\xa9\x94\xe4\x54\x4c\xfc\x22\xd7\x38\x99\x63\xc9\x41\xa9\x67\x07\x58\x3f\x1f\xdf\xc2\x6f\xcb\xa5\xd7\xb9\x1c\xea\xe6\xf1\x26\x74\x6b\x15\xa1\x5b\xeb\xc0\x1c\x91\x9d\xa4\xa3\xec\x70\xfc\xa0\xe5\x20\xb9\xd7\xe9\x20\x71\x5d\x5c\xef\x14\xd9\x84\xf2\xd4\xff\x70\x1b\x1d\x16\x18\xd7\x1c\x0f\xfe\x19\xd9\x28\x77\x4c\x93\x4b\x97\xb5\x55\xfe\x20\x52\x4e\x37\x57\xaa\xbc\x56\x94\xaf\x6b\xec\x77\x28\xfe\xc9\x2d\x74\x87\xeb\xba\x4b\x6b\xe9\x68\xcc\x4a\x0b\xb3\x24\x97\x2e\x2f\x89\x4b\xa7\xf8\xa5\x8b\xfc\xd2\xe4\x88\x38\x63\xca\x79\xe5\x72\xda\xe7\xec\x90\xf7\xe2\x8f\xd3\x63\xb4\x54\x33\x8f\x4d\xd3\x94\xef\x4b\xed\xee\x16\x7d\xc5\xe3\x7d\x9b\xd9\xa7\xfb\xe8\x51\xf1\xb5\x3c\x4c\x17\xf8\xd7\xa2\xaf\xd7\x6e\xbe\x61\xfa\x1e\xc1\x8a\x16\x69\xc1\x66\x45\x21\x35\xfd\x6a\xb1\x14\x5c\xa2\x57\x3a\x96\x82\x21\xb5\x7d\xb3\x29\x47\x9e\x0a\xfe\xd8\xcf\xb3\x59\xe3\x63\xf7\x7a\x79\x8d\x0f\xde\xef\xfe\x5c\xc2\x72\xac\x46\xd6\x5f\x8d\x64\x01\x73\x7d\x60\x6e\xe8\x16\xf9\xe9\x01\x8a\x99\xf5\x1c\x73\xca\xb5\x8a\x52\xd6\xf7\x8d\x7c\x9b\x65\x7b\xcb\xbe\x7f\x80\xfd\x55\x9f\x5d\xe3\x31\xee\xe1\x23\x9b\x36\xaf\x15\x5b\xb4\xe4\xbd\xfa\x39\xa2\xc8\x63\xcd\xa1\x90\x7d\x62\xaf\xa5\x69\x61\x07\xf5\xd5\x82\x6e\x07\x0f\xd2\x04\x8d\x07\xd6\x63\xac\xb9\xa9\x40\xfb\xb1\xbe\x9f\xea\xea\x2b\x83\xcd\x47\x8a\x8d\xd4\x96\x65\xac\xbd\x09\x97\x91\x38\x41\x93\xec\x68\xfc\xb0\x35\xbd\xef\x76\x69\x27\xdc\x57\xb6\x5f\x31\xc1\xbe\xda\x47\x77\xd5\x17\x53\x5d\x4b\x8f\xb1\x4f\xf5\xb1\xdf\xe8\xa3\xad\xfa\x9f\xf5\xb7\xe3\xee\x82\x5c\x75\x6b\xa4\x84\xd7\x58\x54\xaa\x55\xf2\xf2\x72\x7a\x6a\x61\xce\x14\xe3\x86\xf8\x3a\x84\x56\x55\xb5\x42\x8f\x89\x57\x4a\xdf\x85\xea\xaf\xd4\x2c\xcd\x50\xa6\xb5\xaa\xaa\xe6\x73\x36\x92\x59\x8f\x7d\x28\x41\x93\xa2\x8f\xd5\x15\x29\x97\xf2\x59\x23\xb9\x62\x78\x4a\xab\x5a\x55\xb7\xdb\x25\x59\x63\x7f\x33\xc4\xbe\x3e\x40\xf7\xea\xd7\x4e\xd5\x2c\x93\x04\x7b\xb8\x6e\x48\xc3\xca\xf9\xe2\x5a\x31\xbf\x2a\x95\x5c\xd1\x3b\x96\x0c\x73\x5a\x34\xba\xa8\xe8\xeb\xfb\x10\xe2\x74\x52\xc9\x11\x7e\xc1\x62\xed\x8d\x99\xe1\x36\xf6\xef\xe9\xdd\x84\x20\x9b\x7a\xf3\xb3\xcf\xdb\xfc\xec\x60\xc4\x6f\x4c\xd4\x86\x2d\x06\x1b\xa1\x59\x36\x63\x18\x21\xdf\x37\xcc\xb4\x4d\xf6\xa0\x78\xec\x5b\x10\x60\x83\x00\x1b\x04\xd8\x20\xc0\x06\x01\x36\x08\xb0\x41\x80\x0d\x02\x6c\x10\x60\x83\x00\x1b\x04\xd8\x20\xc0\x06\x01\x36\x9d\x0d\xb0\x41\x60\x0c\x02\x63\x10\x18\xd3\xc3\x81\x31\x7f\x9e\xa0\x94\xc9\xef\x7d\x22\x60\xf4\x0f\xce\x19\xfb\xf2\xd1\x04\xfb\x7d\x07\xcd\x8f\x7a\xd0\xfc\x25\x71\x49\x72\xb7\x4d\xf1\x6d\xcd\x91\x71\x30\x64\x8e\xbf\x4c\xc7\x05\x55\x3b\x48\x13\x9c\xaa\x8d\x50\x92\x12\x81\x1c\xdf\xb8\x99\x9b\xe5\xf7\x73\xc1\xe8\x6c\x90\x3d\x68\xba\xf8\xc4\x4f\x3a\x69\xbd\x4d\xf6\xa3\x3f\xb6\xcd\xee\xdb\xbd\xde\x81\x2a\x66\xf7\xde\x67\x1c\xee\x48\x0f\x67\x4e\xd1\x09\x9a\xac\xf1\x45\x37\xd1\xc5\xd0\x50\x21\x04\xa5\x45\xaf\xe5\x7f\x8e\xdc\xdc\xc7\x7d\x46\x68\x12\x8e\xd1\x11\x5b\x93\xd0\x29\xf3\xc0\x43\x4c\x1a\x33\x0f\xb5\xee\x3d\x2f\x43\x91\xfc\xd6\xed\xb6\x79\xb8\xc3\x8c\x1f\xb1\x2c\xc2\x5e\xf1\x97\xce\x18\x04\x04\x8a\x20\x50\x04\x81\x22\x08\x14\x41\xa0\x08\x02\x45\x7a\x33\x50\x24\xbc\x79\x3d\x38\xe6\x24\xf3\x85\xdb\xec\x99\x7f\x30\x20\x0a\xc4\x5c\x0f\xec\xe1\x5a\xe4\xb6\x2f\x07\x10\xef\xd1\x6b\x8b\x10\xc4\x7b\x20\xde\x63\x83\xe3\x3d\xda\x4c\x7c\x02\xe3\x3b\xc2\x33\xfe\xd9\x83\x34\xc1\xc6\xe3\x29\x4b\xab\xb9\xcb\xa9\xd5\x34\xae\xb8\x25\x02\x38\xde\xf5\x24\x1d\x14\x0a\x45\xa1\xe4\x72\xe8\x40\xfd\xf2\xef\xf0\xf3\xd8\x97\x9e\x60\xff\xf7\x21\xda\x2e\xfe\x4b\x9f\x01\xf7\x09\x9f\xb4\x6a\x78\xd3\xcc\xf5\xb2\x99\x39\x9c\xcb\xe2\x92\xbb\xf5\x93\xf8\x3f\x35\xe7\xfc\xc7\xff\xd2\xe5\x32\xc1\x0c\x24\x72\x90\xc8\xa1\x1c\x2b\x24\x72\x90\xc8\x41\x22\xd7\x3b\x12\xb9\x2e\xaa\x36\xda\x35\x12\x39\x94\xc1\x84\x44\x0e\x12\x39\x48\xe4\x20\x91\xdb\x88\x32\x98\x3d\xad\x68\x43\x9d\xbe\x5e\xae\xd3\x97\xd9\x84\x8a\xb6\xec\xab\xe9\xb4\xc0\x82\x47\xe9\x30\xc7\x82\xe3\x94\xa2\x11\x5f\x2c\x68\x70\xa8\xb5\x74\x8a\x53\xa1\x46\xe2\x6c\xd7\x49\x06\x21\x02\x29\x17\x83\xc9\xe0\x18\x1b\x35\xc8\xa0\x0b\x84\x99\x69\x5f\x78\x50\xa7\x13\x11\xc6\xff\x60\x9b\x93\x7e\xdd\x6e\x66\x2d\x29\x1b\xa4\x6b\xaf\xf8\x43\xbb\x59\x57\x6b\x4a\xb0\x9a\x3e\x86\x77\x05\x4a\xb0\x16\x95\x60\x5f\x8c\xb4\x20\xe6\xaa\x79\xfd\x68\x4a\x78\x8a\x27\xe9\xa8\xc3\x53\xdc\x5c\x13\xbe\xf9\x8b\x9b\x72\x49\xd4\xb4\xda\x68\xae\x99\x36\x98\x97\xe4\x6f\x8e\x38\xcd\x4b\xd4\x50\x0d\x38\x24\x18\xca\x65\xc3\xd2\x0c\x89\x63\xa6\xa5\x99\xb6\x4e\x69\xaf\xcd\x69\x8f\xd8\x0c\x7c\x15\x7c\x15\x7c\x15\x7c\xb5\x77\xf8\x2a\xd6\x5e\x01\x6b\xaf\xee\x01\xd0\x10\xfa\x76\x44\xe8\x0b\xce\x0f\xce\x0f\xce\x0f\xce\x0f\xce\xdf\xd3\x9c\x1f\xf1\x1e\x88\xf7\x40\xbc\x47\xbb\xe2\x3d\xe0\x46\x83\x1b\xad\x57\xdd\x68\xd9\x42\xc8\xa1\x4e\x41\xfe\xa9\xa4\x37\x40\xde\xc5\x76\x8a\xaf\xd9\xb6\xb4\x6d\x81\xc9\x9b\x51\x98\xfe\xc3\x09\x53\x98\x5e\x96\xab\xd7\x15\xf5\x29\x7d\xab\xe6\x99\x32\xb7\x58\x2e\xa8\xb2\xa6\xe5\x4a\x92\xa6\xc9\x1a\xfb\xf2\x10\xfb\xec\x00\x31\xfb\x2a\x2b\x5b\xee\x1b\x1a\xcb\x96\x3b\x27\xda\x9b\xd6\xdb\x0b\x29\x5d\xee\x20\xbf\xe0\xa2\x75\x4b\x46\x9e\x5c\xe7\x2f\x21\x51\xae\xf7\xa7\xd3\x4c\x31\x48\x67\x7f\xfa\xd6\x82\xac\x7b\x9d\xa8\xa1\x64\xbc\xc8\x90\x0b\xf9\x3f\x32\xe4\xc2\x3d\x05\xf7\x14\xdc\x53\x3d\xe4\x9e\x42\x86\x5c\x64\xc8\x85\x5b\x00\x6e\x01\xb8\x05\xe0\x16\xe8\x0a\xb7\x00\x32\xe4\x22\x43\xee\x66\x01\xa1\xc8\x90\xdb\x8e\x0c\xb9\xdf\x18\xa2\x61\xcf\xc2\x65\x02\x07\xaa\xab\x65\xfd\x81\x4d\x1c\xf8\xcb\x43\xec\xc3\x03\x76\x31\xb3\x06\x19\xe0\xa2\x68\x24\x4c\x06\xb8\x5b\x30\x40\x5e\x2f\xcd\xd9\x3c\xc0\xdf\x4d\x54\xc8\x7a\x3c\x98\x0e\x1e\x64\x13\x1e\x89\x7d\x1d\xaf\x8e\x81\xcd\x9d\x63\x02\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\xd7\x31\xda\xf7\xab\x09\x93\xf6\x69\x55\x45\x95\x0a\x4e\xe0\x97\xd3\x8a\x79\xb5\xa8\x0f\xa0\x59\x0a\xeb\x1d\x09\xf6\xe7\x7d\x44\xc6\xa9\x97\xd6\xd2\xd1\x3d\x1e\xd5\xb0\xa6\x97\xe6\x66\xf8\x75\xc9\x57\xe8\x47\x97\xc4\xd9\xcb\x69\xeb\xef\x21\x97\xc2\x7a\x8d\xc8\x91\x30\xce\x73\x24\xf4\x3d\x72\x81\xa5\x69\x8c\x46\x7d\xb3\x10\x98\x0f\xba\x96\x4e\x59\x77\x14\x88\xcb\x1a\x23\x61\x06\xfd\x72\x77\xa5\x59\x20\xde\xfa\x2d\x57\x1e\xfc\xf5\x0b\x6d\x45\x3f\xba\xcd\xd5\xdd\xf7\x7b\x17\xc8\xb2\x7b\xfc\x5e\xe3\x84\x76\x77\x7a\x66\x9a\xa6\xe8\x74\x4d\x4e\x94\x66\x7b\x1d\xc1\xb9\x48\x8c\xd2\x62\x62\x94\xf7\x45\x42\xf8\xe8\xcf\x8a\xd4\x2a\xa7\xe8\x84\x9d\x5a\xa5\x0d\xb6\x23\xa0\x58\x56\xbb\x4c\x4b\xf2\x2f\x6e\x77\xd9\x0e\x66\x55\xcf\xb2\xcd\xc5\x3d\xe2\x6f\x6d\xb7\x16\x28\x9d\x85\xd2\x59\xb7\x6e\x44\x3d\x42\x29\x11\x4a\x89\x50\xca\xb6\x95\xce\xfa\x89\x08\xcd\x8a\x14\x66\xa7\xe9\xa4\x23\x85\x59\x88\x53\xf5\xcd\x2f\x26\xcc\xc9\x3e\xb0\xae\x55\xdb\xe6\xfb\xcc\x37\x6e\x73\xcd\xf7\x89\x80\x9a\x59\xf6\x2a\xe0\x6e\x5e\xe1\xa5\x9d\x8b\x00\x14\xcc\xea\xb5\xa5\x07\x0a\x66\xa1\x60\xd6\x06\x17\xcc\xea\x04\x17\x0a\xac\x9a\xd5\x2e\x6b\x9f\x3d\x4c\x07\xd9\x44\x7c\xdc\x0a\x3a\xbe\xcb\x59\x43\xcb\xba\xa6\xbe\x8a\x56\xe8\xa1\xc4\xdf\x1d\xa4\x57\x98\x25\xf5\xcd\xb5\xcc\xeb\x57\x95\xaa\xa4\xb1\xaf\x0d\xb2\x2f\xf4\xdb\x55\x1c\xf7\xaf\x5f\xc3\xca\xd4\x7f\xbc\x52\xbf\x38\x39\xa4\x9f\x2c\x2a\x39\xba\x0e\xcc\x2a\xea\x54\xa9\x64\x25\xdf\xd4\xba\x5d\xdc\xf7\x3a\x81\x19\xc6\x39\x66\xd0\xdf\xc2\xc3\x74\x90\x26\x02\xcb\xb6\xb9\x9e\xb9\xa1\x2c\xcd\x8f\x04\xbf\x69\x23\x2c\x59\x5b\x9f\xcd\xf5\x3b\x6e\x34\x19\x90\xf6\x19\x22\x3e\x88\xf8\x20\xe2\x83\x88\x0f\x22\x3e\x88\xf8\x20\xe2\x83\x88\x0f\x22\x3e\x88\xf8\x20\xe2\x83\x88\x0f\x22\x3e\x88\xf8\x20\xe2\x83\x88\x0f\x22\xbe\x4e\x89\xf8\xde\x3b\x4c\xe3\x26\x81\x13\x51\xba\x3e\xc5\xe5\x2b\x4a\xde\xd2\xf2\x7d\x23\xc1\x5e\x1c\xb0\xd9\xdc\xcf\x44\x8c\x1e\x77\xc4\xeb\x96\x4d\x1b\x66\x12\xba\x05\x25\x1f\x4a\xb8\xee\x88\xbd\x56\xe1\xeb\x31\x63\x66\xd3\x97\x3b\xf6\x22\x6c\xc8\xb5\xee\x75\xb4\x9d\x4a\xde\xc3\x7f\x4e\xc0\x41\xbb\x0c\xcf\x82\x92\xef\x76\x18\xf8\x94\xbf\x07\x32\xf4\x10\x60\x93\x0b\x9e\x0d\xe6\x82\x71\x16\xab\xe5\x82\x0b\x4a\xde\x4d\x03\xfd\x49\x37\x7f\x3e\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\xc0\x4e\xe3\xc0\x71\x4a\xb1\x91\x78\xd2\x12\x06\xdd\xee\x14\x06\x2d\x28\xf9\x7a\x49\xd0\xe6\xab\x5f\x00\x44\x09\x44\x09\x44\xb9\x89\x10\xe5\x77\xfb\xe8\x7e\x11\x67\xac\xdb\x12\x31\x9f\x71\xe2\x62\x87\x1b\xb3\x2f\xf6\xb1\x2f\xf4\xd1\x4e\xf7\x09\x97\xd6\xd2\xd1\xbb\x0b\x72\xd5\xbd\x02\x10\xcf\x91\xbc\xbf\x20\x57\xa7\x5c\xa7\x2f\xa7\xa7\x16\xe6\xcc\x4d\x67\x78\xda\xc0\xc9\xba\x86\x26\xeb\x1a\x9a\x6c\xa4\xa1\x6c\xc5\x9f\x00\x3e\x26\x08\xe0\x45\x9a\xe7\x04\x70\x96\x66\x28\xd3\x02\x01\x74\x74\xc0\x7c\x51\x33\x31\x20\xfb\xb7\xc3\x74\x48\x8c\xc0\x0a\x47\xc4\x6b\x69\x3f\x4a\x9c\x53\x95\xf2\x55\x65\xc5\x22\xc5\x9f\x4d\xb0\x3f\xec\xa3\x6d\xfc\x32\x5e\x2d\xdd\x2b\xe6\x5b\x55\xca\x59\x65\x25\xc9\xe3\xc1\x33\xfa\x99\x4e\x32\x6b\x1c\x0d\x39\xee\xfb\x71\xff\xae\x3c\x21\xba\xf2\x10\x1d\xe0\x5d\x39\x4a\xfb\x69\xd8\x57\x72\xc9\x1f\x8c\xcb\x7e\xc5\x6d\x06\xc7\x6d\x16\xe4\x2a\x5d\x9d\x0f\xe6\xaa\xc3\x6c\xc8\xd0\xf0\x8a\x96\xc9\x23\x55\x22\xff\x75\x8a\xfe\xe4\x36\x47\x0f\xef\xf5\x09\xf3\x36\x3a\xd9\x8c\x02\xef\x4c\x3f\x67\x4e\xd3\x49\x3a\x5e\x13\x3b\xd1\x4c\x7f\x22\x58\x02\x61\xde\x2d\x86\x79\xff\x68\xe4\xe6\x3e\x65\x9a\x12\x21\xde\x93\x74\xd4\x0e\xf1\x6e\xb2\x89\x9b\x0c\xef\x6e\xcc\x4c\xb8\x8c\x81\xbf\xcd\x48\xfe\xe3\xed\x0e\x33\x71\x87\x1d\xd1\x6d\x58\x86\xfb\xc4\x5f\x3a\x64\x18\x10\xd5\x8d\xa8\x6e\x44\x75\x23\xaa\x1b\x51\xdd\x88\xea\x6e\x3a\xaa\xfb\xf9\x48\xc8\x55\x42\x17\x45\x8c\xf8\x05\x9a\x73\xc4\x88\xb7\xb9\xf2\x68\xa8\x93\x7b\x70\xec\x78\xe6\xcb\xb7\x39\xa6\xff\xc1\xa0\x00\x6f\x63\x51\xb0\x97\x87\x22\xb6\x7f\x4d\x80\x20\xef\x5e\x5b\x89\x20\xc8\x1b\x41\xde\x1b\x1c\xe4\xfd\xf8\x4d\x6e\x10\x6f\x3a\xc0\x3b\xd4\x29\x20\x7b\x90\x26\xd8\x78\x3c\x65\xb9\x62\x76\xb9\xa2\xba\xc5\x15\xb7\x82\x03\x87\xfd\xa1\x51\x80\x3a\x50\xb3\xaa\xc9\xea\x5a\x31\x27\x4b\xb9\x9c\xb2\x5a\xae\x6a\xec\xe9\x04\xfb\x45\x87\x6e\xf5\x7b\x1b\xab\x38\xb3\x24\x5a\x99\x12\xad\x84\x54\x73\x66\xc8\x53\x86\xea\xfe\x29\xd4\x9f\xb9\x89\xfa\x33\x0b\xc1\xdf\xd6\x28\xdb\x5f\x2b\x5d\x75\x0f\x80\xfb\xfb\x82\x48\x15\x22\x55\x88\x54\x21\x52\x85\x48\x15\x22\x55\x88\x54\x21\x52\x85\x48\x15\x22\x55\x88\x54\x21\x52\x85\x48\xb5\xb3\x22\xd5\xcd\x47\x2c\x20\x39\x85\xe4\x14\x92\xd3\x4d\x24\x39\xfd\x1f\x09\x1a\x6d\x86\x30\x6a\xec\x87\x12\xec\x27\x1c\x68\x51\x6b\x0a\x2d\x86\xc4\x14\x63\xeb\x31\x45\xc0\xc4\x9b\x80\x89\x73\xc1\x30\x71\x90\x3d\xe8\xa1\xd0\xac\x05\x8b\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xb7\x10\x45\xfc\xc1\x7e\xda\x67\x04\xae\x57\x8a\xf2\x1b\xaa\x72\x99\x8f\x96\x1d\xb7\xbe\x22\x57\xa5\xf4\x18\xfb\xe3\x3e\xf6\x95\x3e\xba\xcb\x75\xd2\x25\xe3\xa8\x7f\x00\xfb\xbe\x82\x5c\x9d\x72\x5e\xb2\x2c\xae\xe8\xfa\x20\xf6\xf6\xc4\xaa\x07\x81\x3e\xf6\xf7\x7d\xb4\x47\x8c\x86\x40\x69\x75\xc3\xf0\xf9\x3e\xf6\xd9\x3e\xfa\x67\xe2\x68\x70\xff\xef\x29\xc8\x55\x8e\x18\xd1\xf1\xeb\x77\xfc\x3f\x24\xe8\xb0\xe8\xf8\xb2\x5c\xbd\xae\xa8\x4f\xe9\xdb\x22\x3b\x77\x83\xe0\xeb\xc5\x72\x41\x95\x35\x2d\x57\x92\x34\x4d\xb6\xd2\x07\xfc\x4a\x82\x7d\x6b\x80\x5e\x6e\x5f\x77\x69\x2d\x1d\xfd\x6f\x8d\xa4\x9b\x9d\x13\xed\x4d\xeb\xed\x75\x45\xde\xd9\xbd\xfc\xe7\x2e\x5a\x4f\xb2\x9c\x76\xde\x22\xc8\x7c\x33\xf2\x79\x91\x35\xf6\xea\x93\xc1\x54\x7e\x92\x1d\x35\x48\x7c\xdd\xbb\x67\x80\x79\xe7\x28\x40\xef\x0b\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\xbf\x91\xa4\xfe\x18\x1d\x61\x87\xe2\x07\x2c\x52\x7f\x8f\x33\xae\xd9\xb9\x7d\x6b\x7f\xc1\x6a\x20\x78\x20\x78\x20\xf8\x4d\x84\xe0\xdf\x99\xa4\x87\x05\x7b\x14\x79\x88\x2c\xda\x1b\x54\xeb\x2a\x5f\xd4\xd4\x55\xbe\xb3\x5f\x59\xcd\x17\xe4\xaa\x85\x24\x7f\x7d\x98\xbd\x63\x0b\xfd\x33\xd1\x9c\x45\x89\x3f\xd6\x60\x09\xac\x19\xab\xd9\x0c\x6f\xb6\x2b\xd0\xa4\xe8\x0c\x91\x66\xc9\x60\xd9\xae\xca\x58\xb5\x37\x0d\x58\x59\x0f\x2b\x5f\x1b\xcc\x22\x8f\xb3\x63\x06\x8b\x14\x2f\x8f\x5d\x2d\xab\xb6\x83\x9d\x1c\x92\x0f\x07\x4a\x68\x81\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x76\x1d\xad\x3c\x43\xa7\xd8\x89\xf8\xa4\x45\x2b\xef\xaf\x29\xa1\x55\xbb\xd7\xbb\x15\x32\x32\x02\x8b\x02\x8b\x02\x8b\x6e\x22\x2c\xfa\xa6\x61\x91\xdf\x40\x1b\xd3\xaa\x8a\x2a\x15\x64\x87\x1e\xd3\xf8\x4b\x8d\x12\xf3\xa5\x04\xfb\x76\x1f\x91\x71\xf0\xd2\x5a\x3a\x7a\xbf\x47\x29\xa7\x25\x71\x98\x7b\x63\x92\xf7\xea\x27\x18\x7f\x59\x4e\x3b\x0f\x85\x5c\xcc\xe9\xb5\x34\x2d\x78\xdf\x09\x9a\xe4\xbc\xef\x20\x4d\xd0\xb8\x6f\x1e\x5f\xf3\x91\x79\xaa\x76\xfb\xa6\x6e\xa2\x58\x0b\xaf\xe9\xf4\xea\x60\x02\x78\x84\x1d\x32\x08\xa0\xbb\xdb\xcd\x1c\x01\xce\xbb\x71\x4a\x11\xa3\x2f\x6e\x73\x75\x7d\xdc\xbb\xc6\x93\xab\xf7\xf7\x18\xe7\x74\x60\x00\x32\x5c\x49\x5c\x93\x3c\xbd\x85\x11\x40\xd2\x74\x14\x7b\x6a\xb1\xd8\xd3\xfb\x23\xe1\xd8\x80\xf3\xa2\xe6\xd3\x14\x9d\xb6\x6b\x3e\x75\xda\x9a\xf0\xd2\x4f\x6d\xb4\x26\xc9\x7f\xbc\xdd\x65\x4d\xee\xb2\x4a\x41\xb9\x0c\xc8\x6e\xf1\xe7\x4e\xd8\x0f\x14\x83\x42\x31\x28\x14\x83\x42\x31\x28\x14\x83\x42\x31\xa8\xa6\x8b\x41\x3d\x13\xd2\xd4\x3f\x27\x6a\x40\x65\xe8\x8c\xa3\x06\x54\x7b\xe6\xfe\x36\x4e\xee\x0d\x14\x82\xfa\xd6\x6d\xae\xe9\x7f\x7f\x40\x29\x28\xd7\xa2\x20\xca\x2b\x97\xb4\x79\x4d\x80\x62\x50\xbd\xb6\x12\x41\x31\x28\x14\x83\xda\xe0\x62\x50\x1d\x82\x48\x81\x35\xa1\xda\x38\x37\xac\xaf\xa4\x76\x5e\xd6\x7e\x25\x35\xfb\xa7\x27\x29\xe5\x83\x20\x85\x42\x73\x4d\x29\xad\x5e\x93\xa5\x6a\x55\xca\x5d\xb9\xa6\x2f\x0d\xd8\x6f\x3e\xc9\x7e\x7e\x90\x6e\xb7\xe7\x2e\xa1\xbd\x4c\x09\x5f\xba\x6a\x78\x01\xcd\x05\xaf\xa9\xba\x5c\xe6\xed\x4c\x59\xed\x24\xe3\xfa\xf9\xd6\x14\xc6\xdb\xa8\x3d\xa7\xcb\x15\x8e\x19\x88\xfd\x20\xf6\xcb\x40\xec\x07\xb1\x1f\xc4\x7e\x10\xfb\xf5\x8c\xd8\x2f\xd3\x35\x62\xbf\xd0\xef\xa4\x65\xb1\x5f\x06\x62\x3f\x88\xfd\x20\xf6\x83\xd8\x0f\x62\xbf\xce\x8b\xfd\x32\x3d\xad\x7b\xcb\x40\xf7\xd6\x3e\xdd\x5b\xa6\xdb\x75\x6f\x99\x4d\xa8\x7b\x6b\x32\x32\xd4\x01\xf9\x38\x25\x4a\xd5\x62\xa2\x46\xd2\x1f\x5e\xbd\xcf\x9b\xf8\x6d\x65\x5b\x44\x6d\x99\x5c\x30\xf0\x3b\xc3\x4e\xad\x07\xfc\x6a\x6f\xab\x3e\x7c\x34\xfe\xc2\xf6\x7a\x6e\x76\xaf\x98\x9e\x62\x52\x3d\x22\x7b\x50\x1c\xea\x10\x24\x13\x4c\xeb\x11\x7a\x98\x2e\xd4\x38\x5d\x8e\xd3\xb1\x96\x07\x07\x5e\x17\xa8\xc9\x5a\x54\x93\xfd\xfb\x3e\x9a\x17\x76\xe2\x2c\x4d\x73\x3b\x71\x92\x6e\xe6\x55\xa4\x57\x0a\x59\x59\x96\xce\xdb\xb2\xb2\x9b\x6c\x72\x51\xb8\xab\x2f\xd0\x9c\xc3\x5d\x7d\x93\x6d\x06\x99\xb2\x4e\x98\xaa\x75\xec\x65\x45\xd1\xaa\x94\xfc\xe6\x48\xbd\x29\x7b\xc8\x10\x27\x38\x94\x1e\xca\xe5\x7a\xb3\x96\xaa\x91\xb4\xf1\x8b\xa7\xad\x6b\xda\x6c\xe0\xda\xa3\x72\x03\x05\x06\x05\x06\x05\x06\x05\xee\x1d\x0a\x8c\x75\x5d\xc0\xba\xae\x7b\x30\x39\x14\xc6\x1d\x51\x18\xc3\x1b\x01\x6f\x04\xbc\x11\xf0\x46\xc0\x1b\xd1\xd3\xde\x08\x04\x9a\x20\xd0\x04\x81\x26\xed\x0a\x34\x81\xb3\x0f\xce\xbe\x5e\x75\xf6\x65\x0b\x4d\x01\xf1\x75\xe0\xe5\x52\x55\xaa\xae\x06\xcb\xe4\x3b\x42\x9a\x93\xde\xa4\x79\x17\xdb\x29\x4c\x86\x6d\xce\x29\x7c\xfd\xfb\x97\x86\xe9\x90\xfe\x62\x8d\xad\xa5\xfd\xd2\x10\xeb\xe6\xa0\x98\x93\xa5\x5c\x4e\xdf\x19\x58\xa9\x38\x7e\x62\x98\xfd\x9f\x3e\xda\x9a\x53\x54\x1e\xbf\xf5\x80\x57\x1e\x0e\x71\xe5\x94\xb8\x32\x19\xd7\x4f\x99\x56\x54\x79\xd9\x91\xd8\xd7\x7d\x4e\xc8\x29\x39\x9e\xa4\x8c\x78\x5f\x8e\xd3\x31\xfe\xbe\x1c\xa0\x34\x8d\xf9\x7a\x26\xf4\x67\xe1\x6f\x87\xeb\x9e\x6e\x36\x23\xc7\x42\xf0\x4b\x34\xca\xf6\x3b\x23\x24\x8c\x17\x2a\x1e\x37\x43\x29\xdc\xf7\x13\xfd\xe4\x36\xbb\xdf\x1f\xf4\x49\xc2\xe1\xee\xfa\x87\x8c\xb3\x3a\xd9\xfb\x19\xfd\x23\x9d\xaa\x71\xa5\x36\xdf\xfd\x00\x6d\x70\xa0\xb6\xe8\x40\x7d\x3a\x12\xca\xf7\x7f\x4e\xb8\x4d\xcf\xd0\x29\xdb\x6d\xda\x61\x43\xc2\x93\x71\x34\x66\x48\x3c\x4d\x86\xb7\x75\x49\x7e\xfb\x76\xdb\x90\xdc\x6d\xe7\xdf\x70\xdb\x8e\x07\xc5\x81\x8e\x9a\x0e\xa4\xe2\x40\x2a\x8e\x5b\x17\x94\x83\x90\x80\x90\x80\x90\xb4\x2d\x15\xc7\x4f\x87\x33\xed\x9f\x17\xd2\xa6\x29\x3a\xed\x90\x36\xb5\x65\xde\x6f\x6c\x62\x0f\xd8\x15\x34\x99\x7e\xe3\xef\x6e\xb3\xa7\xfe\xd1\xa0\xdc\x1b\xee\x05\xc1\x3e\x1e\x23\xde\xa9\xf5\x00\xd2\x70\xf4\xda\x2a\x04\x69\x38\x90\x86\x63\x83\xd3\x70\x74\x06\x1c\x85\x6f\xf7\x83\xf2\x7a\x64\x8f\xd3\x31\x76\x24\x7e\xc8\xca\xbd\x11\x75\xe5\xde\x70\xb5\x7c\x2b\xa4\x04\x67\xcf\x27\x68\xbf\xc9\x37\xd7\x2d\xb6\x26\x72\x52\xb0\x1f\x4c\xb0\x77\x0f\xd8\x33\xe3\xeb\x0d\xbf\x7a\x39\x5f\x5c\x2b\xe6\x57\xa5\x92\xab\xb4\x9a\xa5\x61\xe1\xc5\xb9\x42\x29\xa2\x96\x4a\xde\x77\xdd\x6b\x76\xe5\xbf\x30\x5f\xd4\xba\x3d\x27\xc8\x86\x54\x3d\xdb\xe7\xfd\xd6\xef\x60\xc4\x6f\x4c\x04\xb8\x9c\x0b\xfe\xd8\x1e\x64\xf1\xda\x8f\x4d\xdc\x80\x2b\x7d\x0d\xb2\x9e\x20\xeb\x09\x4a\x9c\x41\xef\x0e\xbd\x3b\xf4\xee\xbd\xa3\x77\x47\x89\x33\x94\x38\x83\xce\x18\x3a\x63\xe8\x8c\xa1\x33\xee\x0a\x9d\xf1\x26\xa4\x11\x28\x50\x06\xed\x26\x0a\x94\x6d\x9e\x44\x2d\xec\xc5\x24\x9d\x16\xd9\x81\xa5\x4a\x45\x5b\x47\x23\xa9\xcf\x04\xaa\xa2\xdb\x61\x7d\x5b\xc2\x87\xd4\xd4\x49\xbe\x35\xc9\xde\xda\x4f\x5b\xf5\x06\x2e\xad\xa5\xa3\x0f\x79\xe8\x24\xa7\xad\xab\x17\x8d\xab\x93\x83\xfa\x69\x53\x95\x8a\xe6\x84\x80\xf5\xe7\x85\xac\x97\x94\x68\x56\xc0\xbb\xd3\x74\x92\xc3\xbb\x23\x74\x88\x0e\xf8\x62\x6f\xfd\x99\x52\x6b\xe9\x54\xfd\x7d\x05\x22\xbb\xe5\x60\x1a\x77\x80\xa5\x0d\x1a\xa7\xff\x8e\xc1\xe3\x3c\x7e\xca\x05\xc0\xd7\xd7\x62\x46\xbf\xb2\xcd\x1e\x89\x84\xb7\x72\xd2\x63\x30\x86\x8d\x33\x3b\x3d\x1e\x99\x39\x3a\x47\x67\x6b\x5c\x8f\xad\x0d\x08\xbc\x8e\x50\x51\xb6\xa8\xa2\xfc\x60\x24\x34\xab\x70\x41\x28\x29\x67\x28\x63\x2b\x29\xdb\x66\x62\x02\xd4\x94\x8d\x59\xa0\x86\xac\x8e\xd3\x4c\x25\x7f\xf4\x0e\xdb\xc4\xec\xb6\x34\x95\x1e\x56\x25\x21\x0e\x76\xdc\xa8\x40\x5b\x09\x6d\x25\xb4\x95\xd0\x56\x42\x5b\x09\x6d\x65\xd3\xda\xca\xe7\x23\x21\x87\xe0\x35\x9f\x40\xee\xe6\xc3\xfa\x02\xd5\x91\xed\xda\x9e\x64\xfe\xd5\x0e\x7b\x71\x90\x0e\x50\x5d\x7a\x2c\x19\x86\xb8\x8a\xa7\x93\x2b\x06\xa8\x2f\x7b\x6d\x9d\x02\xf5\x25\xd4\x97\x1b\xac\xbe\xec\x1c\x86\x0a\xac\x83\xd6\xa6\x89\x20\x7b\x9a\x4e\xb2\xe3\xf1\x63\x96\xf3\xe2\x3e\xa7\x0e\xb3\xfe\xe2\x5b\x42\x8b\xf9\xae\x21\x7a\x50\xd0\xd4\xb2\x5c\xbd\xae\xa8\xba\x3d\xb0\xcb\xad\x8d\x15\xcb\x05\x55\xb7\x4a\x1a\xfb\x8b\x41\xf6\xd5\x7e\x7a\xb9\x7d\x16\x07\xa7\xeb\xd7\x57\x9b\x13\x57\x27\x87\xf4\xd3\x2e\x5a\x57\x2e\xa7\x8d\x03\xb3\x8a\x3a\x55\x2a\x59\x93\x66\x78\x75\x42\xdb\xa4\xa3\x7c\x1d\x9d\x15\xdf\xc0\x29\x3a\xc1\xbf\x81\xc3\x74\x90\x26\x7c\xbf\x01\x47\x8f\xae\xa5\x53\xc6\x33\x87\x92\x18\xfc\x55\xc1\x5f\xc0\x21\x76\xc0\x03\x87\xd4\x0d\xb2\xf1\x69\x18\x37\x07\x21\x25\x84\x94\x10\x52\x42\x48\x09\x21\x25\x84\x94\x10\x52\x42\x48\x09\x21\x25\x84\x94\x10\x52\x42\x48\x09\x21\x65\xa7\x85\x94\x90\x39\x42\xe6\x08\x99\x63\x0f\xcb\x1c\xbf\x7e\x2f\x9d\x6a\x48\xe6\xa8\xca\x1c\x65\xe9\x9f\xae\x21\x6f\x1c\xd3\xb8\xcb\x8d\xbd\xef\x5e\xf6\xad\x3e\xdb\xb7\x35\xc4\x55\x8e\xe2\x98\xd9\xcb\xf6\x94\xbb\x28\x9a\x59\x92\xab\xc9\x07\xbd\x74\x8e\xf6\x71\xe1\xd0\x0b\x59\xe5\xf8\x3d\x74\x4a\xa0\xb5\x23\x74\x88\xa3\xb5\x31\x1a\xa5\xfd\x81\x78\xd9\xbe\xab\x9b\xcd\x08\x79\x31\x18\xa9\xed\x67\xc3\xf5\x50\xd9\x71\x07\x4e\xde\x16\xfd\x55\x87\xaa\x31\x69\xaa\x1a\x1b\xe8\xfc\x21\x1f\x5d\x63\x7b\xfb\x3f\xc3\x23\xc2\x6b\x5c\x7a\xcd\x0d\x00\xbc\x78\x50\x33\xb6\xa8\x66\x7c\x4f\xe4\xa6\xbf\xfe\x69\xa1\x62\x3c\x41\x93\xb6\x8a\x31\x74\x13\xd2\x98\x8d\xf0\x53\x21\xd6\xd9\x8b\x00\x35\x64\xe6\xef\x6f\xb3\x4d\xc8\x81\x3a\x61\x42\x03\xb6\xe4\x21\x4f\x69\x42\xfb\x2c\x09\x84\x09\xbd\x66\xd2\x20\x4c\x80\x30\x61\x83\x85\x09\xed\x5f\x39\x06\x0a\x12\x42\x5e\x3b\x66\x8f\xd0\x21\x76\x20\x9e\xb6\x74\x04\xaf\x70\x0a\x11\xec\x8b\x6e\x09\x01\xc2\x37\x87\xe9\xac\x7b\x9f\xb3\x6e\x4a\xa8\x75\x82\xba\x9e\x19\x66\xdf\x19\xb0\x67\xcc\x8f\x46\x8c\xed\xa6\x23\x39\x54\xd9\x04\x38\xa6\x42\xa1\x5e\xd5\x11\x4a\xc6\xa8\x11\x9b\xdb\x72\x36\x6d\x50\xbe\x62\x55\xbe\x66\xdb\xbe\x21\x97\x0f\xc0\xd1\x76\x2a\x29\x7e\xae\x83\x9a\xc2\xb6\x25\x9e\xf2\xfb\xb6\xc2\xcf\x48\x15\xfc\xb5\x5e\x6f\xaf\x7c\x08\xd2\x09\x48\x27\x20\x9d\x80\x74\x02\xd2\x09\x48\x27\x20\x9d\x80\x74\x02\xd2\x09\x48\x27\x20\x9d\x80\x74\x02\xd2\x89\xce\x4a\x27\x7a\x30\x8c\x03\xea\x0e\xa8\x3b\xa0\xee\xd8\x44\xea\x8e\xff\xff\x10\xed\x13\xd4\x53\xd0\x1f\x47\xc8\x95\xc0\x9f\x46\xea\xfb\x5f\x19\x62\x3f\x37\x40\xdb\xc5\x7f\x6d\x50\xf2\xfb\xc1\xeb\x16\x63\xd3\x96\xd3\x56\xd2\xfb\xcd\x16\xbc\xd5\xb5\x49\xf0\x17\x83\x79\xe4\x18\x1b\x35\x78\xa4\xeb\x75\x41\x3e\x7c\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\xc8\x6e\x61\x91\x00\x7d\x00\x7d\x00\x7d\x3d\x0c\xfa\xbe\xd9\x47\xbb\x05\xe8\xd3\x72\x57\xe4\xfc\x6a\xc9\x9d\x5f\x89\x7d\xae\x8f\x7d\xba\x8f\x5e\x6e\x1f\xbc\xb4\x96\x8e\xde\x5d\x90\xab\xee\x59\x56\xdc\x7f\x72\x77\x41\xae\x2e\x59\xa7\x2e\xa7\xa7\x16\xe6\xcc\x4d\x5d\x88\x32\xfe\xba\x86\x26\xeb\x1a\x9a\x6c\xa4\xa1\x6c\xc5\x5f\xfe\xf7\x98\x60\x71\x17\x69\x9e\xb3\xb8\x59\x9a\xa1\x4c\x0b\x2c\xce\xd1\x01\xf3\x45\xcd\xd4\x00\xb2\x7f\xdb\x47\xf1\xb1\xd4\x75\xb9\x54\x1a\x7d\xaa\xac\x5c\x2f\x8f\x29\x15\xb9\x5c\xcc\x8f\xba\x36\xd2\x63\xec\xeb\x11\xf6\x47\x11\xda\xfe\xb8\x5c\x2a\x5d\xd0\x4f\x8b\x3e\xae\x77\xbc\x26\x2a\xae\xc6\x24\x51\x72\x55\xcc\xb5\x6a\xec\x91\x8a\x5c\x9e\x9b\x71\xef\xc5\x47\x62\x52\x49\x53\x62\xfc\x37\x8c\xfd\x55\x6c\xe8\x91\xb9\x99\x69\xce\xb1\x14\x3e\xc5\xe5\x95\xdc\x50\x32\xa9\x0f\x9c\xab\x92\xeb\x1c\x6f\x55\x34\x3a\xed\x6c\xb3\x7e\x1c\xb3\x47\x68\x8f\xe8\xae\xbb\x68\x17\xef\xae\x97\xd3\x6d\x3f\x17\xd9\x46\xc6\xc7\x1b\x84\x21\xd9\xdf\x0f\x51\xd2\x2c\xb8\xea\xa3\xab\xad\x28\x79\x4b\x48\xfb\xa9\x21\xf6\x3f\xfb\xec\x7a\xab\xaf\xf0\xa8\x8e\xb0\xa0\xe4\x93\x77\xeb\x7f\xaf\xad\x89\xba\xa0\xe4\x43\x8e\x0c\x5c\xa4\x23\xe2\xe1\xc7\x29\xc5\x1f\x3e\x41\x83\xf4\x60\x60\xd9\xdf\x05\x25\x1f\x88\x67\xcf\x06\x93\xd7\x38\x8b\xd5\x96\x1f\xd5\x5b\x6e\xa6\xbe\xc1\xbf\xdc\x66\xf7\xe5\xbd\xde\xf5\x0d\xf4\xee\x8c\x1a\x87\xda\xde\xa3\x99\x49\x3a\x4a\x87\x6b\xa2\x64\x1a\xec\x52\x44\xc4\x20\xc8\xaf\xc5\x20\xbf\xb7\x47\x5a\xff\x90\x4f\x88\xe8\xbe\x43\x74\xc0\x8e\xee\xdb\x44\x66\xa0\xb2\x5a\xa5\xe4\xaf\xdd\x6e\x9b\x81\x1d\x56\x0d\x02\xfd\xcb\xbf\x57\xfc\x57\xfb\x3f\x7c\x54\x19\x40\x95\x01\x54\x19\x40\x95\x01\x54\x19\x40\x95\x81\xa6\xab\x0c\xfc\xd0\x4d\xcc\xdf\x27\x45\x41\x81\xc3\x74\xd0\x51\x50\x20\xbc\x09\x3c\xb8\x76\x40\x38\x53\x7c\xe6\x85\xdb\xec\x39\x3c\x1e\x50\x2a\x40\x9f\xd9\xef\xe1\x01\xa2\x6d\x9d\xd8\x11\x73\xdf\x6b\xcb\x09\xc4\xdc\x23\xe6\x7e\x83\x63\xee\x37\x9c\xc9\x78\xe4\x58\x71\x59\xed\xc0\x98\xfd\xec\x38\xa5\xd8\x48\x3c\x69\x89\xbc\x6f\x77\xaa\xc4\x17\x94\xfc\xad\x20\x0b\x67\x1f\xb8\x8d\x0e\x34\x0e\xfe\xc6\xe4\xb5\xa2\xe8\xa6\xff\x43\xf1\x97\x06\xec\xa9\xee\x1e\xe1\xa7\x8c\x99\xc7\x85\x03\x4f\x9f\xe0\x1e\x10\x47\x3c\x66\xb8\xb3\xc6\xb9\x21\x6f\x61\x39\x28\xae\x99\x6d\x26\x68\xdc\xf7\xd5\x33\x16\x6f\x6b\xe9\x15\xb9\x2a\xa5\x53\xe6\x5d\x65\xbf\x19\xf1\x67\xd3\xd3\xe2\xdd\x3e\x41\x93\xfc\xdd\x3e\x48\x2d\xfc\x00\x9d\x17\xc8\x62\x8a\x4e\xdb\xc8\xa2\xb5\x96\xe6\xc4\xe2\x29\x43\x67\x1c\x8b\xa7\x96\x9a\x0a\x2e\x2f\x50\x51\xb4\x2a\x5d\x5d\x0a\xfe\x06\xc7\x59\xca\xf8\xee\xc4\x6f\x59\x52\x54\xe3\xa6\x1d\x1f\x28\xbf\x07\xca\x62\x5e\x5f\x7f\x5e\xcf\x82\x1c\xfa\x90\xc3\x43\x74\x80\xa5\xe3\x63\x96\xe1\xbd\xd3\x69\xaa\xcd\x37\xee\x96\xb0\xd7\x3f\x73\x17\x1d\x0f\xb0\xd7\x86\x77\xca\xb2\xd9\x15\x55\x79\xc3\x8d\xb1\xef\xd3\x9f\xf0\x8d\xec\xcf\xee\x64\x3f\xed\xf0\xdc\x24\x72\x4a\xb9\xac\x3f\xf2\xb9\xb3\x8f\xda\xab\xa2\xaa\x12\xe3\x17\xe9\x3d\x68\xf8\xa4\x92\x29\xe3\x4c\x61\xc8\xcf\xc9\x55\xdb\x96\x1b\xa7\x2c\xe8\x97\x3c\x5e\xac\x5e\x59\x90\xaa\x57\x26\x74\x5b\x2c\xdc\x33\x37\xe9\x9b\xba\xfa\x80\xb7\x2d\x22\xb6\xcd\xb8\x25\xba\xfa\x58\xb0\x39\x9a\x60\xe3\xc2\x00\x39\xef\xd6\x00\x94\x5e\x65\x61\xe3\x71\x8a\x7a\xf6\xd4\xc2\x63\x4d\xf5\xd4\xc2\x6a\x33\x3d\xe5\x3b\xe3\xac\xdb\x85\xa1\xf7\x54\xed\x82\x29\xa8\xcf\xe2\xcf\x38\x7a\x6a\xd8\xea\xa9\x47\x96\x02\xba\x6a\xcc\xdd\x55\x8a\xd6\x03\x7d\x95\xfc\x80\xa3\xaf\xf6\x9b\x7d\x35\x73\x76\xfe\xec\xa3\x67\xd7\xef\xad\xb4\xab\xb7\x04\x62\xdf\x7c\x5f\x61\xb3\xfd\x35\xf1\x9c\xa3\xbf\x46\xcc\xfe\x7a\x64\xe1\xd1\xb9\x47\x2e\x2e\xad\xdf\x61\x13\xae\x0e\x33\x1a\xbf\xf5\x7b\x6c\xd2\xf3\x6b\x3c\x7f\x76\x6a\xa6\x99\xaf\xf1\xbc\x2c\xe5\x6f\xfd\xbe\xca\xfc\xac\xa3\xaf\x92\x96\xe5\x9a\x7a\x74\xfa\xfc\xfa\x9d\x35\xee\x36\x5d\xfa\x96\xf1\xd6\xef\xad\xec\x19\x3a\xc5\x4e\xc4\x27\xad\x15\xd3\xfd\xce\x85\x96\xc7\xd5\x1b\xb1\xe6\xaa\x5b\x0c\xea\xff\x6b\x6a\xbe\x4c\x88\x1f\xe7\xc7\x9c\x97\x7d\xba\x8f\x7e\xbb\x8f\xfd\x66\x5f\xf4\x53\xd6\xe2\xfa\xd9\x3e\x7d\xe0\xb8\x4e\xf8\x8a\x1c\xab\x48\x2a\x57\x7a\x3f\xb6\x38\x6f\x6c\x3f\x0c\x51\xad\xa5\x07\x92\xcb\xf9\x8a\x52\x2c\x57\x35\xfd\xce\x2f\x5f\x2e\xbe\x41\xd6\xc4\x92\xd8\x11\x84\x54\x55\xb8\x7b\xc9\xf4\x8f\xe5\x56\x55\x55\x2e\x57\x8d\xf7\xcb\x14\x5a\x56\x15\xb3\x4d\xce\x64\x62\xf2\x1b\xa4\x6b\x95\x92\xe1\x1f\xba\x7e\x45\x29\x59\xbb\x0c\xfd\x6e\xb8\x1c\xb1\x5a\xad\x4c\x8e\x8d\x95\x94\x9c\x54\xba\xa2\x68\x55\x8f\x35\xa2\xfe\x36\x8c\x6a\x37\xb4\xaa\x7c\xcd\x5e\x23\xca\x25\x49\xab\x16\x73\x9a\x2c\xa9\xb9\x2b\xa3\x25\xa5\x50\x28\x96\x0b\x63\x97\xc4\x7f\x9f\x7e\xfd\xc9\x55\x4d\x56\x27\x9f\x2a\x5e\xcb\x5d\xb9\x91\x8a\x99\xbd\xe1\x7d\x58\x74\xa9\x73\xb1\xfa\x7f\x93\x74\x52\x48\xdb\xd4\x15\x29\x97\x32\x5f\x64\xbe\x5d\x73\x48\xdc\x72\xa5\x55\xad\xaa\xef\xb2\x4a\xf2\x8a\xbe\xc1\x2b\x17\x2c\xa1\xd1\x47\x93\xec\xd9\x7e\xba\x53\xbf\x7c\xca\x79\x35\x2f\x2d\xe8\xa1\x3a\x9a\x16\x4d\x2d\x2a\x25\x39\x23\x9a\x4a\x0e\xeb\xa7\x2d\xd6\x36\xb0\x9c\xae\x3f\x35\x64\x59\x52\x93\xf5\x30\x79\x17\xad\xa5\x53\xf5\xf7\x75\xb3\x89\xcb\x9f\x0a\xb6\x05\xe7\xd9\xac\x61\x0b\x7c\x47\xca\xcc\x71\x57\x7f\x7b\xae\xac\xe6\x6f\xd9\xee\x33\x5c\x09\x6f\x61\x93\xc7\x88\x8d\x18\x67\x6e\xc0\xa0\x65\xe6\xe8\x1c\x9d\xad\xa1\x47\xad\x8d\x1a\xdc\x14\x10\x42\xb5\x88\x33\x3e\x18\x09\xcd\x74\x5c\x10\x90\x71\x86\x32\x36\x64\xdc\x00\x3b\x54\x59\xed\xb0\x1d\x4a\x7e\xfc\x0e\x1f\x3b\xb4\xdb\x52\x56\x79\x98\x9e\xfd\xe2\xe0\x46\x58\x1e\x48\xaf\x20\xbd\x82\xf4\x0a\xd2\x2b\x48\xaf\x20\xbd\x6a\x5a\x7a\xf5\x7c\x84\xe6\xc5\x8a\xe1\x2c\x4d\xf3\x15\xc3\x49\x3a\x4e\xc7\x5a\x98\x3e\x44\xc5\x0f\x5a\x14\x2e\xc5\x0b\x34\xe7\x70\x29\xde\x64\x9b\x41\xcb\x87\x4e\xae\x0f\x82\x15\x61\x99\x9f\xdd\xe1\xb3\x82\x48\x07\xe8\xba\x3c\xd6\x15\x49\xae\x29\xe8\xf0\xb2\x02\xc2\xaf\x5e\x5b\xcc\x40\xf8\x05\xe1\xd7\x06\x0b\xbf\x3a\x47\xbd\x02\x8b\xae\x74\x72\x3e\x09\xc8\x29\x5a\x77\x71\x3d\x18\x0f\x5d\x2a\xf0\xf1\xd7\xd2\xa1\x20\x69\x97\x61\x02\xcb\xd5\x35\xa5\xb4\x7a\x4d\xce\x95\xa4\xe2\x35\x8d\xbd\xe5\xb5\xec\x67\x06\x6d\xb7\xc8\x01\x91\x7c\x46\x35\xd2\x66\x98\x8b\x69\xb3\x42\xca\x82\xd5\xc8\x32\x6f\x64\x5a\x6f\x24\x39\xac\x5f\x54\xa7\xfa\xf2\x3a\xb5\xcb\xd3\x02\x66\x90\x29\x0f\x99\xf2\x32\xc8\x94\x87\x4c\x79\xc8\x94\x87\x4c\x79\x3d\x93\x29\x2f\xd3\x35\x99\xf2\x42\xbf\x93\x96\x33\xe5\x65\x90\x29\x0f\x99\xf2\x90\x29\x0f\x99\xf2\x90\x29\xaf\xf3\x99\xf2\x32\x3d\x9d\xd8\x2e\x83\xc4\x76\xed\x4b\x6c\x97\xe9\xf6\xc4\x76\x99\x4d\x98\xd8\x2e\x7b\x85\x1e\x16\x24\x70\x96\x66\x38\x09\x3c\x45\x27\x68\x32\x38\x04\xd4\x8b\x11\xcd\x17\xb5\xe0\x5a\x0a\x8f\x07\xf3\xbe\x83\x6c\x62\xdd\xc0\x50\xaf\xdf\xa6\x75\xa2\xe1\x78\x7d\x86\xf8\x47\xb6\xdb\xb0\xec\x3e\x23\x12\x52\xf2\xe1\x62\xfb\x7d\xe2\x21\xdb\x4a\xc6\x04\xc8\x9a\xa7\x2c\x9d\xaf\x71\xc7\x1c\xa5\xc3\xad\x8d\x08\x9c\x31\x90\xb7\xb5\x28\x6f\x7b\x4b\x9f\x7f\xec\xce\x9c\x30\x19\x19\x3a\xc3\x4d\x06\x4f\x44\xd7\xda\x0b\x4a\x17\x85\xf4\xed\x1c\x9d\xb5\xa5\x6f\x37\xd3\xde\x23\xc2\x25\x7e\x9e\x66\x1d\x2e\xf1\x9b\x68\xb0\xd1\x58\xdb\xc6\xcc\x5a\x63\xa6\xcc\x25\x91\xfb\xc6\x88\x23\xf4\xc1\x50\x36\x38\x64\x22\xca\x65\x1f\x13\x76\xc8\x99\x8d\x6c\xda\xba\xa0\xb3\xc6\xac\x3d\x72\x39\x60\x5e\x60\x5e\x60\x5e\x60\xde\xde\xc1\xbc\x58\xc6\x05\x2c\xe3\xba\x87\x83\x43\xaa\xdc\x11\xa9\x32\xdc\x0d\x70\x37\xc0\xdd\x00\x77\x03\xdc\x0d\x3d\xed\x6e\x40\xc4\x0a\x22\x56\x10\xb1\xd2\xae\x88\x15\x78\xf3\xe0\xcd\xeb\x55\x6f\x5e\xb6\x10\x72\xb0\x56\x90\x63\x2c\xe9\x4d\x98\x77\xb1\x9d\xe2\x6b\xb6\x2d\x6d\xfb\x68\xf3\x66\x4c\xb6\xf7\xb9\x04\x65\x44\xfe\x92\x9c\xac\x1a\x7e\x50\xd9\x51\x89\x9f\xe7\xad\x34\xca\xf1\x3b\xcf\x28\x16\xca\xc5\x72\xc1\x5c\xb4\xb1\x7f\x9b\x60\x6f\xda\x42\x77\x3a\xcf\xb8\x64\x5c\x1c\x7d\x4b\xa4\xb1\x72\xfd\xd3\xf6\xc5\x4b\xa2\xf9\x45\x93\x78\x84\x52\xc2\xff\x10\xbf\xc0\xf1\x2b\xda\xb2\xb8\x43\xdf\x1f\x9e\x2f\x6a\xd5\x2e\x97\xee\x77\x6f\x45\xff\xd7\x07\x7f\x65\x17\xd9\xbc\xf1\x95\x79\xbc\x7c\x66\x50\x8a\xdf\xe0\x78\x64\x57\x45\x18\x03\xc2\x18\x50\xf0\x1f\xfe\x2d\xf8\xb7\xe0\xdf\xea\x1d\xff\x16\x0a\xfe\xa3\xe0\x3f\xfc\x0a\xf0\x2b\xc0\xaf\x00\xbf\x42\x57\xf8\x15\x50\xf0\x1f\x05\xff\x37\x0b\x49\x45\xc1\xff\x76\x14\xfc\xff\x6e\x1f\xdd\x2f\xa8\xa2\x55\x02\xbe\x16\x29\xb2\x2f\xf6\xb1\x2f\xf4\xd1\x4e\xeb\x04\x8b\x17\xfa\x16\xfe\xbf\xbf\x20\x57\x67\xcc\xd3\x0d\x76\xd7\xf5\xc5\xff\xdb\x53\xe3\x3f\xb0\xda\xfd\x7f\x1d\xa2\xb8\x18\x01\xf9\x0d\x55\xb9\xcc\x3f\x16\xab\xef\x39\xb9\xd5\x34\x59\x63\xdf\x19\x64\x7f\xd9\x4f\xcc\x3e\xc7\x1a\x85\x87\xd6\xcf\x88\x32\x27\x9a\x48\x8e\xe8\xa7\x9d\xb5\x2e\x37\x46\xc5\x38\x3a\xab\xa8\x53\xa5\x92\x25\x9a\x0e\x6f\x80\xda\xc4\x52\x65\xca\x8a\xd1\x9a\xa6\x29\x3e\x5a\xc7\xe9\x18\x1d\xf1\x95\xbe\xdb\xbd\x66\x15\x99\x32\x1e\xbc\xa1\x58\x9e\x80\x90\x9b\xab\xcb\xc1\x00\xf5\x00\x4b\x1b\x00\xd5\xbe\x17\x83\x9b\x1a\x77\x02\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\xba\x71\x94\xf4\xbd\x43\xf4\x80\x60\x74\x52\xa5\xa2\xf1\x32\x71\x4a\xb9\xaa\x2a\xba\x39\xd4\x77\x07\x7c\xec\x0c\x44\xb7\x55\x3f\xe5\xd2\x5a\x3a\x3a\xbe\x3e\x97\x9b\xb6\x5a\x58\x34\x5a\x10\x88\x6e\xaa\x52\xd1\x96\xd3\xf5\x47\x6f\x71\x44\xa7\xf7\x1a\xcf\xbd\x5d\xf7\xe0\x9d\x47\x74\xfa\xbd\x98\xa2\xc6\xba\xdb\x71\x0b\x89\x81\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x3a\x84\xe8\x7e\x38\x41\xe3\x02\xd1\x95\xe5\xea\x75\x45\x7d\x4a\x5f\xad\x59\x4a\x46\x23\x2e\xda\x38\xc4\x53\x48\x14\x65\x8d\xfd\xd1\x10\xfb\xdd\x01\x7a\xb9\x7d\xc5\xa5\xb5\x74\xf4\x46\x63\x41\xd0\x17\xc5\x45\x0b\x46\x06\x8d\x50\x02\x9f\x27\xf8\x05\x17\xad\xdb\x59\x4e\xbb\x7e\x65\xbe\xa8\x55\x37\x1b\x06\xdc\x88\xa8\xe7\xd7\x06\xc3\xbe\xe3\xec\x98\x01\xfb\xea\x5e\x17\x83\xfc\xb9\x7a\xde\x5d\xae\xb5\x91\xa8\x6a\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\xc1\x8e\x91\xc1\x61\xca\x0a\x32\xa8\xae\x48\xb9\x94\x89\x8b\x78\x53\xde\xe9\x13\xad\x84\x8e\xda\xd8\xf7\x59\xff\x7e\xe3\x98\xaa\x94\x64\x8d\xbd\x90\x60\xff\x6b\x80\xee\xd5\xdb\x9a\x72\x36\x65\xc5\xe3\x56\x1a\xe3\x87\x8b\x8a\x3e\x8f\x86\x82\x0d\xc5\x6d\x2f\xd6\xde\x91\x11\xe2\x6b\x97\x42\xd2\x7f\x12\x99\x12\xbd\x99\xe1\x4a\x30\x33\x3c\xcd\x4e\x0a\x34\xa8\xf7\x63\x7d\xb8\xae\xc1\x13\x7d\x5f\x32\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\xc3\xae\xe4\x86\x9b\xaf\x44\x04\xc8\x24\xc8\x24\xc8\xe4\x26\x22\x93\xbf\x90\xa4\x43\x82\x4c\x6a\x55\x45\x95\x0a\x72\x2d\x8e\x5c\xe3\xf5\x6b\xa4\x6a\x55\xca\x5d\xd1\xa7\x76\x83\x47\xbe\x91\xfd\xd3\x30\xfb\xb1\x7e\xba\xdd\xb8\xcc\x42\x8f\xfb\x54\x59\xca\xd7\x6c\x73\x45\x0d\x9c\x29\xab\x8d\x64\x5c\x3f\x69\x49\x5c\x69\x20\xc2\xda\x73\xc2\x2d\x8f\xde\x64\x89\xa1\x94\xd9\x19\x66\xaa\xbe\xda\xbb\x0b\x64\x79\xb9\x60\x96\x77\x86\x9d\x32\x78\x9d\xbb\xeb\x0d\xf1\x5f\xdd\x4f\xd6\xd1\xbe\xab\x7b\xbd\x61\xde\xcb\xd8\x40\x41\xae\x52\xf4\xfb\xb7\xd7\x0f\xcf\xa0\x2a\x57\x4a\x52\x4e\x0e\x1a\xa1\x87\x8c\xf3\x3a\x39\x48\x99\x47\xe8\x61\xba\xe0\xac\x61\x1f\x8b\x24\x6f\x66\x94\x50\xcc\x39\xa8\x98\xf3\xbb\xfa\xe8\x3f\xf6\xb1\xb7\xf7\x45\xff\x9d\xd5\x41\x7f\x16\xe1\x6b\xe3\x87\xa5\xb2\x54\x90\x55\xb1\xcb\x13\x0b\x0e\x4d\x53\x72\x45\xbe\x70\xb1\xf6\x53\x12\xdf\x90\x2a\x6a\x4c\x5f\xd7\x56\x6f\x58\x2b\xb9\x6b\xd2\x53\xfa\xfd\x57\xaf\xc8\x9a\x6c\x1a\x3e\x67\xe9\x64\xb3\xc4\x32\x37\xb9\x7c\xef\xa4\xa8\xb1\xf4\xc4\x51\xfd\x5c\x55\xca\x71\x24\x57\x52\xca\x05\x61\xe6\xf8\xfe\x46\x5f\x8a\x4a\xc5\xb2\x58\x7d\xf0\xfd\x83\x7d\x2e\xc7\x14\x06\x30\xd4\x77\xbd\xe6\xd4\x55\x50\x4a\x52\xb9\x90\x52\xd4\xc2\x58\xe5\xa9\xc2\xd8\x6a\xb9\x98\x53\xf2\xf2\xd8\xbe\x39\x6d\x41\x6f\x25\x15\xdf\xe1\x7c\x56\xe7\x64\xf3\xb1\x48\xc8\x06\xe3\x95\x7a\x6b\x69\x96\xa5\xf3\xb4\x75\x5a\x2c\xdc\x6f\x71\x1b\x54\x59\xad\x52\xf2\x99\x3b\xea\x6d\xd0\xbd\x46\x0d\x46\xa9\xde\xec\x3c\x28\x0e\x75\xd4\xea\x3c\x4a\x8b\xb4\xe0\xb4\x3a\xc9\x0c\x9d\x69\xc1\xd3\x33\xc3\x6f\xfd\x11\x0e\xc5\x35\x98\x9e\x20\xd3\x83\xea\xed\x1d\xa9\xde\x8e\xb2\xbd\x28\xdb\x8b\xb2\xbd\xed\x2a\xdb\x9b\x7d\x3e\xec\x75\xc2\xa2\xde\xda\x04\xbb\x40\x73\xb4\x4d\xf4\x6d\xfb\x17\x0a\x31\xef\x39\x7c\x3b\xdb\x2a\xba\x89\x3a\xb2\x94\xc8\xfc\x97\x1d\xf5\x6b\x85\xb1\x8a\xa4\x56\x8b\xdc\xcb\x29\x36\xbe\x41\x1b\x97\x7d\x15\x7d\x8f\xdb\xa9\x05\xc4\xee\xda\x86\x46\xf9\xcf\xef\xe7\x65\x00\xf6\x38\x0f\x5e\x93\xd5\x82\xec\x3c\x3a\xe8\x3c\xaa\x55\x55\xa9\x2a\x17\x8a\xb9\xd1\xba\xf3\x5c\xad\xe8\xff\xbe\x61\x1c\xd5\xef\x32\x73\x91\xe6\x29\x5b\xb3\x65\x9a\xa4\xa3\x2d\x2c\x5f\x16\xb8\x14\x00\xcb\x96\x80\x65\xcb\x73\xfd\xf4\x6c\x3f\x7b\xa6\x3f\xfa\xb4\x65\xfb\xdf\xdc\xdf\x3b\x3b\xa6\x1a\xef\x89\xde\xcf\x5c\x0d\xc0\x3d\x7c\xfa\xcb\x69\x6b\x82\x12\x3e\x2f\xee\x30\x9f\xc2\x84\x78\x44\x2a\xf1\x2b\xf5\xb5\x9a\xb8\x9a\x9f\xc1\xd7\x4d\x5a\x2c\x91\xd5\x94\xf2\x82\x10\xc7\x3c\xac\x7f\x16\xc6\xbf\x97\xcc\x8f\xc5\xfe\xe3\xb0\xff\x56\x2e\xf3\x52\x84\x5e\x8c\xb0\x17\x22\xd1\x4f\x58\x58\xee\xfd\x91\x59\x45\xcd\xf1\x25\x5d\x41\xe1\xdd\xae\xc4\xe2\x97\xf5\x3f\xc5\x63\x53\xae\xa7\xe0\xc0\x55\xac\xbe\x56\x35\x5b\x06\x30\x2a\xe5\xf8\x83\x73\x71\x45\xa9\x98\x33\x66\x57\xb9\x94\xd7\x62\xca\x75\xa3\x4f\x85\xf8\xa0\x22\x2b\x95\x92\x9c\x8a\x89\x5f\xe4\x6a\x26\x73\x2c\x39\xf8\xf4\xec\x00\xeb\xe7\xe3\x5b\xf8\x6d\xb9\x94\x39\xdd\xc9\xb2\xfc\xc4\x68\x8d\xcd\x06\x57\xef\xf7\x9e\x83\xb6\xb1\x97\xf1\x1e\xa1\xec\x49\x3a\xce\x8e\xc5\x8f\x58\xce\x90\x3d\xfc\x13\x33\xbe\xf7\xda\xf6\xe2\x03\xfa\xd1\xb6\x16\xc3\xfe\x99\x61\x9a\x18\x93\x2a\x45\x47\x68\xb7\xb7\x66\x53\xa8\xe2\x4c\x6c\xfa\xcd\x04\xfb\xcc\x00\x6d\xcd\x29\xaa\x3e\xc9\x45\x9f\x35\xea\x5d\x3b\xf5\x99\x65\x73\x4b\x60\xe6\x69\xe4\xf2\xc1\x50\x84\x9a\x23\xb6\x2f\x99\xef\x3f\x0c\xcf\x63\xb1\x2a\x5f\xb3\x4d\xd4\x90\x4b\x97\xe0\x68\x3b\x95\x8c\x8a\xb2\xd8\x8a\x2a\x2f\x3b\x44\x9d\xfc\xfe\xa0\xe8\xac\xff\x72\xfc\x5f\x6a\x7e\x63\x74\xf5\x5c\xf0\xa7\xf5\x20\x8b\xd7\x56\x97\x17\x3f\x8e\x24\x90\x90\x6c\x42\xb2\x09\xc9\x26\x24\x9b\x90\x6c\x42\xb2\x09\xc9\x26\x24\x9b\x90\x6c\x42\xb2\x09\xc9\x26\x24\x9b\x1b\x28\xd9\x9c\xa0\x71\x96\x8a\x8f\x58\x94\x62\xa7\x93\x52\xf0\x7d\x5b\x3d\x9a\x80\xcc\x13\x32\x4f\xc8\x3c\x21\xf3\x6c\xa3\xcc\xf3\xf9\x84\xa8\xb1\xed\x0f\x2b\xdf\xc8\x7e\x38\xc1\x3e\xe7\x20\x93\x1f\x6a\x84\x4c\x5a\x0c\xb0\x2b\xe8\xe4\x9d\x5e\x74\xb2\xfb\xb9\xa4\x1f\x45\x0c\x1f\x58\x36\xcc\x25\x2f\x04\x73\xc9\x04\x1b\x34\xb2\x54\x9a\x3d\xed\x22\x92\x36\xb3\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\xec\x30\x9b\x3c\x4c\x07\xd9\x44\x7c\xdc\xe2\x8c\x77\x39\xd9\xa4\xb5\x8b\x6b\xbf\x74\x0a\xf4\x10\xf4\x10\xf4\x70\x13\xd1\xc3\x7f\xd9\x4f\xfb\x8c\xda\xd3\x79\x7d\x09\x5c\x54\xca\xaa\x5c\x28\x72\xd1\xba\x23\x83\x25\xfb\x83\x3e\xf6\xfb\x7d\x74\x97\xe7\x49\xd1\x68\x81\x87\x9c\x5c\x56\xd4\x6b\x56\xe7\x4a\x31\x8e\x89\x92\xb1\x82\x5c\x9d\xf2\xba\x6a\x6a\x61\xee\x9c\x7e\x46\x78\x8a\xfd\xba\x86\x26\xeb\x1a\x9a\x6c\xa4\xa1\x6c\x91\x2e\x0a\x3c\x77\x8e\xce\x72\x3c\x77\x9a\x4e\xd2\xf1\x16\xf0\x9c\xf9\x8c\x41\x6a\x42\xf6\xad\x61\x7a\xd8\xbf\xbe\x50\x03\xd9\x43\x8b\xe5\x82\x2a\x6b\x9a\x8d\x7c\x7f\x6a\x98\x7d\xff\x16\x62\xae\xe2\x43\x22\xee\xe2\x83\x8d\xd0\xdf\x39\xd1\x5e\x57\xb0\xdf\xa1\xba\xba\x45\x35\x99\x47\x8d\x9b\xed\x7e\x1c\xdc\x85\x32\xd5\x27\x83\x71\xf0\x24\x3b\x1a\x50\xcd\xc8\x18\x80\xfa\xc0\x1f\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\xe2\x0e\x03\xe2\x83\x34\xc1\xc6\xe3\x29\x0b\x10\xef\x72\x02\x62\x63\xfb\x06\xf9\x2a\x00\x34\x00\x34\x00\x74\x47\x01\xf4\x3f\xf4\x51\x2c\xa8\x7e\x12\xfb\x9d\x3e\xf6\x99\x3e\xda\x59\x57\x15\x69\x5d\xf2\xbc\xa7\x20\x57\xeb\xaa\x16\x81\x3a\x3b\xa8\xf3\x97\x12\x34\xe6\x93\x21\xd6\xa0\xcd\x39\xad\x98\x57\x8b\xfa\x27\x64\x72\xe5\x67\x12\xec\xeb\x03\x44\x76\x32\x9f\xc6\xd4\xc4\xd3\x4b\x73\x33\xbc\xa1\xae\x20\xca\x77\x5f\x77\x65\x12\xb2\x6e\x0e\x04\xb9\x05\x82\xfc\x78\x30\x41\x3e\xc8\x26\xd6\x4b\x19\x62\xf5\x3f\x12\x1f\x80\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x77\xad\xb8\xd8\xda\xbb\x41\x5c\x0c\xb6\x0b\xb6\x0b\xb6\xeb\x60\xbb\xdf\x1d\xa2\xa4\xbf\xaa\xd5\x40\x8c\x96\x72\x95\x7d\x7a\x88\xfd\xc6\x00\xbd\xdc\x25\x59\x8d\x6a\x8d\xd5\xbb\x0f\x53\xaf\x9a\x4a\x8e\xd4\x29\x4e\x8d\xf6\xe7\x8b\x5a\x75\x56\x51\xa7\x4a\x25\x4b\x7d\x0a\xd9\xa9\x07\x34\x6c\xa4\x16\xfd\xd5\x57\x05\x83\xc3\x43\xec\x40\xf3\xd2\x53\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\xc3\x4e\x93\x43\x10\x40\x10\x40\x10\xc0\x1e\x26\x80\x7f\xfd\x24\xa5\x82\xe2\xda\x0d\x00\x98\x2b\x49\x9c\x02\xfe\xf2\x93\xec\xc3\x83\x9e\x81\xeb\x49\xb1\x4e\x54\x8d\x19\xce\x34\x81\x35\x21\xeb\xd3\x7a\x3b\xc9\x07\xf4\x73\xeb\x42\xc6\x9d\xa7\x74\x39\xb6\xcb\x80\x61\x81\x61\x65\xc0\xb0\xc0\xb0\xc0\xb0\xc0\xb0\x7a\x86\x61\x65\xba\x86\x61\x85\x7e\x27\x2d\x33\xac\x0c\x18\x16\x18\x16\x18\x16\x18\x16\x18\x56\xe7\x19\x56\xa6\xa7\x91\x53\x06\xc8\xa9\x7d\xc8\x29\xd3\xed\xc8\x29\xb3\x09\x91\x53\xf6\x2a\x3d\x22\xe4\x4e\xe7\x69\x96\xcb\x9d\xce\xd0\x29\x3a\xe1\x5b\x42\xdd\xc1\xa5\xcc\x2a\xea\x4e\x4a\x34\x5f\xd4\x82\xd5\x4e\xf7\x79\xab\x9d\xb6\xb2\x2d\x42\xe8\xb4\x12\x2c\x74\x3a\xcd\x4e\x36\x26\x74\xe2\x77\x55\x9f\x68\x2f\xfe\xeb\xdb\x3d\x99\xd9\x2b\xc4\xfc\x14\x93\xca\x6e\x3e\xb6\x4f\xfc\xbd\x33\x84\x4c\x00\xad\x8b\x34\x4f\x59\x36\xb0\xa2\xe4\x6f\x44\xf9\xff\xc6\x22\xc9\x49\x3a\xda\xea\xc8\x64\xde\xd3\x47\xff\xa5\x8f\xfd\xe7\xbe\xe8\x7f\xb2\x4c\xd3\xb7\x23\x8f\xeb\x13\xbf\x31\x17\x8c\x70\xd5\x60\x4e\xdf\xf1\x09\x5b\xe2\xda\x7f\x38\x99\xd4\x8a\x1c\xab\xe8\x3d\xaa\x2f\xfa\x52\xb1\xa9\xf2\xff\xc7\xde\xdb\xc7\xb7\x71\x9d\x77\xbe\x1f\x82\x54\x2c\x3d\x56\x62\xf9\x38\x69\x6c\x58\xb6\x61\xc8\x26\x48\x88\x04\x05\xea\x9d\x7a\x25\xf8\x22\x11\x92\x25\x5a\x94\x29\xc7\x95\xc2\x0c\x81\x21\x34\x12\x88\x41\x66\x40\x2a\xca\x6e\xb6\x89\xb3\xe9\xa6\x6d\xd2\xdb\x4d\xb6\x69\xf7\xb6\xdb\x9b\xf4\x6d\x93\x36\x4d\x36\x6f\x6d\x6f\x93\x6d\xda\xbd\x9b\xd6\xad\x1b\xb7\x69\xda\xe6\x73\x6f\xba\xd9\xa6\xeb\x6d\x9a\x6e\xdb\xcd\xde\x6e\x9b\x9b\x7c\xd2\xcd\xfd\xcc\x39\xf3\x0a\xcc\x60\x40\x08\x00\x41\xe1\xf7\x8f\x3f\x32\x31\x73\xe6\xcc\x99\x33\xcf\x9c\xf3\x7d\x9e\xe7\xf7\xc4\x94\x92\xd8\xf9\xab\x5a\x6c\xad\x64\xc3\x83\x7c\x2c\xaf\xdd\xbe\xb4\x56\x8a\xe5\x15\x4d\x36\x5e\x20\xd9\xde\x91\x1a\x1f\x16\xfe\xe5\x36\xb7\xe4\xd6\x02\xdc\xdc\x04\xc5\x56\xd6\x34\xbe\xc8\x2b\x6b\x6a\x4e\xd6\xf9\x27\xd6\x7c\x5f\xcd\x8f\x41\x2a\xb6\xc8\xaf\xc8\x17\xcf\xfc\x9b\x38\x11\x1b\x8d\x4d\x16\x8b\x13\xfc\x03\x9a\xd7\x6e\xc7\xb4\xb5\x92\xb1\x39\x33\xde\x38\x6b\xd5\x60\x36\x27\xe7\xe3\xaf\x10\x5d\x73\x9b\x97\xf7\x45\xe8\xbd\x11\xf6\x23\x91\xe8\xbb\xed\x01\xfa\xab\x3e\xbe\xe6\x7a\x4a\x2a\x49\x05\x59\x13\xbb\x07\x21\xe6\xa1\xeb\x6a\x4e\xe1\x1f\x44\x7b\x9d\x2e\xf1\x8d\x8e\xaa\xc5\x8c\xf5\x52\xe5\xb6\xbd\x42\x58\x95\x8c\x87\x62\x1c\xa2\xcb\x96\x0d\x30\xec\x92\x45\x50\x38\x44\x58\x96\x63\xdc\xfa\xf0\x35\xb9\xaa\xc5\xd2\xe3\x47\x8c\x63\x35\x29\xc7\x51\x8f\xb1\x9d\x15\x6f\x3c\x5f\x37\x1b\x4b\x1c\x49\x29\x09\xdf\x0f\x5f\x97\x3a\xc7\xf2\xed\xaf\x09\xa2\x8c\xdd\x94\x65\xc5\x0b\x6a\x51\x2a\x15\x52\xaa\x56\x18\x2b\xdf\x2c\x8c\xad\x95\x94\x9c\x9a\x97\xc7\xf6\xcc\xe9\xf3\x46\x2b\xa9\xf8\x4e\xf7\xbd\xba\x51\xff\x0f\x45\xe8\x9c\xb0\x11\xd3\x94\xe1\x36\xe2\x38\xdd\xc1\x4c\x14\xf1\x95\x69\x1e\x5f\x79\xcf\x94\x58\x0f\xde\x61\x8b\x4f\x1b\x2d\x8e\xb3\x2c\x9d\xa5\xed\x93\x39\xe3\x0b\x74\xc7\x4d\x36\x6f\xc4\xca\x6a\x87\x8c\x58\xf2\x1b\x23\xbe\x46\xec\x71\xb1\x9c\x8e\xe5\xd4\xa2\xb1\x39\x36\x3f\x76\x1e\x7b\x36\x2a\x0e\xa9\xb1\x67\x53\xf6\x29\x6d\xb4\x6c\x97\xe9\x12\xcd\xbb\x2d\x5b\x32\x43\xa7\x9b\x08\xb0\x9d\xe6\xf7\x70\x91\x13\x5d\x1d\xec\x17\xec\x17\xec\x17\xec\xb7\x87\xd8\x2f\x56\x74\x21\x2b\xba\xee\x81\xe3\x2f\x47\xe8\xab\x11\xf6\x95\x48\xf4\xcb\xf6\xa3\xfa\x58\xe4\xb2\x7b\x3b\xaa\x94\x62\xba\xd8\x52\xc6\x96\xe5\x15\xe1\x49\xb6\xb1\x8d\xf3\xc9\x32\xdf\x12\x3e\x58\xae\xb5\x63\x49\x2d\x8d\x96\xe4\x82\xc4\x1f\x89\xb9\x23\x75\xaf\x31\x05\xc0\xb5\x27\x83\xb9\x40\x50\x56\x57\xe5\xbc\xb1\x8a\x2d\xde\x76\x5c\xbc\x8e\x69\x57\x8a\x23\xe6\x46\x95\xdf\x6e\xac\xa0\x49\x39\x3e\x4f\x14\x35\x6f\x7f\x78\x9c\x8f\x03\xf7\x9e\x5b\xcf\x65\x4d\x37\x3a\xe9\x1e\x28\xc9\x38\xd3\xba\x21\xf3\x22\x2b\xe2\x7d\xb3\x9a\x48\x89\x7e\xae\xca\x52\xc9\xb7\x8f\x71\xc6\xbb\x30\xcf\x7b\xe0\xb7\x01\x87\x0f\x02\x3e\x08\xf8\x20\xe0\x83\x80\x0f\xa2\xa7\x7d\x10\x5f\x88\xd0\x4b\x11\xf6\x62\x24\xfa\x82\xfd\xb5\x7d\x7f\x64\xda\x95\xe9\x5a\x2e\xca\x92\x2e\xdb\xaf\xfe\xbc\xa6\x96\xa5\x02\xff\x0e\xcf\xab\x45\x25\x77\xdb\x13\x81\x64\x3d\x6e\x27\x55\xd6\x78\xe0\xe9\xd4\xe1\x54\x6c\x41\xd8\x11\xf1\x91\x2c\xcb\x25\x63\x9a\x3a\x5f\x11\x39\xa6\x6a\xe5\xeb\x52\xc9\x8a\x88\xd2\xd6\xe4\xb1\x15\xa9\x68\xad\xfe\xe3\xe2\xd7\x78\x6c\x45\x29\x49\x45\xe5\xcd\x96\xf9\x5e\x96\x63\x52\x9e\x03\x7d\x75\x4c\xf0\xdd\xbc\xb3\xb4\x14\x8d\x27\x74\xe7\x24\xb1\xde\x4e\xc5\x66\x14\x6e\x92\x5c\x1d\x57\xb5\xda\x3b\x73\x9c\x28\x15\xb1\xdc\xe7\xab\x3f\xb5\x72\x3d\x15\xdf\x25\xfa\x33\x6d\xdd\x88\x37\xb4\xea\x9d\x03\xf4\x8e\x01\xf6\xfc\x40\xf4\xbb\x76\x7c\xdd\x97\xfa\xaf\x98\x76\xd0\x98\xa2\xd7\xd5\x5b\xb1\x82\xa4\x2d\x4b\x05\x0f\x79\xb0\x17\x6a\xb2\xb6\xa2\x6a\xab\xc6\x58\xf8\xf6\xf4\x62\xd5\xc5\x83\x3b\xca\x97\x35\xd6\x9a\xa4\x2c\xee\x4a\x31\xd6\x0b\x39\x25\xef\x2c\xac\xf9\xb7\x91\x6f\x73\xec\xd1\xd5\xb9\xf8\x25\xff\xd5\xfa\xfa\xa5\x5c\xc3\x68\xd9\x4d\xdb\x73\x61\x47\xd5\x79\x2f\x96\x8a\x09\xc4\xc4\x6d\xb1\x7b\xb5\x9a\x10\xf7\x90\x30\xf6\x3c\xfc\x5f\xde\x89\xa1\x1f\x8b\x25\x32\x52\xee\x66\x41\x53\xd7\x4a\x79\xe3\x28\x1e\xce\xc6\x0f\xaa\x1a\x38\xb1\x58\x31\x57\x40\xde\x46\xac\x3b\x58\xb6\x5b\x3a\x16\x4b\xcc\xaa\x9a\xec\x6a\x36\x96\x93\xf4\x9c\x94\x37\xee\xde\x1c\x1f\x11\xc0\xc8\xdb\xd3\xc5\x72\xba\xa6\xc1\x15\xbb\x8d\x54\xfc\xfe\x72\xf5\xbc\x71\xaf\x6d\xe0\xe2\x83\x8b\xaf\x47\x5d\x7c\xd9\x02\x9d\x17\x28\x7c\x86\xa6\x38\x0a\x3f\x41\xc7\xe8\x68\x13\xf0\x72\xa1\x22\x55\xd6\xc2\x31\x73\x07\x30\xf2\x8d\xa4\x3f\xca\x7e\x80\xdd\x2f\x2c\x86\x63\xcd\xa9\xe5\x29\x2a\xec\x1d\x49\x7a\x3a\x4c\xd0\xb8\xa1\x92\x6e\x9a\x5a\x74\xca\xb9\x7d\x74\x98\xfd\xf0\x36\x7a\xa8\x46\x01\xd9\x66\xe4\xbf\xd8\x88\x0a\xef\x25\xd5\x58\xf7\x76\x81\x00\xef\x5e\x7e\xb9\x1a\x75\xe6\x9a\xca\x6e\x46\x87\xbb\x3c\x50\xbf\x3b\x45\x79\x37\xf4\x9a\x05\x4e\x54\xf3\x75\x33\x9e\x02\x6a\xbb\x21\x43\x01\x2a\x1b\xf0\x52\xc1\x4b\x05\x2f\x55\x4f\x7b\xa9\xa0\xb2\x01\x95\x0d\x78\x07\xe0\x1d\x80\x77\x00\xde\x81\xae\xf0\x0e\x64\xd3\x34\xc6\x46\xe3\x7b\x6d\x7d\xde\x5d\x6e\x7d\x5e\x63\xef\x86\xc2\x6e\x5b\x1d\xd2\x42\xfa\x03\xd2\x1f\x5b\x2b\x0f\x83\xbd\x7d\x98\x2e\x08\x0e\x2a\xe5\x8d\xf5\xb5\xa2\x96\x34\xb9\xa0\x18\xef\x65\x30\x0a\x5d\x5d\xab\x48\xc6\x0a\xea\x96\xbc\x7c\x5d\x55\x6f\x7a\xf6\xa4\x3a\xfb\x77\x43\xec\x67\xb7\xd1\x23\xbe\xed\xd9\x20\xf4\x9d\x7d\x8d\x29\x06\x3f\x65\x5e\xea\x8a\xb8\xd4\x94\xfb\x52\x2d\x92\x11\x9e\xe4\x27\x4c\xfa\x75\xd7\x24\x9d\xf5\x3a\x71\x5e\xd1\x2b\x60\x9f\x4d\x6a\x0b\xbf\x25\x9c\x7f\x3e\xc7\x9e\x15\x78\xb3\xde\x43\xa8\xc5\x9e\x26\x33\xad\x37\xa9\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x21\x40\x0c\x0a\x09\x0a\x09\x0a\xd9\x31\x0a\xf9\x3b\x43\x74\xc4\xa4\x90\x6b\x15\x55\xcf\x49\x45\xa5\x54\x18\x5b\x1f\x77\x43\x47\xce\x97\xd4\x52\x45\x2a\x96\xd5\xbc\x75\x98\xac\xe9\xec\x5d\x43\xec\xad\xdb\xe8\x01\xd7\x99\x4b\xe6\x99\xd1\xb7\x37\x48\x19\xcf\xda\x6d\xcf\xab\xf9\x49\xbb\xed\x16\x01\xc6\x8c\x00\x8c\x4e\xff\x16\x45\xf7\x02\xae\x8a\xea\x65\x2d\x24\x8c\x85\x70\xc2\x38\xcd\x32\x16\x2d\x74\x1e\x91\x19\x53\x19\xf0\x88\x5c\xbc\x71\x1c\x61\x96\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x9d\x65\x89\x7f\x79\x3f\xed\x33\x1e\xdd\xd8\x7a\x3a\x28\x67\xbb\xac\xe6\xad\x94\xed\xb1\xb2\xa6\xbe\xe9\x36\xfb\xc4\xfd\xec\xbd\x11\xba\x27\xa7\x6a\xf2\xd2\x7a\x3a\xfa\x44\x4e\x2d\x95\x0c\x7b\x75\x66\xe6\xb2\x03\x6c\x2a\x6a\x8c\x1f\x6d\x74\x7c\x5e\xcd\x27\xe3\xe6\x51\x53\xaa\x26\x2f\xa6\xcf\xc8\x15\x27\x23\x7a\x5e\xcd\xcf\x1b\x87\x8e\xf7\x27\xc7\x92\x02\x91\x1d\xa6\xdd\x02\x91\xbd\x86\x1e\xe0\x88\xec\x95\x74\xef\xc7\xfb\xb6\x93\x39\x1f\x42\x71\xd7\xe3\xfe\xb8\x8b\xd8\x76\xb3\x1b\x74\xe3\xe9\x70\xd8\x95\x62\x23\x26\xec\x8a\xc7\x4d\xc6\x65\xf5\xd5\x54\x34\xf5\xd4\xe8\x8f\xfa\x8e\xca\xfc\x33\x0d\x8f\xca\xfc\xda\x5d\x38\x2a\xf1\x1f\x75\x8d\xca\x93\xf6\xa8\x5c\x5c\xa8\x33\x2c\x7b\xbc\xc3\xa2\xea\x77\xe1\xb8\x24\xff\xb5\x6b\x5c\x12\xd6\xb8\x4c\xcf\x9c\x9f\xb9\x3c\x13\x3c\x32\x4f\x7a\x46\x46\xa8\xeb\xde\x7d\x63\x33\xfe\x13\xae\xb1\x19\xb2\xc6\xe6\xe2\xfc\xe5\xb9\x8b\x17\x16\x82\x07\x67\xd0\x33\x38\x66\xc3\x5b\x63\x74\xdc\x77\x1f\x36\x52\x13\xbe\x6f\xd4\xd9\x99\xc9\xe9\x46\xdf\xa8\xb3\xb2\x94\xdf\x1a\xe3\xb2\x91\x59\x93\xf9\x31\xd7\xb8\x0c\xda\x96\x66\xf2\xf2\xd4\xd9\xe0\x81\x79\xc2\x6b\x6a\x8c\x2f\x64\xc8\xc8\x04\xdd\x7b\xfd\x21\xdb\xd4\x91\xc9\x1e\xa7\x09\x76\x24\x7e\xc8\x4e\x8e\x7a\xd8\x9d\x4f\x55\x75\xe6\x66\xa4\x56\x49\xb4\xc4\xae\x45\xbf\xd7\x5a\x37\x4d\xce\x4b\x15\xb1\x45\xbe\x2e\xc7\x9e\xb9\x74\x3e\x66\x5c\x96\xaf\x15\x75\xd9\x5e\xec\xe5\xd6\x34\xcd\xd8\x15\x89\xc7\x69\x6d\x13\x8c\xe7\xab\xe6\x53\x71\xde\x53\xb7\x88\xcd\x6f\x5f\xa3\xd1\x90\xa5\x8e\xb5\x62\x7a\xe3\x9a\x5a\x91\x74\xf6\xa3\xd7\xd8\x0f\x0e\x3a\x33\x6a\x6f\xfd\x5a\xad\x16\xbe\x7e\xda\x38\x59\x14\x6b\x15\x73\xca\x25\xfd\xe2\x3e\xa4\xcb\xbd\x94\x28\xd6\x0a\x1f\x1d\x8a\xb5\xc2\x47\x07\x1f\x1d\x7c\x74\x3d\xe4\xa3\xeb\x22\x3d\xfa\xae\xf1\xd1\x41\x28\x1d\x3e\x3a\xf8\xe8\xe0\xa3\x83\x8f\x0e\xc5\x5a\xa1\xe4\x7c\xf7\xb8\xd4\xba\x5e\xc9\x79\x4b\x16\x6b\x7d\x03\xcd\x08\x0e\x78\x92\x8e\x73\x0e\x78\x88\x0e\xd0\x78\x60\x8d\xc3\x9c\xaa\xc9\xa9\xf5\x74\xca\xc3\x86\x5a\x52\xa2\xf5\x62\x38\x46\x1c\x61\xc9\x6a\x8c\xe8\xe9\x87\xd7\x91\xf3\x9d\xed\x0e\x0c\xb3\x8b\xb0\x56\x71\x2f\xb3\x08\x6b\x67\xc8\x97\x00\x55\xd3\x94\xa1\xd3\x55\x45\x58\xf7\x51\x6a\x63\x23\x8e\x42\x5d\x28\xbd\xda\x64\xe9\xd5\xbf\xe9\xa3\x33\xa2\xb6\xe9\x69\x3a\xe9\xaa\x6d\x3a\x4e\x1b\x9e\x85\xc1\xbe\x85\x49\x61\x53\x26\xe8\x08\xb7\x29\xcd\xb4\x3d\x2b\x4a\xba\x9e\xa2\x13\x4e\x49\xd7\x26\xda\x69\xb4\xb8\x6a\xab\xcd\x4f\xf2\x8b\x23\x8e\xf9\x89\xfb\x96\x4f\xf5\x9a\x22\xb3\x7e\xaa\x30\x45\x4e\xd1\xd4\xce\x18\x25\xd4\x4f\x05\x8e\x05\x8e\x05\x8e\x05\x8e\x45\xfd\x54\xd4\x4f\x45\xfd\x54\xd4\x4f\x85\x5b\x00\x6e\x01\xb8\x05\xe0\x16\x80\x5b\xa0\x25\x6e\x01\xd4\x4f\x45\xfd\x54\xd4\x4f\x45\xfd\x54\x78\xdd\xe0\x75\xdb\xe2\xf5\x53\x5b\x4d\x8a\x37\x54\x2c\x75\xeb\x95\x0d\x61\x1f\x49\xd0\x90\x10\x00\xcb\x2b\x7a\x4e\x35\x96\x3b\x4e\xe9\x81\x31\xb9\x94\x2f\xab\x4a\xa9\xa2\x17\x95\x9c\xac\xb3\xb7\x25\xd8\xdf\xf7\xd3\x4e\xfb\xc8\x06\x22\xd9\x67\xcc\x16\x16\x8c\x16\x92\x23\xc6\xc1\xd3\xd6\xe9\x8b\x69\xcf\xaf\x5b\x4d\x7a\x4b\xa6\xac\x98\xda\x53\x34\xc9\xa7\xf6\x31\x3a\x4a\x87\x03\x1d\x20\xce\xf8\xae\xa7\x53\x9e\x1b\x6f\x89\x87\xf6\x5a\xf8\xc4\x9f\x60\x47\xcc\x89\x5f\xfd\xac\xcd\xd7\xc0\xd3\x2b\x6f\xd2\x07\x22\xf8\x11\xc1\x0f\x95\x2d\xb8\x8c\xe0\x32\x82\xcb\xa8\x77\x5c\x46\x50\xd9\x82\xca\x16\x50\x3d\x50\x3d\x50\x3d\x50\x7d\x57\xa0\x7a\xa8\x6c\x41\x65\x6b\xab\xc0\x49\xa8\x6c\xb5\x43\x65\xeb\x67\x87\x68\xbf\x00\x76\xda\xb2\x94\x4b\x59\xa0\xa8\x4e\xd1\x50\x4d\x2d\xca\x3a\xfb\xeb\x04\xfb\xb3\x01\x7a\xc8\x38\x69\xd2\x7d\x8e\x5d\x18\xb4\xdc\x98\x62\xff\x25\xd5\xf8\x60\xb6\x44\x9e\xff\x20\x3f\xe1\x52\x75\x8f\xcc\xda\x9f\xc6\x85\xa0\xc8\xdf\x42\x45\xfe\xe5\x70\x42\x78\x8a\x9d\x30\x09\x61\xe0\xe4\xb2\x88\xb9\x5a\x94\x6b\x8b\x7f\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x76\x0a\x13\x7e\xbe\x8f\x76\x8c\x99\xcf\x68\x8c\x7d\xb6\x8f\x7d\xa6\x8f\xee\x31\xff\x3f\xfa\xea\x82\x6c\xed\x8a\xf2\xf6\x2b\x99\x7c\x55\x41\xae\x4c\xa9\x79\x7b\xfe\xd7\x70\xb6\x89\x9a\xbf\x6c\x50\xa0\xc4\x0b\xbb\xcc\xeb\xa6\xe6\x4a\x2b\x6a\x18\xe1\x62\xdf\x89\xd0\xa3\x66\xa1\xd2\xb2\x22\xbf\xa9\x22\x97\xf8\xec\x73\xc5\x2a\xb2\xff\x3b\xc2\xfe\x24\x42\xbb\x3c\xbf\x2f\xad\xa7\xa3\xaf\x35\xee\xd6\xb3\x76\x10\x4f\x25\xf9\x68\x41\xae\x4c\xba\x8f\x5e\x4c\x4f\xce\xcf\x59\xbb\xd5\xd6\x81\xc6\xda\x71\x9b\xa8\x69\x68\xa2\x91\x86\xb2\xe5\x60\x51\x87\x67\xc4\x73\xb8\x40\xe7\xf9\x73\x98\xa5\x69\xca\x34\x01\x1d\x5d\x03\x70\x5e\xd1\x2b\xd6\xf0\xff\xc6\x10\xa5\xc5\xf0\x2f\x73\xa6\x1c\xac\x7b\x7c\x43\x5d\xb6\x4a\x3c\xb0\x1f\x1c\x62\xbf\x1f\xa1\xed\xfc\x14\x2e\xf4\xa2\xc9\x52\xbe\x0a\x64\x64\xd5\xe5\xe4\x83\xc6\xdf\x33\xc6\x51\x6e\x9d\x97\xac\xba\xdc\x5a\x21\x85\xec\x02\x1d\x11\xa3\x94\xa6\x31\x3e\x4a\xc3\x94\xa0\x27\x03\x23\x36\x79\xbf\x8d\x41\xc9\xaa\xcb\xa1\x08\xf6\x6c\x38\x5d\x7d\x92\xed\xf1\x91\x66\xe7\x57\x31\xa9\xaa\x71\xa1\x1b\x8f\xf8\xc3\xdc\x57\xb0\x81\x82\x5c\xa1\xe8\xbb\xb6\xbb\x46\xf4\x21\x4d\x2e\x17\xa5\x9c\xec\x33\xa8\x0f\x9b\x3f\xb5\x7f\x5c\x33\x3c\xf0\xb5\x4a\x35\xa7\xd1\x81\x45\x56\x36\xc4\x72\x9a\x14\xcb\x79\x4f\xdf\x1d\xbc\xcf\x27\x84\x82\x8d\xf1\xbd\xb2\x15\x6c\x3a\x6e\x0e\x02\x4c\x80\x27\x01\x21\xd8\x1c\x94\xd7\x2a\x94\xfc\xc6\x7d\x2e\x73\xb0\xd3\x4c\x81\x92\xb8\x05\x88\x8a\xff\xeb\x80\x01\x68\x8f\x42\x0d\x2c\x43\x88\x65\x80\x4a\x42\x47\x54\x12\x90\x1e\x8b\xf4\x58\xa4\xc7\xb6\x2b\x3d\x36\xfb\xe9\x3e\xba\x24\x34\xef\xce\xd1\x9c\x4b\xf3\xae\x4d\x99\x82\xad\x4d\x48\xb4\xbe\xf7\x31\xff\xaf\xf4\x0e\x76\x8f\x18\x26\x6a\xdd\x8a\x20\xf3\xd2\xbd\xae\x4f\x7e\xbc\x2c\x69\x15\x85\x3b\x73\x05\x41\xf0\xd9\x0a\x3c\x54\xe6\xce\xfa\xb6\xae\x03\x1e\xae\x6e\x68\x94\x5f\x74\x2f\xdf\xee\xee\x76\xff\xb8\x2a\x6b\x05\xd9\xfd\xeb\xa0\xfb\x57\xbd\xa2\x49\x15\xb9\xa0\xe4\x46\x6b\x8e\xf3\xb4\x62\xfc\xfb\xb6\xf9\xab\xd1\xcb\x8c\xb1\xf3\xcd\x56\x6d\x42\x26\xe8\x48\x13\x4f\x96\x17\x6e\xc2\xea\x23\x6c\xf5\xf1\xd1\x7e\xfa\x70\x3f\xfb\x50\x7f\xf4\xe7\x6d\x13\xfe\xf6\xfe\xde\xd9\x97\x54\x79\x83\x8c\x71\xe6\xd1\x0d\xdc\x63\x69\x4c\x4e\x27\xc6\x69\x28\x60\xe2\x0e\xf3\x2f\x91\x08\x86\x91\x8a\xfc\x4c\x63\xc9\x25\xce\xe6\x47\xf0\xe5\x8f\x1e\x1b\xca\xea\x6a\x69\x5e\x04\xfb\x3c\x65\xbc\x16\xe6\xbf\x17\xac\x97\xc5\xf9\xe3\x70\xf0\x86\x29\xf3\x52\x1f\xbd\xd8\xc7\x5e\xe8\x8b\x7e\xce\x06\x99\x1f\xec\x9b\x55\xb5\x1c\x5f\x99\x15\x54\x3e\xec\x6a\x2c\xbe\x62\xfc\x29\x1e\x9b\xf4\xdc\x05\x47\xd4\x62\x11\xb5\xa6\x3b\x61\x0d\xa3\x52\x8e\xdf\x38\x0f\x16\x29\x2a\x39\xf3\x23\x29\x17\xf3\x7a\x4c\xbd\x65\x8e\xa9\x08\xa6\x28\xcb\x6a\xb9\x28\xa7\x62\xe2\x8a\x3c\x3a\xcb\x7a\x96\x1c\x15\xfb\x0e\x80\x7d\xf9\xf8\x36\xde\x2d\x4f\xa4\x51\x3b\x81\xce\x63\xfe\x16\x7d\x3b\x7b\x05\xef\x58\x0b\x0d\x7a\x76\x1f\xa5\xd8\x48\x3c\x69\xe7\x8d\xdf\xe7\xae\xa8\x96\x55\x97\x37\xa3\x8a\x5a\xcb\x33\xcd\x3f\x33\x42\x53\x02\x21\xe6\x64\xcd\xe4\xda\xb2\x5e\x1d\xb2\xea\xfe\x4d\x29\x94\x94\x52\xc1\x9a\x00\x16\x54\xfc\x9f\x7b\xd9\x1f\xf5\xd3\xab\xdd\x07\xda\x31\xac\x23\x3e\x80\x71\xca\x39\x70\x41\xb4\x78\x49\xb4\x98\xdc\x67\x1c\xed\xfa\x59\x37\x23\x4f\x03\xcf\x68\x31\x8e\x5c\xa3\xe7\xc4\xec\x5d\xa0\xa7\xf9\xec\x35\xd6\x3f\x67\x82\x15\x74\xdd\xc3\x66\xde\x71\x2a\xb0\xaf\xa1\xf3\xbb\x3e\x66\xbc\xf1\xc6\xf0\xd9\x7d\x81\x9d\x37\x67\xb7\xcf\x13\x35\xe7\x7a\x70\xff\x6a\x82\x47\xa3\x7f\xbc\x23\xe0\xb1\x8e\xf9\x53\xce\xe0\x27\xbb\xdf\x3c\x61\xf3\x1e\x6e\xe6\x1a\x7d\x2f\xbd\xae\x6a\x39\xd2\xba\xa7\x8b\xd5\x09\xa8\x69\x93\xd4\xf4\x4f\xfa\xda\x6a\x76\x96\x04\x57\x7d\x96\x16\x1d\xae\xda\x51\xbb\xd6\x98\xe1\xda\xb0\x75\xaa\x63\xe9\xc2\x10\xed\x17\x77\x05\xd8\xb5\xb8\x8d\x6b\x83\x4d\xd9\xb8\xa9\x3c\xbe\x79\x96\x0c\x70\x17\x70\x17\x70\x17\x70\x17\x70\x17\x70\xb7\x19\xb8\xdb\x5a\x01\xb8\x4e\xa2\xe2\xc6\xe1\x6e\xe7\x17\x1d\x99\x2f\xee\x0c\x58\x55\x1c\x09\x21\xc2\xc1\x6b\x8d\x34\x27\x1b\x9b\xb3\xd4\x00\x3f\xee\xb5\x05\x0e\xf8\x31\xf8\xf1\x26\xf3\xe3\xcd\x25\x70\xa1\x84\xb9\xf3\x0c\x2e\x3b\x4b\xd3\x2c\x13\x3f\x6d\x83\xe5\x27\xdd\x28\x3a\xb0\xa1\x5a\x40\xdd\x72\x7c\xfc\x7c\x1f\xdd\x37\x56\x54\x0b\xfa\xd8\x3f\x29\xaa\x05\xa3\x6f\x6f\x61\x2a\x3b\x42\x03\xc6\xdf\x92\xaf\x2a\xaa\x85\x59\xa5\x28\x9f\x95\x4a\xf9\xa2\xac\x65\x1f\x0a\x1b\xfc\xec\x7e\x4a\xb3\xb1\xf8\xa8\xc3\xdc\x8d\xff\x5a\x31\xdc\x45\xb5\x10\xbf\xc7\xbc\x8c\xeb\xae\xd8\xbf\x79\x03\xcd\x99\x51\xc8\x6b\x15\x55\xcf\x49\x45\xa5\x54\x18\x5b\x1f\x37\x06\x6f\x3c\x28\x22\x96\x5f\xd8\x30\x20\xc5\xb2\x9a\xb7\xce\x93\x35\x9d\xfd\xfe\x12\x7b\x79\x90\x1e\x70\x35\xb5\x64\x36\x15\x3d\x58\x5f\x55\xf5\xac\xdd\xe4\xbc\x9a\x9f\xb4\x9b\x4c\x1e\x36\x4e\x9b\x74\xda\x5b\x14\xcd\x39\x2e\xdf\x80\x13\xbb\x5c\x53\x21\x03\x59\x01\xc8\x0a\xa0\x60\x1d\x64\x05\x20\x2b\x00\x59\x81\xde\x91\x15\xe8\xa2\x7a\x6c\x5d\x23\x2b\x80\x42\x61\x90\x15\x80\xac\x00\x64\x05\x20\x2b\xb0\x19\x85\xc2\x7a\x5a\x05\x00\x95\x8c\x7a\xb9\x92\x51\x66\x0b\xaa\x00\x64\xd7\xe9\x7b\x05\xdf\xbc\x4c\x97\x38\xdf\x3c\x4f\x59\x3a\x1b\xc8\x37\x5d\x24\x2a\x65\x92\xa8\x54\x00\x31\x6a\x49\xcd\x9a\x42\x38\xdf\x9c\x66\x19\x93\x6f\xba\x3a\x67\x72\xcd\x80\xae\xb9\xa8\xa6\xb8\x07\x8a\xff\x38\xf9\x63\x36\xf3\x8b\x15\x93\x02\x89\xda\x51\x71\xc4\x66\x32\x35\x81\xc0\x9e\xa3\x67\x69\xb1\xca\x3d\x35\x4b\xd3\xad\x78\x96\x70\x55\x21\x98\xb0\xc9\x60\xc2\x8f\x46\x82\xf3\xac\xae\x08\xd3\x33\x4f\x17\xb8\xe9\x39\x4b\x2d\x9a\xae\x74\x55\x84\x18\x3e\x43\x0b\x4e\x88\x61\xeb\x5a\xbf\x26\x02\x0c\x16\xe9\xb2\x2b\xc0\xa0\x65\xcd\x5b\xa6\xb1\x53\xa6\xaf\x8e\x0d\x2e\xab\x7a\x85\x92\x3f\x36\xea\x6f\x1a\x47\xcc\x88\x12\x57\x78\x8e\xba\x12\x68\x26\xa7\xc4\xd1\xb5\x66\x72\xca\x3e\xbd\xd3\x06\xb3\x3d\x61\x8b\x80\xd0\x80\xd0\x80\xd0\x80\xd0\xbd\x03\xa1\xb1\x38\x0c\x59\x1c\x76\x0f\xa5\x47\xc8\x78\x47\x42\xc6\xe1\x0c\x81\x33\x04\xce\x10\x38\x43\xe0\x0c\xe9\x69\x67\x08\x32\x87\x90\x39\x84\xcc\xa1\x76\x65\x0e\xc1\xd7\x08\x5f\x63\xaf\xfa\x1a\xb3\x85\x0e\xab\x97\x75\x8c\x46\x27\xfd\x69\xf4\x03\xec\x7e\x61\x36\x1c\x93\x4e\x5b\x51\xe3\xe6\xcf\x13\x34\x28\xf2\x03\xf4\x8a\xaa\x49\x05\xd9\xa5\x4f\x2e\x8a\x31\xe6\x74\xa5\xa4\xe6\x65\x9d\xfd\x4a\x82\xfd\xe2\x00\x91\x79\xdc\xd2\x7a\x3a\xaa\x37\x56\x80\x71\x6a\x61\xee\x82\x9a\x6f\x55\x0d\xc6\x87\xf8\x09\x0b\xa2\x17\x8b\x69\xb3\xf1\xf3\x4a\x0b\x53\xfb\x7a\xad\xce\xe2\x33\xe1\x2f\xd3\x38\xdb\x67\xbe\x4c\xde\x79\x62\x25\xec\x88\xa7\xe0\x15\x89\x42\x0e\x04\x72\x20\x50\x5a\x11\xee\x27\xb8\x9f\xe0\x7e\xea\x1d\xf7\x13\x4a\x2b\xa2\xb4\x22\xb0\x3f\xb0\x3f\xb0\x3f\xb0\x7f\x57\x60\x7f\x94\x56\x44\x69\xc5\xad\x02\x3a\x51\x5a\xb1\x1d\xa5\x15\xbf\x15\xa1\x47\x02\x20\x9f\xd0\xb0\x66\x7c\x42\xd3\x7d\x0e\xdb\x13\xc2\x5c\x81\x85\x08\x1f\x29\xc8\x15\x1b\xc1\xf1\x63\x51\x87\xd0\xbf\x0e\xe1\x0f\x3c\x2c\x44\xc4\xeb\x14\x20\xb4\x22\xcc\x4a\x95\x75\xb5\xb8\xb6\x2a\xe7\x8a\x92\xb2\x6a\xa9\x87\x8f\xe9\x9c\x7b\xb3\xdf\x8c\xb2\x0f\xf4\xd3\x3d\x39\x55\xe3\xe8\x75\x9c\xeb\x86\x8b\xdf\xac\x69\xee\xac\x79\xe6\xed\x16\x17\x79\x8b\x53\x46\x8b\xc9\x31\xae\x1e\xae\x6a\xb2\xbb\xa4\x86\xef\xa1\x82\xb5\xb7\x58\x3c\x3c\x4f\x73\x62\xa4\x33\x74\x9a\x8f\xf4\x04\x1d\xa1\x43\xc1\xd2\x45\xaa\x26\x73\x6d\x32\xbf\x0e\xde\xa9\x56\xf8\x95\x70\xe2\x79\x80\x8d\x9b\xc4\x33\x1e\x37\x29\xa7\x7f\x57\xdc\xcc\x33\xfa\xd6\x1d\xce\x33\x3a\x68\x89\x80\x6f\xec\x31\x8d\x5b\x52\xe0\x9b\xf5\xa4\x32\x3c\xe7\xaa\x2a\x73\xa7\xe9\x47\x85\x70\x4c\xe4\xea\x34\x99\xab\xf3\xc9\xbe\x56\x9a\x8c\x0b\x22\x09\xe7\x0c\xcd\x38\x49\x38\xed\x34\x41\xed\xb2\x31\x21\xe2\xdd\x99\xf7\xef\x74\x4c\xd0\xc9\x1a\x65\xcd\x8d\xd9\xa2\x7d\x42\x5f\x73\x33\x2c\x11\xe4\x35\x7b\xcd\x0e\x42\x5e\x13\xf2\x9a\x9b\x2c\xaf\xd9\xd1\x35\x6a\xdb\x3e\x10\x61\x32\x9d\xd9\x0c\x9d\x66\x27\xe3\xc7\xed\x40\x95\xc7\xdd\x9a\x99\xbe\x17\xb8\x2b\x0a\x3a\xfd\xab\x7e\x2b\xd8\x45\xca\xaf\x2a\xdc\x8f\xae\xc9\x05\x85\x7f\x21\x8c\xbd\xb3\xab\x34\xff\xd7\x23\xec\x2f\x22\xf4\xa0\xef\x71\x75\x4b\xf4\x0f\x16\xe4\xca\xa4\xdf\x59\x5b\xa0\x54\x7f\x7b\x76\xc2\x61\xef\x01\xfb\xe2\x10\x65\xcc\xc7\x52\x56\xe4\x37\x55\xe4\x12\x87\x49\xd5\x90\xc2\x0c\x47\x5a\xd3\x2b\xea\xaa\x35\xde\xae\xbe\xb1\x77\x0d\xb1\xb7\x6e\xa3\xd7\x78\xda\xb0\x49\xc6\x3f\xef\x6b\x30\x56\x89\x37\x6f\x75\x7f\xda\x6e\xbe\x45\xc1\x4b\x07\xf9\x09\x93\xee\x2e\x5a\x82\xe5\x01\x17\x46\x60\xd3\x9d\x14\xcd\xb1\x02\x00\x7d\xe6\x95\x15\xb9\x14\x30\xee\xb5\x4a\xc3\x0d\xc5\x52\x21\xe8\x09\x41\x4f\x08\x7a\x42\xd0\x13\x82\x9e\x10\xf4\x84\xa0\x27\x04\x3d\x21\xe8\x09\x41\x4f\x08\x7a\x42\xd0\x13\x82\x9e\x10\xf4\x84\xa0\x27\x04\x3d\x21\xe8\xa9\x53\x41\x4f\x9f\x49\xd2\x62\x50\xe5\x23\x0b\x26\x6e\xb0\xfe\x91\x55\xd0\xff\xab\xc3\xec\x97\xb6\xf9\x89\x10\xa6\xa3\xbf\x6e\x72\x46\x37\x5c\x2c\x59\x56\x2f\xa4\x18\x52\x4b\x18\xe3\x88\xb3\xe2\xe1\xab\x3a\xf3\xfb\x68\x2c\x9a\x9c\xa5\x5c\xc2\xb3\x7a\x76\xb5\x9d\x4a\x1e\x11\x84\xb2\x5a\x16\x31\xbd\xd5\x2b\x32\x6d\x0a\xa4\xec\x4c\x96\x72\x5d\x8f\xcf\x2d\xe1\xf1\x01\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\xec\x2c\x96\x9c\xa6\x0c\x3b\x1d\x3f\x69\x47\xcd\xed\x71\x47\xde\x05\xec\xf7\xee\x86\xd8\x3b\xe0\x53\xe0\x53\xe0\xd3\x2d\x84\x4f\xff\x3e\x41\xe3\xc1\xf8\x34\xb0\x42\xfc\xaf\x27\xd8\xc7\x07\xfc\xd1\x68\x93\x15\xe2\x4f\xf8\x56\x88\x4f\x07\x1c\x3e\xab\x6a\x93\xc5\xa2\x0d\x2b\x5b\x17\x67\xdb\x26\x2a\x79\xc7\xf5\xce\xd2\x77\x41\xbd\x33\x68\xc5\x81\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x22\x6c\x12\xdc\x0f\xdc\x0f\xdc\xaf\x73\xdc\xef\xcf\x1e\xa6\x33\x82\xfb\xe5\x64\xcd\x6c\x45\x76\xe5\x62\x7b\xfe\xac\x14\x4a\x4a\xa9\x60\xd9\x69\x4b\xb1\x4c\x2a\x97\x35\x75\x5d\x2a\xb2\x7f\xf5\x30\xfb\xa3\x7e\xba\xcf\x7d\xc6\xd2\x7a\x3a\x7a\x84\x6b\x97\x59\x47\xd5\x4a\xd1\x4c\x39\xc7\x2f\x88\x2b\x5c\x12\x57\x48\xee\xe7\x0a\x66\xae\xe6\x16\xd3\x81\x07\x4f\x9a\xed\xb7\x58\xc5\x6c\x63\x59\xf2\x29\xcf\x20\xae\xa7\x53\x81\xdd\x0d\x45\x75\xc5\x70\x14\x37\xc7\xce\x98\x28\xce\xe7\xd9\x59\xf9\xce\x81\x1d\x68\x50\x63\xa8\x20\x57\x28\xfa\xe2\x8e\xda\xc7\x7a\xcc\x92\x3b\x6b\xe6\xc9\x1e\xb2\x44\xcf\x36\xf3\xe1\x66\x9e\xa5\x45\xba\x5c\x25\xf9\xd3\x92\xa7\x0b\xf1\x1f\x88\xa0\x35\x29\x82\xf6\x7b\x7d\xed\xb2\x38\xcf\x09\x41\xb4\x05\x7a\xda\x11\x44\xeb\x94\x35\xab\xaf\x61\xd6\x59\x63\x97\xf9\xe2\xce\x5a\x6b\x36\x5d\xa3\x9c\xd6\x8c\x59\x3b\x20\xf4\xd3\x36\xcb\xa8\x41\x43\xad\xd7\xcc\x28\x34\xd4\xa0\xa1\xb6\xc9\x1a\x6a\x9b\xb6\x42\x0e\x93\x3d\xeb\xec\x57\x25\x3b\x4b\xd3\x2c\x13\x3f\x6d\x07\x69\x3d\xe9\x0e\xf5\x0a\x6c\xa3\x36\xd8\xab\xe5\x32\x68\x1f\x4d\xd0\x13\x62\x8b\x27\xaa\xa0\x1a\xbb\xba\xb2\x9a\xcf\x2b\xba\xb6\xc6\xa7\xfd\xf2\x5a\xbe\x20\x57\x74\xf6\xfd\x09\xf6\xed\x7e\xda\x21\x8e\x32\x3e\x8a\xe9\xfa\x21\x1c\xf3\x6a\x7e\xda\x6e\x24\xc3\x1b\x49\x8e\x19\xa7\x88\x5a\xa9\x8b\x69\x9f\x03\xb6\x5a\xc0\xc6\x75\x7a\x4a\xcc\x6e\x63\x56\x1b\xb3\xfb\x24\x1d\xa7\x89\xc0\xd9\x6d\x96\xc6\x35\x3e\x60\xb5\xf7\xde\x92\x10\x8d\xd7\x85\x4f\xea\x43\xec\x80\x39\xa9\x45\x77\x2c\x25\xc1\xda\x1e\xa1\x80\x1f\x82\x32\x10\x94\x81\xa0\x0c\x04\x65\x20\x28\x03\x41\x19\x08\xca\x40\x50\x06\x82\x32\x10\x94\x81\xa0\x0c\x04\x65\x20\x28\x03\x41\x19\x08\xca\x40\x50\xc6\xa6\x04\x65\x7c\xe8\x1a\xed\x0d\x2b\x22\xa7\xe6\x2b\xf2\x6a\x99\x6f\x2e\xd8\xb7\xae\xb2\xe7\x07\x9d\x2a\x40\xc3\xa1\xd8\xee\xb2\x79\x6a\xf2\x31\xe3\xd0\x9a\x7a\x3f\xce\x01\x5d\x8e\xe7\x32\x40\x56\x40\x56\x19\x20\x2b\x20\x2b\x20\x2b\x20\xab\x9e\x41\x56\x99\xae\x41\x56\x2d\xef\x49\xd3\xc8\x2a\x03\x64\x05\x64\x05\x64\x05\x64\x05\x64\xd5\x79\x64\x95\xe9\x69\xc2\x94\x01\x61\x6a\x1f\x61\xca\x74\x3b\x61\xca\x6c\x41\xc2\x94\x7d\x3d\x4d\x89\xb0\xa6\xe3\x34\xc1\xc3\x9a\x0e\xd0\x38\xed\x0b\x2f\x7c\xea\x90\xa1\x96\x04\x33\x3d\x15\x1e\xcc\x94\x64\x43\x35\x25\x51\x9d\x5e\x78\x02\x98\xe2\x7f\xbb\xdd\x81\x60\xaf\x16\xdf\x9c\x98\xe4\xe1\x5d\x8f\x8b\xbf\x76\x82\x78\x09\x40\x95\xa1\xd3\x74\xb2\x2a\x22\x3a\x45\x23\x1b\x19\x69\x44\x41\x23\x99\xa4\xc9\x64\x92\xaf\xf5\xd1\x29\xf1\x9e\x1f\xa1\x43\xfc\x3d\xdf\x47\x1b\x9c\x7d\x34\x2d\xd2\x46\x4e\xd0\x31\x27\x6d\x64\xe3\xad\xcc\x18\xad\x8c\xf3\xe8\xc9\xed\x93\x39\xe3\x6b\xd1\x54\x33\x61\x06\xa7\xb5\x06\xa5\x8e\xfd\x2a\xab\x7a\x85\x92\x9f\x1f\x71\x0c\x8e\xb9\x9c\x8d\xe5\xd4\xa2\xb1\x39\x35\x3f\x36\x6e\xe3\xb3\x57\x1c\x21\x8c\xcf\x94\x7d\x58\x27\xcc\xd0\x65\xba\x44\xf3\x6e\x33\x94\xcc\xd0\xe9\x26\xd2\x32\xa6\xf9\x1d\x5c\xe4\x38\x55\x07\x78\x05\x78\x05\x78\x05\x78\xed\x21\xf0\x8a\xa5\x58\xc8\x52\xac\x7b\xc8\xf4\xcb\x11\xfa\x6a\x84\x7d\x25\x12\xfd\xb2\xfd\xa8\x3e\x16\xb9\xec\xde\x0b\x2a\xa5\x98\x2e\xf6\x73\xb1\x65\x79\x45\xb8\x71\x6d\x66\xe2\x7c\xb2\xcc\xb7\x84\x0f\x96\x6b\xd1\x57\x52\x4b\xa3\x25\xb9\x20\xf1\x47\x62\x6e\x07\xdd\x8b\x43\x41\x4f\xed\xc9\x60\xae\x0e\x94\xd5\x55\x39\x6f\x2c\x3f\x8b\xb7\x1d\xff\xaa\x63\xda\x95\xe2\x88\xb9\x4b\xe4\xb7\x1b\x2b\x68\x52\x8e\xcf\x13\x45\xcd\xdb\x1f\x1e\xe7\xe3\xc0\x5d\xd7\xd6\x73\x59\xd3\x8d\x4e\xba\x07\x4a\x32\xce\xb4\x6e\xc8\xbc\xc8\x8a\x78\xdf\xac\x26\x52\xa2\x9f\x22\xa7\xcc\xa7\x8f\x71\xc6\xbb\x30\xcf\x7b\xe0\xb7\xfb\x85\x03\x00\x0e\x00\x38\x00\xe0\x00\x80\x03\xa0\xa7\x1d\x00\x5f\x88\xd0\x4b\x11\xf6\x62\x24\xfa\x82\xfd\xb5\x7d\x7f\x64\xda\x55\xdf\xb0\x5c\x94\x25\x5d\xb6\x5f\xfd\x79\x4d\x2d\x4b\x05\xfe\x1d\x16\xd9\xa2\x9e\xf0\x1f\xeb\x71\x3b\x05\x12\x8d\x07\x9e\x4e\x1d\x4e\xc5\x16\x84\x1d\x11\x1f\xc9\xb2\x5c\x32\xa6\xa9\xf3\x15\x91\x63\xaa\x56\xbe\x2e\x95\xac\x70\x24\x6d\x4d\x1e\x5b\x91\x8a\xd6\xea\x3f\x2e\x7e\x8d\xc7\x56\x94\x92\x54\x54\xde\x6c\x99\xef\x65\x39\x26\xe5\x39\x4d\x57\xc7\x04\x5c\xcd\x3b\x4b\x4b\xd1\x78\x42\x77\x4e\x12\xeb\xed\x54\x6c\x46\xe1\x26\xc9\xd5\x71\x55\xab\xbd\x33\xc7\x83\x51\x11\xcb\x7d\xbe\xfa\x53\x2b\xd7\x53\xf1\x5d\xa2\x3f\xd3\xd6\x8d\x78\xe3\x9a\xde\x39\x40\xef\x18\x60\xcf\x0f\x44\xbf\x6b\x07\xb7\x7d\xa9\xff\x8a\x69\x07\x8d\x29\x7a\x5d\xbd\x15\x2b\x48\xda\xb2\x54\xf0\x60\x07\x7b\xa1\x26\x6b\x2b\xaa\xb6\x6a\x8c\x85\x6f\x4f\x2f\x56\x5d\x3c\xb8\xa3\x7c\x59\x63\xad\x49\x44\x52\xa9\x31\x23\xf2\x72\x4e\xc9\x3b\x0b\x6b\xfe\x6d\x14\xa9\xe7\xd6\xe8\x1a\x1f\x27\xf3\xcb\x61\x7d\xfd\x52\xae\x61\xb4\xec\xa6\xed\x36\xb0\x43\xda\xbc\x17\x4b\xc5\x04\x33\xe2\xb6\xd8\xbd\x5a\x4d\x88\x7b\x48\x18\x7b\x1e\xfe\x2f\xef\xc4\xd0\x8f\xc5\x12\x19\x29\x77\xb3\xa0\xa9\x6b\xa5\xbc\x71\x14\x8f\x25\xe3\x07\x55\x0d\x9c\x58\xac\x98\x2b\x20\x6f\x23\xd6\x1d\x2c\xdb\x2d\x1d\x8b\x25\x66\x55\x4d\x76\x35\x1b\xcb\x49\x7a\x4e\xca\x1b\x77\x6f\x8e\x8f\x88\x1e\xe4\xed\xe9\x62\x39\x5d\xd3\xe0\x8a\xdd\x46\x2a\x7e\x7f\xb9\x7a\xde\xb8\xd7\x36\xf0\xaf\xc1\xbf\xd6\xa3\xfe\xb5\x6c\x21\x90\xfa\xd2\x79\x01\xb7\x67\x68\x8a\xc3\xed\x13\x74\x8c\x8e\x36\x41\x35\x17\x2a\x52\x65\x4d\xb7\x18\x72\xd2\x1f\xfa\x3e\xc0\xee\x17\x6f\xb3\x63\x69\x1b\x75\x60\xb9\x99\x72\x3d\xf6\xbc\x05\x0b\xfd\xb0\x7f\x48\xd2\xf1\x90\x58\x75\x4d\xb6\x29\xb5\xb1\x48\xd3\x8c\xf1\x73\xaa\x2b\x7f\x2a\xc9\xfe\x65\xbf\x83\xd1\x87\xb8\x5a\xa0\x77\x9b\x7b\xc9\x69\x60\xca\x6e\x20\x39\xcc\xd5\x01\xab\x3c\x79\xbe\x87\xb6\x58\x13\x30\x4f\x73\x62\xde\x65\xe8\x34\x9f\x77\x13\x74\x84\x0e\x85\xfa\x31\x7c\xbb\x16\xea\xd1\xb8\x12\x3e\xc3\x0e\xb0\xf1\xea\x59\xe5\x7f\xad\x8d\x48\xfe\x7d\xc3\xe5\x4b\xdd\x6b\x49\xfd\x35\xf2\x58\x46\x2c\x69\xbf\xce\x3f\x99\x0c\xaf\xa6\x52\xe5\x6d\x6d\xfa\xd1\x00\xf6\xc1\xef\xda\xa4\xdf\xf5\x93\x7d\xad\x34\x11\x17\x84\x07\xf6\x0c\xcd\x38\x1e\xd8\x76\x9a\x9c\x10\xb1\xbe\x76\x59\xa4\xe4\x07\x76\x39\x26\xe7\x51\x73\x25\x2e\x05\x58\x19\x8f\x2f\xb5\xb3\x46\xa6\x3d\xbe\x54\x18\x9b\x10\x63\x03\x9e\xdf\x11\x9e\x0f\x90\x03\x90\x03\x90\xd3\x2e\x90\x93\xfd\x74\x5f\x6b\x37\xad\x74\x49\x04\x56\x9d\xa3\x39\x57\x60\xd5\x1d\xb6\x19\xb6\x40\x88\xf9\x2f\x10\x76\xb0\x7b\xc4\x30\xb5\x6f\x8d\x90\xf9\x91\x9d\xce\x1a\xe1\x40\x8d\x66\x6f\x23\xfb\x93\xa4\xd0\xe8\xed\xec\xc2\x01\xca\xbc\xbd\xb6\x5c\x81\x32\x2f\x94\x79\x37\x59\x99\xb7\xa3\x9c\x2a\x54\x8d\xb7\x5d\x9f\x84\x6c\x86\x4e\xb3\x93\xf1\xe3\x36\x34\x7d\xdc\x2d\xbc\xeb\x7b\xfe\xdd\x50\x61\x9d\xbd\x27\x49\x57\xcc\x8a\xcd\xf9\x55\x85\x2b\x36\x68\x72\x41\xe1\x5f\x08\x45\x2d\x39\x25\x5c\x44\x09\x67\x4e\xef\xc7\xb8\x61\x95\x8c\x59\x78\x4b\x5e\xbe\xae\xaa\x37\x3d\x91\x9f\x36\x93\xfd\xe5\x61\xf6\x9f\xb6\xd1\x23\xbe\x0d\x2f\x99\x2d\x46\x3f\xd7\x67\x7a\x04\x9c\x04\x17\xc3\xda\x88\x81\xb3\xc4\x46\x16\xed\x0b\x5e\x11\x17\x9c\x72\x5f\x30\xe5\xda\x18\x4c\xd8\x5b\x8a\x04\x6f\x37\xe1\xc4\xde\x7a\x82\x29\xd5\xb2\x6c\xef\xf7\xf4\x8a\x2c\xe5\x47\x9c\xa0\x13\xbe\x47\x32\x43\x14\x94\x8a\xbc\xea\x98\xd3\x84\x27\x4e\xcc\xd5\x76\x2a\x79\x8a\x5f\x6e\xd2\xef\x5e\x17\xc5\xad\xd6\xbf\x89\x2e\xd7\x48\xc9\xde\xa4\x79\x61\x06\xe6\xe8\x0c\x37\x03\x93\x74\x8a\x4e\x34\xf1\xe5\xe7\x39\x4d\x33\xeb\x72\x29\x3c\xf1\xe7\xfb\xc2\x5f\xf6\xab\xec\x39\xab\x90\x74\x9d\xf9\x6b\x9a\x81\xfa\x4f\xc0\x6d\x0f\x44\x81\xe9\x3a\xe6\x88\x8f\x0c\xc4\x8e\xa1\x1c\x03\xb1\x63\x24\x30\x20\x81\x01\x09\x0c\xbd\x94\xc0\x00\xb1\x63\x88\x1d\x23\x70\x1c\x81\xe3\x08\x1c\x47\xe0\x78\x57\x04\x8e\x67\xcf\xd1\x1c\x3b\x13\x9f\xb1\xc9\x4b\xd2\x4d\x6f\xea\x6f\xfb\xda\x5f\x3b\x09\xca\xc9\x88\xbb\x85\x72\xf2\xd6\xd1\xb5\x61\xff\xe2\x5e\x3a\x68\x42\x51\x93\x49\x55\xc1\xd0\x31\x5d\x2e\xae\xe8\x6b\xdc\xba\x69\x6b\x45\x59\x37\x36\x20\xf2\x2d\x9d\x7d\x9e\xe2\x9f\xdd\x46\xbb\x3c\xa7\x2d\xad\xa7\xa3\x8f\xd9\x3a\x32\x0b\x72\x71\x65\x41\x9c\x79\xc9\x38\xf3\x12\x3f\x33\xb9\x57\x1c\x30\xe9\x3e\x71\x31\xed\x7f\x70\x8b\x23\x91\x16\xe9\x32\x5d\xaa\x72\xea\xd5\x89\x45\x4a\x79\xc7\x64\x3d\x9d\xf2\xef\x65\xf6\x67\x22\xc1\x21\xd7\x0b\x82\x25\x9e\xa7\x2c\x67\x89\xd3\xd4\x82\x0b\xd2\xb3\x22\xc2\xed\x69\xba\xe8\x44\xb8\xb5\xa6\xe5\xd7\x09\xf7\xf8\x25\x9a\x77\xb9\xc7\x5b\xd2\x74\xb8\xc6\x11\xd7\x08\xb9\x71\x23\x1c\x85\x9e\x61\x33\x16\x0a\xf5\x99\xb5\x26\x02\x0d\xb8\x41\x8f\x2b\x04\x5e\xd9\xfa\x5e\xd9\x2c\x22\x56\x03\x22\x56\x5b\xee\x9e\x7a\xdb\x30\x1d\x11\x96\x58\xaf\xa8\x9a\x54\x90\xfd\x1d\x52\xe6\x8f\xb9\xa2\xa4\xeb\xb2\xed\x7f\xfa\x8f\x43\xec\x1f\x07\xe8\x3e\xf3\x47\xdb\xe3\xf4\x89\x46\x3c\x4e\x0b\xe2\xa4\x29\xa3\xc5\xae\xf0\x2f\x3d\xc6\x2f\x67\x76\xcb\xf4\x28\xb9\x3b\x09\xff\xd1\x46\xbc\xc9\xc2\x7d\x73\x63\x29\xdc\xaa\x1e\x67\x13\xa6\x55\xf5\xce\x40\xcb\x9e\xba\x1e\x41\xad\x03\x09\xfe\x21\xf8\x87\xe0\x1f\x82\x7f\x08\xfe\x21\xf8\x87\xe0\x1f\x82\x7f\x08\xfe\x21\xf8\x87\xe0\x1f\x82\x7f\x08\xfe\xa1\x0e\xfb\x87\x8e\xd2\x61\x76\x30\xbe\xdf\xf6\x0f\x3d\xe8\xf6\x0f\xb9\xf7\x70\xf0\x06\xc1\x1b\x04\x6f\x10\xbc\x41\x2e\x6f\xd0\x97\x86\xe9\x98\xa5\x4d\x22\x70\x63\x80\x42\x89\xf1\xda\x29\x39\x59\xca\xe5\x8c\xe5\x8a\x8d\x21\x7f\x6c\x98\xfd\xf5\x80\x93\x6f\xf6\xa9\x86\xf0\xa3\x68\x6a\x52\x34\xd5\x15\x00\x72\xcf\x2d\xbf\x8c\x37\x6f\x47\x01\x21\x6b\x21\xe4\x7c\x38\x63\x1c\x65\x7b\x2d\xef\x8c\x7b\x34\xc9\x5f\xf1\x07\x51\xe9\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xdd\x46\x1d\x8f\xd1\x51\x76\x38\x7e\xd0\xa6\x8e\x51\x0f\x75\xf4\xec\xf5\xee\x06\x31\x01\x90\x4d\x90\x4d\x90\xcd\x2d\x44\x36\xbf\x39\x44\xe7\x1a\x12\xff\x68\x4c\xf7\x83\xfd\xdb\x21\xf6\x13\xdb\xe8\xc1\x20\xc1\x8f\xe8\x0f\x9a\xe8\x53\x29\xe5\x95\x75\x25\xbf\x26\x15\x3d\x14\xd4\x5e\x08\x77\x40\xee\x23\x95\x3c\x59\x4f\xb0\xa3\x7e\x0f\xce\x2b\x3a\x50\xa7\x0f\xea\x7c\x73\x38\xea\xbc\xc2\x9e\x69\x87\x5e\x07\xdd\xd8\xe3\x0f\x45\x77\x32\xe2\x83\xc2\x2b\x05\x03\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x76\x18\x8c\x82\x3c\x82\x3c\x82\x3c\xf6\x30\x79\xfc\xfe\x25\x9a\x16\xe4\x31\xaf\xe8\x39\xd5\x30\x7a\xd5\x99\xdd\x01\x41\x96\x72\x29\x5f\x56\x95\x52\x45\x2f\x2a\x39\x59\x67\xff\xfe\xf5\xec\xd3\x83\x74\xbf\xdd\x8a\x9d\xe5\xbd\x57\x2c\x1e\x35\xf3\xb3\x67\xd9\x45\x2b\xc0\x72\xc6\x6c\x66\xc1\x68\x26\xc9\x0f\x9e\xb6\xda\x30\xb3\xab\x9d\x20\x47\xcf\xc1\x5d\x0e\xfe\x32\x60\x5c\x60\x5c\x19\x30\x2e\x30\x2e\x30\x2e\x30\xae\x9e\x61\x5c\x99\xae\x61\x5c\x2d\xef\x49\xd3\x8c\x2b\x03\xc6\x05\xc6\x05\xc6\x05\xc6\x05\xc6\xd5\x79\xc6\x95\xe9\x69\x24\x95\x01\x92\x6a\x1f\x92\xca\x74\x3b\x92\xca\x6c\x41\x24\x95\xbd\x41\x17\x45\xc0\xd4\x59\x9a\xe5\x01\x53\xa7\xe9\x24\x1d\x0f\xd4\xf7\x74\xb8\x95\x49\x9c\x52\x1e\x4a\x74\x5e\xd1\xc3\xe3\xa5\x82\x45\x3f\x79\xb8\xd2\x8d\xe5\xf0\x78\xaa\x53\xec\x84\x19\x4f\x55\x0d\xd2\xcc\x18\x2a\x4f\xaf\x6a\x15\xea\xe2\xbf\xb7\xc3\x8f\x9e\xbd\xd6\xd2\xab\x2d\x55\x91\xb2\x51\xf1\x43\xa7\x59\x99\x40\x5b\x1b\x2c\x3f\x19\xf6\x8c\x50\x7e\x12\xa5\xf9\x9b\x14\x3a\xfd\xa1\x3a\xda\xc6\xe7\x84\x19\x99\xa6\x0c\x37\x23\xc7\xe9\x0e\xa6\xa8\x08\xe2\x4c\xf3\x20\x4e\x5b\xd3\xf8\xce\x5a\x7c\x5a\x68\x19\x67\xe9\xac\x4b\xcb\xf8\x8e\x9a\xb4\xcc\x59\x63\xe6\xaa\x21\xb3\x14\x64\xd3\xc2\x74\x92\x93\xdf\x1e\xf1\x33\x67\x71\xb3\x90\xb3\xab\x2a\xb6\xba\x52\x65\xd9\x0e\x8b\x63\xaa\x2d\xdb\x94\x7d\x4a\x67\x6c\xdc\x65\xba\x44\xf3\x6e\x1b\x57\x4f\x8b\xbb\x4e\xd8\xee\x34\xbf\x9b\x8b\x9c\xf2\xea\xe0\xc1\xe0\xc1\xe0\xc1\xe0\xc1\x3d\xc4\x83\xb1\xb6\x0b\x59\xdb\x75\x0f\x30\x7f\x39\x42\x5f\x8d\xb0\xaf\x44\xa2\x5f\xb6\x1f\xd5\xc7\x22\x97\xdd\x5b\x54\xa5\x14\xd3\xc5\x36\x33\xb6\x2c\xaf\x08\xef\xb2\x8d\x72\x9c\x4f\x96\xf9\x96\xf0\xc1\x72\xad\x22\x4b\x6a\x69\xb4\x24\x17\x24\xfe\x48\xcc\x5d\xaa\x7b\xb5\x29\xa0\xae\x3d\x19\xcc\xb5\x82\xb2\xba\x2a\xe7\x8d\xf5\x6c\xf1\xb6\xe3\xf6\x75\x4c\xbb\x52\x1c\x31\x37\xaf\xfc\x76\x63\x05\x4d\xca\xf1\x79\xa2\xa8\x79\xfb\xc3\xe3\x7c\x1c\xb8\x47\xdd\x7a\x2e\x6b\xba\xd1\x49\xf7\x40\x49\xc6\x99\xd6\x0d\x99\x17\x59\x11\xef\x9b\xd5\x44\x4a\xf4\x53\x54\x07\xf7\xe9\x63\x9c\xf1\x2e\xcc\xf3\x1e\xf8\x6d\xca\xe1\x97\x80\x5f\x02\x7e\x09\xf8\x25\xe0\x97\xe8\x69\xbf\xc4\x17\x22\xf4\x52\x84\xbd\x18\x89\xbe\x60\x7f\x6d\xdf\x1f\x99\x76\x65\xd4\x96\x8b\xb2\xa4\xcb\xf6\xab\x3f\xaf\xa9\x65\xa9\xc0\xbf\xc3\xf3\x6a\x51\xc9\xdd\xf6\x44\x25\x59\x8f\xdb\x49\xc9\x35\x1e\x78\x3a\x75\x38\x15\x5b\x10\x76\x44\x7c\x24\xcb\x72\xc9\x98\xa6\xce\x57\x44\x8e\xa9\x5a\xf9\xba\x54\xb2\xa2\xa4\xb4\x35\x79\x6c\x45\x2a\x5a\xab\xff\xb8\xf8\x35\x1e\x5b\x51\x4a\x52\x51\x79\xb3\x65\xbe\x97\xe5\x98\x94\xe7\x90\x5f\x1d\x13\xcc\x37\xef\x2c\x2d\x45\xe3\x09\xdd\x39\x49\xac\xb7\x53\xb1\x19\x85\x9b\x24\x57\xc7\x55\xad\xf6\xce\x1c\xc7\x4a\x45\x2c\xf7\xf9\xea\x4f\xad\x5c\x4f\xc5\x77\x89\xfe\x4c\x5b\x37\xe2\x0d\xb7\x7a\xe7\x00\xbd\x63\x80\x3d\x3f\x10\xfd\xae\x1d\x73\xf7\xa5\xfe\x2b\xa6\x1d\x34\xa6\xe8\x75\xf5\x56\xac\x20\x69\xcb\x52\xc1\x03\x21\xec\x85\x9a\xac\xad\xa8\xda\xaa\x31\x16\xbe\x3d\xbd\x58\x75\xf1\xe0\x8e\xf2\x65\x8d\xb5\x26\x29\x8b\xbb\x52\x8c\xf5\x42\x4e\xc9\x3b\x0b\x6b\xfe\x6d\xe4\xdb\x1c\x7b\x74\x8d\x8f\x93\xf9\xe5\xb0\xbe\x7e\x29\xd7\x30\x5a\x76\xd3\xf6\x66\xd8\x91\x76\xde\x8b\xa5\x62\x82\x29\x71\x5b\xec\x5e\xad\x26\xc4\x3d\x24\x8c\x3d\x0f\xff\x97\x77\x62\xe8\xc7\x62\x89\x8c\x94\xbb\x59\xd0\xd4\xb5\x52\xde\x38\x8a\x87\xb8\xf1\x83\xaa\x06\x4e\x2c\x56\xcc\x15\x90\xb7\x11\xeb\x0e\x96\xed\x96\x8e\xc5\x12\xb3\xaa\x26\xbb\x9a\x8d\xe5\x24\x3d\x27\xe5\x8d\xbb\x37\xc7\x47\x04\x35\xf2\xf6\x74\xb1\x9c\xae\x69\x70\xc5\x6e\x23\x15\xbf\xbf\x5c\x3d\x6f\xdc\x6b\x1b\xb8\xfd\xe0\xf6\xeb\x51\xb7\x5f\xb6\x40\xe7\x05\xfb\x9e\xa1\x29\xce\xbe\x4f\xd0\x31\x3a\xda\x04\xbc\x5c\xa8\x48\x95\x35\x3d\xd4\x7f\xd6\x09\xe0\x9c\xf4\x07\xce\x0f\xb0\xfb\x85\xc5\x70\xac\x39\x6d\x41\xc9\x1e\xf6\xa1\xd7\xd3\x21\x11\x88\xaf\x2d\x4b\xb9\x54\x50\xbd\xcb\x5c\x71\x4d\xaf\xc8\x9a\xa6\x16\xe5\x65\x63\xa7\x5c\x2a\xe8\xec\x6f\xaf\xb1\xcf\x0d\xd2\xab\x8d\xf3\x26\xab\xeb\x5d\xee\xab\x1f\x7d\x3f\x25\x9a\xbb\xa4\x16\xe5\x8c\x68\x2e\x39\x6c\x9c\x71\xa9\xba\xad\xc5\x74\xed\xa1\x08\xc0\x47\x00\x3e\x02\xf0\xe1\x70\x81\xc3\x05\x0e\x17\x38\x5c\xba\xc6\xe1\xd2\x3d\xfe\x04\x80\x6e\x80\x6e\x80\x6e\x80\x6e\x80\xee\x9e\x06\xdd\x20\x71\x20\x71\x3d\x4a\xe2\xb6\x64\x00\xbe\x4c\x59\x41\x0f\xa7\x68\x92\xd3\xc3\x63\x74\x94\x0e\x07\x06\xa5\x72\x5e\xb5\x9e\x4e\xd5\x02\xa2\x96\xc4\xde\xdf\x0c\x67\x8b\x67\xd9\xac\x89\x0d\x03\xd9\x99\x19\x84\x5f\xdb\x47\x8f\x78\x69\xfc\xb7\x76\x04\x70\xb4\x87\xad\x38\x7c\x3f\x64\xb6\x57\xfc\xd8\x59\x68\x26\x18\xd7\x1c\x9d\xa1\x99\xaa\x48\xfc\x83\xb4\xbf\x89\x87\x85\x40\x2d\x04\xe1\x37\x19\x84\xff\x9d\x3e\x9a\x15\x16\xe3\x14\x9d\xe0\x16\xe3\x30\x35\x37\x09\x45\xcc\x7e\x9a\xc7\xec\xdb\x61\xf6\x4d\x37\x76\x5e\x44\xd8\xcf\xd0\x94\x2b\xc2\xbe\xe9\xd6\x9a\x37\x64\x3c\x22\xbe\xa3\x86\x2c\xf9\x03\xa3\x01\x86\x2c\xe1\x1b\x81\xef\x63\xd4\x0e\x8a\x03\xfd\x8c\x9a\x7d\x6a\xdb\xcd\x1b\x82\xf0\xc1\x84\xc1\x84\xc1\x84\xc1\x84\x11\x84\x8f\x20\x7c\x04\xe1\x23\x08\x1f\xbe\x09\xf8\x26\xe0\x9b\x80\x6f\x02\xbe\x09\x04\xe1\x23\x08\x1f\x41\xf8\x08\xc2\x87\xeb\x0f\xae\xbf\x2e\x74\xfd\x75\x3c\x08\x7f\x03\x01\xf2\x0d\xb2\xe8\x86\x50\x73\x28\xb0\x6e\x7d\xac\xfc\x37\x92\x74\xdc\x98\x60\x63\xeb\x81\xea\xf4\x16\xa2\x28\x55\xd6\xd5\xe2\xda\xaa\x9c\x2b\x4a\xca\xaa\x79\xc8\x5b\xd8\x47\x93\xec\x5f\xf6\xd3\x3d\x39\x55\x93\x97\xd6\xd3\xd1\x21\x4d\x96\xf2\x55\x5b\xd4\x79\xbb\x81\x45\xde\xc0\x94\xd1\x40\x72\xd8\x38\x72\x4a\xd5\xe4\x45\x97\xd2\x96\xef\xa1\xad\x05\xe1\xd9\x3c\xcd\x89\xc9\x94\xa1\xd3\x7c\x32\x4d\xd0\x11\x3a\x14\xe8\xc6\x30\xee\xcc\x98\x3a\xbe\x5d\x0b\x9d\x49\x8f\xf8\xcf\xa4\x57\xb0\x81\x82\x5c\xa1\x1b\x57\xc2\x27\xcf\x01\x36\x6e\xce\x8b\x78\xdc\xf4\x58\xf8\x77\xc5\x3d\x93\xa2\xdf\xd8\xee\x3c\x93\xbd\x9a\x5c\x2e\x4a\x39\xb9\xa1\xc7\x32\x62\x1e\xbc\x09\x4f\x26\x73\x9e\xb2\x74\xb6\xca\x03\xdb\xf4\xa3\x01\xa8\x83\x13\xb6\x49\x27\xec\x27\xfb\xe8\x82\x70\x9e\x9e\xa1\x19\xc7\x79\xda\x0e\x3b\xd1\x42\x5b\x64\x99\x9c\x76\xd9\x94\x3a\xb6\xac\xbc\x56\xa1\xe4\x4f\xec\x72\x4c\xce\xa3\xe6\x2a\x5a\x0a\xb0\x32\x7b\xc5\xef\x9b\x61\x64\xda\xe3\x07\x85\xb1\x09\x31\x36\x60\xf1\x1d\x61\xf1\x80\x30\x80\x30\x80\x30\xed\x82\x30\xd9\x4f\xf5\x09\x45\xe5\x71\xae\xa8\xec\x44\x42\xf5\xfa\xd2\x20\xe6\xbf\x34\xd8\xc1\xee\x11\x23\x4f\x99\x1f\xd9\xe9\xac\x0e\x0e\x94\x25\xad\xa2\xf0\xa0\x14\x81\xb3\x1b\xda\x99\x24\xcb\x52\x25\x77\xbd\xc3\x4b\x86\x87\xab\x1b\x1a\xe5\xbd\xd8\x6b\xfc\x73\x62\xb7\xfb\xc7\x55\x59\x2b\xc8\xee\x5f\x07\xdd\xbf\xea\x15\x4d\xaa\xc8\x05\x25\x37\x5a\x73\x9c\xa7\x15\xe3\xdf\xb7\xcd\x5f\x8d\x5e\x6e\x54\x1f\xba\xce\x82\x65\x9e\x67\xf6\x62\xa1\x12\xb2\x50\xf9\x68\x3f\x7d\xb8\x9f\x7d\xa8\x3f\xfa\xf3\xb6\xb5\x7f\x7b\x7f\xef\xec\x8a\xaa\x1c\x8e\xc6\x38\xf3\x40\x2e\xee\x14\x37\x26\xa7\x93\xe2\x3f\x14\x30\x71\x87\xf9\x47\x4b\xc4\xfd\x49\x45\x7e\xa6\xb1\x3a\x13\x67\xf3\x23\xf8\x4a\x49\x8f\x0d\x65\x75\xb5\x34\x2f\x72\xdd\x9f\x32\x5e\x0b\xf3\xdf\x0b\xd6\xcb\xe2\xfc\x71\x38\x78\xbb\x96\x79\xa9\x8f\x5e\xec\x63\x2f\xf4\x45\x3f\x67\xe3\xcb\x0f\xf6\xcd\xaa\x5a\x8e\x2f\xe2\x0a\x2a\x1f\x76\x35\x16\x5f\x31\xfe\x14\x8f\x4d\x7a\xee\x82\x73\x5f\xb1\xde\x5a\xd3\x9d\x08\xae\x51\x29\xc7\x6f\x9c\xc7\xc5\x15\x95\x9c\xf9\x3d\x95\x8b\x79\x3d\xa6\xde\x32\xc7\x54\xc4\x8d\x95\x65\xb5\x5c\x94\x53\x31\x71\x45\x2e\x4e\x60\x3d\x4b\xce\x5f\x7d\x07\xc0\xbe\x7c\x7c\x1b\xef\x96\x27\x6b\xa0\xa3\x84\xaa\x6d\xdf\x84\xc7\xfc\xbf\x09\xdb\xd9\x2b\xf8\x10\x50\x36\x43\xa7\xd9\xc9\xf8\x71\x5b\x5a\xe4\x71\xfe\x4e\x99\x2f\xb8\xef\x05\xe2\x03\xc6\x21\x6e\xf1\x90\x2d\x28\x4f\xf2\xef\x47\x29\x2b\xe4\x49\xa4\xfc\xaa\xc2\x25\x20\x34\xb9\xa0\xf0\x2f\x84\x57\xa1\x64\x75\xad\x22\x19\x13\xef\x96\xbc\x7c\x5d\x55\x6f\x7a\x42\x34\x6d\x00\xfb\xb7\x23\xec\x1b\xfd\xf4\xa0\x6f\x5b\xc6\xc7\x76\xcc\x87\xc8\x3e\x65\x36\x7c\x45\x34\x3c\xe5\x6e\x38\x79\xd8\x38\x61\xd2\xaf\xb9\xc5\x74\xbd\x13\x5b\x8c\x69\xff\x29\x49\xe2\x25\x78\x8e\x9e\xe5\x2f\xc1\x25\x9a\xa7\x0b\x81\x2f\x81\xff\x58\xae\xa7\x53\xf5\xba\x7c\xa7\xf8\xf6\x4d\xe1\xef\xce\x33\x6c\x41\xbc\x31\x75\xfb\xe1\xe3\x05\xa8\x37\x39\x28\xfa\xdd\x1d\x75\x1e\xf9\xb8\x3f\xf0\xad\xfb\xd4\x27\xcc\x73\x36\xfd\xc1\x67\xf2\xb4\x4c\x6f\xa8\x5a\xf1\xb4\xfc\xc9\x63\x1d\x04\x3a\xdc\x24\x1d\x7e\xb9\x8f\x56\x04\x1d\x5e\xa2\x6b\x0e\x1d\xee\xa4\x79\xea\x80\x69\xb4\x2c\xe0\xa6\x99\xb8\x30\xdc\xfc\x97\xbb\xea\x58\xc0\x27\x6d\xfe\x5c\xd7\xe8\x1d\x15\x87\x6d\xbe\xcd\x03\x94\x06\x94\x06\x94\x06\x94\x06\x94\x06\x94\xde\x30\x94\xfe\x74\x5f\x8b\xc3\xa3\x2e\x09\xc4\x7d\x8e\xe6\x5c\x88\xbb\xcd\x21\x57\xa1\x04\xb9\xc1\x95\x48\x23\x4b\x8b\x0d\xae\x56\x32\xff\x7d\x67\x9d\xa5\xc6\xb1\x10\x98\x5d\x77\x01\x72\x84\xa3\x90\x4d\x5d\x7f\x80\x70\xf7\xda\xaa\x07\x84\x1b\x84\x7b\x93\x09\xf7\x3f\xed\x86\xad\x6d\x18\xa0\xde\xbc\x2f\x4e\x76\x8e\xce\xb0\x99\xf8\x94\x8d\xb5\x87\xdc\x68\xbc\x5e\x33\xb5\x84\xbc\xe5\xfc\xfa\xe5\xdd\x34\x63\xf2\xeb\xb2\x22\xbf\xa9\x22\x97\x78\x18\xba\x5b\x59\x7b\x4d\xaf\xa8\xab\xd6\xba\xcd\xfd\xe8\x04\xb3\x1e\xd3\xf9\x9a\x80\xfd\xef\xbb\xd9\xdf\xf6\xd3\x2e\x4f\x33\xc6\x27\xf5\x20\x47\xd6\xe2\x20\xeb\xa6\x9d\x0f\xea\x14\x6f\xdd\x12\x1a\x98\xb6\x5b\x4f\xa6\x39\xb8\x76\x37\xb6\x98\x0e\x3a\x58\xac\x4a\x5a\x8c\xac\xdf\xdd\x47\x9a\x98\xbd\x37\x49\xe1\xb3\x37\x47\x12\x2d\x05\xcd\x5e\xa7\x9f\xa3\xb6\x3a\xb3\xf3\x51\xf3\x0e\xee\x7a\x3a\x15\x74\x2b\x77\x0a\xb1\x8b\xe1\xb3\x7c\x8e\x9d\x31\x03\xd8\x83\xfa\xe0\x47\x77\x7c\x66\x07\x45\x7f\x8a\x7c\x1e\xf8\x11\x0b\x58\x6f\xf8\x99\x1f\xb0\xb0\xf5\xe6\x3d\xf6\xcc\x1a\xe9\xf4\xc6\xaa\x05\x4c\xfb\x1f\x3b\xd6\x39\x20\xd8\x4d\x12\xec\xef\x8f\x6c\x8a\x9d\xba\x25\xa8\x79\x99\x4a\x0e\x35\xef\x72\x03\x59\x5e\xeb\xb4\x81\xcc\xfc\xcd\x4e\x1f\x03\x39\x59\xb3\xc9\xdc\xb0\xa5\x1c\x17\x5b\xcd\xcd\xb1\x93\xd8\x64\xf6\x9a\xf1\xc5\x26\x13\x9b\xcc\x4d\xde\x64\x76\xe9\x72\xbc\xb1\xcf\x49\xbd\x6f\xc4\x06\x3e\x35\xe1\x51\x58\x33\x34\xc5\x26\xe3\xa7\xec\xad\xe6\x13\xee\xad\x66\xd0\x35\x3a\xb0\xcd\x7c\xef\x10\x8d\x89\x6d\x66\x49\xae\xdc\x52\x35\xe3\xb5\x77\xf6\x98\xbc\xc2\x95\xc8\x47\x1e\x53\x4a\x05\xcd\xb0\x43\x3a\xfb\xcf\x09\xf6\xc5\x01\x62\xce\x09\x4b\xe6\x91\x51\xdd\x14\x4a\x29\xe5\x95\x75\x25\xbf\x26\x15\xdd\x7a\xc1\x92\x2d\x4a\x34\x27\x9a\x4a\xb9\x9c\x4b\x13\xb6\x5b\x2a\xc1\xdb\x48\x38\x82\x80\x1e\x85\x37\xb5\x2c\xdb\x3e\x43\xbd\x22\x4b\xf9\x54\x32\xcd\x4f\xb8\x60\xf7\x66\x51\x74\xc6\xbc\xc8\x79\x45\xaf\xcc\xaa\xda\x64\xb1\x68\x47\x33\xb7\xee\x8b\xdb\x9e\x3a\x50\xd9\x9b\x34\x2f\xde\xa8\x39\x3a\xc3\xdf\xa8\x49\x3a\x45\x27\x9a\xf8\x8a\x72\xdd\xe6\x99\x75\xb9\x14\xae\x6a\x7c\x2d\xfc\x7d\x99\x60\x47\xcc\xf7\xa5\x66\xae\x98\x2f\x8b\x39\xe6\xb5\x45\xd2\x6e\xec\xf1\x7f\x41\x76\x32\xe2\xf7\xcd\x95\x93\xb3\xa8\x7f\x85\xfa\x57\x59\x68\x9d\x42\xeb\x14\x5a\xa7\xd0\x3a\xed\x19\xad\xd3\x6c\xd7\x48\x79\xb6\xbc\x27\x4d\x6b\x4c\x66\xa1\x31\x09\x8d\x49\x68\x4c\x42\x63\x12\x1a\x93\x9d\xd7\x98\x6c\x39\x65\xc8\xf6\xb4\xaa\x5e\x16\xaa\x7a\xed\x53\xd5\xcb\x76\xbd\xaa\xde\x16\x2c\xa8\xc5\x3e\x7e\x8d\x86\x05\x15\xd4\x2b\xaa\x26\x15\x64\x57\xd8\x89\x90\xa7\x93\x2a\x15\x29\x77\xdd\xf8\xe6\xea\xec\x9f\x5f\x63\x1f\x18\x24\x32\x0f\x5d\x5a\x4f\x47\x53\xf5\x8b\xb8\x8b\x5c\xd3\x49\xbb\x89\xe4\x23\xc6\xf1\x0b\xe2\xfc\xc5\x74\xf5\xcf\x5d\x8e\xeb\x50\xb6\x1d\xd8\x0a\x65\xdb\x81\xad\x80\xad\x80\xad\x7a\x08\x5b\x75\x51\x05\x9a\xae\xc1\x56\x28\x8d\x02\x6c\x05\x6c\x05\x6c\x05\x6c\x85\xb2\xed\xa8\xdd\x70\xf7\x50\xa6\xae\xaf\xdd\xb0\x25\xcb\xb6\xaf\x88\xe2\xc9\xfb\x78\xf1\xe4\xc8\xc5\x73\xec\x38\xd5\x09\x16\x4e\x59\x28\x6a\x3d\x9d\xaa\x26\x44\x2d\xa9\xdb\xfe\xfa\xf0\x08\xa8\x63\xec\xa8\x4f\x84\xb9\x97\x91\x99\xa1\x50\xd5\x5d\xa4\xf8\xcf\xed\xf0\x30\xb2\x87\xec\x02\xed\x35\x38\xec\x31\xf1\x53\xfb\x81\x98\xe0\x57\x59\x3a\x4b\xb3\x55\x51\xdb\x87\xe8\x40\x33\x0f\x02\x11\xdb\x48\x97\x69\x32\x5d\xe6\xbb\x7d\x74\x46\x98\x83\xd3\x74\x92\x9b\x83\x23\xd4\xe4\x2c\x14\x42\x0d\x69\x2e\xd4\x60\xe7\xc0\x34\xdf\xda\x53\x42\xa8\x61\x96\xa6\x5d\x42\x0d\xcd\x37\x17\x66\xa7\x1a\xb3\x43\x1b\xb2\x3d\x9e\x58\xe5\x90\xb2\xef\xc9\x97\x47\x3c\x76\xea\x49\xdf\xfa\xeb\x35\x36\x6b\x58\x1c\x66\xdb\x2c\xa7\xe6\x7a\x9b\xad\x17\x2a\xae\x03\xe7\x02\xe7\x02\xe7\x02\xe7\xa2\xe2\x3a\x2a\xae\x43\x50\x0f\x15\xd7\xe1\x56\x80\x5b\x01\x6e\x05\xb8\x15\xe0\x56\x68\x89\x5b\x01\xba\xaa\xd0\x55\x85\xae\x2a\x2a\xae\xc3\x6b\x07\xaf\xdd\x16\xaf\xb8\xde\x18\x5a\x6e\x00\x22\xfb\xd3\xe7\x8d\x54\x74\x6f\x83\x62\xe2\x30\x8d\x07\x04\xad\x0b\x1d\x0b\xf3\xcf\xb9\xa2\xa4\xeb\xb2\x5d\xd9\xe7\x97\x86\xd9\xbb\xfa\xe9\x3e\x87\x78\x0b\x29\x8b\xc7\x7c\x0a\xfa\x98\x70\x7b\xca\x68\x20\xf9\xa8\x71\x80\x8d\xbb\xf9\x49\xee\xdf\x5b\x2c\x7a\x98\xa3\xb3\x62\xa6\x4c\xd2\x29\x3e\x53\x8e\xd2\x61\x3a\xd8\x80\xff\x81\x77\x2c\xe5\xee\xd9\x9d\x2a\x19\x2e\x85\x4f\xa2\xe3\x6c\xa2\x9e\x7f\xc2\xd3\x9b\x1a\xad\x88\xe8\xd7\xb7\xd7\x3e\x8e\xb8\x7f\xb1\x1d\xcf\x13\x79\xdc\x3c\xa6\x53\x0f\x25\x73\x8e\xe6\xe8\x4c\x95\xe3\xb4\xd9\xa7\x02\xfe\x06\xcf\x69\x93\x9e\xd3\x8f\xf7\xb5\xd0\x38\x3c\x25\x5c\xa7\xb3\x34\xed\xb8\x4e\x37\xc5\xd6\x70\x51\xc0\x76\xdb\x9a\xe4\x8f\xee\xaa\xb5\x35\xaf\xb1\xcb\xda\x78\xcc\x4b\xac\xca\xc3\xd9\x6e\xeb\x82\x6a\x35\xa8\x56\x73\xf7\xc2\x75\x50\x15\x50\x15\x50\x95\xb6\x55\xab\xf9\x44\x2b\xd7\x04\x17\x44\x00\xd4\x19\x9a\x71\x05\x40\xb5\x71\x51\x10\x5e\xa5\xa6\xdd\xeb\x82\xcc\x0f\xed\xac\x5d\x17\xec\x0d\xa9\x41\xe3\x59\x2d\x3c\xc6\x85\x1f\x3b\xb1\x58\x80\xea\x6f\xaf\x2d\x51\xa0\xfa\x0b\xd5\xdf\x4d\x56\xfd\xed\x24\x8f\x6a\xb7\xb1\x0f\x57\xef\x3d\x4a\x87\xd9\xc1\xf8\x7e\x5b\xbd\xf7\x41\xb7\x7a\xaf\xbb\xf1\x0e\x28\xf6\xfe\xa7\xab\xf4\xd0\x98\x54\x56\xc6\xd6\xd3\x63\x65\xbb\x7c\xbb\x50\xe5\xd0\xd9\x67\xaf\xb2\x77\x0d\xd2\x3d\x39\x55\x6b\x44\x88\xa3\xba\xfc\x7b\x32\x6a\x1c\x3f\xa5\x6a\xf2\x62\xba\xfa\x37\xa8\x70\x40\x85\x03\x2a\x1c\x08\xdb\x46\xd8\x36\xc2\xb6\x11\xb6\xdd\x35\x61\xdb\xdd\x13\x95\x8c\x70\x59\x84\xcb\x22\x5c\x16\xe1\xb2\x08\x97\xed\xe9\x70\x59\xc4\xf3\x21\x9e\xaf\x47\xe3\xf9\xb6\xa4\x0a\xc7\x06\x49\x5e\x4e\xd5\x78\x5a\x7b\x35\x1e\x6a\x89\x04\xc7\xa5\x70\xd2\x37\xc6\x46\x4d\xd2\x17\x8f\x9b\x74\xaf\xba\x2b\x9e\x48\xc5\xf8\xbf\xd8\xe1\xe0\x30\x47\x73\xa3\x86\x7c\xed\x16\x3f\xb5\x99\x7d\x09\x54\x75\x86\x66\x68\xaa\xca\x61\xb2\x9f\xd2\x1b\x1e\x73\x78\x4a\x10\x33\xd6\x64\xcc\xd8\x3f\xf4\xd1\xb4\x78\xed\x4f\xd0\x31\xfe\xda\x1f\xa4\x66\xa6\x20\xcd\x89\x78\xb1\x0c\x9d\x76\xe2\xc5\x9a\x6c\x2a\x2b\xdc\xcc\x53\x34\xe9\x72\x33\x37\xd9\x56\xf3\x96\x88\x8b\x60\x34\x68\x89\x7c\x42\xa2\x83\xad\x52\xf2\x0f\x47\x1c\x4b\xe4\xaf\xaa\x51\x63\x95\x06\xc5\x61\xc2\x2a\x39\x92\x1a\x6d\xb6\x4f\x90\xd4\x00\x9b\x05\x9b\x05\x9b\x05\x9b\x85\xa4\x06\x24\x35\x10\xf5\x0b\x49\x0d\xf8\x08\xe0\x23\x80\x8f\x00\x3e\x02\xf8\x08\x5a\xe2\x23\x40\xf2\x07\x92\x3f\x90\xfc\x01\x49\x0d\xb8\xe0\xe0\x82\x6b\xb9\xa4\x46\x10\xfa\x6d\xad\xd6\x86\x05\x92\xdb\xe0\xb2\xda\x5c\x19\x8d\xdf\x8d\xd0\xbd\x42\x46\x43\x2a\x97\xf5\x31\xf6\x6b\x11\xf6\x2b\x11\x1a\x30\xfe\x27\x1a\x2d\x70\x0b\x6d\x7c\x27\xec\x07\x28\xc5\xf8\xcd\x25\xef\x2b\xc8\x95\xc9\x72\x59\x9f\x9c\x9f\x3b\x63\xfc\xa1\x75\x4c\xba\xa6\xa1\x89\x9a\x86\x26\x1a\x69\x28\xab\x88\x4c\xb6\x7d\x3c\x93\xcd\x98\x02\xa7\xe8\x04\x1d\x6b\x62\x0a\x58\xf7\x18\xe6\x66\x60\x9f\x1d\xa2\x7d\x62\x30\x97\x8d\xf7\x61\x6c\x3d\x2d\x5e\x8c\xb1\x92\xb4\x2a\xeb\x65\x29\x67\xe9\x90\xf0\x7f\xbf\x65\xec\x86\xba\xac\xb3\x1f\x1c\x62\x3f\x39\x40\xdb\xf9\x19\x4b\xeb\xe9\xa8\x6a\xae\xdc\x4b\x79\x65\x5d\xc9\xaf\x49\x45\xb7\x23\x59\xb2\x77\xc9\x59\x75\x39\xe5\x5a\x03\x4d\xd8\xab\xa7\x04\x3f\x3f\xe1\xd0\x69\x0f\x6e\x54\xcb\xb2\x4d\x38\xf4\x8a\x2c\xe5\x53\xc9\x47\xf8\x09\x19\xe3\x3f\x8b\xe9\x0b\x56\xef\xf2\x59\x75\xf9\xbc\xa2\x77\x7b\x39\xce\xec\x4d\x9a\x17\x4f\x79\x8e\xce\xf0\xa7\x3c\x49\xa7\xe8\x44\x13\x4f\x99\x3b\xee\x67\xd6\x1b\xd1\x6c\x3f\x1b\x6e\x05\x9e\x64\x7b\x4c\x2b\xc0\x1f\xac\x69\x08\xb2\xea\xb2\xf7\xdd\xdf\xe3\xff\xee\xef\x64\xc4\x6f\x91\xfb\xc9\xb3\xc8\x75\x40\xae\x43\x16\xfe\x34\xf8\xd3\xe0\x4f\x83\x3f\xad\x67\xfc\x69\xd9\xae\x71\x17\xb5\xbc\x27\x4d\xfb\x31\xb2\xf0\x63\xc0\x8f\x01\x3f\x06\xfc\x18\xf0\x63\x74\xde\x8f\x91\x7d\x03\xbd\x9e\x5d\x8d\x3f\x67\xeb\x02\x4c\x98\x57\x16\xf1\xa4\xc6\x02\x67\xad\x72\x3d\xa6\xe7\xd4\xb2\x3c\x12\xd3\xd7\x72\xd7\x8d\xd1\xe7\x2b\x58\x59\x5a\x15\x40\xbb\xac\xa9\xfc\x4e\xe3\x3b\x6c\x0c\xd0\x4e\xf9\x80\x6c\x4f\xb3\xe1\x2c\xd8\x70\xfb\xd8\x70\xb6\xeb\xd9\xf0\x16\x4c\xcf\x60\x5f\x4d\xd2\xac\x20\x88\x39\x55\xd5\xf2\x4a\x89\x37\x52\x2d\x6d\x1c\x80\x13\xb9\x17\xd5\x56\x3a\x7e\x5f\x92\xfd\x70\x3f\xbd\xda\xdd\x8e\xad\x6d\xf5\xa0\x8f\xdc\xf1\x79\xe3\xec\xe4\xa0\xf1\xcb\x94\xeb\x1c\x53\xcc\xca\xe1\x82\xfc\xb8\x16\xeb\x1d\x4b\x34\x2b\x20\xde\x29\x3a\xc1\x21\xde\x61\x3a\x48\xfb\xeb\xc4\x81\xbb\xc6\xc6\x12\x99\xe1\xfd\xba\x53\xb5\xe3\x6b\xe1\x64\x6f\x82\x1d\x31\xc9\x9e\xcf\x23\x32\x39\x9f\xe8\x4b\xad\xd6\xf1\xd7\xb6\x07\x3c\x90\x87\xfd\x05\x8f\xc5\x33\x19\x36\x7f\xec\xf4\x63\xc9\xcc\xd1\x19\x9a\xa9\xca\x5c\x69\xee\xb9\x20\x38\x12\xb9\x2b\x4d\xe6\xae\x7c\xa4\xaf\x65\xc6\xe1\x9c\xc8\x5e\x99\xa6\x8c\x93\xbd\xb2\x09\x96\x86\x6b\x1d\xb7\xd7\xd2\x24\x3f\xb0\x2b\xc0\xd2\xbc\xca\x96\x3b\x16\xc6\x65\xc8\xca\x39\xe9\xb0\x6d\x81\xde\x31\xf4\x8e\xef\xde\xc8\x67\x84\xbc\x21\xe4\x0d\x21\x6f\x6d\xd3\x3b\xfe\x74\x1f\x5d\x12\xe9\xa3\xe7\x68\xce\x95\x3e\xda\xa6\x82\x3a\xed\x89\x25\x6a\xef\x0a\x20\x5c\x56\x39\xf3\xee\x9d\x01\x6b\x84\x27\x42\xa4\x8f\xc5\xca\x21\xc1\xe5\x32\x3b\xb9\x70\x80\xf6\x71\xaf\x2d\x57\xa0\x7d\x0c\xed\xe3\x4d\xd6\x3e\xee\x1c\x9b\x6a\xf3\x07\x21\x54\xf7\x78\x9c\xf6\xb1\x54\x7c\xc4\xf6\x6f\xdc\xef\xd6\x3d\xe6\xad\xd6\x0a\x1e\x6f\x3d\x9f\x08\xfb\xab\x41\xba\xdf\x92\x54\x96\x4b\xf9\xb2\xaa\x94\x2a\x3a\xfb\xa3\x41\xf6\x42\xbf\xa3\xd8\x90\xa8\x2f\xa5\x3c\x63\x9d\x97\xdc\xe3\x68\x28\xdb\x7f\x9c\x55\xb5\xc9\x62\xd1\xfe\x0c\xb6\x4e\xfd\xbf\x4d\x31\x94\x57\x69\x52\x4c\xf1\x09\x3a\xc2\xa7\xf8\x38\xed\xa3\x54\xa8\x0c\x87\x7d\xbf\x2d\x51\x03\x3a\x17\x3e\xfb\x87\xd8\x60\x75\x68\xb5\xdd\x07\x4f\x5c\x25\x42\x26\x11\x32\x89\x90\x49\x84\x4c\x22\x64\x12\x21\x93\x08\x99\x44\xc8\x24\x42\x26\x11\x32\x89\x90\x49\x84\x4c\x22\x64\xb2\xc3\x21\x93\x08\x68\x44\x40\x23\x02\x1a\x7b\x38\xa0\xf1\x4b\x83\xf4\x2a\x1b\xb6\x71\xb8\xc2\xfe\xe3\x20\xfb\x55\x17\x69\xdb\x13\x42\xda\x8c\x93\x92\x8f\xb9\x28\x9b\xf1\x87\xad\x46\xd8\x9e\xa5\x13\x82\xb0\x1d\xa2\x03\x9c\xb0\xa5\x68\x84\x92\xe1\x84\xcd\xb8\xd7\x96\xd0\xb5\x33\xe1\x74\xed\x09\x16\xaf\xa1\x6b\x3c\x1d\x1a\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x6d\x33\xc8\xda\x0f\x0d\xd3\xbc\xa9\xdc\x98\x37\x96\xb2\x8a\x5a\xd2\xe4\x82\xc2\x63\x9b\x7d\x72\x86\x85\x10\x21\xdf\x38\x4a\xc6\x72\xe5\x96\xbc\x7c\x5d\x55\x6f\x7a\x36\x80\x3a\xfb\xe5\x21\xf6\x0b\xdb\xe8\x11\xdf\x16\xed\xf0\xf0\x1f\xec\x6b\x4c\xa2\x70\xd1\xbe\xd8\x15\x71\xb1\x29\xf7\xc5\x5a\xa4\x5e\x38\xc5\x4f\x98\xf4\xeb\xb0\x19\x8e\x5e\xbf\x1b\xd0\x38\xf4\x07\x8a\x8d\x28\x13\xde\xf8\xbe\x70\xaa\x78\x95\x3d\x67\x52\xc5\x7a\xd3\xd4\xe4\x8d\xf5\x1f\x55\x6d\x4c\x2b\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x64\xa7\x68\xe4\x3b\x87\xe9\xa0\xa0\x91\x42\xef\xa3\x8a\x3b\x96\xd5\xbc\x2e\xe7\xd6\x34\xa5\x72\x9b\xff\xae\x38\x3a\x85\x2f\x0d\xb1\xe7\xb7\xd1\xab\xc4\x69\x36\x63\xfc\x55\x93\x31\xba\xc1\x62\xc9\xb2\x67\x56\x6c\xe0\x3c\x17\xdf\xe1\xad\xce\x9b\xc2\x28\x2d\x60\x8a\x23\xce\x2a\x86\xaf\xd4\xcc\x6f\x9e\xb1\x10\x72\x96\x67\x09\xcf\x8a\xd8\xd5\x76\x2a\xb9\x87\x5f\x4e\x74\xc8\x44\x90\x35\x1d\x05\x71\xac\x25\x8e\xc1\xf9\xe9\xbc\x63\x74\xe3\x6a\x38\x6d\x3c\xca\x0e\x9b\xb4\x51\xcc\x27\xab\x00\x53\xf5\xf8\x03\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x6e\x3a\x4a\x3c\x49\xc7\xd9\x44\xfc\x88\xad\x28\xf6\x88\x5b\x85\xac\x66\x23\x57\xab\x48\x06\x14\x09\x14\x09\x14\xd9\xc3\x28\xf2\xaf\x23\xf4\xb0\x55\xd2\x5a\x91\xdf\x54\x91\x4b\xfc\x69\x59\x01\x91\xec\xf7\x22\xec\x77\x22\xf4\x4a\xcf\x8f\x75\x6b\x5d\x3f\xc8\x6b\x5d\xbb\x8e\x46\xd1\x6b\x57\xd1\xeb\x7f\xfe\x10\x1d\xa9\x2a\x7a\x5d\xa7\xdc\xb5\x49\x7d\xc7\x74\x2e\x85\xcc\x7e\xfb\x41\xf6\x9f\x23\xae\xe2\xd7\x31\x5e\x98\x46\xfc\x68\xcd\x67\x67\x71\x94\x55\x97\x93\x8f\x1a\x47\xf8\x15\xab\x16\xe2\xca\x2d\x2e\x4c\xb3\x40\x47\xc4\x70\xa6\x69\x8c\x0f\xe7\x30\x25\xe8\xc9\xc0\xbc\x6d\x7e\x1f\xc6\xe8\x65\xd5\xe5\x3b\x2d\x45\xd3\xb2\x22\xd3\xd1\x9f\xdc\xee\x1a\xe1\x3d\x56\xa5\x99\x7a\x83\xfc\xb8\x79\x50\xa7\xc6\x39\x73\x8c\x8e\xd2\xe1\x2a\x61\xe5\x46\x07\x1a\x2a\xca\xa8\x2d\xd3\x64\x6d\x99\xf7\xf4\x09\x5d\x86\x34\xd7\x65\xb0\x6b\xc2\xb4\xe0\x25\x6f\xde\x6e\x34\x58\x3f\xa6\x31\xf3\xe0\x6f\x11\x3c\x46\x23\xf3\x95\x7b\x5d\xe6\x61\xa4\x46\xfa\xbd\x9e\x9d\x78\x8c\x2b\x07\x77\xc2\x4a\x40\xfa\xbd\xd7\x8c\x16\xa4\xdf\x21\xfd\xbe\xc9\xd2\xef\xed\x5c\xfd\x85\xa9\xb1\xb7\x6e\xfd\x97\xdd\x47\x29\x36\x12\x4f\xda\x44\xe5\x3e\x37\x51\xc9\xaa\xcb\x77\x85\xaa\xfb\x77\x76\xd3\x65\xb1\x0d\x59\x29\xaa\xb7\x8c\x37\x52\x53\x8b\x29\xdb\x25\x5c\x9d\x0e\x57\xd6\x14\x55\x53\x2a\xb7\x8b\xf2\xba\x5c\xf4\x26\xc1\x55\x6d\x51\x7e\x66\x37\x7b\xeb\x00\xed\x76\xb5\x3a\x69\x35\x6a\x47\xab\x1c\xae\xbb\x6d\x99\x37\xaf\x75\xde\xb8\x96\x27\xa3\x29\x79\xca\x38\x71\xd6\xa7\x69\x2b\x70\x24\xf0\xd4\xb6\x6c\x77\xd6\xe8\x39\x31\xe1\x17\xe8\x69\x3e\xe1\xcf\xd1\x1c\x9d\x09\x9c\xf0\xee\x91\xb6\x4a\x1d\x04\xf7\xf8\x4e\x37\x44\xff\x24\xfc\x85\x78\x96\x2d\x9a\x2f\x44\xbd\x49\x60\x05\x85\x04\xf7\xb4\xb6\x72\xe7\xdb\x28\x64\x0a\x4c\x84\xed\xab\xea\xcc\x82\x8c\x79\x6e\xd7\x4c\x84\xcc\x35\xfa\x5e\x7a\x5d\xd5\x6a\xa7\x75\x33\x01\x8b\x1f\xec\xd8\x9a\xdc\xb1\xfd\x49\x5f\x5b\x4d\xd4\x92\xd8\x0d\x3e\x4b\x8b\xce\x6e\xb0\x4b\x6c\x20\xdf\xf5\x35\x66\x03\x6b\xcc\x57\x4b\x8c\x62\xe6\xbb\x3b\x43\x6c\xe0\x54\xc3\x9b\xc7\x3a\xc6\xf0\x34\x5f\xff\x74\x85\x29\xc4\xa6\xb3\xd7\xec\x2e\x36\x9d\xd8\x74\x6e\xf2\xa6\x73\x73\xd7\xe0\xa1\xdb\xd2\xcd\x5c\x85\x67\xcf\xd0\x0c\x9b\x8a\x4f\xda\xfb\xd2\x41\x4f\x6c\x40\x60\x4b\xed\x0f\x12\x60\x3f\x32\x44\xc9\xaa\xfc\x07\x27\xf5\x21\xaf\xe8\xda\x1a\x7f\x23\x96\xd7\xf2\x05\xb9\xa2\xb3\xaf\x26\xd8\x1f\x0f\xd0\x0e\x3b\xe9\x21\xfa\x7d\x8d\x49\xaa\xcc\xab\xf9\x69\xbb\xb1\x0c\x6f\xac\x45\x3a\x2a\x07\x3c\x59\x0b\x3e\xd7\x39\xaf\xe8\x5b\x4e\x76\xb9\x6b\x85\x53\x5e\x17\xfe\x16\x1d\x62\x07\x02\x52\x19\xaa\x9f\x0c\x04\x9a\x91\xc7\x80\x3c\x06\xe4\x31\x20\x8f\x01\x79\x0c\xc8\x63\x40\x1e\x03\xf2\x18\x90\xc7\x80\x3c\x06\xe4\x31\x20\x8f\x01\x92\x28\xc8\x43\x40\x1e\x02\xf2\x10\x36\x25\x0f\xe1\x0f\x87\x69\xc2\x2a\x7d\x26\x50\x60\x40\x5c\xbc\xd5\xd8\x1b\xd7\xd4\x8a\x64\xeb\xa2\xbc\x77\x98\x7d\x7d\xc0\x29\x93\xf6\xc9\x46\x04\x51\xac\x6d\xde\xd3\x46\x4b\x5d\x21\x86\x12\xe7\x97\x13\x95\xdb\x9c\x00\x51\x4f\x3f\xbb\x1f\x22\x06\x06\xf9\xb6\x9c\x2e\x5a\x10\xf1\x62\x38\x1f\x1c\x61\xc9\xea\x72\x6d\x9e\x61\xf5\x50\xc1\x50\x71\x15\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\xc3\x0e\x63\xc3\x09\x3a\xc2\x0e\xc5\x0f\xd8\x21\x4e\x0f\xb9\x43\x9c\x3c\x1b\xbc\xbb\x21\x6d\x07\x50\x13\x50\x13\x50\x73\x0b\x41\xcd\x8f\x0e\xd3\xfe\x86\xa0\xa6\x2e\xe7\x34\xb9\x62\xd3\xcc\x6f\x0e\xb1\x3f\x72\xd1\xcc\x5f\x6a\x84\x66\x2e\xf0\x26\xba\x02\x63\x3e\xec\x8b\x31\x45\x07\xbb\x9f\x5f\x76\xa1\x96\xf3\x86\xb2\x5b\x6d\xc0\x29\x06\x1c\xf1\x8e\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x9b\x09\x2e\xf7\x53\x9a\x8d\xc5\x47\x6d\xf8\xc8\xdc\xe0\x52\x6c\xdc\x40\x2c\x41\x2c\x41\x2c\x41\x2c\x3b\x4a\x2c\x3f\x1f\xa1\x9d\x6e\x7d\x62\xf6\x99\x08\xfb\x3f\x23\xb4\x8d\xff\x5f\x5d\xdd\xe7\x5d\x05\xb9\xc2\xb5\x2d\xa1\xf7\xec\xd2\x7b\xfe\x17\x49\x9a\x14\xe3\x99\x53\x55\x2d\xaf\x94\x78\x07\x1d\x7d\xb5\x20\x20\x5c\x94\x25\xdd\xa9\xfa\xf7\x9b\xc3\xec\xdb\x11\xba\xcf\xdd\xc4\xd2\x7a\x3a\xfa\x20\x17\x52\xf3\x72\x87\xf3\xc6\x89\xc9\xc7\x8d\x5f\xa6\x5c\x87\xbb\x41\x2c\x3f\xa4\xc5\x5a\x68\x57\x69\x52\x8c\xec\x04\x1d\xe1\x23\x3b\x4e\xfb\x28\x15\xa8\xc3\xe0\x19\x8c\xf5\x74\x8a\x77\xe9\x4e\x25\xcf\x9e\x0d\xa7\xa4\x07\xd9\x7e\x93\x92\xfa\x3c\x0e\x13\x9b\x8a\xbe\x78\x34\xa1\x7f\x67\x7b\xed\xe0\x3f\x6c\x49\x98\xf9\x8d\xff\x13\xe6\x8f\x1d\x7c\x04\x99\x69\xca\xd0\xe9\x2a\xf9\x9b\x0d\x3f\x03\x88\xde\x40\x6c\xac\x49\xb1\xb1\x9f\xed\x6b\x85\x0d\x98\x15\x9a\x62\x86\x61\xb6\x35\xc5\xda\x61\x4b\xda\x66\x2c\x42\x44\xc9\x92\xef\xd9\x55\x6b\x4b\x5e\x25\x76\x76\x31\xc9\x34\x1f\x7b\xc4\xff\x77\xd2\x7a\x5c\xa6\x4b\x34\xef\xb6\x1e\xc9\x0c\x9d\x6e\xe2\xcb\x38\xcd\x7b\x7e\x91\xfb\x0f\x74\x58\x93\x30\x6b\xf2\x72\x84\xbe\x1a\x61\x5f\x89\x44\xbf\x6c\x0f\xd0\xc7\x22\x97\xdd\x0b\x53\xc5\xd8\x1f\xf1\xc5\x65\x6c\x59\x5e\x11\xbe\x33\x7b\xa3\xea\x38\x68\x4c\x36\xc0\xbb\xe8\xb2\x16\x25\xb5\x34\x5a\x92\x0b\x12\x1f\x08\x73\x6d\xea\xb6\x2a\x02\x59\xd9\x8f\xc0\x9c\x87\xca\xea\xaa\x9c\x37\xec\x56\xf1\xb6\xe3\xd4\x72\x1c\x19\x4a\x71\xc4\x5c\xb2\xf2\x45\x7b\xac\xa0\x19\xdf\xc1\xb2\xac\x29\x6a\xde\x5e\x7a\x3b\x9f\x44\xee\x2f\xb4\x46\x63\x4d\x37\x3a\xe9\x5e\xee\x4b\xc6\x99\xd6\x0d\x99\x17\x59\x11\xf0\xc6\x6a\x22\x25\xfa\x29\xb4\xa7\x7c\xfa\x18\x67\xbc\x0b\xf3\xbc\x07\x3e\x4b\xf1\xcc\x17\x22\xf4\x52\x84\xbd\x18\x89\xbe\x60\x0f\xf3\xfb\x23\xd3\x2e\x4f\x79\x99\x2f\xb8\x6c\xd2\x36\xaf\xa9\x65\xa9\xc0\x1f\x80\x10\xf9\xf1\x38\xdb\xac\x7b\x71\x5c\xed\xc6\x53\x4a\xa7\x0e\xa7\x62\x0b\xe2\x81\x88\xd1\x29\x1b\x3b\x31\x63\x37\x6b\x41\x5b\x39\xa6\x6a\xe5\xeb\x52\xc9\x72\xfe\x69\x6b\xf2\xd8\x8a\x54\xb4\x9c\x1c\x71\xf1\x6b\x3c\xb6\xa2\x94\xa4\xa2\xf2\x66\x8b\x96\x2e\xcb\xc6\x52\x9f\xef\xfd\xc6\xc4\x12\x3f\xef\x10\x74\xd1\x78\x42\x77\x4e\x12\x6e\x85\x54\x6c\x46\xe1\xd3\xd9\xd5\x71\x55\xab\xbd\x33\x67\x1f\x5d\x11\x5e\x0d\xfe\xb2\xa9\x95\xeb\xa9\xf8\x2e\xd1\x9f\x69\xeb\x46\x3c\x5e\xc4\xcc\x3b\x07\xe8\x1d\x03\xec\xf9\x81\xe8\x77\x6d\x57\xf2\x97\xfa\xaf\x98\xd8\xd1\x78\xa5\x8c\x8d\x6c\x41\xd2\x96\xa5\x82\x1c\xcb\xa9\xc5\xa2\xcc\x0d\xa1\xf3\x5e\xc8\x9a\xb1\x91\x30\xc6\xc2\xb7\xa7\x17\xab\x2e\x1e\xdc\x51\x3e\x9f\xad\xc9\x28\xf4\x7f\x8c\x79\x9a\x97\x73\x4a\xde\xf1\x1f\x70\x14\x2d\xb4\xc9\xac\xd1\xd5\xf9\x76\x86\xff\x6a\xc1\xe6\x94\x6b\x18\x2d\x4c\x69\x6f\x5e\x6d\x07\xb2\xf7\x62\xa9\xd8\x64\xce\xd8\xe7\xf2\x4f\xac\xdb\x38\x24\xc4\x3d\x24\x62\xa3\xe6\x83\xf7\x4e\x0c\xfd\x58\x2c\x91\x91\x72\x37\x8d\xaf\x4c\x29\x6f\x1c\xc5\x3d\xb7\xfc\xa0\xaa\x81\x13\xbe\x01\x73\xea\x7b\x1b\xb1\xee\x60\xd9\x6e\xe9\x58\x2c\x31\xab\x6a\xb2\xab\xd9\x58\x4e\xd2\x73\x52\xde\xb8\x7b\x73\x7c\x84\xaf\x9e\xb7\xa7\x0b\xeb\x55\xd3\xe0\x8a\xdd\x46\x2a\x7e\x7f\xb9\x7a\xde\xb8\x3f\xfd\x9f\xee\xa3\xf3\xe2\xd3\x3f\x43\x53\xfc\xd3\x7f\x82\x8e\xd1\xd1\x26\x3e\x1f\x42\x94\x92\x2e\x19\xad\x8d\x73\x31\xb7\xed\x62\x6c\xe5\xfc\x9d\xb6\x19\xb6\x22\x88\xf9\x7f\xb7\x77\xb0\x7b\xc4\x30\xb5\x71\x83\x91\xf9\xd6\xbd\xb5\x8b\x82\x27\x6a\xf4\x41\xfd\x76\x1a\xf1\xb2\x88\xb5\xe9\xc8\x4a\x01\x12\x9f\xbd\xb6\x3e\x81\xc4\x27\x24\x3e\x37\x59\xe2\xb3\x23\x68\x29\x54\xc9\xb3\x6d\xb6\x3f\x3b\x4e\xfb\x58\x2a\x3e\x62\x7b\x75\xee\x77\xbb\x82\xf8\xf1\x77\x83\x27\x88\xbd\x2f\x49\x63\x55\x9a\x9f\x66\x71\x09\x35\xaf\x9b\x55\x4a\xf9\x2f\x8a\xc3\x3d\xff\x7c\x98\xfd\x68\x3f\xbd\xca\x16\xfe\x14\xc2\xd9\x4f\xf8\x60\xcf\x9a\x52\xa7\xc9\xb8\x71\x94\xa5\xd0\x29\xa4\xb0\xab\x8f\x69\x31\x03\x2d\x6c\x68\x11\x94\x32\xd7\x8e\xb6\x0c\x6d\x75\xef\xee\x14\x87\x5e\x0d\x9f\xb1\x47\xd9\xe1\x00\xd5\xcc\xaa\xae\xd4\x96\x78\xf8\xf6\xf6\x9a\xe7\x92\xf0\x27\xa2\xb5\x8f\xe6\x49\xf3\xc0\x4e\x3e\x9d\xcc\x45\x7a\x8a\xce\x55\x2d\x1d\xee\xe4\xf1\x60\xed\x00\x52\xda\x24\x29\xfd\xb5\x3e\x7a\x5a\x60\xce\x2c\x9d\x75\x30\x67\x9b\xcc\x45\x6b\xad\x52\x83\xa5\x17\x1a\x33\x3e\x41\xa5\x17\x42\xac\x51\xf2\xa7\x77\xd5\x18\x9f\xa8\x8d\x50\x6b\xed\xcd\x13\xe2\xb7\x8e\x9a\x1b\xf0\x54\xf0\x54\xf0\x54\xf0\x54\xf0\x54\xf0\xd4\x76\xf3\xd4\xf0\xb5\xc1\xc6\x79\xea\x9d\x6f\x4f\xc2\x79\x6a\x5b\x77\x28\x99\x7f\xb5\xb3\x66\x91\xb0\x2f\x04\xa9\xd6\x2e\x1d\xf6\x94\xdd\x85\x1e\xda\xbd\x72\x00\x5f\xed\xb5\xf5\x0a\xf8\x2a\xf8\xea\x26\xf3\xd5\x4e\x63\xab\xb6\x5a\xfd\x50\x90\x9b\x3d\x49\xc7\xd9\x44\xfc\x88\x8d\x4e\x1f\xf1\x54\x45\xaa\xbe\x42\x07\x8a\x21\x7d\x7b\x98\x32\x0d\x89\x04\x58\xe6\xaf\x54\x59\x57\x8b\x6b\xab\x72\xae\x28\x29\xab\x36\x2b\xfd\xc4\x30\x7b\xdb\x36\x47\x33\xe0\x33\x8d\x68\x06\xcc\xdb\x2d\x2e\xf2\x16\xa7\x8c\x16\xbb\x42\x42\x20\xe9\x2b\x21\xe0\xdb\x5f\x28\x0a\x34\xa1\x28\x70\x25\xfc\x25\x3c\xc0\xc6\xab\x15\x05\x7c\xc7\x1f\x02\x03\x10\x18\x80\xc0\x00\x04\x06\x20\x30\x00\x81\x01\x08\x0c\x40\x60\x00\x02\x03\x10\x18\x80\xc0\x00\x04\x06\x20\x30\xb0\x99\x02\x03\x19\x3a\xcd\x4e\xc6\x8f\xdb\x98\xe3\x71\x0f\xe6\xf0\xdb\xc7\xdd\x0d\x51\x66\xd0\x1b\x80\xde\x00\xf4\x06\xb6\x90\xde\xc0\xfb\x87\xe9\x90\x88\x0a\x95\xca\x65\xbd\x4e\x42\x7c\x5e\x92\x57\x8d\xa5\xa1\x23\x92\xfa\x5f\x87\xd8\x7f\x89\xd0\x3d\xc6\x79\x4b\xeb\xe9\xe8\x6e\x9f\xa8\xd0\x69\x7e\xd2\x82\x5c\x49\x3e\x62\xfc\x3a\x59\x2e\xeb\x6e\x9c\x68\xff\xdc\xe2\x40\xd0\x67\xe9\x84\x20\x7e\x87\xe8\x00\x27\x7e\x29\x1a\xa1\x64\x20\x51\x37\xee\x80\x87\xfa\x58\xdd\xb9\xd3\xc8\xcf\xa7\xc2\xe1\x5e\x92\x0d\x99\x70\xcf\xb8\xba\x89\xf7\x9c\x0e\x78\xb2\xdf\x7f\x61\xbb\x33\xca\x8f\xf9\xc7\x78\x3a\x03\x1d\x33\x0f\xe8\xd0\x58\x67\x4e\xd3\x49\x3a\x5e\xe5\xb1\xdc\xd0\x60\xc3\x47\x89\x38\xce\x26\xe3\x38\x7f\xb2\xef\x4e\x5f\xf4\x8c\x08\x03\x3d\x46\x47\x9d\x30\xd0\xce\x19\x0b\x1e\xa9\xd9\x5a\x63\x91\xfc\xee\x7d\x8e\xb1\x60\x76\x4c\xa6\x63\x1f\x1e\x13\x7f\xeb\x94\x79\x40\x18\x26\xc2\x30\x11\x86\x89\x30\x4c\x84\x61\x22\x0c\xb3\x37\xd3\xda\x5b\xfb\x7d\x0f\x8f\xea\xcc\xfc\xf9\xbd\xce\x0a\x60\x28\x24\xe0\xd2\x59\x17\x3c\xca\xc3\x73\x3a\xb0\x2c\x40\x8c\x65\xaf\x2d\x46\x10\x63\x89\x18\xcb\x4d\x8e\xb1\x6c\x3b\x11\x6a\xb1\x95\x0f\x8d\xa2\x3c\x44\x07\xd8\x78\x7c\x9f\xed\x1a\x78\x8d\xdb\xbd\x60\x37\x7a\x37\xb8\x14\xd8\x07\x93\xf4\xb4\x89\x28\xd7\x2a\xaa\x9e\x93\x8a\x4a\xa9\x10\x1a\xac\xc9\x9f\x8f\xf1\x36\x17\xcb\x6a\xde\x3a\x51\xd6\x6c\x7a\xf9\x87\xc3\xec\xa7\xb6\xd1\xab\x5c\x4d\x1a\xdf\xcb\x5f\x6f\x24\x6a\xf3\xac\xdd\xf4\xbc\x9a\x9f\xb4\x9b\xee\x8a\xb8\xcd\xfd\xfc\x72\x93\xce\x5d\xb9\xbf\xe6\x01\x1d\x47\x00\x67\xed\xfb\xbc\x1c\xfe\x3e\x9f\x62\x27\xac\xf7\xd9\x19\x6e\xf3\xb5\x0e\x18\x69\x54\xb9\x47\x2c\x27\x62\x39\x11\xcb\x89\x58\x4e\xc4\x72\x22\x96\x13\xb1\x9c\x88\xe5\x44\x2c\x27\x62\x39\x11\xcb\x89\x58\xce\xae\x8e\xe5\x9c\xa6\x0c\x3b\x1d\x3f\x69\x43\x93\x3d\x6e\xd8\x12\xb0\xd5\xbb\x1b\xd0\x0b\xa2\x39\x11\xcd\x89\x68\xce\x2d\x14\xcd\xf9\xfc\x28\xcd\xfb\xa0\xd2\x71\x21\xf4\xd9\x24\x29\xfd\xa5\x11\xf6\x62\x3f\x3d\xe0\x21\xa5\xa2\xc5\x68\xd2\x27\xe6\x33\xc0\x1e\x26\x0f\xf3\x08\x50\x17\x98\x14\x6d\x74\x8e\x4e\x0a\x98\xa8\xd1\x15\x01\x13\xe7\xe9\x02\x87\x89\x67\x69\x96\xa6\x83\x3d\x01\x4e\x87\x53\xe6\x5d\xa7\x82\xe0\xde\x1d\x46\x8d\x16\xc2\x91\xe3\x34\xcb\x38\x04\x71\xdc\x23\xd9\xd7\x38\x83\x8c\xfe\xd6\x0e\xff\xa7\x39\xea\x1f\x5b\x1a\xf4\x40\x27\xac\x48\xd3\xcd\x7e\xa6\x99\xe7\xe8\x59\x5a\xac\xf2\xe8\xb6\xe8\xa1\xc2\xbb\x8b\xe8\xd4\x26\xa3\x53\xff\xa0\x8f\xae\x8a\xf0\xd2\x67\x68\xc1\x09\x2f\x6d\xbf\xbd\x69\x9b\x85\x6b\x30\xa2\xb5\x31\x43\x76\x07\xbe\x13\xd3\xf2\x25\x3f\xbf\xcb\xdf\x90\xc5\xec\xb8\xd7\x20\xdb\x75\xd4\x8c\x82\xdd\x74\xd3\x85\xf8\x58\xc4\xc7\x22\x3e\x16\xf1\xb1\x88\x8f\x45\x7c\x6c\x6f\xc6\xc7\x76\x6a\xb5\xd0\x40\xe4\xec\xef\xee\xf4\x5f\x4f\x1c\x0a\x89\xa2\x0d\x5a\x65\x1c\x29\x57\x07\xe3\x74\x7c\x91\x81\x68\xdb\x5e\x5b\xda\x20\xda\x16\xd1\xb6\x9b\x1c\x6d\xbb\x89\x8c\xad\xb1\xaf\xc9\x06\x3f\x1d\x3e\x1f\x9f\xf0\x08\xdd\x5e\x75\x1a\xb1\x17\x86\xad\x92\xfb\x22\x0e\xd1\x55\x6c\xbf\x6e\xc4\xae\x38\xda\xa2\xce\xcf\x0f\xb3\x3f\x1b\xa0\x1d\xe2\x8f\x4b\xeb\xe9\xe8\x87\x1b\x09\xcd\xe5\xc1\x9d\x5d\x11\x88\xbb\xfb\x96\x1d\x6c\xea\xc9\xa8\xe1\x7f\x41\xc4\x6d\xed\x9b\x7b\x29\xfc\xcd\x1d\x63\xa3\xe6\xab\xe8\x99\x59\xe6\x4a\x50\x5c\x06\x11\xb6\x88\xb0\x45\x84\x2d\x22\x6c\x11\x61\x8b\x08\x5b\x44\xd8\x22\xc2\x16\x11\xb6\x88\xb0\x45\x84\x2d\x22\x6c\x11\x61\xdb\xcd\x11\xb6\x75\x6b\x70\xf3\x8d\xdd\xdd\x80\x46\x10\x4f\x8b\x78\x5a\xc4\xd3\x6e\xa1\x78\xda\x6f\x26\x68\x44\xa0\x4c\xbd\xa2\x6a\x52\x41\xae\x61\x99\xe6\xdf\x73\x45\x49\xd7\x65\x9d\xfd\x56\x82\xfd\xda\x00\x91\xf9\xd7\xa5\xf5\x74\xf4\x4d\xe6\x57\xb6\x94\x57\xd6\x95\xfc\x9a\x54\xf4\x00\x4c\x7b\x45\xbb\x20\xce\x98\x32\xda\x69\x09\xbf\x4c\x25\x1f\xe5\x27\x98\x0d\x2f\xa6\xdd\x57\x38\xaf\xe8\x60\x90\x3e\x0c\x72\x8f\x3f\x2f\xdc\xc9\x88\x77\xcc\x18\x69\xba\xf1\x5c\x38\xa8\x3c\xcc\x0e\x9a\xa0\xd2\x3b\x6f\x4c\x52\xe9\x7e\x14\xa8\xde\x04\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\xb9\x99\x3c\x12\xe4\x0f\xe4\x0f\xe4\xaf\x87\xc9\xdf\xc7\x1f\xa4\x98\x55\x14\xbe\x3a\x5e\xf1\x2d\x63\x3a\x4f\x6d\x60\xef\x7e\x90\x7d\x2d\xe2\x94\x7c\x1f\xe4\xd9\xf0\xe2\x37\x6b\x1c\x9d\x8f\xaa\x1d\x02\x98\x7c\xc8\x38\xae\xaa\xb4\xba\x48\x96\xd8\xdc\x3a\x48\xc6\x7d\xa4\xd6\xd3\x29\xbb\x53\x77\x9a\xd1\x7e\x2e\x9c\x94\x0d\xb1\x41\x37\x00\xab\x2e\x78\xee\x74\x25\xfa\x91\xed\xce\x48\x0f\x5b\x99\xea\xe1\x83\xbd\xdb\x3c\xb4\x03\xe3\xbd\xe1\x5a\x48\x35\x03\x8e\xec\x06\x64\x9b\x77\xa8\x16\x52\xed\xcb\xbe\xf1\x5a\x48\x1b\x37\x18\x8d\x59\x84\x60\x2b\xe0\x89\xee\xad\x9f\x86\x9e\xf9\x8b\x7b\x1d\x83\x31\x5e\x93\xc1\x15\x6e\x39\xa2\x3c\x90\xbf\xcd\x76\x03\xf9\x59\xbd\x66\xc1\x90\x9f\x85\xfc\xac\xad\x55\x0d\x61\xe3\x66\x3e\x2c\x39\xaa\xa5\x2b\xc3\xfa\xb5\x10\xec\xe3\x6a\x03\x88\x5a\x9e\xf9\xf4\x77\x83\xf4\xa0\xb7\x98\xaa\x53\x35\x95\xfd\xc9\x20\xfb\xdd\x7e\xa7\x32\x4f\x42\xb0\x63\xcd\xa4\x5e\x16\x16\xb1\x12\x99\x9c\xc2\x3c\x7b\x8c\x03\x45\x5d\x1e\xfb\x8f\xb3\xaa\x36\x59\x2c\xda\xb7\xd6\xba\xef\x51\x9b\x7c\xf9\x57\x69\x52\x4c\xb8\x09\x3a\xc2\x27\xdc\x38\xed\xa3\x54\xe3\xe5\x37\xce\x2b\x7a\xc7\x4b\x70\x3c\xea\x3f\x87\xef\x61\xdb\x78\x18\x00\x5c\xf5\x70\xd5\xc3\x55\x0f\x57\x3d\x5c\xf5\x70\xd5\xc3\x55\x0f\x57\x3d\x5c\xf5\x70\xd5\xc3\x55\x0f\x57\x3d\x5c\xf5\x70\xd5\xc3\x55\x0f\x57\x3d\x5c\xf5\x9d\x72\xd5\xbf\x38\x4c\x27\xbc\xd4\xad\xae\xcc\x90\x26\x73\x82\x65\xbc\xc0\x96\xd6\xd0\x0f\x0c\xb3\x3f\x1f\x70\xd0\xdc\xc7\x1a\x51\x1a\xba\x24\x9a\x59\x90\xbb\x43\x6e\xe8\xb1\x5b\x7e\xe5\xbb\x9d\x4e\x76\x3b\x21\xdc\x8c\x6c\x9f\x0b\xe1\xc0\x70\x2f\x1b\xae\x05\x86\xce\xa8\x42\x6d\x08\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\xb0\xab\x91\xe1\x61\x3a\xc8\xf6\xc7\xd3\x76\xc0\xd0\xf7\xb8\x03\x86\x9c\xdd\x1d\x24\x87\x40\x33\x41\x33\x41\x33\x3b\x4a\x33\xbf\x78\x8d\xf6\x0b\x9a\xb9\xcc\x29\xe6\x7a\xba\x6e\xf1\xce\x9c\xa6\x96\x6e\xa8\xcb\x3a\xfb\x89\x6b\xec\x5d\x83\xf4\x4a\x7e\xd2\x92\x79\x52\xf4\xc9\xfa\x41\x86\x53\x9a\x5a\xca\xaa\xcb\xc9\xc7\x8d\xc3\x32\xc6\x21\x8b\xe9\xaa\x02\x25\xe6\x21\x5d\x8e\x0f\x33\x20\x6b\x20\x6b\x19\x90\x35\x90\x35\x90\x35\x90\xb5\x9e\x21\x6b\x99\xae\x21\x6b\x2d\xef\x49\xd3\x64\x2d\x03\xb2\x06\xb2\x06\xb2\x06\xb2\x06\xb2\xd6\x79\xb2\x96\xe9\x69\xda\x94\x01\x6d\x6a\x1f\x6d\xca\x74\x3b\x6d\xca\x6c\x41\xda\x94\x7d\x03\xcd\x88\xb0\xab\x93\x74\x9c\x87\x5d\x1d\xa2\x03\x34\x1e\x98\x98\xc9\xe9\x52\xca\xa4\x4b\x29\x93\x0d\x35\x94\x9c\x19\x92\x4d\x79\xe3\xe9\xf0\x58\xac\x14\x1b\x31\x63\xb1\x78\x37\xcc\x60\x2c\xb3\x13\xee\x48\x2c\x51\xb4\x31\xfe\xbf\xb6\x57\xe3\xb0\x5d\xe2\xfb\x13\x93\x6c\xf2\xb5\x47\xfc\xa5\x33\xec\x4b\xa0\xaa\x69\xca\xd0\xe9\x2a\xc1\x85\x7a\xc9\xb0\xbe\x63\x0e\x99\x05\x08\xc5\x34\x29\x14\xf3\x37\x7d\x74\x46\x94\xf9\x3e\x4d\x27\x5d\x65\xbe\xeb\xa7\x64\xfb\xce\xc2\xc0\xb7\x7e\x63\xe9\xde\xfe\x6d\xcf\x0a\x39\x9a\x53\x74\xc2\x91\xa3\x69\xa2\x9d\x70\x03\x54\x56\xdb\x63\x80\x92\x7f\x3c\x52\x6d\x80\x76\x9b\x95\xe4\x5d\x65\xf9\xd5\x15\xdb\x18\x8d\x8a\x5f\xdd\xc6\x68\xca\x3e\xb0\xdd\x66\xe9\x32\x5d\xa2\x79\xb7\x59\x4a\x66\xe8\x74\x13\xf1\xb7\xd3\xfc\x1e\x2e\x72\xd0\xaa\x03\xc9\x02\xc9\x02\xc9\x02\xc9\xf6\x10\x92\xc5\xc2\x2c\x64\x61\xd6\x3d\xcc\xfa\xe5\x08\x7d\x35\xc2\xbe\x12\x89\x7e\xd9\x7e\x54\x1f\x8b\x5c\x76\xef\x12\x95\x52\x4c\x17\x3b\xbd\xd8\xb2\xbc\x22\x1c\xbc\x36\x4d\x71\x3e\x59\xe6\x5b\xc2\x07\xcb\xb5\x04\x2c\xa9\xa5\xd1\x92\x5c\x90\xf8\x23\x31\x37\x8a\xee\xa5\xa2\xe0\xaa\xf6\x64\x30\xd7\x06\xca\xea\xaa\x9c\x37\x16\xa3\xc5\xdb\x8e\xe7\xd5\x31\xed\x4a\x71\xc4\xdc\x3f\xf2\xdb\x8d\x15\x34\x29\xc7\xe7\x89\xa2\xe6\xed\x0f\x8f\xf3\x71\xe0\x4e\x6d\xeb\xb9\xac\xe9\x46\x27\xdd\x03\x25\x19\x67\x5a\x37\x64\x5e\x64\x45\xbc\x6f\x56\x13\x29\xd1\x4f\x21\x61\xe5\xd3\xc7\x38\xe3\x5d\x98\xe7\x3d\xf0\xdb\x17\xc3\x35\x00\xd7\x00\x5c\x03\x70\x0d\xc0\x35\xd0\xd3\xae\x81\x2f\x44\xe8\xa5\x08\x7b\x31\x12\x7d\xc1\xfe\xda\xbe\x3f\x32\xed\xca\x9c\x2d\x17\x65\x49\x97\xed\x57\x7f\x5e\x53\xcb\x52\x81\x7f\x87\xe7\xd5\xa2\x92\xbb\xed\x09\x0c\xb2\x1e\xb7\x93\x7a\x6b\x3c\xf0\x74\xea\x70\x2a\xb6\x20\xec\x88\xf8\x48\x96\xe5\x92\x31\x4d\x9d\xaf\x88\x1c\x53\xb5\xf2\x75\xa9\x64\x05\x2a\x69\x6b\xf2\xd8\x8a\x54\xb4\x56\xff\x71\xf1\x6b\x3c\xb6\xa2\x94\xa4\xa2\xf2\x66\xcb\x7c\x2f\xcb\x31\x29\xcf\x39\xbb\x3a\x26\xb0\x6b\xde\x59\x5a\x8a\xc6\x13\xba\x73\x92\x58\x6f\xa7\x62\x33\x0a\x37\x49\xae\x8e\xab\x5a\xed\x9d\x39\xbe\x8d\x8a\x58\xee\xf3\xd5\x9f\x5a\xb9\x9e\x8a\xef\x12\xfd\x99\xb6\x6e\xc4\x1b\xf1\xf4\xce\x01\x7a\xc7\x00\x7b\x7e\x20\xfa\x5d\x3b\xec\xed\x4b\xfd\x57\x4c\x3b\x68\x4c\xd1\xeb\xea\xad\x58\x41\xd2\x96\xa5\x82\x07\x3a\xd8\x0b\x35\x59\x5b\x51\xb5\x55\x63\x2c\x7c\x7b\x7a\xb1\xea\xe2\xc1\x1d\xe5\xcb\x1a\x6b\x4d\x52\x16\x77\xa5\x18\xeb\x85\x9c\x92\x77\x16\xd6\xfc\xdb\x28\x94\x2e\xad\xd1\x35\x3e\x4e\xe6\x97\xc3\xfa\xfa\xa5\x5c\xc3\x68\xd9\x4d\xdb\xa1\x60\x07\xbb\x79\x2f\x96\x8a\x09\x90\xc5\x6d\xb1\x7b\xb5\x9a\x10\xf7\x90\x30\xf6\x3c\xfc\x5f\xde\x89\xa1\x1f\x8b\x25\x32\x52\xee\x66\x41\x53\xd7\x4a\x79\xe3\x28\x1e\x65\xc6\x0f\xaa\x1a\x38\xb1\x58\x31\x57\x40\xde\x46\xac\x3b\x58\xb6\x5b\x3a\x16\x4b\xcc\xaa\x9a\xec\x6a\x36\x96\x93\xf4\x9c\x94\x37\xee\xde\x1c\x1f\x11\x57\xc8\xdb\xd3\xc5\x72\xba\xa6\xc1\x15\xbb\x8d\x54\xfc\xfe\x72\xf5\xbc\x71\xaf\x6d\xe0\x79\x83\xe7\xad\x47\x3d\x6f\xd9\x42\x30\x88\x3e\x2f\x40\xf4\x0c\x4d\x71\x10\x7d\x82\x8e\xd1\xd1\x26\xa8\xa6\x90\xfd\xb6\x58\x72\xd2\x9f\x25\x3f\xc0\xee\x17\x6f\xb3\x63\x69\xdb\xc1\x95\xb7\x60\x16\x0a\xfb\x5a\x84\x5e\x2b\xa2\xda\x45\xc4\xb5\xab\x8e\x2e\x7b\x31\xc2\x5e\x88\xd0\x0e\xf1\xc3\xd2\x7a\x3a\xfa\xda\x82\x5c\xf1\xae\xac\x85\x7f\x34\x69\xfc\xc0\xa5\x1d\xf4\xc5\xf4\xe4\xfc\x9c\x05\x13\x5b\x28\xc7\x5e\xd3\xd0\x44\x4d\x43\x13\x8d\x34\x94\x2d\xd3\x33\x62\xe6\x5d\xa0\xf3\x7c\xe6\xcd\xd2\x34\x65\x9a\x98\x79\xae\xfb\x6c\xc4\xd1\xca\xfe\xd7\x35\x1a\x33\x4b\x16\xe7\xae\xcb\xf9\xb5\xa2\xb1\x27\xb6\x47\x5b\xe4\x12\x94\x35\x45\xd5\x94\xca\x6d\xab\x6a\xf1\xef\x5e\x63\x9f\x1a\x24\xe6\x9c\x60\x3b\x2c\xf6\xd6\x4f\x20\x98\x37\x1b\xe2\x95\x6c\x93\x71\xe3\xe0\x05\xbb\x11\xd3\x85\xe1\x39\x06\x79\x04\xc8\x23\x40\x1e\x01\x9c\x56\x70\x5a\xc1\x69\x05\xa7\x55\xd7\x38\xad\xba\xc7\x27\x03\x67\x01\x9c\x05\x70\x16\xc0\x59\x00\x67\x41\x4f\x3b\x0b\x40\x33\x41\x33\x7b\x94\x66\x6e\xc9\x3c\x82\x8d\xc9\xb7\xa6\x5c\x68\xca\x0a\xd7\xf5\x60\xa2\x96\xa4\x14\xe4\xc2\xc9\xeb\x69\x76\xb2\x06\xaf\x9a\x28\xb6\x86\x9e\x99\x58\xd6\xd3\x4f\x8a\xbf\xb0\xc3\x97\x9b\x7d\x8f\x9d\x69\xe0\x45\x64\x4f\x88\xbf\x77\x08\x92\x09\xa6\x75\x91\x9e\xa2\x73\x55\x09\x07\x75\x28\x78\xe8\xc3\x41\x88\x1b\x72\x0f\x9a\xcc\x3d\xf8\xe1\xc8\x86\x1c\x32\xa1\x53\x91\x9e\x16\x49\x02\x59\x3a\xeb\x24\x09\xdc\x61\x93\x97\x44\x72\xc4\x39\x9a\x73\x25\x47\xdc\x61\x9b\xcd\x9b\x32\x91\x9c\xd0\x98\x29\xdb\x90\xe5\xaa\x4d\x57\xf8\xbb\x11\x5f\x53\x16\xf7\xcd\x59\xf0\x9a\xb5\x94\x38\xa6\xc6\xac\x39\xe9\x0b\xed\x34\x70\x48\x5d\x00\x05\x06\x05\x06\x05\x06\x05\x46\xea\x02\x52\x17\x90\xba\x80\xd4\x05\x78\x23\xe0\x8d\x80\x37\x02\xde\x08\x78\x23\x90\xba\x80\xd4\x05\xa4\x2e\x20\x75\x01\xce\x3e\x38\xfb\xba\xd0\xd9\x97\x2d\xb4\x36\x43\x21\x94\x34\x6f\x24\x75\xa1\x13\x0e\xb4\xd6\xa7\x1a\xfc\xb7\x41\x62\xc6\xc4\x1a\x5b\x4f\x8f\x09\xf4\xb7\x2a\x95\x75\xf6\x47\x83\xec\x85\x7e\xba\x27\xa7\x6a\xf2\xd2\x7a\x3a\x9a\x08\x51\xc6\xe7\x27\x3e\x25\x95\x93\x7b\x8c\x03\xa7\x54\x4d\x5e\x4c\xdb\x7f\x9c\x55\xb5\xc9\x62\xd1\x56\xe4\xe9\xf6\xa8\xf6\xec\xd5\x8d\xe9\x31\x19\x63\x64\x4c\x29\xfb\x7e\x5b\xe2\x8e\x3d\x17\x3e\x9b\x86\xd8\xa0\x39\x79\xe2\x71\x2b\x0b\xc6\xea\x83\xa7\xd4\x26\x2a\x69\x22\x4e\x1f\x95\x34\xe1\xa1\x81\x87\x06\x1e\x9a\x1e\xf2\xd0\xa0\x92\x26\x2a\x69\x82\x8c\x83\x8c\x83\x8c\x83\x8c\x77\x05\x19\x47\xb9\x4a\x94\xab\xdc\x2a\x2c\x10\xe5\x2a\xdb\x51\xae\xf2\xbb\x44\xe3\x16\x6d\x0b\x28\x51\x59\x56\xf3\xe6\x1f\xde\x32\xb6\xac\x94\xf2\x4a\xa9\xc0\x5e\xa0\xf8\x4f\x0f\x38\x34\xee\xb5\x66\xb8\xbc\xf9\xb3\x30\xa0\xf3\x6a\x3e\x69\x7e\x41\x04\x7f\x73\x24\xb0\xe7\xd5\x7c\x46\x1c\xda\xe2\x50\xd2\x93\x74\x9c\x26\xaa\x62\xe5\x93\x34\x14\x8a\xca\xcc\xde\x64\xbf\xdc\x17\x2c\x45\x73\x4c\x30\xb8\x03\x34\xce\x19\xdc\x08\x6d\xa0\x61\x3a\x2d\x02\x9d\x8f\xd2\x61\x27\xd0\x79\x63\x2d\x4c\x8a\xb8\xe6\x09\x3a\xe2\x8a\x6b\xde\x50\x13\x16\xe9\x9b\x0b\x27\x79\x83\xec\x89\x6a\x92\x67\xf5\xc3\xcd\xf1\xc2\x02\x9f\xb3\x08\x49\xab\x1f\x92\x96\x45\xaa\x41\x40\xaa\xc1\x01\x1a\x67\xfb\xe2\x29\x5b\x24\xe9\x01\x77\x8d\x6f\x73\x2e\xde\x0d\x05\xbe\xd9\xd7\x77\xd3\x15\x21\xf8\x23\xad\x55\x54\x3d\x27\x15\x95\x52\x61\x6c\x7d\xbc\x6e\xd9\x60\x6e\x93\x8c\xe7\x51\x2c\xab\x79\xeb\x3c\x59\xb3\xed\xb4\xce\xbd\x49\xec\xdd\xbb\xd9\x97\xfb\xe9\x01\x57\xc3\x4b\x66\xc3\xd1\x03\x9a\x2c\xe5\x63\xe2\x38\x6b\x58\x9d\x9d\xd1\x59\xbb\xfd\x79\x35\x3f\x69\xb7\x9f\x3c\x61\x9c\x35\xe9\x34\xb7\x38\x5e\x55\x73\x25\xe0\x44\xe1\xdd\x6a\xad\xb1\xcf\x6a\x74\x45\x98\xe4\x79\xba\xc0\x4d\xf2\x59\x9a\xa5\xe9\x40\x6b\xe8\x1a\x85\x94\x39\x0a\xa9\x80\xee\x86\x3a\x4b\x0a\xe1\x26\x74\x9a\x65\x4c\x13\xea\xba\xb0\x69\x4b\x83\x2e\xeb\xd8\x56\xd1\x3f\xba\xf1\x88\xbf\x81\x7d\x05\x1b\x28\xc8\x15\x8a\xfe\xc9\x0e\xff\xa7\x7b\x58\x93\xcb\x45\x29\x27\x6f\xf8\x01\x9f\x36\x4f\xec\x92\x67\x9c\x79\x8e\x9e\xa5\xc5\xaa\x0f\x7a\x8b\x1e\x32\xe2\xa5\x91\x07\xd7\xe4\xc7\xe9\x0f\xfa\xda\x67\x7a\xae\x8a\x95\xe2\x33\xb4\xe0\xac\x14\x3b\x67\xd8\x82\xed\x4d\x79\xad\x42\x1d\xb3\x7b\x99\xff\x67\xa7\xbf\x61\x3b\x5d\x96\xb4\x8a\xc2\x7d\x52\x62\x23\xb4\x61\x0b\x77\xb2\x6c\x6c\x82\xba\xc0\xbe\x3d\x5c\xdd\xd0\x28\xef\xd9\x5e\x2e\x5b\xb8\xdb\xfd\xe3\xaa\xac\x15\x64\xf7\xaf\x83\xee\x5f\xf5\x8a\x26\x55\xe4\x82\x92\x1b\xad\x39\xce\xd3\x8a\xf1\xef\xdb\xe6\xaf\x46\x2f\x33\x17\xe8\x3c\x65\xab\x6c\xeb\x04\x1d\x69\x22\x78\x65\x9e\x3b\x79\x61\x4f\x43\xec\xe9\x47\xfb\xe9\xc3\xfd\xec\x43\xfd\xd1\x9f\xb7\xa3\x1e\xde\xde\xdf\x3b\xf6\xb4\x8a\x8b\x1b\xe3\xcc\xfd\xbc\xdc\x77\x63\x4c\x4e\x27\xda\x63\x28\x60\xe2\x0e\x73\x87\xa7\x08\x0b\x90\x8a\xfc\xcc\x92\x5a\x1a\x15\x67\xf3\x23\x78\x58\x88\x1e\x1b\xca\xea\x6a\x69\x5e\x84\x3d\x3c\x65\xbc\x16\xe6\xbf\x17\xac\x97\xc5\xf9\xe3\x70\xb0\xa1\xcf\xbc\xd4\x47\x2f\xf6\xb1\x17\xfa\xa2\x9f\xb3\x91\xce\x07\xfb\x66\x55\x2d\xc7\x5d\xe9\x05\x95\x0f\xbb\x1a\x8b\xaf\x18\x7f\x8a\xc7\x26\x3d\x77\xc1\x61\x9d\x48\x5e\x59\xd3\x1d\x07\xef\xa8\x94\xe3\x37\xce\xdd\xe6\x45\x25\x67\x46\xa5\xca\xc5\xbc\x1e\x53\x6f\x99\x63\x2a\xdc\xca\x65\x59\x2d\x17\xe5\x54\x4c\x5c\x91\xc7\xa9\x58\xcf\x92\x43\x33\xdf\x01\xb0\x2f\x1f\xdf\xc6\xbb\xe5\x89\xb9\xe8\x85\x35\xf3\x63\xfe\xdf\xb0\xed\xec\x15\x7c\x80\x28\x3b\x4d\x19\x76\x3a\x7e\xd2\xde\x25\xee\x71\xef\x2d\x03\xae\x73\x57\xec\x35\x7f\x3b\x41\xa3\x62\xaf\x99\x57\xf4\x9c\xba\x6e\x18\xf3\x2a\x6d\x59\xb9\x94\x2f\xab\x4a\xa9\xa2\x17\x95\x9c\xac\xb3\x1f\x4d\xb0\x1f\x18\xa0\xfb\xed\xc3\x1b\x55\x96\x9d\x31\x9b\x59\x30\x9a\x49\xa6\x8d\x83\xa7\xad\x36\xcc\xe4\x72\xcf\x21\x5b\x2d\x24\xef\x06\x5d\x14\xef\x91\xf1\xfe\x18\xef\xd1\x69\x3a\x49\xc7\x03\xdf\x23\x67\xb8\x2d\x81\x01\xcf\xdd\x37\x14\xa0\xb7\x1c\xfe\xfe\x9c\x62\x27\xc4\xcb\xe2\x69\xbd\x56\x2b\xc0\x7c\xc9\xaa\x27\x41\x3d\x9e\xc7\x83\x00\x11\xb7\x87\xb8\x3d\xc4\xed\x21\x6e\x0f\x71\x7b\x88\xdb\x43\xdc\x1e\xe2\xf6\x10\xb7\x87\xb8\x3d\xc4\xed\x21\x6e\x0f\x71\x7b\x88\xdb\x43\xdc\x1e\xe2\xf6\x10\xb7\xd7\xa9\xb8\xbd\x7f\xec\xa3\x5d\x63\x6a\x59\x2e\x29\xf9\xb1\xf5\xf4\xd8\x8d\x5b\x37\xf5\x31\xf6\x97\x7d\xec\xbf\xf6\xd1\x2b\xc4\x9f\xa3\x57\x0b\x72\x85\xbf\x75\x4a\x4e\x8e\x49\xb9\x1c\x5f\x73\x70\x03\xaf\xc5\x2e\x96\xe5\xd2\xdc\x74\x2c\xbb\x70\xf1\x42\xec\x8a\xbc\x1c\x3b\x27\xdf\x36\x56\x32\xb1\x21\x93\xfb\xeb\xb1\xf2\xda\x72\x51\xc9\x99\x5b\xa1\x75\x59\xb3\x3b\xca\x97\xf9\xc3\xc9\x3d\x05\xb9\xb2\x20\x1a\x9f\x14\x6d\xcf\xf1\xa6\x45\xcb\xe7\xe4\xdb\xba\x5c\x19\x7f\xd0\xc3\xde\x6e\xdd\x1c\xd5\xe5\x0a\xf7\x4c\x65\x0f\x07\xc7\xd9\xed\x16\x60\xed\x35\xf4\x00\x07\x6b\xaf\xa4\x7b\x3f\xde\xb7\x9d\xcc\x09\x65\x97\xc9\x1a\xa6\x4b\x66\xd4\x4c\xde\x58\xca\x2b\x6a\x49\x93\x0b\x0a\xf7\x85\x19\x63\xe6\xd4\x27\xe3\x63\x37\xc6\xf7\xcc\x92\xb1\x52\xbb\x25\x2f\x5f\x57\xd5\x9b\x9e\xbd\xaf\x15\x37\xc3\xfe\xed\x30\x7b\x69\x1b\x3d\xe8\xdb\xe6\xd2\x7a\x3a\xfa\xb9\x3e\x73\x92\x3a\x73\x42\x2a\x59\x66\xdf\x62\x9f\x8b\xf6\xb5\xae\x88\x6b\x4d\xb9\xaf\x95\x72\x09\x87\x4c\xd8\x6b\xb3\x04\x6f\x37\xe1\x80\x07\xcf\x4e\x52\x2d\xcb\xb6\x2c\x98\x5e\x91\xa5\xfc\x88\xb3\xf2\xe3\xab\x5b\x73\x9d\x60\x2c\x1e\x9d\x25\x6d\xc2\xb3\x8b\x70\xb5\x9d\x4a\x4e\xf0\xcb\x4d\xfa\xdd\xe6\x62\xba\x7e\xff\xbb\x9d\xcc\x6e\x4c\xca\xba\x8e\x53\x93\x5b\x00\x5e\xae\x2e\x14\xcd\xbe\x39\x1c\xcd\x5e\x61\xcf\x58\xae\x8d\x3a\x13\xd6\xf4\x75\xd4\x7f\x02\xde\x10\xcc\x60\x6f\xc7\x2d\xe1\xed\x00\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\xed\x2c\xb3\x3d\x47\x73\xec\x4c\x7c\xc6\x8e\x17\x4b\xba\xa3\xce\xea\xef\xf8\x6a\x83\xcf\x00\x80\x01\x80\x01\x80\x7b\x18\x00\xff\xca\xbd\x74\xcc\x4e\x1b\xe4\x38\xaa\x0a\x7c\x8a\x70\x4e\x5d\x2e\xae\xe8\x6b\xdc\xc4\x49\xb9\x9c\xac\xeb\xc6\x36\x44\xbe\xa5\xb3\x6f\x52\xfc\xeb\xdb\xe8\x35\x9e\x93\xed\xe0\xce\x98\x5d\xfe\x6c\x41\x2e\xae\x2c\x88\xf3\x27\xf9\xf9\x97\xf8\xf9\xc9\xb4\x38\x62\xd2\x7d\xba\x19\xd7\x19\x70\x4a\x8b\x13\xc3\xae\xd2\x73\xf4\x6c\x55\xf2\xc2\x59\x9a\xad\x17\xc9\xec\x1a\x25\x2b\x0a\x33\xa0\xaf\xd9\x4f\x45\x68\x49\xe4\x5b\x3f\x4b\x8b\xae\x7c\xeb\x2c\xb5\xec\x1a\xc1\x00\xfc\x75\x82\x5f\x5e\xa2\x79\xce\x2f\x5b\x79\xcd\xd7\x8b\xe4\xa2\x2b\xf4\x8c\x93\x5c\xd4\xc2\xf6\x1b\xad\x87\x55\x0e\xe7\xa5\x4f\xb1\x73\x4e\x28\x78\xcd\xfc\x36\x39\x69\xd0\x6d\xd6\x04\xbc\x22\x11\x1d\x89\xe8\x4d\xe6\xfa\xb5\x3c\x08\xff\xf7\x87\xe8\x80\xb0\xdc\xcb\xc2\x35\x65\xf9\xa8\x02\x72\xbd\x73\x9a\x5a\xba\xa1\x2e\xeb\xec\x7d\x43\xec\x83\x03\xb4\x9d\x9f\xb5\xb4\x9e\x8e\xea\xe6\xe6\xa6\x94\x57\xd6\x95\xfc\x9a\x54\xf4\xb8\xa5\x6c\x90\x30\xa5\xa9\xa5\xac\xba\xdc\x12\xbf\x53\x2a\xf9\x38\x3f\x21\x63\xfc\xc7\xad\xe8\x61\x5e\xe4\xbc\xa2\x57\xba\xdf\x41\x14\x68\x79\x5b\xee\x39\xb2\x0c\xe2\x1e\x7f\x83\xb8\x93\x11\xef\x98\x50\xd8\x3d\x1f\x6e\x15\x87\x59\xc2\xb4\x8a\x7c\x16\x58\x22\xbb\x62\xf0\x21\xb1\x0b\xb7\x0f\xdc\x3e\x70\xfb\xc0\xed\x03\xb7\x0f\xdc\x3e\x70\xfb\xc0\xed\x03\xb7\x0f\xdc\x3e\x70\xfb\xc0\xed\xb3\x99\x6e\x9f\xad\x27\x13\x00\x5f\x10\x7c\x41\xf0\x05\x6d\x21\x5f\xd0\x6f\x0c\x5b\xbe\xa0\x8d\x11\x45\x2b\xea\xfd\xad\xc3\xec\x4f\xdd\x60\xf1\x23\x8d\x44\xb9\xb7\x12\x2b\xde\x69\x38\xfb\x23\x75\xa1\x64\xf7\x03\xc9\xce\x47\xac\x87\x45\x8d\x03\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x6e\x69\x18\x59\xb7\xaa\x86\xb9\x73\xbb\x1b\x94\x4e\x81\x30\x81\x30\x81\x30\xb7\x10\xc2\xfc\xa9\xd7\xd3\x11\x33\x9c\xbd\x5c\xd6\xeb\x54\x23\x33\xbe\x1f\x9a\x6a\x58\x6f\x63\x33\xc3\x1f\x29\xfb\xea\x35\xf6\xfe\x41\xba\xc7\x38\x73\x69\x3d\x1d\xdd\x57\x5f\x9a\x78\xca\x6e\xe1\x92\xd9\x42\x72\xd0\x38\x63\xb2\x5c\xd6\x3d\xf4\xb0\xe6\xb8\x2e\x07\x89\x19\x50\x36\x50\xb6\x0c\x28\x1b\x28\x1b\x28\x1b\x28\x5b\xcf\x50\xb6\x4c\xd7\x50\xb6\x96\xf7\xa4\x69\xca\x96\x01\x65\x03\x65\x03\x65\x03\x65\x03\x65\xeb\x3c\x65\xcb\xf4\x34\x7c\xca\x00\x3e\xb5\x0f\x3e\x65\xba\x1d\x3e\x65\xb6\x20\x7c\xca\xca\xc1\x19\xa1\x59\x11\x99\x35\x45\x93\x3c\x32\xeb\x18\x1d\xa5\xc3\xc1\xb9\xf2\xe5\xb2\x9e\x5a\x4f\xa7\x6a\xc9\xd1\x79\x45\xaf\x84\x27\xc7\x8b\x34\xd0\xc5\xf0\xc8\xab\xfd\x2c\x6d\x25\xc7\x97\xcb\xba\x15\x78\x55\x73\x55\x4f\x0c\x56\xfc\x03\x3b\x1c\x44\xf6\xb0\x2d\xf0\xe0\x43\xc3\x86\x4c\x6d\x87\xce\xf1\x30\x81\xaf\xe6\xe8\x0c\xcd\x54\x49\x3a\x1c\xa4\xfd\x4d\x0c\x37\x4a\x51\xa2\xb4\x6f\x93\xe9\xfe\xdf\xe9\xa3\x59\xf1\xce\x9f\xa2\x13\xfc\x9d\x3f\x4c\xcd\x4d\x42\x3a\x27\xc4\x36\xa6\x29\xe3\x88\x6d\x34\xdd\xd8\x79\x21\x47\x32\x43\x53\x2e\x39\x92\xa6\x5b\x0b\x0b\x0f\x6d\x93\x0d\x0a\x13\x06\x49\xbe\x3c\xe2\xd8\xa8\x84\x58\x11\xc7\x72\x46\x7b\x39\xeb\x7b\xe5\x63\xaf\xc6\xc5\x81\xc2\x5e\x4d\xd9\x47\x77\xd0\x72\x5d\xa6\x4b\x34\xef\xb6\x5c\xc9\x0c\x9d\x6e\x22\x80\x77\x9a\xdf\xc8\x45\xce\x67\x75\x90\x5c\x90\x5c\x90\x5c\x90\xdc\x1e\x22\xb9\x58\xb6\x85\x2c\xdb\xba\x07\x75\xbf\x1c\xa1\xaf\x46\xd8\x57\x22\xd1\x2f\xdb\x8f\xea\x63\x91\xcb\xee\xcd\xa5\x52\x8a\xe9\x62\x83\x18\x5b\x96\x57\x84\x5f\xd8\x86\x30\xce\x27\xcb\x7c\x4b\xf8\x60\xb9\x16\x88\x25\xb5\x34\x5a\x92\x0b\x12\x7f\x24\xe6\xfe\xd2\xbd\x90\x14\x38\xd6\x9e\x0c\xe6\x5a\x41\x59\x5d\x95\xf3\xc6\x52\xb5\x78\xdb\x71\xd8\x3a\xa6\x5d\x29\x8e\x98\xdb\x4e\x7e\xbb\xb1\x82\x26\xe5\xf8\x3c\x51\xd4\xbc\xfd\xe1\x71\x3e\x0e\xdc\x17\x6e\x3d\x97\x35\xdd\xe8\xa4\x7b\xa0\x24\xe3\x4c\xeb\x86\xcc\x8b\xac\x88\xf7\xcd\x6a\x22\x25\xfa\x29\x8a\x80\xfb\xf4\x31\xce\x78\x17\xe6\x79\x0f\xfc\xb6\xd3\xf0\x28\xc0\xa3\x00\x8f\x02\x3c\x0a\xf0\x28\xf4\xb4\x47\xe1\x0b\x11\x7a\x29\xc2\x5e\x8c\x44\x5f\xb0\xbf\xb6\xef\x8f\x4c\xbb\x12\x6f\xcb\x45\x59\xd2\x65\xfb\xd5\x9f\xd7\xd4\xb2\x54\xe0\xdf\xe1\x79\xb5\xa8\xe4\x6e\x7b\xe2\x89\xac\xc7\xed\x64\xee\x1a\x0f\x3c\x9d\x3a\x9c\x8a\x2d\x08\x3b\x22\x3e\x92\x65\xb9\x64\x4c\x53\xe7\x2b\x22\xc7\x54\xad\x7c\x5d\x2a\x59\xf1\x4d\xda\x9a\x3c\xb6\x22\x15\xad\xd5\x7f\x5c\xfc\x1a\x8f\xad\x28\x25\xa9\xa8\xbc\xd9\x32\xdf\xcb\x72\x4c\xca\x73\x3c\xaf\x8e\x09\x5a\x9b\x77\x96\x96\xa2\xf1\x84\xee\x9c\x24\xd6\xdb\xa9\xd8\x8c\xc2\x4d\x92\xab\xe3\xaa\x56\x7b\x67\x8e\x4b\xa4\x22\x96\xfb\x7c\xf5\xa7\x56\xae\xa7\xe2\xbb\x44\x7f\xa6\xad\x1b\xf1\x06\x4a\xbd\x73\x80\xde\x31\xc0\x9e\x1f\x88\x7e\xd7\x8e\x96\xfb\x52\xff\x15\xd3\x0e\x1a\x53\xf4\xba\x7a\x2b\x56\x90\xb4\x65\xa9\xe0\x81\x10\xf6\x42\x4d\xd6\x56\x54\x6d\xd5\x18\x0b\xdf\x9e\x5e\xac\xba\x78\x70\x47\xf9\xb2\xc6\x5a\x93\x94\xc5\x5d\x29\xc6\x7a\x21\xa7\xe4\x9d\x85\x35\xff\x36\xf2\x6d\x8e\x3d\xba\xc6\xc7\xc9\xfc\x72\x58\x5f\xbf\x94\x6b\x18\x2d\xbb\x69\xfb\x21\xec\x18\x39\xef\xc5\x52\x31\x41\x94\xb8\x2d\x76\xaf\x56\x13\xe2\x1e\x12\xc6\x9e\x87\xff\xcb\x3b\x31\xf4\x63\xb1\x44\x46\xca\xdd\x2c\x68\xea\x5a\x29\x6f\x1c\xc5\x83\xd3\xf8\x41\x55\x03\x27\x16\x2b\xe6\x0a\xc8\xdb\x88\x75\x07\xcb\x76\x4b\xc7\x62\x89\x59\x55\x93\x5d\xcd\xc6\x72\x92\x9e\x93\xf2\xc6\xdd\x9b\xe3\x23\xc2\x11\x79\x7b\xba\x58\x4e\xd7\x34\xb8\x62\xb7\x91\x8a\xdf\x5f\xae\x9e\x37\xee\xb5\x0d\x1c\x76\x70\xd8\xf5\xa8\xc3\x2e\x5b\x10\x68\x79\x1f\x47\xcb\x91\x8b\xe7\xd8\x09\x3a\x46\x47\x9b\x80\x97\x0b\x15\xa9\xb2\xa6\x87\xa2\xe5\xa4\x3f\x02\x7e\x80\xdd\x2f\xde\x66\xc7\xd2\xb6\xcd\x15\xb6\x05\x13\x5a\xd8\x9f\x26\x68\xd4\xd6\x7b\x57\xf5\x9c\x54\x54\x4a\x85\xb1\xf5\xf4\x18\x1f\x5e\xb5\x54\x91\x8a\x65\x35\x6f\xfd\x26\x6b\x3a\xfb\x85\x04\xfb\xa9\x01\x7a\x95\xeb\xf0\xa5\xf5\x74\xf4\x60\xfd\xe0\xf8\xb3\x76\x6b\xf3\x6a\x7e\xd2\x6e\x2d\x79\x84\x47\xc8\x3b\x4d\x2d\xa6\x03\x8e\x9c\x55\xb5\xc9\x62\xd1\x66\xef\x7a\x97\xc7\xcc\x67\xdf\x48\x8b\x62\xfa\x5f\xa4\xa7\xf8\xf4\x3f\x43\x33\x34\x55\x4f\x0e\xdd\x1a\x02\x63\xce\x07\x0c\xc2\x79\x45\x0f\x97\xe0\x58\x0e\x9f\xdc\xa7\xd8\x09\xf7\xbc\x75\x04\xd1\xad\x3e\x98\xf3\x3d\xa0\x1b\xf5\xfc\x2d\xdc\xd7\x0c\x5d\x0e\x64\x0c\x40\x97\x03\x7e\x26\xf8\x99\xe0\x67\xea\x21\x3f\x13\x74\x39\xa0\xcb\x01\xbe\x0f\xbe\x0f\xbe\x0f\xbe\xdf\x15\x7c\x1f\xfa\x17\xd0\xbf\xd8\x2a\x44\x13\xfa\x17\xed\xd0\xbf\xf8\x4e\x94\xa6\x05\xde\x5b\x29\xaa\xb7\x4c\x91\x8b\x94\xbd\xb9\xaf\x2e\xeb\x68\x1c\xa4\xe7\xae\xcb\xab\x92\x25\xe2\x3b\xa6\x73\xfc\xca\x3e\x11\x65\xbf\xd1\x4f\xbb\x5d\xad\x4c\x5a\x8d\xd8\xe5\x1d\x13\x9a\x2c\xe5\x63\xe2\x04\xeb\x01\x38\x5f\xe3\xd9\xa2\x7a\x6b\x81\xb7\x9d\x1c\x33\x0e\x9c\xf5\x69\xca\x2c\xf5\xe8\x1c\x2a\xe0\x6f\x6b\xc3\x6a\xb3\xf2\xc6\xd2\x2f\xdc\x23\x67\x15\x2a\x74\x7a\x18\xca\xe3\x6e\x86\xf3\xb8\xb3\x6c\xd6\x64\x70\xf5\x9e\x92\x09\xe5\x5c\x97\xae\xa9\x47\x78\xe3\x11\x7f\x30\xf7\x0a\x36\x50\x90\x2b\x14\xfd\xc0\x8e\x90\x47\x98\xd4\xe4\x72\x51\xca\xc9\x8d\x3c\xc5\x71\xf3\xd8\x4d\x7b\x90\x99\xa7\xe8\x1c\xcd\x55\x65\x76\x34\xff\x24\x11\x26\x88\xec\x8e\x26\xb3\x3b\x7e\xb9\x8f\x2e\x8a\xac\x8c\xb3\x34\xeb\x64\x65\xb4\xc5\xae\xb4\xd2\x78\x6d\xcc\x46\x85\xdb\x9f\x46\xac\x58\x1d\x1b\x55\x5e\xab\x50\xe6\xb3\x3b\x43\x6c\xd4\xfe\xb2\xa4\x19\xdb\x6f\x63\xcb\xca\x3f\x96\x8d\x18\xab\x7d\x65\xe3\xdb\xb8\x29\xa6\xea\xe1\xea\x86\x46\x79\x5f\xf6\x1a\xff\x9c\xd8\xed\xfe\x71\x55\xd6\x0a\xb2\xfb\xd7\x41\xf7\xaf\xc6\x62\xba\x22\x17\x94\xdc\x68\xcd\x71\x9e\x56\x8c\x7f\xdf\x36\x7f\x35\x7a\x99\xb9\x40\xe7\x29\x5b\x65\x26\x27\xe8\x48\x13\xbe\xd8\x79\x4e\xfb\x61\x27\x43\xec\xe4\x47\xfb\xe9\xc3\xfd\xec\x43\xfd\xd1\x9f\xb7\xdd\x5f\x6f\xef\xef\x1d\x3b\x59\x05\x48\x8c\x71\xe6\xc0\x9f\x43\x3c\x63\x72\x3a\x6e\xbf\xa1\x80\x89\x3b\xcc\xc9\xb7\xf0\x0f\x49\x45\x7e\x66\x49\x2d\x8d\x8a\xb3\xf9\x11\xdc\x3f\xa8\xc7\x86\xb2\xba\x5a\x9a\x17\xfe\xaf\xa7\x8c\xd7\xc2\xfc\xf7\x82\xf5\xb2\x38\x7f\x1c\x0e\x36\xe0\x99\x97\xfa\xe8\xc5\x3e\xf6\x42\x5f\xf4\x73\xf6\xda\xfe\x83\x7d\xb3\xaa\xb1\x55\x55\xf4\x58\x41\xe5\xc3\xae\xc6\xe2\x2b\xc6\x9f\xe2\xb1\x49\xcf\x5d\xf0\x5d\x9b\x88\xc5\x5e\xd3\x1d\xd2\x3f\x2a\xe5\xf8\x8d\x73\xff\x49\x51\xc9\x99\x41\x56\x72\x31\xaf\xc7\xd4\x5b\xe6\x98\x0a\xff\x42\x59\x56\xcb\x45\x39\x15\x13\x57\xe4\x0e\x4b\xeb\x59\xf2\xdd\x93\xef\x00\xd8\x97\x8f\x6f\xe3\xdd\xaa\xca\x3d\xee\xe4\x1a\x37\xb8\xec\x43\x59\x94\x7d\xe8\xe4\x22\x38\x7b\x98\x0e\xb2\xfd\xf1\xb4\x1d\x86\xf1\x3d\x6e\x35\x52\xe7\xcc\x5a\x41\xd2\x96\x47\x57\xfc\xd2\x4e\x4a\x1b\xdb\xaf\x3a\xc2\x83\x65\x35\x6f\xef\xb5\xa4\x4a\x45\xca\x5d\x67\xdf\xbc\x97\xbd\x2f\x42\xf7\xe4\x54\x4d\x5e\x5a\x4f\x47\x9f\xcc\xa9\xa5\x92\x9c\xab\xc4\xce\xcc\x5c\x76\xde\x9c\x8a\x1a\x13\x87\x1b\x37\x36\xaf\xe6\x93\x7b\xcc\xc3\xa6\x54\x4d\x5e\x4c\x9f\x91\x2b\x4e\xa2\xe2\xbc\x9a\x9f\xe4\xc7\x8e\x1b\xcb\x66\xb1\x09\x3a\x1c\xbc\xc0\xd8\x2d\x66\xce\x6b\xe8\x01\x3e\x73\x5e\x49\xf7\x7e\xbc\x6f\x3b\x99\xb7\x65\x3d\xf2\xc7\xfd\x1f\x39\xb1\xed\x66\x3f\xe8\xc6\xa5\xf0\x87\x3e\xc6\x46\xcd\x87\x1e\x8f\x9b\x8f\xd6\xee\xac\x99\xaf\xe8\xcd\x36\xff\x71\xd7\xc0\x0c\x5a\x03\x33\x7f\x71\xa1\xde\xc8\x3c\xe1\x19\x99\x79\x55\xbf\x2b\x87\x26\xfb\x93\x7d\xf4\xaf\xfb\xd8\xfb\xfa\xa2\xef\xb5\x6d\x58\xc5\x72\xb7\x4b\xc6\x07\xdd\xf8\x4e\x0a\x97\x21\x77\x04\xcb\xb9\xb5\x8a\xe5\x07\x5f\x5d\x95\x4a\x55\x69\x28\xee\xcf\x83\x71\x2e\x7f\x7d\x34\x6e\x0f\xf9\x4f\x6a\xa9\xaa\x69\xee\x3b\x50\xf3\xa9\xf8\x0e\xfb\xcf\xee\x35\xf2\x09\x3a\xc6\x8e\xc6\x0f\xdb\x6f\xe5\x6e\xf7\x5b\x59\x7d\x67\x9b\x21\x16\xfc\xf6\x3e\x7a\x6b\x1f\xfb\x67\xd1\x7f\x6a\x8d\xde\xd2\x42\x25\x2f\x6b\xe2\xd6\xb5\x35\xb9\x7a\x51\xa3\x9b\xbf\xf2\xd1\x5a\x36\xd6\x13\x62\x75\x22\x3b\x39\x3f\xe6\x3c\x14\xac\xca\x3d\xb8\xdc\x35\x10\x7f\x85\x68\xc2\x63\xb8\xdf\xd6\x47\xdf\xc7\xde\x12\xfd\x27\xee\x4e\x28\x25\xab\x0f\x23\xf6\x55\x04\xef\xd2\x2b\x52\x29\x2f\x69\xf9\x98\x52\x32\xac\x92\xc3\x92\xcc\x87\x61\xf6\x44\xd1\x7d\xfa\xc0\x23\xac\x53\xf1\x6d\xba\x71\x01\x4f\x1f\x7c\x47\x42\x35\xac\x5e\xe0\x48\xa8\xc2\x26\xde\xc9\x48\xa8\x6b\x15\x4f\x2f\xbe\xd1\x47\x7f\xd3\xc7\xfe\xaa\x2f\xfa\x35\x17\x6b\xbe\x7c\xf9\x75\x41\xbd\x90\x62\x86\x39\xb6\x23\xc3\x8b\x45\x55\xc4\xa0\xfb\x76\xc1\xf2\x41\x94\x25\x63\x11\x17\xab\x5c\xd7\xd4\xb5\xc2\x75\xdb\x5d\x24\x26\xb5\xb6\x56\xe2\x2c\x5e\x17\x48\xcf\x68\x5e\xd1\x5d\x2d\x9b\x6e\xc4\x5b\xaa\x76\x53\x36\xbe\xcf\x79\xd9\xf2\x22\xd7\xb4\xe1\x3b\xf4\xfd\xc6\xe7\xc2\x8d\xeb\xbe\x3a\x48\xbb\xac\xef\x85\xf1\xd9\x53\x72\xb2\xce\x7e\x6f\x90\xfd\x46\xbf\xeb\x73\x50\x3f\xd2\x6e\x41\x9c\x96\x7c\xdc\x38\x4c\x58\x3c\xf3\x4f\x5b\x2d\x84\xee\x39\x3a\x25\xac\xed\x11\x3a\xc4\xad\xed\x3e\x4a\xd1\x48\xe0\x12\xc6\x18\x1f\x1e\x2f\x2a\xee\xb6\xa1\x58\xb9\xb9\x70\x33\x3c\xc8\x9e\xa8\x36\xc3\xe6\x15\x1a\x95\x20\x40\x48\x1c\x42\xe2\x10\x12\x87\x90\x38\x84\xc4\x21\x24\x0e\x21\x71\x08\x89\x43\x48\x1c\x42\xe2\x10\x12\x87\x90\x38\x84\xc4\x21\x24\x0e\x21\x71\x08\x89\x43\x48\x5c\x47\x43\xe2\xfe\x34\x42\xf7\x8b\x90\x38\xf9\x4d\x15\xb9\xc4\x1f\xd5\x18\xfb\xad\x08\xfb\xbf\x22\x44\xce\x9f\xa2\xd1\x02\x57\x41\x58\x51\xb5\x55\x7b\xfc\xa4\x18\x67\x41\xc9\xd7\x14\xe4\xca\x8c\x7d\xe8\xe4\xfc\xdc\x19\xe3\xcf\xad\x0b\x19\xa8\x69\x68\xa2\xa6\xa1\x89\x46\x1a\xca\x2a\x74\x41\x30\xb4\x33\x34\xc3\x19\xda\x29\x3a\x41\xc7\x9a\xf0\xfc\x5b\xf7\x18\x86\xd4\xd8\x9f\x5f\xa3\x21\x31\xbc\x42\x51\xc1\x8e\x2d\x2c\xab\x79\x5d\xce\xad\x69\x4a\xe5\x36\xff\x45\x91\x75\xf6\xa9\x6b\xec\x23\x83\xf4\x2a\x71\xa4\x1d\xe0\x31\x56\x9f\x70\xce\x73\x49\x2b\xde\x90\x90\x5c\x48\xc6\x8d\x13\xc4\xbf\xcd\x68\x8e\x9a\x63\xba\x1c\x76\xa2\xc6\x16\xf0\x20\x6a\x6c\x01\x0f\x02\x0f\x02\x0f\xf6\x10\x1e\xec\x22\xe1\xd1\xae\xc1\x83\x50\xc4\x04\x1e\x04\x1e\x04\x1e\x04\x1e\x44\x8d\x2d\x48\xf6\xdd\x3d\x34\xaf\xeb\x25\xfb\xb6\x64\x8d\xad\x9b\x34\x2f\x00\xd7\x1c\x9d\xe1\x80\x6b\x92\x4e\xd1\x89\xc0\x20\x31\x53\x98\xd4\x0a\x71\xaf\xc1\x44\x0d\x45\x8d\x85\x55\xda\xba\x1a\x1e\x55\x76\x94\x1d\x0e\x4a\x9e\x12\x5d\x74\x22\x7e\xbd\x1d\xa4\xf8\x6f\xee\xa8\x01\x66\x51\xbb\xec\x56\x2d\x1b\x7b\x42\xfc\xd6\x21\x3a\x26\x60\xd6\x45\x7a\x8a\xce\x55\x25\x1c\xd5\x11\x7f\x0c\x7d\x2a\xc8\x38\x42\x66\x66\x93\x99\x99\x3f\x1c\xd9\x90\x0e\x69\xe8\x54\xa4\xa7\x45\x9e\x67\x96\xce\x3a\x79\x9e\x77\xd8\xe4\x25\x51\x83\xeb\x1c\xcd\xb9\x6a\x70\xdd\x61\x9b\xcd\xdb\x30\x5e\x31\xab\xbd\x36\x2c\xf9\xd7\x23\x35\x36\x6c\xd0\xb7\x2c\x57\xad\x3d\x4b\x89\xe3\x3c\xf6\xcc\x29\xce\xd5\x6e\xcb\x86\x8a\x5c\xe0\xbe\xe0\xbe\xe0\xbe\xe0\xbe\xa8\xc8\x85\x8a\x5c\xa8\xc8\x85\x8a\x5c\xf0\x3f\xc0\xff\x00\xff\x03\xfc\x0f\xf0\x3f\xb4\xc4\xff\x80\x8a\x5c\xa8\xc8\x85\x8a\x5c\xa8\xc8\x05\xf7\x1e\xdc\x7b\x3d\x54\x91\xab\x31\xdc\xdc\x18\x5d\xae\x15\x84\x6a\xb9\xae\xd3\x0b\xc3\x74\x20\x44\xd7\xc9\x9a\x2e\x6f\x5c\x53\x2b\xb6\x9a\x2e\xfb\xdf\x86\xd9\xff\x70\x29\x18\xc5\xb8\x62\xae\x77\x2f\x6a\xc1\xbf\xa7\x8d\x13\x93\x8f\x1b\x47\x08\x19\x0f\x47\xb4\xc8\x73\x48\x8b\xc5\x71\xaf\xd2\xa4\x98\x25\x13\x74\x84\xcf\x92\x71\xda\x47\xa9\x50\xd5\x0d\x4f\x97\x42\xa7\x46\x7d\x99\xda\x1b\x17\xc3\x67\xc3\x08\x4b\xfa\x94\xb0\xb2\x25\x3a\xbc\xdd\x89\xfe\xc6\x76\x67\xcc\xf7\x58\x12\xb7\xf5\x86\xfd\x09\xf3\xa0\x0e\x8e\x7c\x66\x9a\x32\x74\xba\xca\x6b\xba\xe1\xa1\x07\x59\x83\xab\xb4\x49\x57\xe9\xcf\xf6\xb5\xe2\xd5\x9f\x15\xfe\xd1\x53\x74\xc2\xf1\x8f\x76\xd6\x84\x94\xd7\x1a\x36\x21\xf5\xcd\x86\xdb\xc0\x24\xff\xee\x3e\xc7\x84\x7c\x8f\xb9\xbc\x95\xaa\xac\xc6\x1e\xf1\xf7\x4e\x1a\x8d\xf6\x38\x24\x61\x44\x42\x8c\x08\xa0\x78\x47\xa0\x38\x68\x08\x68\x08\x68\x48\xbb\x68\x48\xf6\xe7\x5a\xf2\xc5\x3f\x23\xc2\x97\x4e\xd3\x49\x57\xf8\x52\x3b\x3e\xf9\x31\xff\x4f\xfe\x0e\x76\x8f\x18\x90\xd6\x7f\xf5\x33\xdf\xb8\xd7\xf9\xea\x8f\xd4\xe8\xce\xd7\xdb\x41\xc4\xb9\xf2\x71\x87\x96\x02\x90\x98\xef\xb5\x05\x08\x24\xe6\x21\x31\xbf\xc9\x12\xf3\x57\x83\x65\xb2\xef\xfc\xab\xd2\xb0\xb2\x7c\xab\x4d\x7e\x76\x82\x8e\xb0\x43\xf1\x03\xb6\xd0\xf4\x43\x6e\x9d\x6a\xcf\x79\x9b\x21\x52\xdd\x72\x94\xf9\xd9\x14\x3d\x2d\xf4\x3a\xa4\xfc\xaa\xc2\xf5\x12\x34\xb9\xa0\xf0\x2f\x81\xa2\x96\xaa\x2b\x84\x71\xd3\x29\x19\xf3\xec\x96\xbc\x7c\x5d\x55\x6f\x7a\x42\x1e\x6d\xce\xf9\xf5\x51\xf6\xee\x01\x7a\xc4\xb7\x49\x3b\xe4\x37\xed\x43\x3f\x17\xed\xf6\xaf\x88\xf6\xa7\xdc\xed\x27\x4f\x1a\xa7\x4c\xfa\xb5\x6a\x86\x02\xd7\x3f\xbf\xc5\xac\xf4\xed\x7d\x74\x5d\xcc\x74\x89\x96\xf8\x4c\x7f\x1d\x5d\xa1\x67\x82\xab\xfc\xfb\x8e\xb0\x15\xc4\x5d\xbf\xeb\x77\xca\x54\xbf\x2f\xfc\x3d\xb9\xca\x9e\x33\xdf\x93\x7a\x53\xc1\x7c\x83\x42\x7a\x5b\x03\xe1\xa3\x1f\xa2\xb0\xf9\x70\xc0\x9f\xcc\x86\x4c\x89\x49\xf3\xac\x6e\x99\x15\x99\x9b\xa4\x50\xa1\x6a\x2d\xd4\xae\x59\x81\x85\x12\x70\x6f\x93\xb8\xf7\xff\xed\x0b\xfe\x7e\x77\xce\xaa\xad\x0a\x5c\xbc\x42\x79\x07\x17\xb7\xef\x72\x96\xad\xdc\x6c\x63\x18\x42\xaf\x93\xff\xb8\x2b\xcc\x56\x26\x6c\x04\x1d\x62\x1e\x4f\x8b\x03\xbb\xc6\x3a\x02\x58\x03\x58\x03\x58\x03\x58\x03\x58\x03\x58\x6f\x18\x58\x7f\xba\xaf\xc5\x31\x4c\x1b\x4f\xbd\xbd\xf3\xb8\xa8\x70\x8c\xbd\xd9\xcb\x93\xcc\xbb\x5e\x19\xb6\xfe\x38\x11\x02\xc3\x43\x56\x25\xa7\x38\xbd\xe9\x86\x45\x09\xd0\x79\xaf\x2d\x85\x80\xce\x81\xce\x37\x19\x9d\x77\x15\x38\x0c\x45\xec\x9b\xfd\x39\xca\x9e\xa3\x39\x76\x26\x3e\x63\x63\xf5\xa4\x1b\xc9\xd7\x6f\xad\x03\x45\x5e\x7f\x75\x88\x8e\x0b\x82\x5e\xaf\x70\xad\x4d\xd0\x79\xf8\x37\x3f\x54\xe7\x65\x68\x75\xf6\xcd\x04\xfb\x6f\x03\x21\x45\xcf\xd7\xcd\x1c\xb5\x52\x5e\x59\x57\xf2\x6b\x52\xd1\x2d\xc7\x24\xd9\xf9\xa0\x4e\x75\xdb\x94\x6b\xd7\x30\x61\xef\x37\x12\xbc\x99\x84\x23\xc7\xe0\xc9\xaf\x57\xcb\xb2\xbd\x19\xd4\x2b\xb2\x94\x4f\x25\x53\xb7\x1a\xae\x9b\x7e\x5e\xd1\x2b\x5d\x2e\xb3\xbd\x41\xb9\xa8\x3a\xdf\x5a\x2e\x8b\x35\xb3\x2e\x97\xc2\xe5\xa2\xf6\xf8\xbf\x5f\x3b\x19\xf1\x8e\x09\xcd\xa8\x4e\x56\xe0\x47\x2d\x42\x88\x8d\xa3\x16\x21\x44\x67\x20\x3a\x03\xd1\x99\x1e\x12\x9d\x41\x2d\x42\xd4\x22\x84\xd8\x07\xc4\x3e\x20\xf6\x01\xb1\x8f\xae\x10\xfb\x40\x2d\x42\xd4\x22\xdc\x2a\xf2\x06\xa8\x45\xd8\x8e\x5a\x84\x7f\x3f\x44\x07\x05\x3a\x2c\xa9\x79\xd9\x9f\x14\x6a\x6b\x25\xe3\xae\x73\x45\x49\xd7\x65\x3b\xc0\xf6\xd3\x43\xec\x7f\x0e\xd0\x4e\xe3\x34\x9b\x11\x7e\xa2\xcf\x1c\x7b\x17\x19\x2c\x59\xd6\xcc\xaa\x9e\x77\x49\x34\x37\x65\x34\xd7\x12\x46\x38\xe2\x2c\x5f\xf8\x12\xcd\xfc\xd8\x19\x2b\x20\x67\x5d\x96\xf0\x2c\x85\x5d\x6d\xa7\x92\xbb\xf9\xe5\x2e\xa8\x79\xd9\x24\x8a\xee\x1e\x82\x27\xd6\xf2\xc4\x0d\x69\x65\xb8\xe6\x95\x15\xfa\xee\x1a\x5e\x9f\xc8\xb4\x60\x6f\x00\xbf\x6d\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\xc3\x4e\xc3\xc3\xa3\x74\x98\x1d\x8c\xef\xb7\x83\xa2\x1e\xf4\xe4\x29\xbb\x36\x79\xed\x0f\x81\x02\x77\x04\x77\x04\x77\xdc\x42\xdc\xf1\x37\x13\x34\x26\xb8\xa3\xb6\x2c\xe5\x52\x16\x63\xaa\xca\xf8\x1f\xd3\xd4\xa2\xbc\xac\x94\xf2\x4a\xa9\xa0\xb3\x77\x27\xd8\xdb\x06\xe8\xd5\xc6\x09\x93\xee\xe3\x97\xd6\xd3\xd1\x61\xb1\xca\xd4\xcc\xef\xa3\x65\x40\x6d\xe6\xa8\x16\xe5\x8c\x68\x27\x39\x6e\x1c\x7a\xa9\xba\x91\xc5\xb4\xeb\x98\x59\x55\x9b\x2c\x16\x6d\xd1\x9c\xae\x87\x80\xaf\xa7\x29\x01\x01\x8f\xd3\x04\x87\x80\x07\x68\x9c\xf6\x05\x06\xf3\xf2\x21\x5f\x4f\xa7\x5c\x77\xdc\x50\xd9\xc9\x7c\x38\xf7\x9b\x64\xa7\x4c\xee\x17\xf8\x5c\x2d\x0a\xe8\x5c\xdc\x23\x7f\x11\x56\xdc\x12\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xb1\x83\x60\x78\x60\x78\x60\x78\x9d\x62\x78\x9f\x4a\xd2\x21\xc1\xf0\xf4\xdc\x75\x39\xbf\x56\x34\x56\x6b\x55\x11\x84\x65\x4d\x51\x35\xa5\x72\xbb\x2a\x78\xf0\xdb\xc3\xec\x27\xfb\x89\x39\xe7\xd9\x21\x84\x7e\x05\x89\xe6\xcd\x46\xb8\x33\x21\x19\x37\x8e\x58\xb0\xcf\x34\x63\xf6\x3c\xc7\xb4\x58\x65\x73\x63\x75\xab\x52\xae\xd1\xb0\x12\xe4\x3d\xbd\x0b\xe5\x6c\xb9\x70\xce\x76\x9a\x9d\x34\x39\x5b\xcd\xd8\x5b\x65\xa9\x3c\x97\xdc\x88\x00\x5c\x41\xae\x50\xf4\x6d\x3b\x7c\x1f\x4f\x40\xed\x22\xef\x13\x7a\xd2\x3c\xa8\x93\x0f\x29\x73\x91\x9e\xa2\x73\x55\x2a\x26\x77\xf2\x94\x20\x63\x02\x61\xcb\x26\x85\x2d\x7f\x6d\x63\x22\x51\xe1\x06\xe3\x69\xa1\x51\x99\xa5\xb3\x8e\x46\x65\x9b\x6d\x50\x48\x75\xa3\x4e\x98\xa8\xe4\x87\x76\xf9\xda\x20\xa7\xf8\x91\xd7\xec\x3c\x21\xfe\xde\x51\xab\x03\x31\x49\x88\x49\x42\x4c\x12\x62\x92\x10\x93\x84\x98\x64\x6f\x8a\x49\x76\x64\xb3\x12\xaa\x58\x99\xf9\x89\x9d\xbe\x6b\x85\xb0\x92\x49\xde\x15\xc4\x1e\xae\x37\xd6\xa9\x05\x04\x84\x1f\x7b\x6d\xd9\x02\xe1\x47\x08\x3f\x6e\xb2\xf0\xe3\x5d\xc9\xb2\xc2\x04\x24\xeb\x97\x54\xf2\xb4\xde\x01\xb9\xc6\x4f\x0c\xd3\x61\xb3\xe0\x51\xb9\xac\xd7\xa9\xe0\x9e\x97\xcb\x45\xf5\xf6\xaa\xb1\xb8\xb0\xc0\xe9\x37\x87\xd8\xd7\x22\x74\x8f\x71\xe2\xd2\x7a\x3a\xfa\x88\x0f\x2d\x9d\xb6\xcf\x4a\x3e\xca\x8b\x15\x95\xcb\xba\xbb\x02\xa0\xf3\x7b\x8b\x31\xe9\xeb\xe8\xa4\x98\x5a\x87\xe9\x20\x9f\x5a\x63\x34\x4a\x7b\x83\x25\x45\xcb\x65\x5d\x6c\x7d\xad\xfe\xdc\x69\x85\xa1\x0b\xe1\x73\x6d\x2f\x1b\xb6\x64\x42\xcb\x65\xdd\x9c\x5e\xae\x1e\xb8\x23\x11\xa3\xff\x6e\xbb\x33\xd2\x31\x7f\xf0\xe9\x1a\xec\xc7\xad\x32\x40\x1d\x1a\xef\x0c\xcf\xf4\xae\xfa\x7c\x6f\x6c\xc0\xf1\xc5\x06\xe3\x6c\x92\x71\xfe\x54\x9f\x88\x39\x4e\xf3\x98\x63\x9b\x4a\xb6\xec\x95\xbf\x53\x5b\xd2\x20\xc7\x6c\xcc\x64\xd4\x35\x13\x6e\x7b\x92\x7c\x7e\x97\x63\x32\x1e\xb0\x39\xa5\xcb\x4a\x98\x9b\xc7\x8e\x19\x09\x00\x4a\x00\x4a\x00\x4a\x00\x4a\x00\x4a\x00\xca\xde\x04\x94\x8d\x7d\xe2\x83\xbe\xe8\x35\x9f\xfe\x06\x58\xe4\x5f\xdc\xeb\x2c\x02\x86\x43\x00\xa4\x6b\x69\xf0\x98\x28\x49\xd3\x81\x95\x01\xc8\x63\xaf\xad\x47\x40\x1e\x41\x1e\x37\x99\x3c\xb6\x1f\x0f\xb5\x98\xff\x84\x63\xc5\xc3\x74\x90\xed\x8f\xa7\x6d\xac\xf8\x3d\x6e\xac\xe8\xb4\x7a\x57\x94\x69\xff\x56\x84\x1e\x11\xd4\x32\x27\x6b\x66\xcc\xa8\xac\xbb\x72\xb5\x19\x0f\x5f\xa6\xfb\xdc\x3f\x1b\x5f\xc0\xd7\x16\xe4\x8a\x37\xaf\x42\x44\xac\x26\x1f\x29\xc8\x95\x29\xd7\xc1\x8b\xe9\xc9\xf9\x39\x2b\x91\xaf\x85\x7e\xb6\x9a\x86\x26\x6a\x1a\x9a\x68\xa4\xa1\x6c\x99\x9e\x11\x33\xd8\xf8\x7c\x19\x33\x78\x96\xa6\x29\xd3\xc4\x47\xcb\x75\x9f\x8d\x24\x5e\xb3\xaf\x47\x28\x6a\x8e\xbd\xaa\x6a\x79\xa5\xe4\xc9\x93\x67\xbf\x1b\x61\xbf\x1d\xa1\x9d\xee\xdf\xa2\xd1\x02\x5f\x03\x1b\x2b\x71\x3b\x68\x59\x8a\xf1\xb9\x9f\x34\x9e\xc8\x94\xeb\xe0\xc9\xf9\xb9\x33\xc6\x0f\x5d\x38\xe4\x0a\x5d\x10\x43\x7e\x86\x66\xf8\x90\x9f\xa2\x13\x74\xac\xb9\x21\xe7\xf7\x18\x3a\xd6\x9f\x4c\x50\xd2\x54\x44\x95\x2b\xb7\x54\xed\xa6\x27\xaa\xd9\xfa\x23\x5f\x6d\x2b\xb2\xce\xde\x91\x60\xdf\xea\xa7\x57\x3a\xc7\x1a\x53\x7e\x6f\x7d\x35\x82\x0b\xe2\x60\xb1\xde\x4e\x8e\x1a\x07\x5f\xb0\xcf\x5f\x4c\x7b\x7e\xde\x6a\x52\x04\x2b\x74\x4e\x3c\xb0\x69\xca\xf0\x07\x76\x9c\xea\x2c\xec\x52\xae\x31\x5e\x4f\xa7\x3c\x77\xde\x90\x24\x41\x88\x58\xc0\x8d\xd7\x87\x7f\x12\x8e\xb1\xa3\x96\x54\x69\xf5\x03\x37\xbf\x0f\x9e\x6e\x79\x3e\x11\x10\x23\x80\x18\x01\xc4\x08\x20\x46\x00\x31\x02\x88\x11\x40\x8c\x00\x62\x04\x10\x23\x80\x18\x01\xc4\x08\x20\x46\x00\x31\x02\x88\x11\x40\x8c\x00\x62\x04\x10\x23\xe8\x94\x18\xc1\x7f\xb8\x46\x7b\x4d\x31\x82\x8a\xaa\x49\x85\x9a\x5a\x46\xe6\x9f\x4d\x21\x02\xf6\x9e\x6b\xec\xe7\x06\xe9\x3e\xf3\xaf\x76\xbe\x48\xb2\x3e\xb9\x5b\x10\x87\x8b\x6c\x91\x47\x8d\x63\xcd\xbf\x98\x99\x22\xee\xdf\xbb\x9c\xd4\x65\x80\xae\x80\xae\x32\x40\x57\x40\x57\x40\x57\x40\x57\x3d\x83\xae\x32\x5d\x83\xae\x5a\xde\x93\xa6\xd1\x55\x06\xe8\x0a\xe8\x0a\xe8\x0a\xe8\x0a\xe8\xaa\xf3\xe8\x2a\xd3\xd3\xa4\x29\x03\xd2\xd4\x3e\xd2\x94\xe9\x76\xd2\x94\xd9\x82\xa4\x29\x5b\x08\xce\x59\xdc\x58\x6a\xbd\xc9\xa9\xac\xbc\x7a\x37\x3b\x3a\xaf\xe8\x76\x06\xe3\x52\x78\x08\xd3\x71\x36\x61\x65\xd0\x7b\xe0\x97\x19\xbf\xe4\x6e\xd9\x27\x7b\x3e\x24\x86\x2a\xfe\xe1\x1d\xb5\x9c\xec\x35\xe2\xb3\x14\x93\xbc\x48\xcc\xfc\x5a\x75\x00\x8a\x09\x86\x75\x8e\xe6\xe8\x4c\x55\x1e\xc1\x61\x3a\xd8\xd4\x98\x23\x89\x00\xc9\xd0\x4d\x26\x43\x3f\x1f\x11\x61\xaa\xe3\x3c\x4c\xd5\xc9\x6c\x3a\x4a\xcd\x4e\xc6\x60\x1b\x73\x56\xd8\x98\x49\x3a\xc5\x6d\xcc\x1d\x5c\xe2\x29\x91\xbf\x3d\x4b\xd3\x4e\xfe\x76\xf3\xcd\x85\x47\x64\x96\x55\xbd\x42\x0d\x9a\xb3\x1a\x2b\xd5\xb0\x7d\x4b\x7e\x6d\xa4\xd6\x5c\x3d\x6e\x66\xd8\xb9\xd2\x15\xd5\x15\xaf\xe9\x4a\x9a\xea\x91\x1e\xd3\x35\x65\x1f\xdf\x46\x23\xd6\x9e\x14\x6d\x90\x5d\x90\x5d\x90\x5d\x90\xdd\xde\x21\xbb\x58\xbf\x85\xac\xdf\xba\x07\x7d\x43\x1e\xa3\x23\xf2\x18\xf0\x30\xc0\xc3\x00\x0f\x03\x3c\x0c\xf0\x30\xf4\xb4\x87\x01\x2a\x49\x50\x49\x82\x4a\x52\xbb\x54\x92\xe0\xc0\x83\x03\xaf\x57\x1d\x78\x1b\x94\x93\xbe\x73\x31\xaf\xa4\x3f\x5d\x7e\x80\xdd\x2f\xde\x66\xc7\xd2\x36\x4a\x9a\x9b\x77\x9c\xb5\x5e\x63\xe5\x4f\x13\xf4\x90\x31\xa9\xc6\xd6\xd3\xe2\x89\x8e\xf1\xc7\xa8\x71\x8f\x08\xfb\xf5\x04\xfb\xf8\x00\xdd\x93\x53\x35\x79\x69\x3d\x1d\x5d\x37\x57\x98\xa5\xbc\xb2\xae\xe4\xd7\xa4\xa2\xdb\x5d\x2a\xd9\xbb\xb9\xf3\x46\x0b\x97\x8c\x1f\x52\xae\x4f\xf6\x84\xfd\xb1\x4f\xf0\x66\x12\x0e\x4c\xf5\xd0\x31\xb5\x2c\xdb\x1b\x72\xbd\x22\x4b\xf9\x54\x72\x98\x9f\x30\xa5\x6a\xf2\x62\xda\x69\xfc\xbc\xa2\x57\xb6\x9a\x56\xc5\x4d\x9a\x17\x93\x77\x8e\xce\xf0\xc9\xcb\x15\x95\x9b\x98\xbc\xdc\x63\x3d\xb3\xde\x88\x46\xd1\xf9\xf0\x49\x39\xcc\x12\x3e\x6a\x74\xf1\xb8\x39\x29\x9d\x31\xa7\x1b\x7b\xfc\x5f\x87\x9d\x8c\xf8\x6d\x72\xff\x2d\x34\x2a\x10\xe8\x0f\x8d\x0a\xb8\x83\xe0\x0e\x82\x3b\xa8\x87\xdc\x41\xd0\xa8\x80\x46\x05\x30\x3c\x30\x3c\x30\x3c\x30\x7c\x57\x60\x78\x68\x54\x40\xa3\x62\xab\x80\x47\x68\x54\xb4\x43\xa3\xe2\xcb\x43\xb4\xdf\x8b\xf7\x02\x0a\xbf\x59\x8d\xbd\x71\x4d\xad\x48\x3a\xfb\x99\x21\xf6\x29\x17\xf8\xbb\xdd\x18\xf8\xb3\x76\x78\x4f\x1b\x8d\xb4\x88\xfd\x0d\xba\xd8\x9f\x53\xa2\xc0\x73\xa5\xf3\x8a\xde\xba\x4a\x05\x77\x11\xf8\xbb\x18\x0e\xfe\x46\x58\x52\x20\x3e\xcf\x80\xfa\x15\x9b\x8a\xc7\xc1\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xba\x92\xfd\x6d\xbd\x82\x4f\xa0\x8b\xa0\x8b\xa0\x8b\x5b\x88\x2e\xfe\x55\x92\x66\x85\x02\x6e\x5e\xd1\x73\xaa\x61\x56\xdd\x75\xab\xfc\x49\xa3\x5c\xca\x97\x55\xa5\x54\xd1\x8b\x8a\xfd\xd3\x5b\xd8\xff\x91\x64\x3f\xdc\x4f\x3b\xed\x76\x96\xd6\xd3\xd1\x98\x26\x4b\xf9\xaa\x4d\xef\x8c\x79\xf6\x82\x71\x76\x72\xd0\x38\x62\xda\x3a\xc7\x0d\x08\x3d\xc7\xb5\x36\x7b\x3e\x2b\xd1\xac\x60\x79\xa7\xe8\x04\x67\x79\x87\xe9\x20\xed\x0f\x94\x30\x70\xc6\x66\x3d\x9d\xf2\xf4\x2b\x94\xe0\x05\x97\x92\x2f\xc8\x15\xba\x71\x2d\x1c\xf0\x4d\xb0\x23\x26\xc0\xab\x7e\x44\x66\x6c\x9f\xb7\x43\x6e\xf0\x17\xfd\xda\xf6\xaa\x07\xb2\x47\x93\xcb\x45\x29\x57\x5d\x50\xd6\xfb\x4c\x86\xcd\x83\x3a\xfd\x58\x32\x73\x74\x86\x66\xaa\x94\x59\x9a\x7b\x2e\xc8\xeb\x85\x2e\x4b\x93\xba\x2c\x1f\xe9\x6b\x99\x71\x38\x27\xc4\x52\xa6\x29\xe3\x88\xa5\x6c\x82\xa5\x29\xaf\xb5\xdd\xd2\x24\x7f\x7a\x57\x95\xa5\x79\xad\x99\x79\x23\x95\xaa\xac\xcb\x90\xf8\xa1\xe3\xc6\xa5\x3d\x8a\x29\xb0\x33\x21\x76\x06\x59\xfb\x1d\xc9\xda\x47\xba\x26\xd2\x35\x91\xae\xd9\xae\x74\xcd\xec\xa7\xfb\x5a\x9c\xb3\x76\x49\x48\xbf\x9d\xa3\x39\x97\xf4\x5b\x9b\xf3\xe0\x62\xfe\x2b\x84\x1d\xec\x1e\x31\x4c\xed\x5e\x24\x64\xde\xbd\xb3\x6a\x91\x30\x52\x96\xb4\x8a\xc2\x9d\x98\x62\x5f\x5b\x77\x5f\x92\xe0\x15\xd4\x3b\xb9\x70\x78\xb8\xba\x21\x51\xd6\x7f\x2f\xaf\x4e\xbd\xdb\xfd\xe3\xaa\xac\x15\x64\xf7\xaf\x83\xee\x5f\x75\xab\x8c\xff\x68\xcd\x71\x9e\x56\x78\x5d\x7c\xf3\x57\xa3\x97\x99\x0b\x74\x9e\xb2\x55\x3b\xa2\x3a\xa5\x91\xeb\xcc\x91\x79\xee\xea\xc7\x72\x25\x64\xb9\xf2\xd1\x7e\xfa\x70\x3f\xfb\x50\x7f\xf4\xe7\x6d\x9b\xff\xf6\xfe\xde\xd9\x16\x55\x79\x47\x8c\x71\xe6\xde\x7e\xee\xc1\x33\x26\xa7\x13\xf3\x33\x14\x30\x71\x87\xf9\xa7\x4b\x04\x87\x48\x45\x7e\xa6\xb1\x46\x13\x67\xf3\x23\xf8\x7a\x49\x8f\x0d\x65\x75\xb5\x34\x2f\x82\x5f\x9e\x32\x5e\x0b\xf3\xdf\x0b\xd6\xcb\xe2\xfc\x71\x38\x78\xbf\x96\x79\xa9\x8f\x5e\xec\x63\x2f\xf4\x45\x3f\x67\x63\xb7\x0f\xf6\xcd\xaa\x5a\x8e\x2f\xe5\x0a\x2a\x1f\x76\x35\x16\x5f\x31\xfe\x14\x8f\x4d\x7a\xee\x82\x03\x55\xb1\xea\x5a\xd3\x1d\x37\xff\xa8\x94\xe3\x37\xce\x83\x27\x8a\x4a\xce\xfc\xaa\xca\xc5\xbc\x1e\x53\x6f\x99\x63\x2a\x82\x0b\xca\xb2\x5a\x2e\xca\xa9\x98\xb8\x22\x8f\x56\xb2\x9e\x25\x07\x9b\xbe\x03\x60\x5f\x3e\xbe\x8d\x77\xcb\x13\x79\xd3\x39\x38\xd5\x5e\x73\x7f\xe3\x31\xff\xef\xcd\x76\xf6\x0a\x3e\x0a\x94\x9d\xa0\x23\xec\x50\xfc\x80\xed\xe0\x78\x88\xbf\x56\xe6\x3b\xee\x69\x38\x3e\x60\xfc\xe4\x76\x5d\x6c\x3d\xe7\x08\xfb\x76\x82\x86\x04\x6c\x15\x91\x72\xd5\xd5\xc6\x44\x78\xa7\xf8\x8d\x7d\x3e\xc1\x7e\x73\x80\x5e\x25\xfe\xcf\xd6\x24\x7d\x63\x63\x61\x9c\x3c\xba\xb0\x45\xe1\x9b\x7b\x6f\xd9\xf1\x8a\xba\xa9\x70\xca\xff\x07\xc9\xdb\x8d\xc5\x70\x36\x12\x72\x79\xe3\x4a\xf8\x9b\x78\x80\x8d\x9b\x6f\xa2\x67\xf6\x58\xaf\x21\xef\x4b\xad\xdc\x00\x62\x39\x11\xcb\x89\x58\x4e\xc4\x72\x22\x96\x13\xb1\x9c\x88\xe5\x44\x2c\x27\x62\x39\x11\xcb\x89\x58\x4e\xc4\x72\x22\x96\xb3\xb3\xb1\x9c\x88\xb4\x44\xa4\x25\x22\x2d\x7b\x38\xd2\xf2\x43\x0f\xd1\x41\x2b\x8f\x3b\x20\xae\xd2\x78\xe1\x5c\x11\x95\x63\x3a\x77\xeb\xb1\xff\xfe\x20\xfb\x7a\xc4\xc9\xe4\x7e\x82\xc7\x54\x8a\xdf\xac\xc1\x75\xbe\xb4\x0b\xa2\x8d\xe4\xe3\xc6\x51\xd5\x39\xd7\xe6\x8f\xc2\x5d\xd8\xe2\x90\xca\x45\x3a\x26\xd0\xda\x01\x1a\xe7\x68\x6d\x84\x92\x34\x14\x48\xad\x8d\xbb\xe1\xae\x4b\xd1\xa5\x3b\x8d\xa3\x9c\x0b\xe7\x67\x83\xec\x89\x6a\x55\x44\xeb\xe2\x9e\x98\xc9\x0f\x6f\x77\xc6\x3a\x61\x85\x4b\x86\x0d\xf7\x13\xe6\x81\x1d\x1c\xf1\xcc\x49\x3a\x4e\x13\x55\xbe\xc1\x0d\x0c\x39\x7c\x81\x08\x91\x6c\x32\x44\xf2\xc7\xfb\xee\xec\x65\x3f\x2d\xe2\x22\x8f\xd2\x61\x27\x2e\xb2\x53\xe6\x82\x07\x43\xb6\xce\x5c\x64\xfe\xf2\x5e\xc7\x5c\xec\xab\x09\x67\x08\xb3\x1b\xf1\xb2\x9f\x36\x46\x9b\xac\x06\xa2\x19\x7a\xcd\x82\x21\x9a\x01\xd1\x0c\x9b\x1c\xcd\xd0\xe6\x75\x61\xeb\x2c\x79\x78\xb8\xc2\x01\x1a\x67\xfb\xe2\x29\x3b\xe4\xe0\x01\x77\xb8\x82\xd9\xe4\x5d\x11\xa8\xf0\x5f\x46\xe9\xbc\x08\x54\x90\xf2\xab\x0a\xf7\x75\x6a\x72\x41\xe1\x76\xdf\xd8\xdf\x38\x19\x62\xdc\x46\x4a\xc6\x84\xba\x25\x2f\x5f\x57\xd5\x9b\x1e\x0f\x95\x9d\x1b\xf6\x9e\x51\xf6\xff\xf5\xd3\x83\xbe\xad\x19\x1f\xce\xb4\x4f\x9e\xd8\xa2\xdd\xf4\x15\xd1\xf4\x94\xbb\xe9\xe4\x51\xe3\x94\x49\xbf\x06\x17\xd3\xf5\x4f\x6d\xf1\xc6\xe7\x9f\x51\x4e\x4c\xf0\xab\xf4\x1c\x9f\xe0\x3c\xd1\x20\x70\x82\xfb\x8f\xe8\x7a\x3a\x55\xbf\xd3\x77\xba\x41\x7a\x73\xf8\x7b\x72\x85\x3d\x63\xbe\x27\xf5\x9e\xba\xf9\x06\x85\xf4\xd6\xb3\xa3\xfa\x21\xaa\xf3\xe8\x0f\xf8\x67\xa4\x85\x3c\xfd\xe3\xe6\x59\x5d\x30\x01\x32\x2b\x94\xa7\xe5\xaa\x55\x4d\x1b\x66\x00\x56\x3b\xd8\xaf\x35\xb9\x5f\xfb\xcb\xbe\xe0\xd2\xe0\x1d\x31\x5e\xd7\xc5\x86\x4f\xa2\x25\x67\xc3\xd7\x96\x2b\x35\xb8\xff\xdb\x44\x6b\x98\xfc\xdb\x5d\x75\xac\x61\xc2\xca\x9a\x0b\x33\x80\xc7\xc4\x81\xdd\x60\xff\x90\x58\x87\xc4\x3a\x24\xd6\x21\xb1\x0e\x89\x75\x48\xac\x6b\x26\xb1\xae\x93\xa9\x70\xad\xcd\xe2\x6b\x3c\xb1\xae\xb1\x05\xc7\x86\x17\x13\x8d\xac\x50\x32\xdf\xdc\x59\x67\xc1\x71\x22\x24\x03\x2f\x64\x19\x32\xc1\xd1\xc8\x26\xaf\x42\xc0\xb5\x7b\x6d\xed\x03\xae\x0d\xae\xbd\xc9\x5c\xbb\x4b\xb0\xdf\x26\xee\x64\xc3\x81\xf9\x39\x9a\x63\x67\xe2\x33\x36\xfa\x4e\xba\x81\x79\xfd\x2b\xd5\x72\xf4\x96\x53\xee\x8f\xd8\xe9\x78\x39\x55\xd5\xf2\x4a\xa9\x0a\x6e\x8b\xa4\x3c\xbe\xba\xd7\xd9\xdb\x12\xec\xef\xfb\xe9\xd5\xee\x23\xed\xa4\xbc\x3d\x22\x6a\x5b\x33\xe3\x4d\xad\x35\xbb\xba\x12\x33\xc6\x34\x76\xde\x68\x21\x39\x62\x1c\x34\xe5\x3a\xdd\xcc\xa5\xe3\xbf\x6e\xb5\x3c\x3a\x99\xb2\x62\xf2\x4f\xd1\x24\x9f\xfc\xc7\xe8\x28\x1d\xae\xe3\xd4\x71\x8d\xaf\x39\x6a\x29\x7e\xe3\xe7\x15\x3d\x3c\x83\xae\xb1\x34\x55\xb3\xd0\xa9\xd1\x6a\x6d\x1e\x9c\xf9\x02\xf8\x3c\x68\xba\xf1\xa8\xff\x34\xbe\x87\x6d\x43\x39\x04\xa4\xd0\x21\x85\x0e\x29\x74\x48\xa1\x43\x0a\x1d\x52\xe8\x90\x42\x87\x14\x3a\xa4\xd0\x21\x85\x0e\x29\x74\x48\xa1\x43\x0a\x1d\x52\xe8\x90\x42\x87\x14\xba\x8e\xa6\xd0\x7d\x67\xd8\x0a\x4b\xf5\x2b\x56\x50\xb7\x38\xaa\x7f\xc9\x82\x5f\x1c\x66\x6f\xdb\x56\x25\x49\xf9\xc9\x3e\xf3\x91\xb8\x74\xb5\x4a\x96\x91\xb3\x90\x9e\x47\x9b\xac\x25\x3a\x5b\x23\xce\xb2\x86\x2f\xdd\xcc\x8f\xa0\xb1\x32\x72\xd6\x6b\x09\xcf\x12\xd9\xd5\x76\x2a\x29\x2e\xd7\x41\x6d\xcc\xbb\x48\xa1\x2b\x98\x63\xf3\x8e\xb5\x5b\x16\x15\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\xb1\xc3\x80\xb1\xb7\xe4\xc8\x81\x3f\x81\x3f\x81\x3f\xb7\x10\xfe\xfc\x1f\xd7\xe8\x98\xc0\x9f\x25\xb9\x72\x4b\xd5\x6e\x1a\x6b\xc9\xd0\x62\xad\x4a\xa9\xa0\xc9\xba\x2e\xeb\xec\x63\xd7\xd8\x7b\x07\xe9\x95\xce\xc9\x4b\xeb\xe9\xe8\x93\xf5\x63\x17\xe7\xc4\xd9\xc9\xc7\x8d\xc3\x2e\xd8\x67\xba\xf1\xa2\x79\x48\x97\x83\xc5\x0c\x20\x1b\x20\x5b\x06\x90\x0d\x90\x0d\x90\x0d\x90\xad\x67\x20\x5b\xa6\x6b\x20\x5b\xcb\x7b\xd2\x34\x64\xcb\x00\xb2\x01\xb2\x01\xb2\x01\xb2\x01\xb2\x75\x1e\xb2\x65\x7a\x9a\x3a\x65\x40\x9d\xda\x47\x9d\x32\xdd\x4e\x9d\x32\x5b\x90\x3a\x65\xdf\x40\x33\x22\x20\xeb\x24\x1d\xe7\x01\x59\x87\xe8\x00\x8d\x07\xa6\x7a\xba\xd0\xd4\x7a\x3a\x65\xb2\xa1\x86\xb2\x3c\x9f\x0d\x0f\xb2\x3a\xc8\xf6\x8b\x60\x2a\xb3\x5d\x3f\x2d\x8c\x1a\x36\x16\x9a\xe0\x19\xff\xfe\x1d\xd5\x54\xec\x7e\xf1\x19\x8a\x49\x25\x9b\x80\xed\x11\x7f\xea\x0c\x03\x13\xc8\x6a\x9a\x32\x74\xba\x4a\x56\x62\x1f\xa5\x36\x36\xf6\x10\x93\x80\x6c\x60\x93\xb2\x81\x7f\xd3\x47\x93\xe2\xdd\x9f\xa0\x23\xfc\xdd\x1f\xa7\x0d\xcf\x3f\x51\xcc\x38\xcd\x8b\x19\xdb\xda\x7f\xcd\xb4\x73\x46\xc8\x04\x9d\xa6\x93\x2e\x99\xa0\x66\x1a\x0a\x33\x44\xc1\xe6\xa2\xac\xea\x15\x6a\xd0\x50\x05\x9a\xa3\x60\x0b\x96\xfc\xd3\x91\x6a\x43\xb4\xdb\xd4\x6d\x72\x89\x60\xa9\x2b\xb6\x4d\x1a\x15\xbf\xba\x6d\xd2\x94\x7d\x60\xbb\xad\x53\x7b\x64\xff\x40\x68\x41\x68\x41\x68\x41\x68\x7b\x87\xd0\x62\x7d\x16\xb2\x3e\xeb\x1e\x84\x0d\xc9\xd5\x8e\x48\xae\xc2\x53\x00\x4f\x01\x3c\x05\xf0\x14\xc0\x53\xd0\xd3\x9e\x02\x28\x6f\x43\x79\x1b\xca\xdb\xed\x52\xde\x86\x23\x0e\x8e\xb8\x5e\x75\xc4\x65\x0b\xad\xd5\x81\x0f\x45\xca\x49\x7f\xa4\xfc\x00\xbb\x5f\xbc\xcd\x8e\xa5\x6d\x23\x5e\xde\x82\x39\x2a\xec\xdb\xc3\x94\xb1\xaa\x66\xd7\x15\xf8\xd0\x64\x1b\x5b\x1b\xab\x36\xcd\x18\x50\xcd\x16\xfa\xf8\x04\x17\xfa\xb0\xeb\xb4\x7e\xa6\x11\x8d\x8f\x4b\x4e\x8b\x53\x76\x8b\x5d\xa1\xf5\x91\xbc\xe5\x57\x34\xd6\xb7\xbf\x5d\x1e\x95\x9f\xbd\x19\x5c\xa9\xa1\xe5\x3a\x20\x0d\xcb\x7d\x5c\x09\x7f\x03\x0f\xb0\x71\x1f\xdf\xb3\x5d\x5f\xd2\xf7\x59\x40\xe8\x03\x39\x08\x10\xfa\x80\x87\x0b\x1e\x2e\x78\xb8\x7a\xc9\xc3\x05\xa1\x0f\x08\x7d\xc0\xb3\x00\xcf\x02\x3c\x0b\xf0\x2c\x74\x85\x67\x21\x9b\xa1\xd3\xec\x64\xfc\xb8\x0d\x42\x1e\x77\x0b\x7d\xf8\xee\xdd\x20\xf8\xb1\xd5\x89\x2f\x04\x3f\x20\xf8\xb1\xb5\x52\x2f\xd8\xaf\x24\x68\x54\x08\x7e\x68\xcb\x52\x2e\x65\xb1\x31\xdf\x32\x65\x9a\x5a\x94\x75\xf6\x8e\x04\xfb\x56\x3f\x3d\x64\x1c\x3e\xe9\x3e\xda\x2e\x55\x16\xaf\x2f\xf7\x71\x49\x2d\xca\xc9\x7d\xc6\x31\x97\xaa\x9b\x30\xcb\x95\x19\x47\x6c\xb5\x6a\x65\x57\x37\x16\xc6\xce\x07\xdb\xaa\x52\x66\xdc\x6f\x43\xe9\x2b\x21\x49\x26\x37\x96\xc3\xa1\xe2\x29\x76\xc2\x04\x89\x81\xcf\xdb\xe2\x8b\x6a\xd1\xa7\xc8\x19\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\x2a\x95\x81\xdc\x81\xdc\x81\xdc\x75\x8a\xdc\xfd\x9b\x37\xd0\x9c\x20\x77\xd2\x5a\x45\xd5\x73\x52\x51\x29\x15\xc6\xd6\xc7\x05\xab\x0b\x08\x61\xe4\xb0\x47\x2d\x55\xa4\x62\x59\xcd\x5b\xe7\xc9\x9a\xce\x7e\x7f\x89\xbd\x3c\x48\x0f\xb8\x9a\x5a\x32\x9b\x8a\x1e\xac\xcf\xf3\xce\xda\x4d\xce\xab\xf9\x49\xbb\xc9\xe4\x61\xe3\xb4\x49\xa7\xbd\x45\xd1\x9c\x13\x4c\x18\x70\x62\x97\x93\x3e\x88\xfc\x02\x80\x41\xe4\x17\x00\x0c\x00\x0c\x00\xac\x87\x00\x58\x17\x29\x24\x74\x0d\x00\x43\xea\x3e\x00\x18\x00\x18\x00\x18\x00\x18\x44\x7e\x91\x5b\x7c\xf7\xf0\xaa\xae\xcf\x2d\xde\x92\x22\xbf\xeb\xf4\xbd\x22\x42\xea\x32\x5d\xe2\x11\x52\xe7\x29\x4b\x67\x03\x23\xa4\x5c\x24\x2a\x65\x92\xa8\x54\x00\x31\x6a\x49\xec\x54\x21\x3c\x76\x6a\x9a\x65\x9c\x78\x28\xd1\x25\x2b\x2b\xd3\xd5\x5b\x33\x7c\x2a\xa0\xaf\x14\xff\x71\xf2\xc7\x6c\x31\x4b\x0f\x38\x90\xa8\x1d\x15\x47\x6c\x26\x53\x13\x08\xec\x39\x7a\x96\x16\xab\x44\x83\x67\x69\xba\x15\xcf\x12\x52\x75\x90\x12\x6e\x52\x4a\xf8\xa3\x11\xba\x22\x2c\xcc\x3c\x5d\xe0\x16\xe6\x2c\xb5\x68\x56\xd2\x55\x21\x30\xfc\x0c\x2d\x38\x02\xc3\xad\x6b\xfd\x9a\x90\x1d\x5e\xa4\xcb\x2e\xd9\xe1\xd6\x35\x7f\xa7\x62\xc4\x8d\x99\xc6\x0d\x5b\xc2\x1a\x5b\x9a\xfc\xb1\x51\x7f\xd3\x38\xe2\xab\x50\x1c\x64\x26\xa7\xc4\xd1\xb5\x66\xd2\x4f\xb7\xb8\x33\x06\x13\x3a\xc6\x80\xd0\x80\xd0\x80\xd0\x80\xd0\xd0\x31\x86\x8e\x31\x74\x8c\xa1\x63\x0c\x67\x08\x9c\x21\x70\x86\xc0\x19\x02\x67\x48\x4b\x9c\x21\xd0\x31\x86\x8e\x31\x74\x8c\xa1\x63\x0c\x5f\x23\x7c\x8d\x3d\xa4\x63\xdc\x29\xa7\xdd\x16\x54\xe2\x61\x7f\x17\xa1\x87\x45\x7e\x40\x8d\x80\xf3\xd8\x7a\x7a\x8c\x7d\x31\xc2\xfe\x20\x52\x5d\x0b\xf0\xb5\x05\xb9\xe2\x5d\x77\x0b\x7f\x71\xf2\xe1\x82\x5c\x71\xd7\x00\x9c\x9c\x9f\xb3\x70\x63\x0b\x8b\xfe\xd5\x34\x34\x51\xd3\xd0\x44\x23\x0d\x65\xcb\xf4\x8c\x98\xb4\x17\xe8\x3c\x9f\xb4\xb3\x34\x4d\x99\x26\x26\xad\xeb\x3e\x1b\x71\x33\xb3\x9f\x5e\xa2\x73\x8d\xea\xa9\x04\xc9\x4c\xab\x45\x79\x59\x29\x19\x1f\x33\x9d\xfd\xe1\xeb\xd9\x6f\x0f\xd6\x53\x5b\x19\x0e\x57\x5b\xc9\x88\xc6\x92\xe9\x7a\xa2\x2b\x2e\x91\x67\xe7\x14\xe4\x62\x20\x17\x03\xb9\x18\x70\x83\xc1\x0d\x06\x37\x18\xdc\x60\x5d\xe3\x06\xeb\x1e\x2f\x0f\xdc\x0f\x70\x3f\xc0\xfd\x00\xf7\x03\xdc\x0f\x3d\xed\x7e\x00\x1f\x05\x1f\xed\x51\x3e\xba\x25\x73\x31\x72\x74\x56\xe0\xb1\x49\x3a\xc5\xf1\xd8\x51\x3a\x4c\x07\x1b\x57\xab\x35\xf1\x50\x4b\x12\x2f\x94\x70\x86\x3b\xcb\xa6\x37\x20\x5a\x6b\x76\xae\x56\xbb\x36\xfe\x1f\x76\xd4\x23\x69\xaf\xb6\x13\x30\xdc\xd0\x6c\xbf\xf8\xeb\xe6\x60\x33\x41\xb9\xce\xd0\x0c\x4d\x55\xa5\x5b\xec\xa7\xf4\x86\x1f\x17\xc2\xe7\x90\x5b\xd1\x64\x6e\xc5\x3f\xf4\xd1\xb4\xb0\x18\x27\xe8\x18\xb7\x18\x07\xa9\x99\x29\x48\x73\x22\x91\x22\x43\xa7\x9d\x44\x8a\x26\x9b\xca\x8a\xac\x89\x29\x9a\x74\x65\x4d\x34\xd9\xd6\x9d\xa6\x48\x34\x66\xc4\x6a\x2c\x52\x13\x56\x2d\xf9\xee\xd1\x7a\x46\x2c\xe6\x9b\x2a\xe1\x36\x68\x27\xc4\x11\x41\x06\xcd\x2f\x49\xa2\x7d\xa6\x0d\x89\x11\x20\xc2\x20\xc2\x20\xc2\x20\xc2\x48\x8c\x40\x62\x04\x12\x23\x90\x18\x01\xcf\x04\x3c\x13\xf0\x4c\xc0\x33\x01\xcf\x04\x12\x23\x90\x18\x81\xc4\x08\x24\x46\xc0\xf1\x07\xc7\x5f\x17\x3a\xfe\xba\x3a\x31\xa2\x31\x1e\xdd\x80\xcf\x2c\x94\x50\x6f\xc5\xd4\x88\x7f\xd9\x4f\x4f\x9a\xa5\x13\xca\x8a\x26\x17\x14\xc3\x2e\xf9\x45\xe8\xb3\xaf\x45\xd8\xcb\x11\x7a\x6d\xd5\x61\x36\x6d\x0f\x4c\x97\x78\xb2\x20\x57\x26\xbd\x27\x99\x7c\x1d\x89\x13\xfe\x89\x13\x5f\x1c\xa2\x83\xd6\x33\x29\xeb\x63\xeb\x69\xf1\x5e\x07\x25\x49\xe4\x25\x79\xd5\xd8\x22\x57\x74\xf6\xaf\x87\xd8\x2f\x0e\xd0\x3d\xc6\x69\x4b\xeb\xe9\xe8\x9a\xb9\xfb\x28\xe5\x95\x75\x25\xbf\x26\x15\xdd\x2e\x78\xc9\xde\xe9\x4f\xf3\x06\x16\xe4\x4a\xca\xb5\x9a\x9b\xb0\xd7\x81\x09\xde\x4a\xc2\xe1\xec\x1e\x70\xaa\x96\x65\x9b\xd5\xe8\x15\x59\xca\xa7\x92\x71\x7e\xc2\x64\xb9\xac\x2f\xba\x9c\xc2\xf6\x55\x8c\x31\xe8\xf2\x6c\x8a\xec\x4d\x9a\x17\xcf\x7e\x8e\xce\xf0\x67\x3f\x49\xa7\xe8\xc4\xff\xcf\xde\xbf\x87\xb9\x71\x9e\xf7\xdd\xf8\xb5\x07\x49\xe4\x2d\x59\x87\x47\x92\x65\x41\x94\x04\x81\xd2\x1e\xc0\x5d\xec\x62\x79\x58\x72\x79\x5c\xec\x81\x5c\x70\x49\xae\xb8\x24\x65\xc9\x12\xe9\x59\x60\x16\x04\x89\xc5\xc0\x18\xec\x52\x6c\x7f\xba\x7e\xb6\x15\xbf\xb1\x9b\xb4\x75\xd3\x24\x75\x53\xd7\x71\x9c\xd6\xb1\x53\xbd\xb6\x63\xbb\x71\xae\xb8\x75\xdd\x37\x3e\xc8\x51\xea\x38\x7d\x9b\xb8\x3e\xc4\x6f\xea\x26\xb1\x9d\xbc\x49\x9a\x34\xa9\x5d\x27\x6d\xde\x6b\x9e\xe7\x99\x13\x30\x83\x01\xb0\x00\x16\x4b\x7c\xff\xe1\xb5\xc4\xcc\x3c\x33\xf3\xcc\x33\xf7\x3c\xcf\xe7\xfe\xde\xf7\xdd\xc0\xb3\xe7\xea\x87\x39\x63\x45\x1e\x68\xd4\xce\x04\x1b\xaa\x28\x1b\x32\x03\xb6\x0a\x05\x5d\xba\xc4\xac\x8e\x75\x9a\x2c\xba\xb6\xdb\xdb\x46\xde\xc5\x88\xdf\x27\x57\x1c\xa0\x84\x2d\xa2\x46\x50\xc2\x16\x3e\x42\xf8\x08\xe1\x23\xec\x22\x1f\x21\x4a\xd8\xa2\x84\x2d\x7c\x33\xf0\xcd\xc0\x37\x03\xdf\x4c\x47\xf8\x66\xb6\x21\x39\x42\x91\x5c\xf0\x6e\x14\xc9\xdd\x3e\x81\x2e\xec\xab\x43\x74\xa0\x1e\xaa\xa8\x16\x72\xda\x4d\xe3\x13\xaf\xb3\xf7\x0e\xb1\x8f\x38\xb0\xe2\x46\x8d\x58\xd1\x6a\xa1\x49\x5c\x71\xb7\x37\x57\xb4\x4e\x03\xb0\xe8\x0d\x16\xcf\x06\x83\xc5\x3d\x6c\xd8\x03\x2c\x5a\x3d\x0b\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\xd8\xcd\x64\xf1\x7d\xbb\xe8\xbc\x24\x8b\x76\x1a\xf1\xb1\x0d\xdf\xac\xce\x57\xad\xd4\xe2\x05\x2d\xad\x58\xa9\xc5\xe5\x4e\x2f\x8d\xe9\x5c\x04\xcc\xbe\xf8\x08\xfb\x62\x1f\xdd\xed\xaa\x82\x19\x0f\xed\x2b\xaa\x4a\x3a\x2c\x76\x31\x1f\x80\xfd\xbd\xf7\x2b\x84\x79\xd0\x38\xca\x59\x06\x33\xb8\x50\xb0\x90\x22\x37\x37\xc9\x43\x72\x8d\xce\x0b\xfc\x77\x9a\x16\x38\xfe\x9b\xa1\x69\x3a\x5e\x5b\x69\xd3\xc6\xab\x9a\xae\x04\x03\xc0\xe3\xec\x68\xad\x25\x4a\x3d\x93\xc6\x5f\x7b\xd4\x1b\x0a\xde\xce\xfa\x33\x6a\x89\x42\xbf\xb2\xb3\xe2\x49\x4e\x16\xd5\x42\x4e\x49\xa9\x75\x3f\xcc\xc3\xf2\xc0\xad\x7f\x9e\x89\x8b\xb4\x4c\x4f\x97\xe5\x23\xda\xfc\x03\x45\x0c\x3b\xb2\x13\x35\x98\x9d\xe8\x0b\x3d\x2d\xb1\x30\xcf\x88\x5c\x45\x4b\x74\xd6\xce\x55\xd4\x16\xd3\xe5\x6f\x56\x0a\xeb\x25\xaa\xd1\xb2\x05\xd8\xae\xea\x86\x2f\xf1\x85\xbb\x2a\x4c\xd7\x89\x82\x52\x34\x96\xff\xc6\x92\x99\x7f\x4a\xeb\xb6\x61\x87\x0a\xdc\x97\xb5\xa5\x16\xec\x91\xf2\x86\x46\xf9\x45\xed\xe1\x41\x13\xbb\x9c\x1b\xd7\xd4\x62\x46\x75\x6e\x1d\x70\x6e\xe5\x61\x1d\x6a\x26\x9b\x1a\xad\xd8\xcf\xd5\x8a\xf1\xf7\x4d\xb9\xd5\xb8\xca\xc4\x59\x5a\xa4\x64\x99\xf5\x9c\xa2\x83\x0d\x78\xc3\x96\xb8\x0f\x02\x66\x33\xc0\x6c\x7e\xb4\x8f\x5e\xe9\x63\x1f\xee\x0b\x7d\xd0\x72\xca\xbd\xdc\xd7\x3d\x66\xb3\x0c\xdb\x18\xfd\xcc\xdd\x10\x1c\x2d\x1a\x83\xd3\x76\x46\x0e\xf9\x0c\xdc\x61\xce\xe3\x85\xd7\x4a\xc9\xf1\x23\xf3\x5a\x7e\x54\x1c\xcd\xf7\xe0\x5e\x4b\x3d\x3c\x94\xd4\xb5\xfc\x92\xf0\xca\x9d\x31\x5e\x0b\xf9\xf7\xb2\xf9\xb2\xd8\x3f\x0e\xfb\xdb\xf3\xc4\x97\x7b\xe8\xb5\x1e\xf6\x6a\x4f\xe8\xf3\xd6\x7a\xe0\x43\x3d\xf3\x9a\xb1\xbc\xcd\xea\xe1\x8c\xc6\xbb\x5d\x0b\x47\x56\x8d\x9f\x22\xe1\x69\xd7\x5d\xf0\x95\x9e\xc8\x1b\xb2\xae\xdb\xfe\x87\x51\x25\xc5\x6f\x9c\x7b\x75\x72\xd9\x94\x0c\x08\x56\x73\x69\x3d\xac\xdd\x90\x7d\x2a\xbc\x1e\x05\x55\x2b\xe4\xd4\x58\x58\x9c\x91\xbb\x51\xcd\x67\xc9\x57\x5c\x9e\x1d\x60\x9d\x3e\x72\x1b\xbf\x2c\x97\x4b\x70\x6b\x66\xc0\x8f\x7b\x7f\x46\x76\xb0\xdb\xf9\x25\xd7\xfa\x21\xd9\x44\x61\xff\x38\x25\x67\x29\xc1\x4e\x44\x8e\x59\x28\x66\x37\x7f\xcf\xe4\x4b\xef\xd3\x42\xa4\xdf\xd8\xc9\x89\x5b\xb6\x1f\xd0\x61\x9f\x7d\x81\xc6\x82\x2b\x01\x8d\xa5\x72\xeb\x7a\xc9\x30\x96\x39\x55\x67\x3f\xfe\x02\xfb\xf0\x00\x3d\xe0\x95\xde\x2f\xa8\xd0\xcf\x8c\x68\xe7\xbc\x96\x53\xa3\x11\x9f\x42\x3f\x8e\x7d\x3a\x5c\x32\x82\xca\x3e\x50\x52\xa0\xb2\x0f\x94\x14\x50\x52\x40\x49\xd1\x45\x4a\x8a\x0e\x4a\x53\xd8\x31\x4a\x0a\xe4\xcf\x83\x92\x02\x4a\x0a\x28\x29\xa0\xa4\x40\x65\x1f\x24\xf8\xba\x75\x64\x09\x1d\x9f\xe0\x6b\x5b\x56\xf6\xb9\x4c\x33\x82\x34\x1e\xa1\x29\x4e\x1a\xf7\xd1\x04\x8d\x07\x15\xc4\x88\x39\xc8\x50\x53\x8a\xfa\xa4\x83\xc9\xe2\x34\x3b\x5e\x63\xf9\x0b\xc7\xc5\xb9\xd8\x62\xe4\xa7\x76\xfa\xb0\x32\xbb\x94\x8f\x13\x8b\x3d\xe9\x5b\xca\xa7\x15\x60\x4c\x70\xac\x04\x9d\xa0\x63\x65\xde\x9e\x18\x8d\xd4\xf3\x40\xe0\xe1\x81\x63\xbc\x41\xc7\xf8\x77\x7a\x68\x4e\x54\xc9\x39\x46\x47\x1c\x55\x72\xc6\xa9\xce\x31\xe8\x6b\x10\xe8\xb8\x30\x37\x07\xe9\x00\x37\x37\xf5\xb7\x3c\x2b\xbc\xec\x47\xe9\xb0\xed\x65\xaf\xbb\x95\x5a\xeb\xf4\xb4\xc5\x2e\x45\xff\x72\xc4\xc7\x2e\x79\x57\xe7\x71\xda\xa8\x98\x6f\x75\x1e\xbb\x30\x4f\xeb\xac\x15\xca\xf1\x00\xe3\x02\xe3\x02\xe3\x02\xe3\xa2\x1c\x0f\xca\xf1\xa0\x1c\x0f\xca\xf1\xc0\x9d\x00\x77\x02\xdc\x09\x70\x27\xc0\x9d\xd0\x14\x77\x02\xca\xf1\xa0\x1c\x0f\xca\xf1\xa0\x1c\x0f\xbc\x75\xf0\xd6\x6d\xf3\x72\x3c\xb5\xa1\x64\x8f\x28\xac\x7a\xb0\x72\x3d\x45\x7f\x9a\x2f\x61\xff\xc4\x30\x4d\xba\xb3\x27\xfa\x04\x37\x17\x55\x0e\x98\x0d\xcb\x22\xe3\x99\xd9\xf7\x87\xd8\x77\x7a\xed\xf4\x89\x8f\xf2\x08\x66\xf7\xb2\xf4\xbc\x38\x6a\x59\x2d\x45\x1f\xe3\xa1\xca\x65\x49\x0e\xed\xed\x4d\x0e\x48\x7e\xd6\xdf\x9d\x71\x4c\x8c\xa1\x49\xda\xcf\xc7\xd0\x18\x8d\xd2\x1e\xff\x38\x8d\x42\x41\x37\x46\x8c\x7d\xa1\xc1\x11\x7c\x19\xb5\x44\x0d\x27\x27\xb4\x4f\xe4\x72\x38\x84\x3e\xb6\xc3\xee\xe9\xb0\x19\x61\xec\xdb\xd9\x4f\x98\xa1\xc4\x6d\xea\xef\x04\x4f\xf7\x58\xe6\x04\xad\xaf\x5f\x41\xd4\xe0\x03\x6d\xd0\x07\xfa\xbe\x9e\xcd\xbe\xd4\x42\x52\x11\xe7\x92\x0a\xcb\x45\x59\x77\x23\x9b\x0c\xfa\xad\xcd\x64\x54\x35\x13\x4e\x7b\x12\x7d\xfb\xbd\xb6\xc9\xb8\x5f\xce\x67\x15\xa7\x95\x90\x93\xd2\xb6\x19\x89\xd6\xf8\x1e\x61\x37\x02\xec\x06\xf8\x77\x5b\xf8\x37\xc0\x07\xc0\x07\xc0\x47\xab\xc0\x47\xf2\xd3\x3d\x4d\x5e\xfd\x9d\x17\xb2\xa9\xd3\xb4\xe0\x90\x4d\xb5\x78\x45\xd9\xe4\x55\xc1\xb5\xb0\xf7\x8c\x62\x27\xbb\x43\x74\x3b\x25\xfe\xf0\x4e\x7b\x12\x30\x5c\x91\xde\xc3\x77\x01\xf1\x78\xc1\x2b\x27\x7d\x2b\x66\x06\xc8\xd6\xd1\x6d\xf3\x11\x64\xeb\x40\xb6\x8e\x2d\xce\xd6\xf1\xec\xa6\x17\x8c\x9b\xce\xcc\xd1\xe4\x4f\x41\x72\x92\xf6\xb3\xbd\x91\xb8\x95\x3f\xe3\xf5\xce\x2c\x1c\xf6\x41\xb7\x44\xe2\x8d\x1f\x1d\xa4\x5d\x82\x5a\xae\xf0\x5a\x2f\x66\x31\xef\x54\x51\xcb\x5f\xd3\x56\x74\xf6\x87\x03\xec\xeb\x7d\xf4\x3a\xbe\xd5\x2a\xe5\xfd\x54\x40\x7a\x8d\xa2\x96\x4f\x6a\x2b\xd1\x41\x63\xb7\x84\xb1\x8b\xac\xe7\x2d\x37\xcc\x6b\xc5\xe9\x5c\xce\xfa\x18\x36\x2f\x61\x55\x8b\x4a\xb2\xbc\x59\x08\xc3\xc7\xb9\x30\xdc\x18\xe3\x07\x68\x1f\x4d\xf8\x8e\x71\xde\x57\x31\xd9\x57\x31\x79\xcf\x35\x45\x8a\x3c\x1d\x3c\x92\x63\x6c\x44\x8e\x64\x7e\x1a\x13\x83\x8b\x93\x54\x96\xa4\x0f\x0a\x3e\x41\x15\x16\xe4\x0e\x41\x15\x16\x88\xce\x21\x3a\x87\xe8\xbc\x8b\x44\xe7\xa8\xc2\x82\x2a\x2c\x10\xfb\x42\xec\x0b\xb1\x2f\xc4\xbe\x1d\x21\xf6\x45\x8d\x14\xd4\x48\xd9\x2e\xf2\x46\xd4\x48\x69\x45\x8d\x94\x9f\x8f\xd2\x7e\x41\xe2\xf2\x6a\xe9\x86\x56\xbc\x6e\xcc\xd6\xac\xd4\xb7\x82\xca\x65\xf3\x99\xa2\xaa\xeb\xa9\x9c\xa2\xeb\xaa\xa5\x1e\xfc\xde\x30\x7b\x4f\x1f\x31\xfb\x30\x8b\xd3\x3d\xee\x21\x24\x5c\x10\x6d\xcc\x18\x6d\x44\x9f\x30\x76\x38\x6b\x1d\x28\x31\x9d\x73\x97\x26\xab\x09\x57\xe9\xb4\x40\x69\xb3\x94\xe0\x28\xed\x08\x55\xf1\x10\xc5\x1c\x5d\x61\xf2\x34\xe7\xc5\x6d\x42\x27\xc4\xa5\x85\x75\xe5\x74\xae\x78\x2c\x92\xbd\xb9\x2e\xa8\x02\xc0\x85\xfe\x7a\x87\xe7\xa3\x89\x78\x2b\x0f\x5d\x4f\xe7\x49\xb9\x4f\x1b\x1f\x50\xbd\x3e\xbc\xa0\x27\x04\x1f\x1e\xb4\x88\x0d\x6a\x11\x7f\xa5\xa7\xb9\xb6\x62\x49\x08\x13\x17\xe8\xa4\x2d\x4c\xdc\x2a\xeb\x53\x47\x69\x92\x4d\x59\x9f\xe8\x2f\xdc\xeb\x69\x7d\x5e\x6f\x8a\x18\xf3\x6e\x8b\xb3\x5b\xfc\xde\x4e\x83\x03\x29\x23\xa4\x8c\x90\x32\x42\xca\x08\x29\x23\xa4\x8c\xdd\x29\x65\x6c\xc3\x3c\xa0\x06\x79\xe3\x3f\xb9\xcb\x73\xa6\xb0\x27\x40\xe9\xe8\x9a\x3e\x44\xb8\x22\xa7\x4d\xb3\x07\xc8\x1d\xbb\x6d\xce\x02\xb9\x23\xe4\x8e\x5b\x2c\x77\x6c\x33\xbf\x6a\x6e\x55\xb2\xc6\xbe\x1d\xc9\x43\x34\xc9\xf6\x47\xf6\x5a\xb2\xc6\x37\x38\xf5\x90\xce\x63\x2b\x15\x91\x4d\xd7\x2b\x7e\x73\x0f\x9d\x14\x94\x54\x4c\x27\x2c\x34\xea\x13\x6c\x5d\xd0\xd2\xe9\xac\x5e\x5c\xe7\x23\x7e\x65\x3d\x9d\x71\x44\x5d\xbf\x7b\x0f\xfb\x85\x3e\xba\x5b\x34\x64\x7d\xf0\x06\x3c\x98\xe9\x92\x96\x9e\xb5\x5a\x49\xf0\x56\xa2\x31\x63\x3f\x31\x23\x91\x9f\x39\x5b\xdd\xef\xb1\x7f\x93\x39\x6a\x96\xce\x8a\x71\x78\x92\xe6\xf8\x38\x3c\x4e\x47\xe9\xb0\xef\x38\x94\xd3\x45\x73\x0c\x7a\x5c\xdf\x66\x51\xea\xe5\xe0\x81\x78\x98\x1d\x92\x03\x51\x5c\x8e\x1c\x7d\x5e\x17\x53\x89\x51\xdf\xbd\xb3\xe2\x49\x0d\x7b\x23\x54\xaf\x87\x15\x97\xbb\x6e\xd5\xf3\x4a\x3c\x4d\xc6\xab\xe0\x9e\x2b\x6c\xee\x81\x61\xba\x00\xb2\xda\x20\x59\xfd\x4c\x8f\x7f\x4e\x87\x66\x9b\x95\x65\x41\x5d\x17\x29\x69\x53\xd7\xcd\x36\x5a\x23\x5f\x6d\xb1\x49\x8a\x7e\xfc\xde\x0a\x93\xb4\xcb\x0a\x0e\xf7\xb2\x42\xe3\x62\xeb\x96\x19\x21\xa0\x56\xa0\x56\xa0\x56\xa0\x56\xa0\x56\xa0\xd6\x46\x50\xab\xef\xa4\xa1\xe3\x19\xac\x39\x63\x08\xc4\xa0\x35\x4e\x1a\x2a\x26\x03\xb5\xce\x22\x12\x1f\xbc\xab\x62\xd2\x30\x11\x80\x58\xbd\xa6\x12\x63\x7c\xfd\xbf\x15\x33\x09\x60\xd7\x6e\x9b\xbf\x00\xbb\x02\xbb\x6e\x31\x76\x6d\x3f\xee\x0a\x24\xaf\x2d\x5e\x5d\x26\x4f\xd0\x31\x76\x24\x32\x65\x51\xd7\xc7\x9d\xd4\xd5\xa3\x89\x5b\x22\x1c\xfd\xc7\x86\x28\x2e\xf0\xae\x5e\xd2\x8a\x4a\x46\x2d\x57\xc0\x72\xdd\xac\xb9\x51\xea\x60\xd9\x6f\x0f\xb2\x2f\xf5\xd3\x3d\xf2\x57\xeb\xbb\xfa\xa2\x0c\xef\xc8\xa7\xb3\x1b\xd9\xf4\xba\x92\x73\x0a\x7f\x15\x2b\x94\x6a\x59\x1c\xc6\x09\x76\xcc\x31\xdf\x9f\xb2\x56\x0a\x83\xbc\xa1\x41\x3b\x86\xd4\x15\x14\xa8\x15\x54\x6b\x19\xa7\x97\x54\x25\x1d\x8b\xee\xe6\x07\xc8\x86\xe5\xe7\xd9\x79\x9a\xc5\xac\xde\xbc\x2f\x72\x8b\x82\xde\xaf\x0b\xc1\xdc\x38\x17\xcc\x19\xaf\x1c\x4f\x4c\xd9\xc0\x57\x96\xeb\xae\xe7\x36\xd4\x7c\xf0\x4b\xb7\xdb\xfb\xa5\xbb\x8b\x11\xbf\x30\x51\x2e\xf1\x4a\xf0\x8b\x77\x84\x4d\xc9\x17\xcf\x3d\x8c\xe4\x0b\xe8\x7c\x14\x1e\x6f\x1e\x42\xe2\x11\x12\x8f\x90\x78\x84\xc4\x23\x24\x1e\x21\xf1\x08\x89\x47\x48\x3c\x42\xe2\x11\x12\x8f\x90\x78\x84\xc4\x23\x24\x1e\x21\xf1\x08\x89\x47\x48\x3c\x42\xe2\xdb\x14\x12\xff\xd7\xbd\xf4\xb0\xa0\x81\xea\x8b\x25\x35\xcf\x1f\x95\x45\x02\xd9\xef\xf6\xb2\xaf\xf7\x12\xb3\x37\x59\xe0\xef\xa1\x8c\x5a\x72\x7f\x68\xc5\x2d\x44\xc3\x19\xb5\x34\x67\xed\x2f\xc1\xdc\xf4\xd2\x82\xb9\xb8\x6b\x62\x74\x42\x45\x43\x53\x15\x0d\x4d\xd5\xd2\x50\xb2\x40\x17\x05\x87\x3b\x4b\x8b\x9c\xc3\xcd\xd3\x2c\x25\x1a\xe0\x70\x8e\xfb\xac\x25\x19\x25\xfb\xb7\x97\xe9\x80\xe8\xfd\xd5\x9c\x76\xc3\xf8\x14\x16\xb5\x5c\xcc\x42\x2b\xe5\x64\xd6\xd8\x49\x4f\x5d\x55\xd7\x14\x9d\xbd\xfd\x32\xfb\xd2\x00\xed\x72\x1c\x37\x6d\x1e\x66\x3d\xa4\xa1\xea\x39\x44\xe7\x73\xda\x8d\x65\xde\x5c\x74\xd8\xd8\x73\xde\xa3\x2d\xf9\x00\xed\x5d\x3b\x9c\xa9\x26\x40\x16\x41\x16\x13\x20\x8b\x20\x8b\x20\x8b\x20\x8b\x5d\x43\x16\x9b\x5e\xcf\xbe\x61\xb2\x88\xca\xfa\x20\x8b\x20\x8b\x20\x8b\x20\x8b\x5d\x4d\x16\x51\xfa\x1b\x20\xb0\x5b\x4b\x7f\x27\xb6\x21\x08\xac\x57\xfe\xe9\xe4\x55\xa6\x06\xd4\x86\x44\x35\x55\x62\x09\x28\x9b\x72\xed\x7a\xb0\x08\xed\x14\x9b\x97\x22\xb4\x6a\xfc\x4c\x4a\xd2\xec\xcb\xab\x14\xa4\x45\x7e\x67\x67\x00\x4b\xbb\x5f\x7c\xb1\xc2\x8a\x13\x9b\xed\x11\x3f\xb6\x17\x9c\x09\xce\x75\x86\x4e\xd3\x42\x99\x44\xff\x10\x4d\x36\xf8\xc0\xa0\xd0\x47\xa4\x73\x83\x91\xce\xef\xec\xa5\xa4\xb0\x1c\x33\x34\xcd\x2d\xc7\x61\x6a\x7c\x20\xd2\x39\x11\xcc\x7c\x8a\xe6\xed\x60\xe6\x4d\x35\xb8\x24\x42\x9d\x16\xe8\xa4\x23\xd4\x69\x53\x2d\x36\x6e\xd8\x0a\x5a\xbb\x0d\x5b\xf4\x5d\xa3\x01\x86\xed\x71\x19\x0d\xe7\x08\x2d\xd4\x56\x9d\x46\x6e\xbf\xd8\xa1\x8a\x91\x9b\xb1\x0e\x6d\x99\xb9\x6b\x4d\x5c\x35\x38\x31\x38\x31\x38\x31\x38\x71\xf7\x70\x62\xcc\xf3\x02\xe6\x79\x9d\x03\xd2\x91\xd3\xa2\x2d\x39\x2d\xe0\xaf\x80\xbf\x02\xfe\x0a\xf8\x2b\xe0\xaf\xe8\x6a\x7f\x05\x52\x1b\x21\xb5\x11\x52\x1b\xb5\x2a\xb5\x11\xdc\x81\x70\x07\x76\xab\x3b\x30\x99\x69\x72\xf2\xae\x20\xfe\x1c\xf5\xe6\xcf\xf7\xb3\xfb\xc4\xdb\x6c\x5b\xda\xf6\xb2\xe8\xe6\xe7\x32\x79\x4f\x1f\x0d\x09\xfd\x7c\x71\x45\x49\xc5\xcc\xae\xe0\x4f\xb2\x5c\x3c\xcf\xfe\xb8\x97\x7d\xb7\x97\x1e\x36\xf6\x9c\x76\xee\x18\x1c\xd3\x30\x98\x51\x4b\xe7\xcb\x0f\xdb\x2e\xa1\x0d\xbe\x19\xe5\x5a\x13\xf3\x60\x86\x36\xbc\x7b\x88\x62\xc1\x8f\x46\x26\x9b\x29\x6a\x39\x55\x67\xbf\x3b\xc8\x7e\xab\x9f\x1e\xf0\x7a\x40\xa1\x42\x6d\x89\x66\xce\x6b\xc6\xaa\xa3\x29\x09\x66\xc6\xf9\x01\x1e\x8f\xdd\x38\x87\x71\xa7\xf3\x5a\x71\x3a\x97\xb3\x52\xc2\x35\xef\xe9\xb7\x2c\xdb\x8c\xef\x50\x68\x7a\x1a\x9a\xba\xb2\xcd\xbc\x10\x6c\x83\xa6\xd8\x41\x69\x83\x7c\x47\x93\x34\x40\xc6\xd3\x71\x9a\x1e\xe4\x9a\x41\x44\x08\x72\xcd\xc0\xd3\x07\x4f\x1f\x3c\x7d\xdd\xe4\xe9\x43\xae\x19\xe4\x9a\x81\x87\x05\x1e\x16\x78\x58\xe0\x61\xe9\x08\x0f\x0b\x72\xcd\x20\xd7\xcc\x76\x61\xca\xc8\x35\xd3\x8a\x5c\x33\xff\x6b\x80\x42\x02\x09\x2a\x85\x82\x3e\xb6\x11\x1f\xd3\x4b\x4a\x49\x5d\x5d\xcf\x19\x2f\x29\xfb\xd6\x00\xfb\x8f\x7d\x74\x87\xb1\xed\xca\x46\x3c\x34\x5c\x3d\x79\xc9\xb2\x3c\x74\x59\x2d\x45\x9f\x32\x76\x9d\x2e\x14\xf4\x4b\x71\xc7\xcf\xdb\x8d\xcf\x5d\xa6\x19\x81\xe1\x8e\xd0\x14\xc7\x70\xfb\x68\x82\xc6\x7d\x45\xea\x46\x3f\x99\x4e\x01\x79\xc7\x4d\x09\xbb\x39\x17\x4c\xe3\x46\x58\x54\xd2\x38\xe3\x22\xac\x8c\xcf\xd6\x75\x80\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x6d\x09\x7f\xfb\xbd\x5e\x7a\x48\xf0\xb7\x74\x56\x4f\x69\x86\xd1\x33\x95\x78\xec\x73\xbd\xec\xdf\xf7\xd2\x4e\x6b\x43\x28\x94\xe1\xca\xf7\x55\xad\xb8\x66\x75\xa2\x12\xe6\xd8\x27\xfa\x40\x46\x2d\xcd\x9a\x7b\x4e\x2f\x2d\x9c\x34\x7e\xed\x40\xf1\x63\x7d\x39\x6d\xaa\x6b\x1c\xf9\x3d\x06\x26\x74\xfe\xa7\xc3\x94\xf4\xe9\x62\x77\x79\x3d\xab\xd6\x9f\x3e\xf6\x77\xad\xbf\x5f\x1a\x53\xf3\xe9\x82\x96\xcd\x97\xf4\x5c\x36\xa5\xea\xec\xd7\x87\xd8\x37\xfb\xe9\x3e\xab\x2d\x4b\xaa\x7a\xb3\x36\x39\xe4\x9c\x6c\x6e\xd9\x68\xae\xa9\xba\x48\xeb\xf1\x57\x54\xc6\x75\x9d\x73\x7b\x54\xe1\xeb\x50\x5d\xe4\x4a\x30\x89\x3d\xce\x8e\x4a\x12\x5b\x3e\xde\x24\x95\x75\x3d\x0d\x14\xe2\x03\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\xdd\x72\x38\xfb\x66\xba\xcc\x9e\x8f\x3c\xb7\xa3\x87\xf5\x17\x94\xd2\xd5\xd0\x94\x3c\xb3\xc8\x27\x6a\x4c\x70\xd6\x4b\x57\xc3\x7a\x4a\x2b\xa8\x23\x61\x7d\x3d\x75\xd5\xe8\x7d\x3e\x83\x55\x95\x35\x01\x93\x0a\x45\x8d\xdf\x69\x64\xa7\x05\x14\xa2\xd2\xbc\xbf\x07\xf8\x17\xf8\x17\xf8\xb7\xbb\xf1\xef\x8f\x45\x29\x21\xd8\x64\x5e\x2d\xdd\xd0\x8a\xd7\x8d\xf9\xa0\x1d\x89\xed\x43\x24\xb3\xf9\x4c\x51\xd5\x75\xf3\xd7\x97\xd8\xe7\x86\xd9\x0f\x7b\xe9\x75\x76\x1b\x57\x36\xe2\xa1\x50\x51\x55\xd2\x65\x2b\xde\x05\x71\x64\xf4\x09\x63\xdb\x59\x6b\xf7\x4b\x0e\x56\x28\x77\x69\x6e\xae\xd8\xe4\xf3\x34\x2d\xb8\xdd\x14\x1d\xe4\xdc\x6e\x82\xc6\x29\xe6\x2b\xa4\x74\xf4\xc6\x46\x3c\x26\x2f\x29\x50\x46\xf9\xc6\x60\x38\xb7\x9f\xed\x95\x70\xae\xa2\xc3\x25\x9d\x33\x4f\xe6\xd4\x4b\x5e\x7b\xd4\x9b\x0d\xde\xce\xfa\x33\x6a\x89\x42\x5f\xda\x51\xde\xf9\x8f\x16\xd5\x42\x4e\x49\xa9\x3e\xfd\xff\xa4\xdc\xdc\xc6\x47\x90\x98\xa5\x04\x9d\x28\xcb\x4e\x5e\xf7\x33\x40\xb2\x4a\x24\x25\x6f\x30\x29\xf9\xbf\xe8\x69\x86\x0d\x98\x17\xb9\xc8\x8f\xd3\x51\x3b\x17\x79\x2b\x6c\x89\xff\x1b\x5f\x58\x2f\x51\xeb\x4c\x4d\xf4\x1f\xdf\x5b\x6e\x4b\x64\x8a\x18\x63\x98\x9b\xf6\x63\xb7\xf8\xa9\x9d\xe6\xa3\x35\xd9\xbe\x61\x4e\x02\xcc\x09\x32\xce\xb6\x25\xe3\x2c\x52\x0d\x22\xd5\x20\x52\x0d\xb6\x2a\xd5\x60\xf2\xd3\x3d\x4d\xce\xb7\x76\x5e\x54\x10\x39\x4d\x0b\x8e\x0a\x22\x2d\xce\xe1\x16\xf6\x9e\x12\xec\x64\x77\x88\x6e\xaa\x75\x56\xe0\xfc\xdc\xd7\x38\x43\x48\xfc\xcf\x3b\xcb\x67\x05\x03\x05\xa5\x58\xca\x72\x07\xa4\x58\x93\xfa\x2c\x35\x22\x05\x63\xd5\xd9\xa6\x99\xc2\x23\xe5\x0d\x8d\xf2\xb3\xef\xe1\x8a\xa1\x5d\xce\x8d\x6b\x6a\x31\xa3\x3a\xb7\x0e\x38\xb7\xea\xa5\xa2\x52\x52\x33\xd9\xd4\x68\xc5\x7e\xae\x56\x8c\xbf\x6f\xca\xad\xc6\x55\x26\xce\xd2\x22\x25\xcb\x16\x39\x53\x74\xb0\x81\x41\xb1\xc4\x7d\xf3\x98\x9f\x04\xcc\x4f\x3e\xda\x47\xaf\xf4\xb1\x0f\xf7\x85\x3e\x68\x19\xf9\x97\xfb\xba\x67\xb9\x53\xe6\xce\x30\xfa\x99\xbb\xe7\xb9\xcb\xcd\x18\x9c\xb6\x48\x67\xc8\x67\xe0\x0e\xf3\x6f\x95\x50\x73\x28\x39\x7e\xa4\x31\x29\x13\x47\xf3\x3d\xf8\x04\x49\x0f\x0f\x25\x75\x2d\xbf\x24\xd4\x2a\x67\x8c\xd7\x42\xfe\xbd\x6c\xbe\x2c\xf6\x8f\xc3\xfe\xeb\xb0\xc4\x97\x7b\xe8\xb5\x1e\xf6\x6a\x4f\xe8\xf3\x16\x27\xfb\x50\xcf\xbc\x56\x4c\xf1\xb9\x5b\x46\xe3\xdd\xae\x85\x23\xab\xc6\x4f\x91\xf0\xb4\xeb\x2e\x38\x01\x15\xd3\xac\x75\xdd\xf6\xcb\x8f\x2a\x29\x7e\xe3\x5c\xed\x90\xcb\xa6\xe4\x67\x54\xcd\xa5\xf5\xb0\x76\x43\xf6\xa9\x50\x03\x14\x54\xad\x90\x53\x63\x61\x71\x46\x2e\x2f\x32\x9f\x25\x27\x91\x9e\x1d\x60\x9d\x3e\x72\x1b\xbf\x2c\x97\x54\xa6\x83\xd8\x92\xff\xba\xce\xd7\xd0\x5f\x7b\xdc\xfb\xb3\xb2\x83\xdd\xce\xef\x9d\x92\xfb\x68\x82\x8d\x47\x62\x96\x1f\xe2\x7e\xfe\x32\xc9\x37\x5b\x9e\x2b\xd2\x6f\xfc\xe8\xf4\x2d\x6c\x3f\xef\x05\xfb\x4f\xbd\xb4\x63\x4c\x29\x64\xc7\x36\xe2\x63\xec\x8b\xbd\xec\x73\xbd\x74\x47\x4a\x2b\xaa\xc6\xe7\xce\x37\x11\xe8\x83\x19\xb5\x34\xa3\x15\xd5\x4b\x9d\x9f\xf6\xb3\x35\xd9\x3d\x03\x05\xb0\x1f\x7c\x81\xc6\xdd\x31\xfe\x3e\x5c\xb9\xa8\xf2\xbb\xe0\x91\xff\x7f\xfe\x3c\x7b\xeb\x80\x1d\xf9\x3f\x54\x3d\xf2\xff\xbc\x38\x72\x59\x2d\x45\x1f\xb3\x03\xff\xed\x89\x86\xbd\xbd\xc3\x95\xa7\x09\x88\x2f\x21\xbe\x44\x0d\x3a\x88\x2f\x21\xbe\x84\xf8\xb2\x7b\xc4\x97\x1d\x54\x62\xad\x63\xc4\x97\xa8\xfd\x05\xf1\x25\xc4\x97\x10\x5f\x42\x7c\xb9\x15\xb5\xbf\xba\x5a\xc9\x88\xe2\x44\xdd\x5c\x9c\x28\xb1\x0d\x95\x8c\xc9\x17\x28\x21\xe8\xd6\x61\x3a\xc4\xe9\xd6\x5e\x8a\xd3\x58\x60\xa6\x44\x1b\x0c\xd5\x94\x28\xf1\x6c\x30\x85\xdd\xc3\x86\x65\xd5\x11\xab\x69\x2f\x10\xcb\xb3\x24\x06\x25\x5e\x8c\x7c\x6f\x87\x8d\xc0\xee\x17\xdf\x9c\xb0\xe2\xa4\x5d\xf2\x43\xd4\x06\xde\x25\xf0\x14\x0f\x77\x2e\xf3\x6f\x8d\xd2\x9e\x3a\xfa\x19\x2e\x2d\x28\xf8\x1a\x54\xf0\xfd\x7e\x0f\x1d\x13\x2f\xf9\x24\xed\xe7\x2f\xf9\x18\xd5\x37\xf8\x44\x3a\xd5\x38\x4f\xa7\x6a\xc9\xf7\xea\x6e\x64\x56\x38\xff\x8f\xd2\x61\x87\xf3\xbf\xee\x56\x9a\x63\x6b\xfc\x4c\x4b\x85\x0d\xaa\x62\x6b\x0a\x9a\x5e\xa2\xe8\x6f\x8c\xd8\xb6\xe6\x71\x29\xe4\x70\xa8\x62\xb4\x55\xa7\xdd\x89\x8a\x1d\x84\xdd\x99\xb1\xf6\x6a\x83\x05\x6a\x8d\x0e\x10\xc4\x15\xc4\x15\xc4\x15\xc4\xb5\x7b\x88\x2b\xa6\x61\x01\xd3\xb0\xce\x41\xd2\xd0\x60\xb7\x45\x83\x0d\xf2\x0f\xf2\x0f\xf2\x0f\xf2\x0f\xf2\xdf\xd5\xe4\x1f\xa1\x38\x08\xc5\x41\x28\x4e\xab\x42\x71\xe0\x58\x83\x63\xad\x5b\x1d\x6b\xc9\x4c\x93\xa3\xd0\xda\x8d\x90\xa3\xde\x08\xf9\x7e\x26\x43\xc4\x6d\xcb\x4d\xdb\x51\xff\xff\xed\x3d\x74\x4c\x08\xd5\x53\x6a\x51\x7a\x22\x55\xdd\x91\x0f\xc5\xf9\x73\x36\x93\xe7\x79\x50\xc4\x04\xcd\xcc\x84\xf2\xb3\x7b\xd8\x67\xfb\xe8\x1e\xe7\x8e\x57\x36\xe2\xa1\x11\x8f\x5c\x28\x33\xf6\x3e\xcb\xa2\xb1\xf3\xa2\xb1\xe8\x1e\x63\x6f\xc7\x66\xfd\x52\xdc\x77\xe7\x26\xe7\x49\xf1\x4f\x67\x5d\x57\xf4\x40\xcc\xd5\x81\x1b\xf1\x98\xef\xf5\x07\xe7\x3b\xc8\x18\x23\x2f\x17\x3c\x92\x17\xd8\x49\x39\x7a\x3d\x9e\x9e\x1c\xcc\xbe\x97\xe1\x72\xd1\x86\x3e\xb5\xb3\xf2\x11\x8e\x79\x67\x54\xf1\x7f\x8a\x31\x79\xc0\x96\x3c\xc8\xc4\x1b\xe9\x12\x5d\x28\x73\xd4\x36\xe5\x81\x01\x1c\xc2\x7f\xdb\xa0\xff\xf6\x37\x7a\x5a\x64\x44\xe8\x39\xe1\xd6\x5d\xa6\xa7\x6d\xb7\x6e\xb3\xda\xde\x64\xa6\x96\xb6\x5a\xae\xe8\xe7\xee\xad\xb4\x5c\x11\x33\x7f\x4b\x15\x63\x35\x2a\xf6\xd9\x1a\x5b\x85\xd4\x2e\x48\xed\x72\xeb\xba\x15\xc0\x93\xc0\x93\xc0\x93\x90\xda\x65\x73\xa9\x5d\xda\x3a\x8d\x48\xfc\xbb\xbb\x2a\xa7\x11\x07\x03\x12\xbe\xf8\x4f\x2e\x46\x78\x22\x81\xb6\xcf\x2d\x90\x0c\xa6\xdb\x66\x34\x48\x06\x83\x64\x30\x5b\x9c\x0c\xa6\xbe\x2c\x1b\x4d\x5c\x86\x06\xa5\x71\x69\xef\x17\x24\x39\x4f\xb3\x2c\x11\x39\x61\xe1\xdf\xa7\x9c\x49\x63\x7c\xdb\xa8\x4c\x23\xd3\x74\xc8\xfb\xfe\xcb\x74\x48\x40\x5e\xf5\xc5\x92\x9a\xe7\xae\x07\xab\x10\x5f\x50\xc2\x6b\xf6\xed\x17\xd8\xfb\x07\x88\xd9\x87\x5a\xe5\xf7\x9e\xaa\x9e\xa1\xc4\x4c\x87\x36\x60\xec\x36\x67\x1d\x5e\x51\x2a\xaf\xd9\x29\xd1\x90\xa6\xc4\xa1\x70\x42\x9a\x12\xa4\x29\x81\x68\x1e\xa2\x79\x88\xe6\x21\x9a\x47\x9a\x12\x88\x95\x21\x56\x86\x58\x19\x62\x65\x88\x95\xb7\xaf\x58\x19\x6a\x4a\xa8\x29\xbb\x54\x4d\xb9\x2d\xd3\x94\xa8\x94\x14\x78\x70\x86\xa6\x39\x1e\x3c\x4c\x87\x68\xd2\x17\x0f\xda\x9c\x29\x26\x39\x93\x99\x30\xba\xa6\x74\x25\x01\xe9\x45\xae\x5d\x0a\x46\x82\x7b\x59\x5c\x22\x41\xfb\x5a\xfc\xcb\x07\xf1\x4b\xa4\xc8\x07\x76\x7a\x22\xb2\xfb\xcc\x0c\x26\x76\x21\xa1\x21\xf1\x53\x1b\x81\x98\xe0\x57\x0b\x74\x92\xe6\xca\x5c\x33\xfb\x69\x6f\x03\x0f\x02\x5e\x19\xe8\xe1\x1a\xd4\xc3\xfd\x4d\x8f\x28\x27\x36\xce\xcb\x89\x19\xd6\x60\x92\x1a\x1b\x84\x74\x5a\x08\xe0\x66\x29\x61\x0b\xe0\x1a\x6e\x6c\x51\x78\xc0\xe7\x68\xc6\xe1\x01\x6f\xb8\xb5\xc6\x8d\x14\xcf\x4b\xd2\x2a\x23\x15\xfd\xfd\x11\x4f\x23\xb5\xcb\x33\xf5\x89\x69\xaf\x26\xc4\xd6\x0a\x7b\xe5\x95\x02\x65\x3b\xd5\x41\x03\xca\x05\xca\x05\xca\x05\xca\xed\x1e\x94\x8b\x69\x1b\xf2\x9f\x40\xa8\x8c\xfc\x27\x70\x29\xc0\xa5\x00\x97\x02\x5c\x0a\x70\x29\x20\x5e\x05\xf1\x2a\x88\x57\x41\xfe\x13\x78\xec\xe0\xb1\xbb\x35\xf2\x9f\xd4\x91\xaf\xa4\x55\x98\x79\x3b\xe6\x41\xf9\xd6\x10\x0d\x98\x75\x50\xf9\x50\x19\x33\xf1\x46\xbe\xb4\xa1\xe5\xd6\xd7\x54\x2b\xdf\xc9\x27\x86\xd8\x77\xfb\xed\x2a\xa9\x9f\xea\x91\x43\xcb\xf6\xbd\x2a\x79\x73\xea\x62\x4a\xe1\x97\xac\xc6\x2e\xf1\xc6\x62\x8e\xc9\xc1\x94\x35\xad\x18\xe4\x2d\x0d\xda\xd8\xd6\xc5\xe1\xb4\x82\x6a\x2d\xfd\xf5\x92\xaa\xa4\x47\xec\xf5\x0a\x5f\x93\xc9\xd9\xad\xb1\xe4\xb1\x17\x62\x83\x2e\xc4\xe0\x68\x3b\x16\x7d\x84\x9f\x4e\x14\x72\x2d\xbf\xc0\x0e\x17\xe3\x27\xaf\xfb\x27\x6d\x59\x12\xef\xdb\x02\x9d\xe4\xef\x1b\x2f\xdf\xd0\xc0\xfb\xc6\xbd\xea\x73\xc6\x82\x31\x38\xdc\xe4\x86\x08\x37\x39\x1f\xfc\x3e\x8d\xb1\x51\xf9\x3e\x45\x22\xf2\x3d\x2a\xef\x7a\x77\x50\x09\xa2\x0e\x10\x75\x90\x84\xab\x0a\xae\x2a\xb8\xaa\xe0\xaa\xea\x1a\x57\x55\xb2\x63\x3c\x31\x4d\xbf\x92\x86\x5d\x04\x49\xb8\x08\xe0\x22\x80\x8b\x00\x2e\x02\xb8\x08\xda\xef\x22\x48\x1e\xa5\xc3\xec\x50\x64\xd2\x62\x1a\xbb\x9c\xc1\xfd\xe5\x4b\xb8\xd6\xc7\xf4\x27\xbb\x9a\xa9\x26\xc1\x54\x5b\xc7\x54\x93\x1d\xcf\x54\xb7\x61\x14\x04\x7b\xd7\x10\x3d\xe9\x06\x8c\x45\xd5\x02\x5f\x86\x69\x2f\x6a\x86\x61\xd5\xd9\xef\x0d\xb2\xff\xe4\xc0\x8b\x6f\x93\x78\x31\x9b\x4f\x67\x37\xb2\xe9\x75\x25\xe7\x22\x8d\xd6\x84\xf3\xbc\xdd\xda\x8c\xd5\x5a\x53\x30\x63\x2c\xba\xcf\x01\x0a\x3d\xcf\xb3\x98\xd5\x4b\xf3\x5a\x71\x3a\x97\xb3\xa4\xc0\x9d\x9e\xce\x23\x79\xbd\xf9\xa0\x30\x10\xce\x3f\x13\x0c\x08\xf7\xb1\x89\x72\x40\xe8\xd9\xe5\x2e\x4a\x78\x6d\xb7\x37\x9a\xbc\x8b\x11\xbf\x63\x1e\xfa\x02\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\xd8\x66\x94\x08\x16\x08\x16\x08\x16\xd8\xc5\x2c\xf0\x07\x03\xf4\xb0\xc8\xc7\xab\x14\x0a\xfa\xd8\x46\x7c\x2c\xad\x16\x72\xda\x4d\xe3\x1b\xab\xb3\xaf\x0f\xb0\x2f\xf7\xd1\x1d\xc6\xa6\x2b\x1b\xf1\xd0\x50\xf5\x24\xbb\xb3\xd6\x91\xd1\x27\x8d\x3d\xa7\x0b\x05\xfd\x52\xdc\xfe\x75\xbb\x61\xb9\x17\x28\x21\xb0\xdc\x61\x3a\xc4\xb1\xdc\x5e\x8a\xd3\x98\x6f\x12\x06\xa3\x97\x44\x68\xbf\x79\xc3\x35\x65\x89\x69\x46\x95\x40\xfb\x94\x14\x94\x75\x06\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\xad\x5d\xe8\xed\x7b\xbd\x14\x12\xe8\xcd\xa3\xdc\xd7\x18\xfb\xf5\x5e\xf6\xc5\x5e\xba\xcb\xb9\x2d\x14\xca\xf0\x34\x10\xab\x5a\x71\xcd\xea\x4a\x25\xcc\x79\x50\xf4\xa1\x8c\x5a\x72\x16\x79\x9c\x5e\x5a\x38\x69\x6c\x68\x5e\x02\xcc\x8a\x86\xa6\x2a\x1a\x9a\xaa\xa5\xa1\x64\x96\xce\x0a\xb0\x76\x92\xe6\x38\x58\x3b\x4e\x47\xe9\x70\x03\x7a\x37\xf3\x1e\x83\x20\x1b\xfb\x91\x2b\x34\xe9\xdf\xd7\x1b\x71\xd7\xcf\xa2\x26\x9a\xf9\x4d\x64\xaf\x5e\x66\x5f\x1b\xa8\x2c\xc8\x39\x59\x1d\x86\xfa\xd7\xe3\xdc\x63\x1c\xd8\xee\x72\x9c\x28\x44\x06\x98\x88\x42\x64\x80\x89\x80\x89\x80\x89\x80\x89\x9b\x84\x89\x1d\x94\x9c\xb5\x63\x60\x22\xb2\x86\x02\x26\x02\x26\x02\x26\x02\x26\xa2\x10\x19\xd2\x1a\xde\x3a\xec\xaf\xe3\xd3\x1a\x6e\xcb\x42\x64\x25\x7a\x56\x10\xb0\xf3\xb4\xc4\x09\x58\x92\x4e\xd1\xbc\xaf\xb4\xcc\x05\xad\x36\xe2\x31\x5f\x5e\xd4\x94\xba\x64\xb9\x60\x45\xda\x02\x3b\x29\x55\x68\x1e\x3c\x4d\x8a\xd2\x7c\x2f\xd2\x15\x2f\x1a\xf9\x51\xaa\x64\x6b\x11\xb3\x54\x59\x15\x8c\x36\x2a\xf6\x69\x37\x48\x13\xdc\xeb\x8d\x74\x89\x2e\x94\x15\x30\x9b\xa5\xc4\xe6\x1f\x20\x0a\x63\xa0\x9e\x59\x83\xf5\xcc\x3e\xdc\x4b\x17\x85\x51\x39\x4b\x8b\xdc\xa8\xcc\x53\x53\xc6\x24\x3d\x27\xca\x9b\x2d\xd3\xd3\x76\x79\xb3\x66\xb5\xfd\x26\x51\xed\xec\x02\x9d\x77\x54\x3b\x6b\x56\xe3\x9b\x2d\x7e\x56\x9b\x25\xac\xc7\xdc\x55\xb1\x9a\xd1\x7f\x30\x5a\x69\x09\x63\x9e\xf5\xd0\xfc\xad\xe2\xa4\xd8\xbf\xcc\x2a\x5a\x07\xb7\xcb\x3e\xa2\x4c\x1a\x40\x33\x40\x33\x40\x33\x40\x33\xca\xa4\xa1\x4c\x1a\xca\xa4\xa1\x4c\x1a\x1c\x1e\x70\x78\xc0\xe1\x01\x87\x07\x1c\x1e\x4d\x71\x78\xa0\x4c\x1a\xca\xa4\xa1\x4c\x1a\xca\xa4\xc1\x9f\x08\x7f\xe2\x36\x2f\x93\xd6\x56\x77\x5b\x3d\x45\xd9\x9a\x5f\xda\xec\x07\x43\x74\x5c\xc8\xf0\xed\x12\x6e\x63\xb2\x56\x9b\x4c\x45\x6c\xd5\x58\x93\x45\xce\xf8\xdf\x2f\x8d\x65\x45\x85\x37\x55\x67\x9f\x1c\x62\x5f\xe8\x27\x66\x37\x70\x45\x36\x10\xd2\x6b\x4b\x4f\x2c\x8b\xc5\x35\x29\x21\xf1\x1e\x7e\xc0\x9c\x75\x35\x97\xc4\xc5\x58\x59\x4e\xd2\xf2\x74\x8b\xd9\x8e\x57\xf3\x6f\x49\x25\xb3\x5a\xd2\x05\xb7\xac\x3a\x20\xc2\x17\x10\xbe\x80\x5c\x28\xf0\x2a\xc1\xab\x04\xaf\x52\xf7\x78\x95\x90\x0b\x05\xb9\x50\x40\xf3\x41\xf3\x41\xf3\x41\xf3\x3b\x82\xe6\x6f\xc3\x2a\xed\xc8\xb6\x02\x42\x8a\x6c\x2b\xdb\x27\xe2\x82\xfd\x5e\x2f\xdd\x2b\xd0\xa3\xf0\x97\x8c\x6d\xc4\xc7\xd8\x6b\xbd\xec\xd5\x5e\xda\x29\x7e\xb9\xb2\x11\x0f\x3d\x94\x51\x4b\xee\x0f\xb7\xb8\x60\x9e\x5d\x45\xb8\x49\x2e\xc5\xa7\x97\x16\xcc\x35\x62\xf3\x72\x18\x37\x2f\xbb\x4a\xa1\x2e\x19\x78\xf5\xec\x2a\xe6\x7d\xd6\x12\x57\xc2\xfe\x6b\x2f\xbd\x41\x74\xb1\x9e\xba\xaa\xa6\xd7\x73\xc6\x94\xdb\x4c\x67\xf3\x85\x5e\xf6\x6b\xbd\x44\xf6\x96\xaa\xc9\x6c\x1e\xcc\xa8\xa5\x65\x6b\x57\xa4\xb2\x71\xf4\xf2\x27\x86\xe9\x69\xd1\xcb\xc5\x15\x25\x15\x33\x77\xe0\x97\x69\x27\xb4\xa9\x01\xa9\x17\xb5\x9c\xba\x92\xcd\xa7\xb3\xf9\x8c\xce\x7e\x77\x88\xfd\x59\x3f\x3d\x6c\x34\x39\xed\x6c\xd1\x82\xeb\x37\x6a\xac\xfd\xa7\xe5\xd4\x84\x68\xb4\x49\x80\xfd\x00\x3f\xe0\x7c\xf9\x85\x55\x70\x76\xc7\x99\xb7\x07\x6b\x6f\x7f\xcd\xbf\x6c\x30\x46\x9f\x67\xb3\x12\xa3\xfb\x8e\x2e\xb3\x14\xa0\xdd\xdf\x95\x64\x1d\x55\x00\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\xbb\x0c\xbf\x7f\xf2\x01\xda\x67\x3c\xba\xb1\x8d\xb8\x1f\x8f\x34\x5e\xb8\xac\xf5\xe3\x4b\x63\x85\xa2\xf6\xe2\x4d\xf6\xd7\xf7\xb3\x9f\xed\xa5\x3b\x52\x5a\x51\xe5\x25\x08\x53\x5a\x3e\x6f\xd8\xa6\x93\x73\x17\x6c\x2c\x54\xd2\xc2\x7c\x6f\xe3\xe2\x97\x45\x33\xd1\x01\xb9\xe7\x8c\x56\x54\x2f\xc5\x4f\xaa\x25\x1b\x15\xca\x5d\x96\x8c\x43\x26\xfa\xa2\x63\x51\x81\xe4\x26\x69\x97\x40\x72\x0f\xd2\xfd\x1c\xc9\xbd\x8e\xee\xfc\x78\xcf\x0e\x92\x63\x23\x10\xaf\x3d\xe1\xcd\xbc\x88\xed\x90\x97\x42\xd7\x2e\x06\x13\xb8\x09\x36\x2e\x09\x5c\x24\x22\x51\x9b\xf3\x7a\x65\x2e\x0c\x97\xa8\x3b\xe4\xd9\x43\x4b\x17\xeb\xea\xa1\xa5\xf5\x6d\xd4\x43\x1e\x29\x55\xaa\xf6\x56\xe4\xe7\x1c\x3d\x34\x6c\xf5\xd0\xb9\xe5\x80\x2e\x1a\x74\x77\x91\xa6\xb7\xbe\x8f\x5a\x33\x44\x6a\xe8\xfa\xe8\xbf\x74\xf4\xd1\x1e\xb3\x8f\x66\xe7\x16\xe7\x2e\xcc\x55\xef\xa5\x61\x57\x2f\x89\x9c\x2d\xdb\x67\x2c\xd5\xdb\x95\x13\xbf\xe0\xe8\xa7\x11\xb3\x9f\xce\x2d\x5d\x58\x38\x77\x76\xb9\x7a\x47\x45\x5d\x1d\x25\x1b\xbf\x75\x7b\x6a\xca\xf3\xad\x3b\x35\x37\x3d\x5b\xcf\x5b\x77\x4a\x55\xd2\xb7\xee\x5b\x97\xf8\x79\x47\x1f\x45\x2d\xcb\x34\x7d\x61\xe6\x54\xf5\x4e\x1a\x72\x9b\x26\xe3\x8b\xdb\x21\xbd\x54\x5b\xdf\xd8\x7d\x59\x43\x2f\x25\x4f\xd0\x31\x76\x24\x32\x65\x2d\x51\x1e\xe7\x6b\x13\x39\xb9\xf2\x38\x55\xa4\xdf\xd8\xc1\xb9\x04\x69\xfd\x22\xe7\x2b\xbd\xf4\x1f\x7a\xd9\xaf\xf7\x86\xbe\x68\xcd\xca\x5f\xe9\x5d\x52\x4a\x62\x95\x7f\x55\x0d\x17\x94\x22\xe7\x34\x17\xcf\x2f\xca\xa5\xa9\x5c\x12\x87\xe5\xdc\x27\xac\xe6\xd3\x05\x2d\x9b\x2f\xe9\xc6\x25\xac\xae\x66\x5f\x54\x75\x31\x03\x73\xb8\x10\x8c\x99\xac\xae\x5a\x53\xd1\xd4\x7a\xb1\x68\xac\x0a\xc5\x00\x31\x17\x31\x25\xcd\x6c\x33\x16\x9e\xd7\x8a\x61\xf5\x45\x65\xad\x90\x93\xfc\xfa\xc6\x55\x2d\x67\x11\x24\xe3\x6a\xf8\x54\xbf\x54\x2a\x4c\x8d\x8d\xe5\xb4\x94\x92\xbb\xaa\xe9\x25\x8f\xd9\x9a\xf1\x88\x46\xf5\x9b\x7a\x49\x5d\xb3\x67\x6b\x6a\x4e\xd1\x4b\xd9\x94\xae\x2a\xc5\xd4\xd5\xd1\x9c\x96\xc9\x64\xf3\x99\xb1\x2b\xe2\xff\xc7\xdf\x72\x74\x5d\x57\x8b\x53\xd7\xb3\x6b\xa9\xab\x37\x63\x61\xb3\x37\xbc\x37\x47\xf8\x93\x71\x06\x8c\x7d\x73\x90\x1e\x15\xce\xee\x15\xee\xca\xde\x30\x7d\xda\xa9\xa2\x96\xbf\xa6\xad\xe8\xec\x57\x07\xd9\x47\xfa\x69\x07\xdf\x6c\xbc\x42\x35\x06\x81\xcd\x14\xb5\x7c\x52\x5b\x69\x92\x8f\x5a\x1c\x90\x30\xfe\xb9\x14\x97\x4d\x2f\x66\xf5\x6d\x57\xf1\x7a\x2b\x9c\xd2\x35\x05\x80\x2d\x06\x1b\x9e\x61\x36\x28\x4d\x0a\x1f\x0b\x66\x54\xa4\x78\x18\x2e\xcb\x03\xbf\x33\xfc\xce\xf0\x3b\xc3\xef\x0c\xbf\x33\xfc\xce\xf0\x3b\xc3\xef\x0c\xbf\x33\xfc\xce\xf0\x3b\xc3\xef\x0c\xbf\x33\x4a\x60\xc3\x2b\x0c\xaf\x30\xbc\xc2\xed\xf2\x0a\x7f\xb5\x97\x1e\x90\xf9\xa0\x38\x5a\xb1\xa2\x85\x3e\xd3\xcb\x3e\xdd\x4b\xb7\x8b\x5f\xab\x46\x0a\xdd\x97\x51\x4b\x1c\x34\xa1\xe0\xb5\x33\x4a\xe8\x1d\x43\x34\x14\x90\x69\xcb\x4e\xa9\xf5\x9f\x07\xd9\x6f\x74\x50\x4a\xad\xb8\x77\x4a\x2d\x47\x22\x2d\x70\xd5\x26\x71\x55\x24\xd6\x02\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\xdd\xee\x84\xf5\x32\xcd\x07\x67\x0b\xaa\x29\x45\xd0\x8f\x5f\x66\x9f\x18\xa0\x07\xbc\x52\x04\x85\x86\xc5\x0c\xb2\x28\xbf\x7d\xa6\x71\xd4\x56\xc3\xd7\xb3\xf9\xb4\x33\x57\x4c\x74\xc4\xd8\xd5\x23\x9d\x8f\x67\x26\x9f\x0e\x07\x7b\x09\x70\x2e\x70\x2e\x94\x25\x06\xe7\x02\xe7\x02\xe7\xea\x1e\xce\xd5\x41\x55\x77\x3b\x86\x73\xa1\x1c\x2c\x38\x17\x38\x17\x38\x17\x38\xd7\x56\x94\x83\xed\x6a\x2c\x85\x7a\x95\xdd\x5c\xaf\x32\xb1\x0d\xb1\x54\xf2\x32\xcd\x08\x41\xd4\x11\x9a\xe2\x82\xa8\x7d\x34\x41\xe3\x7e\x82\xa8\x18\x67\x57\x1b\xf1\x58\x59\x8e\xe7\x40\x0d\x54\x3a\x58\xde\x34\xcd\x8e\x7b\x44\xa5\xd7\x93\xfc\xf8\xda\x63\xde\x4a\xab\x3b\xd8\x6d\x5c\x64\x15\xf9\xd9\x9d\x3e\xd4\xec\x01\xf1\x5d\x0a\x2b\x2e\x40\x16\x13\xbf\xb6\x1d\x91\x09\xa2\x95\xa0\x13\x74\x8c\xf5\xaf\x68\xe9\x9b\x21\xfe\x6f\xb8\x27\x1a\xa3\x91\x7a\x1e\x4d\xe2\x7d\xbd\xf4\xcf\x7a\xd9\x7b\x7a\x43\x3f\x65\xd9\xa3\x1f\xf4\x3c\x63\x7c\xed\xe5\x07\x60\x84\x2b\x0a\x79\x11\x53\x61\x40\x5c\x8b\x0e\x27\x88\x12\x65\xa5\xf9\x27\x32\x1d\x0b\x4f\xe7\xc3\xd9\xbc\x58\xee\x6b\xc5\xf0\x7a\xde\x22\x06\xe9\x70\xba\x78\xf3\xfc\x7a\x3e\x9c\xce\x16\x55\xe3\xad\x51\xad\x65\xa8\xf1\x35\xe1\x9f\x6b\xb9\x0e\x37\x67\xdd\x72\xe5\x13\x5e\x5d\x2f\xf2\x99\x5d\xa1\xa8\xa5\x54\x9d\x7f\x57\xe5\x4b\x2a\xbf\x00\xb1\xf0\x25\x7e\x46\x67\x1d\xe8\xd1\xf0\x74\x2e\x37\x25\xca\x2c\x17\x6f\x86\x8b\xeb\x79\x63\x45\x66\xbc\x66\x56\x31\x6c\xd1\x9c\x9a\x8e\xdc\x2e\x2e\xcd\x69\x53\x7e\xba\x97\xfe\x71\x2f\x7b\x77\x6f\xe8\xef\x5b\x1d\xf4\x47\x3d\x7c\xa2\x75\x46\xc9\x2b\x19\xb5\x28\x96\x0c\x22\x35\x81\xae\x6b\xa9\x2c\xff\x0a\x5a\x93\x73\x85\xaf\x6e\xb4\x62\xd8\x98\x24\x95\x6e\x5a\xd3\x82\x35\xe5\xba\x71\xfd\xa5\xab\xaa\xae\x9a\x2f\xbe\x28\xa6\x2d\xa6\xfb\x9c\x1c\xac\xa8\x61\x6e\x72\xf8\x44\x5c\x2b\x86\xe3\x13\x07\x8d\x7d\x8b\x4a\x8a\xf3\x1d\x63\x0d\x2b\x5e\x73\x3e\x59\x36\xe6\x35\x4a\x36\x2f\x9c\x42\x7c\x32\x6a\xef\xcb\xd7\xbc\x92\x3e\x19\x4b\x28\xd3\x74\x67\xb4\x9c\x92\xcf\xc4\xb4\x62\x66\xac\x70\x3d\x33\xb6\x9e\xcf\xa6\xb4\xb4\x3a\xb6\x7b\x41\x5f\x32\x5a\x89\x45\xee\x72\xde\xab\xd3\x07\xf0\x9d\x1e\x9a\x35\x0c\x43\x9c\x17\xdd\xbd\x63\x46\xcc\xdb\xd8\x38\xd5\x39\x04\x69\xce\x68\x65\x82\x1d\xa3\x23\xb4\x43\xd4\xf2\x6e\xa8\x19\xdf\x7a\xa8\xc7\x85\xf9\x3a\x48\x07\xb8\xf9\xaa\xbb\x65\xd3\x42\xf9\xdb\x8e\x82\xa6\x97\xa8\x46\x0b\x56\x35\x23\x7b\xb0\x4d\x8b\xfe\xef\x11\x1f\x0b\x65\x16\x28\x77\x54\x7b\x77\x27\xf9\x8f\x1e\x14\x7b\x78\x58\xab\x19\xeb\x98\x76\xd8\xad\x0b\x74\x9e\x96\x9c\x76\x2b\x9a\xa0\x13\x0d\x28\x6c\x45\xf6\x22\x99\x45\x04\x68\x17\x68\x17\x68\x17\x68\xb7\x8b\xd0\x2e\xe6\x6e\x01\x73\xb7\xce\x61\xdf\xbf\xdf\x4b\xff\xa5\x97\x7d\xab\x37\xf4\x0d\xeb\x51\xfd\x52\xef\x05\xe7\x6a\x33\x9b\x0f\xeb\x62\xc5\x18\x5e\x51\x57\x85\xa3\xd8\xa2\x32\xf6\x27\x4b\xbe\x25\xbc\xb3\x1c\xb3\xc4\xbc\x96\x1f\xcd\xab\x19\x85\x3f\x12\xb9\xe0\x74\xce\x26\x05\x9f\xb5\x06\x83\x9c\x2a\x64\xd7\xd6\xd4\xb4\x31\x5f\xcd\xdd\xb4\x3d\xb8\xb6\x69\xcf\xe6\x46\xe4\x3a\x94\xdf\x6e\x38\x53\x54\x52\x7c\x9c\x64\xb5\xb4\xf5\xe1\xb1\x3f\x0e\xdc\x39\x6e\x3e\x97\x75\xdd\xb8\x48\x67\x47\x29\xc6\x91\xe6\x0d\xc9\x93\xac\x8a\xf7\xcd\x6c\x22\x26\xae\x73\x4d\x55\xf2\x9e\xd7\x18\x61\xfc\x12\x96\xf8\x15\x78\xad\xaf\xe1\x62\x80\x8b\x01\x2e\x06\xb8\x18\xe0\x62\xe8\x6a\x17\xc3\x6f\xf5\xd2\x97\x7b\xd9\x6b\xbd\xa1\x57\xad\xaf\xed\xfb\x7b\x67\x1d\xf1\xae\x85\x9c\xaa\xe8\xaa\xf5\xea\x2f\x15\xb5\x82\x92\xe1\xdf\x61\x51\x38\xd2\x25\x30\x32\x1f\xb7\x1d\x30\x6b\x3c\xf0\x78\x6c\x32\x16\x5e\x16\x76\x44\x7c\x24\x0b\x6a\xde\x18\xa6\xf6\x57\x44\x0d\x6b\xc5\xc2\x55\x25\x6f\x0a\x9e\x8a\xeb\xea\xd8\xaa\x92\x33\x67\xff\x11\xb1\x35\x12\x5e\xcd\xe6\x95\x5c\xf6\xef\x98\xe6\x7b\x45\x0d\x2b\x69\xce\xeb\xb5\x31\x81\x6f\xd3\xf6\xd4\x52\x34\x3e\xa8\xdb\x07\x89\xf9\x76\x2c\x3c\x97\xe5\x26\xc9\x71\xe1\x5a\xb1\xf2\xce\x6c\x1f\x49\x49\x4c\xf7\xf9\xec\x4f\x2b\x5d\x8d\x45\xee\x15\xd7\x33\x6b\xde\x88\x5b\x39\xf5\xce\x7e\x7a\x47\x3f\x7b\x7b\x7f\xe8\x6f\x2d\xf9\xdc\x57\xfb\x9e\x91\x76\xd0\x18\xa2\x57\xb5\x1b\xe1\x8c\x52\x5c\x51\x32\x2e\x06\x61\x4d\xd4\xd4\xe2\xaa\x56\x5c\x33\xfa\xc2\xf3\x4a\xcf\x95\x9d\xdc\xff\x42\xf9\xb4\xc6\x9c\x93\x88\x7a\xa0\xc6\x88\x48\xab\xa9\x6c\xda\x9e\x58\xf3\x6f\x23\x5f\xe6\x58\xbd\xab\xf3\xd0\x74\xbe\xd5\xfc\xfa\xc5\x1c\xdd\x68\xda\x4d\xcb\x31\x61\x89\xe6\xdc\x27\x8b\x85\x05\xa5\xe2\xb6\xd8\x39\x5b\x1d\x14\xf7\x30\x68\xac\x79\xf8\x5f\xee\x81\xa1\x1f\x0e\x0f\x26\x94\xd4\xf5\x4c\x51\x5b\xcf\xa7\x8d\xbd\xb8\x5a\x8d\xef\x54\xd6\x71\x62\xb2\x22\x67\x40\xee\x46\xcc\x3b\x58\xb1\x5a\x3a\x1c\x1e\x9c\xd7\x8a\xaa\xa3\xd9\x70\x4a\xd1\x53\x4a\xda\xb8\x7b\xd9\x3f\x42\x9f\xc8\xdb\xd3\xc5\x74\xba\xa2\xc1\x55\xab\x8d\x58\xe4\xbe\x42\xf9\xb8\x71\xce\x6d\xe0\xc1\x83\x07\xaf\x4b\x3d\x78\xc9\x0c\x2d\x0a\x9c\x3c\x47\x33\x1c\x27\x1f\xa5\xc3\x74\xa8\x01\x78\xb9\x5c\x52\x4a\xeb\x7a\xa0\x5b\x2c\xea\x0d\x9d\xef\x67\xf7\x89\xb7\xd9\xb6\xb4\xb5\x02\xe8\xcd\xd5\x0c\xa5\x6d\x58\x81\x86\xbd\x77\x88\xf6\xd7\xa0\xac\x97\xe9\x8a\x73\xeb\x7a\x49\x2d\x16\xb5\x9c\xaa\xb3\x6f\x0f\xb2\xdf\xe9\xf7\x01\xee\x35\x96\xd9\x9d\x11\xed\x19\xfd\xd9\xd4\x14\xc6\x5e\x18\xdf\x3e\x15\xea\xea\x6e\x22\xd5\x46\xcb\x7c\xd1\x8e\x07\x84\xc4\x1b\x08\x48\x40\xe2\x0d\x78\xad\xe0\xb5\x82\xd7\xaa\x9b\xbc\x56\x48\xbc\x81\xc4\x1b\xf0\x16\xc0\x5b\x00\x6f\x01\xbc\x05\x1d\xe1\x2d\x40\xe2\x0d\x24\xde\xd8\x2e\x7c\x14\x89\x37\x5a\x91\x78\xe3\x0f\x87\x28\x6c\x96\x50\x33\x55\x50\xf9\xd2\x86\x96\x5b\x5f\xb3\x4a\xdc\xb2\x7f\x3f\xc4\xfe\xbb\xa3\xfc\xdf\xee\xa2\xaa\xa4\xcb\xd6\x99\x4b\xd6\xb1\x97\xf8\xb1\xd1\x90\xb1\x93\x2c\xfa\x57\xb6\xad\xb9\x92\xda\xe4\x15\xa1\xc5\x1e\xe7\x38\xba\xf7\xdc\x69\xb6\x9f\xf6\x52\xdc\x57\xe5\x6c\xdc\x45\x6c\x23\x1e\x2b\xbf\xaa\x40\x7c\xf6\xa8\x37\x3e\xbb\x9d\xf5\x67\xd4\x12\x5d\x3b\x1f\x0c\xce\xc6\xd8\x68\x79\x69\xc6\x8a\xab\x70\x15\xcc\x7d\x75\x87\xdd\xeb\x03\x45\xb5\x90\x53\x52\x6a\x50\xc7\x3f\x2a\xf7\x6b\x47\xdf\x27\x4e\xd2\x1c\xcd\x94\x85\x61\x34\xd2\xf9\xd0\xf3\x21\x16\xa3\xc1\x58\x8c\x5f\xec\x69\xd2\xfb\xbf\x20\x22\x3a\x12\x74\xc2\x8e\xe8\x68\x91\x29\x69\x81\xad\xa8\x62\x9e\x0a\xeb\x25\x8a\xfe\xe0\x1e\xdb\x94\x3c\x2c\xbd\xeb\x4a\xa5\xf5\xd8\x25\x36\xb5\xc5\x78\xb4\x26\x16\x02\x96\x24\xc0\x92\x40\x8f\xdb\x16\x3d\x2e\x84\x58\x10\x62\x41\x88\xd5\x2a\x21\x56\xf2\x5f\x35\xeb\xb3\x9f\x14\x21\x98\x33\x34\xed\x08\xc1\xdc\x46\xdf\xfd\xb0\xf7\x77\x7f\x27\xbb\x43\x74\x35\x25\xfe\xe2\x4e\xfb\xd3\x3f\x56\x50\x8a\xa5\x2c\xf7\xe9\x89\x85\x64\xd0\x72\xe2\x91\x82\xb1\x66\x6c\xf5\x7c\xe0\x91\xf2\x86\x46\xf9\x69\xf7\xf0\x6a\x36\xbb\x9c\x1b\xd7\xd4\x62\x46\x75\x6e\x1d\x70\x6e\xd5\x4b\x45\xa5\xa4\x66\xb2\xa9\xd1\x8a\xfd\x5c\xad\x18\x7f\xdf\x94\x5b\x8d\xab\x4c\x9c\xa5\x45\x4a\x96\x2d\x64\xa6\xe8\x60\x03\xb3\x11\x5e\xe2\x1e\xb3\x90\xa0\x59\xc8\x47\xfb\xe8\x95\x3e\xf6\xe1\xbe\xd0\x07\x2d\x53\xfe\x72\x5f\xf7\xac\x67\xca\x7c\x04\x46\x3f\x73\x9f\x37\xf7\x63\x19\x83\xd3\x56\xbe\x0c\xf9\x0c\xdc\x61\xfe\x45\x12\x12\x09\x25\xc7\x8f\x34\xa6\x5e\xe2\x68\xbe\x07\x9f\x06\xe9\xe1\xa1\xa4\xae\xe5\x97\x84\x04\xe4\x8c\xf1\x5a\xc8\xbf\x97\xcd\x97\xc5\xfe\x71\xd8\x7f\xa1\x95\xf8\x72\x0f\xbd\xd6\xc3\x5e\xed\x09\x7d\xde\xc2\x5b\x1f\xea\x99\xd7\x8a\x29\x3e\x43\xcb\x68\xbc\xdb\xb5\x70\x64\xd5\xf8\x29\x12\x9e\x76\xdd\x05\x07\x97\x62\x32\xb5\xae\xdb\xce\xee\x51\x25\xc5\x6f\x9c\x4b\x08\x72\xd9\x94\xfc\x58\xaa\xb9\xb4\x1e\xd6\x6e\xc8\x3e\x15\x2e\xf6\x82\xaa\x15\x72\x6a\x2c\x2c\xce\xc8\x35\x3b\xe6\xb3\xe4\x00\xd1\xb3\x03\xac\xd3\x47\x6e\xe3\x97\xe5\xd2\x9f\xb4\x0b\x1c\x3d\xee\x6d\xa1\x77\xb0\xdb\xf9\x45\xb6\x04\x1d\x25\x8f\xd2\x61\x76\x28\x32\x69\x49\x15\x77\xf1\x37\x49\xbe\xd6\xe5\x87\x46\xfa\x8d\xad\x2d\xd5\x21\x7e\x61\x98\x8e\x08\x1d\xa2\x52\x28\xe8\xb6\xe4\xd0\x27\xa5\x6f\x5a\x51\xd7\x0c\x13\x55\xb2\x20\xe4\x3b\x86\xd9\xff\xd3\x4f\x77\x18\x47\x1b\x1f\xb2\x8f\xf5\x48\xcc\xeb\xd0\x1d\xe6\xcd\x29\xbd\x99\xd0\x77\x96\xb7\xb2\xac\x96\x9a\xa2\x3e\x1c\xb1\xdd\xa4\x7c\x0d\x21\x9d\x6a\xd9\x92\xba\x66\xdb\xa5\x41\x97\xcb\xdd\xd1\x76\x2c\xfa\x18\x3f\xdd\x74\xa1\xa0\x3b\x73\xa4\x58\xd7\xd8\xf9\x92\x45\xdf\x34\x13\x4d\xd7\x32\x9a\xaf\xce\x99\xe0\x37\x23\xca\x86\xe4\x9b\x61\x0c\x0d\xf9\x6e\x58\x9d\xea\x9e\x2b\xf9\xbf\x89\xfc\x3e\xa1\x4b\x84\x2e\x11\xba\x44\xe8\x12\xa1\x4b\x84\x2e\x11\xba\x44\xe8\x12\xa1\x4b\x84\x2e\x11\xba\x44\xe8\x12\xa1\x4b\x6c\xb7\x2e\xf1\x00\xed\x63\x13\x91\x71\x8b\x5e\x3c\xe8\xa4\x17\xd6\xe2\xae\x12\x5b\x6c\xbf\x00\x4d\x28\x26\xa1\x98\x84\x62\x72\x1b\x29\x26\xbf\x39\x6c\x96\x2a\x13\xd0\xc7\x0e\xa2\xe6\x45\xe5\xab\x63\x4d\x71\x88\x89\x34\xff\xd1\x30\xfb\xb3\x7e\xba\x5b\xfc\x78\x45\x36\x10\x7a\xa5\x16\xb2\xc9\x29\x59\x47\x50\xcd\x27\x6e\x58\xd4\x4e\xbf\x24\x6e\xc1\x86\x9b\xfc\xe7\xce\x07\x9b\xed\x8f\xc5\x7e\x26\x18\x6c\xee\x63\x13\x12\x6c\xba\x06\x9a\x24\x9c\xe2\x34\x0e\xba\xc9\x7b\x1e\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\xb3\xe3\x10\xe7\x04\x8d\xb3\x58\x64\xc4\x42\x95\xf7\x39\x11\x27\x5f\xdd\x01\x6f\x02\x6f\x02\x6f\x02\x6f\xb6\x15\x6f\xfe\xfa\xf3\xb4\x5b\xe0\xcd\xbc\x96\x56\x1d\x19\x22\x8b\xeb\x79\xe3\x56\x53\x39\x45\xd7\x55\x9d\x7d\xe0\x79\xf6\x8e\x01\xba\xc3\xd8\xe9\xca\x46\x3c\x14\x15\xf3\xd4\xa2\xfc\xc2\x9a\x26\xd8\xc4\x95\xe7\xc5\xc1\x33\xc6\xc1\xd1\xd7\x1b\xfb\x9e\xd5\xd2\xea\xa5\xb8\xf3\xf7\x0e\xc7\x84\x09\x80\x33\x80\x33\x54\xda\x02\x38\x03\x38\x03\x38\xeb\x1e\x70\xd6\x41\x85\xa4\x3a\x06\x9c\xa1\xc2\x11\xc0\x19\xc0\x19\xc0\x19\xc0\xd9\x56\x54\x38\xea\x6a\xa2\x84\x12\x2c\xdd\x5c\x82\x25\xb1\x0d\x89\x52\xbd\x61\xd6\x1c\x3b\x6d\xc4\x63\x4e\x34\xb4\x98\xd5\x83\x25\x55\xfe\x35\xca\x45\x65\x8b\xba\x24\x57\x0e\xf8\x65\x16\x85\x71\x5c\x8f\x2b\xaa\x34\xf2\x97\x3b\x6c\x0e\xf6\xa0\xf8\xfc\x84\x15\x37\xf2\x7a\x83\xf8\xb9\x85\xd0\x4b\x30\xaa\x19\x9a\xa6\xe3\x65\x69\x2c\xc6\x68\xb4\xae\xce\x46\xee\x0a\xe4\xe2\x6b\x30\x17\xdf\x1f\xf5\xd0\x9c\xc8\xa2\x77\x8c\x8e\xd8\x59\xf4\xe2\x54\xef\x18\xa4\x79\x91\x95\xe7\x38\x1d\x75\x64\xe5\x69\xa0\x1d\xdf\x90\xf5\x13\xc2\x26\x1d\xa2\x49\x6e\x93\xea\x6f\x3a\xd8\xec\x14\xb4\x56\x9a\x9d\xe8\x6f\x8e\xd8\x66\xe7\x09\x99\xa6\xc9\x91\xf3\x4a\x5b\x75\x9b\xa0\x88\xd8\x45\x98\xa0\x19\x6b\xbf\x16\x1a\xa3\xd6\xe4\xf7\x03\x81\x05\x81\x05\x81\x05\x81\xed\x1e\x02\x8b\xf9\x58\xc0\x7c\xac\x73\x10\x35\x72\xab\xb6\x25\xb7\x2a\x3c\x01\xf0\x04\xc0\x13\x00\x4f\x00\x3c\x01\x5d\xed\x09\x40\x8a\x6d\xa4\xd8\x46\x8a\xed\x56\xa5\xd8\x86\xa3\x0d\x8e\xb6\x6e\x75\xb4\x25\x33\xb4\x28\x00\xf1\x1c\xcd\x70\x40\x7c\x94\x0e\xd3\xa1\x06\xe0\xe5\x72\x49\x29\xad\xfb\x73\xe8\xfa\xf2\x01\x04\x20\x61\x0f\x88\x7c\x2d\xea\x8d\xa7\xef\x67\xf7\x09\x33\x61\x9b\x70\x6a\x7e\xd2\xdf\x5f\x92\x62\xf2\xb1\x8d\xb8\x5f\x46\x8c\x82\x96\xd6\xd9\xbb\x9e\x67\xdf\x7e\xca\x4e\x52\xff\x44\x75\x31\xf9\x92\x96\x8e\x3e\x64\xec\x22\xb2\xd2\xdb\xd9\x26\x96\xb4\x34\x44\xe4\x10\x91\x43\x44\x0e\x17\x06\x5c\x18\x70\x61\xc0\x85\xd1\x31\x2e\x8c\xce\x21\xf4\x40\xc7\x40\xc7\x40\xc7\x40\xc7\x40\xc7\x5d\x8d\x8e\xc1\xb6\xc0\xb6\xba\x94\x6d\x6d\x4b\x11\xf9\x25\x7f\x25\xe7\x61\x01\xea\xf6\xd1\x04\x07\x75\x23\x14\xa5\xa1\xe0\x22\x5e\x5a\x7a\x31\xab\x97\x6a\xd5\x8e\xcf\x05\xe3\xb9\x08\x0b\x57\x54\xe8\xd2\xd2\x6e\xa5\xf8\x2f\x3b\xea\xb9\xdf\x65\x29\xc5\x97\xb4\x74\xf4\x61\xf1\xbf\x56\x12\x2d\x01\xa0\xa6\xe8\x20\x1d\x28\x53\x88\x0f\xd0\x93\xb5\x74\x18\x84\x48\x10\x86\x37\x28\x0c\xff\xcd\x1e\xff\xf7\x77\x52\xbc\xbf\xe3\x14\xe3\xef\xef\x10\xd5\x38\x1c\xe9\x88\x90\x9a\xef\xa7\xbd\xb6\xd4\xbc\xf6\xa3\x8f\x0a\x85\xf9\x01\xda\xe7\x50\x98\xd7\x7c\xb8\x69\x38\x6a\x33\x0c\xde\xe6\xc0\x36\x17\x41\x22\xf2\xe8\xbf\x1e\xb1\x0d\xc7\x1b\x3c\xb5\xde\x86\x11\xd9\xed\x2c\xde\x6e\x4b\xbc\x5b\x69\x4e\xa0\xf1\x06\x20\x05\x20\x05\x20\x05\x20\x85\xc6\x1b\x1a\x6f\x68\xbc\xa1\xf1\x06\xa8\x07\xa8\x07\xa8\x07\xa8\x07\xa8\x87\xc6\x1b\x1a\x6f\x68\xbc\xa1\xf1\x86\x1f\x0c\x7e\xb0\x0e\xf4\x83\xb5\x5d\xe3\x5d\x87\x14\xbb\x49\x0e\xa7\x6d\x58\x30\x80\x7d\xeb\x79\x1a\x08\xd0\x8c\xeb\x6a\xaa\xa8\x96\x74\xf6\x89\xe7\xd9\x9f\x3a\x64\xe3\x4f\x56\x97\x8d\x2f\xf3\xa3\xa2\x21\x2f\xe5\xb8\xd8\x06\xf1\x38\xc4\xe3\x10\x8f\xc3\x37\x02\xdf\x08\x7c\x23\xf0\x8d\x74\x8c\x6f\xa4\x73\xd0\x3f\x98\x34\x98\x34\x98\x34\x98\x34\x98\x74\x57\x33\x69\x40\x33\x40\xb3\x2e\x85\x66\xdb\x52\x3c\xfe\x2c\x1d\x13\xa0\x6f\x92\xf6\x73\xd0\x37\x46\xa3\xb4\x27\x50\xe6\x29\xa0\x50\x53\x72\x8f\x9f\x0a\xc6\x79\x4f\xb1\xdd\xe5\x38\x4f\x5c\x80\x5b\x42\xfe\x9a\x43\x42\x7e\x8f\x25\x21\x97\x6c\x6b\x97\xb7\x8a\xbc\xc9\x74\x4b\xc0\x28\x0e\x4b\xcb\x84\xe4\xc3\x34\x58\x63\xaf\x42\xf0\x04\x2d\x79\x83\x5a\xf2\xff\xdc\x43\x53\xe2\x75\xde\x4b\x71\xfe\x3a\xef\xa1\xda\x07\x1e\x1d\x17\xaa\xf1\x83\x74\xc0\x56\x8d\xd7\xd5\xc0\x09\x21\x1c\x3f\x44\x93\x0e\xe1\x78\x5d\x2d\x34\x6e\x4d\x44\x4a\xf1\xda\xac\x89\xb7\xd4\xdc\x65\x59\xa2\x9f\x71\xe8\xca\x1f\xf1\xd4\x95\x4b\xcb\x32\x10\x24\x2d\x6f\x89\x8d\x81\xba\x1c\x04\x15\x04\x15\x04\x15\x04\x15\xea\x72\xa8\xcb\xa1\x2e\x87\xba\x1c\x24\x1f\x24\x1f\x24\x1f\x24\x1f\x24\x1f\xea\x72\xa8\xcb\xa1\x2e\x87\xba\x1c\x8e\x32\x38\xca\x3a\xd0\x51\xd6\xd1\xea\xf2\xa6\xb9\xa3\xb6\xa3\xc0\xfc\xdf\x0f\xd3\xac\x31\x3e\xf5\xb1\x94\x5a\x94\x3e\x45\x55\x97\x09\xd3\xc7\x36\xe2\x62\xc4\xb8\x36\x66\x33\xf9\x6c\x3e\x63\x4e\xd0\x84\x16\xfd\x25\xf6\x83\x21\xf6\x2f\x6e\xa3\x7b\x9c\x3b\x5e\xd9\x88\x87\x3e\xdb\x23\x87\x9c\xed\x0a\x55\xf2\xe6\x94\xc6\x14\xa3\xcf\xd8\x07\x2d\x8b\xd6\xcf\x9b\x70\x23\xed\x98\x7e\x98\xf3\x8e\x41\xde\xe4\xa0\xcd\x75\x5d\xa0\x4e\x2b\xa8\x16\x1b\xd0\x4b\xaa\x92\x1e\xb1\x17\x34\x7c\xd1\x26\xa7\xbf\xc6\x9a\xc8\x5e\xa9\x0d\xba\x18\x84\xa3\xed\x58\x74\x84\x9f\xce\x71\x8d\xfa\xa5\xb8\xef\x15\x77\xb8\x6a\x3e\x79\x9d\x96\xc4\x8b\xb8\x40\x27\xf9\x8b\x38\x4d\xc7\xe9\x68\x03\x2f\x22\xf7\x72\xcf\x19\x2b\xc9\xc0\x97\xf1\x71\xef\x97\x71\x07\xbb\x9d\x5f\x18\x5d\xcb\x05\xbf\x81\x0b\xec\xa4\x7c\x03\x3d\xc6\xa9\x7c\x25\x7d\x1f\x8a\xfb\x2d\x45\xe0\x00\x02\x07\x92\x70\x7b\xc1\xed\x05\xb7\x17\xdc\x5e\x5d\xe3\xf6\x4a\x76\x8c\x57\xa7\xe9\x57\xd2\xb0\xbb\x21\x09\x77\x03\xdc\x0d\x70\x37\xc0\xdd\x00\x77\x43\xfb\xdd\x0d\xc9\x79\x9a\x65\x89\xc8\x09\x8b\x96\x3c\xc5\x31\x89\xbc\x0a\xdf\xb5\x5c\xa4\xdf\xd8\xad\x95\x4c\x24\xd9\xd5\xa0\x36\x09\x50\xdb\x3a\x50\x9b\xec\x78\x50\xbb\x0d\x23\x1a\xd8\x9f\xf5\xd2\x83\x82\x61\x0a\xb7\xcd\xd8\x46\x7c\x45\x2d\x29\xf1\x31\xf6\xdb\xbd\xec\x3f\xf6\xd2\xdd\xe2\xe7\x2b\xf2\xe7\xd0\x43\x19\xb5\xe4\xfe\x50\x8b\x4b\x8f\xee\xca\xa8\x25\xe1\xb7\xb9\x24\x76\x9d\x5e\x5a\x30\x17\x86\x7a\xf3\xd4\xbc\x15\x0d\x4d\x55\x34\x34\x55\x4b\x43\xc9\x02\x5d\x14\x30\xef\x2c\x2d\x72\x98\x37\x4f\xb3\x94\x68\x00\xe6\x39\xee\xb3\x96\x08\x0f\xf6\xd3\xc3\x74\x54\xf4\xb8\x62\x2c\x97\x33\x59\xc3\x06\x72\x30\x65\x81\x63\xf1\x04\x04\x3d\x96\xbc\x26\x6b\xa5\x2e\x79\x89\xfd\xa7\x21\xf6\x0f\x6f\xa3\x87\xca\x0e\xb7\x1e\xd1\x2f\xd5\x82\x8d\xa7\x97\x16\x96\x45\xb3\x1d\xc1\x89\x9f\xe2\xa7\x9b\x76\xdf\x91\x3d\x90\xe4\xa5\x02\x10\x57\x02\x62\x35\x98\xff\x26\xd8\x09\x07\xc4\xe5\x7d\x2a\xa9\xaf\xdd\xb5\xa6\xb0\xdf\x7b\x4c\x52\x20\x87\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x6e\x33\x19\x9e\xa4\xfd\x6c\x6f\x24\x6e\x91\xe1\xd7\x3b\xc9\xb0\xbd\xde\x03\x0a\x06\x0a\x06\x0a\x06\x0a\x76\xa0\xe0\xaf\x0d\xd1\x94\x00\x93\x82\xc9\x54\x08\x59\x7d\x92\x28\x8b\xbd\xd9\xcf\x0c\xb1\x57\xfa\x69\xa7\xf8\xdf\x95\x8d\x78\xe8\x2d\xf2\xab\x98\x4f\x67\x37\xb2\xe9\x75\x25\xe7\x22\x92\xd6\x0c\x94\x63\xae\xa6\x40\xc8\x58\x54\x7c\x88\x79\x8b\xba\x33\x6f\x0d\xff\x65\x31\x0b\x89\xa9\x17\x41\xdc\xed\x8d\xf6\xee\x62\xc4\x2f\x4c\xe4\x1d\x3a\x1f\x8c\x19\xc7\xd8\xa8\x84\x88\xae\xf1\x23\x51\xa3\xb8\x16\x88\x49\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\xb7\x10\x19\x6e\xbf\xd0\x5b\xb0\x45\xb0\x45\xb0\xc5\x6d\xc4\x16\x7f\x38\x44\x23\x82\x2d\xea\x25\xad\xa8\x64\xd4\x72\xb1\x63\x4a\xcf\xe6\xb5\xb4\xad\x71\xfc\xd2\x10\xfb\x41\x2f\xdd\x23\xf7\xb6\xb4\x8d\xa1\xa2\xaa\xa4\xcb\x56\xb7\x33\xcb\x0b\x67\xb5\xb4\x1a\x7d\xd8\xd8\xb6\x2c\x0e\x90\xd2\x41\xb9\xa9\xb9\xc9\x64\x93\x97\x69\x46\x40\xba\x23\x34\xc5\x21\xdd\x3e\x9a\xa0\x71\xdf\x9c\xbd\xe6\x1d\xcb\x7b\x88\xc9\x8b\x0a\xe4\x72\x8f\x7a\x73\xb9\xdb\x59\x7f\x46\x2d\xd1\xb5\xe7\x82\x89\xdc\x24\xdb\x2f\x89\x9c\xbb\xd7\xcd\x98\x6f\x79\x21\x15\xe2\xc0\xd0\x6b\x3b\x2a\xbb\xfe\xd1\xa2\x5a\xc8\x29\x29\xd5\xa7\xf7\x77\xc9\xcd\x6d\x78\x00\x09\x2e\xd5\x2d\xcb\x18\xde\xc0\x13\x40\x36\x4b\xa4\x0e\x6f\x30\x75\xf8\x87\x7a\x9a\x63\x03\x4e\x89\x1c\xe2\xd3\x74\xdc\xce\x21\xde\x6e\x6b\x52\x58\x6f\xad\x35\x89\xfe\xcd\x3d\x95\xd6\xe4\x5e\x99\x69\x4a\xb1\x0c\x88\xcc\x1a\xde\x0e\xfb\xd1\x9a\x6c\xe0\xb0\x26\x01\xd6\x04\x19\x69\xdb\x92\x91\x16\xa9\x08\x91\x8a\x10\xa9\x08\x5b\x95\x8a\x30\xf9\xe1\x1e\x5a\x10\x85\x3b\x12\x74\xc2\x51\xb8\xa3\xb9\x9f\xed\xa6\x4c\x2f\xcc\x6f\x7f\xd8\xfb\xdb\xbf\x93\xdd\x21\x3a\xa5\xa5\x9f\xff\xc4\xf7\xef\xac\xfc\xfc\x0f\x14\x94\x62\x29\xcb\xbd\x8a\x62\xa1\xe9\xb3\xaa\x08\x15\x8c\xa5\x64\x8b\xe7\x04\x8f\x94\x37\x34\xca\xcf\xba\x87\x87\x17\xee\x72\x6e\x5c\x53\x8b\x19\xd5\xb9\x75\xc0\xb9\x95\x07\x4d\xa9\x99\x6c\x6a\xb4\x62\x3f\x57\x2b\xc6\xdf\x37\xe5\x56\xe3\x2a\x13\x67\x69\x91\x92\x65\xeb\x99\x29\x3a\xd8\xc0\x8c\x64\x89\x3b\xda\x31\x13\x09\x98\x89\x7c\xb4\x8f\x5e\xe9\x63\x1f\xee\x0b\x7d\xd0\x32\xe7\x2f\xf7\x75\xcf\xba\xa6\xcc\x37\x61\xf4\x33\xf7\xb5\x73\xff\x99\x31\x38\x6d\xc5\xcd\x90\xcf\xc0\x1d\xe6\x5f\x25\x21\xcd\x50\x72\xfc\x48\x63\xfa\x25\x8e\xe6\x7b\xf0\xa9\x90\x1e\x1e\x4a\xea\x5a\x7e\x49\x48\x4f\xce\x18\xaf\x85\xfc\x7b\xd9\x7c\x59\xec\x1f\x87\xfd\x17\x5c\x89\x2f\xf7\xd0\x6b\x3d\xec\xd5\x9e\xd0\xe7\x2d\xe8\xf5\xa1\x9e\x79\xad\x98\xe2\xb3\xb4\x8c\xc6\xbb\x5d\x0b\x47\x56\x8d\x9f\x22\xe1\x69\xd7\x5d\x70\x9c\x29\x26\x54\xeb\xba\xed\x64\x1f\x55\x52\xfc\xc6\xb9\x74\x21\x97\x4d\xc9\x0f\xa6\x9a\x4b\xeb\x61\xed\x86\xec\x53\xe1\xda\x2f\xa8\x5a\x21\xa7\xc6\xc2\xe2\x8c\x5c\x2b\x64\x3e\x4b\x8e\x15\x3d\x3b\xc0\x3a\x7d\xe4\x36\x7e\x59\x2e\xdd\x4b\x9b\x20\x92\x7f\xdc\x66\x41\xe4\x0f\xac\xcd\xf2\x07\xd8\x78\xef\x0f\x43\x72\x1f\x4d\xb0\xf1\x48\xcc\x72\x2c\xdc\xef\xca\x52\x21\x1a\x6b\xbd\x10\x99\xfd\x8f\x61\x3a\x20\xe0\x63\x71\x45\x49\xc5\xcc\x4e\x2a\x0b\xba\x1e\x4b\xe5\xd6\xf5\x92\x61\xa3\x72\x36\x86\xfc\xf4\x30\x7b\x77\x1f\x3d\x60\x1c\x37\xed\x3c\xec\xca\x46\x3c\xf4\x98\x17\x8b\x14\x6d\x9c\xd7\x72\x6a\x34\x62\x6c\x3f\x5f\x7e\xe4\xa5\xb8\x63\x9f\x26\x83\xc9\xe7\x44\x4d\xb2\x71\x5e\x93\xcc\x18\x53\xe3\x14\xa3\x11\xdf\x31\xc5\x7b\x63\x23\x1e\x73\x5c\xd0\x66\xa1\x64\x3a\x78\x34\x4d\xb3\xe3\x72\xb8\xf8\x3e\x0d\x73\x4a\xe1\xb8\x2e\xa7\x70\x30\xf4\x8d\x1d\x3e\x8f\xe4\x09\x1f\x46\xe9\x78\x2a\x4f\xc9\x5d\xda\xf9\x60\x12\xc6\x4c\xf1\x58\xd9\x07\xbe\xce\x27\x83\x8f\x3a\x60\x65\x83\xb0\xf2\xfd\x3d\x9b\xb7\x0b\xb3\x02\x54\x1e\xa5\xc3\x36\xa8\x6c\xbe\x75\x69\x8b\xf9\x08\x40\xa1\xd1\x5f\xbc\xd7\xc7\xba\x3c\x60\x33\x4b\x87\x41\x79\x52\xfc\xda\x56\x7b\x02\x80\x09\x80\x09\x80\x09\x80\x09\x80\x09\x80\x59\x37\xc0\xfc\x74\x4f\x93\x0b\x4a\x9c\x17\x38\xf4\x34\x2d\x38\x70\x68\x8b\x8b\x54\x04\x23\xcd\xb6\xcc\x25\x12\xff\xf0\x2e\x9f\xc9\x42\x34\x88\x70\x3a\xa6\x10\xbb\xf9\x5a\xbc\x5d\x33\x08\xe0\xce\x6e\x9b\xb7\x00\x77\x02\x77\x6e\x31\xee\x6c\x03\x9a\x0a\x44\x9d\xb5\x7d\x11\xaa\x1b\xfc\xc0\xef\x45\xf2\x20\x1d\x60\xfb\x22\x13\x16\xf4\x7c\xc8\x05\x3d\xed\x66\xdb\x00\x3e\xdf\x37\x48\x43\x35\x80\x4f\x4e\x3c\xd9\x9f\x0f\xb0\x3f\xf0\x43\x9d\x11\x11\xfb\x53\x94\x51\x0b\xe6\x14\xd9\x4c\x26\xc9\x3f\x62\x7b\x8c\x7d\x3c\xbe\x61\xc6\xc6\x79\xad\x38\x9d\xcb\x59\xf1\xd8\xcd\xcb\x07\xda\xa2\x30\xec\x67\xe8\x88\x18\xad\xfb\x69\x2f\x1f\xad\xa3\xb4\x87\x86\x03\x47\xab\x71\xab\xb5\xe4\x00\xbd\xf6\x98\xf7\x50\xbd\x83\xdd\x26\xa2\xad\x5f\x08\x1e\xa9\x53\xec\x60\x8d\x73\x97\x8a\x31\x8c\xc0\x6b\x04\x5e\x23\xf0\x1a\x81\xd7\x08\xbc\x46\xe0\x35\x02\xaf\x11\x78\x8d\xc0\x6b\x04\x5e\x23\xf0\x1a\x81\xd7\x08\xbc\x6e\x73\xe0\x35\xc2\xa2\x11\x16\x8d\xb0\xe8\x2e\x0e\x8b\xfe\xac\x95\x72\xb1\x1a\xa0\x73\x96\x83\x29\x6a\x39\x75\x25\x9b\x4f\x67\xf3\x19\x9d\xbd\x6d\x88\xfd\x55\x3f\x3d\xec\x85\xec\x84\xcc\xfe\x46\x6d\x29\x18\xb9\xbe\x4c\x34\xda\xa4\x44\x8c\x47\x6e\xf8\x78\xb4\xf8\x75\x39\xce\xb7\x98\xd5\x4b\xdb\x8d\x0e\x5e\xf7\x8f\xda\x68\x7a\xf6\xc6\xba\x92\x34\x66\x83\xb1\xe1\x3c\x9b\xad\x03\x1b\xca\x87\x54\x29\xf8\x05\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x6c\x17\x42\xfc\xc2\x30\x1d\x34\xcb\x49\x17\xf4\xb1\x8d\xb8\x5f\x99\x16\xbd\xa4\x94\xd4\xd5\xf5\x9c\xf1\xee\x9a\xe1\xcd\xef\x1a\x66\x7f\xdc\x4b\x77\x18\x47\xfa\x45\x34\x2f\xcb\xc3\x96\xd5\x52\xf4\x71\x63\xfb\x74\xa1\xe0\xaa\xad\xe2\xd8\x61\x6b\xc3\x99\x8d\xbb\x30\x23\x08\xe4\x05\x05\x0a\xf1\xce\x05\x13\xb3\x11\x16\xb5\x6a\x23\x17\x74\x09\xc7\x9c\xe7\xa8\x31\xb6\x30\xa3\x96\x28\xf4\xcb\x3b\xec\xde\xf6\x09\x56\x76\x76\x78\x44\xee\xd2\xb6\x3e\xaf\x3b\x52\xd9\xa3\xd3\xa1\xc7\x47\xa4\x72\x9b\x22\x95\xbd\x5e\xf9\xfa\x23\x95\x3b\xdc\x70\xf0\xa0\xe4\x77\xdc\x6b\x1b\x0e\x3b\x0e\xd9\x69\x2b\x9e\x10\xbf\xb6\xcf\x54\x20\x08\x19\x41\xc8\x08\x42\x46\x10\x32\x82\x90\x11\x84\x8c\x20\x64\xef\x20\xe4\x66\x4f\x13\x12\x7f\x74\xa7\x3d\x0f\x08\x0a\x31\x76\xce\x0e\x44\x8c\x5e\x5b\x26\x07\x88\x2f\xee\xb6\x29\x09\xe2\x8b\x11\x5f\xbc\xbd\xe2\x8b\x1b\x59\xf2\x05\xc6\x17\xd7\x66\xec\x3d\xa2\x89\x7d\x0c\x7f\xf5\x50\x62\xc7\x9e\x95\xa1\xc4\xdb\xaf\xa4\x13\xfb\xee\x20\x85\xdd\x20\x53\x28\x1e\x9d\xdc\x92\xfd\xda\x20\xfb\x54\xbf\xfd\x05\xac\x51\xdf\xe8\xe8\xaa\x26\xe9\x1b\xa3\x37\xec\xcf\xa9\xa3\xf5\xed\xa9\x66\x6c\x7f\xc9\xe9\xa6\xd3\x93\x5a\xe4\x91\xd0\x2c\x42\xb3\x08\xcd\x22\x34\x8b\xd0\x2c\x42\xb3\x08\xcd\x22\x34\x8b\xd0\x2c\x42\xb3\x08\xcd\x22\x34\x8b\xd0\x2c\x42\xb3\x08\xcd\x22\x34\x8b\xd0\x2c\xb6\x4b\xb3\xf8\xbd\x5d\xf4\x8c\x44\x7d\xeb\x25\x4d\x4f\x29\xb9\x6c\x3e\x33\xb6\x31\xb1\xa2\x96\x94\x09\x3f\xfd\x22\x47\x48\x5a\xbe\xa4\xe4\x0a\x5a\xda\x3c\x4e\x2d\x9a\x5a\x46\xce\x09\xd7\x75\xf6\xf7\x77\xb1\x6f\xf4\xd1\xfd\x8e\x86\xaf\xc8\x86\x43\xfb\xb8\xbc\x51\xec\x67\x3e\x0a\xfb\xbb\x7c\xca\x6a\x7f\x49\x4b\x4f\x5b\xed\x47\x8f\x72\xd1\xa3\xdd\xdc\x25\xd1\x9a\xed\x44\xf3\x39\x50\xf8\x10\x9b\x2c\x89\x2c\xd2\x33\x02\xd6\x2d\xd1\x59\x0e\xeb\x4e\xd1\x3c\xcd\xfa\x63\x6e\xfb\xb2\x63\xb2\x17\x62\x3e\x97\xbb\xd9\xca\x2f\x99\x60\xa4\x37\xcb\x12\x26\xd2\xb3\xaf\x4b\x92\x3d\xbf\xab\xb2\x29\x9f\xb8\x7c\x0a\xfd\xce\x4e\xef\xa7\x3b\x69\xca\x29\xeb\x7d\xc0\x27\x4c\x91\x65\x67\x3c\xe3\xc4\x73\xf4\x46\xba\x54\xe6\xbe\x6c\xd2\x43\x86\x2b\x13\xd2\xcc\x06\xa5\x99\x5f\xe9\x69\x9d\xe9\x79\x5e\x48\x36\x2f\xd2\xb2\x2d\xd9\x6c\x9f\x61\xab\xcd\x72\xd5\x69\xa6\x3c\x0c\x5d\x80\xc4\x33\xf1\xf5\xbb\xbc\x0d\xdb\x89\x0a\x99\x47\xbd\x16\xee\x98\x10\x7f\x6c\xbd\x7d\x83\x34\xa4\xdb\xec\x29\xa4\x21\x90\x86\x6c\xb1\x34\x64\x0b\xe7\xcc\x81\x92\x91\x76\xcd\x9a\x93\xb3\x94\x60\x27\x22\xc7\x2c\x41\xc8\x6e\xa7\x94\xc4\xa7\x99\x5b\x42\x56\xf2\xbb\xbd\x74\x8f\x58\x6b\xae\x70\x39\xc9\x46\x7c\x8c\x7d\xa9\x97\x7d\xa1\x97\x76\xf0\x1f\xae\x6c\xc4\x43\x0f\x65\xd4\x92\x1b\xe0\x8a\xa5\x71\xf4\xf5\x19\xb5\x94\x30\xf6\xba\x14\x9f\x5e\x5a\x30\x5d\x85\x4d\xfc\x20\x56\x34\x34\x55\xd1\xd0\x54\x2d\x0d\x25\x0b\x74\x51\x0c\x72\xe3\x0b\x67\x0c\xf2\x79\x9a\xa5\x44\x03\xdf\x35\xc7\x7d\xd6\x92\xca\x9e\xfd\xf0\x7e\x8a\x19\xfd\x5b\x25\xf2\xb0\xa0\xa5\xad\x55\x7a\x4e\xcb\xb0\x2f\xde\xcf\x3e\xd7\x4b\x77\xa4\xb4\xa2\x6a\xf4\xfe\xa3\x7c\x59\x9e\xd3\x32\x95\x13\x9a\x25\x2d\x1d\x0d\x19\x9b\x67\xb4\xa2\xea\x14\xae\x2e\x69\xe9\x45\x2d\x33\x41\x25\xf5\xc5\xd2\x58\x21\xa7\x64\xf3\x4d\x5e\x68\x4f\xd2\x2e\xd1\x9f\x0f\xd2\xfd\xbc\x3f\x5f\x47\x77\x7e\xbc\x67\x07\xc9\x91\x15\xf8\xe6\xcf\x05\xbf\xd8\x11\x16\x16\x6f\xf1\x92\x96\xf6\xaa\x31\x11\x89\x04\x85\x13\x26\xdf\xdd\x43\x7f\xbf\x87\xfd\xbd\x9e\xd0\x8f\x5a\xb6\xfa\xaa\xa9\x65\x50\x8c\x07\xcc\x5f\x3e\xe1\x90\x2d\x69\x26\xd4\xc9\x69\x99\x32\xa7\x99\xf3\xfb\x67\x7c\x92\xf9\x73\x28\x72\x83\xaf\xe5\x9d\xcd\x49\xcf\x4e\x41\x4b\xc7\x22\x3b\xad\x9f\x9d\xeb\x84\x67\xe8\x22\x5b\x0e\x3d\x6d\x5e\xce\xbe\x79\xcd\x12\xa8\x1b\x8f\xd8\xe6\x4a\x66\x3b\xae\x0b\xe1\xa1\x0d\xb1\xc8\xed\xab\xfc\x28\x97\x19\xff\xf1\xdb\xe8\x5d\xb7\xb1\xff\xe3\xb6\xd0\xcb\xb7\x99\x8d\xff\x66\x7f\x36\xaf\xab\xa9\xf5\xa2\xba\x7c\x3d\x5b\xb8\xb0\xb8\x7c\x49\x2d\x66\x57\x6f\x26\x94\xd4\x75\x35\x9f\x2e\x9f\x79\xf1\xe9\x84\x29\x20\x71\xce\xbc\xb8\x92\xa0\xb8\x66\x0a\x24\xb2\x69\x8e\xe0\x56\x2d\xc7\x1d\xf7\x79\xa8\x45\x89\xbb\x2c\xab\xb9\x62\x9e\x86\x9b\xa2\x94\x96\xcf\xab\xe2\xc3\x56\xd2\x62\x61\xf1\xe1\xe7\x9f\xbf\x35\xe5\xba\x00\xe7\xa7\x2e\x5c\x58\x5a\xb6\x76\xd4\xf2\xe1\x15\xb5\x74\x43\x95\x46\xcd\xbe\x32\xd3\x41\x64\xb5\x2f\xef\x51\x4e\x26\xc4\xd7\xd5\x7d\x48\x4a\xc9\x1b\x37\xb2\xc1\x6f\xdf\xea\x6b\xee\x3f\x14\x57\x27\x7c\x0e\xfc\x46\x0c\x53\x6d\xb9\xa0\x8b\xaa\x92\x0b\x1b\xe3\x2b\xa7\x96\x62\x61\x53\xd6\x20\x7f\x90\xb7\xc5\x55\x16\x82\x09\x3b\x4e\x60\x9d\x7c\x50\x0f\x5f\x58\x5c\x0e\xa7\x8a\x2a\xf7\x02\x29\x39\x7d\xc4\x25\x14\x31\xae\xd7\x74\x78\x99\x37\x2e\x69\xa4\xf3\xec\xc6\xc9\x36\xd6\x73\x79\xb5\xc8\x6d\x30\x77\x7b\xae\x29\x79\x2b\xd8\x22\x9b\x4e\xe7\xd4\xb0\x52\x2a\x29\xa9\xeb\xe1\x21\x35\x96\x89\x19\x13\x5d\xf1\x7f\xa3\x07\xac\xa7\xc9\xf5\x4d\x5c\xf4\x22\xe7\x8f\xeb\x4a\xce\xee\x8e\x94\xb6\xe6\x12\x35\x38\x2f\x61\x38\x16\xd9\x55\x6d\x40\xb9\x86\xe3\x5b\x7b\xe9\x7f\xf5\xb0\x1f\xf6\x84\xbe\x6f\xbd\x7a\xbf\xdd\xb3\xb0\x2a\x62\x4d\xb8\xc3\xd5\x72\x1d\xaf\xdc\x2c\x99\x6e\x63\x25\x5d\x2e\x16\xb2\x42\xb4\x38\x99\x57\x4a\x72\x56\x2b\xec\x21\xff\xd0\x99\xcf\x5d\xb9\xc9\xef\x2f\x9d\xd5\x0b\x39\xe5\x26\x77\x65\xac\x15\x78\x74\x07\x0f\x40\x09\xe7\xb2\x79\x3e\x36\x73\x5a\x26\x93\x35\x67\xb6\x0e\x8f\xae\x9e\xcb\x66\xae\x96\x72\x37\x85\x17\x51\x2b\xda\x3f\xd8\x93\x64\xb7\xf9\xe5\x08\x3b\x16\x11\x8e\xf1\x84\x71\x17\x2e\xf4\x3c\x4e\x31\x36\x12\x89\x5a\xb3\x81\x7b\x9c\x73\x8a\x25\x2d\x7d\x2b\xcc\x1f\x92\x2b\xf4\x66\x76\x39\xf4\xbc\xd9\xe0\xd1\xf3\xa2\x33\x2d\x15\x8b\xf9\xdc\xa4\xec\x49\x98\xc9\x4a\x0b\x2b\x0d\xdb\x0e\xf3\x38\xd7\x58\xfa\x0f\xbd\xf4\xeb\xbd\xec\x8b\xbd\xa1\xcf\x39\x62\xcd\xa6\xc3\x45\x35\x27\xa2\xf0\xb8\xeb\xcd\x3b\xaa\x2f\xb5\x5e\x2c\x72\x5f\x63\xd6\x7c\xad\x6d\x6b\x7f\x55\xbb\x21\xaf\xc4\x1d\x90\x57\x30\xac\x41\x5a\xd5\x6d\xb7\x9e\x62\x58\x62\xee\xc6\xe3\x52\x15\xee\x72\x35\x3e\x09\xc6\xd1\x61\x5d\x8a\xd9\xb8\xb9\x96\x5a\x16\x73\xed\x67\xf9\xf9\x2a\x63\xfe\xcc\x90\xa0\xf5\xd2\x7a\x51\x1d\x11\x0a\xb0\x8c\xee\x71\xe4\x39\xe3\x4c\x9a\x18\xbb\xfc\x5c\xd2\xcd\xc1\x87\xa8\xf1\xff\x0b\xc6\x25\x9a\x8e\x38\x2b\xc0\x2f\x72\x97\x73\x67\xd7\xc0\x7c\xb5\x87\x3e\xdf\xc3\xfe\xaf\x9e\xd0\xbf\xb3\xde\xcd\xf7\xf9\xbc\x9b\x39\xee\x0d\xb3\xde\x49\xc3\xde\xca\x01\xcc\xaf\x56\x76\x23\xbf\x3d\x57\x7c\xe1\x88\xd8\xce\x25\x9b\x57\xb5\x1b\x79\xbb\x09\xee\xbe\x76\x3a\x7b\xac\x51\x61\xde\x8f\xd7\xfd\x45\x76\x96\x94\x6c\x6e\xd1\xb8\x1a\xd7\xad\xfc\xb3\x1e\x7a\x4f\x0f\xfb\xa9\x9e\xd0\x4f\x58\xb7\xf2\x16\x19\x07\x38\x12\x56\xd2\x69\xc3\x08\x9e\x9f\x9f\xd9\xbb\x77\xef\x21\xa3\x3d\xf9\xe7\x59\x25\xaf\xf1\x27\xab\x97\x94\xb5\x82\xe9\xc1\x5d\x51\x33\xd9\x7c\x5e\x2e\xfb\x55\xe1\x6a\xb6\x6d\x86\x65\x6d\x3c\x86\x2d\x59\x6d\xb9\x06\x2e\xfb\xea\x20\xc5\xc5\xe4\xda\x5d\xfa\xdf\x4a\x5a\x9b\xd2\xb3\x72\x4b\x4a\x29\x28\xa9\x6c\x29\xab\xea\xec\xe7\x06\xd9\x4f\xf5\xd3\x3d\x72\x83\x95\xac\x76\xbc\x7a\x91\xa9\x99\xe5\x85\x65\x71\xc4\x8c\x68\xea\x66\x74\x9f\x71\x84\xfc\x51\xa6\x96\xad\xdc\x6b\xbb\xe9\xb1\xd7\x44\x28\xdb\x38\x0f\x65\x33\x66\x9e\x33\x34\x4d\xc7\x7d\x97\xab\x66\xc7\xcb\x5e\x8c\x55\x76\x40\x53\x2a\x52\xa9\xc1\xf3\xd9\x04\x3b\x21\x67\xae\xee\xc1\x60\x96\xd0\xac\xb8\x30\xa4\x95\x85\x44\x1b\x12\x6d\x48\xb4\x21\xd1\x86\x44\x1b\x12\x6d\x48\xb4\x21\xd1\x86\x44\x1b\x12\x6d\x48\xb4\x21\xd1\x86\x44\x1b\x12\x6d\x48\xb4\x21\xd1\xde\x3a\x89\xf6\x27\xae\xd0\xa9\xaa\x64\xcf\xc7\xd7\xeb\x09\xfc\xfe\xf0\x32\xfb\xe2\x40\x33\x80\x5f\xac\x12\xf8\xd9\x3e\xe1\xca\xfd\x3b\x1c\xf5\x25\x40\xbb\x40\xbb\x12\xa0\x5d\xa0\x5d\xa0\x5d\xa0\x5d\x5d\x43\xbb\x12\x1d\x43\xbb\x9a\x7e\x25\x0d\xd3\xae\x04\x68\x17\x68\x17\x68\x17\x68\x17\x68\x57\xfb\x69\x57\xa2\xab\xe1\x54\x02\x70\xaa\x75\x70\x2a\xd1\xe9\x70\x2a\xb1\x0d\xe1\xd4\xb6\x96\x48\x55\x68\x9e\xea\xd4\x4c\x45\x7e\x6f\x67\x25\x49\x7b\x44\x7c\xa2\xc2\x8a\x17\x34\x1b\x17\x1b\xb7\x00\x9b\x09\xca\xf5\x34\x9d\xa3\x33\x65\x31\x97\x47\xe9\xf0\x26\x1e\x17\xc2\x2e\x11\xc6\xde\x60\x18\xfb\x4f\xf6\xd2\x59\x61\x3b\x4e\xd2\x1c\xb7\x1d\xc7\x69\x73\x83\x91\x96\x45\xf4\xfa\x22\x25\xed\xe8\xf5\x4d\x37\x7a\x41\x94\x33\x38\x43\xa7\x1d\xe5\x0c\x36\xdd\x6a\x90\x89\x6b\x8f\xca\xb3\x8a\x25\x2d\x68\x7a\x89\xa2\x2f\x8f\x56\x9a\xb8\x41\x59\xc9\xc2\x51\x16\x44\x5b\xf5\x32\x77\x53\x62\xc7\x32\x59\xb0\x75\x54\x1b\x0d\x5f\x6b\x0a\x24\x81\x17\x83\x17\x83\x17\x83\x17\x77\x0f\x2f\xc6\x6c\x2f\x60\xb6\xd7\x39\x40\x1d\xc5\xe9\xda\x52\x9c\x0e\x7e\x0b\xf8\x2d\xe0\xb7\x80\xdf\x02\x7e\x8b\xae\xf6\x5b\xa0\x46\x29\x6a\x94\xa2\x46\x69\xab\x6a\x94\xc2\x2d\x08\xb7\x60\xb7\xba\x05\x93\x99\x26\x97\xe7\xed\x10\xf2\x1c\xf5\x26\xcf\xf7\xb3\xfb\x84\xd1\xb0\x0d\x3a\x6d\xc3\x64\x35\xec\x53\xf7\xd1\x13\x56\x32\x36\x2d\xad\x5a\x69\xd7\x0a\x45\xed\xc5\x9b\x63\x7f\xd7\xb8\x8f\x97\xd8\x3f\xba\x8f\xfd\xa4\x23\xff\xda\x53\x32\x31\x53\xf8\xe4\xdc\x05\x5b\x69\x5e\xd2\xc2\xfc\x20\x63\x10\x9d\xd5\xd2\x6a\xf4\x09\xb9\x9b\x48\xc5\x76\x52\x2d\x19\xbf\x2e\x19\xbb\x3c\x93\x2d\x5d\x5d\x52\x4a\x57\x27\xfa\xa2\x63\xd1\xe6\xa4\x4f\x7b\xc2\xfb\x39\x11\xdb\x21\xaf\x82\xae\x9d\x0f\x1e\x31\x63\x6c\xd4\xce\xa5\x26\x46\x89\x75\xd1\x12\xa7\xbb\x12\xaf\x85\x3c\xbb\x65\xe9\x62\xed\xdd\xb2\xb4\xbe\x3d\xba\xc5\x3b\xdd\x9c\x4f\x17\x45\x7e\xda\xd1\x2d\x03\x56\xb7\x9c\x5b\xae\xd6\x2f\x11\x77\xbf\x68\xfa\x2d\xd8\x31\xd1\x9f\x71\x74\xcc\x90\xd9\x31\xb3\x73\x8b\x73\x17\xe6\xaa\x74\xcd\x93\xae\xae\x11\xde\x9d\x6d\xd1\x39\x75\xbd\x4c\x13\xef\x75\x74\xce\xb0\xd9\x39\xe7\x96\x2e\x2c\x9c\x3b\xbb\x5c\xa5\x77\x9e\x72\xf5\x8e\x6c\xb9\x95\xdd\xd3\x82\x7b\xaf\xa1\xcb\xa7\x3c\x5f\xaa\x53\x73\xd3\xb3\x35\xbf\x54\xa7\x54\x25\x7d\xeb\x75\x4c\xe2\x3d\x8e\x8e\x19\xb4\xac\xcd\xf4\x85\x99\x53\x55\x7a\x66\xb7\xdb\xdc\x18\xb3\xa6\x5b\xef\x95\x4a\x1e\xa5\xc3\xec\x50\x64\xd2\x9a\x92\xec\x72\x66\xdc\x2b\x3f\xb4\x32\xfd\xde\x7e\xda\xcb\xe2\x91\x31\xeb\xf0\x07\x8c\x7f\xed\x64\x8c\x62\xca\x1a\xe1\xdb\x9c\x87\x95\xa5\xc0\x4b\x18\x7d\xc9\x01\xd8\x55\x35\x7c\xf1\xfc\x62\xd8\x6c\x65\x5d\x57\xad\xc9\xab\x99\x97\x4e\x3c\x25\x73\xd9\x53\xd2\xc2\xc6\xb4\x24\x26\xce\xe1\x9c\xb9\x7c\xfa\x32\x1d\x17\xf1\x86\xe9\xac\x9e\xd2\x36\x8c\xb9\xa4\x15\x71\xe8\x17\x6c\xa8\xe6\xd3\x05\x2d\x9b\x2f\xe9\xb9\x6c\x4a\xd5\xd9\xf7\x5f\x60\xbf\x30\x40\x77\x59\x0d\x18\x03\x68\x4f\xf5\x18\xc3\x39\xd9\xc2\xb2\xd1\x42\x74\xc0\xd8\x79\xd6\x3c\xdc\x99\x6f\xd6\xb5\x1f\xc2\x0a\x11\x56\x88\xb0\x42\xc8\x44\x20\x13\x81\x4c\x04\x32\x91\x8e\x91\x89\x74\x8e\x0a\x02\xee\x79\xb8\xe7\xe1\x9e\x87\x7b\x1e\xee\xf9\xae\x76\xcf\xc3\x7f\x08\xff\x61\x97\xfa\x0f\xb7\x65\x58\xa1\x4a\x49\x01\x05\x67\x68\x9a\x43\xc1\xc3\x74\x88\x26\x7d\xe3\x6d\x6c\x50\xb5\x11\x8f\xb9\x00\x51\x53\xc2\x09\x5f\x08\xe6\x87\x53\xec\xa0\xe4\x87\xe5\xd0\x4c\xd2\x44\xd7\x55\xb9\x50\x62\xe4\xc3\x3b\xcb\x48\xd9\x43\x66\x0c\x61\xbe\x8c\x8a\x0d\x89\x0d\x6d\xe4\x62\x02\x63\x2d\xd0\x49\x9a\x2b\x8b\x1b\xdc\x4f\x7b\x1b\x78\x1e\x50\x90\x23\x5e\xb0\xc1\x78\xc1\xbf\xe9\xa1\x79\x61\x14\x8e\xd3\x51\x6e\x14\x26\xa9\xb1\x41\x48\xa7\x45\x9c\xe0\x2c\x25\xec\x38\xc1\x86\x1b\x5b\x14\xf1\x81\x73\x34\xe3\x88\x0f\x6c\xb8\xb5\xc6\x6d\x15\x0f\xd8\x6b\xb1\xad\x8a\xfe\xf1\x48\x99\xad\x8a\x78\x06\x03\xba\xcd\xd6\x84\xd8\xc7\x61\xb6\xbc\x82\x00\x5b\x69\xc0\x10\xff\x07\xb0\x0b\xb0\x0b\xb0\x0b\xb0\x8b\xf8\x3f\xc4\xff\x21\xfe\x0f\xf1\x7f\x70\x30\xc0\xc1\x00\x07\x03\x1c\x0c\x70\x30\x20\xfe\x0f\xf1\x7f\x88\xff\x43\xfc\x1f\xfc\x77\xf0\xdf\x75\xa0\xff\xae\xed\xf1\x7f\x75\x04\xe6\xb5\x98\x36\x6f\xc7\xb8\xbf\x4f\xbc\x40\x51\x59\xad\x27\x75\x55\x4d\xaf\xe7\x8c\x55\x9b\x2d\x9f\x2f\x14\xb3\x5a\x31\x5b\xba\x99\xca\x29\xba\xae\xea\xec\x47\x5e\x60\x3f\x37\x40\xaf\xb3\xf7\xad\x41\x29\xbf\x24\xdb\x98\x31\xda\x88\x3e\xca\x0b\xf1\x58\xc7\x5f\x8a\xbb\x36\x43\x20\x0f\x81\x3c\x04\xf2\xf0\xa3\xc0\x8f\x02\x3f\x0a\xfc\x28\x1d\xe3\x47\xe9\x1c\x37\x01\xf8\x35\xf8\x35\xf8\x35\xf8\x35\xf8\x75\x57\xf3\x6b\x00\x36\x00\xb6\x2e\x05\x6c\xdb\x52\x20\xbf\x2a\x34\xac\xe3\x5c\xc3\xda\x7b\xee\x34\x3b\x42\x53\x74\xd0\xbf\x20\x85\xcd\xa2\x36\xe2\x31\x17\x21\xaa\x49\x21\x7f\x39\x98\xf3\x1d\x66\x87\xcc\x9c\x60\xe5\xe0\x4b\x82\x3e\xd7\x69\xdd\xb9\x48\x02\x14\xf8\x91\x7f\xb9\xb3\x9c\x91\xbd\xde\xaa\xb3\xe3\xc6\x61\x8f\xcb\x12\x3b\x2d\x07\x62\x82\x5f\x25\xe9\x14\xcd\x97\x29\xe3\x0f\xd0\xbe\x46\x1e\x04\xc4\x55\x90\xc6\x37\x28\x8d\xff\xdb\x1e\x3a\x29\xcc\xc1\x09\x3a\xc6\xcd\xc1\x41\x6a\x70\x14\x0a\x67\x43\x9c\x3b\x1b\x2c\x6d\x7c\xe3\xad\x9d\x11\xe2\xf8\x79\x9a\x75\x88\xe3\x1b\x6f\x6e\xb3\xea\xf8\x16\xdb\xb1\xe8\xef\x8f\x94\xdb\x29\x6f\x7d\xbc\xdb\x66\x0d\xcb\x3a\x39\x0e\x9b\x65\x0b\xe4\x5b\x69\xbd\x20\x8b\x07\xce\x05\xce\x05\xce\x05\xce\x85\x2c\x1e\xb2\x78\xc8\xe2\x21\x8b\x87\x5b\x01\x6e\x05\xb8\x15\xe0\x56\x80\x5b\x01\xb2\x78\xc8\xe2\x21\x8b\x87\x2c\x1e\x5e\x3b\x78\xed\x3a\xd0\x6b\xd7\x76\x59\x7c\xab\x5d\x60\xf5\xd4\xc3\x69\xba\x6a\xfd\xed\x7d\x14\xf6\x57\xad\xf3\x8a\x3d\x63\xec\x77\x7b\xd9\xd7\x7b\x89\xb9\xf8\xb6\xa8\x08\xff\x50\x46\x2d\xb9\xa7\xc5\xc2\x31\x1a\x0d\x67\x54\x97\x36\x9d\xef\x3e\xbd\xb4\x60\x22\xc1\x26\x02\xed\x8a\x86\xa6\x2a\x1a\x9a\xaa\xa5\xa1\x64\x81\x2e\x8a\x81\x75\x96\x16\xf9\xc0\x9a\xa7\x59\x4a\x34\x30\xb0\x1c\xf7\x59\x8b\x93\x95\x7d\xf4\x51\x4a\x8a\x87\xa0\x14\xb2\xea\x8b\x25\x35\xcf\xdf\xe5\xf2\xe7\x90\x5a\xd7\x4b\xda\x9a\xd9\xc7\xce\xab\x92\x15\x86\x74\x3e\xa0\xd9\xef\xed\x62\x6f\xef\xa7\x07\x5d\x6d\x59\x4f\x6c\x7f\x51\x55\xd2\x61\xb1\xa7\xf9\x76\xda\x0b\x97\x19\x7e\x0a\xf3\xe2\x67\xad\x53\x44\x0f\x18\x87\x4d\x3b\x5b\x34\xab\xfa\xfb\x1c\x21\x5e\xae\xe6\xba\x2d\x92\x3f\xd1\x43\x37\xc4\x23\x2a\x50\x9e\x3f\xa2\xab\xb4\x4a\x69\xbf\x47\x64\x5f\xec\xa8\x25\x56\xb7\x9f\x96\xbb\xaf\x65\xff\xc4\xfc\xee\x27\xd0\x4c\x3c\xea\xfd\x1a\xdf\xce\xfa\x33\x6a\x89\xae\xbd\x25\xd8\x8a\x9c\x65\x8b\xd2\x8a\x78\x0d\x03\xb3\xc4\x96\xdf\xf5\x55\x14\xda\x0a\xfd\x1b\xf2\x1b\x04\x07\x8b\x6a\x21\xa7\xa4\xd4\xfa\xc7\xc1\x21\x79\xe4\x56\x0f\x85\xc4\xdf\xa1\x17\x69\xa3\xcc\xff\xde\xa6\xa1\x00\xea\x0b\x7f\x7d\x83\xfe\xfa\x77\xf7\x6e\x9d\x01\xfb\xff\x09\xff\xfe\x3a\xe9\xb6\x7f\x7f\x3b\x98\xcf\xc2\x7a\xcd\xe6\xb3\xc2\x06\x6e\xc2\x9e\x26\xde\xf6\x3a\x3f\xf3\x39\x5d\x50\x8a\xa5\x2c\xf7\xa3\x0a\x02\x53\xbf\x1d\x9d\x2c\x18\xb3\xe7\xad\xb4\xa2\x8f\x94\x37\x34\xca\x2f\x69\x0f\x9f\x41\xed\x72\x6e\x5c\x53\x8b\x19\xd5\xb9\x75\xc0\xb9\xd5\x58\x5b\x96\xd4\x4c\x36\x35\x5a\xb1\x9f\xab\x15\xe3\xef\x9b\x72\xab\x71\x95\x09\x63\x96\x95\x2c\xb3\xe0\x55\xa4\x6c\x55\xe6\x5b\xbc\xd4\x14\xac\x72\x90\x55\xfe\x68\x1f\xbd\xd2\xc7\x3e\xdc\x17\xfa\xa0\xc5\x8f\x5e\xee\xeb\x1e\xab\x5c\x46\xcf\x8d\x7e\xe6\xaa\x04\xee\xe1\x31\x06\xa7\x1d\x6a\x3a\xe4\x33\x70\x87\x39\x06\x13\x22\x16\x25\xc7\x8f\xcc\x6b\xf9\x51\x71\x34\xdf\x83\xbb\xe0\xf4\xf0\x50\x52\xd7\xf2\x4b\x22\xe6\xf2\x8c\xf1\x5a\xc8\xbf\x97\xcd\x97\xc5\xfe\x71\xd8\xff\x73\x91\xf8\x72\x0f\xbd\xd6\xc3\x5e\xed\x09\x7d\xde\x5a\x8b\x7f\xa8\x67\x5e\x2b\xa6\xb8\x77\x30\xa3\xf1\x6e\xd7\xc2\x91\x55\xe3\xa7\x48\x78\xda\x75\x17\x1c\x62\x08\x47\xde\xba\x6e\xcb\x11\x46\x95\x14\xbf\x71\x2e\xf2\xc8\x65\x53\x92\xd0\xa9\xb9\xb4\x1e\xd6\x6e\xc8\x3e\x15\x22\x88\x82\xaa\x15\x72\x6a\x2c\x2c\xce\xc8\x83\x64\xcd\x67\xc9\x61\x82\x67\x07\x58\xa7\x8f\xdc\xc6\x2f\xcb\xa5\x5e\xed\xe4\x09\xfc\xe3\xde\x5f\xa0\x1d\xec\x76\x7e\x63\x5b\xf1\x0d\x4a\xce\xd1\x0c\x9b\x8e\x1c\xb7\xe2\xe0\x9f\x74\x16\x9b\xf3\x3b\xac\xb2\xe8\x5c\xd3\xb1\xc1\x9f\xf5\xd2\x2e\xb9\x62\x5d\x37\x5a\x28\xc9\x97\xc5\x5c\xb2\x32\x0e\xff\xe9\x6e\xf7\xd6\x50\x28\xc3\xf9\xef\xaa\x56\x5c\xb3\xf0\x90\x12\xe6\x1d\x14\x7d\x38\xa3\x96\xa6\x5d\xbb\x4f\x2f\x2d\x9c\x34\x36\x75\x20\x2a\xc8\xd2\x59\x31\x8c\x4f\xd2\x1c\x1f\xc6\xc7\xe9\x28\x1d\x6e\x0c\x15\xf0\x7b\x0c\x64\x04\x7f\x3e\x44\xfb\x24\xa8\x71\x55\x5e\xb6\xe8\x00\xc7\x71\x63\x29\x3d\x9b\x2e\x66\x8d\x31\x28\xa1\x00\xfb\x95\x21\xf6\x97\xfd\x74\x8f\x3c\xca\x9a\xc3\x7c\xac\x47\xf2\x3b\x5b\xe4\x6e\x18\x66\xe1\x1f\x32\x13\x0e\xcc\x2c\x2f\xcc\xf2\xd6\x62\x0e\xd7\xcb\x94\xe5\xb4\x19\xe4\x4d\x0c\xda\xa2\x38\x97\xca\x49\x2b\xa8\x96\xb0\x42\x2f\xa9\x4a\x7a\xc4\xf6\x06\x73\x8f\xb7\xf4\x1d\x66\x4b\xea\x9a\xfd\x91\x19\x74\x09\x38\x1c\x6d\xc7\xa2\xbb\xf8\xe9\x64\x81\x69\x73\xb6\x64\x5e\x61\x87\xe7\x3b\x48\x5e\xa7\x25\x31\x62\x16\xe8\x24\x1f\x31\xd3\x74\x9c\x8e\x36\x30\x62\x78\x7c\xc2\xdc\x86\x9a\x0f\x16\xef\xfb\x5b\xb4\x1b\xc2\xa2\x3d\x1f\x6c\xd1\x0e\xb1\xc9\x80\x8a\xdf\xa2\xff\x2b\xf9\x43\x12\x29\x1e\x90\xe2\x21\x09\x4d\x30\x34\xc1\xd0\x04\x43\x13\xdc\x35\x9a\xe0\x64\xc7\x48\x5e\x9b\x7e\x25\x0d\x6b\x31\x93\xd0\x62\x42\x8b\x09\x2d\x26\xb4\x98\xd0\x62\xb6\x5f\x8b\x99\x3c\x40\xfb\xd8\x44\x64\xdc\x82\x48\x0f\xba\x20\x92\xb9\x80\x6b\x3d\x35\x4a\x76\xb5\x6a\x2d\x09\xd5\x5a\xeb\x54\x6b\xc9\x8e\x57\xad\x6d\xc3\x5c\x13\xec\xfb\x0f\xd3\xa4\x0f\x73\x1c\xdb\xd0\x72\xeb\x6b\xaa\x52\x2a\x29\xa9\xab\xc6\xb7\xba\x5c\x84\xf4\xe9\x87\xd9\x7b\xfa\x88\x6c\xec\x18\x1a\xad\xaa\x3c\xba\xc4\xdb\x9b\xb6\xda\x8b\xee\x36\x76\xb7\x60\x5f\xf9\xe6\x96\xc8\x8b\x56\xea\x0c\xa6\x97\x9d\xb2\x11\x8f\x95\x5f\xde\x66\xd5\x42\xf5\x69\x0e\xbd\xc0\x5c\xc5\x15\x39\x35\x87\xa1\xff\xbe\xc3\xf5\x68\xc6\x83\xf4\x40\x15\x4f\x67\x40\x1e\xd1\xd6\x07\x54\x7f\xd2\x0d\xff\x27\x04\x77\x31\x44\x3c\x0d\x8a\x78\x3e\x56\x6f\xd2\x8d\x2a\x76\xa2\x81\xa4\x1b\x2d\xb1\x3a\x5c\x64\xd3\x62\xab\x93\xf8\x27\x77\xb9\xac\xce\xa1\x9a\x65\x34\x15\xe6\xe7\xc9\x82\xcb\x15\xd4\x6a\xe3\x03\xad\x4c\xb7\x19\x3f\x68\x65\xa0\x95\xd9\x62\xad\x4c\x1b\x67\xa3\xb5\x19\xfe\x1a\x4c\xbc\xf7\xb7\x21\x50\x5a\x93\x3c\x4a\x87\xd9\xa1\xc8\xa4\x85\x28\x76\x39\x11\x45\xf9\x19\xdb\xa0\x6f\xf9\x93\x21\xda\xeb\xb7\xf2\x11\x42\x0b\xf9\xbb\x2c\xe7\x60\x8a\x2d\xfe\xf5\x10\xfb\xd3\x7e\xd7\x47\xee\x13\xb5\xe8\x2c\xe4\x87\x8c\x07\x07\x75\x84\xd4\x22\xe4\x96\x5a\x38\xaf\x0f\x42\x8b\xca\xf7\xe7\xb9\xe0\xf7\x67\x92\xed\xaf\x36\x71\x72\xf6\xb0\x3b\x3c\x2c\x48\xc4\x01\x99\x05\x64\x16\x90\x59\x40\x66\x01\x99\x05\x64\x16\x90\x59\x40\x66\x01\x99\x05\x64\x16\x90\x59\x40\x66\x01\x99\x45\x9b\x65\x16\x87\x68\x92\xed\x8f\xec\xb5\x18\xc6\x1b\x9c\x0c\xc3\xb9\xbe\x83\xd2\x02\x4a\x0b\x28\x2d\xa0\xb4\x70\x28\x2d\x3e\xa0\x58\x19\x60\xd2\xc6\x2c\x38\xab\xe5\x8b\x6a\x26\xcb\xfd\x45\x8e\xb0\x3a\x33\xd6\x8b\xaf\x36\x15\x63\x8e\x73\x43\x5d\xb9\xaa\x69\xd7\x5d\xab\x46\x9d\xfd\xdf\x6f\x66\x1f\x1c\xa4\x47\x3d\xdb\xb2\x22\xc0\x8e\x54\x2f\x36\x7b\xc9\x3a\xc7\x33\xe2\x1c\x33\xce\x73\x44\x8f\x19\x47\x4f\x7b\x9d\x40\x46\x66\x55\x3f\xbe\xc3\x29\x22\xca\xd3\x02\xaa\xa1\x3c\x2d\xa0\x1a\xa0\x1a\xa0\x5a\x17\x41\xb5\x0e\x4a\xd7\xdf\x31\x50\x0d\x79\xe4\x01\xd5\x00\xd5\x00\xd5\x00\xd5\x50\x9e\x16\x89\xae\x6f\x1d\x90\xd5\xf1\x89\xae\xb7\x65\x79\xda\x1f\xed\xa1\x9c\x90\x5f\xa9\x94\xe2\xf2\xab\x17\xe8\x4d\xf4\xac\xaf\x6a\xd1\x1b\x77\x99\xb9\xbc\xaa\x33\xa4\x9a\x0a\xd8\x06\x14\x98\xbd\xf6\xff\x0f\x96\x6e\x3d\xcf\x9e\x33\x73\x78\x55\x81\x73\xa6\x02\xbe\xea\x25\x57\x66\xc9\x89\xfc\xf8\x9d\x41\xa0\x6e\xd0\xaa\x78\x1b\xc0\xe4\x4e\x88\x1d\x3b\x80\xca\x09\x88\x76\x9d\xb2\x94\x29\x53\xad\x3f\x43\x17\x5b\x32\x18\x20\x69\x47\x3c\x4f\x83\xf1\x3c\xdf\xee\xa5\xab\xc2\x66\x29\x74\x85\xdb\xac\x67\xa9\x55\xc3\x94\xd6\x44\xc0\xcf\x2a\xa5\xed\x80\x9f\x16\x9e\x2e\x2f\xca\xf0\x66\x48\x75\x94\xe1\x6d\xe1\xf9\x36\x5b\xa7\x77\xab\xcd\x71\xf4\x8b\xa3\x41\xe6\x78\xaf\x67\x61\xdf\x00\xd3\x9c\x14\x07\x55\x33\xcd\x76\xe5\xdf\xb6\x1a\x69\x94\x02\x06\x3a\x07\x3a\x07\x3a\x07\x3a\x47\x29\x60\x94\x02\x46\x29\x60\x94\x02\x86\x0b\x07\x2e\x1c\xb8\x70\xe0\xc2\x81\x0b\xa7\x29\x2e\x1c\x94\x02\x46\x29\x60\x94\x02\x46\x29\x60\x78\x48\xe1\x21\xdd\xe6\xa5\x80\xeb\x28\xd5\x5b\x23\xc9\x6e\x8c\x52\xd7\xc2\xbf\x9b\x9f\x14\xe5\x53\x44\x7b\xaa\x15\xfd\xd9\x88\x8f\x71\x2a\x56\x54\x37\xb2\xea\x0d\x9d\xfd\x28\x45\xfe\x67\x3f\xdd\xe7\xde\xf9\xca\x46\x3c\xf4\x80\xe5\xd0\xbc\x60\xec\x7f\x9e\xef\x1f\x7d\x42\x7a\x2f\x5d\xbb\x5f\x8a\x3b\x76\x69\x32\xf9\x5e\xa4\x24\x9d\x2a\x73\x4f\x1e\xa4\x03\xfe\x8e\x11\xf7\x5d\x6f\xc4\x63\x8e\x6b\x4b\xbe\xa3\x97\x16\xc4\x60\x4c\xd0\x09\x3e\x18\xa7\xa8\xe1\xd6\x44\x79\xa1\x38\x2f\x2f\x64\xb9\x89\x36\xd3\xde\x39\xe1\x07\x3a\x45\xf3\x0e\x3f\xd0\x66\x1a\xdc\xac\xa3\xe7\xcd\xc1\xaf\xc7\x51\x76\xd8\x1c\xe8\x5e\xe3\x4d\x7a\x78\x9c\x17\xe5\x4c\x9c\x92\x04\x90\xab\x0e\xe4\x92\x70\x08\xfb\x38\x84\x9b\x6e\x39\xff\x6a\x90\x26\x2c\xcb\xa9\xe9\x29\x25\x97\xcd\x67\xc6\x36\x26\x0c\x6b\x3e\x31\xc6\xdf\x1c\xe3\x06\x73\x05\x2d\x6d\xee\xa0\x16\x75\xf6\x99\x41\xf6\xf1\x7e\xba\xdf\x71\xcc\x15\x79\x4c\x68\x7f\xf5\xe0\xad\x53\x56\x93\x4b\x5a\x7a\xda\x6a\x32\x7a\x94\x47\x6d\xd9\xed\x5d\x12\xcd\xf9\xec\x3e\xaf\x15\xa7\x73\xb9\xb3\xca\x9a\xaa\x17\x94\x66\xd6\x6c\x6f\x51\xea\xa7\x0d\x7a\x93\xb0\xc0\x17\xe8\x3c\xb7\xc0\xdc\xc2\x57\x33\x70\x66\x3f\xc4\x64\xbf\xc6\x7c\x7a\xa2\x29\x52\xa3\x4c\xb0\xc9\x9b\x65\x09\xdb\xe4\x99\x17\x27\x0d\x9d\xcf\xa5\x39\x8c\x9e\xb8\x07\x64\x84\x42\xf0\x1a\x32\x42\xc1\x03\x0f\x0f\x3c\x3c\xf0\xdd\xe4\x81\x47\x46\x28\x64\x84\x82\xe7\x13\x9e\x4f\x78\x3e\xe1\xf9\xec\x08\xcf\x27\xd2\x3a\x21\xad\xd3\x76\xf1\xf5\x20\xad\x53\x2b\xd2\x3a\xfd\xf4\x15\x3a\x21\xb8\x9f\xf0\xfc\x5a\x09\x9c\xf2\x16\x53\x13\x99\xe3\xf9\xdf\x2f\x8d\x15\xb4\x74\x3a\xab\x17\xd7\xf9\xc2\x7c\x65\x3d\x9d\x51\x4b\x3a\xfb\xad\xcb\xec\xb3\x03\x74\xb7\x68\xc1\x8a\x42\x88\x57\x07\x80\x4b\x5a\x7a\xd6\x6a\x29\xc1\x5b\x8a\xc6\x8c\x43\x84\x03\x59\x86\x1c\x58\x68\x2f\xed\xb1\x7f\x87\xd3\x3e\xa4\x68\x02\xe5\x42\x8a\x26\x50\x2e\x50\x2e\x50\xae\x2e\xa2\x5c\x1d\x14\x46\xd1\x31\x94\x0b\xfa\x7e\x50\x2e\x50\x2e\x50\x2e\x50\x2e\xa4\x68\x82\x00\xf9\xd6\x81\x52\x1d\x2f\x40\xde\x96\x29\x9a\xd6\xe8\xbc\x50\x49\x9d\xa6\x05\xae\x92\x9a\xa1\x69\x3a\xee\xab\x92\x92\x61\x16\x66\xfe\x0f\x0f\x50\x54\x93\x38\xaa\xae\xda\xc2\xe2\x9c\x52\xf7\xe4\x71\xc6\x4a\x45\x74\x90\xf8\x2a\xf2\xb5\x9d\x15\x08\x6d\x97\x25\x43\xf6\xa2\x65\xe3\x62\xeb\x16\xf0\x32\x81\xb7\x9e\xa6\x73\x74\xa6\x4c\x9d\x7c\x94\x0e\x6f\xe2\x39\x21\x44\x1d\x29\x92\x1a\x54\xc4\xfe\x64\xaf\xef\x0b\x2e\xa4\xea\xe3\x5c\xaa\x6e\x58\x93\xe3\xb4\xb9\x51\x4a\xcb\x42\xfa\xbe\x48\x49\x5b\xfa\xbe\xe9\x46\x2f\x08\xfd\xfb\x19\x3a\xed\xd0\xbf\x6f\xb6\xd5\x46\xca\xe7\xd6\x64\xcd\xdc\x66\x30\x48\x4b\x1f\xfd\x9b\x91\x0a\xdb\x36\xe4\x99\xa4\xc8\xcb\xce\x4d\x89\x3d\x5d\x76\xce\x4e\x45\xd4\x4e\x8b\x87\x4c\x44\x20\xc4\x20\xc4\x20\xc4\x20\xc4\xc8\x44\x84\x4c\x44\xc8\x44\x84\x4c\x44\xf0\x54\xc0\x53\x01\x4f\x05\x3c\x15\xf0\x54\x34\xc5\x53\x81\x4c\x44\xc8\x44\x84\x4c\x44\xc8\x44\x04\x47\x20\x1c\x81\xdb\x3c\x13\x51\xab\xdd\x69\x75\x64\x3a\x4a\xbe\x99\x2e\xb3\xe7\x23\xcf\x59\x85\xcf\xa7\xe4\x07\x5d\xb8\x49\xf2\x69\x9e\xbe\x25\xac\xa7\xb4\x82\x3a\x12\xd6\xd7\x53\x57\x8d\x49\x0d\x7f\x6a\xaa\xb2\x26\xec\x6b\xa1\xa8\xf1\x8f\x63\x64\xa7\xa5\x86\x6f\x65\x7d\x74\xf6\x97\x97\xe9\xb0\x10\xe6\x17\x57\x94\x54\xcc\xec\x5f\xcf\x62\xcb\xa9\xdc\xba\x5e\x52\x8b\x45\x2d\xa7\xae\x18\x4b\xe5\x7c\x46\x67\x9f\xbc\xcc\xbe\x36\x40\x0f\x1b\x07\x4f\x3b\x8f\xb5\xf8\xfb\x78\x75\x79\xfe\x8c\x68\xf3\xbc\x96\x53\x13\xa2\x4d\xa1\xce\x3f\x5f\xde\xa0\x09\xe4\x2b\xf6\x87\x3a\x1f\xea\x7c\xa8\xf3\xe1\x7b\x81\xef\x05\xbe\x17\xf8\x5e\x3a\xc6\xf7\xd2\x39\xae\x05\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\xef\xae\x66\xde\x80\x72\x80\x72\x5d\x0a\xe5\xb6\xa5\x3a\xff\x9a\x48\xd5\x3c\xce\x53\x35\xf7\x9e\x3b\xcd\x4e\xd0\x31\x3a\xe2\x2b\x52\xe5\xf8\xca\x94\xa8\x56\x52\xa2\xa6\xe4\x2d\x2d\x04\xb3\xc6\x33\xec\xb4\x64\x8d\xbe\x3c\x4d\xe2\xc7\xca\x6b\xf4\xa8\x89\xfc\xbd\x9d\xd5\xd8\xda\x23\x96\x6e\xdf\x03\xa3\x49\xd9\xfe\x16\x80\x34\xc1\xbd\xce\xd2\x22\x25\xcb\x64\xfb\x53\x74\xb0\xd1\x07\x08\x31\x17\x34\xfb\x0d\x6a\xf6\x7f\xac\x97\x4e\x0b\x53\x32\x4b\x09\x6e\x4a\x8e\xd0\x26\x46\x22\x2d\x09\x5d\xfe\x02\x9d\xb4\x75\xf9\x9b\x6b\xf1\x69\x21\xca\x4f\xd2\x29\x87\x28\x7f\x73\x4d\x06\xd9\xba\xda\x6c\x59\xed\xa6\x2a\xd0\xea\x05\x8a\xf7\xdf\x33\x5a\xcd\xd6\x0d\x7a\xea\xf8\x3d\xec\x9e\x94\xf1\xfb\xda\x3d\xeb\xf8\x96\x5b\x40\xc8\xf8\x81\x92\x81\x92\x81\x92\x81\x92\x21\xe3\x87\x8c\x1f\x32\x7e\xc8\xf8\xe1\xd2\x80\x4b\x03\x2e\x0d\xb8\x34\xe0\xd2\x80\x8c\x1f\x32\x7e\xc8\xf8\x21\xe3\x87\xc7\x10\x1e\xc3\x0e\xf4\x18\x76\x74\x41\xe1\xb6\xa3\xeb\xe6\xcb\xee\x3f\x49\x34\x68\x8c\xb2\xb1\x0d\xdf\x14\xf8\x96\xc4\xfe\x9d\x14\x79\x4f\x3f\xdd\x91\xd2\x8a\xea\x95\x8d\x78\xe8\x5e\xcb\xe9\x67\x12\xef\x47\xc5\x2f\x33\x5a\x51\xbd\xe4\xc8\xcc\xd5\x1a\xa8\x7d\x8c\x8e\xd0\x54\x99\x5b\x2f\x4a\x43\xbe\x7e\x0a\xe3\xb2\x8d\x71\x20\xaf\x26\xf9\x8d\x1e\x3a\x2c\x46\xd6\x3e\x9a\xe0\x23\x6b\x84\xea\x38\x9e\x4e\x08\xe7\xcb\x21\x9a\xb4\x9d\x2f\xf5\xb5\x30\x2d\x9c\x2d\x53\x74\xd0\xe1\x6c\xa9\xaf\x89\xcd\xd6\xfc\x5d\x08\x1e\xc1\x03\xec\x49\x67\x11\x5f\x39\x46\x23\x11\xe9\x3d\x36\xaf\x04\xc5\x7d\x51\xdc\xb7\x41\xb7\xe8\x76\x8c\x56\x1a\xa6\x25\x59\x3e\xb8\x4a\xc5\x77\xc3\xa8\xf2\xef\xe6\xd8\xda\x7a\x89\x17\x93\xbf\x21\x8a\xc9\xbb\x3c\x2e\xd2\xda\xbe\xc4\x7e\x76\x98\xbd\x7a\x1b\xbd\xc1\xb3\x45\xc3\xe0\xfe\x5a\x8f\xfc\x08\xdb\x2a\x19\xe3\x61\x8a\xce\x32\xe3\x98\xce\xc8\x33\x79\x95\xad\x8f\x39\x96\x54\x53\xd6\x62\x6c\x90\xb7\x3a\x68\x3b\xbb\x5c\xde\x0b\xad\xa0\x5a\xc0\x54\x2f\xa9\x4a\x7a\xc4\xa6\x3c\x9c\x64\x49\x26\x90\x2d\xa9\x6b\xf6\x58\x1d\x74\x81\x59\x47\xdb\xb1\xe8\x41\x7e\xba\x69\xaf\x9b\xbc\x14\xaf\x76\xf5\x1d\x1e\x5f\x95\xbc\x2e\xfc\xf1\xe3\xdc\x1f\x6f\x7c\x4f\xa6\xe9\x38\x1d\x6d\x60\xa6\xc2\xf5\x50\x73\x1b\x6a\x3e\x58\x28\xf4\xb8\xb7\x7d\xdf\xc1\x6e\xe7\x17\x46\xd7\x5e\x0c\x36\xf0\x17\xd9\xb2\x59\xe1\xb8\xca\x58\x96\xe6\xbe\xda\x03\x72\x17\x7b\x47\xb8\x19\xc2\xcd\x50\xf2\x18\x1a\x01\x68\x04\xa0\x11\xe8\x1e\x8d\x00\x4a\x1e\xa3\xe4\x31\x7c\xb3\xf0\xcd\xc2\x37\x0b\xdf\x6c\x47\xf8\x66\x93\x0b\x74\x92\xcd\x45\x66\x2c\xba\x32\xc4\xb1\x8a\xbc\x8a\x6a\xcb\xb9\x48\xbf\xb1\x67\x2b\x31\x0a\xaa\x27\xc3\xb1\x85\xea\xc9\xdb\x27\x14\x8e\xfd\x9b\x61\x3a\x27\xb1\xe7\x7a\x49\xd3\x53\x4a\x2e\x9b\xcf\x8c\x6d\x4c\x88\xb4\x4c\x02\x75\xfa\x78\x91\x38\xb8\xd2\xf2\x25\x25\x57\xd0\xd2\xe6\xd1\x6a\x51\x67\xdf\x1d\x62\x3f\xec\xa7\xfb\x1d\x0d\x5e\x91\x0d\x86\x5e\x96\xc0\x33\x9b\x4f\x67\x37\xb2\xe9\x75\x25\xe7\x62\x9f\xd6\x9c\xf5\x94\xd5\xf6\x92\x96\x9e\xb6\xda\x6e\x0a\xee\x8c\x45\x8f\x08\x60\x69\x5f\xdf\xa5\x89\xb2\xd2\x33\x3e\xe7\x5f\xcc\xea\x9d\x5e\xb2\x79\x4b\xa0\x65\x26\x98\x49\xce\xb2\x84\xc9\x24\xed\x7e\x97\x08\xd2\xa7\xb7\x1d\xf4\x71\x42\xa6\x4c\xdb\xed\x4d\x47\xef\x62\xc4\x7b\x80\xc7\x52\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\xb6\x99\x53\x6e\x3f\x15\x18\xf0\x25\xf0\x25\xf0\xe5\x36\xc2\x97\xaf\x0c\xd3\xa4\xc0\x97\x2b\x1c\x55\x6e\x04\x30\xcb\x6b\xda\x8a\x25\xce\xfc\x6f\x43\xec\x2b\xfd\xb4\x83\x1f\x78\x65\x23\x1e\xfa\xc5\x5a\xc4\x98\x49\x6d\xa5\x23\x34\x97\x0f\xf3\xd3\x25\x8c\x7f\x9c\xc2\xfc\xa4\xb6\x02\x3e\xd9\x80\xa8\xf2\x54\x30\xc0\x7c\x8a\xed\x96\x00\x93\x8f\x18\x89\x2e\x93\xda\x0a\x44\x92\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x5b\x09\x1f\xc7\x29\xc6\x46\x22\x51\x0b\x3e\xde\xe3\x14\x49\x26\xb5\x95\x4a\x2d\x24\x70\x25\x70\x25\x70\x25\x70\x65\x0b\x71\xe5\x07\x86\xe8\x80\x54\x5b\x1a\x0b\x41\xaf\xf0\x72\xa7\xf0\x52\x92\x88\x6c\x4a\xd5\xd9\x77\x06\xd9\x37\xfa\xe9\xa1\xb2\xe3\xac\x1c\xd6\x1b\xb5\xe9\x2a\xa7\x97\x16\x96\x45\x8b\x4d\x92\x52\x0e\x0b\x29\xa5\xfb\xaa\x64\x3e\x6c\xfb\x64\xd0\x4d\x7a\x73\x49\x35\x18\x3b\x26\xd8\x89\x8a\xac\x32\x02\x3d\xda\xdd\x6b\xa6\xf0\xf0\x1e\x54\x50\x4d\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x76\x24\xb8\x04\x24\x04\x24\x04\x24\xec\x62\x48\xf8\xda\x65\x3a\x2c\x20\xa1\xc8\x3c\x5e\x25\x91\x6f\x41\x4b\xa7\xb3\x7a\x71\x9d\xaf\xc9\x57\xd6\xd3\x19\xb5\xa4\xb3\x1f\xbb\xcc\x5e\x19\xa0\x9d\xe2\xe0\x2b\x1b\xf1\x50\x5c\xcc\x15\x8b\xf2\x2b\x67\x9a\x41\x53\xd2\xb8\xa4\xa5\x67\xad\x46\x12\xbc\x91\xe8\xb0\x71\x88\x48\x5b\xee\x94\x17\x7a\xec\xda\xe1\x58\x2f\x01\xac\x05\xac\x85\xc2\x86\xc0\x5a\xc0\x5a\xc0\x5a\xdd\x83\xb5\x3a\xa8\x6e\x5f\xc7\x60\x2d\x14\x94\x03\xd6\x02\xd6\x02\xd6\x02\xd6\xda\x8a\x82\x72\x5d\x4d\xa1\x50\xf1\xaa\x9b\x2b\x5e\x25\xb6\x21\x85\x4a\x5e\xa5\x33\x42\x0e\x35\x4f\xb3\x5c\x0e\xc5\xab\x33\xf9\x96\x31\x92\x75\xfd\x36\xe2\x31\x0f\x46\xb4\x98\xd5\x83\xb5\x50\xcf\x06\x6b\xa1\x0e\xb0\x7d\x52\xe9\x24\x4e\x27\x85\x50\x1e\x67\x74\xc5\x64\x56\xa9\x99\xc4\xa5\x4f\x91\x5f\xde\xe9\xc4\x65\xbb\xac\x2a\x58\x5e\x64\x6c\x8f\xd8\xda\x5e\x36\x26\x50\xd6\x22\x25\xe9\x54\x59\x7d\xac\x83\x74\xa0\xb1\x67\x82\xd2\xe7\x41\xa5\xcf\x51\xdd\xc9\xa7\xba\xd3\x3b\x7a\x7d\x5f\x66\x5a\x10\x46\x23\x41\x27\xb8\xd1\x98\xa2\x86\x07\x28\x9d\x15\xe5\xd8\x4e\xd2\x9c\x5d\x8e\x6d\x33\xed\x9d\x13\xc5\xd9\x4e\xd1\xbc\xa3\x38\xdb\x26\x1a\xac\xb5\x22\x5b\xeb\x0c\x5b\xf4\x4f\x46\x9c\x86\x6b\x48\x56\x3b\x75\x94\x8e\xd5\x56\x3d\x8d\xd8\x7e\xb1\xa7\x69\xc4\x66\xac\x03\xda\x69\xce\x2e\xd0\x79\x5a\x72\x9a\xb3\x68\x82\x4e\x34\xa0\xb7\x9d\xe5\xf7\x72\x8e\x5f\xa8\x0e\xd4\x0b\xd4\x0b\xd4\x0b\xd4\xdb\x45\xa8\x17\x13\xb9\x80\x89\x5c\xe7\xb0\xf0\xdf\xef\xa5\xff\xd2\xcb\xbe\xd5\x1b\xfa\x86\xf5\xa8\x7e\xa9\xf7\x82\x73\xf5\x99\xcd\x87\x75\xb1\x82\x0c\xaf\xa8\xab\xc2\x71\x6c\x51\x1a\xfb\x93\x25\xdf\x12\xde\x59\x8e\x29\x63\x5e\xcb\x8f\xe6\xd5\x8c\xc2\x1f\x89\x5c\x80\x3a\xa7\x96\x82\xd7\x5a\x83\x41\xce\x17\xb2\x6b\x6b\x6a\xda\x98\xbc\xe6\x6e\xda\x1e\x5d\xdb\xb4\x67\x73\x23\x72\x5d\x2a\x4a\xb8\x67\x8a\x4a\x8a\x8f\x93\xac\x96\xb6\x3e\x3c\xf6\xc7\x81\x3b\xcb\xcd\xe7\xb2\xae\x1b\x17\xe9\xec\x28\xc5\x38\xd2\xbc\x21\x79\x92\x55\xf1\xbe\x99\x4d\xc4\xc4\x75\xae\xa9\x4a\xde\xf3\x1a\x23\x8c\x5f\xc2\x12\xbf\x02\xaf\xf5\x36\x5c\x0e\x70\x39\xc0\xe5\x00\x97\x03\x5c\x0e\x5d\xed\x72\xf8\xad\x5e\xfa\x72\x2f\x7b\xad\x37\xf4\xaa\xf5\xb5\x7d\x7f\xef\xac\x23\xea\xb5\x90\x53\x15\x5d\xb5\x5e\xfd\xa5\xa2\x56\x50\x32\xfc\x3b\x2c\x56\xc6\x2e\xc1\x91\xf9\xb8\xed\xb0\x59\xe3\x81\xc7\x63\x93\xb1\xf0\xb2\xb0\x23\xe2\x23\x59\x50\xf3\xc6\x30\xb5\xbf\x22\x6a\x58\x2b\x16\xae\x2a\x79\x53\x00\x55\x5c\x57\xc7\x56\x95\x9c\x39\xfb\x8f\x88\xad\x91\xf0\x6a\x36\xaf\xe4\xb2\x7f\xc7\x34\xdf\x2b\x6a\x58\x49\x73\x7e\xaf\x8d\x09\x9c\x9b\xb6\xa7\x96\xa2\xf1\x41\xdd\x3e\x48\xcc\xb7\x63\xe1\xb9\x2c\x37\x49\x8e\x0b\xd7\x8a\x95\x77\x66\xfb\x4c\x4a\x62\xba\xcf\x67\x7f\x5a\xe9\x6a\x2c\x72\xaf\xb8\x9e\x59\xf3\x46\xdc\x4a\xaa\x77\xf6\xd3\x3b\xfa\xd9\xdb\xfb\x43\x7f\x6b\xc9\xe9\xbe\xda\xf7\x8c\xb4\x83\xc6\x10\xbd\xaa\xdd\x08\x67\x94\xe2\x8a\x92\x71\x81\x08\x6b\xa2\xa6\x16\x57\xb5\xe2\x9a\xd1\x17\x9e\x57\x7a\xae\xec\xe4\xfe\x17\xca\xa7\x35\xe6\x9c\x44\x40\x10\x63\x44\xa4\xd5\x54\x36\x6d\x4f\xac\xf9\xb7\x91\x2f\x73\xac\xde\x35\x3e\x4e\xf2\xcb\x61\x7e\xfd\x62\x8e\x6e\x34\xed\xa6\xe5\xa8\xb0\x44\x74\xee\x93\xc5\xc2\x02\x22\x71\x5b\xec\x9c\xad\x0e\x8a\x7b\x18\x34\xd6\x3c\xfc\x2f\xf7\xc0\xd0\x0f\x87\x07\x13\x4a\xea\x7a\xa6\xa8\xad\xe7\xd3\xc6\x5e\x5c\xbd\xc6\x77\x2a\xeb\x38\x31\x59\x91\x33\x20\x77\x23\xe6\x1d\xac\x58\x2d\x1d\x0e\x0f\xce\x6b\x45\xd5\xd1\x6c\x38\xa5\xe8\x29\x25\x6d\xdc\xbd\xec\x1f\xa1\x57\xe4\xed\xe9\x62\x3a\x5d\xd1\xe0\xaa\xd5\x46\x2c\x72\x5f\xa1\x7c\xdc\x38\xe7\x36\xf0\xe8\xc1\xa3\xd7\xa5\x1e\xbd\x64\x86\x16\x05\xe8\x9e\xa3\x19\x0e\xba\x8f\xd2\x61\x3a\xd4\x00\xbc\x5c\x2e\x29\xa5\x75\xbd\x49\xce\x31\x27\x1b\xae\x95\x27\x5f\x8b\x7a\xe3\xeb\xfb\xd9\x7d\xc2\x50\xd8\x46\x9c\xb6\x61\x8a\x1c\xf6\x1f\xaf\xd0\xac\x47\x81\x33\x5f\x49\xbd\x6f\x55\xb3\x77\x5d\x61\x5f\x19\xa0\xbb\x5d\x55\xcd\xe2\xa1\xfd\xd5\xb5\xf5\x3e\x95\xad\xa2\x13\xc6\x61\xce\x02\x64\xc1\xb5\xc7\x20\xb4\x87\xd0\x1e\x42\x7b\x78\x5f\xe0\x7d\x81\xf7\x05\xde\x97\x8e\xf1\xbe\x74\x8e\x73\x01\xd4\x1b\xd4\x1b\xd4\x1b\xd4\x1b\xd4\xbb\xab\xa9\x37\xb0\x1c\xb0\x5c\x97\x62\xb9\x6d\x29\xb4\x7f\x0b\x5d\x12\x28\xf1\x1c\x9d\xe1\x28\xf1\x24\xcd\xd1\x8c\xaf\x24\xd5\xc1\x9f\x62\x1b\xf1\x58\x95\x42\xf5\x81\x50\x31\x40\x16\x7f\x6d\x25\x18\x3a\x1e\x67\x47\x37\x51\xd5\x3d\x4e\x91\xbf\xda\x59\x81\xd4\xc2\x96\xfe\xde\x8f\x9e\xed\x13\x7b\x6c\x11\x3f\x13\xb8\xeb\x22\x2d\xd3\xd3\x65\x62\xfc\x69\x3a\xbe\xc9\xe7\x06\x31\x17\x54\xf9\x0d\xaa\xf2\xdf\xdf\x4b\xe7\x85\x21\x39\x4d\x0b\xdc\x90\xcc\xd0\xe6\x07\x24\x3d\x23\x54\xf8\x4b\x74\xd6\x56\xe1\x37\xa5\xe1\x37\x0a\x39\xfe\xd3\x74\xce\x21\xc7\x6f\x4a\xcb\x8d\xdb\x3d\x21\xd8\xaf\xcd\xee\xd5\x6e\xe4\x3c\x2c\x64\xf4\x9d\xa3\x15\x76\x6f\xc4\x53\xbe\xef\x67\x03\x8f\x89\xbd\x5d\x36\xd0\x4b\xc7\xdf\x1e\x6b\x08\x2d\x3f\x68\x32\x68\x32\x68\x32\x68\x32\xb4\xfc\xd0\xf2\x43\xcb\x0f\x2d\x3f\xbc\x1a\xf0\x6a\xc0\xab\x01\xaf\x06\xbc\x1a\xd0\xf2\x43\xcb\x0f\x2d\x3f\xb4\xfc\x70\x1a\xc2\x69\xd8\x81\x4e\xc3\xb6\x6b\xf9\xeb\x10\xdc\xb7\xc3\x05\xb7\x1d\x45\xfd\xaf\x0c\xd1\x7e\x21\xea\x2f\xae\x28\xa9\x98\xd9\xc7\x65\xa5\x34\x65\x15\xcd\xa2\x96\x53\x57\x8c\x85\x72\x3e\xa3\xb3\xbf\x18\x64\x7f\xd8\x4f\x0f\x18\x87\x4d\x3b\x8f\xba\xb2\x11\x0f\xdd\xa8\xad\x86\xe6\x79\x2d\xa7\x26\x44\x7b\x4d\x2a\xa2\x39\xc9\x0f\x38\x5f\x7e\x4d\x97\xe2\x8e\x53\x2d\x66\xf5\xd2\xbc\x56\x9c\xce\xe5\x2c\xb6\xaf\x77\x78\x48\x40\xf2\xba\x7f\x9e\xa8\xa6\xd7\xda\x34\xdf\xae\x5a\x6a\x5d\x5e\x4b\x07\xbf\x56\xd3\xec\xb8\x7c\xad\x7c\x87\x98\x7c\xc9\x1c\x0f\xc9\xfd\x62\x21\x22\x02\x11\x11\xa8\xa8\x09\x1f\x16\x7c\x58\xf0\x61\x75\x8f\x0f\x0b\x15\x35\x51\x51\x13\xbe\x03\xf8\x0e\xe0\x3b\x80\xef\xa0\x23\x7c\x07\xa8\xa8\x89\x8a\x9a\xdb\x85\x96\xa2\xa2\x66\x2b\x2a\x6a\x7e\xe9\x79\x8a\x08\x5c\xa8\x97\xb4\xa2\x92\x51\x1d\x8c\x30\xa5\x67\xd3\xc5\xac\xf1\x00\xd9\x07\x9e\x67\xef\x18\x20\x92\xfb\x5c\xd9\x88\x87\x06\xab\x67\xf7\x98\x59\x5e\x98\xe5\xc7\x46\x5f\x6f\xec\xb8\x2c\x0e\xbc\x14\xb7\x7e\xef\x70\x40\x87\x9c\x1d\x20\x54\xc8\xd9\x01\x42\x05\x42\x05\x42\xd5\x45\x84\xaa\x83\x44\xc4\x1d\x43\xa8\xa0\x6e\x05\xa1\x02\xa1\x02\xa1\x02\xa1\x42\xce\x0e\xc8\xef\x6e\x1d\xa0\xd4\xf1\xf2\xbb\x6d\x99\xb3\xe3\x0a\xcd\x0a\xfd\xd2\x51\x3a\xcc\xf5\x4b\xfb\x69\x2f\xc5\x7d\xe3\xd6\x4d\xea\xb4\x11\x8f\x59\x68\xa8\xa6\x0c\x1d\xcf\x04\xeb\x94\xf6\xb1\x09\xa9\x53\x72\xb3\x2d\x29\x4e\xb2\xce\x57\x5f\x45\xcc\xbf\xdc\xe1\xe2\x60\xcc\x4a\xc9\x61\x23\xaf\x37\x88\xdf\x5a\x08\xbd\x04\xa3\xe2\x29\x01\xca\x12\x6d\x8c\xd1\x68\x5d\x9d\x8d\xb8\x4a\xa4\xd5\x68\x30\xad\xc6\x1f\xf5\xd0\x09\xf1\xae\x1f\xa2\x49\xfe\xae\xc7\xa9\xde\xe1\x47\x73\x22\x89\xc6\x31\x3a\x62\x27\xd1\x68\xa0\x99\x79\x91\x32\xe3\x38\x1d\x75\xa4\xcc\x68\xa0\x9d\x0e\x34\x3b\x3c\xf3\x46\xf4\x37\x47\x5c\x66\xe7\x31\xcf\x8c\x18\xb6\x09\x8a\x88\xed\xb6\x09\xb2\xf6\x6b\x95\x31\x42\x9e\x0b\x10\x58\x10\x58\x10\x58\x10\x58\xe4\xb9\x40\x9e\x0b\xe4\xb9\x40\x9e\x0b\x78\x02\xe0\x09\x80\x27\x00\x9e\x00\x78\x02\x9a\xe2\x09\x40\x9e\x0b\xe4\xb9\x40\x9e\x0b\xe4\xb9\x80\xa3\x0d\x8e\xb6\x2e\xca\x73\x51\x1b\x71\xf6\x48\xaa\x1c\x40\x9f\x9b\x9f\x7a\xe2\x0f\x76\x0a\x2d\xb9\x57\x09\xc9\x97\xc6\x4c\x9b\xcc\x3e\xb3\x33\xf4\x83\x3e\xba\x23\xa5\x15\x39\xc9\xde\x53\x54\x0b\x39\x63\x09\x6a\xee\x60\x3e\x60\x7b\xee\x6b\xa5\x75\x88\x3e\x26\x77\x9e\xd1\x8a\xaa\x23\xb1\xfd\xbc\x3c\xb4\xc9\x48\xfb\x04\x1d\xa3\x23\x65\xfe\xb5\x11\x8a\xfa\x7a\x14\x8c\x5b\x32\x46\x81\x75\x5d\xc9\xf7\xf6\xd0\x51\x31\xb2\x0e\xd0\x3e\x3e\xb2\x62\x54\x57\x0b\x94\x10\xfe\x91\xc3\x74\xc8\xf6\x8f\xd4\xdb\x46\xd0\x70\x7c\xd4\x7b\x38\xde\xce\xfa\x0b\xeb\x25\xba\x76\x3a\x78\x04\x0e\xb1\x01\x39\xea\x22\x11\x39\xd2\xec\xd3\xbb\x32\x3f\x00\x6f\x55\xc7\x5b\x49\xb8\x1b\x7d\xdc\x8d\x07\x68\x1f\x9b\x88\x8c\x5b\xc9\x78\x1e\xe4\x5d\x20\x9f\x87\x35\xda\x22\xfd\xc6\xcf\x2d\x4d\xb1\xf3\x6a\x2f\xdd\x2e\x62\x66\xd8\xbf\xed\x65\xbf\xda\x4b\xfd\xc6\x7f\x42\xa1\x8c\x5a\x72\xac\xe7\xa7\x97\x16\xac\xb9\x50\xf4\xee\x8c\x5a\x9a\x5e\x5a\x90\x1f\xc8\xe6\x65\xa7\x99\xaa\x68\x68\xaa\xa2\xa1\xa9\x5a\x1a\x4a\xae\xd5\x55\x22\xa1\xca\x27\x70\x7a\x69\xe1\xa4\x61\x0a\x6a\x51\x71\xb0\x77\x46\xe9\xa2\x2c\x41\x9c\x5e\xcb\xf2\xe0\x90\xa2\x9a\xc9\x1a\x93\x4b\x77\xc2\xa2\x15\xb5\xa4\x98\x59\x8b\xd6\xd6\x4b\x8a\xb1\x08\xb8\xa1\xae\x5c\xd5\xb4\xeb\x2e\xcf\x92\xf9\xb9\x61\x1f\x19\x66\x5f\xbd\x8d\x1e\xf5\x6c\xf6\x8a\x6c\x2f\xf4\x6b\x3d\x72\xc6\xe1\x48\x66\x94\x37\x57\xb4\x66\x28\xd3\x19\x79\xba\x67\xc4\xe9\x66\x9c\xa7\x6b\x4a\x96\xa3\x11\x1b\x69\x71\x6c\x27\x01\x48\xb6\xa4\xae\xd9\xaf\xf5\xa0\x8b\x42\x3b\xda\x8e\x45\x45\xd8\xd2\xb4\xd7\x9d\x5e\x12\x37\x5a\xed\x16\x3a\x3c\x10\x6b\x4b\x32\x25\x3d\xee\xfd\x41\xdc\xc1\x6e\xe7\x17\x46\xd7\x5e\x0a\xfe\x24\x3e\xc7\xde\xe8\xf8\xf0\xf1\xc7\x60\x95\xbb\xa8\x32\xd6\xe5\xd7\xb3\xda\x13\x43\xfa\x24\x04\xa7\x21\x7d\x12\xa4\x11\x90\x46\x40\x1a\xd1\x4d\xd2\x08\xa4\x4f\x42\xfa\x24\xb8\xa4\xe1\x92\x86\x4b\x1a\x2e\xe9\x8e\x70\x49\x27\x17\xe8\x24\x9b\x8b\xcc\x58\x48\x6a\xc8\x89\xa4\xaa\x2d\xe1\x5a\x4f\xa9\x90\x89\x09\xfe\x3c\x64\x62\xda\x3e\x81\x73\xec\xa3\x77\xd2\x94\x44\xa1\xde\x39\xdb\x05\x02\xd5\xd5\xdc\xaa\xbe\xce\x0d\x5c\x71\x3d\xa7\xea\xc6\x1a\x44\xbd\xa1\xb3\xff\x46\x91\x6f\xdf\x46\x0f\x2a\x65\x99\xdb\x05\xe7\x7c\xdc\x0a\x52\x5b\x56\x73\xab\xcb\xe2\xf0\xf3\xc6\xe1\xe7\xf9\xe1\xd1\x71\xab\x6c\xb4\x33\xc7\x3a\x3f\xd8\xfb\x88\x26\x7b\xda\xde\x44\xcf\xd2\x33\x65\x9e\xb6\x93\x34\x57\xad\xdc\xad\xa3\x8b\xe4\x6d\xc6\xbc\x2f\x35\xf9\xf1\x5e\x51\x51\x77\x9c\x57\xd4\xed\x3d\x77\x9a\x13\xc3\xe6\x34\x4e\x2f\x08\xff\xdc\x25\xba\x60\xfb\xe7\x9a\xd8\xfc\x65\x11\xd7\xf4\x0c\x5d\x74\xc4\x35\x35\xb1\xfd\xcd\x16\x04\xd6\x82\x41\xe8\x22\x4b\xda\x55\x18\xfc\x32\xc5\xfb\x5c\x5e\x05\x41\x85\xff\x10\xfe\xc3\x06\xfd\x87\x4d\xf7\x03\x7e\x69\x88\x0e\x5a\x16\xdb\x2c\x2f\x32\xb6\x31\x61\x8c\xd4\x09\xe9\xab\xba\x6a\x95\x19\x29\x68\x69\xc5\x2a\x33\xa2\xb3\x1f\x1f\x62\x6f\xbd\x8d\xee\x77\x15\xba\x16\x47\x86\x5e\xee\xa9\xad\xda\x86\x4f\x09\x93\x26\x55\xde\x48\x08\xaf\x92\xa3\x88\xb6\xb8\x3c\x9f\xb3\xa2\x08\x47\x13\x8b\x70\x64\x82\xad\xea\x2c\x4b\x6c\xa2\xb6\x8d\x78\x94\x70\x24\xc1\x91\x04\x47\x12\x1c\x49\x70\x24\xc1\x91\x04\x47\x12\x1c\x49\x70\x24\xc1\x91\x04\x47\x12\x1c\x49\x70\x24\xa1\x0e\x07\xbc\x3f\xf0\xfe\xc0\xfb\xd3\x36\xef\xcf\xcf\xf5\xd1\x1e\xc1\x12\x57\x73\xda\x0d\xc3\x18\x17\xb5\x5c\xcc\x5a\xdc\x97\x7b\x81\xd8\x9f\xf7\xb2\x3f\xed\xa5\x5d\x8e\x9d\xa7\xcd\x7d\x2d\xaf\xcf\x43\xee\x80\x04\xeb\xf6\xa2\xd1\x8c\x5a\x9a\xf7\x38\x52\x7a\x7c\xa6\x97\x16\xcc\x25\x60\x27\x46\x2a\x14\xe8\xa2\x80\x73\x67\x69\x91\xc3\xb9\x79\x9a\xa5\x44\x63\x91\x0a\xe6\x7d\xd6\x14\xac\xf0\xe7\x7b\xe8\x7c\x70\x69\x65\xf1\x80\xca\xe3\xdf\xf8\xdf\x2f\xb9\x0a\x2e\x9b\x91\x0a\x3f\xb3\x87\x7d\xa4\x8f\x1e\xf6\xaa\xbb\x2c\x9e\xe3\x63\x45\x55\x49\x97\xf1\x04\x47\x65\xdd\x68\xdc\xd8\xee\x51\x22\x99\x1f\x6d\xd1\xd8\xb4\xe3\x90\xe6\x7a\xef\x92\x57\xfc\x39\x6a\x5d\xc9\x40\x79\xb7\x9a\x0e\x2b\xc7\xe5\x9a\xec\x34\x1b\x8c\x45\xe7\xd9\xac\x9f\xea\xbe\x9e\x62\xc5\x55\x42\xe2\x32\x6a\x89\x42\x2f\xef\xac\xf6\xc0\x9e\x30\x43\x1a\xfd\x9f\xd9\x3e\xb9\xcb\x16\x3e\xb6\xc4\x49\x9a\xa3\x99\x32\xa7\x6b\x23\x8f\x07\x29\xab\x90\x42\xb4\x41\x9f\xdc\x2f\xf6\x34\xc7\x42\xd0\x82\x70\xc3\x27\xe8\x84\xed\x86\x6f\xb0\xa9\x4d\x46\xcb\xd6\x66\xa4\x36\x57\x40\x5d\xd8\xb5\xe8\xaf\xdd\x5b\xcd\x0a\x3d\x20\x33\x4d\x28\x2e\xc3\xb3\x57\xfc\xba\x95\x76\xa7\x35\x99\x42\x61\x84\x02\x8c\x10\xb2\xd5\xb5\x25\x5b\x1d\xd2\x14\x21\x4d\x11\xd2\x14\xb5\x2a\x4d\x51\xf2\xd3\x3d\x4d\xce\xd5\x72\x5e\x28\xec\x4e\xd3\x82\x43\x61\xd7\xe2\xfc\x2f\x61\xef\x29\xc4\x4e\x76\x87\xe8\xa6\x76\xce\x22\x12\xff\xe7\x5d\xd5\x66\x11\xd1\x82\x52\x2c\x65\xb9\xf3\x59\x10\x8f\x2a\x8b\x9a\x89\x82\x52\x4a\x5d\xdd\xa2\xa9\xc5\x23\xe5\x0d\x8d\xf2\xab\xd9\xc3\x51\xc3\x2e\xe7\xc6\x35\xb5\x98\x51\x9d\x5b\x07\x9c\x5b\x79\x3c\xb6\x9a\xc9\xa6\x46\x2b\xf6\x73\xb5\x62\xfc\x7d\x53\x6e\x35\xae\x32\x71\x96\x16\x29\x59\xb6\x9c\x9a\xa2\x83\x0d\x8c\xa2\x25\xae\xd5\xc0\x84\x26\x60\x42\xf3\xd1\x3e\x7a\xa5\x8f\x7d\xb8\x2f\xf4\x41\xeb\xab\xf0\x72\x5f\xf7\xac\xaa\xca\xdc\x5b\x46\x3f\x73\xb9\x06\x77\xc1\x1a\x83\xd3\x16\x6d\x0d\xf9\x0c\xdc\x61\xfe\x71\x13\xea\x1e\x25\xc7\x8f\x34\x66\x71\xe2\x68\xbe\x07\x9f\x51\xe9\xe1\xa1\xa4\xae\xe5\x97\x84\x7a\xe9\x8c\xf1\x5a\xc8\xbf\x97\xcd\x97\xc5\xfe\x71\xd8\x7f\xb9\x97\xf8\x72\x0f\xbd\xd6\xc3\x5e\xed\x09\x7d\xde\x22\xb3\x1f\xea\x99\xd7\x8a\x29\x3e\xd9\xcb\x68\xbc\xdb\xb5\x70\x64\xd5\xf8\x29\x12\x9e\x76\xdd\x05\x67\xee\x62\x5e\xb6\xae\xdb\x3a\x8d\x51\x25\xc5\x6f\x9c\xab\x5f\x72\xd9\x94\xfc\xee\xaa\xb9\xb4\x1e\xd6\x6e\xc8\x3e\x15\xea\x90\x82\xaa\x15\x72\x6a\x2c\x2c\xce\xc8\xe5\x66\xe6\xb3\xe4\xec\xdb\xb3\x03\xac\xd3\x47\x6e\xe3\x97\xb5\x99\x6a\x37\x0d\xaf\x39\xdb\xf7\x39\xa8\x92\xfb\x82\xf7\x07\x25\x0f\xd2\x01\xb6\x2f\x32\x61\x05\x3d\x3d\xe4\x0c\x7a\x72\xb4\x5d\x19\xe3\xf4\x66\xba\xcc\x9e\x8f\x3c\x67\x1d\x39\x25\x67\xe2\xe2\x0d\xcd\xa7\xb9\x40\x3c\xac\xa7\xb4\x82\x3a\x12\xd6\xd7\x53\x57\x8d\x37\x83\x4f\xf2\x55\x65\x4d\xcc\x91\x0a\x45\x8d\x4f\x70\x23\x3b\x2d\xaa\xda\xd2\x5c\x3f\xff\x34\x46\xe7\xea\x48\x50\x53\x53\x6a\x9a\xcf\x8f\xb2\x77\xf4\x07\xa5\xa6\x19\xf3\x80\xbe\xd5\x22\xca\xa2\x47\x8c\x03\xb6\x3c\x09\x8c\x00\xc2\x6f\xeb\xa1\x55\xf1\x5e\x5c\xa1\x17\xf8\x7b\xf1\x0c\x5d\xa4\x65\xff\x90\x05\xcf\xbe\x35\x5f\x94\xaa\xb9\x50\x1a\xa7\x35\x19\xb5\x54\x6b\x22\x97\x26\xe5\x6d\xa9\x78\xd9\x42\xff\x9c\x82\xc6\xc1\x84\x37\x4b\xae\x3a\x14\x8e\xcb\x63\x3a\x63\x34\x24\xb2\x94\x21\xb5\x6c\x62\xd4\x9a\xd1\x80\x39\x13\x48\x74\x83\x24\xfa\x4f\xdb\x67\xb2\xae\x0b\x56\x9d\xa6\x15\x9b\x55\x77\xa0\x7d\xe4\x34\x7b\x6b\xed\x63\xf4\xfb\xf7\x06\xd9\xc7\xa7\x2c\xca\x5d\xd5\x24\x1e\x13\xbb\x75\x88\x45\x04\x01\x07\x01\x07\x01\x07\x01\x07\x01\x07\x01\x07\x01\xf7\x26\xe0\x5b\x9b\x62\x33\xf1\x23\xaf\x0b\x9a\x79\x1c\x0e\x20\xe3\x55\xe7\x23\x47\x0b\x1d\x91\xb3\x15\xd4\xbc\xeb\x26\x41\xa0\xe6\xa0\xe6\x5b\x4c\xcd\x3b\x08\x0f\x6e\xed\xfa\x36\x18\xb6\x77\x70\x86\x31\xf6\x4f\xf6\xd0\x99\x60\x3d\x74\x3d\x52\xe8\xcf\x47\xd9\xcf\xf4\xd1\x03\x5e\xde\xe8\x40\x15\xf4\x88\x8f\x0a\xba\x1d\x02\xe8\xe7\xe8\xb8\x18\xcf\x07\xe9\x00\x1f\xcf\xe3\x14\xa3\x91\x20\x37\x50\x5d\x1e\xa0\x74\xf0\x40\x9d\x66\xc7\x37\xe7\x01\x0a\x94\x3d\xff\xc1\x0e\x9f\x87\x53\x83\xe2\x79\xcc\x5f\xf1\xdc\x0e\xd1\x61\x82\x4e\xd0\xb1\xb2\x79\x46\x9d\xcf\x08\x73\x0b\xd0\xe5\x06\xe9\xf2\xfb\x7b\x36\x6f\x21\x66\x05\x36\x36\x16\x66\x16\x36\xbe\xf5\xec\x4c\x61\xbd\x44\xd1\x4f\xde\xeb\x63\x67\xbc\x35\xcd\x31\x5f\x4d\x33\xe4\xcc\xb7\xac\xad\x01\xcc\x05\xcc\x05\xcc\x05\xcc\xdd\xf6\x30\xd7\x37\x76\xb2\xe3\x29\x6f\x7b\xe7\x0c\x81\xc8\x38\xf1\x4f\xef\xf2\x99\x36\xd4\x23\x62\x1e\xf5\x13\x31\x43\xbf\x0c\x12\x0b\x12\x0b\x12\x7b\x2b\x91\xd8\x5b\x06\x5c\x41\xb5\xec\x24\xb3\xff\x6f\x94\x4e\x37\x21\x53\x85\xc5\x65\xdf\x1b\x65\x3f\x51\x35\x45\xc5\x43\x3e\x70\x36\x1a\xad\x3d\x37\x45\x93\x99\xec\x1b\xeb\xab\xbc\x5c\x21\xcd\x0f\x1c\xd8\x2b\xc1\x03\xfb\x38\x3b\x6a\x8f\xdb\x4a\xfc\x1f\x38\xe8\x83\x78\xec\xd7\x76\x54\x7b\x28\x21\x7f\x28\x1b\x1d\xad\x2b\xff\xc4\x16\xd7\xd5\xae\x0c\x9b\xc0\xdc\x02\x24\xb6\x31\x12\x5b\x6f\x45\xf6\x4a\xbb\x50\x7f\x45\xf6\xfa\x6d\x4b\x80\x2a\xb7\x36\xd3\x53\xc7\x37\xd5\x43\x7a\xfb\x91\xaa\xc9\x25\x5e\xe7\x02\xb1\xd1\x91\x7a\xb2\x4a\x80\xbf\xde\x0a\x16\x06\xfc\x15\xfc\x15\xfc\x15\xfc\x75\xdb\xf3\xd7\x8e\xc7\xac\x4d\x5a\x89\x6c\x6a\x3a\x50\x03\x7d\xfd\x47\x55\xf3\x48\xec\xae\x01\xc1\x46\xf7\xd4\x91\x40\x02\xe4\x15\xe4\x15\xe4\x15\xe4\x75\x9b\x92\xd7\x96\xe3\xa9\x20\x22\xda\x8e\xaf\x46\x32\x4e\x63\x6c\x34\xb2\xc7\x62\xa7\xf7\x96\x53\xd7\x5b\x02\xb7\xfe\xef\x41\x1a\x15\xb8\x55\x2f\x69\x45\x25\xa3\x96\x33\x56\x51\x0b\x2e\xa5\x67\xd3\xc5\xac\xd1\x49\xec\x37\x06\xd9\x67\xfb\xe9\x1e\xb9\xbb\xf5\x91\x5c\xaf\xad\xf0\xdb\xcc\xf2\xc2\x2c\x6f\xa8\x49\xa5\xde\x44\x25\x84\x65\x71\x31\xf2\x63\x6b\x9d\x63\x31\xab\x97\x3a\xbf\x90\x5b\xd3\xeb\xb5\x05\xbe\x5f\x35\x15\x72\x7b\x3e\xf8\x1d\x3b\xc4\x26\xe5\x3b\xe6\x1e\x3c\xf2\xc5\xb2\x9e\x83\xc7\xdb\x85\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\x4e\x4f\x23\xaa\xb7\xa1\x7a\x1b\xaa\xb7\xa1\x7a\x5b\x0b\xab\xb7\xfd\xf6\x1e\x4a\xd4\xaa\xb7\x4c\xe5\xd6\xf5\x92\xb1\x6e\xa9\x0c\x7f\xff\x07\x7b\xd8\x67\xab\xca\x2c\x9f\xf2\x90\x59\xce\x88\xf6\x5c\xf1\x90\xd5\x44\x97\x95\xfb\x37\x59\x78\xb9\xea\x1f\xd1\x72\x5a\x50\xba\x59\x4a\x70\x4a\x77\x84\xaa\x78\xb9\xdc\xc8\xbb\xf2\xaa\x4d\x0e\x57\x08\x46\x6c\x67\xd8\xe9\x1a\x31\x76\xe5\x69\x3c\x5c\xa1\x01\xa2\xcc\x9f\xaf\x5a\x1b\x6c\xc8\x5b\x94\xe9\xf1\x14\xe3\x01\x12\xcd\x56\x3f\xc8\x7a\xdd\x92\x41\x0f\x0c\x6e\x49\x88\x36\x1b\x14\x6d\xfe\x4a\x8f\x00\xfc\x71\x0e\xf8\x2d\xd5\xe5\xa6\xec\x47\x7b\xad\x54\x80\xa0\xb3\x36\x23\xd6\x68\x65\x43\x8f\x9b\x8f\x7e\xb9\xaa\xbc\xf3\x11\x4b\xde\xe9\x61\x98\xc6\xab\x8b\x3d\x5b\x6e\x97\x20\xf8\x84\xe0\x13\x82\x4f\x08\x3e\x21\xf8\x84\xe0\xb3\x3b\x05\x9f\xc1\xd9\x53\xdb\xbe\x2a\x4a\xfc\xbb\xaa\xf2\xcf\x78\x80\xfc\xd3\x63\x9a\x31\x56\x55\x0c\xda\xca\x59\x06\x04\xa1\xdd\x36\xb7\x81\x20\x14\x82\xd0\x2d\x16\x84\xae\x36\x75\xdd\xb9\x79\x79\x68\xdb\xbf\x20\xc9\xe3\x74\x94\x1d\x8e\x1c\xb2\x94\x9f\x8f\x39\xc5\xa2\x95\x2d\xb4\x21\xc3\xe9\xbb\x42\x74\x78\x4c\x29\x64\xab\xa5\x31\x95\x13\xae\xb7\xac\x6b\x25\xc5\x24\xb9\x63\x3a\xff\x8e\xb3\x2f\x3d\xcc\xde\xd6\x47\x77\xa4\xb4\xa2\xca\xd3\xd0\x70\x7c\x2b\xb6\x99\xf7\xe5\x88\x80\x90\x2d\x3d\x6d\xb4\x14\x1d\x34\xf6\x9d\xd1\x8a\xaa\x2b\xf1\x8c\x73\x17\x31\x57\x68\x32\xbc\x7d\x9e\xa6\xc5\x28\x9c\xa2\x83\x7c\x14\x4e\xd0\x38\xc5\x7c\x47\xa1\x71\x67\x3c\x21\x84\xf3\xc2\x36\x5b\x93\xeb\x5c\xf0\xc8\x1b\x61\x51\xa9\x3b\x76\x9d\xd8\x99\x12\x42\x8e\xcc\x48\x84\x42\x5f\xd9\x61\x3f\x03\x33\xf0\xbd\xc6\xc7\x10\x95\xbb\xb7\xfd\x49\x24\x0c\x33\x70\xa2\x6c\x0e\x50\xf7\xa3\xc0\x97\x1f\xcc\xb5\x41\xe6\xfa\x2f\x7a\x9a\x61\x0a\xe6\x05\xb6\x3d\x4e\x47\x6d\x6c\xdb\x0a\x93\x52\x9b\xcd\xf0\xb6\x0f\x5e\x96\x24\x00\xd8\x26\xde\x7a\x97\x6d\x52\x0e\x54\xac\x6d\x6a\xb3\x2d\x43\xfc\x4b\xdb\x56\xcb\x82\x95\x4d\xb7\xd9\x37\xac\x6c\xb0\xb2\xd9\xe2\x95\x4d\x5b\xe6\x94\x81\xeb\x99\xda\xbe\x10\xd5\xbf\x0a\xce\xef\x47\x72\x8a\x0e\xb2\x03\x91\x7d\xd6\x72\xe5\x61\x57\x6c\x9b\xf3\xb8\x5b\x22\xc8\xed\x0f\x1e\xa6\x63\xb2\x12\x72\xa1\xa0\x57\x59\x11\xa5\xd5\x42\x4e\xbb\xb9\xa6\xe6\x4b\xe5\xcb\xa1\x0f\x3c\xcc\xbe\xdf\x4b\x77\x18\xc7\x1b\xdf\xcd\xc1\xaa\xcb\xa1\x59\xab\x99\xe8\x93\xbc\xb4\x71\xa1\xa0\x3b\xbf\x93\xf6\xf6\x96\x2c\x84\x9e\xa5\x63\x62\xd0\x4e\xd2\x7e\x3e\x68\xc7\x68\x94\xf6\xf8\x97\x28\x29\x14\x74\xe1\x53\x34\xaf\x2a\x70\xc4\x9e\x0d\x1e\x90\x7b\xd8\xb0\x59\x7a\xa4\x50\xd0\xe5\x90\x74\x9c\xa2\x9e\xda\x0d\x9f\xdd\x61\xf7\x7c\x34\x68\x11\xe4\xe8\xfc\x41\xb3\x98\x70\x5b\xfb\x3f\xc1\x23\xf8\xca\x26\x0a\xf5\x3d\x00\xcc\x0d\xb0\xf6\x69\x70\xed\xf3\xbe\x9e\x4d\xbf\xfd\x33\x62\xe1\x73\x84\xa6\xec\x85\x4f\xd3\x4d\x48\x80\xaa\xa4\xc9\x16\x26\xf1\x3f\xee\xb4\x4d\xc8\xde\x9a\x17\x3d\x0e\x5b\xf2\x94\xa8\x7a\xd7\x36\x4b\x82\xe5\x4e\xb7\x99\x34\x2c\x77\xb0\xdc\xd9\xe2\xe5\x4e\xeb\x67\x8e\x81\x6b\x9d\xda\x0c\x7f\x55\x63\xef\xfc\x2a\x24\x27\x69\x3f\xdb\x1b\x89\x5b\xcb\x95\xd7\x3b\x97\x3a\x76\x03\xb7\xc4\x3a\xe7\x43\xc3\x94\x94\xeb\x9c\xf5\x92\xa6\xa7\x94\x5c\x36\x9f\x31\x96\x3b\x22\x89\x87\xcf\xa2\x87\x3f\x21\xe3\x85\xce\x15\xb4\xb4\x79\xa0\x5a\xd4\xd9\xd7\x86\xd8\x1f\xf7\xd3\xdd\x8e\xb6\x8c\xaf\xe7\xcb\x3d\xb5\x65\xfa\x38\x65\x35\xbb\xa4\xa5\xa7\xad\x66\x9b\x94\xf7\x63\x92\x1f\x30\x6d\x5f\x9a\xf3\xab\xec\x73\x6a\xa4\x03\x69\x42\x0e\x36\xc7\x68\x90\x53\x2e\x9f\xde\x76\xaf\xf0\x6a\x49\x39\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x6d\x4e\x0a\xb2\xfd\xd0\x07\xd2\x8e\x20\xed\x08\xd2\x8e\x6c\xa3\xb4\x23\xef\x1d\x16\xf2\x74\x7d\x4c\xc0\x1b\x3b\xd5\x88\x1f\xa6\x14\xfb\x99\xf9\x46\xbe\x39\xc4\xbe\xdd\x4b\x3b\xc5\x8f\x57\x36\xe2\xa1\x37\x78\xe4\x17\xe1\xf8\x2b\xfa\x88\xb1\x85\xff\xe9\x72\xdd\xf1\x5f\x9a\xac\xbc\xb8\x44\x87\x05\xbd\xdb\x47\x13\x9c\xde\x8d\x50\x94\x86\x7c\xf9\xb9\xbc\xf5\x8d\x78\xac\x36\x50\x17\x20\x3e\x3f\x1f\xcc\xf1\xc6\xd8\xa8\xe4\x78\xae\x6e\x97\x24\x4f\x5c\x85\x93\xdb\x85\xfe\xe5\x0e\x67\x27\x3f\xe2\x9d\x01\x44\xf4\xf3\x63\x72\x63\x5b\xba\x3a\x71\x8c\x8e\xd0\x54\x99\x7b\xb2\x8e\xbe\x86\x3b\x12\x0a\x8b\x06\x15\x16\xef\xa9\x52\xf7\x7a\x53\xaf\xff\x09\xa1\xbb\x38\x44\x93\xb6\xee\xa2\xae\x16\x6a\xd4\x56\xb4\xc0\x4e\x44\xdf\x76\xaf\xd3\x4e\xdc\x63\xe6\xe0\xc8\x4b\xdb\xf0\xa8\xf8\xa1\x3d\xa6\x01\x49\x36\x90\x64\x03\x49\x36\x90\x64\x03\x49\x36\x90\x64\xa3\x91\x24\x1b\xed\x4c\x8b\xd1\xdc\x8c\x1e\xb5\x27\xd9\xa8\x6d\x0e\xe0\xf7\xb9\xf7\x9c\x1b\x24\xfe\xcb\x9d\xce\x39\xc0\x93\x01\x69\x33\xc4\xc4\x60\x57\xc1\xd2\x29\xb4\x72\x5e\x00\x35\x65\xb7\xcd\x46\xa0\xa6\x84\x9a\x72\x8b\xd5\x94\x2d\xa6\x41\x81\x52\xca\x16\xac\xf3\x92\x13\x34\xce\x62\x91\x11\xcb\x35\x70\x9f\x53\x4e\xc9\xf7\xbf\x25\x94\x94\x7f\xf6\x02\x4d\x09\x3c\x99\xd2\xb4\x62\x3a\x9b\x2f\xcb\x87\xec\x07\x29\xf9\xd4\x5b\x67\x1f\x7b\x81\xfd\xe3\x01\xba\xc7\x79\xac\xf1\x49\xdc\x2d\x3c\xe6\x45\xe9\xeb\x33\xe7\xd2\xda\x6a\xd8\xe8\xef\xf0\xa2\x71\x70\xf4\x09\x63\xa7\x19\xc7\x91\xce\xcf\x22\xdf\xa5\xc3\x35\x8c\x09\xc8\xf8\x20\xe3\x4b\x40\xc6\x07\x19\x1f\x64\x7c\x90\xf1\x75\x8d\x8c\x2f\xd1\x31\x32\xbe\xa6\x5f\x49\xc3\x32\xbe\x04\x64\x7c\x90\xf1\x41\xc6\x07\x19\x1f\x64\x7c\xed\x97\xf1\x25\xba\x5a\x13\x97\x80\x26\xae\x75\x9a\xb8\x44\xa7\x6b\xe2\x12\xdb\x50\x13\x97\x7c\xb3\xbf\x97\x68\x4e\x80\xc4\x63\x74\x84\x83\xc4\x03\xb4\x8f\x26\xaa\x64\xa1\x72\x20\xab\x8d\x78\x8c\x43\xa3\xc5\xac\x6e\xe9\x43\x1e\xf3\x26\x87\x77\xb0\xdb\x44\xe9\xf7\x37\x06\x83\xc3\xfd\x6c\xaf\x87\x43\xc8\x03\x96\x49\x94\xc8\xaf\x81\x22\xef\xd8\x59\x49\xc5\xee\x16\x1f\xa2\xb0\x22\x01\xd8\x6e\xf1\xff\xf6\x20\xb0\x46\x13\x96\x7a\xf4\x30\x7c\x32\x90\x94\x35\x28\x29\xfb\x93\x2a\x92\xb2\x3a\x13\xd0\x79\x0c\xcc\x86\x32\x99\x7a\xb5\x73\x52\x38\xc6\x4f\xd0\x31\x87\x63\xbc\x81\x86\x82\xed\x50\x41\xab\xdd\x0e\xd5\x68\x7b\x5c\x72\xb5\x6f\x8e\x54\xda\xa1\x90\x94\x24\x38\xf4\x1d\xda\xaa\xb4\x49\xa3\x62\x9b\xdb\x26\xcd\x58\x3b\xb6\xd6\x3a\xb5\x46\xcf\x06\x40\x0b\x40\x0b\x40\x0b\x40\xdb\x3d\x80\x16\xf3\xb3\x80\xf9\x59\xe7\x10\x6c\x68\x89\xdb\xa2\x25\x86\xa3\x00\x8e\x02\x38\x0a\xe0\x28\x80\xa3\xa0\xab\x1d\x05\x08\x29\x41\x48\x09\x42\x4a\x5a\x15\x52\x02\x3f\x1c\xfc\x70\xdd\xea\x87\x4b\x66\x9a\x5c\xb2\x38\x48\x14\x1f\xf5\x46\xca\xf7\xb3\xfb\xc4\xdb\x6c\x5b\xda\x16\xe2\xe5\xed\xa8\x78\x7f\x75\x90\x86\x85\xe2\x5d\x98\xc0\x31\x59\xdb\x72\xac\xa0\xa5\xd3\x59\xbd\xb8\xce\x61\xf0\xca\x7a\x3a\xa3\x96\x74\xf6\x33\x83\xec\x1f\xf4\xd3\xdd\x62\x57\xbb\x52\x72\x75\x7d\xfb\x92\x96\x9e\xb5\x5a\x4a\xf0\x96\xa2\xfb\x8c\x43\x84\xc9\x94\xd5\x91\x3d\xf6\x9a\xd7\x8a\xd3\xb9\x9c\x05\xd9\x9b\x97\x65\xbf\x45\x49\x7c\xd7\x44\x08\xe1\x38\x0f\x21\x34\x06\xfd\x0c\x4d\xd3\x71\x5f\x1f\x89\xfc\x4c\x9a\x15\x51\x3d\x3a\x60\x31\xab\x07\xc7\x83\x04\x79\x75\x2f\x07\x0f\xf7\xc3\xec\x90\x1c\xee\xe2\x9a\xe4\x08\xf7\xb8\x22\x8f\x1a\xa8\x90\xfd\x43\xf6\x8f\xec\xbd\xf0\x2a\xc1\xab\x04\xaf\x52\xf7\x78\x95\x90\xbd\x17\xd9\x7b\x41\xf3\x41\xf3\x41\xf3\x41\xf3\x3b\x82\xe6\x23\xb7\x2e\x72\xeb\x6e\x17\x7e\x89\xdc\xba\xad\xc8\xad\xfb\xd6\x61\x3a\x20\x50\x9e\x5e\xd2\x8a\x4a\x46\x75\xe4\xad\x10\x95\xc0\x36\xb4\xdc\xfa\x9a\xaa\x94\x4a\x4a\xea\xaa\xb3\xda\x31\xfb\xfc\x10\xfb\x61\x3f\x91\x3c\xee\xca\x46\x3c\xf4\x29\x59\xee\xcb\x59\xe3\x2b\x6f\x1a\x33\x93\xec\x5d\xe2\xed\x4d\x5b\xed\x35\xa5\xc8\xd7\x88\x3d\x83\xe1\xb3\x34\xf9\xbd\x33\x26\x41\xf6\xd4\x6c\xd0\x35\x1b\x76\xb4\x1d\x8b\x3e\xc6\x4f\xb7\x2c\x6e\xe5\x52\xbc\xfc\x1a\x3b\x1d\x22\x6e\x45\x25\xb0\xba\x10\xa1\x7b\x70\x49\x54\x58\xde\xcb\xee\x2a\x60\xfe\x29\x6b\xf8\x8d\x83\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\xb6\x9b\x21\x1e\xa5\xc3\xec\x50\x64\xd2\x12\x30\xed\x72\xa6\xf9\x2c\x5f\xe3\x55\x66\xfc\x04\x82\x04\x82\x04\x82\xec\x62\x04\xf9\x2d\x46\x93\xc6\xa3\xab\x92\x2a\xb7\xa0\xa5\x4d\xec\x38\x56\x28\x6a\x2f\xde\x1c\xfb\xbb\x86\xa9\x79\x89\x7d\x80\xb1\x7f\xd6\x4b\x77\xa4\xb4\x22\x07\x90\x4f\xa6\xb4\x7c\xde\xb0\x7a\x27\xe7\x2e\xd8\xd8\xa7\xa4\x85\xf9\x41\xc6\xf5\x2f\x69\xe9\x68\x54\xee\x35\xa3\x15\xd5\x4b\xf1\x93\x6a\xc9\x0e\xc9\x5f\xd2\xd2\x4b\xc6\xae\xcf\x64\x4b\x57\x97\x94\xd2\xd5\x89\xbe\xe8\x58\x54\x30\xb6\x49\xda\x25\x18\xdb\x83\x74\x3f\x67\x6c\xaf\xa3\x3b\x3f\xde\xb3\x83\xe4\xf0\x08\xe4\x65\x4f\x78\xf3\x2c\x62\x3b\xe4\xe5\xd0\xb5\xa7\x83\x91\x5a\x8c\x8d\x78\xe4\x52\x89\x44\x6c\xf5\x1d\xbf\x7e\x19\xb8\x4f\x21\xcf\xde\x59\xba\x58\x73\xef\x2c\xad\xb7\xa7\x77\x6a\xbb\xf5\xa0\xdb\x75\x01\xc4\xe0\x0e\x8f\xfc\x73\x47\xef\x3c\x65\xf5\xce\xb9\xe5\x2a\xdd\xb3\xc7\xdd\x3d\x9a\xbe\xcd\x46\x4f\x3d\x5d\x18\xfd\x39\x47\xff\x0c\x9a\xfd\x33\x3b\xb7\x38\x77\x61\xce\xbf\x87\x46\x5d\x3d\x24\x12\x49\xdc\xba\x7d\x34\xf1\xf3\x8e\x3e\x1a\x32\xfb\xe8\xdc\xd2\x85\x85\x73\x67\x97\xfd\x3b\x29\xe6\xea\x24\xd9\xf0\xf6\xea\xa5\xe0\xbe\xb1\xfb\x71\xca\xf3\x4d\x3b\x35\x37\x3d\x5b\xeb\x9b\x76\x4a\x55\xd2\xdb\xab\x7f\xea\x19\x45\x89\x9f\x75\xf4\xcf\x80\x65\x89\xa6\x2f\xcc\x9c\xf2\xef\xa0\x11\xb7\x29\x32\x3e\xac\xb7\x6e\x0f\x25\x8f\xd0\x14\x3b\x18\x39\x60\x2d\x33\x1e\x71\x2e\x33\xca\x8e\xdc\x8a\xba\x02\xfb\x69\x2f\x8b\x47\xc6\xac\x33\x3c\x60\xfc\x6b\xce\xb4\xcc\x79\x50\x84\x6f\x73\x1e\xa6\xd0\x15\xf6\x42\xe8\x4d\xe6\x6c\x6d\xda\x78\x56\x7c\x5d\x7f\x55\x0d\x5f\x3c\xbf\x18\x36\x5b\x59\xd7\x55\x6b\x8a\x99\x5a\x2f\x16\x8d\xa5\x9c\x18\x0d\xe6\xe2\xc4\x18\x1e\x5a\x3a\x26\x4e\xe1\x0c\xd7\xf8\x91\x41\x7a\xc8\x9c\x60\x19\x4b\x97\x6c\x4a\x55\x52\x29\x6d\x3d\x5f\xd2\xd9\x77\x07\xd8\x37\xfb\xec\xa1\x37\x52\x3d\x2a\x63\x59\x1c\x3d\x2d\x8e\x8e\x0e\x89\xf2\x03\xc6\xe8\x73\x6f\xd9\x6e\x41\x18\x8a\x48\x7b\x35\xce\xd3\x5e\x19\x6f\xc4\x24\xed\xa7\xbd\x55\x12\x55\x15\x55\x1e\x67\xe4\xba\xe9\x9a\x02\x2f\x96\x82\x5f\x8c\x51\xb6\xa7\xda\x14\xcf\x7d\x52\x0a\x0a\xe5\x80\x9b\x14\x6e\x52\xb8\x49\xe1\x26\x85\x9b\x14\x6e\x52\xb8\x49\xe1\x26\x85\x9b\x14\x6e\x52\xb8\x49\xe1\x26\x85\x9b\x14\xa1\x16\xf0\x73\xc2\xcf\x09\x3f\x67\xbb\xfc\x9c\xbf\x7a\x99\xf6\x88\x50\x0b\xc5\x58\x74\x65\xb2\xbc\x40\xb4\xbb\x54\xa8\x5c\xea\x67\x53\xaa\xce\xfe\xde\x65\xf6\x99\x01\x62\x65\x3b\x73\x37\x43\x75\x4a\x37\xbd\xb4\x20\x21\x51\xf4\x71\x63\xcf\x69\x77\x0b\x97\xe2\xf6\x0e\x1d\x0e\xe6\x50\x1e\x14\xf0\x0a\xe5\x41\x01\xaf\x00\xaf\x00\xaf\xba\x08\x5e\x75\x50\x72\xf5\x8e\x81\x57\xc8\xfa\x0d\x78\x05\x78\x05\x78\x05\x78\x85\xf2\xa0\x48\x4b\x7c\xeb\xb0\xa6\x8e\x4f\x4b\xbc\x2d\xcb\x83\xbe\xe4\x5f\x23\x70\x45\x28\x9d\xde\x44\xcf\x72\xa5\xd3\x32\x3d\x4d\xe7\x3c\x95\x4e\xc6\x00\x19\x55\x32\x19\xa3\x17\x4b\x5a\xd1\x4e\x16\x51\x8e\xaf\x36\xe2\x31\x9b\x28\x39\x6b\x87\xbe\x39\x58\xec\x74\x94\x1d\x96\x02\x27\x6f\x28\xe6\xd2\x00\x0a\x01\x94\x7d\xae\x40\xf1\x53\xe4\x9d\xe4\x09\xd0\x1e\x30\xcb\x88\xe6\x9d\xb0\xec\x09\xf1\x6b\x3b\x70\x99\xa0\x5b\x0a\x5d\xa1\x17\xca\x4a\x89\x9e\xa1\xd3\x4d\x7c\x1a\xa8\x63\x85\x3a\xa3\x0d\xd6\x19\xfd\x5c\x2f\x5d\x16\xa6\xe2\x19\xba\xc8\x4d\xc5\x39\x6a\xee\xe0\xa4\x94\xa8\x35\xfa\x3c\x3d\x67\xd7\x1a\x6d\xfa\x49\xd2\xa2\x10\xe9\x0b\xf4\x26\x47\x21\xd2\xa6\x9f\xa5\xf1\x84\xdb\xa2\x7c\x69\x6d\xa6\xb2\xc2\x00\xd6\x6e\x3b\xa3\x7f\x34\xe2\x69\x0a\x1f\xf7\xac\x64\xea\xb0\x8a\x7b\xc4\x0e\x15\x56\xd1\xae\x68\xda\x32\xfb\x88\x62\xa6\xc0\xc9\xc0\xc9\xc0\xc9\xc0\xc9\x28\x66\x8a\x62\xa6\x28\x66\x8a\x62\xa6\x70\x6b\xc0\xad\x01\xb7\x06\xdc\x1a\x70\x6b\x34\xc5\xad\x81\x62\xa6\x28\x66\x8a\x62\xa6\x28\x66\x0a\xaf\x21\xbc\x86\x5d\x54\xcc\xb4\xe5\x7e\xb9\xe6\x97\x1c\xfd\x57\xbb\x68\x51\x88\xe7\x53\x6a\x51\xba\x45\x55\xdd\x56\xce\x8b\xfa\xa3\xce\x6d\xd9\x4c\x3e\x9b\xcf\x98\xb3\x2a\x33\x7b\x98\x52\x28\x14\xb5\x0d\x25\xc7\xbe\xfe\x08\xfb\x6e\x1f\x3d\xe0\x3c\xc2\xaa\x4d\x7a\xb0\xa8\x2a\xe9\xb0\xb9\xab\x39\x3a\xec\x89\xf3\x8c\x7d\xd0\xb2\x38\xcd\x79\x71\x9a\x28\x3f\xd2\xb1\x59\x97\x85\x4a\x7d\x8f\x98\x96\x27\x69\x2e\x39\x4f\xae\xd3\x73\x62\xf4\x2d\xd3\xd3\x7c\xf4\x9d\xa6\x05\x3a\xe9\x9f\xd0\xc2\xd9\xa7\x66\x6d\x51\xdf\x6b\x0e\x1c\x8b\x6f\x09\x1e\x5f\x67\xd9\xa2\x59\x2c\xb7\xf2\x79\xca\x01\xe5\x7f\x01\x15\x05\x45\xaf\x3d\xea\x3d\xfc\x6f\x67\xfd\x19\xb5\x44\xa1\xef\xed\xf4\x79\xd4\x87\x8b\x6a\x21\xa7\xa4\xd4\x86\x9e\xb6\x79\xf0\xd6\x3f\xf0\xc4\x0b\xf4\x26\x7a\xb6\xcc\x95\xdc\xbc\x27\x0e\x82\x08\x37\x72\x83\x6e\xe4\xdf\xe9\x69\xa9\x29\xba\x22\x5c\xc8\x6f\xa4\x4b\xb6\x0b\xb9\x7b\x6d\x5d\x61\xbd\x44\x89\xef\xdc\xe5\x63\xeb\x66\x0b\x4a\xb1\x94\xe5\x8e\x35\xb1\x24\x6f\xc8\xe8\x1d\x2a\x18\x33\xaa\xad\x35\x79\x8f\x94\x37\x34\xca\x2f\x6a\x8f\xf1\xe7\xd4\x2e\xe7\xc6\x35\xb5\x98\x51\x9d\x5b\x07\x9c\x5b\xf9\xa4\x46\xcd\x64\x53\xa3\x15\xfb\xb9\x5a\x31\xfe\xbe\x29\xb7\x1a\x57\x99\x38\x4b\x8b\x94\x2c\x33\xb7\x53\x74\xb0\x81\xe9\x1d\x4f\xdb\x06\xfb\x1a\x64\x5f\x3f\xda\x47\xaf\xf4\xb1\x0f\xf7\x85\x3e\x68\x51\x85\x97\xfb\xba\xc7\xbe\x96\x31\x55\xa3\x9f\xb9\xaf\x9a\x73\x7f\x63\x70\xda\x01\x90\x43\x3e\x03\x77\x98\xc3\x11\x21\x6d\x50\x72\xfc\xc8\xbc\x96\x1f\x15\x47\xf3\x3d\xb8\x63\x46\x0f\x0f\x25\x75\x2d\xbf\x24\x22\x01\xcf\x18\xaf\x85\xfc\x7b\xd9\x7c\x59\xec\x1f\x87\xfd\x0d\x7f\xe2\xcb\x3d\xf4\x5a\x0f\x7b\xb5\x27\xf4\x79\x6b\x85\xf6\xa1\x9e\x79\xcd\x58\xcf\x67\xf5\x70\x46\xe3\xdd\xae\x85\x23\xab\xc6\x4f\x91\xf0\xb4\xeb\x2e\xf8\xd2\x56\xb8\x77\xd6\x75\xdb\x49\x3d\xaa\xa4\xf8\x8d\x73\xd7\x7f\x2e\x9b\x92\xdc\x46\xcd\xa5\xf5\xb0\x76\x43\xf6\xa9\x70\x8d\x17\x54\xad\x90\x53\x63\x61\x71\x46\x1e\xba\x69\x3e\x4b\xbe\xc4\xf4\xec\x00\xeb\xf4\x91\xdb\xf8\x65\xb9\x34\x95\x5b\x3b\xa7\xf6\x2f\x87\xc5\x2f\x9d\x6a\xfc\x10\x55\x7c\x4d\x36\xf1\x65\x4a\xce\xd3\x2c\x4b\x44\x4e\x58\x29\x0f\x9f\x72\xa6\x64\xf4\x3d\xae\xf5\x29\xe0\xd9\x77\x86\x68\xc2\xa7\xaa\x9d\x58\x28\x8a\xd2\x76\x29\x3d\x9b\xd7\xd2\xaa\x55\xd1\xee\x63\x43\xec\x4f\xfb\xe9\x1e\xbb\xa2\x9d\xf8\x6e\x7e\xa4\x96\xb2\x76\x33\xcb\x0b\x67\xb5\xb4\xda\x11\xd5\xec\x42\xee\x6a\x76\xe2\xeb\x2c\xae\xaf\xc3\x03\xbe\xb7\xa4\x92\x5d\x50\xa5\xb9\x6b\xcf\x05\xbf\x5a\x93\x6c\x7f\xb5\x52\x77\xb2\xf7\x2b\x27\x73\x48\xcf\x88\x08\x77\xa4\x67\x84\x24\x11\x92\x44\x48\x12\xbb\x48\x92\x88\xf4\x8c\x48\xcf\x08\x29\x18\xa4\x60\x90\x82\x41\x0a\xd6\x11\x52\xb0\xe4\x3e\x9a\x60\xe3\x91\x98\xc5\x32\xee\x77\xb1\x0c\xb1\x7c\x43\xf1\x3a\x24\x75\xdc\xb6\x92\x19\x24\x75\x6c\x45\x52\xc7\x8f\x0e\xd2\xb0\x20\x8d\x79\xb5\x74\x43\x2b\x5e\x37\xe6\x78\x65\xb0\x91\xcb\x50\x74\x5d\xd5\xd9\xdb\x06\xd9\x5f\xf5\x11\xb3\x77\xb5\x18\xe3\x53\xd5\x53\x3a\x2e\x88\x26\xa2\xbc\x3e\xcb\x59\xeb\x70\xc9\xf6\xe4\xd6\xed\x56\x75\xc5\x3f\x6a\x96\x92\x02\x02\xce\xd0\x34\x87\x80\x87\xe9\x10\x4d\xfa\x92\x76\x47\xcf\x9b\x9c\x5d\xf6\x88\x33\x19\x41\x40\xaa\x80\x6b\x2f\x04\x43\xbe\x29\x76\x50\x42\xbe\x8a\x87\x2d\x39\x9f\x3c\x2f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\xdf\x96\x73\x3e\x10\x3b\x10\x3b\x10\xbb\x2e\x26\x76\x6f\x8d\xd2\x29\x41\xec\x44\xc8\xeb\xd8\x86\x29\x07\xb4\xca\x3a\x4b\x41\x20\xff\xfb\xa5\xb1\x82\x96\x4e\x67\xf5\xe2\x3a\x5f\x99\xaf\xac\xa7\x33\xaa\x15\x4e\xc6\x3e\x31\xcc\x5e\xbe\x8d\x76\x8a\x96\xae\x6c\xc4\x43\xbf\x5a\x8b\x56\x70\x49\x4b\xcf\x5a\x2d\x26\x78\x8b\x1d\xa1\x1b\x8c\xf2\xd3\x89\x38\xde\x4b\x71\x57\x2d\xf1\xf2\xeb\xed\x74\xb6\xd8\x91\x3a\xc2\x67\x83\x11\xe3\x01\xb6\xcf\xa3\xf8\xb3\x18\x5f\x76\x95\xf4\xf2\xa7\x01\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\xd8\x6e\xbc\x78\x82\x8e\xb1\x23\x91\x29\x4b\x46\xf8\xb8\x53\x46\xe8\xb1\x72\xab\x94\x14\xbe\x99\x2e\xb3\xe7\x23\xcf\x59\x2d\x4c\xc9\x6b\x17\xa1\xcd\xc6\x14\x69\xbd\x74\x35\xac\xa7\xb4\x82\x3a\x12\xd6\xd7\x53\x57\x8d\xe7\xc7\xe7\xc0\xaa\xb2\x26\x80\x4a\xa1\xa8\xf1\xbe\x8a\xec\xb4\x30\x06\x44\x8b\x40\xa0\x40\xa0\x40\xa0\x1c\x81\x7e\xeb\x11\x3a\x5b\x86\x40\x85\x52\xb1\x7e\x02\x3a\xa6\xf3\xf4\x64\xec\xc7\x1e\x61\x9f\xea\xa3\xbb\x2d\x10\x2a\x54\x8d\xe3\x3c\x91\x96\xd8\xa5\x32\xc7\x88\x87\x39\x8c\xee\x33\x8e\x30\x09\x24\x6f\xa4\x2a\x86\x14\xc9\xd1\x9a\x9c\x3c\x2b\x4b\x67\x05\x3b\x3c\x49\x73\x9c\x1d\x1e\xa7\xa3\x74\xd8\x57\x7e\x28\x93\x3d\x9a\xd2\x43\x2f\x3c\x17\x44\x0e\xab\x67\xaf\xba\x76\x39\x98\x1b\x1e\x66\x87\x6a\x65\x85\x15\xda\xc4\xd0\xfb\x77\x56\x3c\xb9\xbd\x66\x5e\xac\x7a\x1e\xde\xa4\x3c\x68\x6b\x9f\x5f\xe2\x69\x32\xbe\x70\xee\xe4\x2c\x9b\x7b\x80\xc8\xcf\x82\xfc\x57\x0d\xe6\xbf\xfa\x4c\x4f\xd3\xad\xc9\xb2\xc8\x79\xb5\x48\x49\x3b\xe7\xd5\x16\x9a\xa8\xc2\x7a\xeb\x4d\x54\xe2\x97\xef\xaa\x30\x51\x47\x2a\xd2\x59\xd5\x63\xab\xf6\x17\x9c\xbe\xae\xf6\x5b\x2a\xa4\xb0\xea\x36\x13\x89\x14\x56\x48\x61\xb5\xc5\x29\xac\xda\x3f\xb3\x0d\x4c\x5b\xd5\xe2\x0f\x47\x57\x02\x19\xf6\x13\xc3\x74\x44\xe6\xbf\x4a\x5d\x55\xd3\xeb\x39\x8f\xa8\x34\xa1\x79\x29\x14\xb3\x5a\x31\x5b\xba\x99\xca\x29\xba\x6e\x67\xc2\xfa\xad\x21\xf6\xae\xdb\x88\xd9\x47\x5b\x5f\xdd\x4f\xd6\x24\x70\x91\xad\xce\x18\xad\x76\x84\xb4\x65\xb7\x48\x89\x65\xdd\x8f\xfc\xe4\xbb\x2e\x14\x9a\x96\xca\xf7\x37\x15\xfc\x7a\x9e\x60\xc7\xcc\xd4\x57\xe5\x83\xcd\x7c\x53\x9d\xbd\xec\x91\xd0\x34\x48\x38\x03\x75\x0b\xd4\x2d\x50\xb7\x40\xdd\x02\x75\x0b\xd4\x2d\x50\xb7\x40\xdd\x02\x75\x0b\xd4\x2d\x50\xb7\x40\xdd\x02\x75\x4b\x9b\xd5\x2d\x53\x74\x90\x1d\x88\xec\xb3\x50\xc8\xc3\x2e\x98\xe2\x5c\xe5\x21\x55\x16\x54\x27\x50\x9d\x40\x75\xe2\x50\x9d\xbc\xb3\x8f\x22\xb2\x84\x9b\xa6\x15\xd3\xd9\xbc\xb3\x9e\x9c\x85\x25\x19\x2f\x7f\x4e\x0f\x38\xf7\xb1\xe0\xe3\x43\x19\xb5\xe4\xfe\x5e\x8b\xbb\x89\x46\x32\x6a\x69\xc6\x71\x84\xc4\x7b\xd3\x4b\x0b\xe6\x2a\xb1\x89\xae\xbb\x8a\x86\xa6\x2a\x1a\x9a\xaa\xa5\xa1\x64\x81\x2e\x0a\xa0\x77\x96\x16\x39\xd0\x9b\xa7\x59\x4a\x34\x00\xf4\x1c\xf7\xb9\x98\x0d\x2e\x26\xc1\xfe\xeb\xb0\x19\x03\xe9\x95\xb5\xac\x7a\x38\xa4\x95\xcd\xcc\x64\xc5\x3f\x3d\xcc\xfe\xa2\x9f\x5e\xe7\x4a\x6a\x56\x5b\xcd\x04\x99\x2d\xab\x23\x00\x71\x84\x9f\xce\x99\x5a\xcd\x76\x07\xcb\xeb\x04\x1f\x6e\x20\xe6\xf1\x8d\xc1\x00\x79\x3f\xdb\x5b\x7f\x5a\x35\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\xe1\x8e\xaa\x9c\x20\x57\x6e\xb7\x82\xaa\x0e\xc0\x19\xc0\x19\xc0\x79\x1b\x01\xe7\xbf\x37\x4c\x27\x1b\xa5\x9c\xf2\x08\x2e\x38\xce\xaa\x3a\xfb\xcc\x10\xfb\x4a\x05\xe4\xbc\x29\xbf\xc2\xf9\x74\x76\x23\x9b\x5e\x57\x72\x2e\xdc\x69\xcd\x78\x25\x54\x14\xb1\x26\x4d\x81\x9d\xb1\xe8\x48\x15\x5c\xe9\x3a\xdf\x62\x56\x47\xb2\x36\x0f\x70\x59\x9b\xee\x5c\xe0\x47\x57\x87\x92\x47\x7e\xb6\x4a\x6e\x79\x6d\xb7\x37\x18\xbd\x8b\x11\xbf\x71\x5e\x73\x02\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\xb3\xcd\x08\x13\x30\x12\x30\x12\x30\x12\x30\xb2\x85\x30\xf2\x5d\x7d\xb4\x5b\xc0\xc8\xe2\x8a\x92\x8a\x99\x40\xaa\x4c\x03\x6b\xc9\x5f\x8d\x9d\xa6\x9d\xfb\x5c\xd9\x08\x90\xbf\x9e\x2f\x3f\xe2\x12\xe4\xaf\x3e\xf2\xd7\xef\xbd\x81\xe2\xc6\xb3\x30\x3a\xdc\x3f\xe5\x5d\x79\x8a\xbb\x4f\xbc\x81\x7d\xad\x97\xee\x48\x69\x45\xd5\x78\x18\xe1\xa0\xdc\x76\xd1\x47\x8d\x3d\x66\xb4\xa2\x5a\x56\x4b\xa3\x25\x49\xeb\xce\xd3\xa4\xe8\xcc\x71\x8a\xf1\xce\x1c\xa2\x01\x7a\xd2\x37\xb5\x87\x71\x17\x3c\x77\x8f\x96\xde\x6c\x76\xba\xb9\x60\x92\x1a\x61\x61\x49\x4a\x23\x11\x3b\x7b\x87\x8b\xa4\x86\x7e\x72\x87\xdd\xb7\xbb\x6b\xc8\x3e\x17\x0d\xcb\x9d\xda\xd4\xc3\x89\x29\x3a\x48\x07\xca\x12\x26\xd5\xd8\xc5\x48\x8e\x84\xfc\x71\x0d\xe6\x8f\x7b\x77\x4f\xe3\x2f\xf6\x11\x91\x28\x6e\x3f\xed\xb5\x13\xc5\xb5\xc3\x2c\xf0\x8c\x70\xb5\x99\x05\x0f\x67\x8a\xcb\x44\x24\xfe\xf3\x9d\xb6\x59\x18\xa9\x27\xe3\x5b\xf4\x31\x9e\x61\xa8\x0d\xd6\x01\xa9\xdc\xba\xcd\x5a\x21\x95\x1b\x52\xb9\x6d\x71\x2a\xb7\x16\xce\xf7\x6a\xb3\xdc\xde\xd3\x38\xdb\x86\x07\xa6\x7e\x4b\x8e\x53\xec\xff\x63\xef\xcf\xe3\xe3\xc8\xaa\xbb\x61\xfc\x53\x2d\xaf\x77\x56\x0a\xc2\x30\x9a\xad\xa6\x3c\x63\x2d\x96\x5a\x96\xed\x19\xdb\xf2\x78\x3c\x6a\x49\xb6\x25\x6f\x42\xf2\xd8\xc3\x30\x33\x76\xa9\xfb\xaa\x55\xe3\x52\x55\x53\x55\x2d\x59\x2c\x09\x30\x84\x40\x58\x03\x09\x10\xc3\x43\x12\xe0\x19\x06\xc2\x12\x48\x42\x02\x24\x64\xe1\x47\x02\x21\x21\x04\x92\x90\x10\xc8\xf2\x23\x4f\x12\x92\xbc\x3c\x7c\x42\x12\xc2\x24\x6f\xf2\x7e\xee\xb9\xb7\x6e\xdd\xea\xae\x5e\xd4\x6e\xc9\xf2\xe8\xcc\x1f\x9e\x56\x2d\xf7\xde\xba\xcb\xb9\xe7\x7e\xcf\xf7\x9c\xa3\xf7\x99\xbd\x12\x75\xb9\xa1\x22\x34\xdb\x33\x81\x34\xa6\xff\x73\x17\xb9\x2d\x3a\x6b\x70\xc6\x49\x40\xfd\x05\x3b\x4f\xad\x7c\xde\x2b\xbb\x61\xa0\xff\x5e\x97\xfe\x99\x0d\xf1\x26\xf7\xe2\xe6\x48\x25\xd3\xbc\x94\x61\x5e\x4a\x9b\x58\x25\xfd\x8b\xf1\x96\x99\xac\x80\x9d\xab\x0e\x7b\xfe\xb0\xe3\xc8\xad\x14\xfd\xe1\x52\xd6\x4e\x33\xb4\x8f\xc7\x27\x1b\x2f\xb0\x7e\x7d\x07\x5f\x60\xc9\x61\xa8\xb1\xd6\x90\x48\x82\x44\x12\x24\x92\x20\x91\x04\x89\x24\x48\x24\x41\x22\x09\x12\x49\x90\x48\x82\x44\x12\x24\x92\x20\x91\x04\x89\x24\xab\x4c\x24\x41\x9a\x07\xd2\x3c\x90\xe6\xb1\x8e\x69\x1e\xbf\xfc\x28\xa7\x16\x04\x03\x56\xa9\x14\xd4\x21\x18\x04\xa1\x15\xd2\xd9\xb2\xc3\xd6\xae\xfe\x3f\x8f\xe8\xaf\xda\x4e\x36\xb3\x57\xce\x2d\x0c\x76\xf6\x70\xfd\xd0\x17\x3b\x5b\x24\xfa\xa2\xb0\x59\xd3\xe2\xd5\x69\x1a\xf6\xde\xc1\x1e\x1d\x2e\x95\x02\xd5\xc6\xa5\x3c\xb0\xc6\x31\xba\x1c\x02\x57\x08\x5c\xe5\x10\xb8\x42\xe0\x0a\x81\x2b\x04\xae\xd6\x0d\x70\x95\x5b\x33\xc0\x55\xdb\x5b\xd2\x32\x70\x95\x43\xe0\x0a\x81\x2b\x04\xae\x10\xb8\x42\xe0\x6a\xf5\x81\xab\xdc\xba\xc6\x99\x72\x88\x33\xad\x1c\xce\x94\x5b\xeb\x38\x53\xee\x2a\xc4\x99\x26\x1e\x23\x23\x9c\xdb\x74\x1f\x19\x02\x6e\xd3\x1e\xb2\x8b\xec\xac\x49\xff\xb3\x4a\xa5\x20\xbb\x30\x98\x55\x90\xa1\x66\x3c\x65\x1e\xbf\x3d\x9d\xce\xb4\x59\xdf\xc8\x99\x4c\xa7\x1a\x33\x99\xfa\xf4\x5e\x41\x54\x62\x8d\x10\xd4\x6e\xa5\x1d\x09\x4a\x93\xf9\xdd\x2d\x31\x0c\xf6\x1c\xbe\xeb\x18\x56\x02\xf1\xba\x93\x5f\x5d\x0d\xcc\x8b\x43\x54\x39\xf2\x00\xb9\xbf\x82\x5d\x9d\x25\x7d\xcb\xe9\x6b\x64\x54\xa3\xff\x47\x8b\xfe\x1f\x7f\xaf\xd5\x5c\xa4\xe4\x10\x17\x01\xfb\xc8\xbd\x20\x02\x76\x92\x65\x4e\x4b\x32\xca\x1d\x44\x0e\x92\x03\xb1\x83\xc8\xf2\x4b\x19\x63\xa5\xec\xd2\xef\x27\xf7\x91\x2d\xc3\x79\xb6\x91\xb4\x52\x4c\x63\x91\x53\xf2\x56\x42\xe4\xf4\xfe\x61\x5f\x2c\x72\x84\x4a\x6b\xe4\x3d\x87\x1d\x50\xc5\x86\xa3\x8a\x9f\x1d\xfc\x09\x2e\x7e\x46\xe4\x63\xab\x21\x88\x4e\x93\x29\x32\xa9\x0a\xa2\xde\x1c\x79\xa0\x05\x3a\xeb\x28\x7c\xc1\x29\x80\x54\x03\x04\x5f\x11\x7c\x45\xf0\x15\xc1\xd7\x75\x04\xbe\xa2\x32\xd6\x40\x19\x5b\x3b\xe8\xf4\xdf\x66\x08\x04\x44\xe8\xfc\x0b\x39\x54\x1f\xcb\x9c\x56\xcf\x83\xb6\x6b\x04\xfc\x4c\x67\xcc\xd0\x59\x6e\xca\x95\xb8\x49\xbc\x65\x89\x55\x02\x9d\xa5\xa8\x7d\xae\xe7\xf6\xbb\xb4\x68\xc1\x90\x88\x23\xa1\xaa\x1e\x72\x04\x55\x4e\x06\xa1\x1d\xd8\xf3\xf3\xb4\xc0\x14\x50\x67\x29\xb6\xb1\xc6\xa2\xdd\x76\xfa\xc4\x49\x11\x3e\xd7\x28\xfa\x56\x1e\xe6\x89\xed\x15\xe4\xc6\x13\x6f\x0e\x60\xbe\x8e\xc6\xa5\x1c\xb0\x46\xaa\x1d\x65\xb1\x37\xa3\x0f\x12\x95\xcc\xf2\xf5\x16\x15\x91\xe5\xed\xe4\x1e\x6a\x29\x6d\x34\x75\x68\xc2\x24\xb4\x20\xed\x04\x8c\x46\x00\x34\x02\xa0\x11\x00\x8d\x00\x68\x04\x58\xd7\x46\x80\x3f\xca\x90\x2f\x65\xf4\x2f\x66\x3a\x3f\x2f\x77\xdb\x9f\xcd\x8c\x2a\x8e\xa5\x25\x87\x5a\x01\x95\x4b\x7f\xd2\xf7\x4a\x56\x11\xf6\x61\x1e\x1b\x3b\x41\x01\x8a\x86\x3b\xf6\x4c\x65\x03\x3e\x98\xdd\x9b\x35\xa6\xb9\x1c\xe1\x9b\x64\x89\xba\x6c\x9a\xc6\xbb\x08\x35\x3c\xbf\x34\x67\xb9\x11\x25\xc9\x2f\xd3\x81\x59\xcb\x89\xb4\x7f\x93\xdf\x35\x8d\x59\xdb\xb5\x1c\xfb\xc5\x91\xf8\x9e\xa1\x86\x55\x00\x44\xdd\x1b\xe0\x00\x6b\x21\x56\x2d\x79\xe1\x5d\x41\xfc\x12\xd7\xb7\xb3\xc6\x98\x0d\x22\x49\x69\xb8\xe7\x57\x7f\x59\x6c\xc5\x08\xb9\xba\x0f\xda\x9f\x17\xce\x65\xcd\x1b\x79\x7b\x46\xa3\x0f\x49\x72\x9b\x5e\xb3\x81\xfc\xe8\x06\xfd\x95\x1b\x3a\xff\x47\x12\xdc\xbe\xd6\x71\x56\xc8\x41\x36\x45\xe7\xbc\x45\xa3\x68\xf9\x33\x56\x31\x01\x3b\x48\x45\x8d\xfa\xb3\x9e\x3f\xcf\xfa\x22\xb5\xa5\xa7\x2a\x2a\xaf\xdd\x50\x50\x6b\x22\x9d\xa4\xc4\xbf\xca\x66\xfa\x42\xde\x2e\xc4\x8a\x35\xec\x8d\xdc\x91\x3d\xea\x5d\xb6\x39\x89\x9d\x23\xda\xfd\xb2\x4a\x37\x46\x72\x53\x9a\x0e\x24\xad\x2d\x59\x59\xd6\xe0\xe0\x10\xc8\x62\x55\x5b\xed\xe2\xdf\xd0\xc5\xce\x3c\xf0\x2b\x39\x31\x82\x03\x46\x57\xce\xca\x5f\x28\xfa\x5e\xd9\x2d\xb0\xa7\x80\x4f\x06\x0f\x55\x74\x1c\x57\x56\x84\x06\x94\x2c\x24\xfa\x82\x19\x59\xd2\x01\xa3\xeb\xb0\xe7\x53\xa5\x58\x23\x6f\x05\x79\xab\xc0\xbe\x5e\xf4\x0f\x67\x10\x42\x79\x01\x57\xa7\xab\x0a\x9c\x95\x65\x64\xcd\x67\x95\x2a\xe7\x8d\xaa\xdb\xa0\x8d\x0d\x6d\x6c\xeb\xd4\xc6\x36\x51\x24\xc7\x39\x58\x3d\x46\x46\x00\xac\x3e\x48\x0e\x90\xfd\x2d\x80\x97\x3c\x78\x4f\x43\xc3\x55\x73\x28\x71\x7d\x64\x58\xc5\x90\x1f\xef\x4d\x87\xa5\x9f\xad\x3f\x8b\x8b\x87\x58\x74\x93\xab\x31\x4c\xc5\x7f\x67\x48\xa7\xe0\xad\x97\x43\x2f\xc8\x5b\x8e\xed\x16\x07\x16\x76\xcd\xd0\xd0\xda\x35\xa0\xff\x55\x46\xff\x46\x86\x3c\x5b\xb9\x77\x4e\xdc\xab\x1d\x94\xf0\xce\x22\x0d\x87\xe3\x17\xce\xf0\xe7\x31\x26\x61\x7a\x4c\xc2\xa7\x7a\xc9\x43\x8d\xe3\x43\xf2\x1c\xe9\x75\x33\xd7\xf8\x9e\x43\x67\x6c\x97\xed\x62\x32\x45\xf7\x17\x7b\xf4\xf7\x6e\x24\x37\xa7\x05\x95\xe4\x89\xd5\x3f\xde\x4c\xba\xee\x29\xcf\xa1\x39\x5e\xf2\x9a\x48\xd9\xbd\x0b\xaa\x4b\x89\x7b\x09\xdf\x14\x5b\x64\x94\x76\xaf\x71\x77\x88\x2b\x12\xb2\xc4\x6e\x2c\x2a\x0f\xeb\xa3\x42\x18\xd6\x9c\x9c\xc2\xca\xa6\xf4\xb5\x2a\x4b\x61\x44\xea\x85\x04\xe2\xd9\xc2\x31\x8e\x09\xba\x83\x60\x1c\x13\xb4\x48\xa2\x45\x12\x2d\x92\xeb\xc8\x22\x89\x71\x4c\x30\x8e\x09\x5a\x82\xd0\x12\x84\x96\x20\xb4\x04\xad\x09\x4b\xd0\xc4\x3e\x72\xaf\xbe\xc7\xdc\x25\x11\xac\x9b\xd4\xd0\xac\xca\x19\xef\x99\x10\xa2\x15\x63\xac\x20\x2e\x8f\x31\x56\xae\x1e\xdf\x17\xfd\x17\xbb\xc9\x5e\x0e\x95\x06\xa1\xe7\x5b\x45\x9a\x8e\x8f\xe6\xd9\x46\x00\xf7\xf3\x56\xc9\xca\xdb\xa1\x4d\x03\xfd\xfb\x5d\xfa\x3f\x6d\x20\x37\x88\x1b\x12\xff\xfc\xe1\xe6\x82\x2e\x8f\x4c\x8f\x4f\xf3\x37\x47\x78\x91\xed\x4a\xe7\xbd\x1f\x5e\x10\x65\x0b\x00\xb3\xba\x32\x0c\xc2\xdc\x1c\xa2\x49\x1b\x23\x9a\x39\xfd\x01\x81\x68\x26\xe7\x90\x80\x31\xab\xfb\x3e\x05\xcd\xc4\x14\xdf\x88\x68\x22\xa2\x89\x88\x26\x22\x9a\x88\x68\x22\xa2\x89\x88\x26\x22\x9a\x88\x68\x22\xa2\x89\x88\x26\x22\x9a\x6b\x10\xd1\x44\xd4\x10\x51\x43\x44\x0d\xd7\x31\x6a\x78\x94\x6c\x1a\x70\xbc\x62\x30\xa0\xdf\xaf\xdf\x47\x36\xb0\x9f\xbd\xba\xe3\x15\x0f\xdb\x0e\x30\x34\x8f\x5a\x6e\xc1\xa1\xfe\xc4\xcd\x0d\xa9\x9a\xff\xb3\x83\x9c\xaa\x8b\x3f\xd6\x60\x66\xa6\x01\x92\x11\x43\xf3\xe7\x77\xe8\x1f\xe9\xa8\xc6\x25\xef\x86\x24\xd3\xc9\x83\x6e\x35\x36\xd5\x9b\x65\x8f\x25\xd1\xc3\x98\xfe\x58\xfd\x7c\x9b\x53\x4f\xdb\xe4\x24\x87\xf8\x8e\x90\x31\x80\xf8\x0e\x91\x83\xe4\x40\xcd\xd8\x1f\x51\xa7\x89\x6f\xcc\xa6\x60\x6d\x97\x99\x91\x7a\x75\xf0\xbf\xce\xb7\x6f\xad\x1e\xb0\xee\x28\x73\x75\xc3\x31\x1b\x14\x4f\x5e\xa9\x61\xcb\x3d\x9f\xb0\x3d\x31\x19\xd7\xe8\xf2\xc6\x0d\x3d\xeb\x31\xcc\x51\x8b\x61\x8e\x3e\xa3\xb5\x5d\x88\x4c\xf3\xe0\x46\xc7\xc9\x44\x1c\xdc\xe8\x0a\x4a\x26\x48\x8a\xdd\x9c\x64\x6a\x5e\x06\xa5\xcb\xb0\xde\x4f\xde\x58\x2d\x99\x6e\x11\x6e\x71\x56\x9a\x30\xda\xc9\x6f\x5e\x31\x59\xb4\x32\xa1\x8d\x50\x1c\x35\x10\x47\x18\x5e\x63\x55\xc2\x6b\xa0\x5f\x35\xfa\x55\xa3\x5f\xf5\x4a\xf9\x55\x4f\x7c\x5a\x6b\xb3\x73\xe9\x14\x0f\x68\x78\x8c\x8c\x2b\x01\x0d\x57\xd8\x61\xd5\x48\x57\x1c\xb6\xea\x9b\x79\x37\x35\xab\x3b\x34\xa9\x22\xd4\x54\x31\x72\x1f\xbe\xb6\x5a\x77\x18\x2c\x59\x7e\x68\x83\x7d\x94\x1f\xca\x1b\x1f\x6f\x06\x4a\xd5\x8c\x96\xd5\x51\x28\x6e\xa9\x2c\xa8\x1f\x9a\xb2\x03\xdc\x42\x6f\x55\x6f\xce\x53\xbf\x48\xd5\xbb\xdb\xd5\xbb\x41\xe8\x5b\x21\x2d\xda\xf9\xfe\xaa\xe7\x12\xa5\x40\xca\x7e\x71\x97\xb5\x32\x77\x92\x1c\x27\x13\x15\x07\xab\x21\xb2\xaf\x85\xb9\x33\x09\x94\x02\x54\x63\x1a\xa8\x31\x1f\xed\x20\x1f\xea\xd0\x3f\xd0\xd1\xf9\xa4\xdc\x0b\x9e\xe8\x58\x3f\xa7\xaa\x0a\x2b\x0c\xeb\x67\x60\x15\x80\xa5\x90\x4d\xce\x98\x5b\xd4\x5d\x63\xe2\xf6\xc0\x96\xc6\x49\x28\x96\x03\x6f\x32\xdd\x8d\xbf\x0d\x4f\x80\x1e\x15\x18\xdd\x13\x81\xe7\x4e\x72\x92\xcd\x09\xb6\x2c\xc4\xef\xe9\x68\xb1\xc4\x17\x7b\x6a\x1f\xf7\x72\x5f\xd2\xc8\x17\x35\xfd\xf3\x5a\xe7\xe7\x24\x80\xf8\x94\x76\xd8\xf3\xf3\xa0\xe2\x15\x3d\xe8\x76\xcf\x30\x67\xd9\x25\xd3\x18\x4e\x7c\x05\x40\xc3\x5c\x1b\x2b\x07\x31\x9d\xa0\xdf\xca\xc3\x87\x03\x49\xc3\xb1\xf3\x62\xb7\xa5\x4e\x21\x30\xbc\x45\xd1\xa7\x9c\xc4\x50\xa2\x5e\xc9\xa1\x59\x83\xd7\x08\xac\xa8\x68\x2c\x01\xa2\x4d\xed\x00\x59\xbd\xb9\x11\x9a\x95\x60\xf8\xac\x3e\x06\xb6\x3a\xdb\x41\x1d\x97\xdd\x12\x77\xd9\x3d\x44\x0e\xea\x07\xcc\xfd\x92\xf0\x7d\xbb\x4a\x15\xaf\x2e\xf1\x99\xc0\x18\xd7\xff\xf4\x51\x92\x1d\xb0\x4a\x76\xbd\xfc\x7e\xd4\x5f\xb0\xf3\xd4\xca\xe7\xbd\xb2\x1b\x06\xfa\x7b\x1f\xd5\xdf\xb8\x9d\x6c\xce\x7b\x3e\xdb\x56\x3b\xfb\x1a\xa4\xf8\xe3\x6f\x0f\xf3\xb7\x7b\x4d\xf6\xf4\x88\xe7\xd3\x44\xc4\xf3\xc4\x33\x6b\x9c\x07\x8a\x89\xfe\x90\x07\x89\x89\xfe\x90\x07\x89\x3c\x48\xe4\x41\xae\x23\x1e\xe4\x1a\x0a\xa5\xbc\x66\x78\x90\x18\xe3\x17\x79\x90\xc8\x83\x44\x1e\x24\xf2\x20\x31\xd1\x1f\x06\x21\x7d\xe6\xd0\x16\xd7\x7c\x10\xd2\xab\x32\xd1\x9f\x55\x3b\xfd\xd7\x61\x8e\x38\x1e\x22\x07\x01\x71\xdc\x4b\xee\x21\xbb\x6b\x22\x8e\x79\xcf\xa7\x60\x8e\x4a\xa0\x46\xc7\xed\x40\x26\xde\x9a\x6c\x0c\x28\xf6\xeb\x3b\x52\x02\xa4\x9a\x66\x94\x62\x2b\x51\x36\x69\x94\x3d\xd0\x7c\x62\x6b\x0c\x88\xdd\x14\x27\xfb\x4b\x62\x5f\x77\xf1\x1b\xab\x84\x7e\x71\xb0\x6a\x8c\x8c\x90\xe1\x0a\x0b\xce\x20\x19\x58\x66\xe7\xa2\xe1\x06\xe9\x70\x2d\xd2\xe1\xbe\xab\x91\x1c\x5f\xdd\x07\xc8\x7e\x58\xdd\xbb\xc9\xf2\x27\x20\x39\xc2\x29\x70\x0f\x90\xfb\x63\x0a\x5c\x4b\x05\x1d\xe5\x16\xf1\x61\x72\x48\xb1\x88\xb7\x54\x52\xeb\x19\x47\x79\xfa\xbf\xe6\xa4\x54\xaa\x3c\x4a\x17\x5d\xbd\x7f\xda\x17\x4b\xa1\x6d\xe9\xf9\xff\x92\x12\x29\xcb\x1f\xe2\x12\x29\x35\x05\xe0\x4a\xca\x26\xcc\x02\x88\xc8\x2c\x22\xb3\x88\xcc\x22\x32\x8b\x59\x00\x31\x0b\x20\xd2\x94\x31\x0b\x20\x5a\x08\xd0\x42\x80\x16\x02\xb4\x10\xa0\x85\xa0\x2d\x16\x02\xf4\x56\x41\x6f\x15\xf4\x56\xc1\x2c\x80\x68\x80\x43\x03\xdc\x55\x9e\x05\x70\x19\x49\xfb\x9a\x04\x96\x1b\x98\xbc\x54\x88\xf9\x6a\x24\xb6\xff\xd6\x8d\x3c\x0d\x20\x10\xdb\xbd\x82\x8c\x4f\x32\x50\xf2\xbd\x8b\x4b\xfa\x7b\x6e\xd4\x5f\x9f\x89\xd1\xf2\xbb\xf3\x9e\xeb\xb2\x2f\x3a\x32\x76\x3a\xe6\x6d\x87\x9e\x01\x4f\xb3\x89\x72\xd2\x2b\xd0\xde\x9b\xc5\x63\x1c\x30\x3f\x42\x43\x76\x75\x92\x3d\xb2\xab\xa3\x77\xa0\x97\x07\x11\xd9\x4b\x6e\xe5\x53\xe3\x87\xc8\xb3\x61\x6a\x5c\x47\xae\xf9\xb8\xb6\x85\x88\xc6\x35\x1c\xea\x3b\xd3\x87\x9a\xe8\x5b\x44\xed\xe4\xf1\xa9\xc6\x23\x3c\xa0\xf7\xf3\x71\x95\x4d\x14\x00\x79\x0d\xe3\x41\x67\x6a\x77\x4c\x3e\xd8\x7c\x77\x4c\x96\xd7\x76\x77\x54\x4e\xf8\xba\x1d\x63\xbe\x51\xe9\x8e\xed\xb2\x3b\x4e\x4d\xd7\xeb\x8f\xce\x64\x7f\x78\xc1\x33\xa8\x43\x7a\xdf\xa2\x74\x48\x77\xd4\x21\xa3\x63\xc7\xc7\x4e\x8f\xd5\xe9\x92\x5b\x13\x5d\xc2\x2d\x35\x2b\xd1\x29\x2b\xf0\xc5\x4d\x74\xf4\xae\x9f\x54\x3a\xa5\x27\xea\x94\x53\x93\xa7\xc7\x4f\x9d\x9c\xae\xd3\x2b\xb7\x25\x7a\x45\x54\xfe\xcc\xe9\x96\xa1\xd4\xc5\x73\x74\x6c\x78\xb4\xe9\xc5\x73\x94\x5a\x85\x67\x4e\x87\xe4\xde\xac\x74\x48\x97\x94\x26\xc3\xa7\x47\x8e\xd6\xe9\x91\x5b\x92\xe2\x84\x69\x3a\x57\xae\x4b\x96\xb5\x99\x34\xd1\x25\x13\x07\xc9\x01\x7d\xbf\xb9\x57\xea\x14\xb7\xaa\xde\x76\x95\xf5\x54\xfb\xda\xcd\x90\xf3\xfa\x63\x9d\x8f\x44\x0a\x43\x6e\xd2\x0a\x39\xea\x34\x47\x8d\x07\xa7\x8e\x1b\xac\x4c\x50\x38\x03\x2a\x35\xc6\x7c\xd9\xf7\xd9\xc9\x9c\x77\x73\x74\xd6\x08\x3d\x83\x29\x08\x59\x13\xda\xa1\xea\x10\x1f\x3e\x4f\x0e\xf3\xf0\x68\xb3\x8e\xb7\x98\xf7\xdc\xd0\xf7\x9c\xac\xf4\x1e\xaa\x0c\x96\x56\xf2\x6d\xcf\xb7\xc3\x25\x87\x2e\x50\x27\x61\xbd\x0c\xf4\xff\xff\x39\xfd\xb5\x5d\xe4\x56\xa5\x9c\xe1\xa8\x18\xe9\x9b\xbe\xaf\xbe\x27\xdd\xa4\x28\xfe\x38\x2b\x7e\x44\x2d\xbe\x77\x3f\x7b\xf3\x70\x4a\xd9\xc2\x5d\xbd\xf6\xab\xe8\x6c\x87\xce\x76\xe8\x6c\x87\x94\x0e\xa4\x74\x20\xa5\x03\x29\x1d\x6b\x86\xd2\xb1\x76\x18\x0b\x68\x4a\x47\x53\x3a\x9a\xd2\xd1\x94\x8e\xa6\xf4\x75\x6d\x4a\x47\x5b\x1f\xda\xfa\xd6\xa9\xad\xef\xaa\x74\xb6\xab\x1d\x75\x8b\x3c\xc6\xd1\xc2\xb3\xe4\x41\x40\x0b\x4f\x91\x13\xe4\x58\x4d\xdf\x17\x15\xf8\x8a\x42\x7c\xd5\x46\x93\x54\x27\xbc\x97\x34\x86\x15\x1f\xd2\xcf\x08\xcc\xb0\x1e\xbe\x26\x30\xd8\xda\xb5\xa6\x24\xb4\x6c\xe4\xaf\xf7\x3b\xa4\x01\x16\xb7\x4d\x3a\xf1\xd5\x81\xdd\x0e\xf0\x87\xae\x2c\xf0\xc6\x71\xb2\x47\xc9\x0b\xc9\x0b\x2a\xfc\xfc\xc6\xc9\x91\x36\x8d\x2b\x52\xcc\xd1\xff\xaf\x45\xff\xbf\x5f\xcd\x90\x87\xb9\xc0\x99\x26\xcf\x07\x81\x73\x8c\xb4\x6f\x62\x92\x73\xdc\x2f\xf0\x21\x72\x26\xf6\x0b\x6c\x6b\x05\xe7\xb9\xbf\xe0\x0b\xc8\x59\xc5\x5f\xb0\xad\x35\x5c\xae\x1f\x61\x73\x82\xb6\x56\xf8\xc4\xcb\x93\xbc\xbd\x9f\xec\x6f\x20\x48\x07\x52\xfd\x10\xeb\x08\xd5\x31\xfe\x42\x1d\xa1\x1a\x3b\x2a\xae\x9a\x78\x45\x57\x45\xc4\xb5\x11\xd7\x46\x5c\x1b\x71\x6d\x74\x55\x44\x57\x45\x74\x55\x44\x57\x45\xb4\xaf\xa0\x7d\x05\xed\x2b\x68\x5f\x41\xfb\x0a\xba\x2a\xa2\xab\x22\xba\x2a\xa2\xab\x22\x9a\x2f\xd1\x7c\xb9\x06\xcd\x97\x6b\xda\x55\xf1\x4a\x1a\x09\xdb\xef\x73\xf8\xbe\x6e\x32\xc0\xfd\x05\xb8\x0c\x93\x9e\x01\x30\xf4\x03\x25\xaf\x50\xb0\x03\xbf\x0c\x98\xee\x4c\xb9\x50\xa4\x61\xa0\x7f\xb7\x4b\xff\xdb\x0d\xe4\x7a\xfe\x82\x44\xcd\x7f\x44\xa8\xa6\x6e\xc1\x5e\xb0\x0b\x65\xcb\x51\xad\xcc\x96\x3c\x06\x4e\x7a\x85\x51\x59\x62\x0e\x4a\xcc\x2a\x9b\xfe\x90\x54\x17\xba\xa0\xbc\xae\x18\x8e\x4d\xe0\x6b\x5e\x89\xca\x23\x7d\x10\x52\xab\x90\xed\xdd\x0f\x2f\x70\x41\x1a\xd9\x32\xab\x2b\x3b\x6e\x07\xe1\x61\xcf\x1f\x76\x1c\x19\x32\x30\x58\xe3\x1e\x05\x13\x17\xc8\x24\x5f\x0e\xe3\xe4\x08\x2c\x87\x61\x72\x88\x1c\x6c\x61\x39\x00\x03\x60\x8c\x9d\xe7\x1a\x2e\x89\x6d\xe9\x4b\xe2\x5a\x9d\x40\xc3\xc0\x26\xfd\xf8\x63\x8d\xd7\xc2\x01\x7d\xbf\x58\x0b\x7c\xbe\x44\xb3\xbe\x7a\x64\x52\xa6\x3b\xba\x52\xa0\x2b\xc5\x04\x9a\x9c\xd0\xe4\x84\x26\x27\x34\x39\xad\x1b\x93\xd3\xc4\x9a\xb1\xa8\xb4\xbd\x25\x2d\x43\xfd\x13\x08\xf5\x23\xd4\x8f\x50\x3f\x42\xfd\x08\xf5\xaf\x3e\xd4\xdf\x76\xd8\x61\x62\x5d\x83\x9b\x13\x08\x6e\xae\x1c\xb8\x39\xb1\xe6\xc1\xcd\xab\xd0\x37\x43\xff\xce\xa3\xe4\x10\x87\x09\xfd\x19\x2b\x9f\x8d\xe0\x22\x28\x2a\x8e\x29\x52\x2b\x1d\xb7\xef\x39\x34\xd0\x3f\xf8\xa8\xfe\xf6\xed\xe4\x39\xac\x80\x61\xf5\xfd\x73\x0b\x83\x9d\x66\xfd\x38\x22\x53\x9e\x43\x7b\xef\x66\xcf\x4c\x55\xbe\xad\xa6\x25\x62\x8f\xad\x71\x2c\x0f\xa3\x83\x20\xa4\x85\xd1\x41\x10\xd2\x42\x48\x0b\x21\xad\x75\x04\x69\xad\x21\x92\xf0\x9a\x81\xb4\x90\xbd\x8a\x90\x16\x42\x5a\x08\x69\x21\xa4\x85\xd1\x41\x90\x5e\xf7\xcc\x41\xa0\xd6\x3c\xbd\xee\xaa\x8c\x0e\x72\xb6\x76\x74\x90\xfb\x38\x39\xea\x1e\xb2\x1b\xc8\x51\xfd\x64\x07\xe9\xa9\xe9\xe9\x0e\xf8\xd5\xc2\x60\x76\xca\x73\xa8\x1a\xfb\xe3\xd1\xc6\x54\xa6\x21\x7d\x9f\xa0\x32\xd5\x04\xc1\x04\xbb\x89\x15\x9e\x0c\xb8\xdc\x28\xba\xc7\x77\xb6\xd4\x40\xc6\xae\x93\x51\x3d\x00\x04\xeb\xe2\x7f\xae\x1e\x0c\xc6\x51\xab\x03\x64\x3f\xd9\x5b\x11\xab\xa3\x8b\xdc\xdd\x54\x2f\xa3\x07\x25\x46\xe2\x68\x31\x12\xc7\x57\xb4\xda\xab\x7e\x1f\x5f\xf5\x83\x64\x00\x56\x7d\x0f\x69\x76\x3e\x92\x83\x3c\x00\xc7\xbd\x64\x4f\x1c\x80\x63\x19\xaf\xdf\xcf\xc3\x6b\xec\x25\xf7\x28\xe1\x35\x9a\x7f\xbf\xd9\x18\x19\x2b\x2b\x90\x7a\xbf\xdd\x57\x43\xe0\xdc\x9c\x1a\xfd\x02\x84\xcf\x20\xbf\x95\x22\x7c\xd2\x12\x71\xaf\x80\x18\xc2\x98\x16\x88\xc6\x22\x1a\x8b\x68\x2c\xa2\xb1\x18\xd3\x02\x63\x5a\x60\x4c\x0b\x8c\x69\x81\x56\x01\xb4\x0a\xa0\x55\x00\xad\x02\x68\x15\x68\x8b\x55\x00\x63\x5a\x60\x4c\x0b\x8c\x69\x81\x31\x2d\xd0\xe8\x86\x46\xb7\xab\x3c\xa6\xc5\x0a\x1b\xb4\x96\x11\x32\xe3\x6a\xcc\xc5\xfd\x96\x6e\x92\xe5\x84\xf7\x82\x1d\xe4\x3d\xa6\xfc\x28\x3c\x77\x1e\x1c\x83\xba\x85\x92\x67\xbb\x61\xe0\xd8\x79\x1a\xe8\x7f\xd5\xa5\x7f\x75\x03\xb9\x56\x3e\x7f\x6e\x61\xb0\x73\xa9\xb9\xa0\x18\x63\xa2\xa4\x69\x56\x52\x9b\xc2\x61\x0c\xc2\x0b\xa3\x51\x6b\xce\x0c\x26\x2a\xc1\x30\x18\x6d\x0c\x83\xb1\xac\xa5\x56\x39\x9f\xc4\x0a\x4b\x8c\x4e\x32\x95\x3d\xba\x0c\xa0\xcb\x00\x46\xc1\x40\x23\x15\x1a\xa9\xd0\x48\xb5\x7e\x8c\x54\x18\x05\x03\xa3\x60\xa0\x71\x00\x8d\x03\x68\x1c\x40\xe3\xc0\x9a\x30\x0e\x60\x14\x0c\x8c\x82\x71\xb5\xc0\xa1\x18\x05\x63\x25\xa2\x60\xfc\xef\x47\x49\x0f\x07\x05\x5d\x1a\x2e\x7a\xfe\x05\xa6\xad\xc5\xa8\xa0\xed\x16\x7d\x1a\x04\x79\xc7\x0a\x02\x1a\xe8\xdf\x7f\x44\xff\x5f\xdb\xc9\x75\xf1\xa3\xe7\x16\x06\x3b\x7b\xeb\x07\xba\x18\xe7\x45\x8c\xb0\x22\x7a\x6f\x65\xcf\x9e\x94\xaf\x9f\x19\x54\xef\xae\x71\xb0\x0e\xe3\x5c\x20\x68\x85\x71\x2e\x10\xb4\x42\xd0\x0a\x41\xab\x75\x04\x5a\xad\x21\xe2\xf0\x9a\x01\xad\x90\xd1\x8a\xa0\x15\x82\x56\x08\x5a\x21\x68\x85\x71\x2e\x90\x72\xf7\xcc\xc1\x98\xd6\x3c\xe5\xee\xaa\x8c\x73\x41\xc9\x04\x27\x39\x8d\x90\x61\x20\x39\x41\xe8\x85\x9a\x9e\xe5\x0a\x10\xb5\x30\x98\x55\x01\xa2\xe3\x76\xd0\x98\xde\xd4\x20\x2c\xc5\xf2\x98\x4d\x55\xa0\x98\xa0\x36\xa9\xad\x4a\x30\x9b\xcc\x9f\xd9\x5a\x89\x8f\x3d\x37\x0a\x77\xe1\x26\xb1\xb0\xdb\xf9\xf5\x15\x47\xc3\x38\x78\x35\x4e\x8e\x90\xb1\x8a\x70\x17\xf7\x90\xdd\x2d\x8c\x02\xba\x5a\x62\xf0\x8b\x16\x83\x5f\xfc\x97\x46\x0e\x73\x51\x70\x88\x1c\x04\x51\xb0\x97\xb4\x36\x09\xc9\x31\x1e\xf1\x62\x94\xe4\xe2\x88\x17\x2d\x17\x76\x9c\xc7\xbf\x18\x23\x23\x4a\xfc\x8b\x96\x4b\x6b\x2b\x8d\x79\xd9\x12\xa8\x51\x14\x8e\xde\xbf\xe9\xab\x94\x50\x77\xa6\xc6\xc7\x48\x08\xab\x6e\xfe\x88\x2a\xac\xe2\x00\x19\x2b\x28\xb6\x30\x3c\x06\x82\xb8\x08\xe2\x22\x88\x8b\x20\x2e\x86\xc7\xc0\xf0\x18\x18\x1e\x03\xc3\x63\xa0\x31\x01\x8d\x09\x68\x4c\x40\x63\x02\x1a\x13\xda\x62\x4c\xc0\xf0\x18\x18\x1e\x03\xc3\x63\x60\x78\x0c\xb4\xd5\xa1\xad\x6e\x3d\x85\xc7\x58\x3e\xae\xbc\x9c\xf0\x18\x6d\x0f\x5e\xf1\xee\x1e\xb2\x8b\x4d\xa9\x3a\x29\x19\x4b\x5e\x21\xa4\xf3\x25\x80\xa2\xf8\x8d\x97\xe9\x7f\xdf\xad\x7f\x3b\x43\x36\xe7\x3d\x9f\x9e\x5b\x18\xec\xbc\xdd\xa7\x56\xa1\xe2\x28\x3a\xe9\x15\x4e\x8b\xd7\x7a\xef\x60\xf7\x47\x3c\x9f\xaa\xb1\xe7\x95\x07\xda\x0b\x6e\x4f\x3c\x4c\x0e\xf1\x09\xb2\x8f\xdc\x0b\x13\x64\x27\xc9\x92\xbe\x9a\x26\x07\xf6\x15\x6c\x3a\x28\x0d\x6a\x38\x27\x6e\x4b\x1f\xb4\x4d\xfa\x86\x22\x0d\xc9\xe3\x27\x1a\x4f\x99\x5e\xbd\x5b\x9d\x06\x62\xfa\x98\xa6\x98\x2f\x6a\x63\x3a\x7f\x69\x4b\xdc\xd7\x77\xfa\xb4\xe4\x58\x79\x5a\xa7\xbb\x4d\xf1\xc8\xaa\xf5\x78\x2e\x47\x1e\x20\xf7\x57\x58\x41\x97\xd9\xe5\x08\xa5\xa1\xf9\xb3\x45\xf3\xe7\xcf\x6a\x97\xbf\xe0\x47\xb9\xdd\x93\x6d\x25\xd2\xee\xb9\x9a\x62\xa3\x54\x6e\x5a\x6c\xd4\x13\x15\xc9\xc0\xfd\x37\xc4\x62\xe3\x39\x42\x93\xb5\x12\x92\x42\x58\x28\x57\x4f\x50\xac\x8c\xdd\x11\x45\x47\x03\xd1\x81\xd8\xf7\xaa\x60\xdf\x08\x7a\x20\xe8\x81\xa0\xc7\x4a\x81\x1e\x13\x3f\xa7\x91\x31\xce\x28\xba\x9f\xdc\xa7\x30\x8a\xda\xb7\x4f\x5f\xb6\x1e\x11\x6d\xf4\x46\xfa\x46\xbf\x55\xdf\xcc\x3b\xa3\xdd\x7b\x7d\xee\x1f\xae\x89\xf7\xfa\xde\x92\xe5\x87\x36\xd0\x3c\x38\x40\x5c\xe7\xac\x60\x94\xd8\x29\x7e\x55\x14\x80\x5b\x2a\x0b\xea\x87\xba\x77\xb0\x9f\x43\xb7\xaa\x37\xe7\xa9\x5f\xa4\xea\xdd\xed\xea\xdd\x20\xf4\xad\x90\x16\xed\x7c\x7f\xd5\x73\x89\x52\xd8\xef\x25\x71\x97\xb5\x32\x77\x92\x1c\x27\x13\x15\xa7\x94\x21\xb2\xaf\x05\xf5\x63\x12\x1c\x59\x51\xed\x68\xa0\x76\x7c\xb4\x83\x7c\xa8\x43\xff\x40\x47\xe7\x93\x52\x76\x3f\xd1\xb1\x7e\x4e\x2c\x15\xe6\x3a\xd6\xcf\x40\x83\x02\x93\x32\x9b\x9c\xb1\x47\x7b\x77\x8d\x89\xdb\x03\x5b\x10\x67\xcd\x59\x0e\xbc\xc9\x74\x2d\xfe\x36\x3c\x01\x7a\x4f\x60\x74\x4f\x04\x9e\x3b\xc9\x5d\xbb\x4f\xb0\x65\x21\x7e\x4f\x47\x8b\x25\xbe\xd8\x53\xfb\x28\x95\xfb\x92\x46\xbe\xa8\xe9\x9f\xd7\x3a\x3f\x27\xc1\xbf\xa7\xb4\xc3\x9e\x9f\x07\x95\xac\xe8\x41\xb7\x7b\x86\x39\xcb\x2e\x99\xc6\x70\xe2\x2b\x00\x35\xe5\xda\x53\x39\x88\xf9\x4f\xfd\x56\x1e\x3e\x1c\x58\x65\x8e\x9d\x17\xbb\x23\x75\x0a\x81\xe1\x2d\x8a\x3e\xe5\xac\xab\x12\xf5\x4a\x0e\xcd\x1a\xbc\x46\xf0\xc5\x8f\xc6\x12\xd0\xcb\xd4\x0e\x90\xd5\x9b\x1b\xa1\x59\x09\x92\xfc\x2a\x60\x41\xed\x05\x7b\x1e\xbf\x23\x7d\xeb\xd8\xa2\x6f\x82\xcf\x25\x13\xfb\xc8\xbd\xfa\x1e\x73\x97\x8c\x91\x7b\x13\xac\x1f\xb1\x98\x95\xa2\xcc\x0d\xec\x86\x1a\xfb\xf6\x2a\x8c\xae\xfb\xe7\xdd\xa4\xbf\x01\x40\x19\xd0\xbc\x4f\x43\x89\x4d\xbe\xbf\x5b\xff\x13\x05\x9b\xbc\x39\x05\x9b\x9c\x86\x37\x7a\x3b\xd3\x60\x49\x7e\xaf\xcd\x88\xe4\x83\x64\x88\xcf\xc2\xdd\x64\x10\x66\xe1\x0e\xd2\x43\xba\x1a\xce\x42\xde\x96\xcb\x05\x23\x8f\x36\x9e\x9f\x77\xeb\xdb\xf8\x4c\x14\x35\xa6\x4f\xd6\xce\xb7\x29\x38\xe4\xad\xe9\x38\xa4\xe8\xda\xdb\x6a\x40\x90\x2b\xd1\xbb\x39\xc0\xff\x2b\xf6\xf5\xe6\xbb\x17\xb7\x71\x04\x1e\x5b\x04\x1e\xdf\xa6\x5d\xd6\xba\x3e\xc4\x31\x47\xb6\x33\x49\xcc\x71\x95\x04\x03\xc0\x8d\xcd\x09\x86\xca\xcd\x2a\x45\x44\xf4\xfe\xab\x82\x34\xde\x20\x91\x46\x21\x0b\x6e\x4d\x07\x19\x57\x44\x14\x20\xbe\x88\xf8\x22\xe2\x8b\x88\x2f\x22\xbe\x88\xf8\xe2\xb2\xf1\xc5\x4f\x6b\x6d\x66\x96\x4c\x71\xb4\xf2\x18\x19\x57\xd0\xca\x15\x66\xab\x34\x46\x1e\x9b\xdb\xf6\xeb\x9d\x57\x85\x0a\x90\xfb\x63\x05\x74\xbc\xbb\x01\xe8\x28\x94\x81\x5b\x52\xf1\xc6\x76\xeb\x02\x08\x35\xae\x37\x0d\x04\xa1\x46\x84\x1a\xaf\x30\xd4\xb8\xb2\x20\x4f\x23\x58\xb0\x7d\xa7\xb9\x89\xdd\x64\x50\x1f\x30\xfb\x25\x4c\xa8\xab\x00\x23\x7f\xe1\x19\x81\x2d\xbe\xb6\x9b\xdc\x15\x61\x8b\x3c\x4f\x57\x24\x18\xdd\x70\xc1\x73\xca\xf3\x34\xef\x58\xf6\x7c\xa0\xff\x75\x97\xfe\xc7\x1b\xe2\xad\xee\x15\x5a\x73\xb9\xba\x26\x65\x69\x67\xa0\xb4\x11\x56\x5a\x9b\x72\x76\xed\x59\x8c\xf7\xd1\xd4\x7a\x30\x6d\x57\x1b\xd3\x76\x9d\x6d\xbc\xb6\xf6\xe8\xbb\xaa\x60\xfd\xb4\x71\xc1\x84\x5d\x18\xfb\x18\x13\x76\x61\xd8\x0c\x0c\x9b\x81\x61\x33\xd6\x6b\xd8\x0c\x4c\xd8\x85\x09\xbb\x30\x5c\x01\x86\x2b\xc0\x70\x05\x18\xae\x60\x4d\x84\x2b\xc0\x84\x5d\x98\xb0\xeb\x6a\x71\xd0\xc6\x84\x5d\x2b\x91\xb0\xeb\xb3\xb7\x90\xfb\x79\xc2\x2e\x8b\x1d\xba\x8a\x36\x98\x7e\xd8\xd3\x32\x6b\xd7\x0c\x0d\xad\xc1\x01\x71\xde\xb7\x25\x0b\xf1\x65\x03\x01\x58\xe6\xf4\x97\xdf\xa2\x7f\xa1\x83\xdc\x54\xf1\xfe\x39\xf1\x62\x67\x17\x10\x11\xf9\xb3\x51\xaf\xc7\x5b\xf0\xf0\xe4\xf8\x34\x2f\xb6\xb7\x97\x3d\x38\x9c\x2c\xe5\x0c\x2f\x24\x7e\x8a\x5b\x03\xdb\x4c\x53\xfc\x61\x92\xe7\xf8\xdb\x23\xe4\x61\xc0\xdf\x80\x4e\x93\x8a\xbf\xb1\x32\xfa\xad\x62\x91\xcd\x98\xd0\xf3\x63\x08\xae\xb2\xfb\xc4\xe7\x67\xe3\xa6\x37\x84\xe4\x68\x63\xb4\x2d\xa7\x3f\x20\xd0\xb6\xf4\xe1\x52\x51\x36\xa8\x5f\x40\x72\x4a\x2b\x1a\xd0\x26\x3b\xbf\xb1\xb5\xf6\x58\xf6\x46\xe4\xc7\x26\x86\xb3\x5f\x3c\x7b\x25\x46\x34\x37\x4b\x0a\x64\xa6\xc2\x0e\xb9\x02\x43\x8a\xf6\x49\xe4\x50\xb6\xc8\xa1\xfc\x07\x6d\x75\x84\xce\x1c\x27\x5b\x5a\xe4\x5c\x4c\xb6\x5c\xa7\xe2\xad\x54\x0e\x49\xee\xf3\xd7\xd6\x16\x6f\xbb\xab\xb8\x1c\x4d\xc8\xb9\x1d\x60\x87\x5c\x6d\x29\x87\x4c\x8f\xf5\x26\x49\x91\xe9\x81\x4c\x8f\x2b\xcc\xf4\x58\x5f\x7a\x72\x43\x87\xb4\xbd\xe4\x1e\x7d\xb7\x39\x28\xa9\x1f\xcf\x55\xf9\x22\x71\x49\xd5\x9c\x91\xb6\x33\x3a\xbe\xb1\x9d\xdc\x10\x31\x3a\x84\x5b\x98\xfe\xf9\xed\xfa\xaf\x75\xc4\xe4\x8d\xbb\xea\xa7\x55\x16\x34\x45\x38\x40\x73\x76\x05\xbf\x72\xb5\x51\x29\x5e\x40\xee\xe7\x53\x74\x2f\xb9\x07\xa6\xe8\x00\xe9\x27\x3b\x9a\x24\x23\xb5\x25\x21\x50\xdb\xdc\xce\x90\x24\x81\x24\x09\x24\x49\x20\x49\x02\x49\x12\x48\x92\x40\x92\x04\x92\x24\x90\x24\x81\x24\x09\x24\x49\x20\x49\x02\x49\x12\x48\x92\x40\x92\x04\x92\x24\x90\x24\xb1\x5a\x24\x89\xdf\x7b\x8c\x0c\x73\x92\x44\x55\x98\xfb\x3a\xf1\x99\xc4\xb3\xe0\xb1\x6d\xd3\x40\x7f\xd5\x63\xfa\xcf\x6f\xaf\xcc\x95\xba\xa3\x3e\x2c\x27\x12\xa4\x72\x9f\xed\xde\x2e\xf6\xb0\x9a\x33\x35\xf6\x24\x4e\x3c\xb8\xc6\x41\xba\x1c\x02\x5b\x08\x6c\x61\xd2\x5c\x04\xb6\x10\xd8\x42\x60\x6b\xfd\x00\x5b\x6b\x28\x27\xec\x9a\x01\xb6\x30\x59\x29\x02\x5b\x08\x6c\x21\xb0\x85\xc0\xd6\x95\x48\x56\xba\xae\x71\x28\xcc\xa6\xb8\x9e\xb3\x29\xe6\xae\x42\x1c\x6a\x62\x96\x1c\xe3\xe4\xa6\x51\x92\x03\x72\xd3\x7d\xa4\x0e\xe5\x36\xab\x80\x55\x0b\x83\xd9\x04\x42\xd4\x16\xa6\xd3\x63\x8d\x99\x4e\x07\xf4\xfd\x9c\xe9\x94\xa8\x3d\x8d\xf0\x54\x9d\x40\xd2\xfc\xe8\xd6\x4a\xb4\xec\xb9\x7c\x4b\x32\xac\x0a\x60\xac\x87\x5f\x5f\x4d\x68\x8c\x23\x59\x13\xe4\x28\x39\x5c\xc1\x82\xbe\x97\xec\x69\x65\x48\x90\x01\x8d\xbe\x24\x2d\xfa\x92\xfc\x8f\x46\x8e\x70\xc1\xf0\x00\xb9\x1f\x04\xc3\x3e\xd2\xe2\x2c\xe4\x91\x40\x07\x21\x12\xa8\xf4\x17\x69\xbd\xb4\x13\x3c\x12\xe8\x61\x32\xaa\x44\x02\x6d\xbd\xb8\xd6\x25\x56\xc9\x6b\x5e\x62\x35\x48\x69\x5b\x5b\x94\xf5\x7e\xa7\xaf\x52\x62\x99\x22\xe8\xab\x12\x41\xd7\x9b\xad\x90\x5e\xbb\xf9\x33\xaa\xf4\x1a\x91\x8f\xaf\x8e\x1c\x5b\x99\xf8\xe1\x08\xf1\x22\xc4\x8b\x10\x2f\x42\xbc\xeb\x07\xe2\x45\x1d\xae\x81\x0e\xb7\x76\x30\x70\xcc\xdd\xb0\x2a\xb9\x1b\xd0\xd4\x80\xa6\x06\x34\x35\xa0\xa9\x01\x4d\x0d\xeb\xda\xd4\x80\x29\x7c\x30\x85\x0f\xa6\xf0\x59\xa9\x14\x3e\x68\xc9\x43\x4b\xde\x7a\xb5\xe4\x4d\x14\xdb\x9c\xbd\xaa\x11\xc8\xbc\xc2\x20\xf2\xe3\xbd\xe9\x20\xf6\xb3\xf5\x67\x71\x69\x11\x4b\x72\x72\x35\x66\x1f\x79\xcf\xcd\xa4\x2b\x8a\x55\x51\x99\x77\xa4\x32\xb4\xe0\xbf\x3f\x4f\x7f\x42\x89\x61\xd1\x5f\x37\x94\x60\x65\xda\x89\x5e\x23\xce\x73\x5c\x79\x6f\x45\xc2\x08\x9e\x23\xa3\x7c\x22\xb2\x09\xc8\x26\xe2\x3d\x64\x37\x19\x6c\x9c\x73\xbb\xa2\x6d\x97\x9b\xf7\x78\xaa\xf1\xfc\x1c\xd0\xfb\x1b\x25\xed\x48\xcc\xc9\xce\x3f\x53\x32\x20\xef\x6c\x14\x04\xb0\x6a\x20\xb6\x25\xb2\x22\xaf\xc6\x58\xe4\x8e\x90\x31\x32\x52\x61\x98\x6d\x65\x30\x10\xd1\x43\xab\x6c\x8b\x56\xd9\x0f\x6a\x6d\x92\x07\xe3\xdc\x24\x9b\x23\x0f\xc4\x26\xd9\x15\x12\x2d\x2b\x20\x3b\x1a\x05\xe4\x7b\xe5\xb5\xb1\x68\xd9\xdf\x74\x00\xbe\x2a\x19\x73\x67\xa9\x76\x62\x28\x0c\xbe\x87\xc1\xf7\x30\xf8\x1e\x06\xdf\xbb\xaa\x83\xef\xad\x96\x76\xd9\x30\xe1\x62\x73\x7b\x44\x13\x3b\x83\x12\xea\xec\x20\x39\xa0\xef\x37\xf7\xca\x73\xcc\xad\x6a\x28\xbd\xca\x42\x56\x21\xa0\xde\x97\x7b\xc9\x01\xee\xf1\xeb\xcf\x58\xf9\x6c\xd4\x4b\xa9\x91\xd1\xf3\x4e\x39\x08\x99\xa8\x72\xe4\xf9\x45\x7f\x73\xaf\xfe\xbe\x0e\x72\x33\x7b\x79\x58\x7d\x57\x86\x9a\xbd\x1d\x8e\x32\xc9\x3d\x6d\x84\x17\x34\xe5\x39\xb4\x17\xa2\xa6\x4f\x55\xbe\x2e\xc2\xca\x2a\x0f\xb6\xfd\x08\x53\x6b\x7a\x2c\x6f\xf6\x41\xaf\x45\xa1\x1d\x95\xe6\x36\x79\x84\xb1\x1b\x4f\xb1\xc3\xfa\xa8\x98\x3f\x35\x47\x48\x68\x27\x4a\xf5\xd5\x61\x1f\x3b\x7f\xb0\xa5\xde\x30\xdd\x19\x9d\x75\x6a\x8f\x54\x14\x13\x7d\xd5\x07\x6b\xd9\x67\x9c\x5a\x83\x82\xdb\x3f\x9e\x71\x56\xe9\x8c\x53\x6b\x0a\xb6\x70\xc6\xa9\x59\x54\xeb\xf0\x09\x3b\x8f\xac\xa2\xec\xe9\xfd\xe4\x8d\xf5\x64\xcf\x73\x84\xb1\xc1\x4a\x88\x9b\x1e\x7e\x75\xf5\xa5\xcd\xca\x50\x44\x51\xf4\x34\x10\x3d\x48\x53\x5a\x15\x9a\x12\xda\xa7\xd1\x3e\x8d\xf6\xe9\x95\xb2\x4f\x4f\x7c\x5a\x6b\xb3\x91\x6e\x8a\x3b\x96\x1c\x23\xe3\x8a\x63\xc9\x0a\x1b\xfe\x8c\x74\xc5\x61\xab\xbe\x99\x77\xd3\x6a\xea\x0e\xb9\xf7\x5e\x5b\x4f\x77\xe8\xad\x02\x52\x6b\x1f\x60\xba\xe1\x5c\xbf\xaa\x0a\x05\x02\xa8\xeb\x4d\x8d\x41\x00\x15\x01\xd4\xab\x0b\x40\x6d\xf9\x7c\xb9\x7a\x9b\x40\xe3\x14\x25\xfb\xc8\xbd\xfa\x1e\x73\x97\xc4\x55\x6f\x52\x71\x55\xa5\xec\x55\x80\x54\xbf\xda\x43\x76\x72\x48\x35\x08\x3d\xdf\x2a\x52\x25\x82\x22\x67\x7f\x58\x61\x68\xe5\xe7\xe6\x99\x86\x11\xe1\xa8\xef\xee\xd1\x5f\xd3\x41\x88\x78\xe3\xdc\xc2\x60\xe7\xb6\x14\xe0\x94\xc3\xc2\xc3\xf2\xf5\xde\xdb\xd8\x43\xd3\xfc\xa5\x33\x83\x95\xb7\xdb\x8c\x99\xce\xd4\xc6\x4c\x97\xe5\x95\x1b\x75\xcb\xc2\x60\xb6\xb2\xc5\x2d\x51\x8f\x92\xdd\x2c\xe6\x53\x65\xc9\xcd\x9a\x6a\x21\x35\xe4\xb7\xb6\x24\x86\x62\x7b\x3a\x38\x5a\x35\x1a\x86\x78\x6e\x95\x06\x64\xd9\x4e\xf9\x75\x3a\x1e\x37\x76\x84\x46\x5b\x84\x46\x7f\x41\x6b\xc1\x97\xbe\xce\x54\x5c\x3d\x29\xd3\x00\x20\x5d\x61\x21\xd4\xfb\xe6\x1b\x13\x52\xe6\x66\x09\x83\x56\x09\x96\x3b\xf8\xad\xd5\x92\x2b\x88\x80\x22\x02\x8a\x08\x28\x22\xa0\x88\x80\x22\x02\xba\x6c\x04\xf4\x63\xcb\x8c\xd1\x53\x4f\x13\x68\x21\xaa\x4e\x2b\x8a\x45\xf3\xb8\x67\x73\x2a\x41\x0a\xf7\xa7\x39\xf5\x20\xf7\x63\xd7\x26\x54\x82\x81\x06\xe8\x66\x95\xa2\x70\x3b\x1c\x87\x57\x41\x4f\x40\x60\x73\xbd\x69\x27\x08\x6c\x22\xb0\x79\x85\x81\xcd\x99\xf6\xed\x2c\x97\x4d\x0e\x5d\xe1\xc3\x61\x7d\xa2\x68\xe5\xab\xab\x80\x6a\xbe\xbf\x8b\xdc\x1e\x79\xb3\xf9\x54\xce\x6f\xb6\xd4\x7c\xa6\x96\xf8\x81\xfe\xaa\x2e\xfd\x3f\x14\x27\xb6\xdd\xf5\x33\xbe\x4c\xc5\x85\x8c\xc8\x42\x7a\x07\xe2\xbc\xcc\xa9\x0f\x5c\x6d\x69\x9a\xe7\xb8\x0e\xb3\x13\x74\x18\x36\x65\xef\x27\xf7\x91\xa1\x86\x64\xe6\xd4\x6f\x6f\x4b\x2c\xd3\xb3\x8d\xe7\xed\x1e\x7d\x57\xa5\xe3\x4b\x6a\x7b\x92\x13\x16\x73\xdd\x60\xae\x1b\x4c\xe2\x8c\x81\x10\x31\x10\x22\x06\x42\x5c\x3f\x81\x10\x31\x89\x33\x26\x71\xc6\x00\x74\x18\x80\x0e\x03\xd0\x61\x00\xba\x35\x11\x80\x0e\x93\x38\x63\x12\xe7\xab\x25\xe4\x16\x26\x71\x5e\x89\x24\xce\xff\xfe\x08\xb9\xbb\x06\xff\x50\xf8\x71\x07\xb6\xeb\x15\x68\xa0\xff\xfe\x23\xfa\x4f\x6c\x27\x37\xc4\x06\x27\xce\xa9\xbf\xbb\x3e\x70\x37\x32\x3d\x7e\xd2\x2b\xd0\xde\x9b\xd9\x63\xd2\xd4\xc4\x39\xf4\xfc\xd6\x1a\x07\xe5\x30\x2d\x33\x42\x55\x98\x96\x19\xa1\x2a\x84\xaa\x10\xaa\x5a\x47\x50\xd5\x1a\x4a\x49\xb1\x66\xa0\x2a\xcc\x95\x80\x50\x15\x42\x55\x08\x55\x21\x54\x85\x69\x99\x31\x98\xfb\x33\x07\x59\x5a\xf3\xc1\xdc\xaf\xca\xb4\xcc\xed\x77\x00\x15\x4e\xc7\x1c\x36\x3a\x6e\x07\x61\xb3\x34\xa6\x87\x1b\xd3\x98\xf6\xea\xf7\xd4\xa3\xdf\x89\x4a\xab\x9d\x8d\xcd\xd7\x6e\xad\xc6\xc4\x6e\x94\x09\x99\x23\xf8\xeb\x16\x7e\x65\x65\x01\x30\x8e\x57\x1d\x26\xa3\x24\x57\xc1\x75\xde\x45\x76\x2e\xb7\x7f\x91\xe3\x8c\x3e\x9e\x2d\xfa\x78\x7e\x4f\xab\xbd\xf4\x47\xf8\xd2\xbf\x8f\x0c\xc1\xd2\xdf\x43\x5a\x98\x9a\xe4\x28\xf7\x20\x1d\x26\x87\x62\x0f\xd2\xd6\x4a\x1a\xe7\x3e\x23\x39\xf2\x80\xe2\x33\xd2\x52\x51\xcd\x26\x5b\x6e\x4e\x16\x55\xc9\x99\x66\x84\x53\xef\x9f\xf5\x55\xcb\xa2\x5b\x53\x53\x2d\x47\x72\xe9\xee\x0a\x5f\x51\x2e\x97\xe4\xa3\x2b\x23\xa1\x30\xad\x32\x42\xb4\x08\xd1\x22\x44\x8b\x10\x2d\xa6\x55\xc6\xb4\xca\xe8\xad\x8f\x69\x95\xd1\x54\x80\xa6\x02\x34\x15\xa0\xa9\x00\x4d\x05\x6d\x31\x15\x60\xd0\x16\x0c\xda\x82\x41\x5b\x30\xad\x32\x5a\xe2\xd0\x12\x77\x95\xa7\x55\x5e\x46\xda\xe3\x95\x34\x73\xb5\x3f\x44\xc4\x3f\x66\xc8\xf3\x6a\x05\xbe\xd5\xff\x20\xa3\xff\x5e\x26\x11\xdc\xe8\xa6\x22\x0d\x93\x2a\x30\x37\x6c\xf6\x3e\xaf\x48\x63\x5e\xf9\xf0\xe4\x78\x04\xfb\xb5\x31\xb1\x65\x55\x41\x43\x55\x05\x0d\x35\x53\xd0\x44\x89\x3c\xc8\x27\xcf\x49\x72\x1c\x26\x0f\xd8\xea\x5a\x98\x3c\xca\x77\x36\x13\xe7\x41\xff\xe3\x1e\x32\xce\x3b\xdb\x2a\xd9\xf4\x62\x48\x5d\x58\xaf\x95\x5c\x7f\x58\x54\x03\xf9\x72\x10\x7a\xf3\x51\x0f\xab\x6d\x13\xe1\x87\x5f\xdd\xa3\xff\xe2\x46\xf2\x43\x89\xa2\xa4\xbd\xe1\x37\x34\xb1\x34\x63\x9b\xb4\xe5\x46\xaa\x9f\xf4\x0a\x80\x2a\xa2\x4f\x18\x95\x55\x64\x15\x25\x6b\x48\xaa\x67\x5d\x50\x62\x57\x0c\x7f\x27\xf0\x4c\xaf\x44\x25\x84\x12\x84\xd4\x2a\xf4\xc5\xe7\x3e\x38\xdb\x8a\x53\x02\x3b\x3a\xc6\x07\xda\xae\x04\x54\xa3\x94\x9d\xed\x1d\x84\xea\x86\xd5\xaf\x8b\x0c\x23\x35\x9a\xbd\xc6\x5d\x18\x26\x2e\xd4\xb6\xc7\x4d\xf2\x09\x39\x4e\x8e\xc0\x84\x1c\x26\x87\xc8\xc1\x16\x26\x24\x70\x11\xc6\x16\x94\x70\xa9\xb5\x63\xe2\x2c\xf2\x98\x38\x2f\x6a\x2c\xad\x4e\xea\xc7\x6b\x19\xc2\xd2\xe6\x71\x24\xc4\x6a\x8c\x12\x46\x1d\x41\x57\x0e\x8c\x3a\x82\x76\x42\xb4\x13\xa2\x9d\x70\x3d\xd9\x09\x31\xea\x08\x46\x1d\x41\xfb\x0c\xda\x67\xd0\x3e\x83\xf6\x99\x35\x61\x9f\x99\x18\x23\x23\xfa\xb0\x79\x48\x86\x2b\xbd\x2b\x91\x7f\xa9\xc6\xf1\x6d\xe5\xc3\x96\x62\xf0\x12\x04\xb6\x31\x78\xc9\xd5\xe3\x62\xa2\xbf\xfa\x5c\x94\x3c\xcd\x62\x67\xb7\xa2\x0d\x01\xe2\xe3\x6c\x71\x12\xd8\x14\xb0\x81\x9d\xa7\x81\xfe\x47\x8f\xe9\x5f\xdd\x4e\x6e\xaa\x78\x43\xe2\x97\xdd\xf5\xe3\x99\x0c\x4f\x8e\x4f\xf3\x92\x7a\xef\x62\x4f\x0e\x27\x8b\x11\x40\x61\xfc\xd4\x1a\x87\x06\x31\xba\x09\x42\x62\x18\xdd\x04\x21\x31\x84\xc4\x10\x12\x5b\x47\x90\xd8\x1a\x62\x86\xaf\x19\x48\x0c\x29\xcb\x08\x89\x21\x24\x86\x90\x18\x42\x62\x18\xdd\x04\x39\x95\xcf\x1c\xe8\x69\xcd\x73\x2a\xaf\xca\xe8\x26\xaf\xd4\x48\x91\x53\xa7\xce\x93\xc7\x80\x3a\xf5\x10\x39\x43\x4e\xa7\x52\xa7\xd8\x44\xe8\xb7\x8a\x45\xd6\x5b\xa1\xe7\xc7\xec\xa9\x4a\xd4\x2a\x0a\x29\x10\xc3\x47\x6d\xc9\xe2\x44\x1b\x33\xad\x72\xfa\x03\x31\xb1\x2a\x05\x49\xab\x66\x84\x72\xae\x55\xdc\x52\x62\xfe\x3c\xa9\x8d\xaa\x3d\x27\x8a\x88\xe2\xaa\x08\xda\x76\x7e\x75\xd5\x30\x34\x0e\x79\xcd\x92\x02\x99\xa9\x08\x90\x32\x45\x26\xdb\x3d\x74\xe8\x9e\x8b\x01\x54\x5a\x0c\xa0\xf2\xd5\x4c\x6d\xc2\x66\x9e\x4b\x9d\x47\xc8\xc3\x20\x75\x20\x96\x46\xbb\xa7\x2e\x99\xe3\x01\x56\x2c\x72\x2e\x0e\xb0\xb2\x32\x35\xd9\x3c\x00\xcb\x0c\x39\xaf\x04\x60\x59\x91\xaa\x22\x69\xd9\x9c\x34\x6c\x2c\xef\xea\xcb\xcb\x46\x71\x60\x7a\x7f\xd0\x57\x5b\x5a\xde\x91\x1a\xb3\x45\x11\x9c\x3b\xf9\x03\xe9\x82\x33\x0e\xdf\xb2\x62\x22\x14\x23\xb8\x20\x0c\x8d\x30\x34\xc2\xd0\x08\x43\x63\x04\x17\x8c\xe0\x82\x11\x5c\x30\x82\x0b\x9a\x43\xd0\x1c\x82\xe6\x10\x34\x87\xa0\x39\xa4\x2d\xe6\x10\x8c\xe0\x82\x11\x5c\x30\x82\x0b\x46\x70\x41\x6b\x23\x5a\x1b\xdb\x1e\xc1\xa5\x26\xb6\xde\xd6\xd0\x2e\xad\x44\x70\x59\x1d\x4b\x5d\xfb\x83\xb9\xfc\x75\x17\xb9\x3d\x22\xe2\x97\x82\x81\x85\x28\x94\x48\xc1\xa2\xf3\xec\x44\x14\x06\xfa\xaf\x77\xe9\x1f\xdb\x40\x36\xb3\xfb\xe7\x16\x06\x3b\xcb\x42\xd9\x74\x0b\xf6\x82\x5d\x28\x5b\x4e\x22\x60\x88\x3c\xd8\x8d\x42\x01\xd3\x34\x6c\x4b\x64\x90\x6c\x6f\xb7\x88\xed\x51\x0a\xce\x0c\xca\xb2\x8f\xdb\x41\x78\xd8\xf3\x87\x1d\xe7\xa4\x35\x4f\x83\x92\xd5\xce\xe8\x31\x2b\x16\xd2\xa3\xed\x91\x3b\x1a\xda\x99\xb7\xa5\xcf\xe4\x6b\x75\x02\x0d\xe3\xc6\xe6\x13\x8d\xa7\x70\xaf\xde\x2d\xa7\x70\x29\x10\xf3\x53\x8e\x86\x3a\x81\x31\x64\x07\xfa\x27\x60\xc8\x0e\x34\x0c\xa1\x61\x08\x0d\x43\xeb\xc9\x30\x84\x21\x3b\x30\x64\x07\x02\xf2\x08\xc8\x23\x20\x8f\x80\xfc\x9a\x00\xe4\x31\xd6\x06\xc6\xda\xb8\x5a\x20\x48\x8c\xb5\xb1\x12\xb1\x36\x2e\x5d\x4b\x4e\x0a\x88\x4f\x00\x43\x15\x91\x36\x06\x5c\x09\x9e\xf1\x40\xc1\xf0\xfb\x65\x03\x8e\x97\xb7\x9c\xa0\x0c\x82\xca\xca\xe7\x69\x10\xb0\xc3\x04\x5d\x0c\xf4\xdf\xbd\xc6\xfc\xda\x46\x72\x63\xa2\xbc\x73\x0b\x83\x9d\x77\xca\xf4\xa9\xc7\xd9\xbb\xd3\xfc\xdd\x61\x78\x77\x0a\xde\xed\xdd\x2b\x3c\x07\xd4\x57\xcf\x0c\x4a\xf8\xae\x50\xeb\xc5\x36\xf3\x60\xc1\xe7\xa3\xc2\x95\xa0\x4e\x44\xe7\x6c\xb2\xeb\x16\x06\xb3\xb5\xda\x39\xf1\x81\x0c\x79\x21\xa7\x46\x9f\x26\x53\x0a\x35\xba\x6e\xc4\xe8\xe6\xcb\xaf\x8d\x81\x2f\x27\x42\xf5\x32\xea\x7b\x98\x33\xca\xa7\xc9\xf3\x63\x46\x79\x9b\xca\x6e\x36\xf3\xa6\xd3\x18\x99\x1c\xd7\x8f\x44\xc8\x64\xca\x24\x17\x48\x65\xcd\x6f\x4c\x00\x97\x48\xed\xab\x4f\xed\x9b\x40\xef\x8f\x1a\xde\x1f\xe7\xc9\x63\xfa\x23\xe6\xc3\x32\x3a\xda\x90\x50\xf2\x78\x4f\xb8\x05\x98\x9b\x46\x90\xf7\x4a\xb4\xcf\x08\xca\xf9\x39\xd6\x02\xd8\xd7\xa8\x35\xcf\xb7\x86\x92\xef\x81\x52\x69\x6e\x95\x82\x78\x25\x03\xa7\xe9\xff\x92\x21\xb7\xd5\x0d\xc4\xa4\x7f\x39\xa3\xff\x41\x86\xdc\x50\x71\xbb\xb3\xb3\x08\x16\xfd\x59\xcf\x9f\x97\xbb\xad\x65\xc0\x1a\xec\x65\xf7\x2a\x3c\x1c\x86\x27\xc7\x8f\xb0\x7b\x6b\x30\xb6\xbf\x4d\x4e\x72\xc9\x79\x84\x8c\x81\xe4\x3c\x44\x0e\x92\x03\xad\xc5\xf6\x87\x6f\x6c\x18\xd4\xff\x9f\x33\xe4\x39\xbc\xd3\x67\xc0\xd8\x16\x05\xbb\xd2\xbf\x9a\xd1\xbf\x9c\x21\xd7\xc1\x55\xe9\x53\x52\x33\x81\xc2\x2d\x45\x1a\xe6\xd8\xa3\xb1\xdf\x1d\xe6\x50\x48\xe9\xee\xff\xe8\x24\xfb\x1b\x04\x1b\x53\xe3\x8c\x89\x64\x09\x03\x01\x18\x83\xf5\x4f\x75\xea\xbf\xdc\x41\xf4\x6a\x8f\x9f\xce\x2e\x9f\x5a\x05\x83\x3f\x16\x49\xdd\x18\x79\x50\x9c\x7e\xee\x66\x0f\x56\xb9\xfc\xc4\x0f\x70\xb3\x73\x7b\x35\x9c\x89\x25\xf2\x18\xef\xee\xb3\xe4\x41\xe8\xee\x53\xe4\x04\x39\x76\xb9\xbe\x59\xaa\x07\x58\x23\xab\xe3\xf9\xc6\xdb\xf6\x41\xfd\x40\xd3\x36\xf1\x6a\x73\xf8\xe3\xb7\xa5\x2b\x0e\x9b\xf4\x0d\x45\x1a\x92\xce\xcf\x6c\x4d\x1d\xb7\x5e\x9f\x96\x1c\x2b\x4f\x9b\x19\xba\x6e\xf1\xec\x2a\x8f\x5e\xce\x22\xe7\xc8\xa3\x15\xfa\x69\x7b\x87\x0f\x5d\x18\xd0\xcb\xb5\x45\x3d\xe7\x2f\xb5\xda\xa7\x90\x95\x16\x3a\x79\x7e\x1c\x79\x84\x3c\x1c\x1f\x47\xda\x5d\x49\x24\xc0\x6a\x8b\x97\x52\x39\x24\x2b\x2f\xdf\x72\xbf\x74\x6d\xaa\x00\xdb\x5d\xb2\xfc\xd0\x06\xab\x2d\x87\x0a\x9a\x91\x64\xdb\x4b\x22\x39\xce\x6a\xc9\xb1\x5b\x2a\x0b\xea\x87\x16\xec\x00\x1d\xe2\x56\xf5\xe6\x3c\xf5\x8b\x54\xbd\xbb\x5d\xbd\x0b\x6d\xa5\x45\x3b\xdf\x5f\xf5\x5c\xa2\x14\xf6\x7b\x49\xdc\x65\xad\xcc\x31\x3d\x63\xa2\x42\x86\x0e\x91\x7d\x2d\x68\x1c\x93\xc0\x70\x40\x81\xd9\x40\x60\x7e\xb4\x83\x7c\xa8\x43\xff\x40\x47\xe7\x93\x92\xf2\xf3\x44\xc7\xfa\x11\x98\x15\x46\x21\xd6\xcf\x40\x72\x00\xc3\x25\x9b\x9c\x31\xd5\xa9\xbb\xc6\xc4\xed\x01\x6b\x3f\xe7\xc4\x58\x0e\xbc\xe9\x7a\x6e\x3f\x7f\x1b\x9e\x00\x4e\x54\x60\x74\x4f\x04\x9e\x3b\xc9\x39\x3f\x27\xd8\xb2\x10\xbf\xa7\xa3\xc5\x12\x5f\xec\xa9\x2d\xc9\x73\x5f\xd2\xc8\x17\x35\xfd\xf3\x5a\xe7\xe7\x24\x9e\xf9\x94\x76\xd8\xf3\xf3\xc0\x23\x29\x7a\xd0\xed\x9e\x61\xce\xb2\x4b\xa6\x31\x9c\xf8\x0a\x40\xaa\xb9\xc3\x58\x39\x88\xd9\x0d\xfd\x56\x1e\x3e\x1c\x38\x23\x8e\x9d\x17\x4c\x70\xea\x14\x02\xc3\x5b\x14\x7d\xca\x39\x15\x25\xea\x95\x1c\x9a\x35\x78\x8d\x40\xd2\x8a\xc6\x12\x10\xe3\xd4\x0e\x90\xd5\x9b\x1b\xa1\x59\x09\xc2\xd1\x95\xd7\x7a\x6b\xa7\xcf\x2a\xf1\xf4\x59\x2b\xbe\x6d\x4c\xec\x25\xf7\xe8\xbb\xcd\x41\x89\x43\x3c\x57\x8d\xd2\x1e\x3f\xb8\xf2\x71\xd9\xd9\x49\xf7\x96\x3a\xd8\xb3\xfe\xfb\x19\xfd\x0b\x19\x72\x5d\xe2\x66\x5d\x68\xe1\x79\x45\x1a\x26\xb0\x63\x04\x16\x94\x93\xee\xdf\x74\x47\x61\xb5\x5d\xaf\xa0\xe6\x65\xe4\xa4\x5e\xbf\xec\x86\xf6\x3c\xcd\x3b\x56\x10\xc8\x73\xae\xfe\xa1\x6e\xfd\xff\x6c\x20\x9b\xd9\x1b\x4c\xb9\xf8\xc5\x66\xd2\x00\x4e\xf1\x92\x46\x58\x49\x6b\x22\xf5\xdf\x4d\x50\xdd\x49\xaf\x40\xcf\x0c\xaa\x8d\x43\x36\xf0\x72\x24\x94\x48\xf0\x77\xb6\xb1\x84\xda\xa3\xef\xe2\x72\x47\xed\xec\x84\x58\x12\x02\x4c\x99\x88\xc8\x09\x46\x4e\x30\x72\x82\x91\x13\x8c\x9c\x60\xe4\x04\x23\x27\x18\x39\xc1\xc8\x09\x46\x4e\x30\x72\x82\x91\x13\x8c\x9c\xe0\xd5\xe6\x04\xef\x27\x7b\xf5\x7b\xcc\xdd\x12\x20\x7a\x9e\x0a\x10\xa9\x27\x3a\x4c\xdd\x87\x74\x62\xa4\x13\x23\x9d\x58\xa1\x13\xff\x4f\x17\xc9\xa6\x61\x8c\x9c\xc2\x94\x06\x34\xea\xbf\xdf\xa5\xff\xe6\x06\x72\xad\x40\x18\x39\xab\xe9\x62\x73\x61\x04\xda\x0e\x34\x66\x7b\x0d\x05\x2a\x84\xb6\xa8\x75\x1c\xb7\x83\x10\x31\xc3\x16\x23\x08\x3c\xd2\x18\x37\xdc\xaf\xef\x4d\x01\x06\xeb\x43\x89\x3c\x18\x06\x82\x87\x08\x1e\x22\x78\x88\xe0\x21\x82\x87\x08\x1e\x22\x78\x88\xe0\x21\x82\x87\x08\x1e\x22\x78\x88\xe0\x21\x82\x87\x18\x50\x00\x11\x40\x44\x00\x11\x01\x5c\x2d\x04\xf0\x2d\x5d\xdc\x7d\x11\x42\x07\x78\x85\x98\x49\xf8\x83\xed\xfa\x67\x33\x64\x73\xde\xf3\x81\x49\x78\x13\xf8\xc7\x25\xcf\x96\x27\xbd\x02\xed\xbd\x9e\xdd\x18\xf1\x7c\x7a\x66\x90\xfd\xdd\x66\xc7\xb7\x69\xb2\x8f\xc3\x63\x83\x64\x00\xe0\xb1\x1e\xd2\x45\xee\xae\xe9\xad\xce\x5a\x9b\x5d\x18\xcc\xb2\x96\x34\x84\xc1\xea\x3b\x9c\x3d\x7e\xb8\x31\x00\xb6\x4d\xbf\x53\x00\x60\xa6\x29\x70\x2f\xa8\x59\xa5\xce\x75\xbe\x7c\x4b\xdc\x8b\x9d\x91\xb7\x5a\x4a\x47\x3e\x4b\xdc\x5b\xa9\xbe\xcc\x1d\x20\xfb\xc9\xde\x0a\x17\x8a\x66\x3b\x13\xfd\x25\xd0\xc1\xac\x45\x07\xb3\xb7\x68\x97\xb1\x86\x0f\x72\x0f\xb1\x7b\xc9\x9e\xd8\x43\xac\x8d\x22\xa0\x4d\x6b\xbc\x81\x73\x59\xef\xdf\xde\x10\x8b\x80\xeb\x44\x34\x7a\x8b\xaf\xfa\x1b\xf9\x9f\x2b\xb6\xe8\x57\x26\x47\x20\x4a\x83\x06\xd2\x00\xf3\x54\xad\x4a\x9e\x2a\x4c\x50\x82\x09\x4a\x30\x41\xc9\x4a\x25\x28\x99\xf8\x74\x1d\xdf\xf0\xb6\x66\x69\x20\x53\x3c\xca\xd6\x31\x32\xae\x44\xd9\x6a\x4f\xe6\x87\x76\xed\xf1\x46\xfa\x1e\xbf\x55\xdf\xcc\xbb\x9b\xe4\x7e\xfb\x9a\x78\x9b\xdf\x56\xe5\xd6\x9d\xa2\xf2\xdf\x00\x5e\x84\x2b\xb1\xf7\xa3\xbf\xf6\x7a\xd3\x38\xd0\x5f\x1b\xfd\xb5\xaf\xb0\xbf\xf6\x4a\x82\x35\x0d\x3d\xb1\x9b\x13\xf3\x35\x84\x7b\x2c\xfd\x27\x06\xc9\x80\xde\x6f\xee\x90\x74\xda\x1b\x55\x3a\x2d\x7b\x71\x15\x3c\xad\xbf\x9e\x21\xd7\x27\x13\xf9\xe8\xbf\x9b\xd1\xff\x7f\x99\x38\x71\x4f\xcd\x38\x62\x3f\x04\xe1\xda\x4a\xc1\x19\x8c\x20\x56\xc3\xaf\xfa\xff\x12\xb2\xab\x7e\x08\xd5\xd4\x30\xa9\xbf\x4a\xcc\x0f\xa6\x85\x49\xbd\x55\x86\x49\x4d\x8b\x90\xda\x9d\x1a\x21\x75\xe5\x43\xa2\x4e\x93\xe7\x93\x53\x15\xdb\x6f\x1d\x5e\x61\x75\x98\xcf\xb4\x68\xa8\x97\x32\xcb\x22\x2b\x36\x55\x28\x9f\x05\x83\x30\x0b\x24\xc2\xd3\x86\x62\xcf\x70\x85\xf2\x14\x39\xa1\x28\x94\x6d\x28\xb7\x91\x9c\x6a\x14\xfe\xb4\xd8\x58\x4c\x8d\xea\xb9\x14\xd9\x54\x27\x14\x6a\x5a\x3b\x31\xf2\x29\x46\x3e\x6d\x11\xb0\x6d\xfb\x76\xf6\xf6\x6b\xc8\xde\xba\x12\x97\xd3\xcd\x53\xc5\xee\x5f\x10\xf3\x0f\x36\x92\x1f\xaa\x14\xbb\x9c\x77\x5e\x5f\xf6\xf6\xa7\xca\x5e\x78\x73\xed\xc7\xa4\x86\x66\xa6\x4a\xe1\xf6\xc4\xa4\xae\x59\xfe\x0a\xc5\xa4\xae\x5d\xdf\xe5\xc7\xa4\xae\x59\x76\x24\x94\x9b\x8b\x39\x5d\x5b\x98\x56\xf1\xd7\xeb\xc9\xe4\x46\x5b\x00\x4a\x66\x94\xcc\x6b\x45\x32\xff\x5d\x0f\x19\x4a\x0b\x5e\x5c\x23\x89\x40\xde\xf7\xdc\xc7\xbd\x19\xc9\x11\x78\x7f\x8f\xfe\xbd\xaa\x10\xc7\x9d\x29\x4c\x81\x11\xdf\x73\x27\xbc\x99\xde\x3b\xd9\x3d\x35\xcc\x71\x9c\x2b\x40\x3c\xd2\x66\xfe\xc0\x23\x64\x98\x4b\xad\x21\xb2\x0f\xa4\xd6\x2e\xb2\x93\x64\x6b\x4a\x16\xf8\x12\x29\x51\x44\x93\x2e\x97\x48\xf0\xfc\xc6\xd2\x27\xab\xf7\x09\x91\x02\x2d\x10\x7a\x5d\x54\x7f\x95\xf8\xe9\xfc\xed\x2d\x95\xbd\x7e\x5b\x3a\xb3\x20\xea\xf8\xbb\xc4\xed\x55\xec\xfb\xdc\x28\xc9\x91\x07\x2a\xb6\xc0\x65\x77\x3e\x02\x7f\x48\x3c\x68\x51\x5a\xbe\x4f\x23\x87\xb9\x6e\x71\x88\x1c\x8c\x75\x8b\x76\x4a\x80\x36\x48\x97\x26\xe3\xd3\xb6\x5f\x88\xf4\xbe\xee\xc6\x4a\x21\x72\xa3\xe4\x26\x44\x72\x63\x1b\xbf\xb2\x9a\x62\x03\x19\x0b\xc8\x58\x40\xc6\x02\x32\x16\x90\xb1\x80\x8c\x85\xf5\xc9\x58\x68\xff\x5e\xdf\x04\x79\xe1\x5f\xae\xa9\xd4\x06\xb6\x37\xa0\x30\x44\x3a\x82\x09\x16\xb8\x55\x52\x11\x90\xd8\xb0\xde\x14\x13\x24\x36\x20\xb1\xe1\x0a\x13\x1b\x56\x05\x45\x6a\xc8\x70\x68\xff\xb6\x30\xb1\x87\xec\xd2\x77\x9a\x59\x49\x76\x78\xb6\x4a\x76\x10\xaf\x55\xf3\x1d\xae\xc2\xd4\x78\xbf\xda\x4d\xee\xe3\x40\xa7\x3f\x63\xe5\xb3\xb5\x2c\xff\x3c\xe2\x51\xde\x29\x07\x21\x13\x80\x0e\x9d\x61\xb2\xd7\x2d\x06\xfa\xf7\xbb\xf4\x7f\xda\x40\x9e\xc3\xde\x1e\xae\xa4\x00\xfc\x70\x73\xe1\x8f\x46\x78\xb1\x53\x9e\x43\x73\xbc\xd8\x36\x05\x41\xca\xc2\x0b\x53\x95\x4d\x3b\x33\x58\x5d\x23\x86\x44\xba\x8c\x90\x48\x17\x1a\x2f\xc0\xa3\xfa\x61\xb1\x00\x6b\xce\xb3\x68\x51\x56\x8d\x4d\x32\x73\x29\x46\x48\xc2\x08\x49\x18\x21\x09\x23\x24\x61\x84\x24\x8c\x90\x84\x11\x92\x30\x42\x12\x46\x48\xc2\x08\x49\x18\x21\x09\x23\x24\x61\x84\x24\x8c\x90\x84\x11\x92\x30\x42\x12\x46\x48\x5a\xa5\x08\x49\xbf\xdf\x4d\x86\x1b\x43\x87\x6a\xc4\xf4\x34\xfc\xf0\xd5\xdd\xfa\xd3\x1b\xc8\xcd\x69\xf8\x21\xb7\xb6\x5d\x69\x10\x71\x77\x2d\x10\x11\x9a\x87\x48\x62\x5b\x91\xc4\x52\x63\x24\xf1\x84\x7e\xac\x2d\x48\x22\x06\x5c\x47\x38\x11\xe1\x44\x84\x13\x11\x4e\x44\x38\x11\xe1\x44\x84\x13\x11\x4e\x44\x38\x11\xe1\x44\x84\x13\x11\x4e\x44\x38\x11\xe1\x44\x84\x13\x11\x4e\x5c\x5d\x38\xf1\x4d\x3d\x64\x40\x06\x5c\x4f\x77\xb3\xa6\x6e\xa1\xe4\xd9\x6e\x28\xfd\xac\xff\xa2\x5b\xff\x1b\x25\x16\xfb\xad\x29\x1e\xd6\x63\xd1\x3b\xbd\xb7\x29\x01\xd9\x25\x0f\x5f\xde\x6e\xb3\x7f\xf5\x43\x3c\x42\xf3\x4e\x88\xd0\x9c\x39\x75\x4c\xcf\x92\x3e\xd2\xdb\x30\xe4\x97\x6c\xce\xe5\xfa\x56\x1f\x6b\x0c\xa4\x75\xeb\xdb\x2b\x83\x3b\xc6\xd5\x27\x22\xb5\x3f\xa5\x44\x6a\xbf\x23\xdd\x9f\x3a\xee\x66\x23\x19\xae\x7d\xa5\x7b\x3a\xf7\x00\xb9\x9f\xdc\x57\xe1\x77\xb0\xac\xae\x46\x4f\x03\xf4\xa4\x6e\xd1\x93\xfa\x5d\xda\xe5\x2e\xf3\x1c\x77\xc4\x3e\x40\xf6\xc7\x8e\xd8\xed\x16\x15\xed\x94\x05\x8d\x22\xba\xff\xa7\x12\xd1\x3d\xf2\x9a\x8e\x65\xc3\x1d\x89\xa0\xee\x2b\x2e\x1a\xd0\x63\x1a\x3d\xa6\xd1\x63\x1a\x3d\xa6\xd1\x63\x1a\x3d\xa6\x5b\xf1\x98\x5e\xf3\x8e\xd1\xab\xbb\xf5\x37\xf6\x95\xfe\x6b\x25\xd0\x7b\x77\x03\x2f\xe9\x58\x2b\xb8\x5d\x8d\xf6\xbe\x92\x4a\x01\xfa\x48\xaf\x37\x55\x04\x7d\xa4\xd1\x47\xfa\x0a\xfb\x48\xaf\x38\x12\xd4\x56\x19\xdf\xc8\xd9\x7a\xe2\x5e\xb2\x47\xdf\x65\xee\x94\x3e\xce\x3f\xa4\x7a\x46\xcb\x42\x9f\x11\xbe\xd1\xbf\xdf\x45\x6e\x4e\x06\x81\x14\x3c\xc6\xc7\xbd\x99\x40\xff\x48\x97\xfe\x9e\x0d\x64\x4b\x14\x1a\xa4\xd3\x6b\x8e\xa7\x38\xe1\xcd\xb4\x89\x98\xb8\x6d\x51\x09\x2f\x32\xe1\xcd\x1c\xb7\x83\xf0\xb0\xe7\x0f\x3b\x8e\xdc\x44\xdb\xb7\x77\xae\x37\x22\xe2\xd1\xc6\x8b\xea\x6e\x7d\x5b\x4a\x4c\x81\x8a\x78\x02\x48\x30\x44\x82\x21\x12\x0c\x91\x60\x88\x04\x43\x24\x18\x22\xc1\x10\x09\x86\x48\x30\x44\x82\x21\x12\x0c\x91\x60\x88\x04\x43\x24\x18\x22\xc1\x10\x09\x86\x48\x30\x5c\x35\x82\xe1\xbf\xf7\x90\x07\x38\x9c\xc7\xa1\x95\x4a\x1f\xe5\x5a\xa4\x43\x78\x38\x62\x1c\x7e\xac\x47\xff\xf7\x0c\xb9\x9e\x5f\x94\x3e\xca\xcf\x4b\x23\x1e\xb2\x47\x7a\x0d\x76\x07\x7e\x06\x55\x31\x80\xe1\x72\x9b\x79\x87\x2f\x24\x0f\x70\x40\x6d\x3f\xd9\x0b\x80\xda\x20\x19\x20\xfd\x35\xd1\x66\xd1\x13\x51\x48\xce\xe6\x00\xb4\x06\xd4\xc3\xb3\x8d\xa1\xb3\x3d\xfa\x2e\x01\x9d\x25\x86\x22\x82\xa6\xa1\x15\xd5\xc9\x5d\x3e\xbb\xa5\xaa\xe3\x6f\xa9\xc1\x46\x84\xbe\xdf\x26\x6e\xae\x5e\xf7\xe7\x46\xc8\x30\x39\x54\x61\xe0\x5b\x6e\xff\xa3\x55\x0f\xf9\x88\x2d\xf2\x11\xdf\xa3\xb5\x61\xf9\x8f\x71\x4a\xe2\xfd\xe4\xbe\x98\x92\xb8\x02\x52\xa4\x39\x31\x51\x57\x22\xa4\xca\x90\x46\x0c\xc5\x37\xdf\x58\x25\x45\x6e\x88\xd2\xbb\xb8\x42\x72\x98\xfc\xc2\x2a\x0a\x0e\xa4\x2a\x22\x55\x11\xa9\x8a\x48\x55\x44\xaa\x22\x52\x15\xd7\x27\x55\xb1\x21\xbb\x70\xc5\x0e\x16\xb9\x7f\xbb\xa6\x4a\x25\xb8\xab\x11\x7b\x11\xf4\x84\x3b\x4b\x92\x76\xb0\xe2\x6a\x02\x92\x17\xd7\x9b\x72\x82\xe4\x45\x24\x2f\x5e\x61\xf2\xe2\x6a\xc0\x49\x0d\xf3\xbb\xac\x94\xdc\x9f\xd8\x45\x76\xea\x59\xb3\x4f\x72\x12\x9f\x95\xe0\x32\xb2\x97\x9e\x11\x3c\xc6\x57\xee\x20\x39\x0e\x7c\x72\xe5\xa3\x8e\x87\x75\xc9\x2b\x14\xec\xc0\x2f\xc3\x8a\x99\x29\x17\x8a\x34\x86\x3e\x3f\xdd\xab\xbf\xb5\x83\x6c\xe5\x65\x9c\x5b\x18\xec\xdc\x9e\x82\x7a\x4e\x7a\x85\x51\x59\x40\x0e\x0a\xe8\xed\x61\xcf\x71\xad\x45\x25\xf8\xa7\x3c\xda\x66\x30\xb4\x40\xc6\xf9\xec\xcd\x91\x07\x60\xf6\x0e\x91\x7d\xe4\xde\x9a\xb3\x57\x68\x93\x6c\x83\xaa\x6e\x5a\xc3\x69\xfc\x82\xc6\xb3\xf4\x5e\x7d\x8f\x98\xa5\xbc\x2a\x31\x3d\xd3\x6a\x6b\xd2\xe7\x92\x3d\xda\xf9\x2f\x5b\xd4\x51\xe9\x49\x87\x44\xd3\x06\xa6\x4f\x3c\x7a\x05\xc6\x26\x77\x9c\x4c\x90\xa3\x15\xda\x44\xcb\x83\x83\xba\x04\x42\xa6\x2d\x42\xa6\xbf\xa4\xb5\x53\x48\x9c\xe4\xd8\xe9\x11\x32\x16\x63\xa7\x2b\x29\x74\x1a\x24\xc7\x5e\x39\x99\xd4\xfb\xde\x1b\x55\xa1\x73\xab\x4c\x90\x9d\x26\x67\x76\xf0\xbb\x57\x42\xcc\x20\xae\x8a\xb8\x2a\xe2\xaa\x88\xab\x22\xae\x8a\xb8\x2a\xe2\xaa\xe9\xb8\xea\xca\x69\x09\xb9\xb7\x5c\xab\x6a\x09\xbb\x1a\x80\xaa\x69\xba\x43\x2f\x80\x00\xab\xac\x3a\x20\xd6\xba\xde\x14\x16\xc4\x5a\x11\x6b\xbd\xc2\x58\xeb\x33\x05\xad\x6a\xe8\x42\xfe\x00\xb9\x5f\xbf\xcf\x1c\x92\x10\xea\x1d\x2a\xec\x9a\x52\xfc\x33\x02\x84\xfd\xda\x79\x32\xc6\x41\x58\xab\x30\x6f\x83\xf7\xaa\x4f\x8b\x36\xec\x10\xc9\x5c\xdb\x20\x4d\x2d\x36\xf5\x16\xe9\xcc\x9c\xe7\x5d\x48\xf8\x1c\x06\xfa\x1b\xce\xeb\x6f\xe9\x22\xcf\x4b\x2d\x86\xed\xb2\xf7\x71\x17\x26\x5f\x38\x5f\x44\x5a\xba\x37\x6b\xb0\x01\xe4\xa2\x13\x8a\x3f\xcb\x8b\x1f\x51\x8b\xef\xdd\xcf\xde\x1e\x4e\x2b\xfb\xcc\x60\xfd\x57\xd7\xb8\xaf\x79\x0e\x1d\xb1\xd1\x11\x3b\x87\x8e\xd8\xe8\x88\x8d\x8e\xd8\xe8\x88\xbd\x6e\x1c\xb1\x73\x6b\xc6\x11\xbb\xed\x2d\x69\xd9\x11\x3b\x87\x8e\xd8\xe8\x88\x8d\x8e\xd8\xe8\x88\x8d\x8e\xd8\xab\xef\x88\x9d\x5b\xd7\x7e\xd3\x39\xf4\x9b\x5e\x39\xbf\xe9\xdc\x5a\xf7\x9b\xce\x5d\x85\x7e\xd3\x13\xaf\xd4\x48\x91\x03\x93\xe7\xc9\x63\x00\x4c\x3e\x44\xce\x90\xd3\x35\x81\xc9\x74\x7c\x6b\x61\x30\x5b\x1f\x3e\x3a\x6e\x07\x8d\x61\xcb\xdb\xd3\xb1\xc5\xcd\xfa\x46\x1e\xb6\xef\xc5\x8d\x61\xcd\xb3\xfa\x83\x2a\x5c\x29\x20\xce\x7a\xa0\x9c\x00\x3e\xeb\x37\x9f\x98\xdf\x26\x75\x40\xb9\x2e\xbe\xad\x19\x56\x23\xfc\xed\x00\x7f\xf0\xca\x22\x70\x1c\x30\x9b\x25\x05\x32\x53\x61\x84\x9a\x22\x93\xed\x1e\x78\x34\x4e\x21\x79\xaf\x45\xf2\xde\x57\x33\x24\xcf\x45\xd3\x23\xe4\x61\x10\x4d\xc0\xf7\x6a\xf7\x0c\x25\x73\x9c\xd6\x67\x91\x73\x31\xad\x6f\x65\x6a\xb2\x39\x43\x60\x86\x9c\x57\x18\x02\x2b\x53\x55\x23\x59\xdb\x9c\x2c\x6d\x9b\xfc\x4c\xd8\x90\x6a\xcb\xf9\x92\x17\x84\xa4\xf7\x57\xfb\xeb\xc8\xda\xdd\x82\x4f\xa2\x90\x73\xbc\xd9\x46\x72\x77\x8c\xbf\x54\x43\xee\x8e\xc8\xa2\x56\x55\x02\xaf\x0c\x7b\x11\x31\x70\xc4\xc0\x11\x03\x47\x0c\x7c\xfd\x60\xe0\xa8\x61\x36\xd0\x30\xd7\x8e\x91\x00\x99\xe3\xab\xc2\x1c\x47\x5b\x0c\xda\x62\xd0\x16\x83\xb6\x18\xb4\xc5\xac\x6b\x5b\x0c\x3a\x10\xa1\x03\x11\x3a\x10\xad\x94\x03\x11\x9a\x3a\xd1\xd4\xb9\x5e\x4d\x9d\x13\xc5\x36\xfb\xce\x35\x82\xab\x7b\xd3\x21\xe3\x67\xeb\xcf\xe2\xab\x39\x96\xb4\xcd\x9a\x09\x97\x0d\x5b\x37\x83\x85\xb7\xdf\xb3\xe0\x3f\xb6\x47\x69\xea\xac\x52\x29\x18\x58\x18\x1c\xf0\x29\xe0\xcb\x4c\xb0\xe8\x5f\xdf\xae\x7f\xa9\x83\x6c\x66\xb7\x20\x2b\x6b\x7d\xe7\x80\x29\xfe\xe6\x34\x0d\x7b\xef\x02\x47\x80\x52\x29\x38\x33\x18\x5f\xbd\xda\xf2\xcb\x3d\xca\x13\xec\xef\x84\x04\xfb\x6c\x12\xee\x26\x83\x64\xa0\xb6\x29\xa5\x54\x0a\xd8\x94\x8b\x3f\xb8\x2d\x56\xe9\x93\x8d\xa7\xdb\x0e\xbd\x27\x9a\x3d\xa5\x52\x20\x2c\x26\x71\x33\x30\xa5\x1c\x7a\x32\x60\x4a\x39\xb4\xe2\xa0\x15\x07\xad\x38\xeb\xd5\x8a\x83\x29\xe5\x30\xa5\x1c\xa2\xe7\x88\x9e\x23\x7a\x8e\xe8\xf9\x9a\x40\xcf\x31\xa5\x1c\xa6\x94\xbb\x5a\xf0\x42\x4c\x29\xb7\x12\x29\xe5\x9e\xe8\x26\x03\x1c\x7a\x73\x69\xb8\xe8\xf9\x17\x98\xb6\x16\x47\xf2\x80\x17\x06\x6c\xb7\xe8\xd3\x20\xc8\x3b\x56\x10\xd0\x40\xff\xc3\x2e\xfd\xb3\x1b\xc8\x75\xf1\x0b\xe7\x16\x06\x3b\x2f\x8a\x5d\xcd\x2d\xd8\x0b\x76\xa1\x6c\x39\xea\xf7\x5a\x52\x83\x1c\xe7\x45\x8d\xb0\xa2\xb2\x8a\x99\x6d\x48\x6a\x17\x5d\x50\x50\x57\x7c\x74\x4e\x9c\x85\xbc\x12\x95\x24\x9a\x20\xa4\x56\x21\xdb\x7b\x27\xbc\x70\x52\xb6\xe6\xcc\xa0\x5a\xc9\x71\x3b\x68\x5f\x58\xad\x15\xc2\xf8\x2e\x90\x49\x8e\xf1\x8d\x93\x23\x80\xf1\x0d\x93\x43\xe4\x60\x0b\x40\xf3\x59\x99\xcc\xa1\x21\xe2\xb7\x2d\x1d\xf1\xbb\x56\x27\xd0\x30\x0e\xfb\x3d\xda\x18\xf6\x1b\xd2\xf7\x09\xd8\xaf\x6a\x02\x09\x0c\x50\x1d\x0d\x44\x01\x11\x05\x44\x14\x10\x51\x40\x44\x01\x11\x05\x44\x14\x10\x51\x40\x44\x01\x11\x05\x44\x14\x10\x51\x40\x44\x01\x11\x05\x44\x14\x10\x51\x40\x44\x01\xaf\x08\x0a\xf8\x83\x0c\xb9\x8d\xa3\x80\x79\xcf\xf3\x0b\xb6\x5b\x19\xd1\x57\x87\x09\x4d\x6e\x50\x6f\x9f\x5b\x18\xec\xbc\xa9\x48\xc3\xe4\x4e\xcb\xbf\xa1\xf7\xb6\x22\x0d\x47\x94\x87\xcf\x0c\x0e\x4f\x8e\x47\x47\xbb\xf6\x91\xee\x86\xaa\x0a\x1a\xaa\x2a\x68\xa8\x99\x82\x26\x4a\xe4\x41\x8e\xc1\x9d\x24\xc7\x01\x83\x3b\x4c\x46\x49\xae\x05\x0c\x4e\xf9\xce\x66\xa8\x77\xfa\xa7\x1e\x23\x87\xea\xf5\x3d\x64\xfa\xab\x95\xed\x0e\x7c\x1b\x02\xfd\xdf\x1f\xd5\xdf\xbf\x9d\x3c\xa7\x62\x74\x78\x1e\xd8\x6d\xf5\xf9\x92\xc7\x59\x09\xbd\xdb\xd9\x43\xc9\xf1\xaa\xc8\x05\x0b\xcf\xad\x71\x20\x15\x03\x24\x23\xa0\x88\x01\x92\x11\x50\x44\x40\x11\x01\xc5\x75\x04\x28\xae\xa1\xd8\x07\x6b\x06\x50\x44\xa7\x7c\x04\x14\x11\x50\x44\x40\x11\x01\x45\x0c\x90\x8c\x5e\xc3\xcf\x1c\xfc\x6f\xcd\x7b\x0d\x5f\x95\x01\x92\x29\x99\xe0\xe0\xd7\x08\x19\x06\xf0\xeb\x00\xd9\x4f\xf6\xd6\x74\x32\x4d\x00\x55\x02\x67\xca\x02\x40\xd4\x16\x67\xd3\x65\xb1\xce\x52\x40\x33\xc1\x3b\x83\x06\xa9\x84\x33\x68\x27\x31\x9f\xda\x5a\x03\x29\xbb\x5e\x46\x38\xe6\xa0\x58\x37\xff\x7b\x15\x61\x31\x8e\x62\x8d\x93\x23\x64\xac\x22\x6a\xf1\x3d\x64\x77\x0b\xc3\x81\x61\xe3\x30\x30\x71\x8b\x81\x89\xff\x4b\x23\xc7\x78\xcc\xe0\x51\x92\x8b\x63\x06\xef\x25\xad\xcd\x44\x1e\x4a\x61\x17\x84\x52\x88\xc3\x02\xb7\x5c\x5a\x2d\x11\x43\x0e\x73\x39\x76\x88\x1c\x04\x39\xd6\x6a\x05\x8d\x45\x15\x44\xf1\x5d\x61\x51\xd5\xfb\x4f\x7d\x35\x44\x55\x67\x6a\x80\x60\x2e\xb6\x76\xf1\x7b\x29\x62\x2b\x8e\x01\xbc\xb2\x02\x0c\x83\xfe\x22\xae\x8b\xb8\x2e\xe2\xba\x88\xeb\x62\xd0\x5f\x0c\xfa\x8b\x41\x7f\x31\xe8\x2f\xda\x17\xd0\xbe\x80\xf6\x05\xb4\x2f\xa0\x7d\xa1\x2d\xf6\x05\x0c\xfa\x8b\x41\x7f\x31\xe8\x2f\x06\xfd\x45\xf3\x1d\x9a\xef\xae\xf2\xa0\xbf\x2b\x8b\x20\x2f\x27\xa6\xf0\xc4\x79\xf2\x98\xfe\x88\xf9\xf0\x16\x4d\xdf\x50\xb2\xc2\xb9\xce\x21\xb1\x9f\x73\xe3\x87\x5b\x30\x58\xeb\x8d\x20\xef\x95\x68\x9f\x11\x94\xf3\x73\x4c\xa7\x81\x41\xa3\xd6\x3c\x17\xaf\x25\xdf\x83\xbd\xd1\xdc\x2a\x49\xea\xbd\x62\xf4\xdf\xb1\x02\x8e\x46\xfa\xab\x65\xf8\x92\x20\xf4\x7c\xab\x48\xab\x62\x97\x2c\x78\x4e\x79\x9e\x5a\x61\x68\xe5\xe7\x98\x06\x1e\xe8\x5f\xe9\xd2\x7f\x67\x03\x21\xe2\x85\x73\x0b\x83\x9d\x2f\x6d\x2e\x76\xc9\x19\x28\x6a\x58\x16\xd5\xa6\xf8\x25\x26\xbc\x30\xcd\x9b\x73\x66\xb0\xb2\x96\xab\x23\x80\x49\x4d\x83\x4c\xdb\x23\x9b\x2c\x2b\x80\xc9\x63\x8d\x57\xd7\x01\x7d\xbf\x58\x5d\xc9\x29\x14\xe5\x7c\xac\x18\x0e\x8c\x60\x82\x0e\x07\x18\xc1\x04\x0d\x53\x68\x98\x42\xc3\xd4\x7a\x35\x4c\x61\x04\x13\x8c\x60\x82\x06\x01\x34\x08\xa0\x41\x00\x0d\x02\x6b\xc2\x20\x80\x11\x4c\x30\x82\xc9\xd5\x02\x81\x62\x04\x93\x95\x88\x60\xf2\xdd\x9b\xc9\xfd\xc9\x14\x62\x35\x22\x66\x04\xa1\x15\xd2\xd9\xb2\xc3\xd6\x2e\xbf\xf1\xb2\x81\x20\x6f\x39\x54\xff\xf0\xcd\xfa\x7f\x66\xe2\x3c\x63\x5d\x3e\xb5\x0a\x06\xdc\x8a\x3a\x39\xde\x71\xa7\x45\x29\x90\x66\x8c\x3d\xc8\xd3\x8c\xc5\xb4\x5a\xe5\x81\x69\x56\x44\x7b\x19\xb6\x13\x2f\x24\x0f\x70\x5c\x6d\x3f\xd9\x0b\xb8\xda\x20\x19\x20\xfd\xb5\xb3\x82\x95\x43\x8f\x7d\x09\x53\x61\x17\x06\xb3\xd0\xa2\x86\xc8\xf4\x64\x63\xec\xac\x5f\xdf\x11\xe5\xfc\x8a\x6b\x10\xc0\x19\xaf\x44\x45\xcb\x1e\xbf\x2d\x1d\xb2\xdb\xa4\x6f\x28\xd2\x90\x74\x7e\x7e\x4b\xdc\xfb\xbd\x3e\x2d\x39\x56\x9e\x36\x33\x00\x5d\xe2\xd9\xd5\x1d\x83\xdc\x08\x19\x26\x87\x2a\xdc\x34\x96\x3b\x08\x48\xf1\x43\x07\x8d\x16\x1d\x34\xde\xa3\xb5\x41\x06\x8c\x71\x17\x8f\xfb\xc9\x7d\xb1\x8b\xc7\x55\x2e\x4a\x4a\xe5\x90\xe4\x9e\xbe\x26\x16\x25\xbb\x4b\x96\xcf\x4e\xb1\xec\xe4\x07\x7b\x4e\x33\x32\xe5\xee\x12\xdb\x62\x56\x4f\xa2\xdc\x52\x59\x50\x3f\x34\x60\x07\x84\xb4\xba\x55\xbd\x39\x4f\xfd\x22\x55\xef\x6e\x57\xef\x42\xb2\x4e\x5a\xb4\xf3\xfd\x55\xcf\x25\x4a\x61\xbf\x97\xc4\x5d\xd6\xca\xdc\x49\x72\x9c\x4c\x54\x48\xb3\x21\xb2\xaf\x05\x53\xcd\x24\x20\xe5\x28\xd8\x1a\x08\xb6\x8f\x76\x90\x0f\x75\xe8\x1f\xe8\xe8\x7c\x52\x9a\x8e\x9e\xe8\x58\x3f\x82\xad\x02\x5c\x60\xfd\x0c\x60\x39\x00\x60\x6c\x72\xc6\x26\xb3\xee\x1a\x13\xb7\x07\x50\x63\x6e\x5b\xb1\x1c\x78\xd3\xf5\xdc\x7e\xfe\x36\x3c\x01\xb6\xb5\xc0\xe8\x9e\x08\x3c\x77\x92\xdb\x8e\x4e\xb0\x65\x21\x7e\x4f\x47\x8b\x25\xbe\xd8\x53\x5b\xe2\xe6\xbe\xa4\x91\x2f\x6a\xfa\xe7\xb5\xce\xcf\x49\xbd\xf8\x29\xed\xb0\xc7\x8e\x79\x76\x60\x14\x3d\xe8\x76\xcf\x30\x67\xd9\x25\xd3\x18\x4e\x7c\x05\x9c\x78\x38\xf1\xb9\x1c\xc4\x28\x79\xbf\x95\x87\x0f\x07\xdb\x83\x63\xe7\x05\xa3\x89\x3a\x85\xc0\xf0\x16\x45\x9f\x72\x6c\xbe\x44\xbd\x92\x43\xb3\x06\xaf\x11\x8c\x7d\xd1\x58\xc2\xc9\x23\xb5\x03\x64\xf5\xe6\x46\x68\x56\xc2\x70\xb5\x1a\x5a\xe4\x1d\xe9\x82\x7a\x8b\xbe\x09\x1a\x48\x9a\xdc\x1b\xd2\x92\x14\xd7\xd8\x27\x26\x76\x91\x9d\x7a\xd6\xec\x93\x3c\x86\x67\xc1\x1a\x12\x0b\x1a\x9e\x31\x37\xb0\x4b\x2a\x33\xe1\x2a\xe4\x3e\xbc\xb9\x8b\x98\xfc\xc8\xc3\xad\xc9\x95\x21\x03\xf9\x55\xfd\xdb\xdb\xf5\x6f\x76\x90\xeb\xf9\x5f\xcd\x46\x05\x04\x4b\x3b\x8f\x0a\x08\x3f\x03\xe1\x41\x08\x7f\x5c\x6d\x29\x94\xcf\x91\x51\x3e\xcd\x0f\x92\x03\x30\xcd\xef\x21\xbb\xc9\x60\xcd\x69\x2e\x7a\x33\xf2\x07\x85\x4f\x6e\x8b\x5f\xfb\xd9\xc6\x33\x7d\x8f\xbe\x4b\xcc\xee\xc4\x98\x8a\xf9\xcd\x33\xbb\x54\x91\x7c\x90\x85\x80\x2c\x04\x64\x21\x20\x0b\x01\x59\x08\xc8\x42\x40\x16\x02\xb2\x10\x90\x85\x80\x2c\x04\x64\x21\x20\x0b\x01\x59\x08\xc8\x42\x40\x16\x02\xb2\x10\x90\x85\xb0\x5a\x2c\x84\x57\x76\x10\xa3\x76\x36\x65\x0e\xcb\xe9\xdf\xcc\xe8\x5f\xcf\x10\x3d\x91\x3e\x99\x83\x72\x35\xb3\xa9\x18\x45\x1a\xaa\x09\x8e\xe1\x71\x4c\xa8\x92\x9e\x50\xe5\x1f\xbb\x48\x77\x7d\x9f\xb0\x7c\x60\x17\x7c\x9b\xad\x25\xfd\xd7\xbb\xf4\x8f\x25\x9d\xc1\xca\xcd\x39\x83\x8d\x4c\x8f\x8f\x42\x19\x6d\xf2\x02\xbb\x25\xe9\x05\x26\x8b\xbf\x3a\xdc\xbf\xd6\x68\xfe\xea\x65\x21\xae\xa9\xee\x5f\x72\x1c\xd0\xef\x0b\x11\x57\x44\x5c\x11\x71\x45\xc4\x15\x11\x57\x44\x5c\x11\x71\x45\xc4\x15\x11\x57\x44\x5c\x11\x71\x45\xc4\x15\x11\x57\x44\x5c\x11\x71\x45\xc4\xf5\xca\x20\xae\x3d\x64\x5f\xe4\xf7\x65\xfb\xb4\x68\x03\x01\x3e\x99\xbc\x9a\x83\x7e\xe2\xc0\x6f\x4b\x87\xb0\x97\xe9\x9f\xeb\xd6\x5f\xbe\x91\xe8\x15\x6f\x9e\x5b\x18\xec\xfc\x98\x26\x06\x41\x81\xfe\xdc\x48\xac\x45\x24\xc9\xe1\xc9\xf1\x69\x5e\x62\x5b\x30\xc0\xbe\x58\x8b\x01\x4d\x4d\xec\x79\x4c\x11\x8a\xd5\xb3\xae\x84\x46\xac\x94\x9d\xed\xe5\xfb\xf2\x70\xf2\x63\x20\xef\xb6\x68\x25\xc2\x88\xcb\xa1\x27\x2f\x72\x7a\xf2\xf9\xc6\x10\xe2\x41\xfd\x40\x44\x49\x4e\x9d\x83\x09\xe8\x90\xc3\x8a\xf1\xa0\x20\x96\x88\x58\x22\x62\x89\x88\x25\x22\x96\x88\x58\x22\x62\x89\x88\x25\x22\x96\x88\x58\x22\x62\x89\x88\x25\x22\x96\xb8\xda\x58\xe2\x5e\x72\x8f\xbe\xdb\x1c\x94\x2e\xa0\xcf\x55\xdd\x46\xe3\x03\x5b\xb5\xef\x28\x82\x90\x08\x42\x22\x08\xb9\x8e\x41\xc8\xff\xce\x90\x4e\x01\x42\xc6\x3e\xe9\x03\x0b\xbb\x04\xe1\xf3\xaf\x32\xfa\x37\x32\xe4\xd9\xca\xbd\x73\xe2\x5e\x6d\xc6\xe7\x9d\x45\x1a\x0e\xc7\x2f\x9c\xd9\x85\x94\xcf\x3a\x94\xcf\xd7\x74\x44\xae\xf0\x79\xea\x8b\x61\xa4\x55\x0e\xf1\x3a\x64\xe8\x23\xcf\x51\x9f\x69\xcc\xbd\x35\x8b\x34\x1c\x51\xde\x40\xf6\x6d\xdd\xa1\xf8\xaf\x1e\x32\xcd\x87\x62\xd6\xf1\x16\x99\x46\xe3\x7b\x4e\x56\x22\x64\x95\x63\xc2\xb1\xf9\x92\x6f\x7b\xbe\x1d\x2e\x39\x74\x81\x3a\x09\x04\x45\x62\xf5\xef\xeb\xd1\xff\x70\x23\xb9\x55\x29\x74\x38\x2a\x53\x8e\xe1\x6f\x35\x83\xda\x4f\x8a\xba\x8e\xb3\xba\x46\xd4\xba\xd6\x04\x8a\x3f\x04\xd5\x1d\x4e\xf9\x4c\x31\xf1\x6a\xb7\x7f\xed\xe3\xfb\xab\x9f\x25\xe2\x25\x8d\xe1\xfb\x87\xf4\x33\x02\xbe\xaf\x37\x63\x05\x70\x5f\xbb\xf7\x53\x92\xaf\x34\x32\x2e\x20\xf4\x8f\xd0\x3f\x42\xff\x08\xfd\x23\xf4\x8f\xd0\x3f\x42\xff\x08\xfd\x23\xf4\x8f\xd0\x3f\x42\xff\x08\xfd\x23\xf4\xbf\xca\xd0\xff\x11\x32\xa6\x8f\x98\xc3\x12\xfa\xdf\xae\x42\xff\xb5\x8f\x7c\x68\x0a\x40\x53\x00\x9a\x02\xd0\x14\xa0\x98\x02\x3e\xdf\x43\x8e\x72\xf8\xd3\x9f\xb1\xf2\xd9\x08\xe2\xaa\xa0\x24\xab\xd8\x67\xde\x29\x07\x21\x3b\x06\x39\x74\xc6\x76\x0b\xb6\x5b\x94\x98\xe7\x7f\x76\xeb\x1f\xd9\x48\x6e\x66\x25\x0d\xab\x05\x49\xc0\xf3\x93\xcd\x00\x9e\x23\xbc\x82\x29\xcf\xa1\x39\x5e\xc1\x9a\x00\x3a\xf9\xe7\x4f\x55\x7e\x9b\x40\x39\xab\x1b\xbd\xf6\xd1\xcd\x35\xc8\x5e\x2e\x35\x86\x3f\x4f\xe8\xc7\x04\xfc\x59\x73\xc6\x46\xb1\x10\xaa\xc6\x04\x63\xd1\x22\xa4\x89\x90\x26\x42\x9a\x08\x69\x22\xa4\x89\x90\x26\x42\x9a\x08\x69\x22\xa4\x89\x90\x26\x42\x9a\x08\x69\x5e\x71\x48\xf3\x10\x39\xa8\x1f\x30\xf7\x4b\x48\xf3\x76\x15\xd2\xac\x3e\xc9\x21\x94\x89\x50\x26\x42\x99\x08\x65\x26\xa1\x4c\x08\xad\x10\x87\x50\xa8\x91\x52\xb7\xe4\x15\x42\x3a\x5f\x82\x33\x4a\x04\x5d\xbe\xae\x47\xff\xd6\x06\xb2\x39\xef\xf9\x10\x54\xf5\xe3\x4d\x31\x33\xbd\xc2\x69\x51\xce\x9a\x40\x28\xf9\x76\x3e\xe2\xf9\x54\xcd\x01\xa9\xb4\x12\x21\xc9\x16\x20\xc9\x13\x8d\x21\xc9\x5e\xbd\x3b\x25\xdf\x9b\x69\x46\x1c\xcc\x78\x04\x10\x6f\x44\xbc\x11\xf1\x46\xc4\x1b\x11\x6f\x44\xbc\x11\xf1\x46\xc4\x1b\x11\x6f\x44\xbc\x11\xf1\x46\xc4\x1b\x11\x6f\x5c\x6d\xbc\x71\x1f\xb9\x57\xdf\x63\xee\x92\x78\xe3\x4d\x09\x0a\x65\x7c\x62\x7b\x26\xa4\xde\x46\x28\x13\xa1\x4c\x84\x32\xaf\x22\x28\xf3\xdb\x37\x93\x83\x51\x94\xd8\x52\x30\xb0\x30\x58\x0b\xca\xf4\x29\xe0\x6c\x6c\xe9\x0a\x24\x73\x20\xc8\x5b\x0e\xd5\xdf\x7f\xb3\xfe\x83\x0c\xd9\xcc\x5e\x3f\xb7\x30\xd8\xb9\xdd\xa7\x56\xc1\x80\x5b\x51\x1f\xc7\xca\xc0\x14\x2f\x64\x9a\x86\xbd\xdb\xd8\x73\xc3\xa5\x52\xa0\x22\x88\xf1\xfd\x69\x56\x40\xfb\xa2\x07\x00\xe8\xf7\x42\xf2\x00\x07\xfd\xf6\x93\xbd\x00\xfa\x0d\x92\x01\xd2\x5f\x33\xdb\xbd\x12\x95\x22\xbb\x30\x98\x85\x16\x35\x04\xf9\x26\x1b\x63\x78\xfd\xfa\x8e\x28\x28\x6a\x5c\x83\x00\xf0\x78\x25\x2a\xc4\xf7\xf8\x6d\xe9\xb0\xe1\x26\x7d\x43\x91\x86\xa4\xf3\x77\xb6\xc4\x7d\xdf\xc3\x06\xc9\xca\xd3\x26\xba\x7f\xbb\x78\x74\x55\x47\x20\x37\x42\x86\xc9\x21\x7d\xc3\x8c\x57\x58\xea\x84\x7f\x0d\xad\x77\xb9\x43\x90\x7b\x77\x86\xbc\x33\xa3\xbf\x23\xd3\xf9\x53\x52\xc8\xfe\x87\x76\x96\xed\x56\x62\x0b\xef\x83\x14\x65\x10\x92\x82\x4b\xc5\xc4\xb1\x51\x85\x12\x67\xa8\x51\x62\x7d\xcd\x74\xf5\xac\x31\xec\x1a\xb6\xcb\x01\x1b\xcf\x37\xca\xae\xc4\x7c\x0a\x46\xc1\x5f\x9a\x2a\xbb\x46\xc1\xf6\x29\x13\x05\x54\x02\x09\x4c\x1f\x00\x85\x4b\x20\x29\xd1\xb9\x49\x9c\x5d\x8d\xd9\xb2\x0f\xba\x79\xc9\xf7\xf2\x34\x00\xcd\x48\x0c\x8b\xd8\xd6\xb2\xc6\x19\xa8\x11\xce\x3c\xa0\xca\x0c\x19\xfd\xc6\xb0\xe3\x0c\x81\xde\x53\xf0\x97\x0c\xbf\xec\xb2\x33\x35\x93\x1d\x91\xb2\x27\x8a\xa3\x05\x73\x13\x6f\x9a\x22\x28\x73\x6f\xcb\x90\xb7\x66\xf4\x37\x67\x3a\xdf\x20\x3b\xe8\x1f\x35\x50\x95\x4f\x58\xae\x55\xa4\x3e\x3f\xf4\x71\x2d\x22\x08\xbc\xbc\x0d\x7a\x8c\x3c\x5e\x59\x70\x3e\xf5\x7c\x83\xa9\xb9\xe1\x92\x54\xec\xe6\xad\x0b\xac\xfd\xe1\x1c\x0d\x68\x24\xcd\x98\x84\x8d\x80\x2f\xc0\x7e\x66\xa8\x01\x72\x14\x8e\x52\x9e\x6f\x0c\xee\xda\xc7\x9e\xf5\xad\x3c\x20\x74\x8e\xe7\x16\xb9\xec\x82\xe3\x0e\xd3\x4c\x2d\xdb\xe5\x2a\x05\x1c\x27\xe2\x67\x01\xb5\x10\xf8\x21\x3b\x04\x47\xfb\x51\xd1\x73\x2c\xb7\x98\xf5\xfc\xe2\x40\xe9\x42\x71\xa0\xec\xda\x79\xaf\x40\x07\xb6\x8d\x07\x93\xac\x94\xac\x79\xad\xfa\xad\xea\x0e\xf2\x1e\xad\x0d\x12\x60\x8c\x95\x30\xa8\xdf\x4f\xee\x23\x9b\x47\xb8\xee\xbe\x12\x82\xa4\xf6\xb2\x2f\x95\x43\xd2\x7e\x39\x93\xfb\x8f\x6b\x62\x41\xb2\xab\x64\xf9\xec\x70\xcd\x0e\xa4\xb0\xdd\x34\x21\x51\xee\x2a\xf1\x20\xdb\xab\x24\x4f\x6e\xa9\x2c\xa8\x1f\xea\xdf\x01\xa1\x61\x6e\x55\x6f\xce\x53\xbf\x48\xd5\xbb\xdb\xd5\xbb\x10\x91\x9a\x16\xed\x7c\x7f\xd5\x73\x89\x52\xd8\xef\x25\x71\x97\xb5\x32\x77\x92\x1c\x27\x13\x15\xb2\x6c\x88\xec\x6b\xc1\x86\x34\x09\xf0\x3d\x8a\xb5\x06\x62\xed\xa3\x1d\xe4\x43\x1d\xfa\x07\x3a\x3a\x9f\x94\xf6\xac\x27\x3a\xd6\x8f\x58\xab\x40\x3c\x58\x3f\x03\x82\x0f\xa8\x1c\x9b\x9c\xb1\x1d\xaf\xbb\xc6\xc4\xed\x01\x28\x9b\x1b\x7c\x2c\x07\xde\x74\x3d\xb7\x9f\xbf\x0d\x4f\x80\xc1\x2f\x30\xba\x27\x02\xcf\x9d\xe4\x06\xad\x13\x6c\x59\x88\xdf\xd3\xd1\x62\x89\x2f\xf6\xd4\x96\xb7\xb9\x2f\x69\xe4\x8b\x9a\xfe\x79\xad\xf3\x73\x52\x21\x7e\x4a\x3b\xec\xb1\xf3\x9d\x1d\x18\x45\x0f\xba\xdd\x33\xcc\x59\x76\xc9\x34\x86\x13\x5f\x01\x47\x9d\x79\x6a\xb9\x81\x51\x0e\x62\xe8\xbe\xdf\xca\xc3\x87\x83\x41\xc4\xb1\xf3\x1c\xb4\x07\x8c\xd6\xf0\x16\x45\x9f\x72\x83\x41\x89\x7a\x25\x87\x66\x0d\x5e\x23\x58\x20\xa3\xb1\x84\x23\x47\x6a\x07\xc8\xea\xcd\x8d\xd0\xac\x84\x35\x6d\x35\x34\xc8\xda\x66\xe2\x12\x37\x13\xb7\x5d\xf4\x4f\xec\x22\x3b\xf5\xac\xd9\x27\x71\x86\x67\xa9\x08\x05\x3c\xff\x4c\xc0\x26\xf4\x4b\xdd\x64\x4f\x8d\xf4\xb7\xaa\xdb\xd9\x82\xe7\x94\xe7\xa9\x15\x86\x56\x7e\x6e\x9e\xba\x61\xa0\xff\x4d\x97\xfe\x27\x1b\xc8\x0d\x71\x2a\x5c\xee\x63\xf6\xd2\xe6\xf2\xe1\x9e\x81\xf2\x86\x65\x79\x6d\x4a\x8b\xdb\x95\x4c\x8b\x0b\x4d\xaa\xac\x0a\x53\xe4\x5e\x46\x8a\xdc\x7c\xe3\x75\xf6\x80\x7e\x7f\xbd\x14\xb9\x95\xc3\x81\x4e\x61\x48\xd2\x40\x92\x06\x92\x34\x90\xa4\x81\x24\x0d\x24\x69\x20\x49\x03\x49\x1a\x48\xd2\x40\x92\x06\x92\x34\x90\xa4\x71\xc5\x49\x1a\x48\x84\x40\x22\x04\x12\x21\xd6\x2f\x11\x62\xe2\xd7\xbf\xbf\x93\xbc\x7f\x23\x31\x15\xf8\x36\xef\xf9\x34\xbb\x30\x98\x3d\x79\x78\x9a\x23\x39\xd3\x50\x8a\xfe\xf2\x8d\xe6\xcb\xb5\x29\x2a\x64\x11\x6b\xac\x71\xf2\xf0\xb4\xc1\x75\x10\x98\x7d\x4c\x8b\x0e\xc4\x38\xcc\x82\xe4\xe6\xa2\xb4\xe4\x15\xb2\xf0\x2c\xc7\x18\x83\x08\x9c\x89\xb6\x77\x6f\xd1\xa5\x7e\x30\x67\x97\x8c\x79\x40\xd3\x61\x83\xf7\x7c\x63\x7a\xec\xb8\xed\x96\x2f\x1a\x3e\x05\xed\x91\x29\x92\x97\xb4\x4d\x7c\xab\xbc\xa4\x01\x00\xfb\x71\x6d\x0b\xd9\xc4\xc5\xe5\xef\x69\x7f\xd9\x41\x5e\xae\x11\xb8\xae\x5f\x34\x2f\x4c\x5a\xa0\x93\x71\xc9\x4f\x2f\x8a\x0d\x58\xa8\xf1\xac\x39\x11\x46\x70\x02\x14\x45\x77\xd6\x1b\xaa\x37\xe9\xe5\xe4\x16\xa0\x97\x40\x4c\x83\x6d\xee\x6c\x00\xcd\xe0\x53\x95\x7c\x56\x23\x5b\x7c\x6a\x15\x4e\xb9\xce\x92\xfe\x09\xcd\x7c\xbf\x36\x25\xfe\x32\x60\xc9\xc1\xa6\x08\x20\xbb\x6c\x08\x6f\x1c\x9b\x19\x33\x94\x77\x68\xa4\x52\xb2\x82\xfa\x41\xfb\x2a\x31\x79\x01\x00\x4f\x85\x9a\x3d\x6b\x39\x01\x6d\xcf\x47\x6c\x25\xd1\xdc\x20\x6f\xd1\x88\xe8\x69\xfd\xc7\x34\xf3\xc5\x5c\x47\x03\xa5\x65\x8e\x1a\x73\x5e\x10\x72\xb0\xdc\x37\xc6\x27\xd9\xbc\xf4\xc5\xda\x59\xd9\xae\xfd\xbc\x46\xee\x52\x66\x6a\xc1\x0e\xf2\x1e\xdb\xa7\xb3\x02\x58\xcc\x1e\xf6\xfc\x87\x3d\x97\xea\x3f\xa3\x99\xc7\xc5\x6f\xa3\xe4\x7b\x0b\x76\x81\x06\xd0\x0c\x7f\x9e\x2f\x7f\x6b\x86\x89\x0d\x7e\x3e\x7e\xb1\xc7\xc4\xb0\xd0\x74\xd9\xa6\xc4\xf5\x3c\x36\x69\xdc\x42\xc9\xb3\xdd\x30\x7b\x49\x03\x4b\x40\x62\xb6\xdd\x47\x86\x08\x5c\xd5\x77\x99\x77\x43\x6f\xf8\xf1\xe2\x00\x3d\x5f\x31\x27\xb0\x3a\xb2\xea\xa7\x3c\x79\x07\xb9\x43\xf9\x14\x0e\x6c\xca\xef\x00\x3c\x57\x7f\xe5\x1d\xe6\x67\x3a\xe0\x27\x3f\x0a\xf9\x94\x2f\x97\x59\xb0\x50\xc2\x75\xa6\x22\x71\x49\x2e\x34\x7d\x11\x3d\x0e\x36\x8a\x18\xbf\x29\x50\xd7\x0b\x29\xd7\xa8\xd8\x19\x38\x8c\x4c\x7e\xd1\x6b\xc1\x52\x10\xd2\xf9\xac\x31\xc6\x01\xd6\x39\x6b\x81\x46\xba\x21\x48\x28\xa6\x69\xb1\x7e\x83\x45\x0d\x7a\xb3\x6f\x17\x8b\x4c\x6b\x67\x7f\xcc\xd3\x20\x00\x8b\x26\xdb\xa3\xe9\x82\xe7\x80\x4d\x95\xad\x3e\x7b\x9e\x66\x0d\x5e\x6a\xd4\xb5\x7e\x02\x31\xf5\xa9\xb3\x14\x1d\xb7\x42\x7b\x5e\x98\x54\xe5\xf7\x09\x1c\xa4\x68\x2f\x50\xd7\x98\xa2\x56\xe0\xb9\x4c\x19\x64\xc7\x48\xa1\x4a\xc5\x8a\x60\xd9\x2d\x50\xdf\x59\x02\xf3\x1a\x6f\x1d\xa8\xab\xaa\x86\x5f\xe0\x27\xc1\xe8\xf4\x92\x80\x93\x99\xa0\xe0\x35\x44\x2d\x0e\x14\xe4\x31\xe4\xaa\x30\x13\xc9\x72\x1e\x2d\xd0\x3e\x63\x86\x06\x61\x3f\x9d\x9d\xf5\xfc\xb0\x0f\x04\x1a\x87\x9b\x2d\xc7\x60\x67\xc6\xec\x25\x6d\x2b\x54\xc2\x36\xaa\xc4\xec\xf9\x9d\x4e\xf2\x52\xb2\xc9\x87\xfa\x74\xdf\xa4\xfc\x17\x1b\xe7\xc5\xb9\xa5\xc8\x70\xcb\x7a\x9c\x69\x74\xa1\xc5\xa1\x2e\xbe\xf7\x97\xe7\x2d\xb7\x9f\x09\x86\xaa\xd3\x06\xd3\x50\xf9\xd0\x85\xc6\xbc\x17\x84\x15\xf6\xda\xc4\x04\xfc\x23\x8d\x6c\x66\x82\x35\xa4\x05\xfd\x73\x1a\xd9\x59\xd3\x9c\x17\xed\x07\xa7\xa0\xe5\x53\xd1\xd6\x6f\xbe\x59\x13\xaf\x47\x52\x41\x5a\x58\x03\xd8\x1c\x2d\x7f\x29\x52\x64\xd9\xf6\x07\x07\xa6\xbc\x37\x5f\x72\xe8\x45\xf1\x6d\x41\xd6\x18\xcb\x16\xb3\x11\xa2\xcb\xf6\x60\x18\x7f\xa1\xfd\xca\x19\xc6\xcf\x21\xb0\x6b\x8b\xd3\x87\xd8\xc1\xa3\x06\xf0\x37\xb2\xe4\x93\x1a\x79\x36\x5f\x24\xb6\x5b\x1c\xe1\x89\x3b\x1c\xea\xeb\x3f\xa7\x99\x6f\xd5\x52\x6e\x44\x2d\x57\x57\x6a\x3e\xbe\x0b\x53\x82\xce\xdb\x61\x08\xfa\x95\x1d\xf0\x69\xd1\x67\x50\xd6\xea\xf3\x49\x41\xc6\xfe\x72\x68\x78\xbe\x72\x40\x04\x33\x01\x4e\x94\xdc\xf4\x4a\x17\xc5\xf4\x4a\x0a\x04\x8d\x6c\x12\x06\x99\x77\x6a\xe6\x1b\x34\x31\xfc\x30\x21\xd8\x51\xa6\x62\x36\x0c\xcc\x5a\xb6\x03\x4b\x33\xea\x36\xa1\x57\x54\xf6\x63\x34\x6d\x84\x09\xe9\xf2\x27\xce\x6b\x34\x72\x43\x6c\xca\x1b\x61\xbb\x95\x5e\xd6\x37\xda\x6e\xb8\x7b\x97\x79\xbe\xe2\x4e\xd4\xc3\xf1\x65\x51\x23\x3b\x4e\xc3\x69\x68\xc6\xca\x5f\x58\xb4\xfc\x02\xcc\x0d\x2b\xb4\x67\x6c\x87\xe9\x5d\xb0\x26\xc5\xd4\x13\xf2\x23\x5c\x2a\x31\x19\xba\x95\x44\x4a\x17\xf9\x0d\x8d\xdc\x14\x97\x7c\xdc\x0a\x60\x9d\x05\xa1\x35\x5f\xd2\xdf\xab\x91\xbd\x2d\x98\xd3\x58\x01\xe6\x5c\x8d\x42\xdb\xfe\x35\xe4\x2b\x1a\xd9\x12\x01\x4c\x6c\x19\xb6\x62\x01\xe4\x0b\xf3\x04\x0d\x2d\xf3\x09\x6d\x3a\xb4\xd8\xd2\x8b\xd6\x44\x57\x20\xf1\xab\xd4\xcd\xb8\x68\x87\x91\x39\x98\x1d\x25\xca\xae\x1d\x2e\x0d\xc0\x12\xb0\x67\xca\xa1\xe7\x07\x03\x05\xba\x40\x9d\x81\xc0\x2e\xf6\x5b\x7e\x7e\xce\x0e\x69\x3e\x2c\xfb\x34\x52\xf7\x17\xf8\xbe\x10\x64\xe7\x0b\xdb\xa2\x8a\xc8\x6f\x69\xe4\x79\x71\x17\x1d\x66\x87\xd4\x78\x5c\xde\x77\x19\xe3\x62\xd7\x2a\xb5\xfd\x03\xf3\x76\x8d\xc4\x92\x5b\x7f\xad\x46\xee\x6b\xa1\xd1\x27\xec\xbc\xef\x41\xcb\xc7\x65\x59\x51\x53\x61\x27\x5d\xe4\x87\xec\x48\xb2\xc0\xf2\xe6\x87\x7a\x6f\x86\x1f\x74\xa3\xe5\x1b\x11\x5f\xb2\xe4\x93\x19\xb2\x01\xcc\xb0\xbf\x90\x31\xdf\x93\x39\x66\xbb\x05\xae\x1d\xf0\xe5\x29\x51\x6b\xa1\x8a\x08\x8e\x8f\x31\x35\x36\x7d\x3a\x3e\x5e\x43\x95\x42\xce\xc6\x5a\x4b\x12\x8a\xb3\xdd\x59\x90\x81\xb6\x62\x55\x8b\x14\x22\xd5\x18\x12\x94\x67\xe0\x78\x25\x4d\xb5\xa1\x97\x35\x46\xa4\xe0\x13\xe0\x47\xd6\x18\x77\x8d\x11\x6b\x9e\x3a\x23\x56\x0d\x75\xb5\x9d\x73\x11\x08\x3d\x60\xad\x4e\x28\x90\x9f\xc9\x10\x62\x95\x6c\x71\x22\xd2\x3f\x9a\x31\x7f\x2e\x33\x3c\x39\x1e\x9d\x7e\xb9\x45\x30\x50\x21\x19\x5a\x30\x82\xfc\x1c\x9d\xb7\xf8\xfe\x00\x23\x21\xfa\x4b\x1e\x24\x65\xe4\x8a\xb8\x03\x63\x6d\x72\x81\xfa\x8a\x89\x2e\x2a\x4d\x1e\x03\x85\xcd\x06\x4c\xc1\x6c\xef\x84\xe1\xe3\xa7\x3b\xc5\xfe\x97\xa0\xaf\x71\x72\xd9\x8a\x77\xa1\x3c\x96\x56\xec\x52\x37\xc6\x8b\x4c\x9c\x0c\x7f\x42\x23\x7d\x0d\xd5\x07\x98\xe0\xfc\x05\xd3\xaa\x2c\xa2\xfd\xeb\xf7\x13\x19\xb2\x55\x6e\x85\xfa\x53\x99\x16\x14\x9c\xef\x69\xf1\x5e\x2a\xa8\x6d\x41\x12\x9e\x93\xeb\x96\x2d\x40\x76\xa2\x80\x59\x0e\x1b\x68\xde\x0a\xd8\x91\x83\x09\x60\xcb\x35\x4e\xc9\xa5\xc6\x55\x10\x55\xcb\x90\x14\x85\x40\x28\x16\x31\x79\x74\x24\xed\x29\xe5\x7e\x20\x20\x6c\x76\x54\x89\xda\x11\xe9\x2b\x33\x34\x6f\x95\x03\xb0\x14\x5b\xf9\x30\x60\x3a\x36\x68\xff\x11\x0c\x61\xbb\x86\xa5\x14\x25\x75\xa8\x9f\xe1\x07\x3f\x9b\x06\xfa\x4f\x6a\x64\x77\xcd\x5e\x4b\x3b\xb1\x4c\xc3\x7b\xe6\xa3\xfc\x7d\xd6\x1a\x30\x9c\xf0\xc3\x16\xeb\x39\xde\x5b\xe2\xb6\xd2\x6e\xe5\xe4\xc4\x34\x24\xdb\x31\xec\x59\xd1\x79\x02\xbb\x0e\x3d\x97\xbf\x9d\x25\xbf\xae\x91\x0d\xec\x38\xa3\xff\x92\x66\x3e\xa9\xb1\x5f\x5c\x00\x26\x15\x63\x01\xb0\x94\x54\xb4\x87\x9d\x7c\xca\x81\x5c\xc9\x92\x5e\x94\x35\x4e\x58\x17\xed\x79\xcb\x31\x1c\xea\x16\xc3\xb9\xe8\xf9\xa8\xec\xc1\x0b\x39\x6e\x6a\x75\xec\x19\xdf\x82\xc6\xc7\x27\x83\x92\x4f\x4b\x96\xc0\xa6\xe7\x2c\xb7\xe0\xd0\x88\xfe\xc9\xcd\x31\xf7\xee\xb9\x90\x4b\x28\x50\xbf\xad\x91\x67\xc9\x99\x30\xee\x06\xa1\xe5\xe6\xa9\xfe\x21\xcd\x7c\xb7\x56\x75\x39\x5a\x18\xe3\xa3\x29\xfa\xa9\x2d\x1e\x52\x15\x52\x87\x86\xfd\x17\x97\x5e\x3c\xbb\x1c\x3d\x14\x66\x91\x1d\x2e\x4b\x0b\x7c\xb5\x46\x36\xb0\x95\xa6\xff\xb0\xf9\x22\x60\xe2\x44\xdb\x1a\xfb\x1d\x75\x30\x1f\xdc\xee\x93\xec\xb8\xe4\xf4\x19\x67\x2d\xdf\xb5\xdd\x62\x4f\x1f\xd4\xcd\x39\x97\xf9\xa8\x1b\xad\x82\x62\x1d\x9e\x2d\x33\xa9\x54\x53\x75\x55\x1a\xf2\xb4\xf6\x68\x63\xc2\xd2\x90\xbe\xaf\xdf\x10\x94\x25\x31\x6f\x05\x63\xc9\x30\x38\x67\x89\x13\xa8\x0c\xa3\x8a\xaa\x44\xbe\xd3\x41\x0e\xa9\xc2\x42\xcd\x27\x1a\x4d\x7e\x25\x1d\xe8\xb4\x5d\x64\xdf\x38\xc5\x37\xc3\x69\x98\x70\xfa\x07\x3b\x12\x67\xbf\x77\x76\x90\x77\x68\xe4\x1a\xa5\x28\xfd\x35\x9a\xbe\x61\x66\x29\xa4\xe6\xa9\xf1\xd9\xd8\x76\x6e\x01\x0c\xec\x7b\x0b\xb4\xd0\x57\x39\xf8\x00\x23\x71\xbf\x17\x76\x47\x58\x5c\x94\x32\x01\x6d\x4a\x76\xd5\x36\xf2\xdc\x44\x57\x39\x76\x10\xf6\xc3\x28\x6e\xd5\x37\x5b\xa1\x37\x6f\xe7\x09\xf9\x7f\x35\x42\xd8\xf9\x8d\x2f\x79\xfd\x3b\x9a\x79\xff\x88\xfc\x53\x85\xa5\x15\x63\x64\xcc\x75\xe4\xed\xb5\x1c\x7e\x54\x73\x6d\xcb\xc9\x7e\x5c\xdb\x4c\x36\x5a\xbe\x6f\x2d\x7d\x4a\x3b\x4d\xa6\xc8\x64\x6d\x49\xbc\xac\xce\x95\xad\x7a\x5a\xeb\x22\x9d\xd5\x1f\x36\x6f\x95\xfa\x2f\xd0\xa5\x80\x7d\x5c\x3f\x4c\x37\xf2\xb4\x66\xd4\xec\x82\x4d\xfa\x86\x79\xab\x44\xc8\x47\x48\x2a\x1c\x3a\xe2\xcd\x97\x3c\x97\x09\x39\x3e\xa6\x3f\x46\xcc\xa5\x8a\x6b\x46\x37\x5b\x48\x15\x17\x8f\xdb\x41\xd8\x63\xcc\x79\x4e\x21\x50\x01\x1a\xce\xbe\x89\xc8\x8d\xb3\x5e\xd6\x18\x55\xe8\x91\xb0\x74\x87\x27\xc7\x41\x84\xc6\x7b\xa2\xed\x1a\x0b\x83\xd9\xc1\xfd\x3b\x12\xd3\xe9\xbd\x5b\x50\xaf\xb9\x5c\xbd\xe6\x4b\xc9\x49\xff\x1b\x9a\x79\xf7\x71\x41\x7a\xc8\x47\xe3\x69\xc4\x0f\x48\xf5\x5c\x9d\xdb\x7b\xc9\x3d\x75\xf6\xcb\xaa\x79\x94\x98\xbe\xb7\x26\x26\x25\x50\x9e\x85\x67\xc6\x05\xba\xa4\x6f\xd6\x37\x8a\xe9\xdb\x45\x6e\x49\x79\x52\x78\x73\x2c\xe9\x5b\xf4\x4d\xf0\x16\xc1\x53\xc2\x65\x9c\x12\x9e\x89\x87\xf2\xa7\xb5\xb3\x8d\xf7\xc9\x3d\xfa\x2e\xb9\x4f\x9a\xa6\xdc\x1c\x2b\x24\x5a\x72\x9b\x24\xe4\x1d\x9b\x48\x6f\x9a\xfd\xc8\x2b\xd0\x88\xf0\x33\xc5\x4f\xaf\x4c\x7f\xd5\xbf\xbd\xd1\x5c\x1c\x36\x5c\xaf\x40\x63\xc2\x91\x1f\xdf\x17\xd3\x54\x52\x91\x80\x69\x13\x69\xdf\x5c\x44\xf4\x19\x16\x67\xbf\x01\xe1\xde\x15\x7a\x5c\xf4\x30\x07\x05\xb9\xb0\xbb\x40\x97\xe0\x21\x21\x5a\x2e\x69\x1d\x17\xe8\xd2\x25\x6d\x4b\xf4\x46\x42\x8e\x7e\x79\x03\xf9\xcf\x0c\xd9\xc4\x9f\xd5\xbf\x9b\x31\xbf\x9a\x19\x76\x0d\x58\xdc\x4c\x0e\xa8\x2b\x27\x90\xbc\x43\x59\xb7\x1d\xb0\xb9\xeb\xf9\xc6\x49\x2f\x1c\x77\xfb\x62\x8e\x67\x20\x8a\x88\x9c\x30\x5c\xcf\xed\x07\x2d\x2c\xb5\x8c\xb1\x8b\x76\xc0\xb5\xe0\x51\x8f\x06\x27\xbd\x70\x2c\xa6\x2e\xa5\x16\x57\xbb\xa8\x23\x60\x44\x3b\x5e\xf3\x65\x01\xf2\x0b\x6e\x08\xe5\xc7\x8b\x88\x34\x18\x53\x37\x42\xea\x97\x7c\x2a\xb0\x6f\xcb\x35\x04\xf8\x26\xf4\x4b\x5e\x1e\xdf\x3e\x98\x32\xa2\xb0\x1c\xa4\x8f\x99\x01\x32\x89\x7b\x9a\x24\xb4\x81\xeb\xc8\x35\xea\xba\x3b\x44\xd8\xf0\xe8\xfb\xcc\x1d\xa7\x61\x07\x99\xa1\x0e\x8c\xa0\xa4\xc2\xc8\x59\xc1\xb5\x10\x10\x22\x6a\x01\x6f\xd4\x88\x1c\x5a\xfd\x15\x9a\x19\xaa\xe6\x4a\x56\x54\x57\xc0\xa7\x07\x5b\x1d\x73\x76\x49\x84\x81\xe4\x54\xac\x68\x60\xb9\x07\x57\x54\x0c\x67\x70\xb0\x01\x15\xe3\xca\x07\xa8\x2f\x31\x3c\x59\xe3\x88\xa0\x9f\x1c\x0f\x13\x0d\x7a\xcb\x3d\xa4\x2b\x65\x69\x4c\x0a\x37\x35\x37\x14\x16\xd6\x12\xcd\xeb\x7f\xb7\xc7\x1c\x4e\xbb\x11\x69\xd6\x11\x6d\x3c\xde\x9e\xa5\xbb\x9b\x1b\x0a\xd3\x6a\x36\x31\xa1\x7f\x72\x0f\xf9\xdf\x1a\xb9\x9e\x1d\x29\x16\x3d\xff\x22\x2f\x52\x7f\x8b\x46\xee\x69\xb8\x4b\x4d\x26\xde\x11\xc7\xf6\x17\x24\xaf\xaa\xa7\x36\xcb\x88\x6a\x11\x2d\x31\xb8\x27\x89\x60\x59\x45\x36\x4d\xcf\x35\xc4\x21\x25\x00\x23\x62\xa4\xda\x93\x27\x35\xb2\x19\x9c\x2d\xc7\x4f\xe9\x97\x34\x72\x7f\xc3\x06\x4e\xf3\x87\xab\x3a\x8c\xb7\xf4\x21\x71\x3b\xd9\xc4\xe8\x62\x55\xb7\xd5\x6c\xec\x31\x29\x2e\x41\x60\x05\x59\xf2\x8a\x0c\xd9\x2a\xac\x94\x5e\xa0\x7f\x4f\x23\x0f\x34\x6e\x2a\x7f\xfc\xd4\x74\x8d\xc6\x7e\x44\x93\x4f\x54\xb4\x57\x5e\x16\xcd\x8c\x8c\xd9\xb2\xb9\x42\xd9\x12\x7d\xda\x95\xec\xd4\xc4\xc7\xd8\xae\x78\xb6\xe4\x15\xd2\xf6\x1c\x7a\xd1\x9a\x2f\x39\x34\x90\xce\x41\xdc\x02\x3b\x20\xbf\x75\x60\x6a\x6c\x78\xf4\xc4\x58\x76\xbe\x40\xbe\xa3\x91\x6b\xa1\xdc\x53\x25\xae\x2e\x7d\x53\x33\x7f\x53\x1b\x96\x34\x51\x41\x4b\xe4\x37\xc5\xe1\xf4\x85\xa6\xef\x99\x7d\x86\x19\x78\xb3\xa1\xf9\x68\x96\xad\xa6\x48\x05\xa6\x05\xa3\x5f\xbc\xc3\x59\x99\xf6\x7c\xc9\x59\x32\x66\x2d\x0e\x03\x78\x2e\xe5\x14\x66\x78\xbc\x65\x93\x72\x3c\xe8\xfd\xd1\xb7\x6d\x83\x4a\xfb\x45\x43\xeb\x08\xa6\xdf\xd2\x48\x87\x3b\x1b\xe8\x9f\x6c\xc6\x4e\x56\xc1\x9b\x30\x5f\xa5\x9d\x3c\x9c\x1c\x58\x95\x38\x21\x4c\x9f\x6c\xdc\xb2\xc6\xa4\xef\x2d\xd8\x42\x3b\x9f\x61\x3b\x97\x61\x15\xe6\x6d\xb7\x1d\x66\x74\xf2\x36\x8d\x6c\xca\xd3\xd2\xdc\x6c\xa0\xbf\xae\x8e\x4a\x13\xeb\xa9\xb4\x34\x77\xb8\xd6\x94\x9d\xe0\x77\x93\xd3\x95\x5d\x33\xd2\x3e\x8c\xcf\xdb\x60\xce\xf2\x29\x97\x14\x85\xae\x40\x52\x44\xc8\xaf\x67\xc8\xb3\x8a\x79\x1a\xd7\x34\x6a\x07\x17\xf4\xf7\x67\x9a\x10\x02\x47\x46\xc6\x92\xaf\x25\x1a\xf9\xb7\x5a\xd5\xfd\x64\x83\x8f\x8c\x8c\x19\xe2\xaa\xd4\x78\xab\x17\x98\x55\x6f\x79\x01\x4b\x8e\x5e\x2c\x79\x41\xbc\x1a\x81\xee\xb2\x52\x43\x59\xcc\xd3\x78\x26\x17\xec\xe0\x02\xf9\x5b\x8d\x5c\xcb\x84\xd3\xf0\x2c\xf4\xd5\x92\xfe\xd5\x7a\xb0\x5d\xd4\x75\xbc\xa7\x4e\x2a\xef\x99\xef\xd4\xd4\x3f\xe5\xa1\x31\xa6\xe9\x09\x56\x25\xa7\x4f\x2e\x72\x22\x6c\x21\x02\xf2\x84\x88\x12\xa4\x68\x2b\xcf\x3d\x9a\x05\x4f\x4f\x65\xc4\xba\xb3\x4e\x99\xba\x79\xa1\xa1\xb1\x63\x63\xa1\xec\x08\xbb\x7f\xc9\x2b\x88\x4a\x38\xd9\x58\x96\x9b\x25\x1f\xcb\x90\xe7\x58\x8b\xc1\x98\x63\x05\xa1\x9d\xcf\x39\x5e\xfe\x02\x93\x8f\x54\x7f\x47\x86\x0c\x37\xfc\xdc\xe1\xb3\xd3\x55\x6f\x26\x26\xcb\x57\xb4\xb4\x47\x2a\x96\xed\xf0\xd9\xe9\x15\x9b\x30\x97\x39\x2f\xac\xc5\x80\xf2\xd6\xcf\xb0\xd6\xb3\xdb\x94\xfc\x69\x86\x6c\xc9\x3b\x96\x3d\x3f\x45\x67\xf5\x2f\xb4\x82\x81\xff\x64\x66\x44\xbc\x0f\x04\x50\x4b\xd0\x4f\x8c\x19\xbb\x5f\xb8\xcf\x83\xc5\x5f\x24\x2a\x34\x66\x68\xb8\x48\xa9\x6b\x54\x8a\x0d\xf8\xf4\xca\x8b\x50\x72\xd6\x18\xbb\x58\xa2\xf9\x90\xf7\x86\x50\x8f\x5d\xdb\xe1\xa6\xb1\x19\xaf\xec\x16\xb2\x06\x7c\x43\x34\x65\xad\xd8\x86\x26\x5c\x1c\x43\xe0\x62\x40\x23\xe2\x16\x9c\xe1\x75\x9e\x19\x69\xe3\x8e\xb1\x4d\x7c\x27\xf9\xa0\x46\x32\xb3\x79\xfd\xbd\x1a\x19\x68\xd8\xa5\x87\x47\x12\x13\xad\x74\x78\x24\x29\x85\x0e\xdb\x33\x3e\x35\x46\xe6\x2c\xd7\xa5\xce\x0a\xcc\x2c\xf2\xff\x68\x64\xf3\x2c\x9b\x14\xd4\xd7\xff\x46\x23\x7b\x1a\xb7\x98\x3f\x9c\x68\xf6\x53\x9a\xb8\x5a\xd1\x78\x71\xb1\x52\x8f\x6a\xd4\xd8\xea\x76\x02\x26\x6d\x87\x81\x51\x0e\xac\x62\xc4\x4e\x28\xd0\x12\x75\x0b\x41\xb4\x99\x44\xb5\x09\x18\x14\x58\x66\x76\x9e\x1a\x33\x94\x4d\x3e\xbf\xec\xba\x6c\x70\x7e\x34\x43\xb6\x16\x39\xca\x36\x1b\xe8\xdf\x6f\x46\x45\x3b\x12\x3d\x5e\x63\xbf\xfb\xb8\x26\x9f\xa8\xd8\x42\xe4\xe5\x3a\x2a\x9a\xc5\xbf\x3f\xfd\xbb\x97\xb7\x55\xd4\x52\xd3\xe4\xf7\x2a\x6a\xda\x4b\xc9\x46\xc7\xcb\x5b\x8e\x1e\x90\x5d\x0d\x7b\xe0\x38\x7b\x32\xf1\xcd\x07\xe1\x92\xfa\xb9\x7c\xc5\x3b\x4b\xfd\xf2\xe3\xc4\x52\xe1\x66\x38\x38\xd2\x5b\x62\xfb\x20\x5f\xd0\x08\xe1\xad\x3b\xe1\x15\xa8\xfe\x29\xcd\xfc\x90\x16\xff\x2d\x77\x17\x1b\xb8\xf6\xbc\xef\x40\xcb\x0b\x05\x9d\xd9\x4b\xfa\xd6\x58\x06\x27\x5d\x71\xd3\xa0\x43\x39\x61\xcd\x88\x9c\x95\xe6\x2d\x9b\x9d\x4c\x0d\xdf\x5a\x34\x40\x00\x72\x96\x1b\x9c\xe6\xb8\x9b\xe5\xe1\xf8\x25\x56\xcf\x3c\x87\xb1\x41\xca\x80\xa3\xb0\xe2\xa2\xc0\x4e\x5a\x89\x63\xdc\x77\x35\xb2\x25\x6f\x95\xac\x3c\xdb\x5e\xbf\xa5\x99\x6f\xd5\x86\xd3\xcc\x4b\x55\xe7\x0a\x38\x6e\xaa\xe4\xde\xa8\x90\x76\xca\xa4\xa8\xcc\x0f\x6a\x87\xc8\x41\x72\xa0\x69\xac\x2a\x1b\x35\x2d\xfb\xfc\xb2\x05\xb1\x41\x94\xc3\x23\xf9\x3a\x53\x17\x6d\xb7\x40\x7d\xfd\x0f\x9b\x52\x17\xe1\xd9\x1a\xcb\xe7\x0d\x1a\xbf\x9d\x5c\x3b\xbc\xf8\x96\xce\x8b\x4d\xad\x8d\xf9\xa5\xe0\x45\x4e\x3f\xaf\xa5\xbf\x54\x50\x56\xc6\x9b\x34\xb2\xf9\x45\x65\x6f\x66\x29\xa4\xfa\x13\xcd\x48\xc4\xe7\xf3\x87\x13\x1f\x75\x4c\x5c\x4c\x7e\x54\x74\x71\x99\x4a\xf0\xbb\x34\xb2\xd5\x7a\x71\xd9\xa7\xa0\xfc\xbe\x51\x23\xf7\x36\x56\x69\xa2\xc7\x13\xad\x3a\x2d\x2f\x57\xea\x2e\xec\xba\x31\x6a\x85\x16\x57\x61\xaa\x1b\x08\x2e\xf0\x76\xd4\xfb\x89\x2d\xe4\x4f\x34\xb2\xd1\x0e\xf2\x81\xad\x7f\xb1\x0e\x13\x46\x36\x6d\x7c\x7a\x64\x7a\xbc\xc6\x5c\xf8\x71\x0d\xee\x56\xb4\x8e\x5f\x5b\x6d\x65\x9c\x3c\xa5\x91\x1b\xc5\xd2\x1a\x71\xac\x20\x60\xca\x85\xfe\x56\xcd\xfc\x51\xed\xa4\xa0\x04\x4e\x2b\x77\x59\x99\x1c\x1d\x03\xcd\xb4\x1a\x46\x98\xa1\x8e\xe7\x16\x83\xac\x31\x06\x56\x56\x11\x48\x07\x82\xb9\x08\x0c\x2b\x56\x94\xa5\xfb\x36\x7f\x89\x67\x40\x59\x4a\xd4\x97\x90\x41\xbf\xa6\x91\x6b\xb8\x56\xcd\xe4\x67\xa0\x7f\x48\x33\xdf\xa4\x0d\xc7\x17\x62\x90\x14\xfc\xbb\xac\x25\x61\xee\x49\xa8\xe5\x62\x5d\xb5\x53\xfc\xf0\x36\xf5\xcf\xb3\x36\xd4\x39\x42\xff\x5b\x86\x6c\x61\x03\x36\x69\x85\x73\xfa\x3f\x64\x9a\x80\xa0\x8e\x8a\xa7\x93\x58\x49\x26\xba\x9c\x5c\x76\x7c\x6b\xf2\xfc\xa5\xfa\x07\x6a\x03\x80\x73\xaf\x44\x21\x22\x52\x48\x39\x55\x3a\xf2\x37\x2b\x07\x74\xb6\xcc\x03\x04\x71\x50\xb4\xdf\xe5\x5b\x15\xbc\x23\xdd\x0e\xd9\x6b\x70\x5e\x71\x9d\xa5\x3b\x8d\x53\x6e\x3f\x4c\xc4\x68\x2b\xac\xf6\xf8\xe3\x3e\x6f\x8b\x16\x87\xa2\xcf\x8e\x1f\x3f\x6e\x9c\x3c\x75\xda\x38\x7b\x6a\xea\x18\x67\x61\xcc\x97\x9d\xd0\xe6\x75\x49\xfa\xf6\x65\x1e\x07\x58\x93\x4a\x56\x38\x47\xbe\xaa\x91\x0e\x7f\xa6\xc0\xd6\xed\x50\xc3\x2e\x9f\xca\x8d\xd6\x58\xb5\xaf\xd7\xa6\x72\xa3\xc9\x2e\x9f\xb2\x0a\x5e\x60\xc0\x59\xc9\x18\xa5\xa0\x87\x2d\x4f\xe8\x2d\x4b\xc1\xf1\x67\x54\x01\xfe\x09\x8d\x90\x59\x87\x46\x90\xe6\xfb\xb5\xda\xfb\x9e\xa2\xd5\xd2\x8b\x35\xbe\x6e\xee\xb0\x2c\x2b\xf9\x8d\xc0\xa0\xb7\xf3\xd1\x2a\xaa\x12\x4d\xa5\x78\x7e\x0d\x48\x31\xc5\x9d\x0c\x2d\x26\x8a\x68\xde\x98\xb1\x98\x34\x2a\x39\xe5\x22\x13\x38\xbf\xd6\x41\x6e\x2b\x55\x34\x62\x8a\xc2\xf9\x66\xd2\x73\xec\xfc\x92\x7e\xa9\xc3\x7c\x7d\xc7\x59\x56\xfe\x9c\x55\x2a\x51\x57\x84\xd5\xa9\x16\x36\x82\x35\xed\x50\x2b\x3a\x67\x83\xfa\xcc\xcf\x4a\x12\xc5\x16\x56\x7b\x9f\x1a\x53\x14\x82\x73\x75\x17\xb8\xef\x08\x27\x65\x5b\x6e\x19\x1c\x04\x84\xa7\x67\xd5\x19\x2d\xe8\xe9\x33\x46\xc1\xdf\x33\xf9\x62\x61\xc9\xb5\xe6\xed\x3c\xbc\xab\x74\x42\xea\xfb\x6c\xd6\x4f\xd1\xfc\x52\xde\x81\x42\x22\x6b\x76\x4f\x56\x5e\x8d\x6c\x19\xf1\xa2\x11\x5e\x3a\xe2\x53\x79\xef\x25\x08\xfe\x6c\xc9\x56\x56\xd6\x4e\xb1\xe6\xf3\x41\xb1\xdd\x62\x85\x99\xf8\x39\xa5\x39\x2f\xf4\xdc\x0a\xb8\xea\x97\xb5\x26\x40\x88\xc9\x94\x37\x93\x67\xc3\xb4\x27\x92\x33\x92\x3f\xa1\x10\xc3\x94\x89\x51\x60\x4f\x2f\x0f\x77\xff\x90\x46\xae\x5b\x08\x4a\x73\x34\x82\x43\xf4\x4b\x1a\x39\xd4\x18\x3d\x12\xaf\xd8\x7e\x58\xb6\x9c\xaa\xef\x38\x7b\x46\x2d\x32\xf9\x01\x0b\xd3\x70\xab\x35\x33\xc1\x07\x22\x35\x89\x69\xf3\xfa\x3b\x9b\x39\xda\x0d\x47\x8f\xd7\x58\xfb\x67\xe5\x03\xa9\x0a\x13\xdc\x98\x16\xe7\xcc\x65\xe9\x4c\x6f\xd3\x48\x07\xd3\x98\xde\xd8\x8c\xe4\xad\xad\x2f\x4d\x56\x28\x4b\xd1\x3e\x13\x89\x20\x4e\x39\x8b\xf4\x1a\x7a\x51\xf0\x2d\xd8\x5b\x05\xdf\x5e\xa0\xbe\xd1\x9d\xa3\xa1\x15\x85\xf7\xe9\xc9\x92\x4f\x5c\x4b\x9e\x9b\x6a\xf2\x29\xe8\xef\xbc\xd6\x5c\x9c\xf4\x04\x55\x20\xcf\x26\x58\x3e\x3a\xe0\x08\xf5\x42\x06\x58\x62\x1a\x85\x5f\x76\x59\x6f\x58\x62\xb7\x3d\xcd\x69\x24\x81\xa4\x74\x46\x52\x65\x66\x49\xba\xd2\xb3\x0e\x13\x98\x1f\x0c\x74\xe8\xc1\xcb\x41\xd2\x72\xf5\x39\x82\x94\x96\xcb\xa5\xb4\x20\x03\x04\x19\x20\x09\xb7\x8c\x3f\xd5\xc8\x86\xa0\x44\xf3\xfa\x1f\x68\xa4\xbb\x09\x0b\x70\x61\xba\x44\xf3\xe6\xcf\x6a\xd3\x95\x86\x67\xe1\xbe\x0c\x41\x9a\x66\xe8\x9c\xb5\x60\x7b\xbe\xc4\x40\x6a\x60\xd9\xed\xfc\x22\xf6\x11\xfd\x96\x5b\xe8\xe7\x7c\x5e\xf2\xf6\x0c\x1b\x38\x60\xe5\xbd\x3e\x43\x7a\x9b\xfa\x34\x78\xdc\xfc\xa6\x76\xc2\x83\xe0\x09\x79\xea\x86\xce\x92\xa4\x75\x25\x98\xc2\xe2\xa3\x38\x20\xc9\xce\xcf\x6c\xd6\xcb\x59\x0b\xf1\x4e\x00\x6a\x9a\xf4\x4a\x22\xec\x42\x14\x2a\x48\x38\x55\x4e\x45\x4e\xbc\xab\xdd\x33\x4f\x6b\xc7\x1a\x93\x7e\xba\xf5\xed\xfd\x86\x4c\xa4\x58\x41\xee\x31\x14\x3a\x10\x79\xfb\xe6\x84\xcf\xaa\xd2\x9d\x92\xcb\xa6\x7f\x6f\x93\x39\xaa\x5e\x88\x8f\xa5\xc2\xf9\x5f\xfa\xea\xe7\xcb\xbe\x9f\x60\xd5\x49\xb1\xcd\xba\xfb\x92\x06\xf4\xe2\x4b\x9a\x18\xd9\xc4\xf6\xf0\xc6\x4d\xe4\x21\xb2\x59\x78\x9d\xea\x27\xcc\x07\x8e\x26\xa9\xdf\xe2\x4e\x14\x39\x98\xc9\xb6\xa8\x76\xce\x45\x87\x78\x4f\xa1\x6f\xb9\x01\xd4\x9c\x38\x68\x3f\x26\xdd\x32\x4f\x9b\x47\x1e\x74\xed\x17\x31\x21\xef\xb9\xb4\x7f\xd1\xf3\x0b\x7d\xb1\x6c\x32\x84\xcb\xe6\x6c\xec\x63\xca\xbf\x83\x1d\x71\xea\x94\xff\x2b\x9a\x9c\xad\xc0\xf9\x16\xdc\xd1\x88\xe5\x91\x98\x78\xb2\x4c\x90\x94\x6c\xc2\x9d\xf6\x59\x73\x0e\x5b\x4e\x40\xfb\x8c\x07\xdd\x0b\xae\xb7\xb8\x7c\xa3\xe2\xa2\xe7\x5f\x70\x3c\xab\x10\x0c\x94\x3c\xfe\x4f\x3f\x3b\x94\x81\x32\xbe\x8d\xfd\x15\x33\x1d\xd5\x96\xbf\x35\xe2\x7c\xff\xb8\x66\xbe\xec\x74\x2a\xe9\x3b\xd1\xe4\xd5\x69\x95\x4b\xae\x63\xdd\x3d\xe9\x7b\x33\x14\x9c\xb5\x1e\x6d\xdd\xc1\xcc\x3c\x0e\x03\x07\xae\x59\xe0\x39\x3e\x43\x0b\x15\x5f\x45\x7e\x42\x23\x3a\xab\xf0\xb4\x1c\x5e\xa8\xf5\x25\xad\xd7\xfa\x40\x5c\x6b\xa2\x2e\x65\x06\x45\x27\x3c\xcf\x95\x53\x04\x00\x23\x08\x3f\x97\x25\xdf\xce\x90\x8a\x08\xbc\x73\x3c\x0e\x10\x34\x99\xd5\xe3\x5d\xa0\x6e\x92\x94\xfe\xcb\x19\x73\x4f\xf5\xe5\x68\x48\x45\x3c\x19\x30\xf6\x45\x71\xec\x78\x88\xeb\x4b\xda\x46\xb8\x70\x49\x7b\x76\x1c\x2c\x50\x7a\xe2\x25\xd6\xe9\x57\x34\xa6\x05\xa7\x3d\xa6\xff\x48\xeb\xdd\x35\x3a\x56\x5d\x5e\xc2\xab\xce\x9b\x55\xc3\x18\xca\x08\xdd\x22\x7c\x12\x8f\x1b\x48\xf6\x12\xfe\x19\x7a\xd6\xbc\x13\xba\x21\x76\x63\xb6\x5e\x54\xa6\xc6\x0c\xb5\x7c\xa6\xd7\xc0\xd3\xea\x7c\xfb\xc0\x46\xb2\xb3\x56\xb4\xe3\x5d\x33\x34\xb4\x76\x65\x4f\xd0\xd0\xb7\xf3\x60\x7a\x10\x9d\xfd\xaf\x1b\xcc\x7b\xab\xae\xaa\xac\x70\x21\x0c\x45\xa0\x49\x88\x66\x36\x0f\xcf\x27\x3a\xf4\xc3\x1b\xc8\x3f\x6b\x44\xb7\x16\x28\x3b\x03\x3c\x18\xda\x8e\xfd\x62\xf8\x4a\xfd\x4f\xb4\xc8\x05\xf7\x37\x34\x51\xd8\x70\xd5\x53\xd1\x27\x26\x6b\x93\x61\xb3\xe0\xf1\xb8\xbf\x84\x0e\xc8\x9b\x61\x58\x79\xdf\x0b\x02\x11\x43\xcc\xa1\x0b\x96\x1b\x82\xb9\xbe\x2f\x56\x0c\x05\x45\x90\x1d\x49\xd9\x7e\x9a\x28\x2c\x8a\x3a\x96\xa8\x52\xd6\x11\xc9\x50\x56\x60\xd2\xc5\xf7\x57\x34\x72\xad\x68\x19\xf4\x9c\xfe\x64\x1d\xac\xa7\x09\x1b\x87\x59\x54\x4b\x5b\x4e\x87\x34\xe8\x07\xa3\x1b\xbe\xfd\x45\xa2\x9e\x1e\xf2\x0a\x8d\x6c\x84\xf2\xf4\x8b\x97\xd7\xe2\xfd\x0b\x0d\x9b\x2a\xda\x56\xd1\x04\x80\x9b\xee\x4c\x63\xa4\xf1\xc0\x2a\x11\x7d\xeb\x6d\x1d\xe6\x7d\xc9\x4b\x00\x18\x85\x11\x09\x33\x10\xd6\xb8\x0a\xdf\x0f\x79\x22\x4c\x4c\xd1\x2f\x64\xc8\xf3\xc9\x46\x87\xa9\x2c\xfa\x51\xf3\xc0\x71\xf6\x83\xb5\x3d\x0a\xe6\x02\x77\x04\xb9\x93\x07\xe9\x92\x5c\xce\x64\xa9\x89\x45\x37\x49\x36\xf8\x9e\x43\x59\x89\x53\x9e\x23\x1c\xbe\x64\x7c\x18\x76\xa5\x85\x12\x61\x2f\x3b\x6a\x1e\x88\xb6\xb2\xb8\x44\xd8\xd0\x5a\x28\xb1\x1c\x50\x9f\x95\xf8\x60\x10\xc5\xe5\x8f\x4a\x84\x60\xee\xcb\x2d\xf1\xaf\x33\xe4\xee\x1a\xf1\x4e\xb2\x63\xe2\x88\x75\xd4\x76\xc3\x40\xff\x44\xc6\x3c\x96\xb8\x12\x87\x3d\x99\x83\x3f\x45\xb8\x21\xa6\x0a\xcd\x79\x8b\x00\x15\x44\x67\xb4\xd8\x95\x4d\x44\xe8\x28\x24\x0f\xe3\x5f\xd7\xc8\xd7\x34\xb2\x65\x96\xc7\x53\x09\xf4\xdf\xd3\xcc\x42\xf4\x47\x22\x39\x03\x0f\x73\xd2\x1d\xf4\x24\xa3\xa7\xa4\x54\x00\x1a\xb2\x27\xe2\x09\x1b\xa1\x57\xf2\x1c\xaf\xb8\x64\x58\x8b\x10\x2f\xd9\x2b\x33\x95\x2d\xc1\x14\xae\x1f\x71\x3e\xd1\x31\x22\xee\x4b\x93\xde\x4e\xdf\xda\x4c\x72\x97\xef\x81\xa4\xbf\x6b\xb3\x50\x58\x13\x3d\xf7\xea\xcd\xe4\x13\x99\x54\x6d\xe1\x67\x32\xad\xef\x7f\xdf\xd2\xaa\x0b\x4c\xec\x7f\x49\x25\xa2\x42\x17\xad\xaf\x49\x18\xe3\xb3\x3c\x1e\x57\x1f\xc7\x97\x2d\x70\xd5\x53\x34\x92\x68\xa9\x80\xb7\x1e\xdb\xa6\x5c\x1e\x52\x45\x38\xb5\x4a\x0d\x38\x90\xda\x04\x77\x38\x2d\x24\xa2\x6f\x16\x64\xfc\x22\x36\x51\xa2\x35\x20\x24\x1b\xd8\x06\xc8\x4b\xc9\xf5\xac\xe5\x0f\x02\x2c\x00\x7d\xf6\x78\xeb\x5d\x36\x10\x4a\x45\x41\x86\x0a\x63\xdd\x22\xd2\xbc\x40\x03\xec\x20\xfe\x00\x32\x1d\x1f\x2f\x8e\x9a\x07\xc0\xb3\xd4\xa8\x3a\x5e\x00\x31\x21\x79\xb0\x50\x36\x3b\xce\x40\x50\x97\xf3\x7e\x79\xb2\x18\x30\xcd\x19\xdf\xa6\xb3\x95\x67\x88\x9a\xaf\x7e\x25\x3e\x34\xfc\xae\x66\x7e\x32\x3a\x34\x54\xea\xdc\x70\x50\x61\x57\xd3\x8f\x09\xc3\xd2\x99\x70\x94\xba\x10\xce\xd1\x72\x0b\xc6\x61\x1e\x49\x44\xf1\x6e\x52\x0e\xb8\x26\x94\x61\xb2\xa1\x36\x45\x39\x66\x32\xfe\x94\xc9\xea\x32\xd5\x99\x93\x1a\x35\x47\x3c\xa6\x7e\xd4\x9c\x10\xc1\xe7\xcd\xe9\x1a\x27\x88\x63\xac\x3e\xb5\x65\x82\xa6\x61\x98\xd1\xa7\x98\x7d\x86\xc9\x3f\xc6\xe4\x5f\x63\xf2\xcf\x49\xd6\xf4\x2a\x42\x96\xcb\x71\xd5\xbf\xbc\xd5\x7c\x43\x22\xde\x99\x20\xb8\xc6\x3c\x92\xe6\x42\x9f\xc1\x6b\x92\x20\x74\x79\xc1\xcf\xb6\xcc\x7b\xae\x1d\x7a\x7e\xf2\x38\xfc\xe4\x16\xf2\xa4\x46\xe4\x3d\xfd\xa7\x35\xf3\x65\xc2\xe3\xa6\x30\x64\x9c\x10\x97\xd3\x40\x5d\xf8\xa2\xe8\xbd\xe5\x98\xe3\x38\x93\x38\xb6\xc8\x6d\x9b\xf3\x16\xfb\x43\xaf\xbf\x1c\xd0\x7e\x3b\xac\x63\x07\xa6\x22\x3e\xdb\xa3\xe6\xe4\x29\x11\x2f\x68\xc8\x78\x30\xe0\x73\x04\x54\x19\x61\x03\xf0\x3d\x2f\xec\x33\x7c\x0b\xc2\xc7\xca\xe0\xb7\xb3\x65\xc7\xe1\xad\x0e\x7d\x4a\xfb\x22\x41\xc2\xbe\x6d\xa0\xc2\x50\x13\x07\x61\xfb\x2d\xcd\xfc\xb8\x16\xd7\x56\x15\x3c\xcd\xe8\x66\x8f\x0e\x2c\xfa\x76\x48\x7b\x38\x5c\x53\x33\x5c\x9b\xbc\x19\x88\x80\xbd\xb6\x2b\x12\x1e\x9c\x60\x0d\x4f\xc7\x7a\x5b\xed\x45\x25\x1e\xdb\x67\x34\x42\x02\x9a\xf7\x69\x08\xa6\x8f\x8f\x6a\xe6\xcf\x29\x9f\x34\x2d\xef\x44\x1b\x41\x09\x82\xdf\x79\xe0\x3f\x03\x78\x2f\x13\x31\x4c\x2d\x49\xf6\x19\x0d\xf3\xd0\x8a\x01\xa6\x9f\x64\x79\x05\xed\xfc\x82\x78\x44\xfe\x4e\x23\x5b\x79\xf9\x53\x74\x56\xff\xb3\x66\x98\xf4\xd3\xd1\xe3\x82\x8c\xfa\xde\xaa\x2f\x16\xbc\x54\x19\x8f\x32\xda\x4a\x92\x07\x60\x43\x7c\x57\x6a\x17\x08\xff\xa9\xb6\x7d\x33\x79\x87\x26\xf4\xc0\x37\x69\xe6\x2b\xb4\xc4\x24\x97\x01\xa7\x7c\xb0\x9d\x83\x4e\xe8\x5a\xf3\xc9\x79\x0c\xd4\x94\x95\x19\x83\xff\xec\x20\x9d\x69\x4c\x0b\x30\x21\xf9\xfa\x37\x3a\xcc\x7b\xc5\x6f\x69\x5f\xb1\xe2\x74\x15\x22\x04\x95\x30\xe9\x4b\x11\x6f\x5d\xa0\x6e\x42\x1c\xfd\x54\x07\xf9\x09\x8d\x6c\x0d\xf3\xa5\x69\x2f\x7f\x81\x86\xfa\x13\xcd\x0c\xf6\xe9\x91\x49\xfe\xf8\x30\x54\x63\x9e\x92\x17\x64\xc4\x66\x30\xcb\x45\x71\xb1\xdc\x05\xcf\x59\xe0\x8e\x66\xa7\x47\x26\xc1\xfd\x28\x0b\xbf\xe6\x3c\xef\x02\xe7\x60\x2c\x51\x85\x87\xc1\xda\xb4\x81\x5e\xa4\x79\xfd\x35\x1a\xd9\xd1\x38\x5c\xc9\x45\x9a\x17\x2d\x79\xc1\x29\xc1\x2f\x82\x38\x8c\x62\x83\x05\x61\xe4\x39\x8e\xb7\xc8\xda\xa0\x64\xa8\x88\xa2\x4b\x67\x0d\x56\x84\xd2\x76\x25\xa6\x1b\x9b\xa5\xd6\x05\x9a\x25\x17\xc8\x66\x36\xba\x47\x68\xa8\x9f\x27\xd9\xc6\x94\x98\xd3\xa7\x27\x8f\xc8\x1e\x8a\xfe\xac\xa8\x83\x15\x28\x15\x89\xd0\x63\xa7\xf1\x59\xcf\x9f\xcf\x92\xbf\xcf\x24\xe0\x5b\x7f\xc6\xca\x4b\x15\x97\x1d\xaa\xd8\xba\xfc\x6c\xc6\x3c\x24\x7e\xc7\xc8\xad\x1a\x38\x11\x46\x1f\xd4\x7a\xa9\xb7\xc1\xf1\x8b\x53\x70\xcb\x01\x2d\x5c\xd2\xb6\x58\x25\xfb\x88\xef\x95\x4b\x97\x34\xb0\x40\xa5\x45\x4f\xfc\xba\x46\x26\x89\x7c\x50\x1f\x35\xf7\x0e\x4f\x8e\xc3\xef\x68\x8d\x00\xf0\xac\x68\x46\x02\x2a\x10\x5c\xdf\x68\xc5\x17\xd4\xf9\x9d\x13\x16\xaf\x21\xb3\x3f\xb2\x77\xa9\xf0\x64\xb3\x65\x40\x50\xc7\x21\xb3\x5f\xa5\x9a\x47\x21\xe2\x9a\x2a\xe3\xcf\x3b\xc8\x76\xa5\xa7\xa3\x2c\x39\xf2\x3c\x31\x3d\x0e\xce\xb1\x25\x9a\xd7\x3f\xd2\x61\x3e\xa2\xfc\x2d\x20\xa1\xea\x50\x95\xe9\x1e\x80\x8e\x6a\xe8\x0d\x78\x40\x10\x87\x1b\x56\x99\xea\xee\x15\xe8\x25\x6d\xb3\xb8\x9b\xe8\xfe\x5f\xc9\x90\x5f\xca\x90\xe8\x96\xfe\x54\xc6\xfc\x71\x4d\x96\x12\x28\x69\x9c\xd4\x96\x28\x35\x8e\x8a\x67\xa5\xee\x2f\x2b\x04\x45\x90\x27\xbb\x8b\x1a\x25\xf4\xa2\x80\x27\x93\x28\xbb\xb2\x99\x22\x77\x0c\x27\xa7\xe5\xbd\xf9\xc8\x9b\x55\xd5\x1f\x86\xc8\xbe\x3a\x64\xc8\x1a\x5d\xcb\x9b\xd7\xbc\xbb\x7c\x53\x2e\xf8\x6c\x0a\x10\xf2\xca\x2d\xe4\x60\xcb\x07\xc6\xe3\x76\x10\xea\xbf\xb9\xf9\x92\xb6\x11\xe2\xf3\x27\x86\xe4\xe7\x37\x11\x8b\xf0\xeb\xfa\x43\x6a\x0f\x1c\x23\xe3\xe4\x48\x9b\x62\x66\xa0\x55\xf8\x32\xac\xc2\xe3\x8a\x51\x78\x39\x4c\xeb\xf8\x30\xca\xc6\xff\x04\x0d\x2d\x64\x37\x5c\x26\xbb\xe1\x69\xed\x25\x8d\x2d\x9b\x0f\xe9\x67\x64\x38\x83\xc4\x32\xa9\x08\xfe\x53\x77\xb9\xa6\x06\x05\xfa\xd7\x9b\xc8\xf3\x6a\xc5\x38\xd3\xbf\x76\x93\xf9\xda\x96\xc3\xf6\x62\x04\xde\xb6\x47\xe0\x95\x8b\xf6\x92\x76\x3d\x57\x1b\x69\x81\x93\x33\x92\xe1\x1f\x9e\x4d\x26\xc8\xc6\x3c\xc4\x33\x1d\x8e\x8c\x29\x7d\xa7\xd9\xde\x2f\x53\xcf\xf0\x6c\x14\x4a\x6c\xab\x39\x2b\x30\xbc\x3c\x20\x57\x85\xa4\xe1\xe2\xc1\x18\x41\x9a\x30\x0f\x0e\x5f\x4e\x74\xb2\x67\x3c\x33\xe5\x4d\x1a\xd9\xc4\xd7\xb8\xfe\xaa\xe5\xc6\x12\x3c\xcd\x33\xc6\x45\x31\x7a\xe2\x10\x7b\xf1\x28\x65\x8d\x69\x39\x8b\x2c\x36\xa3\xfc\xd8\x6f\x00\xa6\x6c\x00\x7d\xc0\x86\x85\xf7\x72\x16\xe5\xf3\xe5\xb2\xcf\x7e\x4a\xe3\x66\xf9\xd8\xe2\xfb\xc4\x65\x04\x7e\x3d\x7a\x3a\xc2\xb6\xad\x50\xba\x60\x50\x1e\xa4\x8e\x93\x77\xa2\x55\x28\xf3\x12\xc9\x25\xba\x68\x05\xd0\xad\x7e\x81\x16\xb2\xc4\x8f\xa3\x5e\x17\x5b\xf0\x87\xdd\x7d\x6a\xf9\x41\xae\x49\x89\xe8\x4a\xf0\x69\x31\x53\xf5\x87\xcd\x13\x27\xdb\x19\x77\x5a\xed\xfd\x07\xd3\x22\x0c\x3e\x60\xee\x6e\x21\x8c\x60\x45\x7c\x95\x28\x36\xe4\x13\xcd\xaf\x53\x1e\x14\x72\x7a\x74\x05\x42\x41\x9e\x91\x31\xb3\x8f\x9b\x87\xce\x2e\x2b\x4e\xf6\x54\x65\x9c\x6c\xf5\x43\x2d\x81\x4c\xbf\xc0\x3c\x7e\xba\x8d\x01\x0d\xd5\x2a\x7e\x5a\x93\xd6\x80\x37\x6a\xe6\xcb\x35\xa0\x97\x05\x95\x72\xaa\xaf\xbe\xa0\xe2\x53\x85\xed\xcd\x11\x6b\x23\x61\x4e\x88\xad\x3e\x71\xfc\x0f\x29\xe6\x23\x73\x0b\xdf\x76\x2a\x63\x91\x5f\x3f\x9b\x0c\xdb\xfc\xd6\xcb\x58\xbd\x0f\xa5\xaf\x5e\x5a\x11\xf2\x58\x2e\x52\xa3\xfb\xb4\x00\xd0\x85\xb9\x08\xf2\x34\x95\x78\x66\x29\xd7\x60\x23\xc2\x36\xaf\x6c\x0f\x79\x9c\x54\xec\xe8\xfa\x43\x2d\x2c\xea\xbb\x4e\x57\xe4\x5c\x4a\x46\x54\xe5\x91\x5d\xf1\xe4\x74\x19\x27\xa7\xb2\x1a\x4c\x7b\xee\x32\x63\x69\xf3\xd9\xd1\x44\xe8\xec\xa7\xb5\x13\x8d\x0f\x09\xbd\x7a\x77\x7f\xed\x20\xa0\x49\x02\xe4\xa7\x36\x91\xac\x32\x9f\x5c\x1a\x2e\x7a\xfe\x05\x9e\xe7\x9c\x1f\xbc\xc7\xdd\xa2\x4f\x83\x00\xdc\xf7\x00\xdf\xf9\xb1\x4d\xe6\x68\xe5\xc5\x7a\x29\x49\xf8\x00\x5b\x51\x26\x22\x43\xbc\x9b\xb4\xc8\x7f\x7c\x23\x79\xb2\x03\x02\x16\x46\x19\x0e\xde\xde\x61\xbe\xb6\x43\xf1\x0a\x01\x5c\x4a\xea\x0e\xf5\xf2\x1b\x08\x91\x23\x22\xd7\x72\x3c\x06\x9c\x0f\x45\x7c\x2f\xc7\xf1\x16\x45\xf6\x26\x7b\x16\x56\x4c\x68\x98\xb3\x8e\xb5\xe0\xf9\x81\xa9\xa4\x08\x8d\x8a\x8d\xd9\xaf\xac\xd2\xb8\x36\x48\x48\x6f\x08\x0c\xbb\xcf\x58\xf2\xca\x30\xdb\xe1\x9c\x13\x97\x3c\x19\x27\xcc\x8d\x84\x18\xcf\xa8\x18\x85\x3f\x4e\x06\x4f\x16\x8d\x4c\x81\x5f\x39\x13\xa9\xe0\xcd\x5b\xb6\xdb\x5f\xf2\xe9\xac\x7d\x91\x16\xb8\x55\x24\xca\xde\x07\x46\xa5\x5d\xf7\xec\x54\x42\xdc\x32\xf1\xc2\x43\x00\x8b\xcd\xd0\xb4\xf2\xf3\x94\xad\x0c\x9b\x8f\x43\x7f\x5c\xb7\x59\x99\xe8\xcf\x9e\x9f\x2f\x87\x95\xf1\x69\xc9\xab\x33\x84\xc4\x69\x80\xf5\xef\x6b\xe4\x58\x4d\x01\xd5\x60\x42\xc5\x9d\x13\xcb\xae\xf7\x6b\x4a\x97\x09\xe4\xce\xbd\xc0\x7d\xc6\xf2\xe5\x20\xf4\xe6\x63\xe9\x23\x00\x5d\x38\xb6\x15\xb8\x45\xd5\x72\x2a\xb2\xf7\x2a\x6c\xd6\x64\x1f\xc3\x89\x44\xbc\x62\x57\x4d\x25\x25\x19\x31\xd8\x1d\x0d\x7a\x31\xf4\x2d\x25\xff\x71\x96\xfc\xdd\x96\x44\x98\xc0\x54\x32\x4b\x1c\x68\x56\xff\x95\x2d\xe6\x48\xf5\xe5\xca\x1c\x3b\xa9\x24\x62\x85\xdc\x92\x5c\x37\xdf\xda\x4c\xbe\x9a\x21\x1b\xd9\x21\x6c\x49\xff\x42\xc6\xfc\x54\x06\x7e\x26\x48\x2c\x52\xfc\x47\x22\x97\x27\xbe\x93\x21\x9e\xa3\x9c\x81\xa1\x6f\xcd\xce\xda\xf9\x3e\xc3\xca\xb3\x6d\x4b\x68\x16\x8b\x73\x56\x48\xd9\x96\x15\x87\x1a\x00\xb3\x6e\xb4\x1d\xc8\x76\x19\xc3\xa0\xdb\x08\x6a\x97\xac\xdf\x72\x8d\x32\xb7\xb2\x47\x01\x0c\x92\x01\xc5\xab\x4e\xf0\x32\x3e\x1f\x6f\x75\xe2\x65\x03\x34\x5f\xab\xb0\xc4\xd7\x5e\x32\x72\x3a\x57\x15\x80\xbe\xc7\xba\x20\x02\x04\xa0\xf1\x33\xd4\x30\x43\xbf\x4c\x4d\x3e\x1d\x20\x53\x1d\xa7\x51\x47\xed\x17\x2c\xbd\xc8\x3a\xf9\xe7\x19\xb2\x19\x82\x71\xb8\x45\xfd\x0f\x32\xe6\x67\x32\xe2\x0f\x58\x16\x6a\x4a\x4a\x5e\x99\x48\x85\xcd\x5d\x98\xc2\x28\xe9\x5c\x32\x0b\x1b\xe8\x2f\x4a\xcd\xfc\x8b\xbc\x59\xa5\x09\x7c\x62\xc6\x43\x9f\xcc\x13\xce\x64\x9f\x2f\xc9\x94\xa2\xe2\x78\x1f\xe5\xde\x53\x4a\x0d\x00\x5c\xbb\xb6\xd3\x57\xdd\xc9\x05\x0a\x5b\x72\x14\xf2\x98\x95\xa4\x90\x14\x2a\xf2\xa8\xcc\x50\x99\x27\x5d\x66\x85\x8d\x26\xf2\xb4\x63\xe7\xe9\xe9\xb8\xce\x98\x26\xaf\x66\x5f\x4f\xf6\xed\x47\x32\xe4\x1a\xa5\x99\xfa\xbb\x33\xe6\x9b\x32\x6a\xcf\x34\x9a\xbd\x89\x6f\x6c\x76\xda\x8d\x2c\x6b\xa2\x85\x1e\xb8\xb9\xc7\x91\x1a\xd5\xfa\x21\x99\xab\xda\x86\x15\xee\xb0\x7f\xda\x42\x6a\x91\xc3\x44\xac\xfa\x55\x93\x36\xb8\x2e\x70\x5d\xac\x99\x75\x81\x5b\xdf\x4a\x6c\x7d\xbf\x90\x21\xb7\xa8\x2a\x9c\x57\xe0\x67\xcc\x05\xea\xcf\x51\xab\xa0\xbf\x39\x63\x4e\x45\x7f\xb0\xb3\x62\x19\xce\x4e\x95\x92\x45\xea\x68\x5e\xf4\xa8\x15\x04\x5e\xde\xb6\xe2\x4c\x90\x3c\xba\x95\x48\xa7\x99\xf4\x0a\xd0\xc8\x07\x35\xb2\xa5\xe4\x15\x0e\x33\x2d\x57\xff\x5f\x9a\x79\x72\x52\xfc\x51\x59\xd1\xac\xb8\xb8\xbc\xea\xda\x1b\x5b\xe8\xab\x5b\xc8\xee\x7a\xde\x2a\x5c\x4a\x0b\xdf\x94\x05\x9b\x2e\x0a\x27\x8a\x77\x6e\x31\x47\xab\xae\x56\x3b\xac\x80\x84\x04\x8f\x8e\x0a\x1a\x50\xe4\xc1\x92\x4c\xc4\xb7\x99\xbc\x65\x23\xd9\x6a\x95\x0b\x36\x44\x25\xd4\x5f\xb5\xd1\xfc\xfb\x0d\xc3\xd1\x9f\x3c\xb7\xb7\xf8\x4b\xc8\xec\x59\x9b\xcd\xc2\xfc\x9c\x17\x50\x37\x3a\xed\x28\x55\x45\x81\xa8\x2d\x81\x05\xb2\x89\xe7\x08\x73\xcc\x8c\x27\x16\xb2\xf2\x1d\xdc\x9a\x03\x7e\x26\xc6\xb0\xab\xd4\x01\xfa\xbc\xbb\x94\xb8\xc2\xe1\x24\x98\xfa\x41\xcc\xe3\xab\x28\x11\x0e\x99\x56\xfc\x09\x22\xcf\x39\xd4\xd1\x15\xc4\x77\xd8\x52\x14\x68\x42\x75\x21\x90\x7f\x80\x1f\x11\x69\x18\x87\x20\xce\xc6\xe5\x72\x51\x25\x96\x4f\x14\xcc\x55\x66\xde\x8e\xbf\x3c\xa5\xfb\xd4\xcc\xd4\x32\x07\x25\x07\xa2\x2a\xcb\x07\x9e\xb8\xc8\xba\x2d\xa4\xa8\xda\xca\x40\x66\x26\x95\xd5\x00\x8d\x9c\xf3\x10\x12\x8f\xf2\x0a\x41\xd2\xf0\x34\x28\x15\x35\x8a\x0a\xb9\x61\x4e\xde\x93\xe3\xca\x33\x1d\x72\xe9\xd0\xa7\xcc\x32\x3b\xe0\x1f\x6f\x58\x45\xcb\x76\x45\x46\x6f\x59\xa6\xe8\x58\x25\x92\x30\xeb\x57\x91\x1f\xb5\x0e\x51\xb2\x48\xae\x4b\xd4\xad\x9f\x31\x8f\x0e\x27\x1b\x53\x29\xba\xa3\x06\x41\xde\x90\x8a\xf5\x6c\x19\x5c\x3a\x02\xcf\x2f\x21\xc0\x8e\x92\x8d\xd4\xf7\x3d\x5f\x3f\x64\xee\x1a\x63\x3f\x6a\x17\x0c\xd8\xa6\xdb\x05\xf8\x52\x7e\x8e\xe6\x2f\x24\x69\x2f\x2f\x15\xc4\xb7\x90\xec\xab\x79\xc4\xad\xb1\xd8\x1f\x0c\xa8\x3f\xee\xce\x7a\xe6\x3e\x95\x26\x17\x5d\xad\xfa\x1a\x60\x38\x72\x10\x45\x3a\x74\x7d\xef\xda\x7a\xc4\x8c\x66\x48\xfc\x1f\xbb\xd6\x7c\xac\xf1\x63\x32\x73\xb3\xc8\x61\xae\x68\x82\xb5\x2d\xc9\x02\xf4\xab\xeb\xd5\xfa\xf1\x6b\xc8\x6c\x6c\x34\x7c\xa1\x79\x32\xe2\x99\xc7\x91\x9d\x8c\x36\x31\xd1\x8f\x4b\xec\x39\x67\xde\x13\xa5\x1e\x8d\x77\x62\x63\x79\xe4\xf4\xb7\xc5\xe4\xf4\xd7\x69\xe6\x0f\xd7\x70\x61\x5d\x25\x6e\xba\xda\xb0\x77\x6c\x14\x38\xfe\x9b\x36\x9a\xaf\xd8\xd8\x2c\xc7\x9c\xc9\xed\x26\xf8\xe5\x84\x0c\xbb\xca\x73\xca\x54\x90\xfe\x11\x0b\xb6\x05\xb5\x0d\xc8\xac\x38\x41\x79\x26\xda\x1a\xfb\x54\xf7\x64\xb5\x7f\xd5\xb4\x3f\x3c\x5e\x86\xd4\xdf\x45\x96\x9f\x08\x61\xb3\x8b\x2e\xf5\x59\x43\x64\x1b\xdb\xdb\x8a\x02\x14\xaa\xb6\x41\xf4\x7c\xed\x76\x88\xde\xa9\xdb\x0e\x31\x41\xea\xb5\x82\x17\x69\x08\xe3\x4d\xe8\xf1\x1a\xf9\xd0\xc5\x6b\x8c\x55\xa9\x76\x14\xef\x84\xca\xb1\x9c\x2f\x87\x3c\xc8\x11\xbd\x98\x77\xca\x81\xbd\x40\x9b\x9f\x6d\x71\xe2\x2c\x9e\x6b\xbd\x60\x78\xb0\xc3\x14\xc0\x98\x48\x4e\x45\x8c\xd0\x0a\x39\xc0\xd9\x12\xd2\x59\xc6\x71\xbc\xc5\xc8\xab\x4a\x4c\x4d\xf4\x0b\x6a\xd1\x2f\xe8\xf5\x5a\x95\x63\xd0\x8b\x5b\xef\xb3\x43\xc9\xa2\x2a\xdd\x88\x1b\x3b\x0a\xfd\xf5\xd6\x54\x0f\xcb\xe3\xf6\xbc\x1d\x4e\xb1\x0f\x04\xca\xdf\xa7\xb6\x9a\xfd\xc9\x4b\x49\x96\x65\x7c\xcf\x00\x02\x60\x36\x95\x21\xf8\x4e\x4c\xf4\x74\xd9\xbc\x84\x2f\x68\x11\xc7\xf2\x37\x34\xf3\xe5\xda\x38\xfb\x59\x73\x2c\x78\xa7\xa4\xb7\xb4\x5e\x24\x83\x04\xa4\x3e\xc0\xfd\x7a\xfa\x65\x73\xfa\xe3\x50\x4a\x03\xaa\x02\x38\x40\xfa\x9b\x20\xa6\xc7\xcd\x43\x8b\xe4\x65\x58\x24\xff\x50\xe5\x51\xfd\xf6\x72\x7c\xca\xab\xd9\x9c\xe6\x2b\x63\x16\x15\xcc\xa2\x55\x63\x50\x29\x1f\xf7\xb4\x76\xa6\xb1\xb1\x73\xb7\x3e\x98\x96\xe0\x29\x29\x9a\x2a\xf3\x3b\xbd\xaf\x8f\xdc\xa3\x6a\xf0\x85\x79\x3b\x60\x77\x7d\x5a\xb4\x81\x4a\x2d\x62\x4c\x9c\x11\x19\xed\xdc\xe2\x59\x3a\x33\xe7\x79\x17\xf4\x7f\xdc\x61\x9e\xaf\xba\xaa\xea\xcf\x3c\x10\x2b\x94\x66\x2c\x8a\xdb\xd1\x69\x35\x19\x39\x59\xb2\xe1\x02\xc8\x68\x1a\xe7\xff\x11\xce\x05\x97\xb4\x6b\xf9\x2c\x1c\x81\xb5\x77\x49\xbb\x26\xb0\x0b\x74\x6c\x76\x96\x2d\xe0\x4b\xda\x4d\xb2\x1e\x7e\x16\x14\x02\x33\x29\x5f\x3f\xdd\x4b\xfe\xad\x83\xa8\x2f\xea\xff\xa7\xc3\xfc\x5a\xc7\x74\x7c\x81\x2b\xbf\x01\xdb\x04\x85\x63\x9a\x1d\xc8\x96\xcf\x59\x81\xc1\x5e\x36\x28\x7f\x38\x6b\x0c\xe7\x99\x40\x00\x55\x5d\xe6\x5f\xa2\x43\xc6\x49\xcf\xa5\x7d\xf0\xef\x29\x77\xd4\x5f\x9a\x2a\xbb\x46\xb7\x28\x24\x0e\x9a\xc6\xd4\x25\x71\x3c\x82\x55\x68\x39\x81\x27\xec\x9b\x4b\xc6\xb4\xc7\x36\x28\x3f\x52\x9f\x7b\xb2\xc6\xd9\xe8\x7d\x38\x0b\xa8\xcd\x30\x4e\x3c\x38\x7d\x3a\xb6\xa0\x02\xe8\xcb\x44\x95\xed\xd8\xc2\x3d\x0a\x00\xbb\x3e\x23\xb0\x41\xb7\x91\x2a\x20\xab\x15\x34\x9f\xc7\x79\x80\x7e\x88\xa0\xca\x99\x2c\x46\x10\xd2\x52\x74\x70\x8f\xc7\x30\x3f\x67\x41\xb8\xd3\x82\x50\xe2\x94\x46\xb0\xee\xa2\xb3\x6c\x39\xb8\x34\x8e\xef\xed\x16\x3c\x97\x66\x8d\xa9\x48\x62\xc8\xd3\x5d\x81\x77\x8b\x15\xf2\x65\x41\x65\x42\x2a\xab\x1c\x7a\xfd\xb2\x49\xdc\x12\xb9\x64\xcc\x5b\x61\x9e\x1d\x72\xa3\xa1\x90\x9d\x10\x8d\xdb\xc1\x83\x51\x5f\x81\x73\xa5\x37\x9f\xb4\xd2\xbe\x2b\x43\xae\x67\x9b\xbe\x57\x0e\xa7\x81\xd8\x15\xe8\xaf\xcd\x44\x24\xd0\xef\x69\xa7\x13\xb7\x2a\x1c\x6e\xc4\x7b\xe2\x9c\x14\xcf\x87\xac\x31\x3c\x1b\x52\x3f\xf1\x4c\xc9\x0a\x02\x1a\x70\x9d\x27\x6a\x6b\x1e\x02\xf6\x46\xf9\xb6\x8a\xae\xe7\x73\x15\x8a\x3d\x33\x3c\x39\xae\xdc\x87\x94\x38\x3c\xa0\xa8\x20\xec\xb2\x2b\x6c\x38\x4a\x10\x3c\x34\x6b\x9c\x56\xea\x12\xe1\x87\x45\x6c\xcd\x28\x31\xc2\x20\x0c\xcf\xee\x9d\x82\xc0\x16\x48\x67\x5e\x36\x24\x83\xf1\xe5\x04\x99\xf5\x6d\x1b\x48\xad\x15\xa4\x3f\xdd\x61\x7e\xb3\x63\x38\xfd\x26\x47\xb0\x0c\xcf\x2f\x50\xf6\x51\xd1\x16\x5b\x02\x7a\x02\xbb\x72\xbe\xe2\xc5\xf3\x91\xe8\xe1\x5d\x1b\x89\x0c\x0a\x39\x22\xd8\x82\x92\xd8\x09\xef\x91\xd0\x87\x40\x02\xe5\x80\x0a\xf2\x87\x78\x3d\xe1\x75\xc2\x29\x47\xb6\x74\x06\xe3\xd9\xdb\x5c\xc5\x93\x4b\x56\x1a\xf3\x07\x6c\xc1\x2e\x81\x12\x12\x81\x49\xe3\x36\xf4\xa9\x59\x3c\xe3\x11\x92\x13\x21\x52\xaa\xc6\xd5\x64\x5d\x85\x78\xe0\x13\x96\x77\xc5\xcb\x8d\x9f\x17\xe2\x56\xb1\x11\x93\x16\xf6\xc8\x05\xda\x72\x97\xe2\x27\xf8\xcc\x16\x2a\x19\x6b\xe0\xb4\x68\x20\x9b\x3c\x52\x57\x8b\x57\x47\xd4\x54\x88\x5f\x49\xd9\xce\xcd\xd9\x4f\x5e\xda\xac\xaa\x83\x52\x7d\x48\x23\xd7\x89\xa7\xa3\xf8\xb5\x9a\xf9\x7a\xed\xb0\x7a\x49\x6a\xa5\x73\xde\x62\x52\x11\x04\xdc\x49\x51\x2a\x62\x41\x22\xd5\x0b\x76\x80\x8b\x42\x5c\xf6\xc7\x3d\x23\x85\xa9\x31\x0e\x0b\x86\xad\x17\x56\x69\xd2\x35\x1d\xae\xa8\xcd\xfd\x7b\x4d\x78\x77\xfd\xa5\x66\x7e\x59\x3b\x5d\x41\x8d\xa9\xda\x8b\xb2\x06\x30\x34\xe3\xf3\xf7\x6c\x99\x9d\x23\x5f\x54\xb6\x1c\x98\x24\x9c\x24\xd2\x67\xd8\xf3\x56\x91\x8a\xce\x4a\xe8\x85\x7d\x02\x4c\x34\x95\x27\xcc\x4a\x97\x32\x65\x64\xb8\xde\x9c\x28\x22\xed\x69\xcf\x2f\x5a\xae\x88\xe9\xc3\x85\xa7\xed\x57\x9c\x2f\xbf\xbd\x91\x5c\xcf\xa7\x5f\x94\x83\x51\xff\xd3\x8d\xb5\xc3\xa5\xd6\xd3\x72\xac\x19\xea\x44\x85\x98\x3f\xb1\xf1\x54\xa2\x54\xa3\x40\xf3\x40\x65\x92\x3b\xa2\x07\x61\x41\xd5\xe9\x26\x25\x96\xe0\x8d\x08\x75\x93\x6d\x97\x20\xb7\x99\x66\xca\x03\xcd\x64\x8d\x64\x9b\xc1\x41\x97\x0d\x36\x67\xfe\x0b\x7c\x55\x82\xe8\x9e\x23\x68\x7f\xd0\x6d\x2e\x5d\x3c\xa5\x90\xf8\x16\x63\xa3\x67\x1c\x99\x35\xd1\xcf\xfc\x20\xc7\x76\x09\x61\xe0\xe2\xbb\x88\x3d\x6b\x50\x1b\xbe\x45\x34\x14\x2e\x47\xf9\x8a\x44\xcb\xc0\x8a\x55\x76\x9c\xe8\x99\xee\xb8\x2d\x91\x4b\x87\x15\xc0\x80\xf1\xfd\x1c\x1c\x21\xe2\x16\x56\x3c\x53\x80\x10\xcb\x3d\xe2\xe0\xac\x52\x11\x05\x00\x01\x34\x29\x11\x8c\xa7\xdb\xb1\x2f\xb0\x6d\x7a\x94\x96\x1c\x6f\x89\x6d\xe9\x53\x9e\xe3\xcc\x58\xf9\x0b\xf0\xbe\x31\xe9\x15\x26\x7d\xef\xe2\x52\x14\xcb\x87\x17\xd7\x13\x99\x1c\x53\x3e\x39\x6b\x3c\x18\x50\x75\x68\x64\xa2\x45\x70\x79\xb5\x13\x73\x54\x30\x81\xfa\x6d\xb7\x4f\x26\x99\xa7\x6e\x01\x90\x65\x7e\x5e\x08\x2e\xd8\xa5\xf4\x05\xc5\xc4\x67\xe4\x38\x1f\xca\xf0\x42\x89\x2d\x08\x0e\x17\x80\xce\x27\x26\x5e\x94\x97\x32\x1a\x0b\xba\x40\xfd\xa5\x70\x0e\xc8\xfa\xdf\xde\x40\x36\xfa\x65\x87\x06\xfa\x5f\x6d\x30\x7f\x6c\xc3\x14\xfb\xa9\x68\x99\x90\xa9\x4a\xd1\x1f\x59\x73\x78\xa2\x50\xa1\x60\x0e\x28\x48\x54\x50\xb1\x35\x43\xe0\x72\x9e\xda\xff\x74\xfa\x8d\x38\x03\xa9\xcd\xa7\xb8\x1d\xcf\x98\x73\x96\xbb\x74\xce\x60\x0d\xca\x1a\x47\xbd\x45\x0a\x22\xd9\x16\x1b\x22\x38\xe7\xfa\x9c\x66\x1a\x6b\xc9\x72\x43\x94\x0a\x1d\x9b\xaa\x27\xca\x61\x8d\xbb\x20\x3c\x4b\xe5\xb8\x4f\xa3\x04\xd3\x10\x5a\x9e\x1b\x43\x79\xd7\xa9\x58\x16\x30\x22\x22\xc8\x87\x29\x4b\xec\x43\x38\x71\x3d\xa4\xce\x92\x51\xb0\x03\x6b\xc6\x89\x8a\xe4\xf1\xb7\xfb\x2e\xa3\x95\x16\xe8\x7d\x6c\xdb\xce\xc7\x0e\xaa\x72\x76\xc8\x03\x23\xdb\x39\xab\x0e\x0c\x23\x89\x6d\x52\xad\x27\xf5\x81\xe8\xd0\xae\xee\x5a\x47\xc9\x61\x32\x5a\xdb\x26\x51\xeb\x44\xc3\x06\xee\xac\x1d\xce\x9d\x92\x93\x87\xfc\xb4\x46\x12\x07\x0d\xfd\x35\x1a\x19\x5b\x7e\xc9\x51\xcb\x95\x92\xcc\x43\xea\x5f\x89\x4d\x33\xf4\x0c\x71\x54\x84\xc4\xee\x52\x49\xe6\x7b\x54\x24\xff\xc9\xbb\x36\x93\x6b\x60\xe6\x89\xad\xf8\xf5\x9b\xcd\xff\xde\xa4\x5c\x48\x96\x39\x47\x0d\x13\x56\x8d\xc9\x75\x1c\x9e\x00\x41\x95\x83\x6e\xde\x9b\xe7\x4e\xce\x7c\x78\xb2\xc6\x70\xf5\xfe\x6b\x8e\x5d\xb4\xf2\x21\x07\xe1\xc7\x5e\x54\xb6\x17\x2c\x87\xba\xa1\x99\x25\xa4\xdf\x80\x5b\x43\x52\x39\x8f\xce\x15\x91\x50\xb1\x43\x83\xb2\x27\x9c\x25\xb9\x60\x2c\x45\x03\xf3\x61\xd9\x24\x58\xa3\x36\x13\x95\x91\xd4\x0b\xe2\xac\x16\x05\xfe\x06\x3b\x32\x59\xa5\x52\x30\xb0\x30\xd8\x17\xfd\x80\x03\x54\x9f\x48\xbe\x14\x52\x17\xf4\xa5\xf8\xfa\x4c\x39\x94\xdd\xc0\xdb\x15\x25\x02\x3a\x1f\x39\xa7\x07\x43\x2f\x34\x59\x61\xe6\xa3\xac\xd0\x08\x7b\x63\x57\x17\x06\xd9\x35\x29\x3a\x86\x8c\x17\x9a\x4a\xf3\xcc\x47\xcf\xf7\x29\x5f\x1d\x7a\x89\x26\x19\xf0\x5d\x95\x0d\x12\xbb\x96\x58\xa7\x29\x3b\x17\xef\x57\xd9\xcf\xd5\x9d\x6b\xcf\x46\xfd\xc1\x7d\x0f\x05\xce\xe3\x70\xd5\xd3\x76\xa1\x5b\x83\x3e\xa0\xb7\xf3\x0e\xe3\x10\x2f\x68\x8d\xdc\xe7\xde\xf3\x23\xc5\x72\xc5\xbb\x1f\x2c\x2a\x6b\xae\xfb\x79\xa4\xb2\x05\xea\x8b\xb4\x74\xe2\x45\x6e\x08\x49\x1d\x93\x44\x40\x24\x65\x19\xa8\x2a\xd9\x37\xb6\x92\x67\x31\x2d\x2e\x28\x59\x79\x99\x19\x5b\xff\x9d\xad\x6d\xd0\xca\x5e\xb1\xf5\x64\x65\xc1\xcd\x28\x66\x20\x4e\xa3\x3d\x5f\x6a\x69\x31\xb6\xc1\xb5\x4e\x28\x56\x1c\x6a\xac\xb0\xbe\x52\x34\x9e\xd0\xf0\xec\x30\xa0\xce\x2c\x07\x25\x65\x49\xfc\xf0\x2b\x15\x3f\x9e\x48\x67\xd6\xf3\xe7\x79\xed\xe2\xcc\x24\x21\xb4\x48\x45\xa8\x28\x39\x90\xf3\x36\xda\xef\x82\xbc\x57\x52\xa8\x2d\x7d\x4c\xbc\xf0\x2d\x87\xe9\x23\x41\xc5\x80\x25\xe6\x75\xad\xae\x89\x7c\xbb\x58\x27\x7a\x81\xda\x1b\x42\x97\xaa\xb4\x4b\x9b\x7e\xd9\x85\x00\x87\x26\xd3\xea\xcc\x9d\x5c\x2c\x0e\x9a\x07\x0c\x20\xbc\xf3\xf4\xb6\xb4\x32\x99\x75\x20\x22\x89\x04\x43\x86\x59\x35\x41\xcc\x21\xe3\x25\xc4\x30\x4c\xe8\xb0\xb1\x8b\x25\x9f\xc2\x86\x12\x98\x43\xc6\x0b\x89\x61\x18\x70\x97\xfd\x67\x5e\xa0\x4b\xe6\x90\xd2\x84\xbe\xe8\x46\x94\xcb\x9a\xdd\x85\x2c\xd6\xf1\x2d\x2e\xc8\x65\x59\x70\x6d\xa7\xbc\x6d\xb0\xb6\x8b\xdf\x8f\xc2\xff\x5f\x46\xd8\xaf\x97\x11\x32\x3e\x0b\x7e\x63\xd4\x2a\xf0\x2f\xb3\xf8\xaa\x80\x35\xbc\xfc\xbe\x4c\xb3\xef\x9b\xd4\x5d\xb0\x7d\xcf\x65\x8b\x99\x77\x67\xc9\xf7\x0a\xbc\x47\x83\x10\x78\x65\xe6\x81\xd5\xeb\x56\xb5\x35\xa9\x3d\xdb\xa8\x5b\xa1\xf5\x4a\xcf\x46\xdf\x90\xde\xbf\xd3\x94\x36\x65\x6a\x60\x7a\xdc\x82\x4d\x17\x07\x84\xe3\x40\x3f\xeb\xbf\x7e\xd1\xd5\x03\xe2\xc4\x20\x5d\x13\xa3\x10\x42\xac\x3b\x79\x30\xca\xa8\xbb\x82\x58\x88\xb5\xa8\x85\xff\xdf\x2d\x89\xf0\x32\x33\x70\xb0\x58\x18\xcc\x8e\xf8\x9e\x3b\xe1\xcd\x80\x1d\xec\x8b\x5b\xcc\x1e\xe5\xef\xd4\x3c\x13\xbe\xe7\x1a\x8f\x7b\x33\x35\x6c\x60\xbf\xb0\x19\x6d\x60\x97\x6b\x03\xcb\x47\x26\xb0\x87\xcd\xdb\xed\xc8\x00\x26\xd1\x32\x6f\xd6\x10\x43\x94\xd4\xa1\xfb\xc9\x0e\xd2\x53\x53\xd3\xad\x1c\x6e\x34\x4e\x5d\x86\x71\xea\x8b\xaa\x71\xea\x33\x97\x69\x9c\xfa\x91\x2b\x64\x9b\x8a\x2a\x5a\xb6\x61\x0a\xa6\x52\x1c\x9c\x23\x16\x17\x95\x86\xa9\x5f\xd9\x48\x76\x29\x53\x70\xd6\xf1\x16\x85\x4b\x92\xe4\x95\x1d\x76\xbc\xc5\x69\x58\xac\x31\xcd\xeb\xe5\x1b\xcd\xa1\x94\xeb\x0a\x62\xa0\x10\x40\x38\x4b\x3e\x7e\x3c\x49\x1e\xfd\xe5\x0d\xe4\x23\xe9\xe1\xe0\xdf\x7e\x19\xfe\xb2\x8f\x9c\xaf\x2e\xf0\xbc\x5c\xa3\x97\x1b\x2b\xbe\x18\x73\xcc\x1e\x31\x4f\x9d\x17\xbf\xcf\xf3\xd5\x39\xd7\xc6\x44\x0a\x8e\x24\x99\xcd\x98\x0f\x9e\xe7\x3f\x45\x35\xe5\xf6\xa7\x55\x98\x95\x1c\x34\xf6\x55\xfc\xe7\xf9\xcb\xcb\xaa\x90\x0a\xac\x8e\x08\x4a\xd9\x01\x33\x7b\x9e\xfd\x38\xdf\x20\x09\x42\x6a\x21\x3f\xba\x91\xf4\x28\x33\x57\x40\xc7\xd1\xa4\x15\xa7\xec\x28\xd3\xa1\xfe\xb5\x0d\xe6\x9b\xb4\x8a\x8b\x89\x6d\x0e\x52\x51\x45\x99\x1e\xe3\xb9\xcb\x61\x50\x61\x58\x8a\x5c\x09\xc0\x88\xc7\x2b\x84\x3e\xe6\x29\xd7\xc1\x84\x92\x35\xc6\xa5\x03\x9f\x12\x45\x92\x7b\x4f\x0a\x8b\x1d\xaf\xb6\x82\x80\xfe\x89\x0e\xf2\x61\x70\x73\x0c\xe7\x26\xe1\x61\xfd\xdd\x19\xf3\xcd\x99\xf8\xef\x44\x54\xca\xa8\xbc\x88\x5b\xaa\xb6\x1e\xac\x55\x02\x93\x1c\x0f\x63\xa3\x47\x14\x2d\xf5\x7c\xef\xf9\xac\x71\xda\xb7\x6c\xc0\xa6\x02\xc7\x0a\xe6\x04\x0e\x11\xfa\xf6\xfc\x7c\x94\xd1\x77\x41\x62\x48\x55\xd5\x0a\x36\x2c\x54\xca\xae\x67\x09\x19\x13\x5a\xd1\x90\x71\x7e\x60\xd6\xf3\xce\x8b\x53\x20\x18\x1b\xc4\xa5\x3e\xfe\xff\x81\xf3\xb0\xa9\xf3\xdf\x33\x96\x7f\x3e\xf9\x06\x1c\x09\xe2\xb7\x0a\xe7\x99\xb2\x7a\x1e\x82\x6c\xb2\xa7\xd4\x19\xf0\x84\x1a\xa0\x74\xd1\xb4\xa1\xd9\x8a\x7b\x4e\x1f\x1f\x38\x5e\x9a\xd2\x43\x0a\x64\x1e\x7d\x99\xe8\xe2\x08\x55\xb1\x1c\x47\xf6\x26\x84\x24\x85\xee\x89\xea\x4a\x72\x7f\xbf\xb5\x95\x0c\xd6\x9e\x87\x93\x5e\x61\xd4\x0e\xfc\x32\xe0\xc8\xb9\x72\xa1\x48\x43\xf0\x69\xfe\xf0\x56\x33\x57\xe3\x1e\x5f\xde\x15\xc1\x6d\x00\x92\xae\x7c\xba\x22\xc6\xf8\x16\xf2\xdd\x0c\xb9\x7e\xde\xba\xf8\xa0\x6b\x2d\x58\xb6\xc3\x26\xab\xfe\xcd\x4c\xb3\xf1\x6d\xca\xa1\xed\x64\x6d\x37\x0c\x42\x3f\x3b\xee\x86\xa7\xfc\x69\xe8\x66\xf3\x9d\x99\x61\xd7\xa0\x0b\x76\x5e\x52\x11\x05\x82\xc5\x3a\x2a\xe4\xee\x25\x66\xb2\x56\x93\x2f\x09\xae\x18\xf3\x05\x63\x46\x5a\xb2\x29\x22\xd8\xc9\x87\x0d\x4b\x9a\x78\xa3\x5a\xfa\x0c\x3b\x4b\xb3\x1c\x5f\xb1\x5d\xc3\x9a\x09\x54\x1e\x38\x3c\x45\x0b\x3c\xa5\x50\xe2\x10\x0a\x34\x42\xcb\x95\x90\x70\x34\x8e\x6e\x68\xf9\x4b\xb2\xf4\x00\x20\x74\xce\x02\x60\x93\x60\x67\xec\x9e\x6b\xa5\x30\x1d\x25\xda\xce\x8f\xa7\xf3\xb6\x3b\x2c\xbf\x33\x4b\x7e\x37\x43\xae\x55\x2f\xe9\x9f\xb8\xec\x0e\xff\x57\xad\x6e\x87\x3b\xd4\x82\x1e\x57\xdb\x51\xb7\xbf\xf9\xd9\x2e\x8c\x8c\xff\xcd\xf7\x3b\xd8\x1f\xea\xf4\xbd\x31\xed\x81\xfc\x13\xfd\x0f\x07\xc9\xe5\x77\xbf\x39\xb8\x73\xe7\xdd\x66\x96\x5c\xea\x20\x5b\xa2\x46\xeb\x6f\xe8\x68\x03\xa4\xf3\xae\x0c\xfc\x6d\xbc\xa8\x4c\xfd\x25\xf0\xd3\xe1\xfd\xc4\x4f\xcf\x71\x7b\x80\xe1\x0a\x0c\x33\xc9\xc7\x2d\xc8\xa5\x66\xcc\xf0\xb5\x16\x19\xab\xe4\xe1\x98\xff\x60\xb2\x95\xe7\xdc\x30\x86\xa5\x4f\x44\xf4\x48\xf7\x4b\x5e\xd6\x23\x48\x27\xc9\x87\xa3\x43\x20\xf7\xda\x17\x6a\x77\x10\x29\x99\x6a\x42\x30\xfe\x22\xb8\x11\x39\x8e\xa8\x68\xdc\x15\xbb\x0f\x47\x09\xab\xaa\x15\x87\x79\x07\xac\x7a\xe2\xad\x68\x3c\xe5\x29\x3e\xfb\xb4\xd6\x53\x3f\xb4\x23\xd1\xb7\xf8\xb4\xe4\x58\x79\x4a\xc8\x87\x37\x54\x66\xc7\xa9\x91\xb1\x65\x5c\xfa\xa7\xe8\x3f\xe8\x30\x0f\x57\x5e\x4c\xec\xb9\x60\x8f\xe5\xcc\x24\xee\x15\xef\x28\x1f\xa1\x26\x70\x49\x8b\x7e\xfa\xce\x0e\xb2\x5f\x58\xa2\x07\xcd\xbb\xdc\x94\x38\xa3\xec\x37\x67\x11\x2b\x69\x60\xc4\xde\xf1\xcd\x8c\x32\xd9\xbe\x9c\x69\xc3\x64\x7b\x5d\x26\x50\x2c\xae\x5c\x63\x62\x55\xf5\x53\x37\xef\x15\x98\x42\xe9\xf9\xf3\x5c\x94\xcb\x81\x8e\xfb\xbe\x02\x4a\x90\xaa\x9b\xda\x7e\xe3\xac\xd8\xe0\xfa\x84\x67\x2b\x30\x61\x78\x98\x06\x57\x0d\x47\x20\x43\x06\x44\x87\x6b\xfe\x7e\x10\xd1\x3e\x24\x96\x21\xe3\x12\xcb\x07\xf2\x5e\x09\xfc\x28\xa1\x2a\xc1\x56\x7e\xbc\x2c\x1c\x72\xf8\x53\x60\xcf\x8f\x54\xa2\xc8\xdc\x51\xe4\x41\xc6\x45\x39\x59\xf2\x9a\x2d\x89\x73\x45\xc4\xbc\x3c\xc2\x81\xc6\xd9\xa0\x46\xc0\xf8\x3f\xda\x6c\xbe\x2e\x19\x30\x5e\xbe\xd1\x64\xa8\xf8\xac\xf2\x46\x3b\xc2\xc5\xff\x7f\xec\xbd\x0b\x94\x25\x59\x59\x26\xba\xe2\x64\x56\x55\xd6\xee\x87\x74\xc0\xc0\x2c\x70\x60\x1b\xcd\x58\x99\x90\x27\x2a\xb3\xb2\xaa\xba\x3b\x9b\xa6\xc9\xce\xac\xea\x4e\xba\x1e\x49\x66\x56\x37\x74\xd3\x90\x71\xce\xd9\x79\x32\xa8\x38\x11\x87\x88\x38\x95\x75\x9a\xee\xb9\x02\x32\x20\xf2\x94\x77\x31\x88\x30\x5e\xd4\x06\x01\x75\x68\x75\x8d\xa8\x3c\xbc\x3a\xea\x28\x17\x14\xf5\xaa\x80\x20\xea\x20\x73\xf5\xfa\x40\x6d\x07\xbd\x6b\xff\xff\xbf\x77\xec\x1d\x27\x4e\x66\x76\x67\x75\xb7\xcb\xc9\x5e\x0b\x2a\x4f\x3c\x76\xec\xe7\xbf\xff\xfd\x3f\xbe\xef\xa0\xce\x59\xbc\xe4\x00\xec\xba\x35\x09\x3f\xb0\x9f\xbd\xa3\xc6\x5c\xfd\x8c\x36\x21\xbb\xff\xe4\x78\x7f\xe9\x9c\x18\xb8\x6e\xce\x51\xbc\x80\x2e\x6a\x95\x9e\x52\x54\xbe\xc8\xf5\x5c\x24\x83\x8b\x46\xc9\x80\xe5\x8e\x36\x60\xf5\x85\xe2\x03\x2d\xc3\x8c\x9e\x2b\xec\x8f\xe2\x73\x04\x11\xdf\x48\x7a\x71\x8b\x2f\xdd\x31\xff\xb0\x60\xbb\xdb\xaa\x76\x06\x52\x36\xfa\xe6\xeb\x41\xbd\x9b\xb4\x4a\xda\x19\xc2\xd4\xbf\xc2\x8b\x41\xdb\xa6\x96\x97\x87\x07\x35\xc8\x47\xab\x16\x9f\x37\x75\xc4\x5f\x72\xbc\x07\x9d\x2d\xa1\xe9\x07\x2a\x87\x1a\xbb\x02\xd4\xc7\xb4\x4e\x45\x45\xc8\xbb\x22\x25\xdf\x64\xe6\x0f\x42\xe2\x5f\xe6\x36\x19\x2a\xe7\x87\x1d\x56\x4c\x4b\xf7\x7d\x8e\xf7\x66\x7b\xa6\xa9\xae\xd6\x36\x1c\x90\x88\x30\xd1\xd4\xd1\xb3\x68\xa8\x62\x8e\x79\xd4\x86\xe0\x8d\x57\xb3\x53\x85\x28\x28\x1c\x46\x75\x29\x4c\x31\x87\x4f\x8b\x56\xeb\x81\x21\x4e\x5e\xf7\xe7\xae\xf2\xee\xac\xb8\x5e\x2c\xa2\x7c\x43\xd8\x80\xdb\x09\xef\x04\x10\xef\xb1\x7a\x6a\x45\x3e\x16\x93\xad\x54\x1b\xca\x95\x53\xc3\x5a\xdc\xbf\x75\x25\xfb\xab\x31\x36\xd2\x4b\x23\xf7\x1b\x63\xde\x1f\x8c\xf5\xd2\xc8\xc0\x09\x8b\x12\x9b\xcd\x53\x87\xc5\x84\x71\x21\xe0\xcf\x2d\x9f\x42\xb9\x3f\xbe\x06\xf6\x4e\x31\x7b\xf8\xb0\x3c\x89\xcc\x4a\x41\x74\x58\xce\xfc\xb5\x09\x1f\x7d\xbc\x05\x2e\xfa\x5a\x2f\x8d\xf0\xd8\x93\x21\x69\xf2\x5a\xc1\xee\xad\xa1\xd1\x19\x5b\xdd\x10\x7c\x4d\x16\xb6\x66\x43\x91\x12\x9e\x40\xc0\xe9\x6d\x9d\x87\x6c\xe3\xa4\xde\x08\x11\x7f\xf2\x42\xf1\x19\x92\x30\xe8\x94\xc0\x68\x0d\xe4\x8e\x0e\xdb\x1b\x14\xf5\x90\x01\x52\x18\xf8\x29\x35\x51\xf2\xc2\x99\x15\x68\x75\x22\xb7\x73\x35\xa8\x19\x1f\xc7\xc8\x2e\x00\xc3\x2b\x06\x7b\x4d\x05\x51\x50\x59\x3c\x8c\xeb\xca\xff\x24\x0b\x0a\xb2\x52\xec\x51\xc0\xa3\xa0\x2f\xd0\xe2\x19\x26\x11\x74\xfa\x84\xaf\x9a\xae\xc3\x7a\xe5\x93\x31\x5f\x5c\x92\x1b\x21\xc0\x3d\x31\xb6\x04\xc4\xee\xb2\x5b\x68\xf6\x23\xad\xfc\x9a\x1c\xba\x08\x5f\x97\xbd\x3c\x7d\xe4\x3a\x7f\xca\x9f\xf2\xa7\xd7\x10\xf1\x88\x4a\x0e\x33\x9e\x86\xd9\xf9\x3e\xef\xc5\x00\x1c\x21\xb5\xdb\x5c\x4e\xa3\xb6\x9c\xe8\x10\xbe\x52\x78\xbd\x8c\x10\xe6\x24\x06\xa5\x0b\x28\x99\x49\xcd\x93\xcf\xc8\x2d\x5a\xf5\x81\x72\x01\x40\xb7\xaa\x58\x5e\x98\xa2\x46\xac\xa1\x19\x05\xbb\xd2\x83\x60\x02\xc0\xfc\x46\x7d\x35\x0a\xcf\x8b\xa8\x4f\xf2\x29\x4e\xe2\xba\x9c\x51\x52\xad\x47\x1d\x7e\x12\x26\x83\x08\x32\x78\x24\xef\xa5\x31\xef\x75\x31\x9e\x05\xb2\x8e\x08\x2b\x17\x67\x11\x4e\x4d\x3d\xc9\x3c\x58\xfd\xde\x8d\x98\x3f\xba\x7c\x4a\xdd\x68\x87\xb4\x62\x3c\x25\x1e\x20\x83\x0f\x4d\x03\x06\xb6\x11\x45\x86\x41\x8c\x2a\xb8\x7a\x29\x08\x3a\x88\xfb\xca\x74\xad\x24\xa7\x3c\x86\x40\xa5\xce\x2d\x9f\xf2\xf9\x8b\x08\xd0\x4a\x4d\x4c\x45\xc0\x21\xf5\x1c\xe8\xbf\xb4\x11\xe6\xa9\x3c\x4b\x28\xe8\xbe\x52\x44\xda\xba\x79\x18\x0c\x8a\x30\x1e\xad\x7e\xca\xfa\xe6\xb9\xdc\x3f\xe9\x75\xf9\xa9\x00\x59\x24\x92\x94\x37\x82\x2c\x6c\x42\x1e\x3a\x41\x57\xc9\x1b\xb3\xf2\xf3\x9b\x49\xda\x7a\x9e\xa7\x7d\x96\x94\x8d\xc6\x4f\xa6\x41\x1b\x1d\xf9\xe3\xde\xb5\xbe\xef\x7b\x13\xd0\x76\x3c\x70\x14\xc8\x4d\x7c\xdc\xbb\x99\xee\xa6\xc2\x2c\x61\x92\xc2\xe4\x2c\xcb\xd6\x67\x1c\x36\xd6\x0c\x6e\xe9\xc5\x2d\x79\x9c\x74\xdc\xd1\x46\x3f\x17\xde\x07\x1d\x75\x0d\x0f\xaa\x4b\x27\x4e\x73\xa5\x5a\xce\xcf\xf1\x06\xde\xc2\x89\x55\xd6\xce\x8c\xc4\x72\xdd\x5b\x87\xb4\x3a\x68\x66\x03\x52\x92\x9a\x12\x33\x93\x0a\x89\x22\x4f\xe5\x1c\x48\x93\x24\xcf\x54\xdc\x74\x31\x9b\xe1\x40\x9f\x95\xec\x73\xef\x54\xb8\x2d\x4d\xe1\xbe\xbe\xc6\xee\x1c\xa6\x60\x3f\xcc\x0d\x81\x78\xe4\x0b\xf4\xae\x8f\x3a\x4a\xce\x11\x52\x74\x89\xc7\x44\xdd\x1d\x0c\x2d\x3f\x81\x11\x8a\xea\x81\x24\xe5\x52\xc2\x57\x89\xda\xc5\x81\xe8\x3d\x25\x53\xe5\x7a\xb0\xe5\x2a\xe8\x65\x31\x48\x0b\x12\xcb\x72\x8e\x69\x19\xeb\xb3\x87\x6a\xec\x8e\x47\xda\x7c\x82\xa6\x07\x50\xb2\x65\x72\xf1\xdc\xa1\xe3\xa7\xdd\xf7\xd7\xbc\xd3\xc3\x6e\xda\x19\x5a\x46\xd0\x75\x47\xe4\x1b\xf2\x80\x28\x3b\xc8\x7e\xb9\x04\x99\xf7\x29\x87\xfd\xbc\xc3\xbe\x23\xe9\x8a\x78\x6e\x69\xf1\x8e\x19\xb4\xe6\xbb\x0f\x38\xec\xee\xcb\x33\xb8\xd8\xba\xe7\xaf\x9c\x3d\x83\x45\x2f\xa5\x49\x37\xf3\x6e\x2f\x7d\x50\x69\x37\x67\xf1\x32\xbf\x30\xa3\x3c\x93\x2a\x8a\x3d\x49\xcd\xf6\xc9\x05\xd9\x4d\x7b\x31\x78\x58\x2f\x3d\xc1\x64\x1e\xdd\xe2\x70\x37\xb7\xb4\xa8\xba\xc1\xfd\xfa\x77\x78\xcf\x37\x7e\x97\x72\x17\xd4\x71\xd3\x88\x14\x92\x9f\x54\x21\x20\x78\x54\xd3\x0a\x78\xcb\xc8\xb6\x91\xbb\x51\x2f\x0a\xd2\x33\xf0\x93\x15\xcf\x68\xd2\x8f\x7d\x17\x44\xda\xb0\xbd\xb7\xbf\x7b\x35\xdb\x60\x0c\x90\x4d\x41\xe9\x77\xef\xf2\x9e\x5b\xfc\xb2\x47\x39\xeb\xb5\xdb\xc8\x19\x8a\x88\xcd\xf0\x85\x32\x73\xe8\x56\xb1\xe9\xbf\x3e\xc2\x5c\xe2\x87\x20\xdf\xf0\x6d\x41\xb6\xe1\x7e\x62\xc4\xfb\x91\x11\xd0\x0e\x82\x6c\xc3\xa6\xd1\xa4\xa7\x95\x97\x69\xd2\xf4\x21\x2b\xbf\x31\xf5\x12\xc6\x0e\x17\x21\x42\x60\xbf\xdd\x4c\xc3\x3c\x17\x3a\x0e\x1f\xc8\xc2\x65\x99\xc2\xe7\x77\x58\xc9\x18\x06\x96\xb9\xa2\x9b\xed\x93\xa3\x32\xf3\x39\x68\xf8\x02\xa2\xcc\xf3\x3e\x02\x69\xa4\x61\x26\xb5\x35\x5c\xac\x9a\x0f\x14\x26\x8a\x61\x00\x94\x9b\x77\x77\x23\xd0\x18\x40\xca\x01\x8d\xa9\xb6\xb0\x49\x14\x89\xcc\x16\x32\x2d\xea\x4b\xfa\x90\xd6\x2d\x53\x99\x17\xf2\xd2\x8c\x08\x5e\x19\xe8\x5d\x0b\x7e\x08\x8e\x7b\xe8\x76\xb0\xc0\x8d\x40\xc2\xa7\xa2\x13\x84\x71\x81\x29\x88\x76\x3b\x08\x0a\x6c\xa7\x41\xab\x07\xb8\x0d\xe6\x70\x7e\xd8\x61\x38\xa3\xdc\x0f\x38\xde\xf7\x3a\xf0\x67\x79\xc6\xa8\x2c\x0d\xa9\xb5\x71\x7c\x62\x1c\xc6\x8d\xc2\xca\x32\xde\x16\xf9\x24\xbc\x30\xc9\x37\x83\xbc\xb9\x31\xa9\xe3\xb3\xd1\x03\x3c\xc9\xbb\x78\x19\x43\xb2\xd5\xbf\x45\x8c\xc2\x24\xad\xc9\xe4\x62\x7f\x62\x8b\xc9\x77\x13\x99\x77\x8e\x79\xe3\xa6\x79\xa7\x1b\xf5\xd2\x20\xb2\xac\x3c\xc6\x54\x2e\x5e\x5f\x65\xc6\x8a\x72\x4f\x7a\xd7\x17\xbf\x0c\xa0\x86\xd0\x5a\xb8\xd6\x4a\x85\x70\xf3\x24\xb7\xcd\xfd\x2d\x72\xc9\xbf\xd8\x3b\x7b\xde\xe0\xc7\x81\xbf\x07\x88\x76\x40\x03\xe6\x87\x4e\x26\xc9\xa1\x81\x07\x8d\xaf\x1e\x5a\x4f\x92\x43\x13\x66\xdd\x7f\xb0\xc6\x2c\xe9\xe0\xbe\xb1\xe6\xfd\xb3\x63\x5e\xd1\x46\x26\xba\x56\xdd\x1f\xdc\x42\x20\xa5\xd5\x21\xd7\x16\x61\x95\x52\x5f\x42\x50\x9e\x2a\x08\x57\x53\x44\x99\x50\xe5\x6f\x12\x3c\x77\x9a\x2a\xbc\xee\x02\x2d\x5e\x79\x08\x63\x0d\x33\x0d\x99\xd8\x98\x20\x93\x40\x32\x19\x7d\x02\x86\x9f\x3e\x2d\xd7\x18\xd9\xb7\x75\xf0\x81\x9c\x7b\xcd\x3c\xe2\xf3\xa7\x16\x31\x22\x64\x3d\x28\x0d\xee\xf7\xd5\xd8\x01\x92\x2a\xee\xb7\x1d\xef\x2f\x1c\x9d\xb4\x44\x93\x44\xa7\x47\xa9\x1b\x83\x5d\x73\x02\xac\xa6\x61\x87\xf2\x20\x0d\x39\x65\xe0\xbc\x12\xd8\xa7\x15\x04\x0a\x4e\x07\x33\xe0\x9d\x48\x78\x34\x18\x6b\x60\xc0\xb1\x52\x20\x8b\xa1\x9a\xce\xf2\x0b\xd3\x7c\x7c\x73\x03\xa8\xe6\x20\x91\x80\x17\x69\x8a\x03\x55\x48\x8b\x3a\x1f\xca\xd0\xbf\x3f\x61\x43\x74\xdc\xcf\x98\x9c\xcb\xed\x04\x50\xc5\x13\x6f\xa5\xf8\x65\x2f\xee\x5c\x51\x42\x19\x31\x7e\x59\x49\x28\x37\x44\x94\xc4\x6d\x98\x23\x34\x7b\x83\x28\x3a\xb4\xd5\x32\xfd\x65\x87\xed\x83\x52\xdd\x4f\x3a\xde\xc7\x9c\xb6\x49\x40\x55\x0c\x03\x85\xc5\xee\x60\x10\xac\x27\x87\x0d\x81\xbf\xeb\x31\x58\x69\x06\x51\x89\x4c\xf3\xfd\xfb\x4d\xf8\x9b\x9d\x5a\x7e\xc9\x3b\x2d\x8f\x01\xee\x1f\xee\xf3\x2e\xce\x95\x6d\xb9\x69\xf1\x00\xc5\xef\xa8\x3b\xb6\xed\x0f\xe3\x99\xe4\xc1\xe5\xbc\xe8\xa3\x8c\xd4\x79\x11\xea\x61\x04\xde\x27\x51\x22\xfa\xf0\x10\xc5\x41\x5d\x72\x46\xce\x8b\xfe\x25\x67\x4c\xbd\x61\xa9\x0d\x9f\x19\x65\x97\x1c\x26\x9f\x70\x7f\xc0\xf1\x8e\xc8\x77\x75\x34\x84\xac\xad\xbc\xa0\xdd\xc9\x45\x00\x60\x91\x24\x6c\x31\xc7\xec\x9c\x14\xea\xbb\xb7\x21\x85\xda\xef\x8e\x9e\x17\x7d\xc6\xde\xe4\x30\x5d\x71\xf7\x95\x8e\x97\xeb\x76\xa7\xa6\x39\xf8\xbc\xe8\x1f\xca\xb0\x17\xa4\xd2\xb8\x11\x76\x95\xad\x43\xa9\xb5\x10\x12\x06\x6a\xaf\xee\x3a\xca\x72\x8b\x27\x39\x84\x6e\x4e\xf2\x13\x17\x43\x79\x38\x07\xbc\x93\x44\x64\x67\x92\x1c\xae\x58\x93\xe1\x07\x6a\x6c\x3f\x16\xe7\xbe\xb6\xe6\x7d\xc3\xa1\x78\x7d\xd2\x11\xe4\x4a\x80\xfd\xd2\x08\xc5\x32\x22\x6c\x55\xdd\xc3\x8c\x2f\x42\xb6\x2c\x7d\x58\xab\x1e\x19\x15\xa1\xb4\x19\x79\x82\x27\x1a\xc5\x8a\x32\xa8\xbe\x49\x6a\x55\x77\x8b\xe2\xa8\x28\x14\xfe\x70\x07\x03\xf6\x22\xd8\xd7\x5a\xbd\x14\x71\xe9\x68\xc0\xc0\x01\x90\xb6\x05\xee\xdb\x5b\xe9\x83\x9f\xa8\xb1\xe3\x25\x24\xaa\x24\x55\x59\x74\x4a\x81\x3f\x93\xc4\x4a\x55\x9e\x53\xb9\xc7\x99\xfb\x90\xe3\xbd\xa2\xf2\x4e\xa1\x58\xe4\x04\x02\xa7\x8b\x2c\x72\x97\x33\xc3\x6f\xb9\x0e\xfb\x72\xac\xd1\x20\xcc\x78\x34\x28\x63\x8e\xca\x80\x0c\x1e\xda\x3d\xac\xc5\x90\xb0\xeb\xc9\x38\x3d\xe5\x5d\x6b\x1a\xa7\xcf\x2d\x9f\x42\xab\x83\x4d\xba\x6f\x76\xc1\x0c\x1b\x95\x5a\x91\xfb\x6c\xef\xe9\x77\x88\xb4\x61\x84\xc7\xa0\xc9\xef\xb6\xd5\xd5\x25\xd0\x9b\xcc\x97\x3e\x3e\xca\x5e\xf8\x88\x8f\xbc\xf6\xa1\x6c\xa5\x90\x79\x84\xe9\xf7\x85\x11\xef\x97\x46\xb6\x79\xa8\x9c\x0b\x03\x1f\x35\xe3\x7a\x0c\x51\x5a\x79\x12\xe4\x05\x54\xa0\x5e\x90\x85\x6e\xbb\xe6\xab\x68\x21\x79\x7a\x23\x8b\x10\x6e\x6d\x08\xea\x65\x95\xe6\x1b\x9e\xac\x67\x71\x71\xb1\x9b\x64\x90\x69\x51\x81\x6a\x54\xc4\x30\x95\x80\xb8\x9f\xc5\x97\xce\xad\x0e\x8c\x7c\x55\x09\x39\x9a\x7e\xcb\x05\xe0\x5c\x20\x5b\x15\x26\xc0\xa2\x8e\x4f\xa1\x5e\x18\x93\x5b\xe0\xc9\x16\x3d\x95\x07\xf1\xbd\x01\x56\xe0\xf0\xd2\xd9\x95\xd5\xc3\x4b\x73\xab\xf3\xb7\x0d\xd4\xa5\xfc\xc1\xc1\x8f\x0c\x14\x6a\x22\x3c\x7e\x8e\x59\x40\xf9\x55\x1e\xd7\xdb\x96\xe6\x56\xf0\x12\xe4\xeb\xb9\xef\x63\xde\xdb\x47\x4a\x17\x75\x86\xb4\xca\x33\xc0\x7b\x85\x8f\x79\x1d\x52\x14\x05\x6f\x85\x29\x6a\xe7\xa0\xf7\x65\x82\xe3\xeb\xa0\x9f\xc1\x2e\xd0\xa2\x80\x81\x66\x10\x35\xe5\xc9\x46\x96\xb2\x20\xb2\x30\x15\xad\x65\xd1\x8d\xc2\x66\x40\x7e\x6c\xe5\x4c\x54\x43\x77\xdb\xd2\x1c\x94\xd9\x87\xe0\x00\xa0\xe3\xb2\xaa\x72\x41\x44\x49\x53\x1e\xd3\xec\xb8\x00\x75\x1b\x5c\xdd\xa1\xc8\x8c\x32\x54\x80\xc1\x7a\x14\x74\xbb\xd0\x1a\xeb\x4d\xea\xd7\x46\x18\x29\x39\xb2\x19\xc6\xad\x64\x73\x92\x67\x49\xb1\xc9\x15\x94\x54\xa9\xaa\x3e\x99\xf7\xe4\x66\x82\x8c\x2e\x79\xd4\x9f\x54\xf6\x70\x42\x59\x0a\xd6\x45\xa6\x80\x01\xb4\xc2\x5a\xf5\x35\x04\x68\x4a\x32\x11\xdb\x66\x94\xbf\xdb\x2f\x8f\xd5\x4f\xb5\x5e\xb9\x13\xde\x50\xb0\x09\x3f\x3e\xa2\x60\x13\xde\x35\xb2\x32\xf4\x31\xed\x4a\xd4\xed\x20\xdc\x01\xe8\x78\x34\x04\x76\x03\x22\x05\xe9\x74\x44\xdc\xa2\xe4\xcd\x22\x17\xdb\xc8\x63\x45\x75\x54\xf5\x39\x66\x30\xa9\x5f\x2d\x08\xe5\xdb\xa2\x26\x6a\xdb\x01\xcb\xb8\xe2\x9a\x96\xca\x96\x3c\x80\xcb\x99\x7e\xaf\x48\x13\x58\x69\x60\x49\x1f\xb8\x3d\x73\x7c\x6a\x8a\x8f\xcb\x59\xb8\x91\xf4\xd2\x09\xc2\x16\xc8\x51\x42\x28\x6b\xb0\xe2\xf7\xc5\x0d\x6f\x96\xd7\x51\x05\x94\x6a\x1c\xef\x75\x67\xf9\x14\x1f\x87\xe8\x95\x38\x29\x0d\x47\x98\xf1\x56\x12\x8b\x09\xdf\x7a\x45\x36\x6a\x96\xcf\x4c\xa9\xd7\xb6\x1a\x46\xf9\x94\xea\x5c\xa9\x1e\x4f\xd8\xd0\x0e\x6f\xad\xb1\x31\x35\x4b\xdd\xef\xad\x79\x3f\xe5\xa8\x5f\xb6\xfe\xdd\x4d\x80\x81\x2e\x88\xec\xb9\x2d\xb2\x22\xbb\x54\x5b\x6d\x69\x8f\x56\x4b\x9e\xcf\xa9\xc0\x1f\xd9\x4b\x14\x7b\x38\x60\xaa\x9c\xe4\x10\xa0\xba\x19\x52\x97\x95\x65\x81\xb2\x0b\xb7\xc2\xac\x19\xa4\x2d\xc5\x04\x07\x36\x10\x73\xd7\x9f\x63\x37\x0f\x0f\x62\xda\x46\x14\x61\x9e\x24\x7b\xab\xc3\xae\x44\x35\x92\x32\x29\xbf\xc7\xf1\x32\xf3\x82\x99\x2c\xa9\x20\x59\x68\xd2\xe2\xfd\x62\x9a\x82\x6d\xd9\x9a\x13\x03\xf3\x81\x9f\x0e\x2e\x62\xb9\xa8\x96\xab\xd2\x6d\xe2\xb7\x7d\xec\x68\x15\x47\x36\x64\x3d\xe9\xad\xb3\x42\xad\x7f\xcf\x3e\xef\x2d\xce\x1c\xa5\x47\x15\x7a\xc7\x2e\x34\x7c\x28\x8a\x88\xab\xb7\x55\xf4\x8b\x87\x6d\x7d\xff\x20\xdc\x40\xeb\x61\xb5\xd6\xff\x95\x11\x88\x92\xd4\x8a\xf5\xa6\xf7\x32\x2b\xba\x02\x0a\xb8\x6c\x0a\xf5\xe4\x70\x6d\xfa\x34\x2b\x2a\xeb\x3e\xcf\x9b\x29\xe3\x46\x60\x13\x77\x7a\x00\x61\xaf\x2b\x94\xf3\x6f\x3b\xde\x57\x9c\xb9\xff\x7d\x55\xf2\x5f\xbc\x8a\xdd\xf9\x28\xa8\x96\x52\x46\xba\x7f\x7c\xa5\xf7\x92\xad\x1f\xd9\x42\xaf\x84\xdb\xdb\xa9\x95\x97\x9c\x27\xc8\xc5\xaf\x14\x08\xa9\x8b\x5f\x72\x5c\x54\x8a\xcc\x8b\xd6\xac\xfe\xef\x57\xb0\x3f\xda\xc7\xae\x89\xcc\x53\x38\x44\x79\xff\xda\x3e\xef\x93\xfb\x06\x2e\x5b\x31\x67\xd5\xfa\x69\x59\x57\xa3\x65\x9b\xa6\x22\xeb\x82\xd4\xcf\x13\x34\x18\x70\x0a\x8b\xf7\xd5\x0c\x5d\x23\x5b\xb3\x2e\x37\xd3\x58\x00\x70\x9c\x81\x91\x8e\x13\x4a\x92\x32\xac\x5d\x3e\x3f\x4d\x33\x23\xc0\x97\xa1\xaa\x40\x51\x66\xa8\xd3\x09\xfc\xe8\x8a\xe6\x5a\xf1\x3c\x85\x38\x6f\x26\x29\x81\x34\xdd\x26\x0f\x3b\x52\xc6\x44\x4b\x49\x6b\x8e\xa4\x33\xb2\xce\x28\x83\x34\xc4\x81\x28\x7d\x3d\xcc\x8c\x6e\xe8\xe8\x5a\xd0\xc2\xc1\x17\xc6\xc1\x4b\xa9\x89\xf8\x8a\xa8\x47\x80\x5f\x9f\x50\x3b\x56\x01\xab\x9b\x89\x34\x0c\x22\x48\xcc\x2a\xd9\x3f\x20\x20\x02\x8b\x4e\xd2\xce\x4e\x91\x00\xf3\x20\x3b\x9f\x1d\x0e\x9a\x4d\x91\x65\xa6\x01\x21\xe8\x86\x87\x71\xb8\x0a\x38\xc0\xf2\x85\xba\xb1\x73\x5d\x0b\x9d\x51\x37\x27\x22\x2e\xe7\x94\x52\x50\x69\x03\xc1\x9e\x2f\x62\xee\x68\x8e\x54\xa9\xf2\x93\x14\x36\x51\x9a\x09\x1a\x8e\x1f\x6f\x1f\x86\x0f\xaf\x59\x4b\x00\x36\xe0\x56\x55\x8e\x20\xb1\x66\x9a\x2b\xfb\x6b\x35\x36\xb0\x38\xdc\xdf\xa8\x79\xbf\x58\x2b\x5f\xbd\xcc\x33\xbc\x2b\x9a\xbe\xd2\x89\x1f\xad\xf9\x8d\x53\xfa\x32\x8d\xc4\xd0\xae\x46\xb8\x72\x08\x91\x05\x58\xee\x24\xe6\xb7\x9e\x58\xb5\x7a\xf9\x7b\xc0\xc5\x55\x96\x37\xee\xff\xa8\x79\xbf\x5f\x1b\xbc\xfe\xa8\xc8\x92\x47\xbb\xaf\x51\x96\x5c\xb6\xde\x2e\xd7\xfa\x11\xcc\xfb\x29\x6b\x08\xbe\x39\x6a\xd1\x5a\x6d\x83\x6f\xee\x7e\x72\xd4\xbb\x4b\xc3\x9a\x23\xd9\x7f\x39\xe2\xab\xc0\xef\x86\xd0\x8e\x58\x88\x16\x61\x20\x6b\x08\x3f\x75\xd3\x87\x62\x4a\x5e\x06\xb5\xd3\x7c\x7e\x84\xc5\x6c\x1f\x10\x71\xb9\xc2\xbb\x61\x2e\xee\x9b\x71\xb6\xe6\x17\x35\x94\x7a\x15\x99\x81\xff\x80\xf3\x9d\xec\xa9\xc3\x37\x71\xf3\xdc\xff\x02\xb6\x1f\x2c\xe0\x99\x7b\xab\xf7\x6c\xa5\x26\x81\xd3\x16\x2f\x13\x53\x07\x41\xbc\x03\x3f\x98\xd4\xd4\xb6\x52\x11\x3e\xea\xb0\x91\x5e\xd8\x72\x3f\xe4\x78\xef\x76\xe6\x28\x73\x8c\x46\x0d\xd9\x6a\x54\x80\x8c\x59\x7a\xd0\x4c\x13\x79\x58\x03\xf6\x6b\x15\x83\xaa\xbe\x8b\x2e\xbd\x16\xe9\xae\x88\x22\x00\xf7\x4c\xe6\x3a\xe5\xb5\x03\x44\x63\x98\x3c\x7d\x9c\x09\x25\xc6\xba\x73\x8b\x0b\xb6\x9f\xf2\xc5\x6c\x4c\x16\x06\xde\xbf\x25\x6f\x5e\x2b\x8b\x18\xc4\x05\xd5\x8f\xfa\x43\x6a\xdd\x49\x28\x56\x3e\x68\xe6\xe1\x05\x1c\x63\xbb\xf4\xff\x35\x62\x83\x71\x9a\xc7\x19\x48\xbe\xcd\x32\x72\xc7\x96\x58\x2e\xdd\x4f\x8f\x78\x8d\x2d\xee\x17\xdb\xa1\x88\x93\x5e\x7b\xa3\x1c\x84\x18\x89\x1c\xe2\x42\xa8\xe2\x7d\x32\x31\x92\x87\x44\x3b\x45\xb4\xf7\x7f\x30\xe8\xfd\x53\x35\xf6\x6e\x87\x3c\x90\x6f\x76\xbc\x57\x3a\x90\x14\xac\x8d\x95\xd8\x9f\x37\x3e\x86\x29\xb7\x9e\x9d\xad\x88\x0e\xdb\x96\x77\xe7\x19\xcb\x1b\x39\xa4\x5e\xd5\x1b\xbf\x1c\xb0\x7a\xbb\x17\xb6\xc4\x61\x83\x2b\xe4\x5a\x58\x06\xe6\xd7\x8e\x5b\x29\xec\xe3\xde\xd3\x20\x18\xa4\xec\xed\xc3\x4f\x5b\x18\x22\x07\x98\x67\x0e\x7f\xb7\x8b\x81\x45\x79\x90\x8b\xf5\x5e\xb4\x22\x80\xb3\xde\xfd\xc4\x01\x6f\xaa\x74\xad\x2a\xd7\xde\x78\x64\x48\xba\xfd\x5b\xf6\xef\xa5\xdb\xef\x36\xdd\xfe\xa4\x4a\xb7\xbf\xc9\x14\x73\x53\xcc\xdf\x82\x41\xb9\x62\x60\xf7\x32\xea\x77\x91\x51\xbf\x68\x24\xd4\x3f\x1c\x22\xa3\xc1\x7c\xfa\x87\x9c\x17\x6d\x9f\xce\x7e\xdc\x3d\xaa\xd3\xd9\xe5\x50\xea\x6c\xf6\xd2\xa2\x2c\x67\xb4\x7f\xed\x2a\x0b\x43\x83\xe2\x91\x40\xb2\xaf\x2c\x2e\xa4\xe1\x05\x91\xba\xbf\x70\x95\xf7\x1b\x35\xfd\x93\x37\x83\x6e\x0e\x06\xf2\x41\x15\x22\xe0\xf3\x0a\x69\x5c\x85\xea\xf0\x45\xa5\x2b\xf0\xf1\xf9\x95\xc5\x09\x95\x2a\xd0\xc2\xc2\x10\x3e\xa9\x80\x97\x55\xa1\xb6\x26\x7d\x4d\x90\xe7\x41\x13\xd9\x46\xe8\x10\x45\x1c\xa0\xbd\x4c\x6d\x66\x89\x46\x13\x6d\x09\xa4\xd0\x12\x3a\xa4\x8c\x5e\x0f\x33\x65\x78\x6a\x61\xe9\x72\x7f\xd9\x59\x09\xdd\xa4\x65\x35\x56\x2a\x48\x19\x05\x13\x53\x56\x51\x12\x63\xda\x83\xcf\x8b\x8e\x52\xf0\x33\x18\xc5\x1a\xd7\xed\xa8\x36\xa9\xd3\x5b\x92\xef\xef\x0f\xee\x49\xbe\xdd\x4a\xbe\x3d\x89\xf5\xc8\x25\xd6\x7b\x46\x0d\x91\xf5\x86\xd1\x9d\xe6\xe5\x5a\x32\x0b\x55\x3c\x40\x01\xf9\xd5\x11\x0d\x03\xa2\x00\xbc\x34\x10\x88\xfe\x0b\xe3\xa4\x0c\xf6\x27\xdb\xce\x39\xbf\xb2\xa8\x04\x45\x41\x16\xa8\x87\x86\x08\xa7\x6f\xe4\x61\x8e\x88\xe3\x0d\x51\xd2\xa6\x35\xe1\x17\xe9\xd9\xb2\xbc\x5b\x45\xbe\x04\xe8\x92\xf2\xdb\xe3\x13\x08\x76\xad\xb1\xc6\xf0\x6b\x68\x0b\xa2\x2f\x43\x49\xca\xee\x73\x7c\xc6\x24\x6f\x4e\x52\x70\xd1\x4c\x62\xb8\x3f\xd2\xd7\xc5\x2d\x39\x13\x74\x06\xb4\x0a\x91\x8c\x7b\x1d\x91\x86\xcd\xe2\x6d\x3e\x7e\x77\x50\xbf\x77\xaa\x7e\xc3\x5c\xfd\xae\x7b\x26\x88\x50\x09\xd1\x05\xc6\xeb\x13\x93\xbc\x95\xe4\x19\x1f\xf7\x27\xc8\xe2\x6d\x94\x91\x29\x68\xed\xc7\x0c\x51\x85\xdd\xc3\x40\x5e\xb9\xe7\xd8\xf4\x50\x0d\xa2\x6a\xef\x58\xe9\x8a\xa6\xc7\x57\x28\x71\xd2\xca\x00\x92\x63\x81\x0f\xf9\x0f\x39\xf7\x6c\xbf\xc3\xcd\xba\xd7\xeb\x1d\x4e\x7d\x0a\xdb\x59\x20\xb7\xa8\xcf\x96\x77\xb9\x4f\x5e\xc9\xea\x46\x4d\x2b\xc2\xa8\x6f\x5b\x5d\x5d\x22\xe6\x6b\x30\x68\x7c\xff\x95\x5e\x52\xba\x56\x60\x86\xe1\x41\x32\xdf\x50\xd0\x0e\x8d\xa0\x79\x5e\xc4\xb0\x8c\x09\xc0\xb2\x97\x46\x15\xb8\x09\xb0\x13\xac\x27\xe9\x26\x7a\x93\x48\xc4\xaa\xb7\x2f\x39\x07\xe8\x4f\x6b\x5b\x78\xe5\x15\xec\x87\x1d\xa6\x6e\xb9\xef\x76\xd8\xec\xd0\x21\xa8\x68\x18\x35\xe0\x16\x7c\xdd\xbb\x8b\xfe\xb0\xf6\x12\x9d\x05\xd0\xd2\xe1\xfd\x85\x30\x4b\xc8\x78\x29\x1f\x24\x1e\x4e\xed\x19\x33\xdb\xe2\xb3\x1f\xac\x51\x98\xc8\x3b\x6a\xde\x6b\x6b\x2a\x50\x04\x91\xbb\x6c\xae\x3a\x15\x34\x12\xc4\x03\x98\x9f\x3e\x9f\x47\xf6\x1d\x79\x64\x05\x34\x62\x75\x4e\x34\x17\x5e\x2b\xcc\x06\xc2\x20\x8b\xb9\x1b\x44\xdc\x93\x9f\xf0\xd4\x71\x1f\x53\x66\x78\xa0\x02\x3b\x40\x20\x2c\x9f\x9c\xe7\x33\x37\x5c\x7f\xdc\x07\xfb\x4f\x36\x90\xb7\x13\xf0\x43\x87\x0f\x15\xb9\xbd\x85\xd7\x10\x92\xc4\xe1\x15\xf8\xf6\x00\x6a\x29\x65\xc8\x43\xb3\x6d\x0a\xa6\x03\x6c\x4c\xbe\xb8\xda\xef\x0a\xf7\xc7\x0e\x78\xef\x3d\xb0\x44\xbf\x0a\xa5\x43\x59\x67\x88\x69\xd4\x5a\x32\xd0\xa5\x6a\x56\x61\xb5\xe1\x65\xf2\x84\x1a\xf0\xf2\x88\x43\x57\x38\x76\x66\xf9\xb3\x14\x36\xea\x69\x03\x46\x51\x07\xf0\x10\x2a\xaa\xcf\x9f\xc5\x11\xdc\xa3\x78\x4e\xa3\x34\x06\xc5\xe3\x84\x6c\x92\x75\xa3\x30\x97\x5d\x09\x1d\x75\xba\x00\x58\x64\x1c\x7c\xc8\xf8\x16\x7e\x80\xec\x48\x8d\x7e\xf1\x67\x90\x85\x40\x08\x69\x3d\x40\x62\x1d\xbd\xf5\x8c\x6b\x6f\x30\x01\xcb\x91\xd9\x0c\x5e\xd1\x9f\x97\x57\x0e\x1d\x3e\xc4\x33\xd1\x0d\xc0\xe5\x24\x4b\xd5\xf0\xa4\x19\x0f\x18\x27\xd4\x52\xc0\x9f\x81\x16\x00\xe8\xf6\x05\x48\x3c\xa2\x28\x35\xaa\x41\x1d\xfc\xc1\xd4\xc2\x64\x9d\xab\xe0\x4a\xc6\x75\x91\x98\x83\x7b\x46\x27\xca\x85\x06\x6f\x93\x6a\x07\x0d\x84\xca\xf6\x0a\xa4\x2a\x40\xd3\x80\x5b\x44\x4f\xea\x85\x30\xb6\xca\x57\x59\xeb\xe8\x58\xc0\xda\x63\x88\xa9\x82\x82\x51\x8d\x12\x99\xbe\x74\xb8\x11\xdc\x8b\x08\xb3\x1a\xc7\x06\xdf\x54\x0f\x34\x82\x7b\x27\x7c\xf6\x2c\xbe\xa8\x0c\x7b\x30\xbf\x94\x7c\x9e\x45\x65\x7d\xeb\x79\x07\xbe\xe2\x2e\xcf\xa5\xd8\x95\x37\x49\xc0\xcc\x47\x41\x96\xf9\xa5\x82\x11\xb1\x15\x72\x0f\x70\xef\x0e\xd0\xf7\x01\xc3\x24\xf4\x04\x96\x3d\x92\xd2\x63\x61\x5e\xf0\x54\x63\xc6\x9e\x42\x9b\x49\x71\x06\x53\x9e\x9b\xd4\x61\x7c\x56\xfe\x1c\x02\xcf\xa0\x96\x0f\x0e\x36\x4a\x62\x57\x4b\x96\xde\xb3\xd2\x8f\xab\xfb\xc2\x5a\xb8\x3f\xcc\x2c\xa6\xc7\x2a\xdc\xaf\xa5\x34\x4c\xd2\x30\xef\x9f\x92\x9b\xab\x85\x0f\x0d\xf6\x91\xaf\x1e\xf4\xce\x6e\xfd\x88\x1d\xfc\x30\xfc\x59\x0d\x37\x5d\x69\x3e\xf9\xff\x0e\xb0\xaf\x9a\x58\x6e\xbf\xbd\x4b\x2c\xb7\x77\x38\x6b\xaa\xac\xb5\x81\xe0\x3d\xfc\xe8\xa1\xec\xb1\x87\x78\xdb\x3b\x29\xed\xf6\xa4\xf4\x06\x4d\x4b\xf6\x2a\xc7\x1b\x5f\x83\x3f\xd7\xec\x39\x48\xe2\xa8\xde\xc5\xb9\x18\x0a\x1b\x9e\xf1\x76\xb6\xc8\x6e\x1d\xaa\x8a\x3c\xbc\x35\xb2\x77\x70\x7b\xe4\x07\xb7\x87\x9c\xd7\x38\xdb\xab\xcf\x0d\x77\x4d\xab\xcf\xe6\xd8\x14\x71\x0f\x25\x65\x7a\x6b\x69\x65\x6b\xd8\x30\xbc\x8c\xbd\xa5\xc6\xc6\x2b\x22\x86\xb4\x4d\x08\x6c\x51\x77\x06\x21\xb0\xe7\x7f\xcd\xf1\xae\xaf\xbc\x83\x03\xbf\x49\x3f\x90\x4f\x00\x5d\x85\xea\x69\xdb\xeb\x74\xc9\x61\x67\x0b\x84\xc1\x05\xef\xba\xd3\x84\x21\x98\x8a\x76\x80\x64\xf1\x9b\x1b\x7d\x33\x3f\x02\x9d\x32\x72\x28\xfb\x22\x57\xc9\xa9\x96\xc0\xbf\x55\x23\x09\xde\xe4\x4d\x8d\x03\x39\xed\x84\xc2\x09\x7c\x58\x05\xfd\xd7\xab\xd8\xb5\x15\x5d\x52\x06\x74\x71\xdf\x76\x95\xf7\x13\x4e\xf9\x2a\x1f\x5f\xba\x63\x42\xad\x03\xb4\xa6\xe9\xc9\x0e\x1e\x34\x92\x6b\x8d\xbe\x22\x36\x8b\x11\xf3\x1f\x80\xb1\x09\xb3\x3a\x88\x92\x76\x42\x88\x8c\x1c\xc8\xe2\x1f\x2e\xb9\x20\x7d\xfb\x70\x57\x57\xaf\x4e\xc8\x16\xd6\x38\xfc\x2d\xdb\x93\xca\x7b\xf6\xab\xc7\xcf\x7e\xf5\x79\x53\xef\xf9\x25\x67\xb7\xf6\xab\x57\x3b\x2b\xff\x02\xf4\x9c\xd7\xd7\xc8\xf2\xf2\xca\x1a\x3b\xb6\x2d\x55\xe7\x00\x4e\x54\x57\x34\xbd\x5f\x76\x00\x27\x51\x2d\x3e\x4d\x78\x51\x98\x63\x0a\xaa\xb0\x58\xe3\x62\x26\x9b\x86\xdd\x4c\x5b\xe5\x97\xb6\x93\x3a\x97\x4d\xb4\x5c\x3b\x78\x89\xbd\xad\xa6\x21\x57\x5f\xb7\x05\x6d\xf1\xf0\xee\x80\x77\xbd\x5f\x77\x28\x3b\xc3\xc8\x95\xca\x0d\xda\x5f\xc3\xd4\xaf\x32\x24\x54\x70\xfe\x40\x3f\xf9\x7c\xa9\x9c\xb9\x8c\x18\x10\x3e\x5f\x56\xc8\x47\x8f\x6e\xaf\x3c\xe4\xbc\x70\xfb\xdd\xff\x98\x3b\x53\x45\xc3\x59\xee\xa0\xb2\xdd\xec\x53\xfb\xd9\x73\xb7\x0b\x65\xae\x8e\xa6\xbb\x85\x12\x26\xdc\x7f\xda\xe7\xbd\xc7\xd9\xe6\xa1\x6d\xb3\x2e\xe8\x1c\x9a\x07\x69\x1b\x92\x0d\x30\x41\xf6\x5c\x97\x72\xd2\x36\xe3\x22\x1f\x23\xe3\xe3\x50\x38\xdd\x84\xbf\xe1\x09\x08\xd4\x83\xd4\xcd\xae\x80\x58\x87\xa8\x3f\x61\x2b\x12\x5f\x18\x65\x1f\xaf\xb1\x83\xfa\x15\xf7\x83\x35\xf6\x9c\x47\x18\xd7\x0d\x11\xe4\xde\x1f\x39\xc5\xf7\xc3\xcc\x8e\x63\x47\x30\x5c\x75\x69\x01\x92\x06\xb6\x0e\xda\x46\x82\x6a\x04\x68\x95\x67\x5b\x1d\x98\x0f\x78\x38\x61\xac\xf3\x4a\x08\x33\x11\x8d\x58\x45\x34\x7e\x75\xc0\xfe\x38\x02\xe0\xc8\xcf\x6d\x84\xed\x0d\x31\x90\x02\xa1\x27\x3f\x98\x2b\x66\xa6\xa6\x32\x44\x5d\xed\x65\xa2\x35\xe1\xb3\xf7\xd5\xd8\x01\xea\x71\xf7\xad\xbb\xed\xb0\xcf\x39\x6a\xf0\xb6\xee\xae\x73\xdd\x9d\x74\x96\x6a\x92\x9c\x40\xb3\x8c\xf3\x67\xf1\x30\x6e\xa6\x84\x72\x84\xb9\xd9\x90\x5c\x71\x14\x31\x1f\xbb\x22\xe5\xc7\x75\xea\x02\x3c\xdf\x4a\x7a\x8d\x48\x94\x12\x47\xaa\x1e\x3e\x53\x91\x46\x01\x11\xf5\xec\x9f\xc6\xd8\x33\x2b\x60\xeb\x09\x9b\xc4\xa0\x2a\xf8\xed\x5d\x53\x15\x7c\xe2\xc0\xbf\x2e\x20\xf7\x3d\x7d\x72\xb7\xfa\xe4\x86\x3a\xe4\xbf\xf4\xe1\x10\x2f\x1c\x61\x53\xcc\xdf\x96\x78\xc1\x9a\xc1\x7b\x9a\xeb\x6e\x0e\xf0\x77\x6f\xbf\x83\x5f\xef\x1e\x7f\xb8\x7c\x05\x74\x2a\xff\xed\x83\xec\xbb\xb6\xa4\x75\x5f\xcc\x45\xc7\xfd\xd8\x41\x6f\xc5\xbe\x64\x68\x8c\x9d\x30\x3e\xdc\x09\x2e\xf2\x1e\x9c\xab\x31\x27\x11\x50\x39\xe2\x7e\x29\x72\x57\x59\xa4\x93\x18\x6a\xe7\x5f\x72\x00\xbc\xde\x12\x53\x9f\x1d\x63\x3f\xe9\xb0\x03\x24\xaf\xdd\x0f\x39\xde\x9d\x8a\x08\xc6\x4a\x52\x56\x39\x42\xf8\x3d\x9c\x41\x0d\xe3\x83\x18\x30\xb9\x6e\x42\x1d\x74\xd0\x68\x9e\x74\xc2\x5c\x8e\xee\x03\xce\xcd\xec\xe1\x04\xdf\xf8\x3a\xaa\xf0\x05\xbd\x20\xce\xc3\xbc\x6f\xc6\x9a\x7e\xc1\x61\x57\x53\xa5\x89\x3e\xda\xfd\x45\xc7\x7b\xf9\x82\x75\x49\x2d\xb0\xd6\x56\x2d\x52\x86\xfe\x1d\xb4\xc9\x70\x63\x3c\x3a\xad\xfa\x7e\x87\x8d\x74\x82\x8b\xee\xab\x1d\xef\xe8\x69\x3d\xc6\xcd\x24\x96\x3a\x7d\x18\x2b\x04\xb3\x30\x43\x30\x96\x72\x65\x2f\x73\x6d\x7e\xa7\xc6\x9e\xd4\x09\x2e\xe2\x4c\xc4\xa6\x2f\x4b\xc1\xed\xfe\x7c\xcd\xfb\x7f\x9d\xd3\x15\x77\x64\x6f\x19\xce\x39\x15\x42\x50\x44\x88\xa2\x63\x8f\x50\x2e\x54\x77\x42\x76\x25\xe5\xd6\x06\x48\xfa\x0b\x3a\x65\x9c\xc4\x75\x48\xbf\x44\x1a\x5d\x7c\xa4\x15\xea\x60\x65\x63\x38\xaa\x93\x33\x51\x1e\xf5\x3a\x22\x45\x4e\x75\x39\xc2\x37\x96\x76\x22\x9c\x21\x72\x41\x35\x7a\x69\x96\x6b\x05\xcb\xae\xf7\xa3\x31\xce\x61\x8c\xe3\x1c\xc6\x8f\xf3\x38\xcf\x11\xa9\xc5\x0d\xde\xe4\x2a\xd1\x58\xd8\x82\x84\xa8\xb0\x3b\x36\xf7\xbe\xb9\xb7\x7d\xf6\x49\x56\x64\xaa\x11\x7e\x40\xa1\x67\xe0\x92\x72\xdf\xf7\x24\xef\x6b\x8e\x79\xc5\xa0\x5d\x41\x0f\x9d\xc6\x1d\x44\xa0\xa1\x26\x3c\x04\xa9\x71\x68\x73\x2b\x12\x84\xcb\xe7\x25\xcd\x48\xd8\xea\xc7\x41\x87\x5c\x56\x86\x65\xce\x67\xcc\xfc\xb2\xa8\x8a\x05\xbb\x71\x20\xea\x45\x7d\x17\x2b\x12\x34\x9b\x09\x5a\x31\xf3\x84\x8b\xbc\x09\xfb\x6a\x18\xf3\xc2\x54\x01\x51\x34\xfe\x25\xe7\x8a\xe2\xcb\x76\x5e\xe3\x4f\x5f\xc3\x62\xf6\x24\x38\x38\x60\xbd\x4f\x5c\xec\x06\x10\x27\xe0\xde\xe1\xdd\x36\x57\x71\x5d\x2a\x44\x9b\x99\x45\xcc\x57\xaa\x15\x9c\x42\xc8\x56\x20\xe4\x6b\x36\xe8\xee\x9e\xe6\xb6\x4b\xcd\xed\x9b\x0e\xbb\x12\x22\x0a\x89\x54\xd9\xfd\x7d\xc7\xfb\x79\x67\xa1\x7a\x9e\x55\x4c\x4c\xd5\x89\xa5\x61\x4b\x05\xc1\x8f\x15\xbc\x77\x19\x21\x36\xd3\x87\x90\x62\x9c\xdf\xed\xa5\x89\x37\xc9\xbd\x2c\x59\xcf\xbd\x7b\xc0\xdb\xad\x81\x31\x5b\xbc\x4e\xf8\xe2\xca\x41\x7c\x07\x65\x4b\x67\x61\xa7\x1b\xf5\x91\xe9\x3d\x5c\x87\x88\x84\x50\xe7\x4c\x6f\x95\x74\xf1\xf7\x0e\xbb\x06\x67\xd3\x2d\x21\x44\x4f\x9d\x4e\x5a\xc2\xfd\xaa\xe3\xfd\x96\x73\x47\xf9\xb2\x11\x30\xb6\x91\x6c\x0e\xb4\x7d\x3e\x0a\xc2\x8e\x99\xb7\x6f\x76\x14\xa2\x6b\xf5\xe2\x96\xcf\x2d\xd4\x76\xeb\x23\x8b\x9d\x8e\x68\x85\x84\x27\x87\xe9\xd4\xab\x16\xa4\x38\x40\xd2\x6d\x24\x71\x92\xe2\xae\xa0\x30\x7c\x41\x72\x21\x00\x1d\xf4\x0b\x99\x9d\x9a\x1b\xa2\xd5\x83\x73\x2b\x81\xd5\x59\x72\xec\xf5\x23\xec\x1a\x0a\x66\x59\x45\x74\xe9\x50\x64\xee\xdf\xd4\xbc\x0f\xd7\x96\x85\x7c\xa6\x49\x08\x0c\xb2\xe9\xb9\x7e\x82\x76\xa8\x0b\x3b\x13\x44\xfc\x44\xd0\xdc\xd0\x18\xe2\x10\xff\xa6\x17\xa1\x54\x93\x93\xcd\xd8\x40\xb3\x53\x28\xd7\xb6\xa9\xd0\x24\x6d\xa0\x9a\xf6\x55\xe6\xe8\xaa\x48\x3b\xea\x94\x18\x20\xa8\xb4\xce\x9c\xd2\xa5\xa5\xd4\x1c\x82\xcd\xb8\xcc\x3d\x5a\xcc\xad\x1b\xd8\x75\x3b\x30\x96\x56\x35\x61\xef\x18\xb3\x67\x80\xb7\x4d\x10\x6f\x75\x18\x2b\x54\x04\xf7\x55\x8e\x27\x96\x0a\x8d\xa1\xc8\xa7\x2b\xa9\x11\x70\xa9\xd8\x8e\x71\x1e\xab\xbd\x0a\x04\xb0\x5e\xb9\x95\x92\xda\x7f\x60\x8b\xa4\xb7\x33\xcc\xdc\xea\xdd\x9b\xbd\x23\x4b\xc6\xa7\xec\x70\x5a\x93\x24\xcc\x78\xc9\x92\x40\xef\x72\xd8\x55\xa9\x68\x4a\xb9\x49\xf0\x13\xaf\x71\xbc\x8b\x8f\xc2\x5e\x03\x9b\xba\xf1\x1d\x3b\x10\x67\x01\xb2\xe4\x6c\xe8\xb4\xb5\xed\x4f\xc6\x37\xb9\x37\x6e\x17\x18\x6a\x2a\x61\x65\x1b\xf7\x0f\x15\xb1\x3d\x08\xbd\xde\x6e\xa7\xa2\x0d\xde\x0c\x13\x09\xa0\xcc\xa7\x3e\xb7\xb4\x48\xe0\xca\xee\x97\x0e\x7a\x77\x17\x3f\x6d\x04\x36\x83\x43\x04\x93\x0f\xc3\x26\x60\x3a\x02\xd1\xf4\x1d\x8a\xf3\xfa\x8c\x19\x62\xec\x29\x2a\x6c\x68\x93\x67\xdb\xa8\xbf\x6f\x8c\xdd\x6e\xac\xb2\x2d\x80\x47\x76\xb4\xc8\xd8\x07\x1d\xf2\x2f\xbd\xc7\x61\x67\x2b\x8b\x7a\x64\x9d\x02\x9e\xa7\x93\xe0\x78\xd2\x69\x7e\x66\x0a\x85\xec\x10\xe4\x04\xa0\x98\xe9\x82\x6e\xbe\x08\x9d\xa6\xde\x93\xf3\x53\xf9\x7d\xde\xe0\xb0\x17\x5c\xce\x6a\xa2\x47\xe8\x3a\x72\x08\xe9\xaa\xb6\x44\x1a\x22\x64\xed\x40\x8a\x4b\x0c\xbc\xe5\x54\xb3\x3d\x35\x77\xcf\xe1\xfd\xf8\x99\x0d\xd7\xb7\x17\x8e\xf3\xee\x5c\x9d\x84\x60\x31\xeb\x4b\x22\x90\x17\x89\x63\xf6\x52\x21\x29\xca\xbe\xf0\x94\xed\x72\x40\x81\xa5\xef\x23\x4f\xf1\xae\x9f\xe3\xa5\xab\x3a\x68\x70\xd0\xe9\x6c\x3c\xe9\x5f\x72\x34\xc1\xd4\x25\x67\x2c\x17\x9d\xae\x9c\xc8\x97\x9c\x2b\x28\x20\xfd\x4c\x39\xb7\xf7\x17\x9e\xcc\xde\x5c\x63\x63\x2a\xad\xde\x7d\x55\x4d\xa1\x80\x7d\xd3\x31\x11\xca\xd0\x16\x07\xb8\x6b\x55\x18\x66\x16\xf1\xd5\x2a\x7d\x56\x61\xba\x61\x34\xa9\x2a\x0b\x23\x7f\x32\x11\x67\x05\xf4\x4e\x1f\x9e\x21\xf4\xb3\x90\x82\x50\xd5\x31\x5e\x0a\x75\x55\x24\x46\xe5\xca\xad\xf9\x42\xd8\xea\x05\x51\x51\x2e\xd0\x71\x90\x75\x0a\x10\xc6\xd0\xbd\x8c\x41\xb0\x04\xa7\x63\x85\x9f\x9b\x94\x45\xd3\x36\xb4\xd6\x8f\xd7\xd8\x93\x52\x81\x3b\xf5\x6d\xa1\xdc\x0c\xfb\x60\x2f\x73\xdf\xae\x7b\xe7\x9f\x9c\xaa\x07\x54\x4f\x75\x82\x8b\x61\xa7\xd7\xb1\x7a\x0a\x9f\x2e\x91\x7b\x76\x82\x10\x23\xa0\x34\xac\xb7\x31\x9a\x00\x91\x84\xaf\xf1\x0d\xfc\x0a\x66\xd4\x94\xaf\xaa\x06\x43\x9f\x05\x80\x40\xa1\xbe\x86\x9c\x27\x16\x74\x62\xa0\x3c\xf4\x51\x5f\x83\xec\x95\x67\x9b\xda\x3b\x31\x81\xa7\xec\x11\x9c\x9e\xb2\xfb\xeb\x47\x4d\x5e\xb3\xf7\x5e\x0e\x5e\xb3\x2f\x3a\x26\xaf\x59\x40\xe0\x2e\x65\x4a\x3d\x53\x1b\xc4\x00\x6d\x4c\xc3\x80\x29\xc1\x9b\x98\x48\xb8\x98\x1b\xe4\xa4\xa8\xbf\x25\x2d\xae\x96\xc6\x21\x22\x41\xab\x96\xdb\xbb\x25\x70\x3f\x7c\x2d\xfc\x5b\xd7\x64\xed\xec\x1f\x6b\xcc\x5c\x8b\xee\x9f\xd7\xbc\x3f\xac\x19\x17\xaa\xe8\xe4\x54\x32\x09\x34\xb7\x2d\xbf\x1b\x53\xb6\xa5\xb9\xf4\xf1\x24\xa8\x9e\x85\x26\x8b\x8b\x21\xe8\x42\xeb\xe8\xa2\xb5\x26\x17\x61\x50\xa2\x27\x5f\x4e\x1f\x05\x72\x0a\x5f\x17\x39\x00\xfd\xa8\xd5\x53\xd4\x24\xf7\xf9\x92\xec\xfa\xb6\xc8\xf9\xc2\x99\x15\xe0\x15\x42\xac\x08\xa8\x1d\x26\x4c\xa8\x90\x7d\xb9\x77\xce\xca\xee\xae\x2b\xb1\x55\x27\xc4\x19\xa3\xc5\x3e\x4d\x2f\x3f\xbb\xd0\xf4\x55\x84\x0c\x90\xe5\xd0\xd1\xdc\xab\x28\xc0\xc3\x94\x18\x8b\x3d\xd1\x68\x9c\x91\xdd\x6a\x69\xe8\x1f\xa9\x31\x2d\x14\xdd\xf7\xd7\xd8\xd4\xf6\xb1\x2f\x49\x4b\xc9\x1e\xd0\xc5\xbe\xe1\xa8\xf7\xd5\x48\xa9\x8c\x57\x24\xba\xb2\x4c\xa2\x72\x9e\x99\xab\x5d\xa9\xf1\xe1\xba\x94\x75\xbd\xf5\xf5\xb0\x19\xa2\x1f\x43\x09\xb1\x14\x53\x58\x9a\xb9\xb6\x35\xc8\x42\xb2\x3c\xe8\x74\x45\x8b\x4b\xc5\xa9\xa2\xb1\x48\x27\xd6\x8b\xd6\xe5\xbf\x30\x2f\x6c\x71\x49\x52\x91\x10\x38\xf4\x98\xea\x0d\x3c\x15\x05\x52\xb7\x39\xa3\xd8\xd7\x1d\x76\x35\x6e\xd5\x2b\x0a\x64\xf9\xf3\x5b\xe5\x4d\x55\xec\x68\xe7\xac\xd7\xbd\xb7\x39\x76\x79\xa5\x53\xd6\xd0\x17\x4b\x94\xc8\x1d\xca\x76\xce\x13\x52\x25\x70\x52\x0e\x8a\x50\xa4\x77\x08\x0a\x89\x09\xd3\x06\x0c\x40\xc5\x36\xc5\xfe\x69\x84\x3d\xe9\x42\x61\xf4\x52\x37\x32\xf7\xeb\x23\xde\x7b\x47\xaa\xee\xd8\x11\xde\x4d\x34\x95\x41\x1d\x41\x30\x99\xf8\xf2\x79\x52\x24\x86\xa1\x3c\xad\x9e\xa8\x55\x6b\xb1\x43\x48\xa3\xa5\xf5\x88\x56\x7c\xf5\x59\xa0\x32\xda\x0c\xfa\xca\x73\x18\x9a\x84\x64\xc6\x02\x26\xa6\xc2\x13\x90\xad\x03\xef\x62\x87\x81\x83\x20\xcb\x4d\xff\x8e\x09\xfb\xa8\x13\x56\xc6\x1b\x7d\x10\x4b\x2a\xf7\xfc\x34\x98\x2e\xc3\x18\x09\x70\x8b\x48\x5e\x1c\x84\x5c\x2b\x01\x73\x55\x1f\xcb\x83\xf3\x22\xe3\xdd\x54\x34\x45\x0b\xa9\x5e\x81\xd3\x27\xee\xeb\xf3\x7c\xa9\x9c\xc9\x82\x37\x4d\x27\xa6\x5a\xd6\xaa\x59\x76\x3d\x3b\xfe\xb0\x63\xd9\x60\x58\xd9\xcf\x8e\xb2\x27\x76\x93\xd6\x69\xcd\xcc\x48\xe7\xf7\x0f\x8c\x7a\x6f\x1b\xad\xb8\xa1\x86\x0d\x2d\xa7\x7a\xc8\xd5\xfa\x26\x5c\x3d\xa8\x07\xe1\x6e\x4a\x9d\x77\x12\x67\x23\xc2\xef\x61\x44\x4e\x0b\xdc\x45\x71\xd2\x12\xd9\x24\x07\xff\x88\x88\x4b\x08\xa8\xe6\x0e\xdc\xd5\x20\x96\x6b\x67\x53\x80\x50\x5d\x16\x41\xab\xbf\x36\x49\xa2\x72\xa0\x26\x61\xac\x62\x75\x64\x81\x89\x7c\x87\x8f\x4b\x79\x3a\x45\x8c\x41\xf2\xef\xe9\x49\x2e\xf2\x26\x92\x48\xa9\xa8\x6c\x9a\x93\xb0\xe2\x36\x83\x50\x1e\x75\xf2\x30\xe2\x42\x89\x24\x98\xac\x41\xab\xaf\x76\x17\xf9\x4e\x18\xf7\x0a\x1a\x4f\xb3\x11\x93\x4a\x1c\xaa\xcc\x22\x8b\xc8\x24\xe9\x76\x93\x2c\xcc\x05\x56\x0f\x1b\x1c\x44\x70\xee\x02\x2c\x1d\xa3\xd1\x4b\x41\x1a\x44\x91\x88\xd6\x4c\xca\x29\xb2\x03\x29\xbe\xd9\x2e\x3d\x83\xec\x66\x6a\xcf\x57\xba\x2b\x8e\x85\x02\xb8\xa2\xe8\x78\xdc\x0b\x93\xd8\x8c\x05\x23\xf0\xa8\x48\xe4\xa2\xa0\xb3\x0d\xe4\x92\x28\x91\x42\x3c\x38\xca\x26\xb7\xc2\x91\xf2\x57\x93\xf3\x22\x5e\x16\x52\x57\x00\xfd\xfe\x35\xa3\xde\x89\xd2\xb5\x4a\xf6\x6d\x98\xfd\xf2\x39\x6e\x97\xa9\x53\x3c\x2d\x45\xfe\x63\x23\xec\xaf\x6b\xec\x60\xd0\x6b\x85\x72\x3d\x65\xee\xd7\x6b\xde\xaf\xd4\xe6\xd4\xcf\x41\x4e\x06\x03\xe6\xa6\x80\xc0\x34\x50\x46\xc1\xe0\x52\x28\x8e\x7a\xf5\x61\x95\x0c\x18\xa4\x20\xf3\xb9\xfa\x4e\x3d\xd8\x44\x86\xba\x52\xb5\x93\x94\x3c\x1b\x17\x44\x8a\x18\x44\xf4\x41\x7c\x72\x13\x0e\x06\xb9\x88\x89\xb2\xd6\x96\x40\x54\xe1\xa0\x68\x8b\x21\x49\x28\x80\xcd\xb8\x2b\x2b\xa0\x80\xb1\x26\xad\x37\x2b\x91\xf0\xf4\x4d\xfa\x8c\x89\x98\xa1\x93\x3a\xb6\x70\xb9\x5c\xc7\xf6\x41\x23\x5c\xdf\xfb\xae\x55\xec\x1b\x52\x0c\x88\x20\x48\x04\x29\x90\x23\x9e\x57\x98\xcc\xf4\xe2\x7f\x74\xd9\xd3\xab\x80\x61\x51\x35\x5a\x4a\xd2\xdc\xfd\xda\x35\xde\x8c\xf1\xbb\xda\x06\x24\xe7\x2d\x3e\x73\x28\xe3\xdd\x24\x95\xa7\xc0\x51\xf9\xaf\x35\x3f\xde\x7d\x0d\xfb\xea\x28\x63\x18\xfb\x09\x85\x7f\x61\xc7\xd8\x04\xc3\x38\xc3\xdf\x3a\x7a\x86\x0e\x38\x36\x13\x0c\xe4\x0a\xe6\x09\x47\x1c\x45\x85\x49\x82\x2a\x3b\x7c\xdf\x88\xf2\xc5\x9a\xfb\x9c\x4a\x52\xd6\x3b\x92\x0d\x29\xf0\x1f\x4d\xcb\xc2\x8e\x1f\x3b\x36\x73\xac\x64\xe3\x0b\x62\xbe\x38\x77\x66\xee\xa5\x2b\x77\xcc\xbf\xf4\xcc\xdc\xe9\x13\x05\x64\x98\x61\xfd\x80\x14\x50\xa5\x3a\x44\x49\x72\x5e\xb4\x78\xaf\x8b\x39\x94\x18\x2a\x00\xf5\x55\xfb\x0d\x06\xc7\x2e\x25\xad\x43\x99\xb1\xab\xc9\x47\x32\xab\x78\x08\x9a\xb4\x03\x26\x2c\x4e\xaa\x43\xf2\x95\x43\x85\x6b\x06\x60\x87\xc7\x83\xb8\xd8\x93\x3b\x41\x77\xa2\xec\xc0\x41\xbc\x76\x5c\x04\xd4\x37\x88\xc7\xa7\x82\xc7\x17\x97\x6e\x3a\x93\xc4\x64\x8a\x2a\x9c\x73\x14\xd4\x02\x00\xda\x22\xb7\xe3\x28\xcc\x9a\x3c\xfc\x20\x6a\xaa\x44\x9d\x74\x90\x30\x6e\xab\x6b\x87\xaf\xc5\xc9\x13\xb7\xeb\x41\x9d\xae\xb1\x4f\x8e\xb0\x2b\x82\x6e\x77\x29\x4d\xf2\xa4\x99\x44\xee\x8f\x8f\x78\xef\x07\xd6\x2e\x38\x6a\x36\x35\x6e\x1d\xdc\x2d\xf8\xf1\x60\xde\x9a\x7d\x81\x27\x89\xac\xc8\x92\xbc\x7d\x80\xb6\xba\x1f\xe7\xc1\x45\x9f\x9f\x8b\xeb\x98\x66\x2c\x5a\x04\x5b\x87\x9b\x0c\x2c\x5d\xec\x49\x39\x49\x8a\x92\xd4\x19\x09\x1f\x1e\x0f\x30\x0a\x75\xf9\xe4\x7c\xfd\xf8\xcc\xcc\x31\xe8\x58\x02\x0a\xdb\xdc\xdc\xf4\xc3\x20\x0e\xfc\x24\x6d\x1f\x0e\xb2\x2c\x6c\xc7\x40\xbc\xa8\x7a\x00\xe3\x0f\x26\x7c\x7e\x26\x89\xeb\xba\x7c\xd5\xba\xcc\xe4\xe2\x2b\x55\x31\xeb\x35\x37\xe4\x14\xec\xf4\x81\x26\x2c\xee\xfb\xcd\xa4\x73\xb8\xd3\xaf\x13\xa8\xa8\x2a\xc3\x20\x09\xe3\x0d\x91\x07\xd4\x3b\x98\x2f\x9d\xf1\x76\x0f\x71\x03\xd4\xa9\x00\xab\x35\x57\xf4\xbf\xcd\xeb\x85\xa8\x1a\x40\xec\x25\x5f\x51\x27\x2f\x53\x2a\xfd\x64\x8d\xf0\xd4\x7e\xac\xe6\xbd\xb7\x66\x23\x26\xd3\x38\x99\xfc\x83\x7a\xfd\x42\x35\x0b\x58\xd7\x85\x33\x2b\x2f\x3d\x35\x77\xcb\x89\x53\x3e\x9f\x83\xdd\x33\xcd\x33\xf5\x5e\xc0\x0d\xeb\xb6\xa1\x76\xd2\x01\x05\x3a\x88\xb4\x08\x85\x15\xaf\x2c\x96\x9a\x80\x98\x5c\x01\x54\x90\xa2\xe1\xb1\xcf\xf9\x87\x64\x49\x7a\x05\x62\x7d\x15\x65\xf1\x12\xcc\xb7\xb3\x8a\xc4\x0c\x9c\xec\x44\x86\x6b\x0a\xdc\xb0\x80\x3a\x50\x61\x3d\xaa\xc5\x66\xa7\xbd\x6a\x1f\x1b\x93\x4a\x1c\xc8\xd5\xbf\x1d\x55\x46\xa2\x2f\x8f\xae\x2a\x69\x98\xc4\xa8\x3b\x81\xf7\x39\x89\x35\x18\x84\x71\x64\x0f\x33\x62\xa5\x68\xa1\x1a\x08\x2e\xa7\x30\xe3\x67\xa8\x60\xb9\xb6\x4f\x25\x41\xeb\x96\x20\x0a\xe2\xa6\xd4\x94\xf8\xb9\xac\x07\x7e\x25\x9c\x9a\x83\xb9\x13\x8b\x52\xeb\xd7\x66\x1b\x43\x5a\x85\x71\x1d\x44\x2b\x8a\x11\x29\xca\x20\x94\x49\x98\xa2\x52\x0a\xac\x32\xb6\x3b\x82\x51\x63\xd8\xbb\x3c\x74\x06\x61\xe4\x73\x1d\x42\x6e\x60\x3b\xa8\x89\x82\x45\xc9\xb3\x50\x53\x1d\x7d\xd1\x72\xa1\xbd\x3c\x10\xce\x27\x37\x09\x81\x25\xd9\xac\xe3\xba\x4c\xec\x13\xd0\xf5\x10\xb3\x5a\x95\x80\x3d\xa9\x13\xf5\x81\xd8\x36\xcc\x89\x1e\xae\x54\xd3\x32\x97\x5d\x43\xaa\x04\x5d\x55\x38\x1c\x25\xed\xc2\xf3\x44\xea\x16\x51\x12\xb7\x09\xd0\x53\x76\x10\xe2\x07\x00\xa5\x06\xcc\x4b\x39\x4e\x70\x98\xd6\x23\x95\x27\x7c\x5e\x89\xeb\x89\xcb\x2b\x72\xe5\xd7\xea\x72\x16\xe1\x0e\x6f\x58\xe1\x6e\x67\xb0\xeb\xbb\xf3\x6a\xfa\xf9\x7a\xf6\xd9\xa7\x67\x9a\x64\x0a\x95\xb9\x98\xd0\x46\x61\x2f\x63\x63\x4a\x04\xb9\x2f\xf1\x5e\x20\x4b\x5a\x5c\x1a\x2a\xb7\x57\x30\xe4\x21\xe3\xde\xea\xfc\x92\x37\xc9\xbd\x73\x0b\xf2\x1f\x39\xb7\xbc\x95\xf9\xd5\x25\x4f\x7b\x28\xe5\x98\xae\xce\x2f\x59\xab\xe7\x4f\x1d\x0b\x89\xb5\x2a\xe5\xf9\x5c\x26\xd2\x95\x1e\xa8\x32\xee\xcf\x38\xde\x4d\xc6\x6f\x72\x1e\x23\xc7\x78\xc9\xd7\x24\xab\x09\xc8\x8e\x10\x8b\x97\xe1\x0b\x7e\x15\xc6\x65\x8b\x35\x48\xee\xdd\xe5\x9d\x5e\x93\x7f\xe8\x3c\x7d\x05\x0a\x6a\x45\xe6\xc2\x69\xcd\x7b\x96\x57\x9c\x32\xe4\x21\x41\x3d\x9a\xf9\x7c\x59\x81\xa4\x59\x5c\x5f\xff\xc6\x4a\x62\x80\x34\x52\xd5\xc4\x65\x79\xc2\xea\x50\xb4\xdd\xb7\x9e\xe4\xfd\xee\x88\x79\xc5\x88\x22\xd6\x81\x75\x85\x76\x92\xe2\x93\x46\xe8\x49\x58\xc2\x81\x93\x03\x68\x95\x67\x10\x21\x98\x48\x6d\x06\xbe\xb6\x51\xae\xf1\x30\xb0\x4a\xcb\x53\x97\x7a\x88\x0c\x10\x60\x5b\x30\xbf\x40\xfb\xf0\xb8\x36\x36\x4f\xf0\x4e\x10\xa3\xbc\x32\xe0\x63\x0a\x1e\x64\x45\x9c\x6c\xb8\xd7\x71\x0a\x19\xb8\x3a\xd4\xac\xa5\xa4\x25\xf7\x0e\x6c\x96\x02\xa1\xab\xb0\x9f\x20\xdb\xb7\x76\x77\x19\xb5\x3b\x83\xb8\x56\x0a\x43\x95\x4e\xb1\x8a\x60\x97\xd4\x55\x9f\x03\x75\x07\x64\xb8\x10\x87\xfd\x24\xcf\x84\xa8\xf2\x4e\x89\x78\x43\x4a\x65\x54\x0f\xce\x8b\x6e\x06\x2e\x29\x39\xc2\x87\xa9\x17\xeb\x18\x91\xd0\x69\x5d\x72\x0e\x20\x13\xa2\x1d\x5e\xf8\xbe\x27\xec\xf9\x41\x77\xeb\x07\xfd\xdc\x28\x53\x7d\xeb\x7e\x76\xd4\x7b\x70\xf4\x36\xfc\x51\x62\xcf\x05\xf8\xe9\x08\x68\x7b\xd4\x14\x47\xe7\xb9\x09\x10\xa2\xcf\xa8\xf3\xcb\x8b\x05\x84\xb3\xb1\xa7\x00\x47\x4c\xc1\x6a\x09\xc6\x1c\x1a\x04\x1c\x6a\x8e\x02\x98\x28\xc7\x35\x41\x43\xe1\xc5\x53\xbd\x0c\x5a\xc1\x77\xc3\x87\xac\x3a\xc8\x1d\x11\x33\x98\xb2\xac\x27\x4f\x2a\x18\x65\x0d\x60\xc6\xd0\x2e\x32\x35\x6a\x96\x32\xa9\x66\x80\x7d\x4f\x96\x88\xc3\xa4\x9f\x34\xfd\x69\x48\xeb\x91\x0a\x79\x50\x08\x2f\x04\x11\x40\xed\x98\xef\x22\xd5\xa1\x41\x6b\x4e\xc5\x00\xce\x9b\x68\x71\x2f\xed\xc5\x4d\x8f\xc8\xe4\x15\x93\x4a\x61\x46\xe8\xc5\x4d\x7e\x76\x7e\x51\xf7\xee\x38\x92\xe0\x93\x45\xe7\x54\x18\xf7\x2e\x1a\x12\x64\x62\x80\x3b\x1c\xf9\xed\x45\xb5\x94\x91\xbd\xaa\xc6\x55\x69\x9c\x51\xb2\x29\xd2\x66\x90\x89\x49\xe8\xc1\x24\xed\xa8\xbe\x5d\x38\xb3\xc2\xc1\xb9\xc4\xc7\x97\x4f\xce\xf3\xe9\xe9\x23\x33\x13\x66\x16\x41\xa6\x3d\x21\x61\xa7\xd3\x03\x36\x7b\x7f\xcf\xb5\x7e\x79\x42\xd9\x3e\x61\x86\xb2\xfd\xe8\xae\x43\xd9\xda\x8f\x55\xb4\xda\xdf\xd4\xd8\x58\x72\x41\xa4\x1b\x22\x68\xb9\x7f\x5a\xdb\x22\x8b\xcb\xda\xc2\xcf\xd2\x2b\xde\x7f\xa9\xa9\x3f\xcb\xd9\x0a\x05\x13\x9c\x7a\x40\xc3\xe1\x91\x8d\x4d\xed\x41\x30\xd9\xe9\x98\x83\x7e\x75\x73\xff\xf2\x2f\xcb\xce\x74\x64\x6a\xfa\x86\xa9\x23\x47\x8e\xd7\xbb\x49\xab\xae\x6a\xe4\x77\x5a\x25\xa3\x04\xa0\x26\xd6\x23\xd9\x8f\x1c\x9d\xfd\xc6\x61\xfc\xc2\xb4\x3f\x7d\x4c\xaf\xa1\x9d\x06\xa0\x2e\x25\x2d\xdd\x45\x2a\xf6\x94\xbd\xb7\xc6\x58\xa6\x63\x52\xdd\x37\x6c\xe5\xa0\xb3\x3a\xbe\x08\x64\xf5\x7e\xc7\x31\xa2\x5a\x8b\xb8\xc2\xa2\x58\x2b\x57\x23\x4f\xb8\x88\xb3\x5e\x2a\x0c\xe7\x8d\xc9\xb2\x8f\xeb\xd1\x52\x9c\x40\x7e\x63\x69\x28\xab\xc0\x7a\x4f\xbe\x68\xc2\xc9\x0a\xd1\x2c\x69\x7c\x34\xcc\x78\x1c\x46\x93\x15\xe5\x99\xd2\x1d\xa0\x70\x0b\x25\x4e\xaa\x47\x51\x84\x1f\xf0\x1f\x72\x1a\xdb\xc7\xa9\xdc\xec\xde\xa4\x83\xf8\xa0\x87\x4a\x11\x7c\xe6\x97\x2b\xb3\xdc\x7e\x77\x8c\x3d\xc5\xe8\xe5\xb4\x11\x34\xe5\x22\x5c\x4e\x22\xe1\xfe\xdc\x98\xb7\x21\xff\x40\xf9\x57\xa4\x5e\x4c\xf2\x28\x69\x87\xcd\x20\xc2\x2f\x83\xa7\x61\x9d\xa3\xa7\x04\x29\xc0\x90\x8d\x02\x43\xab\x0d\x6d\x0e\x4c\x70\x72\xc5\xa2\x22\x28\xcb\xa6\xd0\x71\xdb\xb6\xfd\x87\x7b\x60\xe6\x7b\x11\x62\x8f\xe3\x36\xb6\x61\xec\x62\x2f\xde\xed\x26\xf6\xb4\x2d\xc2\xb1\x59\xce\xf6\xa5\xc0\xaa\x79\xde\xab\xe3\xd2\x41\x11\x16\x80\x67\x5f\x58\x8b\x4a\x9f\xc1\xe5\xba\x31\x1d\x14\x87\x59\x9d\x3d\x7b\xa8\xe0\x54\x4b\xba\x28\xea\x21\xa7\xb9\xbd\x64\x79\x9e\xfb\xdc\x7a\x75\xb8\x1b\x14\x68\x93\xf2\x96\xa5\x4e\x12\x09\xc6\x3e\x31\xca\xee\x79\xa4\x9c\x61\x94\x24\xbd\xc7\x49\xfb\xbf\x21\x27\xed\x67\xf6\xb1\x9b\xb7\xc4\xbf\x98\x1e\x86\x9e\x32\x9f\xc4\x48\x9b\xe3\xfe\xf3\xa8\x27\xb6\x7b\xa8\x14\xbd\x63\x20\xa6\x0d\x79\x93\x07\x40\x56\x26\x52\x80\xd5\x05\x09\xa7\x12\xb5\x2f\x39\x14\x69\x6d\xed\x63\xff\x30\xc2\x3e\xec\x30\x37\x0a\xb2\x7c\x35\x0d\xe2\x0c\x3e\xbb\x1a\x76\x84\xfb\x76\x67\x38\x0e\xcf\x16\x62\x45\xbe\xeb\xbd\x68\xb0\xbc\x82\x65\x3d\xcb\x81\x4b\x47\x1d\xa6\xa8\xa5\xb9\x7e\x5a\x21\xff\x26\xb1\x1e\x01\x18\x74\x30\xfb\xb2\x76\x01\x08\xf7\x62\xef\x2c\xfd\x89\xfb\xc6\x46\xaf\x13\xc4\xf5\x54\x04\x2d\xd0\xe9\xc4\xc5\x6e\x14\xc4\xb8\xb1\x1a\xf4\xf9\xa4\x9b\x1a\xd4\x48\xc5\xa7\x4d\x09\xbb\xa4\x81\xe2\x4e\x7a\x37\x10\x40\x5c\xa8\x34\x66\xf8\xa5\xa7\xbf\x6a\x04\x44\xee\xc9\xe6\xe9\x02\xad\x63\xdb\x8a\x8e\x75\x5f\xf4\x9e\x93\xe9\x25\x6b\xcc\xb4\x82\xec\x9f\x7a\x65\x7c\x35\x95\x3b\xf8\xc9\x20\x92\xc7\xc8\x73\xf1\xf9\x38\xd9\x8c\x27\xcc\x42\x6f\xa0\x74\xdb\x69\xef\x99\x39\xc2\x0d\x9b\x33\x46\x01\x1f\xe9\x12\xcd\x57\xbf\x72\x85\x15\xfc\x6b\xc4\x97\xcd\xc5\x79\x38\xb7\x0e\x23\xdf\x77\x7f\xf6\x0a\x6f\x71\x29\x69\xf1\x20\xce\x43\x1e\xd0\x55\xec\x71\x10\xb7\xb2\xd6\xa0\x72\xc0\xe9\xc0\x7e\xca\x50\x37\x61\x13\xb1\x95\xa8\x2f\x33\xf6\xb5\x51\xe6\x2b\x58\xd7\x05\x88\x51\x29\x74\xe5\x45\x74\x3c\xe2\xe5\x13\x17\x45\xb3\x07\x0b\xe7\xe3\xa3\xde\x37\x47\x88\x89\x52\x7e\xad\xae\xbf\x66\x1e\xa1\x0d\x33\xbd\xb2\x2a\xe3\xe1\x01\xf3\x74\x01\xf3\x44\xae\x16\xa3\x86\x72\x56\xea\xb8\x10\x3c\xff\xd3\xd6\x5f\x28\xd7\x49\x6c\xd8\x47\x34\x21\xe6\x23\xa8\x46\x13\xc0\x6a\x50\xbd\x56\x55\x49\x3a\x02\xd7\xac\x0a\xd7\x91\xf5\x10\xaa\xe1\x64\xe4\x6f\xf5\x04\x22\xfe\xc9\x9b\xe8\x76\x44\xcd\x64\x62\xd2\x70\xb4\x80\xe2\x03\xe1\x5a\xc0\x94\xc6\xf3\x14\x10\x77\x81\x2e\x1a\x0d\x9e\xe2\x82\x4a\x3f\x84\x43\x1d\xe0\x5d\xe7\x19\xb5\x0b\xf6\x00\xcc\xf4\x03\xc8\xeb\x5e\x94\x87\x5d\xb9\xa6\x22\x65\xa0\xc8\x09\x6a\x04\x26\x2d\x9e\x37\x0a\x6e\x37\x95\xd3\x4c\xa1\x39\x6a\x2a\x41\x2a\x21\x86\x55\xe7\x22\xcd\x20\xa6\x70\x92\x03\xeb\x30\x68\x13\x22\xed\x14\x0e\xbb\x2c\xc8\xc3\x4c\x76\x9c\x15\xe9\x70\x94\x1d\xd9\x59\x88\xa4\xf9\x4d\xf6\xad\x7d\xec\x70\x57\x11\x4c\xed\x70\x9a\x7d\x7a\x9f\xf7\x2d\x70\x96\xa9\xc1\xa7\xd0\x23\x2c\x07\x61\x9a\xf0\x06\x85\x11\xd8\xc7\x2e\xa8\x7d\xbf\x62\x76\x88\x8b\x72\x87\xc6\x50\xe8\x21\x93\x83\x42\xca\x73\x18\xbd\xe6\x46\x92\x64\x82\x10\x1e\xb1\xf0\x0b\x61\x82\x21\x7f\x10\x8a\x42\x67\x6e\x92\x1d\x46\xf1\x68\x96\x2a\x5e\x0b\x33\xde\x49\xb2\x9c\xeb\x9e\xd0\x61\x21\xb1\x28\x82\x69\x90\xbb\x3a\x93\xea\x70\x47\x16\xba\x29\xc2\xf6\x86\x1c\x71\x18\x27\x29\xf3\x0a\xaf\x21\xba\x1f\x84\xc8\x51\x1d\xd4\x1c\xb6\xc5\xa2\x37\x97\xc2\x78\x19\xfa\x62\x92\x0f\x5b\xfa\xc3\xfb\x0c\x02\xc3\xfc\x89\x49\x60\xe4\xec\xe5\xc0\xd7\xd9\xeb\xc8\xfe\x0b\x73\x70\x04\xc2\x31\x21\x05\xda\x31\xe8\x0f\x9a\xb1\xfa\xc8\x45\x52\x20\x6e\x01\x83\x5d\xdc\xe6\x1e\xb6\xd0\xd3\xbb\x7e\xaf\xa3\x70\xbf\xa1\x91\x1b\x84\xbb\x45\xae\x88\x8e\x81\xb2\x6e\xcf\xf8\xd2\x4c\xbf\x51\x17\x31\x9e\x4d\x14\xfd\xab\xa0\xb8\xe4\x67\x02\x0a\x82\xb6\x87\xc5\x9a\xf0\xcf\x61\xb3\xec\xfa\x6d\x27\xfc\x9d\xd0\x04\xd1\x2a\x4f\xfc\x9f\xbb\xba\x12\xb7\x95\xf0\xc4\x64\x71\xf3\x3a\xb2\xce\x7d\xf3\xd5\xde\xd9\xca\x3b\x03\x70\x7a\x36\x6a\xf5\x3a\x44\xb3\x16\xa1\x14\xe5\x48\x67\x25\xee\x7f\xf3\xca\xbd\x33\xf3\xde\x99\xf9\xf1\x3b\x33\x7f\xb9\x66\x1c\x9a\x3f\x5f\xdb\xed\xa9\xf9\x2d\x35\xda\xfd\x4f\x21\x81\x01\xac\x83\xea\xf5\x03\x6e\x8d\x4e\x37\xef\x4f\x16\xa9\x45\x14\xe9\xa2\x6d\x6c\xda\x11\x12\x64\xca\x1c\x29\xe5\x86\x11\x07\x59\xb5\xc2\x28\xe3\x00\xcf\x80\x8f\x7b\x4a\xf5\x1b\x14\xa6\xe9\xab\x6b\x5b\xc4\xe4\x6f\x29\x85\x20\xa5\xe1\xb3\x36\xb0\x69\x65\x96\x99\x19\x42\x5b\x86\x93\x1c\x22\x8d\x1e\xed\x7e\x90\x75\xac\x07\x71\xab\x8e\xea\x3c\xfb\x52\x81\x6a\xfa\x85\xad\xf0\x13\xb7\xee\x10\x4c\x64\xfd\x81\xda\x8a\x75\x62\x80\x2d\x23\x15\x4d\x4c\x9a\x4a\x1a\x14\x5a\x66\x1f\x24\x86\xf5\x03\xd8\xd2\xe5\x88\xc1\x5a\x6f\x08\x48\xe3\x48\xd6\x39\xe4\x2d\x34\xfa\xa8\x89\x12\x8a\xa4\x2c\x2a\xdc\x05\x1c\xea\xa3\xd8\xc1\x0f\x9b\x5d\xc8\x00\x48\xad\xec\xeb\x72\x06\xf9\x6b\x6a\x16\xc0\x1a\x86\x7d\x17\x04\x3c\x0b\x80\xa8\xe6\x7e\xd9\xf1\x8e\xd3\xdf\x2a\xca\xd7\x84\x56\xc3\x0d\x4a\xe5\x5e\x60\xf8\x68\xb2\xce\x17\x17\x32\xff\x92\x33\xd2\x09\x63\xf9\xff\xc1\x45\x6b\xab\x7c\x83\xc3\x4e\x20\xa8\xd3\x73\x21\x74\xe6\xf8\x51\x6f\xa2\x13\xc6\xc6\x71\x31\xd5\x51\xd3\x14\x35\x15\xc6\xcd\xa8\x97\x85\x17\x4a\x51\x33\xf3\x88\x01\xf6\x1c\x55\xcc\x21\x59\x25\x2a\x46\x18\x9c\xa9\x5b\x16\xf2\xae\xab\xd9\x0b\x76\x67\x27\xbb\x53\x34\x36\x92\xe4\xfc\x3c\xec\x1a\x88\x39\xef\x7e\xea\x2a\xef\xce\x8a\xeb\x45\x48\x71\x5e\x62\x33\x86\xc0\x16\x30\x18\xad\x9e\x5a\x91\x8f\xc5\x04\xa0\xa9\x95\xab\x4d\x2c\xce\xd6\x3b\x7e\xef\x4a\xf6\x19\x87\x8d\x35\x83\x5b\x7a\x71\x2b\x12\xee\x83\x8e\x3b\xda\xe8\xe7\xc2\xfb\xa0\xa3\xae\xe1\x26\xba\x74\xe2\x34\x17\x71\x33\x69\x89\x16\x9f\x9f\xe3\x0d\xbc\x65\xc4\xf5\x1b\xee\x60\x85\x98\x63\x7e\xf6\x50\xa6\x82\xd4\x9b\x22\xcd\x51\x5a\x89\xc1\x34\x4f\x3a\xa1\xe5\xa9\x3c\xe9\xa4\x49\x92\xeb\x78\x64\xdd\x9d\xb0\x43\x00\x3e\x8d\xb9\x81\xbd\xb7\xc6\x0e\x50\x68\x94\xfb\xe6\x1a\x7b\xf1\x30\x81\xf2\x48\x06\x88\xc2\xcb\x34\x87\xaf\xf7\x51\xc7\x88\x02\x0c\x8c\xc0\x14\xa5\x26\xd3\x5d\x6d\xf3\x55\x7d\xcf\x4f\x84\x00\x2d\xa5\x1e\x48\x52\xde\x4b\xa3\xe2\x5c\xa7\x3a\xc2\x67\x8c\x36\x50\x7a\x13\xec\x97\x86\xa7\xcb\x0e\x18\xa2\xec\x90\x7e\xd2\x33\x63\x58\xd7\xe8\x2b\x6b\x3e\xfb\xab\x31\x36\xd2\x4b\x23\xf7\x1b\x63\xde\x1f\x8c\xc9\x2f\xb6\xc3\x0b\xb4\x79\x20\x1e\x41\xb1\x6f\xd0\x07\x27\x91\x92\x9f\xf6\xcd\x73\xcb\xa7\x80\x98\x9f\x8f\xaf\x81\x8e\x28\x66\x0f\x43\x2e\xe1\x6c\x37\x49\xf3\xc3\xdd\x20\xdf\x58\x9b\xf0\x91\xa9\x86\xc2\x32\x93\x75\xbe\xd6\x4b\xa3\x35\xd9\x44\x5d\x91\xca\x86\xca\x83\xd8\x9a\x2c\x6c\x4d\x55\x1e\xb3\x60\xe9\x24\x19\xe8\xce\x52\xed\xb7\xdb\x7e\x23\x06\x76\x6c\x18\xed\xd5\x31\xa4\x59\x2e\x02\x8a\x40\x90\x1f\xa0\xf8\x87\x86\xa0\x48\x23\xa9\xaf\x86\x01\x97\x23\x0e\xfa\xed\xc2\x99\x15\x68\xb5\x94\xf0\x7a\x72\x64\x68\x5b\x98\xe4\x6b\x08\xb6\xa0\xae\xaf\xf1\x26\xaa\x72\x54\x16\x0f\xe3\xba\x8a\x89\x92\x05\x05\x2a\x77\x58\xc5\x7c\x07\x3c\x0a\xfa\x18\x1b\x8b\x87\xd4\x30\x89\x27\x7c\xd5\x74\xb9\xd9\x40\x52\x34\xc5\xc9\x2f\xc9\x23\x98\x3c\xd8\xf9\x8c\x2d\x45\x84\xde\xab\xa8\x97\x30\x3c\x63\x0d\xd2\x2e\xf1\x75\xd9\xcb\xd3\x47\xae\xf3\xa7\xfc\x29\x7f\x7a\x0d\x5d\x75\x54\xb2\x9c\x39\x61\x76\xbe\xcf\x7b\x31\x80\xf7\xc9\x59\x02\xb6\x65\x38\xcd\xf2\x26\x66\x80\x50\x0c\x47\x31\x57\x81\xc6\x2a\x8a\xa0\xe3\xd4\xf9\x0e\xa2\xc9\x62\x63\x29\xd2\xb1\x0f\xba\x15\xe2\x2d\x95\x18\x6a\x06\x51\x44\xe7\x08\x73\xfa\xaf\xf4\x9a\x1b\x98\x38\x2e\x6f\x07\x80\x35\x78\x5e\x20\xe3\x51\x03\x31\xe2\xe4\x8c\x0a\x1a\x91\xc0\x43\xf5\x24\x4c\x06\x11\x64\xf0\x08\x10\xf5\xf7\xba\x18\x5c\x12\x8b\x4d\x1d\x30\x87\xb3\x08\xa7\x66\x01\x29\x02\xdb\xac\x87\x67\x4d\x39\x83\xcb\x5c\x67\x9e\xda\x87\x3d\x9f\xb1\x39\xcd\x5a\x95\x50\x98\x31\xd9\xd8\xd7\x55\x5a\x8d\x52\x08\x82\xb8\xaf\xce\x14\x5d\x91\x76\x42\x0a\x18\x0a\x89\x2c\xcc\xe7\x2f\x4a\x7a\xf0\xac\x9a\x98\xc8\xc1\x94\x00\x6b\x2a\xf4\x5f\xda\x08\xf3\x34\x48\x75\x31\x24\x36\xf4\xd2\x5b\xb7\x83\x79\xd4\xb4\x2a\x72\x80\x64\x7d\xf3\x5c\xaa\xcd\xf4\x7a\x0f\xcc\x20\x2a\x36\xaf\x11\x64\x61\x13\x12\x7a\x10\xd6\xcc\x93\x37\x66\xe5\xe7\x37\x93\xb4\xf5\x3c\x4f\x53\x6c\xe1\xc6\xeb\xf3\x93\x69\xd0\x26\x43\x84\x77\xad\xef\xfb\x1e\xa6\x97\x61\x06\xb7\x01\xf2\x33\xee\xdd\x4c\x77\xc9\x52\x48\x25\x4c\x72\x01\x82\xcd\x12\xc9\x7f\xf9\x04\x76\xd4\xd4\xe4\x0a\xb9\x0f\x69\xa7\xf3\xc5\xef\x95\xb0\x2d\x57\xb6\xc2\x17\xfd\xe9\x27\x78\x1f\xd9\x37\xf4\xb6\x66\x98\x25\x7d\x42\xaa\x13\xa2\xb9\x11\xc4\x61\x06\x51\x44\x49\x03\x0c\xfc\x17\x8f\x4d\xdd\x60\xee\x35\x19\x28\x6f\x70\x24\xa3\xa8\x61\xe3\x26\xcf\xf0\x13\x85\xf5\x05\x63\xb1\x20\x18\x31\xcc\x79\x90\xf5\xe3\xe6\x46\x9a\xc4\x49\x2f\xc3\x3c\xfc\x14\x72\xe2\x30\x8c\x22\xeb\x81\x20\xa3\xc8\xc6\x8c\xc6\x3d\xcc\x00\x33\x45\xd7\x68\x96\xf1\x69\x5f\x9d\x0d\xad\x8a\x49\x29\x57\x24\x5f\xc1\x6a\xb4\x65\x0d\x1f\xd7\xbb\xb8\x67\x87\x22\xdb\xcf\xd5\xb1\x74\xd0\xfa\x22\x91\x7b\xd0\x2c\x91\x9e\x09\x3a\x62\xc2\x67\xfc\x88\x8f\xb2\x34\x6e\xdb\xdf\x97\xd3\x4d\x6a\x0d\x45\xb8\x7e\xe9\xf3\xc4\x47\x18\x13\x57\x70\x26\x9a\xbd\x54\xae\xda\x2d\xab\x15\x89\xbc\x4e\x9f\x2b\x55\x84\xad\xaa\xce\xa1\x20\x03\x1d\x47\x46\x23\xfc\x58\x74\x92\x55\x27\x88\x0f\x2e\xe6\x8e\xdd\x3b\xf2\x8c\x4f\x4e\x31\x29\xa0\x8c\x60\x1a\x2c\x21\xab\x24\x36\xfe\xf6\xc1\xcb\x8b\x59\xf4\x61\x75\x7e\xfc\x60\x8d\x9d\x1c\x7e\x5c\xda\xe9\x22\x83\xb3\xe4\xef\x38\x99\x85\x55\x04\xdb\xaa\xb1\x2a\xac\xd5\x60\x86\xdc\xf1\x60\x5d\x0a\x24\x15\xb4\xef\xf3\xb3\x71\xd4\xa7\x63\x15\xbd\x52\xf4\x2e\xbe\x0e\xc8\xab\x99\x22\x24\xa0\x81\xcf\x04\x04\x32\x1a\xe5\x80\x7a\x44\x0f\xa1\x29\x00\x31\x89\x1a\x7d\x2b\xd5\x2f\x6e\xa9\xed\xb7\x21\xcf\x7b\x2d\x6d\x29\x96\x92\x2e\xf3\xd9\xab\x8a\xe3\xe5\xdf\x39\xec\xb6\xcb\xd0\x5f\x78\xd4\x7c\xc0\xc9\x4a\xa0\x49\x83\x60\x49\x26\x7e\xa8\xc9\xc7\xa8\x84\x46\x92\xf2\x96\x88\x31\xf1\x42\xe5\xf0\x1a\x9d\x8e\xf2\x44\x1f\x24\xa1\x1b\x71\x7e\x6e\x08\x48\x8c\xe8\xa5\xa6\x1b\x8c\x52\xf2\x81\x35\x0a\x9e\x55\xcf\xf8\x7b\x16\xc5\x3d\x8b\xe2\xe3\x88\xd3\x94\x6e\x6f\x7f\x38\xeb\x9e\xd6\xf6\x07\x6b\x25\x96\x29\x8e\x87\xad\xca\xb2\x51\xe2\xa7\x47\x87\xb9\x6d\x4d\x58\x10\xf7\x2d\xa3\xde\x0b\x4a\xd7\x4a\xce\x61\x30\x00\xa1\x1f\x91\x26\x37\xe4\xbc\x15\x59\x4d\xca\x13\x1f\x68\xc8\x03\x4b\xfa\x7f\x74\x84\x7d\x51\x81\xcc\xfd\x77\x87\x8d\xef\xc4\x2d\x07\x22\xf9\x87\x9c\x4a\xde\xe8\x61\xd6\x3c\x88\xb0\x7e\x8c\x4d\x77\xff\x2a\x11\x2f\xbf\xf9\x94\x4a\xca\xba\x33\x49\x4b\xa0\xe9\x85\x82\x96\x3e\xfb\x14\xef\xce\xf2\xc5\x8a\x50\x14\x2b\x60\x61\x3d\x6c\x5b\x39\x7f\xf2\x7d\x1f\x32\x62\xa8\x14\x8c\x2e\xb2\x26\xd0\x1f\x3c\x99\x7d\xaa\xc6\xf6\x07\x40\xda\xe3\x3e\x58\xdb\x82\x82\xbc\xa2\xae\x50\xa0\xf7\x3d\xb5\x39\x78\x5d\xca\x1d\xc8\xf7\x82\xfa\x6c\x88\xe6\x79\x90\x2c\x42\xa5\x50\x14\xfe\x3c\x29\xdd\x88\x26\x08\x0f\x99\x3e\xa7\x22\xc0\xc6\xa3\xe5\x17\xa9\xfb\x56\x1c\x05\x2d\x44\xd5\xee\x39\xd5\x60\xfc\x86\xde\xc1\xd4\xe3\xa7\x82\x2c\xbf\x3d\x4e\x36\xe3\x5b\x93\xa4\x78\xa8\x25\xba\xc4\x23\x0f\x59\x97\xb8\x91\x06\x03\x47\x9d\x8a\x0f\x48\x89\x0b\x00\x61\x21\x9c\x51\x45\x9a\x26\xa9\xcf\xfe\x61\x94\x8d\xa9\xae\x77\xbf\x39\xfa\x48\x7a\xf1\xc1\x51\xfd\xa5\x1d\xf7\x23\xf4\x16\xc5\x15\xf4\x32\x15\x34\x50\x3d\xee\x48\x2d\x0c\x92\x7b\xb2\x28\xa1\x28\x1e\x3f\x67\xc4\x9d\xd3\xc7\xba\x41\x3f\x4a\x02\xd0\x9b\x11\x7f\xa9\x15\x66\xe7\x27\x79\x10\x25\x05\x94\xa4\xdc\x47\xd3\x96\xa9\x23\x68\xdc\x06\x2c\xc5\xf0\x83\x13\x07\xb5\x3a\xb3\xd3\xab\x79\xa2\xbc\xec\x72\xe3\xa1\x4f\x17\x95\x53\x29\x5f\xaa\x5f\x8a\x17\xc3\x58\x8f\x90\x5f\x8c\x15\x04\x9c\x63\x6b\x0b\x70\x39\x5c\x2f\xa8\x52\xa2\xd2\x04\x25\x6c\x04\x19\x6f\x08\x29\x70\xcd\xae\xce\x13\x68\x68\x11\x87\x51\xca\x28\xcb\x83\x14\x43\x27\x72\x9e\xa7\x04\xbd\x03\x26\x89\xaa\x39\x03\xd7\x70\x82\xd3\x95\x46\x9f\xcb\x5e\x55\x00\x9d\x64\xca\x54\x5b\xbb\x55\x13\x35\x00\xfa\x58\x0e\x8b\x5b\x37\x9a\xfd\xd0\x18\xdb\x07\xd3\xd0\x7d\xe7\x98\xf7\xba\xb1\x13\xf2\x4f\x43\x54\x04\x31\x20\xcc\x36\x22\xd1\xc1\x4e\x8b\x9b\x61\xa4\x3e\x34\x38\x4b\x48\x83\xb2\x6a\xeb\x73\x28\x14\x95\x88\xa4\xd9\xec\xa5\x65\xdb\x81\xb5\x72\x8a\xda\x0f\x2f\x1f\xa7\x92\x31\xe3\xe5\x50\x6c\x51\x10\xda\x37\xb0\x23\xca\xb9\x11\x03\x1f\x29\x97\x03\x6f\x25\xa9\x6d\x30\x1e\x10\x1c\x22\x6f\x0e\x36\x94\x07\x39\x6f\x85\xeb\x60\x78\xcd\x39\x2d\x94\xcd\x8d\x30\x12\x5c\x9e\xd5\x29\x73\x00\xfb\x28\x48\xa3\x50\xa4\x28\x12\x32\x15\x2a\x94\x6c\xc6\xea\xf3\x45\x73\x20\x72\x12\x1e\x9b\x28\x82\x9c\x50\xb0\xa0\x7d\x27\x4d\xa2\xa8\x11\x34\xcf\xcb\xda\x5b\x12\xcc\x54\x62\xd1\x1e\x18\x34\xd3\x24\xcb\xf4\xec\x4c\x05\x4c\x47\x9f\x9f\x0a\xf2\x72\x65\xd4\x8c\x2b\xba\x82\x2c\x14\x83\x32\x66\x42\x49\xe2\x1d\xd4\x09\x14\x41\x52\xbb\xe1\xb8\x06\x09\x57\x88\x7b\xd8\xa3\x5c\x74\x9d\xef\x06\xc7\x6f\xac\x39\xa8\x9f\x30\x5b\x1b\x7d\xbe\x1e\x5e\xd4\xb3\xbf\xb4\x95\x85\xf1\xe0\x10\xa3\xf5\x4b\x1e\xef\xd6\x43\x8a\x23\x51\x49\xfb\xa5\x4c\xdf\x96\x68\xf4\xda\x90\x92\x0d\x89\x27\xb0\x53\x2b\xdc\x00\xf8\xb8\x0e\x60\xb4\x97\x79\x94\xa8\x79\x5f\x19\xda\x58\x01\xcb\x83\xc5\x41\x84\xe8\x8d\x9c\x94\x12\x3c\x82\x42\x07\xeb\x7d\x26\x49\x61\xbc\x75\xd9\xe4\x96\x6e\xf4\x72\xdb\x32\x0d\x26\x6e\x25\xba\x1a\x61\x64\x40\xee\xe1\xbb\xb9\xb8\x98\x97\xc7\x9f\xb6\xc7\xcc\x32\x91\x7d\x6b\x3f\xbb\x2a\x32\x87\xcc\xfd\xe3\xfd\x8f\x64\x8f\xfa\xe8\x7e\x7b\x3b\x7d\x78\x1b\xd5\x7a\x10\x45\x5c\xcd\x20\x50\x71\xc3\x1c\x9c\x3d\x3d\x88\x45\xd3\xdb\xe9\xce\x36\x62\xdc\x52\xca\x92\xb6\x21\x9a\x49\x87\x14\xa4\xaa\xad\x9f\x40\x14\x54\xbd\x74\x92\xb3\x81\x76\x54\x2e\x12\xb0\xb7\xd1\x1a\x01\xd9\xa0\x69\x0a\x87\x52\x85\xc0\x51\xc0\x66\xea\x6c\x50\x95\xc4\x32\x3d\x55\xef\x84\x71\x2f\x17\x3c\x4b\x82\xf3\xbc\x2b\xd2\x10\x71\xfb\x52\xc4\x61\x56\x55\x41\x61\x48\xdb\x51\xb2\x5e\x55\x83\xe2\xcc\x55\xa9\xf6\xc8\x47\x48\x64\x53\x2b\xb4\x63\x31\xcc\xe8\xc3\xb0\x24\x87\xf6\x0f\x90\x50\xa8\x28\xb5\xf5\x0a\xc1\x8d\xdb\x9e\x00\xcb\x5c\x1c\x46\x7c\x5c\x8e\x0b\x69\x04\x04\x9a\x4a\xe1\x8f\x76\xbf\x87\x84\xc2\x1a\x2a\xde\x87\xa8\x6f\x15\x34\x29\xeb\x14\xa8\x41\xb6\x0a\x34\x1a\x17\x44\x9b\x41\xbf\xc8\x89\x6a\x43\x8d\x5f\x54\x38\xa2\x20\x9c\x14\x1c\x93\xf2\x09\x24\xdb\x30\xe2\x8b\xe5\x60\xa3\xbe\xbf\x91\x40\xbf\xa8\x81\x2f\x04\xb8\xb1\xc8\x8c\x71\x8e\x45\x96\x4d\xa2\x93\x25\xcc\x28\x18\x10\xdd\xc7\x29\xf5\x65\x11\x8a\x45\xd6\x79\xb0\x9f\xf4\x30\x77\xed\x1d\x57\xb3\xa9\x1d\x1d\x54\x0a\x7b\x49\xe6\x7e\xe5\x2a\xef\x8d\x8e\x71\x81\x82\x3c\x0d\xfb\x49\x56\x10\x2b\xe9\x2c\xdf\xc9\x82\xbf\x12\x8f\xf1\x19\xe9\x30\x4d\x00\xd1\x83\x49\xb3\xb4\x28\xa7\x87\x3c\xa0\x4c\x92\x4f\x45\x85\x53\x27\x49\x8e\xfe\x03\x12\x30\x91\x68\x07\xcd\x3e\xbf\x30\x2d\x5f\xf2\x2f\x39\x63\xea\xcb\x97\x9c\xa7\xa2\x7d\x73\x0e\xfd\x46\xb7\xf4\xc9\x71\xbc\xb8\xb0\x6c\xc7\xb5\x7f\xe6\x0a\xf6\x22\xa6\xdf\x73\x4f\x7b\xd3\xba\xf6\x2a\xe8\x2e\xe8\x86\x5b\x35\x69\x2b\x80\xad\x3d\xa3\xd3\x9e\xd1\xe9\x71\x0b\x63\xfb\xb3\x7d\x6c\x8b\x55\xe0\xfe\xb7\x7d\xde\xff\x18\x0d\x78\x27\xe8\x22\x0e\x28\xb4\x4f\xde\xd2\xa9\x45\xa9\x72\xbb\xea\xb0\x60\xe5\x31\x81\x8e\x02\x5b\x55\xb1\xc5\xe4\x09\xdf\x10\x51\x57\xaf\xeb\x14\xc2\x7f\x95\xdf\x98\x44\x0e\x44\x23\x11\x36\x4c\x5d\x68\x14\xd9\xcd\xa0\x50\xbe\x7c\x3e\x4f\x25\x48\xa5\x44\x89\x5c\x30\x18\x77\x53\xa0\xe4\x29\x55\x8e\x40\xb0\xe4\x53\x58\x7d\x8d\xcc\x0d\x21\xb8\x30\x18\x52\xdb\x93\xcd\xd4\x01\xea\x1a\x0b\x45\x55\xd7\x88\x15\x40\x11\x1f\xb7\x85\x82\x64\x92\x4d\x96\x45\xe3\x6e\x4e\x9f\x4f\x45\xde\x4b\x63\x4a\x1b\xce\x37\xe4\xa9\x10\x3a\x96\x3a\x0b\xf8\xcb\xe2\xf3\xc6\x96\xad\x1c\x39\x41\xac\x2a\x66\xe0\x14\xcc\x62\xf7\x04\xe0\xdb\x24\xad\x16\x3c\xbc\x41\x5c\x2c\xd6\xc5\x25\x6c\xa1\xfc\xe4\xa4\x8a\x3d\xa6\x62\xa1\xbb\x95\xd1\x05\x6b\x88\x9e\x71\xbb\x00\x35\xed\x01\x4d\x0e\x50\x21\x5f\x58\x3f\x99\xa4\x9b\x80\xc5\x25\xff\xe2\x1b\x22\x68\xa1\xfe\xf7\xc2\xfa\xb2\x08\xa2\xfa\x62\xd7\xb8\xa6\x00\x1c\x97\x45\x27\xc9\x85\x9c\x58\x7c\x3c\x24\xc0\x09\x00\xc1\x9c\x90\x13\xa1\x2d\xac\x26\x2f\x2e\x59\x42\x72\x89\x9d\x61\xa7\x1e\x81\x9d\x6c\x65\xd8\x64\x7e\xc8\x59\xd9\xde\xbe\x3a\xe5\xfa\x55\xf1\x5d\xc6\x16\x56\x36\xa0\xbe\x63\x84\x7d\x77\x25\xbd\x1c\x46\xc2\x10\x61\x1a\x1c\x6a\xbf\x51\xf3\x16\x8c\xdf\xbc\x19\x74\x73\x20\xb3\xd6\xea\xa2\x56\x21\x0b\x90\xd5\x40\x33\xad\x2b\x68\x2a\xdb\xec\xf5\x8e\x1a\xfb\xa8\x53\xa4\x31\x7d\xd0\xf1\xde\xee\x20\x7c\x21\x25\x27\xd9\x47\x84\x8a\x2f\xcc\xe5\xb9\x5c\x84\x49\xca\x17\x04\xfe\xa5\xbf\x44\x98\xdb\x58\x1c\x39\xf3\xa3\xa4\xdd\x86\xc0\xa3\x44\xce\x5f\x43\x69\x21\x07\x0f\x40\xdf\x87\xa0\xc0\x19\x07\x18\x4b\x89\x6f\xb0\xd1\x3c\xec\x08\xf7\xae\x47\x9e\x14\xf6\x8c\x55\x95\xf5\x85\xed\xda\x0c\x32\xb3\x6d\x3e\xfb\x15\x87\xad\xec\x2e\x88\xe9\xf9\x2b\x67\xcf\xac\xc0\xc6\xb8\x94\x26\xdd\xec\x6c\x7a\x4b\x92\x44\xee\xcb\xbd\xa4\xf2\x86\x19\xd6\x5e\x7a\x80\x03\xc6\x01\x51\xde\xe1\x76\x64\x33\xda\xe4\x69\xaf\xc8\x7f\x54\xcf\x49\x51\x26\xd2\xbc\xef\xb3\x37\x8e\x59\x81\x83\x0a\x85\x7a\x41\x74\xa3\xa4\x2f\xb5\x74\xe0\x85\xfe\xd3\x03\xde\xb8\x7d\xc9\xc6\x44\x2d\xee\x0d\xa1\x85\xfe\xb5\xbd\x2c\xf4\xcb\x49\xa4\xfc\x5d\x8b\x55\x44\xca\xe6\x28\xec\x3c\xa7\x79\x70\xc8\xf7\x94\x9e\x5d\x28\x3d\x0d\xc3\x1d\x73\xc7\xee\xb8\xcf\x9f\x32\x84\xfb\xfc\x21\xe7\x85\xdb\xef\x36\xc7\xdc\x99\x7a\x41\xaa\xd2\xcd\xf4\x7e\x63\xaf\xe3\xf2\x96\xf3\xc5\x27\x33\xbf\x2a\x90\xd8\x5f\x4a\x5a\x0b\x61\x96\xf6\xe0\xd0\x78\x4b\xaf\xd5\x16\xe4\x85\x77\xff\xf3\x93\xbd\xd7\x3b\x43\x6f\x9b\xb2\x6b\xd0\x3b\x6f\x7b\x68\x02\x5e\x51\x8c\x4e\x1a\x97\x33\x26\x4f\x83\x10\xb3\xf9\x83\x66\xde\x0b\x22\x33\xd3\x98\xa2\xbc\x2f\x39\x6e\x4b\x17\x91\xcd\x61\x48\xd4\x25\xe7\x6a\xb2\x40\xdc\x26\x82\x28\xdf\xe8\x5f\x72\xae\x26\x2f\x9e\xbe\x70\xa5\xb8\xd8\x85\x4c\xbf\xa5\xa4\x65\x4b\xaf\x4f\x3d\x89\x7d\xd5\x61\xae\x8a\x5d\xbf\x55\xc4\xb4\x89\xb9\xbf\xe6\xa8\x70\xe5\x4f\x38\xa7\x8b\x40\x77\xde\xd6\x8f\x14\x11\xef\x36\x4e\x22\xcc\xfa\xa5\x85\x5b\xa8\xf9\x3e\x5f\x18\xa8\x34\x22\x6b\x63\x88\x2a\x85\xd4\x1b\x1d\x18\x66\x68\x9e\x44\xfd\x2f\x5c\xe7\x83\xd5\x43\x28\x5b\x90\x77\x4b\x0b\xb7\x1c\xd2\xeb\xb1\xa8\x9d\x1d\x3d\xfd\x37\x63\x8c\xe9\x58\x86\xcc\xfd\xfa\x98\xf7\x37\xfb\x75\x8a\xb7\x8e\xb2\x28\xc2\x1d\x30\x58\x69\x69\xe1\x16\x42\x5a\xd7\x2d\x30\xf3\x3e\x32\x41\xa7\xf2\xa2\x81\xaa\x7d\xba\x20\x7c\x1f\x61\x6b\x41\x31\x49\x05\x87\x0c\x62\x05\xfc\xa5\x36\x30\x95\xd0\x0c\x21\xa5\xe3\x86\x3d\x13\x6f\xc8\x3a\xaa\x00\xcf\x56\xab\xc0\xbc\x43\x43\xc3\xc4\x2c\xaf\xf3\x95\x7e\xdc\x3c\x09\x68\x87\xb3\xf0\x51\xa3\xa6\xa6\xfe\x52\x58\xd9\xe2\x96\x54\x00\xe2\x43\x39\x0f\xc8\x32\x4b\x09\x7d\x8c\x5b\xff\x81\x01\x45\x73\xd6\xa8\x28\x7a\x63\x2a\x42\x23\x53\x04\xcb\x8b\x13\xf3\x8e\x6c\x6f\xa9\xb4\xc0\x98\x02\x95\x6e\x4c\x0a\x38\x51\xd1\xde\x90\x78\xed\xb3\x3a\x5f\x34\xc8\x31\xe4\x44\xc6\x56\x16\x15\xd3\x48\xf2\xe4\x34\x04\xb5\x99\x37\x84\xa2\x1e\xc1\x27\x4b\xb5\xc1\xff\x54\x0e\xa4\x8a\x86\xa9\x5c\xac\x67\xb6\x6b\xd9\x2e\xdb\xb7\x32\xd8\x3a\x95\xfb\x9b\x28\x14\x7f\x60\xc4\xde\x49\x6d\x2b\xaa\xb6\x5a\xf9\x79\xcc\x6e\x57\x95\x1d\x18\xe6\x8a\x72\x4a\x9d\xa0\x51\xd5\x55\x75\x06\x65\x54\xa1\x95\x99\x9b\xf7\xf3\xd8\x73\x87\x27\xe4\x6c\xb1\x8b\xe8\x75\xfb\x90\x73\x88\x3d\xd5\xda\x2d\xe4\x6e\x52\xef\x04\xdd\xfa\x79\xd1\xcf\xdc\x83\xee\x81\x3a\xe0\xb0\xb2\x87\x1c\xce\x9e\x3c\xf8\x24\x64\xed\xef\x77\x47\x3b\x41\x97\xc9\xc2\xbe\xd3\x7a\xa4\x2b\x4f\x92\xf5\x8e\x48\xdb\x42\x96\xe7\x1e\x70\xf7\x51\x61\x87\xd8\xd3\x2a\x9e\xcc\x14\x1b\xca\x98\xbb\x1f\xde\x62\xec\x04\x2b\x09\x67\x77\x46\xc1\xb0\x3e\x5d\x39\xa8\x8b\x2e\xdf\xc0\x67\x60\xa4\x2d\xe9\x75\x9a\x95\x44\xba\x7b\xa3\x2a\xe6\xbb\x3b\x61\x0c\xa4\x52\x83\x34\x5c\x43\x8b\x7b\xe3\x01\x76\x15\x0d\x12\x6e\x09\xee\x3f\xee\xf7\x3e\xb6\x7f\xc1\xbc\xb4\x55\xe0\x19\x65\xe2\xca\x63\x39\x64\xb0\xc3\x74\x0a\x20\x50\xb6\x29\xb2\xac\x98\x09\x05\x97\x5f\xf1\xa0\x09\x3d\xa2\xd0\x03\x91\x8e\x06\x63\x85\xfb\x22\x47\x6f\xac\xde\x5d\x86\xcf\x72\x2b\xa1\x6a\xae\x80\x0c\x50\x48\xf1\x60\xb1\xed\x16\x1a\x18\x60\x5e\x68\xab\xbb\x51\xbb\xa2\xe6\xa0\xa8\xa9\xba\xaa\xa8\x3a\xd2\xaa\xed\xd7\x89\xef\x22\x93\x75\x6d\xf4\x61\xc3\x33\x24\x6e\x90\xa9\xb0\x5e\x68\x4c\x27\x48\xcf\x13\xea\x38\xb0\x47\x00\x96\x80\x94\xc1\xe0\x8c\x0e\xa0\xe8\xa4\x97\x4f\xe0\x76\x71\x5e\xf4\xb5\x55\x27\xe8\x56\x91\x3f\x21\xcc\x03\x56\x57\x23\x39\xef\xa2\x89\xda\xaf\xa0\x6b\xd7\x0a\x5b\x72\x67\x20\x27\x68\xdc\xa2\x28\x25\x38\xd8\x22\xa3\x10\x70\x10\x17\x00\xc2\x8a\xbf\x43\xf7\x36\xa8\x76\x41\x2f\x4f\xe4\xe4\x41\xa6\x53\xd9\x4f\x5b\x0e\x23\x75\x08\xa4\x46\x60\xca\xdb\xe2\x3a\xe2\x4f\x22\xdc\x4c\x3b\x11\x19\xcf\x3a\x49\xa2\x40\xd8\x64\xff\x14\x78\xf7\x48\x9f\xac\xb6\x54\xb0\x88\x29\xca\x0c\x28\xec\x54\x90\xb6\x4d\x21\x27\x62\xf4\xdd\x1b\x9d\x8d\xda\x3b\xd2\x0f\x15\x7e\x73\xf0\x33\xcb\xf6\xab\xfe\xc9\xfc\x07\x9c\x1b\xd9\x0d\x8f\xf8\x28\x6e\x42\xd9\xac\xb1\x0a\xbd\xce\x7d\xbe\x5a\xe2\xc7\xce\x98\x5b\x9c\x25\x7e\xb5\xc9\xdc\xe0\x6e\xa3\x58\x7b\x6b\xc5\xdf\xcd\x2c\x15\xd0\xbd\x5d\x95\x7d\x3c\x4f\xf2\x20\x2a\x6f\xa2\xa8\x2c\x14\x88\x08\x86\xfa\xd3\x80\x11\xb3\x0a\xff\x23\x87\x3d\xa3\xc2\x79\x38\x1f\x74\xd1\x9f\x12\x8a\xcc\xfd\xa4\xe3\x3d\x67\xae\xd5\xca\x28\x8c\x43\xce\x94\x8c\x2f\x9d\x5d\x59\x7c\x21\x6f\x1a\xcf\xe1\xe4\x51\x09\x38\x05\xcc\xa7\x6d\xbc\x79\x39\x3b\xc6\x46\x82\x56\xcb\xf5\x3d\x77\x0e\x94\x21\xb3\x8c\x2d\x7c\x06\xd7\xb3\xd1\x56\x9a\x74\xdd\x29\xef\x49\xcb\x34\x5b\x77\xf8\xe6\x1b\xaf\xb6\xc2\xb6\x0a\x7b\x95\x3f\xbf\xb2\x78\x26\x69\x89\x85\x34\xbc\x20\x52\xf7\xeb\x57\x79\xf7\x58\x57\x08\xa9\x6b\xc8\xf9\xa0\x1c\x82\x97\xc4\x82\xcf\xaf\x2c\xf2\x16\xbe\x4b\x19\x2c\x08\x33\x8f\xe8\x13\x84\x52\x7d\xc9\xd9\x2f\x7f\x2d\x2e\x58\x1d\xf3\xa7\x57\xb2\x9f\x19\x65\x74\xc7\xfd\xf1\x51\xef\xfd\xa3\xf8\xb7\x5a\x05\xe0\xf3\xd4\x0b\x94\xbe\x82\x87\xd2\x64\x9d\x5f\x08\xc5\xa6\x85\x86\x8e\xc8\x8c\x99\x19\x11\x8d\x4a\x22\x91\xc9\x12\x64\x85\x62\x26\xc6\x63\x0a\xcd\xca\x56\x82\xe8\xef\x1b\xca\xd7\x83\x08\xb3\x49\x47\xc4\xcd\x08\xc9\x07\xd6\xc1\x11\xde\x12\x59\x09\x56\xd6\xf8\x1c\x5a\x2b\x74\x8a\x16\x22\x5e\x42\x2b\x82\x8c\x7b\xf2\x8f\x69\x0f\x3d\xe7\xa8\x6a\x99\x15\xb1\x5f\x36\xaa\x60\xbc\x3d\xe7\x51\x80\x8f\xf1\x4d\x08\x8c\x06\x48\xed\xa4\xd3\x01\x21\x9b\x54\x95\x2e\x2b\x84\x36\x40\x6d\x6c\xc4\x34\x32\x85\xe2\x8b\x60\xbb\x61\x6e\x18\xdb\x75\xcf\x2a\xfa\x2f\x0b\xea\x17\x04\x3c\x5a\x96\xe5\xb5\xc5\x85\xc2\xc0\x5d\xfa\x36\x02\x0d\xc7\x2d\x91\x42\xea\xdc\x24\xa5\xdf\x60\x8b\x54\x42\x9a\x1c\x52\xea\xa2\x32\x9f\x48\x5a\x05\x43\xfe\xe9\x7d\xec\x4a\xc5\x26\x7f\xbb\xd4\x9f\x7e\x62\x9f\xf7\xf6\x7d\xe6\x95\xb2\x59\x46\x6a\x59\x36\x30\x65\x31\xad\xa8\x5f\x03\x3d\x97\x33\xc5\x7c\x05\xe6\x26\x98\xd0\x3a\xad\x30\xcc\xcd\xac\x5d\x88\xd6\x5f\x2f\x98\xed\xe1\x33\xca\xf4\x5f\xb4\x5a\x45\xb5\x78\x26\x57\xc6\xbd\x49\x2c\xbc\x49\xfb\x5a\x2a\xda\x61\x12\x7b\x13\x3b\xa9\x92\x1e\x34\x5d\x1f\x3d\x71\xec\xfa\x18\xf1\x6f\xca\x74\xa6\x42\x30\x60\x74\x10\xb6\x4d\xbe\x9d\x0d\xbc\xaa\xd8\x25\xe5\x27\xc3\x3c\xe3\xf2\x38\x88\x14\x10\x64\xf0\x2b\x4f\x49\xe0\x31\xd0\x85\x20\x9b\x92\x06\x44\x57\x64\x36\xd6\x34\x43\x3a\xb5\x41\x14\x77\xfa\x70\x61\x83\xc6\x78\xa1\x0b\x86\x58\x30\x6a\x02\xe2\x1a\xd2\xc9\x54\xd8\x86\x39\xc0\x08\x42\xad\x23\x7b\x40\xb9\xd1\xa1\x52\x04\xc4\x83\xe1\x1b\xc5\x65\xab\x27\x68\x5a\x52\x92\x06\x6e\xde\xe1\xba\x1a\x1e\x4d\xde\xa0\xf0\x53\xd5\xbb\x5b\xb9\x85\x7f\xda\x61\x57\x10\xaf\x84\x94\x5d\xee\x8f\x6c\x01\xa1\x66\x8a\x71\xf4\x30\x48\xb9\xad\x31\xfd\xbc\xc8\x28\xa8\x8c\xbf\x42\x2b\x5e\x9b\x33\xd1\x50\x53\x20\xf2\xd8\x00\xdc\xc0\xdb\xa3\x91\x75\xca\xab\xb1\x21\xf5\x02\xf6\x80\x43\x54\x03\x1f\x70\xbc\xb7\x39\xda\xf5\x57\x52\xfc\x8c\xdd\x81\x84\x83\x69\x8c\xa4\xc8\x4a\xfa\xc0\xe9\x73\x2b\xab\x16\xac\x45\x8c\xf0\xf6\x79\x2f\x35\x58\x41\x64\x89\xb7\x8a\x7c\x29\xea\xb5\xc3\xf8\x4c\xd0\x11\xe3\x13\x90\x56\x49\x6a\x94\x14\xe5\x38\xde\x66\x37\xff\xf9\x18\x9b\xde\xd6\x7f\x83\x2e\x92\x8e\x88\x95\x3d\xed\x13\x63\xde\x7c\xf5\xad\x41\x10\xb6\x80\x97\x9f\xd4\xba\xea\x25\x67\x0c\x25\xaf\x68\x59\xdb\xdf\x17\x0f\xb0\x3f\x77\xd8\x15\x2d\xf0\xc7\xa0\xf3\xe8\xf7\x1d\x76\x74\x07\xc3\x3f\xe0\x75\xf2\x3e\xe8\xac\x2a\xa4\xbc\xa1\x2e\xa0\x56\xc9\xf1\x03\x7e\x43\x29\x74\xcc\xf1\x85\x64\x50\x30\x64\x51\x1e\x12\x75\x3b\xb1\x3d\x49\x39\x25\x35\x4a\x92\xf9\x15\x45\xfa\xc2\xc7\x17\x28\x7d\xb8\x4e\x6d\x4f\x7d\x68\x2d\xfe\x7a\x0c\x5a\x4b\x9b\xdd\xe5\x6c\x6d\x45\x91\x5b\xb4\xf6\x27\x1c\xa6\xc7\xdd\xfd\x61\xc7\x7b\x87\xb3\x68\xd1\x84\xd2\x92\x0c\x81\x46\x49\x9e\x75\xd6\x7b\xc0\x82\x43\xaf\x3c\x56\xf5\x04\xdd\x98\xdc\x51\xec\x33\x35\xe6\x06\x7a\x06\x9f\x56\xe6\xf3\x8f\xd4\xbc\x37\xd5\xce\x75\xe1\x38\xac\xaa\x4a\x5f\x99\x2c\x51\xdd\x74\x35\xe4\x07\xc6\x5a\xc7\x7d\x4b\x99\x2c\xaf\xe6\x72\x55\x09\x1f\x8c\x52\x95\xa5\x28\x07\xdb\x61\x9e\xc8\x83\x78\x26\x17\x54\x9c\xf3\x3b\x83\x30\x3f\x99\xa4\x85\x4b\x13\x49\x3c\x21\xb9\xfa\xb1\xea\xb6\x07\x4a\x92\xdc\x3c\x20\xfd\xcf\xe7\xb1\xd3\x97\xd5\x2b\xe9\xbe\xf7\x79\xde\xdd\x65\x7f\x23\x38\x82\xe4\xc5\x3a\x5e\x35\xac\xb6\x76\xae\xcc\x42\x1a\xac\xe7\xfc\x28\x1f\x27\x3e\xb0\x97\x65\x49\x5c\x47\x0f\x1c\x50\x82\x4d\x94\x38\x18\x6f\x66\x3f\x34\xca\xfe\x8d\x65\x31\xea\x04\x5d\xb4\x3e\xfd\xc7\x51\xef\xef\x47\x2a\x6f\x71\xf0\x02\x05\x98\x86\xa8\xf9\x84\x13\xbe\xde\x4b\xc1\xbc\xa9\x22\xbc\x41\x83\xd0\x5b\x23\x8e\x96\xee\x01\x7b\xc4\x7a\x03\x2c\x52\xc6\x36\x2f\xb5\x65\x48\x3e\x3a\x52\x26\xa7\x98\x65\x6c\x7a\x82\xaf\xb5\xd3\x20\xee\x45\x41\xba\x36\xcb\x94\x3d\x31\x83\x33\x33\xd1\x4d\xa0\xdb\x02\x7e\x8f\x9f\x17\xfd\x3a\xda\x25\xba\x41\x98\x66\x98\xe6\x0d\x51\x2b\x46\xce\x65\x18\x63\x1a\x86\x88\x73\x2c\x11\x54\x10\x78\x0a\x7d\x03\xe3\x10\x6a\x22\xd5\x03\xb8\x08\xcc\xe8\x71\x68\x40\xe0\x64\xa2\x1b\xa4\x40\x61\x06\x3c\xda\x13\x3a\x64\x86\x69\xc3\xb5\x0a\x25\xa4\x8c\xa6\x5e\x8a\xe0\xf9\x11\xd6\xd4\x67\x47\x26\xf8\x5a\x90\x27\x9d\xb0\xb9\x36\x5b\x28\xb7\x72\x3b\xa2\xf4\x2b\x88\xe4\x94\x4a\x79\xa4\xe6\xf9\x24\xa0\x09\xc8\xab\xcd\x20\x0a\x52\xb2\xb5\xce\x41\x21\xd8\x7e\x4d\xaa\x14\xe7\x61\x8a\x01\x8f\xdd\x28\x68\x5a\xae\x92\x92\xf6\x7d\x0d\xab\x85\x2d\xd7\xd2\x65\x3a\xca\x2d\xda\x62\x8d\xcb\x89\x33\x32\xe0\x89\x9f\x93\xaa\x14\x7b\x06\x1b\xeb\x04\x17\xc1\xff\xea\x3e\x91\x9c\x3f\xd6\x41\x9f\xb3\x83\x9d\xe0\xe2\x29\x11\xb7\xf3\x8d\xea\x27\x9e\xc9\xae\xea\x04\x17\x97\xd0\xda\x2b\xcf\xfd\x95\x4f\xf5\xd8\xbe\x24\x16\x67\xd7\xdd\xc8\x54\xe4\x5e\xca\xee\x61\x77\x3f\x8a\xcd\x64\x4f\x62\xfb\xf2\x30\x8f\x84\xdd\xc9\x4f\x66\x07\x9e\x89\x6b\xd7\xbe\x7e\x81\x7d\x47\xe1\x84\xc1\x4e\x69\xb2\xe0\x51\x1d\x86\x5b\x92\x24\x62\x4f\x95\x0a\x8c\x0e\x2d\xb7\xeb\xc4\xd9\x13\xc4\x45\x42\x07\x3a\x8d\x76\x5f\xf7\x4a\x6b\xbf\x69\xb1\x91\x38\xc9\xdd\x47\xb9\x27\x9f\xcc\x0e\x10\x8f\xbb\x5d\xbf\x27\xb2\xd1\x67\xa6\x62\xdd\xbe\xf8\x0a\xf6\xa4\xa2\x23\x8d\xa9\xf1\x98\xf4\x66\x8f\xed\x0b\xa2\xe8\x31\x9f\x6a\x4f\x67\x07\x3a\xc1\x45\x18\x9f\x27\xba\xfb\x5b\x49\xaf\x11\xa1\xc5\x8f\x7c\x50\xdf\xcd\xc6\xd4\x11\xdc\x7d\xea\x16\xa7\x99\x27\x12\xb2\xb0\x75\xf1\x4b\xfb\x87\xfa\x32\x3e\xb3\xdf\xfb\xc4\xfe\xea\x7b\xf6\x76\x02\x9f\xbb\x1c\xbb\x49\x12\x53\x74\xb2\xb5\x85\xcc\x0c\xd9\x42\x2e\xa7\xa0\xc5\xcf\xee\x50\xd2\x96\x1a\x82\x05\x51\x68\x96\x6a\x87\x54\xad\xa0\xa7\x92\x75\xac\xdb\x78\x96\xa7\xbd\x66\x3e\x49\x9f\x9f\xe4\xbe\xef\x4f\xe0\x8e\x91\x89\x5c\x6d\x83\x2b\x00\xbd\x9a\x0a\x1d\xa5\xad\xf4\x2d\x79\x74\x85\xde\xd0\x91\x91\x20\xcd\x4b\x8c\xe5\x14\xd8\x74\x22\x68\x6e\x60\x79\xb8\x6d\x16\x9c\x99\xea\xe3\x85\x12\x00\x05\x54\xeb\x0c\xaa\x87\x21\x78\x8a\x9a\x89\x63\x3d\xf8\x52\x31\x35\xd4\x5b\x3e\x9b\x99\xe0\x6b\x9d\xa0\x6b\x6f\xf1\x34\xc0\x84\xa2\x83\x3b\x5c\x58\x30\x61\x85\x69\x81\xf0\x8a\x44\xf1\x80\x5f\x21\x77\xf7\x8b\xf2\x98\x8f\x45\x29\xec\x0d\xca\x62\x03\xbd\xb1\xe3\x73\x20\x2c\x07\x3d\x57\x53\xb3\xf6\xa4\x5e\x0c\x0e\x34\xf4\x86\x74\x82\x2e\xcf\x83\x36\x8d\x59\xd5\x0c\xa4\x70\x2d\x68\xa2\x05\x36\x0b\xa3\x89\x36\x15\x66\x86\x8e\x61\x7b\x51\x13\x90\xbd\x63\x67\xcb\xfc\x56\x8d\x1d\x20\xb5\xc1\xfd\x95\x1a\x5b\xba\xdc\x92\xc2\xfb\x6b\xa7\x55\xf0\x1e\x06\x5a\x45\xc1\x91\x07\x76\xc2\x58\xf3\x8b\xe2\x90\xa3\xd6\xa4\xe3\xdf\x88\x3b\x46\x91\xbf\x12\x99\x2b\x98\xc6\xf0\x4c\x6f\xf1\x09\x18\x2f\x99\xbc\xaf\xfe\xe0\x63\xaa\x91\xd8\x95\x2a\xad\x43\x4f\x46\x95\x91\x5e\xd8\x28\x2f\x4c\x83\x1b\x2b\x16\x9b\x22\x9d\x18\x5a\x1e\xe4\x10\x80\xfa\x10\xc6\x5b\xa9\x0f\x1f\x1e\xdd\xd2\x9f\xfb\x86\x51\xef\x2f\x46\x86\xdf\xaf\x92\x70\x7a\xad\x0d\x9b\xf9\x72\xb2\x83\x26\x89\x64\x65\xaa\x5d\x50\x1e\x4c\xaf\x40\x61\xe0\xc9\xd9\x4c\x46\x98\x4e\xd0\x55\xe8\x32\x79\xd0\x46\x3b\x4b\xb5\x54\x84\x35\x02\x8b\x42\xbe\xe7\x55\xd7\xc2\x33\x24\x2c\xe5\xc5\x78\x9d\xa0\xeb\xf9\x7c\x2e\xca\x12\x83\x44\xda\x44\xab\xd6\x98\x6f\x41\x8e\x31\x5e\x83\x32\x03\xe6\x7f\x8b\x8e\x6e\x2a\xfe\x60\x23\x8c\x5a\x1c\x05\x9b\x9c\x08\xe3\x71\xc2\x63\x91\xa9\x19\xa5\x8d\xb9\x13\x84\x75\xd5\xd5\x1b\xb6\xf1\x6d\xf8\x10\x45\x59\x34\x44\x11\x8f\x90\xa4\x4a\x00\x58\x53\x7a\xd2\x22\x54\x4a\x32\xab\x54\x34\x65\x62\xb6\xb7\xd2\xcc\x71\x67\x90\xc2\x72\x2b\x53\xdf\xab\x1c\x76\x0d\xa9\x21\x86\x5a\xd1\x79\xe0\x51\xdf\xde\xcd\xa3\xe9\x2b\x18\xeb\x3e\x6e\x1f\xff\xc2\x08\x7b\xba\x35\xa5\x44\xa7\x21\x5a\x2d\xd1\xaa\x2b\xbb\xa4\xfb\xf1\x11\xef\x03\x23\x5b\x3f\x63\x04\xa8\x92\xb7\x41\x7b\x94\xe5\xc9\x8b\x1e\x37\xcd\xd1\xc4\xdf\x47\xe8\x0a\x93\xb8\xca\x56\xfb\x5d\x71\x5a\x8a\x23\xa9\x09\x14\xb8\x0b\x28\xc3\x61\xb1\xa9\xf9\xa9\xac\xdc\x44\x62\x48\x31\x22\x86\x32\x92\x0a\x39\xc4\x04\x8d\xaf\x2b\xa0\x5e\x3b\x1f\xc6\xad\x49\x5e\x04\xdc\xa2\xea\x41\xa6\x15\x98\x4f\x2a\xcf\xb7\x65\xbb\x9f\x7d\x5b\x0a\xa8\x1d\xa7\xde\x43\x4e\x87\x3a\x1d\x4d\xed\x3a\x35\x04\x04\x1a\xa3\x93\x49\x9b\xa4\x71\x49\xc3\x5d\xca\x15\x20\x41\x1d\x66\x1c\xcd\x4e\xc5\x6a\x19\xef\x75\x01\x45\xaa\x54\xed\x49\x5d\xe7\x09\xdb\x66\x14\xb2\x51\x11\xf7\x3a\x6e\x60\xce\xfd\x55\xb6\x7c\xf9\x37\x22\x96\xb1\x2b\x95\x25\x66\x21\x69\x5e\x76\x9d\xfc\x44\x51\x76\x4f\xb3\x64\xb2\x07\xaf\x61\xfb\xd1\x80\xe5\x7e\xf8\x1a\xef\x7d\xd7\xe0\xdf\x34\xdd\xce\x76\x45\x3c\xb7\xb4\xc8\x2f\xcc\x70\xba\x8e\xab\xdd\x57\xcc\x1b\x74\x99\x2c\x08\xc8\x1b\x50\x0e\xb2\x33\x1f\xd1\x73\x61\x96\xb1\x3a\x6f\x64\x49\x8c\x23\x15\xb6\x66\xe5\xfe\x99\x25\x5a\xad\x5a\x5c\x50\x44\x08\xfc\xc8\x51\xde\xdc\x08\xd2\xa0\x09\x79\xa9\x1b\xe2\xa2\x0a\x10\xae\xf3\x5e\x1a\xce\xca\x8a\x9e\x5b\x5e\x84\xf4\x98\x20\xa5\x80\x97\x5b\x93\x28\x88\xdb\x3c\x16\xf9\xe1\x5e\x1a\xf9\x4b\xf2\x06\xc1\xc7\xc8\x67\xeb\x5c\x74\x82\x30\x9a\xc5\x35\x15\x84\x91\x95\x64\x53\x55\x8a\x7c\x08\x8b\xa1\xbc\x0c\x5e\x07\x94\xc4\x38\xe8\x88\x59\x64\xf0\x0e\x5b\xe5\xc0\x71\x10\xa1\x31\x5f\x84\xc8\x6f\x91\x23\x1e\x65\x8c\xe8\x58\x99\xc9\xb0\x0b\xac\x97\x53\x33\x47\x27\x79\x46\x08\xae\x33\xfe\x34\xbf\x7b\xf9\xe4\xbc\xbc\x7a\x8f\xcf\xeb\x3c\xec\x5e\x38\x3a\x8b\x28\x91\x17\x8e\x02\x54\x64\x75\x4d\xb1\x92\x8b\x4b\xf8\xca\x71\xf5\xca\xf1\x9d\xbd\xd2\x0c\x5b\xa9\x6c\x0e\xa4\xdf\x6c\xf9\x38\x3c\x51\xe7\x9d\xa0\x29\x9f\x3f\x3d\x37\xbf\x5d\x17\xe2\x6b\xf2\xc1\x3a\xef\xf5\x60\xc4\x63\x7e\xee\x9c\x72\xac\xc2\x2a\xcf\x78\xaf\xdb\x45\x92\x50\xb3\x7b\x30\x24\xb3\x2d\x2e\xf2\xf1\x9b\xc3\x89\x97\xdc\x3d\x55\xbf\x21\xa8\xaf\xdf\xf3\x8a\xeb\xef\xaf\xdf\xac\x7f\x1c\xdd\xd9\x8f\xe9\x23\xf7\x3f\x93\x6a\x30\xa3\xab\x30\x73\x19\xeb\x30\xa3\x7f\xcd\xec\xa4\x12\x47\x75\x25\x8e\x5e\xc6\x4a\x1c\xb5\x2b\x71\xfd\x0d\x41\xe3\x9e\xea\x7a\x19\x55\x39\xa6\xab\x72\xec\x32\x56\xe5\xd8\xc3\xad\x4a\x98\x35\x62\x9c\xb6\x2b\xb7\x9c\x99\x9e\x92\x8a\x0c\xfc\x35\xa3\x22\x63\x68\xf9\xc3\xf9\xc7\x9b\x9a\x39\x32\x7d\xdd\xb1\xe9\xa9\xa3\x33\x1e\xf0\x7d\xdf\x70\xdd\xf5\x75\x7d\x6d\xda\xa3\xf2\xa6\xa7\xcc\x12\xb7\x2b\x87\xde\x99\x29\xde\xa9\xfe\xf6\xe0\xb7\x9a\xa9\x68\x85\x79\x33\x48\x41\xa0\xe1\x2f\x2e\x7f\xaa\xf7\x2b\x7b\xf0\x25\xe3\x37\xcf\xc2\x88\x41\x1f\x8c\xdf\x3c\x8b\x7f\xcf\xdc\x3f\x71\xf3\x7d\xc7\xee\x9e\xae\x1f\xbb\x87\x6e\x1e\xbd\xff\xbe\xe3\xe3\x37\xcf\x4e\x4d\x4f\xdf\x07\xdd\x8a\xd7\x27\xf4\xab\xf7\xcd\xdc\x7d\xf4\x3a\xf5\xf0\xcc\xfd\xf7\xcd\xc8\x87\xef\x9e\xaa\x1f\xbb\xe7\xbe\xbb\x8f\x5f\x6f\x3f\x3d\x7d\xff\x7d\xe3\x37\xcf\x1e\x99\x9e\x99\xbe\x6f\xfa\xfa\xa9\xa9\xfb\x66\x8e\xbd\xb8\x25\x3f\xf9\xe2\x96\xbc\x37\xf1\xcc\xc2\xc5\x11\x43\x04\x5a\x5b\xb6\xa4\x90\xc3\x9d\xf0\x22\x06\x3e\xd7\x79\x96\xc9\xf1\xe2\xe7\xfc\x15\x9f\x03\x18\x48\x84\x68\x91\x61\xde\x57\xcd\x2e\xb6\x03\xa3\xd5\xf0\xbd\xbb\xeb\xfc\x9e\x9b\x5f\xdc\x7a\xc5\x11\xfd\xd7\x51\x98\x05\x1b\xe2\x62\x33\x89\x92\x14\xc6\x60\x43\x5c\x0c\x5a\xa2\x19\x76\x82\x88\xc3\x55\xde\x4c\x5a\x74\x02\xf6\xae\x3d\x09\xff\xcd\x56\x7f\xe4\xda\x9b\xc7\x69\x82\xcd\xd5\x4f\xca\x3e\xbd\xcf\xfc\x79\x5c\x36\xb4\xce\xd3\x76\xa3\xf8\xd8\xf2\xad\xb7\x0c\x7c\x24\x6d\x37\xe8\x6b\x69\xbb\x31\x7e\xe4\xd8\xb1\x49\xfa\xdf\x0d\x72\xd4\x1b\xfd\x5c\xcc\xf2\x46\x90\x89\xe3\x47\x35\x60\x76\x23\x8c\x83\xb4\x8f\xa0\x62\x75\xae\x70\x58\x67\xa1\x47\x81\xeb\x3e\x59\x2f\x36\x32\xb9\x29\xca\x3e\x04\x40\x14\x6b\x8e\x1d\x99\x9a\x3a\x5e\x9f\x9a\xae\x4f\x1d\xf1\x4a\x9b\x86\x54\x6d\xea\xf0\x42\x18\xcb\x1d\x64\x66\x66\xe6\x06\x59\x14\xf1\x90\x40\x71\x8a\x93\xc4\x2e\xf2\x08\x8f\x33\xaf\x52\x4e\x83\x26\x09\x82\x7a\x41\xd3\x99\xa4\xe0\x4a\x0a\x72\xb0\x20\x21\xc6\x8b\x3c\xd1\x14\x85\x93\x6e\x80\xad\x90\x25\xe8\x96\x20\xe3\xbd\xdd\x9c\xe9\xa3\xf5\xe9\x23\xf5\xe9\x63\xab\xd3\x37\xcc\xce\x4c\xcd\x1e\x99\xf2\xa7\xa6\xa6\xee\x2a\x37\x4e\xbe\x5e\x47\x62\x7b\xdd\x38\xcb\x2e\xf0\x6f\xd9\x58\xdc\x8b\xc0\xa3\x5f\x32\xbb\xf6\xd8\xbe\x20\xee\x3f\xe6\x66\xc6\x7b\xd8\x01\x0a\x9a\x72\x1f\x0d\xed\xd0\x32\x37\x93\x39\xd3\x6e\xf7\x33\xd8\x58\x27\x8c\xb7\x70\x19\x3c\x9d\x1d\xa0\x00\xe5\x6a\x43\xe8\x6b\x47\x4a\x27\xfe\x30\xce\xeb\x49\x5a\xc7\x1e\x77\xff\xac\xe6\xfd\x5e\x6d\xf8\x7d\x8b\xbf\x5d\x05\x43\xe8\xc3\x8b\x4a\x03\xc0\x24\xdd\x36\x26\xd9\x06\x5a\x9f\x5c\xa4\xcc\x3b\xb0\x40\x62\x0c\x3c\x85\xa0\x28\xe7\x98\x15\xc9\x0f\x26\xd4\x8c\xce\xcf\x90\x9e\xd7\x3f\xbb\xce\x11\x5c\xa3\x13\xe6\xf2\xb0\x11\xae\x1b\xf2\x80\xc0\xc9\x73\x4b\x31\xa5\xe3\x2a\x99\x43\xa1\x08\xb0\xb4\x61\x98\xfa\x2c\xd7\x9e\x96\xe2\x12\xcd\xbd\x23\x13\x1c\x0c\xd9\xf4\x78\xf1\x6a\xe5\xcb\x03\xaf\xc3\x15\xdf\xf7\xf9\xbd\x22\x4d\x14\x5f\x95\x35\x94\xef\x1e\x61\xcf\xdc\xc9\xf1\xc8\xfd\x8b\x9a\xf7\x95\xda\x8e\x0e\x52\x59\x9e\x74\xb3\x72\x1c\x72\x4b\x34\x13\x00\x21\xca\x72\x41\xa1\xd9\xdd\xb4\x07\xf1\x9e\xf4\x1a\x06\x2a\x29\xe4\xe7\xe2\x1c\x45\x41\xba\x0a\xb9\x48\x8a\x18\xf4\xb9\xa2\x71\x37\x58\x5f\x07\xb8\x66\x2a\x25\x95\xdb\x41\x06\x10\x73\x04\xad\xb3\x19\x22\x6b\x94\x0a\x65\x8a\xa5\x0c\x89\xf4\xd7\x0b\x07\x61\xb8\x0e\x26\x91\x22\x6f\x41\x4e\xb0\x24\xe5\x55\x6e\x0c\x93\xb8\xbf\xa8\xa3\x55\x31\xf0\x5f\x6a\x63\x09\x64\xad\x9a\x26\x3e\x1f\x33\x40\xe0\xe4\x98\xa4\x8d\xb0\xd5\x12\xb1\x7d\x20\xbc\x8f\x5d\x61\xac\xec\xc7\xda\xc8\xf0\x7a\x87\x5d\xa9\xfc\xb4\xcd\x50\x64\xee\xbd\x0f\x38\x11\x7b\x19\xdb\x78\x54\xbd\x37\x98\x8c\x0d\x8e\x49\xb3\x32\xcf\x64\x57\x75\xc2\x78\x3b\x07\xe3\x77\x31\xa6\x6c\xee\x67\xd7\xab\x05\xcf\xd3\xd8\x15\xbd\x38\x7c\x79\x4f\xa0\xf0\xb2\xc5\xda\x4f\x5c\xc9\x66\x1f\x19\xb7\x28\xc0\x7e\xfe\xd5\x15\xde\x4b\xb7\xb8\x5f\x86\x00\xa5\xc4\x8d\xf5\x5e\xdc\xc4\xd9\x65\xe0\x3c\x0d\x29\xc6\xbf\xe4\x5c\x0d\x7f\xad\x06\x69\x5b\xe4\xcb\x62\xfd\x92\x73\x45\x27\xb8\x48\x8c\x2a\x76\x8e\xdf\xd7\x18\xfb\x31\x87\x99\xb7\xdd\xf7\x38\x2a\x00\xfc\xd5\x8e\x71\x5d\x45\x61\x81\xf6\xcd\xa3\xb0\x13\xe6\x3a\x98\xbe\x08\x11\x4f\xd5\xd3\x80\xe2\x24\xd7\x2a\x04\x7b\x14\x04\xa8\x72\xc2\xc3\x9f\xbc\xd7\x05\x2b\x4f\x01\xa1\x1c\x69\xc8\x8b\x4e\x18\xab\xcf\xda\xb1\xea\x0f\x8e\xb2\x03\x1d\x91\xa7\x61\x33\x73\x1f\x18\xf5\xbe\x3c\x42\x3f\x6c\xf8\x68\x2b\x74\x1a\xb3\xe8\xa8\x2e\x04\x18\x95\xf0\x66\x10\x35\x21\x54\xc0\xea\x66\xaa\x3d\xc6\xb8\x43\x84\x01\x27\x57\x5d\xe9\x16\xe1\x6a\x41\xa4\x00\xd5\xc0\x24\x20\x99\xf0\x31\xa3\xaa\xba\x5c\x58\xf6\xf4\xf9\x96\x72\x00\x69\xeb\x32\x28\x31\xbc\x21\xf2\x4d\x41\x89\x1a\x39\x8c\x23\xed\x5d\x1a\xad\x59\x21\x5e\xc2\x55\x52\xdf\x07\xd3\x86\xba\x49\x2b\xf3\x39\x3f\x91\xb6\x93\x49\x5d\x55\x30\x43\x83\xc1\xad\x25\x9a\x29\xf0\x3a\x90\x25\xbb\x0b\x58\x58\x54\xc9\x30\xc6\x9b\x84\x2b\x77\x21\x6c\x0a\x48\xb6\x0d\x7c\xce\x57\x84\x50\xa6\xef\xf0\x42\xd8\x82\xe0\x0e\x28\x9d\xab\x44\xe8\x7e\x97\x12\x18\x3b\x2a\x21\xd9\x8e\x71\xdf\x48\x36\x31\x72\x43\xb9\xd5\xe8\x7d\xa8\x17\xb1\xf6\x59\x16\xde\x2d\x33\x2a\x2a\xd7\xe1\x69\x28\x51\x2e\x2b\xf6\x57\x35\x76\x85\x31\xab\xdc\xaf\xd6\xd4\x24\xff\xf5\x9a\x71\x5d\x07\x31\x27\x9b\x97\x67\x92\xb7\x92\xcd\xd8\xe7\x72\x9e\xb7\x0c\x17\xd3\x34\x62\xe6\xf2\xd2\x97\x6d\xcb\xe2\x94\xb2\x1e\x06\x51\x77\x23\xb0\xbc\x33\xfc\xb6\xa5\xb9\x15\x58\xe2\xc9\x5d\x72\xcf\x96\x0a\x0d\x84\xe3\x13\x71\x62\xce\x23\x11\x80\x2f\x4c\x90\xb5\x55\xee\x2a\xca\xe2\xa6\x7a\x3a\xcc\x34\x3c\x95\xdc\x69\x40\x8d\x56\xce\x23\x82\x0b\xcb\x00\x90\x05\xbc\xaf\x66\x99\x54\x40\x61\x0a\x36\x40\x99\x8c\xd5\xfa\x1f\x6b\xac\x24\x89\xdc\xbf\xde\x0a\x08\xbd\x6a\x0c\xe7\xe5\x42\x23\xab\x28\x36\xa5\xa0\xc0\xf9\x90\x63\x97\xae\x20\x18\x55\x4a\x16\xae\x9b\x22\x37\x3f\xc1\x41\xd1\x50\xf2\xca\xed\x48\x33\xdf\x94\x14\x6a\xa9\x14\xe9\x43\xcd\x24\x8a\x88\x11\x35\xc8\xf8\xa6\x88\x22\x8e\x33\x00\x63\x9b\x22\x0d\xfe\x95\x17\xc4\x5e\xb8\x96\x7c\xf6\x3f\xed\x88\xd8\xaa\x76\x6a\xa3\xb8\x9c\xb1\x68\x9e\xff\xe9\x31\xef\xfb\x9c\xc1\xeb\x3a\x03\xa9\x20\x24\x87\xa9\x06\xbe\x4e\x1a\x19\xda\x45\x10\xed\xa4\xd0\xc6\x94\x35\x73\xdc\x02\xe8\xdc\x08\xf3\xac\xde\x15\x69\x3d\x13\xcd\x24\x26\x77\x37\x5f\x8c\xdb\x60\x3e\xc3\x57\x26\xfc\x4b\xce\x7e\xec\xd0\x4b\x0e\xc3\xaf\x9c\x81\x5c\x93\x2b\xf0\xea\x1d\x72\x2e\x58\x5b\xcb\xdf\xef\x67\x7f\x50\x63\x63\x99\x90\xdd\x96\xa4\xee\x6f\xd6\xd8\xf3\x1e\x09\x2e\x40\xd0\x10\xd1\x0a\x15\xe2\xbd\xbe\xa6\xca\x2b\xa2\x82\xa5\x32\x50\x57\xc7\x5c\x60\x08\xc2\xc4\x78\x05\x23\x60\xb4\x1f\xf9\x78\x75\x11\x6a\x69\x63\xea\x08\xf5\x5d\xc1\xaf\x8e\x28\x95\x14\x17\x19\xa0\xe7\xb0\xc8\xbd\xd6\x94\x24\x6a\x0a\xe9\x39\x83\xca\xac\x96\x7d\x3a\xe9\x43\x3f\xd0\x4c\xba\x72\x68\xe0\x4b\xbd\x18\xbe\xf5\x32\x29\xf6\x8a\x52\x64\xdf\x0e\x70\x5a\xb5\x03\x50\x14\xa9\x18\x9f\x7d\x8f\xc3\x68\x4c\xdc\x0b\x97\x71\x59\x3d\x8b\x16\x4e\xa8\x75\x10\xd0\x48\x2c\x2f\x8f\x72\x9c\xbf\xc1\x61\xe6\x04\x70\xef\x7f\x18\xd8\x0f\xbe\x5a\x99\xfe\x0b\x7a\x01\xc4\x74\x78\xcf\x35\xca\xd2\x59\x8b\xe6\xf6\xa7\x9c\xac\x38\x54\xe3\x10\x16\xf2\x72\x7a\x7b\xc2\x67\x0f\x3a\xec\xca\xe0\x82\x48\x83\xb6\xc0\xfa\xfc\x9f\xce\xee\x2a\xb4\x6e\x96\xb6\x55\x8d\xe8\xb9\x52\x05\x0d\x3d\x21\x15\x91\xb8\x10\xc4\x94\x21\x5b\xaa\x39\x3b\xc5\x8c\x45\xe5\x3e\xd7\x9b\x36\xa6\x41\x45\xa4\xbf\x92\xe0\x31\x07\x1f\x42\x19\x0d\xe8\xcd\x07\xd9\x84\x31\x01\x2a\x74\x6a\x5a\xdd\x00\x73\xf3\x47\x63\xde\x21\xe3\x37\x06\x0f\x90\xb8\xa3\xdc\x33\xba\x5d\x8d\x72\xf3\xf3\x07\xd8\xe7\x4c\x38\xf6\xcf\x3c\x9c\x3e\xaf\x00\x00\xf9\x97\x01\xc6\xbe\x07\xdc\xb3\x4b\xe0\x9e\x48\x45\xa8\x36\xbd\x7f\x57\x09\xdc\xa3\x26\x95\xa9\xe4\x5d\xc7\x8e\xb1\x99\xa1\x92\x6c\xf8\x44\xde\x03\xef\xd9\x0d\x4d\xc6\xda\xf6\xc0\x3a\x37\xb9\x37\x6a\x60\x9d\x62\x18\x34\xbc\x8e\x21\x3f\x6c\x6c\x1d\x18\x25\xc6\xfe\x74\x94\xfd\x7b\x7b\x4b\x52\x2c\x4a\x52\x76\x5d\x98\xf6\xcf\x65\x22\x5d\x8c\xd7\x13\xf7\x93\xa3\xde\x5d\xea\x07\x25\xc8\xe6\x1b\x55\x07\x08\x38\x8c\x66\x22\x05\xd2\x37\x8a\x1f\x53\x20\xbb\xfa\xa6\x0f\xc5\xc0\x92\x59\x0f\xca\xfc\x06\x9f\x1f\x61\x31\xdb\x27\x2e\xe6\x69\xe0\x0a\xef\x86\xb9\xb8\x3f\x0c\x2b\xba\x0c\x63\x61\xd4\x3f\x49\xfd\x07\x9c\xef\x64\x5b\x44\x6a\x9a\x36\x8a\x17\xb0\xfd\xd0\x89\x99\x7b\xab\xf7\xec\x55\x92\xea\x10\x8f\x86\x97\x71\x66\x41\xb3\x60\xfa\x76\x91\x48\x74\xab\x50\x97\x8f\x3a\x6c\xa4\x17\xb6\xdc\x0f\x39\xde\xbb\x9d\x39\x8e\x96\x0b\x9a\xf0\x98\x18\xa9\xb0\xe1\xcd\xd2\x69\x67\xd2\x79\xf4\xd6\x77\x21\x91\x5d\x1d\x26\x62\x8c\xb7\x87\x7b\x8a\x10\x48\x27\x8c\xc9\x4a\xb6\x5a\xc4\x1a\xd0\x47\x8d\x05\xe2\x1f\x8a\xac\xbe\x73\x8b\x0b\x76\x08\xdd\x8b\xd9\x98\x2c\x0c\xf2\xd9\x96\xbc\x79\xd5\x0b\x44\x2b\x08\xd5\x8f\xfa\x43\x6a\xdd\x81\xe3\x88\xd4\xbd\xf1\x84\x82\x54\x4b\x66\xe9\xdf\xcb\x2a\x33\xce\xcf\x24\x2d\xa1\xa8\xd7\xdd\xaf\x1c\xf4\x6e\x3c\x03\xa9\xbe\x8a\xc1\x1e\x3a\x1b\x86\x40\x8e\x45\x6c\xdd\x33\xf9\xf2\x7b\x91\x28\x25\x9c\xbf\xfd\x20\xfb\xd2\x3e\x76\x58\xb3\xc3\x97\xa9\xf2\x17\x31\x0c\x01\x2f\x9f\xb8\x28\x9a\x3d\x88\xdd\x7e\x60\x9f\xf7\xa5\xd1\xd5\x82\x8d\x5f\xc1\x4f\x76\x75\xea\xaf\xba\x41\xe0\x2e\x89\xca\x9a\x94\xbd\x94\x05\x79\x98\xad\xd3\x5c\xac\x60\xe1\x37\xac\x8e\x2a\x4f\x1f\x4c\x9f\x68\xed\x0c\x73\x02\x2b\x06\x4e\x05\x33\x33\x11\x49\x21\xe5\x84\x8c\x85\xb2\x04\x6b\x04\xf3\xa2\x78\x83\xb1\x41\x41\x94\xda\x14\xf9\x4a\xd4\xcb\x62\x74\x98\x1d\x70\x3d\x2a\x6a\xfd\x64\x9d\x23\xaf\x7f\x46\x81\x15\x70\x24\x09\x9a\x1b\x46\xb1\x1d\x01\xe1\xb3\x51\xa4\xaa\x60\x8e\x04\xc6\x95\x11\x61\xa0\x16\xe1\x9a\xfa\x4b\xc5\x9d\x95\x87\xa3\xb2\xbb\x10\xdf\x7f\x62\x52\x61\x1c\xc9\x7d\xa3\xd7\x91\x5d\x17\xe6\x90\x9f\x04\xdb\x45\x9a\xf4\xda\xd8\x12\x2b\x8e\xb4\xc8\x80\x0a\x08\x6c\x3e\x6e\x73\x0f\x1b\xe7\xe9\xfc\xf0\x5e\x47\x1d\xe7\xa1\x7d\x84\x83\x8a\x3b\x46\x92\x92\xbd\x03\x31\x21\xf3\xe6\xc6\x89\xa2\x6e\x37\xea\x97\xc6\x81\x10\x80\x3a\x73\x23\x6c\x6f\xa8\xbe\x54\x59\xf4\xf6\x18\x58\x32\xe3\x39\x6c\x96\x5d\xbf\x3d\x01\x90\x7a\xb7\xe8\xaf\x55\x91\x76\xd8\xc7\x47\x98\x3f\xac\x43\x87\xcc\xef\x6f\xd7\x58\x7d\x47\x18\xf2\xfa\x68\xf7\x6b\x8a\xaf\x5d\x8f\x90\x35\xc6\x43\x66\xb4\xf6\x05\x74\x44\xce\xe5\xca\x28\x46\x5a\xca\xb6\x49\x6d\xd6\xd2\x54\x0a\x8d\x62\xcd\xc9\xb3\xae\x91\x64\xaf\x81\x4e\x1e\x5e\x0d\x9a\x60\x41\x43\xa3\x8d\xaa\x45\xd2\x11\x84\x9d\x40\x19\x92\xb2\x0a\x42\xf5\x8e\xe2\x7f\xe8\x21\x2c\x80\x0a\x45\x27\x88\x74\x03\xa1\x40\x2e\xc1\xa0\x0f\xd5\x26\x26\x17\x21\xf7\x73\xb4\x37\x00\x4e\x8b\x6e\x1f\x68\x23\x52\xe3\x80\x96\xb0\xd7\x1e\x64\xcf\x34\x7a\x9c\xb0\x7f\xe1\x08\x68\x6b\xff\x5f\xda\xa5\xf6\xff\xb3\x07\xf6\x54\xe5\xdd\xaa\xca\x6d\xa5\x2a\xbf\xe4\x61\xa8\xca\x47\xd8\x14\xf3\x87\x2e\xb1\xca\x01\xdf\xd3\x92\x77\x01\x71\xf9\xaf\xef\x8c\xfb\x90\xd3\xd8\x5e\xf1\xbf\xd9\xbd\x49\x2b\xfe\xc6\xa4\x2a\xb1\xe3\x0d\xd5\xff\x19\xfb\x45\x9b\xa4\x5f\x43\x00\x29\x00\x9f\xc5\x4e\xd0\x16\xee\xa5\x9a\xf7\xd4\x05\x95\x67\x14\x14\xf0\x3e\x3c\x94\xb7\x2f\x39\xfb\x40\x51\xb6\x11\x6d\x1c\xf6\x01\x87\xe1\x0d\xf7\x5d\x8e\xf7\x8a\x33\xa0\x4b\x37\xfa\xda\x28\x0f\x74\xa1\x40\xdf\x92\x21\xb0\xa2\x8f\x60\x28\x77\x7b\xb2\x36\xed\x66\x2a\xbb\x73\xa3\xdf\x15\xa9\xec\x83\xd9\x0b\xd3\xfe\x94\x7f\x9d\x37\xc9\xbd\x56\xd2\x3c\x2f\xd2\x8d\x5e\x43\x3e\xd0\x4e\x92\x76\x24\x5e\x5a\x20\x0e\x0d\xbe\x72\xcf\x16\xfa\xf9\x1c\x3b\x98\x85\xf7\x8a\x5b\xfa\xb9\xc8\xdc\xa3\x0a\x38\xf3\x19\xa0\xfb\x85\xf7\x6a\xf5\x8a\x2a\x1a\x43\xf4\x4e\xc9\xed\xf5\x73\xfb\x2d\x44\x6c\xd5\x85\xb7\x86\xf9\xb2\xe8\x26\x98\xac\x4f\x46\xe3\xb7\xee\xf7\xfe\xae\xb6\x5c\xe0\x51\x14\xf8\x33\xa4\xa8\x95\x72\xc6\x73\x02\x83\x54\xea\x4c\xc0\xdb\x21\xac\xeb\x24\x0b\xf3\x24\xed\xfb\xfc\x56\xfa\x4d\x05\x65\x1a\xbd\x87\x90\x37\x92\x4d\xd9\x27\x1b\x61\x97\x77\x82\x38\x68\xc3\x66\x59\xf1\x96\x7a\x7c\xe5\xc4\xa9\x30\xee\x5d\xe4\xa9\x00\x63\xac\x9c\x4b\x8c\x2d\x9c\x58\x5a\x3e\x31\x3f\xb7\x7a\x62\x61\x96\x53\xab\xf0\x1c\xd2\x4d\x45\x93\x92\xb4\x92\x02\xd5\xc4\x9a\x20\x44\x33\xa6\xaa\x3d\xc9\x3b\xe8\xa2\x8b\xf9\x89\x4e\x37\xef\x2f\x84\x29\xe6\xb4\x83\x4d\x3b\xcc\xf5\xbc\xc3\x1e\x69\x46\x89\xda\x9b\xa0\xba\x98\xbe\xd2\x0e\x73\xe2\xb3\xc7\xc2\xe4\x6d\xbb\xb4\x1c\x51\xe7\x0e\x65\x45\x4d\xfc\x4b\x0e\x2b\x3a\xce\x9a\xaa\xff\x58\x63\xdf\x5f\x63\x07\x5b\x61\x0a\xba\x4e\xdf\xfd\xb6\xe3\xfd\x85\x83\x8e\x0b\xae\xaf\xc2\x31\xc8\xe7\xa7\x55\x82\x98\x42\x1e\x45\xe2\xa0\x94\x92\x98\x0e\xf9\xfe\x21\x9f\x4b\x55\xe5\x90\x7f\x48\xe5\x65\x44\xa1\x62\x6e\xa3\xe1\x2e\x0a\x55\x56\x64\x34\x74\xdb\x63\x8b\x5c\xb7\x9b\x21\x70\x32\xad\x17\x1a\x8e\x55\x14\x14\xa0\xea\x32\x58\x8a\x8e\x6b\xe8\x35\xcc\x8f\x2a\xa5\x1f\x51\x99\x64\xc3\xcc\x45\x31\xc1\x8c\xae\x72\x9f\xe6\x5d\xbd\x5c\x94\x77\x6e\xf9\x94\xf9\xe8\xf3\xd8\x58\x2a\x70\xdc\xdd\xa3\xde\xa1\xf9\xa4\xd3\x09\x01\x12\x70\x43\xdb\xef\x0b\xcd\x4c\x3d\x69\x7d\xec\x17\xc6\x2c\x74\x5f\x45\x7b\xd2\x2f\x62\xd1\x69\x6b\x5a\x89\xc2\xa6\x00\xad\xe8\x0d\x63\xde\xf1\x81\xab\x26\xce\x4b\x81\x02\xae\xf7\xb5\x4c\x3e\x97\x55\x2a\x49\xbf\xb1\x07\x04\xbe\x6b\x25\xe9\xbc\x52\x92\x1a\xde\x53\x4e\x55\xf7\xfd\xce\x4f\x3c\xdb\xcc\x81\x3d\x45\xe9\x5f\x3a\x16\x78\xb4\xbd\xe6\xb2\xe8\xde\x5a\x27\xf5\x64\x60\x29\x57\x19\x29\xb9\x52\x73\x8a\xc9\x41\x5a\x0e\xfb\xf4\x41\x6b\x03\xb6\x95\xeb\x33\xf8\x6b\x09\x40\xc3\xdd\x77\x1d\xf4\x16\xad\x2b\x46\x48\xcf\xa6\xdc\x71\xe8\x65\x9e\xa7\xf2\x98\xd9\x34\x1d\xff\xeb\x18\x84\x88\x10\x67\x03\x78\xdc\x5f\x3c\xf0\xaf\x93\xf6\xf6\x95\x8a\xa4\xb8\xbf\xc5\x82\xdd\xa2\xcb\x81\xb3\xf8\xa6\x9d\x51\x16\xeb\xcc\x48\xab\x84\x3d\x9a\xf2\x3d\xc6\xa8\xc7\xd3\xff\xd2\xda\x5e\x98\xcd\xb9\x37\x2b\x61\x66\x4d\xdd\xd2\x69\x8b\x0f\x3f\xaa\xb1\xcf\x8c\x5a\x07\xb1\x06\x90\x21\x5d\x80\x58\x80\xf8\xf9\x49\x83\x70\xd8\xde\x37\xea\xdd\x60\x5d\x29\xa3\xdb\xa9\x20\x33\x83\x83\xa0\x99\x26\x31\x7f\x59\xd2\xb0\x2d\xe3\x5f\x18\x91\xe7\x33\x45\x1f\xfd\x4e\xc7\xab\xcf\x69\xa5\x09\xb9\x20\x91\xea\xb7\xc0\xa7\x55\xe0\xae\x2f\x4b\x1a\xb6\xad\xe3\x28\x3b\xc2\xa6\xb6\x35\x27\x96\x02\x19\x1e\x72\xae\x1d\x0a\x86\x71\xd0\x3d\x80\x79\xfe\x8c\xbd\xd3\x61\x4f\x88\x82\x2c\x27\x93\xa6\x58\x0d\x3b\xc2\x7d\xe5\x16\xd0\x80\xdb\x11\xe9\x9c\x5c\x34\x3c\x47\x80\x34\xb1\x49\xe1\x75\x00\xa2\x96\x2b\x9a\x9d\x97\x25\x0d\xb8\x63\x21\x92\x69\xd3\xa4\xcf\xde\xe6\x30\x17\x2a\xa6\xef\x43\xd5\xee\x7f\xe4\x35\xbb\xe5\x61\xd4\xcc\xaa\x15\x81\x77\xc9\x5a\x7d\x71\x8c\x3d\xad\x6a\x16\x3d\x3f\x69\x80\xe6\xfc\xe0\x98\xc7\xe9\xef\x2a\x5b\x22\x0c\x6d\xa5\x8e\xfc\xa3\x7b\x86\xc4\x5d\x4b\xe1\xbb\x95\x8e\xbc\xec\x3d\x35\xac\x32\x24\x3e\xbf\xbc\xb2\x26\xd8\x21\xf6\xef\x87\xae\x2c\x73\x74\xf7\x44\xfc\x2e\x74\xe2\x5f\x33\x15\xb7\x9f\xdf\xa5\xf1\xf0\xff\x18\xa2\x15\x3f\x76\x76\xc3\xe5\xed\x37\xac\xc3\x6e\x5d\xdb\x0d\x61\x1a\x69\x5b\x21\x49\x87\xb2\x9d\xf0\x75\x8c\x95\xa2\xd6\x36\x92\x34\xbc\x57\x47\x08\xac\xf4\x60\xda\xcc\x81\x58\x5a\x16\x17\x42\xb1\xe9\xfe\xd6\x41\x6f\xa9\xe2\x3a\xf2\x0d\x67\x65\x52\xe5\x00\x9d\xc8\x49\x4a\x9e\xde\x66\x10\xf3\xae\x48\x21\x64\x30\x88\xc1\xa5\x9c\xc4\xfe\x25\x07\xb4\x51\x4b\x36\xfd\xaf\x03\xec\x47\x1c\x39\x98\xb0\x45\xfe\x27\x87\xcd\x6f\x15\x6d\xb7\x6d\xbd\x71\x63\xf5\xce\x15\xf8\xa6\xeb\x21\x40\x79\x83\xf9\x0f\x4d\x1a\x44\xb6\x18\xb7\x8c\x78\x4f\xd5\x1e\xb4\x56\x21\xff\x80\x71\x7c\xc0\x66\xee\x49\xd1\x3d\x5d\xf6\xf1\x13\x74\xb7\x1b\x72\xee\xe6\x5d\x9e\x4f\xd9\x6b\xd4\xc9\xf0\x7e\x36\xb7\xbb\x05\x27\x8f\x88\xd7\x43\x82\xcd\x56\x98\xfb\x6a\x4d\x35\x04\x90\xf0\xcb\x81\x96\x3d\xfb\x90\xd3\xd9\x5e\xde\x3d\xdf\xbd\xad\x60\x1e\xb3\xaa\x54\x72\x95\x54\x54\xaf\x2c\x0a\xbf\xef\x8a\xe1\xf1\xe2\x43\xd3\x8b\xdc\x2f\x30\xaf\xae\xf9\xa6\xf5\xb2\xe5\x1b\xfa\x71\x64\x06\x29\x12\x85\x2c\x11\xf7\xc0\xc1\x3d\xc1\xb1\x27\x38\xfe\xe5\xb8\x57\x77\x69\xda\x7a\x65\xd9\xb4\xf5\x38\x18\xb6\x7e\x4f\x89\xaf\xcf\x6d\xa3\x30\xec\x60\x75\x83\x04\x7b\x9d\x53\x24\xa2\xca\x95\x55\x2c\xe5\x47\xbb\x4d\xb2\x19\xf5\x20\x6e\xd5\x89\xb7\x8f\xdd\xa7\xb5\xa1\x94\x9d\xd8\x6d\xdb\x50\x1d\x9a\x50\x96\x85\x6a\xe1\x6c\xb4\xf6\x21\x67\x63\x7b\x81\x7c\xc2\x9d\xaf\x57\xdb\x46\x8c\x5a\x69\xa9\x3c\xa4\x6a\x8c\xbd\x7a\xd4\x64\xe9\x2f\xa8\x21\xd1\x6b\x70\x72\xe5\x56\x59\xe6\x0a\xd1\x7b\x9d\x45\xee\x1d\xf7\x37\x46\xbc\x17\x55\xdf\xb2\xa4\xa8\x62\x05\xa3\x0c\xf2\xb8\xc5\x13\x7a\x4a\xa5\x7c\x20\xaa\x9e\xf5\xb0\x2d\xb6\xff\xb8\xc6\xfe\xce\x61\xfb\xd3\x20\x6e\x8b\xcc\xfd\xa6\xe3\xfd\x98\x83\x7f\x17\x3c\xfa\xa4\x1d\xd2\xe5\x64\x9d\xaf\x13\x89\x78\x86\x6e\xc4\x7e\xd2\xe3\x9b\x20\x90\x01\x13\x21\x4f\xf8\x7a\x22\x25\x91\x06\xdc\x54\xcf\xa3\x47\x14\xdc\x8d\xfd\xe2\x2e\x94\x5b\x02\xae\x44\x77\x25\xe0\x3a\xc7\x2d\x9f\x2f\x2b\x10\xb8\xf5\x24\x05\xf7\xe6\x72\x2f\x9e\xb3\xcf\xa1\x33\x6c\x9a\x1d\x1e\x3a\x8f\x4a\xbd\xbe\xb8\xb0\x2c\x3f\xca\x36\xd8\x68\xda\x8b\x84\xbb\xe6\xad\xc8\x7f\x8d\x94\x20\xea\xd6\x8d\x80\x18\x37\x5a\x61\x13\xcc\x55\x60\x81\xa7\x91\xd1\x29\x60\xe4\xc0\x5c\x21\x90\x90\xf9\x24\xce\xc5\xc5\xdc\x72\x21\xfe\xd4\x41\x76\xc8\xa8\x4f\xda\x08\x9a\xba\x36\xcb\x49\x24\x6e\x09\x21\x7a\x0f\x2c\x20\xaf\x3d\xe8\xfd\xb0\x53\xba\x58\x65\x0a\x31\x1e\xc9\xf8\x82\x76\x75\xcb\xea\x5c\x98\xf6\xa7\xaf\x93\x7f\xac\x07\x17\x12\xcc\x39\x94\x5f\xac\xd2\x2b\x0e\x5f\x98\xe6\xa5\x8f\xe1\x06\x49\x01\x6f\x48\xa9\x9e\x22\x28\x3b\x60\x68\x62\xf9\x47\x8e\x54\x9b\x61\xbe\xb0\xe7\xaa\xbc\x9c\xa9\x0f\xcf\xd0\xf1\x5c\x85\xc7\xd8\x1c\x78\x73\x0d\x1c\x63\x33\x6c\x7a\xe8\x1a\x18\x36\xe7\xf6\xb4\x8e\x5d\x68\x1d\xeb\x86\xd2\x71\xd7\xee\xac\x32\x4f\xdb\xc2\x97\xf6\x90\x93\x6d\xbf\x61\x2d\xb9\x67\xf4\x09\x62\xe8\x72\xd7\x1b\x56\x69\xcd\x57\x66\x5d\xbc\x9b\xb1\x3b\x1f\x29\xf6\x82\x6f\x03\xb6\xce\x27\x51\xaf\x13\x17\xb0\xad\xee\xcf\x1d\xf4\x6e\xdf\xfa\x11\x03\x81\x05\x44\x5f\xaf\x83\x10\x74\x64\xda\xc8\xc2\x96\xe0\xdd\x34\x84\x29\xe9\x6b\xee\x32\x00\xb5\xbe\xe4\x8c\xbd\x2c\x4b\xe2\xa5\x20\xdf\xb0\x84\xd3\x2f\x8f\xb1\x37\xd6\xd8\x58\x37\x0d\x13\x29\xa9\xdd\xef\xd1\x69\xdc\xdf\x70\xd4\x45\x02\x0b\x54\xb8\x2e\x38\xa0\x1a\x84\x29\x0a\x90\x47\xbf\xd3\x4d\xd2\x3c\x88\x9b\x42\x4b\x2c\xaa\x21\x80\x0b\xa5\xb8\xfb\x42\xe6\x43\xe6\xf3\x53\x90\x0e\x8e\x09\xe0\xb8\xb1\x36\x93\x58\xd6\x5f\x3e\x07\x91\xd8\x29\x57\x9f\xf7\x39\xf6\x83\x82\x32\x40\x1c\xe9\x44\xc1\xc0\xc4\x98\x55\x2e\x45\x5c\x37\x68\x0a\x9e\x35\x45\x1c\xa4\x61\x62\xa6\x1a\x63\xcc\x4c\xa0\x8b\xa4\xc8\xf9\x14\x19\x5e\xa7\xec\xd8\xb0\x8f\x39\x84\x03\x0e\xf9\x1f\x1a\x9e\xa6\x40\x4b\x84\x4b\xc5\xb4\x2e\x5c\xa0\xd8\x60\x1f\x72\xf9\x8d\x25\xb7\xd1\x6b\x00\x33\xd6\xd9\xb9\xc5\xc3\x54\x46\xdd\x72\xae\x1e\x6e\x44\x49\xe3\x70\x27\xc8\x72\x91\x1e\xa6\x49\x97\x1d\x3e\xe2\x4f\xc9\x75\x26\xa7\x7b\xbd\x48\xfe\x6f\x89\x3c\x08\x23\x3b\x43\xe3\x4e\x1b\xc5\xfe\x36\xef\x46\xe3\x27\x8a\xae\x8d\x5e\x07\xb8\x6c\x83\x16\x50\x24\x99\xf7\xed\xe1\xb2\x0a\xfe\x99\x9a\x06\x8f\xfc\xf1\x9a\xf7\xfe\x9a\x05\x1e\x89\x9a\x55\x10\xed\xbc\x5f\x56\x37\x04\x3f\x24\x27\xe5\x21\x6e\x94\x84\xb1\x56\x3a\x6d\x3c\x0d\x3b\x41\x6a\x64\xab\xa4\x6a\x1e\xe5\x09\x0f\xb2\x0c\xb6\xfe\x98\x24\x63\xa6\x01\xae\x91\xc1\x10\x9e\x0b\x55\xf0\x19\x49\x62\x8c\x01\x7b\xac\xc7\xe4\x01\x87\xe9\x15\xe7\xbe\xcf\xf1\xde\xec\xa8\x5f\xb4\x97\x40\x6a\x15\x30\xa0\xf0\xae\xbc\x3a\x0e\x49\x1b\x18\x7b\x07\x68\xca\x00\xaf\x1c\x26\xf1\x04\x45\x5f\x86\x59\x61\x40\xe1\x41\x3b\x08\xe3\x2c\xc7\x04\x8f\x26\x48\x0d\x2b\x2f\xbf\x9b\x26\xad\x5e\x13\xf5\xd5\x02\xe9\x7a\xd8\x38\xdf\x42\x64\x58\xb3\x5e\x5d\x27\x21\x95\xa7\x0c\xdc\x50\xf1\x61\x15\x65\xfc\xd9\x08\xbb\x69\x47\xf2\x1d\x54\x45\x52\x7d\x4e\x26\xe9\x82\x8a\x0d\x71\x3f\x34\xe2\x6d\x9a\x37\x6d\x0c\x12\x0f\x04\xb9\x1a\x0a\x0f\x54\x15\x4f\xff\xa2\xad\x19\xec\x33\x74\x51\x41\xde\x76\x82\x96\xc0\xcd\xbb\x87\x9c\x2e\xe7\x85\xe8\xaa\x94\x3b\x60\xa3\xec\xfb\x97\x9c\x2b\xdb\xc6\x97\x2f\x39\x07\xa8\x10\x4b\x58\xbe\xa6\xc6\x42\x66\x3d\xe8\xbe\xc8\x3b\x65\xfe\xb6\x30\xb2\x10\x89\x09\x15\x7d\xc0\xfb\xa0\x67\x14\x99\x78\x92\x76\xca\xad\x32\x3b\xf4\x5d\x0e\x53\xb5\x70\xbf\xdf\xf1\xfe\xc3\x85\xca\x4f\x54\x15\x9a\xac\x17\x3d\xa3\x49\x5a\x20\x03\x4a\x61\x63\xab\xe5\x03\xc9\xd7\x29\xe0\xf5\x00\x5c\x5d\x37\x0a\x73\xad\xd0\x98\x63\x61\x0d\xf5\xff\x35\x66\x65\x43\x0f\xe6\x1e\xae\x26\xe7\x45\x4c\x70\xac\xee\xbb\xc7\xbc\x59\xf3\x42\xa1\xc6\x04\x3c\x97\xd7\x29\x4a\x07\x85\xb4\xdc\xcb\x42\x79\x56\x6a\x22\xd4\x43\x95\xf3\xe0\x0f\xf6\xef\xa9\x68\xff\x52\x2c\xca\x27\xc8\x22\x73\xd3\x70\x5d\x6f\x9b\x09\x02\x70\x32\x8b\xda\xfa\xb1\x45\x8d\xb6\x2b\x08\x0a\xd8\x3b\x6c\xed\xf2\xb0\xf5\x90\xd3\xde\x5e\xb5\x5e\x70\x6f\xb1\x8c\xf3\xc6\xa8\x94\xd4\x6a\x73\x84\xca\x66\xf9\x77\x8e\xb0\x99\xaa\xac\xb9\x8d\x24\x4f\xe2\x25\xf9\x64\x96\x8b\x38\x5f\x08\xb3\xf3\x56\x4c\xfe\x97\x6a\xde\xf5\x56\x48\x3e\xbe\xc1\xe7\x0b\x6a\xeb\xae\x7e\x9b\xb7\xc2\xec\xbc\x5e\xf5\x52\xa0\x74\x5b\x25\x2a\xdf\x37\xd5\xd8\x22\x83\xcb\xee\x9c\x77\x54\x21\x16\x1b\x09\xb3\xdb\x96\x6f\xae\xaf\x5f\x74\xd8\xfe\xf5\x6c\x55\xaa\x90\x9f\x70\xbc\x1f\x71\x4e\x86\x91\x50\x34\xb6\x52\x45\xca\x13\x0c\x82\xa7\xc0\x74\x48\xcf\x58\x2f\x3d\x33\xc0\xf3\x0a\xd0\xd2\x44\xee\x16\xb7\x29\xa5\xcd\xe7\x27\x2e\xfa\xdc\x13\x17\xf3\xa3\xde\x24\xf7\x2e\xae\x67\xf2\x9f\x38\x5f\xcf\x3c\x9f\x2f\x76\xba\x51\xd8\x0c\xf3\x88\xa4\x58\xaa\x81\x90\xf0\x05\x1e\xae\xf3\x5e\xac\x23\xbd\x2d\x09\xff\x9f\x0f\x6e\x83\xc9\x76\x64\x98\xe9\x11\x0c\x36\x7f\x3c\xe6\xdd\xbe\xc5\x7d\xfb\xf0\x3e\xd4\x9d\x42\x0b\x6e\x48\x74\xcb\x1b\x0e\xb0\x77\x3b\xca\x2c\xf0\x26\xc7\xbb\xae\x32\x3c\x63\xfb\xc2\x4d\x7b\xc1\x6d\xec\x24\x5b\x78\x18\xb0\x2f\x43\x7b\x61\x6f\x7f\xda\xc5\xfe\x94\x1a\xfb\xd3\xfa\xee\x4c\x08\x87\x34\x53\x41\x41\x79\x5a\x15\xe8\xb1\xb7\x69\xec\x7a\xd3\x78\xf9\xf6\x9b\xc6\x19\xf7\x54\xfd\x11\xb8\x0c\x06\xac\x31\xb8\xf6\x18\xfb\xc1\xa7\xb3\xeb\xcd\xed\x43\xa4\x39\x9e\xdf\x04\xda\x5b\x8a\xdf\x2b\x61\x3b\x0e\xe3\xb6\xa1\x71\xb8\x7f\xf4\xef\xbc\x9b\xb7\x7c\xc2\x3e\x7e\x18\x85\x1b\xd4\xb8\x07\xe8\xcf\x4b\x0e\xcb\xc2\x76\x2c\xd2\x33\x41\xc7\x06\xed\x7a\xe8\x3b\xd9\x5f\x39\x4c\x3d\xe7\xfe\x89\xe3\x8e\x36\xfa\xb9\xf0\x3e\xe2\x28\xdf\xb8\xfe\x4c\x10\xf3\x8b\xc7\xa6\x6e\xb0\x3e\x95\x61\xb5\xb4\x23\x5d\xa1\x72\x85\x31\x0f\xb8\x37\x7f\x62\x79\x75\xf1\xe4\xe2\xfc\xdc\xea\x09\xbe\x7c\xe2\x05\xe7\x4e\xac\xac\x7a\x7c\xe9\xc4\x69\xde\x88\x92\xe6\x79\x5f\x21\x6f\xa5\x8a\x74\x3b\xc8\xf0\xc0\x99\xa4\xfc\x45\x73\xa7\x4f\x61\x52\x92\x5a\x1e\x05\x52\x47\xd4\x27\xac\x6b\x05\x02\xe6\x5b\x23\xbd\xa3\x20\xd0\xb7\x7c\x07\x33\xba\xc4\x7d\xe5\x77\x78\x7f\x7d\x75\xf1\xdb\x08\xc1\x31\xc2\x04\xe4\x22\x80\x47\x34\xa0\x1c\x20\x3a\x45\x98\x89\x04\xe7\x78\xc6\xe4\x6c\x38\xbc\x19\xe4\xcd\x8d\x42\x98\xc9\x03\xc4\xd0\xb1\x44\x4c\xd8\xf5\x30\xca\xa5\xd4\x8f\xcd\x44\x73\xcc\x4d\x0b\xb8\x27\x77\x41\xbf\xa8\xde\x4d\x67\xe6\x4e\x9f\xf0\xf0\x21\x95\x4e\xef\x33\x76\xa7\x88\xa2\x3a\xf2\x62\x18\xc8\x5d\xf8\x1a\x58\xb1\x66\x19\x9f\xf6\xb9\x57\xf4\x8d\x5c\x6f\xf2\x57\x61\x1f\xac\xa3\x40\xf6\x66\x15\xf3\x3d\x09\x68\x73\xf2\x52\x22\x1d\x12\x75\x2b\xc7\x95\xa1\x65\x81\x0a\x61\x17\xeb\x33\xce\x97\xcd\xee\x80\x56\x62\xd5\x30\xa3\x5f\x40\xf4\x53\x2f\x4f\xea\x41\xb7\x9b\x26\x17\x50\xb5\x80\x52\x9a\x5a\xad\xa9\x63\xc6\x61\x3a\xa9\xbe\x0e\x95\xd4\x4a\x88\xd7\xcc\x52\x9a\x91\x1e\x2f\xde\x92\xb3\x71\x48\x41\x3e\xe3\x47\x76\xd6\x23\x30\xa3\x22\xb1\x93\x9e\xa1\x27\x33\x85\x3d\xba\x8b\xae\xa1\x66\x0e\xf4\x8b\x6a\x2d\x5e\xdb\x79\x7b\x71\xe6\x5e\xbe\xce\x9b\xa9\xec\xbc\x48\xe4\x75\x38\x28\xcb\xa2\xa8\xb7\xe8\xf7\x0e\xba\x0b\xba\x85\xaf\x9e\x5a\xd1\x9a\x42\x36\x49\x36\x26\xbb\xe7\xa0\x1d\xcd\x24\x8e\x89\x0c\x17\x40\xff\x45\xd4\xbf\xec\x93\xed\xb2\xf6\x19\x83\xed\x8f\x6c\x72\x25\x6a\xf8\x20\xd7\x3b\x22\xed\x86\xad\xa4\x99\x1d\x4e\x55\x84\xfb\xe1\x00\x82\x88\xea\x72\x46\xc5\xf0\xff\xf7\x1e\x36\x3a\xb4\x4e\x75\xa9\x2b\xc9\x73\xf8\x5a\x43\x0e\x92\x20\x60\x0c\xad\xf8\xbc\x90\x27\x28\x82\x82\x28\x03\xf5\xbb\x50\xb9\x39\xe6\x2c\x43\xbf\x91\x8a\x81\x22\x64\x35\x05\x30\xd9\x30\xc3\xfd\x19\xb6\x3d\xc0\xa6\x84\xeb\xe3\xf3\x73\xbc\xd1\x8b\x5b\x91\xc8\x26\xa0\x81\xfa\x41\xd1\xc2\x05\xb7\xa4\x61\xd2\x33\x0c\x8e\xca\x66\xa1\x93\x75\xda\x0e\xc4\xaa\x07\xf2\x45\xe5\xcd\xa6\x07\x79\x98\x15\xe2\x18\x27\xa0\x72\x36\x4f\x16\xe8\xeb\x93\x1c\x53\x7f\x10\x40\x1b\xb7\xad\xc2\xd9\xa1\x8c\x51\x6a\xd3\x1a\x0f\xe3\x66\xd4\x03\x30\x16\x15\x70\x49\x5f\x9b\x8b\x72\xec\x1f\x18\x26\xac\x89\x9a\x8b\xa0\x1d\x4e\x6a\x7a\x2a\x28\x38\x89\xb5\xf7\x1d\x95\x9d\x89\xed\x9a\x55\x90\xbd\x95\x1a\x76\x74\x27\x0d\x3b\x2f\xfa\xbc\x97\x05\x6d\x91\xf1\xc3\x58\x94\xdc\x7c\x8b\xab\x3e\xe3\xc7\xe4\x21\xac\x1b\x62\x80\x98\x39\x59\x78\x14\xae\x13\x5b\x82\x6a\x35\xe2\x5f\xae\x03\xb3\x86\x0a\x4b\xa5\x0d\x4f\xc7\x99\xc9\x69\xaa\x40\xb1\x5a\x9d\x30\xf6\x19\x3f\x0e\x3b\xb9\x19\x78\x6b\xef\x7c\x73\xf6\xa2\x37\xfa\xd2\x3a\xd4\xbd\x87\x70\xad\xde\xea\x78\xaf\x76\x7a\x61\xcb\x56\x70\xe4\x05\x4a\xf2\x82\xa0\x5e\xdc\x83\x88\x83\x50\x5e\x1d\xba\xc1\xfa\x7c\x29\x31\x68\xa2\x73\x1b\x82\x3e\x89\xb1\x14\xc5\x1d\x16\x76\x3a\xbd\x9c\xa0\x6d\x0d\x90\xa9\xfd\x6c\x3f\x76\xa9\xfb\x0f\xfb\xbc\x07\xf7\x51\xa7\x9b\x0e\x2f\xca\xe2\x33\x86\xa4\x50\x1b\x68\xc2\x91\xf0\x30\x7a\xc3\x67\xcc\x92\x54\x52\xea\x55\xee\x2b\xfd\x2e\xd2\x96\xa9\x42\x67\xb9\x07\x94\x28\x41\x04\x43\x04\x50\xc1\xf2\x70\x2d\x3f\x2f\xe2\x66\xd8\xdd\x10\x69\x47\x6e\xe4\x93\xdc\xa3\x02\xa5\xb8\xf0\xaa\x3e\x58\x2d\x9a\x2b\xbe\x58\x55\x78\x65\x2d\x54\x30\x33\x7d\xf1\x0e\x20\xa7\x22\xd6\x42\xd4\x43\x3c\x25\x36\x87\x15\x41\x18\x05\xbc\x09\xe9\xdf\xf8\x35\x56\x5d\x05\x79\x2d\x68\xa7\x42\xe8\x3a\x49\x95\xd1\x7e\x8a\x71\x4f\x36\x0f\xbe\x01\xc5\xa7\x91\xfe\x5b\x3d\x09\xb4\x8d\xf0\xbe\x28\x5d\x08\xe2\x3e\x14\x61\xb6\xab\xd4\xb1\xf0\x85\xa4\xa5\x55\x62\x28\x18\xa8\xbd\xba\x69\x92\x63\x10\x08\x74\xcd\xe1\x4e\xd8\x11\xf0\x78\xd8\xcd\x44\x53\x6e\x72\x64\x2e\x91\xb7\xf1\x5a\xde\x8b\x63\x11\x15\xbf\xe5\x8c\x87\x57\xe4\x7a\xcd\xf2\xa0\xd3\xa5\x2f\x24\xcd\xac\x6b\x7e\xb1\x13\x36\xd3\x24\x4b\xd6\x73\x9e\xb5\x9b\x60\x6c\x11\x79\xd6\x0c\xba\x02\x7e\x0f\x07\xad\xd8\xa1\xd6\xfc\xc3\x8e\x01\xe5\xf6\x2e\xc7\xfb\x3e\x47\xfd\xb2\x17\xab\x09\x5d\xfa\x38\xac\xd6\x5f\x72\x14\xca\xdf\x7f\x75\xbc\x37\x39\xf0\x67\x51\x41\xfc\xa9\x99\x32\xb3\xc7\xb8\xa2\x0f\x03\x3c\xf0\x0f\x1d\x8d\x1e\xf8\x79\xc7\x7b\xb3\x43\x90\x81\xba\x25\xe8\xbb\xe9\x08\x70\x53\x6f\x84\xdd\xc7\xbc\xcb\x77\x39\x9d\xbe\x6a\x07\x59\x69\xfb\xaa\xb6\x5d\xa2\x55\x15\xd3\xcc\x0e\x7a\x37\x54\xdd\xb0\x8d\x75\xe5\x27\x88\x38\xb4\xd2\x42\xf7\x9a\xb1\x3d\xb3\xca\x6e\x03\x9f\x7e\x4a\x9b\x38\x7f\xcc\xf1\x84\x42\x69\x30\x8c\xcf\x84\x06\x53\x59\x3b\xfb\xe0\x00\x9a\x6e\x33\x89\x9b\xa2\x9b\x67\x87\xb3\x3c\x49\x83\xb6\x38\x5c\x14\x55\xa7\xa2\x76\x1e\x40\x35\x6c\x3e\xed\x59\x3f\x77\x61\xfd\xfc\x4d\x33\x6c\xfb\xd3\xbb\x4c\x6c\x7b\x95\xf3\x38\x65\xb6\x19\x8d\x7b\xc8\x79\xf1\xf6\xa6\xc1\x1b\xdc\xeb\xb4\x69\xd0\xf3\xb4\x45\xb0\x4a\x20\x95\x9d\x48\x1f\xdc\xc7\x6e\xa7\x5e\xc1\xe3\x6b\xbb\x9d\x8a\x36\xe0\xc8\x9a\xb1\x58\xa9\x68\x87\x10\xc7\x8a\x9e\x43\x8c\xfa\x9b\x5b\x5a\x5c\x41\x87\xf3\x7c\x12\xa3\xf9\xcb\xfd\xfc\xa8\x77\xa6\xe2\x7a\x89\x48\xa6\x48\xd6\x06\xc2\xed\x15\xe5\xb6\xce\x09\x63\x36\x6c\xf6\xa2\x20\xc5\xb4\x6c\x1d\x83\x45\x3e\x4e\x9b\x30\x66\x84\xbd\x90\x1d\xe8\x88\x4c\xea\xb4\xee\x69\xef\x79\xb7\xf5\x3a\x41\x5c\xd7\x71\x17\x74\x47\x59\xcc\xe4\x62\xd1\x67\x5b\x08\xe5\xc6\x4c\xe3\x34\x88\xb3\x70\x00\xb7\xfc\x25\x6c\x7f\x2a\x82\x2c\x89\xdd\x55\xef\xd6\x73\x80\x04\x3b\xc9\x93\x58\xd4\x37\x93\xb4\x35\x59\x4c\x76\x8e\x4f\x19\xf1\x1d\xd4\xea\x43\xd9\x96\xe5\xdf\xa5\xdd\xb6\x4b\xde\x7c\x91\x7c\xa7\x3a\xa8\xa7\xf7\x7e\x5d\x20\xac\x3b\xb9\xe8\x56\x81\x06\x0c\xd8\x98\x26\x15\xdd\xac\x55\xf6\x75\x14\x86\x75\xd8\xf3\x56\x29\x08\x2b\x57\xe4\xc6\x03\xa5\x9a\x2f\xbe\x95\xd2\xbc\x57\x75\x9d\x21\xcd\xfb\x15\x8f\x3c\xcd\xfb\x79\xa7\xac\x6c\x6e\xfd\x59\xa3\x5b\x04\x01\x46\x26\xb1\x6e\x3a\x40\x64\x41\xc4\x9b\xcf\x3e\x5e\x2b\x27\x20\xd9\x29\x56\x67\x92\x58\x45\xfd\xcd\x69\xc5\xc9\x7d\xc8\xf1\x5e\x51\x79\x87\xe3\x89\x9a\xe6\xa2\x55\x9a\xa9\x78\x15\x86\x8f\x75\x38\x38\xc6\xf5\x32\xae\xab\xde\x17\xe7\xa8\x0c\x30\xae\x10\xb8\xb3\x35\x4f\x13\x76\x3d\x1b\xed\x06\xf9\x86\x3b\xe5\x5d\xab\xe2\x98\xe4\x9b\xe7\x96\x4f\x61\x04\x13\x0d\x0a\x95\x6c\x8e\xc8\x0c\x1b\xbd\x20\xd2\x86\xfb\x6c\xef\xe9\x77\x88\xb4\x31\xe0\x8c\xb9\x6d\x75\x75\x49\x2e\xea\x86\xf9\xd2\x6f\x8c\xb2\xeb\xb6\xcc\x4a\x13\xd1\xfa\x90\xcc\x34\xf7\x07\x46\xbd\x0f\x39\x5b\x3c\x80\xdb\xd1\x40\x14\x1c\x84\x9d\x88\x4c\x6f\x14\x3e\xe7\x27\x2e\x06\xcd\x3c\xea\x2b\x86\x39\x3d\x14\x66\x6d\x8c\x71\x91\x7a\x84\x39\x62\x43\x1e\x53\xe4\xdc\x99\xc8\xad\x4e\xfe\x7f\x6a\xec\x01\x87\xfd\x9b\xb8\x72\x36\xbc\xc5\x61\x37\xef\x3c\x69\xaf\x72\xde\x78\xa7\xab\xa7\x53\x21\xdb\xcc\x54\x11\x8c\xcb\xb1\xa6\x8d\xdd\x3f\xb2\xb2\x6e\x3a\x58\xd3\xb7\x39\xec\x39\x3b\xaf\x69\x45\x35\x57\xb6\xeb\xc0\xad\x2a\x3c\xac\xb2\xff\x3c\x66\xc1\x75\x90\x06\x04\x9e\xa2\x95\xc5\x33\x49\x0b\xf5\xe0\xdf\x1b\xf3\x0e\x1b\xbf\xab\xf2\x0c\xe8\xf6\xd6\xfe\xe9\x8f\xed\xa1\x2f\xec\x5a\xfb\x6d\x2a\xe5\xf7\x2e\xef\x3b\x2b\xdd\xfb\x34\x12\xa6\xca\x7a\x98\xd5\xd9\xb3\x87\x4e\xbe\xc1\x41\xdf\x53\x56\x77\xa1\xac\xfe\xaa\xa9\xac\x7e\x72\x97\xca\xea\x7f\xa8\xd6\x55\x1f\x3b\x10\x86\x97\x6e\xaf\xa7\x3e\xc7\x9d\xd5\x7a\xaa\x9a\x4b\xa5\x80\x27\x43\x78\x94\x55\xd5\x4f\x5d\xc1\xee\xd8\x1d\x75\x63\x39\x41\x20\x56\x11\xa2\x7f\xc2\xbc\xd3\xc3\x6e\x1a\xd2\x92\x08\xae\x94\xa4\x28\x48\x05\x54\x88\x33\x86\xd0\xce\x2f\xfb\x97\x9c\x31\x95\xf6\x65\xc9\xb5\x6f\x1f\x64\xff\x69\x94\xfd\xdb\xa6\x2e\x1d\x77\x55\x12\x6a\x99\xfb\xcf\x23\xde\x57\x47\x86\xdd\x55\xa1\xe3\x29\x46\xfa\x6b\xf0\x22\x0d\x73\xbf\x36\x5f\x7a\x73\xad\xa8\x99\x5c\x23\x77\x8a\xc6\x46\x92\x9c\xe7\xe2\x62\x17\x44\x2f\x78\x50\x0c\x63\x0a\xe4\x68\x81\x9f\x6b\x43\xf0\xf5\x30\xcd\xf2\x72\x84\x2c\x7c\x93\x22\xaa\x35\xe6\x6a\x06\x48\xe5\xb1\x41\x23\xab\xbf\x5a\xa2\x1b\x0d\x33\x2c\x01\x98\x48\xcd\x20\xad\xa2\x12\x93\xbc\x68\x3e\x56\x68\x3d\x08\xa3\x42\xb7\xb6\xa3\xb5\xe1\xcb\x81\x3e\xd2\xb7\x74\x13\xed\xcc\x73\xc3\x12\xae\x1c\x20\xaa\x86\x52\x7a\xb7\x12\x91\x81\x67\x80\x14\x43\x60\xa1\xd6\x4f\xa0\xcf\x5a\x69\x7a\x4b\x8b\x24\x97\x26\x79\x33\x88\x22\xbd\x39\x6c\xd2\x87\x75\x95\x7d\xbe\x60\x70\xec\xad\xdd\xed\xd1\x2c\xf4\xee\x59\xdb\x8a\x3f\xe3\xff\x1e\x61\x7a\xea\xb8\x9f\x1d\xf1\x1e\x1c\xd1\xf9\x83\x45\x2b\xe4\x44\x2c\xf5\x84\x4e\x04\x91\x53\x13\x30\xe6\x90\xb2\x51\x35\xc3\xe7\x73\x96\xef\x07\x2c\xdd\xbc\xce\xd7\xce\x24\xb1\x58\x9b\x85\xa9\xa0\xde\x46\xd3\xb2\xc9\x20\x57\x6c\xc4\x98\xcc\x07\x3b\x26\xe0\xc0\x27\xbd\x26\xf2\xa0\x23\x2f\x07\x86\x06\xd0\x6c\x19\x18\xac\x3a\x5f\xa3\x01\x5a\x9b\x35\xba\x92\x30\x5d\x83\x28\x22\x00\x7a\xa1\xb8\x01\x55\xaf\xe6\x09\x6f\x25\xea\xf8\xa0\x43\xd4\xe7\x2a\xe9\x51\x18\x97\x0b\x85\x68\x58\xb4\x83\x15\x13\x2e\x28\xa0\x9b\x80\xf4\x71\x7e\xfa\x8a\x14\x98\xce\x51\x27\x91\x95\x17\xa3\xfd\xd6\xf1\x88\x25\x1b\x0d\xcf\x1a\x9f\xa7\xba\xcd\xc3\xc6\x33\x0f\xf3\x8d\x5e\xca\x84\x9d\xae\xf9\xda\x1a\x7b\x62\xc5\xd3\xee\x5f\x38\xec\xa5\x97\x93\x9a\xf6\xce\xc1\x6f\x78\xdf\xef\x54\xd5\x33\x54\x34\x36\x18\xd8\xaf\x89\x49\x95\x84\x83\xa1\x30\x66\x75\xb8\x5e\xa4\xb1\x86\x59\x31\x8a\x46\x32\x2d\x78\x0f\xd7\xd4\x53\x6b\x00\x05\x2c\xc0\xf3\x5d\x3c\xcd\xfe\xf2\x2a\xe6\x55\xd9\xc0\x92\x96\x62\x43\x59\x15\x69\xc7\xfd\x6f\x57\x79\x5f\xae\x2d\x90\x86\xa7\x9d\x57\x48\x55\x16\xcb\x6d\xbb\xcf\xf3\x8d\x24\x23\xe2\x0a\xa5\x55\x44\x26\x37\x5f\x91\x5c\x45\x0b\xb4\x80\xfe\x85\x54\xa7\xf1\x6c\x62\xc2\xa0\xe2\xee\x26\x2d\x8b\x5d\xb1\x1e\x25\x98\xfe\x3a\xae\xd8\x17\x26\x94\xfb\xd0\xba\x19\xe7\x61\xbd\x78\x62\x33\xcc\x37\x26\x65\x4f\xa4\x56\x19\x61\x41\xde\x1e\x64\x1a\x56\x0e\x80\xa3\x81\x7e\x63\x13\xda\x62\x11\xb8\x21\x35\x20\x24\xb4\x9c\x17\x7d\xfe\x9c\x3c\xe9\x26\x51\xd2\xee\xdf\x2e\xfa\xcf\x35\xe8\x3a\x82\x9c\x08\xbe\xb1\x20\xc0\x51\x03\x4a\x6a\x68\x90\xe2\x29\x31\xba\x2f\xd4\xdf\xbf\xe4\x5c\x61\x14\x6a\xed\x52\xbf\xca\xd8\x9b\x1c\x76\x95\xd5\x9f\xee\xfd\x97\x81\x2f\xf1\x86\x39\x6a\xd8\xcb\x7b\x22\xed\xf3\x04\xdc\x55\xaa\x7e\x5a\x92\x4d\xea\xcd\xa2\x19\x64\x48\x38\xe3\xb3\xbf\x1d\x61\xd7\xe8\xc1\xd3\x95\xfa\xf2\xc8\x65\xa8\xd5\xa5\x91\x8a\x6a\x19\x1d\xa7\x3f\xab\xb9\xdb\x05\xcf\x45\xda\xa1\xec\x2b\xd4\x31\x57\xd5\xc5\xc1\xac\xac\x5e\x6c\x9c\x91\x8d\xc2\x90\xf8\x71\x90\x42\x84\x38\x75\x01\x09\x3c\x0a\x4d\x17\xad\xf1\x32\x3c\xeb\xf3\xb8\x17\x19\x0c\x92\xf2\x55\xb8\x92\xa4\x44\x10\x6f\xbc\x41\x7a\x61\x10\x67\xdc\x53\x73\xfe\x50\x56\x3c\xe1\xf9\x7c\x4e\xf1\xca\xeb\x12\xc7\x5f\x71\xff\x84\x9e\x6f\x52\x2a\x14\x05\x92\x2c\x25\x89\x9f\x21\x31\x6c\x3d\x92\xaa\xa3\x8a\x40\x83\x6d\x64\x23\x01\x4a\x16\x14\x10\xc6\x4a\x3f\x53\x1e\x4d\x4d\x2a\x5b\x10\xc8\xfa\xec\x97\x6a\x8c\x15\xdf\x74\x1f\xac\x79\xef\xa9\x99\x7d\x68\xfa\xb8\xe5\x31\xaf\xa9\xf5\x22\xfd\x14\xb1\x5a\x5d\xd6\xb1\x33\xc7\xa5\x7a\xe4\xcc\xd1\x1d\x98\xb8\xfe\x36\xc3\xa4\x07\x72\xe0\xcd\x2d\x47\x70\x0b\xbd\xe2\x5b\x35\x66\xae\x77\xf7\x4f\x6a\xde\xef\xd6\x56\x2f\xaf\xe8\xc3\x1c\x44\x29\x66\xb6\x90\xcb\x0a\x9f\x5d\x6b\x86\x45\xdb\x1f\x15\xd1\x69\x34\x7a\x27\x82\x33\xee\x17\x62\x93\x06\xb0\x24\x38\x7d\xc4\xde\xb7\x0a\x0e\x51\x7f\xac\x0a\x1c\xf9\xc8\x41\xcb\x78\xb9\x05\x72\x30\xb1\x56\x2c\xf7\x22\xe1\x7e\x6b\xcc\xfb\x2f\xce\xb0\xbb\xc6\x91\xc4\xb2\x97\x93\xbc\x52\x50\xce\x8a\x63\xc1\x20\x72\xb6\x07\x08\x27\x67\xc0\x07\xf0\x8b\x0f\xc1\xac\x28\x26\x2b\x2c\x10\x2a\x15\xac\x6f\xf0\x3a\x6f\x24\xf9\x06\x87\x13\x00\x4c\x58\x79\x30\xb7\xe1\x40\x3e\x7e\x80\xfd\xde\x08\x1b\x95\x37\xdc\xcf\x8d\x78\xdf\x3b\xa2\x7c\x70\x4a\x67\xc5\x4e\x2f\x66\x1f\x98\x5b\x81\xc5\xb8\x89\xf4\xeb\x54\x5d\x3d\x16\x5a\x9f\x4b\x7b\x91\xd4\xfe\xd1\xae\x51\x3e\x5b\x34\x93\x4e\x03\xe6\x8c\x8a\x51\x8d\x92\x76\xd8\x0c\x22\x7e\x76\x59\xa5\x81\x40\x8a\xa3\xc5\x97\x25\xa5\x0e\x0c\xac\x5c\x64\x61\x26\xdf\x9c\x2c\xbe\x65\x09\x41\x55\xfd\x71\xd5\x29\x18\x56\x84\xb1\x56\xd8\xab\xf8\xc8\x44\xc5\x47\xc8\xc0\x81\x71\x7b\x3a\x7c\xd9\x24\xb4\x0e\x73\xd1\x31\x3f\x0d\x03\x98\xe9\x11\x00\xa9\x4a\xf4\x5d\x7a\x54\x54\xed\xca\xe5\xe8\xdc\xc6\x34\xe9\x40\x07\x3d\x0c\x22\xae\x2d\xe6\xea\x92\x10\xa9\x3c\xab\xec\x83\xe1\x77\x7f\x79\xc4\xfb\xc7\x9a\x76\xb0\xc2\x8c\x28\x0f\x2d\x66\x92\xc2\xb8\x86\x0d\x24\x88\xde\x76\x78\x4f\x04\x70\xd0\x54\xad\x50\x43\x0c\x79\xb8\x43\x47\x78\x17\xe3\x8a\x35\xdf\x62\x54\xe5\x03\xbb\x1b\x53\x11\x5f\x86\x81\x05\xea\x12\xe3\x48\x7e\x99\xc6\x34\x49\x73\xf6\x87\xac\x92\xdc\x05\xf8\xdd\x17\xcf\x5a\x89\x64\x3f\xc9\xbc\xd9\x8a\xeb\x36\x2f\x85\xe1\x6d\xa7\x67\xc9\xeb\x7e\xc9\x39\xd0\x0e\x72\xb1\x19\xf4\x2f\x39\xfb\x31\xc4\xe8\x92\x73\x30\x13\xcd\x14\xd8\xd3\x2d\x39\xf2\x2b\x07\xd9\xe7\x1c\x56\xdc\x74\x3f\xed\xb0\x63\xdb\x7a\xd6\x4f\x25\xcd\x20\x2a\xd3\x49\xbf\xce\x59\x51\xa5\x70\x1d\xb9\xaa\x4f\xf1\xf8\x05\x98\x86\xaa\xb6\xc8\xf4\x18\xb7\xe8\x80\x9b\x09\xf0\x59\x5d\xb0\x38\x40\x8b\x19\x41\x1b\x81\x62\xe8\x9c\xe4\xa7\x92\x76\x18\x17\x42\xc7\xb0\x0f\xb0\x1f\x70\xd8\x15\x64\x06\x3b\x9d\xb4\x84\xfb\x2a\xc7\xeb\x2d\x56\xa2\x6b\xd2\x53\x64\xa2\x27\x22\x94\x62\x69\xad\x6e\x84\xcd\xf3\x4b\x8a\x8e\x06\xa1\x37\x57\x37\xc2\xd8\xb8\xa4\xad\x11\xb2\x86\xe5\x7b\xe6\x76\xf5\x81\x22\xff\xee\x9d\x8e\xf7\xba\xc7\x2b\xff\xce\xa8\x2d\xdc\xb1\xea\xb8\xc0\xd4\xd4\x71\x6f\xf0\x26\x57\xd5\x07\x82\x56\x0b\x39\xe2\x71\x05\xa9\x01\x9c\x5b\x5a\xe4\xb7\xe2\xe3\x56\x29\x6b\x8c\x65\x59\x74\x02\x15\x4d\x77\xd9\x5b\x38\x19\x05\x70\x82\x47\xdd\xf3\x70\x2b\xcc\x60\x3b\x5a\x59\x39\xc5\xc9\x4e\xda\x54\x63\x98\x6f\xa8\x22\x27\xa5\x7e\x02\x55\x05\x53\x01\x80\x61\x34\x92\x24\x12\x41\xcc\xee\xd6\xe3\xbb\x94\x24\x91\x7b\xca\xbb\x79\xd5\xa8\xd7\x0a\x0d\xaa\xbc\xc7\x83\x2c\x4b\x9a\xa1\x4d\x84\xf4\xff\xb3\xf7\xee\x61\x96\x64\x55\x9d\xe8\x17\x27\xb3\xba\x2a\x77\x3f\x68\x02\x1d\x1d\x07\x75\xdf\x00\xad\xcc\xe6\x9c\x93\xf5\xea\xa2\xbb\xfa\x81\xd9\x59\xd5\xdd\x09\x55\x59\x49\x66\x56\x23\xd3\x34\x9d\x91\x27\xf6\xc9\x13\x54\x9c\x88\xd3\x11\x71\x32\xeb\x20\x68\xf3\x10\xe4\x21\xa0\x80\x0c\xa5\x80\x30\x32\x8d\x2d\x82\x33\x82\x80\xe2\x8b\x0b\x0c\x17\x04\x01\xf5\x02\x8a\x0f\x50\xc0\xd7\xa7\x33\x57\x1d\xef\x6d\x75\xe6\x7e\x7b\xad\xb5\x5f\x71\x4e\x3e\xaa\xb2\x1f\x8c\x5f\xf6\x1f\xd5\x79\xe2\xb1\x63\x3f\xd6\x5e\x7b\x3d\x7f\xcb\x84\xe6\xf1\x28\xeb\x86\xb1\xeb\xa8\x3d\xcb\x68\xd7\xf8\xa7\x82\x1b\x96\x2b\x61\x6d\x8a\x60\x68\x55\xc2\x42\x1b\xc4\x50\x68\xa5\x3e\x38\x0d\xbe\xc8\x63\x0c\x49\x0b\x92\x4e\x8a\xa0\x6d\xb7\xaa\xc9\x2e\x4c\x72\x11\x46\x03\x1d\xbc\xa5\xe0\xaa\x68\x54\x8a\x0e\x94\xec\x31\x34\xae\xb8\xd0\x04\x8c\x56\x21\x17\x00\xe7\x5a\x33\xea\x93\x30\x68\x7f\x31\x38\x55\x1d\x9e\xfa\xd8\x82\x99\x21\x7c\xd8\xf6\xc1\xab\xe1\x2a\x4b\xb3\xfd\x9d\x0b\xec\x80\x1c\xc5\xd9\x34\x19\xf8\x49\xf0\x5c\xdb\x52\x07\xcb\xc8\x27\xe5\xed\xe9\x8d\x3c\x2e\xe5\x19\xbe\x48\xcf\x72\x10\x4f\x71\x0b\x67\x39\x21\x44\xe8\x9b\x85\xc0\xf4\xff\x38\xe5\xc8\x0f\xcf\xc8\x8d\x42\xc5\xb3\x14\x4d\xbc\xf6\x3b\x46\x5a\x40\x2a\x68\x5f\xfe\x9f\xff\xdb\xe0\xcb\x5e\xe5\x22\x81\x85\x16\x74\xb5\x62\xe3\x34\xe8\x62\x72\x4f\x1a\x2d\xc6\x2a\x4e\xd5\xe4\x4b\x59\x57\xe0\xa9\x85\xf6\x42\x75\x6e\xc5\x29\x0a\x73\xd5\x2f\x4a\xbe\xb7\x20\x25\x41\x17\x8b\x8c\x63\x72\x14\xbc\x02\xb6\x5c\x51\xd6\x0d\x5a\x06\x08\x64\xd5\x96\xca\xf0\x3c\x7c\xae\x25\x22\xc9\x71\x5d\x39\xf1\xa1\x6f\x63\xef\xf4\x18\xeb\xe5\xf1\x7a\x9c\x88\x35\x11\x49\xde\xf3\x72\x6f\xb1\x9f\xda\xa5\xd7\x52\x6e\x1e\xe0\x5d\xa8\x90\xb9\x90\x67\x52\xa0\xc0\x4f\x5a\x77\x4d\x75\x34\xe8\x9f\x7c\x24\x2d\x63\xac\x53\x79\x5f\x3f\x5e\x0f\x13\x28\xcb\x9c\xf1\x3c\xcb\x4a\x25\x8a\x48\x26\xe2\x5a\x6d\x81\x16\xdc\xf5\x7b\x65\x8d\x4d\xf4\xf2\xac\x05\x6b\xeb\xff\xb3\x17\xfc\x8d\xa7\x7f\xf2\x48\xa4\x99\x4a\xcb\x52\xa1\x16\xf2\xae\xaa\xdb\x95\x81\x75\xdd\xa2\x51\xea\x24\x4a\xd8\x91\xe1\x79\xd4\x89\x05\xdd\x32\x4a\x53\xfd\x42\x17\x69\x55\xb3\x92\xf7\x53\x08\xad\x88\x54\xb7\xdb\x60\xfb\x0a\x23\x10\x26\x7a\x61\xd9\x29\xc8\x43\x59\x9c\x97\xba\x8c\xbc\x50\xb5\x82\xca\x16\xf5\xa7\x20\x5c\x44\x69\xe2\x6d\x62\x89\xab\x42\x6b\xe4\xf6\x36\xfa\xd5\x31\x76\x55\xde\x4f\x67\x8a\xf9\x2c\x5d\xcc\xb2\xd2\x7f\xf7\x58\xf0\x96\xb1\x39\x2b\x3d\x8d\x54\x6e\xd3\x5f\x50\x1f\xf2\x7e\x2a\x79\x12\xb9\xc7\xe5\x12\x40\x75\x6c\x38\x45\x21\xb2\x45\xbe\xf3\x0c\xcc\xbc\x41\x9a\x5e\x0f\x93\x38\x52\xd8\x83\x58\x9c\x2e\x2c\xf5\xe0\x81\x69\x17\xfd\x5c\xd5\x95\x2b\x8d\x49\x9f\x3e\x75\x6e\xee\x24\x3f\xc4\x27\xe5\xb7\x30\xeb\x01\xbc\x0a\x65\x46\xd8\x80\x6e\x1f\xe3\xb6\x6a\x02\xba\xd4\x4f\x41\xb1\xca\x95\x31\x38\xcd\x78\xd1\x6f\x75\x54\x9f\xf4\xa9\xbe\x2a\x14\x7e\xb7\x3c\x6f\xcf\x84\x03\x93\xb4\x22\x60\x8b\x8d\xdc\x49\x73\x6d\x75\xfb\x12\x76\xa0\xb5\xdb\x5c\x1f\xcb\xa8\x6d\x57\xb8\xfb\xce\x22\xe6\x5f\xa8\xb1\x09\x58\xbf\x73\x85\xc8\xfd\x77\xd4\x54\x39\xc0\x57\xd7\x24\x3d\xca\x39\x93\x5b\xa4\x9f\x92\xbb\xb5\xcc\x07\xe8\x70\x35\x11\x44\x34\x63\x3d\xdc\x87\xee\xee\x01\xc9\xc9\xe9\x1d\x2e\x9c\x49\x2b\x76\x73\xe8\xbf\xa9\xa7\x4c\x01\x5c\xfd\x7d\x8d\x5d\x53\x08\x28\x1a\xa8\xe0\x35\xbf\x52\xdb\x02\x2b\x52\x33\xf8\x53\xf6\x3b\xc1\xcf\xc3\x0c\xab\xea\x83\x2d\xf5\xe9\xac\xc2\xbc\x9d\x59\x56\xc4\xe8\x96\xc5\x1b\x66\x05\x40\x8c\x52\xb5\x80\x44\x9a\x90\xe7\x61\x1a\x65\xdd\xa1\x8f\xe9\x12\xd7\xd6\x07\xbe\x59\x97\x80\x7d\xc3\x93\xd3\xde\x6a\x65\xdd\xde\x42\x9e\x49\x81\xd3\xff\x5d\x6f\x27\xd3\xee\xbc\x13\xfc\xb4\xb7\x8c\x52\xbe\xbc\xa8\xe1\x4d\x89\x2f\x2b\x33\xac\x3b\xe1\xd5\x87\xf1\xd8\xa4\x02\xfc\x61\x89\xe3\x27\x4d\x96\x7f\xaf\xb5\x1c\x60\x09\xad\xae\x91\x6a\x25\x5b\x17\x79\x1e\x47\x42\xbf\x49\x37\x9a\xec\xf7\x6a\xec\xdb\x41\x2f\x5c\x50\xc7\xd9\xa9\xa2\x15\x26\xc0\x67\xfc\x0f\xd6\x82\x9f\xad\xcd\x6c\x72\x57\xe5\xf8\x19\xdd\x21\x54\x1b\x13\x52\xe8\xd6\xa4\x80\x04\x35\xd4\xf5\x49\x59\x20\x88\x5b\x5c\x16\xbc\x17\x82\x2b\x5b\xef\x64\x38\x22\x24\xa3\xa0\xe2\x8d\x50\x77\x85\xda\xd7\xb5\xc3\xef\x4d\xc5\xc6\xbd\xb2\xb5\x02\x8f\x0a\xc5\x07\x81\x61\xa6\x9b\x31\x89\x4d\x07\x10\x17\xc0\xff\x79\x98\x6c\x84\x83\x02\x2d\xc6\x15\xd6\x5c\x9c\xe0\x87\xa7\x14\x57\x5f\x30\x27\xfe\x91\x29\xde\x09\x0b\x3e\x3b\xb3\x70\xef\xd2\xb3\x97\xee\x9d\x39\x79\x66\x6e\xde\xe1\x75\x1f\xf7\xd8\x55\xad\xb0\x17\x02\x68\x55\x2c\x0a\xff\xfd\xde\x0e\x6a\x82\xcf\x5a\x6f\x04\x2f\x01\xea\xb1\x1b\x01\x01\x2b\x8a\xa6\xa3\x3c\xeb\x61\x77\x95\x89\xd2\x3e\xdc\x6d\xa6\x58\x5a\x07\x3d\xd9\xeb\x9c\x06\xd7\xf2\x30\xb5\x34\xa7\xa1\xdd\xdd\x64\x1f\xad\xb1\x6b\x36\xe2\x34\xca\x36\x0a\xc5\x81\xfe\x73\x8d\xdd\xba\xed\x50\x9e\x85\xef\x54\xf6\x9a\x62\x48\x7f\x03\x63\xa3\x67\xd4\xee\x6c\x29\x99\xd6\xb1\x8b\x87\xa6\x00\x27\x0c\x6f\x14\x57\x52\x74\xae\x83\x75\x86\xb9\x81\x26\x96\x7e\x01\x11\x39\x8f\x32\x47\xb9\x8f\xfd\x1b\xa5\x02\x48\xd1\xc5\xe8\xb9\xfe\xb3\x82\xb9\x67\x69\xe5\xdb\xe6\x07\x40\x61\x21\x48\x57\x0d\x10\xaf\x40\x74\x31\xda\xaf\xa3\xb6\x8e\x90\x1d\x5f\x5f\x63\x0c\x8e\x5b\x00\x07\xf3\x5f\xaa\xcf\x5b\x9c\xfc\x3b\x2e\xe3\xbc\x3d\x27\x25\xc2\x8a\x0c\x48\xe7\xaa\x28\xff\xf7\x38\x51\x5f\xb6\x8f\xf1\xcd\x4b\x85\x2f\xdc\x96\x64\xad\xf3\xfe\x57\xc6\x83\x3f\xf5\xe8\xc7\x66\xe6\xef\xd9\xb9\x93\x8b\x7c\x12\x8c\x0a\x87\x6f\x3c\xd2\x3c\x7c\xfc\x86\xe6\xe1\xe6\xe1\xe9\x23\xc7\x82\x7a\x70\xe4\xd0\xa1\xc3\x27\xa2\xd5\x1b\x4f\x9c\x98\x3e\x7e\x2c\x98\x7a\x98\x6d\xe3\xe2\x42\x4b\xf4\x4a\x5c\x31\xab\x77\xb2\x43\x24\x04\x93\xb1\x86\xc2\xd0\x28\xce\x04\x75\xe2\xd8\xb2\x08\x36\x2f\x7a\xe3\xad\x38\xca\x1d\xed\xe8\x6b\x35\xb6\xce\xe0\xb2\x9f\x06\x21\x8c\xd2\x8e\xb1\x1b\x8a\xae\x9b\x5b\xe0\x38\x4f\x98\xd9\x28\x2e\x84\xdd\x5e\x42\x01\x22\xd5\x99\x91\x62\x6d\x65\x72\x6c\x01\xff\x2f\x3d\x76\x05\x0e\xce\xff\x63\x2f\xf8\x88\x77\x0a\x07\x8a\x9f\x4f\x62\xc4\x2b\xdd\xf1\x30\xc3\x74\xb7\x7d\xe3\xd4\x01\xd2\x33\x15\x07\xc1\xd0\x4b\x49\x7c\xb0\x51\x06\xd0\x5c\xd6\x2f\x0b\x75\xc2\xc2\xa4\x01\x34\xf8\x16\x2e\xb2\x0f\x4c\x38\x84\xd8\xca\xb2\x3c\x8a\x53\x1d\x69\x7b\x5a\x84\x85\xf0\x7f\x7c\x22\xf8\x2e\xf8\x4b\x47\xa0\x86\x60\x98\x85\xdd\x29\xfb\xe6\x6a\xb6\x2f\xde\x4b\xe3\xda\xab\x63\xf1\x18\xc6\x98\xbe\xdf\x8e\x31\x7d\xd7\xae\xeb\x58\xac\x3d\x5a\xc5\x2a\x3e\xa9\x8a\x55\xfc\xa6\xc7\x8e\x6c\x21\xda\x8c\xd8\xa2\x50\x9b\xe2\x95\xde\xc8\x0a\xac\xf0\xc0\xa3\x5d\x9e\xe2\x21\xef\xb9\xdb\xc7\xc6\xde\xe4\xdf\xa8\x63\x63\x9d\x61\x55\x02\x64\x61\x04\xd5\xd0\xd8\xd7\x8f\x8f\x34\x2a\x9a\x08\x0b\x4c\x33\xfa\xeb\xb1\xe0\x8e\xca\x35\xb9\x93\x46\x17\xb8\xb0\x0b\x6b\xf6\x29\xb2\x55\xbf\xec\x32\xb9\x37\x8c\xb1\x7f\xf0\x18\xd3\x99\x3d\x85\xff\x75\x2f\x38\xbd\xe8\x16\xea\x24\xa6\x63\xb2\x6a\xb2\xd5\x42\xe4\xeb\x61\x69\x02\x67\x75\x24\xc0\xc1\xc2\xad\xeb\xe9\xf8\xb7\x9e\xca\xae\x67\x47\xb7\x95\x76\x75\x57\x75\x0e\xda\x43\xde\x41\xf6\x44\x67\x19\x7a\xf2\xa0\x6f\x74\x45\xbe\x26\x1a\xe7\xc5\xc0\xdf\xef\xef\x93\xdb\x88\xc9\x27\xff\xdd\x88\x27\x75\x5c\xe6\x01\xff\x0a\x78\x8b\xb1\x37\x7b\x6c\x5f\xaf\x23\x0f\x86\xd7\x7a\xc1\x8b\xbc\x05\xf9\xa7\x8a\xae\x53\x43\x48\xe2\xb6\x68\x0d\x5a\x89\xe0\xf0\xe4\x50\x34\xc9\x4e\xd3\x4f\xcb\xb0\x38\x5f\x4c\x03\xae\x45\x5c\x94\x80\xfd\xd3\x07\x84\x65\x13\x41\x31\xed\xa4\x72\x3d\x9e\x7d\xe7\x26\xd5\x13\x89\x20\xfe\xf6\xda\xe0\xd0\xa5\x54\x56\x7d\x7a\xb5\xa8\xea\x7b\xae\x65\xbf\xb4\xcf\x59\xf9\x07\xf6\x05\x7f\x35\xb6\xbc\xa3\xf5\x4e\x0d\x34\xbd\xbb\xda\x68\x5d\x86\xcf\x81\x9d\xae\xa8\x73\x2b\xb8\xd8\x7c\x0c\xcf\xff\x0e\xe0\xf2\x0e\x7a\x82\x07\xb7\x87\x71\x22\x22\x84\x37\x56\x79\x64\x79\xdf\x6d\x30\x2e\x78\xd1\x2f\x7a\x00\x46\xb2\xd3\x76\x97\xd4\x0b\x43\x4d\xdf\x64\x94\x54\x6a\x3c\x17\x45\xbf\xab\xd4\x20\x3b\x8f\x0f\x35\x09\xca\x7d\x23\xc9\xa5\x05\xf6\x78\xd0\x14\x2a\x7d\xd4\x35\x4e\x77\xda\xc7\x59\x7a\x61\xc4\xe8\x2f\x31\xbb\x59\xca\xbb\x49\x16\x46\xc5\xb4\x41\x08\x2a\xa6\x9f\x97\xad\x16\x8d\xbc\x9f\x36\xca\xac\x41\x9d\x8b\xb3\x74\xda\xde\x99\x47\xd8\x21\xd6\xdc\x51\xf5\x4e\x6b\x53\xee\x24\x17\xff\x11\xd9\xba\x67\xd8\x15\x6d\xa0\x17\x7f\x56\xc1\xf6\x37\xc1\xd1\x04\xc0\xfa\x3a\x62\x12\x2d\xef\xb9\x08\x41\x27\xc0\x1d\x8c\x74\xe6\xaa\x31\x5f\xab\xb1\x09\x30\x26\x43\xbe\xe4\x17\x6a\x97\x9f\x30\xf9\x93\x35\x9b\x75\x82\x45\x4f\xd1\xd8\xf3\xb2\x55\x1b\xc9\x09\xbe\x27\x7b\x85\xea\x20\x46\x42\x3c\x2f\x5b\x1d\x22\x26\xd7\x57\xa7\xe9\x1f\xf7\x5b\xbd\x12\xcc\x20\xe5\x18\xa9\x0d\x4a\xad\x32\xb1\x72\x01\xa0\x2b\x71\x69\x11\x79\x35\x04\x50\x76\xba\xe4\x62\x5d\xe4\x03\x7c\x3a\xac\xec\x0a\x14\xac\xf0\xfb\x36\xcc\xb8\x66\x3d\xd8\xc9\xc5\xdb\x67\x8f\x1e\x3d\x7a\x23\xa7\x5a\x98\x11\x9e\x52\xfc\xdc\xf2\x6c\x93\x2d\xb1\x09\x28\x06\x2c\x22\x11\xf9\xb7\xab\x95\x3b\xbc\xc3\x95\x5b\x52\xaf\xba\x8b\x37\xab\x0b\x43\xdf\xa8\x5a\x7c\xb2\xdb\x22\xde\xb6\xaa\x42\x43\x58\xaa\xd3\xc8\x97\xc7\xd8\xb5\x7a\xdb\xce\xa5\x91\xb8\x20\x20\x32\xe6\x43\x63\xb3\x95\xab\xe4\xc9\xc3\x1d\x4d\xb7\x78\x4c\xf7\x60\xb1\x9b\x14\x6d\xae\xf6\xd9\x99\x2c\x12\xfc\x16\x1e\x60\x03\x51\x80\x18\x86\xca\x8e\xdb\x0d\x4b\x54\x44\x55\x1b\x52\xff\xb1\xe7\x34\x2c\x78\x24\x5a\x71\x17\x22\xe5\xa1\xb7\x05\x2f\x44\x2f\xcc\x15\xac\x86\x94\x79\x42\xf2\x43\xd9\x95\x25\x4c\x9c\x63\x9c\x4a\x2a\x02\x1a\x83\x0c\x14\xf9\x6c\x2e\x04\x44\xd5\x64\x54\x83\x42\xb4\xfa\x10\x1a\xe1\xd6\xa6\xe8\xca\x7e\x14\x02\xe3\x23\xed\x5e\x91\x8d\x0b\xa9\x4b\xde\x84\x6c\x69\x91\x00\x54\x8e\x09\xc3\xcb\x63\x51\xd4\xdd\xee\x86\xbc\x33\xe8\x75\x44\xda\xe4\xb7\x67\xb9\xd2\x22\xeb\xca\x2e\x39\x3c\xa7\xb2\x23\x87\xeb\xfc\x68\x9d\x1f\xab\xf3\xeb\xe1\x5b\x4f\xad\x1b\x55\xb1\x32\x55\xc1\xe1\xfa\xd1\xc6\xf5\xf5\xa7\xba\x51\x07\x1f\xa9\xb1\x6b\xcc\x82\xc0\x2e\x7f\xef\x2e\x76\xf9\xdf\x79\x5b\xee\xf2\x8d\xd0\x3a\x03\xd4\x36\x91\x3b\x73\xad\x1f\x82\x89\x50\x03\x12\x93\xe1\xa6\x13\xf6\xe4\xa6\x6a\xac\x8a\xb6\x5c\x0e\x58\x23\x1e\xb6\xf2\xac\x30\x4b\x6d\xe2\x50\x8a\x4b\xdf\x79\x94\x22\xa2\x26\x80\xd8\x01\x05\xf9\xca\x4e\x38\xfd\x97\x53\x52\x74\x84\x5b\x4f\xbc\xc9\xfe\xcf\x03\xec\x98\x75\x26\xb4\x93\x6c\x83\xf8\x99\xce\x62\xb0\x92\x6c\xd1\xea\x02\x01\x91\xaf\x3c\x10\x7c\xa0\x36\xf2\x16\x2a\x83\xbd\x5c\x44\x84\x61\x88\x85\x4e\x30\x6c\x6a\x74\xda\x76\xd8\x6a\x81\x84\xbd\x46\x1a\x71\x9c\x43\x02\xb5\x0e\xe0\x2d\xc3\x7c\x4d\x94\xee\xcb\xe7\x16\x4f\x37\xf9\x0c\x1f\xdd\x05\x1d\xa5\x65\x0a\xe1\xb6\x31\x68\x88\x42\xba\xc0\xac\x36\x19\x4e\xb9\x71\x5c\x08\x8e\x23\x29\x5d\x7e\xbe\xb0\xe2\x53\x0d\xfe\x9b\x6c\x65\x72\x75\xd3\x17\xad\x6c\xe7\x73\x8b\xa7\x47\x36\xd1\xbc\xe8\xed\x83\xf6\x2f\x7a\x8f\xab\x3c\xee\x08\x73\x0f\xec\x63\x9f\x1d\x63\xd5\x47\xfc\x0f\x8f\x05\xff\x5c\x5b\xa9\x5c\x5d\x21\x15\x1c\x2d\xd8\xfd\x3c\x81\x34\xb4\xf8\x82\x72\xfa\x52\x71\x63\x32\x49\x80\x98\xa2\x62\x3a\x33\x6d\x68\x20\x85\x19\xa2\xf3\x9c\x9d\x7c\x82\x71\xde\xe0\xc1\x74\x47\x84\x49\xd9\x79\x7e\x20\x3f\x96\x88\xb5\x30\x31\xd7\xaf\x83\x8b\x71\x52\xb9\x6c\x1e\xe5\xab\x7d\x9b\x0c\xca\x0e\x82\xe5\xd2\x73\xd3\xd7\x05\x68\x18\xdd\xf4\x09\xf9\x61\xf9\x94\x13\x1f\x28\x85\xee\xac\xdb\xcb\x52\xc9\xa0\xf0\x21\xaa\xee\xdc\x64\x41\xe5\x61\x87\x7a\xfa\x79\x52\x34\xc9\xb1\x6c\xe2\x05\xeb\xf2\xa7\x4a\x67\xc7\xc8\xf1\x64\x80\x66\x44\x93\x59\xb3\x25\x92\x11\xdf\x54\x7a\xba\xc2\x1f\x2f\x44\xc9\xd8\xe7\x3c\x86\xab\xef\xff\x57\x2f\x78\xb9\xb7\x02\x7f\xaf\xb8\xc0\x44\x3a\x5c\x1b\xc9\x70\xf4\xfa\x54\xc7\x07\xcf\x82\xdd\xfe\x51\x1f\xd3\x3f\x31\x76\xf7\xc3\x99\x0a\x6a\xaa\x44\x81\xda\xe8\xff\x24\x0b\xbe\x7f\xcb\x27\x2a\x10\xbc\x94\x60\xa0\xd0\x41\x41\x9c\xda\xec\xfd\x8b\xde\x15\xbd\xa4\x9f\x87\xc9\x45\x0f\xac\x5a\xce\x16\x7c\xc7\x04\xfb\x7b\xa9\x49\x4b\x59\x35\x93\xe7\x9e\xff\x35\x2f\xf8\x84\x67\x7e\xbb\xeb\x06\xf6\x02\x11\x59\x49\x80\xa8\x66\x54\x4a\xda\xac\x8a\x24\x4b\xd7\xa0\x83\x93\xa2\xb9\xd6\xe4\x07\xc3\x24\x39\x38\x65\xaa\x9b\xf4\xfa\xab\x89\xe4\xd6\x70\x04\xcc\x2c\xcc\xf1\x48\xd5\x95\xe1\x51\xd6\xea\xcb\xe3\xb8\x40\xfb\x20\x00\xea\x4a\x79\x41\xd5\x40\xc9\x54\xb4\x1f\x8f\xd3\xf5\xac\x45\xea\x1d\x94\x6e\x5c\x91\x6b\xd8\x2a\x13\x2e\x79\x69\x98\x24\x5b\xe6\x3d\xfe\x9a\x47\x46\x3e\x40\xfd\x3f\x4f\x46\x3e\x25\x00\x10\x04\x33\x5c\xd6\x48\x19\x3a\x05\x94\xce\xc6\xbc\x0b\x01\x3e\x06\x97\x05\x14\xa1\x38\x5d\xeb\x27\x61\xde\xa4\x05\x31\xb3\x12\xa7\x05\x94\xdc\x2a\xec\xbc\xd7\xb8\x20\x7b\x62\x88\x1f\x5f\x91\x9f\x5c\x31\xb0\x20\x6a\x82\x20\xf7\xd3\x11\x0f\xee\x63\x07\xe4\xb2\x3c\x43\x8e\x41\x04\xdf\xaf\xfe\xde\x66\x14\xb0\x92\x26\xea\x59\x8f\xc9\x76\x19\x06\xd8\x89\xd3\x71\x51\xba\x12\xc9\x8f\xd6\x18\xd1\x92\xff\xe2\x5a\xf0\xf7\x1e\xfe\xad\xbe\x48\xbf\xec\xb8\x39\xbb\xc8\x11\x90\x2a\x1d\xea\xa3\x52\x49\xa9\x3c\x63\x3f\x95\x72\xc4\xca\xb4\xdc\x4b\xd3\x37\x03\xc1\xdd\x3a\x7d\x33\x59\x9f\x6e\x9d\x6e\x36\x9b\xd3\x37\xe3\x97\x6e\x5d\xa1\x98\x50\x4c\x0e\x28\x2b\x31\x7b\x9b\xed\x07\x3e\x69\x57\xdf\x59\xb9\x19\xf6\x52\x93\x9a\x6c\xd2\x17\x57\xa6\xac\x78\xd3\x24\xe1\x49\xb6\x21\xf2\x56\x58\xb8\x51\x7d\x5f\xf1\x18\x2b\x3a\x59\x8e\xb0\xa8\xfe\xe7\xbd\xe0\xfd\x9e\xf9\x8d\xa3\x92\x3f\x69\xbf\xaa\x38\x2c\x35\xee\x3a\x17\x17\x7a\x59\xf1\x48\xee\x82\x9b\xe1\xfb\xf2\xf3\x72\xb6\xe6\x0c\xa3\xac\x0e\x6a\xd3\x7d\x72\xbf\xc7\x0e\x28\x9a\xf6\xcb\x60\x4d\xfd\xad\xe9\x4c\xfd\x1e\xb5\xee\x5b\x7c\xd2\xa1\x38\x7d\x39\xa2\x0d\xe0\x4c\xf3\x6f\x8d\xb3\xef\xb1\x21\x49\x7a\x3d\x40\x8c\x3f\x19\x8a\x6e\x96\x2e\x89\xd2\xa0\x41\xbd\x63\x3c\x98\x1b\xbe\xbc\x29\x18\x14\xd7\xcf\x22\x14\x54\x4b\xe4\x65\x18\xa7\x88\x03\xd5\xdc\x12\x08\xea\x83\x63\xdf\x94\xc8\x45\xcf\x36\xe0\x54\xf3\xc1\xcc\x4c\xb5\x2c\xd8\xb6\xf0\x54\x94\x09\x30\x0a\x3d\xea\x76\x8d\x4e\x75\x73\x30\xbd\xdc\xb9\x6c\x14\xaa\xd3\x1a\x85\xea\xb6\xe0\xfa\xa5\xd1\xb8\x53\xda\x06\xb5\x2d\xee\xd4\x61\xc2\x9d\x9a\x0a\x9e\xb8\x4c\x01\x90\x66\x51\x47\x23\x4e\xbd\xf5\x4a\xf6\x6d\x9b\x98\x89\xfc\x17\x5f\x19\x1c\x7e\x7a\xb6\x3a\x64\x9a\x1c\xae\x2b\x4f\xe5\x7f\x9f\x57\xb5\x50\xfe\xed\x04\xfb\xbc\xed\x03\xf9\xd8\xae\x7d\x20\x2f\xa9\xd6\xf2\xb6\x4b\x6b\x3e\x6a\xd5\xbc\x7f\x4f\x39\x48\x7e\xcb\x63\x53\x3b\xb2\xb9\x81\x5f\xe4\xad\xa3\xfd\x22\x91\x28\x20\x89\x5b\x63\x41\xc3\x9c\x82\x25\xe9\xd1\xf5\x95\xb0\x8f\x78\x9a\x1e\x3f\xe0\x6d\x81\x45\x33\x6c\xcd\x0e\x5e\xee\xcd\x8e\xf0\x59\x3c\x16\x83\xd8\x73\xf9\xee\xb9\x7c\x1f\x2b\x97\xef\x43\xde\xfc\xf6\xde\xc6\xa7\xf8\x53\xda\xdb\x08\x3b\x49\xfb\x17\x9f\x9e\xad\x56\xbd\x8b\x9f\x5f\x63\xdf\x35\x32\xb4\x12\x50\x1b\x01\x32\xee\xbd\x6b\xc1\xed\xd6\xef\xca\x09\x6f\x81\xea\xd9\xc6\x01\xb4\x4a\x23\x2e\xbd\x2a\x5d\xe8\x32\xef\x2f\xb6\xd9\x17\xf6\xb3\xc7\x27\x59\x18\xdd\x16\x26\x52\x58\xcf\x67\x93\xb0\x28\xfc\xdf\xdc\x1f\xfc\xe2\xfe\xa1\xcb\xda\xf1\x06\x3f\x94\x84\x9d\x85\x11\x5f\xa5\xc7\x38\x14\x0e\xed\xea\x5d\x05\x2b\xaf\xe0\x27\x8d\x9a\x84\xd1\x68\x6e\x44\x9b\x95\x63\xac\x4d\xde\x5a\x94\xc2\xa4\xe3\x46\x51\x0e\x12\x61\x55\x5f\xad\x53\x49\x52\xab\xde\x2b\x9a\x49\xea\x1c\xf4\xb0\x40\xed\xc7\xc6\x7a\xdc\xc3\x78\x17\xb2\x80\x40\x7d\x55\xe7\x6e\x93\x9f\x4b\xc9\xc6\x42\x39\xd3\x64\xba\x24\x41\x1d\xc2\x79\xd3\xa8\x21\xa7\xd6\xcd\xcd\x6f\xc9\xef\x4b\x25\x9c\x8c\x85\xda\x4e\xa7\x06\xae\xca\xf4\x1e\x3c\x6d\xcd\xe8\x41\x42\xf5\x29\x4d\x76\x87\x8a\x2f\xdb\x72\x4a\xa9\x8c\x7d\x9d\x97\x59\x14\x0e\x74\x56\x9c\x41\x6c\x8f\xa4\x2c\x51\x76\xf2\xac\xbf\xd6\xa1\xe5\xca\xfa\x91\x8a\xa9\x45\x04\xc5\x35\x3c\xda\xeb\x60\xc4\x21\x26\x17\x42\xa1\x7f\x48\x81\x4b\x07\x26\xd6\xcd\xf9\xba\x0a\x23\xac\x93\x4d\x22\x2c\xd0\xed\x40\x64\xb7\x5d\xc7\x37\x94\x1d\x04\x12\x00\x71\x76\x0a\x5a\x43\x63\x24\x01\xf2\x6a\xf2\x19\xab\x17\x5b\x36\x8c\x3a\xb7\x3b\xca\x62\x4a\x0d\x2b\x5e\x4b\x25\x9b\xd0\x5f\xc3\x38\x2a\x51\x5a\x74\xb6\xfd\x6a\x22\x06\x36\x98\xe6\x91\x19\xa1\x2b\x48\x2f\x70\x86\x6b\x5c\x5d\xe0\xb3\x69\x4b\xe8\xe9\x92\x0d\x13\x3f\x43\xe4\x1f\xf7\xbb\x2a\xd6\x6a\x23\xee\x29\x30\x07\xbd\x6b\x61\xd1\x91\x07\x62\xca\x51\x9a\xa5\x95\x8f\x41\x07\x1c\xb9\xef\x4f\x6b\xec\x1a\x7b\x0b\xcf\x2d\xf8\x9f\xad\x05\x1f\xa9\x41\x2e\x95\x81\x67\xd0\x83\x90\xf2\xe4\x09\x6e\x37\xea\xfe\x80\x0e\x4a\x25\x4b\x79\xbb\x74\x22\xdd\xdc\xc2\x08\x20\x2a\x67\x66\x29\xdd\x25\x12\x3d\x91\x46\x05\xc2\x01\x98\xf4\x4b\xd0\x81\x13\x2c\x93\x2c\x57\xb1\xa1\x69\x55\x21\x60\x51\xfb\x03\x0d\x79\xe0\x8c\x4b\xcd\x56\x85\x4a\xb4\x5f\x6e\xe4\x3c\x23\x5d\x44\xda\xa7\xe1\x7e\x58\xe7\xb7\x28\xbd\x13\x34\x68\x1c\x86\x33\xcb\xaf\x1f\x63\xdf\x6e\xf7\x06\x73\x74\x17\xe5\xfa\x16\xfe\xff\xa8\x05\x5f\xaa\xd9\xac\x0e\x4d\x26\xd5\xf4\xcd\x5e\x12\x96\x52\x3b\x27\x47\x21\xf4\x50\xe5\x45\x5b\x68\x03\x95\x1d\x6d\x3a\x2b\xbf\xdf\x58\x75\xd6\x09\x82\xf6\x74\x66\xb5\xca\xbe\xd5\xdd\xa0\x63\x77\x6e\xa1\x78\xb8\xe7\x26\xb8\xb4\x60\x0b\xaa\x68\x23\xa9\x11\x25\x66\x1d\x74\xa1\x33\x0c\x1b\xee\xe7\x1b\xed\x38\x17\x1b\x61\x92\x4c\x6f\xa1\xc5\xff\xdc\x18\x3b\xa0\x30\x56\xfc\xb7\x8e\x05\xf7\x8f\x2d\x66\xfd\x52\xe8\xfd\xa4\x27\x35\x23\x57\xa6\x24\x65\x04\xb6\x38\x2f\x06\x68\xa1\xa5\x18\x48\x0b\x6a\x23\x2e\x34\x70\x0b\x30\x42\x9d\xf6\x8e\x29\xc9\x64\x9e\x25\x6b\x94\xda\xb7\x9a\x45\x66\x64\xa6\xb7\xe0\xb7\x54\xf6\x00\x94\x07\x82\xd4\xc6\xb2\x18\xae\x7b\x64\x95\xf3\x82\x05\x92\x5f\xeb\x66\x51\xdc\x1e\x48\x0e\xe3\x6e\x66\xac\xfb\x3d\x8b\x73\x38\xb7\x50\xe7\xf3\x59\x24\x16\xb2\xbc\x44\x59\xd4\xde\xd0\x4d\x3e\x67\x2d\x33\x1d\x51\xa7\xa8\x6b\xf3\x50\x97\xfc\x52\x61\xdb\x89\xc7\x36\x4c\x8c\xb1\xba\x36\xfd\xe0\x16\x95\x0e\xde\x59\x63\x8f\x2b\x44\x21\x25\x22\x05\x5e\xe3\xff\x58\x2d\x78\x49\x6d\x49\x6d\xff\x00\xd1\xb5\xe6\x16\xa8\xb4\xf6\x7c\x96\x8a\x00\xa2\xb3\x61\x62\xbb\x61\x0c\x91\xdb\x9c\x5a\xe1\x0a\x37\xa5\xc9\x31\xff\xd8\x10\x3c\x14\x8f\x8b\x46\x3c\xa8\xcc\x5f\xea\x4b\x72\x5d\xe5\x67\x5c\xcb\x0d\x5e\x79\x18\xe7\xe5\x49\xeb\x71\x5e\xf6\xc3\xa4\x11\xf7\x0a\x54\x71\xf0\x86\xa4\xf7\x0b\xb1\x2b\xb5\xff\xde\x7e\x76\x95\x85\x8a\x52\xf8\x1f\xdd\x1f\x3c\xb0\xdf\xbe\xa2\x7d\x75\x94\x78\xdf\x40\x37\xa5\xb2\x67\xab\x47\x91\xc8\x09\x67\xd0\x39\x4c\x41\xac\x53\xfd\x55\x47\x28\x95\xe6\x52\xcd\x52\xa2\x67\x21\xb7\xbe\x26\x56\xe2\xc1\x2d\x15\x27\x61\x4b\x7e\xd5\xe3\x0f\xcc\x7b\x94\xb9\x58\x84\x5d\x41\xb1\x0c\x85\xde\x18\xcb\xb8\x3d\xd1\x01\x78\x0b\xe0\x0c\x34\xf9\xb2\xd3\x79\x25\x1a\x42\x92\x60\x75\xeb\x86\x72\x83\x14\x25\x3f\x7c\x9c\x1e\x0e\x07\x95\xda\x56\xa7\x74\xbf\xc1\x87\xde\xc9\x0a\x91\x12\x69\x50\x5e\x0d\xc5\x64\x58\x1f\x25\x41\x45\x07\x5c\xad\x86\xad\xf3\xf2\x38\x1b\x81\x57\xe1\x32\xfc\x30\x49\xc0\x41\x03\xd0\x82\x92\x07\xa4\x99\x7e\xd9\x72\xa7\xa2\x35\x4a\x7d\x50\xd9\x88\x80\x1c\x5d\xae\xd2\x09\x0b\xa7\x09\x34\x49\x85\xa5\xa2\x72\x42\xc9\x48\x05\x21\xcf\xd1\x32\x22\x6a\xe2\xb2\x3a\x08\x94\x96\x4a\x8e\xa7\x81\x5d\xcf\xaf\x2b\xc2\x14\x0a\xdf\xe8\xfe\xa8\x5a\xed\x2d\x08\xf7\x09\x13\xad\xe2\xc6\x6d\x92\x47\x41\x68\xea\x42\x2a\x42\x21\xd2\x42\x9b\xf8\xc1\x38\x86\x5f\xb2\x21\x35\xaa\x90\x0e\x66\xca\x14\x6a\x13\x64\x82\xea\xf9\x68\x65\x69\x51\xe6\x21\xd2\x9a\x9b\x86\x7d\xa9\x48\x59\xab\x03\x02\xc3\xa4\xd9\xc7\xd4\x5b\x5b\x64\xd7\xb4\xa6\x8e\xb5\xca\x17\x22\xa9\xef\x22\x82\x12\xe0\x35\xea\x23\xb7\x0b\xe5\xe4\x20\x78\xa4\xdd\x07\x99\x67\x5d\xd7\xa8\xdf\xf4\xb4\xfa\xcd\x31\xf6\xad\x23\x49\xdf\x7f\x60\x2c\x78\xf3\xd8\xc8\x5b\x3a\x17\x3a\x6e\xbb\x5a\x16\x9a\x9a\x0a\x4c\xbe\x96\x67\x9e\x3e\x6d\xac\x43\x2f\xcd\x22\x01\x18\x50\x80\x91\x45\x47\x6e\x63\x23\x8e\x8c\x7a\x5e\x34\x79\x00\x3b\x2f\xe0\x0a\xc0\xb1\x70\x54\x76\xb4\x02\xcc\x2d\x20\x89\xaf\x67\x71\x84\x1e\xeb\x56\x96\x46\xbc\x93\xf5\x80\x2c\x1d\x09\x12\xf1\xc7\x23\x81\x42\x03\x20\x59\x10\xa7\x41\x45\x24\x8f\x8b\xf3\x05\xef\x65\xa5\xe6\x31\x71\x97\xc4\x9a\x48\xf7\xbe\xe8\xe5\x22\x8c\x00\x27\x2a\xa0\x73\x2e\xe0\xd9\x6a\xd1\xea\xe7\x5b\x75\x50\x12\x78\x2b\x94\x9c\xcc\xe9\xa3\x31\x26\xc3\x9c\x38\x0a\x11\x6c\xd5\xb5\x2c\x8b\x20\x9b\x10\xcd\xf9\x61\xd4\x30\x1d\xb0\xd7\xf0\xaf\xae\x66\xac\xa5\x8e\xdd\xc2\xff\xf2\xd5\xc1\x9b\xaf\xd6\xc7\x70\xc5\xad\x28\xbb\x84\x58\x1a\x02\xe4\x83\x78\x2d\x55\x42\x5a\x5c\xa8\x39\xc1\x03\x5b\x72\xa7\x7e\xd1\x87\xc9\xd0\x4f\x62\xc2\x69\x32\xc0\xc4\xa2\x30\xd5\xc8\x1c\x0e\xe7\xe9\x86\x29\xbc\x57\xc7\x18\x93\x06\xa4\x67\xf0\xc9\xb0\xe0\x3d\x29\x59\x23\x8e\x84\x63\xe9\x9d\xd2\xa5\x4d\x11\xac\x55\x6e\x6c\xe0\xdd\x7a\xbf\x25\x0a\x37\x4c\xe3\xb9\x40\x5f\x6f\x42\xf0\x96\x8d\xb8\x10\xa6\x5c\x90\x89\x2f\x02\xba\xb4\x80\x5b\xad\xbd\x64\xb9\xc1\x49\x29\xd2\x82\x2e\x2a\x3c\x05\xef\xa7\x89\xc2\xaa\x02\x9a\xb1\xb6\x39\x24\x5e\x81\xda\xa0\xde\xcd\x1c\x09\x86\x4f\xaa\x18\x35\x9d\x89\xaf\xbf\x4c\x59\xf7\x92\xd1\x00\xfe\xda\x70\xfb\x6e\xd3\x60\xbf\x72\x1b\x8f\x15\xaa\x19\xe0\x28\x96\xee\xa8\x94\x45\x22\x71\x8f\x9e\x3a\xc6\x8a\xa1\xf9\x86\x87\xab\xd9\xba\x98\x6a\x72\x5e\x2d\x92\x46\x22\x4e\x5d\xe1\x05\xa2\x5d\x6e\x32\x08\xa6\xa0\x08\x60\x48\xe7\x9e\xa1\xa4\x26\xe7\x4b\x84\x8f\x01\x1d\x29\x33\x6a\x82\x58\x72\xc8\x83\x8e\x08\x23\x98\x4a\x5a\x92\x80\x4f\xa6\x19\x27\xf9\x83\xcf\x2d\x4c\x29\x81\x13\x4d\x0c\xed\x7e\x82\x87\x3a\xe6\xa7\x1a\xbb\x9d\x7d\xb4\x10\xc8\x05\x01\x24\x4b\xea\x91\x72\x0b\xe8\x69\x44\x46\xb9\x0a\x49\xe0\xbb\x14\x56\x37\x3f\x63\x5d\x15\xdd\xa8\xe5\x19\xc9\xb5\xf6\xaa\xd5\x0d\x81\x8e\xa6\xc8\x11\x7a\xf8\x16\x1a\xbf\x2b\x2f\x0f\x77\xd2\x39\xd9\x9c\xbd\x04\x46\x77\xf2\x58\x6b\xdb\xa8\xe6\x20\x4a\x7d\xde\x62\xd8\x75\xed\x1e\x05\x59\xc8\x06\x68\x30\x8c\xe8\xee\x43\xf7\xa0\x38\xa0\x1b\xc6\x90\x66\x25\x79\x01\xc5\x35\x19\x3b\x67\x36\x59\x30\xb7\xb0\x7e\xfc\x64\x3f\x4c\x96\xca\xb0\x75\x3e\xd0\xca\xfb\x5a\x58\xda\xd0\x91\xd5\xa8\xd6\x24\xee\xc6\xc4\x19\xb2\x54\x28\xe9\x00\x09\xca\x0e\x57\x81\xcf\x86\xc5\x56\xc3\x15\x3b\xfa\xa6\xdc\x64\x9d\x2c\x89\xc0\x74\x74\x21\xee\xf6\xbb\xb0\xe0\x1b\x99\x96\xb5\x26\x23\x29\x58\x17\x72\x18\x52\xd5\x05\xdc\x53\x11\x53\xa9\xca\x48\xe4\x72\xe3\x2d\x77\x44\x21\x0f\x09\x9a\xc5\x56\x96\xe7\xa2\xe8\xc9\xe3\x81\x58\x1c\xed\x49\xe2\x66\x71\xef\xf6\xb0\x1b\x03\x01\x53\x97\x6f\xcb\xca\x8e\x35\xe1\xc8\x41\xcd\x53\x72\x83\xac\xc9\xf3\x23\x35\xfa\x3e\xdd\x1e\xd0\x49\x4e\x0d\x3d\xaa\x4a\xc5\x2e\x6b\xb7\xbd\x71\x1f\x7b\x02\x86\x67\xcd\x76\x44\xeb\xbc\xda\xb7\xfe\xbf\x8c\xab\xf0\xde\x6f\x8c\x8f\xb8\x6f\xc1\x89\xca\x79\xc0\x27\x20\xbe\x0b\x4e\x5f\x78\x44\xf9\x57\x95\xc1\x1a\xf7\x66\x66\xb3\x0e\x34\xb0\x92\xc6\x4a\x20\xc8\x43\x82\xc6\x68\xa9\xc9\x7e\x01\xb4\x0a\xc0\x37\x27\xe9\xd4\xd9\x5c\xd6\xa1\xb9\xdd\xb1\x88\x09\xd6\xda\x9c\x6b\xb1\x7a\x6a\x59\x9f\x9f\xfd\x32\xeb\x86\x25\x19\x6a\xf5\x69\x0a\x95\x5c\x48\x48\xc3\x73\xb9\x20\xa3\xa6\x63\xd9\x29\xa6\x40\x89\xd2\x81\x34\x28\x46\x65\x3c\x12\xa5\xc8\xbb\x71\x2a\x20\x28\x52\x01\x31\x67\x91\xa0\x30\x68\xa3\xa3\x99\x72\xc8\x8a\x43\x82\xed\x62\x4b\x36\xb3\x29\x77\xc5\xad\xad\x8d\x41\xa9\x90\x82\x6f\xf9\xf0\xf1\xd7\x34\xe3\x49\x96\xae\x49\xc9\x0c\x9b\x56\x86\x5e\x79\x20\xc3\x39\x37\xe8\x89\x29\x37\x44\xfc\x7f\xd4\xd8\xb7\x2a\xab\xbe\x2b\x49\x7f\xb9\x16\x7c\xa6\x36\x37\xea\x96\x45\x94\xda\xde\x05\xbb\xd9\x78\xf3\xb4\xec\xa9\x21\xe1\x40\xb4\xd6\xd9\xfa\x66\x86\xb3\xdc\x96\xad\xad\xeb\xa9\x14\xd7\x8c\xc0\x0a\xef\x17\xc3\x5f\x00\xeb\xae\x35\x09\x4e\xeb\x46\x22\xa7\xd7\x47\x4b\xf4\xee\x57\xeb\xfa\x29\xa9\xb7\xe4\x59\xaf\x87\x16\x9f\x74\x93\x77\xd0\xe9\x11\x46\x03\x17\x34\x49\x6f\x11\x3d\x06\x47\xfc\xfd\x91\x7d\xec\x1a\x97\xad\xf9\xff\x30\x1e\x7c\x63\x7c\x6e\xc1\x61\x75\x95\x38\x03\xc3\x9f\x1b\xa9\x55\x0c\x07\x75\x40\x25\x38\x68\xdc\x90\x25\x5b\x30\x8e\x0b\x38\x1c\x4c\x31\xee\x2d\x4e\x2d\x7d\xae\x20\xf6\xb1\x14\x7a\x60\x34\x06\x45\xd0\xe0\x46\xba\x44\x4a\xbc\x62\x09\x82\x1f\xa0\xe5\xa6\xf1\x24\x50\x51\xf0\xc0\xba\x1b\xf0\x49\x1d\x2a\x21\x4f\x35\x18\xfb\x54\x9d\x07\x0b\x20\x23\x59\xfd\x9b\x94\x07\x95\x7a\x24\x46\x2f\x9d\x75\x5c\x59\xf8\x6a\x44\x8d\x05\xca\x7d\xd5\xc6\xe5\x7b\x78\x4d\xbd\x49\x8f\xa3\xa0\x18\x50\x44\xe8\xae\xbe\x5c\xb7\xc4\x7b\xb9\x9f\xa7\x28\x19\xc2\x3a\xe5\x6c\x11\xa3\x50\x08\x68\x68\xee\x57\x06\x95\x11\x0e\x3e\x38\x7f\x77\xc8\x19\x8a\xad\x24\x2f\x07\x10\x78\x1f\xfb\x76\x0a\xb8\x9c\xcf\xca\x45\x49\xca\x33\x4a\xdb\xf2\x5f\xbb\x2f\xb8\x7f\xdf\x66\x77\x9d\xa8\xd3\xb0\x04\x3f\x58\xb8\x26\x34\x3c\x58\x24\xc2\x84\x6c\xc5\x23\x78\xaa\xda\xb5\xc4\x24\xa2\xb8\xc8\xc5\x5a\x98\x47\xd0\x8c\x8a\x40\x22\x0b\x1b\x6c\xb0\xe9\x34\x2b\x1b\xd6\x56\xeb\xe5\x71\x37\xcc\x07\xc0\xe0\x41\xa3\x90\x4d\x17\xb6\x50\xaf\xb9\x33\x02\x55\x2e\x95\x61\x29\xc5\xf4\x25\x51\x1e\x2c\xf8\x9d\x4a\xbc\xb7\xd8\x47\x2f\xcf\x7a\x21\x08\x51\x4b\x8b\x77\xf1\x93\xf3\x4b\x10\xc2\x90\x93\xcd\x28\x2e\x0b\xbe\x90\x45\x26\x52\xaf\xd7\xcf\x7b\x19\x66\x50\xf6\x84\xc8\x4d\x80\x1e\x76\xd0\x32\x44\x5b\x99\x6b\x38\x57\x6b\x22\x15\x90\x02\x61\x59\xd6\xd2\x48\xff\x5a\x02\x30\x03\x13\x01\xe9\x38\x00\x81\x0b\xf6\x72\xe5\x93\x53\xf6\x27\x5c\x83\xa4\xca\x9c\x5a\x59\x5a\xc4\x58\xa2\x25\x80\xd9\x0b\xb8\x90\x27\x1e\x31\x6f\x18\x50\xd9\x11\xdd\x42\x24\xeb\x24\x80\xc1\x19\x37\xb3\x26\x52\x8d\x9b\x2b\x1b\xe9\x77\x29\x78\xda\x1a\x97\x1a\x46\x64\x7d\xd4\xf6\xbc\x9c\xb2\x39\xfd\x66\x83\x93\x8c\xa1\x08\xdb\x02\x75\xf6\x7e\x97\xce\x6b\x15\xfc\xe3\x82\x96\xbc\x62\x9c\x7d\xa7\x92\x04\x6c\x21\x46\xc9\x4c\x85\xff\x8d\xb1\xe0\x8b\x63\x5b\x3e\xa2\x23\x5e\xe2\x36\x37\x17\xb7\x91\x3a\x88\xbc\x6c\x27\x2c\x6c\x2c\x57\xed\x72\x90\x42\xcb\xbc\x2f\x02\x0c\x72\x0c\x07\x16\x7f\x0c\x20\xc5\x32\xa8\x9e\x9f\xae\x5f\xca\x40\xc6\x09\x64\x5b\xba\xa7\x4d\xbe\xf5\xe8\x40\x9d\xb6\x5c\xb2\x3b\xe8\xb8\x63\x96\x6b\x25\x22\xb4\xdc\x59\x4a\x72\xb4\x8c\x06\xa6\xc0\x0a\xb8\x51\x1f\x76\x7b\xe2\xe9\xdb\xd4\x68\x66\x71\xe3\x58\xbe\x44\x8b\x16\x2e\x7a\xec\x5b\x2b\x8e\x10\x2a\x65\x72\xbf\xc7\x8e\xef\x00\x8c\x6b\xc4\xab\xc1\xed\x23\x5b\x74\x4b\x76\x3b\x66\x20\xf2\x01\x54\x1c\x24\xec\xbf\x1f\x60\xcc\xb0\x7c\xff\xab\x07\x82\xb7\x1d\xa0\xe3\x7d\x28\x70\xde\x3e\x5e\x50\x6a\x9b\x5b\x58\x3f\x56\x97\xff\x1e\x9f\xda\xc6\xe4\x75\x89\x27\xbb\xbb\x54\x43\xb6\x32\x97\xf8\xb5\x85\x5f\x91\xa8\x1b\xe9\xa8\xf2\x93\x46\x2b\x68\x5b\xc8\xc8\xc6\xd6\x66\xe5\x05\xc9\x2d\x86\x67\x74\x6c\x57\xbb\x54\xc5\x7b\xb0\x07\x75\x5b\x61\x54\x1f\x24\xdc\xea\xb8\x1c\x52\x33\x2e\xd1\xd2\x56\x99\x1d\x1d\x20\x0a\x93\x41\x95\xbc\x4f\xc8\x6f\xd0\x17\xe1\x5c\x89\x22\x8a\x74\x00\x73\xb6\x3a\x7d\xe5\xbb\xf2\x74\xd2\x92\x07\xda\x4a\x6d\x2c\x48\x68\xc4\x92\xcf\xad\x33\xcd\x92\x57\xda\xf6\xc6\x18\x69\xfa\x92\xb4\x42\x8e\x3e\xb9\xf6\x81\x3b\x8e\x6c\x74\xfc\x42\xa1\xcc\x3d\x3b\xb4\x28\xd5\x4d\x69\x2a\x8c\x7c\x91\x7c\x4c\x99\xc8\x02\xcd\x5f\x2e\x45\x44\xd9\xd2\x38\xc4\xd8\xf2\xe5\xda\x2e\xd4\x56\xda\xc2\x80\xa1\x77\xdb\x8e\xac\x18\x55\x51\x0d\xbc\x38\x96\x77\xec\xe1\xb2\x69\xec\xda\xce\xf0\xff\xd4\xd8\x95\x4a\x91\x9f\x5b\x28\xfc\xaf\xd6\x82\x8f\xd5\xac\x0b\x5b\xd8\xd5\x25\x29\xe3\x59\x2f\xd5\x9c\xa2\xb2\xed\x14\x88\x63\x81\xb5\x10\x7a\x26\xce\xa2\xaa\x23\x3b\x36\x22\x12\x26\xd0\x61\x8f\x83\x37\xc2\x03\x3e\x89\xb1\x77\x98\x6c\xd2\x93\xa2\x8a\xaa\x70\x0b\x06\x3a\xdc\x17\xa1\xf9\x5c\x98\xe7\xf1\x3a\xe2\xcf\xab\x92\x1b\x1a\xc7\x79\x6e\xa1\xc9\xf9\x0c\xe4\x0e\x67\xa9\xca\xdd\x03\x73\x98\xb2\x16\xb8\xf6\x01\x92\x98\xa8\x8f\xbd\x30\xd7\x49\xbe\x96\x84\x43\x50\x6a\x5b\xb8\xa3\x3e\x58\x63\x57\x09\x8b\x74\xfd\x07\x6a\xc1\x9b\x6b\xf6\x15\x15\x08\xa8\xfb\xa1\x1d\xce\xd8\x05\x93\xd8\xd1\x15\x92\x1d\xc4\x45\x57\x87\xb5\x94\xfd\x1c\xc1\x69\x53\x1e\x26\x71\x38\xc2\x28\x81\x07\x46\x08\xe2\xea\xec\xfc\xcc\x99\x53\x24\xb4\x4e\x35\xf9\x7c\x66\xec\xcb\xc6\x90\xba\x9e\x25\xeb\x60\x45\x31\x90\xe9\x3a\xc3\x82\x2f\xde\x3e\xdb\x38\x7c\xf8\xc8\x51\x80\x1f\x86\xa4\x8d\x49\x65\x5e\x2b\xb3\x2c\x29\x9a\xb1\x28\xdb\xcd\x2c\x5f\x9b\xee\x94\xdd\x64\x3a\x6f\xb7\xe4\xd3\x53\x94\x4c\x4d\x7e\x83\x15\x49\x98\x2b\xe4\x33\x08\xec\x7d\xed\xaa\xc1\x6f\xd4\x15\x1b\x5e\x35\x16\xbc\x0d\x50\xe7\x12\xa7\x6a\x83\x5e\x21\x95\x0a\xa3\x94\x5b\x4d\x6d\x8f\x91\x19\xf0\x10\x6b\xb2\xfa\x0e\x24\x0c\x68\x40\x72\xd4\x87\xbc\x23\xec\x3b\x86\x77\x70\x37\xec\x35\xce\x8b\x41\xe1\x7f\x8b\xef\x37\x60\xd0\xac\x01\x48\xeb\x59\x2b\x4b\xd8\x36\xc9\x87\xdd\xb0\xb7\x33\x2c\x0a\x68\xf7\x12\xb0\x28\x5e\x75\x80\xf2\x26\x5e\x7c\x20\xf8\xfb\xfd\xc0\x9c\xb5\xd5\x8c\xea\x4e\x5a\xf1\x9a\xb0\xc3\x60\x79\xdc\xe0\x0f\x7d\xae\x34\xe9\xd0\xb2\x31\x4b\x5d\x27\xc3\x0e\x9d\x1a\x81\x7e\x2e\xd0\x32\x30\x94\xf4\x25\x8f\xac\xb6\x0f\x19\xd6\x06\xfb\xc5\xda\xf7\x94\x65\x6d\x19\x89\xdc\xd8\x06\x3d\x4e\xcd\xaa\x75\xf1\xa9\x2c\x47\x91\x38\x2c\x47\xb8\x2a\x56\x07\x24\xd5\x90\xe7\xbd\xdf\xb2\xe2\xe4\x2d\x35\x08\x03\xc0\x87\xb4\x21\x55\x7e\x58\x4a\x4d\xc6\xcc\x2f\x95\x08\x72\x6c\x39\xae\x27\x05\x15\x68\x5c\xea\x76\xa4\x38\xb9\x99\x74\x12\x65\x68\xa5\x46\x9b\x67\xf2\x90\x02\x0a\x25\x67\xb1\xda\x6e\xca\x4f\xe2\x12\x04\x7c\xb5\x1f\x27\x18\x80\xa8\x67\x5e\x85\x68\xe8\xc9\x07\xbb\xaa\x64\xb8\xc0\xc1\xa8\x0c\x12\xb8\x11\xc9\xea\x96\x19\x47\x86\xd5\xc5\x8a\x4b\x03\x8c\x75\x66\xad\xed\x4f\x6b\x73\x38\x98\x4d\x28\x4a\xdb\x8e\x0b\x73\x15\xa7\x49\x79\x38\xeb\x98\x41\x5d\xfb\x11\x53\x31\x20\x38\x6e\xea\x32\x3b\xe8\x30\x32\x64\xc7\xca\x49\x6a\x9b\x5b\x9c\xd0\x41\xe1\x78\xbc\x96\x04\xb8\xc6\xed\xea\x94\x05\x8f\x32\x14\x07\x95\x58\xe5\x78\x4d\x8d\x60\xf5\x70\x72\x3a\x22\x8e\x38\x5d\x6b\xe8\xe7\x14\xb7\x03\xa1\xd0\xc9\x63\x3c\xc0\x26\xf4\x34\xf8\xbf\x73\x20\xf8\xd8\x01\x87\x44\x29\xa6\xb5\x52\xef\x42\xcd\x08\xe9\x28\x5b\x78\xe5\xf7\x9c\xf2\xbb\x73\xca\xaf\x26\x61\x7a\xfe\x5f\x87\x53\x7e\xcf\x27\xff\x58\xfb\xe4\x1f\xa3\x58\xcd\x37\x3f\x81\x35\xb6\xc8\x7c\x6c\xea\x94\xe1\x67\xf6\xc3\xb4\x8c\xcb\x81\xff\x0d\x3f\xf8\x92\xaf\x7e\xa1\x62\x03\xc9\x28\x0d\x5c\xe1\x11\xf9\x6a\x84\x03\x04\x06\x39\xf2\x65\x14\x98\xab\x96\x42\x04\x54\x37\xcc\x8b\x4e\x98\xc8\x21\xf4\x53\xf3\x43\x32\x91\xa7\x2f\x9d\x9d\x87\x05\x7d\xf6\xcc\x99\xd3\xa0\x57\x86\x91\x4a\xbe\xcd\xf8\x12\x8c\x61\x12\x85\xe0\x99\x62\x2e\x2d\x8f\x1f\x93\xbf\x20\xba\x33\xcb\x0b\x50\x66\x4d\xce\x3d\xf6\x08\x71\x92\x78\x5c\x9c\x60\xec\xe6\xfb\x68\x1c\xb7\x72\xfa\xef\xc4\x89\x5b\xf8\xcd\xc8\x29\xe7\xa1\xd7\xb7\xde\x5c\xf4\xdb\xed\xf8\xc2\xad\x8c\xf3\xc9\xf9\x4c\x01\xcb\xa8\xab\xca\xc2\x48\x91\x80\x3a\x42\x22\x08\x70\x63\xc7\x29\xbf\x99\x20\x97\x96\xe6\x6e\x6d\x4e\xb1\x9b\xa3\x78\x2d\x2e\xf5\xf7\xe8\x93\x87\xf8\x0b\xf8\x61\xfe\x02\xde\x6c\x36\xf9\x0b\xf8\x8d\x1c\x9f\x2a\x6e\x75\x9f\x52\xef\xbe\x40\xfd\xa5\x1f\xbb\x19\xa7\x78\xe4\xf3\x85\x79\xa1\xb8\xb5\x39\xea\x9a\xfc\xb0\x69\x4a\x8e\xde\xee\x1f\x34\x15\x3c\x25\xe0\x2f\xe0\x41\x23\xa8\xcc\x8e\xfe\x94\xea\xc0\x0b\xa8\x01\x7d\x41\xcf\x94\xdb\xb5\xd5\x38\x0d\xf3\xc1\xd2\x1c\x76\x04\x67\xe8\xd4\x05\x84\x54\xb1\xaf\xc9\x27\xac\x87\xad\x26\x9e\x11\xf3\x17\xf0\x33\xf2\x9f\x3b\xe4\x3f\xcb\xf2\x9f\x05\xf9\xcf\xa9\x58\xae\x15\x39\x51\x29\xdf\x6a\x09\x8f\xac\xac\xcd\xfb\x69\x5c\x16\x37\xf1\x25\x21\x70\xa7\x9d\x98\x9e\xee\x75\x06\x45\xdc\x2a\x9a\x69\x5c\x94\xcd\xb5\x6c\x7d\xba\xd5\xef\x4f\x9f\x93\xcf\x4d\xe3\x97\x9b\x52\xe7\x92\x6b\x67\xfa\x64\xfa\xd1\x95\x13\x23\x67\xe7\xbc\xec\x8f\xec\x8e\xec\x8d\xec\x8c\xec\x8b\x4b\x36\x87\x0f\x1d\x39\xc6\x6f\xe1\x87\x9f\x11\x83\x55\xea\xf0\xa1\x43\x87\xe4\xcf\xf3\x37\xf1\x39\x1e\xc5\x51\x7a\xb0\xe4\xad\x4e\x96\x51\xed\xf5\x56\xd8\x8b\x4b\x4d\xb9\x4d\xd3\x01\x33\x51\xb0\x36\x62\x68\x55\x5e\xc0\x83\x53\xd5\x8b\x8c\xcd\x03\xce\x0d\x98\x15\x80\x59\xd3\x29\x5b\x02\x80\x97\xa0\x36\x61\x83\x14\x26\x7f\x2b\xcd\xb8\xda\x25\x94\x23\xaa\xab\xdc\x29\x5c\xb4\x35\x90\x0d\x49\xa6\x3d\xf2\xdc\xe3\x47\x1b\x87\x25\xe1\x77\xc3\xb5\x34\x2e\xfb\x11\xd4\x4a\xc9\x31\xd1\xb2\xc4\xc0\x1e\x80\x0a\x83\xc7\x8f\x6a\x44\xb2\x5e\x82\xe5\x64\xe7\x09\x35\x2c\x09\xf3\x35\xb0\x20\xa9\x62\x05\xa2\x25\x65\x04\x6d\x2d\x0f\xc1\x45\x9c\xe5\x52\x9c\x04\x14\xbb\x7e\xaf\xc9\x27\x4f\x35\xd7\x9a\x27\xf8\xa1\xe6\xe1\x2e\x69\xf2\xfa\xa6\xe4\x18\x87\xbb\xcd\x29\xe4\xd8\x6a\xdf\x5e\x28\x11\x02\x4f\xa1\x4f\x60\x34\x6c\xdc\xe6\x1b\x42\x9d\x3f\x56\x4f\x8a\x6e\x08\x88\x7b\x34\x23\xb1\x90\x3c\x86\x40\xf6\x6c\x9e\xd8\x0b\xf3\x42\x9d\xfb\x2a\x5d\xd5\x48\x43\xb9\x20\xe0\xa6\xd2\x2a\x10\x84\xdb\x04\x67\x28\xaa\x1b\xc7\x80\x2a\xc4\x8f\x11\xe8\xf2\xe1\x10\x2a\x38\xc0\xf1\x82\xe9\x6d\x06\x54\xa4\xc9\xd8\x6d\x08\xfc\xa5\xae\xc1\x87\x75\xd7\x74\x81\x9a\x3e\xc8\x68\x41\x2b\x4c\xb3\x14\x0a\x26\xca\x55\x57\xc1\xd3\x58\x5b\x16\x08\x56\x51\xda\x34\x75\x4f\x4b\x73\xd1\xf3\xfa\x60\x3a\xee\xf7\xe4\xbc\x44\xd9\x46\xca\x27\x29\x43\xce\x98\xf5\x90\x8b\x03\x60\x1c\x04\x71\x44\x82\xfe\x8e\x53\x7e\x46\x76\xa9\x28\xc2\x29\xac\xa2\x23\xbf\x76\x82\x71\x1e\x92\xf5\x44\x2e\x36\xa5\xe3\x25\x59\x51\x32\xce\x57\xe1\x4e\x3b\x0f\x5b\xb4\xa7\x91\x63\xe9\x2e\x89\x6e\x5c\x96\x22\x62\x9c\xb7\x14\x1c\x3b\x51\xf4\xa4\x5c\x39\xe8\xff\x14\xa6\xba\xe0\x8a\xca\x3f\x7a\x19\xd6\xa1\x6c\xe2\x49\x11\xaf\x99\x22\x3e\x19\xb6\x67\xcb\x90\x44\xef\x50\x57\x7e\x0d\xca\x8a\x37\x19\x3b\x45\xe0\xe5\xb2\xf7\x87\x9b\xd7\x5b\x4e\x79\x0d\xf5\x02\x60\x72\xd7\x1f\x3a\xd4\x0d\xf0\x99\x3b\xe2\xcd\x9f\x3a\x7a\xfc\x4c\x1c\xc8\xbd\xaa\x78\x86\xfc\xf0\x7d\xce\x02\xce\x9f\xba\xeb\xd4\x22\xda\x94\x50\x84\x48\x06\x55\x40\xbd\x90\xb7\x93\x0c\x25\x0f\x3c\x97\xd5\x19\xbc\x4c\x6a\xb4\x6c\x75\xa3\x93\x25\x82\x5b\xb5\x05\xc0\xa2\x20\x72\xb9\xcf\x9a\xb2\x0b\x69\xc3\x10\x88\x8d\xb5\x5e\x94\xf2\x5f\x20\x72\x98\xcd\x4c\x0a\x38\xd0\x26\x02\xe9\x6d\x08\x2c\x8d\x06\x00\xa8\x92\xd1\x99\xc8\xf3\x06\x2d\x13\x6d\xb8\x38\xe7\x2e\x0d\x36\xf9\xe4\x52\xa6\x2a\x7f\xa0\x8b\xd9\xbe\x5d\x47\x6a\x93\x8c\x32\x8a\xdb\xed\xe6\x94\xb2\x57\xab\x53\x1d\xe6\x04\x76\x34\x24\xdc\x9c\x07\xa8\x4a\xf9\x68\xdc\xea\x27\xba\xf6\x56\x09\xa6\x52\x85\x4f\x28\xe9\x36\x93\xbd\xcc\x63\x2c\x4c\x98\x41\x59\x3a\xb4\x4b\xaa\x24\x84\x4e\x98\x46\x09\x96\xf4\x88\xb4\x77\xa4\x93\xf5\x4c\x7d\x2b\x55\x78\x0d\xe3\xb7\x75\xc2\x4a\x96\x23\x18\x88\xd4\x38\x30\xb0\x1b\x93\x77\x71\xde\x2b\x89\xab\xb6\x6c\xf6\xa5\x71\xa7\x64\x70\xd8\x2f\xb3\xa2\x05\xa2\x51\x73\xfd\xc8\xaa\x28\xc3\x23\x06\x8f\x22\x8f\x5b\x54\x8e\xf3\x3f\x8e\x07\xaf\xf0\x86\xaf\x5b\x41\x03\x54\xdd\x5f\xb6\x25\x30\xeb\xba\x0b\x0f\x2a\xd5\x02\xc5\x55\x23\x7d\x2a\xe3\xc9\x64\xdb\x06\x59\xec\xc4\x65\xd1\xe8\x89\xbc\x41\x61\xea\x19\x02\xfb\x63\x79\x62\x7a\x65\xaa\x79\xd1\x7b\x9c\x52\x58\x22\xec\xd4\x45\xef\x0a\xc4\xd5\xbb\xe8\x5d\x81\xdf\x75\x72\xbd\xff\xac\xc6\xee\x61\xd5\x77\xfc\xa7\xb3\x3b\x37\x35\xfa\x8d\x9a\x97\xd9\x3c\x2b\x0a\xc2\x59\xa8\x94\xfe\x64\x2f\xf1\x18\x7d\xd8\x1f\x6c\x0e\x02\x32\xb2\x59\x9c\xd0\x39\x9d\xd8\x1d\xdc\x40\x33\xa7\x73\xbd\x49\xd7\x44\xe0\x40\xba\x49\x95\xbf\x31\xa9\x92\x8c\x5a\xec\x85\x8c\xa6\xc1\x2f\xd8\x8d\x97\xd1\x89\x65\x78\x39\x38\x4e\x9f\x72\x23\x16\xe9\x22\x86\xb2\xa8\xa8\x09\x0c\xb8\xc3\x3e\xb1\xf7\x8c\xb1\xc9\x11\x86\xd3\x99\xe7\xf7\x73\x71\x7b\x9c\x08\xa7\xc2\xeb\x8b\xc6\x82\x67\xe9\x3b\x4e\x5d\xd7\x94\xc3\x75\x0e\x37\x94\x82\x83\x55\xee\xac\x6a\x7a\x30\xf2\xd5\x38\x8d\x4c\x01\xbc\x12\xab\x6c\x34\x2f\x7a\x0c\x8b\xad\x4a\x2d\xe8\xa2\x37\x51\x74\xc2\x1c\x0a\x4f\x3a\x44\x71\x7f\xed\x31\x2c\xd5\xf8\x5c\x66\x75\xd1\x5f\x08\x66\x6d\x48\x2b\xaa\x14\x8b\xe1\xcc\xca\x55\x8d\x73\xa2\x0a\x7b\xce\xb4\x5a\x30\xea\x79\x45\x03\xcf\x10\x03\x7b\x9b\x3f\x99\x99\x51\xfb\xdf\x16\xb0\x25\xf9\x83\xeb\x39\xa0\xa7\x5e\x72\x0d\xab\x8f\x58\xb0\x05\x5d\x57\x17\x07\x30\x9b\x84\x71\x17\xb0\x18\x3e\x7f\x75\xf0\x22\x6f\xd3\xdb\x15\x68\x06\xf2\xdd\x58\x08\x0d\x72\x6c\x34\x80\x48\xa0\xe3\x52\x19\x20\x37\xa4\xce\x47\x5c\x45\x12\x97\x4e\x79\xd5\xe5\x82\x4c\x3b\xce\x32\xfe\xfa\x55\xec\x53\x1e\xbb\x12\xf5\xb3\x33\x59\x24\x0a\xff\x57\xbc\xe0\xad\xde\x8c\xb9\xe0\xfa\xfb\x15\x1e\x0d\x61\x46\x76\xe1\x09\xf0\x13\x3a\xb5\x6f\xa5\x48\x79\xe9\x1a\x34\x8e\x6e\xda\x54\x26\x6e\x60\xab\xc5\x93\x28\xdd\x17\x3e\xd7\x38\xbc\x85\x0b\xea\x77\xc7\x19\x8b\xc2\x32\xa4\x7d\xf2\xb1\x71\x76\x62\x5b\xdf\xc4\xf2\xa0\x27\xa2\x91\x35\x89\x5f\x36\x5e\xc9\xef\xb7\x32\xdd\x28\xb1\x9c\xdc\xaa\x27\xf8\x75\x7c\x26\xe5\xe2\x42\x5c\x00\xfd\xd2\x6e\x4d\xc3\x5e\xd1\xc9\x4a\xcd\xaf\x0b\xba\xd0\x54\xb5\x4f\x09\x72\xc4\x7d\x7c\xaa\xd2\xd8\xc2\x5d\xb3\x7c\x72\x24\xe1\x54\x9f\xac\x02\x0c\xa2\x89\x5e\x1d\x68\x05\x87\xea\x7e\xbd\xac\xd7\xa7\xba\x5e\x93\x33\x49\xaf\x13\x4e\xf1\xb9\x94\x70\x69\xe9\x34\x1e\x6a\x67\xa0\x4f\x55\xdd\x5a\xb5\x31\x0c\x61\x98\x49\x07\xd8\xbf\x93\x7a\x15\xdc\xa0\x7c\x15\xd2\xaf\xca\x56\xaa\xc8\xfd\x9e\xae\x7b\x0c\x72\xbd\x6d\xd5\xb6\x80\xb5\x21\x42\xca\xca\x1e\x37\x76\x23\xe8\x8d\xc2\x8b\x53\x72\x3d\xda\xc8\xa5\x5e\x24\x36\x14\x89\x3a\xc9\x9a\x50\x73\x0f\xdc\x11\xed\xcd\xdb\x6b\xb2\x3f\xf2\xd8\x84\x0e\xd3\xf2\x3f\xbb\x93\x22\xd7\x0a\x50\x8f\xe2\x28\x61\xfe\x83\x9f\xf0\x16\x75\xb0\x57\x25\xa4\xb5\x1b\xa7\xe0\xce\xb7\x21\x23\x1f\xe9\x6d\xa5\xbf\x25\x8f\x60\x93\xf7\xbe\xc1\xbe\xef\x32\x90\xb8\x4e\x87\xab\x22\x51\xe5\x97\x82\xa3\x33\x94\x5b\x7b\x5f\x5f\xe4\x03\x48\x84\xa3\xc1\xc0\x09\xa1\x62\xf1\x80\x5d\xc9\x83\x48\x9e\xa7\xec\x67\x3c\x76\x2d\x75\x17\x70\x63\x80\x01\x43\xfd\x86\x79\xbb\xc8\xb0\xf5\x44\x25\xd8\x17\x20\x66\xe2\xee\xc3\x39\x47\x00\x2a\x22\x79\x8e\x61\x32\x6f\xd1\x05\x99\xa1\x3c\xf8\x6b\xbc\xe0\x7e\xcf\xfc\xd6\x31\x75\x1b\x20\x84\x92\x32\x49\x0b\x19\x6f\xda\xe3\xbb\x54\x94\xab\x55\xd8\x5b\x0a\xcf\x5d\x2c\xef\x06\xca\x25\x1a\xf2\xa9\x76\x53\x9c\xe2\xab\x40\xb3\x8e\x98\xfa\x3c\xa7\x5e\xf4\x73\x02\xaa\x02\x6f\x3b\xe0\x69\xca\x6d\xff\x3b\x8a\x00\x55\x36\x03\xc9\xc2\xda\x10\x8d\x7d\xb5\xbf\xf5\xf1\x09\xdb\x5c\x39\x12\x37\xfa\xf6\x24\xdb\x58\x02\xd4\xab\xd3\x71\x51\xfa\x6f\x98\x08\xa6\xdd\x4b\x6e\x30\x86\xb9\xa7\x7d\x81\x17\xbd\x7d\x71\x29\xba\xee\xd9\xf5\xbb\xfb\xe5\xb6\x34\x00\x72\x9f\xf3\xd8\x4d\x97\x43\xb6\x71\x81\xf0\x71\x3f\xe6\xad\xa8\xb6\x56\x34\x68\xa3\x02\x94\x83\xce\x3d\xfa\x60\x72\x7b\x78\x65\xbb\xc4\x2b\x2b\x19\x52\x8e\x7f\x3e\xf8\x3f\x56\xe0\xaf\x95\xcd\xa8\xad\x70\x42\x5b\x6e\x62\x37\x6e\x8e\x4f\xb9\x0d\x99\xef\xa1\xa4\xed\x06\x25\xad\xbf\x3d\x4a\xda\xa2\xbf\xa0\x51\xd2\xec\xa5\x30\x28\xd3\x95\xe2\x4c\x2e\xbf\x71\x71\xd4\x60\xf5\x18\xfb\x9d\xab\xd9\x93\x37\xaf\x76\x88\x4a\x34\x00\xde\x3f\x78\x75\xf0\xd7\x9e\x75\xa1\x7a\x90\xe7\xfd\x04\xd0\x5f\x7a\x3d\x1d\xcb\x08\xc5\xbe\x11\xb0\x37\xb4\x44\x0c\xd0\xc4\x68\x5f\xe5\x22\xc1\xd8\x55\xc4\x66\xb0\xbc\xdd\x73\x69\x2b\xeb\x22\xaf\x56\x28\xf9\xb9\x42\x99\x10\x92\x94\x74\x4c\x76\x88\x2d\x02\x26\x04\xa5\xa6\x98\x74\x23\xe0\xfa\xd4\xf8\x70\xf1\x7f\x61\xe0\x6a\xac\xa1\xc1\x99\xe4\x22\xbf\xbd\xfb\x4a\xf6\x55\xc6\xc6\xe5\x87\xfc\x2f\xb1\xe0\x53\xec\xce\xac\xd0\xe6\x2b\xa8\x25\xc0\xef\xeb\x87\x09\xc9\x50\x58\xfb\x5f\xa9\x66\x52\x0c\x83\x59\x85\x7e\x92\xef\xb4\xad\x22\x4c\x16\x6f\x9f\xe5\x47\x6f\xbc\xe1\x78\x93\x93\xa5\x4d\xea\x32\x52\xb9\x41\xf4\xd5\xf5\x38\xac\x54\x2e\x0d\x64\x2b\x81\x13\xae\x76\x6e\x71\xce\x6e\x15\xeb\x26\x40\xab\x27\xf8\xe1\xa6\x13\x89\x47\x05\x26\x9b\x9c\xb0\x29\x93\x81\x65\x2d\xd1\x83\x37\xa8\x5e\x2a\x28\x81\x71\xae\xfc\xfc\x64\x72\x02\xed\x8d\x3a\x40\xc5\x7a\xa9\x99\x26\x3b\x82\x86\xcf\x95\x13\x2b\x3c\x12\x98\xe9\x9a\x1b\x67\xaa\x24\x05\x58\x74\x81\x16\x2a\x0c\xf5\xaa\xf6\x90\x4d\x70\xab\x93\xa8\xa7\xe3\x90\x2d\xf3\x8e\x12\x15\x5a\xb1\x7c\xe8\xc4\x0d\x87\x80\x22\xe4\xbe\x95\xbc\x59\x36\x71\xe2\xd8\xb1\xa3\xfa\x62\xd1\x64\xb7\x51\x7d\xe4\x42\x20\xc6\x01\x78\xc6\x5d\xab\xfb\x66\xc4\xa7\x0a\x71\x82\xdd\xbb\x28\x8d\x59\x81\x6a\x5c\xc0\xfc\x54\xc9\x48\x09\xfa\x1d\x22\x98\xa1\xd2\xb4\x6a\x28\x14\x8c\x12\x26\x26\xbb\xcd\x91\xd9\xcd\x06\x1a\xfa\x06\x43\x72\x54\x09\x56\xe4\xa1\x08\x8c\x2b\x3c\x74\x68\x52\x99\x19\xc1\x42\x03\xc1\x4e\x84\xf5\x9b\x95\xc3\xf4\x4a\xe1\x85\x41\x3b\xcb\x9a\xab\x61\xde\x6c\x65\xdd\x00\x62\x0d\x82\x8d\x38\x89\x5a\x61\x1e\x05\xf5\xcd\x3e\xa4\xf1\x01\xc9\x20\x4f\xc9\x58\xea\x45\x12\x95\xe9\x03\xd7\x35\xe5\x27\xa0\x79\xa4\x1e\xfd\x58\xab\x13\xe6\x61\x4b\x92\xd0\xc1\xeb\x0e\xa2\x26\x15\xf6\x7a\x22\xcc\xe5\xfe\x89\xcb\x42\x24\x6d\x15\xad\x83\xfc\xe1\xe4\xfc\x12\xb5\x8d\x07\x34\x16\x09\x40\x7a\x56\x9d\x80\xfb\x4d\xfe\xec\xac\x2f\xe7\x4d\x12\x1e\xc2\x4d\x55\x7b\x67\x3e\x81\xfd\x84\x99\xbe\xe5\x16\x1e\x5c\x17\x4c\x61\x01\x01\xa0\x0f\x65\x58\x1e\x45\x23\xf0\x0a\xf9\xfc\xd3\xca\x0e\xdf\x08\x07\xb8\x47\xdb\x5c\xb1\x14\x5a\x3e\x27\x36\xde\xaa\xa3\x41\xa5\x59\x55\x76\x06\xd0\x3a\x2c\x54\x47\x84\x11\x6e\x33\x21\x79\x91\xe4\x7e\xb2\xc9\x26\x3f\xe2\x34\x6f\x46\xa8\xf3\xf8\x2e\xf3\x33\x65\x66\xbe\x04\x14\x8a\xae\x99\x49\x1d\x07\x6f\x56\x04\xe6\x72\x4a\xb1\x0b\x3d\xc5\x50\x63\xd6\x16\x5c\x4e\xb1\x71\xf9\x25\xff\x96\xcd\x85\xda\xca\x19\x75\xe7\xf2\xf2\x42\x75\x43\xb0\x5f\xbe\xda\x81\x04\x77\xde\x40\xb1\x85\x5e\xf1\x5f\x77\x75\x70\x7f\xcd\xe2\x26\x21\x6f\x49\x95\x5b\x07\xef\xe1\xb1\xa6\x52\xab\xb2\x0d\x1e\xa7\xab\x59\xbf\x02\x18\x54\x66\x58\xd6\xa9\x12\x85\x67\x71\xf9\x50\x1d\x42\x4d\x3e\x63\xb8\x17\x6d\x58\x2b\x85\xb0\xcc\xc0\x3c\x6a\xd2\x75\x94\x35\x20\x19\x34\xe0\x13\x90\x12\xd1\xcf\x93\xa2\xee\xc0\xf7\x29\x96\x51\xd7\x1b\x5a\xf0\xa5\xa5\xd3\x75\x9e\xb5\xa5\xac\x04\xbb\x11\xb9\x89\x8a\x95\x91\x6b\x29\xd7\x48\x94\x2d\xf7\xa8\xfb\x0f\x6c\x4f\xfe\xde\xc3\x0b\x7e\xec\x4a\xc4\xfe\xab\x84\x47\xff\x43\x05\x8f\xfe\xbb\xde\x16\xfa\xd5\xe6\x7c\x0a\xc0\xd2\xff\x03\x80\xa5\x2b\xa9\x53\xd9\xa4\x75\xbd\x02\x4b\x98\x78\xd4\x11\xc6\xff\xd4\xc0\xa4\x7f\xd1\xdb\xc2\x8f\xb4\xc5\x08\x11\x34\xfd\xa2\x67\x0a\xc1\x96\xa3\xaa\x7e\x3e\x86\xa3\x7c\xc8\x6b\x6d\xaf\xa4\x7d\x9f\x7f\xab\x56\xd2\xac\xd1\x56\x34\x33\x1a\xc1\x48\x95\xec\xcf\x0e\x54\xea\x7e\xa3\x65\x55\xc7\x90\x83\x39\xe9\xd7\x0f\x04\xdf\xe3\x5c\x71\xf5\x7b\x13\xde\x3e\xd2\x88\xf4\xb3\xfb\xd9\x6f\xdb\xdb\xec\x23\xbb\x34\x22\xbd\xd8\x6c\xb2\x47\xd7\x64\x64\xf1\x90\xbd\x53\x6b\xb7\xa7\xd6\xf7\x2b\xab\xd1\xd9\xc0\x3f\x3d\x44\x48\xb6\x99\xa8\xc9\xea\xec\xba\x6d\x7d\x01\x9a\x3e\xf7\xce\xc3\xdd\x58\x86\xce\x6d\xcf\x74\x8e\xf8\x87\x1a\x0e\x48\x3e\x57\x2c\x28\x08\x34\xcf\x71\xd8\x05\x63\x1f\xbd\x6a\x64\x91\xee\x8a\x33\xd0\x7f\xcb\x55\xc1\x3d\x95\x6b\xc6\x37\x2a\x52\x88\x72\xb7\x2b\x76\x97\x19\x4f\x44\xc9\x07\x59\x9f\xc7\xa0\xea\x96\x18\x39\x17\xc5\xed\x01\xa9\x1a\x14\x69\x4d\xdb\xca\x61\x4c\xef\xbd\x92\xbd\xd4\x63\xe3\x52\x5e\xf5\x5f\x10\x64\xf3\x4e\xd1\x20\x44\x53\xbd\x64\x2f\x47\xb6\x2e\x85\x69\xb1\x31\x4d\xbc\xb8\x21\xb5\xd1\x06\x19\xd9\xb1\x58\xf5\xf4\x93\xe0\x7f\xf6\x66\x78\x8d\xc7\x26\x74\x21\x6b\xff\x7e\x2f\x28\x74\x09\xef\x47\xa3\x47\xc3\xe5\xb3\xbf\xee\xb1\xc7\xa9\xcd\xa0\x78\xdc\xe7\xbd\xe0\xa3\xba\x82\x0a\xaf\xdc\x95\x4b\x81\x8a\x39\xb1\x36\xb5\x7c\x10\x75\x18\x21\x16\x69\x98\x0e\x1e\x71\xc2\x96\xe3\x86\x63\xbc\x35\x68\x90\xcd\x12\x4e\x55\xf0\x86\x15\xa5\xbc\x6e\x0f\xf4\x45\x1e\x1b\xeb\xc7\x91\xff\xfc\xa0\x7b\x6e\xee\xe4\xa3\xb3\xfc\xfd\xd8\x15\x42\x9f\xea\x1c\x25\x53\xc1\x13\x67\x16\xe6\xd4\x06\x1b\xea\x51\xc5\x13\x3f\x01\xaa\xfe\x42\x58\x76\xfc\x8f\x8f\x07\x1f\x1c\x9f\x6b\x13\xcd\x53\xea\x59\xc8\x7b\xb1\x40\x2a\xd2\x87\x0b\x54\x7f\x13\x61\x44\x17\xe5\xe4\xe5\x2a\x29\x8c\x50\xdc\x88\x57\x9a\xc3\x07\x10\x9c\x55\x12\xc5\xd3\x97\xce\xce\x4f\xdf\x91\x91\x99\x81\xe2\x14\x40\x68\xea\x02\x1e\x2e\xc4\x36\x62\xd6\x86\x94\x1a\x01\x0a\xa5\xd9\x0d\xd3\xb8\x2d\x8a\xb2\x49\xad\x89\xbc\xb8\xfb\xc8\x3d\xa3\x8b\xd8\x6a\xce\x6b\x51\x11\x0c\x46\xbf\x0b\x56\x1e\xe8\x52\x2f\x53\xd0\x73\x1b\xd0\xd9\x32\x3c\x4f\x01\x5e\xc8\xe9\x93\xf8\xbc\x38\xc1\x03\xaa\x29\xac\x3e\xfd\x03\x72\x2d\x5e\x18\xf0\xc9\x0d\x88\x95\x09\x52\xc8\xb2\x82\x0f\xea\x13\xd5\xae\x22\x66\x3e\x4c\x19\xc2\xf1\xda\x1a\xc0\x9c\x00\xd7\x97\x04\x38\x45\x29\x7b\x69\x66\x3d\x9c\x92\x3f\xd0\xd8\xd3\xaa\x1d\xb9\xfb\xc8\x3d\x01\x9f\x74\xc7\x85\xa5\x7b\xf9\x11\x8d\xd7\xdf\xcb\x22\x55\xb1\xb0\x18\xa4\x65\x78\x01\x21\x32\x00\x18\x19\x2c\x4d\x0a\xc0\x1c\x82\xf8\x36\x44\x92\x34\x94\x3d\x60\x23\x1c\x20\xa8\x0d\x4e\x25\x86\xb9\x29\x7b\xae\x91\x37\x6c\xb2\x7a\x93\x2a\x47\x08\x5e\xd7\x67\x38\x75\x07\xb7\xd8\x17\x8f\x82\xba\xf6\x0b\x13\xac\x39\x32\x0e\x40\x43\xd4\xcf\xea\x38\x06\x2a\xf3\xff\x2f\x07\x82\xbb\xb6\xb8\xbf\x55\xe1\x7f\x55\x45\x29\x37\xaf\x5b\x71\x12\xcd\x8b\xde\x01\xba\xe3\xca\xbb\xaf\x3a\xc0\x5e\xe7\xb1\xc7\x6b\x50\x09\xfa\x7a\xe1\xff\x80\xc2\xdf\x6b\x57\xca\x6b\x6b\xf8\x09\xd5\x1e\xc6\x75\x51\xc1\x0f\x55\xfb\xb6\x1b\xa7\x00\x89\xb4\x04\xa1\x87\xc5\x94\x5d\x3a\x71\x64\x07\x1d\xf4\xb5\xd7\xd4\x18\x33\x15\xf4\xfd\xff\xe5\x05\xcf\x5e\x74\x87\x4e\x02\xa4\xe9\x4d\xb6\x5a\x88\x7c\xdd\xc0\x8e\x6c\x36\x13\x07\x0b\x57\x73\x72\xa4\xb7\x59\x36\xc3\x9e\xb6\x83\x48\x8e\x11\x2b\x64\x15\xca\x7f\x04\x4a\xe0\xbf\xc9\x63\xdf\x02\xce\x14\x08\xaa\x10\x91\x5e\xa6\x1f\x52\xcb\xf4\xbc\x11\x75\xd5\x61\xf7\xc3\x56\x03\x2b\xa3\x53\x82\x40\x5f\x53\x8e\x8a\x2c\xe2\xa5\xe8\xf6\x12\x4b\x9b\xdc\xc9\x52\xbd\xca\x63\x3e\xce\xbd\x88\xee\x40\xcc\x23\x79\x30\xf4\xa1\x5f\xc7\x8f\x05\x2b\x67\x87\x6e\xca\x9d\x99\xc8\x33\x06\x83\x1e\xcd\x75\xfa\x2c\x20\xae\xe7\xa2\x85\xfe\x0d\xd5\xf8\x8e\x7a\xd3\x62\x57\x03\x31\xea\xf9\x59\x54\xf3\x73\x8b\x3b\x3f\x48\xb2\x9a\x84\x2f\x89\x3a\xbf\xe0\x31\xbd\x99\xfc\x4f\x7a\xea\x0b\xef\xf3\xd4\x57\x95\x8a\x5e\x1d\x08\x8e\xc3\xee\x04\x3e\x7f\xc9\x27\xb7\x3c\xb0\x93\x2c\x8c\x8a\x69\x0b\x3e\x6b\xda\xea\xbb\xb9\xfc\xa4\x8d\x4e\x58\x36\xe2\xa2\x11\x36\x46\xde\x77\x46\xf6\x07\x57\xb1\xeb\x76\x64\x93\xc0\xe2\x4e\xef\xbe\x2a\xf8\xbb\x9a\x7d\x65\x88\x41\xd9\xf5\x9d\xe8\xc1\xba\x39\x29\x75\xc8\x8b\x32\xfb\x4a\x81\x8d\x1c\x64\x31\x5e\xc2\x12\x3e\xee\x5c\xc4\x45\x83\xc0\x04\x1b\x70\x7b\x85\x83\x7e\x42\x8b\xe6\x46\xe5\xa9\x98\x6a\x85\xc3\xc6\x9d\xee\x1a\x18\x46\x0b\x0b\x8c\xda\x6e\x72\xca\x1a\x51\x40\x79\xee\x38\x49\xf7\xea\x84\xe4\x12\xb0\xba\x40\x58\x56\x25\x94\x60\x4c\xc5\x86\x71\x64\xe9\x50\x2e\xe5\x68\x0a\x69\x8a\xac\x74\x47\x95\xbe\xa1\xa1\x8d\x3a\x00\x13\x8f\xd8\x59\x38\x1d\x0e\x07\xff\xf0\x81\x3d\xfd\x7e\xcf\x2a\xbd\x67\x95\x7e\x58\xad\xd2\xdf\x50\x56\xe9\x3f\xf2\xd8\xcd\x97\x61\xb3\x05\x2e\x01\xa6\xe9\xb7\xec\xd8\x34\x3d\x8b\xd5\xca\x1e\x6d\xcb\x6d\x67\x7b\x23\xca\x29\x7f\xb6\x31\x6c\x8e\xe5\x3b\x36\xe6\xc2\xc8\x18\xfb\x7a\x8d\x1d\xb4\x66\xaf\x07\x00\x4f\x7a\xe6\xee\xcc\x8a\x72\x21\xcb\x4b\xa8\x78\xe5\xff\x72\x2d\x78\x9d\xe7\x5c\xd2\x6c\x2c\xe4\x88\x75\x90\xb5\xd1\xed\x6a\xe1\xe1\xe8\x44\x33\x8c\x25\x46\xff\x62\x8f\x80\xa4\xb2\x9c\xa4\x22\x08\x69\x6e\x72\x3e\x57\x1a\xe8\x80\x55\x0a\x7e\x90\x2b\x43\x78\x1a\x22\x55\x30\x02\xa4\x9e\x34\x2f\x7a\x63\xdd\x38\x95\xff\x86\x17\x1c\x1e\xfc\x6a\x8f\xcd\x32\x79\xd5\xbf\x59\x49\x03\x07\xbb\xa8\xf8\xd0\x16\xd7\x22\x15\xc2\x40\x43\xd0\x66\x11\xaf\x0b\x57\xb2\x38\xc5\xe4\x07\xfc\x5b\x55\x23\x53\xdd\x38\xb5\x42\x0f\x4d\x5c\xcb\xd6\xcd\xfc\xcd\x04\x3b\xb6\xa3\x7d\x37\xb3\x30\xa7\xe2\x8f\xc1\x76\xfe\xfe\x89\xe0\x3f\x79\x95\x8b\xae\xf9\xdc\xba\xa9\x4a\xf7\xa9\xa3\x16\x91\x6e\x86\x94\x51\x73\xe8\x39\xd0\x23\x3a\xee\xa9\x85\x64\x84\x95\xb2\x90\xc6\x08\xa8\xa2\x52\x0a\x3d\x2e\xb8\x36\x00\xc9\xb5\xb8\x0a\xde\xa3\x43\xee\xa2\x37\xe1\x72\x76\xb5\x34\x3f\xb2\x9f\x3d\xe0\x04\x6b\xbf\xd9\x0b\xee\xb4\x10\x36\xed\x64\x86\xd1\xdd\x36\x7d\xc1\xd4\x39\xab\x13\xb6\xee\x70\x1b\xfb\x3e\x76\xeb\x65\xf0\x3e\x6b\x46\xf7\x0e\xf2\xdd\x1e\xe4\xf7\x32\x87\x2a\xfc\xb3\xc1\x6d\xf6\x6f\xb5\x97\x86\x28\x0e\xa7\x6e\x04\xe5\xb7\x01\x65\x75\x4f\x52\x78\x58\xec\xf5\xcf\xda\xfe\xa8\x39\xe6\x1f\xd9\xde\x5e\x5f\x59\x27\xc6\x3e\x7d\x80\x3d\x71\x94\x9b\x45\x76\x0a\x18\xdb\xbb\x0f\x04\xdf\xa5\x7f\x55\x1c\x82\xeb\x62\x53\x6f\xe0\xdb\xf7\xef\x6d\xc9\xdd\x6e\xc9\x05\xe5\x3b\xbb\x23\xb8\xe6\xb4\x33\xe7\x36\xf7\xbc\x8e\x4d\xb2\xef\xdd\xde\x6f\x26\xdf\xdb\xdb\x83\xbb\x90\xd6\xff\xd5\x39\xb7\x1f\xf2\x9e\xb9\x3d\x57\x69\xfa\xf5\xc6\x28\xbf\x9f\xe2\x08\xd5\x42\xda\xff\xe0\xb1\x27\x8d\x4a\xe5\xcc\xa2\x45\xa8\xd8\x25\x8a\xe2\x8e\xb0\x14\xfe\xa7\xbd\xe0\x44\xf5\xa2\x2b\x52\x38\xf9\x34\x60\xff\x37\xd8\xb9\x17\xbd\xab\xf5\xdf\xcb\x83\x9e\x9b\x50\x5b\xb0\xfb\x98\x7b\xdb\x5f\x09\x96\x66\xed\x0b\x96\x07\x20\x34\xad\xaa\x48\xca\x5e\x16\x1d\xb4\x80\x7a\x71\x85\xc0\x60\x6f\xac\x80\xd5\x4a\xbf\x1f\xbb\x9a\x3d\xc7\x8c\x1b\x90\x37\xe4\xa4\x14\x0d\x13\x48\xaf\xa9\xc1\x79\x40\x4b\xf1\xb3\x90\x28\xa8\xb8\xf3\x52\x7f\x55\xed\xb8\xa5\x56\x98\x08\xff\xcf\xae\x0a\x9e\xbb\xf5\x23\x9a\xa3\xaa\x1c\x78\xf9\x59\x14\x80\xe1\x76\x61\x9e\x07\x91\xde\x6d\x4d\xf2\xf1\x6b\xa5\x60\xa9\x4c\x71\x0b\x61\xd9\xb9\xe8\xf9\xa8\xec\xd8\x17\x9d\xc9\xfe\xf4\x95\xec\xfe\x31\x36\xe2\x29\xff\x2f\x6a\xc1\x1f\xd4\x86\xaf\x3b\x7c\x1f\x20\x90\x7a\x21\xb8\x42\x8a\x38\xa2\xd0\xf6\x91\xa9\x97\x06\x78\x03\x11\x87\x61\x48\x2b\xd8\x7e\x53\x99\x03\x57\xa8\x1a\xab\x6e\xb7\x70\x02\x93\x81\x63\x72\x6d\x6d\x92\x22\xa9\x8e\x5d\x37\xb8\xa5\xf0\x32\x74\x15\xf3\x0c\x56\x9a\xf8\x95\x95\xe6\xe8\x12\x16\xf8\x94\xc9\x42\xa7\xf1\x90\x9f\xc1\x19\x0a\xc6\xdf\x0e\xf5\xda\x2d\xcd\xb8\x32\x0d\xeb\xb5\xe2\x2c\x18\xe8\x67\xca\x96\x55\x66\xfc\x90\x43\x7d\x5f\xd9\xc7\x1e\x9f\xd8\x49\x83\xb0\x02\x9f\xda\x17\xfc\xea\xbe\xa1\xcb\x8f\xc8\x02\xa8\x84\xc7\x47\x76\x01\x78\x06\x3f\x7a\xa2\xb5\x62\x9e\x27\x9b\x21\x04\x97\xc3\x26\xbd\x33\xcb\xe3\xe7\x4b\x4e\x92\x2c\x64\xd1\x0c\x81\x0c\x20\x3c\x88\x02\xb1\x83\x83\xc8\x42\x7e\x35\xd3\x60\xca\xdd\xd3\x99\x88\x2f\x4c\x42\x16\x01\x6f\x65\xdd\x5e\x22\x2e\x18\xf8\x4e\x04\xe5\x9c\x32\x15\x0d\x90\x7f\x85\x36\xf4\x09\xc6\x7c\xeb\x57\xe2\x54\x37\x0d\x90\x20\x97\x51\xab\xd9\x62\xd9\x61\x2f\x9e\xc6\xe5\x6a\x68\x19\xa2\x7a\xa1\x61\x9d\x53\x4f\x82\xc9\x68\xd8\xa4\xf5\xf0\x12\xb5\xa6\x84\xcb\x20\x6a\x10\x13\x2c\x5c\xbf\x6a\x2d\xf5\x21\xfe\xe4\x7f\xa6\x16\xfc\x46\xad\x7a\xf5\x61\xa6\xf0\x9e\x68\x3d\xe2\x0c\x06\x49\xfa\x61\x5a\x89\x4d\xa7\x5a\x21\x3f\xa7\x5c\xe4\x79\x96\xf3\x2c\xe5\x77\x9c\x5a\x76\x66\xf9\x65\xfb\xd9\xa1\x1d\x89\x32\xe8\x57\x9d\x0d\xfb\x85\xf0\x3f\x77\x45\x70\xc1\xfa\x6d\x80\xf0\xba\x8a\xb6\x55\x24\x4f\xb8\x0a\xb6\xfb\x94\x4b\xe1\x80\x5c\xb3\xed\x30\x4e\xfa\xb9\xb2\xc9\x40\x2e\x6d\x0b\x40\x50\x21\x51\xb7\xdb\x4f\xca\xb8\x97\x08\xec\x32\x26\xcd\x88\x14\x50\x27\x44\x0e\x86\x04\xeb\x34\xfa\xc4\x3e\xf6\x4b\x63\x6c\x1f\xec\x59\xff\xdd\x63\xc1\x5b\xc7\xcc\x9e\xaf\x58\x27\x94\x8b\xaf\x40\x48\x1b\xf2\x16\xc0\x47\x20\x9d\x2a\x0d\xbb\xc8\x20\xa4\x7c\x0a\x2b\xe6\x40\xed\x35\xf9\x19\x90\x73\x21\x83\x18\xb2\x5c\x00\xe4\x31\x2b\xca\x76\x7c\xc1\x50\x80\x3c\x67\x53\xac\x43\x60\x70\x23\x9a\x7c\x46\xd2\x09\x8e\xe5\xf9\x22\xcf\x1a\x10\x08\x00\x58\x90\xb7\x23\x7c\xab\x14\xa2\x29\x1f\xc5\xc0\x89\x65\x10\x22\x01\xeb\x87\x84\x96\xb5\xb1\xf3\x05\x8f\xfa\x20\x26\x11\xf8\x6b\x27\x84\x54\x89\xca\xd4\x35\xf9\x59\x82\xde\xac\x00\x3b\x51\x54\x44\x83\x72\x2b\xe4\x64\xd1\xa5\xcc\x05\xba\x55\x73\x27\xdf\x01\xcd\xe4\xee\x43\xf7\x34\xb7\x7b\x19\x93\x35\xb0\xc3\x22\x2d\xf3\x01\x80\x73\xc1\xeb\x81\x4d\x79\x3f\xc4\xf6\x77\x45\x51\x84\x6b\xc2\x2f\x83\xb5\x19\xde\xe9\x77\xc3\x14\x6a\xf3\x80\x97\x1a\x31\x3d\x7a\xb6\xb7\x13\x33\xbd\xe8\x07\x8c\xd1\xad\x14\x40\x30\x68\x06\x3b\x2a\x2c\x1a\x2a\xc2\x24\x87\x8c\x13\x87\xf4\x5f\xe5\xb1\x2b\x72\x11\x16\x59\x0a\xa1\x59\x33\x9c\xa8\xff\x92\xfb\xa0\x20\x39\x75\xbd\x2e\xe4\x69\xf6\xd6\x76\xf6\x84\xf2\xc4\x3b\xbd\x79\xf0\x5a\xf6\x6f\x47\xa2\x7f\xb7\x72\x51\xfa\xaf\xbe\x56\xaa\x10\x88\xcf\x82\x15\xe6\x08\xac\x05\xb0\x16\x90\xc5\x89\x1c\xa2\x79\x54\x35\x15\x49\x20\x65\x98\xf0\xd5\x41\x69\xaa\x10\x10\xf0\x15\xb1\x93\x93\xf2\x65\x9a\x3b\xe2\x56\x04\x0f\x16\xa6\xfc\x4c\x78\x01\x3f\xb8\x14\x3f\x5f\x60\x2b\xee\xe6\x7b\xe0\x9a\x3d\xfd\x72\xcf\x1b\xe4\x7a\x83\x3e\x59\x63\x0c\xc7\x27\x69\xcb\xff\x95\x5a\xf0\x96\x9a\xf9\xad\x10\x77\x08\x00\x46\xd2\x43\x9a\xa5\x0d\xc4\xa5\x74\x28\xba\x2a\x34\xcd\x51\x56\x1b\x16\x8f\x43\x34\x72\x80\x47\x6a\x40\x9c\x54\x9c\xf6\xfa\x2a\x3d\x4e\xb2\x60\x0d\xc8\xda\x12\x4d\x3e\x93\x58\x65\xea\x2d\x64\x61\x08\x18\x89\x78\x9c\x92\x24\x12\x99\xdd\x90\xa5\xd8\x7a\x1d\xd0\x37\x14\x94\x5a\x98\x0e\x0c\x5e\x8c\x32\x14\x01\xd4\x9e\x19\xa1\xa9\x42\x2b\xd6\x45\xce\xb3\x7e\x29\x7b\x06\x27\x1b\x95\xb0\x36\x14\x3c\xb3\x30\xd7\x7c\xb0\x02\xc3\x63\xed\x30\x76\x86\x00\xf4\x4f\x05\x37\x9c\x23\xcf\x41\x3b\x6c\xc5\x49\x0c\x2e\xb1\x5e\x9e\xad\xe5\x61\x17\x0a\xed\x18\x40\x37\x03\xe3\x04\x0b\x6f\x13\xdc\x9e\x7d\x6e\x97\xf6\xb9\xcf\xd4\xd8\x38\xee\x56\x39\x75\xb0\xdc\x8e\x05\xc3\x9e\x78\x7e\x2a\x6c\x75\x24\xd9\xa9\xea\x30\x10\xa6\x0a\x13\x96\xf4\x3a\x61\xda\xef\x8a\x3c\x6e\x99\xb4\xd4\xa2\xce\x0f\x36\x0e\xd6\xf9\xc1\x7b\x0f\x4a\xad\xe7\x60\xf3\x20\x91\x96\xd1\x2b\xe4\x4e\x30\x60\xe2\xd6\x5e\x29\x20\x35\xb0\x10\xc7\x8f\x81\xa4\x14\x81\xd7\x14\x51\x3a\x87\x78\x6f\x98\xaf\xc6\x65\x2e\xb7\xdb\x24\xc1\x45\x0e\x60\x0f\xe2\x0b\x53\xd8\x22\xf2\x6d\x79\x7c\x35\xf9\x49\x85\x5e\x27\xf7\xe4\x36\x55\x3c\x8e\x1d\x3f\x76\xc3\x93\x0a\xcc\x68\x6c\x1c\x7b\xd0\x7b\x02\x7b\xbc\x3f\x2e\x4f\x8e\x4d\x08\xfc\x6b\x1e\x9b\x88\xbb\x54\x13\xc9\xff\x82\x17\x7c\xc2\x9b\x53\x3f\xb1\x3e\x8e\x1d\x1f\x82\xd5\x96\xc9\x7f\x89\x18\x43\x25\xd4\x02\x53\xc9\xe4\x38\x27\xad\x2a\xbb\xe7\x93\xc0\x23\xe8\x88\x51\xac\x4a\x85\xbf\x40\x54\x79\x2c\xa2\xa9\xa6\x2e\x26\x6b\x7f\xd4\x48\x39\x95\xe7\x39\x15\x2b\x2c\xe3\xae\xd0\x25\x2b\x70\x93\xa6\x71\xe2\xa0\xae\x3d\xe4\xcd\x6f\x6f\x78\x7b\x8a\x3f\xb5\xbd\x39\x1f\x87\xc8\xd8\xd7\x26\xd8\x91\x51\xc2\x02\x62\xf1\x9c\x5d\xaa\x42\xd1\x10\xa6\xd7\x7b\x26\x82\x23\x56\x74\x60\xc8\xf5\x0b\xdc\xc0\xf7\x28\xbc\x1d\x8d\x96\xed\x1c\xfa\x7f\x75\x80\xfd\x86\xc7\xae\x68\x17\x60\x67\x7b\xbf\x17\x3c\xe0\x59\xa8\x3b\x00\xd9\x53\x66\x08\x8d\x67\xab\x40\xed\xca\x33\xc6\xc1\x49\x71\x4d\xe0\x9f\xce\x7a\x10\xdf\x96\xae\xa9\x8a\x39\xfc\xd4\x85\x26\x0f\xc4\x85\xf2\x58\x50\xe7\xc1\x85\x76\x21\xff\x97\x96\xed\x22\x68\xf2\x39\x93\xb3\x0f\xe2\x01\xa5\xbe\xae\x0a\x7a\x41\xd2\x8f\x95\x28\xef\xb0\xc2\xc7\x0e\x80\xef\x93\x1e\x9b\xc0\xcd\xbb\x28\xda\xfe\x87\x3d\x76\x68\x5b\x53\x7e\x15\x5a\xed\xe5\x24\x08\x2e\x8a\x76\x05\x2a\x51\x01\xf8\x21\x12\x99\x3c\x08\xb3\x55\xc9\x9e\xd4\xe6\x37\xcb\x3d\xb3\x30\xc7\x5b\xb9\x00\xa4\xc7\x30\x29\x46\x56\x52\x76\xca\xd0\x5a\xa5\x0d\xcb\x52\xca\xb7\x22\x6a\x4a\x09\xda\x86\x4b\x7a\x61\xd0\x1b\x86\x4b\xaa\x88\xf5\xe9\x30\x1a\xd5\xd9\x25\x22\xb9\x26\xa7\x89\x43\xc7\x31\x1c\xd2\xb0\x75\xfb\x69\x7c\x5f\x5f\x98\xd8\x70\xed\x57\x76\x16\xf5\xb3\x63\xec\x71\xa6\x37\x98\x73\xf1\xe1\xb1\xe0\x3d\x63\x77\xb9\x17\xab\x93\xd6\xca\x7a\xba\x4b\x44\xfb\xf4\x25\xdd\x41\x35\x3f\xe6\xcb\x6e\xf4\xb7\xce\x81\x5f\x00\x53\xb2\x79\xaa\x52\xae\x1a\x94\x15\x12\x82\x4a\xb7\x46\x14\x4c\x8c\xec\x0b\x45\xf8\x4b\x56\x13\x4b\xfd\x82\xa0\x0f\xec\xee\x60\x10\x66\xbc\xd6\x51\x15\x93\xd7\x72\x52\x52\x97\x44\xc9\xad\x35\xa0\x32\x8b\x29\xfd\x2d\x85\x99\x3c\x8e\x04\x05\xd8\xe0\xf2\x52\x89\xcc\x7e\x8e\x6f\x97\x19\x0f\xe8\x16\x6c\xa1\x41\xd6\xd7\xb0\x1a\xfd\x02\x44\x36\x9d\x5b\x32\x62\x9e\xe6\xcd\x4d\xe4\xd3\x58\x97\xa4\x97\x8b\x06\x88\x4e\xc3\x63\xd1\x18\xd8\x00\x38\xe7\xee\xd3\xff\xfe\x2d\xec\xbb\xed\x28\xa2\x2c\xc2\xb0\xe2\x7e\x2a\xd9\x2e\x86\x56\x7e\xfa\x5b\x82\x4f\x8d\xd9\x57\xac\xf0\x17\x1d\x55\x69\x02\xf1\x73\x7c\x72\x44\x75\x17\xac\xbf\x80\xc7\xae\xd3\x9e\x15\xb9\x61\xea\x7e\x3b\x16\x40\xab\x5d\xeb\xe1\xbc\x9f\x02\x14\x87\xc9\x0a\xe0\x2a\xb5\xa1\xe9\x7c\x41\x09\xa4\x54\xa8\xc4\x4d\xfa\x87\xda\x66\x52\xa6\xa5\x2a\x6a\x16\xda\x5f\x9d\x2a\x66\xe9\x20\xd1\x58\x53\xa1\x89\x0f\x95\x34\x96\x88\x72\x54\x79\x34\xc9\xe2\x13\x8d\xb2\x60\xf7\x08\xa8\xc7\x78\x64\x08\x9c\x24\xef\xa7\x9a\x97\xc0\x20\x20\xcb\x03\x0c\x16\x91\x28\xc3\x38\x29\xea\xbc\x10\x62\x47\x81\xb9\x66\x52\xa6\x69\xea\x30\x44\x75\xfa\xa2\xb7\x1f\xa4\x59\x91\x3b\x07\xcf\xcb\xae\xdd\x13\x60\x77\x2b\xc0\x7e\x76\x9c\xa9\xb9\xf5\x3f\x3a\x1e\xfc\xd2\xf8\x9d\xf8\xa3\xc2\x11\xc1\x02\x99\x80\x7a\xa6\xa8\x3a\x44\xb4\x0a\xab\x6e\xa7\x86\xf3\x9e\x5d\x9c\xab\x00\x3f\x5b\x58\xef\x19\x6a\x26\x02\xe3\xc9\xd4\x22\x60\x6c\x2e\x16\x60\x26\xcc\x72\x5b\x31\xd3\xe1\x4e\x2a\x61\x27\x8b\x04\xff\x5e\xf8\x90\xd3\x07\x0c\x4c\x03\x10\xf4\xa2\xdf\x05\x36\x4c\xd5\x8b\x69\x90\xd8\x9c\x95\xf9\x60\x17\x98\xc2\x65\xd2\x4f\x2a\xc1\x3a\xa4\xe3\x07\x0d\x8f\xf7\xf5\xe3\xf5\x30\x11\x69\xa5\x38\x55\x25\xbd\x29\x54\xcd\xf0\x56\x98\x24\x50\x24\xb9\x9f\xb6\x02\xde\x95\x2c\x5a\xc3\x9d\xea\x19\x93\x37\xf9\xd9\xd9\x39\x3d\xbb\x93\x8a\xb1\x96\xf1\xba\xe0\xa7\xe3\xb4\x7f\xc1\x62\x1a\x53\xce\x29\xa2\x18\x8b\x93\xbd\x64\x33\x16\x39\xab\x6a\x5d\xb5\x55\x47\x95\xe6\xab\xc3\x0c\x4a\x45\x82\xe6\xf6\xe4\xfc\x12\x3f\x8d\x10\x3a\x8b\xb7\xcf\x72\xac\xc3\x97\x5b\xc0\x9b\xba\x14\x92\x16\xd4\xf7\xa2\x7c\x1e\x26\x0b\xd0\xfb\x6d\x0b\xd0\xbb\x76\x6d\x01\x5a\x7b\xb4\x8c\x3c\x5f\xad\xb1\x03\x52\x94\xe8\x88\x30\xf2\x7f\xaf\xc6\xa6\x36\x0f\xfb\xa5\x03\xfb\x2c\x3d\x1d\x3c\x50\x53\x7f\x0e\x61\xbf\x29\x6a\x50\x2d\x0f\x41\xad\xa9\xd3\x07\x63\x03\x10\xb5\x0d\x5d\x24\xf6\xc9\xd5\x1c\x7d\x26\xb1\x9d\x81\x99\xb6\x3a\x22\xea\x27\x71\xba\xd6\x10\xeb\x31\xe8\xb1\xd3\xbd\x2c\x6a\xa8\x3e\x4d\x33\xb7\xb8\x6f\x2c\x55\x42\x50\x44\xc3\x1c\xad\x42\x87\x9b\x87\x6f\xb8\xd4\x82\xd5\x0b\x59\xa4\x67\x45\xd5\xa8\x66\x3f\x51\x63\xcc\x74\xc7\x7f\x79\x8d\x3d\x65\xdb\x69\x5e\xd2\xcf\x07\x5f\xf0\xcc\x0f\xb2\x18\xa3\xb0\xab\x2f\x62\x89\xc1\x10\xcb\xad\x67\xa4\x5d\x63\xdf\x80\x59\xab\xe9\x36\xb5\x51\x1d\xa1\x08\x18\x35\xb6\x46\x5a\x2f\x01\x5a\x87\xa5\x86\x19\x8e\x4b\x50\xaa\xad\x8f\xc6\x85\xd4\x8e\xeb\x23\xda\xb3\xd9\x38\x48\xbf\x8e\x8a\x28\x99\x3a\x7c\xa0\xf9\x90\x77\xcf\xf6\xca\xf4\x09\xff\x06\x03\xa0\x21\x27\xa7\x12\x6d\x6d\x7f\xb9\x1a\xd1\xf2\x4f\x1e\xfb\xae\x11\x5a\xd8\x7c\x16\x89\x19\x2c\x31\xe6\x7f\xd1\x0b\x6e\xb0\x7e\x1b\x2b\x90\x6d\xe6\x57\x50\xf5\xf2\xfb\x07\x0b\x5d\x9e\xec\xa2\x07\x46\xbd\x8b\xde\x7e\xba\xe2\x48\x39\x3f\xc4\xa6\x98\xba\xe1\x7f\x57\xf0\xf8\x65\x75\xfc\xa9\xd7\x6d\xfe\xb1\x48\xf6\xc1\xa7\x07\xb7\xcc\x5b\xcf\x80\x86\x5d\xe7\x59\x0a\x5a\xcd\x9d\x54\x82\xb5\xae\x6b\x74\xcd\x2d\x48\x71\x92\x4a\x0a\x25\x73\x0b\x4e\x9b\x3f\xc9\x76\x0e\xcd\x0e\xf1\x82\x7f\x39\x11\xcc\x6e\x7a\xd7\x8d\x1f\x1c\xf9\x18\x07\xcf\xd0\xe8\xa0\xc2\x07\xf7\x12\x76\x76\x2d\xf3\x7d\xd1\x53\x51\x85\x9f\xf1\x82\x97\x7a\x33\xa6\x38\xee\x90\xc5\x07\x20\x8a\x2f\xa3\x48\xe4\xe6\x08\xd0\xe6\x12\x5e\xc1\x2f\xd8\xd1\x8c\x27\xd8\x0d\x3b\xa8\xb2\x3f\x92\x72\xf6\x64\x8f\xbd\xe8\x46\x3b\xba\x31\xdc\xfe\x5c\xb8\xd5\xbf\xb9\x41\x47\xc0\xa6\x3c\xab\x72\x1e\xd8\x66\x58\xf6\xd6\x31\x27\xeb\x33\xec\xf5\x0a\x39\x11\x27\x43\xd1\xcd\xd2\x25\x51\x9e\x83\x25\x5e\x52\x59\xc9\x7f\x5b\x0b\xbe\x7f\x93\x7b\x9a\x52\xfb\x92\x59\x90\x5c\x4f\xb9\xa6\xa8\x84\xc1\xe3\x5c\x65\x38\x93\xbc\xa3\x5b\x73\xad\xb2\x2f\xab\xb1\x8c\x0e\x83\xb5\xe0\xdf\x2f\x13\x70\x7a\x04\x0f\x83\x3d\x1b\x5b\x03\x6a\x04\x0b\xe9\x62\x96\xc8\xf3\x18\xfb\x14\x00\x14\xe7\xd9\xf4\xa4\x48\x44\x29\x02\x6d\xcd\x96\x7d\x74\x1e\x74\x4e\x8a\x1f\xf7\xd8\xd5\xb9\x7d\xd7\xbf\x7f\x2b\x5c\x32\x35\x57\x4e\x83\x7a\x38\xc1\x29\xba\xae\xc6\x8d\x8a\x1e\xef\x85\x79\x28\x59\xd2\x02\x95\x69\x43\x6f\x1f\xd5\xb3\xbc\xa5\x3a\x8e\x26\xfb\xb3\x27\x8c\x3c\xbe\x66\x97\xe6\x36\x31\x89\xff\xe2\x13\x82\x45\xcb\x24\xae\xca\x84\xa8\x02\xcd\x56\xd1\x79\xbb\xac\xc2\xec\xd2\x9c\x62\x9a\x51\x1e\xaf\x8b\x9c\x4f\xde\x26\xe5\x40\x92\xde\xa6\x2e\x7a\x57\xe0\xf5\x8b\xde\x55\xf8\x1c\x6a\x64\xce\xa2\x7d\xd0\x67\x3f\x3f\xc6\xbe\xc3\x24\x18\x2f\x60\x41\x5d\x6d\xdd\xf5\x5f\x33\xb6\x03\xf3\xb0\x7e\x9c\xcc\xc3\x5f\xaa\xcd\x6e\xda\x22\x52\xdd\x10\x72\x3d\xd9\x8d\x89\x0d\x92\x34\x03\x66\x78\x91\x16\x31\x28\xa5\x15\x78\x9e\x9e\x14\xd9\xe8\x6d\x39\x19\x34\x0b\x40\xc3\x52\x27\x26\x14\x62\x79\x6b\xa8\x37\x64\xe3\x95\x07\xa6\xb9\x77\x2e\xed\x39\x77\xa5\x22\x5d\x38\x05\x49\x25\x9f\xa6\x78\x16\x73\xda\xaa\x6a\x95\x84\xd0\x41\x03\xb1\x4a\x05\x68\xec\xdc\x91\x63\x2c\x9c\x68\x1b\xf5\x50\x1d\xc4\x4d\xfc\x9b\x4a\xbb\x86\x45\x21\xa2\x26\xfb\x2f\x1e\x73\xd6\xd3\x7f\xbb\x17\xbc\xde\xbb\xcb\xba\xa2\xcc\xde\x64\xb2\x5e\x37\xf6\x6c\x8a\xc6\x32\x2e\x0f\x8b\x88\x7a\x49\x7f\x2d\x4e\xbf\x7a\xff\x9b\x0b\x3e\x0b\x66\x50\x9a\x05\x00\x05\x6d\xe3\xc4\x5a\xe6\xe9\x0c\xed\x8a\x45\x7f\xb5\x90\x47\x4d\x5a\xaa\xe9\x5a\x54\xa3\xae\xa0\x10\x29\x7f\xcd\x4b\xbc\x60\xfd\xb1\x71\xd7\x54\x2a\xf6\x7f\x8b\x14\x6a\x87\xe8\xfd\x9f\x6b\x97\x41\xef\xff\xb5\x36\x3f\xa2\xad\xc7\x82\xd2\xad\x7e\x58\x34\x2e\xaf\xfe\xef\x41\xdd\x6f\x1f\x63\xbe\x5c\x97\xa5\x32\x5c\x13\x66\x55\x5e\x79\x39\x5c\xe8\xf7\x60\x55\xdc\x96\x1e\xab\x35\x81\x5e\x54\x56\x64\xd4\xb5\x73\x69\x61\x5d\xfd\xe6\x5c\xa3\x8a\xe7\x52\x45\xf8\x9d\x00\xb3\x1f\x4a\xbc\xd6\x04\x6d\xc2\x7b\x09\x71\x5a\x1f\xf4\x9b\x39\x3e\x1d\xcf\xe5\x39\x76\x2d\xb2\x9f\x19\x1d\xd8\xe8\xcf\x04\x4f\x9e\x71\xca\x6c\x59\x4c\x4a\x76\x03\x3f\xba\x65\x90\xcb\x17\xc6\xd8\xbf\x35\x47\xe0\xa9\x0b\xbd\x30\x8d\x0c\xed\x7d\xe8\x72\x68\xef\xa5\x63\xb3\x9b\x35\xf8\xd8\x1e\x80\xd8\x19\x8b\xbe\x88\xbc\x00\x14\x03\x03\x43\x14\xf8\x16\xf8\x75\x28\xe3\x1a\x4c\x45\xb2\x37\xf8\xfe\xec\xd2\xdc\x5d\x54\x0e\xc8\x2e\x0f\xf5\x4d\x47\xaa\xcf\x66\x24\x04\xf9\x67\x83\xdb\x4e\xe2\xfc\xc4\xc3\xe9\xc3\x66\xe6\x94\xd3\x1a\x83\x29\xc9\x25\x3c\xf2\x48\xfb\xd2\x3e\x76\xdb\x36\x35\x45\x16\xf2\x38\xcb\xe3\x72\x70\x5a\x2a\x13\xb3\xb6\xdb\x40\x67\x06\xf9\x3f\xbe\x2f\x38\xbd\x83\xe7\x1c\x2b\x83\x49\x13\x92\x3a\x34\xbd\xcc\x13\xf9\xb6\x2b\x93\xbf\x7f\x9c\xad\x99\x10\xd7\xe7\x04\x67\x57\xe8\x6f\x2a\xa3\x52\x71\x8c\xd3\x4d\x05\xc3\x82\x95\x1b\xc0\x7e\x49\x41\xd4\x49\x58\x94\xbc\xcc\x43\x20\xc8\x4a\x75\xcd\x44\x47\xb2\xae\x06\xe7\x56\xf0\x4f\xfa\x0c\x0a\x22\x60\x0e\x6a\x6c\x64\x79\x54\x37\xba\x27\xc7\x07\xb5\xa5\x4a\x0f\xed\x60\xb1\xe5\xd7\xda\x1a\xa7\x57\x8e\x4a\xe5\x6a\x98\xe4\x7b\x42\xd8\x72\x9a\xd4\xaa\xc7\x32\x84\xd5\xdc\x2e\x99\x4d\x9d\x9f\x4b\xcf\xa7\xd9\x46\xba\xc9\x2a\xcf\x92\x4a\x73\x53\xd0\x5c\x91\x7f\xe8\x6f\xa8\xca\x50\x95\x2f\x8c\x6c\xe4\x3d\x1e\xf3\xe5\x60\x96\xf5\x58\x96\xe3\xae\xf0\xdf\xb4\x85\xae\xb2\x85\xca\x2b\xdf\x0d\x9e\xb3\x32\xdc\xa0\xee\x1b\x4e\x5c\xdc\x15\x15\x6a\x31\x73\xa9\x6a\x29\xc3\x1e\xc2\xd9\x02\x3f\x7d\x56\x76\x44\xde\x64\x6f\x1c\x67\x36\x93\x53\xe5\xee\x14\x5d\xdf\xa5\x78\x70\xd8\xea\x74\x45\x5a\x42\x7d\xc4\xaf\x8c\x05\x77\x8e\xba\xa1\x17\x85\x3c\x6a\x56\x1d\xfb\xea\xe3\xca\x6a\xd1\xbc\xe8\x1d\x08\xe1\xaa\xd4\x5e\xae\x40\x33\xc9\x45\xef\x80\x14\x0c\x86\x6a\x59\xfe\x45\x8d\xbd\xc9\x63\xfa\x79\xff\x95\x5e\xf0\xc2\x19\xfa\x61\x15\x69\xad\x6e\x79\x57\x75\x02\x5d\xeb\xcc\xb9\xa5\x65\xe5\x2b\x24\xa3\x1d\x9d\x51\x8a\x43\xea\x46\x6c\x39\xfa\x0e\x51\x2e\x80\xec\x2c\xbb\x36\x39\xe5\xac\xfc\x9d\x4c\x77\xda\xbf\x39\x98\xd6\xa6\x54\xed\x87\x73\x2b\xc4\x61\x68\x4b\x08\x95\x17\xca\xcc\x69\xe9\xc5\x1e\xa3\x89\xf0\x2f\x6c\x81\x7a\xb6\xed\x52\x41\x13\xc1\xf5\x54\xdb\xaf\xe2\x00\x51\xc7\x26\x18\xd0\x87\xba\xd4\x64\xff\x74\xad\x53\x8f\x20\x8a\x8b\x56\xb6\x2e\x89\xd4\x42\xc9\x5d\x4a\xe2\x96\xf0\x3f\x77\x6d\xf0\x65\xcf\xb9\xe4\xd4\x39\x45\xbd\x41\x03\x64\x98\x5a\x03\x95\x22\x85\xa1\xaa\x20\x80\x2e\x15\xe5\x6c\xa1\x8b\x14\xde\x4e\xe7\x8a\x4e\x3d\x70\x3f\x4b\x08\x99\x75\xca\x86\xc2\x35\x43\x34\x35\x55\xf0\x43\xb9\x28\x9f\x97\x41\xc8\x83\x3c\x5a\xf3\x2c\xea\x53\x70\x55\xbb\x0f\x87\xcb\x10\x1e\xf5\x95\x64\xeb\x5e\x06\x53\xfa\x84\xbe\xe5\x50\xe7\x9f\x5e\xcd\xfe\x5b\x8d\xd9\x8f\xfa\x7f\x52\x0b\x3e\x5f\xb3\x2e\x54\x6b\xcd\x12\x63\x51\x96\xf4\x56\x98\xe7\xb1\x95\x37\xe6\x8c\x0e\x23\x8b\xe9\x51\x15\x54\x1f\x17\xbc\x80\xa1\xab\x71\x95\x76\xb9\xf3\xea\x19\xad\x7d\xaa\x3c\x6c\x97\x22\xc7\x18\x18\xe0\x65\xcb\x4e\x85\x0f\xdb\xb2\x8f\x87\x6c\x4b\x57\xb5\xd1\xba\xd9\x09\x7e\x1d\x9f\x5b\x58\x3f\x76\x82\x2f\x3a\x55\x6d\xe5\x35\x4e\xae\x8a\x26\x3e\x73\x7c\xc4\x33\xc7\xed\x67\x6e\x7f\xe6\xc9\x79\xf7\x19\x7e\x3b\x54\x28\x7a\xa6\xae\x50\x74\x12\x8b\xb4\xc8\xed\xb5\x17\x66\xfc\x70\x5a\xec\xff\xd8\x63\x86\xa0\xfd\xcf\x79\xc1\xf3\xcc\x16\x75\xfc\x29\x64\x63\xb0\xee\xda\x14\x48\x21\xc8\x44\x8d\x56\xf2\x52\xc8\xbb\xe1\x05\x28\x98\x99\xb5\xf9\xe1\x43\x87\x0e\x6d\x02\xd0\x7d\x84\x1d\x62\xcd\x4d\x99\xdd\x48\xfe\xf3\x90\xf7\x24\xf6\x6f\x1c\x23\xac\xec\x6b\x03\x4e\xf1\x09\x7f\x7f\x58\x66\xdd\xb8\xc5\xf6\x0c\xf7\xbb\x30\xdc\x77\x2c\xbb\xfd\x73\x76\x1b\x32\xf0\xef\xb6\xc8\x19\x61\x3f\x33\xc6\xf6\x01\x62\x94\x7f\x71\x2c\x78\x4f\x0d\xc1\xa3\x5c\x7e\xa9\x28\x51\x15\x7b\xc2\x67\x10\xde\x08\xb8\x26\x54\xb4\xd1\x53\x3e\x8a\x3e\xc1\x51\x0c\xcc\x92\x6a\x27\x11\x55\xcb\xa3\x9e\x80\x05\xb1\x55\x95\x57\x85\x60\x4a\x96\x6c\x81\xa7\x79\x2e\x28\x4c\x51\x47\xcf\xc1\x6b\x1a\x9b\x10\x1d\xd2\xa6\xa0\x0e\x95\x93\x4a\xe3\x04\x6f\x11\x53\x70\xda\x0e\xa4\x6a\x03\xcd\x04\x3b\xde\x4d\xf4\x59\x7b\x23\x1d\x67\xc7\xd8\x91\x4b\xdb\x48\x0b\x59\xbe\xc3\xcd\x74\xc9\x05\x25\xcc\xf7\x2a\x4e\x71\xe7\x70\xab\x7a\xc5\xbf\x36\xe6\x20\x92\x55\x45\x9d\xe5\xec\xbc\x48\xc9\xac\xe0\x7f\x68\x2c\xb8\xd9\xbe\x60\x14\x48\x30\xe7\x8b\x92\xe2\xad\xb4\x80\xc1\x43\x2a\x2b\x5e\xca\xb7\x40\x02\xed\x47\x90\xbd\xe3\x9c\xe7\x5f\xa9\xb1\x4f\x78\xec\xf1\xe2\x42\x2f\x46\x0d\x8d\x20\x73\xfd\xff\xe2\x29\x0c\xd5\x9f\xf2\x4e\x55\xef\x6a\x40\xb9\xbe\xc1\x4e\x05\xbc\x6b\xa9\xb7\x91\x0c\x04\xdf\x85\x3c\x45\xbb\xdf\x80\x4a\x07\xb9\x47\x1d\x2a\x0d\x06\x07\xb9\x13\x17\x2d\x5b\x08\x86\xbe\x19\x8c\x6e\xcb\x81\x1e\x7b\xbd\x14\x9c\x69\x98\xfe\xcb\xbc\x60\x30\x43\x3f\x54\x87\xe5\x83\x29\x64\x3b\xa9\x1b\x3b\xec\xed\xa8\x34\x6b\xd5\x06\x4c\xbc\x24\x16\x6e\x80\x2a\x6c\xf6\xf2\x8d\xab\x47\x42\x31\xcf\x2d\x6d\xee\x42\x79\xdf\xd5\xc1\x7b\xbc\x2d\x1e\xa8\x14\xd9\x87\x27\x25\x15\x9e\x6f\xd2\xdf\xaa\xb8\xb1\x2e\x18\xb8\x4a\x75\xf7\x31\xd3\xcb\x58\xa4\x20\x23\xb6\xfa\x96\x0a\x36\xc9\x36\x52\x91\x17\x9d\xb8\x47\x4e\x1b\x94\x61\xd3\x88\x2f\x9d\xc2\x88\xba\x5c\x80\xe4\x19\xa7\x6b\xcd\x8b\xde\x55\x65\x98\xaf\x09\xd8\x67\x61\x72\xd1\x1b\x8b\xef\x4b\x2f\x7a\x63\x49\x3f\x75\x28\xee\x4b\x57\xb2\xbb\xd8\xe3\x5b\x9d\xb0\x37\xd3\x2f\x3b\x27\xd5\xce\xf1\x67\x82\xa3\x1b\x1d\x21\xb9\x8e\x89\x75\x81\x4e\xe9\x47\xf8\xec\x9d\x33\x0b\x3c\xec\x97\x1d\xc9\xd2\x51\xf1\x72\xcc\x69\xef\xaf\x69\xab\xfc\x83\xb5\xe0\xa7\x6a\x55\xb3\x7c\xc5\x98\x26\xb9\xdc\x20\xeb\xf3\x8d\x10\xb6\x89\x32\xd9\x2f\xc7\x3d\xb9\x71\x4d\xe8\x0e\xe6\xab\xb8\x4d\xc5\xc5\x25\x18\xf0\x29\x4d\xf8\xe1\xca\xba\xb8\xdc\x60\x02\x15\x41\x10\x17\xad\x22\x76\xc0\xf1\x3d\x76\x35\xb0\xd1\xb0\xcc\x72\xd0\xed\x3e\xe2\x05\xef\xf3\x10\xdc\x84\x56\x61\x4e\xdd\x47\xe9\x94\xcf\xb5\xb9\xf3\x8a\x1b\xbc\x8f\xd0\xec\xf2\x3b\x10\x13\xd3\x86\x14\x81\x58\x6a\x34\x61\x2a\xb2\x7e\x91\x0c\x10\x9b\x16\xdb\x8e\xf5\x33\x37\x23\x09\x01\xc3\x0f\x93\x5b\x4f\xdc\x6c\x39\x7b\x6e\xad\x86\xb5\xdb\x46\x16\xaa\xf9\xe6\xec\xbb\x43\x4c\x92\xa0\x3f\x15\x3c\x71\x19\x5b\xc5\xaf\x19\x71\x7b\x48\xce\x4e\xd9\x35\x6e\xa7\xfd\xe7\x04\x67\xd5\xf8\x55\x1f\x31\x0b\x40\x12\x06\xa4\x8d\x87\x29\xb5\x0b\xd6\x08\xd9\x71\xd7\x06\x7c\x90\xb8\xc6\x41\x3e\x59\xb6\x7a\xae\x3a\x7d\x8c\xc9\xed\xe1\x37\x14\xe2\xe2\xb7\x63\x4b\xd4\xdd\xd3\xfd\x94\xe0\x9a\x5d\x80\xc5\x5f\xf4\xd8\x7e\x9c\xa0\xc2\x7f\xc0\x0b\x5e\xe9\x39\x6f\xe1\xf6\xe3\xa7\x63\x54\xf4\x85\xba\x20\xcf\xfa\x18\xb6\x17\xe8\x26\x00\xc1\xdf\xbb\x57\x6a\x41\x27\x70\xb3\x29\x24\x6e\x3c\xd3\xc1\x72\x82\x86\x49\xc5\xf6\x26\xcb\x41\x2f\x6e\x41\x34\xfd\xf2\xec\x02\x89\x10\x37\x1c\x3f\x04\x1c\xe1\xe8\x91\xe3\x87\xa6\x9c\x23\xda\xb5\x4f\xb3\xf3\x96\x95\xfd\xde\xe0\x99\xbb\xcb\xff\x19\xb6\xb2\xbb\x86\xf5\xe7\xdb\x19\x41\xdd\xcb\xb0\x77\xdf\x08\xbc\x86\xd2\xdf\x24\x9d\xd1\x1a\xe3\x1c\x43\x30\xa2\xde\x10\x2e\x47\x62\x3f\xe3\x31\x87\x13\xfa\xaf\xf7\x82\x1f\x1e\xb5\x46\x8f\xc5\xf2\xd8\x91\x6e\x8f\x53\x4c\x78\x49\x14\xa0\x57\x3e\x2d\x38\x3c\x9a\x05\xd3\x03\xdb\x32\xe0\xaf\x4e\x8c\x2c\x91\xa5\x13\x58\x20\xba\xed\x57\x27\x82\xef\x75\xae\xb8\x1a\x98\xc9\x76\x19\x1d\xc0\xf6\x9f\xf6\x02\xd8\x76\xad\x0e\xff\xae\x0e\x60\xfb\xa4\x17\xbc\xda\x9b\x93\x7f\x6a\x63\x6b\x75\x1d\x94\xc5\x49\x65\xc2\x24\xc0\x59\x1e\xb9\xd2\x3a\x97\x5a\xce\x4a\x77\x74\x4f\x07\xde\x0b\x5e\xb3\x83\xd7\x76\x5a\xa0\x0b\x55\x35\x87\x25\x6d\x15\xb0\xf6\xce\x09\x1b\xde\xa7\x52\xf6\x76\x1e\x7f\x2d\x00\xea\xf3\x29\x53\xa6\xfd\xbf\x1d\x08\x3e\xeb\x6d\x72\x93\x30\x51\x56\x21\xbd\xae\x17\xe6\x65\xdc\xea\x27\x61\xae\x6c\xb4\xaa\xea\xb4\x8a\x9f\x22\x34\x24\x9e\xf5\x4b\x5d\x6b\x43\x95\x37\x86\xec\x36\xe7\x33\x52\x85\x39\x08\x65\x71\x14\x80\x19\x01\x99\x50\xab\x60\x26\x80\xd7\x11\x85\x9a\x8a\x7e\x03\xfa\x34\x99\x56\x95\xc0\x2b\xd5\xd2\x06\x78\xe5\x24\x2b\x38\xdc\xbc\xc1\xe1\xcb\xaf\xd9\xcf\xde\xab\xad\x1b\xef\x1c\x0b\xbe\x54\x53\x78\x9b\x91\x28\x4a\xa8\x65\x9d\x29\xbb\x03\xa4\xd1\xf6\xcb\xb5\x0c\xf6\x20\xf6\x84\xac\x01\x92\x2d\x69\xa3\x46\x42\xa7\x43\x2b\xeb\xae\x82\x85\x01\x93\x7a\x42\x9e\x64\x6b\xf2\xa8\xe3\x67\x17\x0d\x54\x8c\xb6\x00\xa3\x43\x36\xcb\x79\x37\x2e\x0a\x48\xd9\x37\x65\x93\x55\x21\x65\x6d\x85\xe0\x93\x6a\x26\xa8\x08\x7a\x99\xc7\xca\xaa\x2e\x1f\x98\x1a\xf1\x01\xe2\x0a\x2a\x83\x8b\xf0\xca\x54\xf1\x99\x2c\x15\x30\x0a\x5d\xc6\x59\x7d\x5b\x25\xa9\xd2\xf7\x74\xdc\x9d\xbd\x1a\xaa\x7b\x76\x63\x78\x10\x5b\xcc\xd7\xe6\x91\x37\xb3\x13\xec\x86\x1d\xd6\x64\x76\x08\x43\xca\x1d\xec\x4b\x63\xac\x56\x66\xfe\xe7\xc7\x82\x97\x8d\x8d\x58\xae\xd1\x2b\xa5\xa9\x4e\x7b\x20\x4c\x01\x93\x7e\x22\x75\x03\x3c\x4f\xec\x45\x04\xfb\xfa\xe6\xab\xa8\xd4\xa6\x2c\xdd\xc5\x7a\x3a\x1d\xdf\x62\x59\xad\xe7\x76\xb7\xba\xbb\x5d\x58\x43\xeb\x10\x35\xf1\x30\xae\xad\x10\x39\x7b\x8d\xc7\x8e\xdb\xc1\xa2\xfd\xb2\x93\xe5\x0a\x7a\x0b\x44\xde\xa4\xbd\xd4\xc7\x44\xf8\x7e\x22\x8a\x45\x21\x0f\x68\xf0\x7d\x2e\x3b\x3b\xfb\x76\x76\xd2\xae\xb9\xf7\xd4\xe0\x3a\x23\x1b\x94\x19\x17\xf2\x5c\x0d\x4b\x41\x35\xb9\xdb\x92\xc3\x8c\x74\x1b\x3f\x74\x80\xfd\xbb\x4d\xb2\x40\x40\x30\xfc\xfd\x03\xc1\x59\xf5\x43\x49\x23\x1b\x9d\x2c\x31\x32\x89\x5c\xe5\x79\xc8\x89\x41\x47\x17\x98\x37\x57\x05\x00\xc1\xac\xc5\x05\xa0\x99\x29\x94\x51\x48\x3c\x1e\x29\x41\xbe\x6d\xaf\xca\xea\x9e\x4c\x3c\x24\x13\xcf\x2b\x91\xf8\x54\x70\xb5\x62\x85\x90\x1e\x65\xef\xc8\x29\x76\x90\x7d\xcf\xf6\x12\x69\x16\xed\x09\xa3\xbb\xc2\x6a\x5f\xd8\x5e\x74\x6b\xf8\x4f\x19\x85\xaa\xac\x18\x48\xd5\xd8\xfe\xc6\x71\xf6\xe4\x11\x4b\x75\x3a\x6b\x85\x89\x63\x7a\xfd\xeb\xb1\xe0\x34\x5c\xb5\x6d\xac\x51\x9c\x8b\x56\x99\x0c\x1a\x3a\x9c\x41\x45\xb5\x03\xb7\xc1\x74\xb2\x36\x10\xc5\x60\x28\x6e\x7d\xbc\x57\x45\xfc\xfd\x91\x31\x76\xbf\xb1\x55\xfe\x83\x17\x7c\x63\x0b\xc4\x97\xb9\x92\x87\xbd\x5e\x12\x0b\xca\x7e\xdc\xd0\xc0\x18\x80\x62\x09\x48\x45\x49\xd6\x3a\xcf\x23\x81\x91\x05\x8f\x28\x44\xcc\x72\xa7\x6a\xad\x27\x38\xc0\x7e\x99\x35\x50\x20\xa0\x0f\xe3\x77\xb7\x40\x8c\x79\xb1\xc7\x60\x6a\xfc\xe7\x07\xdd\x65\x15\x98\x00\xd0\x9c\x43\xa1\xd9\x2a\xe9\x0f\x66\x83\x50\x83\x94\xb9\x84\x16\x27\xcb\x41\x46\xb0\xa7\x82\x4f\x46\x71\x71\xbe\x8e\x32\x75\x09\xa5\x3d\x9a\xcd\xa6\x6b\x06\xf9\xc3\xab\xd9\xd4\x8e\x8a\xea\x80\x18\xff\xde\xab\x83\xbf\xf6\xac\x0b\x43\x19\xb7\x70\x04\x76\xc3\x5e\x4f\x63\x3a\x00\xc0\x29\x02\x90\x86\x96\x85\x14\x66\x9e\xc6\x99\x8b\x04\xec\x99\xab\x61\xeb\xbc\x48\x23\xe5\xc2\x29\xe4\x66\x6c\x65\x5d\x00\x0d\x50\xbb\x56\x0a\x52\x08\x07\xa9\xce\x5d\x95\xb7\x0b\x2d\x82\x9c\x41\x92\x67\x9e\xf5\x09\x3d\x49\x7e\x44\x35\x5e\x4d\x01\x96\xf7\x34\x26\xb7\x35\xb4\xbb\xe4\xe2\xba\xe1\x77\xff\xf9\x4a\xf6\x55\xc6\xc6\xe5\x87\xfc\x2f\xb1\xe0\x53\xec\xce\xcc\x9c\xd4\x50\x20\x90\xdf\xa7\x8d\xab\x11\xc6\x32\xa8\x18\xa5\x50\x3b\x34\xe5\xeb\x75\xac\x79\xaa\x21\x39\x16\x6f\x9f\xe5\x47\x6f\xbc\xe1\x78\x93\xcf\x67\x14\xe6\x69\x22\x35\xe4\x62\x2a\x71\x54\x71\xb8\x40\xb6\x12\xe8\xea\x9c\xf2\xd2\xb9\xc5\x39\xbb\xd5\x38\xd5\xad\x9e\xe0\x87\x9b\x7c\x6e\xa1\xd0\xa0\x2b\x1a\x50\x76\x56\x87\x7c\x98\xe2\x6c\x7a\xf0\xc6\x79\x22\xf7\xdf\x80\x97\x19\xe3\x1c\x3e\x35\xb7\xa0\x01\xb2\x7a\xa2\xa5\x8b\x18\x86\x80\xf0\xa9\xaa\xe0\xb3\x23\x54\x4c\xee\xc4\x0a\x8f\x44\x12\x77\xe3\x12\xa3\x35\x49\x22\xed\x51\xf4\x8e\x40\xfc\x4b\x52\xbc\x2a\x3d\x64\x13\xdc\xea\xa4\xb6\x00\xe2\xd1\xac\x2a\xbb\x41\xd4\x8b\xf6\x21\x9c\xb8\xe1\x10\x50\x84\xe4\xd7\xf2\xb4\x95\x4d\x9c\x38\x76\xec\xa8\xbe\x58\x34\xd9\x6d\x54\x70\xa8\x40\xc7\x6b\xab\x03\x35\x8d\x68\x4c\xed\x3e\xa4\x4b\x6f\x42\x7c\x4a\xd5\x0c\xd7\xa4\x60\x5c\x1a\x36\x42\x80\x26\xa5\xa9\x29\x65\xc8\x48\x05\xc1\x76\x88\x60\x2c\x96\x50\xb7\xdf\x40\x9a\x45\x71\x5e\x89\xce\xab\x61\x21\x22\xc5\x04\xcc\x06\x1a\xfa\x06\x43\x72\x24\xee\x10\xf4\x72\xd1\x8a\x0b\x11\x90\xa8\x08\x7c\xd2\xa6\x49\x1b\x73\x18\x01\x68\x28\x42\x34\x2b\x87\xe9\x95\x4f\x8a\xe6\x5a\x93\x07\xed\x2c\x6b\xae\x86\x79\xb3\x95\x75\x03\xa8\x62\x1b\x6c\xc4\x49\xd4\x0a\xf3\x28\xa8\x6f\xf6\xa1\x5e\x2e\xda\xf1\x05\xe3\x1e\xa7\x8a\x7e\xea\x45\xc2\xb6\xa6\x0f\x5c\xd7\x94\x9f\x80\xe6\x91\x7a\xf4\x63\x1a\xd6\x8e\x1f\xbc\xee\x20\xaa\xed\x84\x6e\x8b\x00\xbb\x22\x69\x73\x72\xa9\x22\x7f\x38\x39\xbf\x44\x6d\xa3\xc8\x85\x0a\x08\xd2\xb3\xea\x04\xdc\x6f\xf2\x67\x67\x7d\x85\xf1\x46\x11\x03\x95\xde\x99\x4f\x60\x3f\x61\xa6\x6f\xb9\x85\x07\xd7\x05\x53\x28\xed\x03\x7d\x28\x07\xcd\x28\x1a\x81\x57\x48\xc9\x4a\x2b\x3b\x7c\x23\x1c\xe0\x1e\xc5\xdc\x6a\xd2\xc2\xe4\xf2\xd5\x89\x41\xa2\xd3\x5b\x0d\xc2\xa8\x5e\xa4\x66\x01\xad\xc3\x42\x75\x00\x94\x16\xd4\x46\xc9\x8b\x24\xf7\x93\x4d\x36\xf9\x11\xa7\x79\x33\x42\xad\xa6\x5f\xe6\x67\xa4\x06\xa4\xbe\x04\x14\xda\x6f\xb7\xe3\x0b\x7c\x32\x17\xdd\x4c\xe3\x00\xe1\x8a\xc0\x5c\x4e\x29\x76\xa1\xa7\x18\x94\x66\xfb\x4c\x7a\x3a\x1b\x97\x5f\xf2\x6f\x63\xdf\x77\x29\xd5\xdf\xee\x5c\x5e\x5e\xa8\xee\x0a\xf6\x62\xd7\x24\x9f\xaf\x86\x2d\xfd\xc2\x62\x96\xa0\xe6\xf5\x87\x07\x82\xd7\x7a\xea\x17\x4e\x4f\x2b\x4b\x12\xf4\xa9\xc9\xfe\xca\x7b\x05\x3f\x29\x0f\xbb\x56\x48\x00\x4f\xeb\x87\x9b\x87\x9f\x2a\xff\x68\x87\xeb\x19\x56\x14\x95\x8d\xbb\x7a\x26\x09\x8a\xeb\x87\xb9\x6a\x1e\x35\x00\xa0\x94\x34\xe3\x49\x96\xae\x89\x1c\x31\xe8\xa1\x3e\x29\x36\x7c\xe4\xc8\x68\xd5\xed\x63\x57\xb0\xb6\xa5\xb9\xfd\xfb\xdd\x29\x6e\x5b\x86\xea\xec\x29\x54\xbb\x54\xa8\x9e\xab\x14\xaa\x73\xc1\xb7\x6b\x0f\x83\xf1\xf3\x00\x49\xed\xdc\xda\x3f\x44\xb8\x7b\x0a\xd6\x6e\x14\xac\x64\x7b\x05\x6b\xce\xbf\x43\x2b\x58\x9b\xee\x6c\x03\xff\x41\xdb\xdb\xd5\xbb\xb0\x56\x23\x7b\xcd\x04\xfb\xde\x2d\x22\x9d\x66\x97\xe6\xb4\x11\xe8\x4f\x0f\x04\xd3\xd6\xef\x51\xcc\x88\x6e\x2b\xbf\xd4\x68\x4e\xf1\xbe\xbd\xe2\x59\xbb\xde\xc1\x1d\xb5\x83\xef\x0d\x9e\x18\x8f\xf2\x11\xd2\x4a\xd8\xbb\xf8\x18\x3b\xb2\x85\xbb\x7d\x93\x95\xdf\xdb\xcb\xbb\xf0\xdc\x7d\xd2\xb6\x65\xfe\xea\x2e\x6d\x99\x3f\x38\xda\x94\xf9\x68\x81\x9d\x3f\xe4\x45\xdb\x33\xa6\x19\xff\x69\xca\x69\x67\x71\x8a\x51\x8c\x47\xfb\xed\x14\xdd\x11\xd3\x62\x9f\x3e\xc0\x8e\x6e\x69\x1b\x47\xbb\xf8\x0c\xd4\x8a\xb1\x0c\xe3\x6f\x3c\x10\xbc\xc3\xdb\xe4\x26\x49\xfe\xc3\xf5\x0d\xb0\xe2\x8c\xc9\xbe\xe1\xa7\x2e\x84\x2d\xa8\xc9\x8e\x70\x42\xaa\x7c\xd4\x8c\xdd\x0b\x2b\x07\x14\x73\x69\xd3\xed\x1e\xeb\x9a\x62\x3e\x6e\x88\xe7\x15\xec\x41\x8f\x7d\x6b\x6a\xb5\x60\xb2\x4d\x5f\xe7\x6d\x91\x7c\x33\x34\x2d\xf3\xa3\xda\x08\xce\x8c\xbc\x6c\x79\x35\xab\x10\x4e\x21\xc0\x63\xeb\x8d\xeb\xce\x8f\xec\xac\x9f\x0f\xf7\xf4\xf5\x5b\xd5\x42\x1e\xea\xe9\x88\x6e\x2e\x6d\x37\x81\x5b\x75\x78\xb3\xce\xde\xca\xc6\xfa\x71\xe4\x3f\x35\xb8\xee\xdc\xdc\xc9\x11\x65\x5a\x2c\xb5\x02\x90\x38\x8a\x4a\x6c\xe8\xcf\x79\x6c\x5c\x5e\xf4\xdf\xe1\x05\x6f\xf0\xce\x15\x26\x9f\x13\x30\x4a\x07\x59\xff\xa0\xd4\xa9\xe9\xf5\x36\x95\xc6\x18\x64\x7d\x0d\x81\x18\xc8\x97\x02\xbe\xda\x2f\xc1\x70\x10\xdc\x21\x29\xbe\x08\x48\xad\x89\x0b\x0c\xbf\x2e\x45\xde\xcb\x05\x45\x7f\x06\xcf\x02\x57\x72\x9b\xc3\xf7\x36\x84\xb2\x39\xf0\xae\xe8\xae\x8a\x1c\x4f\xb9\x01\xee\x1d\x87\xd5\x7c\xdc\x63\xfb\xc4\x85\x32\x0f\xfd\x0f\x7b\xc1\x6b\xbd\x53\xf2\xcf\x6a\xc9\x1f\xd5\xf7\xe6\x5c\xda\xce\x9a\x77\x88\x12\x9e\x9a\x9c\x92\xbc\xa4\x93\x45\x86\xef\x5a\x71\x44\x50\x75\x64\x29\x4e\x5b\x06\x25\x04\xcb\x0f\xe8\x48\x5b\x5c\x31\x39\x3b\x25\x4f\x85\x88\x28\xe5\x58\x49\x05\x80\xab\xfe\xa0\xf7\x44\xf6\x1d\x9b\x47\xa0\xd9\x19\xd2\xf3\xec\x0a\x1c\x9d\x7f\x32\x98\xc4\x19\x73\xaa\xb3\x16\xa3\x66\x7e\x8b\xe0\xb6\x17\x8d\x8d\x04\x38\x83\x12\x7f\x4b\x22\x8f\x45\xe1\xff\x51\x2d\xb8\xcf\xfa\xad\x5c\x8b\x0e\xcd\x00\xb2\x0c\xdc\xd5\x65\x2a\xeb\x3c\x6e\x8a\xa6\x3c\xb2\xe0\xd0\x0b\x4b\xbe\x11\x16\xd3\x71\xc1\x3b\x52\xfb\x4f\x09\x75\xae\x8c\xd3\x3e\x84\x55\x02\xb9\x16\x59\x57\x20\x88\xba\xc3\x08\xbe\xec\xb1\x15\xb6\x0f\xa2\xc2\xfd\x67\xa9\x90\xc3\xdb\xe6\xfb\x6a\xcd\xb3\x16\x66\x40\xb5\xec\xc4\x2b\xec\x4e\xbf\x67\x44\x18\xd4\x7e\xf3\x72\x55\x84\x98\x95\xe9\x04\x27\x5e\x60\xd7\xca\x47\xce\xae\xa2\x3e\x07\x89\xa1\xd1\xe6\x3b\x77\x8b\x33\xe9\x4c\xdc\xca\x33\x48\x0e\x7d\xb2\xfc\x57\x71\x53\xe8\x80\xe9\x2a\xcf\xe8\x4b\xec\xf3\xae\x25\x77\x44\x79\x40\x52\x8e\x81\x93\xff\xcc\xd5\xc1\x4d\xd6\x6f\x6b\xf3\xdb\xe6\x28\xbd\x11\x37\xe2\x02\x2c\x02\x19\x56\xab\x70\x27\xf6\x8b\x57\xb1\x5f\xae\xb1\xfd\x64\x61\xf5\xdf\x53\x63\x27\x36\xe5\x54\x9b\x77\xeb\x36\x7c\x3d\xf8\x5b\x6f\xc6\x00\x49\x93\xd1\xb6\x15\xf6\x10\x6d\xb5\x4d\xc6\x61\xc7\x2c\x47\xa8\xd0\xe9\x41\x15\xc9\x21\x77\x2f\xba\xe2\x67\x6c\x7f\x73\xd6\xe6\x07\xa9\x45\xac\x88\x00\xe6\xea\x83\xe6\xe4\x30\x21\xc6\xa3\xf3\xde\xc1\xd0\x9f\x24\xd9\x06\xae\x44\x16\x46\xab\x61\x12\xa6\x2d\x91\x73\x83\x37\x20\x5b\xa6\xfe\xcb\x5e\x82\x93\x1f\x6a\x29\x12\xc3\x0a\xf9\x5a\x92\xad\x86\x3a\x9c\xbe\xc9\xde\xb7\x8f\x5d\x1b\x5b\xc5\xda\x21\x04\xf9\x6d\xfb\x82\x1f\xdb\x37\x57\xb9\x3a\x2a\xd9\xdd\x7e\x46\x23\x3a\x6b\xa4\x7d\x30\xa2\x59\x36\x6f\xe7\x69\xa5\x02\x18\xe0\x69\x1a\x02\x98\x27\x4c\xda\x66\x69\x81\x69\xd2\xdc\xe4\xa2\x97\x10\x24\xb7\xe0\x91\x31\x8c\xac\xb8\x51\x70\x34\xac\x26\xc0\xf3\xae\x70\x90\x20\x29\xce\xe1\xf6\x2c\x87\xf5\xdd\x08\xf3\x08\x42\x5c\x7a\x61\x19\xaf\xc6\x49\x5c\x0e\xea\xca\xc9\x03\x05\x11\x74\x25\x2c\xd8\x8f\x25\x24\xd4\xa8\x25\xa3\x7a\x66\xb9\x68\x89\x08\xb7\xc3\xba\x16\x70\xe5\xea\xe1\xf8\xad\x91\x49\x29\x58\x74\x63\xc9\xed\x37\xc2\x1c\xf8\x07\x19\xb7\x0c\x4a\x82\xf5\x49\x30\x07\x46\x71\x1b\xe2\x62\x4b\xad\x8d\xcc\x39\xe0\xc4\x06\x85\x78\x66\x61\x4e\x69\x43\xf1\x5a\x2a\x65\x46\x9a\x6f\x61\x8a\xbc\x29\x08\x71\x8b\xda\x66\x52\x77\x5d\xf4\x69\xab\x52\x61\xc3\xfc\x3c\x1e\x5d\x44\x33\xca\xd8\x4a\xc6\x5e\x05\xf6\x55\x88\x12\x44\x30\xdb\x3d\xa5\x63\x53\x68\x3e\x34\x94\xa9\xc5\x78\xeb\x2e\x24\x90\x4b\x23\x59\xab\xaf\x47\xda\xac\xc2\x00\xc2\x0e\xf2\x3f\xe3\x05\x2f\xb1\x60\x00\xc1\x42\x88\xae\x20\x0b\x86\x0c\x50\x10\x1c\xfb\x38\x9c\xe5\x8e\x29\x3c\xcb\x79\x9a\x39\x91\x2d\x75\xc7\x16\x0e\x14\x90\xea\x73\xb1\xc2\x26\x9c\x13\xea\x26\x76\xe3\x16\xd0\x61\x9b\xb3\xa1\xc5\x7e\x22\xd8\xcb\xc6\xd8\x58\x99\x14\xfe\xff\xac\x05\xef\xab\x2d\x9f\x5e\xaa\x82\x44\xbb\x2e\x09\xc5\x2d\xc1\xb6\x4c\x3e\xc6\xc2\x18\x99\xe5\xfb\xf2\x52\x9d\x1f\x3b\x76\x14\xc6\xac\x53\x9b\x51\xe0\x30\xf4\x03\x33\xa8\x18\x85\x21\x3b\x39\xa1\x05\x48\x34\x03\x63\x63\xa6\x36\x2e\x58\xce\x01\x30\xb7\x67\x79\x09\xc9\x4f\x79\x44\xb0\xff\xca\xf1\x80\xe5\x00\xac\x02\x03\x79\xd6\x5f\x43\x07\xd8\xd2\xfc\x1c\x74\x53\x4f\x4b\x5d\xed\x0a\xda\xc0\xf6\x16\x6a\xf7\x93\x76\x8c\xc8\x6a\xf6\x13\x7a\xe0\x4b\xf3\x73\xcd\x9d\xe3\x31\x6e\xbe\x12\xcb\xa7\x97\xd8\x03\x13\x0e\x3a\xde\x16\x31\x3f\x60\x3d\xf9\x7f\x0f\x04\xd7\x0f\x5d\xad\xc4\x57\xdb\xb7\xb7\xb6\xa1\xfc\xfa\x9e\x0d\x65\xd7\x36\x94\x5c\xd9\x50\xe2\x20\x18\x61\x05\x55\x53\x45\xcb\x60\x93\xcd\x0d\xec\x38\x3b\x76\x39\xd1\x5f\x7b\xd6\x94\x5d\x58\x53\x3e\x65\x5b\x53\x7e\x6d\x97\xd6\x94\x1f\x7a\x8c\x02\xc3\x8c\x39\xa5\xb3\xbd\x39\xe5\x94\x3f\x6b\x80\x9d\x0d\x55\x55\xec\xbb\x43\x5c\xa5\x1a\x60\xf3\x79\x8f\xdd\x72\xb9\xd5\xbb\x9b\x4f\x5f\x3a\x3b\xef\xbf\xce\x0b\x7e\xd4\x83\x32\xa1\x4e\x76\xe3\x00\x53\x4b\xb1\x80\xe8\x3a\xba\x93\x97\xc1\x75\x6d\xa0\x1b\x2c\xc0\x86\xd5\x2c\x4b\xea\x1c\x52\x57\xeb\xbc\x9d\x64\x21\xfc\xa1\x8a\x77\xdd\x7d\x8f\x4e\x36\xfb\x81\x17\xd6\x79\x37\xec\xdd\x8d\xb7\xec\xeb\xc0\x4c\xd2\x38\x69\xb2\xf7\x5f\x61\x17\x85\xda\x6a\xc9\xed\x12\xd1\xfe\xff\xdc\x17\x7c\x4a\xca\x03\x95\xaa\xc5\xb0\xf1\xe1\xda\x7d\x7d\x91\x0f\x50\x56\x0b\x55\x9c\xb7\x66\x1f\x28\xb3\xe5\xa2\x90\x47\x7b\xd6\x46\x49\x00\x3e\x50\x18\x57\xee\xa9\x0b\x72\x8a\x60\x02\x61\x06\x66\xe6\x4f\x92\x24\x85\xe1\xb2\x95\x6f\xdb\x71\xb2\x8a\xd9\xf0\x19\x9e\xf6\x93\x64\xb3\x47\xd3\xcc\x62\x4b\xd6\xa9\xf0\xcf\x63\xec\xff\xf2\xd8\xb5\xd5\x5e\xf8\xef\xf3\x82\xbb\x86\xba\xe6\x30\xbb\xca\x87\xec\x92\x08\x6a\xcc\xe6\x8a\x35\x2a\x9b\x2b\x9e\x65\x67\xd8\x33\x2e\x67\x4f\xda\x0b\xb4\x68\xbe\xc3\x7e\xbe\xc6\xae\xb4\x66\xd8\x7f\x4b\x2d\xf8\x5f\x9e\x3d\xe5\x30\x84\x6e\xd8\x93\x23\xf8\x81\xf3\x62\x50\x07\x1a\x7c\x21\xef\x85\x71\x0e\x93\x48\x62\x8e\x7d\x8f\x3c\xdc\x76\x33\xb2\x05\xf4\x4a\xab\xf2\x17\x80\x50\xc4\x05\xe9\x18\x6a\xa1\xad\xd9\x93\x52\x6e\x56\x08\x28\x79\xa7\x75\xb1\xe0\xbc\x18\xa0\x75\x87\x02\xb7\x90\xb2\x82\xb9\x34\xc0\x53\xb0\xec\x58\x95\x3f\xf2\x70\x60\x82\x98\x41\x3e\x0b\xe0\x5e\xb0\xe5\x84\x6f\x01\x2e\xf7\x90\x17\xb0\x6f\x75\x58\x4a\x37\xec\x0d\xa1\x51\xbc\x72\xdc\x71\xf8\x28\x7b\x88\xb2\xc0\x3d\xb3\x9f\x95\x21\x96\x2e\xf6\xff\x78\x2c\xb8\x7d\xc4\x75\x47\xb4\x10\x29\xe4\x06\x46\xbc\x83\xbc\x14\x4e\x13\x39\x56\xa5\xfc\x4b\x39\xbb\x59\x0d\xb1\xfb\x13\x8f\x8d\xcb\x17\xfc\x2f\x78\xc1\xcb\xbd\x3b\xe5\xab\x0a\xbb\x49\xa1\xdf\x8c\x68\x56\xea\x0b\x00\xb1\x80\xd5\x8b\x8d\xda\x77\x89\x19\x4f\x3d\xe0\x94\xd3\xba\x80\xf8\x7d\x72\x6c\xc5\xf4\x83\xde\xd3\xd8\x2d\x97\x70\xaa\x34\x75\x07\x9e\xd9\x0f\xd3\x32\x2e\x07\xb6\x1d\xeb\x1d\x68\x3e\x8c\xfc\x37\x7b\xc1\xd3\xa1\xa0\x25\x8d\x50\x95\x1b\xd6\x13\x84\x85\x6b\xfb\x80\x87\x56\x2d\xe3\x4c\xd4\x6a\x4a\x80\x3d\xbc\x9d\xfc\x7d\x17\xe1\x59\x11\xc3\xb3\x04\x54\xdb\x8a\x16\xb2\x68\x86\x42\x27\x97\x45\xde\xf5\x7f\x6e\x2c\x58\x87\xc8\x17\xb8\x5f\xa8\xb8\x6f\xea\xb4\x0a\x2d\xd9\xe4\x6d\x55\xbe\x19\x8a\xd4\x44\x91\x88\x78\x4f\xe4\x0d\xc4\xa8\xca\x78\x3b\xa6\xfd\xd1\x95\x1a\x5a\x0f\x94\xbe\x5c\x44\x10\x5a\x38\x59\x4c\x5d\xf4\xae\xc0\x8f\x5e\xf4\x1e\xd7\x73\xdb\x75\x68\xeb\x15\x35\xd6\x67\xf4\xa8\x7f\x5e\x59\xd2\xee\xc2\x0b\x43\x01\x76\x3a\xb8\x0e\x53\x95\x95\xb1\x54\x5e\xa9\x7c\xa4\xae\x56\x22\x87\x70\xac\xc3\x8d\xc3\x87\x0e\xb9\xa9\xbf\xaf\xf5\x58\xb5\x67\xfe\x0b\x76\x90\xde\x5a\x99\xa5\xe0\x4e\x1d\xa0\xcf\x67\xa0\xf4\x87\x0e\x5e\x2d\xa1\x1f\xa3\x82\x04\xdd\xae\xe3\x60\x9b\xec\x43\xd7\xb2\xc3\xdb\xc0\x06\xaa\xdd\x8d\xb2\x03\xc4\x51\xbe\xe4\xda\xe0\xa7\xc7\x86\xaf\x23\xaf\xed\xe5\x02\xd1\x42\xd0\x00\xa2\xce\x23\xb0\x6a\x6a\x9a\x55\xb2\x64\x5d\x9b\x68\x2d\x53\xfb\xc1\x42\xca\x26\xab\x9a\x1d\x52\xda\xae\xd9\xcb\x33\x7c\xc4\xc7\xf5\x19\x39\xf4\x15\xa9\x0c\x02\xbb\xc1\xcc\x8e\x13\x7c\x32\x9c\x72\x53\x39\x8c\xe5\x5c\x7e\xb8\xb0\x42\x88\x74\x23\x75\x3e\xb9\xba\xe9\x5b\x61\x2f\x26\x33\xf4\xe8\x37\x5b\x9b\xbe\xa9\xc5\x86\xd1\x6f\xca\x6e\x4f\x46\x53\x23\x5f\xb5\xaa\xce\x8d\x78\x57\xea\x84\x30\x98\x8b\xde\x84\xee\xde\x45\x6f\xc2\x55\x73\x74\x6c\xe8\x55\xec\x7d\x35\x76\x15\xd9\xdf\x96\x5a\x59\x4f\xf8\xff\xb1\x16\xbc\xa1\xb6\x62\x5f\x5a\xb1\x90\x60\x54\xaa\x71\x99\x91\xd5\xb2\x6a\xcf\xb4\x8a\x27\x0e\xec\x0a\x85\x7c\x52\x65\x7f\xf4\x7a\x22\xd5\x79\xd3\x2a\x90\xd2\x65\x6d\x18\x6e\xa9\xdf\x8d\x38\x61\x06\xa8\x95\x45\xd2\x40\xc1\xc8\xcc\xc7\xa8\xbc\xa0\xac\x1b\x97\x25\x36\x80\xb8\xae\x3a\x6e\x6c\xc5\xbc\xb8\x62\xd7\xfe\x56\x26\x7e\xf4\x77\x91\x5c\x86\xd6\x63\x2b\x69\xfa\x1f\xc7\x18\x33\x0d\xf8\x7f\x3e\x16\xbc\x6b\xcc\x69\xd1\x91\xa1\x88\x94\xd3\x4a\x4d\x40\x95\xe1\xa4\x57\xb2\xc9\xf9\x8c\x19\x24\x00\xe0\x69\x98\xa1\x70\xa8\x15\x37\x3c\x30\x6e\xab\x39\x95\x74\x6e\x0c\x33\x56\x65\xde\xb0\x1c\x6e\x23\xcb\x81\xc2\x47\x3c\x1f\x5c\x17\x34\xb9\x0a\xed\x0d\x4b\xf9\xdb\xec\xb6\x74\x60\x19\x65\x4c\x6b\xab\x7d\x49\x03\x02\xd7\x8f\xcc\xda\xee\x80\xee\xd5\xb7\x89\x48\xee\x75\xa9\xa4\x10\x48\x0c\x15\x0a\x34\x25\xad\x65\x2b\x53\x64\xcf\x45\x05\xcd\x42\x74\xad\x43\x0f\xd4\x7c\x54\xa9\xb8\x80\x5a\xb6\x5b\xb8\x84\x1e\xf2\xf8\xa6\x48\x43\x57\xf8\xe3\x85\x28\x19\xfb\x74\x8d\x99\xdd\xe4\xff\xba\x14\x3c\x57\xf4\xef\xca\xba\xeb\x53\xc4\xec\xf7\xc9\xb8\x29\x9a\x75\x53\x88\x0c\xf6\x7a\x2f\xe9\xe7\x61\x32\x05\x6c\x1b\x8c\x58\x91\x28\x24\xa3\xaf\x4b\x2d\xdc\x30\x40\xb7\xd8\xda\xdd\x3c\x50\x31\xe7\x10\xea\x9f\x45\xa2\x98\x46\x1c\xcd\x80\xdf\xa3\x8a\x6c\xea\x29\x22\xbd\x1d\xa6\xa9\xe9\x2e\x66\x92\x58\x1d\x0c\xd3\x08\xba\x40\xca\x5c\xdd\x01\xf0\x83\x99\x15\x69\x99\x0f\x9c\x74\xb1\xdd\xcc\xe7\x6f\x79\x0c\x39\x96\xff\x11\x2f\x78\xb1\xb7\x02\x7f\x6f\x36\x8f\xc8\xa7\x95\xd9\x68\xeb\x21\xe9\x67\x1f\xd5\xe1\xfc\x91\xc7\x0c\xe3\xf5\x3f\xeb\x05\xaf\xf3\x56\xf4\xef\xcd\x86\x35\xb3\x30\xa7\x5c\x98\x3b\x1b\x9b\xfb\xc2\xa3\x3a\xc0\x7f\x9c\x60\x0d\x4b\x76\x40\x89\xd9\xa0\x0d\x67\xd1\xc9\xb8\xc8\xfb\xe0\x7b\xba\xad\x1f\xad\x89\xd2\xff\xd8\x44\xd0\x19\x71\x9d\xd0\x9e\xc9\x5c\x55\x2a\xbc\x32\x12\x18\x2f\xf0\x48\x3f\x8f\x9c\x83\xdc\x06\x70\x5e\x80\x79\xbe\x1a\x62\xd6\xcb\x22\xf7\x78\xfb\xda\x9e\x29\x74\xd7\xa6\xd0\x3d\xb3\xe4\xe5\x9b\x25\x9f\x61\x59\x25\x9f\xb6\x4b\x88\x42\xf6\xa3\x1e\x1b\x97\x47\xa6\xff\xd2\xad\xa2\x7f\xb6\xdf\x8e\x00\x8f\x36\xb3\x54\x05\x42\x46\xcf\x14\x9c\x3a\xaa\x12\x72\xae\xae\x8f\x68\xa5\xc9\x7e\xc4\xd3\xe8\xd7\x3f\xc8\x66\x76\xd3\x21\x3c\xb2\x6e\x3c\x03\x0e\x38\xd1\x42\x17\x95\xd6\x81\x5d\x1c\xed\x51\x5d\xd9\x79\xfc\x19\x19\x4c\xb1\x4f\xda\x4a\x3a\xa2\xcd\x91\x01\xb1\x3f\x5c\x67\x27\xec\xf0\xa5\x08\x52\xdb\xb3\x14\xd3\x98\x73\x15\xc6\x44\x98\xc7\x61\x12\x47\x90\x9c\xf2\x2c\xb1\xda\xc9\xb2\xf3\xfe\xc7\x9f\x12\xac\x0c\x5d\xb5\x61\x24\x52\xae\x9b\xe4\x1b\x74\x5b\x29\x43\xce\xf9\x6c\x12\xef\x21\x50\x48\x25\x1a\x96\x59\xf3\xa2\x37\x2e\x65\xa9\x8b\xde\x55\xb8\x5d\x10\xc7\xdd\xf5\x0f\x5d\xc7\xfe\x62\x1f\xbb\x06\x7f\x6a\xe3\xe7\xff\xbd\x6f\xf3\xb4\x85\x9d\x1a\xe8\x82\x1f\xdb\x77\xd6\x69\x95\x47\xa2\x15\x47\xae\xd6\xa0\x4a\xb6\xaa\x01\xea\x44\x21\x72\xdd\x11\x9b\xe8\x84\x85\x39\x1e\x11\x28\xb9\xc9\xdd\x3e\x83\x61\x4e\xa7\xd3\xa9\xac\x95\x55\x4a\x92\xe2\x59\x12\x61\x6f\xd0\x30\x2c\x36\xe8\x17\x86\xe3\x28\x58\x69\xdb\x31\x4b\x5d\xd2\x85\x5e\x5b\x59\x5a\xc4\x91\x20\x64\x37\x94\x66\x8d\x94\x4d\x1d\xb5\x75\xb0\x42\x83\x75\x90\x91\x96\x9e\x99\x34\x7d\x51\x35\xb6\xa5\xe4\x97\xb5\x09\x14\x0d\x5d\xc8\xba\x87\x95\x67\x22\xa8\x46\x05\x89\x4b\xd6\x71\x49\x27\xa2\xce\xfe\xc1\x39\xe2\x93\x49\x7c\x5e\xf0\x90\x9f\x14\xbd\x24\x1b\x74\x45\x5a\x2e\x66\x49\xb2\x1a\xb6\xce\xc3\xfb\x92\xd6\x17\xf2\xec\xc2\x00\xeb\x65\x28\xae\x3c\xa5\x54\xae\x11\x43\x6e\xf2\x73\xa4\x9f\xd1\xa7\xb5\x29\xd8\x86\x4c\x50\xcb\x89\x71\x27\x8d\x38\xad\x6b\xd5\x4e\xa4\x60\xe9\x23\x3e\x5f\x9c\x8f\x7b\x18\x1e\x36\x44\xeb\xab\x06\x3a\x0c\x0f\x4a\x5c\xf5\x93\x2e\x80\x23\x6a\x64\x0e\xe1\x69\x08\x6d\x5a\x0b\xa8\x4f\x0c\xc1\x57\x4d\xf6\x37\xe3\xca\xdf\xff\x67\xe3\xc1\xcb\xc7\x01\x34\xc1\xda\x74\x1b\x72\x1e\xad\xed\x24\xbb\x43\xaa\x19\xee\xb7\x69\x4b\x02\x2f\x9c\xa1\xb6\xc2\x5c\x50\x4d\x02\xca\xfa\x1a\xbe\x01\x2b\xa6\x5a\x97\x73\x15\x1b\x8a\xb9\x37\x4c\x07\xf7\xf2\x45\x88\xf8\xb9\x33\xdb\x90\x9d\x06\x5b\x52\x96\x47\xb8\x55\x7a\x39\x44\x93\x71\xc3\x34\x66\xd4\x9c\x11\xf7\x40\x6e\x70\xa6\x5f\x6e\x72\x17\x4e\xd2\x5e\xdf\xcc\xa9\x8a\xb4\x01\xfd\x56\x72\x56\x61\x62\x32\xe8\x04\x95\x72\xc7\x3a\x50\x00\xbc\xad\x02\x40\x54\x35\x8f\x64\x20\x05\x33\xaa\xc3\x01\xa9\x8d\x00\x3b\x5f\xdf\x45\x2f\x21\x7d\x52\x0e\x5f\x55\x8d\xce\x6c\x4e\xa8\x0f\x7a\xa9\xfc\x0d\xf1\x4f\xa7\x50\x85\xf3\x9d\x91\x0f\x8c\x72\xd9\x9e\x61\xcf\x60\x73\x9b\x07\xa9\x6e\xc9\xe5\xe5\xea\x3d\x2b\x2e\x3b\x67\x35\x05\xb1\x9f\xaa\xb1\x6b\xca\xb8\x2b\xb2\x7e\xa9\x60\x59\x5f\x51\x53\xe6\xc6\xbf\xf3\x96\x9d\x5b\x55\xd8\x75\xbc\x69\xc2\x5f\x88\xa4\x9a\x7c\x06\x60\xd1\xed\x67\xa0\xba\x08\xc6\x57\x58\x94\x97\x24\x3a\xd6\x02\x63\x79\xb4\xed\x44\xaa\x0c\xe6\x7e\x3b\x8c\x13\x37\x49\x53\x5e\xe9\xe7\x82\x0e\x47\xc2\x1b\xa2\x6f\xa1\x94\xa7\x14\x8b\x55\x51\x6e\x08\x91\xf2\xc3\x08\x52\x77\x88\x17\x38\x18\x67\xab\x5a\x97\x1d\x63\xe8\x2f\x8c\xb3\x6f\xd3\x73\x8a\x71\xd8\x24\x8c\x17\xfe\x1b\xc6\x83\x7f\x1c\x9b\x19\x7d\x53\x69\x0b\x39\x72\x27\x5d\xbc\x53\x9b\x83\x57\x2a\x2f\xae\xa8\x13\x1c\xa7\x56\x9d\xb7\xe2\x42\x8f\xfc\x68\x0b\x73\x54\x88\x18\x67\xa4\xcc\x07\xba\xf6\x0a\x24\xfe\xd1\xeb\x36\x88\x8f\xca\x16\xd5\x95\x7d\x31\x1a\x28\xa5\x38\x3d\x4b\x8b\xb0\x71\x35\x1d\x4c\x1d\x27\x9b\xdf\xf4\xa1\x8e\xfe\x52\xab\x6c\x3c\xac\x90\x26\x04\xa5\x6e\xcc\xb5\x79\xa8\x2b\x96\x46\x66\xe1\x1d\x2a\xb7\x8c\x46\x04\x3b\xa5\x7b\x25\x57\x4c\x5b\x60\x34\x74\x73\x3a\x30\x4f\x40\x21\x12\xc5\x6c\x65\x07\x97\xa8\x83\x50\x07\xaa\x72\x56\x5a\x5d\x95\x2d\x43\xb5\x62\xad\xcf\x8d\xa2\x2a\x8b\x42\x56\xee\x3e\x48\xdb\xe8\xe0\x3d\x2b\x5b\xc5\xe9\xbe\xd5\x63\x8e\x38\xe3\xff\xa8\xc7\x9e\x7e\x99\x1b\x56\x71\x05\xab\xb9\xe0\x69\xf6\x2f\xad\x12\x76\xb2\x0d\xaa\x62\x24\x75\x03\xb0\x6c\x6b\xab\x3a\xee\x49\xa5\x50\xb3\x37\xed\x27\x6f\x24\xda\xa5\xfd\x97\xef\x0f\xfe\xbf\x2b\xac\x0b\x6e\x9b\x1d\xc1\x03\x38\x91\x02\x0d\x95\xa5\x34\x5a\x92\x31\xaa\x29\xdc\x50\x60\x01\xd7\x51\xb9\x08\x05\x0f\x20\x21\x01\x4b\x56\x9e\xd2\xfe\xc9\xa0\xc9\x58\x03\x73\x15\x4e\x0c\x19\xe0\xd4\x81\x1d\x97\x5c\x50\x36\x83\x31\x9f\x1b\x7a\xc5\x20\x54\xc7\xd6\x04\x26\x29\x25\x51\x14\x4a\x15\xef\x66\x11\xbe\xb1\x1e\x87\x52\x0a\x2d\xa6\xd7\x0f\xd7\xd5\x1f\x30\xdf\x28\x4b\x99\xb0\x01\x73\x7d\xb5\x5f\xea\x69\xc0\x7e\x21\x31\x46\xdc\x98\x4b\x4e\xdc\x1d\xc8\xc6\x82\x7b\x64\xa3\x4a\x87\x97\x57\xd7\x0f\xcb\x6b\xfa\x58\x3e\xc1\xef\x0e\xac\xee\x05\xf7\xac\xd4\x6d\xb3\x63\xe6\x74\x89\xc3\xb8\xaa\x1d\x22\x89\x90\xce\xc0\x11\x52\x21\xce\xab\x9e\xe7\xe1\xc9\x8d\xdb\x6a\x3e\x1c\x67\x44\x82\x1b\x35\x4e\x31\xb6\xb0\x0e\x11\xe2\x38\x61\x58\xe8\xc6\xd8\x72\x64\xcf\x68\x1b\x3e\xe2\xd3\x2f\xaf\x7f\xf3\x4d\xff\xaa\x50\x06\x14\xb2\xf0\xe0\x8b\xd0\xdb\xd1\x6b\x62\x43\xca\xd2\x8e\x70\xa2\x3d\xc7\xd8\x95\x52\xa0\x3d\xd5\x6e\x4b\xae\xef\x7f\x62\x2c\xf8\xe5\xb1\x25\x73\x01\x65\x20\x4b\x41\xb1\x0e\x5d\xd0\x41\xe4\xcb\x5c\xe0\xc3\x4d\x3e\xd3\x6a\x89\x1e\xd6\x29\x31\x3b\xf1\x84\xaa\xde\x54\xe7\xf3\x59\x2a\xea\x7c\x29\xeb\x0a\xfc\xfb\x6c\x7a\x32\x1f\x2c\xf6\x53\xae\x65\x1d\x60\x21\x76\xa3\x58\xf0\xc7\x2e\x36\x23\x05\xb0\xb4\x15\x27\x31\x31\x73\x80\x64\xa9\xf3\x02\x32\x2d\x42\x2b\xdf\x7d\x80\xe2\xda\xf3\x74\x41\x99\x90\x50\x20\x78\x51\x8a\x9e\x3a\xb7\x8c\x24\xd5\xea\x80\x5f\x83\x34\x4a\xa7\x13\x50\x37\x00\x90\x20\x52\xa1\x81\xac\xfb\x69\x94\xa5\xc2\x41\x0a\x20\xfe\x17\xe1\xa8\x42\x95\x86\xa3\x65\x0e\x00\x94\xd1\x5d\x42\xdd\x60\xa0\xb7\x8a\x39\x34\x68\x12\xd4\x2a\xdc\x72\x8b\x9a\x43\x49\x1e\x72\xfe\x5c\xb0\x60\x55\x1e\xab\x52\xcf\xea\x6a\x3a\x5d\x88\xed\xfe\x94\x17\xbc\xc6\xbb\xdd\xbe\xe4\x30\x5e\xc7\xa4\x26\xf2\x3c\xcb\x2d\x53\x93\x99\x25\x6d\x74\x92\x4c\x16\x0b\x31\x45\xbc\x61\x4e\x52\xc3\x81\xe7\x30\x58\x3a\xcb\xb9\xfc\xa8\xdb\x63\xbc\xe7\x22\xca\x7b\x0c\x94\x73\xff\x8f\xbc\xe0\xb3\xde\x72\x25\x20\x7e\x48\x1d\x6a\x22\x66\xb5\xa9\x80\x54\xc1\x6a\xa9\x73\xd1\x5c\x6b\xd6\x79\xdc\x0d\xd7\x04\x1d\xaf\x4e\x68\x03\xc4\xa3\xcb\x83\xc2\x7a\x22\x18\x15\x8b\xef\xe8\xbd\x4e\x13\xa3\x9e\xce\xf2\xb5\x30\x55\x49\x5b\xa3\x31\xe3\xbe\x3c\xc1\x1e\xaf\x5d\x3a\xda\xc4\xf0\xf1\x89\x87\xc1\xc4\xf0\xa2\x89\xf9\x6a\xc3\x3b\xb1\x32\x80\x6e\xa0\x14\x58\x2d\xf6\x9a\x5d\x6f\xc5\x51\x68\x27\xd3\xd6\x1a\xfe\x9c\x63\xae\x20\x9c\x0d\xb0\x8c\xea\x96\xea\x26\xf6\x01\x22\xf6\x0b\x29\xb8\xb5\xb3\xbc\x8b\x5f\x27\x91\x4e\xc7\x17\x2a\x7d\xb7\xd2\x72\xa1\x0f\x0a\xa5\xbc\x15\xad\xac\x67\x05\xb9\xd4\x31\xbd\x4a\x0a\xb2\x52\xb9\x2e\x2a\x1c\xd2\x39\x48\x36\x9b\x1a\x1d\x53\x4c\xc1\x4b\x66\x36\xc8\x30\x50\x8d\x2d\x08\xf2\x7e\x0a\xa8\xa2\x01\x14\x7e\x38\x84\x72\xc8\xe1\xe0\x26\x8e\xe8\xfc\x31\x95\xab\xb2\x27\x8d\x87\x05\xc1\x87\x14\x27\x78\x30\x44\x20\xc1\x09\xfe\x03\x8c\xf3\xa0\x1a\x50\x15\x9c\xe0\x77\x33\xce\x39\xdc\x95\xff\x41\x30\xd5\x09\xab\x0b\x75\x75\x43\xc5\x56\xc9\xbb\xf3\x59\x39\x97\x9a\x5b\xb8\x6f\x75\x5b\x70\xed\x90\xbe\xcd\x65\xdf\xe9\xef\x7b\xe0\xff\x2f\x64\xf2\xaf\x17\x32\x06\x98\xf9\x45\x29\xc2\xc8\xa9\x3b\x00\x87\xe6\xa5\xcf\xe5\xa8\x18\x8d\x40\xa4\xeb\x71\x9e\xa5\x92\xff\xe3\x74\xf6\xf2\x2c\xc2\x19\x2d\xca\x70\x2d\x4e\xd7\x82\x9b\x1e\xbd\x69\xb5\x7b\x33\x72\x66\xb7\x9b\x56\xe8\xbd\x35\xb3\x6a\x0c\xa3\xe7\x77\x49\x88\x87\x01\x8c\x9a\xcc\x5f\x6d\x95\x27\x42\x14\x5f\x0c\x47\x30\x16\x46\x6a\xb8\x4c\x93\xd2\x0f\x4f\x54\x50\xe9\x20\x6b\x41\x67\xb1\x9e\x16\x61\x81\xb0\x08\x5f\x3e\x10\x7c\x8f\xfe\xe5\xba\xfe\xe0\xf2\xd6\x81\xfc\x1f\xda\xf3\x5e\xed\xda\x7b\x95\xa8\x40\xfe\xd6\xa5\x06\xf2\x6f\x5d\xf4\x6b\xe4\x9a\xef\xf9\xca\xf6\x42\xf8\x55\x08\xff\xea\xf6\x1e\xa9\xa7\xf9\xb7\x34\x46\x03\x96\x3b\xd4\x55\x09\xe9\xd7\xfc\x84\xb1\x9f\x9b\x60\xdf\xb9\x69\x55\x0c\x60\x40\xaf\x98\x08\xbe\xdb\xfc\x74\x69\x1f\xaf\x8f\x66\x3d\xff\xbc\xc7\x7a\x76\xcd\x7a\x1e\xd4\xe5\x1a\x7e\xda\x0b\xda\xa3\x98\x8f\x5d\x5b\x7a\x74\x27\xb7\x3a\x0f\x1d\x93\xdf\x34\x36\x66\x33\xb0\xa7\xb0\x29\x76\x70\x87\x25\x54\xf6\x38\xd7\x5e\x11\x06\xbb\x08\xc3\xe2\xf6\xdc\x6b\xda\x6f\x8c\x42\xf2\x35\xdc\xa6\x9a\x6a\xf4\xba\x09\xf6\x24\x3b\x15\x2e\x8b\x30\xbb\xa0\x9f\x96\x71\x57\x40\xda\x2e\xf0\xac\x3f\x3f\x10\x1c\xad\x5e\xac\x80\x90\x59\x77\xb7\x16\xa1\x3e\xb8\xc7\xc7\x76\xcd\xc7\xce\x2b\x36\xb6\x7a\xa9\x22\xd4\x61\x36\xcd\x1a\x9b\xe7\x42\x8e\x20\x80\x3d\x3e\xb4\x27\x41\x29\x09\x2a\xdc\x9e\x07\xdd\xea\xdf\x6c\x92\x20\x25\x39\x55\xe1\xed\x2a\x6c\xa4\xca\x92\xde\x76\x45\x15\x50\x2a\x2b\x5a\x21\x14\x46\x5c\x3f\x82\xfe\xa2\x53\x17\x70\x97\x9e\x11\x65\x1e\xb7\x28\xfb\xe9\x1b\xfb\x82\x74\xd4\x8d\x4a\xa5\x77\x95\xce\xa3\xeb\x63\x6a\x10\x8d\x2e\xbc\x34\xd2\xb0\x12\xa6\x03\xfe\x0c\x3d\x6a\xc5\x65\x2e\x7a\x0c\xdf\x99\xa7\xe8\x1e\x6c\x1a\xd0\x42\x1d\x8e\xf7\x5b\xe3\xec\x35\x1e\x73\xee\xfb\x3f\xb8\xab\xa4\xa0\xe0\x69\x76\x63\xd5\x54\x25\x3d\x36\x30\x75\xe1\xb0\x26\x43\xb9\x65\xef\xa3\xf7\xa7\x58\xc4\xac\xce\xfb\x77\x05\x73\xe6\x57\xd5\xc0\x18\xaa\x36\xc0\x23\xd6\xc6\x3a\x6d\x6a\x51\x78\x9c\xaa\xdb\x84\x79\x6e\x93\xff\x03\x1e\xbb\x06\xef\x6a\x8b\xe3\x1b\xbc\x87\xc1\xe2\xb8\xe0\x36\x6a\xbb\xeb\xe2\x48\x52\x2e\xe4\x39\x90\xf7\xac\x05\x2e\x73\x05\xc0\x23\x17\x14\x22\x2d\x10\xf0\x03\x1b\x6a\xb2\x77\x79\xec\x09\x34\x7f\x33\xeb\x22\x0f\xd7\x10\xf5\xd5\x7f\xdd\xa5\xec\xd9\x11\x0b\xf5\xcc\x11\x8d\x6e\xba\x5e\x34\x91\x21\x3e\x1b\x51\x5a\x2b\x4d\x36\x14\x0d\x8e\x8a\x26\xfb\xeb\x6b\xd9\x53\xb6\xdc\x21\x47\x9a\xce\xce\xf8\xf0\xb5\xc1\xad\xce\x8e\x70\x11\x7a\x92\xb0\x28\x1b\xb9\x08\x23\x8a\x3d\xc1\xda\xb7\x98\x89\x49\xb3\x73\xd1\x1b\x97\xfc\xcd\x21\xea\xaf\x3f\x8e\x7d\x6a\x8c\x3d\x9e\x32\x13\x44\xae\xd2\x80\xfc\xf7\x8f\x6d\xe5\x08\x1e\xd1\xd9\xd9\x6a\x13\x76\x67\x83\xaf\xd7\xf4\x27\xec\x6c\xa2\xb6\x3c\x35\x20\xde\xd8\x40\x9c\x10\xa5\x17\xfd\x56\x07\x01\x9c\xb3\x42\xb8\x2e\x7f\x83\xbf\x9d\xaa\x34\xc5\x29\xe3\x5c\xb7\xb6\x38\x4d\x11\x56\xd7\xa1\xc9\x30\xfd\x88\x53\x4c\x6c\xec\x65\x1a\x82\x59\xad\x25\xac\x94\xca\xe8\x40\x88\xe7\xd9\x85\x73\x50\x73\x47\x74\xb3\x7c\x30\xd5\xe4\x4b\xb2\x7f\xd8\x59\xf4\x59\xac\xf6\xe3\x04\x23\xcc\xec\x3e\xa0\xf4\x01\x71\x64\x30\x86\x30\xe1\x6a\xcf\x65\x3d\x1d\x18\x55\x66\x3d\xdc\xe9\x72\xac\xe1\x7a\x18\x27\xe0\x09\x2b\x33\x9e\x66\x79\x37\x4c\x20\x6b\x4f\xf6\x53\x7d\x10\x4b\x06\x81\x89\x53\x92\x53\xc0\x89\x62\xd9\xdf\xd7\xd8\x01\x41\x0c\xd4\xff\x46\x6d\x8b\xf0\xd1\x51\x8b\x38\x8a\xf5\x06\x6f\xaf\xa9\x06\x9d\x15\x73\x19\xae\xc2\x29\xdb\x39\xe3\x85\x42\x0e\x58\x29\xc8\xe6\x44\x26\x6a\xd1\x02\x02\x23\xaf\x3d\x08\x14\xad\xac\xdb\xcb\x52\xf0\xd6\xe6\xfd\x14\x10\x7b\xb2\x7e\x09\x3e\xb7\xac\xad\x2d\xf9\x93\x6d\x63\x9c\xe7\x89\x48\xd7\xca\x8e\xbc\x7d\x5f\x5f\xf4\x21\xc1\xb3\x95\x64\x7d\x39\x9d\x45\x01\x16\x54\x55\x63\x00\xe2\x05\x9f\xb9\xb0\x84\x9f\x72\x10\x9d\x36\xff\xd8\x54\x93\x7d\xc4\x53\x7b\xca\xff\xc0\x36\x10\x82\x43\x93\xae\x23\x91\xcd\x94\x97\x5a\xc8\x32\xf3\x4d\x13\x3d\x8a\xa6\xcf\x57\x27\xd7\x19\x7e\x9d\x77\xe2\xb2\x68\x48\x12\xc2\xb8\x21\xf2\xd9\x68\x98\x1a\x0c\x54\x6c\xb2\x37\xd6\xd8\xb8\xa4\x26\xff\xd5\xb5\xcd\x43\xaa\x47\x0e\x61\x21\x8b\x0a\x67\x00\x9f\xf4\xa0\x22\xd6\xd6\xfd\xdf\xd9\xee\x73\x46\x02\x45\x65\x43\xc8\x4b\x28\x1a\xbd\x3c\x6b\x89\xa2\x10\x91\x35\xb6\x29\xc8\xce\xd1\x4e\x64\xed\x3d\x55\xcc\xb8\xcc\xd6\x04\xa5\xc7\x81\x53\x76\x55\x20\x64\x5c\xb7\x17\xe6\xa6\x38\x04\x7d\x1b\xd1\x15\xd8\x9b\xc7\xd8\x01\xc5\x9f\xfc\x57\x8f\x5d\xe2\x9e\x1a\xc9\x0f\x3f\x5e\x7b\x4c\xb8\xe0\xbf\x3e\x7e\xf7\xce\x1a\x83\x53\xcd\xff\xa9\x5a\xf0\x9a\x9a\x2a\xcd\x07\x6b\x48\x25\xae\x95\x5c\xa3\x32\xbd\x54\xf5\xf2\x55\xa1\x40\xe0\x82\xa1\xb3\x2b\xa8\xf3\x40\xf1\x42\xf9\x37\x6e\x51\xf9\xd7\x02\x7c\x3d\xcb\x79\x60\x3d\x0b\xd3\x5a\xc1\x7d\x0c\x8d\x7b\xd2\x41\xf9\x57\xdc\x6f\x3e\x2b\xc5\x89\x51\x9f\xd6\xf5\x05\xcd\xbc\xa0\x43\x95\x82\x09\xb1\x8e\x4e\x63\x4d\x9e\xf2\x77\x2e\xcc\xe8\x06\xce\xd0\x54\xc5\x05\x17\xa9\x7c\x2d\xb2\x65\xb8\xbf\xd9\xef\xd8\x08\x94\x91\xea\xf6\x44\x5c\x70\xca\xfd\x7c\x7c\x7f\xd0\x31\x17\x1d\xe4\x11\xbe\x26\x52\x21\xa7\x72\x5d\xdd\xd3\x6a\x61\x48\x35\x0a\xb2\xf5\x18\xf5\xfc\x69\x5d\x18\x88\x8a\xdb\xa5\x5c\x5c\x10\xaa\x78\x05\x06\xb6\x36\x2f\x7a\x57\x44\x79\xbc\x2e\x72\x47\x24\xf9\xe8\x15\xec\xa3\x9e\x2e\x06\xf4\x21\x2f\xf8\xb9\x2d\x8a\x01\x3d\x6a\xb5\x7d\xac\xe6\x23\xd1\x13\x72\x91\xb3\x94\x5b\x33\x85\x30\xb7\x8e\xdc\x7c\x96\xed\x27\x9a\xf7\x4f\x06\x07\xcf\x12\x68\xe0\x09\xae\x70\x42\xbb\x5d\xcc\x38\xa0\x74\x03\x40\x19\xdd\x0a\x6b\x82\xbd\xd8\xb3\x8a\x46\xaf\x07\x1d\xd3\xe4\x50\xfd\x67\x3e\x69\x6a\xda\x43\x49\x8a\xdd\x94\x97\x76\xf2\x73\x7f\xa7\x66\x17\x93\xfe\x58\x8d\x5d\xbf\xad\x29\x14\xea\x47\xe1\x1e\x32\x25\xa5\x5f\x55\x33\xdd\xd7\xe5\xa6\x79\x4c\x87\x06\x80\xf7\xa9\x12\x12\xb6\x39\x57\x09\x70\x78\x68\xa7\x45\x5c\xc6\xeb\x0e\x78\x1d\xc4\x77\x87\x85\x36\x0a\x21\xb1\xd1\xfa\x14\x94\xde\x6a\x67\xb6\xca\x99\x4f\xb3\xca\x57\x62\x07\x90\x8f\x02\x07\x46\x76\xa4\x40\xb7\x28\xd4\x9e\x96\x0c\x05\x1f\x42\x9c\x3a\xfc\x1b\xf9\x25\x44\x15\x47\x9b\xf4\x8a\x9d\x65\xb4\x17\xfc\x53\xc1\x0d\x27\xe1\xaf\x51\x21\x22\xf8\x8c\x8e\xa6\x55\x31\xac\xb8\x23\x1d\xe2\x7b\xe7\x18\x7b\xda\x36\x40\x04\x0b\x79\x9c\xe5\x71\x39\x38\x2d\xd6\x45\xe2\x44\x73\x93\xce\xf1\x95\x5a\x70\xd7\x76\x0f\x55\x4b\x3e\xe9\x23\xc5\xa8\x21\x01\x1d\x55\x8d\x1e\xb5\x15\xb8\xd8\x24\x0f\x79\xec\x1f\x3d\xc6\xe4\xf1\x8d\x34\xe4\xff\xb9\x17\xdc\xb0\x62\x7e\xaf\x54\x75\x2d\xdd\xf8\xc8\xa6\x8d\x9d\x6c\x99\x2d\xb2\x85\x4d\xc9\xf3\xd2\xe6\x64\x56\x75\xe7\x21\xef\x20\xfb\x8e\xe1\x54\xce\x6e\xd8\x6b\x9c\x17\x83\xc2\x9f\xf0\xf7\x37\x80\x07\xb1\x6d\x92\x3e\xbb\x61\x8f\xb1\x57\x5f\xc9\xbe\x67\xb8\xae\x43\x73\x16\x45\xcb\xc5\x2c\x11\xb7\xc5\x00\x31\xe1\x7f\x95\x05\x6f\xf3\x86\xaf\x9b\xfd\x22\x79\xb4\x75\xbf\xae\x41\x90\x35\xb6\x6e\x89\xe7\x5f\x2b\x4c\xad\x5d\xe6\xbc\xa4\x8e\x29\x92\xee\xad\x88\x1b\x40\xc2\x8c\x22\x88\xbd\x70\xf6\xdb\x7a\x1c\x72\xc2\x00\x6f\x5e\xf4\xf6\xe7\x59\x22\x16\x45\xdb\x59\xe1\x5f\xdc\x2b\x52\xbe\x97\x2e\xfa\x18\x1a\x70\x3b\x96\xfd\xf6\x39\xbb\x4c\x17\xdd\xba\x4c\xce\x47\x3c\xa6\x76\x80\xff\x4b\x1e\x9b\xdc\xae\x80\x0b\xd4\x6e\x59\x14\xed\xe0\x15\x1e\xfd\x65\xca\xac\x5d\xe2\x16\xd5\xc7\x94\xd5\x90\xce\x3c\x2a\xb2\x64\x5d\x15\x17\x9b\x31\xf0\xe1\x90\x78\x92\x8b\xb2\x9f\x83\x4a\x08\xb1\x9b\x4d\xf6\x52\x8f\x1d\xa0\x6c\x83\xc2\xbf\x10\xdc\x42\xbb\xbb\xe0\x9d\x2c\x89\x0a\x9b\xe1\xd0\x56\x52\x61\x59\x90\x4f\x29\xbb\x68\x25\x4e\xda\xfc\xb8\xce\xae\xdb\xc1\x94\xd0\xe7\x1e\xf2\xee\xdb\xde\x50\x3d\xef\x9f\xbe\x84\xaa\x2c\xc3\xdc\xb3\x6a\xb8\xfe\x17\xe6\x78\xfe\x55\x97\x2c\xac\x9e\x3f\x60\xc1\xdb\x3d\x0b\x26\x07\xe7\xc4\x11\x40\x00\xaf\xc5\x2e\x62\x8e\x21\xb3\x79\x5f\x31\x65\x9d\x27\x32\x0a\xf5\x1c\xd3\xdb\x24\x97\x2d\xa9\x84\xa2\x35\x9d\x52\xf5\xc0\xf8\x29\x13\xfc\x36\xe2\x31\x0d\x56\xe3\xb0\xe1\x9f\x9e\x60\x7f\xe7\x80\x28\x7c\xcd\x0b\x3e\xe1\xcd\x2c\xcc\xb9\x90\xef\xb6\xc0\xa1\x6e\x52\x5a\xa4\x41\x3c\x11\x36\x40\x9f\x03\x62\x6b\x23\x28\xe4\x96\xd2\x5a\x07\x43\x10\x2a\xef\x8a\x6b\x58\xe9\xa5\x56\xa6\x8f\x48\xfb\x5d\x29\xa7\x5b\xa1\x98\x00\xc1\x2e\xdf\x37\x31\xfd\x5a\xb7\xa7\xda\x80\x5b\xe4\xb9\x7c\x78\x8c\x3d\xce\x2a\xf8\x70\x6e\xf1\x74\xe1\xbf\x6b\x2c\x78\xd5\xd8\xbc\x7b\x91\x38\x2a\xc2\xa1\x41\x99\xcc\x30\xe1\xfd\x3c\x21\x88\x97\x10\xc1\xcf\xe9\x84\xc1\xd2\x70\x58\xff\x40\xf2\x3e\x7e\x1d\xe1\x6c\x61\x7f\x2c\xc0\x94\xd0\x94\x84\xac\xf3\x76\x2c\x0f\x1b\x3b\x8e\x1c\x6a\x7c\x22\xdc\xbf\x53\x08\x02\x7a\xa4\x2a\x20\x1a\xc8\x9e\x7a\x15\x88\x47\x95\x64\x8c\x5b\xa0\x2d\x4a\xa9\xd0\x22\x74\x6b\xbf\x52\xe2\x61\x38\x62\x1f\x34\x39\xe6\x6f\x4a\xe6\xa3\x2a\x89\x52\x95\x47\x98\x72\x0b\x66\x45\xd9\x24\x48\x13\x87\x58\x4a\x94\x73\xb1\x06\x60\x75\x0c\x54\xf3\xd3\xbc\x27\x19\x77\x30\x55\xe7\x5a\x3e\x59\xcd\xca\xce\x56\xcb\xf7\x2e\x8f\x5d\xad\x5a\x84\x20\x65\xff\x27\xbc\xe0\xf9\x8b\xf6\x15\x95\xc4\xa6\x90\xd9\x37\xe4\x31\xa1\x5d\xa9\x30\x79\x04\xd3\x33\x62\xb3\x70\x83\x13\x29\xd7\xbe\x2b\x42\x05\xea\x63\x82\x13\xe1\x03\xdb\x53\xda\xcb\x3c\x1b\xc3\x66\x10\xdc\xb3\x68\x08\xd8\x76\xee\xda\x89\xaf\xba\x6e\xba\xdd\x23\x5d\x9d\x23\x71\x2a\xef\x3a\x88\x32\x5b\x75\xe4\x7d\x1a\xfc\xe5\x41\x2f\xf8\x51\xef\x2e\x80\x6c\x71\xba\x80\x97\x90\xb0\xf5\x52\x9f\x3e\x4d\x2a\x21\x7e\x42\x8a\x19\x68\x61\xd2\x85\x41\x16\x09\x5a\x09\x94\x56\x65\x4d\x37\xa9\x78\x98\xe2\x04\x8d\x8f\xe8\x3a\x9c\xcc\x5b\x75\xfb\x4f\xae\x61\x4f\xdd\xa2\x90\x09\x0a\xe9\xa3\x4b\xb5\xfb\x3f\x73\x4d\xf0\x23\xfb\x46\xdf\x33\x2c\xc5\x41\x3c\x24\x4b\xa2\xa3\x5b\xc0\x16\x97\xdb\x80\x42\xca\x8d\xaf\xc9\x3a\x69\x11\x2c\x52\x1e\x9b\x56\xc6\xa4\x6a\x8d\x94\x4b\x48\x36\x83\xcc\x5e\x32\x19\x80\x11\x8c\xa0\xb9\x41\xe0\x3a\x58\x70\x67\x80\xbc\x9b\x45\x4a\xd2\x4e\x07\x2a\x93\x42\x5c\xe8\x89\x3c\xc6\xfd\x1b\xf5\x73\x25\xd9\x51\x82\x3e\xe4\x0a\x6c\x32\x68\x93\xe1\x00\x7e\xb5\xd5\x01\x3f\x37\x07\x87\x48\xd1\xc9\x36\xa6\x3b\x71\x24\x54\x9f\xc1\xee\x5d\x66\xfc\xbe\x7e\xdc\x3a\x9f\x0c\x78\x22\x20\xc1\x5a\x25\x98\xf3\x5c\x84\x85\x5d\xc4\x25\xce\xe5\xf4\x50\x5e\x45\x01\xb6\x7c\xfa\xd8\xfc\xd9\x65\x7e\x9b\xf9\xa0\x76\x1d\xa0\xf1\x04\xbe\x0e\x4a\x6c\x65\xe4\x91\x68\xc5\x94\x47\xa9\xb6\x44\x18\x17\x58\x17\xa4\x0d\x8d\x45\xa2\xd7\x2f\x07\x75\xde\x0a\x5b\x90\x33\xda\x16\x65\xdc\x15\xd3\xb9\x58\xcf\x5a\x84\x5a\x2f\x27\x0e\xcc\x70\xad\x32\x25\x90\xf2\x96\xc8\x65\xff\x46\xd4\x28\xc2\xc7\xc1\x34\x61\x5f\x06\x86\x5b\x2a\x7c\xbf\x56\xc9\x37\xc2\x01\x41\xe8\xa0\x1b\x6f\x64\xa7\xad\xa4\x4e\x02\xf7\xbd\xe8\x01\xa6\x88\x73\xfe\xbe\x6a\x4f\x0d\xda\x53\x83\xfe\xb5\xa0\xe6\xbc\x56\xa1\xe6\xbc\xcc\xdb\x2a\xc9\xff\x12\x18\x38\xe0\xe7\xdc\x08\xe5\x67\x86\x85\xea\xa1\xfa\x51\xe4\xba\xd1\x38\x25\x4d\xf6\x6e\x83\x9b\xf3\x76\x8f\xdd\x71\xa9\x7d\x1a\xee\x0f\xfa\x6a\xee\x52\x21\x28\x52\xe6\x02\x14\x85\x38\x55\x46\x65\x4a\x73\x07\x58\x13\x27\x42\xa5\x72\xc0\x84\x43\xc7\x4a\xf3\x21\xaf\xbf\xbd\x7a\xb3\xe8\x2f\x68\xf5\x66\x4b\xcd\x66\xf4\x8c\x8e\x04\xdb\xf9\xc8\x95\xec\xbb\x37\xf3\x59\x1d\x6e\x2e\xb5\xc2\x44\xf8\x6f\xbd\x32\x38\x02\x7f\xb9\x1e\x00\xe5\xca\x51\x4b\xe0\x16\x03\x73\xad\x7a\x2f\x66\x7b\x7b\x75\x17\x7b\xf5\x73\x76\xcc\xd9\x47\xbd\xdd\x1a\x2d\xac\xe8\x57\x95\x7c\x47\x8d\xdf\xf4\x68\x05\x9e\x35\xe5\x98\x90\x65\x7c\xc2\x63\x87\x77\xe6\x44\x25\x82\x04\xd6\xf0\xe3\x9e\x7d\x3c\x56\xa1\xb4\xc0\x87\xf9\x88\xaf\x96\xec\x7e\x23\x4c\xa3\x06\x32\x9a\x26\xfb\x7d\xc3\x74\x7e\xdb\x63\x47\x2f\x6d\x54\xc8\x60\xde\xe4\xd9\x76\x6d\x83\xc8\xf5\xd8\x8c\x08\xdc\x41\x0d\xa9\x54\xee\x15\x7d\xde\xad\xb4\xf2\x90\x77\xd7\xf6\x3c\xfe\xa8\x7f\xd8\xe6\xf1\x8a\x4a\x0c\x6b\x97\x64\x50\xb5\x53\xfd\xf9\x38\x9b\xbb\xec\xf2\x12\x4b\x18\xec\xa2\x7d\x71\xfe\xc5\xf1\xe0\xa6\xea\x45\x3a\x83\x43\xd7\x1f\x47\x4f\x35\x13\xb1\x16\xb6\x06\x34\x79\x17\xbd\x09\xad\x1b\x11\x4e\x9a\x73\x14\xfc\xca\x18\xbb\x95\x32\xb4\x8f\x07\x53\xe9\x26\x85\xcb\x28\x04\xc7\x64\x3e\xdb\xec\xf0\x0c\x33\x9f\xf0\xbf\x2f\x38\xea\xa4\x7e\xba\x59\xc6\x3b\x69\xee\xd9\x6c\xbc\x17\x96\x1d\xff\x99\xc1\x49\xb0\xbe\x54\xac\x07\xca\x6a\xc1\x43\x05\x4c\x33\x84\xcc\xb2\x4a\xa1\x64\xad\xb2\x92\xa2\xfd\x19\x8f\x8d\xf7\xb2\xbc\xf4\x3f\xe6\x29\x6c\xa2\xf7\x7a\x50\x85\xa9\xf2\x11\xea\x20\x55\x68\xda\xd9\x87\xf8\x8a\x7c\x7a\xc5\xd2\xec\x42\x2a\x07\x02\xad\xa4\x58\xbc\x70\xf2\x70\xe3\xf8\xf5\xd7\x1f\xbd\xbe\x8e\xd8\x13\x45\xbc\x2e\xa6\xdc\x24\xfa\x63\xc7\x8e\xc2\xe1\xad\x0a\xae\xb9\xf5\xd6\x5c\x5c\xa1\xcf\x8f\xb1\x59\x22\x35\x49\xc8\x8d\x70\x6d\x2d\x17\x6b\x50\xa5\xd2\x26\xb1\x0a\x28\xcc\x30\x91\xbd\x72\x6c\x57\x44\xe6\x50\xd4\xaf\xd5\xd8\x31\xa2\xa8\x7a\xf0\xdd\x9b\x95\xc2\xa3\x19\xb6\x57\x67\xd6\xa6\xa3\xe3\xc1\xd4\xfc\x4e\xe9\xc8\x6e\xe4\x37\xd4\x12\x7f\x40\x2f\xf1\xdb\xbd\xb9\xb6\x6d\xea\x04\xbb\x9e\x5c\x12\x4b\xe1\x8f\x55\xac\x44\x27\x43\x88\x76\x8d\x47\x60\x65\xcd\x6e\xb3\x32\xbb\x20\x00\x67\x51\x7f\xcd\xc5\x9a\xb5\x8a\x8f\xd2\xf2\x2d\x67\xe7\x45\x4a\xf8\x14\x50\x21\xf2\xd5\x13\xc1\x9d\xd5\x8b\xc6\x20\x4c\x12\x16\x84\x80\x40\x99\x81\x30\x0f\xbb\xa2\xa4\x62\x66\x21\x2f\xe5\x9b\x16\x94\xfa\x44\xd8\x8f\xc0\xa6\xe1\x5a\xa8\x1f\x38\xc0\xde\x38\xc6\xcc\x4d\xff\xe5\x63\xc1\x5f\xd6\x66\xd4\x4f\xad\x9c\xcb\x61\xa4\x91\x48\x23\xae\x1f\x55\xeb\x05\x5f\x6a\x02\xda\x77\x2b\xee\xc5\x54\x4b\x44\xf5\x00\x1c\x1e\x18\x5d\x5c\xb6\x41\x86\xef\x02\xbe\x00\x05\x2a\xaa\xc0\xe3\x18\xe3\x43\x4b\xab\xb8\xf7\xe8\x0f\xe1\xd1\x03\x28\x02\x1b\x71\xa1\x41\x25\xe8\x1c\x72\xfa\x83\x1d\x88\x8b\xa2\x4f\x01\xd8\xda\x62\x6e\x9a\x26\xd3\x91\xc6\xe1\x35\xcb\x22\xb4\xa1\x1c\xf2\xe0\x09\xda\x42\xbf\x48\x60\x38\xab\xfd\x12\x10\x4f\x10\x2a\xa7\x13\xaf\x75\x78\x24\xd6\x72\x81\xd4\x9c\x63\xb4\x0c\x62\x8c\x59\x71\x6e\xba\x99\xad\x2c\x73\xaf\x19\x63\xd7\xac\x66\xfd\x34\xd2\x81\x1c\xfe\x3f\xd5\xb6\xa9\x96\xec\x92\xd4\x6d\xce\xdb\x14\x06\xf2\x81\x9a\x7b\x19\x35\x04\x87\x1d\x54\xb0\x19\xf5\xa4\x6a\xfe\x08\xdd\x02\x61\x7e\xd9\xbd\x07\xa6\xf1\x55\x41\x3b\xa4\x8d\x19\xfd\x49\x96\xae\x29\x93\x3c\xbe\x49\xad\x43\x29\xd3\xa2\xc9\xe7\xcf\x2e\x9f\x3a\x01\x4d\x19\x7b\xce\xc1\x82\x13\xf1\x93\x39\x91\xb4\x0b\xf8\x0c\x01\x8c\x21\x69\xba\xc3\x21\x2f\x00\x1a\xd4\x9d\x65\x4e\xb3\xb2\xc9\x9f\x21\x44\x8f\x9f\xba\xd0\x8b\x29\xa4\x42\x61\xd7\x75\xc3\x24\xe1\x71\xdb\xe0\x22\xf4\xf2\xac\xdb\x93\x82\x91\xb2\x76\x35\xd9\x3f\x79\xec\xf1\xa2\xfa\xaa\xff\x35\x64\x49\xc7\x8f\x05\xbf\xed\x0d\x37\x1c\x3b\x25\x0d\xd0\xa0\xa8\xe5\x32\x18\x46\x5c\x0e\x4c\x41\x14\xaa\xd0\x6d\x66\x15\xa8\x37\x27\x51\x0b\xbd\x86\x7a\xbe\xe5\x06\x72\x6b\x63\x62\x6b\xfa\x13\x05\x00\x4b\x23\xa3\xc0\xa2\xc5\x65\xc6\x5b\x1d\xd1\x3a\x0f\x9f\x3b\x68\x06\x73\xd0\xc4\xcc\x81\x7a\xd9\xcb\x52\x28\x68\x63\x31\xb0\xaf\xef\x67\x37\x6c\x5a\xff\xcd\xae\x58\xb9\xa0\x39\x91\x39\x8a\x7e\x76\x7f\xf0\xc2\xff\x9f\xbd\x3f\x81\x8e\x24\xab\xee\x84\xf1\x13\x52\x2d\xaa\xd7\x0b\xdd\x01\x63\x7b\xc6\x78\x78\x13\x6d\xbb\x4a\x45\x66\xaa\x54\xd5\x1b\xd5\x4d\xd3\x6a\xa9\xaa\x5b\x50\x55\x2d\x24\x55\x35\x0d\x63\x50\x28\xe3\xa5\x32\x50\x64\x44\x12\x11\x29\x55\x82\x99\xe9\x61\x31\x86\xb1\x59\x3d\x78\x28\x0c\xc6\x36\x06\x1b\x63\x33\x98\xcd\x18\x83\x17\xdc\x36\x98\x01\xfc\xe7\xcf\x62\x1b\x9b\x61\x3c\x8c\x57\xbc\x8c\x61\xfc\xd9\xfd\x79\xf9\xce\xbb\xf7\xbe\x2d\x32\x53\x52\x95\xba\x1b\x8e\x8f\x38\x87\x2e\x65\xc4\x8b\xb7\xbf\xfb\xee\xfa\xbb\xdb\x94\x31\x94\x00\x6e\x6d\xb9\x13\x14\xd3\x0a\x1e\x44\xd5\x54\x9b\x3a\x2f\x83\xf2\x40\xce\x72\x73\x97\xd4\x2b\xc0\x22\x8d\x4b\x1e\x08\xc6\xc3\x98\xa5\x1f\x3c\xc0\x7e\xcd\xb3\x6f\xa9\xf7\x7a\xc1\xdb\xbc\xed\xef\x29\x2d\x31\xa3\x5e\xc4\x18\x7d\xaa\xd9\x6b\x29\xc9\x51\x84\x3e\x85\xd0\x33\x4a\xa5\x0a\x50\x4f\xba\xa5\x00\xb9\x6a\xf2\xb0\xeb\xa5\xb2\xc0\xf0\x4f\xc8\x9c\x14\x38\x7c\xd0\x97\x3c\xb6\x1f\x4a\xfa\x9f\xf5\x82\xdf\xf0\x20\x53\x80\xad\x4d\x88\xb5\x7c\x60\xfc\x5f\x87\xcd\x5d\x15\x94\xc5\xf5\xe0\xaa\x76\x81\x1f\x21\x8f\x3d\x30\x45\x59\x83\x69\xf0\xd3\x30\x01\xb4\x6e\xe4\x22\x89\xdb\xb6\x9a\x56\x17\xed\x6c\xb0\x29\x0a\xe5\x70\xc9\xd7\xc2\xd2\xf5\xb0\xfa\x3d\x8f\x4d\x28\x53\xaa\xff\x49\x2f\xf8\x65\x6d\x49\x75\x72\x67\x93\x97\xd6\x96\x0b\x34\xdf\xe2\xf6\xb7\x26\x87\x83\xe6\x25\x8c\xeb\x2f\xa8\x51\xd4\xaa\x28\x3f\x5e\x29\xda\x68\xcb\x28\x42\x9c\xc1\x35\xa1\xa0\xb7\xf2\xa8\xde\x0d\xf3\xb2\x8f\x39\xe2\x6a\x4e\x6b\xf9\x30\xa0\xa1\x59\xd2\xdc\xdc\x16\x34\x94\xde\xc6\x76\xaa\x1d\x3d\x96\x4a\x25\xc0\xa2\xdd\x16\x34\x86\xb1\x68\x3b\xab\xe4\x3f\xf9\xec\xdb\x86\xa5\xf0\xc9\xb3\x55\xe1\x7f\xe5\xfa\xe0\x01\x0f\xfe\x74\x0c\xee\x6d\x11\x26\x65\x5b\xd1\x16\x80\xdc\x32\x00\x41\xfa\x1e\xb5\x62\x41\x40\xc1\x5f\x8a\xbc\x13\xa7\x42\x83\x17\xc5\xc8\xb2\x27\xf1\x06\x40\x51\xe5\x22\x8c\xc0\x14\x90\x8b\xa6\x90\xcf\x28\x0b\xad\xab\xf6\xfa\xcc\x75\xec\x35\x1e\xdb\x27\x2e\x8a\xa6\xff\xfd\x1e\x7b\xe2\xb6\xce\x91\xa7\x2e\x8a\xe6\x0c\xa8\x09\x83\xfb\xef\x4d\x85\x49\xac\x63\x19\xc4\x11\x84\x06\x5c\x1e\x35\xdf\x67\xb9\x27\xca\x2a\x2a\x78\xa7\x64\x66\x97\x52\x73\xb8\x2e\x1a\xec\xed\x1e\xbb\x8e\x30\xbd\x96\xdb\xb9\x28\x24\xdf\xed\xbf\x56\xb3\xaf\x2f\x3c\x1b\xa7\x71\xa7\xd7\x01\x98\x62\xd1\xec\x81\x53\x25\x95\x2f\xf4\x0e\xee\xc2\x44\xe3\x7c\x5a\x78\xc6\xb2\x9c\x9c\x57\x00\x52\x6d\x87\x1b\xd0\xcf\x5e\xb3\x29\x44\x24\x7b\x67\xcb\x1d\x27\x1a\x5c\xb5\xb4\xa1\x82\xa8\xa6\x5d\xc2\xbe\xce\x0e\x4a\xf1\xfc\x6e\x51\xfa\x2b\x5b\xe2\x84\xe0\xf4\xdd\xb3\xbc\xbc\x70\xb7\x28\x69\x06\xd5\xcf\xca\x6c\xc8\x0a\x6d\xd8\x3c\xa5\x83\x65\x2f\x64\xd7\x74\x45\x1e\x67\x91\xba\x3e\x13\x35\x23\xf7\xdd\x93\x6d\xf2\xac\x55\x8a\x94\x1f\x89\x53\x85\xb8\x3a\x69\x7d\x6d\xa6\xc4\x61\xe0\xa7\x2d\xd4\xd6\xed\xc6\xfa\x87\xde\x00\xa2\xed\xa7\xf5\x9a\x7c\xd0\x33\xb9\xe8\xa9\x46\x9a\x63\x23\x29\xd2\x8a\xc4\x1d\xc9\x96\xf6\x4a\x77\xb2\xa7\xe9\xb3\xa1\xfd\xb8\x5c\x50\x04\x79\xbb\x26\x59\x18\x15\x53\xdd\x0c\xff\x53\x4f\xe2\x96\x68\xf6\x9b\x89\xb8\x41\x1f\xa4\x3a\x74\xa8\xa8\x0e\xf2\xb1\xb0\x82\x61\x32\x27\x92\xb0\xaf\x46\xfa\x5b\x7a\xa4\xef\x1d\x39\xd2\xb2\x6d\x47\x6c\x01\x6c\x60\x19\xa2\x57\x37\xc6\x6f\xc8\xc3\x09\xb6\x3e\x6c\x18\x04\x04\x6c\x0c\xc4\xe5\x47\x6d\x90\x9f\xf2\xd8\x75\xb0\xe7\x8b\xc2\x9c\xaf\x0f\xea\x11\xfe\x84\x37\xec\x80\xd1\x07\xdb\x9f\x30\x2a\xd8\xea\x25\xee\x29\xc3\x93\x57\x59\x75\xe3\x15\x3f\x0d\xf5\xea\x29\x02\xac\x47\x39\x7d\xf2\x8a\xd8\x6e\x6b\xbe\xc6\x63\x87\xca\x66\x77\x29\x6b\xae\x8b\xd2\x7f\xb1\xb7\x83\xac\x6a\xcb\xb3\x0b\x58\x9c\x0e\xe3\xbd\xfa\x81\x8d\x9b\x9b\x2a\xda\x14\xa7\x1b\x59\xb2\x81\x81\x4c\xcb\xb3\x0b\x20\xc0\x36\xe0\x2f\x04\x74\x94\xb7\x60\x5f\x58\xb8\xbe\xec\x6f\xf7\xb3\xef\x40\x22\x0d\x5c\xe2\xdd\x79\xd8\x14\x0b\xce\xf1\xfd\xec\x7e\xc5\xfd\x7e\x64\xbf\x72\x2f\x37\x0c\xa8\x39\xc7\x24\x9f\x47\x86\x0f\x55\xf5\xca\x5b\x3b\x6c\x0a\x84\x04\xec\x75\xb3\x94\xd6\x84\x88\x21\x32\xc3\x50\x84\x23\xe5\x50\xb7\xda\xb0\x56\xcc\x26\x56\xb1\x4a\x26\x68\x4d\x39\xff\x64\x11\xba\x49\x21\x44\xa5\x35\x3c\x5e\xc4\x6b\xb2\xfb\x3a\x6b\x5b\xdc\x11\x26\x0e\xc4\x54\x28\xbf\x6e\x65\x79\x33\x5e\x4d\xfa\xbc\x1d\x26\x26\xee\x8e\xaf\x03\xaa\x19\x54\xd3\xe0\x4b\x80\x6e\x16\x17\xb4\xe4\x52\x0c\x82\xce\x85\x58\x21\xc2\x37\x8b\x88\x37\x13\x11\xa6\xbd\x2e\xb6\x27\x37\x50\x3f\xeb\xe5\xaa\x3d\x93\x08\x4c\x6f\x9c\x34\x4e\x94\xbe\x23\x3a\x5c\xf0\x2d\x17\x48\x8b\x6c\x92\x6f\x6e\xf0\x7b\x95\xdc\x5c\xb3\xeb\xcc\x36\x44\x9e\x03\xee\x60\xa9\x22\xb9\x8c\x62\x81\x0c\x6f\x72\xda\xe4\xa6\x6a\xf0\x0b\x0e\x82\x76\x9a\xa5\xf5\x54\xac\x85\x14\x15\x00\x7b\xb9\x61\x22\xc2\xf8\xf3\x45\x9e\x59\xa6\xba\xa2\xcc\xba\x3c\xee\x74\x44\x24\x09\x46\xd2\x07\x67\x66\x59\xbf\x35\x73\xfc\x48\x9a\xf1\x0c\xf6\x60\x0f\x73\x02\x66\xbc\x68\x83\x17\xdf\x66\xaa\xf2\x65\xa1\x6e\x2f\x4c\xba\xed\x90\x38\x6d\xb9\x6c\xc4\x5a\x51\x44\x8e\x5c\x75\xe0\x55\x96\x87\x4e\x51\x95\xd3\xb4\x0e\xe3\xef\x4f\xb0\x9a\x75\xe0\x8a\x32\xcb\xc3\x35\x38\x73\x18\xa7\x31\x03\xd1\x36\x1d\x91\x52\xca\x0f\xff\x67\x26\x82\xd9\xe1\xaf\x74\xce\x4f\x6d\x6a\x08\x79\xb5\xa4\xa5\xa7\x99\x50\x81\x3c\x6e\x2c\xfc\x41\xf6\x47\x1e\xbb\x0a\xdf\x9d\xca\xf3\x2c\xf7\x3f\xef\xb1\xa9\x91\x14\x62\xa0\xc3\xf0\x4d\xf0\xe3\x80\xd5\x99\x84\x45\x89\xbe\x2e\x5c\xa4\xcd\xac\x97\x96\x40\xf3\xc8\xd5\x05\xdb\x30\x50\xff\x35\x15\x28\x63\x4b\x35\xb0\xfa\x4a\xd8\x97\x22\x01\xed\x12\x50\xf3\xf4\x15\xc2\xbe\x32\x30\x0e\xa9\xb2\x21\x1a\x74\x08\xd0\xae\x50\xa7\x61\xe7\x0d\xf6\x6e\xc9\xe6\xd3\x24\xf8\x6f\xf5\x82\xff\xe2\xcd\x3b\x96\x5e\x8a\x86\x92\xe2\x90\xa6\xd2\x49\x9f\xab\x4f\x1e\xad\x7e\x3a\x31\x3a\x1f\x1d\x63\x7e\xa8\x97\xf3\xac\x32\x23\xbe\x73\x2c\x78\xe5\xd8\x79\x49\xd3\xec\x0b\x05\xca\x55\x9d\x0a\xbb\x59\xb7\x97\xb8\x21\xbc\xb6\x35\x5e\xfb\x3e\xd1\x00\xaa\x5d\xa5\x54\x95\x74\x28\x29\xf4\x25\x4e\xe5\xc9\xe9\xad\x16\x72\x77\xa5\x25\xbf\x2f\x8c\xcb\xd3\x59\x3e\x43\xdf\xe6\x1c\xc2\x8d\x10\x0d\xfd\xd1\x9a\xb6\xad\xc2\xad\xe4\x16\x8f\xc4\x23\xbf\xc5\xb1\x8d\x87\x75\x8b\x0f\xa9\x72\x8b\x2d\xfe\xf2\x7d\xec\xf0\x30\xd6\x3a\x2b\xca\x85\xb0\x6c\x3b\x01\x82\x7f\x30\x1e\x6c\x2c\xda\x3e\x01\x10\x57\x07\xc6\x92\x4e\xd8\xed\xaa\x65\x0e\x25\x85\x6e\xf0\x7b\xf4\x4b\x3c\x26\x85\xce\x63\x89\x97\x3a\xcf\x36\x53\x91\x17\xed\xb8\xcb\x3b\x61\x1a\xae\x51\xee\xe7\x9c\x2f\x9d\x3a\x13\xa7\xbd\x8b\x3c\x17\x80\x31\x19\xa7\x6b\x8d\x4b\x1e\xd8\x6c\x1c\x42\xf4\xe9\x31\xf6\xa0\x47\xb6\x9c\x5f\xf2\x82\x9f\xf3\x64\x7f\x75\xb0\x54\x9c\x03\xb0\x44\x5f\x29\xe1\x65\x57\xb5\x97\xbc\xb6\xfb\xf0\xa2\xdf\x49\xe2\x74\x1d\xd0\x5e\x29\x34\x4e\x8a\x5b\xa4\xfd\x4d\xd7\x95\xed\x31\x17\x61\x02\x9f\x5d\x36\x5f\x49\x9b\x63\x8a\x26\xe1\x06\xd9\x11\x3d\x16\x92\x73\x5f\xe2\x51\x24\xeb\xf7\x06\xd9\xb2\x14\xb3\xe5\xd5\xab\x96\x80\x48\xb4\xc3\xe8\x05\xc1\x23\xd1\x8d\xdf\xb8\xa6\x02\xc1\x89\x7b\x61\x7e\x69\x76\x69\xde\xd9\x08\x6f\xba\x26\x78\xad\x67\xef\x84\x94\x43\x21\x1e\xc5\xc5\x7a\x83\xfe\x56\xab\xae\x63\x1a\x00\x5c\x5d\xee\xff\x88\x87\x05\x37\x31\x8a\x5c\xf6\xb1\xfa\xd5\x96\x9b\x44\xde\xaf\x43\x77\xc9\xd5\xa8\xd5\x5e\xc8\xf2\x32\x4c\x2e\x79\xe3\xf1\xf3\xd2\x4b\xde\x78\xd2\x4b\x9d\x9d\xf3\xa5\xab\x58\xca\xae\x8d\x8b\x66\x11\xcf\xab\x54\xf7\xfe\xbf\x0f\xee\x8d\xa1\x07\xfa\x11\x42\x45\x03\x35\xeb\x15\xc8\xbe\x62\x09\x88\x44\x47\x96\xd5\x5e\x94\xc3\xa4\x7e\x3a\xcc\x8f\x94\xcd\xee\xa4\xa3\xc9\xb8\x91\xc9\x5e\xf8\x75\x25\x14\x7c\x1b\xd6\xb4\x8c\x4a\xf8\x33\xbd\x94\xcc\x37\xee\xdd\xff\x1f\xed\x70\xcb\xfc\x4a\xa3\x2d\x9f\x34\x7b\xcf\xcc\x02\xc5\x59\xc2\xce\xa2\x51\x90\x01\x00\xfc\x97\x40\x6a\x42\x60\x18\x4b\x73\xcf\x8e\x31\x39\x85\xfe\x64\xf0\x78\xea\x29\x7e\xfa\x74\x05\x97\x0d\x53\xe4\x0c\xf4\x3d\x1e\x3b\xd8\x85\xe9\x2f\xfc\xb7\x7b\xc1\x2b\x3c\x67\xa0\xb8\x30\xfc\x4c\xac\x54\xcb\x58\x14\x02\x97\xc9\xf3\x3c\xe5\xf3\x0b\x92\x0a\xc4\xdd\xe7\x84\x51\x94\x9f\x44\xf3\x69\xcb\x58\xd5\xe2\x42\xeb\xb6\xc2\x54\x07\xe9\x1e\x29\xfb\xdd\x58\x5e\x1f\x7d\x2d\x50\x14\xfc\xd6\x9b\x8f\x61\x36\x95\xe3\x37\x1f\x9b\xdc\xca\xc0\xb1\x6e\x05\xd7\x3e\x27\x78\xfa\xee\x42\x66\x07\x23\x72\xdd\x1b\xfa\xad\x1e\x73\xf6\xa9\xff\x3a\x2f\x78\xe9\xb0\x79\xc2\x29\x5a\x78\x54\xa7\xc8\xcc\xc9\x05\x76\x7d\xb3\x1d\x76\x67\x7a\x65\x7b\x2e\x2e\x20\x7d\x51\xdf\x9f\x09\x4e\x28\x15\x99\x3a\xa1\xd8\x71\x5d\x84\xc3\x6e\x73\xf7\x91\x33\xfc\x45\xf6\x18\x55\xef\x12\xa2\x26\xfb\x4f\x09\xa6\x87\xd7\x4a\x05\xb6\xad\xf3\x7d\x63\x3a\x6a\xfc\x1d\x63\xc1\x8f\x8c\x55\xa3\xc6\x55\x1a\x19\xa4\xa4\x70\xa4\x6d\xd8\x69\x8a\x28\x5f\x8e\xbb\x27\xf9\xa9\xb4\xe8\xe5\xc2\x98\x9b\xaa\xc1\xe5\x71\x71\x19\xf1\xe5\x08\x97\x7c\x72\x54\x94\xf9\x7c\xa7\x9b\xc4\xcd\xb8\x4c\xc8\x8f\x2d\xd7\x59\x02\xf0\x03\xb9\xa8\xbd\xd4\xd2\xf6\xed\x92\xe8\x03\xc9\xb3\xd7\xf8\xb3\x1e\xbb\x46\x1f\x7e\x00\x92\xfa\x35\x2f\x78\xaf\x37\xdb\x2b\xca\xac\xc3\x15\x3d\x54\xc4\x01\x0e\x3b\x07\xe8\x6e\xeb\x13\x27\x5e\x1a\x59\x46\x97\xb4\xf2\x22\xee\xf4\x92\x32\x4c\x45\xd6\x2b\x92\x7e\x8d\xa7\x62\x93\xea\x8e\x75\x99\xdb\x89\x1c\x21\x41\xb8\xe3\xe4\xed\xb4\x56\x69\xd8\x11\x77\x18\x6f\x08\xc8\xec\x16\x69\x9d\x49\x33\x4b\x53\x4c\x55\xea\x6c\xdd\xd7\x0f\x67\x6a\xe4\x49\xda\xcc\x72\x17\xf5\xe0\xcf\xc6\x83\xdb\x86\xbd\x70\xbd\x1f\x55\x89\x2a\x00\x82\x14\x93\xf0\xd1\xfc\x9c\x73\xc7\xbc\x6e\x9c\x7d\xd2\x40\x19\xc0\xac\x9e\x5e\x82\xbb\xbd\x12\x34\x5d\xdd\x5f\x6a\x3b\x3e\x12\xf8\x06\x97\xbf\xe3\xec\x59\xbd\x68\x11\xc9\x24\x78\xf6\xa3\x88\x3b\x70\x37\xd3\x93\xec\xdf\x16\x10\x93\x3d\x3f\xc7\x7b\x69\xfc\xbc\x9e\x14\xdd\x6d\x83\x5d\x75\xad\xec\x21\xbc\xf3\x2a\x76\xe7\x0e\xb2\x1a\x35\xb6\x4a\x77\xe6\xff\x31\x0b\x5e\xe4\x6d\x99\x10\xcd\xc5\xe7\x72\xd3\x48\x65\x2d\x0a\xa7\xae\x26\xea\xc3\x68\x1c\xc8\x85\x82\x26\x07\x9d\x66\xb1\x13\xf6\x79\xb3\x1d\xa6\x6b\x76\xc6\xc0\x8a\xe9\x61\x62\xcf\xe3\x76\xcf\xe3\xd6\xf1\xb8\xfd\x27\x8f\x4d\xd0\xde\x2a\xfc\xff\xe3\x05\xf3\x3a\x5d\x8e\x13\x0a\xb6\x69\xa7\x13\x04\x19\x1a\xd2\xc7\x38\xf1\x97\x6e\x76\x54\x87\x91\x3a\xc5\x66\xb7\x02\x45\xda\xe1\x01\x7b\xc8\x3b\xcc\xbe\xdd\x71\x96\xec\x86\x65\xb3\x5d\x87\x4f\xc4\x5a\xdf\x9f\xf0\x0f\x74\x44\xbe\x26\x98\x2c\xf9\xf8\x21\x25\xe1\x6d\x7d\x5d\xf4\xfd\x83\xfe\x7e\x79\x69\xb0\x3d\x0f\xd6\x5d\x7b\xb0\xfe\x87\xed\x3d\x58\x9f\xe5\xdf\x6f\x3c\x58\x87\xae\x76\x25\x5a\x61\x2b\xc2\x59\xf5\x74\xfd\xa5\x03\x6c\x72\x74\x7e\x00\x8c\xdd\x00\xe8\x76\xf0\x52\x7b\xe5\x81\xe0\x88\xfe\x45\xb4\xaf\x9a\x90\x39\x44\xa8\x77\x97\x78\x7e\x6e\x3f\x13\xec\xda\x76\x96\x44\x22\x9f\x47\xff\xb0\xbe\xbf\x14\x9c\x76\x9f\xb8\x11\xd0\xb1\x7a\x4a\xac\x25\x96\xc5\x26\x94\x4b\x77\x62\x9a\x22\x3a\xf3\x31\x8f\x3d\x0e\x9e\xce\xf5\x5c\xd7\x9d\x77\x69\x73\xd1\x1b\xbc\x61\x05\x70\x38\xda\xce\xa0\x12\xd5\x46\xe0\x7b\x54\x50\x30\x06\x7c\xa8\x73\x4d\x6d\x86\x31\x30\xb7\x78\xe9\x86\x4d\x50\x47\x03\x0e\x88\xd2\x5a\x77\x44\x08\xbc\xae\xb2\x8a\x83\xd6\x1f\x52\x7b\x48\xd2\xa0\x52\x45\x2f\x8a\x54\x6c\x2e\xc7\x9d\x8a\x5e\x3a\x67\xd7\x41\x7b\xcb\x52\x18\x26\xec\x96\x67\xab\x41\xcc\x57\x5f\x69\xfb\xbf\x36\xf6\x95\xd6\x4b\x98\x35\xec\xbd\x72\x51\xc3\xf9\xac\xa4\xb9\x7c\x0b\x44\xd8\x52\x77\xfc\xd7\x7a\xec\xf6\x2b\xa0\xd3\x67\xe3\x66\x9e\xc9\x0a\x82\x45\x5d\x17\x4e\xaf\x6b\x65\x51\xab\x68\xaf\x2c\xf6\xb1\x1d\x16\x38\x47\x74\x87\xe1\xd9\x86\xc5\x66\x2f\xf7\xd8\x55\x34\xd7\xd0\xc9\xe7\xef\xb2\x8f\x27\xad\xca\xb6\xea\x25\xf6\x6c\x33\x2c\xd4\x4a\x47\x0d\xf6\x0b\xfb\x1c\xd3\x41\xd8\xed\xa2\x0b\x78\x19\x96\xa2\xd5\x4b\x96\x44\x79\x1e\x06\xb0\xa4\xa8\xec\xcb\xf6\x05\x9f\xf6\x46\xbe\xae\x86\x39\xa9\xc7\x5a\x54\xb2\xbe\xe4\x04\xae\x93\xa8\x44\xa0\xbd\x42\xd8\xf6\x73\x9c\x39\x8c\x1e\xa5\x24\x79\x05\x62\x04\x44\x88\xb4\x03\xea\x36\xed\x47\x9a\x8a\xa6\x28\x8a\x10\x93\x89\xda\x36\x78\xac\x47\xcb\x03\xaa\x87\x91\xee\x9d\x7b\xd2\xdf\x36\xc6\x3e\xe8\xb1\x6b\x64\xc7\xe2\x74\x0d\x87\xe7\xbf\xdd\xdb\xea\x06\xa3\x49\x5b\xb4\x3f\xb1\x06\xaa\x26\x27\x58\x75\x4a\xd8\x80\xb6\x76\xb2\x4b\x6b\x4c\xb0\x84\xcb\x24\x52\x6e\x57\xbd\x2c\xd7\x60\x6d\x52\x13\xae\x04\x28\x4a\xb8\x0b\x62\x4b\xba\x23\x17\xd1\xf8\x2b\x54\x5b\x75\x08\xd5\xcf\x5f\xc7\x9e\x6c\x53\x5e\x91\x97\x48\x47\x45\xa1\x29\xef\xac\x79\xb8\x14\xaf\xa5\x71\xba\x66\xfb\x0c\xff\xf5\x63\x82\x8f\x78\x48\x69\x2c\xe3\x81\xfc\xd9\xe9\xf4\x30\xdb\x9f\x31\x91\xea\x74\x8f\x85\x12\xf1\x1a\x1c\xc4\x03\x94\x15\xf0\xa5\xbc\x26\xcf\x17\xe1\x9a\x20\xbd\xb8\x76\xc4\x83\x80\xbb\x14\xbf\x04\x85\x37\x2a\x3f\xa8\x50\x98\x0b\x1e\x89\x3c\xde\x40\x79\xc9\x42\x47\x84\x98\x61\xcd\x90\xea\xc4\x8f\xab\x7d\xcc\xac\x0d\x88\x46\xd8\xb6\xb3\x89\x5e\x7f\x2d\x7b\xeb\x7e\x76\xa0\x07\x5d\xf1\xdf\xb0\x3f\xf8\xfc\x3e\x42\x07\xa0\xde\x59\x16\x6f\x15\x0c\x08\x85\xe1\x50\x88\x8b\x24\xf8\xad\x8b\xbe\x96\x6b\xb5\x93\xaa\x64\x2a\x84\xb9\xe2\xcb\x2c\x4b\x8a\x46\x2c\xca\x56\x23\xcb\xd7\xa6\xda\x65\x27\x99\xca\x5b\xcd\x9b\x8e\xdf\x7a\xec\x86\x02\x05\xdf\xfa\x8d\x8d\xe3\x8d\xe9\xc6\x09\xcc\x03\x75\xf9\x1f\x4e\x1f\x67\x90\xff\xd9\xce\xbd\xc8\x78\x50\xe0\x8a\x06\x35\xc6\x83\x28\x5e\x8b\xcb\x90\x6c\xa2\x92\x83\x80\xa7\x30\x98\x14\x72\x58\x77\xe2\x52\x25\xb6\x0a\xe4\xb0\x44\xda\x8c\xbb\x6d\x91\x3b\x0f\xc3\xb5\x5c\x08\xfd\x44\xf2\xa8\x83\xe5\xe4\x3e\x83\x66\xf0\x57\x9e\x98\x1f\xaa\x2c\xe8\x92\xb1\x0a\x51\x7d\x12\xa6\xf8\xaf\x0a\xcd\xec\x95\x6d\xac\x08\x25\x12\xf3\x3b\x8b\x04\xb7\x47\x28\x3a\x61\x9c\xf0\x6e\x9e\x95\x38\x37\x58\xcb\x54\x47\x52\x60\xf9\x67\xdc\x2d\x44\x13\x42\xe2\x51\xb6\xb6\x1e\x96\xbd\x34\xc5\x6c\x69\xf4\x40\xee\x1d\xf8\x09\xae\x39\x65\xd8\xe9\xaa\x56\xb2\x66\xd1\x75\x9a\xed\x48\x32\x5f\x64\xad\x92\x17\x6b\x4d\x78\x92\x8a\xb2\x68\x86\x52\xc6\x5f\x6b\x06\xa3\x15\x96\x0f\x79\x37\x8c\x44\x17\x3b\xe4\x1f\x0c\xcb\xac\x13\x37\x19\x8b\xd8\x84\xec\x0d\x38\xe2\x3d\x23\x78\xda\xfc\x56\x31\xb5\x52\x20\x94\x85\x61\x07\xe2\x5f\xb2\xbc\xa5\xa2\x69\x41\x56\xc0\x32\x8c\x93\xa2\x51\xc1\xbd\xd8\x2f\x2e\x96\x79\xe8\xbf\x30\x78\x3a\x02\x1c\x6e\x19\xbd\x7b\x79\x2d\xbd\xc3\x7b\x3c\xfb\x37\xa3\x67\xc2\x36\xda\xbd\xd9\x63\x07\x10\x7d\xc6\x7f\x9d\x17\x3c\x9d\xbc\x1c\x1f\xce\x41\xef\x72\x3d\x9a\x4c\x11\x14\xff\x19\xfe\xbe\xd5\x7e\x29\x82\x27\xdc\x15\x16\xe2\xe6\x1b\xeb\x22\x95\x9b\x32\xe2\x0b\x4f\x9b\x5d\xba\x61\xfa\x18\x9f\x5d\x5a\xe4\xf2\x8c\x5c\x7e\x23\xaf\xdd\xc7\x98\xdc\x64\x02\x15\x7a\x2f\xde\x17\xfc\xdf\xf1\x45\xed\xf4\x8d\x6f\x2c\xc7\x54\xf2\xf3\x9e\xa7\x74\x20\x3a\x13\x26\xba\x6a\x92\xa7\x8a\x9c\xc2\x93\x7c\x05\xdc\x71\xeb\xed\xac\x28\xe5\x4b\x29\x78\xc8\x7f\x57\x40\x27\x08\x18\x2a\xc6\x8e\xb6\xaa\xf1\x33\x45\x74\x92\xf1\x69\xd4\x1b\x96\x87\x65\x1b\x72\x04\x89\xe4\x11\xf0\x58\x5a\x97\x4b\x4d\x39\x5e\x16\xd0\xcf\x88\x61\x0a\x3d\x47\xc5\x89\x81\x48\x2a\xd4\xad\x8e\x95\xd4\xa9\xce\xa0\xc1\xf8\xf1\x61\x6d\x41\x10\x4e\xba\x76\x25\x8d\x25\xa2\xac\xd3\xe7\xb2\xfa\x13\x8e\xef\x8a\x5b\x45\xf5\x73\x8c\x62\xaa\xf7\x30\xd3\x6a\xd0\x60\x73\x52\x2e\x92\xe2\x19\xc9\x23\x18\x97\x21\x57\x03\x17\xa6\xe0\xed\xb0\xdb\x15\x29\xb8\xf4\xc9\x02\xab\x61\x1a\x35\xf8\xfd\x59\x0f\x2e\x3b\x4c\xb7\x87\x36\x4d\x6d\x1e\x46\x98\xd5\x15\x70\x89\x31\x0b\xbf\xe2\x9c\xd1\x26\x1b\xef\xc5\x91\xff\xef\x83\x7b\xcf\xcf\xcf\x3d\xbc\x67\xc2\x34\xf2\x7f\xf7\x0d\x05\x9a\x45\x75\xdd\x42\x9e\x3d\x17\x89\xab\xff\xc9\x7d\xc1\x3d\xe6\x27\xf9\x0b\xa0\x4f\x77\x17\x1f\x8b\x88\x87\x10\xab\x01\xea\xe4\xcc\xb6\x0c\x48\x99\x98\xd4\xf8\xfd\x6e\x25\x84\xe8\xeb\xe3\xec\xb5\x1e\x7b\x2c\x05\x5c\xcd\x34\xc1\xdc\x0e\xb1\x1b\xfe\x0b\xd8\x1d\x3b\x48\xdb\x34\xf0\x9d\xe9\x66\xf0\xa4\xe1\xb3\x36\xa4\x31\x38\xb8\xc0\xa9\xe2\xd7\xac\x64\x87\x50\x09\x78\x36\xec\xfa\x6b\xec\xc6\x6d\x7b\x32\xab\x4a\x5b\xed\x4f\x0d\x6f\x5f\x57\x3c\xd0\xea\xf3\xd9\x55\x51\xb6\x99\x6e\x86\x79\x34\xb3\x30\xef\xaf\xb3\x9b\xb7\x6d\x77\xce\x94\xb7\x5a\x9e\x1e\xde\xb2\x55\xf9\x40\xdb\xeb\xec\x00\x5a\x2e\xfd\x70\x8b\x70\x6f\x37\x5f\x96\xd5\x62\x6d\xd4\x5c\x83\x0d\xb3\xda\xd8\x07\xaf\x66\xa7\x76\x9c\xab\x7e\x4b\xd5\xee\x5f\x5d\x15\xfc\xf3\x37\x81\x6a\x97\xcf\x89\x6e\x2e\x50\x90\x89\x53\xbe\x31\xdd\x98\xbe\xb9\xc6\xbb\x49\x98\xa6\x64\xfc\xc8\x45\x27\xdb\x08\x13\xf5\xf6\x49\x0d\x7e\xbe\x10\x5b\x2a\x60\xa6\x36\xa6\xb7\xd4\xbd\xa8\x7c\xac\xae\xc0\xf4\x85\x3d\xd8\x9a\x3d\xd8\x9a\x3d\xc5\xfc\xc3\xaa\x98\x7f\xf1\x98\xa5\x98\xff\xdb\x47\x4a\x31\xff\x54\x76\x0f\x3b\x7d\xd9\x8a\xf9\xa1\x34\x72\xe7\x3a\xf7\xcb\xd1\xe3\xbf\xd8\xdb\x5e\xbb\xbc\xe2\x3f\xfb\x91\xd2\x2e\x13\x22\xce\xc7\xae\x66\x77\xef\x78\x5e\x2e\x60\xb0\xe7\xa8\xdb\xe3\x1f\xae\x0a\xbe\x7f\x6c\xeb\x32\x0f\xf7\xfd\x41\xbb\x58\xb2\x49\xf2\x92\x84\xab\x04\xcc\xa9\x8f\xdc\x25\xb2\xcd\x00\x87\x5e\x23\xbf\xbb\x77\x8d\xec\x5d\x23\x7b\xd7\xc8\xc3\x7a\x8d\xbc\xd4\xbe\x46\xfe\xee\x91\xba\x46\xce\xb0\xa7\xb2\x7b\xae\xf0\x1a\x19\xa0\x14\x8f\x84\x99\xf7\x21\xef\xa5\x3b\xb8\x48\x56\xfd\x95\xfa\x20\xf5\xe7\x97\x75\xb7\x6c\x4d\xf8\x18\xfb\xe9\x43\x4e\x5a\x37\xe3\x15\x4e\x20\x73\xf8\xdb\xe4\x64\xfd\xfb\x89\xe0\xc6\xea\x43\x5c\xbb\x66\x96\x24\x24\x1c\x67\x2d\x4e\x15\xf1\xa6\x2c\x24\x46\x24\x65\xfd\x95\x83\xec\xb7\xec\x4d\xfe\xe1\x5d\xa6\xaa\xfc\x0f\xc3\x53\x55\x3e\x5a\xdb\x7b\xef\xba\xd8\xed\x75\x51\xaa\x0c\xb3\xeb\xc1\x0d\x3a\xc3\xac\x0d\x6a\x62\x6f\x3d\xf9\xa9\x39\xf3\x4f\x62\xb7\x6c\xe1\x6b\xbc\xd5\xbe\xde\xbb\xa4\xae\xfc\x92\x7a\xc8\x8b\xb7\xa7\x63\xa7\xfd\x39\xcd\x10\xab\x85\xa8\xc2\x41\x56\x48\xca\x50\xb6\xf7\xbd\x8c\xdd\x75\xf9\xc0\x4e\xb8\xe0\x33\x0b\xf3\xa4\x29\xf3\xff\xe2\x50\xf0\x2c\xf3\xb3\x02\x18\x89\x46\x18\x74\x4d\x00\x40\xf5\x66\x2f\x09\x73\x0e\x6a\x79\x3a\xc7\x0d\xf4\xb1\x57\xc1\x42\x01\x75\xb4\x01\x23\xac\xa4\x8a\x79\xdd\x1e\x0f\xb9\xc7\x43\xfe\x4b\x41\xd0\x7d\xbb\x82\xc3\x7c\xb3\xc7\x96\x87\x56\xb5\x8b\x63\x09\x88\x99\xa7\x5d\x90\x2e\x5b\xa1\x0a\x91\xe1\x80\x25\x04\xe9\xd9\x22\xcb\x43\x21\x56\x3a\x77\x75\x7e\xd9\x8f\x18\x90\xcb\xd7\x78\xec\xc2\xc3\xde\x57\xc4\xc1\xbc\x85\x22\x54\x75\x7f\x95\xc5\x7e\x50\x11\x4c\x88\x3c\xd8\xbd\x87\xbc\xf5\xed\x89\xe6\x3d\xfe\x69\xa3\x45\xa8\xf4\xa8\x42\x3c\x4d\xc7\x86\x92\xcd\x77\xef\xdb\x26\xb7\xf5\x40\x1e\x55\x74\x32\xff\xfb\xf1\xe0\xb7\xbd\x61\x6f\x2c\x17\x8e\x76\xb6\x09\xe1\xc5\x00\xbd\x2b\x47\x7b\xd9\x09\xad\x1f\xe5\xcc\xa7\x97\xbc\x03\xd8\xc3\x4b\xde\x01\xf4\xde\x77\xe8\xf5\x4b\xc7\xd8\x8b\x3d\x46\x45\xfc\xfe\x65\xa6\x15\xc5\x49\x9a\xd7\x90\x6c\xc1\xad\x34\x1b\x96\xab\xb7\x05\x63\x46\x2f\x57\xfb\x68\xb6\x04\xb8\x03\xca\x2d\xcd\x5e\xc8\xa8\x7b\x7e\xc1\x9e\x74\x05\x9d\xc0\x98\x9c\xe0\x66\x6a\xca\x85\x17\xb1\xd3\x85\x6a\xab\xaa\x9d\x99\x9a\xbd\x92\xb1\xa3\x23\xd1\xaa\xce\xe1\x2f\xcc\x29\xb3\x20\x44\xee\xff\x8f\x43\x41\x32\xf0\xd4\x4d\x29\x23\x10\xb5\x26\xc4\x48\x45\x44\xa2\xe1\x65\x36\x25\x97\x8f\xfc\x66\x9a\x22\x87\xe4\x32\xcd\xac\xb3\x4a\x1e\x93\xe0\x66\x67\xf9\xc4\x90\xcf\x8a\xb3\x66\x7f\x38\xc1\x7e\xc6\x63\x07\xe3\xee\x5d\x49\xd6\x5c\xf7\x7f\xd4\xdb\x02\x85\xa5\x02\xbb\xb5\x00\x9f\x04\x1d\xfa\x43\x5f\xc6\x94\x00\x07\x36\xb4\xc5\x05\x50\x31\x83\x29\xa0\xc3\x8f\x01\xd6\xa9\x2d\x52\x9e\x52\xbc\x13\xb9\x34\x39\x4e\x3d\xe8\xf9\xd3\x60\xbf\x37\xce\xae\xd7\x70\x51\x3a\x45\xf9\xaf\x8f\x3f\x0c\x29\xca\xff\x79\x0c\xff\x2c\xb8\xc6\x85\x52\xc9\x48\xe9\x08\x28\x68\x2f\x08\x40\x74\xc3\x96\x31\x8c\x14\x20\x4b\x48\x8a\x92\x65\xf4\x9e\xe4\x85\xe8\x84\x69\x19\x37\x8b\xdb\x78\xdc\xe2\x74\x89\x02\x5e\x9c\xb1\xa3\x17\xd4\x7c\x98\x58\x99\x9e\x8a\x06\x63\xf3\x2d\xbe\x90\x45\x76\xee\xf4\x30\x29\x32\x39\x71\x35\x9c\x39\x39\x5d\x83\x7b\x08\x12\xc8\x6f\xb6\xb3\x44\xe8\xaa\x4b\x88\x2f\x8b\x0a\x93\xb0\xd4\xa9\x98\x6a\x32\xc3\xc7\xef\xd0\x47\xea\x5c\x75\xda\x2d\xbb\x78\xb5\xfb\xd0\xc6\xe5\x56\xc7\x3e\x3b\xce\xae\xea\x9a\xfe\x3c\x5c\xcb\xaa\x41\x1b\xaa\x8b\x82\xd8\x3a\xaa\xdf\xb2\xcf\x8f\xe8\x9a\x62\x32\x78\xb9\x9a\x03\x63\xff\x66\x5f\xd3\x1d\xb5\x81\x27\xff\x70\xc1\xb3\xcd\xd4\xd4\xdc\x60\x7f\x72\x88\x1d\x19\x06\x86\xd5\x6d\x8b\x8e\xc8\xc3\xc4\x09\xcf\xfa\xd0\xa1\xe0\xa9\x6e\xa4\xb1\x50\xe5\x9c\x70\xbe\xb8\xe0\xed\x30\x8d\x12\x1c\x47\xa8\x92\x09\x2b\xdd\x09\x26\xcf\x74\x05\x8a\x2f\x4f\xb0\x3f\x98\x60\x8f\xc5\x5a\x66\x93\x30\xee\x2c\x8b\x4e\x57\x72\xf4\xfe\x83\x13\x3b\x70\x17\x58\x90\xec\x41\x51\x8a\xb4\xbc\x30\x58\x45\xf0\xa2\x89\xfb\x2c\xbc\x13\xf0\x03\x05\xcf\x46\xe0\xb6\xc3\x34\xaa\x87\x49\x96\x0a\xbe\x70\x61\x96\x4c\xd9\x98\x3f\xd7\x8a\x53\x54\x11\xb2\xa0\xbe\x57\xb8\x4f\x71\xc1\x87\x4e\x14\xc4\x87\x76\x56\x45\x14\x01\x8b\x80\x2d\x03\xd9\xdc\x4c\x0d\x0d\x5d\xb8\x30\x6b\xc1\x01\xc8\xb6\x8d\xb3\x4e\x22\x4a\x3b\x49\x36\xb0\x19\x04\xb7\x42\x89\xb5\x6d\x7c\x5d\xfb\xdb\x95\xdb\x01\x4e\x27\xec\x88\x3b\xea\x4e\xdc\xde\x0a\xdf\x84\xe0\xaf\x95\xca\x53\x1b\x0c\x4e\xcb\x07\x2b\x72\x0b\x75\x45\x93\xfc\x45\x8a\x15\x0e\xea\x08\x2e\xd2\x32\xef\x37\xe4\x06\x53\x60\x9b\x60\x1a\x89\x21\xc3\x90\x86\x5a\x85\x69\x6a\x29\xa3\x8a\xe4\xa8\x52\xe0\x96\x14\xe2\xb4\x64\xa2\x2c\x28\x50\xe8\x7f\x25\xbf\x78\x96\x01\x30\xce\x64\x83\xb1\x99\x14\x11\x41\x61\x67\xc3\x48\x61\x32\x42\xcc\xc5\xe5\x64\xbc\x97\xf3\xeb\x40\xd3\x40\xcf\x8e\xa6\x59\x79\x54\x2f\xbe\x86\x78\xca\x10\xda\x75\x23\x8b\xad\xec\xc8\x52\x3a\x44\xbc\x0d\x9a\xa5\xd5\x3e\xef\xc4\x05\x80\xb7\xf1\xa5\x52\xde\x99\x24\x88\x75\x35\xe4\x50\xca\x57\xe5\xf5\x29\x22\xde\x4b\xcb\x38\x41\x5f\x68\x5d\x8f\xec\x32\x88\xba\x9d\x6c\x83\x30\x06\x31\x03\x97\xa4\x4a\x75\x15\x44\x49\xa5\x3a\x82\xa2\x60\xad\x5c\x41\xd4\x58\x4d\x2f\x75\x1b\x45\x5e\xe5\xf0\xae\x20\x73\x71\x73\x0d\x64\xed\x95\xfd\xcc\x52\x0a\xf5\x93\x3f\x34\xbc\x2a\x9c\x4a\xf0\xeb\x8d\xb5\x94\x4d\xc2\x9e\xf6\xf1\x46\xdc\xd4\xb8\xb4\x10\x71\x5b\xbd\x04\xfd\xa5\x3b\x61\xda\x83\x0a\xa4\x40\x9d\x16\x65\xde\x6b\xa2\x14\xc3\x57\x73\x70\xbd\xa1\xab\xb9\xc1\x58\x15\xf9\x92\x90\xed\x81\x37\x4c\x33\xf2\xba\x30\xa8\x44\x9d\x30\x12\x15\xff\x60\x1a\x8d\x1c\x3f\xba\x2a\xc7\x25\x4c\xc4\xaa\x10\xa9\xf6\x53\x66\x4c\x81\x8c\xd7\x50\x8f\xa1\x86\x13\x27\x0d\xf6\xb7\x57\xb1\xc7\x0f\x0b\xd3\x57\xc0\x62\xfe\xe7\xae\x0a\xde\x31\xa6\x7f\xda\x6c\x9e\x4e\x4f\x45\xce\xf5\x16\xfc\x01\xc5\x82\xd2\xf4\xc9\x7d\x82\x49\xe1\x11\x2b\x15\x5d\xce\x15\x6e\x9a\xc6\x30\xe3\x62\x03\xe5\xf4\xd3\xb4\x19\x17\xb2\xa2\x84\xdd\x05\x33\xb2\x90\x8b\xa5\x32\xeb\x5a\xe5\x91\x9c\xe6\x45\xcd\x81\xe7\xd0\x47\x8c\xea\x87\x6d\x58\x58\xbb\x50\x21\x7c\x15\x0a\x97\x44\xd4\x78\x2f\x4d\x20\x53\x9e\xf3\x25\xa1\x4a\x01\xba\x56\x51\x33\x34\xae\x19\x16\xb8\x71\xa8\x03\x70\x17\xae\x82\xe7\x97\x4b\xbf\xdf\x70\x88\xfd\xa7\x71\x76\xa8\xab\xc6\xe1\x7f\x6d\x6c\x8b\x0c\x93\x1a\xd9\x04\x6b\x0d\x7e\x63\xcc\x4c\x00\x60\xba\x62\x7a\x17\x0b\x0f\x0a\xd7\xdc\x86\x8a\xb4\xdd\xd3\x09\x4a\x44\x75\x92\x46\xe1\x0e\x31\x36\x90\x58\x42\xa1\x42\x29\x10\xbb\xb0\xd9\x84\x68\xa6\x35\xb9\x5e\xa8\x03\x81\x57\x74\x6d\xd2\xc5\x7b\x79\x73\x0f\xc6\x62\x35\xed\xc3\x55\x4c\x5b\x85\x8b\xeb\x9a\xad\x3f\x0d\x08\x5e\x1d\xcc\x48\x53\x16\x16\x1e\x3c\x60\xaf\x3d\xc0\x0e\x76\x71\xf7\xf8\xdf\x77\xe0\x32\x56\xe0\x77\xf7\xab\x4d\x37\x7c\xfe\x09\xe6\x2f\x1c\x39\xa1\x51\x4f\x61\x44\x63\x9a\x42\x0c\x13\xc8\x9c\x49\x83\x5d\xcf\x55\xfe\x41\x85\x87\x37\x45\x58\x78\x2e\xc0\x5b\x4d\x92\x47\xc9\xab\x41\x10\x81\x56\x78\x91\xa3\x3b\x3c\x14\x65\x13\xaf\x65\x6b\x73\x42\x32\x4f\xea\x7e\x75\x89\x9a\x79\x58\xb4\xa5\x80\x2e\x2f\x9a\x18\x73\x90\x0b\x95\x52\x0d\xae\x05\x0b\xf4\x2d\x2e\x2a\x99\xc2\xa9\x11\x85\x03\x51\x81\x58\x73\xa1\xe8\xc0\xfd\x30\x92\xac\xd6\xaa\x58\x8b\xd3\x42\x4d\x1f\x1c\x75\x9a\x67\xb9\x60\x02\xc8\xa1\xb8\x28\x9a\x3d\xd8\xc7\x8b\x62\x2d\xcc\x23\x38\x9f\x4a\xd0\xea\x95\xcd\xcc\xdc\xf4\xd4\x89\xea\xde\x06\xba\x09\xb3\x8b\x04\xd9\x80\xe8\x51\xd2\xbc\x72\xdb\x3e\x3f\x0c\x7b\x5c\x4e\xac\x79\x37\x72\x72\xf0\x02\x40\x4c\xae\x47\xe5\x50\xfc\xbe\xe7\x08\xfd\x74\xa6\xb5\xfa\x0b\x45\xef\xd9\xa5\x79\x4c\xf7\xee\xff\xac\x17\x2c\x56\x1f\x56\xb4\xe9\x71\xba\x06\xf9\x7f\x93\x38\x15\x1c\x10\x37\x28\x1f\x3c\xf1\x22\x24\xce\x5b\x17\x79\x63\x18\xc4\xf4\x1c\xbb\x8b\x90\x79\x4f\x06\x75\x1b\x99\x17\xb5\x62\x80\x4d\x65\xf3\x79\x80\xea\x03\x2d\xd9\xba\xd0\x57\xec\x73\x86\xb7\x15\x28\x5d\x57\x34\xfd\x2f\x8e\x07\xf7\x0c\x7b\xa1\x01\xe9\x06\xc3\x34\x77\x80\x4b\x97\x5f\xf2\x0e\xe0\x11\xbd\xe4\x4d\xa4\x59\x04\xd9\x40\x9d\xc1\xfe\xaf\x31\xf6\xc3\x06\xc2\x2d\xf7\x5f\xe1\x05\x2f\x9c\xa1\x1f\x95\xe0\x29\x7b\xcc\xc4\x86\x45\xd6\x04\x9f\x3d\xbf\xb4\x4c\x27\x41\x99\x11\x34\x40\x7a\xec\x66\xcf\xb5\xf1\xd1\xee\x16\xe5\x02\x64\xfb\x97\x5d\x3b\xe2\xe2\xab\xdc\xc3\x74\xa7\xfd\xdb\x83\x29\x60\xb0\xb3\xc8\x42\x1e\xa1\x6e\x58\xe9\x1e\x08\x57\x0e\x53\x2b\x9b\x9a\x5e\xc8\x68\x1e\xfc\x82\x9d\xdc\x39\x4a\x99\xb5\x16\xf0\x75\x70\xd3\x20\xf2\x45\x15\x35\x65\xb0\x33\x0d\xf6\x8b\x57\x69\x5b\xd2\x96\x31\xdf\xdb\x78\x4f\x7d\x8d\x05\x2f\xf7\xbe\x69\xbc\xa7\x9c\x7d\xf4\xd9\x3d\xd3\xd3\x9e\xe9\x69\xcf\x7d\xe9\x61\x75\x5f\x7a\xc0\x76\x5f\xfa\xda\x23\xe5\xbe\x74\x37\x3b\xc5\x66\x2f\x1f\x9e\x62\xa8\xe7\xd2\xc3\xef\x02\xfb\xc0\x0e\x3c\x97\xbe\xc7\x7f\xd6\xe5\xb9\xc0\x6e\xe3\xa6\x54\x81\x58\xf8\x9d\x43\xdb\x58\xb4\xa6\x1b\x2a\x21\x34\xd9\xad\xd0\x16\xf8\x96\x43\xc1\x1f\x8c\x0d\x7b\x53\xb9\x57\x55\x7c\x3a\xc1\xfb\xb6\xac\x9c\x91\xca\x68\x03\xb1\x51\x92\xaa\x19\xd1\xbb\x26\x99\x75\x03\x2a\x15\xa7\xe6\x98\xca\xc5\x4e\x62\x79\x74\x6b\xea\x3a\x80\x5c\xa0\x61\xb3\xad\x74\x65\x76\xbb\x68\x4e\x23\x2b\xcd\x11\xd1\x58\x6b\xf0\xd9\x85\xf3\x20\x24\x88\x4e\x96\xf7\x27\x1b\x9c\x2f\x49\xe9\x00\x3b\x83\xa6\x91\xd5\x5e\x9c\x94\x50\x53\xa5\x53\x29\xa5\x7e\x87\xae\x85\x89\x4e\x8a\x89\x89\xbd\x0a\x08\xcc\xca\xba\x48\xf0\xb3\x42\xf0\x70\x23\x8c\x13\x88\x75\x2e\x33\xa5\x92\xec\x8a\xbc\x2e\x3b\xaa\x1a\x44\x3d\x90\xec\x33\x65\x55\x37\x79\x42\xe4\x86\xba\xe4\x3d\x96\xc6\x32\xb3\x21\xe4\x05\x0e\xa0\xc7\xce\xf5\xf4\x43\x07\xd8\x17\xc6\xd8\xbf\x76\x8b\x9d\x2f\xe3\x84\x12\x86\xfa\x1f\x1c\xd3\x60\xe4\x63\x23\x4b\x29\x26\x66\x60\xc5\xe0\xd4\x61\xf1\x81\x84\x23\xb4\x84\x61\x33\xcf\x0a\x95\xa1\x3c\x11\x1b\x90\xb6\x26\x8b\x8a\x9a\x21\xd3\x88\xfa\x18\xca\xe1\x37\xe5\x15\x68\x57\xa6\x82\x13\x9d\x26\x75\x1b\x96\xf6\xac\x68\x70\x3e\x5f\xba\x09\x7e\x94\xa2\x3d\x6e\xf1\x15\x5c\x67\x7b\xa2\x56\x00\x13\xa1\x10\xa5\x95\x2f\x03\x35\x25\x20\x7b\x53\xff\x1d\x06\xd4\xc5\x9c\xf8\xda\x18\x1b\xb6\x00\xfe\x17\xc7\x2e\xc3\xc1\xae\xa1\xf1\xc2\x9e\xde\x0b\x01\x37\x24\x78\xe3\xd8\x90\x5a\x1f\x99\x35\x80\x79\xcf\xc3\x4d\xaa\xee\x08\xb9\x68\xc3\x69\xdc\x72\x49\x26\x6b\xbc\x88\x3b\x71\x12\xe6\x8a\xe9\xa0\x2d\xaa\xa6\x8d\xae\xe5\x7e\x57\x34\xf4\xba\x84\xc9\x66\xd8\x2f\x28\x2e\x5f\x6e\x80\xaa\x7c\xb9\x83\x15\xb0\x85\x94\x51\x39\x03\xf5\xf8\xe3\x94\x63\xe0\x62\x05\x05\xee\x35\x63\xec\xbb\x46\x86\x23\x9e\xcb\x22\x31\xd3\x82\xc5\xeb\xfb\x7f\xec\x05\xcf\x1e\x7c\xac\x99\x3a\xd4\x34\x86\x31\x32\xc4\x61\x89\xf4\x87\x6f\x82\x3e\x38\x8b\x54\x22\x7f\xe2\x93\x09\x94\x20\x44\x7c\xff\x08\xb8\x10\x97\x9d\xec\xb3\x4d\x36\xa1\x52\xaf\xf8\xeb\xac\xbe\xad\xca\x44\x76\x4b\x5b\xb0\x4e\x2a\x85\xa3\x65\x8a\x6e\xcb\xcb\x1c\xc4\x87\x81\xce\x2a\xe7\xaa\x8e\x28\x1b\xec\x7d\x63\x8c\xdb\x36\xdc\x2c\x32\x8e\x7c\xf7\x6e\x88\xbc\x2d\xc2\xc8\x7f\xf5\x58\xb0\xa8\x7e\x70\xd4\xb1\xf6\xf2\x01\xb1\x40\xcf\x7f\xa6\x8a\x56\x9d\x14\x94\xf3\x00\x02\x02\x3b\x53\xf0\xb3\x1e\x7b\x87\xc7\x26\xba\x59\x74\x3a\xbe\x28\x22\xff\x4d\x5e\x70\x6e\x81\x7e\x0c\x22\xe4\x5d\xb4\xae\xfb\x9d\x36\xf7\x0e\xef\x29\xec\xc9\xbb\x3a\xa2\x76\x68\xf9\x7f\xbd\xd6\x81\xc6\x1d\x02\xa5\x42\xf7\xe2\x5f\x5d\x13\xdc\x39\xf0\xb4\x3a\x22\x3b\xe7\x2b\x5d\x8a\xd6\x37\x52\xc4\xcd\x45\x37\x89\x9b\xa1\xeb\xe3\xfb\xba\x6b\xd8\xdf\x7b\x8c\x35\xe5\xc9\x41\xc0\x9d\x3f\xf3\x82\x73\x8b\x6e\xdd\x24\x16\x98\x9b\x07\x81\x7c\x42\x0b\x69\xa7\xa0\xb6\x0a\x51\x1e\x2e\xdc\xce\x34\x76\xee\x07\x3a\x64\x0e\x66\x55\xcf\x76\xc4\x2e\x49\xb2\x71\x19\xec\x12\x7b\xab\xc7\x1e\x43\x9d\x5d\x14\x68\x2d\xf3\x5f\xed\x05\x2f\xf2\x2a\x0f\x01\x43\x5b\xb2\xf1\xca\xec\xea\x62\xb6\x93\xc4\x36\x08\x94\xa2\x0d\x75\x6b\x22\x95\xcc\xa4\x70\xcc\xd6\x88\x5c\xde\x14\xfc\x59\xc7\x6a\xba\x41\x5c\x24\x57\xae\x7f\x97\xc7\x1e\x43\xd2\x83\x2a\xe0\xbf\x51\xc3\x3b\xbd\xd4\xab\xbc\x1b\x44\x46\x82\x56\x95\x91\x86\x8c\x31\x23\xa0\x75\xb4\x84\x63\xbf\x57\x23\x34\x60\x38\xab\x7d\x92\x67\xd4\x14\xb9\x57\x5c\x8b\xe9\xfd\xe6\x3f\x53\x75\xf4\x54\xfe\x30\x74\xd0\x6d\xe7\xdd\x1e\xbb\xd6\xed\x87\xff\x66\x2f\x78\xb5\xe7\x3e\x7b\xa4\x97\x4f\x8d\xab\x5e\x59\x88\x9a\x7a\x31\x69\xaf\xe6\x3f\x79\xec\xda\x66\x96\x24\xd0\xb5\xd9\xac\x97\x96\xfe\x9f\xeb\xc5\xfc\x9c\xe7\xbe\xd2\xd7\x37\xfc\xc8\x5a\xbc\x1d\x16\x6d\xae\xcb\x98\x5c\x2f\xf6\x69\x07\xe5\xee\x88\xf5\x05\xdc\x69\xcb\x3d\x26\x54\xd1\x01\x68\x2b\x06\x43\x62\x98\x02\x0f\xd0\x6c\x87\x69\x5c\x74\xd0\x4c\x16\xdb\x59\xf6\xd0\xec\x6c\x0c\xae\xd4\x87\x54\x6c\x4a\x42\x31\xab\x5b\x1b\xbe\x39\xfe\x9b\x7d\xea\x68\x93\xfc\x88\x9e\x81\xef\xf3\x2a\xef\x1e\xa5\xed\x5c\x39\xf2\x95\x94\x19\x1e\xf3\x15\x7c\xd9\xdd\xb8\x19\xe4\x5e\x7b\x50\xa7\x47\x7c\x97\x37\xf8\x5a\x75\xbc\x93\x15\xa0\x75\x91\x24\x71\xcd\xbc\xd5\x70\x68\x38\x7d\x71\xe1\xae\xe1\x7c\x69\xb1\x35\x5a\x45\x63\x15\x39\x5c\x58\xb5\xd5\xc8\xd4\x15\x17\xda\xa2\x9a\xa5\xbc\xd3\x23\xc5\x10\x4d\xd2\xcc\xc2\x3c\x69\x36\xdc\xe1\xfd\x80\xc7\xae\x81\x84\x64\x7a\x3d\x5e\xa0\x96\xa3\xe5\x3c\xdf\xd5\x5a\x60\xb6\x5a\x29\xec\x84\x80\xd6\xda\xe7\x9a\xba\xbb\xdd\x79\x9d\xc7\x6e\xab\xe4\xfe\xcc\x72\x92\x29\x4c\x90\x80\x48\x5a\x4b\x3d\x04\x26\xef\x25\xa2\xc0\x5c\x9a\xa0\x1c\x5e\x76\xee\xb8\xd3\x6c\xce\x4e\x80\x78\x4b\x70\xd4\xa4\x3f\x2c\x33\x2e\x24\x0b\x2b\xb7\x73\x2e\x6b\x41\xc4\xa4\xc5\x61\x49\xec\x5e\x32\xe1\x00\x58\xb5\x92\x6c\x93\x06\xa7\xfb\xb4\x90\xc7\x59\x1e\x97\xfd\x33\x62\x43\x24\x8e\x90\x0c\xfd\xfa\xb5\x83\xc1\xbd\x5b\x17\xa9\xb8\x02\x0e\xaa\x23\x79\x97\xbe\xe7\x89\xac\x40\x8a\x74\xf2\xd2\x73\x06\xfc\x77\xfb\xd9\x57\x3d\x76\x10\x58\x4a\x11\xf9\x5f\xf6\xd8\xb9\x91\x57\xee\xb0\x51\x9c\xc1\x0f\x47\xf7\x34\xf8\x41\x6f\x85\x6a\x5f\xb1\x39\xc6\x6c\xd3\x12\xaa\x73\xa1\xdd\x67\xd0\x3f\x82\xaa\xad\x8e\x60\x20\x2d\x05\xe5\xdd\x01\x5a\x8d\xb9\x2b\x28\x85\x1d\x88\x63\xfd\xae\x00\x6f\x8f\x95\x80\xea\x0b\x56\x1a\xec\xfb\xf6\x11\x8c\xd9\x3f\x8e\x07\x7f\x35\xae\x0a\x69\x2a\xaf\x90\xc0\xe1\x90\xb9\xcd\x23\xf8\x36\xe5\x83\xcd\x90\x0d\xa7\xd9\xd6\x1a\x02\x32\x6d\x41\x70\x01\x9f\x31\x12\xd4\x4a\x70\xea\xa2\xec\x65\xb0\x02\x1e\x0f\xc4\x1c\xeb\x19\x50\x3a\xda\x4a\x83\x72\x62\x30\x67\x85\x6e\x35\x24\xf6\xff\x08\x6a\xa4\x7a\x38\x7b\xa9\xd8\x10\x39\x7a\xda\x46\x93\x30\x0b\x94\xed\x22\x12\x65\x1e\x36\x4b\x43\xdb\x9a\x61\x37\x6c\xca\x16\xc0\xe3\xc0\xd1\x10\xa0\x8b\xa3\xdb\x85\xa2\x3a\x0c\x3d\x93\xf6\x38\x8e\x84\x93\xdb\x8e\xe5\x39\x61\x2e\x9e\x33\x30\x7f\xa8\x51\x39\xb2\x3a\xc9\x8b\xcc\x4d\x9f\x0d\x99\x6f\x69\xe7\x98\x5e\x43\xfe\x4d\xa7\xe3\xe2\x22\xe5\x99\x4e\xfa\x48\xf8\x06\x9a\x1e\x7e\x46\x1f\xf2\x56\xd8\x63\x1d\xd6\xaf\x97\x02\x57\x3b\xef\xdf\x5d\xe7\x51\x5c\x34\xf3\x18\xcc\x79\x59\x7e\x12\x64\x4c\xc6\xc9\xfd\xb3\x5e\x66\x75\xeb\xbd\xb8\xab\x7f\x12\xc0\x7b\xa8\xb3\x27\xd5\xee\x65\xec\x8d\xfb\xd8\xf1\xd1\x76\xb8\xc5\x5e\x3a\x53\x9c\x2f\x44\xae\xd0\xf1\x30\x6f\x58\xe1\x7f\x65\x3c\x78\xce\xa8\x97\x8e\xae\xdf\x80\x20\xf6\xbb\xe8\x76\x0c\xb9\x37\xa9\x64\xc5\xf3\xcb\xfe\x40\xd2\x02\x49\xc3\x1c\x5a\xf0\x17\x63\xec\x1f\x3d\x76\x20\x07\xcf\x14\xff\x6f\xbc\xe0\x5d\x1e\xfe\xad\x93\x5f\x2b\x2b\x1f\x3d\xce\x5a\xbc\x17\x47\x85\x03\xa1\x83\xe9\xb5\xe6\x29\x81\x30\x18\x13\x92\x78\x5d\x58\x50\xa0\xca\x98\xd8\x8b\x23\xf4\x25\x2a\x7a\xdd\x6e\xd2\x37\x2f\xa0\x76\xe3\x01\x56\x48\xb6\xa1\xd0\xae\x22\x22\x8d\xcc\x82\x02\xb9\x38\xdb\x2b\x4a\x98\x2e\x47\x7c\x38\xc1\xa6\xb7\x48\x9a\x53\x59\x8a\xf9\xb9\x45\xd9\x28\x5b\x67\x30\x2d\x7e\x33\xb8\x20\xff\x35\x29\xab\x6c\xb0\x49\xd0\x33\x44\x71\xb3\x54\xb3\x0a\xd3\x02\x9b\x51\xaf\x9a\xc2\xb3\xb3\xa7\xa6\x10\xa5\x73\x49\xfc\xae\xc7\xbe\x63\x44\x5e\xc9\x7b\x44\x18\x89\xdc\xff\x80\x17\xdc\x61\x7e\x3a\x6e\xd8\x4d\x04\xc9\x6f\xe3\x1b\xcb\x7f\x2a\x4e\xb9\xfc\x84\xd2\x12\x6a\x35\xde\xfe\x8d\x01\xc5\xdd\x33\xd9\x51\xd2\x73\x04\xc1\xbf\x02\xaf\x02\xac\x0c\xe9\xab\xb6\xdd\x52\x6f\x6b\x0c\xab\xf0\x6f\x08\xbe\x65\xa0\xb0\xa9\x9c\x4a\xff\xb5\xc7\xbe\x7b\x84\x26\x61\x2e\x14\x9d\x2c\x3d\x45\x46\x91\xc2\x7f\xd0\x0b\x4e\x0f\x79\x0e\x3a\xf8\x82\xf2\x44\x64\x5d\x41\x36\xcd\x08\x4a\x99\x64\x76\xe4\xb3\x28\x2b\x70\x65\xfc\x8c\x75\xd8\x63\x08\x40\x4b\x55\xea\x3f\x73\x8b\x2d\xa1\x51\x88\x9c\x7e\x04\x87\xd5\x5f\xb2\x29\x64\x9c\x9e\x46\xa8\x5e\x31\x65\x3f\x97\x1d\x69\xb0\xff\x3a\xc6\xfe\xdd\x90\xea\xc8\xe2\x1b\xa1\x86\x47\x1e\xab\x1b\xdd\x47\xce\xb2\x92\x16\xc7\xb2\xb5\x82\x37\x69\x24\xf4\x42\xb2\x48\x6c\xc4\x4d\xb1\x50\x4d\x48\xf4\x06\x8f\x09\x66\xbd\xf4\xef\x0b\x9e\x3a\xa7\x7f\x55\x75\x00\x58\x0e\x53\x11\xa1\x97\xe4\x70\x9b\xaf\x22\xb3\xf6\xda\x1e\xa3\x5d\x73\x24\xf8\xf6\x73\x96\x46\x4c\xf7\x79\x10\xf8\xfe\xf3\xc3\x7d\x6e\x2d\xbc\x27\x9c\x8a\xd3\x71\x22\xfc\x9f\x3e\x14\x3c\x63\xe8\x1b\x27\x87\xb3\x15\x98\xe3\x92\xb8\x96\x2c\x49\x0e\x11\xb6\xe7\x22\x6c\xd4\x61\x99\x9c\x3e\x38\xc1\xfe\xd2\x63\xd7\x29\x05\x0c\x24\x6b\x5e\x14\x2d\xff\x77\xbd\x1d\x40\x56\x2d\xda\x5f\x69\x1d\xd9\x9b\x3d\xe5\xbc\x6f\xd9\x1b\xaa\xce\x25\x27\x91\x53\x31\x86\x24\xeb\x42\xd4\x97\xe9\x11\x7c\xd8\x68\x76\x7b\x35\x2a\xd0\x40\xd3\x41\x4d\x17\x92\x2f\x9d\xaf\xa8\xc4\x24\xd0\x6d\x92\x55\x92\xbe\x81\x30\x6b\xb0\xb7\x79\x6c\xa2\xa5\x06\xfa\x06\x6f\x07\x98\x60\x68\xc0\x73\x87\x19\x2a\x32\x7c\x92\x9b\xf1\x22\x41\xc8\x54\x3e\x98\x88\x86\x09\xa6\x4d\x54\x03\xd5\x28\x64\xa1\x66\xa2\x65\x4c\xce\x6d\xc8\x48\x69\x3a\xfa\xa1\x71\xb6\xaf\x93\x45\xc2\xff\xf9\x71\x25\x65\xfc\xc8\xb8\xca\xaf\x79\x92\xcb\x57\x7c\x55\xce\x9a\x4e\x87\x2e\x4a\xde\x15\x39\x59\xaa\x0a\x0b\xac\x2e\x11\x35\xcd\x34\x86\x29\xcf\x9a\xa5\x32\x5b\x6b\xd8\xe7\x63\xc7\x8e\x61\x3e\x9a\x63\xb7\xdc\x72\x0b\x07\x4e\x34\x12\xcd\xb8\x33\x58\x10\x4a\xdd\x34\x3d\xdd\xe0\xf7\xcf\x9c\x3d\x43\xf6\xfd\x82\xaf\x66\x65\x9b\x6a\x06\x26\xcc\xfe\xb8\xa8\xf1\xa7\x2e\xdd\x7b\xce\xa4\x66\x74\xdf\xc2\x55\xa6\xc7\x03\x57\xe8\x90\x6c\xdc\xca\x39\x04\xc1\x0d\xcf\xca\xe2\x6e\x62\x4b\x4c\x51\x1e\xaf\xb5\x55\x96\x6e\x29\x17\x24\x31\xf9\x19\x10\x8f\xa7\x38\x04\xf4\x4d\x00\x93\xa6\x39\x3b\xb2\x0f\x35\xbc\xb4\x5b\x05\x84\xcb\xd6\xb4\xf9\x33\x17\x45\x2f\x29\x95\x92\x19\x2b\x33\x6b\x80\x17\x9c\x25\x9c\x7d\x49\x65\x48\xfb\x9c\x17\xfc\xa6\x67\x76\xcb\x02\x65\x40\xa3\x3a\x13\x4c\x9a\x09\xc4\xc8\xd6\xb1\x43\x77\x28\x25\xad\x72\x7c\x3c\x6b\x39\xb9\x86\xab\x45\x96\xf4\x4a\xc8\x91\x4d\xc7\x0a\xbe\x3b\xdc\x68\x1c\x56\xe9\xd2\x54\x12\xf9\xb2\x55\xbf\x95\x13\xcc\x25\x2a\x3d\x5a\x71\x5e\x94\x3c\x2e\x45\xc7\xe8\xf4\xed\x9e\x68\x77\x5a\xe4\x3d\x60\xfa\x64\xcd\x36\x61\x7b\xdb\xf5\x43\x69\xbe\x0b\xe5\xe7\x3f\x70\x7d\xf0\x8b\x9e\xfb\x8c\xaf\xc6\x28\xa9\xa3\xbf\xfb\x49\x7e\x54\xd2\xf9\xb0\x03\xee\xaa\x91\xc8\x8b\x32\xcb\x0c\x16\x30\x2e\x40\x57\xe4\xed\xb0\x5b\xc8\xa7\x5d\x91\x03\xf8\x6c\x98\x90\x3b\x6e\x51\x43\xc9\x29\x35\xd0\xf0\x47\x51\x02\x4c\x9b\x71\x37\x4c\x34\x66\x3b\xcc\x9b\x49\x65\x44\x8e\xa1\x4a\x6c\x16\x11\x7c\x46\xb0\xc1\x08\x78\xe7\x6a\x81\xbf\x78\xed\x9e\x33\xca\x6e\x9d\x51\xbe\xe0\xb1\xc7\x87\xbd\x32\x83\x4c\x3b\x43\x60\x1f\xfd\xf7\x7b\xc1\xdb\xbd\x99\x2d\x4a\x0c\x11\x58\xbb\x59\x64\xb8\xa2\x90\xf4\x76\x14\x62\x09\xee\xbe\x72\xd7\xd1\x8c\xa2\x62\x05\x1d\x57\x4b\xa8\x0f\xba\x13\x96\x94\xa0\x8b\x12\xe5\x81\x47\x0a\x1c\x74\xcc\x8b\x1b\xc9\x82\x26\xe0\x01\x85\x2b\x27\x55\xce\xff\x1e\x67\xd7\xc5\x9d\x70\x4d\x2c\xf4\x92\x04\x71\x15\x0b\xff\xb7\xc7\x83\x97\x8d\xcf\x57\x9e\xba\x7e\x16\xda\x87\xbf\x40\x1a\x4e\x45\x52\x23\x00\xa4\xb6\x1e\xa6\x57\xa0\x22\xb1\xdb\x03\x04\x71\x4c\x12\xda\x01\xf4\xeb\x38\xc5\x99\x20\xf9\x5a\x87\x06\x80\xce\xcc\x99\xc8\x06\x1f\xe8\x13\x80\x75\x43\xe0\x85\x12\x99\xd5\x9b\x55\xd1\x0c\x65\xab\xea\x37\x9d\x24\x95\x51\xd0\xa4\x54\xc6\xf0\x81\xa1\x35\xe3\x3d\xa8\x0c\x73\xa4\xff\x22\x0e\x75\x37\x8e\xa1\x38\xf2\xa9\x1b\xf0\xaa\xe8\xc7\xe9\x5a\x1d\x1e\xc9\xd9\xa1\xa9\xac\x67\x69\x3d\xac\x77\xb3\x68\xe7\x06\x96\xad\x92\xfa\xed\xb9\x53\xed\xc2\x9d\xea\x33\xb6\x3b\xd5\x83\xbb\x76\xa7\x7a\x71\xd5\x9d\xea\x70\xa1\x1d\xaa\x1e\xf1\x21\x6a\xc0\x9c\x5f\x1f\x63\x07\x69\xaf\xf9\xbf\x30\x16\xbc\xc5\xb3\x8e\x79\x69\xc1\xbe\xa8\xa3\x3d\xe8\x2f\x0c\xd7\x9a\x4d\xc3\x94\x67\xca\x90\x83\x7b\xf9\x67\xc5\x28\x24\xa7\xb0\x0b\xf6\x41\xb8\x91\x1d\xdf\x41\x92\xf9\xca\x19\x78\x64\xd0\xa4\x2e\x6c\xef\x92\x75\xc2\x9f\xae\x2b\xb0\x15\x67\x5e\x2a\xce\x55\x1a\x5e\x2a\x08\x18\xfb\xb9\x09\x16\x58\x63\xca\x57\xc3\x26\x20\xfd\x62\xbc\xd2\x62\x96\x08\x00\x85\x7a\xd9\x44\x30\x55\x79\x36\x0c\x13\xca\x2a\x52\x0c\xc5\x83\xfa\xd4\x81\x3d\x2e\x61\xb7\x5c\xc2\x9a\x82\x50\x7a\x76\xf0\x04\x0d\xa1\x64\xae\x4c\x7b\x0d\xec\xcd\x7c\x8c\x35\x58\x6d\xe4\x66\x1e\xb2\xf0\x7b\xc4\x7c\x17\xc4\xbc\x65\xd1\xf2\x67\xee\x0e\xf3\xec\xdb\xb7\xa0\xe3\x0f\x79\xe9\xf6\x84\xe1\x69\xfe\x7c\x7d\x38\x05\x80\x55\x77\x4d\x63\x15\xb7\xcd\xca\xa1\x67\xec\xa3\x87\xd8\x33\x4d\xff\xc5\xc5\x52\xa4\x20\x50\x1b\xec\x7b\x07\x67\xc5\x14\x30\x09\x5a\x40\x43\xa9\x14\x24\x73\x7a\x5e\x80\xd0\x7c\x65\x22\x78\xda\x56\x05\x2a\x7b\x7d\x44\x49\x9a\xa9\x11\xa0\x74\x2f\x3a\xb8\x47\x84\x76\x4b\x84\x3e\xe0\x29\x2a\xf4\xb3\x5e\x70\x33\xfc\x85\xab\x22\x05\x90\x8d\x38\xea\x85\xc9\xb6\xab\x63\x53\xa7\x36\x6b\xb1\x68\xd4\x29\x79\x38\x77\xd9\x1e\x55\xdb\x05\x55\x9b\xb7\xa8\xda\xe5\x78\xb1\x0d\x52\xb5\x87\xbc\x17\x6c\x4f\xb8\x9e\xe1\x5f\xb0\x11\x92\xac\x55\xae\x52\xa9\x2d\x28\xc6\x50\xc4\xa4\xb7\x5f\xcb\x6e\xde\x89\xc7\xfd\x62\x2f\x11\xf7\xc5\x65\xfb\x5e\xed\xc7\xef\x7f\xf5\x9a\xe0\x45\xde\xe0\x73\xca\x82\xd6\xeb\x26\xa0\xa6\xb2\x5e\xc8\x23\xac\xba\x56\xa8\x94\x26\xf2\x18\x77\x3a\x22\x8d\x90\xd7\xed\x84\xeb\x82\x9b\x0c\xcf\x61\x42\x91\x83\x50\x9d\xb8\xd8\x0d\x71\xdc\x20\x2e\x02\x5e\x80\x6b\xd3\xf8\x9d\xab\xd9\x2f\x79\xec\x2a\x43\xd1\x0a\xff\x9d\x5e\xf0\x2a\xcf\x90\x34\xcd\x70\x4b\xd1\x7e\x43\x3d\xb3\x1d\x26\xa5\x2c\x0b\xc9\x2d\xe4\xfe\x3b\x7c\xf4\x30\x45\xef\xe9\xc2\xa0\x79\xa4\xe7\xb4\xe3\x51\xf5\x68\x10\x9d\x40\x28\x4f\xe2\xa6\x81\xce\xcb\x52\xe1\x58\x59\x47\xa6\x3a\x7f\xcb\x18\x63\x26\x58\xc2\x7f\xcd\x58\xf0\x75\xcf\x9d\x5c\x88\x01\x35\x4f\xc0\xb2\xa0\x83\xaa\x30\xfc\x32\xcc\x45\x41\x70\x5c\x75\x3e\xbb\x78\x6a\x66\xf9\x54\x8d\x9f\x5f\x98\x83\x7f\xe7\x4e\x9d\x39\x25\xff\x9d\xbd\xf7\xdc\xb9\x53\xb3\xcb\x3c\xcb\xf9\x51\xd4\x8d\x25\x89\x71\x8d\xcf\xdc\x75\x0b\xd3\x3e\x6f\xf5\xc0\xcf\xd4\x34\xe6\xf4\x42\xae\x16\xbc\x8d\xc8\xbe\xf9\x88\x4d\xd1\xeb\xf7\xb1\x43\x7a\xb1\xfc\xef\xdf\x17\xfc\xf9\xb8\xde\x56\x55\xad\x89\x7a\x8c\x17\x55\x2f\x11\x3c\xec\x76\x13\x70\x09\xc9\x1a\x8c\x9d\x36\x08\x13\x27\xf9\x61\x29\x5d\x1d\x26\xb3\x3d\x7a\xb3\xc3\xa3\xa9\x24\x5b\x3b\xac\xad\xf9\x82\x27\xd9\x9a\x24\x56\xb6\xdd\x82\x4a\x1f\x55\xc5\xd0\xcb\x9b\x1a\x47\x8d\x07\xb9\x29\xe4\xe6\x00\x60\xe5\xce\x37\x76\x01\xbb\xde\x29\x88\x93\x70\x4a\x42\xe0\x44\xa5\xc2\xa3\x53\xc3\x7b\xa0\xd4\xd3\x71\xee\x7e\x01\xe8\x36\x9b\x71\x12\x35\x25\x57\x55\x5d\x2c\x0b\xce\x03\x66\x0e\x43\x8a\x31\xff\xba\xa9\x9a\xfc\x28\xb2\x0d\x91\x27\x61\x17\xb5\xc0\x10\xed\x01\xca\xef\x06\x63\x73\xa2\x2b\xd0\x97\x9c\x4c\x91\x22\x6d\x26\x19\xc8\xae\x78\x6c\x6b\xee\xb0\x51\x37\xaf\x34\xd8\x28\x06\xef\x6c\x63\xfc\xc4\x38\xdb\x0f\x98\x4f\xfe\x1b\xc6\x83\xff\x3c\x0e\x7f\x56\x9c\x80\xf0\x99\xe6\x5c\x7a\x89\x68\xf0\x6a\x7e\x35\x1e\x10\xb3\x17\xd4\x78\xa0\xdd\x9b\xa2\x00\x99\x90\xe0\x68\x60\x0a\xd8\x3e\x1e\xa0\xbd\xaa\x40\x4f\x99\x51\xc1\xe4\x01\x1c\x8f\xdd\xb4\x71\x9e\x92\xe4\x88\xd8\x01\xb4\x4a\x39\x15\x35\x9c\x8e\x0c\xb4\xaa\x75\x7f\xdb\xb7\x28\xbb\x6f\x7d\x5e\x82\x69\x13\xdd\x68\x68\x72\x72\x21\xa7\x13\xf1\x2d\x1a\x7c\xc9\x59\x1a\xaa\xcd\x99\x47\xb9\xab\xba\x61\x8e\x41\xc0\xe4\xa3\x6d\x67\x31\x0c\x8e\x06\x8e\x55\xff\xbd\x1e\x3b\x14\x76\xe3\xbb\x31\x13\xd8\xdb\xbc\xe0\xe5\x92\x3c\xe3\x4f\x9b\x38\x63\xaa\xb0\x1d\x91\x66\x2c\xfa\xc8\x52\x9d\x5f\x1a\x73\x23\xb1\x76\x98\x78\xd2\x7f\xc9\x58\xb0\xbe\x5d\xa1\x6d\xd3\x51\x02\x7d\xde\x51\x12\x4a\xe7\x3a\xfc\x7e\x8f\xbd\xd4\x63\x87\x00\xd7\x0d\x7c\x2c\x2f\x2a\x1b\x61\x73\x41\x3d\xab\x38\xf0\x62\x0a\xdf\x84\x87\xa5\xc6\x34\x72\x7d\x10\x8d\xed\x5b\x57\x2b\xf7\xa7\x5a\xf0\x0d\x15\x27\x73\xac\xe2\xf4\x39\xc1\xfe\xed\x68\x43\x10\x88\x3c\x1f\x9c\x08\xbe\xcb\xfa\x0d\x99\x5d\x6d\x6a\x4e\xba\xfa\x11\xc2\xcc\x4f\x1e\xdc\xe3\x68\x77\xc1\xd1\x7e\xda\x56\xba\xfe\xda\x2e\xd1\xc9\xad\x08\x56\x07\x9e\xfc\xd1\x1c\xdc\x9e\x68\xbb\x5b\xd1\x76\x59\x49\xb6\x4f\x0b\xae\x3b\x53\x39\x83\x36\xa1\xac\xb1\xa3\x3b\x80\x95\xa1\x93\xfd\x90\xb7\xb4\xbd\xbc\x73\xcc\x6f\x54\x34\xb8\x83\x02\x8c\xab\xbe\xfd\xd4\x35\x8e\xfa\xb6\x0a\x82\x3e\xbb\x34\x7f\x2e\x8b\x84\xff\xf6\x6b\x82\xdf\xda\x3f\x77\x6a\x61\xf1\xd4\xec\xcc\xf2\xa9\x39\x5e\x47\x77\x00\xa8\xc8\x8e\x5d\xa0\xf2\x92\x7c\x44\x26\x4d\xcb\x6a\x5f\x01\xd6\x4d\x6d\x4c\x4f\x51\x19\xcc\xc3\x47\xd6\x71\xcc\xf0\x9d\x95\xda\x5b\x81\x56\x8d\x3c\x71\x1a\xba\x62\xa4\x6d\x43\xd0\x73\x93\xc4\xc2\xf4\x28\x20\x5d\x0b\x62\xd7\x00\x42\x27\x04\x84\x39\x05\x88\xfd\x52\x59\xc5\x2d\x3f\x1f\xd5\x14\x11\xb3\x28\xce\x45\xb3\x4c\xfa\x0d\x3e\x53\x00\x90\x1a\xda\x40\x45\x1f\x73\x3f\x13\xbc\x45\x1d\xeb\xad\x2b\xf9\x2f\xe7\x45\x1c\x89\x66\x98\x1b\xb7\x9c\x9a\x6d\x96\xa3\x98\x42\xc7\x38\xda\xcd\xba\xbd\x64\x44\x2f\x54\x74\x83\x19\x82\xec\x86\xbc\x49\xe4\xb4\xab\x4a\xbb\x00\xca\xc1\x1d\x21\xd4\x4c\x5d\x58\xb8\x56\x4f\x0c\xbb\xc0\xa9\x21\xd8\x27\x6a\x0d\x3c\x3d\x0a\xc9\x6a\x02\xba\x23\xf2\x3d\x04\x5b\xea\x70\x3e\x06\xb0\xa5\xb0\x43\xb3\x52\x3d\x2f\x80\xc1\x2b\x7f\x28\xd7\x36\x1d\xf6\x20\x27\x73\x93\x8b\x34\xeb\xad\x11\x06\x5d\x5c\xf2\x28\x13\x45\x7a\xb8\x34\xcb\xa1\x2f\x15\x77\x1c\x61\xca\xef\xdd\x4c\x45\xbe\x68\xd9\x61\xc3\x92\x93\x83\x1f\x91\x0d\x37\x20\x33\x35\xb3\xd9\xb8\xe4\x01\x4a\xb5\x73\x0f\xfe\xcf\x03\xec\x7b\x2d\x52\xde\xdd\xad\xf9\x6c\x4a\x13\xef\xd4\xc6\x82\x57\x73\x41\x58\x6c\xd0\x2b\xc8\x3a\xca\x22\x82\xce\xfe\xf7\x5b\x38\x4d\x8d\x38\x9f\x80\x8c\xfd\x9d\xc5\x56\xd0\x33\x54\x72\x8f\xba\xef\x01\x7e\x7c\x03\x53\x41\xac\x6c\x7f\x87\x3d\xd9\xbf\x6d\xbb\x54\x10\x6a\x2f\x0f\x53\xcc\x7d\xe0\x80\x13\xd1\xda\xcc\x90\x31\x57\xfa\xb8\x33\xf2\xa6\x81\x38\x98\x57\x1e\x08\x8e\xe8\x5f\xb4\x84\x83\x78\x4d\x50\xc2\x15\x0e\x3e\xb7\x9f\xbd\xdc\x63\x57\x85\x4d\x90\x7d\x96\xe3\x8e\xf0\x9f\xcf\x6e\xbf\x02\x62\x71\x36\x6e\xe6\x99\xfc\x3e\x38\x69\x55\x46\x7a\x40\xf9\xd7\xa6\x02\xc8\x55\xb1\xac\x78\x4f\x6e\x4a\x02\xd8\x24\xc9\x8b\x09\x76\xad\xbc\x14\x45\x3e\x4f\xfe\x59\xfe\x52\x70\xda\x7d\x62\xe0\xe7\x65\x65\xda\x8f\x4b\x01\xa1\x41\x59\x1c\xae\xd3\x90\x23\x7d\x7e\xcc\x63\x8f\x83\xa7\x73\x2a\x52\x48\x34\xb3\x34\x2a\xfc\x77\xe9\xa0\xb9\x37\x78\xc3\x0a\xe0\x78\x22\x15\x3f\xa4\xdc\xc5\xa2\x38\x0a\xd5\x75\x1f\xd2\xc0\xd4\x65\xbc\x19\xc6\xa5\xe5\xd7\x8f\x43\x85\xdc\x6f\x0a\x95\xaa\x23\x42\x50\xa7\x84\x6b\x72\x58\x25\x4e\x57\xd6\xe2\x49\x28\xd9\x2d\x15\xd3\xb6\x28\x52\xb1\x29\xe7\xd4\x15\xa9\x72\x76\x1d\xb4\xb7\x9c\x87\x69\x41\x11\xc7\xcf\x56\x83\x98\xaf\xbe\x1a\x8c\x36\x2b\xad\x97\x30\x6b\xd8\x7b\xe5\xc2\x89\xf3\x59\xb8\x6d\xbe\xc5\x63\x87\x72\xd5\x1d\xff\xb5\xde\x2e\x37\xcc\xa2\xae\x6b\xab\xed\x62\xaf\x2c\xf6\x51\xde\x9d\x30\x47\x2a\x3e\x0f\xc5\x7c\xb9\xd8\xec\x6d\x63\x43\x41\x3d\xef\xc9\x8a\x72\x26\x89\xc3\xc2\x7f\xe9\x58\x90\xe9\x5f\xc4\x89\x41\x68\x61\xd8\xed\x4a\x3a\xa7\x26\x60\x7e\x01\x11\x45\x28\x9f\x76\x61\x05\x37\x80\xe7\xa8\xca\x84\x8c\xb0\xc7\x69\x99\xf7\x2d\x37\xa7\xc3\x05\x7c\x88\x7e\xb5\xee\xc1\x7b\xa9\xc7\xce\xb0\x43\xba\x5a\xff\x29\xc1\x0d\xf7\xe8\x36\x14\x83\x14\xae\x66\x1b\x02\xba\x10\x45\xb9\x28\xb6\xca\x6e\xce\x6e\x62\x63\x71\xd7\x9f\x0a\x02\x53\xdc\x1c\x8a\xa2\x44\x37\x51\xc4\xe9\xb5\x3f\x7b\xf1\xfe\x6d\xb3\x25\x0c\xc5\x96\xf9\xc4\xbe\x3d\x6c\x99\x47\x09\x5b\xe6\x20\x8d\xc5\xd9\x3f\x9f\xf0\xd8\x4b\x3c\xa6\x5e\xf9\xfd\x2d\xb0\xb0\x47\x67\x4d\x00\x3c\x13\x95\xdd\x43\xcd\x98\x43\x5f\xdd\xe5\x1b\x9a\x3b\x61\x04\x56\xe1\x65\xc1\x80\xfc\xb5\x37\x34\xf4\x61\x56\x89\x1b\xa0\x7b\x5a\x44\x97\x27\xff\xa3\x5e\x70\xeb\xd0\x37\x48\x3e\x94\x67\x94\x05\xdc\xa0\xc5\x16\xf7\x0c\xbe\x80\xf5\xd9\x21\xc2\x7a\x9d\x29\xfd\x84\xdd\x72\x05\x74\x0c\x48\xd8\x34\x50\x2f\x47\x5d\x66\xa1\x70\x2a\x3a\x75\x24\x17\xf5\x49\x6a\x8f\xbd\x68\xdc\xc9\x44\xe7\x66\x6a\x20\x81\xf7\xae\xb0\xb9\x2e\xd2\x68\x21\xcb\x4b\xff\x33\x63\xc1\xad\x83\x8f\x35\x8b\x4c\x2e\xac\x5d\xf9\x6c\x55\xc8\xf1\x6b\xb7\xce\x8a\x79\xec\xe5\x63\xec\x55\x1e\x3b\x80\x57\x80\xff\x12\x7d\xe3\x65\xe7\xf0\x52\x30\x57\x84\xc8\xa5\x30\x87\x75\xd2\x8d\x81\x27\xe8\xd6\x63\x93\x4a\x2e\xa2\x2e\x99\xdb\x2c\xe4\x9d\x1e\xc1\x8d\xea\xa0\x43\x5e\x88\xd2\xa4\xad\x01\x2d\x76\xe0\x5e\x29\x3d\xda\x44\x9d\x60\x65\xd4\x26\x82\x6e\xec\xa6\x55\x18\x81\xab\x86\xfe\xc4\x3e\x56\x1b\xb5\x08\x14\xf3\x96\xae\x49\x52\x4a\x53\xee\x5f\xda\x17\xcc\xb9\x8f\xec\xc0\x24\x30\x8d\xa8\xc8\x2c\x64\x06\xf0\xa8\x68\x0f\xe3\x34\x82\x71\xb8\x2b\xf2\xe0\x38\xfb\x3b\x8f\x4d\xa8\x53\xe2\xff\xb9\xb7\x05\x44\xa4\x3a\x1b\xcb\xfd\xae\x88\x86\xb9\x9d\x06\xef\xf4\x16\xf5\x79\x43\xe9\x52\x15\x40\x24\x5e\x0c\x48\xb0\xe4\x36\xfb\x78\xaa\x59\x47\x83\x04\x4d\x3d\x8d\x58\x8b\x45\xf3\x2d\xeb\x9b\xc2\x8e\xbe\xa0\x81\x9e\x33\x09\x5e\xe0\x37\x6c\x55\x1b\x79\x5b\x7f\xd2\x60\xf3\xec\x2a\xeb\x2b\x49\x46\x96\x1c\x6b\x8d\x4b\x48\xd4\x9e\x56\x35\x57\x40\x36\xaf\xb2\x1a\xf4\xd3\x9d\x8a\xbd\xbd\x32\x4e\x1a\x72\xd1\xca\xbc\x31\x9f\x96\xf7\xe6\x4b\x50\x5f\xb5\x27\xb8\x03\x47\xf6\x84\xbd\xf7\x20\x7b\xc2\xa0\x17\x19\x05\xd7\x63\x48\xaf\xff\xea\x83\xc1\x6f\x78\xf4\xc3\x90\xda\x70\x10\x9f\x9d\x24\xaa\x0c\x00\x26\x72\xc5\xe8\xc6\x10\xff\x96\x67\x89\x80\xd8\x08\x70\xeb\x36\xb6\x4c\x8e\xe7\xa1\x29\x59\x11\x54\x70\x48\xc6\x46\x72\xac\xa0\xf7\xb1\xec\x4b\xa6\xbd\x1a\x46\xf0\x18\x02\x9f\x66\x69\x5d\x19\xa1\x14\x26\x33\x74\x41\xae\x27\x2a\xc9\x60\x83\xc8\x0b\x4a\x8a\x30\xc3\x10\x6c\xdf\xb1\x9f\x7d\xd4\x63\x13\xca\xc2\xe3\xbf\xdf\x0b\x7e\x4a\x1b\x78\x2c\x6e\x4b\x9b\x78\x86\x4d\x6b\x4f\x27\xda\x07\xab\x02\xc8\xd8\x41\x00\x7d\xac\x84\x89\x50\xd1\xa2\x52\x76\xa4\x43\x17\x56\x72\x5e\x0d\x0a\x7b\xa5\x2b\xb1\x77\xd4\x97\x3d\x12\x90\xbf\xe0\x05\x1f\xf7\x40\x40\xce\x5a\x6a\x0e\x07\xe8\x2c\xbf\x80\xf6\x43\x54\x3c\x90\xf7\x7a\x5c\x58\xc3\x04\xcb\xa2\x6c\x38\xa8\xf1\x00\xda\x55\x16\x45\x77\x48\x81\xd6\x62\xcd\xa8\xa0\x93\x1c\x14\x4a\x70\x80\x2c\xed\x01\xa8\xe1\x64\xb7\x48\xd3\x50\xf9\x84\x14\x17\xb9\x80\xbd\x2b\xf7\x45\x9e\x67\xb9\x33\xc4\x27\x11\xe9\x9d\x0e\xbe\xd3\x0e\x54\x1c\x35\x46\xfb\xd3\x8f\x7a\x36\x0e\xc4\xfb\xbc\xe0\xed\xde\xb9\x2a\xed\xb0\x56\x54\x91\x8f\x8a\x82\x6e\x9d\xd4\x0e\x72\xe3\xe9\xda\x6a\x7a\xef\xe1\x74\xc9\x5d\xea\x4c\x18\xc2\x79\x29\x43\x93\xc6\xa2\xb9\x82\x09\xf8\xa1\x6f\x65\x33\x97\x9f\x24\xad\x92\xcb\xcd\xff\xd4\xb7\x04\x3f\xe1\xb9\xcf\x76\x9f\xd9\x8d\x32\x45\x81\x56\x03\x81\x15\x28\xe6\x4f\x2e\x34\x28\x1b\xfb\x59\x0f\x5d\x2e\x88\xc9\x8c\xe2\x02\xfe\x6c\x8a\xbc\x44\xf1\x1f\x74\x5f\x06\xb6\xed\x92\xf7\x38\xd8\x8a\x0a\x8c\xe2\x6c\x9c\xc6\x9d\x5e\xe7\x92\xf7\x18\xd2\x3f\xa8\x17\xce\x81\xfe\xeb\xc7\xb1\xaf\x7a\x6c\xa2\x19\xde\xd5\x4b\xa3\x44\xf8\xff\xc3\xf3\xf7\xad\xf6\x4b\x11\xfc\xa4\x37\x3b\x83\xcf\xf0\x1a\x5e\x38\x75\x56\x05\x90\xf1\xd9\x19\xbe\x8a\xaf\x90\x2d\xda\xac\x24\x5b\x21\xdf\x02\xe1\xa6\x8b\x3b\x4c\x01\x39\xe9\x9a\x3d\x08\x38\x0f\xbd\xd4\xbe\x6a\x30\xc3\x42\x99\xcb\x6b\x25\xcf\xb2\xb2\x50\xdc\x81\x76\x8b\x83\x99\x81\x88\x3f\x47\x71\x73\x03\xfb\x16\x47\x71\x93\xc4\x45\x59\x07\xb4\x8b\x43\xfe\xc1\xb0\xcc\x3a\x71\x93\xb1\x59\xb6\x1f\xe6\x49\x5e\x48\x48\x20\xaa\x66\x69\x95\x67\x84\x22\x88\x80\xda\x16\xa5\xa3\x5f\x7b\xf7\x7e\x36\x74\xb6\xfd\xff\xba\x5f\xb1\x5d\x2f\xda\x7f\x77\xb5\x40\xda\xeb\xa8\xc6\x34\x46\x43\x69\x4c\x14\x4e\x78\x12\xaa\x37\xca\x06\xbf\x27\x5e\x73\x80\x29\x5c\xfb\x3e\x7d\x8a\x46\xf1\x96\xc8\x73\x82\xe8\x01\xb5\x5b\x01\x8e\x1b\x3c\xc9\x36\xed\x0a\xb2\x54\x40\x36\x90\x92\xf4\xd1\xc8\x36\x68\x6f\x29\xa5\x3f\xc5\x8a\xd1\x5f\x83\x62\x6b\x00\x72\x9e\xb7\xb1\x43\x43\x47\x47\x7e\x16\x70\xc4\x75\x17\x31\x45\x12\xd6\xb7\x06\xe1\x0f\xaa\x0e\xd5\x27\xca\xb6\x93\xc7\x9d\x30\xef\xf3\x82\xf8\xdf\xd5\xb0\x40\xd3\xc8\x40\x53\x9d\x5e\x47\x5e\x6f\x11\x20\xa6\x43\x5d\x85\xe6\x64\xcb\x0c\x06\x2c\xd9\xf2\xe3\xc7\x14\x10\xff\xf4\xb1\x49\x6c\xa3\x00\x7d\xcf\xd0\x56\x10\xcb\xa0\xdb\x0e\x57\x05\x18\x3b\x00\xe8\x3e\xcc\xe3\xc2\x20\x5e\xa5\x03\x74\xb4\xc1\xf9\x91\x8d\xe9\xc6\x6a\x98\xab\xa6\x36\xa6\x1b\xad\x2c\x9b\xe4\xf7\x89\xc3\x91\x71\x80\x03\x80\x8f\x12\xb2\x35\x25\xf1\xba\x38\xc9\x8f\xd2\x95\xc5\x8f\x88\x8b\x80\x8e\x6d\xfc\xfe\x26\xe5\xea\x4f\xdf\xaa\xa2\x71\x17\xc2\x70\x49\x14\xfc\xc8\xbd\x5d\x91\x2e\xb5\xe3\x56\x59\xe3\x73\x22\x2e\x30\xbe\xb9\xe2\x61\xb7\xaa\x79\xbd\xe3\xc7\x8e\x1d\x2b\x1c\x56\xfc\x93\x1e\xfb\x57\x71\x5a\x88\x66\x2f\x17\x4b\xeb\x71\x77\xf9\xcc\xd2\x05\x49\x40\xfa\xfe\x7b\xbc\xe0\xad\xde\xfc\xb0\x57\x8a\xec\x14\x7c\xf9\xcc\xd2\x48\xda\x83\x4a\x9d\x21\xe4\xce\x3a\x43\x86\xa5\x2f\xca\x3c\x4b\xd7\x12\xa8\xbb\x99\xf5\xf2\x70\x4d\xde\xb0\xfc\xfe\xac\xa7\x4e\x80\xb2\x59\x19\x0a\x84\xa0\x99\x6e\xb4\xdd\xd7\x21\xe8\x06\x73\xe1\xfe\xc9\x18\x7b\xfa\x6e\xb3\x63\x2a\xe1\xcc\x30\xdc\xaf\x1d\x53\xc9\x75\xe3\xa1\xac\x9c\xe2\xfe\x35\x2c\x95\x21\x76\x88\x95\x0a\x9c\xb1\xed\xf3\x91\xa5\xc8\x6c\xde\x78\xe3\x09\xcd\x08\x58\x6d\xa4\x71\x52\x23\xd0\x0c\xed\x90\x06\xd0\x40\x72\x46\x95\x90\xae\xe9\x94\x65\xa5\x52\xf8\x41\xf2\xfe\x91\xb2\x92\x8a\xfb\x36\x73\x2f\x20\x4d\x06\x92\xea\x22\xee\x74\xe5\xfc\x8b\x44\xce\x8a\x1e\x0e\xe9\x31\x54\x76\x8d\x66\x3b\x44\x4d\xc9\xaa\xe0\xad\x5e\xd2\x8a\x93\x44\xb2\xf5\xcf\x60\x07\xa9\x61\xff\x6c\x70\xe7\x05\xd3\x87\x8a\xdf\xe5\x20\x01\x6d\x70\x7e\xda\x4e\xfa\x14\x6c\x4c\x07\x36\x51\xfd\xca\x41\x56\xbd\xab\xfc\xdf\x3e\xa8\xe8\xe9\x2f\x1e\xbc\xe0\xbe\x53\x80\x59\xda\xb5\x45\x80\x6d\x43\xd1\x2f\xbb\x2b\x71\xaa\x12\x68\xc6\x25\x51\xb6\x06\xd7\xd1\xd1\x6b\x60\xc7\x03\xd4\xad\x94\x3f\x5f\xe4\xd9\x36\xe4\xa8\xd2\x8f\x41\x4a\x34\x9a\x04\x2d\xc5\x72\xfb\xc4\xe5\xe1\xc2\xea\x53\x88\x3d\xaa\xd9\x1a\x5c\x8a\xb0\x2c\x3a\x61\x92\xd4\x00\xcd\x24\x5c\x4d\xb4\x0a\x72\xfa\x58\x01\xb6\x12\x48\xd7\x93\xb5\xb8\x78\x5e\x2f\xd4\x3e\xac\x8a\xaa\xc6\x82\x72\xe2\xa8\xe7\x64\xfc\xa9\xde\xd6\x92\xcc\xf5\xc8\xa0\x0b\x23\x51\x5d\x0b\xd5\x4c\xd1\x46\xad\xd4\x13\x17\x3c\x80\xe3\x25\x09\x5a\x00\x36\x58\xdc\x5d\xc0\x90\x81\x86\x33\xcd\x52\xbb\x4c\xa5\x86\x42\x41\xb1\x41\x78\x28\xcd\x61\x22\x2e\xc6\xcd\x6c\x2d\x0f\xbb\x6d\xb4\x38\x37\x78\xf0\xb4\x81\x1a\x0a\x3b\x2c\x3d\xe4\xc1\x46\x40\x99\xfa\x64\x55\x98\x2b\x50\x27\xa3\x23\x05\x07\x2a\x81\x9f\x9b\xe9\xab\x6e\x92\x3e\xc9\x08\x4f\x21\x41\x1e\x93\x46\x17\xc0\x55\x80\xec\xa9\x94\xf4\x02\xf2\x94\xc5\xdb\xd2\xa9\x34\x4e\xad\x4a\x61\xef\x14\x84\xe4\x00\x2c\x1d\x85\xda\xaf\xf6\xf9\xdd\x33\xfc\x0e\x2e\x2b\xe3\x77\xe0\x4d\xc3\x8f\x20\xfa\xc8\xdd\x33\x48\x61\xd4\xfc\xc0\xb0\xd2\x8c\x17\xbd\x56\x2b\xbe\xa8\x39\x66\xf8\x14\x7c\x79\xbb\xed\x70\x52\xe3\x12\x00\x68\x1d\x5d\x56\xe9\x9a\x3b\x48\x1a\xa3\xd3\xc7\x06\x87\x14\x6b\x98\xa9\x96\xfa\xa8\xdc\xb0\xd4\xfc\x9e\xe4\x1b\xd3\xc7\x6a\x7c\xe3\x78\x8d\x6f\x4c\xcb\xff\x83\xb8\x0b\xbf\x8e\xc9\xbf\x4e\xd4\xf8\xc6\x09\x90\x80\xe5\xa3\xe3\xd0\x23\x2c\x07\x7f\x1e\xaf\xf1\x56\x96\x4d\xe3\x7f\x2b\xce\x62\x7f\x7b\x0d\xbb\x7d\x07\x5e\xe9\x28\x5e\x2b\x18\x75\xe0\x67\x10\x5a\xcd\x7f\xdf\x35\xc1\x85\x21\xcf\x2b\x06\x24\x17\x22\x05\x5c\xcf\x43\xbc\xc5\xb2\x34\xa5\x60\x3e\x8d\xb2\x44\x48\xf7\x6e\x14\xdf\xd5\xec\x41\x9b\x35\xfe\x05\xc5\x1a\xbf\xd5\x5b\x51\x0f\x57\x76\xc1\x1c\x5b\xed\x1e\xd6\x84\xf2\x11\xe1\x8c\xd9\x0f\x58\x57\xe5\x03\x63\xec\xee\xcb\x06\xe5\x57\x40\x82\x95\x0b\xf2\xbd\xde\x0a\x55\xbb\xb2\xd3\x2b\x92\x46\xdc\xe0\xa7\x50\x91\x61\x2a\xc8\x72\xbe\xd2\xcb\x93\x15\xed\x85\x60\xe9\x92\x18\x91\x20\x95\x56\x24\x36\x81\xb2\x56\xc6\x23\x72\xab\xa5\x3d\xdf\x77\x19\x0a\xdd\x50\x83\x7d\x7d\x82\x8d\xf7\xf2\xc4\xff\xea\x44\xf0\xa5\x09\x6c\x73\x2d\xde\x10\xca\x01\xdc\x98\x56\xad\x26\x21\x49\x9a\xce\x3e\x7a\x7e\xf1\x8c\x1c\x52\x87\x1f\x59\x01\x47\x01\x71\x72\x6a\x4a\xde\x71\x27\xe5\xed\x3e\xd5\x0d\xcb\xf6\xca\x64\x83\x9f\xba\x18\x36\x4b\xb8\x8d\x11\x3e\x0e\x5a\xca\xec\x31\x0f\x1b\xaa\xbc\x7b\x56\x64\x65\x2b\x76\x92\x3e\x98\x59\x04\x44\x52\x73\xaa\x66\xc0\x1d\xfd\x6d\x9a\x7d\x32\xcd\x50\x26\x3e\xe2\xa2\x30\x87\x56\x56\x94\x06\x29\x25\x17\x45\x96\x6c\x88\x88\x6f\xc4\x21\x70\xa2\xe0\xe4\x30\x77\x6e\x09\x46\x9d\x75\xac\x1d\x56\xa0\xae\xb8\xc6\x57\x90\xb7\x52\xcf\x57\xe4\x9d\x85\x3d\x85\xba\x78\x9c\xd6\xa9\x4b\x50\x51\xa8\x4c\x6c\x1a\x5d\x89\x27\x61\x1f\xef\xec\x8d\x38\x4b\x60\xd2\x27\x1b\x6a\xe8\x9d\xb0\x8f\x59\x58\x11\xaf\xc6\xb2\x95\x31\xb6\x60\x5c\xb1\xb0\x4e\x34\xb5\xac\x00\xf7\x83\x9f\xcb\x59\x9e\x3e\x7e\x4b\xe3\x58\xe3\x58\x63\x7a\x05\x9d\x88\xa8\x66\xb9\x77\xe2\x62\xbd\xaf\x32\xe3\xc9\x7d\x02\x79\xfc\x80\x0f\x80\xf8\x0a\x39\xcf\x79\x2f\x75\x76\x2c\xf8\x68\x25\x09\x19\xfe\xf0\x6c\xcb\x32\x61\x6a\x9d\x3e\x7c\x4c\x4e\xee\xc2\x8a\x7a\x91\x57\x59\xa1\x11\xfa\xf4\x21\x00\x0b\x15\xb9\x81\xa1\x89\x4a\x5e\x73\x88\xe5\x47\xe8\x8e\x72\x47\x49\x16\x1c\x73\x87\xd6\x50\x23\x12\x16\x08\xf7\xd7\xcb\x53\x2e\xc5\x3f\x70\x1f\x13\x9b\x4e\x06\x46\x81\x3e\x2c\xc6\xab\x27\x00\x75\x43\x70\x1b\x6c\x0e\xb9\x83\xe9\xc5\x5a\x4c\x94\x30\x50\x5e\x16\x41\x83\xb1\x19\xc4\x81\x89\x0b\x7d\x41\xe2\x85\x63\xa5\xd7\x25\x64\xb7\x30\xed\xab\x5b\x53\x61\x0f\xad\x02\xd3\xce\x43\xd9\x4c\x03\x58\x7b\x59\x56\x6d\x4c\xa8\xb8\xcc\x20\xe1\x1a\xcc\x5f\xbe\x1a\x97\x39\xf0\x5a\x58\x0d\x11\x0f\x7d\xf4\x9c\x5c\xa1\xa1\x1a\xa5\x49\x47\x2e\x07\x3c\x53\x96\x90\x3e\x0e\x3f\x97\x4d\x85\xa8\xde\xcc\x72\xc9\xba\xc5\x4d\x80\x79\xe1\x60\xe7\x08\xe4\x8b\x93\xb2\xf9\xcd\x2c\x8f\xee\x0c\x94\xa6\x49\x07\x24\x9c\xce\xc3\xb5\x0e\x48\xd0\x47\x82\x1b\x1a\x8d\x46\x80\xb0\x92\xcf\xeb\x89\xbc\x6f\x1c\xb7\xe5\xdb\xa7\xd0\x5b\xc2\xaa\xa4\x1a\x6a\xa4\xa7\x75\xa8\xf0\x67\xf7\xb1\xc3\x3b\xc4\xf0\xf6\x7f\x6a\x5f\x70\x76\xd8\x8b\x4a\x16\x26\xcb\x16\x66\x01\x8b\x4b\xf9\x31\xd4\x69\xc8\xc1\x6c\xa1\xe0\x4f\x2f\x79\x07\x0a\xb0\x0b\x3a\x57\xdd\x2f\x8e\xb3\x13\x84\x0b\xfa\xc4\xe0\xdf\x2e\xf7\xd1\xfb\xdf\xae\xb1\x69\xe1\xcf\x5a\x28\xff\x1e\xf3\x93\xb0\x28\x8d\x27\x02\x78\x0e\xbc\xe0\xca\x0d\x6e\x77\x9e\x09\x95\xa7\x04\x19\xdb\x68\xdc\xc6\x9f\x81\x60\xfd\x81\xaa\xe2\x58\x2c\xf3\x47\x83\xdd\xcf\x0e\x62\x92\x7d\xe1\x9f\x0b\x66\x66\x78\xbb\xd7\x09\x53\x48\x41\x0a\xfa\x33\x7a\xa7\xac\xd9\x72\xbb\x44\xa2\x0c\xe3\x44\xc5\x54\x41\x44\x9a\x6e\xcc\x19\xee\x69\x76\x00\xb3\x07\xaa\x9c\x61\x76\x2e\x41\xbb\xb7\x87\xc9\x30\x38\xa2\x9e\x33\x8c\x16\xc1\xbf\x2b\xb8\x89\xac\xeb\x06\x1f\x0d\xab\xa8\xa9\x5b\x63\x39\xef\x89\x1a\x3f\x1d\x26\x85\xa8\xf1\xf3\x29\x18\xd5\x9d\xda\xfe\xc6\x63\x93\x3b\x9e\x60\xff\xd7\x3d\xff\x90\x64\x3f\xea\x72\x8e\x83\x9f\xf1\x8c\x7b\xc6\x66\x1e\x76\xbb\xc0\x41\x64\x3d\xc9\x58\xc6\x1d\x01\x9f\xa8\xd4\xdc\xa8\xa2\x2c\xd0\x63\xb1\x29\x4f\x7f\x5e\xb4\xd1\x4c\x5e\x66\x04\x04\x96\x46\x80\xf2\xd5\xe0\xfc\x3e\xac\x0d\x89\x1a\x64\x58\x8e\x08\xb0\xb2\x03\x28\x9d\x84\x71\x15\x36\xcb\x2c\xef\xf3\x8e\x28\xdb\x1a\xb7\x06\x56\x40\x36\xdc\x0d\x9b\xeb\x98\x18\xa3\x85\xbe\x2a\x16\x88\xd0\x38\xbb\xe7\xf2\x45\xfc\xe1\x6c\x8c\xff\x8a\xf1\xe0\xb6\xea\x43\x1d\xa0\xe0\xb0\x34\xca\x3e\x29\x05\xe7\x66\x9f\x54\x38\xce\x51\xfa\xc8\x18\xbb\x91\x14\xef\xb5\xe0\x09\xa3\x6c\x9e\x74\x33\xdb\x23\x9a\xb5\x55\xee\x37\x07\x93\x46\xe1\x6e\x7d\xef\x68\xe0\x87\x54\xf2\x2b\x1e\xdb\x27\x57\xc9\xff\x80\x36\xff\xfe\x98\x37\xdf\xaa\xe2\xa8\xd9\x26\x57\xc5\x4d\x20\xe6\x74\x86\x79\x97\xf5\x05\xa5\x22\x3f\xca\x8c\xdf\x78\xe3\x09\x58\xbf\xd5\xb0\xb9\xbe\x29\x99\x20\x10\x39\xca\x78\x35\x4e\x40\x85\xb7\x22\x6b\x5d\xb1\xe1\x13\x29\xe9\xb3\x63\x67\x9e\xae\xdf\x7c\xd3\x4d\x27\x6e\x92\xec\x14\x99\x73\x27\x5d\xf1\xe0\xeb\x13\x4e\x96\x0c\xcb\x65\xa0\x15\xaf\x9d\x0d\xbb\x10\x4d\xf2\xe9\x89\x60\xd6\x79\xa2\xd8\x4f\x2b\x6d\x28\x21\x20\x5a\x71\xf4\xea\x83\xad\x03\xe7\xdf\x78\x90\xb5\x94\x73\xfc\xf7\x04\x5c\x83\x4f\x94\x16\x90\x8b\xae\xca\x75\xdd\x69\xb0\x1a\x3b\xba\xad\x85\x57\x7f\xbc\xe7\xa6\xb9\x8b\x98\x96\xf7\xd8\x31\x2d\x6f\xdb\x65\x4c\xcb\xda\xa3\x85\x14\xb4\xe7\xd9\xbc\x3b\xcf\xe6\x87\xbc\xf3\xdb\x7b\xe7\x1e\xf7\x8f\xa9\x08\x13\x87\x48\x6c\x15\x63\xf2\xd1\xab\x1d\x38\x62\x2b\x61\xa7\x0a\x2f\xf9\xb1\xab\x83\x4f\xed\xdb\x0b\xf1\xd8\x0b\xf1\x78\x64\x43\x3c\x7e\x7f\x0f\x3c\x6a\x2f\xfc\xe1\x1b\x78\xaf\x7e\x63\xe3\x8b\x9e\x43\xf1\x45\xf7\x6d\x01\x55\x3e\x48\x9b\x77\x1e\x5a\xf4\x90\xf7\xac\xed\xef\x8f\x5b\xfd\x9b\xaf\x28\xba\x83\xb1\x3f\x1a\x67\xc7\x46\xe3\xec\x2f\x9d\x3a\x13\xa7\xbd\x8b\xd5\x84\x07\xef\x1e\x0f\xbe\x67\xf8\xab\x47\x30\xdd\xc1\x2f\x8d\xb1\x90\xe0\xfe\xef\x0f\xce\x5c\x11\xdc\x3f\xe2\x58\x6f\x09\xf2\xff\x79\x8f\x5d\x5b\x08\x18\x9a\x1a\xed\x47\xbd\x1d\xa0\xd0\xd3\x74\xd0\x37\xc1\xab\x3c\xb7\x12\x85\x22\x1d\x29\x45\x5d\x58\xdc\x66\x9e\x39\x59\x11\x76\x88\x96\x58\x86\xc5\xba\x81\x4a\x14\xf5\x6e\x16\xd5\xf5\x8d\x39\x05\x96\xf1\xb8\xec\xc3\x23\x71\xb1\x9c\x62\x7f\xb1\x8f\x9d\xdb\x1d\x74\xd3\x80\x14\x7a\x69\xdf\xae\xa4\xd0\x4b\x9e\x91\x1f\x87\xb9\xee\x7d\x68\x9c\xdd\x41\x82\xe9\xcd\xc1\xe4\xa8\xc4\x8e\xca\xe7\x51\xa3\x26\xd8\xab\x79\xd6\x16\x51\xef\x0c\x4e\xa4\x3b\x15\x51\x87\x57\x77\x3f\xc1\x63\x3f\x3d\x98\x53\xaa\xc6\xd0\x98\xe3\x40\x43\x09\xcf\x1d\xf7\x6b\xa5\x8d\x55\x66\x15\x58\xa4\x66\x59\x31\x78\x7c\x4a\xc9\xc1\x0f\x6a\x39\xf8\x5d\x5e\x97\x0c\xb9\x76\x23\x8e\x7f\xf5\x0e\x1b\xda\x85\xa4\xeb\xf8\x31\x6e\x23\x50\x3b\x52\xf1\xff\x6f\x6c\xa8\x54\xbc\xd4\xcc\xba\x3a\x39\xa5\xff\xce\xb1\x20\x9d\x21\xf4\x8e\x82\x1e\x56\x53\x1f\xcc\x9c\x9b\x33\x8b\x83\x45\x0a\x27\x51\x2c\x21\xf3\x22\x34\x49\x5d\x5f\x87\x56\x7d\xb0\x92\xa0\x1d\x1d\x96\x57\xf2\x3a\xc0\x11\x39\x75\x51\xd6\x88\x20\x4d\xff\xc5\x0b\xee\x9c\x31\x40\x0f\xd5\xee\x99\xea\x20\x06\xdb\xc2\x1e\x31\xd0\x20\x8e\x94\x7d\x9a\xcd\xb1\xbb\xb6\x27\x21\x30\x00\xe5\x31\xad\xe6\x68\xd1\x34\xc7\x1e\x3c\xc4\xb6\x0a\x5b\xad\x26\xea\x07\xc5\xc3\x6b\x0e\x05\x33\xc3\x5e\x0c\xc3\x09\xad\x96\xdb\x5a\xed\xf0\x9b\x7b\x78\x7d\xbb\xe6\xfb\x5e\xa0\xf4\x36\x79\xf0\xdd\x43\xf5\x36\xd5\x25\x71\xa0\x0e\x9e\xcc\x6e\x63\x4f\xda\x71\x54\x73\xb5\xaa\x3d\xa6\x73\x17\x4c\xe7\x6f\xd9\xca\x9c\x0f\xef\x52\x99\xf3\x1f\x86\xe3\x93\x3c\x5a\x68\xd0\x0f\x79\x9d\xed\x59\xcc\xa7\xfa\xf7\x6c\xc7\x62\x0e\x23\x33\x43\xa3\x89\xff\x9a\xb9\x0e\x15\x43\xd2\xc8\xeb\xb0\xaa\xa1\x31\x7f\xef\x62\xc1\x3f\x8c\x6d\x59\xe4\x1b\x14\xfc\xa7\x93\x62\x99\xa0\xab\x38\xfd\x97\x1c\x12\x38\x2c\xdb\xf9\x25\xef\x90\x1e\xbe\x9b\xbd\x70\x2f\xf5\xfc\x5e\xea\xf9\xbd\xd4\xf3\x55\xeb\xea\x2a\x33\xe7\xc5\x3f\x1f\xdc\x63\xd1\x8e\xc1\xda\x1c\xc2\xa2\x76\x9b\x66\x90\xe9\xc8\xe3\xf6\x72\x5c\x55\x0f\x39\x88\x44\xda\xb2\xb3\x44\x09\xbb\x96\x30\xe0\xef\xc3\x87\x82\x65\x2b\x45\x78\xa8\x66\xce\xf6\x31\xd2\x59\xcf\xca\x0c\x13\x6a\xd4\x78\x27\x4c\xc3\x35\xf2\x5f\x4c\x8d\x3b\x8e\xd1\xb9\x5e\xf2\x0e\xe0\x1f\x0e\x3d\xf8\xf4\x04\xfb\x71\x8f\xd1\x1b\xff\x87\xbd\xe0\xe5\x1e\xea\x44\x87\x0d\xdc\x52\xe0\x52\xb6\xd9\x54\xae\x96\x9d\x4d\xbf\xc1\x67\xb3\x14\x32\x1e\x81\x77\x48\x3f\xeb\xe5\x80\x0f\x6a\x1b\xbc\xd1\x14\xac\xb4\xb8\xa8\xf0\x05\x3f\x4e\xd7\x29\xc9\x0d\xce\xf4\xd8\x81\x56\xb1\xdc\xef\x0a\xff\x57\xbc\xe0\xe7\xbd\xd3\x71\x22\x94\x6b\x5b\xbf\x6b\x26\xa2\xc1\x4f\x5d\x6c\xf0\x40\x5c\x2c\x6f\x0c\x6a\x3c\xb8\xd8\x2a\xe4\x3f\x69\xd9\x2a\x02\x9d\x20\x4a\x59\x96\x51\xa9\x8d\x91\x42\x3a\x78\xa8\x1b\x16\xa4\x15\x81\x73\x64\x52\xd6\x5b\x83\xb7\x9c\xf4\x22\x51\x8a\xbc\x13\xa7\xa8\xe7\xa0\x24\x53\x10\x5f\xaf\x7a\x97\x41\x50\x9e\x1b\x68\xff\x93\xe3\xec\x71\x69\x16\x89\x85\xde\x6a\x12\x17\x6d\xcc\xfc\xb0\x28\x5a\xfe\x0f\x8c\x5f\x61\x7e\x91\xe0\x33\x63\xe7\x86\x54\x38\xd2\xc3\x4e\xbe\x57\x4c\xa3\x65\xf8\x2c\x04\xf8\x1e\x6c\x0c\xf8\x42\x82\xdb\x0d\x7d\x6d\x6f\x03\x74\x05\x4e\x84\xd1\xfc\x73\xab\x1f\x94\xae\x4f\xde\x8b\xf2\xe9\xf9\xb4\xeb\x3c\x07\x07\x27\x27\x45\xed\x80\xe7\x90\x52\x12\xe9\x7c\xb5\xa9\x4a\x76\x83\x58\xc1\x04\x16\xa2\x6c\x00\x43\x07\x56\x20\xec\x16\xb8\x6a\x83\x03\x08\x14\xaa\x21\x6a\x2a\x7e\x60\x65\xd3\x01\xdf\x03\xd8\x04\x0d\xd6\x61\x13\xb9\x08\xa3\x7b\xd3\xa4\xef\x87\xc1\x92\x89\x00\x0d\xc1\x39\xa4\x8e\x08\x9f\x4e\x1a\x61\xb5\xcd\xd5\x71\xb0\x85\xf7\x56\x98\x14\x82\x1f\x91\x9f\x4e\x6d\xe6\x71\xa9\xcc\xd8\x2a\x3a\xe1\xd7\x3c\x76\xdd\x86\xe2\xe0\x80\x9b\x14\x80\x22\xfe\x2a\xef\x42\xe5\x29\xf0\x7f\xa2\xa0\x65\xa8\x2b\x8a\x28\xb7\x76\x57\xe4\x65\x2c\x2c\x00\x5e\x77\x47\x9b\xc5\x33\x47\x15\x4e\x29\x3e\x3c\x5c\xf0\x28\x6b\xf6\x3a\x5a\x18\x94\xe3\xd1\x91\x66\x4a\x50\x7b\x47\x05\x70\xc2\x22\x29\xec\xa5\x87\xd8\xad\xf6\xa6\x35\xce\xa9\xe0\xb9\x34\x6b\x7e\x2f\xc5\x6b\x72\xd3\x2d\xe2\x05\x02\xa2\xf2\xc7\x26\x82\xc5\x2d\x4b\x0c\xcd\xad\x31\xea\x03\x25\x3c\x0f\x95\x9d\xbf\xb2\x67\x33\xd9\xb5\xec\xfc\x06\x8d\x75\xff\x2a\x2f\x38\x19\x9b\x94\x1b\x97\xb9\x40\x97\xa1\xa9\xd9\xe9\x76\xda\x13\xad\xbf\x49\xd0\xec\x37\xb6\x17\x6c\x97\xfc\xa7\x6b\xc1\xd6\x59\xe0\xaa\x01\x65\x2b\xca\x50\x35\xab\x7c\xe9\x50\x05\x2f\xcb\x4d\x3f\xfa\xf4\x5e\x56\x86\x40\x73\xde\x77\x28\x38\x31\xf0\xd4\x85\x0d\x77\x5e\x43\x02\xc4\x11\x0a\xb9\x1f\x9c\x60\x1f\xd2\x67\xe2\xdd\x5e\xd0\x1d\x92\x86\xc6\xad\x4c\xe9\xf7\x2e\x37\x43\x13\x9a\x89\xa6\xd4\x56\xad\x3f\x4f\xd6\x56\x4c\xd9\x27\xe9\x38\x3b\xc6\x1a\x3b\xce\xc7\x0a\xdd\xd9\x3b\x35\x7b\x88\xb9\x7b\x88\xb9\x0f\xa3\xe7\xd1\xfd\xdb\x53\xbf\x9b\xfd\x1b\xeb\x96\x57\x91\x22\x76\x03\x24\xa9\x4a\xe0\x5e\x7f\xc8\xf6\xe1\xdd\x02\xaf\x06\xa8\xdc\x9f\x4c\x04\x87\xad\xdf\xc3\xae\x69\x7a\x3d\x9c\xb2\x7d\x64\xcf\xd4\xb0\x6b\x76\x29\x51\x37\x43\x33\xf8\x8e\xa1\xa6\x06\xb5\x02\x36\x15\xbf\x85\xdd\xc4\x4e\x8c\xa4\xe2\xa3\x57\x7d\x8f\x94\xef\x82\x94\xff\xb6\x4d\xca\x3f\xba\x4b\x52\xfe\x4d\x91\x6f\xf2\x21\x6f\x6d\x7b\x52\x34\xe7\xdf\xa5\x9c\x20\x2d\x5a\x31\xcc\x80\xa0\xfd\x20\xad\x0d\x48\xdc\x1a\x7b\xed\x21\x36\xbd\x8d\x6d\x41\xbb\xfb\x18\x83\xc2\xef\x4f\x04\xaf\xf4\x06\x9f\x6f\x6f\x45\x20\xad\xa0\x63\x02\x30\xc3\x54\xbb\xf7\x88\x13\x0f\xd4\x8e\xcb\xa2\xde\x95\x92\x33\x60\x3b\x80\xa3\x65\x5a\x81\xb6\x9a\x6c\x5c\xf2\x0e\xa0\x1a\xef\x92\xc7\xb0\x95\x73\xa0\x71\xbf\x9a\x7a\x01\x7a\x58\x87\x4a\xfe\xf0\x41\xf6\x01\x8f\x5d\x1d\xda\xda\xdf\xcb\xf2\x33\x1e\xa2\xfd\x5d\x0b\xaf\x50\xeb\xbb\x8d\xb2\x97\x1f\x01\x8d\xee\xf3\xa8\x9d\x49\xf6\x2a\x8f\x39\x23\xf3\xff\xe3\xee\x3a\x7e\xa7\x5d\xd9\x96\x1d\xa7\x9e\x56\x3a\xd4\x60\x67\x98\x35\xef\xfe\x1d\xc1\xb4\xf9\x35\x4c\x3f\x49\xd5\x8c\x52\xf2\xfe\x3f\x63\x6c\x42\xf9\x10\xf8\x7f\x36\xc6\xee\xbc\x92\x43\x1d\xae\x8a\x44\xa7\xf3\xff\xc9\x31\xed\x93\x60\x1c\xa1\xe2\x74\xad\xae\x02\x7b\x21\xde\x53\x85\x5a\x21\x09\xb0\xb6\x26\x38\x43\x19\xb7\x86\x61\x88\x8a\xfc\xbe\x36\x40\xc6\x69\x9b\x84\x73\x42\x60\xc2\xc1\xcd\xd5\x68\x2e\xd1\xc3\x34\x8c\x30\x24\x28\x4c\xac\x9c\x21\x74\x6b\x2a\xcb\x12\xc5\x1f\x6a\x5c\x7a\xad\x45\xd2\x05\x9a\x59\x57\x9e\x5a\xec\x44\x2f\x05\x25\xfd\x73\x7b\x45\x69\x55\x03\x6b\x51\x8d\x57\x5e\x0b\x31\xcf\x3d\xd6\xd3\x60\x0f\x78\x8c\x4e\x92\xbf\xc1\xee\xb9\x0c\x70\xca\xe9\xc6\xac\xdc\xbc\xc4\x62\x54\x75\x9e\x47\xc9\x6e\x47\x73\xaf\xc2\xdc\x22\xdb\x4f\x90\x78\x0b\xf6\xc0\x3e\xb6\x1d\x0e\xe6\x42\x16\x15\x0e\x49\xfa\xef\xe3\xc1\x25\xaf\xfa\xf4\x4a\x08\xd2\xce\xac\x8f\x0e\x85\x82\x30\xb0\x10\x93\xee\xd4\xbb\x79\x86\x39\xb0\x2d\x9a\x05\xe4\x09\x9b\x1a\x01\x0b\xfa\x83\x63\xdf\x2c\xb0\xa0\x2f\xf6\x18\x75\xd5\xef\x8f\x76\x0f\xdd\xa2\x17\xf3\x3a\x6a\x33\xb8\x55\x9d\x72\xf5\x08\x7b\x41\x93\x48\x2f\x57\xfb\x64\x5f\x00\xd8\x41\x3c\x5f\xec\xe7\x0f\x38\x8e\x96\x4a\x00\xbe\x2f\x4e\xa3\x6c\xb3\x58\x22\x7f\xbd\x59\x74\xd7\x53\xae\x87\xff\xb8\x3f\xb8\x77\xcb\x12\x6a\x32\x38\x95\x32\xca\x58\x65\xf5\x05\x5c\xaf\x5c\x40\x7f\xc3\xa4\xe2\x00\xf5\xa6\xfd\xac\xc3\xbe\x65\xad\x53\x84\xb3\xba\xc8\x52\x57\x20\xc5\x5b\x0a\x4e\xdf\x7d\x76\x69\x66\xf0\xcd\x30\xea\x27\x4b\x5a\xed\xc0\x71\xa6\xb0\x56\x87\x0c\xfe\xf2\x18\xbb\x26\xef\xa5\x33\xc5\xf9\x42\xe4\xd0\xcc\xcf\x8e\x05\x3f\x3a\xb6\xdc\x16\x5c\x3d\xe1\x66\x38\x26\xac\x99\x10\x83\x91\xaf\x1b\x30\x85\xd1\x16\x75\x15\xde\xb2\x08\xc4\xd3\x3a\x16\x7c\x48\xb5\x6e\x5c\x2c\x62\x07\xb1\xa0\xc1\xcf\x5a\x51\xdc\x44\xf8\x16\xb2\xa8\x32\xf9\xa0\xf1\xa7\xb7\xab\x59\xd9\xe6\x95\xf7\x88\x82\x34\xf0\x99\xce\x63\xd6\x13\x6e\x9f\xaa\x9f\x97\xe1\xba\x00\x7c\xac\xa6\x9c\xcf\x0a\xb4\xe4\x9f\x7a\xcc\x1f\x5c\x31\xff\x33\x5e\xf0\xeb\xde\xe0\x7a\xc9\xb5\x42\xc8\x0e\xbd\x4a\x26\x63\x9e\xf2\x18\x3c\x62\xf1\x7e\xed\xde\x6a\xa3\x99\x75\x2c\xf5\x4f\xbd\x88\xd7\x8a\xa9\x4d\xda\x60\xb2\xe9\x49\x1e\xa7\x89\x16\xb7\xc0\xc5\x14\xb0\xbb\xb6\xd8\x0a\x72\xaf\x68\x57\xbd\x11\xdb\x0a\xac\x30\xce\x58\x7f\xfc\x80\x13\xe3\x02\x11\x17\xe0\x29\xd7\x16\x51\x4f\x9e\x54\xff\x81\x03\xc1\xb2\xf9\x39\x90\x5e\x4d\xbf\x68\x66\x69\x51\xe6\xa1\xc6\x43\x95\x55\x69\x14\x3b\x64\xdb\x16\x7b\x69\x19\x77\xc4\x6c\x12\x16\x95\x63\xf2\xc6\xfd\xec\x8f\xc7\xd8\xd5\xf2\x1b\xed\xba\xf8\xf9\xb1\xe0\x17\xc6\xec\x27\x20\x47\x15\xae\x8f\x31\x79\x8f\x2b\xcb\x7f\x96\x52\xbb\xf0\x96\x1a\x47\xe1\xc5\x69\x5c\xee\x9d\xc2\x4e\xa8\x6e\xbf\x05\xa4\x1d\xe5\x53\x40\x23\xc4\x8b\x0f\x43\x52\x30\x2d\x9a\x85\xf9\xa8\x48\x10\xc2\x28\x38\x55\x39\xfd\x07\x00\xf8\x7c\x4d\x44\x0a\xa4\x06\x71\xc3\xc5\xc5\x18\x43\x2c\xed\xc2\x0d\x3e\x93\xa2\xf1\x29\x89\x9b\x25\x65\x77\x6b\x86\x3a\x5e\x3e\x53\xe0\x5e\x28\x05\xe3\x36\xd7\x1b\x6f\x4b\x13\xce\xcf\x8d\xb1\xab\xca\x2c\xd1\x39\x27\xdf\x3c\x16\x7c\xd0\xb3\x1e\x20\xc8\x60\xb7\x8b\x10\x62\x47\x00\x64\x17\x0c\xf4\x51\xaf\x9b\xe0\xdd\x38\x09\x46\x43\x3b\x39\xbd\x01\xf7\x72\xc6\x1f\xf5\x40\x1a\xd5\x1d\xab\x71\xd1\x6a\x89\x66\x19\x6f\x88\xa4\xcf\x7b\x69\x9c\xa5\x4a\x34\x95\xc7\x3d\x6b\xa9\xf5\xc3\xee\x98\x1d\x2d\x07\x4c\xe0\x36\xd5\x7d\x64\x84\xe9\x29\x56\x67\x4f\xdc\x1e\x4e\x57\x0f\x75\x87\xf8\x80\x2f\x3b\x64\x03\xa7\x6f\x15\xe6\xe0\x04\xfe\xf8\x9f\x9e\x08\x7e\xd3\xab\x04\x03\xe9\xbb\x95\xc2\x8b\x2a\x86\xd8\x44\x80\xbd\x4e\x5d\x7f\x60\xed\xcf\x36\x53\x93\x3c\x11\x90\x7a\x9c\x27\xfa\x10\x10\xf7\xa1\x83\xa8\xd0\xed\x3a\x54\xdc\x13\xac\x67\x5a\x42\xd8\xd3\x6a\x35\xe1\x60\x8d\x17\x19\xc5\x4f\x01\xf0\x81\x55\x01\x12\x8d\x4b\x9e\xa5\x1c\x72\xe1\x60\x2f\x79\xe3\xbd\x38\x72\x73\x4d\x1c\x60\x09\xf9\x6d\x44\xc1\x7d\xe7\x06\x61\x7d\xcb\x01\xc9\x78\xb8\x42\x5c\x5e\x2f\xf5\xb5\x5e\x1c\x89\x29\x03\xed\x50\xdc\x00\xbd\xb3\xe9\x58\xcc\x64\x1f\xfc\xd5\xe0\xfc\xf9\xf9\xb9\x87\xb7\xad\x5e\xec\x2a\x0f\x6e\x71\xd4\x64\x93\xc1\xe3\x6d\x58\xb1\x6a\xcb\x8e\x07\xfa\x18\xf3\x57\x93\xac\xb9\x0e\x5b\x62\x4e\x24\x02\x5c\xb2\x3e\x30\x16\xfc\xd4\xd8\x7c\x8b\x97\x10\xd5\x3f\x73\x6e\x4e\x5e\x99\x10\xf1\x26\x8b\xe9\xd8\xb8\xa0\x95\xe5\x62\x0d\x02\xf1\xd5\xa7\x01\x6f\xc5\x69\x98\xc4\xcf\xd7\x00\x37\xe6\xb3\xa6\xd6\xbc\x44\xb2\xb4\x42\x48\x80\x38\x3f\xd1\xaf\xd3\x1d\x59\xca\x79\x91\xa7\x29\x51\xfa\x3b\xb5\x4f\xe1\x47\x27\xdb\xb0\x72\xfd\x19\x23\x77\x83\x2f\x67\x70\x5e\x4b\x6d\xdb\xaf\x29\x6c\x8d\x54\x88\xa8\xe0\x01\xb6\x1a\x68\xf8\x0f\x33\x37\xd0\xbf\x1a\x62\x4c\x6e\xc6\x85\xe0\x37\x1e\x3f\xce\x8f\x9c\x4f\x89\xc5\x00\x7f\xb9\x53\x28\x22\x6a\xc9\x23\x17\x65\x2f\x4f\x45\x05\xee\xef\x02\x63\x04\xf8\x96\x88\xdc\xbf\x27\x38\xa9\x67\xb1\x32\x18\x37\xf8\x0e\x7c\x69\xe8\xca\xa2\x8f\xdd\x7a\x7f\x58\x21\x01\xbf\xd2\x0b\x1e\xd0\x48\xc0\x5b\xee\xa8\x47\x49\x71\xf5\x33\x87\xd8\x77\x6f\x15\x3e\xbe\x90\x67\xcf\x45\x8d\xaf\xff\xc0\xa1\xe0\x7f\x8f\xcd\x44\x61\x17\xbc\x8c\x4c\xa0\x7b\x9c\xc2\x45\xd6\xc5\x92\x22\x52\xae\x0c\x88\x0f\x53\x65\x35\x88\xef\xd6\x9f\x1f\x2e\xf8\x9c\xe4\xea\xd0\x9f\x43\x2d\x8f\x71\xec\x03\x84\x97\x6a\xdd\x92\x06\x81\xcf\x8c\xe5\xed\xb8\x2e\xfa\x85\xa2\x58\x56\x8d\xb4\xd9\x21\x83\x05\x1c\xf2\x9a\xc2\xe4\x91\x8f\xd1\x04\x2d\x12\x70\xd6\x07\xa1\x98\xe2\x52\xe9\x46\x35\x22\x2e\xa6\xf6\x80\x61\x40\x4b\xe0\xe3\x52\xb6\x1d\x94\xd3\x92\xd0\x27\xf1\xb0\x37\xc3\x04\xaf\x78\x74\xf8\xe8\x84\x5d\xd5\x7b\x52\x96\xca\x16\x14\x1a\x88\xf2\x04\xea\x48\x7e\xc9\x85\xdc\x3f\xc0\xde\xb1\x4f\x29\x82\xdf\xb2\x2f\xf8\xc3\xf1\x2a\x64\x17\x48\x8b\xe6\x0c\x76\xc3\x38\x1f\x32\x11\x83\x90\xca\x66\x09\xcd\xb4\x67\xfa\xee\xa7\xbd\x6d\x26\x3c\xc4\x49\xdc\x04\x4f\x54\xdb\x73\x6e\x5d\xf4\x09\x8b\x18\x96\x5a\x3d\x86\xde\x20\xdf\xed\x22\x43\xc8\x2b\x51\x44\x38\x8d\x5b\xb4\x6c\xf8\x6d\x98\x68\x54\xd3\xf7\xd2\x81\xaf\x89\x2a\xd1\x96\x81\x06\x43\xe8\x93\x8d\x2e\x4f\x3e\x58\x84\xc1\xa3\xfd\x3a\x71\x96\xf4\x44\xd4\xec\x21\x17\xa2\xec\xd1\xd4\x00\xee\xb3\xda\x37\xa8\x3d\xe9\x84\xf9\xba\x88\xb4\xf7\x51\x83\x2f\xc8\x4e\xea\xab\x33\x17\x49\x08\x7e\x51\xca\xb6\x20\x9b\x55\x92\x9f\x6c\xe4\x70\xa3\x71\x18\x43\x8f\xb2\xdc\x06\x1a\x94\xcf\xaf\x00\xef\xe1\x69\xa2\xbf\x9c\xc9\x2e\x48\x11\x1e\xef\xc9\xef\x0d\xb2\x1d\xdd\x93\xdb\x59\x8e\xb3\x0d\x91\x6f\xc4\x62\x73\x8a\xf4\xb6\x75\xd9\x4f\x85\xf2\x3e\x05\x67\x6a\x6a\xf0\xfe\x5c\x62\x13\x6a\x6e\xfc\xbb\x83\x27\x2d\x11\xba\xef\x66\x5b\xa8\xc8\x6a\x1b\x2b\x23\x07\xd0\x4c\x58\x53\x35\x83\x84\x83\xee\xd0\xd1\x9f\x1a\x63\x37\x0c\x19\xfc\xb9\x2c\x12\x58\x19\xf9\x44\x3e\x30\x16\xf4\xaa\x0f\x2d\x41\x43\xfb\x48\x12\x77\xe8\xba\x64\xb9\x98\x6a\x45\x6f\x15\xcf\x8f\xc5\xb6\x2a\x51\x74\x52\x77\x16\xe0\xc7\xe3\x64\x48\x8a\x90\xa6\x1a\xa4\x9f\xec\x20\x31\x83\x9e\x92\x6a\xef\x83\x86\x45\x70\x07\x7c\xf4\x42\x70\x97\x3b\x5c\x98\x29\x65\x7f\x74\xc0\x49\x11\x32\x5a\x55\xb2\x8c\x7a\xb6\xf7\x1f\x08\x42\xfb\x81\x63\x9e\x23\xa2\xad\xcc\x65\xa4\x36\xa6\x9f\x59\xae\x9f\xf4\x2c\x97\x6f\xd4\x62\xba\x2a\x42\x02\x88\x72\x66\xe9\xc3\xfb\xd9\x03\x1e\xdb\x0f\x95\xf9\x9b\xbb\xd3\x20\xdf\xba\x61\xab\x8e\xed\x5e\x6f\xa7\x39\x7e\xc3\x18\xf3\xc3\x41\xef\xf6\x17\x69\xef\xf6\xaf\x7a\x83\xaf\xb7\x6a\xe8\x9b\xc7\xab\x7d\x16\xf5\x6d\xb0\x9f\x93\x3e\x45\x11\x42\x3a\xe8\x4a\x9f\x2c\x97\x6b\xc7\x4d\xfd\xfd\x55\x0b\xc5\x4f\xee\xd2\x42\xd1\x1a\x66\xa1\xd8\xc1\x24\x5e\xae\x81\xa2\x49\x78\x63\xcf\x0a\xce\x81\xd3\xaf\x15\xa6\x68\xd3\x21\xaa\x16\x8a\xc4\x05\xb7\x16\xb8\x86\x49\x19\x60\x8f\xdb\xbe\xf4\x36\xa1\xfb\xab\x27\xb0\xfa\xd6\x89\x29\x97\xf0\xd1\x6c\xd8\x0d\x9b\x71\xd9\xf7\x3f\xfc\x84\xe0\x4b\x07\x07\x9f\x2b\x1f\x4d\x5a\x4a\xc9\x0d\x64\x2d\xa0\x41\xb3\x4b\xf3\xfc\x6e\x51\xea\x82\xcd\x30\x49\x1a\x80\x73\xac\x72\xc4\xa8\xaa\xa4\x00\x4b\xcc\xaa\x0b\xe2\x66\x22\x47\x9a\xaa\x16\xe4\xac\xc2\xbc\x8c\x9b\x3d\x74\xc3\xef\x66\x49\xb6\xd6\xe7\x85\x00\x5c\x3a\x3b\x23\x88\xd2\xd5\x13\x08\x37\x60\xf7\x22\xd0\x2f\x2a\xaa\x32\x04\x21\x49\xcb\x38\x2c\x05\xa0\x04\x2e\x48\xf9\xa5\x90\xfc\x00\xfa\xa2\x16\x0d\xc6\x2c\x64\x66\xec\x23\x24\x1b\xc1\x28\x4e\x0e\xc0\xe5\x05\x21\x97\xd7\x9d\x11\xf1\x40\x59\x43\x02\x90\x5e\x82\xe9\xe3\x27\x6e\xe4\x77\xc7\x77\x05\xd6\xb8\xe2\x94\x07\x6a\x08\x0d\xf7\x3e\x7b\x7e\x96\x8a\x27\xf7\x8a\xba\x08\x8b\x72\x3a\x18\xa8\x1c\x20\x1d\x8b\x42\x57\x7e\x6c\x58\xd5\x6e\x8d\x2a\xf7\xda\x93\xd7\x01\x10\x25\x5c\x6d\x4e\x1f\x3f\x11\x20\xc7\x8b\xd0\xc0\xc8\x96\xe6\x42\x00\x80\x32\xee\x56\x84\xc4\x06\x56\x31\xcd\xac\x85\xb0\xf1\x44\x30\xf3\x8f\xc2\xd5\x6b\x66\x9d\x55\x4a\xda\x28\x27\x25\xcd\x94\x88\x0e\x2a\x9e\x82\x98\xd4\x5e\x5c\x52\x50\x10\xad\x20\xa8\xb1\x71\x8c\xbc\x89\x6a\x23\xc9\x09\xd4\x09\xe5\x37\x75\x6b\xa9\xf1\x55\xe2\x42\xed\x2e\x81\xf9\xe6\xf2\x3e\x79\xbe\xc8\x33\x9c\x83\x6e\x9e\x45\xbd\x26\x65\x09\x04\xac\x62\x95\x15\x46\x2e\x79\x24\x9a\x71\xa4\x30\xdf\xc2\x6e\x37\xcf\x42\xe4\xcd\xd0\xac\x44\xc3\x41\x01\xa2\x0f\xca\x23\xb9\xe5\x7a\x96\x3a\x12\xf0\xd8\x94\x26\x2d\x57\xf2\xed\x90\x33\x05\x70\xc6\x2d\x11\x4a\xb1\x88\x03\x10\x79\x5c\x70\x91\xca\xfa\x23\x52\x4f\x00\xca\x81\xed\xa4\x9e\x49\x09\x07\xd8\x50\x35\xb8\x7a\xb8\x09\x58\xcb\x46\x39\x09\x13\x3f\xbb\x34\x8f\xc1\x0f\x8d\x4a\xb3\x8d\x4b\xde\x75\x85\xb5\xc7\xce\x55\x03\xe5\xff\xfb\xb7\xb0\xdf\x24\xf5\xe4\x32\x2d\x9a\xff\xfe\x87\xc3\xc2\xf8\x7f\xbc\x73\x56\x9d\xfa\x12\xc7\xa9\x46\x4d\x18\xe6\x7e\x68\x36\x85\xf1\xd0\x57\x7b\x45\x6e\x3e\x2c\xaa\x97\x75\x13\x42\x2e\xd0\x9d\x5b\x47\x44\x80\x61\xcf\xfe\x50\x61\x5b\x42\xad\x80\xcc\x09\xca\x81\x30\xed\x23\x83\x55\x89\xd4\x90\xf5\x80\x87\xfe\x40\x2d\x03\x35\x00\x83\x1f\x89\x01\xb7\xff\xb8\xd3\xe9\xd1\x36\xf9\xec\x18\x1b\x98\x6d\xff\x97\xc7\x82\x77\x83\x8d\xc2\x36\x79\x38\xe7\x5e\xe3\x00\xaa\xe1\x99\x41\xdb\x69\x91\x14\xc4\x7e\x47\x88\xd2\xa8\xc3\x9c\x90\xf2\xd0\x35\xae\x84\x6e\x3b\xca\xa1\x40\xf2\x88\x34\xe8\xb9\x73\x4b\x92\xb1\x8c\xb2\x4e\x18\xa7\x93\x14\x8d\x10\xea\x38\x84\x34\x03\xf0\x25\x91\xeb\xd3\x36\x62\x77\x1b\x08\xa3\x6c\xb5\xc8\x20\xaa\x02\x8e\xbe\x06\x0d\x20\x8d\x8b\x3c\x36\x92\xc1\x06\xe0\x8e\x2c\x1f\x3d\x97\xf6\xc5\xb6\xe7\xbe\xb5\x4b\xf7\xad\xcf\x8c\xb3\x09\xb5\xa5\xfc\x07\xc7\x77\xc7\x33\xbd\x74\x7c\xd6\xa2\xb4\xc6\x2a\xa5\x37\x2f\x51\x46\x8b\x8e\xc5\x29\x2c\xba\xc5\x39\x2c\x42\x6c\x5c\xa1\x6e\x19\xe7\x0d\x3a\xd8\xa3\xd6\xdd\xbe\x47\x2c\x24\x5a\x42\x61\x29\x09\xbd\xa2\x9b\x8b\x8d\x38\xeb\xd1\x46\x2a\x14\x20\xb0\xe8\xc8\x2e\x83\x19\xab\xa9\x59\xcf\x23\xb2\x5f\x60\x56\x9a\x6e\x1c\x9f\xd4\x49\xae\xc2\xe2\x24\x98\x38\x06\xd9\x13\xc0\xc2\x5e\xed\x43\x9c\xac\x0a\x95\x23\x32\xa1\x32\xe7\xda\x1e\x04\x10\xa3\x05\xfb\x72\x83\xd8\x8d\x0a\xad\x0a\x4b\x47\x33\xee\x74\xae\x97\x9a\xf6\xc1\x24\x00\xf8\x36\x11\xf0\x22\x70\xa9\xe9\x5e\x35\xf6\xbc\xe4\x76\xa1\x6c\x7c\xff\x3e\x76\x7d\x27\xbc\x18\x77\x7a\x1d\x0a\x61\x8c\x9f\x2f\xfc\xb7\xec\xdb\xdd\xc9\xf8\xf2\xf8\xd9\x6a\x9d\xdf\xd4\x47\x04\x75\x84\xea\x04\x14\x90\xad\xc3\x3a\x1d\x37\x36\x8e\xa9\x0b\x25\x91\x22\x51\x51\xf2\x42\x0e\xc9\x86\x40\x82\x5d\x0f\xfc\xfb\x2c\x6c\x55\x1c\x39\x75\xb0\xa1\x36\xeb\x73\xf2\x30\x5d\x13\x0d\x15\xf4\xf6\x1c\x38\x4d\x44\xf5\x0d\x8a\x93\x8e\x0d\xd5\x89\x0a\xe0\x82\xb3\xc6\x04\xbd\xc9\x0a\xb8\xc5\x07\xe7\x83\x12\xbf\x38\x81\xb7\x24\x86\xe3\xa5\x6f\x39\xd7\xcc\x2c\xcc\xcb\xb1\x2b\xc1\x73\xd1\x86\x79\x59\x54\x1b\x18\xc6\x45\x7d\x6a\x26\x61\xdc\x69\xb0\x37\xed\xb3\xdc\x2b\x5f\xbd\x6f\xb7\x88\x61\x9f\x1a\xdf\xca\xc1\x52\x33\x0d\x52\x1a\x48\x33\x5b\x44\xea\x88\x30\x05\x07\xa7\x79\x63\x24\x03\x68\x1e\xe7\x42\xe7\x47\xa2\xac\x2c\x0c\x4c\xf7\xf1\x9b\x4e\xf0\x66\x3b\xcc\xc3\xa6\x9c\xce\x49\xb0\x75\x88\x14\xd2\x76\x2b\x1e\xc4\xa0\x0c\xda\x06\xda\xb2\x4d\x89\xb3\x6c\x30\xc7\x6c\x30\x0f\x81\xc9\xd0\x64\xd4\x12\x08\x4f\xde\x2c\xe2\xa2\x59\xbf\xbd\xd7\x8b\xa3\x3b\x6a\x52\x5a\x14\x29\x59\x41\xe5\x08\x29\x7d\x63\x2e\x64\xc5\xa2\x4e\xbd\x87\xb1\x23\x17\x28\xd2\xa8\x30\xfb\xa2\x97\xc6\xcf\xeb\x39\xc7\x07\xf1\xd4\xd8\xbd\xc4\xdb\xc3\x10\x94\x99\x2f\x6a\x30\xf6\xa8\xf9\xaa\xae\x6f\xef\xab\x7a\x8f\x7f\x7a\x07\x80\x6b\x15\x0e\x6b\x28\x16\xc6\x57\x0f\xb0\x7f\x37\x0c\x0c\x48\x34\x9b\x59\xa7\xbb\x90\x67\xad\x38\x11\xfe\x6f\x1c\x08\x5a\xee\x23\xcd\x32\x81\x9d\x7e\x4a\xfb\xc2\x40\x66\x0e\x28\x28\xaf\x31\x28\x49\xd9\x67\x0b\xca\xe1\x97\xa5\xc2\xbc\x22\x9d\x8d\x01\x43\x1b\xa6\x55\xfb\xff\xef\x63\xef\x1a\x63\xd7\xe9\x6c\x05\xaa\x57\x97\xc6\x82\x1f\x18\xab\x3e\xb5\x5c\xd4\x42\xdd\x8e\x22\x50\x70\x1c\xe1\x89\x05\x75\x69\xb1\x98\x90\x08\x84\x92\x19\xe1\x97\x96\x0f\x85\x06\x3b\x8b\x9c\xaf\xcb\x8c\x6f\x66\xf9\x7a\x43\xa7\x47\x0a\x41\x5d\x21\x90\x7a\x74\xc3\xb2\x5d\x33\x1a\x74\x62\xfe\x08\xf7\xf3\x70\xc1\xad\x4a\xab\xf3\xa6\x82\xde\xa9\x66\xed\x73\x21\x00\xc3\x41\x69\x78\x82\x33\x6a\x02\xdc\x8c\xbe\x6f\x1e\x23\x85\xd1\x7f\x19\x0b\x5e\x36\x86\xa5\xf5\xcc\xe0\x89\x58\x27\xdb\x5d\xb5\x61\x65\xc7\x40\xc9\x01\xb3\x79\xc6\x91\x71\xe9\xca\xc5\x49\xc6\x74\xb3\xbc\x7e\xc5\x13\x4d\xae\x0a\x0a\x33\xbb\x5e\x71\xab\xca\xf1\xb5\xb6\x27\xe9\x5d\x53\xa9\xe6\x7c\x0a\xb3\x28\xdb\x05\xb5\xc2\x60\x39\x35\x12\x27\x3c\x25\x67\x8f\x75\xce\x19\xf8\x5b\x14\xfe\xb3\xfc\xfb\xeb\x90\x6a\x2d\x8f\x3b\x71\x2a\x45\x8c\x93\x30\xd9\x8c\xd3\xc5\x57\x2f\xb3\xba\xf5\x5e\xdc\xd5\x3f\xc9\x38\xe7\xbc\xba\x13\x4f\xf2\x33\x95\x27\x8c\xfd\x89\xcf\xbe\xcb\x3a\x6e\x90\xd1\x6d\x43\x92\x78\xa5\x62\x3b\x45\x6c\x91\xff\x11\x3f\x38\xad\x7e\xd8\xca\x3e\x0d\xf1\x92\x64\x6b\x60\x96\x0b\x56\x31\xff\x72\x00\x2a\x19\xb8\x80\x08\x0a\x86\xb0\xe4\x2e\x79\x87\x28\x15\x88\x70\xc3\x5a\xbe\x78\x3d\xfb\x21\x8f\xed\x6f\xc7\x69\x59\xf8\xaf\xf0\xd8\xad\x23\x55\xfa\xa3\xfb\x79\x8f\xfc\x38\x38\x07\x75\x0c\x4f\xf3\x69\xc1\x08\x00\xf5\x6d\x67\x9b\x80\xd2\xa0\xc6\x66\x56\x49\x29\x46\x1a\xec\x53\x63\x6c\x42\xa9\xa5\xfc\x5f\x1d\x0b\xde\x33\xa6\x7e\x69\x69\x4c\x7d\xef\xc8\x7f\x36\x4b\x01\x39\x9e\xa0\xc2\x1c\x2c\x9d\x26\x21\x35\x66\x07\x95\xb3\xd4\x8b\x8b\xb6\x9d\xa9\x5a\x32\xa7\x60\x81\xc4\xab\x0a\x31\x71\xe2\x14\xae\x44\xb8\x0c\x26\xe5\x61\x4c\xca\xb8\x9b\x08\xeb\x3b\x3c\x4e\xca\xfb\x08\x58\x0e\xdd\x5f\x77\x78\x31\x26\xed\x6a\xf5\xd2\x35\xd0\x0b\x60\x0b\x1d\x55\xe5\x8c\x4a\x08\x89\x6d\x4e\x1a\xa2\x02\x39\x29\x21\x7d\x19\x32\x69\x45\x01\x9d\x02\x85\x09\x3f\xb2\x78\x7a\x96\x4f\x4f\x1f\x3f\x31\xa9\xb2\x25\x55\xdd\xbf\x7f\xcf\x63\x13\xf2\x08\x82\x3a\xe1\x93\x5e\xf0\xcb\x9e\xfa\x55\xc5\xbb\xb3\x55\x0c\x84\xdc\x5c\x94\xda\x13\xac\x32\xeb\x15\xc1\xc5\x00\x42\x98\xb9\x81\x53\x61\xec\x3a\xce\x72\xd1\xe7\x4a\x85\xa5\x2f\x67\xb5\xb9\x96\x92\xb8\x29\xce\xa9\x8e\xda\x9a\x2f\x67\x70\xaf\xf6\xd8\x21\xd4\xb8\x2f\x8a\x96\xff\x22\x8f\x1d\xdb\xd6\x36\x55\xf5\xa6\x3e\xa7\xbf\x1f\x6a\x91\x1a\xf0\xa9\x46\x66\xc7\x99\x3a\x7b\x76\xd8\xd7\x0e\xb0\x09\xc5\x56\xfb\x7f\x74\x20\xf8\xd8\x01\xcd\x64\x9b\x5c\xd7\x3a\x8b\x8b\x7e\xb7\xd5\xb9\xb1\x85\x26\x95\x34\x6d\x5d\xf4\xa7\x8c\xa1\xbc\x50\xf9\x13\xa1\x16\xf3\x15\xba\xda\x63\xcd\x8d\x87\xc1\x4c\x4a\x3e\x86\x5a\x31\x87\x22\x5e\x33\xe9\x41\x0e\x3c\x12\x8a\xe4\x1e\x9a\xbe\xb9\xda\x43\x95\xd5\x12\x4b\x93\xea\x95\x14\x6e\x80\x67\x65\xc0\x1a\x8c\xea\x79\x53\x24\x09\xe1\x63\xad\x8b\x7e\x71\x92\x1f\xe5\xc3\x35\xd8\x27\x2d\x41\xc9\xf5\x54\x77\xc9\x07\x5e\x47\x8c\x5b\xae\xa9\x9a\x1c\xc5\xb8\x65\x4b\x64\x04\x62\xad\xd1\x31\x72\x90\x23\x1e\x30\x8e\x57\x1b\xcc\x49\x83\x1d\xe5\x5b\xa8\xed\x47\x77\x4f\xbe\x35\x9d\x61\xfc\x8a\xbb\xb3\xb3\xce\xe4\x62\x0d\xb8\xc0\x51\xdd\xc1\xf7\x0f\x7f\x87\x5c\x4d\x5d\x24\x4f\x0f\xd4\x04\x34\xcd\x78\x33\xa1\x9a\x2f\x4e\x79\xab\x07\x07\x3e\xec\xc6\x3a\xcf\xde\x96\xbe\x9b\x7f\x39\xc6\xcc\x55\xe7\x7f\x79\x2c\x78\xcb\x98\xfe\x39\xf4\xe2\xa8\xba\xf4\xe8\xee\x85\xc0\xeb\x97\x22\xef\xe6\xe0\x1e\x16\x36\x9b\x59\x1e\x59\xa9\x96\xdc\x41\x3a\x04\x4b\x25\xde\x82\xb4\x40\xe8\x1f\x88\x68\x23\x70\x13\xc1\x11\x45\xf0\x20\x1e\xc5\x2d\xf4\x63\x00\x06\x03\xfa\x60\xfa\xab\x71\xb8\xd0\x29\x1b\x37\x6e\x9c\x73\x79\x0c\xa4\x54\x0c\xa8\xa7\xb1\x56\x26\xab\xa3\x0f\xa6\x16\x95\x0d\x19\x98\x6d\xaa\x12\x8e\x5a\x9a\x59\x78\x30\xd3\xc7\x8e\x39\xde\x19\xee\xc4\x3e\xe4\xf1\x91\xee\x9f\x07\xfc\x7d\x85\x28\x19\x7b\x83\x07\x4e\x66\x18\x6e\x03\x3c\xc4\xe8\x00\x87\xd1\x3c\x84\x4e\xd6\x54\x04\xf3\xa6\xb6\x11\xdc\x84\xce\x39\xa4\xe3\x48\x9c\x7c\x40\x86\x04\xff\xe8\x21\x76\x64\xd0\x79\x1b\x5b\xb6\x7d\x64\x21\x42\xf8\x6f\x26\x82\x13\xd5\x87\x15\xe4\x02\xdb\x71\x77\x4b\x60\xd2\x0f\x1f\x64\x5d\xe5\xe3\xb4\x16\x04\x43\x50\x10\x94\x62\x59\xe7\xd9\x37\x6b\x70\x33\xbb\x91\x1d\x1f\x1d\xf1\x3a\x6a\x10\x7b\xaa\xbc\x5d\xa8\xf2\x3e\x61\x07\xbc\x7e\x64\x97\x01\xaf\xff\xf1\x1b\x04\x5d\xb0\x97\x31\xe5\x61\xc3\x2d\x68\x6d\xaf\x80\x99\xf5\x67\xb4\x02\x06\x0e\x65\x45\xfb\x52\xa5\x25\x43\x75\x2f\x1f\x3a\xc4\x6a\xc3\xc0\xef\x1b\x0b\x59\x34\x17\x17\x79\x0f\x04\xee\xbb\x7a\xd1\x9a\x40\x84\xa8\x57\x1c\x0a\xee\x1c\xf1\x6e\x18\xa6\xc1\x90\xa2\x23\x48\xd6\x27\x0e\xee\x11\x90\xbd\x88\xf9\x3d\x2a\xf2\x30\x1a\x4c\xfb\x8a\x05\xe8\x06\x87\x87\xb0\x00\xc3\xce\xa6\xcd\x07\x9c\x64\xb7\xb2\x9b\x47\xf2\x01\x5b\x92\x8a\x87\xbc\xe6\xf6\x04\xec\x4e\xff\x0e\x4d\xc0\xb0\x36\x4d\xbb\x46\x50\x98\x2a\x04\xcb\xff\x1c\x77\x20\x3d\xad\x24\x23\xcb\xd9\xba\x48\xc9\x04\xe2\xff\xe2\x78\x70\xbb\xfd\xc0\xb0\x75\x96\x55\x06\xfd\x2b\x29\xb5\x80\xe4\xb5\x7b\x92\x18\xc8\xaf\x1a\x97\xbc\x89\xb0\x17\xc5\x52\x16\x77\x48\xd6\x1f\x8e\xb1\xd7\x79\x4c\xbf\xf3\xbf\xcf\x0b\xfa\x33\xf4\x43\x99\xcc\xe4\x5e\x81\x30\x2d\x55\x4a\x3b\xee\xcb\xaa\xc1\x15\xca\xee\x1a\x64\x45\x31\x00\xad\x91\x49\xe5\x07\x5e\x67\x54\x47\xa1\x12\x37\x99\x34\xb6\x8e\x36\xe2\xe3\x1e\xbb\x5e\x5c\xec\xc6\xe8\x80\xbb\x04\xf1\xca\x85\xff\x1e\xcc\xab\x70\xf3\x8d\xc1\x9b\xbc\x53\xd5\xb7\x3a\x88\x5b\x01\x29\x66\x2d\x54\xe4\x80\x5f\xc4\xce\xba\xec\x64\x89\x52\x5d\xd7\x0e\x88\xc1\x40\x9b\xc1\x88\xba\x1c\x6f\xc9\xbf\x99\x18\x0a\xdb\xba\x90\x45\xcb\xa2\xd3\x95\x27\x12\xee\xa5\x4f\x4c\x04\x47\x2b\xcf\x06\x76\xbb\x7a\x39\xe2\x06\xfa\xb9\x3d\x88\x9d\x5d\x93\x9c\xef\x51\x24\x67\x39\xf8\x57\x67\x68\xe6\x21\x14\x52\x4d\xbd\x4d\x60\x8e\xb1\x06\xab\x6d\xab\x27\xb3\x16\x6e\x8f\x43\xd8\x83\x47\x33\x83\x7b\xc8\xbb\x6f\xfb\x4b\xe6\x46\xff\xf8\x30\x74\xaf\x0a\xa9\xa8\x5e\x2c\x3f\xb1\xdf\x89\xba\x36\x5b\x31\x2f\x09\x9b\xe2\x3f\xed\xbf\xe4\x41\xba\x9a\x4b\xde\x44\x37\xcf\xca\xac\x99\x25\x0e\x35\xf9\xf2\x3e\x16\x53\x42\x9b\x50\x39\xbd\x9f\x59\xa0\x74\x36\xa5\x4a\xe8\x4a\x89\x67\xdc\xd4\x3b\x94\xeb\xb5\xa5\xb2\xf8\x12\xee\x45\x01\x64\x22\x97\x97\x49\x5b\xe4\xae\x4f\xf9\xeb\x3d\xa6\xbb\xe1\xbf\xdc\x0b\xbe\x77\x81\x7e\xe8\xd6\xd4\xef\x2b\x69\x0a\xd4\x54\x55\x14\x5a\x30\xc2\xf1\x60\x79\x76\x21\xa8\xf1\xe0\xfc\x1c\xfc\xb3\x34\xbb\xbc\x10\xd8\xbb\xee\x77\xc7\xd8\x7e\x08\xf7\xf1\x3f\x3d\x16\xfc\xea\xd8\x29\x88\xfc\x41\x83\x3a\x36\xa1\x7a\xb7\x9a\x08\x4b\x5f\xec\x74\x0f\xbd\x80\xf3\x4e\xa8\x71\x0f\x30\x80\xa8\x68\x87\x49\x82\x00\xc8\x7d\xf3\xa9\x51\xda\xe6\xbd\x44\x14\x27\x79\x1d\x13\x06\xd4\xe3\x94\xbe\xa3\xfe\xe3\xe7\xab\x15\x24\x02\xd2\xc0\x29\xd7\x25\x70\xd4\xc0\x92\xbd\x42\x30\x6e\xce\x31\x5a\x63\x58\x9d\x37\x93\xac\x17\x29\x54\xeb\xdc\xc4\x68\x38\x8d\x91\xce\x6d\x83\x3e\x23\xa7\x2b\xb7\xeb\x8c\xab\x61\xb6\xb2\xac\x41\x9e\xdd\x00\x45\x60\x88\x87\x3d\xb7\x7f\xf9\x44\x47\xbd\x34\xc4\x55\x1e\xdd\x69\x01\x1d\xe1\x57\x9f\x18\x1c\x77\x9e\x8c\x4c\xbb\x16\x5a\x8e\xb8\xce\x96\xfe\xa7\xa3\xec\xa7\xaf\x62\xd7\x76\xb3\x68\x3e\x6d\x65\xf7\xa6\x67\x25\x8f\xe4\xbf\xfe\xaa\xe0\x65\x57\x11\x1a\x84\xbc\xb4\x20\xbe\xd3\x2d\xe3\xe8\x76\xe3\x02\x5c\x1e\xc8\x23\x85\x3c\x1f\xc8\xa9\xa6\x70\x80\x73\x00\xb0\xc5\xe8\xdd\x8e\x80\xff\x58\x37\x8b\xce\x81\xaf\x45\x37\x8b\xce\xcf\xcf\xd5\xb8\x28\x9b\x8d\x49\x15\xc7\x0e\x20\xe4\x3c\xeb\xaa\x50\x79\x8d\x53\xa1\x22\x63\x6b\x03\xd5\x3a\x41\x6f\x88\xe1\x93\xa5\x0a\xcd\x5c\xd9\x85\xe5\x9e\xa0\xc0\x5a\xd7\xe3\xc9\x44\x41\x55\x86\x6c\xa5\xd8\xa4\xa2\x91\xe8\x26\x59\xbf\xa3\x82\xea\x70\xa2\x9e\x66\xe7\xf4\x04\x9b\x5a\xb5\x7f\x61\x41\x69\x45\x14\x36\x86\x8a\xb2\x1b\x86\xf5\x7d\x64\xd2\xa0\x7a\xbb\x9e\x59\xf2\x48\x83\x2b\x56\xac\xdc\xe2\xbb\x61\x0e\xd1\x9e\x72\x9f\x2b\x9b\x1d\xdd\x98\x76\xfb\x34\x27\xf1\x60\x4f\x1a\xdc\xf5\xcf\xd7\x2f\x65\x2f\x75\x24\x22\x7d\xde\x1a\xd8\x13\x85\xbd\x65\x48\x85\x8c\x97\x49\xbc\xd6\x2e\x25\xd1\xde\x34\x7e\xf1\xdd\x5c\xb4\xe2\x8b\x0e\xd2\x51\x83\x07\xcd\xc2\x6c\x7b\xba\x61\xba\x59\x04\x89\x0b\x03\x29\x54\x44\x0d\x30\xdb\x6d\x55\x0e\x9c\x6b\xac\xc2\x18\x53\x3f\xea\x8b\x5e\x1c\x05\x27\x89\xdd\x38\x22\x1f\x9c\x9f\x9f\x9b\x1c\x5a\x5a\x74\xdb\xa2\x23\xf2\x30\x09\x4e\xf2\x40\x8e\x30\x50\x6e\xf5\xb4\xf3\x31\xab\x99\x2e\x46\x80\x22\xf4\x16\xac\xf9\x5b\xfd\x4f\x79\x39\xac\xf6\xf1\xbc\xda\x39\x0c\xec\xd8\xed\x00\xb6\x6d\xc0\xd8\xd6\x7d\x44\x36\x2a\x15\x9b\xda\xc4\x19\xa7\xb6\xc9\x71\xba\x31\x7d\x33\xf0\xf8\x92\x77\x4a\x93\xbe\x9b\xb9\x4f\xf9\x52\x39\x59\xe7\x11\x17\x46\x0e\x38\x30\xc1\x2b\x01\xec\xb6\xe0\x94\x69\x18\x3b\x7e\x26\x6e\x89\x66\xbf\x99\x88\xb3\x60\xa0\xbd\x17\x6c\xdf\xaa\xda\x66\x98\xf2\x44\x48\xda\xa9\xce\x06\x8f\xe2\x02\x0d\xb6\x61\x1a\x4d\xc9\x1b\x65\x2d\x45\x9b\x82\x32\x9f\x40\xca\x5d\x77\x00\x37\xe9\x14\xb1\x0e\xee\x08\x45\xc7\xdb\x8d\xc1\x08\x55\xa1\x2c\x15\x10\x46\x8c\xc1\x3a\x78\x88\x91\x46\x60\x28\x87\x72\x1d\xd3\xe8\x17\xe6\x9c\x1b\x6b\xb4\x9a\x1b\xa8\x08\xbd\x67\x8b\x1a\xb7\x10\xa7\xf8\x46\x1c\x82\xf6\xac\xd3\xc1\xc4\x3a\xa9\xe5\x33\xa8\xae\x3d\x02\x8e\x67\x6c\xb4\xbf\xb9\x15\xdd\xf9\xcf\xe3\xec\x7a\x45\x57\x17\x05\x41\xff\xfb\x7f\x3a\x1e\xfc\xde\xf8\x62\xf5\x71\xc5\xfa\x66\x27\x5b\x08\xd3\xb2\xe0\x2b\x03\x94\x66\x85\xaf\x0a\xf0\x2e\x12\x79\x9c\x45\x94\x86\xb8\x89\x79\x93\xe1\x72\x6f\x25\x92\xc3\x0e\xd3\x3e\xef\x66\x14\x82\xd0\x6c\x87\xe9\x9a\x76\x64\x04\x12\x6b\xe2\xdb\x6d\xab\x7c\x34\x00\x68\xc0\xd8\xb9\xac\x14\x27\xf9\x4c\x0b\xa6\x5a\xce\x7d\x53\x14\x45\xab\x27\x0f\x4e\x0c\x28\x3b\x83\x89\x0f\x64\x77\x6a\x92\x49\x2f\x24\x7f\x9e\x96\x48\x1b\x65\xa5\x83\x65\x49\x22\x83\xa5\x47\xbe\xdd\xd8\xbe\xac\x78\x7b\xd5\xd9\x73\x62\x93\x2e\x1b\xe5\x80\x61\x5d\x23\x85\x10\x29\x9e\x4c\x85\xbe\xa2\x3d\x8a\x2c\x97\xd5\xd0\x8d\xa6\x09\x53\x6a\xdd\x38\x4f\x6f\x2a\xc8\x88\xd9\xa5\x79\x4a\x20\x39\x83\x9a\x09\x10\x9a\xcd\x59\xd5\x31\x38\xee\x0e\x78\xe0\x00\x7b\x4c\x51\x89\x96\xfb\xea\xfe\xe0\x0f\xf6\x57\xaf\xeb\x4a\x21\x67\x37\x50\x54\xc7\xe0\x9d\x8d\x3b\x43\x1e\x49\x2b\x90\x07\x32\x52\xa0\x93\x89\xe3\x64\xae\x63\x41\x74\x85\x03\xb7\x22\x4e\x21\x7a\x17\x83\xeb\x4c\x2e\xf0\x46\x1a\x19\xa9\x41\xce\x94\x56\x08\x9e\xbe\xb6\x14\x5c\x42\x5b\x34\xd7\xab\x4e\x1e\x71\xa7\x23\xa2\x38\x2c\x45\xd2\xb7\x0f\x35\xba\x2c\xa9\xe4\x0c\xf3\xa9\x72\x8c\x07\xa6\x41\xf9\xc3\x83\x3d\x59\x6c\x2a\xb7\x78\xec\x00\x64\xde\x5e\x8d\xd1\x10\x4b\x37\x79\xaf\x30\xc0\x1d\xc3\x06\xdb\x96\x0c\x02\xee\x40\x29\xf5\x67\x1d\x13\xa9\x35\x7a\xc0\x0d\xc6\x66\x12\xd0\x04\x20\x40\x4f\xcd\xae\x9c\x46\xa9\x29\x94\xe1\x88\xe1\x4c\x61\x00\x5a\x96\x53\x1a\x0c\xb9\xdd\x62\xed\xf7\xdf\x4a\xe2\x6e\x57\x44\x30\x92\x1c\x27\x65\x60\xe5\x6c\xa6\x40\xf6\x7e\x55\xee\x72\x3d\x84\x2d\xa8\xd2\xe0\x96\x47\x03\xf7\x36\x1b\xbe\x32\x03\x43\x36\x3b\xf0\x1f\x51\x95\x45\x73\x8e\xc0\x9f\x1d\x60\xd7\x94\x96\x86\xa9\xf0\x7f\xe7\x40\xf0\xa7\xfb\x6d\xa5\x53\x15\x52\xd0\x76\xc8\x05\xac\x94\x6e\x16\x15\x87\x87\xeb\x06\x35\x7c\x81\x7c\x04\x2a\x08\x3c\x22\x10\x32\x9c\x41\xa6\x78\x01\xa0\x29\x79\x9f\x87\xbd\xb2\x8d\x40\x16\xe8\x52\x39\xc8\xfa\x69\x25\x1b\x98\xde\x77\xce\xf5\x8d\xe0\xf9\x88\xa4\x49\x3e\x4f\xd8\x5c\x9e\xa8\xc8\x49\x4e\x43\x27\x87\x72\x33\x85\x43\x7d\x1a\xd8\xc9\xe0\x24\x7f\x01\xe3\x3c\xb8\x5d\xe9\x25\xef\xa0\x27\x9c\x07\x50\x22\x38\xc9\x6f\x87\x3f\xee\xa8\xe1\x53\xa3\x94\x5c\x8e\x3b\xa2\x28\xc3\x4e\x57\x96\x31\x8f\x79\xa9\x9e\xcb\x01\x2f\x9e\x9e\x3d\x71\xe2\xc4\x93\xe0\xeb\x17\xca\xff\x34\x1a\x0d\xf6\x42\x7d\x15\x68\x55\x2b\xe5\x97\x73\x74\xbc\xc6\xe9\xcd\xb8\x38\x40\x68\x62\xc9\x3b\x19\xb9\x25\x90\x42\xb3\xa0\xf4\x36\xc8\xd6\x81\x3f\x79\x2e\x9a\x02\xe0\x26\xe0\xb0\x63\xb9\x10\xae\x1e\xe8\x6b\xbf\xc6\x07\xaf\xd0\x8a\x27\x5a\x99\xc7\x6b\x6b\x22\x1f\xb2\x5a\xf6\x95\xf9\xc8\xdf\x07\x46\xdf\xf6\x24\x76\xcb\x16\xe9\x8d\xaa\xe2\xa3\x3d\x9b\x3b\xc4\xe1\x7a\xcf\x01\xf6\xb8\x8d\x41\x7e\xae\xf0\x2f\x1d\x08\xfe\x71\xff\x10\x4e\xaf\xb0\x22\x2a\xc3\x52\x7b\x03\x2b\xe2\x3a\x42\x58\x24\xce\xac\xa8\x9c\x7f\xbc\xa0\x13\xd2\xfc\x52\xc6\xa2\xc2\xe1\x3e\x6b\x06\xb7\x04\x3c\xf0\x0b\x49\xe0\x2c\x56\x5a\x9d\x30\x57\x26\x06\x52\xa9\x1c\x5b\x51\x14\xb2\x38\x4b\xc9\xb8\x61\x65\xbd\x30\xe1\x0b\x17\xa6\x16\x2e\xcc\xf2\x8e\x90\xbc\x4e\x5c\x74\xb0\x8f\xe8\xcb\x09\xcc\x9f\xec\x91\x61\x7f\xe9\x9e\x01\x0a\x12\x89\x9a\x1e\x79\x98\xdb\x8e\xcc\xc0\x0d\xc6\x70\xab\x92\xea\x28\xc2\xf0\x16\x15\x36\x6b\x73\xff\x8a\x0f\x8d\x73\x9e\xa8\xb9\x86\x01\xc7\xc6\xb1\xcd\xbc\xc8\x28\x54\x52\xca\x32\x7c\x46\xcd\x70\x1b\x15\xd0\xab\x82\x63\xa4\xae\xd2\x6d\xaf\x0a\x44\xb8\x8b\x8d\x20\xb0\x96\xd1\xb5\xbf\x26\x4a\x72\xb0\x1c\xa4\x4d\x94\xc6\x08\xd8\x65\xc5\x41\x9d\x56\xb8\xb7\x83\xbe\x35\x8e\x17\xb1\x35\x3b\x85\x10\x43\x7c\x07\xeb\x92\x5e\x11\x6e\xa3\x72\x23\xd4\x92\x4d\x1d\x9c\x3f\xeb\x2a\x8a\xad\x5d\x76\x12\x33\x4c\x79\x62\x6d\x36\x5f\xf5\x48\x47\x59\x77\x60\x8f\x82\xb2\x5d\x3e\xc7\x9f\xe4\xe1\x1b\x46\x91\xc9\x99\x86\x6e\x62\x5b\x72\xe6\xa3\x9c\x9c\xd8\xc7\xf7\xb3\x6b\x43\x48\x19\xaa\x32\x6e\xfb\xef\xdf\x1f\xbc\x7d\xbf\xfb\xec\x72\x74\x28\x29\xc7\x6f\x8d\x22\x84\x1f\xb1\x97\x4e\x4d\xaf\xb9\xef\x66\x35\xd2\x56\x55\x9d\xd0\x11\x65\x3b\x8b\x26\x6b\xb4\xad\x88\x79\xb3\xf6\x3f\x35\x15\x09\xf8\xc7\x40\x76\x69\x1b\x87\x5c\x7f\xb0\x5e\x61\x41\x25\xfe\xa6\xa5\xc8\x5b\x52\xd6\xa6\x08\x69\xc9\xa9\x15\x16\x8f\x1d\x9a\x24\xcc\xa4\x96\x04\x17\xbd\x30\x2e\x0b\x8b\xb1\xb2\x84\x69\x28\x2f\xcf\xb1\x68\xc9\xc5\x02\xb8\x32\xa1\x1c\xe6\xd4\x05\x6d\x2e\x49\x95\xa3\xaf\x4e\x1f\xe6\xbc\x99\x81\x83\x1d\x86\x27\xd0\xc9\xaa\xcc\x31\x60\x26\x81\x74\xb0\x75\x57\x35\xa5\x1e\x58\x88\xb8\xd0\x29\xdb\x74\xda\x34\xad\x6f\x5b\x84\x64\x7c\x79\x7f\x64\x88\xbd\x92\x31\x35\x30\x8b\xd1\x5d\x1a\x0d\xd7\xd0\x76\x95\xe6\xa4\x58\x07\x4e\x8f\x64\x6c\xd0\x11\x6c\x59\x1e\x45\xba\x9d\xca\x9c\x5f\x1c\x63\xd7\xb4\x8a\xbb\xf3\xac\xd7\x5d\x00\x93\xae\xff\xf1\xb1\xe0\x43\x63\x73\x44\xe5\x89\x46\xf7\xd2\x48\xe4\x49\xdf\xe2\x97\x14\x49\x47\x11\x11\xb0\x13\x37\x53\x91\x17\xed\xb8\x8b\xde\xe6\x03\x28\x75\xf4\x21\x2d\x36\xca\xa2\x24\x51\x36\x38\x78\x55\x73\x17\xf8\xaa\xc9\x4f\x2f\x59\x1d\x53\x8a\x59\x88\x4b\x34\x4a\x47\xb9\x8d\xe3\xc1\xac\x78\x61\xd2\x6d\x87\xf5\x44\x6c\x08\x4a\x8c\xa7\xc8\x5f\x3b\x4b\xb3\x1c\x2f\x8f\x82\x0c\x48\x70\x48\x70\xc1\xd4\xea\xe2\x69\x72\xdb\x77\x7c\xc9\xb7\x9a\x5e\x0b\xa0\xf0\x71\xec\xf0\x16\x37\xb6\x1d\x26\xef\xff\xf8\xe3\x82\xff\xe5\x39\x81\xf3\x2e\x82\x89\x65\xfa\x26\x8c\x0c\x74\x2b\x6c\x0d\x41\x2f\x18\x00\x1f\xd1\xb2\x46\x3f\x0d\x3b\x24\xfb\x6b\x11\x09\x76\x8b\xdd\x32\xdd\x67\x00\xea\xa4\xc3\xd9\x6e\x1b\x70\xf5\x77\x11\x36\x1c\x77\x57\x51\x36\x71\x5a\x52\x03\xc0\x1e\x82\xba\xae\x71\xc9\xbb\xca\xb4\xec\x26\xd7\xfc\xc0\xf5\x2c\x65\x8f\x83\xb8\x41\xec\xf7\xa9\x8b\xdd\x30\x05\xcb\xee\x85\xe0\x9e\x99\x21\xcf\x25\xcd\xda\x74\xd1\x6c\x2a\xbd\x92\x1f\xa9\xbd\x27\xe4\x67\x2e\xa2\xd6\x2b\xc6\xd9\xf5\x14\xa8\x48\xbe\xe9\xb1\x28\xfc\xaf\x8f\x05\x3f\x33\xb6\x28\xe4\x2a\x36\x4b\x3b\x6c\x4b\x95\x20\x3f\xe7\x8d\x9d\xcd\x2e\x3f\x65\xd1\xd1\x6e\xd2\x5b\x8b\x8d\x69\x5a\x52\xc7\x6c\x33\xb5\xac\x35\x06\x87\xc6\x66\x6a\x0a\xc0\x29\x45\x26\x49\x79\xd1\x2b\xd4\x8b\x65\x91\x77\x94\x59\x2f\x44\x94\x71\x0d\x3b\xaa\x6b\xcb\x69\x38\x20\xca\x54\x52\x48\xee\xf0\x60\x10\xd7\x62\x94\x07\x74\x24\x2e\x83\x69\x35\x90\xb1\x83\x43\xd8\xb3\xe6\xef\xd6\x9a\xbf\x67\x6e\xbf\x72\x73\xfb\x57\x3d\x76\x35\xdc\x47\x0a\xc9\xfe\x8b\x5e\xf0\x11\x6f\x6e\xf8\x91\x1e\x42\x61\xd5\x06\xac\xd0\x9f\x5c\x50\xa0\xb9\xd1\xef\x14\xa4\x4a\xa5\x86\x6a\x1c\x02\xba\x9e\x15\xe4\x59\x50\xe3\x41\x91\xb5\xca\xe0\x7b\x00\x56\x53\xcb\xff\x11\xaf\x2b\x4b\x19\x92\xde\x85\x0b\xa4\xc0\x2c\x10\x53\xa9\x15\xc6\x89\xbc\xac\x25\x53\x0c\x64\x17\xbe\xdc\x8a\x89\xfd\x8c\xed\x5d\xf0\xe0\x16\x4e\xf8\x3b\x0b\x29\xff\xe6\xf0\x40\x7c\x8d\xc7\x98\xb9\x27\xfd\x17\x79\x81\x58\x30\xd7\x66\x3b\x4b\xa2\xa1\x77\x29\x59\xb4\xd5\x9d\x44\x58\xe7\x44\x23\x10\x25\x60\x63\xab\x55\xde\x32\xc0\xe4\x1c\xb3\xef\x3b\xff\x29\xc1\xf1\x05\xab\x29\x57\x93\x05\x21\xb7\xb4\xc4\xd6\x47\x0e\x4f\xf1\xc3\x1e\xbb\x26\x17\x00\x0c\x40\x1c\xdb\x4b\xbd\xe0\xe2\x23\xb0\x4f\xd1\xa9\xc0\xb4\xe3\xc2\x16\x03\x64\xb2\xcb\xed\xfc\x9d\xc7\xae\xc7\x79\xba\x0b\x55\xab\x67\xb3\x48\xf8\x7f\xe8\x05\x9f\xa5\x7c\xbc\xd6\x63\x6b\xe0\xed\x6c\x10\x2d\x6d\x56\x36\x5b\x58\x3a\x21\x7b\x4c\x92\xfa\xae\x66\xbd\x34\x6a\x70\x27\xd3\x8a\xd3\xc8\xbc\xd2\x19\x03\x96\x57\xa1\x43\x8f\x1e\xce\x4b\xcf\xf2\xff\x16\xdb\x7b\xb6\xdc\xe5\xdf\xb9\x5d\x00\xbe\xcd\x84\x0d\x75\xff\x7e\xa7\xc7\x9e\x69\x8e\xa6\x94\x88\x80\x0d\x2a\xea\xc6\xaf\x50\x9f\x52\xa7\x80\xe6\x39\x9f\xba\x74\xef\xb9\x25\xb8\xe4\x16\xf2\xac\x5b\xdc\x9b\x2f\xc1\x08\x66\x24\x91\xf0\xcf\x05\x67\xb6\x7a\xef\xc6\x14\x57\x4a\x22\x96\x02\xdd\x34\x40\x73\x1a\xec\xab\xd7\xb0\x5b\x6c\x10\x4e\x05\x5a\x8f\x39\xcc\x09\x6e\x74\x63\xba\x71\x1f\x66\x75\x98\x85\x5b\x03\x31\x3c\xfd\xff\x76\x4d\x70\x61\xc8\x73\x37\x97\x4a\x05\xec\xbd\x13\xae\x0b\x1e\xf2\xe5\x33\x4b\xb2\x58\x4a\x6e\xed\x5a\xaf\x4e\xc9\x23\x1c\x9e\xf3\xe3\x57\xb3\x07\x3d\x36\xd1\x0c\xef\xea\xa5\x51\x22\xfc\x5f\xf0\xfc\x7d\xab\xfd\x52\x04\x6f\xf5\x56\xd4\xc3\x15\xbc\x45\x17\x4e\x9d\xe5\x2a\x51\xd1\xec\x0c\x5f\x85\x77\x76\x72\x73\x4b\x99\xe8\x68\x6e\xa9\xdd\xc3\x3a\x85\x90\x95\xb4\x15\x64\x4a\x07\xce\x58\x25\x42\xcf\x7b\x45\xc9\xf3\x2c\x2b\x35\xe6\x85\x5e\x64\x38\xae\xb0\xa9\xed\xf3\xf7\xb2\x31\x76\x90\xf4\xbe\xfe\xff\xeb\x6d\x91\x14\x78\xe4\x3a\x90\x8e\xd2\xc4\xb8\xbe\xd7\x5b\xa1\x1a\x57\x46\xa6\x46\x47\x2d\x3b\xd2\xd1\xb8\x50\x83\x6d\xf0\x53\x31\xf0\xe4\xa6\x82\x2c\xe7\x2b\xbd\x3c\x59\xd1\x00\x09\x26\x89\x09\x63\x24\x59\xab\xfc\x1e\xb1\x9b\x08\x21\x1e\x04\xfd\x48\x01\xd6\x9f\x28\x44\xaf\x10\xa6\xa1\x06\xfb\xfa\x04\x1b\xef\xe5\x89\xff\xd5\x89\xe0\x4b\x13\xd8\xe6\x5a\xbc\x41\x44\x56\x61\x24\x28\x42\x4b\x4d\x02\xe0\x92\xce\x3a\x75\x7e\xf1\x0c\x26\xa3\x3a\xb2\x02\x2c\xa1\x38\x39\x05\x21\xa3\x27\x25\x93\x3e\xd5\x0d\xcb\xf6\xca\xa4\x0b\x94\x9b\xb5\x68\x74\x99\x3d\xe6\x61\x43\x5d\x6e\x0b\xbe\x22\x2b\x5b\x51\xdd\x97\xfc\x50\xae\x44\x60\xe3\xd5\xac\x66\xc0\x1d\xfd\x6d\x3a\x6a\xdc\x34\x43\x54\x2d\x2d\x4a\x11\x92\x99\x05\x70\x16\xd0\x33\x63\x15\xb1\x51\x93\x0d\xc9\x9e\xc6\xa1\xd6\xa4\x40\x38\xb8\x1c\x75\xd6\xb1\x36\x57\x81\x11\xe6\x35\xbe\x02\x28\x83\xfa\xf9\x8a\x82\xc0\xa7\xba\x78\x9c\xd6\x95\x29\x5d\x56\x14\x12\xed\xdc\xd4\x08\x0a\x3c\x09\xfb\x08\x93\xb9\x11\x67\x09\x4c\xfa\x64\x43\x0d\xbd\x63\xa5\xad\x09\x53\x3e\xbf\xa0\x82\x0e\x1b\x8c\x2d\x24\x02\x1c\xb6\x34\xb2\x38\xc2\x9c\xaf\x68\xb8\x04\x9c\xe5\xe9\xe3\xb7\x34\x8e\x35\x8e\x35\xa6\x57\x10\x29\x96\x6a\x96\x7b\x27\x2e\xd6\xfb\x0a\xb0\x5a\xee\x93\x52\x52\x86\x35\x79\xc1\xf1\x66\x88\x88\x9d\x98\xa5\xc7\xec\x58\x48\x6a\x97\x24\x30\x71\xca\xfc\x2f\xcb\x84\xa9\x75\xf0\xc8\x2b\x00\xa6\x35\x15\x78\xd6\x81\xea\x68\x4b\xb5\x7b\x08\x96\x7a\xcd\x36\x62\x83\xca\xd7\xb2\xe5\x24\x5e\x17\x49\x9f\xb4\xb5\x52\xc4\x96\x3b\x4a\xde\x36\x35\x1e\x37\x44\xa3\x06\x9b\x41\x84\x05\x14\x29\x7b\x79\xca\x7b\x5d\xc4\xc6\x48\xc5\xa6\x46\x10\x24\xac\x31\xd8\x9a\x7a\x93\x05\xc0\x5c\x05\x28\xa9\xcb\x1d\x4c\x2f\xa4\xbc\x09\x44\x30\x50\xdc\x57\xd0\x60\x6c\x06\xe1\xb7\xe5\x55\x48\x40\xd5\xa4\x29\x69\x69\x7c\x70\xa5\x39\x4d\x95\xad\x45\xeb\x75\x08\x16\x34\x94\xcd\x34\xf8\xfd\x59\x0f\xca\xea\x64\x2a\x21\x40\x44\xa1\x91\x4c\xce\x9f\x0e\x5b\xa7\x6a\x88\x78\xe8\xa3\xe7\xa4\xf2\x32\x1e\x1a\x26\x6b\x84\xec\x6f\x59\x4a\xf1\x97\x3e\x97\x4d\x51\x82\x84\x2c\xe7\xab\x61\x11\x37\xc1\x60\x87\xcc\x74\x20\x5f\x9c\x94\xcd\x6f\x66\x79\x74\x67\xa0\x01\x1a\x51\xd4\x6f\xf0\xd3\x79\xb8\x86\x1a\xd5\x23\xc1\x0d\x8d\x46\x23\x98\x84\xb1\x3f\xaf\x27\xf2\xbe\xcd\x1e\x1e\x09\x9e\x42\x6f\x41\x21\x52\x1a\x54\x23\x01\xe4\xcd\x21\xc0\x2f\xd9\x57\xc5\x9c\x6e\x67\x39\x41\xe9\x22\x4e\x77\xaa\xa1\x9f\x7a\x89\xf0\x3f\x3b\x1e\x9c\xa9\x3c\x23\x26\xd5\xb9\xd7\xe4\x01\x30\xba\xa0\x10\xdc\x24\x35\xdf\x2a\x77\x90\x92\xdd\x2e\x79\xfb\x37\x44\xbe\xea\x7a\xc9\xff\xd5\x18\xfb\x84\xc7\x1e\x93\x9a\x76\xce\x2f\x9e\x29\xfc\x0f\x78\xc1\x25\xef\x9c\xfb\x90\x84\x45\x4c\x1b\x03\xb0\x4f\x61\xc2\x7b\xb9\xca\x0d\x44\xd3\x4d\x34\xcb\x85\xd1\x6c\x70\x7e\x94\xf2\xdc\xa8\x09\x5a\xed\x11\x00\x8d\x4a\x41\xd0\x4b\x92\x1a\x26\xd8\xe0\x45\x29\xba\x8a\xac\xc9\xcd\xd2\xe0\x3c\x38\x1a\x90\xfa\x22\x4c\x92\xad\x24\x97\x37\x7b\x0c\x87\xe9\xff\x90\x17\x5c\xbc\x20\xf2\x55\x37\x70\xc0\x4a\x18\x68\x4f\x0e\xa7\xac\x22\xab\x45\x8d\x40\x76\xd7\x24\xd3\xd8\xcd\x0a\xf9\xdf\x5e\x59\xa3\xbc\x1e\x35\xd9\xa1\x66\xbb\xc6\xdb\x22\x8c\x6a\x0a\xc1\xe6\x72\x3a\xf8\x63\xe3\x8c\x0f\x51\x79\x9c\x4a\x37\x4e\xe7\x59\x87\x20\xda\xff\x61\x2c\x38\xe9\x3c\xa9\x82\x6a\x18\x88\x76\xbd\x24\x1a\xdd\xdc\x5d\xe1\x77\x8f\xb1\x26\xbb\x5a\x03\xad\x2f\x8a\x96\xbf\xb4\x45\x0a\xdc\x01\xac\xf5\x53\xe9\x06\x81\xac\x3f\x7e\xd9\x81\xa5\x2f\x33\xca\xc4\x04\x52\x3e\x4b\xd9\x01\xf4\xea\xf3\xa3\xe0\xbe\x99\x54\x93\x0d\xeb\x98\x22\x14\x21\x64\xc6\x01\x35\x20\x65\x66\x18\x48\x34\x60\x23\x1f\xcd\x3e\x67\x7e\xee\xd4\xb9\xe5\xf9\xd3\xf3\xa7\x16\x9d\xe3\xf4\x4c\x76\xa8\x10\xcd\x1c\x21\x3a\xce\xee\x00\xa1\x63\x09\x4a\x9b\xe1\xfc\x6b\x39\x1c\x7c\x58\x1d\xcb\x1b\xf7\x0d\x75\x18\x3f\x75\x51\x34\x67\x30\xdd\xc7\xdf\x8f\x07\xd3\xe6\xa7\x73\x00\x03\x79\x2d\x00\x3a\x31\x39\x09\x05\x1c\x33\x0f\xba\xee\xb7\x1f\x18\x67\xef\x1d\x67\x07\xc9\x45\xcc\xff\xa9\xf1\xe0\x3f\x8f\xcf\x92\xbf\x98\xca\xee\x69\xbb\x8f\xc9\x09\xbb\x28\x9a\xbd\xd2\xb1\x1d\xea\x46\xd0\x4e\x40\xe8\x1a\x3c\x8a\x73\x50\x9c\xf5\x35\x25\x50\x75\xc1\xfd\x97\x65\x25\x3f\x72\x78\xea\xf0\xa4\x8d\x09\xa0\xd0\xb6\x20\x75\x08\x70\x99\x0a\xd0\x40\x77\x8a\xf4\x09\xb2\x1f\x87\x23\x95\x29\x13\x2e\x7d\x18\x32\xf4\x2a\xe4\x45\x5b\x80\xa3\x56\xc6\xcb\x3c\xd4\xaa\x78\x78\x0a\x97\x5d\xde\xc3\x44\x8c\xfc\xc8\xe1\xef\x3d\x0c\x1e\xbf\x93\x7c\x33\x4b\x0f\x97\x04\x7b\xb5\xac\xe8\x37\x55\x24\x6f\x68\x75\x9b\x8a\x8b\xdd\x24\x6e\xc6\x25\x79\xa7\x71\x88\xdd\xcf\x94\x4c\x2e\x92\x44\xb2\x5d\xb1\x1d\xc3\x7f\x0c\x66\x93\x84\xd7\xb0\xe0\x49\xbc\x21\xa6\xda\x22\x4c\xca\x36\xe2\x13\x4a\x32\x00\x30\x96\x00\xeb\x4c\x6f\xb6\x3a\xc1\x7f\x7f\x68\xe8\xee\x38\x13\x77\xe2\x72\x31\x4c\xd7\x84\xff\x85\x43\xc1\xbd\xe6\xa7\x3c\xa0\x85\x51\xa1\xa1\x99\x1a\xb0\x49\x50\xc1\x80\xe7\x80\x8c\xe5\xba\x18\xdc\x9f\xda\x85\xd5\xdd\x3b\x3f\x3e\xb1\xa7\x0d\xdd\xd3\x86\x7e\xe3\xb4\xa1\xff\x22\xd5\x83\x9f\xf4\xd8\x3e\x29\x88\xf9\xbf\xee\xb1\xa9\x6d\x6f\x13\x73\xbc\x21\xca\xf1\xd5\x1e\x04\x61\xd8\xc7\x8e\x4e\xb8\x90\xcc\x5a\x13\x52\x71\x3e\xb2\x03\x91\x7d\xaf\x87\x69\x54\x47\xda\xf7\x90\xb7\xb8\xbd\xd6\x69\xca\xaf\x0f\x8b\xa7\x32\x83\xab\x86\x52\x7d\x7c\x82\x35\x76\x94\x30\xdf\x20\xa1\xbc\x7e\x22\x38\x51\x7d\x38\x0c\x5c\xc0\x2e\x33\x2a\xa8\xf3\x8b\x07\xf6\x08\xdf\x6e\x09\xdf\x45\x15\xd4\x99\x05\xdf\xa9\xe3\xc8\xb5\xaf\xd5\xe0\x42\xd8\x37\xe1\xed\xec\xe4\x16\xa0\x7e\xdb\xec\x86\x3d\x92\xbb\x0b\x92\xbb\x6a\x51\xdc\x0b\xbb\x8b\xf6\xfc\xd6\x11\xc1\x9e\x0f\x79\xc9\xf6\x14\x63\xde\xbf\xdb\xe0\x94\x98\xf5\xae\xa8\xaa\xab\xe7\x7d\xa8\xba\xfa\xfb\xaf\xb3\x73\xc3\x6c\xd1\xf3\x99\x85\x79\x70\xb5\xf0\x3f\xff\x98\xe0\x7e\xf5\xc3\x55\xf5\x22\x60\x6f\xe9\x06\x36\x12\xc2\x57\x4d\xfb\xd9\x74\x41\x8d\x96\x9b\x77\x28\x40\xc1\x70\x1a\x3a\xbd\xe6\x84\xfa\xd0\x21\x3d\x2f\xbb\x76\x8f\xf4\xec\xf1\x5c\xdf\x38\x02\x70\x82\x12\xd7\x3d\x31\xf8\xb7\xe9\x88\x9c\xe5\xb8\x8f\xed\x8f\x7e\xd3\x63\xd7\xe9\x4d\xaf\xf6\xed\xcf\x7b\xec\x69\x57\x40\x3f\xe0\xd4\x51\x1d\xa7\xb3\x7c\x4e\xa1\xaf\x05\xcd\x6a\x0b\x1a\x60\x9e\x7e\x9a\x63\x47\x4e\xb9\x33\x0b\xf3\x64\xec\x50\x2e\xbc\xdd\x3c\x5b\x0d\x57\x13\x9d\xbe\x41\xd9\x1f\xa9\x8a\x06\xfb\x93\xfd\xec\xdf\xe0\x27\x33\xa8\x08\xbe\xab\x4f\x86\x9f\xf9\xb9\xc5\xc2\xff\xf8\xfe\xe0\x4f\xf7\x85\xbc\x13\x76\xe5\x64\xd0\xf2\xca\x57\x28\xda\xa3\x59\x84\x60\xeb\x28\x60\x0b\x15\xe9\xca\x25\x15\xe7\x8e\x2b\xef\xed\x32\xe3\x6d\x91\x74\xa9\x26\xb9\x43\xa4\x90\xa6\x54\xe0\x3a\xe4\xa9\x28\x15\x11\xac\x8b\x56\x2b\x6e\x42\xb3\x9b\xa1\x09\x92\x6a\xf0\x59\xaa\xa1\x19\xa6\x5a\x03\x0a\x59\x7d\xba\x39\x18\x20\x2b\x9d\x0b\x0b\xde\x55\x19\x00\xa1\xfb\xe4\xa3\xd9\x47\x3c\x44\xd8\x8b\x80\xda\x9a\xb5\x0c\xca\x2b\x66\xc8\x2e\x6a\xba\xbb\x96\xe1\x03\x8d\x1a\x29\x40\xe5\x43\x39\x88\xc1\x99\x9f\x5b\x44\xe9\x9e\x9a\xc7\x8c\xaf\x64\xf7\xc4\x30\x69\x98\x58\x9a\x2c\x08\xae\x4b\xd7\xad\x00\x22\x9a\x62\x39\x2a\xea\x98\x95\xbf\x0a\x81\x20\x3b\x21\xa8\x69\x29\x0e\x08\x94\xd5\x61\x6a\x68\xd5\xfc\x02\x8e\x50\x36\x59\x53\xbe\x84\x54\x2d\x4c\xb7\x4a\x7a\x8e\x3d\xec\x51\x74\xab\x5d\x81\x3a\xf5\x3c\xc9\xb2\xf5\x82\x87\x25\x7f\x46\xfd\x74\x96\x6f\x86\x79\x24\x22\xf9\x17\xa8\xe9\x50\x09\xfc\x8c\xfa\xa2\x08\x93\xfa\x7c\xd7\x7a\x46\xe7\xbe\xb1\x28\x3a\x59\x29\xe4\xc6\xe2\x47\x62\xd2\xa9\x66\x79\x24\xf2\x49\xe5\x0a\x6d\xf5\x6d\x7e\xc1\x61\x89\x16\xd8\x39\x76\xe6\x0a\x8e\xd3\xd2\xa8\xcd\xcc\xde\xe4\x31\x7d\x05\xf9\xaf\xf6\x82\xe3\xea\x07\x68\x50\xad\x83\x55\x58\x97\x9d\x8a\x75\x57\x34\xc0\x74\xf0\x5e\x76\xf6\x61\x3d\xef\x0f\x79\x0b\xdb\xb3\x09\x75\xff\x89\xc3\x04\x0b\x75\x79\x57\xc5\x8a\xdf\x19\x67\xdf\x39\xaa\x53\x8a\x04\xcc\xa7\xad\xcc\x7f\xd7\x78\xb0\x2c\xff\x30\xb7\x3f\xbd\x46\x4b\x98\x09\x18\x03\xc7\x81\x4d\x71\x38\x49\x20\xb2\x4d\x41\x34\x03\x3d\x16\x03\x19\x4f\xa4\xb4\xd1\x09\x9f\x9b\xe5\xf2\xdf\x38\x95\xff\xb2\xb5\xb8\xd4\xf9\xb7\x0f\xad\xc5\xe5\x6c\xd6\xe9\xc4\xe5\x25\xef\xea\xb5\xb8\x5c\xce\x85\x58\x2a\xc3\x52\x5c\xf2\x0e\xad\xf6\xe2\x24\x9a\xc3\xbf\xd7\x32\xfd\xc9\x44\x33\xeb\x74\xe3\x44\xe4\x97\xbc\x89\x6e\x12\x96\xb2\x2d\x87\xa1\xf8\x8a\xc7\xbe\x8d\x99\xaf\x7d\x47\xc7\xf4\x6d\xcc\x34\xe9\xbe\xf9\x76\xe6\x74\xc0\x7d\xf9\xaf\x99\xd5\x6d\xf7\xd5\xe3\x18\x8e\xd0\x7d\xfa\xad\x4c\xf7\x73\xb0\x03\xd9\xc8\x8a\xe4\x14\x0d\x54\xa4\x46\xe9\xbe\xf8\xd8\x7e\x27\x87\x72\xd8\xed\x16\x72\x77\xcd\xe9\xd8\x39\x0d\xd6\xe9\xbf\x69\x7f\xf0\xb4\x21\xcf\x2b\xae\xae\x52\xbc\x25\xcd\xb7\x15\x80\x07\x16\x08\x95\x18\x0e\x01\x3b\x09\xf9\xff\x92\x77\x00\x25\x62\x57\x2d\xbe\x8f\xdd\xcf\x0e\x76\x44\x51\x84\x6b\xc2\x3f\x17\xcc\xcc\xf0\x76\xaf\x13\xa6\x92\xf4\x44\xe0\xde\x41\xef\x94\x2f\x0a\xa8\x55\xd1\x9d\xd8\xc2\x0c\x2d\xf3\x30\x2d\xe2\x01\x74\xec\xd3\xec\x40\x2e\xc2\x22\x4b\xfd\xdb\x83\xa9\x65\x00\xc0\x95\xbf\x2c\x6d\x2c\x8d\xed\x70\xc1\x93\xb0\x28\x47\xd5\x73\x86\x51\xdf\xfd\xbb\x82\x9b\x96\x1c\x5c\x52\x5d\x45\x4d\x19\x98\x97\x21\xf8\xf3\x34\x7a\x8d\x9f\x4f\x01\xdf\xd8\xa9\xed\x38\x01\xf8\x1f\x0d\xbe\x63\x99\x7c\x89\xac\x19\xd4\x15\x3a\xdf\xbc\xc6\x63\xbe\xec\xe1\xb2\xee\xe0\x72\xdc\x11\xfe\x0b\xd8\x2d\x57\x40\x52\xe4\xa7\xc1\x9d\x67\x60\xc0\x71\x47\xb8\xe3\xb0\xe6\x40\xa5\x4f\x87\x14\xb3\x38\xea\x32\xe3\x61\x0a\x81\x37\x0d\xb6\xc1\xae\x95\x5d\x3a\x0f\xec\x19\x74\x27\xba\xf2\xee\x4c\x2e\x03\x1f\x6d\xba\x04\x2e\xfd\xaa\x4f\x9b\x61\xa1\xd9\x40\xf6\xb9\xef\x66\xdf\x6e\x6d\xe5\x55\xb8\xf7\x36\xa6\x1b\x4f\xcd\x56\x01\x94\xe3\x7d\xdf\x1d\xdc\x42\x7f\x5b\x7b\x56\x12\x22\x39\xd0\xe7\x66\xab\xa4\xc1\xd7\x0e\xf9\xf2\xda\x02\x73\x53\xe3\x92\x37\xa1\x40\x95\x5c\x50\xb2\xef\x62\x5f\xf4\x98\x7e\xe7\x7f\x6a\x27\x58\xe4\x16\x1c\x0e\x28\xa7\xde\xe0\xcd\xb9\xce\xe2\x19\xc5\x7e\xe8\xa8\x00\xe5\xdb\xd5\x16\xa9\xea\x23\x84\xcf\x3e\x37\x5b\xbd\xec\x8c\xc8\x92\x1b\x4a\xb2\x30\x2a\xa6\x4c\xf4\x48\x31\xf5\xdc\x6c\xb5\xa8\xe7\xbd\xb4\x5e\x66\x75\x8a\x98\x88\xb3\x74\x8a\x7d\x6d\x1f\xfb\xd6\xb2\x4c\x08\x43\x0c\xe2\xc1\x4f\xc7\x29\xc4\xa0\xfa\x5f\xd8\xa7\xa0\x76\x7e\x75\xdf\x88\x32\x4a\xcb\xa6\xc2\xa0\x60\x0d\x81\x36\x3c\x35\x5b\xc5\x41\xb6\x21\x1d\x3a\x15\x37\x0b\x70\x04\x4d\xb4\x7c\x96\xc2\x37\x24\x3f\x70\x3a\x8c\x13\x11\xa9\x94\x73\xb6\x3f\x18\xe6\xc9\x1a\xd1\x07\x0c\x25\x94\x5d\x90\x8d\x52\x5b\x85\xb2\x8f\x88\x24\x46\x68\x7e\x0a\xc1\xea\x95\x99\xbc\x74\xd0\x1b\x0f\xad\x8a\x51\x03\x5d\xd5\x54\x15\x10\x9b\x85\x04\x07\x5e\xd7\xc0\x11\xdc\x84\x79\xad\xf5\xc2\x3c\x4c\x4b\x21\xc8\x1b\x03\xed\xa6\xf1\xf3\x45\x5e\x98\x24\xfe\xe4\xbd\x36\x64\x30\xe4\x11\xa7\x5a\x43\xdb\xcb\xe8\xae\x0d\x9b\x0c\x39\x98\xe7\x8b\x3c\x33\xb5\xac\x8a\x66\xd6\x11\x03\xc3\xa5\x5a\x9c\x28\x6d\x9c\xaf\xb8\xd4\x53\xb5\x45\x7c\xc6\xe5\x86\x67\x2c\x2f\x9f\x71\x17\xc7\x38\xe4\x59\x00\x4b\xbf\x7c\x90\x5d\x6b\x76\x21\x78\x22\xbe\xf3\x60\xf0\xe6\x83\xb3\xce\x33\x0b\x0e\x06\xdc\x10\xb3\x88\x9b\x8f\x88\x1b\xcb\xc3\xe6\x3a\x4c\x92\x0e\xbe\x5e\x39\x97\xa5\xf3\x69\x24\x2e\x8a\x68\x85\x1f\xa1\x78\xc6\x49\x70\x49\x51\x8f\x1b\x8c\x39\xa5\x94\x63\x3e\xf1\xd6\xb4\x05\xac\xf4\x0e\x2a\xc6\x48\x47\x22\xe5\x02\x4d\xec\x10\xb5\xdd\x90\xfd\x6c\xd8\x5d\x33\x78\x0a\x49\x5f\x7f\x1c\xc9\x11\x14\x14\x6f\xe0\x0e\x46\x36\xd7\xce\x3a\x59\x92\xad\x65\x48\x6c\x4d\xd2\x0a\xd9\xd9\x51\x3d\x95\x15\x9a\xe3\x06\x31\x83\x4e\x9e\x01\xbb\x05\x59\x05\x92\xf5\x63\xb2\x81\x23\x83\xbd\xae\xf3\xe9\xc9\x9a\x9b\x59\x16\xa4\x25\x29\x8f\xa3\xba\x04\x49\xae\x4b\x7d\x9e\x9b\xad\x5a\x14\xa5\x0e\xed\xa0\x6c\xb3\xb3\x79\x84\xcd\x25\xb6\x98\x32\x63\xa4\xa3\xba\xe1\xac\xea\x98\x2d\x3d\x39\xb5\x21\x0b\x31\xe0\xe1\x05\xfb\x79\x05\x0b\x76\xc3\x3c\x4c\x12\x91\xc4\x45\xc7\xf8\x82\x25\x24\xa2\xa6\x72\xc7\x88\xe7\xf5\x30\xd7\xc5\xf4\xb1\x67\xdf\x34\x10\x56\xb4\x8b\x63\x42\x7d\x06\x7a\x65\x47\x2e\x21\xb1\xb7\x96\x0d\x83\x24\x69\x6b\x0f\x0b\x92\x54\x51\x6f\xb2\x2a\x2b\x5c\x30\x5b\x85\xa6\x0b\x1e\xda\x28\x29\xa5\x06\x6d\xd1\x1a\xa9\x9a\x36\x40\xab\x40\xc3\xf5\xb8\x5b\xe8\xb0\x3c\xc5\x31\x3d\x35\x5b\x75\xf8\x92\xdf\x1e\x67\x57\x59\x13\xed\xff\xca\xb8\xba\x2b\xde\x31\xbe\xa4\x8f\x2d\xe0\x29\x88\x02\x22\x2e\x0d\x38\x9b\xb3\xd4\xfa\x6a\x80\x24\xd9\xea\xa2\xb6\x92\x84\xf6\xd0\x3d\xaa\xc1\xff\x3f\xf6\xde\x05\x3a\x92\xec\xac\x0f\x3f\xd5\xd2\xbc\xee\xec\xc3\x2e\x13\xfe\x09\x10\xb8\x29\xaf\x19\x69\xd3\xdd\x92\xe6\xb9\xa3\x5d\xef\xa2\x91\x66\x76\x64\xcf\x43\x96\xb4\x6b\xbc\x0f\xef\x5c\x75\xdf\x96\xca\x53\x5d\xd5\xae\xaa\x96\xa6\xd7\xde\x84\x78\xb1\x79\xd8\x3c\x8c\x6d\x1e\x63\xcc\xcb\x76\x00\x1b\x42\x1c\xec\x04\x63\x07\x30\x8e\x71\x0e\x26\x86\x40\x0e\xe1\x61\x13\x63\xc0\xf8\x4f\x62\x20\x81\x84\xb0\xbc\xfe\xe7\x7e\xdf\x77\x6f\xdd\x5b\x5d\x2d\x69\x56\xbb\x6b\xfe\xe7\x8c\x0f\x9c\x1d\x55\x57\xdd\xf7\xfd\xee\x77\xbf\xc7\xef\xc7\x57\x90\x77\x4a\xcd\x47\x1c\x46\xe5\xbd\x40\xa5\xa2\x49\x6f\x80\x59\xbd\xe1\x7a\x2c\xa2\x6c\xe8\xe7\x28\x22\x3a\x73\x48\x61\x8f\xa2\x64\x0b\xc1\x4b\x69\x31\x80\xf5\x01\x02\x68\x10\x6e\x25\x04\xa6\x27\x58\x70\x6e\x2b\x66\xec\x36\xd8\x05\x00\xf6\x92\x21\xbf\x98\x31\x06\x50\xab\x11\x3a\x4f\x78\x54\x23\x69\x24\x9e\xdd\xe3\xdf\x11\xca\x1f\xdc\xc7\x6e\xeb\x8a\xb8\x2f\x0c\x61\xaf\xff\x2f\xf7\x05\xdf\xb5\xcf\x7d\xa6\x97\x4a\xa6\xe9\xda\xc8\x8c\xaa\xba\x42\x3c\x22\x90\x62\xa8\x7a\x46\x9f\x64\x4d\x7e\x01\x00\x87\xae\xb8\x45\x5d\x21\x14\x0d\x2b\x12\x10\x22\xdd\xe9\x16\x01\x49\xec\xfa\x61\x3b\x81\x74\x53\xd8\xfa\x08\xb9\x91\xa4\xf6\x41\x4a\x71\xb9\xbd\xb0\x75\x55\x37\x83\x18\xe1\x74\xd4\x9f\x5a\x56\x30\xdf\xbd\x1e\x30\xc7\xa1\x95\x85\xde\x25\x7b\xae\x0d\xae\xa9\xe3\xd7\x11\xd3\x05\x73\xd2\x47\x40\x7f\x85\x2d\x88\xfa\xa0\x0a\xad\x51\x40\xb1\x33\xd0\x96\x54\x3d\x20\x4d\x0e\xaa\x4e\x1f\x43\x1d\xa1\xcd\xc2\xf9\x1a\xac\xa8\x98\x61\x0c\x6d\x07\xf4\x02\x50\x97\xd4\x44\xc2\x06\x48\x72\xde\xe9\xc7\xe8\xbd\x03\xee\x8a\x56\x1e\x0d\x9a\x9c\x9f\x4f\xb6\x24\x18\xf6\x74\xd8\x5f\x26\x87\x06\xfe\xc5\xaa\x4f\x57\x94\x20\xc1\xe2\x40\x17\x95\x15\xc9\x30\x3c\x89\xda\xfc\x4a\x11\xa8\x3e\x45\xce\x83\x2b\x7c\x6e\x69\xf1\xd9\x5d\x9a\x2f\x2c\xc6\xae\x31\x48\xfa\x69\x23\xd9\x8a\x1b\xbd\xa4\xdd\xd0\x83\xe8\x64\x0a\xfe\xcb\x31\x76\xd8\xda\x80\xfe\x77\x1a\x71\xf4\x75\x25\x71\xa4\xd9\x6c\x86\xc5\x52\x95\x00\x82\x10\x53\xc4\x5d\x42\x2e\x7b\xa5\xe0\xe2\xe9\x26\x5a\xb9\x3a\x1c\x4a\xdf\x5b\x51\xc1\x10\xee\x3b\xa0\xfb\xb2\xd6\x0a\x8b\xe3\x05\x26\x96\xbe\x86\xe3\x70\xa2\xf2\x48\x6e\xe2\x05\xac\x59\x08\xcd\x49\x7e\x0f\x1f\x3a\xc0\x26\x31\x40\xb5\x48\x95\x56\x83\xcd\x23\xd9\xc9\x09\x39\x45\x89\x24\x53\x77\x57\x5c\xb3\xe5\xd5\x73\x28\x64\xde\x51\x63\x07\xf5\x0c\xfa\xdf\xfe\x4c\x90\x8a\x7f\xc2\x9b\xa3\x4d\x83\xf1\xa1\xc9\xa6\x4c\xf5\x5c\x16\x99\x42\x16\xeb\x29\x68\x5e\x80\x47\x78\x29\x49\xbb\x4a\xd7\x76\x44\x08\x44\x0b\x59\x0a\xb7\xda\xe1\x83\xa4\x7f\xc3\x63\xb4\x1b\xca\xa5\xa9\x17\xc2\x7f\xcd\x9a\xce\xd8\x5b\xf7\xb1\x03\x59\x3f\x53\x22\xca\xff\xc6\x7d\xc1\x5f\x8e\xaf\xe0\x1f\x96\x2e\x6c\xe7\xd3\x96\x4e\x7d\x37\x2d\x0a\xb5\xc3\x54\xc9\x0a\x50\x13\x84\xd1\xc8\xec\x6d\x9e\xe9\x0a\x6c\x08\xab\x38\xc1\xaf\xed\xcc\x23\x72\x1e\xb8\x55\xba\x05\x53\x59\xe6\x4e\x86\xa0\x53\xea\xb6\x07\x8b\x13\xd4\x96\x48\xac\xf3\xf5\x44\x92\x6b\x08\x65\x39\xd5\x3b\x59\xaf\xea\x14\x61\x77\x23\x81\x78\x14\x41\x34\xdf\x26\xf5\x6e\x98\x53\x2b\xcc\x40\x57\xe1\x0f\x64\x86\x9c\x47\x6d\xf5\x75\xd8\x15\x61\xca\xf5\xd2\x05\xcb\x72\x2a\x5a\x12\xd5\x10\x22\xf0\x51\xdf\x37\x39\x8d\x39\xde\xc1\xe1\x8a\x86\x36\xf4\x8c\x2c\xd1\x2b\xb9\x48\xf3\x55\x75\xd5\xc5\x25\x92\x18\x15\xac\xce\x65\xa7\x23\x5b\x88\x27\x85\x5f\x18\x3f\xda\x1c\x3c\x5e\x90\xa2\x1d\x85\xb1\xd4\x48\xe1\x4a\xa0\xa4\x3c\x4f\x92\xc2\xf9\xa1\x74\x78\xa5\x5a\x5a\xc8\x4e\x06\x8d\x02\xaa\xc7\xe6\x95\x95\x47\xba\xf1\x11\xb8\xc1\xdd\x16\x6c\x61\xee\x12\xea\x19\x5c\x35\x0b\x2f\x72\x61\x08\x23\xce\x91\xaf\x9f\xab\xb1\x7f\x20\xaa\xda\xef\xff\x52\x4d\xe3\xa0\xff\xdb\x5a\x49\xf1\xd3\xe0\xe7\x4a\x16\x52\x6f\xcb\xbc\x99\x99\x19\x49\xa3\xc7\x29\xe9\x4b\xa1\xed\x6a\x11\x84\x71\x3f\xe9\x67\xea\xd6\x8a\xd3\x4e\x10\x05\xd6\x86\xcd\x53\x64\xc3\xe7\x88\x0e\x08\x59\x65\xf9\xdd\x74\x41\x30\x74\x9f\x5a\x8d\x23\x41\x34\x6a\xdd\x4e\x88\xbc\x58\xb5\xa0\xfb\xa6\x49\x7f\x7d\x43\xcd\x09\xaa\xc4\xb0\x46\x43\x3d\x6f\xb0\x30\xec\x29\x5f\x03\xdf\x19\xa0\x7f\xe1\xbc\xa9\x51\xde\x2a\x19\x17\x52\x09\xb4\x88\x5c\xac\x8b\x30\x76\x6f\xc6\x29\xbb\x65\x4d\xb4\xae\x26\x9d\x0e\x04\x01\xf9\x6b\xfa\x1c\xbb\xe8\x0e\x6e\x71\xec\xa4\x12\x07\x80\x06\xa6\x2b\x30\x04\xd5\xe8\x3c\x1d\x30\xaa\xb8\x33\x7c\xd2\xa9\xf3\x3b\x9e\xc7\xbe\xf6\xe9\xe6\xad\x35\xe7\xfb\x59\x9e\x74\x75\xa0\xfa\x82\x91\xe5\xda\x76\xfd\x81\xdb\x83\x7b\x76\x78\xc7\x09\xdf\xd5\x4e\x4b\x25\x76\xe7\x97\x17\x8a\xb0\x80\xfd\xd0\x94\xf6\x75\xef\x00\x39\x27\x1d\x43\xdd\x27\x6f\x63\xef\x1b\x63\xff\xb0\xc0\x9e\x58\x4a\xc1\x51\x35\x9f\x44\xfd\x6e\x9c\xf9\x6f\x1d\x0b\xde\x5e\x1b\xf5\xab\x25\x5c\x2d\xf0\x8a\x16\xfd\x88\xbe\x33\xbc\x78\xad\xc2\x0d\x2e\xe9\xe7\xbd\x3e\xc4\x0b\x54\x21\xe8\x98\xa3\xc0\xa4\x63\x4d\x81\xf3\x4c\x0d\xa7\x76\x38\xe3\x11\xf1\x42\x04\xc6\x52\xbf\x19\x7f\x7d\x43\x64\x0d\xc8\x38\xc1\xbb\x97\x41\xd0\x00\xc2\x78\xd3\x26\x25\x97\xad\xac\x34\xc3\x21\x8a\xbf\xf3\x76\x98\xf5\x22\x61\xf4\x4e\xb1\x6e\x7c\xd4\x2d\x98\x0a\x2b\xcc\x35\xd3\xa9\x6a\x85\xc7\x2a\x64\xeb\x4c\x8e\x3a\x97\xf7\xb4\x3c\x70\xbc\x8b\x05\xc0\x3e\xe5\x31\x56\xd0\xc6\xf9\xff\xc9\x0b\x7e\xc6\xb3\x68\xe4\x4a\x28\x3d\x56\xd4\x48\x55\x5f\x88\xc0\xbb\xf8\x9e\xee\x0b\xce\xc9\xa6\x5e\xb2\xe2\x0d\xdc\x82\x0b\xa0\xb2\x2d\x91\x82\x1e\x47\xce\x4a\xba\x73\x1b\x6f\x2d\xd2\xb0\xef\x28\x36\xff\x75\x8d\xf9\xba\x39\x61\x12\xbf\x1c\x0b\xf5\xbf\xa7\x16\xbc\xb1\x36\xfc\x1c\x54\x97\x34\x6c\x9b\x8b\x33\x42\x71\xe9\xa6\x98\x75\x98\x27\xd0\x0b\x72\x36\x37\xf9\x45\x31\x70\xc8\x84\x41\xdc\x5c\x29\x86\xe1\x0a\x86\x60\xf7\xa5\x0b\xf1\xa5\xcb\x1d\x31\xc8\xc3\x84\x7e\x86\xc8\x1b\xd6\x8c\x61\x5e\x94\x5b\x80\x10\x07\xbb\xd3\x9e\x22\x34\x9e\x24\x29\x66\x76\x29\xed\x24\x47\x8e\x3b\x74\x37\x27\xb1\xe4\xf2\x5a\x98\x01\x5f\x5a\x61\x58\xf8\xb0\x47\x81\x16\x3f\xe9\x05\xef\xf6\xec\x50\x0b\x5d\x34\xc6\x1a\x81\xdd\xf5\xb3\x5f\xf7\xbd\x9b\x33\x9f\xfd\xba\x77\xd4\xe1\x5f\x47\xe1\x6e\x02\x7f\xca\xbc\x45\xd1\xf3\xee\x1a\xa1\x9d\x83\x6d\x05\xe0\x1c\xb7\xd3\x22\xe7\x57\xd4\x1e\xcd\xa6\xee\x01\xef\xe9\xbd\x53\xf7\xd0\x4f\xf7\x4e\x35\x9b\xcd\x2b\xaa\xe1\x57\xf0\xf3\x62\x54\xed\xe6\xff\x8e\xc7\xf6\x63\x90\x90\xff\x6b\x1e\x7b\xec\x59\xd9\x45\x0f\x1a\x4a\xd8\xa0\x47\xe1\x4d\x25\x17\x1d\x3e\x84\x74\xd7\x0e\xa2\xa6\xd3\x07\x75\xde\x4b\xfb\x6a\xd6\xd1\xf6\x41\x4b\x01\xd6\x5e\x67\x37\x7b\xac\xc9\x36\x18\x09\x62\xff\x95\xc1\x12\x0d\x24\x04\x11\x81\x62\x07\xca\x47\x18\xaf\x4f\x21\xa4\xb0\x39\x88\x8c\x54\x57\x3a\x1f\xda\xd6\xf5\x82\x09\x05\x46\x18\xcd\x2d\x2d\x66\xce\xe6\x79\x8f\xc7\xb4\xa8\xf7\xbf\xcf\x0b\xbe\xcd\xd3\x41\x29\x23\x16\xac\xcb\x22\x8d\xbb\xa0\x87\xa9\xeb\x00\x1a\x5b\x5e\x09\x79\x62\x32\xbd\xd5\x52\x49\x0b\x65\x41\x5a\x99\xa3\xba\x74\xd4\x95\xf1\xfd\x17\xd3\xb4\x5b\x8d\xfd\xa4\xc7\x6e\xc9\xfa\x6b\xa6\x74\xff\xdf\x7b\x4c\x3c\x2b\xb3\xbf\x62\xd5\x12\x7c\xad\x5d\xa7\x36\x37\xa0\xe5\xc4\xf9\xa5\x6a\x6a\x35\x22\x5e\x59\x8c\x6e\x88\x4d\xd9\x64\x1f\x3c\xc8\xce\x51\x8b\x31\xd3\x74\x7d\x3d\x95\xeb\x22\x4f\xdc\x96\x96\x92\x94\x31\xea\x74\x6e\x49\x03\x2a\x42\x04\xf2\x1f\x1f\x08\xa6\xdc\x47\x6e\x4e\x58\xf1\xdb\xf6\x3c\x8c\xef\xdf\xcf\x5e\xa5\x83\x67\x85\x7d\x60\xad\xb2\x65\xb6\x54\x39\xd8\x7b\x68\xfa\xcd\x68\xb9\x3d\x44\xcb\x2d\x5a\xe1\xb2\x2f\xde\x53\xb8\xec\xcd\xa8\xcf\x3d\xd3\x1f\x26\x3b\xc7\x0b\x5d\xf0\x5f\xd2\x28\x62\x84\xac\x9d\x5a\x15\x39\xcc\x75\x64\x51\x79\x13\x51\x14\x32\xfb\xf6\x03\x6c\xca\x4d\xb5\x4d\xb2\x96\x88\x20\x30\x1d\x0f\xe9\xa6\xba\xbd\x5f\x54\x37\x97\x16\x51\xc0\x7c\x6a\x7f\x70\xdd\x2b\x3f\x2d\x21\xb0\x68\x86\x58\xc3\x82\x25\x78\x17\xde\xd6\xe7\x9f\xda\x84\xe0\x29\x42\x68\x7b\xe7\x23\xd5\x02\xc9\x91\x16\x9c\x4f\x38\x39\xcd\x10\xf9\x80\x49\x82\x59\x03\x90\x0e\xb3\x4c\xb6\x1b\x3d\x99\x36\xf0\xe2\x3a\xd9\xbc\xee\x31\xac\xea\x12\x5c\x46\x5e\x40\xa5\xce\x6d\x4a\x75\x20\x3c\xa8\x1a\xe4\xc8\xaa\x6f\xd9\xc7\x3e\xe6\xb1\xaa\xd7\xfc\x1f\xbf\x11\xb6\xa0\xa6\x39\x79\x5f\xd6\x17\x71\x1e\xe6\x83\x20\xae\x28\xd4\xa4\x2c\x96\x47\x08\xd4\x7f\x7c\x51\xff\x49\x43\x26\x5a\x69\x82\x18\x6c\xea\x56\x2e\x37\x05\xa0\xaf\xb7\x33\x3e\x01\xe9\xfa\xaf\xa6\xea\x26\xd9\x4b\x99\xd5\x75\xff\xc5\xc1\x74\xf1\x57\x55\x14\x2c\x15\x1f\xc6\x1c\xc4\x54\x98\xc4\xb6\x60\xf8\xdf\xb6\xfd\xef\xf3\xcf\x84\xfd\xef\x9d\x35\x5d\x5e\x11\xbc\xaa\xaa\x6a\x68\x34\x10\x40\x8a\xc0\x4c\x5d\x1d\x78\x6f\x65\x21\xa3\xe9\xd0\x14\xa1\xfd\x5d\x68\xed\xa5\xbe\x98\x5b\x04\x2d\x29\x6b\x99\x12\x45\x04\x86\x1a\x10\x3b\x87\x40\x13\x8e\xc5\xbd\x62\xa8\x07\x48\x82\x60\xb9\x06\x71\xa4\xa3\xa1\x52\x0d\xb8\xa2\x79\xa1\x95\xf4\x0a\xc7\x07\xf9\x3b\x5e\xa5\xd4\x94\xa2\x18\x98\x88\x32\xc4\xc9\xba\x40\x90\x5c\x2c\xa7\xc9\xfe\xb4\xe6\x6c\xc9\x4e\x94\x6c\x91\x89\xcd\x1c\x7d\xe7\xa2\x64\x0b\x21\x63\x68\x4b\x7e\xb8\x16\xdc\x5b\x7e\x58\x4e\x84\xb6\x49\x9b\x69\x4b\x16\x9f\xb8\x59\x93\x5f\xf0\xd8\x1f\xb9\xf4\xd2\xbf\xed\x05\x77\x5f\x29\xfe\xbe\xe2\xaa\x05\x43\xc5\x83\x5f\xcc\x29\xbd\x50\x01\x16\xd8\x99\xd1\x6b\x69\x87\xee\x9a\x48\xb7\xa7\xbc\x23\xec\xcb\x86\x81\x99\xbb\xa2\xd7\xb8\x2a\x07\x99\x7f\xc8\x3f\xd0\x00\x18\x28\xb6\x03\x97\x76\x57\xf4\x18\xfb\xe0\x38\x7b\xd1\x28\x29\x38\xd3\x5c\x51\xe2\x88\x06\xfa\xdb\xc6\x83\x39\xeb\xef\xed\xc6\xb8\xaf\xb9\x15\x41\x9a\x59\x3a\x5e\xf3\xba\x77\x30\x95\xbd\x28\x6c\x09\x57\x6b\xfa\x37\x63\xec\x21\x66\x7e\xf2\x2f\x69\x83\xd2\xe9\x21\x07\x06\xf9\x8c\x11\xaa\x44\x68\x66\x44\xbc\x50\x88\x48\xea\xec\x40\xd7\x60\xf5\x6b\xf6\x86\xfe\x85\x5a\xf0\x53\xb5\x1b\x31\xc6\xeb\x66\x69\x8b\xbc\x36\x81\x02\xe9\x21\x41\x13\x94\x76\xe8\x5a\xdf\xec\x43\xd2\xc4\x88\xe6\x29\x4f\xb8\xd8\x4c\x42\xd5\xfc\x3c\x4d\xd4\x56\xc2\x98\x85\x41\x71\x53\x5e\x2d\x3e\xd2\x1b\x46\x17\x25\xba\x86\x16\x8b\xea\x85\x1e\x34\x60\xef\xf2\x6c\x10\xe7\xe2\x9a\x75\x7e\x53\x0c\xa2\xdb\xb6\x0c\x4f\xf5\x6a\x6b\x50\x3f\x93\x69\x63\xbd\x1f\xb6\x25\x19\xff\xcb\xb6\x7f\x5b\x4c\x7e\x74\x9c\x4d\x56\x45\x96\x95\x90\xb8\x68\xfd\xbc\x6d\x3c\x58\xa8\xfe\xa9\x7c\x2e\xd8\x4b\xa8\x67\xbe\xd0\x28\xd2\xce\xba\xf9\xb9\x31\xf6\xaa\x22\x42\xf3\xb1\x60\x99\x22\x34\x1b\xbb\x8f\xd0\xdc\xda\x40\x97\x41\x01\x2b\xac\xc3\xa4\x61\x3f\x3b\x17\xe7\x0f\x79\x6c\x5f\x6f\x43\x64\xd2\x7f\x9f\x17\xbc\xd3\x5b\x52\xff\xb4\x8e\xff\xb0\x63\xc0\xae\x41\x4a\xe8\x20\x95\x3a\x82\x8d\x21\x34\x0f\xe0\xa1\xd5\x31\xb2\x1c\x40\x6a\x88\xd1\x07\x9e\xdf\xb0\x03\x87\x2e\x7b\x53\xc5\x38\x69\xe0\xeb\x17\x42\x43\xed\xd6\xbf\xc5\x33\x11\xa7\xdf\xe8\x05\xaf\x59\xc6\x70\x53\x84\xa1\x4f\x43\xd9\xb1\x88\xce\x34\xc8\x4a\x09\x38\x24\x46\x9c\x40\x8d\x55\x1f\x66\x10\x5b\x90\xe3\xd9\x80\x67\xa1\xc3\x31\x95\x87\xed\x81\xb6\xf3\x19\x04\x87\x0b\x8b\xce\x98\xfe\xec\x98\x83\x70\x9b\xae\x89\x56\x71\xd1\xa1\x4b\x51\x98\xc4\x00\x77\xf2\x96\xb1\xe0\xc1\xd2\xb3\x72\x10\x65\x82\xe8\x4c\x92\xcf\x23\x02\xcc\x72\x12\xe1\x35\x5a\x5f\xb0\xc0\xba\x8e\x27\x9c\xf5\x8a\xb3\xaa\x7e\xac\xc6\x7e\xb4\xc6\xbe\xa4\x55\xfc\xac\x0f\xf2\xcc\xff\xf6\x5a\xf0\x61\x6f\xbe\xe2\x17\xc2\x5d\xb1\xf8\xf6\xcd\x2f\xd5\x00\x5f\x1d\x75\x59\x73\x5a\xa9\x86\x8c\xdc\x62\x20\x77\xfa\x91\x44\xa3\xaa\x1a\x78\xc3\xe2\xa7\x4b\xed\x22\xc8\x48\x6e\x18\x02\x8a\xa2\x8e\x64\x16\x7c\x72\x66\x6a\x86\xd0\x9c\x5d\x1f\x48\xbb\x55\x6e\xd8\xfb\x0e\x8d\x9e\x41\xab\x51\x70\xcd\x7e\xfd\xa1\xe0\x87\xbc\xd2\xc3\xaa\x44\x5f\x7b\x5c\x9a\x7c\xc1\xb6\xb6\xf2\xcd\x99\xe6\xcc\x29\xf5\x8f\x8e\xd8\x4c\xd0\xbd\xa0\xaa\x74\xc1\x72\xe8\xb6\xb2\x39\xe3\x14\x85\x17\x20\x22\xee\xc1\x94\x97\x14\x2d\x92\x74\xa6\xa8\xc2\x8f\x1e\xad\xbe\xda\xff\xda\xcd\xc4\xe2\x3d\x67\xf7\x45\xda\x36\xd2\x0a\xbe\xaa\x82\xa0\xda\x9e\x2b\x7b\xa1\x9e\x60\xc7\xd8\xcc\x48\xcd\x69\xd4\x8a\xbb\x69\x1d\xd9\x83\x75\xa4\x63\x59\x47\x1e\xda\x5b\x32\xf1\x97\x6f\x03\xdd\xf0\x94\x97\xed\x7c\xf3\x5f\xf2\x2f\x99\x4c\xa1\x91\x7b\xdd\x24\x10\x95\xc4\x4b\x65\x5e\xf1\x77\xdf\xc2\xbe\xa2\x2a\xe3\x44\xc8\x6e\x12\xaf\xc8\xdc\xff\x8b\xc3\xc1\x29\xf3\xd7\x90\xb2\x0b\x28\x44\x16\x6f\xb6\xe0\x6d\x78\x57\x5d\xc0\x5c\x0d\xe5\x37\xd9\xcd\x55\x78\x13\x45\xc4\x45\x11\xf9\x35\x8d\x22\xf2\x8b\x1e\x6b\x8e\xc6\xd8\x2c\xaf\x49\xc8\xd3\xf8\x2e\x6f\xd5\x8a\x57\x5d\x93\x1b\x62\x33\x4c\x52\x73\xb8\x58\xcb\xf0\x39\xc6\x12\x61\xff\xaa\x66\x12\x91\xde\x59\xdb\x26\x03\x65\xb8\x5f\xf0\x51\xf0\xc7\xde\x6a\xe5\x25\x60\xa8\x5f\xab\xf8\x20\x17\x3a\x04\x43\xa9\xf1\x49\x87\x03\x5a\xea\xda\x00\xc1\x28\xb7\xc2\xb8\x9d\x6c\xc1\xf7\x10\x0d\xb7\x94\xf4\xfa\x91\x1d\x22\xa4\xe1\xab\x96\xa5\x68\x37\x92\x38\x1a\x3c\xe7\x03\x76\x53\x99\xd8\xab\xd1\x78\x65\xe7\xa3\x63\xda\x6f\x36\x0a\x53\x70\x2f\x33\xa7\x84\x59\x7e\xe5\x3c\xd3\xb7\xb9\xd0\x5d\xc3\xc9\x88\xfe\x9f\x1d\x0c\xbe\xa6\xf8\x93\x82\x99\x32\xde\x96\xad\x48\xa4\x18\x3a\x64\x87\xa6\x63\x10\x58\xdc\xe6\xcb\x68\x48\x58\x91\xda\x9d\xac\x0f\x89\x4f\x1c\x60\x89\xd9\x3c\x72\x1b\x4d\x67\xb8\x31\xb4\x79\xa6\x2f\x26\x19\xcc\xac\x8c\xc1\x29\xa8\xad\x24\x99\x93\x0f\x58\x7c\xd6\xbc\xb9\xfa\x6e\x02\x55\xfc\x7d\x51\x2e\xf7\x78\xa8\xff\xa3\xd2\x99\x5e\x9c\xe8\x2c\xa3\x83\xf6\xea\x36\x68\x5d\x15\x7b\x4a\x1d\xb4\x77\xad\x94\x59\xd2\xf3\x91\x07\xaf\xb3\xb3\x9e\xf2\x56\x77\x16\x4b\x33\xfe\xd4\x08\xb1\x64\x0a\x2a\xcb\xa5\x2f\x3c\xcc\xbe\xac\x3a\x91\x13\x12\x4b\x3f\xf9\x70\x10\xd0\xbf\x71\x1d\xa2\x61\xa4\x57\xa8\xa8\xbd\xa4\xdd\xbc\xee\x31\x83\xe3\xe8\xde\x6e\xbf\xf5\x61\xf6\x77\xe3\xec\x05\x86\x46\x6d\xde\xbc\xe6\xff\xe1\x78\xf0\x4b\x63\x17\xe8\x8a\x56\xd0\x57\x17\x05\x11\xb6\x23\x2e\x52\xe0\x95\x3b\x5b\xf5\x16\x1d\xd7\xf4\xb2\x88\x31\xb4\x06\x40\x81\x13\x30\x89\xf4\x64\x0a\x8e\x10\x30\x43\x22\xc9\x2f\xc4\xf5\xb4\x4c\xc6\xda\x06\x17\x4a\xd0\xae\xf5\xd7\xd7\x89\xda\x4b\x53\x88\xb7\xcc\x4a\x2f\xf2\xa8\x20\xbc\xc2\x90\xca\xc2\x08\xd4\x2d\x1a\x54\x7a\xbf\x9b\xb4\xf1\xf5\x35\xe2\x01\xd6\x7b\x55\x93\xee\xc1\x9e\x01\xac\x07\x30\x24\xb5\xdb\x2e\x8d\xb7\xe9\x21\x26\x20\x3b\xbd\xaa\x17\x88\xc6\x49\xfb\x48\x56\x7c\x65\x0d\x8b\x6d\x20\x7f\xe6\x92\x1c\xcf\x0e\x4f\x64\x25\xdb\xce\x29\x76\x62\x17\x50\xaf\xc3\xa5\x3d\xe5\x1d\x61\x5f\xe1\x2c\x73\x40\xbd\x6d\x74\x65\xba\x2e\x1b\x57\xe5\xc0\x3f\xe0\xef\x8b\x45\x57\x32\xf5\xe6\x97\x57\xbc\x09\x2e\x59\xb9\x3e\xf0\x0f\xfa\xfb\xe1\x2b\xc6\xde\xe0\xb1\x83\x1b\x49\x96\x43\x70\xd5\xe3\x41\xd7\x8d\x27\xd5\xbf\x18\x0e\x93\xa4\x8d\x21\x87\xb9\x1d\x67\x58\x0c\xb6\x79\xdf\x30\xa1\x61\x90\x9d\x20\xe5\xaf\xa1\xa3\x4b\x30\x6d\xca\x16\x50\xdf\x74\x90\xdd\xa6\xc6\xc3\xda\x05\xff\xe7\x40\xf0\xfb\xfb\xf5\x2e\x20\x06\x6a\xba\x81\xda\x8b\x7c\x4d\x46\x09\xf2\x99\x15\xf9\x3a\x6a\x01\x85\xb9\xfd\x96\x48\xa5\x86\x6a\x05\xb3\x13\xae\xae\x5e\x1a\x22\x8b\xac\x53\x1e\x04\x22\xe5\x22\xd5\x89\xb6\x22\x1e\x40\xfd\xd6\xc2\xeb\x88\x30\xca\x4c\xd7\x4b\x09\x8d\x3a\x53\x0c\x83\x6c\xf5\x3a\xc2\x60\xf2\xb6\xcb\xba\x85\xe7\x07\x54\xa6\x29\x3b\x56\xb5\xeb\x14\x38\xc3\xe2\x72\xcd\x10\xba\x9f\x76\x9d\x6d\xa0\x43\x94\x28\x5b\x48\x74\x13\xb5\xfb\x22\x5b\x16\x0c\x8f\x88\x0e\xfa\x86\xa6\x1a\xca\x50\xbd\xf7\xeb\xa0\xa7\x2b\x8d\x24\x03\x1c\x20\x99\xd5\xf9\x85\x70\x53\x3a\x0f\x92\x14\xa3\xde\xfb\x3d\x7a\x84\xad\xd7\x9b\x8b\x78\x15\xbb\x9a\xdc\x7b\xb8\x33\x90\xad\x2b\x80\x21\x36\x56\xeb\x84\x78\x7f\xdb\x7d\x38\xd1\x2d\xce\xeb\x35\xc8\x09\x6c\x6b\x41\xb1\x11\xae\x6f\x48\xd0\xbf\xe0\xe8\x9d\x82\xbc\xba\x22\x25\xb4\x38\xee\x07\x3d\x69\x90\xc6\x62\x82\xab\xa1\x84\x1f\x70\x6e\x51\xca\x1d\x79\xc6\x89\x8e\xac\xdf\x35\x61\x8c\xa5\x91\xce\x9a\x08\xc3\x48\xb8\xd9\xbd\x5e\x44\xb4\x80\x61\x69\x70\x01\x28\x36\x0b\xbb\x61\x24\xd4\x62\xc9\x36\x00\xfe\xa4\x3c\x05\x24\x12\xe9\x0a\x16\x59\x9c\x97\xe0\xad\xe8\x26\x9b\x6a\x05\x56\xa8\x14\x4f\x3b\x33\xa7\x97\xb4\xb3\x29\xd5\xd8\x46\xd1\x8c\x29\x5b\x3a\x35\x59\x9d\xdd\xb9\x1b\x20\xea\x67\x51\x28\xfd\xd5\x18\x7b\x7e\x26\xf3\xf3\x24\x4d\xe6\xb2\x73\x2f\x5b\xb8\xe4\xff\xc1\x58\xf0\xeb\x63\x8b\x1d\x88\xae\xdc\x4e\xe6\x68\x5b\x11\xfa\xdc\x8b\x17\x55\x21\x75\x9e\x0a\x4a\x93\x11\x68\xc4\x8f\xa4\xe8\xe0\x76\x9b\xb0\xc2\x6b\x27\xe1\x04\xba\x10\xc6\xfd\x6b\xd6\x7c\x51\x90\x3f\xa6\x77\xda\x49\x1c\xaa\x68\xed\x6e\x31\xed\x71\xb2\x40\xae\xaa\x4e\x47\x58\x47\x9c\xb4\xa5\xfb\x06\xc2\x2f\xf3\x7e\x9e\xa9\xe7\x58\xf9\xcb\xe1\x3e\x9d\xed\xa6\xfa\x54\x53\x5a\x9a\x00\x8f\xa2\x11\xb4\xa6\xcd\x2b\x57\xe5\x80\x9f\x7f\xe9\xd9\x57\x3c\x76\xe1\xf2\xfc\xdc\x85\xc7\x2e\xce\xcd\x9f\x5f\xbc\x74\xf6\x91\x95\x57\xac\xac\x9e\xbd\xf8\xc8\x3c\xae\x44\xa2\x2a\x5d\x91\xf9\x23\x14\xf5\x93\x3d\xb2\xda\xea\x85\xbd\x47\x2c\x6e\xa6\x3c\x81\x7e\x53\xce\x84\x92\x82\xed\x44\x66\x85\x48\xc1\xf1\x86\x26\x6f\x08\x20\xb6\xc3\x94\x08\x13\x1f\x3d\x22\x3c\xfa\xff\xd4\xd8\xa1\x76\x9c\x11\x53\xd2\xe7\x6b\xc1\x6f\xd5\x56\x64\x0e\x7c\x15\x3d\xa2\x75\xd4\x04\x50\x49\x29\x83\x21\x20\x4b\xe4\xb9\x30\xcd\xf2\xa0\xc9\x21\x26\x56\xb3\x50\xaa\x1d\x7b\xc4\x7e\xe1\xe5\x61\xbe\xa1\xd6\xd8\x25\x99\x1f\xa9\xbb\x3f\xa9\xbf\xa9\xe0\x23\x6a\x2f\x1e\xb9\x94\xc4\xf2\x48\x13\x1b\x51\x0c\x01\xc6\x83\x84\xb1\x7a\x4e\x5c\x37\x7a\x15\xc2\x52\xb6\x72\x26\xa9\xe9\xe8\x4d\xd2\x3f\x2c\x5c\x5a\x31\x52\x9f\xce\x0c\x55\x03\x01\xd8\xc3\xe9\x29\xd4\xe1\x86\x6f\x6f\x60\x5b\xd5\x66\x46\xfc\x6d\xf8\x20\x4f\x4c\x84\xa7\x35\x44\x16\x24\x77\x9e\x8c\xee\xb6\x73\x04\xff\xb6\xc7\x7c\xd4\x67\x4c\xa8\x57\x7c\x35\xf3\xff\x83\x17\x7c\xc0\x3b\x3b\xf4\xdc\x72\xc3\xea\xdc\xb3\x61\x96\x61\x62\x3b\xb1\x69\xa1\xc2\xf8\x55\x38\x02\x20\xf1\x49\x49\x8b\x37\xc3\x34\x89\xbb\x18\xa4\x94\x86\x70\xbd\xaf\x17\xc8\x68\x68\x3e\x8a\x73\x14\xda\x0b\x49\xeb\xaa\x4c\x79\xa4\x5a\xd1\xe4\x97\x09\xd2\x7e\xd6\x59\x09\xc3\xb1\xb8\x6f\xf1\xd8\x6d\x2e\xc5\xba\xff\x75\x5e\x90\x15\x9e\x2e\x97\xed\x5b\xab\xf4\xea\x57\x52\x8a\xa3\x50\xa0\x7d\xc1\x7d\x13\x28\x32\x2d\x8f\xd9\x2c\x7f\x20\x33\x24\x3b\xd6\x3b\x86\xeb\xc5\x1e\xf3\xbf\x19\x67\xff\x58\x67\x28\x85\x49\x7c\x7f\x2a\x5a\x72\x09\xb8\xcb\x75\x2a\xd5\x6f\x8f\xeb\x54\xaa\x8f\x8d\xeb\xbe\x56\x66\x51\x69\x5d\x04\x09\xf5\x9d\xcc\xa7\x22\xa5\x0d\xf3\x02\x00\x02\x44\xa9\xe9\x19\x2a\x43\x94\x47\xa7\x91\xd7\xf8\x83\x4e\x96\x14\x90\x8a\x82\x07\xd8\xce\x94\x5a\x35\x14\xb9\x88\xd3\x6e\x56\x43\x96\x27\x3d\x07\x59\x44\xb3\x77\x5f\x45\xf6\xbb\x75\xd5\x81\x89\x38\xe1\x09\xc0\xa4\xc1\x6d\x17\x56\xf1\x46\x3f\xe7\xed\x64\x2b\xb6\xa0\x5e\x0c\x9e\x43\x1c\x46\x75\x27\xff\x01\xba\x44\x34\xef\xae\xa7\xd7\xa1\xd4\x71\x5e\x0b\x47\xa7\xa0\x15\x68\x31\x3a\xd2\x2f\x2b\x73\xf9\xa8\xb1\xc5\x3c\x81\x38\xe7\x82\x5b\xb3\xa6\x3b\xa5\x13\xfa\x01\xef\xc6\xa4\x77\x15\x05\xaa\xaf\x3b\x49\xda\x0a\xd7\x20\xb7\x30\x32\x72\x40\xd8\x63\xd3\xe4\x2b\x90\x51\x68\xba\x4f\x5e\x53\x73\x64\xc9\x6b\x3d\xdc\x41\x2d\xb5\xb0\xfb\x3d\xac\x8f\x32\x52\x53\x5d\x9f\x2b\x19\x8f\x4d\xeb\xae\xba\x81\x3a\x6f\x1d\x63\xcf\x07\x25\x38\xcc\x07\x00\x0c\x0b\xe1\x7c\x7f\x5b\x0b\xfe\xb4\xb6\xd8\xb1\x95\x7c\x37\xe6\x12\xb7\xad\xfe\xb0\xc9\x03\xd2\xef\xd5\xd1\xd6\x68\xa5\x21\xc0\xd5\x04\x30\x20\xfa\x27\x72\xee\xdb\xbf\x2a\xe5\x6f\x8b\xc4\x97\x88\xd4\xd1\xb4\x95\xa4\x6d\xed\xbe\xd7\x35\x3a\x0a\x1f\x55\x19\x6a\xfa\x68\x48\x1e\x4d\xd2\x2e\x78\x95\xcb\xda\x61\xd1\xbe\xb9\x78\x40\xa9\xf2\x70\x2a\xea\x95\x6d\xd1\xd2\x5b\x97\xd6\x25\x7b\x3c\xb4\x89\x83\x6a\x13\x39\x94\xd0\x1c\x7d\x0d\x32\xb5\x9a\x55\xa9\x97\x6c\x92\xd2\x56\x01\x95\xc0\xd0\xbd\xd2\xcf\x8e\x58\xf8\x9f\x63\xec\x79\x69\x3f\x56\x13\x5b\xcc\xca\xa7\xc6\x82\x4f\x8e\x2d\x97\x9e\x22\x09\x15\x06\x5c\x70\xfb\x47\xdd\x70\x5a\xbd\x6a\x66\xc8\xc8\x84\x66\x10\x0d\xf2\x59\x4a\x90\xb0\x59\x96\xe0\x7c\xa5\x1c\x33\xa7\x68\xa3\x5f\x13\xc6\xa5\x09\xf7\x6c\x23\x37\x61\x31\x18\xe4\xf9\xcf\xc9\x0c\xa1\xa9\xd3\x24\x8c\x06\x50\xe3\xe2\xbb\x41\x24\xd7\x45\x6b\x10\xb8\xf5\xd8\xfb\x5a\xb7\x17\x53\x61\xc3\x2e\x9e\x6f\xc4\x85\x88\xbb\x48\x93\xed\x16\xca\xab\xa6\xa2\x2a\x25\x4f\xd1\xd0\xd2\x95\x2c\xdd\xc9\x28\x27\xe3\x0d\x11\xb7\xf0\x1e\x33\x75\x55\xf6\x32\xb0\xc4\xa9\x11\x9d\xa2\x92\x1a\x48\x2a\xd9\x6d\x17\xe9\xba\x7c\x4d\xe6\xc2\xa4\xe2\x0a\xb8\x00\x59\x94\xee\x9b\x33\xcd\x99\xe3\xce\x9c\xaf\xb3\x83\xa2\x03\x0d\x1f\xf8\x0f\xb3\xc9\x1d\x75\xf0\x39\x7a\x39\x68\xba\x3b\xb5\xd8\x9f\xd6\xfd\x49\xdd\x4e\xf3\x54\x84\x71\x9e\xb1\x9f\xf3\xd8\x61\x4b\x97\xf0\xff\xb5\x17\xfc\xa0\x77\xde\x82\x4d\xc5\xbc\x32\x38\x0b\x28\x57\xa8\x58\x0e\x0f\x90\x75\x45\x15\x70\x24\xd3\x5f\x70\x43\x3a\x5d\xc8\x6e\xd4\x62\x0a\x9c\x2e\x68\x56\x9a\x67\x2e\xca\x19\x2c\xba\x61\xca\xb5\x1d\x74\xc4\x65\x76\x40\x35\x60\x69\x71\xc1\xbf\x3f\x38\x5d\x6a\x53\x2f\x6c\xdb\xed\x19\x52\x10\x46\x94\xf9\xcb\x35\x76\x50\xef\x5d\xff\xe7\x6b\x3a\x22\xf2\xc7\x6a\xab\x20\xc4\x69\x53\x13\xe0\xcb\x83\x22\x0d\x93\x7e\xa6\xb3\x8d\x5b\x49\xb7\x97\xc4\x70\xcf\xed\xbb\xa9\xd5\x3a\xee\x28\xb7\x0b\xd1\x7c\xa1\x89\x4e\x46\xd4\x22\x87\xcf\x69\x9e\x3f\x3e\x5f\xe4\xba\x17\xe4\xf4\x10\x53\xdc\x4b\xe5\xa6\xae\x2a\x25\x1b\x75\x71\x1d\xd0\x35\x13\x1e\x85\x29\xcf\xca\x9d\xef\x91\x6b\xce\x45\x34\x50\xc5\x2c\x95\x8f\x02\x22\xa6\x53\x02\x15\x8f\x47\xf2\x11\xe4\xee\x53\x23\x69\x9d\xc3\xe5\xd5\xec\x70\x9e\x44\x04\x07\x93\xf9\x6b\xc1\x1d\xa3\x56\xaa\xf5\x9a\x63\x2b\x9b\x62\x0d\xf6\x4f\x77\xc1\x4c\xad\xbf\x66\x1f\xaa\xe1\xda\x9e\x53\xca\x9a\xcc\xfc\xf7\xd6\x82\xb7\xc3\xda\xa6\x07\x24\x3e\x0c\x0f\x92\x8e\x83\x41\x06\x39\x75\x5e\x2d\x2e\x95\x56\xa8\xab\xb0\xba\x17\x4f\x24\xe6\x51\x12\xdd\x5a\xba\x5a\x04\x80\xe1\x10\xb2\xec\x60\x0f\x29\x35\xca\xda\x76\x10\x00\xdb\xbc\xf1\xab\xb7\xe9\xcc\x53\xde\x8b\x76\xb8\x7a\xef\xf3\xc7\xc2\xde\x8d\x5c\xbc\x69\x5b\x2d\x2e\xcd\x57\x6c\xab\xb0\xd7\x7a\x3a\xdb\xea\xbf\x8e\xb3\xe7\x85\x5d\xb1\x2e\x97\xfa\x51\x84\xcc\x4e\x99\xff\xf3\xe3\xc1\xbb\xc7\x16\x4b\x4f\x47\xcd\x8d\xc9\x98\xc6\xec\x3c\xfd\xb2\x15\xa2\x6b\x9a\xa5\x69\xe6\x00\x80\xa7\x1f\x45\x18\x17\x69\x36\x1c\xb4\x03\x73\x9b\xd1\x2b\x1d\x66\x9c\x4c\xf8\x20\xb7\xdc\xb5\x09\x5a\x3c\x56\xa6\xd7\x02\xc5\xf2\xe7\xa8\xef\x6e\x86\xed\xbe\x88\xa0\x22\xb5\x4b\xbb\xbd\x08\xce\x08\x5c\xc7\xfa\x96\xda\xa5\x36\x39\x58\xcc\x75\x93\x87\x42\xa8\xd1\x6d\xb8\xd3\xd4\x71\xcd\xe0\x05\x87\x2e\x94\x40\x30\xac\xdb\xa1\x54\x26\x03\x21\x78\x83\x46\x20\xcb\xe0\x83\xe3\x60\x83\xe9\xc0\x13\xd5\x11\xaa\xa9\x91\xc4\x0d\xd1\xe8\x25\xed\x1b\xe7\x89\xbf\x90\xb4\x44\x84\xde\x22\xc3\x4a\xba\xfb\x35\xb8\x7b\x83\x12\xfb\xde\x1a\xbb\x45\x1d\xc2\x06\x98\xea\x8d\xb5\xe0\x0b\xde\x25\xeb\x89\x66\xc7\xa3\xbf\x88\x09\x92\x0e\x1b\xb0\x23\x59\xa6\x04\x14\xd5\x39\x70\x4a\xa2\xba\xc4\x57\x2a\xbe\xc4\x30\x75\x7c\xe3\x48\xa6\x71\x9d\x4a\xe5\xac\x49\x7d\xf8\xca\x36\xd7\x6a\x08\x96\x79\xe3\xb3\x56\x44\x3e\x4d\x89\x4c\xdd\x11\x00\xf1\x08\xd4\x8f\xed\x58\xac\xbf\xbe\x06\x30\xf3\x40\xc0\x98\xc4\x64\x4e\xf9\x13\x2f\xf8\x5d\x6f\xa9\xf4\x54\x5f\x8c\x96\x0a\xf3\x8a\xfe\x10\x9d\x2a\xa4\x60\x45\xc9\x96\xb6\x99\x83\x56\x7d\x19\x21\x6e\x2f\x21\xb4\x14\x95\x7a\x41\xbd\xb4\x64\xde\xb1\x2f\x21\x55\x6f\x28\xd9\x09\x0a\x61\xd9\x13\xa3\xd4\x27\x74\xc4\xd4\x01\xc8\xc4\xc4\x91\x5c\x4a\xe2\x25\xd3\x3a\x53\x0c\x29\x5a\x8d\xf5\x72\x08\xf9\x9f\xd7\xd8\x3f\xc8\x36\x44\x2a\x97\xf0\x5e\x64\xd8\xbb\xfc\xdf\xaa\x05\x9f\xa8\xad\x6c\x80\x25\x57\x43\x25\xd0\xe5\xc9\x92\x28\x6b\x32\xdf\x92\x12\x79\x46\x0b\x94\x5f\xc7\xce\x5b\x9c\xe3\xb9\xce\x54\x90\x8e\x9d\xd7\xc4\x03\x13\x04\xe7\x66\x28\xb7\x10\x0a\x0c\x2f\x8e\xc5\x15\x11\x11\x76\xe1\xa6\xe2\xd6\x62\x64\x9d\x71\xa9\xc1\xd5\x27\x4c\xe1\x9e\x83\x8d\x0e\x63\x34\x7f\x17\xf6\x75\x5b\xfd\xc6\xb5\x23\xdb\x7c\x69\x71\x81\xcf\x34\xf9\x79\x54\xa0\xa0\xac\x95\xaa\x01\x32\x1e\xbb\x24\xdf\x20\x67\xce\xee\xc5\xfe\xdf\x8e\xb1\x7f\x94\x27\xbd\x24\x4a\xd6\x07\x2b\xbd\x54\x8a\xf6\x7c\xa1\x82\xfa\x9f\x19\x0b\x7e\xc5\x5b\x1d\xf5\x73\x29\xc4\x9c\xb8\x40\x0c\x9a\x56\xd2\x5f\xdf\x40\x76\x40\xf8\x50\xe7\xac\xe9\xda\x78\x3b\xe9\x8a\x30\xce\x9a\x9c\x18\xc0\xf5\x38\xe8\x1d\x89\xa5\xc0\xcc\x6d\x89\x01\xed\x6d\xb1\x06\x10\x0b\xb4\xc6\x2c\x75\xb9\xc9\xe7\xa2\x88\x8f\xec\x0a\x88\xe4\xb9\x4b\x0b\x25\xb4\x8c\x17\xb3\xbb\xd9\xe9\x5d\x28\x2e\xd5\xa5\x3e\xe5\x9d\xd9\x36\xe5\xe8\x0e\x3f\x68\x98\x26\xbd\x54\x0e\x58\x03\xcc\x0d\x0f\xc4\x99\xc8\xc3\xac\x03\xf6\xb3\xdd\x64\x23\x3d\xe5\x35\x77\x10\xb6\xb7\xf9\xb7\xd8\xf5\xdc\x80\x2e\xf1\x36\x8f\x7d\x05\x60\xd7\x26\xfd\x38\x77\x2d\x66\xab\xc9\x55\x19\xfb\xfd\x60\x7d\x6e\x9b\xdf\x2b\xec\x8b\x05\xcd\xb2\x76\x14\xe5\xf0\x66\x71\x85\x75\xc1\x72\xa1\x68\x98\x18\x6b\x61\xfe\x82\x07\xe6\x65\xa2\x2c\xff\x29\x8f\x35\x76\x03\xdd\x6c\x0c\xbc\xc1\x1b\x3c\xd7\x47\x5a\x32\x09\x1b\xc7\x3f\xb7\x4c\xe5\x85\x83\x1c\xee\xfd\x25\x1b\x31\x69\x95\x84\x9c\x28\xdb\x50\xa4\x1b\xf1\xba\x06\x96\xba\x24\xb6\x2c\xc6\xec\x93\x1e\x3b\x94\xf5\xd7\x70\xb5\xfb\x3f\xe7\x05\xff\xc6\x1b\x56\xaf\x11\xc7\xea\xd5\x7d\x11\x61\xfd\x4b\x49\x7b\xd8\x63\x12\xdc\xa3\x1f\xdd\xdb\xbc\xc7\x14\x79\x6f\xf3\x1e\x30\x27\x6a\x71\x70\x6f\x33\xdb\x6c\x35\xef\xd1\x44\xbf\xf4\x52\xb0\x9d\x29\xc4\x88\x1f\x04\xce\xa4\x6f\xa0\x6e\x91\x13\x27\x6b\x21\xa9\x7f\xd7\x63\xb7\x3a\xbe\x50\xff\x97\xbd\xe0\x23\xde\x32\x3e\xb2\x8d\xff\xae\x6b\xd3\xa6\x1b\x87\x91\xa7\x73\x69\x2e\xda\x12\x83\xac\xce\x2f\xc7\x84\xab\x58\xc7\xa3\xca\xb9\x5c\xe2\x4b\x7b\xf5\xa8\xa9\x03\xd9\x20\x41\x4f\xbd\x90\x7a\xd1\xc0\x26\xdb\x7d\x7c\xa7\xc7\x6e\xd5\x72\x28\x05\xab\xce\x9b\xbd\xe0\xc9\x8a\x89\xeb\x59\x66\xcd\x76\x98\xc1\x36\xa3\xf8\x03\xb3\x98\x4c\x41\x3b\xce\xc1\x50\x21\xda\x12\x52\x14\x61\xb7\xf2\xcf\x6a\xec\xb6\x54\xbb\x7f\xef\x57\x7b\xd0\xff\x4c\x2d\x78\x7b\xc9\x24\x88\x49\xc2\xda\x49\xbc\x8e\x5b\x95\x6a\x93\xea\x9e\x28\xb4\xf9\x40\xb5\xc3\xbc\xd9\xe4\x73\xda\x67\x9e\x02\x16\x22\x58\x4a\x55\x61\x61\x9e\x95\x5d\xf6\xf8\xc6\xdc\xa5\x05\x3d\xe7\x94\x15\x6a\x8d\x02\xcd\x7c\xb9\x25\xb0\xe4\x28\x1a\xcf\x20\xf6\x06\xab\x69\x5f\x06\x4f\xcf\xdc\x83\xd7\xb6\xa9\xe9\xe9\xe9\x53\xa0\x80\x41\xd3\x5e\x74\xf4\xcc\x8b\x8e\x9e\x69\x76\xdb\xbb\x4f\x9e\xb0\xa4\xca\xb2\x3d\xc6\xec\x57\x3c\xe6\x0f\xbb\x0d\xfc\x0f\x7a\xc1\x7b\xbd\x61\x97\x43\x55\x96\x75\xc9\x85\x41\x97\xa1\x21\x93\xde\xee\xd6\x7a\x2e\xb2\xab\x85\xfe\x29\xa1\xcf\x66\x76\xac\xe7\xd4\xe4\x06\xc9\xe4\x29\x7b\x21\xfd\x17\x8f\x1d\x54\x8a\x2a\x74\xe4\xe3\x5e\xf0\x41\x50\xcf\x75\xf3\x85\xb6\x32\xc1\x61\xae\x4f\x67\xdd\x4e\x9e\xc4\x18\x3a\xa2\xd3\x9f\x51\x7f\x5e\xec\x18\x8a\xdb\xb8\x61\x59\x10\xcd\x4a\xd6\x84\xb8\xfa\x41\x56\x2a\xd1\xe8\xe2\x75\xa5\x12\xf5\xbb\x26\xef\x0e\xb0\xcf\x6d\x52\xd8\xd4\x8a\x5f\x70\xf6\xc7\x9f\xee\x67\x07\x93\x4d\x99\x6e\x48\xd1\xf6\x7f\x6f\x7f\xf0\x96\xfd\x97\xe9\xaf\x72\xe2\x82\x29\x4b\xbf\x3e\x04\x4e\xa8\xbd\x0c\xe8\x42\x05\xe9\x46\x7e\x45\xdb\x14\xea\x68\xc7\x46\x9d\xec\xab\xb3\x59\x87\x59\x2b\x89\x6a\xac\x3d\x60\xde\x24\x65\xc6\x31\xa9\x56\x19\x84\x0c\x5c\xf4\x8e\x6f\x3a\xa6\x28\xd3\x25\xb8\x17\x59\xf8\x81\x61\x8c\x48\xe6\x98\x59\xa7\xc3\x23\xd1\x94\xb4\x73\x15\x04\xab\x08\xc6\xeb\x8a\x62\x48\x5f\x43\xdf\xe7\x86\x3d\xb0\x11\x0a\x0b\x50\x53\x17\x3b\x6e\x4d\x18\xa0\x63\xe2\x02\xe2\x76\xe1\x89\x2d\xd2\xf7\xd5\xc1\x5e\xe7\x66\x2a\x4b\x41\x4c\xc6\xfa\x65\xdc\x06\x86\xa7\x39\x45\xec\x2f\x08\x4f\xb1\xab\xad\x5b\x70\x8b\x61\xae\x7b\xa6\xce\x40\x32\x82\x83\x1e\x5f\xd0\x20\x3f\x2e\xd3\x64\x0f\xc6\xe8\xa3\xd3\x33\xa7\xa7\x8f\x1e\x3d\x09\x5b\x55\x8f\x8b\x31\x4a\x57\xc7\xb8\x55\xd9\xa5\x4f\xd6\x6f\x34\xf6\x6d\x29\x69\x9b\x61\xd3\x31\x6f\xef\xf1\xee\x63\x37\x82\xf2\x32\x0c\x6a\x61\xdf\x66\xff\xcc\x63\xb7\x67\xb2\xd5\x07\xeb\x64\x12\xe7\xf2\x5a\xee\xff\x37\x6f\x17\x81\x74\x4b\xe0\x4a\xb5\xbf\x0b\x7e\xd8\x2b\x3d\xa1\x54\x52\x38\xc5\x61\x58\x74\x4d\x5c\xe4\xc4\x4e\x44\xc9\xa2\x49\xb7\x6b\x47\x9f\x69\xbb\xeb\x48\x3f\x34\x08\x28\xc0\x07\xc7\x60\x24\x27\x48\x14\xa1\xfc\xf0\x20\xa6\x20\x85\xa4\x83\x57\x38\x34\xe1\xb2\x1f\xab\xb1\x03\x94\x5e\xec\xff\x40\x2d\x78\x83\xa7\xc3\xe1\xe8\x21\x4e\x04\x01\xc1\x93\xba\x0b\xde\xac\x9d\xc2\xe3\x9e\x66\xd6\x33\x55\x6b\x1f\x76\xff\x94\x4d\xb2\x23\x3b\xce\x02\xa6\x9f\xdf\x48\xb4\xd0\xd1\xed\x2f\x1a\x2f\xf0\x9f\x0f\x5f\xd5\x53\xa9\x7a\xfa\x52\x39\xc8\x18\xfb\x6b\x6f\x14\x20\xe9\x67\x3d\xed\x45\xff\x25\x6f\x57\x5e\x74\x0a\x9d\x25\x7c\xd1\xa4\x70\xa2\x39\x68\xa5\x05\xe6\xeb\x30\x02\x29\xec\x76\xa1\x21\x40\xf3\x14\x9c\xdc\x5d\x91\x5e\x85\x83\xa6\x08\x0d\x04\xd7\xaf\x43\xcf\x50\x04\x9b\xb9\x8e\x78\x31\x0c\x58\xea\xd8\xdb\x3f\x5c\x63\x56\xb0\xb1\xff\xe3\xb5\xe0\xed\x66\xc1\xec\xb8\x22\xe6\x6f\x34\x2c\xcd\x45\x47\x13\x39\x8f\xa4\x50\x75\xc5\x96\x81\x04\x6f\xd9\x4b\x49\x65\x14\xdb\xdf\xb7\xb0\xb3\x9f\x3e\xe8\xc0\x2b\x38\xc4\xb9\xc3\x0c\xca\x6f\x7a\x06\x19\x94\x7f\x7d\xff\xcd\xe4\x86\xbf\xdf\x34\xbc\x37\xb3\x77\xf6\x9a\xbd\x93\xe9\x44\xf4\x57\xdd\x38\xc3\xf5\xf6\x21\xf3\xa3\x37\xea\x53\xde\xfa\xce\x99\x21\x0b\xfe\x99\x3d\x93\x27\x33\xf6\xc7\x87\x59\x30\x2a\x43\x1e\xad\x19\x00\xa8\xf1\xf1\xc3\xc1\x0f\x7a\xc5\xdf\xa4\x78\xd8\x81\x73\x65\x08\x10\x6d\xf7\x48\xfb\x80\x6b\xd2\xcf\x8b\x30\x4b\x12\xb3\x15\x71\x77\x5b\x1b\x89\x41\xb4\xa0\x30\x65\x58\x37\xc6\x95\x61\x79\xcc\x86\x5f\x53\x42\x6a\x53\xa6\x6b\xae\x90\x7a\x13\x53\x4a\xd8\x21\xd1\x0b\x81\x2d\x32\xf3\xff\xc0\x0b\xfe\xa3\xa7\xc9\x23\xb3\xaa\xfb\xa8\xa1\x85\x46\x35\xc5\xe6\x86\x36\x6b\x04\x23\x4c\x0c\x6b\xea\xdc\xd2\x22\x4e\xc6\x30\x9c\x71\x3c\xa0\xe0\x74\x2b\x38\x01\xc0\xb2\xe9\xd4\xa1\x4a\x65\xdc\xef\x92\x21\xad\x80\xba\x84\xf4\x97\x41\x51\x7a\x71\x87\x8a\xa2\x64\xab\x74\x18\xb9\x3e\x15\xf6\xe1\x31\x76\x7b\x9c\xc4\x1a\x6a\xf3\x81\xe5\x0b\x99\xff\x23\x63\xc1\x1b\xc7\x2e\xb9\x0f\xb5\xb7\x09\x56\x73\x4f\xa4\x79\x28\x22\xde\x4f\x23\xd2\xd2\x04\x52\x85\xd0\xfe\x46\x8b\x18\x12\xbb\x28\xd1\xca\xef\xa4\x98\x72\x6c\x0f\xce\x34\xa8\xdf\x14\xc4\xdc\xe9\x47\x51\x1d\x39\xc5\x78\x96\xcb\x9e\x09\x4b\x13\xf9\x06\x5f\x09\xe3\x16\x06\xea\x99\xc3\x00\x5a\xa4\x4a\x54\x2b\xc5\x4c\x77\xbb\x5e\xa2\x0d\xc3\x2a\x7a\x90\x27\xa9\xa9\x4b\x1c\x8c\x14\xe3\x7d\xa5\x10\x01\x61\xff\x7c\x06\x63\xf2\x9b\x7c\x19\x2e\xda\x4a\x11\x25\x06\x37\x55\xe4\x40\x83\x12\x17\xf3\x30\xa1\x53\x8a\x82\x5e\xd2\xce\x02\xb5\x20\x03\x72\x39\x06\x93\x9c\xbc\xe4\x76\x1f\xa0\x7f\xf6\x77\x4a\xe0\x04\x93\x75\x0e\x03\xa4\xdd\x13\xdb\x4d\xdf\x8f\xa0\x59\x11\x4a\x04\xdf\x86\xff\x9d\x5e\xf0\xf8\xb2\xfd\xa4\xec\x79\xde\x52\xe2\xcd\x08\x26\x18\xbc\x02\x8a\xbe\xbc\x59\x38\x9f\xd3\x81\x47\x6a\xee\x2d\xf2\x1f\xb9\x29\xd3\x41\x0e\x11\xac\x70\xed\xda\x71\xa5\xfd\x2f\x8f\x1d\x2a\xc0\x62\x7f\xdf\x0b\x3e\xee\x2d\x17\x4b\xd8\xc6\xed\x28\x81\xb8\x0e\xb7\xe9\xc8\x9d\x47\x6c\x5b\x04\xda\xea\xac\xdd\x00\x8a\x6a\xc1\x7f\xa5\x37\x75\x93\x1f\xb9\x73\xaa\x93\x24\x47\xca\x86\x0c\x2b\x67\x8a\x1f\x81\x17\xb4\x21\x76\x57\xc5\x6e\xd3\xe9\xf7\x7b\x0c\xa5\x8d\xff\x1e\x2f\xf8\x16\xef\x41\xf5\x4f\xb7\xb3\xf8\x08\x37\x91\x59\x56\x17\x2e\xa0\x06\x44\xb5\x2b\x8d\x09\xef\x68\x73\xfa\xca\xb6\x2c\x55\x0d\x94\xca\xa6\x55\xd2\x82\x94\x57\x8d\x59\x93\x43\xe1\x73\xd0\x0d\x67\xb0\x40\xc9\xd8\xae\xd9\xbf\x3c\xc6\xfe\x89\x25\xf0\x35\x68\xb0\xd2\x52\x57\x16\xc1\x09\xdd\x93\x2d\xff\x47\xc7\x82\x47\xac\xbf\x2b\xe4\x7d\x41\x5b\x9a\x95\xf3\x1f\x55\x3b\xe6\x57\x16\x79\x3b\x0d\x89\xe1\x3a\xcb\x45\x44\x2e\x65\xf4\x40\x5f\xf7\x0e\xd0\xaf\x2e\xbc\x5b\x8d\xfd\x44\x8d\xe9\x9f\xfc\x77\xd6\x82\x6f\xf6\x4c\x29\xf6\xd0\xda\x2d\xb1\x6a\x5c\xa0\x77\x4d\x66\x9d\xe5\x14\x5f\xc4\xd7\x8a\x46\x15\xa7\xb8\x12\x37\xfd\xd8\x34\x93\x64\x0d\x5e\x4f\x5b\x49\x57\xd2\x75\x78\xf7\xb6\xd2\xe1\x51\xc5\x96\x3d\x2b\xfa\xff\x17\x3c\x76\xf9\x69\xc3\x31\xbf\x64\xe5\xf2\x25\x04\x0e\x5c\x4a\x93\x5e\x76\x39\x9d\x53\xfd\xf3\xbf\xc7\x0b\xbe\xd3\xab\xfe\xcd\x59\x71\xa4\xe0\x9b\xeb\x3c\x49\x51\xb8\xf4\x95\x3e\xe7\x98\x16\x06\xe3\xa7\xe6\xac\xf4\x73\x93\x5f\x14\x21\x98\x6d\x24\x86\x1b\xf3\x4c\xa6\x56\xe6\x5c\xaf\x9f\xf6\x12\xa5\x60\xb1\x5f\x18\x67\x47\xab\xe2\x0a\x1f\xef\xa7\xf2\x5c\x18\xc9\x21\xf0\x38\xd8\x68\xfe\xb7\x8d\x07\x2f\x37\xef\x38\x9d\x88\x39\x3c\xe7\xf0\x83\x06\x6f\x06\xab\x84\xbe\x40\x6f\x24\x19\x1a\xbd\xd6\xd4\x05\xa7\xab\xad\xd4\xfa\x12\x7a\xdd\x63\x78\x18\x20\x9e\xea\x21\xf0\xdb\xab\x7f\xbb\x89\xb3\x63\xec\x1a\x3b\x98\x4a\xd1\xbe\x1c\x47\x03\x3f\x0a\x5e\x39\x04\xb8\xcf\x27\xd4\xcf\x53\x5b\x69\x98\xcb\x49\x84\x9c\xb8\x6c\xc6\x04\x8e\xfe\x4e\x92\x92\xf2\x63\x7e\xd4\x31\x74\x61\xcc\xb1\xc3\x17\x55\xfb\x32\xd7\x7d\xf8\x4a\x66\x35\xd1\x5f\x0a\xe6\x6d\x9d\x07\x7f\x29\x69\x3b\x38\x26\x2b\x04\x53\xae\x6d\xf3\x60\x03\x57\x23\xf1\x52\xe9\x38\x88\xde\x88\x76\x2e\xaa\x00\x03\x15\xae\x05\x57\x75\x2d\xa8\xb3\x19\x68\xb2\xa7\x55\x9d\xb1\x39\x69\x64\x54\x0b\x56\x71\x29\x69\xdb\xad\xb9\x83\x15\x73\xe0\xff\x3f\x01\xc3\x68\x09\x33\x23\xda\xa9\x75\x68\x54\xa2\x34\xdc\x94\xbf\xfe\x50\xf0\x65\xf4\x6f\x57\xf8\x00\xf3\x65\xe5\x85\xf8\xef\x0e\xdc\xbc\x70\xed\xf5\xc2\xf5\xe3\x9e\xbe\x71\xbd\xd3\x0b\x22\x6d\x07\x82\xa8\xc3\x67\xb9\x3d\xb6\x7c\x9f\x60\x5f\xcd\xee\xd8\x8d\x91\xf6\xa6\x05\x64\x0f\x16\x90\x5f\xb6\x51\x9b\x7e\xfe\x46\xa0\xa4\x2b\x6c\x20\xaf\xf3\x46\x18\x41\x9e\xc3\xce\x3d\xe5\x5d\xde\xf9\xe6\x5e\xf7\xef\x34\x37\xf7\x20\x30\x57\x75\x92\x35\xe5\x1b\xfa\xeb\x0e\xb1\x17\x5a\x4b\x0f\x63\xa8\xcd\x1d\xfd\xac\xfa\x13\xc4\xd5\x6f\x1d\x0c\x5e\x64\xfe\x72\x05\x16\x3c\xde\x9e\x8e\xe0\xa7\x6e\x4a\xae\x3d\x4b\xae\xab\x5a\x70\xad\x05\x41\x38\x8c\x59\xa8\x87\x8a\xa6\xc1\x96\x36\x33\x6c\x6a\x9b\x78\x9e\xaa\x29\xbf\x29\x76\xf6\x20\x76\x3e\x61\x8b\x9d\x9f\xd9\xa3\xd8\xf9\xe7\x5f\x24\xa9\xa3\x2b\x7a\xca\x13\x3b\x8b\x9c\x7b\xfd\x7b\x1a\xdb\x70\x1f\xd0\x0a\x2b\xd9\x0e\x8d\x34\x61\xec\x33\x87\xd8\xd7\xec\x00\x41\x7e\x01\x39\x82\x75\x64\xeb\x05\xd5\x91\x79\x3b\x1a\xcc\x7f\xfb\xa1\xe0\xf3\xde\x8e\xaf\x95\x88\xd2\x01\x94\x02\xe8\x0c\x8b\x95\x05\x37\xea\x14\x2e\xf7\xb0\x76\xf3\x84\xa8\xfb\x81\x3a\x5d\xb4\xdb\x29\x46\xa5\xe6\x5b\x09\x0f\xb3\xac\x2f\xb3\x59\xc6\xef\xe4\xe7\x93\x2d\x0a\xce\xa1\x82\x8a\x14\x21\x1d\x8e\x8b\x6e\x54\xa2\x3b\xbe\x4f\x7d\xf4\x72\x0b\xea\x7b\x4d\xf2\x76\x12\x4b\x0a\x80\x70\x9a\x23\xaf\xb5\xa4\x6c\xd3\x95\xb2\x1b\xe6\xf7\x39\xd2\xf5\x07\x0f\xb0\xff\xb3\x8f\xfd\x43\x91\x65\xfd\x54\xb6\xe7\x13\x62\x3d\x68\x0d\x40\x31\xcd\xfc\xdf\xdc\xa7\xd3\x76\x3e\xba\xef\xca\xa8\xb7\xae\xf0\x89\xb9\xf9\x95\xc9\x22\x20\x20\xa3\xb4\x4a\xd9\xea\xc3\xc0\x41\xc5\x76\xbe\x19\x3e\x31\x5e\x40\x8b\x65\x8f\x9a\xae\xc5\x76\xa9\xff\xd0\x23\xf2\x24\xca\x6b\xb2\xdf\xc2\x0c\xc3\xdc\x84\x78\x20\x54\x1e\x9f\x9b\x5f\xa9\x72\xf2\x61\x45\x04\x50\x0e\xa2\xe4\x08\x18\x32\x74\x77\xa8\x59\x13\x2b\xf3\x17\x26\x81\x99\x2b\xdc\x0c\x81\x66\x13\xf0\x3f\x28\x8e\x55\xbf\xdc\x30\x21\x16\xed\x52\x33\xe1\x0e\xdf\x4b\x93\x5e\x92\xa2\x05\x1a\x0e\x8d\x30\xe5\x34\x80\x4e\x95\x70\x1d\xd0\xe1\x28\xbd\x34\x69\xf7\x5b\x34\x7e\x55\x6f\xa3\xf4\x9c\x98\x9b\x7f\x70\x92\x37\x1a\x8d\x51\xc3\x57\x1a\x27\x35\x0d\x7a\x9c\x20\x90\x45\x7d\x6a\xc0\x3d\xc0\x12\xe8\xf6\x60\x96\x31\x6e\xfd\x6f\x6e\xfe\xc1\x89\x68\x92\xbf\x98\xb7\x64\x18\x4d\xf0\x95\xf9\x0b\xfc\x4e\x35\xc6\xea\xe1\x14\x9f\xe0\x59\xbf\xfb\x70\x79\x08\xae\x3e\x0a\x6f\x5c\x9d\xe4\x93\x7c\x92\xb1\xb5\x70\x7d\x5d\xa6\xd4\x56\x98\x5f\x98\x23\x29\x62\xe4\x64\x50\x22\x1e\xf0\xde\x4c\x6f\xf3\xa2\x3b\x13\x64\x29\x94\xd7\x7a\x32\xc6\xfc\x0e\x30\x05\x52\x60\xf7\xd2\x85\x49\x27\x9c\x67\x43\x60\xaa\xb9\x15\x08\xa0\x3e\x39\x36\xed\x7a\x77\xdf\xed\xb1\x5b\x61\xc2\x97\x89\x68\xce\x7f\x8b\xc7\x66\x6f\x88\xdd\xe0\x82\xfd\x79\xf0\xc0\x15\xa7\xb8\x2b\x4e\xc4\xad\xd0\x14\xc1\x15\x7b\xb4\x25\x62\x1d\xee\x63\x20\x75\xd2\x70\x7d\x23\xe7\x71\xb2\xc5\xde\x7f\x1b\xbb\x63\x27\xef\x0c\xd8\xc6\xde\x78\x5b\x70\xb7\xf5\x77\x89\xae\x8c\x7e\x81\x7f\x83\xe1\x7c\x2b\xcc\x36\xd0\x8b\x01\x56\x29\x17\xd0\xef\x67\x6f\x65\xff\xad\xc6\x6e\xa3\x41\x3c\x23\x5a\x57\x65\xdc\xf6\x7f\xa9\xb6\x4d\xbe\x4a\x65\xc3\xe8\xcb\xe0\x3b\x6a\x0b\x4e\x51\xfa\xae\xbc\x46\x7f\xda\xc4\x05\x95\x62\xb5\x9d\xc4\x47\x4c\xb2\x48\x3c\x20\x6b\x23\x84\x25\x45\xb2\x30\xcc\x5b\xfe\x8d\x52\x85\x15\x39\x91\x8b\x9d\xf2\x4b\x21\x3a\x82\x4c\x82\x25\x34\x85\x88\xdb\xca\xed\x81\x37\x8b\x06\x91\x0d\x01\x30\xcf\x8b\x6c\xcc\x9e\x56\x19\xf5\xf0\x5b\x51\x62\xec\xfd\xfb\xd8\xf3\x42\xcb\x0f\x06\x56\x81\xef\xdf\x17\xbc\x79\xdf\x62\xe9\x69\x95\x33\xc8\x7e\x87\xeb\x28\x62\x1b\x87\x4b\xda\x51\x10\xce\xdb\x5a\x65\x46\x89\x5c\x8e\x15\x33\x89\x57\x8e\x63\x89\xb6\x58\x2a\x7b\x91\x68\x99\xfc\x5f\x03\x6b\x7e\xc5\x0d\x77\xa1\x6e\x35\x21\x8f\xf7\x0a\x07\x75\x0b\xb1\x8e\x21\x6d\x4b\x4d\xfb\x96\x48\xdb\x19\x64\x7a\x8a\x3c\xd4\x94\x85\x94\xe5\x0f\x6c\xe0\xfa\x13\x93\xf2\x1a\xe6\x66\x16\x51\xdc\xab\xda\x65\x5b\xc6\x14\x0f\x38\x94\xad\x69\xf5\x4c\x49\x43\xa9\xa4\x7b\xc1\x3a\x89\x79\xe3\x16\xff\xaf\x55\x25\xb8\x93\xda\x61\x07\x7c\x35\xb9\xd1\xde\x17\x4b\x39\x69\xfa\x9c\x9a\x5b\x5a\xd4\xab\x37\x5c\x8f\x95\x40\xa3\xf1\xa6\xbc\xfa\xa4\x9f\x23\x43\x42\x96\xd9\x0b\x70\x2e\x76\xe7\xc5\xca\x03\x07\xd9\xdd\x15\xe9\x55\x8c\x64\xa3\x8d\xa8\x0f\x51\x8a\x50\xd2\x19\xe6\x10\xfa\x56\x92\x78\x46\x87\xa0\xf1\x38\xa7\xe9\x6f\x2c\x13\x75\x1d\xbd\x51\xa5\x35\x4a\x6b\x24\x69\xf5\x4d\x4f\x9d\x68\xcd\xbf\xf4\xd8\x3e\x58\xe6\xfe\x9f\x78\xc1\x93\xde\x9c\x93\xf4\x49\x1b\x40\xb7\xcc\xe8\x04\x76\x05\x3a\x6b\xbd\xd8\xab\xe0\xa8\x42\xaf\x0b\xa5\xc0\x63\x38\x74\x9e\x8a\x4e\x27\x6c\xe1\x0a\x28\x6c\x9b\xba\xa7\x24\x3d\x9c\x2b\xcb\x49\x76\x9c\x1d\xbd\x31\x21\xa5\x44\xc8\x53\xde\x0b\x47\x66\x77\x1c\xf2\x0f\x88\x3c\xe9\x86\x2d\xc6\x7e\x78\x8c\x8d\xe5\x51\xe6\x7f\xff\x58\xf0\xfe\xda\xea\x85\x52\x5e\x41\x93\xcf\x9b\x18\x1f\x7b\xd3\x83\x53\x30\xeb\xf7\x30\x5f\xdb\x24\x47\xa9\xef\xd5\xa3\x3a\x3f\x7e\xfc\x58\xd3\x71\xdb\x76\xa5\x39\x28\x73\x83\x10\xa8\x71\x69\x8a\x75\x09\x39\xb3\x20\xaa\x0a\x78\x04\x5d\xc6\x35\x9d\x2a\x67\x12\x9d\xd2\xdc\x05\x4b\xcb\x6d\x78\xa5\xc2\xcb\xa4\xd9\x98\x21\x02\xfa\xd2\x22\x34\xd3\x18\xe7\xeb\x7a\xdb\x84\x43\x02\x8d\x77\xfa\x51\x27\x8c\x22\x7d\xa7\xd3\x6f\x98\x8e\xaf\x5c\x5a\xbc\x01\x5f\x45\xe5\x54\xad\x5e\x58\xd9\xe5\x4c\x3d\x79\x1b\x9b\xa8\xf4\x7c\x10\xca\xbe\xed\xfe\xf0\x7f\xfd\xd6\xe0\x51\xe7\xc9\x8d\x39\x96\x94\xee\x5d\x38\x96\xaa\xfd\x4a\x9a\x60\x59\xfd\xb5\xb8\xe0\x1c\xb6\xbf\x71\x0b\xfb\x11\x8f\x1d\x16\x11\x30\x7f\x88\xb5\x48\xfa\xdf\xed\xb1\x7b\x76\xe1\xc5\xc1\xbe\xa0\x75\x5d\x35\x7e\xb9\xe0\xac\xb4\x4a\x2b\xfb\x1e\x89\xe1\xa5\x70\x34\x42\x92\x0d\x04\xe3\x99\x2b\x8c\xe1\x7e\x41\x97\x87\x41\x3e\x68\xb2\xf7\x68\xee\xd8\x1f\xf4\x82\xb7\x78\x3a\x39\xbb\x7c\x3a\x59\xc3\x41\x9e\x5e\xfb\x4a\x4f\x10\x1b\x74\xa6\x5c\x7c\x60\x65\x15\x32\x48\xed\xfc\xe3\x82\x89\x97\xc2\xae\x55\x89\xf7\xcb\x7c\x29\xea\xaf\x87\xb1\x3a\x14\x27\x26\x79\x4b\xa0\xeb\x81\xce\x64\xa8\xcf\x91\x55\x3f\x35\xce\x68\xc4\xfd\x1f\x1f\x0f\xbe\x7f\x1c\xff\x5d\xc0\xd1\xb5\x65\x61\x3d\xa0\xe6\xa2\x05\x21\xe9\x40\x56\xa1\xa3\x58\x6a\x9c\x64\x2b\xbc\x17\x44\x1c\x5c\x98\x01\x5a\xc5\xe6\x2f\xa5\xb8\x45\x57\x5f\x00\x75\xdf\xea\x68\xd2\x95\x71\x2b\x42\x4c\x0b\x4c\x6a\x6f\xab\x73\xc6\x49\x6d\xb6\xaa\x43\xeb\x12\x89\x6c\x7d\xe9\x81\x5e\x88\x8c\x07\xea\x1f\x33\x01\x86\x3a\x40\x15\x4e\x43\xdc\x8f\xad\x26\x58\x5f\xcf\x05\x94\x78\x69\xd5\x89\x17\x55\x88\xc3\xeb\x76\x45\xdc\x2e\x58\xe5\x9d\xd2\x55\x83\xf2\x5c\x40\x2e\x2f\x2d\xb0\xe1\x74\x83\x3a\x01\x97\x56\xa0\x3a\x38\x2d\x83\x46\xc1\x2a\x28\x20\x06\x17\x17\x8a\x98\x81\x52\xdd\x20\xfa\x80\x68\x18\xc8\xe7\x88\xb7\x98\x7a\xa4\x01\x8c\xd4\x94\xd2\x10\x95\x73\x63\x29\x31\xc1\x85\x92\xfa\xf9\x7d\xcc\xce\xd5\xcb\xfc\xf7\xed\x0b\xde\xba\xcf\x7e\x52\x8e\xb8\xba\xaa\x9e\x91\xb4\x2b\xd6\x2d\xad\x4a\x1c\x57\x61\x64\x44\x56\x40\x70\x6a\x41\x41\x4a\x1c\x81\x52\x24\x9b\x90\x41\x69\x22\x60\x4c\x3e\x26\x54\xa3\x33\x2c\x8a\x5e\x67\x7c\x02\xbb\x0d\x2a\x55\x3c\x68\xb6\x92\xee\xd4\xe3\x49\x2c\x83\xba\xfb\x2c\x95\xeb\x61\x12\x07\x93\xbb\x69\x92\x99\x34\xd3\x1e\xb3\x70\xdc\xf6\x58\xb8\x6a\x5a\x59\x52\x6b\x28\x92\x14\xa6\x2f\xaf\xf5\x12\xc4\x3f\xc8\x86\x3e\x35\x59\xdf\x4a\xd7\x53\xb7\xff\x2d\x5a\xd4\xda\x40\x5b\x5e\x92\x10\xb1\x65\x0a\x11\x5b\x6a\x4f\x41\x03\xd5\x09\x05\xbc\xcb\xe5\x65\x06\x53\xa4\x2e\x60\x12\x71\xa6\x24\x29\x52\x54\x71\x68\x2e\x1f\x48\xf4\xbf\x69\x89\x05\xab\x25\xa0\x25\xf6\x94\x76\xa4\x34\x0f\xa3\x8d\xd0\x04\x2f\x22\x3d\x61\x92\x65\xa1\x96\x9b\xc5\x49\x0d\x1b\x5b\x67\x10\x15\x8f\x9d\x91\xa0\x65\x49\xca\x1d\x86\xc0\x84\x1d\x3d\x3d\x26\x4c\x8d\x56\x98\xf9\x76\xbb\xa8\x8a\x1f\xf6\xd8\x03\xcf\x9c\x0f\x7e\x05\x0a\x45\x4f\xfc\xa5\xe0\xc2\x76\xbf\xbb\xde\xf8\x2a\x97\xbb\xb6\x08\x43\xc3\x9b\xec\x3b\x6f\x61\xc7\x5d\x22\x3f\x8b\x20\x45\xc3\x20\xac\xa0\x61\x6d\x0e\xe2\xbc\x96\xa5\x92\xd0\xfe\xa7\x0f\x07\x7f\xe8\x8d\xfa\x95\xb7\x36\x64\xeb\x6a\x91\xf2\x0a\x22\xd6\xc4\x8e\x01\x6d\x7a\xd2\xef\xc1\x90\x6b\xec\x66\x11\xeb\xb0\x38\x08\xb6\x26\x19\x5b\x00\x75\x9c\x17\x9b\x98\x5f\x54\xf8\x8f\xb3\x56\xd2\xb3\xc2\xe3\x78\x57\x5c\x95\x19\x5e\x57\x5a\x1b\x5c\x8a\x2c\x44\xd1\xb6\x9e\x8a\x38\x1f\xfe\x8e\x22\x12\x71\x4b\xc7\xad\xa8\xaf\x96\x8a\xcd\x7f\x05\x9d\x50\x87\xef\x75\x0f\xe0\xc0\x1d\xed\xe1\xf3\x07\xd5\x2c\x6b\xf0\xfd\xef\xf5\xd8\xfc\x68\xa4\xf0\xf2\xa0\x56\x8c\x18\xe1\xf1\x3f\x50\x50\xdb\x29\x9d\x0e\xe3\x7c\x34\xf3\x04\x12\x6a\x42\x4e\xcb\x50\x52\x31\xde\x19\x31\x0d\xad\x88\xd2\xa2\x81\xbf\xe9\xcb\xb9\x09\xda\xff\xc5\x73\xaf\xbc\xd4\xf2\xae\xdc\xb7\x47\xd0\x7e\xf6\x3f\x35\x07\xce\xe7\x3d\x36\xb7\xb7\x1d\xd7\x93\xad\xe0\x87\xbc\x1d\xe3\xd9\xf4\xae\x42\x60\x3e\x93\x11\xdc\xe4\x88\xf1\x5e\x88\x15\xc3\xb0\xaf\xd3\x74\xdd\x68\x97\x41\xd2\xe7\x5d\xd1\x96\x4e\xa1\x14\xf8\x8b\xd1\xc3\x94\x06\x8a\x79\xa1\x74\xd9\x96\xed\xe6\x53\x5e\xba\xb3\x47\xe7\xb2\x7f\xb1\x20\x06\xd8\x8e\xe5\x6a\x94\xc8\x2e\xfb\x99\xdf\x71\x88\x1d\xdb\x66\x44\xf1\x0a\xa4\x2f\x3e\x26\x58\x31\xf3\xff\xe0\x60\x90\x0f\x3f\x2e\x04\x2c\xd8\xd8\xed\xc2\x9c\xe4\x34\xe7\xfa\xe3\x64\xb0\xd2\x2a\xc7\x80\x6c\xfa\x1e\x2e\x7d\xb9\x4c\x3b\xa2\xe5\xc6\x56\x7d\xe6\x00\x7b\x9d\xbe\x2f\x3d\x1e\x74\x47\xd9\xf2\x4c\x05\x38\xb7\x2e\x58\x9c\xe0\xc1\xba\xcc\x21\xb6\x17\x81\x45\xcd\x63\xfc\x33\x68\xf2\x20\xe0\x13\x30\x69\x93\x14\x2f\x5b\xc6\x02\xf8\xf3\x1a\x3b\x64\x56\x80\xff\xb9\x5a\xf0\x1b\xb5\x02\x97\xc4\x6a\x90\x13\x0f\x45\xc7\x60\xa9\x4d\x4d\x5e\x58\x39\xc0\xf4\x50\x20\x2f\x42\x70\xa3\xfe\x08\x61\x5e\xe2\xc4\x2a\x17\x8c\x6c\x51\x54\x3c\xc9\xec\x96\xdb\x6b\x0d\x7a\x38\x6a\x85\x94\xbf\x42\x4d\x49\x7d\xa1\x41\x31\x4b\x07\x72\x36\x3c\x40\x81\x88\xa2\x00\xaf\x5c\xa3\x8e\xf1\x4c\x07\x68\x57\xe9\x15\x00\x5b\x1b\x75\x2a\x7e\xb2\x87\xfd\x6b\xd9\x41\x5d\x9a\x7f\x21\xb8\x4f\x2f\x47\x0c\x14\x2f\x22\xec\x75\x54\xa8\x83\xb3\x9e\x35\x39\x0f\xee\x0c\x46\x4c\xe8\x2b\xd9\x61\x2b\x84\xd8\xbf\x1c\x9c\x59\xb1\x22\x8a\x77\x5d\xbe\x2e\x3e\x4e\x62\x17\xe6\xe7\x49\x8f\x8d\x6f\xca\x74\xcd\x7f\x4d\x10\x3f\x28\xd3\x35\x3c\x65\x2c\x4a\x6f\x53\xd6\xdc\xd2\xa2\xda\xb0\x6b\x75\x1e\x85\x57\xe5\x2c\x5f\x97\x79\x1d\xf4\xed\x3a\xdf\x42\x86\x4f\xcc\x38\xae\xd3\x61\x50\xa7\x55\x5c\x57\x2a\xfb\xb5\xc1\xb6\xbd\x5c\x61\x07\x48\x16\xf8\xe7\x83\xbb\xb5\x96\x40\xeb\x55\x55\xac\x1f\x51\x4f\x97\x8d\xb1\x7a\x9b\x42\x2f\xb2\x7d\x20\x9f\xfc\x85\xe0\x14\xa6\x53\x58\x05\xde\xaf\xa1\x71\x76\x5d\xdc\x5f\x7b\xec\xab\x77\xf4\xcf\xa0\x72\xf6\x9f\xbd\xe0\x2e\xe7\x89\xf1\xd1\xe0\x91\x5a\xa6\xf9\xb6\x6d\xa6\x8e\x58\xf9\x46\x8f\xbd\xde\x63\xb7\x44\x89\x68\x9f\x11\x91\x88\x5b\x32\xf5\xfb\xbb\x48\xde\xbd\x60\x7d\x40\x8a\xde\xbd\xf6\x33\x37\xa7\xa4\x8a\xca\x4c\x72\x55\x69\x63\x8d\x3e\x68\xb2\xdf\xfe\x52\x47\x3c\xa3\x2e\x6b\xa5\xea\xb4\x17\xc2\x2c\xed\x43\x26\xc0\x99\x7e\x7b\x5d\xb3\xa5\xf9\xef\xfc\xd2\xe0\x9b\xbd\x91\x3f\xdb\xd7\x87\x11\x46\x38\x8b\x64\xb9\xa2\x98\x26\xa7\x82\x94\x32\x93\xa7\x22\x8c\xb4\x48\xeb\x43\xc2\x87\x21\x52\x27\x1a\xb5\xeb\x9e\xdf\x36\x45\x64\x73\xa8\xb5\x5e\xf7\x6e\xa3\x31\x38\x2f\x45\x94\x6f\x0c\xae\x7b\xb7\x11\x81\x8e\x79\x70\x8b\x86\x0f\x5e\x4a\xda\x6e\xe8\xd2\x47\xbe\x84\xfd\xf9\x41\x87\x8a\xfd\x0f\x0e\x06\x7f\xbe\x7f\xbe\x00\xdd\xd0\x09\x47\x16\x0e\x07\xf0\x6d\x2d\x9c\x41\xff\x45\xd1\x22\xdb\xcc\x9a\x49\xb2\xe3\x15\x7d\xa6\xf6\x16\x05\xe1\xf7\x9d\x44\x3d\xc7\x4b\x96\xe4\x57\x63\x75\xb1\xa6\xc4\xe8\x02\xc8\x1e\x48\x94\xd1\x14\x32\x61\xd1\xe9\xe3\x0f\xc0\x19\x4e\x58\x40\x90\xb1\x4a\xe1\xe9\x9d\xbe\xd2\xbd\x26\x67\x79\x83\xaf\x0c\xe2\xd6\x39\x48\xbf\x9d\x2d\x3b\x5d\x64\x0c\xd1\xb2\x12\x31\x02\xb8\x4c\xd3\x04\xaf\x0d\x5b\x22\x8b\x8f\xe4\x06\xbf\xab\x95\x74\x7b\xfd\x5c\x3a\x4e\x67\x5e\x72\x6e\xeb\x8b\x84\x35\x4b\x94\x33\x0b\x89\xc2\x78\xfc\xe8\x5f\x54\x7f\x4b\xa5\xe9\xef\x35\xd4\x97\xbb\xa8\xcd\xc0\x19\x33\xfa\x39\xc0\xe0\x62\x0d\xbe\x18\x67\xfd\x4e\x27\x6c\x29\x75\x57\xcd\x31\xf6\xb2\x68\x18\xa0\x5f\x01\x1d\x0a\x65\xea\x00\x16\xef\x9a\x8c\x92\x2d\xab\x0b\xa5\xd6\xe0\xff\xb4\xdd\x49\x5f\xac\x2a\xd7\xf1\xa5\x9d\x7a\xb6\xc7\xfe\xad\x0c\xf7\x2e\x95\xd0\x21\x70\x17\x69\x5e\xf9\x78\x57\xad\xad\x68\xda\x6a\x65\xf5\xab\x69\xbf\x60\x12\x19\x9e\xe6\x8a\x72\x4a\x83\xa0\x2d\x52\x85\x9d\x6d\x68\xfb\x42\x10\x86\x4c\x4b\x19\x12\x5f\xc3\xee\x1d\x6d\x5b\xdf\x46\xf7\x37\xfb\xf6\x29\xef\xc8\xb6\x68\x62\x87\xfc\x03\x0d\x38\x61\x77\x07\x19\xb6\x8b\xcc\x0b\x2a\x6c\xd7\x99\x17\x67\x59\x49\x6e\xf9\xc7\x74\x1c\xcf\x57\x6a\xa1\x5e\x0c\xf9\x06\xbe\x03\x33\xed\x44\x48\x5c\x64\x25\x69\xe7\xdf\xad\x8b\xf9\xea\x6e\x18\x87\xdd\x7e\xd7\xf0\x89\xed\xa2\xb8\x6f\x39\xc0\x6e\xa5\x49\x42\x69\xe9\xff\xd5\xfe\xe0\x27\xf6\x2f\xd8\x8f\x8a\x03\x68\x58\xea\x23\x70\xe2\x46\x92\x49\x2e\x37\x31\x0f\x49\x09\x12\x83\xf6\x67\x56\x02\x78\x63\xd1\x46\x61\x5e\xb4\xf3\xad\x08\xa6\x1a\xec\xe4\x48\xa5\x91\xf3\x81\x54\x57\x26\x19\x17\xcc\x83\xa3\x57\xb9\x03\xf5\x32\xe7\xa0\x42\xe9\x64\xa8\xae\xe8\x15\xf7\x66\x17\xbf\xde\x6a\x5d\xd1\x72\x50\xd3\x74\x5b\x2d\x14\x9f\xe1\xcf\x09\xea\x29\x53\x6d\x5d\x1b\xa8\xb3\xc2\x96\xb8\x02\x80\x9a\x80\xe1\x47\xbd\x40\x0e\xe4\x8e\xbe\x3a\xa8\xd2\x27\x94\x0c\x06\x78\x7e\x8c\x06\x4a\xfa\xf9\x24\x1e\x17\x57\xa5\x21\xb9\x57\xed\xaf\xb8\xa7\x00\x66\x3f\xed\x59\xc3\x25\xb0\x87\x2e\x1a\xa4\x1c\xd3\xba\x76\xd8\x56\x27\x43\xd2\x6a\xf5\xf1\xa8\x10\xa6\xc7\xb9\x1a\x63\xba\x6f\x14\x70\xc2\x84\x9f\x50\x8c\x36\x66\x4e\x39\xc0\x75\x6a\x9c\xb6\x9d\x46\x1a\x10\x20\x5e\xc5\x18\xb2\xc5\x8e\x9d\x6e\xb8\x9e\xc8\x8c\x67\xdd\x24\x01\xd0\x7a\x9a\xdf\x22\xf8\xae\xb8\x80\xc0\xd8\x25\xe8\x0e\xd0\xe3\xd2\xe4\x17\x44\xba\x6e\x0b\x39\x19\xe7\x69\x58\x24\xf8\xa9\xc2\xd0\xe6\x42\x08\xfd\xbd\x34\x59\x8b\x64\x97\x60\x42\x81\x0a\x86\xc6\x27\x6b\xbe\xc7\xbb\x9b\x9d\x66\xa7\x9e\x86\x00\x5b\x0d\x9d\xc4\x1f\x76\x85\x55\xa8\x3c\xfe\x4b\xf4\x16\x3f\x71\xc9\x3e\xe2\x1c\xf1\x6b\xbc\x84\x05\xa4\x45\x91\x8d\x69\xed\xf8\x87\x99\xa3\x1d\xf9\x2f\xd5\x65\x9f\xcc\x93\x5c\x44\xe5\x43\xb4\x55\x00\xae\x20\x67\x6e\xa1\xfe\xac\xc1\x8c\x39\x85\x7f\xd6\x63\xbe\xde\xac\xf7\x23\xd6\x9f\xba\x27\x7c\xc2\x20\x93\x7c\xc0\xb3\x38\x45\x35\x1c\x20\x5c\x16\xf4\x16\x87\x05\x6b\x31\xe6\x85\x19\xec\x27\x3c\x3a\x9b\x96\x7e\x65\x4e\x14\xb5\x22\x31\xea\x8c\xce\x57\x5b\x4c\x21\xc3\x44\xd8\x46\x7f\x7f\xd8\xe1\xc3\xcd\x43\x9b\x0c\xa2\xb7\x2e\x9c\x39\x62\xcc\x70\x45\xeb\xdc\x11\xfc\xf4\xed\x4e\xf0\x57\x85\x17\x9b\x3c\xd8\xef\xbf\x3d\xf8\xe0\xb8\xf9\x93\xb7\x44\x2f\x87\x48\xcc\x61\x31\x2a\x0a\x68\x12\x93\xd6\xb4\xa8\x8d\x17\x7c\x62\x7e\x65\x71\x52\x3b\xf0\xb4\xe7\x01\x28\x1d\x8b\x70\x02\xba\x65\x37\x9d\x64\x4a\x72\x70\xc6\x92\x02\x3f\x10\x65\x8a\x1c\xb7\xd4\x2a\xea\x6c\x3b\x4c\x65\x2b\x8f\x06\x4d\xa5\x5b\x81\x6b\x0e\x02\x18\xd4\x16\xd0\x64\x83\xfa\x22\x8f\xa5\x37\x88\x6e\x49\xa4\x3c\x0b\xdb\xb2\x25\x2c\x34\x57\xf2\x0e\x99\x36\x12\x01\x88\xed\x8e\x2f\x8b\x03\x6c\x5b\x86\x6f\xb9\x4d\x1b\xb2\x9c\x6a\xe7\x8e\xe5\x7d\x22\x37\x67\x5b\xe6\xc2\x8d\x9e\x22\x5e\x84\xc2\xb8\x5a\x72\x38\x11\xea\x26\x7e\x6e\xbb\x1d\x8d\xab\x6c\x77\x25\x80\x40\xb4\xe6\xd5\x30\xd4\x14\x88\xda\x49\x8c\xd9\x80\xcd\xa1\x2e\xea\x58\xb9\xb8\x51\x24\xb1\x57\xfa\x15\xfe\xe6\xd0\x4d\x6b\xfd\x4d\x6b\xfd\x17\xcf\x5a\xff\x3d\xe3\x96\xb9\xfe\x4d\xe3\x7b\x25\xd9\xfd\xc5\xb1\x91\x2c\xbb\xc5\xbf\x88\x57\xca\xa6\xe6\xb9\xe1\xa0\x96\xbb\x95\xc0\x79\x86\x43\x5a\xd0\x1a\x80\x35\x3b\x8c\x3b\x27\x8f\xf1\xd6\x86\x48\x45\x0b\xc1\x72\x53\x1e\xc9\x2c\xab\xf3\x35\xb9\x1e\x12\x0c\x62\xdc\x56\x2b\x21\xd4\xce\x79\x11\x23\x5e\x1d\x80\x7a\x84\xad\xe2\x6b\x3e\xf1\xb0\x68\x3c\x3e\xdd\x38\x3d\xd7\x78\xe8\xd1\x49\x7c\xb9\x2d\x20\x44\x78\xa2\x31\x59\xe7\xed\x24\xcf\xf8\x44\x73\xb2\x4e\x56\xdc\xa2\x8c\x4c\x1b\x7b\x9f\xb3\xd4\x12\xb6\x46\xbe\x97\x87\xd8\xc9\x5d\x47\x49\x19\x41\x08\xfe\x16\x5e\xc9\x8e\x5c\xe4\xea\x37\x9f\xf2\xd6\x76\x76\x76\xdc\xe7\xbf\xd8\x38\x3b\x74\x7d\x25\x37\x87\xa9\xd6\xf5\x6b\x60\xa2\x0b\x7b\xfd\x2d\xec\xf4\x8e\xce\x0d\x32\x32\x43\xa4\xb3\xed\xa4\xf5\x3f\x7e\x38\xf8\xc3\xda\xa8\x5f\x87\xf0\x61\x80\x33\xa9\xc3\x05\x85\x68\x82\x53\x59\x87\x1c\xa8\x7f\xeb\xc0\x83\x30\x6e\x25\xdd\x1e\x30\x98\xb5\x65\x8f\x16\x8f\x8e\x24\xc4\x58\x14\x61\xfc\x1e\x99\xed\x11\x76\x51\x21\x69\xbd\xb5\x21\x3c\x1a\x6c\x3f\x19\x84\xf0\xa7\x21\xc2\x9f\x10\x2b\x29\x39\xb2\xc0\x68\x75\x46\xb6\x84\x52\x01\x5c\xbf\x4c\x6a\x42\xbc\xd1\x3e\xb5\x29\x21\x0a\x51\x18\x98\x0e\x29\x34\x74\x3c\x28\xff\x61\x7e\x24\xe3\x99\xe8\x60\x04\x52\x96\x41\x2c\xd2\x46\x91\x96\xb3\x21\x48\x85\x2d\x7c\xec\x75\x48\x35\xc2\xd8\x46\x91\x53\x31\x99\x35\x14\xcd\xeb\x9e\x41\x3d\x81\xa1\xbe\xee\x3d\xcf\x02\xb1\xa1\x47\xac\xf8\xc0\x39\x4b\xbf\xef\x20\x7b\x53\x8d\xdd\x5e\x74\xf5\xac\x1a\x0e\xff\xff\x7a\xc1\x1f\x79\x67\xdd\x87\x30\x0b\xd8\x27\x0e\xa6\xc1\xee\x9a\xa6\x45\x83\x01\x85\x9a\x30\xd8\xc4\xc8\x29\x63\x5b\x83\x6b\x53\x5a\x8c\x2d\x0c\x50\x51\x6b\xdd\x30\x50\xab\x3a\x0a\xdf\x15\x45\xa8\x49\x30\xca\xe9\xf0\x92\xa1\x6f\x85\x8e\xd3\x77\x3a\xad\x1e\x4f\x25\x29\xbf\x54\x1a\x0c\x1d\xc3\x6c\x0d\xa1\x2d\xdd\x3f\xed\x31\x6b\xb0\xfc\x4f\x7a\xc1\xcf\x7a\x8b\xc5\xc2\x53\xd7\xca\xb4\x6f\x5d\x29\x71\x0d\xb8\x02\x14\x62\x65\xa2\x08\x56\x86\x55\x8d\x21\x8c\x81\x8b\x18\x42\x4c\x46\x03\xc7\x18\x89\x10\xc9\xf6\x18\x38\x43\x23\xaf\x91\x7a\x61\xff\x5e\x35\x3e\x99\xbd\x7a\x1d\x5c\x83\xb7\xd7\xd8\xd0\xfa\xf0\xdf\x50\x0b\xde\xef\x0d\x0d\x54\x29\x8a\x4c\x93\x85\xdb\x2b\xd6\x0a\xa4\xb0\x58\xc6\x95\xea\x67\xc1\xfb\x10\x22\x2c\x96\x93\xb6\x65\x8a\x40\x39\xd0\xe6\x70\x3d\x06\x61\x17\xe7\x75\x98\x18\x6d\x79\x6e\xf7\x01\xa9\x28\x87\x80\xeb\xb8\xad\xa3\x97\x86\x67\xae\xb0\x9f\x9d\x61\x5f\xc3\xee\xdd\xb5\xc3\x1b\x25\x58\xa9\xcf\xec\x5b\x6b\xcc\xdd\x4d\xfe\x5f\x7b\xc1\x8f\x7b\xcf\xdc\xb8\x3c\xc7\x63\xb2\x2d\x32\xeb\x0e\x2e\x6b\x18\x90\x6f\xbb\xc5\x89\x56\x76\x9d\x48\xe7\x57\x57\x97\xc8\x0d\xb4\x24\xf2\x0d\xff\xb3\x87\x83\xa4\xf4\xac\x48\xf5\x00\x88\x33\xf5\x84\x2e\x42\x3a\x46\x9e\xc3\xee\x52\xdd\x07\x08\x2d\x87\x0b\x14\xde\x27\x36\xc5\x2d\x91\xb6\x0b\x10\x7d\xfd\xf5\x75\xef\x00\xfd\xd3\x8d\x5c\x66\xec\xfb\x3d\xa6\x7f\xf2\xdf\xe2\x3d\xdd\xfc\xa0\x87\x74\x06\x8e\x7d\xa7\xb0\xa0\xb2\x34\x51\x41\xa1\xd4\x26\x14\xc1\x07\x56\x16\x4a\x13\xd0\x36\x21\xbb\x1b\x4d\xf6\x7d\x35\x36\xae\x7a\xe8\xbf\xad\x16\x7c\x43\x0d\x46\x2b\xa4\x01\xb0\x10\xcf\xcc\x38\x68\x62\x6d\x1a\x2d\x63\xa9\x2a\x42\xfb\x29\xb8\xd0\x78\x6f\x0a\x05\xac\x1d\x66\x7a\x3d\x1a\x3d\xbc\xd0\x61\x44\xc4\x03\x55\x45\x00\x68\x66\x78\x16\x3f\xb0\x7c\x81\xf2\x3b\x34\x73\xe2\xf2\xb9\x79\x7e\xec\xf4\x5d\x27\x9b\x7c\x09\xa0\xba\x48\xd5\x5b\x0f\x63\x3d\xa5\x47\xa6\x8e\xd0\xad\xd7\x49\xa2\x50\xa2\x10\xd1\xbd\xa0\xee\x72\x0f\xf0\x04\xa5\x6e\x3b\xb2\xf8\x3b\x0e\xb0\x83\xea\xc3\xd5\x41\x4f\xfa\xaf\x3f\x10\xfc\xc5\xfe\x25\xfa\xab\xb8\x7c\x66\x14\xd2\x9f\xcb\xb4\x97\xca\xdc\xd1\x9a\x60\x48\xf5\x82\xc2\x66\xc3\xc7\xa4\x4f\x58\x9e\xe8\xc2\x21\x85\xb7\xb2\x59\x7e\x27\x3f\x7b\x4d\xb4\xf2\x59\x7e\xd1\xa2\x3e\xd4\x38\x65\x5c\xaa\xdf\xa2\x41\x93\xdf\xc9\x97\x52\xd9\x09\xaf\x15\xef\x19\x0a\x07\x51\xbc\xde\x83\x77\x78\xd6\x8b\xc2\x5c\x0d\x25\x0c\xd4\x45\xbd\xd2\xc3\x8c\x71\xcc\x93\x85\xaf\xb0\x02\xca\x74\x5a\x1b\x14\xff\x14\x59\x88\xa0\xfa\xf6\x0b\xa4\xde\xa3\x4c\x62\xdc\x48\x25\x1d\x40\x6a\x81\xc7\x99\xea\xd5\x93\x23\x53\x47\x78\x26\x7b\x22\x15\x79\x02\xd6\x62\x3b\x36\x8e\x71\x4a\x20\x03\x50\x7f\xe8\x81\x52\x41\x30\xb9\xb1\x47\x28\x6a\xd4\x82\x06\xa0\x5e\x53\x0f\x93\x0e\xd7\x4e\x6a\xc6\x4d\x91\xaa\x84\x26\xbf\x94\xe4\x14\xc7\x4f\x99\x1a\x91\xc8\x72\xd3\x0f\x6d\xc8\xa5\x5d\x20\x94\x28\xa5\x65\xc0\x8d\x87\xd7\xfe\x20\x8c\x9d\xf2\xeb\x06\x2d\x3e\xe7\x82\x5a\x8f\x71\xc7\x53\x9d\x24\x99\x5a\x13\xa9\xee\x94\xcc\xcc\xa3\xa9\x35\xf1\x78\x09\x6b\x11\xbf\xd4\x2f\xac\x89\xc7\x27\x9b\xec\xce\x52\x7e\x95\x56\xd1\x67\xd1\x3e\xb5\xfd\xba\x53\x8d\x82\x74\x3b\xc6\x79\x39\x99\x69\x38\x71\x4b\x2d\x4d\x00\x0a\x47\x35\x42\x60\x9c\x35\x4c\x93\x34\x0b\x58\x8d\x48\x4a\xaf\xa9\x5e\xb7\xd5\x36\x46\x13\x12\xb2\x2f\xc1\x54\xa4\xb8\x82\x71\x48\x31\xb0\x82\x95\xab\xd3\xd9\xdd\xe0\x2a\xc9\x13\xa3\x43\xe8\x2d\x4b\xdf\xd9\x9b\xf2\x77\xf6\x31\x5e\x85\xb5\x80\x30\x0b\x2b\x4a\x8b\xce\xfc\x0f\xee\x0b\x3e\x5f\xb3\x1e\x54\x42\x58\x26\x31\x40\x56\x11\x1a\x36\x94\x53\xe7\x61\x53\x36\x79\xbe\x61\xc0\xfa\xb7\x44\x36\x05\xcc\xe2\xbd\x9e\x8c\x89\xe1\x32\x0f\xe3\x7e\xd2\xcf\x22\x34\x6d\x5b\xc6\xf1\xf3\xc9\x16\x4f\x3a\xb9\x84\xdc\x66\x34\x1a\xc0\x98\xdb\x2d\xd1\xd3\x41\x76\x7f\xdc\x43\x10\x19\x9f\xd2\xa1\xac\xb3\xb8\xdc\x1f\xd5\x82\x0b\xf4\x85\x11\xac\x16\x8d\xf5\x64\x2a\x4f\x92\x28\x9b\xc2\xc6\xe3\x7f\x1e\x5b\x4b\x13\xd1\x6e\x09\xb0\x44\xae\x27\x01\xcf\x36\x92\x2d\x4a\xcd\xdf\x00\x77\x01\x70\xc0\x43\x33\xc0\xaa\xa1\xc6\x61\x43\x8a\x34\x5f\x93\x82\xb8\x09\xd5\x2a\x58\xef\x87\x6d\xc9\x5b\xfd\x2c\x4f\xba\x60\x2f\x2a\x1a\xe2\x4e\x62\xf3\xba\xb7\x0f\x34\xc8\xeb\xde\xf3\xd4\x0e\xb9\x4c\xc6\xdd\x92\x59\xfd\x17\xbd\x77\xd5\x58\xcc\xf0\x55\x5f\x6a\x8b\xf7\x92\x61\xc1\x76\xfd\x9d\xa4\xb1\xc7\x06\xef\x0f\x7c\x3b\x30\x82\xc5\xf0\xc1\x86\x34\x6d\xc7\x49\x70\xcc\xc4\xef\xf3\xd8\x50\x9b\xfc\xef\xdd\x26\x87\x68\x1b\x9b\xc9\xc5\xb0\x95\x26\xaa\x80\xe0\x91\x72\x91\xc3\xde\x1e\x68\x19\xc2\xb8\x98\x03\x8f\x9a\xbf\x25\xb4\x97\x0a\x3d\xf4\x6e\x27\x9a\xec\x8d\x2e\x7e\x8c\x0b\x4d\x87\x57\x66\xc0\x8f\xf9\xbd\x83\xc1\x31\xe7\x49\x15\x2a\xf4\x90\x95\xb3\x1a\x4d\xe6\x27\x0f\xdc\x34\xc9\xed\xc1\x24\xf7\x8b\x36\x3e\xc9\xbf\xdf\x23\x3e\xc9\x3f\xab\xc6\x27\x79\xce\x6c\x48\x37\x8d\xdb\x7b\x34\x6e\xaf\x6b\x58\xa1\x57\x06\x5f\x19\x56\x21\x50\x9b\x4d\xb9\x7b\x48\xa1\x2a\x29\xb0\x7b\x20\x99\x5d\x5a\xe2\xaa\xd0\xac\xfe\xa7\xc7\x56\x9e\x6e\xa2\x0c\xc1\x1f\x91\xd1\x60\xc1\x4e\x9c\xf6\xbf\xc7\x0b\x5e\x51\xf9\x0b\x5e\x5c\x0b\x3c\x60\x34\xd6\x16\xa6\x07\x23\x6c\x00\xa8\x43\x55\xa7\xee\x33\x15\x59\xd9\x5a\xb6\x4d\xb3\x2f\x63\x87\x2d\x3a\x0c\xdf\x49\x04\xf2\xd9\x58\x3f\x8d\xdc\x67\x7f\x77\x90\x9d\x70\xaf\xa9\x49\xd6\x12\x91\xbe\x75\xaa\x2b\xab\x52\x27\xa2\xa5\xa4\x3d\x47\xbf\xa1\xf5\xd4\xff\xd8\xc1\xa0\x31\x0c\xaf\xca\x37\xcc\x27\x18\x29\x60\x3e\x6a\x5e\xf7\x6e\x83\x7f\xad\x8a\x74\x5d\xe6\xcb\xb2\x73\xdd\x3b\xdc\x15\xd7\x96\x25\x5c\xb5\x5d\x21\xfd\xf9\x03\xec\xbf\x7a\xec\x2b\x73\x78\x75\x7e\xe9\x81\x07\xf2\x50\xa3\x6d\x2e\xc9\xb4\xa5\x7a\xbf\x2e\xfd\xf7\x7b\xfa\x68\xfd\x3e\x0f\x5f\xe5\x62\x53\x82\x37\x73\x7e\xe9\x01\xde\x2f\x3e\xe2\x13\x66\x9b\x62\x32\xbd\xe0\x3d\x53\x8e\x85\xec\x20\xdb\xea\xcb\x49\x84\x12\x10\x18\x6b\x00\x8e\xe9\xbb\x95\x26\xed\xa0\x4b\x50\xcc\x02\xea\x2f\xd6\xb8\xe9\x54\x1e\x9b\x8d\xdb\x3d\xa9\xbf\xc5\x63\x76\xc7\xfd\x7f\xa6\x7b\x11\xf6\x7b\x3d\x99\x12\x04\x8d\x0e\x25\x28\x39\xc8\x6d\x76\x92\x4c\x9a\x3b\x46\x31\xce\x77\x1b\x8e\x49\xc9\xb3\xae\x00\xaf\x24\xc4\x6e\x5d\x0c\x63\x5d\xa5\xdb\x9e\xff\x55\x63\x87\xbb\xc5\x8f\xfe\x67\x0d\x51\xf7\x2f\xd5\xac\xe7\x66\x6b\x03\x65\xe9\xa8\x46\xa6\xfa\x6d\xe7\x76\x5e\x34\x0f\xda\x0e\xff\xe4\xed\x64\x2b\x6e\x72\xbe\x98\xeb\x61\x84\x8f\x66\x88\x23\xbf\x54\xb3\x65\xe3\x59\x93\x7c\x5a\x5f\x6c\xc0\x09\x61\x28\xe1\xd7\x95\x16\x7a\x7e\x69\x6e\x05\xd6\x59\xf2\x90\x4c\x13\x8b\x5e\x09\x0d\xd1\x36\xa9\x06\xfa\x86\x50\x7f\xa7\x3d\xd7\x95\x79\x8a\x68\x03\x85\x19\xbb\xc9\xf9\x0a\x4d\xae\x6a\x09\xf2\x97\x88\x8c\x43\xbe\xa3\x5a\x4c\x76\x99\x54\x80\x09\x8d\x31\x69\x04\xee\xa0\xbf\xa1\xc6\x4a\xdb\xc1\xff\xb3\x1d\xf2\xb6\xec\x9d\x39\x9f\x26\x59\x46\xe7\x54\x89\x18\x38\x78\xaf\x67\xac\x26\xc8\x02\x26\x22\x2b\xa4\xfd\xee\xd1\x5b\x14\xd7\x6c\x24\x45\x1a\x3b\xc1\xbf\x46\x0e\xb5\x92\x38\xeb\x23\xcd\x2d\xc6\x70\x02\x07\xa8\xcc\x69\x2f\x94\xc3\xc0\x60\xc1\xae\x0d\x28\x81\x57\x69\x38\x30\x31\x76\x20\x56\x93\xfd\x34\x63\xf7\x8c\xea\xe7\x51\x25\x56\x8f\x8e\x14\x43\xe8\x01\xf9\xcb\x43\xc1\x43\xdb\xbe\x51\x42\xc1\x19\x0e\x69\xde\x5e\x6a\xdd\x4e\x1f\xe8\xd5\x78\xdd\xbb\x9d\xba\x5a\x3c\xb1\x22\x7c\x1d\x39\xf6\xe9\x83\xec\x5d\x1e\x2b\xbf\xef\x7f\xbb\x11\x5c\xaf\x29\xfd\xa4\x37\xd9\xf0\x60\x9a\x8d\xa5\x07\xb6\x2b\x62\xb1\x6e\xd9\xc1\x8b\x46\xd7\x31\x9f\x36\x53\x82\x22\x6a\x11\x97\xd9\x90\xa0\x70\xd7\xe3\x1f\x7b\xec\x56\xf5\x09\x6e\x1d\x75\x77\xf8\x94\xf7\xb4\x43\x8c\x82\x1f\xf0\x9c\xb2\x8c\xe8\x50\x6d\x82\x9b\x83\xfa\x6b\xc4\xa4\xe9\x05\x3b\x2c\xfc\xea\x16\xcd\xb8\x23\x53\x10\x65\x24\x4f\x93\x08\x2e\x7f\x74\x2f\x1d\x16\x9e\xe0\xe6\x12\xf1\xba\x6c\x37\xd9\xb5\xca\xd0\xa1\x35\x1d\x39\x74\xb1\x22\x70\x87\x7a\xd1\xdd\x21\xa4\x68\x78\x42\xdc\xa1\xfe\x6b\xcf\x89\x08\xff\x82\x17\xbc\xc9\xb3\xc2\xbf\x35\x84\xb0\xd4\x24\x43\xfa\x07\x63\x3d\x30\xb8\x2e\xee\x10\xa0\x54\x55\xdb\x0c\x0f\xc3\xfa\x88\xf4\x4c\x4a\x80\xcd\x21\x8c\xd2\x2a\x1f\x6c\x83\x32\x77\xac\xda\x2f\x63\x97\xd9\xc5\xdd\x09\xa5\xed\x37\xab\x09\x9d\x65\x3f\xe6\x99\xd0\xd4\x8b\x20\x2b\x33\xa5\x21\x5d\x74\x1f\x39\x2b\x06\x28\x89\x9d\x8c\x88\x2e\xbd\xe5\xd0\xce\x3b\xe3\xbd\x5b\xde\xe0\xaa\x2e\x60\x1b\x50\x78\xb0\xeb\x1e\x2b\x4b\x00\xff\x0d\x66\xff\xbe\xba\xf4\x13\x2c\xb1\xa1\xf0\xda\xa7\xb5\x77\x75\x78\xe7\x76\xbb\xf6\x7f\xef\x77\x10\xf3\x75\x8e\xc7\xb9\x79\x07\x5e\xfc\x97\xf7\x07\xef\xf5\x96\xed\x64\xec\x73\xe1\x5a\x2a\xf9\xfc\x86\x88\x63\x19\x51\xa8\x57\xb3\xf2\x29\xda\xc9\xc0\x7b\x66\xf1\xa1\x09\x24\x1a\x45\x34\x70\x9e\xc4\xad\x91\x5f\x6b\x33\x57\xb2\x15\xcb\x34\xdb\x08\x7b\xd4\x77\x30\x2c\x02\x4f\xf6\xd9\x0b\x61\xdc\xbf\x06\x1c\x60\x6b\x12\xe6\xc1\x11\xa1\xdf\xb1\x8f\xfd\x9c\xc7\xf6\x77\x32\x30\x4d\x7f\xc0\x0b\x7e\xd8\x3b\x17\x46\x52\x43\x4e\x0c\x7a\x70\xc8\x51\xa4\xd3\x45\x83\xf8\xd7\x29\xbd\x33\x84\xc9\x00\x48\x45\x49\x0f\x76\x6f\xbc\xae\x73\x40\xf8\xd9\x6b\x4d\x1e\xc8\x6b\xf9\xf1\xa0\xce\x83\x6b\x9d\x4c\xfd\x27\xce\x3b\x59\x80\x06\xc4\xb0\x15\x82\xf9\x5f\xdd\xec\x53\xa3\x8e\xe0\x07\xc4\xbb\x6e\xb0\x9d\x6c\x3d\x7b\x96\x8d\x45\xfd\xd8\x8a\xc1\x2e\xb8\xed\xce\xcd\xd3\x7e\xe5\x51\x3f\xa6\x45\xe3\x4c\xf2\xeb\x3c\x0b\x9a\x7d\x33\xd8\xa8\xa6\xc5\x7b\x96\x41\xda\x57\x19\xc3\x56\xbe\xfc\xe5\x97\x32\xff\x5c\x70\x67\x55\x07\xb6\x92\x34\x6a\x6f\x85\x04\xdc\x91\xf1\x09\xf5\xf2\xe4\x36\xd8\x04\x1f\xf0\xd8\xbe\xad\xad\xb0\x9d\xf9\xef\xf5\x82\x6f\xf5\x9c\x32\x29\x00\x11\xca\xe4\x50\x28\x5a\x5f\x3b\xa1\xba\x51\x4f\xc0\x67\x93\xfc\x2c\x66\x5c\xc0\x5f\x4a\xb2\xd9\xce\x72\x25\x2c\x4c\x9b\x61\xb1\xa9\x11\x36\x28\x70\x4a\x42\xda\x8c\x27\x3c\x0b\xbb\xfd\x28\x17\xb1\x04\x8b\xe7\x76\x98\x0a\xdf\x7d\x0b\xbb\x73\x14\x35\xd1\x30\x97\x8b\xff\xff\x1e\x0e\xbe\xab\x36\xfc\xbc\xf0\x6e\x65\x2e\x07\x4c\xd1\x2e\x63\xcc\xcd\x51\x53\x6e\x41\x12\x86\xd6\xee\x9c\x8f\xb4\x03\x62\x3d\x4a\xd6\x84\x95\x60\x49\xd1\x3a\x6d\x8c\x9c\x77\xcc\xc2\x9b\xa1\xc9\x6c\x6c\xf2\x85\x02\xc9\x2d\x8c\x81\xb4\xf2\x94\xfa\x47\x47\x6c\x26\x28\xc4\x54\x27\xab\xd2\x79\xa7\x36\x67\x2a\x08\x6c\xea\x85\x86\x18\x27\xa0\x2a\x23\xf9\x02\x1d\x92\x58\xc5\xd1\xa3\xcd\xeb\xde\x81\x34\x89\xe4\xb2\xec\x38\xdb\xfe\xdf\x1f\xbc\x69\x9d\xb9\x19\x7a\xf8\xc5\xb3\x73\x6e\x58\x66\xce\x47\xf6\x1a\x78\xf8\xe5\xa5\xb8\xc3\x23\x99\x45\x83\xf7\x71\x8f\xe9\x1d\xe0\x7f\x68\x3b\xee\x7c\x47\xca\x2c\xe3\x17\xc1\x37\x79\xf4\xaf\xe2\x9c\xbe\x41\xf9\x50\x50\x15\x17\x05\xd1\x8c\xa8\x55\x10\x6d\x6a\xea\x73\x2b\xd3\x1d\x64\x28\x46\xe2\x98\xc8\xa3\x26\xfb\x26\x8f\x1d\xa4\xb0\x8c\xcc\x7f\x22\x78\x31\x89\x96\x8c\x20\x0d\x2c\x69\x47\xfb\x49\x87\x23\x83\xa7\x3f\x71\xf9\x96\x76\x6f\x30\x74\xc6\x85\xea\x7c\xca\xdb\xdc\xd9\x60\xb8\xe2\xbf\xcc\x18\x0c\x47\x4a\xb7\xc2\x76\x38\x24\xe2\x2a\xc3\xf9\x9e\xbc\xc5\xf1\x69\x88\x5e\x0f\x5c\x76\x0b\x10\x9c\xae\xb4\x1e\xba\xb6\xfe\xf6\xe1\xe0\x7c\xf9\x61\xc5\x0d\x23\x1a\x14\x17\x0b\x37\x9f\xaf\xf8\xd8\x55\x98\x5e\x77\x98\x3d\xca\x6e\x05\xe2\x66\xa3\xb0\x5e\xd0\x7a\xc7\xa9\xd5\x52\xd6\x05\x12\x3c\xa3\x69\x09\xce\x4a\x3b\xf9\xc2\xae\xc1\x52\x48\x9e\x04\x85\x84\x8a\xde\xd2\x45\xaf\x95\x8b\x8e\x93\xb8\x81\xa1\x03\x70\xa8\xec\x54\x07\x9f\x40\x88\x64\x72\xa7\xa3\x77\x18\x6f\x42\x91\x6c\xe5\x49\x3a\xe9\xb6\xe2\x23\x35\xf6\x82\x7e\x6c\xcc\x2b\xa6\xaf\x3f\x6a\xcc\x57\x6f\xa9\x95\x9b\x64\xbd\xbf\x73\x9f\xb9\x0d\x6c\x57\x99\xad\x52\xa0\x7d\xe7\xc8\x43\xed\x5c\xd0\xa4\xdd\x39\xc0\x0a\xdf\x94\x7c\x66\x7a\xfa\x45\x16\xb4\x44\x4b\xf4\x44\x2b\xcc\x07\xe0\x0e\xc5\xfc\x87\x82\xa7\xc8\xad\x43\xb3\x9a\x6b\xd5\x60\x00\xe6\x4e\x5d\x50\x92\x5a\xaf\x63\x73\xa0\x3e\xdc\xc9\x32\xa6\x8c\x87\x92\x29\xf2\x4d\x1e\xbb\x9d\xc4\xae\x19\xbf\x81\x1e\xbe\xf6\x5e\x27\x14\xda\x62\x58\xc5\xb5\x49\x23\x97\xdd\x9e\x3a\x48\x11\xb2\xc4\x69\xce\x37\x7b\xec\xf9\xc3\x13\xda\xd7\x0d\xba\x52\x6e\x50\x69\x32\x27\x70\x31\x03\x32\x86\x36\xc9\x81\x19\x51\xb4\x07\xc4\x5a\x3c\xb9\xfb\x55\xfe\x3b\xea\x9e\x9a\x44\x11\x20\x8a\xcd\x83\x2b\xf7\x13\xe6\xde\xf7\x01\x6f\x1e\x49\x98\x3a\x7c\x43\x64\x1b\xdc\xbc\x58\xa4\x55\x2f\x38\x2b\xc9\xfe\xbb\x3a\x61\x84\x40\x68\xb5\x63\x13\x4a\xe3\x62\x33\x09\xdb\x42\xc9\xf2\xae\x6c\x6d\x88\x38\xcc\xba\xe8\x75\x0d\xf3\x22\xe7\xc3\x4a\xb4\x81\xc8\x70\x63\x95\x95\x5b\x4a\x5d\xa1\x81\x5c\x91\xa5\x0e\xfe\x85\x6b\x87\xf8\xbc\x17\x5c\x5c\x76\x51\x22\x49\xdf\xb1\x56\x19\x88\xa2\x02\xf9\x56\x58\xa3\x77\x24\x73\xd1\x0b\x1c\x09\x7e\x17\x3b\xc9\x8e\x8f\xbe\x84\x0f\x09\x49\x27\xd3\xf6\x19\x4f\x8e\xbd\x52\x69\xfb\x79\x89\xb6\xfd\x9c\x50\xd3\x35\xd2\xb2\xe3\x6c\x6b\x2b\x0d\xd4\x15\x4e\x5e\xe5\xc5\x7c\x41\xc8\x6e\x12\x9f\x25\xdd\xc8\x7f\xbb\x17\xcc\xbb\x8f\xb6\x4b\x7e\x35\xa0\xb1\xf8\x89\x51\xb1\x9a\xd7\xbd\xf1\xa5\x24\xcd\x9d\x53\x60\x8e\xdd\xc7\xe0\xa9\x7f\x4a\xaf\xd9\x40\xfd\x69\xed\x1e\x50\x06\x00\xda\xcc\x94\xe4\xf4\xe1\x17\x6a\x0e\xaa\x85\xee\x03\xea\x35\xe7\xd4\x6a\x5d\x21\xc9\xec\xbf\xbd\x16\xdc\x57\xf1\x9c\x44\x37\xf2\x98\x19\xcd\x5d\x09\x48\x58\xeb\x8e\x36\x7e\xdd\x3b\x04\x4f\x97\x44\xbe\xe1\xe2\x90\x7b\x6c\xc3\xb9\x08\x3c\x14\x5c\x2c\x61\x7e\x90\xd2\xaf\xfe\x79\x4e\x97\xa1\x04\xb7\xba\x07\xe7\x12\x50\xdc\x94\xdc\x52\x4b\xb6\xee\x38\x1b\x82\xcd\x99\xa0\x84\x36\x52\xb4\xc2\x3f\x17\x9c\x5e\xa2\x70\xc0\xdc\xa0\x44\x03\xd6\x72\x04\x91\xa7\x65\x6e\x46\x82\x41\xc9\xca\x68\xc9\xbf\xbf\xdf\xc9\xe0\xd3\x03\xa9\xa3\x3f\x5f\xd6\x4f\x72\x01\x3e\xb5\x0f\xed\x0f\xee\x1f\x7a\xea\x5c\x74\xb4\x10\xdd\x40\xa7\x39\xa8\xd3\x79\xc2\x65\x8c\xf7\x7a\xb5\xf3\xe1\x43\x57\x25\xf8\xbd\x7d\xec\xbf\x79\x6c\x5c\x7d\xe4\xff\xba\x17\xbc\xc1\x83\xcf\x5d\x43\x63\x55\xc9\x86\x20\x40\x89\x95\xb6\x85\x03\x7e\x83\x5c\xf7\xe8\x12\x9b\xd2\xdf\x37\x5e\xad\x9a\x98\x4d\xbd\x67\xfb\xa0\xd9\x21\xdd\xba\x69\x1a\xf0\xb2\xbe\x88\xf3\x30\x1f\xd8\xb9\xac\x9f\xaa\xb1\x5b\x01\xbe\xc7\xac\xca\x5f\xac\xb1\xe6\x8e\x78\x28\x2b\xf6\x27\xc1\x77\xd5\x9c\x22\xd0\xf3\x94\x25\x43\xc1\x26\x9d\x30\x82\x68\xcf\x28\xbc\x4a\xa0\x41\x9a\x72\x41\x69\xc6\xa8\xbb\xc0\xc8\xe9\x24\xbe\x54\xb4\xae\xa2\x04\x11\x1c\xba\x0f\xe7\xb8\xbc\xd6\x4b\x31\x35\x1a\x7d\x24\x4e\x63\x2e\x83\x71\x2a\xa9\xce\x01\x30\x18\x93\xfa\x82\x79\x0e\xf0\xa0\x8a\x7b\x5b\x82\xad\xa8\x93\x69\x03\x9b\x38\x77\x69\x81\xbb\x1d\x9c\x08\x3b\xd6\x0a\x0e\x91\xe2\x64\xb2\x6e\xac\x24\x3a\x58\x94\x7d\xbf\xc7\xf6\x63\x29\xfe\x5b\xbd\xe0\xda\xdc\x88\x01\xb9\xb1\x41\x80\xbb\x47\x09\xb4\x5f\xad\x49\x1c\x21\x1d\x43\x28\xa2\xa8\x92\x9a\xa8\x64\x94\xf9\xd3\xdb\x9d\x70\xb9\x76\x98\xb5\x92\x4d\xb5\x7c\x36\x67\x9a\x46\xe4\x7e\xe2\xf6\xe0\x9c\x11\xb6\x0e\x40\x25\x09\xd7\x28\x59\x0f\x5b\x22\xe2\x01\x45\x34\x07\x45\x10\x18\x62\x3e\x52\x1c\xb2\x12\x58\x86\xce\xc5\x75\x5e\xdf\xc6\xfe\xb8\xc6\x8a\x1f\xfd\xcf\xd4\x82\x1f\xa8\x15\xd4\x2f\xda\x36\x61\xa4\xae\xc1\x4c\x81\x96\xe8\x9f\x49\x1f\x48\xad\x90\x5b\xd9\x1e\x46\xef\x6e\x25\x69\x0a\x74\x13\xf0\x50\x77\x6d\x25\x0a\x5b\x52\xd3\xcd\x40\x24\x2e\x61\xc0\xcf\x83\x0b\x0f\x6e\xee\x6a\x92\x88\x68\xc1\x42\x23\x55\xd7\x61\x90\xcc\xa6\xbd\x24\xe7\xa0\x81\xd7\x74\xf8\x68\x98\x02\x46\xab\xd2\x5f\x01\xb8\x3f\x34\x0c\x26\x50\xae\xb6\x5b\x39\xae\x51\x2a\x92\x34\x58\xc4\x16\x01\xd7\xf4\xcc\xf4\xf4\x36\x13\xbb\x03\x84\x46\x26\x73\xc6\xde\xea\xea\x32\xaf\xf7\xd8\x5d\x23\x77\x7e\xe5\xc2\x28\x20\x79\x82\xc5\xd6\x10\x3c\xcf\x28\x04\xa2\x6a\x78\x24\x33\xb1\xec\x67\xc6\x98\x5f\x30\x24\xac\x12\x5a\xab\xff\xc3\x63\xc1\x37\x8d\x0d\x3f\xb7\xd2\xb5\xf4\x13\xbb\x5a\x1d\x31\x0e\x06\x2f\xbc\x6e\xaa\x23\xa7\x8c\x64\x5c\x94\x6b\x99\xe0\x2c\x94\x04\x93\x4f\x63\x95\x81\xa9\xc8\xf8\xfb\x44\x9c\xf0\x2c\x49\x62\x1d\x37\x60\x01\x7e\x6d\xce\x34\x8f\x1e\x9f\x6c\x72\xfe\xf2\x8d\x30\x72\xd0\x9b\x5b\x22\x86\x5b\x3e\x89\x23\x3b\x44\x58\x1d\xc2\x88\xf2\x63\x81\xca\x6f\x42\xb5\x75\x93\x1b\x26\x72\x75\x2d\xc0\xc3\x0c\x9d\x0a\x79\x62\x43\x3c\x64\x61\x44\x81\xf7\xc0\xad\xd0\x6e\xf2\xd5\xaa\x21\xa2\xc0\x88\x4e\xd2\x8f\x0d\x4e\xd1\xe3\xb0\xf4\xe2\x36\xe0\xef\x42\x76\x27\x34\x39\xd3\xa0\xd0\xcd\xf7\x94\xd6\x9b\x7d\xa8\x7c\x9b\xc7\xf6\x6d\x84\x71\x0e\x4b\x6a\x34\xb8\x56\xe5\x92\x3a\xaf\xbe\x0b\x2e\xc1\xe7\x23\x16\x52\x41\xce\x01\x42\x7d\x23\xd9\x02\x73\x8a\x96\x4f\x05\xbc\x04\x7a\xde\x95\x1c\xfe\x64\x8d\x1d\xd4\x88\xfd\xfe\x47\x6a\xc1\x4f\xd6\x0c\x7e\x7f\x95\x60\x31\x33\x44\xb9\x58\xda\x63\xd6\x32\x72\x00\xc0\x28\xf0\x03\x18\x7e\x84\xf0\x5b\xef\x87\xd9\x86\xf5\x03\x18\xf6\x50\x98\xc3\xf5\x14\x03\xbe\xc3\x98\x2f\x5c\x5a\x41\x5b\xd2\x64\x93\x5f\xd4\xdc\x05\xc5\x77\x18\x03\xa2\x73\xfa\x21\x0f\xb6\xe0\x1b\x70\xba\x17\xb6\x21\x2f\xab\xd3\x8f\xd7\xe1\x60\xc3\x1a\x0a\x16\x7b\x0d\x5b\x85\x75\x4e\x16\xce\x1e\x08\x48\x69\x89\x4c\x16\xd8\xcc\xaa\x51\x17\xc4\x9a\x8c\xf8\xc4\xf2\xb9\x79\x3e\x33\x73\xf4\xd8\x24\x02\x33\x0c\x73\x59\xfc\x96\xc7\x0e\xea\xa5\xe1\xff\x27\x2f\xf8\x59\xcf\x2c\x94\x12\x68\xbe\x9d\x07\x7c\x29\x69\x63\x4f\x0c\x6c\x44\x69\xd4\x4b\xfc\x1c\x45\x0a\x7f\x31\x36\x51\xd2\x42\x70\x4e\x01\xc5\x39\xd3\xa5\x11\xa0\x29\x74\x05\x96\x07\xc4\x57\xdb\x02\xfe\x92\x59\xd1\x56\x00\x8c\xd3\xb9\x6f\xf7\xd8\xa1\xdc\x44\x98\xbc\xce\x63\xd3\x3b\x2a\x44\xe5\x70\x92\x4b\xe6\x7b\xb4\x1e\x3b\xc1\x25\xc2\x46\x45\xd0\xc7\xbc\x52\x01\x9c\xa1\xb3\x47\x87\xbd\x84\x8d\xab\x2d\xe9\x9f\x09\x4e\xc0\xd6\xac\xc0\x98\x79\x48\x3d\x77\x3e\x43\x00\x43\x35\xf9\x4e\xf7\xde\x51\x63\x27\x77\x20\x68\x3a\x17\x25\x5b\x0b\xc5\x92\x96\xe9\x45\x99\x6f\x24\x6d\xff\xb3\x5e\x70\x76\xc4\x6f\x16\xcd\x1b\x39\x9b\xd5\x43\xb8\xee\xaa\x1a\xec\x1d\x02\x11\x22\xe3\xea\x28\x72\x54\x80\xd7\x7b\x80\xf9\x09\x47\xd4\xe3\x41\xf7\x8a\xfa\xc7\x15\x63\x4a\x52\xc7\xb1\x52\x99\x86\xca\xd2\x55\x01\x3b\x99\x71\x58\xe2\x91\xac\x14\x81\xe0\xcc\xe0\x81\x4c\xa6\x01\x2c\xf4\xe0\xcc\xc0\xe0\x77\x06\x4d\xbe\x5c\x05\x60\xff\xa7\x35\xf6\xb2\xa7\x8d\xfd\x3d\x0f\x01\xf1\xfa\x3e\xf2\xa0\xd9\x3d\xfe\xf5\x5a\x70\x71\xd4\x8f\x2e\xaf\x64\xb1\xe5\xa8\x6b\x78\xa7\x70\x3f\x2e\x01\x1b\x7e\xd8\x63\x1f\xf4\xd8\xed\x49\x4f\xc6\xea\xce\x78\x0c\x41\xc3\xfd\x77\x7b\xec\xc1\x51\x6b\x77\x6f\xa0\xe6\xc1\x4b\x4b\x75\xe9\x89\xba\x8c\x8f\xf9\xe6\x31\x73\xc3\x44\xf0\x76\xd5\x07\xab\x6b\x20\x76\xd2\x7e\x0c\xdc\x18\xff\xf9\x90\x73\xf3\xd7\xa6\x8d\xc2\x08\x03\x11\xed\xef\x3d\x14\x94\x1e\x55\x85\xb4\x17\x6f\x8c\x08\x66\xff\xa6\x9b\x5e\xb2\x3d\x7b\xc9\xfe\x9d\x21\x75\xfe\x71\x2f\x48\x34\xa9\xb3\x3d\xf4\x37\x7a\xdd\xdd\x4a\xd2\xab\x51\x22\xda\xd9\x54\x61\x1e\xca\xa6\xc8\x62\xae\x1a\x53\x3c\xb6\xb5\xde\x29\xd6\x60\xff\x74\x47\x1b\x59\xd1\xb0\x9b\xfe\xbd\x9b\xf4\xce\x36\xbd\xf3\xd7\xee\xec\xf1\x3a\xe1\x1f\x2b\x90\xb9\x7b\xbd\xcc\x38\xb7\x5c\x59\x54\x8e\x8c\xff\xc2\x61\xe7\x66\xbd\xa6\xee\xe5\x45\xbc\x43\x9a\xc4\x2f\x49\xd6\xfc\xff\x78\x38\x98\xa5\x7f\x97\x15\x27\x87\x21\x8b\x30\x57\xf1\xb6\xdd\x4a\x93\x98\xbf\x2a\x59\x73\x8f\x80\x77\xb2\x9b\x6b\x7b\x0f\x6b\xfb\x57\xed\xb5\xfd\x31\x6f\xaf\xde\xeb\x27\xbd\x6d\xdc\xd7\xcf\x59\xae\xce\x5f\x69\xb0\xfd\xff\xe5\x6d\x43\xee\x56\xb9\x34\x01\xed\xe5\x43\x5e\x25\xdc\x8b\x36\x7b\xae\xc9\x0d\xb1\x19\x62\xa4\x8b\x30\xcb\xb2\x4e\x58\xf1\x7a\x7d\x11\x09\xd6\xb3\x3f\xb3\xaa\xa7\x0d\x11\xb7\x1b\x68\x59\x60\xbf\x52\xd0\x7b\x7c\xcc\xdb\xc6\x93\x52\xdd\x7f\x84\x79\x7e\x93\x37\x5f\x11\xfa\x6c\x76\xe0\x73\xdd\xa5\x9b\x8a\xcb\xde\x14\x97\xa7\xbc\x97\xef\x2c\xf0\x8f\xfb\x47\x8d\xc0\x87\xb5\x51\x84\x33\xe0\xda\xa8\x8c\x61\xf8\x8d\x83\x6c\x72\x38\xc0\xa2\x22\xb2\x0d\x74\xd9\xf7\x1c\x0c\x5e\x5c\xfd\x53\x65\x9a\xe6\xd0\x9b\x59\xa5\x6a\xfb\xa9\xfd\x37\x57\xc8\x5e\x55\xdb\xbe\xd6\x6c\xa3\xe0\xab\x17\x87\x59\xff\x2b\xa6\xc2\xd6\x47\x4f\xb1\x13\xdb\x98\xbc\x46\x2f\x8a\x9b\x67\xf7\x1e\xce\xee\x8e\x75\x74\x3f\xb4\x37\xad\x74\xbb\xa8\xb3\xa7\xbc\xfe\xce\xc2\x63\xd9\x5f\xda\x53\x7c\x54\x95\x2a\xf9\x23\xfb\xd9\x63\x7b\x4b\xb2\x74\x8d\x07\x0b\x66\x78\x8c\x05\xdf\xff\x0f\xfb\x82\x57\xec\xf8\x56\x61\x91\x6d\xcb\x5c\x84\x51\x11\xb8\xa1\x8d\xfa\x05\x62\xb9\xe1\xa2\x4f\xda\xda\xdc\x73\xdd\xa3\xf3\xd8\x11\x5a\xbf\x38\xce\x5e\x4d\x66\x9f\x30\x78\x04\x0c\x3d\x25\xa3\x4f\x6e\x43\xa1\x37\xf9\x2a\xd8\x76\x88\x90\x86\x9f\xcd\x72\xb1\x16\x85\xd9\x86\x6c\xd7\x39\x18\x77\xe6\x5a\xea\x4a\x49\xb9\x6b\xab\x14\x7b\x63\x62\xe4\x69\xcd\xbc\xdb\x63\x7e\x24\xb2\x7c\x35\x15\x71\x06\x05\x43\x02\xcf\xb7\xee\x21\x81\x67\x65\xb8\xbc\x52\xf6\x4e\x31\x3a\xb9\x79\x4d\x63\xde\x24\xb1\x01\x9f\xcf\x13\x2e\x62\x30\x19\x37\x99\x64\x07\xba\x32\xcb\xc4\xba\xf4\x1f\x0a\x2e\xd2\x3f\x51\x34\x6c\xf4\xbb\x22\x6e\xa4\x52\xb4\xc1\x55\x60\x7e\xc3\xe4\x15\x25\x22\xf4\x2c\xa1\xf3\x05\xdb\x62\x2a\x76\x86\xe3\x55\x6c\x3f\x32\x17\xf8\x57\x82\x15\x22\x37\x80\x4a\xfa\x71\xf8\x6a\x25\xae\x93\x58\x36\xb6\x92\xb4\x5d\x2f\xb6\xbb\x21\x41\xd0\x6b\x40\xf7\xee\x48\xb6\x6d\x5d\x0f\x19\xb5\x6c\x29\x98\xcf\x9c\x20\xbe\x11\xe8\xfb\x20\x79\x0a\xf8\x7b\xc0\xe0\xaf\xf3\x07\x62\xa0\x66\x70\xca\xfe\xc3\x71\x36\xb3\x43\xa6\x8a\xd1\xd2\x4d\xbe\x8a\xff\xbe\xf1\xe0\x5b\xbd\xe1\xe7\x25\x48\x4b\xbd\xc6\x0d\x35\xbe\xd0\x89\x8b\x94\x2c\x87\xbe\xce\xab\x43\xc6\xdd\x89\x8e\xcd\x4b\xba\x11\xe6\x59\xa3\x27\xd3\x46\x06\xe1\x55\x80\xaa\x13\x17\x9c\xc7\xf0\xc9\x64\xf3\xba\xb7\x1f\x0b\xbf\xee\x1d\xa0\x8a\x31\x89\x0e\xb2\xf2\xda\xd8\x58\x67\x1f\xfd\x8f\x1a\xfb\x7a\x8f\xe9\x97\xfd\xc1\xf6\x68\x63\x23\x12\x78\x1e\x54\x7d\x23\xdd\xf7\x94\xb5\xa9\x87\xd9\x4d\x6c\xba\x6c\x1d\x13\x83\x2d\x66\x8f\xb2\x72\x43\xfd\x97\xb0\xf3\x37\xd4\x9a\x6d\x72\x35\xd9\x93\x1e\xa3\xb1\xf1\x07\xa3\xef\x69\xdb\x74\x72\xd1\xe4\x44\x04\x77\xe9\xdc\x55\xfd\x88\x24\x0f\xe6\x66\xd0\x8f\x6b\x03\xb4\xb4\x2b\x79\xa2\x03\x2b\xd9\xf7\xec\x67\xff\xa8\xc2\x13\x70\x36\xde\x7c\x50\xa4\xfe\x5f\xed\x0b\xe6\xf0\x9f\x8e\xc3\x3c\xe6\x32\xde\x0c\xd3\x24\xee\xe2\x10\xa6\x21\x46\xe2\xe1\x0b\x88\xc5\x68\x60\xa6\x9b\xc4\x7e\xec\xcc\xf2\x0f\xed\x63\x97\x88\x18\xeb\x5c\x70\xfa\x92\xe5\x00\xa8\x2a\xd9\xce\xee\x99\x7f\x6c\x71\xe1\xec\xa5\xd5\xc5\x73\x8b\x67\x97\x9d\x3d\xf3\xa1\x31\xb6\x0f\x66\xd3\x7f\xdf\x58\xf0\xce\xb1\x07\x75\xab\xac\xd8\xe3\x3b\x26\x1e\x9c\x5b\x7e\xec\xd2\xdc\xc5\xb3\x93\xc8\xd9\x71\xad\x27\x20\xb1\xbe\xe0\x99\xed\xa5\x72\x33\x4c\xfa\x05\x26\x57\x55\x7b\x1c\xc7\x38\x62\x69\x6b\x6f\x66\x01\x55\x56\xf1\x19\xc4\x3c\x88\x62\xc0\x46\x85\x5b\x17\x7e\x16\xaa\x27\x8c\x7b\xfd\x5c\x2b\x51\x26\xbd\x3c\xd6\x19\x8d\xe0\x35\xb0\x3b\x97\x0d\xe2\x5c\x5c\x33\x9e\xa4\xac\x25\x7a\x05\x38\x76\x3b\xe9\xab\xca\xef\xb8\xa3\xce\x43\x39\xcb\xef\xb0\x3e\x6c\xf2\xb3\xf4\xae\x35\x6a\x98\xc8\x21\x37\x31\x32\x55\x8f\x59\x9d\xa7\x72\x5d\xa4\xed\x08\xb6\x7b\xc7\x61\x80\x34\x1d\x24\xd7\x0d\xa6\x1d\x36\x9d\xa4\xa5\xc0\x8d\xbe\x7a\xb3\xc7\x0e\xc1\xec\x9d\x4b\x93\xae\xff\xe4\x76\xc1\xf0\xee\x1a\xc5\x44\xb7\x60\x79\xa5\xc0\x4b\x18\xb5\x8c\x8e\x64\xb8\xdd\x1d\x0d\x30\x93\x6d\x1e\x76\x8a\xa4\x6d\xf5\x1c\x10\xfd\x9b\xec\xf7\x5d\x10\x26\x5d\xef\xf9\xd5\xd5\xa5\xfb\x65\x3e\x07\xf7\x1a\xff\x67\xf7\x05\x2f\x76\x9e\x58\x39\xc7\x05\x99\xa8\xc1\x2b\x53\xaf\xf2\xfb\x65\x6e\x34\x52\xb5\x3d\x7a\xe5\x10\xbe\x3f\x1a\x67\xa7\x08\xb6\x6e\x2a\x08\x20\x12\x4d\x9d\xa6\xc0\x33\xa6\xc1\x58\xa1\x24\xd2\x9b\xec\x91\xfc\xb8\xc7\xa0\x40\xff\x67\x76\x6d\xfe\xe9\xe7\x61\xd4\x0c\xe3\x3c\xcb\xd3\xe6\x62\x9c\x6b\x2a\xd7\xe0\x09\xdc\x98\x69\x29\x72\x90\xf8\x67\x4b\xed\xb1\x30\xd9\x89\x3b\x40\x07\x12\xd1\x22\x4e\xd5\x62\xe5\x33\xea\xcb\x93\x27\x4e\x1c\x3b\xd1\x04\x3d\xc7\xbc\xa5\x4e\x8f\xb9\x4b\x73\x8f\xad\x3c\x38\x0f\x8b\xb1\xc9\x96\xd9\x7e\xb8\x84\x49\xff\x7c\x70\x37\xf8\x67\xa4\xed\x86\x69\x25\x71\xac\x2e\x97\x2e\x9d\xbd\xbb\xca\xd4\x20\x39\xa3\xf3\x04\x1b\x57\x6f\xf9\xfd\x60\xe3\x7c\x92\x21\x1d\x2b\x25\x11\xc7\x08\xb9\xee\x86\x09\x12\x0a\x04\x5f\x5c\x6a\xf2\x57\x24\x7d\x20\x67\x10\x6b\xd1\x80\x6f\x09\x0c\xed\xce\x64\xce\x03\x55\x54\xa0\xfa\xa9\xae\x0b\xe7\xa5\x68\x03\x5a\x1c\x05\x19\x94\x96\xf9\x61\xeb\x1d\xff\x5f\x78\xc1\x3c\xea\xab\x7c\x83\x3e\xa3\x32\xf5\xa0\x69\x00\x42\x98\x6e\x83\x1a\xd2\x83\x88\x6e\xfd\x4d\x73\xf7\xbe\x04\x7b\x11\x63\x23\xd8\xf7\x1d\x60\xcd\x8a\x37\x96\xd4\xb1\x95\xe5\x32\xce\x31\x35\x70\x3e\x12\x61\x97\x34\x8d\xff\xbe\x3f\xb8\xbc\xcd\xef\x5a\x0f\xaa\xca\xb7\xef\x99\xcf\x74\x9a\x5f\x4b\x7d\xe8\x5a\x81\xdf\xb8\x9f\xfd\xaa\xc7\x0e\xe3\x02\xbb\x98\xb4\x65\xe6\xff\xbc\x17\xbc\xdb\x9b\x2b\x1e\xb8\xc7\x39\x31\x7b\xd1\x8a\xec\x26\x9a\xe2\x91\xaa\x58\x13\xc0\xa0\x0b\x8f\x96\x1e\x9c\xe7\x1b\xe2\xc6\x5d\x3b\x84\x2b\x33\x55\x74\xa0\x41\x99\xae\x2f\xc4\x6a\x1b\x50\x6d\x63\x66\x9b\x38\xb5\xb7\x79\xec\xa0\x8e\xfb\xf7\xbf\xd1\x0b\x4e\x97\xa2\xae\xa9\x1b\x0e\x37\xbf\x7a\x0e\x3c\xdf\xd1\x00\xae\xd0\x98\xb1\xfb\xcc\x06\x50\x7e\xbc\xe6\xc4\x50\xfd\x54\x2d\x78\xb3\xb1\x18\xce\xdb\x77\xa1\x51\xb3\xa7\x0e\x36\xab\x91\xc3\xaf\x85\x99\x61\x92\xcc\xc0\x38\x92\xeb\x58\xa4\xf9\x21\x76\x28\x80\x95\x48\xf8\x91\x65\x78\x75\x25\x17\x69\x2e\xdb\x47\x9c\x45\x3e\xcf\xe6\xd8\x7d\x3b\x2e\xf2\xca\x25\xfa\xec\xc6\x97\x2f\xb3\x7d\xbd\x0d\x91\x49\x7f\x31\xb8\x67\x69\x03\xaf\x17\xae\x43\x84\x86\x15\xde\x52\x43\x5a\xd9\x48\x47\x68\x7c\xf6\x40\x65\x34\xf6\xcb\xfa\xc9\xda\x20\x97\x4e\xbe\xf7\xbf\x3b\x10\x7c\x83\x9b\xef\x4d\x6f\x61\x9a\x34\xe1\x5b\x8b\x4c\x47\xf9\x87\x1d\x09\xd7\x3a\xdc\x9a\x49\xbb\x69\xde\xd7\x59\xdc\xc4\xec\xb1\x6d\x32\x77\x92\x56\xe5\x72\x5f\xf7\x0e\x12\x73\xc7\xe0\xba\xb7\x1f\xcb\x73\x76\xf9\x37\xef\x67\x2f\x63\xe3\xfd\x4c\xa6\x6a\xb4\x1e\xc8\x10\xcb\xa0\x2b\x7a\x7a\xd1\xd0\x76\xce\x13\x47\xa6\x67\x32\x0d\x37\x5b\x52\xb4\x10\x54\x4f\x7d\x6f\x8f\x56\x9b\x51\x5d\x10\x2d\x6e\x56\x9f\xb1\x41\x51\x8c\x4a\x91\x7e\x1b\x73\x11\x61\xfa\x08\x25\xca\x94\xc6\x40\x2b\xce\xce\x9c\xdc\xaf\x69\x24\xef\x0d\x66\x90\x35\x72\x87\xa6\x13\x4b\x2a\x7c\x64\x17\x54\x4e\xf1\xde\x36\x71\xbb\xd4\x30\x4c\x41\xd7\x99\xf9\xa0\xde\xa9\xa2\x1a\x90\x0b\x68\x51\x88\x37\x87\xd3\xc5\xdd\x14\xef\xdf\x85\x46\xe0\x5c\xf9\xff\xc5\x0b\x7e\xc1\x5b\xa6\xbf\x2a\x03\x65\x93\xb4\x08\xce\xd2\x4d\x32\x1f\x90\x06\x9c\x59\xb1\xc5\xc2\x1a\x7e\x91\xc1\x31\x3d\x0b\xab\xa9\x27\xc2\x94\x4f\x74\x8b\xd8\x31\x64\x46\x82\xbc\x2a\xc2\xe3\xa4\x7e\xb5\x92\x6e\x57\x64\x93\x14\x54\x26\x20\xb3\x80\x36\x94\xfa\x0a\x84\x26\x35\x00\x42\x34\x70\xf5\xda\x03\xfd\xbd\x1e\xdb\x9f\xcb\x58\xc4\xb9\xff\x66\x2f\x78\xd2\x5b\x85\x7f\xab\x05\xad\x4f\x06\xbc\xfd\x95\xc6\x98\xce\x61\x8d\x50\xfc\x40\xa6\x5b\xd4\x1e\xc4\xa2\x4b\x80\xa0\xc0\x46\x47\x56\xe8\xd2\x06\xaa\x17\xaa\xa5\x05\xda\xd4\x03\xd2\x07\xbb\x79\x7f\x74\x1f\x3b\xff\x4c\x85\xb5\xf8\xef\xb8\x2f\x78\xb8\xcc\xba\x1f\x6a\x2a\xfe\x06\x85\xba\x14\x70\xbc\xae\x7b\x6c\x21\x15\x9d\x9c\x1f\xe7\x13\xea\x54\x9c\x9d\x9a\x7a\x55\x96\xc4\x0d\xb4\x86\x37\x93\x74\x7d\x6a\xd2\x3d\xab\xdf\x77\x2f\xbb\x83\xdd\xda\x0d\xe3\x25\xe4\xdb\x0b\x65\xe6\xbf\x80\xf2\x69\x9c\xa4\x92\x1e\xdb\x27\xe2\xc1\xe5\x8e\xbf\x6e\x4b\xf2\x87\xd8\xd7\x3e\x5b\xd1\x3d\xdb\x42\xa2\x7d\x2d\x3b\x40\xb6\x0c\xff\x22\x7b\xe9\x33\xd8\x00\xb6\xa1\x4d\xef\x8f\xb1\x47\x9f\x9d\x8e\x5d\x4e\xe7\xd4\xe0\xb1\xaf\x62\x07\xbb\xe2\x1a\x98\xf7\xab\x87\x9c\xb3\x43\x5d\x71\xed\x82\x8c\xd7\xf3\x8d\xea\x37\x9e\x60\xcf\xef\x89\x3c\x97\xa9\x3d\x7d\x1b\xef\x79\x36\xa7\xc5\x56\x3c\x62\x76\x8b\x2c\xf0\xf1\x32\xff\x95\xec\x91\x67\xa8\xd2\x4a\xd8\x3d\x58\xa9\xe2\xda\x4e\x2b\x55\x8d\x6b\x18\x6f\x33\xae\x5f\xc9\x0e\x10\x05\xa2\xff\x02\x7f\x3f\x5e\xa8\xa1\x5b\x44\xf7\xf9\x4f\x18\xd3\x42\xed\x72\xa7\xfa\x95\x2f\x65\x07\x68\xe0\xdd\x75\xf9\x02\x36\x7e\x47\x2a\x3b\xee\xc3\x36\x1b\x97\x71\xbf\xeb\x3f\x62\xef\x9c\xcb\xec\x19\x5e\xb8\x5f\xad\x0e\x01\x0c\x25\xf4\xbf\x6c\x1b\x2d\x56\xf5\x5e\x5c\x1b\xdd\x7b\xb5\xea\xc2\x78\xbb\x55\xf7\x02\xb2\x94\x3b\xc5\x7e\xc3\x58\x89\x58\x33\x8c\xf3\x46\x92\x36\xf0\x67\xff\xf3\xb5\xe0\x37\x6b\xa3\x7f\x77\x22\x37\x35\xb2\xb3\x11\xbd\x9a\x9d\x35\xe6\xd4\x04\x0e\x39\x33\xf8\x29\xa5\xc1\x53\xc6\x2f\x51\x93\x12\xad\x9f\x36\xe4\x3b\x04\xab\xea\x99\xc8\x78\x6b\x23\xd4\xa9\x6c\x83\xcb\x10\x22\x0b\x67\x6e\x9e\xa3\x49\xa1\x90\xaf\x95\x18\xe8\x34\xfb\xd9\x2c\x63\x33\x93\x58\xc4\x2c\xe3\x9c\x23\x7b\xe8\x2c\x37\x7b\xb8\x78\x44\x03\x75\x74\x52\x35\xc7\xbc\x5e\x7c\x5a\xf9\xf1\xd0\xe7\xf0\xa4\xd9\x6c\xf2\xc7\x65\x9a\xc0\x59\x9e\xa4\xd2\x51\x07\x7e\x67\xff\xc8\xac\x8b\x8f\xee\x0f\x3e\xb0\xbf\xfa\x37\x0e\x46\x15\x4d\x49\x02\x4b\x07\xd4\x8d\x7e\x0a\x63\x6f\xc8\xae\x31\x71\x0d\x43\xf8\x29\xf0\xd9\x2c\x46\xb4\x06\x68\xcc\xa1\x3e\x19\x4d\x22\xb0\x22\x69\x57\x2b\xa4\x15\x1f\x2b\xa7\x41\xe1\x30\x5e\x11\x79\xd2\x0d\x5b\x57\x66\x49\xbd\x45\x47\x74\x4e\x7a\x9d\xb0\x74\x18\x09\x97\x20\xa4\x2d\x57\x4f\x5b\x22\x12\x29\x31\xd8\xce\x41\x21\x54\xad\xbe\x95\xa8\x0f\x52\x09\x20\x0b\xbd\x48\xb4\x1c\x02\x41\xb4\xc1\xd9\x1d\xc1\x82\xec\xc8\x7b\x30\x90\x0f\x8c\x37\x08\xda\x36\x81\x38\xd5\x75\xaa\xbe\xae\xa6\x65\xb2\xa9\x26\xf8\x4a\x26\xf3\x2b\x34\xa9\x2b\x92\xe0\xfb\xb1\x41\x45\x9e\x95\x52\xcc\x61\x34\x8c\x06\x85\x48\xac\x26\x64\x1c\x82\xee\xc9\xe6\x75\x56\x40\x08\x00\xe7\xb4\x2b\x8c\xdd\xc5\x54\x6e\xdc\xe3\x58\x80\x33\xcb\x5d\xd1\xc3\x49\xd6\x23\x0c\x1b\x88\xba\x89\x73\x3d\xfc\x51\xb1\x34\xf4\x57\x4d\x76\x6c\x92\x5f\xe9\x8a\x9e\xee\xdb\xea\x86\xcc\x74\xc7\xb0\x8b\x57\x81\x12\x93\x4c\xac\xb0\x91\x65\x98\x6a\x40\xfa\x0c\xfb\x2b\x20\x21\x3d\x8c\xdb\xf2\x1a\xbf\x2a\x07\x58\x94\x8e\xb7\x27\x23\x38\x28\x5a\xdd\x26\xbf\x9c\xb6\x91\x9c\x08\xf4\x58\x48\xe6\xed\xf7\x20\x2a\x39\x5d\x97\x68\x3a\x55\x7a\x7b\x2e\xd6\x69\xce\xaa\x56\x20\x79\xce\xa1\x8b\xa6\x29\x6a\x4b\xc3\x6c\x62\x4c\x01\xb3\x95\x6c\xec\x2f\x26\xa4\xab\xd1\x71\xe1\xdd\xb7\x94\x62\x62\xc4\xf6\x73\x78\xde\x6e\x32\xd6\xfb\x62\x9c\xf3\x5f\xc2\xf6\xe5\x61\x1e\x95\x24\xfe\x7b\xc7\xb7\xa5\x52\x7e\xd3\x78\xf0\x27\x63\xa3\x7f\xaf\x92\x37\x66\xe5\x8f\x5a\x87\x6a\xe9\x29\x25\x1c\x4f\x8b\x81\x56\xfd\xa1\x3c\x98\x6c\xa1\xb9\x2e\xd4\xda\xd2\x98\x73\xa2\xd7\x64\x0c\x36\x78\x2e\xd6\x91\xde\xad\x5a\x46\xb9\xb8\x07\x41\x75\x2b\x02\x4b\xde\x91\xad\x23\xe8\x8a\x5e\xd0\xe4\x73\x51\x96\xd4\xc9\x84\x0e\x19\x2f\xc5\x1d\xaa\x40\xfe\xcb\x31\xe6\x60\x78\x07\xc3\x6a\xb4\x32\xac\xe1\x76\x04\x67\x14\x8a\x99\x7e\x2a\x21\xc5\x2b\x96\x98\xbb\x12\x66\x45\xaa\xc1\x24\x74\x50\xf2\x62\x75\x58\x75\x43\x45\x05\x38\x85\x01\xbb\x48\x52\xbd\x1d\x35\x1a\x2e\x45\xc5\x40\x5e\x72\xd6\x87\x24\xbf\x24\x73\x4a\x45\xf2\x6e\x74\x14\xc1\xee\x88\x22\xcd\xdb\x25\xbb\xdb\x26\x79\xbe\xde\x63\xb7\x20\x25\x99\x8c\x5b\x6a\xf9\xf6\xdf\xe3\xad\x33\xc9\x5a\xcf\x96\x92\x8d\x56\x70\x50\xb5\xed\xb5\xcc\xd9\xf3\xe4\xb5\x56\xd4\xcf\xc2\x4d\x79\x91\xb4\xc0\x5b\x9c\xf3\xb3\xc7\xf6\x25\xb1\x7c\x2e\x6f\x3a\xdf\x3d\xc6\xee\x70\x0d\x54\x24\xec\x1a\x7d\x74\x2f\x37\x30\xf3\xcd\xff\x93\x5a\xf0\x99\xda\x6e\xde\xe4\x59\xae\x6e\x8d\xb9\x4b\xe8\xdc\x96\xad\x04\x42\x22\xb3\x5c\x12\xc7\x35\xa5\x3f\xe8\xd4\x3a\xba\xa0\xa7\xb2\x84\x99\x4c\xf7\x68\x2b\x77\x82\xae\x94\x78\x70\x8a\x4e\x07\xe0\x02\xa8\x94\x54\xb6\xfa\xa9\x1a\xe0\x68\x80\x88\x68\xd9\x56\xa8\x99\x5f\x5a\x57\xd5\xfa\x8a\x93\xb4\x2b\x22\x53\x3b\x05\x71\xf6\x53\x40\x6b\x46\x3c\x67\x6b\xd5\xa9\x85\xd6\x46\xb3\x9f\x88\x96\xdc\xd5\x38\xd4\x46\xa7\x61\x2d\xa5\x0a\x9a\xa5\x0f\xb4\x64\x49\x0a\xb6\x4e\xf0\x0f\x36\xd1\x8d\xaf\xf6\x52\x27\x49\xd7\xc2\x76\x5b\x96\xb8\xc0\x5e\xcd\x6e\x2f\xaa\xc6\x3b\xc5\x33\x77\xcb\x19\x5a\xb3\x67\x92\x24\x82\x9b\xb6\x52\x10\x9f\xbb\xf5\xf7\x8e\x1a\x3b\x40\x32\xc0\x7f\x73\xed\x19\xbd\x96\x04\x1f\xf1\xda\x85\x09\xad\x24\x6a\x40\x84\x98\xc9\xd0\xea\x0b\x2e\x22\x63\xf5\xd2\xe8\xcd\x7c\x4d\xe6\x05\x62\x34\x98\xab\xd1\x02\x5d\x0e\x18\xd2\x1f\x39\xb9\x75\x76\x69\x24\x01\x51\x46\x36\xf5\x0e\xa2\x48\x8e\x73\xb8\x84\xd1\x38\x87\xc6\x36\xf6\x7c\x56\x0b\xdb\xee\xe1\xf7\x0f\xd9\xc1\xb8\x1f\x01\xb8\x4a\x49\x7c\xfc\xda\x18\xfb\x4a\x67\x8b\xca\xee\x9a\x6c\xb7\x65\xdb\x90\xbd\xf9\xff\x7a\x2c\xf8\xc1\xb1\xed\xdf\xb1\x82\x24\x51\x8b\xb2\x80\xa9\xd5\xed\x06\x5f\xb7\x93\xf8\xd2\x7e\x0c\xe4\x22\x18\xa9\x50\xc7\xc3\x74\x75\xd0\x93\x17\xd5\xb8\x29\xf5\xbb\x08\x0d\x47\xc5\x09\xce\x54\x7d\x0c\xe9\xd0\xca\xc5\x32\x33\x9b\xbe\x01\xa4\x52\x75\xbd\x85\x8d\x31\x0d\xd0\x9f\x5d\x0d\xe3\x76\x9d\x17\x41\x9f\xa8\xef\x6b\x5e\x08\xb5\x51\x49\x76\xc8\xb6\xcb\xe8\xdc\xe4\xbb\x92\x67\x43\x48\xe2\x78\xd3\x73\x78\x89\xf0\xe4\x86\x5f\x09\x65\x3c\x31\x54\x73\x9d\x7e\x14\x0d\x2c\x61\x31\x81\x36\xdf\x72\xb3\xeb\xa6\xcd\x93\xae\x1c\xf8\x81\x71\xf6\x0f\x2a\x55\x6a\xff\x0d\xe3\xc1\xff\x1d\xab\xd6\xb6\x1d\x15\xa7\x60\x85\xde\xeb\x9d\x0a\x13\xc1\xe9\x6a\x4b\xc5\x3a\xd7\xab\xa3\x23\xae\x57\xeb\xa9\x88\xfb\x91\x48\x5d\xf5\x1d\xf4\x75\x60\xe8\x44\xff\x15\xfc\x3d\x71\x55\x0e\x1a\xb8\xe4\x7a\x22\x4c\xb3\x49\x64\xa3\x15\xad\x0d\x2d\xe4\x11\xe0\x40\x1f\xe9\x39\x96\x38\x94\x6d\x0c\xec\xe0\x20\x85\xd5\x43\xc0\xa5\x88\xc3\x5e\x01\x6d\x6d\x88\x9b\x44\x2b\x4f\xd2\x6c\xd2\x80\x77\x61\x79\xb9\x85\xd5\x5f\x1c\x12\x5a\xf3\x50\x2d\xc5\xfb\xd6\x33\x79\x71\x84\xfe\xef\xf2\xde\x68\x8b\x84\x2f\x65\x07\xee\xc0\xc3\xc7\x15\x15\x9b\xec\x4b\xaa\x4e\xaf\x67\xfd\x1c\x71\x34\x1d\xb2\xf8\xb8\xa2\xea\xdf\x3e\x9f\xed\xc7\xa4\x76\xff\xbd\xcf\x0f\xde\xf1\x7c\xfc\x37\xc9\x18\x2b\x89\x92\x9e\x6b\x7b\x0b\x49\x4a\x7a\x4c\x2b\xc1\xa4\xf7\x3b\x66\x12\xfb\x15\x23\x00\x66\x19\x6b\xf0\xb5\x2c\x89\x71\xed\x86\xed\x59\x25\xdd\xb3\xc4\xec\x91\xc5\x05\x22\xb9\x12\xfc\xe8\x71\x9b\xa3\x6f\x43\x5e\xd3\x9e\x88\x06\xef\xa7\xe1\xac\x6a\xe8\x03\xcb\x8b\x6a\x8a\x7b\x22\xa5\x14\xf9\xfb\x93\x48\xc4\xeb\x3c\x96\xf9\x54\x3f\x8d\x9a\x4b\xea\x87\x65\xf4\xc4\xab\x77\x1b\x5c\x76\x45\x18\xcd\xa2\x20\x15\x61\x64\xf0\x2d\x46\x95\xa2\x5e\xc2\x62\xe6\xe8\xcd\x86\x49\x86\x9f\x85\x90\xa0\x28\x6c\x97\x23\xd6\x61\x91\xc6\x48\x7f\x16\xcb\x1c\x71\x8b\xd5\x17\xf5\x0a\xd2\xc0\x99\xe9\x63\xc7\xeb\x3c\xa3\x68\xfb\x63\xcd\x19\xfe\xf0\xf2\xb9\x79\xf5\xf4\xd1\x26\x6f\xf0\xb0\xb7\x79\x1c\xda\xbb\xb8\xb4\x79\x9c\x2f\x2e\x8d\x6a\x29\x36\x72\x71\x09\x3f\x39\xa9\x3f\x39\xb9\xbb\x4f\x5a\x61\x3b\x55\xdd\x99\x5f\x5c\x58\xde\xfe\x75\x78\xa3\xc1\xbb\xa2\xa5\xde\xbf\x38\x37\xbf\xd3\x10\xe2\x67\xea\xc5\x06\xef\xf7\x61\xc6\x63\xfe\xc0\x03\x8b\x0b\x04\x93\x87\x91\x11\x40\xa3\x01\x80\x00\xd6\xf0\x60\x1c\xc5\xba\xbc\xc6\x27\xee\x0b\x27\x5f\xf9\xf0\x74\xe3\xb4\x68\x74\x1e\x7d\xcd\x5d\x4f\x34\xee\x33\x7f\x1c\xdf\xdd\x1f\x33\x47\x9f\xb8\x83\x5a\x70\xcc\x34\xe1\xd8\x33\xd8\x86\x63\xe6\xaf\x63\xbb\x69\xc4\x71\xd3\x88\xe3\xcf\x60\x23\x8e\xbb\x8d\xb8\xeb\xb4\x58\x7b\xb4\xba\x5d\x56\x53\x4e\x98\xa6\x9c\x78\x06\x9b\x72\xe2\x46\x9b\x12\x66\x6b\x31\x2e\xdb\x95\x33\x97\x66\xa6\x95\xb6\x0e\xff\x3a\xa6\xa3\x98\x68\xfb\x83\xfc\x0e\xa6\x8f\x1d\x9d\x39\x75\x62\x66\xfa\xf8\xb1\x40\xbd\x19\x9c\x3e\x75\x57\xc3\x3c\x9b\x09\xa8\xbc\x99\x69\xbb\xc4\x9d\xca\xa1\x6f\x8e\x15\xdf\x54\xd7\x3d\x5c\x57\x2b\x95\xed\x30\x6f\x89\x14\x04\x1a\xfe\xc5\xd5\x9f\xfa\xfb\xca\x11\x7c\xe5\xc4\x7d\xb3\x30\x63\x30\x06\x13\xf7\xcd\xe2\xbf\x8f\x3d\x31\x79\xdf\x6b\x4f\x3c\x3c\xd3\x38\xf1\x28\xfd\x78\xfc\x89\xd7\x9e\x9c\xb8\x6f\x76\x7a\x66\xe6\xb5\x30\xac\xf8\x7c\xd2\x7c\xfa\xda\x63\x0f\x1f\x3f\xa5\x5f\x3e\xf6\xc4\x6b\x8f\xa9\x97\x1f\x9e\x6e\x9c\x78\xf4\xb5\x0f\x9f\xbc\xcb\x7d\x7b\xe6\x89\xd7\x4e\xdc\x37\x7b\x74\xe6\xd8\xcc\x6b\x67\xee\x9a\x9e\x7e\xed\xb1\x13\x8f\xb4\x55\x95\x8f\xb4\xd5\x6f\x93\x77\x68\x02\xf0\x01\x8f\x93\x98\xb7\xc3\x75\xd5\x93\x42\x0e\x77\xc3\x6b\x78\xe1\x6a\xf0\x2c\x53\xf3\xc5\x1f\x68\xae\x34\x39\x80\xa2\x44\x4a\x8c\xf5\xd3\x30\x1f\xe8\x6e\x17\xc7\x81\xd5\x6b\xa8\xef\xe1\x06\x7f\xf4\xbe\x47\xda\xaf\x39\x6a\xfe\x75\x1c\x56\xc1\x86\xbc\xd6\x4a\xa2\x24\x85\x39\xd8\x90\xd7\x44\x5b\xb6\x42\x75\x61\x84\xa7\xbc\x95\xb4\xc9\xd6\x18\xbc\xf0\x1c\xfc\x6f\xb6\xba\x92\x17\xde\x37\x41\x0b\x6c\xae\x71\x4e\x8d\xe9\x6b\xed\x3f\x4f\xaa\x8e\x36\x78\xba\xbe\x56\x54\xb6\x7c\xff\x99\xa1\x4a\xd2\xf5\x35\xaa\x2d\x5d\x5f\x9b\x38\x7a\xe2\x44\x9d\xfe\xff\xb4\x9a\xf5\xb5\x41\x2e\x67\x21\x44\xf0\xe4\x71\x20\xaa\x56\x6a\xf1\x5a\x18\x8b\x74\xc0\x41\xf9\x6d\x00\xb4\xc9\x56\x02\xcb\x22\x1e\x80\xce\xc9\x93\x4e\x71\x90\xa9\x43\x51\x8d\x21\x70\x31\x3a\x6b\xec\xe8\xf4\xf4\xc9\xc6\xf4\x4c\x63\xfa\x68\x50\x3a\x34\x94\x3e\xdb\x80\x0f\xc2\x58\x9d\x20\xc7\x8e\x1d\x3b\xad\x8a\xa2\x5c\x5d\x28\x4e\xe7\xed\xba\x45\x1e\xe5\x71\x16\x54\xca\x69\xb8\x3e\x80\xa0\x5e\x30\x29\xbf\x00\xcc\xde\x13\x39\x28\x93\xb0\x28\x56\x94\xca\x54\x14\x4e\xba\x01\xf6\x42\x95\x60\x7a\x02\xa1\x29\xa5\xee\xcc\x1c\x6f\xcc\x1c\x6d\xcc\x9c\x58\x9d\x39\x3d\x7b\x6c\x7a\xf6\xe8\x74\x73\x7a\x7a\xfa\xa1\x72\xe7\xd4\xe7\x0d\xf8\xbc\xe8\x9c\xa3\x6a\x3d\xc6\xc6\xe2\x24\xf7\x9f\xbd\x1b\xf1\x97\xb3\xc3\x98\x74\x80\x57\x7e\x57\x6d\x7a\xd3\x01\x76\xea\xc6\xb9\xb7\x30\xf6\xee\x57\xf6\x07\x8d\x1b\x22\xb2\xd9\x0d\x8f\x8d\xe3\xd1\xff\x63\xc0\x0c\xfc\x2a\xfa\x68\x24\x07\xd7\x87\x0c\x24\xea\xbb\x3d\xdd\xa0\x51\x24\x5c\x86\x55\x0b\xc9\x5c\x6e\x84\x92\xab\xce\x01\x0d\xe8\xd4\x34\xef\x4a\x11\x6b\x54\xdc\xd8\x54\xa5\x3a\x1b\x66\x14\xc2\x1d\x27\x5b\xfc\xd4\xf4\x8b\x54\x21\x56\xda\x17\x16\xe4\x42\x5c\x76\x86\xb9\x3d\x56\x74\x7f\xee\xdd\x13\x8f\xc7\x50\x3d\x65\x0e\xa0\xa2\x9e\x3d\x71\xfd\xb8\xf5\xfc\xe6\x10\x8b\xcf\xc7\xf7\x90\x04\xf4\x46\x6f\x8f\x84\x3d\x77\x3f\x93\x84\x3d\xaf\xac\x04\x6d\x3d\xaf\x41\x5b\x8f\xed\x95\x96\xe7\xa3\xfb\xd8\x7d\x7b\xe4\xb6\xf1\xff\x6e\x3c\x90\x3b\xbd\x54\xa2\xa3\x32\xbc\x36\x62\xe4\xf8\xaa\xa5\xce\x5b\x32\x05\x44\x3d\x03\xf9\x3a\x3a\x0b\xed\x2f\xc7\xd8\x7b\xab\x53\xc2\xde\xba\x87\xd5\xf0\x8a\x8a\x94\xb0\x4a\x5e\xa7\x1b\xce\x0c\x63\xeb\x45\x62\xd8\x23\xc1\xe5\xed\x12\xc3\xe4\xb5\x5e\x24\x08\x07\x93\x62\x7f\x87\x93\xc3\x72\xe4\x83\xa7\xaa\x6d\x81\xbf\x64\x52\xc3\xce\x05\xa7\x8b\xd4\x30\x3c\xea\x9f\x56\x02\xd8\x8a\x49\x00\x5b\x0c\xee\xd9\x55\x02\x18\x9f\xa8\xca\xfc\x9a\xb4\x0b\x3d\x4d\x91\x11\x33\xc1\x1d\x39\x52\xb0\x57\x11\x98\x99\x12\xed\x4f\xdf\xbe\x7f\x47\x3a\x35\x93\x94\xa3\x8d\x9d\x4e\xfe\xd8\x6f\xed\x0b\xfe\xba\xb6\xed\x2b\x3b\xa7\x92\x19\xeb\x23\x25\x1d\xe1\x3d\x3f\x4f\x2c\x3b\x23\xdc\x5e\x1d\xa3\x7b\xc1\x51\x1f\x6b\x00\xda\xba\x9b\x8d\xa6\x31\x43\x4c\xbe\x4d\x48\xf6\x20\x90\xfe\x2e\x67\x1d\x92\x61\x51\xee\x13\x42\xc9\xa9\xe3\x28\x49\x79\x57\x76\x93\x74\x30\xd9\xe4\x7c\xa5\xdf\xda\x30\x54\x52\x22\x95\x7c\xad\x1f\x46\x18\x74\x5f\x6a\x6a\xdc\x46\x8b\x18\x34\x58\xa9\xa6\x44\x07\x98\xf4\x10\x26\x52\xad\xf5\x84\xe8\xd8\x93\x4c\x5a\x88\xd9\x96\x93\x42\xa6\x0d\xd5\xd0\x82\xbb\x4a\x6b\x99\x81\x92\x75\x01\xa7\xd0\x6c\xca\x94\xb2\x73\xe5\x0e\x99\x2e\x3b\xfb\xfc\x27\xfe\xde\x64\xc9\x9d\xa1\x34\xae\xd9\xa0\x01\xe9\x1c\x15\x98\x6e\x66\x4d\x84\x31\x87\x89\x2e\xef\xa4\x35\x56\x74\xd3\x7f\x20\x38\x3f\x5f\x4c\xf3\x70\x69\xce\x1a\xa0\xf4\x8c\xac\x80\x83\xc6\xd9\xc1\xd9\x77\x90\x98\xc7\xd9\x11\x6b\x54\x62\x99\x6f\x25\xe9\x55\xd2\xb8\x28\x6d\x91\x82\x3c\xfd\x9f\x1a\x0f\x16\xdc\x47\x76\x52\x4f\x14\xd9\xe0\x88\x10\x47\x84\x23\xa2\x73\xbf\x00\x14\x2c\x49\x4b\xe4\x0c\xbf\x37\xc6\xde\x57\x63\x07\x8d\x09\xff\x5d\x35\x36\xbb\x63\x04\xfb\xea\xa0\x27\xdb\x17\x92\x96\x88\xca\xd8\x7c\x7f\xe0\x2d\x9b\x61\x45\x6b\x9b\x7e\xc1\x12\xaf\x8e\x75\xdf\x9a\x05\x3d\xa6\x80\x20\xa7\xc7\xce\xcd\xdd\x84\xa0\xa8\xd4\xaa\xc2\xc2\xe9\x2d\x90\x70\x2f\x15\x09\x85\xf8\x00\x80\xc6\x4d\x70\xca\x9a\xe5\x5d\x2b\x48\x15\x04\xef\xf6\xf3\x3e\x04\xce\x1a\xf3\xa2\xa1\xa2\x82\x1b\x42\xb0\x82\xc5\x05\x4d\xf6\x63\x1e\x3b\x40\x85\xfb\x3f\xb0\x0d\xa7\x79\xf5\x8c\x52\x39\x34\x8b\xc1\x15\xfa\xdb\xa5\x5f\xd2\x0f\x41\x13\xa5\x57\x6f\xa8\xb5\x7a\x26\x82\x26\xfb\xcd\x71\xf6\xe5\x15\xf3\x38\xd7\x81\x36\x0f\xfc\x0f\x8e\x07\x33\xfa\x0f\x2c\x1d\x22\xc2\x41\x78\xea\xc7\x04\x35\x03\x8e\xa6\x7e\x54\x06\xc9\xfb\x8b\x31\xf6\x7e\x8f\x1d\xee\x25\x6d\x53\xe8\xbb\x3c\x56\xdf\x39\x19\xa2\xf8\x20\xc8\x17\xcc\x72\x86\xbb\xc2\xa8\x9a\x49\x7c\xb6\x92\x46\x94\xb4\x90\x68\x00\x73\xe1\x8d\xab\x54\xcd\x7f\x9c\xb4\x65\x1d\xc0\x56\xeb\x5c\xe6\xad\x26\xc8\xf7\x44\xed\x58\x58\x83\xbd\xa4\x3d\x91\x4d\x4e\x36\xd9\xc7\x3c\x76\xbb\x6a\x76\x9c\x87\xa6\xe9\xef\xdb\x0d\x2e\xe5\x92\xfb\x51\xf0\x44\xa9\xf9\x71\x1e\x36\x76\xea\x03\xd0\x29\xf0\x5e\x3f\x2f\x60\x3b\x9f\x6e\x3f\x36\xd9\x2d\xea\x55\xd3\x87\xce\x2e\x92\x15\x2f\x59\x1f\x04\x27\x8a\xf6\xab\x82\xb6\x19\x7f\x2d\x72\x7b\x49\xbb\xc9\x3e\xb7\x8f\x4d\x54\x14\x7d\x3f\xa2\x2f\x74\x32\x27\x13\xe4\x83\xfb\x82\x37\xba\x99\x20\xe6\xbd\x5d\xe7\x82\x14\x5f\x3c\x13\xd9\x20\x87\x8c\xd4\xbc\xee\x41\x6e\xa3\x8b\x67\x38\xae\x34\xd7\xe2\x1d\xff\x1d\x5e\xf0\x6d\x9e\xc6\x3c\xcd\xec\xb3\xc5\x00\x7d\x60\xf2\x9e\xea\x86\xd6\x02\x8b\x16\x17\xde\xb0\x8a\x3c\x2f\x8a\xfc\xce\x0c\x8d\x19\x76\x6f\x6a\x5d\x7f\x3e\xb5\x7c\x76\x6e\xe1\xe2\xd9\x66\xb7\xfd\x42\x4c\x0a\x69\x08\x75\x82\xdb\x07\xca\x93\x1e\x65\x68\xbe\x26\x88\x35\xeb\x80\x6a\x5d\x79\xd0\xb8\x7a\xe9\x59\x6b\xc5\xaf\xda\xe9\x23\x1f\xf3\x82\x7f\xeb\x6d\x9b\x40\x32\xd4\xb8\xbd\xa4\x90\x3c\xb3\x7d\xb2\xcc\x23\xff\xfd\x10\x7b\x51\x15\x5e\x3f\xca\xe9\x39\x4c\xfc\x01\x00\xa2\x8f\x1c\x0a\x4e\x0e\x3f\x76\xb1\x6e\xdc\xdf\x35\x9c\x7c\x25\xf2\xd0\xdb\x0e\xb2\x8f\x1a\x4c\xc8\x0f\x7a\xc1\xd6\x85\xca\x32\x76\x9d\x3c\x98\x8b\xec\x2a\xa4\x10\x22\x9d\xb4\xea\x68\xc3\xe8\x2f\xd6\x73\x3a\xe0\x1a\x94\xd3\x34\x65\x87\x6d\x1c\x63\x33\x6c\x6a\x67\x2e\x03\xa7\x81\x37\x71\x78\x6e\xe2\x43\x16\x9d\xbb\x89\xa6\xb5\x67\xbc\xb5\x87\x76\x86\x4c\x3a\xe5\x9f\x68\x38\x80\x47\x5c\x03\x28\x05\x81\x41\x4a\x1a\x96\x55\x8c\xfd\xea\xad\x0e\xe4\x9a\xa3\xc7\x22\xee\x91\x56\x66\x7b\xb2\xe5\xbf\xeb\xd6\xe0\x6e\xeb\xef\x92\x81\x40\xeb\xf0\x90\x34\x9c\x01\xaf\x7b\xb6\x81\xac\x7b\x80\xc5\xe0\xaa\x92\xbf\x71\x0b\x7b\xff\x3e\xf6\xbc\x10\x3f\x9a\x8f\x44\x06\xe7\xac\xff\xfd\xfb\x82\x37\xef\x5b\x2c\x3d\xad\xba\x8b\xd9\xef\xf0\x16\x8a\x78\x8b\x2b\x66\x75\x43\xda\x40\xf7\xce\xdb\x7a\xd1\x61\xbc\xa0\x45\x8b\x05\x27\x96\x21\xde\x70\x2e\x90\xa4\x94\x53\x20\x85\xa6\xc5\x31\xdc\xa5\x57\x5c\x09\x4c\xdd\x6a\xb6\x54\x7d\x57\x74\x28\x0d\xe0\xf0\x9c\x4b\x52\x08\x24\xdc\x12\x69\x3b\x33\xfe\x89\x30\x82\xc0\x0e\x62\x49\x00\x2b\xb3\xfe\x84\xd2\xf7\x80\xdc\x40\xc7\x3b\xe1\xa5\x4f\xd5\x2e\xdb\x00\xd6\x01\x46\xee\x82\x19\xa1\x20\xf7\xa0\x9e\x01\xc5\x5b\x37\xcc\xb9\xe0\x5b\x22\x05\xeb\x55\x68\xf3\x0b\x21\x86\x88\xa9\x12\xcc\x0e\x05\x3d\x87\x5e\xff\x8b\x7a\x68\x0a\x2e\x2e\xa8\x13\xa2\x34\x71\xff\x61\x28\x85\x1e\x6f\x89\x09\x01\xc8\x23\x05\x83\x61\x5f\xca\xe6\x62\x77\x5e\x0a\x03\x0e\xe6\x2e\x74\x45\x7a\x15\xad\xf4\x14\x45\x53\xd7\x53\xe6\xa2\xdc\x67\x32\xaf\x0c\xce\xb3\xc7\xe3\x1c\x25\x9b\xd8\x4c\x08\x75\xbc\x8b\x69\xc1\xe0\xae\x11\x3b\x77\xcb\xb1\x18\xfc\x86\xc7\xf6\x81\x86\xec\x7f\xd2\x0b\x9e\xf4\xe6\xcc\x61\x0f\x31\x12\xa8\x3b\xeb\x96\x99\x63\xd6\xae\x80\x32\xd6\xad\x4b\x2d\x80\x94\xc0\xa7\x9a\x7d\xa6\x0e\x77\xfd\x3c\x55\xea\x79\x0b\x57\x00\x62\x3e\x38\x31\x45\x74\x5f\xb4\x8f\xec\xbb\xd9\xe9\xd1\xc6\xd6\x6d\x36\xf8\x72\x3f\x92\xec\x0d\x63\x6c\x2c\x8f\x32\xff\x6f\x6b\xc1\xfb\x6b\xab\x17\x56\x5c\x08\xdd\x26\xa7\xbc\xfc\x68\xe0\x5e\xda\x81\xce\x19\xd5\x72\x2b\x58\x49\x7d\xaf\x1e\xd5\xf9\xf1\xe3\xc7\xa0\xcf\x26\x55\xa4\x2b\xbb\x6b\x44\x02\x01\x73\x04\x23\x48\x61\xf1\xd6\xb2\x53\x03\x9a\x41\x4c\xfa\xc0\x84\x34\xe9\x32\xae\x61\xe8\xbb\xb9\x40\xc1\x9d\x60\x88\xa6\xa6\x20\x7d\x30\x36\x3f\x9b\x0f\x64\xe5\xd2\x22\x34\xd3\xb8\xd3\xea\x7a\x57\xd0\x06\xb6\xb7\x50\xa7\x1f\x75\xc2\x28\xd2\x0a\x8b\x7e\xc3\x74\x7c\xe5\xd2\xa2\x33\x13\xb3\xec\x2e\x76\xf2\x69\xcc\xc4\xea\x85\x15\xf6\xd3\x35\x76\x80\x66\xd7\xff\x57\xdb\x19\x6b\x46\x17\xa3\xed\x0e\x7f\xe2\xcd\x95\x17\x0c\xf2\xe7\x44\x20\x4a\x51\xfd\xd3\x81\xa5\xd2\x24\x12\xb4\x93\xf8\x88\x66\x53\x12\xf1\x00\x16\x67\x93\xcf\xd9\xc4\x3a\x49\x87\x1f\xa1\x12\x8f\xa8\x25\x7c\x04\xd6\xfe\x91\x82\xea\xba\x64\x7e\x31\x5c\x31\x09\x11\x6e\x83\xb5\x28\x8a\x92\x2d\x3c\x97\x13\xd1\x5e\x13\x91\x88\x5b\x32\xb5\xc7\x3d\x49\x75\xfb\xc1\x17\x9b\xac\x87\x2d\xd8\xf4\xb4\x5c\x84\xa6\x96\xa5\x97\x9a\xec\xbb\x0f\x39\xa0\x22\x2e\x7c\xa0\xc5\x80\x36\xa7\xb3\x19\x32\xff\x0f\x0e\x06\xf9\xf0\x63\x8d\x90\x97\x69\x47\x52\x51\x4e\x91\x0a\x91\x59\x66\x57\x25\x74\x8c\x10\xb3\xf4\x4d\x0c\x65\x2f\x88\x6c\x41\xf7\xe8\x88\x96\x8b\x49\xf0\x99\x03\x70\xb1\xdb\x94\xe9\x9a\xba\xd8\x3d\x28\xd3\x35\xd4\x9c\xaf\x56\x58\xd2\x88\xf5\x6d\x0d\x83\x01\x67\xf9\xba\x3a\x21\xd4\x3e\xaa\xf3\x2d\x64\xe0\xc2\x2b\x4e\x9d\x14\xdc\x3a\x6f\xcb\x48\xaa\xff\xf6\xd2\xe4\xda\xa0\xc9\x79\x70\x67\x40\x6e\x4d\x11\x45\x25\xef\xc2\x01\x52\x26\xfc\xf3\xc1\xdd\x5a\x55\x0b\x8b\x88\xfc\x12\x11\xde\xb2\x39\x23\xb7\x29\xf4\xa2\x46\x2d\x58\x08\x4e\x21\x6a\x81\x55\xe0\xfd\xda\x10\xb5\xeb\xe2\x5e\xe7\x91\xf1\xf7\xf1\xa0\xbb\xa3\xf1\x57\xc3\x7f\x68\x8f\x2c\x5a\x4e\x83\x75\x99\x07\xb8\xbc\x22\x69\x3d\xc6\x3f\x83\x26\x0f\x02\x3e\x01\xa9\x98\x93\x23\x1a\xf1\xe7\x35\x76\xc8\xd8\x32\xfd\xcf\xd5\x82\xdf\xa8\x19\x72\x0c\xbb\x41\x8e\xad\x53\xc3\x32\xb9\x6d\x6a\xf2\x42\xba\x82\xc8\x4b\x09\x12\x8a\xb8\x3a\xf4\x47\xf9\x96\x94\xb1\x7a\x5c\x94\x0b\x67\x77\x64\x71\x2b\x67\x76\xcb\x43\x73\x7a\x52\x0f\xc1\xa4\x4b\x84\xc5\x08\x6a\xb3\x2c\x37\x43\xb9\x55\xfe\x0a\x93\x50\x01\xed\x08\xb5\xab\x06\x10\xb1\xb5\x2d\x88\x98\xa1\x01\x0a\x44\x14\x05\xf0\x4d\xd1\xbc\xa1\xaf\xe0\xb6\x66\x28\xe0\xed\x26\x80\xfd\x46\x46\x9d\x8a\x9f\xdc\xfc\xf9\xc2\x94\x7d\x21\xb8\xcf\x36\x46\x5b\xe9\xae\xa0\x74\x12\xec\x0b\xdd\x2a\xd5\xbd\x64\xdb\x55\xf5\x4a\x76\x38\xeb\xaf\x99\xc2\x2f\x07\x67\x56\x8a\x3f\x77\x5f\xbe\x2e\x3e\x4e\x62\x17\xba\xe3\xad\x87\x1c\x7d\xbb\x95\xc0\x71\xa5\x25\x13\xca\xef\x0b\x52\x64\x12\x2c\x0c\x9f\x3b\x18\xbc\xc8\xfc\xe5\x1a\x16\xe0\xb1\xa1\xa7\xab\x34\x28\xfc\xcc\x81\x9b\x97\xaf\xbd\x42\x19\xbf\x5a\x1b\x64\x36\x82\xa0\x02\xca\x58\x0f\x55\x05\x4b\xe0\xf6\x30\xc6\xa3\x27\xfe\xa6\xf9\x64\x0f\xe6\x93\x4f\xd8\xe6\x93\x9f\xd9\xa3\xf9\xe4\x9f\x7f\x91\xac\x27\xba\xa2\xa7\xbc\xf5\x9d\x6f\xfe\x0b\xfe\x19\x03\x96\xec\x2c\xaa\x12\x4c\xb2\x11\x23\x95\xc8\xeb\x3f\xe2\x55\x1a\x3d\x97\x92\xf6\xc2\xa5\x95\x79\xb8\x03\x5c\x46\x1c\x93\x7f\x1e\x9c\x1e\x7e\x6a\x04\xc9\xc2\xa5\x15\x0d\x27\x99\x16\x5e\x6a\x6d\xd3\x77\xa4\xd3\x49\xf6\x95\x74\x80\x7f\x69\x70\xa8\x92\x45\xea\x4b\x34\xa6\xa6\x93\x8f\xf0\xeb\x87\x2b\x81\x11\x1d\xfe\x5a\xff\x7d\x87\x83\x73\xce\x13\x75\x45\xcc\xb8\x58\x5f\x4f\xe5\xba\xc8\x35\xd3\xa7\x4e\x0a\x82\x66\x12\x99\x6d\x9b\xf7\xa4\x75\x7a\xb9\x1c\xf7\xec\xa6\x44\xdd\xab\x44\xbd\x29\xde\x6e\x32\xac\x38\x0c\x2b\x1f\xd5\x0c\x2b\x3f\xbd\x1d\xc3\xca\x48\xf6\x6a\xd5\x8b\x51\x74\xd5\x44\xf6\xfb\x5c\xd0\x8a\xfc\x61\xc1\x94\xf2\xa9\xed\x98\x52\xaa\xfb\x81\x71\x30\xef\xf4\x28\xd2\xc9\xee\x0b\xa5\xb5\x19\xe9\x84\x92\x4b\xed\x6e\xb5\x6a\x75\x90\x4c\x3f\x13\xeb\xf2\x39\xe9\xe9\x53\xde\x03\x3b\x9f\x4a\x47\xfd\xe9\x46\x85\x05\xda\xe9\x74\x19\xa2\xff\xdd\xb7\x8c\x70\xbc\xb5\x52\x99\x3b\xee\xe5\xbf\x3a\x1c\x7c\xc1\x9b\x6b\x8b\x5e\x8e\x11\x14\xea\x05\x25\xff\x12\x2e\x34\x44\x25\x02\x0a\xb8\xe4\xc6\x26\x2e\x0b\xbf\x38\x92\xf1\x05\x91\x0b\xb2\x4a\x68\xf3\x52\x11\x1b\x0c\x48\xd2\x1a\x51\x2f\xe3\x9d\x10\xed\x7a\x0e\x6a\x03\x79\xf0\xad\x72\x08\xc2\x41\xbd\x8d\x87\x48\x53\x37\x50\xbb\xb1\xb7\xf5\x5f\xab\x79\xad\x70\x60\x3b\xa7\xd0\x5f\x1f\x62\x7f\x34\x06\x20\x1e\xea\x52\x77\x31\x69\x4b\xff\xb7\xc6\x74\x58\xef\x7f\x18\xbb\x4c\xc6\x95\x59\x80\x22\xe5\x6b\x6a\x99\xd8\x86\x52\xcb\xb1\xca\x93\xd8\xe0\x0e\x62\xff\xd6\x06\xc6\x8c\x52\xe0\x5e\xc7\x3c\x69\xe5\xfa\x64\x31\x57\xd0\xe9\xe9\xe9\x69\x68\xef\xf4\xa9\x53\xa7\x10\xd2\x48\xe7\x39\x94\x5e\x84\xb7\x4e\xcc\xcc\x34\xf9\x2b\xe6\x2e\x5e\x00\x78\x42\x35\x75\xc0\x10\x8e\x25\x0b\x88\x72\xb2\x3e\xce\xea\x00\x17\x57\x24\x3b\xbb\xbf\xc2\x0d\xd3\x74\xcf\xf5\x0f\x4f\x9f\x3c\x7e\xbc\xc9\x17\xc2\x14\x40\xc6\x43\xb2\x40\xeb\x78\x2d\x91\x17\x00\x01\x98\xf7\x6f\xc5\xe8\x52\x64\x8d\x66\x94\x0e\xd7\x37\x34\x86\x70\x2b\x89\x3b\x51\xa8\xd1\x69\x30\x26\x43\xeb\x37\x68\xae\x87\xb2\x8a\xb9\xef\x42\x3c\x07\x24\x0e\x74\x32\xb0\x6e\xe0\x91\x4c\x66\x89\x7e\x94\x6b\x23\x36\x16\x56\xcc\x55\x26\x73\x37\x42\xf8\x5d\xe3\xfa\x12\x72\x7d\x3c\xf8\xd4\x58\xd9\x76\x0c\xa1\x88\x6e\xbe\x6b\xc5\xba\x34\x16\x11\x8a\x3d\x6a\xeb\x65\x59\x2c\xfc\xe4\x55\x38\x1a\xb0\x93\x2c\x00\x5b\x08\x4d\x82\x4e\x6d\x41\x94\x61\x6c\x59\x5b\xae\xca\x01\x74\x8b\x76\x9a\x7e\x4c\xb0\x3f\x8b\x9d\x32\xc3\xba\xd2\xa4\x65\x1b\x37\xcf\x36\x35\x17\xd6\x5a\x35\x61\x14\x0a\xd9\x8f\x87\xbe\xa6\x43\x9a\x36\x2d\x41\x9c\xab\x36\xd9\x31\x63\xe4\x33\x20\x7c\x6d\x0b\x28\x1e\x2c\xc0\x30\x0a\x75\xbb\xbf\x99\xcc\xfb\x3d\x2c\x5f\xa6\x29\xe4\xf8\x03\xd0\x38\x72\x4b\x93\x4f\x42\x9b\x30\x9b\x7c\x49\xb5\xd0\xd8\x3c\xd5\xa6\xcd\xc3\x4d\x69\xf4\x2f\x55\xa7\xa6\x25\x57\x95\x1c\x69\x36\x8f\xe0\x32\x4c\x52\x9e\xe5\x22\xa5\x35\xa5\x9e\x3b\x17\xc8\x26\xab\xb3\x3b\x77\x3c\x47\x5e\x2a\x07\xab\x89\x6a\x02\x5b\x62\x07\x75\xa3\xfc\x85\xe0\xe4\x0a\x99\x47\x6d\x6c\x74\x9a\xf2\x24\x85\xb3\x03\x86\x51\xb7\x9b\xf2\x57\x9c\x50\x88\xb7\x78\x8c\x65\xf0\x09\x78\xe6\xbe\xde\x0b\xb6\x6c\xb4\xfc\x4c\x0b\x5e\x1d\x25\x74\x24\xb3\xac\x3e\x08\x96\xfd\xb4\x91\x8e\x35\xbc\x31\x56\xe2\x40\xb1\xdc\xca\xbe\x6c\x74\x10\x82\xff\xb9\x5b\x82\x3f\xf4\x74\x54\x1d\x68\x96\xaa\x4d\x6d\x2e\xd6\xb2\x3c\x15\x86\x0f\x2a\x4b\x3a\xf9\x16\x62\x7d\xe2\xab\x2e\xc3\x44\x77\x90\xbd\x3a\x9a\x44\x82\x68\x34\xf2\x24\x1d\x22\x4e\x06\xe1\x6d\xbf\xcd\x8f\x1d\x9b\x3e\x39\x59\x40\x1d\x80\x7d\x15\x57\x3a\x88\xd8\x62\xe3\x6b\xe6\x03\x13\x37\x84\xdc\xcc\xda\x11\x09\xc1\xa4\xb0\xee\x44\x9c\x6d\x81\x37\x93\x74\x52\x74\xfe\x58\x8e\x0b\xb4\xe1\x3a\xc7\xc2\xdb\x19\xfb\xdb\x42\x09\xf9\x33\x8f\x35\x77\x1b\xb8\x41\xea\xc7\xcf\x79\x17\x8b\x5c\x86\x68\x50\xa4\x30\xb8\x11\xe5\x3a\xda\x92\x2f\x25\x56\x26\x3c\xfc\x32\xc8\x72\xd9\x6d\xf2\x65\x1d\xc4\x73\x93\xdc\xed\xe6\xed\xec\xe6\xed\xec\xff\xd7\xb7\xb3\x8f\xe9\xdb\xd9\x87\x77\x13\xe7\xab\x05\x8a\xba\x97\xbd\x71\xf8\x5e\xe6\xb2\x5d\x1a\x41\xf2\x9c\xdc\x5a\x2e\xef\x7c\x6b\xa9\xfb\x77\x56\xdd\x5a\xa8\x53\xe5\xfb\xca\xa7\xdd\xd0\x99\x0a\xca\x30\xcb\xb3\xee\xff\xc4\xad\xc1\xff\xf0\xac\x07\x65\x68\x76\x0c\x1b\xe8\x8a\x5e\xcf\xb0\xc1\x80\x5e\x81\x48\x41\xc2\xd2\x66\x20\xca\x80\xa4\x0b\x68\x1b\x4a\x00\x93\x5f\x57\xe3\x5f\xab\x0d\xd1\x4a\xba\x8e\x57\x57\x1d\x76\x9d\x30\xcd\x72\x2e\xd5\x36\x16\x85\xc3\x0b\x4a\xec\xa2\xd3\x10\xa0\xf1\xd3\xa4\x9f\xe3\x85\x01\x66\x8d\x0a\xb7\xa2\x69\x0c\xd4\x1d\x7c\xa5\xaa\xb1\xba\x06\xa9\x1d\x25\x9c\xe6\xc3\xec\x25\x6c\x5c\xcd\xb3\x7f\x86\x7d\xcd\xc8\x65\x54\x31\x86\xe7\x57\x57\x97\xca\x65\xb3\xcf\x32\x62\xd2\xf8\x4d\x16\x7c\x82\x01\x97\x06\x29\x9e\x08\x94\xf3\xea\xbe\x88\x70\xb0\xda\x49\x57\x29\x5e\xda\x29\x28\x38\xf9\xcb\xa1\xcf\x55\x50\x16\xc7\x4e\xdf\x75\xb2\xc9\x2f\x25\x39\x46\x6c\x14\x79\xd9\x6d\xb9\x19\x52\xd4\x8b\x91\x58\xc1\x06\x70\x6f\xf4\x94\x12\x47\xa7\x23\xc1\x79\xe8\x52\x31\x03\x18\x4a\x9d\xe5\x33\x4d\xbe\xb8\x94\x15\xd7\x0f\x44\x04\xb2\xa3\x2a\x0a\x16\x2b\xd3\x59\xb8\x26\x40\x84\x85\xe8\xf5\xa2\x01\xcf\x13\x46\xc8\x32\x8b\x4b\x46\x89\x55\x1b\x4d\x13\xa4\x08\x30\x08\xe8\x50\x13\x76\x14\x43\x81\xae\xcc\x5e\xe1\x6d\x09\xf9\x4d\x98\xda\xa2\x5a\x90\x4a\xb5\xac\x60\x01\xc9\x96\xe8\x67\x18\x45\x31\xdc\x42\x76\x88\x97\x42\x3f\xf0\x06\xdb\xb1\x69\xb7\xc2\x0c\x22\xa7\xc2\x56\xa8\x5e\x9a\xbd\x6b\x1a\x56\x97\x9a\x73\x75\xda\xa9\x22\x66\x8f\x1f\x3f\x66\x1e\x66\x4d\x76\x26\xc1\x55\x94\x61\xc0\x0f\xa6\x5c\xea\x3e\x75\xfa\x6a\x6b\x8f\x5a\xc8\x18\x25\xd3\xe6\x62\x5d\x84\x71\x96\x9b\x58\x0f\xbe\x26\x3b\x89\x1b\x6d\x53\x2c\x49\x84\xda\xa5\x17\xc3\xcc\xbd\x46\xd9\x01\x2d\xb0\xfe\x33\x27\x02\xc7\x90\xe8\xb8\xd7\x93\xa1\x3a\x18\x2e\x47\xba\xdb\x05\xbd\x54\xb6\xc2\x4c\x06\xc5\x1d\x44\x38\x6b\x52\x07\x47\x81\x75\xa2\xe0\xd9\xe3\xed\x24\x1f\x5e\xaf\x94\x4d\x10\x74\x92\xa4\xb9\x26\xd2\x66\x2b\xe9\x06\x93\x80\x1c\xb1\x15\x46\xed\x96\x48\xdb\x41\x7d\x54\x45\xbd\x54\x76\x00\xf6\x80\x88\x98\x28\x46\x47\x7f\xc8\xc1\xd4\xa0\x2b\xb8\xb3\xa9\xaa\x80\xe2\x71\xf5\x98\xd7\x0c\x8a\x02\x3f\x72\x27\x05\x7a\x88\x5e\x4f\x8a\x54\xed\x9f\x30\xcf\x64\xd4\x29\x4c\x20\x4a\xd6\x2c\x5c\x5a\xa1\xb2\x51\xe5\x41\x20\x3d\x5c\xcf\xba\x11\xf0\x3b\x52\xdc\x10\x2b\x15\x21\x3b\x96\x5a\x57\x54\x81\xed\x84\x91\x7e\xf1\x8b\x79\x70\xa7\x6a\xe7\xb2\x5e\x1f\x26\x52\xa8\x62\x8d\xc0\x27\x14\x87\x12\x97\x76\xf8\x96\x18\xe0\x1e\xed\x70\x2d\x52\x68\xfa\x34\x33\x16\x54\x60\x3a\x81\xda\xa2\x92\xe5\x14\x33\x04\x6b\x1d\x26\x0a\xb9\x71\xc0\x89\xae\x64\x11\xb0\x01\x01\x3f\xd0\x51\xa7\xf8\xa2\x87\x24\x78\x9f\x76\x35\x79\x52\xd4\x04\x2b\xb4\xdf\xe9\x84\xd7\xf8\x44\x2a\xbb\xc9\xa6\x3e\x51\x70\x46\x60\x2c\x27\xb5\xb8\x30\x43\x0c\xf1\x3d\x4e\x8e\xc1\x21\xf6\x4f\x2a\x99\xaf\x50\x4b\x5b\xe9\xaf\x65\x32\xf7\x3f\x7d\x30\xf8\xc9\x31\xf7\x59\x39\xb5\x08\xb1\x75\xc8\x0e\x03\xc4\xbc\xdd\x2e\xa1\x8f\x42\xc2\x75\xaa\x94\xc3\xd5\x0d\x8b\x12\x8d\x7e\x2a\x32\xdd\x48\xba\xcf\x8b\x34\x97\x59\x28\x62\x75\xff\x69\xf7\x5b\xf0\xd6\x9c\x29\xff\x1a\x5f\xc2\xc2\xce\xd9\x57\x39\x08\x95\x9c\x65\x9c\xbf\x06\x70\xb2\xcc\xeb\xb3\xfc\xe1\xd7\x04\x61\x2f\x98\xe5\xc1\xcc\x74\x53\xfd\x5f\x73\x26\x78\xa2\xce\xdd\x87\x47\x9b\x47\x83\x27\x1e\xad\xc3\xa7\x50\xfa\x2c\x80\x6d\x3d\xfc\x9a\x40\x6d\x2b\xf5\x9e\x08\xea\x3c\x50\xbd\x08\x66\xf9\x5d\x27\x4f\x9d\x80\x22\xf4\x8f\x6b\xd6\x8f\xc7\xa6\x4f\x3f\xf1\x28\xe3\xfc\x09\xb0\x4d\xa2\x11\x08\xe0\x2c\xcb\xbd\x25\xe1\xb1\x19\x4a\x40\xfd\xce\x10\xef\x4c\xcc\xf2\x87\xb9\x69\xe9\xac\xaa\xaa\xce\x4d\x23\xe1\x6f\x4e\x0d\x5d\x73\x5f\x3d\x36\x7d\xda\x7e\xf3\xd8\xf4\x69\xfe\xa8\x73\x3c\x7f\xf7\x3e\xf6\xdf\x3d\x76\xc8\xcc\x94\xff\x69\x2f\xf8\x1e\x6f\x71\xc9\x9e\x3b\x10\x2b\x49\xa7\x43\xa6\x04\xad\x79\xe0\x81\x81\x26\xb0\xd4\x8e\xd8\x04\x56\x93\x26\x81\xb4\x15\x7d\xa3\x8b\xd3\x9a\xc4\xbb\x75\x5b\xa6\x6a\xbe\x45\x07\x63\xa7\xa2\x44\x28\x65\x06\x63\xc0\x30\x25\x17\x2f\x02\xb0\xc2\x11\xd4\x41\x3a\x56\x92\xe3\xec\xe8\x2e\x92\xb8\xf4\x02\xa5\xc9\x67\x3f\x5a\x63\xcf\x8f\x93\x5c\x5d\x54\x07\x66\x41\xf8\x6f\xa9\x05\xbf\x7c\x23\xbd\x5e\xeb\xe7\xe6\xa8\x6c\x99\xe3\xb1\x34\x04\xe6\x68\x85\x28\x46\x10\x6c\xea\xfd\x81\x54\x72\x28\x06\xd2\x55\x34\x03\x85\xf1\x7a\x1d\x7f\x37\x37\xf0\x8e\x08\x23\x55\x14\x94\xa4\xb4\xe8\x8c\xb7\x36\x64\xeb\x6a\xdd\xa0\xdf\x0e\xbf\x1a\xa9\xe5\x6e\xde\x7c\x06\xc6\xea\xb5\x6c\x1f\x74\xd7\xcf\x82\x63\x90\x61\x89\x60\x09\x76\xd8\x5b\x12\x3b\xa3\x63\x0f\xa1\xd3\x80\x19\x36\xb5\x2b\x6e\x3d\x6c\x80\xaa\x8c\xfd\x8f\xb1\x4a\xfe\xa1\x73\x51\xd2\xba\x2a\x53\xc7\x2d\xf0\x91\xb1\xe0\xa3\x6e\xd6\x19\xbd\xa5\x0d\x7b\x3a\xd3\x88\xcc\x15\xfa\x57\xb1\x0e\xb6\xc3\xcb\x31\x1a\xed\xe0\x6c\xa2\x30\x1f\x75\x05\xca\xd0\xfc\x85\x36\x6a\xfc\x1b\xa0\xbf\x8a\x95\x9c\xc9\xbc\x59\xaa\x6b\x2f\xd9\x6a\x2e\x25\xa9\xc7\xbe\xd1\x63\x87\xad\x86\xf8\x83\x20\xb2\xcd\x70\xf4\x13\xcf\xf2\x24\xc5\x75\x67\x80\x2b\x1b\xf7\x92\xe6\x1b\x3b\x6f\xaa\x9d\xa6\x9b\x5b\xb9\x1f\x41\x81\xd5\xa1\xed\x2e\x72\xcd\x61\x6b\x08\xfc\xa5\x60\x1e\x86\xc2\x6d\x49\x91\xbe\x8a\x20\x34\x05\x33\x28\x5d\xfc\x74\xdd\xf4\xbe\x5d\xc1\x9b\x6e\x71\xa6\x9b\xac\x81\x6a\xc6\x71\xaa\xe7\xf2\x5c\xb4\x36\xd4\xe0\xf9\xbf\x7b\x38\xf8\x2e\xaf\xfc\x94\xb7\x44\x4f\xe9\x8d\x1a\x48\x3b\xa7\xa8\x69\x01\x6f\x60\xac\x1f\xfc\xcb\x55\xe3\x4c\x42\xda\x94\xd1\xed\x8b\x1f\xe3\xa4\xad\xf4\xba\xa1\xaa\x28\xea\x87\x44\x40\xdc\x30\xb6\x4f\x60\x6b\x56\xdf\xbb\x24\xcd\x87\xd8\xaf\xd8\x16\x82\x8f\xee\xd9\x42\xf0\x2f\xca\x16\x82\x2f\x82\x7d\xe0\x5d\xda\x3e\xf0\x76\x8f\xdd\x35\x72\x6b\x6f\x33\x8f\x60\x2b\x78\xcc\x65\x01\xd2\xeb\x89\xdc\xb8\x38\x79\x53\x34\x73\x9a\x18\x8b\x6c\x09\x15\x76\x48\x2b\xf1\x9c\x4c\x92\x6a\xe4\xb5\x65\xf4\x63\xde\x36\xe1\xd4\xdb\x35\x14\xad\xa4\x6f\xd0\x4e\x5a\x6a\xe4\xd0\xb2\x30\xac\x89\x43\xed\x42\xf4\x4e\x48\xf9\x88\xa4\x31\x9e\x0d\x2d\xcd\xa4\x47\x20\x32\x04\x23\x89\xb1\x86\x68\x3f\x6c\xe0\xdb\x32\x6d\xde\xb4\x75\xde\xb4\x75\x7e\xd1\x6c\x9d\x4f\x79\xed\x9d\xcd\x69\x73\xfe\x7d\xc6\x9c\xa6\xf7\x55\x29\x2a\xad\xbc\x79\xca\x36\xb6\x6f\x1f\x73\xee\x20\x43\xbb\xf3\x6c\x9a\x26\xa9\xff\x47\xb5\x60\xc1\xfa\xbb\x38\x03\x44\x4c\x1e\x3c\x19\x43\xce\x1b\x1c\x6e\xed\x3e\x72\xc1\x69\x41\x62\xb6\x9b\x7b\xf0\xbe\xad\xc6\xfe\x95\x57\x00\x04\xfd\x90\x17\xbc\xd5\x43\x50\x7e\x4a\xf8\xd6\x0b\x62\x64\x0d\x73\x66\x63\x2f\x94\x36\x36\x9d\x90\xb4\xd0\x28\xd9\x29\x4a\xd6\xd7\x65\xbb\xce\xb3\x84\x87\xb9\xde\x74\xb6\xf7\x30\x93\x80\x04\xb4\xe9\xa4\x30\x95\xb0\x4c\xc6\xf3\xb0\x2b\xfd\x87\x9e\x3e\xdc\xd2\x57\xad\x6a\x3c\x25\xec\xd7\x96\xc8\xec\xbe\x35\xd9\x17\x0e\xd8\xf4\xf0\xdb\x14\x37\xb7\xb4\x08\x7e\x6f\x88\x64\xfe\x77\x07\x82\x65\xfb\x81\x1b\x46\xab\x7f\xa9\x17\x09\x21\x96\xda\xdf\x0e\xb3\x16\xa5\xb7\x61\xb2\x80\xc8\xf9\x14\x54\x75\xdd\xdb\x0f\xeb\xcb\x8d\x7b\xfe\xf3\x7d\x37\x65\xe3\x5e\x65\x63\x9f\xd1\xc8\xfa\x57\x83\x7f\x8c\xff\xaa\x9e\x32\x47\xbf\xbf\x31\x5a\xd8\xe1\xa5\x72\x53\x24\xef\x45\x24\xaf\xee\x2c\x92\x67\xfc\xa9\x2a\x0f\x87\xbd\x33\xcb\x22\xf8\x1b\x6e\x67\x5f\xb1\xcd\x25\x2d\xf3\x3f\x77\x5b\xf0\x37\xb5\xb3\xb6\xa9\x46\xf0\x56\x12\x45\xd2\xf8\xda\x8b\xdb\x3f\xd8\x09\xdc\xfc\x5a\x8a\x6f\x33\xce\xa0\xb3\x68\xb7\x99\x65\xfc\xff\x63\xef\x4d\xc0\x24\xb9\xaa\x33\xd1\x2f\xb2\xaa\xba\xbb\x6e\x4b\x02\x62\xc6\x33\xf3\x8c\xe7\xf9\x4e\xc8\xb8\xbb\x44\x56\x56\x6f\x6a\x49\x8d\x90\x28\xf5\x82\x0a\xf5\x52\xaa\xaa\x16\x66\xaf\xa8\xcc\x9b\x95\x41\x45\x46\xa4\x22\x22\xab\x3a\xc5\x60\x23\x04\x03\x06\xc6\xec\x3c\x28\x16\x83\x6d\x04\x02\x06\x8f\xcd\x66\x56\x03\x7e\x5e\xb0\xc1\x30\x5e\xb0\xdf\x78\x81\xf1\xb0\x3c\x83\x17\xc6\x60\x6c\x7a\x6c\xbf\xf7\xdd\x73\xce\xdd\x22\x33\x6b\xe9\x6e\x49\xd8\x5f\xd9\x1f\xea\xca\x58\x6e\xdc\xf5\xdc\x73\xcf\xf2\xff\x40\xd1\x7d\x8c\x07\xed\x5e\xbe\x5a\x0f\xaa\x8c\x73\xb4\x2f\xe5\xc7\xf8\xd3\xc0\xcc\x81\x06\x9d\xcb\x32\xe9\x68\xa3\xce\xe5\x18\x74\x38\x7f\x6e\x75\x8b\x15\x3a\x5c\x3b\xbc\xe5\x6f\xdf\x74\x78\xe8\x97\x6f\x38\x6a\x7d\xd8\xb5\xe5\xdc\xb7\x77\x47\xfa\xed\x68\x86\x3b\x5e\xf0\x2b\x7a\xca\x7d\xef\x28\xdb\x9d\xa3\xf0\xf1\x7f\x66\x34\xf8\xd2\xc8\x42\x4b\x28\xbb\xad\x8b\xc9\x46\x96\xea\x6e\xa2\x56\x4d\x1c\x73\x7a\xb3\x66\x99\xaa\x81\x89\x0a\x19\x19\x20\xe8\x8d\x1e\xe9\x4f\x60\x9e\x99\xcd\xd1\x72\x98\xb7\xc2\x4c\xd4\xf8\xb4\x72\x9a\x28\xc8\x7a\x30\xaa\xeb\xc4\x6a\xb0\xd4\x55\x09\x39\xaa\x69\x11\x22\xa1\x2d\x12\xd0\xd2\xfa\xee\xc9\x69\xb4\xdf\x31\x53\xd6\xe5\x33\x30\x25\x4d\x32\xb6\xc6\x8e\xc9\x27\xd0\xc5\x42\x61\x8c\xe4\x47\x51\xf5\xc1\xb4\xc6\x46\x94\x77\xe2\xb0\x87\x1e\x50\x53\x86\x6a\xa6\x82\x96\x32\x77\xc8\x0d\x70\x36\xb5\x1a\x16\xc7\xca\xb9\x14\x25\x18\x2d\x6a\x75\x60\xd2\xe0\x67\xcb\x16\x5c\x07\x51\x0b\xbf\x55\x43\x06\x43\xc7\x0f\xa1\x30\xf2\x68\x3f\x92\xe7\xf1\x2c\xca\x85\x15\x92\xb0\x7d\x0c\x1c\xd7\x05\x72\xd1\xbb\x73\xf3\xcd\xb8\xe6\x57\x07\x6d\xc6\x7a\x2b\x2d\xef\xc4\x3f\x33\x3a\x30\xf3\xc5\x09\xe2\xf2\xff\x71\x24\xb8\xc9\xb9\x32\x8c\x03\xde\x86\x6f\x36\xcd\xb6\x36\x92\xf7\x8d\xb0\xd7\xb8\xd4\xfc\x2f\xac\x04\x3f\xa0\x98\xf9\x55\xd8\x1c\xe0\xc8\xda\xdd\xf5\x04\x76\xcb\x70\xa0\xbc\x0d\xd6\xbc\x43\x8d\xbf\x11\x33\xdf\xb8\xbf\x1b\x49\x45\xd9\x45\x8f\x0f\xe5\x0a\xdd\xe5\x8f\xb6\xc3\x0e\x7b\x50\x78\xf6\xdf\xe0\xb1\xab\xe2\x34\x6c\xdc\x46\x8e\x0a\xff\xc5\xde\x86\xa9\x7e\x38\x4e\xa7\xad\x37\xc8\x96\x74\xa7\x7d\x6d\x30\xfa\xa5\x1b\x7b\x27\xbf\x3a\xa9\xfc\x23\x80\x55\x90\x26\x42\xf3\x4b\x26\x45\x8d\xbd\xb9\x32\xd0\x6b\x77\x3a\x6a\x47\xc5\x5c\x98\x2c\x43\x6c\x8e\xff\x77\x5e\x70\xd6\xbd\xa4\xb5\x82\x90\xb7\xa3\x64\xaa\x1d\x5e\xc0\x9c\x02\x84\x44\x75\x12\xdb\x15\x0b\x28\x40\x03\xa4\x09\x4c\x5b\x79\x14\x43\xf0\x54\x67\x0e\xbd\xdc\x63\x2f\xf3\x18\xdd\xf1\xef\xf5\x82\x5b\xe1\xab\x5a\x4c\xea\x6c\x56\x5d\x97\x99\x42\xb4\xb5\x65\x55\xbb\x95\x54\xf6\xc3\x25\x2c\x4c\xb7\x68\xf6\xf1\xab\xd8\xe4\xc6\xf0\x09\x56\xc4\xc9\x6c\x58\xb4\xfc\x97\x5e\x15\xa4\xa5\x6b\x26\x14\x06\xf0\xc3\xe5\x15\xf2\x6d\x2a\x44\x0e\x13\xb6\xd0\xcd\xe2\xdc\x84\xc9\x38\x31\xe8\xcd\x34\x5b\x0b\xb3\x46\x5f\xa4\x4d\x6d\xdd\x53\xe0\x0f\x4e\x6f\xde\xbb\x97\xfd\x9c\x67\x70\x21\x5e\xbf\x91\x21\x73\x73\x5c\x88\xa7\x1a\x78\x51\xa3\x0f\x5a\xf1\xe1\x6a\x85\x1b\x85\x24\xa5\x3d\xa3\x40\xa0\x63\x88\x8b\x50\xce\x76\xbb\x2d\x35\xf6\x96\x0a\xe1\xd3\xbd\xb6\x12\xbc\xa8\xa2\x10\xea\x06\x39\xe4\x31\x12\xba\x89\xec\xc8\x6e\xa4\x87\x1d\x18\x13\x61\x48\x85\x32\x85\x58\x64\x0e\x8d\x28\x57\xd4\x5a\x5a\x87\x32\xdb\x78\x18\xf3\x40\x7e\xc2\x04\xe9\x84\xfc\xfc\xdc\xe9\xa1\x81\x3f\x4e\x30\xf7\x72\x94\xa8\x71\xdd\x37\xb5\xaf\xc6\x9f\x0c\xdc\x49\x76\xd0\x08\xa0\xca\xc3\x2b\xf0\xed\x72\x0b\x9c\x58\x15\xc7\x52\xf3\xc1\xdd\x6c\x8f\x7c\x71\x41\xca\xaa\x07\x76\x07\x6f\xdc\x3d\x4b\xbf\xec\xb0\x60\xe5\xc3\xc8\x3a\x99\x28\x1c\xd3\x38\x74\xa9\x9a\x55\x58\x6d\x78\x59\xe5\x14\x0c\x22\x7d\x26\x32\x2d\x7e\x9d\x3c\x63\xd5\x8b\x63\xfc\x8c\x8e\x30\x10\xd0\x29\x30\x16\x42\xde\x8b\x7b\x35\x7e\x1d\x9f\x85\x98\x11\xf3\x9c\x8e\x81\x09\xcd\xe3\x18\x57\xc2\xf3\x4e\x1c\x15\xb2\x2b\xa1\xa3\xce\xa8\xe9\x0e\x44\x58\x0d\xa8\x4d\xa2\x56\x0a\x51\xd8\xca\x87\xf5\x9f\x61\x1e\x49\xf5\xc8\x7d\x00\xe6\xa2\x12\x15\x8c\x6b\x61\x01\x8e\x32\xbd\xd7\xc3\x2b\xfa\xf3\x10\x61\x3f\xb5\x4f\x11\x73\xa5\x99\x2c\x55\x45\x54\x48\x1d\x9e\x71\x12\x5c\x52\xa2\x61\x0b\xa4\x18\x15\xab\x22\xeb\xf1\x8e\x22\xa8\xc3\x1a\x4c\xae\x45\xb9\x8a\x9c\x81\x50\x05\xea\x53\xc6\x75\x91\x88\xaf\x48\xe1\x62\xf2\x6c\x4b\x72\x3a\xcc\x0b\xdd\x0e\x1d\x98\x55\x50\x5c\x8e\xd4\x4c\x14\x1d\x76\x3a\xe0\x05\x83\x4a\x0d\x2f\x55\x29\xf3\x00\x22\xb2\xa8\xf6\x18\x00\x33\xd5\x4c\xd3\xa9\xa5\x30\x53\x8d\x12\xb9\xbe\x34\xb5\x14\xde\x53\x22\x98\xc3\x37\xd5\x03\x4b\xe1\x3d\x13\x35\x76\x5d\x09\xd2\x49\xf9\x61\x8e\x21\xf3\xd3\xc6\xf3\x0e\x5c\x7c\x1d\x8c\x48\x2b\x4a\xf8\x49\xfd\x58\x51\x72\x6a\x02\xa7\x19\xe1\xe1\x43\x4f\x28\xfe\x34\x35\x81\x65\x8f\x64\xf4\x98\x6c\x35\x78\x0e\x81\x69\x4f\x8a\x9f\x59\x1a\x8a\x0c\x67\x30\x76\x29\x82\x2e\xb0\xf2\xe7\x50\xe9\x25\xb2\x58\xd0\xb0\xd1\x11\xab\x96\xac\x02\x6b\xb0\x53\x87\x06\xf7\x85\xb3\x70\xff\x71\x9c\x3d\xd6\x12\xb3\x9d\x34\x8e\xea\x3d\x2d\x62\x67\xd3\xc6\x3c\xd1\xc7\xcc\xc2\x1d\xff\x73\xe3\xc1\xeb\xbd\xbe\xcb\x7c\x39\x5d\x15\x19\x6d\xf5\x21\x82\x7f\xc9\x0a\xb4\xc3\x15\x51\xc2\xe1\xb1\x12\x8b\x54\x19\xfc\x78\x9a\x14\xe2\x02\xa1\xa8\x2a\x09\x1c\x76\x3a\x71\x84\x6d\x0d\x09\x9a\xb6\x61\x94\x76\xd9\x50\x0d\x56\x16\x25\xfc\x60\xed\xd0\xc1\x5a\x19\x2e\xe2\xd9\xe4\xcb\x5b\x1a\x7e\x6a\xdb\xb4\xc5\xe0\xcf\xfb\x0f\x79\x39\xf4\x17\x5f\x33\x1b\xf9\x8e\x91\x62\xc7\x48\xb1\x63\xa4\xb8\xb2\x70\x11\x4b\x9b\x9f\x39\x6f\xf5\x1f\xaf\xcf\x9c\xb8\x24\xf5\xb9\xb3\x6f\x25\x0f\x44\x8a\xf8\x1f\x8f\x74\x03\x34\x34\x68\x34\xe0\x45\x64\x51\x2a\xdf\x87\x1d\xc0\xff\xe0\x23\x83\xe7\x38\x57\xf4\xa2\x56\x61\xee\x04\x04\xd4\xa1\x87\x08\x20\x10\x91\x95\x53\xca\x73\xa2\x5b\x94\x0c\xa9\x32\x0b\x17\x34\xa5\x2c\x69\x3c\x61\xd2\x23\x22\x43\x7a\xb2\xb6\xee\x21\x7c\x84\x23\xe4\x3e\x7a\xcd\xce\xba\xd9\x59\x37\xae\x71\xef\x05\x15\xf6\xc8\x4e\x26\x44\x1b\xb2\x27\x69\xdf\xfe\x6b\x2f\xf8\x1f\xde\x6c\xe9\xaa\x3a\xb6\xd2\x2f\x50\x21\xe9\x91\x64\x59\xa5\xef\x15\x2d\x2e\x8f\x23\x99\x9e\xbb\x18\x5a\x96\x36\xf9\x59\xa9\x65\x56\x39\x95\x7a\x5a\x3e\x34\xab\x9f\xb1\xf5\x90\x41\x4f\x48\xd5\xb2\x9b\x98\xf0\x2a\x0d\xa6\x27\x17\xe6\x64\x2c\x9b\x5d\x05\xb2\x68\x1d\x6e\x72\x36\x4d\x66\x75\xed\x74\x31\xc4\x2b\x3d\x09\xbc\xd2\xf6\xd8\xbe\xd3\x53\x78\x2b\x6f\xd1\xe4\x5a\x2f\xf6\xcc\x42\x53\x9b\xae\xbb\x5a\x4d\xb0\x97\xe5\xcc\xd1\x8f\x80\x82\x02\xfd\x92\x89\xba\x88\x56\x85\x02\x38\x55\xa1\x90\x85\x83\xd8\x16\xe5\x24\x02\x50\xb7\x8f\x00\xf7\x1e\x79\xae\x9d\x8c\xe8\x1d\xdd\xe1\x32\x75\x87\x97\x7a\x6c\x2f\x82\xf7\x22\xaa\xcf\x7f\x0c\x52\xeb\x27\x9d\x82\xc2\x6c\x29\x2a\xb2\x30\xeb\x29\xd1\x08\xa3\xd9\xcd\x91\x8f\xa2\x93\xa5\xab\x51\x43\xe4\x7c\xb9\x1b\x35\x44\x0c\x1d\x9e\x26\x6a\x7c\xfb\xe6\x89\x15\x68\xd8\xcd\x4b\x87\xe1\xfb\x47\xd8\xd5\x88\xe1\x48\x8b\xc0\x7f\xcd\x48\xf0\xc2\x11\xe7\x92\x8e\xc7\xcb\xad\x8c\xe6\x28\xe7\xee\x06\x33\x2c\x9a\xb1\xb0\x40\x53\x75\xbd\x60\xf9\xca\xb9\x49\x78\x97\x86\x85\x5b\x6e\x26\xe5\x69\x7e\x4e\x85\x85\xba\x5f\xa4\xed\xc7\x04\xfd\x2e\x3a\xd5\x5e\xac\xf1\xdb\xd3\x35\x5c\xf7\x51\x13\x01\x68\x8b\x16\x64\xf4\x94\x4a\x12\x39\x02\xca\xe5\x3a\xb9\x2a\xca\xca\x85\xd1\xa2\xcf\x05\x26\x80\x01\x9f\x13\xd8\xbb\xdb\x61\x1c\xcb\xf9\xa7\x57\x6a\xde\xad\xb7\x4a\xb8\x98\x7d\x9f\x53\x07\x07\x00\x87\x18\xd2\x49\x0e\x8d\xf8\xf6\xa3\x7e\x8c\x76\x50\x0a\xfc\x71\xea\x52\x36\x74\x7f\x77\x2f\x3b\xb2\x11\x7e\x27\xa1\x03\xce\x75\x63\x41\xe0\x80\x64\xfc\xfe\xf8\xde\xe0\xeb\x95\x61\x77\x5d\xfb\x2a\x39\x2f\x90\x37\x0a\x72\xef\x30\x5e\x1a\xc5\x19\xfc\xad\xc6\x16\xac\x3a\x9d\x58\x14\x00\xf8\x2c\x12\x70\xcf\xa8\x4c\x20\xf2\x01\x69\x68\x4f\xe2\xe0\x02\xf9\x01\x3c\x72\x0a\x00\x58\x65\xde\x00\xce\x72\x0f\xa3\x6b\xe4\x90\x77\x44\x16\xa1\xc1\x8d\xc2\x86\x28\x3b\x0f\xc2\x84\x6e\x23\xa7\x8c\x0b\x3d\x8a\xf5\x05\xce\x73\x60\xe6\x5e\x15\x30\xb9\xb0\x21\xe4\x32\xc9\x11\xbf\x04\xc9\xc4\xe5\xbe\x0a\x31\xf6\xf2\x6c\x98\xe7\x5d\x8a\xf0\xc9\xb1\xa7\x78\x2b\xa4\x35\x60\xa0\x41\xaa\x5c\xac\x8a\x04\xcd\x19\x61\xa1\x39\xc9\x4d\x57\xd4\xd6\xbd\xab\x95\x68\x81\xae\x5e\xf7\x1e\x99\xa4\xc9\x9c\x7b\x89\x99\x17\x1c\x35\xec\x35\x7b\xd8\xcb\x2a\xec\x11\xa6\xa9\x18\xc8\xf5\xf7\x5e\xf0\x0d\xef\xa4\x7b\x11\x46\xc1\xb8\x81\xea\x69\x7b\x89\x20\xce\xb0\x43\xe1\x4b\x48\xfc\xaf\xf9\xc1\x74\xdc\x57\x5a\x07\x3b\xba\xee\x5b\xe8\x20\xf3\xd5\x2a\xae\x93\x10\xc5\x9d\x81\x67\x25\x81\x20\xf2\x64\x9f\x89\xe0\xee\x7b\x17\xb3\xfa\xc3\x82\x3b\x8d\x96\x97\xa7\xd2\x4c\xee\xbe\xee\x75\x0a\xf3\xb2\xba\xd0\x96\x81\x7f\xe2\x31\xab\xb3\xfc\xdf\xf6\x82\x5f\xf6\x66\xcc\xc4\x03\x3e\xf8\xae\xd9\x3e\x69\x0e\x64\xa2\xe8\x66\x89\x85\x60\x52\x0f\xe3\x98\xb8\xed\xf5\x67\xf4\x0e\x0d\x54\x85\x98\x7d\x13\xf7\x9c\x88\x35\x28\xd6\xe9\x03\xa7\x6b\x54\xf4\xa9\x73\x7f\x50\xff\xe4\xf6\xec\x75\xb0\x24\x5e\x57\x61\x7d\xf3\xc3\xbf\xb7\x12\xbc\xdf\xeb\xeb\xa8\x92\x6f\x20\xac\x2b\x98\x15\x33\x63\xa3\x5c\xe5\x26\xca\x29\xdd\x11\x59\x33\xcd\xda\x72\x4d\x26\x69\x32\xa9\x77\x3c\x3c\x26\x60\x39\x59\x43\x64\x68\xb2\x82\x3a\x47\xcb\x09\x84\x1b\x27\x45\x15\x73\x0f\xc9\xb0\xdc\xe8\x02\x05\xa6\xa6\x5f\xeb\xa4\x79\x1e\x2d\xc5\xfd\x23\x67\xdc\x10\x8f\x67\x8f\x63\x37\x6d\xc4\x80\xe6\x0a\xaf\x52\x73\xd9\x4f\x56\x98\xbb\x90\xfc\xbf\xf3\x82\xff\xe2\x5d\xb9\x2e\x79\x88\xbb\x63\x63\xd4\xeb\xa1\x58\xcc\xd8\x17\xa3\xec\xc0\x06\x0f\xa3\xc5\xa9\xd4\x81\xfe\xef\x8d\x04\xa7\x4b\xd7\x78\x2b\x8d\x1b\xb9\x1d\x26\xa9\x10\x37\x34\x91\x1a\x2e\x67\xe5\x87\xb6\xa7\x8d\x3c\x37\x8a\x6c\xc9\x75\x64\xfd\x75\x85\xfd\x96\xc7\x1e\x61\xcd\xe0\xf3\x73\xa7\x73\xff\x43\x5e\xb0\x6e\x4f\x60\x79\x91\x4e\x93\x94\xdd\x16\x66\x45\x14\xc6\xe8\x05\x42\x7b\x1e\x72\x23\x90\xa6\x82\xea\x06\xc0\xdc\xc2\xb9\x8f\x5f\x47\x82\x1d\x87\x12\x2d\xb8\x98\x2d\x69\x12\x9c\xab\xbc\x19\xc9\xd5\x98\x17\xa2\x63\x9b\xc1\x07\x20\xdb\x9a\x71\xb9\x9a\x39\x30\x8a\x6f\x91\xda\xbe\x6c\xa6\xff\x1a\x2f\xb8\x60\xa0\xa6\xd5\x14\xb3\x20\xa7\xed\xce\xd1\xb0\xd3\xb9\x83\x3b\xdd\x81\x6c\xea\x4e\xb7\xb0\x50\xa6\x31\x9f\xbc\x25\xc2\x46\x55\x41\x25\x6d\xa7\x82\xff\xe5\x11\xec\xd8\xa5\xf1\xa2\x82\x87\xf3\xaf\xae\x09\x9e\xb5\xc1\xfd\x12\x75\x85\xca\x34\x68\x76\x11\x67\x39\x04\x83\x2c\xd9\xbc\x87\x14\x53\x5b\xf7\xae\x81\xbf\x16\x00\x55\x6c\x4e\x34\xd7\xbd\xbd\xed\xf0\xc2\x40\x5a\xe3\x2f\x5d\xcd\xde\x5b\x61\x7b\x54\xd2\x82\xff\xb6\x0a\x3b\xbd\x2d\xd6\xc4\x21\x95\xb8\x8d\x0a\x0c\xbe\xe0\x69\x70\x05\xad\x72\x90\x80\x20\x5a\x42\x1b\x7c\xa1\x30\x60\x68\x2a\xb4\xe2\x3c\xa4\x69\xf3\x13\xe9\x5a\xc2\x1b\x00\x9e\x05\x22\x66\x3f\x7c\x87\x6e\xc2\xdf\xf0\x04\x28\xa2\xb9\x4a\x20\x8f\x56\x45\xdc\x9b\x80\xd4\x56\xc8\x79\x52\x80\x4a\x4a\x9b\xbc\x7d\x76\x7a\x1e\x6b\x31\xa7\x99\xc5\x90\x29\xb3\x6b\x15\xcc\x1b\xb2\x64\x39\xfb\xe1\x84\xc0\x1e\xf0\x98\xdd\x9f\xfe\x1b\xf4\xb1\xf4\x3e\xcf\xba\xae\x43\x6e\x3a\x1d\x91\x59\xee\xea\xc2\xe1\xf5\xd5\xdc\xc6\x8e\x17\xd3\xe2\x06\x96\x6a\x86\xaa\x13\xa8\x13\x75\x6d\x82\x89\x91\xd5\x24\x2c\x78\x3b\x4a\xd4\x67\xdd\x13\xe9\xbd\x63\x6c\x37\x31\x6c\xfa\x7f\x3b\x1a\xbc\x6b\x54\xd1\x6d\x3a\x4a\x67\x6e\x67\xb9\x60\x37\x50\x5d\x00\x2c\x09\x08\x23\xc2\xb8\x0e\x59\x23\xce\xbc\xa4\xda\x73\x64\x91\xda\x5f\x00\xf2\xc2\x85\xa8\xdd\x6d\x97\x6e\x85\xf5\x2c\xcd\x31\x73\x5d\xd5\xc0\x56\xf3\x27\x6a\x1c\x36\x81\xc1\xe5\xa2\xfe\x50\xa7\xa4\x15\x8a\x29\xea\x69\x52\x7a\x59\x6b\x0d\xea\x66\xcd\x20\x3c\x74\x28\x8c\x23\x97\xb6\x93\x4c\x11\xfd\x9c\xd6\xf2\xe0\x55\xe3\xfc\x64\xb6\x9c\x56\x2d\x6e\x52\xf8\x6e\x2e\x25\x75\x3d\x03\x84\xeb\x50\xb9\x0f\x1a\xa6\x92\x51\x82\x37\x1b\xb8\x29\x01\x7b\x95\x3c\x40\x84\x35\xce\xe7\x85\x20\xb7\x69\x23\x5a\x8d\x1a\xdd\x50\x75\x04\xb7\x31\xba\x09\x3f\xce\x65\x03\x21\x1a\xdf\x56\xba\x86\x98\x6a\xc0\x81\x9b\x36\xd5\xfb\x50\x2f\x39\xe1\x53\xf0\xef\x0f\x99\xea\xf4\xb0\xea\x74\x3a\xaa\xdd\x78\xe0\x31\xc3\xe8\xc9\xb7\x41\xde\x31\x9c\x4d\x55\x8a\x34\xf6\x37\x15\xb6\xd7\x9a\xa0\xfe\x9f\x55\xd4\x7a\xf9\x6c\xc5\xba\xae\x95\x09\x30\x52\x5d\x81\xf5\x22\x97\x6d\x8d\xcb\x25\xd3\xb0\x6c\x58\x07\x91\xc6\x8f\x97\xbe\x6c\xe9\x28\x4b\x82\x1f\x50\x0e\xd3\x30\xee\xb4\x42\x65\x9b\x02\x33\x96\x12\x1a\x62\x21\x7d\xaa\xc8\x52\xc8\xa5\x4f\xc2\x25\x48\x72\x95\x67\x28\x9b\x88\x02\x4d\x8a\xe8\x17\x24\x4d\x95\xc6\xc1\x39\x81\xc9\xe9\x41\xc2\x50\xd6\xa4\x8e\x38\x6d\x39\x8f\xd3\x64\x19\x34\x5d\xbb\x4c\x2a\x00\xa7\x71\x64\x65\xbb\xba\x0b\xff\x3f\x55\x58\x69\x17\xf0\xbf\xed\xb1\xdb\xb7\x35\x86\xc7\xe5\x9a\x25\xe3\x55\x99\x6a\xf5\x7e\xcf\x2d\x9d\xab\x48\xea\xd4\x5e\x82\xc6\x30\x9d\xe2\xa0\xe0\xca\x88\x0c\xf2\x63\xa1\xc8\x6a\x8d\xd0\x51\xab\xce\x36\x9a\x40\xd8\x36\x2c\xac\x9c\xaf\x09\x79\x96\x40\xc6\xec\x3a\xb1\x90\x12\x46\x07\x9e\xa0\x2d\xd9\x51\x63\x1f\x1d\x63\xc1\xe6\xd9\xc4\xfe\x6b\xc6\x82\x9b\x4b\xd7\x50\xf1\x28\xba\x9d\x58\x94\xd5\x34\x8a\x75\x34\x09\xc5\xb5\x75\xaf\x12\x75\x9c\xad\xf5\xd3\xa3\xec\x28\xdb\xa3\x88\x5e\xfc\xeb\x82\x7f\xbf\x40\x40\x0f\x8e\x61\x51\x99\xde\x6d\x1d\xe3\xad\x15\x56\x89\x3a\xfe\x1b\x2a\xc1\x4b\x2b\x0b\x88\xa8\x52\x7e\xbc\xc6\xcf\x10\x88\x1f\xa4\xe8\xa4\x9d\xa5\xb0\xbe\xc2\xf7\x1f\x3c\x74\x43\xed\x80\xfc\xff\xa9\x1b\x27\xa4\x26\x94\xac\x4c\x22\x3a\xdc\xfe\x83\x47\x6f\xaa\x1d\xba\xfe\x08\xdc\x3b\x78\x74\x02\x52\xb5\xad\xfb\x20\x55\xeb\x72\x92\xed\xdf\x7f\xe8\xd0\x11\x2a\xe4\xd0\x11\xb9\x7b\xce\xae\x1e\xc5\x25\x92\xa7\x04\x92\x29\x4f\x76\x5d\xa4\xb3\x45\x64\x1b\x3a\x6c\x51\x18\x46\x1c\xf3\x4e\x1c\x16\x52\x82\xe5\x35\x3e\x1d\xe7\x69\x55\x13\xb6\x5b\x0a\x9c\xd4\xd3\xd3\x44\x24\x05\x29\x6d\x70\x6f\x12\x20\xe4\xaa\x3a\x00\x14\xbe\x8e\x49\xfb\x76\x17\xad\xb1\x3d\x49\xda\x10\x90\x78\xbc\x12\x3c\xd3\x80\x8b\x9e\x4d\x1b\x88\xa4\xa2\x29\x4d\x4d\x97\xa1\x0d\xc5\xe5\x68\xd2\x61\x2d\x56\xb0\x2c\x76\x09\x38\xac\x21\xc9\xd6\xfe\x70\xcc\xc6\x0b\xbd\xa4\x9e\xb5\x85\xbc\xf5\xf2\xca\x79\xac\xfe\x53\x7e\x81\x9c\x35\x68\xb5\xd4\xa9\x5b\xaa\xc6\xec\x1d\xbb\x9c\xd9\x0b\xb5\x51\x07\x8e\x79\x6d\xc5\xf2\x9f\xb7\x2b\x58\x30\x3f\x2d\x9b\x24\x2a\x5a\xfa\x46\x3d\x4d\xf2\x22\x0b\x35\x4b\xb3\x2c\x4f\x23\xbf\x62\xf6\xd9\x5c\x37\x29\xa2\xb6\xc0\x60\x09\x17\xc8\x6f\x8c\x7d\xbd\x82\x34\xaf\xf3\x04\x18\xe8\x7f\xb1\x12\xfc\x52\xc5\xbe\x02\x8a\x7a\xae\x62\x61\x50\x39\x21\x28\x47\x85\x70\x09\xc7\xe1\x86\x0a\xd7\x53\xc7\x74\x18\x2a\xe7\xe3\x7c\x56\xca\x05\x85\x6c\x5b\xba\x6b\xe0\x87\x96\x74\x0b\x55\x90\x01\xf0\xc7\xaa\xa0\x2e\x83\xa1\x8a\x15\xc4\xd3\xa6\x53\x94\x53\xff\x28\xe7\x10\x4e\xa9\x11\x69\x10\x40\x52\x93\x6a\xd8\x0f\xd7\xf8\x74\xd2\xd3\x18\xac\xa4\xd2\xe8\x70\x65\x50\x0e\x70\x3f\x41\x3b\x3b\x81\xf7\x36\xc8\x96\x55\x7b\x57\xe9\x6c\x61\xf5\xb6\xd4\xca\xf7\x16\x69\x4c\x89\x79\xb9\xff\x96\x4a\xf0\x61\xcf\xba\x80\xa7\xb1\x4e\x47\x00\x30\xc9\x7e\x60\x61\x86\xf9\x63\x8e\xc6\x13\x70\xe0\x06\x27\x47\x37\x49\x34\x33\x73\x7f\x57\xaa\xcc\xc3\x86\x31\xb2\x41\x70\x07\xa8\xcf\x18\x32\xae\x66\x26\x1d\x1f\x69\xfc\xb0\x3a\xc6\xb3\xa3\xa2\x3b\x8a\x52\x0f\x3b\xba\xc4\x14\x9b\x64\x8f\xdd\x9c\xe4\x5b\x37\xf5\xa2\x77\xed\xd0\x68\xda\x71\x7f\x77\x58\xa4\xed\xa8\xce\xd8\xdb\x18\x3b\x65\xef\x67\xaa\x31\x99\x58\x8e\x20\x56\x96\x0e\xf6\x77\x85\x71\xd4\x00\x30\xa3\x27\x8b\xa5\x56\x9a\xae\x1c\xb7\xa9\xc4\x20\x29\xf0\x8b\xe3\xc1\xb9\xcd\x1f\x73\xcf\xa5\x1b\x3f\x3f\x98\x08\xe5\x6b\x3b\x44\x28\x97\xed\x31\x7a\x8d\xa6\xa6\x7d\x89\x17\xec\x3b\xbd\xb5\xd1\xb0\xa7\xe3\x02\x9b\x63\xb3\xc3\xd5\xa2\x4b\x9b\x46\x3b\xce\xfc\x1d\xae\x59\xd3\xb8\x8b\xde\x0b\xbc\xcd\x1d\x54\xa1\xff\xac\x21\x5c\xa9\x83\x27\x61\x39\x65\x7d\x53\x81\xc5\xd8\x67\xaf\x61\x87\x36\x74\x60\x19\x8a\x2b\xcb\x4d\xe5\xbf\xf6\x9a\xe0\xc5\x63\x83\xef\x71\x91\x74\xdb\xb0\x09\xe4\x8e\xdf\xc9\x32\x04\x1b\x2a\x00\x3a\x9d\x29\x1b\x30\xc1\x9f\x87\x06\x9c\x19\xf7\x66\xed\x3c\x28\x9b\x95\xfb\x3c\x15\x83\xfc\x5e\x72\x6d\xec\xcb\x4b\x9e\x29\x44\x3d\xdf\xdc\xc7\x05\xcb\xc7\xf2\x73\x0d\x69\xb4\xeb\x33\x96\xbb\xdf\xf9\x19\x10\xa0\x79\x2b\x5d\x9b\x6a\x45\x0d\x45\xa6\x96\x83\x9a\x5d\xa4\xfc\xee\x6e\x54\x5f\x89\x7b\x3c\x16\x05\x38\x2e\x92\x06\xf6\x47\x26\xc2\x5c\x9f\xf0\x29\xb4\xc0\x26\x18\x9f\xd1\x19\xf7\x67\xcf\x2d\xf0\xdb\xcc\x07\xb5\xeb\x03\x91\x44\x30\x21\x3d\x83\x83\xa3\xd3\xf2\x86\xa8\x47\x88\xa9\x1f\x2a\xc8\xb6\x30\xca\x05\x1e\x3f\xa1\xb0\x86\xe8\x74\x8b\x5e\x95\xd7\xc3\xba\xc5\x78\x3f\x95\x89\xd5\xb4\x6e\x79\x94\xea\x69\x96\x89\x7a\x91\x10\xf9\x64\x5d\x64\xb2\x7e\x03\x08\xd1\xf0\x71\x20\x73\x73\x28\xd4\x42\x82\x3f\xa4\x82\xf8\x5a\xd8\x43\xfd\x5b\x4a\xb0\x61\x95\x56\x14\x85\xb3\x33\x34\xb4\x03\x21\x6c\xee\xdd\xc3\xee\xb0\x64\xc6\xad\x97\x19\xff\xc3\x5e\xa2\xc0\x63\xee\xf5\xd8\x89\xad\xfb\x0c\x06\xcf\x16\x08\x3c\xbd\x09\x8c\xbb\xfd\xe6\x7f\x3d\xf0\x3a\xb2\x1a\xf3\xd4\x34\x14\x6a\x8d\xbd\xc3\x40\xc4\xbc\xc9\x63\xb7\x6d\xa3\x3a\x43\x1c\xce\xc1\x5d\xe4\x78\x86\x68\x9d\x38\x46\xb5\x54\x61\x65\xa3\x87\x18\x4e\xe9\xda\x6f\x39\x60\x65\x87\x7d\xeb\x79\x27\x74\x76\x27\x74\xf6\xe1\x84\x19\xe8\x6c\xbe\xc5\x9e\xf1\xef\x98\xd4\xe0\xc9\x83\xd6\x6a\x29\xe2\xc3\xec\xc0\xce\xda\xa2\x9d\x97\x7d\xf2\x2a\x76\xad\xb5\x00\xb3\xa5\xb0\xae\x0f\xe7\xc7\x91\x9a\x72\x2e\x8d\x85\xff\xfa\xab\x82\xef\x79\xd6\x05\xc2\x22\x20\x6a\x70\x0a\x91\x03\xfe\xd8\x30\xc6\x2f\x12\xb0\x3f\xc6\xf3\xa1\x6f\x02\x53\x42\xd1\x76\x61\x65\x43\x41\xba\x82\xec\x4f\xb9\x80\x43\x2e\x8b\xbf\x2d\xa2\x2d\x31\xe3\xd6\x47\xe9\x6a\x39\xde\x7e\xf5\x60\xed\xe0\x0d\xf2\x8f\x66\xb8\x8a\x3e\x18\x68\xc6\xa0\x06\x4f\xad\x1e\xb4\x0b\xc4\x65\x44\x74\x17\x60\xab\x14\x19\x9a\x96\x01\x9c\x1f\xcb\x3e\x74\xa8\x64\x43\x18\x97\x27\xdb\x47\x28\xc2\xb3\x28\x4d\xc0\x57\xba\x5e\x61\xd7\x0f\x15\x6c\x4e\xbf\x4e\xbb\x6f\x06\x5f\xf6\x4a\x57\x28\x48\x4c\x53\xf9\x62\x68\x52\xc9\x7e\xd7\x4a\xd7\xe0\x64\xde\x8d\x62\x75\x5a\x55\xfe\x1f\x58\x15\x56\x33\xc1\xa4\x3e\xe0\x1b\xca\xc2\x9e\x58\xef\xcb\x2d\xce\xe1\x36\x4f\xc2\x65\xb2\x0b\xa3\xeb\x8a\xec\x94\x20\x9f\xf0\x15\x6d\x90\x2f\xd2\x76\xc7\x9c\xa4\x4d\x29\x3b\x62\x75\x47\xac\x3e\x8c\x87\xb1\x96\xa5\x57\x3d\xfd\x72\xe3\xaa\x1f\xbd\x41\x58\x35\x7b\x9e\xa6\xaf\x5f\x0b\x8e\xe0\xe2\x40\x7d\x09\xe0\xae\x75\x74\xf3\xf0\x95\xba\x75\x48\x51\x47\xa2\x98\x62\x2f\x7a\xe9\xe6\x7b\xc8\x69\xff\x49\x3a\x8e\x70\xa8\xa8\xd4\xa7\x32\xab\x7a\x03\xd3\x16\xbe\xb7\x8b\xfd\x98\xa9\x98\xc1\x99\x9f\x94\x5d\x88\x0a\xaf\xee\x50\xe7\x01\xb3\xd1\x74\xa5\xe8\x50\x81\x1e\x16\x2b\x70\xee\xbf\x69\x57\xf0\x94\xe1\xb7\x1d\xc1\x41\xe9\xdc\xc6\xe7\x9d\xdb\x4f\xca\xde\x76\x0b\x2a\x99\x86\x7f\x71\x8c\xfd\x95\xc7\xc6\xe0\x55\xff\x2b\x1e\x7b\xf6\xb0\xae\xbf\xa2\x2d\x04\x37\x5c\xb0\x8a\x15\x76\xb5\xd5\x3a\xbc\x63\x96\x2f\x89\x36\xf8\x20\x0f\xf9\xe2\x14\xbc\xb4\x68\x37\x13\xf7\x08\x3c\x7c\xc2\x16\xb2\x68\xf9\xc4\xa6\x56\x0f\x2e\x82\x93\x4e\x71\x1b\xd7\xd8\x27\x46\xb4\x5e\xfe\xbe\x11\xb6\xf2\xd0\xb4\x18\x15\xf8\x5f\xa9\xd0\x78\x6d\xb7\xd1\xf0\x96\xd3\x6a\xca\x1e\x26\x17\x26\xe0\x8c\x97\xf9\xe1\xcb\xc5\x76\xb2\xa8\x1d\x66\x3d\x23\xda\xa2\xe5\x44\xca\x26\x6b\x6f\x93\xaf\x2d\xea\xaf\x15\x61\x72\x4f\xa8\xc2\x3b\xd4\xa6\x73\x68\xf3\x0f\x0d\xac\xf0\x80\xaf\x85\x49\xaf\x80\xbc\xcf\x94\xe2\xaf\xc3\x64\x0b\x35\x60\x9f\xd9\xd3\x47\xc7\x8f\x59\x9d\xea\x00\xb5\x90\xae\x88\xc4\x09\xe4\x7d\xdd\x9e\xe0\x44\xdf\x55\xe5\xb8\x36\xa1\xbb\xe0\x01\x95\x8f\x71\xb7\x50\x9d\x41\xee\x2c\x9e\x4f\xed\x66\xaf\x1a\x63\xe3\x61\xb7\x01\xc6\x88\xdc\x7f\xc1\x58\xf0\xf5\xd1\x69\xf5\x13\x2d\xfd\xf4\xcb\xc2\xac\xcd\x79\xbd\x95\xe6\x42\x9f\xdc\xac\x4f\x29\x26\x27\xd4\x47\xda\x9d\xb0\x88\x96\x62\x04\xf5\xc7\xa0\x1a\xf9\xbc\xd5\x0e\x34\xda\xcb\xdf\x35\x3e\x9d\xd8\xb8\xb8\xa0\x4c\xf5\x9c\x2b\x89\x49\xff\xce\x0d\x96\x56\xa9\x44\x38\xee\x86\xa6\x09\xe4\x14\x80\x6f\x80\x75\x86\xee\xd4\xf8\xb4\xda\x15\xfb\x0b\x81\x63\x3f\x3a\x89\x44\x61\x22\x55\x6a\xa6\x5c\x8a\x3b\xc7\x79\xbe\x8a\x16\x30\xa1\xe2\xd9\xac\x96\x0f\xe8\x3e\x1e\x59\x61\xaa\x0a\x9f\x05\xc6\xb3\xaf\xfc\x22\xe5\x22\xc9\xbb\x99\x30\x5c\x5a\x76\x2d\x4d\x50\xb5\xfe\x4c\xb8\x06\xa0\x38\x40\xfb\x66\x3f\x6a\x49\x17\x64\xb1\x2f\x7d\x51\x91\x3e\x02\xcb\xbe\xbe\xa7\xc7\x55\x80\xe2\x12\x14\x59\x57\x04\x55\x6b\x96\x45\x39\xe5\x98\xd9\x08\x06\xba\x4c\xea\x58\x0b\x7d\xd6\x32\xa7\x6c\x10\xe9\xb6\xcc\xae\x76\xbe\xed\xdf\x15\xdc\x3e\xed\x56\xc6\x12\x3f\xd4\x31\x58\xa1\x35\x79\x2c\x29\xd1\xb2\x84\x7c\x25\x49\xd7\x12\xb0\x1b\xb8\x31\xb8\xb7\xb3\x31\x30\xc9\xf9\xb7\x06\x87\x30\xb6\x7a\x68\xc1\x75\x39\xd2\xc9\x3e\xd0\x93\x20\x18\xde\xc5\x81\x5e\x63\xa3\xb2\x78\x3f\xdd\x00\xf7\xa4\x7f\x9d\x9f\xcf\x45\x36\x93\x34\xd3\xe0\x46\xf9\x97\x5a\xce\xea\xea\x40\x7e\x19\xca\x32\x51\xab\x86\x3d\x7f\xcc\x46\x9f\xb4\xd8\x54\xd1\x19\x17\xa5\xc9\x71\xad\xd1\x6b\x44\x19\xff\xb3\xa3\xc1\xd2\xc6\x8f\x94\xe2\x01\x01\xd5\x86\x92\x03\xcc\x7b\xf6\x99\x03\x67\x3e\xf9\xda\xd1\x89\xbc\xee\x8d\x4a\xe5\x6e\xdd\xa3\xed\xca\x11\x3e\x9f\x19\x61\xa7\xf5\x3e\x76\x5b\x70\xbd\x0b\x22\xac\x41\x76\xaa\x0a\xba\x61\x01\x92\x3b\x4e\x85\x71\x2e\xaa\xfc\x7c\x02\x43\xea\xf8\xc7\x6f\x61\xf0\x35\xff\x68\x30\xb1\x40\x81\x4a\x43\xaa\xaa\x0b\x77\xde\x7f\xad\xc7\xfc\x38\xcc\x8b\x85\x2c\x04\x58\xd1\x34\x59\x88\xda\xc2\xff\x89\x4b\x87\x0e\x3d\xb1\xa0\x80\x0c\x0a\x85\x21\xaa\x3f\xcd\x0b\xfd\x19\x05\xd4\x21\x1b\x4a\xdb\x2b\xec\x2d\xb0\xa9\xd4\xd8\x53\x0c\xe6\xea\xd9\x60\x7a\x9a\xb7\xba\xed\x30\x81\xc0\x04\x80\x9a\xa7\x7b\x6a\xe6\x1a\x38\xd6\xdc\xb2\xf1\x99\x8f\x39\x4d\x3e\xc5\x76\xa1\x1d\xd8\xbf\x39\x98\x42\x0b\x38\x58\x85\x55\xf4\x93\xae\xed\xbe\x9c\xda\x31\xb8\x9c\xaf\x56\xd8\xbe\x01\x93\x10\x1d\x01\x67\xc2\xce\x1d\xa2\xa7\x1d\xf7\x1f\xae\x04\x3f\x8c\x3f\x72\xa2\xa6\xa4\xa4\x57\xfd\x74\x6d\xdd\x1b\x59\x11\x3d\x17\xc4\xaf\xc2\x7e\x94\xc9\xab\xfe\x0f\x07\xfe\x02\xf1\x6c\x02\x7f\xab\x2c\xc9\xa9\xcc\x0b\x3c\xa2\x51\xff\x8f\x41\x6a\xc3\xc2\x93\xed\xa2\xd8\x36\x03\x63\xba\x2a\x32\x29\x44\xa7\x08\x3f\x66\x52\x2e\xc6\x49\x82\xe4\x99\x02\x1f\xc2\xd4\xb5\xf0\x8f\x5d\x8d\x39\x8b\x7d\xf2\x54\x70\xe3\x20\xf6\x49\xdd\x62\x8b\x80\x72\x43\xfe\xc9\x5f\xdb\xcd\xaa\x1b\xf5\xf3\xd9\xb4\x21\xf0\x07\x31\x00\xbc\x76\x77\x10\x0f\xbd\xeb\x86\x62\x3a\xb1\xe1\xa9\xb1\xf4\xd8\x23\x83\x46\x1f\x8c\x1f\x53\xe1\x83\x6a\xae\xc8\xd2\x6b\xeb\xde\xb8\xf6\xa9\xac\x7b\x30\x0c\xeb\xde\x23\x65\xe7\xc6\xa2\xc0\x62\xee\x28\x8d\xec\xdf\x8c\xb1\x0f\x7b\xac\xef\x19\xff\xe7\xbc\xe0\x75\xde\x1d\xa5\xab\xbc\x21\xea\x71\x98\x69\x22\x0a\xd9\x61\xfd\x44\xae\xa6\xbe\x60\xf2\x87\x00\x45\xad\xeb\x39\x45\x92\x93\x4a\x1e\xc8\xbb\x70\x40\x2d\xa5\x92\x6a\xbc\x8c\x08\x83\x8b\xea\x61\xae\x4e\x20\x34\xcc\x1d\x9a\x6c\xad\xe0\x69\x67\x2d\x1a\x58\x7d\xba\x4c\xfa\x67\xa0\x53\xc5\x72\xf2\xea\xe6\x5f\xfc\x09\x66\xfa\xd8\xcf\x02\x88\x44\x42\x86\xd1\x41\xdf\xc6\x3b\x57\xb4\x02\xbf\xe0\xb1\x47\x28\xa5\x58\xd9\x86\xde\xec\x05\x2f\xd7\x29\x1a\xca\x40\x54\xae\x4f\xf9\xfe\x36\x6a\xd5\x4c\xb3\xa5\xa8\xd1\x90\x2a\x47\x82\x53\x4d\x2e\x28\xb4\xfc\xd8\x35\xc6\x5b\xa8\xbf\x38\x34\x0a\x1e\x1b\xe9\x46\x0d\xa0\x6c\x3d\x3f\x73\xa2\xaf\x6a\x16\x69\xc3\x43\x51\x9d\x2f\x8f\xb3\xfd\x83\x90\xeb\x10\xce\xfb\xdc\xbc\x43\xe3\xf1\xbe\xf1\xe0\x90\xc3\xe2\xa1\x1f\xe3\x1d\xd9\x93\x39\x70\x3a\x10\x78\xb7\x3e\x5e\x39\x8b\xec\x5b\x7b\xd8\x27\x3d\xb6\xab\x99\x03\xbc\xd2\x07\xbc\xe0\x1d\xde\xa9\x28\x16\xe8\xc2\xc3\xb8\xde\x22\x45\x3a\x10\x8b\xe6\x1a\x29\xb0\xad\x67\x4c\xb0\x1d\xa9\xfe\x40\xba\x44\x28\xde\xc9\xb2\xe6\x3b\x3d\x79\xa1\xc6\x03\x71\xa1\x38\x12\x54\x79\x70\xa1\x99\xcb\x7f\x92\xa2\x99\x07\x08\x82\x43\x8c\x68\x60\xb5\xca\x74\xe8\x2b\xbe\x40\x59\xdd\x0a\x51\xca\xe9\xb5\x0b\x6c\x8f\xdc\xf6\xce\x25\x71\xcf\x8f\x83\x67\xda\x09\xe2\x4d\xa9\x17\xf0\xfd\xf2\xf6\xd4\x5a\x16\x15\x62\x02\x59\x57\x21\x49\x15\x94\x5a\xb0\x77\x02\xd6\x0a\x1a\xd9\xd4\x4d\xa2\xb8\x96\xa3\x85\xbd\x7e\x46\xf6\x42\xee\x2a\x8a\x9f\xf7\xd8\x38\x12\xef\xce\x89\xa6\xff\x29\x6f\x03\xa3\xb1\x41\xb7\xab\x87\x71\x39\x04\xef\x45\xde\xbc\x2a\xa5\x1c\x2b\x87\xdc\xc1\x14\xf7\x2e\x85\x6a\xba\x24\x85\xb3\x32\x0a\x9a\x31\x97\x3a\x74\x3d\x13\x70\x9e\x08\xe3\xbc\xc6\x75\xe8\xb5\x81\xe1\x52\xc1\xd7\x44\x0e\xae\x11\x71\x8a\x42\x6a\xff\xa2\x51\x63\x2f\xf5\x18\xc3\x29\x03\x91\x8c\xcf\x0d\x3a\x77\xe9\x5f\x6a\x75\x80\xa6\x31\xa9\x35\x0d\x5b\x94\x99\xea\x10\xbf\x3c\xa7\xde\x43\x9f\x3a\x1c\x00\x21\x48\x8e\x18\x4f\x06\xb8\xdc\xed\x91\xfd\xc2\x08\x7b\x84\xa9\x0d\x8a\xb6\x8f\x8d\x04\xef\x1d\xb9\xcb\xbd\xd8\x17\x60\x98\x76\x74\x95\x68\x01\xd0\x97\x74\x05\x55\xff\x58\x4c\xcc\x0e\x17\xb6\xb6\xa4\xcf\x96\xf8\x9a\xed\x34\x01\xc8\x12\x50\xc1\xda\x79\xf9\x54\x03\x1d\x23\xeb\x42\x30\xa5\x4b\x82\xb7\x23\x79\x9c\x20\xc5\xdd\xae\x0e\xee\x97\xd1\x72\x0b\x58\x07\x93\x42\x2c\x67\xda\xe5\x5f\x70\x6b\x0c\xd0\xbc\xa0\xb1\x3f\xa4\x12\x92\x45\x0d\xe1\xc4\xd6\x53\x06\x4b\x37\xc3\xb7\x8b\x94\x07\x74\x0b\xd6\x51\x2f\xed\xea\x68\x56\x8c\x66\xd4\xad\xcb\x07\xf4\xd3\x59\x73\xd3\x4e\x00\xef\x64\x62\x12\x82\x10\xfb\xdb\xa2\xba\x88\x28\xf3\x9d\x21\xfd\xa3\x71\x27\x80\xb4\x84\x92\x74\x72\x35\x82\x13\xbc\xff\xfe\xf1\xe0\x77\x3c\xf5\x8b\x8b\xd5\x08\xf5\xc2\x4e\x4a\x4a\xb1\x54\x8b\x20\xac\x52\xa5\xf5\x15\xa9\x75\xca\x90\xa2\x84\x4e\xf9\x79\xd8\x14\xc0\x25\xa2\x03\x4d\x4d\x9e\x67\xe8\xd8\x71\xc0\xbf\x25\x87\xd4\x00\xa1\x41\x9e\x89\x5c\x78\x98\xe3\x49\x15\xa1\x3d\x8c\x5a\x27\x65\xde\xec\xb9\xf9\x05\x1a\xe4\x5a\xad\x36\xd5\x49\x1b\xf9\xd4\xcd\xb2\xae\xb2\x63\x6f\x99\x52\x6f\x95\x8c\x94\xdf\xd9\xb5\xe3\x4a\xb9\x5c\x57\x4a\xc6\xae\xc6\x44\x3a\x0c\xb8\xce\xfd\x70\x38\x6d\xea\x06\xe7\xb2\x13\x76\x19\xc1\xbf\x77\x7e\xaa\x30\x1f\x75\xc4\xde\x71\xdf\x5c\x86\xfb\xe6\x79\x76\x2c\x5d\x71\xb9\xfe\x9b\xc3\xe6\xef\x92\x61\x02\x42\x9d\x01\x68\x30\xd7\x11\x2c\x51\x5d\x76\xc3\x45\xef\x29\x9b\x3b\x55\x8e\xfa\x47\x86\xc1\x3f\x29\xa1\x34\xd0\x7d\xf2\xd6\xab\x1c\xd4\x3b\xc3\xc3\x82\xe2\xad\x8f\x9b\xeb\x5b\xff\xcc\xb8\xb9\x7e\x6f\x7c\x47\x64\xed\x78\x7f\x1f\x3e\xf1\xf1\x2f\x90\x18\xee\x01\x15\xdb\xf7\xd6\x0d\x9a\xb3\xa9\x24\x79\x68\xd8\xe1\x7e\xdf\x84\xfe\xfd\xa6\xc7\x6e\xbd\xf4\xda\x7e\x7f\x51\xc4\x5d\xf4\xa2\xcd\xb7\x84\x53\xfe\x89\xcb\x63\xe9\xa2\x2d\xe2\xab\x3e\x3b\x7f\xa9\xde\xd8\x92\x23\xf6\x84\xee\x7d\x48\xe5\x7f\xa9\x1f\xcc\x6e\xf4\x40\x29\xde\x88\x22\x26\xd7\x42\x42\xbc\x8f\x32\x27\x3d\x12\xa1\x64\xd6\xbd\x31\x68\xf3\xba\x37\x06\x5b\xc3\xba\x37\x06\xa7\xab\x75\x6f\x0f\x35\xcd\x35\xdf\xbf\xe8\x51\xec\xed\x1e\x80\xe1\xd3\x6d\xff\x75\x1e\x7b\xd6\x95\xf1\x45\x97\x5a\x7f\x5c\x7f\x23\x38\x6c\xbe\xa7\x37\x20\xeb\x12\x9d\xe5\x0d\x9d\xc2\xf1\xb9\x13\x35\xf6\x55\x8f\x61\xdb\xfc\x3f\xf2\x82\xcf\x79\xc8\xc3\x4c\x47\x5c\x79\x98\xd6\xc4\xcc\x74\xb4\x02\x10\xec\x92\x4b\x18\x03\xc4\x4b\x17\x71\x37\xa5\xb0\xb3\x6e\xd2\x10\x19\x5f\x04\x1e\xae\xa9\x9b\xa1\xcc\x5b\xa6\x6a\xb5\xda\x22\x19\x54\x10\x6c\xb8\x68\xb9\xe7\xe8\x61\xc3\xc8\xf7\x6b\x36\xee\xac\xcd\x17\x6f\x86\x31\xa9\x75\xe2\x6e\x16\xc6\xb7\xd4\xa8\xf8\xc5\x09\xe7\xc4\xf5\x7e\x8f\xe1\xd8\xf9\xef\xf2\x58\xe3\x41\x19\x0a\x53\x41\x38\x2c\x06\xb7\xe1\x69\x3f\x27\xe3\x36\x39\xa3\x71\x6a\xc9\x6d\x59\x2e\x17\xb2\x08\x68\x9f\x42\xa9\x63\xd9\x03\xa3\xec\x07\x60\x63\xcb\x56\x05\xf9\x75\x4e\x01\x98\x82\xff\xf2\xd1\xe0\x79\xa3\x03\x6f\x95\xfd\x74\x24\xd4\x09\x84\xc1\x25\xf2\x30\xba\x11\x75\xe9\xb9\x8e\x48\xc0\x11\x89\xba\x8a\x89\xa9\x57\x9f\x22\xf8\x1f\x32\xae\xd1\x79\x4f\x89\x02\x6e\x74\xa2\x2a\xb4\xaf\x6a\xe8\x65\xa1\xc9\x89\x05\x07\x11\x01\xe6\x9a\xf5\x00\x20\x99\xac\x85\xbd\xdc\x7c\xac\x6c\x5b\x6c\x38\x61\x92\x3a\x3a\x52\xd9\xa9\x16\x2f\x4c\xaa\x57\x27\xbb\xd8\x27\x93\xf8\xb5\x45\x85\x81\x26\xdf\x5b\x04\x87\xb5\x5a\xba\x4f\xbb\xee\x19\x35\x6c\x6e\x2d\xc5\xd6\xdf\x75\x78\x1e\x7e\x2f\xd6\x00\x21\x60\x03\x3f\x48\x11\xe6\x2b\xf9\x14\x42\xb2\xd8\xa2\x33\xec\x44\x53\x38\x98\x06\x60\xa8\x7c\x61\xd2\x9e\x83\xd7\x76\xb2\x6e\x12\x25\xcb\x20\x6e\xbb\xb9\x6a\x86\xbc\xe2\x36\x04\xe6\x0a\x39\xb1\x5c\x3b\xdc\x1b\x21\xd6\x27\xed\x08\xff\x95\x5e\x70\x9f\x87\xf6\x1f\x33\x17\x6c\xe7\xca\x90\x85\x0c\x07\x7a\x8c\x8d\x9a\x94\xfb\x87\xd6\x83\x27\xa1\xb0\x46\x8d\x4f\x53\x42\x3e\xd9\xce\xe4\x90\x2d\x52\x34\xd5\x22\x8c\xf0\xa2\x36\x94\x34\x16\x9d\x05\xf8\xed\x5d\x4c\x0b\x4b\xff\x6b\xbb\x82\xbf\x18\x53\xbf\xfa\xf0\x8a\xe2\x58\x01\xc7\xe0\xfd\xcd\xa4\x8f\xd2\xba\x8d\x75\x4d\xa5\x11\xcb\x9d\xb1\x4b\xe8\x18\x80\x62\x24\x47\x1f\x57\x00\x4d\x66\xfd\x11\xf9\x9a\xac\x01\xce\x2c\xf9\x7d\xc5\x24\xd8\x83\x90\x01\x4b\x95\x57\x4a\x6a\x94\xf3\x00\x92\xa3\xe3\x68\x45\x04\x00\xbc\x0e\x46\x9f\x1c\x90\xc3\x97\x52\x20\xef\x4e\xec\x67\x4a\x25\xe4\x55\x6b\x39\x42\xfd\x44\x83\xc7\xe2\x42\x54\x4f\x97\xb3\xb0\xd3\x42\x2c\xf3\x1a\x0f\xee\xe8\x2b\x21\x47\x1a\x70\xe5\xc4\x0f\x56\x03\x8a\x7b\x45\xaa\x08\x1a\x26\x88\x3e\x26\x98\x06\xc2\x01\x79\x76\x9a\xa9\x32\x26\xe8\x15\xe5\x8a\x8b\x29\xd9\x00\x5b\x17\x00\xca\x42\x20\xe7\x41\x20\x77\xed\x80\x32\x75\x30\x9c\xc7\x29\x34\x4a\xac\x42\x15\x8b\x3b\x88\x7f\x34\x88\x37\xa3\x2c\x87\x50\xe8\x27\x4e\xf3\x5b\x00\x82\x94\xdf\x42\x20\x0e\xfb\x31\xaa\xe2\x89\xd3\xa8\xfe\xab\xfe\x81\x66\x25\x29\xcf\xbb\x4d\x20\x0c\x20\x74\x31\x78\x35\xcd\xf0\xdd\x09\x05\xaa\x86\xd1\x36\x10\x58\x42\x14\x99\x56\x23\xa9\x8d\x4e\x1d\x21\x9e\x86\x28\xff\x55\x1d\xd5\xec\x53\xfd\x2b\x95\x95\x03\x55\xbe\x7a\xa8\xca\x57\x0f\xca\xff\x81\xea\x02\xbf\x0e\xc8\xbf\x0e\x57\xf9\xea\x61\xd0\x66\xe4\xa5\x43\x50\x23\x7c\x0e\xfe\x3c\x54\xe5\xcd\x34\x3d\x88\xff\x3d\xe0\x04\x74\x3c\x9b\xb5\x58\xf3\x41\xde\x81\x68\x49\xb0\x2f\x8e\xba\xe0\x88\xc3\x12\x27\x89\x04\x48\x1b\xe3\xfd\x37\x8f\x06\x8f\x2b\x5f\x54\x91\x9f\x96\xff\xb3\x48\x39\x3d\x55\x8b\xc5\x72\x58\xef\x91\x36\x38\xc0\xd7\xe9\xc2\xc7\x8f\xb0\x27\x90\x73\xf0\xc6\xe0\xb1\x8b\xf2\x8f\x45\x25\x07\x6c\x15\x40\x13\xfd\xcd\x91\xe3\xc8\x16\x29\xe7\x6c\x67\xdf\x6d\xc1\xf5\x8b\xfa\x97\x53\x96\xe3\xe5\xdb\xb0\xc0\x26\xf1\x90\x3c\x33\xb8\x73\x51\xfe\xb1\x58\x0e\x5b\xd7\x44\x16\xb8\x6c\x0d\x6e\x0b\xf2\x30\x84\x49\xcf\xb6\x9a\x52\x86\xbb\xc5\x96\x44\xdf\xf9\xa4\xc7\x46\x3b\x69\x56\xf8\x1f\xd2\x20\x45\x6f\xf3\x66\x9a\xb6\x93\x02\xcd\x37\x59\x61\xa7\xd0\x45\x2a\x1c\x52\x01\x29\xac\x61\x4e\xa1\x86\x03\x96\x1f\x3d\x72\xe4\x30\x6c\x11\x4b\x61\x7d\x65\x4d\x9e\xe9\x54\xc0\x15\xd0\x06\xd4\xf8\xa2\x2c\x75\xd1\xda\xd8\x43\x8a\x52\xea\x18\xb6\x7e\xbe\xff\xe0\xe4\xd1\xeb\xaf\x3f\x7c\x7d\x95\x47\x89\xdc\x10\xa2\x55\x31\x51\x02\xd5\xdd\xcd\x36\x06\x2a\x01\xb0\xff\x9c\x00\x67\xd0\x57\xf7\x92\xdd\xc1\x57\xbd\xf2\x55\x6b\x87\xa2\xf8\x7f\x8c\x1c\x05\x0a\x10\x82\x55\x21\x95\x1d\x0c\x58\xf2\x40\xd3\x49\xb5\xbe\xa2\x99\x8f\xe0\x25\x02\x38\xd9\x2f\x3b\x80\xd6\x77\x15\xe3\x32\x28\x43\x6a\xb2\x93\xa5\x72\xaf\x16\x8d\xc9\x8e\xc8\x26\x73\x51\x4f\x93\xc6\x84\x85\x10\x6e\xf9\x83\x10\x81\x47\xee\x23\xcb\xb8\x73\x2e\x89\xa6\x3c\x0e\xa3\x25\x0d\xc5\x8d\x81\x4b\xb1\xe1\x8d\x6a\xeb\x1e\xc3\xaa\x9f\x05\x27\xbf\x8f\x37\xa7\xb1\xc4\xbb\xfa\x70\xc6\xff\xd7\x28\xbb\x83\x59\x6f\xf8\x8f\x0f\x0e\x98\x5f\x83\xd6\x85\x02\xac\x49\x38\xcc\xb6\x28\x4d\xec\xf9\xf5\xc7\x15\xb6\x47\x21\x2b\xf8\x9f\xaf\x5c\x92\x31\xf8\x74\xb8\x24\x62\x15\x98\x12\xbc\xa4\x92\x5b\x50\x0c\x66\x97\x98\x14\x49\x3d\x6d\x48\x11\x0f\xf8\x81\x40\x0f\xa6\x8c\x09\x16\xa6\x08\x00\x4f\x68\xb0\x07\xad\xee\x2e\x47\xab\x52\x34\x63\x5b\x20\xe2\x15\xf2\x37\x90\xc0\xa4\x13\xe6\x04\x35\x1b\x26\x04\x5d\x0a\x6b\xb0\x13\x66\x61\x5b\x14\x22\x53\x3d\xaf\x91\x69\x30\xe2\x4f\x83\x35\x29\xfc\x2c\xf3\x00\x79\xa1\x14\x33\x8f\xfc\xd6\xb3\xbb\x14\x98\x67\xf5\xb7\x03\x75\x5b\xa4\x7c\x39\x84\xe1\xa7\x62\x6a\xec\xd3\x1e\x1b\x30\xa2\xfe\xbb\xb7\x93\x14\x5d\xd3\xea\xcb\x9d\xdd\x10\x8e\xf1\x41\xdc\x5f\xa6\xea\x6c\x07\x3b\x8b\xa6\x80\x42\x88\x72\x67\x84\x05\xe9\x95\x89\x58\xac\x86\x09\x41\x6a\xef\x87\xf0\x94\xbb\xe9\x63\x13\xec\x57\x1f\x65\x53\x5b\x6d\x21\x69\xdb\x7f\xf5\xa3\x82\x9f\xf5\xd4\x2f\xeb\x18\xad\x15\x78\x0c\x0a\xed\x25\x45\x4b\x14\x51\xdd\x3a\x09\x42\xd8\x4e\x2b\x04\xe4\xd9\x44\x41\x62\x20\x24\x09\x40\x72\x85\x59\x94\x76\x73\xcd\x5e\x86\xd6\x58\xe4\xe2\x21\xc5\xb4\x1d\x12\x04\x78\xaa\x80\x95\xd3\x26\x7f\x8e\x31\x62\x55\xb9\xaa\xd8\x73\x5d\xf7\xd2\x9f\x3e\x82\x7d\x65\x94\xed\xa9\xa7\x49\x11\x25\x5d\xe1\xff\xc1\x68\xf0\x99\x51\xf5\x4b\x39\x35\x72\xa1\xb9\x78\x10\x6e\x51\x14\x00\x22\xd1\x8e\xb4\xfc\x35\x58\x57\x80\x6b\xa0\x83\x54\xab\x7d\x49\x99\x14\x19\x49\xb3\xb1\x15\xe6\x38\x1b\xf1\x88\xa3\x61\xa1\x2c\x4e\x82\x28\xe7\x69\x27\xbc\x9b\x50\xd1\xa8\x4a\x6a\xee\x45\x79\x0e\x37\x50\xeb\x72\x36\x17\xc7\x90\x19\x16\x4a\xa3\x85\x5d\x07\xb4\x19\x88\x54\x2a\xb2\x48\x28\xe8\x74\x71\xa1\xd0\x19\xa3\xaa\x26\xa6\xbb\x8f\x63\xaf\x20\xe0\x0c\x20\x62\x63\xf0\x04\x66\xe8\x1b\x5c\x23\x82\xf5\x14\xaa\xcb\xa8\xa5\x75\x27\x68\x48\xb6\x1b\x83\xc1\x1b\x5c\x2d\x48\x08\x01\x0f\x79\x53\xac\x49\x75\xac\x0b\x22\x5f\x8e\x29\xae\x74\x95\x66\xee\x86\xc1\xe0\xc9\x4f\x87\x04\xc3\xd9\xd3\x02\x9f\xd1\x23\x89\x5d\xa9\x56\xae\x66\x02\x52\x3d\x45\x3d\x4d\x66\x03\x50\x47\x31\xf6\x29\x17\x55\xde\x4d\x00\xb3\xaf\x97\x76\xb1\x3e\x84\x3e\x4f\x5d\x89\x21\xae\x18\x87\xa7\x90\x82\x29\xae\xd0\xd9\xd4\xbf\x34\xc6\xfc\x4c\xb4\x31\x2c\x61\xa6\x10\xed\xe3\x69\x37\x29\xfc\xdf\x18\x83\x2d\xfe\xe8\x91\xe0\x17\xc7\xfa\x6f\x6b\xd9\xae\xa7\x17\x10\x51\xde\xdd\x05\x8d\x02\x66\x1a\x55\x1a\x46\xc1\x3d\xbc\xe3\x5a\x52\x67\x77\x35\xea\xaa\x5d\xfa\xd4\x42\x57\x71\xe6\x28\x8a\x9f\x06\xc9\x64\x29\x8d\x09\x26\x1c\x85\x73\x6e\xe5\xcf\xd9\x00\x6f\x54\x73\x55\xa9\x9c\xd3\xb1\x54\x47\x91\x53\x90\x34\x8d\x40\x2c\x9a\x05\xca\x58\x78\x20\x6d\x47\x45\x61\x32\xfa\x73\x91\x45\xa1\xc6\xb4\x73\x2a\x1a\xe5\x5c\x03\x09\xec\x17\x11\x6d\xbc\xe8\x80\x36\xcc\x56\xf5\x56\x37\x59\xa1\x74\x4a\xc3\x45\x6a\xa8\x05\x20\x20\x13\x1e\x9a\x30\xed\xc9\x04\x75\x1d\x4e\xc7\x72\x9b\xb0\x21\xda\xda\x70\x49\x2d\x51\xae\x87\x34\x6e\xa8\x9c\x87\xd5\x83\xb5\x83\xd7\xab\x78\x01\x40\xf8\xd3\xdf\xc0\x29\x0f\xbe\x2d\x39\x8c\xb2\x11\x3a\xce\x6a\xd0\x4c\xb9\x4e\x6e\xf5\x6d\x08\x27\xba\x0e\x97\x5e\x74\x0f\x05\x1e\x1b\x0e\xed\x1a\x3f\x4e\x6c\xf8\xa4\xe3\xc9\xef\x66\x02\xc4\xe6\xb0\xb2\x31\x2e\x03\x44\x43\x46\x3f\x80\xd9\xcd\xd5\xf9\xde\x3e\xd2\x1f\xdb\xf6\xca\x91\xe0\xbe\x91\x79\x0b\xf1\x5f\xc7\xf2\xdb\xd8\xe6\xfb\x72\xcb\x31\x65\x07\xb8\x19\x07\x8e\x9d\x49\xab\xe0\x14\x6c\x5a\x7f\x0d\x08\x06\x22\x40\x79\xec\x60\xbd\x92\x9c\xa9\x71\xdc\x33\x55\x90\x68\x41\xa1\x09\xa1\x96\xaf\x56\x91\x80\x4f\x8c\x1a\x46\x37\x69\xa7\x0d\x34\x82\x01\x5c\x1b\x89\x0c\x3a\x7b\xf5\x5b\xdd\x55\x20\xd7\x9c\x08\x1b\x93\x72\x3f\x7a\xd0\xdd\x24\xf5\x34\x41\x3d\xb7\xde\x9b\xa4\x50\xed\xc9\x30\x69\x4c\x6a\x21\x5d\xef\xd9\x92\xe8\x1b\x1e\xa8\x7f\xcd\xd3\x51\xb2\xe2\xff\x89\x17\x7c\xde\x53\xbf\xf0\x90\x2d\x4f\x31\x25\xd7\x9a\x1e\x87\x2d\xb5\x97\xb1\x13\x27\x67\xe7\x4e\x1e\x9f\x5e\x38\x79\xc2\xf6\x90\xa0\xf5\xa3\x48\x3b\xbc\x93\xa5\x9d\x70\x39\x34\xa5\x93\x05\x0f\xa8\xc4\x0e\x80\x6a\x02\x78\x9d\x8e\xec\x90\x4a\x5f\x1c\x26\x89\x30\x00\x5d\xed\x74\xd5\x30\x90\xa9\xd7\x1c\xb1\xfb\x9d\xbd\xec\xdf\x0e\x88\x30\x3b\x9b\x36\x84\xff\x87\x7b\x83\x08\x90\xe7\xa0\xd9\x6b\x69\xb6\x22\x10\x5d\x4d\x96\x68\xea\x5d\xe3\x27\xe5\xa9\x02\x6e\x40\x13\x10\x67\x59\x85\x67\xf5\xa7\xd9\x20\x28\xc7\x7e\x70\xa6\x44\x09\x17\x45\xbd\x31\xe1\xaa\x1d\x2f\x67\x3b\x2e\xe2\x1d\x17\xf1\x0e\xf5\xd2\x15\x75\x12\xff\xb2\x72\x12\x7f\xd0\x63\x13\x9b\xc6\x98\xca\x85\x0f\x0e\xe1\x17\x7b\xf3\x65\x7e\x41\x1b\xdd\x9a\xd0\x24\x1f\x94\xaa\xcb\xda\x82\xa4\xc6\xa3\x0d\xfb\x7b\xe3\x3a\xfe\x4b\x6f\x0b\x78\x7b\xd0\x06\x74\x13\x7f\xdc\x3b\x93\x82\x1e\x57\x47\x8e\xdb\x74\x89\xf4\x7d\x97\xf3\x19\xdb\xf2\x7d\xb0\x67\x95\x9a\x7e\xd1\x3b\xbd\xb9\x77\x79\xc2\xdf\x37\x88\xe3\x5c\xf6\x42\x99\xf5\xe5\x1f\xaf\x1a\x98\xed\x31\x77\xdb\x89\x59\x1d\xf6\xed\x04\x8a\x7f\xf6\xaa\xe0\xc5\x9e\x13\x29\x3e\x17\x36\xd2\x9c\xdf\x16\xa7\xf5\x15\x7e\x42\x80\x75\xad\x8d\xda\x10\x90\x98\x84\x79\xa1\xfc\x12\x08\xbe\x84\x93\x05\x70\x8a\xe7\x6e\x3b\x41\xb1\x03\x1a\xa7\x93\xa7\x6b\x89\xc8\xf2\x56\xd4\x21\x84\x09\xf0\xdd\x4b\xd9\x3a\x7f\xf2\x74\x94\x74\x2f\xc8\xdd\x4b\xaa\xdc\x51\xb2\x5c\x5b\xf7\xf6\xb4\xd3\x24\x92\x5d\xba\xee\x8d\x45\xed\x70\xd9\x35\x08\xfd\xf4\x5e\xf6\x3c\xb0\x11\xa6\xb1\x7f\x21\x58\x81\x83\x11\xd4\x56\x5e\x01\x43\x90\xb1\xf9\xc9\x6d\x62\xa9\x31\x70\x3c\xc9\x04\x96\x6b\xa8\x10\xac\xf2\x54\xb6\xd4\x98\x9a\x3b\x39\x7d\xe2\xcc\x49\x39\x52\xad\x74\x6d\xb2\x48\x27\xbb\xb9\x98\x8c\x8a\x92\xcf\xd4\xc4\x94\xbf\xc3\x0b\x5e\xef\x5d\x5e\xd4\x38\xef\x0b\x4a\xbf\x72\xb5\xb6\xfc\x60\xdf\x71\xe2\xd1\xbf\xe6\x6d\x01\x0d\x56\x07\x9e\x53\x28\xfa\x2f\x58\xa1\xe8\x51\xee\x58\xde\x4a\xb9\xc3\x14\x9a\xde\x4c\x33\x39\x29\xce\xe7\x52\x63\x9c\x69\x9a\x4c\x44\x15\x9a\x0c\xf9\x4b\x19\x41\xbd\xe8\x81\x4b\xa2\xf8\x4a\x75\x01\x7b\xbe\x47\x69\x96\xf7\x04\x6d\x33\x61\xc0\x9e\xd1\x37\x61\xc2\x46\x3b\x4a\x1e\x8c\x29\xf3\xbe\x8a\x4e\xa4\x78\x67\x25\x58\xaf\x94\x13\x29\xdc\x70\x74\x58\x68\xf2\xd8\xbd\x16\xe2\x21\x84\x92\x2c\x16\xa2\xce\x31\x7e\xb2\x94\xdc\x5b\xce\xb7\x88\xf2\x6d\xa4\x5c\x60\xa3\x8e\x5d\xa9\xc4\x8b\xed\x66\xc9\x91\x7f\x5c\xf5\xe6\xb5\xd9\x52\xc3\x8d\xdf\x45\x19\xe0\x47\xc1\xd3\xcd\xd0\xc1\x25\x1a\xbb\x2b\x3f\x52\xef\xf6\xd8\x6e\x9a\x92\xfe\x4f\x7b\xc1\x2b\xbd\x3b\xf0\x87\x3a\x41\x23\xeb\x71\x0a\x59\x64\x70\xdd\x99\xe2\xd6\x5c\x9a\x12\x45\x7d\xaa\x2e\x3a\xad\x29\x3d\xc3\xaf\x7c\x6d\x7f\x4a\xea\x33\x24\x31\xfd\x7b\xbd\x40\x4c\x5b\x27\x5e\x39\xab\x8e\x8b\x4e\x8b\xab\x27\xae\x5c\x0d\x86\xa6\x61\x7f\x73\x84\x3d\xc6\x12\x24\x62\x15\xf4\x4a\x13\xc1\x2f\x92\x62\x5e\x64\x91\xc8\xfd\x4f\x8d\x04\x77\x5b\xbf\x35\x5b\x8e\x9d\x53\x08\x82\x04\xee\xa6\xc0\x2e\x0e\xe0\xdb\x14\xab\xa5\x4f\xd6\x6b\x61\x3e\x15\xc9\x23\x6f\xa7\x23\x12\xc2\x8d\x2e\xa2\xa4\x9b\x76\xf3\x18\xf9\xe9\xf2\x54\x2e\xaa\xa8\x2d\x6a\xeb\xde\x18\x20\xad\xaf\x7b\x8f\x94\x1b\xd9\x39\x52\x16\x16\xa2\x92\x1f\xee\xe7\x2a\x2c\x61\xf8\xa8\x2f\x94\x2f\x6a\xb6\x3e\xd8\x34\x45\xfc\x58\x90\x83\xaf\x4c\x4e\x54\x6d\x20\xf6\x36\x96\x97\x96\x08\xb3\x62\x09\xd8\xbb\x65\x6d\x1c\x2b\xc2\x2f\x78\xac\xaf\x4e\xfe\x9b\x3c\x76\xf3\x25\xa8\xa8\x67\xa2\x7a\x96\x42\x3a\xf1\xd3\xcb\x45\x6a\xd3\xb9\xfc\x1b\x6c\x06\x50\x33\x18\x09\xa3\xe7\x53\xf5\xd7\x42\xd9\x12\x91\x28\x17\x8f\xdb\x88\x1a\xfb\xde\x1e\x47\xdb\xd0\xf9\x1a\xb5\xd9\xb4\x71\x22\xca\xb3\x2e\x38\x08\x6f\xeb\x36\x96\x05\x04\x21\xfa\xbf\xb1\x27\xb8\x6d\xc8\x3d\x3c\xc4\xd8\x04\x8a\xa0\x57\x0c\x78\xda\x3d\x52\xfe\xed\x6e\xf6\xeb\x15\x76\x55\x3b\x4a\xa6\x95\xed\xd6\xff\x60\x65\xab\x9a\x7d\xb7\x88\xe2\x5a\x94\x14\x79\x91\xd5\x66\x92\xe2\x5c\x86\x36\x9b\xe0\x3b\xde\xb4\x9b\xd0\xa1\x28\x17\xa2\xa6\x61\x38\x08\xec\x8f\x06\xe8\x4f\x40\x7b\x21\x8a\xde\x40\x19\x0f\x03\x65\x02\xd0\x3e\x34\x65\x65\x0e\x9b\x05\xc5\x9e\xa8\x8f\xd1\x04\x47\xe6\x38\x3c\x57\x87\x4b\xb9\x8d\x8d\x40\xc1\xea\x44\x0d\x31\x9f\x72\xcb\xad\x07\xdb\x06\xe0\x1c\x66\xb0\x5e\xc0\xe3\x21\x97\x74\x52\x00\x0a\x8a\x4a\x36\x91\xd5\xa3\x08\x2c\x08\x6a\x38\x78\xe0\xc0\x63\x82\x1a\xfb\x80\xed\x21\x7b\xe7\x95\xf0\x90\x7d\xc8\x83\xdf\xfc\xee\xae\xc8\x7a\xb0\xed\x13\xc5\x6b\x2b\xcd\x85\x55\x9f\x30\x13\x1a\x82\x8c\x76\xad\x86\x1e\x77\xbe\x84\x03\xcf\xa7\x79\xd2\x8d\x2d\x8f\x19\x74\x2b\x46\xc9\x25\x08\x1f\x0e\xa1\x23\xb2\x63\x15\x68\xc5\xfe\xe7\x3c\x77\xa2\xf4\x02\xfe\x42\xe4\x7f\x45\x37\x4b\x5d\x6d\x52\xcd\x2e\x7a\x13\xec\xd1\x8e\x66\x0e\x64\x4c\x93\x10\x1e\x20\x96\x7b\x3e\xf3\xf7\x64\xa2\x13\x87\x75\xc1\xd8\xb7\x2a\xec\x9a\x76\x78\xe1\x7c\xa2\x47\xd6\xff\x93\xcb\x9e\x83\x6f\xac\x6c\x38\x07\x81\x88\x2e\x70\xbf\xba\xf1\x24\x84\x10\xa0\x64\x1b\x93\x6f\xa3\x89\x77\xca\xf6\x25\xa7\x89\xb8\x84\x59\x77\xc0\xce\xb6\x6a\x77\x89\x1d\x03\xd0\xe1\xf3\x68\x55\x68\x85\x19\xa2\x5e\xdc\xc5\x56\x63\xdf\xd8\xc5\xe6\xaf\x50\x7c\x88\x83\x43\xf5\xaa\x87\x0c\x87\xea\x9d\x63\xec\xcf\x35\x0e\xd5\x97\x3c\x26\x1e\x94\xe0\x97\xef\x1b\x08\xaa\x0f\x1b\x08\xaa\xf7\x8e\x3c\x48\x91\x3e\x3b\xe8\x53\x0f\x0e\xfa\xd4\x9b\xc7\x34\x5f\x01\x44\xed\x29\x48\xcc\xd4\x1d\x9a\x72\xf8\xd4\xf4\xec\x0c\x85\x41\x19\x18\x99\xdf\x19\x0d\xce\x0e\xb8\x3e\x14\x3b\x06\x82\x0e\xe9\x69\x04\x8c\x01\x3a\xc0\x7a\x37\x0e\x33\xc4\x8c\xd9\x10\x32\xe6\x7f\x8e\xb0\x57\x0e\x06\x69\x79\xce\xa5\x83\xb4\x3c\xe1\xf4\xe5\x02\xb4\xfc\x98\x01\x68\x39\x13\x3c\xe1\x76\x37\x69\x7a\x53\x78\x96\x8d\x70\x55\x9e\xa9\xf1\x59\x16\x82\x27\x9e\x07\x53\x3d\xc8\xe7\xc9\xb5\x34\x6b\x54\x8d\x09\xf6\x52\x71\x5b\x9e\xaa\x57\xf1\x6c\x70\xdc\xc5\x14\xcb\x07\xc3\xf1\x80\x35\x58\xaa\x3d\x9b\xc2\xf1\xdc\x40\x70\x3c\x53\x41\xb0\x40\x67\x59\xd0\x55\xad\x23\xf2\x60\x1c\x9e\xff\x67\x2f\x7b\xb4\xa5\x88\x2e\xc9\x9d\x1a\xa4\x43\x96\x26\x4f\x4a\x97\xfc\x0f\xef\x0d\x8e\xd1\xdf\x96\xbd\x5b\x15\x68\xf9\xe7\x31\x54\x07\x09\x93\xea\x59\x9a\xf0\x67\xa7\x4b\xae\xd4\x7e\x03\xdb\xb1\xc0\xef\x58\xe0\x5d\x0b\xfc\x77\x95\x05\xfe\x2f\x3d\x36\x39\xd4\xaa\x56\x9e\x95\x60\x85\xff\xa8\xb7\x61\x5e\x96\x6b\x91\x57\x33\xd2\x8e\x17\x2a\x0c\x69\xd2\x83\x3f\xa8\x65\xc3\xfd\x6f\x19\xc3\xfd\x27\x3d\x36\xb5\xf5\xa6\xe3\xe6\xfc\x32\xef\xb8\x8a\x53\xd4\xa2\xc3\xb4\xf2\x21\x6f\xcd\x8e\x6b\xf2\xf2\x5c\x93\x17\xbd\xb9\xcd\x9d\x19\x53\xfe\xa4\x76\x66\xc0\xb4\x30\xf0\xb3\x38\x37\xca\x2e\x8d\xfb\x77\x39\x69\xd3\x16\x80\x15\x44\xec\x64\x72\x2e\x89\x05\x88\x82\x00\xe0\xbf\xef\x8e\x05\xb7\x0c\xbb\x49\x2c\x79\xe6\xb7\x85\x51\xa7\x42\x80\xb2\xda\xba\xb7\x47\x5c\x88\x8a\xe3\x69\xc3\xb5\x0a\xbd\x69\x8c\xdd\xeb\xb1\x71\xc8\x30\x10\x8d\xe9\xc2\x2f\x2e\x5d\x85\xb8\x09\x8c\x31\xa1\x8a\x5d\x92\x07\x27\x08\xf6\x13\x17\x44\xbd\x6b\x4b\x02\x5d\x2d\x4e\xdf\x65\x73\x6c\xaf\xbe\x38\x73\xc2\x3f\x1e\x1c\xd5\xcd\xdd\x97\xf3\x99\x13\xdc\x4a\x03\x0b\x0b\xbe\xaf\x91\xd6\x57\x44\x76\x6c\x6a\xea\x66\xfd\xda\xb3\xa2\xc6\x2d\xfb\x6c\xb1\xfc\x64\xa6\x9b\xec\xdf\xa1\x0c\x5e\x47\x4f\x5e\x88\xf4\xd2\xd4\x3b\x10\x2a\x07\xd4\x85\x83\x2a\xea\x98\xb5\x0a\xc6\x64\xf7\xe4\x2d\xe8\xb0\xe6\xa5\x77\xd8\x63\xdd\x0e\x73\xbb\xc6\xa9\x93\x68\xb0\x73\x46\xbd\x3a\x11\xdc\x70\x86\xf4\x29\xa9\xb2\x66\x5a\x68\x6e\xa1\x1d\xa6\x7f\x66\xb5\x56\x75\x2a\xb8\x69\xff\x52\x16\x89\xe6\x84\xd6\xa0\xb6\xd1\x33\x4e\x89\x79\xb4\x0c\x48\x6f\xaa\xbf\x0f\xce\xc3\x85\x4b\xed\xea\x57\xfc\x08\xfb\xa1\x01\x0b\x65\x36\x6d\x10\x20\xec\x5f\x5f\x1b\x7c\xd0\xd3\x3f\x6d\x45\x68\x30\xcb\x87\x2d\x94\xe1\xcc\x4f\x2f\x4a\xd1\x53\x64\x61\x84\x48\xd7\x48\x6b\x69\xaf\x24\xf4\x2f\x54\x39\xf0\x1a\x47\x70\xa8\x8f\x8c\x1b\xd6\xc4\xea\x5b\xac\xb4\xa8\xac\x40\xbb\xea\x85\x6e\x63\x96\x02\x37\x63\x52\x42\xa6\x7a\x47\xc0\x96\xd9\x2e\x59\xc2\xcc\xac\xff\x8c\x60\xd6\x30\x5b\xaa\x0e\x02\x87\x87\x43\xba\x0a\xb1\xf1\x80\xf3\x19\x2d\x27\x52\x19\x3a\x09\xd6\xa1\x08\x61\x90\x7a\xa2\x30\xbc\x7c\x2e\x24\x8d\x5a\xf0\x70\x66\xf8\x9c\x77\xe9\x13\xf8\x95\xde\xdc\xa9\xe3\xfc\xf0\xe1\xc3\x37\x71\x00\x7e\x85\x20\x9f\xbe\x39\x4d\x2a\x21\x60\x92\xd6\xa5\x86\x1c\x8b\xc6\xb2\x9b\x77\x1d\x8b\xc2\x18\x4e\xc8\x32\x6b\xdd\xe3\x9d\x2e\xd0\xa4\xb8\x2b\x04\xbc\x26\xfb\xf3\x09\xad\xef\xcb\x01\x65\x17\xd8\x58\x27\x6d\xcc\xcc\xfa\x69\xb0\x64\xf5\x62\x18\xc7\x29\x66\x13\x1a\xd2\xd3\x1a\x9f\x4b\xbb\x05\xda\x8d\x94\x01\xd4\x32\x9c\x51\x7e\xdc\x80\x7e\xd5\x85\x39\xfd\xfa\xc6\x0a\x24\x02\xa3\x2e\x9f\xfb\x2f\xab\x04\x17\xb4\x2e\x40\x87\x3d\x3d\xa3\xe0\xeb\xdb\x74\x2d\xad\xa5\xd9\x4a\x9c\x86\x8d\x1c\x01\x77\x3a\x69\x63\x32\x8e\x9a\xa2\xde\xab\xc7\xe2\x5a\xf9\xcb\x7c\xdc\x76\x67\x1c\x64\x53\x1b\x68\x70\xd6\x92\xd2\x07\xd7\x8b\xde\x3e\xf6\x43\x03\xec\x84\xc0\xcb\x38\xb9\x22\x7a\xfe\x6e\x7f\x4c\x2a\xc3\x4c\x3e\xb9\xa1\x45\x71\x8f\xbf\x0b\xde\x62\xec\x3d\x15\xf6\xa8\xba\xbd\x87\x75\x73\x91\xfb\xaf\xab\x04\xbf\xe3\x2d\xa8\x88\xd0\x56\x98\xc3\xe9\x52\x24\x45\xd6\xe3\x1d\x0c\x35\x56\xa3\x8d\x83\xd2\x0e\x93\xa8\x09\x39\xf2\x10\xc9\x85\x4f\x46\xb9\xca\x0e\xa1\xc4\xb6\xb4\x5b\x74\xba\x10\xfd\xbc\x88\x5b\x05\x8f\xc0\xa7\x57\x2c\x5e\xf9\x5e\xa7\xf0\x3c\xac\xe6\xa4\x3a\xaf\x6f\x15\x0a\x7f\xe0\xde\xdf\xcd\xd9\x4f\x56\xd8\x0f\x8a\x4e\x4b\xb4\x45\x16\xc6\xc7\xfb\xfa\xed\x1b\x5e\x70\xbf\x42\x13\x90\xd3\x1f\x68\xb5\xd4\xe3\xa6\xd7\x28\x4a\x1d\x63\x9d\xbb\x89\xf6\xe5\xc0\xf4\x73\xf3\x6d\x21\x97\x6d\x12\xc8\x50\x14\x47\x30\x44\xe0\x77\xec\x00\x93\x9c\xb4\x3d\x28\x15\xad\x46\xd0\xdf\x27\xfb\x6a\x9a\x2b\xd2\xe6\xda\xe5\xf7\xc5\x3f\x54\xd8\x0f\xc8\xe7\xfb\xbb\xe1\xcf\x2a\xc1\x5b\x2a\x1b\x4c\x1f\xf9\xd6\x46\x73\x48\xbe\xda\x36\xc1\x36\x3c\xef\x42\x7e\x6f\xb3\x1b\x97\x5f\x35\xd1\x82\xc0\x85\xcb\x1f\x0f\x29\xc6\x98\xbd\xd5\x76\xc2\x75\x48\xa7\x19\xf8\xae\x16\xbb\x3c\x17\xdb\x47\x60\x7d\x98\xa6\xe2\x8a\xd1\x3c\x16\x83\xf9\xed\x23\xef\xae\xb5\x7a\xf6\x7e\xa5\xe6\xe0\x60\xb3\xc7\xe7\x46\xd9\xa3\x92\x94\x94\x9e\xb3\x8a\x61\xf8\x43\xa3\xc1\x03\xa3\x7d\x97\x89\x06\x06\xe7\xe9\x1a\x86\x7e\xe3\xe4\x96\xca\xa7\x68\x77\x8a\x9c\x8c\x82\xe0\x42\x50\xf9\x1d\xc0\x45\xb7\xd4\x2d\x78\x64\x93\xf9\x1b\x0e\xdb\x2c\x5a\x6e\x15\x3c\x5c\x0b\x7b\x3c\xcc\x55\x49\x52\x8d\x00\x9b\x3f\x64\x84\x40\xd6\x00\x47\x10\x89\xe5\x2c\xac\x0b\x39\x63\x6c\xad\xa6\x23\xb2\x08\x98\xec\xad\x45\xd6\x48\x05\x86\xb4\x2f\x77\xc3\x2c\x4c\x0a\x61\x85\x3c\xc8\x3a\xeb\x1c\x43\x5d\x93\x94\x5a\x84\xa1\x5e\x44\x30\x0c\xc4\x36\x00\x01\x0b\x38\x78\x29\x07\x87\x8d\x2e\x45\xc4\xb9\xc0\x4c\xdb\xa8\x49\xad\x47\xb6\xd8\x25\x51\x4f\xdb\xb6\xa3\x2e\x4f\x53\x79\x34\x28\x95\x0b\x2c\xd3\xa6\xf0\x65\x6a\xa8\x95\xe3\x63\xd7\x0a\x09\x7f\x5b\xd1\x32\xf4\x72\x16\xa5\x59\x54\xf4\x1c\x34\x2a\x05\x1b\x87\x9e\x19\xd3\x9b\x35\x3e\x8d\x09\xa6\x79\x37\x06\x26\x1f\xdd\x4f\x94\x17\xd3\x88\x9a\x88\x54\x8c\x26\x5d\xa9\xe4\x75\x44\xbd\xa6\x58\xa7\xd5\x80\xeb\x79\x35\x58\xd9\xf9\xb5\x71\x36\xd6\x69\x85\xb9\xf0\x3f\x36\x1e\xbc\x77\x5c\x2e\x78\xf8\xa9\x5d\xb1\x64\xe7\x8a\xd0\xeb\x23\x5b\x42\x42\x30\xef\xb6\xc1\xd0\x9d\x36\x09\x0f\xbe\x40\x74\x44\x9a\xc3\x51\x91\x73\xbd\xfa\x08\x17\x43\xef\xbf\x1c\x16\x5c\x95\x3a\x0e\x29\x06\xe5\x01\x97\x96\x0a\xe6\xf7\xeb\xa4\x66\x58\x3a\xab\x51\xa3\x6b\x8b\x6e\xed\x8a\x91\x25\x99\x58\x02\xcc\x30\x82\xf5\x65\xa9\xb5\xc8\x91\x4c\x80\xf5\xb2\x2e\x94\x00\xd1\x94\xa3\xa7\xb3\x78\xb0\xe1\x78\x9a\x3e\xc6\xd8\x2c\x52\x37\x1e\x83\xba\xcb\x4e\x6c\x41\xde\xb5\x48\x2c\x92\xf1\x21\xd0\x38\xb8\x7e\x20\x39\x8b\x32\x7e\xfa\x8e\x76\xa0\x9d\xe5\x50\x26\xae\x30\x91\x68\x80\x44\x52\xf5\x30\xa9\x25\x47\x95\xd1\x49\xb9\x34\x4b\xc0\xe6\x9b\x07\xb9\xd9\x91\x33\xa2\x91\xae\x25\x52\x12\x42\x14\x0b\x7e\x08\xfc\xb0\x98\xfb\x54\x48\x41\xa9\x12\xee\x01\xb1\x9e\x17\xe1\x8a\xe0\x21\x3a\x52\x6b\x7c\x0e\xf9\x98\x07\xb4\x7c\x29\xed\x26\x16\x8b\x35\x71\x56\xc6\x71\x5f\xfb\x28\x21\xc1\x6d\xd6\xb4\xd2\x22\xc1\x79\x68\xba\x22\x27\x3f\x39\xf1\x40\x03\x29\x65\xa4\xf3\x7d\x28\x51\x15\x52\x82\xe4\xfe\x40\xc9\x2e\x99\x50\xbf\x6a\x7c\x5e\xee\x4b\xa2\x21\x1a\xc7\xf8\x74\xec\xec\xef\x91\x59\x03\x50\x21\xcb\x10\x10\x25\x6a\x3f\x73\xa8\xc2\x0a\x8c\xb7\xa7\x6d\xaa\xc6\x4f\x85\x51\xbc\xad\x82\xa9\x53\x06\xb7\x55\xf6\xa4\x5b\x87\x66\x18\xc5\x52\x0f\x50\x4b\x84\x1e\xa4\x84\x1f\x79\x44\x57\xc0\xfe\x49\x9a\x4c\xde\x23\xb2\x54\x9f\xd2\x32\x38\x34\x58\xc5\x95\x62\x5c\xc9\xe0\x7e\x0c\x3c\xb7\x10\x12\x43\x8b\xcd\xf1\xb7\xe8\x13\x99\xce\x91\x59\x12\x04\x2b\x0b\xf9\xd7\xbd\x0e\xa2\x2f\xf0\x46\x97\xf0\x46\x29\xf7\x2b\x4a\x38\x19\x95\x68\x5f\xd3\xf4\x03\x18\x7d\xd6\x34\xa7\x0e\x76\xa5\xb7\x72\x58\xab\xb6\x20\x7b\xd1\x08\xdb\x05\x07\x9b\xdc\xff\x87\x4a\xf0\x2d\x0f\xff\xa6\x44\x7d\x59\x0f\x73\xd8\x11\xc3\x8e\x3b\x33\x4d\x27\x45\x23\x2f\xa7\xa1\x1f\x28\x94\x46\xdd\x76\xb1\x7a\xe0\x63\x2a\x93\x09\x68\xe1\x49\x48\x9b\xef\x28\xf7\xfd\x41\x72\x16\x40\x04\x07\x60\x52\x35\xf9\xcc\xec\xea\x11\x98\x34\x33\xb3\xab\x47\x69\xf5\xab\x14\x30\x61\x0e\x57\x1c\x1a\xa4\x97\x95\x29\xbb\x07\x11\x32\x46\x8f\xb9\x8e\xed\x67\x3f\xba\x95\x23\xcd\xcc\xec\x45\xef\x31\x9b\x9c\x65\xc6\xfc\x91\xa8\xb3\x9d\x93\xcc\x7d\x15\xb6\xe7\xee\x34\x07\x66\x75\xff\xbb\x5e\xf0\xff\xc2\x01\xe6\xce\x6e\x18\xcb\xbd\x2f\x6d\x2a\x9c\x04\xbe\xff\xce\x73\xf3\x13\xbc\x2e\x9f\x33\xd6\x70\x75\x5c\xb7\x06\x86\x2f\x85\x39\xee\xf6\xda\x97\x42\xe8\xd9\x6d\x30\x65\xcc\x0b\xd8\x78\xee\x3c\x37\x8f\x7c\xf1\xe0\x3c\x02\xad\x5f\xef\xe5\x77\x9e\x9b\xc7\x0f\x89\xfc\x52\xcd\xa4\xb2\x5a\x93\x9d\x2c\xed\xa4\x79\x18\xe7\x53\x52\xfc\x4d\x69\x00\x9b\xbb\xd3\xbc\xd6\x76\x22\x19\x57\xb5\xf9\x28\x0e\x9e\x35\xcd\xc1\x7e\x64\xb9\xe2\x2e\x55\x2b\x84\x55\x5b\xe3\xa2\xb6\x5c\xe3\xfb\x4e\x62\x74\x86\x63\xd6\xfb\xec\x38\x7b\xfa\x95\x64\x77\xb2\x30\xc3\xd0\xa4\xf4\xcd\x3d\xc1\xdc\xc6\x8f\x94\x99\x59\x6d\x41\x33\xec\x4d\xc7\xda\xf3\xe2\x3d\xec\x7b\x1e\xbb\x5a\x6d\xb3\x00\xa4\xe3\x7f\xdd\x63\xd1\x83\x47\x62\x55\x86\xac\xba\xc7\xf9\xb8\x26\x07\x46\x60\x1d\x4d\x5e\x84\x86\xb0\xb8\x47\xdb\xb2\x4a\x55\xc6\x98\x02\x0b\x35\x67\xa1\x25\x7a\x43\xf4\x36\x53\xaa\xdc\x8f\xa4\x06\xc7\xde\xe5\x1a\x4a\xde\x58\x09\xce\x5a\xaa\x93\xea\x5c\xea\x57\x39\xcf\x2d\xf7\x78\x08\xc7\x78\xb2\xe0\x0d\xef\x6c\x23\x2b\xee\x66\x29\x6b\x3f\x14\xfd\x6a\x99\x4f\x38\xfb\x37\x8e\x28\x91\xb2\x6e\x12\xdc\xc0\xbb\xfc\xd1\x76\x88\xd2\xe6\x07\xfb\x1f\x69\x87\x1d\x29\x92\x72\x7f\xdc\xdf\x3d\x09\xcb\x9c\xb1\x3f\x1e\x61\xd7\xe4\x45\x9a\x89\xc6\x5d\x0a\x53\xe9\x33\x23\xc1\x7b\x46\xdc\x6b\x2a\xc7\x3e\x8e\x1d\x30\xa5\x52\xb0\x0e\x45\x97\x4a\xed\x50\x40\xd8\x1a\x25\x50\x48\x8d\x2c\x0b\xeb\x2b\x64\x47\xce\x85\x05\x96\x84\x50\xdf\x21\x6f\x47\x04\xd1\x8d\xf1\xc2\x10\x84\x0a\x55\x30\xcf\x52\x82\x1c\xee\xf4\x7a\x8f\x69\x93\x89\x2d\x4f\x9d\x52\x6c\x22\x9a\x30\xe1\x68\x51\x77\x9e\x30\xc1\x05\x3a\x93\x74\x3f\xf0\x40\x01\x84\x77\xca\xd3\xb8\xe1\xe0\xb9\x42\xfa\xae\x9c\x64\x18\x82\x6d\x83\x06\x61\x7a\xa1\x3a\xc7\xe8\xad\x5b\xd7\x9c\xcc\xd3\xb4\x2d\x69\x9c\xa9\xdc\x4e\x86\x57\x29\x8a\xf0\xac\x8b\x2b\xb6\x48\x11\x7a\x85\x5c\x06\x08\x12\x6e\x27\x6a\x6f\x44\xf2\xf4\xfe\x23\xec\xf0\x56\x60\x7b\xce\x74\x0b\x9b\x5c\xde\xff\x87\xc3\xc1\x33\x4b\xd7\xac\x78\x13\xc0\xd1\xa0\x92\x14\x76\x8c\x3e\x6d\x58\xb8\x7d\x49\xc3\x40\x46\xe6\xf2\x3c\x1c\x76\x3a\x31\x24\xf4\xa6\x35\x4d\x5c\x72\x15\xfa\xe4\x91\x05\x62\xdd\xdb\x9b\x47\x0d\x71\xb2\xd9\x94\xfd\xbe\xee\xfd\x5b\xfd\x1d\xa4\xd8\xba\x6b\x10\x4a\xe2\xe7\x0f\xb1\x37\x55\xd8\x35\x52\x81\x4f\xbb\xc5\x3c\x40\xb1\xe4\xfe\x4f\x56\x94\x97\xe0\xdb\xde\x82\x73\xab\x84\x6f\x4f\xef\x19\xd2\x49\x8d\x86\x33\xad\xc3\xfd\xd4\x33\x90\xe9\x8b\x99\xed\xba\xe1\x52\xbb\x33\x80\x01\x10\x40\x04\x50\x05\x05\x21\x1f\x9a\xfb\x52\x57\x35\xbb\x31\x78\x9c\x50\x7b\x25\x54\x64\x9c\xda\xea\x5b\xab\x4e\x12\xf2\x92\x28\xd6\xa4\xda\x72\x10\xba\xf5\xf0\x01\x8e\x90\x33\xb9\x83\xd9\x73\xd0\x5c\x76\x1c\x1d\xaf\x1b\x65\xc3\x7a\xd2\xbf\x38\x12\xfc\xc9\xc8\xf4\xe0\x9b\x0a\xb6\x48\x21\x8a\x11\xb4\x55\x07\x70\x9b\xe4\x95\xc5\xd2\x8b\x8b\x66\xd2\xcb\xe6\xa9\xa9\x23\x2e\x74\x08\x89\x43\x53\x93\x61\x8f\x48\x65\x50\xb1\x31\x00\x98\x82\x5a\x8a\xfd\x60\x05\x51\xa1\xd2\x34\xf2\x1a\x92\x0d\x24\xa2\x6f\xa5\x95\x60\x08\x95\x22\xe8\xe4\x77\x98\x3a\x54\x15\xa9\x1c\x22\x85\xa9\x11\xd2\x13\x41\x79\xa1\x81\xe8\x4d\x4b\x33\x33\xf0\x2e\xbb\x8d\x9e\x54\x2a\xea\xd4\x48\xb9\xc4\x32\xcf\xd0\xb9\x14\x6c\xaa\xfa\x09\x44\x40\xb0\xe8\xf0\xe7\xa9\x82\x72\xf2\x68\xe7\xb6\xfa\xb0\xa9\xaa\x2c\x79\xc9\x81\xed\x1f\x30\xab\x36\x90\x0f\xef\xf1\xd8\xd5\xf4\x34\x12\xa5\xfa\xeb\x5e\xf0\x32\xef\x94\x7d\x49\xbb\xf1\x5b\xe9\x9a\xeb\x39\x87\x73\x8c\xe5\xe8\x34\x42\x41\x07\xdd\x48\xc9\xd9\x0a\x93\x86\x3c\x6c\x4f\x9a\x9e\x31\xa8\x7f\x33\x18\x71\x97\x66\x70\x52\x74\x53\xbb\xe0\x8a\x5d\xdd\x3f\x1f\x63\xd7\xe0\xa0\x68\xa6\xab\x2f\x8e\x5d\x81\x98\xeb\x57\x8e\x9d\x73\x4a\x25\x0b\x95\x85\x75\x98\x82\x81\xdb\x1e\x04\xbd\x8e\x23\x3b\xf2\x0f\x71\x5a\xa4\x6e\x0f\xd0\x34\xf2\x2b\x79\x8d\xbb\x75\x86\x73\x89\xec\x02\x3c\xd9\x10\xa9\x9f\x66\x6e\x4c\xe3\x06\xd6\x06\x46\x37\x11\x6b\xe7\x2c\x60\x83\x35\x85\xb6\x95\x13\x8c\xb9\x55\xa5\xaa\xb2\xac\x43\x3a\x3f\x2e\xd9\x22\xa5\x73\x56\xd4\x54\x67\x62\x85\xcd\x2c\x2f\x6b\x70\x05\xac\x99\x8e\x17\xa7\x67\xf6\x9b\xba\xe8\x8c\x75\x34\x6e\xa1\x51\x02\x4c\x0d\xa6\x86\xa5\x67\x90\x4a\x60\x02\x70\xf6\x92\x32\x3c\x83\x5c\x0a\x70\x18\xc3\x3e\xe2\xfb\xe3\x08\x6c\x28\x27\x44\x27\x4e\x7b\xf2\x64\x32\x97\xc6\x31\xe0\x28\xc8\xf7\xe5\x09\x65\x36\x4b\x2f\xf4\x14\x8d\x00\x16\x37\xa1\x71\x3c\xfa\x9b\x5c\xe3\xe7\x73\x61\x0f\x8d\x8e\x69\x07\x8b\x2e\x0d\x9b\x1a\x4e\x00\xcf\x29\x26\xa3\xa4\xaa\x71\x40\x44\x02\x50\x1a\x14\x5b\x96\xaf\x44\x9d\xd2\x2c\xd7\x53\xc1\xa4\x2a\xa2\x13\x1a\x47\xdd\x12\xcc\x10\x88\x06\x47\x51\x67\xe2\x29\x2b\x92\x1a\x0b\xa9\x36\x61\xb8\x69\x8d\xfd\xf9\xa8\x22\x4c\xfe\xd2\x68\xf0\xa2\x51\x24\x46\x36\x7b\xf0\x1a\x20\xb2\x9a\xdd\x55\x56\x07\xc3\x8b\x15\x4a\xa8\x13\x5b\xed\x6e\x58\x99\xa0\x73\x12\xee\x38\x03\x6e\x20\x5a\x1d\x95\x2e\xfb\x2a\x32\x33\xe6\x59\x61\xd2\x7b\x16\x10\x9c\xd7\xf8\xed\xe9\x9a\x00\x41\x15\xd1\x36\x01\x26\x63\x0a\x6a\xbf\x8b\xa4\x6b\xb2\xac\xb7\x09\xda\x11\x50\x26\x2a\x0d\xa3\xff\x2e\x88\x94\x4e\xd7\xf4\xa9\xa2\xd3\x07\x7a\x1b\x54\xdd\xc9\x00\xa7\x4d\xec\x52\x30\xad\xc2\x0c\x80\xb7\xd7\xa2\xa2\x25\x1b\xa2\x40\x60\xe2\x9e\x3c\x52\x84\x4b\xb1\x2a\xb2\x13\x77\x97\xe5\x70\x5f\x7a\x2d\x01\x04\x06\x54\x5d\x29\xa6\x51\x1a\x98\xd9\xa1\x83\x0b\xe5\x7e\x62\x3e\x42\x6f\xbb\xd4\x68\xf6\x77\x06\x3e\xa0\xc0\x95\x6c\x59\x7e\x3b\x3b\xc5\x4e\x0c\x27\xc2\x1c\xa6\xeb\xc9\x81\x7b\x72\x54\xb4\xce\xe9\xc9\xc3\x5e\xb1\x87\xf9\x99\x88\x92\xd5\x14\xcd\x08\xb4\x17\x7c\x6f\x77\xf0\xcd\xdd\xfd\xd7\x07\x62\xc1\x1a\xbd\xc9\x82\x04\xa4\x6e\x69\x77\xe3\x22\xea\xc4\xa8\xda\xe4\xe0\xf6\x08\xb3\xc2\x09\x1d\xb5\xb6\x0e\x94\x8c\x68\xc3\xef\xdf\x2f\x82\xb3\xb2\xc3\x11\x43\x34\x98\x69\x9e\x05\xbb\x65\x50\x63\x0c\xae\x1f\xeb\xdf\x27\x69\x76\xa8\xaa\x68\xfc\xa8\x14\x08\x63\x93\x4d\xaa\xc0\x98\xfa\xc6\x80\xa2\x4d\xb1\x8e\xb9\xd2\xc2\x98\xc3\x70\x05\xd3\xde\xd2\x2e\xa9\xbf\x53\xda\x44\xf0\x3c\x2c\x1f\x2c\x28\x06\xcb\x20\xcb\xf4\xc8\xed\x62\x8a\xc1\x89\x9c\x5b\xd9\x29\x30\x1f\xc2\xd8\x51\x51\x6b\x5c\xcf\x5b\x44\xf9\xd2\x70\xd2\x28\xfa\x64\x49\xd7\x49\x6d\xf3\x3a\x02\xbe\x6a\x77\xd2\x42\x24\x45\x95\xa3\x1f\x36\x35\x96\x64\x3a\x15\xc1\x79\x44\xc5\x61\xc5\x3d\x5d\xdf\x1a\x3f\x9b\x16\xe2\x18\x47\x68\x21\x93\xf6\x67\xf5\x8b\x99\x52\xb9\x92\xe0\xda\x6d\xd5\xb0\x81\x83\x10\xa4\xad\xc6\xaf\x83\x1c\x9e\xc1\x05\x10\x33\x73\x94\xf0\x66\x37\x43\x84\x3d\xe8\x2d\x75\x9f\xe4\x2f\x56\xbb\xaa\x3a\x25\xd7\xf0\x57\x7d\x5f\x96\x85\xaf\xa8\xad\x59\x7e\x7b\xcd\xe9\x39\x8d\x11\x45\xbd\x46\x96\x89\x4c\x28\x3d\x59\xee\x40\x51\x12\xb5\xa3\x7b\xc4\x96\xba\x40\x7e\xa2\x48\x0d\xc3\xb1\xd9\x2d\x71\x48\xe5\x01\xa2\xdd\x2d\x42\x93\xf8\x65\x55\x59\xc9\xb7\x2a\xd4\x2b\xd4\x2a\x2d\x4d\x20\x77\xa7\x92\x9a\x86\x08\x1b\x35\xc6\x6c\x3d\x8b\xd6\x94\xa3\x6a\xfd\xed\x08\xb3\x8f\x62\xfe\x57\x47\x82\x3f\x18\x99\x37\x17\x50\x08\x0f\x91\x00\x52\x09\x02\x4c\x6e\x81\x0f\xd7\xf8\x34\xd8\x83\x60\x26\x99\xc5\x7c\x8c\x9f\x4d\x13\x51\x85\xff\x9e\x4b\x4e\x64\xbd\xb9\x6e\xc2\xf7\xeb\xce\x56\xbe\xbd\xd5\x28\x54\x80\xff\xc6\x87\xa8\xa6\xef\x7c\xda\x06\xed\x91\x8c\xf5\x13\xd6\x34\x07\x7b\xba\x5d\x0d\x7e\xe6\xfc\xfc\x02\x07\x5f\x1c\x82\x2a\xc0\x9e\x91\xd4\xa3\x38\x22\x1d\x9e\xdc\x4f\x79\x84\x9c\x9c\x0a\xec\x4c\x8f\xf0\xb3\x75\x96\x58\xc8\x9b\x5d\xe0\xb2\xcc\x0b\xd1\xd1\x79\x87\xba\xc3\xeb\xad\x30\x32\x90\x66\x4e\x25\x00\x40\x0c\xbc\x51\x89\x99\x72\xdd\xa4\x01\xf3\x7c\x4e\x6d\x1a\xda\x19\xd0\xc0\x6e\x09\x0b\xb4\xa6\x1a\x6c\xba\xb0\x5b\xa4\x93\xba\x4a\x28\x40\x7a\xa4\xed\x85\x96\xa0\xa2\x4e\x50\xe3\xf6\xf8\xc7\xab\xbe\x92\xdd\x26\xbb\xcf\x19\xf7\x37\x78\xcc\x39\x91\xfb\x2f\xf6\xd8\xc9\xed\x6f\x32\x6a\x13\xb3\x4a\x0a\x6e\xb5\x7f\x39\xa7\x0a\x44\xd8\x26\x57\x88\xb0\x1d\x21\xf2\x18\xae\x10\x76\xd9\x9b\x76\xb3\xbd\xd0\x3e\xda\x9f\x5e\xb6\x3b\xf8\xa7\x5d\xd6\x05\xb7\xcc\x96\xe0\x01\x28\x50\x81\xf6\x06\x28\x0b\x23\xa9\xc4\x49\x3d\x6d\xcb\x75\xa2\x76\xea\xc1\x1b\xce\x49\x29\x87\x10\xbe\xfa\xe4\xdd\xdd\x68\x35\x8c\x45\x52\xc8\x1d\x67\x92\xc3\xad\x63\xba\xcf\xd5\x74\x51\xfa\x65\x54\x68\x21\xa6\x74\xa7\xd0\x3a\xa2\x66\xa0\x41\x39\x69\x81\x91\xd4\x9a\x95\x02\x9c\x2b\x18\x33\x2d\xfc\xe5\x4a\x08\x3b\x9d\x7c\x6a\xf5\x60\x55\xfd\x41\xd0\xd1\x72\xaa\x19\x73\xa2\xb9\xbe\xd4\x2d\x74\x37\x60\xbd\x14\xd8\xdf\x62\xd8\x89\x9e\x98\xa5\xdd\x4e\x7e\xec\x69\x81\x2c\x2c\x78\x46\xd5\xc2\xdd\x97\x57\x57\x0f\xca\x6b\x5a\x8b\x3c\xc6\x9f\x16\x58\xd5\x0b\x9e\xb1\x58\xb5\x5a\x8d\x2c\x17\xfa\xd3\x1c\xda\x55\xae\x10\x1d\x60\x54\x54\x44\xff\x21\x06\xfb\x55\xf7\x73\x7f\xe7\x46\x4d\xd5\x1f\xe4\xe0\x47\x97\x86\x81\x5c\x87\xc6\x56\x31\x25\x13\x3a\x8c\xac\x7c\x16\x0b\x85\x05\xe0\xfd\x20\x77\x3f\xa8\x29\xdf\x77\xdd\xbf\x24\x54\x28\x3d\xae\x07\x7a\x11\x13\x33\x07\x8e\x89\xb3\x5d\x58\xcb\xc0\x16\x1d\x5f\x57\x9c\xd0\x7f\xea\x05\x5f\x00\xaf\x95\x83\x77\x52\xde\x8c\x90\x0b\xd1\xd2\x16\x9b\xdd\x38\xee\xf1\xbb\xbb\x61\x4c\x4e\x43\x51\x5b\xae\x55\xd1\x03\x4f\xa6\x0c\xc7\xe9\x59\xa5\xc8\x89\xc0\x7a\x22\x18\x04\x72\xec\x9c\x8f\x9d\x22\x06\x3d\x9d\x66\xcb\x61\xa2\x81\x18\x95\xf0\x71\x84\xe4\x9f\x8c\xb3\x47\xe9\xc4\x67\x6d\x8a\xf8\xf5\xf1\x2b\x60\x8a\x78\xfe\xf8\xd9\x72\xc1\x5b\xb1\x46\xc0\x19\x42\xab\x8f\xca\x34\x61\x53\x35\x18\x04\x73\xb4\x6f\x19\x42\x8f\xc1\x96\x80\x19\x47\x23\x8d\x8a\x5c\xc4\x4d\x8c\x66\xd1\x25\x51\x7c\x9a\xb2\x76\x44\x39\xef\x88\xac\x99\x66\x6d\xfc\x3a\x99\xcf\x74\x76\x91\x3a\x17\x97\x4a\xce\xf5\x0a\x55\x87\x3c\x24\x89\xd0\x13\x1f\x80\x9c\xf1\x9c\x25\x0f\xe1\x79\x69\x6a\x3a\x2b\x78\x58\xd7\xf4\xb4\xd6\x8a\x79\xf4\x0e\x4f\xa9\x94\x46\x61\x9e\xa7\xf5\x28\xd4\xd1\x02\x41\xd6\x4d\x20\x52\x27\x90\xf3\x22\x38\x80\x1b\xc0\xc1\xe0\x71\x1c\x81\x66\x30\x2d\xbe\x70\x3a\x4d\x6a\xfa\x48\x99\x90\x1f\xe3\x41\xdf\x04\x09\x8e\xf1\xe7\x30\xce\x03\xe8\xb0\x93\x17\x3a\x99\x80\xf5\x90\x07\xc7\xf8\xd3\x18\xe7\x1c\xee\xca\xff\x0b\x56\x44\x2f\x38\x66\x55\xa1\xaa\x6e\xe0\x91\x1c\x8a\x0a\xce\xa6\xc5\x4c\x62\x6e\xe1\x96\xa5\xcb\x82\x6b\x07\xf4\x6d\x2e\xeb\x4e\x7f\x3f\x03\xfe\x7d\x2e\x93\x7f\x3d\x57\x1e\x70\x94\x5a\xe8\x40\xe8\x80\xb4\xda\x7e\x5f\x96\xfb\x11\xb6\x61\x91\xac\x46\x59\x9a\x48\xb1\x85\xdd\xd9\xc9\xd2\x06\xf6\x68\x5e\x84\xcb\x51\xb2\x1c\x3c\xee\xa1\xeb\x56\xbb\x36\x03\x7b\x76\xb3\x6e\x85\xda\x5b\x3d\xab\xda\x30\xb8\x7f\x37\x61\x7e\xd9\x22\x03\x3e\x2e\x9e\x29\x83\x4a\xae\x60\x68\x64\x7f\xba\xb0\xe8\xb9\x91\xd7\x97\x68\x7b\xfa\xd0\x5e\xc6\x6d\x2d\xaf\xd3\x81\xd4\xf1\x13\xa1\x68\xa7\xc9\x3c\x41\x93\xbc\x6a\x6f\x70\xd8\xb9\xa2\xb3\x5a\xcb\xf9\x79\x21\x6f\xc0\x73\x10\x96\xba\xee\x69\xc0\x8c\x75\x6f\x4f\x21\xda\x9d\x38\x2c\xdc\xb4\xa1\x5f\x62\xec\x55\x15\xf6\x88\x76\x94\xcc\x89\xb0\xd1\x53\x1e\x9d\x7f\xd2\x24\x07\x18\x13\x01\x67\xac\x6e\xdb\xc6\x3c\x26\x07\x8f\xec\x24\x82\x38\xe6\x89\x58\x8b\x7b\xfa\x2c\xa1\x2b\x0c\x91\x01\x66\xef\xc1\xb0\x5b\x65\x33\x82\x39\xde\x84\x20\x3c\x13\x52\x54\xcf\xc2\xbc\x05\xf1\x55\xb2\xf8\x48\x81\xdd\x5a\x96\x47\x0b\x95\xdb\xde\x2f\x0f\xf0\xfd\x76\x00\xe6\xa0\x17\xe4\x14\xcf\x53\x88\xdf\x20\x70\x62\xa8\x50\x89\x2b\xe1\x97\x3d\xf6\xaf\xe5\x71\x5b\x4e\xef\xdb\xa3\xbc\x48\xb3\xde\xe9\xa8\x1d\x15\xfe\xfd\xba\x67\x5e\x81\xfb\xae\x81\xda\x89\x1b\xbc\x85\x8f\x12\x8c\xb7\x3c\x97\xc8\x2d\x5f\xae\x27\x9e\x91\x8d\xd5\xc6\x95\x00\xc3\x3d\xee\x32\x0d\x64\x66\xea\x46\x79\x4b\x3b\xa0\xc4\x05\x84\xb8\xe2\x10\x4b\x05\x26\x6a\x9b\xff\xc9\x6d\x3a\x30\x96\x58\x2d\xf8\x94\x0d\x97\xf2\xfe\x2b\x01\x97\xf2\xd7\xde\x34\x4d\xff\x32\x60\x8a\x0e\x33\x28\xa3\xa4\x98\xb9\x68\x93\x86\xd9\x06\xcc\x25\x61\x1c\xc8\x8d\x1a\x9f\x29\x06\x44\x2c\x71\x35\x75\xf7\xe5\xda\xe2\xbb\xcd\x30\xad\x2d\xad\xf8\x6b\xe1\xdf\x49\xbd\xb8\xd9\x0b\x46\x98\x5e\x36\xfe\xdf\x55\xb6\x10\x72\x3d\x9b\x36\x16\xe8\x05\x48\xa1\xfd\x74\x65\xda\xb5\xc7\x0f\x61\x7b\x2d\x33\x4f\x83\xb1\xd8\xac\x20\xb8\x8d\xf7\x6c\x63\x0d\xaf\xa7\x9d\x9e\x4e\xef\x94\x85\x81\xa9\x4b\x0e\x8e\xc9\x66\xb2\x75\x0e\xab\x23\x91\x84\x5a\xc9\xfd\xfd\x60\xab\xb7\xdf\xc5\x40\x2e\xf7\x29\x3b\xd0\x6c\xe2\x32\xa2\xde\x4d\xc8\x40\x3e\x95\x09\x39\xc9\x41\x80\x99\xcb\x10\x39\xa7\x2a\xcb\x5e\xed\xb1\x6b\x30\x51\x7c\x5e\x05\x71\x3d\xcf\x63\x37\x0e\x3f\x2a\x97\x85\xe8\x79\xe7\xe5\xe0\xc4\x74\x42\x89\xe7\x5c\x45\x85\xe1\x8a\xc5\x00\x6c\xf0\xfb\x4b\x2d\xcb\x91\x60\x64\x27\x48\xc4\x1a\xfc\xaa\xb1\x2f\x56\xd8\x0f\x0f\x98\x01\x08\x9f\x88\xe0\x94\xfe\x2f\x56\x82\x27\xad\x5a\x17\x6c\xcf\x3e\x6f\x87\x1d\xe0\xb6\x00\xb1\x9d\x85\x6b\x7c\x09\x70\x2d\x1b\xf8\xa4\x66\x98\xb7\x73\x3f\xc9\x91\xcf\xf0\x99\xd9\xb0\x68\x39\xd2\xfc\x57\x3c\x16\x33\xeb\xa6\xff\xcc\xe0\x4e\xf3\xcb\x81\x89\x23\x26\xb7\xbe\x68\x5f\x1d\xc8\xae\xab\x81\x13\x53\x56\x16\x4e\x30\x8e\x76\x3e\x4f\xc7\x90\x3b\x82\x5b\x40\xaf\x6f\x0f\x66\x06\x34\x2e\x5d\x85\xf0\x79\x3c\x0e\xa3\xb6\x15\x9a\x6a\x17\xfa\xc0\x38\xbb\xce\xe6\xe4\xc4\x10\x62\xa0\xa9\x39\x58\x9b\xa5\xd0\x74\x08\xa0\x3b\x1d\xe5\x85\x7f\x71\x4f\x70\xb4\xef\x2a\xca\x57\x17\x6f\x4e\x47\xb5\x53\x7c\x5d\x6d\xdd\x1b\x03\x18\x79\xa7\x0f\x3f\xb9\x7b\x27\xd7\xfa\x72\x61\xa0\x0b\x86\x1d\xeb\xaf\x04\x3f\xa2\xc9\x07\x0a\x8b\x2f\xce\x19\x2f\xe1\xa4\xb6\xdc\xc8\x8e\xb2\x23\xc3\x09\x5a\x87\x4f\x86\x1d\xe8\x8b\xcb\x80\xbe\xf8\x4d\x1b\xfa\xe2\xe3\xdb\x61\xc5\xe9\x67\x9d\x09\x7e\x5c\xe3\x5e\x20\x0f\x89\x22\x9b\x79\x88\x20\x2f\x2e\x7a\xad\xcd\x53\xfd\x4f\xfa\xc7\x27\x9d\x5c\x7e\xae\x39\x72\xcd\x14\x2b\xd1\xe4\xf6\x49\x19\xc6\x3e\x58\x92\x55\x9a\x3f\xb8\x8f\x3a\x18\x64\xd5\x8b\xc6\x83\xe9\x41\x37\x06\x89\xab\x61\x94\xe7\x83\xc5\xd6\xa7\x77\xc4\xd6\x65\x8b\xad\x55\x25\xb6\xda\xc1\x8f\xce\x0c\x12\x5b\xe5\x21\xd9\x8e\xe0\x1a\x3e\x33\x76\x04\xd7\x8e\xe0\xda\xa6\xe0\xda\x1e\x9d\x37\x88\xaa\x12\x72\xc9\xbb\xaf\x62\x77\x3d\x38\xe1\xd3\xfe\x17\xf6\x06\x2f\xac\x0c\x25\x82\xce\x6c\x3c\x77\x17\xaf\xcf\xd8\x08\xc4\x85\x4e\x6a\xc5\x6e\x9a\x38\xc2\x1a\xe7\x33\x05\xa1\x7b\x83\x8b\x71\x49\x94\x20\x45\x6e\xae\x41\x44\xaf\x7c\xe2\x96\x1a\xfd\x40\x7a\x69\x79\x5e\xb6\xa9\x88\x57\x0f\xd6\x0e\x1e\xad\x6a\xfe\x92\x26\xa4\x6a\xb5\xd3\x55\xf0\x18\xcb\xbb\x87\x0e\x61\x60\x93\xdb\x7e\x85\x45\x7c\x70\x38\xd9\xb5\xf2\xfd\xae\x7b\x00\xbd\xe4\x5a\x5c\xf6\xb0\x3b\xac\x29\x7b\xeb\x65\xa2\x4c\xb1\xf7\x2a\x7c\xa7\xb7\x7b\xac\xf5\x50\x84\xc7\xc3\xb9\xf6\xa6\xbc\x9f\x97\xbd\x50\x5c\x6c\x9a\x99\xdd\x8a\x50\xd6\xc4\xec\xec\x23\x06\x97\xe9\xe7\x3d\xf6\xec\x87\xa4\xca\x08\xe9\x34\x3d\x10\x6e\xb1\x8c\x11\xb2\x51\xf2\xc7\xce\x1e\xbb\xc3\x10\xf3\xb0\xed\x75\x17\xbd\xb5\xcd\xb7\x87\x05\x7f\x6e\x52\x61\x56\x0d\x9b\xc4\xce\x56\x00\x2b\xc7\x68\xbf\x83\x64\x1d\x63\x7f\xcc\x6c\xe6\xc9\x9a\x4b\xa8\xa0\x97\xdf\x42\xba\x22\x28\x3a\xdd\x7f\x17\x0b\xde\xe1\x59\x17\x78\x58\x14\x98\xc8\x2f\x25\x81\x79\x5f\xf0\x90\xe8\xfa\x20\x57\x17\xa3\x25\xba\x00\x58\x8f\xa1\x4d\x76\x19\x7a\x90\x28\x4a\x04\x48\x9d\xb4\xb5\x51\x79\x4e\xb0\x38\xeb\x1b\x69\x46\x81\x5b\x6a\xab\x40\x9c\x50\x2d\x55\x06\x89\xe9\x7f\xd8\xd1\xa7\x77\xd6\xfa\xc3\xa8\xd7\x5e\x51\x1d\xe1\x3e\xa5\x23\x3c\x87\xdd\x3a\xdc\x6a\xba\xe9\xa2\x86\x9d\xff\x46\xf0\x3f\x61\xb6\xf2\x60\x68\x2e\x15\x26\x81\xa1\x95\x3a\xfc\x9e\x3d\x60\x36\xfe\xb7\x78\x6c\xfa\x72\x2a\x82\xfb\xf9\x53\x0c\xc4\x6b\x33\x82\xe0\xd0\x28\xd1\x99\xe5\x98\xfa\xe2\x32\xbd\xda\x4e\x7a\xcd\xae\x89\x91\x27\xb6\x48\x6a\xd4\x2e\x7a\x2b\x9b\x8b\xda\xdb\xfd\x53\x5a\x13\x2f\xd5\xb9\xa4\x90\x5b\x55\x1f\x24\x7c\xd9\x5f\x3c\xd2\x81\x11\x1c\xc4\xcc\x4d\xfc\xdb\xd8\x7d\x1f\x7b\x64\x70\x8b\x7d\xa1\xe4\x55\x88\xc3\xbc\x00\xc4\x5e\x07\xf8\x0c\x43\x6f\x91\x73\xb8\x46\xb8\xc4\x8e\xc8\xfb\xda\x23\xd8\x77\x2a\x6c\x8f\x14\xff\x52\xba\xf8\x5f\xaf\x6c\x3c\x48\x7d\x75\x3c\x49\x6f\xda\x55\x0b\xde\x56\x51\x05\x22\x07\x3d\x6e\x00\x7c\x39\x4e\x97\xc2\x58\x51\x20\x2b\x8c\x91\x41\xe1\x01\x61\xd2\xb3\x71\x2b\x74\xa6\x50\xa1\x53\x1a\x4d\x55\xac\x54\x11\x6b\x6a\x52\xec\x19\xc8\x86\x7a\xda\xee\xa4\x09\x1c\x3f\x08\xc4\x81\xa7\xdd\x42\xd9\xc2\x55\x58\x84\xcd\x46\xce\x63\x91\x2c\x17\x90\xfe\x7e\x77\x57\x20\x25\x6d\x3d\x4e\xbb\x0a\x05\x84\x28\x45\x57\xa3\x3a\x26\x69\xdc\x39\x3b\x8f\x9f\x8a\xd3\xb0\xb1\x14\xc6\x61\x52\x17\xd9\x06\x1f\x9b\x00\x76\x6a\x1a\x05\xff\x43\xde\xc6\x4b\xb4\xaf\xd3\xf5\x32\x37\x5d\x5e\x68\x79\x69\xfa\xbb\x9f\x96\x5d\x4f\x89\x95\x72\xe7\x96\xc8\xd8\x5b\x51\x91\x5b\xd4\xeb\x14\x00\x33\x93\x2c\x67\x26\x44\x79\xa2\xc6\x5e\x5b\x61\xa3\x9d\xb4\x91\xfb\x2f\xdb\x80\x5d\x60\x33\xd6\x79\x6c\xc0\x6f\x7a\xe0\x70\xd9\xb8\xfe\x0f\x12\xad\xfc\x95\xe6\x95\x67\x6f\x18\x61\x7b\xd4\x76\xe6\xbf\x6c\x64\x9b\x6b\x4a\xa9\x6f\x4e\xff\xfc\x5a\xc5\xc2\x17\x30\x7d\x64\xa8\xb7\xb1\xb3\xf6\xe7\xdd\x7a\x0b\x00\x57\x20\x78\xc4\xc9\xd8\xd3\x7b\xa0\x94\x90\x40\x9b\x9d\x4f\x98\xdc\x38\x6b\xbd\x6d\xbb\xc7\x21\xe3\xff\xf8\xec\x79\x40\x94\x11\xed\x34\xeb\x4d\x00\xee\x49\x4b\x93\xba\x87\xb2\xe7\xba\x11\x06\x92\x3b\x5f\x43\x5d\x06\x11\xb6\x10\x9f\x91\xab\x95\x9d\x76\x74\xf6\x4d\x91\x76\x50\xc1\x92\xad\x32\x8e\xfd\x22\xe5\x89\x5c\xf3\x31\x97\x03\x2a\xeb\xa9\x3e\xa8\xd8\xa7\x05\x0f\xe4\xc4\x0a\x38\x81\xe6\xb3\xb7\x57\x08\xd5\xfb\x4d\x95\xe0\xa7\x2a\xc5\x00\x5c\x6f\xea\x4a\x85\xb2\x2f\xc5\x8e\x9a\x15\x94\x15\x19\x68\x98\x2d\x35\x56\x41\x95\x07\x4a\x16\xca\xbf\x71\x89\xca\xbf\x66\xe1\xeb\x69\xc6\x03\xeb\x59\xe8\xd6\x7a\x9a\x21\x0b\x74\x43\x4d\x78\x15\xeb\xa5\x69\x58\x0b\x0b\x76\x1f\x75\xe3\x01\x9f\xd6\x44\x5b\x16\x5b\x78\x62\x20\x96\x08\xcb\x6d\x72\x59\xee\x0b\xb7\xcf\x4e\xeb\x02\xce\x50\x57\x45\xb9\x22\x11\xb0\xb5\x91\xdf\x1a\xb1\x30\xff\xd4\xb7\xfc\x0f\x8c\xb0\x27\x6d\x6b\x32\xf7\x55\xd7\x99\xd5\x5f\xab\x18\x37\xe4\xc3\x32\xbf\x0d\xba\xba\x0d\x34\xf7\x2f\x6f\xd6\xbf\x75\xd4\x21\xc2\x32\x70\x71\xb4\x35\x1a\x42\x84\xef\x8e\x04\x53\x33\x03\x95\x3c\xc3\x2b\x40\x00\xc5\xf4\x6e\x6d\x43\xc6\x83\xfb\x47\x58\x6e\x40\xe8\x5a\xc1\xd3\x14\xfc\xed\xa0\x82\x01\x18\xc5\x2a\xb9\x14\x40\xdc\x57\xad\x90\xb7\x44\x18\x17\x2d\x5e\x6f\x89\xfa\x8a\xe3\xa7\xbe\x47\x6b\x9e\x9d\x40\xe9\x4c\x65\xd0\xfe\xfe\xef\x41\x26\x99\xda\x0b\xe4\xdd\xe0\x76\xf8\x00\x84\xb6\x2d\x64\x5d\x58\xe8\x40\x19\x10\xc0\xce\x1f\x50\xb4\xbf\x9b\xde\x71\x96\x44\xcc\xa9\xe0\xa6\x05\x12\x2a\x5b\xfb\xe6\x31\xf3\x3d\xbb\xbc\x3a\x1b\x83\x6c\x60\xff\xa9\xc1\x19\x43\x51\x81\x40\x47\xf5\xb4\x21\x36\xe9\x37\xb7\x97\xac\xf7\x9c\x4a\xbf\x65\x8c\xed\x1f\x14\xde\x92\xa5\x98\x04\xe1\xf0\x74\xfe\xaf\xd1\xe0\x47\x1c\x9a\xce\x8e\x7a\x4c\xb1\x06\xe2\xcc\x73\xa6\xc2\xc7\x46\xd9\x6f\x8f\xb0\xbd\x0d\x0c\x61\x3a\x93\x36\x84\xff\x89\x11\x15\x5b\xf5\xce\x11\x79\x81\x2f\xc9\xd3\x9a\xc1\x2a\x29\xe4\x14\xa7\xd0\x66\x58\x12\x2a\xd4\x0c\x78\x06\xa5\xe6\x4f\xa5\x51\xb4\xd1\x12\xe6\xf7\xd4\x0b\x75\x54\xd6\x91\x55\x07\x0e\x1c\x38\x00\x8b\xee\xc0\x0d\x37\xdc\x80\x59\xaf\x0d\x51\x8f\xda\xfd\x0f\xc2\x53\xd7\x1f\x3c\x58\xe3\x4f\x99\x3e\x73\x9a\x00\xd5\x72\x4c\x21\xc6\x92\x21\xe5\xdc\x7e\x39\xaf\xf2\x27\xcd\x9f\x3b\xab\xa0\x7f\xf2\xd2\x5d\x8a\x2b\xa4\xe6\xd5\xf8\x89\x28\x83\xe8\x1a\x20\x35\x33\xa0\xb5\x10\xa5\xa1\xf2\xa6\x42\xc8\x28\x51\xa6\x0e\x44\x4b\x44\x40\x31\x08\x26\x6b\x03\xd0\x21\x9a\xc2\xeb\x69\xd2\x8c\xa3\x3a\x02\xe0\x52\x02\x9b\x92\x22\x18\xa7\x05\x65\xe1\x6e\x10\xc5\x10\x73\x2f\xaa\x1c\x72\x82\x9b\x39\x84\xc9\x57\x6d\x84\x89\x6e\xac\xcf\x48\xa9\xca\xf8\xa2\x91\xc9\x45\x89\x6d\x3e\x62\xbb\x15\x55\xd1\x33\x83\x1f\x54\x5e\x33\x9a\x03\x34\x29\xca\xa8\xb6\xd7\xb3\xc3\xec\xe0\xa6\x71\x55\x38\xdf\x66\x75\x11\xec\xe5\x23\x8e\xe3\xd5\x40\xd8\x68\x3e\x3f\x32\x00\xdc\x1e\x25\x45\xee\x7f\xb9\x12\xdc\xe1\x5c\x51\x74\x9f\x39\x6f\xc1\x4f\x6b\x1b\x68\xa5\x6b\x00\x1d\xa6\x2c\x08\x56\x92\x65\x9a\xe4\xdd\xb6\x8a\x50\x57\x33\xf9\x05\x15\x76\x6f\x85\xed\x69\xa6\xd9\x53\xd3\x44\xe4\xfe\x77\xbc\xe0\xc5\x9e\xfa\x55\x32\x36\xdf\x93\x26\x80\x74\x0c\x83\xb8\xc1\x17\x60\xa0\x53\x8d\xcc\x9a\x76\xd2\x38\x5d\xee\xf1\x70\x4d\xce\x88\x2c\xed\xe2\xe0\x9f\x09\x7b\x1a\x4f\x50\x6a\x0c\x17\x20\x48\x33\x6d\xf2\x1b\x01\xfd\x2b\x12\x6e\x16\xeb\x51\x76\x84\x1d\x1a\xda\xd5\xfd\x5d\x78\x0a\xdb\x70\xd1\xbb\x76\x28\x0c\xce\xb8\xbf\x3b\x2c\xd2\x76\x54\x67\xec\xa7\xf7\x3a\x00\x28\xcd\x38\x5d\xa3\x80\x2e\x5d\xe0\x9d\x5d\xd1\x8d\x92\x65\x27\xdf\xd6\xff\x3a\x0b\x8e\x0f\xba\x61\x21\xa2\xb9\xf0\x0f\x9d\x30\x0b\xdb\xa2\x00\x68\xda\x34\x83\x43\x59\x94\x2c\x3b\x43\xf2\x6a\xc6\x7e\x66\x8c\xed\x69\x85\x49\x63\x3e\xba\x47\xf8\xaf\x1d\x53\x92\xe5\xff\x1b\x5d\x54\x57\x17\xc9\x1a\xd5\x46\xb2\xb5\x3c\x2a\xa2\x55\x1d\xd0\x89\xc9\xf3\xf4\x5d\x15\xb1\xdf\xea\x36\x9b\xb1\xfc\x97\xa0\xda\xd3\xa6\xd1\x33\xa2\xa4\x48\xf1\x80\x98\xd7\xb8\x62\x63\xa2\xba\x59\xb9\x23\x10\x5d\x15\xe5\x26\x18\x09\x31\x2a\x2d\x8b\xc4\xbe\x9c\xcb\xbe\xb3\x39\xec\xf7\x6b\x9b\x59\x27\x8c\x32\xc8\xc4\x6f\x85\x79\x4b\x34\xf4\x42\x95\x3f\x49\x74\x59\xc9\x57\xaa\xc2\xb6\x0f\x1b\xab\x48\x52\x4b\x8a\x2f\x00\x8d\x50\xbb\x61\x1e\xdd\x63\x2b\x52\x2d\x91\x09\x3a\x12\xe9\xa4\xa0\x9c\x77\xba\x05\x36\xd7\xc2\x05\xc9\x5b\x69\x06\xc6\x49\x2a\x1f\xa4\x18\x20\x16\x27\x8d\x1a\xb7\xfa\x5c\xa1\xac\x24\x29\x8f\xa5\xee\x44\x44\x4f\x8b\xf8\xde\x22\xca\x1e\xb3\x20\xf2\x68\x39\x81\x08\x67\x84\xe4\x95\x63\x25\x3b\x24\x4f\x49\x98\xf1\xa6\x58\x93\x3b\xda\x6a\x0f\x7a\x2d\xe7\x8d\x14\xa3\x64\xa5\x9e\x2b\x95\xdc\xb6\x85\xf0\x87\xdf\x90\x87\xbc\x79\x21\xb4\xbf\x6a\xb2\x19\xd6\x01\xd6\x2c\xad\x77\xdb\xda\x54\x6b\x45\x7f\x83\x39\x7c\x55\xf0\xe5\x6e\xd4\x08\x81\x73\x2e\xb1\x50\x08\x14\x0c\x1f\xf4\x93\xc6\xe4\x6b\x85\x48\x19\x89\xb1\xe1\x38\x32\x72\x61\xba\x02\xf3\xd5\x15\xf6\x48\xa8\xd4\x69\xb0\x31\x60\x88\xb1\x1d\x7c\xbd\x58\xbe\xbb\xa8\x0e\x28\x6a\xb5\x9b\x00\x64\xa3\xf2\x52\x6a\x1d\x86\xd7\xae\x85\x91\xa2\x76\x0e\x01\x05\x36\x21\x3b\x86\x8e\x1b\x75\xa7\x22\xf4\x6a\x11\xb5\xc5\xe3\xb8\xb8\x00\x59\xc8\xa6\xe0\xcc\x64\x66\xaa\xe6\xba\xd8\x39\x6a\x19\xc9\x93\x52\xd3\x0d\x57\x86\xdc\x12\x75\x76\xa2\x8e\xc1\x4a\x5e\x5f\x0a\x5d\xfe\xfd\x0a\xdb\x85\x43\xe5\xff\xa6\x86\x16\x7a\x7f\x45\x4d\x91\x7e\x96\x53\x9a\x73\x1a\x4d\xc6\x6d\x11\x06\xd3\xd2\x33\x0a\xd4\xa9\x21\x3a\x22\x69\x20\xd0\x73\x58\xa0\x92\x6f\x3c\x02\xc6\x08\x30\xa8\x65\xf3\x8a\x2c\x1b\x91\x80\x28\xdd\x34\x5a\x15\x31\x24\x69\x13\x18\x2a\x2d\x3e\x2d\x2c\x70\xa9\x02\x45\xc1\x0a\x09\x14\x2b\xe8\x5b\x6e\xac\xa2\x68\xa5\xb0\x12\x2d\x13\x18\x88\x02\xe5\x06\x88\xb2\x4c\xc4\x62\x35\x94\x4a\xdd\x16\x26\xdb\xd1\x23\x6e\xbf\xae\x8f\xb3\x1f\x1d\x1c\x92\x32\x8f\x7f\x9a\xa0\xca\xbf\xde\x13\x1c\x29\x5f\x1c\x14\xa4\x44\x65\x6c\x1c\x52\xf9\xd1\xdd\x3b\xae\x80\x9d\x10\x17\xa4\xa3\xda\x71\xaa\x5d\xa6\x53\x2d\x55\x41\x6a\xcd\xe0\xda\x81\x41\x6a\xf6\xb2\x15\xdb\x40\x8d\x1f\x22\x0e\x2e\x7a\x8d\xcd\x5d\x21\xd3\xfe\xad\x9b\x05\x25\x95\xa5\x49\x39\x20\xe9\xe2\x38\xbb\xf9\x12\xcd\x47\x78\x0a\xfd\xf0\x78\xf0\xbb\x23\x1b\x3e\x62\xe9\xe2\x94\x0a\x8f\x36\x9c\x34\x19\x60\x5c\x1a\x60\x2b\xaa\x42\xee\xd0\x26\x56\xa6\xea\x15\xb2\x98\x5e\x31\x3b\xb4\xdc\xb0\xbe\x2f\xed\x50\x9c\x9f\x4b\x28\x8f\x25\xc0\xaa\x92\xf5\xd2\xd2\xfe\x20\x8b\x8d\xb2\x1e\xc6\x5d\xae\x22\xb5\xbb\x7c\x6a\x8c\x2d\x31\x73\xcf\x3f\x1f\xdc\xee\x20\x76\x97\x93\x8e\xfb\x58\x24\x90\x53\x80\xd4\x58\x6a\x2f\xd6\xc7\x5e\x77\xb7\x51\xaa\xc3\xb1\x60\x32\x09\x0d\x57\xb9\x5d\xb2\xe1\x36\x05\x15\x2b\x2f\xca\x9c\x08\xdf\xf2\xd8\xbf\xc3\x92\xa7\x71\x24\xcf\x17\x51\x4c\xf9\xcf\xfe\xef\x6a\xb5\xef\xe3\xde\xb0\x87\xb4\x75\xda\xf2\x30\xe8\xac\x6f\x7c\xba\xaf\x32\x34\x9f\xc3\x7a\x96\x22\x7d\x0e\x57\x4a\x04\x91\x52\x6b\x71\x8a\x28\xed\x90\xac\x51\x97\xd2\xd5\x2e\x0c\xda\xa3\x44\x5f\xdf\x37\x2c\xe2\x9e\x12\x1e\xe2\xcf\x56\x98\xef\xb4\xe6\x2e\x59\x80\xff\xb2\xca\x36\xb6\xb1\x9a\x66\xb9\xbd\xb3\x1b\x26\x45\x54\xf4\x82\xcf\x7a\xfd\x85\x3e\x28\x9d\x03\x1d\x92\x85\x6b\x54\xdc\x7e\x95\xbf\x0b\x5a\xda\x46\x7d\x35\x51\xe5\x79\xd4\x8e\xe2\x30\x53\xcb\x91\x66\xbf\xe3\x51\x80\x09\x5f\x63\x3f\x3d\xce\x8e\x6d\x22\xfc\x6e\x4f\xb3\xe8\x1e\x39\x75\xe3\xd9\xb4\x31\x4d\x0f\x88\x0c\xb4\xb5\x2f\xef\x09\x9e\x38\xe4\x3e\xaa\x59\x6a\x6f\x68\xe9\x87\x40\x2a\x85\xe6\xb1\x0d\x83\xcb\x5f\xb6\x13\x0c\x73\xd9\xfb\xf6\xeb\x3d\xb5\x71\xff\x94\x17\xdc\x30\x30\x2b\x66\xf3\xd1\xd9\x06\x26\xd9\xd6\xa7\xd0\x8e\x72\x7e\x19\xca\x79\x66\xe9\xe6\xcd\xcb\x53\xcd\xf7\x69\x65\xdc\x70\x16\x0f\x50\xd5\x6b\x17\xbd\xbb\x37\xd7\xc8\xce\xfa\xa7\xed\xe0\x14\x35\x17\xb4\x3a\xb6\x81\x38\x71\x34\xb3\x43\x14\xa2\xf2\xd5\x51\xc7\x21\xa0\x48\x53\x71\x62\x3d\x29\x5d\xb2\xb3\x5e\xfd\x5f\x1a\x0d\xee\x2c\x5d\x2b\x85\xa8\x40\x33\x43\xfe\xa4\x74\x49\x2d\x78\x50\x3b\xc0\x4f\xa9\xad\xfa\x72\x8e\x84\x7c\x60\xde\xfa\x17\x47\xd8\xf7\xec\x63\xd1\x5f\x5c\x36\x5b\xef\xbb\x36\x60\xeb\x55\xa2\xfd\xd9\xe9\x52\xee\x56\x0f\x26\xb3\xaa\xe1\x43\x47\xea\xfb\x07\x2a\xa0\xeb\xb7\x3d\x36\xb1\x39\xb3\xad\x22\xf4\x7d\xeb\xd6\x09\x7d\xa9\xb9\x0f\x39\xcf\xed\x4f\x57\xd8\xbf\x1b\x46\x01\xe1\x3f\xbf\x12\xdc\xef\x59\x5c\x80\xb6\x0f\x10\x02\x3d\xd0\xe8\xad\x14\xbb\xfd\x9d\xb8\x9b\x85\xf1\x04\x9f\x45\x8a\x0d\x32\xd3\xd9\x7c\x73\xc4\x5c\x73\x8c\x71\xce\x67\x66\x8f\xf1\xe9\x84\x5f\x19\xae\x41\x67\xb6\xde\xc1\x66\x58\x25\xea\xf8\xc7\x83\xa3\x51\x87\x90\x9e\xad\xcf\xec\x07\x5a\x8d\x34\x03\x56\x8d\x89\x41\xc4\x12\xb6\xc4\xf9\xe6\xd5\x6c\x62\x13\x3b\xfb\xa9\x38\x5d\x9b\x87\xdd\xd2\xff\xf8\xd5\xc1\xd7\x3c\xf3\xdb\xd9\xa8\xcd\xf6\x1c\x2a\xb8\xa6\x26\x5a\x51\x31\xc0\x40\x9b\x58\xc1\x1c\x2d\x65\x78\x43\x4a\x5f\x8a\x27\x13\xb0\x67\x45\x09\x32\xed\x4c\xcf\xce\x18\x79\x4d\x48\x68\xa8\xfd\x68\x38\xb5\x5c\x81\xe6\x6a\xcb\x36\xc1\xbb\x75\xc2\x08\x31\x25\xa0\x81\xf9\xb1\x3e\xc5\xda\xaa\x3f\x30\xd6\xf0\x00\xaa\xe4\x98\xcf\x02\xb7\xcb\xff\x1b\xdb\x51\x59\x76\xe2\x77\x1f\x3e\xbd\xe0\x2b\xf6\xee\xf4\x07\x97\xbd\x3b\xbd\xd6\x5b\x54\xa5\x2d\xf6\xa9\x07\x0f\x23\xbb\xfc\x3f\xa8\x8d\xe8\xdb\x1b\xd8\x25\x37\x91\x51\xb0\x35\xbd\xcf\x03\x26\x86\xc5\xa1\xc8\x36\xc3\x36\xaa\xd0\x92\x0e\x0f\xf9\x6e\xf5\x4d\x13\xd2\xfc\xe5\x0d\xc6\x78\xb3\x0e\xc0\xf8\xa7\xb7\x78\x8b\x58\x96\xee\x84\xfa\x00\x06\xfa\x87\xaf\xb5\x5b\xd7\x3b\x87\xa7\x97\xd8\x1d\x61\xdc\x2d\x25\x53\xa1\x69\x22\x93\x9a\xce\x6d\x97\x97\x14\xf6\xa4\xf9\x73\x67\xfd\x57\x78\xc1\x7f\xf6\x28\x2a\xc3\x04\xaa\x24\x3d\xc4\x70\xc5\x78\x0d\x8c\xd7\xe4\x0b\xc0\x9b\x02\xcb\x1a\x6c\x65\x9a\xd1\xe0\x18\x5f\x4a\xd3\xb8\x2a\xc5\xf7\xd1\x23\x55\xd9\x94\x10\xfe\xc0\x15\x5f\xe5\x4f\x7b\x06\x08\xf6\x66\x58\x17\xcf\x79\x6e\x95\xb7\xc3\xce\xd3\xf0\x96\x7d\x1d\x61\x7c\xa2\xb8\xc6\xbe\x55\x61\x07\x37\x8a\x7a\xaf\xdd\x26\x37\x56\x94\x01\x73\x02\x98\x78\xea\xc2\xff\x48\x25\x78\xd2\xa0\x1b\x28\x99\x33\xfd\x13\xe9\xcf\x6c\xe4\x19\x95\x67\x13\xe5\x9a\x1c\xcf\xdd\x32\xbf\xe4\xb1\x1b\x9c\x1d\x73\x22\xf8\x21\xb9\xad\x2b\xa2\x08\x6d\xdf\x40\x56\xa0\x72\x90\x13\x0c\xff\xa9\xe0\x26\xd8\x27\xca\xcf\x52\x5c\x13\x88\x49\xe8\xd5\x7d\xb3\x69\x63\x1f\x74\xc6\xbe\x79\x51\xcf\x44\xb1\xcf\x29\xef\x3a\xb2\xb6\x05\xc1\x0f\x9c\x75\x2c\x6c\x03\xbe\xbd\x9f\x8d\x74\xa3\x86\xff\x1f\x82\x7f\x7d\x7e\xe6\xc4\x86\x4f\xbe\x99\xb1\x23\xa5\x2e\x97\xc7\x20\x37\xcf\x60\x1e\x19\x1e\xa6\x81\x70\x8f\xb2\x99\xbe\x32\x1e\xcc\x0e\xb8\x8e\x31\x54\x26\xaf\x20\xcd\x30\x5a\x07\xd3\x20\xd3\x8c\xb4\xaa\x7a\x98\x28\xb8\x3e\x20\x74\x01\xef\xd9\xc0\xac\xa3\x17\xed\xd9\xd1\x5a\x76\xb4\x96\x7f\x21\x59\x47\x2f\x55\xba\xc1\xf3\x3d\x76\x6a\xc3\x6c\x9f\x2d\x2d\xc2\xcb\xcc\x3e\x7a\x8f\xd9\xaa\xdf\xe6\xb1\xdb\xaf\x40\x7d\x70\xd7\x3e\x7f\x25\x92\x90\x22\x13\xb4\x81\x32\xe4\xa2\x97\x6d\xbe\xd7\x9e\xf3\xcf\x6c\xb4\xd7\xba\x2d\x29\xbb\xe3\xfa\x1b\xc4\xd8\x5f\xed\xd9\x18\x8c\x10\x8c\xcd\x9f\xd9\x13\x4c\x3a\x57\x06\xc5\x05\x18\xe4\xb7\x21\x26\xe5\x07\x76\x4c\xca\x97\x2d\xe9\x9e\xae\x2c\xca\xf3\xc1\xbf\x99\xd6\x56\x64\xbb\xeb\x6d\x7b\x71\x8d\x55\xd9\x75\x5b\xc7\x4c\xdb\x91\xa3\x97\x21\x47\x7f\xcb\x3e\xfd\x7d\xe2\x32\x43\x36\x7e\x62\x70\xc8\xc6\x43\x76\xc8\xbb\xe8\x3d\x79\x73\x59\x74\xc4\x3f\x64\xec\xcd\x9d\x4e\xae\x05\x8d\x23\x2a\xca\x4e\xff\xb7\x5d\xcd\x6e\xda\xe4\x98\xa4\x40\x97\x4e\xcb\x7a\xbb\x91\xa3\xff\xf3\xaa\xe0\xf4\xf0\xdb\xb6\xa6\xdf\x1f\x44\x8a\xa8\x74\x6e\x9c\x98\x23\xa0\xee\xdd\xbb\x23\xa0\x76\x54\xb1\x1d\x03\xd2\x83\x6c\x40\x7a\x4d\x85\x94\xc4\x97\x56\xd8\x1d\xdb\xb2\x9f\x0c\x5f\xf9\xa0\x29\x7e\xf4\xd2\x0d\x4a\x01\xcd\x8f\x49\x25\x1f\x82\x87\xdc\xb0\x74\x5f\x45\x6b\xab\x7f\xef\xb1\x33\x57\xaa\x63\x50\x65\xbd\x7f\x4b\x86\xa6\x87\xbf\x17\x2e\x7a\xf7\x7a\x9b\xef\x3c\xcf\xf4\x9f\x3e\xb9\x2d\xf3\xd2\xf0\xfe\x19\x98\x9c\xff\xcd\xdd\xec\xf1\x56\x8f\x27\xa2\x20\x0c\x61\xdd\xe1\x94\x0a\x0d\xa1\x6d\xb3\x3a\x39\xc1\xd8\x6c\x1e\xd8\x1d\x3c\x77\x93\x67\x8c\x4f\x04\x9c\x43\xd3\xb3\x33\x7a\x93\x80\x38\x5f\xca\xc0\xd1\x81\xfd\x44\xc9\x13\xea\x8c\x75\x79\x6c\x50\x70\xed\x93\x25\x54\xff\xda\xba\x07\x62\x98\x22\xa9\x9c\x6d\xee\x3f\xef\x62\x9f\xf6\xd8\xb8\x7e\xd7\x7f\xbf\x17\xdc\xef\x9d\xb5\x71\xe6\x0b\x87\xd2\xa0\x1c\x41\x83\xe7\x2c\x6d\x78\x6a\xd4\xec\xc0\xe4\x28\x57\x59\x50\x0d\xf4\xed\x42\xcd\x38\x26\x30\x21\x1f\x92\x2a\x18\x79\xc6\x54\xb4\x75\x37\x91\x0f\x0c\x7e\xe5\x38\x36\xd9\xcd\xb2\xfb\x53\x8f\x8d\xc1\x93\xfe\xef\x79\xc1\xaf\x79\xf3\xf0\x92\xa5\x01\x44\x7a\x3f\x36\xf9\xa4\x83\xfa\xae\xcc\x88\xa0\x32\xac\x10\x70\xa6\x5c\x05\xbe\x9f\x82\xae\x81\x7a\xd1\x6a\x4c\x8d\x9f\x82\x0e\xa0\x71\xa3\x94\x5a\x74\x8c\xd9\x53\x41\xbf\xd1\x80\x49\x91\xab\x04\x5d\xbe\x1c\x16\x6e\x46\xde\x7f\xf7\xd8\x1e\xc5\x63\xe2\x7f\xce\x0b\x7e\xd9\x9b\x9e\x9d\x81\x5f\x6a\x8c\xd0\xd8\xa4\x42\xb1\x36\x18\xa0\x99\x26\xb7\xdf\x2d\x45\xe9\x5b\xc2\x52\x34\x38\x6c\xda\x6a\x54\x94\x8f\x53\x4a\x01\xcd\xf1\x82\xf9\x85\x80\xe3\xae\xe8\xa9\xb2\xc6\x64\x27\xcc\x8a\x1e\x5a\x51\xab\xce\xd7\xb2\x41\x2c\x1f\xc7\x49\x4f\x78\x5c\x50\x53\x5a\x82\x9d\x84\x3d\xbc\x2d\xa5\x42\xc0\x66\xf8\xb8\xa0\x76\x76\x40\x84\xde\xd6\x0a\xf9\xcb\x31\x76\xbd\xb5\xda\x89\x0c\x45\xad\xf4\xb9\x6e\x52\x44\x6d\x0c\x62\x55\x70\xd2\x44\x93\xe9\xbf\x6f\x2c\x88\x36\xb8\x4f\xea\x22\x6d\xbc\x0a\x75\x5a\x63\x7f\x37\xa2\x3a\x60\x75\x40\xb0\x5a\x1c\xa7\x6b\xe0\x61\xb6\xcb\xa3\x04\x87\x10\x9c\xd0\xeb\xde\xbf\x23\x83\x81\xfd\x08\xcc\x26\x67\x79\xbf\x65\x94\x7d\xa4\xc2\x86\x3e\xeb\xbf\xb9\x12\x3c\xaf\x32\xec\x2e\x79\xaa\xe1\xb6\x3a\x5d\xda\x0f\xd9\x24\xf3\x6a\x81\xe8\x89\x03\x41\xb5\xe0\x2f\x9f\x36\xa1\x78\xc1\x75\x01\x6f\x8b\x50\xa7\x22\x26\xbd\xfe\x02\x2d\x63\x48\xd5\x91\x09\x90\xff\x0e\xc4\x3e\x85\x68\xdb\xb4\xc5\x35\x3e\x9d\x10\xef\x02\x54\x53\x27\x5e\x82\x36\x59\x6a\x15\x49\x26\xc5\x05\x86\x39\x8c\x43\x59\x7b\xff\xd4\x63\xff\x96\x96\x78\xb9\x20\xff\xd3\x5e\xf0\x7e\x6f\xc8\x4d\x35\xf9\x54\x4e\x46\xdf\x7d\x4a\x68\x4d\x13\x13\x57\xb0\x60\x3d\xaf\xb0\x0d\x95\x55\x88\x0c\x4a\x43\x47\x8a\xba\xc1\xf4\x74\x12\xc5\x86\x08\x19\x18\xed\xb0\x03\x67\x53\x77\xbe\xdf\xbf\x97\xdd\x79\xa9\xfe\x95\x0d\x20\x20\x59\xf0\x1a\xef\xfb\x11\x02\x72\x90\xd1\xfd\xbd\x7b\x76\x0e\x2a\xdf\x2f\x36\xe3\x07\x94\xcd\xf8\xad\x1e\xab\x5f\x19\x68\xc8\x07\x0d\xc8\xf2\x03\xc6\xa2\xfc\x2e\x8f\x89\x07\xbb\xb6\x3b\x18\x96\xdf\x27\x66\x8d\xad\xdb\xe6\x37\xc2\x54\xe4\xdb\x42\x69\x64\xec\x35\xbb\x6c\x08\xc6\x0d\x56\x13\x28\x9e\xf9\x5d\x07\xfd\x3f\x1b\x0b\x7e\x6f\x4c\xfd\x82\xb4\x1c\x64\x45\xc4\xc0\x2d\xd8\x06\x73\xcc\x0a\x85\x18\xc7\xbc\xc8\xba\xd0\x0f\x9c\xf8\xc1\x17\xb2\x08\x70\x36\xd0\x3b\x8e\xb2\xb5\xc6\x18\x84\xcf\xad\x88\x1e\x40\xc5\x20\xcf\x79\xc8\xf7\xd5\xf6\xf5\xcb\x47\x3a\x03\x00\x9f\x19\x8e\x26\xa8\x3a\x61\xbc\x16\xf6\xa4\x3c\xec\x90\x97\x1a\xb7\xee\x5c\x14\x55\x84\x62\x20\xa9\xeb\x94\x17\x4a\x99\x38\x89\x25\x02\x27\x90\x68\xe3\x8e\x49\x0f\x23\x51\x3f\x50\x57\x59\x69\xc9\xb9\xdc\x13\xba\x19\x55\x3e\x3f\xc6\xf7\x35\x8f\xdd\x0c\xfb\xc2\x3e\x45\x69\x87\x3f\xcb\xca\x62\x68\x60\x77\x54\xcf\x40\xe5\xa0\xdd\x98\x6c\xdf\xe1\xfb\x56\x8f\xdd\x0c\xf3\xd0\x2a\x0d\x7f\xab\xe2\x80\xab\x85\x3f\x3b\xc7\xf8\xc4\x76\x58\x38\x29\x14\x14\x97\x0f\xea\xcc\xbe\xe8\xd8\xcd\x51\xd2\x10\x17\xac\xb2\xf0\x37\x64\x5c\x43\xf2\xa9\x32\x5b\x2a\xfd\x87\xde\xdf\xb7\x72\xec\xe6\x15\xd1\xcb\xad\x37\xe1\x27\x6e\x61\xb2\xa2\x69\x93\xdb\x1f\xdb\x97\x43\x3b\x68\x06\xe0\x1a\x8c\x32\xde\x4d\xa2\xbb\xbb\x3a\xe7\x68\x46\x7e\x69\x05\x68\x4e\x3b\xb9\x33\x50\x38\xa5\xd4\x22\x35\x03\x0d\x1b\xb8\x7c\xc3\x3e\x76\xb9\x84\xcc\x52\xdb\x62\x6c\x41\xf7\x0c\x6d\xd8\x91\xd2\x8e\xa1\xc3\xf3\x68\x59\xa3\x2c\xeb\x49\xd9\x98\x6c\x8b\x6c\x59\x4c\x36\xa2\x66\xd3\xda\xbd\xd9\x47\x47\x37\x8e\xa2\x18\x08\x62\xe8\xbf\x70\x34\x38\x59\xba\x86\xbd\x85\x1b\x41\xc7\xb6\x11\xf5\xc1\x89\x5a\x8c\xe3\xae\xc9\xf8\xe7\x47\xd8\xb7\x2b\x6c\x3c\xec\x36\x22\x79\xb0\xc8\xfd\xaf\x56\x82\xdf\xa8\x4c\xab\x9f\x6e\x2a\x86\x2c\xda\xa4\xf8\xe7\x86\x78\x45\x2b\x14\xe4\x3d\x34\xc9\x39\x9a\xe5\x8d\x02\x39\x2c\x93\x41\x5e\xe3\xea\x3b\x93\x08\x12\x31\x00\x05\x95\x12\xc9\x56\x45\x86\x6c\xd4\xf4\x41\x7c\x72\x2d\x04\x0c\x03\x91\x34\x08\x0b\xdb\x21\xda\x56\x69\x34\xa6\x2d\x09\x6e\x04\xa8\x78\x42\xae\xb7\x75\x57\x56\x80\x00\x36\xe8\x44\xa9\xee\xd1\x69\xc7\xe5\x4c\xd3\x37\xe9\x33\x16\x3c\x93\xd9\x32\x37\xd0\xd2\x6f\x60\x63\xd0\x08\xbf\x16\xfc\x87\x05\x15\xe4\x02\xc7\x85\x4e\x78\x37\xa0\xb9\x84\x19\xd0\x4d\xad\x08\x37\x21\xeb\x85\x57\xb3\xa3\x1b\x26\x4d\x1c\x1a\x96\x34\xe1\xff\xe6\x55\xc1\x6f\x7b\x1b\x24\xdd\xf4\xbb\x1c\xf0\xf4\x36\x34\xc9\x43\xb1\xc4\xc9\x2b\xed\x50\x0e\x59\x0c\x6c\xb6\x49\xb8\x2c\x94\x12\x02\x54\x49\xbc\x9e\x76\x13\xe4\x74\x4f\x7a\x56\xd2\x99\x22\x5b\x56\xe2\x17\x93\x0c\xf3\xee\x92\x39\xf9\x86\x96\x46\xad\xd2\xf3\x0c\x9f\x98\x33\x99\x2f\x8e\xef\x28\x0a\x3b\xfe\x8f\x87\xef\x58\xf1\x65\xdb\xff\xf1\xbb\x97\xed\xff\x78\xa5\x37\x34\xbb\x46\x71\xb3\x3e\xe4\xbe\x8f\x17\x28\xdf\xc7\xff\xde\x24\x20\x65\xab\x42\x09\x4e\x34\xef\xf5\xf2\xa1\x0c\x91\xca\x38\x48\xfe\x8e\x6e\x66\x04\xbb\x2a\xe3\xa1\x36\xf2\xd7\xd8\x2b\xcc\x39\xea\x85\xde\xb6\x10\x05\x87\x77\x04\x1e\x96\x6e\xc8\x75\x6c\x8e\xed\xe5\x18\x1c\x38\x64\x75\xc1\x45\xaf\xbd\xb9\x86\xff\x24\xff\xf6\x4b\xc9\xb0\xea\xcf\xae\x3a\xc4\xd8\x6f\x8c\x0c\x84\x5b\x53\xa7\x02\xd0\xb8\x34\xf9\xf1\x1b\x47\x82\xa7\x0e\xbc\x63\x2b\x5e\xfd\x50\x8a\x39\xdf\x5f\xef\x74\xab\x2a\xc3\x5c\x41\x07\x45\x19\x4f\xbb\x45\xa7\xab\x94\xb1\x75\x4f\xa3\x95\x3a\xfb\xc1\xdb\x2b\xec\x29\xec\x6a\x5d\x2c\x58\xc0\x6e\x0f\x1e\xa7\x13\xee\x41\x75\x3e\x66\xcc\xfd\x72\xaa\x21\xf2\x57\x5e\xa5\xf4\xf1\x30\xa6\x2c\x9d\x55\xbe\x1a\x66\xce\x6a\x7f\x85\xc7\x76\x37\xa2\xd5\x28\x4f\x33\xff\x05\xdb\x89\x97\x18\x90\x1b\x7c\x92\x92\x9c\x68\x6b\x72\x5a\xa7\xe6\xbb\xb2\x2e\xe9\xce\xa9\x2a\x9d\x04\x79\xb7\x0f\x06\xec\x7a\x0b\xb6\x75\x22\xf8\x21\xc5\x4e\x7d\xcc\x12\xcd\x29\x51\x23\xda\x2d\x79\xfe\x2e\xb6\x6f\x83\xa1\xa4\x62\x80\x3d\xc8\xff\xe2\x58\x30\x3d\xe8\x46\x29\x59\xae\x9e\xb6\x3b\xdd\x42\xd8\xa0\x98\xe6\xd9\x12\x16\xd9\x18\xfb\xae\xc7\x76\x21\x14\x81\xff\x4d\x2f\x78\xa3\x07\xb0\x41\xe5\x22\x15\x7a\x50\xd8\x56\xba\x44\xf9\x23\xda\x08\xbb\x6d\x9e\x47\x47\xeb\x99\x42\x05\x66\x52\x17\x3b\xa9\xa7\x50\x3e\xf5\x2e\xef\x56\xf6\xf8\xcb\x1a\x6c\xfb\x28\xf0\x62\x00\xda\xc5\x9d\xcd\xff\xdf\x95\xe0\xdd\x95\x39\xb5\xcf\x95\x1a\x4f\x6c\xb6\x1b\x35\x5e\xbb\x29\xa4\x6e\xab\xcb\x91\x5b\x71\x3b\x82\x53\x9c\x42\x59\xa4\xc6\x00\xba\x91\x3d\x85\xa8\xdb\xc1\xef\x84\x47\x1c\x45\xe7\x1a\xf7\x6c\x77\x0b\x38\x4d\xd6\xa2\x5c\x85\x6c\x6b\x35\x0e\xba\x6f\x52\x9d\x8b\x28\x38\xfd\x9f\xc9\x50\xbc\x73\xc4\xc1\x82\x53\x8b\x60\x81\x70\xec\x94\xc0\x02\x7e\x59\x6b\xe2\xfb\xdf\xaa\x04\x3f\x3e\x6d\xe0\xee\x72\x23\xd8\xf4\x33\xa4\x41\xa9\x3b\x0e\xc5\x29\xa2\x5b\x01\x8b\xab\x45\xb3\x9b\xf0\x30\xee\xb4\x42\xed\x5a\x53\xda\x62\xbd\x15\x26\xcb\xc6\x76\xdc\x95\x37\x6b\xeb\xde\xc8\x8a\xe8\xad\x7b\xbb\x50\x6f\x74\x16\xd7\xef\x78\xec\x56\x26\x6f\xfb\x37\x06\x8f\x5d\x00\x75\x74\x49\xc4\x70\xe4\xd5\x87\x29\xc3\xa4\xdd\xe9\xc4\x20\x82\x5c\xc6\xcc\x9f\xf2\x18\x15\xed\xdf\xe7\x05\xcb\xd3\x09\x87\x23\x8d\x49\x7f\xd3\x0a\xeb\xb9\xc4\x81\xa0\x32\xac\x9a\xf8\x55\x74\x60\xe0\xe7\x44\x39\xab\x91\xdf\x85\x87\xf8\x28\xe7\xe7\xe6\x40\xb3\x1f\x7a\x76\xba\x6f\x94\x1d\xb2\x86\x6a\x40\x02\xc5\xed\x0b\x0b\xb3\xe4\xb3\x9c\xeb\xc6\x04\xe0\xf0\xd9\x91\xe0\x67\x2b\x83\xee\x94\x00\x07\x8a\xa2\x63\xd8\xb2\x91\xf0\x18\xf4\xdc\x94\x2f\x85\xf5\x15\x91\x34\x72\x50\x37\xc9\x58\x22\xe7\x3e\xce\xec\x63\x53\x53\x37\xb7\xd2\xbc\xb8\x65\xea\xe6\x4e\x58\xb4\x6e\xb9\xf5\xe6\x5c\x48\xcd\xa2\x13\x66\xc5\x2d\x7c\xf2\x16\xf5\x3a\x59\x3c\xf0\xbf\xf2\xa6\x86\xf2\xe8\x66\xb1\x85\xaa\x2c\xbf\x38\x77\xea\x38\x3f\x7c\xd3\x8d\x47\xab\xea\x68\x42\xe2\x54\xc1\xab\x28\xef\x3a\x76\x75\xb8\x1c\x46\x49\x5e\x58\x6c\xdd\x3c\x6c\x16\x14\xb8\x1b\xcb\x83\xf1\xbe\x29\xcc\x60\x20\x10\x16\xb4\x84\x64\xf2\xc6\xad\xfb\x78\x9a\xf1\x7d\xd7\xee\xab\xad\x7b\x63\xb2\xfe\xee\x44\x7a\xb9\xc7\x5e\xe6\x31\xbc\xe1\x3f\xdf\x0b\x8e\x4c\x97\xa9\x4a\xe5\x1d\x35\xb7\x3b\xb6\xbe\x6e\xba\xcd\x1e\xd3\x0d\xd7\xee\x26\x63\x3a\x1b\x16\x2d\x76\xff\xd5\x4e\xe4\xaf\x13\xe4\xa0\xe2\x1b\xfc\x7b\xaf\x0e\x9e\x57\x51\xb8\xef\x03\x82\x7e\xb3\x6e\xac\xdc\x81\xc8\x79\xad\x92\x43\xeb\x69\x92\x10\xf4\x27\x12\xed\x86\x34\x95\xd5\x21\xc5\xd8\x7f\x20\x21\x94\xda\x08\x7e\x3d\xf5\x3d\xf2\xa4\x6b\x48\x46\x18\x29\xb9\xe0\x15\xf8\x7e\xce\x15\xd1\x40\xdc\x9b\x84\x4f\x80\x0b\xb5\x9b\xc5\x79\x15\xb0\xf8\x39\x81\xf1\xf3\x22\x0b\x9b\xcd\xa8\x5e\xe5\x85\xc8\xda\x51\x12\x16\x82\xcf\xcf\x9f\xae\xf2\xb4\xd9\x24\x3d\x86\x4e\xca\xab\x51\x06\x76\x75\x39\x11\x21\x9a\xbc\xa8\xbb\xdb\xed\x4f\xed\x64\x99\xee\x1c\x92\x1f\xc6\x43\xf2\xef\xd8\x87\xe4\x5f\xbd\xec\x43\xf2\x7d\x1b\x60\x20\x3c\x74\xc7\xe2\x3f\x54\x3e\xc0\xcf\x7b\x1b\xc0\xd5\x0e\x14\x51\x70\x00\x7e\xbd\x37\x6f\x1d\x80\x55\x88\x9f\xe3\x1b\xa3\xc7\x1f\xf2\xb0\xbe\x3f\x35\x47\xdd\xdf\xf5\x36\x60\x0b\x1d\xdc\x38\x3c\xd4\xae\x7b\xf3\x03\x4f\xb5\xdf\x0f\x0d\xbc\xe8\x3d\x73\xf3\x83\xf3\xe3\xfc\x9b\xf4\xc1\xd9\x6a\x68\xc9\x2f\x46\x2d\x28\xbb\xc1\xbe\x38\xea\x60\x58\xaa\xb4\x85\x39\x34\x8d\xce\x0b\x0b\xbc\xfe\xdd\xa3\xc1\xe9\x01\xd7\x4b\x87\x01\x8b\x22\x47\xd9\x57\x73\x51\x20\x0a\x6a\x5d\x64\x80\xad\x0c\x32\x62\x63\x64\xfb\x4f\x8c\xb0\xd7\x7a\xcc\x97\x7a\xc1\x42\x16\x26\xe8\xae\x59\x88\xda\xc2\xff\x09\x76\xc3\x25\xac\x4a\xf9\x6a\x70\x62\x41\xa9\x1a\x45\xd4\x16\xca\xa4\x4c\xcd\x28\xf4\x67\x14\x18\x49\x9a\x08\x15\xc1\x09\x67\x09\x38\x5a\xd4\xd8\x53\x0c\xe2\xfe\xd9\x60\x7a\x9a\xb7\xba\xed\x30\x91\x9b\x70\x03\x36\x48\xba\xa7\x3c\xca\x80\x84\x2b\x8a\x30\x8a\x73\xcb\x38\x62\x3e\xe6\x68\xb3\xa7\xd8\xae\x4c\x84\x79\x9a\xf8\x37\x07\x53\x88\x12\x1c\xe6\x96\x9d\x49\xd7\x76\x5f\x4e\xed\x18\x5c\xce\x69\xbd\x2c\x6e\x0b\xae\x1f\x82\xcf\x5f\x55\x8e\x88\x85\x4c\x6e\x67\x80\xbb\x5f\xe5\x04\xb9\xef\x94\x76\x98\x10\xf7\x1f\x1b\xfc\x9f\x0b\x3a\x82\xcc\x0c\xad\x2e\xd1\x79\xe9\x63\x7b\x1c\x13\x4c\x39\x0d\xcc\x1c\xe0\xbb\xb1\xf0\x5f\xbe\x27\x78\x8f\x67\x5f\x29\x43\x39\x85\x4a\xdb\x69\x81\x05\x1e\x36\xa6\xc8\x41\xe6\x55\x09\xa1\xe0\x4c\xa2\x6d\x11\x3d\x9a\x58\x46\xd6\x10\xb0\xff\x45\x79\xb2\xaf\xb0\x61\x90\xab\x78\x78\x21\xd8\xef\x46\x17\x1a\xa6\xd1\xfb\x3a\x69\x9e\x47\x4b\x71\x0f\xa3\x62\xe4\xb9\x36\x16\x85\x3c\xd6\x8c\xad\x8a\x6c\xc9\x9d\xb3\x9f\xd9\xc5\x3e\xec\xb1\xab\xd5\xe7\x31\x22\xec\x1d\x5e\xf0\x12\xdd\x34\x3b\x0c\x4c\xdb\x70\xd6\xa4\x44\xd0\x2d\xb5\x62\xc0\xc0\x47\x21\x3b\xc3\x3a\xfb\x70\x13\x9b\x25\xfb\xde\x0a\xfe\xb2\xf4\xea\xc8\x32\x36\x58\x31\x62\x61\x1c\x6f\x74\x72\xf9\x8a\xc7\xc6\x75\xd7\xf9\x5f\xf4\x82\x0f\xeb\x7a\x97\x7c\x6d\x56\xf4\x06\xa8\x5b\x7d\x75\x74\xbe\xa9\x4e\x84\x26\x96\x4d\xc5\x5d\xe6\x35\xc6\x83\xeb\xa6\x9a\x69\x1a\x94\xb3\x4b\x6c\x37\xcb\xbe\x66\x9a\xee\x43\x03\x01\x00\xca\xe9\x3a\x0d\x2f\x77\x83\x66\xbe\xd9\x63\x38\x76\xfe\xab\xbd\x60\xed\x2e\x91\x2d\xb9\x8d\xb3\xe8\x9b\x74\x0d\x28\x6d\x7b\x29\x47\x60\xff\x63\x7c\x59\x14\x55\x78\xa3\xca\xd7\xe4\xe9\xa6\x4a\x30\x46\x55\xd2\x67\xaa\xbc\x21\xe4\x44\xa9\xf2\x4e\x96\x5e\xe8\x6d\x67\x18\xee\xab\xb0\x71\xdd\x10\xff\x6f\xbd\xe0\x0f\x75\x64\x6a\x3e\x08\x25\x51\x07\x83\x2a\x88\x75\x39\x8f\x4b\x51\x36\x08\x1f\xdd\xee\xc6\x45\xd4\x89\xad\x58\x53\xca\xc8\x37\xd6\x93\x30\xe9\xd1\x5a\xb3\x30\x0a\xd5\xc9\xcd\x72\x5c\x8a\xa4\xdb\x16\x19\x40\xf9\x38\xe3\x21\xdf\xd7\xa5\x1b\x9c\xcd\xed\x4f\xc6\x6f\xed\x65\x37\x6e\x9e\x45\x2a\xe2\xe6\xa0\xf4\xf2\xf7\xed\x0d\xbe\xeb\x0d\xb9\x39\x20\xc7\xdc\xde\xf5\x21\x4e\x69\x70\x82\x39\xe7\x67\xd3\x02\x92\x52\x35\xfc\xb7\x8e\x8b\xc3\x58\x67\x6c\x59\x10\x41\x8c\xa7\x89\x81\xce\x03\x00\xb9\x8e\x9b\xa4\x88\x13\x16\x68\x3d\x94\x02\x77\x49\xd4\xc3\x6e\x8e\x01\x52\xfa\x50\x42\x21\x1d\xb2\xeb\x08\x0b\x14\xd9\x45\xac\x5c\xd7\xde\xe0\x5a\x0e\x0a\xc8\x7b\xf7\x4e\x16\xfc\xce\xa9\xea\x5f\x4a\x44\xe3\xcf\xab\xd3\xcc\xfd\x9b\xf8\xb6\xb6\x2e\x2f\xe0\x94\xf3\x63\x97\x9a\x09\x5f\xe3\x28\x34\xe4\xcc\x25\xa1\xaa\x22\xac\x61\x9f\xfe\x67\x97\x29\xbf\xba\xf9\x91\x63\xde\xbf\x73\x72\x6b\x69\xf1\x83\x7b\x7c\x60\x62\xd0\xbd\xa3\x9b\x80\xb6\x1e\xaa\x1d\xcf\xd2\x3c\x27\xa1\x55\x46\x72\xf9\xf4\x48\xb0\xb4\xc1\x7d\xb3\x33\x8a\x24\xed\x2e\xb7\x9c\x41\x2e\x52\x1e\x8b\x82\xf7\xd2\xae\x8a\x02\xea\x71\x8d\x7a\x92\x6d\x31\xf5\xe7\x53\x15\xf6\x7a\x8f\xa4\xc4\xcb\xbd\xe0\x5e\x6f\x10\x72\xcb\xe3\x1e\xc2\x35\xe8\xd0\x5c\xc5\x94\xcd\xd1\x08\x9e\x3c\x08\x01\xa6\xaf\x5e\x83\x3d\x21\xc0\xef\xb1\xdc\x8d\x1a\x62\xca\x0a\xb6\xba\x36\xd1\x89\x12\xf4\xb5\xa3\xce\x76\xb3\x3f\x78\xf4\x06\xc0\x37\xf6\x7b\xbf\xbe\x97\x1d\x18\xe0\xe8\x78\xe2\xf1\x93\xb3\xf2\xe5\xbc\x10\x49\x71\x22\xca\x57\x1c\xbe\xac\x57\xed\x0d\x3e\x55\x71\x08\xb3\xcc\xc3\x5c\x3e\xed\x20\x49\x3f\x31\x4d\x97\x63\xc1\x8f\x93\x8b\xea\x64\xb2\x1c\x25\xa2\xc6\xd8\x34\x7f\xe2\xf1\x93\x7c\xf6\x04\xae\x5e\xe4\xb5\x20\x4b\x34\xf8\xb5\xc8\xcc\x6e\xf9\xa8\x28\xc5\x40\x7e\x00\xde\x09\xe3\x3c\xb5\xa2\xe7\x73\xd9\xcd\xb2\x4c\x62\x6a\x82\xd5\x78\x8f\x54\xa2\x42\xdc\x69\x65\xff\xc6\x02\xf2\x0c\xe8\xd3\x72\x4b\x87\x94\x8c\x25\xfa\x28\x42\x48\xcb\xb3\xe5\xd4\x5a\x26\x8f\x09\x29\x84\x75\x65\x70\x69\x12\x1e\x6d\x4b\x9d\x4b\x9e\x67\xf3\x1a\x15\x93\x2b\x8c\x25\x9e\xae\x25\x22\xcb\x5b\x51\x87\xe2\x9e\xc0\xe1\x23\xab\x31\x7f\xf2\x74\x94\x74\x2f\xf0\x4c\x80\xf7\x43\xae\xb1\x75\x6f\x57\xa7\x71\xb6\x3c\xa9\x3f\xb8\x87\xfd\xa2\xc7\xe8\x8e\x3c\xcc\xbc\xc1\x3b\x8f\x71\x8d\xb6\x0e\x3a\x7b\xc2\xed\xe2\xe3\x27\x6b\xfc\x3c\x59\xff\x9d\x05\x05\x9d\xa5\x9e\xd8\xa6\xf3\x8d\x80\xf0\xa7\xc8\x0b\x7e\xed\x72\x5d\x74\xf4\x38\xcb\x82\xed\x89\xf4\x09\x8f\xed\x91\x7d\x74\x2e\x89\x7b\xfe\x2f\x78\xc1\xcf\x78\x73\xf4\x8b\xa3\x83\x03\xe3\x5b\x71\x5b\x16\x5c\xdf\x54\x3c\x34\x51\xc2\x71\x8e\x9d\x91\xc3\x90\xd7\xf8\x09\xcb\x17\xd9\x94\x67\xe5\x07\xa3\xfe\xe3\x6c\xf7\x52\x9a\xc6\x22\x4c\xd8\xa7\x2a\x6c\x57\x33\x97\xe7\x6d\xff\x83\x95\xe0\x9d\x95\x53\x51\x2c\xf2\x5e\x5e\x88\xb6\x4e\xe3\x02\x6d\x0d\xc9\xc0\x40\xf7\x97\xe2\x6b\x2d\x4c\x20\x0c\x10\x66\x4f\x8d\x2f\x44\x9d\x63\xfc\x64\x92\x77\x33\x61\xce\x94\xcd\x52\x51\x51\x6e\x40\xb9\xd4\x06\xd2\x02\x9a\x9f\x8e\xd4\xf1\x81\x90\x17\x1e\xaf\xf1\x93\xe8\x53\xca\x8f\xf1\x40\x5c\x28\x8e\x04\x55\x1e\x5c\x68\xe6\xf2\x9f\xa4\x68\x4a\x3d\x77\xa6\xad\x9d\xb2\xa0\xca\x64\x9a\x37\x07\x5f\xe0\x51\x93\x77\x13\x13\x23\xf7\xa0\x4e\x82\xef\x55\xd8\x78\x27\xcc\x0a\xb4\x5f\x7d\x53\x73\xdf\xfc\x7e\x65\xa1\x85\xde\x2d\x34\xfd\xd0\x82\xdd\xa4\x2f\x67\x9a\xca\x59\x5d\x75\x72\x91\xa2\x5c\x3f\x24\x7b\x8f\x4a\x91\xcb\xc3\xee\xaf\x53\x3a\x7e\x83\x4b\x69\x3e\x95\x37\xc2\x83\x55\xf8\x8c\x4a\x3e\x2d\x9c\x3a\x85\x39\x0f\x0e\x06\x35\x3e\x8f\xb0\x9f\x71\xaf\x6a\xd7\xd1\x3c\x27\x8f\xc5\xaa\x40\x59\x95\xe0\x40\xc0\xf7\xa7\x19\x94\x2c\xc5\x49\x2c\xc2\x55\x9c\xe3\x9d\x4c\x8e\x67\xd1\x43\xb5\x64\xe2\x41\x9a\xbf\x0a\xa8\xfe\x2b\xbb\xd8\x0f\x0f\x06\x9e\x3d\x71\x76\x1e\xb3\x84\xfd\x4f\xee\x0a\x9e\x65\x5f\x70\xce\x21\x27\xce\xce\xdb\xd4\x64\x08\x30\x81\xd4\x0f\x61\x43\xd9\xec\x52\xe2\x4d\x58\x16\x09\x1d\x47\x41\x6b\x3e\x71\x76\x7e\x16\x33\x0d\x1d\x61\xf6\x85\x31\xf6\x7f\x7b\x6c\x2f\xec\x56\xa8\x73\xfb\xef\xf7\x82\xff\xcb\x33\x60\x2f\xf2\xa3\x20\xd8\x48\x81\x32\xa8\xb2\x68\x4d\x8a\x2c\xf2\x88\x4e\x07\x83\x7b\xe9\x40\xb3\x14\xe6\x94\xd7\x4b\xea\xfc\xd0\x3a\xf1\x13\xca\xc8\xd4\x70\x5e\x50\x25\x67\xa2\x9d\xae\x6e\xec\x65\xfe\x40\x85\xed\x26\x0e\x09\xff\x81\x4a\xf0\x67\xa5\x26\x48\x61\x1c\xaf\x1a\xa6\xc2\x52\xd5\x21\xf4\xdb\x8a\x7f\x86\xaa\x2b\x4a\x8a\x2d\x55\x5b\x21\x03\x97\xab\xcc\xe7\xe4\x97\xbb\x78\x40\x54\x05\x42\x14\x41\x94\x70\x95\xb9\x09\x2f\xa5\xab\x22\xcb\xa2\x86\xa0\x01\x44\x2f\x27\x24\x02\xa9\xe5\x08\xb5\xb2\x47\xd2\xf4\xc6\x0d\xec\x7a\x76\x78\x53\x92\x43\x7b\x6a\xe1\xb7\xd9\x6f\x7b\x6c\x0f\x3a\xbe\x45\xee\x7f\xca\x0b\x7e\xae\xd4\x71\x78\x8f\x37\xd2\x36\xa8\x8a\x72\x71\x49\x49\x88\x14\x15\x71\x9a\xae\x74\x3b\x5b\x99\x06\x54\x0c\xba\x9d\xb7\xd4\xa1\xce\x1b\xdb\x98\x08\xdf\x64\x03\x15\xa6\xf9\x7a\x18\x8b\x99\x73\x46\x0f\x72\x14\xa6\x0f\xb2\xe0\xc4\x86\x4f\xb8\x29\x85\x66\x95\x73\x7a\x8b\xc4\xd0\xba\xb7\x7b\x39\x2c\xc4\x5a\xd8\x5b\xf7\x76\xe1\x16\xb1\xee\x8d\xe7\x80\x3f\x38\x27\x9a\xce\xda\xfb\xf4\x38\x7b\x1a\xdb\x4b\x32\x64\x36\x4d\x63\xff\x74\x70\xab\x14\xc3\xaa\x48\x22\xb4\xe1\xf2\x5e\x1f\x69\x3d\xc9\xaf\x82\x9c\xe3\x38\x3e\x8e\xbd\xf9\x5e\x8f\x31\xac\x15\x68\x2a\x79\xd0\x5c\x70\xf2\x4f\x48\x70\x86\xb1\xd4\x0a\x7a\x1a\x75\x9c\xe6\x9a\xaa\x84\xda\x16\x29\xc4\xa8\xbf\x1a\x51\xee\x72\xb0\x3a\x75\x68\xb2\x47\x9a\x4a\x9e\x80\x3a\xfa\x73\xc1\xc9\x85\x92\xc5\x4e\x7d\x6c\xd6\x34\x08\x1f\xb6\xed\xfc\xca\x2b\xaf\xe8\x7f\xec\xef\x5c\xb0\x74\x9b\x38\x78\x66\x9f\x6a\xc2\xf7\x1b\x8d\x71\xa2\xc6\x2f\x4f\xf3\x71\xb4\x92\x45\xc6\xf2\x3c\x3e\x89\xe9\xf7\xfe\x5c\x70\xe2\x54\x1c\x2e\x1b\x66\xcd\xa9\x46\x94\x83\xc5\x6a\x7e\xfe\x34\xa7\xa3\x0c\x85\xca\x42\xff\x3d\x11\x67\x8b\x0e\x0e\xc4\xea\x3a\x5f\x78\x95\xa7\x67\x09\x90\xd8\x3e\xdf\x0b\xba\x33\x03\x8f\xb0\x8a\x2b\x0d\x23\xc7\xd4\xa8\xe8\x84\xd7\x85\x56\x54\x5f\x99\xcd\xd2\xd5\x88\xcc\x59\x69\x26\xaf\x25\xd6\x25\xad\xd5\xc9\xb1\x2e\xdf\xb3\x3b\xfc\x1c\xa3\xe9\xed\x9f\x0c\x6e\x2c\x0f\xa7\xaa\x07\xcd\x9d\x30\xb7\x87\x2f\x4a\xd4\x70\x3b\x05\xbe\xd5\xd3\xda\xdd\x6b\xbd\xe0\x45\x5e\x59\xbb\x33\x5a\x87\x66\xde\xed\x53\xdb\xb6\xae\xb3\xd5\x86\x69\x6b\x56\xf3\xe1\x8e\x5d\xc5\x13\x4c\x2d\x6e\xff\xa6\xa0\xba\xa0\xca\x57\x20\xeb\xa5\xb9\x2c\xcf\x77\x34\xba\xb5\x12\x72\x97\x11\x08\xfe\xc7\xbd\x0d\x08\xb3\xb4\xec\x52\x8f\xe3\xc1\x3d\x78\xb1\xa7\xaf\x18\x94\x01\x6d\x47\xc4\xc2\x61\x12\xa8\xba\x68\x73\x0c\x02\x28\xe4\x22\x21\x2e\x52\xeb\xc8\x0f\xea\x5c\x41\x21\x6d\x49\x5a\x58\xe9\x35\xa7\xd3\xe5\x28\x51\xfd\x08\x33\x57\x2e\x98\x30\x8a\x6b\xec\x7d\xa3\xac\x3a\x28\x0e\xaf\xd7\x11\x8d\xd3\x69\x3d\x8c\xcb\x46\x89\xe7\x8f\x06\x3f\x3e\xf4\xee\x56\x4d\x12\x08\x9a\x8f\x7e\xc3\x1e\x82\x69\x28\xac\x05\x65\x4e\x8c\x92\x1c\xf7\x52\x3a\x76\x6a\xdb\xf3\x46\x06\x8b\xaf\x56\xfe\x65\xa3\x60\xdc\x46\xc6\x98\x63\xc1\xe4\xb6\x50\x30\x86\xd0\x54\x6d\x0b\x04\xc3\x2e\xe3\x8f\x46\x1d\x54\xb6\xb0\x41\x9c\xdb\x99\x58\x8e\x00\xba\xc2\xb5\x51\x42\xf4\x95\x99\x42\x6f\x1e\x0d\x1e\x57\xbe\x48\x76\xca\x12\x40\x31\x3d\x55\x8b\xc5\x72\x58\xef\x91\x45\x69\xdd\x33\x60\x34\x83\x26\xc1\x27\x46\xd8\x13\xa8\x8d\x37\x06\x8f\x5d\x94\x7f\x2c\x0e\x72\x33\x51\x54\x58\x8d\xab\xc0\x6d\x57\x3e\x5a\x88\x37\xb7\x05\xd7\x2f\xea\x5f\x8b\x43\x11\x6f\x36\x2c\xb0\xc9\x46\xa5\x2a\xe4\x3f\x33\xb8\x73\x51\xfe\xb1\x58\x76\x9a\x9e\x9f\x3b\x8d\x94\xde\x98\xe4\xa5\x34\xa6\x1c\xf3\x11\x28\x93\x0b\x4d\x9c\x20\x28\x00\xef\x06\x3f\x68\x7f\xe7\x93\x1e\x1b\x95\x42\xd4\xff\x90\x66\x0b\x7b\x9b\x37\xd3\x2c\xcf\x5c\x34\xa6\x24\x76\xbd\x89\x8e\x97\x22\xd9\xd6\xc4\x52\x2b\x4d\x57\x8c\x44\x2d\x52\x7e\xe4\xc8\x61\x58\x37\x4b\x61\x7d\x65\x2d\xcc\x1a\xc8\x27\x57\x44\x4b\x51\x1c\x15\xbd\x1a\x5f\x94\xa5\x2e\x5a\x3b\x56\x48\xe8\xd9\xf0\x35\x62\x63\xdd\x7f\x70\xf2\xe8\xf5\xd7\x1f\xbe\xbe\x8a\xdc\x1a\x79\xb4\x2a\x26\x4a\x9c\xb7\x23\xec\x31\x83\x80\x27\x45\x27\x4e\x7b\x6d\x91\x14\x0a\x38\xc5\xff\xf3\x4a\x70\x7b\xff\xe5\x72\xb2\x7e\x0a\xce\x7d\x39\x50\x60\x03\x03\x96\xe4\xb4\x41\x24\x14\x89\x80\x74\xe0\x52\x94\xfc\x2b\x2a\xac\x45\x31\x02\x8b\xc1\xbc\x8a\x11\x68\xe8\x4f\x81\x67\x02\x6c\x00\x73\x02\x15\xaf\x00\xf0\x7d\xe6\x52\xf0\xa5\x9d\x07\x67\x85\xbb\x1d\x39\xb7\x9c\x21\xfb\x59\x8f\x5d\x9d\xd9\x77\xfd\x57\x7a\xec\xc6\x4d\x81\x38\x9d\x02\x4d\x2f\x04\xe7\xe9\x06\xb9\x4c\x68\xef\xc6\x93\x67\x5e\xe3\xb3\xa8\x06\x13\x50\x4a\x93\xf7\xf7\x1f\x34\xf7\xf1\xa5\x0a\xb3\x57\x7b\x36\x9f\xfa\x06\xae\x8d\xd9\xb0\xa8\xb7\x7c\x11\xfc\x18\xfc\x01\x09\xbe\xb4\x13\xe9\x80\x4c\x30\x39\xca\x5d\x8e\x56\x24\x64\x9a\x90\x96\x50\x4a\xef\x9c\x9d\x5e\x38\x7e\xbb\xf1\x54\xa4\x0d\xe7\x04\xcc\xfe\xbb\xcf\xfe\xfd\x80\xfd\xeb\x6c\xda\x10\xe8\x4c\xf0\x7f\xc9\x0f\x1e\x6f\x7e\x02\xbb\xc8\x40\x67\xc8\x20\x84\xb3\x24\x6d\x08\x77\x62\x7c\xe3\x51\xec\x6e\xb6\x2b\x6a\x87\xcb\x22\xf7\x97\x83\xc7\x9c\xa6\xa3\x96\xc5\x19\x08\xf7\x70\x6d\xc1\xae\xd1\x10\xf6\x69\xe7\x30\x3b\xc8\xa6\x36\xd5\x18\x74\xd2\xcc\x8c\x2c\x8d\xfd\xbc\xc7\xf6\xc8\x82\x66\x92\x66\xea\xff\x8c\xb7\x85\x02\xa0\xc5\xa0\x2e\xc9\x77\x82\x74\x9e\xc8\x58\x1a\xf9\x54\xb7\x1b\x61\x52\x37\xa6\x73\xcb\x59\x60\x1b\x34\xa1\xcd\xdb\xb5\xa4\xc8\x97\xf0\xbf\x53\xd7\xca\xb7\x58\x83\x5d\x45\x56\x95\x99\xe4\x7c\x2e\xfc\x85\xe0\x46\xd5\x55\x61\x51\xa8\xd0\x5b\x7a\x44\xca\xb7\xae\x54\xf2\xc9\x42\x3c\xa1\xf4\x3f\xea\xff\xa1\x67\xc5\xb7\x57\x18\xd3\xc1\x3a\xb9\xff\xba\x4a\xf0\x3c\x4f\x87\x71\xe9\xd8\x7e\x15\x3e\xaf\x46\x38\x5d\x02\xfb\x44\x03\x8a\x37\xc1\x3e\x83\xfd\xb0\x5b\x6d\xb5\x2e\xc6\xae\xee\x21\x76\x80\xd5\xb6\x34\x56\xba\xd6\x17\xbd\x7d\xec\x87\x1c\x6f\x55\x47\x2e\x23\x4a\x6e\x5f\x11\x3d\x7f\xb7\x3f\x26\xd7\x0a\x93\x4f\x3e\x7a\xc0\x93\x0a\x3b\xca\xdf\xe3\xef\x82\xb7\x18\x2b\xd8\x23\x10\xf4\xf7\xa4\x0a\xa7\xf6\xc3\x0d\x82\x0b\xed\x8a\x9d\x70\xdf\x0b\x26\xf4\x9f\x06\x4a\x38\xe7\x59\x37\x49\x80\x05\x14\x77\x14\xf9\x62\x8d\xfd\x99\xc7\xf6\xd4\xc3\x4e\x58\x8f\x8a\x9e\xff\xfb\x5e\xf0\x42\xef\x38\xfd\x2a\xc7\xc6\x14\x69\x11\xda\x71\x30\x66\xf1\x5d\xaa\x49\xcf\x9c\xf0\x27\x95\x75\x4f\x55\xe5\xca\x26\xb2\xbc\xd2\x63\xbb\x50\xc2\xfa\xff\xc9\x63\x07\xb7\x3a\xd8\xcd\x68\x99\x9c\x9e\x77\xf6\x45\xb3\x49\x69\x5d\xa6\x78\x82\xa9\xba\x1a\x85\x68\xa7\xed\x25\x61\x3b\xaa\x83\x98\x8c\x31\x5e\x4d\xbe\x43\xe9\x2b\x35\xf6\x39\x8f\x8d\x75\x5a\x61\x2e\xfc\x5f\xf1\x82\x0f\x78\xf2\x93\xb3\xf2\xa7\xd2\x5c\x32\x51\x47\x5e\x73\xbd\x12\xe2\xa8\x29\xea\xbd\x7a\x2c\x38\xbc\xa7\x2a\x73\xd9\xb2\x00\x4b\x5b\x30\x50\x1f\x39\x4f\x04\x60\x16\xa4\x9d\x6e\x1c\x16\x0a\xc1\x2b\x41\xfe\xa8\x86\x9c\x16\x60\x3e\x72\x36\xc8\xfb\x3c\xf6\x08\x1a\xc5\x69\x10\x1e\xa2\xe1\x77\x82\x9a\x12\x28\x4a\x8a\xa0\xc5\x2d\x13\x24\x61\xdc\xce\xab\x6d\x5f\x08\xab\x6f\xa1\xf1\x80\xdd\x3f\xca\xc6\xb5\xe9\xd4\x7f\xfd\x68\xf0\x82\x11\x2d\xd2\xd4\x65\x6e\xd2\x0a\xec\x6f\xf3\x3b\xbb\x22\x8b\x94\xbd\xac\x1e\xa7\xdd\x86\xda\x14\xb3\xaa\xdc\x84\x35\x4b\xee\x65\xf5\xb6\xa9\xc6\xd9\xb4\x10\xc7\x4a\x38\x8b\x0d\x51\x8f\x81\xfc\x37\xcc\xd1\x5e\x2a\xbf\x57\xe5\x4b\xb4\xff\xc1\x25\x05\xdb\x02\x67\x9d\x6e\xb3\x19\xd5\x23\x9c\x29\xb8\x57\x28\x04\x82\x7a\x98\x70\x0c\xf2\x81\x7c\xe9\x7a\x9a\x65\x5d\x84\xc4\x00\x40\xc6\x08\x14\x1e\xb4\xc9\x4a\x4d\x29\x8e\xad\x40\x1a\xc5\x8f\x2a\xdf\x0e\x79\xb3\x1b\xc7\x93\xa4\x9e\x81\x2f\x0f\x64\x58\x8d\xcf\x0b\xa1\x9c\xb6\x1d\x85\xcf\x39\x75\xc3\x4d\x87\x6f\x3a\x88\xd6\x91\x44\x25\x03\x39\xe3\x7a\x80\xd5\x58\x75\x4b\x4b\x70\x1a\xbb\x6a\xeb\x32\x74\xeb\x72\x99\xfd\x9a\xc7\xf6\x12\x31\x9c\xec\x62\xff\x83\x5e\xb0\x3c\x6d\x7e\x97\x85\xdf\x00\xb1\x67\x4d\x65\x4d\x9f\x2c\x9b\x9d\xcb\xe9\xd8\x05\xe7\xa6\xe3\xbe\x53\x72\xb5\x76\x65\x65\xdb\x47\x46\x58\x60\xf5\x5f\xb6\x14\xd6\x61\x5d\x2c\x2f\x67\x62\x19\xf4\x27\x88\x75\x7d\xf5\x48\x70\x57\xe9\x5a\xbf\x0a\x4e\x47\x7e\xc2\xc5\x9c\x4b\x63\x42\xca\xa2\xf7\xe4\x94\xa7\x15\x63\x3d\xe2\xa8\x5e\xef\xa9\xb0\x07\x2a\xec\x5f\xd7\xcd\x6d\x95\x25\x98\xfb\xaf\xa8\x04\x1f\xf3\x8e\x0f\xb8\xa3\xcf\x95\xca\x26\x6e\x52\xcd\xdc\x73\x96\x4a\xed\x6a\xca\x73\xb5\x53\x4b\x29\x9f\x50\xc7\xd7\xf1\xab\x39\x18\x07\xe0\x2c\xdf\x74\x92\xfa\x72\x4c\x0d\x83\x33\x56\x52\x6e\xcd\xbe\x9c\x77\x44\x46\x47\x65\xcb\xde\xde\x68\xc8\xa3\xa2\x99\xc5\x27\xd8\x6d\xec\x09\x97\x82\x07\x1f\x2e\x89\x58\xb5\x9c\x7d\xb9\xe2\x0c\xde\x10\x5b\x94\xff\xe1\x4a\x10\x97\xae\xb9\xb6\x72\xbc\xc9\xf5\xdd\x1a\x9f\x29\x78\x2b\x1c\x66\xe2\xc9\x44\x91\x45\x62\x55\x9b\xb1\xe8\xe8\xaa\x0f\xcb\xce\x90\x7e\xcc\x63\x77\xd1\x51\xfd\x6c\x30\xad\xcc\x11\x04\x33\x44\x9c\x89\xa1\x75\xd0\x86\xf2\x55\x2d\x43\xf5\x09\x3d\x87\xed\x3d\x63\xc9\x3e\xc0\x9f\x0f\x6e\x37\x80\xb5\x0e\xc1\x21\x5c\xa1\x2f\xe1\x84\xb0\x4c\x70\x70\x36\x31\x80\xb3\xb2\x56\xce\x37\x7e\x8e\xb1\x99\x2d\x9b\x41\xce\x74\x0b\xb0\x62\x3e\x19\x0f\xd6\x0e\xac\x30\xd0\x66\x7c\x71\x3c\xb8\x63\xb3\x87\xdc\xc0\xde\x8d\x9e\x1e\x4c\xaa\xf1\xf5\x1d\x52\x8d\xcb\x0e\x9c\x7c\xad\xe6\x69\x7e\xa9\x67\x0e\x80\x1b\x8e\x85\xbd\xba\x9f\xcc\xce\xb3\xf9\xe1\x87\xfb\x4b\x9e\x43\x3b\x01\x9d\x97\x11\xd0\xf9\x79\x3b\x4d\xee\xd3\x97\x49\xc7\xf1\x7c\xef\x61\xe2\xe3\xb0\x1a\x77\xd1\x7b\xd1\x16\x90\xd1\x1b\xfe\xd2\x86\xfc\x40\x03\x27\x63\x29\x20\x72\x33\x91\xc5\xd8\x1f\x8e\xb0\xe3\xd4\x83\xb2\x3a\x93\x6a\xcf\x4f\x5d\x94\xcb\xd2\x8c\xaf\x4d\xcf\xce\x90\xfd\x97\x2c\x39\xaf\x18\x09\xa6\xcb\x17\x8d\xc7\xa1\x21\xb2\x68\x15\xfc\x53\x65\xeb\x0e\xc1\xa5\x63\x50\x82\x6b\x2a\xae\xb0\x8f\xba\x26\x84\xf7\x54\x82\x1f\x39\xae\x2c\x41\x64\x17\x35\x09\x60\x9d\x68\x5e\x9b\x5c\xcd\x8a\xfe\x31\x76\x17\x5b\x18\x38\x61\x2e\xad\xb9\x8e\x2d\xe0\x07\x9d\x31\x94\xf3\x69\xb2\x1d\x76\xa4\xc2\x99\xfb\xe3\xfe\xee\x49\x4e\xb6\x00\xce\xfe\x4d\xff\x93\x60\xc0\xdc\xe5\x8f\xb6\xc3\xce\x36\x14\xd8\x6d\x18\x16\xbe\xf1\x68\xc7\x54\x6b\xc5\x29\xcc\x8b\x7a\x37\x8b\x8a\xde\xf1\x34\x29\xc4\x85\xc2\xff\xe4\xa3\x83\xef\x78\xfd\xd7\x49\x3f\xeb\xa4\x8d\x49\xa0\x58\x91\x5b\x2f\xdc\x2f\xb3\x02\xcb\xc5\x91\x26\x96\x9d\x8d\xbc\xbb\x52\x38\xa5\x0a\xb4\x19\xb3\x3f\x20\x6a\x91\x64\x97\xd4\x3f\x4c\x78\x63\xee\x7e\xbc\xc6\x09\x84\x9d\x10\x0d\x6d\x3b\x5e\xf9\x59\x5e\x84\x2b\x42\x96\x5a\x17\x0d\x44\xa2\x93\xc7\xd8\x66\xe9\xf5\xfe\x06\xba\xe6\xc3\x8f\xfc\x1f\xec\x37\x46\xd8\xee\x66\x8e\xfe\xa9\x8f\x8d\x80\x8d\xfe\xe8\x91\xe0\xfe\x91\x69\x9d\x46\x91\x77\x3b\x0a\xe1\x23\x26\x6f\x95\x0a\x26\xa1\x84\x24\xc8\xc6\x30\xd8\x1c\x98\xba\x01\x10\xd1\xd0\x17\x2a\xec\x0b\x19\x2a\x21\xd1\x5e\x59\x55\x63\xc4\xa7\x27\x64\x0b\x40\xbf\xd1\x11\x95\x29\x21\x91\xa8\xd7\x21\xc8\x4d\xde\xd6\xfe\xd8\x4e\xda\x38\xc6\xd8\x41\x0c\x13\x4d\xd7\xc0\xe4\xf3\xc4\x99\x13\x5a\x95\x95\xcf\x9c\x9a\x47\x1f\xd6\x21\x42\xdf\x14\xc5\x72\xd4\xe0\x4b\x78\x26\xcc\x45\xc1\xf7\x27\x62\x0d\x5d\xbf\xe5\x98\x05\xfa\xb0\x2a\x4d\x7f\x9a\x8a\x9c\xe0\x87\xb1\x4c\xa3\x45\xcb\x72\x71\xd0\xcf\xcd\xed\xa3\x90\x86\x6c\x6d\x32\x5b\x9b\x9c\x9c\x9c\x64\x6c\xa6\x89\x00\xde\x55\xa7\xfd\x50\x3e\xa0\x5e\xa7\x0d\x65\xf5\x34\xbd\x00\x39\x72\x96\x9a\x4e\x28\x7a\x58\x37\xd7\x51\xf1\x5f\x47\xd8\xbf\xa2\xa1\x3c\x0e\x1d\x8a\x61\x30\xfe\xeb\x47\x82\x97\x8c\x0c\xb8\xa1\x95\x2b\x9b\x4d\x04\x86\x02\x6c\x67\x43\xaa\x50\x0a\x8c\xa4\x08\x5e\x8a\xd9\x27\x94\x22\xf2\x96\xce\xa6\x2e\xbb\x02\xc6\x25\x25\x71\x0f\xe6\x4e\x4f\x0e\xa9\x33\x37\x50\xe3\x55\xb1\xb5\x54\x63\x05\x02\xa8\xaa\xb3\xbf\xd4\x23\x13\x70\x02\x80\xa2\x81\x92\x3f\x49\xb9\x68\x36\xa5\xc6\x90\x26\x5c\x74\x5a\xa2\x2d\x32\xa9\xc5\xd9\x1f\xca\xbb\xf5\x16\x0f\xf3\x63\xa4\x59\x57\xc9\x64\x05\xc8\xa1\xb2\x78\x08\xe0\x6b\x44\x99\xa2\x01\xa5\x15\x25\x07\x36\x38\x97\xcc\xa5\x69\x71\x26\xca\xe1\x68\x85\x2c\x10\xc1\x34\xe4\x13\x05\x04\x2c\xe9\x38\x66\xd5\x3d\x38\x4a\xe4\x25\x53\xd2\x27\x2b\x6c\x3c\xeb\x26\xd3\xf9\xf9\x5c\x64\xfe\x2f\x56\xd4\xfa\x7b\x13\x04\x50\x9e\x9f\x39\x01\x67\x8c\x2e\xe1\x8d\x24\x45\xd6\x43\xbd\xc6\x58\xe7\x48\xfc\x74\xb2\xb4\x0e\xf9\xd3\xf6\x39\x1c\xfc\xf4\xc6\x29\x1c\x25\xe8\x0d\xe0\x06\x59\xae\x1c\x2b\x1a\xf6\x74\x90\x75\x8e\xa7\xa5\xb2\xfc\x80\x44\x37\xba\xb7\x94\x16\xad\xf2\x03\xd0\x1f\xfd\x72\x87\x82\x2b\x41\xe9\x73\x6a\x54\x7e\x5d\xca\xb5\xdc\x16\x6c\x4d\x05\x9a\x63\x64\xa1\x33\xeb\x5f\x38\xc2\xae\xc9\x05\x44\x5b\x2b\x66\x83\xbf\xa9\x6c\xc1\x9c\x46\x11\xda\xf4\x4e\xf0\x09\xe8\x71\x15\xb6\x5d\x57\xb5\x49\x29\x04\x2d\x8e\xf0\x3c\xee\x4a\x3a\x18\x6f\xab\x07\xab\xa5\x51\xc9\x10\xf7\x5e\xc1\x08\x93\xd1\x21\xe4\x59\x98\x34\xd2\x76\xdf\xd7\x00\x6c\x2c\xac\xb7\xec\x08\xf8\x7f\x2e\x63\xc2\x3e\x57\x61\xd7\xac\x45\x49\x23\x5d\xcb\xd5\x38\x7c\xa4\xc2\x6e\xd9\x74\x1c\x9e\x8c\xef\x94\xbe\xa9\x86\xe5\xef\x3c\x39\x2c\xf4\x8c\x06\x07\xd4\xbb\xed\x76\x87\x26\xd5\x11\x92\x74\x98\xd7\x2f\xec\xcb\xfb\x9a\x6d\xdb\x62\x6a\x0f\x71\x17\xd7\xd8\xcf\x56\x18\x03\xd1\x80\x7b\xf3\x6b\xb4\x6c\xf8\x27\xe8\x92\x27\x5e\x82\x6c\x38\x0f\x26\x61\x9a\x93\x3a\xba\x9a\x36\xa5\x7f\x9e\xab\xff\x23\x23\xec\x2a\xe8\xa5\xb3\x29\xc8\x65\xff\x81\x91\x60\x7d\x64\xc6\x02\x9b\xa7\x98\x7c\xd3\x1d\x60\x41\x91\xfd\x16\xe6\x60\xdf\x4c\x26\xb3\x34\xc5\xc4\x54\x0c\x5a\xca\x14\x4c\xb4\xb3\x43\x43\xe8\x80\xb2\xba\xa1\x1c\x0d\x0b\xdd\x9b\x10\xa1\x67\xb2\x00\xa2\xc2\x90\x59\xd0\xa7\xa4\x30\x3f\xc0\xf7\xcb\x6f\x21\x96\x61\x33\x8c\x00\x15\x2b\x2f\xc2\xac\x5c\xc7\xa8\xa9\x8a\x50\xf3\x58\x14\x3c\xcd\x30\x9c\xaf\x2a\xf7\x38\xd8\xc2\xa8\x4e\x3a\x88\x6a\x49\xa8\x84\xd5\xef\x53\x69\xee\x06\x3b\xfe\xb8\x94\xdc\xf5\x7a\xda\xee\xcc\x66\xa9\x54\xc1\xfc\x78\x2b\x82\xdb\x79\x25\xb8\x09\xd5\x3a\xb8\xa6\xd7\x37\x6e\x7e\x4a\x4f\x74\x55\x53\x30\x15\x48\xed\x94\x7d\xdd\x63\xbe\xad\xdd\x52\x4a\xf8\x17\xbc\xe0\xdd\x56\xd8\xb2\x4a\xe4\x36\x92\xa6\xd0\xc0\x59\xb4\xb4\x60\x8c\xa3\xa4\x24\xbc\xab\xfd\xa1\xf4\xc2\x11\x38\x9d\x2c\x6a\x87\x59\x4f\xae\x65\x1c\x09\x47\x5e\x25\xa9\xfa\xb4\x63\x9a\x45\xa8\x8c\x9e\xb3\x20\xcc\xe1\xef\x07\xd8\xbf\x22\x39\xe1\x2c\x93\xff\xe6\xb1\xdd\x79\x2f\xaf\x17\x71\xee\xff\xaa\x17\xbc\xc4\x9b\xc7\x1f\x70\xde\xb1\x4c\x78\xda\x46\xd9\xe0\xf4\x38\x5a\xa2\x55\x78\x1a\x28\xf5\xb3\x3a\x5a\xa5\x9b\x98\x18\x49\xf5\xfc\xfe\x72\xa7\xab\x35\x32\xc1\xdb\xd1\x72\xab\xd0\xf3\x3e\x0e\xbb\x49\xbd\xe5\xd4\xfe\xb1\x6c\x82\xed\xdb\x7c\x02\xc0\x97\xd8\x9b\x46\xd8\x8f\x0c\xb5\x28\xdf\x21\x34\x68\x9f\xff\xed\x4a\x50\xed\xbb\x4a\x36\xf2\x9c\x40\xe3\xc1\xd7\x81\x0f\x11\xa4\x9e\x73\x50\xfa\xaf\x15\xf6\x02\x8f\x4c\xc3\xff\x31\x48\x07\x52\xbc\x6f\xd7\x55\x26\x4f\x6c\xab\x91\x58\x9b\x22\x40\x99\x49\xd9\xa5\x93\xf8\xc5\x7c\x0a\x46\x62\xaa\x3f\xf1\xef\x1c\xdb\xa3\x62\xb4\xfc\xe3\xc1\xf5\xf3\x94\xdb\x62\xc7\xed\x92\x89\x1c\x58\x07\x10\x39\x5f\x19\x8d\x09\xb4\xcc\x59\x84\x77\x21\x42\xe0\xb9\xe0\x36\xb9\x90\xa8\x2f\x2c\xab\xb3\x06\x0d\x05\xf3\x9a\x54\x48\x74\xc0\xec\xff\xcf\xde\x9f\x80\xd9\x71\x95\x77\xc2\xf8\x53\xb7\xb5\x1e\xd9\x2c\x35\x84\xc9\x3f\xf9\xcf\xcc\x49\x79\x88\x24\x4f\x77\xb5\x24\xef\xb2\xb1\xd3\xea\x6e\xd9\x8d\xa5\x56\xd3\xdd\xb2\x43\x1c\x06\x55\xdf\x7b\xba\xbb\xac\xba\x55\xd7\xb5\x74\xeb\x9a\x90\x00\x36\x4b\xc2\x4e\x58\x95\x10\x08\x81\x4c\x86\x21\x90\x61\x86\x84\x75\x60\x42\x18\x08\x84\x30\x84\x6f\x12\xf8\x12\xb2\xf3\x65\x27\x1b\x49\xc0\xf9\x92\xef\x7b\xce\xfb\xbe\x67\xab\x5b\xb7\x17\xb5\x6c\xf3\xcd\x23\x9e\x07\xab\x6f\x2d\xe7\x9c\x3a\xeb\xbb\xfc\xde\xdf\x8b\x68\x2a\x7a\xee\xbc\x70\x81\xa9\xaf\x69\x35\x52\xc4\x2e\x08\x10\xdb\x27\x96\x61\x88\xfb\x14\xa8\xf2\x87\x5e\x70\x57\xe3\x9d\x0d\x93\xa2\x16\xe8\x41\x41\xb5\x24\xa2\xf7\x5c\x0d\xf7\x65\x1e\x7b\xa9\xc7\xf6\xa1\x0d\x70\x66\xce\xff\x81\xad\xa0\x5d\xe8\x61\x6c\x41\x30\xa3\x5e\x76\xb9\x1f\x06\x5b\x82\xef\xf1\x99\x39\x52\x59\x06\x5a\xc6\xde\xb6\x8b\x1d\xb6\x2a\x54\xd0\xf3\xb5\xa3\x21\x3a\x75\x67\xb3\x8e\xd0\x94\x20\xfe\xdf\x8c\x04\xcf\x68\xb8\xae\x08\x25\x1d\xa6\x10\x8e\x0c\xaa\x35\xb7\x9c\xe5\x8e\x76\xbb\xe5\x8d\x23\xec\x75\x23\x6c\x37\x10\xb3\xfb\x3f\x32\xa2\xa0\x79\x5f\x6f\x9d\x26\x9e\x55\x42\xc7\x65\xcb\x3a\xcb\x02\x79\xb5\x31\xce\x51\xab\xe0\x93\x0b\x33\xbc\x93\xc7\x6b\x42\x1d\xd3\x56\xde\x3f\xc8\xa8\x85\x0e\xe7\x09\x27\xf6\x2b\x2e\xf0\xb0\xd1\x8e\x71\xb0\xad\x53\x38\xa6\x7e\x4b\x3e\xd6\xce\x40\x93\x34\x41\x6e\x54\x70\x1b\x0e\xc1\x92\x97\xeb\x31\xa6\xbc\x23\x58\xae\xc3\x94\x82\xb8\x75\xa7\xfd\xba\xfe\x62\x15\x7d\xcf\xdd\x2c\x5d\x31\xbc\x1d\x80\xc3\xcb\xac\xe8\x52\x6c\xbd\x42\x32\x1b\xd0\xc0\x00\xf6\x96\xde\xd1\xbb\xa1\xe9\x3f\xd5\x71\x36\x02\x0b\xdd\x4a\xc0\x35\x08\x0a\xa1\xb5\x53\xff\xd1\x6e\x87\x89\xb4\x29\x48\x5b\xcd\x84\xd3\x40\x88\x4f\x21\x27\xef\xdd\x1d\x7c\x66\xa4\xe9\x8e\x15\x9f\x4e\xbe\x4f\xe4\xd9\x87\x7e\xd6\xd3\x07\xc9\xf5\x39\x70\x13\xc9\x67\x0c\xe4\x6d\x54\x0a\x2f\xce\x21\xaf\x2d\xe8\x72\xd8\x70\xde\x8d\x2a\x0f\x2b\x58\x01\xe4\x29\x48\x91\x64\x0e\x94\x0d\xea\x2d\xa3\x7c\x45\x94\xfc\x90\x08\x57\x42\x3e\x39\x77\x56\xee\x53\x44\xf1\x1c\x72\x18\x49\xd2\xb6\xf5\xa9\xb7\x26\x72\x98\x72\x65\xb6\x82\x9b\x9c\x63\x73\x00\xd0\x67\x6e\x0e\x66\x2c\x3f\xe4\x7c\x41\x4a\x48\x2a\x69\x80\x54\xdd\x97\xaa\x38\x01\x49\xa7\xfe\x7d\x69\x07\x4d\x07\xda\xe2\x85\x1d\xae\xa5\x09\x38\xbd\xc9\x20\x95\x15\xb6\x17\xbc\xcc\x78\x9a\xe5\xdd\x28\x91\x72\xd7\x98\xfc\x66\x55\x61\x55\x28\x97\x46\x20\x67\x55\xa0\xc2\x59\x38\x87\x60\x90\x2c\x15\x3c\xc0\xa6\x06\x14\x6d\xa0\x61\xaa\x05\x9c\x41\x70\xd8\x5c\xf4\xf6\xe0\x43\xce\xea\xfd\x84\x67\xc3\xa6\xd3\x06\xd8\xb4\x03\x25\x8f\x53\x0e\x03\x56\x67\x90\x7a\x1e\xa3\xc2\xfd\x82\xdd\xb2\x2d\x16\x73\x9c\x5f\x8b\xd8\xfc\x1b\x69\x44\x0b\x87\xc5\x9a\x2e\xa2\x8c\xa8\xc4\x07\x8c\x54\xc3\x2e\x62\x9f\x76\x99\xd1\x96\x00\x69\xa1\x5c\x4b\x93\x79\x96\x3e\x23\x5b\x22\x53\xfb\x5b\x76\x05\xb7\x38\x57\x06\x8e\x85\x3a\xa7\x5c\xc4\xdb\x79\x96\xf2\xfb\xb3\x25\x77\xe3\xfb\xe2\x08\xfb\x51\xa2\x3d\x5b\xa8\x80\x30\x61\xb9\x4a\x80\xf6\xec\x79\x97\x4e\x7b\x76\x62\xc6\x32\xf2\x03\xe4\x64\x9d\x22\xd0\x5d\x2e\xb4\xfb\xb3\x25\x29\xb7\x53\xad\x49\x9f\x2b\xba\xab\x4e\xc8\x7e\xd2\x63\x7b\xa2\x76\x19\xaf\x09\xff\x0d\x5e\x30\x66\xc4\x4f\x50\xea\x28\x05\x28\x7d\x66\xd2\xd7\x08\xb7\xfb\xb3\x25\x97\x8c\xe9\x7a\x76\x6c\x0b\x21\x20\xb5\x40\x89\x47\xbc\x6b\x86\xda\xeb\xf7\xfb\x7b\xa3\x32\xeb\xc6\x6d\xc6\xde\xe0\xb1\x27\x41\xcf\xe1\x01\x23\xa0\xdf\x5e\xe0\x5d\x7a\xc7\x9d\xdc\x46\xc7\xc9\x3b\x4e\xe7\xd1\x31\x27\x3b\xef\x55\xfb\xec\x5c\x53\xfa\x2b\x4f\x26\xe2\xc2\x90\x08\xbd\xaf\xec\x0d\x1e\xf2\x86\xdf\x77\x31\x07\x10\x60\x18\xb7\xed\x38\x3d\x3a\x4e\xdc\x64\x80\x0a\x5b\x8c\x5e\xea\x71\x7d\xbc\xe1\x5e\x00\x20\x21\xd1\x26\xe1\xa0\x97\x54\x2b\x71\x1a\x5e\xf4\xf6\xe0\xf1\xe9\xcc\xd2\x8f\xed\x61\x67\x18\xdd\xf0\xa7\x83\x9b\xa7\xf0\x84\x6d\x58\xe4\xea\xec\x45\x7d\x07\xd7\x99\x0e\xa1\x73\x56\xfb\x2f\x99\x88\xa8\x0f\x4a\x05\xe7\x71\x8a\x88\xb2\x93\x46\x5a\xc5\x77\x44\x4f\xa4\x78\xf8\xca\x51\xb9\x87\x82\xcd\x20\xb7\x51\x2d\x52\x4c\xc7\xe5\x4e\x05\x07\xcf\x90\x28\x7c\x9c\x4f\x5f\x28\xf3\x08\xdc\x32\x10\x98\x44\x3b\x77\x0c\xd6\xf2\xf0\x5d\x35\xa4\xae\x8d\x2a\x7a\xa1\x4d\x64\xb0\x16\xac\x9a\x22\x1f\xc3\xb0\xbf\x5f\x6d\xd9\x51\x5c\x1f\x6f\x5d\x42\x14\xd7\xcb\x5a\xa6\xe5\x26\x9e\x4b\x65\x10\x56\x21\x2c\x96\x60\x4f\x7e\x75\x12\x6a\x61\xf8\x9a\x02\xb9\x80\xfb\x2f\x2a\x34\x3c\x02\x27\x2e\x0d\x4d\xe1\xa6\x1b\x46\xde\xbc\x18\x92\x2b\xb9\xb5\xc4\x76\xde\x1e\x14\xa8\x86\x34\xa4\xe0\x5d\x24\xa7\x06\xaa\x0e\xa1\x4d\xf4\x51\x92\xd0\xdf\x94\xae\x29\x2a\x0a\x73\xea\xd7\x5a\xc5\x1e\xde\xc7\xbe\xb3\x01\x2b\x36\x9f\x25\x02\xd0\x2d\x7f\xb8\x37\xf8\x2e\xf5\xa3\x89\x1a\x1a\xb0\x56\x8d\x98\x95\x8f\xef\x61\xcb\x96\x77\xfe\xfb\x76\xe6\x9c\xff\xce\x0d\x08\x6c\xaf\x60\x63\x76\x8a\x8d\x79\x96\x82\xc6\xcc\x05\xdf\x3e\x23\xff\x70\x01\x4b\x30\xc8\xf6\xe1\x79\x98\x1d\x64\x4f\x1b\xba\xf2\xec\x49\x74\x05\xde\x72\xe9\xf0\x96\x47\xbc\x95\xcd\xb1\x20\x53\xfe\x09\xcd\x80\x05\x1d\xbf\x21\x0d\x96\x5a\xca\x75\xf6\xdd\x4d\x29\xaf\x8e\x7e\xcb\x53\x5e\xfd\x7f\x83\x57\xea\x5b\x98\x98\xeb\xa1\xbd\x8d\x44\x29\x2a\x70\x64\x2e\xcb\x4b\xff\x77\xf6\x04\x37\xd8\x17\x70\x2d\x97\x55\x2f\x21\xd1\xce\x00\x88\x23\x2e\xa5\xb9\x04\x63\x16\xe5\xd8\xc9\x7f\x9d\x41\x7b\xed\x1e\xb6\xc4\xf6\xf5\xf2\xac\xcc\xda\x59\xe2\xdf\x13\xcc\x48\xa1\x67\x66\x8e\xab\x4b\x46\x4e\x83\x32\xb4\xc0\x75\x76\x6a\x6e\x94\x2f\x4e\xce\x41\xe6\xce\x85\xc9\xc5\x39\x37\x7e\x7e\x72\xce\x91\x84\x3e\x3a\xc2\x0e\x44\xbd\xde\x9c\xaa\xe7\x67\x47\x82\xb7\x8e\xc8\x9a\xc0\xfe\x41\xac\x00\xc3\xaa\xb4\xbc\xf2\x98\x84\xb4\x30\xf9\xc5\xac\x70\x37\x4c\xdd\x51\xf4\xd3\x32\xba\x10\xf2\xb3\xe9\x58\x2f\x17\xcb\xf1\x05\xc5\xab\x02\x07\x71\x2e\x28\x6a\x43\x56\x31\x33\x31\x3b\x61\x4a\x52\x90\x25\x7c\xf8\x50\x04\x88\x63\x3e\x7f\x72\x72\xec\xc6\xeb\xae\xbb\x01\x15\x6f\x9c\xb2\xeb\xeb\xeb\x61\x1c\xa5\x51\x98\xe5\x2b\xe3\x18\x6d\x02\xd9\x82\xc6\xa9\x08\xd0\x72\x8b\xc3\x21\x9f\xcd\xd2\x31\x5d\xbe\xfa\x3a\x7d\x82\x49\x21\xb8\xd6\x44\xf2\xf5\xf3\x6e\x1f\x2c\x05\x69\x3f\x6c\x67\xdd\xf1\x6e\x7f\xac\x0d\x89\x6c\xc7\x54\x19\x56\x02\x16\x2e\x77\x06\x3b\x49\x68\x5c\xf0\x95\x2a\xca\x3b\x46\xf0\x25\x6c\xd4\x84\xe9\x7f\x9d\xae\x05\xe0\xe3\x80\x22\x40\x16\x07\xf9\x0a\x49\xbc\xce\xf8\xbd\x5b\x19\x94\x7f\xca\x0b\x5e\xef\xb9\xa4\x07\x7a\x9c\x48\xbc\x72\x13\xaa\x1c\x94\x0f\x1e\x34\x19\x5f\x29\xba\x9b\x32\x87\xc8\xb3\x86\x9a\x37\xe7\x4c\xaf\x88\x4f\xcd\x2e\x3c\xe7\xd4\xc4\x89\xe9\x53\x21\x57\xc2\xa2\x0e\xbc\x94\xb2\x56\x8f\xa6\x3e\xd9\x89\x9d\xe6\x3e\x9d\x02\x79\x6f\x50\xc6\x42\xc4\xbe\x58\xa1\xb4\x9a\xba\x16\xd7\x51\xcd\x51\xc7\xd8\x6d\x9b\xec\xc4\x1b\xe6\x46\xf3\xbf\xb9\x3f\xf8\xbe\x0d\x9f\xa8\x27\xa1\x6a\x08\xa0\x1c\x9a\xcb\x32\xbc\xe8\x3d\x91\x5e\x20\x06\xf6\xe2\xa2\xf7\x44\xa2\xe2\x37\x57\x2c\x68\x9e\xb3\xe2\xbf\xb2\x8f\xfd\xdf\x9e\x03\xdc\xfb\x0b\x2f\x78\xb9\xd7\x76\x62\xff\x50\xe2\x55\xe1\x99\xea\x86\x93\x7f\x0c\x06\xde\xb4\xca\x18\xeb\xe4\xc9\x8e\x16\x95\xd1\x21\x9c\x93\x48\x2e\x49\x06\x2a\xab\x7c\xb9\x42\xbb\xa2\x74\x6c\x04\xcf\x64\x67\xd8\xe9\x6d\x18\x7c\x86\x0e\x8d\x86\x06\xca\xc9\xfc\x04\xea\x40\x34\x0e\x15\xfe\x9b\xbd\xe0\xb4\x7b\x49\x93\x8e\x4b\xe5\x5e\xaa\x52\x6e\x0e\x00\x63\x3a\x53\xeb\xcc\xe9\x0d\xe7\x13\x9e\xce\x6e\xdd\x96\xcd\xea\x28\xd9\xac\x70\xaa\xb0\x8b\x1e\xab\x8f\xb7\xff\x62\x1d\xa1\xfe\x40\xed\x16\x58\xa2\x69\x3a\x99\xb9\x9e\xab\xbb\x60\xa4\xe9\xd4\x4c\xe3\x4e\xd3\xc1\x86\x0a\x5f\x5d\x08\xa1\x39\x44\x9d\x4f\xb3\x96\xca\x3b\x3c\x56\x9f\x7a\xfe\xab\x75\xe3\x9e\x5b\xbb\x55\xcf\x1b\xb1\xc3\x06\xb6\xa3\xa4\x8d\xa1\x70\x9b\x35\xf3\x6b\x1e\xbb\x1a\xad\x41\x11\x99\x82\x7e\x6b\x07\xa6\xa0\xb7\x79\x4e\x59\xce\x54\xd1\x76\xa0\x61\xe9\x6b\xe1\x9f\x0e\x1a\x47\xf4\xe7\xcb\x4f\x1e\xb5\x26\x93\xa8\xad\x2c\x10\x33\xb2\x04\xac\xe2\xd9\x72\x49\x26\x7c\xf7\x7d\x18\x79\x80\xcc\x75\x42\x76\x81\xf9\x2a\x42\xf1\x4e\xa4\x9c\x92\x32\xd2\x92\xc2\x65\x9c\x1e\xbc\xa9\xbe\xa2\x9b\xc1\x84\x6f\xcb\x09\xb4\x62\xee\xea\x78\xc7\xc6\xc9\x6e\x75\xf5\x4f\xec\x62\xdf\xb5\x51\x58\xb6\x9c\xd5\xc2\xff\xc6\x48\xf0\x4e\xcf\xbd\xa6\xe3\x8d\x88\x66\xdf\x42\x0f\x5b\x18\x23\x6d\x91\xce\x96\x61\xa7\xe9\x0a\xd9\x07\x5a\xab\x77\x15\xf7\xd4\xb0\x94\x77\x1d\xb5\xde\x25\xed\x93\x4f\xc5\x05\x77\x9b\x73\x6f\x14\x4b\x55\x28\xac\xcb\xb8\xcb\x6c\x2f\x19\x34\xfd\xfb\xd8\x8d\x5b\x0f\x47\x87\x42\xe7\xf1\xcd\xe0\xbb\xa6\x9c\x2c\x10\x91\xb6\x91\xea\x2f\x65\x19\x63\x3a\x85\x52\xc7\x8f\x36\xd8\x41\x9a\xab\x5a\xd4\x2f\x07\xff\xb6\x5e\x9b\x29\xd8\xaa\x70\x99\xed\x5d\xc7\x6f\xbe\x84\x0f\xa3\xde\x1a\xfc\x30\x2a\xd2\xaa\xe7\x8f\x0f\x34\x46\x57\x39\xe5\x55\x85\xff\xdf\x0f\x04\xcf\xa8\x5d\xb3\x11\xeb\x58\xcb\x72\x8d\xb1\xbd\xb0\x02\x82\x63\x2b\x51\xa7\xf1\x51\xec\x06\xca\xaf\x8b\xde\x55\xb9\x00\x30\xcb\x64\x56\xa5\xe5\x45\x6f\x37\xa0\x64\x2e\x7a\x7b\xe1\xdf\x99\x29\x97\xf7\x94\xb1\x05\x76\x40\x17\x36\x33\xe5\x4f\x05\x37\x4d\x5a\xe0\x88\x99\x29\x9d\xe9\x0e\x33\x61\x1e\xec\x64\xed\xf3\x22\x3f\x3e\x3e\x7e\x9b\x7e\xed\x39\x71\xe7\xf6\x83\x8e\x98\xf2\x20\xc3\x6a\xfd\x07\x82\xce\xa2\x46\xea\xd4\xd0\x35\x3a\x42\xfc\x52\x12\x14\xaa\x0c\x84\xc8\xac\x60\xd7\xfd\xb1\x16\x73\xba\xc0\x7f\x8f\x66\xc4\x7c\x13\xc0\x0b\x2d\x41\x29\xee\xea\x64\x99\xaa\x59\xab\x51\xc1\x97\xe4\xf9\x40\x65\xc8\x25\x65\x2c\xfe\x4e\x2e\x6c\x53\x50\x47\x1e\xa3\x16\xc0\x05\x59\x53\x10\x08\x5b\xf2\xbe\x28\x55\x91\xc4\x1f\x38\x9b\x95\x9a\xa9\x14\xc5\x5d\x6b\xc7\x07\x0b\x43\xad\xc4\x90\x9f\xa8\x2c\xb9\x42\xd5\x03\x79\x0d\x28\x51\x48\x99\xf1\x95\x28\x5f\x92\x1d\x6d\xac\x68\x24\x4f\xa3\x21\x04\x8c\xa3\x2b\x42\x1e\x2f\xbd\x9e\xe8\xf0\xa8\xe4\x37\xc8\x5d\xef\xce\x49\x77\xa3\xbb\x85\xa9\xc9\xe2\x87\xc1\x77\xcd\xe0\x9f\x03\x88\xb6\x83\x05\x0e\xab\x33\xf0\x7d\xb6\x1f\x4e\x10\xd8\x0a\xb7\x82\x23\x72\x17\x5b\x70\xcb\xd4\x40\x12\x19\xbb\x42\x3c\x88\x68\x8d\xc7\x08\xfd\xa7\xac\x2c\x2c\x27\x41\xfe\xfe\xe0\xd9\x46\x5c\xaf\x0b\xdc\xd3\x0e\x36\x48\x63\xe4\xf1\x61\x18\x30\xed\xab\x46\x6a\xd3\x41\xe3\x8d\xfd\xb9\xf7\x30\x5c\x75\xfe\xe9\xe0\x0e\x93\x3f\xd6\x86\x81\xb8\x13\x8b\xcc\xa5\x68\x22\x8a\x3a\x71\x2a\x0a\xf0\x56\x2c\xd5\x30\x59\x3f\xd7\x62\x7b\x69\xf6\xf9\xef\x68\x05\xaf\x6f\x6d\xb3\x70\x78\xb7\xea\x51\xd1\x7c\x46\x0e\x40\x94\x80\x25\x30\x2a\x14\x7e\x6d\x49\xb4\x33\x98\xff\x79\x25\x28\x49\x21\xbd\x37\x27\x5f\xab\x79\xfe\x8d\xd7\x07\xe8\x2f\x85\x6d\x91\x5f\x57\xae\x77\x77\x75\x9b\x05\x94\x01\x98\x8e\x98\xa0\x79\x92\x15\xa2\xa0\x33\xb0\x14\xdd\x5e\x96\x47\x79\x9c\xf4\x43\x3e\x53\xa8\x9c\x10\xd0\x26\x28\x36\xcd\x06\x5a\x65\x14\x23\xab\xcb\x12\xb6\x1b\x4a\xf4\xdb\xdb\x9f\x75\x47\x36\x9e\x75\x6a\x0f\xb6\x26\xdb\x7f\xdc\xed\xb8\x4d\x55\xb9\xa7\xb2\xa8\x73\x02\xf3\x05\xe6\x2a\xff\xe1\x3f\xef\x0a\x5e\xed\x35\xdc\x18\xc8\x05\x63\xa9\x48\x49\x16\x75\xc6\x28\xf1\xa0\x9c\xa5\xf8\x02\x28\x74\xc7\x55\x22\x42\xb0\xff\x02\x27\xa7\x3a\x2b\x74\x6c\x92\xe5\xc4\x46\x6e\xdf\x28\x75\x0b\x71\xcf\xfe\xdf\x1a\x61\xcf\x65\xfb\x56\xb3\xa2\x84\x05\x94\x05\x4b\x77\xd1\xdf\x2a\x3c\x43\xd6\xb0\x41\x9b\x2c\x9a\x85\xa9\xd9\x05\xda\x24\x0f\x95\xfd\x5e\xdc\x8e\x92\xa4\xcf\x27\xee\x5d\x70\x5f\x2f\x0e\xdb\xab\xe8\xb9\xac\x15\xf7\xfc\x2a\x58\x9d\x99\xdb\x7e\x85\x1a\xe8\x63\xd5\x77\xe7\xe4\xb4\x9c\x72\x67\x7a\x22\x5d\x28\xa3\xf6\xf9\x8d\x2a\xff\x1d\x8f\xed\x96\xfa\x73\xe1\xff\x2f\x2f\x78\x40\xea\xea\x03\x69\x80\xda\x59\xde\x21\x94\x13\x76\x30\x3c\x0f\x50\xc1\x42\xce\x6e\xc8\x49\x84\x4a\xb8\x4a\x48\x19\xa7\x4d\x23\x82\x1b\x4c\x6a\x12\xae\xc6\xa5\xad\x4e\x8d\xb3\x31\xf6\xef\xb6\xc0\xf7\x9a\x97\x0b\x94\x37\x6d\x4b\x0e\xe3\x17\xee\xb2\x49\x9a\x4c\x39\xca\x06\xba\xa0\x91\x4a\x52\xb2\xf2\xbf\x38\x12\xbc\xc7\xd3\xe9\x97\x7a\xda\x52\x6a\x01\x9a\xe4\x0e\xac\xd3\xe7\x46\x49\x42\xe6\x73\xc2\x23\xc6\x44\x8e\xcd\xd7\x05\x40\x0d\x8f\xf0\x43\x71\x28\x42\x1e\x97\x07\x11\xeb\x3b\x96\xf5\x0e\x87\x7c\x82\xa7\x55\x92\x6c\xa1\x82\x34\xd3\xe5\x53\x41\x05\x22\x6a\x75\x59\x17\xbd\x3d\x58\xd7\x45\x8f\xf5\xb4\xa7\xcd\x99\xe3\xff\xe4\xb1\x17\x7a\xcc\xba\xeb\x97\x5b\x24\x66\x51\x58\x45\xd9\x39\xc1\x1d\x13\x08\x1d\x32\x99\x84\x45\xde\x1d\x6d\x24\x72\x75\x6d\x41\xd8\xbe\x90\xad\x31\x6a\xaa\x9f\x28\xa9\xe4\xde\x7b\xb1\x9f\xea\x85\xc0\xf7\x2b\x9f\x85\x5b\x5a\x5a\x6b\xd7\xa8\x9a\x70\x39\x84\x70\x1d\x1d\x3b\x7a\xe4\x88\x7b\xa6\xff\xd8\x2e\x16\x36\x82\xde\x50\x2f\x6f\x42\xbe\xfd\xf1\xa3\x87\x7c\x7b\xc5\x08\xfb\x11\x8d\x7c\x7b\xbe\x46\xbe\xfd\xe9\x15\xe4\xdb\xd6\x90\x6f\x71\x72\x79\xf1\x6e\xaf\xbf\xde\xcd\x43\xb5\x9d\x80\x73\xff\x4b\xd7\x05\xff\xbe\x76\xcd\xb6\xd4\xa7\x26\x64\x58\x11\x08\x22\xb7\x9b\x43\x73\x82\x78\x01\xa1\x80\x9c\xb1\x1d\xd9\x68\x74\x9c\xab\xd0\xcf\x86\x98\x50\x17\x52\x74\x8c\xfd\xdc\x2e\xf6\x2f\x75\x55\x98\x81\x85\x5c\x28\x85\xff\xba\x5d\xc1\x3f\x8c\x4c\x34\xdf\x54\xa4\x8b\x39\x0e\xb4\x86\xfc\xe8\x8d\xe9\x5c\xed\xc5\x73\xca\x17\x83\x07\xb7\xfa\x66\x71\xa1\x27\x37\xa9\xd0\x0a\x2c\x46\x91\x5b\x6e\xf6\x0a\x1b\x02\x80\x75\xe5\xca\xa1\x45\x0b\x35\x62\xd8\x5d\x5c\xaa\xe1\x2c\xea\x7a\xbe\xa9\xd4\xc1\x01\xc2\xf0\x42\x09\x0e\x2e\xc4\xb4\x61\x74\x20\x40\x01\xb0\xdf\xda\xd2\xa9\xdc\xd0\x33\xcb\x16\x09\x76\x47\x0f\x95\x83\xb0\xb5\xe0\x65\x2a\x9f\x8e\x6e\x95\x1c\x41\x1d\x6e\x01\x34\x8e\x1d\x81\x51\x92\xea\x09\x8d\x6b\x2c\x31\xa1\x1b\xb9\x58\x47\xa5\xf2\x93\x68\xef\xb6\xaa\xd8\x34\x15\xb3\x65\xdb\x8a\x0e\x28\xa4\x51\x9c\x54\xb9\x5c\x34\x44\x33\x6e\x38\x29\xcf\xdd\x77\x90\x26\xeb\xc1\x67\x9f\xdb\x88\x2b\xee\x27\x3c\xe6\x4c\x29\xff\x15\x1b\xa6\x5b\xda\x70\x59\xa8\x58\x77\xab\xb8\xe0\x0e\xfb\x97\x86\x0a\x10\x02\xd4\x30\x47\x0b\x73\x6a\x20\xbf\xa6\x22\x0b\x65\x7f\xa4\xdc\x13\xbf\xed\x05\xff\xd3\xab\x73\x32\x0f\x2c\xac\x90\x83\x77\xd2\x08\x80\x08\xd2\x7a\xa0\x8a\x12\xb2\x0e\x89\x70\x25\x1c\x45\xc5\x8d\x3a\xce\x51\xb4\x47\x29\x27\x7a\x60\x3d\x11\x34\x41\x9e\xa8\x42\x34\x84\x3b\x45\x34\x3d\x9d\xe5\x2b\x51\xaa\xbc\xc6\xfa\xeb\x1c\x55\xea\x2b\xfb\xd9\x93\x75\xe0\x83\x8e\x1a\xf8\xd4\xfe\x9d\xb3\xde\x04\x2f\xdc\x3f\x5b\x2f\x98\x77\x44\x3b\xee\xd8\xea\x94\x89\xe2\x52\x13\x50\x9e\x04\x0a\xa5\x61\x14\x7f\x5b\xff\x32\x24\x34\x3a\x42\x8a\x1e\x57\xb2\x8b\xcd\x03\xa4\x11\x37\x0a\x8d\x53\x16\x3a\x5b\x9e\x2e\x09\xed\x77\xfa\xe8\x8f\x0b\x13\x4b\xc4\x33\x8d\x19\xd1\xe8\x14\x70\x0d\x16\x03\x25\x17\x2a\x8f\x2b\x27\x66\x24\x5e\xb4\xb3\x9e\xe5\xee\x1e\x95\x3b\x0d\xb2\xae\x15\xe7\xe3\x5e\x61\x7f\x78\xc8\xd8\xc9\x2c\x57\x5c\x5a\xa3\x43\xbb\xa6\x6f\xc4\x3e\xb0\x4b\x98\xde\x20\x70\x76\x5d\xa0\x09\xf2\x2a\x85\x80\xfe\x40\xce\x8b\xe0\x08\xd2\xa3\x1e\x0d\x6e\xe5\x98\x88\x24\x06\x70\x51\xe9\x74\x1a\xe8\xab\xe8\x1b\x3d\xce\x83\x81\x09\x12\x1c\xe7\xcf\x65\x9c\x07\xd0\x61\xd3\x17\xa4\x42\x05\x7b\x4d\x70\x9c\xdf\xc7\x38\xe7\x70\x57\xfe\x2f\x38\x2f\xfa\xc1\x71\xab\x09\xa3\xea\x06\x9e\x3a\x50\x54\x30\x9b\x95\x33\xa9\xb9\x85\xa8\x19\x5d\x16\x5c\x3b\xa2\x6f\x73\xd9\x76\xfa\xfb\xd9\xf0\xef\xf3\x98\xfc\xeb\x79\x10\x63\xae\x28\xcd\xec\x14\x2b\xe0\xe5\xdb\x7e\x5f\x36\x49\x97\x81\x48\xd7\xe2\x3c\x03\xff\x2c\x76\x67\x2f\xcf\x3a\xd8\xa3\x45\x19\xad\xc4\xe9\x4a\x70\xeb\x63\xd7\xad\x76\x6b\x1a\x7b\x76\xb3\x6e\x85\xd6\x5b\x3d\xab\xbe\xa1\xb9\x7f\x15\x13\xdc\xce\xa2\x7b\x70\xf1\x8c\xc3\xe2\x05\xb8\x1b\x4d\x79\xd0\xf5\xc8\xe9\xae\x38\xbc\x42\xc6\xac\x03\x06\x3c\xac\xa0\x1f\x39\x3b\x8d\xa2\xc2\x53\xab\xdf\x24\xab\x0d\xd9\x9f\xec\x66\x4f\xc0\x8a\xf5\xe6\xf6\xeb\xbb\x2f\xc3\xe6\xf6\x9a\xdd\x67\x9c\x52\xb7\xb2\xb3\xe9\xcd\x2c\x76\xb6\x8d\xd5\xa8\x30\x3b\x8f\xda\x59\xdc\x36\xcb\xe9\xa8\x73\x02\xea\x94\xa9\x20\x4d\x43\x41\x49\x07\x5b\x83\x04\x8e\x62\x9d\x7e\xc1\xd6\xb8\x5e\xb7\x4a\x0c\x9c\x23\x03\x12\x37\x7a\xdb\xe3\x65\x2e\x62\xf4\xaf\x6e\xb4\xbb\x92\x42\x49\xcf\x1c\x32\x6d\x51\xce\x79\x22\xb1\x54\x39\x6c\xb3\xdc\x6a\x61\xed\x19\xcc\x6b\x7b\x98\x23\xad\x60\x66\x7d\x45\x1b\x0d\x82\xa0\xca\x63\x1f\xf1\x43\x49\x7c\x1e\xec\x8c\x9a\x35\x79\x3e\x4b\x92\xa5\xa8\x7d\x1e\xde\xe7\x73\x59\x67\x2e\xcf\x2e\xf4\x55\x66\x18\x2c\xee\xb0\xda\x26\x1b\x3e\x19\xa2\x84\xed\xa1\xd1\xeb\x56\x01\x05\xec\xe1\x94\x42\x5c\xaf\x1c\x8b\x53\x93\x67\x55\xa4\x1d\xca\xb5\xda\x8d\xfa\xb0\xc5\x37\x0b\x0c\x52\x54\x54\xd8\x58\xf4\xf4\xe1\xa8\xef\x6c\xae\xbf\x7a\x1f\xf3\x73\x11\xa7\x6b\x19\x02\x60\x88\x02\xe3\x9b\x7b\x83\x3f\xdb\x3b\x78\xbd\x31\x77\x63\x5c\xe8\x26\x1a\x69\x46\xca\x89\xa2\x63\xf4\x25\xb4\xdf\x83\xe9\x33\x47\xce\x4d\x05\x0b\x32\x1f\x4a\xb3\x15\x04\x8f\x09\x25\xb3\x5a\x4c\x12\xb3\xb2\xe1\x44\x20\x31\xb3\x3c\x2b\x44\x47\x74\x82\x90\x31\xb8\x7e\x7c\x50\x22\x25\x6b\xb0\x6a\x8a\x85\x92\xc5\x20\x8f\x8d\x9b\x20\x8f\x06\xac\xa3\xa1\x68\x53\x6c\x54\xf2\x44\x44\x94\x8c\x58\x05\xaf\x46\x09\xfa\x60\xad\xef\x75\xc7\xd4\xd4\x53\x5b\xd8\x18\xa3\x23\x1f\x2c\x81\x59\xa5\x40\x96\x93\x18\x55\x05\x14\x14\x4c\x31\x88\xe2\x2d\xc8\x24\x0c\x81\xd6\x68\x3f\x36\x3a\x41\x94\x24\xa1\xd2\x7b\xc8\x16\x67\xf2\x7b\xe1\x74\x94\x25\x5d\xdb\xad\x8a\xf2\x5a\xc8\x7e\xd0\x11\xdd\x5e\x56\x8a\xb4\x1c\xd5\xc9\x7e\x55\xd8\xae\x3a\xf9\x20\xdd\x6f\x2f\x17\x6b\x71\x56\x15\x49\x5f\xb7\x37\x24\xe6\xd2\x6b\x6b\x4e\x17\xab\x5f\xcc\x94\xd2\x99\x2e\x56\xaa\x28\x8f\xd2\x52\x68\xd5\x5d\x5c\x88\xda\x25\xba\x58\x43\x7e\x2d\x80\xd2\x9b\x0b\xc8\x45\x51\x61\x88\xd2\x72\x95\x43\xdf\x60\x6f\xa9\xfb\xb4\x26\xb0\xd9\xa3\xaa\x53\x70\x3a\x35\xd6\x2c\x0b\x3f\xaf\xb6\x4b\x59\xf7\xba\xd3\x73\x55\x21\x9c\x5e\x23\x87\x6f\x2e\x94\x46\x2a\x77\x85\x38\x8d\xbb\xf1\x83\x62\x4b\x5d\x20\xab\x28\x33\x13\x2b\x6f\x76\x30\x1c\xd2\x28\x49\x78\xb7\x2a\x23\x83\x4d\xb1\x9a\xac\xa2\x61\x46\x89\x8c\x55\x29\x8f\x34\x81\xdc\xdd\x83\x84\x1c\x73\x38\x42\xef\xd0\x9a\x72\xc4\xfb\xaf\xed\x62\xbb\x81\x25\xd3\xff\xc3\x5d\xc1\x4b\x76\xcd\xcb\x3f\x2d\x2b\xc1\x3a\xc8\xce\x46\xff\x07\x41\x3b\x32\x34\x8e\xc5\xb8\x95\x2a\xdd\x91\x56\x79\x3b\xca\x05\x59\xee\xd1\x12\xd3\x70\x03\x93\x2a\x68\x3c\x00\xc4\xf5\xab\x8d\xeb\x39\x51\xda\x7f\x0e\x97\x0d\x0a\xf9\x5d\xd9\xba\x58\xa3\x98\x71\xe8\x7d\x9c\xa7\x62\x4d\x9e\x58\xf7\xe8\x9e\xd0\xf6\x00\xbd\x04\xe4\xf6\xa1\x6c\x20\x83\x77\xc1\xa3\xd7\xab\xcc\x36\xab\xa4\x72\xdc\x2f\xc0\x11\xa2\x49\x74\x69\x83\xc9\x45\x5b\x4a\x2f\xca\x1f\x28\x05\x17\xf9\x21\x6a\x78\x92\x3e\xc7\x2c\x44\xaa\x48\x5c\xb5\xa3\x3b\x68\x25\xcc\x5f\x50\x09\x68\x17\xca\x6c\xd3\x8d\x86\x34\x4b\x69\xc9\x54\xd2\xc4\xf0\xe6\xd4\xd3\xf8\x00\x2d\x79\x47\x35\x3f\xcd\xee\x66\x33\x97\xa8\x7b\xcb\xd1\xbb\x37\x2e\x57\xcf\xe8\x19\xc4\x7e\xbc\xc5\x9e\x20\xb7\xcb\xac\x2a\x17\x44\x3b\x4b\x3b\x85\xff\xc3\xda\x11\xfc\xb7\xde\xa2\x73\xab\x1e\x36\x87\x37\x8d\x8d\x44\xab\xd7\x13\x7a\x4f\x54\xcf\x80\xd7\xad\x18\xad\x4d\xc9\x24\xd1\x5b\x7a\xbc\x92\x66\x39\x26\x66\x52\x76\x0f\x73\x1f\xec\x1b\x8e\x53\xb9\x6e\xd6\x58\xb4\xea\x42\x37\xae\x72\x6c\x2e\x89\x72\x5d\x88\x94\x1f\x85\xfe\xbe\xee\x08\x2f\xf0\x63\x9c\xd3\xdb\xba\xec\x58\xfc\xde\xe3\xb1\xab\xa9\x2a\x3a\x9d\x7f\xdc\x0b\x5e\xe9\x9d\xb4\x2f\x39\x06\x0b\x27\x9c\x40\xe4\x79\x96\x5b\x58\x78\xeb\x0c\x52\xa8\x78\x39\x9b\x56\xa3\xb4\x23\x27\xd2\x98\xb1\x16\x99\x93\x77\x06\xfa\x45\x76\x8b\xac\xd4\xe5\x4c\xc2\x7b\xce\x06\xf2\xc6\xbd\xec\x00\x2c\x59\x6a\xee\x4b\xf6\x06\xdf\xdc\x63\x5d\x70\xad\x2b\x52\x43\x82\xed\x26\x40\xdb\x18\xd1\x3e\x59\x32\x65\xda\xce\xba\x98\xcc\x06\xe7\x75\xb3\x74\x30\x2d\x0f\x0d\xd4\xaa\xa6\x1f\xa8\xe2\xb5\x28\x91\x1a\x4e\xc8\xd8\x18\x87\x5b\xc7\xa9\xb8\x48\x67\xa3\x50\x02\x5a\x5c\xea\x13\x47\x7b\x4a\x2c\xcb\x5d\x0e\xfb\x8d\xa3\x67\xc7\x76\x32\x91\x42\x99\xb2\xf5\x49\xbd\x16\x47\x3c\xea\xf5\x8a\xf1\xb5\xa3\xa3\xea\x0f\x98\xfd\x28\x3b\x8b\x0b\xa5\x48\x41\x49\x33\xd7\x97\xaa\x52\x77\x03\xb6\x0b\xcd\x72\x1d\x7e\x4e\xa5\x43\x2a\x8e\xdf\x17\xc8\xc2\x82\x67\xcb\x42\x15\xe6\x5c\x5e\x5d\x3b\x2a\xaf\xe9\x3d\xf7\x38\xbf\x2f\xb0\x9a\x17\x3c\xfb\xdc\xa8\xf5\xd5\x65\xe6\x34\x89\xc3\x77\xd5\x1b\x44\x1a\x00\x6d\x70\x0d\x5a\x00\xf6\xab\xee\xe7\xc1\xce\x8d\x97\x55\x7f\x14\x76\xdc\x74\x82\x26\xcb\x38\x45\x22\x66\xf0\xc8\xa5\xd8\x61\x64\x06\xd1\x19\x97\x64\xcb\xc8\x20\xf9\xa8\x77\x3f\xc8\x94\xdf\x72\xdd\xbf\x24\x54\x88\x11\xd1\x98\xe0\x8b\xd0\xda\xe6\x31\x71\xce\x76\x5c\x11\xf6\xca\xfc\xd2\x08\x3b\x20\x15\x98\x69\x20\x7c\x2b\xfc\x4f\x8f\x04\x1f\x1a\x59\x30\x17\xf0\x80\x1b\x22\xdc\x4b\x9d\x13\x68\xea\x90\x2e\x4e\x2e\xc3\xb6\xd4\xdd\x31\x15\x88\x5e\x89\xc7\xf9\xd9\x14\xcc\xc7\xa3\x7c\x36\x4b\xc5\x28\x70\x1a\xe2\xdf\x67\xd2\xa9\xbc\x3f\x5f\xa5\x46\x1e\x05\x23\x89\x5d\x28\x3f\x7d\x76\x61\x11\xfc\x92\x94\x1b\x1a\x4e\xd7\xb4\x1d\x27\x31\x99\xb5\x21\xfe\x71\x54\x8a\xee\x40\x22\xad\xfa\x55\x8b\x62\xf2\xb8\x42\x69\x39\xe2\xcb\x15\x20\xcc\x8b\x52\xf4\x94\xda\x68\xf6\xbf\xf6\x6a\x14\xa7\xda\xbf\xe1\x34\x42\x7e\x3c\xc6\xcc\xa7\x46\x36\xac\xd2\x0e\x08\xa4\xf3\xea\x78\xd5\x16\x9e\x0e\x7e\x95\xa6\xbc\x34\xa1\xf8\x55\x99\x8d\xe9\x26\xa1\xa4\xdf\xd7\x4b\xc5\x68\x14\xd4\x09\x6a\x14\x9e\xfe\x74\xd5\x87\x10\xd8\x90\x75\x85\xbb\xe7\xd2\x4d\x67\xd3\x7d\xd1\xd5\xec\xc6\x4b\x03\x25\xfb\x9f\xb9\x2a\xf8\x55\x6f\x18\x54\x34\x6e\x60\xef\x20\x7f\xd9\x50\x74\xb8\x52\x38\xe5\x95\x6e\x54\x92\xab\x1f\xfd\x81\x8a\x34\x1f\xa0\xb6\x1c\xdc\x8a\x8a\xa3\xd1\x04\xe0\xab\xe1\x57\x12\x13\x82\xba\x2d\xb9\xd2\x3d\x88\x15\x10\xda\x00\x2f\x1d\x87\xd3\x23\xfb\xd9\xc3\x2d\xb6\x4b\xde\xf5\xff\xd1\x63\x77\x5d\x0e\x24\xf7\x42\x4f\xb4\x83\xf7\x78\xb2\x4c\x8d\x55\x27\xb2\x35\xd3\x45\xf2\x2a\x71\x45\x56\x1a\xee\x6f\x61\x56\x1f\xed\x08\x1f\xd9\xa2\xb1\x28\xed\x8c\x21\x60\x25\x64\xaf\xf6\xe4\x7c\x01\x68\xe3\x8b\x36\x74\x9f\x6c\x37\xda\x20\xb8\xa9\xd0\xf9\x99\x6c\x2c\x64\x73\xae\x26\xab\x0b\xae\xc4\x6c\xee\x34\x66\xf3\x4a\x60\xe5\xa5\xf3\x86\xff\xae\xcd\x1b\xfe\x45\x8f\x3d\xfd\x12\x6c\xbc\x68\x95\x84\xe0\xe4\xd7\x78\x86\x29\x54\x23\xc5\xec\x68\xe5\xc7\x8e\x4b\x5c\x55\xf4\x88\xd7\xdd\x3c\x76\xf4\x19\xfe\x5d\x3a\x76\xd4\x5a\xfa\x3a\x5a\x74\xc8\xd2\x77\x82\x47\x71\x97\x60\xec\x8b\xfb\xd9\x4d\x5b\xea\xb7\xd3\x08\x0f\x01\x06\xe7\x62\x3a\x2d\xf3\xbe\xff\xc6\xfd\x41\x31\x78\x19\xa7\xf3\x7a\x96\x9f\x5f\x4e\xb2\xf5\xb1\xb8\x23\xc5\x29\xb8\xbf\x20\x4a\x7d\x7e\xa3\xc8\x38\x10\x79\x69\xd3\x4d\x94\x2a\x8f\x51\x21\x1c\xcc\x82\x73\x58\xfc\xe8\x3e\xf6\x16\x8f\xed\xc3\xe7\xee\x39\xea\xbf\xfa\xd2\xd8\xe4\x4f\xd2\xfb\xc1\x33\xd5\x5f\x14\x5a\x50\x6a\x2e\xbc\x67\x2c\x9c\x99\xd5\x0d\x26\xcc\x76\x64\x2c\x2d\x1a\x99\x16\xe8\xb2\x80\x54\x22\x64\xf7\xb2\xbd\x78\x96\xe6\xfe\xa9\xe0\x0e\xec\xb0\x9c\xa0\x11\x26\x58\x55\xbb\x7f\xa9\xe3\xf0\xfc\xa5\xf5\x5f\xa8\x9e\x70\x64\x88\xf7\x79\x6c\xbf\xb6\xbd\xf8\xef\xf0\x82\x37\x78\x67\x7a\xb5\xd0\x0c\x95\xac\xd4\x4a\x47\x0b\x67\x7d\x22\xa2\x8e\xce\x6c\xd9\x30\x88\x44\x3e\x84\x8c\xd1\xc4\x40\x2d\x05\xed\x35\x9b\x30\x58\x6b\xf1\x88\x9f\x91\x7a\xdd\xc1\x89\x5e\x2f\xe9\x1f\x84\x71\x3e\x88\xc9\x0c\x5d\x00\xfb\x4f\x7b\x6c\x97\xd4\xba\xfd\xb7\xec\x20\x9a\x66\x49\xc7\xd0\xc4\x5d\x51\x94\x51\x17\xd8\x8b\x14\x58\x56\xf7\x16\x5f\x17\x39\xf2\x0d\xf1\x99\x52\x9d\x28\x84\x83\xb5\xe9\x1c\x9c\x5e\xa3\x2f\x60\x6f\x70\x4f\xba\x97\xb4\x82\x6f\x7a\x1b\x9f\x74\xd6\x01\xe7\xce\x63\xdd\x43\xb5\x99\x8c\xa9\xba\x70\x2a\xc5\x05\x0f\x60\x51\x8c\x53\x69\x01\xbf\xbf\x2a\x4a\x0e\x1e\x10\x18\xc9\xac\x47\xa4\xed\x56\x2b\xa0\x58\xf8\x3a\xc8\xf5\xd5\x16\x45\x11\x21\x26\xa6\xcc\xa3\xf6\xf9\x7a\xeb\x22\xab\x1d\xca\xa1\x11\x97\x96\x6d\xcc\x15\x01\xb5\x36\x53\xcf\x3d\xcd\xb0\x7f\x81\x6d\xe5\x35\x5e\xf0\x90\x77\x52\xff\xd6\xf1\x5a\xb1\x5c\x17\x00\x27\xcf\x72\x2d\x5e\x75\xe2\x65\x0c\x97\x56\x23\xa4\x16\x52\xda\x31\xca\xe3\x22\x00\x25\x4c\x50\x1a\x98\x96\x29\x84\x47\x07\xfa\xc0\x14\x3c\x6e\xad\x36\xbb\x89\x3f\x33\xc1\xb6\x7b\x1a\xf8\x5f\xff\x9e\x20\x31\x3f\x31\xa5\x16\x9d\x0e\x08\x89\x4d\x12\x0b\xc4\x63\x2c\xa6\x1a\xe0\xae\xc4\x68\xd2\x45\x5d\xfc\x26\xb9\x8c\xe4\xb3\xb8\xa8\xdc\x6d\xec\x1f\xee\x60\x6f\x1f\xb1\x73\xe8\xbc\x6e\x24\x78\xf1\xc8\x96\xb3\xe8\x00\x25\x59\x53\xfe\x1c\xae\xe1\xa6\x8e\xdf\x5b\x68\x4b\x80\x92\xa2\x02\x0a\x6c\x0a\x6c\xc0\x04\x58\x39\xf4\x0d\x25\x2b\x46\x69\x96\xca\x09\x52\x93\xe3\xc0\x99\xe0\x7c\x33\x46\x4f\x53\xfc\x27\x2a\x65\x04\x96\x28\x33\x27\xd1\xd0\x18\xce\x53\x10\x7d\x32\x07\x92\x87\xf3\x26\x2b\x84\x05\x84\x45\x5d\x0d\xbe\x2a\x64\xac\x31\xfa\xb7\x41\x7e\xd9\x2e\x8d\x80\x6e\x9d\x23\x81\xfc\x97\x16\x1b\xa9\xe2\x8e\xff\x9f\x5a\xc1\x5b\x5a\x67\x67\xa6\x54\xa7\x10\x16\x51\x1e\x01\x31\x65\x58\xc5\x4f\xb3\x09\xc2\x6c\x48\x18\x2c\x58\x83\xab\xa6\xa8\x39\x03\xbf\x24\x94\x9b\xd4\xa0\x75\x78\x00\xce\x1c\xbd\x94\xf5\x2e\x43\x0e\xde\x14\xbb\x1f\x2c\x6d\x26\xe9\x40\x96\xf2\xb9\xb3\x8b\x96\x07\x20\x64\x6c\x4e\xa5\x03\xd4\xb5\x11\xb1\xd1\xbc\x88\x3a\x63\x72\xad\x6d\xbf\xbf\x6c\xda\x85\x2a\x76\xe5\xb6\x8f\xb7\xd8\x01\x18\x11\x6c\x81\x14\x7d\x5f\xdb\x9a\x30\x17\xe8\x30\xac\xd2\xa2\xcc\x2b\x90\x91\x3a\xc0\xd4\x49\x56\xd9\xa8\x07\x39\xf2\x15\x48\x23\xaa\xed\xaf\x2a\x8c\x4f\xee\x69\x7d\xb0\xce\x80\x1e\x50\x66\x19\x42\xdf\xe0\x5d\xe8\x24\x9d\x2d\x2b\xca\x97\xe2\x32\x97\x3b\xa5\x91\xf0\x16\xa5\xae\xaf\x3c\x4d\x0f\x54\x22\xef\x83\xa5\x04\x86\x52\xfb\x49\x7b\x9a\x0d\x00\x0e\x1b\x4c\x69\x00\x78\x5c\xb2\xbb\x6f\xbb\xdf\xac\x7e\xd9\x88\xc6\xe9\x2d\x2d\x76\x80\x7c\x1b\x72\x57\xf0\x5f\xd1\x0a\xfe\x9f\x01\xd4\x9a\x72\x7e\x98\xd4\x5a\xda\x4d\x99\x64\xe9\x8a\x3a\x73\x30\x2e\x4a\x59\x6d\x3b\x98\xa4\xb9\x8a\x8b\x55\x6b\x57\x43\x23\x87\x4a\x05\x8f\xa0\x03\xb3\x83\xa4\xd6\x46\x4e\x95\x16\x61\x2d\x01\x22\x90\x48\x82\xc4\xd7\x47\xe4\x5b\x0e\x58\xec\x34\x5b\x87\xd2\xe4\x36\x8c\x73\x3c\x2e\xf8\x4a\x06\x82\x4e\x46\x26\x7d\x48\x69\xa8\x89\x9b\x29\x1b\x5c\x96\xab\x14\xcb\xa4\xaa\xb8\x5e\xb0\x11\xf6\x64\xb5\x3c\x16\x95\x50\xe0\x7f\x69\xe4\xd2\x65\x8c\x1f\x1f\x99\xac\x97\x47\xb4\x19\xfa\xe7\x80\x9a\x46\x5f\x84\xa4\xf8\x28\x8d\x18\x4d\x6d\x3d\x2a\x8c\x40\x45\x27\x76\x93\x53\x93\x3e\x7b\x35\xea\xf5\x44\x5a\x8c\x11\x1b\x24\x3a\xcd\xa2\x76\x9e\x15\x05\x2f\x44\x2f\xca\xa1\x53\xcc\xb2\x26\x7e\x56\xd4\xfe\x54\xe7\x97\x3a\x46\x4d\x55\xa9\xdb\x8c\x12\xeb\xfc\xc9\xc9\xeb\xae\xbb\xee\x16\x38\x87\xd5\x46\x12\xa7\xfc\xec\xe2\xe4\x16\xf7\x89\xd9\x0a\x79\xc1\xc0\x54\xfc\xe8\xeb\xd4\x6a\xbd\xb2\xdf\xde\x2b\xa5\x90\x14\x62\xaf\xf2\xc2\xff\xfc\xde\xe0\xa5\x7b\xd5\x59\x80\x27\x1e\x75\x9c\x8b\xde\x43\xf8\x49\xc7\xe8\xc4\xe4\xf5\xea\x53\x04\x9b\xd0\x2a\x8c\x23\x9c\x2b\xf9\x05\x23\x05\x50\x02\x69\x67\xdd\x5e\x96\xc2\x19\x0a\x20\x1c\x79\x30\x61\x1c\x22\x29\xdb\xb2\x24\x5d\x8f\xec\x1e\x8d\x26\x84\x56\x38\x33\x2b\xab\xc3\x0c\xd3\x2c\x1d\x03\x34\xba\x2c\x27\x16\x85\x8b\x48\x6e\x03\x2e\x22\x21\x1b\x2a\xc5\x3e\x9e\xd4\xdd\xa1\xf6\x44\x02\x02\x10\x10\x9f\x1e\x54\x49\x02\x61\x46\x85\x9c\x9f\x81\x99\x15\x17\x7c\xf6\xcc\x22\x17\x29\x70\xbc\x75\x6c\xf1\x30\x4e\xcb\x3c\xeb\x54\x72\x5b\x28\xe2\x95\x14\x8c\x66\x69\xc9\xf3\xb8\x38\x0f\xb1\x3b\x65\xd5\x3e\xcf\xcd\x58\x84\xd6\xdf\x64\xdb\x40\x4c\x3e\x6c\x0d\xa3\x50\x77\x04\x90\x1b\xd8\x64\xac\xd4\x2b\xf2\xab\xc8\x39\xcf\x63\xd3\x5b\xba\x38\xed\x71\x32\xdf\xa5\xdc\xc9\x1a\xb5\x1f\xa3\x83\x41\xe9\x37\x11\x2f\xe2\x52\x41\x37\xec\xa4\x83\x66\xf4\xec\x31\x55\xe3\x8c\x2a\x9f\xa9\xd8\xc6\x93\xc7\x85\x8e\x50\x46\xc3\xaa\xec\x94\x28\xe1\x87\xac\xf4\x44\xa3\xe6\x1c\x52\x16\xf0\x2c\x47\x3c\xc8\x61\xd9\x7a\xd9\x9b\x64\xf4\x1e\xde\x90\xc8\xfe\xf2\xa8\x74\x9b\x31\x4a\x68\x0a\xe2\xde\x8b\x20\xae\x35\xc9\xda\xe7\x43\x7e\x2f\x79\xb4\xf5\x58\x42\x0f\x41\x7b\xcd\xc0\xc8\x93\x6e\x39\x17\x80\x17\xa1\xbd\xa5\x2b\xcf\x08\xd0\xbb\xbb\x85\x48\xd6\x28\x76\x40\x1d\x89\x6b\x55\x22\x65\x14\x82\x98\xe8\x22\x51\xcc\x28\xec\xa6\x6d\x80\x0b\xdf\x46\xb2\xab\x9f\xdf\xcb\xae\x52\x62\x11\x1c\x79\xef\xdc\x1b\xbc\x71\xef\x9d\xd6\x15\x15\x5e\xa0\xa8\x5e\x90\x19\xc7\xe5\x44\x50\x48\xfd\x32\xd3\x32\x96\x1b\x88\xca\xcf\xcc\x9e\x7a\x16\x9f\x39\x09\x4f\x43\xa9\x38\x8c\xab\x51\x41\xfe\x34\x91\xea\x94\xfa\x0d\x11\x23\x18\xa8\xa6\x61\xd9\xb9\x28\xab\xdc\xca\x24\x4d\x56\x36\x25\xb5\x9a\x63\x13\xa0\x4d\xfa\x35\x8c\x30\x1d\x8c\x29\x56\xf9\x0d\xda\x59\x77\x09\xc2\xdf\x48\x02\xa2\x0f\x80\xa4\xc1\x17\x28\x4d\x93\x4a\xfb\x8f\xaf\xaf\x12\xd3\x28\x9c\xe1\x56\x9c\x02\x78\xcd\x38\xdd\x34\xdf\x6b\x0c\xa6\x4b\x82\x97\x79\x95\xb6\xed\x7d\x3f\x11\xe9\x4a\xb9\xaa\x99\xd3\xa1\x56\x47\xb4\xef\x46\xa4\xa5\x62\xe5\xd4\xbc\x2c\xb5\xc6\x00\x10\x5a\xb5\xce\x33\x5e\x5b\x6d\x17\xd2\x82\x30\xf4\x8b\xb8\x20\x4f\x95\x51\xfb\x70\x85\x7e\x91\x5b\x15\x76\x35\x8f\xf8\xf5\x47\x6e\xe1\x63\x0a\x31\x03\xf8\x6b\x78\x86\x90\x8d\xf4\xd8\xb1\x23\x47\xf9\x24\x25\xc0\xca\x72\x7e\xc3\x91\x23\xd8\x97\xf3\x22\x2a\xb2\x94\x4c\xa7\x84\x5d\x50\xb8\x39\x80\xe6\x38\x93\xa5\x6d\xfb\x59\x97\xb3\x2a\xd5\x66\x1f\x94\xfb\x93\x24\x2b\x75\x9a\x6d\xdb\xca\x8a\x12\xa4\x14\x40\xfb\xfc\x90\x9a\xb1\x49\xdf\x82\x82\x41\x01\x0a\xb0\xa7\x8b\x9d\x97\x6f\x8c\x21\x38\x62\x55\x44\x1d\x91\x1f\x0e\x19\x9b\xa0\x64\x0d\xca\x25\xae\x56\x83\x43\xdc\xfd\xa8\x9f\xc5\x1a\x7a\xd6\xee\xdb\xa2\xd8\x0b\x5b\x6c\x0f\xa2\x1d\xfd\x7f\xf0\x82\x2f\x7b\xa7\xa3\x1e\x1e\x13\xb0\x5f\x9c\x17\x7d\xdc\x57\xc8\x86\x34\x10\x5c\x06\x9b\x0b\x04\x35\xa0\xd8\x29\xbb\x63\x25\xcb\xe5\xcf\x43\xa0\x3e\x92\x3f\x35\x01\xa4\xa7\x91\xbb\x23\xe5\xa9\x33\xd9\x81\x0d\x49\x8c\x0a\x69\x2f\xf3\x0c\xd3\x63\x63\x19\x10\x43\x7a\x09\x42\x3b\x7e\xde\x46\xf2\xfa\x9f\x7a\x6c\x5f\x21\x92\xe5\x53\x71\x7a\xde\xff\x8a\x17\x7c\xde\x5b\xa0\x5f\x78\x24\x9e\x9d\x3f\x55\x17\x1f\x2d\xf5\x70\x0b\x82\x17\x63\x53\xd3\x73\xf3\xd3\x93\x13\x8b\xd3\x53\x36\xa5\x19\x82\xd2\xcb\x0c\x42\xd4\x7b\xd1\x4a\x64\x4a\xd7\x84\x5a\x47\xc3\x63\x47\x78\x2e\x12\x11\x15\x42\xcf\x54\xbd\x28\x7b\x49\x94\xa6\x5a\x1a\xb5\x84\x86\xa3\xe1\xb1\xa3\xea\x35\x47\xf8\xfe\x2b\x8f\x7d\x87\x12\x69\xee\xcc\xa3\xb6\x98\x13\x79\x0c\x59\x55\x00\x1d\xf4\x05\x4f\x71\xc8\x7c\xd8\x9b\xd5\x08\x3b\x02\xcf\x68\x95\xb5\xa6\x23\xc3\x8e\x2d\xcb\xc2\x40\x1b\x4d\x3f\xa2\xc4\xba\xd8\x6c\xaa\xaa\x89\x5a\xd6\x52\xbd\xa5\x08\x6a\x51\x16\x1f\x14\xba\x54\xb8\xab\x4e\x0f\xa4\x44\xaa\x62\x35\xcb\x4b\x91\xca\x35\x64\x7a\xdc\x25\x31\x3a\xc0\x9e\x3c\x50\xa0\xff\xca\x03\x97\xae\x6f\xfc\x1a\x9b\x6a\x6a\xe0\xfc\xc9\x49\x0e\x12\x7a\x47\xf1\xae\xe1\x4e\x53\x6a\x59\xc6\x36\x38\xea\x73\x06\xc5\xdc\xba\x4e\x46\x3a\xb2\xbd\x9b\xca\x9e\x89\x74\x4f\xeb\x4e\x42\x55\x01\xf4\x2c\x33\x0b\xe5\x0a\x18\xb5\xcd\x0d\x9d\x38\x17\x00\xc4\x29\x44\x89\xc0\x02\x14\x69\x60\xd3\xc3\x63\xc9\x78\x89\x0b\x8a\xe3\xd3\x53\x4b\xc9\xe2\x87\xd2\x8c\x4b\xfd\x54\xe4\x7c\x2d\x26\xf1\x47\x0e\xa5\x83\x42\x21\x22\x7b\xc8\x38\xa4\xb3\xfe\x2f\xa1\x5d\xeb\xf0\xe0\x36\x6a\xcd\xf8\x51\x44\x10\x3b\x92\x64\xa1\x45\x39\xb4\x23\xf1\x89\x02\x9a\xa0\x0e\xc6\xfa\x83\x9a\x45\x06\xf8\x56\x47\x9d\x6e\x5a\x92\x52\x97\xec\xeb\x33\xaa\x9a\xc6\x99\x46\x89\x11\xf5\xf9\xae\xd4\x34\x30\xd6\x51\xfe\x23\xd2\xfe\x14\x3a\x56\x27\x69\x47\x60\xc4\x28\x8f\x12\x29\xd9\xad\xac\x22\xca\xd2\x9d\xaa\xdc\xa8\x28\x94\xf3\x00\x1f\x50\xbd\xdc\xcb\xe3\x2c\xd7\x26\x7f\xd9\x4d\x35\x98\x4e\x84\x09\xf5\xd0\x69\x4a\xe8\x17\x30\x7c\x62\xb2\x03\xa3\x3b\xc5\xa9\x83\x89\x5b\xac\xa7\x92\x92\xe3\x53\x22\xfe\x1d\x83\xaa\xad\xf9\x65\x53\x8c\x90\xdc\x5c\xcf\x1c\xa4\x65\x49\xc8\xc6\xa3\x70\x81\x51\x69\x55\xda\x90\xbf\x4a\xd6\xc5\x23\xbe\x1a\xe5\x9d\xa6\x4a\x0e\x2d\xcc\xdc\x79\xf7\xcc\xa9\x53\x87\x07\xaa\x43\x21\x17\x6a\x69\x27\x22\x4a\xab\xde\xa8\xad\xc6\xc9\x6f\xd7\x1b\xcb\xc4\xdc\x0c\x78\x42\xe1\x06\xec\xdd\x6d\x30\xbe\xa4\xa2\x5c\xcf\xf2\xf3\x80\x1e\xc7\x85\x3f\xea\xec\x65\x10\x2a\x50\x82\x50\x22\x05\x1a\x3d\x5d\x6d\x0f\xc6\x28\xaf\xd2\x12\x62\x32\x01\xf4\x92\x22\x16\x33\x03\xea\x3b\x32\xcb\xc3\x28\x22\xb4\x5b\x9e\x98\x1d\x81\x1f\x2a\xdc\x71\x97\xf3\xde\xdd\x33\x3b\x26\x71\xa3\x9c\x84\x83\x8b\x3d\x1b\x88\x56\xd1\xa2\xaf\xde\x04\x86\xdb\x03\xb6\xb6\x89\x6c\x64\x5d\x7c\xd4\xac\x04\xaf\xf5\x18\x33\x8c\x64\xfe\x43\xfa\x24\x4a\x27\x78\x21\x5b\x26\x07\x90\x50\xdf\xce\x71\x1c\x99\x64\x7c\x36\xa3\x99\x52\xdf\x91\x8b\x0e\xe0\x57\x5b\x3a\xad\x9d\xb3\xe3\x1b\x23\xec\x89\x90\xef\x53\x33\xed\x16\xfe\x1f\x8e\x04\x1f\x69\xa9\xec\xe6\xca\xd6\x8d\xac\xf1\x16\x81\x9a\x15\x51\x3c\x71\xea\x94\x7e\xce\xd6\x4e\x21\x7c\x06\x46\x8e\x96\xab\x3b\x13\xd5\x01\x51\x23\x34\xb2\x55\x1b\x63\x83\xb0\x28\x01\x22\x4b\x7a\x22\x5d\xdb\xa6\xdb\x30\x96\x09\xa8\x80\x50\x06\x99\xa1\xd4\x52\x6f\x5a\x24\x0e\xea\xa2\xe5\x93\x02\xbf\x55\x25\x94\x0b\xc8\xf8\xa5\x5c\xce\x74\xed\x1a\x35\x85\x38\x3a\xe7\x34\x9b\x64\x13\x97\x82\x0d\x70\x06\x65\xeb\xba\xea\x23\xde\x77\x6f\x92\xec\x79\x8f\xbf\xab\x8a\x3b\x8c\x3d\xb4\x8b\x5d\xdd\xb5\xbd\xad\xfe\x5f\x8f\x04\x6f\x1a\x71\x1c\xb0\x1c\xf2\xb4\x5a\x0e\x74\xdb\x3b\x66\x48\xee\x61\xa6\x90\x17\x4d\x73\xb6\x38\x24\x0e\x10\x19\x86\xa5\x18\xb3\x6f\x37\x2b\xe4\x81\x2d\xa5\x2d\x0d\x99\x59\xcd\xaa\x42\x9c\x17\xa2\x17\xa7\x2b\x78\xcc\xa2\xbb\xca\xf8\x27\x50\x7f\x49\x0f\x96\x1a\x61\x47\x27\x56\x95\x76\x44\x0e\xb0\x09\xeb\xc4\x0d\xf9\x84\xf1\x63\x93\x6c\xaf\xe4\x87\x83\x05\x1c\xd9\xa3\xce\x8c\xd2\x17\x33\x13\xfe\x4b\x51\x47\x6a\x15\x62\x4a\xdd\x5e\x54\xae\xa2\x4b\x34\x68\xc7\x63\xed\x4e\xa0\xd3\x1e\x5b\xbd\x11\x6b\xb2\x23\x95\xe9\x58\xf5\x9d\x82\x15\xe8\xc6\x81\xc6\x51\x33\xe5\x9b\x9d\xd0\x99\x54\x33\xec\x4e\x36\x7d\x09\x93\x6a\xd0\xb9\xce\xfe\xae\x45\xb1\xe7\x7f\xde\x0a\x7e\xbb\x35\x3b\xe8\xb7\x33\x09\x3c\xb5\xd1\x1d\x38\x9c\xb4\xca\x0d\x4d\x46\x7b\x37\x20\xad\xc9\x6c\x6f\x49\x08\x45\xd6\xb5\x59\x20\xba\x90\x2c\x51\x7e\xb2\x12\xcf\x20\x7c\x51\x9f\xf3\xa2\xb6\xcd\xc9\x53\xa8\x27\x35\x88\x3c\x96\x72\x27\x3a\x01\x6c\xe7\x70\xa8\x95\x4e\x4c\xf3\x17\x03\x0a\xd7\xe2\x4d\xd2\xce\x2a\xa3\x26\x92\x42\xe7\x60\x13\x4d\x7f\x5e\x16\xb7\xdd\x86\xec\xdf\xaf\xd9\xcd\x9e\xa8\xba\x44\xf9\xf5\xff\x69\x57\xf0\x97\xbb\x26\x52\x9e\xf5\x22\x60\x13\x01\xd9\xac\xc4\x08\x19\x87\x45\xca\x00\xcc\x6a\xde\xfe\x5a\x0c\xa3\x56\x64\x97\xfa\xd4\xd3\xe0\x85\x32\x87\x35\x8c\x9d\xda\xba\x61\xbb\x56\x14\x9c\xa0\x83\xa8\xd7\x65\x1f\x66\xbd\x32\xee\xc6\x45\x19\xb7\x65\xaf\xa1\x3b\xbc\xdd\x1f\x55\xbe\x3d\x59\x26\x90\xd1\x19\x7b\xc3\x3a\xa8\xc0\x06\xed\xe1\xa6\xc1\x82\xbc\x80\x0e\xbd\x8c\xed\x37\x90\x53\xb0\x94\xa3\x46\x20\x0a\x05\x12\x2e\x54\xe7\x40\x6a\x6a\xe4\x42\xab\x52\x13\xe8\x06\x40\x83\xcc\x36\xf5\xa0\x33\xad\x6b\x69\x54\x88\x1b\x41\xab\x26\x48\x49\xed\x2a\x89\xf2\x8d\x5b\xb6\x35\x07\xc4\x3d\x4e\xe8\x46\x49\x26\x1e\xd3\x68\x6b\x18\x64\xfb\x1f\x75\xd9\xc3\x1a\xa8\x31\xda\xe1\x00\xd4\x09\xc1\xa8\xc5\x80\xb5\xe4\x33\xfb\xd8\x35\x36\x94\xb3\xd7\x2b\x20\x09\x03\xda\x2d\x16\x04\x31\x52\xf9\x6f\xdf\x17\xdc\x51\xbf\xb8\x51\x9a\x28\x45\x78\x66\xde\x09\x2f\x7a\xfb\x14\x67\xae\x03\x3e\xf8\xd4\x5e\xf6\x25\xc8\x12\x43\x64\xbc\x9f\xd5\x64\xbc\xef\xf7\xea\x34\xbc\x16\xd5\x6b\xd2\xe7\xd9\x12\x3a\x43\x07\x49\x79\xb7\xcd\x3c\x29\xb7\xe4\x24\x8b\x3a\xc8\x41\x49\x66\x9a\x71\xcb\x7c\x63\x2e\x8f\x5f\xb3\xbe\x1a\x95\x63\x71\x31\x16\x8d\x35\x3e\xe0\x26\xd0\xf6\xd8\x93\x75\x46\x33\x4d\x38\xdc\x53\x9f\x78\x9f\x4b\x5c\x69\x72\x9f\x69\x7a\x61\xc8\x8a\x83\x27\xa6\x8e\x1e\xed\xc6\xa9\x9c\x82\x7d\x32\x71\x1c\x36\xd6\x0b\x05\x95\x2e\x44\x8d\x21\xfc\x1b\x2e\x83\xf6\x9f\x78\xc1\xec\xbc\x3b\x7c\x84\x64\x35\x4d\x40\x02\x5d\x93\x81\x31\xb2\x4b\xb7\xe8\xf3\x50\x0e\xb5\x0f\xab\x9b\xd9\x8d\xec\xfa\xe1\x78\xe1\x81\x49\xa6\x99\xae\xa5\xd0\xb3\xb1\x28\xb3\xd7\xdf\x5d\xf6\x7b\x52\xe8\xd9\xb2\x29\xff\x65\x1e\x7b\x0a\xa8\x24\x10\xe7\x6c\xd1\x3e\x17\x6a\x14\xfe\xfd\xe2\x20\x37\xb1\xa1\xfa\xa4\x68\x70\x87\xb6\x8b\xae\x91\x44\x2e\xb5\xb4\x52\x74\x7b\x89\xc5\xb7\xad\x06\xb0\x3e\x10\x3f\xd4\xc8\x73\x1c\x2b\xcd\x60\xf1\xcc\x20\xcf\x71\x2e\x96\x13\x15\x69\xd0\xa0\x0f\xd4\x17\x05\x41\x04\xac\xa5\xe7\x34\xe0\x7b\xd9\xd5\x30\xa5\x74\x37\xdc\xa9\xba\xe1\x98\xdb\x0d\x38\xf1\xf4\x44\xdc\x7c\x8e\xbd\x7c\x97\xb3\x99\x0c\x23\x5b\x93\xda\xc6\x3b\x3d\x15\xd5\x9f\x2b\x84\xd0\x00\xfd\x5a\x03\x51\x9c\x32\xea\x80\x1c\x82\xf1\x3c\x8a\x2c\x59\xca\x9f\x13\xb3\x53\x0a\x2e\xb8\x98\xf5\xb2\x24\x5b\xe9\xdb\x15\x23\x1c\x51\xc7\x0b\x80\x6f\xb0\x5a\xa2\x8d\x1f\x1c\x12\xb5\x96\xba\x28\xa9\x9f\x6d\x41\x8e\xb6\x3a\x77\x86\xff\x02\x2f\xb8\xd1\x64\x94\x73\xbf\xc3\x69\xea\x12\x7e\xe5\xc1\x42\x85\xe3\xdb\x6b\xe6\x36\x76\x9c\xdd\xbc\x2d\xe2\xba\x79\x53\x36\x7b\x8d\x47\x51\x74\x24\xd7\x5f\x42\x9b\x34\xc4\xf3\x72\xb5\xe9\xab\xfb\x1d\x6a\x3a\x4a\xf0\x43\x79\x61\x10\xb6\x31\x9f\x25\xe2\x44\x0c\x66\x1a\x48\x1c\xf5\xbe\xfd\xc1\x87\xbc\xe6\x7b\x4d\x79\xa4\x06\x9f\x84\x20\xc9\x5e\x2e\xb4\x17\x63\xed\x68\x78\xf4\x26\x88\xf9\x8e\xd6\x32\x9c\xd6\xc3\xf2\xdd\x8c\xaf\x1d\x6d\x28\xf1\x14\x78\x3b\xe5\xd9\x4d\x34\x01\xca\x58\xb8\x44\xf2\x86\xaa\xe6\xd8\xb1\xb0\x31\xa5\xd5\xef\xed\xb9\x12\xb6\xb0\xd3\xb0\x85\x07\x55\xaa\xa9\x07\x82\xef\x6e\x48\x35\xd5\x30\x0f\xb6\x3e\x8d\x37\x99\x97\x57\x42\x26\x76\x10\x32\xf1\x18\xe5\x72\x7b\xc4\x7b\x70\xf3\xb8\x85\x7b\xfd\xb3\xdb\xc8\x79\xd5\xbc\x11\xb8\x19\xb0\x28\x88\xe1\xa3\xfb\xd9\xbd\xe6\x5b\x4c\x7c\xe6\x98\x06\x99\x99\xcf\x72\x1e\x00\xc6\x62\xc8\x93\xa3\x48\x38\xa7\x74\xf7\x90\xdc\xfd\x7b\xfb\x82\xf9\x8d\x1f\xb1\x58\x56\x28\x86\xc4\xc8\x20\xc3\xde\x74\xf6\xa7\x7f\xde\xcb\xde\xd9\x72\x84\xc3\x37\xb4\x82\x59\x3b\xbb\x0a\x55\x40\x65\x4b\x39\xc0\xd2\xa1\xa2\x02\xd8\x11\x51\x40\x1c\x5e\xa1\x59\x8d\x09\xbb\x9f\xad\x0e\x9b\x09\x97\xa9\xf7\x1c\x81\xf2\x3b\x06\xa9\x74\xbb\x51\x4f\x4a\x93\x85\xbf\xdf\xdf\x3b\xc6\x49\xa0\xe4\x43\x49\x77\xf7\xf8\xbb\xba\x51\x8f\xb1\xdf\x1a\x61\x4f\x40\x2c\xa8\x26\xa0\xfc\xe5\x91\xe0\xdd\x23\xee\x35\x74\x18\x01\x16\x59\x53\x24\xca\x4d\xca\x69\x2b\x09\x98\x10\x22\x00\xdc\x0c\x1a\xdc\x1d\xf2\xc5\x3c\x6a\x9f\x37\xb1\x17\x86\x89\x11\x53\x49\x45\xbc\x1b\xaf\x90\x08\x08\x16\x29\x20\x67\x45\x88\xaa\x7e\x36\x4e\xb9\x28\xdb\x24\x0c\x69\x0f\x5c\xb7\x42\x3f\x19\x90\xec\x9a\x52\x2c\x6b\x68\x3b\x4a\xb9\xec\xc5\x62\xd5\x79\x02\xb8\xa6\x31\xe4\x5a\x19\x20\x0e\x89\xb4\xa8\x72\x64\xad\xe5\x59\xd2\x71\x80\xd7\x89\x58\x06\x18\x21\xf1\xd1\x1e\xd6\x26\x82\xd4\xf6\x6e\xe4\xa2\x28\x07\x58\x30\x69\xf3\x23\x8b\x6e\xc8\x75\xb7\x5a\x2e\x2b\xc7\xe7\x7a\x4e\xce\xc0\x50\xbd\x7f\x8e\xaf\xaf\xc6\x90\x58\x4c\xf4\xc9\xdf\x61\x5b\x88\x37\x62\x8d\xfc\xba\xc7\xae\x8e\x20\x4a\x59\x74\x00\xfc\xee\xff\xbe\xc7\x3a\x8f\xf2\x54\x85\x8a\x82\x07\x9d\x7a\xa1\x0b\x95\x25\xd2\xb2\xaf\x46\xed\xb2\x02\x83\x28\xc6\xc7\x28\xc0\x02\xd4\x0d\x21\x0f\xd9\x9a\xdc\x44\x8d\xfd\x63\x38\xe6\x07\x66\x08\x74\x1c\x7b\x3d\x63\x53\x5b\x60\xe4\xa8\xf3\xc3\x3a\xcc\x1f\x20\xbd\xfd\xca\xfe\xe0\xee\xcd\x1e\x72\x0f\xee\x8d\x9e\x6e\x96\xa6\x7e\x7f\xef\x15\x69\x6a\xa7\xd2\xd4\xab\x3d\x25\x4e\xbd\xd8\x0b\x9e\x76\x6a\x2b\x63\x61\xaf\x9a\x79\x36\xc7\x66\xb7\x4d\xe8\xb2\xe1\xf4\xb9\x22\x64\xed\x40\xc8\xfa\xbc\x1d\x97\xfa\x8b\x97\x16\x81\xa8\xc5\xac\x17\x7a\x5a\xce\x82\x45\xfa\x98\xc5\xa0\x5a\x1f\xf7\x88\xf7\x42\x6f\x73\x79\xee\x39\xfe\xb3\x4d\x1c\x6a\xe3\xa4\xab\x89\x74\x9b\x6d\x4d\xf5\xf4\xa6\x3f\xcf\x9c\xbc\x50\x0d\xb6\xd1\x9e\x68\xfb\xaf\x66\xc1\xf5\xee\xa5\xe6\x10\xff\x06\x73\xa8\xd2\xc8\xdd\x0c\xc8\xfb\xd9\x43\x2d\xf6\xc4\x9a\x89\xcf\xff\x4b\x6d\x15\xfd\xb2\x77\x3a\x4e\x6b\x64\xea\x0a\xcd\x24\x25\x01\x62\x53\xe0\xa9\x58\x4f\xfa\x0a\xf2\x0f\x26\x2a\x13\x48\x82\xa6\x1d\xc5\x3d\x05\x70\x6c\x4c\x4e\x65\x70\x09\xed\x3c\x2a\x56\xc1\x23\x07\xce\xba\x92\x50\x33\x16\xa9\xa1\xb6\x14\xba\x7c\x13\x47\xf8\x21\x59\x99\x66\xbe\x6b\x78\x81\x47\x05\x2f\xb2\x2c\x95\xff\xc6\x14\x17\x10\x75\xfa\x87\x1d\x6b\xd2\x4f\xb6\x2c\xa3\xf0\xeb\x34\xc5\xd3\x3f\x0f\x18\x85\xed\x74\x3d\xe8\x19\x37\x66\x60\x93\x75\x92\x32\xfd\xd7\x63\x4e\x14\xd9\x92\xb8\x40\xc9\x0d\x1e\x14\x79\x86\x4e\xc8\xd4\xc2\x32\xda\x1f\x78\xf4\x5b\xc7\xba\xfc\x4f\x2d\xa6\x67\x91\xff\x57\xad\xcb\x40\x3b\xfa\x9f\x5a\x36\x25\x68\x44\x74\xa9\x10\x90\xc4\x33\x90\x53\xb5\x71\x94\xa6\x93\xc9\x9c\xe9\xf0\x74\x84\x48\x2b\xd9\x8c\xb8\xb4\x52\x6e\xda\x8c\x6c\x4b\x96\x63\xde\xc0\x0e\x6c\x7b\x23\x9f\x29\xeb\xf9\x3a\x6d\xe3\xab\x31\xad\x6d\x77\x88\xb6\xc4\x28\x7b\x0d\xfc\x3b\xa6\x21\x9e\xec\x47\x5b\x6c\x9f\xaa\xdb\x7f\xf1\x56\x12\xcb\xcf\x65\x9d\x45\x7a\x01\x58\x41\xbe\xe0\xa9\x9f\x6a\x3a\xdb\x0e\x3d\x37\xe9\x26\x7c\xa9\x0e\xf6\x90\x9d\x45\x8b\x3b\x06\x5a\xe2\x6a\x79\x39\x6e\xc7\x08\xe5\xa7\x15\x22\x85\x46\x74\xd3\x0d\x01\xe4\x5e\xa6\x59\x7b\x4d\x2f\xeb\x8c\xa9\x8e\x60\x5f\x6e\xb1\xa7\x6d\x92\x44\x87\xd4\xdb\xf7\xb6\x82\xdb\x06\x2f\x6f\x39\x83\x8e\x6b\x9f\xfd\x7d\x8f\xfd\x8e\x27\xd7\x06\xe6\xe7\xf9\xa2\x17\xbc\xcc\x53\x39\x79\x8c\xd4\x69\x65\xe4\xaf\xa5\x9e\x51\xd1\x17\x6e\x15\x52\x1b\xdb\x6e\x5a\x1e\xd4\xdb\xdc\xe2\xb7\xe1\x20\xd9\x20\xeb\x10\xfb\xec\x2e\x36\x6a\x3d\xea\xe8\x18\x68\xc2\xa2\x27\x4f\x44\xed\xf3\x22\xed\xf8\x17\x77\x05\x53\xee\x25\x3b\x89\x43\x92\x68\xf1\x47\x25\xb6\x58\x89\xd7\x44\xaa\x3f\x0e\x9c\xae\x59\x5e\xcb\x2c\xf4\xc9\x11\xf6\x0d\xf0\xd9\xa1\xe8\xe5\xff\x99\xc7\x8e\x6f\xfa\x39\x8b\xfd\x9e\xe8\x9c\xca\xda\x51\x52\xcb\xf4\x1d\xbc\xdb\x9b\xb7\xe0\x63\x51\xca\xf5\x03\xb6\xe2\x69\xc1\x8c\x0d\xda\xcc\xd2\x68\x20\x38\x90\xb4\x49\x35\xee\x16\x64\xc9\x46\xa8\x59\x69\x15\xe9\x43\x67\x55\x9c\x61\x61\x92\xfb\xe2\x4e\xa3\x68\xcd\xf4\x61\xc0\x66\xd8\x01\xeb\x2d\xff\x78\x30\xb6\xe0\xd0\x0c\xa6\x83\x99\xc4\xdb\x42\x97\xec\x60\x97\x9f\xa7\x8b\x82\x4c\xd9\xe9\x56\x49\x45\xaa\x32\x4e\x42\x39\x68\x65\x1e\xce\xa4\xe5\x99\x7c\x01\xca\xab\xb7\x04\x72\x17\x0d\x6f\x09\xfb\xd0\x01\xf6\xaf\x1b\x72\xf0\x5b\xc6\x2f\xff\x8d\x07\x82\x97\xda\x26\x79\xb2\xc3\x53\xac\x27\x50\x02\x8c\xf2\x24\x5b\x81\x98\x6c\x10\xc7\x28\x41\x0c\xd2\xf7\x21\x21\xa8\x8d\x4e\xb0\xda\x21\x77\x28\x2e\xa5\x46\xc4\x78\x59\xc6\x36\x9e\xe5\x0d\x26\x38\x77\x12\xbe\x7a\x3f\xfb\x8f\x2d\xf6\xc4\x68\x65\x25\x17\x2b\xb0\x21\xc9\xca\xfc\xd7\x6f\xb4\x0d\xab\x2f\x9c\x70\x5f\x0a\x7e\xd7\xab\x5d\xa9\x47\xf7\x58\xf9\xaa\xcd\xf2\xa1\x84\x0f\x4b\x55\x9c\x20\xfe\x01\xbf\x56\x7b\xca\xac\x2f\x40\xd4\xdc\x60\x1d\x84\xcb\xa5\x94\x2f\xf8\xbe\xdc\xb5\x2d\x93\x8c\x42\x55\x41\x22\x0e\x80\x3c\xeb\xb0\xa7\x32\xa3\x57\xd4\x89\x50\x94\x59\xb7\x67\x00\x0b\x16\x42\xed\x8a\xda\x7c\x85\x3b\xe9\xf1\xd3\x51\x57\x2d\x15\xf5\xfb\x77\xca\x9c\xb4\x91\x2b\x80\x3d\x57\xf1\x11\xe7\xc1\xf5\xb8\x36\x28\x4b\x6f\x92\x40\xe7\xd9\xdb\x52\xd3\x42\xdd\x7a\xe2\x36\xb5\x97\x98\x12\x1f\xf1\xee\xdf\x5c\x6f\xbd\xd3\x9f\xbe\x34\x3f\x44\x5d\x3f\x7d\x1d\x73\x36\xef\x06\x09\xd3\xff\xeb\xfd\xc1\x8c\xf5\xdb\x3e\xf9\x0d\x60\xc1\xc0\xe5\x00\xd3\xda\x8b\x05\xc9\x5a\xbd\x5c\xa8\xbc\x77\xbd\xac\x46\x93\xf7\xdf\xf7\x5d\x59\x0f\x3b\x58\x0f\xbf\x66\xdb\x6c\x3e\xb9\x63\x2e\xb1\x87\xbc\x0d\x96\xc4\x63\x06\x77\xff\x73\xcf\xd2\x86\x7e\xc7\xbb\x04\x6d\xe8\x5d\x9e\x35\x55\xcd\x79\x64\x74\xce\xba\xe6\x63\x9c\x05\xb6\x1a\x18\x3e\x16\x04\x89\x57\x0e\xd4\x1d\x1e\xa8\x8f\x78\x0b\x9b\xef\x96\x47\xfc\x50\xef\x96\x41\xa0\xb7\x45\x6b\xe2\xd4\xb7\xc5\x0f\xee\x62\xb7\x5a\x53\x8d\xf8\xb6\x95\x76\xb4\x50\xf5\x08\xfe\x13\x25\xc8\xd4\xbb\x40\x88\x31\xca\xe2\xe1\x7f\x73\x24\xe8\x6c\xfa\x94\x4b\x89\x44\xf7\x10\x5f\x84\x19\xef\xf0\x29\xe5\xa1\x21\x12\x11\xfb\x61\x77\x3b\x7d\x78\x84\xbd\xac\xc5\xf6\x40\x9a\xc7\xc2\x7f\x7e\x2b\xf8\xa8\x87\x7f\x6b\x57\x90\x0a\x54\xa4\xcb\xd9\x32\xe4\x85\x53\x8d\xc4\x2e\x2a\x42\x2e\xc5\x4c\xc8\x0e\x04\x53\x06\xe9\xbb\x32\x0e\x91\xf8\x26\x85\xc5\xe0\x9b\x28\x82\xc2\xf5\xbe\x79\x0e\xb3\x4e\xea\xa0\x09\x08\xe6\x86\xa4\xbd\x48\x8d\x9c\x76\x4c\xce\x2f\x38\x45\x4e\x57\x45\x39\x5f\xa5\x13\xae\xb2\x7b\x1d\x3b\xba\x41\xea\xde\xda\xf8\xcc\x4c\xcd\xcb\x4a\x59\xc9\x76\xc9\x63\xdc\x4f\x82\xe7\xe4\x24\x2a\xbb\x5d\xad\x77\x83\x4e\xdc\x26\xa2\xfd\xa8\x6c\xea\x13\xcd\x36\x43\xba\xe2\x82\x68\x57\x79\x5c\xf6\x27\xb3\xb4\x14\x17\x5c\x1e\x97\x5f\x7b\x32\xfb\x77\x76\x36\x4d\x9d\xf1\x52\xb7\x6f\x2e\x8f\x33\x78\x3b\x89\x8a\xc2\x7f\xfb\x93\x83\xdf\xf3\xac\x48\xd8\x31\x34\x38\x0e\xd0\x0b\x3a\x6f\x61\x30\x9b\x06\x29\x2d\xf5\xad\xcc\x9a\x06\x8a\x34\xee\xbc\x13\xd6\x8a\x50\xd3\xaf\x1b\xf5\x40\xdf\x82\x7d\x30\xc2\x28\xbb\xb8\xec\xf3\x36\x3c\x05\x8a\x28\xed\x0d\xfa\x16\xd9\x0e\x15\x2f\xcb\xa2\x0e\x9b\x27\xfd\x0c\x52\xfb\x01\x5e\x9a\x9e\x0c\x2f\x7a\xbb\xe1\x09\x67\xc6\x7e\xf8\x09\xec\xa7\x47\xd8\xd5\x2b\x49\xb6\x14\x25\x64\x1e\xf5\x5f\x37\x12\xbc\x68\xc4\xb9\x64\x31\xf0\x3b\x3c\xd1\xee\xe7\x58\xa9\x60\x2c\x73\x31\x51\xb9\x51\x41\xfa\x03\x00\x80\xa0\x4f\x84\x4e\xc6\x75\xde\x1e\xd9\x74\xb7\x0b\x28\x0a\x37\x4b\x45\xad\x46\x45\x03\x1e\xe5\xe7\xb1\xaa\x73\x4e\xb3\xcf\xd9\x39\x23\x96\x6b\x01\x40\x4e\x49\xa2\x20\x9a\x00\xbd\x4e\xe2\xbc\x5e\xd8\x60\x8c\x11\x71\x0a\x74\xa3\x24\x91\x3b\xb6\x26\x1f\x2b\xaa\xf6\x2a\xc7\x97\xf5\x87\xd7\xab\x53\x67\x20\x4c\xea\x21\x9d\xe4\xe6\xd0\xbe\x22\xa9\x5d\x91\xd4\x1c\x49\xed\xe1\x16\x7b\x52\x2f\x17\xa2\x0b\xe7\x14\x65\x5e\xf8\x4b\x2f\xf8\x3d\x6f\xae\x76\x55\x6d\xbc\xf4\x0b\xd6\x1e\x3d\x92\xae\xe0\x32\x84\x79\x2f\x0f\xa7\xdc\x4c\x3f\x7e\x06\xf3\x9b\xce\xe2\x12\xa2\x52\x4f\xc9\x87\xe6\xf4\x33\xb6\x53\xa5\xe9\x09\xb9\xf2\x20\x38\xb9\x1e\x48\x2e\xb7\xe2\x31\x32\x3d\xad\xd8\x01\x1a\xb3\x59\x3a\xa7\x5b\xa7\x8b\x59\x16\x91\xec\x91\xb1\x15\x4d\x7c\xa8\x88\x1a\x3d\x86\x3b\x9b\xff\x13\xda\xbd\xf6\x52\x6f\x71\x80\x0d\xb0\xbe\xa7\x28\xaf\x12\x9c\xcb\x80\xc9\x30\x8f\xc0\xa6\x04\xfd\x92\x8b\xb6\x88\xd7\x4c\x16\xfd\x3e\x6e\x52\xae\x85\x30\x2e\x68\xaf\xc6\xd3\x29\xce\xd1\x53\xd7\x13\x6d\x17\x5b\x7d\x45\xd8\xdc\xa1\xf5\xe6\x65\x1e\x3b\x80\xea\x2f\xcc\x6e\xff\x07\x82\xcc\xfa\x49\xe6\x3e\xc3\xcc\x47\x5b\x23\x25\x72\x42\xd4\x0d\x71\xdc\x14\x1c\x82\xbd\x12\xe8\x70\xcc\x1c\x9a\x36\xcd\x13\xeb\x54\x93\x5b\x75\xe8\x88\xbe\xf1\xe6\xa2\xef\x49\x7f\x4a\x8b\xbe\x03\x12\x82\x91\x84\xed\xd3\xa1\x11\x9f\xf8\x81\xfd\x36\x1d\xe9\xa6\x42\x0d\x40\x79\x1e\xde\x1f\xdc\x38\x70\xb5\x09\x82\xed\x7e\xb2\x28\x9a\x51\x3b\x9f\xbc\x82\xda\xd9\xf1\x04\xee\x2b\xd0\x4e\x2f\xf8\xb7\xb1\xc2\x40\xeb\xc0\xeb\xba\x90\x29\x1c\x04\xf4\xd3\xd9\xad\xec\x96\xa1\x22\xf8\x66\x33\xe2\x8a\xfc\xb0\x03\xf9\xe1\x33\xb6\xfc\xf0\xd1\x1d\xa2\x73\x7e\xb0\x19\x9c\xf3\x2d\xcb\x0f\xbf\xc5\x6d\x6b\x28\xb4\xfa\x6f\x3c\xb6\x78\xa9\x88\x4b\x9c\xc8\xcf\x58\x38\x33\xbb\x00\xeb\x7e\x2e\xcf\x7a\xc5\x99\x7c\x42\xae\x08\xff\xcd\x5e\xf0\x06\xaf\xf9\x9e\xed\x7d\x8e\xec\x88\x5c\xa9\x32\x10\xab\x17\x30\xfe\xd6\x5e\xa7\x9c\xa2\xb0\xe2\xe4\x72\xac\xdd\x0e\xf9\xe9\x28\x96\xba\x08\x70\x0b\x00\x64\x57\xe4\x71\x94\x90\xdd\x97\xf7\xaa\xbc\x97\xc9\x0d\x94\xfd\xf0\x13\x1a\x71\x47\x26\x0b\x29\xe0\x8e\xfe\xe0\xea\x60\xd6\xbd\x34\x14\x77\x64\x93\x46\x50\x86\x11\x4d\xf8\x6e\x8a\xb0\x11\x49\x17\x3d\x6d\xc8\x73\xf6\xf1\xaf\x5d\x75\x05\x9c\x04\xe2\xd8\xf7\xb0\x3d\xbd\x48\x9e\xea\xfe\x8d\xc1\xa1\x19\x0b\x81\x4f\x21\xfe\x26\xa5\x13\xc4\xa8\x47\x24\x00\x58\x3a\xd9\xdb\x46\xd8\xbf\xec\xe5\x19\xb8\xa9\xa7\x44\xd4\x91\xe2\x84\xea\xcf\x87\x47\x54\x7f\x7e\xad\xb5\x08\x69\xc3\x2f\x40\x9f\x2a\x76\x21\xbb\x47\x23\xbb\x2e\xc5\x85\xa7\x0a\xb6\xe8\xaa\x06\x72\xf0\x2e\x61\x4e\x3a\x15\x30\x67\x95\x62\xf9\x1e\xa1\xa3\xe4\xef\x38\xad\x9c\xe4\x9e\xf8\xaa\x93\x59\x0b\x98\x6c\xb8\x0e\x1c\x50\x64\x81\x73\xb5\x8f\x9c\xbe\xd0\x86\x44\xa9\xb2\x5b\x0b\x78\x8c\x5c\x97\x55\xbe\x1c\xb5\x8d\x9d\xc6\x6a\x10\x65\xa4\x81\x7c\xa1\x24\x60\xab\x0f\xb4\x73\xb7\x8a\xa2\x8c\x91\xa7\xa6\x53\xe5\xea\x14\x42\xbe\xaa\xe6\x01\x71\xa6\xc6\x8d\x47\x8e\xd4\x72\xe9\xbd\xd6\x0e\x4b\x7e\x91\x9e\xe3\xbd\xd9\x01\xc0\x99\x94\xf7\x77\x04\x36\xab\x51\xe7\xb9\x70\x33\xa7\x51\x9f\xf0\xd8\x53\x72\xb1\x16\xcb\x6d\xee\xae\xb8\x28\xb3\xbc\x7f\x2a\xee\xc6\xa5\xff\x2e\xdd\xc0\xd7\x79\x6e\x20\x67\x96\xd8\xd1\xa0\x05\x52\x2f\xc8\x95\x04\xe8\x0a\xa0\x65\xc8\x29\xb1\xf1\xa3\xf6\x11\x47\xdc\xaf\xf8\x7b\xcf\x02\xae\xfd\x89\x77\x19\x80\x6b\xef\xf0\x4e\x39\x99\xbd\xb5\x99\x28\xe4\xd3\x17\xb0\xf9\x4e\x27\x60\x3e\x76\x50\xd4\xa2\x5c\x45\x47\x5a\xa8\x33\x35\x2d\x01\x92\x25\x25\xd3\x08\xf2\x6d\x59\x4f\x98\x29\xb5\x75\x58\x1a\xfb\xa0\xfc\x70\x15\xa3\xfc\x6e\x8f\x5d\xb7\x69\x98\xb4\xb5\xc9\xd3\x7b\xc1\xc9\xc5\xfa\xfa\x50\x56\xd1\x0c\xb3\xce\x66\x00\x01\x8b\xda\x44\x61\xe9\xaa\xea\xa9\x58\x87\x2f\x0a\x1f\xf1\x46\x37\x8e\xa1\xbe\xda\x3f\x80\x13\xe5\x6e\xd1\x2f\x18\x7b\xc0\x72\xef\x88\x4b\xf0\xee\x1c\x6d\xf0\x43\x6e\xe8\xde\x09\xd9\x5b\x47\xd8\xbf\xd9\x24\xe4\xd4\xff\xc7\x56\xf0\x11\x6f\x62\x20\xc8\xd5\x81\x90\x55\xa9\x9b\xe8\x05\xe6\xa5\x5c\x1a\x29\x90\x3f\x80\x7d\xcf\x40\x1d\xc1\x03\xba\x26\x80\x5d\x57\xe8\x08\xda\xe2\x56\x6c\x64\x5c\x00\xcb\x67\xad\x86\x33\xf3\x9a\xa0\x54\x33\x40\xda\x6c\xd7\x64\xa1\x18\x0c\x73\x96\x2a\xd3\x93\xd3\x5a\xe4\xb1\xab\x3e\xbd\xd9\x63\x6f\xf0\xd8\xe0\x43\xfe\xf3\xbd\xe0\x36\x65\x81\x0f\xf9\xb0\x80\x5f\xac\x05\x33\x8e\xca\x3f\x61\xc2\x9f\x99\x87\x13\xc9\xe8\x08\x37\xb0\xeb\xd8\xd1\x6d\x05\xfb\xca\x36\xb0\x57\x8f\xb0\xeb\xad\xe7\x96\x93\x6c\x9d\xce\x0f\xe3\x73\x41\xb8\xd1\x44\x1b\x80\xa1\x0b\x15\x7c\x95\xff\x1b\xad\x60\xbe\xf1\x0e\x39\xec\x3b\x72\xe6\x25\x70\x1e\x98\xb4\x60\x24\x37\xc9\x97\xc6\x22\x7c\x0b\xa4\x4e\xa9\x12\x80\x1a\x78\xd1\x33\x69\x2c\x2e\x7a\xc0\x73\xe3\x46\xe3\x7a\xac\x4f\xf4\x37\x0f\x04\x9d\x73\xf2\x8f\x73\x1a\x48\x4c\x56\x19\x1d\xe9\xef\x36\x4f\x05\x38\x01\x4f\x50\x70\x6d\x60\x92\x8e\xe6\x62\x25\xca\x3b\x09\x00\xce\x96\xa1\x18\xe3\x18\x71\x0c\x4e\x1d\x3b\xc9\xc6\xbd\xc1\x33\xce\xe9\x5f\x4e\x23\x34\x94\x6d\x93\x96\x0c\xa9\xe5\xa1\x5d\xec\x98\x35\x24\x44\x0f\x67\xab\x77\x77\x2d\x2e\xce\x11\x44\x6e\xbe\x4a\x04\x90\x98\xf8\xbf\x32\x12\xfc\x54\xab\xe9\x8e\x1b\xb3\x23\x15\x0c\x6b\x8e\xc3\x29\x41\xfc\xf9\x4b\x08\x30\x2c\x34\x4b\x1d\xb1\xfb\x69\xf6\x9c\xdb\x56\xb3\xa2\xbc\x7d\xfc\xb6\x5e\x54\xae\xde\x7e\xc7\x6d\x85\x90\x9a\x47\x2f\xca\xcb\xdb\xf9\xd8\xed\xea\x75\x8e\x84\xfd\xf8\x5f\x79\x53\xf3\x2c\x54\xb9\x14\x46\x72\x64\xaa\x06\x21\x06\xf8\x29\x6f\xb9\xf9\xc6\xd1\x21\x4c\x94\x6e\x72\x58\x48\xd4\x5d\x94\x56\x4e\x7b\x8b\xba\x31\x89\x8a\x92\x1f\x1c\xc7\xe4\x41\x16\x7b\x3b\x92\x71\x1f\xbc\xe3\xa0\x1c\xf6\x83\xd7\x1c\x0c\x2f\x7a\xbb\x65\xfb\xdd\x25\xfa\x2a\x8f\xbd\xdc\x63\x78\xc3\x7f\xa1\x17\x5c\x3f\x51\x37\x94\xc8\x3b\x2a\x65\x44\xcf\x56\x5d\x4d\xb7\xd9\xcb\xf1\x0e\xf6\xf4\xe1\xba\xe2\x26\x63\x3a\x17\x95\xab\xec\x2d\x8c\x7d\xff\xce\x74\x27\x37\x64\x6d\x32\x4b\xaa\x6e\x6a\x02\xd7\xfc\x8f\xec\x0f\xee\xde\xf8\x11\xcb\xf9\x03\x76\xa3\xaa\x6b\x56\xb0\xc8\x31\x8b\x66\x2f\xc7\xf9\x13\xd2\x6a\xbd\xe8\xed\x92\x9a\xf4\x45\x6f\x9f\x54\xa0\xe4\x97\xb8\x6c\x31\xfb\xd8\xbb\x3c\xa6\xef\xf9\x6f\xf1\x82\x57\x79\xea\x17\x59\x25\x80\xe1\x01\x33\x66\x41\x7c\xe4\xa1\x38\x14\x21\x89\xa3\xa0\x9d\xa9\x9c\x17\x87\x55\xce\x9c\x42\xe5\xd8\x57\xd9\xdc\xe5\x24\x89\xda\xab\xbc\x0d\xdf\x67\x59\x31\x32\xc5\x9f\x8e\x96\x2a\x37\xbf\x0a\x7e\xa2\xb3\x16\xef\x75\xad\x8e\x77\x05\xb7\xd6\xad\x8e\x7c\xb5\xea\x02\xf3\x7c\xd4\x01\xf5\xc3\xbe\xaf\x4d\xc4\x83\x05\x7f\xa0\xc5\xf6\xe0\xbe\xe8\xff\x6c\x2b\x78\x6b\xcb\x24\x72\xb2\x61\x8b\x67\x7a\x22\x9d\x98\x9b\x41\xcf\xb4\x99\x4b\x03\x4d\x86\xc3\xe1\xa0\xec\xff\x83\x56\x4a\xa8\x88\x88\x9e\x8d\x0b\xb1\x1b\xe5\x7d\x3b\x33\x01\x0d\xaa\x94\x23\x8b\x82\x62\x2d\x15\xdf\x11\x3d\xd6\x47\x58\x11\x3c\x17\xab\x84\x9e\xd4\x9d\xb8\x55\x2e\x08\x61\x9b\x2d\x56\xab\xa5\xb0\x9d\x75\xc7\xcf\x4c\xcc\x8c\x53\xfb\x15\xac\x15\x75\xda\xf1\xa5\x24\x5b\x1a\xef\x46\x45\x29\x72\x95\xaf\xaa\x18\x3f\x16\x1e\x09\xbb\x9d\x6b\x3a\x51\x19\x41\xd4\x2e\xaa\x47\x78\x8a\xb8\x99\xcb\x4e\xd0\x01\x70\x3c\x18\x4b\x15\x91\x7b\x7d\x14\xe0\x86\x42\x7a\x37\x74\xff\x2b\x5a\x6c\x9f\xb2\x7d\xfa\xcf\xd7\xd1\x29\x7f\xea\x19\x3f\x2b\x66\x71\x20\x6f\x2b\xf6\x3d\xe9\x24\xb9\x48\xa2\x32\x5e\x03\x2e\x92\x2c\x2f\xa3\xb4\x2d\x6a\x43\x0d\xbc\xfc\x11\x69\x6a\x00\x7f\x2e\x42\x0e\xce\x11\x92\xeb\x35\x4a\x54\x69\x74\xab\xf1\xca\xaa\xe3\x81\xc1\xc5\x58\x38\x59\x6a\xb2\x6e\x5c\x12\x31\x46\x22\x95\x06\xa1\x12\x05\x15\x6d\x91\x46\x79\x9c\xd9\x46\x6b\x04\x82\x5b\x4e\xe5\x15\x90\xca\x72\x74\x84\xd6\x04\xfa\xf7\x7a\x0c\xd6\xad\xff\xd3\x5e\xf0\x26\xaf\xa4\x54\x5c\x51\xba\xf5\x19\xf8\x58\xcf\x82\xbf\xb8\x9a\xfd\xab\x0d\xc3\xbb\xfc\xcf\x5e\x1d\x3c\xcb\xfc\xe4\x10\xef\xac\xc3\x71\x2d\xf6\x78\x87\x39\xc8\x0d\xbe\xc8\xab\x14\x46\x3d\x42\x43\x06\x76\x29\xb0\xdf\x3a\xbb\xda\x8f\x5c\xc5\xfe\xce\xa3\xa4\xb3\x7f\xee\x6d\x80\x96\x68\x0e\x42\x0b\x3e\xe0\x81\x01\xc8\xcd\xd3\xb5\x0d\x2b\x90\x15\x97\xf6\x18\xa7\x99\x65\x9f\x6a\xe9\x2c\xb3\x1f\x69\x6d\x20\x80\x0e\xa3\x26\x0b\x5e\xdc\x5a\x70\xb2\xc9\x0e\xa1\x43\x32\x41\x24\xf5\x0f\x06\x8d\x17\xcc\xa8\x6a\x95\x54\x20\xe8\x00\xe5\xf5\x52\x1f\xb9\x0c\xd7\xe3\xb4\x93\xad\xc3\xeb\xc0\x5d\x7c\x09\x49\xac\xae\xe0\xd1\xbe\xc5\x3d\x2c\x57\xdc\x1c\x97\xee\xe6\xf8\x74\xcb\x72\x73\x7c\xb8\xb5\x53\x98\xc4\x37\x3d\xca\xbe\x73\x4a\x13\xad\xd9\xd1\xb3\xb0\xb7\x02\x6f\xd8\x28\x7a\xd6\x31\xd0\x0d\xec\x4d\xda\xba\xa9\x21\x6b\x91\x82\x30\x74\x0e\x15\x87\x8d\x8d\xd6\x2a\x8e\xb2\x8d\x87\xfc\x5b\x00\x9c\xf1\x88\xb7\xb8\xb9\x93\xe5\xa8\x3f\x6e\x82\x9f\x7b\xbd\x42\xfb\x55\xcc\x47\xd5\x71\x91\x7f\xbb\xcf\x81\x8b\x8b\x35\x98\x98\x6b\x47\xc3\x69\xf9\x17\x78\x7d\xff\xe7\xbe\xe0\x69\xfa\x97\xab\xf5\xc1\x65\xad\x77\x36\x3a\x79\xff\xcb\x15\x27\xef\x8e\xb7\xa0\x65\xe5\xe4\x7d\x76\x10\xc4\x83\x44\x57\xaa\xab\x68\x18\x6c\x7d\x71\x94\x5d\xcb\x0e\x0d\x3d\x3d\x6b\xa3\x7d\x65\xab\xdb\xc1\x56\xf7\x59\xdb\xa3\xfb\xdf\x76\xe8\xd1\xfd\xa1\xc7\x89\x6e\xc1\xec\x36\xdf\xbf\xf9\x6e\x73\x8b\x7f\x93\xde\x6d\x68\x26\xd5\xdc\xb9\x7a\xd7\xa8\xef\x3a\xef\xda\xcd\xb8\x35\x0f\x97\xa2\xb2\xbd\x2a\x3b\xe0\x19\xd9\x92\x26\x69\xf2\x5f\xb4\x3b\x70\x2e\x58\xf6\x61\x87\x64\x14\x8f\x81\xfb\xb3\xa5\x50\x5b\x09\x48\x76\x74\x36\xa2\x9f\xdf\xc5\xee\x20\x6d\xe4\xa6\xe0\xda\x45\xca\x41\x7d\x7f\xb6\x64\x9c\x53\xa3\x7c\x32\xeb\xf6\x12\x81\x99\x1d\x4f\xa2\x1f\xcc\x1e\xe4\x1e\xbb\x3a\x89\x8a\x72\x2e\xcf\x96\xc4\x62\xdc\x15\xfe\x73\x2e\x3d\xb7\xca\xbf\x3d\x15\x15\x25\x3a\xa2\x28\x28\x4f\x79\xc8\xa2\x82\xb7\x57\x05\xe4\xef\x60\x2f\xf7\x98\x2f\xab\x5c\xcc\xa3\xb4\x80\xfb\x50\xef\xda\xa5\xd7\x7b\xeb\xb0\x7a\x4b\xac\x02\x97\x64\x96\xea\x08\x6b\x13\x6c\x1b\xb2\xef\x65\x7b\xbb\xa2\x28\xa2\x15\xe1\x9f\x0e\xbe\xe7\x2e\x57\x3b\xa6\x3b\x76\xa6\x2a\x52\xb1\x78\xb4\x24\xc5\x67\x30\xa6\x95\xfa\x4b\x9c\xae\x7d\x06\xdb\x83\xae\x3f\xff\x7b\x82\xeb\x0e\x2d\xe5\xb1\x58\x3e\xac\x9c\x81\x46\xe3\xa6\xb6\x82\xeb\x64\x78\x59\xa7\xb4\xf2\x70\x22\xb8\x61\xc1\x11\xf1\xad\xb1\xce\x10\x8c\xb8\x08\xc0\xdb\x93\x51\x52\x88\x51\x7e\x36\x3d\x9f\x66\xeb\x6e\x69\x9f\xf0\x1c\x6f\x83\x61\x54\x5a\x3b\x1a\x9e\xcc\xf2\xef\xcb\x52\xe1\xbf\xd5\x0b\x4e\xd1\xdf\x06\x10\x66\x9b\xa8\xb1\x03\xd0\xb0\xf4\x20\x78\x8e\xcc\x61\x55\x54\x5d\xda\x37\xd5\x26\x18\x36\x19\xa9\x6f\x63\xc7\xc9\x44\x71\x2c\x78\x1a\x25\x76\x73\x9c\x0d\x76\x84\xb1\xac\xc3\xf9\x8a\x2f\x3e\x85\x5d\x3b\xcc\x54\x18\xce\xe2\x2f\x84\x73\x02\x90\xe0\x1d\x4f\x09\xee\x18\xb8\x6a\x3e\x6d\x08\x93\x89\xf3\xc6\x45\xef\x40\x2f\xeb\x2c\x34\xd1\x99\xfc\x8f\x7f\xc1\x3e\xbf\x8b\xed\x11\x18\x93\xff\x4b\xbb\x82\xbf\x19\x51\x84\x43\x78\x8d\x52\xc2\xa1\xc8\x56\x33\x38\x69\xa7\x1c\xfa\xf1\xce\x54\x25\xa5\x6a\x55\x21\xf9\x26\x7f\x53\x0c\x9d\x91\x0b\x4a\x18\xe8\xb4\x2f\x96\x63\x00\x45\xa9\x83\x4c\xea\xe9\x87\x80\x0d\x9e\xe2\x98\x31\x0a\x01\x2d\x2d\xeb\x71\x21\x14\xd7\x1a\x78\x90\xb1\xb6\xc3\xa3\xfc\xcc\x3c\xd5\xa3\x5b\xa0\x28\x6a\x35\x35\xb3\x9c\x16\xd6\x87\xa9\x94\xa9\x90\x98\x9a\x48\x66\xed\x9e\x33\x89\xa5\x95\x3b\x52\xd3\x6f\xa8\xa2\x4b\x95\x8b\x66\x20\x7f\x1d\x12\xe7\x9a\xcc\x93\x6e\xc9\x60\xe0\xa1\x9a\xeb\x1d\x77\x48\x45\xba\xcb\x9e\xc9\x12\x91\x80\xeb\x10\x0d\x1c\x46\x40\x06\xbf\x5c\x5c\x52\xdf\xa1\x41\x23\x2e\x32\xad\xf6\x92\xc0\x7d\x78\x38\x3c\x17\xf3\x76\xdd\x6c\xcb\x29\x27\xd8\xf7\xb0\xdb\xb7\x66\xd7\x76\x27\xeb\xb4\x76\x4a\xb0\x3f\xd8\x65\x68\x1e\x7e\x63\x57\xf0\xf0\x2e\x35\xa5\x14\xe5\xc2\xd6\xe7\xd4\xe2\xe0\x54\x82\xbc\x9d\x90\x74\xe8\xf1\x99\x53\x86\xa6\x80\x8a\x95\x7b\x60\xd6\x8e\x12\x70\xeb\x6d\x79\x16\xda\x7d\xf1\x38\x4e\xc3\x4e\x26\xac\xe4\xe0\x60\x05\x7b\x74\x66\xa1\x3d\xc9\x26\xd9\x04\xbb\xe3\x52\x26\x99\xe5\xfa\x62\xbf\x39\xc2\xec\x6d\xcd\xff\xec\xc8\x65\x80\x29\xbc\x78\x64\x41\x18\x32\x6f\xf4\x7c\x67\x76\x32\xb5\xa6\x71\xa1\x39\x4c\x3e\x5c\x8d\x30\x73\x67\xbb\x6b\xaf\x87\x50\x18\x59\xfa\x00\xb0\x81\x72\xa4\x9c\xae\x92\x32\xee\x25\xc2\x64\x8f\x52\xd3\xba\x1d\xa5\xf4\x96\x15\xf5\x85\x6e\x70\x5c\x33\x33\x3a\xd3\x6d\x41\x81\x2c\x6e\x4b\xe4\x21\x0e\xde\x13\x34\x51\x53\xee\xd0\xa8\x23\x8f\xe3\x35\x91\xf4\xeb\xfb\xc5\xec\x99\x45\xe3\xb1\x90\x73\x62\x39\xc3\x95\x52\x68\xd9\xd8\x85\x76\x14\xa2\x1b\xa5\x65\xdc\x2e\x42\x3e\x91\xd2\xfc\x6b\x9a\xb3\x11\x24\x03\xea\x98\xec\xc5\x26\x9f\x09\xfb\xd9\x3d\x72\x74\x65\x27\x4b\x01\xb1\xf0\xdf\xb2\x27\x78\xfe\x1e\xb5\x8f\xc0\x9a\x41\xf3\xb1\x9e\x87\xee\xc0\x80\x09\x5f\xa0\x9e\x72\x0f\x44\x4b\xa9\x98\x3f\xf9\xd1\xf7\x05\x34\x91\x82\x67\x8f\xf2\xfb\x82\x69\xfd\x77\x96\x5b\xf7\x46\xb9\xbe\xd3\xb0\xac\x1c\x34\x8d\xc9\x2b\xaa\x22\x7d\x96\xa2\x02\x52\x70\x92\x9f\x15\x73\x3b\x80\x50\xa0\xb9\x4f\x72\x3e\x6d\x0d\xcb\xad\x66\x84\x11\xce\x88\x68\x3a\xa9\x5d\xd3\x63\x05\x79\x2b\x81\x6a\xb2\x90\xb2\x0a\x4e\x25\x00\xbe\xd0\x43\xa8\x3a\x63\xc7\x52\x69\x87\x54\x60\x57\x96\x43\xa3\xc1\x20\x63\x95\xae\xda\x43\xc5\x1f\x1e\x52\x3e\x3d\x16\xea\x08\xc6\x08\x01\x6d\xeb\x79\x0c\xa9\x07\xe9\x58\x05\xdb\x2a\xed\xad\xa3\xf0\x20\x00\x6f\x14\x1a\x29\xe9\x53\xa7\xa9\x67\x60\x74\xf9\x7d\xba\xab\xf9\xb3\x43\x7e\x2a\x3e\x2f\xe4\x8e\x0c\xb1\x5d\x0d\x75\xa9\xad\x1b\x69\xae\x2c\x46\x95\xa8\x94\xe7\x80\x30\x9c\x42\x78\x64\x58\xed\x50\x95\x47\x4e\xf5\x16\x8a\x34\x4e\xdb\x49\xd5\x11\xa6\x3d\x87\x8a\x58\x0e\x1c\x44\x7e\xe9\x9a\xd7\x75\xa6\x57\xf5\x7c\xc3\x30\xa5\x1d\x7a\xce\x1c\x31\x6a\x76\x94\x19\xbf\x5f\x36\xe7\x3e\xae\x67\x1b\x7f\xf6\xf6\x0e\xea\x1a\x39\xea\x8b\x02\xf6\x7d\x97\xd3\x9d\x6c\xf1\x18\x4b\x29\xf4\xa7\xbf\x2b\x98\xdb\xe8\x81\x1a\xeb\x0a\x65\x0b\x94\xe3\x56\x50\xdc\x8c\xed\xa3\x8d\x7a\x3d\x11\xe5\x17\xbd\xdd\xa0\xb4\x5e\xf4\x76\xc3\xc2\xbf\xe8\xed\x86\x14\xae\x2e\xab\x3f\x67\x5f\xd8\xcd\xbe\x0d\xc4\xeb\x7c\x4d\x90\x5a\x40\x34\xfa\xbf\xb0\x3b\xf8\x99\xdd\x8d\xb7\x1c\xda\xe5\x48\x59\xc6\x54\x0e\x28\x82\xb9\x52\xee\x6a\xe3\x29\x22\x68\xa3\xf2\x89\x91\x39\xc7\xb8\xdc\x54\x55\x94\x62\x89\x38\x81\x09\x5d\x41\x5c\xba\x21\x37\x16\xb6\x51\x50\xbf\x47\x0d\x10\x5c\xce\x09\x68\xa5\xce\x46\x05\x0e\x42\xeb\x01\xb9\xf6\x30\x3d\x95\xae\x0c\x96\xdc\x32\xaa\x45\xca\x7c\xa6\x32\xda\x28\x02\x08\x80\x9a\x5a\x8c\xc6\x2e\xbc\xaf\xcc\x2b\x81\x34\xf8\x72\xa8\xe1\xe1\xa5\xa8\x7d\x7e\x3d\xca\x3b\x05\xba\x32\xcb\x78\x29\x4e\x28\xea\x4b\x85\xbe\x1e\xb7\x72\xa8\x9a\x64\xce\x80\x4b\x4d\x0a\x2a\x2f\xe4\x73\xd8\x4c\xad\x7b\x54\xa9\xf3\x81\x14\xc8\x39\xd0\xc7\x56\xd2\x69\xea\xe6\xaa\x50\xa2\xda\x39\x17\xf4\x46\xfd\x30\x46\x25\x8f\x61\xc9\xc7\xe1\xab\xce\x71\x3d\x93\x5d\x17\x65\x03\x73\x5a\x19\x15\xe7\x8b\xf1\xa8\xdd\x96\xdb\x94\x55\x41\xd4\x8b\xc7\x11\x48\x30\xa6\x8d\x7e\xf5\x0b\x63\xb6\x5c\x71\x4d\x2f\xaf\xd2\x38\x5d\x01\x2b\x4c\xa5\x5b\x28\xaf\xb8\x6d\xac\x39\x37\x2d\x78\xf1\x7f\xf5\x18\x4e\x76\xff\x5d\x5e\xf0\xe3\x1e\xa6\x2e\x36\x73\xd6\xc4\xe2\x9a\x21\xae\x63\x1d\x20\x34\x0d\x44\xd9\x31\xd8\xda\xd5\xd9\x39\x06\x85\x75\x42\x3e\x41\x02\xb3\xca\xd4\x94\x0b\x7e\x8e\xf8\x4a\xce\xc1\x4c\x3c\x37\xab\xde\xe9\x9c\xd3\x13\x46\x96\xeb\xdc\x70\x34\xf0\x16\xbb\xaa\xa8\x96\x74\x37\xf9\xef\x6b\xb1\xe5\xcb\xc3\xc0\xdc\xb4\x09\x2d\x58\x55\x05\x9f\xf2\xec\x9a\xf5\x4e\x4e\x71\xe5\xd6\x9d\x8d\x3a\x6d\x35\xc2\x13\x8c\xd4\xf5\x51\xfb\x50\x57\xa9\xc7\x64\xe1\x76\x79\x83\x6b\x6b\x31\xeb\xd1\xbe\x0c\xfc\x6b\x22\x57\xf6\x38\xf7\x45\xc8\xb9\x57\x11\x27\xb4\xb8\x20\x47\x2b\x5e\x13\x21\x7b\x17\x26\xfb\xa1\x77\xfc\x1f\xbb\x6c\x2c\xd6\xcd\xb8\x20\x55\x51\x70\x9d\xa9\x54\xdb\xfa\xad\x4b\x85\x28\xe5\x5e\x66\x98\xf6\x26\xe7\xa7\x42\xf6\x55\x8f\xe1\x36\xed\xff\xa6\x17\x7c\xce\xc3\xd8\x79\x52\x7e\xe4\x26\x89\x17\xb4\x03\xbb\xb1\xdb\x51\x30\xae\x5d\x54\xc0\x5e\xd8\x4f\x21\x53\x20\x3f\x37\x2e\x3f\x6b\xfc\x36\x28\xf3\xf6\xf1\x30\x0c\xcf\x85\xc0\x5a\x60\x01\x77\x6d\xdb\xca\xb0\x13\x89\x1f\xa2\x5d\x66\x39\xcb\xbb\xfc\xdc\x6d\xb0\x36\xc2\x5e\x52\xe5\x51\x72\x7b\x48\xc5\x9f\x3b\xec\x4c\xed\x0f\x7a\x0c\x8f\x21\xff\xbd\x1e\x8b\x1f\xbd\xf1\xa8\x53\x8b\x9f\x40\xba\x6f\x35\x9d\x1d\xfc\x0d\x1c\x17\x71\xda\x21\x4a\x70\x6d\x7d\xab\xf5\x2e\x7b\xcb\x3e\xb6\x4f\xcd\x4e\xff\xd5\xfb\x82\xd7\xec\x35\x44\xf3\x6e\x10\x9a\x9c\xc7\x72\xd4\x6c\xe6\xfb\x0d\x07\xee\x8c\x12\xfc\xe3\x65\x7e\x8e\xde\x3a\xe7\x70\xf4\xe1\xe0\xda\xc3\x82\x90\xbc\xb8\x14\x5d\xb5\xdb\x9f\x33\xf4\xef\x68\x47\x77\xc7\xd4\x14\x4c\xb2\x8f\x5d\x17\xec\x54\xe6\x7d\x39\x69\x96\xb2\x72\xd5\x6e\x80\x72\x60\xa5\x9a\x9d\x5d\x33\x7b\x64\xdd\x5e\x45\xd4\x1e\xc8\x63\x1a\xa7\x74\xfc\xd3\xcc\x33\xf4\xfd\x39\x76\x13\x9e\x51\xb2\x93\x2c\xca\xf6\x19\x87\x05\x5f\xf9\x61\xe2\x82\x07\xf2\x20\x19\x4b\xe2\xf3\x22\x30\x4a\x40\x91\xe5\x25\x8f\x96\xb2\x35\x29\x60\xa4\xf6\x33\xb5\x12\x8a\x51\x4b\x16\x81\xf6\x89\x0e\x4f\xc4\x85\xb8\x9d\xad\xe4\x51\x6f\x55\x65\x53\x0c\xee\x1e\x28\xa1\x20\xaa\x0f\x0a\xe3\x08\xd6\x02\x95\x79\x15\xe2\x97\x68\xef\x07\xe2\x3e\x02\xc0\x1c\x02\xf8\x45\x74\x7f\xa6\x93\x04\x1c\xa6\x57\x94\x76\x97\xf4\x15\x8b\x87\xfc\xba\x20\x4a\x7a\xab\x51\x00\x70\x5a\x39\x93\x03\xd4\x2d\x88\xee\xd1\x29\x34\x4e\xad\x42\x61\x42\x14\x68\x96\x91\x3d\x21\xc5\x13\x98\x11\x4b\x7d\x7e\xe7\x04\xbf\x1d\xe4\x5a\x7e\x3b\x87\xe2\x41\x3d\xc9\x85\xbc\x01\x1e\x2e\xd5\x3f\x08\x85\xcf\x38\xd0\xa6\x5e\x20\xf1\x1b\x45\x62\x88\xe4\x92\xef\xda\x69\x0b\x96\xfa\x84\xc9\x92\x2d\x77\x3e\x92\xbe\xd1\x69\x23\x2a\xa6\x88\x7e\x55\x6d\x54\x4b\x44\xf5\xef\x71\xbe\x76\xf4\xc8\x28\x5f\x3b\x36\xca\xd7\x8e\xca\xff\xc3\x72\x86\x5f\x47\xe4\x5f\xd7\x8d\xf2\xb5\xeb\x60\x85\xcb\x4b\xc7\xa0\x45\xf8\x1c\xfc\x79\x6c\x94\x2f\x67\xd9\x51\xfc\xef\x11\xc7\x17\x98\xb1\x2e\x3b\xff\x58\xec\x30\xb4\x2e\xd8\x27\x77\xb1\x6f\x47\xfd\x5e\x8e\xf2\x5c\x0e\xee\x56\x02\xa0\xf9\x3f\xb3\x2b\x78\xd7\xc8\xb0\xbb\x36\x44\x54\x3f\x42\x98\xb0\x82\xe7\xa2\xac\xf2\x14\x17\xcc\x22\x26\xa5\xab\xca\x5e\x55\x6e\x2a\x8a\x69\x92\xc9\x71\x90\xfa\x40\x04\x23\x2f\x18\x92\xdb\x5e\x83\xd1\xf9\xf2\x9e\x3e\x2f\xc6\xa2\x62\x0c\xf2\x63\xb8\x72\xd5\x16\x8e\x73\xd5\xde\xed\x9c\xe4\xea\x9d\x21\x87\x38\xe6\xcc\xe6\xa5\x7e\x3f\xcb\x87\xbe\x6e\x99\x09\x34\x77\x0f\xe1\x08\x3b\x71\xd1\x4b\x22\x9d\x59\x36\x5a\xd1\x9b\x68\x83\xb8\x47\x51\x6a\x66\x22\xa5\x2c\x61\xf7\x3f\x9a\xa2\x83\x8b\x17\x66\xbf\xda\x62\xcc\x08\xee\xfe\xc7\x5a\x8f\xa6\xe0\x72\x8f\xae\x28\xf8\x75\xcf\x52\x17\xdc\xe0\x14\xad\x3c\x90\x12\x64\x3d\x08\x23\x8a\x92\xfa\x90\x4e\x6d\x98\x3b\x83\x7a\x49\x6c\x78\xa2\xe8\xa6\xd8\xba\x38\x48\xea\xda\x30\x49\xf0\xf3\x2d\xa6\x8e\x6a\xff\x13\xad\xe0\xfd\x2d\xf5\xa2\x25\x60\x39\x19\x65\x2f\xb7\x88\x75\x1b\x95\xbe\x05\x61\x6b\xf3\x53\x7d\xbb\xc7\x76\x93\x6c\x51\xd4\x85\x0b\x5b\x1f\xad\x0a\xa7\xd2\x38\x2d\x4a\x11\xb9\x8e\xe1\xff\xb5\x8f\xdd\x60\xc3\x12\xab\x32\x2b\xda\x11\x05\xcf\x87\x77\x65\x79\xfc\x60\x96\x96\x51\x32\x97\x75\x26\xe8\x9e\xc8\x01\x5d\xf3\x63\xfb\x82\x6b\x75\x10\x85\x7e\x0e\xfc\x06\x91\x7e\x72\x63\x88\xcd\x9f\x5c\xc9\x25\xb7\x63\x88\xcd\x8b\x74\xf6\x93\x1f\xd8\xce\x78\x6c\xdd\xbd\xb0\xb5\x29\x71\x05\x82\xb3\x03\x08\xce\x92\x85\xc0\xb9\x67\x67\x00\x9c\x7f\x39\x04\x80\xf3\x88\x97\x6c\x0e\x8c\x99\xf1\xef\x34\x30\x3c\x33\xec\x1a\x16\xb3\xc1\x76\x50\x07\xca\xfc\xc9\x1e\x76\xdb\xb0\x49\x74\x0c\x04\xc3\x70\x52\xc5\xbf\xab\x13\xec\xb4\x28\xf3\xb8\xbd\x80\x1c\xec\x3f\xb3\x27\xf8\xe2\xc8\x86\x8f\x58\xf6\x1f\x62\xae\x86\xe6\xd4\xb2\x74\x77\xe1\x0d\xb2\x22\x96\x99\x45\xbb\x3e\x0a\xa1\xf1\xb6\xa1\x4d\xcf\x15\xb9\xd8\xd1\xe1\x3c\xaa\xce\x4f\x39\x63\xc1\x0b\x04\xae\xd4\x94\x8e\x47\x42\xf3\x40\xbd\x65\x94\xaf\x88\x92\x1f\x12\xe1\x4a\xc8\x27\xe7\xce\x42\x24\xa6\xe8\x66\x79\xff\x70\xc8\x0d\x31\x9d\x89\xc5\x8d\xd6\x44\x0e\x54\xd8\x65\xb6\x22\x88\x88\x01\xe2\xb4\x30\x1f\x96\x1d\x33\x01\xee\x51\x28\x3f\xe4\x7c\x41\x0a\xf7\xf8\x5d\x78\x62\x2d\x55\x71\x82\x79\xc1\x6a\xdf\x97\x76\x90\xa4\x09\xbe\x32\x4a\x38\x0d\x81\x76\xee\x40\x2a\x34\xb2\x46\x64\x52\x05\xd1\xac\x01\x65\xc6\xd3\x2c\xef\xca\x0d\x44\xe4\x63\xf2\x9b\x55\x85\xc6\xee\x18\xf4\xb2\x4e\x11\x70\x75\xa0\x1a\x6e\xba\x00\x9b\x1a\x60\x94\x84\x9d\x50\xa0\x34\x71\x51\x7b\xf0\xa1\x8b\xde\x7e\x4d\x84\xe0\x1c\x0e\xff\xa1\xc5\x96\x98\xb9\xe7\x9f\x0d\xee\x32\x8c\x09\xf1\x20\x70\xc4\xba\x99\x1a\x6f\xa4\x0a\x62\xa5\x0f\xc7\x3a\x37\x89\x9e\xa9\x97\x6c\xd3\xf3\xc3\x04\xa9\xc3\x76\x9e\xc7\xe8\x63\xfc\x62\x03\x5e\x9a\xa6\x35\x80\xf3\x79\x11\xbb\xeb\x46\x9a\x41\x85\x43\x7a\x4f\x17\xed\xd8\x2c\x15\xcc\x82\x43\xc2\x7e\x63\x3f\xbb\xc5\x8e\x6d\x15\x79\x89\xf0\x16\x61\xc9\x8a\xe6\xe2\x42\xbc\x22\x65\xbc\x79\x9c\xec\xfe\x9b\xf7\x07\x07\xa7\x2c\x22\x65\xeb\x75\x5e\xe0\xa3\x6a\x61\x38\xe3\xf3\x47\x57\xf0\xb1\x57\x20\xfa\x8f\xe3\xa1\x79\xb7\x75\x68\xde\xb1\x43\x80\x3e\x7b\x83\x0a\x57\x7a\x85\xc7\xee\x1e\x1e\x35\xbe\xad\x95\x05\xa1\x4c\xb7\x83\x9a\x61\x2d\x29\xea\x5a\x1e\x97\x85\x48\x96\xc9\x44\xd4\xb7\xad\x05\x16\xfa\x2e\x64\x2f\xf0\x34\x24\x70\x9d\x9d\xbe\x5c\x2d\xc3\x50\xa3\xef\x9e\x12\x79\xbc\x56\x0b\x49\x47\xbc\x5f\xb9\xaa\x5b\x1a\x3e\xe2\xad\x6f\x2e\x3a\x2c\xfa\xf3\x5a\x74\x70\x1a\x53\x27\x80\x1f\xd6\xa6\x46\xc2\xa4\x7f\xde\xcf\xbe\xa3\x21\x6a\x9f\xf2\x67\xf8\xbf\xb3\x3f\xf8\x49\x4f\xa5\xd8\x28\x81\xe6\x20\x35\x19\x87\x34\xfa\xf3\x56\x84\x70\xa0\xf9\x6a\x54\xa1\xa1\x0a\xbe\x94\x55\x29\xe1\xa3\x80\x61\x00\x8c\x7f\xc4\xf1\x24\xf2\x7a\xea\xed\xa3\xe1\x4d\xa3\xbc\x97\x88\xa8\x10\xc8\x4a\xb1\x2a\xf8\x12\xa5\x67\xb6\xfd\x18\x3a\xe5\xbe\x52\xb7\xf4\x51\xe7\x6c\x9f\x5f\xb8\xb2\x7d\x5e\xd9\x3e\xaf\x10\xc1\x5e\x5e\x22\x58\x5b\x10\xdb\x9c\xd0\xa5\x9e\xb7\xe9\x8e\x45\x23\x6e\xd9\x69\xcb\x6c\x48\x8d\x5c\xf1\x1a\x7b\xe9\x7e\x71\xf8\x88\x77\x66\xf3\x8d\x72\xd4\xbf\xb6\x89\x01\x5e\xa5\x67\xaf\xa9\x51\x6f\xdf\xcb\x0e\x36\xb4\x7c\xba\xdb\x2b\xfb\x53\x71\x7e\x4f\x96\x54\x5d\x41\x1a\xd3\xdf\xef\x09\xaa\x79\x8b\xec\x4d\x41\xc9\x30\xc9\x4e\x96\xf7\x89\x60\x0b\x60\x8f\xd3\xb5\x5b\x6b\x50\x52\x01\x8c\xe3\x90\x65\x69\x3d\x15\x79\xb1\x1a\xf7\x28\x98\x0c\x88\x79\xe4\x3e\xb0\x30\x7d\x2a\x4e\xab\x0b\x80\x18\x5b\x12\xc9\x40\x1a\xa3\xbf\xda\xcd\x5e\xd4\x62\x7b\xba\xa2\x13\x57\x5d\xff\x11\x2f\xf8\x73\xef\x5e\xc0\x9c\x51\xdc\x02\xc1\x3e\x38\x3e\xa0\x95\x83\xa8\x7d\x9e\x68\x88\x54\x93\x14\x8f\x97\xf6\xb2\x07\x01\x39\x7f\xba\x22\x4a\x0b\x4d\x0e\x44\x2c\x34\x07\x0b\xfd\x2c\x16\x4d\xc6\xb9\x25\x61\x7a\x82\xf6\x85\x43\x0a\x63\x29\x35\xb4\xd3\xa0\xa1\x6d\x3b\x9b\x1c\x7d\xc6\x38\xf5\xdb\x35\x50\x41\x27\xce\xed\x25\xf6\xd5\x11\xb6\xbf\x88\x1f\x14\x48\x68\xf5\x1b\x23\xdb\xd0\xec\x43\x6d\xa7\x7c\x66\x15\xa5\x65\x5c\xf6\x83\x37\x8e\x2c\x66\x65\x94\xf0\xa8\x8b\x9c\x29\xcb\x84\xa2\x55\x1d\x9a\xdb\xd4\xf5\xd0\x95\x6a\x96\xd0\xe0\x62\x87\xca\x06\xa1\x6e\x8b\x88\xaf\x22\x43\x9c\x65\x1b\xd4\xbe\x65\xad\xb3\xea\x5e\xb4\x19\xdb\x2a\x08\x93\xc8\x52\xf7\x19\x53\xd1\xba\xd2\xf4\xc8\xcb\x05\x2f\xe1\x36\xac\x78\xb6\xe4\x9d\x05\xd5\x29\x96\xfa\x8d\xc8\x64\x74\x4f\xf1\xa2\xea\x02\x5f\x0c\xd6\x42\xd0\x6f\x72\xc7\x6a\x3d\x0f\x70\x90\x34\x9d\x6b\x53\x25\x8d\x13\x77\xae\x28\xd4\xa3\xfe\xf0\x2a\x25\xc3\xf0\xc0\xc8\x37\x0f\x7c\x55\x88\x7c\x0c\x88\x72\x07\x86\x9c\x7d\x62\x37\x3b\xd2\xc4\x17\x45\x29\xd0\xd3\x12\x97\xe9\x64\x12\xc5\x5d\x9d\xcb\xe6\x95\xbb\x83\x62\xc3\x27\x6c\x43\xba\x22\xe9\x68\x7c\xc1\x64\x2a\x2f\x80\x5f\x86\x84\x80\xe9\xde\xaa\xe8\x8a\x3c\x4a\xec\x4d\x42\xaa\xdf\xb2\xcf\x9d\x25\xfb\xd0\x2e\xf6\xc7\xf6\x69\xf0\x9b\x3b\x3e\x0d\xde\xec\x9d\x8e\x0c\x68\x12\xc9\xc2\x48\xd4\x55\x64\x25\x75\x8a\xac\xac\x87\x46\x18\xda\x5b\xe7\xee\x99\x44\xd0\x98\x4e\xe5\x13\x97\x21\x9f\x25\xf6\x08\x85\x96\x42\xf8\x17\xba\x6e\x01\x3f\xa8\x01\x58\xf7\x23\x4a\x98\x98\xf3\x8c\x97\x22\x64\xaf\x6f\x91\xa8\xff\xf2\xd6\x16\xb2\xfc\x35\xf6\x38\x48\xf6\x9f\x03\x5a\x3a\x37\x96\x44\xa9\xe7\x8d\x6f\xe1\x2c\x95\xc7\x16\x25\x44\x23\xf6\x3e\xfa\xf4\x2a\xc5\x34\x68\xb5\x4e\x80\x5e\x5a\x11\x65\xd1\x90\x24\xc6\x24\x88\x59\x54\xc8\x66\xd5\x31\xb4\x38\x9a\x27\x0c\x76\x5b\x41\x0e\x1a\x58\x7a\x21\xfb\xbb\x7d\x8d\xb3\xd8\xa5\x6a\x5a\xcc\xce\x8b\x74\x2e\xcf\xee\x47\xd0\xa6\xff\xf1\x7d\xc1\x9f\x7b\x1b\x3e\xe2\xf2\x8f\xf6\xf0\xba\x49\xda\xc7\x89\xf6\x8a\x97\xf2\x35\x6b\xa7\x02\xfe\x69\x5d\x08\xc1\xe2\xd4\x7a\x88\xd3\x42\x0a\xb2\xd1\x90\x52\x74\x07\x22\x71\x79\x95\x42\xd0\xd8\x72\x9c\x08\xa4\x35\x80\x71\x92\x87\x87\x22\xc7\x99\x98\x9b\x29\xf8\x21\x2b\x23\xe3\xc4\xdc\x0c\x49\x80\xf2\x8c\xd0\x80\xd4\xc3\x72\xfd\xf4\xea\x24\x3e\x1f\xde\xc3\x5e\xdb\x62\xfb\xa2\xaa\x13\x4b\x39\xc2\x7f\x51\x2b\xf8\x07\x6f\x82\x7e\x29\x83\x92\xce\xb7\xa9\x1e\x53\xd6\x25\x68\x72\xc8\x27\xa4\x58\x1e\xf7\x40\x8e\x84\x90\x24\xfc\x14\x40\x7e\x28\xea\x19\xa5\x34\x22\x86\x21\xb5\x99\x6b\x06\x00\x83\x8d\xd5\xa0\x28\x6f\xf0\xb5\x74\xfa\x92\x5c\x6f\xb5\x66\xd1\x2e\xa1\x63\x43\x23\xe5\xa7\x98\x6a\xa9\x70\xe3\xb2\x74\xc4\xf3\x11\xf6\x64\x71\xa1\x17\x63\x4e\x6a\xc5\x06\xfa\x53\xc8\x06\x7a\xe3\xf5\xc1\x2b\x46\xa6\xeb\x77\x0d\xa5\x0e\x48\xd0\xb8\x82\xb5\x6a\x03\xd3\x35\x2e\xfb\x86\x9a\xae\x61\xf4\x43\x3e\x51\x98\x4f\x91\x87\x5b\x9e\x45\x80\x9f\x37\x6d\x41\x98\xbf\xdc\xe6\x13\x51\xd2\xa4\xe3\xbd\xa4\x5a\x89\x89\xc0\x13\xde\x41\x78\x3f\xcf\xb3\x52\x67\xbb\x69\xae\x70\xd1\x2a\x0c\x01\x2d\x00\x35\x29\xf3\x3e\x61\x5d\xad\x22\x68\x86\x2e\xdb\x3f\x0a\x9e\x25\x1d\xc5\x44\x73\xf3\x11\xde\x13\x79\x9b\xe6\x81\x3c\xf8\x30\xe4\x31\xe3\x49\xbc\x06\xf1\x9d\x1b\xbc\x7c\xec\x7a\xbe\x9a\x55\x79\x11\x3a\x6c\x95\x70\x0d\xb5\x38\x25\x12\xa9\xd0\x9a\xa3\x47\xe4\x39\x5d\xc9\xa3\xce\x21\xc0\x59\x65\x30\xcf\xfd\x73\xc1\x82\xa2\xa2\x82\x05\x25\xff\xd6\x7c\x3f\x34\x1f\x50\x20\x41\x6d\x48\x3b\x3f\x13\xc5\x2e\xe5\x4e\x2d\x58\x9b\xce\x2c\xf9\x8d\x11\x76\xdd\x26\x56\xd2\xe9\x0b\xa8\x8f\x92\xf5\x1f\xcd\x21\x6f\x1d\x09\xd2\xa6\x1b\x0e\x94\xd9\xd8\xe8\x75\x0a\x84\x48\x25\x24\x21\xcf\x00\x04\xf3\x14\x45\xd6\x8e\x61\x77\xa5\xb5\xd5\xb7\xf3\xb3\x66\x8a\x8c\x6f\x0f\xbe\x73\xd1\xdb\x4b\xc5\x3a\xfb\xc0\x2b\x5a\xec\x61\x8f\xa9\x5b\x7e\x7f\x83\xc0\xb0\xe1\xb6\x60\xa0\xa8\x23\x03\xcd\x4d\xaa\xf1\x74\x92\x36\x7d\x51\xa3\x45\xf8\x21\x8f\x51\x53\xfd\xfe\xf0\xb3\x7c\x83\x56\xcc\xe8\x25\x1e\xdc\x4c\xfd\xa4\x57\xbd\x63\x96\xa6\x9b\x4b\x7d\xb4\x98\x63\x08\x14\xc6\xad\xb0\x5f\xdc\xc5\x36\xab\x6d\x2e\xeb\x14\x8e\xdb\xe7\x95\xbb\x82\xaf\x7a\xf5\xab\x1b\x7a\x7a\xa8\x05\xdb\x76\xd3\x38\x36\x21\x88\xc7\x8d\xe0\xac\x29\xc6\x88\x14\x58\x74\xc6\x7a\x22\x1f\x43\x76\xe2\xc3\xe1\x65\xf3\xe0\x50\xaa\x22\x6b\x36\x35\xd9\x87\x5e\xd4\xfa\x16\x19\xc5\xc7\xd9\xb9\xf1\xf6\x5b\xd8\xff\xaf\x41\x2c\x41\x71\xc6\x7f\xf8\x96\xe0\x3e\xfc\xd3\x95\x33\xe4\x67\x74\xd4\xc6\xae\xd4\x04\x87\x3b\x0c\x71\xed\x04\xf9\x4b\xfb\x8d\xee\xa3\xc6\x68\xe6\xd7\xdc\xcc\x5e\xe5\xb1\xbd\x0f\x54\xd9\x52\xbf\x14\xfe\x43\xde\x16\x52\x5f\x3f\x13\x1f\xb6\x25\xf1\xe0\x6e\xba\xe8\x36\x5c\x5d\x24\x25\x0f\x9b\xb2\x9a\x15\xa5\x4a\x52\x1f\xe5\x02\xd9\x8c\x21\x8e\x32\x5e\x16\xf2\x74\x60\x6f\xf5\xd8\xfe\xe8\xc1\x2a\x17\x27\xe3\x44\xf8\xaf\xf1\xd8\x8d\x9b\xb6\x69\x42\x3d\xee\xb4\xea\x5e\x7d\xd9\x69\x57\xca\xe1\x3a\x87\x1b\x24\xef\x35\xb4\x11\xb8\x26\x63\x79\xce\xd0\xf1\xa8\x7b\x92\xfd\x4f\x8f\xed\x69\xc7\x69\x47\xe4\xfe\x27\x37\xe2\x09\x56\xcd\x9b\x84\x67\x9d\xb6\xbd\xc2\xc3\x8b\x6e\x8f\x61\xa1\x6a\xac\xa3\xb2\x94\x87\x3d\xaa\x03\xd0\x0a\x0c\x2b\xa3\xe3\xb9\xc0\x76\x92\x16\xd3\xa8\xf5\xd3\x9e\xa0\x2c\xd7\xe3\xdd\x7e\xf1\x40\x32\x86\xb5\x8c\xf5\x3a\xe3\xf3\xd3\x13\x53\xa7\xa7\xc3\x6e\x87\xbd\xd4\x03\xff\xe4\x72\xbc\x72\x3a\xea\xf9\xcf\xdd\x42\x9f\x4f\xaa\xa7\x9d\xef\x9a\xd0\x97\x6b\x5f\xa6\x2f\xd3\xd8\x83\xb0\xd6\x23\xaa\x2e\xc2\x5f\x41\x41\xec\x97\x3c\x36\x92\x2e\x17\xfe\x47\xb6\x92\xa6\x72\xf6\xe4\x82\x53\xff\x4b\xbc\xd9\x93\x0b\xb5\xe1\x96\x57\xb6\x37\x07\x77\x6a\x41\x49\x97\x0b\xf6\xab\x1e\x7b\x4a\x6f\x35\x2b\xb3\xd4\x28\x2e\x53\x71\x71\xde\x7f\xbf\xc7\x26\x36\xd7\xd5\x1a\xde\x74\x3e\xb4\xd7\xf4\x84\xdb\xe7\xf8\xc4\xa4\xa1\x8c\xef\xe9\x87\x79\x47\x3e\xbd\xad\x09\xc6\x3e\xbc\x9f\xed\x17\x4a\x11\xf7\x7f\x76\xff\x16\xe6\x48\xa3\xde\x1e\xfc\xcd\x3e\x7d\xbd\x96\xd1\x01\xe7\x3d\x51\x39\xf3\xd5\x28\xed\x24\x0a\xc8\xac\x42\xb7\x95\x89\xa8\x93\xc7\x52\x46\xc7\x93\x0c\xde\xa3\xf1\x6b\xf7\xdb\x94\x94\xd0\xe6\xc7\xcc\x74\x86\x70\x74\x44\xc4\x25\x1f\xd3\x98\x6d\x2b\x6b\xa9\xc5\x2e\x0b\xa9\x0f\xa4\xf0\x4b\xe8\x83\x8e\xec\x13\x15\xff\xa5\x1e\x00\xb7\x45\x37\x5b\x13\x9d\x90\xb1\xb3\x05\xcd\xe4\x78\xf9\x38\x8f\x0e\xa3\xb7\x83\xf6\xed\x82\x43\x74\x64\x8a\x04\xfb\xeb\xab\x20\x54\x52\x21\x79\x95\x16\xa3\x7c\xe9\xb0\x4a\x87\x85\x5c\xc5\x08\x59\x50\xc6\x4c\xc8\x17\x99\x0b\xf9\xf9\x3a\xab\x60\x91\x46\xbd\x62\x35\x2b\xa5\x20\xdd\x8e\x7a\x51\x3b\x2e\xfb\x8c\x73\x29\x01\xb4\xcf\x03\xb7\x61\x2e\xa8\xc6\x51\xd6\x3e\x4c\x86\x5e\xbb\xff\x1c\xc0\x1d\x2f\x57\xf3\xac\x5a\x59\x05\xaf\x03\x3e\x05\xa9\x83\xe8\xf3\x1b\xdf\x27\x1b\x6b\xc1\x3b\xfd\x34\xea\xc6\x6d\xad\x80\xe4\x19\x12\xe1\xa3\xa7\x02\xca\x95\x4d\x1b\xa6\xc6\x1f\x2a\x84\x68\x36\xf3\xa0\x1d\x2f\xcb\x85\x7c\xdd\xf6\xee\xd1\x62\x6e\x67\x69\x4a\x9a\xb5\xb1\xcb\xe9\xdd\x04\x6c\xb5\x50\x71\xda\x69\xae\xfa\x30\x0d\xdc\x10\x7b\x54\xae\x28\x4a\xd0\x75\x95\x76\xb2\x7c\x4c\x19\x4a\x50\xd7\x06\xe8\x29\x8d\x12\x66\x40\xc0\x92\xe0\x46\x92\xa5\x2b\x4a\xa1\x41\xa3\x9d\x9a\xa1\x68\xd9\x92\xd2\xe0\x5a\xdc\xa9\x10\xdd\x46\x4d\x99\x5c\x98\xc1\x97\xe3\x95\xd5\x72\x6c\x5d\xc8\x7f\xc8\x42\xaa\x17\xa0\xae\x92\x34\x28\xf9\x8e\x19\xd3\xae\x50\x36\x7e\x65\x68\x00\x03\x55\xd4\xe7\x63\x5c\xf6\x34\xa0\x49\xb3\x76\xd5\xb5\xbd\x6d\x70\x11\x8b\x50\x7d\xee\x3a\x70\xd9\x04\x4c\xd7\x76\x94\x82\xc5\x01\x30\x9d\x18\x8a\x9d\x2d\x37\xb4\x8c\x10\xb1\x6a\xcb\xd1\x97\xad\xe0\x75\x60\x6c\x64\xcc\x64\x36\xc0\x20\x45\x5c\x06\xa8\xe0\xcb\x55\x63\xb0\x3c\x7a\xf1\xdd\x29\x52\x91\xc7\xed\xda\x94\xd1\xaf\xae\x90\xd5\x51\xa4\xf2\xb5\x4e\xc8\xbe\xe4\xb1\xfd\x2b\xb8\x87\x2c\x17\xfe\x67\xb6\x22\x55\xdc\xa9\x1e\x77\x76\xaf\x57\x79\xfa\xba\xbb\x7b\x99\xcb\xdb\x3b\x6c\xb6\x74\x72\x53\xe7\x8d\xeb\x4f\xb0\xce\xee\x5f\xf6\xd8\x48\xbe\xd4\xf1\xff\xfb\x56\x0e\xcc\xf9\x13\x53\xce\xe7\xbc\xdc\x9b\x3f\x31\xe5\x7e\xc8\x7c\xd4\xc9\x0a\x7e\x22\xc9\xda\xe7\xf9\x94\x18\x22\x1e\x5d\xb6\x2f\xca\x97\x6c\x39\xe4\xc7\x95\xf0\x07\x47\xe5\x2b\xb7\x2c\xfc\x0d\x9c\x8f\x8b\xfa\x72\xa3\xf0\x37\x15\x95\x11\x87\xbb\xdb\x92\xfc\x7e\xc2\x63\x07\x3a\xd9\x7a\xba\x1e\xe5\x9d\x89\xb9\x19\xd9\xc0\x9b\x37\x6d\xe0\x94\x79\xc1\x69\xe2\xbc\x75\xc3\x6e\xa4\xaa\x00\x2c\x77\x06\xc3\xa0\xcf\xb0\x8d\x84\xa7\x5f\x6e\xb1\xbd\x2b\x71\x39\x2f\x7a\x99\xff\xd1\xd6\x16\xc4\xf9\x3b\xf1\x61\xa7\x61\x0f\xb7\xe8\xaa\x3b\x2f\x56\x30\xb5\x42\x56\xc4\xe0\x66\x03\xaa\xdd\x5e\x94\x97\x71\xbb\x4a\x22\x29\xc9\xe2\x8e\x1f\x72\x93\x76\xf7\x38\x57\x25\x39\x99\x75\x43\xbe\x98\x99\x23\x02\xc5\x43\xd2\x58\x28\xa6\x49\xd5\x35\x4a\x83\x10\xa5\xc6\x33\x03\x26\x51\x60\x2f\x88\x4b\x8d\xaa\x24\xe6\x84\x24\x53\x30\x03\xf9\x36\x01\xfc\x56\xe2\x52\x45\x02\xe1\x88\xae\x8a\x5a\x69\x25\x92\x50\x1e\xb4\x32\x19\x85\x72\x2e\xee\x05\x3d\x7b\xe6\x8c\xff\xea\xad\xa8\x46\x0b\xf8\xb0\xd3\x97\xdf\x4b\x17\xdd\xae\x54\x17\x07\xb6\xc7\xa1\x32\x99\x65\xc2\x81\x8c\x17\x21\x7b\xdd\x08\xdb\x27\xe7\x2b\x90\xad\xbf\x64\x84\xdd\xb0\x69\xfb\xee\xa2\xa7\x9d\x06\x7e\xae\xa5\x2e\xd7\xcd\xdb\x62\x4c\xa7\x28\x01\x1b\x58\x96\x5b\x4e\x56\x7b\xc1\x90\x84\xa8\x05\x37\x7c\x0a\xc2\x1d\x7a\x59\x61\xa4\x30\xd3\xb7\x3a\x97\xcd\x8a\xdc\xc6\x21\x34\x42\x87\x71\x90\x5d\x3b\x5a\x81\x86\x28\x93\x35\xef\xe5\xf1\x5a\x9c\x08\xb0\x50\xac\x02\x50\x05\xd9\x9e\x2d\xb7\x49\x99\xe9\xc3\xad\xae\x1a\x15\xa5\xed\x6c\x03\xa9\x6f\xf6\xcc\x22\x08\x47\xb0\x7e\x76\xec\x34\x95\x15\xf6\xa2\x72\x95\xbd\xc7\x23\x14\xe6\x3b\xbd\xe0\x8d\xde\x3d\x4a\x34\x45\x3e\x75\xed\xc6\xe5\x53\xb3\x0b\xcf\x39\x35\x71\x62\xfa\x14\x0c\x74\x95\xc6\x0f\x54\x98\xcf\xdb\x52\xd9\xb7\xdb\xa6\x6c\x4d\x6a\xb3\x62\x7d\x9c\x38\x74\xc6\x64\x79\x63\xe4\x52\x1b\x87\x08\xc9\xf1\x6b\xe0\x1f\xdb\x68\xf9\xee\x16\xfb\xb6\x5e\x93\xf0\xe3\xbf\xb6\xc5\x4e\x5c\x9a\x57\xc9\x99\x61\x9f\xf5\x36\x7d\xc6\x9d\x7a\x3a\x44\x0c\x01\x4d\xcd\x92\x19\xf5\x13\x88\x11\x86\x3c\xe6\x52\x87\xd1\x74\xc0\x98\x1a\x51\x73\x09\xaf\xb4\x65\xb5\x05\x7b\x47\x8b\x3d\x79\xa5\x2d\x6a\x4a\xdd\x2b\x5b\x1b\x58\x48\xf5\x5e\x3b\x39\xbd\x81\x46\xf7\x59\x6f\xe0\x7e\x4d\xc0\x98\x9c\xe6\x74\x55\x03\x7e\x28\x1b\x80\xda\x34\xa0\xbf\x48\x7d\x3b\xe8\xea\x6f\x26\x5e\xb2\xb6\x2a\x2f\x65\xa6\xd5\x67\xff\x4a\x5b\x98\xee\x92\xba\x25\xfb\x0b\x8f\xed\x8e\x8b\x76\x11\xfb\x7f\xe0\xb1\x63\x9b\x76\xcd\xcc\xc2\xe4\x82\x7b\x3a\xbe\xdb\x83\x6b\xb5\xd3\x1b\xaf\x3d\x86\xbd\x30\x4c\x6c\x81\x6f\xb3\x04\x97\x4f\x7a\x6c\x4f\x21\xda\xb9\x28\xfd\x0f\x6d\xc5\x26\xb4\x00\xcf\x3a\x5f\xfc\x42\x0f\x2f\xba\xa3\x8e\x85\x6e\x7a\xf2\xef\x78\x08\xb1\x1e\xf6\x6e\x8f\xb1\xe5\x44\x5c\x20\xa3\xe4\x5b\xbc\x2d\x64\x1e\x3a\xa9\x9f\xa7\x2f\x59\x35\x57\x6a\x22\x04\x4a\xed\xea\xb0\x1b\x18\x42\x2d\x13\x88\xce\xb8\x1e\x4e\x3c\xc4\x23\x39\x64\xa2\x4d\xec\x4a\xe8\xe0\x0a\xd9\x7f\x6e\xb1\xa7\x44\xeb\xc5\x74\x12\x15\x65\xdc\x06\x99\x75\xa1\xcc\x72\xe1\xbf\xa9\xb5\x05\x2b\xcb\xc4\xbd\x0b\x03\x6f\x3a\x1f\xf2\x6b\x5e\xd3\x23\x75\x89\xf2\xde\x85\x6f\xd5\x75\x19\xad\x17\x02\x5b\xbf\x24\x5b\x2f\x6f\x0b\xf6\x21\x8f\x8d\xc8\x85\xf9\xbe\xad\xe8\x0b\xf5\x65\xf9\x83\x72\xfd\x1d\x32\x62\xd7\x02\xd9\x03\x66\x52\xa9\x96\x44\x6d\x71\xd8\xee\x1d\xa3\x14\x2a\xbb\x41\x83\x71\xa7\x2d\x72\xc0\x56\x08\xf2\x80\x59\xba\x6c\xc1\x0f\x9d\xb0\x34\xc2\xc3\x21\x7b\x99\xc7\xf6\x6b\xcf\xbb\xff\x83\x5b\xd0\x0f\xe6\xd4\xd3\xce\x77\x4c\xcd\x00\x87\xb3\x0a\x0b\x8e\x53\xd0\xf3\x2d\x8e\x11\x58\x0e\xc5\x28\x59\x2e\xbb\x51\x4f\xd9\x41\x2c\xe9\x5c\xae\x96\xab\xd7\x8a\xde\xaa\x50\xf3\xc6\xbf\xe8\x6d\x10\x7f\xa6\x2d\xfe\xf4\x4a\x9c\x97\x55\x94\x0c\x9c\x04\xf7\xde\x63\x17\x59\xb3\x91\x2d\xc0\xad\x4b\xb2\x11\xb3\x37\x7b\x6c\x3f\x0d\x44\x56\xf8\x2f\xdb\x8a\x76\x45\xe3\x7b\xc6\x35\xb3\x3e\x53\x5f\xae\xc9\xb5\xfa\xf2\xb6\xc5\xd9\x97\x7b\x6c\x4f\x5b\xf4\x56\x97\x0b\xff\x05\x5b\x32\xaa\x8b\xde\x6a\xcd\xf8\xfb\x0c\xbc\xe6\x36\x49\x5e\xe3\xdb\xb6\x00\xb3\x5f\xf7\xd8\x3e\x41\x3a\x82\xff\xcb\xde\x16\xa4\xeb\x26\x20\x63\xf0\x2a\x4f\x2b\x1a\x4e\xab\x4a\xd1\xed\x65\x90\xce\xdc\x88\xd4\xdb\x56\xa9\x2f\x05\xd4\xc7\xde\xe5\xb1\xd6\x72\xdb\xff\xa9\x8d\x72\x99\xe8\x8d\x7d\xd2\xb5\x39\x9f\x9c\x74\xbf\xe2\x64\xbc\x94\x0b\x3e\xb9\x1a\xa5\xa9\x48\x1e\x85\xed\x8f\x7d\xda\x63\x7b\x97\xe5\xce\x25\x72\xff\x23\x5b\x51\xc1\x4e\xe2\xc3\x4e\xb3\x1f\xf2\xe8\x6a\xad\xf1\x74\xb1\x3e\x53\x37\x68\xac\xca\x48\x22\x7a\x22\xed\x14\x6a\x32\xa9\x82\x28\xb9\x9e\x46\x56\xa0\xe3\x94\xf2\xcc\xb0\x77\x7a\xec\x09\xbd\x2c\x2f\xd7\xb3\x5c\x1d\xae\xaf\xdd\xca\xb4\x9a\x73\xde\xa1\x4f\x7a\x96\x7b\xb5\xa6\xb9\xd1\xbd\x4b\xdb\x23\xfe\xf6\x49\x2c\x68\xca\x75\x19\x89\x6e\x96\xea\xdc\x2e\xfe\xaf\x3c\x29\xb8\xbd\x76\xad\x4e\x85\x6c\x13\x84\x57\x94\x28\xa2\x03\xaf\x50\xf4\xdc\x53\xe9\x09\xcc\xda\xba\x40\xd1\x0a\x9d\x8b\x9e\x8f\x0c\x23\xa7\xe3\xa2\x30\x17\x9f\x4a\x29\x72\x06\x9e\x3e\x80\x4f\x43\xde\x63\xc7\xbd\xf9\x33\x4f\x64\x6f\xf2\x98\x7d\xdb\x7f\xa9\x4e\xc5\x5a\xb8\x99\x58\x61\x17\x72\xa4\xac\x25\x93\x23\x08\x2c\xa3\xd8\x72\x88\x41\x56\xb1\x88\x76\x8e\x4a\x65\x40\x35\x8f\xe9\x0c\x43\x69\x07\x13\x15\xbb\xb0\x94\x4f\x7a\xec\xc9\x58\xff\xd9\x54\x1b\x38\xfd\xf7\xea\x06\xbe\xd9\xbb\x0c\x2d\x4c\x2d\xeb\xf5\x90\xa6\x19\xe3\xea\x21\xcc\xef\x0c\x67\xa2\x02\xd5\x14\x3d\xd1\x0e\x6b\x59\xa5\xdd\x84\xcb\x7f\x87\x94\x56\x18\xf3\x53\xf8\xff\x97\x17\x9c\x9a\x77\x27\x02\x85\x62\x98\x8a\x30\xf5\x0f\x61\x27\x61\x5e\xe8\xa9\x74\xb0\x46\x2c\xef\x44\x77\xdf\xc4\x6e\xd8\x4a\x5a\x56\x55\x96\x66\xad\x7f\xc4\x3b\xc8\xfe\xff\x0d\xe9\x54\xbb\x22\x5f\x11\x63\xe7\x45\xdf\xdf\xeb\xef\x06\x4f\x81\x7c\x72\xc3\xc4\xab\xfb\xfc\x3d\xf0\x16\x63\x7f\xe0\xb1\x21\x13\xd8\xff\xb4\x1e\xc4\xf7\x0d\x1f\xc4\x5a\x12\x2a\xc2\x30\xd5\x47\x11\x58\x1c\xaa\x9e\xde\x1a\xf3\x2a\xad\x0d\xe6\xb6\x8f\x86\xf5\x2c\x3f\x9f\x64\x51\xa7\x18\x37\xe9\xa4\x8b\x71\x2c\xb0\x10\xe5\xb8\x33\xba\x9f\xf1\xd8\x13\xb1\xf9\x13\x7a\x8e\xfe\xbc\xfe\xbc\xb7\x5d\x8e\x39\xba\xf5\x55\xb4\xd3\xa9\xfa\x15\x8f\x35\x6c\x2d\xfe\xff\xd0\xdf\xf3\x73\x5b\x1b\x2e\xb7\x89\xa3\x7c\xa9\x2a\x0d\xa5\xe4\xe3\x38\x58\x7f\xe8\xb1\x27\xb4\xb3\x24\x01\x15\x6a\x52\xee\xf4\xfe\x17\xf4\xb7\x7d\xd8\x9b\x54\x68\xfb\xd5\xa8\x58\xe5\xfa\x41\xc3\x2e\xa6\x57\x0e\xfa\x55\xf5\x4f\x3b\xef\x78\x55\x40\x8f\x68\xae\x9d\x88\x32\x48\x26\x64\xcb\x5d\xcb\xe2\x0e\xa4\xcd\xeb\x8a\xf6\x6a\x94\xc6\x45\x17\x9d\x36\x71\x09\xd6\x36\x40\xf1\xa1\xb7\xd5\x04\x27\xab\xfa\x53\xb1\x2e\x37\x0a\xe3\xb2\x9e\x57\x36\x65\xe7\x33\xbf\xee\xb1\x21\x87\x81\xff\x65\xfd\xb9\x9f\x80\xa1\x2c\x21\xce\xe0\xd2\x26\xe8\x21\x24\x78\x95\x77\xf0\x35\x48\x70\x0a\x86\xcd\xe6\x37\x0e\x3f\xba\xa3\x9b\x30\x5f\xe5\x4c\x03\xef\x17\x32\xf1\xdc\xa3\x20\xa8\x13\x8b\x6e\x8a\x35\xb2\xad\xa2\x77\x4f\xe5\x5a\xa3\x94\x68\xe6\x18\xb6\x86\x36\xac\xd5\xf6\x54\x0a\xf2\xaa\xf7\xf1\xbc\xea\xe2\xa7\x6f\xd2\xc3\xf6\x92\xa1\xb2\xac\xde\x72\x6a\xfb\x94\xc7\xae\x19\x4e\xd4\x01\xe6\x72\x20\xa3\x7d\xab\x17\x1c\xd7\xbf\x6a\x7c\x40\x51\x89\x01\x57\x82\xce\x14\xc4\xc8\x59\xe1\x8c\x6e\x74\xcf\x59\xb6\x60\x25\x91\xbf\x53\x7d\xd4\x31\x95\x89\xcf\x7c\x52\x9c\x16\x90\x09\xd2\x2c\x14\x28\x5a\x07\x4b\x39\x5f\xf2\xa7\x8c\x1d\xb2\xbe\x04\x59\x83\x29\xe7\xf6\x54\x5c\xe4\x15\xf0\x15\x9c\xa8\x3a\x2b\xa2\xf4\x3f\xca\x82\xd5\x86\xeb\x2a\x57\xa8\x8e\xfe\x44\xd8\x02\x22\x54\xa3\x0b\xbc\xa3\x9f\x27\xb7\x07\x42\xca\xdb\x91\x02\x95\x47\xf5\x14\xb7\x59\xc7\xa5\xab\xf9\xfd\x7d\xff\x7b\x46\xcd\xbd\x44\x05\x3f\xff\xd0\x06\x01\x11\x1b\x8e\x09\x04\x44\x4c\x2c\x6c\x27\x47\x63\x43\x29\x21\x20\x1e\x29\xda\xb9\xcf\x6e\xbb\xc4\xb6\x20\x76\xf6\x96\xd3\x5b\x49\x9c\xd8\xd8\x8a\x2b\x71\xb9\x57\xe2\x72\x1f\xaf\xb8\xdc\x47\xbc\xe7\x6c\x1e\x43\x7a\x9b\x7f\x7c\x8c\xe2\x46\x1b\x26\x70\x2d\x86\x94\xab\x68\x53\x5c\x35\x8c\xbd\xf7\x2a\x27\xa1\x8e\xce\x44\x2a\xc5\x91\x74\xe5\x2c\x74\xc6\x94\xe8\x25\x59\xbf\x2b\xd2\xd2\x7f\xfe\x55\xc1\x4d\x70\x70\x00\x3d\x28\x6a\xeb\xc3\x16\x76\x8e\x65\x50\x8f\xba\x47\xc7\x07\x0e\xb0\xaf\xee\x66\xfb\xba\xd1\x85\x85\x2a\x5f\x11\xfe\x97\x76\x6f\x75\xf7\xac\xca\x38\x09\xe3\xb4\x2c\xca\x3c\x9c\x49\xcb\x33\xf9\x02\x74\x55\xf0\x86\xdd\x76\x6c\xa2\x93\xb6\xb6\x70\xf6\x78\x2d\xb5\x12\xc9\xa8\xdd\x7c\xf7\x35\xc8\x7e\x50\x09\xf5\x62\x94\xf2\x68\xa9\xc8\x92\xaa\xd4\x02\xee\x21\x71\xe1\x38\xbf\x01\x42\x47\x23\x15\xa8\x41\x34\x84\xaa\x48\xa8\x1f\x9e\x3b\x7a\xe4\x69\x8a\xa5\x5e\x96\x48\xf3\xed\x08\x8f\x97\xf9\xe9\xe8\x82\xa5\xc2\xca\xf5\x71\x24\xe4\x13\xb5\xca\xe0\xbd\xa4\x4d\xa9\x59\x61\x8e\x5b\x55\x2e\xf5\x79\x9e\x55\xc8\x7e\x50\xf5\x5c\x0a\xf3\x63\x37\x3c\x2d\xe4\xd3\x2a\x5f\xfd\xba\xce\x66\x12\x17\x20\xc0\x94\x19\xbf\xee\xc8\xd3\x46\x95\x00\x69\x27\x8f\xd4\x7d\x06\xa7\x75\xd5\xe3\x71\xb7\x2b\x3a\x71\x54\x8a\xa4\x6f\xa0\x44\xee\x48\x6b\xcc\x1f\xf0\x8e\xea\x68\xcb\xba\x98\x93\x25\xa8\xc1\xc8\x1a\xa1\x93\x3a\x19\xf4\x89\xb8\xd0\x16\xa2\xc3\x8f\x5e\x77\xe4\x69\xf5\x7e\x0c\xf9\x19\x08\x62\x4a\xa8\x5b\x41\xf9\x59\x12\x22\xe5\xe7\xe3\x24\x11\x9d\xd1\x4d\x9b\xbf\x5c\xe5\xe5\xaa\xc8\x47\x31\x13\x0b\x6e\x36\xb2\x7d\xb5\xb6\xa9\x50\x31\x3b\xbf\x31\xc0\x5a\x3b\xea\x25\xb5\x51\xa0\x95\x0e\xa5\xc6\xc6\x26\xb3\xcf\xed\x66\x4f\xe8\x3a\xe3\xeb\x7f\x68\xc7\xb3\xfd\x1b\xbb\xb6\x38\xdb\x2b\x6b\x5a\x0d\x34\xfe\x51\x99\xe0\x97\x3e\x6d\x3b\xd9\x7a\x3a\x7c\x81\xc0\x46\x41\x4b\xe3\x12\x27\xb7\x9c\x38\x43\x67\x47\x87\x38\xc1\x6e\x1a\x1c\xc4\x6d\xcc\x7a\x9a\xa2\x7a\x52\x83\x04\x2f\xd5\xe9\xd1\x2d\xd4\xae\x67\xa7\x4d\x41\xac\xd8\xaa\xaa\x5e\xc3\x02\x1d\x98\xc8\x0d\x0b\x0d\xdb\xa1\x67\x41\x04\xe9\x8a\x60\x3a\x17\x43\xe7\x33\xda\x03\x1a\xba\x22\x64\xdf\xd8\xb7\x49\x88\xd6\xd1\xb0\x91\xc3\xed\xe3\xfb\x82\xcf\x8c\x5c\xa1\x6e\xfb\xdf\x8c\xba\xcd\x39\xd5\xbf\xb2\xeb\xb2\x30\xa8\xfd\x95\xc7\xbe\x1d\x6b\x9e\xc0\x9e\x3d\x5b\xc6\x49\xfc\x20\x6a\xeb\x5f\xd4\xf6\x89\x8f\x7a\xc3\x1e\x52\xb5\x3a\x01\x45\x2a\x3a\x15\x9f\x1e\x68\x0c\xcd\x2f\x2b\x99\x58\x2e\x12\xb1\x16\x41\x30\x63\xa7\x18\x35\x72\xa7\x20\x93\x8d\xbb\x1d\xba\x81\xaa\x4e\x95\xba\x0e\xa5\xfc\xc2\x42\x72\x74\xde\x9f\x6a\x31\xdf\xf9\x1a\xd8\x98\xfd\x97\xb7\x76\x46\x13\xf1\x2b\xde\x60\xa1\x8f\x4a\xe7\x40\x87\xe4\xd1\x3a\x15\x77\x88\xe8\x8e\x40\xd5\xd9\xb0\xaf\x0e\x8f\xf2\x22\xee\xc6\x49\x94\xab\xe5\x41\xb3\x91\xaa\x54\x0a\x40\xbf\x27\x42\xf6\x5f\xaf\x72\xd2\x3c\xe7\x4b\x51\x9b\x84\x55\xa1\x58\xa0\x5e\x73\x55\xf0\x0b\x2d\xeb\x82\x81\x42\x41\x0b\xb3\x44\xa0\xb1\x51\xa7\x6e\x53\xbc\x04\xb1\x5c\x91\x33\xb8\x2d\x1b\xf8\x54\xc4\x65\x59\xcd\x50\x29\x3c\x14\x29\x29\x88\xfd\x18\x85\x94\x5a\x98\xaa\x99\x92\x47\x1d\xc8\x9d\x93\x39\x08\xfc\xb5\x38\xe2\x0b\x95\x62\x6c\x50\xb9\x0a\xa0\x70\xfb\xb1\xa5\x3e\x11\x58\x58\xb7\x4b\x4c\x8c\x55\xf0\x38\x0d\x39\xb7\xbe\x98\x82\xfd\x31\x6e\xce\x6a\xac\x5c\xd4\xb0\x89\x08\xcc\x49\x15\x93\xe9\xc3\x34\xf3\xa2\xb7\x57\x76\xd0\xbc\x58\x76\xc9\xa9\xf6\xb1\xdf\xf5\x98\xba\xe5\xff\x1f\xde\x06\xb9\x98\xed\x21\x99\x17\xcb\xc1\x7f\xf0\xe8\xaf\x0d\xfb\x55\xed\xbf\x97\xd4\xb5\x38\x9d\xac\x6a\x48\x6e\x90\x93\x37\x59\x93\x42\xa1\xbc\x3f\x51\x95\xc0\x83\x2b\x72\x0c\x7b\x46\xf6\x75\xc0\xc4\xe4\x79\x96\x87\xec\x61\x8f\xed\x2b\x68\x28\xfc\x0b\xc1\xd3\xf5\xb0\xac\x66\x89\x14\x06\xcd\x34\xa2\x79\xaa\x88\x36\x48\x14\x50\xc9\x18\x41\x9f\xdc\x7a\xf2\x6a\xd5\x61\x54\xdd\x15\x73\xc3\x15\x73\xc3\xe3\x47\x03\xb6\x6a\xd9\x33\xbf\x7f\xa7\xe6\xcc\xef\xdc\xc0\x9a\xf9\x88\x77\xff\xe6\x86\x8d\x3b\xfd\x69\x4d\x8e\x05\xcb\x24\xa2\x35\x8c\xc1\x34\x35\x2e\x41\x6b\x07\xac\xf3\x66\xfd\x1c\x63\x77\xdb\x12\x6b\xa7\x1b\x17\xf2\x6e\x2e\x56\x62\x70\x4b\xca\xe2\x14\x4f\xa2\x62\xce\x4f\x57\xee\x15\x4b\xab\x59\x76\x7e\x92\x52\x21\xc0\x63\x40\x76\xfe\xbb\xfb\x83\x33\x9b\x3f\xe6\x66\xb7\xdf\xf8\xf9\x66\x46\xf4\x3f\xbb\xc2\x0a\xb8\xe3\xed\xe0\xcd\x9a\x11\xfd\x55\x5e\x70\xf0\xd4\xd6\x46\xc3\xde\xbe\x9f\xc5\xee\x65\x67\x87\x7b\xcc\x77\x30\x97\xae\x6c\x55\x3b\xd8\xaa\x3e\x6f\xfb\x5e\x7e\xd1\xdb\x19\x4f\xfa\x0b\xbd\x21\x44\xe9\x8f\xe1\xc7\x3d\xe2\xfd\xb0\xb7\xf9\x9e\xb8\xec\x77\x0c\x29\x7b\xe3\xdc\xab\x6d\x8b\x9b\xef\x53\x8d\x5c\xab\x0f\x3f\x91\x1d\x1f\xce\x28\xbb\x19\x99\xac\xff\xc9\x27\x04\xaf\xf4\x36\x79\xc8\xf0\x98\x18\xec\x8b\xc5\xe9\x84\x26\x01\x64\xec\x59\x13\x9d\xf1\x8e\x48\x63\xd1\x19\x5f\x8e\xe2\x64\xc0\x71\x43\x13\x56\x67\x34\xe2\x71\x51\x54\xa2\x63\x73\xcf\xba\xe6\xe7\x77\x5e\xcd\x7e\xe4\x00\x3b\x60\xdd\xf7\x1f\x61\xfe\xae\xa5\x7e\x29\x82\x8f\x33\x9b\xa1\x37\x2e\x34\x58\xbc\x63\xa8\x96\x06\x8a\x57\x6e\xe1\x22\x5e\x49\x45\xce\xa3\xe5\x52\xfe\x37\xe5\x13\xd4\x7c\xf3\x8d\x08\xd2\x86\x65\x5a\x4f\x59\x5a\x48\x75\x2c\x8e\xa0\xa0\x71\xfa\x42\xdb\xf9\x8a\xa6\x25\xdd\x9c\xd1\x5a\x52\xdd\xb8\xdb\xad\x20\xc5\x4f\xc8\x18\x49\xc5\x1b\xd0\x77\x63\x3c\x59\x4a\x89\x75\x4c\xf3\x64\x97\x4a\x6d\x3f\x98\x82\x9b\x01\x6c\x49\x9d\x0e\x81\xdf\xac\x1a\x73\xd1\x85\xd1\x03\x5c\xa4\x96\xc3\xa9\x03\x48\x0c\x87\x8e\xaa\xb7\x64\x48\x7d\x27\x61\x64\xb7\x5a\x1f\x63\x26\xc5\x8d\x62\x3b\xec\xca\xad\xef\x38\xe3\x47\x43\xe7\xc3\x41\xde\x57\x6a\x9e\x0d\x95\x99\x9b\x3e\xcd\x11\xd5\x1d\x32\x7e\x0c\x72\x3e\x5a\xd7\xf0\x3d\xd0\x98\x40\x2d\x9d\x9c\x9e\x5f\x9c\x39\x39\x33\x39\xb1\x38\x1d\x20\x8b\xdd\xa8\x2e\x35\xcd\xf8\xaa\x88\x3a\x22\x2f\xcc\x1c\x14\x69\x3b\xeb\x80\xbf\xbe\x8c\x18\x37\x64\x4b\xfc\xc4\xf4\xfc\x98\xba\x39\xb1\x30\x1b\x1e\xb5\x79\x90\xe5\xe6\x5f\xb5\x31\x78\xb7\xd0\xee\x79\xb0\x54\xa9\xdc\xb8\xd7\xcb\x3e\x9b\x3f\x39\x79\xc3\xb1\x9b\x8f\x84\x8c\x5f\x17\xf2\xd9\x2c\x1d\x93\x0d\x57\x3c\x72\x72\xd3\xc7\x34\xb1\xca\x12\x95\xa9\x39\x39\xf8\x29\xd6\x17\x47\x78\x02\x55\xa9\xca\xd5\xd3\x19\x65\x1c\xbc\xe1\x90\xdf\x1c\x49\x72\x7a\x49\x94\x46\x08\xb7\x15\x17\xca\xa1\xad\xbc\x21\x3c\x46\xed\xbc\xe9\xfa\x1b\x6f\xc6\x29\xd9\x45\x66\x80\x08\x87\x41\x57\x6c\x2d\x09\xd3\x7d\x66\x37\x1f\xb4\xae\x00\x4e\x09\x67\xda\xac\x54\xc9\xb5\x32\xaf\xb7\x0d\xcd\x6a\x86\xda\x1f\xa5\x50\x53\x95\x35\x6f\x11\x58\x77\x51\x2d\x15\xb2\xa2\xb4\x54\xbd\x62\xec\x5e\x25\x71\x1c\x00\xa1\x5e\x29\x72\x32\x0a\x3b\x1c\xd7\x94\x39\x49\x59\x8a\xe2\x94\x2f\x9e\x5a\x00\xb0\x7e\xb1\x1a\x9d\x17\x05\x04\x6b\xbb\x2b\x13\xa2\xac\x71\x3e\xc4\x29\x74\x0b\xaa\xfe\x21\x63\xf7\xae\x0a\xd9\xa5\x79\x1c\x25\x20\x4a\x45\x05\x7f\xc6\xc2\x99\x59\x39\x9e\xcf\x9a\x38\x7d\x6a\x94\xb0\x28\x65\x44\xcb\x86\x68\xc3\x93\x3e\x44\x79\xdc\x78\xbd\x9a\x68\xa3\xbc\xc8\x78\x0c\xcb\xa0\x00\xab\x41\xb6\x7c\x9c\x31\xce\x39\x3d\x77\x08\xfe\x1e\x93\xff\x3b\x31\x7d\xe7\xcc\x2c\xb7\xa6\x08\x5c\x85\xfb\x61\x18\x9a\xe7\xa6\x67\xa7\x9a\x9f\x3a\xec\x78\x30\xaf\x61\x4f\x75\x0e\x35\x79\xc0\x8e\xc9\x15\xef\xef\xf7\xf7\x46\x65\xd6\x8d\xdb\x8c\xbd\xbe\xe5\x20\x20\x5f\xdc\x0a\xee\xb3\x0e\x05\x2b\xf5\xbb\x35\x0f\x42\x7e\x37\xd8\x82\xed\x07\x73\xc1\x03\xb5\xe5\x06\xa3\x7a\x0f\xc3\x91\x55\x3b\x8c\x23\xde\x9d\x61\xa7\xb7\xce\xf1\x3e\xfc\xdc\x73\x80\x92\xdf\x31\xf8\xc1\xdd\xa8\x37\x76\x5e\xf4\x0b\xf9\xd1\x63\x9c\x80\x92\x7c\x68\xd7\xec\xf1\x77\x75\xa3\x1e\x63\x2f\x68\xb1\x7f\x37\x2c\xb9\x3f\x8a\x98\x94\x01\x9b\xce\xdd\x2f\x78\xc1\xcd\xce\x15\xbd\x36\x07\xf0\xc4\xda\x10\xa7\x72\x93\x3b\x07\xe4\x4b\x3d\xf6\x22\x8f\x5d\x95\x64\x51\xe7\x44\x94\x44\x69\x5b\xe4\x7e\xb5\x85\x98\x82\x53\xd6\x0b\x84\xbd\xb8\xdd\xbe\xd6\x4c\x5e\xe6\x9e\xe6\xb2\xd2\xb1\x25\x7a\x21\x64\x17\xf7\x3b\x70\x20\x95\x29\x5a\xf3\xda\x2f\xcc\x4c\x41\xa4\x0b\xa8\x66\x7f\xb1\x2f\xb8\xce\xb9\x82\x12\xb5\x8b\xe5\xd1\x0f\x6c\x9c\x90\xea\x03\x57\xd4\xaf\x1d\xab\x5f\x89\xd2\xbe\xda\xc1\xbf\x86\x3f\xea\x39\x55\xf5\x58\xd8\x8b\xf2\x46\x76\xfd\x06\x11\x8f\x43\x67\xc0\x15\x85\x6a\x07\x0a\xd5\x67\x6c\x85\xea\xa3\x3b\x54\xa8\x7e\xb0\x59\x9f\x7a\xac\x40\x6c\x8f\x78\xcb\x9b\xab\x52\x93\xfe\xc4\xd8\xa0\xe6\xa3\x01\x32\x6a\x96\xd5\x53\x56\xd8\x9b\x0b\x63\x7f\xcf\xd8\x3d\x97\x9a\xb7\x71\xe3\xdc\xc6\xfe\x8f\xb1\xe0\x7b\x37\x7c\xa2\xc6\x6d\x89\xf9\x7b\x21\x82\x3f\x5f\xa3\x79\x3c\xec\xfd\x8b\xde\x1e\x4c\xe8\x7c\xd1\x83\x05\xe3\xec\x7b\x6f\xdf\xcf\x1e\x60\xfb\xe4\xc0\xc9\x15\xe4\x8b\xe0\x7b\xd5\xdf\x6a\xf1\x5a\x02\x09\x64\x58\x56\x1b\xb7\xe2\xec\xa1\x7d\x4f\xa9\x2d\xb6\xb7\x3e\x38\x27\xdf\x38\x27\x7b\x2f\x70\x9c\x7e\xaf\x68\x31\x6a\x93\xff\xc2\x56\xf0\x75\x0f\xff\xd6\x54\xa3\xf8\xab\xd1\x8d\xa8\x3e\xf9\x72\x64\x71\x1c\xbf\x8d\x12\x5d\x3f\xba\xb9\xb3\x0d\x8d\x41\x92\xf0\x24\x5b\x17\x79\x5b\x2e\x7d\xbb\x3f\x7e\xcf\x63\xac\x58\xcd\xf2\x12\x67\xc3\xaf\x79\xc1\xfb\x3d\xf3\x1b\xbf\x4a\xfe\xac\xa5\xb7\x56\xdf\x3d\xaa\xa3\xc1\xea\xf9\x98\x35\x6d\x11\xe9\x2a\x15\xf1\x1e\xe2\x9e\x85\x33\x88\x78\xff\xe3\x74\x2d\x6b\x53\x90\x09\xd0\x67\x9d\x93\x4b\xaa\x5d\x26\x7c\x45\x94\xfc\x36\xa8\x5f\x56\x2f\x7b\x6b\xa6\x34\x2a\x4e\xed\xa3\xcc\xc6\x7e\x35\x3b\x60\x7f\xe3\xf3\x3d\xb6\xaf\x88\xd3\x95\x2a\x89\x72\xbf\x0c\x56\xd4\xdf\x7a\x9e\xa9\xdf\x4d\xe3\xbe\x41\x95\xce\x8c\xd3\x97\x3b\x1c\xe7\x9e\xd3\xcd\x5f\xf7\x18\x93\x6b\x68\x25\xcb\x63\x51\xf8\x5f\xf5\x82\x4f\x7b\xe6\xb7\x6b\xc3\x85\xe1\x13\x1d\x6e\x67\xcb\x8f\x8b\x81\x64\xb3\x4b\x22\xc9\x80\x5d\x23\x23\x0c\xc1\xc1\x28\x49\x0e\x1e\x36\x94\x1d\xbd\x6a\x29\x89\x8b\xd5\x47\x73\x6c\xa2\x24\x39\xb7\x51\xcf\xff\x37\x8f\x4e\xca\xf7\x7b\xc1\x7f\xf0\xce\x6f\xbe\xb6\x9d\x5e\x8f\x0b\x02\x15\x24\x7d\x73\x70\xa1\xf6\x44\x23\x16\xd2\x12\xb1\x9d\xfd\x0a\x02\x0e\xb0\x89\x4a\x31\xbd\xe1\xa1\x1c\x61\xe5\x38\x40\x06\x87\xae\x3a\xa8\x1d\x25\x49\xe1\x8c\xdb\x97\x0f\xb0\x70\x4b\x67\x92\x96\xcc\xfd\x9f\x3e\x10\x2c\xea\x5f\x46\x10\xa5\x54\xc8\xb0\x82\xa4\x5a\x1a\x49\xed\xb2\x34\x49\x6f\x07\x44\xe6\x18\x19\xc1\xd5\xea\x0f\x2f\x7a\xbb\xe4\x99\x7a\xd1\x23\xb4\xf2\x45\xcf\x4f\xa2\xa2\x5c\xcc\xa3\xb4\x80\xba\x16\x63\x48\x71\x97\x8b\xa8\x90\x5b\xef\xde\xae\x28\x8a\x68\xc5\x85\x4e\xfc\x30\x63\xa7\x34\xdc\xf9\x44\x70\x83\x2b\x12\x6b\x1d\x67\x54\x91\xa9\x2d\xe6\x52\xec\x3b\x19\x25\x52\xc5\x3d\x9b\x02\x2c\xc6\xe9\xa0\x45\x06\xad\xf2\x4f\x05\x77\xa8\x6c\x1b\x96\x0d\xca\x12\x38\x80\x44\x3a\xe5\xcb\x59\x16\x12\x55\x43\xd8\xce\xba\xe3\x46\x20\xb1\x4b\xfd\x40\x8b\x35\x7c\x9c\xff\x93\x2d\x76\xd3\x25\xc8\x0b\xf2\xdd\xe0\xab\xde\x60\x81\x5a\x4a\x8c\x8a\x92\x18\xaf\xed\x5e\x40\x86\x5e\xf8\x53\x41\xca\x64\xb7\x50\x9f\x99\x5c\x4f\xb4\xe4\x8c\x02\xaf\xb1\x5b\x70\x12\x24\x7d\x84\xe7\xe8\x29\x81\x94\xfb\x21\x47\x63\x56\x44\x13\xbd\x44\xd0\x11\x11\x20\x19\xd8\x0c\xb4\x4b\x97\x28\xa7\x04\xe5\xce\x56\xcc\xfd\x05\xf0\xca\xf6\xc8\x26\xf7\x02\x8f\xa9\x91\xf7\xd7\x82\x98\xfe\xc4\x1d\x66\xb5\xea\x82\x7b\x3c\xea\x00\x68\x47\xdf\xc3\x03\x1e\xb0\x71\x34\x4b\x0d\x9b\x95\xe9\x03\xfa\x4c\xc5\x65\xeb\x26\x38\x71\x86\xef\xd3\xad\xc6\x08\x98\xff\xdc\x52\x21\x30\x3f\xd6\x1a\xbc\x5d\x8f\x4a\x0d\xb5\x79\xdc\x8a\x8f\xd1\xe8\x33\xd3\x9d\xeb\x11\x9a\x34\x91\x6f\xa2\xea\xc9\x86\x9e\x84\xc9\x86\x3b\xc1\x28\x8f\x97\x9b\x0b\x8b\x75\x08\x63\xd2\xe7\x47\x8f\x21\x62\x03\xaa\xc6\x21\x0e\x8d\xce\x7f\xdf\x85\x67\x87\x0d\x4d\x8e\x0b\x7e\xcb\x68\xad\x3d\x52\xae\xaf\x60\x61\x03\xd0\x0d\x8c\xb9\xb9\xc0\xd5\xae\xf8\x95\x9a\x14\x64\xd5\x5e\x17\xb1\xf3\xa5\x16\xa3\x15\xed\x7f\xae\x15\x7c\xac\x85\x7f\x9b\x6d\x05\xd2\x1b\xac\xe4\x51\xb7\x1b\x95\x36\xd5\x72\x6e\x8f\x2a\xee\xac\xf0\xa2\x3a\xc0\x75\x7b\x0f\x16\x34\xfd\xad\x71\x9e\xc3\xd4\x1f\x39\x6c\x0c\x9a\x44\xd1\x5a\x17\xc0\x25\x28\x27\x02\xc5\xbb\x88\x0b\x3d\xcc\xb0\x40\x90\x35\xd0\x13\x45\x94\x02\x4e\x44\x8b\x6a\x30\x6f\xf1\xc4\x59\x5f\x45\x04\x5b\x69\x60\x6e\x11\x66\xa8\x28\xe2\x8e\xc8\x45\x87\x47\x7c\xa5\x8a\xf2\x28\x2d\x85\x00\x0a\x07\x8b\x0b\xdb\x5a\x69\x91\xb5\xc1\xd0\x44\xb4\xad\xdd\xb2\x89\xa4\x05\xa1\x3d\xd7\x9e\xa5\xbf\xd8\x62\xdb\x05\xc4\xfa\xaf\x6c\xf9\x57\xc7\x69\x39\x96\xe5\x63\x58\x4a\xf0\xd7\x9e\x75\x1f\x97\x19\x6c\x84\x1a\x1d\xbb\x8a\x08\x64\x0e\x68\x32\x44\x9c\xa8\x96\xf2\x7b\x71\xa9\xe3\x11\x6d\x5b\xdc\x78\x37\xca\x8b\xd5\x08\x91\x9f\x48\x3c\x65\x5d\x19\xe5\x71\xa9\xf2\xb3\x00\xf3\x96\xec\x37\xe2\xb5\x94\x13\x09\x68\xd6\xfa\x3d\x01\x38\x42\xc8\xb8\x93\x64\xeb\x05\xe4\x94\x2a\x33\xb0\x35\x8f\xd6\xd3\xd3\x41\xe5\xd8\x69\xba\xe5\xb8\xad\x10\xb3\xb5\xac\x06\xc1\x9e\x4e\x27\xfe\xc4\x01\x07\x2b\xa5\x80\xfd\x0b\x72\x66\x2f\x57\xc9\x82\x28\xfd\x7f\x64\xc1\x5b\x5b\xd6\x85\x3a\x6d\x4e\xa9\xd1\xa3\xb0\x56\xc8\x76\x08\x89\x4a\x60\x36\x97\xb1\x28\x42\x3e\xa3\xff\x86\x99\xa2\x52\xac\x47\xc5\x71\xc6\xc7\xf8\x2c\x9a\xac\x8e\xf3\x09\x95\xbc\xbf\x80\xfd\x90\x4f\xcd\x2e\x20\xae\x31\x2b\x40\x86\x0c\xe5\xd3\xc4\x7e\x71\x9c\x4f\xc8\x59\x9c\xf6\xb9\xc5\x57\x05\x79\x4c\xb4\x0d\x38\x04\x2b\xaa\xdd\x78\x3d\x2b\x55\xec\x9c\x82\x40\x61\x0b\x54\x9b\xfb\x28\x7f\x44\xc9\x7a\xd4\x97\x95\xf4\x74\x02\x2f\xd9\x97\x8a\x64\x45\x3d\xec\x5a\xc5\xfe\x66\xef\xe5\x4d\x34\x59\x52\xa8\x55\xb2\x01\x8d\x4c\xc3\xc0\x41\x80\xd5\xcd\x14\xbf\x67\x2c\x50\x0a\xa6\x6b\x06\xc7\xca\x3e\x88\x0b\xbd\x10\x65\xc8\xde\x6b\xe2\xaa\xde\xb1\x11\xb3\x54\x53\xcd\x68\xd2\x4b\x55\x72\x85\x61\x66\xbc\x39\xbb\x52\xeb\x7d\x45\xff\x10\x95\x91\x3a\xae\xec\x2d\x79\xa9\xcf\x8b\x4c\x1e\xaa\x71\xda\xc9\xd6\x61\xff\x05\x7a\xd3\x2b\x66\xb8\x2b\xa0\xa8\xc7\x2f\x06\xeb\xec\xe6\xb6\xa4\x63\xfe\x11\xe3\x96\xef\xf5\x0a\x6d\x2e\xb2\xe6\x7e\x1d\x95\xf4\xb1\x11\x87\x26\xc4\xa5\x35\x9b\x4e\xd7\x08\x36\xff\xa6\x91\xe0\x83\x5e\xed\x22\xe5\x63\x00\xbe\x20\x22\x37\xcb\x6c\x4e\x33\xd9\xe9\x6b\x71\x9e\xa5\x5d\x4c\x0d\x92\xc7\x72\xcb\xc5\x6d\x5c\xf9\x9f\xd0\x55\xa8\x35\x0c\x42\x03\x63\x71\x07\x0b\xa4\x77\xc5\x63\x07\xf6\x4b\x3d\xe2\xf0\xf4\x79\xd1\x1f\xc3\x49\xd3\x8b\xe2\x1c\x76\xe6\xc6\x1a\xdd\xed\xf3\x73\x1e\x7b\x58\x71\x3b\xfe\x40\x90\xcd\x3a\x4a\x3d\xc0\x2b\xcb\xc7\x88\xb1\x71\x8a\xed\x43\xe8\x7c\x94\xf8\x37\x07\xd7\x62\xac\x6a\xdf\x11\x7e\xa8\x63\x95\x81\x81\x8e\x35\x10\x01\x97\xb2\x2c\x11\x51\xca\xfe\xcc\x73\x8e\x58\x4d\x63\x24\x27\x15\x8d\xde\xa7\xbd\xc0\xfe\x6d\xc4\x43\x1b\xde\x0b\x1c\x0c\x29\x17\xf2\x39\xb7\xc7\x7e\xd8\x63\x27\xd9\xfe\x76\xd6\xed\x65\xa9\x48\x4b\xff\x96\x60\x74\x52\xfd\xc0\x15\x86\xb8\x60\x18\xf2\x35\x4a\x21\x46\x82\xb4\xe8\x38\xf2\xc0\x1d\x6c\x97\x3c\x6a\xfd\x9b\x82\x6b\x67\xb3\x8e\x32\x67\xa5\x5b\x2f\xe0\x65\xbb\xd9\x77\x5b\x5f\xbb\x9c\x64\xeb\x14\x01\xa8\x2d\xf1\x04\x62\xf5\x7f\x77\x57\xf0\x5f\x3d\xfa\x81\x16\x34\xda\x9d\xb3\x3c\x5e\x89\xc1\x7b\x8c\x01\xe6\x06\xb8\x51\x18\x09\x59\xc7\xd8\x2b\xa4\x42\x54\x49\xcd\xab\x54\xb1\xc4\x48\x6f\x0a\x62\x67\x2e\x40\xe6\x28\x57\x73\x21\x38\x1c\xe8\xd9\x32\x56\x48\x84\x77\xa6\xc2\x5b\x65\xa9\x55\x21\xf2\x51\x5c\xa8\xa3\x52\x6e\xaa\xa5\x70\x0a\x9b\xcc\xa1\x2f\x68\xb1\x29\xb6\x1b\xde\xf1\x6f\xdd\x20\xe9\x49\x53\x87\xdc\x29\xdf\x52\xd0\xde\x7f\x45\x7b\xf0\xb7\x05\xfb\xe6\x29\x3d\xa3\xdd\xbf\xf7\xb0\x27\x14\x4e\xee\x34\x7f\x6a\x03\xf2\xd0\xc6\xee\x77\x5e\x57\xd5\x9e\x60\xbb\xe4\x67\xfb\xc7\x37\x20\x5a\x6e\x2a\xed\x6c\x21\x72\x2a\xe3\x11\xef\x95\x1e\xfb\x17\xce\x26\x58\xa5\xe0\xa9\x5d\xf7\xab\x31\x4a\x33\x37\x56\x66\x63\x9d\xb8\x68\xe7\x71\x57\xf6\xb8\x38\xd1\x3f\x0e\xee\x60\xda\x16\xa1\x2b\xe0\x82\xfb\x95\xc7\xb9\xdb\x6c\x78\x44\x36\xf8\x38\x97\x2d\x60\x9c\x5b\x85\x66\xf9\x71\xd8\x58\x19\x7b\x25\x63\xdf\xd9\x94\xcd\x22\xeb\x20\xcd\xc1\xd7\xf6\x07\xb7\xab\x1f\xc3\x59\x0e\x48\x50\x84\x84\xcf\xb1\x49\xaa\x07\xfb\xa4\x33\x09\xde\xba\x9f\x7d\xde\x63\x57\x57\x29\x45\x8f\x42\x18\xdf\x47\xbd\xe0\x3d\xde\x59\xfb\x92\x8a\x89\x45\x4e\x36\xae\xef\xc4\x09\x25\x2a\x53\x71\x61\x21\x3f\xd1\x57\xa9\xd4\x46\x75\xfd\x56\x49\xdb\xde\x08\x81\x35\x02\xfe\x3b\x7e\x4d\x37\x4a\xab\x28\x19\x93\x3f\xc6\xa2\x4e\x37\x4e\x35\x3c\xcc\xd9\xbf\x7e\xdd\x63\x57\x21\x39\x1f\xed\x56\x9f\xdc\x0a\x57\xa5\xec\xd5\x49\xeb\xad\xe0\x55\xde\xcc\xb2\x89\xbf\x42\xad\xdb\x98\xe6\xe5\xa9\x02\xdf\xd7\xb6\x81\x67\xb8\x79\x01\x45\x0a\xa6\x3d\xb8\x1b\xa9\xb4\xb0\x60\x97\x84\x5e\x6d\xc1\xc4\x44\xaf\x35\x65\x7a\xc5\xe4\x7e\x55\xda\x25\x7b\xb1\xc7\x98\xe2\x42\x9c\x99\xf2\x2f\x04\xe7\xa7\x2c\xe6\xec\xd9\x0c\x23\xe0\x34\x7b\x17\x66\x69\x03\x8a\x50\x55\x44\xc8\xe7\x21\x29\x85\xa2\x68\x01\xec\xcc\xd1\xf0\xe8\x75\x21\x2f\x84\x30\x23\x02\x28\x12\x4d\x6d\x7a\xe3\xd1\x5b\x6e\xbc\xd1\x5e\xd3\xcf\x64\x7b\x7b\x59\x67\x72\x66\x6a\xde\x3f\x19\xdc\x32\x87\x7f\xd6\xed\x29\xbd\xac\xc3\x67\xe6\x78\x1e\xa5\x2b\x82\x47\x05\xe0\x5a\x34\xd8\x41\x76\x5d\x58\x23\x1b\xde\x47\x65\x16\xfe\x5b\x5b\xc1\x97\x3c\xf5\xab\x5e\xae\x2a\xb3\x68\x2c\x94\xd2\x1e\x52\x0c\x26\x08\xec\xca\x8c\x03\x75\xa2\x0d\xcc\x81\xa7\xb9\x43\x7c\xa4\x5c\xe5\x22\x2d\xf3\x3e\x0e\x90\x71\x94\x50\x7b\x54\x47\xce\x20\x1e\x49\x41\xa5\x74\xb0\xac\x95\xe7\x09\xe2\xf1\xb2\x65\x3e\x33\xb7\x76\x3d\xc8\xd0\x33\x73\x6b\x37\x6e\x60\xbe\xde\x06\xc7\xd4\x0b\x3c\xc6\x80\x13\xb5\x23\xf2\x99\x29\xbf\x08\x96\x67\xa6\x94\xd0\x01\xdd\xa0\xfb\x86\x0e\x9d\x76\x92\x55\x1d\xae\x5e\xe1\x96\x3f\x27\x2a\x8f\xf3\xdb\xe6\xe8\x86\x14\x5e\x6e\x3f\x3e\x3e\xae\x2f\x28\xbe\x0b\xb9\x3c\x66\xa6\x6e\xb7\x87\xac\xcd\xf6\xc8\x4f\x2f\x0b\xff\x59\x01\x1f\x5c\x2b\x94\xb0\x18\x1f\x71\xbe\xfa\x5a\x76\x88\x7d\xf7\xa6\x0b\x72\x51\xbe\xc8\xfe\x76\xa4\x31\x39\xf4\x62\xd6\xcb\x92\x6c\xa5\xbf\x40\x19\xbc\x16\x45\xde\xf5\x3f\x35\x12\xbc\xa6\x35\xc1\x4b\xba\xa7\xd3\x7b\xf1\x52\xe4\xdd\xfa\x34\xca\x45\x51\x25\x98\x62\x38\x5a\x12\x09\x7f\xa0\x12\x39\x28\xfe\x13\x3c\xad\x92\x44\x1e\xa3\x68\x6f\x1c\x52\x9c\x3a\xff\xd3\x4c\xc3\x2d\x60\xe1\xdb\xa0\x3d\x1a\x11\x4c\x46\x3a\x31\x3b\x25\x70\xde\xd0\x28\x80\xa6\x52\x2d\x91\x41\x62\xb9\x4a\xdb\x28\xba\xc9\x3d\x35\x2a\x38\x6c\xf3\xd6\xe7\x19\x47\x4b\x94\xf2\x28\xe9\xad\xba\xf9\x30\x60\x32\x82\x89\x56\x0f\x6e\x25\x6f\xba\x1b\xfe\x3b\x3c\xf6\x93\x1e\xfb\x36\x68\xfc\x29\xf9\xdd\xd3\x17\x64\xaf\x80\xef\xd6\x7f\x89\x17\x5c\x37\xa1\xdd\x42\x83\xdf\xed\x7c\xda\x52\x9f\x72\xde\x3a\x43\x3b\xcd\x26\xb7\x40\xaf\x5b\x1f\x3d\x68\xc9\xbc\x29\x9d\xfd\xd5\x01\x76\xe3\x26\xe7\xf8\x1c\x30\x3d\xcc\x57\x89\x28\xee\x8d\xcb\x55\x15\xd7\xe4\xbf\xff\x40\xf0\xfa\x91\x21\x37\x01\xc0\x46\x47\x66\xc4\x41\xd5\xc5\xa3\x52\x87\x38\x19\xe1\x0d\xed\xed\x56\xd6\x4f\x18\x5d\x78\x47\x59\x0d\xc9\xb3\xa4\x05\xc2\xf3\xc6\xf6\x49\xf2\x1f\xa9\xee\x4b\x8a\xf2\x51\x99\x79\x0c\x1e\xd0\x76\xf7\x42\xc6\xb6\x52\x1b\x95\x61\xb8\x87\x7d\x89\x9a\x7e\xa6\xbd\xf1\xb2\xc9\x8b\x12\x2f\x63\x12\x96\x43\xd1\x61\x13\xf6\x9c\xa5\x82\x77\x85\x0a\x9f\x2e\xea\x25\x39\xa2\x69\xda\xe1\x87\x96\x86\xbe\xab\x1a\x0d\xcd\x02\x43\x5d\x96\xce\x3b\xd7\x1a\x0a\x0d\x2f\x7a\x3a\x12\xcd\x4d\xcd\xbc\x8f\x7d\xb9\xc5\xae\x76\x0a\xf5\x3f\xd5\x0a\x7e\xd5\x3b\xe7\x5c\x3b\x47\xca\x7d\x12\x63\xc6\x57\x55\xa3\xd5\x45\xe4\xde\x50\xa9\x64\xb5\xc8\x6c\x22\xa7\xdb\xed\x2c\xef\x50\xc6\xd2\x72\x55\xc4\x39\x8e\x8f\x1a\x0e\xd2\x17\x8d\x5b\x70\xc2\xee\x81\x6c\x99\xd7\x9b\x24\x5f\x3c\x57\xff\xfc\x73\x7c\x15\x6d\x2a\x4b\x40\xb4\x38\xa6\x6c\xc1\x66\x9d\x4c\xb2\x89\x0d\xe8\x80\x9b\xe6\xfb\xe0\xd7\x6e\x11\x84\xf8\x82\x11\x2b\x02\xf0\xeb\xad\xe0\xc5\x2d\x3d\xf4\x35\xd0\x12\x45\x54\xa3\x36\x41\xe2\x2c\xa9\x10\xa0\x56\x80\xc8\xab\x5c\x22\x71\xc1\xf3\x4a\x8a\x86\x48\x4b\xbb\x94\x55\xa5\xd2\x5d\x06\x12\xb0\x5a\xb3\x47\x9b\xec\xe4\x28\xca\xcd\x16\x87\x13\xc7\x0d\x68\xd5\x44\x41\x09\x84\xe4\xda\x02\x9d\xe8\xb8\xa5\x29\x11\x80\x9a\x6e\x54\xa9\x7b\x4b\x36\x1d\x9b\x69\xa6\xa0\x00\x0f\xb4\x46\x57\x2a\x1d\xc5\x19\x8e\x9b\xd9\x8d\x1b\x70\xc8\x6e\xa0\x13\x6e\x71\x0c\xde\xd6\x62\x4f\xaa\x4f\x12\xff\x65\xad\xe0\x55\x5e\xc3\xdc\x71\x9c\xf3\xb3\xe6\xf6\xa3\x30\xcf\xe5\xe4\xd4\x3b\xd0\xd9\xf9\x53\x4e\xa7\x9c\x64\xdb\xd5\xd4\x1a\x1b\xbb\xc5\x2e\xfa\x85\xfd\xac\x91\xfe\x4a\xed\xf6\x9d\x05\xd1\xae\xf2\xb8\xec\x63\xc9\x00\x8b\x7c\x68\x7f\xf0\xf4\xc6\x3b\x6e\x1f\x0e\x3c\xb2\x31\x40\xf2\x97\xae\x00\x24\x77\x6c\x99\x5d\x57\x00\xc9\x34\x08\x34\x40\xd2\x8c\x88\xea\x2a\x1a\x06\x7b\xd6\x3d\x9d\x6d\x64\x8d\xd8\x6c\x5a\x5c\x31\x09\xef\x00\x2b\xf9\x59\x1b\x2b\xf9\xdf\x76\x88\x95\xfc\xa1\xc7\x29\xf6\xec\x72\x82\x25\x89\x4d\x8c\x1b\x1e\xb2\xc1\xad\x86\xb1\xaf\x86\xdb\xda\xb9\xc0\x8e\xf3\x9f\xc3\xe0\x58\xe3\x1d\x67\x6f\xc1\xa2\xb8\x48\x97\xb3\xbc\x2d\x3a\xe1\x45\x6f\x6f\x21\x4e\xc5\x69\x75\xe1\xa2\xb7\x3f\xaf\xd2\x89\xe2\x6c\x21\xf2\x8b\x9e\x5f\x54\xbd\x5e\x02\xa2\x73\x94\x80\x45\xaa\xb8\xe8\xed\x5d\x2e\xe0\x4f\x67\x6f\xfb\xe0\x18\x7b\x87\xc7\xbe\x1d\x1c\xb4\x73\x2a\x71\xd2\x74\xd1\x8e\x12\x84\x4c\xbc\xc4\x0b\xfa\xc3\x6e\xf2\x8e\x90\x9a\x0f\xa6\xc9\x5c\xa6\x74\xc3\xc8\x7f\x60\x24\x66\x88\xa8\xd1\x29\x99\xb8\xd0\x6f\x83\xe6\x5d\xa5\x96\x92\xe8\xa4\xdc\xcf\x2b\x02\x22\x28\x2b\xce\x2f\xb4\x98\x4f\xf9\x9b\x4c\xd2\x90\xc2\x7f\x5b\x2b\xf8\xa2\x37\x78\x5d\xab\x45\x49\xb6\xae\x36\x19\x79\x9b\x58\xee\x43\x8e\x79\xbd\x40\x56\x8d\x13\x07\x62\x4a\xc4\x41\xd6\xd3\xca\x87\x57\x15\x80\x9a\x01\x39\xbc\x17\xe5\x51\x57\x7e\x3f\x84\xb5\x00\xd5\x04\x64\xaa\x4f\x6d\xea\x24\xb4\x3b\x90\x1a\x6e\x17\xa8\x7c\xe2\x42\x73\xf3\x04\x74\x2b\x20\x7b\xc2\x25\x6f\x81\x13\xf5\xbe\x60\x1f\xf3\xd8\x93\xa8\x36\x95\xc1\xab\xf0\xdf\xe5\x05\xe7\xea\x17\x9b\x3a\x0d\x28\xdf\x7b\xf2\x6e\x48\x5d\xd6\xd0\x57\xe6\x21\xa7\xab\xec\x6f\xb8\x95\xdd\x32\x1c\x3b\x35\xe4\x1b\x54\xc3\xd8\x6b\x47\xd8\x53\x69\x76\x4c\x74\x3a\x93\x51\x0f\x4d\x8d\xb1\x28\xfc\x7f\x68\x05\xff\x67\xab\xf9\x9e\x12\x67\xe9\xae\xf2\xf4\xb7\xed\x47\x30\xdd\xa5\x22\x38\x82\x78\xbc\x7a\x0e\x32\x5e\xa5\x89\x28\x8c\x0d\x4b\xce\x58\x0d\x4a\x01\x6c\x60\x27\xcf\x7a\xe4\x22\x56\x65\xf7\x43\xce\x9f\x95\x55\x1a\x00\x02\xdd\x19\x59\xf7\xe5\xb8\x83\x58\x3b\xa4\xed\xc8\x05\x8f\xa2\xe9\x54\x9e\xf5\xec\x9b\xf2\xc0\xb0\x1f\x85\x66\x6b\x2f\x41\xdc\xed\x25\x71\x3b\x2e\x93\xbe\x9a\x63\xa3\x44\x40\x27\x3a\x0a\x8c\x42\x92\xb5\x9e\x7d\xf4\xa0\x53\xac\x6c\xf2\x46\xd8\xca\x5f\xf0\xd8\xbf\x51\x8d\x1f\xb6\x7d\xfc\xa8\x17\x3c\xec\x6d\xf2\x90\x31\x26\xd7\x06\x0b\x13\xca\x65\xb9\xf6\x57\x01\xd6\xa8\x2d\xc7\x42\xee\x32\x2b\x51\x9c\x62\xa8\x9d\xde\x5e\x0a\x8c\xba\x93\xe7\x6b\x2f\x02\x5f\x3d\xbd\xe0\x6e\x25\xaf\x18\x61\x4f\x5a\xce\xf2\xa5\xb8\xd3\x11\xe9\x42\xbf\x68\x97\x49\xe1\x7f\xa3\x15\xfc\x66\xab\x7e\xd5\x95\x52\xc4\x05\xdd\xb3\xfa\x41\xa9\x79\xc8\x27\xdd\xed\x2b\xcd\x52\x11\xf2\xe9\xa8\xad\x6c\x87\x72\x93\x88\xd5\x47\x24\xb2\xe5\xf8\x9e\x86\xb6\x40\x9e\x88\x38\xe5\xc1\xb5\x81\xfc\x07\xdd\x55\xed\xa8\x00\x0a\x9c\xb8\x70\x90\x49\x94\x75\x6f\x39\xbe\x00\x86\xa2\x7a\x53\x42\xbe\x80\x10\x94\x6b\x01\x03\x85\x44\x46\x74\x0f\x66\x88\x7e\x23\x64\x8c\x18\xe5\x8a\xe3\x1c\x30\xbc\xc1\x72\x96\x8d\x5f\x1b\xd0\x23\x05\xfe\x5e\x8a\xf2\x60\x54\xfd\xf9\x60\x30\xca\x45\xd9\x0e\xcd\xf3\x61\xed\xf9\xd0\x3c\x1f\x9a\xe7\x37\x98\x49\x3d\x76\x40\xee\x20\x84\xa1\xf1\xa3\x60\xc1\xfa\x59\x3b\x65\xac\x63\x90\x50\x45\xb8\xd1\xc2\x36\x7b\x97\xf5\x9a\x49\x8f\x87\x71\x94\xce\x0c\x78\x0e\x63\x26\x4d\xa0\xff\xcc\x60\xd2\x4a\x1a\xb8\x85\x53\x0d\xa9\xc0\xe5\x40\x98\xf7\xdc\x0a\xfe\xbe\xc5\x9e\x9a\x8b\xa8\x73\x26\x4d\xfa\xf3\x59\x56\x9e\x8c\x13\x81\x3a\xaa\xff\x9b\xad\xe0\x57\x5a\xcd\xf7\xf0\xe4\x20\x3a\x3f\x79\x04\xe2\xd6\x04\xa7\xbd\x9d\x96\x90\x18\xe3\x29\x05\x66\x0e\x0c\x54\xf2\xe0\xc9\xb3\xac\xc4\x14\x8c\xca\x79\xa8\xe2\x95\xcd\x6e\xe6\xec\x5c\x96\x14\x6a\x97\x88\x6a\xe0\xb0\x52\xa1\xc0\xb9\x85\x39\xa5\xac\x74\x44\xda\x57\x7d\x0d\xa7\x3a\x7d\xc0\x72\x94\x14\xa2\x56\x3b\xe8\x26\x5b\x69\xba\xec\x7b\x48\xbb\x5d\x48\x9d\x7d\xa9\x2a\x75\x12\x6e\xda\xc2\x50\x04\x42\x16\x22\xab\xe3\x3f\xd7\x62\x57\xe5\x55\x5a\xc6\x00\xa7\x2a\x0a\xff\x23\x2d\x36\xb9\xd5\x73\x67\xde\x7a\x71\x81\x8c\xec\x67\x90\x7b\x2e\xf8\xba\x67\x17\xab\x61\xe4\xf4\x94\x75\x90\x74\xe2\x76\xa9\xf0\x09\x30\x45\xc1\x63\x66\x17\x4d\x71\x0c\x91\xee\x30\xd7\x01\x91\x75\xe3\xb2\x54\x56\x73\xcc\xee\x63\x57\x0d\x78\x02\xfd\xb0\xd4\xf0\xe4\x32\x6a\x83\xd6\x30\x8d\x92\x21\xa0\x13\x32\xa7\xdc\x5a\x2a\x1a\xbb\x39\xae\x1b\x0a\x2d\x93\x3a\x1d\xf2\x3b\x3d\xb6\x97\x44\x13\xff\xcd\x5e\xf0\xbc\xb5\xe1\xf2\x95\xca\xe8\x0d\x19\xd7\x86\x89\x0b\x69\xc6\x1b\xa5\xaa\x45\x25\x2b\xca\xcd\x4a\x3d\xd1\xa7\x13\x54\x2e\xef\x83\xd7\x1e\xdc\x68\x0f\x79\x5f\x8b\xfd\x8b\x86\x53\xcc\xbf\xd8\x0a\xfe\xc9\x6b\x3a\xde\x9c\x9d\x7d\x50\x26\x20\xda\x4a\x13\x8c\x2d\x85\xd9\x4e\x53\x86\x52\xb7\xd4\xd4\xee\x74\x05\x55\xc6\x38\x7f\x93\x9d\x17\x19\x7e\x0e\x16\xe8\xf3\x15\x28\x0e\x83\xb8\x50\x15\xe5\x26\xf2\x42\xd3\xb7\x6c\x28\x2c\x6c\xd0\x69\x5f\xfb\x7f\xd9\x7b\x17\x30\x49\xb2\xaa\x4e\xfc\x8b\xac\xea\xd7\xed\x19\x90\x00\x05\x5d\xf7\xff\xdd\x7f\x0c\x6c\x75\x0d\x99\x59\x55\xdd\xf3\xa2\x19\x86\xa9\xa9\xaa\x66\x8a\xe9\xee\x29\xaa\xaa\x67\x00\x77\x96\x8e\xca\xb8\x95\x15\x53\x91\x11\x49\x44\x64\x55\xe7\xac\x7c\xcb\x63\x17\x84\x05\x59\x56\x50\xe8\xe5\x29\x2f\x1d\x44\x50\x50\x41\x50\x51\x77\xe0\x0f\xe2\xa2\x20\xb8\xa0\x82\x22\xae\xe2\x63\x5d\xdf\xee\xb0\xae\xff\xef\x9e\x73\xee\x2b\x33\x2a\xab\xaa\x7b\x06\x10\x5b\x3e\xa7\x2b\xe3\x71\xe3\x3e\xcf\x3d\xf7\x3c\x7e\xbf\x31\xf6\x18\x2a\xef\x5c\x5a\x84\xeb\x42\x6d\x86\x9f\x1d\x0b\x3e\x30\x56\x75\x67\xc7\x0d\x51\xa9\xb3\x3d\x78\xfa\x1b\xbf\x2b\xaa\xfa\x8c\xda\x13\xdd\xba\xda\x0c\xb1\x4d\xed\x75\x25\xc3\xad\x99\xe8\x21\x44\x55\x56\x35\xd6\xee\x0e\xf9\xca\x56\x16\x47\x64\x88\x41\x56\xf4\x1d\xf6\x5a\xda\xc7\xf6\xba\xd5\x5a\x8f\xef\x7b\xa7\x95\xab\x99\x8e\x81\xfe\xeb\xbc\x11\x4c\xa4\x03\x82\xf1\xd4\x0a\x86\x78\x0c\xc8\xc4\xbb\xa9\xac\x3d\x48\xc3\x6d\x79\x65\xbd\x20\x9b\x71\x5c\xe8\x9c\x1f\x0a\x42\x82\x63\xef\x5c\x96\x96\xe2\x42\xd9\x64\x11\x3b\x04\x8c\xc5\x8b\xf3\xfe\xb3\x82\x3b\xe8\xcf\xfd\x6a\x02\xf2\x95\x91\x5a\xc0\xeb\x3d\x76\x04\xca\xce\xf2\xb2\xf0\xbf\xdf\x0b\x4e\xe9\x5f\xf6\xb7\x70\xd6\xe1\x19\x27\xcb\x4b\xed\x6d\x76\x09\x85\xd7\x84\x4a\x45\x73\x06\xe0\x49\xec\xc6\x11\xdc\x5d\x03\xdd\x7c\x3b\x7d\x7e\x59\x7e\x81\xbd\xdb\x63\xe6\x50\xef\xbf\xc9\x63\xb7\xee\x63\x1f\xc3\xb7\x06\x07\xec\x7b\x74\x79\x97\xb2\x81\xd1\x9b\x14\x2f\x0f\x2f\x90\x84\x83\x80\xdb\x37\x78\x4c\x99\x23\xfc\x57\xed\x63\x72\xad\x2c\xc0\x3b\x83\x75\xbd\x93\xca\xda\x77\x4d\xd1\x0d\x39\x5c\xbf\x4f\x7b\xac\xc2\x30\xe2\x7f\xc8\x63\x8b\x7b\xae\xea\xd0\xeb\x83\xb5\x4e\x87\xbf\xb0\xd7\xd5\x61\xbf\xa9\x9c\x16\x72\x92\x8d\x5c\x29\xaf\x1e\x63\x8f\x52\x5b\x82\xca\xd9\x2d\xfc\xff\x5b\x0b\x7e\xb2\x36\x3b\x78\xb9\x6a\xd3\x8e\xd3\x24\x4e\x85\xc3\xa4\x89\x1d\xa7\xa2\x51\x8c\x4c\x23\xb5\x0e\x72\x19\xd6\x04\xec\x69\xc4\x43\x1d\x9a\x05\xc6\x67\x55\x5e\x0e\x9a\x56\x07\xad\x05\x69\xdf\xfa\x96\x46\xef\x56\x94\xde\x54\x1b\xc3\x06\xaa\xed\x35\xda\xd7\xcd\xd7\x84\x0a\xd9\xac\x2b\x24\x17\x04\xfd\xcc\xd2\x0c\xe2\xc2\xd7\x75\xa2\x12\x7a\x6a\x49\x99\xc1\x41\x98\x5b\x59\x5c\x84\x8f\x10\x21\x9e\xad\xfb\x38\x0b\xf7\x66\x36\x2a\x92\xac\xda\x60\x61\x52\xf4\xdf\x5f\x63\x0c\xd6\x1a\xca\xda\xb7\x8f\x22\x99\xad\x5a\xbc\x95\xe2\xf6\x4b\x9e\xb9\x77\x69\xeb\x17\x5f\xdd\x61\x01\xef\x49\x13\xb5\x8a\x91\x83\x57\x86\x9b\x02\x06\x15\xca\x74\x72\x5f\x48\x21\x29\x94\xbe\xa9\x5e\x73\xb4\x4d\x9a\x4f\x4a\xdb\x7c\xd0\x63\xdf\x4e\xb3\x79\x29\xcf\x5a\x67\xb2\x5e\x5a\xae\xf6\xbb\xa2\xf0\x7f\xd7\x0b\x7e\xd9\x9b\xad\xba\x55\x35\xab\x95\x5c\x76\x9f\x6c\x8e\x34\xfa\xc1\x24\x92\x75\xa5\xac\x5a\xe7\xdd\x01\x65\x15\xfd\x39\x56\xfb\xdc\x87\x55\x13\xd7\x93\xb0\x3d\xd0\xc4\x11\x9b\x33\x6d\x7a\x8b\x4b\x73\x6a\xd3\x5b\x5c\x9a\xdb\xef\xa6\x27\x5f\x19\xb9\xe9\x7d\xcc\x63\x8f\xdb\x49\x57\xf4\xef\xf7\x82\x57\x78\x3b\xdd\xa5\x18\x54\x31\xc2\x82\x16\xe5\x59\xb7\xab\x72\x15\x07\xf4\x64\xbe\xba\x21\x0a\x41\x48\xf1\xf8\x05\xea\x1b\xf5\x96\x5c\xcd\x06\xd8\x16\xb4\xe6\x51\xfd\xf5\xe5\x31\x76\x3b\x2d\xa3\xcd\xde\x9a\x68\x84\xed\x76\x2e\xda\x61\x99\xb9\x60\x04\x95\x90\x85\xb3\x4b\x8b\x14\x8f\x49\x90\x32\xaf\x19\x0b\x66\x07\x2f\xda\xc9\xb3\x72\x59\x47\x4e\x38\x33\xa6\x28\x86\xa9\x25\x69\x1c\xd3\xfa\x2f\xd7\xd8\x47\x5c\xbc\x9f\x9f\xa8\x05\x8f\x9f\x53\x49\x24\x14\x92\xab\x53\xf0\xc2\x6e\x4c\x1f\x77\xda\x7c\x0f\xfb\x1e\xf6\xac\x4a\xd1\x71\x19\x6d\xb6\x60\x7c\x76\x05\xe7\x79\x38\x28\x11\xf7\x8e\x1e\xc4\xfe\xf1\x08\x7b\xc2\x9e\x48\x7d\xfd\xcf\x1e\x09\x5e\xe1\x2d\x0f\x33\xfa\x1a\xeb\x0a\x32\xfb\xc2\x84\x4d\xc2\x42\x71\x4e\x12\x71\x2e\x46\x6a\xcb\x35\x33\x07\xe4\xc2\xfa\x10\x4a\x7c\x1d\x2a\x21\x3d\xdb\x4e\x45\x5e\x6c\xc4\x5d\xde\x09\xd3\xb0\x4d\x67\xed\x9c\x93\x16\xc3\x73\x01\xfa\x47\x9c\xb6\x9b\x17\xbd\xc3\x9d\x2c\x8d\xcb\x2c\x77\x1d\xca\xef\x3a\xcc\x5e\xeb\x51\xb8\xf2\x2b\xbd\xe0\x05\xde\x9d\x14\xa4\x8f\xb1\xc0\x4a\xb4\xe7\x61\x94\x15\x18\xc2\x20\xcf\x43\xfa\x2c\x85\x18\x58\x9d\x38\xdd\x0f\x0d\x3d\x32\x26\x1b\x1e\xfa\x6b\x36\xb2\xed\x46\x99\x35\x7a\x85\x68\xc4\xa5\xbd\xac\xde\xe1\x31\x5d\x6d\x38\xf2\xab\x08\x89\x93\xfc\x0c\x5d\xae\x44\x1b\x92\x9d\xad\xde\x7b\x28\x6b\xb6\xe3\xfa\x17\x6c\xbc\x1b\x96\x1b\xfe\x3d\xc1\x92\xd3\x81\x91\x4a\xb3\x57\x14\xb6\x79\x96\x95\x75\x9e\x87\x94\xf4\x10\xaa\x70\xb8\x24\xc1\x5a\x97\xb9\x70\x7b\x77\xca\xfe\xcc\x7f\xf3\xd8\x61\x65\xae\xf3\x7f\xd1\x0b\x7e\xd2\x1a\x2e\x1b\x80\x01\xcd\x5d\xc0\x37\x39\xb5\x9d\xc7\xa5\x98\x6c\xf2\x65\x7a\x0f\xad\xf3\x96\x31\x0f\xf6\x44\x75\x53\xd9\xba\xe3\x94\x12\x01\x61\x27\xa9\xf6\xd4\x5f\x6a\x2f\x5a\x3b\xc0\xcf\x7b\x8c\x21\x6b\xb9\x5c\x1b\xfe\x7b\xbc\xe0\x2d\x56\x93\x56\xf4\x1d\x0d\x4a\x12\x96\x1b\xb2\x81\x9b\xa2\xcf\x73\x65\x93\x3f\x07\x41\x41\x76\x9f\x89\xb2\x05\xb5\x98\x92\x33\xb6\x89\x1f\x78\x78\x66\xe8\x9f\x78\xec\x08\x96\xbf\x2c\xd6\xfd\xdf\xd9\x0b\x39\xf2\xe9\xac\x15\x26\x98\x92\xb8\xac\x20\xce\x83\xb7\x0e\x35\x7b\x59\xac\xf3\xd8\x42\x41\x57\xe6\x9e\xc1\xd4\x0c\x6c\x5c\x65\x3f\x10\x4e\xe4\x43\xd6\x70\xf6\xe0\x55\x0e\x30\x98\x96\x80\x10\x42\x7e\x26\xec\x3a\x42\xf0\x57\xaf\x0a\x1e\xa8\xcd\x46\x61\x17\x05\xa0\x7a\x86\xc7\x29\xc4\x32\xe2\x27\x47\xe7\x46\xe9\x97\x2a\xd2\xa3\xd6\x84\x8b\xf9\x17\x6a\xea\xe8\x02\x8c\xb7\x36\xdd\x86\x94\xe4\x4a\x15\xb1\xca\xa1\xb5\x09\xa6\x5e\x48\x58\xaa\xdb\x0e\x36\x8c\x0d\x11\x78\x0c\xaa\x40\x25\xd5\xc9\xe0\x9d\xb0\xdb\x85\xec\xee\x6c\x1d\xbf\x54\x66\xca\x4d\x69\x5a\xad\x44\xf8\x48\xd9\x2d\xb5\x8e\x0a\xe1\xed\x48\xec\xbf\x3d\xc2\xfe\x78\x8c\x1d\xa5\x61\x3e\x93\x45\xc2\xff\xc2\x98\x22\xe8\xf8\xaf\x63\x66\x1a\x75\xb2\x48\xf0\xb5\xb8\x34\x10\xaf\xf2\xd4\xd4\x95\x1a\x1c\x06\xd5\xf2\x2c\xd5\xf9\x17\xd8\x63\x6b\x3a\x43\xc2\xc2\xcb\x49\x79\xd6\x2a\x55\x58\x8f\x3c\xf2\x6c\x0b\x91\xf2\xe9\xe9\xe9\x69\xa8\xef\xf4\x8d\x37\xde\x88\xa9\xdc\x91\x68\xc5\x9d\xe1\x07\xe1\xa9\xeb\x67\x66\x9a\x98\xcd\x8d\x99\xd4\x14\x48\x87\x25\xcb\x07\x9c\x97\x8b\x3a\x26\x61\x6b\xbd\xd6\xbd\x0b\xb3\x5d\x37\xcf\xc5\x9e\x99\xbe\xe1\xba\xeb\x9a\x7c\x9e\x08\xea\x63\x4a\xc1\x53\x6a\xa8\x14\x1f\x8a\xf4\x36\x04\x4f\xb9\x3a\xcf\x62\xaa\x6e\x69\xb2\xe6\x3b\x71\x7b\x83\x1c\x94\x90\x48\x91\xc4\xad\x12\x07\x1e\x80\x2e\x34\x11\x0c\x9e\x25\x91\xe0\x41\xcf\x26\x59\xb9\x3a\x82\xc4\x90\x5d\xca\x09\xab\x95\xeb\x93\xce\x9b\x58\x98\x19\x2b\x79\xfa\x71\x50\x0f\xee\x1f\x57\xf1\x4a\x6f\x1e\x0f\xbe\x3c\x36\x18\xa9\x00\x81\xfc\x6e\x72\x60\xc5\x4c\x77\x73\xfe\x5a\x22\xb2\x66\xa6\x59\x4d\xd9\xbd\xd8\x21\xb0\x42\x21\x80\x4c\xaf\xa8\x10\xdb\xb5\x0d\x5c\x37\x36\xcd\x8c\x94\xc4\xa0\x2c\x13\x10\x2a\x5d\xa6\x33\xd8\x70\xe8\xbd\xd4\xae\x44\x84\xeb\x64\xc4\x97\x0d\xb9\x10\xac\x24\xc2\xe6\x49\x87\xde\x26\x05\x5d\xc3\xfb\x2e\x4a\xcd\x49\xd6\xc9\xce\x9e\x20\xb3\x19\x41\x8b\xa8\xac\x4a\xea\x25\xdd\x11\x75\xbb\xc9\x85\x28\x7b\xd4\x35\xc0\x56\xa1\x04\x03\xda\x7a\x3b\x61\xbe\x29\x22\xae\x12\x1a\x9b\x1c\x63\x16\x94\xa1\x42\x2e\x5d\x08\xc1\x50\x21\x70\x36\xeb\x89\xfc\xc8\x44\xb3\x39\x81\x93\x31\xcb\x91\xc5\x0a\x67\x96\xbc\xee\xa8\xdc\x4d\x56\x67\xd7\xee\xba\xa3\xdc\x21\xfa\xab\x19\x44\x27\x7c\x93\x24\x7b\xae\x58\xc9\x9e\x4f\x0b\x9e\x54\x95\xec\x69\xe6\x5f\x96\x83\x97\x1c\xc6\x74\x54\xee\xe7\x2b\x9f\xc2\xbe\xbb\x7a\xf3\xc1\x63\x9d\xff\x3f\x6f\x0e\x66\x35\xe6\x01\xc4\xcd\xb7\x42\x1b\x78\x08\x35\xae\x12\x5c\x39\xdb\x61\x5a\xda\x9e\x46\x65\x39\xaa\x24\x59\x7a\xcd\xcd\xec\x85\x35\x76\x75\x12\x6f\x89\x54\x14\xc5\x52\x9e\xad\x09\xff\x7f\x79\x7b\x48\x14\x81\x47\x83\x07\xbc\x25\x91\xc7\x59\x14\xb7\xe4\x54\x5f\x53\xc8\x40\x54\x27\x55\x2c\xec\x16\x74\x4d\xad\x8c\x5c\xc0\xec\x30\xa6\x24\x7c\x7f\x3d\x8c\x93\xa2\x32\x56\xef\x92\xb9\x9c\xbb\x19\xfe\xa7\x21\x0f\x21\xad\x7e\x2b\x11\xd7\xe8\x2a\x36\xe0\xab\x05\x7b\x4b\x8d\x3d\x42\xea\x94\xb1\xe9\x85\xef\xaf\xed\xb9\x17\x7e\x7f\x64\x2f\xa8\x43\xa8\x2e\xbf\xba\x3b\x3a\x00\xed\x0d\x67\x7a\xf5\x86\x0a\x6d\x2c\xbe\x29\xfa\xe8\xcb\x1e\x3b\xa2\xc3\x4e\xfd\xdf\xd8\x8b\x42\xa8\x63\xac\xad\x1c\x96\xe0\xa2\x37\x97\x75\xba\xbd\x52\xe8\x5c\x82\xc2\xd8\x2a\xd4\x8e\xe5\xb8\xfe\x2e\xb7\x9d\x4e\xb6\xe0\x14\x6a\x25\x3a\x02\xbb\x68\x18\x9f\xff\x14\xfb\x4f\x35\xf6\xc8\xc2\x35\xff\xfa\xff\xc7\x1b\x01\xa9\x61\xa5\xda\xdb\x2f\x05\x1f\xf3\xd4\x15\x6b\x3f\x25\x73\x11\x7a\xf4\xd5\x02\xdd\x77\x73\xd0\x34\x35\xa5\xaa\x09\xf5\x17\x17\xca\xa9\x3d\x96\x53\x86\xc5\xa6\xe9\x13\xd1\x90\xc3\xae\xbb\x60\xb8\x54\xf6\x1b\xe3\xec\x2a\x58\xab\xbd\x2e\xae\x8c\x5f\x1e\xdf\xf3\xca\x78\xed\xf8\x8a\xf5\xe6\xa0\x31\xb0\x44\x9e\x64\x70\xff\x15\xbd\x56\x4b\x14\x85\x3c\x2f\xf6\x39\x14\x8c\xc0\x71\x83\x3b\x6d\x9a\x91\x62\x81\xb3\x12\x74\x1e\x71\x41\xb4\x7a\x90\x89\x90\x96\x71\xa2\x26\x90\x3c\x06\x94\xc2\x2d\xd9\x98\x5f\xad\xa5\x54\xd7\x15\x19\x12\x4e\x75\x7e\xaf\x94\xdb\xa1\x5e\x81\x8e\xa4\xe4\x48\x20\x60\xd1\x4c\x2a\x33\xbb\xd4\x93\x31\xdf\x8c\x47\xf1\x3a\xee\x50\xf4\x49\x1d\xd3\x58\x28\x67\xf5\x9a\x68\xc7\xc8\x0e\x0a\xd6\x91\x25\x30\x01\xeb\x85\x58\xd7\x84\xfd\xa8\xb7\xa1\x31\x98\x27\x99\x3c\x01\x00\x9a\x59\x06\x28\xc7\x08\x84\x92\xe5\x7c\x3b\xcc\x3b\xe0\xd5\x6e\x6d\x00\x62\x79\x98\x2a\x66\x46\xa0\x51\xeb\x37\xc8\x1a\xd6\x25\x7c\x2b\x53\xfd\xaf\xab\x38\x79\x60\x8c\x7d\x07\x1a\x5d\xa1\x16\x67\x10\xa6\x4c\xee\xf5\xfe\xfd\x63\xc1\xeb\x2d\x75\x7f\x09\x74\xdb\xd2\x42\x17\x00\x8d\xad\xcc\xac\x2b\xba\xf8\x89\x82\x5b\xa5\x6a\xf4\x33\x35\xb2\xdb\x79\x5c\x96\x02\xf0\xbb\x94\xe1\x42\x6b\x66\x76\x19\xeb\xda\xa0\xd5\xe4\x67\x54\x19\xe6\x5d\xa9\xc2\xa6\x91\xb6\xad\xae\xe5\xb1\x58\xe7\xeb\x71\x1a\x26\x04\x5c\x43\x84\xb5\x21\x5a\xcd\x8b\x42\xe4\x98\xa9\x1c\xc6\x49\x2f\xd7\xa0\x6c\x4d\x7e\x37\xd5\xab\xcc\x7b\x29\x66\xd3\x90\x0f\x0a\xd3\xb8\xd7\x79\x1b\x8e\x31\x64\x51\xb9\x6e\xfa\x49\x37\xf0\xb5\x7e\x29\x28\xed\x11\xd9\x39\x55\x1b\x13\x91\xb6\x65\x4f\x19\x62\x3d\x2b\x9a\x49\x75\x00\x30\x58\x62\xc5\x67\x8e\x6f\xae\xb9\x47\x8c\xa9\x48\x6c\x4d\x59\xdd\xd7\x48\xb2\x76\x95\x00\xb6\x35\xa2\xbf\xf0\xd8\x55\x5b\x96\x41\xc5\xff\x5d\x2f\xb8\x5d\x2e\x26\x75\x2e\x2c\x33\xb2\x09\xee\xda\xd1\x55\x1f\x32\x1a\xe3\x34\x6b\xb2\xfa\xae\x72\xc7\xb2\xed\x3c\xe8\xd5\x77\x31\xaa\x5e\xe5\x33\xa8\x1a\x68\x98\xfb\x48\x04\xfe\xdc\x18\x3b\x24\xd2\xad\x53\x79\xd6\xf1\x3f\x31\x16\x7c\xdf\x98\xe2\x02\xd2\x58\x9e\x16\x84\x4a\x35\x7c\x8a\x62\xab\x33\xfb\xdc\xaa\x3a\xce\x2b\xd4\x2b\xad\xbd\x29\xe2\x44\xcd\xfa\x30\xf7\x9c\xc5\xf9\x85\xb3\xab\x8b\xa7\x16\x17\x96\x91\x6a\x22\x46\x9a\x05\xf7\xf4\x91\x0b\x79\x20\xa7\xb0\x0d\xc2\x04\x31\x71\xd3\x46\x43\x91\x27\x0a\x29\xef\xe0\x88\x08\x68\x65\x78\xd2\xd0\xa4\x80\xbc\xd3\x4b\xca\xb8\x9b\xa8\x5c\x7c\x12\x99\x0a\x6e\xb3\xc8\x5a\xb1\xb1\x1e\x94\x0a\x6b\x91\xaa\x0d\xb5\x01\xa9\xd5\xcd\x45\x4b\x44\xf2\x94\x46\x64\xc1\xa6\xad\x6b\xf2\xac\xc5\x17\xd2\x2d\x15\xb4\x16\xf5\x50\xcb\xc5\x73\x58\x75\x19\xa3\xe7\xcb\x71\x36\xcd\x9a\xbb\xce\x97\x05\x1c\x46\xb4\xec\xb0\x4f\x79\xec\x40\x51\x46\x71\xea\x3f\xe0\x05\x3f\xed\xdd\xad\xd5\x7a\x5b\x25\x51\x1b\x78\x98\x24\x19\xf2\xca\xf0\xb5\x9e\x14\xf2\x70\x7a\x87\xd7\x87\x86\x57\x05\x97\x99\x0d\x88\xce\x6c\x85\x28\xeb\xa0\x1a\x52\x4a\xcb\x0e\xaf\xdb\x38\x63\x74\xcc\x8e\x53\xbe\x70\xe7\x29\xbd\x80\x65\x81\x60\x1d\x75\x3d\x51\x2f\xf0\xd8\x58\x59\xf6\xfd\xfb\x82\x64\xcf\xad\x59\x5d\x7d\x16\x3a\x8a\xcb\x42\x24\xeb\x75\x1e\x26\x45\x66\x2c\x16\x13\x50\xc5\x09\x12\x7d\x90\x43\xb0\x4b\x1d\xfe\xca\x63\x57\xa3\x34\x98\x17\x52\xb1\x2d\xfc\xdf\xf3\x82\xa7\x39\x57\x06\xb3\x22\x91\x5e\x23\xa2\x9b\xf8\x29\xdb\x45\x6f\xd6\x8d\x3d\xe4\x33\x6c\x8a\x35\xf6\x28\x22\xf0\xc3\x0f\x7a\x8d\x5d\x64\xc4\xd5\xfe\x51\xac\xc6\x7e\x85\xc4\x47\x3c\xc6\xe8\x6c\x39\x1f\xe7\xfe\x4f\x78\xc1\x5b\xbd\x39\x4b\xf2\xd1\x3d\x1e\x91\x45\x07\x95\x13\x98\x13\xae\x61\x61\x68\x12\x4d\x14\xda\x16\xaa\x96\xba\xec\x9b\x3a\xed\x87\xda\xbe\xa3\x75\xbc\x68\x78\x42\xc5\x1d\xd8\x7f\x46\xcb\xf6\x57\xd4\xd8\x01\x78\xd0\x7f\x51\x2d\xf8\x1b\x6f\x3e\x6b\x6d\xaa\x57\xc1\x54\x72\x29\x9a\xb8\x52\xb5\xa1\x94\x62\x80\xb5\x48\x9d\xad\x4d\x56\xcb\x46\xdc\x96\x73\x36\x11\x5b\x22\xa1\x06\xd9\x76\xc5\x32\xd3\x5d\x91\xe5\x5c\x9e\xe9\xf3\x38\x1a\x6a\x27\xc8\x30\xa5\x9e\xa8\x50\xf8\x44\x6e\x8b\x60\xc8\x9a\x17\xdd\x24\xeb\x63\x86\x3d\x18\x2a\x0d\xd0\x96\x0b\x14\xfc\x25\x8f\x8d\x89\x74\xcb\xff\x4d\x2f\x58\x54\x22\xbf\x5a\xbc\x93\x4d\x72\x58\xca\x8f\x96\x59\x4f\x64\x93\x6c\x62\x2f\x32\xeb\xae\x30\xdf\x93\xcf\x50\x8e\xd2\x7e\x26\xed\x8f\x78\xec\x88\x56\xda\xfc\x8b\xde\x1e\x6c\x34\xa7\xd5\xe3\x41\x32\xdb\xb2\x2c\x87\xe0\x1c\x32\x23\x45\xee\x41\x92\x36\x20\xcb\x81\x5d\xbb\xe8\x66\x69\x01\xda\x9c\x6d\x38\xa0\x22\x71\xcf\xaa\x3c\xec\xb2\xd7\x28\x8b\xd0\xcb\xbd\xe0\xdf\xd9\x26\xa1\xa1\x30\x6c\x15\xb8\x38\x7f\x76\xe5\x39\xa7\x67\x6f\x5b\x38\x4d\xf1\x91\xd6\x2c\x51\xe1\x35\x86\xa7\x29\xe4\xbd\x34\x7e\x6e\x8f\x6c\x82\xc7\xf4\xbb\x93\xbb\x2d\x9a\xaf\x8d\xb3\x43\xad\xac\xd3\x09\xd3\xc8\xff\xf3\xf1\xe0\xd3\xe3\x0b\x69\x99\xf7\x31\x47\x11\x86\x19\x51\x63\xf4\xa1\xc5\x6c\xf3\x1b\x22\x49\x50\x0f\x88\xac\x95\x36\x51\xf0\x85\xb3\xab\xcb\xcf\x5a\xba\x73\xf1\xec\xaa\x0e\xea\x8b\xdd\x6d\x84\x4e\x1b\x91\xdc\x58\x71\x0e\xda\x2c\xb3\x8f\x3f\x76\xd7\xec\xf2\x73\xce\xce\x9e\x59\x98\xa4\x03\x53\x37\x04\xf5\xd5\x38\x12\x6c\x9d\xcc\x9a\xd2\x64\x77\x54\x13\x7b\x47\x4a\x5c\xe3\xcc\xa1\x29\x1f\xa7\xdd\x5e\xa9\x12\x40\xb5\x94\x4a\x35\x2c\xb2\x6c\xa5\x5d\xad\xa2\x9f\x96\xe1\x05\x75\x88\x12\x45\x2b\xec\x6a\x92\x34\x1e\x65\x3d\xf9\xf1\xc7\x3f\xbe\xce\x63\x71\x92\x3f\xde\x7a\xb1\xc9\x17\xe8\x59\xab\xbd\x68\x40\x15\x5b\xc0\x9e\xae\x5b\x2b\xf7\xd9\x76\x98\x47\x60\xee\xcc\xd6\x07\xe0\x69\xa9\x81\xa4\xf3\x00\xbc\x42\x79\x19\xc6\x07\x3c\x65\xc7\xe9\xbd\xa2\x55\x36\xe4\xd1\xac\x61\xd9\xed\x70\x49\x89\x06\x4d\x93\x46\x98\xb7\x01\xa9\xdd\x3a\x87\x5f\x93\xf7\xe0\x4c\xd8\x08\xf5\x53\x71\xda\x08\x1b\x30\x49\x46\xf8\x6b\x5f\x52\x63\x8f\x84\x69\xb3\xd4\x4b\x12\xcc\x70\xf4\xff\xca\x0b\xfe\xc0\x5b\x04\xa9\xdd\xed\x25\x09\xc5\xb6\x34\xf9\x9d\x88\xae\x30\x0b\x6a\x45\x9d\x9f\x95\x1d\x56\xe7\x8b\xeb\x67\xb3\x72\x49\x99\x9d\xed\xe3\x01\x3e\x28\xa7\xde\x49\xca\x8c\x2e\xc3\xf6\x00\x9a\x4f\x96\x3b\x05\x18\xf2\xac\x87\xc8\x90\xe3\x6e\x1f\xd7\x40\x49\xb2\x9b\xf0\xb7\xdd\x13\xaf\x3e\xc0\x0e\x74\x21\xe8\xf4\x65\x07\x82\x97\x69\x15\x1d\x2e\xc9\xd6\x60\x20\x69\x65\x14\xcd\x82\xbc\x05\xa8\x6f\x18\x8c\x0a\x8e\xe5\x76\xbc\x45\x71\x48\x24\xca\x0c\x45\x56\x45\xc8\x0a\x9c\xe1\x28\x4b\xa6\x95\xa5\xa9\x20\xd1\x18\xda\x39\x6f\x85\xd4\xa4\x21\xed\x02\x92\x5c\x3a\x61\x1e\x83\xf5\x43\x17\x16\x26\x28\x2c\xb0\x83\xfb\x83\x55\x9a\xbf\x73\x61\x85\x9f\xbd\x73\x55\x6a\xc5\x5b\x42\x85\x5d\xc0\x7d\x68\x16\xa5\x19\x50\xc4\x2c\x9f\x4d\xfb\x78\x53\x7b\x0d\xc0\xeb\x80\xa6\x87\xd4\xc9\x0c\x0b\xa6\x9b\xf0\xbf\x40\xb6\x32\x07\xff\x00\x04\x81\x3b\xf5\xd7\x29\x7d\x60\x60\x89\xe5\xf2\xd1\xbd\x49\x6d\x7f\x68\x94\x74\xad\x36\x2d\x65\x79\xf9\xa0\xf7\xe4\x91\x71\x2d\xff\xd2\xff\x17\x0d\x53\x49\xf9\x06\x6b\x48\xf9\x58\x66\xad\x2c\xd9\x0b\x53\xd6\x83\xde\xf4\x2e\x1b\xeb\xb7\xf9\x8f\x70\x3f\xb0\x8f\x1d\xf6\x37\xc7\xd9\x11\xd0\xa0\xef\x4c\x5b\xc2\xff\xf8\x78\xf0\xb3\xe3\x77\x5b\x82\x68\x48\xd9\xd3\x68\x05\x49\x46\x89\x3e\x78\x44\x90\x92\x34\x15\x09\xc1\x89\xc5\x18\x44\xbf\x26\x44\xca\xb3\xae\x50\x47\x2a\xed\x33\x28\xcb\xb0\xb5\x41\x87\x3b\x3a\x62\x14\x98\xfc\x64\x4a\x2c\xca\x5c\x84\x1d\x05\xd1\xd9\x01\x86\xc3\xae\x3c\x0c\xa2\x41\x41\x9f\x01\xb1\x30\x5e\x10\x82\x11\x5a\xe8\x54\x8b\x14\xf7\x24\xe5\x56\xd5\xcd\xd7\xa8\x5a\x8e\xd7\x02\x8e\x9d\x75\xed\xd1\xd7\x06\x3c\xc5\xb2\x47\xf9\xfc\xf8\x45\x52\xab\x64\x79\xda\xe7\x98\x6a\x2a\x47\xac\x6a\x1a\x69\x37\x2c\xd8\xc3\x4c\x81\x54\x14\xd0\x63\xc0\x72\x2c\xea\x96\x51\x09\x3a\x5a\xd5\x14\xba\x3a\xa2\x84\x0f\x2c\x9d\x2e\x59\xc5\xd9\xa7\x67\x6d\x2f\xb4\xc2\x3b\x13\x14\x8d\xeb\xc8\xaa\x60\x2f\x1b\x4a\x97\x54\x56\xd0\xa1\xc3\x9f\xb5\x7b\xc9\xc3\x2e\xba\xdb\xaa\xcf\x7a\xce\x31\xeb\x7f\x8c\xb1\xc7\x55\x58\xd4\x70\x0f\xf8\xf8\x58\xf0\xa1\xb1\x45\x45\x69\xb8\x91\x6d\x63\x34\x42\x85\xa9\xcc\xe0\xae\xeb\xb0\x80\x26\x04\x78\xd9\x64\x1b\x03\x81\x0d\x95\x76\xbc\x21\x20\x59\x67\xdc\xcb\x5e\xa1\x3f\x99\x51\xda\x0d\x99\x6a\xa1\xe7\xc9\x54\xd6\xe4\xa7\xc2\x24\x59\x0b\x5b\x9b\xab\xd9\xe9\xac\x5d\xdc\x99\x2e\x80\xd7\xd2\xa9\x0b\x98\x1b\x5a\x1b\xbd\x74\x73\xc0\x01\x95\xb5\x79\xd6\x2b\xa5\x26\x42\xf6\xdb\xaa\x06\xaf\x53\x18\x0e\x4e\x41\xe5\xcc\x36\xa5\x88\x0b\xb1\x4d\xd8\x8a\x1c\xff\xa0\xc0\xd8\xe5\x17\xb6\x69\xed\xf8\xf4\x75\x37\xa1\xa1\x4e\x6e\x88\x37\x4d\xf3\x24\x4e\xa5\xac\x87\xd9\x06\x23\x2b\x97\x49\x27\x94\x87\x10\x77\x8f\x95\x1d\xbd\x9b\x86\xf9\xa5\x71\x36\x1e\xe6\xed\xc2\xff\xdc\x78\xf0\xc1\xf1\x59\x52\x1e\x34\x6a\x89\xd0\xfa\x66\xa5\x32\x39\x77\x66\xfe\x8a\x16\x79\x45\x8b\x1c\xa9\x45\x7e\xa2\xc6\x78\x15\x5c\x67\xd8\x11\x45\x37\x6c\x21\x2c\xea\xdb\x6b\xc1\x0d\xce\x95\x9d\xb1\x51\xa5\x5a\xc4\xf5\xb3\x6e\xd8\xcf\x17\x3d\xf6\x5b\x1e\x63\x60\x3d\x8f\xef\x13\x79\xe1\x7f\xd2\x0b\xde\xe3\x9d\xd2\xbf\x29\xf6\x3c\xeb\x86\xf2\x38\xa6\x13\x21\xed\xf8\x7a\x95\x47\x41\xd8\x81\x10\x0b\x14\xa6\xc8\xf9\x81\xae\x55\x05\x2d\x43\x72\x16\xf9\xd8\xf6\x35\x0a\x0a\xfc\x54\xe4\x8d\x56\xd2\x93\xff\x62\x94\x80\x6c\x51\x31\x35\xa2\x33\x3f\x79\x95\x13\x5d\xeb\x10\x6f\x2a\xce\x4d\x4c\xa3\xfd\xe1\xab\x82\xbf\xaa\xd9\x57\x06\xf1\x13\x5b\x70\xd1\x25\xdb\xac\xdb\xc1\x2f\x64\x1e\xa3\x5b\x7c\x05\xb2\x45\xe4\x2a\x39\x1f\xe3\x25\x28\xa1\xe9\x36\x32\x2e\x1a\xa4\xf7\x35\xe0\xf6\x79\x0e\xf3\x95\x42\x0c\x5c\xb7\x96\x66\xc5\xa5\x4c\x13\xee\x54\xd7\xec\x1d\x56\xd2\xa0\x0e\xbc\x22\xd3\x32\xe9\x24\x03\xed\x24\x6b\x31\xa4\x02\x02\x9d\x85\xa9\x82\xa3\x4f\xa4\x62\x5b\x37\xcf\x90\x67\xc9\x25\x0e\x91\xe2\xd4\x45\x56\x84\x8c\x52\x52\x35\x6e\x29\xb0\x06\xd0\x46\x8a\xdd\xe1\xcc\xc7\x9f\x39\x7c\x05\x89\xea\x0a\x47\xc0\x37\x0e\x10\xea\xd3\x36\x20\xd4\x03\xde\x65\xf2\x82\x04\x2f\xf2\x34\x26\x14\x76\xe6\x44\xf1\xf5\xc7\x85\x62\x5f\xf6\x88\x9e\xe4\xf3\xde\x08\x84\x9a\x9d\x45\x23\xd0\x94\xbc\xc1\x83\x5d\x26\x76\x29\x4a\xaa\x08\x88\xe1\x9d\x87\xbd\x75\xb2\x41\x0d\xb9\xa7\xa2\x3a\xfb\xa0\xd7\xda\x1d\xfc\xea\x56\xff\x16\x07\xfc\xca\xe0\x5e\x59\x8d\x1f\xe0\x09\xb5\x1b\xc5\xd8\xa7\x8f\x38\xd1\x62\xf9\x5a\xd8\x32\x69\x6d\x59\x22\xfc\x9f\x38\x12\x7c\xda\x93\x7f\xe1\x9a\xd3\x9b\x54\x54\x97\x0a\x6b\xdc\x52\x89\x8f\x14\x71\x30\x84\x70\xa8\xb3\xf2\xf5\xae\x02\xd6\x53\xd9\x55\x78\xa8\x94\x65\xdf\x26\x37\x82\xb4\x2d\x95\x57\x85\x86\x2d\x95\xb6\xad\x99\xe6\xcc\x8d\x40\x01\x17\x6e\x21\x30\x3f\xd4\x0f\x73\xf1\xe3\xfb\x30\xe0\x40\x85\x66\xcf\x40\x49\xc4\x15\x85\x31\x8f\x10\xd7\x80\x0a\x17\xf1\x6c\x62\xa1\xc7\x8f\xbb\x42\xfa\xcb\x07\xaf\x08\xe9\x2b\x42\xfa\x1b\x27\xa4\x37\x2c\x19\xfd\xaf\x2f\x57\x44\xff\x8b\x11\x12\x9a\xf5\xd9\x81\x1c\x90\x4b\xbb\x41\x03\x17\xe9\x46\x96\x44\x18\xdf\x81\x71\x4b\x66\xf9\x6a\x12\x36\xb9\xae\x6c\x8d\xf4\x3a\x76\x7c\x44\x0c\x9b\x23\x42\x6c\x0c\xd1\x8d\xdd\xe5\xd9\x82\x3f\xd7\x20\x31\x25\x3f\xea\x12\xd3\x0c\x20\xfb\xed\x28\x0a\x18\xfb\xd4\x51\xf6\x78\xab\x46\x6b\x61\xd9\xda\x30\xa4\xdc\x79\x96\x3e\x3d\x5b\x83\x43\xc7\x3b\x8e\x06\xcf\xb2\x7e\x5b\x47\x0e\x65\xd3\xb8\x37\x5b\x23\xe7\x0a\x10\x07\xc6\xc0\xe6\x9a\x6d\xa2\xab\x8f\x68\xe9\x52\x0d\x74\x13\xb6\xca\x1e\xa2\xf4\xf4\x52\x00\x4b\x46\xda\x04\x71\xd1\x3b\x7a\x6f\xb6\xb6\x2a\x3a\x5d\xb9\xaa\x1d\xd9\xf3\x56\xc6\x7e\xc1\x63\xdf\x65\xe2\xca\x9e\x9e\xad\x15\xb7\xc7\xf2\x50\xd1\x3f\x1d\x77\xe2\xd2\x7f\xb3\xa7\xd2\x16\x5e\xe6\x49\xe5\x1b\x29\xd5\x10\x00\x5a\xbd\xc4\xe5\x50\x00\x71\xeb\xbd\xd9\x1a\x62\x03\x09\x79\x6a\xb3\xb3\xb0\x61\x89\xc8\xb5\x93\xf1\x28\x2e\xe4\x12\xec\xc5\xc5\x86\x4e\x40\x50\x69\xe3\xfc\x3e\x91\x67\x08\x3f\x66\x7b\x8f\x5d\xc3\xc2\x09\x37\xf8\xfe\xcd\x1e\x3b\x54\xf4\x8a\xae\x48\x23\xff\xd5\x5e\xf0\x1f\xbc\x55\x6d\xb5\x2a\x45\x42\x38\x61\xc6\x53\x8a\x6c\xb1\xf0\x38\xc2\xa7\x3f\xb7\x27\x97\xac\xee\xe7\x02\xd8\xea\xa2\x4c\xa0\x21\x41\x9e\x52\x11\x9f\x23\xc9\x45\x18\xf5\xb9\x0a\xf6\x35\x2f\x34\xf9\x70\x62\x97\x1b\x36\xf0\xc9\x1a\x7b\x54\x2b\x4b\x91\x11\xac\x45\x70\x8d\xfe\x4f\xd7\x82\x1f\xa9\x11\x40\xbe\x1a\x75\x79\x36\x10\x21\x44\xa2\x2b\xfe\x30\xf3\x21\x8c\xaa\x7b\x7a\xb6\x06\x41\x27\x71\x64\x51\x11\x9e\xe4\x0d\x1e\x40\xbe\x73\xc0\x8f\xd1\x91\x60\xf2\xa4\x4a\xfa\xa5\x69\xa6\x71\x9b\x4c\xe9\x49\xff\xc9\xf2\xcd\x53\x80\xc7\x15\x9c\xd4\xc0\x5c\xd6\xf7\xf3\x9e\xec\x93\x62\x33\x86\x0c\x1a\x9e\x8a\x0b\x70\x8d\xc7\xeb\x60\xac\x8f\xb3\x1e\x00\x0e\xc9\xf3\x4e\x3a\x51\x9a\xc9\xd0\x17\x25\x94\xbd\x2c\xba\x49\xd8\x12\xc1\x49\xb9\x1d\xb7\x44\x62\xb3\x58\xd2\xa1\x1e\x66\x3a\x1a\x29\xe1\xd9\x02\x27\x35\x82\x4b\x89\x6d\x9e\xa5\x62\x00\x4a\xee\x3b\x30\x60\x71\x68\xbe\xbe\x5e\xcf\xd7\x17\x0f\xcc\x57\x7c\xe1\xeb\x3d\x57\x67\xdc\xb9\xfa\x52\x8f\xd9\x8b\xd1\xbf\x8f\xdd\xb0\xa3\x2c\x73\x25\xc7\xd3\xcd\x5b\xa0\x41\xde\x6a\x26\x8e\x12\x15\x4e\x6a\xb5\x26\x6d\xd9\x80\x2a\xc3\x14\x02\x9f\x0b\xcd\x85\x26\xbb\x87\x69\x11\xe1\x3f\x23\x98\x97\xbd\xa5\x7e\x03\x13\x6e\x8e\x1c\x4c\x9d\xb0\xac\xf3\x42\x08\x93\x97\x96\x36\xb7\xe3\xcd\xb8\x2b\xa2\x38\x6c\x66\x79\x7b\x4a\xfe\x9a\x92\x8f\x3b\xa6\xbd\x8f\x79\xec\xb1\x2a\x16\x6b\x5e\x84\x51\x12\xa7\x62\x45\xb4\xb2\x34\x2a\xfc\x77\x79\x8a\x59\xf5\x35\x3a\xa7\x8e\x47\xf4\x90\xfc\x78\x81\x0f\x52\x18\x12\x16\xa2\xdb\x89\x50\x5f\x9d\x18\x0c\xcf\xaa\xca\x11\x5a\xbe\x91\x34\xaa\x4f\xf4\xa1\x4d\xce\xcf\xc8\xc7\x68\xb4\xad\x95\xa4\xbb\x89\x42\x27\xc3\x42\x4d\x90\x2c\x15\x85\x3b\x68\xff\x6d\xac\x3a\xa7\x58\x65\x47\x18\x56\xb2\xb7\x8d\x05\xbf\xe4\x0d\x5f\xb7\x88\xc9\x4c\x4a\xc5\x43\xc5\x4d\x36\x2a\xff\xee\xa1\xa0\x27\xfb\xb5\x6f\x1a\x7a\xb2\xa7\x59\x19\x2b\x4f\x0e\x1a\xa3\x33\x56\x46\x65\xa9\x7c\xf2\x70\x25\x43\x99\x15\x70\xe9\xff\xe8\xe1\xe0\x56\xeb\xb7\xb5\x39\x87\x18\x03\xaa\x83\x9c\x09\x18\x44\xc7\x3e\x18\xe7\x2b\xa5\xa9\x5c\xf4\x8e\xe8\xd0\x4c\xa7\x67\x1f\x38\xc4\x4e\x52\xc7\x1e\x0f\x9e\x80\x09\x6d\x2e\x67\x8c\xea\x6c\xf5\x15\x67\x81\x95\x56\x9e\xf1\x46\xf0\xec\x33\x2a\x7b\x59\x84\x51\x43\xb1\x38\xa0\xa1\x09\x2e\x41\x8e\xb1\x71\x62\xf3\x63\x98\x80\x0c\x69\x53\x5a\x78\x4d\x36\x77\xdb\xca\x5e\x04\xbb\xed\x1a\x44\x37\x5f\x08\x36\xc1\x3b\x62\x65\xef\x51\x6a\xd6\x00\x09\x9b\x6d\x4c\x57\xc9\x5b\xda\xbe\x46\xd1\xcb\xee\x97\x83\x80\x1f\xc3\x27\x27\x0a\x48\xc8\x9e\x74\xda\xfe\x0b\x35\x76\x94\x6a\xb1\x70\xa1\x9b\xe3\x91\x69\x41\x59\xf1\xbb\x0f\x61\xa5\x6e\x13\x1b\xe1\x96\x94\x33\x71\x27\x4e\xc2\x1c\x75\x81\x15\xfc\x34\x38\xbc\xab\x96\xd0\x43\xe5\x6b\xd8\xa5\x47\x54\x3d\x64\x17\x60\xb8\x17\xd5\x2b\x04\x16\x05\x52\x07\xc5\x85\x56\xd2\x2b\xe2\x2d\x77\xf6\x3c\x97\x99\x59\xe9\x47\xc1\xdd\x83\x03\x69\x9c\x46\x4e\xbc\xfa\xce\x1d\x85\xc9\xa8\x76\x16\xdd\xc4\xc9\x09\xe7\x93\x9f\xf5\xd8\xb7\xe1\x37\xf3\xac\x1b\xb6\x11\xf2\xf5\x23\x5e\xf0\x93\xde\xe0\x55\x1b\xc5\x44\xaa\x45\x70\x1f\x33\x24\xba\xf4\x94\x8d\x1a\x02\x58\x5b\x4e\xd8\x95\x72\x7d\x61\x82\xc5\x76\xd8\xe7\x61\x9e\xf5\xd2\x88\x2c\xb7\x3a\x5c\xf5\xcc\xc0\x87\xcf\x66\xa9\x50\x2e\xa5\xe6\x40\x44\x1f\x00\x09\xc5\x29\x9f\x69\xce\x4c\x3b\xed\x7a\xff\x98\x4d\xba\x5f\x6d\xfa\x21\x24\x8d\xdb\xc2\xd6\xa6\xd4\x53\x5f\x30\x16\xcc\x55\xde\xb1\x67\x4e\x08\xa8\x72\x28\x43\x15\x1d\x1c\x1a\x30\xe8\xe1\xca\x44\xb8\x77\xd4\xd8\x05\x92\x2a\xdd\xa0\x75\xd6\x4a\x03\xb5\xcc\x20\x94\x97\x85\x06\x75\x95\xa4\x05\xc2\x07\xfc\x3d\xca\x69\x05\xe4\xbf\xda\xea\xa2\x72\xb1\x95\xcd\x9a\xac\x0b\x76\x57\xfc\xa8\xc7\xc6\xbb\x59\x2e\xcf\x0d\x23\x20\xa8\xdd\x1e\x72\x3b\x60\x29\xcb\xcb\xa0\xb5\x04\xe9\xd7\x43\x09\xb1\xba\xda\xb3\x18\xfd\xa1\x70\xff\xf0\x07\xaa\x7a\xb1\x95\x83\x85\xb0\x99\x95\x1d\xdd\x64\x3f\x73\x90\xcd\x58\x95\x52\x9e\x14\xa5\x70\xa1\xc4\x9d\x05\x7f\x7d\xc7\x50\x57\xbe\xe0\x60\xf0\x3b\x5e\xf5\x3d\x97\x28\x9a\x56\x0a\x28\x65\x16\x01\x38\xfa\xff\xa3\x26\x5f\x86\xd8\xd6\x34\xdb\x46\x24\xa1\x25\x79\xd6\x2c\x4a\x91\x2a\x44\x72\xb2\x5d\xa9\x17\xf8\x56\x1c\x72\xc5\xde\xa6\xae\xe6\x75\x30\x50\x01\x51\x13\xdf\x46\xd4\x21\x05\x8b\x59\x64\x0a\x1e\x4b\x63\x70\xa6\x44\xb2\xb7\x70\x21\x6c\x49\xed\xdb\xe2\x55\xa1\xaf\x61\x66\xb3\x35\x9b\xfe\xf3\x38\xfb\xc8\x18\xfb\xb6\xd8\xc2\xc0\x82\xc3\xeb\xbb\xc6\xf6\x90\x34\xa7\xdb\x54\x9a\x37\x83\xbf\xa8\x0d\x16\x66\xb1\xc3\x93\x25\xc0\x0e\x42\x4a\x85\x3c\x66\x86\x39\x1e\xc2\x30\x60\x23\xe4\x5d\x5d\xb4\xea\x68\x3b\xfe\x9e\xc0\xa7\xa8\xfd\x36\xe2\xc1\xe0\xa2\x36\x78\x01\x30\x0a\x8a\x44\x6f\x6e\x65\xf1\x4c\xdc\x56\xa4\x7c\x08\xcf\x04\xdc\x5b\xba\xaa\xc0\x3f\x9f\x50\x5e\xbe\x48\x54\xdc\xc3\x88\x4f\x23\x3d\x54\x55\x9f\x54\x49\x9a\x06\xc6\x09\x57\x21\x96\xad\xf5\x09\x3f\x88\xac\x9c\x8a\x01\x70\xc7\x8a\xb3\x33\xec\x31\xdd\x81\xef\x4a\xc1\xe0\x5f\x1f\x1c\xb3\xf5\xb9\xe1\x4e\xd5\x5d\xee\xac\xf2\xb7\x1e\x64\xcf\x36\xc3\x2d\x27\x65\x0a\xf1\x33\x0d\xc3\x76\x65\xa3\x0b\x99\x07\x40\x6d\xee\x15\x65\xd6\x51\x09\x93\xf3\x7a\x06\x69\x90\x21\xff\xbf\x1e\x08\x9e\xb5\xeb\x53\x36\xd8\x52\x19\xc6\x49\xa1\xc7\x4e\x9d\x5b\x0d\xff\xbf\xb2\x91\x52\xee\x70\xd9\xef\x8a\x8b\x1e\x91\x7d\x3b\xb3\xfd\x13\xe3\x4c\xb0\x43\x14\x4d\xe1\x3f\x3b\x38\xa3\x02\x2b\xe0\x5c\xb8\xd1\xeb\x84\x08\x74\x0c\x7b\xbc\xbe\x87\x7e\x44\x08\x80\xa7\xaa\x60\xe0\x1c\xc4\x72\xc0\x3c\x81\x6a\x38\x5d\x78\x2f\x3b\x88\x47\x14\xff\x7c\xb0\x82\x7f\xe1\x47\x30\x54\xb7\x2e\xd7\x66\x63\x3b\xcb\xa3\xba\xb1\x10\xd2\xa1\xc6\x34\x54\x35\x70\xa2\x18\xf9\xad\x67\x6b\x62\xf3\xa5\x60\xae\x70\x38\xca\x0d\x37\xb9\x53\x20\x18\x2b\xa5\x3c\x58\x05\xfd\xf1\x14\x46\xfe\x9c\x4b\x37\xd3\x6c\x3b\x1d\x50\x23\xa0\x3b\xfd\x38\xf8\xd7\xf2\x5f\x55\x2e\xfc\x3d\x5c\x2a\x01\xb0\x21\x9a\x3c\x5f\x00\xce\x7b\x38\x8d\xd7\xd1\xa5\x3e\x0b\x01\x4f\x14\xb0\xb4\xaa\x02\x5c\x14\xba\x86\x01\x25\xf5\x65\x73\x57\x75\x6b\x57\xe3\x8e\xf0\xbf\x7f\x84\x3b\x66\x84\xf1\x52\xbe\x1b\xac\x0c\x97\x47\x3d\x0a\x69\x89\x76\x23\xac\x4e\x56\x2a\x88\x14\xa3\xd4\x91\x40\xfa\x06\x4a\x47\x93\xfd\xed\x0d\x95\xc7\xc6\x05\x05\x56\x68\x92\xe2\x3f\x79\x43\xf0\xa2\x03\xb3\x29\x1f\xbe\xa5\x90\x93\x9c\xdc\x78\x07\x26\xb8\x14\x9d\x6e\x96\x63\xb8\x25\x52\xce\xc1\x0e\x2e\x67\x63\x37\x8b\x88\xce\x52\xe4\x0d\x4c\x44\x85\xbe\x6d\x95\xf1\x16\x82\xb1\xa9\xcc\xbe\x48\xac\xf5\xda\x6d\x70\x82\xe8\x3a\xd8\x29\x77\x10\x46\x9e\x66\xc6\x58\x2e\x8f\xe5\x78\xf0\x96\x1f\x6a\xf7\xc2\x3c\x4c\x4b\x21\x0a\x1d\xcd\xd6\x77\xa0\x1f\x4c\x8a\xbc\xca\xd9\x82\x94\x2c\xc8\x74\xd8\x46\x57\xba\xac\x2c\x6c\xdd\x98\x3d\x0e\x74\x81\x76\x28\x9a\x6c\xd8\x70\xd5\x78\x2b\xec\x15\xa2\xa0\xf7\x21\x14\xb6\x25\x44\xc4\xd1\xf8\x4e\x95\xa5\x7c\xa0\x38\x4b\x35\x32\xa1\xea\x43\xb1\xa5\x90\xb0\xab\x9a\xad\x60\x21\x74\x67\xaf\xf5\x29\xc7\x25\xe9\x73\x15\xaf\x6b\x92\xa1\x55\x84\x42\xdf\xe4\xb7\xc1\x5b\x72\xe7\x2e\x35\x22\xa2\x6e\x85\xf5\xa1\xa2\xb7\xa6\x6a\x3b\xd8\x83\x61\xb7\x2b\xc2\x7c\x10\xa3\x8f\xcb\x93\x34\x41\xde\xed\xcc\xeb\xa8\x36\x06\x0a\xa5\x18\x9e\x5e\x85\x03\x3d\x58\xa9\x4e\xbe\x77\xe6\x4a\x8e\xe0\xb7\x6a\x8e\xe0\x95\x08\x7b\xfb\xdc\x02\x47\xa6\x37\x7b\xc1\x7f\xf6\x6c\x9d\xa8\x4a\xe8\xec\x9c\x8c\x03\x4b\x11\x4e\x25\x6a\xfa\x52\xea\x4d\xd8\xc9\xd2\xf6\x40\x26\x73\x1d\xd0\x01\x6c\x81\x23\x97\x7e\xc5\x07\xdd\xd4\xad\x7f\x37\x8c\xeb\x90\x5c\x02\xac\xc3\x4d\x03\x17\x54\xe4\xa4\xc2\x42\x05\x06\xe2\xaa\xba\xb0\x3f\xab\xb1\x47\xa3\xf1\x51\x0b\x12\xd0\x26\x3f\x5b\x0b\x3e\x56\x43\x3e\x07\xa2\xf0\xad\x4c\x65\x82\x3d\x73\x29\x8b\x40\xf5\x37\x6c\x90\x55\x1d\x8d\x5f\xa1\x14\xf1\xaa\x07\xf4\xda\xef\xe9\x4c\x53\x13\xc9\xc6\x8f\x2d\x2e\xcd\xd5\xf9\xd2\xe2\x3c\x00\x9d\x4f\x6a\x3d\xd0\x12\x43\x2a\x4f\x11\x68\xae\x49\x54\x54\x7d\x28\x2e\xd4\x37\xb6\x37\xc2\x12\x22\x29\xad\x0f\x85\xb9\xe0\xc5\x46\x98\x5b\x34\xdc\xc0\xd5\x70\x36\x53\xe1\x65\xd5\x01\xf1\x30\x49\x14\xda\x18\xba\x95\x49\x65\xb7\x07\xfc\x9f\x67\xd2\xe9\x95\xd0\xe0\x2b\xa1\xc1\x0f\x6f\x68\xf0\x95\xf4\xc6\x2b\xb3\xef\x1b\x37\xfb\xbe\x05\x92\xea\x7f\xd1\xc1\xd1\x7a\xdf\x25\xe3\x68\xdd\x67\xe0\xb3\x34\xf0\xe3\x6e\x5a\x48\xf5\x89\xad\x57\x08\x5e\x74\x11\x33\x5c\x17\x49\x81\x1b\x0a\x16\x42\x93\xf2\xc8\x2d\x9a\xdd\x3b\x00\x09\xf5\xec\x3d\x23\x42\x4d\x2f\x19\xdc\xa6\xbd\x29\x4e\xff\x1c\x01\x66\xbe\xf5\x81\x06\x92\x21\xc0\xbd\x87\x73\x0e\x7d\xeb\xe1\xba\x5c\x49\x23\xbd\x92\x46\x7a\x25\x8d\xf4\x4a\x1a\xe9\x65\xa4\x91\x7e\x33\x40\x43\x75\x6c\xb8\x99\xf3\xfb\x42\x9b\x39\xae\xff\xdc\xbb\x11\x66\x73\x10\xeb\xf6\xe1\xdc\x74\xae\x20\x1c\x7e\x6b\x20\x1c\xc6\x0a\x04\xeb\x7c\xb0\xf2\x30\x40\x60\xd9\x9f\xea\x2b\xc8\x92\x6e\x30\x85\x14\x79\x7b\x9e\x6e\x97\x89\xaa\xc1\x7e\xa6\xc6\x26\xf6\xc8\xe9\xe0\xff\xc7\x5a\x50\x54\xdd\x30\xee\x65\x91\x66\xbd\xf6\x86\x13\x92\x50\x66\x3c\x11\x88\x51\x4d\xe2\x64\x20\x4e\x85\xd2\x48\x08\x68\x64\x38\x92\xc6\x8d\xb1\x78\xc9\x37\x4d\x84\xe5\x7b\x6b\xec\x36\xab\xe7\xd6\x93\x6c\x9b\x02\xe7\x4d\x52\x45\x1e\x67\x79\x5c\xf6\x4f\x8b\x2d\x91\xcc\xd9\x70\xc4\xa6\x53\xbf\xea\x05\xf7\xee\xe1\x39\xd3\xc7\x4e\xe7\x22\xf0\x4b\x6c\xd9\xfa\x02\xca\xa3\x69\x74\xa9\xd0\x80\xf0\x60\x20\x4c\xab\xca\x6b\xb5\xc1\xd6\xa9\x43\xff\x4d\xf0\x8c\xf3\xf2\x8f\xf3\xca\x44\x6a\x1b\xa5\x55\x79\x0e\x28\x1b\x55\x93\x3e\x61\x8d\xaa\x22\xb6\x71\x96\xd4\x07\xaf\x66\xd7\x8c\xca\x61\xa3\xec\x32\xff\x55\x57\x07\x3f\x32\x66\x5d\x70\x03\xbd\x72\xc8\x1e\x5b\xeb\x59\x89\x07\x2a\x8a\x2e\x2e\x9b\x1c\x22\x4f\x80\x53\x5a\x75\x1d\xa6\xae\xed\x10\xa7\x05\x51\x4f\x73\x98\xd9\x6d\x3f\xd6\x4e\xb2\xb5\x30\xb1\xa6\xa1\x2c\x37\x8c\xa2\x82\x6f\x6f\x64\xce\x20\x6c\xc5\x21\x5f\xe9\xe1\x6c\xc1\x10\x77\x5d\xb8\xfd\xd8\x5a\x9f\xc4\xba\x75\xbb\x34\x8e\xb4\x26\xb7\x13\xec\x0a\xc4\x26\x6b\xcb\x5d\xcb\xae\x2c\x84\xb6\x84\x5b\x82\x0b\x24\x68\x88\x69\x0e\x58\xd5\xbc\xec\xcc\x3c\xaa\xc2\x5e\x13\xf4\x2e\x7a\x87\xe4\x88\x2c\x8b\x75\x67\x56\xfd\xd6\x61\xf6\x52\x8f\x1d\x2e\xa8\x63\xfc\xe7\x05\x4f\xd1\x9d\x84\xa9\x4c\xd6\xa0\xd2\xdc\xa5\x25\x87\xab\x39\x53\xa0\xf7\x70\x7f\x1f\xb6\x77\x67\x5a\xd1\x37\xaf\xa4\x0d\x5e\x49\x1b\xfc\xe7\x90\x36\xf8\x07\x1e\x53\xab\xd1\xff\xbc\xb7\xd7\x45\xb2\x8c\x6f\x04\xef\xf4\xe8\xaf\x91\x02\x54\xc5\x8c\x5d\x92\x0c\xc5\xbd\xc4\xfa\x4c\xa5\xe1\x7d\x96\xc4\x93\xc8\xd1\xed\x97\x8b\xb2\x97\xa7\xe6\xfc\xf4\xa0\x97\xed\x9e\xa3\x78\xda\x7f\x7a\x63\xf7\x1c\x44\x6e\xa5\x31\x92\xe4\xab\xca\x66\x64\x3f\x58\x63\xc7\xf7\x34\x54\x4b\xb9\xb0\x78\x09\xbf\xe4\x05\xcf\x76\xae\x68\x67\xf7\x7a\x2f\x59\x8f\x13\x08\x39\x11\xeb\x72\x5a\x02\xd8\x09\xa1\xb3\xf3\x63\x38\x81\xeb\x3c\x12\x89\x90\xff\x8a\xb2\xd5\x9c\x04\xfb\x42\x98\xe7\xb1\xd4\x9b\x7a\x03\xe1\xa7\x3d\xd6\x60\x63\xbd\x38\xf2\xff\x55\xf0\x9d\x6e\xc2\x13\x65\xbf\x9c\x5b\x9c\x77\xb6\xe3\x79\xf6\x48\xb5\x34\x95\x5c\x9c\x09\x1e\x5f\xf9\xea\xb2\xfb\x9c\x5d\xca\x1f\x3e\x72\x27\x1a\x13\xcc\x2e\xf1\x3f\xfa\xc8\xe0\x46\x93\x6b\x82\xb2\xdf\xd5\x1e\xc0\xd8\xb2\x0e\xb1\xc9\x51\x41\xc1\xe9\x85\x4e\xe1\x50\xed\xbb\xff\x11\xec\xb5\x63\x8c\xad\xc5\x69\x98\xf7\xe7\xe5\x5a\x7a\xe9\x58\xf0\x07\xb5\xdb\xf4\x6f\x2b\xe0\x74\x43\x70\x7c\x8e\x23\xe0\xc1\x02\xb1\x0a\x61\xef\x03\x4a\x89\x62\x33\xed\x6e\x84\x69\xaf\x23\xf2\xb8\xc5\x5b\x1b\x61\x1e\xb6\x4a\x08\x37\x98\x68\x4c\xd4\xf9\xc4\x73\x26\xe4\xe4\x9e\x68\x4e\x34\xb9\xfd\x9d\x50\x9b\xa1\xe0\xd4\xc2\x31\x31\xb2\xa5\x99\x78\x49\x7b\xa7\x65\x70\x6e\xf5\x54\xe3\x26\xa4\xb6\xb6\x62\x79\x8a\x32\x23\x6f\x82\x55\xb2\x26\xa9\x97\x3a\x69\x02\x64\x46\x14\x37\x93\xa5\xa2\x82\xf2\xab\xae\xad\x8f\x22\x05\xf6\xbb\x48\xa1\xfe\x43\xd0\x0f\x76\x2f\x99\x8c\x9a\xfc\x1c\x39\xc6\x74\xfc\x2c\x59\xeb\x40\x55\x83\x58\xfd\x27\x72\x1d\x96\x0a\x3b\xd1\x26\x52\xb5\x37\xef\xf7\x1e\xcd\x1e\xe5\x8f\xcb\xc6\x5a\x63\x6f\x0d\x0f\xfb\x54\x8d\x8d\x83\x80\xfb\x68\x2d\xf8\x91\xda\xf0\x70\x0c\x8f\xf8\x43\x32\x2a\x14\x2c\x04\xdd\x94\x66\x69\x03\xfb\x7a\x60\x50\xa0\x78\x65\xee\xb1\x7a\x1b\x3a\xa1\x72\x48\x76\x19\x0c\x9b\x7f\x6d\xb0\xbc\x7d\x0d\xc9\xfd\x03\x9e\x2e\xbb\x47\xff\xc8\x63\x47\xe2\x4e\xa7\x57\x86\x6b\x89\xf0\xbf\xe0\x05\xbf\xe2\x2d\xaa\x9f\x75\x79\x84\x76\x2c\xa5\x22\x2d\x7a\xb9\x9a\x80\xb0\xa0\x4c\x6b\xdc\x6c\xaf\x21\xca\x07\x7e\x0c\xf4\x4a\xda\x98\xd5\x66\xa2\xbc\x96\x9d\x2c\x52\xe9\x4e\x76\x00\x88\xfa\x2e\x9a\x2d\xe4\x64\x1a\x78\x9e\x13\x25\x35\xda\xc9\xe9\x34\x8e\x07\xf4\x34\x4e\x5c\x7b\xd0\x15\xe5\xe2\x0a\x70\x8c\x03\x1c\x73\x45\x5d\xbf\x3c\x75\xfd\x41\xef\x19\xbb\x2b\x48\x4d\xbf\xae\x15\xa4\x20\xd0\x9a\x90\x96\x14\xae\x1e\xc4\xd8\x67\xc6\x9d\x24\x20\xed\x1a\x2d\xba\x1b\x22\x17\x77\xc5\x79\xd9\x0b\x93\xf9\xb8\xd8\x74\x68\x33\xdf\x30\x1e\x3c\xc1\xa1\x0e\xde\x5a\x81\xe7\x55\xda\x84\xaa\x7e\xf3\xa2\xc7\xf0\xd2\x50\xf2\xe7\x17\xc6\xd8\x47\x3c\x76\x70\xbd\x58\xed\x77\x85\xff\x53\x5e\xf0\x4e\xcf\xa2\x1e\x86\xf8\x79\xe5\x0d\xb6\x78\x1e\x2d\x5b\x27\x3e\x43\xc1\x63\xc6\x16\x09\xb9\x70\xa4\x73\xa5\x6d\xae\xec\xa2\x0b\x17\x9a\x3c\x10\x17\xca\xeb\x82\x3a\x0f\x2e\xac\x17\xf2\x9f\xb4\x5c\x2f\x82\x26\x5f\xec\x68\xca\x7e\x90\x25\x86\x68\x1b\x5f\x90\x62\xd9\x4a\x11\x75\xd4\xad\x0b\xec\x91\x94\x37\x85\x5e\x95\xc5\x79\x5f\x04\xcf\x5c\xc1\x4b\x04\xe8\xc1\x6f\x0b\x0b\x11\xf1\x33\x06\x40\xfd\xd8\xca\xd2\x6d\x67\x26\xe5\x86\x01\xc6\xe1\xc5\xf9\xca\xa8\xda\x15\xbb\xe0\xb3\xe1\x40\xf6\xeb\x5d\xec\x51\xc5\xe0\x03\xfe\x6c\x70\xdd\x3e\xbf\x9d\x0e\x96\x3b\xc7\xac\x11\xf3\xaf\x0f\x8e\xa1\xe3\x46\xee\x40\x71\x24\x67\x28\xa8\x91\x03\xe3\xbd\xd5\x89\x36\x9d\x8c\xc0\x03\xec\xba\x3d\xe4\x43\xcd\x25\x61\xdc\x71\x26\xd6\xd7\xc6\x83\x37\xd6\x76\x7d\xcc\x31\x33\x20\x9f\x7b\x3e\x51\xf0\xa5\xbb\xe6\xaa\x0d\x42\x14\x97\xaa\xd2\x60\xa5\xb4\x45\x75\x32\xeb\xa5\x11\x5f\xba\x0b\x57\x3c\xe6\x58\x42\x4b\xd5\x93\x76\x2c\xe3\xec\x50\xea\xd2\x70\xbd\xe2\xa2\xce\x45\x01\xfb\x59\x98\x24\xfd\x3a\x0f\xf9\x76\x1e\x76\xbb\x52\xf3\x82\xfc\x4b\x95\x1d\xa1\x13\x44\xec\x2c\x39\xb9\xd7\x6d\x93\xa3\xb6\xc8\x3a\x22\x4b\x05\x17\x40\x92\x5c\x6a\xa8\xea\xc9\xe6\x45\xef\x48\x4b\x7e\xf8\xec\xa0\xcd\xef\x17\x6a\xec\xf7\x3c\x66\x6e\xfa\x9f\xf1\x82\x07\xbc\x39\xf5\x73\xd0\xfe\x37\x9c\x8a\x05\x8f\x8e\x4e\x7d\xec\x66\x26\x14\x4b\xf7\xe8\xbe\x8d\xb3\x34\x71\xa7\x4c\xbe\x55\x83\x22\x40\xae\x31\x97\xf0\x0a\xb4\xc6\xd9\x1b\x9f\x65\xa5\x7d\x9f\x09\x9e\x7a\xf7\x7e\x49\xa2\x95\x17\xab\xc2\x85\xf5\xde\x83\x6c\x72\xcf\x18\x66\xfe\x0b\x0f\x06\xf3\x83\x17\x55\x78\x5b\xb1\x03\x8e\xb8\x46\x7d\x34\x70\x8b\xee\x81\xe8\xdd\x07\xd8\x3b\xc6\x80\x05\x9f\xe0\x5a\xfc\x1f\x1a\x0b\x5e\x3a\x36\x67\xe0\x5b\x60\xee\xeb\x2d\x6c\x30\xc4\x58\x61\xbc\x58\x59\x97\x1b\x61\x1a\x25\xa4\x4b\x21\x48\x22\x2e\x07\xc2\x46\x91\x93\xdc\x30\x9b\x05\xeb\x49\xb8\x95\xe5\x45\x60\x4e\x3d\xba\x58\x2d\x63\x61\x6e\x98\xaf\x35\xf9\xa9\x2c\xe7\x44\xd7\x5c\x07\xb7\x80\xdc\x3e\xc1\xa6\x69\x4a\x5e\x32\x6c\x69\x6a\x5d\x41\x39\xb1\x7c\xab\x43\x2a\xa0\x5d\x28\x54\xd2\xf8\x9e\x07\x82\xce\xa3\xac\x13\xc6\x69\xa3\x9b\x8b\xf5\xf8\x82\xca\x79\x4f\xe5\x8e\x91\x0b\x74\x40\x1d\xbf\x7e\xda\x3a\x67\xc8\x89\x80\x4e\xa7\x3a\x17\xcd\x76\x93\x07\x61\xab\x23\x00\x33\x13\xc7\xa1\x61\xbe\x1d\x0c\x26\x24\x6a\x95\xdd\xf5\xba\xd6\x18\x33\x1c\x70\xfe\x5f\x7a\xec\xd4\x25\xe0\xe1\x99\x7e\x31\x4c\xdb\xef\xf4\xac\xde\x02\xad\x39\x89\xd3\x4d\x4c\xa0\x6c\x41\x66\xa0\xd1\x91\xe9\x44\x06\xe0\x26\x06\xc6\xde\x3d\x9a\x59\x19\x73\x6e\xf7\xda\x44\x2d\xf1\xd0\x2c\xd2\xb6\x78\x75\x9c\x14\x17\xca\x3c\xb4\x78\xef\x9a\xec\xc7\x1e\xc1\x9e\x6c\x35\x33\x8c\x88\xb8\x39\x17\xed\x18\x62\x85\xe2\x2c\x35\x36\xa9\x5e\x22\xee\x8e\xcb\x8d\x3b\x95\x49\xa4\xf0\xff\xf4\xea\xe0\x85\xde\xf0\x75\x6c\x74\xd9\xeb\x26\x30\xbb\xad\x1b\x52\x54\xeb\x70\x39\x30\xe0\x83\x5a\x28\x35\x2e\xed\xe5\xec\x84\x9b\x52\x33\xc8\x15\xb4\x29\x65\xd5\x62\x71\x10\x64\x89\xdc\xd2\x72\x76\xc3\x01\xce\x5d\x83\xff\xfd\x2a\xf6\x7e\x8f\x1d\x09\xbb\x31\xb0\x22\x17\xfe\x3b\xbc\xe0\xa5\xde\xec\xd2\x22\xfe\x54\x82\x74\x76\x69\x11\x35\x2d\x95\x5d\xae\x02\xee\xd6\x04\x52\xfa\x65\x4d\x3e\x71\xed\x04\xc7\xa5\x46\x8f\xc2\x81\x8b\xae\x92\xfe\x44\x9c\xc3\xe8\x10\xa5\xa5\x5c\x24\xb1\x95\x02\x94\xa5\xa2\x69\x7b\x5f\x76\x8c\xa9\xfc\xb0\xc7\x8e\x1a\x15\xbb\xf0\x7f\xcc\x0b\x5e\xe9\x19\x1d\xdb\xa9\xfa\x96\xba\xb6\x97\xca\xab\x87\x1f\xde\xea\xbf\xb9\xc6\x58\x66\xe6\xc6\xab\x6a\xc1\x5f\x7b\xee\x9c\x00\xab\x89\xb9\x22\x7f\xea\x29\xc7\x37\xb2\x6c\x93\xb7\x42\x79\x62\x46\x89\xdb\xe0\x73\xcb\x0b\xb3\xab\x0b\x75\x7e\x6e\x69\x1e\xfe\x9d\x5f\x38\xbd\x20\xff\x9d\xbb\xf3\xec\xd9\x85\xb9\x55\x9e\xe5\xfc\x5a\xcc\x92\x4f\x12\xac\x7c\x56\x38\x5f\x80\xf8\xa1\xb4\xaf\x72\xcc\xcd\xc7\x9c\x5a\x90\xa4\xa4\x7c\xb4\x87\xb3\x8b\x7e\x70\xdc\x0e\x39\xfd\xbe\xf1\xe0\x4f\xc6\x4c\xf0\x28\x49\x0a\xb4\xb7\x98\x21\xc5\x93\x53\xcf\xf5\xbd\x30\x66\x09\xed\x93\x7c\xa2\x9b\x45\xc5\x04\xef\x88\x30\x2d\x28\x4b\x1e\x2e\x4d\x25\x59\x5b\x5d\x2e\x29\xc0\xc5\xca\xd6\x43\x1a\x0e\x78\xfa\x5a\xf5\x58\x08\xf6\x27\x9d\x3a\xb6\xd6\x43\x83\x8b\xf5\x96\x2e\xdc\x79\xc7\x7e\xc0\x2e\x77\xaa\x68\x85\x89\x70\x9e\x94\x17\x06\x0b\xbc\x76\xaa\xba\x06\x2a\x7e\x27\xce\xdd\x37\x18\x5b\x5c\xe7\xdb\x71\x12\xb5\xe4\xb9\x78\x70\xb0\x2c\xbb\x0e\xf4\x1c\xb2\x6c\x83\x3d\xc6\x2a\x3a\xca\x86\x6d\x49\x40\x76\x4e\x29\xb0\x6c\x5e\x74\x05\xba\x3b\x89\x95\x43\xa4\xad\x04\x09\x49\x50\xda\xd4\xdd\x66\x77\x08\x14\x01\x4f\x3b\x18\x28\xb0\xb7\x89\xf1\xd6\x31\x76\xa0\x68\x65\x5d\xe1\xbf\x6e\x2c\xf8\x8f\x63\xf0\xa7\xde\x33\x29\xd9\x19\xae\xe9\xa3\x74\x2f\x11\xc3\x38\x6a\x3c\x20\x9b\xbf\x3c\x20\x69\x98\xef\x28\xc0\x53\x71\x70\x6d\x60\x1e\xd0\xb3\x22\x2c\xd1\x89\x49\x58\xda\x0d\xf8\x4e\xe4\x40\x3a\x27\x89\x46\xf5\xd1\x9f\xd6\xa5\x83\x38\x52\x7e\x42\xd0\x38\x9c\x82\x9a\x4e\x45\x86\xbe\x6a\x40\x51\x77\xfd\xa2\xac\xbe\xf5\x7a\x09\x47\x18\x34\xec\x52\xe7\xe4\x42\x76\x67\x8b\x60\xed\x56\x9c\xa1\xd1\xa8\x44\x56\x3f\xca\x59\xd5\x0d\x11\x26\x4e\x9d\x79\xed\x38\xa9\xe0\xda\xc0\x51\x19\x7e\xf2\x40\x35\x1a\x7b\x16\x09\x93\xff\xff\x8a\x03\xc1\x4d\xce\x15\x63\x75\x35\x69\xd8\xb6\x7e\x89\x30\x1f\x69\x16\x89\xd1\xe9\xfd\xef\x1f\x67\x75\xca\x57\x7f\x7c\xf0\xd8\x55\x3a\x82\x40\xf4\x8e\x49\x52\xb7\xab\xfb\x7c\x8f\x3d\x2a\x09\x8b\xf2\x76\x11\xe6\xe5\x9a\x08\x4b\xc8\x34\xdf\xbc\xf4\x44\xf3\xe9\xd3\x3a\xab\x7c\x5b\xf0\x76\x06\xb8\xe3\x68\x7a\x43\x64\x79\xf4\x8e\x9b\xda\xb0\x97\x57\x67\xbb\x6f\x5d\x7a\x1d\x9e\x7c\x7a\x74\x66\xfb\xc8\xa4\xf6\x67\x1a\x78\x84\x33\xc1\xad\xb7\xf7\x3a\xe0\x54\x7b\x28\x10\x11\x9e\xae\x11\x11\x6e\x0d\x4e\x1c\x83\x28\xad\xc9\x4b\x45\x3c\x38\xad\x11\x0f\x6e\x0b\xae\x5f\xa9\xc6\x38\x00\x88\x05\x79\x75\x57\x8c\x83\x2f\x1c\x66\x37\xd9\x3a\x9e\xe3\x72\x1b\x70\xca\xcf\x42\xbc\xe6\xb2\xd8\x8a\xc5\x36\x9c\x92\xde\x70\x38\xf8\x61\x6f\x87\x9b\xb8\x61\x21\xb4\x58\xd7\x20\x55\x28\x1a\x22\x65\xaa\x6d\x72\x07\xb1\x25\x5b\xd7\x0a\xe0\xac\x5d\x95\x59\x43\x52\x20\x65\xd5\xd9\x2c\xdd\xed\x31\xb5\xfb\x16\xa2\x74\xd6\xc9\x57\x0f\xb2\x8f\x7a\xec\x00\x68\xbb\xfe\x87\xa5\x0e\xb5\x00\x8a\x6f\x2b\xcb\x91\xe5\x2e\xd2\xe7\xaf\x5e\x21\xf2\xe6\x62\xba\x9e\x35\x9f\x26\x4a\x78\xea\xd8\x24\xef\x88\x72\x23\xb3\xf0\x99\x64\x8f\xc9\x03\x4e\x2b\x2c\xb3\xbc\xc9\xf9\x4a\x9c\xb6\xcc\x99\x1f\x13\x90\xa8\xbc\xd0\x78\x49\xe3\x92\xa7\x42\x44\x10\x1e\x23\xd6\x13\xa4\x9d\x02\xb6\xa8\xe6\xfd\xde\x77\xb3\xef\xda\x79\x33\xb0\x3d\x0e\x67\xd8\x01\xd0\x3c\xfd\xf9\xe0\x98\xab\xbf\x92\xee\xda\xcf\x7a\x13\x52\x53\x16\x08\x9a\xb0\x9e\xe5\xa3\xb6\x99\xf7\x78\xec\xdb\x53\xab\x67\x75\x67\xfa\xaf\xf1\xd8\xfc\x8e\xc7\x9f\xea\x39\x73\xb6\xaa\xa0\xe0\x4c\xe5\x65\x0b\x81\xae\x4a\xf4\xa5\x0d\x03\x77\xe0\x4c\x1e\x59\x63\x3f\x1f\xae\xee\x6b\x3d\x36\xbb\xcf\xea\x56\xd4\x75\x65\xb7\x29\x36\xaa\xd6\x3b\xd5\xf8\x16\x74\xf9\xde\x18\x5c\x7b\x6e\x71\x7e\x07\x43\x02\x3d\x4b\x41\x60\xb9\xb3\x5e\xef\xf7\xd8\xb8\xbc\xe8\xbf\xc5\x0b\x7e\xc0\x3b\x57\x60\x70\xb1\x9a\xad\x55\x03\x2e\x55\x56\x79\x6c\x27\x72\x32\x1e\xc8\x97\x02\xad\xba\x05\x30\x71\x82\x3a\xc6\xd7\xc7\x80\x4e\x0a\x46\xf3\x6e\x2e\x08\x70\x20\xb8\x1b\x66\xf3\x3a\x87\xcf\x6d\x0b\x15\xeb\xa8\xf0\x95\xc0\xe4\xd1\xa7\x39\x67\x57\xf6\xcb\x35\xf6\x5d\xc3\x31\x0c\x2a\x7c\xc1\xff\xe5\x5a\xf0\x54\x1d\x59\xb0\xc7\x70\x39\x08\x33\x32\x01\x72\x17\xbd\xc3\xea\x28\x77\xd1\x03\x97\x54\x55\xc4\xdc\x17\x3c\xb6\xc4\xf4\x83\xfe\x7c\x70\xa3\x3a\xf0\x39\xeb\x45\x8b\x62\x3d\x78\x83\x61\x72\x76\xe3\x6e\x23\x17\xd8\xc9\xa0\xa1\x1c\x60\xa5\x85\x0e\xb3\xd7\x32\x20\x90\xef\x64\xd0\xa8\x32\xe3\xed\xa9\x8c\xff\x52\x77\x82\xf4\x0c\xd4\x57\x73\x6e\x65\x71\x3e\x8f\xb7\x44\x0e\xc2\xfa\xaf\x9e\x18\x1c\x77\xae\x68\x9c\x1c\x54\x24\x5b\xc6\xed\xc2\xf5\x73\xee\xe1\xf9\xbd\x4f\x64\xcf\x3f\xa8\xad\xe2\x73\x61\x37\x6c\xc5\x65\xdf\xff\xd3\x03\xc1\xef\x1c\x58\x5c\x1f\xcc\x04\x71\x1e\xd2\x8c\x24\x16\xed\xe8\xdc\xca\xa2\x06\xb8\x82\xaf\xf1\xed\x50\x0e\x35\x00\x81\x18\x04\x16\x8a\x2f\x88\x23\x4a\x9a\xa1\x92\x79\x4b\x15\xad\x0b\xa4\x52\x22\x4d\x14\xab\x91\x42\xb3\x1c\x40\xf1\x01\x38\x56\x96\x39\xb7\xb2\xb8\x32\x50\x41\xa5\xa4\x82\xa2\xdf\x32\xd5\xd6\xd3\x51\x41\x95\x6e\x88\xd6\xa6\x4e\x11\x25\x14\x92\xb8\xd3\x11\x51\x1c\x96\x22\xe9\x23\x2c\x07\xd6\x01\x51\x69\xb1\x5a\xe0\x7d\x24\xe4\x7e\xb9\x1b\x83\x35\x51\x1e\x37\x11\x78\x78\x5b\x27\xca\x41\x05\x20\x8d\x62\x8d\xc2\x29\xa1\x15\xdd\xb0\x57\x08\x2b\x27\x65\xb8\xb1\x1b\x61\xc1\xbb\x3d\x42\x1d\x02\x2b\x33\x2f\x7a\x31\xd8\xb6\x76\x6e\x70\x93\xb1\xd9\x04\x7c\x64\x65\xbc\x25\x92\x7e\xdd\x2e\x9c\x5a\x89\xdf\xb0\xfd\x17\x68\x3d\xeb\xa5\x72\xc8\xb3\x1c\xed\xad\x88\xe7\xa5\x89\x09\xd6\x93\xb8\x2b\x8f\x0a\x09\x84\x8d\x6f\x63\x2e\xd2\xc0\xc8\xd9\x8b\x5d\x67\x34\xe9\x26\x40\x87\x57\x9b\xea\xe8\x0e\xe8\x18\x80\x5d\x88\xcf\xc8\x1a\xc0\xc1\x21\xdc\x0a\xe3\x04\x1a\xae\x41\x52\x2a\x7a\x40\x01\xc4\x80\xef\x1f\x06\x92\x12\x9f\x47\x26\x43\xfc\xc1\x41\x76\x75\x99\x6d\x8a\x74\x99\xbc\xcd\xfe\x67\x0e\x06\x5f\x3d\xb0\x6a\x5f\x72\xa6\x3b\xce\x74\xea\x52\xdc\xf6\xf1\x44\xae\xc0\x09\xc3\x16\x40\xf5\x72\x28\x15\x25\x70\x61\x90\x58\x6d\x87\x45\x06\xc7\x52\x8d\x1a\x67\x29\x1f\x80\x41\x75\x07\x86\x7f\xa8\x09\x53\x90\x48\xa2\x62\x95\xb5\x5c\x83\x62\xe8\x8e\xe1\xf2\x48\xb2\x84\xfd\x4e\x98\xaf\xad\x30\x49\x28\xba\xdf\xaa\x3d\x99\x6c\xbb\x61\x4e\xe3\x4d\x67\x69\x54\xb7\xd7\x33\x79\xaa\x95\x75\x76\x3e\x74\x92\x07\xad\xc2\x48\x26\xf2\xa3\x52\xe3\x67\xb1\xed\x4d\xac\x64\x70\x92\xff\x5b\xc6\x79\x70\x73\xd8\x8b\x62\x29\xea\x6e\xa1\x2b\x9c\x07\xf0\x44\x70\x92\xdf\x0c\x7f\xdc\x52\xc7\xab\xe2\x42\x37\x46\x63\x8d\x3c\x00\x14\x65\xd8\xe9\xca\x67\xcc\x65\x38\x0d\xc0\x75\xd9\xe0\xe5\x53\x73\x27\x4e\x9c\x78\x12\xbc\xfd\x3c\xf9\x9f\x66\xb3\xc9\x9e\xc7\xd8\xd9\xac\x14\x27\xf9\x2c\x7d\x55\x3e\x09\x67\x7d\x7b\x50\x2d\x7b\xb5\xb1\x7c\x83\x0d\xa9\xe4\x1d\xf0\x4c\xa6\xd4\xd7\x26\xbf\x08\x65\x74\x93\xaf\x66\x26\xbb\x0b\x16\x3b\x3e\x87\xe9\x7c\x50\xd7\x7e\x5d\x99\x02\x8a\x65\x41\x4b\x60\x90\xd5\xa9\xcc\xe3\x76\x5b\xe4\x15\xa3\xd5\x15\x79\x9c\xc9\x19\x97\x24\xfd\x8a\xc5\x41\xf3\x7c\xb7\xe5\xe1\x8c\x08\x34\xbd\x6a\x89\xec\x9d\xb1\xc0\xda\x8b\xec\x8e\x7c\xd0\xbb\x66\x47\x72\xcf\x23\xfe\xa1\xb0\xcc\x3a\x71\x8b\xb1\x3f\x3e\xc8\x1e\x83\x73\x5f\xa7\x10\x9d\xc9\x22\x51\xf8\xbf\x7e\x30\x78\xd5\xc1\xaa\x3b\x3a\xce\x60\x5b\x8a\x59\xb9\x3b\x1b\x37\x1c\x99\xca\x86\xf7\x1c\xf2\x32\x17\x03\x4b\x1f\x0f\x2b\x60\x70\xd3\xa3\x29\x0f\xfd\xc6\xb1\x16\xd4\x0d\x43\x2b\x2a\x60\x52\xb6\x59\x30\x48\x6a\x71\xb9\x1b\x2c\x48\x49\xe5\x17\xc1\x78\x1f\x0b\x0a\x55\xe1\x69\xf5\x8a\x5e\x98\xf0\xa5\xbb\xa6\x96\xee\x9a\xe3\x1d\xd1\xda\x08\xd3\xb8\xe8\x60\x1d\xd1\xcb\xd8\x81\xc4\x9c\x82\x07\x3a\x59\x3c\xa0\x2d\x06\x84\x47\x24\xea\xba\xe5\x61\x6e\xea\x45\xe0\x8d\x56\xfa\x86\xc6\xdd\x02\xe9\x3e\xb7\xb2\xe8\xb8\x3d\x8d\x85\x2d\xb1\x13\xb9\xca\xd8\xe4\x9a\x9b\x1b\x70\xc4\x03\x9d\x0d\x9c\xaa\xd4\xc3\x1b\xa1\x82\x69\x09\xb7\x65\x55\x94\x95\x6a\x4d\x00\xc2\x19\xc9\x3b\x98\x98\xed\x8c\x76\xfc\xb6\x90\x0a\x66\xb5\x58\xc2\x44\x5f\x48\x6b\xd2\x5e\xca\x53\x59\x8e\xee\xa1\x61\x95\xda\x71\x42\x59\xbd\x63\xe3\xbe\x5b\x73\x51\x8a\xaa\x76\x5c\x6e\xf4\xd6\xb4\x73\x53\x67\xf2\x34\x92\xac\x15\x26\xca\xa1\xd9\xdc\x28\x3b\x89\x69\xa6\x5c\xac\x0a\xef\x06\xce\xb2\x54\x23\x3c\xf7\x16\x10\x69\x45\xe7\x57\xb8\x8e\x3f\x1d\xc0\x3b\x92\xc8\x68\x90\xae\x42\xce\x1c\xb1\x25\xee\x7c\xb0\xdb\x85\x4c\xb7\x10\x25\x63\x1f\x3f\xc0\x1e\x81\x89\xb7\xca\x20\xe9\xff\xf4\x81\xe0\x9d\x07\xdc\x6b\xce\xb6\x56\xb9\x9a\x74\x92\x61\x98\xaa\xd4\x61\x2b\x48\xd6\x1e\x71\x35\x2a\x66\x87\x34\x8e\x50\x67\xcc\xf5\xa1\x7b\x52\x25\x02\x93\xba\x67\x2d\x1b\xfa\x54\x24\x4a\xc5\x18\x4f\x6e\x2e\x15\x2f\xa4\xfc\x44\xf4\x20\x55\x1a\x0e\x3a\xeb\x61\x4b\xd0\x4a\x06\xdd\x8e\xc2\x94\xe0\x89\x50\xc3\xe0\x2a\x83\x11\x24\x59\x84\x71\x59\x58\xaa\x98\x2a\xad\x30\x88\xb6\x14\x23\x0c\x71\x83\x22\xa2\x49\xad\xb6\x74\xb3\xad\x2a\xd0\xdb\x86\x02\xbd\xe5\xad\x2c\xcb\xa3\x38\x85\x3e\x56\x0b\x72\xa0\x8f\x65\x15\xd0\xae\x36\xba\xaa\x5a\xb6\x0f\x0d\x04\xa4\x8f\xca\x01\x28\x4d\x8c\xb7\xd6\xf9\x97\xd1\xbd\x67\xd4\xa3\xb6\xdc\xdf\xcd\x06\xa0\x93\x66\x31\xcc\xcf\x86\x3d\xd3\xb8\xea\xf5\xea\xef\xaa\xe4\x3f\x20\xdc\x90\xda\xd6\x9d\x1a\xb2\x7d\xe4\xf3\x72\xf8\x46\xea\x83\x8e\x82\xf6\x5b\x35\x76\xf5\x7a\x01\xe7\x3b\x95\x0f\x5d\x0b\x3e\x54\x9b\xa7\xcd\x81\x44\x7b\x2f\x8d\x44\x9e\xf4\x2d\x0d\x4b\xed\x04\x90\x6d\xdf\x06\x3b\xfe\x76\x2a\xf2\x62\x23\xee\x42\x9b\xbb\x22\xd7\x1e\xa2\x75\x7b\xe0\x69\xb0\xf1\x94\xa6\x41\xc3\xc1\xe5\xab\x64\xa4\xda\x03\xf8\xa9\x15\xab\x62\xca\x38\x0f\x36\x03\xe3\xe0\x25\xc3\xe2\xa0\x00\x80\x28\x5b\xc4\xce\xad\xef\x03\x3c\x57\x8d\x2e\xae\x26\xf7\xfb\xf6\x10\x8f\xec\x5e\x0b\x4e\xee\x28\x7b\x44\x37\x8b\x16\xd3\xf5\xec\xce\x14\x09\x05\x7e\xf0\x68\xf0\x92\xa3\x83\x07\x40\xf7\x99\xfd\x48\x0e\xd3\x11\x00\x9c\x69\x09\xf4\x63\xc0\x0e\xd4\xcd\x22\x79\x5a\x86\x4f\x9c\x23\x00\xb4\xe6\xa4\x8a\xda\x45\x90\x11\xe3\xc2\x43\xc4\x02\xac\x19\xcd\xcd\xc1\x62\x6d\x38\x4f\xa9\x35\x23\x70\x01\xc5\xa7\x0d\x65\x46\x0f\xe9\xc4\xda\x11\x33\xd0\x64\x79\x1c\x0b\x11\xeb\x7b\xe8\xb0\x86\xcb\x0e\x3a\x6a\x58\x69\x1f\xac\x5f\x58\xec\x43\x73\x3f\x36\xb9\x83\xee\x8e\xd0\x05\x5d\x79\x94\x06\x0e\xf8\x0c\xdc\x1b\x48\xa0\x6f\x34\x79\x15\xac\x6b\x7f\x9f\xfa\x24\x1e\xae\x09\x7e\xa4\x42\xef\x97\xb5\x54\xab\x57\xbd\xbe\x3e\x34\x27\x1c\xf4\x08\x9a\xee\xa0\x72\xa1\xaf\xac\x9d\x67\xdb\xe8\x64\xc4\x84\x46\xb1\x1e\x5f\x70\x60\x7f\x9a\x95\x27\x0b\xa9\x7d\xa4\x61\x47\x04\x27\x41\x11\x01\xcb\xca\xa8\xe7\xc0\xc3\x64\x3d\x8c\x8e\xab\x9d\xde\xe8\x01\x97\x10\x2e\x86\x63\xf2\xc2\xb9\xc5\xf9\xc9\xca\xa7\xb5\xda\x10\x9c\xe4\x81\x6c\x61\xa0\x64\x8f\xb5\x61\xd8\xd0\xaf\x0e\xa6\x39\x1c\x6f\x46\xfd\x9f\x03\x0a\x3e\xa0\xb6\xd5\x2d\x32\x8c\x00\xa6\x6d\xc0\xd8\xe8\x3a\x12\x0d\xa1\xd8\x36\x3a\xbf\xa3\x99\xce\x34\x67\x6e\x50\x31\x19\x20\x75\x1c\x24\x7a\x9c\x63\x05\xed\xa3\x4a\x0d\x02\x9c\x07\xc8\x72\xb5\xd4\x66\xf4\x36\x1a\xad\x95\x26\x8d\xa3\xca\xd3\xce\xa0\x8b\x95\xba\x55\x22\xc2\x2d\xa1\xd7\x06\x8f\xe2\x42\x6f\x47\x53\x59\xce\xe3\x76\x8a\xe1\x41\x4a\x84\x35\xf9\x6c\x31\xd0\x80\xeb\x21\xec\x25\x9d\x18\x04\x26\xc4\x3c\x00\xfb\x63\xd0\x42\x5b\x9b\x03\x75\xdb\x32\xed\xa0\x8c\x20\x2d\x94\x9c\x9a\x7a\x67\xb4\x8c\x32\x16\xdb\x03\x41\x54\x65\x91\xf6\x0f\xd4\x31\x51\x1c\x1d\xf5\xa0\xfb\x87\x9c\x80\xb6\x00\x44\xc2\x84\xe3\xa8\x1d\x87\x6c\x49\x7b\xdc\x09\xff\x71\x8c\x3d\x2a\x1f\x3c\x55\xfa\x5f\x1d\x0b\xbe\x30\x36\x7c\xd8\xdc\xd1\x64\x81\x56\xb9\xf3\x43\x92\xe6\x3c\xed\x78\xf6\xe1\x93\xb6\x6a\x24\x9f\x02\xc7\x06\xd8\x86\xbb\x59\x81\x52\x07\xa1\xd7\x94\x00\x53\xd0\x07\x4a\x8b\xb7\x1a\x15\x0d\x51\xb5\xe8\x43\x3a\x1c\x9a\x43\x9b\xa4\x0d\x01\xa0\x93\x1d\xce\x0b\x75\x9b\x0b\x0d\x64\xa3\x2c\x74\xf8\x59\xd2\x15\x61\xe8\xc9\x6f\x59\x56\x70\x13\xa9\xca\x9e\x15\x44\xde\xa1\x4c\xd4\xf6\x36\x52\x08\x91\xe2\xca\x54\x34\x60\x06\xf4\xe9\x61\x3f\x9f\x5b\x33\xe0\x4f\x3d\x76\xf6\x92\xe1\xec\x17\x48\x3b\x9d\xcf\x5a\x80\x0c\x87\xac\x26\xaf\xf3\x82\x67\x55\xde\x51\x51\x87\xca\x4e\x8d\x3b\x8b\x21\x76\xd0\xe6\x6c\x9c\xf4\x84\x5c\x11\xd9\x45\xb8\xf6\xe6\x69\xe6\xb3\xb1\x5e\x9e\xf8\x8e\x9b\xea\xbb\xd8\x51\xcb\xad\xe8\xde\x7b\xd1\x21\xf6\xf4\x4b\x6e\xee\xdd\x62\x6d\x23\xcb\x36\xe7\x20\xb7\x00\xf2\x18\xde\x7f\x30\xb8\x79\xe8\xea\x20\x99\x61\x86\xa7\x8b\x90\x92\x12\xe0\x91\x6d\x7c\xe9\xa2\xf7\x38\x73\x11\x7d\xa3\x2a\x5c\xcb\x69\xe8\x27\x0f\xb0\x07\x3c\x76\x15\x66\xb3\x60\x3c\xbf\xff\x7e\x8f\x3d\x7b\x27\xcb\xca\x25\x36\xcc\x2a\x3e\xb8\xcb\xfe\x98\x32\x61\xc4\x69\x51\xe6\x3d\x0c\x91\x80\x51\xb2\x1b\x28\x1f\xa0\x76\x41\x36\x13\xa1\x85\xc9\x77\xcf\xd3\x17\xce\x37\xd9\x0b\xc6\xd9\x8e\x6d\xf6\xbf\x32\x16\x7c\x6c\x6c\xa7\xbb\x8a\x40\x3e\x47\x3e\x72\x15\xeb\xd4\x85\xe9\x24\xaf\x9c\x9f\x1b\x78\xf3\xbc\x1b\xe8\x46\x95\xe0\xe2\x42\x57\xb4\x94\x41\x67\x76\x69\x91\x94\x62\x17\x45\x08\x21\xa7\xd4\x78\x91\x3c\x82\x6f\x92\x51\xa7\xb4\x2c\x43\x90\x48\x95\xea\x60\x5c\xfd\x55\x73\xf0\x89\xc9\xf0\x02\x25\x00\x64\xae\x9d\xbc\x60\x2a\x51\x77\x66\x09\xc4\x37\x87\x71\x62\xf1\x3b\x38\x01\xa0\x04\x7c\xa9\x02\xa7\x23\xdd\x44\x37\x04\xd4\x68\xa0\x0a\x7f\x44\xd7\x50\x8a\x14\x1d\xea\xa9\xc8\x09\xa4\x44\xd6\x4f\x40\x4c\x80\x3a\xa6\xc8\x8a\xae\xa8\x8a\x2a\x49\x69\x0f\xbc\xae\xf2\x28\x47\xf2\x6f\x1f\x65\x27\x46\x78\x5c\x9b\x2b\x22\x59\xaf\x08\x1b\xf0\xdf\x76\x34\xf8\x5b\x6f\x87\x9b\xea\x6c\xae\xf0\x32\x07\x08\x31\xc0\xfb\x29\x37\xee\xae\xc8\xa5\xe2\x0a\xf6\x87\x16\x5a\xc5\x01\xe9\x74\x3d\x4e\x12\x8a\x19\x0f\x11\xce\xde\x04\xc0\x63\xdc\x50\x10\x83\x04\xb3\xb0\x8f\x83\x26\xe7\xb2\x3a\x94\xdc\x26\x7b\x39\x4c\xc8\x7d\xa3\x4c\x19\xf2\xc3\x85\x81\x60\x02\x88\xb8\x35\xc1\xf1\xe0\x95\x91\xb7\xc8\x02\xf9\xec\x57\xd7\xf2\xa2\x07\xc4\xdb\x8e\x54\x78\xcb\x15\x8a\xfb\x2b\x30\x08\xdf\xc0\x4c\xc5\x3b\xac\x44\xc5\xa7\x5e\x66\x9e\x22\x04\x2e\x00\xb5\xfc\x5b\x3c\xb6\xb0\xe7\xe0\x8c\x9d\x44\x05\xb0\x2d\x3d\x13\xbc\xd8\x98\xa0\x3e\x32\x92\x82\xf4\x54\x21\x47\x1b\xbb\x17\xe5\x85\x9c\xb4\x14\x29\xa3\xc2\x85\xc0\xd0\xcf\xde\xe9\xe9\x20\xab\xd7\x7b\x6c\x6e\x1f\xd5\xad\xa8\x2a\x94\x13\x9c\x5b\xd1\xe4\x34\x04\x23\x00\xc9\xe8\x68\x1c\x32\x09\xdc\x46\x09\xb7\x81\x81\x55\x3b\x62\x23\xe1\x11\x1b\xf8\x41\xef\xb9\xbb\xe7\x0d\x9e\xf5\x4f\xeb\xbc\xc1\x91\x98\x0a\x3b\x74\xf6\x60\x5e\xe1\xef\x8c\xb3\x9b\x77\x8f\x19\xdb\x79\xe0\xfc\xd7\x8f\x07\xef\xd8\x49\xce\x7f\x33\xc7\x8e\x7d\xa5\x76\x25\x46\xea\xeb\x10\x23\xf5\x9e\x23\x0e\xcb\x38\x80\x78\x6e\x49\xf9\x02\x58\xb7\x28\x53\x97\xb2\xbc\xf4\x5f\x7c\x24\xb8\xd1\xbe\xe0\x92\xd4\xc1\x15\x45\x0c\x00\x94\x24\xf8\xe4\x4a\x12\xb7\xdc\xf8\xa0\x9f\x3f\xcc\x3e\x5f\x63\x47\xc3\x6e\x77\x29\xcf\xca\xac\x95\x25\x68\x31\x96\xfa\xa3\x05\x98\xcd\xbb\x74\xd7\x30\xb8\x4b\x15\xcf\x39\xb6\xa2\x29\x0c\x58\x58\x30\x29\xdb\x32\x40\x24\xe1\x9a\x48\x08\x63\xbc\xc9\xcf\x59\x09\x4e\xa0\x72\x70\x82\x76\x46\xbc\x26\xf9\x89\xc5\xd9\xb3\xb3\xa6\x24\x15\x2d\x80\x0f\x1f\x0b\x0b\xa9\x45\xf0\xe5\x53\x73\x8d\x1b\x4e\x9c\xb8\x1e\xe6\xb6\xdc\x1c\x4e\x4e\x4d\x6d\x6f\x6f\x37\xe3\x30\x45\x06\xe3\xb0\x28\xe2\x36\xe0\x11\x17\xca\xe7\xde\x80\x22\x26\x9b\x72\x2d\x34\x74\xf9\xaa\x75\x5a\x19\x90\xea\xcd\x40\x15\x15\x98\x60\xa7\xdf\xca\x3a\xdd\x30\xed\x37\x5b\x59\x67\xaa\xd3\x6f\xa0\xe2\xda\x50\x65\x38\x16\xe3\x07\xc6\x28\xcc\xe9\xc3\x63\xc1\x8f\x8f\xad\x3a\x99\x6d\xba\x0f\x67\x81\x8f\x25\x47\x92\x9a\xc1\xd1\xc2\x15\x09\x49\x67\x8a\x45\x8c\x60\xfd\xc8\x79\xe1\x3e\x1d\xcb\x79\x97\x6f\xc5\x8a\xc4\xca\x21\x9b\xa4\x3e\xa8\x2b\x14\xcd\xa1\xb0\x4f\x3a\x66\x37\xa1\x36\xdf\x73\x4f\x13\x3f\x74\x56\x13\x9f\x88\x18\xe4\xf2\x1a\x20\xc0\xd8\x6e\x7e\x60\x6b\x0c\x8b\xc2\x90\xa6\x58\xa9\x06\x27\xf9\xb5\x5a\xae\x38\xa9\x6c\x37\x9c\xb0\x33\xd9\x92\x2c\x6d\x37\xd5\xa3\x16\xc2\x86\x14\xfa\x39\xa8\x9e\x3b\x81\x6d\x00\xc4\x46\x63\x42\xbf\x0c\x20\xb5\xc8\xba\x92\x1a\x3c\xd3\xea\x97\x1d\x2b\xb7\x13\xb9\x60\x8f\xe3\xfb\x14\x01\xe6\xfd\x9a\x88\xfc\xd5\x40\x44\x6e\x53\x54\x2a\x6a\x19\x1a\x90\x61\xc4\x65\x03\xf0\xde\x75\xa0\x13\x55\x78\x3e\x39\x98\x54\x5f\xd9\xb1\x88\x16\x2e\xb3\xb8\xa0\x39\x34\xb5\x6b\x85\x50\x68\x72\x97\xe1\x7a\x8d\x1d\x56\xb3\xd2\xbf\x2b\x58\x94\xf5\x5d\x5c\xda\x71\x29\xab\x6c\xf4\x73\xf3\x4b\x75\xbe\x3a\xb7\x04\x44\x3e\x2b\x73\xab\x4b\x4e\x17\xad\xce\x2d\x39\x3d\xf3\x43\x8f\x76\x92\x4b\xc3\x6e\xb7\xa0\x40\x47\x79\xe6\x38\x07\x4a\xdd\x7c\x28\x3a\x59\xba\x22\x4a\xff\xab\x7e\x70\x1b\x12\xc4\x64\xca\x55\x49\x56\xc3\x02\xec\xa9\x6b\x62\x23\xdc\x8a\x11\xfd\x2d\x82\xb7\xc0\x4c\x9e\x63\x69\xa4\x23\xba\x96\x92\x1f\xf4\xd9\x6f\x32\x76\xb8\x13\x5e\x58\xe9\xe5\x6d\xe1\x7f\x82\xed\x55\x5f\xeb\x95\x71\xd2\x8c\xd3\xb2\x28\xf3\xe6\x62\x5a\xde\x99\xaf\x40\x93\x82\xef\x83\x60\xb7\x4e\x78\x21\xee\xf4\x3a\xd6\xe0\xa6\xe0\xb5\xd6\xf0\xb8\x8a\x8f\xcd\x58\xac\x74\x3b\x91\xb6\x0c\x03\xde\x52\x5a\xbc\xa9\xc6\x30\x71\x1f\x23\xdf\x0d\xfd\xa3\x1f\x23\xbc\x18\xcd\x17\x2a\x75\xbb\x22\x4b\x7a\xa5\x26\xbf\x3f\x26\x2e\x9c\xe4\xd7\x4f\x22\xa4\x55\x57\xe4\x2d\x79\xce\x69\x83\x70\x51\xdd\x09\x20\x45\xf0\xdc\xcc\xf4\x13\x26\x49\x5a\xcb\x12\x49\xe7\x9e\xe6\xf1\x3a\x3f\x13\x5e\x38\x97\x9a\x46\xc4\x05\x9f\x6e\xf2\xd9\x81\x8f\xc1\x7b\x49\x8b\x48\x35\x41\xb4\x58\x9f\x5c\xeb\x73\xc8\x03\xc7\x31\xc2\x84\xce\x4e\x9c\x42\xff\x65\xeb\x7c\xc6\xcc\x20\xed\x38\x9d\x06\xbe\x52\xcc\xd2\x22\x4b\x1f\xae\x14\x72\x8b\x9c\x98\x7e\x42\x5d\x87\x17\x9d\x98\x7e\x82\xa6\x47\x07\xbc\xd5\xc1\x41\x19\xa0\x63\x55\x86\x47\x98\x5a\x38\x8d\x64\x57\x1f\x8b\x9b\xa2\x49\x2e\xe2\x26\xf5\xd1\x59\x28\x69\x45\xd1\xcd\x4f\x9a\x11\xc3\xd0\x0f\xf4\x0b\xc8\xb7\x15\xf5\x3e\xb9\x3c\x21\x67\x2f\x89\x14\xc3\x5d\x27\xcc\x37\x31\x66\x18\x61\xb0\x28\x9e\x8e\x8c\xa9\x20\x91\x0a\xd9\x4f\x49\xd8\x4b\xe5\x24\x6c\xab\x72\x0b\x9e\xa5\xaa\x81\xd0\x98\x26\x07\x7c\x71\x6b\xc2\xd0\x27\xcc\x18\x1d\x5b\x06\xea\x03\xd0\x25\x4a\x9e\x88\x10\xfc\x46\x29\x5c\x25\x32\xfe\x49\x5d\x41\x77\xba\xa9\xd8\xe2\x94\x62\x68\xa8\xde\xba\xd2\xb4\xab\xa8\x96\xad\x89\x56\x26\x77\xbf\x9e\x35\x43\x5c\x32\x7e\x55\x19\x93\xb3\x51\x58\xfe\x46\x29\x54\x91\x8c\x0f\xc4\x89\xdc\x9e\xf2\x30\x4e\x65\x47\x0f\x37\x50\x87\x92\x46\x49\x5f\x77\xb7\x53\x61\xb9\xf8\xe4\x09\x47\x45\xc5\x02\x16\x86\x5c\xf6\x08\xaa\x5b\xc0\x66\x8a\xfe\x38\xbc\x1c\x77\x28\x35\x10\x64\x75\x51\xc4\x6b\x71\xe2\x04\xce\x9a\x4c\x28\x92\xa1\x3a\x7e\x09\x27\x0e\x84\x79\xa6\x18\xe5\x8d\x10\x97\x90\x57\x14\xa6\x8a\x14\x25\x56\x90\xae\xc4\x15\x40\x76\x8f\xf5\x30\x4e\x88\x37\xb1\xb0\x18\x16\x01\xb5\xb8\x88\xb7\xac\xe2\xb5\xd2\x01\xd4\x70\x00\x85\xac\xa3\x22\xa9\x96\x7d\x38\x68\xa3\xd5\x05\xba\x13\x7a\x59\x49\x8e\xb8\xc8\x7b\x5d\xb4\xf7\x0c\x73\x06\xea\xe0\x50\xed\x64\x06\x63\xb9\x7c\x51\x4f\x0c\x94\xd2\x20\x3e\x07\xdc\xe2\x1f\x3c\xc4\x1e\xd1\x71\xe4\x83\xff\x8e\x43\x97\x2b\x5f\xbf\x72\xb0\x5a\xbe\x3a\x13\xb5\x30\xf2\x13\x88\x6b\xcc\xf4\xa3\x66\x97\x7a\x75\x5d\x96\xa8\x1c\x94\x27\x03\x95\xa0\x59\x82\x1a\x05\x89\x20\x5a\xd3\x96\x5c\xbd\x74\x69\x19\x91\x05\xd2\x91\x97\x90\x36\xab\x64\xf5\x80\xa8\xc6\x51\x92\x02\x74\x58\xa6\xce\xfc\x13\x91\xa9\xd0\xb3\x45\x99\x41\x90\x34\x4a\x13\xd5\xa9\x84\xc4\x85\x4b\x0d\xf1\xb8\x2a\xc5\x28\xbc\x0d\x1b\xe6\x60\x73\xb2\x42\x0c\x0d\xa2\xe2\x50\x58\xcb\x01\xb0\xb6\xd7\x05\xe1\x3b\xf0\x14\xaa\x58\xb2\x7a\x09\x80\xab\xdc\x99\x12\xf8\x86\x16\xd4\x90\x0c\xad\xe6\x61\x9d\xc7\x44\x2e\x47\x91\x4e\x52\x90\x97\x19\x85\x28\xba\x65\x4b\x8d\xbb\x57\x60\xa2\x2d\xf6\xa1\x6c\xa7\x92\xdc\x37\x62\xd5\xb3\x3c\x6e\x03\x7c\xf9\xce\x93\xd1\xfe\x3e\x57\x10\x00\xb1\x94\xcf\xc3\x8b\x82\xfd\xea\x38\x1b\x38\xd8\x66\x45\x2b\x4c\x00\xab\xe1\xb8\x3c\xd6\x1e\x6f\xde\xbe\x34\xbb\x82\x97\x28\x5a\xe8\x75\xe3\xc1\xdd\x83\x17\xc9\x6a\x88\x04\x1b\xc8\x1b\xa9\xfc\xb9\x70\x34\x91\x5b\x05\x30\x6c\xe0\xd1\xd6\x38\x06\xba\xa1\xb2\x96\x6e\x85\x89\x49\xe1\x3c\x00\xf3\xf5\xa2\x77\x35\x3a\x4f\x69\xbf\x72\xe9\xc9\xc7\xd8\x27\x3c\xe6\x3e\xe0\x7f\x40\xab\xde\x3f\xec\x2d\xd9\x77\x06\xf2\x81\xb7\xe3\x34\xca\xb6\x61\x32\xc4\x14\x3c\x6e\x40\xea\xa9\xfe\x0a\x43\x44\xd5\xbd\xc9\xdd\x12\x95\x0a\xee\x40\xbf\xdf\x27\xf2\x0c\xe6\x12\x10\x58\xc1\xa5\x2c\xe7\xe2\xb9\xbd\x30\x01\x2c\xf7\x9b\xa6\xa7\xf9\xb1\x13\xd3\x72\x25\x4f\xba\x8a\xf8\xad\x94\x9e\x7a\x53\xf0\xc4\x55\xa2\x53\x56\x81\xcd\x2a\x37\x09\x33\x70\xa1\xdb\x15\x39\xe7\x40\xca\x2a\xf6\x9b\xbf\xad\x7a\x61\x8d\xa4\x9e\x0d\x5d\x18\x52\x08\xd0\xba\xf2\x36\xeb\x30\x5d\x88\xe0\x2a\x2d\x44\x29\xc5\x00\xba\x58\xee\xdc\x5a\xa7\x11\x6f\x1c\x77\x5c\x1b\xf4\xbe\x01\xc1\x48\x67\x31\xf0\x6c\x85\xbc\x63\xc8\x1e\x50\xf8\xff\x63\x2c\x38\xbf\xe3\x5d\xc7\x8e\xaf\xfd\x6a\x90\x49\xa4\x30\x0a\x32\x7a\x52\xf5\x18\x2a\x06\xce\x0b\x72\x72\xe5\xbd\xc4\x35\x6d\xfc\xcf\x1a\xfb\x07\x8f\x1d\x04\x30\xcb\xc2\xff\x4b\x2f\x78\x8f\x87\x7f\xc3\x3a\x82\xde\x22\x83\x22\x5d\xce\xd6\x79\x3b\x56\x1b\x0f\x05\xa7\x62\xa8\x0d\xe5\x91\x6d\xc3\xa4\x81\x40\x2c\xa9\xe1\x00\x3a\x8f\x5e\x19\xed\x98\x84\x4c\xd1\xeb\x76\x13\x8b\x93\x26\xc7\x81\x50\xf9\x23\x80\x0e\xe3\x9c\x50\x4d\x26\x3c\x4c\x56\x79\x0e\x83\xfe\x72\xfc\x4c\x27\xd8\x0c\x9b\xda\xd1\x6a\x35\x30\x18\x8b\xf3\xcb\xf2\xa3\x2c\x61\xd0\x2d\x7e\x14\xdc\x0d\xe9\xfe\xf1\x60\x3f\xcb\x96\x82\x5f\x2b\x8a\x5b\xa5\xea\x55\xe8\x16\x10\x31\x66\xd8\x54\xb8\x9e\xdd\x37\x85\x28\xdd\x04\xbd\xc3\x6c\x96\xea\xb4\xd9\x5b\x13\x8d\xb0\xdd\xce\x45\x1b\x92\x43\x6d\x07\xed\x00\x86\x4a\x73\x76\x49\xb9\xf7\x4f\xc7\x45\xe9\x7f\xe5\x50\x30\xe5\x5e\x72\x01\x20\xcc\x3d\x95\xb7\xd4\xbc\xe8\x1d\x88\x4b\xd1\x71\x65\xc8\x7b\x0e\x5e\x71\x21\x5d\xae\x0b\x49\x30\xec\x58\xff\x5f\xdb\x53\xf1\x4e\x76\x86\xdd\x51\x39\x15\x2f\x6d\xd8\xaf\x78\xaa\x2e\xc3\x53\xb5\x68\x79\xaa\x9e\xc2\x9e\x7c\x09\x9e\x2a\xb9\xc4\xce\x88\x32\x7c\xd0\xbb\x77\x77\x87\xca\xd3\xfc\x05\xe3\x50\x19\x18\xd4\x01\x97\x8a\xbb\x88\x07\x3d\x29\x9f\x3e\x34\xe8\x28\x1f\xd0\x4e\x4c\x0c\xce\x19\x51\xe6\x71\x8b\xa0\xf4\x2e\x1e\x0a\xfe\xb7\x57\x75\xc7\xf2\x1f\x51\xe8\x06\xe2\xa9\x00\xfe\x42\x07\x1e\xc4\xdc\xdd\x01\x4c\x42\xb9\xc5\x58\x36\x52\x9a\x42\xc7\xec\xe8\x34\x03\x71\xf3\xdc\x9e\xe8\x41\x08\x57\x2b\xc9\x7a\x11\x21\x23\xc0\x69\x53\x99\x56\xb3\x9c\x3f\x63\x69\x05\xe7\x57\x92\x85\xd1\x5a\x98\x84\x69\x0b\x69\xce\x40\x7f\xce\x7a\x25\xe4\x9f\xc8\x3d\x1a\x63\xe7\x26\x9b\x8e\x33\x27\x40\x20\xeb\x80\x90\x20\x0d\x52\x98\x28\x9b\x17\x3d\x86\x4d\x19\x82\xc9\x7b\xe1\x01\x76\x9a\x59\x37\xfd\x5b\x82\x19\xf3\xab\x8a\x25\x83\xfa\x24\x4e\x39\xe6\x5c\x0f\x80\x2d\xbc\xd3\x63\x8f\xc0\x47\x56\x44\x02\x54\x95\xfe\xab\x3d\x76\xeb\xa5\x4c\xb0\x70\x4d\x24\xaa\x90\x60\xc9\x2d\xd4\xd6\x85\x08\x89\xb1\x6f\xb4\xc8\x16\x31\x96\x89\x3c\x26\xd3\x9b\x45\x36\x81\x05\x35\xd9\xaf\x78\xcc\xc7\x3e\x9b\xdd\x12\x79\xd8\x16\xa0\x18\xf9\xef\xf7\xf6\xb1\x1c\x9a\x3a\xee\xe4\x19\xbd\x30\x2d\xe3\xb2\x1f\xf4\x86\xcb\xd4\x99\xce\x08\x35\xde\x15\x79\x43\x9e\x81\x50\x40\x49\xf5\x01\x51\xe4\xa9\x67\x8f\x01\xa2\xdb\x73\xa9\xbc\xc9\x26\x3f\xd3\x2b\x7b\x10\x29\x28\x2e\xc8\xa1\x8f\xb7\x48\x2d\x58\x85\xe2\xe0\x0b\x4d\xf6\x41\x8f\x1d\x2d\xcd\x05\xff\x47\x2f\xb3\x19\xf7\x5a\x85\x0d\xd4\x5f\xd7\xdb\x9a\x0e\xfb\xac\xb4\xdd\x3b\x4d\xf6\xa9\x43\xec\xda\x1d\xd1\xe1\xce\xe2\x2f\x3c\x54\x80\x13\xeb\xcd\x87\x82\x1b\x86\xae\x5a\x7e\xb3\x10\xcd\xeb\xf2\x78\x2c\x55\x12\x5e\xe6\xe1\xba\x9c\x13\x84\xea\xae\xa6\xfe\xe7\x0f\xb2\xd7\x8d\xb1\x43\x22\x8d\xa0\xd4\x57\x8c\x29\x0d\xf9\xef\x34\x6d\x79\x45\x0a\x36\xaa\x65\x00\xc8\x24\xcf\x94\x78\x48\xa7\xcf\x51\x51\x75\x0c\x1b\x92\x6d\xae\x5b\x0b\x51\xa9\x8d\x03\x8a\xb4\xe5\x0a\x33\xc7\x76\x9d\x7b\x46\xcc\x34\xf2\x03\x3a\x74\x55\x3e\xa3\x1e\x90\x2b\xa1\xea\x19\x75\x1f\x86\x45\x2e\xdf\x88\x1f\xc3\x15\x3a\xa9\x5d\x70\x42\x55\xd8\xf8\xf2\xe1\x50\x92\xe5\xae\x4a\x6f\xbb\xec\x4c\xf0\x64\x9c\xf2\x59\xb0\x15\x15\xa0\x01\x82\xc5\x4a\xb7\x55\x25\xbe\x18\xa2\xe2\x53\xf4\xe6\xd3\xe4\xc3\x81\x33\x7c\x0b\x58\x8b\xc0\x3d\xfc\xfc\x74\x8d\x7c\x27\xef\xae\x5d\xae\xe5\xe8\x4f\x8c\xcf\x85\x80\xa7\x50\x12\x68\xdf\x9b\xb1\x70\x5b\xae\x2a\x4e\x4e\x1f\xec\x11\xec\x43\x55\x46\x88\x09\x7b\x9a\xcd\xd0\x1e\x1a\xc5\xe9\x4c\xfe\x32\x40\x4a\xc2\x40\x33\x72\xfb\xa0\xeb\x32\x8d\xe8\xc4\x8e\xd1\x72\x1a\x6f\x0b\xc2\x59\xcd\x94\xb5\x1d\x36\xc2\xb8\x1c\xf9\xec\xd9\x79\x2c\x4e\x45\xf7\xe3\x77\xa2\x26\x7b\x81\x67\xf9\x6f\x7a\xc1\x06\xb4\x5d\xbd\x76\x0c\x3c\x34\xe0\xab\x21\x37\xcd\xa4\x3a\xe6\xd2\x27\x61\x2e\x40\x61\xd5\x14\xc3\x95\xf1\xc6\x83\xee\x9d\x7f\x18\x67\x8f\xab\x40\x76\x5a\x0d\xe3\xb4\xf4\x7f\x77\x3c\x38\xbf\xaa\x88\xd2\xa0\x40\xb8\xee\x64\x83\x95\x19\x26\x41\x6e\x08\x1e\x20\x13\x50\xa0\xec\xa9\xda\x49\xa2\xa3\xf4\xca\x2c\x11\xb9\x3a\x86\x40\x59\xcd\x8b\xde\xd8\xa6\xe8\x5f\xf4\x0e\xe2\xcb\xce\xc2\xff\xdd\x31\xf6\x66\x8f\xd1\x1d\xff\x35\x5e\xf0\x12\x4f\x63\x8a\xe1\xb2\x40\xea\x21\x65\xe6\x82\xca\xa1\xdd\x4a\xa1\xcf\x67\xc3\xdf\x85\xc7\x14\x84\x18\x96\x80\x47\xc6\xb3\x99\x32\x69\xd5\xf9\x12\x84\x66\x9a\x2b\x14\x5f\xb1\x80\xa4\xe2\x03\xdc\x15\xb2\x05\xfe\x53\x82\x69\xb7\x72\x58\x9d\x4d\xd1\x57\x19\xa2\x80\x62\x17\xa1\x35\x10\x50\xaf\xec\x52\xde\xed\xb1\x23\x72\x2f\x9c\x8d\x22\x11\xf9\x6f\xf2\x2e\x1d\x28\x2a\x5a\x55\xc5\xd8\x41\x03\xd0\x72\xb9\xd7\x3a\x2c\x7f\x58\xc7\xed\xb0\xd0\x20\x80\x26\x09\x42\x71\xf1\x49\x4d\x49\xb7\x1c\xdf\x28\x9a\x6c\x41\xd9\x2b\x6e\x0e\xa6\x4c\x6b\xb7\xc8\x64\xa1\x3c\xcf\x94\x1d\x58\xda\xdd\xe1\x34\xfb\xbd\x87\x1d\xf7\x62\x65\x40\x04\x78\xbe\xe1\xec\xf8\xc2\xc3\xc1\x0d\x43\x57\xdd\xd0\x88\x44\x93\x15\x93\xde\x0f\x88\x85\x45\xe5\x11\xf2\xe3\x57\x8e\x90\x97\x7d\x84\x5c\x57\x47\xc8\x7b\x82\xc7\x9e\xae\xee\x7b\xfb\x6c\x79\x23\xbb\x9e\x9d\xd8\xd1\xcc\xb1\xf3\xf0\x5f\x39\x43\x5e\xc6\x19\x72\xcd\x3a\x43\xde\x75\x59\x67\xc8\xe0\xb1\x9a\x92\x01\x93\xd9\x14\x1d\xc3\x83\x5e\x7b\xf7\xc3\xe5\xbc\x7f\x9b\x3e\x5c\x9a\xa1\x1e\x38\x56\x0e\xad\xef\xc1\x93\xe5\x0b\x6a\xec\x89\xd6\x9c\x71\xf2\x01\xc8\x3c\x86\x38\xc5\x18\x96\xe8\xff\xba\x17\xdc\xe4\x5c\xd1\x1a\xa8\x13\x66\x8d\xda\x11\x6d\x25\x95\x20\xd7\xdf\xe7\xb1\xff\xe0\xb1\xab\xe4\xa9\xef\x36\x3a\xf5\xf9\xbd\x11\xb3\xd9\x30\x58\x9a\x17\x28\x64\xf2\x16\xfb\xda\x00\x3b\x8d\x55\x1f\x83\x7f\x27\x3f\xda\x50\x67\xcd\x26\x7b\xed\x21\x76\xfd\x25\x05\x6b\xfa\x5f\x3c\x18\x7c\xe7\x8e\x77\x2f\x7a\x87\x48\xf9\x75\xe9\x8e\x0e\xb2\x16\x53\x77\xfc\x67\x06\x4f\x9f\x25\x0d\x39\x2e\x74\xaa\x5c\x13\x00\xf9\x94\x8e\x8b\x91\xdf\x64\x50\x35\x2a\x75\x9d\xe0\x74\x74\x06\x9f\x9b\xd1\xf3\xc2\x1a\x3b\x18\x89\x34\x16\x91\xff\x77\x5e\xf0\x47\xde\x3c\xfc\x6d\xa3\x3d\x8f\xfe\x0a\xbe\x6b\x27\x08\x52\x5a\xeb\xe2\x3a\xe6\xeb\x85\xa6\xde\x06\xd7\x27\xd2\x5f\x31\xf9\xdd\x94\x5c\x6e\x50\xed\xa4\x8e\x93\x66\x3c\xeb\xc6\x29\xc8\xf8\xd4\x04\xb1\x66\xe6\x39\xab\x56\x4d\x4e\xb5\x97\x42\x85\x84\x42\x49\x75\xb7\xba\x0f\x9c\x13\x4e\x27\x7c\xb1\xc6\x1e\x49\xe1\xbc\x71\x86\x24\xd1\xfe\x27\x6a\xc1\x87\x6b\x0b\xee\x45\x72\x03\x2b\xd0\x46\xe5\x46\x07\x6c\x24\xa0\x26\xe3\x59\x0b\xe6\x52\x64\x3b\x8f\x9c\x99\x82\xae\x6c\xb5\xe9\x4b\x39\x92\x8b\xc4\xca\x68\x53\x60\x15\xc4\x75\x06\xbd\x65\x27\x00\x64\x52\xd0\xf6\x84\x49\x04\x1c\x28\x9e\xa6\x70\x9c\xf2\xa2\x1b\xe3\xe2\x8a\x4b\x04\xb4\x88\xd3\xa2\x94\x73\xb9\xce\x97\x6f\x9b\x9d\xd3\x84\x3d\x71\x81\x49\xbb\x16\xb3\x26\x11\xb9\xca\x0b\xa8\xa6\x15\x25\x64\x13\xa3\xf4\xc6\x3a\x01\x47\x01\xe4\xe5\x41\xc4\xc2\x50\x94\xb4\xa3\x72\xdc\xa3\x11\x2b\x57\x82\x53\xcb\xf8\x86\x33\xc5\xa0\x3f\xac\x60\x65\x48\x75\xa3\x30\x65\x50\x95\x4c\x9c\x32\xce\x1d\x37\x60\x6a\x8c\x05\x55\x1a\xf5\xdc\xd2\x4a\xd6\xda\x14\xe5\x2c\x4c\x0f\xff\x7f\xd5\x82\xa7\x0c\x5c\xb3\x4f\xc6\x2a\x79\x82\xaf\x85\x94\xb3\x9d\x75\x05\xa2\xa5\xf3\x02\xde\xb9\xe8\xc1\xa9\xcb\x59\xa8\xff\xa5\xc6\x3e\xa6\x22\xd9\x7e\x7e\xcf\xfc\x3b\x3b\x9d\xc6\x9e\x77\x96\x1c\x95\xb9\xcb\xbe\xaa\xce\xec\x18\xda\x9a\x99\xc8\x35\xcc\x01\xe4\xf4\x9a\x09\x73\xb3\xce\xe3\x33\xf2\xcd\x1b\xae\xbf\xfe\xc4\xf5\x76\xdc\x21\x7a\xf5\x17\x67\xcf\xce\x3e\x67\xe5\xae\xb9\xe7\x9c\x9d\x3d\xb3\xd0\x64\x77\xb2\xf1\x8d\xac\x28\xfd\xa7\x05\x27\x0d\x51\xf5\xed\x59\x81\x07\x33\x9a\x80\xa9\xdc\xcb\xcb\xac\xee\x1c\x72\x14\xf4\xcb\xa2\x7b\xd6\x79\xdf\x63\xd8\x3d\x97\x9a\x68\x86\x1b\xcb\x1c\x84\x82\xaa\xc0\xe0\x79\xdd\xb7\x4a\x7d\xfc\xf5\x47\x07\x37\xef\xf2\x8c\x63\xfe\x50\xd9\x52\x52\xc5\x9e\x5b\x9e\x57\x9c\xb8\x17\xbd\x83\x18\x2a\x7b\xd1\x3b\x44\x49\xcd\xce\x30\xff\xb1\xcf\x5e\x34\xc6\x0e\xa2\xe2\xe8\xff\x7d\x8d\x45\x0f\x4d\x36\x5d\x55\x23\xef\xd2\x61\x9e\xc1\x2b\x6b\xa4\xf8\x9a\x26\xa0\x57\x13\x2e\x82\x91\x4f\x36\xc4\xc2\xa0\x06\x68\x89\xbc\x87\x76\x51\xd2\x96\x55\x9b\x15\xb0\xeb\x60\x5a\xd8\x6a\xd6\x45\x20\x08\x05\x4c\xa1\x74\x08\xad\x28\x4b\x21\xd0\x19\xb2\x5a\x81\x8b\x77\xe8\x59\x4d\x9c\x16\x12\x3c\x07\x46\x4a\xa0\x25\xb2\xa5\xd4\xeb\x82\x1f\x2b\xf5\x67\xad\xfa\x53\xd3\x8c\xb9\xa4\x87\x60\x01\x45\x29\xc2\x68\xb2\xc9\x36\x18\x0d\x94\xff\x6f\x82\x25\xc5\x46\x2b\x07\x76\x3d\x09\xdb\x3a\x10\x67\x0a\xf3\xb9\x0d\xfd\x88\x1a\x75\xa9\x5f\x62\xfe\x06\xbd\xbb\x15\x87\xa8\xb2\xce\x2e\x2d\x16\xce\xae\x70\xbf\xc7\xd4\x54\xf0\xdf\xe8\x05\xaf\xf4\x14\xe0\xdc\x00\xf8\x84\x6e\xbf\x5b\x65\x88\x16\xa1\x5c\x3b\xc8\xd8\x75\x7b\x1d\x56\x8d\x4a\x9f\x97\x87\xd7\xdc\x2c\x4c\x61\x99\xae\x4d\x76\x5f\xb9\xa1\x9e\x7f\xca\xf0\x16\xf6\x1f\xc6\xd8\x55\x36\x3e\xb8\xff\xd7\x35\xb6\xfe\xf0\x4d\x51\x1b\xef\x3a\x78\x69\xcd\x41\x26\x57\xee\x77\x80\xcd\x72\xee\x54\x4d\x46\x65\x8c\x1b\x24\xab\xd8\x08\xb7\x46\xcf\x4c\xbb\xe0\x3d\x4d\x4f\x07\xa2\x7b\xff\x73\xd4\x6d\xe3\x4e\xd3\xf3\x2f\xc6\xd9\xe3\x0c\xe4\xc8\x52\x0e\x67\xca\xb9\x2c\xe9\x75\xd2\xc2\xff\x8d\xf1\xe0\x73\x63\x3b\xdd\xb5\xf3\x2e\x6d\x76\x0e\xbc\x89\x1c\xa8\x18\xb5\xbc\x0a\xda\x40\xd6\x2b\xbb\x3d\x38\xed\x56\x01\x4f\x69\xb4\x29\x0d\xf3\x39\x05\xf6\x46\x39\xe0\xea\x18\x83\x14\x3b\xd7\x20\x94\x9c\xbc\xa7\xdb\xd7\x08\x8b\x06\x00\x00\x10\xe9\x8b\x46\x90\xd9\x71\x38\x54\x3d\xf7\x32\x12\xea\xd9\x4b\x18\x04\xf5\xea\x4e\xfd\x8f\x56\x39\x6e\x5e\xc8\xf2\x1d\xab\x69\x59\xee\x74\x60\x01\xde\x97\x27\xa5\x6e\x12\xf6\xb5\x06\xd7\x16\x3b\xc8\x4e\xe5\x6a\x71\xe2\x0a\x52\x96\xb0\x7b\x1f\xbe\xb5\x87\xf3\xc5\xec\x72\xec\xb7\x3d\xc6\x22\xcd\xfb\xed\xff\xaa\x17\xfc\xbc\x17\xd9\x3c\xe0\x95\xe2\x6a\x87\x06\xcd\x2e\x2d\xa2\x8d\x5c\xbd\xdf\xe4\x77\x43\x08\x86\x8d\xc6\x23\x1f\xb2\x4e\xe1\x6e\xc1\x06\x9a\x70\x3b\xcc\x61\x1f\xda\x10\x61\x24\x72\xcd\x17\x85\xf9\x69\x84\x1e\x63\x50\xf0\x2d\x70\x06\x97\x6b\xa9\xc6\x7c\x55\x9d\x38\x4b\xef\xc6\x42\xfd\xd7\xd5\x82\xff\x58\x1b\xbe\x0e\x14\x0b\x79\x1c\xd1\x4e\xa9\x10\xf8\x54\x55\xf4\x3a\x2a\x33\x68\x05\x9a\x16\x8a\x26\x3f\x13\xf6\xd1\x06\x47\x13\x11\xc4\xf7\x79\xd3\x0d\xe7\xf5\xd1\xc1\x41\xf6\x53\xe5\xee\xd0\xc9\x4e\x4f\x52\xcc\x28\x11\xd0\xc0\xc4\x51\xa3\x90\x8a\x6d\xc0\x84\xa4\x3d\xc9\x0c\xd1\x90\xd7\xa1\x28\x43\x8c\xb7\x05\x12\x50\x20\xfe\x02\x12\xf9\xe6\x00\xbb\x0b\xe6\xc8\xbc\xcf\x0b\xde\xee\xa5\x96\xb7\x52\x15\x9d\x02\xe4\x11\xd0\x1b\x7d\xf9\xf9\xaf\xdf\x9a\xf9\xf2\xf3\xdf\x50\x87\xbf\xd0\x51\x0c\x3f\x45\xd9\xc2\xc6\x0e\x6d\x5d\xb0\x7c\xb0\xae\x00\x7c\xe5\x36\x3a\x2c\xf9\x79\x29\x63\x8a\xa9\x9b\xc1\xf2\x70\xcb\xd4\xcd\x74\xeb\x96\xa9\x66\xb3\x79\x5e\x56\xfc\x3c\xbe\x7e\xde\x3a\x90\x99\xea\x7f\xd5\x35\x37\xac\x27\xd9\x36\x65\x36\xe8\x25\x81\x81\x4f\x78\xa8\xf6\x3f\x58\x0b\x9e\x6a\x5f\xa0\x2c\x4e\x14\x5b\x22\x1a\x4a\x16\x43\x3b\x09\x20\x3a\x12\x43\x7d\xb3\x0a\xe8\xf9\xcb\x1e\xfb\x92\xea\xc8\xcf\x79\xc1\xff\xe7\x74\x24\xa4\x7c\x22\xd0\x33\x05\xf0\x80\x2b\x03\x5c\x07\xc1\xb5\x01\x92\x0b\x95\x2d\x38\x00\x5b\x0f\x17\xae\xc0\x26\x68\xc0\x56\xd6\xb1\x64\xf7\x94\x16\x0c\x53\x6b\x49\xb6\x36\xd5\x09\x8b\x52\xe4\x53\xdd\xcd\xf6\x94\x0b\xd1\x3a\x25\xcb\x85\xff\x34\xdb\x19\xe2\x18\x66\xc0\x97\x90\x24\x0d\x4c\xc4\xc7\x0a\x82\x57\xc5\x21\x07\xb1\x20\xfb\x3d\xa7\xaf\x07\xa2\x9e\xe8\xd8\x7c\x2a\x11\x17\x10\xd6\xc4\xbf\xdf\x0b\x4e\x0f\x5d\x75\xed\xc1\x24\x4b\xe5\xed\x01\xd2\x3a\x75\x8c\x43\xeb\x3c\x08\xce\x8b\xde\x41\x04\x86\x71\xba\x7e\x81\xcd\x31\xba\xee\x3f\x29\xa8\x1b\xcc\xa9\x41\x8f\xbb\xf5\x91\xc8\xc2\x98\xa6\xc6\xbd\xf2\x60\x25\x67\x65\x25\x9d\x9d\x61\xd5\xf8\xfc\x81\xe0\xb6\xd1\x8f\xd0\xd1\x2b\x29\x06\x58\x1b\xb4\x41\xab\xbb\xd5\x1a\xc9\xaf\xf1\xb7\xe3\x2c\x65\x57\x27\x61\x51\x2e\xe5\xd9\x9a\x00\xa2\x8a\x7b\x2e\xdd\xff\x10\x38\x64\x19\x5d\x59\x64\xa4\x8e\x88\x8a\x1e\xe3\x55\xd5\xf4\x18\xff\xf6\xd2\xbf\x7a\xeb\x2e\xf4\x18\x68\xb9\xdf\x27\x47\x46\xe3\xa1\xe1\xc8\xf8\xaa\xa7\x4d\x0e\x5f\xf4\x82\x5f\xf3\xce\x41\x9a\x1f\xf9\xe8\x2c\xbf\xb3\xfc\x3b\x2f\xeb\x9c\xda\x8a\xe2\x0c\x93\x18\x65\x1d\xc8\xd4\x0d\xf3\xb7\x1d\x6f\x09\xc5\x81\xa5\xb9\x36\x46\xf1\x6c\x48\x65\x24\x2e\x09\x30\xbc\xe0\xc1\xb2\x28\xe2\xfb\xc4\x4a\x19\xe6\xa5\x88\x88\x36\xcf\xf0\x25\x59\x08\x82\x86\xda\xd0\xc2\xf6\x52\xa8\xed\xb2\x0c\x77\x09\x7f\xbb\x4e\x2f\x77\x70\x33\x1e\x4d\x11\xb2\xce\xc5\x2f\x30\xf6\x2f\xab\x4c\x25\xe8\xad\x93\xb3\xff\x03\x2c\x78\x05\xf9\x84\x23\xf2\x40\xea\x9b\x83\x6e\x48\xe5\xe4\x2b\x90\xeb\x39\x8c\x55\x82\x85\x72\xec\x82\x17\x2a\x8f\xbb\x89\xe0\x37\x6f\x8a\x7e\x1d\x3d\x2b\xe8\x01\xbc\xc5\xf2\x80\xc3\xf3\xb0\x7b\x03\xd2\x5e\x96\xf3\x9b\xd5\x5f\xb7\xb8\x16\xe1\xd7\x1d\x61\x1f\x30\x0e\xca\x77\x7b\xc1\x9b\xbc\x05\x74\x49\xba\x88\x53\x58\x19\xf2\x56\x2a\x61\xdc\xe4\x0b\x90\x8e\x88\xbd\x6e\xe4\xb3\xfd\x70\xa1\x14\x1e\x4b\x3d\x54\x38\x28\x86\xfc\xe8\x12\x1d\x97\x9f\xf1\xd0\x73\xf9\x2b\x5e\xf0\x73\xde\x1d\xa2\x6f\xa2\x47\xb4\xe3\x52\x05\x53\x94\xa6\xd7\x2d\x32\xae\x91\x0d\xd8\x14\xfd\x42\xa7\x1b\x6d\x62\xe9\x90\x7f\x59\x37\xfd\xaa\xce\x98\x0b\xa0\x35\x3c\x59\xe5\xad\x76\xd6\xe2\x14\x3f\x46\x33\xd2\xde\xbe\x54\xbb\xd3\x08\x7e\xc2\x67\xec\x56\xfd\xad\xc7\x0e\xab\x0f\xf8\x5f\xf5\x82\xdf\x22\x2e\xb6\x2c\x77\x37\x86\x4d\xd1\x9f\x90\x47\x99\x04\xb1\x14\x37\xe2\xae\x32\x1d\xc1\x17\x94\x83\x58\x15\x85\x3d\x8d\x15\x85\x8f\x2f\x48\x65\xc8\xd5\x17\xe9\x12\x3d\x24\xdb\xfb\xdc\x5e\xbc\x15\x26\x02\x00\xd0\x0d\x6b\x17\x59\x49\x80\x4b\x20\xa3\x64\x01\x4c\x41\x0b\x53\xe3\xab\xd6\x5d\x89\xcc\x9b\x00\xb8\x18\xb7\x7a\x49\x98\x73\x39\xb3\xda\x59\xee\xba\x52\xff\xb0\xc6\x1e\x65\xc6\x49\x45\xd5\xff\x7a\x0d\xa2\x65\x6e\xb8\x2e\xf8\x50\x6d\x75\xf0\xee\xa0\x83\x18\x03\xf2\x75\x68\xfd\xc0\xc8\x1f\xb3\xb2\x02\xd6\x60\x67\xa1\x19\xad\xa7\x97\x6d\x7a\x77\xe3\x2d\x10\xc2\x2e\x9a\xb4\x56\xa9\xe5\x8b\xbf\xad\xaf\x74\xd8\x3a\x41\x26\x13\xb9\xbb\xc2\xa1\x56\xf3\x60\xd0\x8d\x2f\xbb\x52\xc8\xdd\xf8\x18\x79\xfa\x21\x7b\x6a\xb2\xc9\x9f\xad\x62\xf9\x53\xd1\x06\xf8\x7f\x35\x6f\x54\x14\x46\x49\xe9\x67\x61\xc1\xa7\xf9\x31\x78\xcd\xa6\x3a\x98\xd4\x00\x16\xc8\xc4\xec\x44\xbc\xfc\xb0\x0e\xd6\x7f\xad\x17\xbc\xcc\x1b\x08\xbd\x32\x7e\xf0\x81\xfe\xd3\x72\x28\x33\x69\x78\x6a\x6a\xc6\x05\x4d\x9b\xba\x99\x82\x76\x98\x0e\x2d\x1c\xdd\xbb\xf7\xca\x41\x08\x79\x2e\xda\x30\x21\x2a\x52\x9a\x7f\xe2\x28\xab\x57\x08\xd7\x65\xa1\x93\xfe\x0d\x28\x31\x40\x57\x3c\xff\x68\x70\xc7\x8e\x77\x47\x30\x6a\xe4\xe6\x1d\x9b\xa9\xd3\x11\x94\x6f\x63\xec\x45\x35\xf6\xc8\x81\x1c\x46\xff\xcf\x75\xca\xc7\xe7\xbd\x33\x94\x1f\x65\xb2\x63\x0a\x9a\xa4\x26\xc3\x03\x92\x35\xad\xdc\x41\xc0\xf7\x36\x19\x4c\x90\xa7\xa8\x52\x08\x21\xb5\x40\xee\x79\x85\xb1\x4d\xf3\x56\x1e\x16\x52\xb4\x23\x3a\x61\x5c\x92\xf2\xa7\xd2\x0d\xe5\x7c\x50\xf9\x37\xee\xd2\x9e\xe6\xc7\xe4\xc7\x34\x6a\x6f\xc5\x0b\x72\x2a\x15\x19\x62\x9a\xc6\xc4\xef\x19\x46\xfd\x49\x67\xea\xbc\xb9\xc6\x0e\x53\x87\x15\xfe\x0f\xd4\x54\xf3\xff\xc1\xa3\x9e\xd7\x34\x47\xa6\x1b\x54\xb2\xaf\x7a\xcd\xca\x02\x44\x78\x3e\x74\x42\x45\x68\xda\xeb\xc5\xc5\x06\x5f\x13\xe5\xb6\x10\x29\x17\x17\x90\x23\xdc\xa4\xb6\xd8\x8c\xe0\x4e\x03\x67\xf6\x4d\x87\xbc\x9d\xe5\x9b\x49\x16\x46\xc5\x94\x19\xf5\x62\xca\x9a\x0d\xe6\xf2\x35\xdb\x1b\x61\xd9\x88\x8b\x46\xd8\xa8\xbc\xef\x74\xd1\x07\xc6\xd8\xe1\x42\x85\xa4\xbe\x6b\x2c\x78\xc5\x98\x1d\x4b\x1a\x12\xd6\xc4\x73\x7b\x22\xef\xc3\xf9\xda\x0a\xf7\xa1\xb9\x60\x38\xef\x74\xaf\x22\x13\x83\x5c\x76\x76\x61\xb4\xac\x70\xb4\x48\x02\x59\xe0\xef\xf2\x43\x9a\x60\x51\x39\x3a\x96\xa4\x26\x22\x3a\xdd\x04\x32\x13\x21\xf6\x15\x36\x21\x85\x34\x6b\xb2\x28\x74\x7c\x16\x8f\x09\xfb\xcd\x4c\x37\x87\x9a\x18\x63\x48\x2a\x16\x11\x1c\xab\x11\xb4\xc0\xa9\x1d\xd5\x2c\x4b\x07\x6a\xb3\xcf\x11\x94\xbd\xb7\x15\x8b\xed\x29\x8a\xe2\x6c\xc8\xb5\xd3\xa0\xac\x8b\x29\xfc\xc8\xd4\x35\xf0\x6f\x43\x8d\x48\x71\xff\x08\xd6\xae\x9f\xab\xb1\xc3\xaa\x36\xfe\x7b\x6b\x23\xf8\x13\xf4\xe9\x27\x8b\x56\xe9\x05\x00\x3e\xfa\x9a\xa7\x7e\x6a\xde\x54\x3c\x45\x63\x38\x97\xe3\x78\xd0\xf1\x65\x7a\x55\x92\x58\x88\xd7\x79\x9c\x16\xbd\xf5\xf5\xb8\x15\x23\xc7\x21\xcd\x02\x64\x0b\x28\x45\x8b\xf2\xb7\xe5\x27\xc2\x4d\x01\x63\xdc\x12\x11\xf0\x63\xc0\x94\x0a\xb9\xaa\xc6\xb2\x58\x7f\x58\x57\x46\x37\x8b\x1a\xaa\xcb\xd8\x27\x3c\xf6\x9d\x15\x9d\xb4\xd2\x2f\x5a\x65\xe2\xff\x98\x17\x3c\x11\xff\xd4\x71\x49\x52\x8d\xc9\x53\x91\x58\x68\xaa\x38\xc5\x0a\x70\x10\xa2\x33\x09\xf7\x2a\x47\x1e\xaf\xb1\x69\xb5\x85\x4d\x04\xdf\x75\x97\x8a\x13\x0e\xe5\x71\xad\x2b\xf2\x12\x62\xd6\x14\x46\x10\x6d\x28\x4d\xb2\x3e\xfc\xab\xe0\x3b\xcf\x6a\x32\xf6\x11\xcf\x7f\xff\x63\x9c\xc3\xbc\xd1\xee\xbb\x59\x92\xb5\xfb\x2b\x5d\x29\x1e\xe7\xb2\xb4\x28\x73\x88\x36\xfc\xe2\xa3\x83\x67\xee\x74\xd3\xb2\x47\xab\xe0\x7f\x78\xc2\xe8\xea\x98\x40\xd9\xc9\x48\x87\xa7\x04\x53\x2a\xae\x79\xd1\x3b\xd4\x09\x2f\xac\x6c\x8a\xed\x8b\xde\x51\x75\xf5\x0e\xd1\xbf\xe8\x3d\x6a\x7b\x43\xa4\xe7\xd2\x22\x2c\xe3\x62\x3d\x96\x72\xdc\x0d\x11\xf3\xd9\x27\x0f\x32\xf5\xb2\xff\x91\x83\x4a\x62\xdf\x7f\xf0\x0c\x5e\x1b\x98\x94\x91\x68\xe7\x02\xbc\x93\xb8\x65\x41\xbd\x54\xb2\x59\x2a\xb6\x44\x9a\xf4\x41\x56\x23\x8c\x90\xb2\x68\x9e\x1f\xaa\xc6\x53\xe6\xb3\xb3\x59\xa9\xd4\xf8\xf3\x4a\x4a\x95\x56\x6a\xb5\xc9\xf9\x53\xac\x2d\x40\xa8\x85\xb2\xdf\xdd\x44\xdc\x7e\x22\xe3\x27\x85\x89\xab\xfe\xd0\x18\xbf\x2a\xcc\x1d\x77\xe4\x01\x9e\x74\x08\xd0\x3f\xd1\xb8\x4f\x9e\xa2\x29\xc1\xa1\xce\x55\x5f\x98\x5c\xe4\x19\x0c\x59\x83\xcf\xb9\xb9\x71\x89\x9d\x2e\xa0\xc6\x31\x2c\xf8\xcc\xd4\xcc\xd4\xf4\x49\xfe\xbd\x5c\x16\x3d\x43\xff\x1e\xa7\x7f\x4f\xf0\xef\xe5\xdf\xcb\x39\x5f\xe2\xdc\xf9\x97\xc3\xbf\x0d\x95\x3c\x4d\x75\x98\x81\xc8\xee\xac\x43\x0d\x36\xb0\xc7\x6b\x42\xd1\x6f\xa1\x20\xc5\xa2\x61\xc9\xb4\xb2\x8e\x80\x3a\xcc\x3c\xd9\xa6\xe8\x8a\x4b\x4c\xfb\x85\x4a\x1d\x83\x2a\x4d\x52\xc4\x09\xf0\x75\xcb\x66\xcd\xb6\xca\x5e\x98\xc8\x8f\x1f\x3b\xde\x98\x9e\x94\x72\xd9\x79\x7c\x2b\xce\x40\xa2\x51\x0d\x8f\xcd\x4c\x36\x87\xaa\x7c\xbc\xa2\xca\x4e\x6d\xa1\x16\x52\xa9\xb9\x0f\xd2\xc7\x77\x9a\x35\x6a\xc2\xcc\xa6\xfd\xed\xb0\xaf\xa7\x8d\x4a\xc1\x90\xeb\x82\x6f\xc4\xed\x0d\xb9\x6f\x1a\xa1\x07\xc7\x67\x98\x05\xb1\xce\x0c\x87\x42\xfb\x10\xb1\xb1\x58\x4e\x14\x14\x04\x81\x69\x8c\x08\x42\x3d\x9c\xa0\x0e\x63\x3e\xad\x14\x78\xc5\x04\xec\x6c\xef\xef\xac\x31\x7b\x05\xfa\x3f\x54\x0b\x5e\x5a\x5b\x35\x17\xd4\x24\x97\x47\x46\x45\xf3\x8a\x5b\x51\x13\x80\x8d\xa9\x7a\x84\x98\x84\xca\x00\x4d\xb0\xb8\x80\xb7\x00\x6c\x6e\xd0\x6f\x03\x04\xbd\x46\x6b\x43\x29\xa9\x9c\x00\x18\x4f\x40\xb2\x82\xdf\x6d\x9e\x44\xaa\x24\xb0\x16\x60\x41\xb7\x60\xa0\x7e\xb0\xd6\x6b\x6d\x8a\x92\xf8\x85\xcb\x1c\xe4\x5f\xb7\x57\x72\x0a\xd1\x8a\xac\xa5\x47\x2b\xae\xcc\xb0\x30\x7c\x73\xa7\x3e\xb5\x05\xe8\xa7\x0e\xb1\x61\xe9\xe4\x7f\xf0\x50\xf0\xae\x43\x77\x0f\x5e\x1e\xce\x8e\x8a\x44\x48\x1d\x83\x67\xcb\x18\xec\x3f\x1a\x24\x9c\x46\x17\x75\x7a\x58\x82\x2d\x2d\x6d\xe5\xec\x74\xa4\x0f\x3f\x46\xea\xc7\x24\x2f\x05\x40\xa7\x6e\x98\xa9\x99\x53\x88\xb5\xbe\x00\x53\xa6\xc1\xdd\x99\x58\xf9\xa2\xfd\x92\xda\xd1\x63\x0c\x1e\x4f\x32\xdc\x2a\xeb\x8c\x43\x18\x50\x1b\xbc\x82\x7b\x9b\xba\xb8\x3c\x37\x44\xd2\xe5\xb9\x88\x7a\x98\xe6\xcf\x38\x2f\x36\xc5\x76\x93\xcd\x5a\x2d\x45\xba\x10\x3d\x2b\x02\xa7\x4f\x03\x85\x5d\xe0\x2c\xcc\x78\xdd\x80\x59\x4b\xed\x6c\x4b\xea\xa1\x3a\x64\x0a\xa6\x2b\xe0\x92\x01\x44\x3a\x42\x30\x21\x6d\x10\x55\x4b\x09\x83\x80\x16\x3f\x84\xcb\x83\xa9\xdc\xcc\xc0\xaf\x8f\xc0\x3d\x21\x85\xdd\x68\x81\xbb\x04\xff\x1b\x16\xbc\x8b\xeb\xbc\x62\x0a\xea\xba\x38\x93\x67\x3f\xb2\xf8\x38\x88\xcc\x13\x93\x96\x48\x3e\x31\x75\x7c\x6a\xe6\x98\xac\xeb\xf1\x49\x59\x6b\x47\xd8\xce\x68\x61\xab\xdf\xa4\x1a\x89\xc2\x11\xb7\x8b\x29\x01\x37\x6c\x67\x79\x44\x87\x6c\x05\x6d\x0f\xec\x46\x25\xe9\x90\x71\x47\x2d\x61\x0c\x3f\x33\x93\x75\x3b\x93\x0b\x07\x84\x7e\x5c\xf2\x6b\x3b\x59\x2e\xae\xb5\x1e\xdf\xcb\x8a\xfe\x9a\xc7\xae\x76\x46\xc3\xff\xea\x43\x91\x72\xf7\x36\xcf\xf9\x6d\xcb\xfb\xf5\x38\x1d\x50\x92\x9a\xf2\xcc\x50\x58\x96\x51\x42\x77\x46\x04\x3f\x55\x04\x8a\x4b\x84\xb0\x07\x61\xa2\x22\xfc\x5c\xb5\xc2\x05\xd6\x18\x8c\xfb\x27\xb5\x22\xca\x3a\x61\x9c\x36\xd9\xf7\x79\xac\xb9\xa7\xd6\x9d\x89\x5b\x79\x06\x0e\x81\xbb\xfc\x23\x51\x58\x8a\x46\x19\x77\x44\x70\x8b\xbe\xce\x5d\xd7\x31\x5c\x82\x39\xdf\x91\x4f\xa0\xdd\x80\xa3\xcf\x5d\x4a\x0a\xe0\xa2\x74\x06\xe2\xdf\x1f\x64\xdf\x5d\xa1\x9b\xde\x21\xfa\xab\xd9\x52\x58\x6e\xf8\xbf\x7f\x20\xa8\x9f\x09\xbb\x56\x84\x39\x25\x72\x84\xbc\x1b\x96\x1b\x26\x55\x91\x20\xf3\x55\x1a\xcb\xb8\xbc\xeb\xda\x88\x0f\xb0\x09\xb4\xb3\xf2\xe0\xd1\xab\xb4\xb1\xc9\xdd\x22\xcf\xc0\xd9\x67\x57\xeb\x43\x63\x6c\xbc\x93\x45\xc2\xff\x49\x9d\xe3\xf6\xfa\x31\x13\xfc\x06\xfc\x0a\x6b\x40\xd0\xa4\xd0\x25\x30\x4b\x91\xb8\x7b\x28\x18\x0f\x71\x58\x85\x41\x7c\x93\x2b\xae\x55\xaa\xbd\x50\x6b\x88\xd3\xd3\xd3\xd3\xb8\x61\xdf\x78\xe3\x8d\x88\x9d\x13\x89\x56\xdc\x19\x7e\x10\x9e\xba\x7e\x66\xa6\xc9\x9f\x35\x7b\xe6\x34\x44\xfe\x75\xcb\x02\x63\x6a\xb1\x64\x0c\xa4\xb5\x5e\x2e\xea\xfc\xe9\x2b\x77\x9e\x35\xb0\x44\xee\x5d\x90\x8c\xba\x3d\xd5\x09\x4c\x9a\x4c\x84\x36\x9f\x33\x88\x10\x65\x73\xa4\xc0\x11\x0e\x19\x55\x70\x3b\x6f\x65\xe9\x7a\x12\xb7\x4a\x9c\x0e\xb8\xe4\x15\xc0\x04\x1a\x5a\xc9\x08\x0f\x38\xe9\x89\x20\xc2\x34\xc0\x7c\x20\x62\xa5\xba\xd6\x83\x73\x51\x48\xf5\x86\x54\x31\x8b\x9b\x0e\xc6\x00\xe1\x11\x2c\xcd\xe6\x3d\x1e\x83\xe1\xf7\xdf\xe1\x05\xaf\x05\xaf\x05\x5a\x97\xb7\x04\xce\x19\xf2\x12\xc2\x67\xc1\xa4\xdd\xd5\x8a\x4e\x99\xa1\xd3\x9f\x02\x85\x6d\x88\x23\xf9\xaa\xb9\x49\xa6\x2c\xdc\x2d\x65\xa1\x02\xa9\xc6\xf8\x44\xb3\x39\x61\x1e\x43\xfc\x09\xb3\x0d\xe0\x14\x86\x67\xec\xf9\xf6\xea\x31\xf6\x84\x2a\x5e\x7f\x05\x13\x6e\xdc\x90\x7f\x5c\x0b\x9e\x32\x7c\xd9\x44\xae\xef\xe0\x7a\xd4\x80\xe3\xa3\x19\xfe\x5f\x5e\x63\xdf\x61\xbc\x6f\x47\x07\xfc\x49\xe4\x3a\x3b\xfa\xf0\x51\xc5\xdf\x4c\xde\xa9\xeb\x82\x89\x55\x22\x39\x36\x10\xea\x16\xe5\x9a\xf1\x60\xda\x6f\xdf\x59\xe9\xcb\x7c\xd2\x25\xfb\x32\xd9\xef\x1d\x61\xff\xaa\x62\x58\xe6\xb2\x4e\x37\x4b\x45\x5a\x62\x7b\x21\x23\xea\xa7\x8f\x04\x2f\xf0\x4c\xfb\x15\x99\x81\xae\x68\x61\x91\xf0\xd3\xdb\xa8\xc1\xaa\x3c\xa9\x81\x42\x35\xe6\x06\x9f\xd7\xa1\x22\x27\x71\x99\x0d\x05\xe3\xc8\xf5\xb6\x35\xd3\x9c\x79\xd2\x13\x2b\xb3\xab\x7e\xee\x10\x4b\x54\x72\x50\x2b\xe0\xa7\x77\xf9\xe0\xde\xb9\x37\x77\xe8\x8f\x2b\x29\x42\x97\x91\x22\xf4\x29\xcf\xca\x11\xfa\xa5\xfd\xa4\xa4\x57\x24\x09\xbd\xd0\xdb\x21\x4b\xe8\xeb\xd8\xb8\x2b\x99\x7d\x97\x99\xd9\xf7\xa0\xf7\x3d\xbb\x67\x74\xdd\xe4\xdf\xa0\x33\xba\x82\x40\xe7\x70\x55\x48\xaa\xc1\x2c\xae\x5f\xba\x8a\x1d\xdb\x6b\x34\x8c\xff\x9a\xab\x82\xb3\x95\x77\x70\x81\xf7\x0a\x91\x4f\xe8\x75\x46\xa7\xb6\x88\xb7\xe0\x09\xd4\xd9\x06\x83\x18\x1c\x49\xf5\x39\x76\x65\xb6\x5c\x61\xa3\xf8\xc6\x09\xdf\x4f\xdb\xc2\xf7\x81\x3d\xe7\xed\xec\xc0\x47\x11\xbc\xc8\x88\x5f\xec\xcc\x89\xe2\xeb\x27\x82\xd5\x87\xd8\xdf\x2b\x56\x8c\x3f\xf7\xd8\xc9\xdd\xfd\x40\x55\xab\x1b\x3c\x42\xef\xf5\xc0\xff\x6c\xaf\x40\xe5\x11\xd5\x20\xdf\x71\x51\xc6\x2d\x0a\x93\xd8\x52\x41\x80\x30\xee\x8a\x44\xb0\x9b\x45\x94\x9c\xb6\x6f\x6f\x0e\xe5\x39\x4c\x19\x19\xa2\x58\x92\xaf\x31\x97\xf0\x0a\x48\x9c\x82\xbd\xb8\xa6\xb5\xd3\xaf\x79\xec\xe6\x4b\x6c\x3c\x66\x8a\xfe\xac\xd2\xee\x06\x42\x35\x54\x9a\xa8\x15\x4e\x3a\x65\x52\x46\x2b\x24\x1e\x8a\xc3\x26\x5f\x16\x61\xd4\xc8\xd2\xa4\xff\xf0\x77\xc4\x83\xde\x3d\xbb\x6f\x21\x27\xfd\x9b\x1a\xb4\x6d\x54\xf6\xc3\xc0\xc6\xc1\xad\xed\x86\xbd\xf2\xa0\xb3\x89\xec\x9c\x0a\xbc\x7a\x7a\xc5\xff\xf2\x81\xe0\x8c\xf9\x39\xe0\xb6\x81\x48\x39\xc8\x6c\x4b\xc2\xbe\xc8\x79\x21\x5a\xbd\x3c\x2e\xfb\x15\x70\x52\xd5\xc9\xc1\xff\xfe\x00\xbb\x58\x63\x07\x36\xb2\xa2\x2c\xfc\xff\x54\x0b\xfe\xca\xbb\x3d\x2b\x08\x58\xc2\x68\xdb\x70\x5b\x91\x55\x69\xd4\x77\x59\x9d\x96\xc8\x4b\x0c\xac\xa0\xa0\x6e\x3a\x27\x3b\xec\x5b\x96\x4b\x59\xc5\x9e\x4e\x15\x2a\xeb\x00\xdb\x91\x14\x2b\xa2\x95\x8b\xd2\xf5\xee\x97\x80\x9b\x49\xe1\x47\xb2\x12\xf2\xf4\x0a\x52\x58\x1d\x0f\x1c\x2c\x2b\xeb\xc8\xb3\xde\x4b\x14\xbf\x14\xd4\x83\x1a\x0f\x9e\xe9\x44\xac\x97\x4e\x44\xc1\x08\xe2\xac\xaf\xd4\x18\x2b\xa0\x66\x80\x5e\xf5\xd9\x5a\xf0\xb1\xda\x8a\xfe\x5d\x15\x4d\x8b\x4f\x6b\x53\x07\x1a\xa0\xe4\xb9\x72\x65\xe5\xb4\x8d\xbb\x72\xdd\x75\x27\x9a\xfc\x94\x0a\x34\x82\x3a\xa9\x5c\x4e\x03\x2d\x24\xdf\xc9\xb3\x1e\x34\x59\xa7\x54\xae\x9c\x5d\x84\xce\x80\xaf\x86\x09\xf8\x55\x28\x30\x47\xdd\x42\xeb\x6b\x02\xb3\x12\x3b\x06\xcc\x0b\x96\x89\x35\x90\xe3\x1c\xa8\xb4\x02\x0c\x78\xb2\xa8\x39\xa8\xbf\x96\xc1\x10\xea\x96\x5c\x98\x9c\x39\xd5\x38\x95\x34\xe7\x20\x37\x41\xce\xa3\x4a\x5b\xb0\x5e\xa2\xf6\x38\x67\xd1\x37\x8d\xb3\xc6\x8e\x08\x4d\xb7\xaf\xae\x2e\x59\xf5\x41\xfc\xa9\x3f\x1b\x0b\xde\x5a\xab\xba\xe3\xc2\x32\x4a\x01\xa1\xcd\x83\x05\x06\x9e\x10\xba\xc7\x5a\xd8\xda\x14\x69\x54\x10\x47\xbf\x50\xa6\xeb\x93\x8a\xb4\xe3\x66\xd9\xde\x5b\xa6\x6e\xee\x86\xe5\xc6\x2d\x4f\xbd\xb9\x10\x72\x13\xe9\x86\x79\x79\x0b\x6f\xdc\xa2\x5e\xe7\xdb\x90\x76\x86\xff\xed\x02\x0e\xb0\xc2\x63\xce\x13\xcb\xb4\x28\xbf\xb8\x7c\x6a\x8e\x9f\x78\xd2\x4d\x37\xd4\x95\xe2\x45\x0a\x84\x6d\x1c\xb2\xa2\x06\xdb\x61\x9c\x16\x25\x9a\xea\x4b\x30\x84\x86\xeb\x25\xf1\x0f\x41\x9c\xec\xc4\xd4\x04\x25\x37\x6b\xe8\x77\x24\xd1\x9b\x78\xea\x04\x90\x4f\x5c\x33\xd1\xbc\xe8\x1d\x90\xf5\x77\xcf\xb8\xef\xf5\xd8\xbb\x3d\x86\x37\xfc\xb7\x7a\xc1\x75\xb3\xbc\x25\xd7\x4d\x4b\x69\x80\x70\x47\x19\x5b\xbb\x4e\x9e\x8a\xee\x36\x7b\xd5\x9c\x64\x37\xb1\x1b\x76\xdc\x30\x76\x1c\xce\xa5\xb0\xdc\x78\xd0\xbb\x66\x47\x2e\xfc\x23\xfe\xa1\xb0\xcc\x3a\x71\x8b\xb1\xd7\x1d\x76\xc2\xd0\x07\x62\xec\x97\xb2\x68\x5e\xe3\x8d\xdf\xd6\x8b\xda\xa2\x04\x3b\xc3\xef\x1f\x0a\x6e\xdd\xe1\x1e\xce\x13\xb7\xd9\x15\x8f\xee\x00\xe3\xf9\xa6\x2b\x18\x2c\x97\xad\x7b\x9f\x53\x66\x96\xd3\xf6\x54\x7a\x2a\x1b\x81\x17\xb9\x87\x71\xbf\xa2\xd2\x7f\x93\xc0\x76\x6e\xec\xae\x44\x2d\xf8\x73\x5a\x89\xaa\x5e\xa5\xae\x1a\x05\x83\x6e\x74\x29\x9c\x0c\x8c\x7d\xf6\x20\x7b\xc6\x25\x53\xb1\x0e\x26\x06\x6a\xaa\xd9\x7f\x3c\x10\x9c\xd9\xe9\x66\x05\xe3\x2c\xad\x4e\x15\xd2\x52\x1a\x3e\x4f\x50\x6c\xe7\x96\x9b\x17\xbd\xc3\x0a\xe2\xd8\xa5\x8a\x39\xc0\x1e\x18\x63\xfa\x9e\xff\x81\xb1\xe0\xfe\x31\x0d\x86\xec\x86\x10\x55\xa6\x91\xd1\xb7\x81\x04\x04\x5d\x1f\xea\xdb\x4d\x0d\xda\x61\xe2\x09\x4e\xf2\x06\x3f\x7f\x36\x4b\xc5\xf9\x93\x98\x99\x46\x6f\xe7\xe8\xdf\x24\x84\x6e\xc8\xd9\xd4\xd2\x0d\x64\x08\x3a\x82\xd1\x6b\x0e\xac\x53\x69\x9f\xbc\x0b\x14\x2f\x9d\x56\xa7\xc6\x37\x0c\x1b\xed\x49\x8b\xcf\x14\xb7\x3d\x24\xb2\xcd\x1c\x5a\x62\x45\x6d\x5a\x66\x3c\xca\x94\x61\x98\x9a\xd4\xe4\xb3\x26\xb3\xd7\x3a\x45\x30\x0e\xe1\x1b\x42\x44\x4a\x37\xd9\xd0\xe8\x18\xe4\x70\xd1\x3e\x1d\x20\x1b\xed\x12\xb1\x17\x19\xd6\x41\x13\x2b\x28\xc0\x82\x10\x55\x00\x73\x50\x3e\x6b\x7d\xde\xaa\x5b\x05\xd6\xf4\xaf\x78\xec\x10\x3d\xe1\xff\x82\xc7\x9e\xf9\x10\xd3\x05\xeb\x6a\x04\x2d\x55\x8f\x6a\xea\x63\xb7\xcf\x54\x87\x5a\x88\xde\x98\x9a\xa9\x26\xd9\x79\xcb\x09\x6e\x31\x07\x7f\xf4\xc8\x80\x9f\x25\xcb\x23\x52\xf7\xb4\x04\x3e\x2d\xc2\x42\xf8\xaf\x3f\x12\xfc\x3f\xf0\x97\x15\xe2\x97\xc0\x6f\x3a\x86\xb9\xa7\x8e\x97\x1c\xbe\x22\xa5\x2f\x43\x4a\xff\x94\x6d\x78\xf9\x91\xcb\x36\xbc\xb4\xbf\x5e\xb6\x95\x4f\x29\xdb\xca\x47\x47\xe0\x04\x8e\x98\x66\x60\x58\x79\x19\x18\x56\x9c\x60\x7e\x39\x8c\xf0\xc0\xc3\x3e\x20\xb2\xf6\x8d\x30\x8d\x1a\x68\xb3\xb8\xa2\x03\x5e\xb6\xb5\xbe\xb5\xbb\x96\x70\xab\x7f\x8b\xb6\xd6\x3b\x93\x63\x00\x82\x0d\xa6\x40\x95\xc2\xc0\xde\x74\xa8\xd2\x6a\x3f\x7b\x5f\x2f\x17\xf3\x71\xb1\x89\x76\x1b\x82\xf2\xfe\xcb\x83\xc1\xaa\xbe\xe3\x24\x5f\xa5\x1c\xae\xf3\xf9\xb0\x0c\x39\xdc\x25\x5e\x0b\xdc\xf8\xe0\x78\x0c\xe7\x31\x88\x5e\x41\xaa\x24\x0d\xeb\x23\xb7\xff\x28\x2e\x36\xcf\x42\x70\xf3\x21\xf9\xe7\xb9\xe5\x45\x47\x2c\xfe\xfd\x01\xf6\x11\x8f\x1d\x5c\x2f\x56\xe5\xe1\xe7\xa7\xbc\xe0\x9d\xde\xa9\x38\x11\x98\xcb\x83\xb8\xdb\xf2\x74\x88\x39\x01\x3a\x4a\x02\x3c\xf3\xf6\x33\x0e\xd1\xb9\xae\x18\xe6\xec\x00\x6a\x0b\xe6\x06\xf1\x85\x0b\x4d\x1e\x88\x0b\xe5\x75\x41\x9d\x07\x17\xd6\x0b\xf9\x4f\x5a\xae\x17\x41\x93\x2f\x76\x30\x03\x23\x21\x01\x6a\x62\x0f\xf1\x05\x1e\xaf\x0f\x58\x50\x8c\x74\xfa\x5d\x8f\x24\xfb\x6f\x7a\xc1\xc7\xbd\x05\xa0\x7e\x37\x0a\xc8\xca\x46\x98\x8b\xe8\x24\xef\xf4\x92\x12\x72\x1a\xd7\x92\x6c\x8d\xcb\xde\x40\xf6\x4c\x05\x10\xa3\xb8\xa6\xf8\xbc\xc0\x08\xc1\xe8\xa4\x4a\x8a\xd6\x6f\x54\xbf\x70\x26\x4c\xc3\xb6\x7c\x3c\x84\xc1\xea\xe0\x4f\x2e\x25\x10\xbe\x75\x0c\x83\xe0\x52\x7d\x8b\x72\x61\x90\x82\xab\x10\xe5\x64\xd3\xc1\x65\x2a\xa0\xca\x76\x13\x2f\xb0\xc3\xb9\x08\xa3\x3b\xd3\xa4\xef\x27\xc1\xbf\x19\x02\x5f\xe0\xc7\xe4\xed\xa9\xed\x3c\x2e\xc5\x24\xda\x2e\xe5\xb3\x1c\x4d\x05\x40\xd8\x9e\xe5\x44\xe3\xa3\x6f\x2a\xd3\x56\x9c\x72\x9c\x8f\x67\x64\x7b\x0a\x17\xc8\xe1\x0e\x76\xb4\x05\x42\xbd\x7d\x26\x8b\x00\xc5\x14\xcc\x2c\x73\x78\x0d\xc2\x3c\x4e\x72\xa9\xdc\xd5\xa1\x60\x2e\x4b\xa6\x3f\xef\x96\xb5\x71\x46\xea\x14\xd3\x33\xd2\x3f\x19\x34\xa4\x32\x78\xd6\xb2\x64\x99\x1e\x23\xcd\x0e\x3a\xde\x46\x76\xa2\x72\x66\x99\x9a\xce\xfe\x0d\xc1\xa4\x2c\xe6\xdc\xf2\xe2\xfe\x8a\xf8\xda\xa3\x5c\xbe\xc6\x0a\xdc\x7d\x42\xd5\x97\xfb\xc7\xaf\x3e\x2a\xf8\x5e\xf3\xb3\x22\xca\x1e\x20\xf6\xb5\xc1\x4c\xa7\xd3\x2b\x30\x71\x98\x00\xe7\xe5\x62\x39\x4f\x51\x91\x3a\x4e\x46\xc5\x9c\xa1\x4a\xeb\xc0\xdc\xf3\x50\x2e\xf5\x96\x98\x54\x51\x21\xce\xe2\xfd\xe0\xb7\xb1\x5f\xf2\xd4\x4f\xff\x67\x3c\xf6\xd4\x51\x64\xbe\x43\xad\xd3\xfb\xb1\x66\x0e\x08\x4a\xad\xda\xac\xcb\x2d\x00\xe9\xb8\xb0\x05\xa4\xf5\x11\xb0\x1a\x36\x6e\x73\x24\x5b\x40\x9d\x6f\xc4\x65\xd1\xe8\x8a\xbc\x41\x81\x66\xa0\xd5\x2b\x43\x1f\xbd\x32\xd9\x64\xaf\x01\x5c\xec\xa8\xf0\x5f\x3e\x02\x17\xbb\xb2\x09\x4b\x59\x54\x38\x0d\xf8\x84\x07\x81\x76\xa3\xeb\x0f\xd1\xc5\x14\x41\x6b\x7b\x08\x70\x0c\x29\xd6\xdf\x6d\x09\x58\xbd\x11\x68\xae\x68\x00\xcd\x55\x51\x88\xc8\x6a\xdb\x64\x93\xdb\xc6\x68\x65\x5f\x0b\x11\x15\x5e\x8a\xb2\xb6\x20\x1c\x6e\xb0\x9c\x61\x5e\x38\x10\xe8\xe6\x26\x91\xca\x86\xa3\x6f\xb2\xd7\x8d\xc9\x45\x8f\x5b\x98\xff\xf2\xb1\xd1\x5c\xcd\x43\x7d\xa3\x8e\x90\x4e\xff\x7c\xb4\xa6\x55\x59\xbb\x8f\xf4\x45\x35\x5d\x15\xc7\x2f\xb2\x88\x19\xb0\xee\x38\x35\xea\x2a\x10\x40\x01\xd9\xe0\x24\x47\xdc\x8a\x32\xb3\x09\x24\xf6\xdd\xe3\x80\x6b\x32\xb7\x74\x8e\x67\x39\xef\x88\x4e\x96\xf7\x27\x9b\x7c\xa5\x07\x59\xad\xb2\x5a\x78\xf4\x5c\xeb\xc5\x09\x58\x9b\x9d\xaf\xa1\xbe\x01\xb1\xee\x50\xdb\x30\xd1\x24\x52\x2a\xaa\x2d\x83\x34\x17\xc3\x8d\x66\xf2\x11\xcb\x8c\xa7\xf2\x54\x97\x68\x22\x03\xf5\x41\x93\xeb\x1e\xc8\x89\x15\x70\x3a\x61\xb2\xb7\xd6\x28\x12\xea\x62\x2d\x78\x79\xad\x24\x2e\x2b\x18\x43\x8a\x8b\xa2\xae\x54\x47\x52\xbe\x68\x73\xc8\x51\xbc\x55\x30\xa7\x12\x2e\xd5\x68\xc9\x1d\x51\x91\x7a\xc8\xbf\x71\x91\xca\xbf\x96\xe0\xfb\x59\x0e\x88\x04\xea\x59\xe8\xd8\x4e\x88\x0c\x70\x38\xdd\x5d\x71\x42\x1d\xae\x94\xbb\xb3\x59\x29\x4e\x56\x7d\x96\xab\x26\x98\x5e\x41\xe8\x4e\x7c\x9f\x50\xf2\x1b\xed\xb0\x14\xfc\xf6\xa5\x59\x5d\xc0\x19\xea\xa8\xb8\x50\x08\xf9\xb6\x8c\x7d\xf3\x38\x7b\x54\x6b\xf0\x5b\xfe\xcb\xc6\xd9\xd3\xf7\x35\x95\x87\xaa\xeb\xcc\xe9\x0f\x8d\x99\xb4\xd5\x6f\xc8\xec\xb6\x70\xa8\x54\x3d\xe2\xd4\xcc\x79\x0d\xd9\xf4\x4f\x7c\xce\x57\x70\x6a\x12\x03\x02\xc4\x90\x60\xec\xa7\xa2\x49\x20\x3d\xb0\x6a\xaa\xa8\xb7\xd6\x93\xb0\xdd\x64\x7f\x5d\x63\x87\x95\x19\xc6\xff\xc3\xda\x3e\x85\x5c\x15\xff\x4d\xf0\x96\x9a\xb6\xeb\xd8\xd3\xc0\xe5\x24\x51\xe0\x36\x7b\x66\xc2\x01\xf4\xd7\x10\x99\xdd\xad\xaa\x98\x3d\xdf\xc6\x2b\xa2\x30\x7e\x38\xff\xeb\x78\xc2\x62\x04\xf5\xcd\xd7\x99\x67\x67\x77\xed\xe7\xf8\x3f\x01\xed\xe7\x72\x36\xc8\xe3\x57\x36\xc8\x2b\x1b\xe4\xb7\xc6\x06\x79\xfc\xca\x06\xf9\x4d\x31\xe7\xbf\xf9\x36\xc8\xe3\x57\x36\xc8\x4b\xdd\x20\x2f\xfd\x64\x7d\xfc\x9f\xfe\xc9\xfa\xf8\xb7\xf8\xc9\xfa\x1d\x87\x2b\xd3\x79\xe6\xe2\x34\x12\xb9\x63\x9a\xfd\x3f\x87\x82\x3f\xf1\x96\x6d\x38\xac\x16\x3c\x64\xa2\x27\x35\x9f\x3d\xbf\xb3\x2b\xd2\xa2\x0c\x5b\x9b\x4d\x3e\xcb\xe7\x9c\xc7\x20\x1e\x0d\x20\x3f\x55\x35\xc1\xa6\xaa\x37\x25\x0b\x14\x7e\xd5\xa4\x73\xc1\x5b\x61\x52\x0c\xa5\x60\xe7\xa2\x1d\x23\x7e\x0e\xe4\x45\xf5\xd6\x44\x22\xca\xa6\xfb\xcd\x42\x59\x65\x79\xb6\x9d\x8a\x1c\x70\xbb\xd0\xfc\xd8\x51\x74\x00\x2b\x0b\xa7\xe3\xb4\x77\x01\xb2\xaf\xd6\x04\x8c\xff\x45\xef\x30\xbe\xbe\x38\xef\x68\x5b\x7f\x7d\x80\xbd\xa8\xa6\x0d\xc5\x7f\xef\x05\x7f\xfc\x30\x1b\x8a\x61\x7a\x14\x27\x1f\x2a\x73\x71\x95\xab\x81\xe6\x60\xa1\xfc\x0d\x9d\x7e\xf1\xdc\xa4\x81\xe3\xdb\xe8\x46\x53\xcb\x0b\xb3\xf3\x67\x16\x9a\x1d\x67\xc7\xfe\x45\xcf\xb2\xc4\xbe\xdf\x0b\xde\xee\x99\xb4\xc3\x87\xd7\x2a\x7b\x99\x4d\xb0\x4c\xba\x6f\xf4\xd8\x11\x0c\x1a\x5c\x16\xeb\xfe\x7f\xf2\xd8\xf5\x7b\xa0\x66\x69\x85\x09\xca\xb5\x65\x85\x4d\x1d\xdc\x6d\x9a\x0e\xde\x4d\x92\x0b\x14\x8f\x48\x82\x8b\xa6\x36\x64\xd5\x2a\xec\x15\x8b\xc3\x5a\x33\x13\xc0\xf2\x59\x81\xe5\xc3\x5e\xec\x31\x3d\x0d\xfd\xfb\x82\x8e\xc2\x53\x8c\x86\x19\x32\xad\xec\x47\xb9\x09\x40\xcb\x1f\xba\xd1\xfe\xe8\x61\x76\x4d\x15\xce\x0c\xb4\x70\x09\x13\x53\xe3\x2c\xf5\xdf\x78\x38\x78\x45\x6d\x36\x0a\xbb\x08\xa5\x8a\x1d\x00\x50\x06\xa1\xca\x5f\x15\x91\x4a\x81\x65\x8c\x82\x20\x4a\x91\x9a\xe0\x3d\x92\x50\x58\xf4\x44\x81\x2e\x1f\xd4\x51\x95\xcc\x23\x29\x84\x8a\xd8\x70\xc1\x52\x1e\xc0\x82\xb3\x34\x14\x00\x5c\x22\xd1\x61\x95\x48\x92\x03\x32\x2c\x09\x67\x56\x6a\xbe\x0a\xc7\x10\xd5\x18\x03\x0d\x61\x0f\x2b\x7d\x4b\x07\x12\x22\x88\x58\x69\xa1\x2b\x77\x34\x65\x9b\x92\x1e\xff\x78\x80\xbd\x6d\x5c\xc5\x5e\x5d\x1c\x0f\x7e\x7b\x6c\xd1\x59\x9e\xa4\xa7\x6f\x8a\x7e\x03\xdd\xf0\xdd\x30\xce\x2b\xaa\x4d\x5d\xa5\xd1\xd1\x23\xea\x2e\xab\x87\x54\x97\x40\xe7\x5b\x93\x03\x72\xf9\xa0\xbd\xdb\xa0\xe8\xd9\xa8\xc0\x0a\x0b\x83\x86\x44\xa3\x2e\x23\xbc\xe1\xe2\xfa\x60\xb6\x2d\x44\xb9\x46\xd8\xb7\x23\xbe\x6c\x71\x1c\x86\xe5\x06\x69\xa3\xbd\x74\xe8\x6d\x72\xf8\xd3\xe8\xc2\x07\x43\x05\x04\x69\xca\xd0\x04\xf6\xc8\xc8\x88\x50\x5b\xd4\x45\xd8\x0b\x4e\x2a\x70\x21\xca\x5e\x17\xcb\x47\x4e\x9a\x5e\x0a\x6c\xfd\x88\x72\xd2\x09\xf3\x4d\xa9\x94\x69\x2a\x97\x25\x08\xbf\x54\x88\x85\x3a\x1d\x57\x39\x71\x07\x33\x6a\x27\x9a\xcd\x09\xca\xd5\xcd\xed\x1c\x5a\x4a\x9c\x35\xb1\x75\x4d\x56\x67\xd7\xee\x2a\x5d\x74\x3a\x39\xfb\xf7\x0a\xba\xf9\x7b\x83\xcc\xf6\x0c\xd1\x90\x97\x0f\x31\x74\x17\xcc\xfd\xa9\x6b\xe0\x1f\x37\x53\xf5\xb0\xea\x1b\x7f\x2e\xb8\x7e\x45\x93\x23\x10\x95\x91\xee\x73\xa0\x2b\x2d\x11\x4e\x45\xf5\x1e\x91\x23\x38\x22\xf7\xfd\x47\x76\xa4\xef\x23\x4b\x16\x45\x88\x00\x73\xeb\x8b\x8f\x04\x37\xda\x17\x5c\x40\x4e\xb8\x62\x45\x4e\x3b\x44\x60\xce\xba\xfb\xf9\xc3\xec\xf3\x35\x76\x34\xec\x76\x97\x14\x7d\xe6\xc7\x6b\xc1\x87\x6a\xab\x1b\xc4\xb2\x48\x11\x0d\x9a\x4c\x53\x87\x31\xd9\x0c\xa9\xb0\xf4\xd6\x33\xd4\xec\x0b\x95\x31\x63\xe9\xff\x04\x89\xd0\x4f\xcb\xf0\x42\x93\x9f\x4b\x1b\xdd\x5c\xac\xc7\x17\x44\xa4\x98\x41\x73\x50\x94\x10\x7a\x5c\x7e\x62\x71\xf6\xec\xac\x29\x89\x34\x75\x7a\xf8\x58\x88\x6e\xd9\xe5\x53\x73\x8d\x1b\x4e\x9c\xb8\x1e\xcf\x70\x18\x1f\xbd\xbd\xbd\xdd\x8c\xc3\x34\x6c\x66\x79\x7b\x0a\xc0\x43\x52\xa9\xcc\x14\x53\x54\x44\x03\x8a\x98\x94\xc2\x2c\x6d\xe8\xf2\x55\xeb\x74\x4c\x43\xaf\x80\xd5\x66\x57\x51\x9d\x78\x3b\x7d\xd0\x1c\xd3\x3e\xa0\x7b\x77\xfa\x0d\x8c\x2d\x6b\x68\x62\x55\x7b\x96\x3c\x30\x46\x93\xf5\xc3\x63\xc1\x8f\x8f\xad\x3a\x61\xf9\xba\x0f\x67\x89\x25\xb5\x40\xc0\x16\x77\xb4\x70\xce\x10\x44\x4f\x0f\xd0\x8e\xa1\x0c\x1d\x5e\xef\x3e\x0d\x59\xc5\x72\x3a\x13\x40\x73\x68\x8f\x82\x3e\xf0\x10\x38\xac\x8a\x03\xd7\x81\x1a\x44\x42\xde\x84\xda\x7c\xcf\x3d\x4d\xfc\x90\x21\x17\xb2\x98\x62\x53\x02\xd3\xa3\xd8\xa8\x2c\xe7\xdd\xb0\x28\xf8\xfc\xd9\x95\xe7\x9c\x9e\xbd\x6d\xe1\xb4\xc5\xfd\x72\x92\x5f\xab\x67\x7e\x2a\x55\x40\x88\x0b\x0f\x53\x7e\xc3\x09\x93\x77\x54\xf0\x24\x4b\xdb\x4d\xf5\x28\x20\xc9\x60\xb8\x7c\x92\x6d\x03\xb2\x88\x3c\x7b\xcb\x33\x33\x51\xd4\xda\xaf\x66\x39\x9f\x68\x4c\xe8\x97\x51\xdc\xc8\x59\x01\xc1\xf0\x94\x6b\x52\xfd\xb2\x81\x5e\x52\x20\x86\x55\x08\xa0\xef\x53\x54\x50\xf7\x6b\x98\xcd\x57\x1b\x82\x5d\x03\xe2\x61\x47\x72\x19\xaa\x5c\x05\xc2\x6a\xf6\x08\x1c\x6e\x39\xeb\xe5\x8d\x5c\xc8\xcf\xb4\x14\x95\x80\x61\x7b\x2a\x45\xde\xcd\x45\x69\x72\x52\x60\xff\xb9\xa0\x69\x5a\x35\xf5\xb7\xec\x2e\xd9\x32\x17\x45\x61\xcd\x22\xc5\xbd\x2b\x58\x94\xf5\x5d\x5c\xda\x71\x29\x2b\x9d\x1c\x88\x72\x81\x32\x97\xd8\x72\x9d\x2e\x1a\x64\xbd\xfd\x89\xef\x66\x7b\x0b\xee\xba\x3b\x2c\x5b\x1b\x0b\x5b\x22\x2d\xfd\x7f\xf8\x17\xc1\x0d\xf0\x57\x25\xbe\xbc\xd8\x22\x90\xdf\x90\x6f\x23\xbf\xaf\x89\xdb\x34\xd0\x07\x28\xc0\x1c\x59\xf6\x9b\x35\xf6\x0b\x35\x7d\x26\x7f\x7f\x6d\xe7\x5c\x39\xb7\x9a\xb9\x3c\x67\x75\x44\x73\x39\xdc\x5e\x50\x21\x8e\xc1\xdf\x78\xa8\xcb\xf2\xb8\x38\xc9\xf8\xb5\x72\x2c\x57\xc9\xbe\x87\x84\xb0\x59\xce\xcf\x64\x11\x8c\xe7\x49\x4c\xb8\x11\xdb\x2e\xf3\x21\x19\x3d\x06\xde\x9e\x97\x27\x31\xf5\x4e\xc5\xf3\x36\x74\xae\x3a\x0a\x46\xf2\x1d\x40\x7b\x77\xcb\x02\xf6\xba\x93\xfc\x5a\xca\x6b\x83\xc0\x2d\xa2\xa1\x10\xd1\x93\xc9\x80\x0e\x01\x7b\xb0\x47\x03\xe0\x4e\x21\x52\x88\x48\xe2\x91\xe8\x0a\x84\x97\x21\xf4\x09\x71\xa1\x6c\x56\xa2\x8b\x3f\xe8\xfd\xca\xe3\x76\x0f\x89\x7a\xe7\xe3\xfc\xb7\x3d\xae\x2a\x85\xd9\x8c\xfc\x40\x02\x5a\xa3\x3a\x1d\x2d\x8c\x08\x84\x65\x30\x98\xca\x2a\xa8\xb1\x9f\x87\x2b\xc2\xaf\x86\xdf\x97\x27\x66\x88\x3d\xdd\x47\x59\x0f\x51\x31\x83\x55\x72\x42\x6d\xf7\x5e\x95\xbd\x7c\x84\x8f\xfc\x88\x5d\x85\xcb\xec\x8f\x4b\x2b\x60\xa8\x27\xba\xc5\xbe\x3e\xba\x87\xc7\x2f\xe5\x13\x60\xf1\xda\xb5\x87\xad\xce\x75\xe8\x3c\x86\x7b\xb7\xf2\xf6\x5e\x2b\xbe\x9f\x4a\x18\x26\xd3\xaa\x3a\x0c\xdd\xdd\x6f\xdf\x19\xb3\xe0\x65\xcf\xcf\xe3\x83\xf3\xd3\x2a\xfb\x52\x3e\x78\x5c\x8d\x19\xbd\xba\x26\x1f\xdb\xc7\x5c\xda\xdb\xf3\x03\x1d\x62\x65\x9e\xee\x67\xe1\x5e\xc6\xdb\x83\x15\x18\x11\x8a\xba\x87\x0a\x5c\xc2\xdb\x03\x15\xd8\x91\x8b\x78\xf7\xaf\xef\xfb\xd5\x81\x4f\x83\xde\x70\x09\xdd\xbe\xbf\xf7\x06\x3f\xaa\x65\xe8\x43\xb4\x7e\x41\x4b\xb5\xd6\x81\x4d\x92\x64\xd2\x32\x06\x57\xf3\xc8\xa7\xf6\xd9\xa4\xb8\x13\xb6\x05\xe5\xb4\xed\xb1\x04\xaa\xf4\x7e\xdb\xa6\x02\xc2\x47\x34\xcc\x4a\xd3\xdc\xf7\xc0\xee\xff\xdd\x81\x9e\x48\xb3\x48\xec\xe3\xb3\x23\x5a\xba\x4b\x49\x97\xf4\x45\x55\xd9\x4a\xe1\x4f\x69\x68\x95\xdf\xda\x35\x79\xad\xf2\xad\xbd\x6e\x3b\xf9\x5a\xd8\x6a\xee\xb0\xf7\x8c\xe8\xa1\x9d\x5f\x1b\xd5\x5f\xfb\x7a\x6b\xd4\x50\x1b\x98\xe2\xfd\xcf\xb3\xfd\xbf\xab\xd7\xcb\x25\x97\x30\x58\x7d\x22\x1c\xdd\x7f\xdd\xf7\xf7\xe2\x50\xc5\xf7\xf7\x3a\xa5\x3e\xfc\xe2\x61\x27\xb3\x7e\x90\x72\xdd\x8d\x4e\x5d\xee\x25\xc2\x7f\xe5\xe1\xe0\xc7\x3c\xfb\x8a\xb2\xc0\xaa\x9c\x7a\xf2\x0f\xe2\xa1\xaa\xa7\x4e\x6e\x36\x31\x59\x57\xe4\xeb\x59\xde\xe1\xc0\x64\x48\x59\x1f\xe8\x4b\xc3\x32\xf2\x48\x80\x25\x23\x46\x50\xdf\xb8\x9d\xc2\x5e\x9c\x02\x89\x54\x5f\xdb\x36\xa3\x1e\x1a\xc5\x54\xec\x00\xc1\xd5\xf6\xf1\xc0\xde\xca\x3a\x5d\x79\xbc\x6b\x5e\xf4\x0e\x6c\x89\x7c\xcd\x4d\xd0\xfe\xf8\x41\xf6\xa2\x1a\x3b\x12\x76\x63\x40\x47\x2c\xfc\xbf\xf1\x82\xff\xee\xcd\x2e\x2d\xe2\xcf\x2a\xe4\x06\x75\x13\xed\xee\x0e\xbb\xbd\xd5\x0a\x79\x26\xd4\xc9\x0b\xb3\x4b\x8b\xc4\x49\x37\x44\x87\x99\xf6\x15\x17\xb6\xc1\x74\x51\x29\xfd\x14\x4f\x83\x16\x8c\x5e\x07\xd8\x61\x22\x2b\xa9\x93\xc0\x84\x75\xe9\xc6\xcf\x4a\xd0\xd4\x1c\xf8\xf1\x90\x5e\x26\x4c\x92\x51\x08\x16\x1f\xf4\xd8\xd5\xaa\x64\x80\x42\xf4\xdf\xe9\x05\x2f\xd3\x03\x0c\x97\x28\x4c\x42\xe3\x4f\x6c\x6f\xc4\xa5\x19\x6f\xb4\xc9\x69\x52\xa5\x1c\xe8\x99\x2c\x3a\x25\x3e\xab\x0d\x54\xc2\xb0\x71\x85\x0e\x72\x81\x99\x1f\xfb\xa9\xfb\x57\x3c\x76\xc4\xd0\xf1\x7e\xce\x0b\x3e\xa8\xeb\x5d\xb8\x38\x0f\x03\x04\xb9\xc3\x75\x74\xbe\xa9\xdd\xb7\xda\x9e\xaf\xe7\x49\x93\xf1\xe0\xda\xa9\xf5\x2c\x0b\x06\xa1\x6b\x2c\xf2\x5a\x3e\xb1\x9e\x65\x13\x88\xd8\x95\x24\xee\xc0\xed\x54\xee\x88\x66\xbe\xc1\x63\x38\x83\xfd\x1f\xf0\x82\xed\xbb\x44\xbe\xe6\x36\xce\x8a\x3f\x70\x38\x46\xe1\x1d\x44\x01\x3d\xc9\xdb\xa2\xac\xc3\x1b\x75\x34\xe5\xd4\x89\x57\xa2\x4e\xb9\x8b\x75\xb4\x6c\x88\x3a\xef\xe6\xd9\x85\xfe\x7e\x86\xe1\x0d\x87\xd8\xc9\x5d\x65\x08\xf1\x46\xce\x02\xbd\xfa\xb2\xd8\x8a\xc5\x36\x9a\x4a\xfc\x2f\x1e\x0c\xbe\x73\xc7\xbb\x17\xbd\x43\x34\x31\x9c\xe5\x7b\xff\x41\xf6\xc2\x1a\x3b\x88\x44\xf5\xfe\xdf\x79\xc1\x1f\x79\xf3\xf0\xb7\xcb\x79\xbf\x9a\xf7\x04\x8f\x71\x25\xd1\x6a\xdb\x56\x41\x6b\xf8\xae\xcd\x3e\x84\xc4\xa8\x72\x01\x03\x04\xac\x12\x58\x71\x41\xfe\x61\x44\x83\x55\x5f\xa1\x24\xe0\x52\x05\x95\xa9\x66\x8b\x9c\x6f\x84\x05\x4f\x33\x9e\x75\xe3\x14\x52\xf6\x52\xe3\x8b\xc8\xcc\x73\x56\xad\x9a\x9c\x6a\xdf\x31\x68\xa9\x25\xd5\x7d\xd6\x54\x63\x98\x93\xfa\x8b\x35\xf6\x48\xb1\x15\x26\x3d\xe8\x6c\xb0\x41\xf9\x9f\xa8\x05\x1f\xae\x2d\xb8\x17\x69\x05\x2b\x9e\x3f\xc8\x48\x0b\x4b\x04\xe8\x46\x8f\x53\xd6\x82\xf8\x8f\x88\x47\xbd\x5c\x93\xf2\xda\x23\xc9\x5b\x1b\xa2\xb5\x09\x71\x43\x10\x1e\x57\xc6\xb9\x48\x2c\x8c\xf0\x32\x93\x73\x0c\xac\xd1\x50\x20\x22\x8f\x70\x15\x9e\x25\xe5\x65\x9c\xf6\x84\x05\xba\xec\x16\x4f\x30\x4f\x71\xca\x8b\x6e\x8c\x96\xb8\xb8\x44\xd0\x70\x29\x14\xc3\xb4\x25\xea\x7c\xf9\xb6\xd9\x39\x15\x9c\x05\x56\x1e\x88\xc3\xc9\xb3\x44\x20\xae\xb5\x48\xb3\x5e\x7b\x03\x2e\x90\xc8\x05\x04\x6c\xe5\x81\x83\x3a\x65\x3d\x84\x5b\x21\x8a\x41\xc4\x76\x45\x29\x0e\x82\xd8\xb1\xa9\xde\xa3\x81\x5a\x57\x82\x53\xcb\xf8\x86\x33\xc5\xa0\x3f\x34\x4a\xfd\xf6\x46\x9f\xb0\xb2\x45\x51\xf2\xed\xd0\x6c\x7b\xc0\xf1\x9c\x0e\x26\xc3\xb5\x98\x9a\xde\xfe\x33\x83\xa7\x5b\x43\xad\xe0\xb6\x47\xcf\x61\x7a\xb7\x4e\x13\x54\x4f\x65\x77\x92\xbc\xf1\xb1\xec\x14\xad\x4f\x29\x2a\x1a\x61\xbb\x9d\x8b\x76\x58\x66\x6e\x4e\xb9\x63\x24\xd2\xec\xa4\x4b\x8b\xe4\x89\x80\xd8\xe2\xcf\x7c\x47\xf0\x56\xcf\xbd\x66\x76\xc2\x41\x0e\x58\x04\xbb\x97\x23\x04\xee\x5a\xc8\x0f\xa5\x2b\x84\xe0\x4f\x27\x0d\x8e\x71\x16\x65\x89\x1b\xaf\x8e\x3b\x91\xab\x0b\xc6\xb3\x9f\xf5\x10\x72\x8a\x26\x13\x52\xcf\x0b\xfb\x98\x2e\xa5\x9d\xce\xfa\x6d\x5e\xf4\x1e\x03\x3b\xe3\x52\x1e\x67\x79\x5c\xf6\x89\x86\xeb\xa2\xf7\x48\x52\x81\xd4\x0d\x47\xaa\xfc\xcd\x63\xd8\x9f\x7a\xec\x70\x2b\xbc\xad\x97\x46\x89\xf0\xbf\xe4\xf9\xe3\x6b\xfd\x52\x04\x6f\xf7\xe6\x66\xf1\x1a\x4a\xde\xa5\x85\x33\x5c\xa4\xad\x2c\x12\x11\x9f\x9b\xe5\x6b\x78\x0b\x9d\xbe\x83\x68\x3d\xe4\x7c\x01\x3f\x8d\x94\xca\xd8\xe6\x09\x72\x01\xa5\x6d\x17\x23\x6b\xd0\xd5\xae\xe2\x71\xf2\x5e\x51\xf2\x3c\xcb\xca\x42\xa5\x93\xea\x83\x1a\xf4\x0c\x31\x64\x5b\x76\xe2\x3d\xc1\xe6\xcc\xb1\x03\xd0\x4f\xfe\xc9\xa0\x81\xca\x0d\x29\x3e\x46\xb7\x00\x15\x08\x39\x3d\xf1\x73\x80\xf6\xe5\xf8\x1d\x0e\xb0\xca\xde\xf6\x5f\x7b\x40\x79\x68\x5e\x78\xe0\x69\x83\x0f\xa4\xbd\x8e\xfa\x58\x97\x2e\xe3\x67\xf0\xb3\xe4\xfd\x43\x6f\x5b\x09\x68\x01\x65\x93\xdf\xae\x88\x12\xe8\x05\x4b\x9b\x90\x05\xb5\x55\x13\xba\xe0\x82\xce\xd1\xeb\x4a\x04\xd4\xc8\x81\x84\x2e\x2c\x5d\x40\x96\xba\xe1\x14\x68\xa7\xb7\xb1\x39\xac\x3a\x21\x24\xb7\x22\xdf\x17\x5b\x22\x55\xcc\x0d\x95\xad\xa3\x20\x38\xf0\x56\xea\x2a\x6e\x6f\x64\x89\xaa\x68\x5b\x80\xb3\x65\xc3\x6d\x14\x6a\xc2\xdd\x3c\xee\x84\x79\x9f\x17\x59\x0e\x02\x57\x07\x66\x0e\x7d\xaa\xd3\xeb\xd4\x51\x67\x16\x11\x96\x55\x68\x3f\x58\x99\x41\x83\x8b\x92\x1f\x3b\x3e\xad\x5c\x18\x33\xd3\x93\xf8\x0d\x8c\xd9\xab\xfc\x0a\xcc\x30\x79\xc2\x58\x13\x18\x55\x82\x31\x7a\x71\x61\x52\xea\x6d\xdd\x58\x05\x95\xf2\x63\x5b\x33\xcd\xb5\x50\xc7\xf7\x6d\xcd\x34\xd7\xb3\x6c\x92\xdf\x2d\x26\x2c\x5e\x6e\xd8\x77\x50\xf1\x43\xe5\xe4\x5a\x3a\xb5\xf0\x63\xe2\x42\x4b\x74\x4b\xcb\x96\x33\x29\x47\x7f\xe6\x26\x05\xea\xbe\x14\x86\x2b\xa2\xe0\xc7\x20\xfe\x68\x23\x5e\x2f\xeb\x7c\x5e\xc4\xf2\x29\x70\x5b\x6b\x8f\x8b\x4b\x85\x72\x7c\x7a\x7a\xba\x70\xfc\x71\xbf\xea\xb1\x6f\x8f\x53\xc0\xc3\x13\x2b\x9b\x71\x77\xf5\xf4\xca\x5d\x52\x80\xf4\xfd\xf7\x79\xc1\xdb\xbc\xc5\xaa\x5b\x4a\xec\x14\x83\xd0\x76\x8e\xec\xc1\x30\xf3\x0a\x71\x67\xad\x21\x13\x7d\x5c\x94\x79\x96\xb6\x91\x3c\xa9\x95\xf5\x20\x4a\xb2\xc9\xf9\xb3\xb2\x9e\xed\xff\x96\x6d\x30\x12\x08\x99\xf8\x5d\x19\xff\xbf\x6b\xec\x10\xf9\x94\xfd\x3f\xab\xb1\xbb\x2a\xdd\x6d\xfb\x96\xfe\x24\xe6\x4d\x10\xd9\x7f\xae\xd1\x25\x94\x83\x3a\xb6\x47\x79\xad\x55\x74\x80\xf6\x67\x1a\x89\x87\x5b\x25\x79\x94\x55\xe7\x40\x5c\x3e\x38\x6e\x01\xef\x4e\xc1\xd4\x99\x6f\xa4\x71\x52\x1f\xa4\xf1\xdd\x08\xd3\x28\xb1\x51\xfe\xb4\xb0\xb2\x38\xe1\xe1\x21\x11\xc1\x26\x94\x24\x7d\xcd\x21\x60\x06\x40\x20\x16\x0a\xc8\xeb\x22\xee\x74\xe5\x20\x88\x44\x40\x52\x00\x35\x87\x62\xca\xb1\xac\x9c\xb7\x36\x42\x8c\x5a\x5f\x13\x0a\x41\x50\x44\x40\xb1\xac\x40\x81\xce\x04\xb7\xde\x65\xea\xa0\xea\xa6\xaa\x35\x24\x45\x9b\xdc\x25\x45\x09\xb6\x66\x02\xe7\x80\x73\x88\x0d\x6e\x58\xfe\xaf\x1d\x52\x42\xf5\x67\x0f\xdd\xe5\xde\x53\x08\x87\x44\x31\xa7\x8e\xd1\x4a\x88\xd9\x55\x89\x53\x15\x45\x1d\x97\x24\xde\x9a\x5c\xfb\x9d\x15\x13\x3e\x84\x06\xdc\x27\xf2\x6c\x17\x99\x34\x50\x8f\x61\x71\xb4\xb3\x1c\x5a\x89\xe5\xf4\x89\xcb\x89\xc2\xaa\x53\x88\x35\xc2\x18\x29\x12\x65\x8a\x3a\xaa\x13\x26\x09\x1c\x52\xd6\xc2\x35\xcc\xd3\x97\x0f\xcd\x4c\x23\x50\x1f\xc4\x26\x68\x52\x7f\xd5\x5a\x12\xad\xb1\x50\x44\xa4\x74\x9d\x22\x26\x06\xb7\x6c\x29\xeb\x7a\x44\xc8\x8a\x0c\x87\x54\xb5\x50\xf5\x14\x4d\xd4\x81\x72\xe2\x82\x07\xb0\xc6\xa4\x54\x0b\x80\xa4\x0a\x67\x97\xec\xaf\x70\x2d\xdb\x92\x33\x2a\xb5\x9f\x19\x28\xa1\x50\xcc\xb0\x52\x9a\xa9\x3e\x4c\xc4\x85\xb8\x95\xb5\xf3\xb0\xbb\x11\xc3\x5c\x6e\xf2\xe0\x8e\xa1\x12\x0a\x3b\xb2\x2b\xe4\xc1\x56\x40\x67\x13\x59\x14\xc6\x03\x29\xd4\x58\xea\xd0\x63\x25\x90\xae\xdd\x9b\xe9\xfd\x6e\x92\x5e\x51\xda\x6d\x42\x4c\x4a\xd8\xba\x00\xf6\x03\x4c\xda\x91\xe2\x21\x40\xb6\x62\x24\x1a\x77\x0b\x8d\x53\xab\x50\x98\x3b\xf2\xf8\x24\xd5\x71\x8c\x27\x46\x18\xc2\xb5\x3e\x7f\xda\x2c\xbf\x85\xcb\xc2\xf8\x2d\x94\x85\x71\x0c\xa1\x12\x9f\x36\x8b\x12\x46\x43\x14\xc9\x66\xa5\x19\x07\xfe\xc3\x0b\x3a\x02\x08\x5e\x85\x63\x76\x77\x23\x9c\xd4\x1c\x17\x29\x6c\xfb\xb8\x63\xa5\x6d\xb7\x91\xd4\x46\xa7\x8e\x4d\xb0\x51\x50\xba\x02\xd5\x51\x9d\xae\x55\xff\x9e\xe4\x5b\x33\xd3\x75\xbe\x75\xbc\xce\xb7\x66\xe4\xff\xa3\x2b\x52\xfe\x35\x2d\xff\x3a\x51\xe7\x5b\x27\x40\x6c\xca\x4b\xc7\xd1\x3c\x07\xcf\xc1\x9f\xc7\xeb\x7c\x3d\xcb\x66\xf0\xbf\xd3\x6e\x70\xc8\xcf\x1c\x65\xff\x6f\x15\x61\x45\x16\x89\x15\xd0\xff\x16\xd3\xf5\xcc\x7f\xd5\xd1\x60\xce\xbd\x44\x90\x48\x02\xea\x19\x47\xc5\x54\xaf\x17\x63\x04\x11\x46\x27\xc9\xe5\x61\x87\xde\x82\x49\xfb\xa2\x77\x84\x62\x2e\x16\xe7\x2f\x7a\x0c\x15\xcc\x73\xe7\xe4\x8f\x83\x6b\x59\x56\xca\x3f\xae\x46\xfe\x45\x5a\xd6\x17\xbd\x43\x59\xb1\xd8\x09\xdb\xe2\xa2\xf7\x58\x93\x00\x85\xa1\x1a\xfa\x99\x47\x50\x64\xbb\xbe\xf0\x6d\xf2\xc2\x52\x9e\x5d\xe8\xeb\x4b\x8f\xd4\xc1\xe3\xd8\x88\x8b\xde\x55\x36\x2c\x8c\xa3\x8c\xff\xf0\x11\x76\x3b\x1b\x2a\xc3\xbf\x2e\x98\xb8\x43\x5d\x53\x72\x87\xf8\xdf\x4d\xa0\x7a\xaa\x83\x5a\x49\x90\xce\xb3\x81\xea\xf9\xc7\x83\x27\xdc\x81\x57\xf6\x5e\xca\x97\x3c\x66\xfa\xce\xff\x75\x2f\xf8\x65\xef\x8c\xfa\x59\xfd\x36\x88\x77\x0a\x15\x53\xfc\xf7\x34\x24\x4a\x5d\x50\xe1\x44\x94\x39\xe3\x12\x4c\x6b\x3d\xb6\xc9\x4f\x8b\x30\x4f\x31\x62\x0b\xc2\xc9\x3a\x61\x7a\xec\xfa\x49\x55\x6a\x23\x8e\x34\x30\x69\x27\x4c\x6f\x84\xa0\xbb\x24\x4e\x7b\x17\xe4\xcf\x46\x37\x6c\x8b\x42\xfe\x75\xfd\x94\x79\xa1\x79\x7d\x73\xa3\xec\x24\x2e\xc0\xdf\xe0\x10\x29\xc8\x8e\x3b\x75\xd8\x3f\x5e\xaf\x6c\xaf\x5d\xd4\xff\xf5\x98\x35\xb9\xfc\x3f\xf7\x82\xdf\xf3\x56\xf4\xef\x4b\xee\x2e\xd3\xe1\x6e\xf7\xac\x3a\xfd\xa6\xa3\xb1\xca\x8c\x2f\x8b\x88\xdf\x1e\x96\x84\x52\xac\xc2\x50\x43\x30\x35\x35\x73\x11\x6d\x84\x25\xc4\x0f\x46\x59\xab\xd7\x51\x38\x4b\x53\x22\x6d\xf4\x8a\xa9\x5c\x44\xcf\xd9\x08\xcb\xe7\x14\xbd\xb5\xa2\x95\xc7\x20\x17\x9f\x63\x12\x33\xa6\x66\xa6\x64\x0f\x4e\xe5\x1b\x45\x07\x16\x9f\xdd\x01\x29\x73\x97\x91\x7f\x4f\xb0\x74\x07\xf2\x9a\x8e\x9a\x71\x38\xba\x13\x3d\x50\xaf\x1b\xf9\x04\x65\xd5\x9d\x68\xce\xdc\xd0\x9c\x6e\x4c\x37\xd7\xba\x59\xf3\xba\x46\xd8\x89\x6e\xb8\x6e\xd2\x99\x9d\xd7\x31\x5a\xbf\xfe\xb5\xc1\xbf\xbc\x2d\xcb\x4a\xbe\x53\x37\xdb\x6f\xbd\xc4\x63\x3b\xad\x69\x3f\x09\x9e\x33\x37\x70\x6b\x74\xd5\xcb\x8d\x1c\xed\x2f\xf4\x70\x2e\x3a\xf2\x64\x25\x15\x0f\x6c\x45\x94\xb5\x36\x45\x7e\x72\x6a\x6a\xa6\x79\x7d\x73\xda\xad\x7f\xca\x94\x98\xf1\x5b\xc1\x5d\x77\xae\x70\xf8\x7b\x44\x1f\x4d\x89\xb2\x35\x95\x15\x8d\x5c\x20\x96\x1c\x7e\x62\x5e\xac\xc5\x61\xca\x9f\x76\xf6\xdc\x14\x26\xcc\xdc\x08\x7b\x8a\xb8\xaf\x3f\xe9\x7e\xef\x36\xe6\x08\x1f\x29\x11\xe4\x44\x9f\xb5\xae\xed\x3a\xc9\xdf\x3e\xce\x6e\xd9\x53\xc8\x1d\x02\x75\xcd\x46\x51\x2e\x8a\xe2\xb6\xfe\x1c\x1c\x49\xe7\x16\xe7\x97\xfd\x2f\x8f\x05\xaf\xf0\x76\xbc\x0d\x7c\x7f\x85\x8d\x44\x37\xc4\x5b\xa6\xac\x00\xf8\xb2\x3e\x69\xf6\xad\x03\x44\xdd\x8d\x30\x33\xa5\xc1\x27\xcc\x1b\x90\x6e\xdb\xbc\xe8\x31\x73\xf7\xa2\x77\x75\x61\x57\xce\x91\xd1\xef\xa8\xb1\xe7\x7b\xcc\x7a\xda\xcf\x03\x21\x3b\x11\xca\x85\x3d\x1b\xf5\x19\x75\x04\x97\x4a\x9c\x46\xfa\x8e\x73\xbe\xb8\x84\x74\x6e\x6d\xd9\xd9\xca\x0e\xb7\x87\x06\x39\x03\xf9\x66\x8f\xb9\x75\xf4\xbf\xdf\x0b\x9e\xef\xd1\x0f\xad\xfe\xe2\x23\x75\x5e\xf4\xe2\x12\xac\x47\x60\x9f\xd7\xdd\xaa\x99\xe3\x08\x90\x0d\xf5\x35\xd9\x10\x12\x2e\xa4\x80\x86\x1a\x5c\xbb\xae\xff\x3a\x29\x67\x49\x5d\xb6\x26\x93\x6d\x82\x9f\x4e\x15\x7f\xa3\x56\x89\x30\x36\x9f\x6d\xa7\xdb\x61\x1e\xcd\x2e\x2d\x5a\xf9\x29\xef\xac\x05\xaf\xb3\xd3\xd8\x22\x7a\x0a\xb9\x8a\xe4\xbe\x2f\x6b\x4e\x39\x0c\x98\x7c\x54\x9d\xbb\xb2\x7b\x9a\x48\x64\x2a\x70\x49\xb9\x22\xcf\x63\xff\x56\x65\x8a\xe4\xc1\xe4\xa2\xfc\xc3\xf5\x4d\x58\x2d\xc4\xfc\x28\x48\xeb\xd8\x3b\x36\x74\x45\x4f\x61\x39\xa7\xe2\x44\xb0\x17\x1e\x62\xd7\xee\xe5\x61\xca\x0f\xfc\xcc\xc1\xe0\x07\xbc\x1d\x6e\xba\xf1\xaf\x8a\x5c\xc0\xa4\x43\x0d\x0d\x42\x53\xb7\x8d\x9b\xde\xbb\xb4\x3c\x3e\xa7\x4b\x7f\xfc\x00\xfb\xb1\x71\x76\xd4\x62\x87\xf3\x5f\x3f\xae\x8e\x7c\x2f\x1e\xaf\xe2\xcd\x93\x0a\x5f\x01\x47\x69\xc5\x15\x8e\x99\x45\x6b\x9a\x60\xdd\x4e\xf3\xdb\x27\xf3\xde\x1e\x8a\xfc\xe6\x27\xe2\xb3\x93\xfd\xa6\x6f\xb8\xee\xba\x26\x9f\x8f\x73\x00\x7d\x8f\x45\xa1\x68\x0f\x4b\xc5\x3e\xa7\x82\xc1\x91\x55\xcf\xe2\xb3\xa7\x6c\xbf\x6f\x32\x86\xbe\xe7\xa9\x25\x58\x06\x4f\xac\x58\x82\xd1\xf0\x34\x7d\x48\x17\xe1\xbb\x0e\xb3\x4a\x1e\x33\x48\xd6\x1b\x24\xbf\xa0\x95\xf8\x77\x57\x32\x75\x61\xb1\xff\xf9\xff\xcf\xde\xb7\x07\x59\x76\x94\xf7\xe5\xdc\x7d\xf7\xea\x79\x48\xc5\x41\x24\xa1\x73\x48\x79\x77\xed\x3b\x77\x77\xf5\x42\x1a\x3d\x60\x76\x67\xd7\x1a\x49\xbb\x3b\xda\x99\x95\xa2\x18\xc2\xf4\xbd\xa7\xef\xbd\x47\x73\xee\xe9\xcb\x79\xcc\xec\x95\xcb\xae\x60\x93\xc4\x2e\xca\x96\x08\xb8\x80\x8d\x1f\x82\x28\x42\x41\x2a\x08\x46\x26\x26\x89\x08\x08\x6c\x12\x83\x95\x82\xb2\x11\x26\x31\x45\x30\x2a\x87\x20\x57\xd9\xd8\xa1\x94\x4d\x5c\x95\xea\xef\xeb\xee\xd3\x7d\xee\xbd\x33\x77\x66\x56\x2b\x0a\xcf\x7f\x33\xe7\x9e\xd3\xa7\x4f\xf7\xd7\x5f\x7f\xfd\x3d\x7e\xbf\x5d\x3f\x14\x35\xaa\x1f\x70\x6a\x54\xdf\xe5\x4d\x40\x73\xb7\xa0\x6f\xff\x6b\x53\x9e\xba\x5d\x92\x2d\x47\xe1\xc5\x5d\xa4\x6e\x89\x83\x9d\x2d\x69\xc0\x7c\xa3\x5e\x94\x9f\x85\x7a\xa8\x8c\xfb\xcf\xec\x0a\xe6\x9d\x2b\x06\x36\x57\xe1\x19\xa1\x77\xd6\x42\x66\x86\xf4\x1c\x96\xe8\x40\x3a\x3f\xcf\x5b\x05\x24\xd0\x80\xbe\x4e\xc4\xea\x48\x88\xa2\xef\xec\x20\x9f\xf3\xc8\x9e\xb7\x17\xbc\x88\x92\x8e\xff\xef\xbc\x35\xc0\x3b\x46\xf5\xfa\x3e\x7c\xf0\xb8\x48\xc0\x9c\x85\x53\x64\x90\x2e\xa9\xf6\x96\x68\x57\x00\x80\x38\x56\x0e\x95\xb7\xd8\x82\x2c\x37\x2d\x75\xbf\x73\xa0\xed\xb1\x01\x16\x6c\x25\x53\x98\x48\xa3\x69\xba\x15\x4a\x53\x94\xd1\xa5\x40\xbe\x9f\x07\x4b\x0d\xf2\x98\x06\xf3\x01\x0e\xfa\xf2\x16\x75\x87\x02\xdd\x01\x20\x9e\x86\xb9\x68\x05\xd2\xd6\x1f\xc8\xa2\x2f\xb5\x64\x9a\x46\x2b\x72\x6b\x4e\xb9\x3c\xa4\xa8\x32\x67\x44\xf8\x90\x3a\x38\x46\x9b\x5d\x23\xa9\xe8\x67\xc1\x0e\x50\x1f\x89\x90\x34\x18\xee\x66\xad\xae\x14\x33\xdd\xb3\x2d\x76\x08\x71\x8c\x65\x83\x1a\xd2\xdc\x0d\x8e\x2e\x91\xd7\x38\xc1\xd1\x22\x91\x53\xec\xcf\xf9\x3f\x31\x05\x91\x98\x34\x02\xe2\x1a\x91\x4e\xc3\xba\x23\x14\x67\x22\x9b\xca\xc5\x94\xf5\x3b\x3f\x36\x98\x26\x94\x52\xfd\x41\xd3\x54\x49\x01\x21\xcf\xec\x23\xe7\x2e\x11\xe9\xc0\xac\x11\x42\x20\x2d\xf9\xfa\xde\xe0\x9e\xb5\x6e\x70\x77\xff\x71\x77\x1a\x86\xd2\x91\xfc\x25\x7f\xb5\xcd\x5f\xb2\x65\xfe\x92\xdf\xf0\xb4\x5d\xf6\xa4\x17\xdc\x0c\x7f\xe1\xac\x44\x49\x18\xad\x44\x61\xc1\xe2\x75\x67\xc7\xb6\xd1\x5a\x84\x91\xb7\x5d\x22\xc6\x80\x71\xef\xdd\xc6\xdd\xff\x01\x61\x47\x59\x59\xbf\xc8\x6f\xc1\xbf\x6f\xb2\x3a\xb5\xb5\x94\x45\x95\xc0\xf4\x0b\xc4\x71\x54\x54\xca\xa3\x56\x8e\x36\x16\xc5\x32\x4f\x30\x43\xcf\xbf\x40\x82\x0f\x7b\xd6\x05\xca\xf2\x5c\x6e\x50\x99\xce\x73\x53\x8f\x4a\x4b\x26\x97\xb7\xa1\x4d\x87\x00\x64\x45\x26\x8d\x2b\x84\x70\xb3\xdb\x30\x33\xad\x76\xbd\x16\xec\x0c\xda\xde\x29\xf9\x35\x64\x73\xd6\x3b\x44\x4a\xfb\x71\xd1\x89\x8c\x43\x1d\x83\xdd\x66\x2d\x5c\xf0\x80\x5b\xc0\xd1\x72\x7f\xbe\x87\xdc\x63\xcd\xd9\x9b\xb6\xc8\x94\x40\x7e\x46\xf1\x17\xac\xac\x41\x0d\xb9\xe6\x88\x02\x83\xc1\x2d\x90\x55\x85\xe6\x82\x9d\x52\x35\x94\xa8\xa6\xd0\x93\x54\xfe\x1f\x0f\xc9\xe3\x9e\x61\x68\xfc\xc0\x5a\x0c\x8d\x6b\xf7\x01\x19\x1a\x1f\x2c\x0b\x59\x31\xce\x2d\xc7\x55\x4d\x82\x76\xd0\x49\xe5\x60\xa5\xbe\x95\x70\x0b\xba\x83\xda\x65\x66\x89\x42\xd8\xd8\xde\x59\xb6\x59\x69\x5f\x35\x25\x7d\xd1\x6b\xaf\xaf\x59\x8f\xfb\x33\xe3\xea\xa1\xd7\x2c\x17\xb5\x56\x11\x21\x1f\xb9\x82\xdc\xba\x6e\x56\x34\x20\x35\x8d\x48\x7e\xf6\x5f\xda\x1f\xfc\x89\x37\xee\x57\x4c\xc5\x2d\x97\x9c\x48\xd1\x5d\x05\x3a\x55\xfe\x87\xe9\x65\x72\xf5\xe9\x52\x0b\x96\xe8\xe4\x51\x30\xd3\x3b\xd1\x0a\x4f\x30\x73\xbf\xcf\x5a\xbc\x41\xef\x62\x2b\x98\x4b\x6b\xae\xd1\xac\x25\xfa\x56\xd9\x01\x94\xac\x03\x24\x4d\xaf\x68\x75\x29\x67\x59\x84\x09\x66\x9d\x94\x25\xf9\xf0\x73\x58\xc0\xa4\x90\x09\x91\x1a\x34\x73\x7c\x8b\xf0\x11\xe8\x1c\x19\x56\xcd\xdf\xdb\x4b\xbe\xaf\xe9\x60\xfe\xd4\x23\x27\xd7\xd4\x65\x93\x65\x9b\x4b\xdd\xfa\x21\x6f\xb3\xca\xb5\x41\x91\xeb\xa9\xfc\x4e\x8d\x0d\x81\xa9\x26\x3a\x63\xc8\xfc\x3c\x10\x05\xed\xb1\x90\x3b\x8d\xaa\x0a\x0f\x2c\x13\x81\xb3\x5c\x5d\x81\xfc\x28\xaf\xaa\xd4\x8f\x4f\x97\x6a\xfc\x83\x1e\xb9\xeb\x12\x7c\x3a\xaa\xf4\x73\x97\x42\xa5\x47\x4e\x4a\x73\x22\xf2\x6d\x75\xbe\xad\xce\x5f\x3d\x9b\xfb\x52\xda\x6f\x17\xbd\xd5\xf5\xf7\x86\x45\xff\xec\x64\x85\xfb\xe3\x94\xf7\xc8\x32\xbc\xf7\x10\xc7\x2b\xa6\x9d\xa4\x67\xb9\x81\x7d\x3a\x6e\xc8\x8b\xc1\x09\xf0\xad\x7d\xc1\x89\xb1\xbf\x8e\xe2\x2e\x4d\xcb\x9b\x2d\x22\xe4\x31\xc7\xff\xc7\xb6\x09\xd8\xb6\x22\x94\xff\xd5\x26\x60\x7b\xce\xdb\xd2\x51\x30\xf8\xd9\x92\xf7\x1e\xd9\xb2\x2f\x17\xe7\xbd\xf5\x71\xdb\x3a\x7e\xab\x3a\xfe\x79\xe3\x0c\xfa\xbc\x17\xfc\xd4\xbd\xa6\x2c\x71\xf4\xa2\xdc\x28\x6e\xde\xaa\x48\x97\x63\xc1\xc2\xec\xb0\xd5\xca\x61\xab\xf5\xf2\xf2\xc6\xa3\x7e\x23\xd5\xcc\x45\x8f\xad\xaf\x2b\xef\xf4\x6f\xd7\xc5\xea\x63\x75\xd5\x5a\x44\xf8\x9f\xbe\xca\x41\xfe\x1d\x4f\x84\xef\xbf\xf7\xaa\xe0\x5d\x3b\x34\xa2\xf2\x28\xed\x57\xc4\xba\x46\x15\x99\xd3\xa3\x04\xeb\xc0\x54\xcc\x08\xe3\xb4\x02\xfd\xd0\x8e\x0e\xca\x34\x42\x20\xe6\xce\x2a\x7a\x6b\x48\x18\xd5\xef\x53\xa7\x5c\xed\xd6\xc7\x48\x8a\xb4\xb0\x75\x3a\x7c\x66\xb8\x4b\xe3\xc1\x14\xbc\x02\xf2\x4f\x8a\x34\xce\xea\x80\x72\x4d\x15\xcc\xb5\x26\x80\xaf\xbb\xbc\xf0\x75\x2a\xda\x52\x4b\x42\x4a\x18\x26\x5d\xaf\x44\x69\x2e\xcd\xce\xae\xc8\x40\xf9\xf2\xbc\xd5\xa0\xb3\x27\xe6\xcf\x9e\x38\x3e\xb3\x78\x62\x96\x4e\x61\xfc\x00\x0f\x02\x3a\x89\x56\xb4\xa9\x35\x46\xa1\x5c\x8f\x70\x24\x97\x9f\x36\x84\xd0\x70\x58\x8d\xb1\x7e\x44\xae\x51\x6d\xcc\x62\xbe\x55\x22\x72\x13\x69\x57\xe2\xaa\xcc\x69\x37\xa3\xe1\xfd\x64\x5b\x7f\x6c\xdb\x88\xaf\xde\x76\xfc\x15\x7b\x3b\xfe\xed\x2d\xf3\xa1\xfe\x5c\xb9\x21\xe3\x60\x1e\xc8\x2e\xdf\xa6\x6c\xc8\x52\xff\x48\x9f\x8e\x7f\x7f\x2d\xb2\xd4\xf1\x2a\x13\x8e\xc3\xef\xc7\xe3\xb0\x2a\x55\x09\x79\x06\xe4\xbf\x0e\x12\x9e\x59\xfd\x97\x99\x3a\xf5\x8f\xcb\x43\xf0\xd7\x3c\x72\xeb\x66\xbe\x10\x4f\xbd\x17\xbc\xf2\xd8\x9b\xdb\x30\xf7\x3f\x00\x5f\x79\xd1\x7b\xcb\xfa\xbb\xe8\xad\xfe\x1b\xd7\xc2\x38\x52\x5d\x1f\x79\xac\xf8\x9c\x47\x4e\x6f\x3a\x46\x74\xf7\xc2\x99\xd3\x0b\xa0\x34\xe7\x53\xd1\xcf\xce\xa4\xc7\x84\x88\xfd\xb7\x07\x62\xe4\x0f\x76\xfe\x5c\xe5\x06\x8c\xf9\xaa\x5c\x11\x0d\xd4\x6c\xa7\xb6\x40\xa9\xbb\x2e\xe6\xd2\xf7\xf5\x53\xd1\xe7\x69\x3e\x68\x90\x97\x9d\xc3\xd1\xfa\x80\x91\xfe\x17\x48\xf0\x29\x62\x5f\x91\x73\xaf\xb3\x3d\xba\x22\x0e\xad\x71\x04\x72\x13\x4d\xb0\x61\x78\xd1\x09\x59\x14\xaa\xf2\x2e\xca\xea\x88\xd6\x68\x00\xbe\x21\xa3\xb5\xcb\x32\xea\xbc\x82\x65\x50\x4a\x85\xcc\x33\x09\x1d\x88\x22\x35\x0d\xd7\xed\x5d\x2d\x4f\x8b\x56\x8e\x3b\x8d\xc6\xb5\x54\xb7\x9b\xcd\x08\xef\x69\x40\x19\x20\x24\x2a\x25\x9c\xab\x9a\xf5\x4e\x04\x65\x02\x70\xff\x0a\x4b\x23\x51\x64\x3a\xf0\x01\xea\xaf\x41\xc8\xe1\xc3\x74\x4e\xb7\xd4\x67\xad\x65\xd6\xe1\x18\xc6\xa6\xa7\x06\x33\xf3\x73\xea\xa5\xf8\x0e\xfa\x53\x64\x9f\x1e\xc3\xc5\x41\x9f\x4b\x0d\x47\x97\x1e\xca\x44\x32\x1d\xd4\xa3\x24\x8e\x12\x1e\x2c\x91\x7d\xa7\x06\xf3\xf8\x0e\x7d\xaf\x6a\x44\xdd\xd9\x53\x3f\x07\x4b\xe4\xa7\xf1\x4d\xf8\xff\x8c\xf5\x96\x19\x4c\xf0\xd1\x3b\x96\x7a\x92\xe1\x55\xf9\x20\x74\x5c\x53\xa0\xbc\x62\x1d\x77\xe6\xec\x92\x77\xff\x0c\xc6\x9e\x56\xa3\x14\xa1\x21\x30\x49\x11\x12\xb3\x62\x21\x96\x2b\x85\xaf\x20\x5d\xd3\xb2\xf5\x40\xae\xe5\x60\x3a\xb0\xbe\x33\xa8\x93\x7d\x41\x69\x33\x05\xd3\xc1\xca\x51\xb8\x66\x7a\x0b\x4f\x9a\x47\x55\x97\xe5\x2d\xfb\x4c\xbf\xa6\x83\xb6\x10\xf2\xd2\x4f\xd7\x65\x0f\x17\x04\x5d\x95\x36\x70\x97\xf5\xfb\x3c\xc9\xde\x44\x67\x79\x0b\xd2\xe9\xa1\x1e\xab\xc8\x78\x46\x1f\x82\x0a\xdf\x94\x0e\x58\x2f\xc6\x4a\xa2\x1e\x4b\xb3\x2e\x8b\xb5\x9b\x30\x62\x31\x58\x43\xc0\xdd\x0a\x99\xc7\x8e\xa8\xdb\x53\xd5\xa0\x8b\x98\xb1\x01\x2d\x83\xe9\xc8\x56\x71\x48\x14\x3f\x7e\x2e\x52\x1e\x22\x74\x83\xb4\x1c\x8a\x44\x4e\x3b\x96\x73\x70\x9a\xf0\xf3\x72\xb6\x39\x16\xa5\x0b\xda\x12\xfd\x01\x3d\x88\x70\xf9\xfd\xe5\xce\xe1\x92\xc1\xfe\x50\x89\xe3\x3e\xb4\x86\x16\x01\x93\x06\xeb\x11\x94\x50\x1d\xc8\xb4\xfa\x01\x2d\xc5\x61\x31\x5b\x7c\xf8\xed\x22\x51\x47\x02\x40\x9e\x00\x57\xa9\x55\xdc\x8f\xbd\x2c\xa7\x17\xbf\x42\xae\x62\x5b\xb8\xea\x34\x2f\x52\x48\x55\x8b\xf2\xb2\x7b\x80\xf4\xdc\x32\x09\x6d\x52\xd8\x50\x15\xc8\x46\xcc\xcd\x70\xab\x1e\xc3\x83\x8b\x67\x66\xcf\x48\x3d\x8f\x0d\x48\xcb\x1b\x6b\xe4\x6c\xa0\xda\x4c\xd9\xc3\x45\xa2\xe8\x9d\xb0\x61\x23\xf6\xe7\xd4\x75\x75\xbf\xae\x78\xd4\xc9\xbd\xba\x07\x3c\x6c\x1c\xb2\x6c\x77\xf2\xbf\x09\x79\xbd\xb5\xd9\x02\x12\x23\xe4\x0f\xa4\x22\xb9\x5b\x34\x01\x13\xe2\xcb\x24\x78\xd0\xfa\x5f\x53\xcc\xe8\x04\xad\x2e\xa7\x0f\x89\xa6\xca\xd5\xc1\x52\x3e\xbd\x1a\x60\x0d\xc8\x57\x43\xc9\xb4\xae\x96\x64\x2d\x79\xb2\x89\x07\xb2\xef\x8d\x0b\xde\x5e\x85\xc8\xc5\x2f\x78\xfb\x1f\x12\xcd\x45\xde\xeb\x4b\xdb\xdd\x39\x61\x3c\xbf\x8f\x7c\xc1\x23\x3f\x02\x15\x90\x51\xd2\x99\xe5\x2c\x94\x0a\x60\x01\xea\xdb\x33\xff\x29\x44\x8a\xbe\xf9\xc6\xe0\x97\x4d\x72\x25\x0d\xd5\x4d\x80\x38\x82\x37\xc2\x1e\xa4\x1b\x31\x3d\x8f\xda\x10\xf4\x88\x32\x29\xc4\xba\x33\x21\x05\x81\x82\x12\x82\x64\xa0\xb0\x44\x1a\x94\x9e\x92\xb7\x85\xf2\xb9\xac\xfc\xe4\x92\x78\x00\x38\xa8\x39\x50\x3a\xb4\x59\x14\x43\xf5\x2c\xcf\xdc\x74\xde\xf7\x79\xe4\xba\xac\x00\x8f\x61\xbb\x88\xef\x16\xcd\xec\xae\x48\xce\xcd\x00\xb2\xe0\xfc\x81\xce\x05\x0f\x17\xcb\xe2\x58\xd1\xa6\xe5\x23\x54\x1a\x4a\x59\x57\x77\x03\xb6\x8d\x9c\x45\x49\x83\xde\x0f\xc7\x84\x12\x00\x3c\x99\x4a\x78\x07\xc9\x03\xd4\xdb\xdd\x8d\xf9\x06\xb7\x67\x8f\x79\x64\x4f\x56\x64\x7d\x9e\x84\xfe\x7b\xbd\xe0\x9f\x7a\x98\xa3\x16\xb3\x0e\xcd\x79\x1c\x9b\xec\x36\x75\xbc\x87\x84\x72\xbc\x5d\x9e\x17\x32\x79\x54\x48\x72\x6b\x58\x20\xf6\x11\x0a\xae\x78\xab\xfa\xfd\x78\x00\x19\x02\x71\xca\x59\x38\xc0\x99\xe0\xa1\xf5\x40\x83\x0e\xa7\xc4\xba\x75\xf0\x5f\xaa\x01\x47\x1b\x1a\x79\xad\xc1\x3c\x04\xa1\xfc\x4f\xd6\x82\x27\x6b\x0b\x55\x22\xc4\x5c\x0a\x3f\x35\x77\xdb\x3d\xc3\x22\xe4\xbb\x45\x13\xc6\x2c\x32\xf4\xe4\x2c\xe5\xd3\x74\x8a\x06\x80\xd4\x12\xd0\x83\x2a\x6a\x73\x68\x5a\x73\x69\xa9\x85\x80\xa3\x5e\x24\x56\xeb\xf1\xe0\x36\xf9\xe4\x49\x91\x36\xa3\x30\x98\x96\xa2\xd3\x8c\xc2\xcc\x7e\x7f\x5a\xc8\x31\xc9\x96\x23\x64\xc0\x03\xfd\x27\x1b\x89\xda\xb4\x9f\xf2\x15\xd8\xeb\xe5\xff\x5d\x06\xc0\x68\x66\x9a\x07\x3c\x87\xb6\xcf\xf2\x7e\xcc\x5a\x3c\x98\xa6\x2d\x96\xb4\x78\x9c\x51\xf3\x6e\xc3\x9f\x25\x25\x5a\x2e\xb9\x14\xef\xcd\x70\xd9\x41\xcd\x70\xc2\x57\xa5\x38\xda\x47\xa7\x47\x3c\xf2\xb7\x50\x50\x87\xe4\xb0\xd0\x72\xb8\xe4\xca\xa1\x92\xeb\x4b\x26\x83\x47\x5d\x19\x7c\xa7\x47\x6c\x35\xe0\x17\xe4\xe8\xd8\xb3\x81\x51\x57\x77\x97\x0f\xc0\xb9\xe7\xcd\xa5\x2c\xe8\x55\x0e\xbe\xa1\xaa\x5a\x04\xbd\xa4\xa4\x02\xa2\xa3\x6a\x7a\x1b\xe4\xad\xc4\xe8\x25\xff\xbe\x60\x16\xd0\x34\xd4\xff\x52\xa1\xc8\xfb\x28\xba\x43\xea\x34\xe3\xbc\xcc\x99\x4d\x1a\xab\xd1\x72\xd4\xe7\x61\x84\xc4\x08\xf2\xbf\xc3\xf2\x76\x97\x24\x7f\xa7\x43\x65\x33\xee\x43\xfc\xdf\xda\x19\xdc\x57\xb9\x66\xe9\xdf\x5c\x53\xac\x83\x28\x3b\x90\x2a\x08\x52\xa1\x4b\x3b\x90\x9e\x20\x1f\xa5\x5a\xbf\xba\x83\xfc\x1f\xfb\xfc\xfc\xd2\x96\xcf\xcf\x1f\x59\xe3\xfc\xac\xcf\x63\x20\x34\x4e\xf7\xc0\x25\xa1\x7b\x78\xf9\x8e\xd9\x2f\xe8\x63\xf6\xf3\x1e\x39\x34\x91\xa0\x81\x80\x3d\xe6\x29\x09\x6b\x19\x67\x95\x7d\xc2\x6e\xf2\x2e\x5b\x89\x44\x6a\x7d\xee\x65\x3f\x60\xbf\x7c\x05\x09\x46\x79\x7b\x8f\xcd\x3a\x95\x1a\x5f\xbe\x22\xf8\x79\xb7\x52\xe3\x2c\x0b\x45\x46\x8f\xc5\xa2\xb5\x4c\x67\x39\x00\x75\x40\xde\x3a\x2e\xa1\x98\x65\xb9\xc6\x83\x6c\x73\xd8\x24\x41\x97\xf6\x45\xd8\xa0\x67\x8f\xcd\x6e\xb5\x8c\xa2\x27\x92\x48\x7e\xf9\x05\x6f\x17\xa0\xe3\x3a\xc2\xfa\xf8\x7e\xf2\xb3\x1e\xd9\x59\x64\x3c\xf5\x1f\x0e\x7a\x60\xfa\x41\x6f\x21\x31\x02\x29\x34\x2c\x02\x05\x16\xf6\xa4\x46\x9a\x20\xb5\x5d\x75\xfa\x70\xda\xb4\xd2\xda\xdf\xd0\x15\xab\x53\xb9\x98\x2a\x32\x3e\x15\xe5\x0e\x47\x45\x99\xea\xff\x64\x2d\xb8\x50\xab\xa6\xfa\xab\x69\x57\xb5\x06\x30\x6e\x03\x51\xd0\x55\x86\xf5\x9d\xaa\x0c\x60\x31\xea\x4f\xd3\x13\x49\x56\xa4\xbc\xc4\x0f\xaa\x56\x04\xd8\x78\x59\x3f\x08\x45\x01\x6b\x85\x29\x14\x44\xa9\x1e\xcd\x37\xa4\x4d\xa7\x34\x20\x25\x38\xa5\x7e\x14\xbc\xa5\x9c\x3a\xb8\xa4\xe6\xee\xd2\xcf\xd4\x53\x1e\xd9\xb3\xcc\x07\xf2\x6f\xff\xd7\xbd\xe0\xdd\xde\x3d\xf8\x8f\x81\xa6\x62\x79\x57\x8e\xc1\x32\x1f\xd0\x54\x63\xce\x9c\x3d\x36\x7b\x2e\xab\xf0\x95\x40\x31\x72\x8b\xf7\xbb\x87\x55\x73\xaf\x44\x6f\x7f\x49\x6a\x62\xb5\x00\xfc\x77\x78\x01\x9f\xa9\xc4\x39\x8e\xf3\x7e\x97\xea\x3b\x2e\x5d\x0f\xc6\x42\x3f\xfe\x13\x20\x63\x11\xb1\x7f\x3e\x58\x2e\xa7\x4c\x5e\x19\x5e\x6d\x69\x73\xb2\x32\x92\x0d\x8e\xc9\x33\x76\xfd\xd4\x87\xbd\xe0\xfd\xde\x16\xab\xa2\x86\x2d\xcc\x4b\xd6\x6b\x1b\xb0\xc9\x29\x99\xfa\xee\xa6\x69\xfd\x3e\xee\x99\x4a\x2a\xc0\x4b\xb2\x40\xb9\xdc\x64\x35\x5d\x4a\xe5\x08\xf0\x9c\xb4\x2c\xc5\x4a\x04\x2c\x2a\x2b\x3c\x4d\xa3\x90\x03\x3f\x16\x4a\xb0\x35\x7b\x49\x14\x5f\xaa\x71\x20\x8f\x5c\xeb\x94\xed\x8e\xe7\xd7\x02\x22\x25\xff\x9b\xd7\x04\xff\xdd\x73\xb9\x95\x5c\xb2\x1a\x79\xb6\xc8\xab\x9c\x3f\x2a\xdc\x17\xc9\xde\xe1\x9e\xa2\xc3\x71\x08\x33\xa1\x93\xe0\x34\x64\x55\x0e\xd2\xa2\x92\x8e\x0d\x82\xaf\xfb\x5a\x95\x95\x2f\x4d\xba\xd8\x54\x86\xc2\xee\x64\x90\x7b\xb4\x61\xfb\x90\x80\xa0\x61\x2e\xe4\x00\x87\x85\x92\xbe\x76\x11\xc7\x1a\xb0\xc5\x74\xb4\x71\xc1\xdb\xaf\x8a\xdd\x17\x81\x51\x67\x9f\xf9\xc9\xd9\xdd\xfe\xf4\x4a\xf2\x67\x35\x62\xdf\xea\x7f\xb3\x16\x7c\xa5\x66\x5d\xb0\xd8\xde\x73\x8b\xbd\x5b\x97\xd2\xb7\x58\x9a\x46\x56\x3d\xab\xf3\x75\xc8\x7e\xa5\x6e\xd5\x60\xb5\x72\x7b\x29\xb9\xaf\x9a\xbc\x2c\x96\x94\x6d\x57\x61\x37\xa2\x5e\xaf\xc0\xda\x7a\xd6\xce\x79\x8a\x16\x1c\xe0\xeb\x48\xe5\x80\x28\x44\x60\x48\xeb\xd2\x7e\xe0\xc3\x61\x29\xb7\x0e\x2a\x66\x37\x9b\xa6\x3f\x46\xe7\xe6\x57\x6e\x84\xe0\xb1\x99\xed\x04\xae\x51\x55\xdc\xdf\xc0\x7b\x6e\x1e\x71\xcf\xcd\xf6\x3d\x27\xef\x9b\x3d\xed\xde\x43\x4f\x16\x71\x3c\xa0\xf7\x15\x2c\x46\x28\xde\x59\xd1\x63\x51\x02\x0c\x5b\x8e\x29\xbe\x1d\xba\xdc\x62\xe8\xf2\xdb\x1e\x29\x05\xda\xff\xaa\x17\x3c\x54\x2e\x51\xa7\x54\x49\x01\xbf\x58\xbf\xda\x12\xd8\xa0\x27\x58\xab\xab\xa5\x11\x42\x95\x90\x54\x0a\x2c\xf1\xe7\xa3\x5e\xd1\x93\x6d\x1c\x3d\x72\xe4\x88\xb5\xb2\xec\xad\xeb\x8d\xe4\x26\x72\xc3\x58\x25\x3b\x5e\x09\x4d\x08\xa5\xb9\x1d\xa1\xdd\x7c\x84\xb6\x6b\x1d\x30\xdf\xb2\xd5\xf3\xe5\xeb\xd6\x08\xcf\x92\x7f\xb3\x83\xec\x02\xc6\x37\xff\xd7\x77\x04\x1f\xad\x21\xf9\x9b\xab\x34\x0d\xae\x39\x66\x44\x28\x82\x38\x7e\xbe\x2f\x14\x8b\x23\xe4\x88\x98\x21\x1f\x25\xa4\x70\xb0\x19\xcb\x16\xf8\x80\x3c\x7b\x2b\x96\xc1\xcc\xce\x02\x36\x89\xb7\xda\xda\x4f\xb9\xc2\x22\x30\x49\x28\xf0\x98\x6a\x82\xe1\x7b\xa2\x32\x45\x45\x3b\x72\x22\x64\x31\xd4\x9a\xc1\x69\x3b\x60\x9a\xe3\x30\x98\x78\x49\xa9\xd7\xda\xab\xe9\x36\x72\xeb\x1a\x71\xe7\xb5\x29\x33\x27\x5b\x51\x17\xbd\xee\xfa\xc1\xd1\x13\xfe\xf1\xb5\x58\x34\xc6\x12\xd9\x38\x3b\x1f\x21\xbf\xb9\xdb\xf1\xb7\x58\xc9\x30\x2b\x26\x9e\xbc\x78\xef\x82\xff\x8b\xbb\x83\x53\xe5\xbf\x15\x57\x0b\xb0\xa3\xc3\xb8\xc7\x6c\xc0\x53\x0a\x10\xa2\x51\x3e\x18\xc1\xc8\x6f\x02\xce\xce\x06\xff\xb1\x5d\xe4\x33\x35\xb2\x0b\x80\xaa\xfc\x4f\xd6\x82\xbf\xf0\xee\x02\xcc\x2a\x80\x3e\x36\x72\x89\x38\x56\x6a\xaa\x0c\x1d\x61\x05\x92\xb4\x61\xd3\xb0\x6b\x11\xc5\xfc\x41\x29\x96\x06\x83\x07\x44\xf2\xb0\x8a\x8e\xaa\xa6\xf2\x38\x43\x9b\xb2\x12\xa5\x85\xc0\x56\x1c\xb6\xe4\xd2\x82\x23\xa6\x36\xa1\x75\xe8\xd6\x21\xec\xb7\xfc\xc0\x0a\x2b\x13\x75\x5e\x94\xe9\x8f\xaf\xcb\xf3\x64\xcc\xdb\xb9\x73\xa8\x1c\x7f\xda\x98\x50\x11\x7f\xa7\x46\x08\xda\xba\x72\x2f\xf7\xbf\x5e\x0b\xbe\x54\x5b\x30\xff\x8f\x62\x76\x50\x96\xb1\x8e\x10\x97\xb9\x57\x72\x50\x55\x4a\x96\x0b\x54\x7a\x52\x5b\x3c\xd0\x7d\x43\x8c\x00\xce\xeb\x58\xac\xc2\x83\xa9\x40\xaf\xa1\x41\xc9\x5c\x38\x3d\x67\x10\x83\x28\x8b\x45\x52\x32\x87\xea\x9f\xb0\x3a\x03\x48\x87\x13\x1c\x43\x40\x15\xc9\x34\x82\x2c\xa7\x81\x14\x89\x80\x76\x39\x0b\xe5\xc8\x42\x3f\x2c\x7a\x59\x35\xb4\x67\x8b\x58\x05\x20\xcb\x96\xd5\x24\xc3\x64\xa9\x2f\x84\xb8\x75\xa2\xcc\x03\x3d\x1a\xf2\x05\xba\x7d\xfb\x21\xf5\x3d\x8e\x71\xf4\xd1\xbd\x8e\x13\x09\x38\x60\x56\x8e\x36\xce\x8a\x98\x1f\x8b\x00\x6f\x0a\xb2\x95\xff\xf9\xde\xe0\x70\xe5\xda\xa8\x2c\x3d\xeb\x96\x6c\x64\x5e\xf2\xf3\xdb\x65\xc9\x5b\x36\xc7\x3a\x3a\x11\xf5\x1f\x07\xaf\x1f\x81\x16\x63\xcf\x81\xbd\x14\x8f\x90\x06\xa9\x8f\xd5\xf7\x23\x26\x7e\xdb\x20\xda\x82\x41\xd4\xb6\x0c\xa2\x7f\xb4\xb5\xfc\xf1\xb5\xcc\xa1\x8b\x5e\xb2\xfe\x16\x7b\x8f\x3f\xb7\x01\x92\xa7\xca\x32\xaf\xd6\x17\xbf\x78\x05\xb9\x7e\x32\xc0\x3c\xf0\x52\xcf\xf2\x9c\x45\x71\xe6\x7f\xf4\x8a\xe0\x3b\x35\xe7\x92\x83\x7d\xca\xc2\x30\x52\x2a\x58\xa5\x0d\x45\xda\x8a\x3a\x35\xf3\x20\x64\x1a\xf0\xbc\x52\xea\x84\x27\xf3\x15\x80\xf5\x2d\x1f\x1f\xae\x09\x63\x34\x55\xc0\x23\xb8\xa7\x2a\x12\x08\xc3\x71\xcf\xa8\xca\x2f\x53\x62\xaa\x35\x10\x24\x5a\xb0\x1c\x85\x82\x97\x21\xe0\x0c\x20\x85\x14\x1e\x1e\x6c\xc6\x51\x27\x01\x54\x4f\x40\x98\xc0\x5e\x87\x02\x42\xa2\xe5\x36\xad\x2d\x3c\x7d\xa2\x07\x1b\xd4\xb4\xae\x52\x08\x50\x63\xb1\x2c\x33\x5e\x65\xa0\x19\xd2\x77\x69\xe7\x86\xb6\x38\x13\xa0\x26\x00\x6e\xe1\x02\x10\x8e\xd4\x4b\x5c\xa3\xe4\x13\xfb\xc8\x2f\xea\x95\xfc\xce\x5a\xf0\x7d\xe0\x5a\x96\xff\x59\x0d\x1b\xde\x77\xb5\x6c\xab\x06\x4f\xae\xf8\x75\x8b\x4c\x0d\xd6\x59\x15\x2f\x3f\x93\x20\x07\x89\x72\x56\x8b\x04\x97\x74\x18\x41\xbe\xb3\x59\xce\x25\x45\x92\x79\x85\xd4\x27\xaf\xd6\xea\x7c\x9f\xe6\xbd\x07\x9c\x41\x43\x25\xbe\xe5\xf1\x00\xa0\xca\x44\x19\xfe\x91\xc5\xc3\x0c\xcd\x2b\x24\x45\x4c\x36\xd7\x96\x67\xe8\x62\x5a\xbe\xaf\x46\xae\x4d\x79\x9e\x0e\x66\xda\x39\x4f\x75\xfe\xc3\x3b\x6a\x3a\x56\xfb\x5d\x6f\xae\x6d\xd3\x50\x81\xb9\x17\xf5\x9c\x24\x08\x85\xa4\x05\xd9\x25\x7a\x5a\xb4\x6c\x35\xe5\x47\xe5\x29\x38\xff\x17\x0c\x79\x8c\xd6\xc3\x78\xc4\xb0\x75\x2e\xc8\x77\x0e\xd9\x73\x09\x65\x31\xec\x90\xb9\xe1\x31\x99\x52\x96\xa3\xc8\x4c\x43\xb9\x8b\x7a\x63\xda\xec\x8a\x55\x60\x25\x97\xcb\x76\x95\x45\x06\xef\x2b\x67\xcb\x86\xad\xa6\xd2\xbc\x1b\x37\xfe\xd7\x1e\xd9\x51\x44\xa1\xff\xab\x5e\xf0\x88\x77\x6e\x6e\xb6\x3a\x47\x8d\xb1\x83\x6f\x66\x71\xdc\x04\x54\xa5\x70\x74\x14\xa4\xc8\x78\x3a\xd5\x29\xa2\x90\x1f\xd6\x90\xb6\x3c\xcd\xde\x50\x44\xae\x6c\x7d\xd3\x23\xbb\x31\x61\xca\xff\x03\x2f\xf8\x39\x90\xae\xe3\x98\x40\x05\x3b\x71\x59\x4b\xdb\x43\x3a\x6a\xd4\x86\xa3\x24\xcc\x11\xad\x36\x8b\xe2\x22\x45\x4c\x48\x60\xa5\xb2\x7f\xc5\x09\xd4\xea\x10\xdb\xe4\xa1\x4a\xdc\x72\x2c\xf2\x63\xe4\xcd\xe4\xce\x4d\x6c\x47\xf8\x36\xf8\x10\xd2\xd4\xa4\x23\x0f\x06\xf7\x2e\x1a\xd6\x8e\xad\x6b\x13\x7b\x18\x7f\xfe\x6a\xa7\x74\x84\xf5\xfb\x88\x7b\x62\x0e\x25\x67\xf9\x4a\x04\x16\xe4\x37\xae\x0a\x3e\xbe\x6b\xf8\x7a\xe9\x38\x46\xe6\x24\xe3\xd9\xcc\x12\xd6\xcf\xba\x02\xf6\x1d\xcc\x21\xc6\xc4\x6f\xad\xd2\x11\x7e\x08\x76\x8c\x48\xa3\x8c\xea\xb4\x39\x4d\x86\x13\x72\xfb\x4a\x99\xc7\x95\x39\xdc\x72\x14\x31\x52\xad\x8c\x36\x38\xd8\x9d\x49\xe4\x98\xd0\x11\x5d\xee\x02\x22\x3a\x4f\xac\x5c\xa0\x78\xa0\xc3\xe8\xe0\x06\xb0\xc0\x93\x8c\xbd\xb3\xa8\x58\x0a\xd0\xa6\x52\xf1\x12\x16\xc5\x9a\xb9\x46\x9b\xc8\xc0\x64\x66\x23\x31\x29\xb4\x0f\x88\x58\x16\xb9\x5e\xf9\xb3\x2c\x57\x99\xb2\x8d\x11\x7d\x04\x49\xab\xcb\xe5\xcc\x01\x8c\xb5\xa9\x18\xd5\x65\x47\x0c\x5a\x69\x9d\x86\x05\xe0\xa1\x29\x68\x4a\xb9\x73\x03\x18\x24\xb6\xcf\x7b\x22\x59\xe0\x2a\x48\x2c\xdf\xdb\x2e\x62\xf9\xbf\x55\xfb\x04\xa3\x8e\x5f\x88\xd9\x2e\x22\x8e\x9b\xac\xb5\x5c\x77\x2c\xca\x08\x01\xe4\x1b\xf4\x2e\xdd\x9d\x28\xd7\x9b\xa4\x66\x2e\xcc\x85\x52\xee\x98\x33\x63\x9f\x1b\x5a\x5d\x96\x74\xf0\x78\xdd\x2e\x14\x5c\x30\x54\xc6\x28\x3e\x42\x0d\x7a\xab\x74\xa7\x1c\x77\x84\xe1\x95\x87\x41\x40\x72\xcc\x59\x33\x8a\x81\xf2\x05\x59\xb5\x90\x60\x21\x8a\x07\xd0\x7f\x33\xf1\x6a\x08\xdc\xb2\xcd\xbd\xa9\x1a\x52\x67\xb7\xfe\xf8\x76\xe5\xe6\x76\xa9\x48\x25\x87\xa5\x49\x8c\xac\xf8\xf7\xeb\x4c\xc8\x99\x52\xd1\x59\x6e\x47\x29\x18\xea\xb2\xf6\x8d\xc0\xc2\x36\x32\x80\x8e\x06\xb9\xc6\xdd\xed\x75\xfb\x58\xbe\xc5\x63\xf9\x80\xec\x04\xa1\x7b\xfb\x78\xec\xa0\xf5\x2b\x1f\x82\x1b\x40\xfb\x2a\x17\x97\x95\xac\x3d\x3c\xb4\x66\x6e\x1b\x1b\x2e\x42\x71\x78\xfa\x87\x55\x7c\xf5\xc8\xf7\x8d\xdd\x84\x8e\xc2\x87\xd5\xd8\xac\xf3\x22\xcd\xfd\x4f\xed\x0e\xee\x74\xae\xb8\x21\x5e\xdb\x17\x8f\x3e\x32\x65\x9c\x95\x08\xaf\x17\xbc\x2b\x5b\x76\x03\x8e\x5a\xfc\xfa\x2e\x32\x43\x76\x77\x45\x96\xcf\xcd\xfb\x6f\x0c\x7e\xec\x81\xae\x22\x04\x50\x08\xe4\xcd\x48\x41\xef\x9a\x34\x76\x78\x53\x2e\x1c\xa3\xe2\x45\x8f\xec\x95\x0f\x41\x8f\xbf\xe6\x69\xa3\xfa\x39\xef\xb4\xc9\x7e\x54\x8f\xa9\x70\x81\x06\x5b\x97\x0f\x81\xaf\xcf\x31\xbd\xa3\xcc\x44\x55\x19\x6e\xb6\xf8\x38\xe6\x52\xd6\xe9\x11\x7a\x3b\x3d\x4f\x6f\xa7\x37\xdf\x74\xd3\x0d\x37\xc3\xe3\x77\x89\x2c\x3f\xad\x86\xa2\x64\x39\x70\x5b\xc3\x33\xa3\x33\x96\x52\xa2\xb3\xbc\x1c\xab\x4c\x9f\x2f\xb1\xac\xa4\x1b\x55\x32\x90\x7f\x47\x9f\x6f\x9e\xf5\x82\x8f\x0d\x9d\x18\xec\x6e\x27\x74\x6e\xe6\xf4\xcc\xdb\x16\xee\x3f\xfe\xb6\xd3\x33\xa7\x4e\xc0\xea\x52\xb1\x0e\x1b\x54\x59\x84\x2a\xd4\x20\x5b\x0d\xad\x59\xec\x8b\x70\x7c\x9c\x04\xdc\xb5\xda\xb7\x8c\x03\xab\x01\x20\xe1\x1c\x62\x65\x28\x0d\x4c\xa9\xad\x33\x61\x0f\x92\xbd\xfd\x54\xe4\xa2\x25\x62\xff\x54\xf0\xe6\x79\xf5\x37\xe2\xa7\xe3\xc0\xa8\x2f\x39\x37\x3b\x5f\xa7\x8b\xc7\xe7\xe1\x34\xbc\x70\x7c\x71\xde\xf5\x7d\x07\x8b\xc7\xe7\x03\xd7\xc0\xf4\x88\x2b\x6f\xfe\xaa\x96\x87\xe6\x7a\xe2\xd0\x17\xe1\x81\x4c\x4a\x1e\xd3\x11\xea\xc5\x0d\x0a\x83\x33\x5d\x4f\x12\x72\xd4\x5a\x60\x9a\x08\x5a\x47\x5e\x8e\x2f\xcc\x2d\xe0\xa5\xe3\xac\xcf\x5a\x51\x3e\x00\x9f\xec\xf7\xf6\x05\x27\x46\xff\x34\xca\x35\x3b\x7c\xe7\xda\x00\x92\x1f\xda\xbb\xbd\x25\x6c\x75\x4b\xf8\x03\x83\x19\xf0\x45\x2f\x38\x62\x7c\xb5\x76\x8c\x72\x8d\x69\xb1\x4f\x6d\x6f\x22\x6b\xe0\x11\x4e\x20\x30\x17\xbd\x03\xe4\xba\xe1\xc8\x4b\x8f\xf5\xa7\x96\xf9\x20\xf3\xf7\xf9\x7b\xa6\x60\xd1\x92\x8b\x1e\x1d\x1b\xa3\xd9\xed\xef\xec\xb1\xfe\x76\xa4\x7c\x2b\x06\xea\xef\xda\x06\xea\xb3\x5b\x84\x16\xf9\x99\xd1\xc8\x22\x97\xcb\x30\xbd\xe8\x89\xf5\x0d\x8f\x7b\xfd\xbb\xd7\xa3\xb8\x1f\xad\xc5\x46\x16\xc4\x3e\x7d\x35\xf9\xf1\x0d\xf8\x2b\xfc\xff\x77\x55\x70\xbc\x2c\x1f\x66\x34\xe5\x79\x91\xaa\x1a\x56\xd8\x45\x5a\x0c\xeb\x5e\xc0\x67\x9b\x1c\xc8\xf5\x1d\x8a\x01\xc0\xac\x45\x4b\x35\xbe\x70\x25\x39\x47\xf6\xf4\x78\x96\xb1\x0e\xf7\xef\x0e\xee\x98\xa1\xdd\xa2\xc7\x92\xa9\x94\xb3\x10\x5c\x0c\xe8\x5b\xea\x57\x4d\xb5\xa2\xe4\x32\x31\x8e\xb9\xc6\x0f\x37\xee\xcc\xb7\x3d\xc3\xbf\xfc\x87\x5e\xf0\x45\x6f\xc6\xf0\x5d\x8d\x1b\xac\xd5\xee\xa0\x32\x44\x90\x98\x86\x1b\x6f\x70\x12\xbd\x60\x81\x1a\x4f\x15\x7f\x8d\x32\x35\xa3\x3a\x1d\xa3\xf4\x02\x26\xc2\x0d\x09\xac\xb0\x28\x96\xaf\x6d\xd0\x19\x1d\x09\x68\xc5\x2c\xc5\xec\x11\x96\xd0\xbb\x16\x17\xe7\xf5\x64\x41\x69\x65\xb3\xb0\x4a\x9c\x74\x8a\x25\x8d\x5c\x7a\x98\xcf\x94\xc5\xee\xbf\xe9\x05\x1f\xd6\x15\xeb\x9a\x5c\xd5\x4c\x36\x3d\x93\x70\x2a\xda\xd3\x34\x58\x40\x0f\x0f\xa2\x79\xeb\xaf\xba\xdc\x35\x04\xdb\x69\x72\x97\x70\xb7\xbf\x9f\xec\x94\x02\xe3\x9f\xd6\x66\xe4\xad\x0b\x45\xa7\x83\x51\x0f\x90\x2a\xa5\x59\xb0\x60\x57\xf3\xab\xe2\x44\x48\xf3\x30\x6a\x83\x88\x0d\xb1\x83\x3c\x5d\x23\x7b\x94\x97\xd8\x7f\xac\x46\xde\xbc\x69\xe7\xad\x0a\xbc\x05\xff\xcd\x83\xf3\x66\xa8\x6b\x80\x47\xb9\x67\x4d\x3d\x24\x58\xfd\x8a\x69\x1d\x22\x3b\x20\x07\xe0\xfd\x12\xab\x58\x79\x8f\x2d\x61\xe3\xd5\x84\x52\x93\x59\xa1\xa9\x51\xe0\x8d\x38\x12\x48\x94\x2e\xbf\xb9\x53\xb0\x94\x25\x39\x37\x34\x10\x00\x79\x99\x0b\x08\x7f\x29\x19\x53\xc4\xc2\xa8\xa9\x4b\x44\x9f\xb2\xb3\x98\xd0\xba\x6d\x9c\x6c\x05\x5b\xf5\xf4\xfa\xfb\xf9\x8f\xfb\x87\xa6\x2c\x8c\x27\xbd\x87\xa3\x88\x55\x5d\x07\xbf\x7a\x05\x99\x5a\x87\x76\xe1\x64\x2c\x56\x11\x6b\x02\x0a\xe2\xbe\xbb\x3f\xf8\x09\xf7\xd2\x88\x7a\xe4\xf2\x86\x03\x25\x55\x20\xea\x9c\x58\x88\xe5\x0c\x0a\x93\x1b\x17\xbc\xeb\x34\x25\xf7\xbd\x72\x64\x1c\x66\x07\x67\x47\xff\x3e\x21\x7f\x59\x23\xbb\x00\x64\xca\xff\x5f\xb5\xe0\x25\x6f\x09\xfe\x5e\xb2\xde\x8d\xc1\x23\x33\x8b\xe0\x65\xd7\xe1\x5d\x28\xa2\x15\xab\x4a\x54\xd5\x1a\x28\x3b\x69\x68\xc9\x58\x89\xc2\xd9\x86\x15\xa1\x79\x20\x34\x41\x3a\x15\x09\xa7\x3d\xae\x4f\x9f\x88\x7a\x65\x93\x9a\xa9\xe7\x1b\xaa\xa8\x39\x82\x3d\x0b\xb7\x3c\xc8\x02\xac\xab\x9d\x4f\x07\xab\x13\x61\xe3\x71\xe7\xad\xae\x16\xf8\xb2\x77\xce\x41\xe3\x2e\x72\x92\xcc\x6e\x88\x36\x03\x2b\x74\xcf\xca\x9e\x3e\x10\xe5\x5d\x05\x98\x98\x4d\x98\xeb\xf5\x44\x8d\xbc\x26\x8c\x00\x02\xab\x88\xb2\x2e\x4f\x4f\xf1\xbc\x2b\x42\xff\x97\x6a\x1b\xec\x86\xfc\x9e\xd9\xe1\x86\x82\xdf\xf6\x96\x46\xb4\xbf\x54\xe5\x20\xb1\x19\x83\x61\x2a\x9d\x87\x30\x7d\xca\x89\x9d\x58\x53\xaf\x67\x7d\x29\x89\xe2\x25\x27\x17\x55\x95\x7c\xb9\x6d\x45\x99\xe6\x21\x0f\x95\x56\x2c\x94\x38\xb1\x78\x95\x0d\x32\x9d\xa4\xaf\x66\x15\x56\x66\x83\x3c\xb2\x83\xf8\x7a\x02\xe7\x53\xde\xe2\x21\x4f\x5a\xdc\x7f\xd9\x44\x86\xbf\x55\x5b\x1a\xfe\x7d\xc9\x06\x4e\x69\x75\x85\xc8\x38\x65\x3d\x31\x24\x03\xce\x47\xe9\xc2\x0a\x23\x6b\x40\xb5\xdd\x15\x19\x4f\x6c\xa1\x96\xb2\xa7\x9a\x92\xcd\x9a\xad\x23\x29\x7a\x3c\x45\xa2\x63\xc3\x19\xad\xc0\x17\x38\x86\x92\xb1\x24\x2d\x16\x1d\x75\x97\x22\x99\x3e\x44\x4f\x0d\x7d\x80\xde\x81\x86\x7f\x51\x9a\x5c\xfb\x5c\x52\x96\x74\x30\x03\xf2\x27\x8f\xd6\x8f\x1e\x39\x72\xe4\xc8\x5b\x6d\xfa\xbc\x08\x2d\xb1\x7e\xf9\xb8\xda\x7a\x2c\xcf\x58\x94\xdb\x39\x1e\x50\xba\x0c\x0c\x68\x06\xdb\xd7\xdd\x97\x3f\x5b\x23\x6b\xe8\x17\xff\x43\x35\x32\xbf\xb1\x85\x34\xb6\xad\xb2\x58\xe8\xf7\xbc\xa5\xf1\xaf\x5c\xd2\xa6\x55\xc9\xea\xce\xe8\xf8\x56\x2b\xc4\xb5\x26\x95\xb1\x7c\xba\x65\x76\x29\xb9\x33\xc6\x2b\x3a\xe1\xc0\x12\x02\x3d\x60\x98\x02\x13\x2a\xe3\x2c\x5d\x46\x88\x04\x95\xa1\x22\xdf\xa4\xc2\x65\x60\xb3\x1b\x4a\x17\xf2\xde\xdd\x0e\x5b\x81\x93\xb6\xeb\x60\x41\x2d\xde\xbb\xe0\xff\xc9\xae\x57\x32\x77\xf7\x17\x76\x91\x0b\x26\x77\xf7\xd1\xed\xdc\xdd\x6a\xa5\xe0\x76\x56\xee\xe5\xcb\xca\xfd\xf4\x7e\xf2\xf7\x46\x44\x5c\xe6\x45\x38\xd3\x06\x7d\x32\xf0\xff\xe5\xfe\xe0\x4d\xf3\x22\xa4\x4c\x5d\x40\x23\x17\x33\x31\x44\x1b\x0f\x4d\xe0\x9d\x37\x37\x28\x78\x03\x39\x76\x60\x57\xb8\xe2\xff\x45\x42\x5e\xda\x45\x0e\x1b\x42\xe6\xd9\x42\xf6\x64\xc1\x3c\x33\x87\x0b\x1c\x2f\x9f\xd0\x38\x1b\xfe\x6f\xed\x0a\x5e\xda\x69\x83\x27\xa8\xfc\x03\x6c\x07\x00\x44\x34\xaa\x42\x5f\x20\xb5\x79\x22\x42\xbd\x39\x66\x2c\x8f\x32\xc5\xdb\x66\xfa\xc9\xcf\x4b\x83\x5b\x51\xe2\x6b\xc9\x34\x15\x6f\x30\x35\x08\x38\xa4\x62\xfd\x7a\x5b\xd3\x0c\xc6\x2c\xa7\x2b\x91\x80\xc3\x23\x98\x53\x1a\xde\x52\x97\x17\x96\xcd\x2b\x94\x22\xf3\x58\x94\xd1\x9e\x9c\x25\x33\x08\x5a\xaa\x65\x33\x46\x54\x3a\x90\x8e\x21\x57\x20\x96\x57\xac\xf2\xa8\xd3\xcd\xe5\x82\x6a\xf0\x06\x4c\x29\xe4\xf6\x95\xcd\xf6\x38\xcf\x01\x74\xdd\x2c\x0c\x6b\x26\x50\x15\x62\x9a\xca\x41\x73\x00\x51\x5b\x6f\x5d\xff\x3e\x34\x1d\x23\x87\xab\x0e\x28\xa2\x87\xea\xc6\x9a\x61\xd0\xc7\xe6\x80\x46\xb9\xae\x25\xd7\x0c\xcf\x30\x14\x3a\x3f\x46\x9f\xdf\x51\xee\xa5\xe8\xb2\x10\xb8\x86\x03\xfc\xb8\x40\xab\x20\xd9\x9c\xda\x4a\xe1\xfb\xba\x2c\xc3\x79\x55\xb5\x93\x96\xa5\x0a\x40\x49\x59\x5f\x20\x69\x71\xbf\x14\xdd\x45\x9e\xf6\x6e\x33\x4d\x1c\xcc\x0e\x95\x43\xab\x0c\x01\x78\x0d\x53\x29\x6c\xee\x8c\x38\x1a\xea\x76\x32\x4d\x6e\x59\xb7\xea\xf6\x01\xf8\x04\x1e\xce\xbb\x5d\x20\x7f\xb8\x93\x34\xc6\x0d\xef\x18\x69\x7f\x62\x67\xf0\xad\x1d\x4a\xb7\x98\x09\x70\xa6\x70\x8c\xc0\x1a\x46\xd2\x1e\xcf\xa5\xb1\x6f\x49\x40\x1e\xf5\x94\x4e\x91\xab\x15\x16\x8f\xda\x74\x4b\xa8\x22\xa1\xd1\xa7\x90\x64\x7d\x53\x3d\x68\x01\xe4\x2b\x9a\x5e\xba\x17\xa2\xc7\x91\xac\x91\x86\xf0\xa5\xd0\x85\x12\xe8\x49\x51\x7e\x63\x2a\x0f\xc6\xfa\xa0\x56\x56\x1d\x5a\x0f\x61\xb7\x15\x98\x81\x5c\x8a\x72\xa9\xb1\x01\xf4\x3f\x4f\x01\x0a\x88\xcb\x53\x27\xa2\x41\xf1\x95\x48\xf1\xa7\xca\x86\xe0\xcc\x2c\x8d\x02\xfc\xa4\x07\xca\xd4\x3d\x39\x54\xa6\x7c\x57\x8b\x68\xdd\x44\x4d\x40\x5a\x51\x87\xb8\x22\x26\xdf\x86\xb5\x5b\xce\x3c\x43\x7b\xa0\x0e\x33\xa8\xf8\x55\xeb\x54\x2e\x47\xa9\xaf\xcb\xa8\x1d\x2a\xa3\xea\x2e\x78\x23\xb9\x7e\x02\x32\xcc\xaa\x6c\x7d\x6c\x0f\xb9\x6e\x44\x76\xbd\x3a\x1c\xf9\x8f\xee\x09\x7e\xc7\x53\xff\xe8\xa8\x2e\x9e\x0e\xb5\xe9\xa5\xe6\x5b\xf9\x20\x44\x8a\x00\x18\x98\x77\x08\xb9\xd1\x8c\xa6\x22\xe6\x10\xf7\x06\x75\xd0\xef\xc7\x70\xe6\x10\x0d\x5a\xb2\x5d\xf3\x08\xbc\xd8\x80\x98\xc8\x68\x08\x8c\xb9\x90\x2a\x66\x7c\x1b\xea\x7d\x75\x84\x78\x2c\xdd\xe2\x89\x48\xa6\x74\x4a\x5b\x56\xc8\x43\x81\xc2\xe0\x90\xca\x01\x77\x19\x60\xca\x68\x5c\xf0\xc0\xdb\x72\xc1\x83\x80\xb3\xb3\xa5\x7c\x64\x17\xb9\x55\xc5\xa1\x8f\x06\xff\xe0\xb4\x65\x19\xa8\xd7\x23\x43\x87\xe9\x84\x43\xf1\x47\x3e\xe7\x91\x7d\x86\x8c\x03\xbd\xaa\xa7\x0d\x37\x87\xa8\x98\xaa\xa1\xf1\x32\xea\xc5\xa1\x5e\xb1\xac\xfc\x3f\x00\x53\xa4\x1f\xaf\x9b\x4f\x0a\xce\x65\x3c\x45\x1f\x2c\x50\xf8\x06\x9a\xc3\xd7\xf6\x28\x4b\x71\x36\x5e\x65\x3a\xa3\x92\xe7\xa5\x8d\xa9\xcd\x6d\xb0\x60\xe4\x78\xa7\xa9\x48\xab\x5f\xb1\x97\xf5\x23\x68\xdc\xff\xa4\x17\x3c\xe9\xcd\xcc\xcf\xc1\x7f\x16\x9f\xa4\x9c\x11\xb3\x73\x57\xbe\x4b\xa5\xb1\x55\xa2\xd9\x01\x4c\xd2\x02\x86\xcc\x67\x5a\x80\x4a\xa6\x6f\xad\x20\x20\x04\x63\x53\xfe\xb1\x91\x73\x7a\x56\xb1\x57\xa6\x91\x4a\x4e\x2b\xfa\xd4\x5e\xf0\x82\xff\xe2\x81\x4f\x4d\xb4\xc7\xce\x22\x22\x44\x65\xae\x97\x2e\xca\xac\xcf\x94\x4b\x12\x87\xbe\xee\x0e\x7c\xe0\x7e\x52\x60\x74\x9d\x35\xea\xc6\x19\x6f\xf9\x7d\x73\x9d\xd2\xae\x7c\xc4\x1b\x9f\xa8\xa7\xf6\x91\x43\x13\xe5\x9b\x42\xec\xfd\xaf\xf6\x06\xe7\x46\xff\xa4\xc3\x4c\x6a\x23\xb7\x08\x6f\x2d\x4a\xc7\xe1\xcc\xcf\x35\x63\xf1\x4f\xef\xd9\xf6\xce\x6f\xd5\x3b\xbf\xaa\x43\xf1\x49\x70\x70\x74\x24\x7e\x38\xd5\x75\xf2\xe2\xf3\xf1\xe2\xb2\xed\x8f\xde\x42\xb0\xfc\x13\x76\x3c\xf4\x89\x2d\xc6\x43\x3b\x97\x2d\x2a\xbe\xb4\xbe\x17\xfd\x0e\xff\xb6\x49\xd3\xf1\x46\x55\x61\xfd\xb3\xfd\xe4\x86\x11\x66\xc8\xcc\x03\x0b\x27\x62\x96\xe5\x51\x0b\xd0\xbd\x16\x72\x91\x72\x07\x0c\xec\x79\x12\x7c\xb0\xe6\xa0\x68\x94\xfc\xee\x74\x36\xca\x96\x1d\xe2\xf6\x99\x07\x16\x1a\x84\xcc\xc0\x1f\xf4\xc4\xb1\x05\x1a\xca\x3b\x36\xc8\xd9\x5e\x3e\x33\x8a\xb1\x5d\xb6\xfc\xb0\x3c\x5e\x55\x39\xdb\xab\x6f\x95\xe6\x0c\x78\xcb\x9b\xea\x7d\xe8\x61\x2a\xd9\xd4\xa9\x00\x77\xa1\x7e\xe8\x95\x20\x7b\x7f\x74\x2f\xf9\x7c\x09\x0c\xf6\xa9\x5a\xf0\xd4\x36\x30\xd8\x68\x60\x30\xb6\x9a\x71\x14\xc4\xa6\x14\x44\x40\xa6\xb5\x17\xf6\x93\x35\xb2\xaf\xcf\xd2\x1c\x16\xb2\x7f\xc1\x38\xb1\xdf\x59\x5b\x04\xcc\x2e\xf5\x8b\x16\x95\x75\x86\x73\xae\x4d\x45\x2f\xca\x73\xed\x9f\x0c\x4b\xd4\x23\x7d\x93\x1c\x40\xd5\x0a\xe6\x26\x96\x43\x76\x52\xa4\xfa\x27\xb9\xda\x0f\x67\x21\x3b\x5a\x87\xd7\xe0\x78\xe0\xc8\x97\x7d\x92\x66\xe3\xd1\xa0\x41\x17\xa2\x5e\x14\xb3\x34\x1e\xd4\xed\x3e\x96\xf7\x49\xe3\x4a\x37\x08\xf4\xdd\x47\x02\x7a\x50\x00\xf2\x37\x48\x73\xcc\xd9\x0a\x57\x5e\x69\x44\x4a\x47\x2b\xf3\x90\xeb\x66\xfe\xb6\x0d\x8f\xf5\x82\x17\xfc\x67\x85\x4c\x38\xa0\x41\x9e\x16\x1c\x8e\xe6\x88\x8e\x05\x25\x84\x1c\x85\xc9\xa0\x64\x99\xb6\x2b\x30\x59\x60\x1a\x42\x03\x6b\x8e\x5f\x00\x00\x5a\xa3\x13\x13\xb6\x2e\x10\x16\x9c\xd6\x33\x36\xcb\xff\x87\xbd\xe0\x03\xde\x39\x4c\x25\x2d\x2b\xbd\xfa\xa5\xaa\x0a\x47\xa8\x2a\x7a\x70\xa6\xc7\x1e\x16\x89\xb5\xfc\x87\x4b\xbb\x2e\xb5\x20\xff\x59\x8d\xfc\xfd\x51\xb9\xd1\xb0\xd7\xce\xcd\xa3\xc3\xdd\xff\xdd\x5a\x70\x9f\x7b\xc9\xce\x8e\xce\xab\x94\xf2\x70\xc4\xc5\xfb\xe9\xdc\xbc\xf2\x74\x66\xe8\xe4\x31\xa7\x7e\xd7\x7d\xf7\x3f\x3d\xf2\xa2\x47\xae\xca\xa3\x1e\x17\x45\xae\xeb\x06\xbf\x62\x52\x9c\xff\xa3\xe7\xfe\x54\x81\x4c\xd1\xa5\x83\xe6\xbd\x73\xf3\xa8\x84\xf4\x5b\xe5\x08\x2c\x0f\xc0\x59\x61\x79\xb7\xcd\xd9\xf9\xce\x23\xf4\x47\x7f\x94\xde\x7e\xc7\x2d\x37\xdf\x78\xe4\xc8\x41\x29\xf9\x47\x69\xc8\x06\x87\xa4\x5e\xd1\x26\xbd\xf6\x56\xdc\x71\x07\x0d\xf4\x4b\x82\x12\xa2\xcc\x1c\xb7\x8e\x1e\xb9\x45\xb5\x71\x03\xed\x8a\x22\xcd\x2a\x0b\xe2\x7b\xf5\x09\x2b\x90\x67\xa1\x2e\x09\xf1\xa2\x33\xff\x3f\xd4\x83\x69\xe7\x8a\x2e\x14\x32\xf8\x69\x50\x3e\x08\xc5\x4c\x58\xe6\x65\x9d\x94\xdd\xc1\x7e\x97\xbf\x6d\x8f\x6f\xd5\x1e\x7f\xac\x46\x76\x87\xe9\xe0\x6c\x91\xf8\xbf\x5c\x0b\x5e\xf6\x10\x53\x07\xc7\xa3\x5e\x45\xd2\xe9\x89\xd0\x44\xf8\x9d\x72\xac\x66\xa9\x15\x90\xd2\x49\x47\x9c\xa0\x24\xda\xfa\x54\x7c\x95\x72\x81\x44\x2b\x2a\x40\x9e\xf2\x0c\xf4\x5c\x62\xce\x84\xa6\x56\x1c\x06\x2e\x11\xb4\x5d\xa4\xe0\x43\xe9\xa7\xa2\x25\xd7\x42\xd2\x29\x0f\xe9\x2a\x3c\x3a\x0a\x60\x7a\x26\x8e\x01\x52\x5a\xbe\x18\x20\x9f\xb3\x9c\x75\xac\x22\x72\xd5\x1c\x0f\xd7\x88\xb8\x7c\xa3\x46\xfc\x4e\xca\x5a\x7c\x9e\xa7\x91\x08\xf5\xa2\xfe\x42\x4d\x97\x00\x7d\x1c\x76\xcb\xd0\x8a\xe7\x8d\x2a\x01\x56\xa4\x0b\xa6\xfe\xd7\x94\xeb\x4d\x02\xe4\x5c\x2e\xf5\x87\x79\x2a\xac\x79\xc1\x56\x68\xd4\xeb\xf1\x30\x62\x39\x8f\x07\x23\x72\xf1\x92\x28\x76\x77\x14\xf8\x1c\x39\x65\x91\x08\x4d\xe4\xaa\xf4\x58\x82\xca\xd1\x43\x54\x64\xb2\x93\xb6\x2b\x83\xc9\x27\xf5\x07\xa9\x97\xb4\xdd\x28\x6e\x03\xfb\xd9\xe3\x2c\x19\xd9\x47\x47\x93\x6c\x1f\xcd\x36\x7f\x34\xfb\x7c\x8d\x5c\x23\xd2\x7e\x97\x25\xb3\x50\x12\x29\xbf\x5a\xaa\xc1\xc7\x6a\xb3\x86\x96\x6c\x9a\xf6\x91\x68\x0c\x89\x58\x38\x9d\x4f\x45\x9f\x75\x40\x5a\x31\x6d\xa4\x6e\x7b\xa8\xf5\xc4\x5b\xbc\x66\x51\x42\x8f\x36\xde\xd8\xa0\x0b\x28\xbd\x28\x4a\xea\x75\xa6\xe4\xb6\xc9\x29\xf6\x04\xc6\xa6\x0d\x6c\x34\x87\xc1\x6e\x41\xe1\x0b\xf0\xd7\x80\xb6\xa3\x04\xca\xa9\x52\xf3\x2a\x16\x86\x60\x09\x1f\x4e\x79\x4f\xac\x94\x50\xd5\xbc\x2c\xf7\x33\x0f\x61\x08\xb7\x41\x4f\x44\x8a\x53\xd7\x74\x5c\xa4\xc3\x5f\x66\xca\x50\x79\x5e\xd2\x63\x34\x45\xde\x75\xe1\xee\x9f\xf3\xc8\x95\xf2\x6b\x45\x82\x08\x16\x99\xff\x6f\xbd\x4d\xa5\xf8\xcd\xdb\x8d\x04\xb1\x2e\x8b\x51\xd1\x5f\x80\xac\x06\x95\xc0\xd4\x0e\x87\x69\xb5\x1a\x4f\x52\x14\x68\x46\xcb\x4e\xf6\x45\x06\x85\xcf\x75\xca\xe8\x8d\x47\x6e\x95\x27\x52\x88\x96\xea\xac\x58\x3d\x76\x3a\x89\xaf\x41\xfe\xef\x0e\x72\x6d\xbf\x3a\x00\xfe\x8b\x3b\x82\x17\x76\x3c\xa0\x18\x88\xa5\x36\xed\x8a\x55\xda\x61\x69\x93\x75\xb8\x5d\x9c\x62\x54\x22\x32\x5d\xcb\x49\x1c\x39\xc4\x67\x2a\xd2\x36\x7e\x84\xf1\xdc\xa9\x54\x8e\xa2\xb1\x06\x90\xb5\x16\xec\xf3\xea\x2c\x05\x47\x58\x88\xa0\x1b\xb1\x90\xd6\xb3\x3a\x72\x98\x6c\x69\x6b\xfe\x75\x0e\xa3\x5e\xfc\x53\x3a\xf5\xac\xf2\xb2\x06\x9d\x69\x49\x73\x12\xd2\x9b\xed\x7d\xe1\x00\x7e\xc3\x01\x3a\xa5\x24\xd6\x95\xe8\xec\x36\x7a\xe0\x18\x6b\x2d\x77\x52\x51\x24\xa1\xbc\x0b\xc3\xde\x10\x75\x74\x07\x4e\x40\x6c\x55\x29\x38\xb7\x11\xfd\x05\x4d\xd3\xd2\x6d\xf4\xc0\x49\x91\x72\xab\x59\xda\x62\x59\x8b\xa9\xc8\x5c\x49\xf3\x8d\xed\x61\xac\x72\xb8\xc1\xb6\x69\xa3\xe1\x24\x0d\xfe\x8f\xd7\xae\xef\xef\x78\xf6\xb5\xfe\xbf\x7f\xed\xa8\xbc\x41\xc7\x24\xab\xb8\x39\x4a\x0f\x49\xa8\x48\xc7\xab\x95\x03\x6b\x3f\x3d\x1e\x56\x6e\xc2\x06\x87\x3b\x80\xfc\x4d\xe9\x48\xe4\x9c\x8d\x7d\xca\x26\x5b\xc2\x0f\x99\x9a\xe0\x95\xe5\xc7\x3a\xc4\x60\xea\x55\x53\x6b\xfe\xba\x81\x8e\x94\xcd\x6c\x7e\x6c\x26\x7c\x19\x5d\xe7\x65\xe3\x38\xff\x6d\xff\xda\xb8\x09\x1e\x7f\xcf\xda\x5f\x3d\xf9\x63\xd7\x13\x87\x77\xba\x04\x76\xde\x9c\x1c\x6d\xb6\x09\xfd\x05\xa3\x87\x6a\x2d\x64\xa8\x71\x43\x37\xf9\x33\x6b\x0e\x65\x91\x8b\xac\xc5\x62\x69\x5c\x6c\x74\x24\x36\xf0\xe0\xf5\xc3\xdf\x7f\x3d\xce\x0e\x9d\xbc\x41\xf3\x6e\xe0\x8d\xd8\x58\x77\x27\x7e\xa4\x32\x3e\x56\x7e\xd9\x46\x96\xe9\x26\x56\xd7\xa8\x37\x95\xdd\x10\x22\x0d\x55\x92\xd3\xa6\x04\x77\x93\x0d\x6c\x42\xef\x0d\x61\x87\x4e\xad\x8b\x2a\x3a\xf9\x74\x40\x62\xc3\x06\x27\x62\xb3\x8f\x4e\xfc\xed\x95\x89\xb4\xc8\x26\x9d\xf5\xce\xe2\x7e\xd7\xbe\xcf\xce\x46\x2d\x89\x25\x27\x5b\xfd\x9b\x78\x76\xad\x61\x05\xb2\x08\x65\x45\x4d\xde\x88\xfa\xa0\xb2\x15\xe5\x04\xd9\x54\x8f\x4c\x63\x1b\x10\xb5\x21\xf2\xe5\x4d\xcc\xd6\xa8\x36\xf4\x4f\x22\x1c\x2a\x9a\x9c\x48\xd4\x36\xf8\x60\x75\x1c\x37\xf8\xf8\x26\xd6\x28\x4e\xf5\x9a\xb6\x9a\xba\x65\x1d\x39\x5c\x1f\xd8\x70\x62\x5b\xb1\xba\x3c\x36\xda\xf4\x5a\x1f\xb3\xf1\xb6\x36\x30\x98\x65\x56\xd9\x90\x04\x0d\xff\xb4\x11\x71\x18\xff\x3d\x93\xb6\xbb\x5e\x09\xf0\x44\xd2\xbc\xf1\x67\xab\x02\xbd\xf1\x16\x54\xdd\xf1\x7b\xa8\x93\xd0\xa5\x54\xf8\xca\xd1\xc6\x09\xf9\x97\xff\x97\xaf\x0f\x3e\xbd\x03\xfe\xd4\xf9\x1f\x18\x74\x04\x97\x2e\xdc\x0c\xc9\x76\x48\xfb\x38\x94\x77\x9f\xd3\x0e\x4f\x78\x0a\x59\x72\x21\x47\x56\x76\xc8\xcd\x43\xec\x1e\x84\xa9\x32\x61\x53\x1d\xf3\x83\x2e\x68\xdc\x8d\x38\xea\x45\x08\xaf\x98\xa3\xef\x06\x51\x01\xe1\xc4\x9a\x46\x9d\x8e\x3e\xbe\xaa\xaa\x65\x3c\x3c\xf3\x15\x11\xaf\xe8\xcc\x56\xf0\xec\x63\xab\xb4\x25\x92\xac\xe8\x59\xee\x67\x4c\xb7\x89\x07\x1a\x00\x23\x8f\x7a\xca\x13\x6a\xbe\x4f\x41\x97\x63\xe9\x88\xaa\xac\x4d\x79\x1b\x4e\xf9\x90\xfd\x22\x1b\x55\xe1\x1b\x40\xab\x8c\x07\xe0\x51\xc3\xde\x41\x02\x9a\x0a\x84\xe4\x51\x52\x00\x6b\x20\xdc\x8d\xd9\x5e\x38\xe0\x3a\x53\x94\xe5\xf4\xac\x29\x50\x5c\xb1\x31\xba\x9a\x1c\x59\x01\x75\xfd\x81\xaa\xfc\x5d\xe1\x75\xda\xe4\x59\x3e\xc5\xdb\x6d\x91\xe6\x75\x88\xac\x62\x6a\x21\x8b\x11\xff\xed\x82\xb7\x0f\x5e\xb2\x18\x55\xd2\xd8\x9e\x7d\x1d\x79\xce\x23\xd7\xe2\x94\x46\x49\x67\x2e\xc9\x72\x96\xb4\xb8\xff\xb4\x17\xfc\x9a\x37\x74\x59\xe7\x95\x94\x71\x2b\x2b\x19\x3f\x52\x37\xd5\x29\xa4\x56\x2e\xa9\x70\xf7\xd4\xf9\xc1\xc3\xed\x25\xa7\x76\xb2\xac\xbd\xc0\xd4\x33\x48\xca\xe3\xab\xfa\x73\xe5\x5c\x2a\x38\x38\x94\x80\x1c\x13\x65\x8f\x5e\x7f\x8b\x94\x97\x94\xb5\x72\x9e\xba\x49\x5c\x5f\xf2\xc8\x6e\x04\x56\xf4\x3f\xeb\x05\x9f\xf0\x14\x86\x63\xa4\x91\x4e\x95\x37\x86\x65\x50\xa4\x93\x1c\x56\x3c\x80\x29\xef\xb0\x54\x27\x58\xa2\xf7\x43\x5f\xd0\xb1\x0a\xc4\x3e\xab\x16\x76\xbf\xc2\x9f\xb3\xed\xbc\xdd\x46\x49\x73\x50\xd2\xbe\xec\x91\x3d\x29\x8f\xe5\x28\xcb\x6f\x5a\x3f\x69\xb7\xca\xc4\xf4\xa8\xa7\x1e\x37\x69\xff\xba\x00\x05\xc3\x2a\x2c\xd5\xe0\x2c\x20\xbe\x50\x54\xd0\x12\xbd\x7e\xcc\xcf\xab\xd5\x93\x35\xe8\x09\xb9\xae\x21\x92\x58\x5d\x27\x96\x22\x36\xbc\x3a\x52\xeb\x19\x7f\xac\x68\x53\xdd\x01\xb5\xb2\xc8\xa7\x3c\xf2\x1a\xa3\x61\xca\xd4\x20\xff\x83\x5e\xf0\x1e\x6f\xc4\x0f\xa3\xca\x70\x6c\x3e\x57\xb9\xd0\x39\x86\xfa\x15\x81\xd0\x0a\xc4\xdb\x4a\x6d\x54\x06\xc6\x95\x6e\xda\x88\x5a\xaa\x02\x2c\x5d\x5d\xba\xf2\x8f\x8b\x22\xb1\x39\x47\x2b\xbf\xe8\x8e\x5b\xbe\x7f\x95\x38\x9f\x65\x98\x9a\xde\x64\xad\xe5\x55\x29\x62\x72\xc8\x59\x1e\x21\xf0\x22\xee\x08\x6a\x46\xd5\xee\x05\x75\xe0\x4e\xa0\xe7\x09\x8f\x5c\x53\xb6\xac\x72\xa1\xde\xed\xad\x81\x87\xae\x65\x04\x5a\xc4\x07\x02\x56\x6d\xe2\x92\x77\x9a\x3c\x5e\xc2\x65\x7c\xc0\x0b\xde\xe5\xa9\xca\x76\xd0\xd1\xaa\x4c\xa6\xa2\xa6\xb5\xf6\x75\x11\x48\x5e\x61\xdd\x7b\xc1\x23\xbb\x33\x9e\x46\x3c\xf3\x1f\xf1\x48\x63\xec\x28\x56\xcc\xa4\x05\x78\x24\x78\x2b\x3e\x0a\x2e\x79\xc0\x1f\x00\x98\x6e\xf9\x71\x38\x14\xea\x67\x90\x4f\xb4\x2d\xac\x64\x09\xd9\xf7\x28\xc6\xf2\xe7\x03\x25\xc8\x6f\x2e\x12\x7c\xba\xb1\x1d\x9a\xdf\x6a\x68\xfe\x7d\x1e\x29\x4d\x21\xff\x17\x3c\x72\xfb\x26\xb6\x87\x53\x51\x2b\x15\xb2\x81\x60\xce\xb4\xa5\xd7\x0b\x98\xa6\x0a\xac\x59\xeb\x20\x90\x68\xa4\xb1\x17\x4d\x38\xb3\x87\x5a\xb4\x53\x53\x2e\xfa\xac\x47\x76\x4a\xf3\xd8\x7f\xc6\x0b\x9e\xf0\xe4\x5f\xb8\xe7\x6f\x01\x7e\x87\x9e\x62\xe7\xa3\x1e\x8b\x69\xcc\x93\x4e\xde\xd5\xf7\xeb\xb6\x8f\x2e\x1f\xc3\xe0\x52\x1c\x35\x53\x06\x72\x59\x5a\x9a\xfd\x94\xf7\x99\x4a\xa5\xeb\xb2\x24\x2c\xa3\x3d\x45\x5f\x5e\xbb\xf9\xc6\xe5\x63\xce\xba\xf9\x64\x8d\xec\x33\xdb\x82\xff\x64\x6d\x13\x9b\xd4\x5f\x78\xe5\xbe\x62\x2a\x47\xac\x38\xbf\x35\xa2\x72\x68\x9a\x18\xd9\x4b\x70\x49\xb7\x18\xf0\xc2\xc1\xc2\x49\x14\x3f\x3d\x35\xdb\x88\x63\xa8\x1a\xf0\x64\xb5\x39\x9c\xe5\xfd\x38\x6a\xb1\x05\x9e\x1f\x1f\x75\x97\xf5\x7b\x56\x96\x50\x70\xdd\x0f\xbd\xe7\x34\x39\x40\x52\x4b\x7d\xc3\x5a\x72\x35\x2b\xf8\x78\x0b\x89\x97\x59\x4d\x99\x7d\xf0\x13\x1e\xd9\x09\xd0\x01\x1f\xf1\x82\x5f\xf1\x74\x7a\x64\x6e\x31\xe4\x59\xef\x3b\x78\x5a\x1a\xfd\x71\x9d\x3e\xc0\x80\xbf\xff\x50\x1d\xd4\x1d\x72\xd5\xb5\xf4\xe4\x61\xe8\x57\x87\xb6\x00\xfe\xf7\x12\x58\xb2\xce\x74\x7f\xd6\x23\x7f\xbb\xdc\x1b\x4e\x4a\xe1\x96\xcb\x20\xcb\x59\xaf\xef\x3f\xee\x8d\xa7\x5f\x5a\x63\x5d\xc1\x92\x8a\xc6\xb5\x7a\xe9\x77\xa4\xff\xe4\x91\x1f\x29\x5b\xbb\x97\xd9\x9f\xf0\xaf\xb6\xf0\x09\xdd\x31\x8d\x5e\xf2\x2f\xb8\xe8\xfd\xc3\xf5\xc3\x93\x37\xf9\x37\x68\x4f\x0b\x3c\x3a\xce\xc3\xe2\xba\x6e\xc9\x6f\xec\x26\xf5\x91\x38\x7c\x0d\x4c\xb5\x9c\xc9\x73\xd6\xea\xf6\x8c\x09\xe1\xbf\x63\x77\xf0\x47\xde\xe8\xdf\x5c\xbc\x54\x3b\xe3\xb5\x54\x38\x0c\x9e\x91\x9a\xf1\x6c\xd4\xe9\xe6\x34\x11\xab\x98\x14\x6d\xb2\xb8\xef\x57\x69\xcf\x0a\x63\x53\x3f\x40\x57\x22\x56\x42\xa3\xaa\xab\x69\xdd\x42\xbe\x5e\x45\x76\x09\x0c\x38\x43\xa6\x76\x94\xc4\x51\xc2\x4d\x22\x75\x94\x40\xa5\x27\x64\xce\xb6\x72\x70\x05\x18\xa8\x12\xf5\x36\x84\x2e\xb2\x8e\xce\xff\x62\x27\xf9\xcc\x0e\x72\x0d\xb6\xa4\x12\xd1\xfb\xbc\xe5\x3f\xb5\x63\x02\xb6\xd4\x32\x33\xbd\x7c\x32\xf8\xf3\x5a\xb5\x31\xab\x7e\x2e\x8e\x41\x74\x6c\xbc\xaf\x84\xb7\x78\x96\x31\x2c\x46\xc4\xef\xc6\x34\x22\xed\x8a\x50\x03\x6d\xd5\x2a\x31\x05\xef\xa9\xbe\xdf\xce\x9f\xaf\xa2\x1b\xf5\x45\xbf\x50\x06\x7b\xa2\x30\xbf\x65\x07\x8e\x2f\xcc\x9d\x8a\x3a\x2a\x2b\xab\xcd\x99\xd1\x2d\xa5\xc2\x4e\x59\x92\xc5\xa5\x74\x67\x9a\xc2\x7d\xec\xab\x31\xff\x69\xd4\x98\x54\x3b\xd5\xe4\x39\x9b\x8a\xa5\x09\x80\xa6\x5d\x86\x9d\xeb\x0a\x44\x68\x50\x50\xab\x3c\x55\xb9\x75\x3c\x41\x28\x92\xb1\x1d\x27\xa7\xc8\xdf\xec\x57\xde\x0b\x10\x00\x37\x05\x07\xed\xa2\xbe\xe1\x41\x35\x43\xee\x68\xc5\x5f\xd9\x43\x5e\x3f\xca\xd2\x4e\x56\xee\x67\xa9\x5a\x27\x2f\xef\x0e\x6e\xb7\x2f\x54\xf8\x62\xf1\x9a\x1e\x6e\x53\x66\xcf\x12\x8a\x0f\xb9\x52\xf8\xd4\x6e\x12\x91\xab\x31\xc3\xf6\x14\xeb\xdf\xc3\x07\x67\x79\xdb\xbf\x7f\x02\x11\x3c\x6e\x3d\xb3\xc0\x31\xef\x22\xf8\xbb\xf8\x97\xec\xc8\x32\x1f\x20\x83\x8c\xb9\xb1\x41\x7e\xad\x46\xf6\xc2\x5c\xc8\x97\xbc\xbb\x46\x6e\x9c\x70\x8b\x07\xec\x03\xf3\x92\xaf\x79\xe5\x5b\x0c\x53\x8d\xaa\x9d\x9d\xd6\x75\x01\xd6\x29\x5b\x1e\xf8\xea\xee\xbf\xaa\xd4\x71\xc9\x5c\x44\x9e\xdb\x9f\x3c\x70\xfb\x3d\x27\x1e\xbc\xf3\xc0\x5b\x97\xec\xdf\x60\x53\xc3\xfc\x4a\xfb\x86\x4c\xca\x57\x22\x42\x98\x70\xf5\x6f\xe6\x94\xe8\xa9\x1f\x10\xd9\x03\xf1\x99\xcd\xbf\x7d\x11\x56\xff\xcb\x1a\xe4\xf1\x1a\xb9\x46\xdb\x9d\x27\xf5\x40\x3d\x52\x23\x37\xaf\x3b\x50\x67\xed\xa7\xcc\x50\xfd\xbe\x35\x54\xc6\xb3\x63\x9d\x7d\xa1\x16\x65\x1a\x17\x81\xb1\x77\xd1\x61\x9a\x29\x56\x00\xe5\xb1\x39\x88\x17\x1b\xad\x7e\x51\x57\x37\x34\x7a\xbc\x27\xd2\x81\xf9\x97\xf7\xbb\xbc\xc7\x53\x16\x4f\x29\x65\x5f\x37\x8f\xe3\x63\xe6\x3f\x7c\xd0\x79\xc1\xf0\xd3\x87\xc6\x71\xe7\x36\xc8\x0a\xb9\x02\x01\x34\x94\xbc\xb6\xc9\xf5\xeb\x0e\xd0\x82\x7e\xc0\x0c\xce\x91\x11\xc2\xaa\x70\x39\x22\x1b\xcb\xd8\x08\x0c\xf9\xe3\xfd\xe4\xef\x8c\x68\xda\xd4\xde\xfa\xcf\xed\x0f\x4e\x95\x95\xb8\x2a\x7b\x1a\x96\x65\x4b\xf4\x71\x55\xc2\xcf\x0d\x7a\x2e\x83\x89\x30\xc5\xdc\xe6\x25\x99\x0d\x0d\xe7\x2e\xd6\x47\x09\xf9\x56\x09\xa6\xf8\xc2\x24\x7e\x1c\xd3\x19\xc4\x20\x0b\x3e\xa4\xe1\x17\x5d\x84\x18\x35\xca\xd6\x51\x80\x51\xf3\xe8\xe5\x46\x5e\xdc\x3e\xa5\x6e\xf5\x94\xba\xed\xff\xdd\xf6\xff\x3a\xfe\xdf\xaf\x7a\x64\xa7\x5c\x65\xfe\xef\xad\xe5\x92\x1a\x56\x1a\xd2\xac\xbc\xe0\x29\xa4\xc1\x72\xd5\x35\x79\x97\xad\x44\x22\xd5\x5b\xc9\xab\xa6\x2a\x2e\x7a\xf7\xad\x7f\x80\x69\xf8\xf5\x51\xd9\x95\xa6\xd3\x95\x03\x4d\xf3\x5a\x72\x35\xd9\x7f\x8c\xb3\x94\xa7\x8b\x62\x99\x27\xfe\xdf\x78\xe8\x0c\x39\xe5\x5e\xba\xd3\xbf\x9d\xec\x66\xfd\xe8\x1e\x3e\xf0\xaf\x74\x62\xd6\xd7\xed\x46\x20\xa3\xe0\x75\x78\x3f\x85\x07\x2a\x39\x69\xff\x3f\x00\x00\xff\xff\x78\xfb\xb7\x2b\xa3\xf0\x34\x00")
+
+func kubernetesapiV1_21_2SwaggerPbBytes() ([]byte, error) {
+	return bindataRead(
+		_kubernetesapiV1_21_2SwaggerPb,
+		"kubernetesapi/v1_21_2/swagger.pb",
+	)
+}
+
+func kubernetesapiV1_21_2SwaggerPb() (*asset, error) {
+	bytes, err := kubernetesapiV1_21_2SwaggerPbBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "kubernetesapi/v1_21_2/swagger.pb", size: 3469475, mode: os.FileMode(420), modTime: time.Unix(1658180420, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+// Asset loads and returns the asset for the given name.
+// It returns an error if the asset could not be found or
+// could not be loaded.
+func Asset(name string) ([]byte, error) {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	if f, ok := _bindata[cannonicalName]; ok {
+		a, err := f()
+		if err != nil {
+			return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err)
+		}
+		return a.bytes, nil
+	}
+	return nil, fmt.Errorf("Asset %s not found", name)
+}
+
+// MustAsset is like Asset but panics when Asset would return an error.
+// It simplifies safe initialization of global variables.
+func MustAsset(name string) []byte {
+	a, err := Asset(name)
+	if err != nil {
+		panic("asset: Asset(" + name + "): " + err.Error())
+	}
+
+	return a
+}
+
+// AssetInfo loads and returns the asset info for the given name.
+// It returns an error if the asset could not be found or
+// could not be loaded.
+func AssetInfo(name string) (os.FileInfo, error) {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	if f, ok := _bindata[cannonicalName]; ok {
+		a, err := f()
+		if err != nil {
+			return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err)
+		}
+		return a.info, nil
+	}
+	return nil, fmt.Errorf("AssetInfo %s not found", name)
+}
+
+// AssetNames returns the names of the assets.
+func AssetNames() []string {
+	names := make([]string, 0, len(_bindata))
+	for name := range _bindata {
+		names = append(names, name)
+	}
+	return names
+}
+
+// _bindata is a table, holding each asset generator, mapped to its name.
+var _bindata = map[string]func() (*asset, error){
+	"kubernetesapi/v1_21_2/swagger.pb": kubernetesapiV1_21_2SwaggerPb,
+}
+
+// AssetDir returns the file names below a certain
+// directory embedded in the file by go-bindata.
+// For example if you run go-bindata on data/... and data contains the
+// following hierarchy:
+//     data/
+//       foo.txt
+//       img/
+//         a.png
+//         b.png
+// then AssetDir("data") would return []string{"foo.txt", "img"}
+// AssetDir("data/img") would return []string{"a.png", "b.png"}
+// AssetDir("foo.txt") and AssetDir("notexist") would return an error
+// AssetDir("") will return []string{"data"}.
+func AssetDir(name string) ([]string, error) {
+	node := _bintree
+	if len(name) != 0 {
+		cannonicalName := strings.Replace(name, "\\", "/", -1)
+		pathList := strings.Split(cannonicalName, "/")
+		for _, p := range pathList {
+			node = node.Children[p]
+			if node == nil {
+				return nil, fmt.Errorf("Asset %s not found", name)
+			}
+		}
+	}
+	if node.Func != nil {
+		return nil, fmt.Errorf("Asset %s not found", name)
+	}
+	rv := make([]string, 0, len(node.Children))
+	for childName := range node.Children {
+		rv = append(rv, childName)
+	}
+	return rv, nil
+}
+
+type bintree struct {
+	Func     func() (*asset, error)
+	Children map[string]*bintree
+}
+
+var _bintree = &bintree{nil, map[string]*bintree{
+	"kubernetesapi": &bintree{nil, map[string]*bintree{
+		"v1_21_2": &bintree{nil, map[string]*bintree{
+			"swagger.pb": &bintree{kubernetesapiV1_21_2SwaggerPb, map[string]*bintree{}},
+		}},
+	}},
+}}
+
+// RestoreAsset restores an asset under the given directory
+func RestoreAsset(dir, name string) error {
+	data, err := Asset(name)
+	if err != nil {
+		return err
+	}
+	info, err := AssetInfo(name)
+	if err != nil {
+		return err
+	}
+	err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755))
+	if err != nil {
+		return err
+	}
+	err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode())
+	if err != nil {
+		return err
+	}
+	err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// RestoreAssets restores an asset under the given directory recursively
+func RestoreAssets(dir, name string) error {
+	children, err := AssetDir(name)
+	// File
+	if err != nil {
+		return RestoreAsset(dir, name)
+	}
+	// Dir
+	for _, child := range children {
+		err = RestoreAssets(dir, filepath.Join(name, child))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func _filePath(dir, name string) string {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.pb b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.pb
new file mode 100644
index 0000000000..910436fc58
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.pb
@@ -0,0 +1,44195 @@
+
+2.0
+
+Kubernetesv1.21.2BÝè¢
ð&
+/api/v1/limitrangesØ&Ì
+core_v1(list or watch objects of kind LimitRange*$listCoreV1LimitRangeForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J]
+
+401
+
+Unauthorized
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.core.v1.LimitRangeListRhttpsj
+x-kubernetes-actionlist
+jL
+x-kubernetes-group-version-kind)'kind: LimitRange
+version: v1
+group: ""
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

³(
+)/api/v1/watch/namespaces/{namespace}/pods…(—
+core_v1owatch individual changes to a list of Pod. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NamespacedPodList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ñ(
+@/apis/coordination.k8s.io/v1/watch/namespaces/{namespace}/leases¬(¾
+coordination_v1qwatch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.*&watchCoordinationV1NamespacedLeaseList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

÷\
+&/apis/storage.k8s.io/v1/storageclassesÌ\‘&
+
+storage_v1*list or watch objects of kind StorageClass*listStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.StorageClassList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+"‰	
+
+storage_v1create a StorageClass*createStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF
+D
+Bbodybody 
*2
+0#/definitions/io.k8s.api.storage.v1.StorageClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jó

+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+H
+201A
+?
+Created4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+I
+202B
+@
+Accepted4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+*Ø,
+
+storage_v1!delete collection of StorageClass*%deleteStorageV1CollectionStorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ê
+/api/À½
+coreget available API versions*getCoreAPIVersions2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJl
+Q
+200J
+H
+OKB
+@
+>#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIVersions
+
+401
+
+UnauthorizedRhttps©[
+
/api/v1/nodes—[Ü%
+core_v1"list or watch objects of kind Node*listCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

JW
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.core.v1.NodeList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+"³
+core_v1
create a Node*createCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B;
+9
+7bodybody 
*'
+%#/definitions/io.k8s.api.core.v1.NodeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÒ

+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+=
+2016
+4
+Created)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+>
+2027
+5
+Accepted)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+
+401
+
+UnauthorizedRhttpsjF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+j
+x-kubernetes-actionpost
+*®,
+core_v1delete collection of Node*deleteCoreV1CollectionNode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ü(
+;/api/v1/watch/namespaces/{namespace}/replicationcontrollers¼(Î
+core_v1�
watch individual changes to a list of ReplicationController. deprecated: use the 'watch' parameter with a list operation instead.*.watchCoreV1NamespacedReplicationControllerList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ô)
+@/apis/batch/v1beta1/watch/namespaces/{namespace}/cronjobs/{name}�)ë
+
batch_v1beta1®
watch changes to an object of kind CronJob. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J4
+20".
pathname of the CronJob"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

—]
+//apis/apps/v1/namespaces/{namespace}/daemonsetsã\ü%
+apps_v1'list or watch objects of kind DaemonSet*listAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.apps.v1.DaemonSetList
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(version: v1
+group: apps
+kind: DaemonSet
+j
+x-kubernetes-actionlist
+"â
+apps_v1create a DaemonSet*createAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.apps.v1.DaemonSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Já

+C
+202<
+:
+Accepted.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+
+401
+
+Unauthorized
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSetRhttpsj
+x-kubernetes-actionpost
+jM
+x-kubernetes-group-version-kind*(version: v1
+group: apps
+kind: DaemonSet
+*É,
+apps_v1delete collection of DaemonSet*)deleteAppsV1CollectionNamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ó
+;/api/v1/namespaces/{namespace}/serviceaccounts/{name}/token³"ˆ
+core_v1 create token of a ServiceAccount*)createCoreV1NamespacedServiceAccountToken2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BM
+K
+Ibodybody 
*9
+7#/definitions/io.k8s.api.authentication.v1.TokenRequestJˆ
+P
+202I
+G
+Accepted;
+9
+7#/definitions/io.k8s.api.authentication.v1.TokenRequest
+
+401
+
+Unauthorized
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.authentication.v1.TokenRequest
+O
+201H
+F
+Created;
+9
+7#/definitions/io.k8s.api.authentication.v1.TokenRequestRhttpsja
+x-kubernetes-group-version-kind><group: authentication.k8s.io
+kind: TokenRequest
+version: v1
+j
+x-kubernetes-actionpost
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J9
+75"3
pathname of the TokenRequest"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¿(
+=/apis/apiextensions.k8s.io/v1/watch/customresourcedefinitionsý'ñ
+apiextensions_v1„
watch individual changes to a list of CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead.*0watchApiextensionsV1CustomResourceDefinitionList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjl
+x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ð
+/apis/node.k8s.io/v1beta1/ÑÎ
+node_v1beta1get available resources*getNodeV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsþ(
+7/apis/scheduling.k8s.io/v1/watch/priorityclasses/{name}Â(ú
+
scheduling_v1´
watch changes to an object of kind PriorityClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j^
+x-kubernetes-group-version-kind;9group: scheduling.k8s.io
+kind: PriorityClass
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J:
+86"4
pathname of the PriorityClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¿^
+5/api/v1/namespaces/{namespace}/replicationcontrollers…^ª&
+core_v13list or watch objects of kind ReplicationController*)listCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jh
+M
+200F
+D
+OK>
+<
+:#/definitions/io.k8s.api.core.v1.ReplicationControllerList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+"´	
+core_v1create a ReplicationController*+createCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.core.v1.ReplicationControllerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J…
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+O
+202H
+F
+Accepted:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+*ë,
+core_v1*delete collection of ReplicationController*5deleteCoreV1CollectionNamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

õ
+?/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/status±û
+apps_v1(read status of the specified StatefulSet*%readAppsV1NamespacedStatefulSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+Æ
+apps_v1+replace status of the specified StatefulSet*(replaceAppsV1NamespacedStatefulSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.apps.v1.StatefulSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J 

+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+Bú
+apps_v14partially update status of the specified StatefulSet*&patchAppsV1NamespacedStatefulSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+J8
+64"2
pathname of the StatefulSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ß
+/apis/autoscaling/ÈÅ
+autoscalingget information of a group*getAutoscalingAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsâ
+/api/v1/nodes/{name}/statusÂÓ
+core_v1!read status of the specified Node*readCoreV1NodeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+
+401
+
+UnauthorizedRhttpsjF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+j
+x-kubernetes-actionget
+�
+core_v1$replace status of the specified Node*replaceCoreV1NodeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B;
+9
+7bodybody 
*'
+%#/definitions/io.k8s.api.core.v1.NodeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J’

+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+=
+2016
+4
+Created)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jF
+x-kubernetes-group-version-kind#!kind: Node
+version: v1
+group: ""
+BÒ
+core_v1-partially update status of the specified Node*patchCoreV1NodeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+J1
+/-"+
pathname of the Node"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ä'
+/apis/apps/v1/watch/deploymentsÀ'´
+apps_v1vwatch individual changes to a list of Deployment. deprecated: use the 'watch' parameter with a list operation instead.*)watchAppsV1DeploymentListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)version: v1
+group: apps
+kind: Deployment
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‹^
+4/apis/rbac.authorization.k8s.io/v1beta1/clusterrolesÒ]½&
+rbacAuthorization_v1beta1)list or watch objects of kind ClusterRole*'listRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jc
+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleList
+
+401
+
+UnauthorizedRhttpsji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1beta1
+j
+x-kubernetes-actionlist
+"¸	
+rbacAuthorization_v1beta1create a ClusterRole*)createRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG
+E
+Cbodybody 
*3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jö

+I
+201B
+@
+Created5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole
+J
+202C
+A
+Accepted5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole
+
+401
+
+Unauthorized
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleRhttpsj
+x-kubernetes-actionpost
+ji
+x-kubernetes-group-version-kindFDkind: ClusterRole
+version: v1beta1
+group: rbac.authorization.k8s.io
+*ƒ-
+rbacAuthorization_v1beta1 delete collection of ClusterRole*3deleteRbacAuthorizationV1beta1CollectionClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+ji
+x-kubernetes-group-version-kindFDkind: ClusterRole
+version: v1beta1
+group: rbac.authorization.k8s.io
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

÷(
+>/apis/apps/v1/watch/namespaces/{namespace}/controllerrevisions´(Æ
+apps_v1~watch individual changes to a list of ControllerRevision. deprecated: use the 'watch' parameter with a list operation instead.*+watchAppsV1NamespacedControllerRevisionList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsjV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

…)
+E/apis/coordination.k8s.io/v1beta1/watch/namespaces/{namespace}/leases»(Í
+coordination_v1beta1qwatch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.*+watchCoordinationV1beta1NamespacedLeaseList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

–(
+'/apis/storage.k8s.io/v1/csinodes/{name}ê'ä
+
+storage_v1read the specified CSINode*readStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jU
+x-kubernetes-group-version-kind20group: storage.k8s.io
+kind: CSINode
+version: v1
+­
+
+storage_v1replace the specified CSINode*replaceStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.storage.v1.CSINodeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jž

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jU
+x-kubernetes-group-version-kind20version: v1
+group: storage.k8s.io
+kind: CSINode
+*ã
+
+storage_v1delete a CSINode*deleteStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

JŸ

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+D
+202=
+;
+Accepted/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+
+401
+
+UnauthorizedRhttpsjU
+x-kubernetes-group-version-kind20version: v1
+group: storage.k8s.io
+kind: CSINode
+j 
+x-kubernetes-action	delete
+Bã
+
+storage_v1&partially update the specified CSINode*patchStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+
+401
+
+UnauthorizedRhttpsjU
+x-kubernetes-group-version-kind20group: storage.k8s.io
+kind: CSINode
+version: v1
+j
+x-kubernetes-actionpatch
+J4
+20".
pathname of the CSINode"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¥)
+1/api/v1/namespaces/{namespace}/limitranges/{name}ï(å
+core_v1read the specified LimitRange*readCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.core.v1.LimitRange
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jL
+x-kubernetes-group-version-kind)'version: v1
+group: ""
+kind: LimitRange
+®
+core_v1 replace the specified LimitRange*!replaceCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.core.v1.LimitRangeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jž

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.core.v1.LimitRange
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.core.v1.LimitRange
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jL
+x-kubernetes-group-version-kind)'version: v1
+group: ""
+kind: LimitRange
+*€
+core_v1delete a LimitRange* deleteCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjL
+x-kubernetes-group-version-kind)'group: ""
+kind: LimitRange
+version: v1
+j 
+x-kubernetes-action	delete
+Bä
+core_v1)partially update the specified LimitRange*patchCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.core.v1.LimitRange
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jL
+x-kubernetes-group-version-kind)'group: ""
+kind: LimitRange
+version: v1
+J7
+53"1
pathname of the LimitRange"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Â*
+@/apis/extensions/v1beta1/namespaces/{namespace}/ingresses/{name}ý)‡
+extensions_v1beta1read the specified Ingress*&readExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+à
+extensions_v1beta1replace the specified Ingress*)replaceExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.extensions.v1beta1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsjV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+j
+x-kubernetes-actionput
+*›
+extensions_v1beta1delete an Ingress*(deleteExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj 
+x-kubernetes-action	delete
+jV
+x-kubernetes-group-version-kind31kind: Ingress
+version: v1beta1
+group: extensions
+B†
+extensions_v1beta1&partially update the specified Ingress*'patchExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsjV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+j
+x-kubernetes-actionpatch
+J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ƒ)
+A/apis/policy/v1/watch/namespaces/{namespace}/poddisruptionbudgets½(Ï
+	policy_v1watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.*.watchPolicyV1NamespacedPodDisruptionBudgetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

×'
+/api/v1/watch/endpoints»'¯
+core_v1uwatch individual changes to a list of Endpoints. deprecated: use the 'watch' parameter with a list operation instead.*(watchCoreV1EndpointsListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ß
+
+0/apis/authentication.k8s.io/v1beta1/tokenreviewsª
+"œ
+authentication_v1beta1create a TokenReview*&createAuthenticationV1beta1TokenReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ
+O
+Mbodybody 
*=
+;#/definitions/io.k8s.api.authentication.v1beta1.TokenReviewJ”
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.authentication.v1beta1.TokenReview
+S
+201L
+J
+Created?
+=
+;#/definitions/io.k8s.api.authentication.v1beta1.TokenReview
+T
+202M
+K
+Accepted?
+=
+;#/definitions/io.k8s.api.authentication.v1beta1.TokenReview
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: authentication.k8s.io
+kind: TokenReview
+version: v1beta1
+j
+x-kubernetes-actionpost
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

á]
+9/apis/events.k8s.io/v1beta1/namespaces/{namespace}/events£]�&
+events_v1beta1#list or watch objects of kind Event* listEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.events.v1beta1.EventList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+"ÿ
+events_v1beta1create an Event*"createEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.events.v1beta1.EventBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jê

+
+401
+
+Unauthorized
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.events.v1beta1.Event
+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.events.v1beta1.Event
+F
+202?
+=
+Accepted1
+/
+-#/definitions/io.k8s.api.events.v1beta1.EventRhttpsj
+x-kubernetes-actionpost
+jW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+*Ù,
+events_v1beta1delete collection of Event*,deleteEventsV1beta1CollectionNamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¬)
+C/apis/flowcontrol.apiserver.k8s.io/v1beta1/watch/flowschemas/{name}ä(Ÿ
+flowcontrolApiserver_v1beta1±
watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jk
+x-kubernetes-group-version-kindHFkind: FlowSchema
+version: v1beta1
+group: flowcontrol.apiserver.k8s.io
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J7
+53"1
pathname of the FlowSchema"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ë(
+//api/v1/watch/namespaces/{namespace}/configmaps—(©
+core_v1uwatch individual changes to a list of ConfigMap. deprecated: use the 'watch' parameter with a list operation instead.*"watchCoreV1NamespacedConfigMapList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jK
+x-kubernetes-group-version-kind(&version: v1
+group: ""
+kind: ConfigMap
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

À)
+D/apis/apiextensions.k8s.io/v1/watch/customresourcedefinitions/{name}÷(¤
+apiextensions_v1¿
watch changes to an object of kind CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*,watchApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjl
+x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JE
+CA"?
path$name of the CustomResourceDefinition"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ð)
+>/apis/apps/v1/watch/namespaces/{namespace}/statefulsets/{name}�)å
+apps_v1²
watch changes to an object of kind StatefulSet. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.* watchAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J8
+64"2
pathname of the StatefulSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ú
+/apis/storage.k8s.io/À½
+storageget information of a group*getStorageAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+
+401
+
+Unauthorized
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupRhttps•'
+#/apis/coordination.k8s.io/v1/leasesí&á
+coordination_v1#list or watch objects of kind Lease*'listCoordinationV1LeaseForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.coordination.v1.LeaseList
+
+401
+
+UnauthorizedRhttpsjX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

«\
+ /apis/storage.k8s.io/v1/csinodes†\ý%
+
+storage_v1%list or watch objects of kind CSINode*listStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J]
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.storage.v1.CSINodeList
+
+401
+
+UnauthorizedRhttpsjU
+x-kubernetes-group-version-kind20kind: CSINode
+version: v1
+group: storage.k8s.io
+j
+x-kubernetes-actionlist
+"æ
+
+storage_v1create a CSINode*createStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.storage.v1.CSINodeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jä

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+D
+202=
+;
+Accepted/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+
+401
+
+UnauthorizedRhttpsjU
+x-kubernetes-group-version-kind20group: storage.k8s.io
+kind: CSINode
+version: v1
+j
+x-kubernetes-actionpost
+*É,
+
+storage_v1delete collection of CSINode* deleteStorageV1CollectionCSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjU
+x-kubernetes-group-version-kind20version: v1
+group: storage.k8s.io
+kind: CSINode
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ñ&
+/api/v1/componentstatusesÓ&Ç
+core_v1$list objects of kind ComponentStatus*listCoreV1ComponentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.core.v1.ComponentStatusList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jQ
+x-kubernetes-group-version-kind.,version: v1
+group: ""
+kind: ComponentStatus
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ä'
+/apis/apps/v1/watch/replicasetsÀ'´
+apps_v1vwatch individual changes to a list of ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead.*)watchAppsV1ReplicaSetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ä
+</apis/batch/v1/namespaces/{namespace}/cronjobs/{name}/statusĕ
+batch_v1$read status of the specified CronJob*"readBatchV1NamespacedCronJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JW
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+´
+batch_v1'replace status of the specified CronJob*%replaceBatchV1NamespacedCronJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B?
+=
+;bodybody 
*+
+)#/definitions/io.k8s.api.batch.v1.CronJobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jš

+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+A
+201:
+8
+Created-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+Bî
+batch_v10partially update status of the specified CronJob*#patchBatchV1NamespacedCronJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JW
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+J4
+20".
pathname of the CronJob"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

�
+A/apis/batch/v1beta1/namespaces/{namespace}/cronjobs/{name}/statusɃ
+
batch_v1beta1$read status of the specified CronJob*'readBatchV1beta1NamespacedCronJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jQ
+x-kubernetes-group-version-kind.,version: v1beta1
+group: batch
+kind: CronJob
+Ò
+
batch_v1beta1'replace status of the specified CronJob**replaceBatchV1beta1NamespacedCronJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¤

+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+B‚
+
batch_v1beta10partially update status of the specified CronJob*(patchBatchV1beta1NamespacedCronJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+
+401
+
+UnauthorizedRhttpsjQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+j
+x-kubernetes-actionpatch
+J4
+20".
pathname of the CronJob"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ê(
+./api/v1/watch/namespaces/{namespace}/endpoints—(©
+core_v1uwatch individual changes to a list of Endpoints. deprecated: use the 'watch' parameter with a list operation instead.*"watchCoreV1NamespacedEndpointsList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

´)
+4/api/v1/watch/namespaces/{namespace}/services/{name}û(×
+core_v1®
watch changes to an object of kind Service. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J4
+20".
pathname of the Service"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ð'
+"/apis/batch/v1beta1/watch/cronjobsÉ'½
+
batch_v1beta1swatch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.*,watchBatchV1beta1CronJobListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jQ
+x-kubernetes-group-version-kind.,kind: CronJob
+version: v1beta1
+group: batch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

›(
+5/apis/scheduling.k8s.io/v1beta1/watch/priorityclassesá'Õ
+scheduling_v1beta1ywatch individual changes to a list of PriorityClass. deprecated: use the 'watch' parameter with a list operation instead.*'watchSchedulingV1beta1PriorityClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: scheduling.k8s.io
+kind: PriorityClass
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

�*
+N/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/networkpolicies/{name}®)„
+
networking_v1´
watch changes to an object of kind NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*(watchNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j^
+x-kubernetes-group-version-kind;9group: networking.k8s.io
+kind: NetworkPolicy
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J:
+86"4
pathname of the NetworkPolicy"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ð\
+%/api/v1/namespaces/{namespace}/events¦\ê%
+core_v1#list or watch objects of kind Event*listCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.EventList
+
+401
+
+UnauthorizedRhttpsjG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+j
+x-kubernetes-actionlist
+"Å
+core_v1create an Event*createCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B<
+:
+8bodybody 
*(
+&#/definitions/io.k8s.api.core.v1.EventBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÕ

+9
+2002
+0
+OK*
+(
+&#/definitions/io.k8s.api.core.v1.Event
+>
+2017
+5
+Created*
+(
+&#/definitions/io.k8s.api.core.v1.Event
+?
+2028
+6
+Accepted*
+(
+&#/definitions/io.k8s.api.core.v1.Event
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+*»,
+core_v1delete collection of Event*%deleteCoreV1CollectionNamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj*
+x-kubernetes-actiondeletecollection
+jG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

á
+//api/v1/namespaces/{namespace}/pods/{name}/exec­�
+core_v1#connect GET requests to exec of Pod*!connectCoreV1GetNamespacedPodExec2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jP
+x-kubernetes-group-version-kind-+group: ""
+kind: PodExecOptions
+version: v1
+"’
+core_v1$connect POST requests to exec of Pod*"connectCoreV1PostNamespacedPodExec2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+group: ""
+kind: PodExecOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+Ju
+sqoqueryRCommand is the remote command to execute. argv array. Not executed within a shell."command2string 

J˜

+•
’
�
querypContainer in which to execute the command. Defaults to only container if there is only one container in the pod."	container2string 

J;
+97"5
pathname of the PodExecOptions"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

Jq
+omkqueryNRedirect the standard error stream of the pod for this call. Defaults to true."stderr2boolean 

Jq
+omkqueryORedirect the standard input stream of the pod for this call. Defaults to false."stdin2boolean 

Jr
+pnlqueryORedirect the standard output stream of the pod for this call. Defaults to true."stdout2boolean 

Jx
+vtrqueryXTTY if true indicates that a tty will be allocated for the exec call. Defaults to false."tty2boolean 

¨,
+K/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers/{name}Ø+·
+autoscaling_v1*read the specified HorizontalPodAutoscaler*2readAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+¨	
+autoscaling_v1-replace the specified HorizontalPodAutoscaler*5replaceAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BU
+S
+Qbodybody 
*A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÆ

+W
+201P
+N
+CreatedC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+
+401
+
+Unauthorized
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerRhttpsj
+x-kubernetes-actionput
+jb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+*¾
+autoscaling_v1 delete a HorizontalPodAutoscaler*4deleteAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+B¶
+autoscaling_v16partially update the specified HorizontalPodAutoscaler*3patchAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ú&
+/apis/batch/v1/jobsÂ&¶
+batch_v1!list or watch objects of kind Job*listBatchV1JobForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JW
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.JobList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ü(
+;/api/v1/watch/namespaces/{namespace}/persistentvolumeclaims¼(Î
+core_v1�
watch individual changes to a list of PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead.*.watchCoreV1NamespacedPersistentVolumeClaimList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42version: v1
+group: ""
+kind: PersistentVolumeClaim
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Î-
+C/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/{name}†-ò
+apiextensions_v1beta1+read the specified CustomResourceDefinition*0readApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J’

+
+401
+
+Unauthorized
+w
+200p
+n
+OKh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionRhttpsj
+x-kubernetes-actionget
+jq
+x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1beta1
+¬
+
+apiextensions_v1beta1.replace the specified CustomResourceDefinition*3replaceApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bz
+x
+vbodybody 
*f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J�
+
+401
+
+Unauthorized
+w
+200p
+n
+OKh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+|
+201u
+s
+Createdh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionRhttpsj
+x-kubernetes-actionput
+jq
+x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1beta1
+*Ó
+apiextensions_v1beta1!delete a CustomResourceDefinition*2deleteApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jq
+x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1beta1
+Bñ
+apiextensions_v1beta17partially update the specified CustomResourceDefinition*1patchApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J’

+w
+200p
+n
+OKh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jq
+x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1beta1
+JE
+CA"?
path$name of the CustomResourceDefinition"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‚
+#/apis/flowcontrol.apiserver.k8s.io/Ú×
+flowcontrolApiserverget information of a group*getFlowcontrolApiserverAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsõ&
+/api/v1/podtemplatesÜ&Ð
+core_v1)list or watch objects of kind PodTemplate*%listCoreV1PodTemplateForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.core.v1.PodTemplateList
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(group: ""
+kind: PodTemplate
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¾)
+6/api/v1/watch/namespaces/{namespace}/configmaps/{name}ƒ)Ý
+core_v1°
watch changes to an object of kind ConfigMap. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J6
+42"0
pathname of the ConfigMap"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ï(
+I/apis/admissionregistration.k8s.io/v1/watch/mutatingwebhookconfigurations¡(•
+admissionregistration_v1ˆ
watch individual changes to a list of MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*<watchAdmissionregistrationV1MutatingWebhookConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jx
+x-kubernetes-group-version-kindUSversion: v1
+group: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

„a
+H/apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations·`ž'
+admissionregistration_v1beta1:list or watch objects of kind MutatingWebhookConfiguration*<listAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J…

+j
+200c
+a
+OK[
+Y
+W#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j}
+x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1beta1
+"þ
+
+admissionregistration_v1beta1%create a MutatingWebhookConfiguration*>createAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bi
+g
+ebodybody 
*U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÜ
+
+401
+
+Unauthorized
+f
+200_
+]
+OKW
+U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration
+k
+201d
+b
+CreatedW
+U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration
+l
+202e
+c
+AcceptedW
+U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationRhttpsj
+x-kubernetes-actionpost
+j}
+x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1beta1
+*Á-
+admissionregistration_v1beta11delete collection of MutatingWebhookConfiguration*HdeleteAdmissionregistrationV1beta1CollectionMutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j}
+x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

È'
+/api/v1/watch/events¯'£
+core_v1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*$watchCoreV1EventListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ï_
+</apis/certificates.k8s.io/v1beta1/certificatesigningrequestsŽ_í&
+certificates_v1beta17list or watch objects of kind CertificateSigningRequest*0listCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jy
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+"ª
+
+certificates_v1beta1"create a CertificateSigningRequest*2createCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B]
+[
+Ybodybody 
*I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¸
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+_
+201X
+V
+CreatedK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+`
+202Y
+W
+AcceptedK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+*�-
+certificates_v1beta1.delete collection of CertificateSigningRequest*<deleteCertificatesV1beta1CollectionCertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ú'
+4/apis/rbac.authorization.k8s.io/v1beta1/rolebindings¡'•
+rbacAuthorization_v1beta1)list or watch objects of kind RoleBinding*7listRbacAuthorizationV1beta1RoleBindingForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jc
+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingList
+
+401
+
+UnauthorizedRhttpsji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1beta1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ë)
+=/apis/apps/v1/watch/namespaces/{namespace}/deployments/{name}‰)â
+apps_v1±
watch changes to an object of kind Deployment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: Deployment
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J7
+53"1
pathname of the Deployment"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¹^
+D/apis/rbac.authorization.k8s.io/v1beta1/namespaces/{namespace}/rolesð]«&
+rbacAuthorization_v1beta1"list or watch objects of kind Role**listRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.rbac.v1beta1.RoleList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+"‘	
+rbacAuthorization_v1beta1
create a Role*,createRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.rbac.v1beta1.RoleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Já

+C
+202<
+:
+Accepted.
+,
+*#/definitions/io.k8s.api.rbac.v1beta1.Role
+
+401
+
+Unauthorized
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.rbac.v1beta1.Role
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.rbac.v1beta1.RoleRhttpsj
+x-kubernetes-actionpost
+jb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+*ø,
+rbacAuthorization_v1beta1delete collection of Role*6deleteRbacAuthorizationV1beta1CollectionNamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj*
+x-kubernetes-actiondeletecollection
+jb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ž(
+1/apis/apiregistration.k8s.io/v1/watch/apiservicesØ'Ì
+apiregistration_v1vwatch individual changes to a list of APIService. deprecated: use the 'watch' parameter with a list operation instead.*$watchApiregistrationV1APIServiceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j`
+x-kubernetes-group-version-kind=;kind: APIService
+group: apiregistration.k8s.io
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

þ'
+)/apis/coordination.k8s.io/v1/watch/leasesÐ'Ä
+coordination_v1qwatch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.*,watchCoordinationV1LeaseListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ü
+/apis/authorization.k8s.io/v1/ÙÖ
+authorization_v1get available resources*getAuthorizationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsù(
+L/apis/flowcontrol.apiserver.k8s.io/v1beta1/watch/prioritylevelconfigurations¨(œ
+flowcontrolApiserver_v1beta1†
watch individual changes to a list of PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*>watchFlowcontrolApiserverV1beta1PriorityLevelConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj{
+x-kubernetes-group-version-kindXVkind: PriorityLevelConfiguration
+version: v1beta1
+group: flowcontrol.apiserver.k8s.io
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

—)
+F/apis/policy/v1beta1/watch/namespaces/{namespace}/poddisruptionbudgetsÌ(Þ
+policy_v1beta1watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.*3watchPolicyV1beta1NamespacedPodDisruptionBudgetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

’)
+0/api/v1/namespaces/{namespace}/configmaps/{name}Ý(á
+core_v1read the specified ConfigMap*readCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.ConfigMap
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+¨
+core_v1replace the specified ConfigMap* replaceCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.core.v1.ConfigMapBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jœ

+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.ConfigMap
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.core.v1.ConfigMap
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+*ý
+core_v1delete a ConfigMap*deleteCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj 
+x-kubernetes-action	delete
+jK
+x-kubernetes-group-version-kind(&version: v1
+group: ""
+kind: ConfigMap
+Bà
+core_v1(partially update the specified ConfigMap*patchCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.ConfigMap
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+j
+x-kubernetes-actionpatch
+J6
+42"0
pathname of the ConfigMap"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ž
+6/api/v1/namespaces/{namespace}/pods/{name}/portforwardÓ¥
+core_v1*connect GET requests to portforward of Pod*(connectCoreV1GetNamespacedPodPortforward2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: PodPortForwardOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+"§
+core_v1+connect POST requests to portforward of Pod*)connectCoreV1PostNamespacedPodPortforward2*/*:*/*J7
+
+401
+
+Unauthorized
+
+200
+
+OK
+²

+stringRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: PodPortForwardOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+JB
+@>"<
path!name of the PodPortForwardOptions"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JY
+WUSquery7List of ports to forward Required when using WebSockets"ports2integer 

°
+B/api/v1/namespaces/{namespace}/replicationcontrollers/{name}/scaleé�
+core_v11read scale of the specified ReplicationController*.readCoreV1NamespacedReplicationControllerScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+Ü
+core_v14replace scale of the specified ReplicationController*1replaceCoreV1NamespacedReplicationControllerScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.autoscaling.v1.ScaleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¢

+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+j
+x-kubernetes-actionput
+BŽ
+core_v1=partially update scale of the specified ReplicationController*/patchCoreV1NamespacedReplicationControllerScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+J2
+0.",
pathname of the Scale"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ï(
+0/api/v1/watch/namespaces/{namespace}/limitrangesš(¬
+core_v1vwatch individual changes to a list of LimitRange. deprecated: use the 'watch' parameter with a list operation instead.*#watchCoreV1NamespacedLimitRangeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jL
+x-kubernetes-group-version-kind)'kind: LimitRange
+version: v1
+group: ""
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ó(
+-/apis/storage.k8s.io/v1/watch/csinodes/{name}¡(ß
+
+storage_v1®
watch changes to an object of kind CSINode. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jU
+x-kubernetes-group-version-kind20group: storage.k8s.io
+kind: CSINode
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J4
+20".
pathname of the CSINode"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ì'
+/api/v1/watch/secrets²'¦
+core_v1rwatch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.*%watchCoreV1SecretListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jH
+x-kubernetes-group-version-kind%#group: ""
+kind: Secret
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¹`
+C/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurationsñ_Š'
+admissionregistration_v1:list or watch objects of kind MutatingWebhookConfiguration*7listAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J€

+e
+200^
+\
+OKV
+T
+R#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jx
+x-kubernetes-group-version-kindUSversion: v1
+group: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+"Û
+
+admissionregistration_v1%create a MutatingWebhookConfiguration*9createAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bd
+b
+`bodybody 
*P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÍ
+a
+200Z
+X
+OKR
+P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration
+f
+201_
+]
+CreatedR
+P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration
+g
+202`
+^
+AcceptedR
+P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jx
+x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1
+*²-
+admissionregistration_v11delete collection of MutatingWebhookConfiguration*CdeleteAdmissionregistrationV1CollectionMutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jx
+x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

–`
+7/apis/apiextensions.k8s.io/v1/customresourcedefinitionsÚ_÷&
+apiextensions_v16list or watch objects of kind CustomResourceDefinition*+listApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J‘

+v
+200o
+m
+OKg
+e
+c#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jl
+x-kubernetes-group-version-kindIGkind: CustomResourceDefinition
+version: v1
+group: apiextensions.k8s.io
+"û
+
+apiextensions_v1!create a CustomResourceDefinition*-createApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bu
+s
+qbodybody 
*a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J€
+r
+200k
+i
+OKc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+w
+201p
+n
+Createdc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+x
+202q
+o
+Acceptedc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jl
+x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1
+*Ž-
+apiextensions_v1-delete collection of CustomResourceDefinition*7deleteApiextensionsV1CollectionCustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jl
+x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ô,
+>/apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}±,Þ
+apiextensions_v1+read the specified CustomResourceDefinition*+readApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J�

+
+401
+
+Unauthorized
+r
+200k
+i
+OKc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionRhttpsj
+x-kubernetes-actionget
+jl
+x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1
+Ž
+
+apiextensions_v1.replace the specified CustomResourceDefinition*.replaceApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bu
+s
+qbodybody 
*a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J†
+r
+200k
+i
+OKc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+w
+201p
+n
+Createdc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jl
+x-kubernetes-group-version-kindIGversion: v1
+group: apiextensions.k8s.io
+kind: CustomResourceDefinition
+*Ä
+apiextensions_v1!delete a CustomResourceDefinition*-deleteApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jl
+x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1
+BÝ
+apiextensions_v17partially update the specified CustomResourceDefinition*,patchApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J�

+r
+200k
+i
+OKc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jl
+x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1
+JE
+CA"?
path$name of the CustomResourceDefinition"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

É)
+0/apis/networking.k8s.io/v1/ingressclasses/{name}”)„
+
networking_v1read the specified IngressClass*readNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1.IngressClass
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+j
+x-kubernetes-actionget
+Ý
+
networking_v1"replace the specified IngressClass*replaceNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.networking.v1.IngressClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1.IngressClass
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.networking.v1.IngressClass
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+j
+x-kubernetes-actionput
+*˜
+
networking_v1delete an IngressClass*deleteNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+j 
+x-kubernetes-action	delete
+Bƒ
+
networking_v1+partially update the specified IngressClass*patchNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1.IngressClass
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+j
+x-kubernetes-actionpatch
+J9
+75"3
pathname of the IngressClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ñ)
+L/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/roles/{name} )ÿ
+rbacAuthorization_v1«
watch changes to an object of kind Role. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*&watchRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J1
+/-"+
pathname of the Role"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

§'
+/api/v1/persistentvolumeclaims„'ø
+core_v13list or watch objects of kind PersistentVolumeClaim*/listCoreV1PersistentVolumeClaimForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jh
+M
+200F
+D
+OK>
+<
+:#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimList
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ã)
+7/api/v1/watch/namespaces/{namespace}/limitranges/{name}‡)à
+core_v1±
watch changes to an object of kind LimitRange. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jL
+x-kubernetes-group-version-kind)'group: ""
+kind: LimitRange
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J7
+53"1
pathname of the LimitRange"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

µ(
+3/apis/autoscaling/v1/watch/horizontalpodautoscalersý'ñ
+autoscaling_v1ƒ
watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*=watchAutoscalingV1HorizontalPodAutoscalerListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

×(
+6/apis/apps/v1/watch/namespaces/{namespace}/replicasetsœ(®
+apps_v1vwatch individual changes to a list of ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead.*#watchAppsV1NamespacedReplicaSetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ð
+
/apis/policy/¾»
+policyget information of a group*getPolicyAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps�)
+;/apis/networking.k8s.io/v1beta1/watch/ingressclasses/{name}Í(†
+networking_v1beta1³
watch changes to an object of kind IngressClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jb
+x-kubernetes-group-version-kind?=group: networking.k8s.io
+kind: IngressClass
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J9
+75"3
pathname of the IngressClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

“
+I/apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/statusţ
+	policy_v10read status of the specified PodDisruptionBudget*/readPolicyV1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd
+
+401
+
+Unauthorized
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetRhttpsj
+x-kubernetes-actionget
+jY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+‚	
+	policy_v13replace status of the specified PodDisruptionBudget*2replacePolicyV1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J´

+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jY
+x-kubernetes-group-version-kind64kind: PodDisruptionBudget
+version: v1
+group: policy
+B¢
+	policy_v1<partially update status of the specified PodDisruptionBudget*0patchPolicyV1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsjY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+j
+x-kubernetes-actionpatch
+J@
+><":
pathname of the PodDisruptionBudget"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

�(
+./apis/policy/v1beta1/watch/podsecuritypoliciesÚ'Î
+policy_v1beta1}watch individual changes to a list of PodSecurityPolicy. deprecated: use the 'watch' parameter with a list operation instead.*'watchPolicyV1beta1PodSecurityPolicyList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj\
+x-kubernetes-group-version-kind97group: policy
+kind: PodSecurityPolicy
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ñ'
+/api/v1/namespaces/{name}Ó'×
+core_v1read the specified Namespace*readCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+ž
+core_v1replace the specified Namespace*replaceCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.core.v1.NamespaceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jœ

+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+
+401
+
+Unauthorized
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.NamespaceRhttpsj
+x-kubernetes-actionput
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+*ó
+core_v1delete a Namespace*deleteCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+j 
+x-kubernetes-action	delete
+BÖ
+core_v1(partially update the specified Namespace*patchCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+j
+x-kubernetes-actionpatch
+J6
+42"0
pathname of the Namespace"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¢(
+/api/v1/watch/nodes/{name}ƒ(Ä
+core_v1«
watch changes to an object of kind Node. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J1
+/-"+
pathname of the Node"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ð
+/apis/discovery.k8s.io/v1/ÑÎ
+discovery_v1get available resources*getDiscoveryV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps…)
+E/apis/discovery.k8s.io/v1/watch/namespaces/{namespace}/endpointslices»(Í
+discovery_v1ywatch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.*+watchDiscoveryV1NamespacedEndpointSliceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j]
+x-kubernetes-group-version-kind:8kind: EndpointSlice
+version: v1
+group: discovery.k8s.io
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

å*
+2/apis/apiregistration.k8s.io/v1/apiservices/{name}®*¥
+apiregistration_v1read the specified APIService*readApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jy
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+®	
+apiregistration_v1 replace the specified APIService*"replaceApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ba
+_
+]bodybody 
*M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÞ

+
+401
+
+Unauthorized
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+c
+201\
+Z
+CreatedO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceRhttpsj
+x-kubernetes-actionput
+j`
+x-kubernetes-group-version-kind=;version: v1
+kind: APIService
+group: apiregistration.k8s.io
+*¡
+apiregistration_v1delete an APIService*!deleteApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+B¤
+apiregistration_v1)partially update the specified APIService* patchApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jy
+
+401
+
+Unauthorized
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceRhttpsj
+x-kubernetes-actionpatch
+j`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+J7
+53"1
pathname of the APIService"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

í(
+?/apis/events.k8s.io/v1beta1/watch/namespaces/{namespace}/events©(»
+events_v1beta1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*%watchEventsV1beta1NamespacedEventList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ž
+$/apis/authentication.k8s.io/v1beta1/åâ
+authentication_v1beta1get available resources*$getAuthenticationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps”]
+'/apis/storage.k8s.io/v1beta1/csidriversè\™&
+storage_v1beta1'list or watch objects of kind CSIDriver*listStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.storage.v1beta1.CSIDriverList
+
+401
+
+UnauthorizedRhttpsj\
+x-kubernetes-group-version-kind97group: storage.k8s.io
+kind: CSIDriver
+version: v1beta1
+j
+x-kubernetes-actionlist
+"—	
+storage_v1beta1create a CSIDriver*createStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BH
+F
+Dbodybody 
*4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriverBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jù

+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+J
+201C
+A
+Created6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+K
+202D
+B
+Accepted6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j\
+x-kubernetes-group-version-kind97kind: CSIDriver
+version: v1beta1
+group: storage.k8s.io
+*Þ,
+storage_v1beta1delete collection of CSIDriver*'deleteStorageV1beta1CollectionCSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j\
+x-kubernetes-group-version-kind97group: storage.k8s.io
+kind: CSIDriver
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¿+
+7/apis/apiregistration.k8s.io/v1beta1/apiservices/{name}ƒ+¹
+apiregistration_v1beta1read the specified APIService*$readApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J~
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+j
+x-kubernetes-actionget
+Ì	
+apiregistration_v1beta1 replace the specified APIService*'replaceApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bf
+d
+bbodybody 
*R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jè

+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+h
+201a
+_
+CreatedT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+j
+x-kubernetes-actionput
+*°
+apiregistration_v1beta1delete an APIService*&deleteApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+j 
+x-kubernetes-action	delete
+B¸
+apiregistration_v1beta1)partially update the specified APIService*%patchApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J~
+
+401
+
+Unauthorized
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceRhttpsje
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+j
+x-kubernetes-actionpatch
+J7
+53"1
pathname of the APIService"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ã(
+9/apis/batch/v1beta1/watch/namespaces/{namespace}/cronjobs¥(·
+
batch_v1beta1swatch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.*&watchBatchV1beta1NamespacedCronJobList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ƒ)
+E/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/roles¹(Ë
+rbacAuthorization_v1pwatch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.**watchRbacAuthorizationV1NamespacedRoleList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj]
+x-kubernetes-group-version-kind:8version: v1
+group: rbac.authorization.k8s.io
+kind: Role
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ö'
++/apis/storage.k8s.io/v1beta1/watch/csinodesÆ'º
+storage_v1beta1swatch individual changes to a list of CSINode. deprecated: use the 'watch' parameter with a list operation instead.*watchStorageV1beta1CSINodeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jZ
+x-kubernetes-group-version-kind75version: v1beta1
+group: storage.k8s.io
+kind: CSINode
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

š]
+*/api/v1/namespaces/{namespace}/limitrangesë\þ%
+core_v1(list or watch objects of kind LimitRange*listCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J]
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.core.v1.LimitRangeList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jL
+x-kubernetes-group-version-kind)'group: ""
+kind: LimitRange
+version: v1
+"ç
+core_v1create a LimitRange* createCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.core.v1.LimitRangeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jä

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.core.v1.LimitRange
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.core.v1.LimitRange
+D
+202=
+;
+Accepted/
+-
++#/definitions/io.k8s.api.core.v1.LimitRange
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jL
+x-kubernetes-group-version-kind)'group: ""
+kind: LimitRange
+version: v1
+*Ê,
+core_v1delete collection of LimitRange**deleteCoreV1CollectionNamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjL
+x-kubernetes-group-version-kind)'group: ""
+kind: LimitRange
+version: v1
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ˆ]
+./apis/batch/v1/namespaces/{namespace}/cronjobsÕ\ø%
+batch_v1%list or watch objects of kind CronJob*listBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.batch.v1.CronJobList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+"Û
+batch_v1create a CronJob*createBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B?
+=
+;bodybody 
*+
+)#/definitions/io.k8s.api.batch.v1.CronJobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÞ

+A
+201:
+8
+Created-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+B
+202;
+9
+Accepted-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+
+401
+
+Unauthorized
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.CronJobRhttpsj
+x-kubernetes-actionpost
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+*Æ,
+batch_v1delete collection of CronJob*(deleteBatchV1CollectionNamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jL
+x-kubernetes-group-version-kind)'version: v1
+group: batch
+kind: CronJob
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ò
+E/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/statusˆÐ
+certificates_v16read status of the specified CertificateSigningRequest*1readCertificatesV1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+Ç	
+certificates_v19replace status of the specified CertificateSigningRequest*4replaceCertificatesV1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX
+V
+Tbodybody 
*D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÌ

+Z
+201S
+Q
+CreatedF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestRhttpsj
+x-kubernetes-actionput
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+BÏ
+certificates_v1Bpartially update status of the specified CertificateSigningRequest*2patchCertificatesV1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jp
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestRhttpsj
+x-kubernetes-actionpatch
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+JF
+DB"@
path%name of the CertificateSigningRequest"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

�
+J/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/{name}/statusÎä
+certificates_v1beta16read status of the specified CertificateSigningRequest*6readCertificatesV1beta1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+å	
+certificates_v1beta19replace status of the specified CertificateSigningRequest*9replaceCertificatesV1beta1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B]
+[
+Ybodybody 
*I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÖ

+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+_
+201X
+V
+CreatedK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jq
+x-kubernetes-group-version-kindNLkind: CertificateSigningRequest
+version: v1beta1
+group: certificates.k8s.io
+Bã
+certificates_v1beta1Bpartially update status of the specified CertificateSigningRequest*7patchCertificatesV1beta1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jq
+x-kubernetes-group-version-kindNLversion: v1beta1
+group: certificates.k8s.io
+kind: CertificateSigningRequest
+JF
+DB"@
path%name of the CertificateSigningRequest"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Û(
+7/apis/apps/v1/watch/namespaces/{namespace}/statefulsetsŸ(±
+apps_v1wwatch individual changes to a list of StatefulSet. deprecated: use the 'watch' parameter with a list operation instead.*$watchAppsV1NamespacedStatefulSetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

´/
+/api/v1/namespaces�/ð%
+core_v1'list or watch objects of kind Namespace*listCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.NamespaceList
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+j
+x-kubernetes-actionlist
+"Ö
+core_v1create a Namespace*createCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.core.v1.NamespaceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Já

+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+C
+202<
+:
+Accepted.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+j
+x-kubernetes-actionpost
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ð'
+/api/v1/watch/servicesµ'©
+core_v1swatch individual changes to a list of Service. deprecated: use the 'watch' parameter with a list operation instead.*&watchCoreV1ServiceListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Â
+S/apis/authorization.k8s.io/v1beta1/namespaces/{namespace}/localsubjectaccessreviewsê"ú
+authorization_v1beta1!create a LocalSubjectAccessReview*<createAuthorizationV1beta1NamespacedLocalSubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B]
+[
+Ybodybody 
*I
+G#/definitions/io.k8s.api.authorization.v1beta1.LocalSubjectAccessReviewJ¸
+`
+202Y
+W
+AcceptedK
+I
+G#/definitions/io.k8s.api.authorization.v1beta1.LocalSubjectAccessReview
+
+401
+
+Unauthorized
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.authorization.v1beta1.LocalSubjectAccessReview
+_
+201X
+V
+CreatedK
+I
+G#/definitions/io.k8s.api.authorization.v1beta1.LocalSubjectAccessReviewRhttpsjq
+x-kubernetes-group-version-kindNLgroup: authorization.k8s.io
+kind: LocalSubjectAccessReview
+version: v1beta1
+j
+x-kubernetes-actionpost
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

·-
+M/apis/flowcontrol.apiserver.k8s.io/v1beta1/prioritylevelconfigurations/{name}å,ð
+flowcontrolApiserver_v1beta1-read the specified PriorityLevelConfiguration*9readFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+
+401
+
+UnauthorizedRhttpsj{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+j
+x-kubernetes-actionget
+ñ	
+flowcontrolApiserver_v1beta10replace the specified PriorityLevelConfiguration*<replaceFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B]
+[
+Ybodybody 
*I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÖ

+_
+201X
+V
+CreatedK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+
+401
+
+Unauthorized
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationRhttpsj
+x-kubernetes-actionput
+j{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+*ï
+flowcontrolApiserver_v1beta1#delete a PriorityLevelConfiguration*;deleteFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+Bï
+flowcontrolApiserver_v1beta19partially update the specified PriorityLevelConfiguration*:patchFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+JG
+EC"A
path&name of the PriorityLevelConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‹]
+)/api/v1/namespaces/{namespace}/configmapsÝ\ú%
+core_v1'list or watch objects of kind ConfigMap*listCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ConfigMapList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+"à
+core_v1create a ConfigMap*createCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.core.v1.ConfigMapBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Já

+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.ConfigMap
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.core.v1.ConfigMap
+C
+202<
+:
+Accepted.
+,
+*#/definitions/io.k8s.api.core.v1.ConfigMap
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+j
+x-kubernetes-actionpost
+*Ç,
+core_v1delete collection of ConfigMap*)deleteCoreV1CollectionNamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¼)
+O/apis/autoscaling/v2beta2/watch/namespaces/{namespace}/horizontalpodautoscalersè(ú
+autoscaling_v2beta2ƒ
watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*<watchAutoscalingV2beta2NamespacedHorizontalPodAutoscalerList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¦)
+N/apis/storage.k8s.io/v1beta1/watch/namespaces/{namespace}/csistoragecapacitiesÓ(å
+storage_v1beta1~watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.*3watchStorageV1beta1NamespacedCSIStorageCapacityList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsje
+x-kubernetes-group-version-kindB@group: storage.k8s.io
+kind: CSIStorageCapacity
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

�*
+Q/apis/discovery.k8s.io/v1beta1/watch/namespaces/{namespace}/endpointslices/{name}º)�
+discovery_v1beta1´
watch changes to an object of kind EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*,watchDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jb
+x-kubernetes-group-version-kind?=group: discovery.k8s.io
+kind: EndpointSlice
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J:
+86"4
pathname of the EndpointSlice"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

é)
+F/apis/extensions/v1beta1/watch/namespaces/{namespace}/ingresses/{name}ž)ú
+extensions_v1beta1®
watch changes to an object of kind Ingress. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*'watchExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‡+
+=/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/{name}Å*°
+flowcontrolApiserver_v1beta1read the specified FlowSchema*)readFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jk
+x-kubernetes-group-version-kindHFversion: v1beta1
+group: flowcontrol.apiserver.k8s.io
+kind: FlowSchema
+‘	
+flowcontrolApiserver_v1beta1 replace the specified FlowSchema*,replaceFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BM
+K
+Ibodybody 
*9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¶

+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+O
+201H
+F
+Created;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jk
+x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io
+kind: FlowSchema
+version: v1beta1
+*¿
+flowcontrolApiserver_v1beta1delete a FlowSchema*+deleteFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jk
+x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io
+kind: FlowSchema
+version: v1beta1
+B¯
+flowcontrolApiserver_v1beta1)partially update the specified FlowSchema**patchFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jk
+x-kubernetes-group-version-kindHFkind: FlowSchema
+version: v1beta1
+group: flowcontrol.apiserver.k8s.io
+J7
+53"1
pathname of the FlowSchema"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¶)
+//apis/node.k8s.io/v1beta1/runtimeclasses/{name}‚)€
+node_v1beta1read the specified RuntimeClass*readNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+×
+node_v1beta1"replace the specified RuntimeClass*replaceNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BH
+F
+Dbodybody 
*4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¬

+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass
+J
+201C
+A
+Created6
+4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+*”
+node_v1beta1delete a RuntimeClass*deleteNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+Bÿ
+node_v1beta1+partially update the specified RuntimeClass*patchNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+J9
+75"3
pathname of the RuntimeClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

å*
+G/apis/networking.k8s.io/v1beta1/namespaces/{namespace}/ingresses/{name}™*Ž
+networking_v1beta1read the specified Ingress*&readNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+j
+x-kubernetes-actionget
+ç
+networking_v1beta1replace the specified Ingress*)replaceNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.networking.v1beta1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+j
+x-kubernetes-actionput
+*¢
+networking_v1beta1delete an Ingress*(deleteNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+j 
+x-kubernetes-action	delete
+B�
+networking_v1beta1&partially update the specified Ingress*'patchNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

´)
+C/apis/rbac.authorization.k8s.io/v1/watch/clusterrolebindings/{name}ì(Ÿ
+rbacAuthorization_v1¹
watch changes to an object of kind ClusterRoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jk
+x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J?
+=;"9
pathname of the ClusterRoleBinding"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‘)
+</apis/rbac.authorization.k8s.io/v1/watch/clusterroles/{name}Ð(Š
+rbacAuthorization_v1²
watch changes to an object of kind ClusterRole. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*#watchRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsjd
+x-kubernetes-group-version-kindA?version: v1
+group: rbac.authorization.k8s.io
+kind: ClusterRole
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J8
+64"2
pathname of the ClusterRole"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¥)
+A/apis/rbac.authorization.k8s.io/v1beta1/watch/clusterroles/{name}ß(™
+rbacAuthorization_v1beta1²
watch changes to an object of kind ClusterRole. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*(watchRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj
+x-kubernetes-actionwatch
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J8
+64"2
pathname of the ClusterRole"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ä'
+/api/v1/watch/persistentvolumesÀ'´
+core_v1|watch individual changes to a list of PersistentVolume. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1PersistentVolumeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

è'
+/api/v1/watch/resourcequotasÇ'»
+core_v1ywatch individual changes to a list of ResourceQuota. deprecated: use the 'watch' parameter with a list operation instead.*,watchCoreV1ResourceQuotaListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

£
++/apis/admissionregistration.k8s.io/v1beta1/óð
+admissionregistration_v1beta1get available resources*+getAdmissionregistrationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps„(
+'/apis/apps/v1/watch/controllerrevisionsØ'Ì
+apps_v1~watch individual changes to a list of ControllerRevision. deprecated: use the 'watch' parameter with a list operation instead.*1watchAppsV1ControllerRevisionListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

½)
+5/api/v1/watch/namespaces/{namespace}/endpoints/{name}ƒ)Ý
+core_v1°
watch changes to an object of kind Endpoints. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J6
+42"0
pathname of the Endpoints"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¤)
+./apis/storage.k8s.io/v1beta1/csidrivers/{name}ñ(€
+storage_v1beta1read the specified CSIDriver*readStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+
+401
+
+UnauthorizedRhttpsj\
+x-kubernetes-group-version-kind97group: storage.k8s.io
+kind: CSIDriver
+version: v1beta1
+j
+x-kubernetes-actionget
+×
+storage_v1beta1replace the specified CSIDriver*replaceStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BH
+F
+Dbodybody 
*4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriverBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¬

+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+J
+201C
+A
+Created6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+
+401
+
+UnauthorizedRhttpsj\
+x-kubernetes-group-version-kind97group: storage.k8s.io
+kind: CSIDriver
+version: v1beta1
+j
+x-kubernetes-actionput
+*†
+storage_v1beta1delete a CSIDriver*deleteStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J­

+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+K
+202D
+B
+Accepted6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j\
+x-kubernetes-group-version-kind97group: storage.k8s.io
+kind: CSIDriver
+version: v1beta1
+Bÿ
+storage_v1beta1(partially update the specified CSIDriver*patchStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j\
+x-kubernetes-group-version-kind97group: storage.k8s.io
+kind: CSIDriver
+version: v1beta1
+J6
+42"0
pathname of the CSIDriver"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

”)
+;/apis/storage.k8s.io/v1beta1/watch/volumeattachments/{name}Ô(‰
+storage_v1beta1·
watch changes to an object of kind VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*#watchStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jc
+x-kubernetes-group-version-kind@>kind: VolumeAttachment
+version: v1beta1
+group: storage.k8s.io
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J=
+;9"7
pathname of the VolumeAttachment"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

•]
+(/apis/node.k8s.io/v1beta1/runtimeclassesè\™&
+node_v1beta1*list or watch objects of kind RuntimeClass*listNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.node.v1beta1.RuntimeClassList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+"—	
+node_v1beta1create a RuntimeClass*createNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BH
+F
+Dbodybody 
*4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jù

+K
+202D
+B
+Accepted6
+4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass
+
+401
+
+Unauthorized
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass
+J
+201C
+A
+Created6
+4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClassRhttpsj\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+j
+x-kubernetes-actionpost
+*Þ,
+node_v1beta1!delete collection of RuntimeClass*'deleteNodeV1beta1CollectionRuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj*
+x-kubernetes-actiondeletecollection
+j\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

”*
+S/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/rolebindings/{name}¼)”
+rbacAuthorization_v1²
watch changes to an object of kind RoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*-watchRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J8
+64"2
pathname of the RoleBinding"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

à'
+/api/v1/watch/podtemplatesÁ'µ
+core_v1wwatch individual changes to a list of PodTemplate. deprecated: use the 'watch' parameter with a list operation instead.**watchCoreV1PodTemplateListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(kind: PodTemplate
+version: v1
+group: ""
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‚
+ /apis/apiregistration.k8s.io/v1/ÝÚ
+apiregistration_v1get available resources* getApiregistrationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps‹
+#/apis/authorization.k8s.io/v1beta1/ãà
+authorization_v1beta1get available resources*#getAuthorizationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttpsü*
+H/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}¯*’
+
networking_v1 read the specified NetworkPolicy*'readNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicy
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j^
+x-kubernetes-group-version-kind;9kind: NetworkPolicy
+version: v1
+group: networking.k8s.io
+í
+
networking_v1#replace the specified NetworkPolicy**replaceNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ
+H
+Fbodybody 
*6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicyBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J°

+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicy
+L
+201E
+C
+Created8
+6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicy
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j^
+x-kubernetes-group-version-kind;9group: networking.k8s.io
+kind: NetworkPolicy
+version: v1
+*¤
+
networking_v1delete a NetworkPolicy*)deleteNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j^
+x-kubernetes-group-version-kind;9kind: NetworkPolicy
+version: v1
+group: networking.k8s.io
+B‘
+
networking_v1,partially update the specified NetworkPolicy*(patchNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicy
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: networking.k8s.io
+kind: NetworkPolicy
+version: v1
+j
+x-kubernetes-actionpatch
+J:
+86"4
pathname of the NetworkPolicy"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

†)
+F/apis/networking.k8s.io/v1beta1/watch/namespaces/{namespace}/ingresses»(Í
+networking_v1beta1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*+watchNetworkingV1beta1NamespacedIngressList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ˆ]
+(/api/v1/namespaces/{namespace}/endpointsÛ\ú%
+core_v1'list or watch objects of kind Endpoints*listCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.EndpointsList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+"Þ
+core_v1create Endpoints*createCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.core.v1.EndpointsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Já

+C
+202<
+:
+Accepted.
+,
+*#/definitions/io.k8s.api.core.v1.Endpoints
+
+401
+
+Unauthorized
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Endpoints
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.core.v1.EndpointsRhttpsj
+x-kubernetes-actionpost
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+*Ç,
+core_v1delete collection of Endpoints*)deleteCoreV1CollectionNamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jK
+x-kubernetes-group-version-kind(&version: v1
+group: ""
+kind: Endpoints
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¿(
+,/api/v1/watch/namespaces/{namespace}/secretsŽ( 
+core_v1rwatch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NamespacedSecretList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jH
+x-kubernetes-group-version-kind%#group: ""
+kind: Secret
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

é
+=/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale§ù
+apps_v1&read scale of the specified Deployment*#readAppsV1NamespacedDeploymentScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[
+
+401
+
+Unauthorized
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.ScaleRhttpsjP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+j
+x-kubernetes-actionget
+Æ
+apps_v1)replace scale of the specified Deployment*&replaceAppsV1NamespacedDeploymentScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.autoscaling.v1.ScaleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¢

+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+Unauthorized
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.ScaleRhttpsj
+x-kubernetes-actionput
+jP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+Bø
+apps_v12partially update scale of the specified Deployment*$patchAppsV1NamespacedDeploymentScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+j
+x-kubernetes-actionpatch
+J2
+0.",
pathname of the Scale"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

î&
+/apis/batch/v1/cronjobsÒ&Æ
+batch_v1%list or watch objects of kind CronJob*"listBatchV1CronJobForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.batch.v1.CronJobList
+
+401
+
+UnauthorizedRhttpsjL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‰
+C/api/v1/namespaces/{namespace}/replicationcontrollers/{name}/statusÁ¡
+core_v12read status of the specified ReplicationController*/readCoreV1NamespacedReplicationControllerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+j
+x-kubernetes-actionget
+€	
+core_v15replace status of the specified ReplicationController*2replaceCoreV1NamespacedReplicationControllerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.core.v1.ReplicationControllerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J´

+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+j
+x-kubernetes-actionput
+B 
+core_v1>partially update status of the specified ReplicationController*0patchCoreV1NamespacedReplicationControllerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jW
+x-kubernetes-group-version-kind42version: v1
+group: ""
+kind: ReplicationController
+JB
+@>"<
path!name of the ReplicationController"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¦]
+0/apis/apps/v1/namespaces/{namespace}/deploymentsñ\€&
+apps_v1(list or watch objects of kind Deployment*listAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J]
+
+401
+
+Unauthorized
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.apps.v1.DeploymentListRhttpsj
+x-kubernetes-actionlist
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: Deployment
+version: v1
+"é
+apps_v1create a Deployment* createAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.apps.v1.DeploymentBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jä

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+D
+202=
+;
+Accepted/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: Deployment
+version: v1
+*Ì,
+apps_v1delete collection of Deployment**deleteAppsV1CollectionNamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj*
+x-kubernetes-actiondeletecollection
+jN
+x-kubernetes-group-version-kind+)version: v1
+group: apps
+kind: Deployment
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

÷&
+/apis/events.k8s.io/v1/eventsÕ&É
+	events_v1#list or watch objects of kind Event*!listEventsV1EventForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.events.v1.EventList
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

’*
+F/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}Ç)þ
+rbacAuthorization_v1read the specified Role*%readRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.rbac.v1.Role
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+j
+x-kubernetes-actionget
+»
+rbacAuthorization_v1replace the specified Role*(replaceRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B;
+9
+7bodybody 
*'
+%#/definitions/io.k8s.api.rbac.v1.RoleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J’

+
+401
+
+Unauthorized
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.rbac.v1.Role
+=
+2016
+4
+Created)
+'
+%#/definitions/io.k8s.api.rbac.v1.RoleRhttpsj
+x-kubernetes-actionput
+j]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+*Ÿ
+rbacAuthorization_v1
delete a Role*'deleteRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+Bý
+rbacAuthorization_v1#partially update the specified Role*&patchRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.rbac.v1.Role
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+J1
+/-"+
pathname of the Role"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¢*
+U/apis/storage.k8s.io/v1beta1/watch/namespaces/{namespace}/csistoragecapacities/{name}È)™
+storage_v1beta1¹
watch changes to an object of kind CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*/watchStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: storage.k8s.io
+kind: CSIStorageCapacity
+version: v1beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J?
+=;"9
pathname of the CSIStorageCapacity"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ø'
+/api/v1/watch/configmaps»'¯
+core_v1uwatch individual changes to a list of ConfigMap. deprecated: use the 'watch' parameter with a list operation instead.*(watchCoreV1ConfigMapListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Õ
+=/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}/status“ó
+apps_v1&read status of the specified DaemonSet*#readAppsV1NamespacedDaemonSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jM
+x-kubernetes-group-version-kind*(kind: DaemonSet
+version: v1
+group: apps
+º
+apps_v1)replace status of the specified DaemonSet*&replaceAppsV1NamespacedDaemonSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.apps.v1.DaemonSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jœ

+
+401
+
+Unauthorized
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSetRhttpsjM
+x-kubernetes-group-version-kind*(kind: DaemonSet
+version: v1
+group: apps
+j
+x-kubernetes-actionput
+Bò
+apps_v12partially update status of the specified DaemonSet*$patchAppsV1NamespacedDaemonSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+J6
+42"0
pathname of the DaemonSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¼*
+V/apis/autoscaling/v2beta2/watch/namespaces/{namespace}/horizontalpodautoscalers/{name}á)­
+autoscaling_v2beta2¾
watch changes to an object of kind HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*8watchAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Û)
+1/apis/scheduling.k8s.io/v1/priorityclasses/{name}¥)ˆ
+
scheduling_v1 read the specified PriorityClass*readSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j^
+x-kubernetes-group-version-kind;9group: scheduling.k8s.io
+kind: PriorityClass
+version: v1
+ã
+
scheduling_v1#replace the specified PriorityClass* replaceSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ
+H
+Fbodybody 
*6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J°

+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClass
+L
+201E
+C
+Created8
+6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClass
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: scheduling.k8s.io
+kind: PriorityClass
+version: v1
+j
+x-kubernetes-actionput
+*š
+
scheduling_v1delete a PriorityClass*deleteSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j^
+x-kubernetes-group-version-kind;9group: scheduling.k8s.io
+kind: PriorityClass
+version: v1
+B‡
+
scheduling_v1,partially update the specified PriorityClass*patchSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j^
+x-kubernetes-group-version-kind;9kind: PriorityClass
+version: v1
+group: scheduling.k8s.io
+J:
+86"4
pathname of the PriorityClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ò(
+A/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/ingresses¬(¾
+
networking_v1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*&watchNetworkingV1NamespacedIngressList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jX
+x-kubernetes-group-version-kind53kind: Ingress
+version: v1
+group: networking.k8s.io
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

´'
+/api/v1/watch/nodesœ'�
+core_v1pwatch individual changes to a list of Node. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NodeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jF
+x-kubernetes-group-version-kind#!version: v1
+group: ""
+kind: Node
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

á`
+</apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions `‹'
+apiextensions_v1beta16list or watch objects of kind CustomResourceDefinition*0listApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J–

+{
+200t
+r
+OKl
+j
+h#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jq
+x-kubernetes-group-version-kindNLversion: v1beta1
+group: apiextensions.k8s.io
+kind: CustomResourceDefinition
+"ž
+apiextensions_v1beta1!create a CustomResourceDefinition*2createApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bz
+x
+vbodybody 
*f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J�
+w
+200p
+n
+OKh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+|
+201u
+s
+Createdh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+}
+202v
+t
+Acceptedh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsjq
+x-kubernetes-group-version-kindNLkind: CustomResourceDefinition
+version: v1beta1
+group: apiextensions.k8s.io
+j
+x-kubernetes-actionpost
+*�-
+apiextensions_v1beta1-delete collection of CustomResourceDefinition*<deleteApiextensionsV1beta1CollectionCustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjq
+x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1beta1
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Û
+G/apis/extensions/v1beta1/namespaces/{namespace}/ingresses/{name}/status�—
+extensions_v1beta1$read status of the specified Ingress*,readExtensionsV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+ð
+extensions_v1beta1'replace status of the specified Ingress*/replaceExtensionsV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.extensions.v1beta1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsjV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+j
+x-kubernetes-actionput
+B–
+extensions_v1beta10partially update status of the specified Ingress*-patchExtensionsV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+
+401
+
+Unauthorized
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.IngressRhttpsjV
+x-kubernetes-group-version-kind31kind: Ingress
+version: v1beta1
+group: extensions
+j
+x-kubernetes-actionpatch
+J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¬
+I/apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses/{name}/statusÞŠ
+
networking_v1$read status of the specified Ingress*'readNetworkingV1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jX
+x-kubernetes-group-version-kind53group: networking.k8s.io
+kind: Ingress
+version: v1
+Ù
+
networking_v1'replace status of the specified Ingress**replaceNetworkingV1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.networking.v1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¤

+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+
+401
+
+UnauthorizedRhttpsjX
+x-kubernetes-group-version-kind53group: networking.k8s.io
+kind: Ingress
+version: v1
+j
+x-kubernetes-actionput
+B‰
+
networking_v10partially update status of the specified Ingress*(patchNetworkingV1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+
+401
+
+UnauthorizedRhttpsjX
+x-kubernetes-group-version-kind53kind: Ingress
+version: v1
+group: networking.k8s.io
+j
+x-kubernetes-actionpatch
+J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ï
+/apis/autoscaling/v1/ÕÒ
+autoscaling_v1get available resources*getAutoscalingV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps‚-
+P/apis/autoscaling/v2beta2/namespaces/{namespace}/horizontalpodautoscalers/{name}­,Ë
+autoscaling_v2beta2*read the specified HorizontalPodAutoscaler*7readAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jr
+
+401
+
+Unauthorized
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerRhttpsj
+x-kubernetes-actionget
+jg
+x-kubernetes-group-version-kindDBversion: v2beta2
+group: autoscaling
+kind: HorizontalPodAutoscaler
+Æ	
+autoscaling_v2beta2-replace the specified HorizontalPodAutoscaler*:replaceAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ
+X
+Vbodybody 
*F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÐ

+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+\
+201U
+S
+CreatedH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+*Í
+autoscaling_v2beta2 delete a HorizontalPodAutoscaler*9deleteAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+BÊ
+autoscaling_v2beta26partially update the specified HorizontalPodAutoscaler*8patchAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jr
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ô)
+L/apis/coordination.k8s.io/v1beta1/watch/namespaces/{namespace}/leases/{name}£)�
+coordination_v1beta1¬
watch changes to an object of kind Lease. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*'watchCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j]
+x-kubernetes-group-version-kind:8kind: Lease
+version: v1beta1
+group: coordination.k8s.io
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J2
+0.",
pathname of the Lease"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¦(
+3/apis/discovery.k8s.io/v1beta1/watch/endpointslicesî'â
+discovery_v1beta1ywatch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.*6watchDiscoveryV1beta1EndpointSliceListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=group: discovery.k8s.io
+kind: EndpointSlice
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¼^
+@/apis/networking.k8s.io/v1beta1/namespaces/{namespace}/ingresses÷]§&
+networking_v1beta1%list or watch objects of kind Ingress*&listNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Je
+
+401
+
+Unauthorized
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.networking.v1beta1.IngressListRhttpsj
+x-kubernetes-actionlist
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+"©	
+networking_v1beta1create an Ingress*(createNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.networking.v1beta1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jü

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+L
+202E
+C
+Accepted7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+j
+x-kubernetes-actionpost
+*ë,
+networking_v1beta1delete collection of Ingress*2deleteNetworkingV1beta1CollectionNamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

©0
+'/api/v1/namespaces/{namespace}/servicesý/ò%
+core_v1%list or watch objects of kind Service*listCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.core.v1.ServiceList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+"Ò
+core_v1create a Service*createCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B>
+<
+:bodybody 
**
+(#/definitions/io.k8s.api.core.v1.ServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÛ

+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+@
+2019
+7
+Created,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+A
+202:
+8
+Accepted,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

È'
+/api/v1/watch/namespaces«'Ÿ
+core_v1uwatch individual changes to a list of Namespace. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NamespaceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ó(
+1/api/v1/watch/namespaces/{namespace}/podtemplates�(¯
+core_v1wwatch individual changes to a list of PodTemplate. deprecated: use the 'watch' parameter with a list operation instead.*$watchCoreV1NamespacedPodTemplateList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jM
+x-kubernetes-group-version-kind*(group: ""
+kind: PodTemplate
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

À'
+/api/v1/watch/pods©'�
+core_v1owatch individual changes to a list of Pod. deprecated: use the 'watch' parameter with a list operation instead.*"watchCoreV1PodListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjE
+x-kubernetes-group-version-kind" kind: Pod
+version: v1
+group: ""
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¿(
+=/apis/certificates.k8s.io/v1/watch/certificatesigningrequestsý'ñ
+certificates_v1…
watch individual changes to a list of CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead.*0watchCertificatesV1CertificateSigningRequestList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

÷
+N/apis/networking.k8s.io/v1beta1/namespaces/{namespace}/ingresses/{name}/status¤ž
+networking_v1beta1$read status of the specified Ingress*,readNetworkingV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j]
+x-kubernetes-group-version-kind:8kind: Ingress
+version: v1beta1
+group: networking.k8s.io
+÷
+networking_v1beta1'replace status of the specified Ingress*/replaceNetworkingV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.networking.v1beta1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j]
+x-kubernetes-group-version-kind:8version: v1beta1
+group: networking.k8s.io
+kind: Ingress
+B�
+networking_v1beta10partially update status of the specified Ingress*-patchNetworkingV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8version: v1beta1
+group: networking.k8s.io
+kind: Ingress
+j
+x-kubernetes-actionpatch
+J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ÿ)
+L/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/rolebindingsÎ(à
+rbacAuthorization_v1wwatch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*1watchRbacAuthorizationV1NamespacedRoleBindingList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‡(
+0/apis/scheduling.k8s.io/v1/watch/priorityclassesÒ'Æ
+
scheduling_v1ywatch individual changes to a list of PriorityClass. deprecated: use the 'watch' parameter with a list operation instead.*"watchSchedulingV1PriorityClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: scheduling.k8s.io
+kind: PriorityClass
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ü(
+*/apis/node.k8s.io/v1/runtimeclasses/{name}­(ì
+node_v1read the specified RuntimeClass*readNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.node.v1.RuntimeClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jW
+x-kubernetes-group-version-kind42version: v1
+group: node.k8s.io
+kind: RuntimeClass
+¹
+node_v1"replace the specified RuntimeClass*replaceNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.node.v1.RuntimeClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¢

+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.node.v1.RuntimeClass
+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.node.v1.RuntimeClass
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42version: v1
+group: node.k8s.io
+kind: RuntimeClass
+j
+x-kubernetes-actionput
+*…
+node_v1delete a RuntimeClass*deleteNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jW
+x-kubernetes-group-version-kind42group: node.k8s.io
+kind: RuntimeClass
+version: v1
+Bë
+node_v1+partially update the specified RuntimeClass*patchNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.node.v1.RuntimeClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jW
+x-kubernetes-group-version-kind42version: v1
+group: node.k8s.io
+kind: RuntimeClass
+J9
+75"3
pathname of the RuntimeClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ç(
+,/api/v1/namespaces/{namespace}/events/{name}–(Ñ
+core_v1read the specified Event*readCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JT
+9
+2002
+0
+OK*
+(
+&#/definitions/io.k8s.api.core.v1.Event
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jG
+x-kubernetes-group-version-kind$"version: v1
+group: ""
+kind: Event
+�
+core_v1replace the specified Event*replaceCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B<
+:
+8bodybody 
*(
+&#/definitions/io.k8s.api.core.v1.EventBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J”

+9
+2002
+0
+OK*
+(
+&#/definitions/io.k8s.api.core.v1.Event
+>
+2017
+5
+Created*
+(
+&#/definitions/io.k8s.api.core.v1.Event
+
+401
+
+UnauthorizedRhttpsjG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+j
+x-kubernetes-actionput
+*ò
+core_v1delete an Event*deleteCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+j 
+x-kubernetes-action	delete
+BÐ
+core_v1$partially update the specified Event*patchCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JT
+9
+2002
+0
+OK*
+(
+&#/definitions/io.k8s.api.core.v1.Event
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+J2
+0.",
pathname of the Event"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

à)
+G/apis/coordination.k8s.io/v1/watch/namespaces/{namespace}/leases/{name}”)ò
+coordination_v1¬
watch changes to an object of kind Lease. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J2
+0.",
pathname of the Lease"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

’(
+./apis/coordination.k8s.io/v1beta1/watch/leasesß'Ó
+coordination_v1beta1qwatch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.*1watchCoordinationV1beta1LeaseListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ã
+/apis/networking.k8s.io/ÆÃ
+
+networkingget information of a group*getNetworkingAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsÑ
+/apis/node.k8s.io/º·
+nodeget information of a group*getNodeAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsÍ&
+/api/v1/pods¼&°
+core_v1!list or watch objects of kind Pod*listCoreV1PodForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JV
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.PodList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ì\
+*/apis/batch/v1/namespaces/{namespace}/jobs�\è%
+batch_v1!list or watch objects of kind Job*listBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

JW
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.JobList
+
+401
+
+UnauthorizedRhttpsjH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+j
+x-kubernetes-actionlist
+"¿
+batch_v1create a Job*createBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B;
+9
+7bodybody 
*'
+%#/definitions/io.k8s.api.batch.v1.JobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÒ

+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+=
+2016
+4
+Created)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+>
+2027
+5
+Accepted)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+*º,
+batch_v1delete collection of Job*$deleteBatchV1CollectionNamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Õ)
+I/apis/certificates.k8s.io/v1beta1/watch/certificatesigningrequests/{name}‡)³
+certificates_v1beta1À
watch changes to an object of kind CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*1watchCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jq
+x-kubernetes-group-version-kindNLversion: v1beta1
+group: certificates.k8s.io
+kind: CertificateSigningRequest
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JF
+DB"@
path%name of the CertificateSigningRequest"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ä+
+K/apis/discovery.k8s.io/v1beta1/namespaces/{namespace}/endpointslices/{name}ô*¢
+discovery_v1beta1 read the specified EndpointSlice*+readDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jf
+
+401
+
+Unauthorized
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceRhttpsjb
+x-kubernetes-group-version-kind?=kind: EndpointSlice
+version: v1beta1
+group: discovery.k8s.io
+j
+x-kubernetes-actionget
+…	
+discovery_v1beta1#replace the specified EndpointSlice*.replaceDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¸

+P
+201I
+G
+Created<
+:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice
+
+401
+
+Unauthorized
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceRhttpsj
+x-kubernetes-actionput
+jb
+x-kubernetes-group-version-kind?=kind: EndpointSlice
+version: v1beta1
+group: discovery.k8s.io
+*±
+discovery_v1beta1delete an EndpointSlice*-deleteDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jb
+x-kubernetes-group-version-kind?=group: discovery.k8s.io
+kind: EndpointSlice
+version: v1beta1
+B¡
+discovery_v1beta1,partially update the specified EndpointSlice*,patchDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jf
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jb
+x-kubernetes-group-version-kind?=group: discovery.k8s.io
+kind: EndpointSlice
+version: v1beta1
+J:
+86"4
pathname of the EndpointSlice"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

�
+6/apis/authorization.k8s.io/v1/selfsubjectaccessreviewsÔ
+"Æ
+authorization_v1 create a SelfSubjectAccessReview*,createAuthorizationV1SelfSubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BW
+U
+Sbodybody 
*C
+A#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReviewJ¦
+T
+200M
+K
+OKE
+C
+A#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview
+Y
+201R
+P
+CreatedE
+C
+A#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview
+Z
+202S
+Q
+AcceptedE
+C
+A#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jk
+x-kubernetes-group-version-kindHFgroup: authorization.k8s.io
+kind: SelfSubjectAccessReview
+version: v1
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¦
+ /api/v1/componentstatuses/{name}�ï
+core_v1"read the specified ComponentStatus*readCoreV1ComponentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.core.v1.ComponentStatus
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: ComponentStatus
+version: v1
+J<
+:8"6
pathname of the ComponentStatus"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

á
+/apis/node.k8s.io/v1/ÇÄ
+node_v1get available resources*getNodeV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps°(
+:/apis/rbac.authorization.k8s.io/v1beta1/watch/clusterrolesñ'å
+rbacAuthorization_v1beta1wwatch individual changes to a list of ClusterRole. deprecated: use the 'watch' parameter with a list operation instead.*,watchRbacAuthorizationV1beta1ClusterRoleList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ì(
+./api/v1/namespaces/{namespace}/services/{name}¹(Ù
+core_v1read the specified Service*readCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JV
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jI
+x-kubernetes-group-version-kind&$kind: Service
+version: v1
+group: ""
+œ
+core_v1replace the specified Service*replaceCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B>
+<
+:bodybody 
**
+(#/definitions/io.k8s.api.core.v1.ServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J˜

+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+@
+2019
+7
+Created,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+*÷
+core_v1delete a Service*deleteCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+j 
+x-kubernetes-action	delete
+BØ
+core_v1&partially update the specified Service*patchCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JV
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+J4
+20".
pathname of the Service"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

–]
+4/apis/events.k8s.io/v1/namespaces/{namespace}/eventsÝ\û%
+	events_v1#list or watch objects of kind Event*listEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.events.v1.EventList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+"Ü
+	events_v1create an Event*createEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B>
+<
+:bodybody 
**
+(#/definitions/io.k8s.api.events.v1.EventBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÛ

+@
+2019
+7
+Created,
+*
+(#/definitions/io.k8s.api.events.v1.Event
+A
+202:
+8
+Accepted,
+*
+(#/definitions/io.k8s.api.events.v1.Event
+
+401
+
+Unauthorized
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.events.v1.EventRhttpsj
+x-kubernetes-actionpost
+jR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+*Ê,
+	events_v1delete collection of Event*'deleteEventsV1CollectionNamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

—(
+4/apis/networking.k8s.io/v1beta1/watch/ingressclassesÞ'Ò
+networking_v1beta1xwatch individual changes to a list of IngressClass. deprecated: use the 'watch' parameter with a list operation instead.*&watchNetworkingV1beta1IngressClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=kind: IngressClass
+version: v1beta1
+group: networking.k8s.io
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ë'
+)/apis/node.k8s.io/v1/watch/runtimeclasses½'±
+node_v1xwatch individual changes to a list of RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead.*watchNodeV1RuntimeClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jW
+x-kubernetes-group-version-kind42version: v1
+group: node.k8s.io
+kind: RuntimeClass
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

À(
+)/apis/storage.k8s.io/v1/csidrivers/{name}’(ì
+
+storage_v1read the specified CSIDriver*readStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriver
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: storage.k8s.io
+kind: CSIDriver
+version: v1
+j
+x-kubernetes-actionget
+¹
+
+storage_v1replace the specified CSIDriver*replaceStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.storage.v1.CSIDriverBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¢

+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriver
+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriver
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jW
+x-kubernetes-group-version-kind42group: storage.k8s.io
+kind: CSIDriver
+version: v1
+*í
+
+storage_v1delete a CSIDriver*deleteStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J£

+F
+202?
+=
+Accepted1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriver
+
+401
+
+Unauthorized
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriverRhttpsj 
+x-kubernetes-action	delete
+jW
+x-kubernetes-group-version-kind42group: storage.k8s.io
+kind: CSIDriver
+version: v1
+Bë
+
+storage_v1(partially update the specified CSIDriver*patchStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriver
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jW
+x-kubernetes-group-version-kind42group: storage.k8s.io
+kind: CSIDriver
+version: v1
+J6
+42"0
pathname of the CSIDriver"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ÿ&
+/api/v1/resourcequotasä&Ø
+core_v1+list or watch objects of kind ResourceQuota*'listCoreV1ResourceQuotaForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.core.v1.ResourceQuotaList
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

 )
+0/api/v1/watch/namespaces/{namespace}/pods/{name}ë(Ë
+core_v1ª
watch changes to an object of kind Pod. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsjE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J0
+.,"*
pathname of the Pod"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ÿ
+/apis/authentication.k8s.io/v1/ÛØ
+authentication_v1get available resources*getAuthenticationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttpsŒ)
+5/apis/batch/v1/namespaces/{namespace}/cronjobs/{name}Ò(ß
+batch_v1read the specified CronJob*readBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JW
+
+401
+
+Unauthorized
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.CronJobRhttpsj
+x-kubernetes-actionget
+jL
+x-kubernetes-group-version-kind)'kind: CronJob
+version: v1
+group: batch
+¤
+batch_v1replace the specified CronJob*replaceBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B?
+=
+;bodybody 
*+
+)#/definitions/io.k8s.api.batch.v1.CronJobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jš

+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+A
+201:
+8
+Created-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+*ü
+batch_v1delete a CronJob*deleteBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+j 
+x-kubernetes-action	delete
+BÞ
+batch_v1&partially update the specified CronJob*patchBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JW
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+J4
+20".
pathname of the CronJob"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ß(
+4/api/v1/watch/namespaces/{namespace}/serviceaccounts¦(¸
+core_v1zwatch individual changes to a list of ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead.*'watchCoreV1NamespacedServiceAccountList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jP
+x-kubernetes-group-version-kind-+group: ""
+kind: ServiceAccount
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ã(
+-/api/v1/watch/namespaces/{namespace}/services‘(£
+core_v1swatch individual changes to a list of Service. deprecated: use the 'watch' parameter with a list operation instead.* watchCoreV1NamespacedServiceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jI
+x-kubernetes-group-version-kind&$version: v1
+group: ""
+kind: Service
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‹
+#/apis/apiextensions.k8s.io/v1beta1/ãà
+apiextensions_v1beta1get available resources*#getApiextensionsV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsö
+/apis/events.k8s.io/v1beta1/ÕÒ
+events_v1beta1get available resources*getEventsV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsù(
+6/apis/networking.k8s.io/v1/watch/ingressclasses/{name}¾(÷
+
networking_v1³
watch changes to an object of kind IngressClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J9
+75"3
pathname of the IngressClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

”*
+M/apis/policy/v1beta1/watch/namespaces/{namespace}/poddisruptionbudgets/{name}Â)’
+policy_v1beta1º
watch changes to an object of kind PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*/watchPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J@
+><":
pathname of the PodDisruptionBudget"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

€)
+-/apis/storage.k8s.io/v1/storageclasses/{name}Î(ø
+
+storage_v1read the specified StorageClass*readStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+Ë
+
+storage_v1"replace the specified StorageClass*replaceStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF
+D
+Bbodybody 
*2
+0#/definitions/io.k8s.api.storage.v1.StorageClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¨

+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+H
+201A
+?
+Created4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+*ü
+
+storage_v1delete a StorageClass*deleteStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J©

+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+I
+202B
+@
+Accepted4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+
+401
+
+UnauthorizedRhttpsjZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+j 
+x-kubernetes-action	delete
+B÷
+
+storage_v1+partially update the specified StorageClass*patchStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+J9
+75"3
pathname of the StorageClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ý]
+./apis/storage.k8s.io/v1beta1/volumeattachmentsÊ]µ&
+storage_v1beta1.list or watch objects of kind VolumeAttachment*"listStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jc
+x-kubernetes-group-version-kind@>group: storage.k8s.io
+kind: VolumeAttachment
+version: v1beta1
+"È	
+storage_v1beta1create a VolumeAttachment*$createStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO
+M
+Kbodybody 
*;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JŽ
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+Q
+201J
+H
+Created=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: storage.k8s.io
+kind: VolumeAttachment
+version: v1beta1
+j
+x-kubernetes-actionpost
+*ó,
+storage_v1beta1%delete collection of VolumeAttachment*.deleteStorageV1beta1CollectionVolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: storage.k8s.io
+kind: VolumeAttachment
+version: v1beta1
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ý)
+5/api/v1/namespaces/{namespace}/serviceaccounts/{name}£)õ
+core_v1!read the specified ServiceAccount*"readCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J]
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jP
+x-kubernetes-group-version-kind-+version: v1
+group: ""
+kind: ServiceAccount
+Æ
+core_v1$replace the specified ServiceAccount*%replaceCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BE
+C
+Abodybody 
*1
+/#/definitions/io.k8s.api.core.v1.ServiceAccountBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¦

+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+G
+201@
+>
+Created3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jP
+x-kubernetes-group-version-kind-+kind: ServiceAccount
+version: v1
+group: ""
+*ø
+core_v1delete a ServiceAccount*$deleteCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J§

+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+H
+202A
+?
+Accepted3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+group: ""
+kind: ServiceAccount
+version: v1
+j 
+x-kubernetes-action	delete
+Bô
+core_v1-partially update the specified ServiceAccount*#patchCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J]
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+group: ""
+kind: ServiceAccount
+version: v1
+j
+x-kubernetes-actionpatch
+J;
+97"5
pathname of the ServiceAccount"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

»(
++/api/v1/watch/namespaces/{namespace}/events‹(�
+core_v1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NamespacedEventList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ë*
+?/apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}‡*‡
+apps_v1%read the specified ControllerRevision*&readAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevision
+
+401
+
+UnauthorizedRhttpsjV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+j
+x-kubernetes-actionget
+à
+apps_v1(replace the specified ControllerRevision*)replaceAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevisionBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevision
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevision
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jV
+x-kubernetes-group-version-kind31kind: ControllerRevision
+version: v1
+group: apps
+*š
+apps_v1delete a ControllerRevision*(deleteAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+B†
+apps_v11partially update the specified ControllerRevision*'patchAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevision
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+J?
+=;"9
pathname of the ControllerRevision"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

–'
+$/apis/networking.k8s.io/v1/ingressesí&á
+
networking_v1%list or watch objects of kind Ingress*'listNetworkingV1IngressForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.networking.v1.IngressList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jX
+x-kubernetes-group-version-kind53version: v1
+group: networking.k8s.io
+kind: Ingress
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

å
+>/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/status¢÷
+apps_v1'read status of the specified ReplicaSet*$readAppsV1NamespacedReplicaSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+À
+apps_v1*replace status of the specified ReplicaSet*'replaceAppsV1NamespacedReplicaSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.apps.v1.ReplicaSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jž

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)version: v1
+group: apps
+kind: ReplicaSet
+j
+x-kubernetes-actionput
+Bö
+apps_v13partially update status of the specified ReplicaSet*%patchAppsV1NamespacedReplicaSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+J7
+53"1
pathname of the ReplicaSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ó)
+E/apis/apps/v1/watch/namespaces/{namespace}/controllerrevisions/{name}©)ú
+apps_v1¹
watch changes to an object of kind ControllerRevision. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*'watchAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj
+x-kubernetes-actionwatch
+jV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J?
+=;"9
pathname of the ControllerRevision"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

æ'
+#/apis/events.k8s.io/v1/watch/events¾'²
+	events_v1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*&watchEventsV1EventListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ó
+/apis/scheduling.k8s.io/v1/ÓÐ
+
scheduling_v1get available resources*getSchedulingV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttpsŒ
+"/.well-known/openid-configuration/å
â

+	WellKnownWget service account issuer OpenID configuration, also known as the 'OIDC discovery doc'**getServiceAccountIssuerOpenIDConfiguration2application/jsonJ7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsö'
+*/api/v1/namespaces/{namespace}/pods/{name}Ç'É
+core_v1read the specified Pod*readCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JR
+7
+2000
+.
+OK(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+
+401
+
+UnauthorizedRhttpsjE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+j
+x-kubernetes-actionget
+„
+core_v1replace the specified Pod*replaceCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B:
+8
+6bodybody 
*&
+$#/definitions/io.k8s.api.core.v1.PodBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J�

+7
+2000
+.
+OK(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+<
+2015
+3
+Created(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+
+401
+
+UnauthorizedRhttpsjE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+j
+x-kubernetes-actionput
+*Á
+core_v1delete a Pod*deleteCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J‘

+7
+2000
+.
+OK(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+=
+2026
+4
+Accepted(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+BÈ
+core_v1"partially update the specified Pod*patchCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JR
+7
+2000
+.
+OK(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+
+401
+
+UnauthorizedRhttpsjE
+x-kubernetes-group-version-kind" version: v1
+group: ""
+kind: Pod
+j
+x-kubernetes-actionpatch
+J0
+.,"*
pathname of the Pod"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

­
+3/api/v1/namespaces/{namespace}/pods/{name}/evictionõ
+"Î
+core_v1create eviction of a Pod*!createCoreV1NamespacedPodEviction2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF
+D
+Bbodybody 
*2
+0#/definitions/io.k8s.api.policy.v1beta1.EvictionJó

+
+401
+
+Unauthorized
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.policy.v1beta1.Eviction
+H
+201A
+?
+Created4
+2
+0#/definitions/io.k8s.api.policy.v1beta1.Eviction
+I
+202B
+@
+Accepted4
+2
+0#/definitions/io.k8s.api.policy.v1beta1.EvictionRhttpsj
+x-kubernetes-actionpost
+jS
+x-kubernetes-group-version-kind0.group: policy
+kind: Eviction
+version: v1beta1
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J5
+31"/
pathname of the Eviction"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ª
+;/api/v1/namespaces/{namespace}/services/{name}/proxy/{path}ê§
+core_v1(connect GET requests to proxy of Service*.connectCoreV1GetNamespacedServiceProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20kind: ServiceProxyOptions
+version: v1
+group: ""
+§
+core_v1(connect PUT requests to proxy of Service*.connectCoreV1PutNamespacedServiceProxyWithPath2*/*:*/*J7
+
+401
+
+Unauthorized
+
+200
+
+OK
+²

+stringRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+"©
+core_v1)connect POST requests to proxy of Service*/connectCoreV1PostNamespacedServiceProxyWithPath2*/*:*/*J7
+
+401
+
+Unauthorized
+
+200
+
+OK
+²

+stringRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+*­
+core_v1+connect DELETE requests to proxy of Service*1connectCoreV1DeleteNamespacedServiceProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+2¯
+core_v1,connect OPTIONS requests to proxy of Service*2connectCoreV1OptionsNamespacedServiceProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+:©
+core_v1)connect HEAD requests to proxy of Service*/connectCoreV1HeadNamespacedServiceProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+B«
+core_v1*connect PATCH requests to proxy of Service*0connectCoreV1PatchNamespacedServiceProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+J@
+><":
pathname of the ServiceProxyOptions"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

J5
+31"/
pathpath to the resource"path*string˜

JÐ
+ÍÊÇquery¬Path is the part of URLs that include service endpoints, suffixes, and parameters to use for the current proxy request to service. For example, the whole request URL is http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. Path is _search?q=user:kimchy."path2string 

û*
+=/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}¹*¬
+rbacAuthorization_v1%read the specified ClusterRoleBinding*)readRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jk
+x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1
+…	
+rbacAuthorization_v1(replace the specified ClusterRoleBinding*,replaceRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBindingBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jk
+x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1
+*¿
+rbacAuthorization_v1delete a ClusterRoleBinding*+deleteRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjk
+x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1
+j 
+x-kubernetes-action	delete
+B«
+rbacAuthorization_v11partially update the specified ClusterRoleBinding**patchRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jk
+x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1
+J?
+=;"9
pathname of the ClusterRoleBinding"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¿^
+5/api/v1/namespaces/{namespace}/persistentvolumeclaims…^ª&
+core_v13list or watch objects of kind PersistentVolumeClaim*)listCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jh
+M
+200F
+D
+OK>
+<
+:#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimList
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42version: v1
+group: ""
+kind: PersistentVolumeClaim
+j
+x-kubernetes-actionlist
+"´	
+core_v1create a PersistentVolumeClaim*+createCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J…
+
+401
+
+Unauthorized
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+O
+202H
+F
+Accepted:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimRhttpsj
+x-kubernetes-actionpost
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+*ë,
+core_v1*delete collection of PersistentVolumeClaim*5deleteCoreV1CollectionNamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ó(
+B/apis/certificates.k8s.io/v1beta1/watch/certificatesigningrequestsŒ(€
+certificates_v1beta1…
watch individual changes to a list of CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead.*5watchCertificatesV1beta1CertificateSigningRequestList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ÿ
+/apis/discovery.k8s.io/v1beta1/ÛØ
+discovery_v1beta1get available resources*getDiscoveryV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps¡'
+"/apis/extensions/v1beta1/ingressesú&î
+extensions_v1beta1%list or watch objects of kind Ingress*,listExtensionsV1beta1IngressForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.extensions.v1beta1.IngressList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

 '
+!/apis/apps/v1/controllerrevisionsú&î
+apps_v10list or watch objects of kind ControllerRevision*,listAppsV1ControllerRevisionForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.apps.v1.ControllerRevisionList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

—(
+0/apis/networking.k8s.io/v1/watch/networkpoliciesâ'Ö
+
networking_v1ywatch individual changes to a list of NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead.*2watchNetworkingV1NetworkPolicyListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: networking.k8s.io
+kind: NetworkPolicy
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

—)
+J/apis/rbac.authorization.k8s.io/v1beta1/watch/namespaces/{namespace}/rolesÈ(Ú
+rbacAuthorization_v1beta1pwatch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.*/watchRbacAuthorizationV1beta1NamespacedRoleList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=kind: Role
+version: v1beta1
+group: rbac.authorization.k8s.io
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

·*
+5/apis/storage.k8s.io/v1beta1/volumeattachments/{name}ý)œ
+storage_v1beta1#read the specified VolumeAttachment*"readStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: storage.k8s.io
+kind: VolumeAttachment
+version: v1beta1
+j
+x-kubernetes-actionget
+�	
+storage_v1beta1&replace the specified VolumeAttachment*%replaceStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO
+M
+Kbodybody 
*;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jº

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+Q
+201J
+H
+Created=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: storage.k8s.io
+kind: VolumeAttachment
+version: v1beta1
+j
+x-kubernetes-actionput
+*©
+storage_v1beta1delete a VolumeAttachment*$deleteStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jc
+x-kubernetes-group-version-kind@>group: storage.k8s.io
+kind: VolumeAttachment
+version: v1beta1
+B›
+storage_v1beta1/partially update the specified VolumeAttachment*#patchStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>version: v1beta1
+group: storage.k8s.io
+kind: VolumeAttachment
+j
+x-kubernetes-actionpatch
+J=
+;9"7
pathname of the VolumeAttachment"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ª)
+2/api/v1/watch/namespaces/{namespace}/events/{name}ó(Ñ
+core_v1¬
watch changes to an object of kind Event. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J2
+0.",
pathname of the Event"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

»(
+/api/v1/watch/namespaces/{name}—(Ó
+core_v1°
watch changes to an object of kind Namespace. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj
+x-kubernetes-actionwatch
+jK
+x-kubernetes-group-version-kind(&kind: Namespace
+version: v1
+group: ""
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J6
+42"0
pathname of the Namespace"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

„
+#/apis/admissionregistration.k8s.io/ÜÙ
+admissionregistrationget information of a group* getAdmissionregistrationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps÷)
+M/apis/networking.k8s.io/v1beta1/watch/namespaces/{namespace}/ingresses/{name}¥)�
+networking_v1beta1®
watch changes to an object of kind Ingress. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*'watchNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ù
+ /apis/rbac.authorization.k8s.io/ÔÑ
+rbacAuthorizationget information of a group*getRbacAuthorizationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsÝ(
+//apis/storage.k8s.io/v1/watch/csidrivers/{name}©(å
+
+storage_v1°
watch changes to an object of kind CSIDriver. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jW
+x-kubernetes-group-version-kind42group: storage.k8s.io
+kind: CSIDriver
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J6
+42"0
pathname of the CSIDriver"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ÿ'
+*/apis/networking.k8s.io/v1/watch/ingressesÐ'Ä
+
networking_v1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*,watchNetworkingV1IngressListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jX
+x-kubernetes-group-version-kind53group: networking.k8s.io
+kind: Ingress
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ð]
+./apis/networking.k8s.io/v1beta1/ingressclasses½]±&
+networking_v1beta1*list or watch objects of kind IngressClass*!listNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jj
+O
+200H
+F
+OK@
+>
+<#/definitions/io.k8s.api.networking.v1beta1.IngressClassList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jb
+x-kubernetes-group-version-kind?=group: networking.k8s.io
+kind: IngressClass
+version: v1beta1
+"Â	
+networking_v1beta1create an IngressClass*#createNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J‹
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClass
+P
+201I
+G
+Created<
+:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClass
+Q
+202J
+H
+Accepted<
+:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jb
+x-kubernetes-group-version-kind?=group: networking.k8s.io
+kind: IngressClass
+version: v1beta1
+*ð,
+networking_v1beta1!delete collection of IngressClass*-deleteNetworkingV1beta1CollectionIngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=group: networking.k8s.io
+kind: IngressClass
+version: v1beta1
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

…*
+Q/apis/rbac.authorization.k8s.io/v1beta1/watch/namespaces/{namespace}/roles/{name}¯)Ž
+rbacAuthorization_v1beta1«
watch changes to an object of kind Role. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*+watchRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J1
+/-"+
pathname of the Role"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ƒ)
+N/apis/admissionregistration.k8s.io/v1beta1/watch/mutatingwebhookconfigurations°(¤
+admissionregistration_v1beta1ˆ
watch individual changes to a list of MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*AwatchAdmissionregistrationV1beta1MutatingWebhookConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j}
+x-kubernetes-group-version-kindZXkind: MutatingWebhookConfiguration
+version: v1beta1
+group: admissionregistration.k8s.io
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

É(
+8/apis/autoscaling/v2beta1/watch/horizontalpodautoscalersŒ(€
+autoscaling_v2beta1ƒ
watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*BwatchAutoscalingV2beta1HorizontalPodAutoscalerListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

è
+0/api/v1/namespaces/{namespace}/pods/{name}/proxy³“
+core_v1$connect GET requests to proxy of Pod*"connectCoreV1GetNamespacedPodProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+“
+core_v1$connect PUT requests to proxy of Pod*"connectCoreV1PutNamespacedPodProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+"•
+core_v1%connect POST requests to proxy of Pod*#connectCoreV1PostNamespacedPodProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+*™
+core_v1'connect DELETE requests to proxy of Pod*%connectCoreV1DeleteNamespacedPodProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+2›
+core_v1(connect OPTIONS requests to proxy of Pod*&connectCoreV1OptionsNamespacedPodProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,version: v1
+group: ""
+kind: PodProxyOptions
+:•
+core_v1%connect HEAD requests to proxy of Pod*#connectCoreV1HeadNamespacedPodProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+B—
+core_v1&connect PATCH requests to proxy of Pod*$connectCoreV1PatchNamespacedPodProxy2*/*:*/*J7
+
+401
+
+Unauthorized
+
+200
+
+OK
+²

+stringRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+J<
+:8"6
pathname of the PodProxyOptions"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

Ja
+_][queryAPath is the URL path to use for the current proxy request to pod."path2string 

Ç]
+-/api/v1/namespaces/{namespace}/resourcequotas•]Š&
+core_v1+list or watch objects of kind ResourceQuota*!listCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.core.v1.ResourceQuotaList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+"ü
+core_v1create a ResourceQuota*#createCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.core.v1.ResourceQuotaBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jí

+G
+202@
+>
+Accepted2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+
+401
+
+Unauthorized
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuotaRhttpsj
+x-kubernetes-actionpost
+jO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+*Ó,
+core_v1"delete collection of ResourceQuota*-deleteCoreV1CollectionNamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

®'
+(/apis/discovery.k8s.io/v1/endpointslices�'õ
+discovery_v1+list or watch objects of kind EndpointSlice*,listDiscoveryV1EndpointSliceForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.discovery.v1.EndpointSliceList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¤(
+3/apis/rbac.authorization.k8s.io/v1beta1/watch/rolesì'à
+rbacAuthorization_v1beta1pwatch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.*5watchRbacAuthorizationV1beta1RoleListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Í

+	/version/¿
¼

+versionget the code version*getCodeVersion2application/json:application/jsonJ`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.apimachinery.pkg.version.Info
+
+401
+
+UnauthorizedRhttpsü
+/apis/apiextensions.k8s.io/v1/ÙÖ
+apiextensions_v1get available resources*getApiextensionsV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttpsÀ(
+1/apis/batch/v1/namespaces/{namespace}/jobs/{name}Š(Ï
+batch_v1read the specified Job*readBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+
+401
+
+UnauthorizedRhttpsjH
+x-kubernetes-group-version-kind%#version: v1
+group: batch
+kind: Job
+j
+x-kubernetes-actionget
+Œ
+batch_v1replace the specified Job*replaceBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B;
+9
+7bodybody 
*'
+%#/definitions/io.k8s.api.batch.v1.JobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J’

+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+=
+2016
+4
+Created)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+
+401
+
+UnauthorizedRhttpsjH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+j
+x-kubernetes-actionput
+*ð
+batch_v1delete a Job*deleteBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj 
+x-kubernetes-action	delete
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+BÎ
+batch_v1"partially update the specified Job*patchBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+J0
+.,"*
pathname of the Job"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¼,
+C/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/{name}ô+Ô
+certificates_v1beta1,read the specified CertificateSigningRequest*0readCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+Õ	
+certificates_v1beta1/replace the specified CertificateSigningRequest*3replaceCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B]
+[
+Ybodybody 
*I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÖ

+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+_
+201X
+V
+CreatedK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsjq
+x-kubernetes-group-version-kindNLkind: CertificateSigningRequest
+version: v1beta1
+group: certificates.k8s.io
+j
+x-kubernetes-actionput
+*Ó
+certificates_v1beta1"delete a CertificateSigningRequest*2deleteCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jq
+x-kubernetes-group-version-kindNLkind: CertificateSigningRequest
+version: v1beta1
+group: certificates.k8s.io
+BÓ
+certificates_v1beta18partially update the specified CertificateSigningRequest*1patchCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+JF
+DB"@
path%name of the CertificateSigningRequest"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‚

+/logs/{logpath}o8
+logs*logFileHandlerJ
+
+401
+
+UnauthorizedRhttpsJ3
+1/"-
pathpath to the log"logpath*string˜

�`
+I/apis/autoscaling/v2beta2/namespaces/{namespace}/horizontalpodautoscalersÏ_ä&
+autoscaling_v2beta25list or watch objects of kind HorizontalPodAutoscaler*7listAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jv
+[
+200T
+R
+OKL
+J
+H#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+"˜
+
+autoscaling_v2beta2 create a HorizontalPodAutoscaler*9createAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ
+X
+Vbodybody 
*F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¯
+
+401
+
+Unauthorized
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+\
+201U
+S
+CreatedH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+]
+202V
+T
+AcceptedH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerRhttpsjg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+j
+x-kubernetes-actionpost
+*—-
+autoscaling_v2beta2,delete collection of HorizontalPodAutoscaler*CdeleteAutoscalingV2beta2CollectionNamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

â'
+&/apis/storage.k8s.io/v1/watch/csinodes·'«
+
+storage_v1swatch individual changes to a list of CSINode. deprecated: use the 'watch' parameter with a list operation instead.*watchStorageV1CSINodeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jU
+x-kubernetes-group-version-kind20group: storage.k8s.io
+kind: CSINode
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ù
+/apis/storage.k8s.io/v1beta1/×Ô
+storage_v1beta1get available resources*getStorageV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttps‰
+C/api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}/statusÁ¡
+core_v12read status of the specified PersistentVolumeClaim*/readCoreV1NamespacedPersistentVolumeClaimStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+€	
+core_v15replace status of the specified PersistentVolumeClaim*2replaceCoreV1NamespacedPersistentVolumeClaimStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J´

+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+j
+x-kubernetes-actionput
+B 
+core_v1>partially update status of the specified PersistentVolumeClaim*0patchCoreV1NamespacedPersistentVolumeClaimStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+j
+x-kubernetes-actionpatch
+JB
+@>"<
path!name of the PersistentVolumeClaim"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

”
+&/apis/admissionregistration.k8s.io/v1/éæ
+admissionregistration_v1get available resources*&getAdmissionregistrationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsÓ(
+B/apis/apiextensions.k8s.io/v1beta1/watch/customresourcedefinitionsŒ(€
+apiextensions_v1beta1„
watch individual changes to a list of CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead.*5watchApiextensionsV1beta1CustomResourceDefinitionList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjq
+x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¼*
+V/apis/autoscaling/v2beta1/watch/namespaces/{namespace}/horizontalpodautoscalers/{name}á)­
+autoscaling_v2beta1¾
watch changes to an object of kind HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*8watchAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

õ'
+2/apis/autoscaling/v2beta1/horizontalpodautoscalers¾'²
+autoscaling_v2beta15list or watch objects of kind HorizontalPodAutoscaler*=listAutoscalingV2beta1HorizontalPodAutoscalerForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jv
+[
+200T
+R
+OKL
+J
+H#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

à
+G/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval”Ô
+certificates_v18read approval of the specified CertificateSigningRequest*3readCertificatesV1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsjl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+j
+x-kubernetes-actionget
+Ë	
+certificates_v1;replace approval of the specified CertificateSigningRequest*6replaceCertificatesV1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX
+V
+Tbodybody 
*D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÌ

+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+Z
+201S
+Q
+CreatedF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+BÓ
+certificates_v1Dpartially update approval of the specified CertificateSigningRequest*4patchCertificatesV1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+JF
+DB"@
path%name of the CertificateSigningRequest"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¯'
+$/apis/policy/v1/poddisruptionbudgets†'ú
+	policy_v11list or watch objects of kind PodDisruptionBudget*/listPolicyV1PodDisruptionBudgetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jh
+M
+200F
+D
+OK>
+<
+:#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

©]
++/api/v1/namespaces/{namespace}/podtemplatesù\‚&
+core_v1)list or watch objects of kind PodTemplate*listCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.core.v1.PodTemplateList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jM
+x-kubernetes-group-version-kind*(group: ""
+kind: PodTemplate
+version: v1
+"î
+core_v1create a PodTemplate*!createCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.core.v1.PodTemplateBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jç

+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+E
+202>
+<
+Accepted0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(group: ""
+kind: PodTemplate
+version: v1
+j
+x-kubernetes-actionpost
+*Í,
+core_v1 delete collection of PodTemplate*+deleteCoreV1CollectionNamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj*
+x-kubernetes-actiondeletecollection
+jM
+x-kubernetes-group-version-kind*(version: v1
+group: ""
+kind: PodTemplate
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ö*
+</api/v1/namespaces/{namespace}/replicationcontrollers/{name}µ*‘
+core_v1(read the specified ReplicationController*)readCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+j
+x-kubernetes-actionget
+ð
+core_v1+replace the specified ReplicationController*,replaceCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.core.v1.ReplicationControllerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J´

+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+*¡
+core_v1delete a ReplicationController*+deleteCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+B�
+core_v14partially update the specified ReplicationController**patchCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationController
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+JB
+@>"<
path!name of the ReplicationController"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

’*
+W/apis/admissionregistration.k8s.io/v1beta1/watch/validatingwebhookconfigurations/{name}¶)Ý
+admissionregistration_v1beta1Å
watch changes to an object of kind ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*?watchAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JK
+IG"E
path*name of the ValidatingWebhookConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‡
+5/apis/authorization.k8s.io/v1/selfsubjectrulesreviewsÍ
+"¿
+authorization_v1create a SelfSubjectRulesReview*+createAuthorizationV1SelfSubjectRulesReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BV
+T
+Rbodybody 
*B
+@#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewJ£
+
+401
+
+Unauthorized
+S
+200L
+J
+OKD
+B
+@#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview
+X
+201Q
+O
+CreatedD
+B
+@#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview
+Y
+202R
+P
+AcceptedD
+B
+@#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewRhttpsj
+x-kubernetes-actionpost
+jj
+x-kubernetes-group-version-kindGEgroup: authorization.k8s.io
+kind: SelfSubjectRulesReview
+version: v1
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

�)
+8/apis/storage.k8s.io/v1beta1/watch/storageclasses/{name}Ä(ý
+storage_v1beta1³
watch changes to an object of kind StorageClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j_
+x-kubernetes-group-version-kind<:group: storage.k8s.io
+kind: StorageClass
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J9
+75"3
pathname of the StorageClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

×)
+;/api/v1/watch/namespaces/{namespace}/serviceaccounts/{name}—)ì
+core_v1µ
watch changes to an object of kind ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*#watchCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+kind: ServiceAccount
+version: v1
+group: ""
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J;
+97"5
pathname of the ServiceAccount"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

÷(
+K/apis/admissionregistration.k8s.io/v1/watch/validatingwebhookconfigurations§(›
+admissionregistration_v1Š
watch individual changes to a list of ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*>watchAdmissionregistrationV1ValidatingWebhookConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjz
+x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

†_
+D/apis/discovery.k8s.io/v1beta1/namespaces/{namespace}/endpointslices½^»&
+discovery_v1beta1+list or watch objects of kind EndpointSlice*+listDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jj
+O
+200H
+F
+OK@
+>
+<#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jb
+x-kubernetes-group-version-kind?=group: discovery.k8s.io
+kind: EndpointSlice
+version: v1beta1
+"Ì	
+discovery_v1beta1create an EndpointSlice*-createDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J‹
+
+401
+
+Unauthorized
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice
+P
+201I
+G
+Created<
+:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice
+Q
+202J
+H
+Accepted<
+:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceRhttpsjb
+x-kubernetes-group-version-kind?=kind: EndpointSlice
+version: v1beta1
+group: discovery.k8s.io
+j
+x-kubernetes-actionpost
+*ú,
+discovery_v1beta1"delete collection of EndpointSlice*7deleteDiscoveryV1beta1CollectionNamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=kind: EndpointSlice
+version: v1beta1
+group: discovery.k8s.io
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

©^
+6/apis/rbac.authorization.k8s.io/v1/clusterrolebindingsî]Å&
+rbacAuthorization_v10list or watch objects of kind ClusterRoleBinding*)listRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.rbac.v1.ClusterRoleBindingList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jk
+x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1
+"Æ	
+rbacAuthorization_v1create a ClusterRoleBinding*+createRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBindingBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jü

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding
+L
+202E
+C
+Accepted7
+5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jk
+x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1
+*‰-
+rbacAuthorization_v1'delete collection of ClusterRoleBinding*5deleteRbacAuthorizationV1CollectionClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jk
+x-kubernetes-group-version-kindHFkind: ClusterRoleBinding
+version: v1
+group: rbac.authorization.k8s.io
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ð*
+</api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}¯*‘
+core_v1(read the specified PersistentVolumeClaim*)readCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+ð
+core_v1+replace the specified PersistentVolumeClaim*,replaceCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J´

+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+
+401
+
+Unauthorized
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+j
+x-kubernetes-actionput
+*›
+core_v1delete a PersistentVolumeClaim*+deleteCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Jµ

+O
+202H
+F
+Accepted:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+
+401
+
+Unauthorized
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+j 
+x-kubernetes-action	delete
+B�
+core_v14partially update the specified PersistentVolumeClaim**patchCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+j
+x-kubernetes-actionpatch
+JB
+@>"<
path!name of the PersistentVolumeClaim"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

½-
+J/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations/{name}î,ð
+admissionregistration_v1/read the specified MutatingWebhookConfiguration*7readAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J|
+a
+200Z
+X
+OKR
+P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jx
+x-kubernetes-group-version-kindUSkind: MutatingWebhookConfiguration
+version: v1
+group: admissionregistration.k8s.io
+ÿ	
+admissionregistration_v12replace the specified MutatingWebhookConfiguration*:replaceAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bd
+b
+`bodybody 
*P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jä

+f
+201_
+]
+CreatedR
+P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration
+
+401
+
+Unauthorized
+a
+200Z
+X
+OKR
+P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationRhttpsjx
+x-kubernetes-group-version-kindUSkind: MutatingWebhookConfiguration
+version: v1
+group: admissionregistration.k8s.io
+j
+x-kubernetes-actionput
+*è
+admissionregistration_v1%delete a MutatingWebhookConfiguration*9deleteAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jx
+x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1
+Bï
+admissionregistration_v1;partially update the specified MutatingWebhookConfiguration*8patchAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J|
+
+401
+
+Unauthorized
+a
+200Z
+X
+OKR
+P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationRhttpsj
+x-kubernetes-actionpatch
+jx
+x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1
+JI
+GE"C
path(name of the MutatingWebhookConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ä
+E/apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}/statusšî
+apiextensions_v15read status of the specified CustomResourceDefinition*1readApiextensionsV1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J�

+r
+200k
+i
+OKc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jl
+x-kubernetes-group-version-kindIGkind: CustomResourceDefinition
+version: v1
+group: apiextensions.k8s.io
+ž
+
+apiextensions_v18replace status of the specified CustomResourceDefinition*4replaceApiextensionsV1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bu
+s
+qbodybody 
*a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J†
+r
+200k
+i
+OKc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+w
+201p
+n
+Createdc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jl
+x-kubernetes-group-version-kindIGkind: CustomResourceDefinition
+version: v1
+group: apiextensions.k8s.io
+Bí
+apiextensions_v1Apartially update status of the specified CustomResourceDefinition*2patchApiextensionsV1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J�

+r
+200k
+i
+OKc
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsjl
+x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1
+j
+x-kubernetes-actionpatch
+JE
+CA"?
path$name of the CustomResourceDefinition"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

“(
+//apis/networking.k8s.io/v1beta1/watch/ingressesß'Ó
+networking_v1beta1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*1watchNetworkingV1beta1IngressListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

²]
+)/apis/storage.k8s.io/v1/volumeattachments„]¡&
+
+storage_v1.list or watch objects of kind VolumeAttachment*listStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jf
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.storage.v1.VolumeAttachmentList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j^
+x-kubernetes-group-version-kind;9version: v1
+group: storage.k8s.io
+kind: VolumeAttachment
+"¥	
+
+storage_v1create a VolumeAttachment*createStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ
+H
+Fbodybody 
*6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jÿ

+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+L
+201E
+C
+Created8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+M
+202F
+D
+Accepted8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: storage.k8s.io
+kind: VolumeAttachment
+version: v1
+j
+x-kubernetes-actionpost
+*ä,
+
+storage_v1%delete collection of VolumeAttachment*)deleteStorageV1CollectionVolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9kind: VolumeAttachment
+version: v1
+group: storage.k8s.io
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ä)
+2/apis/storage.k8s.io/v1beta1/storageclasses/{name}­)Œ
+storage_v1beta1read the specified StorageClass*readStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jc
+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j_
+x-kubernetes-group-version-kind<:group: storage.k8s.io
+kind: StorageClass
+version: v1beta1
+é
+storage_v1beta1"replace the specified StorageClass*!replaceStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BK
+I
+Gbodybody 
*7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J²

+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+M
+201F
+D
+Created9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j_
+x-kubernetes-group-version-kind<:group: storage.k8s.io
+kind: StorageClass
+version: v1beta1
+*•
+storage_v1beta1delete a StorageClass* deleteStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J³

+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+N
+202G
+E
+Accepted9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j_
+x-kubernetes-group-version-kind<:group: storage.k8s.io
+kind: StorageClass
+version: v1beta1
+B‹
+storage_v1beta1+partially update the specified StorageClass*patchStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jc
+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+
+401
+
+UnauthorizedRhttpsj_
+x-kubernetes-group-version-kind<:group: storage.k8s.io
+kind: StorageClass
+version: v1beta1
+j
+x-kubernetes-actionpatch
+J9
+75"3
pathname of the StorageClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ý\
+/api/v1/persistentvolumes¿\Œ&
+core_v1.list or watch objects of kind PersistentVolume*listCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jc
+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.core.v1.PersistentVolumeList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+"‡	
+core_v1create a PersistentVolume*createCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG
+E
+Cbodybody 
*3
+1#/definitions/io.k8s.api.core.v1.PersistentVolumeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jö

+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+I
+201B
+@
+Created5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+J
+202C
+A
+Accepted5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jR
+x-kubernetes-group-version-kind/-version: v1
+group: ""
+kind: PersistentVolume
+*Ò,
+core_v1%delete collection of PersistentVolume*&deleteCoreV1CollectionPersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ê
+/apis/apps/º·
+appsget information of a group*getAppsAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps¿(
+0/apis/batch/v1/watch/namespaces/{namespace}/jobsŠ(œ
+batch_v1owatch individual changes to a list of Job. deprecated: use the 'watch' parameter with a list operation instead.*watchBatchV1NamespacedJobList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

á*
+F/apis/coordination.k8s.io/v1beta1/namespaces/{namespace}/leases/{name}–*Ž
+coordination_v1beta1read the specified Lease*&readCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.coordination.v1beta1.Lease
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+ç
+coordination_v1beta1replace the specified Lease*)replaceCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.coordination.v1beta1.LeaseBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.coordination.v1beta1.Lease
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.coordination.v1beta1.Lease
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+*¡
+coordination_v1beta1delete a Lease*(deleteCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+j 
+x-kubernetes-action	delete
+B�
+coordination_v1beta1$partially update the specified Lease*'patchCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.coordination.v1beta1.Lease
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+j
+x-kubernetes-actionpatch
+J2
+0.",
pathname of the Lease"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ê&
+/api/v1/endpointsÔ&È
+core_v1'list or watch objects of kind Endpoints*#listCoreV1EndpointsForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.EndpointsList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

×&
+/api/v1/eventsÄ&¸
+core_v1#list or watch objects of kind Event*listCoreV1EventForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.EventList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jG
+x-kubernetes-group-version-kind$"group: ""
+kind: Event
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‹)
+P/apis/admissionregistration.k8s.io/v1beta1/watch/validatingwebhookconfigurations¶(ª
+admissionregistration_v1beta1Š
watch individual changes to a list of ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*CwatchAdmissionregistrationV1beta1ValidatingWebhookConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j
+x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ˆ)
+5/apis/policy/v1beta1/watch/podsecuritypolicies/{name}Î(‚
+policy_v1beta1¸
watch changes to an object of kind PodSecurityPolicy. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*#watchPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j\
+x-kubernetes-group-version-kind97group: policy
+kind: PodSecurityPolicy
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J>
+<:"8
pathname of the PodSecurityPolicy"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ì
+/apis/apiextensions.k8s.io/ÌÉ
+
apiextensionsget information of a group*getApiextensionsAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps„
+8/apis/batch/v1/namespaces/{namespace}/jobs/{name}/statusÇß
+batch_v1 read status of the specified Job*readBatchV1NamespacedJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+œ
+batch_v1#replace status of the specified Job*!replaceBatchV1NamespacedJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B;
+9
+7bodybody 
*'
+%#/definitions/io.k8s.api.batch.v1.JobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J’

+=
+2016
+4
+Created)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+
+401
+
+Unauthorized
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.batch.v1.JobRhttpsj
+x-kubernetes-actionput
+jH
+x-kubernetes-group-version-kind%#kind: Job
+version: v1
+group: batch
+BÞ
+batch_v1,partially update status of the specified Job*patchBatchV1NamespacedJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+J0
+.,"*
pathname of the Job"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ü
+T/apis/flowcontrol.apiserver.k8s.io/v1beta1/prioritylevelconfigurations/{name}/status£€
+flowcontrolApiserver_v1beta17read status of the specified PriorityLevelConfiguration*?readFlowcontrolApiserverV1beta1PriorityLevelConfigurationStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+�
+
+flowcontrolApiserver_v1beta1:replace status of the specified PriorityLevelConfiguration*BreplaceFlowcontrolApiserverV1beta1PriorityLevelConfigurationStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B]
+[
+Ybodybody 
*I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÖ

+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+_
+201X
+V
+CreatedK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j{
+x-kubernetes-group-version-kindXVversion: v1beta1
+group: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+Bÿ
+flowcontrolApiserver_v1beta1Cpartially update status of the specified PriorityLevelConfiguration*@patchFlowcontrolApiserverV1beta1PriorityLevelConfigurationStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+JG
+EC"A
path&name of the PriorityLevelConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

�(
+*/apis/policy/v1/watch/poddisruptionbudgetsá'Õ
+	policy_v1watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.*4watchPolicyV1PodDisruptionBudgetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ò)
+:/api/v1/watch/namespaces/{namespace}/resourcequotas/{name}“)é
+core_v1´
watch changes to an object of kind ResourceQuota. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsjO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J:
+86"4
pathname of the ResourceQuota"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¯)
+3/api/v1/watch/namespaces/{namespace}/secrets/{name}÷(Ô
+core_v1­
watch changes to an object of kind Secret. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jH
+x-kubernetes-group-version-kind%#group: ""
+kind: Secret
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J3
+1/"-
pathname of the Secret"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Í
+/apis/batch/¼¹
+batchget information of a group*getBatchAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps‡*
+A/apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}Á)ú
+coordination_v1read the specified Lease*!readCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.coordination.v1.Lease
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+É
+coordination_v1replace the specified Lease*$replaceCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.coordination.v1.LeaseBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¤

+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.coordination.v1.Lease
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.coordination.v1.Lease
+
+401
+
+UnauthorizedRhttpsjX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+j
+x-kubernetes-actionput
+*’
+coordination_v1delete a Lease*#deleteCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+Bù
+coordination_v1$partially update the specified Lease*"patchCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.coordination.v1.Lease
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+J2
+0.",
pathname of the Lease"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

–*
+//apis/policy/v1beta1/podsecuritypolicies/{name}â)•
+policy_v1beta1$read the specified PodSecurityPolicy*"readPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j\
+x-kubernetes-group-version-kind97group: policy
+kind: PodSecurityPolicy
+version: v1beta1
+ú
+policy_v1beta1'replace the specified PodSecurityPolicy*%replacePolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO
+M
+Kbodybody 
*;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicyBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jº

+Q
+201J
+H
+Created=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicyRhttpsj
+x-kubernetes-actionput
+j\
+x-kubernetes-group-version-kind97version: v1beta1
+group: policy
+kind: PodSecurityPolicy
+*¢
+policy_v1beta1delete a PodSecurityPolicy*$deletePolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j\
+x-kubernetes-group-version-kind97group: policy
+kind: PodSecurityPolicy
+version: v1beta1
+B”
+policy_v1beta10partially update the specified PodSecurityPolicy*#patchPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+
+401
+
+UnauthorizedRhttpsj\
+x-kubernetes-group-version-kind97group: policy
+kind: PodSecurityPolicy
+version: v1beta1
+j
+x-kubernetes-actionpatch
+J>
+<:"8
pathname of the PodSecurityPolicy"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ú)
+B/api/v1/watch/namespaces/{namespace}/persistentvolumeclaims/{name}³)�
+core_v1¼
watch changes to an object of kind PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JB
+@>"<
path!name of the PersistentVolumeClaim"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

 )
+6/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}å(ã
+apps_v1read the specified DaemonSet*readAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+ª
+apps_v1replace the specified DaemonSet* replaceAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.apps.v1.DaemonSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jœ

+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+*ÿ
+apps_v1delete a DaemonSet*deleteAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+j 
+x-kubernetes-action	delete
+Bâ
+apps_v1(partially update the specified DaemonSet*patchAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+j
+x-kubernetes-actionpatch
+J6
+42"0
pathname of the DaemonSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¨*
+Q/apis/autoscaling/v1/watch/namespaces/{namespace}/horizontalpodautoscalers/{name}Ò)ž
+autoscaling_v1¾
watch changes to an object of kind HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*3watchAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‚-
+P/apis/autoscaling/v2beta1/namespaces/{namespace}/horizontalpodautoscalers/{name}­,Ë
+autoscaling_v2beta1*read the specified HorizontalPodAutoscaler*7readAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jr
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jg
+x-kubernetes-group-version-kindDBversion: v2beta1
+group: autoscaling
+kind: HorizontalPodAutoscaler
+Æ	
+autoscaling_v2beta1-replace the specified HorizontalPodAutoscaler*:replaceAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ
+X
+Vbodybody 
*F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÐ

+\
+201U
+S
+CreatedH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+
+401
+
+Unauthorized
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerRhttpsj
+x-kubernetes-actionput
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+*Í
+autoscaling_v2beta1 delete a HorizontalPodAutoscaler*9deleteAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+j 
+x-kubernetes-action	delete
+BÊ
+autoscaling_v2beta16partially update the specified HorizontalPodAutoscaler*8patchAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jr
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsjg
+x-kubernetes-group-version-kindDBkind: HorizontalPodAutoscaler
+version: v2beta1
+group: autoscaling
+j
+x-kubernetes-actionpatch
+JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

È)
+A/apis/events.k8s.io/v1/watch/namespaces/{namespace}/events/{name}‚)à
+	events_v1¬
watch changes to an object of kind Event. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J2
+0.",
pathname of the Event"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

÷'
+,/apis/storage.k8s.io/v1/watch/storageclassesÆ'º
+
+storage_v1xwatch individual changes to a list of StorageClass. deprecated: use the 'watch' parameter with a list operation instead.*watchStorageV1StorageClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

²
+ /api/v1/namespaces/{name}/status�ç
+core_v1&read status of the specified Namespace*readCoreV1NamespaceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jK
+x-kubernetes-group-version-kind(&version: v1
+group: ""
+kind: Namespace
+®
+core_v1)replace status of the specified Namespace*replaceCoreV1NamespaceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.core.v1.NamespaceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jœ

+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+j
+x-kubernetes-actionput
+Bæ
+core_v12partially update status of the specified Namespace*patchCoreV1NamespaceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jK
+x-kubernetes-group-version-kind(&version: v1
+group: ""
+kind: Namespace
+J6
+42"0
pathname of the Namespace"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ó&
+/apis/apps/v1/daemonsetsÖ&Ê
+apps_v1'list or watch objects of kind DaemonSet*#listAppsV1DaemonSetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.apps.v1.DaemonSetList
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ë)
+=/apis/apps/v1/watch/namespaces/{namespace}/replicasets/{name}‰)â
+apps_v1±
watch changes to an object of kind ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J7
+53"1
pathname of the ReplicaSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ó]
+3/apis/batch/v1beta1/namespaces/{namespace}/cronjobs›]Œ&
+
batch_v1beta1%list or watch objects of kind CronJob*!listBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.batch.v1beta1.CronJobList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+"þ
+
batch_v1beta1create a CronJob*#createBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jí

+G
+202@
+>
+Accepted2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+
+401
+
+Unauthorized
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJobRhttpsj
+x-kubernetes-actionpost
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+*Õ,
+
batch_v1beta1delete collection of CronJob*-deleteBatchV1beta1CollectionNamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj*
+x-kubernetes-actiondeletecollection
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ç
+/apis/events.k8s.io/v1/ËÈ
+	events_v1get available resources*getEventsV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsþ]
+//apis/scheduling.k8s.io/v1beta1/priorityclassesÊ]µ&
+scheduling_v1beta1+list or watch objects of kind PriorityClass*"listSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClassList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jc
+x-kubernetes-group-version-kind@>version: v1beta1
+group: scheduling.k8s.io
+kind: PriorityClass
+"È	
+scheduling_v1beta1create a PriorityClass*$createSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO
+M
+Kbodybody 
*;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JŽ
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass
+Q
+201J
+H
+Created=
+;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jc
+x-kubernetes-group-version-kind@>group: scheduling.k8s.io
+kind: PriorityClass
+version: v1beta1
+*ó,
+scheduling_v1beta1"delete collection of PriorityClass*.deleteSchedulingV1beta1CollectionPriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jc
+x-kubernetes-group-version-kind@>version: v1beta1
+group: scheduling.k8s.io
+kind: PriorityClass
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ë&
+/api/v1/configmapsÔ&È
+core_v1'list or watch objects of kind ConfigMap*#listCoreV1ConfigMapForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ConfigMapList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: ConfigMap
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ÿ
+
+2/api/v1/namespaces/{namespace}/pods/{name}/bindingÈ
+"¢
+core_v1create binding of a Pod* createCoreV1NamespacedPodBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B>
+<
+:bodybody 
**
+(#/definitions/io.k8s.api.core.v1.BindingJÛ

+
+401
+
+Unauthorized
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Binding
+@
+2019
+7
+Created,
+*
+(#/definitions/io.k8s.api.core.v1.Binding
+A
+202:
+8
+Accepted,
+*
+(#/definitions/io.k8s.api.core.v1.BindingRhttpsjI
+x-kubernetes-group-version-kind&$group: ""
+kind: Binding
+version: v1
+j
+x-kubernetes-actionpost
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J4
+20".
pathname of the Binding"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

é
+W/apis/autoscaling/v2beta1/namespaces/{namespace}/horizontalpodautoscalers/{name}/status�Û
+autoscaling_v2beta14read status of the specified HorizontalPodAutoscaler*=readAutoscalingV2beta1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jr
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsjg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+j
+x-kubernetes-actionget
+Ö	
+autoscaling_v2beta17replace status of the specified HorizontalPodAutoscaler*@replaceAutoscalingV2beta1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ
+X
+Vbodybody 
*F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÐ

+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+\
+201U
+S
+CreatedH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+BÚ
+autoscaling_v2beta1@partially update status of the specified HorizontalPodAutoscaler*>patchAutoscalingV2beta1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jr
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsjg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+j
+x-kubernetes-actionpatch
+JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ç'
+-/apis/discovery.k8s.io/v1beta1/endpointslices•'‰
+discovery_v1beta1+list or watch objects of kind EndpointSlice*1listDiscoveryV1beta1EndpointSliceForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jj
+O
+200H
+F
+OK@
+>
+<#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceList
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=kind: EndpointSlice
+version: v1beta1
+group: discovery.k8s.io
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ý

+/openid/v1/jwks/è
å

+openid\get service account issuer OpenID JSON Web Key Set (contains public token verification keys)*#getServiceAccountIssuerOpenIDKeyset2application/jwk-set+jsonJ7
+
+401
+
+Unauthorized
+
+200
+
+OK
+²

+stringRhttpsþ)
+R/apis/admissionregistration.k8s.io/v1/watch/validatingwebhookconfigurations/{name}§)Î
+admissionregistration_v1Å
watch changes to an object of kind ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*:watchAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjz
+x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JK
+IG"E
path*name of the ValidatingWebhookConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

·
+;/apis/authorization.k8s.io/v1beta1/selfsubjectaccessreviews÷
+"é
+authorization_v1beta1 create a SelfSubjectAccessReview*1createAuthorizationV1beta1SelfSubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B\
+Z
+Xbodybody 
*H
+F#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReviewJµ
+_
+202X
+V
+AcceptedJ
+H
+F#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReview
+
+401
+
+Unauthorized
+Y
+200R
+P
+OKJ
+H
+F#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReview
+^
+201W
+U
+CreatedJ
+H
+F#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReviewRhttpsj
+x-kubernetes-actionpost
+jp
+x-kubernetes-group-version-kindMKgroup: authorization.k8s.io
+kind: SelfSubjectAccessReview
+version: v1beta1
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ï(
+4/apis/batch/v1/watch/namespaces/{namespace}/cronjobs–(¨
+batch_v1swatch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.*!watchBatchV1NamespacedCronJobList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

À)
+;/apis/batch/v1/watch/namespaces/{namespace}/cronjobs/{name}€)Ü
+batch_v1®
watch changes to an object of kind CronJob. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J4
+20".
pathname of the CronJob"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ž^
+8/apis/apps/v1/namespaces/{namespace}/controllerrevisionsá] &
+apps_v10list or watch objects of kind ControllerRevision*&listAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Je
+
+401
+
+Unauthorized
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.apps.v1.ControllerRevisionListRhttpsj
+x-kubernetes-actionlist
+jV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+"¡	
+apps_v1create a ControllerRevision*(createAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevisionBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jü

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevision
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevision
+L
+202E
+C
+Accepted7
+5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevision
+
+401
+
+UnauthorizedRhttpsjV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+j
+x-kubernetes-actionpost
+*ä,
+apps_v1'delete collection of ControllerRevision*2deleteAppsV1CollectionNamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jV
+x-kubernetes-group-version-kind31group: apps
+kind: ControllerRevision
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ü'
+-/apis/autoscaling/v1/horizontalpodautoscalersª'ž
+autoscaling_v15list or watch objects of kind HorizontalPodAutoscaler*8listAutoscalingV1HorizontalPodAutoscalerForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jq
+V
+200O
+M
+OKG
+E
+C#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=version: v1
+group: autoscaling
+kind: HorizontalPodAutoscaler
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ü
+D/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/{name}/status³À
+flowcontrolApiserver_v1beta1'read status of the specified FlowSchema*/readFlowcontrolApiserverV1beta1FlowSchemaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+
+401
+
+UnauthorizedRhttpsjk
+x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io
+kind: FlowSchema
+version: v1beta1
+j
+x-kubernetes-actionget
+¡	
+flowcontrolApiserver_v1beta1*replace status of the specified FlowSchema*2replaceFlowcontrolApiserverV1beta1FlowSchemaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BM
+K
+Ibodybody 
*9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¶

+O
+201H
+F
+Created;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+
+401
+
+Unauthorized
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaRhttpsjk
+x-kubernetes-group-version-kindHFkind: FlowSchema
+version: v1beta1
+group: flowcontrol.apiserver.k8s.io
+j
+x-kubernetes-actionput
+B¿
+flowcontrolApiserver_v1beta13partially update status of the specified FlowSchema*0patchFlowcontrolApiserverV1beta1FlowSchemaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jk
+x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io
+kind: FlowSchema
+version: v1beta1
+J7
+53"1
pathname of the FlowSchema"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

­
+1/api/v1/namespaces/{namespace}/pods/{name}/attach÷–
+core_v1%connect GET requests to attach of Pod*#connectCoreV1GetNamespacedPodAttach2*/*:*/*J7
+
+401
+
+Unauthorized
+
+200
+
+OK
+²

+stringRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: PodAttachOptions
+version: v1
+"˜
+core_v1&connect POST requests to attach of Pod*$connectCoreV1PostNamespacedPodAttach2*/*:*/*J7
+
+401
+
+Unauthorized
+
+200
+
+OK
+²

+stringRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: PodAttachOptions
+version: v1
+Jœ

+™
–
“
querytThe container in which to execute the command. Defaults to only container if there is only one container in the pod."	container2string 

J=
+;9"7
pathname of the PodAttachOptions"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

Jƒ

+€
~|query_Stderr if true indicates that stderr is to be redirected for the attach call. Defaults to true."stderr2boolean 

J�

+}{query_Stdin if true, redirects the standard input stream of the pod for this call. Defaults to false."stdin2boolean 

Jƒ

+€
~|query_Stdout if true indicates that stdout is to be redirected for the attach call. Defaults to true."stdout2boolean 

Jð

+í
ê
ç
queryÌ
TTY if true indicates that a tty will be allocated for the attach call. This is passed through the container runtime so the tty is allocated on the worker node by the container runtime. Defaults to false."tty2boolean 

á&
+/api/v1/servicesÌ&À
+core_v1%list or watch objects of kind Service*!listCoreV1ServiceForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.core.v1.ServiceList
+
+401
+
+UnauthorizedRhttpsjI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ü
+/apis/extensions/ÆÃ
+
+extensionsget information of a group*getExtensionsAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsâ]
+(/apis/policy/v1beta1/podsecuritypoliciesµ]®&
+policy_v1beta1/list or watch objects of kind PodSecurityPolicy*"listPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicyList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j\
+x-kubernetes-group-version-kind97version: v1beta1
+group: policy
+kind: PodSecurityPolicy
+"Á	
+policy_v1beta1create a PodSecurityPolicy*$createPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO
+M
+Kbodybody 
*;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicyBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JŽ
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+Q
+201J
+H
+Created=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j\
+x-kubernetes-group-version-kind97version: v1beta1
+group: policy
+kind: PodSecurityPolicy
+*ì,
+policy_v1beta1&delete collection of PodSecurityPolicy*.deletePolicyV1beta1CollectionPodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j\
+x-kubernetes-group-version-kind97group: policy
+kind: PodSecurityPolicy
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

È)
+4/api/v1/namespaces/{namespace}/resourcequotas/{name}�)ñ
+core_v1 read the specified ResourceQuota*!readCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jO
+x-kubernetes-group-version-kind,*version: v1
+group: ""
+kind: ResourceQuota
+À
+core_v1#replace the specified ResourceQuota*$replaceCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.core.v1.ResourceQuotaBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¤

+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+*ó
+core_v1delete a ResourceQuota*#deleteCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J¥

+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+G
+202@
+>
+Accepted2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+Bð
+core_v1,partially update the specified ResourceQuota*"patchCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J\
+
+401
+
+Unauthorized
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuotaRhttpsj
+x-kubernetes-actionpatch
+jO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+J:
+86"4
pathname of the ResourceQuota"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¿.
+Q/apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurations/{name}é-�
+admissionregistration_v1beta11read the specified ValidatingWebhookConfiguration*>readAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jƒ

+h
+200a
+_
+OKY
+W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j
+x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1beta1
+©
+
+admissionregistration_v1beta14replace the specified ValidatingWebhookConfiguration*AreplaceAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bk
+i
+gbodybody 
*W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jò

+
+401
+
+Unauthorized
+h
+200a
+_
+OKY
+W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration
+m
+201f
+d
+CreatedY
+W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationRhttpsj
+x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1beta1
+j
+x-kubernetes-actionput
+*ý
+admissionregistration_v1beta1'delete a ValidatingWebhookConfiguration*@deleteAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j
+x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1beta1
+BŒ
+admissionregistration_v1beta1=partially update the specified ValidatingWebhookConfiguration*?patchAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jƒ

+h
+200a
+_
+OKY
+W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j
+x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1beta1
+JK
+IG"E
path*name of the ValidatingWebhookConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¸(
+</apis/flowcontrol.apiserver.k8s.io/v1beta1/watch/flowschemas÷'ë
+flowcontrolApiserver_v1beta1vwatch individual changes to a list of FlowSchema. deprecated: use the 'watch' parameter with a list operation instead.*.watchFlowcontrolApiserverV1beta1FlowSchemaList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jk
+x-kubernetes-group-version-kindHFkind: FlowSchema
+version: v1beta1
+group: flowcontrol.apiserver.k8s.io
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

õ(
+5/apis/node.k8s.io/v1beta1/watch/runtimeclasses/{name}»(ô
+node_v1beta1³
watch changes to an object of kind RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J9
+75"3
pathname of the RuntimeClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Á'
+//apis/rbac.authorization.k8s.io/v1/rolebindings�'�
+rbacAuthorization_v1)list or watch objects of kind RoleBinding*2listRbacAuthorizationV1RoleBindingForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.rbac.v1.RoleBindingList
+
+401
+
+UnauthorizedRhttpsjd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

µ*
+6/apis/scheduling.k8s.io/v1beta1/priorityclasses/{name}ú)œ
+scheduling_v1beta1 read the specified PriorityClass*"readSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: scheduling.k8s.io
+kind: PriorityClass
+version: v1beta1
+j
+x-kubernetes-actionget
+�	
+scheduling_v1beta1#replace the specified PriorityClass*%replaceSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO
+M
+Kbodybody 
*;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jº

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass
+Q
+201J
+H
+Created=
+;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jc
+x-kubernetes-group-version-kind@>group: scheduling.k8s.io
+kind: PriorityClass
+version: v1beta1
+*©
+scheduling_v1beta1delete a PriorityClass*$deleteSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: scheduling.k8s.io
+kind: PriorityClass
+version: v1beta1
+j 
+x-kubernetes-action	delete
+B›
+scheduling_v1beta1,partially update the specified PriorityClass*#patchSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: scheduling.k8s.io
+kind: PriorityClass
+version: v1beta1
+j
+x-kubernetes-actionpatch
+J:
+86"4
pathname of the PriorityClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

³)
+7/apis/apps/v1/namespaces/{namespace}/deployments/{name}÷(ç
+apps_v1read the specified Deployment*readAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: Deployment
+version: v1
+°
+apps_v1 replace the specified Deployment*!replaceAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.apps.v1.DeploymentBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jž

+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+
+401
+
+Unauthorized
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.DeploymentRhttpsj
+x-kubernetes-actionput
+jN
+x-kubernetes-group-version-kind+)kind: Deployment
+version: v1
+group: apps
+*‚
+apps_v1delete a Deployment* deleteAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)version: v1
+group: apps
+kind: Deployment
+j 
+x-kubernetes-action	delete
+Bæ
+apps_v1)partially update the specified Deployment*patchAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)group: apps
+kind: Deployment
+version: v1
+j
+x-kubernetes-actionpatch
+J7
+53"1
pathname of the Deployment"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ù
+/apis/certificates.k8s.io/v1/×Ô
+certificates_v1get available resources*getCertificatesV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsé
+/apis/coordination.k8s.io/ÊÇ
+coordinationget information of a group*getCoordinationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps´'
+*/apis/networking.k8s.io/v1/networkpolicies…'ù
+
networking_v1+list or watch objects of kind NetworkPolicy*-listNetworkingV1NetworkPolicyForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jf
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.networking.v1.NetworkPolicyList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j^
+x-kubernetes-group-version-kind;9group: networking.k8s.io
+kind: NetworkPolicy
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Â]
++/apis/storage.k8s.io/v1beta1/storageclasses’]¥&
+storage_v1beta1*list or watch objects of kind StorageClass*listStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.StorageClassListRhttpsj_
+x-kubernetes-group-version-kind<:group: storage.k8s.io
+kind: StorageClass
+version: v1beta1
+j
+x-kubernetes-actionlist
+"¬	
+storage_v1beta1create a StorageClass* createStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BK
+I
+Gbodybody 
*7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J‚
+N
+202G
+E
+Accepted9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+
+401
+
+Unauthorized
+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+M
+201F
+D
+Created9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClassRhttpsj
+x-kubernetes-actionpost
+j_
+x-kubernetes-group-version-kind<:version: v1beta1
+group: storage.k8s.io
+kind: StorageClass
+*ç,
+storage_v1beta1!delete collection of StorageClass**deleteStorageV1beta1CollectionStorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j_
+x-kubernetes-group-version-kind<:group: storage.k8s.io
+kind: StorageClass
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ü'
+/api/v1/watch/limitranges¾'²
+core_v1vwatch individual changes to a list of LimitRange. deprecated: use the 'watch' parameter with a list operation instead.*)watchCoreV1LimitRangeListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjL
+x-kubernetes-group-version-kind)'version: v1
+group: ""
+kind: LimitRange
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Û(
+3/api/v1/watch/namespaces/{namespace}/resourcequotas£(µ
+core_v1ywatch individual changes to a list of ResourceQuota. deprecated: use the 'watch' parameter with a list operation instead.*&watchCoreV1NamespacedResourceQuotaList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*kind: ResourceQuota
+version: v1
+group: ""
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ê*
+F/apis/discovery.k8s.io/v1/namespaces/{namespace}/endpointslices/{name}Ÿ*Ž
+discovery_v1 read the specified EndpointSlice*&readDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSlice
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+ç
+discovery_v1#replace the specified EndpointSlice*)replaceDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSliceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J®

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSlice
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSlice
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+*¢
+discovery_v1delete an EndpointSlice*(deleteDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+B�
+discovery_v1,partially update the specified EndpointSlice*'patchDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSlice
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+j
+x-kubernetes-actionpatch
+J:
+86"4
pathname of the EndpointSlice"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ú'
+(/apis/events.k8s.io/v1beta1/watch/eventsÍ'Á
+events_v1beta1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*+watchEventsV1beta1EventListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

©
+5/api/v1/namespaces/{namespace}/services/{name}/statusïé
+core_v1$read status of the specified Service*!readCoreV1NamespacedServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JV
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+¬
+core_v1'replace status of the specified Service*$replaceCoreV1NamespacedServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B>
+<
+:bodybody 
**
+(#/definitions/io.k8s.api.core.v1.ServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J˜

+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+@
+2019
+7
+Created,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+Bè
+core_v10partially update status of the specified Service*"patchCoreV1NamespacedServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JV
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Service
+
+401
+
+UnauthorizedRhttpsjI
+x-kubernetes-group-version-kind&$group: ""
+kind: Service
+version: v1
+j
+x-kubernetes-actionpatch
+J4
+20".
pathname of the Service"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ã-
+L/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/{name}’-ø
+admissionregistration_v11read the specified ValidatingWebhookConfiguration*9readAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J~
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jz
+x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1
+‹
+
+admissionregistration_v14replace the specified ValidatingWebhookConfiguration*<replaceAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bf
+d
+bbodybody 
*R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jè

+
+401
+
+Unauthorized
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration
+h
+201a
+_
+CreatedT
+R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationRhttpsj
+x-kubernetes-actionput
+jz
+x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1
+*î
+admissionregistration_v1'delete a ValidatingWebhookConfiguration*;deleteAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj 
+x-kubernetes-action	delete
+jz
+x-kubernetes-group-version-kindWUkind: ValidatingWebhookConfiguration
+version: v1
+group: admissionregistration.k8s.io
+B÷
+admissionregistration_v1=partially update the specified ValidatingWebhookConfiguration*:patchAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J~
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsjz
+x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1
+j
+x-kubernetes-actionpatch
+JK
+IG"E
path*name of the ValidatingWebhookConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

®'
+(/apis/coordination.k8s.io/v1beta1/leases�'õ
+coordination_v1beta1#list or watch objects of kind Lease*,listCoordinationV1beta1LeaseForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.coordination.v1beta1.LeaseList
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8kind: Lease
+version: v1beta1
+group: coordination.k8s.io
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ü)
+L/apis/discovery.k8s.io/v1/watch/namespaces/{namespace}/endpointslices/{name}«)�
+discovery_v1´
watch changes to an object of kind EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*'watchDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J:
+86"4
pathname of the EndpointSlice"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ñ]
+;/apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses±]“&
+
networking_v1%list or watch objects of kind Ingress*!listNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.networking.v1.IngressList
+
+401
+
+UnauthorizedRhttpsjX
+x-kubernetes-group-version-kind53kind: Ingress
+version: v1
+group: networking.k8s.io
+j
+x-kubernetes-actionlist
+"†	
+
networking_v1create an Ingress*#createNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.networking.v1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jí

+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+G
+202@
+>
+Accepted2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jX
+x-kubernetes-group-version-kind53group: networking.k8s.io
+kind: Ingress
+version: v1
+*Ü,
+
networking_v1delete collection of Ingress*-deleteNetworkingV1CollectionNamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jX
+x-kubernetes-group-version-kind53group: networking.k8s.io
+kind: Ingress
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ú)
+B/api/v1/watch/namespaces/{namespace}/replicationcontrollers/{name}³)�
+core_v1¼
watch changes to an object of kind ReplicationController. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj
+x-kubernetes-actionwatch
+jW
+x-kubernetes-group-version-kind42version: v1
+group: ""
+kind: ReplicationController
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JB
+@>"<
path!name of the ReplicationController"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

·'
+-/apis/rbac.authorization.k8s.io/v1beta1/roles…'ù
+rbacAuthorization_v1beta1"list or watch objects of kind Role*0listRbacAuthorizationV1beta1RoleForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.rbac.v1beta1.RoleList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

�`
+I/apis/autoscaling/v2beta1/namespaces/{namespace}/horizontalpodautoscalersÏ_ä&
+autoscaling_v2beta15list or watch objects of kind HorizontalPodAutoscaler*7listAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jv
+[
+200T
+R
+OKL
+J
+H#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jg
+x-kubernetes-group-version-kindDBversion: v2beta1
+group: autoscaling
+kind: HorizontalPodAutoscaler
+"˜
+
+autoscaling_v2beta1 create a HorizontalPodAutoscaler*9createAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ
+X
+Vbodybody 
*F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¯
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+\
+201U
+S
+CreatedH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+]
+202V
+T
+AcceptedH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+*—-
+autoscaling_v2beta1,delete collection of HorizontalPodAutoscaler*CdeleteAutoscalingV2beta1CollectionNamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jg
+x-kubernetes-group-version-kindDBversion: v2beta1
+group: autoscaling
+kind: HorizontalPodAutoscaler
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ó
+/apis/networking.k8s.io/v1/ÓÐ
+
networking_v1get available resources*getNetworkingV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps¢_
+K/apis/rbac.authorization.k8s.io/v1beta1/namespaces/{namespace}/rolebindingsÒ^Ç&
+rbacAuthorization_v1beta1)list or watch objects of kind RoleBinding*1listRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jc
+H
+200A
+?
+OK9
+7
+5#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1beta1
+"Â	
+rbacAuthorization_v1beta1create a RoleBinding*3createRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG
+E
+Cbodybody 
*3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jö

+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding
+I
+201B
+@
+Created5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding
+J
+202C
+A
+Accepted5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+ji
+x-kubernetes-group-version-kindFDversion: v1beta1
+group: rbac.authorization.k8s.io
+kind: RoleBinding
+*�-
+rbacAuthorization_v1beta1 delete collection of RoleBinding*=deleteRbacAuthorizationV1beta1CollectionNamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+ji
+x-kubernetes-group-version-kindFDkind: RoleBinding
+version: v1beta1
+group: rbac.authorization.k8s.io
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‘
+%/apis/apiregistration.k8s.io/v1beta1/çä
+apiregistration_v1beta1get available resources*%getApiregistrationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsÓ(
+5/apis/apps/v1/watch/namespaces/{namespace}/daemonsets™(«
+apps_v1uwatch individual changes to a list of DaemonSet. deprecated: use the 'watch' parameter with a list operation instead.*"watchAppsV1NamespacedDaemonSetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

×(
+6/apis/apps/v1/watch/namespaces/{namespace}/deploymentsœ(®
+apps_v1vwatch individual changes to a list of Deployment. deprecated: use the 'watch' parameter with a list operation instead.*#watchAppsV1NamespacedDeploymentList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)group: apps
+kind: Deployment
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ž
+R/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers/{name}/statusÇÇ
+autoscaling_v14read status of the specified HorizontalPodAutoscaler*8readAutoscalingV1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=kind: HorizontalPodAutoscaler
+version: v1
+group: autoscaling
+j
+x-kubernetes-actionget
+¸	
+autoscaling_v17replace status of the specified HorizontalPodAutoscaler*;replaceAutoscalingV1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BU
+S
+Qbodybody 
*A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÆ

+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+W
+201P
+N
+CreatedC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jb
+x-kubernetes-group-version-kind?=version: v1
+group: autoscaling
+kind: HorizontalPodAutoscaler
+BÆ
+autoscaling_v1@partially update status of the specified HorizontalPodAutoscaler*9patchAutoscalingV1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

À]
+//apis/rbac.authorization.k8s.io/v1/clusterrolesŒ]©&
+rbacAuthorization_v1)list or watch objects of kind ClusterRole*"listRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.rbac.v1.ClusterRoleList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1
+"•	
+rbacAuthorization_v1create a ClusterRole*$createRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRoleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jç

+E
+202>
+<
+Accepted0
+.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRole
+
+401
+
+Unauthorized
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRole
+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRoleRhttpsj
+x-kubernetes-actionpost
+jd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1
+*ô,
+rbacAuthorization_v1 delete collection of ClusterRole*.deleteRbacAuthorizationV1CollectionClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjd
+x-kubernetes-group-version-kindA?version: v1
+group: rbac.authorization.k8s.io
+kind: ClusterRole
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

³)
+7/apis/apps/v1/namespaces/{namespace}/replicasets/{name}÷(ç
+apps_v1read the specified ReplicaSet*readAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY
+
+401
+
+Unauthorized
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSetRhttpsj
+x-kubernetes-actionget
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+°
+apps_v1 replace the specified ReplicaSet*!replaceAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.apps.v1.ReplicaSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jž

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jN
+x-kubernetes-group-version-kind+)kind: ReplicaSet
+version: v1
+group: apps
+*‚
+apps_v1delete a ReplicaSet* deleteAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+j 
+x-kubernetes-action	delete
+Bæ
+apps_v1)partially update the specified ReplicaSet*patchAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+J7
+53"1
pathname of the ReplicaSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‡'
+/apis/batch/v1beta1/cronjobsæ&Ú
+
batch_v1beta1%list or watch objects of kind CronJob*'listBatchV1beta1CronJobForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J`
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.batch.v1beta1.CronJobList
+
+401
+
+UnauthorizedRhttpsjQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

£*
+5/apis/networking.k8s.io/v1beta1/ingressclasses/{name}é)˜
+networking_v1beta1read the specified IngressClass*!readNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jf
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jb
+x-kubernetes-group-version-kind?=group: networking.k8s.io
+kind: IngressClass
+version: v1beta1
+û
+networking_v1beta1"replace the specified IngressClass*$replaceNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¸

+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClass
+P
+201I
+G
+Created<
+:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jb
+x-kubernetes-group-version-kind?=group: networking.k8s.io
+kind: IngressClass
+version: v1beta1
+*§
+networking_v1beta1delete an IngressClass*#deleteNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=group: networking.k8s.io
+kind: IngressClass
+version: v1beta1
+j 
+x-kubernetes-action	delete
+B—
+networking_v1beta1+partially update the specified IngressClass*"patchNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jf
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jb
+x-kubernetes-group-version-kind?=group: networking.k8s.io
+kind: IngressClass
+version: v1beta1
+J9
+75"3
pathname of the IngressClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ü+
+G/apis/policy/v1beta1/namespaces/{namespace}/poddisruptionbudgets/{name}�+§
+policy_v1beta1&read the specified PodDisruptionBudget*.readPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ji
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+�	
+policy_v1beta1)replace the specified PodDisruptionBudget*1replacePolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ
+O
+Mbodybody 
*=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¾

+
+401
+
+Unauthorized
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+S
+201L
+J
+Created?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetRhttpsj
+x-kubernetes-actionput
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+*²
+policy_v1beta1delete a PodDisruptionBudget*0deletePolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj 
+x-kubernetes-action	delete
+j^
+x-kubernetes-group-version-kind;9version: v1beta1
+group: policy
+kind: PodDisruptionBudget
+B¦
+policy_v1beta12partially update the specified PodDisruptionBudget*/patchPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ji
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+J@
+><":
pathname of the PodDisruptionBudget"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‹(
+1/apis/storage.k8s.io/v1beta1/watch/storageclassesÕ'É
+storage_v1beta1xwatch individual changes to a list of StorageClass. deprecated: use the 'watch' parameter with a list operation instead.*#watchStorageV1beta1StorageClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j_
+x-kubernetes-group-version-kind<:group: storage.k8s.io
+kind: StorageClass
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

û
+/apis/extensions/v1beta1/ÝÚ
+extensions_v1beta1get available resources* getExtensionsV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps½^
+6/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas‚^É&
+flowcontrolApiserver_v1beta1(list or watch objects of kind FlowSchema*)listFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ji
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jk
+x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io
+kind: FlowSchema
+version: v1beta1
+"Ö	
+flowcontrolApiserver_v1beta1create a FlowSchema*+createFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BM
+K
+Ibodybody 
*9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jˆ
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+O
+201H
+F
+Created;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+P
+202I
+G
+Accepted;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jk
+x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io
+kind: FlowSchema
+version: v1beta1
+*‰-
+flowcontrolApiserver_v1beta1delete collection of FlowSchema*5deleteFlowcontrolApiserverV1beta1CollectionFlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jk
+x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io
+kind: FlowSchema
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

˜
+(/apis/rbac.authorization.k8s.io/v1beta1/ëè
+rbacAuthorization_v1beta1get available resources*'getRbacAuthorizationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttps�(
+./apis/rbac.authorization.k8s.io/v1/watch/rolesÝ'Ñ
+rbacAuthorization_v1pwatch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.*0watchRbacAuthorizationV1RoleListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+j]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ý&
+/apis/apps/v1/statefulsetsÞ&Ò
+apps_v1)list or watch objects of kind StatefulSet*%listAppsV1StatefulSetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.apps.v1.StatefulSetList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

à
+/apis/discovery.k8s.io/ÄÁ
+	discoveryget information of a group*getDiscoveryAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps™)
+J/apis/discovery.k8s.io/v1beta1/watch/namespaces/{namespace}/endpointslicesÊ(Ü
+discovery_v1beta1ywatch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.*0watchDiscoveryV1beta1NamespacedEndpointSliceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jb
+x-kubernetes-group-version-kind?=group: discovery.k8s.io
+kind: EndpointSlice
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‹*
+B/apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses/{name}Ä)ú
+
networking_v1read the specified Ingress*!readNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+
+401
+
+UnauthorizedRhttpsjX
+x-kubernetes-group-version-kind53group: networking.k8s.io
+kind: Ingress
+version: v1
+j
+x-kubernetes-actionget
+É
+
networking_v1replace the specified Ingress*$replaceNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.networking.v1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¤

+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jX
+x-kubernetes-group-version-kind53group: networking.k8s.io
+kind: Ingress
+version: v1
+*“
+
networking_v1delete an Ingress*#deleteNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jX
+x-kubernetes-group-version-kind53version: v1
+group: networking.k8s.io
+kind: Ingress
+Bù
+
networking_v1&partially update the specified Ingress*"patchNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+
+401
+
+UnauthorizedRhttpsjX
+x-kubernetes-group-version-kind53kind: Ingress
+version: v1
+group: networking.k8s.io
+j
+x-kubernetes-actionpatch
+J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ô
+/api/v1/ÇÄ
+core_v1get available resources*getCoreV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps¦]
+0/apis/apps/v1/namespaces/{namespace}/replicasetsñ\€&
+apps_v1(list or watch objects of kind ReplicaSet*listAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J]
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.apps.v1.ReplicaSetList
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)kind: ReplicaSet
+version: v1
+group: apps
+j
+x-kubernetes-actionlist
+"é
+apps_v1create a ReplicaSet* createAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.apps.v1.ReplicaSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jä

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+D
+202=
+;
+Accepted/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)version: v1
+group: apps
+kind: ReplicaSet
+j
+x-kubernetes-actionpost
+*Ì,
+apps_v1delete collection of ReplicaSet**deleteAppsV1CollectionNamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)version: v1
+group: apps
+kind: ReplicaSet
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

â+
+>/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}Ÿ+À
+certificates_v1,read the specified CertificateSigningRequest*+readCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jp
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestRhttpsj
+x-kubernetes-actionget
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+·	
+certificates_v1/replace the specified CertificateSigningRequest*.replaceCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX
+V
+Tbodybody 
*D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÌ

+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+Z
+201S
+Q
+CreatedF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+*Ä
+certificates_v1"delete a CertificateSigningRequest*-deleteCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+B¿
+certificates_v18partially update the specified CertificateSigningRequest*,patchCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+JF
+DB"@
path%name of the CertificateSigningRequest"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

 ^
+9/apis/extensions/v1beta1/namespaces/{namespace}/ingressesâ] &
+extensions_v1beta1%list or watch objects of kind Ingress*&listExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.extensions.v1beta1.IngressList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+"¢	
+extensions_v1beta1create an Ingress*(createExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.extensions.v1beta1.IngressBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jü

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+L
+202E
+C
+Accepted7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+*ä,
+extensions_v1beta1delete collection of Ingress*2deleteExtensionsV1beta1CollectionNamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Þ(
+&/api/v1/watch/persistentvolumes/{name}³(è
+core_v1·
watch changes to an object of kind PersistentVolume. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj
+x-kubernetes-actionwatch
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J=
+;9"7
pathname of the PersistentVolume"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‰(
+$/api/v1/watch/replicationcontrollersà'Ô
+core_v1�
watch individual changes to a list of ReplicationController. deprecated: use the 'watch' parameter with a list operation instead.*4watchCoreV1ReplicationControllerListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ø&
+/apis/apps/v1/deploymentsÚ&Î
+apps_v1(list or watch objects of kind Deployment*$listAppsV1DeploymentForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J]
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.apps.v1.DeploymentList
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)version: v1
+group: apps
+kind: Deployment
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

é
+/apis/certificates.k8s.io/ÊÇ
+certificatesget information of a group*getCertificatesAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps„_
+7/apis/certificates.k8s.io/v1/certificatesigningrequestsÈ^Ù&
+certificates_v17list or watch objects of kind CertificateSigningRequest*+listCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jt
+Y
+200R
+P
+OKJ
+H
+F#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+"‡
+
+certificates_v1"create a CertificateSigningRequest*-createCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX
+V
+Tbodybody 
*D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J©
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+Z
+201S
+Q
+CreatedF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+[
+202T
+R
+AcceptedF
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jl
+x-kubernetes-group-version-kindIGkind: CertificateSigningRequest
+version: v1
+group: certificates.k8s.io
+*Ž-
+certificates_v1.delete collection of CertificateSigningRequest*7deleteCertificatesV1CollectionCertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ø(
+?/apis/extensions/v1beta1/watch/namespaces/{namespace}/ingresses´(Æ
+extensions_v1beta1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*+watchExtensionsV1beta1NamespacedIngressList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

à
+/apis/policy/v1/ËÈ
+	policy_v1get available resources*getPolicyV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsã
+/apis/scheduling.k8s.io/ÆÃ
+
+schedulingget information of a group*getSchedulingAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps³)
+Q/apis/rbac.authorization.k8s.io/v1beta1/watch/namespaces/{namespace}/rolebindingsÝ(ï
+rbacAuthorization_v1beta1wwatch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*6watchRbacAuthorizationV1beta1NamespacedRoleBindingList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

´
+4/api/v1/namespaces/{namespace}/services/{name}/proxyûŸ
+core_v1(connect GET requests to proxy of Service*&connectCoreV1GetNamespacedServiceProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+Ÿ
+core_v1(connect PUT requests to proxy of Service*&connectCoreV1PutNamespacedServiceProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20version: v1
+group: ""
+kind: ServiceProxyOptions
+"¡
+core_v1)connect POST requests to proxy of Service*'connectCoreV1PostNamespacedServiceProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+*¥
+core_v1+connect DELETE requests to proxy of Service*)connectCoreV1DeleteNamespacedServiceProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+2§
+core_v1,connect OPTIONS requests to proxy of Service**connectCoreV1OptionsNamespacedServiceProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+:¡
+core_v1)connect HEAD requests to proxy of Service*'connectCoreV1HeadNamespacedServiceProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjU
+x-kubernetes-group-version-kind20group: ""
+kind: ServiceProxyOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+B£
+core_v1*connect PATCH requests to proxy of Service*(connectCoreV1PatchNamespacedServiceProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjU
+x-kubernetes-group-version-kind20kind: ServiceProxyOptions
+version: v1
+group: ""
+j!
+x-kubernetes-action
+connect
+J@
+><":
pathname of the ServiceProxyOptions"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JÐ
+ÍÊÇquery¬Path is the part of URLs that include service endpoints, suffixes, and parameters to use for the current proxy request to service. For example, the whole request URL is http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. Path is _search?q=user:kimchy."path2string 

Ü'
+/apis/batch/v1/watch/cronjobsº'®
+batch_v1swatch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.*'watchBatchV1CronJobListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jL
+x-kubernetes-group-version-kind)'group: batch
+kind: CronJob
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

×
+/apis/events.k8s.io/¾»
+eventsget information of a group*getEventsAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttps…(
+(/apis/extensions/v1beta1/watch/ingressesØ'Ì
+extensions_v1beta1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*1watchExtensionsV1beta1IngressListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jV
+x-kubernetes-group-version-kind31group: extensions
+kind: Ingress
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

×^
+F/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindingsŒ^³&
+rbacAuthorization_v1)list or watch objects of kind RoleBinding*,listRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.rbac.v1.RoleBindingList
+
+401
+
+UnauthorizedRhttpsjd
+x-kubernetes-group-version-kindA?version: v1
+group: rbac.authorization.k8s.io
+kind: RoleBinding
+j
+x-kubernetes-actionlist
+"Ÿ	
+rbacAuthorization_v1create a RoleBinding*.createRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.rbac.v1.RoleBindingBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jç

+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.rbac.v1.RoleBinding
+E
+202>
+<
+Accepted0
+.
+,#/definitions/io.k8s.api.rbac.v1.RoleBinding
+
+401
+
+Unauthorized
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.rbac.v1.RoleBindingRhttpsj
+x-kubernetes-actionpost
+jd
+x-kubernetes-group-version-kindA?kind: RoleBinding
+version: v1
+group: rbac.authorization.k8s.io
+*þ,
+rbacAuthorization_v1 delete collection of RoleBinding*8deleteRbacAuthorizationV1CollectionNamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

œ(
+5/apis/rbac.authorization.k8s.io/v1/watch/clusterrolesâ'Ö
+rbacAuthorization_v1wwatch individual changes to a list of ClusterRole. deprecated: use the 'watch' parameter with a list operation instead.*'watchRbacAuthorizationV1ClusterRoleList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jd
+x-kubernetes-group-version-kindA?version: v1
+group: rbac.authorization.k8s.io
+kind: ClusterRole
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

æ(
+ /api/v1/persistentvolumes/{name}Á(ó
+core_v1#read the specified PersistentVolume*readCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+È
+core_v1&replace the specified PersistentVolume*replaceCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG
+E
+Cbodybody 
*3
+1#/definitions/io.k8s.api.core.v1.PersistentVolumeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jª

+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+I
+201B
+@
+Created5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+j
+x-kubernetes-actionput
+*ø
+core_v1delete a PersistentVolume*deleteCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J«

+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+J
+202C
+A
+Accepted5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+j 
+x-kubernetes-action	delete
+Bò
+core_v1/partially update the specified PersistentVolume*patchCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+J=
+;9"7
pathname of the PersistentVolume"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Æ)
+</apis/apps/v1/watch/namespaces/{namespace}/daemonsets/{name}…)ß
+apps_v1°
watch changes to an object of kind DaemonSet. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsjM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J6
+42"0
pathname of the DaemonSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ü)
+F/apis/events.k8s.io/v1beta1/watch/namespaces/{namespace}/events/{name}‘)ï
+events_v1beta1¬
watch changes to an object of kind Event. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*!watchEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J2
+0.",
pathname of the Event"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ê\
+#/apis/node.k8s.io/v1/runtimeclasses¢\…&
+node_v1*list or watch objects of kind RuntimeClass*listNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.node.v1.RuntimeClassList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jW
+x-kubernetes-group-version-kind42group: node.k8s.io
+kind: RuntimeClass
+version: v1
+"ô
+node_v1create a RuntimeClass*createNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.node.v1.RuntimeClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jê

+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.node.v1.RuntimeClass
+F
+202?
+=
+Accepted1
+/
+-#/definitions/io.k8s.api.node.v1.RuntimeClass
+
+401
+
+Unauthorized
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.node.v1.RuntimeClassRhttpsj
+x-kubernetes-actionpost
+jW
+x-kubernetes-group-version-kind42group: node.k8s.io
+kind: RuntimeClass
+version: v1
+*Ï,
+node_v1!delete collection of RuntimeClass*"deleteNodeV1CollectionRuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42kind: RuntimeClass
+version: v1
+group: node.k8s.io
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

±\
+#/api/v1/namespaces/{namespace}/pods‰\â%
+core_v1!list or watch objects of kind Pod*listCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

JV
+
+401
+
+Unauthorized
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.PodListRhttpsj
+x-kubernetes-actionlist
+jE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+"¶
+core_v1create a Pod*createCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B:
+8
+6bodybody 
*&
+$#/definitions/io.k8s.api.core.v1.PodBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÏ

+
+401
+
+Unauthorized
+7
+2000
+.
+OK(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+<
+2015
+3
+Created(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+=
+2026
+4
+Accepted(
+&
+$#/definitions/io.k8s.api.core.v1.PodRhttpsjE
+x-kubernetes-group-version-kind" kind: Pod
+version: v1
+group: ""
+j
+x-kubernetes-actionpost
+*µ,
+core_v1delete collection of Pod*#deleteCoreV1CollectionNamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Þ\
+&/api/v1/namespaces/{namespace}/secrets³\î%
+core_v1$list or watch objects of kind Secret*listCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.core.v1.SecretList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jH
+x-kubernetes-group-version-kind%#group: ""
+kind: Secret
+version: v1
+"Ë
+core_v1create a Secret*createCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B=
+;
+9bodybody 
*)
+'#/definitions/io.k8s.api.core.v1.SecretBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JØ

+:
+2003
+1
+OK+
+)
+'#/definitions/io.k8s.api.core.v1.Secret
+?
+2018
+6
+Created+
+)
+'#/definitions/io.k8s.api.core.v1.Secret
+@
+2029
+7
+Accepted+
+)
+'#/definitions/io.k8s.api.core.v1.Secret
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jH
+x-kubernetes-group-version-kind%#version: v1
+group: ""
+kind: Secret
+*¾,
+core_v1delete collection of Secret*&deleteCoreV1CollectionNamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jH
+x-kubernetes-group-version-kind%#group: ""
+kind: Secret
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Á)
+D/apis/certificates.k8s.io/v1/watch/certificatesigningrequests/{name}ø(¤
+certificates_v1À
watch changes to an object of kind CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*,watchCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jl
+x-kubernetes-group-version-kindIGgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JF
+DB"@
path%name of the CertificateSigningRequest"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ï
+/apis/policy/v1beta1/ÕÒ
+policy_v1beta1get available resources*getPolicyV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps–)
+=/apis/apiregistration.k8s.io/v1beta1/watch/apiservices/{name}Ô(�
+apiregistration_v1beta1±
watch changes to an object of kind APIService. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*%watchApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@version: v1beta1
+kind: APIService
+group: apiregistration.k8s.io
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J7
+53"1
pathname of the APIService"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ù(
+:/apis/events.k8s.io/v1/watch/namespaces/{namespace}/eventsš(¬
+	events_v1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.* watchEventsV1NamespacedEventList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ú(
+,/apis/storage.k8s.io/v1beta1/csinodes/{name}É(ø
+storage_v1beta1read the specified CSINode*readStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINode
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: CSINode
+version: v1beta1
+Ë
+storage_v1beta1replace the specified CSINode*replaceStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF
+D
+Bbodybody 
*2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINodeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¨

+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINode
+H
+201A
+?
+Created4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINode
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: CSINode
+version: v1beta1
+*ü
+storage_v1beta1delete a CSINode*deleteStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J©

+I
+202B
+@
+Accepted4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINode
+
+401
+
+Unauthorized
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINodeRhttpsj 
+x-kubernetes-action	delete
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: CSINode
+version: v1beta1
+B÷
+storage_v1beta1&partially update the specified CSINode*patchStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINode
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jZ
+x-kubernetes-group-version-kind75kind: CSINode
+version: v1beta1
+group: storage.k8s.io
+J4
+20".
pathname of the CSINode"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ö)
+6/apis/rbac.authorization.k8s.io/v1/clusterroles/{name}»)�
+rbacAuthorization_v1read the specified ClusterRole*"readRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRole
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1
+Û
+rbacAuthorization_v1!replace the specified ClusterRole*%replaceRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRoleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J 

+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRole
+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRole
+
+401
+
+UnauthorizedRhttpsjd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1
+j
+x-kubernetes-actionput
+*ª
+rbacAuthorization_v1delete a ClusterRole*$deleteRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1
+B�
+rbacAuthorization_v1*partially update the specified ClusterRole*#patchRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRole
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jd
+x-kubernetes-group-version-kindA?kind: ClusterRole
+version: v1
+group: rbac.authorization.k8s.io
+J8
+64"2
pathname of the ClusterRole"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ž'
+(/apis/rbac.authorization.k8s.io/v1/rolesñ&å
+rbacAuthorization_v1"list or watch objects of kind Role*+listRbacAuthorizationV1RoleForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JW
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.rbac.v1.RoleList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

À(
+:/apis/rbac.authorization.k8s.io/v1beta1/watch/rolebindings�(õ
+rbacAuthorization_v1beta1wwatch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*<watchRbacAuthorizationV1beta1RoleBindingListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Æ)
+8/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}‰)ë
+apps_v1read the specified StatefulSet*readAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+j
+x-kubernetes-actionget
+¶
+apps_v1!replace the specified StatefulSet*"replaceAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.apps.v1.StatefulSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J 

+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+j
+x-kubernetes-actionput
+*…
+apps_v1delete a StatefulSet*!deleteAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+Bê
+apps_v1*partially update the specified StatefulSet* patchAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jO
+x-kubernetes-group-version-kind,*version: v1
+group: apps
+kind: StatefulSet
+J8
+64"2
pathname of the StatefulSet"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

è'
+ /apis/apps/v1/watch/statefulsetsÃ'·
+apps_v1wwatch individual changes to a list of StatefulSet. deprecated: use the 'watch' parameter with a list operation instead.**watchAppsV1StatefulSetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

é
+W/apis/autoscaling/v2beta2/namespaces/{namespace}/horizontalpodautoscalers/{name}/status�Û
+autoscaling_v2beta24read status of the specified HorizontalPodAutoscaler*=readAutoscalingV2beta2NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jr
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+Ö	
+autoscaling_v2beta27replace status of the specified HorizontalPodAutoscaler*@replaceAutoscalingV2beta2NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ
+X
+Vbodybody 
*F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÐ

+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+\
+201U
+S
+CreatedH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsjg
+x-kubernetes-group-version-kindDBkind: HorizontalPodAutoscaler
+version: v2beta2
+group: autoscaling
+j
+x-kubernetes-actionput
+BÚ
+autoscaling_v2beta2@partially update status of the specified HorizontalPodAutoscaler*>patchAutoscalingV2beta2NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jr
+W
+200P
+N
+OKH
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+JD
+B@">
path#name of the HorizontalPodAutoscaler"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ý
+/apis/batch/v1/ÉÆ
+batch_v1get available resources*getBatchV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsú
+./api/v1/namespaces/{namespace}/pods/{name}/logÇÄ
+core_v1read log of the specified Pod*readCoreV1NamespacedPodLog2
+text/plain2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjE
+x-kubernetes-group-version-kind" kind: Pod
+version: v1
+group: ""
+j
+x-kubernetes-actionget
+J�

+�
Š
‡
queryhThe container for which to stream logs. Defaults to only container if there is one container in the pod."	container2string 

JW
+USQquery4Follow the log stream of the pod. Defaults to false."follow2boolean 

JŒ
+‰†ƒqueryÏinsecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the serving certificate of the backend it is connecting to.  This will make the HTTPS connection between the apiserver and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real kubelet.  If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept the actual log data coming from the real kubelet)."insecureSkipTLSVerifyBackend2boolean 

J€
+ý
ú
÷
queryÕ
If set, the number of bytes to read from the server before terminating the log output. This may not display a complete final line of logging, and may return slightly more or slightly less than the specified limit."
+limitBytes2integer 

J0
+.,"*
pathname of the Pod"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jb
+`^\query=Return previous terminated container logs. Defaults to false."previous2boolean 

JÍ
+ÊÇÄquery A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified."sinceSeconds2integer 

JÈ

+Å
Â
¿
queryž
If set, the number of lines from the end of the logs to show. If not specified, logs are shown from the creation of the container or sinceSeconds or sinceTime"	tailLines2integer 

J›

+˜
•
’
queryqIf true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line of log output. Defaults to false."
+timestamps2boolean 

×'
+1/apis/storage.k8s.io/v1beta1/csistoragecapacities¡'•
+storage_v1beta10list or watch objects of kind CSIStorageCapacity*4listStorageV1beta1CSIStorageCapacityForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+je
+x-kubernetes-group-version-kindB@group: storage.k8s.io
+kind: CSIStorageCapacity
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

³_
+H/apis/storage.k8s.io/v1beta1/namespaces/{namespace}/csistoragecapacitiesæ^Ç&
+storage_v1beta10list or watch objects of kind CSIStorageCapacity*.listStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+je
+x-kubernetes-group-version-kindB@version: v1beta1
+group: storage.k8s.io
+kind: CSIStorageCapacity
+"à	
+storage_v1beta1create a CSIStorageCapacity*0createStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ
+O
+Mbodybody 
*=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J”
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity
+S
+201L
+J
+Created?
+=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity
+T
+202M
+K
+Accepted?
+=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: storage.k8s.io
+kind: CSIStorageCapacity
+version: v1beta1
+j
+x-kubernetes-actionpost
+*ƒ-
+storage_v1beta1'delete collection of CSIStorageCapacity*:deleteStorageV1beta1CollectionNamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: storage.k8s.io
+kind: CSIStorageCapacity
+version: v1beta1
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

·
+!/api/v1/nodes/{name}/proxy/{path}‘”
+core_v1%connect GET requests to proxy of Node*!connectCoreV1GetNodeProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+”
+core_v1%connect PUT requests to proxy of Node*!connectCoreV1PutNodeProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-version: v1
+group: ""
+kind: NodeProxyOptions
+"–
+core_v1&connect POST requests to proxy of Node*"connectCoreV1PostNodeProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-version: v1
+group: ""
+kind: NodeProxyOptions
+*š
+core_v1(connect DELETE requests to proxy of Node*$connectCoreV1DeleteNodeProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+2œ
+core_v1)connect OPTIONS requests to proxy of Node*%connectCoreV1OptionsNodeProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+:–
+core_v1&connect HEAD requests to proxy of Node*"connectCoreV1HeadNodeProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+B˜
+core_v1'connect PATCH requests to proxy of Node*#connectCoreV1PatchNodeProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+J=
+;9"7
pathname of the NodeProxyOptions"name*string˜

J5
+31"/
pathpath to the resource"path*string˜

Jb
+`^\queryBPath is the URL path to use for the current proxy request to node."path2string 

»^
+?/apis/discovery.k8s.io/v1/namespaces/{namespace}/endpointslices÷]§&
+discovery_v1+list or watch objects of kind EndpointSlice*&listDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.discovery.v1.EndpointSliceList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+"©	
+discovery_v1create an EndpointSlice*(createDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSliceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jü

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSlice
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSlice
+L
+202E
+C
+Accepted7
+5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSlice
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+*ë,
+discovery_v1"delete collection of EndpointSlice*2deleteDiscoveryV1CollectionNamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

³]
+*/apis/scheduling.k8s.io/v1/priorityclasses„]¡&
+
scheduling_v1+list or watch objects of kind PriorityClass*listSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jf
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.scheduling.v1.PriorityClassList
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: scheduling.k8s.io
+kind: PriorityClass
+version: v1
+j
+x-kubernetes-actionlist
+"¥	
+
scheduling_v1create a PriorityClass*createSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ
+H
+Fbodybody 
*6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jÿ

+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClass
+L
+201E
+C
+Created8
+6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClass
+M
+202F
+D
+Accepted8
+6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClass
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j^
+x-kubernetes-group-version-kind;9group: scheduling.k8s.io
+kind: PriorityClass
+version: v1
+*ä,
+
scheduling_v1"delete collection of PriorityClass*)deleteSchedulingV1CollectionPriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: scheduling.k8s.io
+kind: PriorityClass
+version: v1
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‚
+ /apis/scheduling.k8s.io/v1beta1/ÝÚ
+scheduling_v1beta1get available resources* getSchedulingV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps¯
+J/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/{name}/statusà‚
+apiextensions_v1beta15read status of the specified CustomResourceDefinition*6readApiextensionsV1beta1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J’

+w
+200p
+n
+OKh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jq
+x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io
+kind: CustomResourceDefinition
+version: v1beta1
+¼
+
+apiextensions_v1beta18replace status of the specified CustomResourceDefinition*9replaceApiextensionsV1beta1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bz
+x
+vbodybody 
*f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J�
+w
+200p
+n
+OKh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+|
+201u
+s
+Createdh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jq
+x-kubernetes-group-version-kindNLversion: v1beta1
+group: apiextensions.k8s.io
+kind: CustomResourceDefinition
+B�
+apiextensions_v1beta1Apartially update status of the specified CustomResourceDefinition*7patchApiextensionsV1beta1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J’

+w
+200p
+n
+OKh
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jq
+x-kubernetes-group-version-kindNLversion: v1beta1
+group: apiextensions.k8s.io
+kind: CustomResourceDefinition
+JE
+CA"?
path$name of the CustomResourceDefinition"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ï
+/apis/authentication.k8s.io/ÎË
+authenticationget information of a group*getAuthenticationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsñ(
+4/apis/storage.k8s.io/v1beta1/watch/csidrivers/{name}¸(ô
+storage_v1beta1°
watch changes to an object of kind CSIDriver. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j\
+x-kubernetes-group-version-kind97group: storage.k8s.io
+kind: CSIDriver
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J6
+42"0
pathname of the CSIDriver"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

÷
+7/apis/storage.k8s.io/v1/volumeattachments/{name}/status»˜
+
+storage_v1-read status of the specified VolumeAttachment*#readStorageV1VolumeAttachmentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j^
+x-kubernetes-group-version-kind;9group: storage.k8s.io
+kind: VolumeAttachment
+version: v1
+ó
+
+storage_v10replace status of the specified VolumeAttachment*&replaceStorageV1VolumeAttachmentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ
+H
+Fbodybody 
*6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J°

+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+L
+201E
+C
+Created8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j^
+x-kubernetes-group-version-kind;9group: storage.k8s.io
+kind: VolumeAttachment
+version: v1
+B—
+
+storage_v19partially update status of the specified VolumeAttachment*$patchStorageV1VolumeAttachmentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9kind: VolumeAttachment
+version: v1
+group: storage.k8s.io
+j
+x-kubernetes-actionpatch
+J=
+;9"7
pathname of the VolumeAttachment"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

í(
+3/apis/storage.k8s.io/v1/watch/storageclasses/{name}µ(î
+
+storage_v1³
watch changes to an object of kind StorageClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: StorageClass
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J9
+75"3
pathname of the StorageClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¢a
+J/apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurationsÓ`¦'
+admissionregistration_v1beta1<list or watch objects of kind ValidatingWebhookConfiguration*>listAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J‡

+l
+200e
+c
+OK]
+[
+Y#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j
+x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1beta1
+"Œ
+admissionregistration_v1beta1'create a ValidatingWebhookConfiguration*@createAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bk
+i
+gbodybody 
*W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jâ
+h
+200a
+_
+OKY
+W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration
+m
+201f
+d
+CreatedY
+W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration
+n
+202g
+e
+AcceptedY
+W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j
+x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1beta1
+*Ç-
+admissionregistration_v1beta13delete collection of ValidatingWebhookConfiguration*JdeleteAdmissionregistrationV1beta1CollectionValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j
+x-kubernetes-group-version-kind\Zkind: ValidatingWebhookConfiguration
+version: v1beta1
+group: admissionregistration.k8s.io
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

·
+
++/apis/authentication.k8s.io/v1/tokenreviews‡
+"ù
+authentication_v1create a TokenReview*!createAuthenticationV1TokenReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.authentication.v1.TokenReviewJ…
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.authentication.v1.TokenReview
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.authentication.v1.TokenReview
+O
+202H
+F
+Accepted:
+8
+6#/definitions/io.k8s.api.authentication.v1.TokenReview
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j`
+x-kubernetes-group-version-kind=;group: authentication.k8s.io
+kind: TokenReview
+version: v1
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

õ'
+2/apis/autoscaling/v2beta2/horizontalpodautoscalers¾'²
+autoscaling_v2beta25list or watch objects of kind HorizontalPodAutoscaler*=listAutoscalingV2beta2HorizontalPodAutoscalerForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jv
+[
+200T
+R
+OKL
+J
+H#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

–_
+@/apis/policy/v1beta1/namespaces/{namespace}/poddisruptionbudgetsÑ^À&
+policy_v1beta11list or watch objects of kind PodDisruptionBudget*.listPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetList
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+j
+x-kubernetes-actionlist
+"Ù	
+policy_v1beta1create a PodDisruptionBudget*0createPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ
+O
+Mbodybody 
*=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J”
+
+401
+
+Unauthorized
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+S
+201L
+J
+Created?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+T
+202M
+K
+Accepted?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetRhttpsj^
+x-kubernetes-group-version-kind;9kind: PodDisruptionBudget
+version: v1beta1
+group: policy
+j
+x-kubernetes-actionpost
+*ü,
+policy_v1beta1(delete collection of PodDisruptionBudget*:deletePolicyV1beta1CollectionNamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ô^
+;/apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings´^Ù&
+rbacAuthorization_v1beta10list or watch objects of kind ClusterRoleBinding*.listRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jj
+O
+200H
+F
+OK@
+>
+<#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jp
+x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1beta1
+"é	
+rbacAuthorization_v1beta1create a ClusterRoleBinding*0createRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J‹
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding
+P
+201I
+G
+Created<
+:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding
+Q
+202J
+H
+Accepted<
+:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding
+
+401
+
+UnauthorizedRhttpsjp
+x-kubernetes-group-version-kindMKkind: ClusterRoleBinding
+version: v1beta1
+group: rbac.authorization.k8s.io
+j
+x-kubernetes-actionpost
+*˜-
+rbacAuthorization_v1beta1'delete collection of ClusterRoleBinding*:deleteRbacAuthorizationV1beta1CollectionClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jp
+x-kubernetes-group-version-kindMKkind: ClusterRoleBinding
+version: v1beta1
+group: rbac.authorization.k8s.io
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

´
+
+'/api/v1/namespaces/{namespace}/bindingsˆ
+"˜
+core_v1create a Binding*createCoreV1NamespacedBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B>
+<
+:bodybody 
**
+(#/definitions/io.k8s.api.core.v1.BindingJÛ

+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.core.v1.Binding
+@
+2019
+7
+Created,
+*
+(#/definitions/io.k8s.api.core.v1.Binding
+A
+202:
+8
+Accepted,
+*
+(#/definitions/io.k8s.api.core.v1.Binding
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jI
+x-kubernetes-group-version-kind&$version: v1
+group: ""
+kind: Binding
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ô)
+P/apis/admissionregistration.k8s.io/v1/watch/mutatingwebhookconfigurations/{name}Ÿ)È
+admissionregistration_v1Ã
watch changes to an object of kind MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*8watchAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jx
+x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JI
+GE"C
path(name of the MutatingWebhookConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¼)
+O/apis/autoscaling/v2beta1/watch/namespaces/{namespace}/horizontalpodautoscalersè(ú
+autoscaling_v2beta1ƒ
watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*<watchAutoscalingV2beta1NamespacedHorizontalPodAutoscalerList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¬)
+7/apis/batch/v1/watch/namespaces/{namespace}/jobs/{name}ð(Ð
+batch_v1ª
watch changes to an object of kind Job. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J0
+.,"*
pathname of the Job"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¢(
+6/apis/apiregistration.k8s.io/v1beta1/watch/apiservicesç'Û
+apiregistration_v1beta1vwatch individual changes to a list of APIService. deprecated: use the 'watch' parameter with a list operation instead.*)watchApiregistrationV1beta1APIServiceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@version: v1beta1
+kind: APIService
+group: apiregistration.k8s.io
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ë^
+;/apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets‹^¬&
+	policy_v11list or watch objects of kind PodDisruptionBudget*)listPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jh
+M
+200F
+D
+OK>
+<
+:#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetList
+
+401
+
+UnauthorizedRhttpsjY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+j
+x-kubernetes-actionlist
+"¶	
+	policy_v1create a PodDisruptionBudget*+createPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J…
+
+401
+
+Unauthorized
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+O
+202H
+F
+Accepted:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetRhttpsj
+x-kubernetes-actionpost
+jY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+*í,
+	policy_v1(delete collection of PodDisruptionBudget*5deletePolicyV1CollectionNamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjY
+x-kubernetes-group-version-kind64version: v1
+group: policy
+kind: PodDisruptionBudget
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ò_
+D/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers‰_Ð&
+autoscaling_v15list or watch objects of kind HorizontalPodAutoscaler*2listAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jq
+V
+200O
+M
+OKG
+E
+C#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+"õ	
+autoscaling_v1 create a HorizontalPodAutoscaler*4createAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BU
+S
+Qbodybody 
*A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J 
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+W
+201P
+N
+CreatedC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+X
+202Q
+O
+AcceptedC
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jb
+x-kubernetes-group-version-kind?=kind: HorizontalPodAutoscaler
+version: v1
+group: autoscaling
+*ˆ-
+autoscaling_v1,delete collection of HorizontalPodAutoscaler*>deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¬(
+5/apis/rbac.authorization.k8s.io/v1/watch/rolebindingsò'æ
+rbacAuthorization_v1wwatch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*7watchRbacAuthorizationV1RoleBindingListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

É\
+"/apis/storage.k8s.io/v1/csidrivers¢\…&
+
+storage_v1'list or watch objects of kind CSIDriver*listStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.storage.v1.CSIDriverList
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: storage.k8s.io
+kind: CSIDriver
+version: v1
+j
+x-kubernetes-actionlist
+"ô
+
+storage_v1create a CSIDriver*createStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.storage.v1.CSIDriverBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jê

+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriver
+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriver
+F
+202?
+=
+Accepted1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriver
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42group: storage.k8s.io
+kind: CSIDriver
+version: v1
+j
+x-kubernetes-actionpost
+*Ï,
+
+storage_v1delete collection of CSIDriver*"deleteStorageV1CollectionCSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jW
+x-kubernetes-group-version-kind42version: v1
+group: storage.k8s.io
+kind: CSIDriver
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

å	
+"/api/v1/namespaces/{name}/finalize¾	ø
+core_v1+replace finalize of the specified Namespace*replaceCoreV1NamespaceFinalize2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.core.v1.NamespaceJœ

+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Namespace
+version: v1
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J6
+42"0
pathname of the Namespace"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

È
+/apis/½º
+apisget available API versions*getAPIVersions2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList
+
+401
+
+UnauthorizedRhttpsˆ*
+U/apis/admissionregistration.k8s.io/v1beta1/watch/mutatingwebhookconfigurations/{name}®)×
+admissionregistration_v1beta1Ã
watch changes to an object of kind MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*=watchAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj
+x-kubernetes-actionwatch
+j}
+x-kubernetes-group-version-kindZXversion: v1beta1
+group: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JI
+GE"C
path(name of the MutatingWebhookConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¯
+:/apis/authorization.k8s.io/v1beta1/selfsubjectrulesreviewsð
+"â
+authorization_v1beta1create a SelfSubjectRulesReview*0createAuthorizationV1beta1SelfSubjectRulesReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B[
+Y
+Wbodybody 
*G
+E#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewJ²
+X
+200Q
+O
+OKI
+G
+E#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview
+]
+201V
+T
+CreatedI
+G
+E#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview
+^
+202W
+U
+AcceptedI
+G
+E#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jo
+x-kubernetes-group-version-kindLJgroup: authorization.k8s.io
+kind: SelfSubjectRulesReview
+version: v1beta1
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

É(
+8/apis/autoscaling/v2beta2/watch/horizontalpodautoscalersŒ(€
+autoscaling_v2beta2ƒ
watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*BwatchAutoscalingV2beta2HorizontalPodAutoscalerListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+jg
+x-kubernetes-group-version-kindDBgroup: autoscaling
+kind: HorizontalPodAutoscaler
+version: v2beta2
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¡
++/apis/flowcontrol.apiserver.k8s.io/v1beta1/ñî
+flowcontrolApiserver_v1beta1get available resources**getFlowcontrolApiserverV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsñ+
+R/apis/rbac.authorization.k8s.io/v1beta1/namespaces/{namespace}/rolebindings/{name}š+®
+rbacAuthorization_v1beta1read the specified RoleBinding*1readRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J_
+
+401
+
+Unauthorized
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingRhttpsji
+x-kubernetes-group-version-kindFDversion: v1beta1
+group: rbac.authorization.k8s.io
+kind: RoleBinding
+j
+x-kubernetes-actionget
+ƒ	
+rbacAuthorization_v1beta1!replace the specified RoleBinding*4replaceRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG
+E
+Cbodybody 
*3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jª

+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding
+I
+201B
+@
+Created5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1beta1
+*Ã
+rbacAuthorization_v1beta1delete a RoleBinding*3deleteRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1beta1
+B­
+rbacAuthorization_v1beta1*partially update the specified RoleBinding*2patchRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding
+
+401
+
+UnauthorizedRhttpsji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1beta1
+j
+x-kubernetes-actionpatch
+J8
+64"2
pathname of the RoleBinding"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

™.
+O/apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/{name}Å-…
+admissionregistration_v1beta1/read the specified MutatingWebhookConfiguration*<readAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J�

+f
+200_
+]
+OKW
+U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j}
+x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1beta1
+�
+
+admissionregistration_v1beta12replace the specified MutatingWebhookConfiguration*?replaceAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bi
+g
+ebodybody 
*U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jî

+f
+200_
+]
+OKW
+U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration
+k
+201d
+b
+CreatedW
+U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j}
+x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1beta1
+*÷
+admissionregistration_v1beta1%delete a MutatingWebhookConfiguration*>deleteAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j}
+x-kubernetes-group-version-kindZXversion: v1beta1
+group: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+B„
+admissionregistration_v1beta1;partially update the specified MutatingWebhookConfiguration*=patchAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J�

+f
+200_
+]
+OKW
+U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsj}
+x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io
+kind: MutatingWebhookConfiguration
+version: v1beta1
+j
+x-kubernetes-actionpatch
+JI
+GE"C
path(name of the MutatingWebhookConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

—+
+M/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}Å*š
+rbacAuthorization_v1read the specified RoleBinding*,readRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.rbac.v1.RoleBinding
+
+401
+
+UnauthorizedRhttpsjd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+j
+x-kubernetes-actionget
+å
+rbacAuthorization_v1!replace the specified RoleBinding*/replaceRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.rbac.v1.RoleBindingBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J 

+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.rbac.v1.RoleBinding
+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.rbac.v1.RoleBinding
+
+401
+
+UnauthorizedRhttpsjd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+j
+x-kubernetes-actionput
+*´
+rbacAuthorization_v1delete a RoleBinding*.deleteRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+j 
+x-kubernetes-action	delete
+B™
+rbacAuthorization_v1*partially update the specified RoleBinding*-patchRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.rbac.v1.RoleBinding
+
+401
+
+UnauthorizedRhttpsjd
+x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1
+j
+x-kubernetes-actionpatch
+J8
+64"2
pathname of the RoleBinding"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ì*
+K/apis/rbac.authorization.k8s.io/v1beta1/namespaces/{namespace}/roles/{name}œ*’
+rbacAuthorization_v1beta1read the specified Role**readRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.rbac.v1beta1.Role
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=kind: Role
+version: v1beta1
+group: rbac.authorization.k8s.io
+j
+x-kubernetes-actionget
+Ù
+rbacAuthorization_v1beta1replace the specified Role*-replaceRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.rbac.v1beta1.RoleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jœ

+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.rbac.v1beta1.Role
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.rbac.v1beta1.Role
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+*®
+rbacAuthorization_v1beta1
delete a Role*,deleteRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+j 
+x-kubernetes-action	delete
+B‘
+rbacAuthorization_v1beta1#partially update the specified Role*+patchRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.rbac.v1beta1.Role
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jb
+x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io
+kind: Role
+version: v1beta1
+J1
+/-"+
pathname of the Role"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

þ'
+-/apis/storage.k8s.io/v1beta1/watch/csidriversÌ'À
+storage_v1beta1uwatch individual changes to a list of CSIDriver. deprecated: use the 'watch' parameter with a list operation instead.* watchStorageV1beta1CSIDriverList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j\
+x-kubernetes-group-version-kind97group: storage.k8s.io
+kind: CSIDriver
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Õ+
+B/apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings/{name}Ž+À
+rbacAuthorization_v1beta1%read the specified ClusterRoleBinding*.readRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jf
+
+401
+
+Unauthorized
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingRhttpsjp
+x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1beta1
+j
+x-kubernetes-actionget
+£	
+rbacAuthorization_v1beta1(replace the specified ClusterRoleBinding*1replaceRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¸

+P
+201I
+G
+Created<
+:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding
+
+401
+
+Unauthorized
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingRhttpsj
+x-kubernetes-actionput
+jp
+x-kubernetes-group-version-kindMKversion: v1beta1
+group: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+*Î
+rbacAuthorization_v1beta1delete a ClusterRoleBinding*0deleteRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jp
+x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1beta1
+B¿
+rbacAuthorization_v1beta11partially update the specified ClusterRoleBinding*/patchRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jf
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jp
+x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1beta1
+J?
+=;"9
pathname of the ClusterRoleBinding"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‰
+;/api/v1/namespaces/{namespace}/resourcequotas/{name}/status�
+core_v1*read status of the specified ResourceQuota*'readCoreV1NamespacedResourceQuotaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jO
+x-kubernetes-group-version-kind,*kind: ResourceQuota
+version: v1
+group: ""
+Ð
+core_v1-replace status of the specified ResourceQuota**replaceCoreV1NamespacedResourceQuotaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.core.v1.ResourceQuotaBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¤

+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*version: v1
+group: ""
+kind: ResourceQuota
+j
+x-kubernetes-actionput
+B€
+core_v16partially update status of the specified ResourceQuota*(patchCoreV1NamespacedResourceQuotaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jO
+x-kubernetes-group-version-kind,*group: ""
+kind: ResourceQuota
+version: v1
+J:
+86"4
pathname of the ResourceQuota"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

å
+>/apis/apps/v1/namespaces/{namespace}/deployments/{name}/status¢÷
+apps_v1'read status of the specified Deployment*$readAppsV1NamespacedDeploymentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+
+401
+
+UnauthorizedRhttpsjN
+x-kubernetes-group-version-kind+)group: apps
+kind: Deployment
+version: v1
+j
+x-kubernetes-actionget
+À
+apps_v1*replace status of the specified Deployment*'replaceAppsV1NamespacedDeploymentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA
+?
+=bodybody 
*-
++#/definitions/io.k8s.api.apps.v1.DeploymentBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jž

+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+C
+201<
+:
+Created/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: Deployment
+version: v1
+Bö
+apps_v13partially update status of the specified Deployment*%patchAppsV1NamespacedDeploymentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jN
+x-kubernetes-group-version-kind+)kind: Deployment
+version: v1
+group: apps
+J7
+53"1
pathname of the Deployment"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¨)
+J/apis/autoscaling/v1/watch/namespaces/{namespace}/horizontalpodautoscalersÙ(ë
+autoscaling_v1ƒ
watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*7watchAutoscalingV1NamespacedHorizontalPodAutoscalerList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjb
+x-kubernetes-group-version-kind?=group: autoscaling
+kind: HorizontalPodAutoscaler
+version: v1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

œ)
+;/apis/events.k8s.io/v1/namespaces/{namespace}/events/{name}Ü(â
+	events_v1read the specified Event*readEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JV
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.events.v1.Event
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+¥
+	events_v1replace the specified Event*replaceEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B>
+<
+:bodybody 
**
+(#/definitions/io.k8s.api.events.v1.EventBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J˜

+
+401
+
+Unauthorized
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.events.v1.Event
+@
+2019
+7
+Created,
+*
+(#/definitions/io.k8s.api.events.v1.EventRhttpsj
+x-kubernetes-actionput
+jR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+*�
+	events_v1delete an Event*deleteEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj 
+x-kubernetes-action	delete
+jR
+x-kubernetes-group-version-kind/-kind: Event
+version: v1
+group: events.k8s.io
+Bá
+	events_v1$partially update the specified Event*patchEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JV
+;
+2004
+2
+OK,
+*
+(#/definitions/io.k8s.api.events.v1.Event
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jR
+x-kubernetes-group-version-kind/-group: events.k8s.io
+kind: Event
+version: v1
+J2
+0.",
pathname of the Event"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ï]
+:/apis/coordination.k8s.io/v1/namespaces/{namespace}/leases°]“&
+coordination_v1#list or watch objects of kind Lease*!listCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J`
+
+401
+
+Unauthorized
+E
+200>
+<
+OK6
+4
+2#/definitions/io.k8s.api.coordination.v1.LeaseListRhttpsj
+x-kubernetes-actionlist
+jX
+x-kubernetes-group-version-kind53version: v1
+group: coordination.k8s.io
+kind: Lease
+"…	
+coordination_v1create a Lease*#createCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.coordination.v1.LeaseBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jí

+
+401
+
+Unauthorized
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.coordination.v1.Lease
+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.coordination.v1.Lease
+G
+202@
+>
+Accepted2
+0
+.#/definitions/io.k8s.api.coordination.v1.LeaseRhttpsj
+x-kubernetes-actionpost
+jX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+*Ü,
+coordination_v1delete collection of Lease*-deleteCoordinationV1CollectionNamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jX
+x-kubernetes-group-version-kind53group: coordination.k8s.io
+kind: Lease
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

È'
+)/apis/policy/v1beta1/poddisruptionbudgetsš'Ž
+policy_v1beta11list or watch objects of kind PodDisruptionBudget*4listPolicyV1beta1PodDisruptionBudgetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jm
+R
+200K
+I
+OKC
+A
+?#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

€)
+6/apis/storage.k8s.io/v1/watch/volumeattachments/{name}Å(ú
+
+storage_v1·
watch changes to an object of kind VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: storage.k8s.io
+kind: VolumeAttachment
+version: v1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J=
+;9"7
pathname of the VolumeAttachment"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Þ
+7/api/v1/namespaces/{namespace}/pods/{name}/proxy/{path}¢›
+core_v1$connect GET requests to proxy of Pod**connectCoreV1GetNamespacedPodProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,version: v1
+group: ""
+kind: PodProxyOptions
+›
+core_v1$connect PUT requests to proxy of Pod**connectCoreV1PutNamespacedPodProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+"�
+core_v1%connect POST requests to proxy of Pod*+connectCoreV1PostNamespacedPodProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+*¡
+core_v1'connect DELETE requests to proxy of Pod*-connectCoreV1DeleteNamespacedPodProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+2£
+core_v1(connect OPTIONS requests to proxy of Pod*.connectCoreV1OptionsNamespacedPodProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,kind: PodProxyOptions
+version: v1
+group: ""
+:�
+core_v1%connect HEAD requests to proxy of Pod*+connectCoreV1HeadNamespacedPodProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+BŸ
+core_v1&connect PATCH requests to proxy of Pod*,connectCoreV1PatchNamespacedPodProxyWithPath2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jQ
+x-kubernetes-group-version-kind.,group: ""
+kind: PodProxyOptions
+version: v1
+J<
+:8"6
pathname of the PodProxyOptions"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

J5
+31"/
pathpath to the resource"path*string˜

Ja
+_][queryAPath is the URL path to use for the current proxy request to pod."path2string 

„'
+/api/v1/serviceaccountsè&Ü
+core_v1,list or watch objects of kind ServiceAccount*(listCoreV1ServiceAccountForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Ja
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.core.v1.ServiceAccountList
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+version: v1
+group: ""
+kind: ServiceAccount
+j
+x-kubernetes-actionlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

º^
++/apis/apiregistration.k8s.io/v1/apiservicesŠ^¾&
+apiregistration_v1(list or watch objects of kind APIService*listApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J}
+
+401
+
+Unauthorized
+b
+200[
+Y
+OKS
+Q
+O#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceListRhttpsj`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+j
+x-kubernetes-actionlist
+"ˆ
+
+apiregistration_v1create an APIService*!createApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ba
+_
+]bodybody 
*M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÄ
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+c
+201\
+Z
+CreatedO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+d
+202]
+[
+AcceptedO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j`
+x-kubernetes-group-version-kind=;kind: APIService
+group: apiregistration.k8s.io
+version: v1
+*ê,
+apiregistration_v1delete collection of APIService*+deleteApiregistrationV1CollectionAPIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

«
+L/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/{name}/approvalÚè
+certificates_v1beta18read approval of the specified CertificateSigningRequest*8readCertificatesV1beta1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsjq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+j
+x-kubernetes-actionget
+é	
+certificates_v1beta1;replace approval of the specified CertificateSigningRequest*;replaceCertificatesV1beta1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B]
+[
+Ybodybody 
*I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÖ

+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+_
+201X
+V
+CreatedK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsjq
+x-kubernetes-group-version-kindNLgroup: certificates.k8s.io
+kind: CertificateSigningRequest
+version: v1beta1
+j
+x-kubernetes-actionput
+Bç
+certificates_v1beta1Dpartially update approval of the specified CertificateSigningRequest*9patchCertificatesV1beta1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ju
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jq
+x-kubernetes-group-version-kindNLversion: v1beta1
+group: certificates.k8s.io
+kind: CertificateSigningRequest
+JF
+DB"@
path%name of the CertificateSigningRequest"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ç(
+2/apis/storage.k8s.io/v1beta1/watch/csinodes/{name}°(î
+storage_v1beta1®
watch changes to an object of kind CSINode. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: CSINode
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J4
+20".
pathname of the CSINode"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¯'
+)/apis/networking.k8s.io/v1beta1/ingresses�'õ
+networking_v1beta1%list or watch objects of kind Ingress*,listNetworkingV1beta1IngressForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je
+
+401
+
+Unauthorized
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.networking.v1beta1.IngressListRhttpsj
+x-kubernetes-actionlist
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: Ingress
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

€*
+H/apis/policy/v1/watch/namespaces/{namespace}/poddisruptionbudgets/{name}³)ƒ
+	policy_v1º
watch changes to an object of kind PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jY
+x-kubernetes-group-version-kind64version: v1
+group: policy
+kind: PodDisruptionBudget
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J@
+><":
pathname of the PodDisruptionBudget"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Þ
+N/apis/policy/v1beta1/namespaces/{namespace}/poddisruptionbudgets/{name}/status‹·
+policy_v1beta10read status of the specified PodDisruptionBudget*4readPolicyV1beta1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ji
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+ 	
+policy_v1beta13replace status of the specified PodDisruptionBudget*7replacePolicyV1beta1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ
+O
+Mbodybody 
*=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¾

+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+S
+201L
+J
+Created?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+B¶
+policy_v1beta1<partially update status of the specified PodDisruptionBudget*5patchPolicyV1beta1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ji
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+J@
+><":
pathname of the PodDisruptionBudget"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

’)
+</apis/scheduling.k8s.io/v1beta1/watch/priorityclasses/{name}Ñ(‰
+scheduling_v1beta1´
watch changes to an object of kind PriorityClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*#watchSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsjc
+x-kubernetes-group-version-kind@>group: scheduling.k8s.io
+kind: PriorityClass
+version: v1beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J:
+86"4
pathname of the PriorityClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ˆ
+"/apis/coordination.k8s.io/v1beta1/áÞ
+coordination_v1beta1get available resources*"getCoordinationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsã)
+H/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/ingresses/{name}–)ò
+
networking_v1®
watch changes to an object of kind Ingress. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jX
+x-kubernetes-group-version-kind53group: networking.k8s.io
+kind: Ingress
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J4
+20".
pathname of the Ingress"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Š)
+G/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/networkpolicies¾(Ð
+
networking_v1ywatch individual changes to a list of NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead.*,watchNetworkingV1NamespacedNetworkPolicyList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9kind: NetworkPolicy
+version: v1
+group: networking.k8s.io
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‰
+#/apis/rbac.authorization.k8s.io/v1/áÞ
+rbacAuthorization_v1get available resources*"getRbacAuthorizationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsé
+1/api/v1/namespaces/{namespace}/pods/{name}/status³Ù
+core_v1 read status of the specified Pod*readCoreV1NamespacedPodStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JR
+7
+2000
+.
+OK(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jE
+x-kubernetes-group-version-kind" group: ""
+kind: Pod
+version: v1
+”
+core_v1#replace status of the specified Pod* replaceCoreV1NamespacedPodStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B:
+8
+6bodybody 
*&
+$#/definitions/io.k8s.api.core.v1.PodBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J�

+7
+2000
+.
+OK(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+<
+2015
+3
+Created(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jE
+x-kubernetes-group-version-kind" version: v1
+group: ""
+kind: Pod
+BØ
+core_v1,partially update status of the specified Pod*patchCoreV1NamespacedPodStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JR
+7
+2000
+.
+OK(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+
+401
+
+UnauthorizedRhttpsjE
+x-kubernetes-group-version-kind" kind: Pod
+version: v1
+group: ""
+j
+x-kubernetes-actionpatch
+J0
+.,"*
pathname of the Pod"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ì'
+/api/v1/watch/serviceaccountsÊ'¾
+core_v1zwatch individual changes to a list of ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead.*-watchCoreV1ServiceAccountListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jP
+x-kubernetes-group-version-kind-+kind: ServiceAccount
+version: v1
+group: ""
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

µ]
+1/apis/apps/v1/namespaces/{namespace}/statefulsetsÿ\„&
+apps_v1)list or watch objects of kind StatefulSet*listAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J^
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.apps.v1.StatefulSetList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+"ð
+apps_v1create a StatefulSet*!createAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.apps.v1.StatefulSetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jç

+
+401
+
+Unauthorized
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+E
+202>
+<
+Accepted0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSetRhttpsj
+x-kubernetes-actionpost
+jO
+x-kubernetes-group-version-kind,*group: apps
+kind: StatefulSet
+version: v1
+*Ï,
+apps_v1 delete collection of StatefulSet*+deleteAppsV1CollectionNamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjO
+x-kubernetes-group-version-kind,*kind: StatefulSet
+version: v1
+group: apps
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

þ
+/apis/autoscaling/v2beta2/ßÜ
+autoscaling_v2beta2get available resources*!getAutoscalingV2beta2APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttps¨*
+X/apis/rbac.authorization.k8s.io/v1beta1/watch/namespaces/{namespace}/rolebindings/{name}Ë)£
+rbacAuthorization_v1beta1²
watch changes to an object of kind RoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*2watchRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: RoleBinding
+version: v1beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J8
+64"2
pathname of the RoleBinding"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

³(
+7/apis/storage.k8s.io/v1beta1/watch/csistoragecapacities÷'ë
+storage_v1beta1~watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.*9watchStorageV1beta1CSIStorageCapacityListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: storage.k8s.io
+kind: CSIStorageCapacity
+version: v1beta1
+j#
+x-kubernetes-action
+watchlist
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

H
+/logs/><
+logs*logFileListHandlerJ
+
+401
+
+UnauthorizedRhttpsÿ+
+O/apis/storage.k8s.io/v1beta1/namespaces/{namespace}/csistoragecapacities/{name}«+®
+storage_v1beta1%read the specified CSIStorageCapacity*.readStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ji
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+je
+x-kubernetes-group-version-kindB@group: storage.k8s.io
+kind: CSIStorageCapacity
+version: v1beta1
+—	
+storage_v1beta1(replace the specified CSIStorageCapacity*1replaceStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ
+O
+Mbodybody 
*=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¾

+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity
+S
+201L
+J
+Created?
+=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+je
+x-kubernetes-group-version-kindB@kind: CSIStorageCapacity
+version: v1beta1
+group: storage.k8s.io
+*¹
+storage_v1beta1delete a CSIStorageCapacity*0deleteStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+je
+x-kubernetes-group-version-kindB@version: v1beta1
+group: storage.k8s.io
+kind: CSIStorageCapacity
+B­
+storage_v1beta11partially update the specified CSIStorageCapacity*/patchStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Ji
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@version: v1beta1
+group: storage.k8s.io
+kind: CSIStorageCapacity
+j
+x-kubernetes-actionpatch
+J?
+=;"9
pathname of the CSIStorageCapacity"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ö]
+./api/v1/namespaces/{namespace}/serviceaccounts£]Ž&
+core_v1,list or watch objects of kind ServiceAccount*"listCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ja
+
+401
+
+Unauthorized
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.core.v1.ServiceAccountListRhttpsjP
+x-kubernetes-group-version-kind-+version: v1
+group: ""
+kind: ServiceAccount
+j
+x-kubernetes-actionlist
+"ƒ	
+core_v1create a ServiceAccount*$createCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BE
+C
+Abodybody 
*1
+/#/definitions/io.k8s.api.core.v1.ServiceAccountBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jð

+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+G
+201@
+>
+Created3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+H
+202A
+?
+Accepted3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jP
+x-kubernetes-group-version-kind-+kind: ServiceAccount
+version: v1
+group: ""
+*Ö,
+core_v1#delete collection of ServiceAccount*.deleteCoreV1CollectionNamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jP
+x-kubernetes-group-version-kind-+group: ""
+kind: ServiceAccount
+version: v1
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Á
+/api/v1/nodes/{name}/proxy¢Œ
+core_v1%connect GET requests to proxy of Node*connectCoreV1GetNodeProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-kind: NodeProxyOptions
+version: v1
+group: ""
+Œ
+core_v1%connect PUT requests to proxy of Node*connectCoreV1PutNodeProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+"Ž
+core_v1&connect POST requests to proxy of Node*connectCoreV1PostNodeProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsj!
+x-kubernetes-action
+connect
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+*’
+core_v1(connect DELETE requests to proxy of Node*connectCoreV1DeleteNodeProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+2”
+core_v1)connect OPTIONS requests to proxy of Node*connectCoreV1OptionsNodeProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+:Ž
+core_v1&connect HEAD requests to proxy of Node*connectCoreV1HeadNodeProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: NodeProxyOptions
+version: v1
+j!
+x-kubernetes-action
+connect
+B�
+core_v1'connect PATCH requests to proxy of Node*connectCoreV1PatchNodeProxy2*/*:*/*J7
+
+200
+
+OK
+²

+string
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-kind: NodeProxyOptions
+version: v1
+group: ""
+j!
+x-kubernetes-action
+connect
+J=
+;9"7
pathname of the NodeProxyOptions"name*string˜

Jb
+`^\queryBPath is the URL path to use for the current proxy request to node."path2string 

­`
+F/apis/flowcontrol.apiserver.k8s.io/v1beta1/prioritylevelconfigurationsâ_‰'
+flowcontrolApiserver_v1beta18list or watch objects of kind PriorityLevelConfiguration*9listFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jy
+
+401
+
+Unauthorized
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationListRhttpsj{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+j
+x-kubernetes-actionlist
+"Æ
+
+flowcontrolApiserver_v1beta1#create a PriorityLevelConfiguration*;createFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B]
+[
+Ybodybody 
*I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¸
+Z
+200S
+Q
+OKK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+_
+201X
+V
+CreatedK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+`
+202Y
+W
+AcceptedK
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j{
+x-kubernetes-group-version-kindXVversion: v1beta1
+group: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+*¹-
+flowcontrolApiserver_v1beta1/delete collection of PriorityLevelConfiguration*EdeleteFlowcontrolApiserverV1beta1CollectionPriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+j{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¤(
+//apis/policy/v1beta1/watch/poddisruptionbudgetsð'ä
+policy_v1beta1watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.*9watchPolicyV1beta1PodDisruptionBudgetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j^
+x-kubernetes-group-version-kind;9group: policy
+kind: PodDisruptionBudget
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

î]
+?/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolesª]—&
+rbacAuthorization_v1"list or watch objects of kind Role*%listRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

JW
+
+401
+
+Unauthorized
+<
+2005
+3
+OK-
++
+)#/definitions/io.k8s.api.rbac.v1.RoleListRhttpsj]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+j
+x-kubernetes-actionlist
+"î
+rbacAuthorization_v1
create a Role*'createRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B;
+9
+7bodybody 
*'
+%#/definitions/io.k8s.api.rbac.v1.RoleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÒ

+
+401
+
+Unauthorized
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.rbac.v1.Role
+=
+2016
+4
+Created)
+'
+%#/definitions/io.k8s.api.rbac.v1.Role
+>
+2027
+5
+Accepted)
+'
+%#/definitions/io.k8s.api.rbac.v1.RoleRhttpsj
+x-kubernetes-actionpost
+j]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+*é,
+rbacAuthorization_v1delete collection of Role*1deleteRbacAuthorizationV1CollectionNamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io
+kind: Role
+version: v1
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

’(
+./apis/discovery.k8s.io/v1/watch/endpointslicesß'Ó
+discovery_v1ywatch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.*1watchDiscoveryV1EndpointSliceListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j]
+x-kubernetes-group-version-kind:8group: discovery.k8s.io
+kind: EndpointSlice
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

¥]
+)/apis/networking.k8s.io/v1/ingressclasses÷\�&
+
networking_v1*list or watch objects of kind IngressClass*listNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.networking.v1.IngressClassList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+"Ÿ	
+
networking_v1create an IngressClass*createNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.networking.v1.IngressClassBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jü

+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.networking.v1.IngressClass
+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.networking.v1.IngressClass
+L
+202E
+C
+Accepted7
+5
+3#/definitions/io.k8s.api.networking.v1.IngressClass
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+j
+x-kubernetes-actionpost
+*á,
+
networking_v1!delete collection of IngressClass*(deleteNetworkingV1CollectionIngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+j*
+x-kubernetes-actiondeletecollection
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ž)
+2/api/v1/namespaces/{namespace}/podtemplates/{name}ç(é
+core_v1read the specified PodTemplate*readCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jM
+x-kubernetes-group-version-kind*(version: v1
+group: ""
+kind: PodTemplate
+´
+core_v1!replace the specified PodTemplate*"replaceCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB
+@
+>bodybody 
*.
+,#/definitions/io.k8s.api.core.v1.PodTemplateBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J 

+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+D
+201=
+;
+Created0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jM
+x-kubernetes-group-version-kind*(group: ""
+kind: PodTemplate
+version: v1
+*é
+core_v1delete a PodTemplate*!deleteCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J¡

+E
+202>
+<
+Accepted0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+
+401
+
+Unauthorized
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplateRhttpsj 
+x-kubernetes-action	delete
+jM
+x-kubernetes-group-version-kind*(group: ""
+kind: PodTemplate
+version: v1
+Bè
+core_v1*partially update the specified PodTemplate* patchCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JZ
+?
+2008
+6
+OK0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+
+401
+
+UnauthorizedRhttpsjM
+x-kubernetes-group-version-kind*(version: v1
+group: ""
+kind: PodTemplate
+j
+x-kubernetes-actionpatch
+J8
+64"2
pathname of the PodTemplate"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ù(
+-/api/v1/namespaces/{namespace}/secrets/{name}§(Õ
+core_v1read the specified Secret*readCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JU
+:
+2003
+1
+OK+
+)
+'#/definitions/io.k8s.api.core.v1.Secret
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jH
+x-kubernetes-group-version-kind%#kind: Secret
+version: v1
+group: ""
+–
+core_v1replace the specified Secret*replaceCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B=
+;
+9bodybody 
*)
+'#/definitions/io.k8s.api.core.v1.SecretBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J–

+:
+2003
+1
+OK+
+)
+'#/definitions/io.k8s.api.core.v1.Secret
+?
+2018
+6
+Created+
+)
+'#/definitions/io.k8s.api.core.v1.Secret
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jH
+x-kubernetes-group-version-kind%#group: ""
+kind: Secret
+version: v1
+*ô
+core_v1delete a Secret*deleteCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jH
+x-kubernetes-group-version-kind%#version: v1
+group: ""
+kind: Secret
+BÔ
+core_v1%partially update the specified Secret*patchCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JU
+:
+2003
+1
+OK+
+)
+'#/definitions/io.k8s.api.core.v1.Secret
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jH
+x-kubernetes-group-version-kind%#group: ""
+kind: Secret
+version: v1
+J3
+1/"-
pathname of the Secret"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‰(
+$/api/v1/watch/persistentvolumeclaimsà'Ô
+core_v1�
watch individual changes to a list of PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead.*4watchCoreV1PersistentVolumeClaimListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: PersistentVolumeClaim
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ã
+>/apis/apiregistration.k8s.io/v1beta1/apiservices/{name}/statusۃ
+apiregistration_v1beta1'read status of the specified APIService**readApiregistrationV1beta1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J~
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+j
+x-kubernetes-actionget
+Ü	
+apiregistration_v1beta1*replace status of the specified APIService*-replaceApiregistrationV1beta1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bf
+d
+bbodybody 
*R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jè

+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+h
+201a
+_
+CreatedT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+j
+x-kubernetes-actionput
+BÈ
+apiregistration_v1beta13partially update status of the specified APIService*+patchApiregistrationV1beta1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J~
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+
+401
+
+UnauthorizedRhttpsje
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+j
+x-kubernetes-actionpatch
+J7
+53"1
pathname of the APIService"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ü&
+/api/v1/secretsÈ&¼
+core_v1$list or watch objects of kind Secret* listCoreV1SecretForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JY
+>
+2007
+5
+OK/
+-
++#/definitions/io.k8s.api.core.v1.SecretList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jH
+x-kubernetes-group-version-kind%#kind: Secret
+version: v1
+group: ""
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ê^
+A/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies„^«&
+
networking_v1+list or watch objects of kind NetworkPolicy*'listNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jf
+K
+200D
+B
+OK<
+:
+8#/definitions/io.k8s.api.networking.v1.NetworkPolicyList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j^
+x-kubernetes-group-version-kind;9kind: NetworkPolicy
+version: v1
+group: networking.k8s.io
+"¯	
+
networking_v1create a NetworkPolicy*)createNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ
+H
+Fbodybody 
*6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicyBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jÿ

+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicy
+L
+201E
+C
+Created8
+6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicy
+M
+202F
+D
+Accepted8
+6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicy
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+j^
+x-kubernetes-group-version-kind;9group: networking.k8s.io
+kind: NetworkPolicy
+version: v1
+*î,
+
networking_v1"delete collection of NetworkPolicy*3deleteNetworkingV1CollectionNamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj^
+x-kubernetes-group-version-kind;9group: networking.k8s.io
+kind: NetworkPolicy
+version: v1
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¢
+'/api/v1/persistentvolumes/{name}/statusöƒ
+core_v1-read status of the specified PersistentVolume* readCoreV1PersistentVolumeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+Ø
+core_v10replace status of the specified PersistentVolume*#replaceCoreV1PersistentVolumeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG
+E
+Cbodybody 
*3
+1#/definitions/io.k8s.api.core.v1.PersistentVolumeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jª

+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+I
+201B
+@
+Created5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+
+401
+
+UnauthorizedRhttpsjR
+x-kubernetes-group-version-kind/-group: ""
+kind: PersistentVolume
+version: v1
+j
+x-kubernetes-actionput
+B‚
+core_v19partially update status of the specified PersistentVolume*!patchCoreV1PersistentVolumeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jR
+x-kubernetes-group-version-kind/-kind: PersistentVolume
+version: v1
+group: ""
+J=
+;9"7
pathname of the PersistentVolume"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ð*
+;/apis/rbac.authorization.k8s.io/v1beta1/clusterroles/{name}�*¤
+rbacAuthorization_v1beta1read the specified ClusterRole*'readRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J_
+
+401
+
+Unauthorized
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleRhttpsj
+x-kubernetes-actionget
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1beta1
+ù
+rbacAuthorization_v1beta1!replace the specified ClusterRole**replaceRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG
+E
+Cbodybody 
*3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jª

+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole
+I
+201B
+@
+Created5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1beta1
+*¹
+rbacAuthorization_v1beta1delete a ClusterRole*)deleteRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+ji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1beta1
+B£
+rbacAuthorization_v1beta1*partially update the specified ClusterRole*(patchRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole
+
+401
+
+UnauthorizedRhttpsji
+x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io
+kind: ClusterRole
+version: v1beta1
+j
+x-kubernetes-actionpatch
+J8
+64"2
pathname of the ClusterRole"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ó)
+0/apis/storage.k8s.io/v1/volumeattachments/{name}ž)ˆ
+
+storage_v1#read the specified VolumeAttachment*readStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jb
+
+401
+
+Unauthorized
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentRhttpsj^
+x-kubernetes-group-version-kind;9group: storage.k8s.io
+kind: VolumeAttachment
+version: v1
+j
+x-kubernetes-actionget
+ã
+
+storage_v1&replace the specified VolumeAttachment* replaceStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ
+H
+Fbodybody 
*6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J°

+L
+201E
+C
+Created8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+
+401
+
+Unauthorized
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentRhttpsj
+x-kubernetes-actionput
+j^
+x-kubernetes-group-version-kind;9group: storage.k8s.io
+kind: VolumeAttachment
+version: v1
+*�
+
+storage_v1delete a VolumeAttachment*deleteStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J±

+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+M
+202F
+D
+Accepted8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+j^
+x-kubernetes-group-version-kind;9version: v1
+group: storage.k8s.io
+kind: VolumeAttachment
+B‡
+
+storage_v1/partially update the specified VolumeAttachment*patchStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jb
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j^
+x-kubernetes-group-version-kind;9group: storage.k8s.io
+kind: VolumeAttachment
+version: v1
+J=
+;9"7
pathname of the VolumeAttachment"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

§'
+/api/v1/replicationcontrollers„'ø
+core_v13list or watch objects of kind ReplicationController*/listCoreV1ReplicationControllerForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jh
+M
+200F
+D
+OK>
+<
+:#/definitions/io.k8s.api.core.v1.ReplicationControllerList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jW
+x-kubernetes-group-version-kind42group: ""
+kind: ReplicationController
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ö\
+%/apis/storage.k8s.io/v1beta1/csinodesÌ\‘&
+storage_v1beta1%list or watch objects of kind CSINode*listStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Jb
+
+401
+
+Unauthorized
+G
+200@
+>
+OK8
+6
+4#/definitions/io.k8s.api.storage.v1beta1.CSINodeListRhttpsj
+x-kubernetes-actionlist
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: CSINode
+version: v1beta1
+"‰	
+storage_v1beta1create a CSINode*createStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF
+D
+Bbodybody 
*2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINodeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jó

+
+401
+
+Unauthorized
+C
+200<
+:
+OK4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINode
+H
+201A
+?
+Created4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINode
+I
+202B
+@
+Accepted4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINodeRhttpsj
+x-kubernetes-actionpost
+jZ
+x-kubernetes-group-version-kind75version: v1beta1
+group: storage.k8s.io
+kind: CSINode
+*Ø,
+storage_v1beta1delete collection of CSINode*%deleteStorageV1beta1CollectionCSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jZ
+x-kubernetes-group-version-kind75group: storage.k8s.io
+kind: CSINode
+version: v1beta1
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ê
+/apis/storage.k8s.io/v1/ÍÊ
+
+storage_v1get available resources*getStorageV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsÔ)
+I/apis/apiextensions.k8s.io/v1beta1/watch/customresourcedefinitions/{name}†)³
+apiextensions_v1beta1¿
watch changes to an object of kind CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*1watchApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj
+x-kubernetes-actionwatch
+jq
+x-kubernetes-group-version-kindNLversion: v1beta1
+group: apiextensions.k8s.io
+kind: CustomResourceDefinition
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JE
+CA"?
path$name of the CustomResourceDefinition"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

†_
+0/apis/apiregistration.k8s.io/v1beta1/apiservicesÑ^Ó&
+apiregistration_v1beta1(list or watch objects of kind APIService*$listApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J‚

+g
+200`
+^
+OKX
+V
+T#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+je
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+"«
+
+apiregistration_v1beta1create an APIService*&createApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bf
+d
+bbodybody 
*R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÓ
+
+401
+
+Unauthorized
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+h
+201a
+_
+CreatedT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+i
+202b
+`
+AcceptedT
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceRhttpsje
+x-kubernetes-group-version-kindB@version: v1beta1
+kind: APIService
+group: apiregistration.k8s.io
+j
+x-kubernetes-actionpost
+*ù,
+apiregistration_v1beta1delete collection of APIService*0deleteApiregistrationV1beta1CollectionAPIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj*
+x-kubernetes-actiondeletecollection
+je
+x-kubernetes-group-version-kindB@group: apiregistration.k8s.io
+version: v1beta1
+kind: APIService
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

à'
+/apis/apps/v1/watch/daemonsets½'±
+apps_v1uwatch individual changes to a list of DaemonSet. deprecated: use the 'watch' parameter with a list operation instead.*(watchAppsV1DaemonSetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jM
+x-kubernetes-group-version-kind*(group: apps
+kind: DaemonSet
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

š
+N/apis/authorization.k8s.io/v1/namespaces/{namespace}/localsubjectaccessreviewsÇ"×
+authorization_v1!create a LocalSubjectAccessReview*7createAuthorizationV1NamespacedLocalSubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX
+V
+Tbodybody 
*D
+B#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReviewJ©
+[
+202T
+R
+AcceptedF
+D
+B#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReview
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReview
+Z
+201S
+Q
+CreatedF
+D
+B#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReviewRhttpsj
+x-kubernetes-actionpost
+jl
+x-kubernetes-group-version-kindIGgroup: authorization.k8s.io
+kind: LocalSubjectAccessReview
+version: v1
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ò
+/apis/apiregistration.k8s.io/ÐÍ
+apiregistrationget information of a group*getApiregistrationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsì
+/apis/batch/v1beta1/ÓÐ
+
batch_v1beta1get available resources*getBatchV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsø
+9/apis/apiregistration.k8s.io/v1/apiservices/{name}/statusºµ
+apiregistration_v1'read status of the specified APIService*%readApiregistrationV1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jy
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+
+401
+
+UnauthorizedRhttpsj`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+j
+x-kubernetes-actionget
+¾	
+apiregistration_v1*replace status of the specified APIService*(replaceApiregistrationV1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ba
+_
+]bodybody 
*M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÞ

+
+401
+
+Unauthorized
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+c
+201\
+Z
+CreatedO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceRhttpsj
+x-kubernetes-actionput
+j`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+B´
+apiregistration_v13partially update status of the specified APIService*&patchApiregistrationV1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jy
+^
+200W
+U
+OKO
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+j`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+J7
+53"1
pathname of the APIService"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ì
+/apis/authorization.k8s.io/ÌÉ
+
authorizationget information of a group*getAuthorizationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi
+N
+200G
+E
+OK?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+
+401
+
+UnauthorizedRhttpsá(
+0/apis/node.k8s.io/v1/watch/runtimeclasses/{name}¬(å
+node_v1³
watch changes to an object of kind RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jW
+x-kubernetes-group-version-kind42kind: RuntimeClass
+version: v1
+group: node.k8s.io
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J9
+75"3
pathname of the RuntimeClass"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ÿ'
+./apis/node.k8s.io/v1beta1/watch/runtimeclassesÌ'À
+node_v1beta1xwatch individual changes to a list of RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead.* watchNodeV1beta1RuntimeClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j\
+x-kubernetes-group-version-kind97group: node.k8s.io
+kind: RuntimeClass
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

’'
+/api/v1/nodes/{name}ù&Ã
+core_v1read the specified Node*readCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+€
+core_v1replace the specified Node*replaceCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B;
+9
+7bodybody 
*'
+%#/definitions/io.k8s.api.core.v1.NodeBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J’

+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+=
+2016
+4
+Created)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+
+401
+
+UnauthorizedRhttpsjF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+j
+x-kubernetes-actionput
+*ä
+core_v1
delete a Node*deleteCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjF
+x-kubernetes-group-version-kind#!group: ""
+kind: Node
+version: v1
+j 
+x-kubernetes-action	delete
+BÂ
+core_v1#partially update the specified Node*patchCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JS
+8
+2001
+/
+OK)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jF
+x-kubernetes-group-version-kind#!kind: Node
+version: v1
+group: ""
+J1
+/-"+
pathname of the Node"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ú
+/apis/apps/v1/ÇÄ
+apps_v1get available resources*getAppsV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsï
+
+2/apis/authorization.k8s.io/v1/subjectaccessreviews¸
+"ª
+authorization_v1create a SubjectAccessReview*(createAuthorizationV1SubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BS
+Q
+Obodybody 
*?
+=#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewJš
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview
+U
+201N
+L
+CreatedA
+?
+=#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview
+V
+202O
+M
+AcceptedA
+?
+=#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpost
+jg
+x-kubernetes-group-version-kindDBversion: v1
+group: authorization.k8s.io
+kind: SubjectAccessReview
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

—
+7/apis/authorization.k8s.io/v1beta1/subjectaccessreviewsÛ
+"Í
+authorization_v1beta1create a SubjectAccessReview*-createAuthorizationV1beta1SubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX
+V
+Tbodybody 
*D
+B#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewJ©
+[
+202T
+R
+AcceptedF
+D
+B#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReview
+
+401
+
+Unauthorized
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReview
+Z
+201S
+Q
+CreatedF
+D
+B#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewRhttpsjl
+x-kubernetes-group-version-kindIGkind: SubjectAccessReview
+version: v1beta1
+group: authorization.k8s.io
+j
+x-kubernetes-actionpost
+Jž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

J–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

æ)
+:/apis/batch/v1beta1/namespaces/{namespace}/cronjobs/{name}§)ó
+
batch_v1beta1read the specified CronJob*!readBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+Â
+
batch_v1beta1replace the specified CronJob*$replaceBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD
+B
+@bodybody 
*0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJobBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¤

+F
+201?
+=
+Created2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+
+401
+
+Unauthorized
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJobRhttpsj
+x-kubernetes-actionput
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+*‹
+
batch_v1beta1delete a CronJob*#deleteBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+
+401
+
+Unauthorized
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+j 
+x-kubernetes-action	delete
+Bò
+
batch_v1beta1&partially update the specified CronJob*"patchBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J\
+A
+200:
+8
+OK2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jQ
+x-kubernetes-group-version-kind.,group: batch
+kind: CronJob
+version: v1beta1
+J4
+20".
pathname of the CronJob"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

¸(
+</apis/rbac.authorization.k8s.io/v1/watch/clusterrolebindings÷'ë
+rbacAuthorization_v1~watch individual changes to a list of ClusterRoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*.watchRbacAuthorizationV1ClusterRoleBindingList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jk
+x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Ì(
+A/apis/rbac.authorization.k8s.io/v1beta1/watch/clusterrolebindings†(ú
+rbacAuthorization_v1beta1~watch individual changes to a list of ClusterRoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*3watchRbacAuthorizationV1beta1ClusterRoleBindingList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jp
+x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

�)
+//api/v1/namespaces/{namespace}/endpoints/{name}Û(á
+core_v1read the specified Endpoints*readCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Endpoints
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+¨
+core_v1replace the specified Endpoints* replaceCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@
+>
+<bodybody 
*,
+*#/definitions/io.k8s.api.core.v1.EndpointsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jœ

+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Endpoints
+B
+201;
+9
+Created.
+,
+*#/definitions/io.k8s.api.core.v1.Endpoints
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+j
+x-kubernetes-actionput
+*û
+core_v1delete Endpoints*deleteCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+j 
+x-kubernetes-action	delete
+Bà
+core_v1(partially update the specified Endpoints*patchCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

JX
+=
+2006
+4
+OK.
+,
+*#/definitions/io.k8s.api.core.v1.Endpoints
+
+401
+
+UnauthorizedRhttpsjK
+x-kubernetes-group-version-kind(&group: ""
+kind: Endpoints
+version: v1
+j
+x-kubernetes-actionpatch
+J6
+42"0
pathname of the Endpoints"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Ì'
+/apis/batch/v1/watch/jobs®'¢
+batch_v1owatch individual changes to a list of Job. deprecated: use the 'watch' parameter with a list operation instead.*#watchBatchV1JobListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jH
+x-kubernetes-group-version-kind%#group: batch
+kind: Job
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ö)
+@/apis/events.k8s.io/v1beta1/namespaces/{namespace}/events/{name}±)ö
+events_v1beta1read the specified Event* readEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.events.v1beta1.Event
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionget
+jW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+Ã
+events_v1beta1replace the specified Event*#replaceEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.events.v1beta1.EventBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¢

+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.events.v1beta1.Event
+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.events.v1beta1.Event
+
+401
+
+UnauthorizedRhttpsjW
+x-kubernetes-group-version-kind42kind: Event
+version: v1beta1
+group: events.k8s.io
+j
+x-kubernetes-actionput
+*�
+events_v1beta1delete an Event*"deleteEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+Bõ
+events_v1beta1$partially update the specified Event*!patchEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.events.v1beta1.Event
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+J2
+0.",
pathname of the Event"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

‚+
+B/apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}»*“
+	policy_v1&read the specified PodDisruptionBudget*)readPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsjY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+j
+x-kubernetes-actionget
+ò
+	policy_v1)replace the specified PodDisruptionBudget*,replacePolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL
+J
+Hbodybody 
*8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J´

+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+N
+201G
+E
+Created:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+*£
+	policy_v1delete a PodDisruptionBudget*+deletePolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

J»

+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+R
+202K
+I
+Accepted=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj 
+x-kubernetes-action	delete
+jY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+B’
+	policy_v12partially update the specified PodDisruptionBudget**patchPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

Jd
+I
+200B
+@
+OK:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget
+
+401
+
+UnauthorizedRhttpsjY
+x-kubernetes-group-version-kind64group: policy
+kind: PodDisruptionBudget
+version: v1
+j
+x-kubernetes-actionpatch
+J@
+><":
pathname of the PodDisruptionBudget"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

×`
+E/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations�`’'
+admissionregistration_v1<list or watch objects of kind ValidatingWebhookConfiguration*9listAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J‚

+g
+200`
+^
+OKX
+V
+T#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jz
+x-kubernetes-group-version-kindWUversion: v1
+group: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+"é
+
+admissionregistration_v1'create a ValidatingWebhookConfiguration*;createAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bf
+d
+bbodybody 
*R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

JÓ
+c
+200\
+Z
+OKT
+R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration
+h
+201a
+_
+CreatedT
+R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration
+i
+202b
+`
+AcceptedT
+R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration
+
+401
+
+UnauthorizedRhttpsjz
+x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io
+kind: ValidatingWebhookConfiguration
+version: v1
+j
+x-kubernetes-actionpost
+*¸-
+admissionregistration_v13delete collection of ValidatingWebhookConfiguration*EdeleteAdmissionregistrationV1CollectionValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj*
+x-kubernetes-actiondeletecollection
+jz
+x-kubernetes-group-version-kindWUkind: ValidatingWebhookConfiguration
+version: v1
+group: admissionregistration.k8s.io
+JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

ø&
+/apis/apps/v1/replicasetsÚ&Î
+apps_v1(list or watch objects of kind ReplicaSet*$listAppsV1ReplicaSetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J]
+B
+200;
+9
+OK3
+1
+/#/definitions/io.k8s.api.apps.v1.ReplicaSetList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jN
+x-kubernetes-group-version-kind+)group: apps
+kind: ReplicaSet
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ƒ(
+//apis/networking.k8s.io/v1/watch/ingressclassesÏ'Ã
+
networking_v1xwatch individual changes to a list of IngressClass. deprecated: use the 'watch' parameter with a list operation instead.*!watchNetworkingV1IngressClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+j]
+x-kubernetes-group-version-kind:8group: networking.k8s.io
+kind: IngressClass
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ù
+/apis/coordination.k8s.io/v1/×Ô
+coordination_v1get available resources*getCoordinationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsº^
+?/apis/coordination.k8s.io/v1beta1/namespaces/{namespace}/leasesö]§&
+coordination_v1beta1#list or watch objects of kind Lease*&listCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Bï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

B±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

Je
+J
+200C
+A
+OK;
+9
+7#/definitions/io.k8s.api.coordination.v1beta1.LeaseList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+j]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+"¨	
+coordination_v1beta1create a Lease*(createCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI
+G
+Ebodybody 
*5
+3#/definitions/io.k8s.api.coordination.v1beta1.LeaseBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

Jü

+K
+201D
+B
+Created7
+5
+3#/definitions/io.k8s.api.coordination.v1beta1.Lease
+L
+202E
+C
+Accepted7
+5
+3#/definitions/io.k8s.api.coordination.v1beta1.Lease
+
+401
+
+Unauthorized
+F
+200?
+=
+OK7
+5
+3#/definitions/io.k8s.api.coordination.v1beta1.LeaseRhttpsj
+x-kubernetes-actionpost
+j]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+*ë,
+coordination_v1beta1delete collection of Lease*2deleteCoordinationV1beta1CollectionNamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT
+R
+Pbodybody*B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

Bž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

Bä
+áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer 

B‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Bú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

BÑ
+ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean 

Bˆ
+…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string 

Bû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

BÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Bž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

Jg
+L
+200E
+C
+OK=
+;
+9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status
+
+401
+
+UnauthorizedRhttpsj]
+x-kubernetes-group-version-kind:8group: coordination.k8s.io
+kind: Lease
+version: v1beta1
+j*
+x-kubernetes-actiondeletecollection
+J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

†(
+//apis/storage.k8s.io/v1/watch/volumeattachmentsÒ'Æ
+
+storage_v1|watch individual changes to a list of VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead.*"watchStorageV1VolumeAttachmentList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj#
+x-kubernetes-action
+watchlist
+j^
+x-kubernetes-group-version-kind;9group: storage.k8s.io
+kind: VolumeAttachment
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

ð
+>/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/scale­û
+apps_v1'read scale of the specified StatefulSet*$readAppsV1NamespacedStatefulSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+j
+x-kubernetes-actionget
+È
+apps_v1*replace scale of the specified StatefulSet*'replaceAppsV1NamespacedStatefulSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.autoscaling.v1.ScaleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¢

+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+j
+x-kubernetes-actionput
+Bú
+apps_v13partially update scale of the specified StatefulSet*%patchAppsV1NamespacedStatefulSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jP
+x-kubernetes-group-version-kind-+version: v1
+group: autoscaling
+kind: Scale
+J2
+0.",
pathname of the Scale"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

�'
+"/apis/events.k8s.io/v1beta1/eventsé&Ý
+events_v1beta1#list or watch objects of kind Event*&listEventsV1beta1EventForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J_
+D
+200=
+;
+OK5
+3
+1#/definitions/io.k8s.api.events.v1beta1.EventList
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionlist
+jW
+x-kubernetes-group-version-kind42group: events.k8s.io
+kind: Event
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‚
+ /apis/networking.k8s.io/v1beta1/ÝÚ
+networking_v1beta1get available resources* getNetworkingV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsê'
+(/apis/storage.k8s.io/v1/watch/csidrivers½'±
+
+storage_v1uwatch individual changes to a list of CSIDriver. deprecated: use the 'watch' parameter with a list operation instead.*watchStorageV1CSIDriverList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jW
+x-kubernetes-group-version-kind42group: storage.k8s.io
+kind: CSIDriver
+version: v1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

‚)
+8/apis/apiregistration.k8s.io/v1/watch/apiservices/{name}Å(€
+apiregistration_v1±
watch changes to an object of kind APIService. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.* watchApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+j`
+x-kubernetes-group-version-kind=;group: apiregistration.k8s.io
+version: v1
+kind: APIService
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J7
+53"1
pathname of the APIService"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

þ
+/apis/autoscaling/v2beta1/ßÜ
+autoscaling_v2beta1get available resources*!getAutoscalingV2beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsˆ
+"/apis/certificates.k8s.io/v1beta1/áÞ
+certificates_v1beta1get available resources*"getCertificatesV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp
+U
+200N
+L
+OKF
+D
+B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList
+
+401
+
+UnauthorizedRhttpsü)
+S/apis/flowcontrol.apiserver.k8s.io/v1beta1/watch/prioritylevelconfigurations/{name}¤)Ï
+flowcontrolApiserver_v1beta1Á
watch changes to an object of kind PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*:watchFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+
+401
+
+Unauthorized
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj{
+x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io
+kind: PriorityLevelConfiguration
+version: v1beta1
+j
+x-kubernetes-actionwatch
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JG
+EC"A
path&name of the PriorityLevelConfiguration"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

È)
+H/apis/rbac.authorization.k8s.io/v1beta1/watch/clusterrolebindings/{name}û(®
+rbacAuthorization_v1beta1¹
watch changes to an object of kind ClusterRoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*/watchRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jp
+x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io
+kind: ClusterRoleBinding
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J?
+=;"9
pathname of the ClusterRoleBinding"name*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

È)
+8/api/v1/watch/namespaces/{namespace}/podtemplates/{name}‹)ã
+core_v1²
watch changes to an object of kind PodTemplate. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.* watchCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionwatch
+jM
+x-kubernetes-group-version-kind*(version: v1
+group: ""
+kind: PodTemplate
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

J8
+64"2
pathname of the PodTemplate"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

é
+=/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale§ù
+apps_v1&read scale of the specified ReplicaSet*#readAppsV1NamespacedReplicaSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsjP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+j
+x-kubernetes-actionget
+Æ
+apps_v1)replace scale of the specified ReplicaSet*&replaceAppsV1NamespacedReplicaSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC
+A
+?bodybody 
*/
+-#/definitions/io.k8s.api.autoscaling.v1.ScaleBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B–
+“��queryê
fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint."fieldManager2string 

J¢

+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+E
+201>
+<
+Created1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionput
+jP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+Bø
+apps_v12partially update scale of the specified ReplicaSet*$patchAppsV1NamespacedReplicaSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN
+L
+Jbodybody 
*:
+8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž
+›˜•queryø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string 

B¯
+¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)."fieldManager2string 

BÎ

+Ë
È
Å
query¨
Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean 

J[
+@
+2009
+7
+OK1
+/
+-#/definitions/io.k8s.api.autoscaling.v1.Scale
+
+401
+
+UnauthorizedRhttpsj
+x-kubernetes-actionpatch
+jP
+x-kubernetes-group-version-kind-+group: autoscaling
+kind: Scale
+version: v1
+J2
+0.",
pathname of the Scale"name*string˜

J`
+^\"Z
path:object name and auth scope, such as for teams and projects"	namespace*string˜

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

š(
+4/apis/storage.k8s.io/v1beta1/watch/volumeattachmentsá'Õ
+storage_v1beta1|watch individual changes to a list of VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead.*'watchStorageV1beta1VolumeAttachmentList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk
+P
+200I
+G
+OKA
+?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent
+
+401
+
+UnauthorizedRhttpsj#
+x-kubernetes-action
+watchlist
+jc
+x-kubernetes-group-version-kind@>group: storage.k8s.io
+kind: VolumeAttachment
+version: v1beta1
+J‚
+ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean 

Jï	
+ì	é	æ	queryÇ	The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key".
+
+This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their fields. Defaults to everything."
fieldSelector2string 

J‡

+„
�
query\A selector to restrict the list of returned objects by their labels. Defaults to everything."
labelSelector2string 

Jú
+
+÷
+ô
+ñ
+queryÔ
+limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.
+
+The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer 

JO
+MKIquery-If 'true', then the output is pretty printed."pretty2string 

Jû

+ø
õ
ò
queryÌ
resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersion2string 

JÚ
+×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.
+
+Defaults to unset"resourceVersionMatch2string 

Jž

+›
˜
•
querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer 

J±

+®
«
¨
query‹
Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean 

J½÷0
+§
+"io.k8s.api.core.v1.NFSVolumeSource€"€
Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.š
serverš
path²

+objectÊ
Þ
+€

+pathx"kPath that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs²

+string
+Ã

+readOnly¶
"§
ReadOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs²
	
+boolean
+’

+server‡
"zServer is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs²

+string
+È

+$io.k8s.api.discovery.v1beta1.ForZoneŸ
"LForZone provides information about which zones should consume this endpoint.š
name²

+objectÊ
<
+:
+name2"%name represents the name of the zone.²

+string
+¦
+io.k8s.api.events.v1beta1.Event‚"¾Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. Events have a limited retention time and triggers and messages may evolve with time.  Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason.  Events should be treated as informative, best-effort, supplemental data.š
	eventTime²

+objectÊ
Æ
+|
+reasonr"ereason is why the action was taken. It is human-readable. This field can have at most 128 characters.²

+string
+Ñ

+relatedÅ

+0#/definitions/io.k8s.api.core.v1.ObjectReference"�
related is the optional secondary object for more complex actions. E.g. when regarding object triggers a creation or deletion of related object.
+¹

+reportingController¡
"“
reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. This field cannot be empty for new Events.²

+string
+¦

+action›
"�
action is what action was taken/failed regarding to the regarding object. It is machine-readable. This field can have at most 128 characters.²

+string
+ˆ

+deprecatedCountuint32"`deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.²
	
+integer
+¿

+deprecatedLastTimestamp£

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"hdeprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Á

+deprecatedFirstTimestamp¤

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"ideprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+—

+	eventTime‰

+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"IeventTime is the time when this Event was first observed. It is required.
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¦

+deprecatedSource‘

+,#/definitions/io.k8s.api.core.v1.EventSource"adeprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.
+¶
+	regarding¨
+0#/definitions/io.k8s.api.core.v1.ObjectReference"ó
regarding contains the object this Event is about. In most cases it's an Object reporting controller implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because it acts on some changes in a ReplicaSet object.
+Ÿ

+series”

+3#/definitions/io.k8s.api.events.v1beta1.EventSeries"]series is data about the Event series this event represents or nil if it's a singleton Event.
+½

+note´
"¦
note is a human-readable description of the status of this operation. Maximal length of the note is 1kB, but libraries should be prepared to handle values up to 64kB.²

+string
+Â

+reportingInstance¬
"ž
reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. This field cannot be empty for new Events and it can have at most 128 characters.²

+string
+†

+type~"qtype is the type of this event (Normal, Warning), new types could be added in the future. It is machine-readable.²

+stringú
]
+x-kubernetes-group-version-kind:8- group: events.k8s.io
+  kind: Event
+  version: v1beta1
+
+î
+?io.k8s.api.certificates.v1beta1.CertificateSigningRequestStatusª²

+objectÊ
›
+˜

+certificateˆ
byte"OIf request was approved, the controller will place the issued certificate here.²

+stringú
#
+x-kubernetes-list-type	atomic
+
+ý

+
+conditionsî
">Conditions applied to the request, such as approval or denial.²

+arrayº
T
+R
+P#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestConditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+
+®
+
+"io.k8s.api.core.v1.ComponentStatus‡
+"yComponentStatus (and ComponentStatusList) holds the cluster validation info. Deprecated: This API is deprecated in v1.19+²

+objectÊ
£
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Î

+
+conditions¿
"%List of component conditions observed²

+arrayº
7
+5
+3#/definitions/io.k8s.api.core.v1.ComponentConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
W
+x-kubernetes-group-version-kind42- group: ""
+  kind: ComponentStatus
+  version: v1
+
+˜
+*io.k8s.api.core.v1.NodeSelectorRequirementé"wA node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.š
keyš
operator²

+objectÊ
Ð
+û
+valuesð"ÓAn array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.²

+arrayº

+²

+string
+?
+key8"+The label key that the selector applies to.²

+string
+Ž

+operator�
"tRepresents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.²

+string
+’5
+'io.k8s.api.core.v1.PersistentVolumeSpecæ4"APersistentVolumeSpec is the specification of a persistent volume.²

+objectÊ
”4
+¥

+portworxVolume’

+5#/definitions/io.k8s.api.core.v1.PortworxVolumeSource"YPortworxVolume represents a portworx volume attached and mounted on kubelets host machine
+¦

+scaleIOš

+>#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource"XScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+�
+	storageosó

+@#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource"®
StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md
+î

+mountOptionsÝ
"À
A list of mount options, e.g. ["ro", "soft"]. Not validated - mount will simply fail if one is invalid. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options²

+arrayº

+²

+string
+Á

+nfs¹

+0#/definitions/io.k8s.api.core.v1.NFSVolumeSource"„
NFS represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+–

+cephfs‹

+=#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource"JCephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+½
+gcePersistentDisk§
+>#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"ä
GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ä

+nodeAffinityÓ

+3#/definitions/io.k8s.api.core.v1.VolumeNodeAffinity"›
NodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume.
+±
+awsElasticBlockStore˜
+A#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"Ò
AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+Ö
+claimRefÉ
+0#/definitions/io.k8s.api.core.v1.ObjectReference"”ClaimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding
+ª

+fc£

+/#/definitions/io.k8s.api.core.v1.FCVolumeSource"pFC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+í

+flockerá

+4#/definitions/io.k8s.api.core.v1.FlockerVolumeSource"¨
Flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running
+…
+	glusterfs÷

+@#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource"²
Glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md
+|
+locals
+2#/definitions/io.k8s.api.core.v1.LocalVolumeSource"=Local represents directly-attached storage with node affinity
+É

+
+volumeModeº
"¬
volumeMode defines if a volume is intended to be used with a formatted filesystem or to remain in raw block state. Value of Filesystem is implied when not included in spec.²

+string
+ð

+capacityã
"“
A description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+Ú

+cinderÏ

+=#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource"�
Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+�

+quobyteƒ

+4#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource"KQuobyte represents a Quobyte mount on the host that shares a pod's lifetime
+œ

+	azureDiskŽ

+6#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource"TAzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+Õ

+iscsiË

+<#/definitions/io.k8s.api.core.v1.ISCSIPersistentVolumeSource"Š
ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.
+¨

+storageClassName“
"…
Name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.²

+string
+¼

+accessModes¬
"�
AccessModes contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes²

+arrayº

+²

+string
+õ
+hostPathè
+5#/definitions/io.k8s.api.core.v1.HostPathVolumeSource"®HostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+Ó

+rbdË

+:#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource"Œ
RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md
+¶

+
+flexVolume§

+;#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource"hFlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.
+¼
+persistentVolumeReclaimPolicyš"ŒWhat happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming²

+string
+Î

+photonPersistentDiskµ

+A#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"pPhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+¬

+
vsphereVolumeš

+?#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"WVsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+©

+	azureFile›

+@#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource"WAzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+–

+csiŽ

+:#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource"PCSI represents storage that is handled by an external CSI driver (Beta feature).
+¶
+io.k8s.api.core.v1.Pod›"wPod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts.²

+objectÊ
Å
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ö

+specÍ

+(#/definitions/io.k8s.api.core.v1.PodSpec" 
Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+—
+statusŒ
+*#/definitions/io.k8s.api.core.v1.PodStatus"Ý
Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
K
+x-kubernetes-group-version-kind(&- kind: Pod
+  version: v1
+  group: ""
+
+—
+io.k8s.api.core.v1.PodConditionó"DPodCondition contains details for the current condition of this pod.š
typeš
status²

+objectÊ
Ž
+X
+messageM"@Human-readable message indicating details about last transition.²

+string
+^
+reasonT"GUnique, one-word, CamelCase reason for the condition's last transition.²

+string
+·

+status¬
"ž
Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions²

+string
+“

+typeŠ
"}Type is the type of the condition. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions²

+string
+n
+
lastProbeTime]
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time""Last time we probed the condition.
+‘

+lastTransitionTime{
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another.
+é
+/io.k8s.api.authentication.v1.TokenRequestStatusµ"4TokenRequestStatus is the result of a token request.š
tokenš
expirationTimestamp²

+objectÊ
Ò

+–

+expirationTimestamp
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"DExpirationTimestamp is the time of expiration of the returned token.
+7
+token."!Token is the opaque bearer token.²

+string
+©
+0io.k8s.api.autoscaling.v2beta2.MetricValueStatusô"6MetricValueStatus holds the current value for a metric²

+objectÊ
­
+ì

+averageUtilizationÕ
int32"¿
currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.²
	
+integer
+·

+averageValue¦

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"gaverageValue is the current value of the average of the metric across all relevant pods (as a quantity)
+�

+valuex
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"9value is the current value of the metric (as a quantity).
+¼
+!io.k8s.api.core.v1.SELinuxOptions–"<SELinuxOptions are the labels to be applied to the container²

+objectÊ
É
+Q
+levelH";Level is SELinux level label that applies to the container.²

+string
+P
+roleH";Role is a SELinux role label that applies to the container.²

+string
+P
+typeH";Type is a SELinux type label that applies to the container.²

+string
+P
+userH";User is a SELinux user label that applies to the container.²

+string
+à
+%io.k8s.api.discovery.v1.EndpointHints¶"KEndpointHints provides hints describing how an endpoint should be consumed.²

+objectÊ
Ú

+×

+forZonesÊ
"dforZones indicates the zone(s) this endpoint should be consumed by to enable topology aware routing.²

+arrayº
1
+/
+-#/definitions/io.k8s.api.discovery.v1.ForZoneú
#
+x-kubernetes-list-type	atomic
+
+ã
+Bio.k8s.api.certificates.v1beta1.CertificateSigningRequestConditionœš
type²

+objectÊ
†
+¶
+lastTransitionTimeŸ
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"ã
lastTransitionTime is the time the condition last transitioned from one status to another. If unset, when a new condition type is added or an existing condition's status is changed, the server defaults this to the current time.
+|
+lastUpdateTimej
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"/timestamp for the last update to this condition
+S
+messageH";human readable message with details about the request state²

+string
+9
+reason/""brief reason for the request state²

+string
+Ò

+statusÇ
"¹
Status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be "False" or "Unknown". Defaults to "True". If unset, should be treated as "True".²

+string
+h
+type`"Stype of the condition. Known conditions include "Approved", "Denied", and "Failed".²

+string
+„
+
+/io.k8s.api.core.v1.CephFSPersistentVolumeSourceÐ	"�
Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.š
monitors²

+objectÊ
¦
+¦

+monitors™
"}Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it²

+arrayº

+²

+string
+e
+path]"POptional: Used as the mounted root, rather than the full Ceph tree, default is /²

+string
+Î

+readOnlyÁ
"²
Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it²
	
+boolean
+¾

+
+secretFile¯
"¡
Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it²

+string
+æ

+	secretRefØ

+0#/definitions/io.k8s.api.core.v1.SecretReference"£
Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+˜

+user�
"�
Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it²

+string
+û
+io.k8s.api.core.v1.HandlerÜ"6Handler defines a specific action that should be taken²

+objectÊ
•
+‘

+	tcpSocketƒ

+0#/definitions/io.k8s.api.core.v1.TCPSocketAction"OTCPSocket specifies an action involving a TCP port. TCP hooks not yet supported
+‘

+execˆ

++#/definitions/io.k8s.api.core.v1.ExecAction"YOne and only one of the following should be specified. Exec specifies the action to take.
+k
+httpGet`
+.#/definitions/io.k8s.api.core.v1.HTTPGetAction".HTTPGet specifies the http request to perform.
+ç
+io.k8s.api.rbac.v1beta1.RoleRefÃ"?RoleRef contains information that points to the role being usedš
apiGroupš
kindš
name²

+objectÊ
Ú

+P
+apiGroupD"7APIGroup is the group for the resource being referenced²

+string
+B
+kind:"-Kind is the type of resource being referenced²

+string
+B
+name:"-Name is the name of resource being referenced²

+string
+Ù
+&io.k8s.api.storage.v1beta1.CSINodeSpec®"\CSINodeSpec holds information about the specification of all CSI drivers installed on a nodeš
drivers²

+objectÊ
·
+´
+drivers¨"Š
drivers is a list of information of all CSI Drivers existing on a node. If all drivers in the list are uninstalled, this can become empty.²

+arrayº
:
+8
+6#/definitions/io.k8s.api.storage.v1beta1.CSINodeDriverú
'
+x-kubernetes-patch-strategymerge
+ú
'
+x-kubernetes-patch-merge-keyname
+
+‚
+=io.k8s.api.certificates.v1beta1.CertificateSigningRequestListÀš
items²

+objectÊ
«
+a
+itemsX²

+arrayº
K
+I
+G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+I
+metadata=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
{
+x-kubernetes-group-version-kindXV- group: certificates.k8s.io
+  kind: CertificateSigningRequestList
+  version: v1beta1
+
+ô
+io.k8s.api.core.v1.Event×"‰Event is a report of an event somewhere in the cluster.  Events have a limited retention time and triggers and messages may evolve with time.  Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason.  Events should be treated as informative, best-effort, supplemental data.š
metadataš
involvedObject²

+objectÊ
Ð
+J
+countAint32",The number of times this event has occurred.²
	
+integer
+U
+messageJ"=A human-readable description of the status of this operation.²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+�

+source„

+,#/definitions/io.k8s.api.core.v1.EventSource"TThe component reporting this event. Should be a short machine understandable string.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+•

+
lastTimestampƒ

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"HThe time at which the most recent occurrence of this event was recorded.
+r
+relatedg
+0#/definitions/io.k8s.api.core.v1.ObjectReference"3Optional secondary object for more complex actions.
+p
+reportingComponentZ"MName of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.²

+string
+U
+reportingInstance@"3ID of the controller instance, e.g. `kubelet-xyzf`.²

+string
+Ž

+seriesƒ

+,#/definitions/io.k8s.api.core.v1.EventSeries"SData about the Event series this event represents or nil if it's a singleton Event.
+V
+actionL"?What action was taken/failed regarding to the Regarding object.²

+string
+a
+typeY"LType of this event (Normal, Warning), new types could be added in the future²

+string
+™

+reasonŽ
"€
This should be a short, machine understandable string that gives the reason for the transition into the object's current status.²

+string
+¦

+firstTimestamp“

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"XThe time at which the event was first recorded. (Time of server receipt is in TypeMeta.)
+j
+involvedObjectX
+0#/definitions/io.k8s.api.core.v1.ObjectReference"$The object that this event is about.
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+u
+	eventTimeh
+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"(Time when this Event was first observed.ú
M
+x-kubernetes-group-version-kind*(- kind: Event
+  version: v1
+  group: ""
+
+º
+.io.k8s.api.networking.v1beta1.IngressClassSpec‡"DIngressClassSpec provides information about the class of an Ingress.²

+objectÊ
²
+¦
+
+controller—"‰Controller refers to the name of the controller that should handle this class. This allows for different "flavors" that are controlled by the same controller. For example, you may have different Parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. "acme.io/ingress-controller". This field is immutable.²

+string
+†
+
+parameters÷

+K#/definitions/io.k8s.api.networking.v1beta1.IngressClassParametersReference"§
Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters.
+æ
+*io.k8s.api.discovery.v1.EndpointConditions·"CEndpointConditions represents the current condition of an endpoint.²

+objectÊ
ã
+Ó
+readyÉ"ºready indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint. A nil value indicates an unknown state. In most cases consumers should interpret this unknown state as ready. For compatibility reasons, ready should never be "true" for terminating endpoints.²
	
+boolean
+Ù
+servingÍ"¾serving is identical to ready except that it is set regardless of the terminating state of endpoints. This condition should be set to true for a ready endpoint that is terminating. If nil, consumers should defer to the ready condition. This field can be enabled with the EndpointSliceTerminatingCondition feature gate.²
	
+boolean
+®
+terminatingž"�terminating indicates that this endpoint is terminating. A nil value indicates an unknown state. Consumers should interpret this unknown state to mean that the endpoint is not terminating. This field can be enabled with the EndpointSliceTerminatingCondition feature gate.²
	
+boolean
+ë
+/io.k8s.api.discovery.v1beta1.EndpointConditions·"CEndpointConditions represents the current condition of an endpoint.²

+objectÊ
ã
+Ù
+servingÍ"¾serving is identical to ready except that it is set regardless of the terminating state of endpoints. This condition should be set to true for a ready endpoint that is terminating. If nil, consumers should defer to the ready condition. This field can be enabled with the EndpointSliceTerminatingCondition feature gate.²
	
+boolean
+®
+terminatingž"�terminating indicates that this endpoint is terminating. A nil value indicates an unknown state. Consumers should interpret this unknown state to mean that the endpoint is not terminating. This field can be enabled with the EndpointSliceTerminatingCondition feature gate.²
	
+boolean
+Ó
+readyÉ"ºready indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint. A nil value indicates an unknown state. In most cases consumers should interpret this unknown state as ready. For compatibility reasons, ready should never be "true" for terminating endpoints.²
	
+boolean
+°
+io.k8s.api.node.v1.Overhead�"ROverhead structure represents the resource overhead associated with running a pod.²

+objectÊ
­

+ª

+podFixed�
"NPodFixed represents the fixed resource overhead associated with running a pod.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+Ó
+3io.k8s.api.authentication.v1beta1.TokenReviewStatus›"DTokenReviewStatus is the result of the token authentication request.²

+objectÊ
Æ
+’
+	audiences„"çAudiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is "true", the token is valid against the audience of the Kubernetes API server.²

+arrayº

+²

+string
+g
+
authenticatedV"HAuthenticated indicates that the token was associated with a known user.²
	
+boolean
+H
+error?"2Error indicates that the token couldn't be checked²

+string
+|
+usert
+8#/definitions/io.k8s.api.authentication.v1beta1.UserInfo"8User is the UserInfo associated with the provided token.
+ó
+=io.k8s.api.certificates.v1.CertificateSigningRequestCondition±"^CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest objectš
typeš
status²

+objectÊ
²
+f
+message["Nmessage contains a human readable message with details about the request state²

+string
+L
+reasonB"5reason indicates a brief reason for the request state²

+string
+–

+status‹
"~status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be "False" or "Unknown".²

+string
+˜
+type�"�type of the condition. Known conditions are "Approved", "Denied", and "Failed".
+
+An "Approved" condition is added via the /approval subresource, indicating the request was approved and should be issued by the signer.
+
+A "Denied" condition is added via the /approval subresource, indicating the request was denied and should not be issued by the signer.
+
+A "Failed" condition is added via the /status subresource, indicating the signer failed to issue the certificate.
+
+Approved and Denied conditions are mutually exclusive. Approved, Denied, and Failed conditions cannot be removed once added.
+
+Only one condition of a given type is allowed.²

+string
+¶
+lastTransitionTimeŸ
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"ã
lastTransitionTime is the time the condition last transitioned from one status to another. If unset, when a new condition type is added or an existing condition's status is changed, the server defaults this to the current time.
+Œ

+lastUpdateTimez
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"?lastUpdateTime is the time of the last update to this condition
+à	
+!io.k8s.api.core.v1.LimitRangeListº	"-LimitRangeList is a list of LimitRange items.š
items²

+objectÊ
›
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+É

+items¿
"€
Items is a list of LimitRange objects. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/²

+arrayº
/
+-
++#/definitions/io.k8s.api.core.v1.LimitRange
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
V
+x-kubernetes-group-version-kind31- group: ""
+  kind: LimitRangeList
+  version: v1
+
+¤,
+5io.k8s.api.admissionregistration.v1.ValidatingWebhookê+"`ValidatingWebhook describes an admission webhook and the resources and operations it applies to.š
nameš
clientConfigš
sideEffectsš
admissionReviewVersions²

+objectÊ
»*
+õ
+sideEffectså"×SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.²

+string
+œ
+timeoutSeconds‰int32"ó
TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.²
	
+integer
+–
+admissionReviewVersionsú"ÝAdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.²

+arrayº

+²

+string
+¬

+
failurePolicyš
"Œ
FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.²

+string
+ç

+nameÞ
"Ð
The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.²

+string
+é
+objectSelectorÖ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‘ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
+é
+rulesß"‡Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.²

+arrayº
H
+F
+D#/definitions/io.k8s.api.admissionregistration.v1.RuleWithOperations
+™

+clientConfigˆ

+E#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig"?ClientConfig defines how to communicate with the hook. Required
+œ
+matchPolicyŒ"þmatchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
+
+- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+
+- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+
+Defaults to "Equivalent"²

+string
+Ü	
+namespaceSelectorÆ	
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"�	NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
+
+For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
+  "matchExpressions": [
+    {
+      "key": "runlevel",
+      "operator": "NotIn",
+      "values": [
+        "0",
+        "1"
+      ]
+    }
+  ]
+}
+
+If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
+  "matchExpressions": [
+    {
+      "key": "environment",
+      "operator": "In",
+      "values": [
+        "prod",
+        "staging"
+      ]
+    }
+  ]
+}
+
+See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
+
+Default to the empty LabelSelector, which matches everything.
+ï
+io.k8s.api.batch.v1.CronJobListË")CronJobList is a collection of cron jobs.š
items²

+objectÊ
°
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+c
+itemsZ"items is the list of CronJobs.²

+arrayº
-
++
+)#/definitions/io.k8s.api.batch.v1.CronJob
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
V
+x-kubernetes-group-version-kind31- group: batch
+  kind: CronJobList
+  version: v1
+
+·
+2io.k8s.api.flowcontrol.v1beta1.FlowSchemaCondition€":FlowSchemaCondition describes conditions for a FlowSchema.²

+objectÊ
µ
+®

+lastTransitionTime—

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"\`lastTransitionTime` is the last time the condition transitioned from one status to another.
+g
+message\"O`message` is a human-readable message indicating details about last transition.²

+string
+l
+reasonb"U`reason` is a unique, one-word, CamelCase reason for the condition's last transition.²

+string
+f
+status\"O`status` is the status of the condition. Can be True, False, Unknown. Required.²

+string
+C
+type;".`type` is the type of the condition. Required.²

+string
+…
+)io.k8s.api.policy.v1beta1.AllowedHostPath×"�
AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.²

+objectÊ
¶
+­
+
+pathPrefixž"�pathPrefix is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.
+
+Examples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`²

+string
+ƒ

+readOnlyw"iwhen set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.²
	
+boolean
+ã	
+1io.k8s.api.policy.v1beta1.PodDisruptionBudgetSpec­	"BPodDisruptionBudgetSpec is a description of a PodDisruptionBudget.²

+objectÊ
Ú
+ð
+maxUnavailableÝ
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"›An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".
+Ç
+minAvailable¶
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"ô
An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod.  So for example you can prevent all voluntary evictions by specifying "100%".
+š
+selector�
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"œLabel query over pods whose evictions are managed by the disruption budget. A null selector selects no pods. An empty selector ({}) also selects no pods, which differs from standard behavior of selecting all pods. In policy/v1, an empty selector will select all pods in the namespace.ú
)
+x-kubernetes-patch-strategy
+replace
+
+­
+/io.k8s.api.autoscaling.v2beta2.MetricIdentifierù"FMetricIdentifier defines the name and optionally selector for a metricš
name²

+objectÊ
›
+9
+name1"$name is the name of the given metric²

+string
+Ý
+selectorÐ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‹selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.
+ˆ
+2io.k8s.api.core.v1.GlusterfsPersistentVolumeSourceÑ"‹
Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.š
	endpointsš
path²

+objectÊ
¡
+•
+endpointsNamespaceþ
"ð
EndpointsNamespace is the namespace that contains Glusterfs endpoint. If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod²

+string
+ƒ

+path{"nPath is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod²

+string
+Ò

+readOnlyÅ
"¶
ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod²
	
+boolean
+«

+	endpoints�
"�
EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod²

+string
+�
+Lio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig¼
"WWebhookClientConfig contains the information to make a TLS connection with the webhook.²

+objectÊ
Ô
+ò
+urlê"Üurl gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
+
+The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
+
+Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
+
+The scheme must be "https"; the URL must begin with "https://".
+
+A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
+
+Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.²

+string
+Ã

+caBundle¶
byte"¢
caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.²

+string
+–
+serviceŠ
+W#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference"®
service is a reference to the service for this webhook. Either service or url must be specified.
+
+If the webhook is running within the cluster, then you should use `service`.
+ú
+Vio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceValidationŸ"MCustomResourceValidation is a list of validation methods for CustomResources.²

+objectÊ
Á

+¾

+openAPIV3Schemaª

+[#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps"KopenAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
+š
+0io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceå"JAPIResource specifies the name of a resource and whether it is namespaced.š
nameš
singularNameš

+namespacedš
kindš
verbs²

+objectÊ
Ø
+h
+
+shortNamesZ">shortNames is a list of suggested short names of the resource.²

+arrayº

+²

+string
+Ì
+storageVersionHashµ"§The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.²

+string
+«

+verbs¡
"„
verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)²

+arrayº

+²

+string
+=
+name5"(name is the plural name of the resource.²

+string
+T
+
+namespacedF"8namespaced indicates if a resource is namespaced or not.²
	
+boolean
+d
+kind\"Okind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')²

+string
+ž
+singularName�"ÿ
singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.²

+string
+‰
+versioný
"ï
version is the preferred version of the resource.  Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".²

+string
+}
+
+categorieso"Scategories is a list of the grouped resources this resource belongs to (e.g. 'all')²

+arrayº

+²

+string
+Ç

+group½
"¯
group is the preferred group of the resource.  Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale".²

+string
+Ÿ
+=io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirementÝ"xA label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.š
keyš
operator²

+objectÊ
Ã
+š

+key’
"2key is the label key that the selector applies to.²

+stringú
'
+x-kubernetes-patch-strategymerge
+ú
&
+x-kubernetes-patch-merge-keykey
+
+Ž

+operator�
"toperator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.²

+string
+’
+values‡"ê
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.²

+arrayº

+²

+string
+µ
+6io.k8s.api.authorization.v1beta1.NonResourceAttributesú
"{NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface²

+objectÊ
o
+8
+path0"#Path is the URL path of the request²

+string
+3
+verb+"Verb is the standard HTTP verb²

+string
+°
+Xio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatusÓ"ÅCustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. Status is represented by the `.status` JSON path inside of a CustomResource. When set, * exposes a /status subresource for the custom resource * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza²

+object
+Ð
+
+.io.k8s.api.autoscaling.v2beta2.HPAScalingRules�
+"”HPAScalingRules configures the scaling behavior for one direction. These Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.²

+objectÊ
÷
+Ì
+stabilizationWindowSeconds­int32"—StabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).²
	
+integer
+‘
+policies„"³
policies is a list of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid²

+arrayº
A
+?
+=#/definitions/io.k8s.api.autoscaling.v2beta2.HPAScalingPolicy
+‘

+selectPolicy€
"sselectPolicy is used to specify which policy should be used. If not set, the default value MaxPolicySelect is used.²

+string
+Ò
+4io.k8s.api.core.v1.ScopedResourceSelectorRequirement™"�
A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.š
	scopeNameš
operator²

+objectÊ
à
+ƒ

+operatorw"jRepresents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.²

+string
+M
+	scopeName@"3The name of the scope that the selector applies to.²

+string
+ˆ
+valuesý
"à
An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.²

+arrayº

+²

+string
+À
+Wio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScaleä"^CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.š
specReplicasPathš
statusReplicasPath²

+objectÊ
Í
+á
+labelSelectorPathË"½labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status` or `.spec`. Must be set to work with HorizontalPodAutoscaler. The field pointed by this JSON path must be a string field (not a complex selector struct) which contains a serialized label selector in string form. More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` subresource will default to the empty string.²

+string
+ã
+specReplicasPathÎ"ÀspecReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.spec`. If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.²

+string
+€
+statusReplicasPathé"ÛstatusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status`. If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource will default to 0.²

+string
+ì
+*io.k8s.api.authentication.v1beta1.UserInfo½"ZUserInfo holds the information about the user needed to implement the user.Info interface.²

+objectÊ
Ò
+n
+extrae"9Any additional information provided by the authenticator.ª

+²

+arrayº

+²

+string²

+object
+Q
+groupsG"+The names of groups this user is a part of.²

+arrayº

+²

+string
+®

+uid¦
"˜
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.²

+string
+\
+usernameP"CThe name that uniquely identifies this user among all active users.²

+string
+ü
+5io.k8s.api.autoscaling.v1.CrossVersionObjectReferenceÂ"bCrossVersionObjectReference contains enough information to let you identify the referred resource.š
kindš
name²

+objectÊ
Á
+˜

+kind�
"�
Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"²

+string
+l
+named"WName of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names²

+string
+6
+
+apiVersion("API version of the referent²

+string
+Ü
+"io.k8s.api.apps.v1.StatefulSetListµ"0StatefulSetList is a collection of StatefulSets.š
items²

+objectÊ
�
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+F
+items=²

+arrayº
0
+.
+,#/definitions/io.k8s.api.apps.v1.StatefulSet
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+I
+metadata=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaú
Y
+x-kubernetes-group-version-kind64- group: apps
+  kind: StatefulSetList
+  version: v1
+
+ã
+io.k8s.api.storage.v1.CSIDriver¿
"ÎCSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.š
spec²

+objectÊ
ø	
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+™
+metadataŒ
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ÊStandard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+]
+specU
+1#/definitions/io.k8s.api.storage.v1.CSIDriverSpec" Specification of the CSI Driver.ú
]
+x-kubernetes-group-version-kind:8- group: storage.k8s.io
+  kind: CSIDriver
+  version: v1
+
+½
+-io.k8s.api.extensions.v1beta1.HTTPIngressPath‹"oHTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.š
backend²

+objectÊ
�
+¤

+backend˜

+:#/definitions/io.k8s.api.extensions.v1beta1.IngressBackend"ZBackend defines the referenced service endpoint to which the traffic will be forwarded to.
+ž
+path•"‡Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/'. When unspecified, all paths from incoming requests are matched.²

+string
+¶
+pathType©"›PathType determines the interpretation of the Path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+  done on a path element by element basis. A path element refers is the
+  list of labels in the path split by the '/' separator. A request is a
+  match for path p if every p is an element-wise prefix of p of the
+  request path. Note that if the last element of the path is a substring
+  of the last element in request path, it is not a match (e.g. /foo/bar
+  matches /foo/bar/baz, but does not match /foo/barbaz).
+* ImplementationSpecific: Interpretation of the Path matching is up to
+  the IngressClass. Implementations can treat this as a separate PathType
+  or treat it identically to Prefix or Exact path types.
+Implementations are required to support all path types. Defaults to ImplementationSpecific.²

+string
+¤
+
+=io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationListâ	"OPriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.š
items²

+objectÊ
ñ
+â

+metadataÕ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"•
`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Œ

+items‚
"(`items` is a list of request-priorities.²

+arrayº
K
+I
+G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
…

+x-kubernetes-group-version-kindb`- group: flowcontrol.apiserver.k8s.io
+  kind: PriorityLevelConfigurationList
+  version: v1beta1
+
+�
+(io.k8s.api.core.v1.ContainerStateWaitingã
"8ContainerStateWaiting is a waiting state of a container.²

+objectÊ
š

+O
+messageD"7Message regarding why the container is not yet running.²

+string
+G
+reason="0(brief) reason the container is not yet running.²

+string
+»
+#io.k8s.api.core.v1.PersistentVolume“
"±
PersistentVolume (PV) is a storage resource provisioned by an administrator. It is analogous to a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes²

+objectÊ
õ
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Š
+spec�
+5#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"Ç
Spec defines a specification of a persistent volume owned by the cluster. Provisioned by an administrator. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+“
+statusˆ
+7#/definitions/io.k8s.api.core.v1.PersistentVolumeStatus"Ì
Status represents the current information/status for the persistent volume. Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesú
X
+x-kubernetes-group-version-kind53- group: ""
+  kind: PersistentVolume
+  version: v1
+
+Á
+>io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBehaviorþ"™
HorizontalPodAutoscalerBehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).²

+objectÊ
Ó
+°
+	scaleDown¢
+<#/definitions/io.k8s.api.autoscaling.v2beta2.HPAScalingRules"á
scaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used).
+�
+scaleUp‘
+<#/definitions/io.k8s.api.autoscaling.v2beta2.HPAScalingRules"Ð
scaleUp is scaling policy for scaling Up. If not set, the default value is the higher of:
+  * increase no more than 4 pods per 60 seconds
+  * double the number of pods per 60 seconds
+No stabilization is used.
+þ
+$io.k8s.api.batch.v1beta1.CronJobListÕ")CronJobList is a collection of cron jobs.š
items²

+objectÊ
µ
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+h
+items_"items is the list of CronJobs.²

+arrayº
2
+0
+.#/definitions/io.k8s.api.batch.v1beta1.CronJob
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
[
+x-kubernetes-group-version-kind86- group: batch
+  kind: CronJobList
+  version: v1beta1
+
+Õ	
+!io.k8s.api.core.v1.LimitRangeItem¯	"SLimitRangeItem defines a min/max usage limit for any resource that matches on kind.š
type²

+objectÊ
Ä
+²

+default¦
"WDefault resource requirement limit value by resource name if resource limit is omitted.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+Ó

+defaultRequestÀ
"qDefaultRequest is the default resource requirement request value by resource name if resource request is omitted.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+‹

+maxƒ
"4Max usage constraints on this kind by resource name.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+×
+maxLimitRequestRatio¾"î
MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+‹

+minƒ
"4Min usage constraints on this kind by resource name.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+A
+type9",Type of resource that this limit applies to.²

+string
+Ä
+"io.k8s.api.storage.v1.StorageClass�"ã
StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned.
+
+StorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.š
provisioner²

+objectÊ
·
+n
+allowVolumeExpansionV"HAllowVolumeExpansion shows whether the storage class allow volume expand²
	
+boolean
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+ì

+mountOptionsÛ
"¾
Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.²

+arrayº

+²

+string
+ø

+volumeBindingModeâ
"Ô
VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound.  When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.²

+string
+Š
+allowedTopologiesô"«Restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.²

+arrayº
9
+7
+5#/definitions/io.k8s.api.core.v1.TopologySelectorTerm
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+‘

+
+parameters‚
"eParameters holds the parameters for the provisioner that should create volumes of this storage class.ª

+²

+string²

+object
+N
+provisioner?"2Provisioner indicates the type of the provisioner.²

+string
+—

+
reclaimPolicy…
"xDynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.²

+stringú
`
+x-kubernetes-group-version-kind=;- group: storage.k8s.io
+  kind: StorageClass
+  version: v1
+
+ 
+
+=io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceÞ	"[APIService represents a server for a particular GroupVersion. Name must be "version.group".²

+objectÊ
‰
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+¢

+spec™

+O#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec"FSpec contains information for locating and communicating with a server
+—

+statusŒ

+Q#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus"7Status contains derived information about an API server
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
f
+x-kubernetes-group-version-kindCA- kind: APIService
+  version: v1
+  group: apiregistration.k8s.io
+
+Ó
+"io.k8s.api.apps.v1.StatefulSetSpec¬"8A StatefulSetSpec is the specification of a StatefulSet.š
selectorš
templateš
serviceName²

+objectÊ
¿
+�
+replicas‚int32"ì
replicas is the desired number of replicas of the given Template. These are replicas in the sense that they are instantiations of the same Template, but individual replicas also have a consistent identity. If unspecified, defaults to 1.²
	
+integer
+­
+revisionHistoryLimit”int32"þ
revisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.²
	
+integer
+¨
+selector›
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"Ö
selector is a label query over pods that should match the replica count. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+û
+serviceNameë"ÝserviceName is the name of the service that governs this StatefulSet. This service must exist before the StatefulSet, and is responsible for the network identity of the set. Pods get DNS/hostnames that follow the pattern: pod-specific-string.serviceName.default.svc.cluster.local where "pod-specific-string" is managed by the StatefulSet controller.²

+string
+¬
+templateŸ
+0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"ê
template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet.
+å

+updateStrategyÒ

+:#/definitions/io.k8s.api.apps.v1.StatefulSetUpdateStrategy"“
updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.
+þ
+volumeClaimTemplateså"›volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.²

+arrayº
:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+¹
+podManagementPolicy¡"“podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.²

+string
+¶
+,io.k8s.api.authentication.v1.TokenReviewSpec…"ETokenReviewSpec is a description of the token authentication request.²

+objectÊ
¯
+ó
+	audienceså"ÈAudiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.²

+arrayº

+²

+string
+7
+token."!Token is the opaque bearer token.²

+string
+†
+io.k8s.api.core.v1.ServicePortã"3ServicePort contains information on service's port.š
port²

+objectÊ
˜
+â
+
+targetPortÓ
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"‘Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
+½
+appProtocol­"ŸThe application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol. This is a beta field that is guarded by the ServiceAppProtocol feature gate and enabled by default.²

+string
+²
+name©"›The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.²

+string
+‚
+nodePortõint32"ßThe port on each node on which this service is exposed when type is NodePort or LoadBalancer.  Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail.  If not specified, a port will be allocated if this Service requires one.  If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport²
	
+integer
+K
+portCint32".The port that will be exposed by this service.²
	
+integer
+j
+protocol^"QThe IP protocol for this port. Supports "TCP", "UDP", and "SCTP". Default is TCP.²

+string
+ç

+*io.k8s.api.flowcontrol.v1beta1.UserSubject¸
"=UserSubject holds detailed information for user-kind subject.š
name²

+objectÊ
d
+b
+nameZ"M`name` is the username that matches, or "*" to match all usernames. Required.²

+string
+Ÿ
+$io.k8s.api.node.v1beta1.RuntimeClassö"ØRuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are (currently) manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod.  For more details, see https://git.k8s.io/enhancements/keps/sig-node/runtime-class.mdš
handler²

+objectÊ
�
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Ð
+handlerÄ"¶Handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration.  It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called "runc" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+µ

+metadata¨

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ô
+overheadç
+.#/definitions/io.k8s.api.node.v1beta1.Overhead"´Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.15, and is only honored by servers that enable the PodOverhead feature.
+›
+
+schedulingŒ
+0#/definitions/io.k8s.api.node.v1beta1.Scheduling"×
Scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.ú
b
+x-kubernetes-group-version-kind?=- group: node.k8s.io
+  kind: RuntimeClass
+  version: v1beta1
+
+Ø
+io.k8s.api.rbac.v1.Role¼"hRole is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.²

+objectÊ
Ý
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+t
+rulesk"-Rules holds all the PolicyRules for this Role²

+arrayº
/
+-
++#/definitions/io.k8s.api.rbac.v1.PolicyRuleú
c
+x-kubernetes-group-version-kind@>- version: v1
+  group: rbac.authorization.k8s.io
+  kind: Role
+
+µ
+]io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceStatusÓ"ÅCustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. Status is represented by the `.status` JSON path inside of a CustomResource. When set, * exposes a /status subresource for the custom resource * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza²

+object
+Ã
+?io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerConditionÿ"eHorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.š
typeš
status²

+objectÊ
ù
+«

+lastTransitionTime”

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"YlastTransitionTime is the last time the condition transitioned from one status to another
+g
+message\"Omessage is a human-readable explanation containing details about the transition²

+string
+P
+reasonF"9reason is the reason for the condition's last transition.²

+string
+S
+statusI"<status is the status of the condition (True, False, Unknown)²

+string
+9
+type1"$type describes the current condition²

+string
+à
+"io.k8s.api.core.v1.PodAntiAffinity¹"IPod anti affinity is a group of inter pod anti affinity scheduling rules.²

+objectÊ
ß
+
+ã
+.requiredDuringSchedulingIgnoredDuringExecution°"ìIf the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.PodAffinityTerm
+ö
+/preferredDuringSchedulingIgnoredDuringExecutionÂ"öThe scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.core.v1.WeightedPodAffinityTerm
+¼
+(io.k8s.api.core.v1.ReplicationController�"OReplicationController represents the configuration of a replication controller.²

+objectÊ
Ï
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+ß
+metadataÒ
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"�If the Labels of a ReplicationController are empty, they are defaulted to be the same as the Pod(s) that the replication controller manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Œ
+specƒ
+:#/definitions/io.k8s.api.core.v1.ReplicationControllerSpec"Ä
Spec defines the specification of the desired behavior of the replication controller. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+Þ
+statusÓ
+<#/definitions/io.k8s.api.core.v1.ReplicationControllerStatus"’Status is the most recently observed status of the replication controller. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
]
+x-kubernetes-group-version-kind:8- group: ""
+  kind: ReplicationController
+  version: v1
+
+…
+!io.k8s.api.policy.v1beta1.IDRangeß
"6IDRange provides a min/max of an allowed range of IDs.š
minš
max²

+objectÊ
Œ

+E
+min>int64")min is the start of the range, inclusive.²
	
+integer
+C
+max<int64"'max is the end of the range, inclusive.²
	
+integer
+—
+Qio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.WebhookClientConfigÁ
"WWebhookClientConfig contains the information to make a TLS connection with the webhook.²

+objectÊ
Ù
+Ã

+caBundle¶
byte"¢
caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.²

+string
+›
+service�
+\#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ServiceReference"®
service is a reference to the service for this webhook. Either service or url must be specified.
+
+If the webhook is running within the cluster, then you should use `service`.
+ò
+urlê"Üurl gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
+
+The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
+
+Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
+
+The scheme must be "https"; the URL must begin with "https://".
+
+A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
+
+Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.²

+string
+ð
+4io.k8s.api.certificates.v1.CertificateSigningRequest·"¬CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.
+
+Kubelets use this API to obtain:
+ 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
+ 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
+
+This API can be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName), or to obtain certificates from custom non-Kubernetes signers.š
spec²

+objectÊ
ý	
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+«
+spec¢
+F#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestSpec"×
spec contains the certificate request, and is immutable after creation. Only the request, signerName, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users.
+‚
+status÷

+H#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus"ª
status contains information about whether the request is approved or denied, and the certificate issued by the signer, or the failure condition indicating signer failure.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
r
+x-kubernetes-group-version-kindOM- group: certificates.k8s.io
+  kind: CertificateSigningRequest
+  version: v1
+
+·
+"io.k8s.api.core.v1.PodTemplateSpec�"QPodTemplateSpec describes the data a pod should have when created from a template²

+objectÊ
®
+Ö

+specÍ

+(#/definitions/io.k8s.api.core.v1.PodSpec" 
Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ì
+#io.k8s.api.core.v1.NodeConfigStatusÄ"WNodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource.²

+objectÊ
Ü
+Á
+active¶
+1#/definitions/io.k8s.api.core.v1.NodeConfigSource"€Active reports the checkpointed config the node is actively using. Active will represent either the current version of the Assigned config, or the current LastKnownGood config, depending on whether attempting to use the Assigned config results in an error.
+ù
+assignedì
+1#/definitions/io.k8s.api.core.v1.NodeConfigSource"¶Assigned reports the checkpointed config the node will try to use. When Node.Spec.ConfigSource is updated, the node checkpoints the associated config payload to local disk, along with a record indicating intended config. The node refers to this record to choose its config checkpoint, and reports this record in Assigned. Assigned only updates in the status after the record has been checkpointed to disk. When the Kubelet is restarted, it tries to make the Assigned config the Active config by loading and validating the checkpointed payload identified by Assigned.
+ 
+error–"ˆError describes any problems reconciling the Spec.ConfigSource to the Active config. Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting to load or validate the Assigned config, etc. Errors may occur at different points while syncing config. Earlier errors (e.g. download or checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in a rollback to LastKnownGood. In the latter case, it is usually possible to resolve the error by fixing the config assigned in Spec.ConfigSource. You can find additional information for debugging by searching the error message in the Kubelet log. Error is a human-readable description of the error state; machines can check whether or not Error is empty, but should not rely on the stability of the Error text across Kubelet versions.²

+string
+ö
+
lastKnownGoodä
+1#/definitions/io.k8s.api.core.v1.NodeConfigSource"®LastKnownGood reports the checkpointed config the node will fall back to when it encounters an error attempting to use the Assigned config. The Assigned config becomes the LastKnownGood config when the node determines that the Assigned config is stable and correct. This is currently implemented as a 10-minute soak period starting when the local record of Assigned config is updated. If the Assigned config is Active at the end of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, because the local default config is always assumed good. You should not make assumptions about the node's method of determining config stability and correctness, as this may change or become configurable in the future.
+•
+0io.k8s.apimachinery.pkg.apis.meta.v1.APIVersionsà
"�
APIVersions lists the versions that are available, to allow clients to discover the API at /api, which is the root path of the legacy v1 API.š
versionsš
serverAddressByClientCIDRs²

+objectÊ
Ã
+Y
+versionsM"1versions are the api versions that are available.²

+arrayº

+²

+string
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+è
+serverAddressByClientCIDRsÉ"éa map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.²

+arrayº
P
+N
+L#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDRú
S
+x-kubernetes-group-version-kind0.- group: ""
+  kind: APIVersions
+  version: v1
+
+•
+&io.k8s.api.storage.v1beta1.VolumeErrorê"DVolumeError captures an error encountered during a volume operation.²

+objectÊ
•
+®

+message¢
"”
String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.²

+string
+b
+timeZ
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"Time the error was encountered.
+È

+Sio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrBoolq"oJSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property.
+�
+!io.k8s.api.apps.v1.DeploymentListç"(DeploymentList is a list of Deployments.š
items²

+objectÊ
Ë
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+h
+items_"!Items is the list of Deployments.²

+arrayº
/
+-
++#/definitions/io.k8s.api.apps.v1.Deployment
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+b
+metadataV
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.ú
X
+x-kubernetes-group-version-kind53- group: apps
+  kind: DeploymentList
+  version: v1
+
+Ö
+.io.k8s.api.policy.v1.PodDisruptionBudgetStatus£"Š
PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.š
disruptionsAllowedš
currentHealthyš
desiredHealthyš
expectedPods²

+objectÊ
Á
+â

+observedGenerationË
int64"µ
Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.²
	
+integer
+ô
+
+conditionså"ôConditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute
+              the number of allowed disruptions. Therefore no disruptions are
+              allowed and the status of the condition will be False.
+- InsufficientPods: The number of pods are either at or below the number
+                    required by the PodDisruptionBudget. No disruptions are
+                    allowed and the status of the condition will be False.
+- SufficientPods: There are more pods than required by the PodDisruptionBudget.
+                  The condition will be True, and the number of allowed
+                  disruptions are provided by the disruptionsAllowed property.²

+arrayº
@
+>
+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Conditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+ú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+E
+currentHealthy3int32"current number of healthy pods²
	
+integer
+M
+desiredHealthy;int32"&minimum desired number of healthy pods²
	
+integer
+�
+
disruptedPodsû"¯DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.ª
;
+9
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time²

+object
+`
+disruptionsAllowedJint32"5Number of pod disruptions that are currently allowed.²
	
+integer
+[
+expectedPodsKint32"6total number of pods counted by this disruption budget²
	
+integer
+á

+io.k8s.api.core.v1.Capabilities½
"<Adds and removes POSIX capabilities from running containers.²

+objectÊ
q
+5
+add."Added capabilities²

+arrayº

+²

+string
+8
+drop0"Removed capabilities²

+arrayº

+²

+string
+�
+#io.k8s.api.storage.v1.CSINodeDriverå
"]CSINodeDriver holds information about the specification of one CSI driver installed on a nodeš
nameš
nodeID²

+objectÊ
ç
+¸
+nodeID­"ŸnodeID of the node from the driver point of view. This field enables Kubernetes to communicate with storage systems that do not share the same nomenclature for nodes. For example, Kubernetes may refer to a given node as "node1", but the storage system may refer to the same node as "nodeA". When Kubernetes issues a command to the storage system to attach a volume to a specific node, it can use this field to refer to the node name using the ID that the storage system will understand, e.g. "nodeA" instead of "node1". This field is required.²

+string
+Â
+topologyKeys±"”topologyKeys is the list of keys supported by the driver. When a driver is initialized on a cluster, it provides a set of topology keys that it understands (e.g. "company.com/zone", "company.com/region"). When a driver is initialized on a node, it provides the same topology keys along with values. Kubelet will expose these topology keys as labels on its own node object. When Kubernetes does topology aware provisioning, it can use this list to determine which labels it should retrieve from the node object and pass back to the driver. It is possible for different nodes to use different topology keys. This can be empty if driver does not support topology.²

+arrayº

+²

+string
+·

+allocatable§

+7#/definitions/io.k8s.api.storage.v1.VolumeNodeResources"lallocatable represents the volume resources of a node that are available for scheduling. This field is beta.
+ª

+name¡
"“
This is the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.²

+string
+ë
+1io.k8s.api.storage.v1beta1.VolumeAttachmentStatusµ"CVolumeAttachmentStatus is the status of a VolumeAttachment request.š
attached²

+objectÊ
Ö
+ë

+detachErrorÛ

+4#/definitions/io.k8s.api.storage.v1beta1.VolumeError"¢
The last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.
+ë

+attachErrorÛ

+4#/definitions/io.k8s.api.storage.v1beta1.VolumeError"¢
The last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
+±

+attached¤
"•
Indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.²
	
+boolean
+Ã
+attachmentMetadata¬"ŽUpon successful attach, this field is populated with any information returned by the attach operation that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.ª

+²

+string²

+object
+í@
+Mio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps›@"[JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).²

+objectÊ
¯?
+ 
+x-kubernetes-map-type†"øx-kubernetes-map-type annotates an object to further describe its topology. This extension must only be used when type is object and may have 2 possible values:
+
+1) `granular`:
+     These maps are actual maps (key-value pairs) and each fields are independent
+     from each other (they can each be manipulated by separate actors). This is
+     the default behaviour for all maps.
+2) `atomic`: the list is treated as a single entity, like a scalar.
+     Atomic maps will be entirely replaced when updated.²

+string
+
+id²

+string
+m
+itemsd
+b#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrArray
+
+maxItemsint64²
	
+integer
+ 
+	maxLengthint64²
	
+integer
+$
+
maxPropertiesint64²
	
+integer
+u
+oneOfl²

+arrayº
_
+]
+[#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps
+
+title²

+string
+
+$schema²

+string
+v
+additionalItemsc
+a#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrBool
+
+description²

+string
+ 
+exclusiveMinimum²
	
+boolean
+d
+not]
+[#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps
+
+pattern²

+string
+
+$ref²

+string
+{
+additionalPropertiesc
+a#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrBool
+u
+allOfl²

+arrayº
_
+]
+[#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps
+
+maximumdouble²

+number
+&
+required²

+arrayº

+²

+string
+
+type²

+string
+Þ
+x-kubernetes-list-typeÃ"µx-kubernetes-list-type annotates an array to further describe its topology. This extension must only be used on lists and may have 3 possible values:
+
+1) `atomic`: the list is treated as a single entity, like a scalar.
+     Atomic lists will be entirely replaced when updated. This extension
+     may be used on any type of list (struct, scalar, ...).
+2) `set`:
+     Sets are lists that must not have multiple items with the same value. Each
+     value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+     array with x-kubernetes-list-type `atomic`.
+3) `map`:
+     These lists are like maps in that their elements have a non-index key
+     used to identify them. Order is preserved upon merge. The map tag
+     must only be used on a list with elements of type object.
+Defaults to atomic for arrays.²

+string
+Ô
+defaultÈ
+P#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSON"ó
default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. CustomResourceDefinitions with defaults must be created using the v1 (or newer) CustomResourceDefinition API.
+ 
+	minLengthint64²
	
+integer
+«
+x-kubernetes-list-map-keysŒ"ïx-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used as the index of the map.
+
+This tag MUST only be used on lists that have the "x-kubernetes-list-type" extension set to "map". Also, the values specified for this attribute must be a scalar typed field of the child structure (no nesting is supported).
+
+The properties specified must either be required or have a default value, to ensure those properties are present for all list items.²

+arrayº

+²

+string
+‚

+patternPropertiesmª
_
+]
+[#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps²

+object
+{
+
+propertiesmª
_
+]
+[#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps²

+object
+Ó
+x-kubernetes-embedded-resource°"¡x-kubernetes-embedded-resource defines that the value is an embedded Kubernetes runtime.Object, with TypeMeta and ObjectMeta. The type must be object. It is allowed to further restrict the embedded object. kind, apiVersion and metadata are validated automatically. x-kubernetes-preserve-unknown-fields is allowed to be true, but does not have to be if the object is fully specified (up to kind, apiVersion, metadata).²
	
+boolean
+i
+enuma²

+arrayº
T
+R
+P#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSON
+s
+externalDocsc
+a#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ExternalDocumentation
+¶
+format«"�format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+
+- bsonobjectid: a bson object ID, i.e. a 24 characters hex string - uri: an URI as parsed by Golang net/url.ParseRequestURI - email: an email address as parsed by Golang net/mail.ParseAddress - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. - ipv4: an IPv4 IP as parsed by Golang net.ParseIP - ipv6: an IPv6 IP as parsed by Golang net.ParseIP - cidr: a CIDR as parsed by Golang net.ParseCIDR - mac: a MAC address as parsed by Golang net.ParseMAC - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041" - isbn10: an ISBN10 number string like "0321751043" - isbn13: an ISBN13 number string like "978-0321751041" - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$ with any non digit characters mixed in - ssn: a U.S. social security number following the regex ^\d{3}[- ]?\d{2}[- ]?\d{4}$ - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559" - byte: base64 encoded binary data - password: any kind of string - date: a date string like "2006-01-02" as defined by full-date in RFC3339 - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.²

+string
+
+nullable²
	
+boolean
+u
+anyOfl²

+arrayº
_
+]
+[#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps
+]
+exampleR
+P#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSON
+ 
+exclusiveMaximum²
	
+boolean
+
+minItemsint64²
	
+integer
+
+minimumdouble²

+number
+‡
+x-kubernetes-int-or-stringè"Ùx-kubernetes-int-or-string specifies that this value is either an integer or a string. If this is true, an empty type is allowed and type as child of anyOf is permitted if following one of the following patterns:
+
+1) anyOf:
+   - type: integer
+   - type: string
+2) allOf:
+   - anyOf:
+     - type: integer
+     - type: string
+   - ... zero or more²
	
+boolean
+˜
+$x-kubernetes-preserve-unknown-fieldsï"àx-kubernetes-preserve-unknown-fields stops the API server decoding step from pruning fields which are not specified in the validation schema. This affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden.²
	
+boolean
+|
+definitionsmª
_
+]
+[#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps²

+object
+Š

+dependencieszª
l
+j
+h#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrStringArray²

+object
+$
+
minPropertiesint64²
	
+integer
+!
+
+multipleOfdouble²

+number
+
+uniqueItems²
	
+boolean
+±
+:io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpecò"_HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.š
scaleTargetRefš
maxReplicas²

+objectÊ
ã
+
+©

+maxReplicas™
int32"ƒ
maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less that minReplicas.²
	
+integer
+¶
+metricsª"ßmetrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used).  The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods.  Ergo, metrics used must decrease as the pod count is increased, and vice-versa.  See the individual metric source types for more information about how each type of metric must respond.²

+arrayº
;
+9
+7#/definitions/io.k8s.api.autoscaling.v2beta1.MetricSpec
+ò
+minReplicasâint32"ÌminReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured.  Scaling is active as long as at least one metric value is available.²
	
+integer
+†
+scaleTargetRefó

+H#/definitions/io.k8s.api.autoscaling.v2beta1.CrossVersionObjectReference"¦
scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count.
+í
+1io.k8s.api.autoscaling.v2beta1.ObjectMetricSource·"‰
ObjectMetricSource indicates how to scale on a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).š
targetš

+metricNameš
targetValue²

+objectÊ
ø
+Ü
+selectorÏ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"Šselector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics.
+€

+targetv
+H#/definitions/io.k8s.api.autoscaling.v2beta1.CrossVersionObjectReference"*target is the described Kubernetes object.
+Œ

+targetValue}
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity">targetValue is the target value of the metric (as a quantity).
+¶

+averageValue¥

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"faverageValue is the target value of the average of the metric across all relevant pods (as a quantity)
+L
+
+metricName>"1metricName is the name of the metric in question.²

+string
+�	
+)io.k8s.api.extensions.v1beta1.IngressListá"'IngressList is a collection of Ingress.š
items²

+objectÊ
¾
+Ð

+metadataÃ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+l
+itemsc"Items is the list of Ingress.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.extensions.v1beta1.Ingress
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
`
+x-kubernetes-group-version-kind=;- group: extensions
+  kind: IngressList
+  version: v1beta1
+
+ç
+%io.k8s.api.authentication.v1.UserInfo½"ZUserInfo holds the information about the user needed to implement the user.Info interface.²

+objectÊ
Ò
+n
+extrae"9Any additional information provided by the authenticator.ª

+²

+arrayº

+²

+string²

+object
+Q
+groupsG"+The names of groups this user is a part of.²

+arrayº

+²

+string
+®

+uid¦
"˜
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.²

+string
+\
+usernameP"CThe name that uniquely identifies this user among all active users.²

+string
+„
+
+io.k8s.api.core.v1.NodeAffinityà	";Node affinity is a group of node affinity scheduling rules.²

+objectÊ
”	
+Þ
+/preferredDuringSchedulingIgnoredDuringExecutionª"ÞThe scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.core.v1.PreferredSchedulingTerm
+°
+.requiredDuringSchedulingIgnoredDuringExecutioný
+-#/definitions/io.k8s.api.core.v1.NodeSelector"ËIf the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
+‡	
+$io.k8s.api.networking.v1.IngressListÞ"'IngressList is a collection of Ingress.š
items²

+objectÊ
¹
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+g
+items^"Items is the list of Ingress.²

+arrayº
2
+0
+.#/definitions/io.k8s.api.networking.v1.Ingress
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ð

+metadataÃ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
b
+x-kubernetes-group-version-kind?=- group: networking.k8s.io
+  kind: IngressList
+  version: v1
+
+À
+!io.k8s.api.core.v1.ContainerImageš"Describe a container imageš
names²

+objectÊ
ç

+¡

+names—
"{Names by which this image is known. e.g. ["k8s.gcr.io/hyperkube:v1.0.7", "dockerhub.io/google_containers/hyperkube:v1.0.7"]²

+arrayº

+²

+string
+A
+	sizeBytes4int64"The size of the image in bytes.²
	
+integer
+¼
+&io.k8s.api.core.v1.GitRepoVolumeSource‘"÷Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling.
+
+DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.š

+repository²

+objectÊ
û
+‹
+	directoryý
"ï
Target directory name. Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the git repository.  Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.²

+string
+)
+
+repository"Repository URL²

+string
+@
+revision4"'Commit hash for the specified revision.²

+string
+¿
+.io.k8s.api.discovery.v1beta1.EndpointSliceListŒ"6EndpointSliceList represents a list of endpoint slicesš
items²

+objectÊ
Î
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+k
+itemsb"List of endpoint slices²

+arrayº
<
+:
+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+b
+metadataV
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.ú
l
+x-kubernetes-group-version-kindIG- kind: EndpointSliceList
+  version: v1beta1
+  group: discovery.k8s.io
+
+Â	
+&io.k8s.api.networking.v1.NetworkPolicy—	"INetworkPolicy describes what network traffic is allowed for a set of Pods²

+objectÊ
Ö
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+�

+specy
+8#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec"=Specification of the desired behavior for this NetworkPolicy.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
d
+x-kubernetes-group-version-kindA?- kind: NetworkPolicy
+  version: v1
+  group: networking.k8s.io
+
+Ã
+!io.k8s.api.batch.v1.CronJobStatus�"9CronJobStatus represents the current state of a cron job.²

+objectÊ
Ó
+¡

+active–
"-A list of pointers to currently running jobs.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.ObjectReferenceú
#
+x-kubernetes-list-type	atomic
+
+–

+lastScheduleTime�

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"FInformation when was the last time the job was successfully scheduled.
+“

+lastSuccessfulTime}
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"BInformation when was the last time the job successfully completed.
+Ö
+io.k8s.api.batch.v1.JobList¶" JobList is a collection of jobs.š
items²

+objectÊ
¨
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+[
+itemsR"items is the list of Jobs.²

+arrayº
)
+'
+%#/definitions/io.k8s.api.batch.v1.Job
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
R
+x-kubernetes-group-version-kind/-- group: batch
+  kind: JobList
+  version: v1
+
+ˆ
+
+/io.k8s.api.authorization.v1.SubjectAccessReviewÔ	"PSubjectAccessReview checks whether or not a user or group can perform an action.š
spec²

+objectÊ
ü
+§

+statusœ

+C#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or not
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+…

+spec}
+A#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec"8Spec holds information about the request being evaluatedú
m
+x-kubernetes-group-version-kindJH- group: authorization.k8s.io
+  kind: SubjectAccessReview
+  version: v1
+
+‰
+1io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerÓ
+"-configuration of a horizontal pod autoscaler.²

+objectÊ
ª	
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ð

+metadataÃ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"�
Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ù

+specÐ

+C#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec"ˆ
behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+|
+statusr
+E#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus")current information about the autoscaler.ú
h
+x-kubernetes-group-version-kindEC- version: v1
+  group: autoscaling
+  kind: HorizontalPodAutoscaler
+
+ƒ
+0io.k8s.api.policy.v1beta1.FSGroupStrategyOptionsÎ"YFSGroupStrategyOptions defines the strategy type and options used to create the strategy.²

+objectÊ
ä
+÷

+rangesì
"©
ranges are the allowed ranges of fs groups.  If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs.²

+arrayº
3
+1
+/#/definitions/io.k8s.api.policy.v1beta1.IDRange
+h
+rule`"Srule is the strategy that will dictate what FSGroup is used in the SecurityContext.²

+string
+³	
+'io.k8s.api.rbac.v1beta1.RoleBindingList‡	"¤
RoleBindingList is a collection of RoleBindings Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBindingList, and will no longer be served in v1.22.š
items²

+objectÊ
Ó
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+l
+itemsc"Items is a list of RoleBindings²

+arrayº
5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+f
+metadataZ
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ú
s
+x-kubernetes-group-version-kindPN- group: rbac.authorization.k8s.io
+  kind: RoleBindingList
+  version: v1beta1
+
+˜
+
+Wio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition¼	"KCustomResourceColumnDefinition specifies a column for server side printing.š
nameš
typeš
jsonPath²

+objectÊ
Ç
+�
+priority€int32"ê
priority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a priority greater than 0.²
	
+integer
+¯

+type¦
"˜
type is an OpenAPI type definition for this column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.²

+string
+W
+descriptionH";description is a human readable description of this column.²

+string
+¸
+format­"Ÿformat is an optional OpenAPI type definition for this column. The 'name' format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.²

+string
+ª

+jsonPath�
"�
jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against each custom resource to produce the value for this column.²

+string
+B
+name:"-name is a human readable name for the column.²

+string
+è
+=io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery¦"wGroupVersion contains the "group/version" and "version" string of a version. It is made a struct to keep extensibility.š
groupVersionš
version²

+objectÊ
…
+i
+groupVersionY"LgroupVersion specifies the API group and version in the form "group/version"²

+string
+—

+version‹
"~version specifies the version in the form of "version". This is to save the clients the trouble of splitting the GroupVersion.²

+string
+Æ
+)io.k8s.api.authentication.v1.TokenRequest˜":TokenRequest requests a token for a given service account.š
spec²

+objectÊ
Ü
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+E
+spec=
+;#/definitions/io.k8s.api.authentication.v1.TokenRequestSpec
+I
+status?
+=#/definitions/io.k8s.api.authentication.v1.TokenRequestStatus
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
g
+x-kubernetes-group-version-kindDB- group: authentication.k8s.io
+  kind: TokenRequest
+  version: v1
+
+–
+3io.k8s.api.core.v1.PhotonPersistentDiskVolumeSourceÞ"8Represents a Photon Controller persistent disk resource.š
pdID²

+objectÊ
Ž
+I
+pdIDA"4ID that identifies Photon Controller persistent disk²

+string
+À

+fsTypeµ
"§
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.²

+string
+£	
+:io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerListä"KHorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.š
items²

+objectÊ
Œ
+˜

+itemsŽ
"7items is the list of horizontal pod autoscaler objects.²

+arrayº
H
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+r
+metadataf
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"'metadata is the standard list metadata.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
q
+x-kubernetes-group-version-kindNL- group: autoscaling
+  kind: HorizontalPodAutoscalerList
+  version: v2beta2
+
+ž
+8io.k8s.api.certificates.v1.CertificateSigningRequestSpecá"?CertificateSigningRequestSpec contains the certificate request.š
requestš

+signerName²

+objectÊ
ú
+ò

+requestæ
byte"¬
request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.²

+stringú
#
+x-kubernetes-list-type	atomic
+
+�
+
+signerName�"ósignerName indicates the requested signer, and is a qualified name.
+
+List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
+
+Well-known Kubernetes signers are:
+ 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
+  Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
+ 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
+  Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
+ 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
+  Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
+
+More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
+
+Custom signerNames can also be specified. The signer defines:
+ 1. Trust distribution: how trust (CA bundles) are distributed.
+ 2. Permitted subjects: and behavior when a disallowed subject is requested.
+ 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
+ 4. Required, permitted, or forbidden key usages / extended key usages.
+ 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
+ 6. Whether or not requests for CA certificates are allowed.²

+string
+™

+uid‘
"ƒ
uid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.²

+string
+„
+usagesù"¶usages specifies a set of key usages requested in the issued certificate.
+
+Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
+
+Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
+
+Valid values are:
+ "signing", "digital signature", "content commitment",
+ "key encipherment", "key agreement", "data encipherment",
+ "cert sign", "crl sign", "encipher only", "decipher only", "any",
+ "server auth", "client auth",
+ "code signing", "email protection", "s/mime",
+ "ipsec end system", "ipsec tunnel", "ipsec user",
+ "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"²

+arrayº

+²

+stringú
#
+x-kubernetes-list-type	atomic
+
+¤

+username—
"‰
username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.²

+string
+Å

+extra»
"Ž
extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.ª

+²

+arrayº

+²

+string²

+object
+Ý

+groupsÒ
"�
groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.²

+arrayº

+²

+stringú
#
+x-kubernetes-list-type	atomic
+
+â	
+'io.k8s.api.core.v1.PersistentVolumeList¶	"9PersistentVolumeList is a list of PersistentVolume items.š
items²

+objectÊ
…
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+³

+items©
"eList of persistent volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes²

+arrayº
5
+3
+1#/definitions/io.k8s.api.core.v1.PersistentVolume
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
\
+x-kubernetes-group-version-kind97- group: ""
+  kind: PersistentVolumeList
+  version: v1
+
+¢
+Kio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceConditionÒ"NAPIServiceCondition describes the state of an APIService at a particular pointš
typeš
status²

+objectÊ
ã
+X
+messageM"@Human-readable message indicating details about last transition.²

+string
+^
+reasonT"GUnique, one-word, CamelCase reason for the condition's last transition.²

+string
+Z
+statusP"CStatus is the status of the condition. Can be True, False, Unknown.²

+string
+7
+type/""Type is the type of the condition.²

+string
+‘

+lastTransitionTime{
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another.
+°
+1io.k8s.api.authorization.v1.NonResourceAttributesú
"{NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface²

+objectÊ
o
+8
+path0"#Path is the URL path of the request²

+string
+3
+verb+"Verb is the standard HTTP verb²

+string
+Î
+7io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec’"¦
SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set²

+objectÊ
Ú
+ª

+nonResourceAttributes�

+?#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes"MNonResourceAttributes describes information for a non-resource access request
+ª

+resourceAttributes“

+<#/definitions/io.k8s.api.authorization.v1.ResourceAttributes"SResourceAuthorizationAttributes describes information for a resource access request
+ÿ
+!io.k8s.api.storage.v1.CSINodeListÙ"/CSINodeList is a collection of CSINode objects.š
items²

+objectÊ
¯
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+c
+itemsZ"items is the list of CSINode²

+arrayº
/
+-
++#/definitions/io.k8s.api.storage.v1.CSINode
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
_
+x-kubernetes-group-version-kind<:- group: storage.k8s.io
+  kind: CSINodeList
+  version: v1
+
+Á
+Vio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceConversionæ
+"MCustomResourceConversion describes how to convert different versions of a CR.š
strategy²

+objectÊ
ý	
+œ
+conversionReviewVersionsÿ"âconversionReviewVersions is an ordered list of preferred `ConversionReview` versions the Webhook expects. The API server will use the first version in the list which it supports. If none of the versions specified in this list are supported by API server, conversion will fail for the custom resource. If a persisted Webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail. Defaults to `["v1beta1"]`.²

+arrayº

+²

+string
+Ñ
+strategyÄ"¶strategy specifies how custom resources are converted between versions. Allowed values are: - `None`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `Webhook`: API Server will call to an external webhook to do the conversion. Additional information
+  is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhookClientConfig to be set.²

+string
+‡
+webhookClientConfigï

+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.WebhookClientConfig"‹
webhookClientConfig is the instructions for how to call the webhook if strategy is `Webhook`. Required when `strategy` is set to `Webhook`.
+ð
+"io.k8s.api.core.v1.PodAffinityTermÉ
"ßDefines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is runningš
topologyKey²

+objectÊ
Ê
+
+Ž

+
labelSelector}
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"9A label query over a set of resources, in this case pods.
+õ
+namespaceSelectorß
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"šA label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+Å
+
+namespaces¶"™namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"²

+arrayº

+²

+string
+ö
+topologyKeyæ"ØThis pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.²

+string
+¬	
+1io.k8s.api.networking.v1.NetworkPolicyIngressRuleö"´
NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.²

+objectÊ
°
+Ù
+fromÐ"„List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer
+Ñ
+portsÇ"ûList of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort
+Ý
+
+&io.k8s.api.core.v1.ScaleIOVolumeSource²
+":ScaleIOVolumeSource represents a persistent ScaleIO volumeš
gatewayš
systemš
	secretRef²

+objectÊ
È	
+Ð

+	secretRefÂ

+5#/definitions/io.k8s.api.core.v1.LocalObjectReference"ˆ
SecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.
+’

+storageMode‚
"uIndicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.²

+string
+¡

+fsType–
"ˆ
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs".²

+string
+D
+gateway9",The host address of the ScaleIO API Gateway.²

+string
+`
+
+sslEnabledR"DFlag to enable/disable SSL communication with Gateway, default false²
	
+boolean
+[
+storagePoolL"?The ScaleIO Storage Pool associated with the protection domain.²

+string
+O
+systemE"8The name of the storage system as configured in ScaleIO.²

+string
+�

+
+volumeNames"fThe name of a volume already created in the ScaleIO system that is associated with this volume source.²

+string
+f
+protectionDomainR"EThe name of the ScaleIO Protection Domain for the configured storage.²

+string
+x
+readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+�
+"io.k8s.api.core.v1.SecurityContextè"Ü
SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext.  When both are set, the values in SecurityContext take precedence.²

+objectÊ
ú
+¥

+
+privileged–
"‡
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.²
	
+boolean
+Š
+	procMountü
"î
procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.²

+string
+½
+runAsNonRoot¬"�Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.²
	
+boolean
+°
+	runAsUser¢int64"ŒThe UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.²
	
+integer
+ô
+seLinuxOptionsá
+/#/definitions/io.k8s.api.core.v1.SELinuxOptions"­The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ç

+seccompProfileÔ

+/#/definitions/io.k8s.api.core.v1.SeccompProfile" 
The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options.
+Õ
+allowPrivilegeEscalation¸"©AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN²
	
+boolean
+Æ

+capabilitiesµ

+-#/definitions/io.k8s.api.core.v1.Capabilities"ƒ
The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.
+Ä
+windowsOptions±
+>#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions"î
The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+q
+readOnlyRootFilesystemW"IWhether this container has a read-only root filesystem. Default is false.²
	
+boolean
+“
+
+runAsGroup„int64"î
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.²
	
+integer
+†
+ io.k8s.api.networking.v1.IPBlocká"ã
IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.š
cidr²

+objectÊ
å
+v
+cidrn"aCIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"²

+string
+ê

+exceptß
"Â
Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range²

+arrayº

+²

+string
+·	
+ io.k8s.api.coordination.v1.Lease’	"Lease defines a lease concept.²

+objectÊ
‚
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+µ

+metadata¨

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ê

+specÁ

+2#/definitions/io.k8s.api.coordination.v1.LeaseSpec"Š
Specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
^
+x-kubernetes-group-version-kind;9- group: coordination.k8s.io
+  kind: Lease
+  version: v1
+
+“
+"io.k8s.api.core.v1.NamespaceStatusì"GNamespaceStatus is information about the current status of a Namespace.²

+objectÊ
”
+õ

+
+conditionsæ
"LRepresents the latest available observations of a namespace's current state.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.core.v1.NamespaceConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+™

+phase�
"�
Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/²

+string
+‘
+io.k8s.api.batch.v1.JobStatusï"0JobStatus represents the current state of a Job.²

+objectÊ
®
+¶
+
+conditions§"ëThe latest available observations of an object's current state. When a Job fails, one of the conditions will have type "Failed" and status true. When a Job is suspended, one of the conditions will have type "Suspended" and status true; when the Job is resumed, the status of this condition will become false. When a Job is completed, one of the conditions will have type "Complete" and status true. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/²

+arrayº
2
+0
+.#/definitions/io.k8s.api.batch.v1.JobConditionú
#
+x-kubernetes-list-type	atomic
+ú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+M
+failedCint32".The number of pods which reached phase Failed.²
	
+integer
+å
+	startTime×
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"›Represents time when the job controller started processing a job. When a Job is created in the suspended state, this field is not set until the first time it is resumed. This field is reset every time a Job is resumed from suspension. It is represented in RFC3339 form and is in UTC.
+S
+	succeededFint32"1The number of pods which reached phase Succeeded.²
	
+integer
+C
+active9int32"$The number of actively running pods.²
	
+integer
+Ü
+completedIndexesÇ"¹CompletedIndexes holds the completed indexes when .spec.completionMode = "Indexed" in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as "1,3-5,7".²

+string
+Â
+completionTime¯
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"ó
Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. The completion time is only set when the job finishes successfully.
+Ã
+4io.k8s.api.flowcontrol.v1beta1.NonResourcePolicyRuleŠ"·NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.š
verbsš
nonResourceURLs²

+objectÊ
§
+Ð
+nonResourceURLs¼"ü`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:
+  - "/healthz" is legal
+  - "/hea*" is illegal
+  - "/hea" is legal but matches nothing
+  - "/hea/*" also matches nothing
+  - "/healthz/*" matches all per-component health checks.
+"*" matches all non-resource urls. if it is present, it must be the only entry. Required.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+Ñ

+verbsÇ
"‡
`verbs` is a list of matching verbs and may not be empty. "*" matches all verbs. If it is present, it must be the only entry. Required.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+û
+
+[io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames›
+"XCustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinitionš
pluralš
kind²

+objectÊ
¢	
+ô

+
+categorieså
"È
categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). This is published in API discovery documents, and used by clients to support invocations like `kubectl get all`.²

+arrayº

+²

+string
+¾

+kindµ
"§
kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the `kind` attribute in API calls.²

+string
+q
+listKinde"XlistKind is the serialized kind of the list for this resource. Defaults to "`kind`List".²

+string
+�
+plural‚"ô
plural is the plural name of the resource to serve. The custom resources are served under `/apis/<group>/<version>/.../<plural>`. Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`). Must be all lowercase.²

+string
+á

+
+shortNamesÒ
"µ
shortNames are short names for the resource, exposed in API discovery documents, and used by clients to support invocations like `kubectl get <shortname>`. It must be all lowercase.²

+arrayº

+²

+string
+€

+singulart"gsingular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.²

+string
+Ì
+%io.k8s.api.apps.v1.DaemonSetCondition¢"IDaemonSetCondition describes the state of a DaemonSet at a certain point.š
typeš
status²

+objectÊ
¸
+‘

+lastTransitionTime{
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another.
+Y
+messageN"AA human readable message indicating details about the transition.²

+string
+F
+reason<"/The reason for the condition's last transition.²

+string
+L
+statusB"5Status of the condition, one of True, False, Unknown.²

+string
+1
+type)"Type of DaemonSet condition.²

+string
+ž
+io.k8s.api.batch.v1.Job‚"1Job represents the configuration of a single job.²

+objectÊ
ï	
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Õ

+specÌ

+)#/definitions/io.k8s.api.batch.v1.JobSpec"ž
Specification of the desired behavior of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+Â

+status·

++#/definitions/io.k8s.api.batch.v1.JobStatus"‡
Current status of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
N
+x-kubernetes-group-version-kind+)- group: batch
+  kind: Job
+  version: v1
+
+Òg
+io.k8s.api.core.v1.ServiceSpec¯g"FServiceSpec describes the attributes that a user creates on a service.²

+objectÊ
Øf
+×
+loadBalancerClassÁ"³loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.²

+string
+ã
+loadBalancerIPÐ"ÂOnly applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.²

+string
+“
+loadBalancerSourceRangesö"ÙIf specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/²

+arrayº

+²

+string
+«
+selectorž"€Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/ª

+²

+string²

+object
+¥
+sessionAffinity‘"ƒSupports "ClientIP" and "None". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies²

+string
+Õ
+topologyKeysÄ"§topologyKeys is a preference-order list of topology keys which implementations of services should use to preferentially sort endpoints when accessing this Service, it can not be used at the same time as externalTrafficPolicy=Local. Topology keys must be valid label keys and at most 16 keys may be specified. Endpoints are chosen based on the first topology key with available backends. If this field is specified and all entries have no backends that match the topology of the client, the service has no backends for that client and connections should fail. The special value "*" may be used to mean "any topology". This catch-all value, if used, only makes sense as the last value in the list. If this is not specified or empty, no topology constraints will be applied. This field is alpha-level and is only honored by servers that enable the ServiceTopology feature. This field is deprecated and will be removed in a future version.²

+arrayº

+²

+string
+Á
+externalTrafficPolicy§"™externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. "Local" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. "Cluster" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.²

+string
+ë
+
+clusterIPsÜ
"™
ClusterIPs is a list of IP addresses assigned to this service, and are usually assigned randomly.  If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be empty) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address.  Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName.  If this field is not specified, it will be initialized from the clusterIP field.  If this field is specified, clients must ensure that clusterIPs[0] and clusterIP have the same value.
+
+Unless the "IPv6DualStack" feature gate is enabled, this field is limited to one value, which must be the same as the clusterIP field.  If the feature gate is enabled, this field may hold a maximum of two entries (dual-stack IPs, in either order).  These IPs must correspond to the values of the ipFamilies field. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies²

+arrayº

+²

+stringú
#
+x-kubernetes-list-type	atomic
+
+•
+healthCheckNodePortýint32"çhealthCheckNodePort specifies the healthcheck nodePort for the service. This only applies when type is set to LoadBalancer and externalTrafficPolicy is set to Local. If a value is specified, is in-range, and is not in use, it will be used.  If not specified, a value will be automatically allocated.  External systems (e.g. load-balancers) can use this port to determine if a given node holds endpoints for this service or not.  If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type).²
	
+integer
+ö
+internalTrafficPolicyÜ"ÎInternalTrafficPolicy specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. "Cluster" routes internal traffic to a Service to all endpoints. "Local" routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. The default value is "Cluster".²

+string
+ˆ
+ipFamilyPolicyõ"çIPFamilyPolicy represents the dual-stack-ness requested or required by this Service, and is gated by the "IPv6DualStack" feature gate.  If there is no value provided, then this field will be set to SingleStack. Services can be "SingleStack" (a single IP family), "PreferDualStack" (two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or "RequireDualStack" (two IP families on dual-stack configured clusters, otherwise fail). The ipFamilies and clusterIPs fields depend on the value of this field.  This field will be wiped when updating a service to type ExternalName.²

+string
+¬
+publishNotReadyAddresses�"€publishNotReadyAddresses indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready. The primary use case for setting this field is for a StatefulSet's Headless Service to propagate SRV DNS records for its Pods for the purpose of peer discovery. The Kubernetes controllers that generate Endpoints and EndpointSlice resources for Services interpret this to mean that all endpoints are considered "ready" even if the Pods themselves are not. Agents which consume only Kubernetes generated endpoints through the Endpoints or EndpointSlice resources can safely assume this behavior.²
	
+boolean
+‰
+allocateLoadBalancerNodePortsç"ØallocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts. allocateLoadBalancerNodePorts may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is alpha-level and is only honored by servers that enable the ServiceLBNodePortControl feature.²
	
+boolean
+š

+sessionAffinityConfig€

+6#/definitions/io.k8s.api.core.v1.SessionAffinityConfig"FsessionAffinityConfig contains the configurations of session affinity.
+ñ
+
+ipFamiliesâ"ŸIPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this service, and is gated by the "IPv6DualStack" feature gate.  This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. If this field is specified manually, the requested family is available in the cluster, and ipFamilyPolicy allows it, it will be used; otherwise creation of the service will fail.  This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service.  Valid values are "IPv4" and "IPv6".  This field only applies to Services of types ClusterIP, NodePort, and LoadBalancer, and does apply to "headless" services.  This field will be wiped when updating a Service to type ExternalName.
+
+This field may hold a maximum of two entries (dual-stack families, in either order).  These families must correspond to the values of the clusterIPs field, if specified. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field.²

+arrayº

+²

+stringú
#
+x-kubernetes-list-type	atomic
+
+ò
+externalIPsâ"ÅexternalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service.  These IPs are not managed by Kubernetes.  The user is responsible for ensuring that traffic arrives at a node with this IP.  A common example is external load-balancers that are not part of the Kubernetes system.²

+arrayº

+²

+string
+¸
+externalName§"™externalName is the external reference that discovery mechanisms will return as an alias for this service (e.g. a DNS CNAME record). No proxying will be involved.  Must be a lowercase RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName".²

+string
+•
+ports‹"Ÿ
The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies²

+arrayº
0
+.
+,#/definitions/io.k8s.api.core.v1.ServicePortú
2
+x-kubernetes-list-map-keys- port
+- protocol
+ú
 
+x-kubernetes-list-typemap
+ú
'
+x-kubernetes-patch-merge-keyport
+ú
'
+x-kubernetes-patch-strategymerge
+
+‹
+type‚"ôtype determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. "ClusterIP" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object or EndpointSlice objects. If clusterIP is "None", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a virtual IP. "NodePort" builds on ClusterIP and allocates a port on every node which routes to the same endpoints as the clusterIP. "LoadBalancer" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. "ExternalName" aliases this service to the specified externalName. Several other fields do not apply to ExternalName services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types²

+string
+á
+	clusterIPÓ"ÅclusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies²

+string
+™
+-io.k8s.apimachinery.pkg.api.resource.Quantityç"ÙQuantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.
+
+The serialization format is:
+
+<quantity>        ::= <signedNumber><suffix>
+  (Note that <suffix> may be empty, from the "" case in <decimalSI>.)
+<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= "+" | "-" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
+  (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
+<decimalSI>       ::= m | "" | k | M | G | T | P | E
+  (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
+<decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
+
+No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.
+
+When a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.
+
+Before serializing, Quantity will be put in "canonical form". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:
+  a. No precision is lost
+  b. No fractional digits will be emitted
+  c. The exponent (or suffix) is as large as possible.
+The sign will be omitted unless the number is negative.
+
+Examples:
+  1.5 will be serialized as "1500m"
+  1.5Gi will be serialized as "1536Mi"
+
+Note that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.
+
+Non-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)
+
+This format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.²

+string
+Ù
+1io.k8s.api.autoscaling.v2beta2.ObjectMetricSource£"‰
ObjectMetricSource indicates how to scale on a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).š
describedObjectš
targetš
metric²

+objectÊ
ä
+]
+describedObjectJ
+H#/definitions/io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReference
+ƒ

+metricy
+=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector
+}
+targets
+9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric
+®
+(io.k8s.api.core.v1.AzureFileVolumeSource�"WAzureFile represents an Azure File Service mount on the host and bind mount to the pod.š

+secretNameš
	shareName²

+objectÊ
€
+x
+readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+^
+
+secretNameP"Cthe name of secret that contains Azure Storage Account Name and Key²

+string
+$
+	shareName"
+Share Name²

+string
+ƒ
+,io.k8s.api.core.v1.PersistentVolumeClaimSpecÒ
"�
PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes²

+objectÊ
¿
+Ë

+accessModes»
"ž
AccessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1²

+arrayº

+²

+string
+Ô
+
+dataSourceÅ
+:#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"†This field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) * An existing custom resource that implements data population (Alpha) In order to use custom resource types that implement data population, the AnyVolumeDataSource feature gate must be enabled. If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source.
+Þ

+	resourcesÐ

+5#/definitions/io.k8s.api.core.v1.ResourceRequirements"–
Resources represents the minimum resources the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+ƒ

+selectorw
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"3A label query over volumes to consider for binding.
+¤

+storageClassName�
"�
Name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1²

+string
+�

+
+volumeModeŽ
"€
volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.²

+string
+j
+
+volumeName\"OVolumeName is the binding reference to the PersistentVolume backing this claim.²

+string
+Æ	
+-io.k8s.api.flowcontrol.v1beta1.FlowSchemaList”	"/FlowSchemaList is a list of FlowSchema objects.š
items²

+objectÊ
Ô
+Þ

+metadataÑ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‘
`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+t
+itemsk"!`items` is a list of FlowSchemas.²

+arrayº
;
+9
+7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
u
+x-kubernetes-group-version-kindRP- group: flowcontrol.apiserver.k8s.io
+  kind: FlowSchemaList
+  version: v1beta1
+
+Ó
+$io.k8s.api.networking.v1.IngressRuleª
"ì
IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.²

+objectÊ
¬
+â
+
+hostÙ
+"Ë
+Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+   the IP in the Spec of the parent Ingress.
+2. The `:` delimiter is not respected because ports are not allowed.
+	  Currently the port of an Ingress is implicitly :80 for http and
+	  :443 for https.
+Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
+
+Host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.²

+string
+E
+http=
+;#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue
+º
+%io.k8s.api.networking.v1beta1.Ingress�
"€Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.²

+objectÊ
˜
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ý

+specÔ

+7#/definitions/io.k8s.api.networking.v1beta1.IngressSpec"˜
Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ã

+statusØ

+9#/definitions/io.k8s.api.networking.v1beta1.IngressStatus"š
Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
c
+x-kubernetes-group-version-kind@>- group: networking.k8s.io
+  kind: Ingress
+  version: v1beta1
+
+ä
+ io.k8s.api.core.v1.EndpointsList¿"%EndpointsList is a list of endpoints.š
items²

+objectÊ
©
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+X
+itemsO"List of endpoints.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.Endpoints
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
U
+x-kubernetes-group-version-kind20- version: v1
+  group: ""
+  kind: EndpointsList
+
+Ä
+"io.k8s.api.core.v1.ObjectReference�"]ObjectReference contains enough information to let you inspect or modify the referred object.²

+objectÊ
¯
+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+Ž

+	namespace€
"sNamespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/²

+string
+æ

+resourceVersionÒ
"Ä
Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency²

+string
+�

+uidz"mUID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids²

+string
+7
+
+apiVersion)"API version of the referent.²

+string
+Ô
+	fieldPathÆ"¸If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.²

+string
+—

+kindŽ
"€
Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+°	
+.io.k8s.api.core.v1.ReplicationControllerStatusý"VReplicationControllerStatus represents the current status of a replication controller.š
replicas²

+objectÊ
‹
+�

+availableReplicas{int32"fThe number of available replicas (ready for at least minReadySeconds) for this replication controller.²
	
+integer
+Ž
+
+conditionsÿ
"YRepresents the latest available observations of a replication controller's current state.²

+arrayº
C
+A
+?#/definitions/io.k8s.api.core.v1.ReplicationControllerConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+—

+fullyLabeledReplicasint32"jThe number of pods that have labels matching the labels of the pod template of the replication controller.²
	
+integer
+‹

+observedGenerationuint64"`ObservedGeneration reflects the generation of the most recently observed replication controller.²
	
+integer
+c
+
readyReplicasRint32"=The number of ready replicas for this replication controller.²
	
+integer
+×

+replicasÊ
int32"´
Replicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller²
	
+integer
+Û
+*io.k8s.api.networking.v1beta1.IngressClass¬"óIngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.²

+objectÊ
¼
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ç

+specÞ

+<#/definitions/io.k8s.api.networking.v1beta1.IngressClassSpec"�
Spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
h
+x-kubernetes-group-version-kindEC- version: v1beta1
+  group: networking.k8s.io
+  kind: IngressClass
+
+æ
+'io.k8s.api.policy.v1beta1.HostPortRangeº"�
HostPortRange defines a range of host ports that will be enabled by a policy for pods to use.  It requires both the start and end to be defined.š
minš
max²

+objectÊ
Œ

+C
+max<int32"'max is the end of the range, inclusive.²
	
+integer
+E
+min>int32")min is the start of the range, inclusive.²
	
+integer
+î	
+4io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListµ	"¦
APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.š
groupVersionš
	resources²

+objectÊ
ˆ
+§

+	resources™
"Hresources contains the name of the resources and if they are namespaced.²

+arrayº
B
+@
+>#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+_
+groupVersionO"BgroupVersion is the group and version this APIResourceList is for.²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
W
+x-kubernetes-group-version-kind42- version: v1
+  group: ""
+  kind: APIResourceList
+
+Í
+io.k8s.api.core.v1.EventList¬"EventList is a list of events.š
items²

+objectÊ
¡
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+P
+itemsG"List of events²

+arrayº
*
+(
+&#/definitions/io.k8s.api.core.v1.Event
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
Q
+x-kubernetes-group-version-kind.,- group: ""
+  kind: EventList
+  version: v1
+
+õ

+#io.k8s.api.core.v1.PodReadinessGateÍ
":PodReadinessGate contains the reference to a pod conditionš

conditionType²

+objectÊ
s
+q
+
conditionType`"SConditionType refers to a condition in the pod's condition list with matching type.²

+string
+Å
+\io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceScaleä"^CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.š
specReplicasPathš
statusReplicasPath²

+objectÊ
Í
+€
+statusReplicasPathé"ÛstatusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status`. If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource will default to 0.²

+string
+á
+labelSelectorPathË"½labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status` or `.spec`. Must be set to work with HorizontalPodAutoscaler. The field pointed by this JSON path must be a string field (not a complex selector struct) which contains a serialized label selector in string form. More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` subresource will default to the empty string.²

+string
+ã
+specReplicasPathÎ"ÀspecReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.spec`. If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.²

+string
+†
+0io.k8s.apimachinery.pkg.apis.meta.v1.StatusCauseÑ"xStatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.²

+objectÊ
È
+¶
+field¬"žThe field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed.  Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.
+
+Examples:
+  "name" - the field "name" on the current resource
+  "items[0].name" - the field "name" on the first array entry in "items"²

+string
+
+messaget"gA human-readable description of the cause of the error.  This field may be presented as-is to a reader.²

+string
+‹

+reason€
"sA machine-readable description of the cause of the error. If this value is empty there is no information available.²

+string
+ª
+io.k8s.api.core.v1.SecretŒ"‚
Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.²

+objectÊ
§
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ê
+
+stringData»"�stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API.ª

+²

+string²

+object
+M
+typeE"8Used to facilitate programmatic handling of secret data.²

+string
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Î
+dataÅ"¡Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4ª

+byte²

+string²

+object
+å

+	immutable×
"È
Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.²
	
+booleanú
N
+x-kubernetes-group-version-kind+)- version: v1
+  group: ""
+  kind: Secret
+
+å	
+2io.k8s.api.core.v1.StorageOSPersistentVolumeSource®	"2Represents a StorageOS persistent volume resource.²

+objectÊ
ë
+À

+fsTypeµ
"§
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.²

+string
+x
+readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+Ê

+	secretRef¼

+0#/definitions/io.k8s.api.core.v1.ObjectReference"‡
SecretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.
+‹

+
+volumeName}"pVolumeName is the human-readable name of the StorageOS volume.  Volume names are only unique within a namespace.²

+string
+Ð
+volumeNamespace¼"®VolumeNamespace specifies the scope of the volume within StorageOS.  If no namespace is specified then the Pod's namespace will be used.  This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.²

+string
+ñ
+io.k8s.api.node.v1.RuntimeClassÍ"ËRuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod.  For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/š
handler²

+objectÊ
†
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Ð
+handlerÄ"¶Handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration.  It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called "runc" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+µ

+metadata¨

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+â
+overheadÕ
+)#/definitions/io.k8s.api.node.v1.Overhead"§Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see
+ https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/
+This field is in beta starting v1.18 and is only honored by servers that enable the PodOverhead feature.
+–
+
+scheduling‡
++#/definitions/io.k8s.api.node.v1.Scheduling"×
Scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.ú
]
+x-kubernetes-group-version-kind:8- group: node.k8s.io
+  kind: RuntimeClass
+  version: v1
+
+û

+io.k8s.api.core.v1.NodeAddressØ
"8NodeAddress contains information for the node's address.š
typeš
address²

+objectÊ

+)
+address"The node address.²

+string
+R
+typeJ"=Node address type, one of Hostname, ExternalIP or InternalIP.²

+string
+›
+
+,io.k8s.api.core.v1.PersistentVolumeClaimListê	"CPersistentVolumeClaimList is a list of PersistentVolumeClaim items.š
items²

+objectÊ
ª
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Ø

+itemsÎ
"„
A list of persistent volume claims. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims²

+arrayº
:
+8
+6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
a
+x-kubernetes-group-version-kind><- kind: PersistentVolumeClaimList
+  version: v1
+  group: ""
+
+ž
+*io.k8s.api.apps.v1.DaemonSetUpdateStrategyï"XDaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.²

+objectÊ
†
+o
+typeg"ZType of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.²

+string
+’

+
rollingUpdate€

+7#/definitions/io.k8s.api.apps.v1.RollingUpdateDaemonSet"ERolling update config params. Present only if type = "RollingUpdate".
+ä
+,io.k8s.api.core.v1.CSIPersistentVolumeSource³"RRepresents storage that is managed by an external CSI volume driver (Beta feature)š
driverš
volumeHandle²

+objectÊ
¸
+­
+controllerPublishSecretRefŽ
+0#/definitions/io.k8s.api.core.v1.SecretReference"ÙControllerPublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+²

+volumeHandle¡
"“
VolumeHandle is the unique volume name returned by the CSI volume plugin’s CreateVolume to refer to the volume on all subsequent calls. Required.²

+string
+Ž

+fsTypeƒ
"vFilesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs".²

+string
+•
+nodePublishSecretRefü
+0#/definitions/io.k8s.api.core.v1.SecretReference"ÇNodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+¡
+nodeStageSecretRefŠ
+0#/definitions/io.k8s.api.core.v1.SecretReference"ÕNodeStageSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+x
+readOnlyl"^Optional: The value to pass to ControllerPublishVolumeRequest. Defaults to false (read/write).²
	
+boolean
+U
+volumeAttributesA"$Attributes of the volume to publish.ª

+²

+string²

+object
+×
+controllerExpandSecretRef¹
+0#/definitions/io.k8s.api.core.v1.SecretReference"„ControllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This is an alpha field and requires enabling ExpandCSIVolumes feature gate. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
+Y
+driverO"BDriver is the name of the driver to use for this volume. Required.²

+string
+Ù
+Bio.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationCondition’"LPriorityLevelConfigurationCondition defines the condition of priority level.²

+objectÊ
µ
+g
+message\"O`message` is a human-readable message indicating details about last transition.²

+string
+l
+reasonb"U`reason` is a unique, one-word, CamelCase reason for the condition's last transition.²

+string
+f
+status\"O`status` is the status of the condition. Can be True, False, Unknown. Required.²

+string
+C
+type;".`type` is the type of the condition. Required.²

+string
+®

+lastTransitionTime—

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"\`lastTransitionTime` is the last time the condition transitioned from one status to another.
+•
+/io.k8s.api.storage.v1beta1.VolumeAttachmentSpecá"HVolumeAttachmentSpec is the specification of a VolumeAttachment request.š
attacherš
sourceš
nodeName²

+objectÊ
é
+—

+attacherŠ
"}Attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().²

+string
+H
+nodeName<"/The node that the volume should be attached to.²

+string
+‚

+sourcex
+?#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentSource"5Source represents the volume that should be attached.
+û
+%io.k8s.api.discovery.v1.EndpointSliceÑ"Ü
EndpointSlice represents a subset of the endpoints that implement a service. For a given service there may be multiple EndpointSlice objects, selected by labels, which must be joined to produce the full set of endpoints.š
addressTypeš
	endpoints²

+objectÊ
ã
+ð
+addressTypeà"ÒaddressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.²

+string
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+ß

+	endpointsÑ
"jendpoints is a list of unique endpoints in this slice. Each slice may include a maximum of 1000 endpoints.²

+arrayº
2
+0
+.#/definitions/io.k8s.api.discovery.v1.Endpointú
#
+x-kubernetes-list-type	atomic
+
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+¤
+portsš"®ports specifies the list of network ports exposed by each endpoint in this slice. Each port must have a unique name. When ports is empty, it indicates that there are no defined ports. When a port is defined with a nil port value, it indicates "all ports". Each slice may include a maximum of 100 ports.²

+arrayº
6
+4
+2#/definitions/io.k8s.api.discovery.v1.EndpointPortú
#
+x-kubernetes-list-type	atomic
+ú
c
+x-kubernetes-group-version-kind@>- group: discovery.k8s.io
+  kind: EndpointSlice
+  version: v1
+
+å
+'io.k8s.api.storage.v1beta1.TokenRequest¹"<TokenRequest contains parameters of a service account token.š
audience²

+objectÊ
á
+È

+expirationSeconds²
int64"œ
ExpirationSeconds is the duration of validity of the token in "TokenRequestSpec". It has the same default value of "ExpirationSeconds" in "TokenRequestSpec"²
	
+integer
+“

+audience†
"yAudience is the intended audience of the token in "TokenRequestSpec". It will default to the audiences of kube apiserver.²

+string
+ç
+.io.k8s.api.core.v1.ISCSIPersistentVolumeSource´
"®
ISCSIPersistentVolumeSource represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.š
targetPortalš
iqnš
lun²

+objectÊ
Ù
+V
+chapAuthDiscoveryA"3whether support iSCSI Discovery CHAP authentication²
	
+boolean
+µ
+fsTypeª"œFilesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi²

+string
+Ô

+
initiatorNameÂ
"´
Custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface <target portal>:<volume name> will be created for the connection.²

+string
+0
+iqn)"Target iSCSI Qualified Name.²

+string
+n
+iscsiInterface\"OiSCSI Interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).²

+string
+4
+lun-int32"iSCSI Target Lun number.²
	
+integer
+³

+portals§
"Š
iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).²

+arrayº

+²

+string
+k
+readOnly_"QReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.²
	
+boolean
+z
+	secretRefm
+0#/definitions/io.k8s.api.core.v1.SecretReference"9CHAP Secret for iSCSI target and initiator authentication
+¤

+targetPortal“
"…
iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).²

+string
+R
+chapAuthSession?"1whether support iSCSI Session CHAP authentication²
	
+boolean
+â	
+ io.k8s.api.core.v1.NamespaceList½	"&NamespaceList is a list of Namespaces.š
items²

+objectÊ
¦
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Ô

+itemsÊ
"Œ
Items is the list of Namespace objects in the list. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.Namespace
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
U
+x-kubernetes-group-version-kind20- kind: NamespaceList
+  version: v1
+  group: ""
+
+¥	
+0io.k8s.api.networking.v1.NetworkPolicyEgressRuleð"Ð
NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8²

+objectÊ
Ž
+¯
+ports¥"ÙList of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort
+Ù
+toÒ"†List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer
+Ž

+6io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpecT²

+objectÊ
F
+D
+	namespace7"*Namespace to evaluate rules for. Required.²

+string
+ú
+io.k8s.api.core.v1.NodeListÚ"ONodeList is the whole list of all Nodes which have been registered with master.š
items²

+objectÊ
Ÿ
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+N
+itemsE"
List of nodes²

+arrayº
)
+'
+%#/definitions/io.k8s.api.core.v1.Node
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
P
+x-kubernetes-group-version-kind-+- group: ""
+  kind: NodeList
+  version: v1
+
+•
+$io.k8s.api.core.v1.LocalVolumeSourceì"LLocal represents directly-attached storage with node affinity (Beta feature)š
path²

+objectÊ
ˆ
+€
+fsTypeõ
"ç
Filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a fileystem if unspecified.²

+string
+‚

+pathz"mThe full path to the volume on the node. It can be either a directory or block device (disk, partition, ...).²

+string
+Ý
+)io.k8s.api.networking.v1beta1.IngressRule¯
"ì
IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.²

+objectÊ
±
+â
+
+hostÙ
+"Ë
+Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+   the IP in the Spec of the parent Ingress.
+2. The `:` delimiter is not respected because ports are not allowed.
+	  Currently the port of an Ingress is implicitly :80 for http and
+	  :443 for https.
+Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
+
+Host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.²

+string
+J
+httpB
+@#/definitions/io.k8s.api.networking.v1beta1.HTTPIngressRuleValue
+‚	
+ io.k8s.api.rbac.v1beta1.RoleListÝ"�
RoleList is a collection of Roles Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleList, and will no longer be served in v1.22.š
items²

+objectÊ
Å
+f
+metadataZ
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+^
+itemsU"Items is a list of Roles²

+arrayº
.
+,
+*#/definitions/io.k8s.api.rbac.v1beta1.Role
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
l
+x-kubernetes-group-version-kindIG- group: rbac.authorization.k8s.io
+  kind: RoleList
+  version: v1beta1
+
+Ž	
+&io.k8s.api.storage.v1beta1.CSINodeListã"/CSINodeList is a collection of CSINode objects.š
items²

+objectÊ
´
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+h
+items_"items is the list of CSINode²

+arrayº
4
+2
+0#/definitions/io.k8s.api.storage.v1beta1.CSINode
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
d
+x-kubernetes-group-version-kindA?- kind: CSINodeList
+  version: v1beta1
+  group: storage.k8s.io
+
+Í
+3io.k8s.api.authorization.v1.SubjectAccessReviewSpec•"¢
SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set²

+objectÊ
á
+ª

+nonResourceAttributes�

+?#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes"MNonResourceAttributes describes information for a non-resource access request
+ª

+resourceAttributes“

+<#/definitions/io.k8s.api.authorization.v1.ResourceAttributes"SResourceAuthorizationAttributes describes information for a resource access request
+>
+uid7"*UID information about the requesting user.²

+string
+«

+user¢
"”
User is the user you're testing for. If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups²

+string
+Æ

+extra¼
"�
Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer it needs a reflection here.ª

+²

+arrayº

+²

+string²

+object
+N
+groupsD"(Groups is the groups you're testing for.²

+arrayº

+²

+string
+�
+io.k8s.api.core.v1.EventSeriesÞ"qEventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time.²

+objectÊ
Ü

+`
+countWint32"BNumber of occurrences in this series up to the last heartbeat time²
	
+integer
+x
+lastObservedTimed
+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"$Time of the last occurrence observed
+Ò
+)io.k8s.api.extensions.v1beta1.IngressSpec¤
";IngressSpec describes the Ingress the user wishes to exist.²

+objectÊ
Ø
+º
+backend®
+:#/definitions/io.k8s.api.extensions.v1beta1.IngressBackend"ï
A default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default.
+´
+ingressClassNameŸ"‘IngressClassName is the name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field. The controller may emit a warning if the field and annotation have different values. Implementations of this API should ignore Ingresses without a class specified. An IngressClass resource may be marked as default, which can be used to set a default value for this field. For more information, refer to the IngressClass documentation.²

+string
+Ø

+rulesÎ
"ƒ
A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.²

+arrayº
;
+9
+7#/definitions/io.k8s.api.extensions.v1beta1.IngressRule
+†
+tlsþ"´TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.²

+arrayº
:
+8
+6#/definitions/io.k8s.api.extensions.v1beta1.IngressTLS
+§	
+*io.k8s.api.networking.v1.NetworkPolicyListø"5NetworkPolicyList is a list of NetworkPolicy objects.š
items²

+objectÊ
¿
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+r
+itemsi""Items is a list of schema objects.²

+arrayº
8
+6
+4#/definitions/io.k8s.api.networking.v1.NetworkPolicy
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
h
+x-kubernetes-group-version-kindEC- group: networking.k8s.io
+  kind: NetworkPolicyList
+  version: v1
+
+Ò

+=io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON�
"�
JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.
+µ
+2io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorþ"Ë
A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.²

+objectÊ
ü
+É

+matchExpressions´
"VmatchExpressions is a list of label selector requirements. The requirements are ANDed.²

+arrayº
O
+M
+K#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement
+­
+matchLabels�"ÿ
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.ª

+²

+string²

+objectú
"
+x-kubernetes-map-type	atomic
+
+Š
+&io.k8s.api.core.v1.ResourceQuotaStatusß"FResourceQuotaStatus defines the enforced hard limits and observed use.²

+objectÊ
ˆ
+à

+hard×
"‡
Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+¢

+used™
"JUsed is the current observed total usage of the resource in the namespace.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+Ú
+*io.k8s.api.core.v1.WeightedPodAffinityTerm«"vThe weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)š
weightš
podAffinityTerm²

+objectÊ
‰
+u
+weightkint32"Vweight associated with matching the corresponding podAffinityTerm, in the range 1-100.²
	
+integer
+�

+podAffinityTerm|
+0#/definitions/io.k8s.api.core.v1.PodAffinityTerm"HRequired. A pod affinity term, associated with the corresponding weight.
+¹
+1io.k8s.api.flowcontrol.v1beta1.ResourcePolicyRuleƒ" ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) least one member of namespaces matches the request.š
verbsš
	apiGroupsš
	resources²

+objectÊ
±
+´
+clusterScope£"”`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.²
	
+boolean
+÷
+
+namespacesè"¨`namespaces` is a list of target namespaces that restricts matches.  A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains "*".  Note that "*" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+Í
+	resources¿"ÿ
`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource.  For example, [ "services", "nodes/status" ].  This list may not be empty. "*" matches all resources and, if present, must be the only entry. Required.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+Ì

+verbsÂ
"‚
`verbs` is a list of matching verbs and may not be empty. "*" matches all verbs and, if present, must be the only entry. Required.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+Þ

+	apiGroupsÐ
"�
`apiGroups` is a list of matching API groups and may not be empty. "*" matches all API groups and, if present, must be the only entry. Required.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+÷	
+-io.k8s.api.policy.v1beta1.PodDisruptionBudgetÅ	"hPodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods²

+objectÊ
å
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+�

+spec„

+?#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetSpec"ASpecification of the desired behavior of the PodDisruptionBudget.
+ˆ

+status~
+A#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetStatus"9Most recently observed status of the PodDisruptionBudget.ú
d
+x-kubernetes-group-version-kindA?- group: policy
+  kind: PodDisruptionBudget
+  version: v1beta1
+
+…,
+:io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookÆ+"`ValidatingWebhook describes an admission webhook and the resources and operations it applies to.š
nameš
clientConfig²

+objectÊ
¿*
+é
+objectSelectorÖ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‘ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
+î
+rulesä"‡Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.²

+arrayº
M
+K
+I#/definitions/io.k8s.api.admissionregistration.v1beta1.RuleWithOperations
+œ
+timeoutSeconds‰int32"ó
TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 30 seconds.²
	
+integer
+°
+admissionReviewVersions”"÷AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy. Default to `['v1beta1']`.²

+arrayº

+²

+string
+ž

+clientConfig�

+J#/definitions/io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig"?ClientConfig defines how to communicate with the hook. Required
+—
+matchPolicy‡"ùmatchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
+
+- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+
+- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+
+Defaults to "Exact"²

+string
+Ø
+sideEffectsÈ"ºSideEffects states whether this webhook has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.²

+string
+®

+
failurePolicyœ
"Ž
FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.²

+string
+ç

+nameÞ
"Ð
The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.²

+string
+Ü	
+namespaceSelectorÆ	
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"�	NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
+
+For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
+  "matchExpressions": [
+    {
+      "key": "runlevel",
+      "operator": "NotIn",
+      "values": [
+        "0",
+        "1"
+      ]
+    }
+  ]
+}
+
+If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
+  "matchExpressions": [
+    {
+      "key": "environment",
+      "operator": "In",
+      "values": [
+        "prod",
+        "staging"
+      ]
+    }
+  ]
+}
+
+See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
+
+Default to the empty LabelSelector, which matches everything.
+…	
+$io.k8s.api.coordination.v1.LeaseListÜ"%LeaseList is a list of Lease objects.š
items²

+objectÊ
¹
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+l
+itemsc""Items is a list of schema objects.²

+arrayº
2
+0
+.#/definitions/io.k8s.api.coordination.v1.Lease
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
b
+x-kubernetes-group-version-kind?=- version: v1
+  group: coordination.k8s.io
+  kind: LeaseList
+
+«	
+io.k8s.api.core.v1.SecretList‰	"SecretList is a list of Secret.š
items²

+objectÊ
ü
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+ª

+items 
"fItems is a list of secret objects. More info: https://kubernetes.io/docs/concepts/configuration/secret²

+arrayº
+
+)
+'#/definitions/io.k8s.api.core.v1.Secret
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
R
+x-kubernetes-group-version-kind/-- group: ""
+  kind: SecretList
+  version: v1
+
+�	
+#io.k8s.api.node.v1.RuntimeClassListè"3RuntimeClassList is a list of RuntimeClass objects.š
items²

+objectÊ
¸
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+k
+itemsb""Items is a list of schema objects.²

+arrayº
1
+/
+-#/definitions/io.k8s.api.node.v1.RuntimeClass
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
a
+x-kubernetes-group-version-kind><- group: node.k8s.io
+  kind: RuntimeClassList
+  version: v1
+
+Ÿ
+3io.k8s.api.autoscaling.v2beta1.ExternalMetricStatusç"nExternalMetricStatus indicates the current value of a global metric not associated with any Kubernetes object.š

+metricNameš
currentValue²

+objectÊ
Ì
+Ž

+currentValue~
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"?currentValue is the current value of the metric (as a quantity)
+d
+
+metricNameV"ImetricName is the name of a metric used for autoscaling in metric system.²

+string
+§

+metricSelector”

+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"PmetricSelector is used to identify a specific time series within a given metric.
+¨

+currentAverageValue�

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"QcurrentAverageValue is the current value of metric averaged over autoscaled pods.
+ì
++io.k8s.api.autoscaling.v2beta2.MetricStatus¼">MetricStatus describes the last-read state of a single metric.š
type²

+objectÊ
æ
+Ë
+containerResourceµ
+J#/definitions/io.k8s.api.autoscaling.v2beta2.ContainerResourceMetricStatus"æcontainer resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
+ô
+externalç
+A#/definitions/io.k8s.api.autoscaling.v2beta2.ExternalMetricStatus"¡external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).
+Â

+object·

+?#/definitions/io.k8s.api.autoscaling.v2beta2.ObjectMetricStatus"tobject refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).
+•
+podsŒ
+=#/definitions/io.k8s.api.autoscaling.v2beta2.PodsMetricStatus"Ê
pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.
+™
+resourceŒ
+A#/definitions/io.k8s.api.autoscaling.v2beta2.ResourceMetricStatus"Æresource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
+¥
+typeœ"Žtype is the type of metric source.  It will be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled²

+string
+î
+#io.k8s.api.core.v1.FlexVolumeSourceÆ"hFlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.š
driver²

+objectÊ
Ä
+Ä

+fsType¹
"«
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.²

+string
+O
+optionsD"'Optional: Extra command options if any.ª

+²

+string²

+object
+‚

+readOnlyv"hOptional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+Ó
+	secretRefÅ
+5#/definitions/io.k8s.api.core.v1.LocalObjectReference"‹Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.
+O
+driverE"8Driver is the name of the driver to use for this volume.²

+string
+¥
+?io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationStatusá"VPriorityLevelConfigurationStatus represents the current state of a "request-priority".²

+objectÊ
ú

+÷

+
+conditionsè
"8`conditions` is the current state of "request-priority".²

+arrayº
T
+R
+P#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationConditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+
+Œ
+%io.k8s.api.rbac.v1.ClusterRoleBindingâ
+"Ÿ
ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace, and adds who information via Subject.š
roleRef²

+objectÊ
³
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+Â

+roleRef¶

+(#/definitions/io.k8s.api.rbac.v1.RoleRef"‰
RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.
+„

+subjectsx"=Subjects holds references to the objects the role applies to.²

+arrayº
,
+*
+(#/definitions/io.k8s.api.rbac.v1.Subjectú
q
+x-kubernetes-group-version-kindNL- group: rbac.authorization.k8s.io
+  kind: ClusterRoleBinding
+  version: v1
+
+ý
+
+io.k8s.api.rbac.v1.PolicyRuleÛ
+"¡
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.š
verbs²

+objectÊ
 	
+ó

+	apiGroupså
"È
APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.²

+arrayº

+²

+string
+¼
+nonResourceURLs¨"‹NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.²

+arrayº

+²

+string
+¨

+
resourceNames–
"zResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.²

+arrayº

+²

+string
+†

+	resourcesy"]Resources is a list of resources this rule applies to.  ResourceAll represents all resources.²

+arrayº

+²

+string
+´

+verbsª
"�
Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.²

+arrayº

+²

+string
+à
+7io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview¤"ˆSelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.š
spec²

+objectÊ
‹
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+�

+spec†

+I#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewSpec"9Spec holds information about the request being evaluated.
+¬

+status¡

+G#/definitions/io.k8s.api.authorization.v1beta1.SubjectRulesReviewStatus"VStatus is filled in by the server and indicates the set of actions a user can perform.ú
u
+x-kubernetes-group-version-kindRP- group: authorization.k8s.io
+  kind: SelfSubjectRulesReview
+  version: v1beta1
+
+Â
+io.k8s.api.autoscaling.v1.Scalež"2Scale represents a scaling request for a resource.²

+objectÊ
‚
+
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ñ

+metadataÄ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+Ñ

+specÈ

+1#/definitions/io.k8s.api.autoscaling.v1.ScaleSpec"’
defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+Ú

+statusÏ

+3#/definitions/io.k8s.api.autoscaling.v1.ScaleStatus"—
current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
V
+x-kubernetes-group-version-kind31- group: autoscaling
+  kind: Scale
+  version: v1
+
+è
+Iio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReferenceš";ServiceReference holds a reference to Service.legacy.k8s.ioš
	namespaceš
name²

+objectÊ
»
+>
+name6")name is the name of the service. Required²

+string
+M
+	namespace@"3namespace is the namespace of the service. Required²

+string
+Y
+pathQ"Dpath is an optional URL path at which the webhook will be contacted.²

+string
+Î

+portÅ
int32"¯
port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.²
	
+integer
+Ò
+Cio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReferenceŠ";ServiceReference holds a reference to Service.legacy.k8s.io²

+objectÊ
¾
+4
+name,"Name is the name of the service²

+string
+C
+	namespace6")Namespace is the namespace of the service²

+string
+À

+port·
int32"¡
If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).²
	
+integer
+¾	
+-io.k8s.api.authentication.v1.TokenRequestSpecŒ	"HTokenRequestSpec contains client provided parameters of a token request.š
	audiences²

+objectÊ
§
+•
+	audiences‡"êAudiences are the intendend audiences of the token. A recipient of a token must identitfy themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.²

+arrayº

+²

+string
+Ž
+boundObjectRefû
+?#/definitions/io.k8s.api.authentication.v1.BoundObjectReference"·BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.
+û

+expirationSecondså
int64"Ï
ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.²
	
+integer
+æ
+8io.k8s.api.networking.v1.IngressClassParametersReference©"}IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.š
kindš
name²

+objectÊ
�
+Â

+	namespace´
"¦
Namespace is the namespace of the resource being referenced. This field is required when scope is set to "Namespace" and must be unset when scope is set to "Cluster".²

+string
+Þ

+scopeÔ
"Æ
Scope represents if this refers to a cluster or namespace scoped resource. This may be set to "Cluster" (default) or "Namespace". Field can be enabled with IngressClassNamespacedParams feature gate.²

+string
+Ú

+apiGroupÍ
"¿
APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.²

+string
+C
+kind;".Kind is the type of resource being referenced.²

+string
+C
+name;".Name is the name of resource being referenced.²

+string
+�
+io.k8s.api.core.v1.Probeä"€
Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.²

+objectÊ
Ò
+‘

+execˆ

++#/definitions/io.k8s.api.core.v1.ExecAction"YOne and only one of the following should be specified. Exec specifies the action to take.
+§

+failureThreshold’
int32"}Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.²
	
+integer
+k
+httpGet`
+.#/definitions/io.k8s.api.core.v1.HTTPGetAction".HTTPGet specifies the http request to perform.
+}
+
periodSecondslint32"WHow often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.²
	
+integer
+â

+timeoutSecondsÏ
int32"¹
Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes²
	
+integer
+â

+initialDelaySecondsÊ
int32"´
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes²
	
+integer
+Î

+successThreshold¹
int32"£
Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.²
	
+integer
+‘

+	tcpSocketƒ

+0#/definitions/io.k8s.api.core.v1.TCPSocketAction"OTCPSocket specifies an action involving a TCP port. TCP hooks not yet supported
+ö
+terminationGracePeriodSecondsÔint64"¾Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate.²
	
+integer
+Ü
+,io.k8s.api.storage.v1.VolumeAttachmentStatus«"CVolumeAttachmentStatus is the status of a VolumeAttachment request.š
attached²

+objectÊ
Ì
+æ

+attachErrorÖ

+/#/definitions/io.k8s.api.storage.v1.VolumeError"¢
The last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.
+±

+attached¤
"•
Indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.²
	
+boolean
+Ã
+attachmentMetadata¬"ŽUpon successful attach, this field is populated with any information returned by the attach operation that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.ª

+²

+string²

+object
+æ

+detachErrorÖ

+/#/definitions/io.k8s.api.storage.v1.VolumeError"¢
The last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.
+‰
+'io.k8s.api.core.v1.HostPathVolumeSourceÝ"vRepresents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.š
path²

+objectÊ
Ï
+Å

+path¼
"®
Path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath²

+string
+„

+type|"oType for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath²

+string
+Æ
+$io.k8s.api.core.v1.ISCSIVolumeSource�
"’
Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.š
targetPortalš
iqnš
lun²

+objectÊ
Þ
+n
+iscsiInterface\"OiSCSI Interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).²

+string
+4
+lun-int32"iSCSI Target Lun number.²
	
+integer
+
+	secretRefr
+5#/definitions/io.k8s.api.core.v1.LocalObjectReference"9CHAP Secret for iSCSI target and initiator authentication
+0
+iqn)"Target iSCSI Qualified Name.²

+string
+³

+portals§
"Š
iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).²

+arrayº

+²

+string
+k
+readOnly_"QReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.²
	
+boolean
+¤

+targetPortal“
"…
iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).²

+string
+V
+chapAuthDiscoveryA"3whether support iSCSI Discovery CHAP authentication²
	
+boolean
+R
+chapAuthSession?"1whether support iSCSI Session CHAP authentication²
	
+boolean
+µ
+fsTypeª"œFilesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi²

+string
+Ô

+
initiatorNameÂ
"´
Custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface <target portal>:<volume name> will be created for the connection.²

+string
+–
+'io.k8s.api.core.v1.PortworxVolumeSourceê";PortworxVolumeSource represents a Portworx volume resource.š
volumeID²

+objectÊ
“
+Í

+fsTypeÂ
"´
FSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.²

+string
+x
+readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+G
+volumeID;".VolumeID uniquely identifies a Portworx volume²

+string
+¬
+@io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationç
+"‚
MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.²

+objectÊ
Ò
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ñ

+metadataÄ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+þ

+webhooksñ
"IWebhooks is a list of webhooks and the affected resources and operations.²

+arrayº
E
+C
+A#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookú
'
+x-kubernetes-patch-strategymerge
+ú
'
+x-kubernetes-patch-merge-keyname
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
~
+x-kubernetes-group-version-kind[Y- group: admissionregistration.k8s.io
+  kind: MutatingWebhookConfiguration
+  version: v1
+
+¼
+)io.k8s.api.coordination.v1beta1.LeaseSpecŽ"(LeaseSpec is a specification of a Lease.²

+objectÊ
Õ
+e
+holderIdentityS"FholderIdentity contains the identity of the holder of a current lease.²

+string
+È

+leaseDurationSeconds¯
int32"™
leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed RenewTime.²
	
+integer
+r
+leaseTransitions^int32"IleaseTransitions is the number of transitions of a lease between holders.²
	
+integer
+ 

+	renewTime’

+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"RrenewTime is a time when the current holder of a lease has last updated the lease.
+‰

+acquireTimez
+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime":acquireTime is a time when the current lease was acquired.
+¸
+,io.k8s.api.apps.v1.StatefulSetUpdateStrategy‡"Ï
StatefulSetUpdateStrategy indicates the strategy that the StatefulSet controller will use to perform updates. It includes any additional parameters necessary to perform the update for the indicated strategy.²

+objectÊ
¦
+¹

+
rollingUpdate§

+A#/definitions/io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy"bRollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+h
+type`"SType indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate.²

+string
+²
+=io.k8s.api.certificates.v1beta1.CertificateSigningRequestSpecð"¾
This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.š
request²

+objectÊ
–
+¤
+usages™"ÖallowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+     https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+Valid values are:
+ "signing",
+ "digital signature",
+ "content commitment",
+ "key encipherment",
+ "key agreement",
+ "data encipherment",
+ "cert sign",
+ "crl sign",
+ "encipher only",
+ "decipher only",
+ "any",
+ "server auth",
+ "client auth",
+ "code signing",
+ "email protection",
+ "s/mime",
+ "ipsec end system",
+ "ipsec tunnel",
+ "ipsec user",
+ "timestamping",
+ "ocsp signing",
+ "microsoft sgc",
+ "netscape sgc"²

+arrayº

+²

+stringú
#
+x-kubernetes-list-type	atomic
+
+d
+usernameX"KInformation about the requesting user. See user.Info interface for details.²

+string
+†

+extra}"QExtra information about the requesting user. See user.Info interface for details.ª

+²

+arrayº

+²

+string²

+object
+ž

+groups“
"QGroup information about the requesting user. See user.Info interface for details.²

+arrayº

+²

+stringú
#
+x-kubernetes-list-type	atomic
+
+c
+requestXbyte"Base64-encoded PKCS#10 CSR data²

+stringú
#
+x-kubernetes-list-type	atomic
+
+’
+
+signerNameƒ"õRequested signer for the request. It is a qualified name in the form: `scope-hostname.io/name`. If empty, it will be defaulted:
+ 1. If it's a kubelet client certificate, it is assigned
+    "kubernetes.io/kube-apiserver-client-kubelet".
+ 2. If it's a kubelet serving certificate, it is assigned
+    "kubernetes.io/kubelet-serving".
+ 3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
+Distribution of trust for signers happens out of band. You can select on this field using `spec.signerName`.²

+string
+c
+uid\"OUID information about the requesting user. See user.Info interface for details.²

+string
+õ
+#io.k8s.api.core.v1.VolumeProjectionÍ"HProjection that may be projected along with other supported volume types²

+objectÊ
ô
+’

+serviceAccountToken{
+>#/definitions/io.k8s.api.core.v1.ServiceAccountTokenProjection"9information about the serviceAccountToken data to project
+t
+	configMapg
+4#/definitions/io.k8s.api.core.v1.ConfigMapProjection"/information about the configMap data to project
+z
+downwardAPIk
+6#/definitions/io.k8s.api.core.v1.DownwardAPIProjection"1information about the downwardAPI data to project
+k
+secreta
+1#/definitions/io.k8s.api.core.v1.SecretProjection",information about the secret data to project
+¹
+Eio.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationï"ÿ
MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration instead.²

+objectÊ
×
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ñ

+metadataÄ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+ƒ
+webhooksö
"IWebhooks is a list of webhooks and the affected resources and operations.²

+arrayº
J
+H
+F#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookú
'
+x-kubernetes-patch-merge-keyname
+ú
'
+x-kubernetes-patch-strategymerge
+ú
ƒ

+x-kubernetes-group-version-kind`^- group: admissionregistration.k8s.io
+  kind: MutatingWebhookConfiguration
+  version: v1beta1
+
+È
+Gio.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationü"ˆValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration instead.²

+objectÊ
Ù
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ñ

+metadataÄ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+…
+webhooksø
"IWebhooks is a list of webhooks and the affected resources and operations.²

+arrayº
L
+J
+H#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookú
'
+x-kubernetes-patch-strategymerge
+ú
'
+x-kubernetes-patch-merge-keyname
+ú
…

+x-kubernetes-group-version-kindb`- version: v1beta1
+  group: admissionregistration.k8s.io
+  kind: ValidatingWebhookConfiguration
+
+©	
++io.k8s.api.storage.v1beta1.StorageClassListù"4StorageClassList is a collection of storage classes.š
items²

+objectÊ
À
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+t
+itemsk"#Items is the list of StorageClasses²

+arrayº
9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.StorageClass
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
i
+x-kubernetes-group-version-kindFD- group: storage.k8s.io
+  kind: StorageClassList
+  version: v1beta1
+
+´
+
+Bio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceí	"[APIService represents a server for a particular GroupVersion. Name must be "version.group".²

+objectÊ
“
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+§

+specž

+T#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceSpec"FSpec contains information for locating and communicating with a server
+œ

+status‘

+V#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceStatus"7Status contains derived information about an API serverú
k
+x-kubernetes-group-version-kindHF- group: apiregistration.k8s.io
+  kind: APIService
+  version: v1beta1
+
+±
+3io.k8s.api.autoscaling.v2beta2.ExternalMetricSourceù"Ð
ExternalMetricSource indicates how to scale on a metric not associated with any Kubernetes object (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).š
metricš
target²

+objectÊ
…
+ƒ

+metricy
+=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector
+}
+targets
+9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric
+Ž
+
+*io.k8s.api.networking.v1.NetworkPolicyPeerß	"lNetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed²

+objectÊ
â
+«

+ipBlockŸ

+.#/definitions/io.k8s.api.networking.v1.IPBlock"mIPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
+Ú
+namespaceSelectorÄ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ÿSelects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
+
+If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
+Ô
+podSelectorÄ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ÿThis is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
+
+If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
+è	
+(io.k8s.api.core.v1.EphemeralVolumeSource»	"JRepresents an ephemeral volume that is handled by a normal storage driver.²

+objectÊ
à
+Ý
+volumeClaimTemplateÅ
+>#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimTemplate"‚Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod.  The name of the PVC will be `<pod name>-<volume name>` where `<volume name>` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long).
+
+An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster.
+
+This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.
+
+Required, must not be nil.
+ö
+io.k8s.api.core.v1.LifecycleÕ"ªLifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.²

+objectÊ
™	
+�
+	postStartó
+(#/definitions/io.k8s.api.core.v1.Handler"ÆPostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+’
+preStop†
+(#/definitions/io.k8s.api.core.v1.Handler"ÙPreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+Ü

+*io.k8s.api.policy.v1beta1.AllowedCSIDriver­
"RAllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.š
name²

+objectÊ
D
+B
+name:"-Name is the registered name of the CSI driver²

+string
+Š
+*io.k8s.api.storage.v1.VolumeAttachmentSpecÛ"HVolumeAttachmentSpec is the specification of a VolumeAttachment request.š
attacherš
sourceš
nodeName²

+objectÊ
ã
+—

+attacherŠ
"}Attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().²

+string
+H
+nodeName<"/The node that the volume should be attached to.²

+string
+}
+sources
+:#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSource"5Source represents the volume that should be attached.
+º
+Bio.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationó
+"‰
ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.²

+objectÊ
Ô
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ñ

+metadataÄ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+€
+webhooksó
"IWebhooks is a list of webhooks and the affected resources and operations.²

+arrayº
G
+E
+C#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookú
'
+x-kubernetes-patch-merge-keyname
+ú
'
+x-kubernetes-patch-strategymerge
+ú
€

+x-kubernetes-group-version-kind][- group: admissionregistration.k8s.io
+  kind: ValidatingWebhookConfiguration
+  version: v1
+
+Ø	
+3io.k8s.api.autoscaling.v2beta1.ResourceMetricStatus 	"ÝResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.š
nameš
currentAverageValue²

+objectÊ
”
+×
+currentAverageUtilization¹int32"£currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.  It will only be present if `targetAverageValue` was set in the corresponding metric specification.²
	
+integer
+ó
+currentAverageValueÛ
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"›currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the "pods" metric source type. It will always be set, regardless of the corresponding metric specification.
+B
+name:"-name is the name of the resource in question.²

+string
+‘
+%io.k8s.api.core.v1.VolumeNodeAffinityç
"^VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.²

+objectÊ
y
+w
+requiredk
+-#/definitions/io.k8s.api.core.v1.NodeSelector":Required specifies hard node constraints that must be met.
+µ
+ io.k8s.api.node.v1beta1.Overhead�"ROverhead structure represents the resource overhead associated with running a pod.²

+objectÊ
­

+ª

+podFixed�
"NPodFixed represents the fixed resource overhead associated with running a pod.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+˜
+$io.k8s.api.apps.v1.StatefulSetStatusï
"@StatefulSetStatus represents the current state of a StatefulSet.š
replicas²

+objectÊ
“
+ù

+
+conditionsê
"NRepresents the latest available observations of a statefulset's current state.²

+arrayº
9
+7
+5#/definitions/io.k8s.api.apps.v1.StatefulSetConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+¤

+currentRevision�
"‚
currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas).²

+string
+¯

+updatedReplicas›
int32"…
updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by updateRevision.²
	
+integer
+f
+replicasZint32"Ereplicas is the number of Pods created by the StatefulSet controller.²
	
+integer
+±

+updateRevisionž
"�
updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas)²

+string
+þ

+collisionCountë
int32"Õ
collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.²
	
+integer
+°

+currentReplicasœ
int32"†
currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by currentRevision.²
	
+integer
+Ü

+observedGenerationÅ
int64"¯
observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the StatefulSet's generation, which is updated on mutation by the API Server.²
	
+integer
+Œ

+
readyReplicas{int32"freadyReplicas is the number of Pods created by the StatefulSet controller that have a Ready Condition.²
	
+integer
+“

+;io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewSpecT²

+objectÊ
F
+D
+	namespace7"*Namespace to evaluate rules for. Required.²

+string
+„
+=io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationSpecÂ"OPriorityLevelConfigurationSpec specifies the configuration of a priority level.š
type²

+objectÊ
ø
+ì

+limitedà

+N#/definitions/io.k8s.api.flowcontrol.v1beta1.LimitedPriorityLevelConfiguration"�
`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `"Limited"`.
+†
+typeý"ï`type` indicates whether this priority level is subject to limitation on request execution.  A value of `"Exempt"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels.  A value of `"Limited"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.²

+stringú
`
+x-kubernetes-unionsIG- discriminator: type
+  fields-to-discriminateBy:
+    limited: Limited
+
+›
+2io.k8s.api.policy.v1beta1.RunAsUserStrategyOptionsä"_RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.š
rule²

+objectÊ
í
+ý

+rangesò
"¯
ranges are the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs.²

+arrayº
3
+1
+/#/definitions/io.k8s.api.policy.v1beta1.IDRange
+k
+rulec"Vrule is the strategy that will dictate the allowable RunAsUser values that may be set.²

+string
+Ù

+io.k8s.api.core.v1.HTTPHeader·
">HTTPHeader describes a custom header to be used in HTTP probesš
nameš
value²

+objectÊ
Z
+*
+name""The header field name²

+string
+,
+value#"The header field value²

+string
+ð

+&io.k8s.api.core.v1.NodeDaemonEndpointsÅ
"FNodeDaemonEndpoints lists ports opened by daemons running on the Node.²

+objectÊ
o
+m
+kubeletEndpointZ
+/#/definitions/io.k8s.api.core.v1.DaemonEndpoint"'Endpoint on which Kubelet is listening.
+˜
+!io.k8s.api.core.v1.AttachedVolumeò
"4AttachedVolume describes a volume attached to a nodeš
nameš

+devicePath²

+objectÊ
™

+e
+
+devicePathW"JDevicePath represents the device path where the volume should be available²

+string
+0
+name("Name of the attached volume²

+string
+Ö	
+(io.k8s.api.core.v1.DownwardAPIVolumeFile©	"XDownwardAPIVolumeFile represents information to create the file containing the pod fieldš
path²

+objectÊ
¹
+î

+resourceFieldRefÙ

+6#/definitions/io.k8s.api.core.v1.ResourceFieldSelector"ž
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+¦

+fieldRef™

+4#/definitions/io.k8s.api.core.v1.ObjectFieldSelector"aRequired: Selects a field of the pod: only annotations, labels, name and namespace are supported.
+»
+mode²int32"œOptional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.²
	
+integer
+Þ

+pathÕ
"Ç
Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'²

+string
+¦
+!io.k8s.api.core.v1.ServiceAccount€"º
ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets²

+objectÊ
Û
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+×

+automountServiceAccountToken¶
"§
AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. Can be overridden at the pod level.²
	
+boolean
+å
+imagePullSecretsÐ"‡ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod²

+arrayº
9
+7
+5#/definitions/io.k8s.api.core.v1.LocalObjectReference
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ä
+secrets¸" 
Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount. More info: https://kubernetes.io/docs/concepts/configuration/secret²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.ObjectReferenceú
'
+x-kubernetes-patch-strategymerge
+ú
'
+x-kubernetes-patch-merge-keyname
+ú
V
+x-kubernetes-group-version-kind31- kind: ServiceAccount
+  version: v1
+  group: ""
+
+®
+"io.k8s.api.rbac.v1.ClusterRoleList‡"/ClusterRoleList is a collection of ClusterRolesš
items²

+objectÊ
Î
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+g
+items^"Items is a list of ClusterRoles²

+arrayº
0
+.
+,#/definitions/io.k8s.api.rbac.v1.ClusterRole
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+f
+metadataZ
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ú
n
+x-kubernetes-group-version-kindKI- version: v1
+  group: rbac.authorization.k8s.io
+  kind: ClusterRoleList
+
+Ã	
+Zio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionListä"KCustomResourceDefinitionList is a list of CustomResourceDefinition objects.š
items²

+objectÊ
‚
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+·

+items­
"6items list individual CustomResourceDefinition objects²

+arrayº
h
+f
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+I
+metadata=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaú
{
+x-kubernetes-group-version-kindXV- group: apiextensions.k8s.io
+  kind: CustomResourceDefinitionList
+  version: v1beta1
+
+§
+6io.k8s.api.admissionregistration.v1.RuleWithOperationsì
"‚
RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.²

+objectÊ
Ø
+¼

+apiVersions¬
"�
APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.²

+arrayº

+²

+string
+ 
+
+operations‘"ô
Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.²

+arrayº

+²

+string
+–
+	resourcesˆ"ëResources is a list of resources this rule applies to.
+
+For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.
+
+If wildcard is present, the validation rule will ensure resources do not overlap with each other.
+
+Depending on the enclosing object, subresources might not be allowed. Required.²

+arrayº

+²

+string
+£
+scope™"‹scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".²

+string
+´

+	apiGroups¦
"‰
APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.²

+arrayº

+²

+string
+¼
+3io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy„"kRollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.²

+objectÊ
ˆ

+…

+	partitionxint32"cPartition indicates the ordinal at which the StatefulSet should be partitioned. Default value is 0.²
	
+integer
+Ü
+io.k8s.api.core.v1.ServiceList¹"%ServiceList holds a list of services.š
items²

+objectÊ
¥
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+T
+itemsK"List of services²

+arrayº
,
+*
+(#/definitions/io.k8s.api.core.v1.Serviceú
S
+x-kubernetes-group-version-kind0.- kind: ServiceList
+  version: v1
+  group: ""
+
+Î
+"io.k8s.api.storage.v1beta1.CSINode§
"ÊDEPRECATED - This group version of CSINode is deprecated by storage/v1/CSINode. See the release notes for more information. CSINode holds information about all CSI drivers installed on a node. CSI drivers do not need to create the CSINode object directly. As long as they use the node-driver-registrar sidecar container, the kubelet will automatically populate the CSINode object for the CSI driver as part of kubelet plugin registration. CSINode has the same name as a node. If the object is missing, it means either there are no CSI Drivers available on the node, or the Kubelet version is low enough that it doesn't create this object. CSINode has an OwnerReference that points to the corresponding node object.š
spec²

+objectÊ
á
+|
+metadatap
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"/metadata.name must be the Kubernetes node name.
+d
+spec\
+4#/definitions/io.k8s.api.storage.v1beta1.CSINodeSpec"$spec is the specification of CSINode
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
`
+x-kubernetes-group-version-kind=;- group: storage.k8s.io
+  kind: CSINode
+  version: v1beta1
+
+·
+$io.k8s.api.coordination.v1.LeaseSpecŽ"(LeaseSpec is a specification of a Lease.²

+objectÊ
Õ
+‰

+acquireTimez
+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime":acquireTime is a time when the current lease was acquired.
+e
+holderIdentityS"FholderIdentity contains the identity of the holder of a current lease.²

+string
+È

+leaseDurationSeconds¯
int32"™
leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed RenewTime.²
	
+integer
+r
+leaseTransitions^int32"IleaseTransitions is the number of transitions of a lease between holders.²
	
+integer
+ 

+	renewTime’

+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"RrenewTime is a time when the current holder of a lease has last updated the lease.
+¦
+io.k8s.api.core.v1.HostAlias…"oHostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.²

+objectÊ
…

+L
+	hostnames?"#Hostnames for the above IP address.²

+arrayº

+²

+string
+5
+ip/""IP address of the host file entry.²

+string
+ƒ
+3io.k8s.api.autoscaling.v2beta2.ResourceMetricStatusË"ÝResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.š
nameš
current²

+objectÊ
Ë

+„

+currenty
+>#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric
+B
+name:"-Name is the name of the resource in question.²

+string
+ð

+(io.k8s.api.core.v1.ContainerStateRunningÃ
"8ContainerStateRunning is a running state of a container.²

+objectÊ
{
+y
+	startedAtl
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"1Time at which the container was last (re-)started
+‚
++io.k8s.api.networking.v1.ServiceBackendPortÒ"8ServiceBackendPort is the service port being referenced.²

+objectÊ
‰
+�

+number„
int32"oNumber is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with "Name".²
	
+integer
+u
+namem"`Name is the name of the port on the Service. This is a mutually exclusive setting with "Number".²

+string
+Ë
+,io.k8s.api.networking.v1beta1.IngressBackendš"DIngressBackend describes all endpoints for a given service and port.²

+objectÊ
Å
+ø

+resourceë

+:#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"¬
Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, serviceName and servicePort must not be specified.
+I
+serviceName:"-Specifies the name of the referenced service.²

+string
+}
+servicePortn
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"-Specifies the port of the referenced service.
+´
+io.k8s.api.rbac.v1beta1.Subject�"Æ
Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.š
kindš
name²

+objectÊ
ª
+Ã

+apiGroup¶
"¨
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.²

+string
+à

+kind×
"É
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.²

+string
+9
+name1"$Name of the object being referenced.²

+string
+Ã

+	namespaceµ
"§
Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.²

+string
+”
+Aio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpecÎ"£
APIServiceSpec contains information for locating and communicating with a server. Only https is supported, though you are able to disable certificate verification.š
groupPriorityMinimumš
versionPriority²

+objectÊ
ð
+ì

+caBundleß
byte"¥
CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.²

+stringú
#
+x-kubernetes-list-type	atomic
+
+C
+group:"-Group is the API group name this server hosts²

+string
+±
+groupPriorityMinimum˜int32"‚GroupPriorityMininum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object.  (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s²
	
+integer
+Í

+insecureSkipTLSVerify³
"¤
InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged.  You should use the CABundle instead.²
	
+boolean
+ô
+serviceè
+Q#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference"’Service is a reference to the service for this API server.  It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.
+X
+versionM"@Version is the API version this server hosts.  For example, "v1"²

+string
+ä
+versionPriorityÐint32"ºVersionPriority controls the ordering of this API version inside of its group.  Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.²
	
+integer
+ö
+<io.k8s.api.admissionregistration.v1beta1.WebhookClientConfigµ
"VWebhookClientConfig contains the information to make a TLS connection with the webhook²

+objectÊ
Î
+Å

+caBundle¸
byte"¤
`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.²

+string
+Œ
+service€
+G#/definitions/io.k8s.api.admissionregistration.v1beta1.ServiceReference"´
`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
+
+If the webhook is running within the cluster, then you should use `service`.
+ô
+urlì"Þ`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
+
+The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
+
+Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
+
+The scheme must be "https"; the URL must begin with "https://".
+
+A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
+
+Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.²

+string
+Ô
+'io.k8s.api.apps.v1.StatefulSetCondition¨"MStatefulSetCondition describes the state of a statefulset at a certain point.š
typeš
status²

+objectÊ
º
+3
+type+"Type of statefulset condition.²

+string
+‘

+lastTransitionTime{
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another.
+Y
+messageN"AA human readable message indicating details about the transition.²

+string
+F
+reason<"/The reason for the condition's last transition.²

+string
+L
+statusB"5Status of the condition, one of True, False, Unknown.²

+string
+ò

+)io.k8s.apimachinery.pkg.apis.meta.v1.TimeÄ
	date-time"«
Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.²

+string
+×
+Hio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.ServiceReferenceŠ";ServiceReference holds a reference to Service.legacy.k8s.io²

+objectÊ
¾
+4
+name,"Name is the name of the service²

+string
+C
+	namespace6")Namespace is the namespace of the service²

+string
+À

+port·
int32"¡
If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).²
	
+integer
+ô
+ io.k8s.api.core.v1.ConfigMapListÏ"CConfigMapList is a resource containing a list of ConfigMap objects.š
items²

+objectÊ
›
+f
+items]" Items is the list of ConfigMaps.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.ConfigMap
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+³

+metadata¦

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
U
+x-kubernetes-group-version-kind20- kind: ConfigMapList
+  version: v1
+  group: ""
+
+Ã
+io.k8s.api.storage.v1.CSINode¡"ÎCSINode holds information about all CSI drivers installed on a node. CSI drivers do not need to create the CSINode object directly. As long as they use the node-driver-registrar sidecar container, the kubelet will automatically populate the CSINode object for the CSI driver as part of kubelet plugin registration. CSINode has the same name as a node. If the object is missing, it means either there are no CSI Drivers available on the node, or the Kubelet version is low enough that it doesn't create this object. CSINode has an OwnerReference that points to the corresponding node object.š
spec²

+objectÊ
Ü
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+|
+metadatap
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"/metadata.name must be the Kubernetes node name.
+_
+specW
+/#/definitions/io.k8s.api.storage.v1.CSINodeSpec"$spec is the specification of CSINodeú
[
+x-kubernetes-group-version-kind86- group: storage.k8s.io
+  kind: CSINode
+  version: v1
+
+æ
+0io.k8s.api.policy.v1beta1.SELinuxStrategyOptions±"]SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.š
rule²

+objectÊ
¼
+a
+ruleY"Lrule is the strategy that will dictate the allowable labels that may be set.²

+string
+Ö

+seLinuxOptionsÃ

+/#/definitions/io.k8s.api.core.v1.SELinuxOptions"�
seLinuxOptions required to run as; required for MustRunAs More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+í
+Nio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ServiceReferenceš";ServiceReference holds a reference to Service.legacy.k8s.ioš
	namespaceš
name²

+objectÊ
»
+>
+name6")name is the name of the service. Required²

+string
+M
+	namespace@"3namespace is the namespace of the service. Required²

+string
+Y
+pathQ"Dpath is an optional URL path at which the webhook will be contacted.²

+string
+Î

+portÅ
int32"¯
port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.²
	
+integer
+Ñ
+ io.k8s.api.core.v1.ScopeSelector¬"nA scope selector represents the AND of the selectors represented by the scoped-resource selector requirements.²

+objectÊ
­

+ª

+matchExpressions•
"@A list of scope selector requirements by scope of the resources.²

+arrayº
F
+D
+B#/definitions/io.k8s.api.core.v1.ScopedResourceSelectorRequirement
+Å	
+/io.k8s.api.storage.v1beta1.VolumeAttachmentList‘	"AVolumeAttachmentList is a collection of VolumeAttachment objects.š
items²

+objectÊ
Ç
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+{
+itemsr"&Items is the list of VolumeAttachments²

+arrayº
=
+;
+9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
m
+x-kubernetes-group-version-kindJH- group: storage.k8s.io
+  kind: VolumeAttachmentList
+  version: v1beta1
+
+ð
+
+<io.k8s.api.autoscaling.v2beta1.ContainerResourceMetricStatus¯
+"üContainerResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing a single container in each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.š
nameš
currentAverageValueš
	container²

+objectÊ
ø
+×
+currentAverageUtilization¹int32"£currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.  It will only be present if `targetAverageValue` was set in the corresponding metric specification.²
	
+integer
+ó
+currentAverageValueÛ
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"›currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the "pods" metric source type. It will always be set, regardless of the corresponding metric specification.
+B
+name:"-name is the name of the resource in question.²

+string
+b
+	containerU"Hcontainer is the name of the container in the pods of the scaling target²

+string
+ä	
+"io.k8s.api.core.v1.CSIVolumeSource½	"TRepresents a source location of a volume to mount, managed by an external CSI driverš
driver²

+objectÊ
Ï
+¢

+driver—
"‰
Driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.²

+string
+Ë

+fsTypeÀ
"²
Filesystem type to mount. Ex. "ext4", "xfs", "ntfs". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.²

+string
+¥
+nodePublishSecretRefŒ
+5#/definitions/io.k8s.api.core.v1.LocalObjectReference"ÒNodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and  may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.
+m
+readOnlya"SSpecifies a read-only configuration for the volume. Defaults to false (read/write).²
	
+boolean
+Â

+volumeAttributes­
"�
VolumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.ª

+²

+string²

+object
+…	
+8io.k8s.api.certificates.v1.CertificateSigningRequestListÈ"RCertificateSigningRequestList is a collection of CertificateSigningRequest objectsš
items²

+objectÊ
ä
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+™

+items�
":items is a collection of CertificateSigningRequest objects²

+arrayº
F
+D
+B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+I
+metadata=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaú
v
+x-kubernetes-group-version-kindSQ- group: certificates.k8s.io
+  kind: CertificateSigningRequestList
+  version: v1
+
+Þ	
+$io.k8s.api.core.v1.ResourceQuotaListµ	"3ResourceQuotaList is a list of ResourceQuota items.š
items²

+objectÊ
�
+»

+items±
"pItems is a list of ResourceQuota objects. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/²

+arrayº
2
+0
+.#/definitions/io.k8s.api.core.v1.ResourceQuota
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
Y
+x-kubernetes-group-version-kind64- group: ""
+  kind: ResourceQuotaList
+  version: v1
+
+–	
+)io.k8s.api.networking.v1beta1.IngressListè"'IngressList is a collection of Ingress.š
items²

+objectÊ
¾
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+l
+itemsc"Items is the list of Ingress.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.networking.v1beta1.Ingress
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ð

+metadataÃ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
g
+x-kubernetes-group-version-kindDB- kind: IngressList
+  version: v1beta1
+  group: networking.k8s.io
+
+’	
+1io.k8s.api.autoscaling.v2beta1.ObjectMetricStatusÜ"Ž
ObjectMetricStatus indicates the current value of a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).š
targetš

+metricNameš
currentValue²

+objectÊ
—
+·

+averageValue¦

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"gaverageValue is the current value of the average of the metric across all relevant pods (as a quantity)
+�

+currentValue
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"@currentValue is the current value of the metric (as a quantity).
+L
+
+metricName>"1metricName is the name of the metric in question.²

+string
+÷
+selectorê
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"¥selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.
+€

+targetv
+H#/definitions/io.k8s.api.autoscaling.v2beta1.CrossVersionObjectReference"*target is the described Kubernetes object.
+€
+/io.k8s.api.autoscaling.v2beta2.PodsMetricStatusÌ"š
PodsMetricStatus indicates the current value of a metric describing each pod in the current scale target (for example, transactions-processed-per-second).š
metricš
current²

+objectÊ
�
+„

+currenty
+>#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric
+ƒ

+metricy
+=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector
+²
+0io.k8s.api.core.v1.WindowsSecurityContextOptionsý"OWindowsSecurityContextOptions contain Windows-specific options and credentials.²

+objectÊ
�
+m
+gmsaCredentialSpecNameS"FGMSACredentialSpecName is the name of the GMSA credential spec to use.²

+string
+¿
+
runAsUserName­"ŸThe UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.²

+string
+é

+gmsaCredentialSpecÒ
"Ä
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.²

+string
+¢
+io.k8s.api.node.v1.Scheduling€"TScheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.²

+objectÊ
›
+ç
+nodeSelectorÖ"¸nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.ª

+²

+string²

+object
+®
+tolerationsž"¹
tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.²

+arrayº
/
+-
++#/definitions/io.k8s.api.core.v1.Tolerationú
#
+x-kubernetes-list-type	atomic
+
+‡	
+3io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReferenceÏ"Ç
OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.š

+apiVersionš
kindš
nameš
uid²

+objectÊ
Õ
+l
+named"WName of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names²

+string
+i
+uidb"UUID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids²

+string
+7
+
+apiVersion)"API version of the referent.²

+string
+Î
+blockOwnerDeletion·"¨If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.²
	
+boolean
+V
+
+controllerH":If true, this reference points to the managing controller.²
	
+boolean
+—

+kindŽ
"€
Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+«	
+&io.k8s.api.core.v1.ConfigMapProjection€	"åAdapts a ConfigMap into a projected volume.
+
+The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.²

+objectÊ
‰
+ª
+items "âIf unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.KeyToPath
+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+S
+optionalG"9Specify whether the ConfigMap or its keys must be defined²
	
+boolean
+¨
+#io.k8s.api.core.v1.NodeConfigSource€"uNodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil.²

+objectÊ
{
+y
+	configMapl
+:#/definitions/io.k8s.api.core.v1.ConfigMapNodeConfigSource".ConfigMap is a reference to a Node's ConfigMap
+æ
++io.k8s.api.autoscaling.v2beta2.MetricTarget¶"aMetricTarget defines the target value, average value, or average utilization of a specific metricš
type²

+objectÊ
½
+€

+valuew
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"8value is the target value of the metric (as a quantity).
+™
+averageUtilization‚int32"ì
averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type²
	
+integer
+¶

+averageValue¥

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"faverageValue is the target value of the average of the metric across all relevant pods (as a quantity)
+c
+type["Ntype represents whether the metric type is Utilization, Value, or AverageValue²

+string
+ï
+-io.k8s.api.storage.v1beta1.CSIStorageCapacity½"ÞCSIStorageCapacity stores the result of one CSI GetCapacity call. For a given StorageClass, this describes the available capacity in a particular topology segment.  This can be used when considering where to instantiate new PersistentVolumes.
+
+For example this can express things like: - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1" - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
+
+The following three cases all imply that no capacity is available for a certain combination: - no object exists with suitable topology and storage class name - such an object exists, but the capacity is unset - such an object exists, but the capacity is zero
+
+The producer of these objects can decide which approach is more suitable.
+
+They are consumed by the kube-scheduler if the CSIStorageCapacity beta feature gate is enabled there and a CSI driver opts into capacity-aware scheduling with CSIDriver.StorageCapacity.š
storageClassName²

+objectÊ
Ì
+Ç
+nodeTopology¶
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ñ
NodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.
+Ô
+storageClassName¿"±The name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.²

+string
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Ò
+capacityÅ
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"…Capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.
+
+The semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable and treated like zero capacity.
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+¶
+maximumVolumeSize 
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"àMaximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.
+
+This is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim.
+�
+metadata�
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ÎStandard object's metadata. The name has no particular meaning. It must be be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends with the unique CSI driver name.
+
+Objects are namespaced.
+
+More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
k
+x-kubernetes-group-version-kindHF- group: storage.k8s.io
+  kind: CSIStorageCapacity
+  version: v1beta1
+
+ì
+!io.k8s.api.core.v1.SeccompProfileÆ"fSeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.š
type²

+objectÊ
Ó
+¯
+localhostProfileš"ŒlocalhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".²

+string
+ž
+type•"‡type indicates which kind of seccomp profile will be applied. Valid options are:
+
+Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.²

+stringú
r
+x-kubernetes-unions[Y- discriminator: type
+  fields-to-discriminateBy:
+    localhostProfile: LocalhostProfile
+
+è
+%io.k8s.api.discovery.v1beta1.Endpoint¾"FEndpoint represents a single logical "backend" implementing a service.š
	addresses²

+objectÊ
Û
+”

+hintsŠ

+8#/definitions/io.k8s.api.discovery.v1beta1.EndpointHints"Nhints contains information associated with how an endpoint should be consumed.
+Î
+hostnameÁ"³hostname of this endpoint. This field may be used by consumers of endpoints to distinguish endpoints from each other (e.g. in DNS names). Multiple endpoints which use the same hostname should be considered fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS Label (RFC 1123) validation.²

+string
+Ú

+nodeNameÍ
"¿
nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node. This field can be enabled with the EndpointSliceNodeName feature gate.²

+string
+�

+	targetRef‚

+0#/definitions/io.k8s.api.core.v1.ObjectReference"NtargetRef is a reference to a Kubernetes object that represents this endpoint.
+ó
+topologyæ"Ètopology contains arbitrary topology information associated with the endpoint. These key/value pairs must conform with the label format. https://kubernetes.io/docs/concepts/overview/working-with-objects/labels Topology may include a maximum of 16 key/value pairs. This includes, but is not limited to the following well known keys: * kubernetes.io/hostname: the value indicates the hostname of the node
+  where the endpoint is located. This should match the corresponding
+  node label.
+* topology.kubernetes.io/zone: the value indicates the zone where the
+  endpoint is located. This should match the corresponding node label.
+* topology.kubernetes.io/region: the value indicates the region where the
+  endpoint is located. This should match the corresponding node label.
+This field is deprecated and will be removed in future api versions.ª

+²

+string²

+object
+î
+	addressesà" addresses of this endpoint. The contents of this field are interpreted according to the corresponding EndpointSlice addressType field. Consumers must handle different types of addresses in the context of their own capabilities. This must contain at least one address but no more than 100.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+™

+
+conditionsŠ

+=#/definitions/io.k8s.api.discovery.v1beta1.EndpointConditions"Iconditions contains information about the current status of the endpoint.
+Ÿ	
+(io.k8s.api.node.v1beta1.RuntimeClassListò"3RuntimeClassList is a list of RuntimeClass objects.š
items²

+objectÊ
½
+p
+itemsg""Items is a list of schema objects.²

+arrayº
6
+4
+2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
f
+x-kubernetes-group-version-kindCA- group: node.k8s.io
+  kind: RuntimeClassList
+  version: v1beta1
+
+»	
+,io.k8s.api.policy.v1.PodDisruptionBudgetListŠ	"@PodDisruptionBudgetList is a collection of PodDisruptionBudgets.š
items²

+objectÊ
Ë
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ð

+metadataÃ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+y
+itemsp"'Items is a list of PodDisruptionBudgets²

+arrayº
:
+8
+6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetú
c
+x-kubernetes-group-version-kind@>- group: policy
+  kind: PodDisruptionBudgetList
+  version: v1
+
+á
+"io.k8s.api.storage.v1.TokenRequestº"<TokenRequest contains parameters of a service account token.š
audience²

+objectÊ
â
+“

+audience†
"yAudience is the intended audience of the token in "TokenRequestSpec". It will default to the audiences of kube apiserver.²

+string
+É

+expirationSeconds³
int64"�
ExpirationSeconds is the duration of validity of the token in "TokenRequestSpec". It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".²
	
+integer
+ò
+"io.k8s.api.core.v1.PodTemplateListË"*PodTemplateList is a list of PodTemplates.š
items²

+objectÊ
®
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+]
+itemsT"List of pod templates²

+arrayº
0
+.
+,#/definitions/io.k8s.api.core.v1.PodTemplate
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
W
+x-kubernetes-group-version-kind42- group: ""
+  kind: PodTemplateList
+  version: v1
+
+£
+io.k8s.api.core.v1.PortStatus�š
portš
protocol²

+objectÊ
à
+i
+portaint32"LPort is the port number of the service port of which status is recorded here²
	
+integer
+–

+protocol‰
"|Protocol is the protocol of the service port of which status is recorded here The supported values are: "TCP", "UDP", "SCTP"²

+string
+Ù
+errorÏ"ÁError is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use
+  CamelCase names
+- cloud provider specific error values must have names that comply with the
+  format foo.example.com/CamelCase.²

+string
+î+
+(io.k8s.api.storage.v1beta1.CSIDriverSpecÁ+"2CSIDriverSpec is the specification of a CSIDriver.²

+objectÊ
þ*
+©
+podInfoOnMount–"‡If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. "csi.storage.k8s.io/pod.name": pod.Name "csi.storage.k8s.io/pod.namespace": pod.Namespace "csi.storage.k8s.io/pod.uid": string(pod.UID) "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
+                                defined by a CSIVolumeSource, otherwise "false"
+
+"csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.
+
+This field is immutable.²
	
+boolean
+ÿ
+requiresRepublishé"ÚRequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.
+
+Note: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.
+
+This is a beta feature and only available when the CSIServiceAccountToken feature is enabled.²
	
+boolean
+€
+storageCapacityì"ÝIf set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.
+
+The check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.
+
+Alternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.
+
+This field is immutable.
+
+This is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.²
	
+boolean
+ê
+
tokenRequestsØ"éTokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: "csi.storage.k8s.io/serviceAccount.tokens": {
+  "<audience>": {
+    "token": <token>,
+    "expirationTimestamp": <expiration timestamp in RFC3339>,
+  },
+  ...
+}
+
+Note: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.
+
+This is a beta feature and only available when the CSIServiceAccountToken feature is enabled.²

+arrayº
9
+7
+5#/definitions/io.k8s.api.storage.v1beta1.TokenRequestú
#
+x-kubernetes-list-type	atomic
+
+³
+volumeLifecycleModesš"ýVolumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.
+
+This field is immutable.²

+arrayº

+²

+string
+É
+attachRequired¶"§attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.
+
+This field is immutable.²
	
+boolean
+Û
+
fsGroupPolicyÉ"»Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.
+
+This field is immutable.²

+string
+Î
+'io.k8s.api.storage.v1beta1.StorageClass¢"ã
StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned.
+
+StorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.š
provisioner²

+objectÊ
·
+n
+allowVolumeExpansionV"HAllowVolumeExpansion shows whether the storage class allow volume expand²
	
+boolean
+Š
+allowedTopologiesô"«Restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.²

+arrayº
9
+7
+5#/definitions/io.k8s.api.core.v1.TopologySelectorTerm
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+ì

+mountOptionsÛ
"¾
Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.²

+arrayº

+²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+‘

+
+parameters‚
"eParameters holds the parameters for the provisioner that should create volumes of this storage class.ª

+²

+string²

+object
+N
+provisioner?"2Provisioner indicates the type of the provisioner.²

+string
+—

+
reclaimPolicy…
"xDynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.²

+string
+ø

+volumeBindingModeâ
"Ô
VolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound.  When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.²

+stringú
e
+x-kubernetes-group-version-kindB@- group: storage.k8s.io
+  kind: StorageClass
+  version: v1beta1
+
+¬

+Zio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrStringArrayN"LJSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
+ì
+7io.k8s.api.admissionregistration.v1.WebhookClientConfig°
"VWebhookClientConfig contains the information to make a TLS connection with the webhook²

+objectÊ
É
+Å

+caBundle¸
byte"¤
`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.²

+string
+‡
+serviceû

+B#/definitions/io.k8s.api.admissionregistration.v1.ServiceReference"´
`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.
+
+If the webhook is running within the cluster, then you should use `service`.
+ô
+urlì"Þ`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.
+
+The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.
+
+Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.
+
+The scheme must be "https"; the URL must begin with "https://".
+
+A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.
+
+Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.²

+string
+„
++io.k8s.api.authorization.v1.NonResourceRuleÔ"LNonResourceRule holds information that describes a rule for the non-resourceš
verbs²

+objectÊ
ï
+Ë

+nonResourceURLs·
"š
NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path.  "*" means all.²

+arrayº

+²

+string
+ž

+verbs”
"xVerb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.²

+arrayº

+²

+string
+¡
+ io.k8s.api.core.v1.EnvFromSourceü":EnvFromSource represents the source of a set of ConfigMaps²

+objectÊ
±
+c
+configMapRefS
+3#/definitions/io.k8s.api.core.v1.ConfigMapEnvSource"The ConfigMap to select from
+n
+prefixd"WAn optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.²

+string
+Z
+	secretRefM
+0#/definitions/io.k8s.api.core.v1.SecretEnvSource"The Secret to select from
+›
+io.k8s.api.core.v1.ExecActionù"1ExecAction describes a "run in container" action.²

+objectÊ
·
+´
+command¨"‹Command is the command line to execute inside the container, the working directory for the command  is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.²

+arrayº

+²

+string
+ù	
+io.k8s.api.core.v1.LimitRange×	"OLimitRange sets resource usage limits for each kind of resource in a Namespace.²

+objectÊ
¢
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Í

+specÄ

+/#/definitions/io.k8s.api.core.v1.LimitRangeSpec"�
Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
R
+x-kubernetes-group-version-kind/-- group: ""
+  kind: LimitRange
+  version: v1
+
+É
+.io.k8s.api.networking.v1beta1.IngressClassList–"3IngressClassList is a collection of IngressClasses.š
items²

+objectÊ
Û
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+x
+itemso"$Items is the list of IngressClasses.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.networking.v1beta1.IngressClass
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+b
+metadataV
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.ú
l
+x-kubernetes-group-version-kindIG- group: networking.k8s.io
+  kind: IngressClassList
+  version: v1beta1
+
+ˆ
+-io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupÖ"YAPIGroup contains the name, the supported versions, and the preferred version of a group.š
nameš
versions²

+objectÊ
‡
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+3
+name+"name is the name of the group.²

+string
+Ç

+preferredVersion²

+K#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"cpreferredVersion is the version preferred by the API server, which probably is the storage version.
+è
+serverAddressByClientCIDRsÉ"éa map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.²

+arrayº
P
+N
+L#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR
+�

+versions�
"2versions are the versions supported in this group.²

+arrayº
O
+M
+K#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscoveryú
P
+x-kubernetes-group-version-kind-+- group: ""
+  kind: APIGroup
+  version: v1
+
+Ø
+$io.k8s.apimachinery.pkg.version.Info¯"TInfo contains versioning information. how we'll want to distribute that information.š
majorš
minorš

+gitVersionš
	gitCommitš
gitTreeStateš
	buildDateš
	goVersionš
compilerš
platform²

+objectÊ
ä

+
+	buildDate²

+string
+
+	gitCommit²

+string
+
+gitTreeState²

+string
+
+
+gitVersion²

+string
+
+major²

+string
+
+compiler²

+string
+
+	goVersion²

+string
+
+minor²

+string
+
+platform²

+string
+È
+&io.k8s.api.apps.v1.DeploymentCondition�"KDeploymentCondition describes the state of a deployment at a certain point.š
typeš
status²

+objectÊ
±
+Y
+messageN"AA human readable message indicating details about the transition.²

+string
+F
+reason<"/The reason for the condition's last transition.²

+string
+L
+statusB"5Status of the condition, one of True, False, Unknown.²

+string
+2
+type*"Type of deployment condition.²

+string
+‘

+lastTransitionTime{
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another.
+v
+lastUpdateTimed
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time")The last time this condition was updated.
+Õ&
+io.k8s.api.batch.v1.JobSpecµ&"7JobSpec describes how the job execution will look like.š
template²

+objectÊ
â%
+Û

+templateÎ

+0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"™
Describes the pod that will be created when executing a job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+ó
+ttlSecondsAfterFinished×int32"ÁttlSecondsAfterFinished limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted. When the Job is being deleted, its lifecycle guarantees (e.g. finalizers) will be honored. If this field is unset, the Job won't be automatically deleted. If this field is set to zero, the Job becomes eligible to be deleted immediately after it finishes. This field is alpha-level and is only honored by servers that enable the TTLAfterFinished feature.²
	
+integer
+¿
+completionMode¬"žCompletionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`.
+
+`NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. Each Pod completion is homologous to each other.
+
+`Indexed` means that the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1), available in the annotation batch.kubernetes.io/job-completion-index. The Job is considered complete when there is one successfully completed Pod for each index. When value is `Indexed`, .spec.completions must be specified and `.spec.parallelism` must be less than or equal to 10^5.
+
+This field is alpha-level and is only honored by servers that enable the IndexedJob feature gate. More completion modes can be added in the future. If the Job controller observes a mode that it doesn't recognize, the controller skips updates for the Job.²

+string
+Ð
+completionsÀint32"ªSpecifies the desired number of successfully finished pods the job should be run with.  Setting to nil means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value.  Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/²
	
+integer
+¹
+manualSelector¦"—manualSelector controls generation of pod labels and pod selectors. Leave `manualSelector` unset unless you are certain what you are doing. When false or unset, the system pick labels unique to this job and appends those labels to the pod template.  When true, the user is responsible for picking unique labels and specifying the selector.  Failure to pick a unique label may cause this and other jobs to not function correctly.  However, You may see `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` API. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector²
	
+boolean
+¦
+parallelism–int32"€Specifies the maximum desired number of pods the job should run at any given time. The actual number of pods running in steady state will be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), i.e. when the work left to do is less than max parallelism. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/²
	
+integer
+�
+selector�
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"Ë
A label query over pods that should match the pod count. Normally, the system sets this field for you. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+”
+suspendˆ"ùSuspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. This is an alpha field and requires the SuspendJob feature gate to be enabled; otherwise this field may not be set to true. Defaults to false.²
	
+boolean
+æ
+activeDeadlineSecondsÌint64"¶Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer. If a Job is suspended (at creation or through an update), this timer will effectively be stopped and reset when the Job is resumed again.²
	
+integer
+r
+backoffLimitbint32"MSpecifies the number of retries before marking this job failed. Defaults to 6²
	
+integer
+’
+Xio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersionµ"<CustomResourceDefinitionVersion describes a version for CRD.š
nameš
servedš
storage²

+objectÊ
Î
+±
+additionalPrinterColumns”"›additionalPrinterColumns specifies additional columns returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. If no columns are specified, a single column displaying the age of the custom resource is used.²

+arrayº
i
+g
+e#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition
+Ü

+
+deprecatedÍ
"¾
deprecated indicates this version of the custom resource API is deprecated. When set to true, API requests to this version receive a warning header in the server response. Defaults to false.²
	
+boolean
+°
+deprecationWarning™"‹deprecationWarning overrides the default warning returned to API clients. May only be set when `deprecated` is true. The default warning indicates this version is deprecated and recommends use of the newest served version of equal or greater stability, if one exists.²

+string
+¼

+name³
"¥
name is the version name, e.g. “v1â€�, “v2beta1â€�, etc. The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.²

+string
+Þ

+schemaÓ

+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation"pschema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.
+h
+served^"Pserved is a flag enabling/disabling this version from being served via REST APIs²
	
+boolean
+ª

+storagež
"�
storage indicates this version should be used when persisting custom resources to storage. There must be exactly one version with storage=true.²
	
+boolean
+Î

+subresources½

+a#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources"Xsubresources specify what subresources this version of the defined custom resource have.
+¹
+Fio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceListî"/APIServiceList is a list of APIService objects.š
items²

+objectÊ
´
+j
+itemsa²

+arrayº
T
+R
+P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+I
+metadata=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
o
+x-kubernetes-group-version-kindLJ- kind: APIServiceList
+  version: v1beta1
+  group: apiregistration.k8s.io
+
+�
+/io.k8s.api.autoscaling.v2beta1.PodsMetricStatusÜ"š
PodsMetricStatus indicates the current value of a metric describing each pod in the current scale target (for example, transactions-processed-per-second).š

+metricNameš
currentAverageValue²

+objectÊ
�
+Å

+currentAverageValue­

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"ncurrentAverageValue is the current value of the average of the metric across all relevant pods (as a quantity)
+K
+
+metricName="0metricName is the name of the metric in question²

+string
+õ
+selectorè
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"£selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.
+ð
+/io.k8s.api.flowcontrol.v1beta1.FlowSchemaStatus¼">FlowSchemaStatus represents the current state of a FlowSchema.²

+objectÊ
í

+ê

+
+conditionsÛ
";`conditions` is a list of the current states of FlowSchema.²

+arrayº
D
+B
+@#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaConditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+
+¹
+%io.k8s.api.autoscaling.v1.ScaleStatus�"AScaleStatus represents the current status of a scale subresource.š
replicas²

+objectÊ
²
+Z
+replicasNint32"9actual number of observed instances of the scaled object.²
	
+integer
+Ó
+selectorÆ"¸label query over pods that should match the replicas count. This is same as the label selector but in the string format to avoid introspection by clients. The string will be in the same format as the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors²

+string
+Ã
+)io.k8s.api.core.v1.PersistentVolumeStatus•"DPersistentVolumeStatus is the current status of a persistent volume.²

+objectÊ
À
+j
+message_"RA human-readable message indicating details about why the volume is in this state.²

+string
+»

+phase±
"£
Phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase²

+string
+“

+reasonˆ
"{Reason is a brief CamelCase string that describes any failure and is meant for machine parsing and tidy display in the CLI.²

+string
+¿
+'io.k8s.api.rbac.v1beta1.AggregationRule“"VAggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole²

+objectÊ
¬
+©
+clusterRoleSelectors�"¼
ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added²

+arrayº
D
+B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector
+±	
+'io.k8s.api.rbac.v1beta1.ClusterRoleList…	"¢
ClusterRoleList is a collection of ClusterRoles. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoles, and will no longer be served in v1.22.š
items²

+objectÊ
Ó
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+l
+itemsc"Items is a list of ClusterRoles²

+arrayº
5
+3
+1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+f
+metadataZ
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ú
s
+x-kubernetes-group-version-kindPN- group: rbac.authorization.k8s.io
+  kind: ClusterRoleList
+  version: v1beta1
+
+˜
+io.k8s.api.apps.v1.DaemonSet÷"7DaemonSet represents the configuration of a daemon set.²

+objectÊ
Ù
+
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ó

+specÊ

+.#/definitions/io.k8s.api.apps.v1.DaemonSetSpec"—
The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+®
+status£
+0#/definitions/io.k8s.api.apps.v1.DaemonSetStatus"î
The current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
S
+x-kubernetes-group-version-kind0.- group: apps
+  kind: DaemonSet
+  version: v1
+
+•	
+io.k8s.api.apps.v1.Deploymentó"@Deployment enables declarative updates for Pods and ReplicaSets.²

+objectÊ
Ë
+o
+statuse
+1#/definitions/io.k8s.api.apps.v1.DeploymentStatus"0Most recently observed status of the Deployment.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+f
+metadataZ
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object metadata.
+s
+speck
+/#/definitions/io.k8s.api.apps.v1.DeploymentSpec"8Specification of the desired behavior of the Deployment.ú
T
+x-kubernetes-group-version-kind1/- group: apps
+  kind: Deployment
+  version: v1
+
+í[
+io.k8s.api.core.v1.PodSpecÎ[""PodSpec is a description of a pod.š

+containers²

+objectÊ
Ž[
+ÿ
+ephemeralContainersç"ÌList of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.core.v1.EphemeralContainerú
'
+x-kubernetes-patch-merge-keyname
+ú
'
+x-kubernetes-patch-strategymerge
+
+†

+hostnamez"mSpecifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.²

+string
+‰
+initContainersö"äList of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.Containerú
'
+x-kubernetes-patch-merge-keyname
+ú
'
+x-kubernetes-patch-strategymerge
+
+û
+setHostnameAsFQDNå"ÖIf true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to FQDN. If a pod does not have FQDN, this has no effect. Default to false.²
	
+boolean
+ö
+	dnsPolicyè"ÚSet DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.²

+string
+Û

+enableServiceLinksÄ
"µ
EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.²
	
+boolean
+“

+serviceAccount€
"sDeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.²

+string
+ý
+terminationGracePeriodSecondsÛint64"ÅOptional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.²
	
+integer
+”
+priorityClassNameþ"ðIf specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.²

+string
+ñ
+runtimeClassNameÜ"ÎRuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod.  If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md This is a beta feature as of Kubernetes v1.14.²

+string
+g
+affinity[
+)#/definitions/io.k8s.api.core.v1.Affinity".If specified, the pod's scheduling constraints
+À

+hostNetwork°
"¡
Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.²
	
+boolean
+R
+hostPIDG"9Use the host's pid namespace. Optional: Default to false.²
	
+boolean
+Ï
+priorityÂint32"¬The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.²
	
+integer
+q
+tolerationsb"$If specified, the pod's tolerations.²

+arrayº
/
+-
++#/definitions/io.k8s.api.core.v1.Toleration
+»
+hostAliases«"›
HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.HostAliasú
%
+x-kubernetes-patch-merge-keyip
+ú
'
+x-kubernetes-patch-strategymerge
+
+R
+hostIPCG"9Use the host's ipc namespace. Optional: Default to false.²
	
+boolean
+×
+imagePullSecretsÂ"¥ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod²

+arrayº
9
+7
+5#/definitions/io.k8s.api.core.v1.LocalObjectReferenceú
'
+x-kubernetes-patch-strategymerge
+ú
'
+x-kubernetes-patch-merge-keyname
+
+œ
+nodeSelector‹"í
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ª

+²

+string²

+object
+„
+preemptionPolicyï
"á
PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is beta-level, gated by the NonPreemptingPriority feature-gate.²

+string
+ô
+shareProcessNamespaceÚ"ËShare a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.²
	
+boolean
+þ
+topologySpreadConstraintsà"Ð
TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed.²

+arrayº
=
+;
+9#/definitions/io.k8s.api.core.v1.TopologySpreadConstraintú
B
+x-kubernetes-list-map-keys$"- topologyKey
+- whenUnsatisfiable
+ú
 
+x-kubernetes-list-typemap
+ú
.
+x-kubernetes-patch-merge-keytopologyKey
+ú
'
+x-kubernetes-patch-strategymerge
+
+•

+automountServiceAccountTokenu"gAutomountServiceAccountToken indicates whether a service account token should be automatically mounted.²
	
+boolean
+Æ

+	dnsConfig¸

+-#/definitions/io.k8s.api.core.v1.PodDNSConfig"†
Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.
+Î

+	subdomainÀ
"²
If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>". If not specified, the pod will not have a domainname at all.²

+string
+á

+
restartPolicyÏ
"Á
Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy²

+string
+£

+
schedulerName‘
"ƒ
If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.²

+string
+ó
+readinessGatesà"›If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md²

+arrayº
5
+3
+1#/definitions/io.k8s.api.core.v1.PodReadinessGate
+Ð

+serviceAccountName¹
"«
ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/²

+string
+Ô

+nodeNameÇ
"¹
NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.²

+string
+ð
+overheadã"“Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+ó

+securityContextß

+3#/definitions/io.k8s.api.core.v1.PodSecurityContext"§
SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty.  See type description for default values of each field.
+¬
+volumes "†
List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes²

+arrayº
+
+)
+'#/definitions/io.k8s.api.core.v1.Volumeú
'
+x-kubernetes-patch-merge-keyname
+ú
2
+x-kubernetes-patch-strategymerge,retainKeys
+
+ü

+activeDeadlineSecondsâ
int64"Ì
Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.²
	
+integer
+¼
+
+containers­"›
List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.Containerú
'
+x-kubernetes-patch-merge-keyname
+ú
'
+x-kubernetes-patch-strategymerge
+
+º
+)io.k8s.api.networking.v1.IngressClassListŒ"3IngressClassList is a collection of IngressClasses.š
items²

+objectÊ
Ö
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+b
+metadataV
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+s
+itemsj"$Items is the list of IngressClasses.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.networking.v1.IngressClassú
g
+x-kubernetes-group-version-kindDB- group: networking.k8s.io
+  kind: IngressClassList
+  version: v1
+
+î
+"io.k8s.api.rbac.v1beta1.PolicyRuleÇ"¡
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.š
verbs²

+objectÊ
Œ
+
+ó

+	apiGroupså
"È
APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.²

+arrayº

+²

+string
+¼
+nonResourceURLs¨"‹NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.²

+arrayº

+²

+string
+¨

+
resourceNames–
"zResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.²

+arrayº

+²

+string
+ò

+	resourcesä
"Ç
Resources is a list of resources this rule applies to.  '*' represents all resources in the specified apiGroups. '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.²

+arrayº

+²

+string
+´

+verbsª
"�
Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.²

+arrayº

+²

+string
+Ï
+!io.k8s.api.storage.v1.CSINodeSpec©"\CSINodeSpec holds information about the specification of all CSI drivers installed on a nodeš
drivers²

+objectÊ
²
+¯
+drivers£"Š
drivers is a list of information of all CSI Drivers existing on a node. If all drivers in the list are uninstalled, this can become empty.²

+arrayº
5
+3
+1#/definitions/io.k8s.api.storage.v1.CSINodeDriverú
'
+x-kubernetes-patch-merge-keyname
+ú
'
+x-kubernetes-patch-strategymerge
+
+í

+Oio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray™
"–
JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps or an array of JSONSchemaProps. Mainly here for serialization purposes.
+Æ
+2io.k8s.api.core.v1.AzureFilePersistentVolumeSource�"WAzureFile represents an Azure File Service mount on the host and bind mount to the pod.š

+secretNameš
	shareName²

+objectÊ
Ž
+x
+readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+^
+
+secretNameP"Cthe name of secret that contains Azure Storage Account Name and Key²

+string
+‹

+secretNamespacex"kthe namespace of the secret that contains Azure Storage Account Name and Key default is the same as the Pod²

+string
+$
+	shareName"
+Share Name²

+string
+£	
+io.k8s.api.core.v1.PodList„	"PodList is a list of Pods.š
items²

+objectÊ
ÿ
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+­

+items£
"lList of pods. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md²

+arrayº
(
+&
+$#/definitions/io.k8s.api.core.v1.Pod
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
O
+x-kubernetes-group-version-kind,*- group: ""
+  kind: PodList
+  version: v1
+
+‚	
+#io.k8s.api.events.v1beta1.EventListÚ"%EventList is a list of Event objects.š
items²

+objectÊ
¸
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+k
+itemsb""items is a list of schema objects.²

+arrayº
1
+/
+-#/definitions/io.k8s.api.events.v1beta1.Event
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
a
+x-kubernetes-group-version-kind><- version: v1beta1
+  group: events.k8s.io
+  kind: EventList
+
+à	
+@io.k8s.api.flowcontrol.v1beta1.LimitedPriorityLevelConfiguration›	"è
LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:
+ * How are requests for this priority level limited?
+ * What should be done with requests that exceed the limit?²

+objectÊ
¡
+ö
+assuredConcurrencySharesÙint32"Ã`assuredConcurrencyShares` (ACS) configures the execution limit, which is a limit on the number of requests of this priority level that may be exeucting at a given time.  ACS must be a positive number. The server's concurrency limit (SCL) is divided among the concurrency-controlled priority levels in proportion to their assured concurrency shares. This produces the assured concurrency value (ACV) --- the number of requests that may be executing at a time --- for each such priority level:
+
+            ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) )
+
+bigger numbers of ACS mean more reserved concurrent requests (at the expense of every other PL). This field has a default value of 30.²
	
+integer
+¥

+
limitResponse“

+:#/definitions/io.k8s.api.flowcontrol.v1beta1.LimitResponse"U`limitResponse` indicates what to do with requests that can not be executed right now
+´
+$io.k8s.api.networking.v1.IngressSpec‹";IngressSpec describes the Ingress the user wishes to exist.²

+objectÊ
¿
+ß
+defaultBackendÌ
+5#/definitions/io.k8s.api.networking.v1.IngressBackend"’DefaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller.
+´
+ingressClassNameŸ"‘IngressClassName is the name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field. The controller may emit a warning if the field and annotation have different values. Implementations of this API should ignore Ingresses without a class specified. An IngressClass resource may be marked as default, which can be used to set a default value for this field. For more information, refer to the IngressClass documentation.²

+string
+ù

+rulesï
"ƒ
A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.²

+arrayº
6
+4
+2#/definitions/io.k8s.api.networking.v1.IngressRuleú
#
+x-kubernetes-list-type	atomic
+
+§
+tlsŸ"´TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.²

+arrayº
5
+3
+1#/definitions/io.k8s.api.networking.v1.IngressTLSú
#
+x-kubernetes-list-type	atomic
+
+ƒ
+(io.k8s.api.storage.v1beta1.CSINodeDriverÖ
"]CSINodeDriver holds information about the specification of one CSI driver installed on a nodeš
nameš
nodeID²

+objectÊ
Ø
+¨

+allocatable˜

+<#/definitions/io.k8s.api.storage.v1beta1.VolumeNodeResources"Xallocatable represents the volume resources of a node that are available for scheduling.
+ª

+name¡
"“
This is the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.²

+string
+¸
+nodeID­"ŸnodeID of the node from the driver point of view. This field enables Kubernetes to communicate with storage systems that do not share the same nomenclature for nodes. For example, Kubernetes may refer to a given node as "node1", but the storage system may refer to the same node as "nodeA". When Kubernetes issues a command to the storage system to attach a volume to a specific node, it can use this field to refer to the node name using the ID that the storage system will understand, e.g. "nodeA" instead of "node1". This field is required.²

+string
+Â
+topologyKeys±"”topologyKeys is the list of keys supported by the driver. When a driver is initialized on a cluster, it provides a set of topology keys that it understands (e.g. "company.com/zone", "company.com/region"). When a driver is initialized on a node, it provides the same topology keys along with values. Kubelet will expose these topology keys as labels on its own node object. When Kubernetes does topology aware provisioning, it can use this list to determine which labels it should retrieve from the node object and pass back to the driver. It is possible for different nodes to use different topology keys. This can be empty if driver does not support topology.²

+arrayº

+²

+string
+§

+Uio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArrayN"LJSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
+–
+4io.k8s.api.authorization.v1.LocalSubjectAccessReviewÝ"ç
LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.š
spec²

+objectÊ
è
+§

+statusœ

+C#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or not
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+ñ

+specè

+A#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec"¢
Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace you made the request against.  If empty, it is defaulted.ú
r
+x-kubernetes-group-version-kindOM- group: authorization.k8s.io
+  kind: LocalSubjectAccessReview
+  version: v1
+
+�	
+3io.k8s.api.authorization.v1beta1.ResourceAttributeså"tResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface²

+objectÊ
à
+‚

+namez"mName is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.²

+string
+ô
+	namespaceæ"ØNamespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview²

+string
+X
+resourceL"?Resource is one of the existing resource types.  "*" means all.²

+string
+^
+subresourceO"BSubresource is one of the existing resource types.  "" means none.²

+string
+ƒ

+verb{"nVerb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.²

+string
+S
+versionH";Version is the API Version of the Resource.  "*" means all.²

+string
+M
+groupD"7Group is the API Group of the Resource.  "*" means all.²

+string
+ü

+&io.k8s.api.networking.v1.IngressStatusÑ
"8IngressStatus describe the current state of the Ingress.²

+objectÊ
ˆ

+…

+loadBalanceru
+3#/definitions/io.k8s.api.core.v1.LoadBalancerStatus">LoadBalancer contains the current status of the load-balancer.
+Û
+3io.k8s.api.policy.v1beta1.PodDisruptionBudgetStatus£"Š
PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.š
disruptionsAllowedš
currentHealthyš
desiredHealthyš
expectedPods²

+objectÊ
Á
+ô
+
+conditionså"ôConditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute
+              the number of allowed disruptions. Therefore no disruptions are
+              allowed and the status of the condition will be False.
+- InsufficientPods: The number of pods are either at or below the number
+                    required by the PodDisruptionBudget. No disruptions are
+                    allowed and the status of the condition will be False.
+- SufficientPods: There are more pods than required by the PodDisruptionBudget.
+                  The condition will be True, and the number of allowed
+                  disruptions are provided by the disruptionsAllowed property.²

+arrayº
@
+>
+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Conditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+ú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+E
+currentHealthy3int32"current number of healthy pods²
	
+integer
+M
+desiredHealthy;int32"&minimum desired number of healthy pods²
	
+integer
+�
+
disruptedPodsû"¯DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.ª
;
+9
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time²

+object
+`
+disruptionsAllowedJint32"5Number of pod disruptions that are currently allowed.²
	
+integer
+[
+expectedPodsKint32"6total number of pods counted by this disruption budget²
	
+integer
+â

+observedGenerationË
int64"µ
Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.²
	
+integer
+Ý
+$io.k8s.api.storage.v1beta1.CSIDriver´"¹CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. CSI drivers do not need to create the CSIDriver object directly. Instead they may use the cluster-driver-registrar sidecar container. When deployed with a CSI driver it automatically creates a CSIDriver object representing the driver. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.š
spec²

+objectÊ
ý	
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+™
+metadataŒ
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ÊStandard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+b
+specZ
+6#/definitions/io.k8s.api.storage.v1beta1.CSIDriverSpec" Specification of the CSI Driver.ú
b
+x-kubernetes-group-version-kind?=- group: storage.k8s.io
+  kind: CSIDriver
+  version: v1beta1
+
+…
+9io.k8s.api.authorization.v1beta1.SubjectRulesReviewStatusÇ"çSubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.š

resourceRulesš
nonResourceRulesš

+incomplete²

+objectÊ
ž
+Œ
+evaluationErrorø
"ê
EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.²

+string
+Ý

+
+incompleteÎ
"¿
Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.²
	
+boolean
+›
+nonResourceRules†"´
NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.²

+arrayº
B
+@
+>#/definitions/io.k8s.api.authorization.v1beta1.NonResourceRule
+Ž
+
resourceRulesü
"­
ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.²

+arrayº
?
+=
+;#/definitions/io.k8s.api.authorization.v1beta1.ResourceRule
+�
+(io.k8s.api.networking.v1.HTTPIngressPathâ"oHTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.š
backend²

+objectÊ
Ø
+
+Ÿ

+backend“

+5#/definitions/io.k8s.api.networking.v1.IngressBackend"ZBackend defines the referenced service endpoint to which the traffic will be forwarded to.
+ž
+path•"‡Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/'. When unspecified, all paths from incoming requests are matched.²

+string
+’
+pathType…"÷PathType determines the interpretation of the Path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+  done on a path element by element basis. A path element refers is the
+  list of labels in the path split by the '/' separator. A request is a
+  match for path p if every p is an element-wise prefix of p of the
+  request path. Note that if the last element of the path is a substring
+  of the last element in request path, it is not a match (e.g. /foo/bar
+  matches /foo/bar/baz, but does not match /foo/barbaz).
+* ImplementationSpecific: Interpretation of the Path matching is up to
+  the IngressClass. Implementations can treat this as a separate PathType
+  or treat it identically to Prefix or Exact path types.
+Implementations are required to support all path types.²

+string
+Þ
+ io.k8s.api.events.v1.EventSeries¹"èEventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time. How often to update the EventSeries is up to the event reporters. The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows how this struct is updated on heartbeats and can guide customized reporter implementations.š
countš
lastObservedTime²

+objectÊ
¤
+n
+counteint32"Pcount is the number of occurrences in this series up to the last heartbeat time.²
	
+integer
+±

+lastObservedTimeœ

+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"\lastObservedTime is the time when last Event from the series was seen before last heartbeat.
+‹	
+#io.k8s.api.storage.v1.CSIDriverListã"3CSIDriverList is a collection of CSIDriver objects.š
items²

+objectÊ
³
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+g
+items^"items is the list of CSIDriver²

+arrayº
1
+/
+-#/definitions/io.k8s.api.storage.v1.CSIDriverú
a
+x-kubernetes-group-version-kind><- group: storage.k8s.io
+  kind: CSIDriverList
+  version: v1
+
+ñ

+Sio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ExternalDocumentation™
"YExternalDocumentation allows referencing an external resource for extended documentation.²

+objectÊ
0
+
+description²

+string
+
+url²

+string
+ÿ
+5io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpecÅ"-specification of a horizontal pod autoscaler.š
scaleTargetRefš
maxReplicas²

+objectÊ
è
+×

+targetCPUUtilizationPercentage´
int32"ž
target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.²
	
+integer
+�

+maxReplicas~int32"iupper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.²
	
+integer
+ò
+minReplicasâint32"ÌminReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured.  Scaling is active as long as at least one metric value is available.²
	
+integer
+†
+scaleTargetRefó

+C#/definitions/io.k8s.api.autoscaling.v1.CrossVersionObjectReference"«
reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption and will set the desired number of pods by using its Scale subresource.
+º
+
+<io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerStatusù	"ZHorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.š
currentReplicasš
desiredReplicasš

+conditions²

+objectÊ
Ý
+¤

+desiredReplicas�
int32"{desiredReplicas is the desired number of replicas of pods managed by this autoscaler, as last calculated by the autoscaler.²
	
+integer
+î

+
lastScaleTimeÜ

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" 
lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, used by the autoscaler to control how often the number of pods is changed.
+x
+observedGenerationbint64"MobservedGeneration is the most recent generation observed by this autoscaler.²
	
+integer
+ü

+
+conditionsí
"Œ
conditions is the set of conditions required for this autoscaler to scale its target, and indicates whether or not those conditions are met.²

+arrayº
Q
+O
+M#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerCondition
+¬

+currentMetrics™
"McurrentMetrics is the last read state of the metrics used by this autoscaler.²

+arrayº
=
+;
+9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricStatus
+š

+currentReplicas†
int32"qcurrentReplicas is current number of replicas of pods managed by this autoscaler, as last seen by the autoscaler.²
	
+integer
+õ
+!io.k8s.api.core.v1.FCVolumeSourceÏ"«
Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.²

+objectÊ
’
+À

+fsTypeµ
"§
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.²

+string
+:
+lun3int32"Optional: FC target lun number²
	
+integer
+‚

+readOnlyv"hOptional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+T
+
+targetWWNsF"*Optional: FC target worldwide names (WWNs)²

+arrayº

+²

+string
+µ

+wwids«
"Ž
Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.²

+arrayº

+²

+string
+˜
+*io.k8s.api.rbac.v1beta1.ClusterRoleBindingé"—ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace, and adds who information via Subject. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBinding, and will no longer be served in v1.22.š
roleRef²

+objectÊ
½
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+Ç

+roleRef»

+-#/definitions/io.k8s.api.rbac.v1beta1.RoleRef"‰
RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.
+‰

+subjects}"=Subjects holds references to the objects the role applies to.²

+arrayº
1
+/
+-#/definitions/io.k8s.api.rbac.v1beta1.Subjectú
v
+x-kubernetes-group-version-kindSQ- group: rbac.authorization.k8s.io
+  kind: ClusterRoleBinding
+  version: v1beta1
+
+ƒ
+#io.k8s.api.apps.v1.DeploymentStatusÛ"HDeploymentStatus is the most recently observed status of the Deployment.²

+objectÊ
‚
+]
+
readyReplicasLint32"7Total number of ready pods targeted by this deployment.²
	
+integer
+ƒ

+replicaswint32"bTotal number of non-terminated pods targeted by this deployment (their labels match the selector).²
	
+integer
+Á
+unavailableReplicas©int32"“Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.²
	
+integer
+Œ

+updatedReplicasyint32"dTotal number of non-terminated pods targeted by this deployment that have the desired template spec.²
	
+integer
+Š

+availableReplicasuint32"`Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.²
	
+integer
+Þ

+collisionCountË
int32"µ
Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.²
	
+integer
+÷

+
+conditionsè
"MRepresents the latest available observations of a deployment's current state.²

+arrayº
8
+6
+4#/definitions/io.k8s.api.apps.v1.DeploymentConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+`
+observedGenerationJint64"5The generation observed by the deployment controller.²
	
+integer
+Á

+!io.k8s.api.core.v1.DaemonEndpoint›
"CDaemonEndpoint contains information about a single Daemon endpoint.š
Port²

+objectÊ
A
+?
+Port7int32""Port number of the given endpoint.²
	
+integer
+Æ
+&io.k8s.api.core.v1.ObjectFieldSelector›"?ObjectFieldSelector selects an APIVersioned field of an object.š
	fieldPath²

+objectÊ
¿

+h
+
+apiVersionZ"MVersion of the schema the FieldPath is written in terms of, defaults to "v1".²

+string
+S
+	fieldPathF"9Path of the field to select in the specified API version.²

+string
+ä
+$io.k8s.api.core.v1.ResourceQuotaSpec»"GResourceQuotaSpec defines the desired hard limits to enforce for Quota.²

+objectÊ
ã
+ß

+hardÖ
"†
hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+Ü
+
scopeSelectorÊ
+.#/definitions/io.k8s.api.core.v1.ScopeSelector"—scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.
+Ÿ

+scopes”
"xA collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.²

+arrayº

+²

+string
+ð
+ io.k8s.api.discovery.v1.EndpointË"FEndpoint represents a single logical "backend" implementing a service.š
	addresses²

+objectÊ
è
+î
+	addressesà" addresses of this endpoint. The contents of this field are interpreted according to the corresponding EndpointSlice addressType field. Consumers must handle different types of addresses in the context of their own capabilities. This must contain at least one address but no more than 100.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+”

+
+conditions…

+8#/definitions/io.k8s.api.discovery.v1.EndpointConditions"Iconditions contains information about the current status of the endpoint.
+¾
+deprecatedTopology§"‰deprecatedTopology contains topology information part of the v1beta1 API. This field is deprecated, and will be removed when the v1beta1 API is removed (no sooner than kubernetes v1.24).  While this field can hold values, it is not writable through the v1 API, and any attempts to write to it will be silently ignored. Topology information can be found in the zone and nodeName fields instead.ª

+²

+string²

+object
+�

+hints…

+3#/definitions/io.k8s.api.discovery.v1.EndpointHints"Nhints contains information associated with how an endpoint should be consumed.
+Î
+hostnameÁ"³hostname of this endpoint. This field may be used by consumers of endpoints to distinguish endpoints from each other (e.g. in DNS names). Multiple endpoints which use the same hostname should be considered fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS Label (RFC 1123) validation.²

+string
+Ú

+nodeNameÍ
"¿
nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node. This field can be enabled with the EndpointSliceNodeName feature gate.²

+string
+�

+	targetRef‚

+0#/definitions/io.k8s.api.core.v1.ObjectReference"NtargetRef is a reference to a Kubernetes object that represents this endpoint.
+J
+zoneB"5zone is the name of the Zone this endpoint exists in.²

+string
+�
+6io.k8s.api.flowcontrol.v1beta1.FlowDistinguisherMethodâ
"EFlowDistinguisherMethod specifies the method of a flow distinguisher.š
type²

+objectÊ
…

+‚

+typez"m`type` is the type of flow distinguisher method The supported types are "ByUser" and "ByNamespace". Required.²

+string
+ð
+Qio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidationš"MCustomResourceValidation is a list of validation methods for CustomResources.²

+objectÊ
¼

+¹

+openAPIV3Schema¥

+V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"KopenAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
+Ñ	
+!io.k8s.api.apps.v1.ReplicaSetList«	".ReplicaSetList is a collection of ReplicaSets.š
items²

+objectÊ
‰
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+·

+items­
"oList of ReplicaSets. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller²

+arrayº
/
+-
++#/definitions/io.k8s.api.apps.v1.ReplicaSet
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
X
+x-kubernetes-group-version-kind53- group: apps
+  kind: ReplicaSetList
+  version: v1
+
+í
+ io.k8s.api.batch.v1beta1.CronJobÈ":CronJob represents the configuration of a single cron job.²

+objectÊ
£
+
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+û

+specò

+2#/definitions/io.k8s.api.batch.v1beta1.CronJobSpec"»
Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+Ð

+statusÅ

+4#/definitions/io.k8s.api.batch.v1beta1.CronJobStatus"Œ
Current status of a cron job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
W
+x-kubernetes-group-version-kind42- group: batch
+  kind: CronJob
+  version: v1beta1
+
+Ø
+)io.k8s.api.rbac.v1.ClusterRoleBindingListª"=ClusterRoleBindingList is a collection of ClusterRoleBindingsš
items²

+objectÊ
Ü
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+u
+itemsl"&Items is a list of ClusterRoleBindings²

+arrayº
7
+5
+3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+f
+metadataZ
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ú
u
+x-kubernetes-group-version-kindRP- group: rbac.authorization.k8s.io
+  kind: ClusterRoleBindingList
+  version: v1
+
+¨
+_io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionConditionÄ"YCustomResourceDefinitionCondition contains details for the current condition of this pod.š
typeš
status²

+objectÊ
Ê
+q
+typei"\type is the type of the condition. Types include Established, NamesAccepted and Terminating.²

+string
+¥

+lastTransitionTimeŽ

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"SlastTransitionTime last time the condition transitioned from one status to another.
+e
+messageZ"Mmessage is a human-readable message indicating details about last transition.²

+string
+j
+reason`"Sreason is a unique, one-word, CamelCase reason for the condition's last transition.²

+string
+Z
+statusP"Cstatus is the status of the condition. Can be True, False, Unknown.²

+string
+ç
+1io.k8s.api.autoscaling.v2beta2.ObjectMetricStatus±"Ž
ObjectMetricStatus indicates the current value of a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).š
metricš
currentš
describedObject²

+objectÊ
ì
+„

+currenty
+>#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric
+]
+describedObjectJ
+H#/definitions/io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReference
+ƒ

+metricy
+=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector
+™
+io.k8s.api.core.v1.EnvVarû"AEnvVar represents an environment variable present in a Container.š
name²

+objectÊ
¢
+N
+nameF"9Name of the environment variable. Must be a C_IDENTIFIER.²

+string
+»
+value±"£Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".²

+string
+‘

+	valueFromƒ

+-#/definitions/io.k8s.api.core.v1.EnvVarSource"RSource for the environment variable's value. Cannot be used if value is not empty.
+ä
+ io.k8s.api.core.v1.HTTPGetAction¿"=HTTPGetAction describes an action based on HTTP Get requests.š
port²

+objectÊ
ê
+7
+path/""Path to access on the HTTP server.²

+string
+Ç

+port¾

+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
+R
+schemeH";Scheme to use for connecting to the host. Defaults to HTTP.²

+string
+}
+hostu"hHost name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.²

+string
+‘

+httpHeaders�
"CCustom headers to set in the request. HTTP allows repeated headers.²

+arrayº
/
+-
++#/definitions/io.k8s.api.core.v1.HTTPHeader
+ž
+.io.k8s.api.core.v1.PersistentVolumeClaimStatusë"OPersistentVolumeClaimStatus is the current status of a persistent volume claim.²

+objectÊ
‹
+Ò

+accessModesÂ
"¥
AccessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1²

+arrayº

+²

+string
+•

+capacityˆ
"9Represents the actual resources of the underlying volume.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+Ç
+
+conditions¸"‘
Current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.²

+arrayº
C
+A
+?#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+R
+phaseI"<Phase represents the current phase of PersistentVolumeClaim.²

+string
+â
+&io.k8s.api.core.v1.QuobyteVolumeSource·"‡
Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.š
registryš
volume²

+objectÊ
Š
+Q
+userI"<User to map volume access to Defaults to serivceaccount user²

+string
+d
+volumeZ"MVolume is a string that references an already created Quobyte volume by name.²

+string
+G
+group>"1Group to map volume access to Default is no group²

+string
+‚

+readOnlyv"hReadOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.²
	
+boolean
+á

+registryÔ
"Æ
Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes²

+string
+œ

+tenant‘
"ƒ
Tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin²

+string
+ê?
+Hio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps�?"[JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).²

+objectÊ
±>
+$
+
minPropertiesint64²
	
+integer
+p
+anyOfg²

+arrayº
Z
+X
+V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps
+
+description²

+string
+X
+exampleM
+K#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON
+h
+items_
+]#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray
+
+maxItemsint64²
	
+integer
+ 
+	maxLengthint64²
	
+integer
+}
+patternPropertieshª
Z
+X
+V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps²

+object
+n
+externalDocs^
+\#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation
+$
+
maxPropertiesint64²
	
+integer
+
+minItemsint64²
	
+integer
+
+minimumdouble²

+number
+!
+
+multipleOfdouble²

+number
+
+pattern²

+string
+
+$ref²

+string
+d
+enum\²

+arrayº
O
+M
+K#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON
+&
+required²

+arrayº

+²

+string
+
+maximumdouble²

+number
+ 
+	minLengthint64²
	
+integer
+
+type²

+string
+‡
+x-kubernetes-int-or-stringè"Ùx-kubernetes-int-or-string specifies that this value is either an integer or a string. If this is true, an empty type is allowed and type as child of anyOf is permitted if following one of the following patterns:
+
+1) anyOf:
+   - type: integer
+   - type: string
+2) allOf:
+   - anyOf:
+     - type: integer
+     - type: string
+   - ... zero or more²
	
+boolean
+Þ
+x-kubernetes-list-typeÃ"µx-kubernetes-list-type annotates an array to further describe its topology. This extension must only be used on lists and may have 3 possible values:
+
+1) `atomic`: the list is treated as a single entity, like a scalar.
+     Atomic lists will be entirely replaced when updated. This extension
+     may be used on any type of list (struct, scalar, ...).
+2) `set`:
+     Sets are lists that must not have multiple items with the same value. Each
+     value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+     array with x-kubernetes-list-type `atomic`.
+3) `map`:
+     These lists are like maps in that their elements have a non-index key
+     used to identify them. Order is preserved upon merge. The map tag
+     must only be used on a list with elements of type object.
+Defaults to atomic for arrays.²

+string
+w
+definitionshª
Z
+X
+V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps²

+object
+v
+
+propertieshª
Z
+X
+V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps²

+object
+
+title²

+string
+«
+x-kubernetes-list-map-keysŒ"ïx-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used as the index of the map.
+
+This tag MUST only be used on lists that have the "x-kubernetes-list-type" extension set to "map". Also, the values specified for this attribute must be a scalar typed field of the child structure (no nesting is supported).
+
+The properties specified must either be required or have a default value, to ensure those properties are present for all list items.²

+arrayº

+²

+string
+…

+dependenciesuª
g
+e
+c#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray²

+object
+ 
+exclusiveMinimum²
	
+boolean
+p
+oneOfg²

+arrayº
Z
+X
+V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps
+˜
+$x-kubernetes-preserve-unknown-fieldsï"àx-kubernetes-preserve-unknown-fields stops the API server decoding step from pruning fields which are not specified in the validation schema. This affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden.²
	
+boolean
+q
+additionalItems^
+\#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool
+p
+allOfg²

+arrayº
Z
+X
+V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps
+�
+default‘
+K#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"Á
default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. Defaulting requires spec.preserveUnknownFields to be false.
+
+id²

+string
+
+nullable²
	
+boolean
+Ó
+x-kubernetes-embedded-resource°"¡x-kubernetes-embedded-resource defines that the value is an embedded Kubernetes runtime.Object, with TypeMeta and ObjectMeta. The type must be object. It is allowed to further restrict the embedded object. kind, apiVersion and metadata are validated automatically. x-kubernetes-preserve-unknown-fields is allowed to be true, but does not have to be if the object is fully specified (up to kind, apiVersion, metadata).²
	
+boolean
+ 
+x-kubernetes-map-type†"øx-kubernetes-map-type annotates an object to further describe its topology. This extension must only be used when type is object and may have 2 possible values:
+
+1) `granular`:
+     These maps are actual maps (key-value pairs) and each fields are independent
+     from each other (they can each be manipulated by separate actors). This is
+     the default behaviour for all maps.
+2) `atomic`: the list is treated as a single entity, like a scalar.
+     Atomic maps will be entirely replaced when updated.²

+string
+
+$schema²

+string
+v
+additionalProperties^
+\#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool
+ 
+exclusiveMaximum²
	
+boolean
+¶
+format«"�format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+
+- bsonobjectid: a bson object ID, i.e. a 24 characters hex string - uri: an URI as parsed by Golang net/url.ParseRequestURI - email: an email address as parsed by Golang net/mail.ParseAddress - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. - ipv4: an IPv4 IP as parsed by Golang net.ParseIP - ipv6: an IPv6 IP as parsed by Golang net.ParseIP - cidr: a CIDR as parsed by Golang net.ParseCIDR - mac: a MAC address as parsed by Golang net.ParseMAC - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041" - isbn10: an ISBN10 number string like "0321751043" - isbn13: an ISBN13 number string like "978-0321751041" - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$ with any non digit characters mixed in - ssn: a U.S. social security number following the regex ^\d{3}[- ]?\d{2}[- ]?\d{4}$ - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559" - byte: base64 encoded binary data - password: any kind of string - date: a date string like "2006-01-02" as defined by full-date in RFC3339 - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.²

+string
+_
+notX
+V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps
+
+uniqueItems²
	
+boolean
+Œ
+7io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatusÐ"-current status of a horizontal pod autoscalerš
currentReplicasš
desiredReplicas²

+objectÊ
î
+ß

+currentCPUUtilizationPercentage»
int32"¥
current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 70 means that an average pod is using now 70% of its requested CPU.²
	
+integer
+f
+currentReplicasSint32">current number of replicas of pods managed by this autoscaler.²
	
+integer
+f
+desiredReplicasSint32">desired number of replicas of pods managed by this autoscaler.²
	
+integer
+Ù

+
lastScaleTimeÇ

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"‹
last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed.
+^
+observedGenerationHint64"3most recent generation observed by this autoscaler.²
	
+integer
+Ã
+?io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerConditionÿ"eHorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.š
typeš
status²

+objectÊ
ù
+«

+lastTransitionTime”

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"YlastTransitionTime is the last time the condition transitioned from one status to another
+g
+message\"Omessage is a human-readable explanation containing details about the transition²

+string
+P
+reasonF"9reason is the reason for the condition's last transition.²

+string
+S
+statusI"<status is the status of the condition (True, False, Unknown)²

+string
+9
+type1"$type describes the current condition²

+string
+›
+<io.k8s.api.autoscaling.v2beta2.ContainerResourceMetricStatusÚ"üContainerResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing a single container in each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.š
nameš
currentš
	container²

+objectÊ
¯
+„

+currenty
+>#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric
+B
+name:"-Name is the name of the resource in question.²

+string
+b
+	containerU"HContainer is the name of the container in the pods of the scaling target²

+string
+ä
+'io.k8s.api.networking.v1.IngressBackend¸"DIngressBackend describes all endpoints for a given service and port.²

+objectÊ
ã
+±
+resource¤
+:#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"å
Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with "Service".
+¬

+service 

+<#/definitions/io.k8s.api.networking.v1.IngressServiceBackend"`Service references a Service as a Backend. This is a mutually exclusive setting with "Resource".
+Ù
+io.k8s.api.core.v1.Affinity¹"1Affinity is a group of affinity scheduling rules.²

+objectÊ
÷
+´

+podAffinity¤

+,#/definitions/io.k8s.api.core.v1.PodAffinity"tDescribes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+Å

+podAntiAffinity±

+0#/definitions/io.k8s.api.core.v1.PodAntiAffinity"}Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+v
+nodeAffinityf
+-#/definitions/io.k8s.api.core.v1.NodeAffinity"5Describes node affinity scheduling rules for the pod.
+æ
+(io.k8s.api.core.v1.GlusterfsVolumeSource¹"‹
Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.š
	endpointsš
path²

+objectÊ
‰
+«

+	endpoints�
"�
EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod²

+string
+ƒ

+path{"nPath is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod²

+string
+Ò

+readOnlyÅ
"¶
ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod²
	
+boolean
+ë	
+%io.k8s.api.core.v1.ServiceAccountListÁ	"6ServiceAccountList is a list of ServiceAccount objectsš
items²

+objectÊ
•
+Ã

+items¹
"wList of ServiceAccounts. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/²

+arrayº
3
+1
+/#/definitions/io.k8s.api.core.v1.ServiceAccount
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
Z
+x-kubernetes-group-version-kind75- version: v1
+  group: ""
+  kind: ServiceAccountList
+
+Ò
+)io.k8s.api.networking.v1beta1.IngressSpec¤
";IngressSpec describes the Ingress the user wishes to exist.²

+objectÊ
Ø
+´
+ingressClassNameŸ"‘IngressClassName is the name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field. The controller may emit a warning if the field and annotation have different values. Implementations of this API should ignore Ingresses without a class specified. An IngressClass resource may be marked as default, which can be used to set a default value for this field. For more information, refer to the IngressClass documentation.²

+string
+Ø

+rulesÎ
"ƒ
A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.²

+arrayº
;
+9
+7#/definitions/io.k8s.api.networking.v1beta1.IngressRule
+†
+tlsþ"´TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.²

+arrayº
:
+8
+6#/definitions/io.k8s.api.networking.v1beta1.IngressTLS
+º
+backend®
+:#/definitions/io.k8s.api.networking.v1beta1.IngressBackend"ï
A default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default.
+˜	
+.io.k8s.api.authorization.v1.ResourceAttributeså"tResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface²

+objectÊ
à
+ƒ

+verb{"nVerb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.²

+string
+S
+versionH";Version is the API Version of the Resource.  "*" means all.²

+string
+M
+groupD"7Group is the API Group of the Resource.  "*" means all.²

+string
+‚

+namez"mName is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.²

+string
+ô
+	namespaceæ"ØNamespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview²

+string
+X
+resourceL"?Resource is one of the existing resource types.  "*" means all.²

+string
+^
+subresourceO"BSubresource is one of the existing resource types.  "" means none.²

+string
+”	
+)io.k8s.api.coordination.v1beta1.LeaseListæ"%LeaseList is a list of Lease objects.š
items²

+objectÊ
¾
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+q
+itemsh""Items is a list of schema objects.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.coordination.v1beta1.Lease
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
g
+x-kubernetes-group-version-kindDB- group: coordination.k8s.io
+  kind: LeaseList
+  version: v1beta1
+
+¨

+%io.k8s.api.core.v1.PodDNSConfigOption"9PodDNSConfigOption defines DNS resolver options of a pod.²

+objectÊ
6
+
+name"	Required.²

+string
+
+value²

+string
+Ö
+ io.k8s.api.core.v1.ResourceQuota±"FResourceQuota sets aggregate quota restrictions enforced per namespace²

+objectÊ
‚
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ã

+specº

+2#/definitions/io.k8s.api.core.v1.ResourceQuotaSpec"ƒ
Spec defines the desired quota. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ç

+statusÜ

+4#/definitions/io.k8s.api.core.v1.ResourceQuotaStatus"£
Status defines the actual enforced quota and its current usage. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
U
+x-kubernetes-group-version-kind20- group: ""
+  kind: ResourceQuota
+  version: v1
+
+¥
+%io.k8s.api.core.v1.SecretVolumeSourceû"í
Adapts a Secret into a volume.
+
+The contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.²

+objectÊ
ü	
+ê
+defaultModeÚint32"ÄOptional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.²
	
+integer
+¤
+itemsš"ÜIf unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.KeyToPath
+P
+optionalD"6Specify whether the Secret or its keys must be defined²
	
+boolean
+“

+
+secretName„
"wName of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret²

+string
+…
+io.k8s.api.core.v1.Serviceæ"ç
Service is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy.²

+objectÊ
›
+
+þ

+statusó

+.#/definitions/io.k8s.api.core.v1.ServiceStatus"À
Most recently observed status of the service. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Å

+spec¼

+,#/definitions/io.k8s.api.core.v1.ServiceSpec"‹
Spec defines the behavior of a service. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
O
+x-kubernetes-group-version-kind,*- group: ""
+  kind: Service
+  version: v1
+
+Ý
+)io.k8s.api.extensions.v1beta1.IngressRule¯
"ì
IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.²

+objectÊ
±
+J
+httpB
+@#/definitions/io.k8s.api.extensions.v1beta1.HTTPIngressRuleValue
+â
+
+hostÙ
+"Ë
+Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+   the IP in the Spec of the parent Ingress.
+2. The `:` delimiter is not respected because ports are not allowed.
+	  Currently the port of an Ingress is implicitly :80 for http and
+	  :443 for https.
+Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.
+
+Host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.²

+string
+ƒ	
+!io.k8s.api.core.v1.EndpointSubsetÝ"³EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:
+  {
+    Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+    Ports:     [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+  }
+The resulting set of endpoints can be viewed as:
+    a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],
+    b: [ 10.10.1.1:309, 10.10.2.2:309 ]²

+objectÊ
˜
+ë

+	addressesÝ
"™
IP addresses which offer the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.EndpointAddress
+©
+notReadyAddresses“"Ï
IP addresses which offer the related ports but are not currently marked as ready because they have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.EndpointAddress
+|
+portss"3Port numbers available on the related IP addresses.²

+arrayº
1
+/
+-#/definitions/io.k8s.api.core.v1.EndpointPort
+ì
+&io.k8s.api.core.v1.FlockerVolumeSourceÁ"Ã
Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.²

+objectÊ
ì

+ˆ

+datasetNamey"lName of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated²

+string
+_
+datasetUUIDP"CUUID of the dataset. This is unique identifier of a Flocker dataset²

+string
+Œ
+&io.k8s.api.storage.v1.VolumeAttachmentá"—
VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.
+
+VolumeAttachment objects are non-namespaced.š
spec²

+objectÊ
Ê	
+Ð

+metadataÃ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"�
Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¤

+spec›

+8#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSpec"_Specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.
+Ð

+statusÅ

+:#/definitions/io.k8s.api.storage.v1.VolumeAttachmentStatus"†
Status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
d
+x-kubernetes-group-version-kindA?- group: storage.k8s.io
+  kind: VolumeAttachment
+  version: v1
+
+�
+!io.k8s.api.storage.v1.VolumeErrorê"DVolumeError captures an error encountered during a volume operation.²

+objectÊ
•
+®

+message¢
"”
String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.²

+string
+b
+timeZ
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"Time the error was encountered.
+í
+1io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList·"RAPIGroupList is a list of APIGroup, to allow clients to discover the API at /apis.š
groups²

+objectÊ
ô
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+u
+groupsk"groups is a list of APIGroup.²

+arrayº
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
T
+x-kubernetes-group-version-kind1/- group: ""
+  kind: APIGroupList
+  version: v1
+
+‡
+io.k8s.api.core.v1.Endpointsæ"ýEndpoints is a collection of endpoints that implement the actual service. Example:
+  Name: "mysvc",
+  Subsets: [
+    {
+      Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+      Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+    },
+    {
+      Addresses: [{"ip": "10.10.3.3"}],
+      Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}]
+    },
+ ]²

+objectÊ
ƒ
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+®
+subsets¢"ßThe set of all endpoints is the union of all subsets. Addresses are placed into subsets according to the IPs they share. A single address with multiple ports, some of which are ready and some of which are not (because they come from different containers) will result in the address being displayed in different subsets for the different ports. No address will appear in both Addresses and NotReadyAddresses in the same subset. Sets of addresses and ports that comprise a service.²

+arrayº
3
+1
+/#/definitions/io.k8s.api.core.v1.EndpointSubsetú
Q
+x-kubernetes-group-version-kind.,- group: ""
+  kind: Endpoints
+  version: v1
+
+¢
+ io.k8s.api.core.v1.ServiceStatusý"9ServiceStatus represents the current status of a service.²

+objectÊ
³
+”
+
+conditions…"Current service state²

+arrayº
@
+>
+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Conditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+ú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+™

+loadBalancerˆ

+3#/definitions/io.k8s.api.core.v1.LoadBalancerStatus"QLoadBalancer contains the current status of the load-balancer, if one is present.
+�
+!io.k8s.api.core.v1.LimitRangeSpec÷
"NLimitRangeSpec defines a min/max usage limit for resources that match on kind.š
limits²

+objectÊ
�

+Œ

+limits�
"?Limits is the list of LimitRangeItem objects that are enforced.²

+arrayº
3
+1
+/#/definitions/io.k8s.api.core.v1.LimitRangeItem
+½
+-io.k8s.api.networking.v1beta1.HTTPIngressPath‹"oHTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.š
backend²

+objectÊ
�
+¤

+backend˜

+:#/definitions/io.k8s.api.networking.v1beta1.IngressBackend"ZBackend defines the referenced service endpoint to which the traffic will be forwarded to.
+ž
+path•"‡Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/'. When unspecified, all paths from incoming requests are matched.²

+string
+¶
+pathType©"›PathType determines the interpretation of the Path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+  done on a path element by element basis. A path element refers is the
+  list of labels in the path split by the '/' separator. A request is a
+  match for path p if every p is an element-wise prefix of p of the
+  request path. Note that if the last element of the path is a substring
+  of the last element in request path, it is not a match (e.g. /foo/bar
+  matches /foo/bar/baz, but does not match /foo/barbaz).
+* ImplementationSpecific: Interpretation of the Path matching is up to
+  the IngressClass. Implementations can treat this as a separate PathType
+  or treat it identically to Prefix or Exact path types.
+Implementations are required to support all path types. Defaults to ImplementationSpecific.²

+string
+ý	
++io.k8s.api.policy.v1beta1.PodSecurityPolicyÍ	"˜
PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container. Deprecated in 1.21.²

+objectÊ
¾
+j
+specb
+=#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicySpec"!spec defines the policy enforced.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
b
+x-kubernetes-group-version-kind?=- group: policy
+  kind: PodSecurityPolicy
+  version: v1beta1
+
+á
+&io.k8s.api.scheduling.v1.PriorityClass¶"{PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.š
value²

+objectÊ
»
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+„
+preemptionPolicyï
"á
PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is beta-level, gated by the NonPreemptingPriority feature-gate.²

+string
+¨

+valuež
int32"ˆ
The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.²
	
+integer
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+‹

+description|"odescription is an arbitrary string that usually provides guidelines on when this priority class should be used.²

+string
+¦
+
globalDefault”"…globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.²
	
+booleanú
d
+x-kubernetes-group-version-kindA?- group: scheduling.k8s.io
+  kind: PriorityClass
+  version: v1
+
+ö
+4io.k8s.api.authorization.v1.SubjectRulesReviewStatus½"çSubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.š

resourceRulesš
nonResourceRulesš

+incomplete²

+objectÊ
”
+Œ
+evaluationErrorø
"ê
EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.²

+string
+Ý

+
+incompleteÎ
"¿
Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.²
	
+boolean
+–
+nonResourceRules�"´
NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.²

+arrayº
=
+;
+9#/definitions/io.k8s.api.authorization.v1.NonResourceRule
+‰
+
resourceRules÷
"­
ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.²

+arrayº
:
+8
+6#/definitions/io.k8s.api.authorization.v1.ResourceRule
+‰
+0io.k8s.api.authorization.v1beta1.NonResourceRuleÔ"LNonResourceRule holds information that describes a rule for the non-resourceš
verbs²

+objectÊ
ï
+Ë

+nonResourceURLs·
"š
NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path.  "*" means all.²

+arrayº

+²

+string
+ž

+verbs”
"xVerb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.²

+arrayº

+²

+string
+­
+:io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerSpecî"_HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.š
scaleTargetRefš
maxReplicas²

+objectÊ
ß
+®
+behavior¡
+L#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBehavior"Ð
behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used.
+©

+maxReplicas™
int32"ƒ
maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less that minReplicas.²
	
+integer
+�
+metricsõ"ªmetrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used).  The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods.  Ergo, metrics used must decrease as the pod count is increased, and vice-versa.  See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization.²

+arrayº
;
+9
+7#/definitions/io.k8s.api.autoscaling.v2beta2.MetricSpec
+ò
+minReplicasâint32"ÌminReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured.  Scaling is active as long as at least one metric value is available.²
	
+integer
+†
+scaleTargetRefó

+H#/definitions/io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReference"¦
scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count.
+»
+"io.k8s.api.core.v1.EndpointAddress”"<EndpointAddress is a tuple that describes single IP address.š
ip²

+objectÊ
Â
+6
+hostname*"The Hostname of this endpoint²

+string
+ 
+ip™"‹The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24). IPv6 is also accepted but not fully supported on all platforms. Also, certain kubernetes components, like kube-proxy, are not IPv6 ready.²

+string
+w
+nodeNamek"^Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.²

+string
+l
+	targetRef_
+0#/definitions/io.k8s.api.core.v1.ObjectReference"+Reference to object providing the endpoint.
+§
+"io.k8s.api.node.v1beta1.Scheduling€"TScheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.²

+objectÊ
›
+ç
+nodeSelectorÖ"¸nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.ª

+²

+string²

+object
+®
+tolerationsž"¹
tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.²

+arrayº
/
+-
++#/definitions/io.k8s.api.core.v1.Tolerationú
#
+x-kubernetes-list-type	atomic
+
+¡
+
+Fio.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationListÖ	"OValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.š
items²

+objectÊ
æ
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+”

+itemsŠ
"'List of ValidatingWebhookConfiguration.²

+arrayº
T
+R
+P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
„

+x-kubernetes-group-version-kinda_- version: v1
+  group: admissionregistration.k8s.io
+  kind: ValidatingWebhookConfigurationList
+
+Ì
+2io.k8s.api.authorization.v1.SelfSubjectRulesReview•"ˆSelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.š
spec²

+objectÊ
�
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+Š

+spec�

+D#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec"9Spec holds information about the request being evaluated.
+§

+statusœ

+B#/definitions/io.k8s.api.authorization.v1.SubjectRulesReviewStatus"VStatus is filled in by the server and indicates the set of actions a user can perform.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
p
+x-kubernetes-group-version-kindMK- kind: SelfSubjectRulesReview
+  version: v1
+  group: authorization.k8s.io
+
+À
+#io.k8s.api.rbac.v1beta1.ClusterRole˜"ù
ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRole, and will no longer be served in v1.22.²

+objectÊ
›	
+®
+aggregationRuleš
+5#/definitions/io.k8s.api.rbac.v1beta1.AggregationRule"à
AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+€

+rulesw"4Rules holds all the PolicyRules for this ClusterRole²

+arrayº
4
+2
+0#/definitions/io.k8s.api.rbac.v1beta1.PolicyRuleú
o
+x-kubernetes-group-version-kindLJ- group: rbac.authorization.k8s.io
+  kind: ClusterRole
+  version: v1beta1
+
+ù
+Xio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourcesœ"YCustomResourceSubresources defines the status and scale subresources for CustomResources.²

+objectÊ
²
+î

+scaleä

+j#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceScale"vscale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+¾
+status³
+k#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceStatus"Ãstatus indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+É
+.io.k8s.api.authentication.v1.TokenReviewStatus–"DTokenReviewStatus is the result of the token authentication request.²

+objectÊ
Á
+’
+	audiences„"çAudiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is "true", the token is valid against the audience of the Kubernetes API server.²

+arrayº

+²

+string
+g
+
authenticatedV"HAuthenticated indicates that the token was associated with a known user.²
	
+boolean
+H
+error?"2Error indicates that the token couldn't be checked²

+string
+w
+usero
+3#/definitions/io.k8s.api.authentication.v1.UserInfo"8User is the UserInfo associated with the provided token.
+‚
+1io.k8s.api.core.v1.ReplicationControllerConditionÌ"bReplicationControllerCondition describes the state of a replication controller at a certain point.š
typeš
status²

+objectÊ
É
+L
+statusB"5Status of the condition, one of True, False, Unknown.²

+string
+>
+type6")Type of replication controller condition.²

+string
+•

+lastTransitionTime
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"DThe last time the condition transitioned from one status to another.
+Y
+messageN"AA human readable message indicating details about the transition.²

+string
+F
+reason<"/The reason for the condition's last transition.²

+string
+å
+'io.k8s.api.core.v1.ConfigMapKeySelector¹"Selects a key from a ConfigMap.š
key²

+objectÊ
ƒ
+&
+key"The key to select.²

+string
+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+R
+optionalF"8Specify whether the ConfigMap or its key must be defined²
	
+boolean
+Æ
+,io.k8s.api.core.v1.ConfigMapNodeConfigSource•"lConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node.š
	namespaceš
nameš
kubeletConfigKey²

+objectÊ
ò
+¹

+kubeletConfigKey¤
"–
KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure This field is required in all cases.²

+string
+p
+nameh"[Name is the metadata.name of the referenced ConfigMap. This field is required in all cases.²

+string
+
+	namespacer"eNamespace is the metadata.namespace of the referenced ConfigMap. This field is required in all cases.²

+string
+±

+resourceVersion�
"�
ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.²

+string
+Œ

+uid„
"wUID is the metadata.UID of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.²

+string
+à	
+(io.k8s.api.core.v1.StorageOSVolumeSource³	"2Represents a StorageOS persistent volume resource.²

+objectÊ
ð
+À

+fsTypeµ
"§
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.²

+string
+x
+readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+Ï

+	secretRefÁ

+5#/definitions/io.k8s.api.core.v1.LocalObjectReference"‡
SecretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.
+‹

+
+volumeName}"pVolumeName is the human-readable name of the StorageOS volume.  Volume names are only unique within a namespace.²

+string
+Ð
+volumeNamespace¼"®VolumeNamespace specifies the scope of the volume within StorageOS.  If no namespace is specified then the Pod's namespace will be used.  This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.²

+string
+Û	
+"io.k8s.api.policy.v1beta1.Eviction´	"Ò
Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod.  A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.²

+objectÊ
ô
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+r
+
deleteOptionsa
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"DeleteOptions may be provided
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+€

+metadatat
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"3ObjectMeta describes the pod that is being evicted.ú
Y
+x-kubernetes-group-version-kind64- group: policy
+  kind: Eviction
+  version: v1beta1
+
+ 
++io.k8s.api.storage.v1beta1.VolumeAttachmentð"—
VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.
+
+VolumeAttachment objects are non-namespaced.š
spec²

+objectÊ
Ô	
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ð

+metadataÃ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"�
Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+©

+spec 

+=#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentSpec"_Specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.
+Õ

+statusÊ

+?#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentStatus"†
Status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.ú
i
+x-kubernetes-group-version-kindFD- group: storage.k8s.io
+  kind: VolumeAttachment
+  version: v1beta1
+
+å
+Uio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec‹"PCustomResourceDefinitionSpec describes how a user wants their resource to appearš
groupš
namesš
scopeš
versions²

+objectÊ
‡
+¥

+
+conversion–

+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion"3conversion defines conversion settings for the CRD.
+å

+groupÛ
"Í
group is the API group of the defined custom resource. The custom resources are served under `/apis/<group>/...`. Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).²

+string
+´

+namesª

+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"Bnames specify the resource and kind names for the custom resource.
+©
+preserveUnknownFields�"€preserveUnknownFields indicates that object fields which are not specified in the OpenAPI schema should be preserved when persisting to storage. apiVersion, kind, metadata and known fields inside metadata are always preserved. This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. See https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#pruning-versus-preserving-unknown-fields for details.²
	
+boolean
+›

+scope‘
"ƒ
scope indicates whether the defined custom resource is cluster- or namespace-scoped. Allowed values are `Cluster` and `Namespaced`.²

+string
+ó
+versionsæ"ìversions is the list of all API versions of the defined custom resource. Version names are used to compute the order in which served versions are listed in API discovery. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.²

+arrayº
j
+h
+f#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion
+Ö
+4io.k8s.api.admissionregistration.v1.ServiceReference�";ServiceReference holds a reference to Service.legacy.k8s.ioš
	namespaceš
name²

+objectÊ
¾
+@
+name8"+`name` is the name of the service. Required²

+string
+O
+	namespaceB"5`namespace` is the namespace of the service. Required²

+string
+f
+path^"Q`path` is an optional URL path which will be sent in any request to this service.²

+string
+À

+port·
int32"¡
If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).²
	
+integer
+¾
+/io.k8s.api.autoscaling.v2beta1.PodsMetricSourceŠ"å
PodsMetricSource indicates how to scale on a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.š

+metricNameš
targetAverageValue²

+objectÊ
ñ
+K
+
+metricName="0metricName is the name of the metric in question²

+string
+Ü
+selectorÏ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"Šselector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics.
+Â

+targetAverageValue«

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"ltargetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity)
+Å
+-io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta“"£
ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.²

+objectÊ
Þ
+ä
+continue×"Écontinue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.²

+string
+ß
+remainingItemCountÈint64"²remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.²
	
+integer
+¥
+resourceVersion‘"ƒString that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency²

+string
+ê

+selfLinkÝ
"Ï
selfLink is a URL representing this object. Populated by the system. Read-only.
+
+DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.²

+string
+ô
+io.k8s.api.core.v1.NodeØ"iNode is a worker node in Kubernetes. Each node will have a unique identifier in the cache (i.e. in etcd).²

+objectÊ
�
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¿

+spec¶

+)#/definitions/io.k8s.api.core.v1.NodeSpec"ˆ
Spec defines the behavior of a node. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ø

+statusí

++#/definitions/io.k8s.api.core.v1.NodeStatus"½
Most recently observed status of the node. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
L
+x-kubernetes-group-version-kind)'- group: ""
+  kind: Node
+  version: v1
+
+ý
+,io.k8s.api.core.v1.RBDPersistentVolumeSourceÌ"ˆ
Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.š
monitorsš
image²

+objectÊ
Ÿ
+€

+poolx"kThe rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+string
+´

+readOnly§
"˜
ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²
	
+boolean
+ô

+	secretRefæ

+0#/definitions/io.k8s.api.core.v1.SecretReference"±
SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+‚

+userz"mThe rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+string
+³
+fsType¨"šFilesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd²

+string
+r
+imagei"\The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+string
+«

+keyringŸ
"‘
Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+string
+Ž

+monitors�
"eA collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+arrayº

+²

+string
+ë
+%io.k8s.api.events.v1beta1.EventSeriesÁ"qEventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time.š
countš
lastObservedTime²

+objectÊ
¤
+n
+counteint32"Pcount is the number of occurrences in this series up to the last heartbeat time.²
	
+integer
+±

+lastObservedTimeœ

+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"\lastObservedTime is the time when last Event from the series was seen before last heartbeat.
+ù
+,io.k8s.api.policy.v1.PodDisruptionBudgetSpecÈ"BPodDisruptionBudgetSpec is a description of a PodDisruptionBudget.²

+objectÊ
õ
+Ç
+minAvailable¶
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"ô
An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod.  So for example you can prevent all voluntary evictions by specifying "100%".
+µ
+selector¨
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"·
Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.ú
)
+x-kubernetes-patch-strategy
+replace
+
+ð
+maxUnavailableÝ
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"›An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".
+ê
+Sio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources’"YCustomResourceSubresources defines the status and scale subresources for CustomResources.²

+objectÊ
¨
+é

+scaleß

+e#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale"vscale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+¹
+status®
+f#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus"Ãstatus indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+�
+Fio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceConditionÒ"NAPIServiceCondition describes the state of an APIService at a particular pointš
typeš
status²

+objectÊ
ã
+‘

+lastTransitionTime{
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another.
+X
+messageM"@Human-readable message indicating details about last transition.²

+string
+^
+reasonT"GUnique, one-word, CamelCase reason for the condition's last transition.²

+string
+Z
+statusP"CStatus is the status of the condition. Can be True, False, Unknown.²

+string
+7
+type/""Type is the type of the condition.²

+string
+Ù
+io.k8s.api.batch.v1.CronJob¹":CronJob represents the configuration of a single cron job.²

+objectÊ
™
+
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ö

+specí

+-#/definitions/io.k8s.api.batch.v1.CronJobSpec"»
Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+Ë

+statusÀ

+/#/definitions/io.k8s.api.batch.v1.CronJobStatus"Œ
Current status of a cron job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
R
+x-kubernetes-group-version-kind/-- group: batch
+  kind: CronJob
+  version: v1
+
+¦
++io.k8s.api.core.v1.ContainerStateTerminatedö">ContainerStateTerminated is a terminated state of a container.š
exitCode²

+objectÊ
œ
+�

+	startedAtt
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"9Time at which previous execution of the container started
+R
+containerIDC"6Container's ID in the format 'docker://<container_id>'²

+string
+W
+exitCodeKint32"6Exit status from the last termination of the container²
	
+integer
+t
+
+finishedAtf
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"+Time at which the container last terminated
+O
+messageD"7Message regarding the last termination of the container²

+string
+P
+reasonF"9(brief) reason from the last termination of the container²

+string
+P
+signalFint32"1Signal from the last termination of the container²
	
+integer
+�$
+io.k8s.api.core.v1.PodStatusï#"¶
PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.²

+objectÊ
§"
+g
+hostIP]"PIP address of the host to which the pod is assigned. Empty if not yet scheduled.²

+string
+Û

+	startTimeÍ

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"‘
RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.
+x
+podIPo"bIP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.²

+string
+›
+
+conditionsŒ"xCurrent service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions²

+arrayº
1
+/
+-#/definitions/io.k8s.api.core.v1.PodConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+¬
+containerStatuses–"Ò
The list has one entry per container in the manifest. Each entry is currently the output of `docker inspect`. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.ContainerStatus
+‰
+ephemeralContainerStatusesê
"¦
Status for any ephemeral containers that have run in this pod. This field is alpha-level and is only populated by servers that enable the EphemeralContainers feature.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.ContainerStatus
+ü
+initContainerStatusesâ"žThe list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.ContainerStatus
+k
+message`"SA human readable message indicating details about why the pod is in this condition.²

+string
+Í
+nominatedNodeName·"©nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.²

+string
+Æ	
+phase¼	"®	The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:
+
+Pending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.
+
+More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase²

+string
+‡
+podIPsü"ð
podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list is empty if no IPs have been allocated yet.²

+arrayº
*
+(
+&#/definitions/io.k8s.api.core.v1.PodIPú
%
+x-kubernetes-patch-merge-keyip
+ú
'
+x-kubernetes-patch-strategymerge
+
+ƒ
+qosClassö
"è
The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md²

+string
+v
+reasonl"_A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'²

+string
+Ì	
+\io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionStatusë"RCustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition²

+objectÊ
ˆ
+ù

+
acceptedNamesç

+i#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames"zacceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec.
+ª
+
+conditions›"Nconditions indicate state for particular aspects of a CustomResourceDefinition²

+arrayº
q
+o
+m#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionConditionú
 
+x-kubernetes-list-typemap
+ú
'
+x-kubernetes-list-map-keys	- type
+
+Ü
+storedVersionsÉ"¬storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.²

+arrayº

+²

+string
+´4
+3io.k8s.api.admissionregistration.v1.MutatingWebhookü3"^MutatingWebhook describes an admission webhook and the resources and operations it applies to.š
nameš
clientConfigš
sideEffectsš
admissionReviewVersions²

+objectÊ
Ï2
+œ
+timeoutSeconds‰int32"ó
TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.²
	
+integer
+–
+admissionReviewVersionsú"ÝAdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.²

+arrayº

+²

+string
+¬

+
failurePolicyš
"Œ
FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.²

+string
+é
+objectSelectorÖ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‘ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
+é
+rulesß"‡Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.²

+arrayº
H
+F
+D#/definitions/io.k8s.api.admissionregistration.v1.RuleWithOperations
+�
+reinvocationPolicyù"ëreinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
+
+Never: the webhook will not be called more than once in a single admission evaluation.
+
+IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+
+Defaults to "Never".²

+string
+õ
+sideEffectså"×SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.²

+string
+™

+clientConfigˆ

+E#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig"?ClientConfig defines how to communicate with the hook. Required
+œ
+matchPolicyŒ"þmatchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
+
+- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+
+- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+
+Defaults to "Equivalent"²

+string
+ç

+nameÞ
"Ð
The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.²

+string
+Ý	
+namespaceSelectorÇ	
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‚	NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
+
+For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
+  "matchExpressions": [
+    {
+      "key": "runlevel",
+      "operator": "NotIn",
+      "values": [
+        "0",
+        "1"
+      ]
+    }
+  ]
+}
+
+If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
+  "matchExpressions": [
+    {
+      "key": "environment",
+      "operator": "In",
+      "values": [
+        "prod",
+        "staging"
+      ]
+    }
+  ]
+}
+
+See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
+
+Default to the empty LabelSelector, which matches everything.
+·
+ io.k8s.api.apps.v1.DaemonSetSpec’"3DaemonSetSpec is the specification of a daemon set.š
selectorš
template²

+objectÊ
¸
+
+’
+minReadySecondsþ
int32"è
The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).²
	
+integer
+¿

+revisionHistoryLimit¦
int32"�
The number of old history to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.²
	
+integer
+Á
+selector´
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ï
A label query over pods that are managed by the daemon set. Must match in order to be controlled. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+„
+template÷
+0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"ÂAn object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+“

+updateStrategy€

+8#/definitions/io.k8s.api.apps.v1.DaemonSetUpdateStrategy"DAn update strategy to replace existing DaemonSet pods with new pods.
+Ö
+io.k8s.api.core.v1.VolumeDevice²"JvolumeDevice describes a mapping of a raw block device within a container.š
nameš

+devicePath²

+objectÊ
Ã

+l
+
+devicePath^"QdevicePath is the path inside of the container that the device will be mapped to.²

+string
+S
+nameK">name must match the name of a persistentVolumeClaim in the pod²

+string
+©	
+*io.k8s.api.scheduling.v1.PriorityClassListú"6PriorityClassList is a collection of priority classes.š
items²

+objectÊ
À
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+t
+itemsk"$items is the list of PriorityClasses²

+arrayº
8
+6
+4#/definitions/io.k8s.api.scheduling.v1.PriorityClass
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
h
+x-kubernetes-group-version-kindEC- version: v1
+  group: scheduling.k8s.io
+  kind: PriorityClassList
+
+¶	
+*io.k8s.api.storage.v1.VolumeAttachmentList‡	"AVolumeAttachmentList is a collection of VolumeAttachment objects.š
items²

+objectÊ
Â
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+v
+itemsm"&Items is the list of VolumeAttachments²

+arrayº
8
+6
+4#/definitions/io.k8s.api.storage.v1.VolumeAttachment
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
h
+x-kubernetes-group-version-kindEC- group: storage.k8s.io
+  kind: VolumeAttachmentList
+  version: v1
+
+«
+Vio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionÐ"…CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format <.spec.name>.<.spec.group>. Deprecated in v1.16, planned for removal in v1.22. Use apiextensions.k8s.io/v1 CustomResourceDefinition instead.š
spec²

+objectÊ
¸
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+®

+spec¥

+h#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec"9spec describes how the user wants the resources to appear
+º

+status¯

+j#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionStatus"Astatus indicates the actual state of the CustomResourceDefinition
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
w
+x-kubernetes-group-version-kindTR- kind: CustomResourceDefinition
+  version: v1beta1
+  group: apiextensions.k8s.io
+
+Ü
+
+-io.k8s.api.authentication.v1beta1.TokenReviewª
+"§
TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.š
spec²

+objectÊ
ü
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+ƒ

+spec{
+?#/definitions/io.k8s.api.authentication.v1beta1.TokenReviewSpec"8Spec holds information about the request being evaluated
+©

+statusž

+A#/definitions/io.k8s.api.authentication.v1beta1.TokenReviewStatus"YStatus is filled in by the server and indicates whether the request can be authenticated.ú
k
+x-kubernetes-group-version-kindHF- group: authentication.k8s.io
+  kind: TokenReview
+  version: v1beta1
+
+ì
++io.k8s.api.autoscaling.v2beta1.MetricStatus¼">MetricStatus describes the last-read state of a single metric.š
type²

+objectÊ
æ
+ô
+externalç
+A#/definitions/io.k8s.api.autoscaling.v2beta1.ExternalMetricStatus"¡external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).
+Â

+object·

+?#/definitions/io.k8s.api.autoscaling.v2beta1.ObjectMetricStatus"tobject refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).
+•
+podsŒ
+=#/definitions/io.k8s.api.autoscaling.v2beta1.PodsMetricStatus"Ê
pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.
+™
+resourceŒ
+A#/definitions/io.k8s.api.autoscaling.v2beta1.ResourceMetricStatus"Æresource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
+¥
+typeœ"Žtype is the type of metric source.  It will be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled²

+string
+Ë
+containerResourceµ
+J#/definitions/io.k8s.api.autoscaling.v2beta1.ContainerResourceMetricStatus"æcontainer resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
+ 
+%io.k8s.api.core.v1.ComponentConditionö"/Information about the condition of a component.š
typeš
status²

+objectÊ
¦
+s
+messageh"[Message about the condition for a component. For example, information about a health check.²

+string
+z
+statusp"cStatus of the condition for a component. Valid values for "Healthy": "True", "False", or "Unknown".²

+string
+N
+typeF"9Type of condition for a component. Valid value: "Healthy"²

+string
+c
+errorZ"MCondition error code for a component. For example, a health check error code.²

+string
+ž
+(io.k8s.api.core.v1.ProjectedVolumeSourceñ"$Represents a projected volume source²

+objectÊ
¼
+Î
+defaultMode¾int32"¨Mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.²
	
+integer
+i
+sources^"list of volume projections²

+arrayº
5
+3
+1#/definitions/io.k8s.api.core.v1.VolumeProjection
+�
+*io.k8s.api.discovery.v1beta1.EndpointHintsà"KEndpointHints provides hints describing how an endpoint should be consumed.²

+objectÊ
„
+�
+forZonesô
"ˆ
forZones indicates the zone(s) this endpoint should be consumed by to enable topology aware routing. May contain a maximum of 8 entries.²

+arrayº
6
+4
+2#/definitions/io.k8s.api.discovery.v1beta1.ForZoneú
#
+x-kubernetes-list-type	atomic
+
+Ÿ
+3io.k8s.api.flowcontrol.v1beta1.QueuingConfigurationç
+"CQueuingConfiguration holds the configuration parameters for queuing²

+objectÊ
“
+
+¢
+handSize•int32"ÿ`handSize` is a small positive number that configures the shuffle sharding of requests into queues.  When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here.  The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues).  See the user-facing documentation for more extensive guidance on setting this field.  This field has a default value of 8.²
	
+integer
+“
+queueLengthLimitþ
int32"è
`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected.  This value must be positive.  If not specified, it will be defaulted to 50.²
	
+integer
+Õ
+queuesÊint32"´`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive.  Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant.  This field has a default value of 64.²
	
+integer
+š	
+&io.k8s.api.storage.v1.StorageClassListï"4StorageClassList is a collection of storage classes.š
items²

+objectÊ
»
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+o
+itemsf"#Items is the list of StorageClasses²

+arrayº
4
+2
+0#/definitions/io.k8s.api.storage.v1.StorageClassú
d
+x-kubernetes-group-version-kindA?- group: storage.k8s.io
+  kind: StorageClassList
+  version: v1
+
+ú	
+<io.k8s.api.autoscaling.v2beta1.ContainerResourceMetricSource¹	"ÓContainerResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  The values will be averaged together before being compared to the target.  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.  Only one "target" type should be set.š
nameš
	container²

+objectÊ
Á
+b
+	containerU"Hcontainer is the name of the container in the pods of the scaling target²

+string
+B
+name:"-name is the name of the resource in question.²

+string
+ð

+targetAverageUtilizationÓ
int32"½
targetAverageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.²
	
+integer
+£
+targetAverageValueŒ
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"Ì
targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the "pods" metric source type.
+Ÿ	
+:io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerListà"GHorizontalPodAutoscaler is a list of horizontal pod autoscaler objects.š
items²

+objectÊ
Œ
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+˜

+itemsŽ
"7items is the list of horizontal pod autoscaler objects.²

+arrayº
H
+F
+D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+r
+metadataf
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"'metadata is the standard list metadata.ú
q
+x-kubernetes-group-version-kindNL- group: autoscaling
+  kind: HorizontalPodAutoscalerList
+  version: v2beta1
+
+å
+(io.k8s.api.batch.v1beta1.JobTemplateSpec¸"QJobTemplateSpec describes the data a Job should have when created from a template²

+objectÊ
Ö
+ù

+metadataì

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ª
Standard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+×

+specÎ

+)#/definitions/io.k8s.api.batch.v1.JobSpec" 
Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+Ÿ
+io.k8s.api.core.v1.PodIP‚"¦
IP address information for entries in the (plural) PodIPs field. Each entry includes:
+   IP: An IP address allocated to the pod. Routable at least within the cluster.²

+objectÊ
K
+I
+ipC"6ip is an IP address (IPv4 or IPv6) assigned to the pod²

+string
+ë
+)io.k8s.api.flowcontrol.v1beta1.FlowSchema½
"æ
FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".²

+objectÊ
Ñ
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+ä

+metadata×

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"•
`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ü

+specó

+;#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaSpec"³
`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ë

+statusà

+=#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaStatus"ž
`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
q
+x-kubernetes-group-version-kindNL- version: v1beta1
+  group: flowcontrol.apiserver.k8s.io
+  kind: FlowSchema
+
+×

+Bio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSON�
"�
JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.
+ð
+1io.k8s.api.authentication.v1.BoundObjectReferenceº"JBoundObjectReference is a reference to an object that a token is bound to.²

+objectÊ
ß

+7
+
+apiVersion)"API version of the referent.²

+string
+N
+kindF"9Kind of the referent. Valid kinds are 'Pod' and 'Secret'.²

+string
+*
+name""Name of the referent.²

+string
+(
+uid!"UID of the referent.²

+string
+�
+
+4io.k8s.api.authorization.v1beta1.SubjectAccessReviewä	"PSubjectAccessReview checks whether or not a user or group can perform an action.š
spec²

+objectÊ
‡
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+‹

+spec‚

+F#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewSpec"8Spec holds information about the request being evaluated
+¬

+status¡

+H#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or notú
r
+x-kubernetes-group-version-kindOM- version: v1beta1
+  group: authorization.k8s.io
+  kind: SubjectAccessReview
+
+î
+ io.k8s.api.apps.v1.DaemonSetListÉ"-DaemonSetList is a collection of daemon sets.š
items²

+objectÊ
©
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+\
+itemsS"A list of daemon sets.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.apps.v1.DaemonSet
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
W
+x-kubernetes-group-version-kind42- group: apps
+  kind: DaemonSetList
+  version: v1
+
+¡
+9io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationã"LPriorityLevelConfiguration represents the configuration of a priority level.²

+objectÊ
�
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+ä

+metadata×

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"•
`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+”
+spec‹
+K#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationSpec"»
`spec` is the specification of the desired behavior of a "request-priority". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ƒ
+statusø

+M#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationStatus"¦
`status` is the current status of a "request-priority". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
�

+x-kubernetes-group-version-kind^\- group: flowcontrol.apiserver.k8s.io
+  kind: PriorityLevelConfiguration
+  version: v1beta1
+
+ë
+=io.k8s.api.networking.v1beta1.IngressClassParametersReference©"}IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.š
kindš
name²

+objectÊ
�
+Â

+	namespace´
"¦
Namespace is the namespace of the resource being referenced. This field is required when scope is set to "Namespace" and must be unset when scope is set to "Cluster".²

+string
+Þ

+scopeÔ
"Æ
Scope represents if this refers to a cluster or namespace scoped resource. This may be set to "Cluster" (default) or "Namespace". Field can be enabled with IngressClassNamespacedParams feature gate.²

+string
+Ú

+apiGroupÍ
"¿
APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.²

+string
+C
+kind;".Kind is the type of resource being referenced.²

+string
+C
+name;".Name is the name of resource being referenced.²

+string
+í
+5io.k8s.api.policy.v1beta1.RuntimeClassStrategyOptions³"iRuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.š
allowedRuntimeClassNames²

+objectÊ
ž
+º
+allowedRuntimeClassNames�"€allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.²

+arrayº

+²

+string
+Þ

+defaultRuntimeClassNameÂ
"´
defaultRuntimeClassName is the default RuntimeClassName to set on the pod. The default MUST be allowed by the allowedRuntimeClassNames list. A value of nil does not mutate the Pod.²

+string
+¦
+Qio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionÐ
+"”
CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format <.spec.name>.<.spec.group>.š
spec²

+objectÊ
®
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+©

+spec 

+c#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec"9spec describes how the user wants the resources to appear
+µ

+statusª

+e#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus"Astatus indicates the actual state of the CustomResourceDefinition
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
r
+x-kubernetes-group-version-kindOM- group: apiextensions.k8s.io
+  kind: CustomResourceDefinition
+  version: v1
+
+”
+-io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1â"ÔFieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.
+
+Each key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.
+
+The exact format is defined in sigs.k8s.io/structured-merge-diff²

+object
+»
+1io.k8s.api.authentication.v1beta1.TokenReviewSpec…"ETokenReviewSpec is a description of the token authentication request.²

+objectÊ
¯
+ó
+	audienceså"ÈAudiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.²

+arrayº

+²

+string
+7
+token."!Token is the opaque bearer token.²

+string
+…
+6io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerÊ"Î
HorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified.²

+objectÊ
ú	
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+à

+metadataÓ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‘
metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+„
+specû

+H#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerSpec"®
spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+�

+status…

+J#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerStatus"7status is the current information about the autoscaler.ú
m
+x-kubernetes-group-version-kindJH- group: autoscaling
+  kind: HorizontalPodAutoscaler
+  version: v2beta2
+
+È
+(io.k8s.api.core.v1.ResourceFieldSelector›"ZResourceFieldSelector represents container resources (cpu, memory) and their output formatš
resource²

+objectÊ
¥
+Y
+
containerNameH";Container name: required for volumes, optional for env vars²

+string
+�

+divisor„

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"ESpecifies the output format of the exposed resources, defaults to "1"
+5
+resource)"Required: resource to select²

+string
+‚
+'io.k8s.api.core.v1.ResourceRequirementsÖ"AResourceRequirements describes the compute resource requirements.²

+objectÊ
„
+ö

+limitsë
"›
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+ˆ
+requestsû"«Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+¨
+3io.k8s.api.core.v1.TopologySelectorLabelRequirementð"~A topology selector requirement is a selector that matches given label. This is an alpha feature and may change in the future.š
keyš
values²

+objectÊ
Ò

+?
+key8"+The label key that the selector applies to.²

+string
+Ž

+valuesƒ
"gAn array of string values. One value must match the label to be selected. Each entry in Values is ORed.²

+arrayº

+²

+string
+ƒ
+2io.k8s.api.extensions.v1beta1.HTTPIngressRuleValueÌ"£HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.š
paths²

+objectÊ
�

+Œ

+paths‚
"4A collection of paths that map requests to backends.²

+arrayº
?
+=
+;#/definitions/io.k8s.api.extensions.v1beta1.HTTPIngressPath
+¦
+ io.k8s.api.networking.v1.Ingress�
"€Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.²

+objectÊ
Ž
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ø

+specÏ

+2#/definitions/io.k8s.api.networking.v1.IngressSpec"˜
Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+Þ

+statusÓ

+4#/definitions/io.k8s.api.networking.v1.IngressStatus"š
Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
^
+x-kubernetes-group-version-kind;9- group: networking.k8s.io
+  kind: Ingress
+  version: v1
+
+Ö
+&io.k8s.api.apps.v1.ReplicaSetCondition«"LReplicaSetCondition describes the state of a replica set at a certain point.š
typeš
status²

+objectÊ
¾
+•

+lastTransitionTime
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"DThe last time the condition transitioned from one status to another.
+Y
+messageN"AA human readable message indicating details about the transition.²

+string
+F
+reason<"/The reason for the condition's last transition.²

+string
+L
+statusB"5Status of the condition, one of True, False, Unknown.²

+string
+3
+type+"Type of replica set condition.²

+string
+¼
+(io.k8s.api.authorization.v1.ResourceRule�"¬
ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.š
verbs²

+objectÊ
É
+¹

+
resourceNames§
"Š
ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.²

+arrayº

+²

+string
+ä

+	resourcesÖ
"¹
Resources is a list of resources this rule applies to.  "*" means all in the specified apiGroups.
+ "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.²

+arrayº

+²

+string
+�

+verbs“
"wVerb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.²

+arrayº

+²

+string
+ƒ
+	apiGroupsõ
"Ø
APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.  "*" means all.²

+arrayº

+²

+string
+ð
+8io.k8s.api.authorization.v1beta1.SelfSubjectAccessReview³"ö
SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a spec.namespace means "in all namespaces".  Self is a special case, because users should always be able to check whether they can perform an actionš
spec²

+objectÊ
«
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+¯

+spec¦

+J#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReviewSpec"XSpec holds information about the request being evaluated.  user and groups must be empty
+¬

+status¡

+H#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or notú
v
+x-kubernetes-group-version-kindSQ- group: authorization.k8s.io
+  kind: SelfSubjectAccessReview
+  version: v1beta1
+
+�
+:io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReferenceÂ"bCrossVersionObjectReference contains enough information to let you identify the referred resource.š
kindš
name²

+objectÊ
Á
+˜

+kind�
"�
Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"²

+string
+l
+named"WName of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names²

+string
+6
+
+apiVersion("API version of the referent²

+string
+Ç
+0io.k8s.api.core.v1.GCEPersistentDiskVolumeSource’"ÁRepresents a Persistent Disk resource in Google Compute Engine.
+
+A GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.š
pdName²

+objectÊ
¶
+²

+pdName§
"™
Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk²

+string
+¾

+readOnly±
"¢
ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk²
	
+boolean
+Á
+fsType¶"¨Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk²

+string
+ù
+	partitionëint32"ÕThe partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk²
	
+integer
+ä
+io.k8s.api.core.v1.PodDNSConfigÀ"_PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.²

+objectÊ
Ð
+Ä

+nameservers´
"—
A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.²

+arrayº

+²

+string
+µ
+options©"â
A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.core.v1.PodDNSConfigOption
+Î

+searchesÁ
"¤
A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.²

+arrayº

+²

+string
+ë
+
+0io.k8s.api.core.v1.ScaleIOPersistentVolumeSource¶
+"DScaleIOPersistentVolumeSource represents a persistent ScaleIO volumeš
gatewayš
systemš
	secretRef²

+objectÊ
Â	
+[
+storagePoolL"?The ScaleIO Storage Pool associated with the protection domain.²

+string
+�

+
+volumeNames"fThe name of a volume already created in the ScaleIO system that is associated with this volume source.²

+string
+f
+protectionDomainR"EThe name of the ScaleIO Protection Domain for the configured storage.²

+string
+x
+readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+`
+
+sslEnabledR"DFlag to enable/disable SSL communication with Gateway, default false²
	
+boolean
+’

+storageMode‚
"uIndicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.²

+string
+O
+systemE"8The name of the storage system as configured in ScaleIO.²

+string
+ 

+fsType•
"‡
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs"²

+string
+D
+gateway9",The host address of the ScaleIO API Gateway.²

+string
+Ë

+	secretRef½

+0#/definitions/io.k8s.api.core.v1.SecretReference"ˆ
SecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.
+³
+,io.k8s.api.core.v1.TypedLocalObjectReference‚"~TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.š
kindš
name²

+objectÊ
å
+Ú

+apiGroupÍ
"¿
APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.²

+string
+B
+kind:"-Kind is the type of resource being referenced²

+string
+B
+name:"-Name is the name of resource being referenced²

+string
+Û
+9io.k8s.api.admissionregistration.v1beta1.ServiceReference�";ServiceReference holds a reference to Service.legacy.k8s.ioš
	namespaceš
name²

+objectÊ
¾
+@
+name8"+`name` is the name of the service. Required²

+string
+O
+	namespaceB"5`namespace` is the namespace of the service. Required²

+string
+f
+path^"Q`path` is an optional URL path which will be sent in any request to this service.²

+string
+À

+port·
int32"¡
If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).²
	
+integer
+“
+%io.k8s.api.apps.v1.DeploymentStrategyé"HDeploymentStrategy describes how to replace existing pods with new ones.²

+objectÊ
�
+h
+type`"SType of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.²

+string
+£

+
rollingUpdate‘

+8#/definitions/io.k8s.api.apps.v1.RollingUpdateDeployment"URolling update config params. Present only if DeploymentStrategyType = RollingUpdate.
+“

+*io.k8s.apimachinery.pkg.apis.meta.v1.Patche"XPatch is provided to give a concrete name and type to the Kubernetes PATCH request body.²

+object
+Ú
+io.k8s.api.core.v1.NodeStatus¸"=NodeStatus is information about the current status of a node.²

+objectÊ
ê
+q
+imagesg"%List of container images on this node²

+arrayº
3
+1
+/#/definitions/io.k8s.api.core.v1.ContainerImage
+¯

+nodeInfo¢

+/#/definitions/io.k8s.api.core.v1.NodeSystemInfo"oSet of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info
+d
+volumesInUseT"8List of attachable volumes in use (mounted) by the node.²

+arrayº

+²

+string
+¥
+
+conditions–"€
Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/concepts/nodes/node/#condition²

+arrayº
2
+0
+.#/definitions/io.k8s.api.core.v1.NodeConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+t
+daemonEndpointsa
+4#/definitions/io.k8s.api.core.v1.NodeDaemonEndpoints")Endpoints of daemons running on the Node.
+â

+capacityÕ
"…
Capacity represents the total resources of a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+‘

+config†

+1#/definitions/io.k8s.api.core.v1.NodeConfigStatus"QStatus of the config assigned to the node via the dynamic Kubelet config feature.
+Í

+phaseÃ
"µ
NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.²

+string
+ƒ

+volumesAttachedp".List of volumes that are attached to the node.²

+arrayº
3
+1
+/#/definitions/io.k8s.api.core.v1.AttachedVolume
+¦
+	addresses˜"„List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See http://pr.k8s.io/79391 for an example.²

+arrayº
0
+.
+,#/definitions/io.k8s.api.core.v1.NodeAddressú
'
+x-kubernetes-patch-strategymerge
+ú
'
+x-kubernetes-patch-merge-keytype
+
+Æ

+allocatable¶
"gAllocatable represents the resources of a node that are available for scheduling. Defaults to Capacity.ª
?
+=
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity²

+object
+º
+"io.k8s.api.rbac.v1.AggregationRule“"VAggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole²

+objectÊ
¬
+©
+clusterRoleSelectors�"¼
ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added²

+arrayº
D
+B
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector
+à
+"io.k8s.api.core.v1.SecretReference¹"lSecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace²

+objectÊ
¼

+V
+nameN"AName is unique within a namespace to reference a secret resource.²

+string
+b
+	namespaceU"HNamespace defines the space within which the secret name must be unique.²

+string
+¤
+
+Iio.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationListÖ	"KMutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.š
items²

+objectÊ
ç
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+•

+items‹
"%List of MutatingWebhookConfiguration.²

+arrayº
W
+U
+S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
‡

+x-kubernetes-group-version-kinddb- version: v1beta1
+  group: admissionregistration.k8s.io
+  kind: MutatingWebhookConfigurationList
+
+Ø
+Cio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus�"AAPIServiceStatus contains derived information about an API server²

+objectÊ
¾
+»
+
+conditions¬"$Current service state of apiService.²

+arrayº
X
+V
+T#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceConditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+ú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+ê
+%io.k8s.api.core.v1.PodSecurityContextÀ"ô
PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.²

+objectÊ
º
+È
+fsGroup¼int64"¦A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
+
+1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----
+
+If unset, the Kubelet will not modify the ownership and permissions of any volume.²
	
+integer
+°
+fsGroupChangePolicy˜"ŠfsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.²

+string
+À
+	runAsUser²int64"œThe UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.²
	
+integer
+…
+seLinuxOptionsò
+/#/definitions/io.k8s.api.core.v1.SELinuxOptions"¾The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.
+Í
+windowsOptionsº
+>#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions"÷
The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+£
+
+runAsGroup”int64"þ
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.²
	
+integer
+º
+runAsNonRoot©"šIndicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.²
	
+boolean
+~
+seccompProfilel
+/#/definitions/io.k8s.api.core.v1.SeccompProfile"9The seccomp options to use by the containers in this pod.
+ç

+supplementalGroupsÐ
"«
A list of groups applied to the first process run in each container, in addition to the container's primary GID.  If unspecified, no groups will be added to any container.²

+arrayº

+int64²
	
+integer
+Ñ

+sysctlsÅ
"Š
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.²

+arrayº
+
+)
+'#/definitions/io.k8s.api.core.v1.Sysctl
+œ
+$io.k8s.api.core.v1.SecretKeySelectoró",SecretKeySelector selects a key of a Secret.š
key²

+objectÊ
°
+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+O
+optionalC"5Specify whether the Secret or its key must be defined²
	
+boolean
+V
+keyO"BThe key of the secret to select from.  Must be a valid secret key.²

+string
+‘
+(io.k8s.api.core.v1.SessionAffinityConfigä
"HSessionAffinityConfig represents the configurations of session affinity.²

+objectÊ
‹

+ˆ

+clientIP|
+/#/definitions/io.k8s.api.core.v1.ClientIPConfig"IclientIP contains the configurations of Client IP based session affinity.
+ 
+)io.k8s.api.storage.v1.VolumeNodeResourcesò"JVolumeNodeResources is a set of resource limits for scheduling of volumes.²

+objectÊ
—
+”
+countŠint32"ôMaximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.²
	
+integer
+ç
+3io.k8s.api.autoscaling.v2beta2.ResourceMetricSource¯"ÊResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  The values will be averaged together before being compared to the target.  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.  Only one "target" type should be set.š
nameš
target²

+objectÊ
Ã

+B
+name:"-name is the name of the resource in question.²

+string
+}
+targets
+9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric
+È
+&io.k8s.api.batch.v1beta1.CronJobStatus�"9CronJobStatus represents the current state of a cron job.²

+objectÊ
Ó
+“

+lastSuccessfulTime}
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"BInformation when was the last time the job successfully completed.
+¡

+active–
"-A list of pointers to currently running jobs.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.ObjectReferenceú
#
+x-kubernetes-list-type	atomic
+
+–

+lastScheduleTime�

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"FInformation when was the last time the job was successfully scheduled.
+�
+-io.k8s.api.core.v1.FlexPersistentVolumeSourceÝ"ƒ
FlexPersistentVolumeSource represents a generic persistent volume resource that is provisioned/attached using an exec based plugin.š
driver²

+objectÊ
¿
+O
+driverE"8Driver is the name of the driver to use for this volume.²

+string
+Ä

+fsType¹
"«
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.²

+string
+O
+optionsD"'Optional: Extra command options if any.ª

+²

+string²

+object
+‚

+readOnlyv"hOptional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+Î
+	secretRefÀ
+0#/definitions/io.k8s.api.core.v1.SecretReference"‹Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.
+„
+io.k8s.api.rbac.v1.RoleListä"!RoleList is a collection of Rolesš
items²

+objectÊ
À
+f
+metadataZ
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Y
+itemsP"Items is a list of Roles²

+arrayº
)
+'
+%#/definitions/io.k8s.api.rbac.v1.Role
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
g
+x-kubernetes-group-version-kindDB- group: rbac.authorization.k8s.io
+  kind: RoleList
+  version: v1
+
+�
+:io.k8s.api.autoscaling.v2beta1.CrossVersionObjectReferenceÂ"bCrossVersionObjectReference contains enough information to let you identify the referred resource.š
kindš
name²

+objectÊ
Á
+l
+named"WName of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names²

+string
+6
+
+apiVersion("API version of the referent²

+string
+˜

+kind�
"�
Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"²

+string
+ƒ
+io.k8s.api.core.v1.EndpointPortß"5EndpointPort is a tuple that describes a single port.š
port²

+objectÊ
’
+b
+protocolV"IThe IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.²

+string
+½
+appProtocol­"ŸThe application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol. This is a beta field that is guarded by the ServiceAppProtocol feature gate and enabled by default.²

+string
+¬

+name£
"•
The name of this port.  This must match the 'name' field in the corresponding ServicePort. Must be a DNS_LABEL. Optional only if one port is defined.²

+string
+=
+port5int32" The port number of the endpoint.²
	
+integer
+º
+
+<io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerStatusù	"ZHorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.š
currentReplicasš
desiredReplicasš

+conditions²

+objectÊ
Ý
+ü

+
+conditionsí
"Œ
conditions is the set of conditions required for this autoscaler to scale its target, and indicates whether or not those conditions are met.²

+arrayº
Q
+O
+M#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerCondition
+¬

+currentMetrics™
"McurrentMetrics is the last read state of the metrics used by this autoscaler.²

+arrayº
=
+;
+9#/definitions/io.k8s.api.autoscaling.v2beta1.MetricStatus
+š

+currentReplicas†
int32"qcurrentReplicas is current number of replicas of pods managed by this autoscaler, as last seen by the autoscaler.²
	
+integer
+¤

+desiredReplicas�
int32"{desiredReplicas is the desired number of replicas of pods managed by this autoscaler, as last calculated by the autoscaler.²
	
+integer
+î

+
lastScaleTimeÜ

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" 
lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, used by the autoscaler to control how often the number of pods is changed.
+x
+observedGenerationbint64"MobservedGeneration is the most recent generation observed by this autoscaler.²
	
+integer
+ž
+!io.k8s.api.core.v1.ContainerStateø"¥
ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.²

+objectÊ
Á
+f
+running[
+6#/definitions/io.k8s.api.core.v1.ContainerStateRunning"!Details about a running container
+o
+
+terminateda
+9#/definitions/io.k8s.api.core.v1.ContainerStateTerminated"$Details about a terminated container
+f
+waiting[
+6#/definitions/io.k8s.api.core.v1.ContainerStateWaiting"!Details about a waiting container
+è
+"io.k8s.api.core.v1.ContainerStatusÁ"JContainerStatus contains details for the current status of this container.š
nameš
readyš
restartCountš
imageš
imageID²

+objectÊ
¶
+
+S
+containerIDD"7Container's ID in the format 'docker://<container_id>'.²

+string
+z
+imageq"dThe image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images²

+string
+¿
+restartCount®int32"˜The number of times the container has been restarted, currently based on the number of dead containers that have not yet been removed. Note that this is calculated from dead containers. But those containers are subject to garbage collection. This value will get capped at 5 by GC.²
	
+integer
+9
+imageID."!ImageID of the container's image.²

+string
+y
+	lastStatel
+/#/definitions/io.k8s.api.core.v1.ContainerState"9Details about the container's last termination condition.
+r
+namej"]This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.²

+string
+V
+readyM"?Specifies whether the container has passed its readiness probe.²
	
+boolean
+°
+started¤"•Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.²
	
+boolean
+l
+statec
+/#/definitions/io.k8s.api.core.v1.ContainerState"0Details about the container's current condition.
+©
+&io.k8s.api.core.v1.LoadBalancerIngressþ"�
LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.²

+objectÊ
Ü
+{
+hostnameo"bHostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers)²

+string
+{
+ipu"hIP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers)²

+string
+ß

+portsÕ
"qPorts is a list of records of service ports If used, every port defined in the service should have an entry in it²

+arrayº
/
+-
++#/definitions/io.k8s.api.core.v1.PortStatusú
#
+x-kubernetes-list-type	atomic
+
+‚
+*io.k8s.api.core.v1.PreferredSchedulingTermÓ"®
An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).š
weightš

+preference²

+objectÊ
ý

+‚

+
+preferencet
+1#/definitions/io.k8s.api.core.v1.NodeSelectorTerm"?A node selector term, associated with the corresponding weight.
+v
+weightlint32"WWeight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.²
	
+integer
+›
+.io.k8s.api.storage.v1beta1.VolumeNodeResourcesè"JVolumeNodeResources is a set of resource limits for scheduling of volumes.²

+objectÊ
�
+Š
+count€int32"êMaximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is nil, then the supported number of volumes on this node is unbounded.²
	
+integer
+•4
+8io.k8s.api.admissionregistration.v1beta1.MutatingWebhookØ3"^MutatingWebhook describes an admission webhook and the resources and operations it applies to.š
nameš
clientConfig²

+objectÊ
Ó2
+°
+admissionReviewVersions”"÷AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy. Default to `['v1beta1']`.²

+arrayº

+²

+string
+ž

+clientConfig�

+J#/definitions/io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig"?ClientConfig defines how to communicate with the hook. Required
+ç

+nameÞ
"Ð
The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.²

+string
+Ý	
+namespaceSelectorÇ	
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‚	NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
+
+For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
+  "matchExpressions": [
+    {
+      "key": "runlevel",
+      "operator": "NotIn",
+      "values": [
+        "0",
+        "1"
+      ]
+    }
+  ]
+}
+
+If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
+  "matchExpressions": [
+    {
+      "key": "environment",
+      "operator": "In",
+      "values": [
+        "prod",
+        "staging"
+      ]
+    }
+  ]
+}
+
+See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
+
+Default to the empty LabelSelector, which matches everything.
+é
+objectSelectorÖ
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‘ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
+�
+reinvocationPolicyù"ëreinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
+
+Never: the webhook will not be called more than once in a single admission evaluation.
+
+IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+
+Defaults to "Never".²

+string
+î
+rulesä"‡Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.²

+arrayº
M
+K
+I#/definitions/io.k8s.api.admissionregistration.v1beta1.RuleWithOperations
+œ
+timeoutSeconds‰int32"ó
TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 30 seconds.²
	
+integer
+®

+
failurePolicyœ
"Ž
FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.²

+string
+—
+matchPolicy‡"ùmatchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
+
+- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+
+- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+
+Defaults to "Exact"²

+string
+Ø
+sideEffectsÈ"ºSideEffects states whether this webhook has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.²

+string
+…
+6io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerÊ"Î
HorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified.²

+objectÊ
ú	
+„
+specû

+H#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec"®
spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+�

+status…

+J#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerStatus"7status is the current information about the autoscaler.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+à

+metadataÓ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‘
metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
m
+x-kubernetes-group-version-kindJH- group: autoscaling
+  kind: HorizontalPodAutoscaler
+  version: v2beta1
+
+Ó	
+7io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry—	"sManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.²

+objectÊ
“
+�

+fieldsV1�

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"QFieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+W
+managerL"?Manager is an identifier of the workflow managing these fields.²

+string
+²

+	operation¤
"–
Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.²

+string
+¦

+time�

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"bTime is timestamp of when these fields were set. It should always be empty if Operation is 'Apply'
+–
+
+apiVersion‡"ù
APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.²

+string
+ 

+
+fieldsType‘
"ƒ
FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"²

+string
+¨A
+/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMetaô@"lObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.²

+objectÊ
÷?
+¢
+	namespace”"†Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+
+Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces²

+string
+³
+uid«"�UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+
+Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids²

+string
+À
+annotations°"’Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotationsª

+²

+string²

+object
+�
+clusterName�"ÿ
The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.²

+string
+î
+creationTimestampØ
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"œCreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Þ
+
+finalizersÏ"ˆMust be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.²

+arrayº

+²

+stringú
'
+x-kubernetes-patch-strategymerge
+
+¶
+generateName¥"—GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+
+If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).
+
+Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency²

+string
+‚
+labels÷
"Ù
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labelsª

+²

+string²

+object
+ê

+selfLinkÝ
"Ï
SelfLink is a URL representing this object. Populated by the system. Read-only.
+
+DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.²

+string
+ð

+deletionGracePeriodSecondsÑ
int64"»
Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.²
	
+integer
+¤
+deletionTimestampŽ
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"Ò
+DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+
+Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+’

+
+generationƒ
int64"nA sequence number representing a specific generation of the desired state. Populated by the system. Read-only.²
	
+integer
+ø
+ownerReferencesä"¼List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.²

+arrayº
E
+C
+A#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReferenceú
'
+x-kubernetes-patch-strategymerge
+ú
&
+x-kubernetes-patch-merge-keyuid
+
+ƒ
+
managedFieldsñ"˜ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.²

+arrayº
I
+G
+E#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry
+õ
+nameì"ÞName must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names²

+string
+‘
+resourceVersioný"ïAn opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+
+Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency²

+string
+Ê
+#io.k8s.api.apps.v1.ReplicaSetStatus¢"?ReplicaSetStatus represents the current status of a ReplicaSet.š
replicas²

+objectÊ
Ç
+Ø

+replicasË
int32"µ
Replicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller²
	
+integer
+…

+availableReplicaspint32"[The number of available replicas (ready for at least minReadySeconds) for this replica set.²
	
+integer
+ø

+
+conditionsé
"NRepresents the latest available observations of a replica set's current state.²

+arrayº
8
+6
+4#/definitions/io.k8s.api.apps.v1.ReplicaSetConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+‹

+fullyLabeledReplicassint32"^The number of pods that have labels matching the labels of the pod template of the replicaset.²
	
+integer
+
+observedGenerationiint64"TObservedGeneration reflects the generation of the most recently observed ReplicaSet.²
	
+integer
+X
+
readyReplicasGint32"2The number of ready replicas for this replica set.²
	
+integer
+Œ
+#io.k8s.api.core.v1.NodeSelectorTermä"¥
A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.²

+objectÊ
­
+–

+matchExpressions�
"6A list of node selector requirements by node's labels.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.core.v1.NodeSelectorRequirement
+‘

+matchFields�
"6A list of node selector requirements by node's fields.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.core.v1.NodeSelectorRequirement
+å	
+.io.k8s.api.rbac.v1beta1.ClusterRoleBindingList²	"º
ClusterRoleBindingList is a collection of ClusterRoleBindings. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBindingList, and will no longer be served in v1.22.š
items²

+objectÊ
á
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+z
+itemsq"&Items is a list of ClusterRoleBindings²

+arrayº
<
+:
+8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+f
+metadataZ
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ú
z
+x-kubernetes-group-version-kindWU- group: rbac.authorization.k8s.io
+  kind: ClusterRoleBindingList
+  version: v1beta1
+
+½	
+Wio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatusá"RCustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition²

+objectÊ
þ
+¥
+
+conditions–"Nconditions indicate state for particular aspects of a CustomResourceDefinition²

+arrayº
l
+j
+h#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionConditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+
+Ü
+storedVersionsÉ"¬storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.²

+arrayº

+²

+string
+ô

+
acceptedNamesâ

+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"zacceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec.
+•
+
+Dio.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationListÌ	"KMutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.š
items²

+objectÊ
â
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+�

+items†
"%List of MutatingWebhookConfiguration.²

+arrayº
R
+P
+N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
‚

+x-kubernetes-group-version-kind_]- group: admissionregistration.k8s.io
+  kind: MutatingWebhookConfigurationList
+  version: v1
+
+¶
+
+!io.k8s.api.apps.v1.ReplicaSetSpec�
+"4ReplicaSetSpec is the specification of a ReplicaSet.š
selector²

+objectÊ
À	
+ƒ
+minReadySecondsï
int32"Ù
Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)²
	
+integer
+¡
+replicas”int32"þ
Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller²
	
+integer
+ý
+selectorð
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"«Selector is a label query over pods that should match the replica count. Label keys and values that must match in order to be controlled by this replica set. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+“
+template†
+0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"Ñ
Template is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+Ù
+%io.k8s.api.core.v1.LoadBalancerStatus¯"<LoadBalancerStatus represents the status of a load-balancer.²

+objectÊ
â

+ß

+ingressÓ
"‹
Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.²

+arrayº
8
+6
+4#/definitions/io.k8s.api.core.v1.LoadBalancerIngress
+Ë
+,io.k8s.api.extensions.v1beta1.IngressBackendš"DIngressBackend describes all endpoints for a given service and port.²

+objectÊ
Å
+ø

+resourceë

+:#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"¬
Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, serviceName and servicePort must not be specified.
+I
+serviceName:"-Specifies the name of the referenced service.²

+string
+}
+servicePortn
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"-Specifies the port of the referenced service.
+º
+io.k8s.api.rbac.v1.ClusterRole—"ˆ
ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.²

+objectÊ
�	
+©
+aggregationRule•
+0#/definitions/io.k8s.api.rbac.v1.AggregationRule"à
AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+{
+rulesr"4Rules holds all the PolicyRules for this ClusterRole²

+arrayº
/
+-
++#/definitions/io.k8s.api.rbac.v1.PolicyRuleú
j
+x-kubernetes-group-version-kindGE- group: rbac.authorization.k8s.io
+  kind: ClusterRole
+  version: v1
+
+”
+
+io.k8s.api.core.v1.PodTemplateñ	"IPodTemplate describes a template for creating copies of a predefined pod.²

+objectÊ
Á
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ì

+templateß

+0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"ª
Template defines the pods that will be created from this pod template. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
S
+x-kubernetes-group-version-kind0.- group: ""
+  kind: PodTemplate
+  version: v1
+
+¹
+;io.k8s.api.policy.v1beta1.SupplementalGroupsStrategyOptionsù"dSupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.²

+objectÊ
„
+‹
+ranges€"½
ranges are the allowed ranges of supplemental groups.  If you would like to force a single supplemental group then supply a single range with the same start and end. Required for MustRunAs.²

+arrayº
3
+1
+/#/definitions/io.k8s.api.policy.v1beta1.IDRange
+t
+rulel"_rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.²

+string
+Ò
++io.k8s.api.scheduling.v1beta1.PriorityClass¢"á
DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass. PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.š
value²

+objectÊ
»
+¦
+
globalDefault”"…globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.²
	
+boolean
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+„
+preemptionPolicyï
"á
PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is beta-level, gated by the NonPreemptingPriority feature-gate.²

+string
+¨

+valuež
int32"ˆ
The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.²
	
+integer
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+‹

+description|"odescription is an arbitrary string that usually provides guidelines on when this priority class should be used.²

+stringú
i
+x-kubernetes-group-version-kindFD- group: scheduling.k8s.io
+  kind: PriorityClass
+  version: v1beta1
+
+¸	
+/io.k8s.api.scheduling.v1beta1.PriorityClassList„	"6PriorityClassList is a collection of priority classes.š
items²

+objectÊ
Å
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+y
+itemsp"$items is the list of PriorityClasses²

+arrayº
=
+;
+9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
m
+x-kubernetes-group-version-kindJH- group: scheduling.k8s.io
+  kind: PriorityClassList
+  version: v1beta1
+
+ò

+Tio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrArray™
"–
JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps or an array of JSONSchemaProps. Mainly here for serialization purposes.
+‰
+!io.k8s.api.apps.v1.DeploymentSpecã
"NDeploymentSpec is the specification of the desired behavior of the Deployment.š
selectorš
template²

+objectÊ
î
+ƒ
+minReadySecondsï
int32"Ù
Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)²
	
+integer
+@
+paused6"(Indicates that the deployment is paused.²
	
+boolean
+ 
+progressDeadlineSeconds„int32"îThe maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. Defaults to 600s.²
	
+integer
+’

+replicas…
int32"pNumber of desired pods. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.²
	
+integer
+Ã

+revisionHistoryLimitª
int32"”
The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.²
	
+integer
+ö

+selectoré

+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"¤
Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment. It must match the pod template's labels.
+¹

+strategy¬

+3#/definitions/io.k8s.api.apps.v1.DeploymentStrategy"FThe deployment strategy to use to replace existing pods with new ones.ú
,
+x-kubernetes-patch-strategy
retainKeys
+
+q
+templatee
+0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"1Template describes the pods that will be created.
+Ÿ
+io.k8s.api.core.v1.NodeSelectorû"¼
A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.š
nodeSelectorTerms²

+objectÊ
™

+–

+nodeSelectorTerms€
"<Required. A list of node selector terms. The terms are ORed.²

+arrayº
5
+3
+1#/definitions/io.k8s.api.core.v1.NodeSelectorTerm
+�
+4io.k8s.api.flowcontrol.v1beta1.ServiceAccountSubject×"RServiceAccountSubject holds detailed information for service-account-kind subject.š
	namespaceš
name²

+objectÊ
á

+y
+nameq"d`name` is the name of matching ServiceAccount objects, or "*" to match regardless of name. Required.²

+string
+d
+	namespaceW"J`namespace` is the namespace of matching ServiceAccount objects. Required.²

+string
+ƒ
+2io.k8s.api.networking.v1beta1.HTTPIngressRuleValueÌ"£HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.š
paths²

+objectÊ
�

+Œ

+paths‚
"4A collection of paths that map requests to backends.²

+arrayº
?
+=
+;#/definitions/io.k8s.api.networking.v1beta1.HTTPIngressPath
+�
+
+\io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceColumnDefinition¼	"KCustomResourceColumnDefinition specifies a column for server side printing.š
nameš
typeš
JSONPath²

+objectÊ
Ç
+ª

+JSONPath�
"�
JSONPath is a simple JSON path (i.e. with array notation) which is evaluated against each custom resource to produce the value for this column.²

+string
+W
+descriptionH";description is a human readable description of this column.²

+string
+¸
+format­"Ÿformat is an optional OpenAPI type definition for this column. The 'name' format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.²

+string
+B
+name:"-name is a human readable name for the column.²

+string
+�
+priority€int32"ê
priority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a priority greater than 0.²
	
+integer
+¯

+type¦
"˜
type is an OpenAPI type definition for this column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.²

+string
+í
+io.k8s.api.apps.v1.ReplicaSetË
"YReplicaSet ensures that a specified number of pod replicas are running at any given time.²

+objectÊ
Š
+õ

+specì

+/#/definitions/io.k8s.api.apps.v1.ReplicaSetSpec"¸
Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+Ç
+status¼
+1#/definitions/io.k8s.api.apps.v1.ReplicaSetStatus"†Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+È
+metadata»
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ù
If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
T
+x-kubernetes-group-version-kind1/- group: apps
+  kind: ReplicaSet
+  version: v1
+
+ó
+io.k8s.api.events.v1.EventListÐ"%EventList is a list of Event objects.š
items²

+objectÊ
³
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+f
+items]""items is a list of schema objects.²

+arrayº
,
+*
+(#/definitions/io.k8s.api.events.v1.Event
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
\
+x-kubernetes-group-version-kind97- group: events.k8s.io
+  kind: EventList
+  version: v1
+
+ª
+ io.k8s.api.batch.v1.JobCondition…".JobCondition describes current state of a job.š
typeš
status²

+objectÊ
¶
+?
+type7"*Type of job condition, Complete or Failed.²

+string
+p
+
lastProbeTime_
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"$Last time the condition was checked.
+Œ

+lastTransitionTimev
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time";Last time the condition transit from one status to another.
+X
+messageM"@Human readable message indicating details about last transition.²

+string
+J
+reason@"3(brief) reason for the condition's last transition.²

+string
+L
+statusB"5Status of the condition, one of True, False, Unknown.²

+string
+Ã

+io.k8s.api.discovery.v1.ForZoneŸ
"LForZone provides information about which zones should consume this endpoint.š
name²

+objectÊ
<
+:
+name2"%name represents the name of the zone.²

+string
+Ó
+*io.k8s.api.networking.v1.NetworkPolicySpec¤"?NetworkPolicySpec provides the specification of a NetworkPolicyš
podSelector²

+objectÊ
Æ
+Ï
+egressÄ"òList of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8²

+arrayº
B
+@
+>#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule
+ã
+ingress×"„List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)²

+arrayº
C
+A
+?#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule
+Û
+podSelectorË
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"†Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
+­
+policyTypes�"€List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8²

+arrayº

+²

+string
+…"
+Zio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec¦!"PCustomResourceDefinitionSpec describes how a user wants their resource to appearš
groupš
namesš
scope²

+objectÊ
­ 
+Ñ
+preserveUnknownFields·"¨preserveUnknownFields indicates that object fields which are not specified in the OpenAPI schema should be preserved when persisting to storage. apiVersion, kind, metadata and known fields inside metadata are always preserved. If false, schemas must be defined for all versions. Defaults to true in v1beta for backwards compatibility. Deprecated: will be required to be false in v1. Preservation of unknown fields can be specified in the validation schema using the `x-kubernetes-preserve-unknown-fields: true` extension. See https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#pruning-versus-preserving-unknown-fields for details.²
	
+boolean
+´

+scopeª
"œ
scope indicates whether the defined custom resource is cluster- or namespace-scoped. Allowed values are `Cluster` and `Namespaced`. Default is `Namespaced`.²

+string
+Ã
+subresources²
+f#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresources"Ç
subresources specify what subresources the defined custom resource has. If present, this field configures subresources for all versions. Top-level and per-version subresources are mutually exclusive.
+ª

+
+conversion›

+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceConversion"3conversion defines conversion settings for the CRD.
+å

+groupÛ
"Í
group is the API group of the defined custom resource. The custom resources are served under `/apis/<group>/...`. Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).²

+string
+¹

+names¯

+i#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames"Bnames specify the resource and kind names for the custom resource.
+�
+versions�"‘versions is the list of all API versions of the defined custom resource. Optional if `version` is specified. The name of the first item in the `versions` list must match the `version` field if `version` and `versions` are both specified. Version names are used to compute the order in which served versions are listed in API discovery. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.²

+arrayº
o
+m
+k#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionVersion
+Å
+additionalPrinterColumns¨"ªadditionalPrinterColumns specifies additional columns returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. If present, this field configures columns for all versions. Top-level and per-version columns are mutually exclusive. If no top-level or per-version columns are specified, a single column displaying the age of the custom resource is used.²

+arrayº
n
+l
+j#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceColumnDefinition
+Î
+
+validation¿
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceValidation"Ö
validation describes the schema used for validation and pruning of the custom resource. If present, this validation schema is used to validate all versions. Top-level and per-version schemas are mutually exclusive.
+Ï
+versionÃ"µversion is the API version of the defined custom resource. The custom resources are served under `/apis/<group>/<version>/...`. Must match the name of the first item in the `versions` list if `version` and `versions` are both specified. Optional if `versions` is specified. Deprecated: use `versions` instead.²

+string
+Õ
+5io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList›"*list of horizontal pod autoscaler objects.š
items²

+objectÊ
é
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+…

+items|"*list of horizontal pod autoscaler objects.²

+arrayº
C
+A
+?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+b
+metadataV
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.ú
l
+x-kubernetes-group-version-kindIG- group: autoscaling
+  kind: HorizontalPodAutoscalerList
+  version: v1
+
+é
+<io.k8s.api.autoscaling.v2beta2.ContainerResourceMetricSource¨"ÓContainerResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  The values will be averaged together before being compared to the target.  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.  Only one "target" type should be set.š
nameš
targetš
	container²

+objectÊ
§
+b
+	containerU"Hcontainer is the name of the container in the pods of the scaling target²

+string
+B
+name:"-name is the name of the resource in question.²

+string
+}
+targets
+9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric
+×	
+9io.k8s.api.certificates.v1beta1.CertificateSigningRequest™	"'Describes a certificate signing request²

+objectÊ
ç
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+–

+spec�

+K#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestSpec">The certificate request itself and any additional information.
+�

+statusw
+M#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestStatus"&Derived information about the request.ú
w
+x-kubernetes-group-version-kindTR- group: certificates.k8s.io
+  kind: CertificateSigningRequest
+  version: v1beta1
+
+þ	
+io.k8s.api.core.v1.Bindingß	"¡
Binding ties one object to another; for example, a pod is bound to a node by a scheduler. Deprecated in 1.7, please use the bindings subresource of pods instead.š
target²

+objectÊ
Ñ
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+}
+targets
+0#/definitions/io.k8s.api.core.v1.ObjectReference"?The target object that you want to bind to the standard object.ú
O
+x-kubernetes-group-version-kind,*- group: ""
+  kind: Binding
+  version: v1
+
+¢
+'io.k8s.api.core.v1.EmptyDirVolumeSourceö"uRepresents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.²

+objectÊ
ð
+…
+mediumú
"ì
What type of storage medium should back this directory. The default is "" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir²

+string
+å
+	sizeLimit×
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"—Total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir
+Ã
+0io.k8s.api.core.v1.PersistentVolumeClaimTemplateŽ"sPersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.š
spec²

+objectÊ
ƒ
+è

+metadataÛ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"™
May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.
+•
+specŒ
+:#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimSpec"Í
The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.
+õ
+0io.k8s.api.core.v1.ServiceAccountTokenProjectionÀ"ì
ServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).š
path²

+objectÊ
»
+’
+audience…"÷
Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.²

+string
+¹
+expirationSeconds£int64"�ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.²
	
+integer
+h
+path`"SPath is the path relative to the mount point of the file to project the token into.²

+string
+×
+3io.k8s.api.autoscaling.v2beta2.ExternalMetricStatusŸ"nExternalMetricStatus indicates the current value of a global metric not associated with any Kubernetes object.š
metricš
current²

+objectÊ
�
+„

+currenty
+>#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric
+ƒ

+metricy
+=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector
+Â
+/io.k8s.api.autoscaling.v2beta2.PodsMetricSourceŽ"å
PodsMetricSource indicates how to scale on a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.š
metricš
target²

+objectÊ
…
+ƒ

+metricy
+=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector
+}
+targets
+9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric
+¢9
+io.k8s.api.core.v1.Volume„9"[Volume represents a named volume in a pod that may be accessed by any container in the pod.š
name²

+objectÊ
‘8
+�

+quobyteƒ

+4#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource"KQuobyte represents a Quobyte mount on the host that shares a pod's lifetime
+Ÿ

+	azureFile‘

+6#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource"WAzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+Ð

+cinderÅ

+3#/definitions/io.k8s.api.core.v1.CinderVolumeSource"�
Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ˆ

+	configMap{
+6#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource"AConfigMap represents a configMap that should populate this volume
+Ä

+nfs¼

+0#/definitions/io.k8s.api.core.v1.NFSVolumeSource"‡
NFS represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+Î

+photonPersistentDiskµ

+A#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"pPhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+»	
+	ephemeral­	
+6#/definitions/io.k8s.api.core.v1.EphemeralVolumeSource"òEphemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.
+
+Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity
+   tracking are needed,
+c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through
+   a PersistentVolumeClaim (see EphemeralVolumeSource for more
+   information on the connection between this volume type
+   and PersistentVolumeClaim).
+
+Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.
+
+Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.
+
+A pod can use both types of ephemeral volumes and persistent volumes at the same time.
+
+This is a beta feature and only available when the GenericEphemeralVolume feature gate is enabled.
+Ø

+	glusterfsÊ

+6#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource"�
Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md
+É

+rbdÁ

+0#/definitions/io.k8s.api.core.v1.RBDVolumeSource"Œ
RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md
+œ

+	azureDiskŽ

+6#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource"TAzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+ž

+downwardAPIŽ

+8#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource"RDownwardAPI represents downward API about the pod that should populate this volume
+É
+gitRepo½
+4#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource"„GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.
+œ

+scaleIO�

+4#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource"XScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+”
+hostPath‡
+5#/definitions/io.k8s.api.core.v1.HostPathVolumeSource"ÍHostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+®

+name¥
"—
Volume's name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+¬
+persistentVolumeClaim’
+B#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource"Ë
PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+¤
+gcePersistentDiskŽ
+>#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"Ë
GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+í

+iscsiã

+2#/definitions/io.k8s.api.core.v1.ISCSIVolumeSource"¬
ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md
+Å

+secretº

+3#/definitions/io.k8s.api.core.v1.SecretVolumeSource"‚
Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+¬

+
+flexVolume�

+1#/definitions/io.k8s.api.core.v1.FlexVolumeSource"hFlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.
+±
+awsElasticBlockStore˜
+A#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"Ò
AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+º

+csi²

+0#/definitions/io.k8s.api.core.v1.CSIVolumeSource"~CSI (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).
+‹

+	projected~
+6#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource"DItems for all in one resources secrets, configmaps, and downward API
+¬

+
vsphereVolumeš

+?#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"WVsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+™

+	storageos‹

+6#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource"QStorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+Œ

+cephfs�

+3#/definitions/io.k8s.api.core.v1.CephFSVolumeSource"JCephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+Ö

+emptyDirÉ

+5#/definitions/io.k8s.api.core.v1.EmptyDirVolumeSource"�
EmptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ª

+fc£

+/#/definitions/io.k8s.api.core.v1.FCVolumeSource"pFC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+È

+flocker¼

+4#/definitions/io.k8s.api.core.v1.FlockerVolumeSource"ƒ
Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+¥

+portworxVolume’

+5#/definitions/io.k8s.api.core.v1.PortworxVolumeSource"YPortworxVolume represents a portworx volume attached and mounted on kubelets host machine
+ó
+"io.k8s.api.apps.v1.DaemonSetStatusÌ">DaemonSetStatus represents the current status of a daemon set.š
currentNumberScheduledš
numberMisscheduledš
desiredNumberScheduledš
numberReady²

+objectÊ
¨
+˜

+numberReadyˆ
int32"sThe number of nodes that should be running the daemon pod and have one or more of the daemon pod running and ready.²
	
+integer
+Å

+numberUnavailable¯
int32"™
The number of nodes that should be running the daemon pod and have none of the daemon pod running and available (ready for at least spec.minReadySeconds)²
	
+integer
+õ

+
+conditionsæ
"LRepresents the latest available observations of a DaemonSet's current state.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.apps.v1.DaemonSetConditionú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+
+ã

+currentNumberScheduledÈ
int32"²
The number of nodes that are running at least 1 daemon pod and are supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/²
	
+integer
+Ê

+numberAvailable¶
int32" 
The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and available (ready for at least spec.minReadySeconds)²
	
+integer
+Ý

+numberMisscheduledÆ
int32"°
The number of nodes that are running the daemon pod, but are not supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/²
	
+integer
+ä

+collisionCountÑ
int32"»
Count of hash collisions for the DaemonSet. The DaemonSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.²
	
+integer
+ô

+desiredNumberScheduledÙ
int32"Ã
The total number of nodes that should be running the daemon pod (including nodes correctly running the daemon pod). More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/²
	
+integer
+l
+observedGenerationVint64"AThe most recent generation observed by the daemon set controller.²
	
+integer
+l
+updatedNumberScheduledRint32"=The total number of nodes that are running updated daemon pod²
	
+integer
+Ç

+#io.k8s.api.autoscaling.v1.ScaleSpecŸ
":ScaleSpec describes the attributes of a scale subresource.²

+objectÊ
U
+S
+replicasGint32"2desired number of instances for the scaled object.²
	
+integer
+ê
+
+(io.k8s.api.policy.v1.PodDisruptionBudget½
+"hPodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods²

+objectÊ
â
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+‡

+spec
+:#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec"ASpecification of the desired behavior of the PodDisruptionBudget.
+ƒ

+statusy
+<#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus"9Most recently observed status of the PodDisruptionBudget.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
_
+x-kubernetes-group-version-kind<:- kind: PodDisruptionBudget
+  version: v1
+  group: policy
+
+¯
+*io.k8s.api.apps.v1.RollingUpdateDeployment€"7Spec to control the desired behavior of rolling update.²

+objectÊ
¸
+å
+maxSurgeØ
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"–The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.
+Í
+maxUnavailableº
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"øThe maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.
+ø
+3io.k8s.api.autoscaling.v2beta1.ResourceMetricSourceÀ"ÊResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  The values will be averaged together before being compared to the target.  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.  Only one "target" type should be set.š
name²

+objectÊ
Ý
+B
+name:"-name is the name of the resource in question.²

+string
+ð

+targetAverageUtilizationÓ
int32"½
targetAverageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.²
	
+integer
+£
+targetAverageValueŒ
+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"Ì
targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the "pods" metric source type.
+´
+io.k8s.api.rbac.v1.RoleBinding‘"·RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace.š
roleRef²

+objectÊ
Ñ
+à

+roleRefÔ

+(#/definitions/io.k8s.api.rbac.v1.RoleRef"§
RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.
+„

+subjectsx"=Subjects holds references to the objects the role applies to.²

+arrayº
,
+*
+(#/definitions/io.k8s.api.rbac.v1.Subject
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.ú
j
+x-kubernetes-group-version-kindGE- group: rbac.authorization.k8s.io
+  kind: RoleBinding
+  version: v1
+
+°
+
+Kio.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationListà	"OValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.š
items²

+objectÊ
ë
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+™

+items�
"'List of ValidatingWebhookConfiguration.²

+arrayº
Y
+W
+U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú
‰

+x-kubernetes-group-version-kindfd- group: admissionregistration.k8s.io
+  kind: ValidatingWebhookConfigurationList
+  version: v1beta1
+
+„
+:io.k8s.api.certificates.v1.CertificateSigningRequestStatusÅ"Ž
CertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, and the issued certificate.²

+objectÊ
¥
+Š
+certificateú
+byte"À
+certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable.
+
+If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
+
+Validation requirements:
+ 1. certificate must contain one or more PEM blocks.
+ 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
+  must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
+ 3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
+  to allow for explanatory text as described in section 5.2 of RFC7468.
+
+If more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.
+
+The certificate is encoded in PEM format.
+
+When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
+
+    base64(
+    -----BEGIN CERTIFICATE-----
+    ...
+    -----END CERTIFICATE-----
+    )²

+stringú
#
+x-kubernetes-list-type	atomic
+
+•
+
+conditions†"[conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".²

+arrayº
O
+M
+K#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestConditionú
'
+x-kubernetes-list-map-keys	- type
+ú
 
+x-kubernetes-list-typemap
+
+�
++io.k8s.api.networking.v1beta1.IngressStatusÑ
"8IngressStatus describe the current state of the Ingress.²

+objectÊ
ˆ

+…

+loadBalanceru
+3#/definitions/io.k8s.api.core.v1.LoadBalancerStatus">LoadBalancer contains the current status of the load-balancer.
+š	
+(io.k8s.api.storage.v1beta1.CSIDriverListí"3CSIDriverList is a collection of CSIDriver objects.š
items²

+objectÊ
¸
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+l
+itemsc"items is the list of CSIDriver²

+arrayº
6
+4
+2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
f
+x-kubernetes-group-version-kindCA- version: v1beta1
+  group: storage.k8s.io
+  kind: CSIDriverList
+
+ö
+
+Vio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames›
+"XCustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinitionš
pluralš
kind²

+objectÊ
¢	
+q
+listKinde"XlistKind is the serialized kind of the list for this resource. Defaults to "`kind`List".²

+string
+�
+plural‚"ô
plural is the plural name of the resource to serve. The custom resources are served under `/apis/<group>/<version>/.../<plural>`. Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`). Must be all lowercase.²

+string
+á

+
+shortNamesÒ
"µ
shortNames are short names for the resource, exposed in API discovery documents, and used by clients to support invocations like `kubectl get <shortname>`. It must be all lowercase.²

+arrayº

+²

+string
+€

+singulart"gsingular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.²

+string
+ô

+
+categorieså
"È
categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). This is published in API discovery documents, and used by clients to support invocations like `kubectl get all`.²

+arrayº

+²

+string
+¾

+kindµ
"§
kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the `kind` attribute in API calls.²

+string
+Ù
+.io.k8s.apimachinery.pkg.apis.meta.v1.Condition¦"TCondition contains details for one aspect of the current state of this API Resource.š
typeš
statusš
lastTransitionTimeš
reasonš
message²

+objectÊ
‰
+
+L
+statusB"5status of the condition, one of True, False, Unknown.²

+string
+T
+typeL"?type of condition in CamelCase or in foo.example.com/CamelCase.²

+string
+¸
+lastTransitionTime¡
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"å
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+�

+messagev"imessage is a human readable message indicating details about the transition. This may be an empty string.²

+string
+È
+observedGeneration±int64"›observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.²
	
+integer
+Ø
+reasonÍ"¿reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.²

+string
+Â
+/io.k8s.apimachinery.pkg.util.intstr.IntOrStringŽ
int-or-string"ñ
IntOrString is a type that can hold an int32 or a string.  When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type.  This allows you to have, for example, a JSON field that can accept a name or number.²

+string
+ž
+io.k8s.api.apps.v1.StatefulSetû
+"ŸStatefulSet represents a set of pods with consistent identities. Identities are defined as:
+ - Network: A single stable DNS and hostname.
+ - Storage: As many VolumeClaims as requested.
+The StatefulSet guarantees that a given network identity will always map to the same storage identity.²

+objectÊ
ò
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+t
+specl
+0#/definitions/io.k8s.api.apps.v1.StatefulSetSpec"8Spec defines the desired identities of pods in this set.
+¯

+status¤

+2#/definitions/io.k8s.api.apps.v1.StatefulSetStatus"nStatus is the current status of Pods in this StatefulSet. This data may be out of date by some window of time.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
U
+x-kubernetes-group-version-kind20- group: apps
+  kind: StatefulSet
+  version: v1
+
+¿
+"io.k8s.api.core.v1.SecretEnvSource˜"¹
SecretEnvSource selects a Secret to populate the environment variables with.
+
+The contents of the target Secret's Data field will represent the key-value pairs as environment variables.²

+objectÊ
Í

+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+D
+optional8"*Specify whether the Secret must be defined²
	
+boolean
+ë

+io.k8s.api.core.v1.EventSourceÈ
".EventSource contains information for an event.²

+objectÊ
‰

+F
+	component9",Component from which the event is generated.²

+string
+?
+host7"*Node name on which the event is generated.²

+string
+‹
+&io.k8s.api.flowcontrol.v1beta1.Subjectà"´
Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.š
kind²

+objectÊ
�
+D
+group;
+9#/definitions/io.k8s.api.flowcontrol.v1beta1.GroupSubject
+
+kind"Required²

+string
+V
+serviceAccountD
+B#/definitions/io.k8s.api.flowcontrol.v1beta1.ServiceAccountSubject
+B
+user:
+8#/definitions/io.k8s.api.flowcontrol.v1beta1.UserSubjectú
Ž

+x-kubernetes-unionswu- fields-to-discriminateBy:
+    group: Group
+    serviceAccount: ServiceAccount
+    user: User
+  discriminator: kind
+
+Ž
+
+io.k8s.api.core.v1.NodeSpecî	">NodeSpec describes the attributes that a node is created with.²

+objectÊ
Ÿ	
+Ï

+
unschedulable½
"®
Unschedulable controls node schedulability of new pods. By default, node is schedulable. More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration²
	
+boolean
+Ö

+configSourceÅ

+1#/definitions/io.k8s.api.core.v1.NodeConfigSource"�
If specified, the source to get node configuration from The DynamicKubeletConfig feature gate must be enabled for the Kubelet to use this field
+†

+
+externalIDx"kDeprecated. Not all kubelets will set this field. Remove field after 1.13. see: https://issues.k8s.io/61966²

+string
+Q
+podCIDRF"9PodCIDR represents the pod IP range assigned to the node.²

+string
+¬
+podCIDRsŸ"Ø
podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for each of IPv4 and IPv6.²

+arrayº

+²

+stringú
'
+x-kubernetes-patch-strategymerge
+
+�

+
+providerIDs"fID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>²

+string
+c
+taintsY" If specified, the node's taints.²

+arrayº
*
+(
+&#/definitions/io.k8s.api.core.v1.Taint
+ó
+'io.k8s.api.core.v1.TopologySelectorTermÇ"‘A topology selector term represents the result of label queries. A null or empty topology selector term matches no objects. The requirements of them are ANDed. It provides a subset of functionality as NodeSelectorTerm. This is an alpha feature and may change in the future.²

+objectÊ
¤

+¡

+matchLabelExpressions‡
"3A list of topology selector requirements by labels.²

+arrayº
E
+C
+A#/definitions/io.k8s.api.core.v1.TopologySelectorLabelRequirement
+ð
+6io.k8s.api.flowcontrol.v1beta1.PolicyRulesWithSubjectsµ"•PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.š
subjects²

+objectÊ
ƒ
+Ù
+
resourceRulesÇ"Î
`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.²

+arrayº
C
+A
+?#/definitions/io.k8s.api.flowcontrol.v1beta1.ResourcePolicyRuleú
#
+x-kubernetes-list-type	atomic
+
+�
+subjectsô"†subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.²

+arrayº
8
+6
+4#/definitions/io.k8s.api.flowcontrol.v1beta1.Subjectú
#
+x-kubernetes-list-type	atomic
+
+ 
+nonResourceRules‹"�
`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.²

+arrayº
F
+D
+B#/definitions/io.k8s.api.flowcontrol.v1beta1.NonResourcePolicyRuleú
#
+x-kubernetes-list-type	atomic
+
+·	
+/io.k8s.api.policy.v1beta1.PodSecurityPolicyListƒ	"=PodSecurityPolicyList is a list of PodSecurityPolicy objects.š
items²

+objectÊ
Ä
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+w
+itemsn""items is a list of schema objects.²

+arrayº
=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ë

+metadata¾

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
f
+x-kubernetes-group-version-kindCA- version: v1beta1
+  group: policy
+  kind: PodSecurityPolicyList
+
+å.
+/io.k8s.api.policy.v1beta1.PodSecurityPolicySpec±."2PodSecurityPolicySpec defines the policy enforced.š
seLinuxš
	runAsUserš
supplementalGroupsš
fsGroup²

+objectÊ
¹-
+¤

+allowPrivilegeEscalation‡
"yallowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.²
	
+boolean
+·
+allowedFlexVolumes "Ó
allowedFlexVolumes is an allowlist of Flexvolumes.  Empty or nil indicates that all Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.²

+arrayº
=
+;
+9#/definitions/io.k8s.api.policy.v1beta1.AllowedFlexVolume
+¿

+allowedHostPathsª
"`allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.²

+arrayº
;
+9
+7#/definitions/io.k8s.api.policy.v1beta1.AllowedHostPath
+’
+defaultAddCapabilities÷"ÚdefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.²

+arrayº

+²

+string
+·

+defaultAllowPrivilegeEscalation“
"„
defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.²
	
+boolean
+�
+forbiddenSysctlsø"ÛforbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+
+Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.²

+arrayº

+²

+string
+p
+hostNetworka"ShostNetwork determines if the policy allows the use of HostNetwork in the pod spec.²
	
+boolean
+_
+
+privilegedQ"Cprivileged determines if a pod can request to be run as privileged.²
	
+boolean
+ö
+readOnlyRootFilesystemÛ"ÌreadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.²
	
+boolean
+Í
+runtimeClass¼
+C#/definitions/io.k8s.api.policy.v1beta1.RuntimeClassStrategyOptions"ô
runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled.
+¥

+volumes™
"}volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.²

+arrayº

+²

+string
+²
+allowedCapabilitiesš"ý
allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.²

+arrayº

+²

+string
+î
+allowedUnsafeSysctlsÕ"¸allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
+
+Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.²

+arrayº

+²

+string
+¥

+fsGroup™

+>#/definitions/io.k8s.api.policy.v1beta1.FSGroupStrategyOptions"WfsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+d
+hostPIDY"KhostPID determines if the policy allows the use of HostPID in the pod spec.²
	
+boolean
+œ

+	hostPortsŽ
"FhostPorts determines which host port ranges are allowed to be exposed.²

+arrayº
9
+7
+5#/definitions/io.k8s.api.policy.v1beta1.HostPortRange
+­

+	runAsUserŸ

+@#/definitions/io.k8s.api.policy.v1beta1.RunAsUserStrategyOptions"[runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
+�

+seLinux‘

+>#/definitions/io.k8s.api.policy.v1beta1.SELinuxStrategyOptions"OseLinux is the strategy that will dictate the allowable labels that may be set.
+Ò

+supplementalGroups»

+I#/definitions/io.k8s.api.policy.v1beta1.SupplementalGroupsStrategyOptions"nsupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+”
+allowedCSIDriversþ"²AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is a beta field, and is only honored if the API server enables the CSIInlineVolume feature gate.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.policy.v1beta1.AllowedCSIDriver
+´
+
+runAsGroup¥
+A#/definitions/io.k8s.api.policy.v1beta1.RunAsGroupStrategyOptions"ß
RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled.
+ú

+allowedProcMountTypesà
"Ã
AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.²

+arrayº

+²

+string
+d
+hostIPCY"KhostIPC determines if the policy allows the use of HostIPC in the pod spec.²
	
+boolean
+Ç

+requiredDropCapabilitiesª
"�
requiredDropCapabilities are the capabilities that will be dropped from the container.  These are required to be dropped and cannot be added.²

+arrayº

+²

+string
+â
+Hio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceStatus•"AAPIServiceStatus contains derived information about an API server²

+objectÊ
Ã
+À
+
+conditions±"$Current service state of apiService.²

+arrayº
]
+[
+Y#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceConditionú
 
+x-kubernetes-list-typemap
+ú
'
+x-kubernetes-patch-merge-keytype
+ú
'
+x-kubernetes-patch-strategymerge
+ú
'
+x-kubernetes-list-map-keys	- type
+
+ÿ	
+%io.k8s.api.core.v1.CephFSVolumeSourceÕ	"�
Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.š
monitors²

+objectÊ
«
+˜

+user�
"�
Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it²

+string
+¦

+monitors™
"}Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it²

+arrayº

+²

+string
+e
+path]"POptional: Used as the mounted root, rather than the full Ceph tree, default is /²

+string
+Î

+readOnlyÁ
"²
Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it²
	
+boolean
+¾

+
+secretFile¯
"¡
Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it²

+string
+ë

+	secretRefÝ

+5#/definitions/io.k8s.api.core.v1.LocalObjectReference"£
Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ú
+(io.k8s.api.core.v1.ConfigMapVolumeSourceÍ"ÅAdapts a ConfigMap into a volume.
+
+The contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.²

+objectÊ
ö	
+ê
+defaultModeÚint32"ÄOptional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.²
	
+integer
+ª
+items "âIf unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.KeyToPath
+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+S
+optionalG"9Specify whether the ConfigMap or its keys must be defined²
	
+boolean
+�=
+io.k8s.api.core.v1.Containerî<"AA single application container that you want to run within a pod.š
name²

+objectÊ
•<
+‚
+
livenessProbeð

+&#/definitions/io.k8s.api.core.v1.Probe"Å
Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+¡
+readinessProbeŽ
+&#/definitions/io.k8s.api.core.v1.Probe"ã
Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+â

+	resourcesÔ

+5#/definitions/io.k8s.api.core.v1.ResourceRequirements"š
Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+�
+securityContextü

+0#/definitions/io.k8s.api.core.v1.SecurityContext"Ç
Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+Ô
+startupProbeÃ
+&#/definitions/io.k8s.api.core.v1.Probe"˜StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+Å
+terminationMessagePathª"œOptional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.²

+string
+ñ

+volumeMountsà
"HPod volumes to mount into the container's filesystem. Cannot be updated.²

+arrayº
0
+.
+,#/definitions/io.k8s.api.core.v1.VolumeMountú
,
+x-kubernetes-patch-merge-key
+mountPath
+ú
'
+x-kubernetes-patch-strategymerge
+
+Ö
+envFromÊ"ˆList of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.²

+arrayº
2
+0
+.#/definitions/io.k8s.api.core.v1.EnvFromSource
+Ï

+stdinÅ
"¶
Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.²
	
+boolean
+�

+ttyz"lWhether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.²
	
+boolean
+ó

+
volumeDevicesá
"GvolumeDevices is the list of block devices to be used by the container.²

+arrayº
1
+/
+-#/definitions/io.k8s.api.core.v1.VolumeDeviceú
-
+x-kubernetes-patch-merge-key
devicePath
+ú
'
+x-kubernetes-patch-strategymerge
+
+À

+
+workingDir±
"£
Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.²

+string
+�
+imageƒ"õ
Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.²

+string
+ß

+env×
"IList of environment variables to set in the container. Cannot be updated.²

+arrayº
+
+)
+'#/definitions/io.k8s.api.core.v1.EnvVarú
'
+x-kubernetes-patch-merge-keyname
+ú
'
+x-kubernetes-patch-strategymerge
+
+¨

+	lifecycleš

+*#/definitions/io.k8s.api.core.v1.Lifecycle"lActions that the management system should take in response to container lifecycle events. Cannot be updated.
+•

+nameŒ
"Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.²

+string
+û
+commandï"ÒEntrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell²

+arrayº

+²

+string
+‡
+imagePullPolicyó
"å
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images²

+string
+”
+portsŠ"ŠList of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.²

+arrayº
2
+0
+.#/definitions/io.k8s.api.core.v1.ContainerPortú
;
+x-kubernetes-list-map-keys- containerPort
+- protocol
+ú
 
+x-kubernetes-list-typemap
+ú
0
+x-kubernetes-patch-merge-keycontainerPort
+ú
'
+x-kubernetes-patch-strategymerge
+
+×
+	stdinOnceÉ"ºWhether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false²
	
+boolean
+æ
+terminationMessagePolicyÉ"»Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.²

+string
+ß
+argsÖ"¹Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell²

+arrayº

+²

+string
+Ê
+ io.k8s.api.core.v1.NamespaceSpec¥"6NamespaceSpec describes the attributes on a Namespace.²

+objectÊ
Þ

+Û

+
+finalizersÌ
"¯
Finalizers is an opaque list of values that must be empty to permanently remove object from storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/²

+arrayº

+²

+string
+Ì
+%io.k8s.api.networking.v1.IngressClass¢"óIngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.²

+objectÊ
·
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+â

+specÙ

+7#/definitions/io.k8s.api.networking.v1.IngressClassSpec"�
Spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
c
+x-kubernetes-group-version-kind@>- version: v1
+  group: networking.k8s.io
+  kind: IngressClass
+
+Ò	
+io.k8s.api.rbac.v1beta1.Role±	"Ò
Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.²

+objectÊ
â
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+y
+rulesp"-Rules holds all the PolicyRules for this Role²

+arrayº
4
+2
+0#/definitions/io.k8s.api.rbac.v1beta1.PolicyRuleú
h
+x-kubernetes-group-version-kindEC- kind: Role
+  version: v1beta1
+  group: rbac.authorization.k8s.io
+
+Ï
+$io.k8s.api.batch.v1beta1.CronJobSpec¦"YCronJobSpec describes how the job execution will look like and when it will actually run.š
scheduleš
jobTemplate²

+objectÊ
£
+
+¿

+successfulJobsHistoryLimit 
int32"Š
The number of successful finished jobs to retain. This is a pointer to distinguish between explicit zero and not specified. Defaults to 3.²
	
+integer
+ 

+suspend”
"…
This flag tells the controller to suspend subsequent executions, it does not apply to already started executions.  Defaults to false.²
	
+boolean
+Ì
+concurrencyPolicy¶"¨Specifies how to treat concurrent executions of a Job. Valid values are: - "Allow" (default): allows CronJobs to run concurrently; - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - "Replace": cancels currently running job and replaces it with a new one²

+string
+·

+failedJobsHistoryLimitœ
int32"†
The number of failed finished jobs to retain. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.²
	
+integer
+‰

+jobTemplatez
+6#/definitions/io.k8s.api.batch.v1beta1.JobTemplateSpec"@Specifies the job that will be created when executing a CronJob.
+]
+scheduleQ"DThe schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.²

+string
+Ç

+startingDeadlineSeconds«
int64"•
Optional deadline in seconds for starting the job if it misses scheduled time for any reason.  Missed jobs executions will be counted as failed ones.²
	
+integer
+Î
+%io.k8s.api.core.v1.ConfigMapEnvSource¤"Â
ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.
+
+The contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.²

+objectÊ
Ð

+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+G
+optional;"-Specify whether the ConfigMap must be defined²
	
+boolean
+Ì
+io.k8s.api.core.v1.VolumeMount©"@VolumeMount describes a mounting of a Volume within a container.š
nameš
	mountPath²

+objectÊ
Å
+:
+name2"%This must match the Name of a Volume.²

+string
+t
+readOnlyh"ZMounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.²
	
+boolean
+ƒ

+subPathx"kPath within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).²

+string
+¿
+subPathExpr¯"¡Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.²

+string
+q
+	mountPathd"WPath within the container at which the volume should be mounted.  Must not contain ':'.²

+string
+Õ

+mountPropagationÀ
"²
mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.²

+string
+´
+.io.k8s.api.networking.v1.IngressServiceBackend�"CIngressServiceBackend references a Kubernetes Service as a Backend.š
name²

+objectÊ
¦
+x
+namep"cName is the referenced service. The service must exist in the same namespace as the Ingress object.²

+string
+©

+port 

+9#/definitions/io.k8s.api.networking.v1.ServiceBackendPort"cPort of the referenced service. A port name or port number is required for a IngressServiceBackend.
+·
+1io.k8s.api.storage.v1beta1.VolumeAttachmentSource�"Ý
VolumeAttachmentSource represents a volume that should be attached. Right now only PersistenVolumes can be attached via external attacher, in future we may allow also inline volumes in pods. Exactly one member can be set.²

+objectÊ
’
+À
+inlineVolumeSpec«
+5#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"ñinlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature.
+M
+persistentVolumeName5"(Name of the persistent volume to attach.²

+string
+£
+Zio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionConditionÄ"YCustomResourceDefinitionCondition contains details for the current condition of this pod.š
typeš
status²

+objectÊ
Ê
+e
+messageZ"Mmessage is a human-readable message indicating details about last transition.²

+string
+j
+reason`"Sreason is a unique, one-word, CamelCase reason for the condition's last transition.²

+string
+Z
+statusP"Cstatus is the status of the condition. Can be True, False, Unknown.²

+string
+q
+typei"\type is the type of the condition. Types include Established, NamesAccepted and Terminating.²

+string
+¥

+lastTransitionTimeŽ

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"SlastTransitionTime last time the condition transitioned from one status to another.
+ö6
+%io.k8s.api.core.v1.EphemeralContainerÌ6"ƒAn EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag.š
name²

+objectÊ
°1
+Ö
+envFromÊ"ˆList of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.²

+arrayº
2
+0
+.#/definitions/io.k8s.api.core.v1.EnvFromSource
+‡
+imagePullPolicyó
"å
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images²

+string
+©

+name 
"’
Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.²

+string
+
+securityContextl
+0#/definitions/io.k8s.api.core.v1.SecurityContext"8SecurityContext is not allowed for ephemeral containers.
+í
+targetContainerNameÕ"ÇIf set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature.²

+string
+ó

+
volumeDevicesá
"GvolumeDevices is the list of block devices to be used by the container.²

+arrayº
1
+/
+-#/definitions/io.k8s.api.core.v1.VolumeDeviceú
-
+x-kubernetes-patch-merge-key
devicePath
+ú
'
+x-kubernetes-patch-strategymerge
+
+ß
+argsÖ"¹Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell²

+arrayº

+²

+string
+û
+commandï"ÒEntrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell²

+arrayº

+²

+string
+À

+
+workingDir±
"£
Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.²

+string
+Á

+	resources³

+5#/definitions/io.k8s.api.core.v1.ResourceRequirements"zResources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.
+j
+startupProbeZ
+&#/definitions/io.k8s.api.core.v1.Probe"0Probes are not allowed for ephemeral containers.
+ñ

+volumeMountsà
"HPod volumes to mount into the container's filesystem. Cannot be updated.²

+arrayº
0
+.
+,#/definitions/io.k8s.api.core.v1.VolumeMountú
,
+x-kubernetes-patch-merge-key
+mountPath
+ú
'
+x-kubernetes-patch-strategymerge
+
+ß

+env×
"IList of environment variables to set in the container. Cannot be updated.²

+arrayº
+
+)
+'#/definitions/io.k8s.api.core.v1.EnvVarú
'
+x-kubernetes-patch-merge-keyname
+ú
'
+x-kubernetes-patch-strategymerge
+
+l
+readinessProbeZ
+&#/definitions/io.k8s.api.core.v1.Probe"0Probes are not allowed for ephemeral containers.
+Ï

+stdinÅ
"¶
Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.²
	
+boolean
+×
+	stdinOnceÉ"ºWhether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false²
	
+boolean
+æ
+terminationMessagePolicyÉ"»Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.²

+string
+�

+ttyz"lWhether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.²
	
+boolean
+m
+	lifecycle`
+*#/definitions/io.k8s.api.core.v1.Lifecycle"2Lifecycle is not allowed for ephemeral containers.
+k
+
livenessProbeZ
+&#/definitions/io.k8s.api.core.v1.Probe"0Probes are not allowed for ephemeral containers.
+Å
+terminationMessagePathª"œOptional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.²

+string
+i
+image`"SDocker image name. More info: https://kubernetes.io/docs/concepts/containers/images²

+string
+y
+portsp"/Ports are not allowed for ephemeral containers.²

+arrayº
2
+0
+.#/definitions/io.k8s.api.core.v1.ContainerPort
+·
+'io.k8s.api.core.v1.LocalObjectReference‹"sLocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.²

+objectÊ
‡

+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+°
+Bio.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationReferenceé
"jPriorityLevelConfigurationReference contains information that points to the "request-priority" being used.š
name²

+objectÊ
h
+f
+name^"Q`name` is the name of the priority level configuration being referenced Required.²

+string
+¹
+#io.k8s.api.rbac.v1beta1.RoleBinding‘
"¨RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.š
roleRef²

+objectÊ
Û
+‰

+subjects}"=Subjects holds references to the objects the role applies to.²

+arrayº
1
+/
+-#/definitions/io.k8s.api.rbac.v1beta1.Subject
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+å

+roleRefÙ

+-#/definitions/io.k8s.api.rbac.v1beta1.RoleRef"§
RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.ú
o
+x-kubernetes-group-version-kindLJ- group: rbac.authorization.k8s.io
+  kind: RoleBinding
+  version: v1beta1
+
+–
+2io.k8s.apimachinery.pkg.apis.meta.v1.Preconditionsß
"ZPreconditions must be fulfilled before an operation (update, delete, etc.) is carried out.²

+objectÊ
u
+-
+uid&"Specifies the target UID.²

+string
+D
+resourceVersion1"$Specifies the target ResourceVersion²

+string
+ç
+io.k8s.api.core.v1.ConfigMapÆ"7ConfigMap holds configuration data for pods to consume.²

+objectÊ
ª
+˜
+
+binaryData‰"åBinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet.ª

+byte²

+string²

+object
+Ï
+dataÆ"¨Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.ª

+²

+string²

+object
+è

+	immutableÚ
"Ë
Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.²
	
+boolean
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
Q
+x-kubernetes-group-version-kind.,- group: ""
+  kind: ConfigMap
+  version: v1
+
+Ó
+1io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource�"%Represents a vSphere volume resource.š

+volumePath²

+objectÊ
Ú
+À

+fsTypeµ
"§
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.²

+string
+x
+storagePolicyIDe"XStorage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.²

+string
+V
+storagePolicyNameA"4Storage Policy Based Management (SPBM) profile name.²

+string
+C
+
+volumePath5"(Path that identifies vSphere volume vmdk²

+string
+´
+4io.k8s.api.core.v1.PersistentVolumeClaimVolumeSourceû"žPersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).š
	claimName²

+objectÊ
¿
+á

+	claimNameÓ
"Å
ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims²

+string
+Y
+readOnlyM"?Will force the ReadOnly setting in VolumeMounts. Default false.²
	
+boolean
+°
+)io.k8s.api.networking.v1.IngressClassSpec‚"DIngressClassSpec provides information about the class of an Ingress.²

+objectÊ
­
+¦
+
+controller—"‰Controller refers to the name of the controller that should handle this class. This allows for different "flavors" that are controlled by the same controller. For example, you may have different Parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. "acme.io/ingress-controller". This field is immutable.²

+string
+�
+
+parametersò

+F#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference"§
Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters.
+¬
+;io.k8s.api.admissionregistration.v1beta1.RuleWithOperationsì
"‚
RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.²

+objectÊ
Ø
+´

+	apiGroups¦
"‰
APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.²

+arrayº

+²

+string
+¼

+apiVersions¬
"�
APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.²

+arrayº

+²

+string
+ 
+
+operations‘"ô
Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.²

+arrayº

+²

+string
+–
+	resourcesˆ"ëResources is a list of resources this rule applies to.
+
+For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.
+
+If wildcard is present, the validation rule will ensure resources do not overlap with each other.
+
+Depending on the enclosing object, subresources might not be allowed. Required.²

+arrayº

+²

+string
+£
+scope™"‹scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".²

+string
+²
+ io.k8s.api.core.v1.NodeCondition�"8NodeCondition contains condition information for a node.š
typeš
status²

+objectÊ
´
+,
+type$"Type of node condition.²

+string
+€

+lastHeartbeatTimek
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"0Last time we got an update on a given condition.
+Œ

+lastTransitionTimev
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time";Last time the condition transit from one status to another.
+X
+messageM"@Human readable message indicating details about last transition.²

+string
+J
+reason@"3(brief) reason for the condition's last transition.²

+string
+L
+statusB"5Status of the condition, one of True, False, Unknown.²

+string
+Ú
+8io.k8s.api.authorization.v1beta1.SubjectAccessReviewSpec�"¢
SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set²

+objectÊ
é
+Æ

+extra¼
"�
Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer it needs a reflection here.ª

+²

+arrayº

+²

+string²

+object
+M
+groupD"(Groups is the groups you're testing for.²

+arrayº

+²

+string
+¯

+nonResourceAttributes•

+D#/definitions/io.k8s.api.authorization.v1beta1.NonResourceAttributes"MNonResourceAttributes describes information for a non-resource access request
+¯

+resourceAttributes˜

+A#/definitions/io.k8s.api.authorization.v1beta1.ResourceAttributes"SResourceAuthorizationAttributes describes information for a resource access request
+>
+uid7"*UID information about the requesting user.²

+string
+ª

+user¡
"“
User is the user you're testing for. If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups²

+string
+â
+io.k8s.api.rbac.v1.RoleRefÃ"?RoleRef contains information that points to the role being usedš
apiGroupš
kindš
name²

+objectÊ
Ú

+P
+apiGroupD"7APIGroup is the group for the resource being referenced²

+string
+B
+kind:"-Kind is the type of resource being referenced²

+string
+B
+name:"-Name is the name of resource being referenced²

+string
+›,
+#io.k8s.api.storage.v1.CSIDriverSpecó+"2CSIDriverSpec is the specification of a CSIDriver.²

+objectÊ
°+
+€
+storageCapacityì"ÝIf set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information.
+
+The check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.
+
+Alternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.
+
+This field is immutable.
+
+This is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.²
	
+boolean
+å
+
tokenRequestsÓ"éTokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: "csi.storage.k8s.io/serviceAccount.tokens": {
+  "<audience>": {
+    "token": <token>,
+    "expirationTimestamp": <expiration timestamp in RFC3339>,
+  },
+  ...
+}
+
+Note: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.
+
+This is a beta feature and only available when the CSIServiceAccountToken feature is enabled.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.storage.v1.TokenRequestú
#
+x-kubernetes-list-type	atomic
+
+ê
+volumeLifecycleModesÑ"‘volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta.
+
+This field is immutable.²

+arrayº

+²

+stringú
 
+x-kubernetes-list-typeset
+
+É
+attachRequired¶"§attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.
+
+This field is immutable.²
	
+boolean
+Û
+
fsGroupPolicyÉ"»Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate.
+
+This field is immutable.²

+string
+©
+podInfoOnMount–"‡If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. "csi.storage.k8s.io/pod.name": pod.Name "csi.storage.k8s.io/pod.namespace": pod.Namespace "csi.storage.k8s.io/pod.uid": string(pod.UID) "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
+                                defined by a CSIVolumeSource, otherwise "false"
+
+"csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.
+
+This field is immutable.²
	
+boolean
+ÿ
+requiresRepublishé"ÚRequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.
+
+Note: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.
+
+This is a beta feature and only available when the CSIServiceAccountToken feature is enabled.²
	
+boolean
+ì

+Nio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation™
"YExternalDocumentation allows referencing an external resource for extended documentation.²

+objectÊ
0
+
+url²

+string
+
+description²

+string
+ƒ
+Jio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion´"<WebhookConversion describes how to call a conversion webhookš
conversionReviewVersions²

+objectÊ
Ì
+Å

+clientConfig´

+Z#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig"VclientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
+�
+conversionReviewVersionsä"ÇconversionReviewVersions is an ordered list of preferred `ConversionReview` versions the Webhook expects. The API server will use the first version in the list which it supports. If none of the versions specified in this list are supported by API server, conversion will fail for the custom resource. If a persisted Webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail.²

+arrayº

+²

+string
+Ü
+3io.k8s.api.authorization.v1.SelfSubjectAccessReview¤"ö
SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a spec.namespace means "in all namespaces".  Self is a special case, because users should always be able to check whether they can perform an actionš
spec²

+objectÊ
¡
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+ª

+spec¡

+E#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec"XSpec holds information about the request being evaluated.  user and groups must be empty
+§

+statusœ

+C#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or notú
q
+x-kubernetes-group-version-kindNL- group: authorization.k8s.io
+  kind: SelfSubjectAccessReview
+  version: v1
+
+Ý
+<io.k8s.api.authorization.v1beta1.SelfSubjectAccessReviewSpecœ"¦
SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set²

+objectÊ
ä
+¯

+nonResourceAttributes•

+D#/definitions/io.k8s.api.authorization.v1beta1.NonResourceAttributes"MNonResourceAttributes describes information for a non-resource access request
+¯

+resourceAttributes˜

+A#/definitions/io.k8s.api.authorization.v1beta1.ResourceAttributes"SResourceAuthorizationAttributes describes information for a resource access request
+¯	
+$io.k8s.api.discovery.v1.EndpointPort†	"7EndpointPort represents a Port used by an EndpointSlice²

+objectÊ
¾
+Ù
+appProtocolÉ"»The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.²

+string
+Å
+name¼"®The name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string.²

+string
+³

+portª
int32"”
The port number of the endpoint. If this is not specified, ports are not restricted and must be interpreted in the context of the specific consumer.²
	
+integer
+b
+protocolV"IThe IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.²

+string
+—
+)io.k8s.api.apps.v1.RollingUpdateDaemonSeté"BSpec to control the desired behavior of daemon set rolling update.²

+objectÊ
–
+×
+
+maxSurgeÊ
+
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"ˆ
+The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediatedly created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption. This is an alpha field and requires enabling DaemonSetUpdateSurge feature gate.
+¹
+maxUnavailable¦
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"äThe maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding down to a minimum of one. This cannot be 0 if MaxSurge is 0 Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.
+Í
+/io.k8s.api.autoscaling.v2beta2.HPAScalingPolicy™"WHPAScalingPolicy is a single policy which must hold true for a specified past interval.š
typeš
valueš

periodSeconds²

+objectÊ
’
+Ê

+
periodSeconds¸
int32"¢
PeriodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).²
	
+integer
+@
+type8"+Type is used to specify the scaling policy.²

+string
+€

+valuewint32"bValue contains the amount of change which is permitted by the policy. It must be greater than zero²
	
+integer
+ž
+3io.k8s.api.policy.v1beta1.RunAsGroupStrategyOptionsæ"`RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.š
rule²

+objectÊ
î
+ý

+rangesò
"¯
ranges are the allowed ranges of gids that may be used. If you would like to force a single gid then supply a single range with the same start and end. Required for MustRunAs.²

+arrayº
3
+1
+/#/definitions/io.k8s.api.policy.v1beta1.IDRange
+l
+ruled"Wrule is the strategy that will dictate the allowable RunAsGroup values that may be set.²

+string
+ª
+Aio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceListä"/APIServiceList is a list of APIService objects.š
items²

+objectÊ
¯
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+e
+items\²

+arrayº
O
+M
+K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+I
+metadata=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaú
j
+x-kubernetes-group-version-kindGE- group: apiregistration.k8s.io
+  kind: APIServiceList
+  version: v1
+
+Ò
+3io.k8s.api.autoscaling.v2beta1.ExternalMetricSourceš"ù
ExternalMetricSource indicates how to scale on a metric not associated with any Kubernetes object (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster). Exactly one "target" type should be set.š

+metricName²

+objectÊ
‚
+L
+
+metricName>"1metricName is the name of the metric in question.²

+string
+§

+metricSelector”

+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"PmetricSelector is used to identify a specific time series within a given metric.
+Ë

+targetAverageValue´

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"utargetAverageValue is the target per-pod value of global metric (as a quantity). Mutually exclusive with TargetValue.
+¹

+targetValue©

+;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"jtargetValue is the target value of the metric (as a quantity). Mutually exclusive with TargetAverageValue.
+Ï
+*io.k8s.api.networking.v1.NetworkPolicyPort "6NetworkPolicyPort describes a port to allow traffic on²

+objectÊ
Ù
+™
+endPort�int32"÷If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Alpha state and should be enabled using the Feature Gate "NetworkPolicyEndPort".²
	
+integer
+¶
+port­
+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"ë
The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
+�

+protocolu"hThe protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.²

+string
+ý
+io.k8s.api.core.v1.Taintà"`The node this Taint is attached to has the "effect" on any pod that does not tolerate the Taint.š
keyš
effect²

+objectÊ
à
+ 

+effect•
"‡
Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.²

+string
+D
+key="0Required. The taint key to be applied to a node.²

+string
+­

+	timeAddedŸ

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"dTimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.
+E
+value<"/The taint value corresponding to the taint key.²

+string
+°
+)io.k8s.api.discovery.v1.EndpointSliceList‚"6EndpointSliceList represents a list of endpoint slicesš
items²

+objectÊ
É
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+f
+items]"List of endpoint slices²

+arrayº
7
+5
+3#/definitions/io.k8s.api.discovery.v1.EndpointSlice
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+b
+metadataV
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.ú
g
+x-kubernetes-group-version-kindDB- group: discovery.k8s.io
+  kind: EndpointSliceList
+  version: v1
+
+�
++io.k8s.api.extensions.v1beta1.IngressStatusÑ
"8IngressStatus describe the current state of the Ingress.²

+objectÊ
ˆ

+…

+loadBalanceru
+3#/definitions/io.k8s.api.core.v1.LoadBalancerStatus">LoadBalancer contains the current status of the load-balancer.
+˜
+5io.k8s.api.authorization.v1.SubjectAccessReviewStatusÞ"SubjectAccessReviewStatusš
allowed²

+objectÊ
ª
+c
+allowedX"JAllowed is required. True if the action would be allowed, false otherwise.²
	
+boolean
+‚
+denied÷
"è
Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.²
	
+boolean
+Þ
+evaluationErrorÊ"¼EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.²

+string
+]
+reasonS"FReason is optional.  It indicates why a request was allowed or denied.²

+string
+—
+"io.k8s.api.core.v1.TCPSocketActionð"=TCPSocketAction describes an action based on opening a socketš
port²

+objectÊ
›
+Ç

+port¾

+=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
+O
+hostG":Optional: Host name to connect to, defaults to the pod IP.²

+string
+³
+]io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionVersionÑ"<CustomResourceDefinitionVersion describes a version for CRD.š
nameš
servedš
storage²

+objectÊ
ê
+ƒ
+schemaø
+d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceValidation"�schema describes the schema used for validation and pruning of this version of the custom resource. Top-level and per-version schemas are mutually exclusive. Per-version schemas must not all be set to identical values (top-level validation schema should be used instead).
+h
+served^"Pserved is a flag enabling/disabling this version from being served via REST APIs²
	
+boolean
+ª

+storagež
"�
storage indicates this version should be used when persisting custom resources to storage. There must be exactly one version with storage=true.²
	
+boolean
+…
+subresourcesô
+f#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresources"‰subresources specify what subresources this version of the defined custom resource have. Top-level and per-version subresources are mutually exclusive. Per-version subresources must not all be set to identical values (top-level subresources should be used instead).
+ñ
+additionalPrinterColumnsÔ"ÖadditionalPrinterColumns specifies additional columns returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. Top-level and per-version columns are mutually exclusive. Per-version columns must not all be set to identical values (top-level columns should be used instead). If no top-level or per-version columns are specified, a single column displaying the age of the custom resource is used.²

+arrayº
n
+l
+j#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceColumnDefinition
+Ü

+
+deprecatedÍ
"¾
deprecated indicates this version of the custom resource API is deprecated. When set to true, API requests to this version receive a warning header in the server response. Defaults to false.²
	
+boolean
+°
+deprecationWarning™"‹deprecationWarning overrides the default warning returned to API clients. May only be set when `deprecated` is true. The default warning indicates this version is deprecated and recommends use of the newest served version of equal or greater stability, if one exists.²

+string
+¼

+name³
"¥
name is the version name, e.g. “v1â€�, “v2beta1â€�, etc. The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.²

+string
+é
++io.k8s.api.flowcontrol.v1beta1.GroupSubject¹"?GroupSubject holds detailed information for group-kind subject.š
name²

+objectÊ
â

+ß

+nameÖ
"È
name is the user group that matches, or "*" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.²

+string
+Ú

++io.k8s.api.policy.v1beta1.AllowedFlexVolumeª
"LAllowedFlexVolume represents a single Flexvolume that is allowed to be used.š
driver²

+objectÊ
E
+C
+driver9",driver is the name of the Flexvolume driver.²

+string
+�
+1io.k8s.api.core.v1.PersistentVolumeClaimConditionÙ"BPersistentVolumeClaimCondition contails details about state of pvcš
typeš
status²

+objectÊ
ö
+n
+
lastProbeTime]
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time""Last time we probed the condition.
+‘

+lastTransitionTime{
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another.
+X
+messageM"@Human-readable message indicating details about last transition.²

+string
+é

+reasonÞ
"Ð
Unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized.²

+string
+
+status²

+string
+
+type²

+string
+Ú
+
+io.k8s.api.core.v1.Toleration¸
+"�
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.²

+objectÊ
™	
+¸

+effect­
"Ÿ
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.²

+string
+Ó

+keyË
"½
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.²

+string
+ö

+operatoré
"Û
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.²

+string
+ç
+tolerationSecondsÑint64"»TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.²
	
+integer
+¢

+value˜
"Š
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.²

+string
+±
+,io.k8s.api.core.v1.ReplicationControllerSpec€"KReplicationControllerSpec is the specification of a replication controller.²

+objectÊ
¤
+
+ƒ
+minReadySecondsï
int32"Ù
Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)²
	
+integer
+ 
+replicas“int32"ý
Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller²
	
+integer
+¸
+selector«"�Selector is a label query over pods that should match the Replicas count. If Selector is empty, it is defaulted to the labels present on the Pod template. Label keys and values that must match in order to be controlled by this replication controller, if empty defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsª

+²

+string²

+object
+½
+template°
+0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"û
Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+Ê

+io.k8s.api.core.v1.Sysctl¬
"+Sysctl defines a kernel parameter to be setš
nameš
value²

+objectÊ
b
+0
+value'"Value of a property to set²

+string
+.
+name&"Name of a property to set²

+string
+Ž
++io.k8s.api.core.v1.TopologySpreadConstraintÞ"XTopologySpreadConstraint specifies how to spread matching pods among the given topology.š
maxSkewš
topologyKeyš
whenUnsatisfiable²

+objectÊ
É
+Ì
+maxSkewÀint32"ªMaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | |   P   |   P   |       | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.²
	
+integer
+§
+topologyKey—"‰TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each <key, value> as a "bucket", and try to put balanced number of pods into each bucket. It's a required field.²

+string
+Ï
+whenUnsatisfiable¹"«WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+  but giving higher precedence to topologies that would help reduce the
+  skew.
+A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assigment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P |   P   |   P   | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.²

+string
+û

+
labelSelectoré

+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"¤
LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.
+ˆ

+.io.k8s.apimachinery.pkg.apis.meta.v1.MicroTimeV	date-time">MicroTime is version of Time with microsecond level precision.²

+string
+„
+io.k8s.api.core.v1.KeyToPathã",Maps a string key to a path within a volume.š
keyš
path²

+objectÊ
™
+'
+key "The key to project.²

+string
+»
+mode²int32"œOptional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.²
	
+integer
+¯

+path¦
"˜
The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.²

+string
+”
+%io.k8s.api.core.v1.NamespaceConditionê"=NamespaceCondition contains details about state of namespace.š
typeš
status²

+objectÊ
Œ
+
+message²

+string
+
+reason²

+string
+L
+statusB"5Status of the condition, one of True, False, Unknown.²

+string
+<
+type4"'Type of namespace controller condition.²

+string
+O
+lastTransitionTime9
+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time
+á	
+&io.k8s.api.core.v1.ComponentStatusList¶	"�
Status of all the conditions for the component as a list of ComponentStatus objects. Deprecated: This API is deprecated in v1.19+š
items²

+objectÊ
½
+l
+itemsc" List of ComponentStatus objects.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.ComponentStatus
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
[
+x-kubernetes-group-version-kind86- group: ""
+  kind: ComponentStatusList
+  version: v1
+
+Â
+(io.k8s.api.core.v1.PersistentVolumeClaim•"NPersistentVolumeClaim is a user's request for and claim to a persistent volume²

+objectÊ
Ö
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ø

+specï

+:#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimSpec"°
Spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+†
+statusû

+<#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimStatus"º
Status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsú
]
+x-kubernetes-group-version-kind:8- kind: PersistentVolumeClaim
+  version: v1
+  group: ""
+
+�
+(io.k8s.api.extensions.v1beta1.IngressTLSâ"MIngressTLS describes the transport layer security associated with an Ingress.²

+objectÊ
„
+š
+hosts�"ó
Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.²

+arrayº

+²

+string
+ä
+
+secretNameÕ"ÇSecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.²

+string
+Ÿ
+-io.k8s.api.networking.v1.HTTPIngressRuleValueí"£HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.š
paths²

+objectÊ
°

+­

+paths£
"4A collection of paths that map requests to backends.²

+arrayº
:
+8
+6#/definitions/io.k8s.api.networking.v1.HTTPIngressPathú
#
+x-kubernetes-list-type	atomic
+
+™
+1io.k8s.api.policy.v1beta1.PodDisruptionBudgetListã"@PodDisruptionBudgetList is a collection of PodDisruptionBudgets.š
items²

+objectÊ
Ÿ
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+U
+itemsL²

+arrayº
?
+=
+;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+I
+metadata=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaú
h
+x-kubernetes-group-version-kindEC- kind: PodDisruptionBudgetList
+  version: v1beta1
+  group: policy
+
+Õ
+Qio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversionÿ"MCustomResourceConversion describes how to convert different versions of a CR.š
strategy²

+objectÊ
–
+Å
+strategy¸"ªstrategy specifies how custom resources are converted between versions. Allowed values are: - `None`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `Webhook`: API Server will call to an external webhook to do the conversion. Additional information
+  is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.²

+string
+Ë

+webhook¿

+X#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion"cwebhook describes how to call the conversion webhook. Required when `strategy` is set to `Webhook`.
+Æ	
+%io.k8s.api.coordination.v1beta1.Leaseœ	"Lease defines a lease concept.²

+objectÊ
‡
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+µ

+metadata¨

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ï

+specÆ

+7#/definitions/io.k8s.api.coordination.v1beta1.LeaseSpec"Š
Specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+stringú
c
+x-kubernetes-group-version-kind@>- group: coordination.k8s.io
+  kind: Lease
+  version: v1beta1
+
+Ÿ
+(io.k8s.api.core.v1.AzureDiskVolumeSourceò"TAzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.š
diskNameš
diskURI²

+objectÊ
ø
+À

+fsTypeµ
"§
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.²

+string
+à

+kind×
"É
Expected values Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared²

+string
+x
+readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.²
	
+boolean
+K
+cachingMode<"/Host Caching mode: None, Read Only, Read Write.²

+string
+F
+diskName:"-The Name of the data disk in the blob storage²

+string
+A
+diskURI6")The URI the data disk in the blob storage²

+string
+û
+)io.k8s.api.autoscaling.v2beta1.MetricSpecÍ"|MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).š
type²

+objectÊ
¹
+Â

+object·

+?#/definitions/io.k8s.api.autoscaling.v2beta1.ObjectMetricSource"tobject refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).
+•
+podsŒ
+=#/definitions/io.k8s.api.autoscaling.v2beta1.PodsMetricSource"Ê
pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.
+™
+resourceŒ
+A#/definitions/io.k8s.api.autoscaling.v2beta1.ResourceMetricSource"Æresource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
+£
+typeš"Œtype is the type of metric source.  It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled²

+string
+ 
+containerResourceŠ
+J#/definitions/io.k8s.api.autoscaling.v2beta1.ContainerResourceMetricSource"»container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
+ô
+externalç
+A#/definitions/io.k8s.api.autoscaling.v2beta1.ExternalMetricSource"¡external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).
+û
+)io.k8s.api.autoscaling.v2beta2.MetricSpecÍ"|MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).š
type²

+objectÊ
¹
+™
+resourceŒ
+A#/definitions/io.k8s.api.autoscaling.v2beta2.ResourceMetricSource"Æresource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.
+£
+typeš"Œtype is the type of metric source.  It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled²

+string
+ 
+containerResourceŠ
+J#/definitions/io.k8s.api.autoscaling.v2beta2.ContainerResourceMetricSource"»container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
+ô
+externalç
+A#/definitions/io.k8s.api.autoscaling.v2beta2.ExternalMetricSource"¡external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).
+Â

+object·

+?#/definitions/io.k8s.api.autoscaling.v2beta2.ObjectMetricSource"tobject refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).
+•
+podsŒ
+=#/definitions/io.k8s.api.autoscaling.v2beta2.PodsMetricSource"Ê
pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.
+¦
+%io.k8s.api.core.v1.CinderVolumeSourceü"ë
Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.š
volumeID²

+objectÊ
ô
+ƒ
+fsTypeø
"ê
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md²

+string
+Á

+readOnly´
"¥
Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md²
	
+boolean
+ž

+	secretRef�

+5#/definitions/io.k8s.api.core.v1.LocalObjectReference"WOptional: points to a secret object containing parameters used to connect to OpenStack.
+†

+volumeIDz"mvolume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md²

+string
+Æ
+#io.k8s.api.core.v1.SecretProjectionž"�Adapts a secret into a projected volume.
+
+The contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.²

+objectÊ
ÿ
+¤
+itemsš"ÜIf unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.²

+arrayº
.
+,
+*#/definitions/io.k8s.api.core.v1.KeyToPath
+„

+name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names²

+string
+O
+optionalC"5Specify whether the Secret or its key must be defined²
	
+boolean
+´	
+)io.k8s.api.discovery.v1beta1.EndpointPort†	"7EndpointPort represents a Port used by an EndpointSlice²

+objectÊ
¾
+Ù
+appProtocolÉ"»The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.²

+string
+Å
+name¼"®The name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string.²

+string
+³

+portª
int32"”
The port number of the endpoint. If this is not specified, ports are not restricted and must be interpreted in the context of the specific consumer.²
	
+integer
+b
+protocolV"IThe IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.²

+string
+±
+/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventý"6Event represents a single event to a watched resource.š
typeš
object²

+objectÊ
×
+¿
+object´
+:#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"õ
Object is:
+ * If Type is Added or Modified: the new state of the object.
+ * If Type is Deleted: the state of the object immediately before deletion.
+ * If Type is Error: *Status is recommended; other types may make sense
+   depending on context.
+
+type²

+stringú
Ë
+x-kubernetes-group-version-kind§¤- group: ""
+  kind: WatchEvent
+  version: v1
+- version: v1
+  group: admission.k8s.io
+  kind: WatchEvent
+- group: admission.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: admissionregistration.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: admissionregistration.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: apiextensions.k8s.io
+  kind: WatchEvent
+  version: v1
+- kind: WatchEvent
+  version: v1beta1
+  group: apiextensions.k8s.io
+- group: apiregistration.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: apiregistration.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: apps
+  kind: WatchEvent
+  version: v1
+- group: apps
+  kind: WatchEvent
+  version: v1beta1
+- group: apps
+  kind: WatchEvent
+  version: v1beta2
+- kind: WatchEvent
+  version: v1
+  group: authentication.k8s.io
+- group: authentication.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- kind: WatchEvent
+  version: v1
+  group: authorization.k8s.io
+- group: authorization.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: autoscaling
+  kind: WatchEvent
+  version: v1
+- kind: WatchEvent
+  version: v2beta1
+  group: autoscaling
+- group: autoscaling
+  kind: WatchEvent
+  version: v2beta2
+- group: batch
+  kind: WatchEvent
+  version: v1
+- group: batch
+  kind: WatchEvent
+  version: v1beta1
+- group: certificates.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: certificates.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: coordination.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: coordination.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: discovery.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: discovery.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: events.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: events.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: extensions
+  kind: WatchEvent
+  version: v1beta1
+- kind: WatchEvent
+  version: v1alpha1
+  group: flowcontrol.apiserver.k8s.io
+- group: flowcontrol.apiserver.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: imagepolicy.k8s.io
+  kind: WatchEvent
+  version: v1alpha1
+- kind: WatchEvent
+  version: v1alpha1
+  group: internal.apiserver.k8s.io
+- group: networking.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: networking.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: node.k8s.io
+  kind: WatchEvent
+  version: v1
+- version: v1alpha1
+  group: node.k8s.io
+  kind: WatchEvent
+- group: node.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- version: v1
+  group: policy
+  kind: WatchEvent
+- version: v1beta1
+  group: policy
+  kind: WatchEvent
+- kind: WatchEvent
+  version: v1
+  group: rbac.authorization.k8s.io
+- version: v1alpha1
+  group: rbac.authorization.k8s.io
+  kind: WatchEvent
+- group: rbac.authorization.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: scheduling.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: scheduling.k8s.io
+  kind: WatchEvent
+  version: v1alpha1
+- group: scheduling.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+- group: storage.k8s.io
+  kind: WatchEvent
+  version: v1
+- group: storage.k8s.io
+  kind: WatchEvent
+  version: v1alpha1
+- group: storage.k8s.io
+  kind: WatchEvent
+  version: v1beta1
+
+Á
+-io.k8s.api.authorization.v1beta1.ResourceRule�"¬
ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.š
verbs²

+objectÊ
É
+ƒ
+	apiGroupsõ
"Ø
APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.  "*" means all.²

+arrayº

+²

+string
+¹

+
resourceNames§
"Š
ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.²

+arrayº

+²

+string
+ä

+	resourcesÖ
"¹
Resources is a list of resources this rule applies to.  "*" means all in the specified apiGroups.
+ "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.²

+arrayº

+²

+string
+�

+verbs“
"wVerb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.²

+arrayº

+²

+string
+�
+:io.k8s.api.authorization.v1beta1.SubjectAccessReviewStatusÞ"SubjectAccessReviewStatusš
allowed²

+objectÊ
ª
+‚
+denied÷
"è
Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.²
	
+boolean
+Þ
+evaluationErrorÊ"¼EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.²

+string
+]
+reasonS"FReason is optional.  It indicates why a request was allowed or denied.²

+string
+c
+allowedX"JAllowed is required. True if the action would be allowed, false otherwise.²
	
+boolean
+ž
+Fio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceSpecÓ"£
APIServiceSpec contains information for locating and communicating with a server. Only https is supported, though you are able to disable certificate verification.š
groupPriorityMinimumš
versionPriority²

+objectÊ
õ
+ì

+caBundleß
byte"¥
CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.²

+stringú
#
+x-kubernetes-list-type	atomic
+
+C
+group:"-Group is the API group name this server hosts²

+string
+±
+groupPriorityMinimum˜int32"‚GroupPriorityMininum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object.  (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s²
	
+integer
+Í

+insecureSkipTLSVerify³
"¤
InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged.  You should use the CABundle instead.²
	
+boolean
+ù
+serviceí
+V#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.ServiceReference"’Service is a reference to the service for this API server.  It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.
+X
+versionM"@Version is the API version this server hosts.  For example, "v1"²

+string
+ä
+versionPriorityÐint32"ºVersionPriority controls the ordering of this API version inside of its group.  Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.²
	
+integer
+·
+!io.k8s.api.core.v1.NodeSystemInfo‘"CNodeSystemInfo is a set of ids/uuids to uniquely identify the node.š
	machineIDš

+systemUUIDš
bootIDš

kernelVersionš
osImageš
containerRuntimeVersionš
kubeletVersionš
kubeProxyVersionš
operatingSystemš
architecture²

+objectÊ
¢	
+H
+kubeProxyVersion4"'KubeProxy Version reported by the node.²

+string
+D
+kubeletVersion2"%Kubelet Version reported by the node.²

+string
+ß

+	machineIDÑ
"Ã
MachineID reported by the node. For unique machine identification in the cluster this field is preferred. Learn more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html²

+string
+I
+operatingSystem6")The Operating System reported by the node²

+string
+þ

+
+systemUUIDï
"á
SystemUUID reported by the node. For unique machine identification MachineID is preferred. This field is specific to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid²

+string
+n
+
kernelVersion]"PKernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).²

+string
+4
+bootID*"Boot ID reported by the node.²

+string
+‡

+containerRuntimeVersionl"_ContainerRuntime Version reported by the node through runtime remote API (e.g. docker://1.5.0).²

+string
+n
+osImagec"VOS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).²

+string
+B
+architecture2"%The Architecture reported by the node²

+string
+¥
+>io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDRâ"�
ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.š

+clientCIDRš

serverAddress²

+objectÊ
¦
+€

+
+clientCIDRr"eThe CIDR with which clients can match their IP to figure out the server address that they should use.²

+string
+ 

+
serverAddressŽ
"€
Address of this server, suitable for a client that matches the above CIDR. This can be a hostname, hostname:port, IP or IP:port.²

+string
+Ô
+(io.k8s.api.core.v1.DownwardAPIProjection§"™
Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.²

+objectÊ
}
+{
+itemsr")Items is a list of DownwardAPIVolume file²

+arrayº
:
+8
+6#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeFile
+‚
+*io.k8s.api.core.v1.DownwardAPIVolumeSourceÓ"“
DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.²

+objectÊ
®
+¬
+defaultModeœint32"†Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.²
	
+integer
+}
+itemst"+Items is a list of downward API volume file²

+arrayº
:
+8
+6#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeFile
+«
+/io.k8s.api.core.v1.CinderPersistentVolumeSource÷"ë
Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.š
volumeID²

+objectÊ
ï
+Á

+readOnly´
"¥
Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md²
	
+boolean
+™

+	secretRef‹

+0#/definitions/io.k8s.api.core.v1.SecretReference"WOptional: points to a secret object containing parameters used to connect to OpenStack.
+†

+volumeIDz"mvolume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md²

+string
+ƒ
+fsTypeø
"ê
Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md²

+string
+å
+,io.k8s.api.flowcontrol.v1beta1.LimitResponse´"PLimitResponse defines how to handle requests that can not be executed right now.š
type²

+objectÊ
é
+Ã

+queuing·

+A#/definitions/io.k8s.api.flowcontrol.v1beta1.QueuingConfiguration"r`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `"Queue"`.
+ 
+type—"‰`type` is "Queue" or "Reject". "Queue" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. "Reject" means that requests that can not be executed upon arrival are rejected. Required.²

+stringú
`
+x-kubernetes-unionsIG- discriminator: type
+  fields-to-discriminateBy:
+    queuing: Queuing
+
+´	
+Uio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionListÚ"KCustomResourceDefinitionList is a list of CustomResourceDefinition objects.š
items²

+objectÊ
ý
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+²

+items¨
"6items list individual CustomResourceDefinition objects²

+arrayº
c
+a
+_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+I
+metadata=
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaú
v
+x-kubernetes-group-version-kindSQ- group: apiextensions.k8s.io
+  kind: CustomResourceDefinitionList
+  version: v1
+
+Ç
+
+(io.k8s.api.authentication.v1.TokenReviewš
+"§
TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.š
spec²

+objectÊ
ñ
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+~
+specv
+:#/definitions/io.k8s.api.authentication.v1.TokenReviewSpec"8Spec holds information about the request being evaluated
+¤

+status™

+<#/definitions/io.k8s.api.authentication.v1.TokenReviewStatus"YStatus is filled in by the server and indicates whether the request can be authenticated.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
f
+x-kubernetes-group-version-kindCA- version: v1
+  group: authentication.k8s.io
+  kind: TokenReview
+
+ª
+9io.k8s.api.authorization.v1beta1.LocalSubjectAccessReviewì"ç
LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.š
spec²

+objectÊ
ò
+ö

+specí

+F#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewSpec"¢
Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace you made the request against.  If empty, it is defaulted.
+¬

+status¡

+H#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or not
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+K
+metadata?
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMetaú
w
+x-kubernetes-group-version-kindTR- group: authorization.k8s.io
+  kind: LocalSubjectAccessReview
+  version: v1beta1
+
+“
+
+,io.k8s.api.core.v1.ReplicationControllerListâ	"EReplicationControllerList is a collection of replication controllers.š
items²

+objectÊ
 
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Î

+itemsÄ
"{List of replication controllers. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller²

+arrayº
:
+8
+6#/definitions/io.k8s.api.core.v1.ReplicationControllerú
a
+x-kubernetes-group-version-kind><- kind: ReplicationControllerList
+  version: v1
+  group: ""
+
+¾
+%io.k8s.api.extensions.v1beta1.Ingress”"‹Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. DEPRECATED - This group version of Ingress is deprecated by networking.k8s.io/v1beta1 Ingress. See the release notes for more information.²

+objectÊ
˜
+
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ý

+specÔ

+7#/definitions/io.k8s.api.extensions.v1beta1.IngressSpec"˜
Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ã

+statusØ

+9#/definitions/io.k8s.api.extensions.v1beta1.IngressStatus"š
Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
\
+x-kubernetes-group-version-kind97- group: extensions
+  kind: Ingress
+  version: v1beta1
+
+Ã

+Nio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBoolq"oJSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property.
+ø
+
+,io.k8s.apimachinery.pkg.runtime.RawExtensionÇ
+"¹
+RawExtension is used to hold extensions in external versions.
+
+To use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.
+
+// Internal package: type MyAPIObject struct {
+	runtime.TypeMeta `json:",inline"`
+	MyPlugin runtime.Object `json:"myPlugin"`
+} type PluginA struct {
+	AOption string `json:"aOption"`
+}
+
+// External package: type MyAPIObject struct {
+	runtime.TypeMeta `json:",inline"`
+	MyPlugin runtime.RawExtension `json:"myPlugin"`
+} type PluginA struct {
+	AOption string `json:"aOption"`
+}
+
+// On the wire, the JSON will look something like this: {
+	"kind":"MyAPIObject",
+	"apiVersion":"v1",
+	"myPlugin": {
+		"kind":"PluginA",
+		"aOption":"foo",
+	},
+}
+
+So what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)²

+object
+õ
+
+io.k8s.api.batch.v1.CronJobSpecÑ
+"YCronJobSpec describes how the job execution will look like and when it will actually run.š
scheduleš
jobTemplate²

+objectÊ
Î	
+Ç

+startingDeadlineSeconds«
int64"•
Optional deadline in seconds for starting the job if it misses scheduled time for any reason.  Missed jobs executions will be counted as failed ones.²
	
+integer
+—

+successfulJobsHistoryLimityint32"dThe number of successful finished jobs to retain. Value must be non-negative integer. Defaults to 3.²
	
+integer
+ 

+suspend”
"…
This flag tells the controller to suspend subsequent executions, it does not apply to already started executions.  Defaults to false.²
	
+boolean
+Ì
+concurrencyPolicy¶"¨Specifies how to treat concurrent executions of a Job. Valid values are: - "Allow" (default): allows CronJobs to run concurrently; - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - "Replace": cancels currently running job and replaces it with a new one²

+string
+�

+failedJobsHistoryLimituint32"`The number of failed finished jobs to retain. Value must be non-negative integer. Defaults to 1.²
	
+integer
+„

+jobTemplateu
+1#/definitions/io.k8s.api.batch.v1.JobTemplateSpec"@Specifies the job that will be created when executing a CronJob.
+]
+scheduleQ"DThe schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.²

+string
+à
+#io.k8s.api.batch.v1.JobTemplateSpec¸"QJobTemplateSpec describes the data a Job should have when created from a template²

+objectÊ
Ö
+ù

+metadataì

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ª
Standard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+×

+specÎ

+)#/definitions/io.k8s.api.batch.v1.JobSpec" 
Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+ø
+"io.k8s.api.core.v1.RBDVolumeSourceÑ"ˆ
Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.š
monitorsš
image²

+objectÊ
¤
+‚

+userz"mThe rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+string
+³
+fsType¨"šFilesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd²

+string
+r
+imagei"\The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+string
+«

+keyringŸ
"‘
Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+string
+Ž

+monitors�
"eA collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+arrayº

+²

+string
+€

+poolx"kThe rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²

+string
+´

+readOnly§
"˜
ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it²
	
+boolean
+ù

+	secretRefë

+5#/definitions/io.k8s.api.core.v1.LocalObjectReference"±
SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+�
+*io.k8s.api.discovery.v1beta1.EndpointSliceà"Ü
EndpointSlice represents a subset of the endpoints that implement a service. For a given service there may be multiple EndpointSlice objects, selected by labels, which must be joined to produce the full set of endpoints.š
addressTypeš
	endpoints²

+objectÊ
í
+ð
+addressTypeà"ÒaddressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.²

+string
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+ä

+	endpointsÖ
"jendpoints is a list of unique endpoints in this slice. Each slice may include a maximum of 1000 endpoints.²

+arrayº
7
+5
+3#/definitions/io.k8s.api.discovery.v1beta1.Endpointú
#
+x-kubernetes-list-type	atomic
+
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+h
+metadata\
+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.
+©
+portsŸ"®ports specifies the list of network ports exposed by each endpoint in this slice. Each port must have a unique name. When ports is empty, it indicates that there are no defined ports. When a port is defined with a nil port value, it indicates "all ports". Each slice may include a maximum of 100 ports.²

+arrayº
;
+9
+7#/definitions/io.k8s.api.discovery.v1beta1.EndpointPortú
#
+x-kubernetes-list-type	atomic
+ú
h
+x-kubernetes-group-version-kindEC- version: v1beta1
+  group: discovery.k8s.io
+  kind: EndpointSlice
+
+µ
+#io.k8s.api.networking.v1.IngressTLS�"MIngressTLS describes the transport layer security associated with an Ingress.²

+objectÊ
¯
+À
+hosts¶"ó
Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.²

+arrayº

+²

+stringú
#
+x-kubernetes-list-type	atomic
+
+é
+
+secretNameÚ"ÌSecretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.²

+string
+®
+"io.k8s.api.rbac.v1.RoleBindingList‡"/RoleBindingList is a collection of RoleBindingsš
items²

+objectÊ
Î
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+g
+items^"Items is a list of RoleBindings²

+arrayº
0
+.
+,#/definitions/io.k8s.api.rbac.v1.RoleBinding
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+f
+metadataZ
+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ú
n
+x-kubernetes-group-version-kindKI- group: rbac.authorization.k8s.io
+  kind: RoleBindingList
+  version: v1
+
+å
+2io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails®"éStatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.²

+objectÊ
³	
+�
+kind„"ö
The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+—

+nameŽ
"€
The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).²

+string
+—
+retryAfterSeconds�int32"ë
If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.²
	
+integer
+¥

+uid�
"�
UID of the resource. (when there is a single resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids²

+string
+à

+causesÕ
"ƒ
The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.²

+arrayº
B
+@
+>#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause
+b
+groupY"LThe group attribute of the resource associated with the status StatusReason.²

+string
+ˆ
+%io.k8s.api.apps.v1.ControllerRevisionÞ"±ControllerRevision implements an immutable snapshot of state data. Clients are responsible for serializing and deserializing the objects that contain their internal state. Once a ControllerRevision has been successfully created, it can not be updated. The API Server will fail validation of all requests that attempt to mutate the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability. It is primarily for internal use by controllers.š
revision²

+objectÊ
±
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+b
+revisionVint64"ARevision indicates the revision of the state represented by Data.²
	
+integer
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+y
+dataq
+:#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"3Data is the serialized representation of the state.ú
\
+x-kubernetes-group-version-kind97- group: apps
+  kind: ControllerRevision
+  version: v1
+
+Þ
+ io.k8s.api.core.v1.ContainerPort¹">ContainerPort represents a network port in a single container.š

containerPort²

+objectÊ
Ú
+A
+hostIP7"*What host IP to bind the external port to.²

+string
+å

+hostPortØ
int32"Â
Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.²
	
+integer
+Æ

+name½
"¯
If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.²

+string
+Y
+protocolM"@Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".²

+string
+ˆ

+
containerPortwint32"bNumber of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.²
	
+integer
+¨
+
+1io.k8s.api.storage.v1beta1.CSIStorageCapacityListò	"ECSIStorageCapacityList is a collection of CSIStorageCapacity objects.š
items²

+objectÊ
¢
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+Õ

+itemsË
"0Items is the list of CSIStorageCapacity objects.²

+arrayº
?
+=
+;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityú
'
+x-kubernetes-list-map-keys	- name
+ú
 
+x-kubernetes-list-typemap
+
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ê

+metadata½

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
o
+x-kubernetes-group-version-kindLJ- group: storage.k8s.io
+  kind: CSIStorageCapacityList
+  version: v1beta1
+
+¬
++io.k8s.apimachinery.pkg.apis.meta.v1.Statusü"CStatus is a return value for calls that don't return other objects.²

+objectÊ
×
+U
+messageJ"=A human-readable description of the status of this operation.²

+string
+Ï

+metadataÂ

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ä

+reasonÙ
"Ë
A machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.²

+string
+À

+statusµ
"§
Status of the operation. One of: "Success" or "Failure". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status²

+string
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+V
+codeNint32"9Suggested HTTP return code for this status, 0 if not set.²
	
+integer
+¬
+details 
+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"Û
Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+stringú
N
+x-kubernetes-group-version-kind+)- group: ""
+  kind: Status
+  version: v1
+
+�
+-io.k8s.api.flowcontrol.v1beta1.FlowSchemaSpecë"GFlowSchemaSpec describes how the FlowSchema's specification looks like.š
priorityLevelConfiguration²

+objectÊ
ö
+
+ô
+rulesê"ì
`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.²

+arrayº
H
+F
+D#/definitions/io.k8s.api.flowcontrol.v1beta1.PolicyRulesWithSubjectsú
#
+x-kubernetes-list-type	atomic
+
+¦
+distinguisherMethodŽ
+D#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowDistinguisherMethod"Å
`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
+�
+matchingPrecedenceøint32"â`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.²
	
+integer
+Á
+priorityLevelConfiguration¢
+P#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationReference"Í
`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.
+”
+(io.k8s.api.networking.v1beta1.IngressTLSç"MIngressTLS describes the transport layer security associated with an Ingress.²

+objectÊ
‰
+š
+hosts�"ó
Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.²

+arrayº

+²

+string
+é
+
+secretNameÚ"ÌSecretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.²

+string
+¾
+io.k8s.api.core.v1.PodAffinity›"?Pod affinity is a group of inter pod affinity scheduling rules.²

+objectÊ
Ë
+
+ì
+/preferredDuringSchedulingIgnoredDuringExecution¸"ìThe scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.²

+arrayº
<
+:
+8#/definitions/io.k8s.api.core.v1.WeightedPodAffinityTerm
+Ù
+.requiredDuringSchedulingIgnoredDuringExecution¦"âIf the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.²

+arrayº
4
+2
+0#/definitions/io.k8s.api.core.v1.PodAffinityTerm
+¯
+io.k8s.api.rbac.v1.Subject�"Æ
Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.š
kindš
name²

+objectÊ
ª
+9
+name1"$Name of the object being referenced.²

+string
+Ã

+	namespaceµ
"§
Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.²

+string
+Ã

+apiGroup¶
"¨
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.²

+string
+à

+kind×
"É
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.²

+string
+«	
+)io.k8s.api.apps.v1.ControllerRevisionListý"UControllerRevisionList is a resource containing a list of ControllerRevision objects.š
items²

+objectÊ
¬
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+w
+itemsn"(Items is the list of ControllerRevisions²

+arrayº
7
+5
+3#/definitions/io.k8s.api.apps.v1.ControllerRevision
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+³

+metadata¦

+;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú
`
+x-kubernetes-group-version-kind=;- group: apps
+  kind: ControllerRevisionList
+  version: v1
+
+†
+3io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSourceÎ
+"¡Represents a Persistent Disk resource in AWS.
+
+An AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.š
volumeID²

+objectÊ
�
+Ä
+fsType¹"«Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore²

+string
+¨
+	partitionšint32"„The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).²
	
+integer
+ä

+readOnly×
"È
Specify "true" to force and set the ReadOnly property in VolumeMounts to "true". If omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore²
	
+boolean
+´

+volumeID§
"™
Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore²

+string
+ð
+!io.k8s.api.core.v1.ClientIPConfigÊ"QClientIPConfig represents the configurations of Client IP based session affinity.²

+objectÊ
è

+å

+timeoutSecondsÒ
int32"¼
timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". Default value is 10800(for 3 hours).²
	
+integer
+ò,
+2io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions»,":DeleteOptions may be provided when deleting an API object.²

+objectÊ
‹
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+ 
+dryRun•"ø
When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed²

+arrayº

+²

+string
+Þ
+gracePeriodSecondsÇint64"±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.²
	
+integer
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ä
+orphanDependents¯" Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.²
	
+boolean
+Â

+
preconditions°

+@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"lMust be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.
+û
+propagationPolicyå"×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.²

+stringú
á
+x-kubernetes-group-version-kind½º- group: ""
+  kind: DeleteOptions
+  version: v1
+- group: admission.k8s.io
+  kind: DeleteOptions
+  version: v1
+- version: v1beta1
+  group: admission.k8s.io
+  kind: DeleteOptions
+- group: admissionregistration.k8s.io
+  kind: DeleteOptions
+  version: v1
+- group: admissionregistration.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- kind: DeleteOptions
+  version: v1
+  group: apiextensions.k8s.io
+- group: apiextensions.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- group: apiregistration.k8s.io
+  kind: DeleteOptions
+  version: v1
+- kind: DeleteOptions
+  version: v1beta1
+  group: apiregistration.k8s.io
+- version: v1
+  group: apps
+  kind: DeleteOptions
+- group: apps
+  kind: DeleteOptions
+  version: v1beta1
+- group: apps
+  kind: DeleteOptions
+  version: v1beta2
+- group: authentication.k8s.io
+  kind: DeleteOptions
+  version: v1
+- group: authentication.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- version: v1
+  group: authorization.k8s.io
+  kind: DeleteOptions
+- group: authorization.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- group: autoscaling
+  kind: DeleteOptions
+  version: v1
+- group: autoscaling
+  kind: DeleteOptions
+  version: v2beta1
+- version: v2beta2
+  group: autoscaling
+  kind: DeleteOptions
+- group: batch
+  kind: DeleteOptions
+  version: v1
+- group: batch
+  kind: DeleteOptions
+  version: v1beta1
+- group: certificates.k8s.io
+  kind: DeleteOptions
+  version: v1
+- kind: DeleteOptions
+  version: v1beta1
+  group: certificates.k8s.io
+- group: coordination.k8s.io
+  kind: DeleteOptions
+  version: v1
+- group: coordination.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- kind: DeleteOptions
+  version: v1
+  group: discovery.k8s.io
+- group: discovery.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- group: events.k8s.io
+  kind: DeleteOptions
+  version: v1
+- group: events.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- kind: DeleteOptions
+  version: v1beta1
+  group: extensions
+- version: v1alpha1
+  group: flowcontrol.apiserver.k8s.io
+  kind: DeleteOptions
+- group: flowcontrol.apiserver.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- group: imagepolicy.k8s.io
+  kind: DeleteOptions
+  version: v1alpha1
+- group: internal.apiserver.k8s.io
+  kind: DeleteOptions
+  version: v1alpha1
+- kind: DeleteOptions
+  version: v1
+  group: networking.k8s.io
+- kind: DeleteOptions
+  version: v1beta1
+  group: networking.k8s.io
+- group: node.k8s.io
+  kind: DeleteOptions
+  version: v1
+- group: node.k8s.io
+  kind: DeleteOptions
+  version: v1alpha1
+- group: node.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+- kind: DeleteOptions
+  version: v1
+  group: policy
+- version: v1beta1
+  group: policy
+  kind: DeleteOptions
+- group: rbac.authorization.k8s.io
+  kind: DeleteOptions
+  version: v1
+- version: v1alpha1
+  group: rbac.authorization.k8s.io
+  kind: DeleteOptions
+- version: v1beta1
+  group: rbac.authorization.k8s.io
+  kind: DeleteOptions
+- kind: DeleteOptions
+  version: v1
+  group: scheduling.k8s.io
+- group: scheduling.k8s.io
+  kind: DeleteOptions
+  version: v1alpha1
+- version: v1beta1
+  group: scheduling.k8s.io
+  kind: DeleteOptions
+- group: storage.k8s.io
+  kind: DeleteOptions
+  version: v1
+- group: storage.k8s.io
+  kind: DeleteOptions
+  version: v1alpha1
+- group: storage.k8s.io
+  kind: DeleteOptions
+  version: v1beta1
+
+“ 
+io.k8s.api.events.v1.Eventô"¾Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. Events have a limited retention time and triggers and messages may evolve with time.  Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason.  Events should be treated as informative, best-effort, supplemental data.š
	eventTime²

+objectÊ
½
+Â

+reportingInstance¬
"ž
reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. This field cannot be empty for new Events and it can have at most 128 characters.²

+string
+Ì

+actionÁ
"³
action is what action was taken/failed regarding to the regarding object. It is machine-readable. This field cannot be empty for new Events and it can have at most 128 characters.²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ñ

+relatedÅ

+0#/definitions/io.k8s.api.core.v1.ObjectReference"�
related is the optional secondary object for more complex actions. E.g. when regarding object triggers a creation or deletion of related object.
+¹

+reportingController¡
"“
reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. This field cannot be empty for new Events.²

+string
+ˆ

+deprecatedCountuint32"`deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.²
	
+integer
+¦

+deprecatedSource‘

+,#/definitions/io.k8s.api.core.v1.EventSource"adeprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.
+¤

+reason™
"‹
reason is why the action was taken. It is human-readable. This field cannot be empty for new Events and it can have at most 128 characters.²

+string
+š

+series�

+.#/definitions/io.k8s.api.events.v1.EventSeries"]series is data about the Event series this event represents or nil if it's a singleton Event.
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+—

+	eventTime‰

+<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"IeventTime is the time when this Event was first observed. It is required.
+½

+note´
"¦
note is a human-readable description of the status of this operation. Maximal length of the note is 1kB, but libraries should be prepared to handle values up to 64kB.²

+string
+¶
+	regarding¨
+0#/definitions/io.k8s.api.core.v1.ObjectReference"ó
regarding contains the object this Event is about. In most cases it's an Object reporting controller implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because it acts on some changes in a ReplicaSet object.
+³

+typeª
"œ
type is the type of this event (Normal, Warning), new types could be added in the future. It is machine-readable. This field cannot be empty for new Events.²

+string
+Á

+deprecatedFirstTimestamp¤

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"ideprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+¿

+deprecatedLastTimestamp£

+7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"hdeprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.ú
X
+x-kubernetes-group-version-kind53- kind: Event
+  version: v1
+  group: events.k8s.io
+
+²
+,io.k8s.api.storage.v1.VolumeAttachmentSource�"Ý
VolumeAttachmentSource represents a volume that should be attached. Right now only PersistenVolumes can be attached via external attacher, in future we may allow also inline volumes in pods. Exactly one member can be set.²

+objectÊ
’
+À
+inlineVolumeSpec«
+5#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"ñinlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature.
+M
+persistentVolumeName5"(Name of the persistent volume to attach.²

+string
+œ
+io.k8s.api.core.v1.EnvVarSourceø"<EnvVarSource represents a source for the value of an EnvVar.²

+objectÊ
«
+i
+configMapKeyRefV
+5#/definitions/io.k8s.api.core.v1.ConfigMapKeySelector"Selects a key of a ConfigMap.
+ž
+fieldRef‘
+4#/definitions/io.k8s.api.core.v1.ObjectFieldSelector"Ø
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+¤
+resourceFieldRef�
+6#/definitions/io.k8s.api.core.v1.ResourceFieldSelector"Ô
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+v
+secretKeyReff
+2#/definitions/io.k8s.api.core.v1.SecretKeySelector"0Selects a key of a secret in the pod's namespace
+ã
+io.k8s.api.core.v1.NamespaceÂ"MNamespace provides a scope for Names. Use of multiple namespaces is optional.²

+objectÊ
�
+
+â

+status×

+0#/definitions/io.k8s.api.core.v1.NamespaceStatus"¢
Status describes the current status of a Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+¾
+
+apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources²

+string
+¹
+kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds²

+string
+Ò

+metadataÅ

+=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒ
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+Ö

+specÍ

+.#/definitions/io.k8s.api.core.v1.NamespaceSpec"š
Spec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú
Q
+x-kubernetes-group-version-kind.,- group: ""
+  kind: Namespace
+  version: v1
+b
+
+BearerTokenjO
+M
+BearerToken><
+apiKey
authorizationheader"Bearer Token authentication
\ No newline at end of file
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.go b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.go
new file mode 100644
index 0000000000..421f70f7c2
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.go
@@ -0,0 +1,248 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated for package kustomizationapi by go-bindata DO NOT EDIT. (@generated)
+// sources:
+// kustomizationapi/swagger.json
+package kustomizationapi
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+)
+
+func bindataRead(data []byte, name string) ([]byte, error) {
+	gz, err := gzip.NewReader(bytes.NewBuffer(data))
+	if err != nil {
+		return nil, fmt.Errorf("Read %q: %v", name, err)
+	}
+
+	var buf bytes.Buffer
+	_, err = io.Copy(&buf, gz)
+	clErr := gz.Close()
+
+	if err != nil {
+		return nil, fmt.Errorf("Read %q: %v", name, err)
+	}
+	if clErr != nil {
+		return nil, err
+	}
+
+	return buf.Bytes(), nil
+}
+
+type asset struct {
+	bytes []byte
+	info  os.FileInfo
+}
+
+type bindataFileInfo struct {
+	name    string
+	size    int64
+	mode    os.FileMode
+	modTime time.Time
+}
+
+// Name return file name
+func (fi bindataFileInfo) Name() string {
+	return fi.name
+}
+
+// Size return file size
+func (fi bindataFileInfo) Size() int64 {
+	return fi.size
+}
+
+// Mode return file mode
+func (fi bindataFileInfo) Mode() os.FileMode {
+	return fi.mode
+}
+
+// ModTime return file modify time
+func (fi bindataFileInfo) ModTime() time.Time {
+	return fi.modTime
+}
+
+// IsDir return file whether a directory
+func (fi bindataFileInfo) IsDir() bool {
+	return fi.mode&os.ModeDir != 0
+}
+
+// Sys return file is sys mode
+func (fi bindataFileInfo) Sys() interface{} {
+	return nil
+}
+
+var _kustomizationapiSwaggerJson = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xe4\x56\xc1\x6e\xdb\x30\x0c\xbd\xe7\x2b\x04\x6d\xc7\xd8\x45\x6e\x43\x6e\xc3\x0e\x3b\x14\x05\x0a\x74\xb7\xa1\x07\xc6\xa1\x5d\xce\x8e\xa4\x51\xb4\xb1\x6c\xc8\xbf\x0f\xd6\x62\xd7\x4a\xec\x75\x0b\x1a\xac\x4b\x0f\x06\x0c\x99\x7c\x4f\xe4\x7b\x24\xfc\x63\xa6\x94\x5e\x63\x4e\x86\x84\xac\xf1\x7a\xa9\xda\x23\xa5\x34\xd9\xb4\x7c\xe7\x53\x70\x94\x82\x73\x3e\x6d\x16\xe9\x07\x6b\x72\x2a\x6e\xc0\xbd\xe7\xe2\x31\x52\x29\xed\xd8\x3a\x64\x21\x1c\x9e\x2a\xa5\x3f\xa2\x41\x06\xb1\x7c\x90\x10\x3e\xbe\x65\xcc\xf5\x52\xe9\x37\x57\x03\xfe\xab\x11\xda\x18\xa5\x87\xd8\xed\xdf\x76\xf3\xee\x1a\xb0\x5e\x07\x14\xa8\x6e\x87\x17\xca\xa1\xf2\xd8\x07\xc9\xd6\x61\x4b\x6b\x57\x5f\x30\x13\xdd\x9f\x7f\x4b\xca\x7a\x85\x6c\x50\xd0\x27\x05\xdb\xda\x25\x0d\xb2\x27\x6b\x92\x92\xcc\x5a\x2f\xd5\xe7\x9e\x3a\xaa\x23\xc4\xb6\x88\x65\xed\xc5\x6e\xe8\x3b\xa6\x59\x68\x54\x28\x84\x6c\x4f\x11\xa2\xf7\x58\x3a\xee\x65\x14\xb2\xa7\x6d\xa3\x9a\xc5\x0a\x05\x16\xc7\x45\xdf\xcf\x06\xa5\x8f\x69\x75\x87\x19\xa3\xbc\x0c\xa1\x1e\xab\xeb\xba\x1f\xe1\x77\x8a\x78\x61\x32\xc5\xa5\x08\x3c\x10\xe0\xf9\xd5\x9d\xd2\x6b\x52\x60\x03\x1b\xf4\x0e\xb2\x3f\x6f\xfe\x3c\x4e\x3e\x25\x6f\x85\x0f\xd0\x90\xe5\x53\x72\xaf\x9b\x5b\x20\xbe\xb3\x35\x67\x78\xba\x23\x63\x94\x0b\x71\x56\x2c\xfe\xf3\x9b\xeb\x7a\x7f\x19\x90\x5f\x50\xbd\xb9\x18\xbf\xd6\xc4\x18\x17\xa4\x3f\x6d\x1d\xde\xa0\x40\xc7\x74\x3f\x7f\xca\x8c\x59\xb7\xfb\xfa\x4a\x0e\x05\x26\xc1\xcd\xa1\xea\x7f\xa3\x7b\xbc\x5d\x07\x20\xbb\xf9\x98\x11\x81\x19\xb6\x71\x27\x23\x4d\x1d\x48\xf6\x90\x6c\x90\x0b\x4c\x4a\xdc\xb6\x29\x61\x26\x9e\xca\xf0\xc2\x20\x58\x84\x84\x90\x3d\xee\x75\x1f\x56\xc5\xd9\x9a\x31\xd8\x44\x2f\xb2\x13\xff\xf5\x30\xc6\xc3\x72\x86\x61\x9c\xd8\x83\x93\xc3\x55\x91\x20\x43\x75\xb4\x33\x27\x5c\x34\xb5\x8b\x7f\x6f\x90\x51\x1b\xe7\x54\x1d\xaf\xea\xf3\xd3\xa2\x69\xfe\x0d\xeb\xeb\xf8\x8f\x89\x0d\x78\xaa\xc1\x67\xed\xb3\xfb\x19\x00\x00\xff\xff\x2f\x39\x79\xd0\x6e\x0c\x00\x00")
+
+func kustomizationapiSwaggerJsonBytes() ([]byte, error) {
+	return bindataRead(
+		_kustomizationapiSwaggerJson,
+		"kustomizationapi/swagger.json",
+	)
+}
+
+func kustomizationapiSwaggerJson() (*asset, error) {
+	bytes, err := kustomizationapiSwaggerJsonBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "kustomizationapi/swagger.json", size: 3182, mode: os.FileMode(420), modTime: time.Unix(1615228558, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
+// Asset loads and returns the asset for the given name.
+// It returns an error if the asset could not be found or
+// could not be loaded.
+func Asset(name string) ([]byte, error) {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	if f, ok := _bindata[cannonicalName]; ok {
+		a, err := f()
+		if err != nil {
+			return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err)
+		}
+		return a.bytes, nil
+	}
+	return nil, fmt.Errorf("Asset %s not found", name)
+}
+
+// MustAsset is like Asset but panics when Asset would return an error.
+// It simplifies safe initialization of global variables.
+func MustAsset(name string) []byte {
+	a, err := Asset(name)
+	if err != nil {
+		panic("asset: Asset(" + name + "): " + err.Error())
+	}
+
+	return a
+}
+
+// AssetInfo loads and returns the asset info for the given name.
+// It returns an error if the asset could not be found or
+// could not be loaded.
+func AssetInfo(name string) (os.FileInfo, error) {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	if f, ok := _bindata[cannonicalName]; ok {
+		a, err := f()
+		if err != nil {
+			return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err)
+		}
+		return a.info, nil
+	}
+	return nil, fmt.Errorf("AssetInfo %s not found", name)
+}
+
+// AssetNames returns the names of the assets.
+func AssetNames() []string {
+	names := make([]string, 0, len(_bindata))
+	for name := range _bindata {
+		names = append(names, name)
+	}
+	return names
+}
+
+// _bindata is a table, holding each asset generator, mapped to its name.
+var _bindata = map[string]func() (*asset, error){
+	"kustomizationapi/swagger.json": kustomizationapiSwaggerJson,
+}
+
+// AssetDir returns the file names below a certain
+// directory embedded in the file by go-bindata.
+// For example if you run go-bindata on data/... and data contains the
+// following hierarchy:
+//     data/
+//       foo.txt
+//       img/
+//         a.png
+//         b.png
+// then AssetDir("data") would return []string{"foo.txt", "img"}
+// AssetDir("data/img") would return []string{"a.png", "b.png"}
+// AssetDir("foo.txt") and AssetDir("notexist") would return an error
+// AssetDir("") will return []string{"data"}.
+func AssetDir(name string) ([]string, error) {
+	node := _bintree
+	if len(name) != 0 {
+		cannonicalName := strings.Replace(name, "\\", "/", -1)
+		pathList := strings.Split(cannonicalName, "/")
+		for _, p := range pathList {
+			node = node.Children[p]
+			if node == nil {
+				return nil, fmt.Errorf("Asset %s not found", name)
+			}
+		}
+	}
+	if node.Func != nil {
+		return nil, fmt.Errorf("Asset %s not found", name)
+	}
+	rv := make([]string, 0, len(node.Children))
+	for childName := range node.Children {
+		rv = append(rv, childName)
+	}
+	return rv, nil
+}
+
+type bintree struct {
+	Func     func() (*asset, error)
+	Children map[string]*bintree
+}
+
+var _bintree = &bintree{nil, map[string]*bintree{
+	"kustomizationapi": &bintree{nil, map[string]*bintree{
+		"swagger.json": &bintree{kustomizationapiSwaggerJson, map[string]*bintree{}},
+	}},
+}}
+
+// RestoreAsset restores an asset under the given directory
+func RestoreAsset(dir, name string) error {
+	data, err := Asset(name)
+	if err != nil {
+		return err
+	}
+	info, err := AssetInfo(name)
+	if err != nil {
+		return err
+	}
+	err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755))
+	if err != nil {
+		return err
+	}
+	err = os.WriteFile(_filePath(dir, name), data, info.Mode())
+	if err != nil {
+		return err
+	}
+	err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime())
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// RestoreAssets restores an asset under the given directory recursively
+func RestoreAssets(dir, name string) error {
+	children, err := AssetDir(name)
+	// File
+	if err != nil {
+		return RestoreAsset(dir, name)
+	}
+	// Dir
+	for _, child := range children {
+		err = RestoreAssets(dir, filepath.Join(name, child))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func _filePath(dir, name string) string {
+	cannonicalName := strings.Replace(name, "\\", "/", -1)
+	return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.json b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.json
new file mode 100644
index 0000000000..7441a5ee64
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.json
@@ -0,0 +1,130 @@
+{
+  "definitions": {
+    "io.k8s.api.apps.v1.ConfigMapArgs": {
+      "properties": {
+        "GeneratorArgs": {
+          "$ref": "#/definitions/io.k8s.api.apps.v1.GeneratorArgs"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "kustomize.config.k8s.io",
+          "kind": "ConfigMapArgs",
+          "version": "v1beta1"
+        }
+      ]
+    },
+    "io.k8s.api.apps.v1.SecretArgs": {
+      "properties": {
+        "GeneratorArgs": {
+          "$ref": "#/definitions/io.k8s.api.apps.v1.GeneratorArgs"
+        },
+        "type": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "kustomize.config.k8s.io",
+          "kind": "SecretArgs",
+          "version": "v1beta1"
+        }
+      ]
+    },
+    "io.k8s.api.apps.v1.GeneratorArgs": {
+      "properties": {
+        "namespace": {
+          "type": "string"
+        },
+        "name": {
+          "type": "string"
+        },
+        "behavior": {
+          "type": "string"
+        },
+        "KvPairSources": {
+          "$ref": "#/definitions/io.k8s.api.apps.v1.KvPairSources"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "kustomize.config.k8s.io",
+          "kind": "GeneratorArgs",
+          "version": "v1beta1"
+        }
+      ]
+    },
+    "io.k8s.api.apps.v1.Kustomization": {
+      "required": [
+        "TypeMeta"
+      ],
+      "properties": {
+        "configMapGenerator": {
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.apps.v1.ConfigMapArgs"
+          },
+          "type": "array",
+          "x-kubernetes-patch-merge-key": "name",
+          "x-kubernetes-patch-strategy": "merge"
+        },
+        "secretGenerator": {
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.apps.v1.SecretArgs"
+          },
+          "type": "array",
+          "x-kubernetes-patch-merge-key": "name",
+          "x-kubernetes-patch-strategy": "merge"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "kustomize.config.k8s.io",
+          "kind": "Kustomization",
+          "version": "v1beta1"
+        }
+      ]
+    },
+    "io.k8s.api.apps.v1.KvPairSources": {
+      "properties": {
+        "literals": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "files": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "envs": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "env": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "kustomize.config.k8s.io",
+          "kind": "KvPairSources",
+          "version": "v1beta1"
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/openapi.go b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/openapi.go
new file mode 100644
index 0000000000..aa1c8d4a85
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/openapi.go
@@ -0,0 +1,823 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package openapi
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"sync"
+
+	openapi_v2 "github.com/google/gnostic-models/openapiv2"
+	"google.golang.org/protobuf/proto"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi"
+	"sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+	k8syaml "sigs.k8s.io/yaml"
+)
+
+var (
+	// schemaLock is the lock for schema related globals.
+	//
+	// NOTE: This lock helps with preventing panics that might occur due to the data
+	// race that concurrent access on this variable might cause but it doesn't
+	// fully fix the issue described in https://github.com/kubernetes-sigs/kustomize/issues/4824.
+	// For instance concurrently running goroutines where each of them calls SetSchema()
+	// and/or GetSchemaVersion might end up received nil errors (success) whereas the
+	// seconds one would overwrite the global variable that has been written by the
+	// first one.
+	schemaLock sync.RWMutex //nolint:gochecknoglobals
+
+	// kubernetesOpenAPIVersion specifies which builtin kubernetes schema to use.
+	kubernetesOpenAPIVersion string //nolint:gochecknoglobals
+
+	// globalSchema contains global state information about the openapi
+	globalSchema openapiData //nolint:gochecknoglobals
+
+	// customSchemaFile stores the custom OpenApi schema if it is provided
+	customSchema []byte //nolint:gochecknoglobals
+)
+
+// schemaParseStatus is used in cases when a schema should be parsed, but the
+// parsing may be delayed to a later time.
+type schemaParseStatus uint32
+
+const (
+	schemaNotParsed schemaParseStatus = iota
+	schemaParseDelayed
+	schemaParsed
+)
+
+// openapiData contains the parsed openapi state.  this is in a struct rather than
+// a list of vars so that it can be reset from tests.
+type openapiData struct {
+	// schema holds the OpenAPI schema data
+	schema spec.Schema
+
+	// schemaForResourceType is a map of Resource types to their schemas
+	schemaByResourceType map[yaml.TypeMeta]*spec.Schema
+
+	// namespaceabilityByResourceType stores whether a given Resource type
+	// is namespaceable or not
+	namespaceabilityByResourceType map[yaml.TypeMeta]bool
+
+	// noUseBuiltInSchema stores whether we want to prevent using the built-in
+	// Kubernetes schema as part of the global schema
+	noUseBuiltInSchema bool
+
+	// schemaInit stores whether or not we've parsed the schema already,
+	// so that we only reparse the when necessary (to speed up performance)
+	schemaInit bool
+
+	// defaultBuiltInSchemaParseStatus stores the parse status of the default
+	// built-in schema.
+	defaultBuiltInSchemaParseStatus schemaParseStatus
+}
+
+type format string
+
+const (
+	JsonOrYaml format = "jsonOrYaml"
+	Proto      format = "proto"
+)
+
+// precomputedIsNamespaceScoped precomputes IsNamespaceScoped for known types. This avoids Schema creation,
+// which is expensive
+// The test output from TestIsNamespaceScopedPrecompute shows the expected map in go syntax,and can be copy and pasted
+// from the failure if it changes.
+var precomputedIsNamespaceScoped = map[yaml.TypeMeta]bool{
+	{APIVersion: "admissionregistration.k8s.io/v1", Kind: "MutatingWebhookConfiguration"}:        false,
+	{APIVersion: "admissionregistration.k8s.io/v1", Kind: "ValidatingWebhookConfiguration"}:      false,
+	{APIVersion: "admissionregistration.k8s.io/v1beta1", Kind: "MutatingWebhookConfiguration"}:   false,
+	{APIVersion: "admissionregistration.k8s.io/v1beta1", Kind: "ValidatingWebhookConfiguration"}: false,
+	{APIVersion: "apiextensions.k8s.io/v1", Kind: "CustomResourceDefinition"}:                    false,
+	{APIVersion: "apiextensions.k8s.io/v1beta1", Kind: "CustomResourceDefinition"}:               false,
+	{APIVersion: "apiregistration.k8s.io/v1", Kind: "APIService"}:                                false,
+	{APIVersion: "apiregistration.k8s.io/v1beta1", Kind: "APIService"}:                           false,
+	{APIVersion: "apps/v1", Kind: "ControllerRevision"}:                                          true,
+	{APIVersion: "apps/v1", Kind: "DaemonSet"}:                                                   true,
+	{APIVersion: "apps/v1", Kind: "Deployment"}:                                                  true,
+	{APIVersion: "apps/v1", Kind: "ReplicaSet"}:                                                  true,
+	{APIVersion: "apps/v1", Kind: "StatefulSet"}:                                                 true,
+	{APIVersion: "autoscaling/v1", Kind: "HorizontalPodAutoscaler"}:                              true,
+	{APIVersion: "autoscaling/v1", Kind: "Scale"}:                                                true,
+	{APIVersion: "autoscaling/v2beta1", Kind: "HorizontalPodAutoscaler"}:                         true,
+	{APIVersion: "autoscaling/v2beta2", Kind: "HorizontalPodAutoscaler"}:                         true,
+	{APIVersion: "batch/v1", Kind: "CronJob"}:                                                    true,
+	{APIVersion: "batch/v1", Kind: "Job"}:                                                        true,
+	{APIVersion: "batch/v1beta1", Kind: "CronJob"}:                                               true,
+	{APIVersion: "certificates.k8s.io/v1", Kind: "CertificateSigningRequest"}:                    false,
+	{APIVersion: "certificates.k8s.io/v1beta1", Kind: "CertificateSigningRequest"}:               false,
+	{APIVersion: "coordination.k8s.io/v1", Kind: "Lease"}:                                        true,
+	{APIVersion: "coordination.k8s.io/v1beta1", Kind: "Lease"}:                                   true,
+	{APIVersion: "discovery.k8s.io/v1", Kind: "EndpointSlice"}:                                   true,
+	{APIVersion: "discovery.k8s.io/v1beta1", Kind: "EndpointSlice"}:                              true,
+	{APIVersion: "events.k8s.io/v1", Kind: "Event"}:                                              true,
+	{APIVersion: "events.k8s.io/v1beta1", Kind: "Event"}:                                         true,
+	{APIVersion: "extensions/v1beta1", Kind: "Ingress"}:                                          true,
+	{APIVersion: "flowcontrol.apiserver.k8s.io/v1beta1", Kind: "FlowSchema"}:                     false,
+	{APIVersion: "flowcontrol.apiserver.k8s.io/v1beta1", Kind: "PriorityLevelConfiguration"}:     false,
+	{APIVersion: "networking.k8s.io/v1", Kind: "Ingress"}:                                        true,
+	{APIVersion: "networking.k8s.io/v1", Kind: "IngressClass"}:                                   false,
+	{APIVersion: "networking.k8s.io/v1", Kind: "NetworkPolicy"}:                                  true,
+	{APIVersion: "networking.k8s.io/v1beta1", Kind: "Ingress"}:                                   true,
+	{APIVersion: "networking.k8s.io/v1beta1", Kind: "IngressClass"}:                              false,
+	{APIVersion: "node.k8s.io/v1", Kind: "RuntimeClass"}:                                         false,
+	{APIVersion: "node.k8s.io/v1beta1", Kind: "RuntimeClass"}:                                    false,
+	{APIVersion: "policy/v1", Kind: "PodDisruptionBudget"}:                                       true,
+	{APIVersion: "policy/v1beta1", Kind: "PodDisruptionBudget"}:                                  true,
+	{APIVersion: "policy/v1beta1", Kind: "PodSecurityPolicy"}:                                    false, // remove after openapi upgrades to v1.25.
+	{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRole"}:                            false,
+	{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}:                     false,
+	{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"}:                                   true,
+	{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "RoleBinding"}:                            true,
+	{APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "ClusterRole"}:                       false,
+	{APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "ClusterRoleBinding"}:                false,
+	{APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "Role"}:                              true,
+	{APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "RoleBinding"}:                       true,
+	{APIVersion: "scheduling.k8s.io/v1", Kind: "PriorityClass"}:                                  false,
+	{APIVersion: "scheduling.k8s.io/v1beta1", Kind: "PriorityClass"}:                             false,
+	{APIVersion: "storage.k8s.io/v1", Kind: "CSIDriver"}:                                         false,
+	{APIVersion: "storage.k8s.io/v1", Kind: "CSINode"}:                                           false,
+	{APIVersion: "storage.k8s.io/v1", Kind: "StorageClass"}:                                      false,
+	{APIVersion: "storage.k8s.io/v1", Kind: "VolumeAttachment"}:                                  false,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "CSIDriver"}:                                    false,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "CSINode"}:                                      false,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "CSIStorageCapacity"}:                           true,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "StorageClass"}:                                 false,
+	{APIVersion: "storage.k8s.io/v1beta1", Kind: "VolumeAttachment"}:                             false,
+	{APIVersion: "v1", Kind: "ComponentStatus"}:                                                  false,
+	{APIVersion: "v1", Kind: "ConfigMap"}:                                                        true,
+	{APIVersion: "v1", Kind: "Endpoints"}:                                                        true,
+	{APIVersion: "v1", Kind: "Event"}:                                                            true,
+	{APIVersion: "v1", Kind: "LimitRange"}:                                                       true,
+	{APIVersion: "v1", Kind: "Namespace"}:                                                        false,
+	{APIVersion: "v1", Kind: "Node"}:                                                             false,
+	{APIVersion: "v1", Kind: "NodeProxyOptions"}:                                                 false,
+	{APIVersion: "v1", Kind: "PersistentVolume"}:                                                 false,
+	{APIVersion: "v1", Kind: "PersistentVolumeClaim"}:                                            true,
+	{APIVersion: "v1", Kind: "Pod"}:                                                              true,
+	{APIVersion: "v1", Kind: "PodAttachOptions"}:                                                 true,
+	{APIVersion: "v1", Kind: "PodExecOptions"}:                                                   true,
+	{APIVersion: "v1", Kind: "PodPortForwardOptions"}:                                            true,
+	{APIVersion: "v1", Kind: "PodProxyOptions"}:                                                  true,
+	{APIVersion: "v1", Kind: "PodTemplate"}:                                                      true,
+	{APIVersion: "v1", Kind: "ReplicationController"}:                                            true,
+	{APIVersion: "v1", Kind: "ResourceQuota"}:                                                    true,
+	{APIVersion: "v1", Kind: "Secret"}:                                                           true,
+	{APIVersion: "v1", Kind: "Service"}:                                                          true,
+	{APIVersion: "v1", Kind: "ServiceAccount"}:                                                   true,
+	{APIVersion: "v1", Kind: "ServiceProxyOptions"}:                                              true,
+}
+
+// ResourceSchema wraps the OpenAPI Schema.
+type ResourceSchema struct {
+	// Schema is the OpenAPI schema for a Resource or field
+	Schema *spec.Schema
+}
+
+// IsMissingOrNull returns true if the ResourceSchema is missing or null
+func (rs *ResourceSchema) IsMissingOrNull() bool {
+	if rs == nil || rs.Schema == nil {
+		return true
+	}
+	return reflect.DeepEqual(*rs.Schema, spec.Schema{})
+}
+
+// SchemaForResourceType returns the Schema for the given Resource
+// TODO(pwittrock): create a version of this function that will return a schema
+// which can be used for duck-typed Resources -- e.g. contains common fields such
+// as metadata, replicas and spec.template.spec
+func SchemaForResourceType(t yaml.TypeMeta) *ResourceSchema {
+	initSchema()
+	rs, found := globalSchema.schemaByResourceType[t]
+	if !found {
+		return nil
+	}
+	return &ResourceSchema{Schema: rs}
+}
+
+// SupplementaryOpenAPIFieldName is the conventional field name (JSON/YAML) containing
+// supplementary OpenAPI definitions.
+const SupplementaryOpenAPIFieldName = "openAPI"
+
+const Definitions = "definitions"
+
+// AddSchemaFromFile reads the file at path and parses the OpenAPI definitions
+// from the field "openAPI", also returns a function to clean the added definitions
+// The returned clean function is a no-op on error, or else it's a function
+// that the caller should use to remove the added openAPI definitions from
+// global schema
+func SchemaFromFile(path string) (*spec.Schema, error) {
+	object, err := parseOpenAPI(path)
+	if err != nil {
+		return nil, err
+	}
+
+	return schemaUsingField(object, SupplementaryOpenAPIFieldName)
+}
+
+// DefinitionRefs returns the list of openAPI definition references present in the
+// input openAPIPath
+func DefinitionRefs(openAPIPath string) ([]string, error) {
+	object, err := parseOpenAPI(openAPIPath)
+	if err != nil {
+		return nil, err
+	}
+	return definitionRefsFromRNode(object)
+}
+
+// definitionRefsFromRNode returns the list of openAPI definitions keys from input
+// yaml RNode
+func definitionRefsFromRNode(object *yaml.RNode) ([]string, error) {
+	definitions, err := object.Pipe(yaml.Lookup(SupplementaryOpenAPIFieldName, Definitions))
+	if definitions == nil {
+		return nil, err
+	}
+	if err != nil {
+		return nil, err
+	}
+	return definitions.Fields()
+}
+
+// parseOpenAPI reads openAPIPath yaml and converts it to RNode
+func parseOpenAPI(openAPIPath string) (*yaml.RNode, error) {
+	b, err := os.ReadFile(openAPIPath)
+	if err != nil {
+		return nil, err
+	}
+
+	object, err := yaml.Parse(string(b))
+	if err != nil {
+		return nil, errors.Errorf("invalid file %q: %v", openAPIPath, err)
+	}
+	return object, nil
+}
+
+// addSchemaUsingField parses the OpenAPI definitions from the specified field.
+// If field is the empty string, use the whole document as OpenAPI.
+func schemaUsingField(object *yaml.RNode, field string) (*spec.Schema, error) {
+	if field != "" {
+		// get the field containing the openAPI
+		m := object.Field(field)
+		if m.IsNilOrEmpty() {
+			// doesn't contain openAPI definitions
+			return nil, nil
+		}
+		object = m.Value
+	}
+
+	oAPI, err := object.String()
+	if err != nil {
+		return nil, err
+	}
+
+	// convert the yaml openAPI to a JSON string by unmarshalling it to an
+	// interface{} and the marshalling it to a string
+	var o interface{}
+	err = yaml.Unmarshal([]byte(oAPI), &o)
+	if err != nil {
+		return nil, err
+	}
+	j, err := json.Marshal(o)
+	if err != nil {
+		return nil, err
+	}
+
+	var sc spec.Schema
+	err = sc.UnmarshalJSON(j)
+	if err != nil {
+		return nil, err
+	}
+
+	return &sc, nil
+}
+
+// AddSchema parses s, and adds definitions from s to the global schema.
+func AddSchema(s []byte) error {
+	return parse(s, JsonOrYaml)
+}
+
+// ResetOpenAPI resets the openapi data to empty
+func ResetOpenAPI() {
+	schemaLock.Lock()
+	defer schemaLock.Unlock()
+
+	globalSchema = openapiData{}
+	customSchema = nil
+	kubernetesOpenAPIVersion = ""
+}
+
+// AddDefinitions adds the definitions to the global schema.
+func AddDefinitions(definitions spec.Definitions) {
+	// initialize values if they have not yet been set
+	if globalSchema.schemaByResourceType == nil {
+		globalSchema.schemaByResourceType = map[yaml.TypeMeta]*spec.Schema{}
+	}
+	if globalSchema.schema.Definitions == nil {
+		globalSchema.schema.Definitions = spec.Definitions{}
+	}
+
+	// index the schema definitions so we can lookup them up for Resources
+	for k := range definitions {
+		// index by GVK, if no GVK is found then it is the schema for a subfield
+		// of a Resource
+		d := definitions[k]
+
+		// copy definitions to the schema
+		globalSchema.schema.Definitions[k] = d
+		gvk, found := d.VendorExtensible.Extensions[kubernetesGVKExtensionKey]
+		if !found {
+			continue
+		}
+		// cast the extension to a []map[string]string
+		exts, ok := gvk.([]interface{})
+		if !ok {
+			continue
+		}
+
+		for i := range exts {
+			typeMeta, ok := toTypeMeta(exts[i])
+			if !ok {
+				continue
+			}
+			globalSchema.schemaByResourceType[typeMeta] = &d
+		}
+	}
+}
+
+func toTypeMeta(ext interface{}) (yaml.TypeMeta, bool) {
+	m, ok := ext.(map[string]interface{})
+	if !ok {
+		return yaml.TypeMeta{}, false
+	}
+
+	apiVersion := m[versionKey].(string)
+	if g, ok := m[groupKey].(string); ok && g != "" {
+		apiVersion = g + "/" + apiVersion
+	}
+	return yaml.TypeMeta{Kind: m[kindKey].(string), APIVersion: apiVersion}, true
+}
+
+// Resolve resolves the reference against the global schema
+func Resolve(ref *spec.Ref, schema *spec.Schema) (*spec.Schema, error) {
+	return resolve(schema, ref)
+}
+
+// Schema returns the global schema
+func Schema() *spec.Schema {
+	return rootSchema()
+}
+
+// GetSchema parses s into a ResourceSchema, resolving References within the
+// global schema.
+func GetSchema(s string, schema *spec.Schema) (*ResourceSchema, error) {
+	var sc spec.Schema
+	if err := sc.UnmarshalJSON([]byte(s)); err != nil {
+		return nil, errors.Wrap(err)
+	}
+	if sc.Ref.String() != "" {
+		r, err := Resolve(&sc.Ref, schema)
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+		sc = *r
+	}
+
+	return &ResourceSchema{Schema: &sc}, nil
+}
+
+// IsNamespaceScoped determines whether a resource is namespace or
+// cluster-scoped by looking at the information in the openapi schema.
+// The second return value tells whether the provided type could be found
+// in the openapi schema. If the value is false here, the scope of the
+// resource is not known. If the type is found, the first return value will
+// be true if the resource is namespace-scoped, and false if the type is
+// cluster-scoped.
+func IsNamespaceScoped(typeMeta yaml.TypeMeta) (bool, bool) {
+	if isNamespaceScoped, found := precomputedIsNamespaceScoped[typeMeta]; found {
+		return isNamespaceScoped, found
+	}
+	if isInitSchemaNeededForNamespaceScopeCheck() {
+		initSchema()
+	}
+	isNamespaceScoped, found := globalSchema.namespaceabilityByResourceType[typeMeta]
+	return isNamespaceScoped, found
+}
+
+// isInitSchemaNeededForNamespaceScopeCheck returns true if initSchema is needed
+// to ensure globalSchema.namespaceabilityByResourceType is fully populated for
+// cases where a custom or non-default built-in schema is in use.
+func isInitSchemaNeededForNamespaceScopeCheck() bool {
+	schemaLock.Lock()
+	defer schemaLock.Unlock()
+
+	if globalSchema.schemaInit {
+		return false // globalSchema already is initialized.
+	}
+	if customSchema != nil {
+		return true // initSchema is needed.
+	}
+	if kubernetesOpenAPIVersion == "" || kubernetesOpenAPIVersion == kubernetesOpenAPIDefaultVersion {
+		// The default built-in schema is in use. Since
+		// precomputedIsNamespaceScoped aligns with the default built-in schema
+		// (verified by TestIsNamespaceScopedPrecompute), there is no need to
+		// call initSchema.
+		if globalSchema.defaultBuiltInSchemaParseStatus == schemaNotParsed {
+			// The schema may be needed for purposes other than namespace scope
+			// checks. Flag it to be parsed when that need arises.
+			globalSchema.defaultBuiltInSchemaParseStatus = schemaParseDelayed
+		}
+		return false
+	}
+	// A non-default built-in schema is in use. initSchema is needed.
+	return true
+}
+
+// IsCertainlyClusterScoped returns true for Node, Namespace, etc. and
+// false for Pod, Deployment, etc. and kinds that aren't recognized in the
+// openapi data. See:
+// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+func IsCertainlyClusterScoped(typeMeta yaml.TypeMeta) bool {
+	nsScoped, found := IsNamespaceScoped(typeMeta)
+	return found && !nsScoped
+}
+
+// SuppressBuiltInSchemaUse can be called to prevent using the built-in Kubernetes
+// schema as part of the global schema.
+// Must be called before the schema is used.
+func SuppressBuiltInSchemaUse() {
+	globalSchema.noUseBuiltInSchema = true
+}
+
+// Elements returns the Schema for the elements of an array.
+func (rs *ResourceSchema) Elements() *ResourceSchema {
+	// load the schema from swagger files
+	initSchema()
+
+	if len(rs.Schema.Type) != 1 || rs.Schema.Type[0] != "array" {
+		// either not an array, or array has multiple types
+		return nil
+	}
+	if rs == nil || rs.Schema == nil || rs.Schema.Items == nil {
+		// no-scheme for the items
+		return nil
+	}
+	s := *rs.Schema.Items.Schema
+	for s.Ref.String() != "" {
+		sc, e := Resolve(&s.Ref, Schema())
+		if e != nil {
+			return nil
+		}
+		s = *sc
+	}
+	return &ResourceSchema{Schema: &s}
+}
+
+const Elements = "[]"
+
+// Lookup calls either Field or Elements for each item in the path.
+// If the path item is "[]", then Elements is called, otherwise
+// Field is called.
+// If any Field or Elements call returns nil, then Lookup returns
+// nil immediately.
+func (rs *ResourceSchema) Lookup(path ...string) *ResourceSchema {
+	s := rs
+	for _, p := range path {
+		if s == nil {
+			break
+		}
+		if p == Elements {
+			s = s.Elements()
+			continue
+		}
+		s = s.Field(p)
+	}
+	return s
+}
+
+// Field returns the Schema for a field.
+func (rs *ResourceSchema) Field(field string) *ResourceSchema {
+	// load the schema from swagger files
+	initSchema()
+
+	// locate the Schema
+	s, found := rs.Schema.Properties[field]
+	switch {
+	case found:
+		// no-op, continue with s as the schema
+	case rs.Schema.AdditionalProperties != nil && rs.Schema.AdditionalProperties.Schema != nil:
+		// map field type -- use Schema of the value
+		// (the key doesn't matter, they all have the same value type)
+		s = *rs.Schema.AdditionalProperties.Schema
+	default:
+		// no Schema found from either swagger files or line comments
+		return nil
+	}
+
+	// resolve the reference to the Schema if the Schema has one
+	for s.Ref.String() != "" {
+		sc, e := Resolve(&s.Ref, Schema())
+		if e != nil {
+			return nil
+		}
+		s = *sc
+	}
+
+	// return the merged Schema
+	return &ResourceSchema{Schema: &s}
+}
+
+// PatchStrategyAndKeyList returns the patch strategy and complete merge key list
+func (rs *ResourceSchema) PatchStrategyAndKeyList() (string, []string) {
+	ps, found := rs.Schema.Extensions[kubernetesPatchStrategyExtensionKey]
+	if !found {
+		// empty patch strategy
+		return "", []string{}
+	}
+	mkList, found := rs.Schema.Extensions[kubernetesMergeKeyMapList]
+	if found {
+		// mkList is []interface, convert to []string
+		mkListStr := make([]string, len(mkList.([]interface{})))
+		for i, v := range mkList.([]interface{}) {
+			mkListStr[i] = v.(string)
+		}
+		return ps.(string), mkListStr
+	}
+	mk, found := rs.Schema.Extensions[kubernetesMergeKeyExtensionKey]
+	if !found {
+		// no mergeKey -- may be a primitive associative list (e.g. finalizers)
+		return ps.(string), []string{}
+	}
+	return ps.(string), []string{mk.(string)}
+}
+
+// PatchStrategyAndKey returns the patch strategy and merge key extensions
+func (rs *ResourceSchema) PatchStrategyAndKey() (string, string) {
+	ps, found := rs.Schema.Extensions[kubernetesPatchStrategyExtensionKey]
+	if !found {
+		// empty patch strategy
+		return "", ""
+	}
+
+	mk, found := rs.Schema.Extensions[kubernetesMergeKeyExtensionKey]
+	if !found {
+		// no mergeKey -- may be a primitive associative list (e.g. finalizers)
+		mk = ""
+	}
+	return ps.(string), mk.(string)
+}
+
+const (
+	// kubernetesOpenAPIDefaultVersion is the latest version number of the statically compiled in
+	// OpenAPI schema for kubernetes built-in types
+	kubernetesOpenAPIDefaultVersion = kubernetesapi.DefaultOpenAPI
+
+	// kustomizationAPIAssetName is the name of the asset containing the statically compiled in
+	// OpenAPI definitions for Kustomization built-in types
+	kustomizationAPIAssetName = "kustomizationapi/swagger.json"
+
+	// kubernetesGVKExtensionKey is the key to lookup the kubernetes group version kind extension
+	// -- the extension is an array of objects containing a gvk
+	kubernetesGVKExtensionKey = "x-kubernetes-group-version-kind"
+
+	// kubernetesMergeKeyExtensionKey is the key to lookup the kubernetes merge key extension
+	// -- the extension is a string
+	kubernetesMergeKeyExtensionKey = "x-kubernetes-patch-merge-key"
+
+	// kubernetesPatchStrategyExtensionKey is the key to lookup the kubernetes patch strategy
+	// extension -- the extension is a string
+	kubernetesPatchStrategyExtensionKey = "x-kubernetes-patch-strategy"
+
+	// kubernetesMergeKeyMapList is the list of merge keys when there needs to be multiple
+	// -- the extension is an array of strings
+	kubernetesMergeKeyMapList = "x-kubernetes-list-map-keys"
+
+	// groupKey is the key to lookup the group from the GVK extension
+	groupKey = "group"
+	// versionKey is the key to lookup the version from the GVK extension
+	versionKey = "version"
+	// kindKey is the to lookup the kind from the GVK extension
+	kindKey = "kind"
+)
+
+// SetSchema sets the kubernetes OpenAPI schema version to use
+func SetSchema(openAPIField map[string]string, schema []byte, reset bool) error {
+	schemaLock.Lock()
+	defer schemaLock.Unlock()
+
+	// this should only be set once
+	schemaIsSet := (kubernetesOpenAPIVersion != "") || customSchema != nil
+	if schemaIsSet && !reset {
+		return nil
+	}
+
+	version, versionProvided := openAPIField["version"]
+
+	// use custom schema
+	if schema != nil {
+		if versionProvided {
+			return fmt.Errorf("builtin version and custom schema provided, cannot use both")
+		}
+		customSchema = schema
+		kubernetesOpenAPIVersion = "custom"
+		// if the schema is changed, initSchema should parse the new schema
+		globalSchema.schemaInit = false
+		return nil
+	}
+
+	// use builtin version
+	kubernetesOpenAPIVersion = version
+	if kubernetesOpenAPIVersion == "" {
+		return nil
+	}
+	if _, ok := kubernetesapi.OpenAPIMustAsset[kubernetesOpenAPIVersion]; !ok {
+		return fmt.Errorf("the specified OpenAPI version is not built in")
+	}
+
+	customSchema = nil
+	// if the schema is changed, initSchema should parse the new schema
+	globalSchema.schemaInit = false
+	return nil
+}
+
+// GetSchemaVersion returns what kubernetes OpenAPI version is being used
+func GetSchemaVersion() string {
+	schemaLock.RLock()
+	defer schemaLock.RUnlock()
+
+	switch {
+	case kubernetesOpenAPIVersion == "" && customSchema == nil:
+		return kubernetesOpenAPIDefaultVersion
+	case customSchema != nil:
+		return "using custom schema from file provided"
+	default:
+		return kubernetesOpenAPIVersion
+	}
+}
+
+// initSchema parses the json schema
+func initSchema() {
+	schemaLock.Lock()
+	defer schemaLock.Unlock()
+
+	if globalSchema.schemaInit {
+		return
+	}
+	globalSchema.schemaInit = true
+
+	// TODO(natasha41575): Accept proto-formatted schema files
+	if customSchema != nil {
+		err := parse(customSchema, JsonOrYaml)
+		if err != nil {
+			panic(fmt.Errorf("invalid schema file: %w", err))
+		}
+	} else {
+		if kubernetesOpenAPIVersion == "" || kubernetesOpenAPIVersion == kubernetesOpenAPIDefaultVersion {
+			parseBuiltinSchema(kubernetesOpenAPIDefaultVersion)
+			globalSchema.defaultBuiltInSchemaParseStatus = schemaParsed
+		} else {
+			parseBuiltinSchema(kubernetesOpenAPIVersion)
+		}
+	}
+
+	if globalSchema.defaultBuiltInSchemaParseStatus == schemaParseDelayed {
+		parseBuiltinSchema(kubernetesOpenAPIDefaultVersion)
+		globalSchema.defaultBuiltInSchemaParseStatus = schemaParsed
+	}
+
+	if err := parse(kustomizationapi.MustAsset(kustomizationAPIAssetName), JsonOrYaml); err != nil {
+		// this should never happen
+		panic(err)
+	}
+}
+
+// parseBuiltinSchema calls parse to parse the json or proto schemas
+func parseBuiltinSchema(version string) {
+	if globalSchema.noUseBuiltInSchema {
+		// don't parse the built in schema
+		return
+	}
+	// parse the swagger, this should never fail
+	assetName := filepath.Join(
+		"kubernetesapi",
+		strings.ReplaceAll(version, ".", "_"),
+		"swagger.pb")
+
+	if err := parse(kubernetesapi.OpenAPIMustAsset[version](assetName), Proto); err != nil {
+		// this should never happen
+		panic(err)
+	}
+}
+
+// parse parses and indexes a single json or proto schema
+func parse(b []byte, format format) error {
+	var swagger spec.Swagger
+	switch {
+	case format == Proto:
+		doc := &openapi_v2.Document{}
+		// We parse protobuf and get an openapi_v2.Document here.
+		if err := proto.Unmarshal(b, doc); err != nil {
+			return fmt.Errorf("openapi proto unmarshalling failed: %w", err)
+		}
+		// convert the openapi_v2.Document back to Swagger
+		_, err := swagger.FromGnostic(doc)
+		if err != nil {
+			return errors.Wrap(err)
+		}
+
+	case format == JsonOrYaml:
+		if len(b) > 0 && b[0] != byte('{') {
+			var err error
+			b, err = k8syaml.YAMLToJSON(b)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+		}
+		if err := swagger.UnmarshalJSON(b); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+
+	AddDefinitions(swagger.Definitions)
+	findNamespaceability(swagger.Paths)
+	return nil
+}
+
+// findNamespaceability looks at the api paths for the resource to determine
+// if it is cluster-scoped or namespace-scoped. The gvk of the resource
+// for each path is found by looking at the x-kubernetes-group-version-kind
+// extension. If a path exists for the resource that contains a namespace path
+// parameter, the resource is namespace-scoped.
+func findNamespaceability(paths *spec.Paths) {
+	if globalSchema.namespaceabilityByResourceType == nil {
+		globalSchema.namespaceabilityByResourceType = make(map[yaml.TypeMeta]bool)
+	}
+
+	if paths == nil {
+		return
+	}
+
+	for path, pathInfo := range paths.Paths {
+		if pathInfo.Get == nil {
+			continue
+		}
+		gvk, found := pathInfo.Get.VendorExtensible.Extensions[kubernetesGVKExtensionKey]
+		if !found {
+			continue
+		}
+		typeMeta, found := toTypeMeta(gvk)
+		if !found {
+			continue
+		}
+
+		if strings.Contains(path, "namespaces/{namespace}") {
+			// if we find a namespace path parameter, we just update the map
+			// directly
+			globalSchema.namespaceabilityByResourceType[typeMeta] = true
+		} else if _, found := globalSchema.namespaceabilityByResourceType[typeMeta]; !found {
+			// if the resource doesn't have the namespace path parameter, we
+			// only add it to the map if it doesn't already exist.
+			globalSchema.namespaceabilityByResourceType[typeMeta] = false
+		}
+	}
+}
+
+func resolve(root interface{}, ref *spec.Ref) (*spec.Schema, error) {
+	if s, ok := root.(*spec.Schema); ok && s == nil {
+		return nil, nil
+	}
+	res, _, err := ref.GetPointer().Get(root)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	switch sch := res.(type) {
+	case spec.Schema:
+		return &sch, nil
+	case *spec.Schema:
+		return sch, nil
+	case map[string]interface{}:
+		b, err := json.Marshal(sch)
+		if err != nil {
+			return nil, err
+		}
+		newSch := new(spec.Schema)
+		if err = json.Unmarshal(b, newSch); err != nil {
+			return nil, err
+		}
+		return newSch, nil
+	default:
+		return nil, errors.Wrap(fmt.Errorf("unknown type for the resolved reference"))
+	}
+}
+
+func rootSchema() *spec.Schema {
+	initSchema()
+	return &globalSchema.schema
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/order/syncorder.go b/vendor/sigs.k8s.io/kustomize/kyaml/order/syncorder.go
new file mode 100644
index 0000000000..57bc865039
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/order/syncorder.go
@@ -0,0 +1,121 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package order
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// SyncOrder recursively sorts the map node keys in 'to' node to match the order of
+// map node keys in 'from' node at same tree depth, additional keys are moved to the end
+// Field order might be altered due to round-tripping in arbitrary functions.
+// This functionality helps to retain the original order of fields to avoid unnecessary diffs.
+func SyncOrder(from, to *yaml.RNode) error {
+	// from node should not be modified, it should be just used as a reference
+	fromCopy := from.Copy()
+	if err := syncOrder(fromCopy, to); err != nil {
+		return errors.Errorf("failed to sync field order: %q", err.Error())
+	}
+	rearrangeHeadCommentOfSeqNode(to.YNode())
+	return nil
+}
+
+func syncOrder(from, to *yaml.RNode) error {
+	if from.IsNilOrEmpty() || to.IsNilOrEmpty() {
+		return nil
+	}
+	switch from.YNode().Kind {
+	case yaml.DocumentNode:
+		// Traverse the child of the documents
+		return syncOrder(yaml.NewRNode(from.YNode()), yaml.NewRNode(to.YNode()))
+	case yaml.MappingNode:
+		return VisitFields(from, to, func(fNode, tNode *yaml.MapNode) error {
+			// Traverse each field value
+			if fNode == nil || tNode == nil {
+				return nil
+			}
+			return syncOrder(fNode.Value, tNode.Value)
+		})
+	case yaml.SequenceNode:
+		return VisitElements(from, to, syncOrder) // Traverse each list element
+	}
+	return nil
+}
+
+// VisitElements calls fn for each element in a SequenceNode.
+// Returns an error for non-SequenceNodes
+func VisitElements(from, to *yaml.RNode, fn func(fNode, tNode *yaml.RNode) error) error {
+	fElements, err := from.Elements()
+	if err != nil {
+		return errors.Wrap(err)
+	}
+
+	tElements, err := to.Elements()
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	for i := range fElements {
+		if i >= len(tElements) {
+			return nil
+		}
+		if err := fn(fElements[i], tElements[i]); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+	return nil
+}
+
+// VisitFields calls fn for each field in the RNode.
+// Returns an error for non-MappingNodes.
+func VisitFields(from, to *yaml.RNode, fn func(fNode, tNode *yaml.MapNode) error) error {
+	srcFieldNames, err := from.Fields()
+	if err != nil {
+		return nil
+	}
+	yaml.SyncMapNodesOrder(from, to)
+	// visit each field
+	for _, fieldName := range srcFieldNames {
+		if err := fn(from.Field(fieldName), to.Field(fieldName)); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+	return nil
+}
+
+// rearrangeHeadCommentOfSeqNode addresses a remote corner case due to moving a
+// map node in a sequence node with a head comment to the top
+func rearrangeHeadCommentOfSeqNode(node *yaml.Node) {
+	if node == nil {
+		return
+	}
+	switch node.Kind {
+	case yaml.DocumentNode:
+		for _, node := range node.Content {
+			rearrangeHeadCommentOfSeqNode(node)
+		}
+
+	case yaml.MappingNode:
+		for _, node := range node.Content {
+			rearrangeHeadCommentOfSeqNode(node)
+		}
+
+	case yaml.SequenceNode:
+		for _, node := range node.Content {
+			// for each child mapping node, transfer the head comment of it's
+			// first child scalar node to the head comment of itself
+			if len(node.Content) > 0 && node.Content[0].Kind == yaml.ScalarNode {
+				if node.HeadComment == "" {
+					node.HeadComment = node.Content[0].HeadComment
+					continue
+				}
+
+				if node.Content[0].HeadComment != "" {
+					node.HeadComment += "\n" + node.Content[0].HeadComment
+					node.Content[0].HeadComment = ""
+				}
+			}
+		}
+	}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/resid/gvk.go b/vendor/sigs.k8s.io/kustomize/kyaml/resid/gvk.go
new file mode 100644
index 0000000000..0289cadd78
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/resid/gvk.go
@@ -0,0 +1,255 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package resid
+
+import (
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Gvk identifies a Kubernetes API type.
+// https://git.k8s.io/design-proposals-archive/api-machinery/api-group.md
+type Gvk struct {
+	Group   string `json:"group,omitempty" yaml:"group,omitempty"`
+	Version string `json:"version,omitempty" yaml:"version,omitempty"`
+	Kind    string `json:"kind,omitempty" yaml:"kind,omitempty"`
+	// isClusterScoped is true if the object is known, per the openapi
+	// data in use, to be cluster scoped, and false otherwise.
+	isClusterScoped bool
+}
+
+func NewGvk(g, v, k string) Gvk {
+	result := Gvk{Group: g, Version: v, Kind: k}
+	result.isClusterScoped =
+		openapi.IsCertainlyClusterScoped(result.AsTypeMeta())
+	return result
+}
+
+func GvkFromNode(r *yaml.RNode) Gvk {
+	g, v := ParseGroupVersion(r.GetApiVersion())
+	return NewGvk(g, v, r.GetKind())
+}
+
+// FromKind makes a Gvk with only the kind specified.
+func FromKind(k string) Gvk {
+	return NewGvk("", "", k)
+}
+
+// ParseGroupVersion parses a KRM metadata apiVersion field.
+func ParseGroupVersion(apiVersion string) (group, version string) {
+	if i := strings.Index(apiVersion, "/"); i > -1 {
+		return apiVersion[:i], apiVersion[i+1:]
+	}
+	return "", apiVersion
+}
+
+// GvkFromString makes a Gvk from the output of Gvk.String().
+func GvkFromString(s string) Gvk {
+	values := strings.Split(s, fieldSep)
+	if len(values) < 3 {
+		// ...then the string didn't come from Gvk.String().
+		return Gvk{
+			Group:   noGroup,
+			Version: noVersion,
+			Kind:    noKind,
+		}
+	}
+	k := values[0]
+	if k == noKind {
+		k = ""
+	}
+	v := values[1]
+	if v == noVersion {
+		v = ""
+	}
+	g := strings.Join(values[2:], fieldSep)
+	if g == noGroup {
+		g = ""
+	}
+	return NewGvk(g, v, k)
+}
+
+// Values that are brief but meaningful in logs.
+const (
+	noGroup   = "[noGrp]"
+	noVersion = "[noVer]"
+	noKind    = "[noKind]"
+	fieldSep  = "."
+)
+
+// String returns a string representation of the GVK.
+func (x Gvk) String() string {
+	g := x.Group
+	if g == "" {
+		g = noGroup
+	}
+	v := x.Version
+	if v == "" {
+		v = noVersion
+	}
+	k := x.Kind
+	if k == "" {
+		k = noKind
+	}
+	return strings.Join([]string{k, v, g}, fieldSep)
+}
+
+// stableSortString returns a GVK representation that ensures determinism and
+// backwards-compatibility in testing, logging, ...
+func (x Gvk) stableSortString() string {
+	stableNoGroup := "~G"
+	stableNoVersion := "~V"
+	stableNoKind := "~K"
+	stableFieldSeparator := "_"
+
+	g := x.Group
+	if g == "" {
+		g = stableNoGroup
+	}
+	v := x.Version
+	if v == "" {
+		v = stableNoVersion
+	}
+	k := x.Kind
+	if k == "" {
+		k = stableNoKind
+	}
+	return strings.Join([]string{g, v, k}, stableFieldSeparator)
+}
+
+// ApiVersion returns the combination of Group and Version
+func (x Gvk) ApiVersion() string {
+	if x.Group != "" {
+		return x.Group + "/" + x.Version
+	}
+	return x.Version
+}
+
+// StringWoEmptyField returns a string representation of the GVK. Non-exist
+// fields will be omitted. This is called when generating a filename for the
+// resource.
+func (x Gvk) StringWoEmptyField() string {
+	var s []string
+	if x.Group != "" {
+		s = append(s, x.Group)
+	}
+	if x.Version != "" {
+		s = append(s, x.Version)
+	}
+	if x.Kind != "" {
+		s = append(s, x.Kind)
+	}
+	return strings.Join(s, "_")
+}
+
+// Equals returns true if the Gvk's have equal fields.
+func (x Gvk) Equals(o Gvk) bool {
+	return x.Group == o.Group && x.Version == o.Version && x.Kind == o.Kind
+}
+
+// An attempt to order things to help k8s, e.g.
+// a Service should come before things that refer to it.
+// Namespace should be first.
+// In some cases order just specified to provide determinism.
+var orderFirst = []string{
+	"Namespace",
+	"ResourceQuota",
+	"StorageClass",
+	"CustomResourceDefinition",
+	"ServiceAccount",
+	"PodSecurityPolicy",
+	"Role",
+	"ClusterRole",
+	"RoleBinding",
+	"ClusterRoleBinding",
+	"ConfigMap",
+	"Secret",
+	"Endpoints",
+	"Service",
+	"LimitRange",
+	"PriorityClass",
+	"PersistentVolume",
+	"PersistentVolumeClaim",
+	"Deployment",
+	"StatefulSet",
+	"CronJob",
+	"PodDisruptionBudget",
+}
+var orderLast = []string{
+	"MutatingWebhookConfiguration",
+	"ValidatingWebhookConfiguration",
+}
+var typeOrders = func() map[string]int {
+	m := map[string]int{}
+	for i, n := range orderFirst {
+		m[n] = -len(orderFirst) + i
+	}
+	for i, n := range orderLast {
+		m[n] = 1 + i
+	}
+	return m
+}()
+
+// IsLessThan returns true if self is less than the argument.
+func (x Gvk) IsLessThan(o Gvk) bool {
+	indexI := typeOrders[x.Kind]
+	indexJ := typeOrders[o.Kind]
+	if indexI != indexJ {
+		return indexI < indexJ
+	}
+	return x.stableSortString() < o.stableSortString()
+}
+
+// IsSelected returns true if `selector` selects `x`; otherwise, false.
+// If `selector` and `x` are the same, return true.
+// If `selector` is nil, it is considered a wildcard match, returning true.
+// If selector fields are empty, they are considered wildcards matching
+// anything in the corresponding fields, e.g.
+//
+// this item:
+//       <Group: "extensions", Version: "v1beta1", Kind: "Deployment">
+//
+// is selected by
+//       <Group: "",           Version: "",        Kind: "Deployment">
+//
+// but rejected by
+//       <Group: "apps",       Version: "",        Kind: "Deployment">
+//
+func (x Gvk) IsSelected(selector *Gvk) bool {
+	if selector == nil {
+		return true
+	}
+	if len(selector.Group) > 0 {
+		if x.Group != selector.Group {
+			return false
+		}
+	}
+	if len(selector.Version) > 0 {
+		if x.Version != selector.Version {
+			return false
+		}
+	}
+	if len(selector.Kind) > 0 {
+		if x.Kind != selector.Kind {
+			return false
+		}
+	}
+	return true
+}
+
+// AsTypeMeta returns a yaml.TypeMeta from x's information.
+func (x Gvk) AsTypeMeta() yaml.TypeMeta {
+	return yaml.TypeMeta{
+		APIVersion: x.ApiVersion(),
+		Kind:       x.Kind,
+	}
+}
+
+// IsClusterScoped returns true if the Gvk is certainly cluster scoped
+// with respect to the available openapi data.
+func (x Gvk) IsClusterScoped() bool {
+	return x.isClusterScoped
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/resid/resid.go b/vendor/sigs.k8s.io/kustomize/kyaml/resid/resid.go
new file mode 100644
index 0000000000..cddbcdde60
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/resid/resid.go
@@ -0,0 +1,145 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package resid
+
+import (
+	"reflect"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// ResId is an identifier of a k8s resource object.
+type ResId struct {
+	// Gvk of the resource.
+	Gvk `json:",inline,omitempty" yaml:",inline,omitempty"`
+
+	// Name of the resource.
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+
+	// Namespace the resource belongs to, if it can belong to a namespace.
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+}
+
+// NewResIdWithNamespace creates new ResId
+// in a given namespace.
+func NewResIdWithNamespace(k Gvk, n, ns string) ResId {
+	return ResId{Gvk: k, Name: n, Namespace: ns}
+}
+
+// NewResId creates new ResId.
+func NewResId(k Gvk, n string) ResId {
+	return NewResIdWithNamespace(k, n, "")
+}
+
+// NewResIdKindOnly creates a new ResId.
+func NewResIdKindOnly(k string, n string) ResId {
+	return NewResId(FromKind(k), n)
+}
+
+const (
+	noNamespace          = "[noNs]"
+	noName               = "[noName]"
+	separator            = "/"
+	TotallyNotANamespace = "_non_namespaceable_"
+	DefaultNamespace     = "default"
+)
+
+// String of ResId based on GVK, name and prefix
+func (id ResId) String() string {
+	ns := id.Namespace
+	if ns == "" {
+		ns = noNamespace
+	}
+	nm := id.Name
+	if nm == "" {
+		nm = noName
+	}
+	return strings.Join(
+		[]string{id.Gvk.String(), strings.Join([]string{nm, ns}, fieldSep)}, separator)
+}
+
+func FromString(s string) ResId {
+	values := strings.Split(s, separator)
+	gvk := GvkFromString(values[0])
+
+	values = strings.Split(values[1], fieldSep)
+	last := len(values) - 1
+
+	ns := values[last]
+	if ns == noNamespace {
+		ns = ""
+	}
+	nm := strings.Join(values[:last], fieldSep)
+	if nm == noName {
+		nm = ""
+	}
+	return ResId{
+		Gvk:       gvk,
+		Namespace: ns,
+		Name:      nm,
+	}
+}
+
+// FromRNode returns the ResId for the RNode
+func FromRNode(rn *yaml.RNode) ResId {
+	group, version := ParseGroupVersion(rn.GetApiVersion())
+	return NewResIdWithNamespace(
+		Gvk{Group: group, Version: version, Kind: rn.GetKind()}, rn.GetName(), rn.GetNamespace())
+}
+
+// GvknEquals returns true if the other id matches
+// Group/Version/Kind/name.
+func (id ResId) GvknEquals(o ResId) bool {
+	return id.Name == o.Name && id.Gvk.Equals(o.Gvk)
+}
+
+// IsSelectedBy returns true if self is selected by the argument.
+func (id ResId) IsSelectedBy(selector ResId) bool {
+	return (selector.Name == "" || selector.Name == id.Name) &&
+		(selector.Namespace == "" || selector.IsNsEquals(id)) &&
+		id.Gvk.IsSelected(&selector.Gvk)
+}
+
+// Equals returns true if the other id matches
+// namespace/Group/Version/Kind/name.
+func (id ResId) Equals(o ResId) bool {
+	return id.IsNsEquals(o) && id.GvknEquals(o)
+}
+
+// IsNsEquals returns true if the id is in
+// the same effective namespace.
+func (id ResId) IsNsEquals(o ResId) bool {
+	return id.EffectiveNamespace() == o.EffectiveNamespace()
+}
+
+// IsInDefaultNs returns true if id is a namespaceable
+// ResId and the Namespace is either not set or set
+// to DefaultNamespace.
+func (id ResId) IsInDefaultNs() bool {
+	return !id.IsClusterScoped() && id.isPutativelyDefaultNs()
+}
+
+func (id ResId) isPutativelyDefaultNs() bool {
+	return id.Namespace == "" || id.Namespace == DefaultNamespace
+}
+
+// EffectiveNamespace returns a non-ambiguous, non-empty
+// namespace for use in reporting and equality tests.
+func (id ResId) EffectiveNamespace() string {
+	// The order of these checks matters.
+	if id.IsClusterScoped() {
+		return TotallyNotANamespace
+	}
+	if id.isPutativelyDefaultNs() {
+		return DefaultNamespace
+	}
+	return id.Namespace
+}
+
+// IsEmpty returns true of all of the id's fields are
+// empty strings
+func (id ResId) IsEmpty() bool {
+	return reflect.DeepEqual(id, ResId{})
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/runfn/runfn.go b/vendor/sigs.k8s.io/kustomize/kyaml/runfn/runfn.go
new file mode 100644
index 0000000000..bf8863c572
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/runfn/runfn.go
@@ -0,0 +1,532 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package runfn
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"os/user"
+	"path"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+	"sync/atomic"
+
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/fn/runtime/container"
+	"sigs.k8s.io/kustomize/kyaml/fn/runtime/exec"
+	"sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// RunFns runs the set of configuration functions in a local directory against
+// the Resources in that directory
+type RunFns struct {
+	StorageMounts []runtimeutil.StorageMount
+
+	// Path is the path to the directory containing functions
+	Path string
+
+	// FunctionPaths Paths allows functions to be specified outside the configuration
+	// directory.
+	// Functions provided on FunctionPaths are globally scoped.
+	// If FunctionPaths length is > 0, then NoFunctionsFromInput defaults to true
+	FunctionPaths []string
+
+	// Functions is an explicit list of functions to run against the input.
+	// Functions provided on Functions are globally scoped.
+	// If Functions length is > 0, then NoFunctionsFromInput defaults to true
+	Functions []*yaml.RNode
+
+	// GlobalScope if true, functions read from input will be scoped globally rather
+	// than only to Resources under their subdirs.
+	GlobalScope bool
+
+	// Input can be set to read the Resources from Input rather than from a directory
+	Input io.Reader
+
+	// Network enables network access for functions that declare it
+	Network bool
+
+	// Output can be set to write the result to Output rather than back to the directory
+	Output io.Writer
+
+	// NoFunctionsFromInput if set to true will not read any functions from the input,
+	// and only use explicit sources
+	NoFunctionsFromInput *bool
+
+	// EnableExec will enable exec functions
+	EnableExec bool
+
+	// DisableContainers will disable functions run as containers
+	DisableContainers bool
+
+	// ResultsDir is where to write each functions results
+	ResultsDir string
+
+	// LogSteps enables logging the function that is running.
+	LogSteps bool
+
+	// LogWriter can be set to write the logs to LogWriter rather than stderr if LogSteps is enabled.
+	LogWriter io.Writer
+
+	// resultsCount is used to generate the results filename for each container
+	resultsCount uint32
+
+	// functionFilterProvider provides a filter to perform the function.
+	// this is a variable so it can be mocked in tests
+	functionFilterProvider func(
+		filter runtimeutil.FunctionSpec, api *yaml.RNode, currentUser currentUserFunc) (kio.Filter, error)
+
+	// AsCurrentUser is a boolean to indicate whether docker container should use
+	// the uid and gid that run the command
+	AsCurrentUser bool
+
+	// Env contains environment variables that will be exported to container
+	Env []string
+
+	// ContinueOnEmptyResult configures what happens when the underlying pipeline
+	// returns an empty result.
+	// If it is false (default), subsequent functions will be skipped and the
+	// result will be returned immediately.
+	// If it is true, the empty result will be provided as input to the next
+	// function in the list.
+	ContinueOnEmptyResult bool
+
+	// WorkingDir specifies which working directory an exec function should run in.
+	WorkingDir string
+}
+
+// Execute runs the command
+func (r RunFns) Execute() error {
+	// make the path absolute so it works on mac
+	var err error
+	r.Path, err = filepath.Abs(r.Path)
+	if err != nil {
+		return errors.Wrap(err)
+	}
+
+	// default the containerFilterProvider if it hasn't been override.  Split out for testing.
+	(&r).init()
+	nodes, fltrs, output, err := r.getNodesAndFilters()
+	if err != nil {
+		return err
+	}
+	return r.runFunctions(nodes, output, fltrs)
+}
+
+func (r RunFns) getNodesAndFilters() (
+	*kio.PackageBuffer, []kio.Filter, *kio.LocalPackageReadWriter, error) {
+	// Read Resources from Directory or Input
+	buff := &kio.PackageBuffer{}
+	p := kio.Pipeline{Outputs: []kio.Writer{buff}}
+	// save the output dir because we will need it to write back
+	// the same one for reading must be used for writing if deleting Resources
+	var outputPkg *kio.LocalPackageReadWriter
+	if r.Path != "" {
+		outputPkg = &kio.LocalPackageReadWriter{PackagePath: r.Path, MatchFilesGlob: kio.MatchAll}
+	}
+
+	if r.Input == nil {
+		p.Inputs = []kio.Reader{outputPkg}
+	} else {
+		p.Inputs = []kio.Reader{&kio.ByteReader{Reader: r.Input}}
+	}
+	if err := p.Execute(); err != nil {
+		return nil, nil, outputPkg, err
+	}
+
+	fltrs, err := r.getFilters(buff.Nodes)
+	if err != nil {
+		return nil, nil, outputPkg, err
+	}
+	return buff, fltrs, outputPkg, nil
+}
+
+func (r RunFns) getFilters(nodes []*yaml.RNode) ([]kio.Filter, error) {
+	var fltrs []kio.Filter
+
+	// fns from annotations on the input resources
+	f, err := r.getFunctionsFromInput(nodes)
+	if err != nil {
+		return nil, err
+	}
+	fltrs = append(fltrs, f...)
+
+	// fns from directories specified on the struct
+	f, err = r.getFunctionsFromFunctionPaths()
+	if err != nil {
+		return nil, err
+	}
+	fltrs = append(fltrs, f...)
+
+	// explicit fns specified on the struct
+	f, err = r.getFunctionsFromFunctions()
+	if err != nil {
+		return nil, err
+	}
+	fltrs = append(fltrs, f...)
+
+	return fltrs, nil
+}
+
+// runFunctions runs the fltrs against the input and writes to either r.Output or output
+func (r RunFns) runFunctions(
+	input kio.Reader, output kio.Writer, fltrs []kio.Filter) error {
+	// use the previously read Resources as input
+	var outputs []kio.Writer
+	if r.Output == nil {
+		// write back to the package
+		outputs = append(outputs, output)
+	} else {
+		// write to the output instead of the directory if r.Output is specified or
+		// the output is nil (reading from Input)
+		outputs = append(outputs, kio.ByteWriter{Writer: r.Output})
+	}
+
+	var err error
+	pipeline := kio.Pipeline{
+		Inputs:                []kio.Reader{input},
+		Filters:               fltrs,
+		Outputs:               outputs,
+		ContinueOnEmptyResult: r.ContinueOnEmptyResult,
+	}
+	if r.LogSteps {
+		err = pipeline.ExecuteWithCallback(func(op kio.Filter) {
+			var identifier string
+
+			switch filter := op.(type) {
+			case *container.Filter:
+				identifier = filter.Image
+			case *exec.Filter:
+				identifier = filter.Path
+			default:
+				identifier = "unknown-type function"
+			}
+
+			_, _ = fmt.Fprintf(r.LogWriter, "Running %s\n", identifier)
+		})
+	} else {
+		err = pipeline.Execute()
+	}
+	if err != nil {
+		return err
+	}
+
+	// check for deferred function errors
+	var errs []string
+	for i := range fltrs {
+		cf, ok := fltrs[i].(runtimeutil.DeferFailureFunction)
+		if !ok {
+			continue
+		}
+		if cf.GetExit() != nil {
+			errs = append(errs, cf.GetExit().Error())
+		}
+	}
+	if len(errs) > 0 {
+		return fmt.Errorf(strings.Join(errs, "\n---\n"))
+	}
+	return nil
+}
+
+// getFunctionsFromInput scans the input for functions and runs them
+func (r RunFns) getFunctionsFromInput(nodes []*yaml.RNode) ([]kio.Filter, error) {
+	if *r.NoFunctionsFromInput {
+		return nil, nil
+	}
+
+	buff := &kio.PackageBuffer{}
+	err := kio.Pipeline{
+		Inputs:  []kio.Reader{&kio.PackageBuffer{Nodes: nodes}},
+		Filters: []kio.Filter{&runtimeutil.IsReconcilerFilter{}},
+		Outputs: []kio.Writer{buff},
+	}.Execute()
+	if err != nil {
+		return nil, err
+	}
+	err = sortFns(buff)
+	if err != nil {
+		return nil, err
+	}
+	return r.getFunctionFilters(false, buff.Nodes...)
+}
+
+// getFunctionsFromFunctionPaths returns the set of functions read from r.FunctionPaths
+// as a slice of Filters
+func (r RunFns) getFunctionsFromFunctionPaths() ([]kio.Filter, error) {
+	buff := &kio.PackageBuffer{}
+	for i := range r.FunctionPaths {
+		err := kio.Pipeline{
+			Inputs: []kio.Reader{
+				kio.LocalPackageReader{PackagePath: r.FunctionPaths[i]},
+			},
+			Outputs: []kio.Writer{buff},
+		}.Execute()
+		if err != nil {
+			return nil, err
+		}
+	}
+	return r.getFunctionFilters(true, buff.Nodes...)
+}
+
+// getFunctionsFromFunctions returns the set of explicitly provided functions as
+// Filters
+func (r RunFns) getFunctionsFromFunctions() ([]kio.Filter, error) {
+	return r.getFunctionFilters(true, r.Functions...)
+}
+
+// mergeContainerEnv is container-specific and will merge the envs specified by command line (imperative)
+// and config file (declarative). If they have same key, the imperative value will be respected.
+func (r RunFns) mergeContainerEnv(envs []string) []string {
+	imperative := runtimeutil.NewContainerEnvFromStringSlice(r.Env)
+	declarative := runtimeutil.NewContainerEnvFromStringSlice(envs)
+	for key, value := range imperative.EnvVars {
+		declarative.AddKeyValue(key, value)
+	}
+
+	for _, key := range imperative.VarsToExport {
+		declarative.AddKey(key)
+	}
+
+	return declarative.Raw()
+}
+
+// mergeExecEnv will merge the envs specified by command line (imperative) and config
+// file (declarative). If they have same key, the imperative value will be respected.
+func (r RunFns) mergeExecEnv(envs []string) []string {
+	envMap := map[string]string{}
+
+	for _, env := range append(envs, r.Env...) {
+		res := strings.Split(env, "=")
+		//nolint:gomnd
+		if len(res) == 2 {
+			envMap[res[0]] = res[1]
+		}
+	}
+
+	mergedEnv := []string{}
+	for key, value := range envMap {
+		mergedEnv = append(mergedEnv, fmt.Sprintf("%s=%s", key, value))
+	}
+	// Sort the envs to make the output deterministic
+	sort.Strings(mergedEnv)
+	return mergedEnv
+}
+
+func (r RunFns) getFunctionFilters(global bool, fns ...*yaml.RNode) (
+	[]kio.Filter, error) {
+	var fltrs []kio.Filter
+	for i := range fns {
+		api := fns[i]
+		spec, err := runtimeutil.GetFunctionSpec(api)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get FunctionSpec: %w", err)
+		}
+		if spec == nil {
+			// resource doesn't have function spec
+			continue
+		}
+		if spec.Container.Network && !r.Network {
+			// TODO(eddiezane): Provide error info about which function needs the network
+			return fltrs, errors.Errorf("network required but not enabled with --network")
+		}
+		// merge envs from imperative and declarative
+		spec.Container.Env = r.mergeContainerEnv(spec.Container.Env)
+
+		c, err := r.functionFilterProvider(*spec, api, user.Current)
+		if err != nil {
+			return nil, err
+		}
+
+		if c == nil {
+			continue
+		}
+		cf, ok := c.(*container.Filter)
+		if ok {
+			if global {
+				cf.Exec.GlobalScope = true
+			}
+			cf.Exec.WorkingDir = r.WorkingDir
+		}
+		fltrs = append(fltrs, c)
+	}
+	return fltrs, nil
+}
+
+// sortFns sorts functions so that functions with the longest paths come first
+func sortFns(buff *kio.PackageBuffer) error {
+	var outerErr error
+	// sort the nodes so that we traverse them depth first
+	// functions deeper in the file system tree should be run first
+	sort.Slice(buff.Nodes, func(i, j int) bool {
+		if err := kioutil.CopyLegacyAnnotations(buff.Nodes[i]); err != nil {
+			return false
+		}
+		if err := kioutil.CopyLegacyAnnotations(buff.Nodes[j]); err != nil {
+			return false
+		}
+		mi, _ := buff.Nodes[i].GetMeta()
+		pi := filepath.ToSlash(mi.Annotations[kioutil.PathAnnotation])
+
+		mj, _ := buff.Nodes[j].GetMeta()
+		pj := filepath.ToSlash(mj.Annotations[kioutil.PathAnnotation])
+
+		// If the path is the same, we decide the ordering based on the
+		// index annotation.
+		if pi == pj {
+			iIndex, err := strconv.Atoi(mi.Annotations[kioutil.IndexAnnotation])
+			if err != nil {
+				outerErr = err
+				return false
+			}
+			jIndex, err := strconv.Atoi(mj.Annotations[kioutil.IndexAnnotation])
+			if err != nil {
+				outerErr = err
+				return false
+			}
+			return iIndex < jIndex
+		}
+
+		if filepath.Base(path.Dir(pi)) == "functions" {
+			// don't count the functions dir, the functions are scoped 1 level above
+			pi = filepath.Dir(path.Dir(pi))
+		} else {
+			pi = filepath.Dir(pi)
+		}
+
+		if filepath.Base(path.Dir(pj)) == "functions" {
+			// don't count the functions dir, the functions are scoped 1 level above
+			pj = filepath.Dir(path.Dir(pj))
+		} else {
+			pj = filepath.Dir(pj)
+		}
+
+		// i is "less" than j (comes earlier) if its depth is greater -- e.g. run
+		// i before j if it is deeper in the directory structure
+		li := len(strings.Split(pi, "/"))
+		if pi == "." {
+			// local dir should have 0 path elements instead of 1
+			li = 0
+		}
+		lj := len(strings.Split(pj, "/"))
+		if pj == "." {
+			// local dir should have 0 path elements instead of 1
+			lj = 0
+		}
+		if li != lj {
+			// use greater-than because we want to sort with the longest
+			// paths FIRST rather than last
+			return li > lj
+		}
+
+		// sort by path names if depths are equal
+		return pi < pj
+	})
+	return outerErr
+}
+
+// init initializes the RunFns with a containerFilterProvider.
+func (r *RunFns) init() {
+	if r.NoFunctionsFromInput == nil {
+		// default no functions from input if any function sources are explicitly provided
+		nfn := len(r.FunctionPaths) > 0 || len(r.Functions) > 0
+		r.NoFunctionsFromInput = &nfn
+	}
+
+	// if no path is specified, default reading from stdin and writing to stdout
+	if r.Path == "" {
+		if r.Output == nil {
+			r.Output = os.Stdout
+		}
+		if r.Input == nil {
+			r.Input = os.Stdin
+		}
+	}
+
+	// functionFilterProvider set the filter provider
+	if r.functionFilterProvider == nil {
+		r.functionFilterProvider = r.ffp
+	}
+
+	// if LogSteps is enabled and LogWriter is not specified, use stderr
+	if r.LogSteps && r.LogWriter == nil {
+		r.LogWriter = os.Stderr
+	}
+}
+
+type currentUserFunc func() (*user.User, error)
+
+// getUIDGID will return "nobody" if asCurrentUser is false. Otherwise
+// return "uid:gid" according to the return from currentUser function.
+func getUIDGID(asCurrentUser bool, currentUser currentUserFunc) (string, error) {
+	if !asCurrentUser {
+		return "nobody", nil
+	}
+
+	u, err := currentUser()
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%s:%s", u.Uid, u.Gid), nil
+}
+
+// ffp provides function filters
+func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser currentUserFunc) (kio.Filter, error) {
+	var resultsFile string
+	if r.ResultsDir != "" {
+		resultsFile = filepath.Join(r.ResultsDir, fmt.Sprintf(
+			"results-%v.yaml", r.resultsCount))
+		atomic.AddUint32(&r.resultsCount, 1)
+	}
+	if !r.DisableContainers && spec.Container.Image != "" {
+		// TODO: Add a test for this behavior
+		uidgid, err := getUIDGID(r.AsCurrentUser, currentUser)
+		if err != nil {
+			return nil, err
+		}
+
+		// Storage mounts can either come from kustomize fn run --mounts,
+		// or from the declarative function mounts field.
+		storageMounts := spec.Container.StorageMounts
+		storageMounts = append(storageMounts, r.StorageMounts...)
+
+		c := container.NewContainer(
+			runtimeutil.ContainerSpec{
+				Image:         spec.Container.Image,
+				Network:       spec.Container.Network,
+				StorageMounts: storageMounts,
+				Env:           spec.Container.Env,
+			},
+			uidgid,
+		)
+		cf := &c
+		cf.Exec.FunctionConfig = api
+		cf.Exec.GlobalScope = r.GlobalScope
+		cf.Exec.ResultsFile = resultsFile
+		cf.Exec.DeferFailure = spec.DeferFailure
+		return cf, nil
+	}
+
+	if r.EnableExec && spec.Exec.Path != "" {
+		ef := &exec.Filter{
+			Path:       spec.Exec.Path,
+			Args:       spec.Exec.Args,
+			Env:        r.mergeExecEnv(spec.Exec.Env),
+			WorkingDir: r.WorkingDir,
+		}
+
+		ef.FunctionConfig = api
+		ef.GlobalScope = r.GlobalScope
+		ef.ResultsFile = resultsFile
+		ef.DeferFailure = spec.DeferFailure
+		return ef, nil
+	}
+
+	return nil, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/sets/string.go b/vendor/sigs.k8s.io/kustomize/kyaml/sets/string.go
new file mode 100644
index 0000000000..d590e53288
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/sets/string.go
@@ -0,0 +1,64 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package sets
+
+type String map[string]interface{}
+
+func (s String) Len() int {
+	return len(s)
+}
+
+func (s String) List() []string {
+	val := make([]string, 0, len(s))
+	for k := range s {
+		val = append(val, k)
+	}
+	return val
+}
+
+func (s String) Has(val string) bool {
+	_, found := s[val]
+	return found
+}
+
+func (s String) Insert(vals ...string) {
+	for _, val := range vals {
+		s[val] = nil
+	}
+}
+
+func (s String) Difference(s2 String) String {
+	s3 := String{}
+	for k := range s {
+		if _, found := s2[k]; !found {
+			s3.Insert(k)
+		}
+	}
+	return s3
+}
+
+func (s String) SymmetricDifference(s2 String) String {
+	s3 := String{}
+	for k := range s {
+		if _, found := s2[k]; !found {
+			s3.Insert(k)
+		}
+	}
+	for k := range s2 {
+		if _, found := s[k]; !found {
+			s3.Insert(k)
+		}
+	}
+	return s3
+}
+
+func (s String) Intersection(s2 String) String {
+	s3 := String{}
+	for k := range s {
+		if _, found := s2[k]; found {
+			s3.Insert(k)
+		}
+	}
+	return s3
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/sets/stringlist.go b/vendor/sigs.k8s.io/kustomize/kyaml/sets/stringlist.go
new file mode 100644
index 0000000000..2d75978fcf
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/sets/stringlist.go
@@ -0,0 +1,44 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package sets
+
+// StringList is a set, where each element of
+// the set is a string slice.
+type StringList [][]string
+
+func (s StringList) Len() int {
+	return len(s)
+}
+
+func (s StringList) Insert(val []string) StringList {
+	if !s.Has(val) {
+		return append(s, val)
+	}
+	return s
+}
+
+func (s StringList) Has(val []string) bool {
+	if len(s) == 0 {
+		return false
+	}
+
+	for i := range s {
+		if isStringSliceEqual(s[i], val) {
+			return true
+		}
+	}
+	return false
+}
+
+func isStringSliceEqual(s []string, t []string) bool {
+	if len(s) != len(t) {
+		return false
+	}
+	for i := range s {
+		if s[i] != t[i] {
+			return false
+		}
+	}
+	return true
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/sliceutil/slice.go b/vendor/sigs.k8s.io/kustomize/kyaml/sliceutil/slice.go
new file mode 100644
index 0000000000..23e3ad7c21
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/sliceutil/slice.go
@@ -0,0 +1,25 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package sliceutil
+
+// Contains return true if string e is present in slice s
+func Contains(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}
+
+// Remove removes the first occurrence of r in slice s
+// and returns remaining slice
+func Remove(s []string, r string) []string {
+	for i, v := range s {
+		if v == r {
+			return append(s[:i], s[i+1:]...)
+		}
+	}
+	return s
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/utils/pathsplitter.go b/vendor/sigs.k8s.io/kustomize/kyaml/utils/pathsplitter.go
new file mode 100644
index 0000000000..6ce1f899d5
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/utils/pathsplitter.go
@@ -0,0 +1,71 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import "strings"
+
+// TODO: Move these to kyaml
+
+// PathSplitter splits a delimited string, permitting escaped delimiters.
+func PathSplitter(path string, delimiter string) []string {
+	ps := strings.Split(path, delimiter)
+	var res []string
+
+	// allow path to start with forward slash
+	// i.e. /a/b/c
+	if len(ps) > 1 && ps[0] == "" {
+		ps = ps[1:]
+	}
+
+	res = append(res, ps[0])
+	for i := 1; i < len(ps); i++ {
+		last := len(res) - 1
+		if strings.HasSuffix(res[last], `\`) {
+			res[last] = strings.TrimSuffix(res[last], `\`) + delimiter + ps[i]
+		} else {
+			res = append(res, ps[i])
+		}
+	}
+	return res
+}
+
+// SmarterPathSplitter splits a path, retaining bracketed elements.
+// If the element is a list entry identifier (defined by the '='),
+// it will retain the brackets.
+// E.g. "[name=com.foo.someapp]" survives as one thing after splitting
+// "spec.template.spec.containers.[name=com.foo.someapp].image"
+// See kyaml/yaml/match.go for use of list entry identifiers.
+// If the element is a mapping entry identifier, it will remove the
+// brackets.
+// E.g. "a.b.c" survives as one thing after splitting
+// "metadata.annotations.[a.b.c]
+// This function uses `PathSplitter`, so it also respects escaped delimiters.
+func SmarterPathSplitter(path string, delimiter string) []string {
+	var result []string
+	split := PathSplitter(path, delimiter)
+
+	for i := 0; i < len(split); i++ {
+		elem := split[i]
+		if strings.HasPrefix(elem, "[") && !strings.HasSuffix(elem, "]") {
+			// continue until we find the matching "]"
+			bracketed := []string{elem}
+			for i < len(split)-1 {
+				i++
+				bracketed = append(bracketed, split[i])
+				if strings.HasSuffix(split[i], "]") {
+					break
+				}
+			}
+			bracketedStr := strings.Join(bracketed, delimiter)
+			if strings.Contains(bracketedStr, "=") {
+				result = append(result, bracketedStr)
+			} else {
+				result = append(result, strings.Trim(bracketedStr, "[]"))
+			}
+		} else {
+			result = append(result, elem)
+		}
+	}
+	return result
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/alias.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/alias.go
new file mode 100644
index 0000000000..3e6c68314a
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/alias.go
@@ -0,0 +1,109 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"bytes"
+	"io"
+
+	yaml "go.yaml.in/yaml/v3"
+)
+
+const (
+	WideSequenceStyle    SequenceIndentStyle = "wide"
+	CompactSequenceStyle SequenceIndentStyle = "compact"
+	DefaultIndent                            = 2
+	// BareSeqNodeWrappingKey kyaml uses reader annotations to track resources, it is not possible to
+	// add them to bare sequence nodes, this key is used to wrap such bare
+	// sequence nodes into map node, byteio_writer unwraps it while writing back
+	BareSeqNodeWrappingKey = "bareSeqNodeWrappingKey"
+)
+
+// SequenceIndentStyle holds the indentation style for sequence nodes
+type SequenceIndentStyle string
+
+// EncoderOptions are options that can be used to configure the encoder,
+// do not expose new options without considerable justification
+type EncoderOptions struct {
+	// SeqIndent is the indentation style for YAML Sequence nodes
+	SeqIndent SequenceIndentStyle
+}
+
+// Expose the yaml.v3 functions so this package can be used as a replacement
+
+type Decoder = yaml.Decoder
+type Encoder = yaml.Encoder
+type IsZeroer = yaml.IsZeroer
+type Kind = yaml.Kind
+type Marshaler = yaml.Marshaler
+type Node = yaml.Node
+type Style = yaml.Style
+type TypeError = yaml.TypeError
+type Unmarshaler = yaml.Unmarshaler
+
+var Marshal = func(in interface{}) ([]byte, error) {
+	var buf bytes.Buffer
+	err := NewEncoder(&buf).Encode(in)
+	if err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+var Unmarshal = yaml.Unmarshal
+var NewDecoder = yaml.NewDecoder
+var NewEncoder = func(w io.Writer) *yaml.Encoder {
+	e := yaml.NewEncoder(w)
+	e.SetIndent(DefaultIndent)
+	e.CompactSeqIndent()
+	return e
+}
+
+// MarshalWithOptions marshals the input interface with provided options
+func MarshalWithOptions(in interface{}, opts *EncoderOptions) ([]byte, error) {
+	var buf bytes.Buffer
+	err := NewEncoderWithOptions(&buf, opts).Encode(in)
+	if err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+// NewEncoderWithOptions returns the encoder with provided options
+func NewEncoderWithOptions(w io.Writer, opts *EncoderOptions) *yaml.Encoder {
+	encoder := NewEncoder(w)
+	encoder.SetIndent(DefaultIndent)
+	if opts.SeqIndent == WideSequenceStyle {
+		encoder.DefaultSeqIndent()
+	} else {
+		encoder.CompactSeqIndent()
+	}
+	return encoder
+}
+
+var AliasNode yaml.Kind = yaml.AliasNode
+var DocumentNode yaml.Kind = yaml.DocumentNode
+var MappingNode yaml.Kind = yaml.MappingNode
+var ScalarNode yaml.Kind = yaml.ScalarNode
+var SequenceNode yaml.Kind = yaml.SequenceNode
+
+func nodeKindString(k yaml.Kind) string {
+	return map[yaml.Kind]string{
+		yaml.SequenceNode: "SequenceNode",
+		yaml.MappingNode:  "MappingNode",
+		yaml.ScalarNode:   "ScalarNode",
+		yaml.DocumentNode: "DocumentNode",
+		yaml.AliasNode:    "AliasNode",
+	}[k]
+}
+
+var DoubleQuotedStyle yaml.Style = yaml.DoubleQuotedStyle
+var FlowStyle yaml.Style = yaml.FlowStyle
+var FoldedStyle yaml.Style = yaml.FoldedStyle
+var LiteralStyle yaml.Style = yaml.LiteralStyle
+var SingleQuotedStyle yaml.Style = yaml.SingleQuotedStyle
+var TaggedStyle yaml.Style = yaml.TaggedStyle
+
+const (
+	MergeTag = "!!merge"
+)
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/compatibility.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/compatibility.go
new file mode 100644
index 0000000000..b8533c1133
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/compatibility.go
@@ -0,0 +1,100 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"reflect"
+	"strings"
+
+	y1_1 "go.yaml.in/yaml/v2"
+	y1_2 "go.yaml.in/yaml/v3"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+// typeToTag maps OpenAPI schema types to yaml 1.2 tags
+var typeToTag = map[string]string{
+	"string":  NodeTagString,
+	"integer": NodeTagInt,
+	"boolean": NodeTagBool,
+	"number":  NodeTagFloat,
+}
+
+// FormatNonStringStyle makes sure that values which parse as non-string values in yaml 1.1
+// are correctly formatted given the Schema type.
+func FormatNonStringStyle(node *Node, schema spec.Schema) {
+	if len(schema.Type) != 1 {
+		return
+	}
+	t := schema.Type[0]
+
+	if !IsYaml1_1NonString(node) {
+		return
+	}
+	switch {
+	case t == "string" && schema.Format != "int-or-string":
+		if (node.Style&DoubleQuotedStyle == 0) && (node.Style&SingleQuotedStyle == 0) {
+			// must quote values so they are parsed as strings
+			node.Style = DoubleQuotedStyle
+		}
+	case t == "boolean" || t == "integer" || t == "number":
+		if (node.Style&DoubleQuotedStyle != 0) || (node.Style&SingleQuotedStyle != 0) {
+			// must NOT quote the values so they aren't parsed as strings
+			node.Style = 0
+		}
+	default:
+		return
+	}
+
+	// if the node tag is null, make sure we don't add any non-null tags
+	// https://github.com/kptdev/kpt/issues/2321
+	if node.Tag == NodeTagNull {
+		// must NOT quote null values
+		node.Style = 0
+		return
+	}
+	if tag, found := typeToTag[t]; found {
+		// make sure the right tag is set
+		node.Tag = tag
+	}
+}
+
+// IsYaml1_1NonString returns true if the value parses as a non-string value in yaml 1.1
+// when unquoted.
+//
+// Note: yaml 1.2 uses different keywords than yaml 1.1.  Example: yaml 1.2 interprets
+// `field: on` and `field: "on"` as equivalent (both strings).  However Yaml 1.1 interprets
+// `field: on` as on being a bool and `field: "on"` as on being a string.
+// If an input is read with `field: "on"`, and the style is changed from DoubleQuote to 0,
+// it will change the type of the field from a string  to a bool.  For this reason, fields
+// which are keywords in yaml 1.1 should never have their style changed, as it would break
+// backwards compatibility with yaml 1.1 -- which is what is used by the Kubernetes apiserver.
+func IsYaml1_1NonString(node *Node) bool {
+	if node.Kind != y1_2.ScalarNode {
+		// not a keyword
+		return false
+	}
+	return IsValueNonString(node.Value)
+}
+
+func IsValueNonString(value string) bool {
+	if value == "" {
+		return false
+	}
+	if strings.Contains(value, "\n") {
+		// multi-line strings will fail to unmarshal
+		return false
+	}
+	// check if the value will unmarshal into a non-string value using a yaml 1.1 parser
+	var i1 interface{}
+	if err := y1_1.Unmarshal([]byte(value), &i1); err != nil {
+		return false
+	}
+	if reflect.TypeOf(i1) != stringType {
+		return true
+	}
+
+	return false
+}
+
+var stringType = reflect.TypeOf("string")
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/const.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/const.go
new file mode 100644
index 0000000000..6a2cc45166
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/const.go
@@ -0,0 +1,30 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+const (
+	// NodeTagNull is the tag set for a yaml.Document that contains no data;
+	// e.g. it isn't a Map, Slice, Document, etc
+	NodeTagNull   = "!!null"
+	NodeTagFloat  = "!!float"
+	NodeTagString = "!!str"
+	NodeTagBool   = "!!bool"
+	NodeTagInt    = "!!int"
+	NodeTagMap    = "!!map"
+	NodeTagSeq    = "!!seq"
+	NodeTagEmpty  = ""
+)
+
+// Field names
+const (
+	AnnotationsField = "annotations"
+	APIVersionField  = "apiVersion"
+	KindField        = "kind"
+	MetadataField    = "metadata"
+	DataField        = "data"
+	BinaryDataField  = "binaryData"
+	NameField        = "name"
+	NamespaceField   = "namespace"
+	LabelsField      = "labels"
+)
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/datamap.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/datamap.go
new file mode 100644
index 0000000000..f4b7e6664e
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/datamap.go
@@ -0,0 +1,121 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"encoding/base64"
+	"sort"
+	"strings"
+	"unicode/utf8"
+)
+
+// SortedMapKeys returns a sorted slice of keys to the given map.
+// Writing this function never gets old.
+func SortedMapKeys(m map[string]string) []string {
+	keys := make([]string, len(m))
+	i := 0
+	for k := range m {
+		keys[i] = k
+		i++
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+func (rn *RNode) LoadMapIntoConfigMapData(m map[string]string) error {
+	for _, k := range SortedMapKeys(m) {
+		fldName, vrN := makeConfigMapValueRNode(m[k])
+		if _, err := rn.Pipe(
+			LookupCreate(MappingNode, fldName),
+			SetField(k, vrN)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (rn *RNode) LoadMapIntoConfigMapBinaryData(m map[string]string) error {
+	for _, k := range SortedMapKeys(m) {
+		_, vrN := makeConfigMapValueRNode(m[k])
+		// we know this is binary data
+		fldName := BinaryDataField
+		if _, err := rn.Pipe(
+			LookupCreate(MappingNode, fldName),
+			SetField(k, vrN)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func makeConfigMapValueRNode(s string) (field string, rN *RNode) {
+	yN := &Node{Kind: ScalarNode}
+	yN.Tag = NodeTagString
+	if utf8.ValidString(s) {
+		field = DataField
+		yN.Value = s
+	} else {
+		field = BinaryDataField
+		yN.Value = encodeBase64(s)
+	}
+	if strings.Contains(yN.Value, "\n") {
+		yN.Style = LiteralStyle
+	}
+	return field, NewRNode(yN)
+}
+
+func (rn *RNode) LoadMapIntoSecretData(m map[string]string) error {
+	mapNode, err := rn.Pipe(LookupCreate(MappingNode, DataField))
+	if err != nil {
+		return err
+	}
+	for _, k := range SortedMapKeys(m) {
+		vrN := makeSecretValueRNode(m[k])
+		if _, err := mapNode.Pipe(SetField(k, vrN)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// In a secret, all data is base64 encoded, regardless of its conformance
+// or lack thereof to UTF-8.
+func makeSecretValueRNode(s string) *RNode {
+	yN := &Node{Kind: ScalarNode}
+	// Purposely don't use YAML tags to identify the data as being plain text or
+	// binary.  It kubernetes Secrets the values in the `data` map are expected
+	// to be base64 encoded, and in ConfigMaps that same can be said for the
+	// values in the `binaryData` field.
+	yN.Tag = NodeTagString
+	yN.Value = encodeBase64(s)
+	if strings.Contains(yN.Value, "\n") {
+		yN.Style = LiteralStyle
+	}
+	return NewRNode(yN)
+}
+
+// encodeBase64 encodes s as base64 that is broken up into multiple lines
+// as appropriate for the resulting length.
+func encodeBase64(s string) string {
+	const lineLen = 70
+	encLen := base64.StdEncoding.EncodedLen(len(s))
+	lines := encLen/lineLen + 1
+	buf := make([]byte, encLen*2+lines)
+	in := buf[0:encLen]
+	out := buf[encLen:]
+	base64.StdEncoding.Encode(in, []byte(s))
+	k := 0
+	for i := 0; i < len(in); i += lineLen {
+		j := i + lineLen
+		if j > len(in) {
+			j = len(in)
+		}
+		k += copy(out[k:], in[i:j])
+		if lines > 1 {
+			out[k] = '\n'
+			k++
+		}
+	}
+	return string(out[:k])
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/doc.go
new file mode 100644
index 0000000000..b58811cf8b
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/doc.go
@@ -0,0 +1,49 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package yaml contains libraries for manipulating individual Kubernetes Resource
+// Configuration as yaml, keeping yaml structure and comments.
+//
+// Parsing Resources
+//
+// Typically Resources will be initialized as collections through the kio package libraries.
+// However it is possible to directly initialize Resources using Parse.
+//  resource, err := yaml.Parse("apiVersion: apps/v1\nkind: Deployment")
+//
+// Processing Resources
+//
+// Individual Resources are manipulated using the Pipe and PipeE to apply Filter functions
+// to transform the Resource data.
+//  err := resource.PipeE(yaml.SetAnnotation("key", "value"))
+//
+// If multiple Filter functions are provided to Pipe or PipeE, each function is applied to
+// the result of the last function -- e.g. yaml.Lookup(...), yaml.SetField(...)
+//
+// Field values may also be retrieved using Pipe.
+//  annotationValue, err := resource.Pipe(yaml.GetAnnotation("key"))
+//
+// See http://www.linfo.org/filters.html for a definition of filters.
+//
+// Common Filters
+//
+// There are a number of standard filter functions provided by the yaml package.
+//
+// Working with annotations:
+//  [AnnotationSetter{}, AnnotationGetter{}, AnnotationClearer{}]
+//
+// Working with fields by path:
+//  [PathMatcher{}, PathGetter{}]
+//
+// Working with individual fields on Maps and Objects:
+//  [FieldMatcher{}, FieldSetter{}, FieldGetter{}]
+//
+// Working with individual elements in Sequences:
+//  [ElementAppender{}, ElementSetter{}, ElementMatcher{}]
+//
+// Writing Filters
+//
+// Users may implement their own filter functions.  When doing so, can be necessary to work with
+// the RNode directly rather than through Pipe.  RNode provides a number of functions for doing
+// so. See:
+//  [GetMeta(), Fields(), Elements(), String()]
+package yaml
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/filters.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/filters.go
new file mode 100644
index 0000000000..e7d4b5f7b8
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/filters.go
@@ -0,0 +1,146 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"fmt"
+	"regexp"
+	"sort"
+	"strings"
+)
+
+// Filters is the list of serializable Pipeline Filters
+var Filters = map[string]func() Filter{
+	"AnnotationClearer": func() Filter { return &AnnotationClearer{} },
+	"AnnotationGetter":  func() Filter { return &AnnotationGetter{} },
+	"AnnotationSetter":  func() Filter { return &AnnotationSetter{} },
+	"LabelSetter":       func() Filter { return &LabelSetter{} },
+	"ElementAppender":   func() Filter { return &ElementAppender{} },
+	"ElementMatcher":    func() Filter { return &ElementMatcher{} },
+	"FieldClearer":      func() Filter { return &FieldClearer{} },
+	"FilterMatcher":     func() Filter { return &FilterMatcher{} },
+	"FieldMatcher":      func() Filter { return &FieldMatcher{} },
+	"FieldSetter":       func() Filter { return &FieldSetter{} },
+	"PathGetter":        func() Filter { return &PathGetter{} },
+	"PathMatcher":       func() Filter { return &PathMatcher{} },
+	"Parser":            func() Filter { return &Parser{} },
+	"PrefixSetter":      func() Filter { return &PrefixSetter{} },
+	"ValueReplacer":     func() Filter { return &ValueReplacer{} },
+	"SuffixSetter":      func() Filter { return &SuffixSetter{} },
+	"TeePiper":          func() Filter { return &TeePiper{} },
+}
+
+// YFilter wraps the Filter interface so the filter can be represented as
+// data and can be unmarshalled into a struct from a yaml config file.
+// This allows Pipelines to be expressed as data rather than code.
+type YFilter struct {
+	Filter
+}
+
+func (y YFilter) MarshalYAML() (interface{}, error) {
+	return y.Filter, nil
+}
+
+func (y *YFilter) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	meta := &ResourceMeta{}
+	if err := unmarshal(meta); err != nil {
+		return err
+	}
+	filter, found := Filters[meta.Kind]
+	if !found {
+		var knownFilters []string
+		for k := range Filters {
+			knownFilters = append(knownFilters, k)
+		}
+		sort.Strings(knownFilters)
+		return fmt.Errorf("unsupported Filter Kind %s:  may be one of: [%s]",
+			meta.Kind, strings.Join(knownFilters, ","))
+	}
+	y.Filter = filter()
+
+	if err := unmarshal(y.Filter); err != nil {
+		return err
+	}
+	return nil
+}
+
+type YFilters []YFilter
+
+func (y YFilters) Filters() []Filter {
+	f := make([]Filter, 0, len(y))
+	for i := range y {
+		f = append(f, y[i].Filter)
+	}
+	return f
+}
+
+type FilterMatcher struct {
+	Kind string `yaml:"kind"`
+
+	// Filters are the set of Filters run by TeePiper.
+	Filters YFilters `yaml:"pipeline,omitempty"`
+}
+
+func (t FilterMatcher) Filter(rn *RNode) (*RNode, error) {
+	v, err := rn.Pipe(t.Filters.Filters()...)
+	if v == nil || err != nil {
+		return nil, err
+	}
+	// return the original input if the pipeline resolves to true
+	return rn, err
+}
+
+type ValueReplacer struct {
+	Kind string `yaml:"kind"`
+
+	StringMatch string `yaml:"stringMatch"`
+	RegexMatch  string `yaml:"regexMatch"`
+	Replace     string `yaml:"replace"`
+	Count       int    `yaml:"count"`
+}
+
+func (s ValueReplacer) Filter(object *RNode) (*RNode, error) {
+	if s.Count == 0 {
+		s.Count = -1
+	}
+	switch {
+	case s.StringMatch != "":
+		object.value.Value = strings.Replace(object.value.Value, s.StringMatch, s.Replace, s.Count)
+	case s.RegexMatch != "":
+		r, err := regexp.Compile(s.RegexMatch)
+		if err != nil {
+			return nil, fmt.Errorf("ValueReplacer RegexMatch does not compile: %v", err)
+		}
+		object.value.Value = r.ReplaceAllString(object.value.Value, s.Replace)
+	default:
+		return nil, fmt.Errorf("ValueReplacer missing StringMatch and RegexMatch")
+	}
+	return object, nil
+}
+
+type PrefixSetter struct {
+	Kind string `yaml:"kind"`
+
+	Value string `yaml:"value"`
+}
+
+func (s PrefixSetter) Filter(object *RNode) (*RNode, error) {
+	if !strings.HasPrefix(object.value.Value, s.Value) {
+		object.value.Value = s.Value + object.value.Value
+	}
+	return object, nil
+}
+
+type SuffixSetter struct {
+	Kind string `yaml:"kind"`
+
+	Value string `yaml:"value"`
+}
+
+func (s SuffixSetter) Filter(object *RNode) (*RNode, error) {
+	if !strings.HasSuffix(object.value.Value, s.Value) {
+		object.value.Value += s.Value
+	}
+	return object, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/fns.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/fns.go
new file mode 100644
index 0000000000..740a28ed02
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/fns.go
@@ -0,0 +1,889 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/davecgh/go-spew/spew"
+	yaml "go.yaml.in/yaml/v3"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+// Append creates an ElementAppender
+func Append(elements ...*yaml.Node) ElementAppender {
+	return ElementAppender{Elements: elements}
+}
+
+// ElementAppender adds all element to a SequenceNode's Content.
+// Returns Elements[0] if len(Elements) == 1, otherwise returns nil.
+type ElementAppender struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Elem is the value to append.
+	Elements []*yaml.Node `yaml:"elements,omitempty"`
+}
+
+func (a ElementAppender) Filter(rn *RNode) (*RNode, error) {
+	if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil {
+		return nil, err
+	}
+	for i := range a.Elements {
+		rn.YNode().Content = append(rn.Content(), a.Elements[i])
+	}
+	if len(a.Elements) == 1 {
+		return NewRNode(a.Elements[0]), nil
+	}
+	return nil, nil
+}
+
+// ElementSetter sets the value for an Element in an associative list.
+// ElementSetter will append, replace or delete an element in an associative list.
+// To append, user a key-value pair that doesn't exist in the sequence. this
+// behavior is intended to handle the case that not matching element found. It's
+// not designed for this purpose. To append an element, please use ElementAppender.
+// To replace, set the key-value pair and a non-nil Element.
+// To delete, set the key-value pair and leave the Element as nil.
+// Every key must have a corresponding value.
+type ElementSetter struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Element is the new value to set -- remove the existing element if nil
+	Element *Node
+
+	// Key is a list of fields on the elements. It is used to find matching elements to
+	// update / delete
+	Keys []string
+
+	// Value is a list of field values on the elements corresponding to the keys. It is
+	// used to find matching elements to update / delete.
+	Values []string
+}
+
+// isMappingNode returns whether node is a mapping node
+func (e ElementSetter) isMappingNode(node *RNode) bool {
+	return ErrorIfInvalid(node, yaml.MappingNode) == nil
+}
+
+// isMappingSetter returns is this setter intended to set a mapping node
+func (e ElementSetter) isMappingSetter() bool {
+	return len(e.Keys) > 0 && e.Keys[0] != "" &&
+		len(e.Values) > 0 && e.Values[0] != ""
+}
+
+func (e ElementSetter) Filter(rn *RNode) (*RNode, error) {
+	if len(e.Keys) == 0 {
+		e.Keys = append(e.Keys, "")
+	}
+
+	if err := ErrorIfInvalid(rn, SequenceNode); err != nil {
+		return nil, err
+	}
+
+	// build the new Content slice
+	var newContent []*yaml.Node
+	matchingElementFound := false
+	for i := range rn.YNode().Content {
+		elem := rn.Content()[i]
+		newNode := NewRNode(elem)
+
+		// empty elements are not valid -- they at least need an associative key
+		if IsMissingOrNull(newNode) || IsEmptyMap(newNode) {
+			continue
+		}
+		// keep non-mapping node in the Content when we want to match a mapping.
+		if !e.isMappingNode(newNode) && e.isMappingSetter() {
+			newContent = append(newContent, elem)
+			continue
+		}
+
+		// check if this is the element we are matching
+		var val *RNode
+		var err error
+		found := true
+		for j := range e.Keys {
+			if j < len(e.Values) {
+				val, err = newNode.Pipe(FieldMatcher{Name: e.Keys[j], StringValue: e.Values[j]})
+			}
+			if err != nil {
+				return nil, err
+			}
+			if val == nil {
+				found = false
+				break
+			}
+		}
+		if !found {
+			// not the element we are looking for, keep it in the Content
+			if len(e.Values) > 0 {
+				newContent = append(newContent, elem)
+			}
+			continue
+		}
+		matchingElementFound = true
+
+		// deletion operation -- remove the element from the new Content
+		if e.Element == nil {
+			continue
+		}
+		// replace operation -- replace the element in the Content
+		newContent = append(newContent, e.Element)
+	}
+	rn.YNode().Content = newContent
+
+	// deletion operation -- return nil
+	if IsMissingOrNull(NewRNode(e.Element)) {
+		return nil, nil
+	}
+
+	// append operation -- add the element to the Content
+	if !matchingElementFound {
+		rn.YNode().Content = append(rn.YNode().Content, e.Element)
+	}
+
+	return NewRNode(e.Element), nil
+}
+
+// GetElementByIndex will return a Filter which can be applied to a sequence
+// node to get the element specified by the index
+func GetElementByIndex(index int) ElementIndexer {
+	return ElementIndexer{Index: index}
+}
+
+// ElementIndexer picks the element with a specified index. Index starts from
+// 0 to len(list) - 1. a hyphen ("-") means the last index.
+type ElementIndexer struct {
+	Index int
+}
+
+// Filter implements Filter
+func (i ElementIndexer) Filter(rn *RNode) (*RNode, error) {
+	// rn.Elements will return error if rn is not a sequence node.
+	elems, err := rn.Elements()
+	if err != nil {
+		return nil, err
+	}
+	if i.Index < 0 {
+		return elems[len(elems)-1], nil
+	}
+	if i.Index >= len(elems) {
+		return nil, nil
+	}
+	return elems[i.Index], nil
+}
+
+// Clear returns a FieldClearer
+func Clear(name string) FieldClearer {
+	return FieldClearer{Name: name}
+}
+
+// FieldClearer removes the field or map key.
+// Returns a RNode with the removed field or map entry.
+type FieldClearer struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Name is the name of the field or key in the map.
+	Name string `yaml:"name,omitempty"`
+
+	IfEmpty bool `yaml:"ifEmpty,omitempty"`
+}
+
+func (c FieldClearer) Filter(rn *RNode) (*RNode, error) {
+	if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil {
+		return nil, err
+	}
+
+	var removed *RNode
+	visitFieldsWhileTrue(rn.Content(), func(key, value *yaml.Node, keyIndex int) bool {
+		if key.Value != c.Name {
+			return true
+		}
+
+		// the name matches: remove these 2 elements from the list because
+		// they are treated as a fieldName/fieldValue pair.
+		if c.IfEmpty {
+			if len(value.Content) > 0 {
+				return true
+			}
+		}
+
+		// save the item we are about to remove
+		removed = NewRNode(value)
+		if len(rn.YNode().Content) > keyIndex+2 {
+			l := len(rn.YNode().Content)
+			// remove from the middle of the list
+			rn.YNode().Content = rn.Content()[:keyIndex]
+			rn.YNode().Content = append(
+				rn.YNode().Content,
+				rn.Content()[keyIndex+2:l]...)
+		} else {
+			// remove from the end of the list
+			rn.YNode().Content = rn.Content()[:keyIndex]
+		}
+		return false
+	})
+
+	return removed, nil
+}
+
+func MatchElement(field, value string) ElementMatcher {
+	return ElementMatcher{Keys: []string{field}, Values: []string{value}}
+}
+
+func MatchElementList(keys []string, values []string) ElementMatcher {
+	return ElementMatcher{Keys: keys, Values: values}
+}
+
+func GetElementByKey(key string) ElementMatcher {
+	return ElementMatcher{Keys: []string{key}, MatchAnyValue: true}
+}
+
+// ElementMatcher returns the first element from a Sequence matching the
+// specified key-value pairs. If there's no match, and no configuration error,
+// the matcher returns nil, nil.
+type ElementMatcher struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Keys are the list of fields upon which to match this element.
+	Keys []string
+
+	// Values are the list of values upon which to match this element.
+	Values []string
+
+	// Create will create the Element if it is not found
+	Create *RNode `yaml:"create,omitempty"`
+
+	// MatchAnyValue indicates that matcher should only consider the key and ignore
+	// the actual value in the list. Values must be empty when MatchAnyValue is
+	// set to true.
+	MatchAnyValue bool `yaml:"noValue,omitempty"`
+}
+
+func (e ElementMatcher) Filter(rn *RNode) (*RNode, error) {
+	if len(e.Keys) == 0 {
+		e.Keys = append(e.Keys, "")
+	}
+	if len(e.Values) == 0 {
+		e.Values = append(e.Values, "")
+	}
+
+	if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil {
+		return nil, err
+	}
+	if e.MatchAnyValue && len(e.Values) != 0 && e.Values[0] != "" {
+		return nil, fmt.Errorf("Values must be empty when MatchAnyValue is set to true")
+	}
+
+	// SequenceNode Content is a slice of ScalarNodes.  Each ScalarNode has a
+	// YNode containing the primitive data.
+	if len(e.Keys) == 0 || len(e.Keys[0]) == 0 {
+		for i := range rn.Content() {
+			if rn.Content()[i].Value == e.Values[0] {
+				return &RNode{value: rn.Content()[i]}, nil
+			}
+		}
+		if e.Create != nil {
+			return rn.Pipe(Append(e.Create.YNode()))
+		}
+		return nil, nil
+	}
+
+	// SequenceNode Content is a slice of MappingNodes.  Each MappingNode has Content
+	// with a slice of key-value pairs containing the fields.
+	for i := range rn.Content() {
+		// cast the entry to a RNode so we can operate on it
+		elem := NewRNode(rn.Content()[i])
+		var field *RNode
+		var err error
+
+		// only check mapping node
+		if err = ErrorIfInvalid(elem, yaml.MappingNode); err != nil {
+			continue
+		}
+
+		if !e.MatchAnyValue && len(e.Keys) != len(e.Values) {
+			return nil, fmt.Errorf("length of keys must equal length of values when MatchAnyValue is false")
+		}
+
+		matchesElement := true
+		for i := range e.Keys {
+			if e.MatchAnyValue {
+				field, err = elem.Pipe(Get(e.Keys[i]))
+			} else {
+				field, err = elem.Pipe(MatchField(e.Keys[i], e.Values[i]))
+			}
+			if !IsFoundOrError(field, err) {
+				// this is not the element we are looking for
+				matchesElement = false
+				break
+			}
+		}
+		if matchesElement {
+			return elem, err
+		}
+	}
+
+	// create the element
+	if e.Create != nil {
+		return rn.Pipe(Append(e.Create.YNode()))
+	}
+
+	return nil, nil
+}
+
+func Get(name string) FieldMatcher {
+	return FieldMatcher{Name: name}
+}
+
+func MatchField(name, value string) FieldMatcher {
+	return FieldMatcher{Name: name, Value: NewScalarRNode(value)}
+}
+
+func Match(value string) FieldMatcher {
+	return FieldMatcher{Value: NewScalarRNode(value)}
+}
+
+// FieldMatcher returns the value of a named field or map entry.
+type FieldMatcher struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Name of the field to return
+	Name string `yaml:"name,omitempty"`
+
+	// YNode of the field to return.
+	// Optional.  Will only need to match field name if unset.
+	Value *RNode `yaml:"value,omitempty"`
+
+	StringValue string `yaml:"stringValue,omitempty"`
+
+	StringRegexValue string `yaml:"stringRegexValue,omitempty"`
+
+	// Create will cause the field to be created with this value
+	// if it is set.
+	Create *RNode `yaml:"create,omitempty"`
+}
+
+func (f FieldMatcher) Filter(rn *RNode) (*RNode, error) {
+	if f.StringValue != "" && f.Value == nil {
+		f.Value = NewScalarRNode(f.StringValue)
+	}
+
+	// never match nil or null fields
+	if IsMissingOrNull(rn) {
+		return nil, nil
+	}
+
+	if f.Name == "" {
+		if err := ErrorIfInvalid(rn, yaml.ScalarNode); err != nil {
+			return nil, err
+		}
+		switch {
+		case f.StringRegexValue != "":
+			// TODO(pwittrock): pre-compile this when unmarshalling and cache to a field
+			rg, err := regexp.Compile(f.StringRegexValue)
+			if err != nil {
+				return nil, err
+			}
+			if match := rg.MatchString(rn.value.Value); match {
+				return rn, nil
+			}
+			return nil, nil
+		case GetValue(rn) == GetValue(f.Value):
+			return rn, nil
+		default:
+			return nil, nil
+		}
+	}
+
+	if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil {
+		return nil, err
+	}
+
+	var returnNode *RNode
+	requireMatchFieldValue := f.Value != nil
+	visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) {
+		if !requireMatchFieldValue || value.Value == f.Value.YNode().Value {
+			returnNode = NewRNode(value)
+		}
+	}, f.Name)
+	if returnNode != nil {
+		return returnNode, nil
+	}
+
+	if f.Create != nil {
+		return rn.Pipe(SetField(f.Name, f.Create))
+	}
+
+	return nil, nil
+}
+
+// Lookup returns a PathGetter to lookup a field by its path.
+func Lookup(path ...string) PathGetter {
+	return PathGetter{Path: path}
+}
+
+// LookupCreate returns a PathGetter to lookup a field by its path and create it if it doesn't already
+// exist.
+func LookupCreate(kind yaml.Kind, path ...string) PathGetter {
+	return PathGetter{Path: path, Create: kind}
+}
+
+// ConventionalContainerPaths is a list of paths at which containers typically appear in workload APIs.
+// It is intended for use with LookupFirstMatch.
+var ConventionalContainerPaths = [][]string{
+	// e.g. Deployment, ReplicaSet, DaemonSet, Job, StatefulSet
+	{"spec", "template", "spec", "containers"},
+	// e.g. CronJob
+	{"spec", "jobTemplate", "spec", "template", "spec", "containers"},
+	// e.g. Pod
+	{"spec", "containers"},
+	// e.g. PodTemplate
+	{"template", "spec", "containers"},
+}
+
+// LookupFirstMatch returns a Filter for locating a value that may exist at one of several possible paths.
+// For example, it can be used with ConventionalContainerPaths to find the containers field in a standard workload resource.
+// If more than one of the paths exists in the resource, the first will be returned. If none exist,
+// nil will be returned. If an error is encountered during lookup, it will be returned.
+func LookupFirstMatch(paths [][]string) Filter {
+	return FilterFunc(func(object *RNode) (*RNode, error) {
+		var result *RNode
+		var err error
+		for _, path := range paths {
+			result, err = object.Pipe(PathGetter{Path: path})
+			if err != nil {
+				return nil, errors.Wrap(err)
+			}
+			if result != nil {
+				return result, nil
+			}
+		}
+		return nil, nil
+	})
+}
+
+// PathGetter returns the RNode under Path.
+type PathGetter struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Path is a slice of parts leading to the RNode to lookup.
+	// Each path part may be one of:
+	// * FieldMatcher -- e.g. "spec"
+	// * Map Key -- e.g. "app.k8s.io/version"
+	// * List Entry -- e.g. "[name=nginx]" or "[=-jar]" or "0" or "-"
+	//
+	// Map Keys and Fields are equivalent.
+	// See FieldMatcher for more on Fields and Map Keys.
+	//
+	// List Entries can be specified as map entry to match [fieldName=fieldValue]
+	// or a positional index like 0 to get the element. - (unquoted hyphen) is
+	// special and means the last element.
+	//
+	// See Elem for more on List Entries.
+	//
+	// Examples:
+	// * spec.template.spec.container with matching name: [name=nginx]
+	// * spec.template.spec.container.argument matching a value: [=-jar]
+	Path []string `yaml:"path,omitempty"`
+
+	// Create will cause missing path parts to be created as they are walked.
+	//
+	// * The leaf Node (final path) will be created with a Kind matching Create
+	// * Intermediary Nodes will be created as either a MappingNodes or
+	//   SequenceNodes as appropriate for each's Path location.
+	// * If a list item is specified by a index (an offset or "-"), this item will
+	//   not be created even Create is set.
+	Create yaml.Kind `yaml:"create,omitempty"`
+
+	// Style is the style to apply to created value Nodes.
+	// Created key Nodes keep an unspecified Style.
+	Style yaml.Style `yaml:"style,omitempty"`
+}
+
+func (l PathGetter) Filter(rn *RNode) (*RNode, error) {
+	var err error
+	fieldPath := append([]string{}, rn.FieldPath()...)
+	match := rn
+
+	// iterate over path until encountering an error or missing value
+	l.Path = cleanPath(l.Path)
+	for i := range l.Path {
+		var part, nextPart string
+		part = l.Path[i]
+		if len(l.Path) > i+1 {
+			nextPart = l.Path[i+1]
+		}
+		var fltr Filter
+		fltr, err = l.getFilter(part, nextPart, &fieldPath)
+		if err != nil {
+			return nil, err
+		}
+		match, err = match.Pipe(fltr)
+		if IsMissingOrError(match, err) {
+			return nil, err
+		}
+		match.AppendToFieldPath(fieldPath...)
+	}
+	return match, nil
+}
+
+func (l PathGetter) getFilter(part, nextPart string, fieldPath *[]string) (Filter, error) {
+	idx, err := strconv.Atoi(part)
+	switch {
+	case err == nil:
+		// part is a number
+		if idx < 0 {
+			return nil, fmt.Errorf("array index %d cannot be negative", idx)
+		}
+		return GetElementByIndex(idx), nil
+	case part == "-":
+		// part is a hyphen
+		return GetElementByIndex(-1), nil
+	case part == "*":
+		// PathGetter is not support for wildcard matching
+		return nil, errors.Errorf("wildcard is not supported in PathGetter")
+	case IsListIndex(part):
+		// part is surrounded by brackets
+		return l.elemFilter(part)
+	default:
+		// mapping node
+		*fieldPath = append(*fieldPath, part)
+		return l.fieldFilter(part, getPathPartKind(nextPart, l.Create))
+	}
+}
+
+func (l PathGetter) elemFilter(part string) (Filter, error) {
+	name, value, err := SplitIndexNameValue(part)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	if !IsCreate(l.Create) {
+		return MatchElement(name, value), nil
+	}
+
+	var elem *RNode
+	primitiveElement := len(name) == 0
+	if primitiveElement {
+		// append a ScalarNode
+		elem = NewScalarRNode(value)
+		elem.YNode().Style = l.Style
+	} else {
+		// append a MappingNode
+		match := NewRNode(&yaml.Node{Kind: yaml.ScalarNode, Value: value, Style: l.Style})
+		elem = NewRNode(&yaml.Node{
+			Kind:    yaml.MappingNode,
+			Content: []*yaml.Node{{Kind: yaml.ScalarNode, Value: name}, match.YNode()},
+			Style:   l.Style,
+		})
+	}
+	// Append the Node
+	return ElementMatcher{Keys: []string{name}, Values: []string{value}, Create: elem}, nil
+}
+
+func (l PathGetter) fieldFilter(
+	name string, kind yaml.Kind) (Filter, error) {
+	if !IsCreate(l.Create) {
+		return Get(name), nil
+	}
+	return FieldMatcher{Name: name, Create: &RNode{value: &yaml.Node{Kind: kind, Style: l.Style}}}, nil
+}
+
+func getPathPartKind(nextPart string, defaultKind yaml.Kind) yaml.Kind {
+	if IsListIndex(nextPart) {
+		// if nextPart is of the form [a=b], then it is an index into a Sequence
+		// so the current part must be a SequenceNode
+		return yaml.SequenceNode
+	}
+	if IsIdxNumber(nextPart) {
+		return yaml.SequenceNode
+	}
+	if nextPart == "" {
+		// final name in the path, use the default kind provided
+		return defaultKind
+	}
+
+	// non-sequence intermediate Node
+	return yaml.MappingNode
+}
+
+func SetField(name string, value *RNode) FieldSetter {
+	return FieldSetter{Name: name, Value: value}
+}
+
+func Set(value *RNode) FieldSetter {
+	return FieldSetter{Value: value}
+}
+
+// MapEntrySetter sets a map entry to a value. If it finds a key with the same
+// value, it will override both Key and Value RNodes, including style and any
+// other metadata. If it doesn't find the key, it will insert a new map entry.
+// It will set the field, even if it's empty or nil, unlike the FieldSetter.
+// This is useful for rebuilding some pre-existing RNode structure.
+type MapEntrySetter struct {
+	// Name is the name of the field or key to lookup in a MappingNode.
+	// If Name is unspecified, it will use the Key's Value
+	Name string `yaml:"name,omitempty"`
+
+	// Value is the value to set.
+	Value *RNode `yaml:"value,omitempty"`
+
+	// Key is the map key to set.
+	Key *RNode `yaml:"key,omitempty"`
+}
+
+func (s MapEntrySetter) Filter(rn *RNode) (*RNode, error) {
+	if rn == nil {
+		return nil, errors.Errorf("Can't set map entry on a nil RNode")
+	}
+	if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil {
+		return nil, err
+	}
+	if s.Name == "" {
+		s.Name = GetValue(s.Key)
+	}
+
+	content := rn.Content()
+	fieldStillNotFound := true
+	visitFieldsWhileTrue(content, func(key, value *yaml.Node, keyIndex int) bool {
+		if key.Value == s.Name {
+			content[keyIndex] = s.Key.YNode()
+			content[keyIndex+1] = s.Value.YNode()
+			fieldStillNotFound = false
+		}
+		return fieldStillNotFound
+	})
+	if !fieldStillNotFound {
+		return rn, nil
+	}
+
+	// create the field
+	rn.YNode().Content = append(
+		rn.YNode().Content,
+		s.Key.YNode(),
+		s.Value.YNode())
+	return rn, nil
+}
+
+// FieldSetter sets a field or map entry to a value.
+type FieldSetter struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Name is the name of the field or key to lookup in a MappingNode.
+	// If Name is unspecified, and the input is a ScalarNode, FieldSetter will set the
+	// value on the ScalarNode.
+	Name string `yaml:"name,omitempty"`
+
+	// Comments for the field
+	Comments Comments `yaml:"comments,omitempty"`
+
+	// Value is the value to set.
+	// Optional if Kind is set.
+	Value *RNode `yaml:"value,omitempty"`
+
+	StringValue string `yaml:"stringValue,omitempty"`
+
+	// OverrideStyle can be set to override the style of the existing node
+	// when setting it.  Otherwise, if an existing node is found, the style is
+	// retained.
+	OverrideStyle bool `yaml:"overrideStyle,omitempty"`
+
+	// AppendKeyStyle defines the style of the key when no existing node is
+	// found, and a new node is appended.
+	AppendKeyStyle Style `yaml:"appendKeyStyle,omitempty"`
+}
+
+func (s FieldSetter) Filter(rn *RNode) (*RNode, error) {
+	if s.StringValue != "" && s.Value == nil {
+		s.Value = NewScalarRNode(s.StringValue)
+	}
+
+	// need to set style for strings not recognized by yaml 1.1 to quoted if not previously set
+	// TODO: fix in upstream yaml library so this can be handled with yaml SetString
+	if s.Value.IsStringValue() && !s.OverrideStyle && s.Value.YNode().Style == 0 && IsYaml1_1NonString(s.Value.YNode()) {
+		s.Value.YNode().Style = yaml.DoubleQuotedStyle
+	}
+
+	if s.Name == "" {
+		if err := ErrorIfInvalid(rn, yaml.ScalarNode); err != nil {
+			return rn, err
+		}
+		if IsMissingOrNull(s.Value) {
+			return rn, nil
+		}
+		// only apply the style if there is not an existing style
+		// or we want to override it
+		if !s.OverrideStyle || s.Value.YNode().Style == 0 {
+			// keep the original style if it exists
+			s.Value.YNode().Style = rn.YNode().Style
+		}
+		rn.SetYNode(s.Value.YNode())
+		return rn, nil
+	}
+
+	// Clearing nil fields:
+	//   1. Clear any fields with no value
+	//   2. Clear any "null" YAML fields unless we explicitly want to keep them
+	// This is to balance
+	//   1. Persisting 'null' values passed by the user (see issue #4628)
+	//   2. Avoiding producing noisy documents that add any field defaulting to
+	//   'nil' even if they weren't present in the source document
+	if s.Value == nil || (s.Value.IsTaggedNull() && !s.Value.ShouldKeep) {
+		return rn.Pipe(Clear(s.Name))
+	}
+
+	field, err := rn.Pipe(FieldMatcher{Name: s.Name})
+	if err != nil {
+		return nil, err
+	}
+	if field != nil {
+		// only apply the style if there is not an existing style
+		// or we want to override it
+		if !s.OverrideStyle || field.YNode().Style == 0 {
+			// keep the original style if it exists
+			s.Value.YNode().Style = field.YNode().Style
+		}
+		// need to def ref the Node since field is ephemeral
+		field.SetYNode(s.Value.YNode())
+		return field, nil
+	}
+
+	// create the field
+	rn.YNode().Content = append(
+		rn.YNode().Content,
+		&yaml.Node{
+			Kind:        yaml.ScalarNode,
+			Value:       s.Name,
+			Style:       s.AppendKeyStyle,
+			HeadComment: s.Comments.HeadComment,
+			LineComment: s.Comments.LineComment,
+			FootComment: s.Comments.FootComment,
+		},
+		s.Value.YNode())
+	return s.Value, nil
+}
+
+// Tee calls the provided Filters, and returns its argument rather than the result
+// of the filters.
+// May be used to fork sub-filters from a call.
+// e.g. locate field, set value; locate another field, set another value
+func Tee(filters ...Filter) Filter {
+	return TeePiper{Filters: filters}
+}
+
+// TeePiper Calls a slice of Filters and returns its input.
+// May be used to fork sub-filters from a call.
+// e.g. locate field, set value; locate another field, set another value
+type TeePiper struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Filters are the set of Filters run by TeePiper.
+	Filters []Filter `yaml:"filters,omitempty"`
+}
+
+func (t TeePiper) Filter(rn *RNode) (*RNode, error) {
+	_, err := rn.Pipe(t.Filters...)
+	return rn, err
+}
+
+// IsCreate returns true if kind is specified
+func IsCreate(kind yaml.Kind) bool {
+	return kind != 0
+}
+
+// IsMissingOrError returns true if rn is NOT found or err is non-nil
+func IsMissingOrError(rn *RNode, err error) bool {
+	return rn == nil || err != nil
+}
+
+// IsFoundOrError returns true if rn is found or err is non-nil
+func IsFoundOrError(rn *RNode, err error) bool {
+	return rn != nil || err != nil
+}
+
+func ErrorIfAnyInvalidAndNonNull(kind yaml.Kind, rn ...*RNode) error {
+	for i := range rn {
+		if IsMissingOrNull(rn[i]) {
+			continue
+		}
+		if err := ErrorIfInvalid(rn[i], kind); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+type InvalidNodeKindError struct {
+	expectedKind yaml.Kind
+	node         *RNode
+}
+
+func (e *InvalidNodeKindError) Error() string {
+	msg := fmt.Sprintf("wrong node kind: expected %s but got %s",
+		nodeKindString(e.expectedKind), nodeKindString(e.node.YNode().Kind))
+	if content, err := e.node.String(); err == nil {
+		msg += fmt.Sprintf(": node contents:\n%s", content)
+	}
+	return msg
+}
+
+func (e *InvalidNodeKindError) ActualNodeKind() Kind {
+	return e.node.YNode().Kind
+}
+
+func ErrorIfInvalid(rn *RNode, kind yaml.Kind) error {
+	if IsMissingOrNull(rn) {
+		// node has no type, pass validation
+		return nil
+	}
+
+	if rn.YNode().Kind != kind {
+		return &InvalidNodeKindError{node: rn, expectedKind: kind}
+	}
+
+	if kind == yaml.MappingNode {
+		if len(rn.YNode().Content)%2 != 0 {
+			return errors.Errorf(
+				"yaml MappingNodes must have even length contents: %v", spew.Sdump(rn))
+		}
+	}
+
+	return nil
+}
+
+// IsListIndex returns true if p is an index into a Val.
+// e.g. [fieldName=fieldValue]
+// e.g. [=primitiveValue]
+func IsListIndex(p string) bool {
+	return strings.HasPrefix(p, "[") && strings.HasSuffix(p, "]")
+}
+
+// IsIdxNumber returns true if p is an index number.
+// e.g. 1
+func IsIdxNumber(p string) bool {
+	idx, err := strconv.Atoi(p)
+	return err == nil && idx >= 0
+}
+
+// IsWildcard returns true if p is matching every elements.
+// e.g. "*"
+func IsWildcard(p string) bool {
+	return p == "*"
+}
+
+// SplitIndexNameValue splits a lookup part Val index into the field name
+// and field value to match.
+// e.g. splits [name=nginx] into (name, nginx)
+// e.g. splits [=-jar] into ("", -jar)
+func SplitIndexNameValue(p string) (string, string, error) {
+	elem := strings.TrimSuffix(p, "]")
+	elem = strings.TrimPrefix(elem, "[")
+	parts := strings.SplitN(elem, "=", 2)
+	if len(parts) == 1 {
+		return "", "", fmt.Errorf("list path element must contain fieldName=fieldValue for element to match")
+	}
+	return parts[0], parts[1], nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/copied.deepcopy.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/copied.deepcopy.go
new file mode 100644
index 0000000000..52f32be88a
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/copied.deepcopy.go
@@ -0,0 +1,44 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/labels/zz_generated.deepcopy.go
+
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package labels
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Requirement) DeepCopyInto(out *Requirement) {
+	*out = *in
+	if in.strValues != nil {
+		in, out := &in.strValues, &out.strValues
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Requirement.
+func (in *Requirement) DeepCopy() *Requirement {
+	if in == nil {
+		return nil
+	}
+	out := new(Requirement)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/labels.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/labels.go
new file mode 100644
index 0000000000..300014eac0
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/labels.go
@@ -0,0 +1,192 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/labels/labels.go
+
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package labels
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+)
+
+// Labels allows you to present labels independently from their storage.
+type Labels interface {
+	// Has returns whether the provided label exists.
+	Has(label string) (exists bool)
+
+	// Get returns the value for the provided label.
+	Get(label string) (value string)
+}
+
+// Set is a map of label:value. It implements Labels.
+type Set map[string]string
+
+// String returns all labels listed as a human readable string.
+// Conveniently, exactly the format that ParseSelector takes.
+func (ls Set) String() string {
+	selector := make([]string, 0, len(ls))
+	for key, value := range ls {
+		selector = append(selector, key+"="+value)
+	}
+	// Sort for determinism.
+	sort.StringSlice(selector).Sort()
+	return strings.Join(selector, ",")
+}
+
+// Has returns whether the provided label exists in the map.
+func (ls Set) Has(label string) bool {
+	_, exists := ls[label]
+	return exists
+}
+
+// Get returns the value in the map for the provided label.
+func (ls Set) Get(label string) string {
+	return ls[label]
+}
+
+// AsSelector converts labels into a selectors. It does not
+// perform any validation, which means the server will reject
+// the request if the Set contains invalid values.
+func (ls Set) AsSelector() Selector {
+	return SelectorFromSet(ls)
+}
+
+// AsValidatedSelector converts labels into a selectors.
+// The Set is validated client-side, which allows to catch errors early.
+func (ls Set) AsValidatedSelector() (Selector, error) {
+	return ValidatedSelectorFromSet(ls)
+}
+
+// AsSelectorPreValidated converts labels into a selector, but
+// assumes that labels are already validated and thus doesn't
+// perform any validation.
+// According to our measurements this is significantly faster
+// in codepaths that matter at high scale.
+func (ls Set) AsSelectorPreValidated() Selector {
+	return SelectorFromValidatedSet(ls)
+}
+
+// FormatLabels convert label map into plain string
+func FormatLabels(labelMap map[string]string) string {
+	l := Set(labelMap).String()
+	if l == "" {
+		l = "<none>"
+	}
+	return l
+}
+
+// Conflicts takes 2 maps and returns true if there a key match between
+// the maps but the value doesn't match, and returns false in other cases
+func Conflicts(labels1, labels2 Set) bool {
+	small := labels1
+	big := labels2
+	if len(labels2) < len(labels1) {
+		small = labels2
+		big = labels1
+	}
+
+	for k, v := range small {
+		if val, match := big[k]; match {
+			if val != v {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+// Merge combines given maps, and does not check for any conflicts
+// between the maps. In case of conflicts, second map (labels2) wins
+func Merge(labels1, labels2 Set) Set {
+	mergedMap := Set{}
+
+	for k, v := range labels1 {
+		mergedMap[k] = v
+	}
+	for k, v := range labels2 {
+		mergedMap[k] = v
+	}
+	return mergedMap
+}
+
+// Equals returns true if the given maps are equal
+func Equals(labels1, labels2 Set) bool {
+	if len(labels1) != len(labels2) {
+		return false
+	}
+
+	for k, v := range labels1 {
+		value, ok := labels2[k]
+		if !ok {
+			return false
+		}
+		if value != v {
+			return false
+		}
+	}
+	return true
+}
+
+// AreLabelsInWhiteList verifies if the provided label list
+// is in the provided whitelist and returns true, otherwise false.
+func AreLabelsInWhiteList(labels, whitelist Set) bool {
+	if len(whitelist) == 0 {
+		return true
+	}
+
+	for k, v := range labels {
+		value, ok := whitelist[k]
+		if !ok {
+			return false
+		}
+		if value != v {
+			return false
+		}
+	}
+	return true
+}
+
+// ConvertSelectorToLabelsMap converts selector string to labels map
+// and validates keys and values
+func ConvertSelectorToLabelsMap(selector string) (Set, error) {
+	labelsMap := Set{}
+
+	if len(selector) == 0 {
+		return labelsMap, nil
+	}
+
+	labels := strings.Split(selector, ",")
+	for _, label := range labels {
+		l := strings.Split(label, "=")
+		if len(l) != 2 {
+			return labelsMap, fmt.Errorf("invalid selector: %s", l)
+		}
+		key := strings.TrimSpace(l[0])
+		if err := validateLabelKey(key); err != nil {
+			return labelsMap, err
+		}
+		value := strings.TrimSpace(l[1])
+		if err := validateLabelValue(key, value); err != nil {
+			return labelsMap, err
+		}
+		labelsMap[key] = value
+	}
+	return labelsMap, nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/selector.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/selector.go
new file mode 100644
index 0000000000..73c5ae6a65
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/selector.go
@@ -0,0 +1,925 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/labels/selector.go
+
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package labels
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+
+	"log"
+	"sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection"
+	"sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets"
+	"sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation"
+)
+
+// Requirements is AND of all requirements.
+type Requirements []Requirement
+
+// Selector represents a label selector.
+type Selector interface {
+	// Matches returns true if this selector matches the given set of labels.
+	Matches(Labels) bool
+
+	// Empty returns true if this selector does not restrict the selection space.
+	Empty() bool
+
+	// String returns a human readable string that represents this selector.
+	String() string
+
+	// Add adds requirements to the Selector
+	Add(r ...Requirement) Selector
+
+	// Requirements converts this interface into Requirements to expose
+	// more detailed selection information.
+	// If there are querying parameters, it will return converted requirements and selectable=true.
+	// If this selector doesn't want to select anything, it will return selectable=false.
+	Requirements() (requirements Requirements, selectable bool)
+
+	// Make a deep copy of the selector.
+	DeepCopySelector() Selector
+
+	// RequiresExactMatch allows a caller to introspect whether a given selector
+	// requires a single specific label to be set, and if so returns the value it
+	// requires.
+	RequiresExactMatch(label string) (value string, found bool)
+}
+
+// Everything returns a selector that matches all labels.
+func Everything() Selector {
+	return internalSelector{}
+}
+
+type nothingSelector struct{}
+
+func (n nothingSelector) Matches(_ Labels) bool              { return false }
+func (n nothingSelector) Empty() bool                        { return false }
+func (n nothingSelector) String() string                     { return "" }
+func (n nothingSelector) Add(_ ...Requirement) Selector      { return n }
+func (n nothingSelector) Requirements() (Requirements, bool) { return nil, false }
+func (n nothingSelector) DeepCopySelector() Selector         { return n }
+func (n nothingSelector) RequiresExactMatch(label string) (value string, found bool) {
+	return "", false
+}
+
+// Nothing returns a selector that matches no labels
+func Nothing() Selector {
+	return nothingSelector{}
+}
+
+// NewSelector returns a nil selector
+func NewSelector() Selector {
+	return internalSelector(nil)
+}
+
+type internalSelector []Requirement
+
+func (s internalSelector) DeepCopy() internalSelector {
+	if s == nil {
+		return nil
+	}
+	result := make([]Requirement, len(s))
+	for i := range s {
+		s[i].DeepCopyInto(&result[i])
+	}
+	return result
+}
+
+func (s internalSelector) DeepCopySelector() Selector {
+	return s.DeepCopy()
+}
+
+// ByKey sorts requirements by key to obtain deterministic parser
+type ByKey []Requirement
+
+func (a ByKey) Len() int { return len(a) }
+
+func (a ByKey) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+
+func (a ByKey) Less(i, j int) bool { return a[i].key < a[j].key }
+
+// Requirement contains values, a key, and an operator that relates the key and values.
+// The zero value of Requirement is invalid.
+// Requirement implements both set based match and exact match
+// Requirement should be initialized via NewRequirement constructor for creating a valid Requirement.
+type Requirement struct {
+	key      string
+	operator selection.Operator
+	// In huge majority of cases we have at most one value here.
+	// It is generally faster to operate on a single-element slice
+	// than on a single-element map, so we have a slice here.
+	strValues []string
+}
+
+// NewRequirement is the constructor for a Requirement.
+// If any of these rules is violated, an error is returned:
+// (1) The operator can only be In, NotIn, Equals, DoubleEquals, NotEquals, Exists, or DoesNotExist.
+// (2) If the operator is In or NotIn, the values set must be non-empty.
+// (3) If the operator is Equals, DoubleEquals, or NotEquals, the values set must contain one value.
+// (4) If the operator is Exists or DoesNotExist, the value set must be empty.
+// (5) If the operator is Gt or Lt, the values set must contain only one value, which will be interpreted as an integer.
+// (6) The key is invalid due to its length, or sequence
+//     of characters. See validateLabelKey for more details.
+//
+// The empty string is a valid value in the input values set.
+func NewRequirement(key string, op selection.Operator, vals []string) (*Requirement, error) {
+	if err := validateLabelKey(key); err != nil {
+		return nil, err
+	}
+	switch op {
+	case selection.In, selection.NotIn:
+		if len(vals) == 0 {
+			return nil, fmt.Errorf("for 'in', 'notin' operators, values set can't be empty")
+		}
+	case selection.Equals, selection.DoubleEquals, selection.NotEquals:
+		if len(vals) != 1 {
+			return nil, fmt.Errorf("exact-match compatibility requires one single value")
+		}
+	case selection.Exists, selection.DoesNotExist:
+		if len(vals) != 0 {
+			return nil, fmt.Errorf("values set must be empty for exists and does not exist")
+		}
+	case selection.GreaterThan, selection.LessThan:
+		if len(vals) != 1 {
+			return nil, fmt.Errorf("for 'Gt', 'Lt' operators, exactly one value is required")
+		}
+		for i := range vals {
+			if _, err := strconv.ParseInt(vals[i], 10, 64); err != nil {
+				return nil, fmt.Errorf("for 'Gt', 'Lt' operators, the value must be an integer")
+			}
+		}
+	default:
+		return nil, fmt.Errorf("operator '%v' is not recognized", op)
+	}
+
+	for i := range vals {
+		if err := validateLabelValue(key, vals[i]); err != nil {
+			return nil, err
+		}
+	}
+	return &Requirement{key: key, operator: op, strValues: vals}, nil
+}
+
+func (r *Requirement) hasValue(value string) bool {
+	for i := range r.strValues {
+		if r.strValues[i] == value {
+			return true
+		}
+	}
+	return false
+}
+
+// Matches returns true if the Requirement matches the input Labels.
+// There is a match in the following cases:
+// (1) The operator is Exists and Labels has the Requirement's key.
+// (2) The operator is In, Labels has the Requirement's key and Labels'
+//     value for that key is in Requirement's value set.
+// (3) The operator is NotIn, Labels has the Requirement's key and
+//     Labels' value for that key is not in Requirement's value set.
+// (4) The operator is DoesNotExist or NotIn and Labels does not have the
+//     Requirement's key.
+// (5) The operator is GreaterThanOperator or LessThanOperator, and Labels has
+//     the Requirement's key and the corresponding value satisfies mathematical inequality.
+func (r *Requirement) Matches(ls Labels) bool {
+	switch r.operator {
+	case selection.In, selection.Equals, selection.DoubleEquals:
+		if !ls.Has(r.key) {
+			return false
+		}
+		return r.hasValue(ls.Get(r.key))
+	case selection.NotIn, selection.NotEquals:
+		if !ls.Has(r.key) {
+			return true
+		}
+		return !r.hasValue(ls.Get(r.key))
+	case selection.Exists:
+		return ls.Has(r.key)
+	case selection.DoesNotExist:
+		return !ls.Has(r.key)
+	case selection.GreaterThan, selection.LessThan:
+		if !ls.Has(r.key) {
+			return false
+		}
+		lsValue, err := strconv.ParseInt(ls.Get(r.key), 10, 64)
+		if err != nil {
+			log.Printf("ParseInt failed for value %+v in label %+v, %+v", ls.Get(r.key), ls, err)
+			return false
+		}
+
+		// There should be only one strValue in r.strValues, and can be converted to an integer.
+		if len(r.strValues) != 1 {
+			log.Printf("Invalid values count %+v of requirement %#v, for 'Gt', 'Lt' operators, exactly one value is required", len(r.strValues), r)
+			return false
+		}
+
+		var rValue int64
+		for i := range r.strValues {
+			rValue, err = strconv.ParseInt(r.strValues[i], 10, 64)
+			if err != nil {
+				log.Printf("ParseInt failed for value %+v in requirement %#v, for 'Gt', 'Lt' operators, the value must be an integer", r.strValues[i], r)
+				return false
+			}
+		}
+		return (r.operator == selection.GreaterThan && lsValue > rValue) || (r.operator == selection.LessThan && lsValue < rValue)
+	default:
+		return false
+	}
+}
+
+// Key returns requirement key
+func (r *Requirement) Key() string {
+	return r.key
+}
+
+// Operator returns requirement operator
+func (r *Requirement) Operator() selection.Operator {
+	return r.operator
+}
+
+// Values returns requirement values
+func (r *Requirement) Values() sets.String {
+	ret := sets.String{}
+	for i := range r.strValues {
+		ret.Insert(r.strValues[i])
+	}
+	return ret
+}
+
+// Empty returns true if the internalSelector doesn't restrict selection space
+func (lsel internalSelector) Empty() bool {
+	if lsel == nil {
+		return true
+	}
+	return len(lsel) == 0
+}
+
+// String returns a human-readable string that represents this
+// Requirement. If called on an invalid Requirement, an error is
+// returned. See NewRequirement for creating a valid Requirement.
+func (r *Requirement) String() string {
+	var buffer bytes.Buffer
+	if r.operator == selection.DoesNotExist {
+		buffer.WriteString("!")
+	}
+	buffer.WriteString(r.key)
+
+	switch r.operator {
+	case selection.Equals:
+		buffer.WriteString("=")
+	case selection.DoubleEquals:
+		buffer.WriteString("==")
+	case selection.NotEquals:
+		buffer.WriteString("!=")
+	case selection.In:
+		buffer.WriteString(" in ")
+	case selection.NotIn:
+		buffer.WriteString(" notin ")
+	case selection.GreaterThan:
+		buffer.WriteString(">")
+	case selection.LessThan:
+		buffer.WriteString("<")
+	case selection.Exists, selection.DoesNotExist:
+		return buffer.String()
+	}
+
+	switch r.operator {
+	case selection.In, selection.NotIn:
+		buffer.WriteString("(")
+	}
+	if len(r.strValues) == 1 {
+		buffer.WriteString(r.strValues[0])
+	} else { // only > 1 since == 0 prohibited by NewRequirement
+		// normalizes value order on output, without mutating the in-memory selector representation
+		// also avoids normalization when it is not required, and ensures we do not mutate shared data
+		buffer.WriteString(strings.Join(safeSort(r.strValues), ","))
+	}
+
+	switch r.operator {
+	case selection.In, selection.NotIn:
+		buffer.WriteString(")")
+	}
+	return buffer.String()
+}
+
+// safeSort sort input strings without modification
+func safeSort(in []string) []string {
+	if sort.StringsAreSorted(in) {
+		return in
+	}
+	out := make([]string, len(in))
+	copy(out, in)
+	sort.Strings(out)
+	return out
+}
+
+// Add adds requirements to the selector. It copies the current selector returning a new one
+func (lsel internalSelector) Add(reqs ...Requirement) Selector {
+	var sel internalSelector
+	for ix := range lsel {
+		sel = append(sel, lsel[ix])
+	}
+	for _, r := range reqs {
+		sel = append(sel, r)
+	}
+	sort.Sort(ByKey(sel))
+	return sel
+}
+
+// Matches for a internalSelector returns true if all
+// its Requirements match the input Labels. If any
+// Requirement does not match, false is returned.
+func (lsel internalSelector) Matches(l Labels) bool {
+	for ix := range lsel {
+		if matches := lsel[ix].Matches(l); !matches {
+			return false
+		}
+	}
+	return true
+}
+
+func (lsel internalSelector) Requirements() (Requirements, bool) { return Requirements(lsel), true }
+
+// String returns a comma-separated string of all
+// the internalSelector Requirements' human-readable strings.
+func (lsel internalSelector) String() string {
+	var reqs []string
+	for ix := range lsel {
+		reqs = append(reqs, lsel[ix].String())
+	}
+	return strings.Join(reqs, ",")
+}
+
+// RequiresExactMatch introspect whether a given selector requires a single specific field
+// to be set, and if so returns the value it requires.
+func (lsel internalSelector) RequiresExactMatch(label string) (value string, found bool) {
+	for ix := range lsel {
+		if lsel[ix].key == label {
+			switch lsel[ix].operator {
+			case selection.Equals, selection.DoubleEquals, selection.In:
+				if len(lsel[ix].strValues) == 1 {
+					return lsel[ix].strValues[0], true
+				}
+			}
+			return "", false
+		}
+	}
+	return "", false
+}
+
+// Token represents constant definition for lexer token
+type Token int
+
+const (
+	// ErrorToken represents scan error
+	ErrorToken Token = iota
+	// EndOfStringToken represents end of string
+	EndOfStringToken
+	// ClosedParToken represents close parenthesis
+	ClosedParToken
+	// CommaToken represents the comma
+	CommaToken
+	// DoesNotExistToken represents logic not
+	DoesNotExistToken
+	// DoubleEqualsToken represents double equals
+	DoubleEqualsToken
+	// EqualsToken represents equal
+	EqualsToken
+	// GreaterThanToken represents greater than
+	GreaterThanToken
+	// IdentifierToken represents identifier, e.g. keys and values
+	IdentifierToken
+	// InToken represents in
+	InToken
+	// LessThanToken represents less than
+	LessThanToken
+	// NotEqualsToken represents not equal
+	NotEqualsToken
+	// NotInToken represents not in
+	NotInToken
+	// OpenParToken represents open parenthesis
+	OpenParToken
+)
+
+// string2token contains the mapping between lexer Token and token literal
+// (except IdentifierToken, EndOfStringToken and ErrorToken since it makes no sense)
+var string2token = map[string]Token{
+	")":     ClosedParToken,
+	",":     CommaToken,
+	"!":     DoesNotExistToken,
+	"==":    DoubleEqualsToken,
+	"=":     EqualsToken,
+	">":     GreaterThanToken,
+	"in":    InToken,
+	"<":     LessThanToken,
+	"!=":    NotEqualsToken,
+	"notin": NotInToken,
+	"(":     OpenParToken,
+}
+
+// ScannedItem contains the Token and the literal produced by the lexer.
+type ScannedItem struct {
+	tok     Token
+	literal string
+}
+
+// isWhitespace returns true if the rune is a space, tab, or newline.
+func isWhitespace(ch byte) bool {
+	return ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n'
+}
+
+// isSpecialSymbol detect if the character ch can be an operator
+func isSpecialSymbol(ch byte) bool {
+	switch ch {
+	case '=', '!', '(', ')', ',', '>', '<':
+		return true
+	}
+	return false
+}
+
+// Lexer represents the Lexer struct for label selector.
+// It contains necessary informationt to tokenize the input string
+type Lexer struct {
+	// s stores the string to be tokenized
+	s string
+	// pos is the position currently tokenized
+	pos int
+}
+
+// read return the character currently lexed
+// increment the position and check the buffer overflow
+func (l *Lexer) read() (b byte) {
+	b = 0
+	if l.pos < len(l.s) {
+		b = l.s[l.pos]
+		l.pos++
+	}
+	return b
+}
+
+// unread 'undoes' the last read character
+func (l *Lexer) unread() {
+	l.pos--
+}
+
+// scanIDOrKeyword scans string to recognize literal token (for example 'in') or an identifier.
+func (l *Lexer) scanIDOrKeyword() (tok Token, lit string) {
+	var buffer []byte
+IdentifierLoop:
+	for {
+		switch ch := l.read(); {
+		case ch == 0:
+			break IdentifierLoop
+		case isSpecialSymbol(ch) || isWhitespace(ch):
+			l.unread()
+			break IdentifierLoop
+		default:
+			buffer = append(buffer, ch)
+		}
+	}
+	s := string(buffer)
+	if val, ok := string2token[s]; ok { // is a literal token?
+		return val, s
+	}
+	return IdentifierToken, s // otherwise is an identifier
+}
+
+// scanSpecialSymbol scans string starting with special symbol.
+// special symbol identify non literal operators. "!=", "==", "="
+func (l *Lexer) scanSpecialSymbol() (Token, string) {
+	lastScannedItem := ScannedItem{}
+	var buffer []byte
+SpecialSymbolLoop:
+	for {
+		switch ch := l.read(); {
+		case ch == 0:
+			break SpecialSymbolLoop
+		case isSpecialSymbol(ch):
+			buffer = append(buffer, ch)
+			if token, ok := string2token[string(buffer)]; ok {
+				lastScannedItem = ScannedItem{tok: token, literal: string(buffer)}
+			} else if lastScannedItem.tok != 0 {
+				l.unread()
+				break SpecialSymbolLoop
+			}
+		default:
+			l.unread()
+			break SpecialSymbolLoop
+		}
+	}
+	if lastScannedItem.tok == 0 {
+		return ErrorToken, fmt.Sprintf("error expected: keyword found '%s'", buffer)
+	}
+	return lastScannedItem.tok, lastScannedItem.literal
+}
+
+// skipWhiteSpaces consumes all blank characters
+// returning the first non blank character
+func (l *Lexer) skipWhiteSpaces(ch byte) byte {
+	for {
+		if !isWhitespace(ch) {
+			return ch
+		}
+		ch = l.read()
+	}
+}
+
+// Lex returns a pair of Token and the literal
+// literal is meaningfull only for IdentifierToken token
+func (l *Lexer) Lex() (tok Token, lit string) {
+	switch ch := l.skipWhiteSpaces(l.read()); {
+	case ch == 0:
+		return EndOfStringToken, ""
+	case isSpecialSymbol(ch):
+		l.unread()
+		return l.scanSpecialSymbol()
+	default:
+		l.unread()
+		return l.scanIDOrKeyword()
+	}
+}
+
+// Parser data structure contains the label selector parser data structure
+type Parser struct {
+	l            *Lexer
+	scannedItems []ScannedItem
+	position     int
+}
+
+// ParserContext represents context during parsing:
+// some literal for example 'in' and 'notin' can be
+// recognized as operator for example 'x in (a)' but
+// it can be recognized as value for example 'value in (in)'
+type ParserContext int
+
+const (
+	// KeyAndOperator represents key and operator
+	KeyAndOperator ParserContext = iota
+	// Values represents values
+	Values
+)
+
+// lookahead func returns the current token and string. No increment of current position
+func (p *Parser) lookahead(context ParserContext) (Token, string) {
+	tok, lit := p.scannedItems[p.position].tok, p.scannedItems[p.position].literal
+	if context == Values {
+		switch tok {
+		case InToken, NotInToken:
+			tok = IdentifierToken
+		}
+	}
+	return tok, lit
+}
+
+// consume returns current token and string. Increments the position
+func (p *Parser) consume(context ParserContext) (Token, string) {
+	p.position++
+	tok, lit := p.scannedItems[p.position-1].tok, p.scannedItems[p.position-1].literal
+	if context == Values {
+		switch tok {
+		case InToken, NotInToken:
+			tok = IdentifierToken
+		}
+	}
+	return tok, lit
+}
+
+// scan runs through the input string and stores the ScannedItem in an array
+// Parser can now lookahead and consume the tokens
+func (p *Parser) scan() {
+	for {
+		token, literal := p.l.Lex()
+		p.scannedItems = append(p.scannedItems, ScannedItem{token, literal})
+		if token == EndOfStringToken {
+			break
+		}
+	}
+}
+
+// parse runs the left recursive descending algorithm
+// on input string. It returns a list of Requirement objects.
+func (p *Parser) parse() (internalSelector, error) {
+	p.scan() // init scannedItems
+
+	var requirements internalSelector
+	for {
+		tok, lit := p.lookahead(Values)
+		switch tok {
+		case IdentifierToken, DoesNotExistToken:
+			r, err := p.parseRequirement()
+			if err != nil {
+				return nil, fmt.Errorf("unable to parse requirement: %v", err)
+			}
+			requirements = append(requirements, *r)
+			t, l := p.consume(Values)
+			switch t {
+			case EndOfStringToken:
+				return requirements, nil
+			case CommaToken:
+				t2, l2 := p.lookahead(Values)
+				if t2 != IdentifierToken && t2 != DoesNotExistToken {
+					return nil, fmt.Errorf("found '%s', expected: identifier after ','", l2)
+				}
+			default:
+				return nil, fmt.Errorf("found '%s', expected: ',' or 'end of string'", l)
+			}
+		case EndOfStringToken:
+			return requirements, nil
+		default:
+			return nil, fmt.Errorf("found '%s', expected: !, identifier, or 'end of string'", lit)
+		}
+	}
+}
+
+func (p *Parser) parseRequirement() (*Requirement, error) {
+	key, operator, err := p.parseKeyAndInferOperator()
+	if err != nil {
+		return nil, err
+	}
+	if operator == selection.Exists || operator == selection.DoesNotExist { // operator found lookahead set checked
+		return NewRequirement(key, operator, []string{})
+	}
+	operator, err = p.parseOperator()
+	if err != nil {
+		return nil, err
+	}
+	var values sets.String
+	switch operator {
+	case selection.In, selection.NotIn:
+		values, err = p.parseValues()
+	case selection.Equals, selection.DoubleEquals, selection.NotEquals, selection.GreaterThan, selection.LessThan:
+		values, err = p.parseExactValue()
+	}
+	if err != nil {
+		return nil, err
+	}
+	return NewRequirement(key, operator, values.List())
+
+}
+
+// parseKeyAndInferOperator parse literals.
+// in case of no operator '!, in, notin, ==, =, !=' are found
+// the 'exists' operator is inferred
+func (p *Parser) parseKeyAndInferOperator() (string, selection.Operator, error) {
+	var operator selection.Operator
+	tok, literal := p.consume(Values)
+	if tok == DoesNotExistToken {
+		operator = selection.DoesNotExist
+		tok, literal = p.consume(Values)
+	}
+	if tok != IdentifierToken {
+		err := fmt.Errorf("found '%s', expected: identifier", literal)
+		return "", "", err
+	}
+	if err := validateLabelKey(literal); err != nil {
+		return "", "", err
+	}
+	if t, _ := p.lookahead(Values); t == EndOfStringToken || t == CommaToken {
+		if operator != selection.DoesNotExist {
+			operator = selection.Exists
+		}
+	}
+	return literal, operator, nil
+}
+
+// parseOperator return operator and eventually matchType
+// matchType can be exact
+func (p *Parser) parseOperator() (op selection.Operator, err error) {
+	tok, lit := p.consume(KeyAndOperator)
+	switch tok {
+	// DoesNotExistToken shouldn't be here because it's a unary operator, not a binary operator
+	case InToken:
+		op = selection.In
+	case EqualsToken:
+		op = selection.Equals
+	case DoubleEqualsToken:
+		op = selection.DoubleEquals
+	case GreaterThanToken:
+		op = selection.GreaterThan
+	case LessThanToken:
+		op = selection.LessThan
+	case NotInToken:
+		op = selection.NotIn
+	case NotEqualsToken:
+		op = selection.NotEquals
+	default:
+		return "", fmt.Errorf("found '%s', expected: '=', '!=', '==', 'in', notin'", lit)
+	}
+	return op, nil
+}
+
+// parseValues parses the values for set based matching (x,y,z)
+func (p *Parser) parseValues() (sets.String, error) {
+	tok, lit := p.consume(Values)
+	if tok != OpenParToken {
+		return nil, fmt.Errorf("found '%s' expected: '('", lit)
+	}
+	tok, lit = p.lookahead(Values)
+	switch tok {
+	case IdentifierToken, CommaToken:
+		s, err := p.parseIdentifiersList() // handles general cases
+		if err != nil {
+			return s, err
+		}
+		if tok, _ = p.consume(Values); tok != ClosedParToken {
+			return nil, fmt.Errorf("found '%s', expected: ')'", lit)
+		}
+		return s, nil
+	case ClosedParToken: // handles "()"
+		p.consume(Values)
+		return sets.NewString(""), nil
+	default:
+		return nil, fmt.Errorf("found '%s', expected: ',', ')' or identifier", lit)
+	}
+}
+
+// parseIdentifiersList parses a (possibly empty) list of
+// of comma separated (possibly empty) identifiers
+func (p *Parser) parseIdentifiersList() (sets.String, error) {
+	s := sets.NewString()
+	for {
+		tok, lit := p.consume(Values)
+		switch tok {
+		case IdentifierToken:
+			s.Insert(lit)
+			tok2, lit2 := p.lookahead(Values)
+			switch tok2 {
+			case CommaToken:
+				continue
+			case ClosedParToken:
+				return s, nil
+			default:
+				return nil, fmt.Errorf("found '%s', expected: ',' or ')'", lit2)
+			}
+		case CommaToken: // handled here since we can have "(,"
+			if s.Len() == 0 {
+				s.Insert("") // to handle (,
+			}
+			tok2, _ := p.lookahead(Values)
+			if tok2 == ClosedParToken {
+				s.Insert("") // to handle ,)  Double "" removed by StringSet
+				return s, nil
+			}
+			if tok2 == CommaToken {
+				p.consume(Values)
+				s.Insert("") // to handle ,, Double "" removed by StringSet
+			}
+		default: // it can be operator
+			return s, fmt.Errorf("found '%s', expected: ',', or identifier", lit)
+		}
+	}
+}
+
+// parseExactValue parses the only value for exact match style
+func (p *Parser) parseExactValue() (sets.String, error) {
+	s := sets.NewString()
+	tok, lit := p.lookahead(Values)
+	if tok == EndOfStringToken || tok == CommaToken {
+		s.Insert("")
+		return s, nil
+	}
+	tok, lit = p.consume(Values)
+	if tok == IdentifierToken {
+		s.Insert(lit)
+		return s, nil
+	}
+	return nil, fmt.Errorf("found '%s', expected: identifier", lit)
+}
+
+// Parse takes a string representing a selector and returns a selector
+// object, or an error. This parsing function differs from ParseSelector
+// as they parse different selectors with different syntaxes.
+// The input will cause an error if it does not follow this form:
+//
+//  <selector-syntax>         ::= <requirement> | <requirement> "," <selector-syntax>
+//  <requirement>             ::= [!] KEY [ <set-based-restriction> | <exact-match-restriction> ]
+//  <set-based-restriction>   ::= "" | <inclusion-exclusion> <value-set>
+//  <inclusion-exclusion>     ::= <inclusion> | <exclusion>
+//  <exclusion>               ::= "notin"
+//  <inclusion>               ::= "in"
+//  <value-set>               ::= "(" <values> ")"
+//  <values>                  ::= VALUE | VALUE "," <values>
+//  <exact-match-restriction> ::= ["="|"=="|"!="] VALUE
+//
+// KEY is a sequence of one or more characters following [ DNS_SUBDOMAIN "/" ] DNS_LABEL. Max length is 63 characters.
+// VALUE is a sequence of zero or more characters "([A-Za-z0-9_-\.])". Max length is 63 characters.
+// Delimiter is white space: (' ', '\t')
+// Example of valid syntax:
+//  "x in (foo,,baz),y,z notin ()"
+//
+// Note:
+//  (1) Inclusion - " in " - denotes that the KEY exists and is equal to any of the
+//      VALUEs in its requirement
+//  (2) Exclusion - " notin " - denotes that the KEY is not equal to any
+//      of the VALUEs in its requirement or does not exist
+//  (3) The empty string is a valid VALUE
+//  (4) A requirement with just a KEY - as in "y" above - denotes that
+//      the KEY exists and can be any VALUE.
+//  (5) A requirement with just !KEY requires that the KEY not exist.
+//
+func Parse(selector string) (Selector, error) {
+	parsedSelector, err := parse(selector)
+	if err == nil {
+		return parsedSelector, nil
+	}
+	return nil, err
+}
+
+// parse parses the string representation of the selector and returns the internalSelector struct.
+// The callers of this method can then decide how to return the internalSelector struct to their
+// callers. This function has two callers now, one returns a Selector interface and the other
+// returns a list of requirements.
+func parse(selector string) (internalSelector, error) {
+	p := &Parser{l: &Lexer{s: selector, pos: 0}}
+	items, err := p.parse()
+	if err != nil {
+		return nil, err
+	}
+	sort.Sort(ByKey(items)) // sort to grant determistic parsing
+	return internalSelector(items), err
+}
+
+func validateLabelKey(k string) error {
+	if errs := validation.IsQualifiedName(k); len(errs) != 0 {
+		return fmt.Errorf("invalid label key %q: %s", k, strings.Join(errs, "; "))
+	}
+	return nil
+}
+
+func validateLabelValue(k, v string) error {
+	if errs := validation.IsValidLabelValue(v); len(errs) != 0 {
+		return fmt.Errorf("invalid label value: %q: at key: %q: %s", v, k, strings.Join(errs, "; "))
+	}
+	return nil
+}
+
+// SelectorFromSet returns a Selector which will match exactly the given Set. A
+// nil and empty Sets are considered equivalent to Everything().
+// It does not perform any validation, which means the server will reject
+// the request if the Set contains invalid values.
+func SelectorFromSet(ls Set) Selector {
+	return SelectorFromValidatedSet(ls)
+}
+
+// ValidatedSelectorFromSet returns a Selector which will match exactly the given Set. A
+// nil and empty Sets are considered equivalent to Everything().
+// The Set is validated client-side, which allows to catch errors early.
+func ValidatedSelectorFromSet(ls Set) (Selector, error) {
+	if ls == nil || len(ls) == 0 {
+		return internalSelector{}, nil
+	}
+	requirements := make([]Requirement, 0, len(ls))
+	for label, value := range ls {
+		r, err := NewRequirement(label, selection.Equals, []string{value})
+		if err != nil {
+			return nil, err
+		}
+		requirements = append(requirements, *r)
+	}
+	// sort to have deterministic string representation
+	sort.Sort(ByKey(requirements))
+	return internalSelector(requirements), nil
+}
+
+// SelectorFromValidatedSet returns a Selector which will match exactly the given Set.
+// A nil and empty Sets are considered equivalent to Everything().
+// It assumes that Set is already validated and doesn't do any validation.
+func SelectorFromValidatedSet(ls Set) Selector {
+	if ls == nil || len(ls) == 0 {
+		return internalSelector{}
+	}
+	requirements := make([]Requirement, 0, len(ls))
+	for label, value := range ls {
+		requirements = append(requirements, Requirement{key: label, operator: selection.Equals, strValues: []string{value}})
+	}
+	// sort to have deterministic string representation
+	sort.Sort(ByKey(requirements))
+	return internalSelector(requirements)
+}
+
+// ParseToRequirements takes a string representing a selector and returns a list of
+// requirements. This function is suitable for those callers that perform additional
+// processing on selector requirements.
+// See the documentation for Parse() function for more details.
+// TODO: Consider exporting the internalSelector type instead.
+func ParseToRequirements(selector string) ([]Requirement, error) {
+	return parse(selector)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection/operator.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection/operator.go
new file mode 100644
index 0000000000..29c443df45
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection/operator.go
@@ -0,0 +1,36 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/selection/operator.go
+
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package selection
+
+// Operator represents a key/field's relationship to value(s).
+// See labels.Requirement and fields.Requirement for more details.
+type Operator string
+
+const (
+	DoesNotExist Operator = "!"
+	Equals       Operator = "="
+	DoubleEquals Operator = "=="
+	In           Operator = "in"
+	NotEquals    Operator = "!="
+	NotIn        Operator = "notin"
+	Exists       Operator = "exists"
+	GreaterThan  Operator = "gt"
+	LessThan     Operator = "lt"
+)
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors/errors.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors/errors.go
new file mode 100644
index 0000000000..24d040e06c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors/errors.go
@@ -0,0 +1,252 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/errors/errors.go
+
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errors
+
+import (
+	"errors"
+	"fmt"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets"
+)
+
+// MessageCountMap contains occurrence for each error message.
+type MessageCountMap map[string]int
+
+// Aggregate represents an object that contains multiple errors, but does not
+// necessarily have singular semantic meaning.
+// The aggregate can be used with `errors.Is()` to check for the occurrence of
+// a specific error type.
+// Errors.As() is not supported, because the caller presumably cares about a
+// specific error of potentially multiple that match the given type.
+type Aggregate interface {
+	error
+	Errors() []error
+	Is(error) bool
+}
+
+// NewAggregate converts a slice of errors into an Aggregate interface, which
+// is itself an implementation of the error interface.  If the slice is empty,
+// this returns nil.
+// It will check if any of the element of input error list is nil, to avoid
+// nil pointer panic when call Error().
+func NewAggregate(errlist []error) Aggregate {
+	if len(errlist) == 0 {
+		return nil
+	}
+	// In case of input error list contains nil
+	var errs []error
+	for _, e := range errlist {
+		if e != nil {
+			errs = append(errs, e)
+		}
+	}
+	if len(errs) == 0 {
+		return nil
+	}
+	return aggregate(errs)
+}
+
+// This helper implements the error and Errors interfaces.  Keeping it private
+// prevents people from making an aggregate of 0 errors, which is not
+// an error, but does satisfy the error interface.
+type aggregate []error
+
+// Error is part of the error interface.
+func (agg aggregate) Error() string {
+	if len(agg) == 0 {
+		// This should never happen, really.
+		return ""
+	}
+	if len(agg) == 1 {
+		return agg[0].Error()
+	}
+	seenerrs := sets.NewString()
+	result := ""
+	agg.visit(func(err error) bool {
+		msg := err.Error()
+		if seenerrs.Has(msg) {
+			return false
+		}
+		seenerrs.Insert(msg)
+		if len(seenerrs) > 1 {
+			result += ", "
+		}
+		result += msg
+		return false
+	})
+	if len(seenerrs) == 1 {
+		return result
+	}
+	return "[" + result + "]"
+}
+
+func (agg aggregate) Is(target error) bool {
+	return agg.visit(func(err error) bool {
+		return errors.Is(err, target)
+	})
+}
+
+func (agg aggregate) visit(f func(err error) bool) bool {
+	for _, err := range agg {
+		switch err := err.(type) {
+		case aggregate:
+			if match := err.visit(f); match {
+				return match
+			}
+		case Aggregate:
+			for _, nestedErr := range err.Errors() {
+				if match := f(nestedErr); match {
+					return match
+				}
+			}
+		default:
+			if match := f(err); match {
+				return match
+			}
+		}
+	}
+
+	return false
+}
+
+// Errors is part of the Aggregate interface.
+func (agg aggregate) Errors() []error {
+	return []error(agg)
+}
+
+// Matcher is used to match errors.  Returns true if the error matches.
+type Matcher func(error) bool
+
+// FilterOut removes all errors that match any of the matchers from the input
+// error.  If the input is a singular error, only that error is tested.  If the
+// input implements the Aggregate interface, the list of errors will be
+// processed recursively.
+//
+// This can be used, for example, to remove known-OK errors (such as io.EOF or
+// os.PathNotFound) from a list of errors.
+func FilterOut(err error, fns ...Matcher) error {
+	if err == nil {
+		return nil
+	}
+	if agg, ok := err.(Aggregate); ok {
+		return NewAggregate(filterErrors(agg.Errors(), fns...))
+	}
+	if !matchesError(err, fns...) {
+		return err
+	}
+	return nil
+}
+
+// matchesError returns true if any Matcher returns true
+func matchesError(err error, fns ...Matcher) bool {
+	for _, fn := range fns {
+		if fn(err) {
+			return true
+		}
+	}
+	return false
+}
+
+// filterErrors returns any errors (or nested errors, if the list contains
+// nested Errors) for which all fns return false. If no errors
+// remain a nil list is returned. The resulting silec will have all
+// nested slices flattened as a side effect.
+func filterErrors(list []error, fns ...Matcher) []error {
+	result := []error{}
+	for _, err := range list {
+		r := FilterOut(err, fns...)
+		if r != nil {
+			result = append(result, r)
+		}
+	}
+	return result
+}
+
+// Flatten takes an Aggregate, which may hold other Aggregates in arbitrary
+// nesting, and flattens them all into a single Aggregate, recursively.
+func Flatten(agg Aggregate) Aggregate {
+	result := []error{}
+	if agg == nil {
+		return nil
+	}
+	for _, err := range agg.Errors() {
+		if a, ok := err.(Aggregate); ok {
+			r := Flatten(a)
+			if r != nil {
+				result = append(result, r.Errors()...)
+			}
+		} else {
+			if err != nil {
+				result = append(result, err)
+			}
+		}
+	}
+	return NewAggregate(result)
+}
+
+// CreateAggregateFromMessageCountMap converts MessageCountMap Aggregate
+func CreateAggregateFromMessageCountMap(m MessageCountMap) Aggregate {
+	if m == nil {
+		return nil
+	}
+	result := make([]error, 0, len(m))
+	for errStr, count := range m {
+		var countStr string
+		if count > 1 {
+			countStr = fmt.Sprintf(" (repeated %v times)", count)
+		}
+		result = append(result, fmt.Errorf("%v%v", errStr, countStr))
+	}
+	return NewAggregate(result)
+}
+
+// Reduce will return err or, if err is an Aggregate and only has one item,
+// the first item in the aggregate.
+func Reduce(err error) error {
+	if agg, ok := err.(Aggregate); ok && err != nil {
+		switch len(agg.Errors()) {
+		case 1:
+			return agg.Errors()[0]
+		case 0:
+			return nil
+		}
+	}
+	return err
+}
+
+// AggregateGoroutines runs the provided functions in parallel, stuffing all
+// non-nil errors into the returned Aggregate.
+// Returns nil if all the functions complete successfully.
+func AggregateGoroutines(funcs ...func() error) Aggregate {
+	errChan := make(chan error, len(funcs))
+	for _, f := range funcs {
+		go func(f func() error) { errChan <- f() }(f)
+	}
+	errs := make([]error, 0)
+	for i := 0; i < cap(errChan); i++ {
+		if err := <-errChan; err != nil {
+			errs = append(errs, err)
+		}
+	}
+	return NewAggregate(errs)
+}
+
+// ErrPreconditionViolated is returned when the precondition is violated
+var ErrPreconditionViolated = errors.New("precondition is violated")
diff --git a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.protomessage.pb.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/empty.go
similarity index 57%
rename from vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.protomessage.pb.go
rename to vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/empty.go
index f72b7ec30b..ef404add15 100644
--- a/vendor/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.protomessage.pb.go
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/empty.go
@@ -1,5 +1,5 @@
-//go:build kubernetes_protomessage_one_more_release
-// +build kubernetes_protomessage_one_more_release
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/sets/empty.go
 
 /*
 Copyright The Kubernetes Authors.
@@ -17,18 +17,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Code generated by go-to-protobuf. DO NOT EDIT.
+package sets
 
-package v1
-
-func (*APIService) ProtoMessage() {}
-
-func (*APIServiceCondition) ProtoMessage() {}
-
-func (*APIServiceList) ProtoMessage() {}
-
-func (*APIServiceSpec) ProtoMessage() {}
-
-func (*APIServiceStatus) ProtoMessage() {}
-
-func (*ServiceReference) ProtoMessage() {}
+// Empty is public since it is used by some internal API objects for conversions between external
+// string arrays and internal sets, and conversion logic requires public types today.
+type Empty struct{}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/string.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/string.go
new file mode 100644
index 0000000000..8af1bac2a2
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/string.go
@@ -0,0 +1,206 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/sets/string.go
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sets
+
+import (
+	"reflect"
+	"sort"
+)
+
+// sets.String is a set of strings, implemented via map[string]struct{} for minimal memory consumption.
+type String map[string]Empty
+
+// NewString creates a String from a list of values.
+func NewString(items ...string) String {
+	ss := String{}
+	ss.Insert(items...)
+	return ss
+}
+
+// StringKeySet creates a String from a keys of a map[string](? extends interface{}).
+// If the value passed in is not actually a map, this will panic.
+func StringKeySet(theMap interface{}) String {
+	v := reflect.ValueOf(theMap)
+	ret := String{}
+
+	for _, keyValue := range v.MapKeys() {
+		ret.Insert(keyValue.Interface().(string))
+	}
+	return ret
+}
+
+// Insert adds items to the set.
+func (s String) Insert(items ...string) String {
+	for _, item := range items {
+		s[item] = Empty{}
+	}
+	return s
+}
+
+// Delete removes all items from the set.
+func (s String) Delete(items ...string) String {
+	for _, item := range items {
+		delete(s, item)
+	}
+	return s
+}
+
+// Has returns true if and only if item is contained in the set.
+func (s String) Has(item string) bool {
+	_, contained := s[item]
+	return contained
+}
+
+// HasAll returns true if and only if all items are contained in the set.
+func (s String) HasAll(items ...string) bool {
+	for _, item := range items {
+		if !s.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// HasAny returns true if any items are contained in the set.
+func (s String) HasAny(items ...string) bool {
+	for _, item := range items {
+		if s.Has(item) {
+			return true
+		}
+	}
+	return false
+}
+
+// Difference returns a set of objects that are not in s2
+// For example:
+// s1 = {a1, a2, a3}
+// s2 = {a1, a2, a4, a5}
+// s1.Difference(s2) = {a3}
+// s2.Difference(s1) = {a4, a5}
+func (s String) Difference(s2 String) String {
+	result := NewString()
+	for key := range s {
+		if !s2.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// Union returns a new set which includes items in either s1 or s2.
+// For example:
+// s1 = {a1, a2}
+// s2 = {a3, a4}
+// s1.Union(s2) = {a1, a2, a3, a4}
+// s2.Union(s1) = {a1, a2, a3, a4}
+func (s1 String) Union(s2 String) String {
+	result := NewString()
+	for key := range s1 {
+		result.Insert(key)
+	}
+	for key := range s2 {
+		result.Insert(key)
+	}
+	return result
+}
+
+// Intersection returns a new set which includes the item in BOTH s1 and s2
+// For example:
+// s1 = {a1, a2}
+// s2 = {a2, a3}
+// s1.Intersection(s2) = {a2}
+func (s1 String) Intersection(s2 String) String {
+	var walk, other String
+	result := NewString()
+	if s1.Len() < s2.Len() {
+		walk = s1
+		other = s2
+	} else {
+		walk = s2
+		other = s1
+	}
+	for key := range walk {
+		if other.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// IsSuperset returns true if and only if s1 is a superset of s2.
+func (s1 String) IsSuperset(s2 String) bool {
+	for item := range s2 {
+		if !s1.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal returns true if and only if s1 is equal (as a set) to s2.
+// Two sets are equal if their membership is identical.
+// (In practice, this means same elements, order doesn't matter)
+func (s1 String) Equal(s2 String) bool {
+	return len(s1) == len(s2) && s1.IsSuperset(s2)
+}
+
+type sortableSliceOfString []string
+
+func (s sortableSliceOfString) Len() int           { return len(s) }
+func (s sortableSliceOfString) Less(i, j int) bool { return lessString(s[i], s[j]) }
+func (s sortableSliceOfString) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+
+// List returns the contents as a sorted string slice.
+func (s String) List() []string {
+	res := make(sortableSliceOfString, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	sort.Sort(res)
+	return []string(res)
+}
+
+// UnsortedList returns the slice with contents in random order.
+func (s String) UnsortedList() []string {
+	res := make([]string, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	return res
+}
+
+// Returns a single element from the set.
+func (s String) PopAny() (string, bool) {
+	for key := range s {
+		s.Delete(key)
+		return key, true
+	}
+	var zeroValue string
+	return zeroValue, false
+}
+
+// Len returns the size of the set.
+func (s String) Len() int {
+	return len(s)
+}
+
+func lessString(lhs, rhs string) bool {
+	return lhs < rhs
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/errors.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/errors.go
new file mode 100644
index 0000000000..20229a5b6c
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/errors.go
@@ -0,0 +1,275 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/validation/field/errors.go
+
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package field
+
+import (
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+
+	utilerrors "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors"
+	"sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets"
+)
+
+// Error is an implementation of the 'error' interface, which represents a
+// field-level validation error.
+type Error struct {
+	Type     ErrorType
+	Field    string
+	BadValue interface{}
+	Detail   string
+}
+
+var _ error = &Error{}
+
+// Error implements the error interface.
+func (v *Error) Error() string {
+	return fmt.Sprintf("%s: %s", v.Field, v.ErrorBody())
+}
+
+// ErrorBody returns the error message without the field name.  This is useful
+// for building nice-looking higher-level error reporting.
+func (v *Error) ErrorBody() string {
+	var s string
+	switch v.Type {
+	case ErrorTypeRequired, ErrorTypeForbidden, ErrorTypeTooLong, ErrorTypeInternal:
+		s = v.Type.String()
+	default:
+		value := v.BadValue
+		valueType := reflect.TypeOf(value)
+		if value == nil || valueType == nil {
+			value = "null"
+		} else if valueType.Kind() == reflect.Ptr {
+			if reflectValue := reflect.ValueOf(value); reflectValue.IsNil() {
+				value = "null"
+			} else {
+				value = reflectValue.Elem().Interface()
+			}
+		}
+		switch t := value.(type) {
+		case int64, int32, float64, float32, bool:
+			// use simple printer for simple types
+			s = fmt.Sprintf("%s: %v", v.Type, value)
+		case string:
+			s = fmt.Sprintf("%s: %q", v.Type, t)
+		case fmt.Stringer:
+			// anything that defines String() is better than raw struct
+			s = fmt.Sprintf("%s: %s", v.Type, t.String())
+		default:
+			// fallback to raw struct
+			// TODO: internal types have panic guards against json.Marshalling to prevent
+			// accidental use of internal types in external serialized form.  For now, use
+			// %#v, although it would be better to show a more expressive output in the future
+			s = fmt.Sprintf("%s: %#v", v.Type, value)
+		}
+	}
+	if len(v.Detail) != 0 {
+		s += fmt.Sprintf(": %s", v.Detail)
+	}
+	return s
+}
+
+// ErrorType is a machine readable value providing more detail about why
+// a field is invalid.  These values are expected to match 1-1 with
+// CauseType in api/types.go.
+type ErrorType string
+
+// TODO: These values are duplicated in api/types.go, but there's a circular dep.  Fix it.
+const (
+	// ErrorTypeNotFound is used to report failure to find a requested value
+	// (e.g. looking up an ID).  See NotFound().
+	ErrorTypeNotFound ErrorType = "FieldValueNotFound"
+	// ErrorTypeRequired is used to report required values that are not
+	// provided (e.g. empty strings, null values, or empty arrays).  See
+	// Required().
+	ErrorTypeRequired ErrorType = "FieldValueRequired"
+	// ErrorTypeDuplicate is used to report collisions of values that must be
+	// unique (e.g. unique IDs).  See Duplicate().
+	ErrorTypeDuplicate ErrorType = "FieldValueDuplicate"
+	// ErrorTypeInvalid is used to report malformed values (e.g. failed regex
+	// match, too long, out of bounds).  See Invalid().
+	ErrorTypeInvalid ErrorType = "FieldValueInvalid"
+	// ErrorTypeNotSupported is used to report unknown values for enumerated
+	// fields (e.g. a list of valid values).  See NotSupported().
+	ErrorTypeNotSupported ErrorType = "FieldValueNotSupported"
+	// ErrorTypeForbidden is used to report valid (as per formatting rules)
+	// values which would be accepted under some conditions, but which are not
+	// permitted by the current conditions (such as security policy).  See
+	// Forbidden().
+	ErrorTypeForbidden ErrorType = "FieldValueForbidden"
+	// ErrorTypeTooLong is used to report that the given value is too long.
+	// This is similar to ErrorTypeInvalid, but the error will not include the
+	// too-long value.  See TooLong().
+	ErrorTypeTooLong ErrorType = "FieldValueTooLong"
+	// ErrorTypeTooMany is used to report "too many". This is used to
+	// report that a given list has too many items. This is similar to FieldValueTooLong,
+	// but the error indicates quantity instead of length.
+	ErrorTypeTooMany ErrorType = "FieldValueTooMany"
+	// ErrorTypeInternal is used to report other errors that are not related
+	// to user input.  See InternalError().
+	ErrorTypeInternal ErrorType = "InternalError"
+)
+
+// String converts a ErrorType into its corresponding canonical error message.
+func (t ErrorType) String() string {
+	switch t {
+	case ErrorTypeNotFound:
+		return "Not found"
+	case ErrorTypeRequired:
+		return "Required value"
+	case ErrorTypeDuplicate:
+		return "Duplicate value"
+	case ErrorTypeInvalid:
+		return "Invalid value"
+	case ErrorTypeNotSupported:
+		return "Unsupported value"
+	case ErrorTypeForbidden:
+		return "Forbidden"
+	case ErrorTypeTooLong:
+		return "Too long"
+	case ErrorTypeTooMany:
+		return "Too many"
+	case ErrorTypeInternal:
+		return "Internal error"
+	default:
+		panic(fmt.Sprintf("unrecognized validation error: %q", string(t)))
+	}
+}
+
+// NotFound returns a *Error indicating "value not found".  This is
+// used to report failure to find a requested value (e.g. looking up an ID).
+func NotFound(field *Path, value interface{}) *Error {
+	return &Error{ErrorTypeNotFound, field.String(), value, ""}
+}
+
+// Required returns a *Error indicating "value required".  This is used
+// to report required values that are not provided (e.g. empty strings, null
+// values, or empty arrays).
+func Required(field *Path, detail string) *Error {
+	return &Error{ErrorTypeRequired, field.String(), "", detail}
+}
+
+// Duplicate returns a *Error indicating "duplicate value".  This is
+// used to report collisions of values that must be unique (e.g. names or IDs).
+func Duplicate(field *Path, value interface{}) *Error {
+	return &Error{ErrorTypeDuplicate, field.String(), value, ""}
+}
+
+// Invalid returns a *Error indicating "invalid value".  This is used
+// to report malformed values (e.g. failed regex match, too long, out of bounds).
+func Invalid(field *Path, value interface{}, detail string) *Error {
+	return &Error{ErrorTypeInvalid, field.String(), value, detail}
+}
+
+// NotSupported returns a *Error indicating "unsupported value".
+// This is used to report unknown values for enumerated fields (e.g. a list of
+// valid values).
+func NotSupported(field *Path, value interface{}, validValues []string) *Error {
+	detail := ""
+	if validValues != nil && len(validValues) > 0 {
+		quotedValues := make([]string, len(validValues))
+		for i, v := range validValues {
+			quotedValues[i] = strconv.Quote(v)
+		}
+		detail = "supported values: " + strings.Join(quotedValues, ", ")
+	}
+	return &Error{ErrorTypeNotSupported, field.String(), value, detail}
+}
+
+// Forbidden returns a *Error indicating "forbidden".  This is used to
+// report valid (as per formatting rules) values which would be accepted under
+// some conditions, but which are not permitted by current conditions (e.g.
+// security policy).
+func Forbidden(field *Path, detail string) *Error {
+	return &Error{ErrorTypeForbidden, field.String(), "", detail}
+}
+
+// TooLong returns a *Error indicating "too long".  This is used to
+// report that the given value is too long.  This is similar to
+// Invalid, but the returned error will not include the too-long
+// value.
+func TooLong(field *Path, value interface{}, maxLength int) *Error {
+	return &Error{ErrorTypeTooLong, field.String(), value, fmt.Sprintf("must have at most %d bytes", maxLength)}
+}
+
+// TooMany returns a *Error indicating "too many". This is used to
+// report that a given list has too many items. This is similar to TooLong,
+// but the returned error indicates quantity instead of length.
+func TooMany(field *Path, actualQuantity, maxQuantity int) *Error {
+	return &Error{ErrorTypeTooMany, field.String(), actualQuantity, fmt.Sprintf("must have at most %d items", maxQuantity)}
+}
+
+// InternalError returns a *Error indicating "internal error".  This is used
+// to signal that an error was found that was not directly related to user
+// input.  The err argument must be non-nil.
+func InternalError(field *Path, err error) *Error {
+	return &Error{ErrorTypeInternal, field.String(), nil, err.Error()}
+}
+
+// ErrorList holds a set of Errors.  It is plausible that we might one day have
+// non-field errors in this same umbrella package, but for now we don't, so
+// we can keep it simple and leave ErrorList here.
+type ErrorList []*Error
+
+// NewErrorTypeMatcher returns an errors.Matcher that returns true
+// if the provided error is a Error and has the provided ErrorType.
+func NewErrorTypeMatcher(t ErrorType) utilerrors.Matcher {
+	return func(err error) bool {
+		if e, ok := err.(*Error); ok {
+			return e.Type == t
+		}
+		return false
+	}
+}
+
+// ToAggregate converts the ErrorList into an errors.Aggregate.
+func (list ErrorList) ToAggregate() utilerrors.Aggregate {
+	errs := make([]error, 0, len(list))
+	errorMsgs := sets.NewString()
+	for _, err := range list {
+		msg := fmt.Sprintf("%v", err)
+		if errorMsgs.Has(msg) {
+			continue
+		}
+		errorMsgs.Insert(msg)
+		errs = append(errs, err)
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
+func fromAggregate(agg utilerrors.Aggregate) ErrorList {
+	errs := agg.Errors()
+	list := make(ErrorList, len(errs))
+	for i := range errs {
+		list[i] = errs[i].(*Error)
+	}
+	return list
+}
+
+// Filter removes items from the ErrorList that match the provided fns.
+func (list ErrorList) Filter(fns ...utilerrors.Matcher) ErrorList {
+	err := utilerrors.FilterOut(list.ToAggregate(), fns...)
+	if err == nil {
+		return nil
+	}
+	// FilterOut takes an Aggregate and returns an Aggregate
+	return fromAggregate(err.(utilerrors.Aggregate))
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/path.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/path.go
new file mode 100644
index 0000000000..44cdf997a3
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/path.go
@@ -0,0 +1,94 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/validation/field/path.go
+
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package field
+
+import (
+	"bytes"
+	"fmt"
+	"strconv"
+)
+
+// Path represents the path from some root to a particular field.
+type Path struct {
+	name   string // the name of this field or "" if this is an index
+	index  string // if name == "", this is a subscript (index or map key) of the previous element
+	parent *Path  // nil if this is the root element
+}
+
+// NewPath creates a root Path object.
+func NewPath(name string, moreNames ...string) *Path {
+	r := &Path{name: name, parent: nil}
+	for _, anotherName := range moreNames {
+		r = &Path{name: anotherName, parent: r}
+	}
+	return r
+}
+
+// Root returns the root element of this Path.
+func (p *Path) Root() *Path {
+	for ; p.parent != nil; p = p.parent {
+		// Do nothing.
+	}
+	return p
+}
+
+// Child creates a new Path that is a child of the method receiver.
+func (p *Path) Child(name string, moreNames ...string) *Path {
+	r := NewPath(name, moreNames...)
+	r.Root().parent = p
+	return r
+}
+
+// Index indicates that the previous Path is to be subscripted by an int.
+// This sets the same underlying value as Key.
+func (p *Path) Index(index int) *Path {
+	return &Path{index: strconv.Itoa(index), parent: p}
+}
+
+// Key indicates that the previous Path is to be subscripted by a string.
+// This sets the same underlying value as Index.
+func (p *Path) Key(key string) *Path {
+	return &Path{index: key, parent: p}
+}
+
+// String produces a string representation of the Path.
+func (p *Path) String() string {
+	// make a slice to iterate
+	elems := []*Path{}
+	for ; p != nil; p = p.parent {
+		elems = append(elems, p)
+	}
+
+	// iterate, but it has to be backwards
+	buf := bytes.NewBuffer(nil)
+	for i := range elems {
+		p := elems[len(elems)-1-i]
+		if p.parent != nil && len(p.name) > 0 {
+			// This is either the root or it is a subscript.
+			buf.WriteString(".")
+		}
+		if len(p.name) > 0 {
+			buf.WriteString(p.name)
+		} else {
+			fmt.Fprintf(buf, "[%s]", p.index)
+		}
+	}
+	return buf.String()
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/validation.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/validation.go
new file mode 100644
index 0000000000..5e1ddbc469
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/validation.go
@@ -0,0 +1,506 @@
+// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT.
+// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/validation/validation.go
+
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"fmt"
+	"math"
+	"net"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field"
+)
+
+const qnameCharFmt string = "[A-Za-z0-9]"
+const qnameExtCharFmt string = "[-A-Za-z0-9_.]"
+const qualifiedNameFmt string = "(" + qnameCharFmt + qnameExtCharFmt + "*)?" + qnameCharFmt
+const qualifiedNameErrMsg string = "must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+const qualifiedNameMaxLength int = 63
+
+var qualifiedNameRegexp = regexp.MustCompile("^" + qualifiedNameFmt + "$")
+
+// IsQualifiedName tests whether the value passed is what Kubernetes calls a
+// "qualified name".  This is a format used in various places throughout the
+// system.  If the value is not valid, a list of error strings is returned.
+// Otherwise an empty list (or nil) is returned.
+func IsQualifiedName(value string) []string {
+	var errs []string
+	parts := strings.Split(value, "/")
+	var name string
+	switch len(parts) {
+	case 1:
+		name = parts[0]
+	case 2:
+		var prefix string
+		prefix, name = parts[0], parts[1]
+		if len(prefix) == 0 {
+			errs = append(errs, "prefix part "+EmptyError())
+		} else if msgs := IsDNS1123Subdomain(prefix); len(msgs) != 0 {
+			errs = append(errs, prefixEach(msgs, "prefix part ")...)
+		}
+	default:
+		return append(errs, "a qualified name "+RegexError(qualifiedNameErrMsg, qualifiedNameFmt, "MyName", "my.name", "123-abc")+
+			" with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')")
+	}
+
+	if len(name) == 0 {
+		errs = append(errs, "name part "+EmptyError())
+	} else if len(name) > qualifiedNameMaxLength {
+		errs = append(errs, "name part "+MaxLenError(qualifiedNameMaxLength))
+	}
+	if !qualifiedNameRegexp.MatchString(name) {
+		errs = append(errs, "name part "+RegexError(qualifiedNameErrMsg, qualifiedNameFmt, "MyName", "my.name", "123-abc"))
+	}
+	return errs
+}
+
+// IsFullyQualifiedName checks if the name is fully qualified. This is similar
+// to IsFullyQualifiedDomainName but requires a minimum of 3 segments instead of
+// 2 and does not accept a trailing . as valid.
+// TODO: This function is deprecated and preserved until all callers migrate to
+// IsFullyQualifiedDomainName; please don't add new callers.
+func IsFullyQualifiedName(fldPath *field.Path, name string) field.ErrorList {
+	var allErrors field.ErrorList
+	if len(name) == 0 {
+		return append(allErrors, field.Required(fldPath, ""))
+	}
+	if errs := IsDNS1123Subdomain(name); len(errs) > 0 {
+		return append(allErrors, field.Invalid(fldPath, name, strings.Join(errs, ",")))
+	}
+	if len(strings.Split(name, ".")) < 3 {
+		return append(allErrors, field.Invalid(fldPath, name, "should be a domain with at least three segments separated by dots"))
+	}
+	return allErrors
+}
+
+// IsFullyQualifiedDomainName checks if the domain name is fully qualified. This
+// is similar to IsFullyQualifiedName but only requires a minimum of 2 segments
+// instead of 3 and accepts a trailing . as valid.
+func IsFullyQualifiedDomainName(fldPath *field.Path, name string) field.ErrorList {
+	var allErrors field.ErrorList
+	if len(name) == 0 {
+		return append(allErrors, field.Required(fldPath, ""))
+	}
+	if strings.HasSuffix(name, ".") {
+		name = name[:len(name)-1]
+	}
+	if errs := IsDNS1123Subdomain(name); len(errs) > 0 {
+		return append(allErrors, field.Invalid(fldPath, name, strings.Join(errs, ",")))
+	}
+	if len(strings.Split(name, ".")) < 2 {
+		return append(allErrors, field.Invalid(fldPath, name, "should be a domain with at least two segments separated by dots"))
+	}
+	for _, label := range strings.Split(name, ".") {
+		if errs := IsDNS1123Label(label); len(errs) > 0 {
+			return append(allErrors, field.Invalid(fldPath, label, strings.Join(errs, ",")))
+		}
+	}
+	return allErrors
+}
+
+// Allowed characters in an HTTP Path as defined by RFC 3986. A HTTP path may
+// contain:
+// * unreserved characters (alphanumeric, '-', '.', '_', '~')
+// * percent-encoded octets
+// * sub-delims ("!", "$", "&", "'", "(", ")", "*", "+", ",", ";", "=")
+// * a colon character (":")
+const httpPathFmt string = `[A-Za-z0-9/\-._~%!$&'()*+,;=:]+`
+
+var httpPathRegexp = regexp.MustCompile("^" + httpPathFmt + "$")
+
+// IsDomainPrefixedPath checks if the given string is a domain-prefixed path
+// (e.g. acme.io/foo). All characters before the first "/" must be a valid
+// subdomain as defined by RFC 1123. All characters trailing the first "/" must
+// be valid HTTP Path characters as defined by RFC 3986.
+func IsDomainPrefixedPath(fldPath *field.Path, dpPath string) field.ErrorList {
+	var allErrs field.ErrorList
+	if len(dpPath) == 0 {
+		return append(allErrs, field.Required(fldPath, ""))
+	}
+
+	segments := strings.SplitN(dpPath, "/", 2)
+	if len(segments) != 2 || len(segments[0]) == 0 || len(segments[1]) == 0 {
+		return append(allErrs, field.Invalid(fldPath, dpPath, "must be a domain-prefixed path (such as \"acme.io/foo\")"))
+	}
+
+	host := segments[0]
+	for _, err := range IsDNS1123Subdomain(host) {
+		allErrs = append(allErrs, field.Invalid(fldPath, host, err))
+	}
+
+	path := segments[1]
+	if !httpPathRegexp.MatchString(path) {
+		return append(allErrs, field.Invalid(fldPath, path, RegexError("Invalid path", httpPathFmt)))
+	}
+
+	return allErrs
+}
+
+const labelValueFmt string = "(" + qualifiedNameFmt + ")?"
+const labelValueErrMsg string = "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+
+// LabelValueMaxLength is a label's max length
+const LabelValueMaxLength int = 63
+
+var labelValueRegexp = regexp.MustCompile("^" + labelValueFmt + "$")
+
+// IsValidLabelValue tests whether the value passed is a valid label value.  If
+// the value is not valid, a list of error strings is returned.  Otherwise an
+// empty list (or nil) is returned.
+func IsValidLabelValue(value string) []string {
+	var errs []string
+	if len(value) > LabelValueMaxLength {
+		errs = append(errs, MaxLenError(LabelValueMaxLength))
+	}
+	if !labelValueRegexp.MatchString(value) {
+		errs = append(errs, RegexError(labelValueErrMsg, labelValueFmt, "MyValue", "my_value", "12345"))
+	}
+	return errs
+}
+
+const dns1123LabelFmt string = "[a-z0-9]([-a-z0-9]*[a-z0-9])?"
+const dns1123LabelErrMsg string = "a DNS-1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character"
+
+// DNS1123LabelMaxLength is a label's max length in DNS (RFC 1123)
+const DNS1123LabelMaxLength int = 63
+
+var dns1123LabelRegexp = regexp.MustCompile("^" + dns1123LabelFmt + "$")
+
+// IsDNS1123Label tests for a string that conforms to the definition of a label in
+// DNS (RFC 1123).
+func IsDNS1123Label(value string) []string {
+	var errs []string
+	if len(value) > DNS1123LabelMaxLength {
+		errs = append(errs, MaxLenError(DNS1123LabelMaxLength))
+	}
+	if !dns1123LabelRegexp.MatchString(value) {
+		errs = append(errs, RegexError(dns1123LabelErrMsg, dns1123LabelFmt, "my-name", "123-abc"))
+	}
+	return errs
+}
+
+const dns1123SubdomainFmt string = dns1123LabelFmt + "(\\." + dns1123LabelFmt + ")*"
+const dns1123SubdomainErrorMsg string = "a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+
+// DNS1123SubdomainMaxLength is a subdomain's max length in DNS (RFC 1123)
+const DNS1123SubdomainMaxLength int = 253
+
+var dns1123SubdomainRegexp = regexp.MustCompile("^" + dns1123SubdomainFmt + "$")
+
+// IsDNS1123Subdomain tests for a string that conforms to the definition of a
+// subdomain in DNS (RFC 1123).
+func IsDNS1123Subdomain(value string) []string {
+	var errs []string
+	if len(value) > DNS1123SubdomainMaxLength {
+		errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength))
+	}
+	if !dns1123SubdomainRegexp.MatchString(value) {
+		errs = append(errs, RegexError(dns1123SubdomainErrorMsg, dns1123SubdomainFmt, "example.com"))
+	}
+	return errs
+}
+
+const dns1035LabelFmt string = "[a-z]([-a-z0-9]*[a-z0-9])?"
+const dns1035LabelErrMsg string = "a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character"
+
+// DNS1035LabelMaxLength is a label's max length in DNS (RFC 1035)
+const DNS1035LabelMaxLength int = 63
+
+var dns1035LabelRegexp = regexp.MustCompile("^" + dns1035LabelFmt + "$")
+
+// IsDNS1035Label tests for a string that conforms to the definition of a label in
+// DNS (RFC 1035).
+func IsDNS1035Label(value string) []string {
+	var errs []string
+	if len(value) > DNS1035LabelMaxLength {
+		errs = append(errs, MaxLenError(DNS1035LabelMaxLength))
+	}
+	if !dns1035LabelRegexp.MatchString(value) {
+		errs = append(errs, RegexError(dns1035LabelErrMsg, dns1035LabelFmt, "my-name", "abc-123"))
+	}
+	return errs
+}
+
+// wildcard definition - RFC 1034 section 4.3.3.
+// examples:
+// - valid: *.bar.com, *.foo.bar.com
+// - invalid: *.*.bar.com, *.foo.*.com, *bar.com, f*.bar.com, *
+const wildcardDNS1123SubdomainFmt = "\\*\\." + dns1123SubdomainFmt
+const wildcardDNS1123SubdomainErrMsg = "a wildcard DNS-1123 subdomain must start with '*.', followed by a valid DNS subdomain, which must consist of lower case alphanumeric characters, '-' or '.' and end with an alphanumeric character"
+
+// IsWildcardDNS1123Subdomain tests for a string that conforms to the definition of a
+// wildcard subdomain in DNS (RFC 1034 section 4.3.3).
+func IsWildcardDNS1123Subdomain(value string) []string {
+	wildcardDNS1123SubdomainRegexp := regexp.MustCompile("^" + wildcardDNS1123SubdomainFmt + "$")
+
+	var errs []string
+	if len(value) > DNS1123SubdomainMaxLength {
+		errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength))
+	}
+	if !wildcardDNS1123SubdomainRegexp.MatchString(value) {
+		errs = append(errs, RegexError(wildcardDNS1123SubdomainErrMsg, wildcardDNS1123SubdomainFmt, "*.example.com"))
+	}
+	return errs
+}
+
+const cIdentifierFmt string = "[A-Za-z_][A-Za-z0-9_]*"
+const identifierErrMsg string = "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_'"
+
+var cIdentifierRegexp = regexp.MustCompile("^" + cIdentifierFmt + "$")
+
+// IsCIdentifier tests for a string that conforms the definition of an identifier
+// in C. This checks the format, but not the length.
+func IsCIdentifier(value string) []string {
+	if !cIdentifierRegexp.MatchString(value) {
+		return []string{RegexError(identifierErrMsg, cIdentifierFmt, "my_name", "MY_NAME", "MyName")}
+	}
+	return nil
+}
+
+// IsValidPortNum tests that the argument is a valid, non-zero port number.
+func IsValidPortNum(port int) []string {
+	if 1 <= port && port <= 65535 {
+		return nil
+	}
+	return []string{InclusiveRangeError(1, 65535)}
+}
+
+// IsInRange tests that the argument is in an inclusive range.
+func IsInRange(value int, min int, max int) []string {
+	if value >= min && value <= max {
+		return nil
+	}
+	return []string{InclusiveRangeError(min, max)}
+}
+
+// Now in libcontainer UID/GID limits is 0 ~ 1<<31 - 1
+// TODO: once we have a type for UID/GID we should make these that type.
+const (
+	minUserID  = 0
+	maxUserID  = math.MaxInt32
+	minGroupID = 0
+	maxGroupID = math.MaxInt32
+)
+
+// IsValidGroupID tests that the argument is a valid Unix GID.
+func IsValidGroupID(gid int64) []string {
+	if minGroupID <= gid && gid <= maxGroupID {
+		return nil
+	}
+	return []string{InclusiveRangeError(minGroupID, maxGroupID)}
+}
+
+// IsValidUserID tests that the argument is a valid Unix UID.
+func IsValidUserID(uid int64) []string {
+	if minUserID <= uid && uid <= maxUserID {
+		return nil
+	}
+	return []string{InclusiveRangeError(minUserID, maxUserID)}
+}
+
+var portNameCharsetRegex = regexp.MustCompile("^[-a-z0-9]+$")
+var portNameOneLetterRegexp = regexp.MustCompile("[a-z]")
+
+// IsValidPortName check that the argument is valid syntax. It must be
+// non-empty and no more than 15 characters long. It may contain only [-a-z0-9]
+// and must contain at least one letter [a-z]. It must not start or end with a
+// hyphen, nor contain adjacent hyphens.
+//
+// Note: We only allow lower-case characters, even though RFC 6335 is case
+// insensitive.
+func IsValidPortName(port string) []string {
+	var errs []string
+	if len(port) > 15 {
+		errs = append(errs, MaxLenError(15))
+	}
+	if !portNameCharsetRegex.MatchString(port) {
+		errs = append(errs, "must contain only alpha-numeric characters (a-z, 0-9), and hyphens (-)")
+	}
+	if !portNameOneLetterRegexp.MatchString(port) {
+		errs = append(errs, "must contain at least one letter or number (a-z, 0-9)")
+	}
+	if strings.Contains(port, "--") {
+		errs = append(errs, "must not contain consecutive hyphens")
+	}
+	if len(port) > 0 && (port[0] == '-' || port[len(port)-1] == '-') {
+		errs = append(errs, "must not begin or end with a hyphen")
+	}
+	return errs
+}
+
+// IsValidIP tests that the argument is a valid IP address.
+func IsValidIP(value string) []string {
+	if net.ParseIP(value) == nil {
+		return []string{"must be a valid IP address, (e.g. 10.9.8.7)"}
+	}
+	return nil
+}
+
+// IsValidIPv4Address tests that the argument is a valid IPv4 address.
+func IsValidIPv4Address(fldPath *field.Path, value string) field.ErrorList {
+	var allErrors field.ErrorList
+	ip := net.ParseIP(value)
+	if ip == nil || ip.To4() == nil {
+		allErrors = append(allErrors, field.Invalid(fldPath, value, "must be a valid IPv4 address"))
+	}
+	return allErrors
+}
+
+// IsValidIPv6Address tests that the argument is a valid IPv6 address.
+func IsValidIPv6Address(fldPath *field.Path, value string) field.ErrorList {
+	var allErrors field.ErrorList
+	ip := net.ParseIP(value)
+	if ip == nil || ip.To4() != nil {
+		allErrors = append(allErrors, field.Invalid(fldPath, value, "must be a valid IPv6 address"))
+	}
+	return allErrors
+}
+
+const percentFmt string = "[0-9]+%"
+const percentErrMsg string = "a valid percent string must be a numeric string followed by an ending '%'"
+
+var percentRegexp = regexp.MustCompile("^" + percentFmt + "$")
+
+// IsValidPercent checks that string is in the form of a percentage
+func IsValidPercent(percent string) []string {
+	if !percentRegexp.MatchString(percent) {
+		return []string{RegexError(percentErrMsg, percentFmt, "1%", "93%")}
+	}
+	return nil
+}
+
+const httpHeaderNameFmt string = "[-A-Za-z0-9]+"
+const httpHeaderNameErrMsg string = "a valid HTTP header must consist of alphanumeric characters or '-'"
+
+var httpHeaderNameRegexp = regexp.MustCompile("^" + httpHeaderNameFmt + "$")
+
+// IsHTTPHeaderName checks that a string conforms to the Go HTTP library's
+// definition of a valid header field name (a stricter subset than RFC7230).
+func IsHTTPHeaderName(value string) []string {
+	if !httpHeaderNameRegexp.MatchString(value) {
+		return []string{RegexError(httpHeaderNameErrMsg, httpHeaderNameFmt, "X-Header-Name")}
+	}
+	return nil
+}
+
+const envVarNameFmt = "[-._a-zA-Z][-._a-zA-Z0-9]*"
+const envVarNameFmtErrMsg string = "a valid environment variable name must consist of alphabetic characters, digits, '_', '-', or '.', and must not start with a digit"
+
+var envVarNameRegexp = regexp.MustCompile("^" + envVarNameFmt + "$")
+
+// IsEnvVarName tests if a string is a valid environment variable name.
+func IsEnvVarName(value string) []string {
+	var errs []string
+	if !envVarNameRegexp.MatchString(value) {
+		errs = append(errs, RegexError(envVarNameFmtErrMsg, envVarNameFmt, "my.env-name", "MY_ENV.NAME", "MyEnvName1"))
+	}
+
+	errs = append(errs, hasChDirPrefix(value)...)
+	return errs
+}
+
+const configMapKeyFmt = `[-._a-zA-Z0-9]+`
+const configMapKeyErrMsg string = "a valid config key must consist of alphanumeric characters, '-', '_' or '.'"
+
+var configMapKeyRegexp = regexp.MustCompile("^" + configMapKeyFmt + "$")
+
+// IsConfigMapKey tests for a string that is a valid key for a ConfigMap or Secret
+func IsConfigMapKey(value string) []string {
+	var errs []string
+	if len(value) > DNS1123SubdomainMaxLength {
+		errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength))
+	}
+	if !configMapKeyRegexp.MatchString(value) {
+		errs = append(errs, RegexError(configMapKeyErrMsg, configMapKeyFmt, "key.name", "KEY_NAME", "key-name"))
+	}
+	errs = append(errs, hasChDirPrefix(value)...)
+	return errs
+}
+
+// MaxLenError returns a string explanation of a "string too long" validation
+// failure.
+func MaxLenError(length int) string {
+	return fmt.Sprintf("must be no more than %d characters", length)
+}
+
+// RegexError returns a string explanation of a regex validation failure.
+func RegexError(msg string, fmt string, examples ...string) string {
+	if len(examples) == 0 {
+		return msg + " (regex used for validation is '" + fmt + "')"
+	}
+	msg += " (e.g. "
+	for i := range examples {
+		if i > 0 {
+			msg += " or "
+		}
+		msg += "'" + examples[i] + "', "
+	}
+	msg += "regex used for validation is '" + fmt + "')"
+	return msg
+}
+
+// EmptyError returns a string explanation of a "must not be empty" validation
+// failure.
+func EmptyError() string {
+	return "must be non-empty"
+}
+
+func prefixEach(msgs []string, prefix string) []string {
+	for i := range msgs {
+		msgs[i] = prefix + msgs[i]
+	}
+	return msgs
+}
+
+// InclusiveRangeError returns a string explanation of a numeric "must be
+// between" validation failure.
+func InclusiveRangeError(lo, hi int) string {
+	return fmt.Sprintf(`must be between %d and %d, inclusive`, lo, hi)
+}
+
+func hasChDirPrefix(value string) []string {
+	var errs []string
+	switch {
+	case value == ".":
+		errs = append(errs, `must not be '.'`)
+	case value == "..":
+		errs = append(errs, `must not be '..'`)
+	case strings.HasPrefix(value, ".."):
+		errs = append(errs, `must not start with '..'`)
+	}
+	return errs
+}
+
+// IsValidSocketAddr checks that string represents a valid socket address
+// as defined in RFC 789. (e.g 0.0.0.0:10254 or [::]:10254))
+func IsValidSocketAddr(value string) []string {
+	var errs []string
+	ip, port, err := net.SplitHostPort(value)
+	if err != nil {
+		errs = append(errs, "must be a valid socket address format, (e.g. 0.0.0.0:10254 or [::]:10254)")
+		return errs
+	}
+	portInt, _ := strconv.Atoi(port)
+	errs = append(errs, IsValidPortNum(portInt)...)
+	errs = append(errs, IsValidIP(ip)...)
+	return errs
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/kfns.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/kfns.go
new file mode 100644
index 0000000000..5d0f4b2dcb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/kfns.go
@@ -0,0 +1,137 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	yaml "go.yaml.in/yaml/v3"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+// AnnotationClearer removes an annotation at metadata.annotations.
+// Returns nil if the annotation or field does not exist.
+type AnnotationClearer struct {
+	Kind string `yaml:"kind,omitempty"`
+	Key  string `yaml:"key,omitempty"`
+}
+
+func (c AnnotationClearer) Filter(rn *RNode) (*RNode, error) {
+	return rn.Pipe(
+		PathGetter{Path: []string{MetadataField, AnnotationsField}},
+		FieldClearer{Name: c.Key})
+}
+
+func ClearAnnotation(key string) AnnotationClearer {
+	return AnnotationClearer{Key: key}
+}
+
+// ClearEmptyAnnotations clears the keys, annotations
+// and metadata if they are empty/null
+func ClearEmptyAnnotations(rn *RNode) error {
+	_, err := rn.Pipe(Lookup(MetadataField), FieldClearer{
+		Name: AnnotationsField, IfEmpty: true})
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	_, err = rn.Pipe(FieldClearer{Name: MetadataField, IfEmpty: true})
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	return nil
+}
+
+// k8sMetaSetter sets a name at metadata.{key}.
+// Creates metadata if does not exist.
+type k8sMetaSetter struct {
+	Key   string `yaml:"key,omitempty"`
+	Value string `yaml:"value,omitempty"`
+}
+
+func (s k8sMetaSetter) Filter(rn *RNode) (*RNode, error) {
+	_, err := rn.Pipe(
+		PathGetter{Path: []string{MetadataField}, Create: yaml.MappingNode},
+		FieldSetter{Name: s.Key, Value: NewStringRNode(s.Value)})
+	return rn, err
+}
+
+func SetK8sName(value string) k8sMetaSetter {
+	return k8sMetaSetter{Key: NameField, Value: value}
+}
+
+func SetK8sNamespace(value string) k8sMetaSetter {
+	return k8sMetaSetter{Key: NamespaceField, Value: value}
+}
+
+// AnnotationSetter sets an annotation at metadata.annotations.
+// Creates metadata.annotations if does not exist.
+type AnnotationSetter struct {
+	Kind  string `yaml:"kind,omitempty"`
+	Key   string `yaml:"key,omitempty"`
+	Value string `yaml:"value,omitempty"`
+}
+
+func (s AnnotationSetter) Filter(rn *RNode) (*RNode, error) {
+	v := NewStringRNode(s.Value)
+	// some tools get confused about the type if annotations are not quoted
+	v.YNode().Style = yaml.SingleQuotedStyle
+	if err := ClearEmptyAnnotations(rn); err != nil {
+		return nil, err
+	}
+	return addMetadataNode(rn, AnnotationsField, s.Key, v)
+}
+
+func SetAnnotation(key, value string) AnnotationSetter {
+	return AnnotationSetter{Key: key, Value: value}
+}
+
+// AnnotationGetter gets an annotation at metadata.annotations.
+// Returns nil if metadata.annotations does not exist.
+type AnnotationGetter struct {
+	Kind  string `yaml:"kind,omitempty"`
+	Key   string `yaml:"key,omitempty"`
+	Value string `yaml:"value,omitempty"`
+}
+
+// AnnotationGetter returns the annotation value.
+// Returns "", nil if the annotation does not exist.
+func (g AnnotationGetter) Filter(rn *RNode) (*RNode, error) {
+	v, err := rn.Pipe(
+		PathGetter{Path: []string{MetadataField, AnnotationsField, g.Key}})
+	if v == nil || err != nil {
+		return v, err
+	}
+	if g.Value == "" || v.value.Value == g.Value {
+		return v, err
+	}
+	return nil, err
+}
+
+func GetAnnotation(key string) AnnotationGetter {
+	return AnnotationGetter{Key: key}
+}
+
+// LabelSetter sets a label at metadata.labels.
+// Creates metadata.labels if does not exist.
+type LabelSetter struct {
+	Kind  string `yaml:"kind,omitempty"`
+	Key   string `yaml:"key,omitempty"`
+	Value string `yaml:"value,omitempty"`
+}
+
+func (s LabelSetter) Filter(rn *RNode) (*RNode, error) {
+	v := NewStringRNode(s.Value)
+	// some tools get confused about the type if labels are not quoted
+	v.YNode().Style = yaml.SingleQuotedStyle
+	return addMetadataNode(rn, LabelsField, s.Key, v)
+}
+
+func addMetadataNode(rn *RNode, field, key string, v *RNode) (*RNode, error) {
+	return rn.Pipe(
+		PathGetter{
+			Path: []string{MetadataField, field}, Create: yaml.MappingNode},
+		FieldSetter{Name: key, Value: v})
+}
+
+func SetLabel(key, value string) LabelSetter {
+	return LabelSetter{Key: key, Value: value}
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/mapnode.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/mapnode.go
new file mode 100644
index 0000000000..31b41b40fb
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/mapnode.go
@@ -0,0 +1,40 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+// MapNode wraps a field key and value.
+type MapNode struct {
+	Key   *RNode
+	Value *RNode
+}
+
+// IsNilOrEmpty returns true if the MapNode is nil,
+// has no value, or has a value that appears empty.
+func (mn *MapNode) IsNilOrEmpty() bool {
+	return mn == nil || mn.Value.IsNilOrEmpty()
+}
+
+type MapNodeSlice []*MapNode
+
+func (m MapNodeSlice) Keys() []*RNode {
+	var keys []*RNode
+	for i := range m {
+		if m[i] != nil {
+			keys = append(keys, m[i].Key)
+		}
+	}
+	return keys
+}
+
+func (m MapNodeSlice) Values() []*RNode {
+	var values []*RNode
+	for i := range m {
+		if m[i] != nil {
+			values = append(values, m[i].Value)
+		} else {
+			values = append(values, nil)
+		}
+	}
+	return values
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/match.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/match.go
new file mode 100644
index 0000000000..28ea03ca6f
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/match.go
@@ -0,0 +1,333 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	yaml "go.yaml.in/yaml/v3"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+)
+
+// PathMatcher returns all RNodes matching the path wrapped in a SequenceNode.
+// Lists may have multiple elements matching the path, and each matching element
+// is added to the return result.
+// If Path points to a SequenceNode, the SequenceNode is wrapped in another SequenceNode
+// If Path does not contain any lists, the result is still wrapped in a SequenceNode of len == 1
+type PathMatcher struct {
+	Kind string `yaml:"kind,omitempty"`
+
+	// Path is a slice of parts leading to the RNode to lookup.
+	// Each path part may be one of:
+	// * FieldMatcher -- e.g. "spec"
+	// * Map Key -- e.g. "app.k8s.io/version"
+	// * List Entry -- e.g. "[name=nginx]" or "[=-jar]" or "0"
+	//
+	// Map Keys and Fields are equivalent.
+	// See FieldMatcher for more on Fields and Map Keys.
+	//
+	// List Entries are specified as map entry to match [fieldName=fieldValue].
+	// See Elem for more on List Entries.
+	//
+	// Examples:
+	// * spec.template.spec.container with matching name: [name=nginx] -- match 'name': 'nginx'
+	// * spec.template.spec.container.argument matching a value: [=-jar] -- match '-jar'
+	Path []string `yaml:"path,omitempty"`
+
+	// Matches is set by PathMatch to publish the matched element values for each node.
+	// After running  PathMatcher.Filter, each node from the SequenceNode result may be
+	// looked up in Matches to find the field values that were matched.
+	Matches map[*Node][]string
+
+	// StripComments may be set to remove the comments on the matching Nodes.
+	// This is useful for if the nodes are to be printed in FlowStyle.
+	StripComments bool
+
+	// Create will cause missing path parts to be created as they are walked.
+	//
+	// * The leaf Node (final path) will be created with a Kind matching Create
+	// * Intermediary Nodes will be created as either a MappingNodes or
+	//   SequenceNodes as appropriate for each's Path location.
+	// * Nodes identified by an index will only be created if the index indicates
+	//   an append operation (i.e. index=len(list))
+	Create yaml.Kind `yaml:"create,omitempty"`
+
+	val        *RNode
+	field      string
+	matchRegex string
+}
+
+func (p *PathMatcher) stripComments(n *Node) {
+	if n == nil {
+		return
+	}
+	if p.StripComments {
+		n.LineComment = ""
+		n.HeadComment = ""
+		n.FootComment = ""
+		for i := range n.Content {
+			p.stripComments(n.Content[i])
+		}
+	}
+}
+
+func (p *PathMatcher) Filter(rn *RNode) (*RNode, error) {
+	val, err := p.filter(rn)
+	if err != nil {
+		return nil, err
+	}
+	p.stripComments(val.YNode())
+	return val, err
+}
+
+func (p *PathMatcher) filter(rn *RNode) (*RNode, error) {
+	p.Matches = map[*Node][]string{}
+
+	if len(p.Path) == 0 {
+		// return the element wrapped in a SequenceNode
+		p.appendRNode("", rn)
+		return p.val, nil
+	}
+
+	if IsIdxNumber(p.Path[0]) {
+		return p.doIndexSeq(rn)
+	}
+
+	if IsListIndex(p.Path[0]) {
+		// match seq elements
+		return p.doSeq(rn)
+	}
+
+	if IsWildcard(p.Path[0]) {
+		// match every elements (*)
+		return p.doMatchEvery(rn)
+	}
+	// match a field
+	return p.doField(rn)
+}
+
+func (p *PathMatcher) doMatchEvery(rn *RNode) (*RNode, error) {
+	if err := rn.VisitElements(p.visitEveryElem); err != nil {
+		return nil, err
+	}
+
+	return p.val, nil
+}
+
+func (p *PathMatcher) visitEveryElem(elem *RNode) error {
+	fieldName := p.Path[0]
+	// recurse on the matching element
+	pm := &PathMatcher{Path: p.Path[1:], Create: p.Create}
+	add, err := pm.filter(elem)
+	for k, v := range pm.Matches {
+		p.Matches[k] = v
+	}
+	if err != nil || add == nil {
+		return err
+	}
+	p.append(fieldName, add.Content()...)
+
+	return nil
+}
+
+func (p *PathMatcher) doField(rn *RNode) (*RNode, error) {
+	// lookup the field
+	field, err := rn.Pipe(Get(p.Path[0]))
+	if err != nil || (!IsCreate(p.Create) && field == nil) {
+		return nil, err
+	}
+
+	if IsCreate(p.Create) && field == nil {
+		var nextPart string
+		if len(p.Path) > 1 {
+			nextPart = p.Path[1]
+		}
+		nextPartKind := getPathPartKind(nextPart, p.Create)
+		field = &RNode{value: &yaml.Node{Kind: nextPartKind}}
+		err := rn.PipeE(SetField(p.Path[0], field))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// recurse on the field, removing the first element of the path
+	pm := &PathMatcher{Path: p.Path[1:], Create: p.Create}
+	p.val, err = pm.filter(field)
+	p.Matches = pm.Matches
+	return p.val, err
+}
+
+// doIndexSeq iterates over a sequence and appends elements matching the index p.Val
+func (p *PathMatcher) doIndexSeq(rn *RNode) (*RNode, error) {
+	// parse to index number
+	idx, err := strconv.Atoi(p.Path[0])
+	if err != nil {
+		return nil, err
+	}
+
+	elements, err := rn.Elements()
+	if err != nil {
+		return nil, err
+	}
+
+	if len(elements) == idx && IsCreate(p.Create) {
+		var nextPart string
+		if len(p.Path) > 1 {
+			nextPart = p.Path[1]
+		}
+		elem := &yaml.Node{Kind: getPathPartKind(nextPart, p.Create)}
+		err = rn.PipeE(Append(elem))
+		if err != nil {
+			return nil, errors.WrapPrefixf(err, "failed to append element for %q", p.Path[0])
+		}
+		elements = append(elements, NewRNode(elem))
+	}
+
+	if len(elements) < idx+1 {
+		return nil, fmt.Errorf("index %d specified but only %d elements found", idx, len(elements))
+	}
+	// get target element
+	element := elements[idx]
+
+	// recurse on the matching element
+	pm := &PathMatcher{Path: p.Path[1:], Create: p.Create}
+	add, err := pm.filter(element)
+	for k, v := range pm.Matches {
+		p.Matches[k] = v
+	}
+	if err != nil || add == nil {
+		return nil, err
+	}
+	p.append("", add.Content()...)
+	return p.val, nil
+}
+
+// doSeq iterates over a sequence and appends elements matching the path regex to p.Val
+func (p *PathMatcher) doSeq(rn *RNode) (*RNode, error) {
+	// parse the field + match pair
+	var err error
+	p.field, p.matchRegex, err = SplitIndexNameValue(p.Path[0])
+	if err != nil {
+		return nil, err
+	}
+
+	primitiveElement := len(p.field) == 0
+	if primitiveElement {
+		err = rn.VisitElements(p.visitPrimitiveElem)
+	} else {
+		err = rn.VisitElements(p.visitElem)
+	}
+	if err != nil {
+		return nil, err
+	}
+	if !p.val.IsNil() && len(p.val.YNode().Content) == 0 {
+		p.val = nil
+	}
+
+	if !IsCreate(p.Create) || p.val != nil {
+		return p.val, nil
+	}
+
+	var elem *yaml.Node
+	valueNode := NewScalarRNode(p.matchRegex).YNode()
+	if primitiveElement {
+		elem = valueNode
+	} else {
+		elem = &yaml.Node{
+			Kind:    yaml.MappingNode,
+			Content: []*yaml.Node{{Kind: yaml.ScalarNode, Value: p.field}, valueNode},
+		}
+	}
+	err = rn.PipeE(Append(elem))
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to create element for %q", p.Path[0])
+	}
+	// re-do the sequence search; this time we'll find the element we just created
+	return p.doSeq(rn)
+}
+
+func (p *PathMatcher) visitPrimitiveElem(elem *RNode) error {
+	r, err := regexp.Compile(p.matchRegex)
+	if err != nil {
+		return err
+	}
+
+	str, err := elem.String()
+	if err != nil {
+		return err
+	}
+	str = strings.TrimSpace(str)
+	if !r.MatchString(str) {
+		return nil
+	}
+
+	p.appendRNode("", elem)
+	return nil
+}
+
+func (p *PathMatcher) visitElem(elem *RNode) error {
+	r, err := regexp.Compile(p.matchRegex)
+	if err != nil {
+		return err
+	}
+
+	// check if this elements field matches the regex
+	val := elem.Field(p.field)
+	if val == nil || val.Value == nil {
+		return nil
+	}
+	str, err := val.Value.String()
+	if err != nil {
+		return err
+	}
+	str = strings.TrimSpace(str)
+	if !r.MatchString(str) {
+		return nil
+	}
+
+	// recurse on the matching element
+	pm := &PathMatcher{Path: p.Path[1:], Create: p.Create}
+	add, err := pm.filter(elem)
+	for k, v := range pm.Matches {
+		p.Matches[k] = v
+	}
+	if err != nil || add == nil {
+		return err
+	}
+	p.append(str, add.Content()...)
+	return nil
+}
+
+func (p *PathMatcher) appendRNode(path string, node *RNode) {
+	p.append(path, node.YNode())
+}
+
+func (p *PathMatcher) append(path string, nodes ...*Node) {
+	if p.val == nil {
+		p.val = NewRNode(&Node{Kind: SequenceNode})
+	}
+	for i := range nodes {
+		node := nodes[i]
+		p.val.YNode().Content = append(p.val.YNode().Content, node)
+		// record the path if specified
+		if path != "" {
+			p.Matches[node] = append(p.Matches[node], path)
+		}
+	}
+}
+
+func cleanPath(path []string) []string {
+	var p []string
+	for _, elem := range path {
+		elem = strings.TrimSpace(elem)
+		if len(elem) == 0 {
+			continue
+		}
+		p = append(p, elem)
+	}
+	return p
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/merge2.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/merge2.go
new file mode 100644
index 0000000000..3b23019e1a
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/merge2.go
@@ -0,0 +1,187 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package merge2 contains libraries for merging fields from one RNode to another
+// RNode
+package merge2
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+	"sigs.k8s.io/kustomize/kyaml/yaml/walk"
+)
+
+// Merge merges fields from src into dest.
+func Merge(src, dest *yaml.RNode, mergeOptions yaml.MergeOptions) (*yaml.RNode, error) {
+	return walk.Walker{
+		Sources:      []*yaml.RNode{dest, src},
+		Visitor:      Merger{},
+		MergeOptions: mergeOptions,
+	}.Walk()
+}
+
+// MergeStrings parses the arguments, and merges fields from srcStr into destStr.
+func MergeStrings(srcStr, destStr string, infer bool, mergeOptions yaml.MergeOptions) (string, error) {
+	src, err := yaml.Parse(srcStr)
+	if err != nil {
+		return "", err
+	}
+	dest, err := yaml.Parse(destStr)
+	if err != nil {
+		return "", err
+	}
+
+	result, err := walk.Walker{
+		Sources:               []*yaml.RNode{dest, src},
+		Visitor:               Merger{},
+		InferAssociativeLists: infer,
+		MergeOptions:          mergeOptions,
+	}.Walk()
+	if err != nil {
+		return "", err
+	}
+
+	return result.String()
+}
+
+type Merger struct {
+}
+
+// for forwards compatibility when new functions are added to the interface
+var _ walk.Visitor = Merger{}
+
+func (m Merger) VisitMap(nodes walk.Sources, s *openapi.ResourceSchema) (*yaml.RNode, error) {
+	if err := m.SetComments(nodes); err != nil {
+		return nil, err
+	}
+	if err := m.SetStyle(nodes); err != nil {
+		return nil, err
+	}
+	if yaml.IsMissingOrNull(nodes.Dest()) {
+		// Add
+		ps, _ := determineSmpDirective(nodes.Origin())
+		if ps == smpDelete {
+			return walk.ClearNode, nil
+		}
+
+		// If Origin is missing, preserve explicitly set null in Dest ("null", "~", etc)
+		if nodes.Origin().IsNil() && !nodes.Dest().IsNil() && len(nodes.Dest().YNode().Value) > 0 {
+			return yaml.MakePersistentNullNode(nodes.Dest().YNode().Value), nil
+		}
+
+		return nodes.Origin(), nil
+	}
+	if nodes.Origin().IsTaggedNull() {
+		// clear the value
+		return walk.ClearNode, nil
+	}
+
+	ps, err := determineSmpDirective(nodes.Origin())
+	if err != nil {
+		return nil, err
+	}
+
+	switch ps {
+	case smpDelete:
+		return walk.ClearNode, nil
+	case smpReplace:
+		return nodes.Origin(), nil
+	default:
+		return nodes.Dest(), nil
+	}
+}
+
+func (m Merger) VisitScalar(nodes walk.Sources, s *openapi.ResourceSchema) (*yaml.RNode, error) {
+	if err := m.SetComments(nodes); err != nil {
+		return nil, err
+	}
+	if err := m.SetStyle(nodes); err != nil {
+		return nil, err
+	}
+	// Override value
+	if nodes.Origin() != nil {
+		return nodes.Origin(), nil
+	}
+	// Keep
+	return nodes.Dest(), nil
+}
+
+func (m Merger) VisitList(nodes walk.Sources, s *openapi.ResourceSchema, kind walk.ListKind) (*yaml.RNode, error) {
+	if err := m.SetComments(nodes); err != nil {
+		return nil, err
+	}
+	if err := m.SetStyle(nodes); err != nil {
+		return nil, err
+	}
+	if kind == walk.NonAssociateList {
+		// Override value
+		if nodes.Origin() != nil {
+			return nodes.Origin(), nil
+		}
+		// Keep
+		return nodes.Dest(), nil
+	}
+
+	// Add
+	if yaml.IsMissingOrNull(nodes.Dest()) {
+		return nodes.Origin(), nil
+	}
+	// Clear
+	if nodes.Origin().IsTaggedNull() {
+		return walk.ClearNode, nil
+	}
+
+	ps, err := determineSmpDirective(nodes.Origin())
+	if err != nil {
+		return nil, err
+	}
+
+	switch ps {
+	case smpDelete:
+		return walk.ClearNode, nil
+	case smpReplace:
+		return nodes.Origin(), nil
+	default:
+		return nodes.Dest(), nil
+	}
+}
+
+func (m Merger) SetStyle(sources walk.Sources) error {
+	source := sources.Origin()
+	dest := sources.Dest()
+	if dest == nil || dest.YNode() == nil || source == nil || source.YNode() == nil {
+		// avoid panic
+		return nil
+	}
+
+	// copy the style from the source.
+	// special case: if the dest was an empty map or seq, then it probably had
+	// folded style applied, but we actually want to keep the style of the origin
+	// in this case (even if it was the default).  otherwise the merged elements
+	// will get folded even though this probably isn't what is desired.
+	if dest.YNode().Kind != yaml.ScalarNode && len(dest.YNode().Content) == 0 {
+		dest.YNode().Style = source.YNode().Style
+	}
+	return nil
+}
+
+// SetComments copies the dest comments to the source comments if they are present
+// on the source.
+func (m Merger) SetComments(sources walk.Sources) error {
+	source := sources.Origin()
+	dest := sources.Dest()
+	if dest == nil || dest.YNode() == nil || source == nil || source.YNode() == nil {
+		// avoid panic
+		return nil
+	}
+	if source.YNode().FootComment != "" {
+		dest.YNode().FootComment = source.YNode().FootComment
+	}
+	if source.YNode().HeadComment != "" {
+		dest.YNode().HeadComment = source.YNode().HeadComment
+	}
+	if source.YNode().LineComment != "" {
+		dest.YNode().LineComment = source.YNode().LineComment
+	}
+	return nil
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective.go
new file mode 100644
index 0000000000..f38b188eac
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective.go
@@ -0,0 +1,101 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package merge2
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// A strategic merge patch directive.
+// See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
+//
+//go:generate stringer -type=smpDirective -linecomment
+type smpDirective int
+
+const (
+	smpUnknown smpDirective = iota // unknown
+	smpReplace                     // replace
+	smpDelete                      // delete
+	smpMerge                       // merge
+)
+
+const strategicMergePatchDirectiveKey = "$patch"
+
+// Examine patch for a strategic merge patch directive.
+// If found, return it, and remove the directive from the patch.
+func determineSmpDirective(patch *yaml.RNode) (smpDirective, error) {
+	if patch == nil {
+		return smpMerge, nil
+	}
+	switch patch.YNode().Kind {
+	case yaml.SequenceNode:
+		return determineSequenceNodePatchStrategy(patch)
+	case yaml.MappingNode:
+		return determineMappingNodePatchStrategy(patch)
+	default:
+		return smpUnknown, fmt.Errorf(
+			"no implemented strategic merge patch strategy for '%s' ('%s')",
+			patch.YNode().ShortTag(), patch.MustString())
+	}
+}
+
+func determineSequenceNodePatchStrategy(patch *yaml.RNode) (smpDirective, error) {
+	// get the $patch element
+	node, err := patch.Pipe(yaml.GetElementByKey(strategicMergePatchDirectiveKey))
+	// if there are more than 1 key/value pair in the map, then this $patch
+	// is not for the sequence
+	if err != nil || node == nil || node.YNode() == nil || len(node.Content()) > 2 {
+		return smpMerge, nil
+	}
+	// get the value
+	value, err := node.Pipe(yaml.Get(strategicMergePatchDirectiveKey))
+	if err != nil || value == nil || value.YNode() == nil {
+		return smpMerge, nil
+	}
+	v := value.YNode().Value
+	if v == smpDelete.String() {
+		return smpDelete, elideSequencePatchDirective(patch, v)
+	}
+	if v == smpReplace.String() {
+		return smpReplace, elideSequencePatchDirective(patch, v)
+	}
+	if v == smpMerge.String() {
+		return smpMerge, elideSequencePatchDirective(patch, v)
+	}
+	return smpUnknown, fmt.Errorf(
+		"unknown patch strategy '%s'", v)
+}
+
+func determineMappingNodePatchStrategy(patch *yaml.RNode) (smpDirective, error) {
+	node, err := patch.Pipe(yaml.Get(strategicMergePatchDirectiveKey))
+	if err != nil || node == nil || node.YNode() == nil {
+		return smpMerge, nil
+	}
+	v := node.YNode().Value
+	if v == smpDelete.String() {
+		return smpDelete, elideMappingPatchDirective(patch)
+	}
+	if v == smpReplace.String() {
+		return smpReplace, elideMappingPatchDirective(patch)
+	}
+	if v == smpMerge.String() {
+		return smpMerge, elideMappingPatchDirective(patch)
+	}
+	return smpUnknown, fmt.Errorf(
+		"unknown patch strategy '%s'", v)
+}
+
+func elideMappingPatchDirective(patch *yaml.RNode) error {
+	return patch.PipeE(yaml.Clear(strategicMergePatchDirectiveKey))
+}
+
+func elideSequencePatchDirective(patch *yaml.RNode, value string) error {
+	return patch.PipeE(yaml.ElementSetter{
+		Element: nil,
+		Keys:    []string{strategicMergePatchDirectiveKey},
+		Values:  []string{value},
+	})
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective_string.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective_string.go
new file mode 100644
index 0000000000..b4f937f0e1
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective_string.go
@@ -0,0 +1,26 @@
+// Code generated by "stringer -type=smpDirective -linecomment"; DO NOT EDIT.
+
+package merge2
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[smpUnknown-0]
+	_ = x[smpReplace-1]
+	_ = x[smpDelete-2]
+	_ = x[smpMerge-3]
+}
+
+const _smpDirective_name = "unknownreplacedeletemerge"
+
+var _smpDirective_index = [...]uint8{0, 7, 14, 20, 25}
+
+func (i smpDirective) String() string {
+	if i < 0 || i >= smpDirective(len(_smpDirective_index)-1) {
+		return "smpDirective(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _smpDirective_name[_smpDirective_index[i]:_smpDirective_index[i+1]]
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/order.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/order.go
new file mode 100644
index 0000000000..4e01c64895
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/order.go
@@ -0,0 +1,107 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+// fieldSortOrder contains the relative ordering of fields when formatting an
+// object.
+var fieldSortOrder = []string{
+	// top-level metadata
+	"name", "generateName", "namespace", "clusterName",
+	"apiVersion", "kind", "metadata", "type",
+	"labels", "annotations",
+	"spec", "status",
+
+	// secret and configmap
+	"stringData", "data", "binaryData",
+
+	// cronjobspec,  daemonsetspec, deploymentspec, statefulsetspec,
+	// jobspec fields
+	"parallelism", "completions", "activeDeadlineSeconds", "backoffLimit",
+	"replicas", "selector", "manualSelector", "template",
+	"ttlSecondsAfterFinished", "volumeClaimTemplates", "service", "serviceName",
+	"podManagementPolicy", "updateStrategy", "strategy", "minReadySeconds",
+	"revision", "revisionHistoryLimit", "paused", "progressDeadlineSeconds",
+
+	// podspec
+	// podspec scalars
+	"restartPolicy", "terminationGracePeriodSeconds",
+	"activeDeadlineSeconds", "dnsPolicy", "serviceAccountName",
+	"serviceAccount", "automountServiceAccountToken", "nodeName",
+	"hostNetwork", "hostPID", "hostIPC", "shareProcessNamespace", "hostname",
+	"subdomain", "schedulerName", "priorityClassName", "priority",
+	"runtimeClassName", "enableServiceLinks",
+
+	// podspec lists and maps
+	"nodeSelector", "hostAliases",
+
+	// podspec objects
+	"initContainers", "containers", "volumes", "securityContext",
+	"imagePullSecrets", "affinity", "tolerations", "dnsConfig",
+	"readinessGates",
+
+	// containers
+	"image", "command", "args", "workingDir", "ports", "envFrom", "env",
+	"resources", "volumeMounts", "volumeDevices", "livenessProbe",
+	"readinessProbe", "lifecycle", "terminationMessagePath",
+	"terminationMessagePolicy", "imagePullPolicy", "securityContext",
+	"stdin", "stdinOnce", "tty",
+
+	// service
+	"clusterIP", "externalIPs", "loadBalancerIP", "loadBalancerSourceRanges",
+	"externalName", "externalTrafficPolicy", "sessionAffinity",
+
+	// ports
+	"protocol", "port", "targetPort", "hostPort", "containerPort", "hostIP",
+
+	// volumemount
+	"readOnly", "mountPath", "subPath", "subPathExpr", "mountPropagation",
+
+	// envvar + envvarsource
+	"value", "valueFrom", "fieldRef", "resourceFieldRef", "configMapKeyRef",
+	"secretKeyRef", "prefix", "configMapRef", "secretRef",
+}
+
+type set map[string]interface{}
+
+func newSet(values ...string) set {
+	m := map[string]interface{}{}
+	for _, value := range values {
+		m[value] = nil
+	}
+	return m
+}
+
+func (s set) Has(key string) bool {
+	_, found := s[key]
+	return found
+}
+
+// WhitelistedListSortKinds contains the set of kinds that are whitelisted
+// for sorting list field elements
+var WhitelistedListSortKinds = newSet(
+	"CronJob", "DaemonSet", "Deployment", "Job", "ReplicaSet", "StatefulSet",
+	"ValidatingWebhookConfiguration")
+
+// WhitelistedListSortApis contains the set of apis that are whitelisted for
+// sorting list field elements
+var WhitelistedListSortApis = newSet(
+	"apps/v1", "apps/v1beta1", "apps/v1beta2", "batch/v1", "batch/v1beta1",
+	"extensions/v1beta1", "v1", "admissionregistration.k8s.io/v1")
+
+// WhitelistedListSortFields contains json paths to list fields that should
+// be sorted, and the field they should be sorted by
+var WhitelistedListSortFields = map[string]string{
+	".spec.template.spec.containers": "name",
+	".webhooks.rules.operations":     "",
+}
+
+// FieldOrder indexes fields and maps them to relative precedence
+var FieldOrder = func() map[string]int {
+	// create an index of field orderings
+	fo := map[string]int{}
+	for i, f := range fieldSortOrder {
+		fo[f] = i + 1
+	}
+	return fo
+}()
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/rnode.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/rnode.go
new file mode 100644
index 0000000000..0059ec2eb9
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/rnode.go
@@ -0,0 +1,1385 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"regexp"
+	"strconv"
+	"strings"
+
+	yaml "go.yaml.in/yaml/v3"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/sliceutil"
+	"sigs.k8s.io/kustomize/kyaml/utils"
+	"sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels"
+)
+
+// MakeNullNode returns an RNode that represents an empty document.
+func MakeNullNode() *RNode {
+	return NewRNode(&Node{Tag: NodeTagNull})
+}
+
+// MakePersistentNullNode returns an RNode that should be persisted,
+// even when merging
+func MakePersistentNullNode(value string) *RNode {
+	n := NewRNode(
+		&Node{
+			Tag:   NodeTagNull,
+			Value: value,
+			Kind:  yaml.ScalarNode,
+		},
+	)
+	n.ShouldKeep = true
+	return n
+}
+
+// IsMissingOrNull is true if the RNode is nil or explicitly tagged null.
+// TODO: make this a method on RNode.
+func IsMissingOrNull(node *RNode) bool {
+	return node.IsNil() || node.YNode().Tag == NodeTagNull
+}
+
+// IsEmptyMap returns true if the RNode is an empty node or an empty map.
+// TODO: make this a method on RNode.
+func IsEmptyMap(node *RNode) bool {
+	return IsMissingOrNull(node) || IsYNodeEmptyMap(node.YNode())
+}
+
+// GetValue returns underlying yaml.Node Value field
+func GetValue(node *RNode) string {
+	if IsMissingOrNull(node) {
+		return ""
+	}
+	return node.YNode().Value
+}
+
+// Parse parses a yaml string into an *RNode.
+// To parse multiple resources, consider a kio.ByteReader
+func Parse(value string) (*RNode, error) {
+	return Parser{Value: value}.Filter(nil)
+}
+
+// ReadFile parses a single Resource from a yaml file.
+// To parse multiple resources, consider a kio.ByteReader
+func ReadFile(path string) (*RNode, error) {
+	b, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return Parse(string(b))
+}
+
+// WriteFile writes a single Resource to a yaml file
+func WriteFile(node *RNode, path string) error {
+	out, err := node.String()
+	if err != nil {
+		return err
+	}
+	return errors.WrapPrefixf(os.WriteFile(path, []byte(out), 0600), "writing RNode to file")
+}
+
+// UpdateFile reads the file at path, applies the filter to it, and write the result back.
+// path must contain a exactly 1 resource (YAML).
+func UpdateFile(filter Filter, path string) error {
+	// Read the yaml
+	y, err := ReadFile(path)
+	if err != nil {
+		return err
+	}
+
+	// Update the yaml
+	if err := y.PipeE(filter); err != nil {
+		return err
+	}
+
+	// Write the yaml
+	return WriteFile(y, path)
+}
+
+// MustParse parses a yaml string into an *RNode and panics if there is an error
+func MustParse(value string) *RNode {
+	v, err := Parser{Value: value}.Filter(nil)
+	if err != nil {
+		panic(err)
+	}
+	return v
+}
+
+// NewScalarRNode returns a new Scalar *RNode containing the provided scalar value.
+func NewScalarRNode(value string) *RNode {
+	return &RNode{
+		value: &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Value: value,
+		}}
+}
+
+// NewStringRNode returns a new Scalar *RNode containing the provided string.
+// If the string is non-utf8, it will be base64 encoded, and the tag
+// will indicate binary data.
+func NewStringRNode(value string) *RNode {
+	n := yaml.Node{Kind: yaml.ScalarNode}
+	n.SetString(value)
+	return NewRNode(&n)
+}
+
+// NewListRNode returns a new List *RNode containing the provided scalar values.
+func NewListRNode(values ...string) *RNode {
+	seq := &RNode{value: &yaml.Node{Kind: yaml.SequenceNode}}
+	for _, v := range values {
+		seq.value.Content = append(seq.value.Content, &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Value: v,
+		})
+	}
+	return seq
+}
+
+// NewMapRNode returns a new Map *RNode containing the provided values
+func NewMapRNode(values *map[string]string) *RNode {
+	m := &RNode{value: &yaml.Node{
+		Kind: yaml.MappingNode,
+	}}
+	if values == nil {
+		return m
+	}
+
+	for k, v := range *values {
+		m.value.Content = append(m.value.Content, &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Value: k,
+		}, &yaml.Node{
+			Kind:  yaml.ScalarNode,
+			Value: v,
+		})
+	}
+
+	return m
+}
+
+// SyncMapNodesOrder sorts the map node keys in 'to' node to match the order of
+// map node keys in 'from' node, additional keys are moved to the end
+func SyncMapNodesOrder(from, to *RNode) {
+	to.Copy()
+	res := &RNode{value: &yaml.Node{
+		Kind:        to.YNode().Kind,
+		Style:       to.YNode().Style,
+		Tag:         to.YNode().Tag,
+		Anchor:      to.YNode().Anchor,
+		Alias:       to.YNode().Alias,
+		HeadComment: to.YNode().HeadComment,
+		LineComment: to.YNode().LineComment,
+		FootComment: to.YNode().FootComment,
+		Line:        to.YNode().Line,
+		Column:      to.YNode().Column,
+	}}
+
+	fromFieldNames, err := from.Fields()
+	if err != nil {
+		return
+	}
+
+	toFieldNames, err := to.Fields()
+	if err != nil {
+		return
+	}
+
+	for _, fieldName := range fromFieldNames {
+		if !sliceutil.Contains(toFieldNames, fieldName) {
+			continue
+		}
+		// append the common nodes in the order defined in 'from' node
+		res.value.Content = append(res.value.Content, to.Field(fieldName).Key.YNode(), to.Field(fieldName).Value.YNode())
+		toFieldNames = sliceutil.Remove(toFieldNames, fieldName)
+	}
+
+	for _, fieldName := range toFieldNames {
+		// append the residual nodes which are not present in 'from' node
+		res.value.Content = append(res.value.Content, to.Field(fieldName).Key.YNode(), to.Field(fieldName).Value.YNode())
+	}
+
+	to.SetYNode(res.YNode())
+}
+
+// NewRNode returns a new RNode pointer containing the provided Node.
+func NewRNode(value *yaml.Node) *RNode {
+	return &RNode{value: value}
+}
+
+// RNode provides functions for manipulating Kubernetes Resources
+// Objects unmarshalled into *yaml.Nodes
+type RNode struct {
+	// fieldPath contains the path from the root of the KubernetesObject to
+	// this field.
+	// Only field names are captured in the path.
+	// e.g. a image field in a Deployment would be
+	// 'spec.template.spec.containers.image'
+	fieldPath []string
+
+	// FieldValue contains the value.
+	// FieldValue is always set:
+	// field: field value
+	// list entry: list entry value
+	// object root: object root
+	value *yaml.Node
+
+	// Whether we should keep this node, even if otherwise we would clear it
+	ShouldKeep bool
+
+	Match []string
+}
+
+// Copy returns a distinct copy.
+func (rn *RNode) Copy() *RNode {
+	if rn == nil {
+		return nil
+	}
+	result := *rn
+	result.value = CopyYNode(rn.value)
+	return &result
+}
+
+var ErrMissingMetadata = fmt.Errorf("missing Resource metadata")
+
+// IsNil is true if the node is nil, or its underlying YNode is nil.
+func (rn *RNode) IsNil() bool {
+	return rn == nil || rn.YNode() == nil
+}
+
+// IsTaggedNull is true if a non-nil node is explicitly tagged Null.
+func (rn *RNode) IsTaggedNull() bool {
+	return !rn.IsNil() && IsYNodeTaggedNull(rn.YNode())
+}
+
+// IsNilOrEmpty is true if the node is nil,
+// has no YNode, or has YNode that appears empty.
+func (rn *RNode) IsNilOrEmpty() bool {
+	return rn.IsNil() || IsYNodeNilOrEmpty(rn.YNode())
+}
+
+// IsStringValue is true if the RNode is not nil and is scalar string node
+func (rn *RNode) IsStringValue() bool {
+	return !rn.IsNil() && IsYNodeString(rn.YNode())
+}
+
+// GetMeta returns the ResourceMeta for an RNode
+func (rn *RNode) GetMeta() (ResourceMeta, error) {
+	if IsMissingOrNull(rn) {
+		return ResourceMeta{}, nil
+	}
+	missingMeta := true
+	n := rn
+	if n.YNode().Kind == DocumentNode {
+		// get the content is this is the document node
+		n = NewRNode(n.Content()[0])
+	}
+
+	// don't decode into the struct directly or it will fail on UTF-8 issues
+	// which appear in comments
+	m := ResourceMeta{}
+
+	// TODO: consider optimizing this parsing
+	if f := n.Field(APIVersionField); !f.IsNilOrEmpty() {
+		m.APIVersion = GetValue(f.Value)
+		missingMeta = false
+	}
+	if f := n.Field(KindField); !f.IsNilOrEmpty() {
+		m.Kind = GetValue(f.Value)
+		missingMeta = false
+	}
+
+	mf := n.Field(MetadataField)
+	if mf.IsNilOrEmpty() {
+		if missingMeta {
+			return m, ErrMissingMetadata
+		}
+		return m, nil
+	}
+	meta := mf.Value
+
+	if f := meta.Field(NameField); !f.IsNilOrEmpty() {
+		m.Name = f.Value.YNode().Value
+		missingMeta = false
+	}
+	if f := meta.Field(NamespaceField); !f.IsNilOrEmpty() {
+		m.Namespace = GetValue(f.Value)
+		missingMeta = false
+	}
+
+	if f := meta.Field(LabelsField); !f.IsNilOrEmpty() {
+		m.Labels = map[string]string{}
+		_ = f.Value.VisitFields(func(node *MapNode) error {
+			m.Labels[GetValue(node.Key)] = GetValue(node.Value)
+			return nil
+		})
+		missingMeta = false
+	}
+	if f := meta.Field(AnnotationsField); !f.IsNilOrEmpty() {
+		m.Annotations = map[string]string{}
+		_ = f.Value.VisitFields(func(node *MapNode) error {
+			m.Annotations[GetValue(node.Key)] = GetValue(node.Value)
+			return nil
+		})
+		missingMeta = false
+	}
+
+	if missingMeta {
+		return m, ErrMissingMetadata
+	}
+	return m, nil
+}
+
+// Pipe sequentially invokes each Filter, and passes the result to the next
+// Filter.
+//
+// Analogous to http://www.linfo.org/pipes.html
+//
+// * rn is provided as input to the first Filter.
+// * if any Filter returns an error, immediately return the error
+// * if any Filter returns a nil RNode, immediately return nil, nil
+// * if all Filters succeed with non-empty results, return the final result
+func (rn *RNode) Pipe(functions ...Filter) (*RNode, error) {
+	// check if rn is nil to make chaining Pipe calls easier
+	if rn == nil {
+		return nil, nil
+	}
+
+	var v *RNode
+	var err error
+	if rn.value != nil && rn.value.Kind == yaml.DocumentNode {
+		// the first node may be a DocumentNode containing a single MappingNode
+		v = &RNode{value: rn.value.Content[0]}
+	} else {
+		v = rn
+	}
+
+	// return each fn in sequence until encountering an error or missing value
+	for _, c := range functions {
+		v, err = c.Filter(v)
+		if err != nil || v == nil {
+			return v, errors.Wrap(err)
+		}
+	}
+	return v, err
+}
+
+// PipeE runs Pipe, dropping the *RNode return value.
+// Useful for directly returning the Pipe error value from functions.
+func (rn *RNode) PipeE(functions ...Filter) error {
+	_, err := rn.Pipe(functions...)
+	return errors.Wrap(err)
+}
+
+// Document returns the Node for the value.
+func (rn *RNode) Document() *yaml.Node {
+	return rn.value
+}
+
+// YNode returns the yaml.Node value.  If the yaml.Node value is a DocumentNode,
+// YNode will return the DocumentNode Content entry instead of the DocumentNode.
+func (rn *RNode) YNode() *yaml.Node {
+	if rn == nil || rn.value == nil {
+		return nil
+	}
+	if rn.value.Kind == yaml.DocumentNode {
+		return rn.value.Content[0]
+	}
+	return rn.value
+}
+
+// SetYNode sets the yaml.Node value on an RNode.
+func (rn *RNode) SetYNode(node *yaml.Node) {
+	if rn.value == nil || node == nil {
+		rn.value = node
+		return
+	}
+	*rn.value = *node
+}
+
+// GetKind returns the kind, if it exists, else empty string.
+func (rn *RNode) GetKind() string {
+	if node := rn.getMapFieldValue(KindField); node != nil {
+		return node.Value
+	}
+	return ""
+}
+
+// SetKind sets the kind.
+func (rn *RNode) SetKind(k string) {
+	rn.SetMapField(NewScalarRNode(k), KindField)
+}
+
+// GetApiVersion returns the apiversion, if it exists, else empty string.
+func (rn *RNode) GetApiVersion() string {
+	if node := rn.getMapFieldValue(APIVersionField); node != nil {
+		return node.Value
+	}
+	return ""
+}
+
+// SetApiVersion sets the apiVersion.
+func (rn *RNode) SetApiVersion(av string) {
+	rn.SetMapField(NewScalarRNode(av), APIVersionField)
+}
+
+// getMapFieldValue returns the value (*yaml.Node) of a mapping field.
+// The value might be nil.  Also, the function returns nil, not an error,
+// if this node is not a mapping node, or if this node does not have the
+// given field, so this function cannot be used to make distinctions
+// between these cases.
+func (rn *RNode) getMapFieldValue(field string) *yaml.Node {
+	var result *yaml.Node
+	visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) {
+		result = value
+	}, field)
+	return result
+}
+
+// GetName returns the name, or empty string if
+// field not found.  The setter is more restrictive.
+func (rn *RNode) GetName() string {
+	return rn.getMetaStringField(NameField)
+}
+
+// getMetaStringField returns the value of a string field in metadata.
+func (rn *RNode) getMetaStringField(fName string) string {
+	md := rn.getMetaData()
+	if md == nil {
+		return ""
+	}
+	var result string
+	visitMappingNodeFields(md.Content, func(key, value *yaml.Node) {
+		if !IsYNodeNilOrEmpty(value) {
+			result = value.Value
+		}
+	}, fName)
+	return result
+}
+
+// getMetaData returns the *yaml.Node of the metadata field.
+// Return nil if field not found (no error).
+func (rn *RNode) getMetaData() *yaml.Node {
+	if IsMissingOrNull(rn) {
+		return nil
+	}
+	content := rn.Content()
+	if rn.YNode().Kind == DocumentNode {
+		// get the content if this is the document node
+		content = content[0].Content
+	}
+	var mf *yaml.Node
+	visitMappingNodeFields(content, func(key, value *yaml.Node) {
+		if !IsYNodeNilOrEmpty(value) {
+			mf = value
+		}
+	}, MetadataField)
+	return mf
+}
+
+// SetName sets the metadata name field.
+func (rn *RNode) SetName(name string) error {
+	return rn.SetMapField(NewScalarRNode(name), MetadataField, NameField)
+}
+
+// GetNamespace gets the metadata namespace field, or empty string if
+// field not found.  The setter is more restrictive.
+func (rn *RNode) GetNamespace() string {
+	return rn.getMetaStringField(NamespaceField)
+}
+
+// SetNamespace tries to set the metadata namespace field.  If the argument
+// is empty, the field is dropped.
+func (rn *RNode) SetNamespace(ns string) error {
+	meta, err := rn.Pipe(Lookup(MetadataField))
+	if err != nil {
+		return err
+	}
+	if ns == "" {
+		if rn == nil {
+			return nil
+		}
+		return meta.PipeE(Clear(NamespaceField))
+	}
+	return rn.SetMapField(
+		NewScalarRNode(ns), MetadataField, NamespaceField)
+}
+
+// GetAnnotations gets the metadata annotations field.
+// If the annotations field is missing, returns an empty map.
+// Use another method to check for missing metadata.
+// If specific annotations are provided, then the map is
+// restricted to only those entries with keys that match
+// one of the specific annotations. If no annotations are
+// provided, then the map will contain all entries.
+func (rn *RNode) GetAnnotations(annotations ...string) map[string]string {
+	return rn.getMapFromMeta(AnnotationsField, annotations...)
+}
+
+// SetAnnotations tries to set the metadata annotations field.
+func (rn *RNode) SetAnnotations(m map[string]string) error {
+	return rn.setMapInMetadata(m, AnnotationsField)
+}
+
+// GetLabels gets the metadata labels field.
+// If the labels field is missing, returns an empty map.
+// Use another method to check for missing metadata.
+// If specific labels are provided, then the map is
+// restricted to only those entries with keys that match
+// one of the specific labels. If no labels are
+// provided, then the map will contain all entries.
+func (rn *RNode) GetLabels(labels ...string) map[string]string {
+	return rn.getMapFromMeta(LabelsField, labels...)
+}
+
+// getMapFromMeta returns a map, sometimes empty, from the fName
+// field in the node's metadata field.
+// If specific fields are provided, then the map is
+// restricted to only those entries with keys that match
+// one of the specific fields. If no fields are
+// provided, then the map will contain all entries.
+func (rn *RNode) getMapFromMeta(fName string, fields ...string) map[string]string {
+	meta := rn.getMetaData()
+	if meta == nil {
+		return make(map[string]string)
+	}
+
+	var result map[string]string
+
+	visitMappingNodeFields(meta.Content, func(_, fNameValue *yaml.Node) {
+		// fName is found in metadata; create the map from its content
+		expectedSize := len(fields)
+		if expectedSize == 0 {
+			expectedSize = len(fNameValue.Content) / 2 //nolint: gomnd
+		}
+		result = make(map[string]string, expectedSize)
+
+		visitMappingNodeFields(fNameValue.Content, func(key, value *yaml.Node) {
+			result[key.Value] = value.Value
+		}, fields...)
+	}, fName)
+
+	if result == nil {
+		return make(map[string]string)
+	}
+	return result
+}
+
+// SetLabels sets the metadata labels field.
+func (rn *RNode) SetLabels(m map[string]string) error {
+	return rn.setMapInMetadata(m, LabelsField)
+}
+
+// This established proper quoting on string values, and sorts by key.
+func (rn *RNode) setMapInMetadata(m map[string]string, field string) error {
+	meta, err := rn.Pipe(LookupCreate(MappingNode, MetadataField))
+	if err != nil {
+		return err
+	}
+	if err = meta.PipeE(Clear(field)); err != nil {
+		return err
+	}
+	if len(m) == 0 {
+		return nil
+	}
+	mapNode, err := meta.Pipe(LookupCreate(MappingNode, field))
+	if err != nil {
+		return err
+	}
+	for _, k := range SortedMapKeys(m) {
+		if _, err := mapNode.Pipe(
+			SetField(k, NewStringRNode(m[k]))); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (rn *RNode) SetMapField(value *RNode, path ...string) error {
+	return rn.PipeE(
+		LookupCreate(yaml.MappingNode, path[0:len(path)-1]...),
+		SetField(path[len(path)-1], value),
+	)
+}
+
+func (rn *RNode) GetDataMap() map[string]string {
+	n, err := rn.Pipe(Lookup(DataField))
+	if err != nil {
+		return nil
+	}
+	result := map[string]string{}
+	_ = n.VisitFields(func(node *MapNode) error {
+		result[GetValue(node.Key)] = GetValue(node.Value)
+		return nil
+	})
+	return result
+}
+
+func (rn *RNode) GetBinaryDataMap() map[string]string {
+	n, err := rn.Pipe(Lookup(BinaryDataField))
+	if err != nil {
+		return nil
+	}
+	result := map[string]string{}
+	_ = n.VisitFields(func(node *MapNode) error {
+		result[GetValue(node.Key)] = GetValue(node.Value)
+		return nil
+	})
+	return result
+}
+
+// GetValidatedDataMap retrieves the data map and returns an error if the data
+// map contains entries which are not included in the expectedKeys set.
+func (rn *RNode) GetValidatedDataMap(expectedKeys []string) (map[string]string, error) {
+	dataMap := rn.GetDataMap()
+	err := rn.validateDataMap(dataMap, expectedKeys)
+	return dataMap, err
+}
+
+func (rn *RNode) validateDataMap(dataMap map[string]string, expectedKeys []string) error {
+	if dataMap == nil {
+		return fmt.Errorf("The datamap is unassigned")
+	}
+	for key := range dataMap {
+		found := false
+		for _, expected := range expectedKeys {
+			if expected == key {
+				found = true
+			}
+		}
+		if !found {
+			return fmt.Errorf("an unexpected key (%v) was found", key)
+		}
+	}
+	return nil
+}
+
+func (rn *RNode) SetDataMap(m map[string]string) {
+	if rn == nil {
+		log.Fatal("cannot set data map on nil Rnode")
+	}
+	if err := rn.PipeE(Clear(DataField)); err != nil {
+		log.Fatal(err)
+	}
+	if len(m) == 0 {
+		return
+	}
+	if err := rn.LoadMapIntoConfigMapData(m); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func (rn *RNode) SetBinaryDataMap(m map[string]string) {
+	if rn == nil {
+		log.Fatal("cannot set binaryData map on nil Rnode")
+	}
+	if err := rn.PipeE(Clear(BinaryDataField)); err != nil {
+		log.Fatal(err)
+	}
+	if len(m) == 0 {
+		return
+	}
+	if err := rn.LoadMapIntoConfigMapBinaryData(m); err != nil {
+		log.Fatal(err)
+	}
+}
+
+// AppendToFieldPath appends a field name to the FieldPath.
+func (rn *RNode) AppendToFieldPath(parts ...string) {
+	rn.fieldPath = append(rn.fieldPath, parts...)
+}
+
+// FieldPath returns the field path from the Resource root node, to rn.
+// Does not include list indexes.
+func (rn *RNode) FieldPath() []string {
+	return rn.fieldPath
+}
+
+// String returns string representation of the RNode
+func (rn *RNode) String() (string, error) {
+	if rn == nil {
+		return "", nil
+	}
+	return String(rn.value)
+}
+
+// MustString returns string representation of the RNode or panics if there is an error
+func (rn *RNode) MustString() string {
+	s, err := rn.String()
+	if err != nil {
+		panic(err)
+	}
+	return s
+}
+
+// Content returns Node Content field.
+func (rn *RNode) Content() []*yaml.Node {
+	if rn == nil {
+		return nil
+	}
+	return rn.YNode().Content
+}
+
+// Fields returns the list of field names for a MappingNode.
+// Returns an error for non-MappingNodes.
+func (rn *RNode) Fields() ([]string, error) {
+	if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil {
+		return nil, errors.Wrap(err)
+	}
+	var fields []string
+	visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) {
+		fields = append(fields, key.Value)
+	})
+	return fields, nil
+}
+
+// FieldRNodes returns the list of field key RNodes for a MappingNode.
+// Returns an error for non-MappingNodes.
+func (rn *RNode) FieldRNodes() ([]*RNode, error) {
+	if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil {
+		return nil, errors.Wrap(err)
+	}
+	var fields []*RNode
+	visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) {
+		// for each key node in the input mapping node contents create equivalent rNode
+		rNode := &RNode{}
+		rNode.SetYNode(key)
+		fields = append(fields, rNode)
+	})
+	return fields, nil
+}
+
+// Field returns a fieldName, fieldValue pair for MappingNodes.
+// Returns nil for non-MappingNodes.
+func (rn *RNode) Field(field string) *MapNode {
+	if rn.YNode().Kind != yaml.MappingNode {
+		return nil
+	}
+	var result *MapNode
+	visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) {
+		result = &MapNode{Key: NewRNode(key), Value: NewRNode(value)}
+	}, field)
+	return result
+}
+
+// VisitFields calls fn for each field in the RNode.
+// Returns an error for non-MappingNodes.
+func (rn *RNode) VisitFields(fn func(node *MapNode) error) error {
+	// get the list of srcFieldNames
+	srcFieldNames, err := rn.Fields()
+	if err != nil {
+		return errors.Wrap(err)
+	}
+
+	// visit each field
+	for _, fieldName := range srcFieldNames {
+		if err := fn(rn.Field(fieldName)); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+	return nil
+}
+
+// visitMappingNodeFields calls fn for fields in the content, in content order.
+// The caller is responsible to ensure the node is a mapping node. If fieldNames
+// are specified, then fn is called only for the fields that match the given
+// fieldNames.
+func visitMappingNodeFields(content []*yaml.Node, fn func(key, value *yaml.Node), fieldNames ...string) {
+	switch len(fieldNames) {
+	case 0: // visit all fields
+		visitFieldsWhileTrue(content, func(key, value *yaml.Node, _ int) bool {
+			fn(key, value)
+			return true
+		})
+	case 1: // visit single field
+		visitFieldsWhileTrue(content, func(key, value *yaml.Node, _ int) bool {
+			if key == nil {
+				return true
+			}
+			if fieldNames[0] == key.Value {
+				fn(key, value)
+				return false
+			}
+			return true
+		})
+	default: // visit specified fields
+		fieldsStillToVisit := make(map[string]bool, len(fieldNames))
+		for _, fieldName := range fieldNames {
+			fieldsStillToVisit[fieldName] = true
+		}
+		visitFieldsWhileTrue(content, func(key, value *yaml.Node, _ int) bool {
+			if key == nil {
+				return true
+			}
+			if fieldsStillToVisit[key.Value] {
+				fn(key, value)
+				delete(fieldsStillToVisit, key.Value)
+			}
+			return len(fieldsStillToVisit) > 0
+		})
+	}
+}
+
+// visitFieldsWhileTrue calls fn for the fields in content, in content order,
+// until either fn returns false or all fields have been visited. The caller
+// should ensure that content is from a mapping node, or fits the same expected
+// pattern (consecutive key/value entries in the slice).
+func visitFieldsWhileTrue(content []*yaml.Node, fn func(key, value *yaml.Node, keyIndex int) bool) {
+	for i := 0; i < len(content); i += 2 {
+		continueVisiting := fn(content[i], content[i+1], i)
+		if !continueVisiting {
+			return
+		}
+	}
+}
+
+// Elements returns the list of elements in the RNode.
+// Returns an error for non-SequenceNodes.
+func (rn *RNode) Elements() ([]*RNode, error) {
+	if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil {
+		return nil, errors.Wrap(err)
+	}
+	var elements []*RNode
+	for i := 0; i < len(rn.Content()); i++ {
+		elements = append(elements, NewRNode(rn.Content()[i]))
+	}
+	return elements, nil
+}
+
+// ElementValues returns a list of all observed values for a given field name
+// in a list of elements.
+// Returns error for non-SequenceNodes.
+func (rn *RNode) ElementValues(key string) ([]string, error) {
+	if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil {
+		return nil, errors.Wrap(err)
+	}
+	var elements []string
+	for i := 0; i < len(rn.Content()); i++ {
+		field := NewRNode(rn.Content()[i]).Field(key)
+		if !field.IsNilOrEmpty() {
+			elements = append(elements, field.Value.YNode().Value)
+		}
+	}
+	return elements, nil
+}
+
+// ElementValuesList returns a list of lists, where each list is a set of
+// values corresponding to each key in keys.
+// Returns error for non-SequenceNodes.
+func (rn *RNode) ElementValuesList(keys []string) ([][]string, error) {
+	if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil {
+		return nil, errors.Wrap(err)
+	}
+	elements := make([][]string, len(rn.Content()))
+
+	for i := 0; i < len(rn.Content()); i++ {
+		for _, key := range keys {
+			field := NewRNode(rn.Content()[i]).Field(key)
+			if field.IsNilOrEmpty() {
+				elements[i] = append(elements[i], "")
+			} else {
+				elements[i] = append(elements[i], field.Value.YNode().Value)
+			}
+		}
+	}
+	return elements, nil
+}
+
+// Element returns the element in the list which contains the field matching the value.
+// Returns nil for non-SequenceNodes or if no Element matches.
+func (rn *RNode) Element(key, value string) *RNode {
+	if rn.YNode().Kind != yaml.SequenceNode {
+		return nil
+	}
+	elem, err := rn.Pipe(MatchElement(key, value))
+	if err != nil {
+		return nil
+	}
+	return elem
+}
+
+// ElementList returns the element in the list in which all fields keys[i] matches all
+// corresponding values[i].
+// Returns nil for non-SequenceNodes or if no Element matches.
+func (rn *RNode) ElementList(keys []string, values []string) *RNode {
+	if rn.YNode().Kind != yaml.SequenceNode {
+		return nil
+	}
+	elem, err := rn.Pipe(MatchElementList(keys, values))
+	if err != nil {
+		return nil
+	}
+	return elem
+}
+
+// VisitElements calls fn for each element in a SequenceNode.
+// Returns an error for non-SequenceNodes
+func (rn *RNode) VisitElements(fn func(node *RNode) error) error {
+	elements, err := rn.Elements()
+	if err != nil {
+		return errors.Wrap(err)
+	}
+
+	for i := range elements {
+		if err := fn(elements[i]); err != nil {
+			return errors.Wrap(err)
+		}
+	}
+	return nil
+}
+
+// AssociativeSequenceKeys is a map of paths to sequences that have associative keys.
+// The order sets the precedence of the merge keys -- if multiple keys are present
+// in Resources in a list, then the FIRST key which ALL elements in the list have is used as the
+// associative key for merging that list.
+// Only infer name as a merge key.
+var AssociativeSequenceKeys = []string{"name"}
+
+// IsAssociative returns true if the RNode contains an AssociativeSequenceKey as a field.
+func (rn *RNode) IsAssociative() bool {
+	return rn.GetAssociativeKey() != ""
+}
+
+// GetAssociativeKey returns the AssociativeSequenceKey used to merge the elements in the
+// SequenceNode, or "" if the  list is not associative.
+func (rn *RNode) GetAssociativeKey() string {
+	// look for any associative keys in the first element
+	for _, key := range AssociativeSequenceKeys {
+		if checkKey(key, rn.Content()) {
+			return key
+		}
+	}
+
+	// element doesn't have an associative keys
+	return ""
+}
+
+// MarshalJSON creates a byte slice from the RNode.
+func (rn *RNode) MarshalJSON() ([]byte, error) {
+	s, err := rn.String()
+	if err != nil {
+		return nil, err
+	}
+
+	if rn.YNode().Kind == SequenceNode {
+		var a []interface{}
+		if err := Unmarshal([]byte(s), &a); err != nil {
+			return nil, err
+		}
+		return json.Marshal(a)
+	}
+
+	m := map[string]interface{}{}
+	if err := Unmarshal([]byte(s), &m); err != nil {
+		return nil, err
+	}
+	return json.Marshal(m)
+}
+
+// UnmarshalJSON overwrites this RNode with data from []byte.
+func (rn *RNode) UnmarshalJSON(b []byte) error {
+	m := map[string]interface{}{}
+	if err := json.Unmarshal(b, &m); err != nil {
+		return err
+	}
+	r, err := FromMap(m)
+	if err != nil {
+		return err
+	}
+	rn.value = r.value
+	return nil
+}
+
+// DeAnchor inflates all YAML aliases with their anchor values.
+// All YAML anchor data is permanently removed (feel free to call Copy first).
+func (rn *RNode) DeAnchor() (err error) {
+	rn.value, err = deAnchor(rn.value)
+	return
+}
+
+// deAnchor removes all AliasNodes from the yaml.Node's tree, replacing
+// them with what they point to.  All Anchor fields (these are used to mark
+// anchor definitions) are cleared.
+func deAnchor(yn *yaml.Node) (res *yaml.Node, err error) {
+	if yn == nil {
+		return nil, nil
+	}
+	if yn.Anchor != "" {
+		// This node defines an anchor. Clear the field so that it
+		// doesn't show up when marshalling.
+		if yn.Kind == yaml.AliasNode {
+			// Maybe this is OK, but for now treating it as a bug.
+			return nil, fmt.Errorf(
+				"anchor %q defined using alias %v", yn.Anchor, yn.Alias)
+		}
+		yn.Anchor = ""
+	}
+	switch yn.Kind {
+	case yaml.ScalarNode:
+		return yn, nil
+	case yaml.AliasNode:
+		result, err := deAnchor(yn.Alias)
+		if err != nil {
+			return nil, err
+		}
+		return CopyYNode(result), nil
+	case yaml.MappingNode:
+		toMerge, err := removeMergeTags(yn)
+		if err != nil {
+			return nil, err
+		}
+		err = mergeAll(yn, toMerge)
+		if err != nil {
+			return nil, err
+		}
+		fallthrough
+	case yaml.DocumentNode, yaml.SequenceNode:
+		for i := range yn.Content {
+			yn.Content[i], err = deAnchor(yn.Content[i])
+			if err != nil {
+				return nil, err
+			}
+		}
+		return yn, nil
+	default:
+		return nil, fmt.Errorf("cannot deAnchor kind %q", yn.Kind)
+	}
+}
+
+// isMerge returns if the node is tagged with !!merge
+func isMerge(yn *yaml.Node) bool {
+	return yn.Tag == MergeTag
+}
+
+// findMergeValues receives either a MappingNode, a AliasNode or a potentially
+// mixed list of MappingNodes and AliasNodes. It returns a list of MappingNodes.
+func findMergeValues(yn *yaml.Node) ([]*yaml.Node, error) {
+	if yn == nil {
+		return []*yaml.Node{}, nil
+	}
+	switch yn.Kind {
+	case MappingNode:
+		return []*yaml.Node{yn}, nil
+	case AliasNode:
+		if yn.Alias != nil && yn.Alias.Kind != MappingNode {
+			return nil, errors.Errorf("invalid map merge: received alias for a non-map value")
+		}
+		return []*yaml.Node{yn.Alias}, nil
+	case SequenceNode:
+		mergeValues := []*yaml.Node{}
+		for i := 0; i < len(yn.Content); i++ {
+			if yn.Content[i].Kind == SequenceNode {
+				return nil, errors.Errorf("invalid map merge: received a nested sequence")
+			}
+			newMergeValues, err := findMergeValues(yn.Content[i])
+			if err != nil {
+				return nil, err
+			}
+			mergeValues = append(newMergeValues, mergeValues...)
+		}
+		return mergeValues, nil
+	default:
+		return nil, errors.Errorf("map merge requires map or sequence of maps as the value")
+	}
+}
+
+// getMergeTagValue receives a MappingNode yaml node, and it searches for
+// merge tagged keys and return its value yaml node. If the key is duplicated,
+// it fails.
+func getMergeTagValue(yn *yaml.Node) (*yaml.Node, error) {
+	var result *yaml.Node
+	var err error
+	visitFieldsWhileTrue(yn.Content, func(key, value *yaml.Node, _ int) bool {
+		if isMerge(key) {
+			if result != nil {
+				err = fmt.Errorf("duplicate merge key")
+				result = nil
+				return false
+			}
+			result = value
+		}
+		return true
+	})
+	return result, err
+}
+
+// removeMergeTags removes all merge tags and returns a ordered list of yaml
+// nodes to merge and a error
+func removeMergeTags(yn *yaml.Node) ([]*yaml.Node, error) {
+	if yn == nil || yn.Content == nil {
+		return nil, nil
+	}
+	if yn.Kind != yaml.MappingNode {
+		return nil, nil
+	}
+	value, err := getMergeTagValue(yn)
+	if err != nil {
+		return nil, err
+	}
+	toMerge, err := findMergeValues(value)
+	if err != nil {
+		return nil, err
+	}
+	err = NewRNode(yn).PipeE(Clear("<<"))
+	if err != nil {
+		return nil, err
+	}
+	return toMerge, nil
+}
+
+func mergeAll(yn *yaml.Node, toMerge []*yaml.Node) error {
+	// We only need to start with a copy of the existing node because we need to
+	// maintain duplicated keys and style
+	rn := NewRNode(yn).Copy()
+	toMerge = append(toMerge, yn)
+	for i := range toMerge {
+		rnToMerge := NewRNode(toMerge[i]).Copy()
+		err := rnToMerge.VisitFields(func(node *MapNode) error {
+			return rn.PipeE(MapEntrySetter{Key: node.Key, Value: node.Value})
+		})
+		if err != nil {
+			return err
+		}
+	}
+	*yn = *rn.value
+	return nil
+}
+
+// GetValidatedMetadata returns metadata after subjecting it to some tests.
+func (rn *RNode) GetValidatedMetadata() (ResourceMeta, error) {
+	m, err := rn.GetMeta()
+	if err != nil {
+		return m, err
+	}
+	if m.Kind == "" {
+		return m, fmt.Errorf("missing kind in object %v", m)
+	}
+	if strings.HasSuffix(m.Kind, "List") {
+		// A list doesn't require a name.
+		return m, nil
+	}
+	if m.NameMeta.Name == "" {
+		return m, fmt.Errorf("missing metadata.name in object %v", m)
+	}
+	return m, nil
+}
+
+// MatchesAnnotationSelector returns true on a selector match to annotations.
+func (rn *RNode) MatchesAnnotationSelector(selector string) (bool, error) {
+	s, err := labels.Parse(selector)
+	if err != nil {
+		return false, err
+	}
+	return s.Matches(labels.Set(rn.GetAnnotations())), nil
+}
+
+// MatchesLabelSelector returns true on a selector match to labels.
+func (rn *RNode) MatchesLabelSelector(selector string) (bool, error) {
+	s, err := labels.Parse(selector)
+	if err != nil {
+		return false, err
+	}
+	return s.Matches(labels.Set(rn.GetLabels())), nil
+}
+
+// HasNilEntryInList returns true if the RNode contains a list which has
+// a nil item, along with the path to the missing item.
+// TODO(broken): This doesn't do what it claims to do.
+// (see TODO in unit test and pr 1513).
+func (rn *RNode) HasNilEntryInList() (bool, string) {
+	return hasNilEntryInList(rn.value)
+}
+
+func hasNilEntryInList(in interface{}) (bool, string) {
+	switch v := in.(type) {
+	case map[string]interface{}:
+		for key, s := range v {
+			if result, path := hasNilEntryInList(s); result {
+				return result, key + "/" + path
+			}
+		}
+	case []interface{}:
+		for index, s := range v {
+			if s == nil {
+				return true, ""
+			}
+			if result, path := hasNilEntryInList(s); result {
+				return result, "[" + strconv.Itoa(index) + "]/" + path
+			}
+		}
+	}
+	return false, ""
+}
+
+func FromMap(m map[string]interface{}) (*RNode, error) {
+	c, err := Marshal(m)
+	if err != nil {
+		return nil, err
+	}
+	return Parse(string(c))
+}
+
+func (rn *RNode) Map() (map[string]interface{}, error) {
+	if rn == nil || rn.value == nil {
+		return make(map[string]interface{}), nil
+	}
+	var result map[string]interface{}
+	if err := rn.value.Decode(&result); err != nil {
+		// Should not be able to create an RNode that cannot be decoded;
+		// this is an unrecoverable error.
+		str, _ := rn.String()
+		return nil, fmt.Errorf("received error %w for the following resource:\n%s", err, str)
+	}
+	return result, nil
+}
+
+// ConvertJSONToYamlNode parses input json string and returns equivalent yaml node
+func ConvertJSONToYamlNode(jsonStr string) (*RNode, error) {
+	var body map[string]interface{}
+	err := json.Unmarshal([]byte(jsonStr), &body)
+	if err != nil {
+		return nil, err
+	}
+	yml, err := yaml.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+	node, err := Parse(string(yml))
+	if err != nil {
+		return nil, err
+	}
+	return node, nil
+}
+
+// checkKey returns true if all elems have the key
+func checkKey(key string, elems []*Node) bool {
+	count := 0
+	for i := range elems {
+		elem := NewRNode(elems[i])
+		if elem.Field(key) != nil {
+			count++
+		}
+	}
+	return count == len(elems)
+}
+
+// GetSlice returns the contents of the slice field at the given path.
+func (rn *RNode) GetSlice(path string) ([]interface{}, error) {
+	value, err := rn.GetFieldValue(path)
+	if err != nil {
+		return nil, err
+	}
+	if sliceValue, ok := value.([]interface{}); ok {
+		return sliceValue, nil
+	}
+	return nil, fmt.Errorf("node %s is not a slice", path)
+}
+
+// GetString returns the contents of the string field at the given path.
+func (rn *RNode) GetString(path string) (string, error) {
+	value, err := rn.GetFieldValue(path)
+	if err != nil {
+		return "", err
+	}
+	if v, ok := value.(string); ok {
+		return v, nil
+	}
+	return "", fmt.Errorf("node %s is not a string: %v", path, value)
+}
+
+// GetFieldValue finds period delimited fields.
+// TODO: When doing kustomize var replacement, which is likely a
+// a primary use of this function and the reason it returns interface{}
+// rather than string, we do conversion from Nodes to Go types and back
+// to nodes.  We should figure out how to do replacement using raw nodes,
+// assuming we keep the var feature in kustomize.
+// The other end of this is: refvar.go:updateNodeValue.
+func (rn *RNode) GetFieldValue(path string) (interface{}, error) {
+	fields := convertSliceIndex(utils.SmarterPathSplitter(path, "."))
+	rn, err := rn.Pipe(Lookup(fields...))
+	if err != nil {
+		return nil, err
+	}
+	if rn == nil {
+		return nil, NoFieldError{path}
+	}
+	yn := rn.YNode()
+
+	// If this is an alias node, resolve it
+	if yn.Kind == yaml.AliasNode {
+		yn = yn.Alias
+	}
+
+	// Return value as map for DocumentNode and MappingNode kinds
+	if yn.Kind == yaml.DocumentNode || yn.Kind == yaml.MappingNode {
+		var result map[string]interface{}
+		if err := yn.Decode(&result); err != nil {
+			return nil, err
+		}
+		return result, err
+	}
+
+	// Return value as slice for SequenceNode kind
+	if yn.Kind == yaml.SequenceNode {
+		var result []interface{}
+		if err := yn.Decode(&result); err != nil {
+			return nil, err
+		}
+		return result, nil
+	}
+	if yn.Kind != yaml.ScalarNode {
+		return nil, fmt.Errorf("expected ScalarNode, got Kind=%d", yn.Kind)
+	}
+
+	switch yn.Tag {
+	case NodeTagString:
+		return yn.Value, nil
+	case NodeTagInt:
+		return strconv.Atoi(yn.Value)
+	case NodeTagFloat:
+		return strconv.ParseFloat(yn.Value, 64)
+	case NodeTagBool:
+		return strconv.ParseBool(yn.Value)
+	default:
+		// Possibly this should be an error or log.
+		return yn.Value, nil
+	}
+}
+
+// convertSliceIndex traverses the items in `fields` and find
+// if there is a slice index in the item and change it to a
+// valid Lookup field path. For example, 'ports[0]' will be
+// converted to 'ports' and '0'.
+func convertSliceIndex(fields []string) []string {
+	var res []string
+	for _, s := range fields {
+		if !strings.HasSuffix(s, "]") {
+			res = append(res, s)
+			continue
+		}
+		re := regexp.MustCompile(`^(.*)\[(\d+)\]$`)
+		groups := re.FindStringSubmatch(s)
+		if len(groups) == 0 {
+			// no match, add to result
+			res = append(res, s)
+			continue
+		}
+		if groups[1] != "" {
+			res = append(res, groups[1])
+		}
+		res = append(res, groups[2])
+	}
+	return res
+}
+
+type NoFieldError struct {
+	Field string
+}
+
+func (e NoFieldError) Error() string {
+	return fmt.Sprintf("no field named '%s'", e.Field)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/schema/schema.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/schema/schema.go
new file mode 100644
index 0000000000..9ee592f847
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/schema/schema.go
@@ -0,0 +1,44 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package schema contains libraries for working with the yaml and openapi packages.
+package schema
+
+import (
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// IsAssociative returns true if all elements in the list contain an
+// AssociativeSequenceKey as a field.
+func IsAssociative(schema *openapi.ResourceSchema, nodes []*yaml.RNode, infer bool) bool {
+	if schema != nil {
+		return schemaHasMergeStrategy(schema)
+	}
+	if !infer {
+		return false
+	}
+	for i := range nodes {
+		node := nodes[i]
+		if yaml.IsMissingOrNull(node) {
+			continue
+		}
+		if node.IsAssociative() {
+			return true
+		}
+	}
+	return false
+}
+
+func schemaHasMergeStrategy(schema *openapi.ResourceSchema) bool {
+	tmp, _ := schema.PatchStrategyAndKey()
+	strategies := strings.Split(tmp, ",")
+	for _, s := range strategies {
+		if s == "merge" {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/types.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/types.go
new file mode 100644
index 0000000000..7435344d23
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/types.go
@@ -0,0 +1,299 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"bytes"
+	"strings"
+
+	yaml "go.yaml.in/yaml/v3"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/sets"
+)
+
+// CopyYNode returns a distinct copy of its argument.
+// Use https://github.com/jinzhu/copier instead?
+func CopyYNode(n *yaml.Node) *yaml.Node {
+	if n == nil {
+		return nil
+	}
+	c := *n
+	if len(n.Content) > 0 {
+		// Using Go 'copy' here doesn't yield independent slices.
+		c.Content = make([]*Node, len(n.Content))
+		for i, item := range n.Content {
+			c.Content[i] = CopyYNode(item)
+		}
+	}
+	return &c
+}
+
+// IsYNodeTaggedNull returns true if the node is explicitly tagged Null.
+func IsYNodeTaggedNull(n *yaml.Node) bool {
+	return n != nil && n.Tag == NodeTagNull
+}
+
+// IsYNodeEmptyMap is true if the Node is a non-nil empty map.
+func IsYNodeEmptyMap(n *yaml.Node) bool {
+	return n != nil && n.Kind == yaml.MappingNode && len(n.Content) == 0
+}
+
+// IsYNodeEmptySeq is true if the Node is a non-nil empty sequence.
+func IsYNodeEmptySeq(n *yaml.Node) bool {
+	return n != nil && n.Kind == yaml.SequenceNode && len(n.Content) == 0
+}
+
+// IsYNodeNilOrEmpty is true if the Node is nil or appears empty.
+func IsYNodeNilOrEmpty(n *yaml.Node) bool {
+	return n == nil ||
+		IsYNodeTaggedNull(n) ||
+		IsYNodeEmptyMap(n) ||
+		IsYNodeEmptySeq(n) ||
+		IsYNodeZero(n)
+}
+
+// IsYNodeEmptyDoc is true if the node is a Document with no content.
+// E.g.: "---\n---"
+func IsYNodeEmptyDoc(n *yaml.Node) bool {
+	return n.Kind == yaml.DocumentNode && n.Content[0].Tag == NodeTagNull
+}
+
+func IsYNodeString(n *yaml.Node) bool {
+	return n.Kind == yaml.ScalarNode &&
+		(n.Tag == NodeTagString || n.Tag == NodeTagEmpty)
+}
+
+// IsYNodeZero is true if all the public fields in the Node are empty.
+// Which means it's not initialized and should be omitted when marshal.
+// The Node itself has a method IsZero but it is not released
+// in yaml.v3. https://pkg.go.dev/gopkg.in/yaml.v3#Node.IsZero
+func IsYNodeZero(n *yaml.Node) bool {
+	// TODO: Change this to use IsZero when it's avaialable.
+	return n != nil && n.Kind == 0 && n.Style == 0 && n.Tag == "" && n.Value == "" &&
+		n.Anchor == "" && n.Alias == nil && n.Content == nil &&
+		n.HeadComment == "" && n.LineComment == "" && n.FootComment == "" &&
+		n.Line == 0 && n.Column == 0
+}
+
+// Parser parses values into configuration.
+type Parser struct {
+	Kind  string `yaml:"kind,omitempty"`
+	Value string `yaml:"value,omitempty"`
+}
+
+func (p Parser) Filter(_ *RNode) (*RNode, error) {
+	d := yaml.NewDecoder(bytes.NewBuffer([]byte(p.Value)))
+	o := &RNode{value: &yaml.Node{}}
+	return o, d.Decode(o.value)
+}
+
+// TODO(pwittrock): test this
+func GetStyle(styles ...string) Style {
+	var style Style
+	for _, s := range styles {
+		switch s {
+		case "TaggedStyle":
+			style |= TaggedStyle
+		case "DoubleQuotedStyle":
+			style |= DoubleQuotedStyle
+		case "SingleQuotedStyle":
+			style |= SingleQuotedStyle
+		case "LiteralStyle":
+			style |= LiteralStyle
+		case "FoldedStyle":
+			style |= FoldedStyle
+		case "FlowStyle":
+			style |= FlowStyle
+		}
+	}
+	return style
+}
+
+// Filter defines a function to manipulate an individual RNode such as by changing
+// its values, or returning a field.
+//
+// When possible, Filters should be serializable to yaml so that they can be described
+// declaratively as data.
+//
+// Analogous to http://www.linfo.org/filters.html
+type Filter interface {
+	Filter(object *RNode) (*RNode, error)
+}
+
+type FilterFunc func(object *RNode) (*RNode, error)
+
+func (f FilterFunc) Filter(object *RNode) (*RNode, error) {
+	return f(object)
+}
+
+// TypeMeta partially copies apimachinery/pkg/apis/meta/v1.TypeMeta
+// No need for a direct dependence; the fields are stable.
+type TypeMeta struct {
+	// APIVersion is the apiVersion field of a Resource
+	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
+	// Kind is the kind field of a Resource
+	Kind string `json:"kind,omitempty" yaml:"kind,omitempty"`
+}
+
+// NameMeta contains name information.
+type NameMeta struct {
+	// Name is the metadata.name field of a Resource
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+	// Namespace is the metadata.namespace field of a Resource
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+}
+
+// ResourceMeta contains the metadata for a both Resource Type and Resource.
+type ResourceMeta struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	// ObjectMeta is the metadata field of a Resource
+	ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+}
+
+// ObjectMeta contains metadata about a Resource
+type ObjectMeta struct {
+	NameMeta `json:",inline" yaml:",inline"`
+	// Labels is the metadata.labels field of a Resource
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations is the metadata.annotations field of a Resource.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// GetIdentifier returns a ResourceIdentifier that includes
+// the information needed to uniquely identify a resource in a cluster.
+func (m *ResourceMeta) GetIdentifier() ResourceIdentifier {
+	return ResourceIdentifier{
+		TypeMeta: m.TypeMeta,
+		NameMeta: m.NameMeta,
+	}
+}
+
+// ResourceIdentifier contains the information needed to uniquely
+// identify a resource in a cluster.
+type ResourceIdentifier struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	NameMeta `json:",inline" yaml:",inline"`
+}
+
+// Comments struct is comment yaml comment types
+type Comments struct {
+	LineComment string `yaml:"lineComment,omitempty"`
+	HeadComment string `yaml:"headComment,omitempty"`
+	FootComment string `yaml:"footComment,omitempty"`
+}
+
+func (r *ResourceIdentifier) GetName() string {
+	return r.Name
+}
+
+func (r *ResourceIdentifier) GetNamespace() string {
+	return r.Namespace
+}
+
+func (r *ResourceIdentifier) GetAPIVersion() string {
+	return r.APIVersion
+}
+
+func (r *ResourceIdentifier) GetKind() string {
+	return r.Kind
+}
+
+const (
+	Trim = "Trim"
+	Flow = "Flow"
+)
+
+// String returns a string value for a Node, applying the supplied formatting options
+func String(node *yaml.Node, opts ...string) (string, error) {
+	if node == nil {
+		return "", nil
+	}
+	optsSet := sets.String{}
+	optsSet.Insert(opts...)
+	if optsSet.Has(Flow) {
+		oldStyle := node.Style
+		defer func() {
+			node.Style = oldStyle
+		}()
+		node.Style = yaml.FlowStyle
+	}
+
+	b := &bytes.Buffer{}
+	e := NewEncoder(b)
+	err := e.Encode(node)
+	errClose := e.Close()
+	if err == nil {
+		err = errClose
+	}
+	val := b.String()
+	if optsSet.Has(Trim) {
+		val = strings.TrimSpace(val)
+	}
+	return val, errors.Wrap(err)
+}
+
+// MergeOptionsListIncreaseDirection is the type of list growth in merge
+type MergeOptionsListIncreaseDirection int
+
+const (
+	MergeOptionsListAppend MergeOptionsListIncreaseDirection = iota
+	MergeOptionsListPrepend
+)
+
+// MergeOptions is a struct which contains the options for merge
+type MergeOptions struct {
+	// ListIncreaseDirection indicates should merge function prepend the items from
+	// source list to destination or append.
+	ListIncreaseDirection MergeOptionsListIncreaseDirection
+}
+
+// Since ObjectMeta and TypeMeta are stable, we manually create DeepCopy funcs for ResourceMeta and ObjectMeta.
+// For TypeMeta and NameMeta no DeepCopy funcs are required, as they only contain basic types.
+
+// DeepCopyInto copies the receiver, writing into out. in must be non-nil.
+func (in *ObjectMeta) DeepCopyInto(out *ObjectMeta) {
+	*out = *in
+	out.NameMeta = in.NameMeta
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy copies the receiver, creating a new ObjectMeta.
+func (in *ObjectMeta) DeepCopy() *ObjectMeta {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectMeta)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto copies the receiver, writing into out. in must be non-nil.
+func (in *ResourceMeta) DeepCopyInto(out *ResourceMeta) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+}
+
+// DeepCopy copies the receiver, creating a new ResourceMeta.
+func (in *ResourceMeta) DeepCopy() *ResourceMeta {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceMeta)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/util.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/util.go
new file mode 100644
index 0000000000..8c9439342f
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/util.go
@@ -0,0 +1,70 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package yaml
+
+import (
+	"strings"
+)
+
+// DeriveSeqIndentStyle derives the sequence indentation annotation value for the resource,
+// originalYAML is the input yaml string,
+// the style is decided by deriving the existing sequence indentation of first sequence node
+func DeriveSeqIndentStyle(originalYAML string) string {
+	lines := strings.Split(originalYAML, "\n")
+	for i, line := range lines {
+		elems := strings.SplitN(line, "- ", 2)
+		if len(elems) != 2 {
+			continue
+		}
+		// prefix of "- " must be sequence of spaces
+		if strings.Trim(elems[0], " ") != "" {
+			continue
+		}
+		numSpacesBeforeSeqElem := len(elems[0])
+
+		// keyLine is the line before the first sequence element
+		keyLine := keyLineBeforeSeqElem(lines, i)
+		if keyLine == "" {
+			// there is no keyLine for this sequence node
+			// all of those lines are comments
+			continue
+		}
+		numSpacesBeforeKeyElem := len(keyLine) - len(strings.TrimLeft(keyLine, " "))
+		trimmedKeyLine := strings.Trim(keyLine, " ")
+		if strings.Count(trimmedKeyLine, ":") != 1 || !strings.HasSuffix(trimmedKeyLine, ":") {
+			// if the key line doesn't contain only one : that too at the end,
+			// this is not a sequence node, it is a wrapped sequence node string
+			// ignore it
+			continue
+		}
+
+		if numSpacesBeforeSeqElem == numSpacesBeforeKeyElem {
+			return string(CompactSequenceStyle)
+		}
+
+		if numSpacesBeforeSeqElem-numSpacesBeforeKeyElem == 2 {
+			return string(WideSequenceStyle)
+		}
+	}
+
+	return string(CompactSequenceStyle)
+}
+
+// keyLineBeforeSeqElem iterates through the lines before the first seqElement
+// and tries to find the non-comment key line for the sequence node
+func keyLineBeforeSeqElem(lines []string, seqElemIndex int) string {
+	// start with the previous line of sequence element
+	i := seqElemIndex - 1
+	for ; i >= 0; i-- {
+		line := lines[i]
+		trimmedLine := strings.Trim(line, " ")
+		if strings.HasPrefix(trimmedLine, "#") { // commented line
+			continue
+		}
+		// we have a non-commented line which can have a trailing comment
+		parts := strings.SplitN(line, "#", 2)
+		return parts[0] // throw away the trailing comment part
+	}
+	return ""
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/associative_sequence.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/associative_sequence.go
new file mode 100644
index 0000000000..5cea8d92f6
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/associative_sequence.go
@@ -0,0 +1,385 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package walk
+
+import (
+	"strings"
+
+	"github.com/go-errors/errors"
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/sets"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// appendListNode will append the nodes from src to dst and return dst.
+// src and dst should be both sequence node. key is used to call ElementSetter.
+// ElementSetter will use key-value pair to find and set the element in sequence
+// node.
+func appendListNode(dst, src *yaml.RNode, keys []string) (*yaml.RNode, error) {
+	var err error
+	for _, elem := range src.Content() {
+		// If key is empty, we know this is a scalar value and we can directly set the
+		// node
+		if keys[0] == "" {
+			_, err = dst.Pipe(yaml.ElementSetter{
+				Element: elem,
+				Keys:    []string{""},
+				Values:  []string{elem.Value},
+			})
+			if err != nil {
+				return nil, err
+			}
+			continue
+		}
+
+		// we need to get the value for key so that we can find the element to set
+		// in sequence.
+		v := []string{}
+		for _, key := range keys {
+			tmpNode := yaml.NewRNode(elem)
+			valueNode, err := tmpNode.Pipe(yaml.Get(key))
+			if err != nil {
+				return nil, err
+			}
+			if valueNode.IsNil() {
+				// no key found, directly append to dst
+				err = dst.PipeE(yaml.Append(elem))
+				if err != nil {
+					return nil, err
+				}
+				continue
+			}
+			v = append(v, valueNode.YNode().Value)
+		}
+
+		// When there are multiple keys, ElementSetter appends the node to dst
+		// even if the output is already in dst. We remove the node from dst to
+		// prevent duplicates.
+		if len(keys) > 1 {
+			_, err = dst.Pipe(yaml.ElementSetter{
+				Keys:   keys,
+				Values: v,
+			})
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// We use the key and value from elem to find the corresponding element in dst.
+		// Then we will use ElementSetter to replace the element with elem. If we cannot
+		// find the item, the element will be appended.
+		_, err = dst.Pipe(yaml.ElementSetter{
+			Element: elem,
+			Keys:    keys,
+			Values:  v,
+		})
+		if err != nil {
+			return nil, err
+		}
+	}
+	return dst, nil
+}
+
+// validateKeys returns a list of valid key-value pairs
+// if secondary merge key values are missing, use only the available merge keys
+func validateKeys(valuesList [][]string, values []string, keys []string) ([]string, []string) {
+	validKeys := make([]string, 0)
+	validValues := make([]string, 0)
+	validKeySet := sets.String{}
+	for _, values := range valuesList {
+		for i, v := range values {
+			if v != "" {
+				validKeySet.Insert(keys[i])
+			}
+		}
+	}
+	if validKeySet.Len() == 0 { // if values missing, fall back to primary keys
+		return keys, values
+	}
+	for _, k := range keys {
+		if validKeySet.Has(k) {
+			validKeys = append(validKeys, k)
+		}
+	}
+	for i, v := range values {
+		if v != "" || validKeySet.Has(keys[i]) {
+			validValues = append(validValues, v)
+		}
+	}
+	return validKeys, validValues
+}
+
+// mergeValues merges values together - e.g. if two containerPorts
+// have the same port and targetPort but one has an empty protocol
+// and the other doesn't, they are treated as the same containerPort
+func mergeValues(valuesList [][]string) [][]string {
+	for i, values1 := range valuesList {
+		for j, values2 := range valuesList {
+			if matched, values := match(values1, values2); matched {
+				valuesList[i] = values
+				valuesList[j] = values
+			}
+		}
+	}
+	return valuesList
+}
+
+// two values match if they have at least one common element and
+// corresponding elements only differ if one is an empty string
+func match(values1 []string, values2 []string) (bool, []string) {
+	if len(values1) != len(values2) {
+		return false, nil
+	}
+	var commonElement bool
+	var res []string
+	for i := range values1 {
+		if values1[i] == values2[i] {
+			commonElement = true
+			res = append(res, values1[i])
+			continue
+		}
+		if values1[i] != "" && values2[i] != "" {
+			return false, nil
+		}
+		if values1[i] != "" {
+			res = append(res, values1[i])
+		} else {
+			res = append(res, values2[i])
+		}
+	}
+	return commonElement, res
+}
+
+// setAssociativeSequenceElements recursively set the elements in the list
+func (l *Walker) setAssociativeSequenceElements(valuesList [][]string, keys []string, dest *yaml.RNode) (*yaml.RNode, error) {
+	// itemsToBeAdded contains the items that will be added to dest
+	itemsToBeAdded := yaml.NewListRNode()
+	var schema *openapi.ResourceSchema
+	if l.Schema != nil {
+		schema = l.Schema.Elements()
+	}
+	if len(keys) > 1 {
+		valuesList = mergeValues(valuesList)
+	}
+
+	// each element in valuesList is a list of values corresponding to the keys
+	// for example, for the following yaml:
+	//        - containerPort: 8080
+	//          protocol: UDP
+	//        - containerPort: 8080
+	//          protocol: TCP
+	// `keys` would be [containerPort, protocol]
+	// and `valuesList` would be [ [8080, UDP], [8080, TCP] ]
+	var validKeys []string
+	var validValues []string
+	for _, values := range valuesList {
+		if len(values) == 0 {
+			continue
+		}
+
+		validKeys, validValues = validateKeys(valuesList, values, keys)
+		val, err := Walker{
+			VisitKeysAsScalars:    l.VisitKeysAsScalars,
+			InferAssociativeLists: l.InferAssociativeLists,
+			Visitor:               l,
+			Schema:                schema,
+			Sources:               l.elementValueList(validKeys, validValues),
+			MergeOptions:          l.MergeOptions,
+		}.Walk()
+		if err != nil {
+			return nil, err
+		}
+
+		exit := false
+		for i, key := range validKeys {
+			// delete the node from **dest** if it's null or empty
+			if yaml.IsMissingOrNull(val) || yaml.IsEmptyMap(val) {
+				_, err = dest.Pipe(yaml.ElementSetter{
+					Keys:   validKeys,
+					Values: validValues,
+				})
+				if err != nil {
+					return nil, err
+				}
+				exit = true
+			} else if val.Field(key) == nil && validValues[i] != "" {
+				// make sure the key is set on the field
+				_, err = val.Pipe(yaml.SetField(key, yaml.NewScalarRNode(validValues[i])))
+				if err != nil {
+					return nil, err
+				}
+			}
+		}
+		if exit {
+			continue
+		}
+
+		// Add the val to the sequence. val will replace the item in the sequence if
+		// there is an item that matches all key-value pairs. Otherwise val will be appended
+		// the sequence.
+		_, err = itemsToBeAdded.Pipe(yaml.ElementSetter{
+			Element: val.YNode(),
+			Keys:    validKeys,
+			Values:  validValues,
+		})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var err error
+	if len(valuesList) > 0 {
+		if l.MergeOptions.ListIncreaseDirection == yaml.MergeOptionsListPrepend {
+			// items from patches are needed to be prepended. so we append the
+			// dest to itemsToBeAdded
+			dest, err = appendListNode(itemsToBeAdded, dest, validKeys)
+		} else {
+			// append the items
+			dest, err = appendListNode(dest, itemsToBeAdded, validKeys)
+		}
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	// sequence is empty
+	if yaml.IsMissingOrNull(dest) {
+		return nil, nil
+	}
+	return dest, nil
+}
+
+func (l *Walker) walkAssociativeSequence() (*yaml.RNode, error) {
+	// may require initializing the dest node
+	dest, err := l.Sources.setDestNode(l.VisitList(l.Sources, l.Schema, AssociativeList))
+	if dest == nil || err != nil {
+		return nil, err
+	}
+
+	// get the merge key(s) from schema
+	var strategy string
+	var keys []string
+	if l.Schema != nil {
+		strategy, keys = l.Schema.PatchStrategyAndKeyList()
+	}
+	if strategy == "" && len(keys) == 0 { // neither strategy nor keys present in the schema -- infer the key
+		// find the list of elements we need to recursively walk
+		key, err := l.elementKey()
+		if err != nil {
+			return nil, err
+		}
+		if key != "" {
+			keys = append(keys, key)
+		}
+	}
+
+	// non-primitive associative list -- merge the elements
+	values := l.elementValues(keys)
+	if len(values) != 0 || len(keys) > 0 {
+		return l.setAssociativeSequenceElements(values, keys, dest)
+	}
+
+	// primitive associative list -- merge the values
+	return l.setAssociativeSequenceElements(l.elementPrimitiveValues(), []string{""}, dest)
+}
+
+// elementKey returns the merge key to use for the associative list
+func (l Walker) elementKey() (string, error) {
+	var key string
+	for i := range l.Sources {
+		if l.Sources[i] != nil && len(l.Sources[i].Content()) > 0 {
+			newKey := l.Sources[i].GetAssociativeKey()
+			if key != "" && key != newKey {
+				return "", errors.Errorf(
+					"conflicting merge keys [%s,%s] for field %s",
+					key, newKey, strings.Join(l.Path, "."))
+			}
+			key = newKey
+		}
+	}
+	if key == "" {
+		return "", errors.Errorf("no merge key found for field %s",
+			strings.Join(l.Path, "."))
+	}
+	return key, nil
+}
+
+// elementValues returns a slice containing all values for the field across all elements
+// from all sources.
+// Return value slice is ordered using the original ordering from the elements, where
+// elements missing from earlier sources appear later.
+func (l Walker) elementValues(keys []string) [][]string {
+	// use slice to to keep elements in the original order
+	var returnValues [][]string
+	var seen sets.StringList
+
+	// if we are doing append, dest node should be the first.
+	// otherwise dest node should be the last.
+	beginIdx := 0
+	if l.MergeOptions.ListIncreaseDirection == yaml.MergeOptionsListPrepend {
+		beginIdx = 1
+	}
+	for i := range l.Sources {
+		src := l.Sources[(i+beginIdx)%len(l.Sources)]
+		if src == nil {
+			continue
+		}
+
+		// add the value of the field for each element
+		// don't check error, we know this is a list node
+		values, _ := src.ElementValuesList(keys)
+		for _, s := range values {
+			if len(s) == 0 || seen.Has(s) {
+				continue
+			}
+			returnValues = append(returnValues, s)
+			seen = seen.Insert(s)
+		}
+	}
+	return returnValues
+}
+
+// elementPrimitiveValues returns the primitive values in an associative list -- eg. finalizers
+func (l Walker) elementPrimitiveValues() [][]string {
+	// use slice to to keep elements in the original order
+	var returnValues [][]string
+	seen := sets.String{}
+	// if we are doing append, dest node should be the first.
+	// otherwise dest node should be the last.
+	beginIdx := 0
+	if l.MergeOptions.ListIncreaseDirection == yaml.MergeOptionsListPrepend {
+		beginIdx = 1
+	}
+	for i := range l.Sources {
+		src := l.Sources[(i+beginIdx)%len(l.Sources)]
+		if src == nil {
+			continue
+		}
+
+		// add the value of the field for each element
+		// don't check error, we know this is a list node
+		for _, item := range src.YNode().Content {
+			if seen.Has(item.Value) {
+				continue
+			}
+			returnValues = append(returnValues, []string{item.Value})
+			seen.Insert(item.Value)
+		}
+	}
+	return returnValues
+}
+
+// fieldValue returns a slice containing each source's value for fieldName
+func (l Walker) elementValueList(keys []string, values []string) []*yaml.RNode {
+	keys, values = validateKeys([][]string{values}, values, keys)
+	var fields []*yaml.RNode
+	for i := range l.Sources {
+		if l.Sources[i] == nil {
+			fields = append(fields, nil)
+			continue
+		}
+		fields = append(fields, l.Sources[i].ElementList(keys, values))
+	}
+	return fields
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/map.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/map.go
new file mode 100644
index 0000000000..afeec0a5a7
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/map.go
@@ -0,0 +1,184 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package walk
+
+import (
+	"sort"
+
+	"sigs.k8s.io/kustomize/kyaml/fieldmeta"
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/sets"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// walkMap returns the value of VisitMap
+//
+// - call VisitMap
+// - set the return value on l.Dest
+// - walk each source field
+// - set each source field value on l.Dest
+func (l Walker) walkMap() (*yaml.RNode, error) {
+	// get the new map value
+	dest, err := l.Sources.setDestNode(l.VisitMap(l.Sources, l.Schema))
+	if dest == nil || err != nil {
+		return nil, err
+	}
+
+	// recursively set the field values on the map
+	for _, key := range l.fieldNames() {
+		var res *yaml.RNode
+		var keys []*yaml.RNode
+		if l.VisitKeysAsScalars {
+			// visit the map keys as if they were scalars,
+			// this is necessary if doing things such as copying
+			// comments
+			for i := range l.Sources {
+				// construct the sources from the keys
+				if l.Sources[i] == nil {
+					keys = append(keys, nil)
+					continue
+				}
+				field := l.Sources[i].Field(key)
+				if field == nil || yaml.IsMissingOrNull(field.Key) {
+					keys = append(keys, nil)
+					continue
+				}
+				keys = append(keys, field.Key)
+			}
+			// visit the sources as a scalar
+			// keys don't have any schema --pass in nil
+			res, err = l.Visitor.VisitScalar(keys, nil)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		var s *openapi.ResourceSchema
+		if l.Schema != nil {
+			s = l.Schema.Field(key)
+		}
+		fv, commentSch, keyStyles := l.fieldValue(key)
+		if commentSch != nil {
+			s = commentSch
+		}
+		val, err := Walker{
+			VisitKeysAsScalars:    l.VisitKeysAsScalars,
+			InferAssociativeLists: l.InferAssociativeLists,
+			Visitor:               l,
+			Schema:                s,
+			Sources:               fv,
+			MergeOptions:          l.MergeOptions,
+			Path:                  append(l.Path, key)}.Walk()
+		if err != nil {
+			return nil, err
+		}
+
+		// transfer the comments of res to dest node
+		var comments yaml.Comments
+		if !yaml.IsMissingOrNull(res) {
+			comments = yaml.Comments{
+				LineComment: res.YNode().LineComment,
+				HeadComment: res.YNode().HeadComment,
+				FootComment: res.YNode().FootComment,
+			}
+			if len(keys) > 0 && !yaml.IsMissingOrNull(keys[DestIndex]) {
+				keys[DestIndex].YNode().HeadComment = res.YNode().HeadComment
+				keys[DestIndex].YNode().LineComment = res.YNode().LineComment
+				keys[DestIndex].YNode().FootComment = res.YNode().FootComment
+			}
+		}
+
+		// this handles empty and non-empty values
+		fieldSetter := yaml.FieldSetter{
+			Name:           key,
+			Comments:       comments,
+			AppendKeyStyle: keyStyles[val],
+			Value:          val,
+		}
+		_, err = dest.Pipe(fieldSetter)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return dest, nil
+}
+
+// valueIfPresent returns node.Value if node is non-nil, otherwise returns nil
+func (l Walker) valueIfPresent(node *yaml.MapNode) (*yaml.RNode, *openapi.ResourceSchema) {
+	if node == nil {
+		return nil, nil
+	}
+
+	// parse the schema for the field if present
+	var s *openapi.ResourceSchema
+	fm := fieldmeta.FieldMeta{}
+	var err error
+	// check the value for a schema
+	if err = fm.Read(node.Value); err == nil {
+		s = &openapi.ResourceSchema{Schema: &fm.Schema}
+		if fm.Schema.Ref.String() != "" {
+			r, err := openapi.Resolve(&fm.Schema.Ref, openapi.Schema())
+			if err == nil && r != nil {
+				s.Schema = r
+			}
+		}
+	}
+	// check the key for a schema -- this will be used
+	// when the value is a Sequence (comments are attached)
+	// to the key
+	if fm.IsEmpty() {
+		if err = fm.Read(node.Key); err == nil {
+			s = &openapi.ResourceSchema{Schema: &fm.Schema}
+		}
+		if fm.Schema.Ref.String() != "" {
+			r, err := openapi.Resolve(&fm.Schema.Ref, openapi.Schema())
+			if err == nil && r != nil {
+				s.Schema = r
+			}
+		}
+	}
+	return node.Value, s
+}
+
+// fieldNames returns a sorted slice containing the names of all fields that appear in any of
+// the sources
+func (l Walker) fieldNames() []string {
+	fields := sets.String{}
+	for _, s := range l.Sources {
+		if s == nil {
+			continue
+		}
+		// don't check error, we know this is a mapping node
+		sFields, _ := s.Fields()
+		fields.Insert(sFields...)
+	}
+	result := fields.List()
+	sort.Strings(result)
+	return result
+}
+
+// fieldValue returns a slice containing each source's value for fieldName, the
+// schema, and a map of each source's value to the style for the source's key.
+func (l Walker) fieldValue(fieldName string) ([]*yaml.RNode, *openapi.ResourceSchema, map[*yaml.RNode]yaml.Style) {
+	var fields []*yaml.RNode
+	var sch *openapi.ResourceSchema
+	keyStyles := make(map[*yaml.RNode]yaml.Style, len(l.Sources))
+	for i := range l.Sources {
+		if l.Sources[i] == nil {
+			fields = append(fields, nil)
+			continue
+		}
+		field := l.Sources[i].Field(fieldName)
+		f, s := l.valueIfPresent(field)
+		fields = append(fields, f)
+		if field != nil && field.Key != nil && field.Key.YNode() != nil {
+			keyStyles[f] = field.Key.YNode().Style
+		}
+		if sch == nil && !s.IsMissingOrNull() {
+			sch = s
+		}
+	}
+	return fields, sch, keyStyles
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/nonassociative_sequence.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/nonassociative_sequence.go
new file mode 100644
index 0000000000..91b187e5bf
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/nonassociative_sequence.go
@@ -0,0 +1,13 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package walk
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// walkNonAssociativeSequence returns the value of VisitList
+func (l Walker) walkNonAssociativeSequence() (*yaml.RNode, error) {
+	return l.VisitList(l.Sources, l.Schema, NonAssociateList)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/scalar.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/scalar.go
new file mode 100644
index 0000000000..1a26f6dffe
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/scalar.go
@@ -0,0 +1,11 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package walk
+
+import "sigs.k8s.io/kustomize/kyaml/yaml"
+
+// walkScalar returns the value of VisitScalar
+func (l Walker) walkScalar() (*yaml.RNode, error) {
+	return l.VisitScalar(l.Sources, l.Schema)
+}
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/visitor.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/visitor.go
new file mode 100644
index 0000000000..153ac29455
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/visitor.go
@@ -0,0 +1,28 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package walk
+
+import (
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type ListKind int32
+
+const (
+	AssociativeList ListKind = 1 + iota
+	NonAssociateList
+)
+
+// Visitor is invoked by walk with source and destination node pairs
+type Visitor interface {
+	VisitMap(Sources, *openapi.ResourceSchema) (*yaml.RNode, error)
+
+	VisitScalar(Sources, *openapi.ResourceSchema) (*yaml.RNode, error)
+
+	VisitList(Sources, *openapi.ResourceSchema, ListKind) (*yaml.RNode, error)
+}
+
+// ClearNode is returned if GrepFilter should do nothing after calling Set
+var ClearNode *yaml.RNode
diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/walk.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/walk.go
new file mode 100644
index 0000000000..68de1324e0
--- /dev/null
+++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/walk.go
@@ -0,0 +1,186 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package walk
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/fieldmeta"
+	"sigs.k8s.io/kustomize/kyaml/openapi"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+	"sigs.k8s.io/kustomize/kyaml/yaml/schema"
+)
+
+// Walker walks the Source RNode and modifies the RNode provided to GrepFilter.
+type Walker struct {
+	// Visitor is invoked by GrepFilter
+	Visitor
+
+	Schema *openapi.ResourceSchema
+
+	// Source is the RNode to walk.  All Source fields and associative list elements
+	// will be visited.
+	Sources Sources
+
+	// Path is the field path to the current Source Node.
+	Path []string
+
+	// InferAssociativeLists if set to true will infer merge strategies for
+	// fields which it doesn't have the schema based on the fields in the
+	// list elements.
+	InferAssociativeLists bool
+
+	// VisitKeysAsScalars if true will call VisitScalar on map entry keys,
+	// providing nil as the OpenAPI schema.
+	VisitKeysAsScalars bool
+
+	// MergeOptions is a struct to store options for merge
+	MergeOptions yaml.MergeOptions
+}
+
+// Kind returns the kind of the first non-null node in Sources.
+func (l Walker) Kind() yaml.Kind {
+	for _, s := range l.Sources {
+		if !yaml.IsMissingOrNull(s) {
+			return s.YNode().Kind
+		}
+	}
+	return 0
+}
+
+// Walk will recursively traverse every item in the Sources and perform corresponding
+// actions on them
+func (l Walker) Walk() (*yaml.RNode, error) {
+	l.Schema = l.GetSchema()
+
+	// invoke the handler for the corresponding node type
+	switch l.Kind() {
+	case yaml.MappingNode:
+		if err := yaml.ErrorIfAnyInvalidAndNonNull(yaml.MappingNode, l.Sources...); err != nil {
+			return nil, err
+		}
+		return l.walkMap()
+	case yaml.SequenceNode:
+		if err := yaml.ErrorIfAnyInvalidAndNonNull(yaml.SequenceNode, l.Sources...); err != nil {
+			return nil, err
+		}
+		// AssociativeSequence means the items in the sequence are associative. They can be merged
+		// according to merge key.
+		if schema.IsAssociative(l.Schema, l.Sources, l.InferAssociativeLists) {
+			return l.walkAssociativeSequence()
+		}
+		return l.walkNonAssociativeSequence()
+
+	case yaml.ScalarNode:
+		if err := yaml.ErrorIfAnyInvalidAndNonNull(yaml.ScalarNode, l.Sources...); err != nil {
+			return nil, err
+		}
+		return l.walkScalar()
+	case 0:
+		// walk empty nodes as maps
+		return l.walkMap()
+	default:
+		return nil, nil
+	}
+}
+
+func (l Walker) GetSchema() *openapi.ResourceSchema {
+	for i := range l.Sources {
+		r := l.Sources[i]
+		if yaml.IsMissingOrNull(r) {
+			continue
+		}
+
+		fm := fieldmeta.FieldMeta{}
+		if err := fm.Read(r); err == nil && !fm.IsEmpty() {
+			// per-field schema, this is fine
+			if fm.Schema.Ref.String() != "" {
+				// resolve the reference
+				s, err := openapi.Resolve(&fm.Schema.Ref, openapi.Schema())
+				if err == nil && s != nil {
+					fm.Schema = *s
+				}
+			}
+			return &openapi.ResourceSchema{Schema: &fm.Schema}
+		}
+	}
+
+	if l.Schema != nil {
+		return l.Schema
+	}
+	for i := range l.Sources {
+		r := l.Sources[i]
+		if yaml.IsMissingOrNull(r) {
+			continue
+		}
+
+		m, _ := r.GetMeta()
+		if m.Kind == "" || m.APIVersion == "" {
+			continue
+		}
+
+		s := openapi.SchemaForResourceType(yaml.TypeMeta{Kind: m.Kind, APIVersion: m.APIVersion})
+		if s != nil {
+			return s
+		}
+	}
+	return nil
+}
+
+const (
+	DestIndex = iota
+	OriginIndex
+	UpdatedIndex
+)
+
+// Sources are a list of RNodes. First item is the dest node, followed by
+// multiple source nodes.
+type Sources []*yaml.RNode
+
+// Dest returns the destination node
+func (s Sources) Dest() *yaml.RNode {
+	if len(s) <= DestIndex {
+		return nil
+	}
+	return s[DestIndex]
+}
+
+// Origin returns the origin node
+func (s Sources) Origin() *yaml.RNode {
+	if len(s) <= OriginIndex {
+		return nil
+	}
+	return s[OriginIndex]
+}
+
+// Updated returns the updated node
+func (s Sources) Updated() *yaml.RNode {
+	if len(s) <= UpdatedIndex {
+		return nil
+	}
+	return s[UpdatedIndex]
+}
+
+func (s Sources) String() string {
+	var values []string
+	for i := range s {
+		str, err := s[i].String()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "%v\n", err)
+		}
+		values = append(values, str)
+	}
+	return strings.Join(values, "\n")
+}
+
+// setDestNode sets the destination source node
+func (s Sources) setDestNode(node *yaml.RNode, err error) (*yaml.RNode, error) {
+	if err != nil {
+		return nil, err
+	}
+	s[0] = node
+	return node, nil
+}
diff --git a/vendor/sigs.k8s.io/yaml/goyaml.v3/README.md b/vendor/sigs.k8s.io/yaml/goyaml.v3/README.md
new file mode 100644
index 0000000000..318a00923b
--- /dev/null
+++ b/vendor/sigs.k8s.io/yaml/goyaml.v3/README.md
@@ -0,0 +1,70 @@
+# goyaml.v3
+
+This package provides type and function aliases for the `go.yaml.in/yaml/v3` package (which is compatible with `gopkg.in/yaml.v3`).
+
+## Purpose
+
+The purpose of this package is to:
+
+1. Provide a transition path for users migrating from the sigs.k8s.io/yaml package to direct usage of go.yaml.in/yaml/v3
+2. Maintain compatibility with existing code while encouraging migration to the upstream package
+3. Reduce maintenance overhead by delegating to the upstream implementation
+
+## Usage
+
+Instead of importing this package directly, you should migrate to using `go.yaml.in/yaml/v3` directly:
+
+```go
+// Old way
+import "sigs.k8s.io/yaml/goyaml.v3"
+
+// Recommended way
+import "go.yaml.in/yaml/v3"
+```
+
+## Available Types and Functions
+
+All public types and functions from `go.yaml.in/yaml/v3` are available through this package:
+
+### Types
+
+- `Unmarshaler` - Interface for custom unmarshaling behavior
+- `Marshaler` - Interface for custom marshaling behavior
+- `IsZeroer` - Interface to check if an object is zero
+- `Decoder` - Reads and decodes YAML values from an input stream
+- `Encoder` - Writes YAML values to an output stream
+- `TypeError` - Error returned by Unmarshal for decoding issues
+- `Node` - Represents a YAML node in the document
+- `Kind` - Represents the kind of a YAML node
+- `Style` - Represents the style of a YAML node
+
+### Functions
+
+- `Unmarshal` - Decodes YAML data into a Go value
+- `Marshal` - Serializes a Go value into YAML
+- `NewDecoder` - Creates a new Decoder
+- `NewEncoder` - Creates a new Encoder
+
+## Migration Guide
+
+To migrate from this package to `go.yaml.in/yaml/v3`:
+
+1. Update your import statements:
+   ```go
+   // From
+   import "sigs.k8s.io/yaml/goyaml.v3"
+   
+   // To
+   import "go.yaml.in/yaml/v3"
+   ```
+
+2. No code changes should be necessary as the API is identical
+
+3. Update your go.mod file to include the dependency:
+   ```
+   require go.yaml.in/yaml/v3 v3.0.3
+   ```
+
+## Deprecation Notice
+
+All types and functions in this package are marked as deprecated. You should migrate to using `go.yaml.in/yaml/v3` directly.
diff --git a/vendor/sigs.k8s.io/yaml/goyaml.v3/yaml_aliases.go b/vendor/sigs.k8s.io/yaml/goyaml.v3/yaml_aliases.go
new file mode 100644
index 0000000000..8826ffefeb
--- /dev/null
+++ b/vendor/sigs.k8s.io/yaml/goyaml.v3/yaml_aliases.go
@@ -0,0 +1,130 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package yaml
+
+import (
+	gopkg_yaml "go.yaml.in/yaml/v3"
+)
+
+// Type aliases for public types from go.yaml.in/yaml/v3
+type (
+	// Unmarshaler is implemented by types to customize their behavior when being unmarshaled from a YAML document.
+	// Deprecated: Use go.yaml.in/yaml/v3.Unmarshaler directly.
+	Unmarshaler = gopkg_yaml.Unmarshaler
+
+	// Marshaler is implemented by types to customize their behavior when being marshaled into a YAML document.
+	// Deprecated: Use go.yaml.in/yaml/v3.Marshaler directly.
+	Marshaler = gopkg_yaml.Marshaler
+
+	// IsZeroer is used to check whether an object is zero to determine whether it should be omitted when
+	// marshaling with the omitempty flag. One notable implementation is time.Time.
+	// Deprecated: Use go.yaml.in/yaml/v3.IsZeroer directly.
+	IsZeroer = gopkg_yaml.IsZeroer
+
+	// Decoder reads and decodes YAML values from an input stream.
+	// Deprecated: Use go.yaml.in/yaml/v3.Decoder directly.
+	Decoder = gopkg_yaml.Decoder
+
+	// Encoder writes YAML values to an output stream.
+	// Deprecated: Use go.yaml.in/yaml/v3.Encoder directly.
+	Encoder = gopkg_yaml.Encoder
+
+	// TypeError is returned by Unmarshal when one or more fields in the YAML document cannot be properly decoded.
+	// Deprecated: Use go.yaml.in/yaml/v3.TypeError directly.
+	TypeError = gopkg_yaml.TypeError
+
+	// Node represents a YAML node in the document.
+	// Deprecated: Use go.yaml.in/yaml/v3.Node directly.
+	Node = gopkg_yaml.Node
+
+	// Kind represents the kind of a YAML node.
+	// Deprecated: Use go.yaml.in/yaml/v3.Kind directly.
+	Kind = gopkg_yaml.Kind
+
+	// Style represents the style of a YAML node.
+	// Deprecated: Use go.yaml.in/yaml/v3.Style directly.
+	Style = gopkg_yaml.Style
+)
+
+// Constants for Kind type from go.yaml.in/yaml/v3
+const (
+	// DocumentNode represents a YAML document node.
+	// Deprecated: Use go.yaml.in/yaml/v3.DocumentNode directly.
+	DocumentNode = gopkg_yaml.DocumentNode
+
+	// SequenceNode represents a YAML sequence node.
+	// Deprecated: Use go.yaml.in/yaml/v3.SequenceNode directly.
+	SequenceNode = gopkg_yaml.SequenceNode
+
+	// MappingNode represents a YAML mapping node.
+	// Deprecated: Use go.yaml.in/yaml/v3.MappingNode directly.
+	MappingNode = gopkg_yaml.MappingNode
+
+	// ScalarNode represents a YAML scalar node.
+	// Deprecated: Use go.yaml.in/yaml/v3.ScalarNode directly.
+	ScalarNode = gopkg_yaml.ScalarNode
+
+	// AliasNode represents a YAML alias node.
+	// Deprecated: Use go.yaml.in/yaml/v3.AliasNode directly.
+	AliasNode = gopkg_yaml.AliasNode
+)
+
+// Constants for Style type from go.yaml.in/yaml/v3
+const (
+	// TaggedStyle represents a tagged YAML style.
+	// Deprecated: Use go.yaml.in/yaml/v3.TaggedStyle directly.
+	TaggedStyle = gopkg_yaml.TaggedStyle
+
+	// DoubleQuotedStyle represents a double-quoted YAML style.
+	// Deprecated: Use go.yaml.in/yaml/v3.DoubleQuotedStyle directly.
+	DoubleQuotedStyle = gopkg_yaml.DoubleQuotedStyle
+
+	// SingleQuotedStyle represents a single-quoted YAML style.
+	// Deprecated: Use go.yaml.in/yaml/v3.SingleQuotedStyle directly.
+	SingleQuotedStyle = gopkg_yaml.SingleQuotedStyle
+
+	// LiteralStyle represents a literal YAML style.
+	// Deprecated: Use go.yaml.in/yaml/v3.LiteralStyle directly.
+	LiteralStyle = gopkg_yaml.LiteralStyle
+
+	// FoldedStyle represents a folded YAML style.
+	// Deprecated: Use go.yaml.in/yaml/v3.FoldedStyle directly.
+	FoldedStyle = gopkg_yaml.FoldedStyle
+
+	// FlowStyle represents a flow YAML style.
+	// Deprecated: Use go.yaml.in/yaml/v3.FlowStyle directly.
+	FlowStyle = gopkg_yaml.FlowStyle
+)
+
+// Function aliases for public functions from go.yaml.in/yaml/v3
+var (
+	// Unmarshal decodes the first document found within the in byte slice and assigns decoded values into the out value.
+	// Deprecated: Use go.yaml.in/yaml/v3.Unmarshal directly.
+	Unmarshal = gopkg_yaml.Unmarshal
+
+	// Marshal serializes the value provided into a YAML document.
+	// Deprecated: Use go.yaml.in/yaml/v3.Marshal directly.
+	Marshal = gopkg_yaml.Marshal
+
+	// NewDecoder returns a new decoder that reads from r.
+	// Deprecated: Use go.yaml.in/yaml/v3.NewDecoder directly.
+	NewDecoder = gopkg_yaml.NewDecoder
+
+	// NewEncoder returns a new encoder that writes to w.
+	// Deprecated: Use go.yaml.in/yaml/v3.NewEncoder directly.
+	NewEncoder = gopkg_yaml.NewEncoder
+)
diff --git a/vendor/sigs.k8s.io/yaml/kyaml/kyaml.go b/vendor/sigs.k8s.io/yaml/kyaml/kyaml.go
new file mode 100644
index 0000000000..f07b0b3e96
--- /dev/null
+++ b/vendor/sigs.k8s.io/yaml/kyaml/kyaml.go
@@ -0,0 +1,828 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package kyaml provides an encoder for KYAML, a strict subset of YAML that is
+// designed to be explicit and unambiguous.  KYAML is YAML, so any YAML parser
+// should be able to read it.
+//
+// KYAML is designed to be halfway between YAML and JSON, with the following
+// properties:
+//   - Not whitespace-sensitive
+//   - Allows comments
+//   - Allows trailing commas
+//   - Does not require quoted keys
+//
+// KYAML is an output format, and will follow these conventions:
+//   - Always double-quote strings, even if they are not ambiguous.
+//   - Only quote keys that might be ambiguously interpreted (e.g. "no" is
+//     always quoted).
+//   - Always use `{}` for structs and maps, and `[]` for lists.
+//   - Economize on vertical space by cuddling some kinds of brackets together.
+//   - Render multi-line strings with YAML's line folding, which is close to
+//     the Go string literal format.
+//
+// KYAML also includes a document-separator "header" (still valid YAML), which
+// helps to disambiguate a KYAML document from an ill-formed JSON document.
+//
+// Because KYAML is YAML, a KYAML multi-document is a YAML multi-document.
+package kyaml
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+	"unicode"
+	"unicode/utf8"
+
+	yaml "go.yaml.in/yaml/v3"
+)
+
+// Encoder formats objects or YAML data (JSON is valid YAML) into KYAML. KYAML
+// is halfway between YAML and JSON, but is a strict subset of YAML, so it
+// should should be readable by any YAML parser. It is designed to be explicit
+// and unambiguous, and eschews significant whitespace.
+type Encoder struct {
+	// Compact tells the encoder to use compact formatting. This puts all the
+	// data on one line, with no extra newlines, no comments, and no multi-line
+	// formatting.
+	Compact bool
+}
+
+// FromYAML renders a KYAML (multi-)document from YAML bytes (JSON is YAML),
+// including the KYAML header. The result always has a trailing newline.
+func (ky *Encoder) FromYAML(in io.Reader, out io.Writer) error {
+	// We need a YAML decoder to handle multi-document streams.
+	dec := yaml.NewDecoder(in)
+
+	// Process each document in the stream.
+	for {
+		var doc yaml.Node
+		err := dec.Decode(&doc)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("error decoding: %v", err)
+		}
+		if doc.Kind != yaml.DocumentNode {
+			return fmt.Errorf("kyaml internal error: line %d: expected a document node, got %s", doc.Line, ky.nodeKindString(doc.Kind))
+		}
+
+		// Always emit a document separator, which helps disambiguate between YAML
+		// and JSON.
+		if _, err := fmt.Fprintln(out, "---"); err != nil {
+			return err
+		}
+
+		if err := ky.renderDocument(&doc, 0, ky.flags(), out); err != nil {
+			return err
+		}
+		fmt.Fprintf(out, "\n")
+	}
+
+	return nil
+}
+
+// FromObject renders a KYAML document from a Go object, including the KYAML
+// header. The result always has a trailing newline.
+func (ky *Encoder) FromObject(obj any, out io.Writer) error {
+	jb, err := json.Marshal(obj)
+	if err != nil {
+		return fmt.Errorf("error marshaling to JSON: %v", err)
+	}
+	// JSON is YAML.
+	return ky.FromYAML(bytes.NewReader(jb), out)
+}
+
+// Marshal renders a single Go object as KYAML, without the header or trailing
+// newline.
+func (ky *Encoder) Marshal(obj any) ([]byte, error) {
+	// Convert the object to JSON bytes to take advantage of all the JSON tag
+	// handling and things like that.
+	jb, err := json.Marshal(obj)
+	if err != nil {
+		return nil, fmt.Errorf("error marshaling to JSON: %v", err)
+	}
+
+	buf := &bytes.Buffer{}
+	// JSON is YAML.
+	if err := ky.fromObjectYAML(bytes.NewReader(jb), buf); err != nil {
+		return nil, fmt.Errorf("error rendering object: %v", err)
+	}
+	return buf.Bytes(), nil
+}
+
+func (ky *Encoder) fromObjectYAML(in io.Reader, out io.Writer) error {
+	yb, err := io.ReadAll(in)
+	if err != nil {
+		return err
+	}
+
+	var doc yaml.Node
+	if err := yaml.Unmarshal(yb, &doc); err != nil {
+		return fmt.Errorf("error decoding: %v", err)
+	}
+	if doc.Kind != yaml.DocumentNode {
+		return fmt.Errorf("kyaml internal error: line %d: expected document node, got %s", doc.Line, ky.nodeKindString(doc.Kind))
+	}
+
+	if err := ky.renderNode(&doc, 0, ky.flags(), out); err != nil {
+		return fmt.Errorf("error rendering document: %v", err)
+	}
+
+	return nil
+}
+
+// From the YAML spec.
+const (
+	intTag       = "!!int"
+	floatTag     = "!!float"
+	boolTag      = "!!bool"
+	strTag       = "!!str"
+	timestampTag = "!!timestamp"
+	seqTag       = "!!seq"
+	mapTag       = "!!map"
+	nullTag      = "!!null"
+	binaryTag    = "!!binary"
+	mergeTag     = "!!merge"
+)
+
+type flagMask uint64
+
+const (
+	flagsNone     flagMask = 0
+	flagLazyQuote flagMask = 0x01
+	flagCompact   flagMask = 0x02
+)
+
+// flags returns a flagMask representing the current encoding options. It can
+// be used directly or OR'ed with another mask.
+func (ky *Encoder) flags() flagMask {
+	flags := flagsNone
+	if ky.Compact {
+		flags |= flagCompact
+	}
+	return flags
+}
+
+// renderNode processes a YAML node, calling the appropriate render function
+// for its type.  Each render function should assume that the output "cursor"
+// is positioned at the start of the node and should not emit a final newline.
+// If a render function needs to linewrap or indent (e.g. a struct), it should
+// assume the indent level is currently correct for the node type itself, and
+// may need to indent more.
+func (ky *Encoder) renderNode(node *yaml.Node, indent int, flags flagMask, out io.Writer) error {
+	if node == nil {
+		return nil
+	}
+
+	switch node.Kind {
+	case yaml.DocumentNode:
+		return ky.renderDocument(node, indent, flags, out)
+	case yaml.ScalarNode:
+		return ky.renderScalar(node, indent, flags, out)
+	case yaml.SequenceNode:
+		return ky.renderSequence(node, indent, flags, out)
+	case yaml.MappingNode:
+		return ky.renderMapping(node, indent, flags, out)
+	case yaml.AliasNode:
+		return ky.renderAlias(node, indent, flags, out)
+	}
+	return fmt.Errorf("kyaml internal error: line %d: unknown node kind %v", node.Line, node.Kind)
+}
+
+// renderDocument processes a YAML document node, rendering it to the output.
+// This function assumes that the output "cursor" is positioned at the start of
+// the document. This does not emit a final newline.
+func (ky *Encoder) renderDocument(doc *yaml.Node, indent int, flags flagMask, out io.Writer) error {
+	if len(doc.Content) == 0 {
+		return fmt.Errorf("kyaml internal error: line %d: document has no content node (%d)", doc.Line, len(doc.Content))
+	}
+	if len(doc.Content) > 1 {
+		return fmt.Errorf("kyaml internal error: line %d: document has more than one content node (%d)", doc.Line, len(doc.Content))
+	}
+	if indent != 0 {
+		return fmt.Errorf("kyaml internal error: line %d: document non-zero indent (%d)", doc.Line, indent)
+	}
+
+	compact := flags&flagCompact != 0
+
+	// For document nodes, the cursor is assumed to be ready to render.
+	child := doc.Content[0]
+	if !compact {
+		if len(doc.HeadComment) > 0 {
+			ky.renderComments(doc.HeadComment, indent, out)
+			fmt.Fprint(out, "\n")
+		}
+		if len(child.HeadComment) > 0 {
+			ky.renderComments(child.HeadComment, indent, out)
+			fmt.Fprint(out, "\n")
+		}
+	}
+	if err := ky.renderNode(child, indent, flags, out); err != nil {
+		return err
+	}
+	if !compact {
+		if len(child.LineComment) > 0 {
+			ky.renderComments(" "+child.LineComment, 0, out)
+		}
+		if len(child.FootComment) > 0 {
+			fmt.Fprint(out, "\n")
+			ky.renderComments(child.FootComment, indent, out)
+		}
+		if len(doc.LineComment) > 0 {
+			fmt.Fprint(out, "\n")
+			ky.renderComments(" "+doc.LineComment, 0, out)
+		}
+		if len(doc.FootComment) > 0 {
+			fmt.Fprint(out, "\n")
+			ky.renderComments(doc.FootComment, indent, out)
+		}
+	}
+	return nil
+}
+
+// renderScalar processes a YAML scalar node, rendering it to the output.  This
+// DOES NOT render a trailing newline or head/line/foot comments, as those
+// require the parent context.
+func (ky *Encoder) renderScalar(node *yaml.Node, indent int, flags flagMask, out io.Writer) error {
+	switch node.Tag {
+	case intTag, floatTag, boolTag, nullTag:
+		fmt.Fprint(out, node.Value)
+	case strTag, timestampTag:
+		return ky.renderString(node.Value, indent+1, flags, out)
+	default:
+		return fmt.Errorf("kyaml internal error: line %d: unknown tag %q on scalar node %q", node.Line, node.Tag, node.Value)
+	}
+	return nil
+}
+
+const kyamlFoldStr = "\\\n"
+
+var regularEscapeMap = map[rune]string{
+	'\n': "\\n" + kyamlFoldStr, // use YAML's line folding to make the output more readable
+	'\t': "\t",                 // literal tab
+}
+var compactEscapeMap = map[rune]string{
+	'\n': "\\n",
+	'\t': "\\t",
+}
+
+// renderString processes a string (either single-line or multi-line),
+// rendering it to the output.  This DOES NOT render a trailing newline.
+func (ky *Encoder) renderString(val string, indent int, flags flagMask, out io.Writer) error {
+	lazyQuote := flags&flagLazyQuote != 0
+	compact := flags&flagCompact != 0
+	multi := strings.Contains(val, "\n")
+
+	if !multi && lazyQuote && !needsQuotes(val) {
+		fmt.Fprint(out, val)
+		return nil
+	}
+
+	// Special cases for certain input.
+	escapeOverrides := regularEscapeMap
+	if compact {
+		escapeOverrides = compactEscapeMap
+	}
+
+	//
+	// The rest of this is borrowed from Go's strconv.Quote implementation.
+	//
+
+	// accumulate into a buffer
+	buf := &bytes.Buffer{}
+
+	// opening quote
+	fmt.Fprint(buf, `"`)
+	if multi && !compact {
+		fmt.Fprint(buf, kyamlFoldStr)
+	}
+
+	// Iterating a string with invalid UTF8 returns RuneError rather than the
+	// bytes, so we iterate the string and decode the runes. This is a bit
+	// slower, but gives us a better result.
+	s := val
+	for width := 0; len(s) > 0; s = s[width:] {
+		r := rune(s[0])
+		width = 1
+		if r >= utf8.RuneSelf {
+			r, width = utf8.DecodeRuneInString(s)
+		}
+		if width == 1 && r == utf8.RuneError {
+			fmt.Fprint(buf, `\x`)
+			fmt.Fprintf(buf, "%02x", s[0])
+			continue
+		}
+		ky.appendEscapedRune(r, indent, escapeOverrides, buf)
+	}
+
+	// closing quote
+	afterNewline := buf.Bytes()[len(buf.Bytes())-1] == '\n'
+	if multi && !compact {
+		if !afterNewline {
+			fmt.Fprint(buf, kyamlFoldStr)
+		}
+		ky.writeIndent(indent, buf)
+	}
+	fmt.Fprint(buf, `"`)
+
+	fmt.Fprint(out, buf.String())
+
+	return nil
+}
+
+var allowedUnquotedAnywhere = map[rune]bool{
+	'_': true,
+}
+
+var allowedUnquotedInterior = map[rune]bool{
+	'-': true,
+	'.': true,
+	'/': true,
+}
+
+func needsQuotes(s string) bool {
+	if s == "" {
+		return true
+	}
+	if isTypeAmbiguous(s) {
+		return true
+	}
+	runes := []rune(s)
+	for i, r := range runes {
+		if unicode.IsLetter(r) || unicode.IsNumber(r) || allowedUnquotedAnywhere[r] {
+			continue
+		}
+		if i > 0 && i < len(runes)-1 && allowedUnquotedInterior[r] {
+			continue
+		}
+		// it's something we don't explicitly allow
+		return true
+	}
+	return false
+}
+
+// From https://yaml.org/type/int.html and https://yaml.org/type/float.html
+var sexagesimalRE = regexp.MustCompile(`^[+-]?[1-9][0-9_]*(:[0-5]?[0-9])+(\.[0-9_]*)?$`)
+
+// isTypeAmbiguous returns true if a YAML parser might interpret the unquoted
+// form of the string argument as a YAML type other than string (e.g. `true`
+// would be interpreted as a boolean).
+func isTypeAmbiguous(s string) bool {
+	// Null-like strings: https://yaml.org/type/null.html
+	if len(s) <= 5 {
+		switch strings.ToLower(s) {
+		case "null", "~", "":
+			return true
+		}
+	}
+
+	// Boolean-like strings: https://yaml.org/type/bool.html
+	if _, err := strconv.ParseBool(s); err == nil {
+		return true
+	}
+	if len(s) <= 5 {
+		switch strings.ToLower(s) {
+		case "true", "y", "yes", "on", "false", "n", "no", "off":
+			return true
+		}
+	}
+
+	// Number-like strings: https://yaml.org/type/int.html and
+	// https://yaml.org/type/float.html
+	//
+	// NOTE: the stripping of underscores is gross.
+	sWithoutUnderscores := strings.ReplaceAll(s, "_", "")
+	// Handles binary ("0b"), octal ("0" or "0o"), decimal, and hex ("0x")
+	if _, err := strconv.ParseInt(sWithoutUnderscores, 0, 64); err == nil && !isSyntaxError(err) {
+		return true
+	}
+	// Handles standard and scientific notation.
+	if _, err := strconv.ParseFloat(sWithoutUnderscores, 64); err == nil && !isSyntaxError(err) {
+		return true
+	}
+
+	// Sexagesimal strings like "11:00" (in YAML 1.1, removed in 1.2):
+	// https://yaml.org/type/int.html and https://yaml.org/type/float.html
+	if sexagesimalRE.MatchString(s) {
+		return true
+	}
+
+	// Infinity and NaN: https://yaml.org/type/float.html
+	if len(s) <= 5 {
+		switch strings.ToLower(s) {
+		case ".inf", "-.inf", "+.inf", ".nan":
+			return true
+		}
+	}
+
+	// Time-like strings
+	if _, matches := parseTimestamp(s); matches {
+		return true
+	}
+
+	return false
+}
+
+func isSyntaxError(err error) bool {
+	var numerr *strconv.NumError
+	if ok := errors.As(err, &numerr); ok {
+		return errors.Is(numerr.Err, strconv.ErrSyntax)
+	}
+	return false
+}
+
+// This is a subset of the formats allowed by the regular expression
+// defined at http://yaml.org/type/timestamp.html.
+//
+// NOTE: This was copied from go.yaml.in/yaml/v2
+var allowedTimestampFormats = []string{
+	"2006-1-2T15:4:5.999999999Z07:00", // RCF3339Nano with short date fields.
+	"2006-1-2t15:4:5.999999999Z07:00", // RFC3339Nano with short date fields and lower-case "t".
+	"2006-1-2 15:4:5.999999999",       // space separated with no time zone
+	"2006-1-2",                        // date only
+	// Notable exception: time.Parse cannot handle: "2001-12-14 21:59:43.10 -5"
+	// from the set of examples.
+}
+
+// parseTimestamp parses s as a timestamp string and
+// returns the timestamp and reports whether it succeeded.
+// Timestamp formats are defined at http://yaml.org/type/timestamp.html
+//
+// NOTE: This was copied from go.yaml.in/yaml/v2
+func parseTimestamp(s string) (time.Time, bool) {
+	// TODO write code to check all the formats supported by
+	// http://yaml.org/type/timestamp.html instead of using time.Parse.
+
+	// Quick check: all date formats start with YYYY-.
+	i := 0
+	for ; i < len(s); i++ {
+		if c := s[i]; c < '0' || c > '9' {
+			break
+		}
+	}
+	if i != 4 || i == len(s) || s[i] != '-' {
+		return time.Time{}, false
+	}
+	for _, format := range allowedTimestampFormats {
+		if t, err := time.Parse(format, s); err == nil {
+			return t, true
+		}
+	}
+	return time.Time{}, false
+}
+
+// We use a buffer here so we can peek backwards.
+func (ky *Encoder) appendEscapedRune(r rune, indent int, escapeOverrides map[rune]string, buf *bytes.Buffer) {
+	afterNewline := buf.Bytes()[len(buf.Bytes())-1] == '\n'
+
+	if afterNewline {
+		ky.writeIndent(indent, buf)
+		// We want to preserve leading whitespace in the source string, so if
+		// we find whitespace, we need to escape it.  We don't want to
+		// escape lines without leading whitespace, but we DO want to render
+		// the result with fidelity to vertical alignment, so we write an extra
+		// space.  This is OK, because all whitespace before the first
+		// non-whitespace character is dropped, as per YAML spec. If there are
+		// no lines with leading whitespace it looks like the indent is one too
+		// many, which seems OK.
+		if unicode.IsSpace(r) && r != '\n' {
+			buf.WriteRune('\\')
+		} else {
+			buf.WriteRune(' ')
+		}
+	}
+	if s, found := escapeOverrides[r]; found {
+		buf.WriteString(s)
+		return
+	}
+	if r == '"' || r == '\\' { // always escaped
+		buf.WriteRune('\\')
+		buf.WriteRune(r)
+		return
+	}
+	if unicode.IsPrint(r) {
+		buf.WriteRune(r)
+		return
+	}
+	switch r {
+	case '\a':
+		buf.WriteString(`\a`)
+	case '\b':
+		buf.WriteString(`\b`)
+	case '\f':
+		buf.WriteString(`\f`)
+	case '\n':
+		buf.WriteString(`\n`)
+	case '\r':
+		buf.WriteString(`\r`)
+	case '\t':
+		buf.WriteString(`\t`)
+	case '\v':
+		buf.WriteString(`\v`)
+	case '\x00':
+		buf.WriteString(`\0`)
+	case '\x1b':
+		buf.WriteString(`\e`)
+	case '\x85':
+		buf.WriteString(`\N`)
+	case '\xa0':
+		buf.WriteString(`\_`)
+	case '\u2028':
+		buf.WriteString(`\L`)
+	case '\u2029':
+		buf.WriteString(`\P`)
+	default:
+		const hexits = "0123456789abcdef"
+		switch {
+		case r < ' ' || r == 0x7f:
+			buf.WriteString(`\x`)
+			buf.WriteByte(hexits[byte(r)>>4])
+			buf.WriteByte(hexits[byte(r)&0xF])
+		case !utf8.ValidRune(r):
+			r = utf8.RuneError
+			fallthrough
+		case r < 0x10000:
+			buf.WriteString(`\u`)
+			for s := 12; s >= 0; s -= 4 {
+				buf.WriteByte(hexits[r>>uint(s)&0xF])
+			}
+		default:
+			buf.WriteString(`\U`)
+			for s := 28; s >= 0; s -= 4 {
+				buf.WriteByte(hexits[r>>uint(s)&0xF])
+			}
+		}
+	}
+}
+
+// renderSequence processes a YAML sequence node, rendering it to the output.  This
+// DOES NOT render a trailing newline or head/line/foot comments of the sequence
+// itself, but DOES render comments of the child nodes.
+func (ky *Encoder) renderSequence(node *yaml.Node, indent int, flags flagMask, out io.Writer) error {
+	if len(node.Content) == 0 {
+		fmt.Fprint(out, "[]")
+		return nil
+	}
+	if flags&flagCompact != 0 {
+		return ky.renderCompactSequence(node, flags, out)
+	}
+
+	// See if this list can use cuddled formatting.
+	cuddle := true
+	for _, child := range node.Content {
+		if !isCuddledKind(child) {
+			cuddle = false
+			break
+		}
+		if len(child.HeadComment)+len(child.LineComment)+len(child.FootComment) > 0 {
+			cuddle = false
+			break
+		}
+	}
+
+	if cuddle {
+		return ky.renderCuddledSequence(node, indent, flags, out)
+	}
+	return ky.renderUncuddledSequence(node, indent, flags, out)
+}
+
+// renderCompactSequence renders a YAML sequence node in compact form.
+func (ky *Encoder) renderCompactSequence(node *yaml.Node, flags flagMask, out io.Writer) error {
+	fmt.Fprint(out, "[")
+	for i, child := range node.Content {
+		if i > 0 {
+			fmt.Fprint(out, ", ")
+		}
+		if err := ky.renderNode(child, 0, flags, out); err != nil {
+			return err
+		}
+	}
+	fmt.Fprint(out, "]")
+	return nil
+}
+
+// renderCuddledSequence processes a YAML sequence node which has already been
+// determined to be cuddled.  We only cuddle sequences of structs or lists
+// which have no comments.
+func (ky *Encoder) renderCuddledSequence(node *yaml.Node, indent int, flags flagMask, out io.Writer) error {
+	fmt.Fprint(out, "[")
+	for i, child := range node.Content {
+		// Each iteration should leave us cuddled for the next item.
+		if i > 0 {
+			fmt.Fprint(out, ", ")
+		}
+		if err := ky.renderNode(child, indent, flags, out); err != nil {
+			return err
+		}
+	}
+	fmt.Fprint(out, "]")
+	return nil
+}
+
+func (ky *Encoder) renderUncuddledSequence(node *yaml.Node, indent int, flags flagMask, out io.Writer) error {
+	// Get into the right state for the first item.
+	fmt.Fprint(out, "[\n")
+	ky.writeIndent(indent, out)
+	for _, child := range node.Content {
+		// Each iteration should leave us ready to close the list. Since we
+		// have an item to render, we need 1 more indent.
+		ky.writeIndent(1, out)
+
+		if len(child.HeadComment) > 0 {
+			ky.renderComments(child.HeadComment, indent+1, out)
+			fmt.Fprint(out, "\n")
+			ky.writeIndent(indent+1, out)
+		}
+
+		if err := ky.renderNode(child, indent+1, flags, out); err != nil {
+			return err
+		}
+
+		fmt.Fprint(out, ",")
+		if len(child.LineComment) > 0 {
+			ky.renderComments(" "+child.LineComment, 0, out)
+		}
+		fmt.Fprint(out, "\n")
+		ky.writeIndent(indent, out)
+		if len(child.FootComment) > 0 {
+			ky.writeIndent(1, out)
+			ky.renderComments(child.FootComment, indent+1, out)
+			fmt.Fprint(out, "\n")
+			ky.writeIndent(indent, out)
+		}
+	}
+	fmt.Fprint(out, "]")
+
+	return nil
+}
+
+func (ky *Encoder) nodeKindString(kind yaml.Kind) string {
+	switch kind {
+	case yaml.DocumentNode:
+		return "document"
+	case yaml.ScalarNode:
+		return "scalar"
+	case yaml.MappingNode:
+		return "mapping"
+	case yaml.SequenceNode:
+		return "sequence"
+	case yaml.AliasNode:
+		return "alias"
+	default:
+		return "unknown"
+	}
+}
+
+func isCuddledKind(node *yaml.Node) bool {
+	if node == nil {
+		return false
+	}
+	switch node.Kind {
+	case yaml.SequenceNode, yaml.MappingNode:
+		return true
+	case yaml.AliasNode:
+		return isCuddledKind(node.Alias)
+	}
+	return false
+}
+
+// renderMapping processes a YAML mapping node, rendering it to the output.  This
+// DOES NOT render a trailing newline or head/line/foot comments of the mapping
+// itself, but DOES render comments of the child nodes.
+func (ky *Encoder) renderMapping(node *yaml.Node, indent int, flags flagMask, out io.Writer) error {
+	if len(node.Content) == 0 {
+		fmt.Fprint(out, "{}")
+		return nil
+	}
+
+	if flags&flagCompact != 0 {
+		return ky.renderCompactMapping(node, flags, out)
+	}
+
+	joinComments := func(a, b string) string {
+		if len(a) > 0 && len(b) > 0 {
+			return a + "\n" + b
+		}
+		return a + b
+	}
+
+	fmt.Fprint(out, "{\n")
+	for i := 0; i < len(node.Content); i += 2 {
+		key := node.Content[i]
+		val := node.Content[i+1]
+
+		ky.writeIndent(indent+1, out)
+
+		// Only one of these should be set.
+		if comments := joinComments(key.HeadComment, val.HeadComment); len(comments) > 0 {
+			ky.renderComments(comments, indent+1, out)
+			fmt.Fprint(out, "\n")
+			ky.writeIndent(indent+1, out)
+		}
+
+		// Mapping keys are always strings in KYAML, even if the YAML node says
+		// otherwise.
+		if err := ky.renderString(key.Value, indent+1, flagLazyQuote|flagCompact, out); err != nil {
+			return err
+		}
+		fmt.Fprint(out, ": ")
+		if err := ky.renderNode(val, indent+1, flags, out); err != nil {
+			return err
+		}
+		fmt.Fprint(out, ",")
+		if len(key.LineComment) > 0 && len(val.LineComment) > 0 {
+			return fmt.Errorf("kyaml internal error: line %d: both key and value have line comments", key.Line)
+		}
+		if len(key.LineComment) > 0 {
+			ky.renderComments(" "+key.LineComment, 0, out)
+		} else if len(val.LineComment) > 0 {
+			ky.renderComments(" "+val.LineComment, 0, out)
+		}
+		fmt.Fprint(out, "\n")
+		// Only one of these should be set.
+		if comments := joinComments(key.FootComment, val.FootComment); len(comments) > 0 {
+			ky.writeIndent(indent+1, out)
+			ky.renderComments(comments, indent+1, out)
+			fmt.Fprint(out, "\n")
+		}
+	}
+	ky.writeIndent(indent, out)
+	fmt.Fprint(out, "}")
+	return nil
+}
+
+// renderCompactMapping renders a YAML mapping node in compact form.
+func (ky *Encoder) renderCompactMapping(node *yaml.Node, flags flagMask, out io.Writer) error {
+	fmt.Fprint(out, "{")
+	for i := 0; i < len(node.Content); i += 2 {
+		key := node.Content[i]
+		val := node.Content[i+1]
+
+		if i > 0 {
+			fmt.Fprint(out, ", ")
+		}
+		// Mapping keys are always strings in KYAML, even if the YAML node says
+		// otherwise.
+		if err := ky.renderString(key.Value, 0, flags|flagLazyQuote|flagCompact, out); err != nil {
+			return err
+		}
+		fmt.Fprint(out, ": ")
+		if err := ky.renderNode(val, 0, flags, out); err != nil {
+			return err
+		}
+	}
+	fmt.Fprint(out, "}")
+	return nil
+}
+
+func (ky *Encoder) writeIndent(level int, out io.Writer) {
+	const indentString = "  "
+	for range level {
+		fmt.Fprint(out, indentString)
+	}
+}
+
+// renderCommentBlock writes the comments node to the output.  This assumes the
+// cursor is at the right place to start writing and DOES NOT render a trailing
+// newline.
+func (ky *Encoder) renderComments(comments string, indent int, out io.Writer) {
+	if len(comments) == 0 {
+		return
+	}
+	lines := strings.Split(comments, "\n")
+	for i, line := range lines {
+		if i > 0 {
+			fmt.Fprint(out, "\n")
+			ky.writeIndent(indent, out)
+		}
+		fmt.Fprint(out, line)
+	}
+}
+
+func (ky *Encoder) renderAlias(node *yaml.Node, indent int, flags flagMask, out io.Writer) error {
+	if node.Alias != nil {
+		return ky.renderNode(node.Alias, indent+1, flags, out)
+	}
+	return nil
+}